diff --git a/.github/ISSUE_TEMPLATE/default.md b/.github/ISSUE_TEMPLATE/default.md
new file mode 100755
index 0000000000..88cd61e83b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/default.md
@@ -0,0 +1,27 @@
+---
+name: Issue
+about: Report a bug or make a feature request.
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+|Wazuh version|Component|Install type|Install method|Platform|
+|---|---|---|---|---|
+| X.Y.Z-rev | Wazuh component | Manager/Agent | Packages/Sources | OS version |
+
+<!--
+Whenever possible, issues should be created for bug reporting and feature requests.
+For questions related to the user experience, please refer:
+- Wazuh mailing list: https://groups.google.com/forum/#!forum/wazuh
+- Join Wazuh on Slack: https://wazuh.com/community/join-us-on-slack
+
+Please fill the table above. Feel free to extend it at your convenience.
+-->
+
+<!--
+
+You may want to set debug options `<component>.debug=2` (see https://documentation.wazuh.com/current/user-manual/reference/internal-options.html) to get verbose logs. This may help investigate the issue.
+
+-->
diff --git a/.github/ISSUE_TEMPLATE/planned__epic_support_new_oss.md b/.github/ISSUE_TEMPLATE/planned__epic_support_new_oss.md
new file mode 100644
index 0000000000..d5956011c5
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/planned__epic_support_new_oss.md
@@ -0,0 +1,47 @@
+---
+name: 'Planned: Epic support new OSs'
+about: Add support for a new OS.
+title: Support new OSs - <OS name & version>
+labels: level/epic, request/operational, type/maintenance
+assignees: ''
+
+---
+
+# Description
+| Related issue |
+|---|
+| Issue number |
+
+| Agent tier | Central components support | OS type |
+|-|-|-|
+| 1/2/3 | Yes/No | New family/Major/Minor |
+
+# Specific issues
+
+<!-- Always -->
+**QA**
+-
+
+<!-- Central components/Major/New family -->
+**CppServer**
+-
+
+<!-- Central components -->
+**Indexer**
+-
+
+<!-- Always -->
+**DevOps**
+-
+
+<!-- Always -->
+**Dashboard**
+-
+
+<!-- Always -->
+**ThreatIntel**
+-
+
+<!-- Always -->
+**Agent**
+-
diff --git a/.github/ISSUE_TEMPLATE/planned__specific_support_new_oss.md b/.github/ISSUE_TEMPLATE/planned__specific_support_new_oss.md
new file mode 100644
index 0000000000..aa77924aeb
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/planned__specific_support_new_oss.md
@@ -0,0 +1,100 @@
+---
+name: 'Planned: Specific support new OSs'
+about: Test compatibility with new OS.
+title: Support new OSs - <OS name & version> - <Specific test name>
+labels: level/task, request/operational, type/maintenance
+assignees: ''
+
+---
+
+# Description
+| Related issue | Epic issue |
+|---|---|
+| Issue number | Issue number|
+
+| Agent tier | Central components support | OS type |
+|-|-|-|
+| 1/2/3 | Yes/No | New family/Major/Minor |
+
+# Plan
+
+<!-- Uncomment for QA issue
+**QA**
+- [ ] Add new tests according to the OS's tier.
+- [ ] Add proper documentation.
+- [ ] Do basic E2E test functionality for all stateful modules according to the OS's tier.
+-->
+
+<!-- Uncomment for CPPSERVER issue
+**CppServer**
+- [ ] **Tier 1 agent**: Make sure that VD works properly according to the OS tier.
+- [ ] **Central components**: Add support for the new OS to the GitHub Actions package builder.
+- [ ] **Central components**: Smoke test that the package works, including installation, upgrade, and its related functionality.
+-->
+
+<!-- Uncomment for INDEXER issue
+**Indexer**
+- [ ] **Central components**: Add support for the new OS to the GitHub Actions package builder.
+- [ ] **Central components**: Smoke test that the package works, including installation and upgrade.
+-->
+
+<!-- Uncomment for DEVOPS minor issue
+**DevOps**
+- [ ] Update the allocator images.
+- [ ] Update AMI, OVA, or Docker images if needed.
+-->
+
+<!-- Uncomment for DEVOPS major/new family issue
+**DevOps**
+- [ ] **Central components**: Manually allocate two different accessible machines with the new OS. This is the first step for everything else.
+- [ ] **No central components**: Deploy an All In One (in our featured OS, probably Amazon Linux) and allocate an accessible machine with the new OS to test the agent. This is the first step for everything else.
+- [ ] **Central components**: Review/test the installation assistant using the new OS.
+- [ ] Add support in the allocator.
+- [ ] Adapt Puppet.
+- [ ] Adapt Ansible.
+- [ ] Update AMI, OVA, or Docker images if needed.
+-->
+
+<!-- Uncomment for DASHBOARD issue
+**Dashboard**
+- [ ] **Central components**: Add support for the new OS to the GitHub Actions package builder.
+- [ ] **Central components**: Smoke test that the package works, including installation and upgrade.
+- [ ] Make sure that the agent-related information in the agent list is correct.
+- [ ] Test the deployment one-liner for the new OS.
+-->
+
+<!-- Uncomment for THREATINTEL issue
+**ThreatIntel**
+- [ ] Define a plan to support the new OS, particularly with regard to SCA policies.
+-->
+
+<!-- Uncomment for AGENT issue
+- [ ] Smoke test that the package works, including installation, upgrade, and its related tier functionality.
+- [ ] Add support for the new OS to the GitHub Actions package builder.
+
+**Agent**
+Requested testing code:
+:white_circle: Requested.
+:black_circle: Not requested.
+
+Result code:
+:green_circle: Completed: Test finished with success.
+:red_circle: Completed with failures.
+:yellow_circle: Completed with known issues.
+
+- **Requested checks by tier:**
+|| Tier 1 | Tier 2 | Tier 3 | Result |
+|-|-|-|-|-|
+| **Log collection - System events** | :white_circle: | :white_circle: | :white_circle: | |
+| **Log collection - Log files** | :white_circle: | :white_circle: | :white_circle: | |
+| **Log collection -Command execution** | :white_circle: | :white_circle: | :white_circle: | |
+| **FIM - Scheduled** | :white_circle: | :white_circle: | :white_circle: | |
+| **FIM - Realtime** | :white_circle: | :black_circle: | :black_circle: | |
+| **FIM - Whodata** | :white_circle: | :black_circle: | :black_circle: | |
+| **SCA** | :white_circle: | :white_circle: | :black_circle: | |
+| **Inventory** | :white_circle: | :white_circle: | :white_circle: | |
+| **Active response** | :white_circle: | :white_circle: | :black_circle: | |
+| **Remote upgrade** | :white_circle: | :black_circle: | :black_circle: | |
+| **Command monitoring** | :white_circle: | :white_circle: | :black_circle: | |
+| **Wodles** | :white_circle: | :black_circle: | :black_circle: | |
+-->
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/release_manual_tests.md b/.github/ISSUE_TEMPLATE/release_manual_tests.md
new file mode 100644
index 0000000000..df15810fbd
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/release_manual_tests.md
@@ -0,0 +1,54 @@
+---
+name: Release Candidate - Manual tests
+about: Report the results after running manual tests for the specified release.
+title: Release [WAZUH VERSION] - Manual tests - [TEST NAME]
+labels: release/4.3.0
+assignees: ''
+
+---
+
+The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.
+
+## Test information
+|                         |                                            |
+|-------------------------|--------------------------------------------|
+| **Test name**           |                                            |
+| **Category**            |                                            |
+| **Deployment option**   |                                            |
+| **Main release issue**  |                                            |
+| **Release candidate #** |                                            |
+
+## Test description
+ADD TEST DESCRIPTION HERE
+
+## Test report procedure
+
+All test results must have one of the following statuses: 
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| :green_circle:  | All checks passed. |
+| :red_circle:  | There is at least one failed result. |
+| :yellow_circle:  | There is at least one expected failure or skipped test and no failures. |
+
+Any failing test must be properly addressed with a new issue, detailing the error and the possible cause. 
+
+An extended report of the test results must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.
+
+## Conclusions
+
+All tests have been executed and the results can be found [here]().
+
+|                |             |                     |                |
+|----------------|-------------|---------------------|----------------|
+| **Status**     | **Test**    | **Failure type**    | **Notes**      |
+|                |             |                     |                |
+
+All tests have passed and the fails have been reported or justified. Therefore, I conclude that this issue is finished and OK for this release candidate.
+
+## Auditors validation
+The definition of done for this one is the validation of the conclusions and the test results from all auditors.
+
+All checks from below must be accepted in order to close this issue.
+
+- [ ] MODULE OWNER
+- [ ] EXTRA REVIEWER
diff --git a/.github/ISSUE_TEMPLATE/scheduled__support_new_oss.md b/.github/ISSUE_TEMPLATE/scheduled__support_new_oss.md
new file mode 100644
index 0000000000..4eaa605d3a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/scheduled__support_new_oss.md
@@ -0,0 +1,29 @@
+---
+name: 'Scheduled: Support new OSs'
+about: Regularly check for new OS versions during their prerelease stages of development.
+title: 'Week # - Support new OSs'
+labels: level/task, request/operational, type/maintenance
+assignees: ''
+
+---
+
+|Week|Previous issue|
+|---|---|
+|21|https://github.com/wazuh/wazuh/issues/23311|
+
+## Description
+
+This issue aims to regularly check for new OS versions during their prerelease stages of development.
+
+Each OS must have one of the following check statuses:
+ 
+| Check | Description |
+|:-:|--------------------------------------------|
+| 🟡      | New OS version has been found. |
+| ⚫      | No new  OS version has been found. |
+
+Check the current table: 
+
+| OS family | Version | Release date | Estimated frequency  | Links | Check | Support OS issue |
+|-|-|-|-|-|:-:|-|
+| Ubuntu (**_SAMPLE, DELETE_**)                        | 24.10 | 05/23/2024 | Semester   | [Releases](https://wiki.ubuntu.com/Releases) / [Pre-releases](https://wiki.ubuntu.com/Releases#:~:text=mailing%20list.-,Future,-Version)| 🟡 | https://github.com/wazuh/wazuh/issues/23579 |
diff --git a/.github/ISSUE_TEMPLATE/system_tests.md b/.github/ISSUE_TEMPLATE/system_tests.md
new file mode 100644
index 0000000000..91644da5ab
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/system_tests.md
@@ -0,0 +1,80 @@
+---
+name: Release Candidate - System tests
+about: Report the results after running system tests.
+title: Release [WAZUH VERSION] - [STAGE] - System tests
+labels: level/task, type/test
+assignees: ''
+
+---
+
+The following issue aims to run all `system tests` for the current release candidate, report the results, and open new issues for any encountered errors.
+
+## System tests information
+|                                      |                                            |
+|--------------------------------------|--------------------------------------------|
+| **Main release candidate issue**     |                                            |
+| **Version**                          |                                            |
+| **Release candidate #**              |                                            |
+| **Tag**                              |                                            |
+| **Previous system tests issue**      |                                            |
+
+## Instructions
+To run tests in an AWS EC2 virtual environment, the following requirements will need to be met:
+
+| Environment                  | EC2                                       |
+|------------------------------|-------------------------------------------|
+|Basic_cluster                 |Ubuntu 22.04.2 LTS C5.XLarge 15GB SSD      |
+|Big_cluster_40_agents         |Ubuntu 22.04.2 LTS T3.Large 60GB SSD       |
+|Agentless_cluster             |Ubuntu 22.04.2 LTS C5a.XLarge 30GB SSD     |
+|Four_manager_disconnected_node|Ubuntu 22.04.2 LTS T3.Large 30GB SSD       |
+|One_manager_agent             |Ubuntu 22.04.2 LTS T3.Large 30GB SSD       |
+|Manager_agent                 |Ubuntu 22.04.2 LTS T3.Large 30GB SSD       |
+|Enrollment_cluster            |Ubuntu 22.04.2 LTS T3.Large 30GB SSD       |
+|Basic_environment             |Ubuntu 22.04.2 LTS T3.Large 30GB SSD       |
+
+
+These requirements should be requested to the @wazuh/devel-devops team via https://github.com/wazuh/internal-devel-requests.
+
+For further information, check https://github.com/wazuh/wazuh-qa/tree/master/tests/system/README.md
+
+## Test report procedure
+All individual test checks must be marked as:
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| Pass | The test ran successfully. |
+| Xfail | The test was expected to fail and it failed. It must be properly justified and reported in an issue.  |
+| Skip | The test was not run. It must be properly justified and reported in an issue.  |
+| Fail | The test failed. A new issue must be opened to evaluate and address the problem. |
+
+All test results must have one the following statuses:
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| :green_circle:  | All checks passed. |
+| :red_circle:  | There is at least one failed check. |
+| :yellow_circle:  | There is at least one expected fail or skipped test and no failures. |
+
+Any failing test must be properly addressed with a new issue, detailing the error and the possible cause. It must be included in the `Fixes` section of the current release candidate main issue.
+
+Any expected fail or skipped test must have an issue justifying the reason. All auditors must validate the justification for an expected fail or skipped test.
+
+An extended report of the test results must be attached as a zip or txt. This report can be used by the auditors to dig deeper into any possible failures and details.
+
+## Conclusions
+
+<!--
+All tests have been executed and the results can be found [here]().
+
+|                |             |                     |                |
+|----------------|-------------|---------------------|----------------|
+| **Status**     | **Test**    | **Failure type**    | **Notes**      |
+|                |             |                     |                |
+
+All tests have passed and the fails have been reported or justified. I therefore conclude that this issue is finished and OK for this release candidate.
+-->
+
+## Auditors validation
+The definition of done for this one is the validation of the conclusions and the test results from all auditors.
+
+All checks from below must be accepted in order to close this issue.
+
+- [ ] @wazuh/devel-qa-release
diff --git a/.github/ISSUE_TEMPLATE/workload_benchmarks_metrics.md b/.github/ISSUE_TEMPLATE/workload_benchmarks_metrics.md
new file mode 100644
index 0000000000..b1dc8f116e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/workload_benchmarks_metrics.md
@@ -0,0 +1,67 @@
+---
+name: Release Candidate - Workload benchmarks metrics
+about: Report the workload benchmarks metrics.
+title: Release [WAZUH VERSION] - Release Candidate [RC VERSION] - Workload benchmarks
+  metrics
+labels: ''
+assignees: ''
+
+---
+
+The following issue aims to run all `workload benchmarks` for the current release candidate, report the results, and open new issues for any encountered errors.
+
+## Workload benchmarks metrics information
+|                                               |                                            |
+|-----------------------------------------------|--------------------------------------------|
+| **Main release candidate issue**              |                                            |
+| **Version**                                   |                                            |
+| **Release candidate #**                       |                                            |
+| **Tag**                                       |                                            |
+| **Previous Workload benchmarks metrics issue**|                                            |
+
+## Test configuration
+All tests will be run and workload performance metrics will be obtained for the following clustered environment configurations:
+
+|                   |                    |
+|-------------------|--------------------|
+| **# Agents**      | **# Worker nodes** |
+|                   |                    |
+
+## Test report procedure
+All individual test checks must be marked as:
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| Pass | The test ran successfully. |
+| Xfail | The test was expected to fail and it failed. It must be properly justified and reported in an issue.  |
+| Skip | The test was not run. It must be properly justified and reported in an issue.  |
+| Fail | The test failed. A new issue must be opened to evaluate and address the problem. |
+
+All test results must have one the following statuses: 
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| :green_circle:  | All checks passed. |
+| :red_circle:  | There is at least one failed check. |
+| :yellow_circle:  | There is at least one expected fail or skipped test and no failures. |
+
+Any failing test must be properly addressed with a new issue, detailing the error and the possible cause. It must be included in the `Fixes` section of the current release candidate main issue.
+
+Any expected fail or skipped test must have an issue justifying the reason. All auditors must validate the justification for an expected fail or skipped test.
+
+An extended report of the test results must be attached as a zip or txt. This report can be used by the auditors to dig deeper into any possible failures and details.
+
+## Conclusions
+
+<!--
+All tests have been executed and the results can be found [here]().
+
+All tests have passed and the fails have been reported or justified. I therefore conclude that this issue is finished and OK for this release candidate.
+
+For a detailed conclusion and report on the cluster performance metrics please refer to [Issue comment]().
+-->
+
+## Auditors validation
+The definition of done for this one is the validation of the conclusions and the test results from all auditors.
+
+All checks from below must be accepted in order to close this issue.
+
+- [ ]
diff --git a/.github/ISSUE_TEMPLATE/wpk_upgrade_tests.md b/.github/ISSUE_TEMPLATE/wpk_upgrade_tests.md
new file mode 100644
index 0000000000..237db48447
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/wpk_upgrade_tests.md
@@ -0,0 +1,205 @@
+---
+name: Release Candidate - WPK upgrade tests
+about: Report the results after upgrade agent via WPK.
+title: Release [WAZUH VERSION] - Release Candidate [RC VERSION] - WPK upgrade tests
+labels: ''
+assignees: ''
+
+---
+
+The following issue aims to run `upgrade WPK tests` for the current release candidate, report the results, and open new issues for any encountered errors.
+
+## WPK upgrade tests information
+
+|Main RC issue|Version|Release candidate|Tag|Previous issue|
+|---|---|---|---|---|
+||||||
+
+## Test report procedure
+All individual test checks must be marked as:
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| Pass | The test ran successfully. |
+| Xfail | The test was expected to fail and it failed. It must be properly justified and reported in an issue.  |
+| Skip | The test was not run. It must be properly justified and reported in an issue.  |
+| Fail | The test failed. A new issue must be opened to evaluate and address the problem. |
+
+All test results must have one the following statuses: 
+|                                  |                                            |
+|---------------------------------|--------------------------------------------|
+| :green_circle:  | All checks passed. |
+| :red_circle:  | There is at least one failed check. |
+| :yellow_circle:  | There is at least one expected fail or skipped test and no failures. |
+
+Any failing test must be properly addressed with a new issue, detailing the error and the possible cause. It must be included in the `Fixes` section of the current release candidate main issue.
+
+Any expected fail or skipped test must have an issue justifying the reason. All auditors must validate the justification for an expected fail or skipped test.
+
+An extended report of the test results must be attached as a zip or txt. This report can be used by the auditors to dig deeper into any possible failures and details.
+
+## Tests
+
+To evaluate this feature, it is necessary to test upgrading the agent and also the case when the upgrade fails (rollback). The `tree` command will be used to compare, before and after the upgrade/rollback process, and check that the presence, ownership and permissions of the files and directories are expected.
+
+Wazuh versions to test (Upgrade to the current agent version):
+### Linux
+
+|OS|Version|Status|Upgrade fail|Upgrade OK|
+|----|-----|------|---------------|------------------|
+|CentOS 6|3.6| | | | | 
+|CentOS 6|3.7| | | | |
+|CentOS 6|3.13.3| | | | |
+|CentOS 6|4.0.4| | | | |
+|CentOS 6|4.1.5| | | | |
+|CentOS 6|4.2.7| | | | |
+|CentOS 6|4.3.4| | | | |
+|CentOS 8|3.6| | | | |
+|CentOS 8|3.7| | | | |
+|CentOS 8|3.13.3| | | | |
+|CentOS 8|4.0.4| | | | |
+|CentOS 8|4.1.5| | | | |
+|CentOS 8|4.2.7| | | | |
+|CentOS 8|4.3.4| | | | |
+|Ubuntu 20|3.6| | | | |
+|Ubuntu 20|3.7| | | | |
+|Ubuntu 20|3.13.3||  | | |
+|Ubuntu 20|4.0.4||  | | |
+|Ubuntu 20|4.1.5|  |||  |
+|Ubuntu 20|4.2.7|  |||  |
+|Ubuntu 20|4.3 ||  |  |
+|openSUSE Tumbleweed|3.6| | | | |
+|openSUSE Tumbleweed|3.7| | | | |
+|openSUSE Tumbleweed|3.13.3|| || |
+|openSUSE Tumbleweed|4.0.4|| | ||
+|openSUSE Tumbleweed|4.1.5|| | ||
+|openSUSE Tumbleweed|4.2.7|| || |
+|openSUSE Tumbleweed|4.3| | |
+|Amazon Linux 2|3.6| | | | |
+|Amazon Linux 2|3.7| | | | |
+|Amazon Linux 2|3.13.3|| || |
+|Amazon Linux 2|4.0.4|| | ||
+|Amazon Linux 2|4.1.5|| | ||
+|Amazon Linux 2|4.2.7|| || |
+|Amazon Linux 2|4.3| | |
+
+### Windows
+
+|OS|Version|Status|Upgrade fail|Upgrade OK|
+|----|-----|------|---------------|------------------|
+|Server 2008|3.6| | | | |
+|Server 2008|3.7| | | | |
+|Server 2008|3.13.3|| || |
+|Server 2008|4.0.4|| | ||
+|Server 2008|4.1.5|| | ||
+|Server 2008|4.2.7|| || |
+|Server 2008|4.3| | |
+|Server 2012 R2|3.6| | | | |
+|Server 2012 R2|3.7| | | | |
+|Server 2012 R2|3.13.3|| || |
+|Server 2012 R2|4.0.4|| | ||
+|Server 2012 R2|4.1.5|| | ||
+|Server 2012 R2|4.2.7|| || |
+|Server 2012 R2|4.3| | |
+|Server 2016|3.6| | | | |
+|Server 2016|3.7| | | | |
+|Server 2016|3.13.3|| || |
+|Server 2016|4.0.4|| | ||
+|Server 2016|4.1.5|| | ||
+|Server 2016|4.2.7|| || |
+|Server 2016|4.3| | |
+|Server 2019|3.6| | | | |
+|Server 2019|3.7| | | | |
+|Server 2019|3.13.3|| || |
+|Server 2019|4.0.4|| | ||
+|Server 2019|4.1.5|| | ||
+|Server 2019|4.2.7|| || |
+|Server 2019|4.3| | |
+|Windows 10|3.6| | | | |
+|Windows 10|3.7| | | | |
+|Windows 10|3.13.3|| || |
+|Windows 10|4.0.4|| | ||
+|Windows 10|4.1.5|| | ||
+|Windows 10|4.2.7|| || |
+|Windows 10|4.3| | |
+|Server 2022|3.6| | | | |
+|Server 2022|3.7| | | | |
+|Server 2022|3.13.3|| || |
+|Server 2022|4.0.4|| | ||
+|Server 2022|4.1.5|| | ||
+|Server 2022|4.2.7|| || |
+|Server 2022|4.3| | |
+
+### macOS
+
+|OS|Version|Status|Upgrade fail|Upgrade OK|
+|----|-----------|--------|-------|------------------|
+| Sierra |4.3.0| || | | |
+| Sierra |4.3.4| || | | |
+| Catalina |4.3.0| || | | |
+| Catalina |4.3.4| || | | |
+| Big Sur |4.3.0| || | | |
+| Big Sur |4.3.4| || | | |
+| Monterey |4.3.0| || | | |
+| Monterey |4.3.4| || | | |
+
+<!--
+For each operating system and version, check the following points and add a comment for each OS tested.
+## Linux:
+###  UPGRADE FAIL
+
+- [ ] The wazuh home backup is restored correctly (no traces of the installation, but only the `.tar.gz` backup and the logs).
+- [ ] The permissions and owners of the following directories did NOT change:
+      - `/`
+      - `/var`
+      - `/usr`, `/usr/lib/`, `/usr/lib/systemd/`, `/usr/lib/systemd/system/`
+      - `/etc`, `/etc/systemd/`, `/etc/systemd/system/`, `/etc/rc.d`, `/etc/initd.d/`, `/etc/initd.d/rc.d/`
+- [ ] Wazuh service runs wazuh-control (`systemctl cat wazuh-agent.service`)
+- [ ] Wazuh service runs ossec-control (`systemctl cat wazuh-agent.service`)
+- [ ] The service was enabled (`systemctl is-enabled wazuh-agent.service`)
+- [ ] Init file runs wazuh-control (`cat /etc/rc.d/init.d/wazuh-agent`)
+- [ ] Init file runs ossec-control (`cat /etc/rc.d/init.d/wazuh-agent`)
+- [ ] Wazuh as service is enabled `chkconfig --list` 
+- [ ] Wazuh starts and connects when the backup is restored (`cat /var/ossec/var/run/ossec-agentd.state`)
+- [ ] Wazuh starts and connects automatically when the system is rebooted.
+- [ ] Restore SELinux policies (`semodule -l | grep -i wazuh`) (DISABLED)
+
+###  UPGRADE OK
+
+- [ ] Upgrade is performed successfully (agent connects to the manager after upgrading)
+- [ ] Service starts automatically after rebooting
+- [ ] Agent connects to the manager after rebooting
+
+## Windows:
+### UPGRADE FAIL
+- [ ] Wazuh-Agent folder tree:  No files are lost after the rollback. The logs of the failed upgrade (`ossec.log`) are kept.
+- [ ] After the rollback the agent connects to the manager
+- [ ] After reboot, the Wazuh-Agent starts and connects to the manager.
+- [ ] The correct Wazuh-Agent version is shown in the list of Windows' `programs and features`.
+- [ ] A new version of Wazuh-Agent can be manually installed via MSI after the rollback process.
+
+### UPGRADE OK
+
+- [ ] Message `Upgrade finished successfully.` is shown in `upgrade.log` file.
+- [ ] Wazuh service is started and the agent is connected to the manager.
+- [ ] The version shown in the control panel is 4.3
+
+## MacOS:
+### UPGRADE FAIL
+
+- [ ] Wazuh-Agent folder tree:  No files are lost after the rollback. The logs of the failed upgrade (`ossec.log`) are kept.
+- [ ] After the rollback the agent connects to the manager
+- [ ] After reboot, the Wazuh-Agent starts and connects to the manager.
+
+### UPGRADE OK
+
+- [ ] Message `Upgrade finished successfully.` is shown in `upgrade.log` file.
+- [ ] Wazuh service is started and the agent is connected to the manager.
+-->
+
+
+## Auditors validation
+The definition of done for this one is the validation of the conclusions and the test results from all auditors.
+
+All checks from below must be accepted in order to close this issue.
+
+- [ ]
diff --git a/.github/actions/clang_format/action.yml b/.github/actions/clang_format/action.yml
new file mode 100644
index 0000000000..7b5f7e1c8b
--- /dev/null
+++ b/.github/actions/clang_format/action.yml
@@ -0,0 +1,64 @@
+name: "Coding style check"
+description: "Validates the Coding style of a given module"
+
+inputs:
+  path:
+    required: true
+    description: "Path to validate"
+    default: src/
+  id:
+    required: true
+    description: "Module identifier, used to name the artifact"
+
+runs:
+  using: "composite"
+  steps:    
+      - name: Dependencies for local execution
+        if: env.ACT # Only run for local execution
+        shell: bash
+        run: |
+          wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|sudo apt-key add -
+          echo "deb http://deb.debian.org/debian/ testing main" >>  /etc/apt/sources.conf
+          sudo apt update
+
+      # Dependencies for testing:
+      # - clang-format 
+      - name: Install dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: clang-format 
+          version: 1.0
+
+      - name: Check Coding style
+        shell: bash
+        run: |
+
+          # Don't apply changes, just check
+          arguments="--dry-run "
+
+          # Retrieve all the source files for the desired module
+          sourceFiles=$(find ${{ inputs.path }} -type f \( -name "*.cpp" -o -name "*.hpp" \) | tr '\n' ' ')
+          arguments+="-i $sourceFiles "
+
+          ERRORS_FILE=${{ inputs.path }}/clang_format_errors.txt
+          clang-format $arguments 2> ${ERRORS_FILE}
+
+          # Check if there are errors
+          if [ -s "${ERRORS_FILE}" ]; then
+            echo "---------------------------------"
+            echo "FAILED: Clang-format check failed"
+            echo "---------------------------------"
+            exit 1
+          else
+            echo "---------------------------------"
+            echo "PASSED: Clang-format check passed"
+            echo "---------------------------------"
+          fi
+
+      # Upload errors as an artifact, when failed
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: Clang-format errors - ${{ inputs.id }}
+          path: ${{ inputs.path }}/clang_format_errors.txt
+          retention-days: 1
diff --git a/.github/actions/compile/action.yml b/.github/actions/compile/action.yml
new file mode 100644
index 0000000000..ff7c41cd70
--- /dev/null
+++ b/.github/actions/compile/action.yml
@@ -0,0 +1,25 @@
+name: "Compile"
+description: "Executes a compilation."
+
+inputs:
+  path:
+    required: true
+    description: "Path to compile and test"
+    default: src/
+
+runs:
+  using: "composite"
+  steps:
+      - name: Compile
+        run: |
+          SRC_FOLDER=$(pwd)/src
+
+          VERSION=$(cat src/VERSION)
+          echo $VERSION
+          REVISION=$(cat src/REVISION)
+          echo $REVISION
+
+          cd ${{ inputs.path }}
+          mkdir -p build && cd build
+          cmake -DSRC_FOLDER=${SRC_FOLDER} -DVERSION="$VERSION" -DREVISION="$REVISION" .. && make -j2
+        shell: bash
diff --git a/.github/actions/compile_and_test/action.yml b/.github/actions/compile_and_test/action.yml
new file mode 100644
index 0000000000..6b4477acab
--- /dev/null
+++ b/.github/actions/compile_and_test/action.yml
@@ -0,0 +1,87 @@
+name: "Compile and test"
+description: "Executes a compilation and test (optional) routine based on a path. It also validates the right execution with ASAN or Valgrind"
+
+inputs:
+  path:
+    required: true
+    description: "Path to compile and test"
+    default: src/
+  asan:
+    required: false
+    description: "Enable address sanitizer"
+    default: "false"
+  test:
+    required: false
+    description: "Run tests"
+    default: "true"
+
+runs:
+  using: "composite"
+  steps:
+      # Dependencies for testing:
+      # - valgrind
+      - name: Install dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: valgrind
+          version: 1.0
+
+      # Dependencies for coverage:
+      # - lcov
+      - name: Install dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: lcov
+          version: 1.0
+
+      - name: Compile
+        run: |
+          SRC_FOLDER=$(pwd)/src
+
+          VERSION=$(cat src/VERSION)
+          echo $VERSION
+          REVISION=$(cat src/REVISION)
+          echo $REVISION
+
+          cd ${{ inputs.path }}
+          mkdir -p build && cd build
+
+          if [[ ${{ inputs.test }} == "false" ]]; then
+            echo "Compiling without tests"
+            cmake -DSRC_FOLDER=${SRC_FOLDER} -DVERSION="$VERSION" -DREVISION="$REVISION" .. && make -j2
+          else
+            if [[ "${{ inputs.asan }}" != "false" ]]; then
+              # Compile for ASAN
+              echo "Compiling for ASAN"
+              export COMPILATION_FLAGS="-g -fsanitize=address -fsanitize=undefined -fsanitize=leak"
+            else
+              # Compile for valgrind and coverage
+              echo "Compiling for valgrind and coverage"
+              export COMPILATION_FLAGS="-fprofile-arcs -ftest-coverage -lgcov --coverage"
+            fi
+            # Read version and revision file.
+            cmake -DSRC_FOLDER=${SRC_FOLDER} -DCMAKE_CXX_FLAGS="$COMPILATION_FLAGS" -DUNIT_TEST=ON -DVERSION="$VERSION" -DREVISION="$REVISION" .. && make -j2
+          fi
+
+        shell: bash
+
+      - name: Test
+        run: |
+
+          if [[ ${{ inputs.test }} == "false" ]]; then
+            echo "Skipping tests"
+          else
+            cd ${{ inputs.path }}/build
+
+            if [[ "${{ inputs.asan }}" != "false" ]]; then
+              # Run for ASAN
+              echo "Running tests for ASAN"
+              ctest --output-on-failure
+            else
+              # Run for valgrind and coverage
+              echo "Running tests for valgrind and coverage"
+              valgrind ctest --output-on-failure
+            fi
+          fi
+
+        shell: bash
diff --git a/.github/actions/coverage/action.yml b/.github/actions/coverage/action.yml
new file mode 100644
index 0000000000..106e73a44a
--- /dev/null
+++ b/.github/actions/coverage/action.yml
@@ -0,0 +1,125 @@
+name: "Coverage"
+description: "Calculates the coverage for a module located on a given path"
+
+inputs:
+  path:
+    required: true
+    description: "Path to the module"
+  id:
+    required: true
+    description: "Module identifier, used to name the artifact"
+
+runs:
+  using: "composite"
+  steps:
+      - name: Dependencies for local execution
+        if: env.ACT # Only run for local execution
+        shell: bash
+        run: |
+
+          # Update packages
+          sudo apt-get update
+          sudo apt-get install -y bc
+
+      # Dependencies for testing:
+      # - lcov
+      - name: Install dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: lcov
+          version: 1.0
+
+      # Generate the coverage files
+      - name: Generate coverage files
+        shell: bash
+        run: |
+
+          cd ${{ inputs.path }}
+
+          # Set arguments
+          arguments="--capture "
+
+          # Set working directory
+          if [[ -d "build/tests/unit" ]]; then
+            arguments+="--directory build/tests/unit "
+          fi
+
+          if [[ -d "build/tests/component" ]]; then
+            arguments+="--directory build/tests/component "
+          fi
+
+          # Set output file
+          arguments+="--output-file build/coverage.info "
+
+          # # Disable branch coverage
+          arguments+="-rc lcov_branch_coverage=0 "
+
+          # Include test files
+          include_files=""
+          for file in $(find src/ include/ -type f -regextype posix-extended -regex ".*/*\.(hpp|cpp|h|c)")
+          do
+            if [[ ! "$file" =~ "_generated.h" ]]; then
+              include_files+="--include=$(pwd)$dir/$file "
+            fi
+          done
+          arguments+="$include_files"
+
+          echo "Executing: lcov $arguments"
+          lcov $arguments
+
+      # Generate the HTML coverage report
+      - name: Generate coverage report
+        shell: bash
+        run: |
+
+          cd ${{ inputs.path }}/build
+
+          # Generate HTML report
+          genhtml coverage.info --output-directory coverage_report
+
+      # Upload the coverage report as an artifact
+      - name: Uploading coverage report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: Coverage Report - ${{ inputs.id }}
+          path: ./${{ inputs.path }}/build/coverage_report
+          retention-days: 1
+
+      # Check whether the coverage is greater than 90% both for lines and functions
+      - name: Validate coverage
+        shell: bash
+        run: |
+
+          cd ${{ inputs.path }}
+
+          # Obtain the coverage data
+          coverageData=($(lcov --list build/coverage.info | tail -n1 | grep -oE '[0-9.]+%'))
+
+          # Check if lines the coverage is greater than 90%
+          linesCoverage=$(echo "${coverageData[0]}" | sed 's/%//')
+          echo "Lines coverage is: $linesCoverage %"
+          if ! (( $(echo "$linesCoverage > 90" | bc -l) )); then
+            echo "----------------------------------------"
+            echo "FAILED: Lines coverage is lower than 90%"
+            echo "----------------------------------------"
+            exit 1
+          else
+            echo "------------------------------------------"
+            echo "PASSED: Lines coverage is greater than 90%"
+            echo "------------------------------------------"
+          fi
+
+          # Check if functions coverage is greater than 90%
+          functionsCoverage=$(echo "${coverageData[1]}" | sed 's/%//')
+          echo "Functions coverage is: $functionsCoverage %"
+          if ! (( $(echo "$functionsCoverage > 90" | bc -l) )); then
+            echo "---------------------------------------------"
+            echo "FAILED: Functions coverage is lower than 90%"
+            echo "--------------------------------------------"
+            exit 1
+          else
+            echo "----------------------------------------------"
+            echo "PASSED: Functions coverage is greater than 90%"
+            echo "----------------------------------------------"
+          fi
diff --git a/.github/actions/doxygen/action.yml b/.github/actions/doxygen/action.yml
new file mode 100644
index 0000000000..dc250552e1
--- /dev/null
+++ b/.github/actions/doxygen/action.yml
@@ -0,0 +1,72 @@
+name: "Doxygen documentation generartion"
+description: "Generates the documentation for a given module"
+
+inputs:
+  path:
+    required: true
+    description: "Path to the module we want to generate documentation for"
+    default: src/
+  doxygen_config:
+    required: true
+    description: "Path to the doxygen configuration file"
+    default: src/Doxyfile
+  id:
+    required: true
+    description: "Module identifier, used to name the artifact"
+
+runs:
+  using: "composite"
+  steps:    
+      # Dependencies for testing:
+      # - doxygen 
+      # - graphviz
+      - name: Install dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: doxygen graphviz
+          version: 1.0
+
+      - name: Generate documentation
+        shell: bash
+        run: |
+
+          # Generate the doxygen configuration file
+          CONFIG_FILE=${{ inputs.path }}/doxygen_config.cfg
+          {
+              cat ${{ inputs.doxygen_config }}
+              echo "OUTPUT_DIRECTORY = ${{ inputs.path }}/doc"
+              echo "INPUT = ${{ inputs.path }}"
+          } > ${CONFIG_FILE}
+
+          # Generate the documentation
+          sudo dot -c
+          ERRORS_FILE=${{ inputs.path }}/doxygen_errors.txt
+          doxygen -s ${CONFIG_FILE} 2> ${ERRORS_FILE}
+
+          # Check if there are errors
+          if [ -s "${ERRORS_FILE}" ]; then
+            echo "-----------------------------------------------"
+            echo "FAILED: Doxygen documentation generation failed"
+            echo "-----------------------------------------------"
+            exit 1
+          else
+            echo "----------------------------------------------------"
+            echo "PASSED: Doxygen documentation generated successfully"
+            echo "----------------------------------------------------"
+          fi
+
+      # Upload errors as an artifact, when failed
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: Doxygen errors - ${{ inputs.id }}
+          path: ${{ inputs.path }}/doxygen_errors.txt
+          retention-days: 1
+
+      # Upload the documentation as an artifact, when successful
+      - uses: actions/upload-artifact@v3
+        if: success()
+        with:
+          name: Doxygen Documentation - ${{ inputs.id }}
+          path: ${{ inputs.path }}/doc
+          retention-days: 1
diff --git a/.github/actions/ghcr_pull_and_push/build_and_push_image_to_ghcr.sh b/.github/actions/ghcr_pull_and_push/build_and_push_image_to_ghcr.sh
new file mode 100644
index 0000000000..f24b6198b7
--- /dev/null
+++ b/.github/actions/ghcr_pull_and_push/build_and_push_image_to_ghcr.sh
@@ -0,0 +1,22 @@
+GITHUB_PUSH_SECRET=$1
+GITHUB_USER=$2
+DOCKER_IMAGE_NAME=$3
+BUILD_CONTEXT=$4
+DOCKERFILE_PATH="$BUILD_CONTEXT/Dockerfile"
+if [ -n "$5" ]; then
+    DOCKER_IMAGE_TAG=$5
+else
+    exit 1
+fi
+GITHUB_REPOSITORY="wazuh/wazuh"
+GITHUB_OWNER="wazuh"
+IMAGE_ID=ghcr.io/${GITHUB_OWNER}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}
+IMAGE_ID=$(echo ${IMAGE_ID} | tr '[A-Z]' '[a-z]')
+
+# Login to GHCR
+echo ${GITHUB_PUSH_SECRET} | docker login https://ghcr.io -u $GITHUB_USER --password-stdin
+
+# Build image
+echo build -t ${IMAGE_ID} -f ${DOCKERFILE_PATH} ${BUILD_CONTEXT}
+docker build -t ${IMAGE_ID} -f ${DOCKERFILE_PATH} ${BUILD_CONTEXT}
+docker push ${IMAGE_ID}
diff --git a/.github/actions/ghcr_pull_and_push/pull_image_from_ghcr.sh b/.github/actions/ghcr_pull_and_push/pull_image_from_ghcr.sh
new file mode 100644
index 0000000000..d17c6f45cc
--- /dev/null
+++ b/.github/actions/ghcr_pull_and_push/pull_image_from_ghcr.sh
@@ -0,0 +1,20 @@
+set -x
+GITHUB_PUSH_SECRET=$1
+GITHUB_USER=$2
+DOCKER_IMAGE_NAME=$3
+if [ -n "$4" ]; then
+    DOCKER_IMAGE_TAG="$4"
+else
+    exit 1
+fi
+GITHUB_REPOSITORY="wazuh/wazuh"
+GITHUB_OWNER="wazuh"
+IMAGE_ID=ghcr.io/${GITHUB_OWNER}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}
+IMAGE_ID=$(echo ${IMAGE_ID} | tr '[A-Z]' '[a-z]')
+
+# Login to GHCR
+echo ${GITHUB_PUSH_SECRET} | docker login https://ghcr.io -u $GITHUB_USER --password-stdin
+
+# Pull and rename image
+docker pull ${IMAGE_ID}
+docker image tag ghcr.io/${GITHUB_OWNER}/${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG} ${DOCKER_IMAGE_NAME}:${DOCKER_IMAGE_TAG}
diff --git a/.github/actions/ghcr_pull_and_push/retag_image.sh b/.github/actions/ghcr_pull_and_push/retag_image.sh
new file mode 100644
index 0000000000..2bd2bb7292
--- /dev/null
+++ b/.github/actions/ghcr_pull_and_push/retag_image.sh
@@ -0,0 +1,62 @@
+set -x
+GITHUB_PUSH_SECRET=$1
+GITHUB_USER=$2
+OLD_TAG=$3
+NEW_TAG=$4
+if [ -n "$5" ]; then
+    SINGLE_IMAGE="$5"
+fi
+
+IMAGES_LIST=(
+    "common_wpk_builder"
+    "compile_windows_agent"
+    "pkg_deb_agent_builder_i386"
+    "pkg_deb_agent_builder_amd64"
+    "pkg_deb_agent_builder_arm64"
+    "pkg_deb_agent_builder_armhf"
+    "pkg_deb_manager_builder_amd64"
+    "pkg_rpm_agent_builder_i386"
+    "pkg_rpm_agent_builder_amd64"
+    "pkg_rpm_agent_builder_arm64"
+    "pkg_rpm_agent_builder_armhf"
+    "pkg_rpm_manager_builder_amd64"
+    "pkg_rpm_legacy_builder_i386"
+    "pkg_rpm_legacy_builder_amd64"
+)
+
+retag_image(){
+    DOCKER_IMAGE_NAME="$1"
+    OLD_TAG="$2"
+    NEW_TAG="$3"
+    GITHUB_REPOSITORY="wazuh/wazuh"
+    GITHUB_OWNER="wazuh"
+    IMAGE_ID=$(echo "ghcr.io/${GITHUB_OWNER}/${DOCKER_IMAGE_NAME}" | tr '[A-Z]' '[a-z]')
+
+    # Bring old tag
+    pull_output=$(docker pull ${IMAGE_ID}:${OLD_TAG})
+
+    if echo "$pull_output" | grep -qi "error"; then
+        echo "Failed pulling ${IMAGE_ID}:${OLD_TAG}"
+        exit 1
+    else
+        # Retag
+        docker tag ${IMAGE_ID}:${OLD_TAG} ${IMAGE_ID}:${NEW_TAG}
+        # Upload
+        docker push ${IMAGE_ID}:${NEW_TAG}
+        docker rmi ${IMAGE_ID}:${OLD_TAG} -f
+        docker rmi ${IMAGE_ID}:${NEW_TAG} -f
+    fi
+}
+
+# Login to GHCR
+echo ${GITHUB_PUSH_SECRET} | docker login https://ghcr.io -u $GITHUB_USER --password-stdin
+
+if [ -n "$SINGLE_IMAGE" ]; then
+    # Retag the image passed as argument
+    retag_image $SINGLE_IMAGE $OLD_TAG $NEW_TAG
+else
+    # Iterate images list retagging
+    for DOCKER_IMAGE_NAME in "${IMAGES_LIST[@]}"; do
+        retag_image $DOCKER_IMAGE_NAME $OLD_TAG $NEW_TAG
+    done
+fi
diff --git a/.github/actions/install_build_deps/action.yml b/.github/actions/install_build_deps/action.yml
new file mode 100644
index 0000000000..3bcc43aac7
--- /dev/null
+++ b/.github/actions/install_build_deps/action.yml
@@ -0,0 +1,55 @@
+name: "Install Wazuh build dependencies"
+description: "This action installs all the requirements to test and build Wazuh agent/server in Ubuntu Linux"
+inputs:
+   target:
+     required: true
+     description: "Wazuh target to decide if install or not custom dependencies"
+runs:
+  using: "composite"
+  steps:
+    - name: Update apt-get
+      shell: bash
+      run: sudo apt-get update -y
+    - name: Install tools and libraries
+      shell: bash
+      run: sudo apt-get install cppcheck astyle valgrind lcov clang-tools -y
+    - name: Install mingw
+      shell: bash
+      run: |
+        if [[ "${{ inputs.target }}" == "winagent" ]]; then
+          sudo apt-get install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+        else
+          echo "Skipping mingw installation for this target"
+        fi
+    - name: Install wine
+      shell: bash
+      run: |
+        if [[ "${{ inputs.target }}" == "winagent" ]]; then
+          sudo dpkg --add-architecture i386
+          sudo mkdir -pm755 /etc/apt/keyrings
+          sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
+          sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
+          sudo apt-get update
+          sudo apt-get install -y --allow-downgrades libc6:i386 libgcc-s1:i386 libstdc++6:i386 wine-stable-i386 wine-stable-amd64 winehq-stable
+        else
+          echo "Skipping wine installation for this target"
+        fi
+    - name: Install CMocka
+      shell: bash
+      run: |
+        if [[ "${{ inputs.target }}" == "winagent" ]]; then
+          echo "Installing CMocka by sources with 'winagent' required flags"
+          cd /tmp
+          curl -L https://git.cryptomilk.org/projects/cmocka.git/snapshot/stable-1.1.tar.gz | \
+          tar zvx -C /tmp/ && \
+          sed -i "s|ON|OFF|g" /tmp/stable-1.1/DefineOptions.cmake && \
+          mkdir /tmp/stable-1.1/build && \
+          cd /tmp/stable-1.1/build && \
+          cmake -DCMAKE_C_COMPILER=i686-w64-mingw32-gcc -DCMAKE_C_LINK_EXECUTABLE=i686-w64-mingw32-ld -DCMAKE_INSTALL_PREFIX=/usr/i686-w64-mingw32/ -DCMAKE_SYSTEM_NAME=Windows -DCMAKE_BUILD_TYPE=Release .. && \
+          make && \
+          sudo make install && \
+          cd $GITHUB_WORKSPACE
+        else
+          echo "Installing CMocka directly from apt-get"
+          sudo apt-get install libcmocka-dev -y
+        fi
diff --git a/.github/actions/test_deploy_macos.sh b/.github/actions/test_deploy_macos.sh
new file mode 100644
index 0000000000..218b353fab
--- /dev/null
+++ b/.github/actions/test_deploy_macos.sh
@@ -0,0 +1,140 @@
+#!/bin/bash
+
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Global variables
+VERSION="$(sed 's/v//' src/VERSION)"
+MAJOR=$(echo "${VERSION}" | cut -dv -f2 | cut -d. -f1)
+MINOR=$(echo "${VERSION}" | cut -d. -f2)
+SHA="$(git rev-parse --short=7 "$1")"
+
+WAZUH_MACOS_AGENT_DEPLOYMENT_VARS="/tmp/wazuh_envs"
+conf_path="/Library/Ossec/etc/ossec.conf"
+
+VARS=( "WAZUH_MANAGER" "WAZUH_MANAGER_PORT" "WAZUH_PROTOCOL" "WAZUH_REGISTRATION_SERVER" "WAZUH_REGISTRATION_PORT" "WAZUH_REGISTRATION_PASSWORD" "WAZUH_KEEP_ALIVE_INTERVAL" "WAZUH_TIME_RECONNECT" "WAZUH_REGISTRATION_CA" "WAZUH_REGISTRATION_CERTIFICATE" "WAZUH_REGISTRATION_KEY" "WAZUH_AGENT_NAME" "WAZUH_AGENT_GROUP" "ENROLLMENT_DELAY" )
+VALUES=( "1.1.1.1" "7777" "udp" "2.2.2.2" "8888" "password" "10" "10" "/Library/Ossec/etc/testsslmanager.cert" "/Library/Ossec/etc/testsslmanager.cert" "/Library/Ossec/etc/testsslmanager.key" "test-agent" "test-group" "10" )
+TAGS1=( "<address>" "<port>" "<protocol>" "<manager_address>" "<port>" "<password>" "<notify_time>" "<time-reconnect>" "<server_ca_path>" "<agent_certificate_path>" "<agent_key_path>" "<agent_name>" "<groups>" "<delay_after_enrollment>" )
+TAGS2=( "</address>" "</port>" "</protocol>" "</manager_address>" "</port>" "</password>" "</notify_time>" "</time-reconnect>" "</server_ca_path>" "</agent_certificate_path>" "</agent_key_path>" "</agent_name>" "</groups>" "</delay_after_enrollment>" )
+WAZUH_REGISTRATION_PASSWORD_PATH="/Library/Ossec/etc/authd.pass"
+
+function install_wazuh(){
+
+  echo "Testing the following variables $1"
+
+  eval "echo \"$1\" > ${WAZUH_MACOS_AGENT_DEPLOYMENT_VARS} && installer -pkg wazuh-agent-${VERSION}-0.commit${SHA}.pkg -target / > /dev/null 2>&1"
+  
+}
+
+function remove_wazuh () {
+
+  /bin/rm -r /Library/Ossec > /dev/null 2>&1
+  /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist > /dev/null 2>&1
+  /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist > /dev/null 2>&1
+  /bin/rm -rf /Library/StartupItems/WAZUH > /dev/null 2>&1
+  /usr/bin/dscl . -delete "/Users/wazuh" > /dev/null 2>&1
+  /usr/bin/dscl . -delete "/Groups/wazuh" > /dev/null 2>&1
+  /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent > /dev/null 2>&1
+
+}
+
+function test() {
+
+  for i in "${!VARS[@]}"; do
+    if ( echo "${@}" | grep -q -w "${VARS[i]}" ); then
+      if [ "${VARS[i]}" == "WAZUH_MANAGER" ] || [ "${VARS[i]}" == "WAZUH_PROTOCOL" ]; then
+        LIST=( "${VALUES[i]//,/ }" )
+        for j in "${!LIST[@]}"; do
+          if ( grep -q "${TAGS1[i]}${LIST[j]}${TAGS2[i]}" "${conf_path}" ); then
+            echo "The variable ${VARS[i]} is set correctly"
+          else
+            echo "The variable ${VARS[i]} is not set correctly"
+            exit 1
+          fi
+        done
+      elif [ "${VARS[i]}" == "WAZUH_REGISTRATION_PASSWORD" ]; then
+        if ( grep -q "${VALUES[i]}" "${WAZUH_REGISTRATION_PASSWORD_PATH}" ); then
+          echo "The variable ${VARS[i]} is set correctly"
+        else
+          echo "The variable ${VARS[i]} is not set correctly"
+          exit 1
+        fi
+      else
+        if ( grep -q "${TAGS1[i]}${VALUES[i]}${TAGS2[i]}" "${conf_path}" ); then
+          echo "The variable ${VARS[i]} is set correctly"
+        else
+          echo "The variable ${VARS[i]} is not set correctly"
+          exit 1
+        fi
+      fi
+    fi
+  done
+
+}
+
+echo "Download package https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/${MAJOR}.${MINOR}/macos/wazuh-agent-${VERSION}-0.commit${SHA}.pkg"
+wget "https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/${MAJOR}.${MINOR}/macos/wazuh-agent-${VERSION}-0.commit${SHA}.pkg" > /dev/null 2>&1
+
+install_wazuh "WAZUH_MANAGER='1.1.1.1' && WAZUH_MANAGER_PORT='7777' && WAZUH_PROTOCOL='udp' && WAZUH_REGISTRATION_SERVER='2.2.2.2' && WAZUH_REGISTRATION_PORT='8888' && WAZUH_REGISTRATION_PASSWORD='password' && WAZUH_KEEP_ALIVE_INTERVAL='10' && WAZUH_TIME_RECONNECT='10' && WAZUH_REGISTRATION_CA='/Library/Ossec/etc/testsslmanager.cert' && WAZUH_REGISTRATION_CERTIFICATE='/Library/Ossec/etc/testsslmanager.cert' && WAZUH_REGISTRATION_KEY='/Library/Ossec/etc/testsslmanager.key' && WAZUH_AGENT_NAME='test-agent' && WAZUH_AGENT_GROUP='test-group' && ENROLLMENT_DELAY='10'" 
+test "WAZUH_MANAGER WAZUH_MANAGER_PORT WAZUH_PROTOCOL WAZUH_REGISTRATION_SERVER WAZUH_REGISTRATION_PORT WAZUH_REGISTRATION_PASSWORD WAZUH_KEEP_ALIVE_INTERVAL WAZUH_TIME_RECONNECT WAZUH_REGISTRATION_CA WAZUH_REGISTRATION_CERTIFICATE WAZUH_REGISTRATION_KEY WAZUH_AGENT_NAME WAZUH_AGENT_GROUP ENROLLMENT_DELAY" 
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER='1.1.1.1'"
+test "WAZUH_MANAGER"
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER_PORT='7777'"
+test "WAZUH_MANAGER_PORT"
+remove_wazuh
+
+install_wazuh "WAZUH_PROTOCOL='udp'"
+test "WAZUH_PROTOCOL"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_SERVER='2.2.2.2'"
+test "WAZUH_REGISTRATION_SERVER"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PORT='8888'"
+test "WAZUH_REGISTRATION_PORT"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PASSWORD='password'"
+test "WAZUH_REGISTRATION_PASSWORD"
+remove_wazuh
+
+install_wazuh "WAZUH_KEEP_ALIVE_INTERVAL='10'"
+test "WAZUH_KEEP_ALIVE_INTERVAL"
+remove_wazuh
+
+install_wazuh "WAZUH_TIME_RECONNECT='10'"
+test "WAZUH_TIME_RECONNECT"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CA='/Library/Ossec/etc/testsslmanager.cert'"
+test "WAZUH_REGISTRATION_CA"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CERTIFICATE='/Library/Ossec/etc/testsslmanager.cert'"
+test "WAZUH_REGISTRATION_CERTIFICATE"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_KEY='/Library/Ossec/etc/testsslmanager.key'"
+test "WAZUH_REGISTRATION_KEY"
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_NAME='test-agent'"
+test "WAZUH_AGENT_NAME"
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_GROUP='test-group'"
+test "WAZUH_AGENT_GROUP"
+remove_wazuh
+
+install_wazuh "ENROLLMENT_DELAY='10'"
+test "ENROLLMENT_DELAY"
+remove_wazuh
diff --git a/.github/actions/test_deploy_ubuntu.sh b/.github/actions/test_deploy_ubuntu.sh
new file mode 100644
index 0000000000..4558757853
--- /dev/null
+++ b/.github/actions/test_deploy_ubuntu.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Global variables
+VERSION="$(sed 's/v//' src/VERSION)"
+MAJOR=$(echo "${VERSION}" | cut -dv -f2 | cut -d. -f1)
+MINOR=$(echo "${VERSION}" | cut -d. -f2)
+SHA="$(git rev-parse --short=7 "$1")"
+
+conf_path="/var/ossec/etc/ossec.conf"
+
+VARS=( "WAZUH_MANAGER" "WAZUH_MANAGER_PORT" "WAZUH_PROTOCOL" "WAZUH_REGISTRATION_SERVER" "WAZUH_REGISTRATION_PORT" "WAZUH_REGISTRATION_PASSWORD" "WAZUH_KEEP_ALIVE_INTERVAL" "WAZUH_TIME_RECONNECT" "WAZUH_REGISTRATION_CA" "WAZUH_REGISTRATION_CERTIFICATE" "WAZUH_REGISTRATION_KEY" "WAZUH_AGENT_NAME" "WAZUH_AGENT_GROUP" "ENROLLMENT_DELAY" )
+VALUES=( "1.1.1.1" "7777" "udp" "2.2.2.2" "8888" "password" "10" "10" "/var/ossec/etc/testsslmanager.cert" "/var/ossec/etc/testsslmanager.cert" "/var/ossec/etc/testsslmanager.key" "test-agent" "test-group" "10" )
+TAGS1=( "<address>" "<port>" "<protocol>" "<manager_address>" "<port>" "<password>" "<notify_time>" "<time-reconnect>" "<server_ca_path>" "<agent_certificate_path>" "<agent_key_path>" "<agent_name>" "<groups>" "<delay_after_enrollment>" )
+TAGS2=( "</address>" "</port>" "</protocol>" "</manager_address>" "</port>" "</password>" "</notify_time>" "</time-reconnect>" "</server_ca_path>" "</agent_certificate_path>" "</agent_key_path>" "</agent_name>" "</groups>" "</delay_after_enrollment>" )
+WAZUH_REGISTRATION_PASSWORD_PATH="/var/ossec/etc/authd.pass"
+
+function install_wazuh(){
+
+  echo "Testing the following variables $*"
+  eval "${*} apt install -y ./wazuh-agent_${VERSION}-0.commit${SHA}_amd64.deb > /dev/null 2>&1"
+  
+}
+
+function remove_wazuh () {
+
+  apt purge -y wazuh-agent > /dev/null 2>&1
+
+}
+
+function test() {
+
+  for i in "${!VARS[@]}"; do
+    if ( echo "${@}" | grep -q -w "${VARS[i]}" ); then
+      if [ "${VARS[i]}" == "WAZUH_MANAGER" ] || [ "${VARS[i]}" == "WAZUH_PROTOCOL" ]; then
+        LIST=( "${VALUES[i]//,/ }" )
+        for j in "${!LIST[@]}"; do
+          if ( grep -q "${TAGS1[i]}${LIST[j]}${TAGS2[i]}" "${conf_path}" ); then
+            echo "The variable ${VARS[i]} is set correctly"
+          else
+            echo "The variable ${VARS[i]} is not set correctly"
+            exit 1
+          fi
+        done
+      elif [ "${VARS[i]}" == "WAZUH_REGISTRATION_PASSWORD" ]; then
+        if ( grep -q "${VALUES[i]}" "${WAZUH_REGISTRATION_PASSWORD_PATH}" ); then
+          echo "The variable ${VARS[i]} is set correctly"
+        else
+          echo "The variable ${VARS[i]} is not set correctly"
+          exit 1
+        fi
+      else
+        if ( grep -q "${TAGS1[i]}${VALUES[i]}${TAGS2[i]}" "${conf_path}" ); then
+          echo "The variable ${VARS[i]} is set correctly"
+        else
+          echo "The variable ${VARS[i]} is not set correctly"
+          exit 1
+        fi
+      fi
+    fi
+  done
+
+}
+
+echo "Download package: https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/${MAJOR}.${MINOR}/deb/var/wazuh-agent_${VERSION}-0.commit${SHA}_amd64.deb"
+wget "https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/${MAJOR}.${MINOR}/deb/var/wazuh-agent_${VERSION}-0.commit${SHA}_amd64.deb" > /dev/null 2>&1
+
+install_wazuh "WAZUH_MANAGER=1.1.1.1 WAZUH_MANAGER_PORT=7777 WAZUH_PROTOCOL=udp WAZUH_REGISTRATION_SERVER=2.2.2.2 WAZUH_REGISTRATION_PORT=8888 WAZUH_REGISTRATION_PASSWORD=password WAZUH_KEEP_ALIVE_INTERVAL=10 WAZUH_TIME_RECONNECT=10 WAZUH_REGISTRATION_CA=/var/ossec/etc/testsslmanager.cert WAZUH_REGISTRATION_CERTIFICATE=/var/ossec/etc/testsslmanager.cert WAZUH_REGISTRATION_KEY=/var/ossec/etc/testsslmanager.key WAZUH_AGENT_NAME=test-agent WAZUH_AGENT_GROUP=test-group ENROLLMENT_DELAY=10" 
+test "WAZUH_MANAGER WAZUH_MANAGER_PORT WAZUH_PROTOCOL WAZUH_REGISTRATION_SERVER WAZUH_REGISTRATION_PORT WAZUH_REGISTRATION_PASSWORD WAZUH_KEEP_ALIVE_INTERVAL WAZUH_TIME_RECONNECT WAZUH_REGISTRATION_CA WAZUH_REGISTRATION_CERTIFICATE WAZUH_REGISTRATION_KEY WAZUH_AGENT_NAME WAZUH_AGENT_GROUP ENROLLMENT_DELAY" 
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER=1.1.1.1"
+test "WAZUH_MANAGER"
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER_PORT=7777"
+test "WAZUH_MANAGER_PORT"
+remove_wazuh
+
+install_wazuh "WAZUH_PROTOCOL=udp"
+test "WAZUH_PROTOCOL"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_SERVER=2.2.2.2"
+test "WAZUH_REGISTRATION_SERVER"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PORT=8888"
+test "WAZUH_REGISTRATION_PORT"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PASSWORD=password"
+test "WAZUH_REGISTRATION_PASSWORD"
+remove_wazuh
+
+install_wazuh "WAZUH_KEEP_ALIVE_INTERVAL=10"
+test "WAZUH_KEEP_ALIVE_INTERVAL"
+remove_wazuh
+
+install_wazuh "WAZUH_TIME_RECONNECT=10"
+test "WAZUH_TIME_RECONNECT"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CA=/var/ossec/etc/testsslmanager.cert"
+test "WAZUH_REGISTRATION_CA"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CERTIFICATE=/var/ossec/etc/testsslmanager.cert"
+test "WAZUH_REGISTRATION_CERTIFICATE"
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_KEY=/var/ossec/etc/testsslmanager.key"
+test "WAZUH_REGISTRATION_KEY"
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_NAME=test-agent"
+test "WAZUH_AGENT_NAME"
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_GROUP=test-group"
+test "WAZUH_AGENT_GROUP"
+remove_wazuh
+
+install_wazuh "ENROLLMENT_DELAY=10"
+test "ENROLLMENT_DELAY"
+remove_wazuh
diff --git a/.github/actions/test_deploy_win.ps1 b/.github/actions/test_deploy_win.ps1
new file mode 100644
index 0000000000..81cd0d886f
--- /dev/null
+++ b/.github/actions/test_deploy_win.ps1
@@ -0,0 +1,157 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+$VERSION = Get-Content src/VERSION
+[version]$VERSION = $VERSION -replace '[v]',''
+$MAJOR=$VERSION.Major
+$MINOR=$VERSION.Minor
+$SHA= git rev-parse --short $args[0]
+
+$TEST_ARRAY=@( 
+              @("WAZUH_MANAGER ", "1.1.1.1", "<address>", "</address>"), 
+              @("WAZUH_MANAGER_PORT ", "7777", "<port>", "</port>"),
+              @("WAZUH_PROTOCOL ", "udp", "<protocol>", "</protocol>"),
+              @("WAZUH_REGISTRATION_SERVER ", "2.2.2.2", "<manager_address>", "</manager_address>"),
+              @("WAZUH_REGISTRATION_PORT ", "8888", "<port>", "</port>"),
+              @("WAZUH_REGISTRATION_PASSWORD ", "password", "<password>", "</password>"),
+              @("WAZUH_KEEP_ALIVE_INTERVAL ", "10", "<notify_time>", "</notify_time>"),
+              @("WAZUH_TIME_RECONNECT ", "10", "<time-reconnect>", "</time-reconnect>"),
+              @("WAZUH_REGISTRATION_CA ", "/var/ossec/etc/testsslmanager.cert", "<server_ca_path>", "</server_ca_path>"),
+              @("WAZUH_REGISTRATION_CERTIFICATE ", "/var/ossec/etc/testsslmanager.cert", "<agent_certificate_path>", "</agent_certificate_path>"),
+              @("WAZUH_REGISTRATION_KEY ", "/var/ossec/etc/testsslmanager.key", "<agent_key_path>", "</agent_key_path>"),
+              @("WAZUH_AGENT_NAME ", "test-agent", "<agent_name>", "</agent_name>"),
+              @("WAZUH_AGENT_GROUP ", "test-group", "<groups>", "</groups>"),
+              @("ENROLLMENT_DELAY ", "10", "<delay_after_enrollment>", "</delay_after_enrollment>")
+)
+
+function install_wazuh($vars)
+{
+
+    Write-Output "Testing the following variables $vars"
+    Start-Process  C:\Windows\System32\msiexec.exe -ArgumentList  "/i wazuh-agent-$VERSION-0.commit$SHA.msi /qn $vars" -wait
+    
+}
+
+function remove_wazuh
+{
+
+    Start-Process  C:\Windows\System32\msiexec.exe -ArgumentList "/x wazuh-agent-$VERSION-commit$SHA.msi /qn" -wait
+
+}
+
+function test($vars)
+{
+
+  For ($i=0; $i -lt $TEST_ARRAY.Length; $i++) {
+    if($vars.Contains($TEST_ARRAY[$i][0])) {
+      if ( ($TEST_ARRAY[$i][0] -eq "WAZUH_MANAGER ") -OR ($TEST_ARRAY[$i][0] -eq "WAZUH_PROTOCOL ") ) {
+        $LIST = $TEST_ARRAY[$i][1].split(",")
+        For ($j=0; $j -lt $LIST.Length; $j++) {
+          $SEL = Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.conf' -Pattern "$($TEST_ARRAY[$i][2])$($LIST[$j])$($TEST_ARRAY[$i][3])"
+          if($SEL -ne $null) {
+            Write-Output "The variable $($TEST_ARRAY[$i][0]) is set correctly"
+          }
+          if($SEL -eq $null) {
+            Write-Output "The variable $($TEST_ARRAY[$i][0]) is not set correctly"
+            exit 1
+          }
+        }
+      }
+      ElseIf ( ($TEST_ARRAY[$i][0] -eq "WAZUH_REGISTRATION_PASSWORD ") ) {
+        if (Test-Path 'C:\Program Files (x86)\ossec-agent\authd.pass'){
+          $SEL = Select-String -Path 'C:\Program Files (x86)\ossec-agent\authd.pass' -Pattern "$($TEST_ARRAY[$i][1])"
+          if($SEL -ne $null) {
+            Write-Output "The variable $($TEST_ARRAY[$i][0]) is set correctly"
+          }
+          if($SEL -eq $null) {
+            Write-Output "The variable $($TEST_ARRAY[$i][0]) is not set correctly"
+            exit 1
+          }
+        }
+        else
+        {
+          Write-Output "WAZUH_REGISTRATION_PASSWORD is not correct"
+          exit 1
+        }
+      }
+      Else {
+        $SEL = Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.conf' -Pattern "$($TEST_ARRAY[$i][2])$($TEST_ARRAY[$i][1])$($TEST_ARRAY[$i][3])"
+        if($SEL -ne $null) {
+          Write-Output "The variable $($TEST_ARRAY[$i][0]) is set correctly"
+        }
+        if($SEL -eq $null) {
+          Write-Output "The variable $($TEST_ARRAY[$i][0]) is not set correctly"
+          exit 1
+        }
+      }
+    }
+  }
+
+}
+
+Write-Output "Download package: https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/$MAJOR.$MINOR/windows/wazuh-agent-$VERSION-0.commit$SHA.msi"
+Invoke-WebRequest -Uri "https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/pullrequests/$MAJOR.$MINOR/windows/wazuh-agent-$VERSION-0.commit$SHA.msi" -OutFile "wazuh-agent-$VERSION-0.commit$SHA.msi"
+
+install_wazuh "WAZUH_MANAGER=1.1.1.1 WAZUH_MANAGER_PORT=7777 WAZUH_PROTOCOL=udp WAZUH_REGISTRATION_SERVER=2.2.2.2 WAZUH_REGISTRATION_PORT=8888 WAZUH_REGISTRATION_PASSWORD=password WAZUH_KEEP_ALIVE_INTERVAL=10 WAZUH_TIME_RECONNECT=10 WAZUH_REGISTRATION_CA=/var/ossec/etc/testsslmanager.cert WAZUH_REGISTRATION_CERTIFICATE=/var/ossec/etc/testsslmanager.cert WAZUH_REGISTRATION_KEY=/var/ossec/etc/testsslmanager.key WAZUH_AGENT_NAME=test-agent WAZUH_AGENT_GROUP=test-group ENROLLMENT_DELAY=10" 
+test "WAZUH_MANAGER WAZUH_MANAGER_PORT WAZUH_PROTOCOL WAZUH_REGISTRATION_SERVER WAZUH_REGISTRATION_PORT WAZUH_REGISTRATION_PASSWORD WAZUH_KEEP_ALIVE_INTERVAL WAZUH_TIME_RECONNECT WAZUH_REGISTRATION_CA WAZUH_REGISTRATION_CERTIFICATE WAZUH_REGISTRATION_KEY WAZUH_AGENT_NAME WAZUH_AGENT_GROUP ENROLLMENT_DELAY " 
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER=1.1.1.1"
+test "WAZUH_MANAGER "
+remove_wazuh
+
+install_wazuh "WAZUH_MANAGER_PORT=7777"
+test "WAZUH_MANAGER_PORT "
+remove_wazuh
+
+install_wazuh "WAZUH_PROTOCOL=udp"
+test "WAZUH_PROTOCOL "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_SERVER=2.2.2.2"
+test "WAZUH_REGISTRATION_SERVER "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PORT=8888"
+test "WAZUH_REGISTRATION_PORT "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_PASSWORD=password"
+test "WAZUH_REGISTRATION_PASSWORD "
+remove_wazuh
+
+install_wazuh "WAZUH_KEEP_ALIVE_INTERVAL=10"
+test "WAZUH_KEEP_ALIVE_INTERVAL "
+remove_wazuh
+
+install_wazuh "WAZUH_TIME_RECONNECT=10"
+test "WAZUH_TIME_RECONNECT "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CA=/var/ossec/etc/testsslmanager.cert"
+test "WAZUH_REGISTRATION_CA "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_CERTIFICATE=/var/ossec/etc/testsslmanager.cert"
+test "WAZUH_REGISTRATION_CERTIFICATE "
+remove_wazuh
+
+install_wazuh "WAZUH_REGISTRATION_KEY=/var/ossec/etc/testsslmanager.key"
+test "WAZUH_REGISTRATION_KEY "
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_NAME=test-agent"
+test "WAZUH_AGENT_NAME "
+remove_wazuh
+
+install_wazuh "WAZUH_AGENT_GROUP=test-group"
+test "WAZUH_AGENT_GROUP "
+remove_wazuh
+
+install_wazuh "ENROLLMENT_DELAY=10"
+test "ENROLLMENT_DELAY "
+remove_wazuh
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100755
index 0000000000..ed578180d8
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,76 @@
+|Related issue|
+|---|
+||
+
+<!--
+This template reflects sections that must be included in new Pull requests.
+Contributions from the community are really appreciated. If this is the case, please add the
+"contribution" to properly track the Pull Request.
+
+Please fill the table above. Feel free to extend it at your convenience.
+-->
+
+## Description
+
+<!--
+Add a clear description of how the problem has been solved.
+-->
+
+## Configuration options
+
+<!--
+When proceed, this section should include new configuration parameters.
+-->
+
+## Logs/Alerts example
+
+<!--
+Paste here related logs and alerts
+-->
+
+## Tests
+
+<!--
+Depending on the affected components by this PR, the following checks should be selected and marked.
+-->
+
+<!-- Minimum checks required -->
+- Compilation without warnings in every supported platform
+  - [ ] Linux
+  - [ ] Windows
+  - [ ] MAC OS X
+- [ ] Source installation
+- [ ] Package installation
+- [ ] Source upgrade
+- [ ] Package upgrade
+- [ ] Review logs syntax and correct language
+- [ ] QA templates contemplate the added capabilities
+
+<!-- Depending on the affected OS -->
+- Memory tests for Linux
+  - [ ] Scan-build report
+  - [ ] Coverity
+  - [ ] Valgrind (memcheck and descriptor leaks check)
+  - [ ] Dr. Memory
+  - [ ] AddressSanitizer
+- Memory tests for Windows
+  - [ ] Scan-build report
+  - [ ] Coverity
+  - [ ] Dr. Memory
+- Memory tests for macOS
+  - [ ] Scan-build report
+  - [ ] Leaks
+  - [ ] AddressSanitizer
+
+<!-- Checks for huge PRs that affect the product more generally -->
+- [ ] Retrocompatibility with older Wazuh versions
+- [ ] Working on cluster environments
+- [ ] Configuration on demand reports new parameters
+- [ ] The data flow works as expected (agent-manager-api-app)
+- [ ] Added unit tests (for new features)
+- [ ] Stress test for affected components
+
+<!-- Ruleset required checks, rules/decoder -->
+- Decoder/Rule tests
+  - [ ] Added unit testing files ".ini"
+  - [ ] runtests.py executed without errors
\ No newline at end of file
diff --git a/.github/workflows/.python_version b/.github/workflows/.python_version
new file mode 100644
index 0000000000..2c0733315e
--- /dev/null
+++ b/.github/workflows/.python_version
@@ -0,0 +1 @@
+3.11
diff --git a/.github/workflows/deployment_vars.yml b/.github/workflows/deployment_vars.yml
new file mode 100644
index 0000000000..1f1c7ba1c1
--- /dev/null
+++ b/.github/workflows/deployment_vars.yml
@@ -0,0 +1,79 @@
+name: Deployment variable tests
+on:
+    pull_request:
+        paths:
+            - 'src/init/register_configure_agent.sh'
+            - 'src/win32/InstallerScripts.vbs'
+
+jobs:
+    test_ubuntu:
+        name: Test Deployment variables on Ubuntu
+        runs-on: ubuntu-latest
+        steps:
+          - uses: actions/checkout@v2
+
+          - name: Wait for build to succeed
+            uses: fountainhead/action-wait-for-check@v1.0.0
+            id: wait-for-build-deb
+            with:
+              token: ${{ secrets.GITHUB_TOKEN }}
+              checkName: 'Build Linux amd64 agent deb package'
+              ref: ${{ github.event.pull_request.head.sha || github.sha }}
+              timeoutSeconds: 3600
+              intervalSeconds: 60
+
+          - name: Fail after timeout
+            if: steps.wait-for-build.outputs.conclusion == 'timed_out'
+            run: exit 1
+
+          - name: Run test
+            if: steps.wait-for-build-deb.outputs.conclusion == 'success'
+            run: sudo bash .github/actions/test_deploy_ubuntu.sh ${{ github.event.pull_request.head.sha || github.sha }}
+
+    test_macos:
+        name: Test Deployment variables on macOS
+        runs-on: macOS-latest
+        steps:
+          - uses: actions/checkout@v2
+
+          - name: Wait for build to succeed
+            uses: fountainhead/action-wait-for-check@v1.0.0
+            id: wait-for-build-macos
+            with:
+              token: ${{ secrets.GITHUB_TOKEN }}
+              checkName: 'Build macOS agent package signed MacOS'
+              ref: ${{ github.event.pull_request.head.sha || github.sha }}
+              timeoutSeconds: 3600
+              intervalSeconds: 60
+          
+          - name: Fail after timeout
+            if: steps.wait-for-build.outputs.conclusion == 'timed_out'
+            run: exit 1
+
+          - name: Run test
+            if: steps.wait-for-build-macos.outputs.conclusion == 'success'
+            run: sudo bash .github/actions/test_deploy_macos.sh ${{ github.event.pull_request.head.sha || github.sha }}
+
+    test_windows:
+        name: Test Deployment variables on Windows
+        runs-on: windows-latest
+        steps:
+          - uses: actions/checkout@v2
+
+          - name: Wait for build to succeed
+            uses: fountainhead/action-wait-for-check@v1.0.0
+            id: wait-for-build-win
+            with:
+              token: ${{ secrets.GITHUB_TOKEN }}
+              checkName: 'Build Windows i386 agent package'
+              ref: ${{ github.event.pull_request.head.sha || github.sha }}
+              timeoutSeconds: 3600
+              intervalSeconds: 60
+
+          - name: Fail after timeout
+            if: steps.wait-for-build.outputs.conclusion == 'timed_out'
+            run: exit 1
+
+          - name: Run test
+            if: steps.wait-for-build-win.outputs.conclusion == 'success'
+            run: .github/actions/test_deploy_win.ps1 ${{ github.event.pull_request.head.sha || github.sha }}
diff --git a/.github/workflows/integration_tests_aws_tier_0_1.yml b/.github/workflows/integration_tests_aws_tier_0_1.yml
new file mode 100644
index 0000000000..5b56a974d7
--- /dev/null
+++ b/.github/workflows/integration_tests_aws_tier_0_1.yml
@@ -0,0 +1,178 @@
+name: Integration tests for AWS - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+      base_qa_it_fw_branch:
+        description: 'Base qa-integration-framework branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+      QA_IT_FW_BRANCH: ${{ github.base_ref || inputs.base_qa_it_fw_branch }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.IT_AWS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.IT_AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: 'us-east-1'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          elif [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${QA_IT_FW_BRANCH}`" != "X" ]; then
+              QA_BRANCH=${QA_IT_FW_BRANCH}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      - name: Set AWS credentials file
+        run: |
+          sudo aws configure set aws_access_key_id ${{ secrets.IT_AWS_KEY_ID }} --profile default
+          sudo aws configure set aws_secret_access_key ${{ secrets.IT_AWS_SECRET_ACCESS_KEY }} --profile default
+          sudo aws configure set default.region ${AWS_DEFAULT_REGION} --profile default
+      # Build wazuh server for linux.
+      - name: Build wazuh server for linux
+        run: |
+          make deps -C src TARGET=server -j2
+          make -C src TARGET=server -j2
+      # Install wazuh server for linux.
+      - name: Install wazuh server for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="server"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCOLLECTOR="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SCA="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_UPDATE_CHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Run AWS integration tests.
+      - name: Run Parser related tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/aws_s3.py') ||
+            contains(steps.get_modified_files.outputs.files, 'wodles/aws/aws_tools.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 test_aws/test_parser.py
+      - name: Run every test due to base WazuhIntegration class change or manual dispatch
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/wazuh_integration.py') ||
+            ${{ github.event_name == 'workflow_dispatch' }}
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 test_aws/
+      # Bucket tests
+      - name: Run Custom Buckets tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k kms test_aws/
+          sudo python3 -m pytest --tier 0 --tier 1 -k macie test_aws/
+          sudo python3 -m pytest --tier 0 --tier 1 -k trusted_advisor test_aws/
+      - name: Run Config tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/config.py') ||
+            contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k config test_aws/
+      - name: Run GuardDuty tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/guardduty.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k guardduty test_aws/
+      - name: Run CloudTrail tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/cloudtrail.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k cloudtrail test_aws/
+      - name: Run Load Balancers tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/load_balancers.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k alb test_aws/
+          sudo python3 -m pytest --tier 0 --tier 1 -k clb test_aws/
+          sudo python3 -m pytest --tier 0 --tier 1 -k nlb test_aws/
+      - name: Run Server Access tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/server_access.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k server_access test_aws/
+      - name: Run Umbrella tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/umbrella.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k cisco test_aws/
+      - name: Run VPC Flow tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/vpcflow.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k vpc test_aws/
+      - name: Run WAF tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/waf.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/buckets_s3/aws_bucket.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k waf test_aws/
+      # Services tests
+      - name: Run CloudWatch tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/services/cloudwatchlogs.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/services/aws_service.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k cloudwatch test_aws/
+      - name: Run Inspector tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/services/inspector.py') ||
+          contains(steps.get_modified_files.outputs.files, 'wodles/aws/services/aws_service.py')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 -k inspector test_aws/
+      # Custom Logs Buckets tests
+      - name: Run Inspector tests
+        if: contains(steps.get_modified_files.outputs.files, 'wodles/aws/subscribers/**')
+        run: |
+          cd tests/integration
+          sudo python3 -m pytest --tier 0 --tier 1 test_aws/test_custom_bucket.py
diff --git a/.github/workflows/integration_tests_execd_tier_0_1_lin.yml b/.github/workflows/integration_tests_execd_tier_0_1_lin.yml
new file mode 100644
index 0000000000..ea68708115
--- /dev/null
+++ b/.github/workflows/integration_tests_execd_tier_0_1_lin.yml
@@ -0,0 +1,78 @@
+name: Integration tests for Execd on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run execd integration tests.
+      - name: Run execd integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_execd/
diff --git a/.github/workflows/integration_tests_execd_tier_0_1_win.yml b/.github/workflows/integration_tests_execd_tier_0_1_win.yml
new file mode 100644
index 0000000000..2244853f9c
--- /dev/null
+++ b/.github/workflows/integration_tests_execd_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for Execd on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run execd integration tests.
+      - name: Run execd integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest -m win32 --tier 0 --tier 1 test_execd\
diff --git a/.github/workflows/integration_tests_fim_tier_0_1_lin.yml b/.github/workflows/integration_tests_fim_tier_0_1_lin.yml
new file mode 100644
index 0000000000..570606bc27
--- /dev/null
+++ b/.github/workflows/integration_tests_fim_tier_0_1_lin.yml
@@ -0,0 +1,83 @@
+name: Integration tests for FIM on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Install audit required by FIM
+      - name: Install audit
+        run: |
+          sudo apt-get update
+          sudo apt-get install auditd -y
+      # Run fim integration tests.
+      - name: Run fim integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_fim/
diff --git a/.github/workflows/integration_tests_fim_tier_0_1_macos.yml b/.github/workflows/integration_tests_fim_tier_0_1_macos.yml
new file mode 100644
index 0000000000..317bab30ba
--- /dev/null
+++ b/.github/workflows/integration_tests_fim_tier_0_1_macos.yml
@@ -0,0 +1,78 @@
+name: Integration tests for FIM on MacOS - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: macos-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for macOS.
+      - name: Build wazuh agent for macOS
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for macOS.
+      - name: Install wazuh agent for macOS
+        run: |
+            echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo "USER_DIR=/Library/Ossec" >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+            echo "" >> ./etc/preloaded-vars.conf
+            sudo sh install.sh
+            rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run fim integration tests.
+      - name: Run fim integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_fim/
diff --git a/.github/workflows/integration_tests_fim_tier_0_1_win.yml b/.github/workflows/integration_tests_fim_tier_0_1_win.yml
new file mode 100644
index 0000000000..f5b0051e64
--- /dev/null
+++ b/.github/workflows/integration_tests_fim_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for FIM on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run fim integration tests.
+      - name: Run fim integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest --tier 0 --tier 1 test_fim\
diff --git a/.github/workflows/integration_tests_fim_tier_2_lin.yml b/.github/workflows/integration_tests_fim_tier_2_lin.yml
new file mode 100644
index 0000000000..8aa7c159a3
--- /dev/null
+++ b/.github/workflows/integration_tests_fim_tier_2_lin.yml
@@ -0,0 +1,83 @@
+name: Integration tests for FIM on Linux - Tier 2
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Install audit required by FIM
+      - name: Install audit
+        run: |
+          sudo apt-get update
+          sudo apt-get install auditd -y
+      # Run fim integration tests.
+      - name: Run fim integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 2 test_fim/
diff --git a/.github/workflows/integration_tests_fim_tier_2_win.yml.yml b/.github/workflows/integration_tests_fim_tier_2_win.yml.yml
new file mode 100644
index 0000000000..432f3bc2b2
--- /dev/null
+++ b/.github/workflows/integration_tests_fim_tier_2_win.yml.yml
@@ -0,0 +1,94 @@
+name: Integration tests for FIM on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run fim integration tests.
+      - name: Run fim integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest --tier 2 test_fim\
diff --git a/.github/workflows/integration_tests_github_tier_0_1_lin.yml b/.github/workflows/integration_tests_github_tier_0_1_lin.yml
new file mode 100644
index 0000000000..93bdfb2858
--- /dev/null
+++ b/.github/workflows/integration_tests_github_tier_0_1_lin.yml
@@ -0,0 +1,78 @@
+name: Integration tests for GitHub on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run github integration tests.
+      - name: Run github integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_github/
diff --git a/.github/workflows/integration_tests_github_tier_0_1_win.yml b/.github/workflows/integration_tests_github_tier_0_1_win.yml
new file mode 100644
index 0000000000..2e2e1dbb01
--- /dev/null
+++ b/.github/workflows/integration_tests_github_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for GitHub on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run github integration tests.
+      - name: Run github integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest --tier 0 --tier 1 test_github\
diff --git a/.github/workflows/integration_tests_logcollector_tier_0_1_lin.yml b/.github/workflows/integration_tests_logcollector_tier_0_1_lin.yml
new file mode 100644
index 0000000000..ba5a1643c0
--- /dev/null
+++ b/.github/workflows/integration_tests_logcollector_tier_0_1_lin.yml
@@ -0,0 +1,78 @@
+name: Integration tests for logcollector on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run logcollector integration tests.
+      - name: Run logcollector integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_logcollector/
diff --git a/.github/workflows/integration_tests_logcollector_tier_0_1_macos.yml b/.github/workflows/integration_tests_logcollector_tier_0_1_macos.yml
new file mode 100644
index 0000000000..2f7238a216
--- /dev/null
+++ b/.github/workflows/integration_tests_logcollector_tier_0_1_macos.yml
@@ -0,0 +1,78 @@
+name: Integration tests for logcollector on MacOS - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: macos-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for macOS.
+      - name: Build wazuh agent for macOS
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for macOS.
+      - name: Install wazuh agent for macOS
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/Library/Ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run logcollector integration tests.
+      - name: Run logcollector integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_logcollector/
diff --git a/.github/workflows/integration_tests_logcollector_tier_0_1_win.yml b/.github/workflows/integration_tests_logcollector_tier_0_1_win.yml
new file mode 100644
index 0000000000..1abe16fb7e
--- /dev/null
+++ b/.github/workflows/integration_tests_logcollector_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for logcollector on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run logcollector integration tests.
+      - name: Run logcollector integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest --tier 0 --tier 1 test_logcollector\
diff --git a/.github/workflows/integration_tests_msgraph_tier_0_1_lin.yml b/.github/workflows/integration_tests_msgraph_tier_0_1_lin.yml
new file mode 100644
index 0000000000..d2b668cb74
--- /dev/null
+++ b/.github/workflows/integration_tests_msgraph_tier_0_1_lin.yml
@@ -0,0 +1,88 @@
+name: Integration tests for MsGraph on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Setup MSGraph Proxy
+      - name: Download m365proxy and config http for msgraph module
+        run: |
+          sed -i 's/https:\/\/%s\/%s/http:\/\/%s\/%s/g' src/wazuh_modules/wm_ms_graph.h
+          curl -L http://packages.wazuh.com/utils/m365proxy/m365proxy.tar.gz | \
+          tar zvx -C /tmp/
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCOLLECTOR="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SCA="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run msgraph integration tests.
+      - name: Run msgraph integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_msgraph/
diff --git a/.github/workflows/integration_tests_office365_tier_0_1_lin.yml b/.github/workflows/integration_tests_office365_tier_0_1_lin.yml
new file mode 100644
index 0000000000..fd8fbc1879
--- /dev/null
+++ b/.github/workflows/integration_tests_office365_tier_0_1_lin.yml
@@ -0,0 +1,78 @@
+name: Integration tests for Office365 on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run office365 integration tests.
+      - name: Run office365 integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_office365/
diff --git a/.github/workflows/integration_tests_office365_tier_0_1_win.yml b/.github/workflows/integration_tests_office365_tier_0_1_win.yml
new file mode 100644
index 0000000000..f028e322cd
--- /dev/null
+++ b/.github/workflows/integration_tests_office365_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for Office365 on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run office365 integration tests.
+      - name: Run office365 integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest --tier 0 --tier 1 test_office365\
diff --git a/.github/workflows/integration_tests_sca_tier_0_1_lin.yml b/.github/workflows/integration_tests_sca_tier_0_1_lin.yml
new file mode 100644
index 0000000000..33f758a3d5
--- /dev/null
+++ b/.github/workflows/integration_tests_sca_tier_0_1_lin.yml
@@ -0,0 +1,82 @@
+name: Integration tests for SCA on Linux - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  build:
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      # Build wazuh agent for linux.
+      - name: Build wazuh agent for linux
+        run: |
+          make deps -C src TARGET=agent -j2
+          make -C src TARGET=agent -j2
+      # Install wazuh agent for linux.
+      - name: Install wazuh agent for linux
+        run: |
+          echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AGENT_SERVER_IP="127.0.0.1"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo "USER_DIR=/var/ossec" >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_EMAIL="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_ROOTCHECK="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSCOLLECTOR="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SCA="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_WHITE_LIST="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_SYSLOG="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_ENABLE_AUTHD="n"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          echo 'USER_AUTO_START="y"' >> ./etc/preloaded-vars.conf
+          echo "" >> ./etc/preloaded-vars.conf
+          sudo sh install.sh
+          rm ./etc/preloaded-vars.conf
+      # Download and install integration tests framework.
+      - name: Download and install integration tests framework
+        run: |
+          if [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_NAME}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_NAME}
+          elif [ "X`git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git ${BRANCH_BASE}`" != "X" ]; then
+              QA_BRANCH=${BRANCH_BASE}
+          else
+              QA_BRANCH="main"
+          fi
+          git clone -b ${QA_BRANCH} --single-branch https://github.com/wazuh/qa-integration-framework.git
+          sudo pip install qa-integration-framework/
+          sudo rm -rf qa-integration-framework/
+      # Run sca integration tests.
+      - name: Run sca integration tests
+        run: |
+          cd tests/integration
+          sudo python -m pytest --tier 0 --tier 1 test_sca/
diff --git a/.github/workflows/integration_tests_sca_tier_0_1_win.yml b/.github/workflows/integration_tests_sca_tier_0_1_win.yml
new file mode 100644
index 0000000000..33178e932f
--- /dev/null
+++ b/.github/workflows/integration_tests_sca_tier_0_1_win.yml
@@ -0,0 +1,94 @@
+name: Integration tests for SCA on Windows - Tier 0 and 1
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: 'Base branch'
+        required: true
+        default: 'main'
+
+jobs:
+  # Build the winagent on linux.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # Install wingw required to build the winagent.
+      - name: Install dependencies
+        run: sudo apt install gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis -y
+      # Build winagent.
+      - name: Build wazuh agent for windows
+        run: |
+          make deps -C src TARGET=winagent -j2
+          make -C src TARGET=winagent -j2
+      # Compress the files generated by the build.
+      - name: Compress the winagent build
+        run: cd .. && zip -r wazuh.zip wazuh
+      # Make folder and save the compressed build as artifacts.
+      - name: Save compressed build
+        run: |
+          mkdir -p src/winagent
+          cp ../wazuh.zip src/winagent/wazuh.zip
+      # Upload build artifacts.
+      - name: Upload Artifact winagent
+        uses: actions/upload-artifact@v3
+        with:
+          name: winagent
+          path: src/winagent
+  # Execute the tests on windows.
+  run-test:
+    needs: build
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+      BRANCH_BASE: ${{ github.base_ref || inputs.base_branch }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: ".github/workflows/.python_version"
+          architecture: x64
+      - name: Add WiX toolkit to PATH
+        shell: bash
+        run: echo "${WIX}bin" >> $GITHUB_PATH
+      # Download the compressed winagent build.
+      - name: Download Artifact winagent
+        uses: actions/download-artifact@v3
+        with:
+          name: winagent
+          path: C:\winagent\
+      # Decompress the winagent files.
+      - name: Decompress wazuh
+        run: |
+          Expand-Archive -LiteralPath C:\winagent\wazuh.zip -DestinationPath C:\
+      # Build the winagent installer.
+      - name: Build wazuh installer
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-installer-build-msi.bat
+      # Install the windows agent.
+      - name: Install wazuh agent
+        run: |
+          cd  C:\wazuh\src\win32
+          .\wazuh-agent--.msi /q WAZUH_MANAGER="127.0.0.1"
+      # Download and install integration tests framework.
+      - name: Download and install qa-integration-framework
+        run: |
+          if (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_NAME) {
+              $QA_BRANCH = $env:BRANCH_NAME
+          } elseif (git ls-remote --heads https://github.com/wazuh/qa-integration-framework.git $env:BRANCH_BASE) {
+              $QA_BRANCH = $env:BRANCH_BASE
+          } else {
+              $QA_BRANCH = "main"
+          }
+          git clone -b $QA_BRANCH --single-branch https://github.com/wazuh/qa-integration-framework.git
+          pip install qa-integration-framework/
+          rm qa-integration-framework/ -r -force
+      # Run sca integration tests.
+      - name: Run sca integration tests
+        run: |
+          cd C:\wazuh\tests\integration
+          python -m pytest -m win32 --tier 0 --tier 1 test_sca\
diff --git a/.github/workflows/packages_retag_images.yml b/.github/workflows/packages_retag_images.yml
new file mode 100644
index 0000000000..207c80c28a
--- /dev/null
+++ b/.github/workflows/packages_retag_images.yml
@@ -0,0 +1,73 @@
+name: Package - Retag Docker images
+on:
+  workflow_dispatch:
+    inputs:
+      old_version:
+        description: |
+          Tag name refering old tag
+          (Use a version name. Ex 4.8.0)
+        required: false
+        default: none
+      new_version:
+        description: |
+          Retagging tag
+          (Use a version name. Ex 4.8.0
+          Must be newer than old one.)
+        required: false
+        default: none
+      single_docker_image:
+        description: |
+          Docker image name. Used to retag only
+          the provided image.
+        required: false
+        default: ''
+  push:
+    branches:
+      - '[0-9]+.[0-9]+.[0-9]+'
+      - 'master'
+    paths:
+      - 'src/VERSION'
+
+jobs:
+  Upload-package-building-images:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    name: Package - Retag Docker images
+
+    steps:
+      - name: Cancel previous runs
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          cancel_others: 'true'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          skip_after_successful_duplicate: 'false'
+
+      - name: Checkout repository previous commit
+        uses: actions/checkout@v4
+        with:
+            fetch-depth: 2
+      - run: git checkout HEAD^
+
+      - name: Get old version from src/VERSION
+        run: |
+          VERSION=$(sed 's/^v\([0-9]*\.[0-9]*\.[0-9]*\)/\1/' $GITHUB_WORKSPACE/src/VERSION)
+          echo "OLD_VERSION=$VERSION" >> $GITHUB_ENV;
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Get new version from src/VERSION
+        run: |
+          VERSION=$(sed 's/^v\([0-9]*\.[0-9]*\.[0-9]*\)/\1/' $GITHUB_WORKSPACE/src/VERSION)
+          echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV;
+
+      - name: Run retag script
+        run: |
+          if [ "${{ inputs.old_version }}" != "none" ] && [ "${{ inputs.new_version }}" != "none" ]; then
+            new_version=${{ inputs.new_version }}
+            old_version=${{ inputs.old_version }}
+          else
+            new_version=${{ env.NEW_VERSION }}
+            old_version=${{ env.OLD_VERSION }}
+          fi
+          bash $GITHUB_WORKSPACE/.github/actions/ghcr_pull_and_push/retag_image.sh ${{ secrets.CI_WAZUH_AGENT_PACKAGES_CLASSIC }} ${{ github.actor}} $old_version $new_version ${{ inputs.single_docker_image }}
diff --git a/.github/workflows/packages_upload_images.yml b/.github/workflows/packages_upload_images.yml
new file mode 100644
index 0000000000..314a6bc80b
--- /dev/null
+++ b/.github/workflows/packages_upload_images.yml
@@ -0,0 +1,201 @@
+run-name: Package - Upload Docker package building images
+name: Package - Upload Docker package building images
+
+on:
+  push:
+    branches:
+      - '[0-9]+.[0-9]+.[0-9]+'
+      - 'master'
+    paths:
+      - 'packages/**'
+
+jobs:
+  Upload-package-building-images:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Cancel previous runs
+        uses: fkirc/skip-duplicate-actions@master
+        with:
+          cancel_others: 'true'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          skip_after_successful_duplicate: 'false'
+
+      - name: Checkout wazuh/wazuh repository
+        uses: actions/checkout@v4
+
+      - name: Get changed files
+        uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          filters: |
+            pkg_deb_manager_builder_amd64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/debs/amd64/manager/**'
+              - 'packages/debs/utils/**'
+            pkg_rpm_manager_builder_amd64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/amd64/manager/**'
+              - 'packages/rpms/utils/**'
+            pkg_deb_agent_builder_amd64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/debs/amd64/agent/**'
+              - 'packages/debs/utils/**'
+            pkg_deb_agent_builder_i386:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/debs/i386/agent/**'
+              - 'packages/debs/utils/**'
+            pkg_rpm_agent_builder_amd64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/amd64/agent/**'
+              - 'packages/rpms/utils/**'
+            pkg_rpm_agent_builder_i386:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/i386/agent/**'
+              - 'packages/rpms/utils/**'
+            pkg_rpm_legacy_builder_amd64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/amd64/legacy/**'
+              - 'packages/rpms/utils/**'
+            pkg_rpm_legacy_builder_i386:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/i386/legacy/**'
+              - 'packages/rpms/utils/**'
+            pkg_deb_agent_builder_arm64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/debs/arm64/agent/**'
+              - 'packages/debs/utils/**'
+            pkg_deb_agent_builder_armhf:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/debs/armhf/agent/**'
+              - 'packages/debs/utils/**'
+            pkg_rpm_agent_builder_arm64:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/arm64/agent/**'
+              - 'packages/rpms/utils/**'
+            pkg_rpm_agent_builder_armhf:
+              - 'packages/build.sh'
+              - 'packages/generate_package.sh'
+              - 'packages/rpms/armhf/agent/**'
+              - 'packages/rpms/utils/**'
+            compile_windows_agent:
+              - 'packages/windows/**'
+            commom_wpk_builder:
+              - 'packages/wpk/wpkpack.py'
+              - 'packages/wpk/run.sh'
+              - 'packages/wpk/generate_wpk_package.sh'
+              - 'packages/wpk/common/**'
+
+      - name: Set TAG and WAZUH_AGENT_PACKAGES_BRANCH
+        run: |
+          VERSION=$(sed 's/^v\([0-9]*\.[0-9]*\.[0-9]*\)/\1/' src/VERSION)
+          echo "TAG=$VERSION" >> $GITHUB_ENV;
+
+      - name: Request pkg_deb_manager_builder_amd64 update
+        if: steps.changes.outputs.pkg_deb_manager_builder_amd64 == 'true'
+        run: |
+          gh workflow run packages-upload-manager-images.yml -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=deb -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Request pkg_rpm_manager_builder_amd64 update
+        if: steps.changes.outputs.pkg_rpm_manager_builder_amd64 == 'true'
+        run: |
+          gh workflow run packages-upload-manager-images.yml -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Request pkg_deb_agent_builder_amd64 update
+        if: steps.changes.outputs.pkg_deb_agent_builder_amd64 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=deb -f architecture=amd64 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_deb_agent_builder_i386 update
+        if: steps.changes.outputs.pkg_deb_agent_builder_i386 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=deb -f architecture=i386 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_agent_builder_amd64 update
+        if: steps.changes.outputs.pkg_rpm_agent_builder_amd64 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=amd64 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_agent_builder_i386 update
+        if: steps.changes.outputs.pkg_rpm_agent_builder_i386 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=amd64 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_legacy_builder_amd64 update
+        if: steps.changes.outputs.pkg_rpm_legacy_builder_amd64 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=amd64 -f legacy=true -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_legacy_builder_i386 update
+        if: steps.changes.outputs.pkg_rpm_legacy_builder_i386 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=i386 -f legacy=true -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_deb_agent_builder_arm64 update
+        if: steps.changes.outputs.pkg_deb_agent_builder_arm64 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-arm.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=deb -f architecture=arm64 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_deb_agent_builder_armhf update
+        if: steps.changes.outputs.pkg_deb_agent_builder_armhf == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-arm.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=deb -f architecture=armhf -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_agent_builder_arm64 update
+        if: steps.changes.outputs.pkg_rpm_agent_builder_arm64 == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-arm.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=arm64 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request pkg_rpm_agent_builder_armhf update
+        if: steps.changes.outputs.pkg_rpm_agent_builder_armhf == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-arm.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=rpm -f architecture=armhf -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request compile_windows_agent update
+        if: steps.changes.outputs.compile_windows_agent == 'true'
+        run: |
+          gh workflow run packages-upload-agent-images-amd.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=windows -f architecture=i386 -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
+
+      - name: Request commom_wpk_builder update
+        if: steps.changes.outputs.commom_wpk_builder == 'true'
+        run: |
+          gh workflow run packages-upload-wpk-images.yml --repo wazuh/wazuh-agent-packages -r ${{ github.ref_name }} -f docker_image_tag=${{ env.TAG }} -f system=common -f source_reference=${{ github.ref_name }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_WAZUH_AGENT_PACKAGES }}
diff --git a/.gitignore b/.gitignore
index 460ae459bb..47317c7386 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,13 @@
 # patch files
 *.rej
 *.orig
+
+# Python cache
+__pycache__
+.pytest_cache
+
+# Thumbnails
+._*
+
+### Python Virtualenv
+venv
diff --git a/README.md b/README.md
index 1666a0c84d..90e92a8902 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,190 @@
-# wazuh-agent
-Wazuh agent, the Wazuh agent for endpoints.
+# Wazuh
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
+[![Coverity](https://scan.coverity.com/projects/10992/badge.svg)](https://scan.coverity.com/projects/wazuh-wazuh)
+[![Twitter](https://img.shields.io/twitter/follow/wazuh?style=social)](https://twitter.com/wazuh)
+[![YouTube](https://img.shields.io/youtube/views/peTSzcAueEc?style=social)](https://www.youtube.com/watch?v=peTSzcAueEc)
+
+
+Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.
+
+Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents. Besides, Wazuh has been fully integrated with the Elastic Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts.
+
+## Wazuh capabilities
+
+A brief presentation of some of the more common use cases of the Wazuh solution.
+
+**Intrusion detection**
+
+Wazuh agents scan the monitored systems looking for malware, rootkits and suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
+
+In addition to agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise.
+
+**Log data analysis**
+
+Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage. When no agent is deployed, the server can also receive data via syslog from network devices or applications.
+
+The Wazuh rules help make you aware of application or system errors, misconfigurations, attempted and/or successful malicious activities, policy violations and a variety of other security and operational issues.
+
+**File integrity monitoring**
+
+Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on. In addition, it natively identifies users and applications used to create or modify files.
+
+File integrity monitoring capabilities can be used in combination with threat intelligence to identify threats or compromised hosts. In addition, several regulatory compliance standards, such as PCI DSS, require it.
+
+**Vulnerability detection**
+
+Wazuh agents pull software inventory data and send this information to the server, where it is correlated with continuously updated CVE (Common Vulnerabilities and Exposure) databases, in order to identify well-known vulnerable software.
+
+Automated vulnerability assessment helps you find the weak spots in your critical assets and take corrective action before attackers exploit them to sabotage your business or steal confidential data.
+
+**Configuration assessment**
+
+Wazuh monitors system and application configuration settings to ensure they are compliant with your security policies, standards and/or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.
+
+Additionally, configuration checks can be customized, tailoring them to properly align with your organization. Alerts include recommendations for better configuration, references and mapping with regulatory compliance.
+
+**Incident response**
+
+Wazuh provides out-of-the-box active responses to perform various countermeasures to address active threats, such as blocking access to a system from the threat source when certain criteria are met.
+
+In addition, Wazuh can be used to remotely run commands or system queries, identifying indicators of compromise (IOCs) and helping perform other live forensics or incident response tasks.
+
+**Regulatory compliance**
+
+Wazuh provides some of the necessary security controls to become compliant with industry standards and regulations. These features, combined with its scalability and multi-platform support help organizations meet technical compliance requirements.
+
+Wazuh is widely used by payment processing companies and financial institutions to meet PCI DSS (Payment Card Industry Data Security Standard) requirements. Its web user interface provides reports and dashboards that can help with this and other regulations (e.g. GPG13 or GDPR).
+
+**Cloud security**
+
+Wazuh helps monitoring cloud infrastructure at an API level, using integration modules that are able to pull security data from well known cloud providers, such as Amazon AWS, Azure or Google Cloud. In addition, Wazuh provides rules to assess the configuration of your cloud environment, easily spotting weaknesses.
+
+In addition, Wazuh light-weight and multi-platform agents are commonly used to monitor cloud environments at the instance level.
+
+**Containers security**
+
+Wazuh provides security visibility into your Docker hosts and containers, monitoring their behavior and detecting threats, vulnerabilities and anomalies. The Wazuh agent has native integration with the Docker engine allowing users to monitor images, volumes, network settings, and running containers.
+
+Wazuh continuously collects and analyzes detailed runtime information. For example, alerting for containers running in privileged mode, vulnerable applications, a shell running in a container, changes to persistent volumes or images, and other possible threats.
+
+## WUI
+
+The Wazuh WUI provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Wazuh configuration and to monitor its status.
+
+**Modules overview**
+
+![Modules overview](https://github.com/wazuh/wazuh-dashboard-plugins/raw/master/screenshots/app.png)
+
+**Security events**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app2.png)
+
+**Integrity monitoring**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app3.png)
+
+**Vulnerability detection**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app4.png)
+
+**Regulatory compliance**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app5.png)
+
+**Agents overview**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app6.png)
+
+**Agent summary**
+
+![Overview](https://github.com/wazuh/wazuh-dashboard-plugins/blob/master/screenshots/app7.png)
+
+## Orchestration
+
+Here you can find all the automation tools maintained by the Wazuh team.
+
+* [Wazuh AWS CloudFormation](https://github.com/wazuh/wazuh-cloudformation)
+
+* [Docker containers](https://github.com/wazuh/wazuh-docker)
+
+* [Wazuh Ansible](https://github.com/wazuh/wazuh-ansible)
+
+* [Wazuh Chef](https://github.com/wazuh/wazuh-chef)
+
+* [Wazuh Puppet](https://github.com/wazuh/wazuh-puppet)
+
+* [Wazuh Kubernetes](https://github.com/wazuh/wazuh-kubernetes)
+
+* [Wazuh Bosh](https://github.com/wazuh/wazuh-bosh)
+
+* [Wazuh Salt](https://github.com/wazuh/wazuh-salt)
+
+## Branches
+
+* `master` branch contains the latest code, be aware of possible bugs on this branch.
+* `stable` branch on correspond to the last Wazuh stable version.
+
+## Software and libraries used
+
+|Software|Version|Author|License|
+|---|---|---|---|
+|[bzip2](https://github.com/libarchive/bzip2)|1.0.8|Julian Seward|BSD License|
+|[cJSON](https://github.com/DaveGamble/cJSON)|1.7.12|Dave Gamble|MIT License|
+|[cPython](https://github.com/python/cpython)|3.10.13|Guido van Rossum|Python Software Foundation License version 2|
+|[cURL](https://github.com/curl/curl)|8.5.0|Daniel Stenberg|MIT License|
+|[Flatbuffers](https://github.com/google/flatbuffers/)|23.5.26|Google Inc.|Apache 2.0 License|
+|[GoogleTest](https://github.com/google/googletest)|1.11.0|Google Inc.|3-Clause "New" BSD License|
+|[jemalloc](https://github.com/jemalloc/jemalloc)|5.2.1|Jason Evans|2-Clause "Simplified" BSD License|
+|[Lua](https://github.com/lua/lua)|5.3.6|PUC-Rio|MIT License|
+|[libarchive](https://github.com/libarchive/libarchive)|3.7.2|Tim Kientzle|3-Clause "New" BSD License|
+|[libdb](https://github.com/yasuhirokimura/db18)|18.1.40|Oracle Corporation|Affero GPL v3|
+|[libffi](https://github.com/libffi/libffi)|3.2.1|Anthony Green|MIT License|
+|[libpcre2](https://github.com/PCRE2Project/pcre2)|10.42.0|Philip Hazel|BSD License|
+|[libplist](https://github.com/libimobiledevice/libplist)|2.2.0|Aaron Burghardt et al.|GNU Lesser General Public License version 2.1|
+|[libYAML](https://github.com/yaml/libyaml)|0.1.7|Kirill Simonov|MIT License|
+|[liblzma](https://github.com/tukaani-project/xz)|5.4.2|Lasse Collin, Jia Tan et al.|GNU Public License version 3|
+|[Linux Audit userspace](https://github.com/linux-audit/audit-userspace)|2.8.4|Rik Faith|LGPL (copyleft)|
+|[msgpack](https://github.com/msgpack/msgpack-c)|3.1.1|Sadayuki Furuhashi|Boost Software License version 1.0|
+|[nlohmann](https://github.com/nlohmann/json)|3.7.3|Niels Lohmann|MIT License|
+|[OpenSSL](https://github.com/openssl/openssl)|3.0.12|OpenSSL Software Foundation|Apache 2.0 License|
+|[pacman](https://gitlab.archlinux.org/pacman/pacman)|5.2.2|Judd Vinet|GNU Public License version 2 (copyleft)|
+|[popt](https://github.com/rpm-software-management/popt)|1.16|Jeff Johnson & Erik Troan|MIT License|
+|[procps](https://gitlab.com/procps-ng/procps)|2.8.3|Brian Edmonds et al.|LGPL (copyleft)|
+|[RocksDB](https://github.com/facebook/rocksdb/)|8.3.2|Facebook Inc.|Apache 2.0 License|
+|[rpm](https://github.com/rpm-software-management/rpm)|4.18.2|Marc Ewing & Erik Troan|GNU Public License version 2 (copyleft)|
+|[sqlite](https://github.com/sqlite/sqlite)|3.45.0|D. Richard Hipp|Public Domain (no restrictions)|
+|[zlib](https://github.com/madler/zlib)|1.3.1|Jean-loup Gailly & Mark Adler|zlib/libpng License|
+
+* [PyPi packages](framework/requirements.txt)
+
+## Documentation
+
+* [Full documentation](http://documentation.wazuh.com)
+* [Wazuh installation guide](https://documentation.wazuh.com/current/installation-guide/index.html)
+
+## Get involved
+
+Become part of the [Wazuh's community](https://wazuh.com/community/) to learn from other users, participate in discussions, talk to our developers and contribute to the project.
+
+If you want to contribute to our project please don’t hesitate to make pull-requests, submit issues or send commits, we will review all your questions.
+
+You can also join our [Slack community channel](https://wazuh.com/community/join-us-on-slack/) and [mailing list](https://groups.google.com/d/forum/wazuh) by sending an email to [wazuh+subscribe@googlegroups.com](mailto:wazuh+subscribe@googlegroups.com), to ask questions and participate in discussions.
+
+Stay up to date on news, releases, engineering articles and more.
+
+* [Wazuh website](http://wazuh.com)
+* [Linkedin](https://www.linkedin.com/company/wazuh)
+* [YouTube](https://www.youtube.com/c/wazuhsecurity)
+* [Twitter](https://twitter.com/wazuh)
+* [Wazuh blog](https://wazuh.com/blog/)
+* [Slack announcements channel](https://wazuh.com/community/join-us-on-slack/)
+
+## Authors
+
+Wazuh Copyright (C) 2015-2023 Wazuh Inc. (License GPLv2)
+
+Based on the OSSEC project started by Daniel Cid.
diff --git a/bump_version.sh b/bump_version.sh
old mode 100644
new mode 100755
index e69de29bb2..22f7378b6a
--- a/bump_version.sh
+++ b/bump_version.sh
@@ -0,0 +1,219 @@
+#!/bin/bash
+
+# Bump source version
+# Copyright (C) 2015, Wazuh Inc.
+# May 2, 2017
+
+# Syntax:
+# bump_version [ <version> ] [ -r <revision> ] [ -p <product_version> ]
+# Example:
+# ./bump_version.sh v3.0.0-alpha1 -r 3457 -p 3.0.0.1
+
+while [ -n "$1" ]
+do
+    case $1 in
+    "-p")
+        if [[ $2 =~ ^[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+$ ]]
+        then
+            product=$2
+        else
+            echo "Error: product does not match 'X.X.X.X'"
+            exit 1
+        fi
+
+        shift 2
+        ;;
+    "-r")
+        if [[ $2 =~ ^[[:digit:]]+$ ]]
+        then
+            revision=$2
+        else
+            echo "Error: revision is not numeric."
+            exit 1
+        fi
+
+        shift 2
+        ;;
+    *)
+        if [[ $1 =~ ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+(-[[:alnum:]]+)?$ ]]
+        then
+            version=$1
+        else
+            echo "Error: incorrect version (must have form 'vX.X.X' or 'vX.X.X-...')."
+            exit 1
+        fi
+
+        shift 1
+    esac
+done
+
+if [ -z "$version" ] && [ -z "$revision" ] && [ -z "$product" ]
+then
+    echo "Error: no arguments given."
+    echo "Syntax: $0 [ <version> ] [ -r <revision> ] [ -p <product_version> ]"
+    exit 1
+fi
+
+cd $(dirname $0)
+
+VERSION_FILE="../src/VERSION"
+REVISION_FILE="../src/REVISION"
+DEFS_FILE="../src/headers/defs.h"
+WAZUH_SERVER="../src/init/wazuh-server.sh"
+WAZUH_AGENT="../src/init/wazuh-client.sh"
+WAZUH_LOCAL="../src/init/wazuh-local.sh"
+NSIS_FILE="../src/win32/wazuh-installer.nsi"
+MSI_FILE="../src/win32/wazuh-installer.wxs"
+FW_INIT="../framework/wazuh/__init__.py"
+CLUSTER_INIT="../framework/wazuh/core/cluster/__init__.py"
+API_SETUP="../api/setup.py"
+API_SPEC="../api/api/spec/spec.yaml"
+VERSION_DOCU="../src/Doxyfile"
+WIN_RESOURCE="../src/win32/version.rc"
+
+if [ -n "$version" ]
+then
+
+    # File VERSIONS
+
+    echo $version > $VERSION_FILE
+
+    # File defs.h
+
+    egrep "^#define __ossec_version +\"v.+\"" $DEFS_FILE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable version definition found at file $DEFS_FILE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/^(#define __ossec_version +)\"v.*\"/\1\"$version\"/" $DEFS_FILE
+
+    # wazuh-control
+
+    sed -E -i'' -e "s/^(VERSION=+)\"v.*\"/\1\"$version\"/" $WAZUH_SERVER
+    sed -E -i'' -e "s/^(VERSION=+)\"v.*\"/\1\"$version\"/" $WAZUH_AGENT
+    sed -E -i'' -e "s/^(VERSION=+)\"v.*\"/\1\"$version\"/" $WAZUH_LOCAL
+
+    # File wazuh-installer.nsi
+
+    egrep "^\!define VERSION \".+\"" $NSIS_FILE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable version definition found at file $NSIS_FILE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/^(\!define VERSION \").+\"/\1${version:1}\"/g" $NSIS_FILE
+
+    # File wazuh-installer.wxs
+
+    egrep '<Product Id="\*" Name="Wazuh Agent" Language="1033" Version=".+" Manufacturer=' $MSI_FILE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable version definition found at file $MSI_FILE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/(<Product Id=\"\*\" Name=\"Wazuh Agent\" Language=\"1033\" Version=\").+(\" Manufacturer=)/\1${version:1}\2/g" $MSI_FILE
+
+    # Framework
+
+    sed -E -i'' -e "s/__version__ = '.+'/__version__ = '${version:1}'/g" $FW_INIT
+
+    # Cluster
+
+    sed -E -i'' -e "s/__version__ = '.+'/__version__ = '${version:1}'/g" $CLUSTER_INIT
+
+    # API
+
+    sed -E -i'' -e "s/version='.+',/version='${version:1}',/g" $API_SETUP
+    sed -E -i'' -e "s/version: '.+'/version: '${version:1}'/g" $API_SPEC
+    sed -E -i'' -e "s_/v[0-9]+\.[0-9]+\.[0-9]+_/${version}_g" $API_SPEC
+    sed -E -i'' -e "s_com/[0-9]+\.[0-9]+_com/$(expr match "$version" 'v\([0-9]*.[0-9]*\).*')_g" $API_SPEC
+
+    # Documentation config file
+
+    sed -E -i'' -e "s/PROJECT_NUMBER         = \".+\"/PROJECT_NUMBER         = \"$version\"/g" $VERSION_DOCU
+
+    # version.rc
+
+    egrep "^#define VER_PRODUCTVERSION_STR v.+" $WIN_RESOURCE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable version definition (VER_PRODUCTVERSION_STR) found at file $WIN_RESOURCE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/^(#define VER_PRODUCTVERSION_STR +)v.+/\1$version/" $WIN_RESOURCE
+
+    egrep "^#define VER_PRODUCTVERSION [[:digit:]]+,[[:digit:]]+,[[:digit:]]+,[[:digit:]]+" $WIN_RESOURCE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable version definition (VER_PRODUCTVERSION) found at file $WIN_RESOURCE"
+        exit 1
+    fi
+
+    product_commas=`echo "${version:1}.0" | tr '.' ','`
+    sed -E -i'' -e "s/^(#define VER_PRODUCTVERSION +).+/\1$product_commas/" $WIN_RESOURCE
+fi
+
+if [ -n "$revision" ]
+then
+    CURRENT_VERSION=$(cat $VERSION_FILE)
+
+    # File REVISION
+
+    echo $revision > $REVISION_FILE
+
+    # wazuh-control
+
+    sed -E -i'' -e "s/^(REVISION=+)\".*\"/\1\"$revision\"/" $WAZUH_SERVER
+    sed -E -i'' -e "s/^(REVISION=+)\".*\"/\1\"$revision\"/" $WAZUH_AGENT
+    sed -E -i'' -e "s/^(REVISION=+)\".*\"/\1\"$revision\"/" $WAZUH_LOCAL
+
+    # File wazuh-installer.nsi
+
+    egrep "^\!define REVISION \".+\"" $NSIS_FILE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable revision definition found at file $NSIS_FILE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/^(\!define REVISION \").+\"/\1$revision\"/g" $NSIS_FILE
+
+    # Cluster
+
+    sed -E -i'' -e "s/__revision__ = '.+'/__revision__ = '$revision'/g" $CLUSTER_INIT
+
+    # API
+
+    sed -E -i'' -e "s/x-revision: .+'/x-revision: '$revision'/g" $API_SPEC
+
+    # Documentation config file
+
+    sed -E -i'' -e "s/PROJECT_NUMBER         = \".+\"/PROJECT_NUMBER         = \"$CURRENT_VERSION-$revision\"/g" $VERSION_DOCU
+fi
+
+if [ -n "$product" ]
+then
+
+    # File wazuh-installer.nsi
+
+    egrep "^VIProductVersion \".+\"" $NSIS_FILE > /dev/null
+
+    if [ $? != 0 ]
+    then
+        echo "Error: no suitable product definition found at file $NSIS_FILE"
+        exit 1
+    fi
+
+    sed -E -i'' -e "s/^(VIProductVersion \").+\"/\1$product\"/g" $NSIS_FILE
+fi
diff --git a/etc/ruleset/rootcheck/cis_apache2224_rcl.txt b/etc/ruleset/rootcheck/cis_apache2224_rcl.txt
new file mode 100644
index 0000000000..3086655e6e
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_apache2224_rcl.txt
@@ -0,0 +1,512 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2017
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry , use "->" to look for a specific entry and another
+# "->" to look for the value.
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Apache Https Server 
+# Based on Center for Internet Security Benchmark for Apache HttpSserver 2.4 v1.3.1 and Apache HttpsServer 2.2 v3.4.1 (https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308)
+#
+#
+$main-conf=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf;
+$conf-dirs=/etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d;
+$ssl-confs=/etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf;
+$mods-en=/etc/apache2/mods-enabled;
+$request-confs=/etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf;
+$traceen=/etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf;
+#
+#
+#2.3 Disable WebDAV Modules
+[CIS - Apache Configuration - 2.3: WebDAV Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav;
+f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav;
+d:$mods-en -> dav.load;
+#
+#
+#2.4 Disable Status Module
+[CIS - Apache Configuration - 2.4: Status Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus;
+f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus;
+d:$mods-en -> status.load;
+#
+#
+#2.5 Disable Autoindex Module
+[CIS - Apache Configuration - 2.5: Autoindex Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex;
+f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex;
+d:$mods-en -> autoindex.load;
+#
+#
+#2.6 Disable Proxy Modules
+[CIS - Apache Configuration - 2.6: Proxy Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy;
+f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy;
+d:$mods-en -> proxy.load;
+#
+#
+#2.7 Disable User Directories Modules
+[CIS - Apache Configuration - 2.7: User Directories Modules are enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir;
+f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir;
+d:$mods-en -> userdir.load;
+#
+#
+#2.8 Disable Info Module
+[CIS - Apache Configuration - 2.8: Info Module is enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo;
+d:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo;
+d:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo;
+d:$mods-en -> info.load;
+#
+#
+#3.2 Give the Apache User Account an Invalid Shell 
+[CIS - Apache Configuration - 3.2: Apache User Account has got a valid shell] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/passwd -> r:/var/www && !r:\.*/bin/false$|/sbin/nologin$;
+#
+#
+#3.3 Lock the Apache User Account
+[CIS - Apache Configuration - 3.3: Lock the Apache User Account] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && !r:\p!\.*$; 
+#
+#
+#4.4 Restrict Override for All Directories
+[CIS - Apache Configuration - 4.4: Restrict Override for All Directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$;
+d:$conf-dirs -> conf -> !r:^# && !r:\w+ && r:allowoverridelist;
+f:$main-conf -> !r:^# && !r:\w+ && r:allowoverride && !r:none$;
+f:$main-conf -> !r:^# && !r:\w+ && r:allowoverridelist;
+#
+#
+#5.3 Minimize Options for Other Directories
+[CIS - Apache Configuration - 5.3: Minimize Options for other directories] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:options\sincludes;
+f:$main-conf -> !r:^# && r:options\sincludes;
+#
+#
+#5.4.1 Remove default index.html sites
+[CIS - Apache Configuration - 5.4.1: Remove default index.html sites] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:/var/www -> index.html;
+d:/var/www/html -> index.html;
+#
+#
+#5.4.2 Remove the Apache user manual
+[CIS - Apache Configuration - 5.4.2: Remove the Apache user manual] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:/etc/httpd/conf.d -> manual.conf; 
+d:/etc/apache2/conf-enabled -> apache2-doc.conf;
+#
+#
+#5.4.5 Verify that no Handler is enabled 
+[CIS - Apache Configuration - 5.4.5: A Handler is configured] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:/wsethandler;
+f:$main-conf -> !r:^# && r:/wsethandler;
+#
+#
+#5.5 Remove default CGI content printenv 
+[CIS - Apache Configuration - 5.5: Remove default CGI content printenv] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:/var/www/cgi-bin -> printenv;
+d:/usr/lib/cgi-bin -> printenv;
+#
+#
+#5.6 Remove default CGI content test-cgi 
+[CIS - Apache Configuration - 5.6: Remove default CGI content test-cgi] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:/var/www/cgi-bin -> test-cgi;
+d:/usr/lib/cgi-bin -> test-cgi;
+#
+#
+#5.7 Limit HTTP Request Method
+[CIS - Apache Configuration - 5.7: Disable HTTP Request Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:<limitexcept\sget\spost\soptions>;
+#
+#
+#5.8 Disable HTTP Trace Method
+[CIS - Apache Configuration - 5.8: Disable HTTP Trace Method] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$traceen -> !r:^# && r:traceenable\s+on\s*$;
+#
+#
+#5.9 Restrict HTTP Protocol Versions
+[CIS - Apache Configuration - 5.9: Restrict HTTP Protocol Versions] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;
+d:$mods-en -> !f:rewrite.load;
+f:$main-conf -> !r:rewriteengine\son;
+f:$main-conf -> !r:rewritecond && !r:%{THE_REQUEST} && !r:!HTTP/1\\.1\$; 
+f:$main-conf -> !r:rewriterule && !r:.* - [F];
+#
+#
+#5.12 Deny IP Address Based Requests
+[CIS - Apache Configuration - 5.12: Deny IP Address Based Requests] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;
+d:$mods-en -> !f:rewrite.load;
+f:$main-conf -> !r:rewriteengine\son;
+f:$main-conf -> !r:rewritecond && !r:%{HTTP_HOST} && !r:www\\.\w+\\.\w+ [NC]$;
+f:$main-conf -> !r:rewritecond && !r:%{REQUEST_URI} && !r:/error [NC]$; 
+f:$main-conf -> !r:rewriterule && !r:.\(.*\) - [L,F]$;
+#
+#
+#5.13 Restrict Listen Directive 
+[CIS - Apache Configuration - 5.13: Restrict Listen Directive] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:listen\s80$;
+d:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p80;
+d:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p80;
+f:$main-conf -> !r:^# && r:listen\s80$;
+f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
+f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*; 
+f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s80$;
+f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
+f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;
+f:/etc/apache2/ports.conf -> !r:^# && r:listen\s80$;
+f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p\d*;
+f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;
+#
+#
+#5.14 Restrict Browser Frame Options 
+[CIS - Apache Configuration - 5.14: Restrict Browser Frame Options] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:header\salways\sappend\sx-frame-options && !r:sameorigin|deny; 
+#
+#
+#6.1 Configure the Error Log to notice at least
+[CIS - Apache Configuration - 6.1: Configure the Error Log to notice at least] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice;
+f:$main-conf -> !r:loglevel\snotice\score\p && !r:info|debug;
+#
+#
+#6.2 Configure a Syslog facility for Error Log 
+[CIS - Apache Configuration - 6.2: Configure a Syslog facility for Error Log] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:errorlog\s+\p*syslog\p\.*\p*;
+#
+#
+#7.6 Disable SSL Insecure Renegotiation 
+[CIS - Apache Configuration - 7.6: Disable SSL Insecure Renegotiation] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on\s*;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s*$;
+#
+#
+#7.7 Ensure SSL Compression is not enabled 
+[CIS - Apache Configuration - 7.7: Ensure SSL Compression is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on\s*;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s*$;
+#
+#
+#7.8 Disable SSL TLS v1.0 Protocol
+[CIS - Apache Configuration - 7.8: Disable insecure TLS Protocol] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$ssl-confs -> !r:^\t*\s*sslprotocol;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+all;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*tlsv1\P\s*;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv2\P\s*;
+f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+\.*sslv3\P\s*;
+#
+#
+#7.9 Enable OCSP Stapling
+[CIS - Apache Configuration - 7.9: Enable OCSP Stapling] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+ssl;
+d:$mods-en -> !f:ssl.load;
+f:$ssl-confs -> !r:\t*\s*# && r:sslusestapling\s+off;
+f:$ssl-confs -> !r:\t*\s*sslusestapling\s+on;
+f:$ssl-confs -> !r:\t*\s*sslstaplingcache\s+\.+;
+#
+#
+#7.10 Enable HTTP Strict Transport Security 
+[CIS - Apache Configuration - 7.10: Enable HTTP Strict Transport Security] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/apache2/apache2.conf -> !r:Header\salways\sset\sStrict-Transport-Security\s"max-age=\d\d\d\d*";
+f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=1\d\d";
+f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=2\d\d";
+f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=3\d\d";
+f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=4\d\d";
+f:/etc/apache2/apache2.conf -> !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=5\d\d";
+#
+#
+#8.1 Set ServerToken to Prod or ProductOnly 
+[CIS - Apache Configuration - 8.1: Set ServerToken to Prod or ProductOnly] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major;
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor;
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min;
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal;
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os;
+d:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full;
+#
+#
+#8.2: Set ServerSignature to Off
+[CIS - Apache Configuration - 8.2: Set ServerSignature to Off] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email;
+d:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on;
+#
+#
+#8.3: Prevent Information Leakage via Default Apache Content 
+[CIS - Apache Configuration - 8.3: Prevent Information Leakage via Default Apache Content] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+d:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf;
+d:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*;
+#
+#
+#9.1:Set TimeOut to 10 or less 
+[CIS - Apache Configuration - 9.1: Set TimeOut to 10 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^# && r:timeout\s+9\d;
+f:$main-conf -> !r:^# && r:timeout\s+8\d;
+f:$main-conf -> !r:^# && r:timeout\s+7\d;
+f:$main-conf -> !r:^# && r:timeout\s+6\d;
+f:$main-conf -> !r:^# && r:timeout\s+5\d;
+f:$main-conf -> !r:^# && r:timeout\s+4\d;
+f:$main-conf -> !r:^# && r:timeout\s+3\d;
+f:$main-conf -> !r:^# && r:timeout\s+2\d;
+f:$main-conf -> !r:^# && r:timeout\s+11;
+f:$main-conf -> !r:^# && r:timeout\s+12;
+f:$main-conf -> !r:^# && r:timeout\s+13;
+f:$main-conf -> !r:^# && r:timeout\s+14;
+f:$main-conf -> !r:^# && r:timeout\s+15;
+f:$main-conf -> !r:^# && r:timeout\s+16;
+f:$main-conf -> !r:^# && r:timeout\s+17;
+f:$main-conf -> !r:^# && r:timeout\s+18;
+f:$main-conf -> !r:^# && r:timeout\s+19;
+f:$main-conf -> !r:^timeout\s+\d\d*;
+f:$main-conf -> !r:^# && r:timeout\s+\d\d\d+;
+#
+#
+#9.2:Set the KeepAlive directive to On 
+[CIS - Apache Configuration - 9.2: Set the KeepAlive directive to On] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^# && r:keepalive\s+off;
+f:$main-conf -> !r:keepalive\s+on;
+#
+#
+#9.3:Set MaxKeepAliveRequests to 100 or greater
+[CIS - Apache Configuration - 9.3: Set MaxKeepAliveRequest to 100 or greater] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^maxkeepaliverequests\s+\d\d\d+;
+#
+#
+#9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service
+[CIS - Apache Configuration - 9.4: Set KeepAliveTimeout Low] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:keepalivetimeout\s+\d\d*;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+16;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+17;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+18;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+19;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+2\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+3\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+4\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+5\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+6\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+7\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+8\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+9\d;
+f:$main-conf -> !r:^# && r:keepalivetimeout\s+\d\d\d+;
+#
+#
+#9.5 Set Timeout Limits for Request Headers
+[CIS - Apache Configuration - 9.5: Set Timeout Limits for Request Headers] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;
+d:$mods-en -> !f:reqtimeout.load;
+f:$request-confs -> !r:^\t*\s*requestreadtimeout\.+header\p\d\d*\D\d\d*;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D41;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D42;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D43;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D44;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D45;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D46;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D47;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D48;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D49;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D5\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D6\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D7\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D8\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D9\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D\d\d\d+;
+#
+#
+#9.6 Set Timeout Limits for Request Body 
+[CIS - Apache Configuration - 9.6: Set Timeout Limits for Request Body] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;
+d:$mods-en -> !f:reqtimeout.load;
+f:$request-confs -> !r:\t*\s*requestreadtimeout\.+body\p\d\d*;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p21;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p22;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p23;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p24;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p25;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p26;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p27;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p28;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p29;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p3\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p4\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p5\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p6\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p7\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p8\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p9\d;
+f:$request-confs -> !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p\d\d\d+;
+#
+#
+#10.1 Set the LimitRequestLine directive to 512 or less
+[CIS - Apache Configuration - 10.1: Set LimitRequestLine to 512 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^limitrequestline\s+\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\13;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\14;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\15;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\16;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\17;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\18;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\19;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\2\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\3\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\4\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\5\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\6\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\7\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\8\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+5\9\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+6\d\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+7\d\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+8\d\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+9\d\d;
+f:$main-conf -> !r:^# && r:limitrequestline\s+\d\d\d\d+;
+#
+#
+#10.2 Set the LimitRequestFields directive to 100 or less
+[CIS - Apache Configuration - 10.2: Set LimitRequestFields to 100 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^limitrequestfields\s\d\d*;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d1;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d2;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d3;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d4;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d5;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d6;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d7;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d8;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+1\d9;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+11\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+12\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+13\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+14\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+15\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+16\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+17\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+18\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+19\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+2\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+3\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+4\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+5\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+6\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+7\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+8\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+9\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfields\s+\d\d\d\d+;
+#
+#
+#10.3 Set the LimitRequestFieldsize directive to 1024 or less
+[CIS - Apache Configuration - 10.3: Set LimitRequestFieldsize to 1024 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^limitrequestfieldsize\s+\d\d*;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d25;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d26;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d27;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d28;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d29;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d3\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d4\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d5\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d6\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d7\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d8\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+1\d9\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+11\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+12\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+13\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+14\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+15\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+16\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+17\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+18\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+19\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+2\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+3\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+4\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+5\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+6\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+7\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+8\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+9\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestfieldsize\s+\d\d\d\d\d+;
+#
+#
+#10.4 Set the LimitRequestBody directive to 102400 or less
+[CIS - Apache Configuration - 10.4: Set LimitRequestBody to 102400 or less] [any] [https://workbench.cisecurity.org/benchmarks/307, https://workbench.cisecurity.org/benchmarks/308]
+f:$main-conf -> !r:^limitrequestbody\s+\d\d*;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+0\s*$;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d1;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d2;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d3;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d4;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d5;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d6;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d7;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d8;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d24\d9;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d241\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d242\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d243\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d244\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d245\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d246\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d247\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d248\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d249\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d25\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d26\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d27\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d28\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d29\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d3\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d4\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d5\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d6\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d7\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d8\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+1\d9\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+11\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+12\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+13\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+14\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+15\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+16\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+17\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+18\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+19\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+2\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+3\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+4\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+5\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+6\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+7\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+8\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+9\d\d\d\d\d;
+f:$main-conf -> !r:^# && r:limitrequestbody\s+\d\d\d\d\d\d\d+;
diff --git a/etc/ruleset/rootcheck/cis_debian_linux_rcl.txt b/etc/ruleset/rootcheck/cis_debian_linux_rcl.txt
new file mode 100644
index 0000000000..bc12c32cc0
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_debian_linux_rcl.txt
@@ -0,0 +1,203 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2008 Daniel B. Cid - dcid@ossec.net
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Debian/Ubuntu
+# Based on Center for Internet Security Benchmark for Debian Linux v1.0
+
+# Main one. Only valid for Debian/Ubuntu.
+[CIS - Testing against the CIS Debian Linux Benchmark v1.0] [all required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/debian_version;
+f:/proc/sys/kernel/ostype -> Linux;
+
+
+# Section 1.4 - Partition scheme.
+[CIS - Debian Linux - 1.4 - Robust partition scheme - /tmp is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+[CIS - Debian Linux - 1.4 - Robust partition scheme - /opt is not on its own partition {CIS: 1.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/opt;
+f:/etc/fstab -> !r:/opt;
+
+[CIS - Debian Linux - 1.4 - Robust partition scheme - /var is not on its own partition {CIS: 1.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:/var;
+
+
+# Section 2.3 - SSH configuration
+[CIS - Debian Linux - 2.3 - SSH Configuration - Protocol version 1 enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+[CIS - Debian Linux - 2.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+[CIS - Debian Linux - 2.3 - SSH Configuration - Empty passwords permitted {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
+
+[CIS - Debian Linux - 2.3 - SSH Configuration - Host based authentication enabled {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+[CIS - Debian Linux - 2.3 - SSH Configuration - Root login allowed {CIS: 2.3 Debian Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
+
+
+# Section 2.4 Enable system accounting
+#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not installed {CIS: 2.4 Debian Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+#f:!/etc/default/sysstat;
+#f:!/var/log/sysstat;
+
+#[CIS - Debian Linux - 2.4 - System Accounting - Sysstat not enabled {CIS: 2.4 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+#f:!/etc/default/sysstat;
+#f:/etc/default/sysstat -> !r:^# && r:ENABLED="false";
+
+
+# Section 2.5 Install and run Bastille
+#[CIS - Debian Linux - 2.5 - System harderning - Bastille is not installed {CIS: 2.5 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+#f:!/etc/Bastille;
+
+
+# Section 2.6 Ensure sources.list Sanity
+[CIS - Debian Linux - 2.6 - Sources list sanity - Security updates not enabled {CIS: 2.6 Debian Linux} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:!/etc/apt/sources.list;
+f:!/etc/apt/sources.list -> !r:^# && r:http://security.debian|http://security.ubuntu;
+
+
+# Section 3 - Minimize inetd services
+[CIS - Debian Linux - 3.3 - Telnet enabled on inetd {CIS: 3.3 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:telnet;
+
+[CIS - Debian Linux - 3.4 - FTP enabled on inetd {CIS: 3.4 Debian Linux} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:/ftp;
+
+[CIS - Debian Linux - 3.5 - rsh/rlogin/rcp enabled on inetd {CIS: 3.5 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:shell|login;
+
+[CIS - Debian Linux - 3.6 - tftpd enabled on inetd {CIS: 3.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:tftp;
+
+[CIS - Debian Linux - 3.7 - imap enabled on inetd {CIS: 3.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:imap;
+
+[CIS - Debian Linux - 3.8 - pop3 enabled on inetd {CIS: 3.8 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:pop;
+
+[CIS - Debian Linux - 3.9 - Ident enabled on inetd {CIS: 3.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inetd.conf -> !r:^# && r:ident;
+
+
+# Section 4 - Minimize boot services
+[CIS - Debian Linux - 4.1 - Disable inetd - Inetd enabled but no services running {CIS: 4.1 Debian Linux} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+p:inetd;
+f:!/etc/inetd.conf -> !r:^# && r:wait;
+
+[CIS - Debian Linux - 4.3 - GUI login enabled {CIS: 4.3 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/inittab -> !r:^# && r:id:5;
+
+[CIS - Debian Linux - 4.6 - Disable standard boot services - Samba Enabled {CIS: 4.6 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/samba;
+
+[CIS - Debian Linux - 4.7 - Disable standard boot services - NFS Enabled {CIS: 4.7 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/nfs-common;
+f:/etc/init.d/nfs-user-server;
+f:/etc/init.d/nfs-kernel-server;
+
+[CIS - Debian Linux - 4.9 - Disable standard boot services - NIS Enabled {CIS: 4.9 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/nis;
+
+[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/apache;
+f:/etc/init.d/apache2;
+
+[CIS - Debian Linux - 4.15 - Disable standard boot services - DNS server Enabled {CIS: 4.15 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/bind;
+
+[CIS - Debian Linux - 4.16 - Disable standard boot services - MySQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/mysql;
+
+[CIS - Debian Linux - 4.16 - Disable standard boot services - PostgreSQL server Enabled {CIS: 4.16 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/postgresql;
+
+[CIS - Debian Linux - 4.17 - Disable standard boot services - Webmin Enabled {CIS: 4.17 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/webmin;
+
+[CIS - Debian Linux - 4.18 - Disable standard boot services - Squid Enabled {CIS: 4.18 Debian Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/init.d/squid;
+
+
+# Section 5 - Kernel tuning
+[CIS - Debian Linux - 5.1 - Network parameters - Source routing accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+[CIS - Debian Linux - 5.1 - Network parameters - ICMP broadcasts accepted {CIS: 5.1 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+[CIS - Debian Linux - 5.2 - Network parameters - IP Forwarding enabled {CIS: 5.2 Debian Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+
+# Section 7 - Permissions
+[CIS - Debian Linux - 7.1 - Partition /var without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
+
+[CIS - Debian Linux - 7.1 - Partition /tmp without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
+
+[CIS - Debian Linux - 7.1 - Partition /opt without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
+
+[CIS - Debian Linux - 7.1 - Partition /home without 'nodev' set {CIS: 7.1 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
+
+[CIS - Debian Linux - 7.2 - Removable partition /media without 'nodev' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+[CIS - Debian Linux - 7.2 - Removable partition /media without 'nosuid' set {CIS: 7.2 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+[CIS - Debian Linux - 7.3 - User-mounted removable partition /media {CIS: 7.3 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && r:user;
+
+
+# Section 8 - Access and authentication
+[CIS - Debian Linux - 8.8 - LILO Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/lilo.conf -> !r:^# && !r:restricted;
+f:/etc/lilo.conf -> !r:^# && !r:password=;
+
+[CIS - Debian Linux - 8.8 - GRUB Password not set {CIS: 8.8 Debian Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/boot/grub/menu.lst -> !r:^# && !r:password;
+
+[CIS - Debian Linux - 9.2 - Account with empty password present {CIS: 9.2 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - Debian Linux - 13.11 - Non-root account with uid 0 {CIS: 13.11 Debian Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
diff --git a/etc/ruleset/rootcheck/cis_mysql5_6_community_rcl.txt b/etc/ruleset/rootcheck/cis_mysql5_6_community_rcl.txt
new file mode 100644
index 0000000000..25eb72e3a8
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_mysql5_6_community_rcl.txt
@@ -0,0 +1,165 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2017
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry , use "->" to look for a specific entry and another
+# "->" to look for the value.
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for MYSQL 
+# Based on Center for Internet Security Benchmark for MYSQL v1.1.0 
+#
+$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
+$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
+$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
+#
+#
+#1.3 Disable MySQL Command History
+[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
+d:$home_dirs -> ^.mysql_history$;
+#
+#
+#1.5 Disable Interactive Login
+[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
+#
+#
+#1.6 Verify That 'MYSQL_PWD' Is Not In Use
+[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
+#
+#
+#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' 
+[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
+f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
+#
+#
+#4.4 Ensure 'local_infile' Is Disabled
+[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
+f:$mysql-cnfs -> r:local-infile\s*$;
+#
+#
+#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
+[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
+f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
+f:$mysql-cnfs -> r:skip-grant-tables\s*$;
+#
+#
+#4.6 Ensure '--skip-symbolic-links' Is Enabled
+[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
+f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
+f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
+#
+#
+#4.8 Ensure 'secure_file_priv' is not empty
+[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
+f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
+f:$mysql-cnfs -> r:secure_file_priv\s*$;
+#
+#
+#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
+[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:strict_all_tables\s*$;
+#
+#
+#6.1 Ensure 'log_error' is not empty
+[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
+f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
+f:$mysql-cnfs -> r:log_error\s*$;
+#
+#
+#6.2 Ensure Log Files are not Stored on a non-system partition
+[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
+f:$mysql-cnfs -> r:log_bin\s*$;
+#
+#
+#6.3 Ensure 'log_warning' is set to 2 at least
+[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
+f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
+f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
+f:$mysql-cnfs -> r:log_warnings\s*$;
+#
+#
+#6.5 Ensure 'log_raw' is set to 'off'
+[CIS - MySQL Configuration - 6.5: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
+f:$mysql-cnfs -> r:log-raw\s*$;
+#
+#
+#7.1 Ensure 'old_password' is not set to '1' or 'On'
+[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
+f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
+f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
+f:$mysql-cnfs -> r:old_passwords\s*$;
+#
+#
+#7.2 Ensure 'secure_auth' is set to 'ON'
+[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
+f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
+f:$mysql-cnfs -> r:secure_auth\s*$;
+#
+#
+#7.3 Ensure Passwords Are Not Stored in the Global Configuration
+[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
+#
+#
+#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
+[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
+f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
+#
+#
+#7.6 Ensure Password Policy is in Place
+[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
+f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
+f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
+f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
+f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
+f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
+f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
+#
+#
+#9.2 Ensure 'master_info_repository' is set to 'Table'
+[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
+f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
+f:$mysql-cnfs -> r:master_info_repository\s*$;
diff --git a/etc/ruleset/rootcheck/cis_mysql5_6_enterprise_rcl.txt b/etc/ruleset/rootcheck/cis_mysql5_6_enterprise_rcl.txt
new file mode 100644
index 0000000000..2e1671b570
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_mysql5_6_enterprise_rcl.txt
@@ -0,0 +1,215 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2017
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry , use "->" to look for a specific entry and another
+# "->" to look for the value.
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for MYSQL 
+# Based on Center for Internet Security Benchmark for MYSQL v1.1.0 
+#
+$home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
+$enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
+$mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
+#
+#
+#1.3 Disable MySQL Command History
+[CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
+d:$home_dirs -> ^.mysql_history$;
+#
+#
+#1.5 Disable Interactive Login
+[CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
+#
+#
+#1.6 Verify That 'MYSQL_PWD' Is Not In Use
+[CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
+#
+#
+#4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' 
+[CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
+f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
+#
+#
+#4.4 Ensure 'local_infile' Is Disabled
+[CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
+f:$mysql-cnfs -> r:local-infile\s*$;
+#
+#
+#4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
+[CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
+f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
+f:$mysql-cnfs -> r:skip-grant-tables\s*$;
+#
+#
+#4.6 Ensure '--skip-symbolic-links' Is Enabled
+[CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
+f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
+f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
+#
+#
+#4.8 Ensure 'secure_file_priv' is not empty
+[CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
+f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
+f:$mysql-cnfs -> r:secure_file_priv\s*$;
+#
+#
+#4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
+[CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:strict_all_tables\s*$;
+#
+#
+#6.1 Ensure 'log_error' is not empty
+[CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
+f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
+f:$mysql-cnfs -> r:log_error\s*$;
+#
+#
+#6.2 Ensure Log Files are not Stored on a non-system partition
+[CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
+f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
+f:$mysql-cnfs -> r:log_bin\s*$;
+#
+#
+#6.3 Ensure 'log_warning' is set to 2 at least
+[CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
+f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
+f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
+f:$mysql-cnfs -> r:log_warnings\s*$;
+#
+#
+#6.4 Ensure 'log_raw' is set to 'off'
+[CIS - MySQL Configuration - 6.4: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
+f:$mysql-cnfs -> r:log-raw\s*$;
+#
+#
+#6.5 Ensure audit_log_connection_policy is not set to 'none'
+[CIS - MySQL Configuration - 6.5: audit_log_connection_policy is set to 'none' change it to all or erros] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r^# && r::audit_log_connection_policy\s*=\s*none;
+f:$mysql-cnfs -> r:audit_log_connection_policy\s*$;
+#
+#
+#6.6 Ensure audit_log_exclude_account is set to Null
+[CIS - MySQL Configuration - 6.6:audit_log_exclude_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && !r:null\s*$;
+f:$mysql-cnfs -> r:audit_log_exclude_accounts\s*$;
+#
+#
+#6.7 Ensure audit_log_include_accounts is set to Null
+[CIS - MySQL Configuration - 6.7:audit_log_include_accounts is not set to Null] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && !r:null\s*$;
+f:$mysql-cnfs -> r:audit_log_include_accounts\s*$;
+#
+#
+#6.9 Ensure audit_log_policy is not set to all 
+[CIS - MySQL Configuration - 6.9: audit_log_policy is not set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*queries;
+f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*none;
+f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*logins;
+f:$mysql-cnfs -> r:audit_log_policy\s*$;
+#
+#
+#6.10 Ensure audit_log_statement_policy is set to all
+[CIS - MySQL Configuration - 6.10: Ensure audit_log_statement_policy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+errors;
+f:$mysql-cnfs -> !r:^# && r:audit_log_statement_policy\.+none;
+f:$mysql-cnfs -> r:audit_log_statement_policy\s*$;
+#
+#
+#6.11 Ensure audit_log_strategy is set to synchronous or semisynchronous
+[CIS - MySQL Configuration - 6.11: Ensure audit_log_strategy is set to all] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+asynchronous;
+f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\.+performance;
+f:$mysql-cnfs -> !r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous;
+f:$mysql-cnfs -> r:audit_log_strategy\s*$;
+#
+#
+#6.12 Make sure the audit plugin can't be unloaded
+[CIS - MySQL Configuration - 6.12: Audit plugin can be unloaded] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*on\s*;
+f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*off\s*;
+f:$mysql-cnfs -> !r:^# && r:^audit_log\s*=\s*force\s*;
+f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent\s*;
+f:$mysql-cnfs -> r:^audit_log\s$;
+#
+#
+#7.1 Ensure 'old_password' is not set to '1' or 'On'
+[CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
+f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
+f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
+f:$mysql-cnfs -> r:old_passwords\s*$;
+#
+#
+#7.2 Ensure 'secure_auth' is set to 'ON'
+[CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
+f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
+f:$mysql-cnfs -> r:secure_auth\s*$;
+#
+#
+#7.3 Ensure Passwords Are Not Stored in the Global Configuration
+[CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
+#
+#
+#7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
+[CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
+f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
+#
+#
+#7.6 Ensure Password Policy is in Place
+[CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
+f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
+f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
+f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
+f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
+f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
+f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
+#
+#
+#9.2 Ensure 'master_info_repository' is set to 'Table'
+[CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
+f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
+f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
+f:$mysql-cnfs -> r:master_info_repository\s*$;
diff --git a/etc/ruleset/rootcheck/cis_rhel5_linux_rcl.txt b/etc/ruleset/rootcheck/cis_rhel5_linux_rcl.txt
new file mode 100644
index 0000000000..afc16ff24f
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_rhel5_linux_rcl.txt
@@ -0,0 +1,852 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for Red Hat / CentOS 5
+# Based on CIS Benchmark for Red Hat Enterprise Linux 5 v2.1.0
+
+# TODO: URL is invalid currently
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;
+f:/etc/redhat-release -> r:^CentOS && r:release 5;
+f:/etc/redhat-release -> r:^Cloud && r:release 5;
+f:/etc/redhat-release -> r:^Oracle && r:release 5;
+f:/etc/redhat-release -> r:^Better && r:release 5;
+
+
+# 1.1.1 /tmp: partition
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 1.1.1 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+# 1.1.2 /tmp: nodev
+[CIS - RHEL5 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 1.1.3 /tmp: nosuid
+[CIS - RHEL5 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
+
+# 1.1.4 /tmp: noexec
+[CIS - RHEL5 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 1.1.5 Build considerations - Partition scheme.
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r^# && !r:/var;
+
+# 1.1.6 bind mount /var/tmp to /tmp
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
+
+# 1.1.7 /var/log: partition
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log;
+
+# 1.1.8 /var/log/audit: partition
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log/audit;
+
+# 1.1.9 /home: partition
+[CIS - RHEL5 - - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 Debian RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/home;
+
+# 1.1.10 /home: nodev
+[CIS - RHEL5 - 1.1.10 -  Partition /home without 'nodev' set {CIS: 1.1.10 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
+
+# 1.1.11 nodev on removable media partitions (not scored)
+[CIS - RHEL5 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+# 1.1.12 noexec on removable media partitions (not scored)
+[CIS - RHEL5 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
+
+# 1.1.13 nosuid on removable media partitions (not scored)
+[CIS - RHEL5 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+# 1.1.14 /dev/shm: nodev
+[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
+
+# 1.1.15 /dev/shm: nosuid
+[CIS - RHEL5 - 1.1.11 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
+
+# 1.1.16 /dev/shm: noexec
+[CIS - RHEL5 - 1.1.11 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+
+# 1.1.17 sticky bit on world writable directories (Scored)
+# TODO
+
+# 1.1.18 disable cramfs (not scored)
+
+# 1.1.19 disable freevxfs (not scored)
+
+# 1.1.20 disable jffs2 (not scored)
+
+# 1.1.21 disable hfs (not scored)
+
+# 1.1.22 disable hfsplus (not scored)
+
+# 1.1.23 disable squashfs (not scored)
+
+# 1.1.24 disable udf (not scored)
+
+
+##########################################
+# 1.2 Software Updates
+##########################################
+
+# 1.2.1 Configure rhn updates (not scored)
+
+# 1.2.2 verify  RPM gpg keys  (Scored)
+# TODO
+
+# 1.2.3 verify gpgcheck enabled (Scored)
+# TODO
+
+# 1.2.4 Disable rhnsd (not scored)
+
+# 1.2.5 Disable yum-updatesd (Scored)
+[CIS - RHEL5 - 1.2.5 - yum-updatesd not Disabled {CIS: 1.2.5 RHEL5} {PCI_DSS: 6.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+p:yum-updatesd;
+
+# 1.2.6 Obtain updates with yum (not scored)
+
+# 1.2.7 Verify package integrity (not scored)
+
+
+###############################################
+# 1.3 Advanced Intrusion Detection Environment
+###############################################
+#
+# Skipped, this control is obsoleted by OSSEC
+#
+
+
+###############################################
+# 1.4 Configure SELinux
+###############################################
+
+# 1.4.1 enable selinux in /etc/grub.conf
+[CIS - RHEL5 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/grub.conf -> !r:selinux=0;
+
+# 1.4.2 Set selinux state
+[CIS - RHEL5 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/selinux/config -> r:SELINUX=enforcing;
+
+# 1.4.3 Set seliux policy
+[CIS - RHEL5 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/selinux/config -> r:SELINUXTYPE=targeted;
+
+# 1.4.4 Remove SETroubleshoot
+[CIS - RHEL5 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsetroubleshoot$;
+
+# 1.4.5 Disable MCS Translation service mcstrans
+[CIS - RHEL5 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dmctrans$;
+
+# 1.4.6 Check for unconfined daemons
+# TODO
+
+
+###############################################
+# 1.5  Secure Boot Settings
+###############################################
+
+# 1.5.1 Set User/Group Owner on /etc/grub.conf
+# TODO (no mode tests)
+
+# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
+# TODO (no mode tests)
+
+# 1.5.3 Set Boot Loader Password (Scored)
+[CIS - RHEL5 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/boot/grub/menu.lst -> !r:^# && !r:password;
+
+# 1.5.4 Require Authentication for Single-User Mode (Scored)
+[CIS - RHEL5 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/inittab -> !r:^# && r:S:wait;
+
+# 1.5.5 Disable Interactive Boot (Scored)
+[CIS - RHEL5 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no;
+
+
+
+###############################################
+# 1.6  Additional Process Hardening
+###############################################
+
+# 1.6.1 Restrict Core Dumps (Scored)
+[CIS - RHEL5 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
+
+# 1.6.2 Configure ExecShield (Scored)
+[CIS - RHEL5 - 1.6.2 - ExecShield not enabled  {CIS: 1.6.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/kernel/exec-shield -> 0;
+
+# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
+[CIS - RHEL5 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled  {CIS: 1.6.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/kernel/randomize_va_space -> 0;
+
+# 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
+# TODO
+
+# 1.6.5 Disable Prelink (Scored)
+[CIS - RHEL5 - 1.6.5 - Prelink not disabled {CIS: 1.6.5 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/sysconfig/prelink -> !r:PRELINKING=no;
+
+
+###############################################
+# 1.7  Use the Latest OS Release
+###############################################
+
+
+###############################################
+# 2 OS Services
+###############################################
+
+###############################################
+# 2.1 Remove Legacy Services
+###############################################
+
+# 2.1.1 Remove telnet-server (Scored)
+# TODO: detect it is installed at all
+[CIS - RHEL5 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
+
+
+# 2.1.2 Remove telnet Clients (Scored)
+# TODO
+
+# 2.1.3 Remove rsh-server (Scored)
+[CIS - RHEL5 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
+
+# 2.1.4 Remove rsh (Scored)
+# TODO
+
+# 2.1.5 Remove NIS Client (Scored)
+[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+
+# 2.1.6 Remove NIS Server (Scored)
+[CIS - RHEL5 - 2.1.5 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypserv$;
+
+# 2.1.7 Remove tftp (Scored)
+# TODO
+
+# 2.1.8 Remove tftp-server (Scored)
+[CIS - RHEL5 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
+
+# 2.1.9 Remove talk (Scored)
+# TODO
+
+# 2.1.10 Remove talk-server (Scored)
+[CIS - RHEL5 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
+
+# 2.1.11 Remove xinetd (Scored)
+# TODO
+
+# 2.1.12 Disable chargen-dgram (Scored)
+# TODO
+
+# 2.1.13 Disable chargen-stream (Scored)
+# TODO
+
+# 2.1.14 Disable daytime-dgram (Scored)
+# TODO
+
+# 2.1.15 Disable daytime-stream (Scored)
+# TODO
+
+# 2.1.16 Disable echo-dgram (Scored)
+# TODO
+
+# 2.1.17 Disable echo-stream (Scored)
+# TODO
+
+# 2.1.18 Disable tcpmux-server (Scored)
+# TODO
+
+
+###############################################
+# 3 Special Purpose Services
+###############################################
+
+###############################################
+# 3.1 Disable Avahi Server
+###############################################
+
+# 3.1.1 Disable Avahi Server (Scored)
+[CIS - RHEL5 - 3.1.1 - Avahi daemon not disabled {CIS: 3.1.1 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+p:avahi-daemon;
+
+# 3.1.2 Service Only via Required Protocol (Not Scored)
+# TODO
+
+# 3.1.3 Check Responses TTL Field (Scored)
+# TODO
+
+# 3.1.4 Prevent Other Programs from Using Avahi’s Port (Not Scored)
+# TODO
+
+# 3.1.5 Disable Publishing (Not Scored)
+
+# 3.1.6 Restrict Published Information (if publishing is required) (Not scored)
+
+# 3.2 Set Daemon umask (Scored)
+[CIS - RHEL5 - 3.2 - Set daemon umask - Default umask is higher than 027 {CIS: 3.2 RHEL5}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;
+
+# 3.3 Remove X Windows (Scored)
+[CIS - RHEL5 - 3.3 - X11 not disabled {CIS: 3.3 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/inittab -> !r:^# && r:id:5;
+
+# 3.4 Disable Print Server - CUPS (Not Scored)
+
+# 3.5 Remove DHCP Server (Not Scored)
+# TODO
+
+# 3.6 Configure Network Time Protocol (NTP) (Scored)
+#[CIS - RHEL5 - 3.6 - NTPD not disabled {CIS: 3.6 RHEL5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+# TODO.
+
+# 3.7 Remove LDAP (Not Scored)
+
+# 3.8 Disable NFS and RPC (Not Scored)
+[CIS - RHEL5 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+# 3.9 Remove DNS Server (Not Scored)
+# TODO
+
+# 3.10 Remove FTP Server (Not Scored)
+[CIS - RHEL5 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL5} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
+
+# 3.11 Remove HTTP Server (Not Scored)
+[CIS - RHEL5 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dhttpd$;
+
+# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+[CIS - RHEL5 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
+
+[CIS - RHEL5 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
+
+# 3.13 Remove Samba (Not Scored)
+[CIS - RHEL5 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+# 3.14 Remove HTTP Proxy Server (Not Scored)
+[CIS - RHEL5 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+# 3.15 Remove SNMP Server (Not Scored)
+[CIS - RHEL5 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL5} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# TODO
+
+
+###############################################
+# 4 Network Configuration and Firewalls
+###############################################
+
+###############################################
+# 4.1 Modify Network Parameters (Host Only)
+###############################################
+
+# 4.1.1 Disable IP Forwarding (Scored)
+[CIS - RHEL5 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+# 4.1.2 Disable Send Packet Redirects (Scored)
+[CIS - RHEL5 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
+f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
+
+
+###############################################
+# 4.2 Modify Network Parameters (Host and Router)
+###############################################
+
+# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
+[CIS - RHEL5 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
+[CIS - RHEL5 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 4.2.2 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
+
+# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+[CIS - RHEL5 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
+
+# 4.2.4 Log Suspicious Packets (Scored)
+[CIS - RHEL5 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
+
+# 4.2.5 Enable Ignore Broadcast Requests (Scored)
+[CIS - RHEL5 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+# 4.2.6 Enable Bad Error Message Protection (Scored)
+[CIS - RHEL5 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
+
+# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
+[CIS - RHEL5 - 4.2.7 - Network parameters - RFC Source route validation not enabled  {CIS: 4.2.7 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
+f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
+
+# 4.2.8 Enable TCP SYN Cookies (Scored)
+[CIS - RHEL5 - 4.2.8 - Network parameters - SYN Cookies not enabled  {CIS: 4.2.8 RHEL5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
+
+
+###############################################
+# 4.3 Wireless Networking
+###############################################
+
+# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
+
+
+###############################################
+# 4.4 Disable ipv6
+###############################################
+
+###############################################
+# 4.4.1 Configure IPv6
+###############################################
+
+# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
+
+# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
+
+# 4.4.2 Disable IPv6 (Not Scored)
+
+
+###############################################
+# 4.5 Install TCP Wrappers
+###############################################
+
+# 4.5.1 Install TCP Wrappers (Not Scored)
+
+# 4.5.2 Create /etc/hosts.allow (Not Scored)
+
+# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
+# TODO
+
+# 4.5.4 Create /etc/hosts.deny (Not Scored)
+
+# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
+# TODO
+
+
+###############################################
+# 4.6 Uncommon Network Protocols
+###############################################
+
+# 4.6.1 Disable DCCP (Not Scored)
+
+# 4.6.2 Disable SCTP (Not Scored)
+
+# 4.6.3 Disable RDS (Not Scored)
+
+# 4.6.4 Disable TIPC (Not Scored)
+
+# 4.7 Enable IPtables (Scored)
+# TODO
+
+# 4.8 Enable IP6tables (Not Scored)
+
+
+###############################################
+# 5 Logging and Auditing
+###############################################
+
+###############################################
+# 5.1 Configure Syslog
+###############################################
+
+# 5.1.1 Configure /etc/syslog.conf (Not Scored)
+
+# 5.1.2 Create and Set Permissions on syslog Log Files (Scored)
+
+# 5.1.3 Configure syslog to Send Logs to a Remote Log Host (Scored)
+
+# 5.1.4 Accept Remote syslog Messages Only on Designated Log Hosts (Not Scored)
+
+
+###############################################
+# 5.2 Configure rsyslog
+###############################################
+
+# 5.2.1 Install the rsyslog package (Not Scored)
+
+# 5.2.2 Activate the rsyslog Service (Not Scored)
+
+# 5.2.3 Configure /etc/rsyslog.conf (Not Scored)
+
+# 5.2.4 Create and Set Permissions on rsyslog Log Files (Not Scored)
+
+# 5.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Not Scored)
+
+# 5.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+
+
+###############################################
+# 5.3 Configure System Accounting (auditd)
+###############################################
+
+###############################################
+# 5.3.1 Configure Data Retention
+###############################################
+
+# 5.3.1.1 Configure Audit Log Storage Size (Not Scored)
+
+# 5.3.1.2 Disable System on Audit Log Full (Not Scored)
+
+# 5.3.1.3 Keep All Auditing Information (Scored)
+
+# 5.3.2 Enable auditd Service (Scored)
+
+# 5.3.3 Configure Audit Log Storage Size (Not Scored)
+
+# 5.3.4 Disable System on Audit Log Full (Not Scored)
+
+# 5.3.5 Keep All Auditing Information (Scored)
+
+# 5.3.6 Enable Auditing for Processes That Start Prior to auditd (Scored)
+
+# 5.3.7 Record Events That Modify Date and Time Information (Scored)
+
+# 5.3.8 Record Events That Modify User/Group Information (Scored)
+
+# 5.3.9 Record Events That Modify the System’s Network Environment (Scored)
+
+# 5.3.10 Record Events That Modify the System’s Mandatory Access Controls (Scored)
+
+# 5.3.11 Collect Login and Logout Events (Scored)
+
+# 5.3.12 Collect Session Initiation Information (Scored)
+
+# 5.3.13 Collect Discretionary Access Control Permission Modification Events (Scored)
+
+# 5.3.14 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+
+# 5.3.15 Collect Use of Privileged Commands (Scored)
+
+# 5.3.16 Collect Successful File System Mounts (Scored)
+
+# 5.3.17 Collect File Deletion Events by User (Scored)
+
+# 5.3.18 Collect Changes to System Administration Scope (sudoers) (Scored)
+
+# 5.3.19 Collect System Administrator Actions (sudolog) (Scored)
+
+# 5.3.20 Collect Kernel Module Loading and Unloading (Scored)
+
+# 5.3.21 Make the Audit Configuration Immutable (Scored)
+
+# 5.4 Configure logrotate (Not Scored)
+
+
+###############################################
+# 6 System Access, Authentication and Authorization
+###############################################
+
+###############################################
+# 6.1 Configure cron and anacron
+###############################################
+
+# 6.1.1 Enable anacron Daemon (Scored)
+
+# 6.1.2 Enable cron Daemon (Scored)
+
+# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
+
+# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
+
+# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+
+# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+
+# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+
+# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+
+# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+
+# 6.1.10 Restrict at Daemon (Scored)
+
+# 6.1.11 Restrict at/cron to Authorized Users (Scored)
+
+###############################################
+# 6.1 Configure SSH
+###############################################
+
+# 6.2.1 Set SSH Protocol to 2 (Scored)
+[CIS - RHEL5 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+# 6.2.2 Set LogLevel to INFO (Scored)
+
+# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+
+# 6.2.4 Disable SSH X11 Forwarding (Scored)
+
+# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+
+# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+[CIS - RHEL5 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
+[CIS - RHEL5 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+# 6.2.8 Disable SSH Root Login (Scored)
+[CIS - RHEL5 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
+
+# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+[CIS - RHEL5 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL5} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
+
+# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
+
+# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
+
+# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
+
+# 6.2.13 Limit Access via SSH (Scored)
+
+# 6.2.14 Set SSH Banner (Scored)
+
+# 6.2.15 Enable SSH UsePrivilegeSeparation (Scored)
+
+
+###############################################
+# 6.3 Configure PAM
+###############################################
+
+# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+
+# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored)
+
+# 6.3.3 Use pam_deny.so to Deny Services (Not Scored)
+
+# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
+
+# 6.3.5 Limit Password Reuse (Scored)
+
+# 6.3.6 Remove the pam_ccreds Package (Scored)
+
+# 6.4 Restrict root Login to System Console (Not Scored)
+
+# 6.5 Restrict Access to the su Command (Scored)
+
+
+###############################################
+# 7 User Accounts and Environment
+###############################################
+
+###############################################
+# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
+###############################################
+
+# 7.1.1 Set Password Expiration Days (Scored)
+
+# 7.1.2 Set Password Change Minimum Number of Days (Scored)
+
+# 7.1.3 Set Password Expiring Warning Days (Scored)
+
+# 7.2 Disable System Accounts (Scored)
+
+# 7.3 Set Default Group for root Account (Scored)
+
+# 7.4 Set Default umask for Users (Scored)
+
+# 7.5 Lock Inactive User Accounts (Scored)
+
+
+###############################################
+# 8 Warning Banners
+###############################################
+
+###############################################
+# 8.1 Warning Banners for Standard Login Services
+###############################################
+
+# 8.1.1 Set Warning Banner for Standard Login Services (Scored)
+
+# 8.1.2 Remove OS Information from Login Warning Banners (Scored)
+
+# 8.2 Set GNOME Warning Banner (Not Scored)
+
+
+###############################################
+# 9 System Maintenance
+###############################################
+
+###############################################
+# 9.1 Verify System File Permissions
+###############################################
+
+# 9.1.1 Verify System File Permissions (Not Scored)
+
+# 9.1.2 Verify Permissions on /etc/passwd (Scored)
+
+# 9.1.3 Verify Permissions on /etc/shadow (Scored)
+
+# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
+
+# 9.1.5 Verify Permissions on /etc/group (Scored)
+
+# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
+
+# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
+
+# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
+
+# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
+
+# 9.1.10 Find World Writable Files (Not Scored)
+
+# 9.1.11 Find Un-owned Files and Directories (Scored)
+
+# 9.1.12 Find Un-grouped Files and Directories (Scored)
+
+# 9.1.13 Find SUID System Executables (Not Scored)
+
+# 9.1.14 Find SGID System Executables (Not Scored)
+
+
+###############################################
+# 9.2 Review User and Group Settings
+###############################################
+
+# 9.2.1 Ensure Password Fields are Not Empty (Scored)
+
+# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+
+# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+
+# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+
+# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+[CIS - RHEL5 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL5} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+# 9.2.6 Ensure root PATH Integrity (Scored)
+
+# 9.2.7 Check Permissions on User Home Directories (Scored)
+
+# 9.2.8 Check User Dot File Permissions (Scored)
+
+# 9.2.9 Check Permissions on User .netrc Files (Scored)
+
+# 9.2.10 Check for Presence of User .rhosts Files (Scored)
+
+# 9.2.11 Check Groups in /etc/passwd (Scored)
+
+# 9.2.12 Check That Users Are Assigned Home Directories (Scored)
+
+# 9.2.13 Check That Defined Home Directories Exist (Scored)
+
+# 9.2.14 Check User Home Directory Ownership (Scored)
+
+# 9.2.15 Check for Duplicate UIDs (Scored)
+
+# 9.2.16 Check for Duplicate GIDs (Scored)
+
+# 9.2.17 Check That Reserved UIDs Are Assigned to System Accounts
+
+# 9.2.18 Check for Duplicate User Names (Scored)
+
+# 9.2.19 Check for Duplicate Group Names (Scored)
+
+# 9.2.20 Check for Presence of User .netrc Files (Scored)
+
+# 9.2.21 Check for Presence of User .forward Files (Scored)
+
+# Other/Legacy Tests
+[CIS - RHEL5 - X.X.X - Account with empty password present  {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - RHEL5 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+[CIS - RHEL5 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+[CIS - RHEL5 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - RHEL5 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - RHEL5 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - RHEL5 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
diff --git a/etc/ruleset/rootcheck/cis_rhel6_linux_rcl.txt b/etc/ruleset/rootcheck/cis_rhel6_linux_rcl.txt
new file mode 100644
index 0000000000..48b8a87045
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_rhel6_linux_rcl.txt
@@ -0,0 +1,794 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for Red Hat / CentOS 6
+# Based on CIS Benchmark for Red Hat Enterprise Linux 6 v1.3.0
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+[CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;
+f:/etc/redhat-release -> r:^CentOS && r:release 6;
+f:/etc/redhat-release -> r:^Cloud && r:release 6;
+f:/etc/redhat-release -> r:^Oracle && r:release 6;
+f:/etc/redhat-release -> r:^Better && r:release 6;
+
+# 1.1.1 /tmp: partition
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+# 1.1.2 /tmp: nodev
+[CIS - RHEL6 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 1.1.3 /tmp: nosuid
+[CIS - RHEL6 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
+
+# 1.1.4 /tmp: noexec
+[CIS - RHEL6 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 1.1.5 Build considerations - Partition scheme.
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r^# && !r:/var;
+
+# 1.1.6 bind mount /var/tmp to /tmp
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
+
+# 1.1.7 /var/log: partition
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log;
+
+# 1.1.8 /var/log/audit: partition
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log/audit;
+
+# 1.1.9 /home: partition
+[CIS - RHEL6 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> ^# && !r:/home;
+
+# 1.1.10 /home: nodev
+[CIS - RHEL6 - 1.1.10 -  Partition /home without 'nodev' set {CIS: 1.1.10 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
+
+# 1.1.11 nodev on removable media partitions (not scored)
+[CIS - RHEL6 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+# 1.1.12 noexec on removable media partitions (not scored)
+[CIS - RHEL6 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
+
+# 1.1.13 nosuid on removable media partitions (not scored)
+[CIS - RHEL6 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+# 1.1.14 /dev/shm: nodev
+[CIS - RHEL6 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
+
+# 1.1.15 /dev/shm: nosuid
+[CIS - RHEL6 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
+
+# 1.1.16 /dev/shm: noexec
+[CIS - RHEL6 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+
+# 1.1.17 sticky bit on world writable directories (Scored)
+# TODO
+
+# 1.1.18 disable cramfs (not scored)
+
+# 1.1.19 disable freevxfs (not scored)
+
+# 1.1.20 disable jffs2 (not scored)
+
+# 1.1.21 disable hfs (not scored)
+
+# 1.1.22 disable hfsplus (not scored)
+
+# 1.1.23 disable squashfs (not scored)
+
+# 1.1.24 disable udf (not scored)
+
+
+##########################################
+# 1.2 Software Updates
+##########################################
+
+# 1.2.1 Configure rhn updates (not scored)
+
+# 1.2.2 verify  RPM gpg keys  (Scored)
+# TODO
+
+# 1.2.3 verify gpgcheck enabled (Scored)
+# TODO
+
+# 1.2.4 Disable rhnsd (not scored)
+
+# 1.2.5 Obtain Software Package Updates with yum (Not Scored)
+
+# 1.2.6 Obtain updates with yum (not scored)
+
+
+###############################################
+# 1.3 Advanced Intrusion Detection Environment
+###############################################
+#
+# Skipped, this control is obsoleted by OSSEC
+#
+
+###############################################
+# 1.4 Configure SELinux
+###############################################
+
+# 1.4.1 enable selinux in /etc/grub.conf
+[CIS - RHEL6 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/grub.conf -> !r:selinux=0;
+
+# 1.4.2 Set selinux state
+[CIS - RHEL6 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/selinux/config -> r:SELINUX=enforcing;
+
+# 1.4.3 Set seliux policy
+[CIS - RHEL6 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/selinux/config -> r:SELINUXTYPE=targeted;
+
+# 1.4.4 Remove SETroubleshoot
+[CIS - RHEL6 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dsetroubleshoot$;
+
+# 1.4.5 Disable MCS Translation service mcstrans
+[CIS - RHEL6 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dmctrans$;
+
+# 1.4.6 Check for unconfined daemons
+# TODO
+
+
+###############################################
+# 1.5  Secure Boot Settings
+###############################################
+
+# 1.5.1 Set User/Group Owner on /etc/grub.conf
+# TODO (no mode tests)
+
+# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
+# TODO (no mode tests)
+
+# 1.5.3 Set Boot Loader Password (Scored)
+[CIS - RHEL6 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/boot/grub/menu.lst -> !r:^# && !r:password;
+
+# 1.5.4 Require Authentication for Single-User Mode (Scored)
+[CIS - RHEL6 - 1.5.4 - Authentication for single user mode not enabled {CIS: 1.5.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/inittab -> !r:^# && r:S:wait;
+
+# 1.5.5 Disable Interactive Boot (Scored)
+[CIS - RHEL6 - 1.5.5 - Interactive Boot not disabled {CIS: 1.5.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no;
+
+
+###############################################
+# 1.6  Additional Process Hardening
+###############################################
+
+# 1.6.1 Restrict Core Dumps (Scored)
+[CIS - RHEL6 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
+
+# 1.6.2 Configure ExecShield (Scored)
+[CIS - RHEL6 - 1.6.2 - ExecShield not enabled  {CIS: 1.6.2 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/kernel/exec-shield -> 0;
+
+# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
+[CIS - RHEL6 - 1.6.3 - Randomized Virtual Memory Region Placement not enabled  {CIS: 1.6.3 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/kernel/randomize_va_space -> 0;
+
+
+###############################################
+# 1.7  Use the Latest OS Release  (Not Scored)
+###############################################
+
+
+###############################################
+# 2 OS Services
+###############################################
+
+###############################################
+# 2.1 Remove Legacy Services
+###############################################
+
+# 2.1.1 Remove telnet-server (Scored)
+# TODO: detect it is installed at all
+[CIS - RHEL6 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
+
+
+# 2.1.2 Remove telnet Clients (Scored)
+# TODO
+
+# 2.1.3 Remove rsh-server (Scored)
+[CIS - RHEL6 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
+
+# 2.1.4 Remove rsh (Scored)
+# TODO
+
+# 2.1.5 Remove NIS Client (Scored)
+[CIS - RHEL6 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+
+# 2.1.6 Remove NIS Server (Scored)
+[CIS - RHEL6 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dypserv$;
+
+# 2.1.7 Remove tftp (Scored)
+# TODO
+
+# 2.1.8 Remove tftp-server (Scored)
+[CIS - RHEL6 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
+
+# 2.1.9 Remove talk (Scored)
+# TODO
+
+# 2.1.10 Remove talk-server (Scored)
+[CIS - RHEL6 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL6} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
+
+# 2.1.11 Remove xinetd (Scored)
+# TODO
+
+# 2.1.12 Disable chargen-dgram (Scored)
+# TODO
+
+# 2.1.13 Disable chargen-stream (Scored)
+# TODO
+
+# 2.1.14 Disable daytime-dgram (Scored)
+# TODO
+
+# 2.1.15 Disable daytime-stream (Scored)
+# TODO
+
+# 2.1.16 Disable echo-dgram (Scored)
+# TODO
+
+# 2.1.17 Disable echo-stream (Scored)
+# TODO
+
+# 2.1.18 Disable tcpmux-server (Scored)
+# TODO
+
+
+###############################################
+# 3 Special Purpose Services
+###############################################
+
+# 3.1 Set Daemon umask (Scored)
+[CIS - RHEL6 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL6} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;
+
+# 3.2 Remove X Windows (Scored)
+[CIS - RHEL6 - 3.2 - X11 not disabled {CIS: 3.2 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/inittab -> !r:^# && r:id:5;
+
+# 3.3 Disable Avahi Server (Scored)
+[CIS - RHEL6 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+p:avahi-daemon;
+
+# 3.4 Disable Print Server - CUPS (Not Scored)
+
+# 3.5 Remove DHCP Server (Not Scored)
+# TODO
+
+# 3.6 Configure Network Time Protocol (NTP) (Scored)
+#[CIS - RHEL6 - 3.6 - NTPD not disabled {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+# TODO.
+
+# 3.7 Remove LDAP (Not Scored)
+
+# 3.8 Disable NFS and RPC (Not Scored)
+[CIS - RHEL6 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+# 3.9 Remove DNS Server (Not Scored)
+# TODO
+
+# 3.10 Remove FTP Server (Not Scored)
+[CIS - RHEL6 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
+
+# 3.11 Remove HTTP Server (Not Scored)
+[CIS - RHEL6 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL6}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dhttpd$;
+
+# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+[CIS - RHEL6 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
+
+[CIS - RHEL6 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
+
+# 3.13 Remove Samba (Not Scored)
+[CIS - RHEL6 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+# 3.14 Remove HTTP Proxy Server (Not Scored)
+[CIS - RHEL6 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+# 3.15 Remove SNMP Server (Not Scored)
+[CIS - RHEL6 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL6} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# TODO
+
+
+###############################################
+# 4 Network Configuration and Firewalls
+###############################################
+
+###############################################
+# 4.1 Modify Network Parameters (Host Only)
+###############################################
+
+# 4.1.1 Disable IP Forwarding (Scored)
+[CIS - RHEL6 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+# 4.1.2 Disable Send Packet Redirects (Scored)
+[CIS - RHEL6 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
+f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
+
+
+###############################################
+# 4.2 Modify Network Parameters (Host and Router)
+###############################################
+
+# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
+[CIS - RHEL6 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
+#[CIS - RHEL6 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+#f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
+#f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
+
+# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+[CIS - RHEL6 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
+
+# 4.2.4 Log Suspicious Packets (Scored)
+[CIS - RHEL6 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
+
+# 4.2.5 Enable Ignore Broadcast Requests (Scored)
+[CIS - RHEL6 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+# 4.2.6 Enable Bad Error Message Protection (Scored)
+[CIS - RHEL6 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
+
+# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
+[CIS - RHEL6 - 4.2.7 - Network parameters - RFC Source route validation not enabled  {CIS: 4.2.7 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
+f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
+
+# 4.2.8 Enable TCP SYN Cookies (Scored)
+[CIS - RHEL6 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL6} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
+
+
+###############################################
+# 4.3 Wireless Networking
+###############################################
+
+# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
+
+
+###############################################
+# 4.4 Disable ipv6
+###############################################
+
+###############################################
+# 4.4.1 Configure IPv6
+###############################################
+
+# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
+
+# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
+
+# 4.4.2 Disable IPv6 (Not Scored)
+
+
+###############################################
+# 4.5 Install TCP Wrappers
+###############################################
+
+# 4.5.1 Install TCP Wrappers (Not Scored)
+
+# 4.5.2 Create /etc/hosts.allow (Not Scored)
+
+# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
+# TODO
+
+# 4.5.4 Create /etc/hosts.deny (Not Scored)
+
+# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
+# TODO
+
+
+###############################################
+# 4.6 Uncommon Network Protocols
+###############################################
+
+# 4.6.1 Disable DCCP (Not Scored)
+
+# 4.6.2 Disable SCTP (Not Scored)
+
+# 4.6.3 Disable RDS (Not Scored)
+
+# 4.6.4 Disable TIPC (Not Scored)
+
+# 4.7 Enable IPtables (Scored)
+# TODO
+
+# 4.8 Enable IP6tables (Not Scored)
+
+
+###############################################
+# 5 Logging and Auditing
+###############################################
+
+###############################################
+# 5.1 Configure Syslog
+###############################################
+
+# 5.1.1 Install the rsyslog package (Scored)
+# TODO
+
+# 5.1.2 Activate the rsyslog Service (Scored)
+# TODO
+
+# 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
+
+# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
+
+# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
+
+# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+
+
+###############################################
+# 5.2 Configure System Accounting (auditd)
+###############################################
+
+###############################################
+# 5.2.1 Configure Data Retention
+###############################################
+
+# 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
+
+# 5.2.1.2 Disable System on Audit Log Full (Not Scored)
+
+# 5.2.1.3 Keep All Auditing Information (Scored)
+
+# 5.2.2 Enable auditd Service (Scored)
+
+# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+
+# 5.2.4 Record Events That Modify Date and Time Information (Scored)
+
+# 5.2.5 Record Events That Modify User/Group Information (Scored)
+
+# 5.2.6 Record Events That Modify the System’s Network Environment (Scored)
+
+# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
+
+# 5.2.8 Collect Login and Logout Events (Scored)
+
+# 5.2.9 Collect Session Initiation Information (Scored)
+
+# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+
+# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+
+# 5.2.12 Collect Use of Privileged Commands (Scored)
+
+# 5.2.13 Collect Successful File System Mounts (Scored)
+
+# 5.2.14 Collect File Deletion Events by User (Scored)
+
+# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+
+# 5.2.16 Collect System Administrator Actions (sudolog) (Scored)
+
+# 5.2.17 Collect Kernel Module Loading and Unloading (Scored)
+
+# 5.2.18 Make the Audit Configuration Immutable (Scored)
+
+# 5.3 Configure logrotate (Not Scored)
+
+
+###############################################
+# 6 System Access, Authentication and Authorization
+###############################################
+
+###############################################
+# 6.1 Configure cron and anacron
+###############################################
+
+# 6.1.1 Enable anacron Daemon (Scored)
+
+# 6.1.2 Enable cron Daemon (Scored)
+
+# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
+
+# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
+
+# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+
+# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+
+# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+
+# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+
+# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+
+# 6.1.10 Restrict at Daemon (Scored)
+
+# 6.1.11 Restrict at/cron to Authorized Users (Scored)
+
+###############################################
+# 6.1 Configure SSH
+###############################################
+
+# 6.2.1 Set SSH Protocol to 2 (Scored)
+[CIS - RHEL6 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+# 6.2.2 Set LogLevel to INFO (Scored)
+
+# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+
+# 6.2.4 Disable SSH X11 Forwarding (Scored)
+
+# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+
+# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+[CIS - RHEL6 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
+[CIS - RHEL6 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+# 6.2.8 Disable SSH Root Login (Scored)
+[CIS - RHEL6 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
+
+# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+[CIS - RHEL6 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL6} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
+
+# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
+
+# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
+
+# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
+
+# 6.2.13 Limit Access via SSH (Scored)
+
+# 6.2.14 Set SSH Banner (Scored)
+
+
+###############################################
+# 6.3 Configure PAM
+###############################################
+
+# 6.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+
+# 6.3.2 Set Lockout for Failed Password Attempts (Not Scored)
+
+# 6.3.3 Use pam_deny.so to Deny Services (Not Scored)
+
+# 6.3.4 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
+
+# 6.3.5 Limit Password Reuse (Scored)
+
+# 6.4 Restrict root Login to System Console (Not Scored)
+
+# 6.5 Restrict Access to the su Command (Scored)
+
+
+###############################################
+# 7 User Accounts and Environment
+###############################################
+
+###############################################
+# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
+###############################################
+
+# 7.1.1 Set Password Expiration Days (Scored)
+
+# 7.1.2 Set Password Change Minimum Number of Days (Scored)
+
+# 7.1.3 Set Password Expiring Warning Days (Scored)
+
+# 7.2 Disable System Accounts (Scored)
+
+# 7.3 Set Default Group for root Account (Scored)
+
+# 7.4 Set Default umask for Users (Scored)
+
+# 7.5 Lock Inactive User Accounts (Scored)
+
+
+###############################################
+# 8 Warning Banners
+###############################################
+
+###############################################
+# 8.1 Warning Banners for Standard Login Services
+###############################################
+
+# 8.1 Set Warning Banner for Standard Login Services (Scored)
+
+# 8.2 Remove OS Information from Login Warning Banners (Scored)
+
+# 8.3 Set GNOME Warning Banner (Not Scored)
+
+
+###############################################
+# 9 System Maintenance
+###############################################
+
+###############################################
+# 9.1 Verify System File Permissions
+###############################################
+
+# 9.1.1 Verify System File Permissions (Not Scored)
+
+# 9.1.2 Verify Permissions on /etc/passwd (Scored)
+
+# 9.1.3 Verify Permissions on /etc/shadow (Scored)
+
+# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
+
+# 9.1.5 Verify Permissions on /etc/group (Scored)
+
+# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
+
+# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
+
+# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
+
+# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
+
+# 9.1.10 Find World Writable Files (Not Scored)
+
+# 9.1.11 Find Un-owned Files and Directories (Scored)
+
+# 9.1.12 Find Un-grouped Files and Directories (Scored)
+
+# 9.1.13 Find SUID System Executables (Not Scored)
+
+# 9.1.14 Find SGID System Executables (Not Scored)
+
+
+###############################################
+# 9.2 Review User and Group Settings
+###############################################
+
+# 9.2.1 Ensure Password Fields are Not Empty (Scored)
+
+# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+
+# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+
+# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+
+# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+[CIS - RHEL6 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL6} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+# 9.2.6 Ensure root PATH Integrity (Scored)
+
+# 9.2.7 Check Permissions on User Home Directories (Scored)
+
+# 9.2.8 Check User Dot File Permissions (Scored)
+
+# 9.2.9 Check Permissions on User .netrc Files (Scored)
+
+# 9.2.10 Check for Presence of User .rhosts Files (Scored)
+
+# 9.2.11 Check Groups in /etc/passwd (Scored)
+
+# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
+
+# 9.2.13 Check User Home Directory Ownership (Scored)
+
+# 9.2.14 Check for Duplicate UIDs (Scored)
+
+# 9.2.15 Check for Duplicate GIDs (Scored)
+
+# 9.2.16 Check for Duplicate User Names (Scored)
+
+# 9.2.17 Check for Duplicate Group Names (Scored)
+
+# 9.2.18 Check for Presence of User .netrc Files (Scored)
+
+# 9.2.19 Check for Presence of User .forward Files (Scored)
+
+
+# Other/Legacy Tests
+[CIS - RHEL6 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - RHEL6 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+[CIS - RHEL6 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+[CIS - RHEL6 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - RHEL6 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - RHEL6 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - RHEL6 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
diff --git a/etc/ruleset/rootcheck/cis_rhel7_linux_rcl.txt b/etc/ruleset/rootcheck/cis_rhel7_linux_rcl.txt
new file mode 100644
index 0000000000..3d2199255c
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_rhel7_linux_rcl.txt
@@ -0,0 +1,820 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for Red Hat / CentOS 7
+# Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0
+
+# Vars
+$sshd_file=/etc/ssh/sshd_config;
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;
+f:/etc/redhat-release -> r:^CentOS && r:release 7;
+f:/etc/redhat-release -> r:^Cloud && r:release 7;
+f:/etc/redhat-release -> r:^Oracle && r:release 7;
+f:/etc/redhat-release -> r:^Better && r:release 7;
+f:/etc/redhat-release -> r:^OpenVZ && r:release 7;
+
+# 1.1.1 /tmp: partition
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+# 1.1.2 /tmp: nodev
+[CIS - RHEL7 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 1.1.3 /tmp: nosuid
+[CIS - RHEL7 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
+
+# 1.1.4 /tmp: noexec
+[CIS - RHEL7 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec;
+
+# 1.1.5 Build considerations - Partition scheme.
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r^# && !r:/var;
+
+# 1.1.6 bind mount /var/tmp to /tmp
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && !r:/var/tmp;
+
+# 1.1.7 /var/log: partition
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && !r:/var/log;
+
+# 1.1.8 /var/log/audit: partition
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && !r:/var/log/audit;
+
+# 1.1.9 /home: partition
+[CIS - RHEL7 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && !r:/home;
+
+# 1.1.10 /home: nodev
+[CIS - RHEL7 - 1.1.10 -  Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
+
+# 1.1.11 nodev on removable media partitions (not scored)
+[CIS - RHEL7 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+# 1.1.12 noexec on removable media partitions (not scored)
+[CIS - RHEL7 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
+
+# 1.1.13 nosuid on removable media partitions (not scored)
+[CIS - RHEL7 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+# 1.1.14 /dev/shm: nodev
+[CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
+
+# 1.1.15 /dev/shm: nosuid
+[CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
+
+# 1.1.16 /dev/shm: noexec
+[CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+
+# 1.1.17 sticky bit on world writable directories (Scored)
+# TODO
+
+# 1.1.18 disable cramfs (not scored)
+
+# 1.1.19 disable freevxfs (not scored)
+
+# 1.1.20 disable jffs2 (not scored)
+
+# 1.1.21 disable hfs (not scored)
+
+# 1.1.22 disable hfsplus (not scored)
+
+# 1.1.23 disable squashfs (not scored)
+
+# 1.1.24 disable udf (not scored)
+
+
+##########################################
+# 1.2 Software Updates
+##########################################
+
+# 1.2.1 Configure rhn updates (not scored)
+
+# 1.2.2 verify  RPM gpg keys  (Scored)
+# TODO
+
+# 1.2.3 verify gpgcheck enabled (Scored)
+# TODO
+
+# 1.2.4 Disable rhnsd (not scored)
+
+# 1.2.5 Obtain Software Package Updates with yum (Not Scored)
+
+# 1.2.6 Obtain updates with yum (not scored)
+
+
+###############################################
+# 1.3 Advanced Intrusion Detection Environment
+###############################################
+#
+# Skipped, this control is obsoleted by OSSEC
+#
+
+###############################################
+# 1.4 Configure SELinux
+###############################################
+
+# 1.4.1 enable selinux in /etc/grub.conf
+[CIS - RHEL7 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/grub.conf -> r:selinux=0;
+f:/etc/grub2.cfg -> r:selinux=0;
+
+# 1.4.2 Set selinux state
+[CIS - RHEL7 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/selinux/config -> !r:SELINUX=enforcing;
+
+# 1.4.3 Set seliux policy
+[CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;
+
+# 1.4.4 Remove SETroubleshoot
+[CIS - RHEL7 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsetroubleshoot$;
+f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert;
+
+# 1.4.5 Disable MCS Translation service mcstrans
+[CIS - RHEL7 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dmctrans$;
+f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd;
+
+# 1.4.6 Check for unconfined daemons
+# TODO
+
+
+###############################################
+# 1.5  Secure Boot Settings
+###############################################
+
+# 1.5.1 Set User/Group Owner on /etc/grub.conf
+# TODO (no mode tests)
+# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
+
+# 1.5.2 Set Permissions on /etc/grub.conf (Scored)
+# TODO (no mode tests)
+#  stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
+
+# 1.5.3 Set Boot Loader Password (Scored)
+[CIS - RHEL7 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
+
+
+
+###############################################
+# 1.6  Additional Process Hardening
+###############################################
+
+# 1.6.1 Restrict Core Dumps (Scored)
+[CIS - RHEL7 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
+
+# 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored)
+# Note this is also labeled 1.6.1 in the CIS benchmark.
+[CIS - RHEL7 - 1.6.1 - Randomized Virtual Memory Region Placement not enabled  {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/kernel/randomize_va_space -> !r:^2$;
+
+
+###############################################
+# 1.7  Use the Latest OS Release  (Not Scored)
+###############################################
+
+
+###############################################
+# 2 OS Services
+###############################################
+
+###############################################
+# 2.1 Remove Legacy Services
+###############################################
+
+# 2.1.1 Remove telnet-server (Scored)
+# TODO: detect it is installed at all
+[CIS - RHEL7 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
+
+
+# 2.1.2 Remove telnet Clients (Scored)
+# TODO
+
+# 2.1.3 Remove rsh-server (Scored)
+[CIS - RHEL7 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
+# TODO (finish this)
+f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
+f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
+f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
+
+# 2.1.4 Remove rsh (Scored)
+# TODO
+
+# 2.1.5 Remove NIS Client (Scored)
+[CIS - RHEL7 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
+
+# 2.1.6 Remove NIS Server (Scored)
+[CIS - RHEL7 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypserv$;
+f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
+
+# 2.1.7 Remove tftp (Scored)
+# TODO
+
+# 2.1.8 Remove tftp-server (Scored)
+[CIS - RHEL7 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/tftp.service -> r:Exec;
+
+# 2.1.9 Remove talk (Scored)
+# TODO
+
+# 2.1.10 Remove talk-server (Scored)
+[CIS - RHEL7 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
+
+# 2.1.11 Remove xinetd (Scored)
+[CIS - RHEL7 - 2.1.11 -  xinetd detected {CIS: 2.1.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
+
+# 2.1.12 Disable chargen-dgram (Scored)
+[CIS - RHEL7 - 2.1.12 -  chargen-dgram enabled on xinetd {CIS: 2.1.12 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no;
+
+# 2.1.13 Disable chargen-stream (Scored)
+[CIS - RHEL7 - 2.1.13 -  chargen-stream enabled on xinetd {CIS: 2.1.13 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no;
+
+# 2.1.14 Disable daytime-dgram (Scored)
+[CIS - RHEL7 - 2.1.14 -  daytime-dgram enabled on xinetd {CIS: 2.1.14 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no;
+
+# 2.1.15 Disable daytime-stream (Scored)
+[CIS - RHEL7 - 2.1.15 -  daytime-stream enabled on xinetd {CIS: 2.1.15 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no;
+
+
+# 2.1.16 Disable echo-dgram (Scored)
+[CIS - RHEL7 - 2.1.16 -  echo-dgram enabled on xinetd {CIS: 2.1.16 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no;
+
+# 2.1.17 Disable echo-stream (Scored)
+[CIS - RHEL7 - 2.1.17 -  echo-stream enabled on xinetd {CIS: 2.1.17 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no;
+
+# 2.1.18 Disable tcpmux-server (Scored)
+[CIS - RHEL7 - 2.1.18 -  tcpmux-server enabled on xinetd {CIS: 2.1.18 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/tcpmux-server -> !r:^# && r:disable && r:no;
+
+
+###############################################
+# 3 Special Purpose Services
+###############################################
+
+# 3.1 Set Daemon umask (Scored)
+[CIS - RHEL7 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL7} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/sysconfig/init -> !r:^# && r:^umask && <:umask 027;
+
+# 3.2 Remove X Windows (Scored)
+[CIS - RHEL7 - 3.2 - X11 not disabled {CIS: 3.2 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+p:gdm-x-session;
+
+# 3.3 Disable Avahi Server (Scored)
+[CIS - RHEL7 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+p:avahi-daemon;
+
+# 3.4 Disable Print Server - CUPS (Not Scored)
+
+# 3.5 Remove DHCP Server (Scored)
+[CIS - RHEL7 - 3.5 - DHCPnot disabled {CIS: 3.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
+
+# 3.6 Configure Network Time Protocol (NTP) (Scored)
+[CIS - RHEL7 - 3.6 - NTPD not Configured {CIS: 3.6 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
+f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
+
+# 3.7 Remove LDAP (Not Scored)
+
+# 3.8 Disable NFS and RPC (Not Scored)
+[CIS - RHEL7 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+# 3.9 Remove DNS Server (Not Scored)
+# TODO
+
+# 3.10 Remove FTP Server (Not Scored)
+[CIS - RHEL7 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
+
+# 3.11 Remove HTTP Server (Not Scored)
+[CIS - RHEL7 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dhttpd$;
+
+# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+[CIS - RHEL7 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
+
+[CIS - RHEL7 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
+
+# 3.13 Remove Samba (Not Scored)
+[CIS - RHEL7 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+# 3.14 Remove HTTP Proxy Server (Not Scored)
+[CIS - RHEL7 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+# 3.15 Remove SNMP Server (Not Scored)
+[CIS - RHEL7 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+# 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# TODO
+
+
+###############################################
+# 4 Network Configuration and Firewalls
+###############################################
+
+###############################################
+# 4.1 Modify Network Parameters (Host Only)
+###############################################
+
+# 4.1.1 Disable IP Forwarding (Scored)
+[CIS - RHEL7 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+# 4.1.2 Disable Send Packet Redirects (Scored)
+[CIS - RHEL7 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;
+
+
+###############################################
+# 4.2 Modify Network Parameters (Host and Router)
+###############################################
+
+# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
+[CIS - RHEL7 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
+[CIS - RHEL7 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
+
+# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+[CIS - RHEL7 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
+
+# 4.2.4 Log Suspicious Packets (Scored)
+[CIS - RHEL7 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
+
+# 4.2.5 Enable Ignore Broadcast Requests (Scored)
+[CIS - RHEL7 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+# 4.2.6 Enable Bad Error Message Protection (Scored)
+[CIS - RHEL7 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
+
+# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
+[CIS - RHEL7 - 4.2.7 - Network parameters - RFC Source route validation not enabled  {CIS: 4.2.7 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
+f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
+
+# 4.2.8 Enable TCP SYN Cookies (Scored)
+[CIS - RHEL7 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
+
+
+###############################################
+# 4.3 Wireless Networking
+###############################################
+
+# 4.3.1 Deactivate Wireless Interfaces (Not Scored)
+
+
+###############################################
+# 4.4 Disable ipv6
+###############################################
+
+###############################################
+# 4.4.1 Configure IPv6
+###############################################
+
+# 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
+
+# 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
+
+# 4.4.2 Disable IPv6 (Not Scored)
+
+
+###############################################
+# 4.5 Install TCP Wrappers
+###############################################
+
+# 4.5.1 Install TCP Wrappers (Not Scored)
+
+# 4.5.2 Create /etc/hosts.allow (Not Scored)
+
+# 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
+# TODO
+
+# 4.5.4 Create /etc/hosts.deny (Not Scored)
+
+# 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
+# TODO
+
+
+###############################################
+# 4.6 Uncommon Network Protocols
+###############################################
+
+# 4.6.1 Disable DCCP (Not Scored)
+
+# 4.6.2 Disable SCTP (Not Scored)
+
+# 4.6.3 Disable RDS (Not Scored)
+
+# 4.6.4 Disable TIPC (Not Scored)
+
+# 4.7 Enable IPtables (Scored)
+#[CIS - RHEL7 - 4.7 - Uncommon Network Protocols - Firewalld not enabled {CIS: 4.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+#f:/usr/lib/systemd/system/firewalld.service -> TODO;
+
+
+###############################################
+# 5 Logging and Auditing
+###############################################
+
+###############################################
+# 5.1 Configure Syslog
+###############################################
+
+# 5.1.1 Install the rsyslog package (Scored)
+# TODO
+
+# 5.1.2 Activate the rsyslog Service (Scored)
+# TODO
+
+# 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
+
+# 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
+
+# 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
+
+# 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+
+
+###############################################
+# 5.2 Configure System Accounting (auditd)
+###############################################
+
+###############################################
+# 5.2.1 Configure Data Retention
+###############################################
+
+# 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
+
+# 5.2.1.2 Disable System on Audit Log Full (Not Scored)
+
+# 5.2.1.3 Keep All Auditing Information (Scored)
+
+# 5.2.2 Enable auditd Service (Scored)
+
+# 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+
+# 5.2.4 Record Events That Modify Date and Time Information (Scored)
+
+# 5.2.5 Record Events That Modify User/Group Information (Scored)
+
+# 5.2.6 Record Events That Modify the System’s Network Environment (Scored)
+
+# 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
+
+# 5.2.8 Collect Login and Logout Events (Scored)
+
+# 5.2.9 Collect Session Initiation Information (Scored)
+
+# 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+
+# 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+
+# 5.2.12 Collect Use of Privileged Commands (Scored)
+
+# 5.2.13 Collect Successful File System Mounts (Scored)
+
+# 5.2.14 Collect File Deletion Events by User (Scored)
+
+# 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+
+# 5.2.16 Collect System Administrator Actions (sudolog) (Scored)
+
+# 5.2.17 Collect Kernel Module Loading and Unloading (Scored)
+
+# 5.2.18 Make the Audit Configuration Immutable (Scored)
+
+# 5.3 Configure logrotate (Not Scored)
+
+
+###############################################
+# 6 System Access, Authentication and Authorization
+###############################################
+
+###############################################
+# 6.1 Configure cron and anacron
+###############################################
+
+# 6.1.1 Enable anacron Daemon (Scored)
+
+# 6.1.2 Enable cron Daemon (Scored)
+
+# 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
+
+# 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
+
+# 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+
+# 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+
+# 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+
+# 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+
+# 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+
+# 6.1.10 Restrict at Daemon (Scored)
+
+# 6.1.11 Restrict at/cron to Authorized Users (Scored)
+
+###############################################
+# 6.2 Configure SSH
+###############################################
+
+# 6.2.1 Set SSH Protocol to 2 (Scored)
+[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+# 6.2.2 Set LogLevel to INFO (Scored)
+[CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
+
+# 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+# TODO
+
+# 6.2.4 Disable SSH X11 Forwarding (Scored)
+# TODO
+
+# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+[CIS - RHEL7 - 6.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less  {CIS - RHEL7 - 6.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;
+
+# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+[CIS - RHEL7 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
+[CIS - RHEL7 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+# 6.2.8 Disable SSH Root Login (Scored)
+[CIS - RHEL7 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;
+
+# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+[CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;
+
+# 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
+
+# 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
+
+# 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
+
+# 6.2.13 Limit Access via SSH (Scored)
+
+# 6.2.14 Set SSH Banner (Scored)
+
+
+###############################################
+# 6.3 Configure PAM
+###############################################
+
+# 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
+# authconfig --test | grep hashing | grep sha512
+
+# 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+
+# 6.3.3 Set Lockout for Failed Password Attempts (Not Scored)
+
+# 6.3.4 Limit Password Reuse (Scored)
+
+
+# 6.4 Restrict root Login to System Console (Not Scored)
+
+# 6.5 Restrict Access to the su Command (Scored)
+
+
+###############################################
+# 7 User Accounts and Environment
+###############################################
+
+###############################################
+# 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
+###############################################
+
+# 7.1.1 Set Password Expiration Days (Scored)
+
+# 7.1.2 Set Password Change Minimum Number of Days (Scored)
+
+# 7.1.3 Set Password Expiring Warning Days (Scored)
+
+# 7.2 Disable System Accounts (Scored)
+
+# 7.3 Set Default Group for root Account (Scored)
+
+# 7.4 Set Default umask for Users (Scored)
+
+# 7.5 Lock Inactive User Accounts (Scored)
+
+
+###############################################
+# 8 Warning Banners
+###############################################
+
+###############################################
+# 8.1 Warning Banners for Standard Login Services
+###############################################
+
+# 8.1 Set Warning Banner for Standard Login Services (Scored)
+
+# 8.2 Remove OS Information from Login Warning Banners (Scored)
+
+# 8.3 Set GNOME Warning Banner (Not Scored)
+
+
+###############################################
+# 9 System Maintenance
+###############################################
+
+###############################################
+# 9.1 Verify System File Permissions
+###############################################
+
+# 9.1.1 Verify System File Permissions (Not Scored)
+
+# 9.1.2 Verify Permissions on /etc/passwd (Scored)
+
+# 9.1.3 Verify Permissions on /etc/shadow (Scored)
+
+# 9.1.4 Verify Permissions on /etc/gshadow (Scored)
+
+# 9.1.5 Verify Permissions on /etc/group (Scored)
+
+# 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
+
+# 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
+
+# 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
+
+# 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
+
+# 9.1.10 Find World Writable Files (Not Scored)
+
+# 9.1.11 Find Un-owned Files and Directories (Scored)
+
+# 9.1.12 Find Un-grouped Files and Directories (Scored)
+
+# 9.1.13 Find SUID System Executables (Not Scored)
+
+# 9.1.14 Find SGID System Executables (Not Scored)
+
+
+###############################################
+# 9.2 Review User and Group Settings
+###############################################
+
+# 9.2.1 Ensure Password Fields are Not Empty (Scored)
+
+# 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+
+# 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+
+# 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+
+# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+[CIS - RHEL7 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL7} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+# 9.2.6 Ensure root PATH Integrity (Scored)
+
+# 9.2.7 Check Permissions on User Home Directories (Scored)
+
+# 9.2.8 Check User Dot File Permissions (Scored)
+
+# 9.2.9 Check Permissions on User .netrc Files (Scored)
+
+# 9.2.10 Check for Presence of User .rhosts Files (Scored)
+
+# 9.2.11 Check Groups in /etc/passwd (Scored)
+
+# 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
+
+# 9.2.13 Check User Home Directory Ownership (Scored)
+
+# 9.2.14 Check for Duplicate UIDs (Scored)
+
+# 9.2.15 Check for Duplicate GIDs (Scored)
+
+# 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts  (Scored)
+
+# 9.2.17 Check for Duplicate User Names (Scored)
+
+# 9.2.18 Check for Duplicate Group Names (Scored)
+
+# 9.2.19 Check for Presence of User .netrc Files (Scored)
+
+# 9.2.20 Check for Presence of User .forward Files (Scored)
+
+
+# Other/Legacy Tests
+[CIS - RHEL7 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - RHEL7 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+[CIS - RHEL7 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+[CIS - RHEL7 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - RHEL7 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - RHEL7 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - RHEL7 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
diff --git a/etc/ruleset/rootcheck/cis_rhel_linux_rcl.txt b/etc/ruleset/rootcheck/cis_rhel_linux_rcl.txt
new file mode 100644
index 0000000000..4574c1402f
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_rhel_linux_rcl.txt
@@ -0,0 +1,288 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for Red Hat (RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4 and 5).
+# Based on CIS Benchmark for Red Hat Enterprise Linux v1.0.5
+
+
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+
+# Main one. Only valid for Red Hat/Fedora.
+[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4;
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3;
+f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1;
+f:/etc/fedora-release -> r:^Fedora && r:release 1;
+f:/etc/fedora-release -> r:^Fedora && r:release 2;
+f:/etc/fedora-release -> r:^Fedora && r:release 3;
+f:/etc/fedora-release -> r:^Fedora && r:release 4;
+f:/etc/fedora-release -> r:^Fedora && r:release 5;
+
+
+# Build considerations - Partition scheme.
+[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /var is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:/var;
+
+[CIS - Red Hat Linux - - Build considerations - Robust partition scheme - /home is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:/home;
+
+
+# Section 1.3 - SSH configuration
+[CIS - Red Hat Linux - 1.3 - SSH Configuration - Protocol version 1 enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+[CIS - Red Hat Linux - 1.3 - SSH Configuration - IgnoreRHosts disabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+[CIS - Red Hat Linux - 1.3 - SSH Configuration - Empty passwords permitted {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
+
+[CIS - Red Hat Linux - 1.3 - SSH Configuration - Host based authentication enabled {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+[CIS - Red Hat Linux - 1.3 - SSH Configuration - Root login allowed {CIS: 1.3 Red Hat Linux} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
+
+
+# Section 1.4 Enable system accounting
+#[CIS - Red Hat Linux - 1.4 - System Accounting - Sysstat not installed] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+#f:!/var/log/sa;
+
+
+# Section 2.5 Install and run Bastille
+#[CIS - Red Hat Linux - 1.5 - System harderning - Bastille is not installed] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+#f:!/etc/Bastille;
+
+
+# Section 2 - Minimize xinetd services
+[CIS - Red Hat Linux - 2.3 - Telnet enabled on xinetd {CIS: 2.3 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/telnet -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.4 - VSFTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/vsftpd -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.4 - WU-FTP enabled on xinetd {CIS: 2.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/wu-ftpd -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.5 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.5 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.c/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.c/shell -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.6 - tftpd enabled on xinetd {CIS: 2.6 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/tftpd -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.7 - imap enabled on xinetd {CIS: 2.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/imap -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.c/imaps -> !r:^# && r:disable && r:no;
+
+[CIS - Red Hat Linux - 2.8 - pop3 enabled on xinetd {CIS: 2.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/xinetd.c/ipop3 -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.c/pop3s -> !r:^# && r:disable && r:no;
+
+
+# Section 3 - Minimize boot services
+[CIS - Red Hat Linux - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 Red Hat Linux}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/init.d/functions -> !r:^# && r:^umask && >:umask 027;
+
+[CIS - Red Hat Linux - 3.4 - GUI login enabled {CIS: 3.4 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/inittab -> !r:^# && r:id:5;
+
+[CIS - Red Hat Linux - 3.7 - Disable standard boot services - Samba Enabled {CIS: 3.7 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+[CIS - Red Hat Linux - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+[CIS - Red Hat Linux - 3.10 - Disable standard boot services - NIS Enabled {CIS: 3.10 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+d:$rc_dirs -> ^S\d\dypserv$;
+
+[CIS - Red Hat Linux - 3.13 - Disable standard boot services - NetFS Enabled {CIS: 3.13 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
+
+[CIS - Red Hat Linux - 3.15 - Disable standard boot services - Apache web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dapache$;
+d:$rc_dirs -> ^S\d\dhttpd$;
+
+[CIS - Red Hat Linux - 3.15 - Disable standard boot services - TUX web server Enabled {CIS: 3.15 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dtux$;
+
+[CIS - Red Hat Linux - 3.16 - Disable standard boot services - SNMPD process Enabled {CIS: 3.16 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+[CIS - Red Hat Linux - 3.17 - Disable standard boot services - DNS server Enabled {CIS: 3.17 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - Red Hat Linux - 3.18 - Disable standard boot services - MySQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - Red Hat Linux - 3.18 - Disable standard boot services - PostgreSQL server Enabled {CIS: 3.18 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - Red Hat Linux - 3.19 - Disable standard boot services - Webmin Enabled {CIS: 3.19 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dwebmin$;
+
+[CIS - Red Hat Linux - 3.20 - Disable standard boot services - Squid Enabled {CIS: 3.20 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+[CIS - Red Hat Linux - 3.21 - Disable standard boot services - Kudzu hardware detection Enabled {CIS: 3.21 Red Hat Linux} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+
+# Section 4 - Kernel tuning
+[CIS - Red Hat Linux - 4.1 - Network parameters - Source routing accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+[CIS - Red Hat Linux - 4.1 - Network parameters - ICMP broadcasts accepted {CIS: 4.1 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+[CIS - Red Hat Linux - 4.2 - Network parameters - IP Forwarding enabled {CIS: 4.2 Red Hat Linux}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+
+# Section 6 - Permissions
+[CIS - Red Hat Linux - 6.1 - Partition /var without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var && !r:nodev;
+
+[CIS - Red Hat Linux - 6.1 - Partition /tmp without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && !r:nodev;
+
+[CIS - Red Hat Linux - 6.1 - Partition /opt without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/opt && !r:nodev;
+
+[CIS - Red Hat Linux - 6.1 - Partition /home without 'nodev' set {CIS: 6.1 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && !r:nodev ;
+
+[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nodev' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+[CIS - Red Hat Linux - 6.2 - Removable partition /media without 'nosuid' set {CIS: 6.2 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+[CIS - Red Hat Linux - 6.3 - User-mounted removable partition allowed on the console {CIS: 6.3 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+
+# Section 7 - Access and authentication
+[CIS - Red Hat Linux - 7.8 - LILO Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/lilo.conf -> !r:^# && !r:restricted;
+f:/etc/lilo.conf -> !r:^# && !r:password=;
+
+[CIS - Red Hat Linux - 7.8 - GRUB Password not set {CIS: 7.8 Red Hat Linux} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/boot/grub/menu.lst -> !r:^# && !r:password;
+
+[CIS - Red Hat Linux - 8.2 - Account with empty password present {CIS: 8.2 Red Hat Linux} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - Red Hat Linux - SN.11 - Non-root account with uid 0 {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+
+# Tests specific for VMware ESX - Runs on Red Hat Linux -
+# Will not be tested anywhere else.
+[VMware ESX - Testing against the Security Harderning benchmark VI3 for ESX 3.5] [any required] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+f:/etc/vmware-release -> r:^VMware ESX;
+
+
+# Virtual Machine Files and Settings - 1
+# 1.1
+[VMware ESX - VM settings - Copy operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.copy.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.copy.disable && r:false;
+
+# 1.2
+[VMware ESX - VM settings - Paste operation between guest and console enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.paste.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.paste.disable && r:false;
+
+# 1.3
+[VMware ESX - VM settings - GUI Options enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setGUIOptions.enable && r:true;
+
+# 1.4
+[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Rotate size not 100KB] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^log.rotateSize;
+d:/vmfs/volumes -> .vmx$ -> r:^log.rotateSize && !r:"100000";
+
+# 1.5
+[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Maximum number of logs not 10] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^log.keepOld;
+d:/vmfs/volumes -> .vmx$ -> r:^log.keepOld && r:"10";
+
+# 1.6
+[VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - Guests allowed to write SetInfo data to config] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.setinfo.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.setinfo.disable && r:false;
+
+# 1.7
+[VMware ESX - VM settings - Nonpersistent Disks being used] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> r:^scsi\d:\d.mode && r:!independent-nonpersistent;
+
+# 1.8
+[VMware ESX - VM settings - Floppy drive present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> r:^floppy\d+.present && r:!false;
+
+[VMware ESX - VM settings - Serial port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> r:^serial\d+.present && r:!false;
+
+[VMware ESX - VM settings - Parallel port present] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> r:^parallel\d+.present && r:!false;
+
+# 1.9
+[VMware ESX - VM settings - Unauthorized Removal or Connection of Devices allowed] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^Isolation.tools.connectable.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^Isolation.tools.connectable.disable && r:false;
+
+# 1.10
+[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskWiper enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskWiper.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskWiper.disable && r:false;
+
+[VMware ESX - VM settings - Avoid Denial of Service Caused by Virtual Disk Modification Operations - diskShrink enabled] [any] [http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf]
+d:/vmfs/volumes -> .vmx$ -> !r:^isolation.tools.diskShrink.disable;
+d:/vmfs/volumes -> .vmx$ -> r:^isolation.tools.diskShrink.disable && r:false;
+
+
+# Configuring the Service Console in ESX 3.5 - 2
+# 2.1
diff --git a/etc/ruleset/rootcheck/cis_sles11_linux_rcl.txt b/etc/ruleset/rootcheck/cis_sles11_linux_rcl.txt
new file mode 100644
index 0000000000..8ded004454
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_sles11_linux_rcl.txt
@@ -0,0 +1,731 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for SUSE SLES 11
+# Based on CIS Benchmark for SUSE Linux Enterprise Server 11 v1.1.0
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+[CIS - Testing against the CIS SUSE Linux Enterprise Server 11 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4";
+
+# 2.1 /tmp: partition
+[CIS - SLES11 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+# 2.2 /tmp: nodev
+[CIS - SLES11 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 2.3 /tmp: nosuid
+[CIS - SLES11 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
+
+# 2.4 /tmp: noexec
+[CIS - SLES11 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 2.5 Build considerations - Partition scheme.
+[CIS - SLES11 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r^# && !r:/var;
+
+# 2.6 bind mount /var/tmp to /tmp
+[CIS - SLES11 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
+
+# 2.7 /var/log: partition
+[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log;
+
+# 2.8 /var/log/audit: partition
+[CIS - SLES11 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log/audit;
+
+# 2.9 /home: partition
+[CIS - SLES11 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> ^# && !r:/home;
+
+# 2.10 /home: nodev
+[CIS - SLES11 - 2.10 -  Partition /home without 'nodev' set {CIS: 2.10 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
+
+# 2.11 nodev on removable media partitions (not scored)
+[CIS - SLES11 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+# 2.12 noexec on removable media partitions (not scored)
+[CIS - SLES11 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
+
+# 2.13 nosuid on removable media partitions (not scored)
+[CIS - SLES11 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+# 2.14 /dev/shm: nodev
+[CIS - SLES11 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
+
+# 2.15 /dev/shm: nosuid
+[CIS - SLES11 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
+
+# 2.16 /dev/shm: noexec
+[CIS - SLES11 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+
+# 2.17 sticky bit on world writable directories (Scored)
+# TODO
+
+# 2.18 disable cramfs (not scored)
+
+# 2.19 disable freevxfs (not scored)
+
+# 2.20 disable jffs2 (not scored)
+
+# 2.21 disable hfs (not scored)
+
+# 2.22 disable hfsplus (not scored)
+
+# 2.23 disable squashfs (not scored)
+
+# 2.24 disable udf (not scored)
+
+# 2.25 disable automounting (Scored)
+# TODO
+
+###############################################
+# 3  Secure Boot Settings
+###############################################
+
+# 3.1 Set User/Group Owner on /etc/grub.conf
+# TODO (no mode tests)
+# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
+
+# 3.2 Set Permissions on /etc/grub.conf (Scored)
+# TODO (no mode tests)
+#  stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
+
+# 3.3 Set Boot Loader Password (Scored)
+[CIS - SLES11 - 3.3 - GRUB Password not set {CIS: 3.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
+
+# 3.4 Require Authentication for Single-User Mode (Scored)
+
+# 3.5 Disable Interactive Boot (Scored)
+
+###############################################
+# 4  Additional Process Hardening
+###############################################
+
+# 4.1 Restrict Core Dumps (Scored)
+[CIS - SLES11 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
+
+# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+# TODO
+
+# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+[CIS - SLES11 - 4.3 - Randomized Virtual Memory Region Placement not enabled  {CIS: 4.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/kernel/randomize_va_space -> 2;
+
+# 4.4 Disable Prelink (Scored)
+# TODO
+
+# 4.5 Activate AppArmor (Scored)
+# TODO
+
+###############################################
+# 5 OS Services
+###############################################
+
+###############################################
+# 5.1 Remove Legacy Services
+###############################################
+
+# 5.1.1 Remove NIS Server (Scored)
+[CIS - SLES11 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypserv$;
+
+# 5.1.2 Remove NIS Client (Scored)
+[CIS - SLES11 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+
+# 5.1.3 Remove rsh-server (Scored)
+[CIS - SLES11 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
+
+# 5.1.4 Remove rsh client (Scored)
+# TODO
+
+# 5.1.5 Remove talk-server (Scored)
+[CIS - SLES11 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
+
+# 5.1.6 Remove talk client (Scored)
+# TODO
+
+# 5.1.7 Remove telnet-server (Scored)
+# TODO: detect it is installed at all
+[CIS - SLES11 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
+
+# 5.1.8 Remove tftp-server (Scored)
+[CIS - SLES11 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES11} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
+
+# 5.1.9 Remove xinetd (Scored)
+[CIS - SLES11 - 5.1.9 -  xinetd detected {CIS: 5.1.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+
+# 5.2 Disable chargen-udp (Scored)
+[CIS - SLES11 - 5.2 -  chargen-udp enabled on xinetd {CIS: 5.2 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no;
+
+# 5.3 Disable chargen (Scored)
+[CIS - SLES11 - 5.3 -  chargen enabled on xinetd {CIS: 5.3 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no;
+
+# 5.4 Disable daytime-udp (Scored)
+[CIS - SLES11 - 5.4 -  daytime-udp enabled on xinetd {CIS: 5.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no;
+
+# 5.5 Disable daytime (Scored)
+[CIS - SLES11 - 5.5 -  daytime enabled on xinetd {CIS: 5.5 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no;
+
+
+# 5.6 Disable echo-udp (Scored)
+[CIS - SLES11 - 5.6 -  echo-udp enabled on xinetd {CIS: 5.6 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no;
+
+# 5.7 Disable echo (Scored)
+[CIS - SLES11 - 5.7 -  echo enabled on xinetd {CIS: 5.7 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no;
+
+# 5.8 Disable discard-udp (Scored)
+[CIS - SLES11 - 5.8 -  discard-udp enabled on xinetd {CIS: 5.8 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no;
+
+# 5.9 Disable discard (Scored)
+[CIS - SLES11 - 5.9 -  discard enabled on xinetd {CIS: 5.9 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no;
+
+# 5.10 Disable time-udp (Scored)
+[CIS - SLES11 - 5.10 -  time-udp enabled on xinetd {CIS: 5.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no;
+
+# 5.11 Disable time (Scored)
+[CIS - SLES11 - 5.11 -  time enabled on xinetd {CIS: 5.11 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no;
+
+###############################################
+# 6 Special Purpose Services
+###############################################
+
+# 6.1 Remove X Windows (Scored)
+[CIS - SLES11 - 6.1 - X11 not disabled {CIS: 6.1 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/inittab -> !r:^# && r:id:5;
+
+# 6.2 Disable Avahi Server (Scored)
+[CIS - SLES11 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+p:avahi-daemon;
+
+# 6.3 Disable Print Server - CUPS (Not Scored)
+#TODO
+
+# 6.4 Remove DHCP Server (Scored)
+#[CIS - SLES11 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dhcpd$;
+d:$rc_dirs -> ^S\d\dhcpd6$;
+
+# 6.5 Configure Network Time Protocol (NTP) (Scored)
+#TODO Chrony
+[CIS - SLES11 - 6.5 - NTPD not Configured {CIS: 6.5 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
+f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
+
+# 6.6 Remove LDAP (Not Scored)
+#TODO
+
+# 6.7 Disable NFS and RPC (Not Scored)
+[CIS - SLES11 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+# 6.8 Remove DNS Server (Not Scored)
+# TODO
+
+# 6.9 Remove FTP Server (Not Scored)
+[CIS - SLES11 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
+
+# 6.10 Remove HTTP Server (Not Scored)
+[CIS - SLES11 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES11}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dapache2$;
+
+# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+[CIS - SLES11 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
+
+[CIS - SLES11 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
+
+# 6.12 Remove Samba (Not Scored)
+[CIS - SLES11 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+# 6.13 Remove HTTP Proxy Server (Not Scored)
+[CIS - SLES11 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+# 6.14 Remove SNMP Server (Not Scored)
+[CIS - SLES11 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# TODO
+
+# 6.16 Ensure rsync service is not enabled (Scored)
+[CIS - SLES11 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES11} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\drsyncd$;
+
+# 6.17 Ensure Biosdevname is not enabled (Scored)
+# TODO
+
+###############################################
+# 7 Network Configuration and Firewalls
+###############################################
+
+###############################################
+# 7.1 Modify Network Parameters (Host Only)
+###############################################
+
+# 7.1.1 Disable IP Forwarding (Scored)
+[CIS - SLES11 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+# 7.1.2 Disable Send Packet Redirects (Scored)
+[CIS - SLES11 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
+f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
+
+###############################################
+# 7.2 Modify Network Parameters (Host and Router)
+###############################################
+
+# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+[CIS - SLES11 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+[CIS - SLES11 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
+
+# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+[CIS - SLES11 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
+
+# 7.2.4 Log Suspicious Packets (Scored)
+[CIS - SLES11 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
+
+# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+[CIS - SLES11 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+# 7.2.6 Enable Bad Error Message Protection (Scored)
+[CIS - SLES11 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
+
+# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+[CIS - SLES11 - 7.2.7 - Network parameters - RFC Source route validation not enabled  {CIS: 7.2.7 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
+f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
+
+# 7.2.8 Enable TCP SYN Cookies (Scored)
+[CIS - SLES11 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES11} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
+
+###############################################
+# 7.3 Configure IPv6
+###############################################
+
+# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+
+# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
+
+# 7.3.3 Disable IPv6 (Not Scored)
+
+###############################################
+# 7.4 Install TCP Wrappers
+###############################################
+
+# 7.4.1 Install TCP Wrappers (Not Scored)
+
+# 7.4.2 Create /etc/hosts.allow (Not Scored)
+
+# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
+# TODO
+
+# 7.4.4 Create /etc/hosts.deny (Not Scored)
+
+# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored)
+# TODO
+
+###############################################
+# 7.5 Uncommon Network Protocols
+###############################################
+
+# 7.5.1 Disable DCCP (Not Scored)
+
+# 7.5.2 Disable SCTP (Not Scored)
+
+# 7.5.3 Disable RDS (Not Scored)
+
+# 7.5.4 Disable TIPC (Not Scored)
+
+# 7.6 Deactivate Wireless Interfaces (Not Scored)
+
+# 7.7 Enable SuSEfirewall2 (Scored)
+
+# 7.8 Limit access to trusted networks (Not Scored)
+
+###############################################
+# 8 Logging and Auditing
+###############################################
+
+###############################################
+# 8.1 Configure System Accounting (auditd)
+###############################################
+
+###############################################
+# 8.1.1 Configure Data Retention
+###############################################
+
+# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
+
+# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
+
+# 8.1.1.3 Keep All Auditing Information (Scored)
+
+# 8.1.2 Enable auditd Service (Scored)
+
+# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+
+# 8.1.4 Record Events That Modify Date and Time Information (Scored)
+
+# 8.1.5 Record Events That Modify User/Group Information (Scored)
+
+# 8.1.6 Record Events That Modify the System’s Network Environment (Scored)
+
+# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
+
+# 8.1.8 Collect Login and Logout Events (Scored)
+
+# 8.1.9 Collect Session Initiation Information (Scored)
+
+# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+
+# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+
+# 8.1.12 Collect Use of Privileged Commands (Scored)
+
+# 8.1.13 Collect Successful File System Mounts (Scored)
+
+# 8.1.14 Collect File Deletion Events by User (Scored)
+
+# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+
+# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
+
+# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+
+# 8.1.18 Make the Audit Configuration Immutable (Scored)
+
+###############################################
+# 8.2 Configure rsyslog
+###############################################
+
+# 8.2.1 Install the rsyslog package (Scored)
+# TODO
+
+# 8.2.2 Activate the rsyslog Service (Scored)
+# TODO
+
+# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
+
+# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
+
+# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
+
+# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+
+###############################################
+# 8.3 Advanced Intrusion Detection Environment (AIDE)
+###############################################
+
+# 8.3.1 Install AIDE (Scored)
+
+# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+
+# 8.4 Configure logrotate (Not Scored)
+
+###############################################
+# 9 System Access, Authentication and Authorization
+###############################################
+
+###############################################
+# 9.1 Configure cron and anacron
+###############################################
+
+# 9.1.1 Enable cron Daemon (Scored)
+
+# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+
+# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+
+# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+
+# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+
+# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+
+# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+
+# 9.1.8 Restrict at/cron to Authorized Users (Scored)
+
+###############################################
+# 9.2 Configure SSH
+###############################################
+
+# 9.2.1 Set SSH Protocol to 2 (Scored)
+[CIS - SLES11 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+# 9.2.2 Set LogLevel to INFO (Scored)
+[CIS - SLES11 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
+
+# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+# TODO
+
+# 9.2.4 Disable SSH X11 Forwarding (Scored)
+# TODO
+
+# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+[ CIS - SLES11 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less  {CIS - SLES11 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;
+
+# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+[CIS - SLES11 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+# 9.2.7 Set SSH HostbasedAuthentication to No (Scored)
+[CIS - SLES11 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+# 9.2.8 Disable SSH Root Login (Scored)
+[CIS - SLES11 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;
+
+# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+[CIS - SLES11 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES11} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;
+
+# 9.2.10 Do Not Allow Users to Set Environment Options (Scored)
+
+# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
+
+# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored)
+
+# 9.2.13 Limit Access via SSH (Scored)
+
+# 9.2.14 Set SSH Banner (Scored)
+
+###############################################
+# 9.3 Configure PAM
+###############################################
+
+# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+
+# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored)
+
+# 9.3.3 Limit Password Reuse (Scored)
+
+# 9.4 Restrict root Login to System Console (Not Scored)
+
+# 9.5 Restrict Access to the su Command (Scored)
+
+###############################################
+# 10 User Accounts and Environment
+###############################################
+
+###############################################
+# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs)
+###############################################
+
+# 10.1.1 Set Password Expiration Days (Scored)
+
+# 10.1.2 Set Password Change Minimum Number of Days (Scored)
+
+# 10.1.3 Set Password Expiring Warning Days (Scored)
+
+# 10.2 Disable System Accounts (Scored)
+
+# 10.3 Set Default Group for root Account (Scored)
+
+# 10.4 Set Default umask for Users (Scored)
+
+# 10.5 Lock Inactive User Accounts (Scored)
+
+
+###############################################
+# 11 Warning Banners
+###############################################
+
+# 11.1 Set Warning Banner for Standard Login Services (Scored)
+
+# 11.2 Remove OS Information from Login Warning Banners (Scored)
+
+# 11.3 Set Graphical Warning Banner (Not Scored)
+
+###############################################
+# 12 Verify System File Permissions
+###############################################
+
+# 12.1 Verify System File Permissions (Not Scored)
+
+# 12.2 Verify Permissions on /etc/passwd (Scored)
+
+# 12.3 Verify Permissions on /etc/shadow (Scored)
+
+# 12.4 Verify Permissions on /etc/group (Scored)
+
+# 12.5 Verify User/Group Ownership on /etc/passwd (Scored)
+
+# 12.6 Verify User/Group Ownership on /etc/shadow (Scored)
+
+# 12.7 Verify User/Group Ownership on /etc/group (Scored)
+
+# 12.8 Find World Writable Files (Not Scored)
+
+# 12.9 Find Un-owned Files and Directories (Scored)
+
+# 12.10 Find Un-grouped Files and Directories (Scored)
+
+# 12.11 Find SUID System Executables (Not Scored)
+
+# 12.12 Find SGID System Executables (Not Scored)
+
+###############################################
+# 13 Review User and Group Settings
+###############################################
+
+# 13.1 Ensure Password Fields are Not Empty (Scored)
+
+# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+
+# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+
+# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+
+# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+[CIS - SLES11 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES11} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+# 13.6 Ensure root PATH Integrity (Scored)
+
+# 13.7 Check Permissions on User Home Directories (Scored)
+
+# 13.8 Check User Dot File Permissions (Scored)
+
+# 13.9 Check Permissions on User .netrc Files (Scored)
+
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+
+# 13.11 Check Groups in /etc/passwd (Scored)
+
+# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+
+# 13.13 Check User Home Directory Ownership (Scored)
+
+# 13.14 Check for Duplicate UIDs (Scored)
+
+# 13.15 Check for Duplicate GIDs (Scored)
+
+# 13.16 Check for Duplicate User Names (Scored)
+
+# 13.17 Check for Duplicate Group Names (Scored)
+
+# 13.18 Check for Presence of User .netrc Files (Scored)
+
+# 13.19 Check for Presence of User .forward Files (Scored)
+
+# 13.20 Ensure shadow group is empty (Scored)
+
+
+# Other/Legacy Tests
+[CIS - SLES11 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - SLES11 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+[CIS - SLES11 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+[CIS - SLES11 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - SLES11 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - SLES11 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - SLES11 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_11_Benchmark_v1.1.0.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
diff --git a/etc/ruleset/rootcheck/cis_sles12_linux_rcl.txt b/etc/ruleset/rootcheck/cis_sles12_linux_rcl.txt
new file mode 100644
index 0000000000..2d050201e2
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_sles12_linux_rcl.txt
@@ -0,0 +1,741 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2014
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+
+# CIS Checks for SUSE SLES 12
+# Based on CIS Benchmark for SUSE Linux Enterprise Server 12 v1.0.0
+
+# RC scripts location
+$rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
+
+
+[CIS - Testing against the CIS SUSE Linux Enterprise Server 12 Benchmark v1.0.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP3";
+f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4";
+
+# 2.1 /tmp: partition
+[CIS - SLES12 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:/tmp;
+
+# 2.2 /tmp: nodev
+[CIS - SLES12 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 2.3 /tmp: nosuid
+[CIS - SLES12 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
+
+# 2.4 /tmp: noexec
+[CIS - SLES12 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
+
+# 2.5 Build considerations - Partition scheme.
+[CIS - SLES12 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r^# && !r:/var;
+
+# 2.6 bind mount /var/tmp to /tmp
+[CIS - SLES12 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
+
+# 2.7 /var/log: partition
+[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log;
+
+# 2.8 /var/log/audit: partition
+[CIS - SLES12 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> ^# && !r:/var/log/audit;
+
+# 2.9 /home: partition
+[CIS - SLES12 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> ^# && !r:/home;
+
+# 2.10 /home: nodev
+[CIS - SLES12 - 2.10 -  Partition /home without 'nodev' set {CIS: 2.10 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
+
+# 2.11 nodev on removable media partitions (not scored)
+[CIS - SLES12 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
+
+# 2.12 noexec on removable media partitions (not scored)
+[CIS - SLES12 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
+
+# 2.13 nosuid on removable media partitions (not scored)
+[CIS - SLES12 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
+
+# 2.14 /dev/shm: nodev
+[CIS - SLES12 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
+
+# 2.15 /dev/shm: nosuid
+[CIS - SLES12 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
+
+# 2.16 /dev/shm: noexec
+[CIS - SLES12 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
+
+# 2.17 sticky bit on world writable directories (Scored)
+# TODO
+
+# 2.18 disable cramfs (not scored)
+
+# 2.19 disable freevxfs (not scored)
+
+# 2.20 disable jffs2 (not scored)
+
+# 2.21 disable hfs (not scored)
+
+# 2.22 disable hfsplus (not scored)
+
+# 2.23 disable squashfs (not scored)
+
+# 2.24 disable udf (not scored)
+
+# 2.25 disable automounting (Scored)
+# TODO
+
+###############################################
+# 3  Secure Boot Settings
+###############################################
+
+# 3.1 Set User/Group Owner on /etc/grub.conf
+# TODO (no mode tests)
+# stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
+
+# 3.2 Set Permissions on /etc/grub.conf (Scored)
+# TODO (no mode tests)
+#  stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
+
+# 3.3 Set Boot Loader Password (Scored)
+[CIS - SLES12 - 3.3 - GRUB Password not set {CIS: 3.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
+
+###############################################
+# 4  Additional Process Hardening
+###############################################
+
+# 4.1 Restrict Core Dumps (Scored)
+[CIS - SLES12 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
+
+# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+# TODO
+
+# 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+[CIS - SLES12 - 4.3 - Randomized Virtual Memory Region Placement not enabled  {CIS: 4.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/kernel/randomize_va_space -> 2;
+
+# 4.4 Disable Prelink (Scored)
+# TODO
+
+# 4.5 Activate AppArmor (Scored)
+# TODO
+
+###############################################
+# 5 OS Services
+###############################################
+
+###############################################
+# 5.1 Remove Legacy Services
+###############################################
+
+# 5.1.1 Remove NIS Server (Scored)
+[CIS - SLES12 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dypserv$;
+f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
+
+# 5.1.2 Remove NIS Client (Scored)
+[CIS - SLES12 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dypbind$;
+f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
+
+# 5.1.3 Remove rsh-server (Scored)
+[CIS - SLES12 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
+f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
+# TODO (finish this)
+f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
+f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
+f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
+
+# 5.1.4 Remove rsh client (Scored)
+# TODO
+
+# 5.1.5 Remove talk-server (Scored)
+[CIS - SLES12 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
+
+# 5.1.6 Remove talk client (Scored)
+# TODO
+
+# 5.1.7 Remove telnet-server (Scored)
+# TODO: detect it is installed at all
+[CIS - SLES12 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
+
+# 5.1.8 Remove tftp-server (Scored)
+[CIS - SLES12 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
+f:/usr/lib/systemd/system/tftp.service -> r:Exec;
+
+# 5.1.9 Remove xinetd (Scored)
+[CIS - SLES12 - 5.1.9 -  xinetd detected {CIS: 5.1.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
+
+# 5.2 Disable chargen-udp (Scored)
+[CIS - SLES12 - 5.2 -  chargen-udp enabled on xinetd {CIS: 5.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no;
+
+# 5.3 Disable chargen (Scored)
+[CIS - SLES12 - 5.3 -  chargen enabled on xinetd {CIS: 5.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no;
+
+# 5.4 Disable daytime-udp (Scored)
+[CIS - SLES12 - 5.4 -  daytime-udp enabled on xinetd {CIS: 5.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no;
+
+# 5.5 Disable daytime (Scored)
+[CIS - SLES12 - 5.5 -  daytime enabled on xinetd {CIS: 5.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no;
+
+
+# 5.6 Disable echo-udp (Scored)
+[CIS - SLES12 - 5.6 -  echo-udp enabled on xinetd {CIS: 5.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no;
+
+# 5.7 Disable echo (Scored)
+[CIS - SLES12 - 5.7 -  echo enabled on xinetd {CIS: 5.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no;
+
+# 5.8 Disable discard-udp (Scored)
+[CIS - SLES12 - 5.8 -  discard-udp enabled on xinetd {CIS: 5.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no;
+
+# 5.9 Disable discard (Scored)
+[CIS - SLES12 - 5.9 -  discard enabled on xinetd {CIS: 5.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no;
+
+# 5.10 Disable time-udp (Scored)
+[CIS - SLES12 - 5.10 -  time-udp enabled on xinetd {CIS: 5.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no;
+
+# 5.11 Disable time (Scored)
+[CIS - SLES12 - 5.11 -  time enabled on xinetd {CIS: 5.11 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no;
+
+###############################################
+# 6 Special Purpose Services
+###############################################
+
+# 6.1 Remove X Windows (Scored)
+[CIS - SLES12 - 6.1 - X11 not disabled {CIS: 6.1 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/usr/lib/systemd/system/default.target -> r:Graphical;
+p:gdm-x-session;
+
+# 6.2 Disable Avahi Server (Scored)
+[CIS - SLES12 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+p:avahi-daemon;
+
+# 6.3 Disable Print Server - CUPS (Not Scored)
+#TODO
+
+# 6.4 Remove DHCP Server (Scored)
+[CIS - SLES12 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
+
+# 6.5 Configure Network Time Protocol (NTP) (Scored)
+#TODO Chrony
+[CIS - SLES12 - 6.5 - NTPD not Configured {CIS: 6.5 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
+f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
+
+# 6.6 Remove LDAP (Not Scored)
+#TODO
+
+# 6.7 Disable NFS and RPC (Not Scored)
+[CIS - SLES12 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dnfs$;
+d:$rc_dirs -> ^S\d\dnfslock$;
+
+# 6.8 Remove DNS Server (Not Scored)
+# TODO
+
+# 6.9 Remove FTP Server (Not Scored)
+[CIS - SLES12 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
+
+# 6.10 Remove HTTP Server (Not Scored)
+[CIS - SLES12 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dapache2$;
+
+# 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+[CIS - SLES12 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
+
+[CIS - SLES12 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
+
+# 6.12 Remove Samba (Not Scored)
+[CIS - SLES12 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dsamba$;
+d:$rc_dirs -> ^S\d\dsmb$;
+
+# 6.13 Remove HTTP Proxy Server (Not Scored)
+[CIS - SLES12 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dsquid$;
+
+# 6.14 Remove SNMP Server (Not Scored)
+[CIS - SLES12 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dsnmpd$;
+
+# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+# TODO
+
+# 6.16 Ensure rsync service is not enabled (Scored)
+[CIS - SLES12 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\drsyncd$;
+
+# 6.17 Ensure Biosdevname is not enabled (Scored)
+# TODO
+
+###############################################
+# 7 Network Configuration and Firewalls
+###############################################
+
+###############################################
+# 7.1 Modify Network Parameters (Host Only)
+###############################################
+
+# 7.1.1 Disable IP Forwarding (Scored)
+[CIS - SLES12 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/ip_forward -> 1;
+f:/proc/sys/net/ipv6/ip_forward -> 1;
+
+# 7.1.2 Disable Send Packet Redirects (Scored)
+[CIS - SLES12 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
+f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
+
+###############################################
+# 7.2 Modify Network Parameters (Host and Router)
+###############################################
+
+# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+[CIS - SLES12 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
+
+# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+[CIS - SLES12 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
+
+# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+[CIS - SLES12 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
+f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
+
+# 7.2.4 Log Suspicious Packets (Scored)
+[CIS - SLES12 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
+
+# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+[CIS - SLES12 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
+
+# 7.2.6 Enable Bad Error Message Protection (Scored)
+[CIS - SLES12 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
+
+# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+[CIS - SLES12 - 7.2.7 - Network parameters - RFC Source route validation not enabled  {CIS: 7.2.7 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
+f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
+
+# 7.2.8 Enable TCP SYN Cookies (Scored)
+[CIS - SLES12 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
+
+###############################################
+# 7.3 Configure IPv6
+###############################################
+
+# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+
+# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
+
+# 7.3.3 Disable IPv6 (Not Scored)
+
+###############################################
+# 7.4 Install TCP Wrappers
+###############################################
+
+# 7.4.1 Install TCP Wrappers (Not Scored)
+
+# 7.4.2 Create /etc/hosts.allow (Not Scored)
+
+# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
+# TODO
+
+# 7.4.4 Create /etc/hosts.deny (Not Scored)
+
+# 7.5.5 Verify Permissions on /etc/hosts.deny (Scored)
+# TODO
+
+###############################################
+# 7.5 Uncommon Network Protocols
+###############################################
+
+# 7.5.1 Disable DCCP (Not Scored)
+
+# 7.5.2 Disable SCTP (Not Scored)
+
+# 7.5.3 Disable RDS (Not Scored)
+
+# 7.5.4 Disable TIPC (Not Scored)
+
+# 7.6 Deactivate Wireless Interfaces (Not Scored)
+
+# 7.7 Enable SuSEfirewall2 (Scored)
+
+# 7.8 Limit access to trusted networks (Not Scored)
+
+###############################################
+# 8 Logging and Auditing
+###############################################
+
+###############################################
+# 8.1 Configure System Accounting (auditd)
+###############################################
+
+###############################################
+# 8.1.1 Configure Data Retention
+###############################################
+
+# 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
+
+# 8.1.1.2 Disable System on Audit Log Full (Not Scored)
+
+# 8.1.1.3 Keep All Auditing Information (Scored)
+
+# 8.1.2 Enable auditd Service (Scored)
+
+# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+
+# 8.1.4 Record Events That Modify Date and Time Information (Scored)
+
+# 8.1.5 Record Events That Modify User/Group Information (Scored)
+
+# 8.1.6 Record Events That Modify the System’s Network Environment (Scored)
+
+# 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
+
+# 8.1.8 Collect Login and Logout Events (Scored)
+
+# 8.1.9 Collect Session Initiation Information (Scored)
+
+# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+
+# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+
+# 8.1.12 Collect Use of Privileged Commands (Scored)
+
+# 8.1.13 Collect Successful File System Mounts (Scored)
+
+# 8.1.14 Collect File Deletion Events by User (Scored)
+
+# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+
+# 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
+
+# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+
+# 8.1.18 Make the Audit Configuration Immutable (Scored)
+
+###############################################
+# 8.2 Configure rsyslog
+###############################################
+
+# 8.2.1 Install the rsyslog package (Scored)
+# TODO
+
+# 8.2.2 Activate the rsyslog Service (Scored)
+# TODO
+
+# 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
+
+# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
+
+# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
+
+# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+
+###############################################
+# 8.3 Advanced Intrusion Detection Environment (AIDE)
+###############################################
+
+# 8.3.1 Install AIDE (Scored)
+
+# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+
+# 8.4 Configure logrotate (Not Scored)
+
+###############################################
+# 9 System Access, Authentication and Authorization
+###############################################
+
+###############################################
+# 9.1 Configure cron and anacron
+###############################################
+
+# 9.1.1 Enable cron Daemon (Scored)
+
+# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+
+# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+
+# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+
+# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+
+# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+
+# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+
+# 9.1.8 Restrict at/cron to Authorized Users (Scored)
+
+###############################################
+# 9.2 Configure SSH
+###############################################
+
+# 9.2.1 Set SSH Protocol to 2 (Scored)
+[CIS - SLES12 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
+
+# 9.2.2 Set LogLevel to INFO (Scored)
+[CIS - SLES12 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
+
+# 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+# TODO
+
+# 9.2.4 Disable SSH X11 Forwarding (Scored)
+# TODO
+
+# 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+[ CIS - SLES12 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less  {CIS - SLES12 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$;
+f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries;
+f:/etc/ssh/sshd_config -> !r:MaxAuthTries;
+
+# 9.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+[CIS - SLES12 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
+
+# 9.2.7 Set SSH HostbasedAuthentication to No (Scored)
+[CIS - SLES12 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
+
+# 9.2.8 Disable SSH Root Login (Scored)
+[CIS - SLES12 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
+f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
+
+# 9.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+[CIS - SLES12 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
+f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
+
+# 9.2.10 Do Not Allow Users to Set Environment Options (Scored)
+
+# 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
+
+# 9.2.12 Set Idle Timeout Interval for User Login (Not Scored)
+
+# 9.2.13 Limit Access via SSH (Scored)
+
+# 9.2.14 Set SSH Banner (Scored)
+
+###############################################
+# 9.3 Configure PAM
+###############################################
+
+# 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+
+# 9.3.2 Set Lockout for Failed Password Attempts (Not Scored)
+
+# 9.3.3 Limit Password Reuse (Scored)
+
+# 9.4 Restrict root Login to System Console (Not Scored)
+
+# 9.5 Restrict Access to the su Command (Scored)
+
+###############################################
+# 10 User Accounts and Environment
+###############################################
+
+###############################################
+# 10.1 Set Shadow Password Suite Parameters (/etc/login.defs)
+###############################################
+
+# 10.1.1 Set Password Expiration Days (Scored)
+
+# 10.1.2 Set Password Change Minimum Number of Days (Scored)
+
+# 10.1.3 Set Password Expiring Warning Days (Scored)
+
+# 10.2 Disable System Accounts (Scored)
+
+# 10.3 Set Default Group for root Account (Scored)
+
+# 10.4 Set Default umask for Users (Scored)
+
+# 10.5 Lock Inactive User Accounts (Scored)
+
+
+###############################################
+# 11 Warning Banners
+###############################################
+
+# 11.1 Set Warning Banner for Standard Login Services (Scored)
+
+# 11.2 Remove OS Information from Login Warning Banners (Scored)
+
+# 11.3 Set Graphical Warning Banner (Not Scored)
+
+###############################################
+# 12 Verify System File Permissions
+###############################################
+
+# 12.1 Verify System File Permissions (Not Scored)
+
+# 12.2 Verify Permissions on /etc/passwd (Scored)
+
+# 12.3 Verify Permissions on /etc/shadow (Scored)
+
+# 12.4 Verify Permissions on /etc/group (Scored)
+
+# 12.5 Verify User/Group Ownership on /etc/passwd (Scored)
+
+# 12.6 Verify User/Group Ownership on /etc/shadow (Scored)
+
+# 12.7 Verify User/Group Ownership on /etc/group (Scored)
+
+# 12.8 Find World Writable Files (Not Scored)
+
+# 12.9 Find Un-owned Files and Directories (Scored)
+
+# 12.10 Find Un-grouped Files and Directories (Scored)
+
+# 12.11 Find SUID System Executables (Not Scored)
+
+# 12.12 Find SGID System Executables (Not Scored)
+
+###############################################
+# 13 Review User and Group Settings
+###############################################
+
+# 13.1 Ensure Password Fields are Not Empty (Scored)
+
+# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+
+# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+
+# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+
+# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+[CIS - SLES12 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES12} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
+
+# 13.6 Ensure root PATH Integrity (Scored)
+
+# 13.7 Check Permissions on User Home Directories (Scored)
+
+# 13.8 Check User Dot File Permissions (Scored)
+
+# 13.9 Check Permissions on User .netrc Files (Scored)
+
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+
+# 13.11 Check Groups in /etc/passwd (Scored)
+
+# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+
+# 13.13 Check User Home Directory Ownership (Scored)
+
+# 13.14 Check for Duplicate UIDs (Scored)
+
+# 13.15 Check for Duplicate GIDs (Scored)
+
+# 13.16 Check for Duplicate User Names (Scored)
+
+# 13.17 Check for Duplicate Group Names (Scored)
+
+# 13.18 Check for Presence of User .netrc Files (Scored)
+
+# 13.19 Check for Presence of User .forward Files (Scored)
+
+# 13.20 Ensure shadow group is empty (Scored)
+
+
+# Other/Legacy Tests
+[CIS - SLES12 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/shadow -> r:^\w+::;
+
+[CIS - SLES12 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+f:/etc/security/console.perms -> r:^<console>  \d+ <cdrom>;
+f:/etc/security/console.perms -> r:^<console>  \d+ <floppy>;
+
+[CIS - SLES12 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dkudzu$;
+
+[CIS - SLES12 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dpostgresql$;
+
+[CIS - SLES12 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dmysqld$;
+
+[CIS - SLES12 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dnamed$;
+
+[CIS - SLES12 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
+d:$rc_dirs -> ^S\d\dnetfs$;
diff --git a/etc/ruleset/rootcheck/cis_win2012r2_domainL1_rcl.txt b/etc/ruleset/rootcheck/cis_win2012r2_domainL1_rcl.txt
new file mode 100644
index 0000000000..777e4218c8
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_win2012r2_domainL1_rcl.txt
@@ -0,0 +1,1069 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Windows Server 2012 R2 Domain Controller L1
+# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
+#
+#
+#
+#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+;
+#
+#
+#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
+#
+#
+#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
+#
+#
+#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
+#
+#
+#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
+#
+#
+#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' 
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
+#
+#
+#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
+#
+#
+#2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.1: Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0;
+
+#
+#
+#2.3.5.2 Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.2: Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2;
+#
+#
+#2.3.5.3 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.5.3: Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1;
+#
+#
+#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
+#
+#
+#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
+#
+#
+#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
+#
+#
+#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;
+#
+#
+#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;
+#
+#
+#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;
+#
+#
+#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;
+#
+#
+#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
+#
+#
+#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
+#
+#
+#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
+#
+#
+#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
+#
+#
+#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
+#
+#
+#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
+#
+#
+#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
+#
+#
+#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
+#
+#
+#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
+#
+#
+#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
+#
+#
+#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
+#
+#
+#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
+#
+#
+#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
+#
+#
+#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
+#
+#
+#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
+#
+#
+#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.+;
+#
+#
+#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
+#
+#
+#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
+#
+#
+#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
+#
+#
+#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
+#
+#
+#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
+#
+#
+#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
+#
+#
+#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
+#
+#
+#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
+#
+#
+#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
+#
+#
+#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
+#
+#
+#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
+#
+#
+#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
+#
+#
+#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
+#
+#
+#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
+#
+#
+#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
+#
+#
+#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
+#
+#
+#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
+#
+#
+#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
+#
+#
+#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
+r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
+#
+#
+#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
+#
+#
+#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
+#
+#
+#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
+#
+#
+#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
+#
+#
+#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
+#
+#
+#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
+#
+#
+#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+#
+#
+#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
+#
+#
+#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
+#
+#
+#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0; 
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+#
+#
+#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w; 
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
+#
+#
+#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
+#
+#
+#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog; 
+#
+#
+#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
+#
+#
+#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
+#
+#
+#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
+#
+#
+#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
+#
+#
+#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
+#
+#
+#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
+#
+#
+#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
+#
+#
+#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
+#
+#
+#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
+#
+#
+#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
+#
+#
+#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
+#
+#
+#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
+#
+#
+#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
+#
+#
+#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
+#
+#
+#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
+#
+#
+#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
+#
+#
+#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
+#
+#
+#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
+#
+#
+#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
+#
+#
+#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
+#
+#
+#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
+#
+#
+#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
+#
+#
+#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
+#
+#
+#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
+#
+#
+#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
+#
+#
+#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
+#
+#
+#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
+#
+#
+#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
+#
+#
+#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
+#
+#
+#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
+#
+#
+#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
+#
+#
+#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
+#
+#
+#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;
+#
+#
+#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
+#
+#
+#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
+#
+#
+#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
+#
+#
+#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
+#
+#
+#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
+#
+#
+#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
+#
+#
+#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
+#
+#
+#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
+#
+#
+#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
+#
+#
+#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
+#
+#
+#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
+#
+#
+#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
+#
+#
+#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;
+#
+#
+#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
+#
+#
+#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
+#
+#
+#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
+#
+#
+#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
+#
+#
+#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
+#
+#
+#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
+#
+#
+#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
+#
+#
+#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
+#
+#
+#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
+#
+#
+#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
+#
+#
+#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
+#
+#
+#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;
+#
+#
+#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;
+#
+#
+#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
+#
+#
+#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
+#
+#
+#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
+#
+#
+#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
+#
+#
+#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
+#
+#
+#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
+#
+#
+#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
+#
+#
+#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
+#
+#
+#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
+#
+#
+#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
+#
+#
+#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
+#
+#
+#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
+#
+#
+#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
+#
+#
+#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
+#
diff --git a/etc/ruleset/rootcheck/cis_win2012r2_domainL2_rcl.txt b/etc/ruleset/rootcheck/cis_win2012r2_domainL2_rcl.txt
new file mode 100644
index 0000000000..811ef64d6b
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_win2012r2_domainL2_rcl.txt
@@ -0,0 +1,347 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Windows Server 2012 R2 Domain Controller L2
+# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
+#
+#
+#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
+#
+#
+#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
+#
+#
+#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery  -> !0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
+#
+#
+#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
+#
+#
+#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
+#
+#
+#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
+#
+#
+#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
+#
+#
+#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
+#
+#
+#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
+#
+#
+#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
+#
+#
+#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
+#
+#
+#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !DCSettingIndex;
+#
+#
+#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !ACSettingIndex;
+#
+#
+#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
+#
+#
+#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
+#
+#
+#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
+#
+#
+#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
+#
+#
+#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
+#
+#
+#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
+#
+#
+#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
+#
+#
+#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
+#
+#
+#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
+#
+#
+#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
+#
+#
+#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
+#
+#
+#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;
+#
+#
+#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
+#
+#
+#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
+#
+#
+#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
+#
+#
+#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
+#
+#
+#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
+#
+#
+#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
+#
diff --git a/etc/ruleset/rootcheck/cis_win2012r2_memberL1_rcl.txt b/etc/ruleset/rootcheck/cis_win2012r2_memberL1_rcl.txt
new file mode 100644
index 0000000000..bbdd28a59f
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_win2012r2_memberL1_rcl.txt
@@ -0,0 +1,1135 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Windows Server 2012 R2 Domain Controller L2
+# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
+#
+#
+#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+;
+#
+#
+#2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.2: Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;
+#
+#
+#2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.1.4: Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;
+#
+#
+#2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.1: Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;
+#
+#
+#2.3.2.2 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.2.2: Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;
+#
+#
+#2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.1: Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AllocateDASD -> 2;
+#
+#
+#2.3.4.2 Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.4.2: Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;
+#
+#
+#2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.1: Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;
+#
+#
+#2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.2: Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;
+#
+#
+#2.3.6.3 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.3: Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;
+#
+#
+#2.3.6.4 Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.4: Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;
+#
+#
+#2.3.6.6 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.6.6: Ensure 'Domain member: Require strong session key' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;
+#
+#
+#2.3.7.1 Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.1: Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;
+#
+#
+#2.3.7.2 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.2: Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;
+#
+#
+#2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.3: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;
+#
+#
+#2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.7: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;
+#
+#
+#2.3.7.8 Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.8: Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon;
+#
+#
+#2.3.7.9 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.7.9: Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon -> !ScRemoveOption;
+#
+#
+#2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.1: Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;
+#
+#
+#2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.2: Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;
+#
+#
+#2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.8.3: Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;
+#
+#
+#2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.1: Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;
+#
+#
+#2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.2: Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;
+#
+#
+#2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.3: Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;
+#
+#
+#2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.4: Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
+#
+#
+#2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.9.5: Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;
+#
+#
+#2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.2: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;
+#
+#
+#2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.3: Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;
+#
+#
+#2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.5: Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;
+#
+#
+#2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.6: Configure 'Network access: Named Pipes that can be accessed anonymously'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;
+#
+#
+#2.3.10.7 Configure 'Network access: Remotely accessible registry paths'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.7: Configure 'Network access: Remotely accessible registry paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;
+#
+#
+#2.3.10.8 Configure 'Network access: Remotely accessible registry paths and sub-paths'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.8: Configure 'Network access: Remotely accessible registry paths and sub-paths'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;
+#
+#
+#2.3.10.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.9: Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;
+#
+#
+#2.3.10.10 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.10: Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.+;
+#
+#
+#2.3.10.11 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.11: Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;
+#
+#
+#2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.1: Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;
+#
+#
+#2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.2: Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;
+#
+#
+#2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.3: Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;
+#
+#
+#2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.4: Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;
+#
+#
+#2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.5: Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;
+#
+#
+#2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.6: Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;
+#
+#
+#2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.7: Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;
+#
+#
+#2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;
+#
+#
+#2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.9: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption''] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;
+#
+#
+#2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.11.10: Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;
+#
+#
+#2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.13.1: Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;
+#
+#
+#2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.1: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;
+#
+#
+#2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.15.2: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;
+#
+#
+#2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.1: Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;
+#
+#
+#2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.2: Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;
+#
+#
+#2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.3: Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;
+#
+#
+#2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.4: Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;
+#
+#
+#2.3.17.5 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.5: Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;
+r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;
+#
+#
+#2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.6: Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;
+#
+#
+#2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.7: Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;
+#
+#
+#2.3.17.8 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.8: Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;
+#
+#
+#2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.17.9: Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;
+#
+#
+#9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.1: Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;
+#
+#
+#9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.2: Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.3: Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.4: Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;
+#
+#
+#9.1.5 Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.5: Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.1.6 Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.6: Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.1.7 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.7: Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+#
+#
+#9.1.8 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.8: Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.1.9 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.9: Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.1.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.1.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.1: Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;
+#
+#
+#9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.2: Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.3: Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.4: Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;
+#
+#
+#9.2.5 Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.5: Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.2.6 Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.6: Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.2.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+#
+#
+#9.2.8 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.8: Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.2.9 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.9: Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.2.10 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.2.10: Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.1: Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;
+#
+#
+#9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.2: Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;
+#
+#
+#9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.3: Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;
+#
+#
+#9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.4: Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;
+#
+#
+#9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.5: Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;
+#
+#
+#9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.6: Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;
+#
+#
+#9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.7: Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\*.log'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;
+#
+#
+#9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.8: Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;
+#
+#
+#9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.9: Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;
+#
+#
+#9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
+[CIS - Microsoft Windows Server 2012 R2 - 9.3.10: Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;
+#
+#
+#18.1.1.1 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.1: Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;
+#
+#
+#18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.1.1.2: Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;
+#
+#
+#18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.1: Ensure LAPS AdmPwd GPO Extension / CSE is installed] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;
+#
+#
+#18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.2: Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;
+#
+#
+#18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.3: Ensure 'Enable Local Admin Password Management' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;
+#
+#
+#18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.4: Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;
+#
+#
+#18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.5: Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;
+#
+#
+#18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
+[CIS - Microsoft Windows Server 2012 R2 - 18.2.6: Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;
+#
+#
+#18.3.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.1: Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;
+#
+#
+#18.3.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.2: Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;
+#
+#
+#18.3.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.3: Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;
+#
+#
+#18.3.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.4: Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;
+#
+#
+#18.3.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.6: Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;
+#
+#
+#18.3.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.8: Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;
+#
+#
+#18.3.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.9: Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;
+#
+#
+#18.3.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.12: Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;
+#
+#
+#18.4.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.2: Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;
+#
+#
+#18.4.11.3 Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.11.3: Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;
+#
+#
+#18.4.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.1: Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;
+#
+#
+#18.6.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.6.1: Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;
+#
+#
+#18.6.2 Ensure 'WDigest Authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.6.2: Ensure 'WDigest Authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;
+#
+#
+#18.8.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.3.1: Ensure 'Include command line in process creation events' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;
+#
+#
+#18.8.12.1 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.12.1: Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;
+#
+#
+#18.8.19.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.2: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;
+#
+#
+#18.8.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.3: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;
+#
+#
+#18.8.19.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.19.4: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;
+#
+#
+#18.8.25.1 Ensure 'Do not display network selection UI' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.1: Ensure 'Do not display network selection UI' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;
+#
+#
+#18.8.25.2 Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.2: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;
+#
+#
+#18.8.25.3 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.3: Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;
+#
+#
+#18.8.25.4 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.4: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;
+#
+#
+#18.8.25.5 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.25.5: Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;
+#
+#
+#18.8.31.1 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.1: Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;
+#
+#
+#18.8.31.2 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.31.2: Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;
+#
+#
+#18.8.32.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.1: Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;
+#
+#
+#18.9.6.1 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.6.1: Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;
+#
+#
+#18.9.8.1 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.1: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;
+#
+#
+#18.9.8.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.2: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;
+#
+#
+#18.9.8.3 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.8.3: Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;
+#
+#
+#18.9.15.1 Ensure 'Do not display the password reveal button' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.1: Ensure 'Do not display the password reveal button' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;
+#
+#
+#18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.15.2: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;
+#
+#
+#18.9.26.1.1 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.1: Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;
+#
+#
+#18.9.26.1.2 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.1.2: Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;
+#
+#
+#18.9.26.2.1 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.1: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;
+#
+#
+#18.9.26.2.2 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.2.2: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;
+#
+#
+#18.9.26.3.1 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.1: Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;
+#
+#
+#18.9.26.3.2 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.3.2: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;
+#
+#
+#18.9.26.4.1 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.1: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;
+#
+#
+#18.9.26.4.2 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.26.4.2: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;
+#
+#
+#18.9.30.2 Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.2: Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;
+#
+#
+#18.9.30.3 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.3: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;
+#
+#
+#18.9.30.4 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.4: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;
+#
+#
+#18.9.30.5 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.30.5: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;
+#
+#
+#18.9.47.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.1: Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;
+#
+#
+#18.9.47.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.47.2: Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;
+#
+#
+#18.9.52.2.2 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.2.2: Ensure 'Do not allow passwords to be saved' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;
+#
+#
+#18.9.52.3.3.2 Ensure 'Do not allow drive redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.2: Ensure 'Do not allow drive redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;
+#
+#
+#18.9.52.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.1: Ensure 'Always prompt for password upon connection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;
+#
+#
+#18.9.52.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.2: Ensure 'Require secure RPC communication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;
+#
+#
+#18.9.52.3.9.3 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.9.3: Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;
+#
+#
+#18.9.52.3.11.1 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.1: Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;
+#
+#
+#18.9.52.3.11.2 Ensure 'Do not use temporary folders per session' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.11.2: Ensure 'Do not use temporary folders per session' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;
+#
+#
+#18.9.53.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.53.1: Ensure 'Prevent downloading of enclosures' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;
+#
+#
+#18.9.54.2 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.2: Ensure 'Allow indexing of encrypted files' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;
+#
+#
+#18.9.61.1 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.1: Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;
+#
+#
+#18.9.61.2 Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.2: Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;
+#
+#
+#18.9.70.2.1 Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.2.1: Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;
+#
+#
+#18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.70.3: Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;
+#
+#
+#18.9.74.1 Ensure 'Allow user control over installs' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.1: Ensure 'Allow user control over installs' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;
+#
+#
+#18.9.74.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.2: Ensure 'Always install with elevated privileges' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;
+#
+#
+#18.9.75.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.75.1: Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;
+#
+#
+#18.9.84.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.1: Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;
+#
+#
+#18.9.84.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.84.2: Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;
+#
+#
+#18.9.86.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;
+#
+#
+#18.9.86.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.2: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;
+#
+#
+#18.9.86.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.1.3: Ensure 'Disallow Digest authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;
+#
+#
+#18.9.86.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.1: Ensure 'Allow Basic authentication' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;
+#
+#
+#18.9.86.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.3: Ensure 'Allow unencrypted traffic' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;
+#
+#
+#18.9.86.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.4: Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;
+#
+#
+#18.9.90.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.2: Ensure 'Configure Automatic Updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;
+#
+#
+#18.9.90.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.3: Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;
+#
+#
+#18.9.90.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.90.4: Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;
+#
+#
+#
diff --git a/etc/ruleset/rootcheck/cis_win2012r2_memberL2_rcl.txt b/etc/ruleset/rootcheck/cis_win2012r2_memberL2_rcl.txt
new file mode 100644
index 0000000000..3695dc483b
--- /dev/null
+++ b/etc/ruleset/rootcheck/cis_win2012r2_memberL2_rcl.txt
@@ -0,0 +1,4733 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# CIS Checks for Windows Server 2012 R2 Domain Controller L2
+# Based on Center for Internet Security Benchmark v2.2.1 for Microsoft Windows Server 2012 R2 (https://workbench.cisecurity.org/benchmarks/288)
+#
+#
+#2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
+[CIS - Microsoft Windows Server 2012 R2 - Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 5;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 6;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 7;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 8;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 9;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> a;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> b;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> c;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> d;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> e;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> f;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> \w\w+;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;
+#
+#
+#2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 2.3.10.4: Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;
+#
+#
+#18.3.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.5: Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;
+#
+#
+#18.3.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.7: Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery  -> !0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;
+#
+#
+#18.3.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.10: Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;
+#
+#
+#18.3.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+[CIS - Microsoft Windows Server 2012 R2 - 18.3.11: Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;
+#
+#
+#18.4.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.1: Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;
+#
+#
+#18.4.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.9.2: Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;
+#
+#
+#18.4.10.2 Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.10.2: Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;
+#
+#
+#18.4.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.19.2.1: Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;
+#
+#
+#18.4.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.1: Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;
+#
+#
+#18.4.20.2 Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.20.2: Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;
+#
+#
+#18.4.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.4.21.2: Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+ -> !1;
+#
+#
+#18.8.20.1.1 Ensure 'Turn off access to the Store' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.1: Ensure 'Turn off access to the Store' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;
+#
+#
+#18.8.20.1.2 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.2: Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;
+#
+#
+#18.8.20.1.3 Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.3: Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;
+#
+#
+#18.8.20.1.4 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.4: Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;
+#
+#
+#18.8.20.1.5 Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.5: Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;
+#
+#
+#18.8.20.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.6: Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;
+#
+#
+#18.8.20.1.7 Ensure 'Turn off printing over HTTP' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.7: Ensure 'Turn off printing over HTTP' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;
+#
+#
+#18.8.20.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.8: Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;
+r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;
+#
+#
+#18.8.20.1.9 Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.9: Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;
+#
+#
+#18.8.20.1.10 Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.10: Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;
+#
+#
+#18.8.20.1.11 Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.11: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;
+#
+#
+#18.8.20.1.12 Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.12: Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;
+#
+#
+#18.8.20.1.13 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.13: Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;
+#
+#
+#18.8.20.1.14 Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.20.1.14: Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;
+#
+#
+#18.8.24.1 Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.24.1: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;
+#
+#
+#18.8.29.5.1 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.1: Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !DCSettingIndex;
+#
+#
+#18.8.29.5.2 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.29.5.2: Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !ACSettingIndex;
+#
+#
+#18.8.32.2 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.32.2: Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients;
+#
+#
+#18.8.39.5.1 Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.5.1: Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;
+#
+#
+#18.8.39.11.1 Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.39.11.1: Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;
+#
+#
+#18.8.41.1 Ensure 'Turn off the advertising ID' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.41.1: Ensure 'Turn off the advertising ID' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;
+#
+#
+#18.8.44.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.1: Ensure 'Enable Windows NTP Client' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;
+#
+#
+#18.8.44.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.8.44.1.2: Ensure 'Enable Windows NTP Server' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;
+#
+#
+#18.9.37.1 Ensure 'Turn off location' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.37.1: Ensure 'Turn off location' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;
+#
+#
+#18.9.52.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.2.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;
+#
+#
+#18.9.52.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.1: Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;
+#
+#
+#18.9.52.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.3: Ensure 'Do not allow LPT port redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;
+#
+#
+#18.9.52.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.3.4: Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;
+#
+#
+#18.9.52.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.1: Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;
+#
+#
+#18.9.52.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.52.3.10.2: Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;
+#
+#
+#18.9.54.3 Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.54.3: Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;
+#
+#
+#18.9.59.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.59.1: Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;
+#
+#
+#18.9.61.3 Ensure 'Turn off the Store application' is set to 'Enabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.61.3: Ensure 'Turn off the Store application' is set to 'Enabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;
+#
+#
+#18.9.69.3.1 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.69.3.1: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;
+#
+#
+#18.9.74.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.74.3: Ensure 'Join Microsoft MAPS' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;
+#
+#
+#18.9.86.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.86.2.2: Ensure 'Allow remote server management through WinRM' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;
+#
+#
+#18.9.87.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
+[CIS - Microsoft Windows Server 2012 R2 - 18.9.87.1: Ensure 'Allow Remote Shell Access' is set to 'Disabled'] [any] [https://workbench.cisecurity.org/benchmarks/288]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;
+#
+
+
diff --git a/etc/ruleset/rootcheck/rootkit_files.txt b/etc/ruleset/rootcheck/rootkit_files.txt
index e69de29bb2..eada35cca2 100644
--- a/etc/ruleset/rootcheck/rootkit_files.txt
+++ b/etc/ruleset/rootcheck/rootkit_files.txt
@@ -0,0 +1,410 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# rootkit_files.txt, (C) Daniel B. Cid
+# Imported from the rootcheck project.
+#
+# Blank lines and lines starting with '#' are ignored.
+#
+# Each line must be in the following format:
+# file_name ! Name ::Link to it
+#
+# Files that start with an '*' will be searched in the whole system.
+
+# Bash door
+tmp/mcliZokhb           ! Bash door ::/rootkits/bashdoor.php
+tmp/mclzaKmfa           ! Bash door ::/rootkits/bashdoor.php
+
+# adore Worm
+dev/.shit/red.tgz       ! Adore Worm ::/rootkits/adorew.php
+usr/lib/libt            ! Adore Worm ::/rootkits/adorew.php
+usr/bin/adore           ! Adore Worm ::/rootkits/adorew.php
+*/klogd.o               ! Adore Worm ::/rootkits/adorew.php
+*/red.tar               ! Adore Worm ::/rootkits/adorew.php
+
+# T.R.K rootkit
+usr/bin/soucemask       ! TRK rootkit ::/rootkits/trk.php
+usr/bin/sourcemask      ! TRK rootkit ::/rootkits/trk.php
+
+# 55.808.A Worm
+tmp/.../a               ! 55808.A Worm ::
+tmp/.../r               ! 55808.A Worm ::
+
+# Volc Rootkit
+usr/lib/volc            ! Volc Rootkit ::
+usr/bin/volc            ! Volc Rootkit ::
+
+# Illogic
+lib/security/.config    ! Illogic Rootkit ::rootkits/illogic.php
+usr/bin/sia             ! Illogic Rootkit ::rootkits/illogic.php
+etc/ld.so.hash          ! Illogic Rootkit ::rootkits/illogic.php
+*/uconf.inv             ! Illogic Rootkit ::rootkits/illogic.php
+
+# T0rnkit
+usr/src/.puta           ! t0rn Rootkit ::rootkits/torn.php
+usr/info/.t0rn          ! t0rn Rootkit ::rootkits/torn.php
+lib/ldlib.tk            ! t0rn Rootkit ::rootkits/torn.php
+etc/ttyhash             ! t0rn Rootkit ::rootkits/torn.php
+sbin/xlogin             ! t0rn Rootkit ::rootkits/torn.php
+*/ldlib.tk              ! t0rn Rootkit ::rootkits/torn.php
+*/.t0rn                 ! t0rn Rootkit ::rootkits/torn.php
+*/.puta                 ! t0rn Rootkit ::rootkits/torn.php
+
+# RK17
+bin/rtty                        ! RK17 ::
+bin/squit                       ! RK17 ::
+sbin/pback                      ! RK17 ::
+proc/kset                       ! RK17 ::
+usr/src/linux/modules/autod.o   ! RK17 ::
+usr/src/linux/modules/soundx.o  ! RK17 ::
+
+# Ramen Worm
+usr/lib/ldlibps.so      ! Ramen Worm ::rootkits/ramen.php
+usr/lib/ldlibns.so      ! Ramen Worm ::rootkits/ramen.php
+usr/lib/ldliblogin.so   ! Ramen Worm ::rootkits/ramen.php
+usr/src/.poop           ! Ramen Worm ::rootkits/ramen.php
+tmp/ramen.tgz           ! Ramen Worm ::rootkits/ramen.php
+etc/xinetd.d/asp        ! Ramen Worm ::rootkits/ramen.php
+
+# Sadmind/IIS Worm
+dev/cuc                 ! Sadmind/IIS Worm ::
+
+# Monkit
+lib/defs                ! Monkit ::
+usr/lib/libpikapp.a     ! Monkit found ::
+
+# RSHA
+usr/bin/kr4p            ! RSHA ::
+usr/bin/n3tstat         ! RSHA ::
+usr/bin/chsh2           ! RSHA ::
+usr/bin/slice2          ! RSHA ::
+etc/rc.d/rsha           ! RSHA ::
+
+# ShitC worm
+bin/home                ! ShitC ::
+sbin/home               ! ShitC ::
+usr/sbin/in.slogind     ! ShitC ::
+
+# Omega Worm
+dev/chr                 ! Omega Worm ::
+
+# rh-sharpe
+bin/.ps                 ! Rh-Sharpe ::
+usr/bin/cleaner         ! Rh-Sharpe ::
+usr/bin/slice           ! Rh-Sharpe ::
+usr/bin/vadim           ! Rh-Sharpe ::
+usr/bin/.ps             ! Rh-Sharpe ::
+bin/.lpstree            ! Rh-Sharpe ::
+usr/bin/.lpstree        ! Rh-Sharpe ::
+usr/bin/lnetstat        ! Rh-Sharpe ::
+bin/lnetstat            ! Rh-Sharpe ::
+usr/bin/ldu             ! Rh-Sharpe ::
+bin/ldu                 ! Rh-Sharpe ::
+usr/bin/lkillall        ! Rh-Sharpe ::
+bin/lkillall            ! Rh-Sharpe ::
+usr/include/rpcsvc/du   ! Rh-Sharpe ::
+
+# Maniac RK
+usr/bin/mailrc          ! Maniac RK ::
+
+# Showtee / Romanian
+usr/lib/.egcs           ! Showtee ::
+usr/lib/.wormie         ! Showtee ::
+usr/lib/.kinetic        ! Showtee ::
+usr/lib/liblog.o        ! Showtee ::
+usr/include/addr.h      ! Showtee / Romanian rootkit ::
+usr/include/cron.h      ! Showtee ::
+usr/include/file.h      ! Showtee / Romanian rootkit ::
+usr/include/syslogs.h   ! Showtee / Romanian rootkit ::
+usr/include/proc.h      ! Showtee / Romanian rootkit ::
+usr/include/chk.h       ! Showtee ::
+usr/sbin/initdl         ! Romanian rootkit ::
+usr/sbin/xntps          ! Romanian rootkit ::
+
+# Optickit
+usr/bin/xchk            ! Optickit ::
+usr/bin/xsf             ! Optickit ::
+
+# LDP worm
+dev/.kork           ! LDP Worm ::
+bin/.login          ! LDP Worm ::
+bin/.ps             ! LDP Worm ::
+
+# Telekit
+dev/hda06           ! TeLeKit trojan ::
+usr/info/libc1.so   ! TeleKit trojan ::
+
+# Tribe bot
+dev/wd4     ! Tribe bot ::
+
+# LRK
+dev/ida/.inet       ! LRK rootkit ::rootkits/lrk.php
+*/bindshell         ! LRK rootkit ::rootkits/lrk.php
+
+# Adore Rootkit
+etc/bin/ava         ! Adore Rootkit ::
+etc/sbin/ava        ! Adore Rootkit ::
+
+# Slapper
+tmp/.bugtraq            ! Slapper installed ::
+tmp/.bugtraq.c          ! Slapper installed ::
+tmp/.cinik              ! Slapper installed ::
+tmp/.b                  ! Slapper installed ::
+tmp/httpd               ! Slapper installed ::
+tmp./update             ! Slapper installed ::
+tmp/.unlock             ! Slapper installed ::
+tmp/.font-unix/.cinik   ! Slapper installed ::
+tmp/.cinik              ! Slapper installed ::
+
+# Scalper
+tmp/.uua            ! Scalper installed ::
+tmp/.a              ! Scalper installed ::
+
+# Knark
+proc/knark          ! Knark Installed ::rootkits/knark.php
+dev/.pizda          ! Knark Installed ::rootkits/knark.php
+dev/.pula           ! Knark Installed ::rootkits/knark.php
+dev/.pula           ! Knark Installed ::rootkits/knark.php
+*/taskhack          ! Knark Installed ::rootkits/knark.php
+*/rootme            ! Knark Installed ::rootkits/knark.php
+*/nethide           ! Knark Installed ::rootkits/knark.php
+*/hidef             ! Knark Installed ::rootkits/knark.php
+*/ered              ! Knark Installed ::rootkits/knark.php
+
+# Lion worm
+dev/.lib            ! Lion Worm ::rootkits/lion.php
+dev/.lib/1iOn.sh    ! Lion Worm ::rootkits/lion.php
+bin/mjy             ! Lion Worm ::rootkits/lion.php
+bin/in.telnetd      ! Lion Worm ::rootkits/lion.php
+usr/info/torn       ! Lion Worm ::rootkits/lion.php
+*/1iOn\.sh          ! Lion Worm ::rootkits/lion.php
+
+# Bobkit
+usr/include/.../        ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/lib/.../            ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/sbin/.../           ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/bin/ntpsx           ! Bobkit Rootkit ::rootkits/bobkit.php
+tmp/.bkp                ! Bobkit Rootkit ::rootkits/bobkit.php
+usr/lib/.bkit-          ! Bobkit Rootkit ::rootkits/bobkit.php
+*/bkit-                 ! Bobkit Rootkit ::rootkits/bobkit.php
+
+# Hidrootkit
+var/lib/games/.k        ! Hidr00tkit ::
+
+# Ark
+dev/ptyxx       ! Ark rootkit ::
+
+# Mithra Rootkit
+usr/lib/locale/uboot        ! Mithra`s rootkit ::
+
+# Optickit
+usr/bin/xsf         ! OpticKit ::
+usr/bin/xchk        ! OpticKit ::
+
+# LOC rookit
+tmp/xp          ! LOC rookit ::
+tmp/kidd0.c     ! LOC rookit ::
+tmp/kidd0       ! LOC rookit ::
+
+# TC2 worm
+usr/info/.tc2k      ! TC2 Worm ::
+usr/bin/util        ! TC2 Worm ::
+usr/sbin/initcheck  ! TC2 Worm ::
+usr/sbin/ldb        ! TC2 Worm ::
+
+# Anonoiyng rootkit
+usr/sbin/mech       ! Anonoiyng rootkit ::
+usr/sbin/kswapd     ! Anonoiyng rootkit ::
+
+# SuckIt
+lib/.x              ! SuckIt rootkit ::
+*/hide.log          ! Suckit rootkit ::
+lib/sk              ! SuckIT rootkit ::
+
+# Beastkit
+usr/local/bin/bin       ! Beastkit rootkit ::rootkits/beastkit.php
+usr/man/.man10          ! Beastkit rootkit ::rootkits/beastkit.php
+usr/sbin/arobia         ! Beastkit rootkit ::rootkits/beastkit.php
+usr/lib/elm/arobia      ! Beastkit rootkit ::rootkits/beastkit.php
+usr/local/bin/.../bktd  ! Beastkit rootkit ::rootkits/beastkit.php
+
+# Tuxkit
+dev/tux             ! Tuxkit rootkit ::rootkits/Tuxkit.php
+usr/bin/xsf         ! Tuxkit rootkit ::rootkits/Tuxkit.php
+usr/bin/xchk        ! Tuxkit rootkit ::rootkits/Tuxkit.php
+*/.file             ! Tuxkit rootkit ::rootkits/Tuxkit.php
+*/.addr             ! Tuxkit rootkit ::rootkits/Tuxkit.php
+
+# Old rootkits
+usr/include/rpc/ ../kit     ! Old rootkits ::rootkits/Old.php
+usr/include/rpc/ ../kit2    ! Old rootkits ::rootkits/Old.php
+usr/doc/.sl                 ! Old rootkits ::rootkits/Old.php
+usr/doc/.sp                 ! Old rootkits ::rootkits/Old.php
+usr/doc/.statnet            ! Old rootkits ::rootkits/Old.php
+usr/doc/.logdsys            ! Old rootkits ::rootkits/Old.php
+usr/doc/.dpct               ! Old rootkits ::rootkits/Old.php
+usr/doc/.gifnocfi           ! Old rootkits ::rootkits/Old.php
+usr/doc/.dnif               ! Old rootkits ::rootkits/Old.php
+usr/doc/.nigol              ! Old rootkits ::rootkits/Old.php
+
+# Kenga3 rootkit
+usr/include/. .         ! Kenga3 rootkit
+
+# ESRK rootkit
+usr/lib/tcl5.3          ! ESRK rootkit
+
+# Fu rootkit
+sbin/xc                 ! Fu rootkit
+usr/include/ivtype.h    ! Fu rootkit
+bin/.lib                ! Fu rootkit
+
+# ShKit rootkit
+lib/security/.config    ! ShKit rootkit
+etc/ld.so.hash          ! ShKit rootkit
+
+# AjaKit rootkit
+lib/.ligh.gh            ! AjaKit rootkit
+lib/.libgh.gh           ! AjaKit rootkit
+lib/.libgh-gh           ! AjaKit rootkit
+dev/tux                 ! AjaKit rootkit
+dev/tux/.proc           ! AjaKit rootkit
+dev/tux/.file           ! AjaKit rootkit
+
+# zaRwT rootkit
+bin/imin                ! zaRwT rootkit
+bin/imout               ! zaRwT rootkit
+
+# Madalin rootkit
+usr/include/icekey.h    ! Madalin rootkit
+usr/include/iceconf.h   ! Madalin rootkit
+usr/include/iceseed.h   ! Madalin rootkit
+
+# shv5 rootkit XXX http://www.askaboutskating.com/forum/.../shv5/setup
+lib/libsh.so            ! shv5 rootkit
+usr/lib/libsh           ! shv5 rootkit
+
+# BMBL rootkit (http://www.giac.com/practical/GSEC/Steve_Terrell_GSEC.pdf)
+etc/.bmbl               ! BMBL rootkit
+etc/.bmbl/sk            ! BMBL rootkit
+
+# rootedoor rootkit
+*/rootedoor             ! Rootedoor rootkit
+
+# 0vason rootkit
+*/ovas0n                ! ovas0n rootkit ::/rootkits/ovason.php
+*/ovason                ! ovas0n rootkit ::/rootkits/ovason.php
+
+# Rpimp reverse telnet
+*/rpimp                 ! rpv21 (Reverse Pimpage)::/rootkits/rpimp.php
+
+# Cback Linux worm
+tmp/cback              ! cback worm ::/rootkits/cback.php
+tmp/derfiq             ! cback worm ::/rootkits/cback.php
+
+# aPa Kit (from rkhunter)
+usr/share/.aPa          ! Apa Kit
+
+# enye-sec Rootkit
+etc/.enyelkmHIDE^IT.ko  ! enye-sec Rootkit ::/rootkits/enye-sec.php
+
+# Override Rootkit
+dev/grid-hide-pid-     ! Override rootkit ::/rootkits/override.php
+dev/grid-unhide-pid-   ! Override rootkit ::/rootkits/override.php
+dev/grid-show-pids     ! Override rootkit ::/rootkits/override.php
+dev/grid-hide-port-    ! Override rootkit ::/rootkits/override.php
+dev/grid-unhide-port-  ! Override rootkit ::/rootkits/override.php
+
+# PHALANX rootkit
+usr/share/.home*        ! PHALANX rootkit ::
+usr/share/.home*/tty    ! PHALANX rootkit ::
+etc/host.ph1            ! PHALANX rootkit ::
+bin/host.ph1            ! PHALANX rootkit ::
+
+# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
+# and from chkrootkit
+usr/share/.zk                   ! ZK rootkit ::
+usr/share/.zk/zk                ! ZK rootkit ::
+etc/1ssue.net                   ! ZK rootkit ::
+usr/X11R6/.zk                   ! ZK rootkit ::
+usr/X11R6/.zk/xfs               ! ZK rootkit ::
+usr/X11R6/.zk/echo              ! ZK rootkit ::
+etc/sysconfig/console/load.zk   ! ZK rootkit ::
+
+# Public sniffers
+*/.linux-sniff          ! Sniffer log ::
+*/sniff-l0g             ! Sniffer log ::
+*/core_$                ! Sniffer log ::
+*/tcp.log               ! Sniffer log ::
+*/chipsul               ! Sniffer log ::
+*/beshina               ! Sniffer log ::
+*/.owned$               | Sniffer log ::
+
+# Solaris worm -
+# http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
+var/adm/.profile        ! Solaris Worm ::
+var/spool/lp/.profile   ! Solaris Worm ::
+var/adm/sa/.adm         ! Solaris Worm ::
+var/spool/lp/admins/.lp ! Solaris Worm ::
+
+# Suspicious files
+etc/rc.d/init.d/rc.modules  ! Suspicious file ::rootkits/Suspicious.php
+lib/ldd.so                  ! Suspicious file ::rootkits/Suspicious.php
+usr/man/muie                ! Suspicious file ::rootkits/Suspicious.php
+usr/X11R6/include/pain      ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/sourcemask          ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ras2xm              ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ddc                 ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/jdc                 ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/in.telnet          ! Suspicious file ::rootkits/Suspicious.php
+sbin/vobiscum               ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/jcd                ! Suspicious file ::rootkits/Suspicious.php
+usr/sbin/atd2               ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/ishit               ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/.etc                ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/xstat               ! Suspicious file ::rootkits/Suspicious.php
+var/run/.tmp                ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man1/lib/.lib       ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man2/.man8          ! Suspicious file ::rootkits/Suspicious.php
+var/run/.pid                ! Suspicious file ::rootkits/Suspicious.php
+lib/.so                     ! Suspicious file ::rootkits/Suspicious.php
+lib/.fx                     ! Suspicious file ::rootkits/Suspicious.php
+lib/lblip.tk                ! Suspicious file ::rootkits/Suspicious.php
+usr/lib/.fx                 ! Suspicious file ::rootkits/Suspicious.php
+var/local/.lpd              ! Suspicious file ::rootkits/Suspicious.php
+dev/rd/cdb                  ! Suspicious file ::rootkits/Suspicious.php
+dev/.rd/                    ! Suspicious file ::rootkits/Suspicious.php
+usr/lib/pt07                ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/atm                 ! Suspicious file ::rootkits/Suspicious.php
+tmp/.cheese                 ! Suspicious file ::rootkits/Suspicious.php
+dev/.arctic                 ! Suspicious file ::rootkits/Suspicious.php
+dev/.xman                   ! Suspicious file ::rootkits/Suspicious.php
+dev/.golf                   ! Suspicious file ::rootkits/Suspicious.php
+dev/srd0                    ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyzx                   ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyzg                   ! Suspicious file ::rootkits/Suspicious.php
+dev/xdf1                    ! Suspicious file ::rootkits/Suspicious.php
+dev/ttyop                   ! Suspicious file ::rootkits/Suspicious.php
+dev/ttyof                   ! Suspicious file ::rootkits/Suspicious.php
+dev/hd7                     ! Suspicious file ::rootkits/Suspicious.php
+dev/hdx1                    ! Suspicious file ::rootkits/Suspicious.php
+dev/hdx2                    ! Suspicious file ::rootkits/Suspicious.php
+dev/xdf2                    ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyp                    ! Suspicious file ::rootkits/Suspicious.php
+dev/ptyr                    ! Suspicious file ::rootkits/Suspicious.php
+sbin/pback                  ! Suspicious file ::rootkits/Suspicious.php
+usr/man/man3/psid           ! Suspicious file ::rootkits/Suspicious.php
+proc/kset                   ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/gib                 ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/snick               ! Suspicious file ::rootkits/Suspicious.php
+usr/bin/kfl                 ! Suspicious file ::rootkits/Suspicious.php
+tmp/.dump                   ! Suspicious file ::rootkits/Suspicious.php
+var/.x                      ! Suspicious file ::rootkits/Suspicious.php
+var/.x/psotnic              ! Suspicious file ::rootkits/Suspicious.php
+*/.log                      ! Suspicious file ::rootkits/Suspicious.php
+*/ecmf                      ! Suspicious file ::rootkits/Suspicious.php
+*/mirkforce                 ! Suspicious file ::rootkits/Suspicious.php
+*/mfclean                   ! Suspicious file ::rootkits/Suspicious.php
diff --git a/etc/ruleset/rootcheck/rootkit_trojans.txt b/etc/ruleset/rootcheck/rootkit_trojans.txt
new file mode 100644
index 0000000000..3bbeddabba
--- /dev/null
+++ b/etc/ruleset/rootcheck/rootkit_trojans.txt
@@ -0,0 +1,111 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# rootkit_trojans.txt, (C) Daniel B. Cid
+#
+# Imported from the rootcheck project.
+# Some entries taken from the chkrootkit project.
+#
+# Blank lines and lines starting with '#' are ignored.
+#
+# Each line must be in the following format:
+# file_name !string_to_search!Description
+
+# Common binaries and public trojan entries
+ls          !bash|^/bin/sh|dev/[^clu]|\.tmp/lsfile|duarawkz|/prof|/security|file\.h!
+env         !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+echo        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chown       !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chmod       !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+chgrp       !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+cat         !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cl]|^/bin/.*sh!
+bash        !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+sh          !proc\.h|/dev/[0-9]|/dev/[hijkz]!
+uname       !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
+date        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
+du          !w0rm|/prof|file\.h!
+df          !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
+login       !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+passwd      !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
+mingetty    !bash|Dimensioni|pacchetto!
+chfn        !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+chsh        !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
+mail        !bash|file\.h|proc\.h|/dev/[^nu]!
+su          !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo        !satori|vejeta|conf\.inv!
+crond       !/dev/[^nt]|bash!
+gpm         !bash|mingetty!
+ifconfig    !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
+diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+md5sum      !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+hdparm      !bash|/dev/ida!
+ldd         !/dev/[^n]|proc\.h|libshow.so|libproc.a!
+
+# Trojan entries for troubleshooting binaries
+grep        !bash|givemer!
+egrep       !bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh!
+find        !bash|/dev/[^tnlcs]|/prof|/home/virus|file\.h!
+lsof        !/prof|/dev/[^apcmnfk]|proc\.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp!
+netstat     !bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h!
+top         !/dev/[^npi3st%]|proc\.h|/prof/!
+ps          !/dev/ttyo|\.1proc|proc\.h|bash|^/bin/sh!
+tcpdump     !bash|^/bin/sh|file\.h|proc\.h|/dev/[^bu]|^/bin/.*sh!
+pidof       !bash|^/bin/sh|file\.h|proc\.h|/dev/[^f]|^/bin/.*sh!
+fuser       !bash|^/bin/sh|file\.h|proc\.h|/dev/[a-dtz]|^/bin/.*sh!
+w           !uname -a|proc\.h|bash!
+
+# Trojan entries for common daemons
+sendmail    !bash|fuck!
+named       !bash|blah|/dev/[0-9]|^/bin/sh!
+inetd       !bash|^/bin/sh|file\.h|proc\.h|/dev/[^un%]|^/bin/.*sh!
+apachectl   !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+sshd        !check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk|bash|/dev[a-s]|/dev[A-Z]/!
+syslogd     !bash|/usr/lib/pt07|/dev/[^cln]]|syslogs\.h|proc\.h!
+xinetd      !bash|file\.h|proc\.h!
+in.telnetd  !cterm100|vt350|VT100|ansi-term|bash|^/bin/sh|/dev[A-R]|/dev/[a-z]/!
+in.fingerd  !bash|^/bin/sh|cterm100|/dev/!
+identd      !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+init        !bash|/dev/h
+tcpd        !bash|proc\.h|p1r0c4|hack|/dev/[^n]!
+rlogin      !p1r0c4|r00t|bash|/dev/[^nt]!
+
+# Kill trojan
+killall     !/dev/[^t%]|proc\.h|bash|tmp!
+kill        !/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp!
+
+# Rootkit entries
+/etc/rc.d/rc.sysinit    !enyelkmHIDE! enye-sec Rootkit
+
+# ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf)
+/etc/sysconfig/console/load.zk   !/bin/sh! ZK rootkit
+/etc/sysconfig/console/load.zk   !usr/bin/run! ZK rootkit
+
+# Modified /etc/hosts entries
+# Idea taken from:
+# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
+# http://www.sophos.com/security/analyses/trojbagledll.html
+# http://www.f-secure.com/v-descs/fantibag_b.shtml
+/etc/hosts  !^[^#]*avp\.ch!Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*avp\.ru!Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*awaps\.net! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*ca\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*mcafee\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*microsoft\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*f-secure\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*sophos\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*symantec\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*my-etrust\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*nai\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*networkassociates\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*viruslist\.ru! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*kaspersky! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*symantecliveupdate\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*grisoft\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*clamav\.net! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*bitdefender\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*antivirus\.com! Anti-virus site on the hosts file
+/etc/hosts  !^[^#]*sans\.org! Security site on the hosts file
diff --git a/etc/ruleset/rootcheck/system_audit_rcl.txt b/etc/ruleset/rootcheck/system_audit_rcl.txt
new file mode 100644
index 0000000000..e5586ce322
--- /dev/null
+++ b/etc/ruleset/rootcheck/system_audit_rcl.txt
@@ -0,0 +1,102 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - p (process running)
+#             - d (any file inside the directory)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
+$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
+
+# PHP checks
+[PHP - Register globals are enabled] [any] []
+f:$php.ini -> r:^register_globals = On;
+
+# PHP checks
+[PHP - Expose PHP is enabled] [any] []
+f:$php.ini -> r:^expose_php = On;
+
+# PHP checks
+[PHP - Allow URL fopen is enabled] [any] []
+f:$php.ini -> r:^allow_url_fopen = On;
+
+# PHP checks
+[PHP - Displaying of errors is enabled] [any] []
+f:$php.ini -> r:^display_errors = On;
+
+# PHP checks - consider open_basedir && disable_functions
+
+
+## Looking for common web exploits (might indicate that you are owned).
+## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
+#[Web exploits - Possible compromise] [any] []
+#d:$web_dirs -> .txt$ -> r:^<?php|^#!;
+
+## Looking for common web exploits files (might indicate that you are owned).
+## There are not specific, like the above.
+## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
+[Web exploits (uncommon file name inside htdocs) - Possible compromise  {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> ^.yop$;
+
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> ^id$;
+
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> ^.ssh$;
+
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> ^...$;
+
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> ^.shell$;
+
+## Looking for outdated Web applications
+## Taken from http://sucuri.net/latest-versions
+[Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2';
+
+[Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8';
+
+[Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;
+
+## Looking for known backdoors
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode) {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;
+
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST)) {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
+d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;
+
+[Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;
+
+[Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;
diff --git a/etc/ruleset/rootcheck/system_audit_ssh.txt b/etc/ruleset/rootcheck/system_audit_ssh.txt
new file mode 100644
index 0000000000..558bb17dea
--- /dev/null
+++ b/etc/ruleset/rootcheck/system_audit_ssh.txt
@@ -0,0 +1,75 @@
+#  SSH Rootcheck
+#
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+
+
+$sshd_file=/etc/ssh/sshd_config;
+
+
+# Listen PORT != 22
+# The option Port specifies on which port number ssh daemon listens for incoming connections.
+# Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port.
+[SSH Hardening - 1: Port 22 {PCI_DSS: 2.2.4}] [any] [1]
+f:$sshd_file -> !r:^# && r:Port\.+22;
+
+
+# Protocol 2
+# The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use.
+# Version 1 of the SSH protocol has weaknesses.
+[SSH Hardening - 2: Protocol 1 {PCI_DSS: 2.2.4}] [any] [2]
+f:$sshd_file -> !r:^# && r:Protocol\.+1;
+
+
+# PermitRootLogin no
+# The option PermitRootLogin specifies whether root can log in using ssh.
+# If you want log in as root, you should use the option "Match" and restrict it to a few IP addresses.
+[SSH Hardening - 3: Root can log in] [any] [3]
+f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;
+
+
+# PubkeyAuthentication yes
+# Access only by public key
+# Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password.
+[SSH Hardening - 4: No Public Key authentication {PCI_DSS: 2.2.4}] [any] [4]
+f:$sshd_file -> !r:^\s*PubkeyAuthentication\.+yes;
+
+
+# PasswordAuthentication no
+# The option PasswordAuthentication specifies whether we should use password-based authentication.
+# Use public key authentication instead of passwords
+[SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}] [any] [5]
+f:$sshd_file -> !r:^\s*PasswordAuthentication\.+no;
+
+
+# PermitEmptyPasswords no
+# The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password
+# Accounts with null passwords are a bad practice.
+[SSH Hardening - 6: Empty passwords allowed {PCI_DSS: 2.2.4}] [any] [6]
+f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;
+
+
+# IgnoreRhosts yes
+# The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication.
+# For security reasons it is recommended to no use rhosts or shosts files for authentication.
+[SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}] [any] [7]
+f:$sshd_file -> !r:^\s*IgnoreRhosts\.+yes;
+
+
+# LoginGraceTime 30
+# The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
+# 30 seconds is the recommended time for avoiding open connections without authenticate
+[SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}] [any] [8]
+f:$sshd_file -> !r:^\s*LoginGraceTime\s+30\s*$;
+
+
+# MaxAuthTries 4
+# The MaxAuthTries parameter specifices the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
+# This should be set to 4.
+[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
+f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;
diff --git a/etc/ruleset/rootcheck/win_applications_rcl.txt b/etc/ruleset/rootcheck/win_applications_rcl.txt
new file mode 100644
index 0000000000..01e5af4304
--- /dev/null
+++ b/etc/ruleset/rootcheck/win_applications_rcl.txt
@@ -0,0 +1,135 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Application detection - (C) 2007 Daniel B. Cid - dcid@ossec.net
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+[Chat/IM/VoIP - Skype {PCI_DSS: 10.6.1}] [any] []
+f:\Program Files\Skype\Phone;
+f:\Documents and Settings\All Users\Documents\My Skype Pictures;
+f:\Documents and Settings\Skype;
+f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
+r:HKLM\SOFTWARE\Skype;
+r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
+p:r:Skype.exe;
+
+[Chat/IM - Yahoo {PCI_DSS: 10.6.1}] [any] []
+f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
+r:HKLM\SOFTWARE\Yahoo;
+
+[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] []
+r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
+
+[Chat/IM - AOL {PCI_DSS: 10.6.1}] [any] [http://www.aol.com]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
+r:HKEY_CLASSES_ROOT\aim\shell\open\command;
+r:HKEY_CLASSES_ROOT\AIM.Protocol;
+r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
+f:\Program Files\AIM95;
+p:r:aim.exe;
+
+[Chat/IM - MSN {PCI_DSS: 10.6.1}] [any] [http://www.msn.com]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
+r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
+f:\Program Files\MSN Messenger;
+f:\Program Files\Messenger;
+p:r:msnmsgr.exe;
+
+[Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [http://www.icq.com]
+r:HKLM\SOFTWARE\Mirabilis\ICQ;
+
+[P2P - UTorrent {PCI_DSS: 10.6.1}] [any] []
+p:r:utorrent.exe;
+
+[P2P - LimeWire {PCI_DSS: 11.4}] [any] []
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
+r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
+f:\Program Files\limewire;
+f:\Program Files\limeshop;
+
+[P2P/Adware - Kazaa {PCI_DSS: 11.4}] [any] []
+f:\Program Files\kazaa;
+f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
+f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
+f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
+f:%WINDIR%\System32\Cd_clint.dll;
+f:%WINDIR%\Sysnative\Cd_clint.dll;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
+r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
+
+# http://vil.nai.com/vil/content/v_135023.htm
+[Adware - RxToolBar {PCI_DSS: 11.4}] [any] [http://vil.nai.com/vil/content/v_135023.htm]
+r:HKEY_CURRENT_USER\Software\Infotechnics;
+r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
+r:HKEY_CURRENT_USER\Software\RX Toolbar;
+r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
+r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
+f:\Program Files\RXToolBar;
+
+# http://btfaq.com/serve/cache/18.html
+[P2P - BitTorrent {PCI_DSS: 10.6.1}] [any] [http://btfaq.com/serve/cache/18.html]
+f:\Program Files\BitTorrent;
+r:HKEY_CLASSES_ROOT\.torrent;
+r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
+r:HKEY_CLASSES_ROOT\bittorrent;
+r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
+
+# http://www.gotomypc.com
+[Remote Access - GoToMyPC {PCI_DSS: 10.6.1}] [any] []
+f:\Program Files\Citrix\GoToMyPC;
+f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
+f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
+f:\Program Files\expertcity\GoToMyPC;
+r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
+r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
+r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
+p:r:g2svc.exe;
+p:r:g2pre.exe;
+
+[Spyware - Twain Tec Spyware {PCI_DSS: 11.4}] [any] []
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
+f:%WINDIR%\twaintec.dll;
+
+# http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2
+[Spyware - SpyBuddy {PCI_DSS: 11.4}] [any] []
+f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
+f:\Program Files\ExploreAnywhere\SpyBuddy;
+f:\Program Files\ExploreAnywhere;
+f:%WINDIR%\System32\sysicept.dll;
+f:%WINDIR%\Sysnative\sysicept.dll;
+r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
+
+[Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] []
+r:HKLM\SOFTWARE\Avenue Media;
+r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1;
+r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;
diff --git a/etc/ruleset/rootcheck/win_audit_rcl.txt b/etc/ruleset/rootcheck/win_audit_rcl.txt
new file mode 100644
index 0000000000..afdc7a0319
--- /dev/null
+++ b/etc/ruleset/rootcheck/win_audit_rcl.txt
@@ -0,0 +1,82 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Windows Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceded by: =: (for equal) - default
+#                             r: (for ossec regexes)
+#                             >: (for strcmp greater)
+#                             <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
+[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
+r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
+r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
+
+# http://support.microsoft.com/kb/825750
+[DCOM disabled {PCI_DSS: 10.6.1}] [any] []
+r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
+
+# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
+[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
+r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
+
+# http://research.eeye.com/html/alerts/AL20060813.html
+# Disabled by some Malwares (sometimes by McAfee and Symantec
+# security center too).
+[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
+
+# Checking for the microsoft firewall.
+[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
+r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
+r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
+
+#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
+[Null sessions allowed {PCI_DSS: 11.4}] [any] []
+r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
+
+[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
+r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
+
+# http://support.microsoft.com/default.aspx?scid=315231
+[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
+r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
+r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
+
+[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
+f:%WINDIR%\System32\drivers\npf.sys;
+f:%WINDIR%\Sysnative\drivers\npf.sys;
diff --git a/etc/ruleset/rootcheck/win_malware_rcl.txt b/etc/ruleset/rootcheck/win_malware_rcl.txt
new file mode 100644
index 0000000000..cd65c21bd3
--- /dev/null
+++ b/etc/ruleset/rootcheck/win_malware_rcl.txt
@@ -0,0 +1,176 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@ossec.net
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://www.gnu.org/licenses/gpl.html
+#
+# [Malware name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+#             - f (for file or directory)
+#             - r (registry entry)
+#             - p (process running)
+#
+# Additional values:
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
+# For files, use "->" to look for a specific value in the file.
+#
+# # Values can be preceded by: =: (for equal) - default
+#                               r: (for ossec regexes)
+#                               >: (for strcmp greater)
+#                               <: (for strcmp  lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+
+# http://www.iss.net/threats/ginwui.html
+[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
+f:%WINDIR%\System32\zsyhide.dll;
+f:%WINDIR%\Sysnative\zsyhide.dll;
+f:%WINDIR%\System32\zsydll.dll;
+f:%WINDIR%\Sysnative\zsydll.dll;
+r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
+r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
+
+# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
+[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\wgareg.exe;
+f:%WINDIR%\Sysnative\wgareg.exe;
+r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
+
+# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
+[Sober Worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\nonzipsr.noz;
+f:%WINDIR%\Sysnative\nonzipsr.noz;
+f:%WINDIR%\System32\clonzips.ssc;
+f:%WINDIR%\Sysnative\clonzips.ssc;
+f:%WINDIR%\System32\clsobern.isc;
+f:%WINDIR%\Sysnative\clsobern.isc;
+f:%WINDIR%\System32\sb2run.dii;
+f:%WINDIR%\Sysnative\sb2run.dii;
+f:%WINDIR%\System32\winsend32.dal;
+f:%WINDIR%\Sysnative\winsend32.dal;
+f:%WINDIR%\System32\winroot64.dal;
+f:%WINDIR%\Sysnative\winroot64.dal;
+f:%WINDIR%\System32\zippedsr.piz;
+f:%WINDIR%\Sysnative\zippedsr.piz;
+f:%WINDIR%\System32\winexerun.dal;
+f:%WINDIR%\Sysnative\winexerun.dal;
+f:%WINDIR%\System32\winmprot.dal;
+f:%WINDIR%\Sysnative\winmprot.dal;
+f:%WINDIR%\System32\dgssxy.yoi;
+f:%WINDIR%\Sysnative\dgssxy.yoi;
+f:%WINDIR%\System32\cvqaikxt.apk;
+f:%WINDIR%\Sysnative\cvqaikxt.apk;
+f:%WINDIR%\System32\sysmms32.lla;
+f:%WINDIR%\Sysnative\sysmms32.lla;
+f:%WINDIR%\System32\Odin-Anon.Ger;
+f:%WINDIR%\Sysnative\Odin-Anon.Ger;
+
+# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
+[Hotword Trojan {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\_;
+f:%WINDIR%\Sysnative\_;
+f:%WINDIR%\System32\explore.exe;
+f:%WINDIR%\Sysnative\explore.exe;
+f:%WINDIR%\System32\ svchost.exe;
+f:%WINDIR%\Sysnative\ svchost.exe;
+f:%WINDIR%\System32\mmsystem.dlx;
+f:%WINDIR%\Sysnative\mmsystem.dlx;
+f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
+f:%WINDIR%\Sysnative\WINDLL-ObjectsWin*.DLX;
+f:%WINDIR%\System32\CFXP.DRV;
+f:%WINDIR%\Sysnative\CFXP.DRV;
+f:%WINDIR%\System32\CHJO.DRV;
+f:%WINDIR%\Sysnative\CHJO.DRV;
+f:%WINDIR%\System32\MMSYSTEM.DLX;
+f:%WINDIR%\Sysnative\MMSYSTEM.DLX;
+f:%WINDIR%\System32\OLECLI.DL;
+f:%WINDIR%\Sysnative\OLECLI.DL;
+
+[Beagle worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\System32\winxp.exe;
+f:%WINDIR%\Sysnative\winxp.exe;
+f:%WINDIR%\System32\winxp.exeopen;
+f:%WINDIR%\Sysnative\winxp.exeopen;
+f:%WINDIR%\System32\winxp.exeopenopen;
+f:%WINDIR%\Sysnative\winxp.exeopenopen;
+f:%WINDIR%\System32\winxp.exeopenopenopen;
+f:%WINDIR%\Sysnative\winxp.exeopenopenopen;
+f:%WINDIR%\System32\winxp.exeopenopenopenopen;
+f:%WINDIR%\Sysnative\winxp.exeopenopenopenopen;
+
+# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
+[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
+f:%WINDIR%\System32\ntos.exe;
+f:%WINDIR%\Sysnative\ntos.exe;
+f:%WINDIR%\System32\wsnpoem;
+f:%WINDIR%\Sysnative\wsnpoem;
+f:%WINDIR%\System32\wsnpoem\audio.dll;
+f:%WINDIR%\Sysnative\wsnpoem\audio.dll;
+f:%WINDIR%\System32\wsnpoem\video.dll;
+f:%WINDIR%\Sysnative\wsnpoem\video.dll;
+r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
+
+# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
+[Looked.BK Worm {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\uninstall\rundl132.exe;
+f:%WINDIR%\Logo1_.exe;
+f:%Windir%\RichDll.dll;
+r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
+
+[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
+p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
+f:!%WINDIR%\SysWOW64;
+
+[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
+p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
+f:!%WINDIR%\SysWOW64;
+
+[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
+f:%Windir%\System32\rdriv.sys;
+f:%Windir%\Sysnative\rdriv.sys;
+f:%Windir%\lsass.exe;
+
+[Possible Malware File {PCI_DSS: 11.4}] [any] []
+f:%WINDIR%\utorrent.exe;
+f:%WINDIR%\System32\utorrent.exe;
+f:%WINDIR%\Sysnative\utorrent.exe;
+f:%WINDIR%\System32\Files32.vxd;
+f:%WINDIR%\Sysnative\Files32.vxd;
+
+# Modified /etc/hosts entries
+# Idea taken from:
+# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
+# http://www.sophos.com/security/analyses/trojbagledll.html
+# http://www.f-secure.com/v-descs/fantibag_b.shtml
+[Anti-virus site on the hosts file] [any] []
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:networkassociates.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
+f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
+f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
diff --git a/etc/ruleset/sca/almalinux/cis_alma_linux_8.yml b/etc/ruleset/sca/almalinux/cis_alma_linux_8.yml
new file mode 100644
index 0000000000..4e96f528d2
--- /dev/null
+++ b/etc/ruleset/sca/almalinux/cis_alma_linux_8.yml
@@ -0,0 +1,4598 @@
+# Security Configuration Assessment
+# CIS Checks for Alma Linux 8
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Alma Linux 8 Benchmark v2.0.0 - 05-31-2022
+
+policy:
+  id: "cis_alma_linux_8"
+  file: "cis_alma_linux_8.yml"
+  name: "CIS Alma Linux 8 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Alma Linux 8 systems running on x86 and x64 platforms. This document was tested against Alma Linux 8."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Alma Linux platform."
+  description: "Requirements for running the policy against Alma Linux 8."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^AlmaLinux && r:release 8"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 32000
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs. Example: # printf "install cramfs /bin/false blacklist cramfs " >> /etc/modprobe.d/cramfs.conf Run the following command to unload the cramfs module: # modprobe -r cramfs.'
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v cramfs -> r:^\s*\t*install\s*\t*/bin/false'
+      - "not c:lsmod -> r:cramfs"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^\s*\t*blacklist\s*cramfs'
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 32001
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with the lines that reads install squashfs /bin/false and blacklist squashfs. Example: # printf "install squashfs /bin/false blacklist squashfs " >> /etc/modprobe.d/squashfs.conf Run the following command to unload the squashfs module: # modprobe -r squashfs.'
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v squashfs -> r:^\s*\t*install\s*\t*/bin/false'
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^\s*\t*blacklist\s*squashfs'
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 32002
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install udf /bin/false. Example: # printf "install udf /bin/false blacklist udf " >> /etc/modprobe.d/udf.conf Run the following command to unload the udf module: # modprobe -r udf.'
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v udf -> r:^\s*\t*install\s*\t*/bin/false'
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^\s*\t*blacklist\s*udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 32003
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 32004
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:nodev'
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 32005
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:noexec'
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 32006
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:nosuid'
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 32007
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 32008
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s && r:nodev'
+
+  # 1.1.3.3 Ensure noexec option set on /var partition. (Automated)
+  - id: 32009
+    title: "Ensure noexec option set on /var partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s && r:noexec'
+
+  # 1.1.3.4 Ensure nosuid option set on /var partition. (Automated)
+  - id: 32010
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s && r:nosuid'
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 32011
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary file residing in /var/tmp is to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 32012
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:noexec'
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 32013
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:nosuid'
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 32014
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:nodev'
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 32015
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contain the log files that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 32016
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 32017
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 32018
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:nosuid'
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 32019
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contain the audit.log file that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 32020
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:noexec'
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 32021
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:nodev'
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 32022
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:nosuid'
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 32023
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 32024
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 32025
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:nosuid'
+
+  # 1.1.7.4 Ensure usrquota option set on /home partition. (Automated)
+  - id: 32026
+    title: "Ensure usrquota option set on /home partition."
+    description: "The usrquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add usrquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.user Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:usrquota'
+
+  # 1.1.7.5 Ensure grpquota option set on /home partition. (Automated)
+  - id: 32027
+    title: "Ensure grpquota option set on /home partition."
+    description: "The grpquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.group Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:grpquota'
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 32028
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:nodev'
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 32029
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:noexec'
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 32030
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:nosuid'
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 32031
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # dnf remove autofs Run the following command to disable autofs if it is required: # systemctl --now disable autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled autofs -> r:^Failed && r:No such file or directory"
+      - "not c:systemctl is-enabled autofs -> r:^enabled"
+
+  # 1.1.10 Disable USB Storage. (Automated)
+  - id: 32032
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:^install /bin/true"
+      - "not c:lsmod -> r:^usb-storage"
+
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 32033
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_techniques: ["T1017", "T1019", "T1068", "T1072", "T1073", "T1075", "T1100", "T1103", "T1137", "T1138", "T1189", "T1190", "T1195", "T1210", "T1211", "T1212", "T1495"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^\s*gpgcheck\s*=\s*1'
+      - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 32034
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 32035
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:^enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:^enabled"
+      - "c:systemctl status aidecheck.service -> r:active"
+
+  # 1.4.1 Ensure bootloader password is set. (Automated) - Not Implemented
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated) - Not Implemented
+
+  # 1.4.3 Ensure authentication is required when booting into rescue mode. (Automated)
+  - id: 32036
+    title: "Ensure authentication is required when booting into rescue mode."
+    description: "Rescue mode (former single user mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in rescue mode (former single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials."
+    remediation: "The systemd drop-in files must be created if it is necessary to change the default settings: Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf which contains only the configuration to be overridden: [Service] ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:^ExecStart=- && r:systemd/systemd-sulogin-shell\s*\t*rescue'
+      - 'd:/etc/systemd/system/rescue.service.d -> r:\.+ -> r:^ExecStart=- && r:systemd/systemd-sulogin-shell\s*\t*rescue'
+
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 32037
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 32038
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - nist_sp_800-53: ["CM-6b"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 32039
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 32040
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0'."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 32041
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 32042
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permisive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 32043
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 32044
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 32045
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa setroubleshoot -> r:^setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 32046
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa mcstrans -> r:mcstrans"
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 32047
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 32048
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+    condition: any
+    rules:
+      - "not f:/etc/issue"
+      - 'not f:/etc/issue -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 32049
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+    condition: any
+    rules:
+      - "not f:/etc/issue.net"
+      - 'not f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 32050
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 32051
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 32052
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 32053
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "f:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 32054
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text='
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 32055
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:disable-user-list=true'
+
+  # 1.8.4 Ensure XDMCP is not enabled. (Automated)
+  - id: 32056
+    title: "Ensure XDMCP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.8.5 Ensure automatic mounting of removable media is disabled. (Automated)
+  - id: 32057
+    title: "Ensure automatic mounting of removable media is disabled."
+    description: "By default GNOME automatically mounts removable media when inserted as a convenience to the user."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Ensure that automatic mounting of media is disabled for all GNOME users: # cat << EOF >> /etc/dconf/db/local.d/00-media-automount [org/gnome/desktop/media-handling] automount=false automount-open=false EOF Apply the changes with: # dconf update OR Run the following command to uninstall the GNOME desktop Manager package: # dnf uninstall gdm."
+    references:
+      - "https://access.redhat.com/solutions/20107"
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - "c:gsettings get org.gnome.desktop.media-handling automount -> r:^false"
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 32058
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_techniques: ["T1017", "T1019", "T1068", "T1072", "T1073", "T1075", "T1100", "T1103", "T1137", "T1138", "T1189", "T1190", "T1195", "T1210", "T1211", "T1212", "T1495"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 32059
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_techniques: ["T1040", "T1070", "T1114", "T1119", "T1145", "T1208", "T1492", "T1493", "T1527", "T1530"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 32060
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 32061
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  # 2.2.1 Ensure xinetd is not installed. (Automated)
+  - id: 32062
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # dnf remove xinetd."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1028", "T1046", "T1051", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1200", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:^package xinetd is not installed"
+
+  # 2.2.2 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 32063
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 32064
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+      - "c:rpm -q avahi-autoipd -> r:^package avahi-autoipd is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 32065
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 32066
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the rpm -q dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.6 Ensure DNS Server is not installed. (Automated)
+  - id: 32067
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.7 Ensure VSFTP Server is not installed. (Automated)
+  - id: 32068
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.8 Ensure TFTP Server is not installed. (Automated)
+  - id: 32069
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.9 Ensure a web server is not installed. (Automated)
+  - id: 32070
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.10 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 32071
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.11 Ensure Samba is not installed. (Automated)
+  - id: 32072
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 32073
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.13 Ensure net-snmp is not installed. (Automated)
+  - id: 32074
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1028", "T1046", "T1051", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1200", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.14 Ensure NIS server is not installed. (Automated)
+  - id: 32075
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # dnf remove ypserv."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1028", "T1046", "T1051", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1200", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:^package ypserv is not installed"
+
+  # 2.2.15 Ensure telnet-server is not installed. (Automated)
+  - id: 32076
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1028", "T1046", "T1051", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1200", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.16 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 32077
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.17 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 32078
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-package is required as a dependency, the nfs-server should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 32079
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind -> r:masked|No such file or directory"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory"
+
+  # 2.2.19 Ensure rsync-daemon is not installed or the rsyncd service is masked. (Automated)
+  - id: 32080
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked._."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 32081
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # dnf remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:^package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 32082
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # dnf remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:^package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 32083
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # dnf remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:^package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 32084
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 32085
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1028", "T1046", "T1052", "T1064", "T1076", "T1086", "T1091", "T1092", "T1118", "T1121", "T1127", "T1133", "T1137", "T1164", "T1170", "T1171", "T1173", "T1175", "T1180", "T1184", "T1191", "T1210", "T1221", "T1519"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.6 Ensure TFTP client is not installed. (Automated)
+  - id: 32086
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.3.7 Ensure FTP client is not installed. (Automated)
+  - id: 32087
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+
+  # 3.1.1 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+  # 3.1.2 Verify if IPv6 is enabled or disabled on the system. (Manual) - Not Implemented
+
+  # 3.1.3 Ensure SCTP is disabled. (Automated)
+  - id: 32088
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install sctp /bin/true " >> /etc/modprobe.d/sctp.conf.'
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:^install\s*\t*/bin/true'
+      - "not c:lsmod -> r:^sctp"
+
+  # 3.1.4 Ensure DCCP is disabled. (Automated)
+  - id: 32089
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install dccp /bin/true " >> /etc/modprobe.d/dccp.conf.'
+    compliance:
+      - cis: ["3.1.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:^install\s*\t*/bin/true'
+      - "not c:lsmod -> r:^dccp"
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  # 3.4.1.1 Ensure firewalld is installed. (Automated)
+  - id: 32090
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # dnf install firewalld iptables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:^firewalld-"
+      - "c:rpm -q iptables -> r:^iptables-"
+
+  # 3.4.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 32091
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 32092
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. _Note: Support for using nftables as the back-end for firewalld was added in release v0.6.0. In Fedora 19 Linux derivatives, firewalld utilizes iptables as its back-end by default."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: firewalld may configured as the front-end to nftables. If this case, nftables should be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # dnf remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.4.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+      - "c:systemctl is-active nftables -> r:^inactive"
+      - "c:systemctl is-enabled nftables -> r:^masked"
+
+  # 3.4.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 32093
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.4.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:^enabled"
+      - "c:firewall-cmd --state -> r:^running"
+
+  # 3.4.1.5 Ensure firewalld default zone is set. (Automated) - Not Implemented
+  # 3.4.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) - Not Implemented
+  # 3.4.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+
+  # 3.4.2.1 Ensure nftables is installed. (Automated)
+  - id: 32094
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 32095
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # dnf remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 32096
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.2.4 Ensure iptables are flushed with nftables. (Manual)
+  - id: 32097
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.4.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "not c:iptables -L -> r:^Chain|^Accept|^Reject|^target"
+      - "not c:ip6tables -L -> r:^Chain|^Accept|^Reject|^target"
+
+  # 3.4.2.5 Ensure an nftables table exists. (Automated)
+  - id: 32098
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.4.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+
+  # 3.4.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 32099
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.4.2.7 Ensure nftables loopback traffic is configured. (Automated) - Not Implemented
+  # 3.4.2.8 Ensure nftables outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 32100
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.4.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 32101
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.4.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:^enabled"
+
+  # 3.4.2.11 Ensure nftables rules are permanent. (Automated)
+  - id: 32102
+    title: "Ensure nftables rules are permanent."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered."
+    rationale: "Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot."
+    remediation: 'Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot: Example: include "/etc/nftables/nftables.rules".'
+    compliance:
+      - cis: ["3.4.2.11"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/nftables.conf -> r:^include"
+
+  # 3.4.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 32103
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # dnf install iptables iptables-services."
+    compliance:
+      - cis: ["3.4.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:^iptables-"
+      - "c:rpm -q iptables-services -> r:^iptables-services-"
+
+  # 3.4.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 32104
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # dnf remove nftables."
+    compliance:
+      - cis: ["3.4.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:package nftables is not installed"
+
+  # 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 32105
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 32106
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.4.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:ACCEPT && r:all && r:lo\s*\t**'
+      - 'c:iptables -L INPUT -v -n -> r:DROP && r:all && r:*\s*\t** && r:127.0.0.0'
+      - 'c:iptables -L OUTPUT -v -n -> r:ACCEPT && r:all && r:*\s*\t*lo'
+
+  # 3.4.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 32107
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:INPUT && r:policy DROP"
+      - "c:iptables -L -> r:FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:OUTPUT && r:policy DROP"
+
+  # 3.4.3.2.5 Ensure iptables rules are saved. (Automated) - Not Impemented
+
+  # 3.4.3.2.6 Ensure iptables is enabled and active. (Automated)
+  - id: 32108
+    title: "Ensure iptables is enabled and active."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.4.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:^enabled"
+      - "c:systemctl is-active iptables -> r:^active"
+
+  # 3.4.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 32109
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.4.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:ACCEPT && r:all && r:lo\s*\t**'
+      - 'c:ip6tables -L INPUT -v -n -> r:DROP && r:all && r:*\s*\t** && r:::1'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:ACCEPT && r:all && r:*\s*\t*lo'
+
+  # 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 32110
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:OUTPUT && r:policy DROP"
+
+  # 3.4.3.3.5 Ensure ip6tables rules are saved. (Automated) - Not Implemented
+
+  # 3.4.3.3.6 Ensure ip6tables is enabled and active. (Automated)
+  - id: 32111
+    title: "Ensure ip6tables is enabled and active."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.4.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ip6tables -> r:^enabled"
+      - "c:systemctl is-active ip6tables -> r:^active"
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 32112
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditd service is enabled. (Automated)
+  - id: 32113
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 32114
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to add audit=1 to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 32115
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:\s*audit_backlog_limit=(d+) compare >= 8192'
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 32116
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*='
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 32117
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 32118
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 32119
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1047", "T1051", "T1053", "T1054", "T1055", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1088", "T1089", "T1096", "T1097", "T1098", "T1100", "T1134", "T1136", "T1145", "T1146", "T1150", "T1156", "T1157", "T1165", "T1169", "T1175", "T1184", "T1190", "T1196", "T1198", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1489", "T1492", "T1494", "T1495", "T1501", "T1504", "T1505", "T1525", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 32120
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1047", "T1051", "T1053", "T1054", "T1055", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1088", "T1089", "T1096", "T1097", "T1098", "T1100", "T1110", "T1134", "T1136", "T1145", "T1146", "T1150", "T1156", "T1157", "T1165", "T1169", "T1175", "T1184", "T1190", "T1196", "T1198", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1489", "T1492", "T1494", "T1495", "T1501", "T1504", "T1505", "T1525", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 32121
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1031", "T1034", "T1038", "T1044", "T1053", "T1073", "T1076", "T1078", "T1081", "T1088", "T1114", "T1145", "T1161", "T1176", "T1213", "T1214", "T1482", "T1484", "T1505", "T1525", "T1527", "T1528", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 32122
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1031", "T1034", "T1038", "T1044", "T1053", "T1073", "T1076", "T1078", "T1081", "T1088", "T1114", "T1145", "T1161", "T1176", "T1213", "T1214", "T1482", "T1484", "T1505", "T1525", "T1527", "T1528", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 32123
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1047", "T1051", "T1053", "T1054", "T1055", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1088", "T1089", "T1096", "T1097", "T1098", "T1100", "T1134", "T1136", "T1145", "T1146", "T1150", "T1156", "T1157", "T1165", "T1169", "T1175", "T1184", "T1190", "T1196", "T1198", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1489", "T1492", "T1494", "T1495", "T1501", "T1504", "T1505", "T1525", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 32124
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-perm_mod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 32125
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1003", "T1004", "T1017", "T1019", "T1021", "T1023", "T1028", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1055", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1088", "T1089", "T1096", "T1097", "T1098", "T1100", "T1110", "T1134", "T1136", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1175", "T1184", "T1185", "T1190", "T1196", "T1197", "T1198", "T1206", "T1208", "T1209", "T1210", "T1213", "T1214", "T1215", "T1218", "T1484", "T1489", "T1492", "T1494", "T1495", "T1501", "T1504", "T1505", "T1525", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 32126
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - mitre_techniques: ["T1003", "T1004", "T1017", "T1019", "T1021", "T1023", "T1028", "T1031", "T1034", "T1035", "T1036", "T1037", "T1038", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1055", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1088", "T1089", "T1096", "T1097", "T1098", "T1100", "T1110", "T1114", "T1134", "T1136", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1161", "T1162", "T1163", "T1165", "T1168", "T1169", "T1175", "T1176", "T1184", "T1185", "T1190", "T1196", "T1197", "T1198", "T1206", "T1208", "T1209", "T1210", "T1213", "T1214", "T1215", "T1218", "T1482", "T1484", "T1489", "T1492", "T1494", "T1495", "T1501", "T1504", "T1505", "T1525", "T1527", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 32127
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 32128
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1031", "T1034", "T1038", "T1044", "T1053", "T1073", "T1076", "T1078", "T1081", "T1088", "T1114", "T1145", "T1161", "T1176", "T1213", "T1214", "T1482", "T1484", "T1505", "T1525", "T1527", "T1528", "T1530"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 32129
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 32130
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-priv_cmd.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 32131
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 32132
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 32133
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 32134
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2\" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'not d:/etc/audit/rules.d -> r:\.+.rules$ -> !r:\s*\t*-e 2$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 32135
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:/usr/sbin/augenrules && r:No change"
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 32136
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 32137
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 32138
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 32139
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+      - 'd:/etc/rsyslog.d/ -> r:\.+.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual) - Not Implemented
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 32140
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 32141
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:^systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 32142
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled systemd-journal-upload.service -> r:^\s*\t*enabled$'
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 32143
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 32144
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 32145
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress=yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 32146
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 32147
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated)
+  - id: 32148
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files contain information from many services on the local system, or in the event of a centralized log server, others systems logs as well. In general log files are found in /var/log/, although application can be configured to store logs elsewhere. Should your application store logs in another, ensure to run the same test on that location."
+    rationale: "It is important that log files have the correct permissions to ensure that sensitive data is protected and that only the appropriate users / groups have access to them."
+    remediation: 'Run the following command to set permissions on all existing log files in /var/log. Although the command is not destructive, ensure that the output of the audit procedure is captured in the event that the remediation causes issues. # find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" + If there are services that logs to other locations, ensure that those log files have the appropriate permissions.'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +" -> r:\w+'
+
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 32149
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 32150
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 32151
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 32152
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 32153
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 32154
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 32155
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 32156
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow`: #!/usr/bin/env bash { if rpm -q cronie >/dev/null; then [ -e /etc/cron.deny ] && rm -f /etc/cron.deny [ ! -e /etc/cron.allow ] && touch /etc/cron.allow chown root:root /etc/cron.allow chmod u-x,go-rwx /etc/cron.allow else echo "cron is not installed on the system" fi } OR Run the following command to remove cron: # dnf remove cronie.'
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat -L /etc/cron.allow -> r:Access:\s*\(0\d\d0/-\w\w\w\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 32157
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file mode for /etc/at.allow: #!/usr/bin/env bash { if rpm -q at >/dev/null; then [ -e /etc/at.deny ] && rm -f /etc/at.deny [ ! -e /etc/at.allow ] && touch /etc/at.allow chown root:root /etc/at.allow chmod u-x,go-rwx /etc/at.allow else echo "at is not installed on the system" fi } OR Run the following command to remove at: # dnf remove at.'
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat -L /etc/at.allow -> r:Access:\s*\(0\d\d0/-\w\w\w\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 32158
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated)
+  - id: 32159
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, the possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated."
+    remediation: "Run the following commands to set permissions, ownership, and group on the private SSH host key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,g-wx,o- rwx {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \\;."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "find /etc/ssh -xdev -type f -name \"ssh_host_*_key\" -exec stat {} \\;" -> r:Access:\s*\( && !r:-rw-r--r--'
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated)
+  - id: 32160
+    title: "Ensure permissions on SSH public host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go- wx {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;."
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "find /etc/ssh -xdev -type f -name \"ssh_host_*_key.pub\" -exec stat {} \\;" -> r:Access:\s*\( && !r:-rw-r--r--'
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 32161
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 32162
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*LogLevel\s+INFO|^\s*\t*LogLevel\s+VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+ && !r:INFO|VERBOSE'
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 32163
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*usepam\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 32164
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitRootLogin\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 32165
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_techniques: ["T1004", "T1017", "T1021", "T1023", "T1031", "T1034", "T1040", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1072", "T1075", "T1076", "T1078", "T1084", "T1089", "T1097", "T1098", "T1110", "T1114", "T1133", "T1134", "T1136", "T1152", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1185", "T1197", "T1213", "T1484", "T1489", "T1501", "T1528", "T1530", "T1537", "T1538", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*HostbasedAuthentication\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 32166
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_techniques: ["T1004", "T1017", "T1021", "T1023", "T1031", "T1034", "T1040", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1072", "T1075", "T1076", "T1078", "T1084", "T1089", "T1097", "T1098", "T1110", "T1114", "T1133", "T1134", "T1136", "T1152", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1185", "T1197", "T1213", "T1484", "T1489", "T1501", "T1528", "T1530", "T1537", "T1538", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitEmptyPasswords\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 32167
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitUserEnvironment\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 32168
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*IgnoreRhosts\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 32169
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*X11Forwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 32170
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 32171
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_techniques: ["T1040", "T1070", "T1114", "T1119", "T1145", "T1208", "T1492", "T1493", "T1527", "T1530"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> ^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 32172
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*banner\s*\t*/'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*banner\s*\t*/'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 32173
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_techniques: ["T1004", "T1021", "T1023", "T1031", "T1034", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1072", "T1075", "T1076", "T1078", "T1084", "T1089", "T1097", "T1134", "T1152", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1185", "T1197", "T1213", "T1484", "T1489", "T1501", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare > 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 32174
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare > 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare > 30'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare > 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 32175
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*maxsessions\s+(\d+) compare <= 10'
+      - 'f:/etc/ssh/sshd_config ->  n:^\s*\t*maxsessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config ->  n:^\s*\t*maxsessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 32176
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 32177
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - mitre_techniques: ["T1031", "T1034", "T1038", "T1044", "T1053", "T1073", "T1076", "T1078", "T1081", "T1088", "T1110", "T1114", "T1145", "T1161", "T1176", "T1213", "T1214", "T1482", "T1484", "T1505", "T1525", "T1527", "T1528", "T1530"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare > 0 && n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'not c:sshd -T -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare > 0 && n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare != 0'
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 32178
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dnf list sudo -> r:^sudo.x86_64"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 32179
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 32180
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 32181
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 32182
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 32183
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -V -> r:Authentication timestamp timeout:\s*\t*5.0 minutes'
+      - 'f:/etc/sudoers -> n:timestamp_timeout=(\d+) compare < 15 && n:timestamp_timeout=(\d+) compare != -1'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 32184
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual) - Not Implemented
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 32185
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_techniques: ["T1004", "T1021", "T1023", "T1031", "T1034", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1072", "T1075", "T1076", "T1078", "T1084", "T1089", "T1097", "T1134", "T1152", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1185", "T1197", "T1213", "T1484", "T1489", "T1501", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 32186
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more Either of the following can be used to enforce complex passwords: - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 32187
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be not greater than 5 and unlock_time should be 0 (never), or 900 seconds or greater. Depending on the version you are running, follow one of the two methods bellow. Versions 8.2 and later: Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900 Versions 8.0 and 8.1: Run the following script to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options. This script should be modified as needed to follow local site policy. #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=(0|[6-9]|[1- 9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/deny=\\S+/deny=5/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=\\d*\\b.*$' \"$file\"; then sed -r 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 deny=5 \\4/' $file fi if grep -P -- '^\\h*(auth\\h+required\\h+pam_faillock\\.so\\h+)([^#\\n\\r]+)?\\h+unlock_time=([1- 9]|[1-9][0-9]|[1-8][0-9][0-9])\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/unlock_time=\\S+/unlock_time=900/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+unlock_time=\\d*\\b.*$ ' \"$file\"; then sed -ri 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 unlock_time=900 \\4/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_techniques: ["T1004", "T1021", "T1023", "T1031", "T1034", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1072", "T1075", "T1076", "T1078", "T1084", "T1089", "T1097", "T1134", "T1152", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1185", "T1197", "T1213", "T1484", "T1489", "T1501", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth'
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth && r:required && r:\s*\t*pam_faillock.so && r:\s*\t*authfail'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:fail_interval\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 32188
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:password\s*\t*requisite|password\s*\t*sufficient && r:pam_pwhistory.so|pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 32189
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> r:\s*ENCRYPT_METHOD SHA512'
+      - 'f:/etc/libuser.conf -> r:\s*crypt_style = sha512'
+      - 'f:/etc/pam.d/password-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 32190
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:(\d+): compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is 7 or more. (Automated)
+  - id: 32191
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare < 7'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 32192
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:\d+:(\d+): compare < 7'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 32193
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'not f:/etc/shadow -> n:^\w+:\w+:\w+:\w+:\w+:\w+:(\d+): compare > 30'
+      - 'not f:/etc/shadow -> r:^\w+:\w+:\w+:\w+:\w+:\w+:-1:'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 32194
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && r:root:\w+:\w+:0:'
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+
+  # 6.1.1 Audit system file permissions. (Manual)
+  # 6.1.2 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+
+  # 6.1.3 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 32195
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 32196
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:0 root 0 root && n:shadow (\d+) compare == 0'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 32197
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group: # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 32198
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:0 root 0 root && n:gshadow (\d+) compare == 0'
+
+  # 6.1.7 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 32199
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.8 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 32200
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:0 root 0 root && n:shadow- (\d+) compare == 0'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 32201
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.10 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 32202
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:0 root 0 root && n:gshadow (\d+) compare == 0'
+
+  # 6.1.11 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.14 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit SGID executables. (Manual) - Not Implemented
+
+  # 6.2.1 Ensure password fields are not empty. (Automated)
+  - id: 32203
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.3 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.8 Ensure root is the only UID 0 account. (Automated)
+  - id: 32204
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: 'This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in recommendation "Ensure access to the su command is restricted".'
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.9 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.10 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.11 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.12 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' .netrc Files are not group or world accessible. (Automated) - Not Implemented
+  # 6.2.14 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .rhosts files. (Automated) -Not Implemented
\ No newline at end of file
diff --git a/etc/ruleset/sca/almalinux/cis_alma_linux_9.yml b/etc/ruleset/sca/almalinux/cis_alma_linux_9.yml
new file mode 100644
index 0000000000..51498e3f6d
--- /dev/null
+++ b/etc/ruleset/sca/almalinux/cis_alma_linux_9.yml
@@ -0,0 +1,4580 @@
+# Security Configuration Assessment
+# CIS Checks for Alma Linux 9
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Alma Linux 9 Benchmark v1.0.0 - 06-02-2022
+
+policy:
+  id: "cis_alma_linux_9"
+  file: "cis_alma_linux_9.yml"
+  name: "CIS Benchmark for Alma Linux 9"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Alma Linux 9 systems running on x86 and x64 platforms. This document was tested against Alma Linux 9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Alma Linux platform."
+  description: "Requirements for running the policy against Alma Linux 9."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^AlmaLinux && r:release 9"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled. (Automated)
+
+  - id: 32500
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: "Run the following script to disable squashfs: #!/usr/bin/env bash { l_mname=\"squashfs\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/false|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*squashfs'
+
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled. (Automated)
+
+  - id: 32501
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: "Run the following script to disable the udf filesystem: #!/usr/bin/env bash { l_mname=\"udf\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/false|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+
+  - id: 32502
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 tmpfs /tmp 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+
+  - id: 32503
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:nodev'
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+
+  - id: 32504
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:noexec'
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+
+  - id: 32505
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s && r:nosuid'
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+
+  - id: 32506
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+
+  - id: 32507
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s && r:nodev'
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+
+  - id: 32508
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s && r:nosuid'
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+
+  - id: 32509
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+
+  - id: 32510
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:noexec'
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+
+  - id: 32511
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:nosuid'
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+
+  - id: 32512
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s && r:nodev'
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+
+  - id: 32513
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_techniques: ["T0005", "T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+
+  - id: 32514
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+
+  - id: 32515
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+
+  - id: 32516
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s && r:nosuid'
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+
+  - id: 32517
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+
+  - id: 32518
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:noexec'
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+
+  - id: 32519
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:nodev'
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+
+  - id: 32520
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s && r:nosuid'
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+
+  - id: 32521
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+
+  - id: 32522
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+
+  - id: 32523
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s && r:nosuid'
+
+  # 1.1.8.1 Ensure /dev/shm is a separate partition. (Automated)
+
+  - id: 32524
+    title: "Ensure /dev/shm is a separate partition."
+    description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
+    rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
+    impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /dev/shm defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 tmpfs."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+
+  # 1.1.8.2 Ensure nodev option set on /dev/shm partition. (Automated)
+
+  - id: 32525
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:nodev'
+
+  # 1.1.8.3 Ensure noexec option set on /dev/shm partition. (Automated)
+
+  - id: 32526
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:noexec'
+
+  # 1.1.8.4 Ensure nosuid option set on /dev/shm partition. (Automated)
+
+  - id: 32527
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s && r:nosuid'
+
+  # 1.1.9 Disable USB Storage. (Automated)
+
+  - id: 32528
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Run the following script to disable usb-storage: #!/usr/bin/env bash { l_mname=\"usb-storage\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$(tr '-' '_' <<< \"$l_mname\")\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+      - mitre_mitigations: ["M1034"]
+      - mitre_tactics: ["TA0001", "TA0010"]
+      - mitre_techniques: ["T1091"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:^install /bin/true"
+      - "not c:lsmod -> r:^usb-storage"
+
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+
+  - id: 32529
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^\s*gpgcheck\s*=\s*1'
+      - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  # 1.2.4 Ensure repo_gpgcheck is globally activated. (Manual) - Not Implemented
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+
+  - id: 32530
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1565", "T1565.001"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+
+  - id: 32531
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1036", "T1036.005"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:^enable"
+      - "c:systemctl is-enabled aidecheck.timer -> r:^enable"
+      - "c:systemctl status aidecheck.service -> r:active"
+
+  # 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+
+  - id: 32532
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: 'Add or update the following selection lines for "/etc/aide/aide.conf" to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512.'
+    compliance:
+      - cis: ["4.1.4.11"]
+      - cis_csc_v7: ["5.1"]
+      - cis_csc_v8: ["4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/aide/aide.conf"
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditctl\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditd\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/ausearch\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/aureport\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/autrace\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/augenrules\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+
+  - id: 32533
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password>."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1046"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*password'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+
+  - id: 32534
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:Access:\s*\(0700/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/grubenv -> r:Access:\s*\(0600/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/user.cfg -> r:Access:\s*\(0600/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+
+  - id: 32535
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+
+  - id: 32536
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+      - nist_sp_800-53: ["CM-6b"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+
+  - id: 32537
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+
+  - id: 32538
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove the selinux=0 and enforcing=0 parameters: grubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi)\"."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+
+  - id: 32539
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+
+  - id: 32540
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permisive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+
+  - id: 32541
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 32542
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+
+  - id: 32543
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa setroubleshoot -> r:^setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+
+  - id: 32544
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa mcstrans -> r:mcstrans"
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+
+  - id: 32545
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: all
+    rules:
+      - "not f:/etc/mod"
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+
+  - id: 32546
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: any
+    rules:
+      - "not f:/etc/issue"
+      - 'not f:/etc/issue -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+
+  - id: 32547
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+    condition: any
+    rules:
+      - "not f:/etc/issue.net"
+      - 'not f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|alma'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+
+  - id: 32548
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+
+  - id: 32549
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+
+  - id: 32550
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Automated)
+
+  - id: 32551
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "f:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+
+  - id: 32552
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Run the following script to verify that the banner message is enabled and set: #!/usr/bin/env bash { l_pkgoutput=\"\" if command -v dpkg-query > /dev/null 2>&1; then l_pq=\"dpkg-query -W\" elif command -v rpm > /dev/null 2>&1; then l_pq=\"rpm -q\" fi l_pcl=\"gdm gdm3\" # Space seporated list of packages to check for l_pn in $l_pcl; do $l_pq \"$l_pn\" > /dev/null 2>&1 && l_pkgoutput=\"$l_pkgoutput\\n - Package: \\\"$l_pn\\\" exists on the system\\n - checking configuration\" done if [ -n \"$l_pkgoutput\" ]; then l_gdmprofile=\"gdm\" # Set this to desired profile name IaW Local site policy l_bmessage=\"'Authorized uses only. All activity may be monitored and reported'\" # Set to desired banner message if [ ! -f \"/etc/dconf/profile/$l_gdmprofile\" ]; then echo \"Creating profile \\\"$l_gdmprofile\\\"\" echo -e \"user-db:user\\nsystem-db:$l_gdmprofile\\nfile- db:/usr/share/$l_gdmprofile/greeter-dconf-defaults\" > /etc/dconf/profile/$l_gdmprofile fi if [ ! -d \"/etc/dconf/db/$l_gdmprofile.d/\" ]; then echo \"Creating dconf database directory \\\"/etc/dconf/db/$l_gdmprofile.d/\\\"\" mkdir /etc/dconf/db/$l_gdmprofile.d/ fi if ! grep -Piq '^\\h*banner-message-enable\\h*=\\h*true\\b' /etc/dconf/db/$l_gdmprofile.d/*; then echo \"creating gdm keyfile for machine-wide settings\" if ! grep -Piq -- '^\\h*banner-message-enable\\h*=\\h*' /etc/dconf/db/$l_gdmprofile.d/*; then l_kfile=\"/etc/dconf/db/$l_gdmprofile.d/01-banner-message\" echo -e \"\\n[org/gnome/login-screen]\\nbanner-message-enable=true\" >> \"$l_kfile\" else l_kfile=\"$(grep -Pil -- '^\\h*banner-message-enable\\h*=\\h*' /etc/dconf/db/$l_gdmprofile.d/*)\" ! grep -Pq '^\\h*\\[org\\/gnome\\/login-screen\\]' \"$l_kfile\" && sed -ri '/^\\s*banner- message-enable/ i\\[org/gnome/login-screen]' \"$l_kfile\" ! grep -Pq '^\\h*banner-message-enable\\h*=\\h*true\\b' \"$l_kfile\" && sed -ri 's/^\\s*(banner-message-enable\\s*=\\s*)(\\S+)(\\s*.*$)/\\1true \\3//' \"$l_kfile\" # sed -ri '/^\\s*\\[org\\/gnome\\/login-screen\\]/ a\\\\nbanner-message-enable=true' \"$l_kfile\" fi fi if ! grep -Piq \"^\\h*banner-message-text=[\\'\\\"]+\\S+\" \"$l_kfile\"; then sed -ri \"/^\\s*banner-message-enable/ a\\banner-message-text=$l_bmessage\" \"$l_kfile\" fi dconf update else echo -e \"\\n\\n - GNOME Desktop Manager isn't installed\\n - Recommendation is Not Applicable\\n - No remediation required\\n\" fi } Note: - There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two column mode. - The banner message cannot be read from an external file. OR Run the following command to remove the gdm package: # dnf remove gdm."
+    references:
+      - "https://help.gnome.org/admin/system-admin-guide/stable/login-banner.html.en"
+    compliance:
+      - cis: ["1.8.2"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text='
+
+  # 1.8.3 Ensure GDM disable-user-list option is enabled. (Automated)
+
+  - id: 32553
+    title: "Ensure GDM disable-user-list option is enabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls if a list of users is displayed on the login screen."
+    rationale: "Displaying the user list eliminates half of the Userid/Password equation that an unauthorized person would need to log on."
+    remediation: "Run the following script to enable the disable-user-list option: Note: the l_gdm_profile variable in the script can be changed if a different profile name is desired in accordance with local site policy. #!/usr/bin/env bash { l_gdmprofile=\"gdm\" if [ ! -f \"/etc/dconf/profile/$l_gdmprofile\" ]; then echo \"Creating profile \\\"$l_gdmprofile\\\"\" echo -e \"user-db:user\\nsystem-db:$l_gdmprofile\\nfile- db:/usr/share/$l_gdmprofile/greeter-dconf-defaults\" > /etc/dconf/profile/$l_gdmprofile fi if [ ! -d \"/etc/dconf/db/$l_gdmprofile.d/\" ]; then echo \"Creating dconf database directory \\\"/etc/dconf/db/$l_gdmprofile.d/\\\"\" mkdir /etc/dconf/db/$l_gdmprofile.d/ fi if ! grep -Piq '^\\h*disable-user-list\\h*=\\h*true\\b' /etc/dconf/db/$l_gdmprofile.d/*; then echo \"creating gdm keyfile for machine-wide settings\" if ! grep -Piq -- '^\\h*\\[org\\/gnome\\/login-screen\\]' /etc/dconf/db/$l_gdmprofile.d/*; then echo -e \"\\n[org/gnome/login-screen]\\n# Do not show the user list\\ndisable-user-list=true\" >> /etc/dconf/db/$l_gdmprofile.d/00-login- screen else sed -ri '/^\\s*\\[org\\/gnome\\/login-screen\\]/ a\\# Do not show the user list\\ndisable-user-list=true' $(grep -Pil -- '^\\h*\\[org\\/gnome\\/login- screen\\]' /etc/dconf/db/$l_gdmprofile.d/*) fi fi dconf update } Note: When the user profile is created or changed, the user will need to log out and log in again before the changes will be applied. OR Run the following command to remove the GNOME package: # dnf remove gdm."
+    references:
+      - "https://help.gnome.org/admin/system-admin-guide/stable/login-userlist-disable.html.en"
+    compliance:
+      - cis: ["1.8.3"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1087", "T1087.001", "T1087.002"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text='
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:disable-user-list=true'
+
+  # 1.8.4 Ensure GDM screen locks when the user is idle. (Automated)
+
+  - id: 32554
+    title: "Ensure GDM screen locks when the user is idle."
+    description: "GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. - idle-delay=uint32 {n} - Number of seconds of inactivity before the screen goes blank - lock-delay=uint32 {n} - Number of seconds after the screen is blank before locking the screen Example key file: # Specify the dconf path [org/gnome/desktop/session] # Number of seconds of inactivity before the screen goes blank # Set to 0 seconds if you want to deactivate the screensaver. idle-delay=uint32 900 # Specify the dconf path [org/gnome/desktop/screensaver] # Number of seconds after the screen is blank before locking the screen lock-delay=uint32 5."
+    rationale: "Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended."
+    remediation: "Create or edit a file in the /etc/dconf/profile/ and verify it includes the following: user-db:user system-db:{NAME_OF_DCONF_DATABASE} Note: local is the name of a dconf database used in the examples. Example: # echo -e '\\nuser-db:user\\nsystem-db:local' >> /etc/dconf/profile/user Create the directory /etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/ if it doesn't already exist: Example: # mkdir /etc/dconf/db/local.d Create the key file `/etc/dconf/db/{NAME_OF_DCONF_DATABASE}.d/{FILE_NAME} to provide information for the {NAME_OF_DCONF_DATABASE} database: Example script: #!/usr/bin/env bash { l_key_file=\"/etc/dconf/db/local.d/00-screensaver\" l_idmv=\"900\" # Set max value for idle-delay in seconds (between 1 and 900) l_ldmv=\"5\" # Set max value for lock-delay in seconds (between 0 and 5) { echo '# Specify the dconf path' echo '[org/gnome/desktop/session]' echo '' echo '# Number of seconds of inactivity before the screen goes blank' echo '# Set to 0 seconds if you want to deactivate the screensaver.' echo \"idle-delay=uint32 $l_idmv\" echo '' echo '# Specify the dconf path' echo '[org/gnome/desktop/screensaver]' echo '' echo '# Number of seconds after the screen is blank before locking the screen' echo \"lock-delay=uint32 $l_ldmv\" } > \"$l_key_file\" } Note: You must include the uint32 along with the integer key values as shown. Run the following command to update the system databases: # dconf update Note: Users must log out and back in again before the system-wide settings take effect."
+    references:
+      - "https://help.gnome.org/admin/system-admin-guide/stable/desktop-lockscreen.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["15"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - mitre_tactics: ["TA0027"]
+      - mitre_techniques: ["T1461"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - 'd:/etc/dconf/db/local.d -> r:\.+ -> r:lock-delay=uint32'
+
+  # 1.8.5 Ensure GDM screen locks cannot be overridden. (Automated) - Not Implemented
+
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled. (Automated)
+
+  - id: 32555
+    title: "Ensure GDM automatic mounting of removable media is disabled."
+    description: "By default GNOME automatically mounts removable media when inserted as a convenience to the user."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Run the following script to disable automatic mounting of media for all GNOME users: #!/usr/bin/env bash { l_pkgoutput=\"\" l_gpname=\"local\" # Set to desired dconf profile name (default is local) # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\\n # determine system's package manager if command -v dpkg-query > /dev/null 2>&1; then l_pq=\"dpkg-query -W\" elif command -v rpm > /dev/null 2>&1; then l_pq=\"rpm -q\" fi # Check if GDM is installed l_pcl=\"gdm gdm3\" # Space seporated list of packages to check for l_pn in $l_pcl; do $l_pq \"$l_pn\" > /dev/null 2>&1 && l_pkgoutput=\"$l_pkgoutput\\n - Package: \\\"$l_pn\\\" exists on the system\\n - checking configuration\" done # Check configuration (If applicable) if [ -n \"$l_pkgoutput\" ]; then echo -e \"$l_pkgoutput\" # Look for existing settings and set variables if they exist l_kfile=\"$(grep -Prils -- '^\\h*automount\\b' /etc/dconf/db/*.d)\" l_kfile2=\"$(grep -Prils -- '^\\h*automount-open\\b' /etc/dconf/db/*.d)\" # Set profile name based on dconf db directory ({PROFILE_NAME}.d) if [ -f \"$l_kfile\" ]; then l_gpname=\"$(awk -F\\/ '{split($(NF-1),a,\".\");print a[1]}' <<< \"$l_kfile\")\" echo \" - updating dconf profile name to \\\"$l_gpname\\\"\" elif [ -f \"$l_kfile2\" ]; then l_gpname=\"$(awk -F\\/ '{split($(NF-1),a,\".\");print a[1]}' <<< \"$l_kfile2\")\" echo \" - updating dconf profile name to \\\"$l_gpname\\\"\" fi # check for consistency (Clean up configuration if needed) if [ -f \"$l_kfile\" ] && [ \"$(awk -F\\/ '{split($(NF-1),a,\".\");print a[1]}' <<< \"$l_kfile\")\" != \"$l_gpname\" ]; then sed -ri \"/^\\s*automount\\s*=/s/^/# /\" \"$l_kfile\" l_kfile=\"/etc/dconf/db/$l_gpname.d/00-media-automount\" fi if [ -f \"$l_kfile2\" ] && [ \"$(awk -F\\/ '{split($(NF-1),a,\".\");print a[1]}' <<< \"$l_kfile2\")\" != \"$l_gpname\" ]; then sed -ri \"/^\\s*automount-open\\s*=/s/^/# /\" \"$l_kfile2\" fi [ -z \"$l_kfile\" ] && l_kfile=\"/etc/dconf/db/$l_gpname.d/00-media- automount\" # Check if profile file exists if grep -Pq -- \"^\\h*system-db:$l_gpname\\b\" /etc/dconf/profile/*; then echo -e \"\\n - dconf database profile exists in: \\\"$(grep -Pl -- \"^\\h*system-db:$l_gpname\\b\" /etc/dconf/profile/*)\\\"\" else if [ ! -f \"/etc/dconf/profile/user\" ]; then l_gpfile=\"/etc/dconf/profile/user\" else l_gpfile=\"/etc/dconf/profile/user2\" fi echo -e \" - creating dconf database profile\" { echo -e \"\\nuser-db:user\" echo \"system-db:$l_gpname\" } >> \"$l_gpfile\" fi # create dconf directory if it doesn't exists l_gpdir=\"/etc/dconf/db/$l_gpname.d\" if [ -d \"$l_gpdir\" ]; then echo \" - The dconf database directory \\\"$l_gpdir\\\" exists\" else echo \" - creating dconf database directory \\\"$l_gpdir\\\"\" mkdir \"$l_gpdir\" fi # check automount-open setting if grep -Pqs -- '^\\h*automount-open\\h*=\\h*false\\b' \"$l_kfile\"; then echo \" - \\\"automount-open\\\" is set to false in: \\\"$l_kfile\\\"\" else echo \" - creating \\\"automount-open\\\" entry in \\\"$l_kfile\\\"\" ! grep -Psq -- '\\^\\h*\\[org\\/gnome\\/desktop\\/media-handling\\]\\b' \"$l_kfile\" && echo '[org/gnome/desktop/media-handling]' >> \"$l_kfile\" sed -ri '/^\\s*\\[org\\/gnome\\/desktop\\/media-handling\\]/a \\\\nautomount-open=false' \"$l_kfile\" fi # check automount setting if grep -Pqs -- '^\\h*automount\\h*=\\h*false\\b' \"$l_kfile\"; then echo \" - \\\"automount\\\" is set to false in: \\\"$l_kfile\\\"\" else echo \" - creating \\\"automount\\\" entry in \\\"$l_kfile\\\"\" ! grep -Psq -- '\\^\\h*\\[org\\/gnome\\/desktop\\/media-handling\\]\\b' \"$l_kfile\" && echo '[org/gnome/desktop/media-handling]' >> \"$l_kfile\" sed -ri '/^\\s*\\[org\\/gnome\\/desktop\\/media-handling\\]/a \\\\nautomount=false' \"$l_kfile\" fi # update dconf database dconf update else echo -e \"\\n - GNOME Desktop Manager package is not installed on the system\\n - Recommendation is not applicable\" fi } OR Run the following command to uninstall the GNOME desktop Manager package: # dnf remove gdm."
+    references:
+      - "https://access.redhat.com/solutions/20107"
+    compliance:
+      - cis: ["1.8.6"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0001", "TA0008"]
+      - mitre_techniques: ["T1091"]
+    condition: all
+    rules:
+      - "c:gsettings get org.gnome.desktop.media-handling automount -> r:^false"
+
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden. (Automated) - Not Implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled. (Automated) - Not Implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden. (Automated) - Not Implemented
+  # 1.8.10 Ensure XDCMP is not enabled. (Automated)
+  - id: 32556
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 32557
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update Once the update process is complete, verify if reboot is required to load changes. dnf needs-restarting -r."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_mitigations: ["M1051"]
+      - mitre_tactics: ["TA0004", "TA0008"]
+      - mitre_techniques: ["T1211"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 32558
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 32559
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 32560
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  # 2.2.1 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 32561
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 32562
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 32563
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 32564
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.5 Ensure DNS Server is not installed. (Automated)
+  - id: 32565
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.6 Ensure VSFTP Server is not installed. (Automated)
+  - id: 32566
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.7 Ensure TFTP Server is not installed. (Automated)
+  - id: 32567
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    impact: "TFTP is often used to provide files for network booting such as for PXE based installation of servers."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.8 Ensure a web server is not installed. (Automated)
+  - id: 32568
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.9 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 32569
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.10 Ensure Samba is not installed. (Automated)
+  - id: 32570
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.11 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 32571
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.12 Ensure net-snmp is not installed. (Automated)
+  - id: 32572
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.13 Ensure telnet-server is not installed. (Automated)
+  - id: 32573
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.14 Ensure dnsmasq is not installed. (Automated)
+  - id: 32574
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # dnf remove dnsmasq."
+    compliance:
+      - cis: ["2.2.14"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+    condition: all
+    rules:
+      - "c:rpm -q dnsmasq -> r:^package dnsmasq is not installed"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 32575
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 32576
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-utils package is required as a dependency, the nfs-server service should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-utils package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 32577
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1498", "T1498.002", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind -> r:masked|No such file or directory"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory"
+
+  # 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked. (Automated)
+  - id: 32578
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync-daemon package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync-daemon package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  # 2.3.1 Ensure telnet client is not installed. (Automated)
+  - id: 32579
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.2 Ensure LDAP client is not installed. (Automated)
+  - id: 32580
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.3 Ensure TFTP client is not installed. (Automated)
+  - id: 32581
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.3.4 Ensure FTP client is not installed. (Automated)
+  - id: 32582
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.4 Ensure nonessential services listening on the system are removed or masked. (Manual) - Not Implemented
+
+  # 3.1.1 Ensure IPv6 status is identified. (Manual) - Not Implemented
+
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  # 3.1.3 Ensure TIPC is disabled. (Automated)
+  - id: 32583
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Run the following script to disable tipc: #!/usr/bin/env bash { l_mname=\"tipc\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v7: ["9.2", "9.1"]
+      - iso_27001-2013: ["A.13.1.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1068", "T1210"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v tipc -> r:^install\s*\t*/bin/true'
+      - "not c:lsmod -> r:^tipc"
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  # 3.4.1.1 Ensure nftables is installed. (Automated)
+  - id: 32584
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.1.2 Ensure a single firewall configuration utility is in use. (Automated)
+  - id: 32585
+    title: "Ensure a single firewall configuration utility is in use."
+    description: "FirewallD - Is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed NFTables - Includes the nft utility for configuration of the nftables subsystem of the Linux kernel Note: firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct option."
+    rationale: "In order to configure firewall rules for nftables, a firewall utility needs to be installed and active of the system. The use of more than one firewall utility may produce unexpected results."
+    remediation: "Run the following script to ensure that a single firewall utility is in use on the system: #!/usr/bin/env bash { l_output=\"\" l_output2=\"\" l_fwd_status=\"\" l_nft_status=\"\" l_fwutil_status=\"\" # Determine FirewallD utility Status rpm -q firewalld > /dev/null 2>&1 && l_fwd_status=\"$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)\" # Determine NFTables utility Status rpm -q nftables > /dev/null 2>&1 && l_nft_status=\"$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)\" l_fwutil_status=\"$l_fwd_status:$l_nft_status\" case $l_fwutil_status in enabled:active:masked:inactive|enabled:active:disabled:inactive) echo -e \"\\n - FirewallD utility is in use, enabled and active\\n - NFTables utility is correctly disabled or masked and inactive\\n - no remediation required\" ;; masked:inactive:enabled:active|disabled:inactive:enabled:active) echo -e \"\\n - NFTables utility is in use, enabled and active\\n - FirewallD utility is correctly disabled or masked and inactive\\n - no remediation required\" ;; enabled:active:enabled:active) echo -e \"\\n - Both FirewallD and NFTables utilities are enabled and active\\n - stopping and masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables ;; enabled:*:enabled:*) echo -e \"\\n - Both FirewallD and NFTables utilities are enabled\\n - remediating\" if [ \"$(awk -F: '{print $2}' <<< \"$l_fwutil_status\")\" = \"active\" ] && [ \"$(awk -F: '{print $4}' <<< \"$l_fwutil_status\")\" = \"inactive\" ]; then echo \" - masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables elif [ \"$(awk -F: '{print $4}' <<< \"$l_fwutil_status\")\" = \"active\" ] && [ \"$(awk -F: '{print $2}' <<< \"$l_fwutil_status\")\" = \"inactive\" ]; then echo \" - masking FirewallD utility\" systemctl stop firewalld && systemctl --now mask firewalld fi ;; *:active:*:active) echo -e \"\\n - Both FirewallD and NFTables utilities are active\\n - remediating\" if [ \"$(awk -F: '{print $1}' <<< \"$l_fwutil_status\")\" = \"enabled\" ] && [ \"$(awk -F: '{print $3}' <<< \"$l_fwutil_status\")\" != \"enabled\" ]; then echo \" - stopping and masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables elif [ \"$(awk -F: '{print $3}' <<< \"$l_fwutil_status\")\" = \"enabled\" ] && [ \"$(awk -F: '{print $1}' <<< \"$l_fwutil_status\")\" != \"enabled\" ]; then echo \" - stopping and masking FirewallD utility\" systemctl stop firewalld && systemctl --now mask firewalld fi ;; :enabled:active) echo -e \"\\n - NFTables utility is in use, enabled, and active\\n - FirewallD package is not installed\\n - no remediation required\" ;; :) echo -e \"\\n - Neither FirewallD or NFTables is installed.\\n - remediating\\n - installing NFTables\" dnf -q install nftables ;; *:*:) echo -e \"\\n - NFTables package is not installed on the system\\n - remediating\\n - installing NFTables\" dnf -q install nftables ;; *) echo -e \"\\n - Unable to determine firewall state\" ;; esac }."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-"
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.2.1 Ensure firewalld default zone is set. (Automated) - Not Implemented
+
+  # 3.4.2.2 Ensure at least one nftables table exists. (Automated)
+  - id: 32586
+    title: "Ensure at least one nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "Without a table, nftables will not filter network traffic."
+    impact: "Adding or modifying firewall rules can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example if FirewallD is not in use on the system: # nft create table inet filter Note: FirewallD uses the table inet firewalld NFTables table that is created when FirewallD is installed."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+
+  # 3.4.2.3 Ensure nftables base chains exist. (Automated)
+  - id: 32587
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.4.2.4 Ensure host based firewall loopback traffic is configured. (Automated) - Not Implemented
+  # 3.4.2.5 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+  # 3.4.2.6 Ensure nftables established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.7 Ensure nftables default deny firewall policy. (Automated)
+  - id: 32588
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "If NFTables utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 32589
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 32590
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to update the grub2 configuration with audit=1: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.3 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 32591
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:\s*audit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.1.4 Ensure auditd service is enabled. (Automated)
+  - id: 32592
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 32593
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*='
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 32594
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 32595
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shut down the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 32596
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 32597
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 32598
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 32599
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 32600
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 32601
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-mounts.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1034"]
+      - mitre_tactics: ["TA0010"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 32602
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 32603
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 32604
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 32605
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 32606
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 32607
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 32608
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 32609
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 32610
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 32611
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2\" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'not d:/etc/audit/rules.d -> r:\.+.rules$ -> !r:\s*\t*-e 2$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 32612
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:/usr/sbin/augenrules && r:No change"
+
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive. (Automated) - Not Implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files. (Automated) - Not Implemented
+
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files. (Automated)
+  - id: 32613
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file\\s*=\\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:log_group\s*\t*= && !r:adm|root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive. (Automated) - Not Implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive. (Automated)
+  - id: 32614
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%n %a\" {} + -> r:\\w+ -> !r:000|040|200|400|600|240|440|640"
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root. (Automated)
+  - id: 32615
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.rules' -o -name '*.conf' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root. (Automated)
+  - id: 32616
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive. (Automated)
+  - id: 32617
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:\w+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 4.1.4.9 Ensure audit tools are owned by root. (Automated)
+  - id: 32618
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:root|\\s*'
+
+  # 4.1.4.10 Ensure audit tools belong to group root. (Automated)
+  - id: 32619
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755 && r:\s*\t*root\s*\t*root'
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 32620
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data enroute to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 32621
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1211", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 32622
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 32623
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has its own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+      - 'd:/etc/rsyslog.d/ -> r:\.+.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual) - Not Implemented
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 32624
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. New format module(load="imtcp") input(type="imtcp" port="514") -OR- Old format $ModLoad imtcp $InputTCPServerRun Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 32625
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:^systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 32626
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled systemd-journal-upload.service -> r:^\s*\t*enabled$'
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 32627
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 32628
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 32629
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress=yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 32630
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 32631
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership. (Automated)
+  - id: 32632
+    title: "Ensure all logfiles have appropriate permissions and ownership."
+    description: "Log files contain information from many services on the local system, or in the event of a centralized log server, others system's logs as well. In general log files are found in /var/log/, although application can be configured to store logs elsewhere. Should your application store its logs in another location, ensure to run the same test on that location."
+    rationale: "It is important that log files have the correct permissions to ensure that sensitive data is protected and that only the appropriate users / groups have access to them."
+    remediation: "Run the following script to update permissions and ownership on files in /var/log. Although the script is not destructive, ensure that the output of the audit procedure is captured in the event that the remediation causes issues. #!/usr/bin/env bash { echo -e \"\\n- Start remediation - logfiles have appropriate permissions and ownership\" UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) find /var/log -type f | while read -r fname; do bname=\"$(basename \"$fname\")\" fugname=\"$(stat -Lc \"%U %G\" \"$fname\")\" funame=\"$(awk '{print $1}' <<< \"$fugname\")\" fugroup=\"$(awk '{print $2}' <<< \"$fugname\")\" fuid=\"$(stat -Lc \"%u\" \"$fname\")\" fmode=\"$(stat -Lc \"%a\" \"$fname\")\" case \"$bname\" in lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp- *) ! grep -Pq -- '^\\h*[0,2,4,6][0,2,4,6][0,4]\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod ug-x,o-wx \"$fname\" ! grep -Pq -- '^\\h*root\\h*$' <<< \"$funame\" && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Pq -- '^\\h*(utmp|root)\\h*$' <<< \"$fugroup\" && echo -e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" ;; secure | auth.log | syslog | messages) ! grep -Pq -- '^\\h*[0,2,4,6][0,4]0\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod u-x,g-wx,o-rwx \"$fname\" ! grep -Pq -- '^\\h*(syslog|root)\\h*$' <<< \"$funame\" && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Pq -- '^\\h*(adm|root)\\h*$' <<< \"$fugroup\" && echo -e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" ;; SSSD | sssd) ! grep -Pq -- '^\\h*[0,2,4,6][0,2,4,6]0\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod ug-x,o-rwx \"$fname\" ! grep -Piq -- '^\\h*(SSSD|root)\\h*$' <<< \"$funame\" && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Piq -- '^\\h*(SSSD|root)\\h*$' <<< \"$fugroup\" && echo -e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" ;; gdm | gdm3) ! grep -Pq -- '^\\h*[0,2,4,6][0,2,4,6]0\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod ug-x,o-rwx ! grep -Pq -- '^\\h*root\\h*$' <<< \"$funame\" && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Pq -- '^\\h*(gdm3?|root)\\h*$' <<< \"$fugroup\" && echo -e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" ;; *.journal | *.journal~) ! grep -Pq -- '^\\h*[0,2,4,6][0,4]0\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod u-x,g-wx,o-rwx \"$fname\" ! grep -Pq -- '^\\h*root\\h*$' <<< \"$funame\" && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Pq -- '^\\h*(systemd-journal|root)\\h*$' <<< \"$fugroup\" && echo -e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" ;; *) ! grep -Pq -- '^\\h*[0,2,4,6][0,4]0\\h*$' <<< \"$fmode\" && echo -e \"- changing mode on \\\"$fname\\\"\" && chmod u-x,g-wx,o-rwx \"$fname\" if [ \"$fuid\" -ge \"$UID_MIN\" ] || ! grep -Pq -- '(adm|root|'\"$(id -gn \"$funame\")\"')' <<< \"$fugroup\"; then if [ -n \"$(awk -v grp=\"$fugroup\" -F: '$1==grp {print $4}' /etc/group)\" ] || ! grep -Pq '(syslog|root)' <<< \"$funame\"; then [ \"$fuid\" -ge \"$UID_MIN\" ] && echo -e \"- changing owner on \\\"$fname\\\"\" && chown root \"$fname\" ! grep -Pq -- '^\\h*(adm|root)\\h*$' <<< \"$fugroup\" && echo - e \"- changing group on \\\"$fname\\\"\" && chgrp root \"$fname\" fi fi ;; esac done echo -e \"- End remediation - logfiles have appropriate permissions and ownership\\n\" } Note: You may also need to change the configuration for your logging software or services for any logs that had incorrect permissions. If there are services that log to other locations, ensure that those log files have the appropriate permissions."
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +" -> r:\w+'
+
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 32633
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 32634
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to this file could provide unprivileged users with the ability to elevate their privileges. Read access to this file could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 32635
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 32636
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 32637
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 32638
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 32639
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:Access:\s*\(0\d00/\w\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 32640
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow: #!/usr/bin/env bash { if rpm -q cronie >/dev/null; then [ -e /etc/cron.deny ] && rm -f /etc/cron.deny [ ! -e /etc/cron.allow ] && touch /etc/cron.allow chown root:root /etc/cron.allow chmod u-x,go-rwx /etc/cron.allow else echo "cron is not installed on the system" fi } OR Run the following command to remove cron: # dnf remove cronie.'
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not f:/etc/cron.deny"
+      - 'c:stat /etc/cron.allow/ -> r:Access:\s*\t*\(0640/-rw-r-----\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 32641
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file mode for /etc/at.allow: #!/usr/bin/env bash { if rpm -q at >/dev/null; then [ -e /etc/at.deny ] && rm -f /etc/at.deny [ ! -e /etc/at.allow ] && touch /etc/at.allow chown root:root /etc/at.allow chmod u-x,go-rwx /etc/at.allow else echo "at is not installed on the system" fi } OR Run the following command to remove at: # dnf remove at.'
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/at.allow/ -> r:Access:\s*\t*\(0640/-rw-r-----\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2 Configure SSH Server
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 32642
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod u-x,go-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*root\)\s*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 32643
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set one or more of the parameters as follows: AllowUsers <userlist> -OR- AllowGroups <grouplist> -OR- DenyUsers <userlist> -OR- DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.* -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 32644
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LogLevel parameter as follows: LogLevel VERBOSE OR LogLevel INFO Run the following command to comment out any LogLevel parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than VERBOSE or INFO: # grep -Pi '^\\h*LogLevel\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)' | while read -r l_out; do sed -ri \"/^\\s*LogLevel\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - "c:sshd -T -> r:^loglevel VERBOSE|^loglevel INFO"
+      - "not f:/etc/ssh/sshd_config -> !r:^\\s*\\t*loglevel\\s*\\t*VERBOSE|^\\s*\\t*loglevel\\s*\\t*INFO"
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 32645
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd as a non-root user."
+    remediation: "Edit or create a file in the directory /etc/ssh/sshd_config.d/ ending in *.conf or the /etc/ssh/sshd_config file and set the parameter as follows: UsePAM yes Run the following command to comment out any UsePAM parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*UsePAM\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*UsePAM\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.6"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^usepam yes"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*UsePAM\\s*\\t*no"
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 32646
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitRootLogin parameter as follows: PermitRootLogin no Run the following command to comment out any PermitRootLogin parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitRootLogin\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitRootLogin\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permitrootlogin no"
+      - "f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitRootLogin\\s*\\t*no"
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 32647
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the HostbasedAuthentication parameter as follows: HostbasedAuthentication no Run the following command to comment out any HostbasedAuthentication parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*HostbasedAuthentication\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*HostbasedAuthentication\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^hostbasedauthentication no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*HostBasedAuthentication\\s*\\t*yes"
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 32648
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitEmptyPasswords parameter as follows: PermitEmptyPasswords no Run the following command to comment out any PermitEmptyPasswords parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitEmptyPasswords\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitEmptyPasswords\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permitemptypasswords no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitEmptyPasswords\\s*\\t*yes"
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 32649
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitUserEnvironment parameter as follows: PermitUserEnvironment no Run the following command to comment out any PermitUserEnvironment parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitUserEnvironment\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitUserEnvironment\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permituserenvironment no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitUserEnvironment\\s*\\t*yes"
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 32650
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter as follows: IgnoreRhosts yes Run the following command to comment out any IgnoreRhosts parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*IgnoreRhosts\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*IgnoreRhosts\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.11"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^ignorerhosts yes"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*IgnoreRhosts\\s*\\t*no"
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 32651
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the X11Forwarding parameter as follows: X11Forwarding no Run the following command to comment out any X11Forwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*X11Forwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*X11Forwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1210"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^x11forwarding no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*x11forwarding\\s*\\t*yes"
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 32652
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the AllowTcpForwarding parameter as follows: AllowTcpForwarding no Run the following command to comment out any AllowTcpForwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*AllowTcpForwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*AllowTcpForwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^allowtcpforwarding && r:no$"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*AllowTcpForwarding\\s*\\t*yes"
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 32653
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd /etc/ssh/sshd_config.d/*.conf # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> ^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 32654
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the Banner parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^banner && r:/etc/issue.net$"
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 32655
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows: MaxAuthTries 4 Run the following command to comment out any MaxAuthTries parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 4: # grep -Pi '^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*maxauthtries\\s+([5-9]|[1-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:sshd -T -> n:^maxauthtries\\s+(\\d+) compare <= 4"
+      - "not f:/etc/ssh/sshd_config -> n:^\\s*\\t*maxauthtries\\s+(\\d+) compare > 4"
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 32656
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxStartups parameter as follows: MaxStartups 10:30:60 Run the following command to comment out any MaxStartups parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10:30:60: # grep -Pi '^\\s*maxstartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0- 9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0- 9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxStartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0- 9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1- 9]|[7-9][0-9]|[1-9][0-9][0-9]+)))/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*(\d+):\d+:\d+ compare > 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*(\d+):\d+:\d+ compare == 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:(\d+):\d+ compare > 30'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:(\d+):\d+ compare == 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:\d+:(\d+) compare > 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:\d+:(\d+) compare == 0'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 32657
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxSessions parameter as follows: MaxSessions 10 Run the following command to comment out any MaxSessions parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10 # grep -Pi '^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.18"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:sshd -T -> n:^maxsessions\\s*\\t*(\\d+) compare <= 10"
+      - "not f:/etc/ssh/sshd_config -> n:^^\\s*\\t*MaxSessions\\s+(\\d+) compare > 10"
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 32658
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60 Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LoginGraceTime parameter as follows: LoginGraceTime 60 -or- LoginGraceTime 1m Run the following command to comment out any LoginGraceTime parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting equal to 0 or greater than 60 seconds: # grep -Pi '^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read - r l_out; do sed -ri \"/^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.19"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*logingracetime\s*(\d+) compare <= 60 && n:^logingracetime\s*(\d+) compare >= 1'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare > 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare == 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 32659
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below are only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not, and never had, intentionally the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus may no longer be abused to disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option on. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination. abled by TCPKeepAlive is spoofable."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the ClientAliveInterval and ClientAliveCountMax parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3 Edit files ending in *.conf in the /etc/ssh/sshd_config.d/ directory and the /etc/ssh/sshd_config file and remove occurrences of the ClientAliveInterval and ClientAliveCountMax parameters not in accordence with local site policy. Run the following command to comment out any ClientAliveCountMax parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include the setting of 0 \"disabled\": # grep -Pi '^\\h*ClientAliveCountMax\\h+0\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*ClientAliveCountMax\\s+0/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:sshd -T -> -> n:^clientaliveinterval\\s*\\t*(\\d+) compare > 0"
+      - "c:sshd -T -> -> n:^clientalivecountmax\\s*\\t*(\\d+) compare > 0"
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 32660
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dnf list sudo -> r:^sudo.x86_64"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 32661
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026", "M1038"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 32662
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files. Creation of additional log files can cause disk space exhaustion if not correctly managed. You should configure logrotate to manage the sudo log in accordance with your local policy."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 32663
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 32664
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 32665
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -V -> r:Authentication timestamp timeout:\s*\t*15.0 minutes'
+      - 'f:/etc/sudoers -> n:timestamp_timeout=(\d+) compare < 15 && n:timestamp_timeout=(\d+) compare != -1'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 32666
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual) - Not Implemented
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 32667
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 32668
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more Either of the following can be used to enforce complex passwords: - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.002", "T1110.003", "T1178.001", "T1178.002", "T1178.003", "T1178.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 32669
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be greater than 0 and no greater than 5. unlock_time should be 0 (never), or 900 seconds or greater. Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth'
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth && r:required && r:\s*\t*pam_faillock.so && r:\s*\t*authfail'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:fail_interval\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 32670
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*requisite|password\s*\t*sufficient && r:pam_pwhistory.so|pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt. (Automated)
+  - id: 32671
+    title: "Ensure password hashing algorithm is SHA-512 or yescrypt."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash { for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256|yescrypt)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' \"$file\" fi fi done authselect apply-changes } Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> r:\s*ENCRYPT_METHOD SHA512'
+      - 'f:/etc/libuser.conf -> r:\s*crypt_style = sha512'
+      - 'f:/etc/pam.d/password-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 32672
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:(\d+): compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 32673
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs: PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare < 7'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 32674
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:\d+:(\d+): compare < 7'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 32675
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'not f:/etc/shadow -> n:^\w+:\w+:\w+:\w+:\w+:\w+:(\d+): compare > 30'
+      - 'not f:/etc/shadow -> r:^\w+:\w+:\w+:\w+:\w+:\w+:-1:'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 32676
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && r:root:\w+:\w+:0:'
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+  # 5.6.6 Ensure root password is set. (Automated) - Not Implemented
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 32677
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 32678
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 32679
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 32680
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 32681
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:0 root 0 root && n:shadow (\d+) compare == 0'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 32682
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow-: # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:0 root 0 root && n:shadow- (\d+) compare == 0'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 32683
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow: # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:0 root 0 root && n:gshadow (\d+) compare == 0'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 32684
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow- -> r:0 root 0 root && n:gshadow- (\d+) compare == 0'
+
+  # 6.1.9 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.10 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit system file permissions. (Manual) - Not Implemented
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 32685
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 32686
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+
+  # 6.2.4 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 32687
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1548"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.10 Ensure local interactive user home directories exist. (Automated) - Not Implemented
+  # 6.2.11 Ensure local interactive users own their home directories. (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.13 Ensure no local interactive user has .netrc files. (Automated) - Not Implemented
+  # 6.2.14 Ensure no local interactive user has .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no local interactive user has .rhosts files. (Automated) - Not Implemented
+  # 6.2.16 Ensure local interactive user dot files are not group or world writable. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/amazon/cis_amazon_linux_1.yml b/etc/ruleset/sca/amazon/cis_amazon_linux_1.yml
new file mode 100644
index 0000000000..ebfd8d4cf3
--- /dev/null
+++ b/etc/ruleset/sca/amazon/cis_amazon_linux_1.yml
@@ -0,0 +1,3200 @@
+# Security Configuration Assessment
+# CIS Checks for Amazon Linux 1
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Amazon Linux v2.1.0 - 08-19-2020
+
+policy:
+  id: "cis_amazon_linux_1"
+  file: "cis_amazon_linux_1.yml"
+  name: "CIS Amazon Linux Benchmark v2.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Amazon Linux systems."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Amazon Linux version."
+  description: "Requirements for running the policy against Amazon Linux 1."
+  condition: any
+  rules:
+    - "f:/etc/system-release -> r:^Amazon Linux AMI release"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 cramfs: filesystem
+  - id: 20000
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 freevxfs: filesystem
+  - id: 20001
+    title: "Ensure mounting of freevxfs filesystems is disabled."
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true. Run the following command to unload the freevxfs module: rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:install /bin/true|Module freevxfs not found"
+      - "not c:lsmod -> r:freevxfs"
+
+  # 1.1.1.3 jffs2: filesystem
+  - id: 20002
+    title: "Ensure mounting of jffs2 filesystems is disabled."
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true. Run the following command to unload the jffs2 module: rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:install /bin/true|Module jffs2 not found"
+      - "not c:lsmod -> r:jffs2"
+
+  # 1.1.1.4 hfs: filesystem
+  - id: 20003
+    title: "Ensure mounting of hfs filesystems is disabled."
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true. Run the following command to unload the hfs module: rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:install /bin/true|Module hfs not found"
+      - "not c:lsmod -> r:hfs"
+
+  # 1.1.1.5 hfsplus: filesystem
+  - id: 20004
+    title: "Ensure mounting of hfsplus filesystems is disabled."
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true. Run the following command to unload the hfsplus module: rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:install /bin/true|Module hfsplus not found"
+      - "not c:lsmod -> r:hfsplus"
+
+  # 1.1.1.6 squashfs: filesystem
+  - id: 20005
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.7 udfs: filesystem
+  - id: 20006
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true. Run the following command to unload the udf module: rmmod udf"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.1.8 FAT: filesystem
+  - id: 20007
+    title: "Ensure mounting of FAT filesystems is disabled."
+    description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install vfat /bin/true. Run the following command to unload the vfat module: rmmod vfat"
+    compliance:
+      - cis: ["1.1.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v vfat -> r:install /bin/true|Module vfat not found"
+      - "not c:lsmod -> r:vfat"
+
+  # 1.1.2 /tmp: partition
+  - id: 20008
+    title: "Ensure separate partition exists for /tmp."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  # 1.1.3 /tmp: nodev
+  - id: 20009
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstabfile and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp:# mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.4 /tmp: nosuid
+  - id: 20010
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.5 /tmp: noexec
+  - id: 20011
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.6 Build considerations - Partition scheme.
+  - id: 20012
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.7 bind mount /var/tmp to /tmp
+  - id: 20013
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.8 nodev set on /var/tmp
+  - id: 20014
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  # 1.1.9 nosuid set on /var/tmp
+  - id: 20015
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  # 1.1.10 noexec set on /var/tmp
+  - id: 20016
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  # 1.1.11 /var/log: partition
+  - id: 20017
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data ."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.12 /var/log/audit: partition
+  - id: 20018
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.13 /home: partition
+  - id: 20019
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.14 /home: nodev
+  - id: 20020
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nodev
+  - id: 20021
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.16 /dev/shm: nosuid
+  - id: 20022
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.17 /dev/shm: noexec
+  - id: 20023
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  # 1.1.19 Disable Automounting
+  - id: 20024
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: # chkconfig autofs off"
+    compliance:
+      - cis: ["1.1.19"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list autofs -> r:^\s*\t*autofs\.*on'
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.3 Activate gpgcheck
+  - id: 20025
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:^gpgcheck=1"
+      - "not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck=0"
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 install AIDE
+  - id: 20026
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install aide: yum install aide // Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references: "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 AIDE regular checks
+  - id: 20027
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: crontab -u root -e // Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check  // Notes: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.  "
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:crontab -u root -l -> r:aide"
+      - "c:grep -r aide /etc/cron.* /etc/crontab -> r:aide"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+  # 1.4.1 Configure bootloader
+  - id: 20028
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub/menu.lst and linked as /boot/grub/grub.conf and /etc/grub.conf ."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/menu.lst # chmod og-rwx /boot/grub/menu.lst"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/menu.lst -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.2 Single user authentication
+  - id: 20029
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin':  SINGLE=/sbin/sulogin"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:SINGLE\s*=\s*/sbin/sulogin'
+
+  # 1.4.3 Ensure interactive boot is not enabled (Scored)
+  - id: 20030
+    title: "Ensure interactive boot is not enabled."
+    description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot . "
+    rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings. "
+    remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:PROMPT\s*=\s*no'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Restrict Core Dumps (Scored)
+  - id: 20031
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 XD/NX enabled
+  - id: 20032
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:dmesg -> r:NX \(Execute Disable\) protection: active'
+
+  # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 20033
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.5.4 Disable prelink
+  - id: 20034
+    title: "Ensure prelink is disabled."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> package prelink is not installed"
+
+  ###############################################
+  # 1.6 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 SELinux not disabled
+  - id: 20035
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: "Edit /boot/grub/menu.lst and remove all instances of selinux=0 and enforcing=0 on all kernel lines"
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/menu.lst -> r:^\s*\t*kernel\.*selinux=0|^\s*\t*kernel\.*enforcing=0'
+
+  # 1.6.1.2 Set selinux state
+  - id: 20036
+    title: "Ensure the SELinux state is enforcing."
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing'
+      - 'f:/etc/selinux/config -> r:^SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.3 Set selinux policy
+  - id: 20037
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Policy from config file:\s+targeted|^Policy from config file:\s+mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Remove SETroubleshoot
+  - id: 20038
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.5 Disable MCS Translation service mcstrans
+  - id: 20039
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  # 1.6.1.6 Ensure no unconfined daemons exist
+  - id: 20040
+    title: "Ensure no unconfined daemons exist."
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+
+  # 1.6.2 Install SELinux
+  - id: 20041
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install libselinux: yum install libselinux"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:rpm -q libselinux -> r:libselinux-\S+'
+
+  ###############################################
+  # 1.7  Warning Banners
+  ###############################################
+  # 1.7.1.1 Configure message of the day (Scored)
+  - id: 20042
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.2 Configure local login warning banner (Not Scored)
+  - id: 20043
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.3 Configure remote login warning banner (Not Scored)
+  - id: 20044
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.4 Configure /etc/motd permissions (Not Scored)
+  - id: 20045
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.1.5 Configure /etc/issue permissions (Scored)
+  - id: 20046
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.1.6 Configure /etc/issue.net permissions (Not Scored)
+  - id: 20047
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8 Ensure updates, patches, and additional security software are installed (Not Scored)
+  - id: 20048
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Site policy may mandate a testing period before install onto production systems for available updates. The audit and remediation here only cover security updates. Non-security updates can be audited with and comparing against site policy: # yum check-update"
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: all
+    rules:
+      - "c:yum check-update --security -> r:No packages needed for security"
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 inetd Services
+  ###############################################
+  # 2.1.1 Disable chargen services (Scored)
+
+  - id: 20049
+    title: "Ensure chargen services are not enabled."
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list chargen-dgram -> r:^\s*\t*chargen-dgram:\s*\t*on'
+      - 'c:chkconfig --list chargen-stream ->  r:^\s*\t*chargen-stream:\s*\t*on'
+
+  # 2.1.2 Disable daytime services (Scored)
+  - id: 20050
+    title: "Ensure daytime services are not enabled."
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list daytime-dgram -> r:^\s*\t*daytime-dgram:\s*\t*on'
+      - 'c:chkconfig --list daytime-stream -> r:^\s*\t*daytime-stream:\s*\t*on'
+
+  # 2.1.3 Disable discard services (Scored)
+  - id: 20051
+    title: "Ensure discard services are not enabled."
+    description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list discard-dgram -> r:^\s*\t*discard-dgram:\s*\t*on'
+      - 'c:chkconfig --list discard-stream -> r:^\s*\t*discard-stream:\s*\t*on'
+
+  # 2.1.4 Disable echo-dgram (Scored)
+  - id: 20052
+    title: "Ensure echo services are not enabled."
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list echo-dgram -> r:^\s*\t*echo-dgram:\s*\t*on'
+      - 'c:chkconfig --list echo-stream -> r:^\s*\t*echo-stream:\s*\t*on'
+
+  # 2.1.5 Disable time-stream (Scored)
+  - id: 20053
+    title: "Ensure time services are not enabled."
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list time-dgram -> r:^\s*\t*time-dgram:\s*\t*on'
+      - 'c:chkconfig --list time-stream -> r:^\s*\t*time-stream:\s*\t*on'
+
+  # 2.1.6 Remove rsh-server (Scored)
+  - id: 20054
+    title: "Ensure rsh server is not enabled."
+    description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Run the following commands to disable rsh, rlogin, and rexec: # chkconfig rsh off   # chkconfig rlogin off  # chkconfig rexec off"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rexec -> r:^\s*\t*rexec:\s*\t*on'
+      - 'c:chkconfig --list rlogin -> r:^\s*\t*rlogin:\s*\t*on'
+      - 'c:chkconfig --list rsh -> r:^\s*\t*rsh:\s*\t*on'
+
+  # 2.1.7 Remove talk server (Scored)
+  - id: 20055
+    title: "Ensure talk server is not enabled."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable talk: # chkconfig talk off"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list talk -> r:^\s*\t*talk:\s*\t*on'
+
+  # 2.1.8 Remove telnet-server (Scored)
+  - id: 20056
+    title: "Ensure telnet server is not enabled."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list telnet -> r:^\s*\t*telnet:\s*\t*on'
+
+  # 2.1.9 Ensure tftp server is not enabled (Scored)
+  - id: 20057
+    title: "Ensure tftp server is not enabled."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Run the following command to disable tftp: # chkconfig tftp off"
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list tftp -> r:^\s*\t*tftp:\s*\t*on'
+
+  # 2.1.10 Remove rsync service (Scored)
+  - id: 20058
+    title: "Ensure rsync service is not enabled."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # chkconfig rsyncd off"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rsync -> r:^\s*\t*rsync:\s*\t*on'
+
+  # 2.1.11 Remove xinetd (Scored)
+  - id: 20059
+    title: "Ensure xinetd is not enabled."
+    description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Run the following command to disable xinetd: # chkconfig xinetd off"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list xinetd -> r:^\s*\t*xinetd\.*on'
+
+  ##############################################
+  # 2.2 Remove Legacy Services
+  ###############################################
+
+  # 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+  - id: 20060
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available run the following commands and verify either ntp or chrony is installed: # rpm -q ntp # rpm -q chrony  On virtual systems where host based time synchronization is available consult your virtualization software documentation and verify that host based synchronization is in use."
+    compliance:
+      - cis: ["2.2.2.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q ntp -> r:^package ntp is not installed"
+      - "not c:rpm -q chrony -> r:^package chrony is not installed"
+
+  # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored)
+  - id: 20061
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>. 3) Add or edit the daemonline in/etc/init.d/ntpd to include ' -u ntp:ntp ': daemon $prog -u ntp:ntp -p /var/run/ntpd.pid $OPTIONS"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntpd -> r:daemon\s*=\s* && r:-u ntp:ntp'
+
+  # 2.2.1.3 Configure Network Time Protocol (Chrony) (Scored)
+  - id: 20062
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.2.2 Remove X Windows (Scored)
+  - id: 20063
+    title: "Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11* -> r:^xorg-x11"
+
+  # 2.2.3 Disable Avahi Server (Scored)
+  - id: 20064
+    title: "Ensure Avahi Server is not enabled."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon: # chkconfig avahi-daemon off"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list avahi-daemon -> r:^\s*\t*avahi-daemon\.*on'
+
+  # 2.2.4 Ensure CUPS is not enabled (Scored)
+  - id: 20065
+    title: "Ensure CUPS is not enabled."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups : # chkconfig cups off"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list cups -> r:^\s*\t*cups\.*on'
+
+  # 2.2.5 Remove DHCP Server (Scored)
+  - id: 20066
+    title: "Ensure DHCP Server is not enabled."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dhcpd: # chkconfig dhcpd off"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
+    condition: none
+    rules:
+      - 'c:chkconfig --list dhcpd -> r:^\s*\t*dhcpd\.*on'
+
+  # 2.2.6 Remove LDAP Server (Scored)
+  - id: 20067
+    title: "Ensure LDAP Server is not enabled."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # chkconfig slapd off"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on OpenLDAP is available at https://www.openldap.org
+    condition: none
+    rules:
+      - 'c:chkconfig --list slapd -> r:^\s*\t*slapd\.*on'
+
+  # 2.2.7 Disable NFS and RPC (Scored)
+  - id: 20068
+    title: "Ensure NFS and RPC are not enabled."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # chkconfig nfs off; # chkconfig rpcbind off"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list nfs -> r:^\s*\t*nfs\.*on'
+      - 'c:chkconfig --list rpcbind -> r:^\s*\t*rpcbind\.*on'
+
+  # 2.2.8 Ensure DNS Server is not enabled (Scored)
+  - id: 20069
+    title: "Ensure DNS Server is not enabled."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named : # chkconfig named off"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list named -> r:^\s*\t*named\.*on'
+
+  # 2.2.9 Remove FTP Server (Scored)
+  - id: 20070
+    title: "Ensure FTP Server is not enabled."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list vsftpd -> r:^\s*\t*vsftpd\.*on'
+
+  # 2.2.10 Remove HTTP Server (Scored)
+  - id: 20071
+    title: "Ensure HTTP server is not enabled."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable httpd: # chkconfig httpd off"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list httpd -> r:^\s*\t*httpd\.*on'
+
+  # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
+  - id: 20072
+    title: "Ensure IMAP and POP3 server is not enabled."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list dovecot -> r:^\s*\t*dovecot\.*on'
+
+  # 2.2.12 Remove Samba (Scored)
+  - id: 20073
+    title: "Ensure Samba is not enabled."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable smb: # chkconfig smb off"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list smb -> r:^\s*\t*smb\.*on'
+
+  # 2.2.13 Remove HTTP Proxy Server (Scored)
+  - id: 20074
+    title: "Ensure HTTP Proxy Server is not enabled."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # chkconfig squid off"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list squid -> r:^\s*\t*squid\.*on'
+
+  # 2.2.14 Remove SNMP Server (Not Scored)
+  - id: 20075
+    title: "Ensure SNMP Server is not enabled."
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list snmpd -> r:^\s*\t*snmpd\.*on'
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored)
+  - id: 20076
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Restart postfix: # service postfix restart"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.+LISTEN'
+
+  # 2.2.16 Remove NIS Server (Scored)
+  - id: 20077
+    title: "Ensure NIS Server is not enabled."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list ypserv -> r:^\s*\t*ypserv\.*on'
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+  # 2.3.1 Remove NIS Client (Scored)
+  - id: 20078
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed (Scored)
+  - id: 20079
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Run the following command to uninstall rsh : # yum remove rsh"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed (Scored)
+  - id: 20080
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk : # yum remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed (Scored)
+  - id: 20081
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet : # yum remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed (Scored)
+  - id: 20082
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # yum remove openldap-clients"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> package openldap-clients is not installed"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 3.1.1 Disable IP Forwarding (Scored)
+  - id: 20083
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  # 3.1.2 Disable Send Packet Redirects (Scored)
+  - id: 20084
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 3.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 20085
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 20086
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 20087
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.2.4 Log Suspicious Packets (Scored)
+  - id: 20088
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 20089
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 20090
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
+  - id: 20091
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 20092
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  ###############################################
+  # 3.3 IPv6
+  ###############################################
+  # 3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored)
+  - id: 20093
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 and net.ipv6.conf.default.accept_ra = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0'
+
+  # 3.3.2 Ensure IPv6 redirects are not accepted (Not Scored)
+  - id: 20094
+    title: "Ensure IPv6 redirects are not accepted."
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0  || net.ipv6.conf.default.accept_redirects = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0'
+
+  # 3.3.3 Ensure IPv6 is disabled (Not Scored)
+  - id: 20095
+    title: "Ensure IPv6 is disabled."
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: "Edit /boot/grub/grub.conf to include ipv6.disable=1 on all kernel lines."
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel && !r:ipv6.disable=1'
+
+  ###############################################
+  # 3.4 TCP Wrappers
+  ###############################################
+  # 3.4.1 Ensure TCP Wrappers is installed (Scored)
+  - id: 20096
+    title: "Ensure TCP Wrappers is installed."
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Run the following command to install tcp_wrappers: yum install tcp_wrappers"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:rpm -q tcp_wrappers -> r:^tcp_wrappers-"
+      - "c:rpm -q tcp_wrappers-libs -> r:^tcp_wrappers-libs-"
+
+  # 3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+  - id: 20097
+    title: "Ensure /etc/hosts.deny is configured."
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: "Run the following command to create /etc/hosts.deny: echo 'ALL: ALL' >> /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'f:/etc/hosts.deny -> r:^ALL\s*:\s*ALL'
+
+  # 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
+  - id: 20098
+    title: "Ensure permissions on /etc/hosts.allow are configured.."
+    description: "The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow : chown root:root /etc/hosts.allow and chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)'
+
+  # 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)
+  - id: 20099
+    title: "Ensure permissions on /etc/hosts.deny are configured.."
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : chown root:root /etc/hosts.deny and chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 3.5 Uncommon Network Protocols
+  ###############################################
+  # 3.5.1 Ensure DCCP is disabled (Not Scored)
+  - id: 20100
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v dccp -> r:install /bin/true"
+      - "not c:lsmod -> r:dccp"
+
+  # 3.5.2 Ensure SCTP is disabled (Not Scored)
+  - id: 20101
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v sctp -> r:install /bin/true"
+      - "not c:lsmod -> r:sctp"
+
+  # 3.5.3 Ensure RDS is disabled (Not Scored)
+  - id: 20102
+    title: "Ensure RDS is disabled."
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v rds -> r:install /bin/true"
+      - "not c:lsmod -> r:rds"
+
+  # 3.5.4 Ensure TIPC is disabled (Not Scored)
+  - id: 20103
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v tipc -> r:install /bin/true"
+      - "not c:lsmod -> r:tipc"
+
+  ###############################################
+  # 3.6 Firewall Configuration
+  ###############################################
+  # 3.6.1 Ensure iptables is installed (Scored)
+  - id: 20104
+    title: "Ensure iptables is installed."
+    description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables ."
+    rationale: "iptables is required for firewall management and configuration."
+    remediation: "Run the following command to install iptables : yum install iptables"
+    compliance:
+      - cis: ["3.6.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.1"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:iptables-"
+
+  # 3.6.2 Ensure default deny firewall policy (Scored)
+  - id: 20105
+    title: "Ensure default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: iptables -P INPUT DROP; iptables -P OUTPUT DROP and iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.6.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.6.3 Ensure loopback traffic is configured (Scored)
+  - id: 20106
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.6.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+  ###############################################
+  # 4.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure audit log storage size is configured (Not Scored)
+  - id: 20107
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file\s*=\s*\d+'
+
+  # 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+  - id: 20108
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email   action_mail_acct = root   admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^admin_space_left_action\s*=\s*halt'
+
+  # 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+  - id: 20109
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2 Ensure auditd service is enabled (Scored)
+  - id: 20110
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd : # chkconfig auditd on"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list auditd -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+  - id: 20111
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: "Edit /boot/grub/menu.lst to include audit=1 on all kernel lines. Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/menu.lst -> r:^\s*\t*kernel && !r:audit=1'
+
+  # 4.1.4 Ensure events that modify date and time information are collected (Scored)
+  - id: 20112
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change   -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b64 -S clock_settime -k time-change   -a always,exit -Farch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/localtime && r:-p wa && r:-k time-change"
+
+  # 4.1.5 Ensure events that modify user/group information are collected (Scored)
+  - id: 20113
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:    -w /etc/group -p wa -k identity    -w /etc/passwd -p wa -k identity    -w /etc/gshadow -p wa -k identity    -w /etc/shadow -p wa -k identity    -w /etc/security/opasswd -p wa -k identity"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/security/opasswd && r:-p wa && r:-k identity"
+
+  # 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+  - id: 20114
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations)."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale        For 64 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale"
+
+  # 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
+  - id: 20115
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/selinux/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:-w /usr/share/selinux/ && r:-p wa && r:-k MAC-policy"
+
+  # 4.1.8 Ensure login and logout events are collected (Scored)
+  - id: 20116
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/failock directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:  -w /var/log/lastlog -p wa -k logins   -w /var/run/faillock/ -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/faillock/ && r:-p wa && r:-k logins"
+
+  # 4.1.9 Ensure session initiation information is collected (Scored)
+  - id: 20117
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:   -w /var/run/utmp -p wa -k session   -w /var/log/wtmp -p wa -k logins   -w /var/log/btmp -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.3"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins"
+
+  # 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+  - id: 20118
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrem"
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  # 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+  - id: 20119
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated  with system calls that control creation ( creat ), opening ( open , openat ) and truncation (  truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-  privileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the  system call returned EACCES (permission denied to the file) or EPERM (some other  permanent error associated with the specific system call). All audit records will be tagged  with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access"
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+
+  # 4.1.13 Ensure successful file system mounts are collected (Scored)
+  - id: 20120
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts"
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k mounts"
+
+  # 4.1.14 Ensure file deletion events by users are collected (Scored)
+  - id: 20121
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete"
+    compliance:
+      - cis: ["4.1.14"]
+      - pci_dss: ["10.5.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k delete"
+
+  # 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+  - id: 20122
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /etc/sudoers -p wa -k scope   -w /etc/sudoers.d/ -p wa -k scope"
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  # 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+  - id: 20123
+    title: "Ensure system administrator actions (sudolog) are collected."
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1", "5.5"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/sudo.log && r:-p wa && r:-k actions"
+
+  # 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+  - id: 20124
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules"
+      - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.18 Ensure the audit configuration is immutable (Scored)
+  - id: 20125
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file.   -e 2"
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["3", "6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:tail -1 /etc/audit/audit.rules -> r:^-e 2"
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog Service is enabled (Scored)
+  - id: 20126
+    title: "Ensure rsyslog Service is enabled."
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lackblogging instead."
+    remediation: "Run the following command to enable rsyslog :   # chkconfig rsyslog on"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list rsyslog -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 20127
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored)
+  - id: 20128
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host).   *.* @@loghost.example.com   Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep *.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf -> !r:# && r:*.* @@\.+'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 20129
+    title: "Ensure syslog-ng service is enabled."
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable syslog-ng :   # chkconfig syslog-ng on"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list syslog-ng -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 20130
+    title: "Ensure syslog-ng default file permissions configured."
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(0600\)|perm\(0640\)|perm\(0440\)|perm\(0400\)|perm\(0000\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 20131
+    title: "Ensure syslog-ng is configured to send logs to a remote log host."
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 20132
+    title: "Ensure rsyslog or syslog-ng is installed."
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands:   # yum install rsyslog   # yum install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q rsyslog -> package rsyslog is not installed"
+      - "not c:rpm -q syslog-ng -> package syslog-ng is not installed"
+
+  # 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+  - id: 20133
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitivebdata is archived and protected."
+    remediation: "Run the following command to set permissions on all existing log files: # find /var/log -type f -exec chmod g-wx,o-rwx {} +"
+    compliance:
+      - cis: ["4.2.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  ###############################################
+  # 5 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled (Scored)
+  - id: 20134
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron : # chkconfig crond on"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:chkconfig --list crond -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 20135
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 20136
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 20137
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 20138
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 20139
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0\w00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 20140
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+  - id: 20141
+    title: "Ensure at/cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:stat /etc/cron.deny -> r:No such file or directory$"
+      - "c:stat /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+  - id: 20142
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: chown root:root /etc/ssh/sshd_config and chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Set SSH Protocol to 2 (Scored)
+  - id: 20143
+    title: "Ensure SSH Protocol is set to 2."
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
+
+  # 5.2.3 Set LogLevel to INFO (Scored)
+  - id: 20144
+    title: "Ensure SSH LogLevel is set to INFO."
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
+
+  # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 20145
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 20146
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 20147
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.2.8 Disable SSH Root Login (Scored)
+  - id: 20148
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
+
+  # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 20149
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+  - id: 20150
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitUserEnvironment\s*\t*no'
+
+  # 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+  - id: 20151
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 and ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 300'
+      - 'f:$sshd_file -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 20152
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.13"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60'
+
+  # 5.2.14 Ensure SSH access is limited (Scored)
+  - id: 20153
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. DenyUsers The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>; AllowGroups <grouplist>; DenyUsers <userlist> and DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1", "5.8"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:$sshd_file -> r:^\s*AllowUsers'
+      - 'f:$sshd_file -> r:^\s*AllowGroups'
+      - 'f:$sshd_file -> r:^\s*DenyUsers'
+      - 'f:$sshd_file -> r:^\s*DenyGroups'
+
+  # 5.2.15 Ensure SSH warning banner is configured (Scored)
+  - id: 20154
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  ###############################################
+  # 5.3 Configure PAM
+  ###############################################
+  # 5.3.1 Ensure password creation requirements are configured (Scored)
+  - id: 20155
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:grep pam_pwquality.so /etc/pam.d/password-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'c:grep pam_pwquality.so /etc/pam.d/system-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> n:dcredit\s*\t*=\s*\t*(\d+) compare = -1'
+      - 'f:/etc/security/pwquality.conf -> n:lcredit\s*\t*=\s*\t*(\d+) compare = -1'
+      - 'f:/etc/security/pwquality.conf -> n:ocredit\s*\t*=\s*\t*(\d+) compare = -1'
+      - 'f:/etc/security/pwquality.conf -> n:ucredit\s*\t*=\s*\t*(\d+) compare = -1'
+
+  # 5.3.3 Ensure password reuse is limited (Scored)
+  - id: 20156
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5   or    password required pam_pwhistory.so remember=5"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 20157
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown: password sufficient pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+
+  ###############################################
+  # 5.4 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.4.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
+  - id: 20158
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 90 and modify user parameters for all users with a password set to match: chage --maxdays 90 <user>"
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+  - id: 20159
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 and modify user parameters for all users with a password set to match: chage --mindays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+  - id: 20160
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 and modify user parameters for all users with a password set to match: chage --warndays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+  - id: 20161
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: useradd -D -f 30 and modify user parameters for all users with a password set to match: chage --inactive 30 <user>"
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+  - id: 20162
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 20163
+    title: "Ensure default user umask is 027 or more restrictive."
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 20164
+    title: "Ensure default user shell timeout is 900 seconds or less."
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.6 Ensure access to the su command is restricted (Scored)
+  - id: 20165
+    title: "Ensure access to the su command is restricted.."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su ."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.2 Configure /etc/passwd permissions (Scored)
+  - id: 20166
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.44"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Configure /etc/shadow permissions (Scored)
+  - id: 20167
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 000 /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Configure /etc/group permissions (Scored)
+  - id: 20168
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Configure /etc/gshadow permissions (Scored)
+  - id: 20169
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following command to set permissions on /etc/gshadow: # chown root:root /etc/gshadow # chmod 000 /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Configure /etc/passwd- permissions (Scored)
+  - id: 20170
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Configure /etc/shadow- permissions (Scored)
+  - id: 20171
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/shadow-: # chown root:root /etc/shadow- # chmod 000 /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Configure /etc/group- permissions (Scored)
+  - id: 20172
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Configure /etc/gshadow- permissions (Scored)
+  - id: 20173
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 000 /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+  # 6.2.1 Check passwords fields (Scored)
+  - id: 20174
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: passwd -l <username> || Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Delete legacy entries in /etc/passwd (Scored)
+  - id: 20175
+    title: "Ensure no legacy + entries exist in /etc/passwd."
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 6.2.3 Delete legacy entries in /etc/shadow (Scored)
+  - id: 20176
+    title: "Ensure no legacy + entries exist in /etc/shadow."
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 6.2.4 Delete legacy entries in /etc/group (Scored)
+  - id: 20177
+    title: "Ensure no legacy + entries exist in /etc/group."
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 20178
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/etc/ruleset/sca/amazon/cis_amazon_linux_2.yml b/etc/ruleset/sca/amazon/cis_amazon_linux_2.yml
new file mode 100644
index 0000000000..3f02c7e1ae
--- /dev/null
+++ b/etc/ruleset/sca/amazon/cis_amazon_linux_2.yml
@@ -0,0 +1,3391 @@
+# Security Configuration Assessment
+# CIS Checks for Amazon Linux 2
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Amazon Linux 2 Benchmark v2.0.0 - 07-28-2021
+
+policy:
+  id: "cis_amazon_linux_2"
+  file: "cis_amazon_linux_2.yml"
+  name: "CIS Amazon Linux 2 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Amazon Linux 2 systems."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Amazon Linux platform."
+  description: "Requirements for running the policy against Amazon Linux 2."
+  condition: any
+  rules:
+    - "f:/etc/system-release -> r:^Amazon && r:release 2"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled.
+  - id: 20500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/directory ending in .conf. Example: vim /etc/modprobe.d/cramfs.confand add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled.
+  - id: 20501
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled..
+  - id: 20502
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true. Run the following command to unload the udf module: rmmod udf"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Ensure /tmp is configured.
+  - id: 20503
+    title: "Ensure /tmp is configured."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexecoption on the mount, making /tmpuseless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuidprogram and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    remediation: "Create or update an entry for /tmp in either /etc/fstab  OR   in a systemd tmp.mount file:  If /etc/fstab is used:  Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs     defaults,rw,nosuid,nodev,noexec,relatime  0 0         Run the following command to remount /tmp:  # mount -o remount,noexec,nodev,nosuid /tmp        OR        If systemd tmp.mount file is used:    Run the following command to create the file /etc/systemd/system/tmp.mount if it doesn't exist:                 # [ ! -f /etc/systemd/system/tmp.mount ] && cp -v /usr/lib/systemd/system/tmp.mount /etc/systemd/system/                      Edit the file /etc/systemd/system/tmp.mount:  [Mount]   What=tmpfs    Where=/tmp    Type=tmpfs    Options=mode=1777,strictatime,noexec,nodev,nosuid     Run the following command to reload the systemd daemon:# systemctl daemon-reload                  Run the following command to unmask tmp.mount:    # systemctl unmask tmp.mpunt                  Run the following command to enable and start tmp.mount:    # systemctl enable --now tmp.mount"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["9.4", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: any
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+      - 'c:sh -c "systemctl show \"tmp.mount\" | grep -i \"unitfilestate\"" -> r:UnitFileState=enabled'
+
+  # 1.1.3 Ensure noexec option set on /tmp partition.
+  - id: 20504
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file OR  the /etc/systemd/system/local-fs.target.wants/tmp.mount file:    IF /etc/fstab is used to mount /tmp       Edit the /etc/fstabfile and add noexecto the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp:      # mount -o remount,noexec /tmp        OR           IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options:       [Mount]      Options=mode=1777,strictatime,noexec,nodev,nosuid         Run the following command to restart the systemd daemon: #  systemctl daemon-reload               Run the following command to restart tmp.mount               # systemctl restart tmp.mount"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.4 Ensure nodev option set on /tmp partition.
+  - id: 20505
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab   file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:   IF /etc/fstab is used to mount /tmp  Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp:          # mount -o remount,nodev /tmp         OR        IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options:    [Mount]   Options=mode=1777,strictatime,noexec,nodev,nosuid                   Run the following command to restart the systemd daemon: #  systemctl daemon-reload               Run the following command to restart tmp.mount            # systemctl restart tmp.mount"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.5 Ensure nosuid option set on /tmp partition.
+  - id: 20506
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "IF /etc/fstab is used to mount /tmp Edit the /etc/fstab   file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:   IF /etc/fstab is used to mount /tmp  Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp:          # mount -o remount,nosuid /tmp         OR        IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options:    [Mount]   Options=mode=1777,strictatime,noexec,nosuid,nosuid                   Run the following command to restart the systemd daemon: #  systemctl daemon-reload               Run the following command to restart tmp.mount            # systemctl restart tmp.mount"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.6 Ensure /dev/shm is configured.
+  - id: 20507
+    title: "Ensure /dev/shm is configured."
+    description: "/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd."
+    rationale: "Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Edit /etc/fstab and add or edit the following line:  tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0  Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s'
+      - 'f:/etc/fstab -> r:\s/dev/shm\s'
+
+  # 1.1.7 Ensure noexec option set on /dev/shm partition.
+  - id: 20508
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  # 1.1.8 Ensure nodev option set on /dev/shm partition.
+  - id: 20509
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.9 Ensure nosuid option set on /dev/shm partition..
+  - id: 20510
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.10 Ensure separate partition exists for /var.
+  - id: 20511
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.11 Ensure separate partition exists for /var/tmp.
+  - id: 20512
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications and is intended for temporary files that are preserved across reboots."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.12 Ensure /var/tmp partition includes the noexec option.
+  - id: 20513
+    title: "Ensure /var/tmp partition includes the noexec option."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  # 1.1.13 Ensure /var/tmp partition includes the nodev option.
+  - id: 20514
+    title: "Ensure /var/tmp partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  # 1.1.14 Ensure /var/tmp partition includes the nosuid option.
+  - id: 20515
+    title: "Ensure /var/tmp partition includes the nosuid option."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  # 1.1.15 Ensure separate partition exists for /var/log.
+  - id: 20516
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data ."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.16 Ensure separate partition exists for /var/log/audit.
+  - id: 20517
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.17 Ensure separate partition exists for /home.
+  - id: 20518
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.18 Ensure /home partition includes the nodev option.
+  - id: 20519
+    title: "Ensure /home partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.18"]
+      - cis_csc: ["5.1", "13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.19 Ensure removable media partitions include noexec option - Can't be implemented.
+  # 1.1.20 Ensure nodev option set on removable media partitions - Can't be implemented.
+  # 1.1.21 Ensure nosuid option set on removable media partitions - Can't be implemented.
+
+  # 1.1.22 Ensure sticky bit is set on all world-writable directories.
+  - id: 20520
+    title: "Ensure sticky bit is set on all world-writable directories."
+    description: "Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them."
+    rationale: "This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user."
+    remediation: "Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | xargs -I '{}' chmod a+t '{}'"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'not c:sh -c "df --local -P 2> /dev/null | awk ''{if (NR!=1) print $6}'' | xargs -I ''{}'' find ''{}'' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" -> r:^/'
+
+  # 1.1.23 Disable Automounting.
+  - id: 20521
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: systemctl disable autofs"
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl show autofs.service -> r:unitfilestate=enabled"
+
+  # 1.1.24  Disable USB Storage.
+  - id: 20522
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf Add the following line: install usb-storage /bin/true . Run the following command to unload the usb-storage module: rmmod usb-storage"
+    compliance:
+      - cis: ["1.1.24"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ############################################################
+  # 1.2 Configure Software Updates.
+  ############################################################
+
+  # 1.2.1 Ensure GPG keys are configured -> can't be implemented - requires manual action.
+  # 1.2.2 Ensure package manager repositories are configured -> can't be implemented - requires manual action.
+
+  # 1.2.3 Activate gpgcheck.
+  - id: 20523
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:gpgcheck=1"
+      - "not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck=0"
+
+  ############################################################
+  # 1.3 Filesystem Integrity Checking.
+  ############################################################
+
+  # 1.3.1 Ensure AIDE is installed.
+  - id: 20524
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: yum install aide // Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked.
+  - id: 20525
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check run the following command: crontab -u root -e         Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check  // Notes: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.              OR        If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines:    [Unit]      Description=Aide Check    [Service]     Type=simpleExecStart=/usr/sbin/aide --check      [Install]     WantedBy=multi-user.target      Create or edit the file  /etc/systemd/system/aidecheck.timer and add the following lines:   [Unit]   Description=Aide check every day at 5AM      [Timer]     OnCalendar=*-*-* 05:00:00      Unit=aidecheck.service      [Install]     WantedBy=multi-user.target        Run the following commands:        # chown root:root /etc/systemd/system/aidecheck.*         # chmod 0644 /etc/systemd/system/aidecheck.*           # systemctl daemon-reload          # systemctl enable aidecheck.service        # systemctl --now enable aidecheck.timer "
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:crontab -u root -l -> r:aide"
+      - "c:grep -r aide /etc/cron.* /etc/crontab -> r:aide"
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:enabled"
+
+  ############################################################
+  # 1.4 Secure Boot Settings.
+  ############################################################
+
+  # 1.4.1 Ensure permissions on bootloader config are configured.
+  - id: 20526
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.cfg .  On newer grub2 systems the encrypted bootloader password is contained in /boot/grub2/user.cfg"
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg    # chmod og-rwx /boot/grub2/grub.cfg  # chown root:root /boot/grub2/user.cfg  # chmod og-rwx /boot/grub2/user.cfg"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/user.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|cannot stat'
+
+  # 1.4.2 Ensure authentication required for single user mode.
+  - id: 20527
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: 'Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" '
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+      - 'f:/usr/lib/systemd/system/emergency.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+
+  ############################################################
+  # 1.5 Additional Process Hardening.
+  ############################################################
+
+  # 1.5.1 Ensure core dumps are restricted.
+  - id: 20528
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:hard\s*\t*core\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 Ensure XD/NX support is enabled.
+  - id: 20529
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system. Note: Ensure your system supports the XD or NX bit and has PAE support before implementing this recommendation as this may prevent it from booting if these are not supported by your hardware."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios"
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "journalctl -k --boot | grep \"protection: \" | tail -1" -> r:protection: active'
+      - 'not c:sh -c "[[ -n $(grep noexec[0-9]*=off /proc/cmdline) || -z $(grep -E -i \" (pae|nx) \" /proc/cpuinfo) || -n $(grep \"\\sNX\\s.*\\sprotection:\\s\" /var/log/dmesg | grep -v active) ]] && echo \"NX Protection is not active\"" -> r:^NX Protection is not active$'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled.
+  - id: 20530
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.5.4 Ensure prelink is not installed.
+  - id: 20531
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal: # prelink -ua     Run the following command to uninstall prelink: # yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> r:package prelink is not installed"
+
+  ############################################################
+  # 1.6 Mandatory Access Control.
+  ############################################################
+  # 1.6.1 Configure SELinux.
+  ############################################################
+
+  # 1.6.1.1 Ensure SELinux is installed.
+  - id: 20532
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install libselinux: # yum install libselinux"
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:rpm -q libselinux -> r:libselinux-\S+'
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration.
+  - id: 20533
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX=""  || Run the following command to update the grub2 configuration: grub2-mkconfig -o /boot/grub2/grub.cfg'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*linux\.+selinux=0|linux\.+enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured.
+  - id: 20534
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s*\t*targeted$|^Loaded policy name:\s*\t*mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is enforcing or permissive.
+  - id: 20535
+    title: "Ensure the SELinux mode is enforcing or permissive."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t"
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1    OR     To set SELinux mode to Permissive: # setenforce 0     Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing   OR    For Permissive mode:  SELINUX=permissive"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:Enforcing|Permisive"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing|^SELINUX=Permisive"
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing.
+  - id: 20536
+    title: "Ensure the SELinux mode is enforcing."
+    description: "Set SELinux to enable when the system is booted"
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:Enforcing"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing"
+
+  # 1.6.1.6 Ensure no unconfined services exist - Not implemented
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed.
+  - id: 20537
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q setroubleshoot -> r:package setroubleshoot is not installed"
+
+  # 1.6.1.8 Disable MCS Translation service mcstrans.
+  - id: 20538
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q mcstrans -> r:package mcstrans is not installed"
+
+  ############################################################
+  # 1.7  Warning Banners.
+  ############################################################
+
+  # 1.7.1 Ensure message of the day is configured properly.
+  - id: 20539
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, \\v  or references to the OS platform    OR    If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd"
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.2 Ensure local login warning banner is configured properly.
+  - id: 20540
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version -or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.3 "Ensure remote login warning banner is configured properly.
+  - id: 20541
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m, \\r, \\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured.
+  - id: 20542
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured.
+  - id: 20543
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured.
+  - id: 20544
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8 Ensure updates, patches, and additional security software are installed.
+  - id: 20545
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available packages # yum update --security "
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: all
+    rules:
+      - 'c:sh -c " yum check-updates --security | grep \"No packages\"" -> r:No packages needed for security'
+
+  ############################################################
+  # 2 OS Services.
+  ############################################################
+  ############################################################
+  # 2.1.1 Time Synchronization.
+  ############################################################
+
+  # 2.1.1.1 Ensure time synchronization is in use.
+  - id: 20546
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run One of the following commands to install chrony or NTP: to install chrony run the following command: # yum install chrony OR to install ntp: run the following command: # yum install ntp"
+    compliance:
+      - cis: ["2.1.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q ntp -> r:^package ntp is not installed"
+      - "not c:rpm -q chrony -> r:^package chrony is not installed"
+
+  # 2.2.1.2  Ensure chrony is configured.
+  - id: 20547
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. Note: This recommendation only applies if chrony is in use on the system."
+    remediation: '1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. 2) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'':OPTIONS=" -u chrony"'
+    compliance:
+      - cis: ["2.1.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.1.1.3  Ensure ntp is configured.
+  - id: 20548
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'"
+    compliance:
+      - cis: ["2.1.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
+      - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp'
+
+  # 2.1.2 Ensure X11 Server components are not installed.
+  - id: 20549
+    title: " Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:rpm -q xorg-x11 -> r:package xorg-x11 is not installed"
+
+  # 2.1.3 Ensure Avahi Server is not enabled.
+  - id: 20550
+    title: " Ensure Avahi Server is not enabled."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable this package to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon:  # systemctl disable avahi-daemon"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi-autoipd -> r:package avahi-autoipd is not installed"
+      - "c:rpm -q avahi -> r:package avahi is not installed"
+
+  # 2.1.4 Ensure CUPS is not enabled.
+  - id: 20551
+    title: "Ensure CUPS is not enabled."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface. Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to disable cups: # systemctl disable cups"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:package cups is not installed"
+
+  # 2.1.5 Ensure DHCP Server is not installed.
+  - id: 20552
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # yum remove dhcp"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
+    condition: all
+    rules:
+      - "c:rpm -q dhcp -> r:package dhcp is not installed"
+
+  # 2.1.6 Ensure LDAP server is not installed.
+  - id: 20553
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove openldap-servers: # yum remove openldap-servers"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on OpenLDAP is available at https://www.openldap.org
+    condition: any
+    rules:
+      - "c:rpm -q openldap-servers -> r:package openldap-servers is not installed"
+
+  # 2.1.7 Ensure DNS Server is not installed.
+  - id: 20554
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # yum remove bind"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:package bind is not installed"
+
+  # 2.1.8 Ensure FTP Server is not installed.
+  - id: 20555
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)"
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # yum remove vsftpd"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:package vsftpd is not installed"
+
+  # 2.1.9 Ensure HTTP server is not installed.
+  - id: 20556
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove httpd: # yum remove httpd"
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q httpd -> r:package httpd is not installed"
+
+  # 2.1.10 Ensure IMAP and POP3 server is not installed.
+  - id: 20557
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dovecot: # yum remove dovecot"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:package dovecot is not installed"
+
+  # 2.1.11 Ensure Samba is not installed.
+  - id: 20558
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove smb: # yum remove samba"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:package samba is not installed"
+
+  # 2.1.12 Ensure HTTP Proxy Server is not installed.
+  - id: 20559
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove squid: # yum remove squid"
+    compliance:
+      - cis: ["2.1.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:package squid is not installed"
+
+  # 2.1.13 Ensure net-snmp is not installed.
+  - id: 20560
+    title: "Ensure SNMP Server is not installed."
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3replaces the simple/clear text password sharing used in SNMPv2with more securely encoded parameters. If the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove snmpd: # yum remove snmpd"
+    compliance:
+      - cis: ["2.1.13"]
+      - cis_csc: ["2.6", 9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:package net-snmp is not installed"
+
+  # 2.1.14 Ensure NIS server is not installed.
+  - id: 20561
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove snmpd: # yum remove snmpd"
+    compliance:
+      - cis: ["2.1.14"]
+      - cis_csc: ["2.6", 9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:package ypserv is not installed"
+
+  # 2.1.15 Ensure telnet-server is not installed.
+  - id: 20562
+    title: "Ensure NIS server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove telnet-server: # yum remove telnet-server"
+    compliance:
+      - cis: ["2.1.15"]
+      - cis_csc: ["2.6", 9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:package telnet-server is not installed"
+
+  # 2.1.16 Ensure mail transfer agent is configured for local-only mode.
+  - id: 20563
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only . Restart postfix: # systemctl restart postfix"
+    compliance:
+      - cis: ["2.1.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\s* && !r:127.0.0.1:25\.*|::1:25\.*'
+
+  # 2.1.17 Ensure nfs-utils is not installed or the nfs-server service is masked.
+  - id: 20564
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following command to remove nfs-utils: # yum remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server"
+    compliance:
+      - cis: ["2.1.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked"
+
+  # 2.1.18 Ensure rpcbind is not installed or the rpcbind services are masked.
+  - id: 20565
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening"
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove rpcbind: # yum remove rpcbind OR If the rpcbind is required as a dependency, run the following command to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask nfs-server && # systemctl --now mask rpcbind.socket"
+    compliance:
+      - cis: ["2.1.18"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind -> r:masked"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked"
+
+  # 2.1.19 Ensure rsync is not installed or the rsyncd service is masked.
+  - id: 20566
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to remove the rsync package: # yum remove rsync    OR    Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd"
+    compliance:
+      - cis: ["2.1.19"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked"
+
+  ############################################################
+  # 2.2 Service Clients.
+  ############################################################
+
+  # 2.2.1 Ensure NIS Client is not enabled.
+  - id: 20567
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:package ypbind is not installed"
+
+  # 2.2.2 Ensure rsh client is not installed.
+  - id: 20568
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin ."
+    remediation: "Run the following command to uninstall rsh: # yum remove rsh"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:^package rsh is not installed"
+
+  # 2.2.3 Ensure talk client is not installed.
+  - id: 20569
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk: # yum remove talk"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:^package talk is not installed"
+
+  # 2.2.4 Ensure telnet client is not installed.
+  - id: 20570
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet: # yum remove telnet"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.2.5 Ensure LDAP client is not installed.
+  - id: 20571
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients: # yum remove openldap-clients"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3 Ensure nonessential services are removed or masked - Not implemented
+
+  #######################################################
+  # 3 Network Configuration.
+  #######################################################
+  #######################################################
+  # 3.1 Disable unused network protocols and devices.
+  #######################################################
+
+  # 3.1.1 Disable IPv6.
+  - id: 20572
+    title: "Disable IPv6."
+    description: "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented."
+    rationale: "If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+    remediation: >
+      Use one of the two following methods to disable IPv6 on the system:
+
+      To disable IPv6 through the GRUB2 config:
+
+      Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:
+      GRUB_CMDLINE_LINUX="ipv6.disable=1"
+
+      Run the following command to update the grub2 configuration:
+      # grub2-mkconfig -o /boot/grub2/grub.cfg
+
+      OR
+
+      To disable IPv6 through sysctl settings:
+
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv6.conf.all.disable_ipv6=1
+      # sysctl -w net.ipv6.conf.default.disable_ipv6=1 
+      # sysctl -w net.ipv6.route.flush=1
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not f:/boot/grub2/grub.cfg -> r:ipv6.disable\s*=\s*1'
+      - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1'
+      - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1'
+
+  # 3.1.2 Ensure wireless interfaces are disabled -> Not implemented, requires manual action.
+
+  #######################################################
+  # 3.2 Network Parameters (Host Only).
+  #######################################################
+
+  # 3.2.1 Ensure IP forwarding is disabled.
+  - id: 20573
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Run the following commands to restore the default parameters and set the active kernel parameters: # grep -Els '^\\s*net\\.ipv4\\.ip_forward\\s*=\\s*1' /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri 's/^\\s*(net\\.ipv4\\.ip_forward\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/' $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'not c:grep -RhEs "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*.conf -> r:1'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+      - 'not c:grep -RhEs "net\.ipv6\.conf\.all\.forwarding" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf -> r:1'
+
+  # 3.2.2 Ensure packet redirect sending is disabled.
+  - id: 20574
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+
+  ##################################################
+  # 3.3 Network Parameters (Host and Router).
+  ##################################################
+
+  # 3.3.1 Ensure source routed packets are not accepted.
+  - id: 20575
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters:       # sysctl -w net.ipv4.conf.all.accept_source_route=0       # sysctl -w net.ipv4.conf.default.accept_source_route=0        # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* -> r:1'
+      - 'not c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* -> r:1'
+
+  # 3.3.2 Ensure ICMP redirects are not accepted.
+  - id: 20576
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters:      # sysctl -w net.ipv4.conf.all.accept_redirects=0          # sysctl -w net.ipv4.conf.default.accept_redirects=0            # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+
+  # 3.3.3 Ensure secure ICMP redirects are not accepted.
+  - id: 20577
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters:  # sysctl -w net.ipv4.conf.all.secure_redirects=0         # sysctl -w net.ipv4.conf.default.secure_redirects=0          # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:1'
+
+  # 3.3.4 Ensure suspicious packets are logged.
+  - id: 20578
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters:    # sysctl -w net.ipv4.conf.all.log_martians=1       # sysctl -w net.ipv4.conf.default.log_martians=1          # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:0'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:0'
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored.
+  - id: 20579
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters:     # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1           # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'not c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:0'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored.
+  - id: 20580
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1      # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'not c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:0'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled.
+  - id: 20581
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters:   # sysctl -w net.ipv4.conf.all.rp_filter=1         # sysctl -w net.ipv4.conf.default.rp_filter=1         # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'not c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:0'
+      - 'not c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:0'
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled.
+  - id: 20582
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1     # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'not c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:0'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted.
+  - id: 20583
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:       net.ipv6.conf.all.accept_ra = 0        and          net.ipv6.conf.default.accept_ra = 0            Then, run the following commands to set the active kernel parameters:  # sysctl -w net.ipv6.conf.all.accept_ra=0              # sysctl -w net.ipv6.conf.default.accept_ra=0           # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+      - 'not c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:1'
+      - 'not c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:1'
+
+  ############################################################
+  # 3.4 Uncommon Network Protocols.
+  ############################################################
+
+  # 3.4.1 Ensure DCCP is disabled.
+  - id: 20584
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v dccp -> r:install /bin/true"
+      - "not c:lsmod -> r:dccp"
+
+  # 3.4.2 Ensure SCTP is disabled.
+  - id: 20585
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v sctp -> r:install /bin/true"
+      - "not c:lsmod -> r:sctp"
+
+  ############################################################
+  # 3.5 Firewall Configuration.
+  ############################################################
+  ############################################################
+  # 3.5.1 Configure firewalld.
+  ############################################################
+
+  # 3.5.1.1 Ensure firewalld is installed.
+  - id: 20586
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install FirewallD and iptables: # yum install firewalld iptables"
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:firewalld-"
+
+  # 3.5.1.2 Ensure iptables-services not installed with firewalld.
+  # 3.5.2.3 Ensure iptables-services not installed with nftables.
+  - id: 20587
+    title: "Ensure iptables-services not installed with firewalld or nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # yum remove iptables-services"
+    compliance:
+      - cis: ["3.5.1.2", "3.5.2.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^iptables-services-"
+      - "not c:rpm -q firewalld -> r:firewalld-"
+      - "not c:rpm -q nftables -> r:nftables-"
+
+  # 3.5.1.3 Ensure nftables either not installed or masked with firewalld.
+  - id: 20588
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both firewalld and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # yum remove nftables OR Run the following command to stop and mask nftables: # systemctl --now mask nftables"
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "not c:systemctl is-enabled nftables -> r:enabled"
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+      - "c:rpm -q firewalld -> r:firewalld-"
+
+  # 3.5.1.4 Ensure firewalld service enabled and running.
+  - id: 20589
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld"
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld"
+    compliance:
+      - cis: ["3.5.1.4"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:enabled"
+      - "c:firewalld --state -> r:running"
+
+  # 3.5.1.5 Ensure firewalld default zone is set.
+  - id: 20590
+    title: "Ensure firewalld default zone is set."
+    description: "A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources. 1.- The default zone is the zone that is used for everything that is not explicitly bound/assigned to another zone. 2.- If no zone assigned to a connection, interface or source, only the default zone is used. 3.- The default zone is not always listed as being used for an interface or source as it will be used for it either way. This depends on the manager of the interfaces. Connections handled by NetworkManager are listed as NetworkManager requests to add the zone binding for the interface used by the connection. Also interfaces under control of the network service are listed also because the service requests it."
+    rationale: "Because the default zone is the zone that is used for everything that is not explicitly bound/assigned to another zone, it is important for the default zone to set."
+    remediation: "Run the following command to set the default zone: # firewall-cmd --set-default-zone=<NAME_OF_ZONE> Example: # firewall-cmd --set-default-zone=public"
+    compliance:
+      - cis: ["3.5.1.5"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    references:
+      - https://firewalld.org/documentation
+      - https://firewalld.org/documentation/man-pages/firewalld.zone
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:enabled"
+      - "c:firewalld --state -> r:running"
+
+  # 3.5.1.6 Ensure network interfaces are assigned to appropriate zone - Not implemented, requires manual operation.
+  # 3.5.1.7 Ensure firewalld drops unnecessary services and ports - Not implemented, requires manual operation.
+
+  ############################################################
+  # 3.5.2 Configure nftables.
+  ############################################################
+
+  # 3.5.2.1 Ensure nftables is installed.
+  - id: 20591
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install nftables # yum install nftables"
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.5.2.2.1 Ensure firewalld is either not installed or masked with nftables.
+  - id: 20592
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: "firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options."
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld"
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  # 3.5.2.4 Ensure iptables are flushed with nftables.
+  - id: 20594
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables"
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded"
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F"
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "iptables -L | egrep -v  \"^target|^Chain\"" -> r:^\w+'
+      - 'not c:sh -c "ip6tables -L | egrep -v  \"^target|^Chain\"" -> r:^\w+'
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.5.2.5 Ensure an nftables table exists.
+  - id: 20595
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter"
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.5.2.6 Ensure nftables base chains exist.
+  # 3.5.2.9 Ensure nftables default deny firewall policy.
+  - id: 20596
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; }"
+    compliance:
+      - cis: ["3.5.2.6", "3.5.2.9"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:input"
+      - "c:nft list ruleset -> r:forward"
+      - "c:nft list ruleset -> r:output"
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.5.2.7 Ensure nftables loopback traffic is configured - Not implemented, SCA limitation.
+  # 3.5.2.8 Ensure nftables outbound and established connections are configured - Not implemented, SCA limitation.
+  # 3.5.2.9 Ensure nftables default deny firewall policy - covered by 20596.
+
+  # 3.5.2.10 Ensure nftables service is enabled.
+  - id: 20597
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables"
+    compliance:
+      - cis: ["3.5.2.10"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.5.2.11 Ensure nftables rules are permanent - Not implemented, requires manual operation.
+
+  ############################################################
+  # 3.5.3 Configure iptables.
+  ############################################################
+  ############################################################
+  # 3.5.3.1 Configure iptables software.
+  ############################################################
+
+  # 3.5.3.1.1 Ensure iptables packages are installed.
+  # 3.5.3.1.2 Ensure nftables is not installed with iptables.
+  # 3.5.3.1.3 Ensure firewalld is either not installed or masked with iptables.
+  - id: 20598
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # yum install iptables iptables-services"
+    compliance:
+      - cis: ["3.5.3.1.1", "3.5.3.1.2", "3.5.3.1.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+      - "c:rpm -q iptables -> r:iptables-"
+
+  ############################################################
+  # 3.5.3.2 Configure IPv4 iptables.
+  ############################################################
+
+  # 3.5.3.2.1 Ensure iptables loopback traffic is configured - Not implemented, requires manual operation.
+  # 3.5.3.2.2 Ensure iptables outbound and established connections are configured - Not implemented, requires manual operation.
+  # 3.5.3.2.3 Ensure iptables rules exist for all open ports - Not implemented, SCA limitation.
+
+  # 3.5.3.2.4 Ensure iptables default deny firewall policy.
+  - id: 20599
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.5.3.2.4"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:iptables -L INPUT   -> r:policy DROP"
+      - "c:iptables -L FORWARD -> r:policy DROP"
+      - "c:iptables -L OUTPUT  -> r:policy DROP"
+
+  # 3.5.3.2.5 Ensure iptables rules are saved - Not implemented, requires manual operation.
+
+  # 3.5.3.2.6 Ensure iptables is enabled and running.
+  - id: 20600
+    title: "Ensure iptables is enabled and running."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables"
+    compliance:
+      - cis: ["3.5.3.2.6"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:enabled"
+      - "c:systemctl status iptables -> r:active && r:running|exited"
+
+  ############################################################
+  # 3.5.3.3 Configure IPv6 iptables.
+  ############################################################
+
+  # 3.5.3.3.1 Ensure IPv6 loopback traffic is configured.
+  - id: 20601
+    title: "Ensure IPv6 loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic tothe loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure"
+    remediation: "Run the following commands to implement the loopback rules:# ip6tables -A INPUT -i lo -j ACCEPT# ip6tables -A OUTPUT -o lo -j ACCEPT# ip6tables -A INPUT -s::1 -j DROP"
+    compliance:
+      - cis: ["3.5.3.3.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L INPUT -v -n -> r:ACCEPT && r:lo"
+      - "c:ip6tables -L INPUT -v -n -> r:DROP"
+      - "c:ip6tables -L OUTPUT -v -n -> r:ACCEPT && r:lo"
+
+  # 3.5.3.3.2 Ensure ip6tables outbound and established connections are configured - Not implemented, requires manual operation.
+  # 3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports - Not implemented, requires manual operation.
+
+  # 3.5.3.3.4 Ensure ip6tables default deny firewall policy.
+  - id: 20602
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP; # ip6tables -P OUTPUT DROP; # ip6tables -PFORWARD DROP"
+    compliance:
+      - cis: ["3.5.3.3.4"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L INPUT -> r:policy DROP"
+      - "c:ip6tables -L FORWARD -> r:policy DROP"
+      - "c:ip6tables -L OUTPUT -> r:policy DROP"
+
+  # 3.5.3.3.5 Ensure ip6tables rules are saved - Not implemented, requires manual operation.
+
+  #3.5.3.3.6 Ensure ip6tables is enabled and running
+  - id: 20603
+    title: "Ensure ip6tables is enabled and running."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable ip6tables"
+    compliance:
+      - cis: ["3.5.3.3.6"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ip6tables -> r:enabled"
+      - "c:systemctl status ip6tables -> r:active && r:running|exited"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+
+  # 4.1.1.1 Ensure auditd is installed.
+  - id: 20604
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # yum install audit audit-libs"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+      - "c:rpm -q audit-libs -> r:^audit-libs-"
+
+  # 4.1.1.2 Ensure auditd service is enabled and running.
+  - id: 20605
+    title: "Ensure auditd service is enabled and running."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+      - "c:systemctl status auditd -> r:active && r:running"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled.
+  - id: 20606
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. Note: This recommendation is designed around the grub2 bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" . Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*linux && r:audit=1'
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured.
+  - id: 20607
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>"
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted.
+  - id: 20608
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full.
+  - id: 20609
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email   action_mail_acct = root   admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc: [6.4"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt'
+
+  # 4.1.2.4 Ensure audit_backlog_limit is sufficient - Not implmented, SCA limitation.
+
+  # 4.1.3 Ensure events that modify date and time information are collected.
+  - id: 20610
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change, -a always,exit -F arch=b32 -S clock_settime -k time-change, -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change, -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange, -a always,exit -F arch=b64 -S clock_settime -k time-change, -a always,exit -F arch=b32 -S clock_settime -k time-change, -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/localtime && r:-p wa && r:-k time-change'
+
+  # 4.1.4 Ensure events that modify user/group information are collected.
+  - id: 20611
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file: -w /etc/group -p wa -k identity, -w /etc/passwd -p wa -k identity, -w /etc/gshadow -p wa -k identity, -w /etc/shadow -p wa -k identity, -w /etc/security/opasswd -p wa -k identity"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/group && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/passwd && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/gshadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/shadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/security/opasswd && r:-p wa && r:-k identity'
+
+  # 4.1.5 Ensure events that modify the system's network environment are collected.
+  - id: 20612
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations)."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale, -w /etc/issue -p wa -k system-locale, -w /etc/issue.net -p wa -k system-locale, -w /etc/hosts -p wa -k system-locale, -w /etc/sysconfig/network -p wa -k system-locale, -w /etc/sysconfig/network-scripts/ -p wa -k system-locale. For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale, -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale, -w /etc/issue -p wa -k system-locale, -w /etc/issue.net -p wa -k system-locale, -w /etc/hosts -p wa -k system-locale, -w /etc/sysconfig/network -p wa -k system-locale, -w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale'
+
+  # 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected.
+  - id: 20613
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to  the /etc/selinux/ and /usr/share/selinux/ directories."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy, -w /usr/share/selinux/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/selinux/ && r:-p wa && r:-k MAC-policy"
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:-w /usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
+
+  # 4.1.7 Ensure login and logout events are collected.
+  - id: 20614
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file: -w /var/log/lastlog -p wa -k logins, -w /var/run/faillock/ -p wa -k logins"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/faillock/ && r:-p wa && r:-k logins"
+
+  # 4.1.8 Ensure session initiation information is collected.
+  - id: 20615
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file: -w /var/run/utmp -p wa -k session, -w /var/log/wtmp -p wa -k logins, -w /var/log/btmp -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins"
+
+  # 4.1.9 Ensure discretionary access control permission modification events are collected.
+  - id: 20616
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod   For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrem . Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected.
+  - id: 20617
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated  with system calls that control creation ( creat ), opening ( open, openat ) and truncation (  truncate, ftruncate ) of files. An audit log record will only be written if the user is a non-  privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the  system call returned EACCES (permission denied to the file) or EPERM (some other  permanent error associated with the specific system call). All audit records will be tagged  with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access   For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access . Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  # 4.1.11 Ensure use of privileged commands is collected - Not implemented, SCA limitation.
+
+  # 4.1.12 Ensure successful file system mounts are collected.
+  - id: 20618
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts   For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts   -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts . Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  # 4.1.13 Ensure file deletion events by users are collected.
+  - id: 20619
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for ollowing system calls and tags them with the identifier "delete": unlink -remove a file     unlinkat - remove a file attribute), rename (rename a file and renameat - rename a file attribute.'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete  For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:   -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete . Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.5.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  # 4.1.14 Ensure changes to system administration scope (sudoers) is collected.
+  - id: 20620
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers or a file in the /etc/sudoers.d directory will be written to when the file or its attributes have changed."
+    rationale: "Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file:   -w /etc/sudoers -p wa -k scope   -w /etc/sudoers.d/ -p wa -k scope . Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["4.8", "6.3"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  # 4.1.15 Ensure system administrator command executions (sudo) are collected.
+  - id: 20621
+    title: "Ensure system administrator command executions (sudo) are collected."
+    description: "sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed."
+    rationale: "creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/rules.d/audit.rules file:   -a exit,always -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions  and  -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions ."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.9", "6.3"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/sudo.log && r:-p wa && r:-k actions"
+
+  # 4.1.16 Ensure kernel module loading and unloading is collected.
+  - id: 20622
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:  -w /sbin/insmod -p x -k modules                   -w /sbin/rmmod -p x -k modules           -w /sbin/modprobe -p x -k modules        -a always,exit -F arch=b32 -S init_module -S delete_module -k modules     For 64 bit systems add the following lines to the /etc/audit/rules.d/audit.rules file:             -w /sbin/insmod -p x -k modules              -w /sbin/rmmod -p x -k modules                -w /sbin/modprobe -p x -k modules           -a always,exit -F arch=b64 -S init_module -S delete_module -k modules "
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules"
+      - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.17 Ensure the audit configuration is immutable.
+  - id: 20623
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl . Setting the flag " -e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/rules.d/audit.rules file: -e 2"
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-e 2"
+
+  ############################################################
+  # 4.2 Configure Logging.
+  ############################################################
+  ############################################################
+  # 4.2.1 Configure rsyslog.
+  ############################################################
+
+  # 4.2.1.1 Ensure rsyslog is installed.
+  # 4.2.1.2 Ensure rsyslog Service is enabled.
+  - id: 20624
+    title: "Ensure rsyslog Service is enabled and running."
+    description: "rsyslogneeds to be enabled and running to perform logging"
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lackblogging instead."
+    remediation: "Run the following command to enable rsyslog:   # systemctl enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.2", "4.2.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:rsyslog-"
+      - "c:systemctl is-enabled rsyslog -> r:^enabled$"
+      - "c:systemctl status rsyslog -> r:active && r:running"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured.
+  - id: 20625
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.4 Ensure logging is configured - Not implemented, requires manual operation.
+
+  # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host.
+  - id: 20626
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host).   *.* @@loghost.example.com   Run the following command to reload the rsyslogd configuration: #  systemctl restart rsyslog"
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep *.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf -> !r:# && r:*.* @@\.+'
+
+  # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - Not implemented, requires manual operation.
+
+  ############################################################
+  # 4.2.2 Configure journald.
+  ############################################################
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog.
+  - id: 20627
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:ForwardToSyslog=yes"
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files.
+  - id: 20628
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes"
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:Compress=yes"
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk.
+  - id: 20629
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:Storage=persistent"
+
+  # 4.2.3 Ensure logrotate is configured - Not implemented, requires manual operation.
+  # 4.2.4 Ensure permissions on all logfiles are configured - Not implemented, requires manual operation.
+
+  ####################################################
+  # 5 Access, Authentication and Authorization.
+  ####################################################
+  ####################################################
+  # 5.1 Configure time-based job schedulers.
+  ####################################################
+
+  # 5.1.1 Ensure cron daemon is enabled(Automated).
+  - id: 20630
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron : # systemctl enable crond "
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:enabled"
+      - "c:systemctl status crond -> r:active && r:running"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured.
+  - id: 20631
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab; # chmod og-rwx /etc/crontab "
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\w00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured
+  - id: 20633
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly; # chmod og-rwx /etc/cron.hourly; "
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured
+  - id: 20634
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily; # chmod og-rwx /etc/cron.daily;"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured
+  - id: 20635
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly; # chmod og-rwx /etc/cron.weekly;"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured
+  - id: 20636
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly; # chmod og-rwx /etc/cron.monthly;"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\w00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured
+  - id: 20637
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d/directory contains system cronjobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d :   # chown root:root /etc/cron.d;   # chmod og-rwx /etc/cron.d;"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users.
+  - id: 20638
+    title: "Ensure at/cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.alloware allowed to use at and cron."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allowfile to control who can run cronjobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8", "5.1.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/cron.deny -> r:No such file or directory$"
+      - "c:stat -L /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ############################################################
+  # 5.2 Configure sudo.
+  ############################################################
+
+  # 5.2.1 Ensure sudo is installed.
+  - id: 20639
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo. # yum install sudo"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.2.2 Ensure sudo commands use pty.
+  - id: 20640
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo-pty."
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing. This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not."
+    remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults use_pty"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.2.3 Ensure sudo log file exists.
+  - id: 20641
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>"'
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  ############################################################
+  # 5.3 Configure SSH Server.
+  ############################################################
+
+  # 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured.
+  - id: 20642
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: chown root:root /etc/ssh/sshd_config and chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\t*\s*0/\t*\s*root\)\s*\t*Gid:\s*\t*\(\t*\s*0/\t*\s*root\)$'
+
+  # 5.3.2 Ensure permissions on SSH private host key files are configured.
+  - id: 20643
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated"
+    remediation: "Run the following commands to set ownership and permissions on the private SSH host key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0640 {} \\;  # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \\;"
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_rsa_key" -exec stat {} \; -> r:^Access:\t*\s*\(0600/-rw-------\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_ecdsa_key" -exec stat {} \; -> r:^Access:\t*\s*\(0600/-rw-------\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_ed25519_key" -exec stat {} \; -> r:^Access:\t*\s*\(0600/-rw-------\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+
+  # 5.3.3 Ensure permissions on SSH public host key files are configured.
+  - id: 20644
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} \\;    #find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_rsa_key.pub" -exec stat {} \; -> r:^Access:\s*\(0644/-rw-r--r--\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_ecdsa_key.pub" -exec stat {} \; -> r:^Access:\s*\(0644/-rw-r--r--\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+      - 'c:find /etc/ssh -xdev -type f -name "ssh_host_ed25519_key.pub" -exec stat {} \; -> r:^Access:\s*\(0644/-rw-r--r--\)\t*\s*Uid:\t*\s*\(\t*\s*0/\t*\s*root\)\t*\s*Gid:\t*\s*\(\t*\s*0/\t*\s*root\)$'
+
+  # 5.3.4 Ensure SSH access is limited - Not implemented, requires manual operation.
+
+  # 5.3.5 Ensure SSH LogLevel is appropriate.
+  - id: 20645
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:$sshd_file -> r:^# && r:LogLevel\s*\t*INFO'
+      - 'f:$sshd_file -> r:^# && r:LogLevel\s*\t*VERBOSE'
+
+  # 5.3.6 Ensure SSH X11 forwarding is disabled.
+  - id: 20646
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.3.6"]
+      - pci_dss: ["9.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s*\t*no'
+
+  # 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less.
+  - id: 20647
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.3.8 Ensure SSH IgnoreRhosts is enabled.
+  - id: 20648
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.3.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.3.9 Ensure SSH HostbasedAuthentication is disabled.
+  - id: 20649
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.3.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.3.10 Ensure SSH root login is disabled.
+  - id: 20650
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.3.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
+
+  # 5.3.11 Ensure SSH PermitEmptyPasswords is disabled.
+  - id: 20651
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.3.11"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+
+  # 5.3.12 Ensure SSH PermitUserEnvironment is disabled.
+  - id: 20652
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.3.12"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*PermitUserEnvironment\s*\t*no'
+
+  # 5.3.13 Ensure only strong Ciphers are used.
+  - id: 20653
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "This variable limits the ciphers that SSH can use during communication."
+    rationale: "Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.: The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a 'Sweet32' attack; The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involvingLSB values, aka the 'Bar Mitzvah' issue; The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session; Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors; The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address"
+    remediation: "Edit the /etc/ssh/sshd_configfile add/modify the Ciphersline to contain a comma separated list of the site approved ciphersExample:Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    compliance:
+      - cis: ["5.3.13"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["12.3.8"]
+    condition: none
+    rules:
+      - 'c:sh -c "sshd -T | grep ciphers" -> r:3des-cbc|aes192-cbc|aes256-cbc|arcfour|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se'
+
+  # 5.3.14 Ensure only strong MAC algorithms are used.
+  - id: 20654
+    title: "Ensure only strong MAC algorithms are used."
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example:MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.3.14"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["12.3.8"]
+    condition: none
+    rules:
+      - 'c:sh -c "sshd -T | grep macs" -> r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com'
+
+  # 5.3.15 Ensure only strong Key Exchange algorithms are used.
+  - id: 20655
+    title: "Ensure that strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received"
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks"
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms.Example:'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'"
+    compliance:
+      - cis: ["5.3.15"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["12.3.8"]
+    condition: none
+    rules:
+      - 'c:sh -c "sshd -T | grep kexalgorithms" -> r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1'
+
+  # 5.3.16 Ensure SSH Idle Timeout Interval is configured.
+  - id: 20656
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 and ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.3.16"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 300'
+      - 'f:$sshd_file -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+      - 'f:$sshd_file -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare >= 1'
+      - 'f:$sshd_file -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare >= 0'
+
+  # 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less.
+  - id: 20657
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.3.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["4.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60'
+
+  # 5.3.18 Ensure SSH warning banner is configured.
+  - id: 20658
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.3.18"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  # 5.3.19 Ensure SSH PAM is enabled.
+  - id: 20659
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes"
+    compliance:
+      - cis: ["5.3.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:$sshd_file -> r:UsePAM yes"
+
+  # 5.3.20 Ensure SSH AllowTcpForwarding is disabled.
+  - id: 20660
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and backdoors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no"
+    compliance:
+      - cis: ["5.3.20"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:$sshd_file -> r:AllowTcpForwarding no"
+
+  # 5.3.21 Ensure SSH MaxStartups is configured. Not implemented, requires manual operation.
+  - id: 20661
+    title: "Ensure SSH MaxStartups is configured. Not implemented, requires manual operation."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60"
+    compliance:
+      - cis: ["5.3.21"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:maxstartups \d+:\d+:\d+'
+
+  # 5.3.22 Ensure SSH MaxSessions is limited.
+  - id: 20662
+    title: "Ensure SSH MaxSessions is limited."
+    description: "The MaxSessions parameter Specifies the maximum number of open sessions permitted per network connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10"
+    compliance:
+      - cis: ["5.3.22"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:MaxSessions \d+'
+
+  ############################################################
+  # 5.4 Configure PAM.
+  ############################################################
+
+  # 5.4.1 Ensure password creation requirements are configured.
+  - id: 20663
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy: minlen = 14     Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy: minclass = 4    OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1      Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy:password requisite pam_pwquality.so try_first_pass retry=3"
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  # 5.4.2 Ensure lockout for failed password attempts is configured - Not implemented, requires manual operation.
+
+  # 5.4.3 Ensure password hashing algorithm is SHA-512.
+  - id: 20664
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these changes only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown: password sufficient pam_unix.so sha512"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+
+  # 5.4.4 Ensure password reuse is limited.
+  - id: 20665
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5   or    password required pam_pwhistory.so remember=5"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+
+  ############################################################
+  # 5.5 User Accounts and Environment.
+  ############################################################
+  ############################################################
+  # 5.5.1 Set Shadow Password Suite Parameters.
+  ############################################################
+
+  # 5.5.1.1 Ensure password expiration is 365 days or less.
+  - id: 20666
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 90 and modify user parameters for all users with a password set to match: chage --maxdays 90 <user>"
+    compliance:
+      - cis: ["5.5.1.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.5.1.2 Ensure minimum days between password changes is configured.
+  - id: 20667
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 and modify user parameters for all users with a password set to match: chage --mindays 7 <user>"
+    compliance:
+      - cis: ["5.5.1.2"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 5.5.1.3 Ensure password expiration warning days is 7 or more.
+  - id: 20668
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 and modify user parameters for all users with a password set to match: chage --warndays 7 <user>"
+    compliance:
+      - cis: ["5.5.1.3"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.5.1.4 Ensure inactive password lock is 30 days or less.
+  - id: 20669
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: useradd -D -f 30 and modify user parameters for all users with a password set to match: chage --inactive 30 <user>"
+    compliance:
+      - cis: ["5.5.1.4"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.5.1.5 Ensure all users last password change date is in the past - Not implemented, requires manual operation
+  # 5.5.2 Ensure system accounts are secured - Not implemented, requires manual operation
+
+  # 5.5.3 Ensure default group for the root account is GID 0.
+  - id: 20670
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: usermod -g 0 root"
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.5.4 Ensure default user shell timeout is configured.
+  - id: 20671
+    title: " Ensure default user shell timeout is 900 seconds or less."
+    description: "TMOUT is an environmental setting that determines the timeout of a shell in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening"
+    remediation: "Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.5.5 Ensure default user umask is configured.
+  - id: 20672
+    title: "Ensure default user umask is 027 or more restrictive."
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umaskcommand into the standard shell configuration files ( .profile, .bashrc, etc.) in their home directories."
+    rationale: "Setting a very secure default value for umaskensures that users make a conscious choice about their file permissions. A default umasksetting of 077causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umaskof 022would make files readable by every user on the system."
+    remediation: "Edit the /etc/bashrc, /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.5.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && n:umask 0(\d) compare <= 2'
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && n:umask 0\d(\d) compare <= 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && n:umask 0\d(\d) compare <= 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask 0(\d) compare <= 2'
+
+  # 5.6 Ensure root login is restricted to system console - Not implemented, requires manual operation
+
+  # 5.7 Ensure access to the su command is restricted.
+  - id: 20673
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su ."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid"
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ############################################################
+  # 6 System Maintenance.
+  ############################################################
+  ############################################################
+  # 6.1 System File Permissions.
+  ############################################################
+
+  # 6.1.1 Audit system file permissions - Not implemented, requires manual operation.
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured.
+  - id: 20674
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd   # chmod u-x,g-wx,o-wx /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/passwd- are configured
+  - id: 20675
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd-   # chmod u-x,g-wx,o-wx /etc/passwd-"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured.
+  - id: 20676
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 000 /etc/shadow"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/shadow- are configured.
+  - id: 20677
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow- file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow- file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/shadow-: # chown root:root /etc/shadow- # chmod 000 /etc/shadow-"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow- are configured.
+  - id: 20678
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow- file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow- file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 000 /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured.
+  - id: 20679
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/gshadow: # chown root:root /etc/gshadow # chmod 000 /etc/gshadow"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/group are configured.
+  - id: 20680
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/group-are configured.
+  - id: 20681
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.10 Ensure no world writable files exist - Not implemented, requires manual operation.
+  # 6.1.11 Ensure no unowned files or directories exist - Not implemented, requires manual operation.
+  # 6.1.12 Ensure no ungrouped files or directories exist - Not implemented, requires manual operation.
+  # 6.1.13 Audit SUID executables - Not implemented, requires manual operation.
+  # 6.1.14 Audit SGID executables - Not implemented, requires manual operation.
+
+  ############################################################
+  # 6.2 User and Group Settings.
+  ############################################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords - Not implemented, requires manual operation.
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty.
+  - id: 20682
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: passwd -l <username> || Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group - Not implemented, requires manual operation.
+
+  # 6.2.4 Ensure shadow group is empty.
+  - id: 20683
+    title: "Ensure shadow group is empty."
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group"
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily runa password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove any legacy '+' entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^shadow:\.+:\.+:\.+:\.+'
+
+  # 6.2.5 Ensure no duplicate user names exist - Not implemented, requires manual operation.
+  # 6.2.6 Ensure no duplicate group names exist - Not implemented, requires manual operation.
+  # 6.2.7 Ensure no duplicate UIDs exist - Not implemented, requires manual operation.
+  # 6.2.8 Ensure no duplicate GIDs exist - Not implemented, requires manual operation.
+
+  # 6.2.9 Ensure root is the only UID 0 account.
+  - id: 20684
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*root: && r:^\w+:\w+:0:'
+# 6.2.10 Ensure root PATH Integrity - Not implemented, requires manual operation.
+# 6.2.11 Ensure all users' home directories exist - Not implemented, requires manual operation.
+# 6.2.12 Ensure users own their home directories - Not implemented, requires manual operation.
+# 6.2.13 Ensure users' home directories permissions are 750 or more restrictive - Not implemented, requires manual operation.
+# 6.2.14 Ensure users' dot files are not group or world writable - Not implemented, requires manual operation.
+# 6.2.15 Ensure no users have .forward files - Not implemented, requires manual operation.
+# 6.2.16 Ensure no users have .netrc files - Not implemented, requires manual operation.
+# 6.2.17 Ensure no users have .rhosts files - Not implemented, requires manual operation.
diff --git a/etc/ruleset/sca/amazon/cis_amazon_linux_2023.yml b/etc/ruleset/sca/amazon/cis_amazon_linux_2023.yml
new file mode 100644
index 0000000000..be7bbf5dfb
--- /dev/null
+++ b/etc/ruleset/sca/amazon/cis_amazon_linux_2023.yml
@@ -0,0 +1,4601 @@
+# Security Configuration Assessment
+# CIS Checks for Amazon Linux 2023
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Amazon Linux 2023 Benchmark v1.0.0 - 06-02-2023
+
+policy:
+  id: "cis_amazon_linux_2023"
+  file: "cis_amazon_linux_2023.yml"
+  name: "CIS Benchmark for Amazon Linux 2023 Benchmark v1.0.0."
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Amazon Linux 2023 systems running on x86 and x64 platforms. This document was tested against Amazon Linux 2023."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Amazon Linux platform."
+  description: "Requirements for running the policy against Amazon Linux 2023."
+  condition: any
+  rules:
+    - "f:/etc/system-release -> r:^Amazon && r:release 2023"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1 Initial Setup
+  # 1.1 Filesystem Configuration.
+  # 1.1.1 Disable unused filesystems
+
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 31000
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: "Run the following script to disable squashfs: #!/usr/bin/env bash { l_mname=\"squashfs\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\b$l_mname)\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \/bin\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \"$l_mname\" to be not loadable\" echo -e \"install $l_mname \/bin\/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \"$l_mname\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\b\"; then echo -e \" - deny listing \"$l_mname\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/ $l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \"$l_mname\" doesn't exist on the system\" fi}."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1050"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/false|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*squashfs'
+
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 31001
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: "Run the following script to disable the udf filesystem: #!/usr/bin/env bash { l_mname=\"udf\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h +Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then \\# Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\b$l_mname)\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \/bin\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \"$l_mname\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> \/etc\/modprobe.d\/\"$l_mname\".conf fi \\# Remediate loaded if lsmod | grep \"$l_mname\" > \/dev\/null 2>&1; then echo -e \" - unloading module \"$l_mname\"\" modprobe -r \"$l_mname\" fi \\# Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\b\"; then echo -e \" - deny listing \"$l_mname\"\" echo -e \"blacklist $l_mname\" >> \/etc/modprobe.d\/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \"$l_mname\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1050"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/false|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 31002
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+      - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:\s*/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 31003
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 31004
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 31005
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 31006
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["MP-2", "AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0006"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:\s*/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 31007
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+  - id: 31008
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nosuid"
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 31009
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:\s*/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 31010
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 31011
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 31012
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 31013
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - nist_sp_800-53: ["CM-6"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:\s*/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 31014
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 31015
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 31016
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 31017
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - nist_sp_800-53: ["CM-6"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:\s*/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 31018
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 31019
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 31020
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 31021
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:\s*/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 31022
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 31023
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  # 1.1.8.1 Ensure /dev/shm is a separate partition. (Automated)
+  - id: 31024
+    title: "Ensure /dev/shm is a separate partition."
+    description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
+    rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
+    impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0."
+    references:
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+      - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s'
+
+  # 1.1.8.2 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 31025
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.8.3 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 31026
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.4 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 31027
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.9 Disable USB Storage. (Automated)
+  - id: 31028
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - pci_dss_v3.2.1: ["9.7.1"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+      - nist_sp_800-53: ["SC-18(4)"]
+      - mitre_techniques: ["T1091"]
+      - mitre_tactics: ["TA0001", "TA0010"]
+      - mitre_mitigations: ["M1034"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  # 1.2 Configure Software Updates
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 31029
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "f:/etc/dnf/dnf.conf -> r:gpgcheck=1"
+      - "not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck=0"
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+  # 1.2.4 Ensure gpgcheck is globally activated. (Automated) - Not Implemented
+
+  # 1.3 Filesystem Integrity Checking
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 31030
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1565", "T1565.001"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 31031
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1036", "T1036.005"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1022"]
+    condition: any
+    rules:
+      - "c:crontab -u root -l -> r:aide"
+      - "c:grep -r aide /etc/cron.* /etc/crontab -> r:aide"
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:enabled"
+
+  # 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+  - id: 31032
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: "Add or update the following selection lines for to a file ending in .conf in the /etc/aide.conf.d/ directory or to /etc/aide.conf to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512."
+    compliance:
+      - cis: ["1.3.3"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/aide.conf -> r:\/sbin\/(auditctl|auditd|ausearch|aureport|autrace|augenrules)\H*\b'
+      - 'd:/etc/aide.conf.d -> r:\.+.conf -> r:\/sbin\/(auditctl|auditd|ausearch|aureport|autrace|augenrules)\H*\b'
+
+  # 1.4 Secure Boot Settings
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 31033
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password> Run the following command to update the grub2 configuration: # grub2-mkconfig -o \"$(dirname \"$(find /boot -type f \\( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \\) -exec grep -Pl '^\\h*(kernelopts=|linux|kernel)' {} \\;)\")/grub.cfg\"."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1046"]
+    condition: any
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*password'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 31034
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options. The grub2 configuration is usually grub.cfg. On newer grub2 systems the encrypted bootloader password is contained in user.cfg. If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions desired."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Access:\s*\(0400/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.5.1 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+  # 1.5.2 Ensure ptrace_scope is restricted. (Automated) - Not Implemented
+  # 1.5.3 Ensure core dump storage is disabled. (Automated)
+  - id: 31035
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v7: ["13.2"]
+      - cmmc_v2.0: ["AM.3.036"]
+      - nist_sp_800-53: ["CM-7"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_mitigations: ["M1057"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/coredump.conf -> r:Storage=0"
+
+  # 1.5.4 Ensure core dump backtraces are disabled. (Automated)
+  - id: 31036
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc_v7: ["13.2"]
+      - cmmc_v2.0: ["AM.3.036"]
+      - nist_sp_800-53: ["CM-6"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_mitigations: ["M1057"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/coredump.conf -> r:ProcessSizeMax=0"
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 31037
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 31038
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove the selinux=0 and enforcing=0 parameters: grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0' Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: grep -Prsq -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi)\"."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*linux\.+selinux=0|linux\.+enforcing=0'
+      - 'f:/boot/grub2/grubenv -> r:^\s*linux\.+selinux=0|linux\.+enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 31039
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0003"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded\s*policy\s*name:\s*\t*targeted$|^Loaded\s*policy\s*name:\s*\t*mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 31040
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:Enforcing|Permisive"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing|^SELINUX=Permisive"
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 31041
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:Enforcing"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing"
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 31042
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "not c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 31043
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:rpm -q setroubleshoot -> r:^package\s*setroubleshoot\s*is\s*not\s*installed$'
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 31044
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["SI-4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:rpm -q mcstrans -> r:^package\s*mcstrans\s*is\s*not\s*installed$'
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 31045
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 31046
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 31047
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Amazon'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 31048
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 31049
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 31050
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 31051
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0002"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:^package gdm is not installed$"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated) - Not Implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled. (Automated) - Not Implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle. (Automated) - Not Implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden. (Automated) - Not Implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled. (Automated) - Not Implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden. (Automated) - Not Implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled. (Automated) - Not Implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden. (Automated) - Not Implemented
+
+  # 1.8.10 Ensure XDMCP is not enabled. (Automated)
+  - id: 31052
+    title: "Ensure XDMCP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1050"]
+    condition: all
+    rules:
+      - 'not f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 31053
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1211"]
+      - mitre_tactics: ["TA0004", "TA0008"]
+      - mitre_mitigations: ["M1051"]
+    condition: all
+    rules:
+      - "c:dnf check-update -> r:^No"
+      - "c:dnf needs-restarting -r -> r:Reboot should not be necessary"
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 31054
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "not f:/etc/crypto-policies/config -> r:LEGACY"
+
+  ############################################################
+  # 2 Services.
+  ############################################################
+  ############################################################
+  # 2.1 Time Synchronization.
+  ############################################################
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 31055
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - nist_800-53: ["AU-3", "AU-12"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:chrony-"
+
+  # 2.1.2  Ensure chrony is configured. (Automated)
+  - id: 31056
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'':OPTIONS=" -u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - nist_800-53: ["AU-3", "AU-12"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.2.1 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 31057
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: "Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the 'headless' Java packages for your specific Java runtime."
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed$"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 31058
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed$"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 31059
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - https://www.cups.org
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed$"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 31060
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed$"
+
+  # 2.2.5 Ensure DNS Server is not installed. (Automated)
+  - id: 31061
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed$"
+
+  # 2.2.6 Ensure VSFTP Server is not installed. (Automated)
+  - id: 31062
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd  is not installed$"
+
+  # 2.2.7 Ensure TFTP Server is not installed. (Automated)
+  - id: 31063
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    impact: "TFTP is often used to provide files for network booting such as for PXE based installation of servers."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed$"
+
+  # 2.2.8 Ensure a web server is not installed. (Automated)
+  - id: 31064
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q httpd -> r:^package httpd is not installed$"
+      - "c:rpm -q nginx -> r:^package nginx is not installed$"
+
+  # 2.2.9 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 31065
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed$"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed$"
+
+  # 2.2.10 Ensure Samba is not installed. (Automated)
+  - id: 31066
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed$"
+
+  # 2.2.11 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 31067
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed$"
+
+  # 2.2.12 Ensure net-snmp is not installed. (Automated)
+  - id: 31068
+    title: "Ensure SNMP Server is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values."
+    remediation: "Run the following command to remove net-snmp: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed$"
+
+  # 2.2.13 Ensure telnet-server is not installed. (Automated)
+  - id: 31069
+    title: "Ensure NIS server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed$"
+
+  # 2.2.14 Ensure dnsmasq is not installed. (Automated)
+  - id: 31070
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # dnf remove dnsmasq."
+    compliance:
+      - cis: ["2.2.14"]
+      - nist_sp_800-53: ["CM-7"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dnsmasq -> r:^package dnsmasq is not installed$"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 31071
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only. Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["SI-4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\s* && !r:127.0.0.1:25\.*|::1:25\.*'
+
+  # 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 31072
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-package is required as a dependency, the nfs-server should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["SI-4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed$"
+      - "c:systemctl is-enabled nfs-server -> r:masked"
+
+  # 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 31073
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind. socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["SI-4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1210", "T1498", "T1498.002", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed$"
+      - "c:systemctl is-enabled rpcbind -> r:masked"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked"
+
+  # 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked. (Automated)
+  - id: 31074
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync-daemon package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync-daemon package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["SI-4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed$"
+      - "c:systemctl is-enabled rsyncd -> r:masked"
+
+  ############################################################
+  # 2.3 Service Clients.
+  ############################################################
+
+  # 2.3.1 Ensure telnet client is not installed. (Automated)
+  - id: 31075
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_mitigations: ["M1041", "M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed$"
+
+  # 2.3.2 Ensure LDAP client is not installed. (Automated)
+  - id: 31076
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed$"
+
+  # 2.3.3 Ensure TFTP client is not installed. (Automated)
+  - id: 31077
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed$"
+
+  # 2.3.4 Ensure FTP client is not installed. (Automated)
+  - id: 31078
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed$"
+
+  # 2.4 Ensure nonessential services listening on the system are removed or masked. (Manual) - Not implemented
+
+  ############################################################
+  # 3 Network Configuration
+  ############################################################
+
+  #######################################################
+  # 3.1 Disable unused network protocols and devices.
+  #######################################################
+
+  # 3.1.1 Ensure IPv6 status is identified. (Manual) - Not implemented
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not implemented
+  # 3.1.3 Ensure TIPC is disabled. (Automated) - Not implemented
+
+  #######################################################
+  # 3.2 Network Parameters (Host Only).
+  #######################################################
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not implemented
+  # 3.2.2 Ensure packet redirect sending is disabled  (Automated) - Not implemented
+
+  ##################################################
+  # 3.3 Network Parameters (Host and Router).
+  ##################################################
+  # 3.3.1 Ensure source routed packets are not accepted (Automated) - Not implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted (Automated) - Not implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not implemented
+
+  ############################################################
+  # 3.4 Configure Host Based Firewall.
+  ############################################################
+
+  ############################################################
+  # 3.4.1 Configure a firewall utility.
+  ############################################################
+
+  # 3.4.1.1 Ensure nftables is installed. (Automated)
+  - id: 31079
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - soc_2: ["CC6.6"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.4.1.2 Ensure a single firewall configuration utility is in use. (Automated) - Not implemented
+
+  ############################################################
+  # 3.4.2 Configure nfttables.
+  ############################################################
+
+  # 3.4.2.1 Ensure firewalld default zone is set. (Automated) - Not implemented
+
+  # 3.4.2.2 Ensure at least one nftables table exists. (Automated)
+  - id: 31080
+    title: "Ensure at least one nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "Without a table, nftables will not filter network traffic."
+    impact: "Adding or modifying firewall rules can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example if FirewallD is not in use on the system: # nft create table inet filter Note: FirewallD uses the table inet firewalld NFTables table that is created when FirewallD is installed."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+      - "c:nft list tables -> r:^table"
+
+  # 3.4.2.3 Ensure nftables base chains exist.
+  - id: 31081
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+      - "c:nft list ruleset -> r:input"
+      - "c:nft list ruleset -> r:forward"
+      - "c:nft list ruleset -> r:output"
+
+  # 3.4.2.4 Ensure host based firewall loopback traffic is configured. (Automated) - Not implemented
+  # 3.4.2.5 Ensure firewalld drops unnecessary services and ports. (Manual) - Not implemented
+  # 3.4.2.6 Ensure nftables established connections are configured. (Manual) - Not implemented
+
+  # 3.4.2.7 Ensure nftables default deny firewall policy.(Automated)
+  - id: 31082
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "If NFTables utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+      - "c:nft list ruleset -> r:input && r:drop"
+      - "c:nft list ruleset -> r:forward && r:drop"
+      - "c:nft list ruleset -> r:output && r:drop"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 31083
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+      - "not c:rpm -q audit -> r:^package audit is not installed$"
+
+  # 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 31084
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to add audit=1 to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit=(\d+) compare == 1'
+
+  # 4.1.1.3 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 31085
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.1.4 Ensure auditd service is enabled. (Automated)
+  - id: 31086
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled auditd -> r:^\s*enabled'
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 31087
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+$'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 31088
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs$'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 31089
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 31090
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 31091
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 31092
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 31093
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 31094
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 31095
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-mounts.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0010"]
+      - mitre_mitigations: ["M1034"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 31096
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0001"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 31097
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0001"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 31098
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 31099
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 31100
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 31101
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-priv_cmd.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 31102
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 31103
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 31104
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 31105
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2\" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sh -c "grep -iEh ''^\s*\t*-e 2\s*$'' /etc/audit/rules.d/*.rules | tail -1" -> r:^\s*\t*-e 2\s*$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 31106
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:augenrules --check -> r:^\s*/usr/sbin/augenrules && r:No change$'
+
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive. (Automated) -Not Implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files (Automated) - Not Implemented
+
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files (Automated)
+  - id: 31107
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file\\s*=\\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*log_group\s*\t*=\s*\t*adm|^\s*\t*log_group\s*\t*=\s*\t*root'
+      - 'c:sh -c "DIR_NAME=$(awk -F\"=\" ''/^\s*\t*log_file\s*\t*/ {print $2}'' /etc/audit/auditd.conf); stat -c \"%G\" $DIR_NAME" -> r:adm|root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive (Automated) - Not Implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive (Automated)
+  - id: 31108
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.rules" -> r:^/etc/audit && !r:640|600|400'
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.conf" -> r:^/etc/audit && !r:640|600|400'
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root (Automated)
+  - id: 31109
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root (Automated)
+  - id: 31110
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive (Automated)
+  - id: 31111
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 4.1.4.9 Ensure audit tools are owned by root (Automated)
+  - id: 31112
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.10 Ensure audit tools belong to group root (Automated)
+  - id: 31113
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  ############################################################
+  # 4.2 Configure Logging
+  ############################################################
+
+  ############################################################
+  # 4.2.1 Configure rsyslog
+  ############################################################
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 31114
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1005", "T1070", "1070.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:rpm -q rsyslog -> r:^\s*\t*rsyslog-'
+      - 'not c:rpm -q rsyslog -> r:^\s*\t*package rsyslog is not installed$'
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 31115
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1211", "T1562", "1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled$"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 31116
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 31117
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+      - 'd:/etc/rsyslog.d/ -> r:\.+.conf -> r:^\$FileCreateMode 0640|^\$FileCreateMode 0600|^\$FileCreateMode 0400'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual) - Not Implemented
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 31118
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  ############################################################
+  # 4.2.2 Configure journald
+  ############################################################
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 31119
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'c:rpm -q systemd-journal-remote -> r:^\s*\t*systemd-journal-remote-'
+      - 'not c:rpm -q systemd-journal-remote -> r:^\s*\t*package systemd-journal-remote is not installed$'
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 31120
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled systemd-journal-upload.service -> r:^\s*\t*enabled$'
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 31121
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled systemd-journal-remote.socket -> r:^\s*\t*masked$'
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 31122
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 31123
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*\t*=\s*\t*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 31124
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*\t*=\s*\t*persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 31125
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  ############################################################
+  # 5 Access, Authentication and Authorization
+  ############################################################
+
+  ####################################################
+  # 5.1 Configure time-based job schedulers.
+  ####################################################
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 31126
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled crond -> r:^\s*\t*enabled$'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 31127
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 31128
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access:\s*\(0\d00/d\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 31129
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access:\s*\(0\d00/drwx------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 31130
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access:\s*\(0\d00/d\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 31131
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access:\s*\(0\d00/d\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 31132
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access:\s*\(0\d00/d\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 31133
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow: #!/usr/bin/env bash { if rpm -q cronie >/dev/null; then [ -e /etc/cron.deny ] && rm -f /etc/cron.deny [ ! -e /etc/cron.allow ] && touch /etc/cron.allow chown root:root /etc/cron.allow chmod u-x,go-rwx /etc/cron.allow else echo "cron is not installed on the system" fi } OR Run the following command to remove cron: # dnf remove cronie.'
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat -L /etc/cron.allow -> r:^Access:\s*\(0\d\d0/-\w\w\w\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 31134
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file mode for /etc/at.allow: #!/usr/bin/env bash { if rpm -q at >/dev/null; then [ -e /etc/at.deny ] && rm -f /etc/at.deny [ ! -e /etc/at.allow ] && touch /etc/at.allow chown root:root /etc/at.allow chmod u-x,go-rwx /etc/at.allow else echo "at is not installed on the system" fi } OR Run the following command to remove at: # dnf remove at.'
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat -L /etc/at.allow -> r:^Access:\s*\(0\d\d0/-\w\w\w\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  ####################################################
+  # 5.2 Configure SSH Server
+  ####################################################
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 31135
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 31136
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set one or more of the parameters as follows: AllowUsers <userlist> -OR- AllowGroups <grouplist> -OR- DenyUsers <userlist> -OR- DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 31137
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LogLevel parameter as follows: LogLevel VERBOSE OR LogLevel INFO Run the following command to comment out any LogLevel parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than VERBOSE or INFO: # grep -Pi ''^\\h*LogLevel\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''(VERBOSE|INFO)'' | while read -r l_out; do sed -ri \"/^\\s*LogLevel\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*LogLevel\s+INFO|^\s*\t*LogLevel\s+VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+INFO|^\s*\t*LogLevel\s+VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+ && !r:INFO|VERBOSE'
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 31138
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: 'Edit or create a file in the directory /etc/ssh/sshd_config.d/ ending in *.conf or the /etc/ssh/sshd_config file and set the parameter as follows: UsePAM yes Run the following command to comment out any UsePAM parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi ''^\\h*UsePAM\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''yes'' | while read -r l_out; do sed -ri \"/^\\s*UsePAM\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*usepam\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 31139
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitRootLogin parameter as follows: PermitRootLogin no Run the following command to comment out any PermitRootLogin parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi ''^\\h*PermitRootLogin\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri \"/^\\s*PermitRootLogin\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitRootLogin\s+no'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\s+no'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 31140
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the HostbasedAuthentication parameter as follows: HostbasedAuthentication no Run the following command to comment out any HostbasedAuthentication parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi ''^\\h*HostbasedAuthentication\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri \"/^\\s*HostbasedAuthentication\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*HostbasedAuthentication\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 31141
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitEmptyPasswords parameter as follows: PermitEmptyPasswords no Run the following command to comment out any PermitEmptyPasswords parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi ''^\\h*PermitEmptyPasswords\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri \"/^\\s*PermitEmptyPasswords\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitEmptyPasswords\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 31142
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitUserEnvironment parameter as follows: PermitUserEnvironment no Run the following command to comment out any PermitUserEnvironment parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi ''^\\h*PermitUserEnvironment\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri \"/^\\s*PermitUserEnvironment\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*PermitUserEnvironment\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 31143
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter as follows: IgnoreRhosts yes Run the following command to comment out any IgnoreRhosts parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi ''^\\h*IgnoreRhosts\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''yes'' | while read -r l_out; do sed -ri \"/^\s*IgnoreRhosts\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.11"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*IgnoreRhosts\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 31144
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the X11Forwarding parameter as follows: X11Forwarding no Run the following command to comment out any X11Forwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi ''^\\h*X11Forwarding\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri \"/^\\s*X11Forwarding\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*X11Forwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 31145
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the AllowTcpForwarding parameter as follows: AllowTcpForwarding no Run the following command to comment out any AllowTcpForwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi ''^\\h*AllowTcpForwarding\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi ''no'' | while read -r l_out; do sed -ri "/^\\s*AllowTcpForwarding\\s+/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 31146
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> r:^\s*CRYPTO_POLICY\s*='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 31147
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the Banner parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*banner\s*\t*/'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*banner\s*\t*/'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 31148
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows: MaxAuthTries 4 Run the following command to comment out any MaxAuthTries parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 4: # grep -Pi ''^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*maxauthtries\\s+([5-9]|[1-9][0-9]+)/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare > 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 31149
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxStartups parameter as follows: MaxStartups 10:30:60 Run the following command to comment out any MaxStartups parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10:30:60: # grep -Pi ''^\\s*maxstartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxStartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare > 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare > 30'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare > 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 31150
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxSessions parameter as follows: MaxSessions 10 Run the following command to comment out any MaxSessions parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10 # grep -Pi ''^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.18"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*maxsessions\s+(\d+) compare <= 10'
+      - 'f:/etc/ssh/sshd_config ->  n:^\s*\t*maxsessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config ->  n:^\s*\t*maxsessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 31151
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: 'Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60 Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LoginGraceTime parameter as follows: LoginGraceTime 60 -or- LoginGraceTime 1m Run the following command to comment out any LoginGraceTime parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting equal to 0 or greater than 60 seconds: # grep -Pi ''^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004", "T1499", "T1499.002"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 31152
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: 'Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the ClientAliveInterval and ClientAliveCountMax parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3 Edit files ending in *.conf in the /etc/ssh/sshd_config.d/ directory and the /etc/ssh/sshd_config file and remove occurrences of the ClientAliveInterval and ClientAliveCountMax parameters not in accordence with local site policy. Run the following command to comment out any ClientAliveCountMax parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include the setting of 0 \"disabled\": # grep -Pi ''^\\h*ClientAliveCountMax\\h+0\\b'' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*ClientAliveCountMax\\s+0/s/^/# /\" \"$(awk -F: ''{print $1}'' <<< $l_out)\";done.'
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare > 0'
+
+  ####################################################
+  # 5.3 Configure privilege escalation
+  ####################################################
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 31153
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dnf list installed| grep sudo -> r:^sudo.x86_64"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 31154
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_mitigations: ["M1026", "M1038"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 31155
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1026"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 31156
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 31157
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 31158
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -V -> r:Authentication timestamp timeout:\s*\t*15.0 minutes'
+      - 'f:/etc/sudoers -> n:timestamp_timeout=(\d+) compare < 15'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 31159
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  ####################################################
+  # 5.4 Configure authselect
+  ####################################################
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual) - Not Implemented
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 31160
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth\s*silent'
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*authfail'
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:account\s*\t*required\s*\t*pam_faillock.so'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*preauth\s*silent'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*authfail'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:account\s*\t*required\s*\t*pam_faillock.so'
+
+  ####################################################
+  # 5.5 Configure PAM
+  ####################################################
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 31161
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more ** Either of the following can be used to enforce complex passwords:** - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1178.001", "T1178.002", "T1178.003", "T1178.004", "T1110", "T1110.001", "T1110.002", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*try_first_pass\s*local_users_only\s*enforce_for_root\s*retry=3'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*try_first_pass\s*local_users_only\s*enforce_for_root\s*retry=3'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:minclass\s*\t*=\s*\t*(\d+) compare >=4'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 31162
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be not greater than 5 and unlock_time should be 0 (never), or 900 seconds or greater. Depending on the version you are running, follow one of the two methods bellow. Versions 8.2 and later: Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900 Versions 8.0 and 8.1: Run the following script to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options. This script should be modified as needed to follow local site policy. #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=(0|[6-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/deny=\\S+/deny=5/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=\\d*\\b.*$' \"$file\"; then sed -r 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 deny=5 \\4/' $file fi if grep -P -- '^\\h*(auth\\h+required\\h+pam_faillock\\.so\\h+)([^#\\n\\r]+)?\\h+unlock_time=([1-9]|[1-9][0-9]|[1-8][0-9][0-9])\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/unlock_time=\\S+/unlock_time=900/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+unlock_time=\\d*\\b.*$ ' \"$file\"; then sed -ri 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 unlock_time=900 \\4/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: none
+    rules:
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:^\s*\t*deny\s*\t*=\s*\t*(\d+) compare > 5'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:^\s*\t*deny\s*\t*=\s*\t*(\d+) compare == 0'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:^\s*\t*unlock_time\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:^\s*\t*unlock_time\s*\t*=\s*\t*(\d+) compare == 0'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 31163
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*requisite\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*sufficient\s*\t*pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 31164
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: all
+    rules:
+      - 'f:/etc/libuser.conf -> r:^\s*\t*crypt_style\s*\t*=\s*\t*sha512'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD\s*\t*SHA512'
+      - 'f:/etc/pam.d/password-auth -> !r:^\s*\t*# && r:password\s*\t*sufficient\s*\t*pam_unix.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*sufficient\s*\t*pam_unix.so && r:sha512'
+
+  # ####################################################
+  # # 5.6 User Accounts and Environment
+  # ####################################################
+
+  # ####################################################
+  # # 5.6.1 Set Shadow Password Suite Parameters.
+  # ####################################################
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 31165
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:(\d+): compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is 7 or more. (Automated)
+  - id: 31166
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare == 0'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 31167
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:\d+:(\d+): compare < 7'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 31168
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'not f:/etc/shadow -> n:^\w+:\w+:\w+:\w+:\w+:\w+:(\d+): compare > 30'
+      - 'not f:/etc/shadow -> r:^\w+:\w+:\w+:\w+:\w+:\w+:-1:'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - No Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 31169
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && r:root:\w+:\w+:0:'
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+
+  # 5.6.6 Ensure root password is set. (Automated)
+  - id: 31170
+    title: "Ensure default group for the root account is GID 0."
+    description: "There are a number of methods to access the root account directly. Without a password set any user would be able to gain access and thus control over the entire system."
+    rationale: "Access to root should be secured at all times."
+    remediation: "Set the root password with: # passwd root."
+    compliance:
+      - cis: ["5.6.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'c:passwd -S root -> r:Password\s*set'
+
+  ####################################################
+  # 6 System Maintenance
+  ####################################################
+
+  ####################################################
+  # 6.1 System File Permissions
+  ####################################################
+
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 31171
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 31172
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.3 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 31173
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.4 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 31174
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.5 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 31175
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.6 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 31176
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:^\s*/etc/shadow\s*\t*0\s*t*0/root\s*\t*0/root$|^\s*/etc/shadow\s*0\s*0\s*root\s*0\s*root$'
+
+  # 6.1.7 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 31177
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow-: # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:^\s*/etc/shadow-\s*\t*0\s*t*0/root\s*\t*0/root$|^\s*/etc/shadow-\s*0\s*0\s*root\s*0\s*root$'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 31178
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow: # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:^\s*/etc/gshadow\s*\t*0\s*t*0/root\s*\t*0/root$|^\s*/etc/gshadow\s*0\s*0\s*root\s*0\s*root$'
+
+  # 6.1.9 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 31179
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1003, T1003.008, T1222, T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow- -> r:^\s*/etc/gshadow-\s*\t*0\s*t*0/root\s*\t*0/root$|^\s*/etc/gshadow-\s*0\s*0\s*root\s*0\s*root$'
+
+  # 6.1.10 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+
+  # 6.1.13 Ensure sticky bit is set on all world-writable directories. (Automated)
+  - id: 31180
+    title: "Ensure sticky bit is set on all world-writable directories."
+    description: "Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them."
+    rationale: "This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user."
+    remediation: "Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | xargs -I '{}' chmod a+t '{}'."
+    compliance:
+      - cis: ["6.1.13"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1028"]
+    condition: all
+    rules:
+      - 'not c:sh -c "df --local -P 2> /dev/null | awk ''{if (NR!=1) print $6}'' | xargs -I ''{}'' find ''{}'' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" -> r:^/'
+
+  # 6.1.14 Audit SUID executables. (Manual)
+  # 6.1.15 Audit SGID executables. (Manual)
+  # 6.1.16 Audit system file permissions. (Manual)
+
+  ####################################################
+  # 6.2 User and Group Settings
+  ####################################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+  - id: 31181
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 31182
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group - Not implemente
+  # 6.2.4 Ensure no duplicate UIDs exist - Not implemented
+  # 6.2.5 Ensure no duplicate GIDs exist - Not implemented
+  # 6.2.6 Ensure no duplicate user names exist - Not implemented
+  # 6.2.7 Ensure no duplicate group names exist - Not implemented
+  # 6.2.8 Ensure root PATH Integrity - Not implemented
+
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 31183
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.10 Ensure local interactive user home directories exist (Automated) - Not Implemented
+  # 6.2.11 Ensure local interactive users own their home directories (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - Not Implemented
+  # 6.2.13 Ensure no local interactive user has .netrc files (Automated) - Not Implemented
+  # 6.2.14 Ensure no local interactive user has .forward files (Automated) - Not Implemented
+  # 6.2.15 Ensure no local interactive user has .rhosts files (Automated) - Not Implemented
+  # 6.2.16 Ensure local interactive user dot files are not group or world writable (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/applications/cis_apache_24.yml b/etc/ruleset/sca/applications/cis_apache_24.yml
new file mode 100644
index 0000000000..e8d25da4fd
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_apache_24.yml
@@ -0,0 +1,518 @@
+# Security Configuration Assessment
+# CIS Checks for Apache
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Apache 2.4 v1.5.0 - 06-12-2019
+#
+# RPM based distributions locate its Apache configuration files under /etc/httpd
+# Otherwise, Debian-based distros do it under /etc/apache2
+# Adapt this policy to each case by commuting the commented block of variables as well as the requirement rules
+
+policy:
+  id: "cis_apache"
+  file: "cis_apache_24.yml"
+  name: "CIS Apache HTTP Server 2.4 Benchmark v1.5.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server version 2.4 running on Linux."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that Apache is installed on the system. If your Apache installation is located at /etc/apache2, review the policy file"
+  description: "Requirements for running the SCA scan against the Apache policy."
+  condition: any
+  rules:
+    - "f:/etc/httpd/conf/httpd.conf"
+#    - 'f:/etc/apache2/apache2.conf'
+
+variables:
+  $main-conf: /etc/httpd/conf/httpd.conf
+  $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d
+  $ssl-confs: /etc/httpd/conf.d/ssl.conf
+  $request-confs: /etc/httpd/conf/httpd.conf
+  $traceen: /etc/httpd/conf/httpd.conf
+  $enabled-modules: httpd -M
+
+# In case your installation is located in: /etc/apache2 use this block of variables
+#variables:
+#  $main-conf: /etc/apache2/apache2.conf
+#  $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled
+#  $ssl-confs: /etc/apache2/mods-enabled/ssl.conf
+#  $request-confs: /etc/apache2/mods-enabled/reqtimeout.conf
+#  $traceen: /etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf
+#  $enabled-modules: apachectl -M
+
+#2.3 Disable WebDAV Modules
+checks:
+  - id: 10000
+    title: "Ensure the WebDAV Modules Are Disabled"
+    description: "The Apache mod_dav and mod_dav_fs modules support WebDAV (Web-based Distributed Authoring and Versioning) functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server."
+    rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls."
+    remediation: "Perform either one of the following to disable WebDAV module: 1. For source builds with static modules run the Apache ./configure script without including the mod_dav, and mod_dav_fs in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file. ##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_dav.html
+    condition: none
+    rules:
+      - 'c:$enabled-modules -> r:dav_\.+module'
+
+  #2.4 Disable Status Module
+  - id: 10001
+    title: "Ensure the Status Module Is Disabled"
+    description: "The Apache mod_status module provides current server performance statistics."
+    rationale: "When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). The mod_status module may provide an adversary with information that can be used to refine exploits that depend on measuring server load."
+    remediation: "Perform either one of the following to disable the mod_status module: 1) For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. 2) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file. ##LoadModule status_module modules/mod_status.so"
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_status.html
+    condition: none
+    rules:
+      - "c:$enabled-modules -> r:status_module"
+
+  #2.5 Disable Autoindex Module
+  - id: 10002
+    title: "Ensure the Autoindex Module Is Disabled"
+    description: "The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated."
+    rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed."
+    remediation: "Perform either one of the following to disable the mod_autoindex module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure -disable-autoindex. 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file. ## LoadModule autoindex_module modules/mod_autoindex.so"
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
+    condition: none
+    rules:
+      - "c:$enabled-modules -> r:autoindex_module"
+
+  #2.6 Disable Proxy Modules
+  - id: 10003
+    title: "Ensure the Proxy Modules Are Disabled"
+    description: "The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network then the proxy module should not be loaded."
+    rationale: "Proxy servers can act as an important security control when properly configured, however a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack, as proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network."
+    remediation: "Perform either one of the following to disable the proxy module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_proxy in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules from the httpd.conf file. ##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so"
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
+    condition: none
+    rules:
+      - "c:$enabled-modules -> r:proxy_"
+
+  #2.7 Disable User Directories Modules
+  - id: 10004
+    title: "Ensure the User Directories Module Is Disabled"
+    description: "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed."
+    rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site."
+    remediation: "Perform either one of the following to disable the user directories module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure --disable-userdir 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file. ##LoadModule userdir_module modules/mod_userdir.so"
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["18", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html
+    condition: none
+    rules:
+      - "c:$enabled-modules -> userdir_"
+
+  #2.8 Disable Info Module
+  - id: 10005
+    title: "Ensure the Info Module Is Disabled"
+    description: "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location."
+    rationale: "While having server configuration information available as a web page may be convenient it is recommended that this module NOT be enabled. Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc."
+    remediation: "Perform either one of the following to disable the mod_info module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_info in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file. ##LoadModule info_module modules/mod_info.so"
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_info.html
+    condition: none
+    rules:
+      - "c:$enabled-modules -> r:info_module"
+
+  #3.2 Give the Apache User Account an Invalid Shell
+  - id: 10006
+    title: "Ensure the Apache User Account Has an Invalid Shell"
+    description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to login."
+    rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system."
+    remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache"
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc: ["16", "4.3"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$"
+
+  #3.3 Lock the Apache User Account
+  - id: 10007
+    title: "Ensure the Apache User Account Is Locked"
+    description: "The user account under which Apache runs should not have a valid password, but should be locked."
+    rationale: "As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from suing to apache using the password. In general, there should not be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password."
+    remediation: "Use the passwd command to lock the apache account: # passwd -l apache"
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc: ["16", "16.8"]
+    condition: any
+    rules:
+      - 'c:passwd -S apache -> r:apache && r:\s*\t*L|\s*\t*LK'
+      - "c:passwd -S apache -> r:apache && r:Password locked"
+
+  #4.4 Restrict Override for All Directories
+  - id: 10008
+    title: "Ensure OverRide Is Disabled for All Directories"
+    description: "The Apache AllowOverride directive and the new AllowOverrideList directive allow for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess context is allowed in .htaccess files."
+    rationale: ".htaccess files decentralizes access control and increases the risk of server configuration being changed inappropriately."
+    remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. 2. Set the value for all AllowOverride directives to None. 3. Remove any AllowOverrideList directives found."
+    compliance:
+      - cis: ["4.4"]
+      - cis_csc: ["14.4", "14.6"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
+      - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
+    condition: all
+    rules:
+      - "d:$conf-dirs -> conf -> !r:^# && r:allowoverride|AllowOverride && r:none|None"
+      - "not d:$conf-dirs -> conf -> r:allowoverridelist|AllowOverrideList"
+      - "f:$main-conf -> !r:^# && r:allowoverride|AllowOverride && r:none|None"
+      - "f:$main-conf -> r:allowoverridelist|AllowOverrideList"
+
+  #5.3 Minimize Options for Other Directories
+  - id: 10009
+    title: "Ensure Options for Other Directories Are Minimized"
+    description: "The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation."
+    rationale: "Likewise, the options for other directories and hosts needs to be restricted to the minimal options required. A setting of None is recommended, however it is recognized that other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, & Indexes."
+    remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements. 2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above."
+    compliance:
+      - cis: ["5.3"]
+      - cis_csc: ["18", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#options
+      - https://httpd.apache.org/docs/2.4/mod/mod_include.html
+    condition: none
+    rules:
+      - "d:$conf-dirs -> conf -> !r:^# && r:options && r:includes|Includes"
+      - "f:$main-conf -> !r:^# && r:options && r:includes|Includes"
+
+  #5.4.2 Remove the Apache user manual
+  - id: 10010
+    title: "Ensure Default HTML Content Is Removed"
+    description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed."
+    rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
+    remediation: "Review all pre-installed content and remove content which is not required. In particular look for the unnecessary content which may be found in the document root directory, a configuration directory such as conf/extra directory, or as a Unix/Linux package. 1. Remove the default index.html or welcome page if it is a separate package. If it is part of main Apache httpd package such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf, is not recommended as it may get replaced if the package is updated. 2. Remove the Apache user manual content or comment out configurations referencing the manual. # yum erase httpd-manual 3. Remove or comment out any Server Information handler configuration. 4. Remove or comment out any other handler configuration such as perl-status."
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc: ["18.9", "5.1"]
+    condition: none
+    rules:
+      - "d:/var/www -> index.html"
+      - "d:/var/www/html -> index.html"
+      - "d:$conf-dirs -> r:manual.conf|apache2-doc.conf"
+      - "d:$conf-dirs -> conf -> !r:^# && r:sethandler|SetHandler && r:server"
+      - "f:$main-conf -> !r:^# && r:sethandler|SetHandler && r:server"
+      - "d:$conf-dirs -> conf -> !r:^# && r:sethandler|SetHandler && r:perl"
+      - "f:$main-conf -> !r:^# && r:sethandler|SetHandler && r:perl"
+
+  #5.5 Remove default CGI content printenv
+  - id: 10011
+    title: "Ensure the Default CGI Content printenv Script Is Removed"
+    description: "Most Web Servers, including Apache installations have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for Apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables which includes many server configuration details and system paths."
+    rationale: "CGI programs have a long history of security bugs and problems associated with improperly accepting user-input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server including directory paths and detailed version and configuration information."
+    remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the printenvdefault CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/printenv"
+    compliance:
+      - cis: ["5.5"]
+      - cis_csc: ["18", "4.7"]
+    condition: none
+    rules:
+      - "d:/var/www/cgi-bin -> printenv"
+      - "d:/usr/lib/cgi-bin -> printenv"
+
+  #5.6 Remove default CGI content test-cgi
+  - id: 10012
+    title: "Ensure the Default CGI Content test-cgi Script Is Removed"
+    description: "Most Web Servers, including Apache installations have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi. This script will print back to the requester CGI environment variables which includes many server configuration details."
+    rationale: "CGI programs have a long history of security bugs and problems associated with improperly accepting user-input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server including directory paths and detailed version and configuration information."
+    remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the test-cgi default CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/test-cgi"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["18.9", "4.7"]
+    condition: none
+    rules:
+      - "d:/var/www/cgi-bin -> test-cgi"
+      - "d:/usr/lib/cgi-bin -> test-cgi"
+
+  #5.8 Disable HTTP Trace Method
+  - id: 10013
+    title: "Ensure the HTTP TRACE Method Is Disabled"
+    description: "Use the Apache TraceEnable directive to disable the HTTP TRACE request method."
+    rationale: "The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse and should be disabled."
+    remediation: "Perform the following to implement the recommended state: 1. Locate the main Apache configuration file such as httpd.conf. 2. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>."
+    compliance:
+      - cis: ["5.8"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://www.ietf.org/rfc/rfc2616.txt
+      - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
+    condition: all
+    rules:
+      - "f:$traceen -> !r:^# && r:TraceEnable && r:off"
+
+  #5.13 Restrict Listen Directive
+  - id: 10014
+    title: "Ensure the IP Addresses for Listening for Requests Are Specified"
+    description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an IP address of zeros should not be used."
+    rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an inappropriate IP address / interface that was not intended for the web server. Single homed system with a single IP addressed are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date."
+    remediation: "Perform the following to implement the recommended state: 1. Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. 2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address & Port."
+    compliance:
+      - cis: ["5.13"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
+    condition: none
+    rules:
+      - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s*\t*\d+$|Listen\s*\t*\d+$'
+      - "d:$conf-dirs -> conf -> !r:^# && r:listen|Listen && r:0.0.0.0"
+      - 'f:$main-conf -> !r:^# && r:listen\s*\t*\d+$|Listen\s*\t*\d+$'
+      - "f:$main-conf -> !r:^# && r:listen|Listen && r:0.0.0.0"
+
+  #5.14 Restrict Browser Frame Options
+  - id: 10015
+    title: "Ensure Browser Framing Is Restricted"
+    description: "The Header directive allows server HTTP response headers to be added, replaced or merged. We will use the directive to add a server HTTP response header to tell browsers to restrict all of the web pages from being framed by other web sites."
+    rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which using frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP Response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or those frames that share the pages origin (SAMEORIGIN)."
+    remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frames-Options header in the Apache configuration to have the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below. Header always append X-Frame-Options SAMEORIGIN"
+    compliance:
+      - cis: ["5.14"]
+      - cis_csc: ["18", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
+      - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+      - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
+    condition: all
+    rules:
+      - "f:$main-conf -> r:Header && r:always && r:append && r:X-Frame-Options && r:SAMEORIGIN|DENY"
+
+  #7.6 Disable SSL Insecure Renegotiation
+  - id: 10016
+    title: "Ensure Insecure SSL Renegotiation Is Not Enabled"
+    description: "A man-in-the-middle renegotiation attack was discovered in SSLv3 and TLSv1 in November, 2009 (CVE-2009-3555). First, a work around and then a fix was approved as an Internet Standard as RFC 574, Feb 2010. The work around, which removes the renegotiation, is available from OpenSSL as of version 0.9.8l and newer versions. For details: https://www.openssl.org/news/secadv_20091111.txt The SSLInsecureRenegotiation directive was added in Apache 2.2.15, for web servers linked with OpenSSL version 0.9.8m or later, to provide backward compatibility to clients with the older, unpatched SSL implementations."
+    rationale: "Enabling the SSLInsecureRenegotiation directive leaves the server vulnerable to man-in- the-middle renegotiation attack. Therefore, the SSLInsecureRenegotiation directive should not be enabled."
+    remediation: "Perform the following to implement the recommended state: Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present modify the value to be off. If the directive is not present then no action is required. SSLInsecureRenegotiation off"
+    compliance:
+      - cis: ["7.6"]
+      - cis_csc: ["14.2", "14.4"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
+      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
+      - https://azure.microsoft.com/en-us/services/multi-factor-authentication/
+    condition: none
+    rules:
+      - 'f:$ssl-confs -> !r:^# && r:sslinsecurerenegotiation|SSLInsecureRenegotiation && r:\s+on$'
+
+  #7.7 Ensure SSL Compression is not enabled
+  - id: 10017
+    title: "Ensure SSL Compression is Not Enabled"
+    description: "The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off."
+    rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator."
+    remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files for the SSLCompression directive. 2. If the directive is present, set it to off."
+    compliance:
+      - cis: ["7.7"]
+      - cis_csc: ["14.2", "14.4"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
+      - https://en.wikipedia.org/wiki/CRIME
+
+    condition: none
+    rules:
+      - 'f:$ssl-confs -> !r:^# && r:sslcompression|SSLCompression && r:\s+on$'
+
+  #8.1 Set ServerToken to Prod or ProductOnly
+  - id: 10018
+    title: "Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'"
+    description: "Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed."
+    rationale: "Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released."
+    remediation: "Perform the following to implement the recommended state: Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
+    compliance:
+      - cis: ["8.1"]
+      - cis_csc: ["18.9", "14.7"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
+    condition: any
+    rules:
+      - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens|ServerTokens && r:\s+Prod|\s+ProductOnly'
+
+  #8.2: Set ServerSignature to Off
+  - id: 10019
+    title: "Ensure ServerSignature Is Not Enabled"
+    description: "Disable the server signatures which generates a signature line as a trailing footer at the bottom of server generated documents such as error pages."
+    rationale: "Server signatures are helpful when the server is acting as a proxy, since it helps the user distinguish errors from the proxy rather than the destination server, however in this context there is no need for the additional information."
+    remediation: "Perform the following to implement the recommended state: Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
+    compliance:
+      - cis: ["8.2"]
+      - cis_csc: ["18", "13.2"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
+    condition: none
+    rules:
+      - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature|ServerSignature && r:\s+on|\s+On'
+
+  #9.1:Set TimeOut to 10 or less
+  - id: 10020
+    title: "Ensure the TimeOut Is Set to 10 or Less"
+    description: "Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity. DoS attacks, which are normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality. Although there is no 100% solution for preventing DoS attacks, the following recommendation uses the Timeout directive to mitigate some of the risk, by requiring more effort for a successful DoS attack. Of course, DoS attacks can happen in rather unintentional ways as well as intentional and these directives will help in many of those situations as well."
+    rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections and we allow the server to free up resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. The Timeout directive affects several timeout values for Apache, so review the Apache document carefully."
+    remediation: "Perform the following to implement the recommended state: Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter. Timeout 10"
+    compliance:
+      - cis: ["9.1"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && && r:timeout|Timeout && n:\s+(\d+) compare <= 10'
+
+  #9.2:Set the KeepAlive directive to On
+  - id: 10021
+    title: "Ensure KeepAlive Is Enabled"
+    description: "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On."
+    rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server resiliency to DoS attacks."
+    remediation: "Perform the following to implement the recommended state: Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled. KeepAlive On"
+    compliance:
+      - cis: ["9.2"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
+    condition: none
+    rules:
+      - 'f:$main-conf -> !r:^# && r:keepalive|KeepAlive && r:\s+off|\s+Off'
+
+  #9.3:Set MaxKeepAliveRequests to 100 or greater
+  - id: 10022
+    title: "Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater"
+    description: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed."
+    rationale: "The MaxKeepAliveRequests directive is important to be used to mitigate the risk of Denial of Service (DoS) attack technique by reducing the overhead imposed on the server. The KeepAlive directive must be enabled before it is effective. Enabling KeepAlives allows for multiple HTTP requests to be sent while keeping the same TCP connection alive. This reduces the overhead of having to setup and tear down TCP connections for each request. By making the server more efficient, it will be more resilient to DoS conditions."
+    remediation: "Perform the following to implement the recommended state: Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more. MaxKeepAliveRequests 100"
+    compliance:
+      - cis: ["9.3"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
+    condition: none
+    rules:
+      - 'f:$main-conf -> !r:^# && r:maxkeepaliverequests|MaxKeepAliveRequests && n:\s+(\d+) compare < 100'
+
+  #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service
+  - id: 10023
+    title: "Ensure KeepAliveTimeout is Set to a Value of 15 or Less"
+    description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive."
+    rationale: "The KeepAliveTimeout directive is used mitigate some of the risk, by requiring more effort for a successful DoS attack. By enabling KeepAlive and keeping the timeout relatively low for old connections and we allow the server to free up resources more quickly and be more responsive."
+    remediation: "Perform the following to implement the recommended state: Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less. KeepAliveTimeout 15"
+    compliance:
+      - cis: ["9.4"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && r:keepalivetimeout|KeepAliveTimeout && n:\s+(\d+) compare <= 15'
+
+  #9.5 Set Timeout Limits for Request Headers
+  - id: 10024
+    title: "Ensure the Timeout Limits for Request Headers is Set to 40 or Less"
+    description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts the time for the TLS handshake must fit within the timeout."
+    rationale: "Setting a request header timeout is vital for mitigating Denial of Service attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. Starting in June 2009 with the Slow Loris DoS attack, which used a slow GET request as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later in November 2010 at the OWASP App Sec DC conference Wong Onn Chee demonstrated a slow POST request attack which was even more effective."
+    remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less. RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500"
+    compliance:
+      - cis: ["9.5"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://ha.ckers.org/slowloris/
+      - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
+      - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+    condition: any
+    rules:
+      - 'f:$main-conf -> !r:^# && r:loadmodule|LoadModule && r:\s+mod_reqtimeout'
+      - 'f:$request-confs -> !r:^# && r:requestreadtimeout|RequestReadTimeout && n:header=\d+\p(\d+) compare <= 40'
+
+  #9.6 Set Timeout Limits for Request Body
+  - id: 10025
+    title: "Ensure Timeout Limits for the Request Body is Set to 20 or Less"
+    description: "The RequestReadTimeout directive also allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, and a maximum timeout and minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes are received. The recommended setting is to have a maximum timeout of 20 seconds or less. The default value is body=20,MinRate=500."
+    rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended."
+    remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less. RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500"
+    compliance:
+      - cis: ["9.6"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+    condition: any
+    rules:
+      - 'f:$main-conf -> !r:^# && r:loadmodule|LoadModule && r:\s+mod_reqtimeout'
+      - 'f:$request-confs -> !r:^# && r:requestreadtimeout|RequestReadTimeout && n:body=(\d+) compare <= 20'
+
+  #10.1 Set the LimitRequestLine directive to 512 or less
+  - id: 10026
+    title: "Ensure the LimitRequestLine directive is Set to 512 or less"
+    description: "Buffer Overflow attacks attempt to exploit an application by providing more data than the application buffer can contain. If the application allows copying data to the buffer to overflow the boundaries of the buffer, then the application is vulnerable to a buffer overflow. The results of Buffer overflow vulnerabilities vary, and may result in the application crashing, or may allow the attacker to execute instructions provided in the data. The Apache LimitRequest* directives allow the Apache web server to limit the sizes of requests and request fields and can be used to help protect programs and applications processing those requests. Specifically, the LimitRequestLine directive limits the allowed size of a client's HTTP request-line, which consists of the HTTP method, URI, and protocol version."
+    rationale: "The limiting of the size of the request line is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directive is available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications."
+    remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestline directive in the Apache configuration to have a value of 512 or shorter. LimitRequestline 512"
+    compliance:
+      - cis: ["10.1"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && r:limitrequestline|LimitRequestLine && n:\s(\d+) compare <= 512'
+
+  #10.2 Set the LimitRequestFields directive to 100 or less
+  - id: 10027
+    title: "Ensure the LimitRequestFields Directive is Set to 100 or Less"
+    description: "The LimitRequestFields directive limits the number of fields allowed in an HTTP request."
+    rationale: "The limiting of the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications."
+    remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present the default depends on a compile time configuration, but defaults to a value of 100. LimitRequestFields 100"
+    compliance:
+      - cis: ["10.2"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && r:limitrequestfields|LimitRequestFields && n:\s(\d+) compare <= 100'
+
+  #10.3 Set the LimitRequestFieldsize directive to 1024 or less
+  - id: 10028
+    title: "Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less"
+    description: "The LimitRequestFieldSize limits the number of bytes that will be allowed in an HTTP request header. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less."
+    rationale: "By limiting of the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications."
+    remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFieldsize directive in the Apache configuration to have a value of 1024 or less. LimitRequestFieldsize 1024"
+    compliance:
+      - cis: ["10.3"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && r:limitrequestfieldsize|LimitRequestFieldSize && n:\s(\d+) compare <= 1024'
+
+  #10.4 Set the LimitRequestBody directive to 102400 or less
+  - id: 10029
+    title: "Ensure the LimitRequestBody Directive is Set to 102400 or Less"
+    description: "The LimitRequestBody directive limits the number of bytes that are allowed in a request body. Size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit."
+    rationale: "The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The LimitRequestBody may be configured on a per directory, or per location context. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications."
+    remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file up-loads to the web server. LimitRequestBody 102400"
+    compliance:
+      - cis: ["10.4"]
+      - cis_csc: ["9", "5.1"]
+    references:
+      - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
+    condition: all
+    rules:
+      - 'f:$main-conf -> !r:^# && r:limitrequestbody|LimitRequestBody && n:\s(\d+) compare <= 102400'
diff --git a/etc/ruleset/sca/applications/cis_iis_10.yml b/etc/ruleset/sca/applications/cis_iis_10.yml
new file mode 100644
index 0000000000..54bc4dea90
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_iis_10.yml
@@ -0,0 +1,722 @@
+# Security Configuration Assessment
+# CIS Checks for Microsoft IIS 10
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark v1.1.1 for Microsoft IIS 10 - 03-13-2019
+
+policy:
+  id: "cis_iis_10"
+  file: "cis_iis_10.yml"
+  name: "CIS Microsoft IIS 10 Benchmark v1.1.1"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft IIS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that IIS 10 is installed in the system"
+  description: "Requirements for running the SCA scan against IIS 10"
+  condition: all
+  rules:
+    - 'c:reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp -> r:IIS 10'
+
+checks:
+  # 1 Basic Configurations
+  - id: 22000
+    title: "Ensure web content is on non-system partition"
+    description: "Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume."
+    rationale: "Isolating web content from system files may reduce the probability of: - Web sites/applications exhausting system disk space - File IO vulnerability in the web site/application from affecting the confidentiality and/or integrity of system files"
+    remediation: "1. Browse to web content in C:\\inetpub\\wwwroot\\ 2. Copy or cut content onto a dedicated and restricted web folder on a non-systemdrive such as D:\\webroot\\ 3. Change mappings for any applications or Virtual Directories to reflect the new location To change the mapping for the application named app1 which resides under the Default Web Site, open IIS Manager: 1. Expand the server node 2. Expand Sites 3. Expand Default Web Site 4. Click on app1 5. In the Actions pane, select Basic Settings 6. In the Physical path text box, put the new location of the application, D:\\wwwroot\\app1 in the example above"
+    compliance:
+      - cis: ["1.1"]
+      - cis_csc: ["14"]
+    condition: none
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list vdir -> r:SystemDrive'
+
+  #1.2 - Has to be done manually as each site needs to be verified individually
+  #    title: "Ensure 'host headers' are on all sites"
+
+  - id: 22001
+    title: "Ensure 'directory browsing' is set to disabled"
+    description: "Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met: 1. No specific file is requested in the URL 2. The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list"
+    rationale: "Ensuring that directory browsing is disabled may reduce the probability of disclosing sensitive content that is inadvertently accessible via IIS."
+    remediation: "Enter the following command in AppCmd.exe to configure:%systemroot%\\system32\\inetsrv\\appcmd set config /section:directoryBrowse /enabled:false"
+    compliance:
+      - cis: ["1.3"]
+      - cis_csc: ["14"]
+    references:
+      - http://blogs.iis.net/thomad/archive/2008/02/10/moving-the-iis7-inetpub-directory-to-a-different-drive.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:directoryBrowse -> r:directoryBrowse enabled="false"'
+
+  - id: 22002
+    title: "Ensure 'application pool identity' is configured for all application pools"
+    description: "Application Pool Identities are the actual users/authorities that will run the worker process - w3wp.exe. Assigning the correct user authority will help ensure that applications can function properly, while not giving overly permissive permissions on the system. These identities can further be used in ACLs to protect system content. It is recommended that each Application Pool run under a unique identity. IIS has additional built-in least privilege identities intended for use by Application Pools. It is recommended that the default Application Pool Identity be changed to a least privilege principle other than Network Service. Furthermore, it is recommended that all application pool identities be assigned a unique least privilege principal. To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a Web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. It is recommended the Application Pool Identity be set as the Anonymous User Identity. The name of the Application Pool account corresponds to the name of the Application Pool. Application Pool Identities were introduced in Windows Server 2008 SP2. It is recommended that Application Pools be set to run as ApplicationPoolIdentity unless there is an underlying reason that the application pool needs to run as a specified end user account. One example where this is needed is for web farms using Kerberos authentication"
+    rationale: "Setting Application Pools to use unique least privilege identities such as ApplicationPoolIdentity reduces the potential harm the identity could cause should the application ever become compromised. Additionally, it will simplify application pools configuration and account management."
+    remediation: "To change the ApplicationPool identity to the built-in ApplicationPoolIdentity using AppCmd.exe, run the following from a command prompt: Enter the following command in AppCmd.exe to configure %systemroot%\\system32\\inetsrv\\appcmd set config /section:applicationPools /[name='<apppool name>'].processModel.identityType:ApplicationPoolIdentity "
+    compliance:
+      - cis: ["1.4"]
+      - cis_csc: ["18"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc771170%28WS.10%29.aspx
+      - http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/
+      - http://learn.iis.net/page.aspx/624/application-pool-identities/
+      - http://blogs.iis.net/tomwoolums/archive/2008/12/17/iis-7-0-application-pools.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:applicationPools -> r:processModel identityType="ApplicationPoolIdentity"'
+
+  - id: 22003
+    title: "Ensure 'unique application pools' is set for sites"
+    description: "IIS introduced a new security feature called Application Pool Identities that allows Application Pools to be run under unique accounts without the need to create and manage local or domain accounts. It is recommended that all Sites run under unique, dedicated Application Pools."
+    rationale: "By setting sites to run under unique Application Pools, resource-intensive applications can be assigned to their own application pools which could improve server and application performance.In addition, it can help maintain application availability: if an application in one pool fails, applications in other pools are not affected.Last, isolating applications helps mitigate the potential risk of one application being allowed access to the resources of another application. It is also recommended to stop any application pool that is not in use or was created by an installation such as .Net 4.0."
+    remediation: "The following appcmd.exe command will set the application pool for a given application: %systemroot%\\system32\\inetsrv\\appcmd set app '<website name>/' /applicationpool:<apppool name>"
+    compliance:
+      - cis: ["1.5"]
+      - cis_csc: ["14.6"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc753449%28WS.10%29.aspx
+      - http://blogs.iis.net/tomwoolums/archive/2008/12/17/iis-7-0-application-pools.aspx
+      - http://learn.iis.net/page.aspx/624/application-pool-identities/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list app -> r:applicationPool:DefaultAppPool'
+
+  - id: 22004
+    title: "Ensure 'application pool identity' is configured for anonymous user identity"
+    description: "To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a Web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. It is recommended the Application Pool Identity be set as the Anonymous User Identity."
+    rationale: "Configuring the anonymous user identity to use the application pool identity will help ensure site isolation - provided sites are set to use the application pool identity. Since a unique principal will run each application pool, it will ensure the identity is least privilege. Additionally, it will simplify Site management."
+    remediation: "To use AppCmd.exe to configure anonymousAuthenticationat the server level, the command would look like this: %systemroot%\\system32\\inetsrv\\appcmd set config -section:anonymousAuthentication /username:\"\" --password"
+    compliance:
+      - cis: ["1.6"]
+      - cis_csc: ["14.6"]
+    references:
+      - http://learn.iis.net/page.aspx/202/application-pool-identity-as-anonymous-user/
+      - http://learn.iis.net/page.aspx/624/application-pool-identities/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list app -> r:anonymousAuthentication enabled="true"'
+
+  - id: 22005
+    title: " Ensure WebDav feature is disabled"
+    description: "WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server. This functionality is available in IIS when the WebDAV feature is enabled."
+    rationale: "WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDav feature should be disabled."
+    remediation: "To disable this feature using PowerShell, enter the following command: Remove-WindowsFeature Web-DAV-Publishing Verify that Success is True"
+    compliance:
+      - cis: ["1.7"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:powershell.exe import-module servermanager;Get-WindowsFeature Web-DAV-Publishing -> r:available"
+
+  # 2  Configure Authentication and Authorization
+  - id: 22006
+    title: "Ensure 'global authorization rule' is set to restrict access"
+    description: "IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g. static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals."
+    rationale: "Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access."
+    remediation: "To configure URL Authorization at the server level using command line utilities:Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config -section:system.webServer/security/authorization /-\"[users='*',roles='',verbs='']\"; %systemroot%\\system32\\inetsrv\\appcmd set config -section:system.webServer/security/authorization /+\"[accessType='Allow',roles='Administrators']\""
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization
+      - http://www.iis.net/learn/get-started/whats-new-in-iis-7/changes-in-security-between-iis-60-and-iis-7-and-above#Authorization
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.webserver/security/authorization -> r:remove users="\*" roles="" verbs="" && accessType="Allow",roles="Administrators"'
+
+  - id: 22007
+    title: "Ensure access to sensitive site features is restricted to authenticated principals only"
+    description: "IIS supports both challenge-based and login redirection-based authentication methods. Challenge-based authentication methods, such as Integrated Windows Authentication, require a client to respond correctly to a server-initiated challenge. A login redirection based authentication method such as Forms Authentication relies on redirection to a login page to determine the identity of the principal. Challenge-based authentication and login redirection-based authentication methods cannot be used in conjunction with one another. Public servers/sites are typically configured to use Anonymous Authentication. This method typically works, provided the content or services is intended for use by the public. When sites, applications, or specific content containers are not intended for anonymous public use, an appropriate authentication mechanism should be utilized. Authentication will help confirm the identity of clients who request access to sites, application, and content. IIS provides the following authentication modules by default: Anonymous Authentication - allows anonymous users to access sites, applications, and/or content Integrated Windows Authentication - authenticates users using the NTLM or Kerberos protocols; Kerberos v5 requires a connection to Active Directory ASP.NET Impersonation - allows ASP.NET applications to run under a security context different from the default security context for an application Forms Authentication - enables a user to login to the configured space with a valid user name and password which is then validated against a database or other credentials store Basic authentication - requires a valid user name and password to access content Client Certificate Mapping Authentication - allows automatic authentication of users who log on with client certificates that have been configured; requires SSL Digest Authentication - uses Windows domain controller to authenticate users who request accessNote that none of the challenge-based authentication modules can be used at the same time Forms Authentication is enabled for certain applications/content. Forms Authentication does not rely on IIS authentication, so anonymous access for the ASP.NET application can be configured if Forms Authentication will be used. It is recommended that sites containing sensitive information, confidential data, or non public web services be configured with a credentials-based authentication mechanism"
+    rationale: "Configuring authentication will help mitigate the risk of unauthorized users accessing data and/or services, and in some cases reduce the potential harm that can be done to a system."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config - section:system.web/authentication /mode:<Windows|Passport|Forms>"
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["14.6"]
+    references:
+      - http://learn.iis.net/page.aspx/377/using-aspnet-forms-authentication/rev/1
+      - http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/
+      - http://technet.microsoft.com/en-us/library/cc733010%28WS.10%29.aspx
+      - http://msdn.microsoft.com/en-us/library/aa480476.aspx
+      - https://technet.microsoft.com/en-us/library/hh831496(v=ws.11).aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.web/authentication -> r:cookieless="UseCookies" requireSSL="true"'
+
+  - id: 22008
+    title: "Ensure 'forms authentication' require SSL"
+    description: "Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Forms Authentication be encrypted using SSL."
+    rationale: "Requiring SSL for Forms Authentication will protect the confidentiality of credentials during the login process, helping mitigate the risk of stolen user information."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config - section:system.web/authentication /mode:Forms"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc771077(WS.10).aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.web/authentication -> r:requireSSL="true"'
+
+  - id: 22009
+    title: "Ensure 'forms authentication' is set to use cookies"
+    description: "Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies."
+    rationale: "Using cookies to manage session state may help mitigate the risk of session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL. Moving session information identifiers into the URL may cause session IDs to show up in proxy logs, browsing history, and be accessible to client scripting via document.location."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config - section:system.web/authentication /forms.cookieless:\"UseCookies\""
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc732830%28WS.10%29.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.web/authentication -> r:cookieless="UseCookies"'
+
+  #2.5 - Has to be done manually as each app name needs to be provided individually
+  #    title: "Ensure 'cookie protection mode' is configured for forms authentication"
+
+  #2.6 - Has to be done manually as each app name needs to be provided individually
+  #    title: "Ensure transport layer security for 'basic authentication' is #configured"
+
+  #2.7 - Has to be done manually as each app name needs to be provided individually
+  #    title: "Ensure 'passwordFormat' is not set to clear"
+
+  #2.8 - Has to be done manually as each app name needs to be provided individually
+  #    title: "Ensure 'credentials' are not stored in configuration files"
+
+  #3 ASP.NET Configuration Recommendations
+
+  #3.1 - Has to be done manually as .NET versions used by each App may vary
+  #    title: "Ensure 'deployment method retail' is set"
+
+  #3.2 - Has to be done manually as each website name must be provided
+  #    title: "Ensure 'debug' is turned off"
+
+  #3.3 - Has to be done manually as each website name must be provided
+  #    title: "Ensure custom error messages are not off"
+
+  #3.4 - Has to be done manually as each website name must be provided
+  #    title: "Ensure IIS HTTP detailed errors are hidden from displaying remotely"
+
+  #3.5 - Has to be done manually as each website name must be provided
+  #    title: "Ensure ASP.NET stack tracing is not enabled"
+
+  #3.6 - Has to be done manually as each website name must be provided
+  #    title: " Ensure 'httpcookie' mode is configured for session state"
+
+  #3.7 - Has to be done manually as each website name must be provided
+  #    title: "Ensure 'cookies' are set with HttpOnly attribute"
+
+  - id: 22010
+    title: "Ensure 'MachineKey validation method - .Net 3.5' is configured"
+    description: "The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification."
+    rationale: "Setting the validation property to AES will provide confidentiality and integrity protection to the viewstate. AES is the strongest encryption algorithm supported by the validation property. Setting the validation property to SHA1 will provide integrity protection to the viewstate. SHA1 is the strongest hashing algorithm supported by the validation property."
+    remediation: "To set the Machine Key encryption at the global level using an appcmd.exe command: %systemroot%\\system32\\inetsrv\\appcmd set config /commit:WEBROOT /section:machineKey /validation:SHA1"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc772271%28WS.10%29.aspx
+      - http://technet.microsoft.com/en-us/library/cc772287%28WS.10%29.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /commit:WEBROOT /section:machineKey -> r:validation="SHA1"|validation="AES"'
+
+  - id: 22011
+    title: "Ensure 'MachineKey validation method - .Net 4.5' is configured"
+    description: "The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification."
+    rationale: "SHA-2 is the strongest hashing algorithm supported by the validation property so it should be used as the validation method for the MachineKey in .Net 4.5."
+    remediation: "To set the Machine Key encryption at the global level using an appcmd.exe command: %systemroot%\\system32\\inetsrv\\appcmd set config /commit:WEBROOT /section:machineKey /validation:HMACSHA256"
+    compliance:
+      - cis: ["3.9"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-aspnet-configuration-management
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /commit:WEBROOT /section:machineKey -> r:validation="HMACSHA256"'
+
+  - id: 22012
+    title: " Ensure global .NET trust level is configured"
+    description: "This only applies to .Net 2.0. Future versions have stopped supporting this feature. An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. An application that has full trust permissions may access all resource types on a server and perform privileged operations, while applications that run with partial trust have varying levels of operating permissions and access to resources. It is recommended that the global .NET Trust Level be set to Medium or lower."
+    rationale: "The CAS determines the permissions that are granted to the application on the server. Setting a minimal level of trust that is compatible with the applications will limit the potential harm that a compromised application could cause to a system."
+    remediation: "To set the .Net Trust Level to Medium at the server level using an appcmd.exe command: %systemroot%\\system32\\inetsrv\\appcmd set config /commit:WEBROOT /section:trust /level:Medium"
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.6"]
+    references:
+      - http://technet.microsoft.com/en-us/library/cc772237(WS.10).aspx
+      - http://msdn.microsoft.com/en-us/library/ms691448%28VS.90%29.aspx
+      - Professional IIS 7 by Ken Schaefer, Jeff Cochran, Scott Forsyth, Rob Baugh, Mike Everest, Dennis Glendenning
+      - http://support.microsoft.com/kb/2698981
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /commit:WEBROOT /section:trust -> r:level="Low"|level="Medium"'
+
+  - id: 22013
+    title: "Ensure X-Powered-By Header is removed"
+    description: "The x-powered-by headers may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers."
+    rationale: "While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/httpProtocol /-\"customHeaders.[name='X-Powered-By']\" /commit:apphost"
+    compliance:
+      - cis: ["3.11"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://blogs.msdn.microsoft.com/jpsanders/2015/10/07/remove-server-and-x-powered-by-headers-from-your-azure-mobile-apps/
+    condition: none
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.webServer/httpProtocol -> r:name="X-Powered-By"'
+
+  - id: 22014
+    title: "Ensure Server Header is removed"
+    description: "The server header may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers."
+    rationale: "While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers. The server header removal directive is a new feature in IIS 10 that can assist in mitigating this risk."
+    remediation: "Enter the following command to use AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:\"True\" /commit:apphost"
+    compliance:
+      - cis: ["3.12"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://blogs.msdn.microsoft.com/jpsanders/2015/10/07/remove-server-and-x-powered-by-headers-from-your-azure-mobile-apps/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config -section:system.webServer/security/requestFiltering -> r:removeServerHeader="true"'
+
+  #4 Request Filtering and Other Restriction Modules
+  - id: 22015
+    title: "Ensure 'maxAllowedContentLength' is configured"
+    description: "The maxAllowedContentLength Request Filter is the maximum size of the http request, measured in bytes, which can be sent from a client to the server. Configuring this value enables the total request size to be restricted to a configured value. It is recommended that the overall size of requests be restricted to a maximum value appropriate for the server, site, or application."
+    rationale: "Setting an appropriate value that has been tested for the maxAllowedContentLength filter will lower the impact an abnormally large request would otherwise have on IIS and/or web applications. This helps to ensure availability of web content and services, and may also help mitigate the risk of buffer overflow type attacks in unmanaged components."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /requestLimits.maxAllowedContentLength:30000000"
+    compliance:
+      - cis: ["4.1"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
+      - http://learn.iis.net/page.aspx/143/use-request-filtering/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:requestfiltering -> n:maxAllowedContentLength="(\d)" compare <= 30000000'
+
+  - id: 22016
+    title: "Ensure 'maxURL request filter' is configured"
+    description: "The maxURL attribute of the <requestLimits> property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept. It is recommended that a limit be put on the length of URL."
+    rationale: "With a properly configured Request Filter limiting the amount of data accepted in the URL, chances of undesired application behaviors affecting the availability of content and services are reduced."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /requestLimits.maxURL:4096"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
+      - http://learn.iis.net/page.aspx/143/use-request-filtering/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:requestfiltering -> n:maxUrl="(\d)" compare <= 4096'
+
+  - id: 22017
+    title: "Ensure 'MaxQueryString request filter' is configured"
+    description: "The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications. It is recommended that values always be established to limit the amount of data will can be accepted in the query string."
+    rationale: "With a properly configured Request Filter limiting the amount of data accepted in the query string, chances of undesired application behaviors such as app pool failures are reduced."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /requestLimits.maxQueryString:2048"
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
+      - http://learn.iis.net/page.aspx/143/use-request-filtering/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:requestfiltering -> n:maxQueryString="(\d)" compare <= 2048'
+
+  - id: 22018
+    title: "maxQueryString"
+    description: "This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters. It is recommended that requests containing non-ASCII characters be rejected, where possible."
+    rationale: "This feature can help defend against canonicalization attacks, reducing the potential attack surface of servers, sites, and/or applications."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /allowHighBitCharacters:false"
+    compliance:
+      - cis: ["4.4"]
+      - cis_csc: ["18"]
+    references:
+      - http://learn.iis.net/page.aspx/143/use-request-filtering/
+      - http://learn.iis.net/page.aspx/936/urlscan-1-reference/
+      - Professional IIS 7 by Ken Schaefer, Jeff Cochran, Scott Forsyth, Rob Baugh, Mike Everest, Dennis Glendenning
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:requestfiltering -> r:allowHighBitCharacters="false"'
+
+  - id: 22019
+    title: "Ensure Double-Encoded requests will be rejected"
+    description: "This Request Filter feature prevents attacks that rely on double-encoded requests and applies if an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS will go through a two iteration process of normalizing the request. If the first normalization differs from the second, the request is rejected and the error code is logged as a 404.11. The double-encoded requests filter was the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected."
+    rationale: "This feature will help prevent attacks that rely on URLs that have been crafted to contain double-encoded request(s)."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /allowDoubleEscaping:false"
+    compliance:
+      - cis: ["4.5"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
+      - http://learn.iis.net/page.aspx/143/use-request-filtering/
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:requestfiltering -> r:allowDoubleEscaping="false"'
+
+  - id: 22020
+    title: "Ensure 'HTTP Trace Method' is disabled"
+    description: "The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request. One such way to mitigate this is by using the <verbs>element of the <requestFiltering>collection. The <verbs> element replaces the [AllowVerbs] and [DenyVerbs] features in UrlScan. It is recommended the HTTP TRACE method be denied."
+    rationale: "Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. This risk can be mitigated by not allowing the TRACE verb."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']"
+    compliance:
+      - cis: ["4.6"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.kb.cert.org/vuls/id/867593
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/verbs
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd listconfig /section:requestfiltering -> r:verb="TRACE" allowed="false"'
+
+  - id: 22021
+    title: "Ensure Unlisted File Extensions are not allowed"
+    description: "The FileExtensions Request Filter allows administrators to define specific extensions their web server(s) will allow and disallow. The property allowUnlisted will cover all other file extensions not explicitly allowed or denied. Often times, extensions such as .config, .bat, .exe, to name a few, should never be served. The AllowExtensions and DenyExtensionsoptions are the UrlScan equivalents. It is recommended that all extensions be unallowed at the most global level possible, with only those necessary being allowed."
+    rationale: "Disallowing all but the necessary file extensions can greatly reduce the attack surface of applications and servers."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:requestfiltering /fileExtensions.allowunlisted:false"
+    compliance:
+      - cis: ["4.7"]
+      - cis_csc: ["18"]
+    references:
+      - http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
+      - http://www.iis.net/learn/manage/configuring-security/configure-request-filtering-in-iis
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd listconfig /section:requestfiltering -> r:fileExtensions\.+allowUnlisted="false"'
+
+  - id: 22022
+    title: "Ensure Handler is not granted Write and Script/Execute"
+    description: "Handler mappings can be configured to give permissions to Read, Write, Script, or Execute depending on what the use is for - reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/Scriptor Write permissions, but not both."
+    rationale: "By allowing both Execute/Scriptand Write permissions, a handler can run malicious code on the target server. Ensuring these two permissions are never together will help lower the risk of malicious code being executed on the server."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config /section:handlers /accessPolicy:Read,Script"
+    compliance:
+      - cis: ["4.8"]
+      - cis_csc: ["18"]
+    references:
+      - http://technet.microsoft.com/en-us/library/dd391910%28WS.10%29.aspx
+      - http://blogs.iis.net/thomad/archive/2006/11/05/quo-vadis-accessflags.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd list config /section:handlers -> r:accessPolicy="Read, Script"'
+
+  - id: 22023
+    title: "Ensure 'notListedIsapisAllowed' is set to false"
+    description: "The notListedIsapisAllowedattribute is a server-level setting that is located in the ApplicationHost.configfile in the <isapiCgiRestriction>element of the <system.webServer>section under <security>. This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. It is recommended that notListedIsapisAllowedbe set to false."
+    rationale: "Restricting this attribute to falsewill help prevent potentially malicious ISAPI extensions from being run."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedIsapisAllowed:false"
+    compliance:
+      - cis: ["4.9"]
+      - cis_csc: ["18"]
+    references:
+      - http://technet.microsoft.com/en-us/library/dd378846%28WS.10%29.aspx
+      - http://www.iis.net/ConfigReference/system.webServer/security/isapiCgiRestriction
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/isapiCgiRestriction -> r:notListedIsapisAllowed="false"'
+
+  - id: 22024
+    title: "Ensure 'notListedCgisAllowed' is set to false"
+    description: "The notListedCgisAllowed attribute is a server-level setting that is located in the ApplicationHost.configfile in the <isapiCgiRestriction>element of the <system.webServer>section under <security>. This element ensures that malicious users cannot copy unauthorized CGI binaries to the Web server and then run them. It is recommended that notListedCgisAllowedbe set to false."
+    rationale: "Restricting this attribute to falsewill help prevent unlisted CGI extensions, including potentially malicious CGI scripts from being run."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedCgisAllowed:false"
+    compliance:
+      - cis: ["4.10"]
+      - cis_csc: ["18"]
+    references:
+      - http://technet.microsoft.com/en-us/library/dd391919%28WS.10%29.aspx
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/isapiCgiRestriction -> r:notListedCgisAllowed="false"'
+
+  - id: 22025
+    title: "Ensure 'Dynamic IP Address Restrictions' is enabled"
+    description: "IIS Dynamic IP Address Restrictions capability can be used to thwart DDos attacks. This is complimentary to the IP Addresses and Domain names Restrictions lists that can be manually maintained within IIS. In contrast, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified request threshold. The default action Deny action for restrictions is to return a Forbidden response to the client."
+    rationale: "Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified number of requests or requests frequency. Ensure that you receive the Forbidden page once the block has been enforced."
+    remediation: 'Enter the following commands in powershell.exe to configure: Set-WebConfigurationProperty -pspath ''MACHINE/WEBROOT/APPHOST'' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name"enabled" -value "True"Set-WebConfigurationProperty -pspath ''MACHINE/WEBROOT/APPHOST'' -filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" -name "maxConcurrentRequests" -value <number of requests>'
+    compliance:
+      - cis: ["4.11"]
+      - cis_csc: ["9.5"]
+    references:
+      - http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/dynamicIpSecurity -> r:denyByConcurrentRequests enabled="true" && r:denyByRequestRate enabled="true"'
+
+  #5 IIS Logging Recommendations
+  - id: 22026
+    title: "Ensure Default IIS web log location is moved"
+    description: "IIS will log relatively detailed information on every request. These logs are usually the first item looked at in a security response, and can be the most valuable. Malicious users are aware of this, and will often try to remove evidence of their activities. It is therefore recommended that the default location for IIS log files be changed to a restricted, non system drive"
+    rationale: "Moving IIS logging to a restricted, non-system drive will help mitigate the risk of logs being maliciously altered, removed, or lost in the event of system drive failure(s)."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd set config -section:sites -siteDefaults.logfile.directory:<new log location> "
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.4"]
+    references:
+      - https://technet.microsoft.com/en-us/library/cc770709(v=ws.10).aspx?
+    condition: none
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.applicationHost/sites -> r:directory="%SystemDrive%\inetpub\logs\LogFiles"'
+
+  #5.2 - Has to be done manually, requires user interaction
+  #    title: "Ensure Advanced IIS logging is enabled"
+
+  #5.3 - Has to be done manually, requires user interaction
+  #    title: "Ensure 'ETW Logging' is enabled"
+
+  #6 FTP Requests
+  - id: 22027
+    title: "Ensure FTP requests are encrypted"
+    description: "The new FTP Publishing Service for IIS supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is an RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers."
+    rationale: "By using SSL, the FTP transmission is encrypted and secured from point to point and all FTP traffic as well as credentials are thereby guarded against interception."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.ftpServer.security.ssl.controlChannelPolicy:\"SslRequire\" /siteDefaults.ftpServer.security.ssl.dataChannelPolicy:\"SslRequire\" /commit:apphost"
+    compliance:
+      - cis: ["6.1"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://www.windowsnetworking.com/articles_tutorials/IIS-FTP-Publishing-Service-Part3.html
+      - http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/#03
+      - https://tools.ietf.org/html/rfc4217
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.applicationHost/sites -> r:controlChannelPolicy="SslRequire"&&dataChannelPolicy="SslRequire"'
+
+  - id: 22028
+    title: "Ensure FTP Logon attempt restrictions is enabled"
+    description: "IIS introduced a built-in network security feature to automatically block brute force FTP attacks. This can be used to mitigate a malicious client from attempting a brute-force attack on a discovered account, such as the local administrator account."
+    rationale: "Successful brute force FTP attacks can allow an otherwise unauthorized user to make changes to data that should not be made. This could allow the unauthorized user to modify website code by uploading malicious software or even changing functionality for items such as online payments."
+    remediation: "Enter the following command in AppCmd.exe to configure: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.ftpServer/security/authentication /denyByFailure.enabled:\"True\" /commit:apphost"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["9.1"]
+    references:
+      - http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-ftp-logon-attempt-restrictions
+    condition: all
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.ftpServer/security/authentication -> r:denyByFailure enabled="true"'
+
+  #7 Transport Encryption
+  - id: 22029
+    title: "Ensure HSTS Header is set"
+    description: 'HTTP Strict Transport Security (HSTS) allows a site to inform the user agent to communicate with the site only over HTTPS. This header takes two parameters: max-age, "specifies the number of seconds, after the reception of the STS header field, during whichthe user agent regards the host (from whom the message was received) as a Known HSTSHost [speaks only HTTPS]"; and includeSubDomains. includeSubDomains is an optionaldirective that defines how this policy is applied to subdomains. If includeSubDomains isincluded in the header, it provides the following definition: this HSTS Policy also applies toany hosts whose domain names are subdomains of the Known HSTS Host''s domain name.'
+    rationale: "HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. HSTS relies on the User Agent/Browser to enforce the required behavior. All major browsers support it. If the browser doesn't support HSTS, it will be ignored.When a browser knows that a domain has enabled HSTS, it does two things:1. Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.2. Removes the ability for users to click through warnings about invalid certificates.A domain instructs browsers that it has enabled HSTS by returning an HTTP header over an HTTPS connection."
+    remediation: "To set the HTTP Header at the server level using an AppCmd.exe command, run the following command from an elevated command prompt: %systemroot%\\system32\\inetsrv\\appcmd.exe set config -section:system.webServer/httpProtocol /+\"customHeaders.[name='Strict-Transport-Security',value='max-age=480; preload']\""
+    compliance:
+      - cis: ["7.1"]
+      - cis_csc: ["18"]
+    condition: all
+    references:
+      - http://tools.ietf.org/html/rfc6797#section-5.1
+      - https://https.cio.gov/hsts/
+      - https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders#006
+    rules:
+      - 'c:%systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/httpProtocol -> r:name="Strict-Transport-Security" && n:max-age=(\d) compare > 0'
+
+  - id: 22030
+    title: "Ensure SSLv2 is Disabled"
+    description: "This protocol is not considered cryptographically secure."
+    rationale: "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data."
+    remediation: "Set the following key is set to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server:Enabled HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Client:Enabled. Set the following key is set to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server:DisabledByDefault HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Client:DisabledByDefault"
+    compliance:
+      - cis: ["7.2"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server -> DisabledByDefault -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client -> DisabledByDefault -> 1'
+
+  - id: 22031
+    title: "Ensure SSLv3 is Disabled"
+    description: "This protocol is not considered cryptographically secure. Disabling it is recommended."
+    rationale: "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data."
+    remediation: "Set the following keys to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Server:Enabled HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Client:Enabled. Set the following keys to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Server:DisabledByDefault HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Client:DisabledByDefault"
+    compliance:
+      - cis: ["7.3"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.openssl.org/~bodo/ssl-poodle.pdf
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server -> DisabledByDefault -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client -> DisabledByDefault -> 1'
+
+  - id: 22032
+    title: "Ensure TLS 1.0 is Disabled"
+    description: 'The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016.'
+    rationale: "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data."
+    remediation: "Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server:Enabled HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client:Enabled. Set the following key is set to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server:DisabledByDefault HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client:DisabledByDefault"
+    compliance:
+      - cis: ["7.4"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server -> DisabledByDefault -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client -> DisabledByDefault -> 1'
+
+  - id: 22033
+    title: "Ensure TLS 1.1 is Disabled"
+    description: "TLS 1.1 is required for backward compatibility. Ensure you fully test your application to ensure that backwards compatibility is not needed. If it is, build in exceptions as necessary for backwards compatibility"
+    rationale: "Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data"
+    remediation: "Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server:Enabled HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client:Enabled. Set the following key is set to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server:DisabledByDefault HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client:DisabledByDefault"
+    compliance:
+      - cis: ["7.5"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+      - https://community.qualys.com/thread/16565-is-there-a-reason-for-still-having-tlsv11-enabled
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server -> DisabledByDefault -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client -> DisabledByDefault -> 1'
+
+  - id: 22034
+    title: "Ensure TLS 1.2 is Enabled"
+    description: "TLS 1.2 is the most recent and mature protocol for protecting the confidentiality and integrity of HTTP traffic."
+    rationale: "Enabling this protocol will help ensure the confidentiality and integrity of data in transit."
+    remediation: "Set the following key to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server:Enabled. Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server:DisabledByDefault"
+    compliance:
+      - cis: ["7.6"]
+      - cis_csc: ["14.4"]
+    references:
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server -> Enabled -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server -> DisabledByDefault -> 0'
+
+  - id: 22035
+    title: "Ensure NULL Cipher Suites is Disabled"
+    description: "The NULL cipher does not provide data confidentiality or integrity. It is recommended that the NULL cipher be disabled."
+    rationale: "By disabling the NULL cipher, there is a better chance of maintaining data confidentiality and integrity."
+    remediation: "Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\NULL:Enabled"
+    compliance:
+      - cis: ["7.7"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL -> Enabled -> 0'
+
+  - id: 22036
+    title: "Ensure DES Cipher Suites is Disabled"
+    description: "DES is a weak symmetric-key cipher. It is recommended that it be disabled."
+    rationale: "By disabling DES, there is a better chance of maintaining data confidentiality and integrity."
+    remediation: "Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\DES 56/56:Enabled"
+    compliance:
+      - cis: ["7.8"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 -> Enabled -> 0'
+
+  - id: 22037
+    title: "Ensure RC4 Cipher Suites is Disabled"
+    description: "RC4 is a stream cipher that has known practical attacks. It is recommended that RC4 be disabled. The only RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128."
+    rationale: "The use of RC4 may increase an adversaries ability to read sensitive information sent over SSL/TLS."
+    remediation: "Set the following keys to 0 to disable RC4 40/128, RC4 56/128, RC4 64/128, RC4 128/128 ciphers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 40/128:Enabled, HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 56/128:Enabled, HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 64/128:Enabled,HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 128/128:Enabled."
+    compliance:
+      - cis: ["7.9"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 -> Enabled -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 -> Enabled -> 0'
+
+  - id: 22038
+    title: "Ensure AES 128/128 Cipher Suite is Disabled"
+    description: "Enabling AES 128/128 may be required for client compatibility. Enable or disable this cipher suite accordingly."
+    rationale: "This item is Scored for the following reasons and should be disabled: Enabling AES 256/256 is recommended. This cipher does not suffer from known practical attacks."
+    remediation: "Set the following key to 0: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\AES 128/128:Enabled"
+    compliance:
+      - cis: ["7.10"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128 -> Enabled -> 0'
+
+  - id: 22039
+    title: "Ensure AES 256/256 Cipher Suite is Enabled"
+    description: "AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. This is enabled by default on Server 2012 and 2012 R2."
+    rationale: "Enabling this cipher will help ensure the confidentiality and integrity of data in transit."
+    remediation: "Set the following key to 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\AES 128/128:Enabled"
+    compliance:
+      - cis: ["7.11"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - http://technet.microsoft.com/en-us/library/dn786419.aspx
+      - http://technet.microsoft.com/en-us/library/dn786433.aspx
+      - http://msdn.microsoft.com/en-us/library/aa374757%28v=vs.85%29.aspx
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256 -> Enabled -> 1'
+
+  - id: 22040
+    title: "Ensure TLS Cipher Suite ordering is Configured"
+    description: "Cipher suites are a named combination of authentication, encryption, message authentication code, and key exchange algorithms used for the security settings of a network connection using TLS protocol. Clients send a cipher list and a list of ciphers that it supports in order of preference to a server. The server then replies with the cipher suite that it selects from the client cipher suite list"
+    rationale: "Cipher suites should be ordered from strongest to weakest in order to ensure that the more secure configuration is used for encryption between the server and client."
+    remediation: "Set HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002:Functions to TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."
+    compliance:
+      - cis: ["7.12"]
+      - cis_csc: ["14.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 -> Functions -> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.'
diff --git a/etc/ruleset/sca/applications/cis_mysql5_6_community.yml b/etc/ruleset/sca/applications/cis_mysql5_6_community.yml
new file mode 100644
index 0000000000..9a0bc18e09
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_mysql5_6_community.yml
@@ -0,0 +1,291 @@
+# Security Configuration Assessment
+# CIS Checks for Oracle MySQL Community Edition 5.6
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Oracle MySQL Community Edition 5.6 v1.1.0  - 08-15-2016
+
+policy:
+  id: "cis_mysql_community"
+  file: "cis_mysql5_6_community.yml"
+  name: "CIS Oracle MySQL Community Server 5.6 Benchmark v1.1.0"
+  description: "This document, CIS Oracle MySQL Community Server 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Community Server 5.6. This guide was tested against MySQL Community Server 5.6 running on Ubuntu Linux 14.04, but applies to other linux distributions as well."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that MySQL is installed on the system"
+  description: "Requirements for running the SCA scan against the MySQL policy."
+  condition: any
+  rules:
+    - "d:/etc/mysql"
+    - "d:/var/lib/mysql"
+
+checks:
+  #1 Operating System Level Configuration
+  - id: 10500
+    title: "Disable MySQL Command History"
+    description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
+    rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
+    remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
+    compliance:
+      - cis: ["1.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
+      - https://bugs.mysql.com/bug.php?id=72158
+    condition: none
+    rules:
+      - "d:/home -> ^.mysql_history$"
+      - "d:/root -> ^.mysql_history$"
+
+  - id: 10501
+    title: "Disable Interactive Login"
+    description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
+    rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
+    remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - "c:getent passwd mysql -> r:/bin/false|/sbin/nologin"
+
+  - id: 10502
+    title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
+    description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
+    rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
+    remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
+    compliance:
+      - cis: ["1.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
+    condition: none
+    rules:
+      - "c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD"
+
+  #4 General
+  - id: 10503
+    title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
+    description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
+    rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
+    remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
+    compliance:
+      - cis: ["4.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
+    condition: none
+    rules:
+      - "c:my_print_defaults mysqld -> r:allow-suspicious-udfs"
+
+  - id: 10504
+    title: "Ensure 'local_infile' is Disabled"
+    description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
+    rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
+    remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+    compliance:
+      - cis: ["4.4"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
+      - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
+    condition: all
+    rules:
+      - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0'
+
+  - id: 10505
+    title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
+    description: "This option causes mysqld to start without using the privilege system."
+    rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
+    remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
+    compliance:
+      - cis: ["4.5"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
+    condition: all
+    rules:
+      - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
+
+  - id: 10506
+    title: "Ensure '--skip-symbolic-links' Is Enabled"
+    description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available.  When use of symbolic links are enabled, they have different effects depending on the host platform.  When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
+    rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
+    remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not exist, create it in the 'mysqld' section."
+    compliance:
+      - cis: ["4.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
+    condition: all
+    rules:
+      - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
+
+  - id: 10507
+    title: "Ensure 'secure_file_priv' is not empty"
+    description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
+    rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
+    remediation: "Add the line secure_file_priv=<path_to_load_directory> to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+    compliance:
+      - cis: ["4.8"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
+    condition: all
+    rules:
+      - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
+
+  - id: 10508
+    title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
+    description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
+    rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
+    remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
+    compliance:
+      - cis: ["4.9"]
+    condition: all
+    rules:
+      - "c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables"
+
+  #6 Auditing and Logging
+  - id: 10509
+    title: "Ensure 'log_error' is not empty"
+    description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
+    rationale: "Enabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
+    remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
+    compliance:
+      - cis: ["6.1"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
+    condition: all
+    rules:
+      - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
+
+  - id: 10510
+    title: "Ensure Log Files are not Stored on a non-system partition"
+    description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem.  It is common practice to ensure that the system filesystem is left uncluttered by application logs.  System filesystems include the root, /var, or /usr."
+    rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
+    remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
+    compliance:
+      - cis: ["6.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
+      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
+    condition: none
+    rules:
+      - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'
+
+  - id: 10511
+    title: "Ensure 'log_warning' is set to 2"
+    description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log.  A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
+    rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
+    remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
+    compliance:
+      - cis: ["6.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
+    condition: all
+    rules:
+      - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
+
+  - id: 10512
+    title: "Ensure 'log_raw' is set to 'OFF'"
+    description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text.  If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
+    rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
+    remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
+    compliance:
+      - cis: ["6.4"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
+    condition: all
+    rules:
+      - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
+
+  #7 Authentication
+  - id: 10513
+    title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
+    description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements.  Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
+    rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
+    remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
+    compliance:
+      - cis: ["7.1"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
+      - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
+      - https://www.cvedetails.com/cve/CVE-2003-1480/
+    condition: none
+    rules:
+      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
+      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
+
+  - id: 10514
+    title: "Ensure 'secure_auth' is set to 'ON'"
+    description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
+    rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
+    remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
+    compliance:
+      - cis: ["7.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
+    condition: all
+    rules:
+      - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
+
+  - id: 10515
+    title: "Ensure Passwords Are Not Stored in the Global Configuration"
+    description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
+    rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
+    remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
+    compliance:
+      - cis: ["7.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
+    condition: none
+    rules:
+      - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
+
+  - id: 10516
+    title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
+    description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
+    rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
+    remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
+    compliance:
+      - cis: ["7.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
+
+  - id: 10517
+    title: "Ensure Password Policy is in Place"
+    description: "Password complexity includes password characteristics such as length, case, length, and character sets."
+    rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
+    remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
+    compliance:
+      - cis: ["7.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
+    condition: all
+    rules:
+      - 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
+      - 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+      - 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
+      - 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
+      - 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
+      - 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
+      - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
+
+  #9 Replication
+  - id: 10518
+    title: "Ensure 'master_info_repository' is set to 'TABLE'"
+    description: "The master_info_repository setting determines to where a slave logs master status and connection information.  The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
+    rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
+    remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
+    compliance:
+      - cis: ["9.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
+    condition: all
+    rules:
+      - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
diff --git a/etc/ruleset/sca/applications/cis_mysql5_6_enterprise.yml b/etc/ruleset/sca/applications/cis_mysql5_6_enterprise.yml
new file mode 100644
index 0000000000..fc595962b0
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_mysql5_6_enterprise.yml
@@ -0,0 +1,369 @@
+# Security Configuration Assessment
+# CIS Checks for Oracle MySQL Entreprise Edition 5.6
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Oracle MySQL Entreprise Edition 5.6 v1.1.0  - 08-15-2016
+
+policy:
+  id: "cis_mysql_enterprise"
+  file: "cis_mysql5_6_enterprise.yml"
+  name: "CIS Oracle MySQL Enterprise Edition 5.6 Benchmark v1.1.0"
+  description: "This document, CIS Oracle MySQL Enterprise Edition 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Enterprise Edition 5.6. The tests were carried out against MySQL Enterprise Edition 5.6 running on Ubuntu Linux 14.04, but applies to other linux distributions as well."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that MySQL is installed on the system"
+  description: "Requirements for running the SCA scan against the MySQL policy."
+  condition: any
+  rules:
+    - "d:/etc/mysql"
+    - "d:/var/lib/mysql"
+
+checks:
+  #1 Operating System Level Configuration
+  - id: 11000
+    title: "Disable MySQL Command History"
+    description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
+    rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
+    remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
+    compliance:
+      - cis: ["1.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
+      - https://bugs.mysql.com/bug.php?id=72158
+    condition: none
+    rules:
+      - "d:/home -> ^.mysql_history$"
+      - "d:/root -> ^.mysql_history$"
+
+  - id: 11001
+    title: "Disable Interactive Login"
+    description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
+    rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
+    remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - "c:getent passwd mysql -> r:/bin/false|/sbin/nologin"
+
+  - id: 11002
+    title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
+    description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
+    rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
+    remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
+    compliance:
+      - cis: ["1.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
+    condition: none
+    rules:
+      - "c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD"
+
+  #4 General
+  - id: 11003
+    title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
+    description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
+    rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
+    remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
+    compliance:
+      - cis: ["4.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
+    condition: none
+    rules:
+      - "c:my_print_defaults mysqld -> r:allow-suspicious-udfs"
+
+  - id: 11004
+    title: "Ensure 'local_infile' is Disabled"
+    description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
+    rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
+    remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+    compliance:
+      - cis: ["4.4"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
+      - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
+    condition: all
+    rules:
+      - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0'
+
+  - id: 11005
+    title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
+    description: "This option causes mysqld to start without using the privilege system."
+    rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
+    remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
+    compliance:
+      - cis: ["4.5"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
+    condition: all
+    rules:
+      - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
+
+  - id: 11006
+    title: "Ensure '--skip-symbolic-links' Is Enabled"
+    description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available.  When use of symbolic links are enabled, they have different effects depending on the host platform.  When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
+    rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
+    remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not exist, create it in the 'mysqld' section."
+    compliance:
+      - cis: ["4.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
+    condition: all
+    rules:
+      - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
+
+  - id: 11007
+    title: "Ensure 'secure_file_priv' is not empty"
+    description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
+    rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
+    remediation: "Add the line secure_file_priv=<path_to_load_directory> to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+    compliance:
+      - cis: ["4.8"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
+    condition: all
+    rules:
+      - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
+
+  - id: 11008
+    title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
+    description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
+    rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
+    remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
+    compliance:
+      - cis: ["4.9"]
+    condition: all
+    rules:
+      - "c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables"
+
+  #6 Auditing and Logging
+  - id: 11009
+    title: "Ensure 'log_error' is not empty"
+    description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
+    rationale: "Enabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
+    remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
+    compliance:
+      - cis: ["6.1"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
+    condition: all
+    rules:
+      - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
+
+  - id: 11010
+    title: "Ensure Log Files are not Stored on a non-system partition"
+    description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem.  It is common practice to ensure that the system filesystem is left uncluttered by application logs.  System filesystems include the root, /var, or /usr."
+    rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
+    remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
+    compliance:
+      - cis: ["6.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
+      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
+    condition: none
+    rules:
+      - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'
+
+  - id: 11011
+    title: "Ensure 'log_warning' is set to 2"
+    description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log.  A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
+    rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
+    remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
+    compliance:
+      - cis: ["6.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
+    condition: all
+    rules:
+      - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
+
+  - id: 11012
+    title: "Ensure 'log_raw' is set to 'OFF'"
+    description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text.  If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
+    rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
+    remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
+    compliance:
+      - cis: ["6.4"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
+    condition: all
+    rules:
+      - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
+
+  #7 Authentication
+  - id: 11013
+    title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
+    description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements.  Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
+    rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
+    remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
+    compliance:
+      - cis: ["7.1"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
+      - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
+      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
+      - https://www.cvedetails.com/cve/CVE-2003-1480/
+    condition: none
+    rules:
+      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
+      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
+
+  - id: 11014
+    title: "Ensure 'secure_auth' is set to 'ON'"
+    description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
+    rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
+    remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
+    compliance:
+      - cis: ["7.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
+    condition: all
+    rules:
+      - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
+
+  - id: 11015
+    title: "Ensure Passwords Are Not Stored in the Global Configuration"
+    description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
+    rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
+    remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
+    compliance:
+      - cis: ["7.3"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
+    condition: none
+    rules:
+      - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
+
+  - id: 11016
+    title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
+    description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
+    rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
+    remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
+    compliance:
+      - cis: ["7.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
+
+  - id: 11017
+    title: "Ensure Password Policy is in Place"
+    description: "Password complexity includes password characteristics such as length, case, length, and character sets."
+    rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
+    remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
+    compliance:
+      - cis: ["7.6"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
+    condition: all
+    rules:
+      - 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
+      - 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+      - 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
+      - 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
+      - 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
+      - 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
+      - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
+
+  #9 Replication
+  - id: 11018
+    title: "Ensure 'master_info_repository' is set to 'TABLE'"
+    description: "The master_info_repository setting determines to where a slave logs master status and connection information.  The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
+    rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
+    remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
+    compliance:
+      - cis: ["9.2"]
+    references:
+      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
+    condition: all
+    rules:
+      - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
+
+  #10 Enterprise rules
+  - id: 11019
+    title: "Ensure audit_log_connection_policy is not set to 'NONE'"
+    description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. "
+    rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
+    remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
+    compliance:
+      - cis: ["6.5"]
+    condition: none
+    rules:
+      - 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
+
+  - id: 11020
+    title: "Ensure audit_log_exclude_account is set to NULL"
+    description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
+    rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
+    remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
+    compliance:
+      - cis: ["6.6"]
+    condition: all
+    rules:
+      - 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
+
+  - id: 11021
+    title: "Ensure audit_log_include_accounts is set to NULL"
+    description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log."
+    rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
+    remediation: "Set audit_log_include_accounts=NULL in my.cnf."
+    compliance:
+      - cis: ["6.7"]
+    condition: all
+    rules:
+      - 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
+
+  - id: 11022
+    title: "Ensure audit_log_policy is set to log logins and connections"
+    description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled.  It must be set to log logins and connections."
+    rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
+    remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
+    compliance:
+      - cis: ["6.9"]
+    condition: all
+    rules:
+      - 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
+
+  - id: 11023
+    title: "Ensure audit_log_statement_policy is set to ALL"
+    description: "This setting controls whether statements are written to the audit log."
+    rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
+    remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server."
+    compliance:
+      - cis: ["6.10"]
+    condition: all
+    rules:
+      - 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
+
+  - id: 11024
+    title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS"
+    description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS."
+    rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead."
+    remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)."
+    compliance:
+      - cis: ["6.11"]
+    condition: all
+    rules:
+      - 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
+
+  - id: 11025
+    title: "Make sure the audit plugin can't be unloaded"
+    description: "Set audit_log to FORCE_PLUS_PERMANENT."
+    rationale: "This makes disables unloading on the plugin."
+    remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)."
+    compliance:
+      - cis: ["6.12"]
+    condition: all
+    rules:
+      - 'c:grep -Rh force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
diff --git a/etc/ruleset/sca/applications/cis_postgre_sql_13.yml b/etc/ruleset/sca/applications/cis_postgre_sql_13.yml
new file mode 100644
index 0000000000..2e33b389db
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_postgre_sql_13.yml
@@ -0,0 +1,1140 @@
+# Security Configuration Assessment
+# CIS Checks for PostgreSQL 13
+# Copyright (C) 2015, Wazuh Inc.
+
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+# Based on:
+# Center for Internet Security Benchmark for PostgreSQL 13 Benchmark v1.0.0 - 02-26-2021
+
+policy:
+  id: "cis_postgresql_13"
+  file: "cis_postgre_sql_13.yml"
+  name: "CIS Benchmark for PostgreSQL 13"
+  description: "This document, CIS PostgreSQL 13 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for PostgreSQL 13."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+variables: # default values, please provide based on your organization policies
+  $user: test_user # must be granted pg_read_all_settings and LOGIN and .pgpass exists
+  $host: localhost
+  $db: postgres
+  $log_destination: stderr #stderr
+  $log_filename: postgresql-%Y-%m-%d_%H%M%S.log #postgresql-%Y-%m-%d_%H%M%S.log
+  $log_directory: log # log
+  $log_policy: "0600" # 0600
+  $log_rotation_age: 1d # 1d
+  $log_rotation_size: 10MB # 10MB
+  $syslog_facility: local0 # local0
+  $syslog_ident: postgres # postgres
+  $log_timezone: America/New_York #  server's timezone in the Operating System
+
+requirements:
+  title: "Check that postgreSQL13 is up and able to execute commands from shell"
+  description: "Requirements for running the SCA scan against the PostgreSQL13 setup. "
+  condition: all
+  rules:
+    - 'c:psql -U $user -h $host $db -c "\\l" -w -> r:row'
+    - "c:psql --version -> r:13"
+
+checks:
+  # 1 Installation and Patches
+
+  # 1.1 Ensure packages are obtained from authorized repositories (Manual)
+  # Not Applicable: requiers manual verification
+
+  # 1.2 Ensure systemd Service Files Are Enabled (Automated)
+  - id: 24000
+    title: Ensure systemd Service Files Are Enabled
+    description: Confirm, and correct if necessary, the PostgreSQL systemd service is enabled.
+    rationale: >
+      Enabling the systemd service on the OS ensures the database service is active when a
+      change of state occurs as in the case of a system startup or reboot.
+    remediation: >
+      Irrespective of package source, PostgreSQL services can be identified because it typically
+      includes the text string "postgresql". PGDG installs do not automatically register the service
+      as a "want" of the default systemd target. Multiple instances of PostgreSQL services often
+      distinguish themselves using a version number.
+    compliance:
+      - cis: ["1.2"]
+      - cis_csc: ["18", "5.1"]
+    references:
+      - https://linuxcommand.org/man_pages/runlevel8.html
+      - https://linuxcommand.org/man_pages/chkconfig8.html
+      - https://www.tldp.org/LDP/sag/html/run-levels-intro.html
+    condition: all
+    rules:
+      - c:sh -c "systemctl get-default | systemctl list-dependencies | grep postgres" -> r:postgres
+
+  # 1.3 Ensure Data Cluster Initialized Successfully (Automated)
+  # Not Applicable: user switching
+
+  # 2 Directory and File Permissions
+  # Not Applicable: user switching
+
+  # 3 Logging Monitoring And Auditing
+
+  # 3.1.1
+  # Not Applicable: Not covered
+
+  # 3.1.2 Ensure the log destinations are set correctly (Automated) --TODO--
+  - id: 24001
+    title: Ensure the log destinations are set correctly
+    description: >
+      PostgreSQL supports several methods for logging server messages, including stderr,
+      csvlog and syslog. On Windows, eventlog is also supported. One or more of these
+      destinations should be set for server log output.
+    rationale: >
+      If log_destination is not set, then any log messages generated by the core PostgreSQL
+      processes will be lost.
+    remediation: >
+      "Execute the following SQL statements to remediate this setting (in this example, setting the
+      log destination to csvlog):
+
+      postgres=# alter system set log_destination = 'csvlog';
+
+      ALTER SYSTEM
+
+      postgres=# select pg_reload_conf();
+
+      pg_reload_conf
+
+      ----------------
+
+      t
+
+      (1 row)"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/runtime-config-logging.html
+    condition: all
+    rules:
+      - c:sh -c "psql -U $user -h $host $db -c \"SHOW log_destination\" | grep $log_destination$" -> r:\.+
+
+  # 3.1.3 Ensure the logging collector is enabled (Automated)
+  - id: 24002
+    title: Ensure the logging collector is enabled
+    description: >
+      The logging collector is a background process that captures log messages sent to stderr
+      and redirects them into log files. The logging_collector setting must be enabled in order
+      for this process to run. It can only be set at server start.
+    rationale: >
+      "The logging collector approach is often more useful than logging to syslog, since some
+      types of messages might not appear in syslog output. One common example is dynamiclinker failure message; another may be error messages produced by scripts such as
+      archive_command.
+      Note: This setting must be enabled when log_destination is either stderr or csvlog and
+      for certain other logging parameters to take effect."
+    remediation: >
+      "Execute the following SQL statement(s) to remediate this setting:
+
+      postgres=# alter system set logging_collector = 'on';
+
+      ALTER SYSTEM
+
+      26 | Page
+
+      Unfortunately, this setting can only be changed at server (re)start. As root, restart the
+
+      PostgreSQL service for this change to take effect:
+
+      # whoami
+
+      root
+
+      # systemctl restart postgresql-13
+
+      # systemctl status postgresql-13|grep 'ago$'
+
+      Active: active (running) since <date>; 1s ago"
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW logging_collector" -> r:\son'
+
+  # 3.1.4 Ensure the log file destination directory is set correctly (Automated)
+  - id: 24003
+    title: Ensure the log file destination directory is set correctly
+    description: >
+      The log_directory setting specifies the destination directory for log files when
+      log_destination is stderr or csvlog. It can be specified as relative to the cluster data
+      directory ($PGDATA) or as an absolute path. log_directory should be set according to your
+      organization's logging policy.
+    rationale: >
+      If log_directory is not set, it is interpreted as the absolute path '/' and PostgreSQL will
+      attempt to write its logs there (and typically fail due to a lack of permissions to that
+      directory). This parameter should be set to direct the logs into the appropriate directory
+      location as defined by your organization's logging policy.
+    remediation: >
+      "Execute the following SQL statement(s) to remediate this setting:
+
+      postgres=# alter system set log_directory='/var/log/postgres';
+
+      ALTER SYSTEM
+
+      postgres=# select pg_reload_conf();
+
+      pg_reload_conf
+
+      ----------------
+
+      28 | Page
+
+      t
+
+      (1 row)
+
+      postgres=# SHOW log_directory;
+
+      log_directory
+
+      ---------------
+
+      /var/log/postgres
+
+      (1 row)
+
+      Note: The use of /var/log/postgres, above, is an example. This should be set to an
+      appropriate path as defined by your organization's logging requirements. Having said that,
+      it is a good idea to have the logs outside of your PGDATA directory so that they are not
+      included by things like pg_basebackup or pgBackRest."
+    compliance:
+      - cis: ["3.1.4"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_directory\" | grep $log_directory$" -> r:\.+'
+
+  # 3.1.5 Ensure the filename pattern for log files is set correctly (Automated)
+  - id: 24004
+    title: Ensure the filename pattern for log files is set correctly
+    description: >
+      The log_filename setting specifies the filename pattern for log files. The value for
+      log_filename should match your organization's logging policy.
+      The value is treated as a strftime pattern, so %-escapes can be used to specify timevarying filenames. The supported %-escapes are similar to those listed in the Open Group's
+      strftime specification. If you specify a filename without escapes, you should plan to use a
+      log rotation utility to avoid eventually filling the partition that contains log_directory. If
+      there are any time-zone-dependent %-escapes, the computation is done in the zone
+      specified by log_timezone. Also, the system's strftime is not used directly, so platformspecific (nonstandard) extensions do not work.
+      If CSV-format output is enabled in log_destination, .csv will be appended to the log
+      filename. (If log_filename ends in .log, the suffix is replaced instead.)
+    rationale: >
+      If log_filename is not set, then the value of log_directory is appended to an empty string
+      try to write to a directory instead of a file.
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting:
+      postgres=# alter system set log_filename='postgresql-%Y%m%d.log';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+      postgres=# SHOW log_filename;
+      log_filename
+      -------------------
+      postgresql-%Y%m%d.log
+      (1 row)
+      Note: In this example, a new logfile will be created for each day (e.g. postgresql20180901.log)"
+    compliance:
+      - cis: ["3.1.5"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://man7.org/linux/man-pages/man3/strftime.3.html
+      - https://www.postgresql.org/docs/current/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_filename\" | grep $log_filename" -> r:\.+'
+
+  # 3.1.6 Ensure the log file permissions are set correctly (Automated)
+  - id: 24005
+    title: Ensure the log file permissions are set correctly
+    description: >
+      The log_file_mode setting determines the file permissions for log files when
+      logging_collector is enabled. The parameter value is expected to be a numeric mode
+      specification in the form accepted by the chmod and umask system calls. (To use the
+      customary octal format, the number must start with a 0 (zero).)
+      The permissions should be set to allow only the necessary access to authorized personnel.
+      In most cases the best setting is 0600, so that only the server owner can read or write the
+      log files. The other commonly useful setting is 0640, allowing members of the owner's
+      group to read the files, although to make use of that, you will need to alter the
+      log_directory setting to store the log files outside the cluster data directory.
+    rationale: >
+      Log files often contain sensitive data. Allowing unnecessary access to log files may
+      inadvertently expose sensitive data to unauthorized personnel.
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting (with the example assuming a desired value of 0600):
+      postgres=# alter system set log_file_mode = '0600';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      33 | Page
+      ----------------
+      t
+      (1 row)
+      postgres=# SHOW log_file_mode;
+      log_file_mode
+      ---------------
+      0600
+      (1 row)"
+    compliance:
+      - cis: ["3.1.6"]
+      - cis_csc: ["14.4", "14.6"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_file_mode\" | grep $log_file_mode" -> r:\.+'
+
+  # 3.1.7 Ensure 'log_truncate_on_rotation' is enabled (Automated)
+  - id: 24006
+    title: Ensure 'log_truncate_on_rotation' is enabled
+    description: >
+      "Enabling the log_truncate_on_rotation setting when logging_collector is enabled
+      causes PostgreSQL to truncate (overwrite) existing log files with the same name during log
+      rotation instead of appending to them. For example, using this setting in combination with
+      a log_filename setting value like postgresql-%H.log would result in generating 24 hourly
+      log files and then cyclically overwriting them:
+
+      postgresql-00.log
+
+      postgresql-01.log
+
+      [...]
+
+      postgresql-23.log
+
+      Note: Truncation will occur only when a new file is being opened due to time-based
+      rotation, not during server startup or size-based rotation (see later in this benchmark for
+      size-based rotation details)."
+    rationale: >
+      If this setting is disabled, pre-existing log files will be appended to if log_filename is
+      configured in such a way that static names are generated.
+      Enabling or disabling the truncation should only be decided when also considering the
+      value of log_filename and log_rotation_age/log_rotation_size.
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting:
+      postgres=# alter system set log_truncate_on_rotation = 'on';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+      postgres=# SHOW log_truncate_on_rotation;
+      log_truncate_on_rotation
+      --------------------------
+      on
+      (1 row)"
+    compliance:
+      - cis: ["3.1.7"]
+      - cis_csc: ["6.3", "6.4"]
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_truncate_on_rotation" -> r:\son'
+
+  # 3.1.8 Ensure the maximum log file lifetime is set correctly (Automated)
+  - id: 24007
+    title: Ensure the maximum log file lifetime is set correctly
+    description: >
+      When logging_collector is enabled, the log_rotation_age parameter determines the
+      maximum lifetime of an individual log file (depending on the value of log_filename). After
+      this many minutes have elapsed, a new log file will be created via automatic log file
+      rotation. Current best practices advise log rotation at least daily, but your organization's
+      logging policy should dictate your rotation schedule.
+    rationale: Log rotation is a standard best practice for log management.
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting (in this example, setting it
+      to one hour):
+      postgres=# alter system set log_rotation_age='1h';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)"
+    compliance:
+      - cis: ["3.1.8"]
+      - cis_csc: ["6.3", "6.4"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_rotation_age\" | grep $log_rotation_age" -> r:\.+'
+
+  # 3.1.9 Ensure the maximum log file size is set correctly (Automated)
+  - id: 24008
+    title: Ensure the maximum log file size is set correctly
+    description: >
+      The log_rotation_size setting determines the maximum size of an individual log file.
+      Once the maximum size is reached, automatic log file rotation will occur.
+    rationale: >
+      If this is set to zero, size-triggered creation of new log files is disabled. This will prevent
+      automatic log file rotation when files become too large, which could put log data at
+      increased risk of loss (unless age-based rotation is configured).
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting (in this example, setting it to 1GB):
+      postgres=# alter system set log_rotation_size = '1GB';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)"
+    compliance:
+      - cis: ["3.1.9"]
+      - cis_csc: ["6.3", "6.4"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_rotation_size\" | grep $log_rotation_size" -> r:\.+'
+
+  # 3.1.10 Ensure the correct syslog facility is selected (Manual)
+  - id: 24009
+    title: Ensure the correct syslog facility is selected
+    description: >
+      The syslog_facility setting specifies the syslog "facility" to be used when logging to
+      syslog is enabled. You can choose from any of the 'local' facilities. Your organization's logging policy should dictate which facility to use based on the syslog
+      daemon in use.
+    rationale: >
+      If not set to the appropriate facility, the PostgreSQL log messages may be intermingled with
+      other applications' log messages, incorrectly routed, or potentially dropped (depending on
+      your syslog configuration).
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting (in this example, setting it to the LOCAL1 facility):
+      postgres=  alter system set syslog_facility = 'LOCAL1';
+      ALTER SYSTEM
+      postgres=  select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)"
+    compliance:
+      - cis: ["3.1.10"]
+      - cis_csc: ["6", "6.2"]
+    references:
+      - https://tools.ietf.org/html/rfc3164 section-4.1.1
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"show syslog_facility\" | grep $syslog_facility" -> r:\.+'
+
+  # 3.1.11 Ensure the program name for PostgreSQL syslog messages is correct (Automated)
+  - id: 24010
+    title: Ensure the program name for PostgreSQL syslog messages is correct
+    description: >
+      The syslog_ident setting specifies the program name used to identify PostgreSQL
+      messages in syslog logs. An example of a possible program name is postgres.
+    rationale: >
+      If this is not set correctly, it may be difficult or impossible to distinguish PostgreSQL
+      messages from other messages in syslog logs.
+    remediation: |
+      "Execute the following SQL statement(s) to remediate this setting (in this example, assuming a program name of proddb):
+      postgres=# alter system set syslog_ident = 'proddb';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+      postgres=# show syslog_ident;
+      syslog_ident
+      --------------
+      proddb
+      (1 row)"
+    compliance:
+      - cis: ["3.1.11"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://tools.ietf.org/html/rfc3164#section-4.1.3
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"show syslog_ident\" | grep $syslog_ident" -> r:\.+'
+
+  # 3.1.12 Ensure the correct messages are written to the server log (Automated)
+  - id: 24011
+    title: Ensure the correct messages are written to the server log
+    description: >
+      The log_min_messages setting specifies the message levels that are written to the server
+      log. Each level includes all the levels that follow it. The lower the level (vertically, below),
+      the fewer messages are sent.
+    rationale: >
+      If this is not set to the correct value, too many messages or too few messages may be
+      written to the server log.
+    remediation: |
+      Execute the following SQL statement(s) as superuser to remediate this setting (in this example, to set it to warning):
+      postgres=# alter system set log_min_messages = 'warning';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.12"]
+      - cis_csc: ["6", "6.4"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: none
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_min_messages" -> r:\serror|\slog$|\sfatal$|\spanic$'
+
+  ## 3.1.13 Ensure the correct SQL statements generating errors are recorded (Automated)
+  - id: 24012
+    title: Ensure the correct SQL statements generating errors are recorded
+    description: >
+      The log_min_error_statement setting causes all SQL statements generating errors at or
+      above the specified severity level to be recorded in the server log. Each level includes all
+      the levels that follow it. The lower the level (vertically, below), the fewer messages are
+      recorded.
+
+      ERROR is considered the best practice setting. Changes should only be made in accordance
+      with your organization's logging policy.
+
+      Note: To effectively turn off logging of failing statements, set this parameter to PANIC.
+    rationale: >
+      If this is not set to the correct value, too many erring SQL statements or too few erring SQL
+      statements may be written to the server log.
+    remediation: |
+      Execute the following SQL statement(s) as superuser to remediate this setting (in the example, to error):
+      postgres=# alter system set log_min_error_statement = 'error';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.13"]
+      - cis_csc: ["6", "6.4"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: none
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_min_error_statement" -> r:\slog$|\sfatal$|\spanic$'
+
+  ## 3.1.14 Ensure 'debug_print_parse' is disabled (Automated)
+  - id: 24013
+    title: Ensure 'debug_print_parse' is disabled
+    description: >
+      The debug_print_parse setting enables printing the resulting parse tree for each executed
+      query. These messages are emitted at the LOG message level. Unless directed otherwise by
+      your organization's logging policy, it is recommended this setting be disabled by setting it
+      to off.
+    rationale: >
+      Enabling any of the DEBUG printing variables may cause the logging of sensitive information
+      that would otherwise be omitted based on the configuration of the other logging settings.
+    remediation: |
+      Execute the following SQL statement(s) to remediate this setting:
+      postgres=  alter system set debug_print_parse='off';
+      ALTER SYSTEM
+      postgres=  select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.14"]
+      - cis_csc: ["6", "5.1"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "show debug_print_parse" -> r:\soff'
+
+  ## 3.1.15 Ensure 'debug_print_rewritten' is disabled (Automated)
+  - id: 24014
+    title: Ensure 'debug_print_rewritten' is disabled
+    description: >
+      The debug_print_rewritten setting enables printing the query rewriter output for each
+      executed query. These messages are emitted at the LOG message level. Unless directed
+      otherwise by your organization's logging policy, it is recommended this setting be disabled
+      by setting it to off.
+    rationale: >
+      Enabling any of the DEBUG printing variables may cause the logging of sensitive information
+      that would otherwise be omitted based on the configuration of the other logging settings.
+    remediation: |
+      Execute the following SQL statement(s) to disable this setting:
+      postgres=# alter system set debug_print_rewritten = 'off';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.15"]
+      - cis_csc: ["6", "5.1"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html+
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "show debug_print_rewritten" -> r:\soff'
+
+  ## 3.1.16 Ensure 'debug_print_plan' is disabled (Automated)
+  - id: 24015
+    title: Ensure 'debug_print_plan' is disabled
+    description: >
+      The debug_print_plan setting enables printing the execution plan for each executed query.
+      These messages are emitted at the LOG message level. Unless directed otherwise by your
+      organization's logging policy, it is recommended this setting be disabled by setting it to off.
+    rationale: >
+      Enabling any of the DEBUG printing variables may cause the logging of sensitive information
+      that would otherwise be omitted based on the configuration of the other logging settings.
+    remediation: |
+      Execute the following SQL statement(s) to disable this setting:
+      postgres=# alter system set debug_print_plan = 'off';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.16"]
+      - cis_csc: ["6", "5.1"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "show debug_print_plan" -> r:\soff'
+
+  ## 3.1.17 Ensure 'debug_pretty_print' is enabled (Automated)
+  - id: 24016
+    title: Ensure 'debug_pretty_print' is enabled
+    description: >
+      Enabling debug_pretty_print indents the messages produced by debug_print_parse,
+      debug_print_rewritten, or debug_print_plan making them significantly easier to read.
+    rationale: >
+      If this setting is disabled, the "compact" format is used instead, significantly reducing
+      readability of the DEBUG statement log messages.
+    remediation: |
+      Execute the following SQL statement(s) to enable this setting:
+      postgres=# alter system set debug_pretty_print = 'on';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.17"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "show debug_pretty_print" -> r:\son'
+
+  ## 3.1.18 Ensure 'log_connections' is enabled (Automated)
+  - id: 24017
+    title: Ensure 'log_connections' is enabled
+    description: >
+      Enabling the log_connections setting causes each attempted connection to the server to
+      be logged, as well as successful completion of client authentication. This parameter cannot
+      be changed after session start.
+    rationale: >
+      PostgreSQL does not maintain an internal record of attempted connections to the database
+      for later auditing. It is only by enabling the logging of these attempts that one can
+      determine if unexpected attempts are being made.
+
+      Note that enabling this without also enabling log_disconnections provides little value.
+      Generally, you would enable/disable the pair together.
+    remediation: |
+      Execute the following SQL statement(s) to enable this setting:
+      postgres=# alter system set log_connections = 'on';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.18"]
+      - cis_csc: ["6", "6.3"]
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_connections" -> r:\son'
+
+  ## 3.1.19 Ensure 'log_disconnections' is enabled (Automated)
+  - id: 24018
+    title: Ensure 'log_disconnections' is enabled (Automated)
+    description: >
+      Enabling the log_disconnections setting logs the end of each session, including session
+      duration. This parameter cannot be changed after session start.
+    rationale: >
+      PostgreSQL does not maintain the beginning or ending of a connection internally for later
+      review. It is only by enabling the logging of these that one can examine connections for
+      failed attempts, 'over long' duration, or other anomalies.
+
+      Note that enabling this without also enabling log_connections provides little value.
+      Generally, you would enable/disable the pair together
+    remediation: |
+      Execute the following SQL statement(s) to enable this setting:
+      postgres=  alter system set log_disconnections = 'on';
+      ALTER SYSTEM
+      postgres=  select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.19"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_disconnections" -> r:\son'
+
+  ## 3.1.20 Ensure 'log_error_verbosity' is set correctly (Automated)
+  - id: 24019
+    title: Ensure 'log_error_verbosity' is set correctly
+    description: >
+      The log_error_verbosity setting specifies the verbosity (amount of detail) of logged
+      messages.
+    rationale: >
+      If this is not set to the correct value, too many details or too few details may be logged.
+    remediation: |
+      Execute the following SQL statement(s) as superuser to remediate this setting (in this example, to verbose):
+      postgres=# alter system set log_error_verbosity = 'verbose';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.20"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_error_verbosity" -> r:\sverbose'
+
+  ## 3.1.21 Ensure 'log_hostname' is set correctly (Automated)
+  - id: 24020
+    title: Ensure 'log_hostname' is set correctly
+    description: >
+      Enabling the log_hostname setting causes the hostname of the connecting host to be logged
+      in addition to the host's IP address for connection log messages. Disabling the setting
+      causes only the connecting host's IP address to be logged, and not the hostname. Unless
+      your organization's logging policy requires hostname logging, it is best to disable this
+      setting so as not to incur the overhead of DNS resolution for each statement that is logged.
+    rationale: >
+      Depending on your hostname resolution setup, enabling this setting might impose a nonnegligible performance penalty. Additionally, the IP addresses that are logged can be
+      resolved to their DNS names when reviewing the logs (unless dynamic host names are
+      being used as part of your DHCP setup).
+    remediation: |
+      Execute the following SQL statement(s) to remediate this setting (in this example, to off):
+      postgres=# alter system set log_hostname='off';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.21"]
+      - cis_csc: ["6", "5.1"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_hostname" -> r:\soff'
+
+  ## 3.1.22 Ensure 'log_line_prefix' is set correctly (Automated)
+  - id: 24021
+    title: Ensure 'log_line_prefix' is set correctly
+    description: >
+      The log_line_prefix setting specifies a printf-style string that is prefixed to each log line.
+      If blank, no prefix is used. You should configure this as recommended by the pgBadger
+      development team unless directed otherwise by your organization's logging policy.
+
+      % characters begin "escape sequences" that are replaced with status information as
+      outlined below. Unrecognized escapes are ignored. Other characters are copied straight to
+      the log line. Some escapes are only recognized by session processes and will be treated as
+      empty by background processes such as the main server process. Status information may
+      be aligned either left or right by specifying a numeric literal after the % and before the
+      option. A negative value will cause the status information to be padded on the right with
+      spaces to give it a minimum width, whereas a positive value will pad on the left. Padding
+      can be useful to aid human readability in log files.
+    rationale: >
+      Properly setting log_line_prefix allows for adding additional information to each log
+      entry (such as the user, or the database). Said information may then be of use in auditing or
+      security reviews.
+    remediation: |
+      Execute the following SQL statement(s) to remediate this setting:
+      postgres=# alter system set log_line_prefix = '%m [%p]: [%l-1]
+      db=%d,user=%u,app=%a,client=%h';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.22"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://pgbadger.darold.net/
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_disconnections" -> r:%m\s\[%p\]:\s\[%l-1\]\sdb=%d,user=%u,app=%a,client=%h'
+
+  ## 3.1.23 Ensure 'log_statement' is set correctly (Automated)
+  - id: 24022
+    title: Ensure 'log_statement' is set correctly
+    description: >
+      The log_statement setting specifies the types of SQL statements that are logged.
+      It is recommended this be set to ddl unless otherwise directed by your organization's
+      logging policy.
+    rationale: >
+      Setting log_statement to align with your organization's security and logging policies
+      facilitates later auditing and review of database activities.
+    remediation: |
+      Execute the following SQL statement(s) as superuser to remediate this setting:
+      postgres=# alter system set log_statement='ddl';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.23"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW log_statement" -> r:\sdll'
+
+  ## 3.1.24 Ensure 'log_timezone' is set correctly (Automated)
+  - id: 24023
+    title: Ensure 'log_timezone' is set correctly
+    description: >
+      The log_timezone setting specifies the time zone to use in timestamps within log messages.
+      This value is cluster-wide, so that all sessions will report timestamps consistently. Unless
+      directed otherwise by your organization's logging policy, set this to either GMT or UTC.
+    rationale: >
+      Log entry timestamps should be configured for an appropriate time zone as defined by
+      your organization's logging policy to ensure a lack of confusion around when a logged
+      event occurred.
+
+      Note that this setting affects only the timestamps present in the logs. It does not affect the
+      time zone in use by the database itself (for example, select now()), nor does it affect the
+      host's time zone.
+    remediation: |
+      Execute the following SQL statement(s) to remediate this setting:
+      postgres=# alter system set log_timezone = 'GMT';
+      ALTER SYSTEM
+      postgres=# select pg_reload_conf();
+      pg_reload_conf
+      ----------------
+      72 | Page
+      t
+      (1 row)
+    compliance:
+      - cis: ["3.1.24"]
+      - cis_csc: ["6", "6.3"]
+    references:
+      - https://www.postgresql.org/docs/current/static/runtime-config-logging.html
+      - https://en.wikipedia.org/wiki/Time_zone
+    condition: all
+    rules:
+      - 'c:sh -c "psql -U $user -h $host $db -c \"SHOW log_timezone\" | grep $log_timezone" -> r:\.+'
+
+  ## 3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled (Automated)
+  - id: 24024
+    title: Ensure the PostgreSQL Audit Extension (pgAudit) is enabled
+    description: >
+      The PostgreSQL Audit Extension (pgAudit) provides detailed session and/or object audit
+      logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide
+      PostgreSQL users with the capability to produce audit logs often required to comply with
+      government, financial, or ISO certifications.
+    rationale: >
+      Basic statement logging can be provided by the standard logging facility with
+      log_statement = all. This is acceptable for monitoring and other uses but does not
+      provide the level of detail generally required for an audit. It is not enough to have a list of
+      all the operations performed against the database, it must also be possible to find
+      particular statements that are of interest to an auditor. The standard logging facility shows
+      what the user requested, while pgAudit focuses on the details of what happened while the
+      database was satisfying the request.
+
+      When logging SELECT and DML statements, pgAudit can be configured to log a separate entry
+      for each relation referenced in a statement. No parsing is required to find all statements
+      that touch a particular table. In fact, the goal is that the statement text is provided primarily
+      for deep forensics and should not be required for an audit.
+    remediation: |
+      To install and enable pgAudit, simply install the appropriate rpm from the PGDG repo:
+      # whoami
+      root
+      pgauditlogtofile_96.x86_64 : PostgreSQL Audit Log To File Extension
+      [root@centos8 ~]# dnf -y install pgaudit15_13
+      Last metadata expiration check: 0:24:09 ago on Mon 14 Dec 2020 06:59:52 PM
+      UTC.
+      Dependencies resolved.
+      =============================================================================
+      Package Architecture Version Repository Size
+      =============================================================================
+      Installing:
+      pgaudit15_13 x86_64 1.5.0-1.rhel8 pgdg13 52 k
+      Transaction Summary
+      =============================================================================
+      Install 1 Package
+      Total download size: 52 k
+      Installed size: 93 k
+      Downloading Packages:
+      pgaudit15_13-1.5.0-1.rhel8.x86_64.rpm 54 kB/s | 52 kB 00:00
+      -----------------------------------------------------------------------------
+      Total 54 kB/s | 52 kB 00:00
+      75 | Page
+      Running transaction check
+      Transaction check succeeded.
+      Running transaction test
+      Transaction test succeeded.
+      Running transaction
+      Preparing : 1/1
+      Installing : pgaudit15_13-1.5.0-1.rhel8.x86_64 1/1
+      Running scriptlet: pgaudit15_13-1.5.0-1.rhel8.x86_64 1/1
+      Verifying : pgaudit15_13-1.5.0-1.rhel8.x86_64 1/1
+      Installed:
+      pgaudit15_13-1.5.0-1.rhel8.x86_64
+      Complete!
+      pgAudit is now installed and ready to be configured. Next, we need to alter the postgresql.conf configuration file to:
+      • enable pgAudit as an extension in the shared_preload_libraries parameter
+      • indicate which classes of statements we want to log via the pgaudit.log parameter
+      and, finally, restart the PostgreSQL service:
+      $ vi ${PGDATA}/postgresql.conf
+      Find the shared_preload_libraries entry, and add 'pgaudit' to it (preserving any existing entries):
+      shared_preload_libraries = 'pgaudit'
+      OR
+      shared_preload_libraries = 'pgaudit,somethingelse'
+      Now, add a new pgaudit-specific entry:
+      # for this example we are logging the ddl and write operations
+      pgaudit.log='ddl,write'
+      Restart the PostgreSQL server for changes to take affect:
+      # whoami
+      root
+      # systemctl restart postgresql-13
+      # systemctl status postgresql-13|grep 'ago$'
+      Active: active (running) since [date] 10s ago
+    compliance:
+      - cis: ["3.2"]
+      - cis: ["6", "6.2"]
+    references:
+      - https://www.pgaudit.org/
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "show shared_preload_libraries" -> r:pgaudit'
+
+  ## 4 User Access and Authorization
+
+  ## 4.1 Ensure sudo is configured correctly (Manual)
+  ## Not Aplicable: requires user switching
+
+  ## 4.2 Ensure excessive administrative privileges are revoked (Manual)
+  ## Not Aplicable: requires user switching
+
+  ## 4.3 Ensure excessive function privileges are revoked (Automated)
+  ## Not Aplicable: requires user switching
+
+  ## 4.4 Ensure excessive DML privileges are revoked (Manual)
+  ## Not Aplicable: subjective
+
+  ## 4.5 Use pg_permission extension to audit object permissions (Automated)
+  - id: 24025
+    title: Use pg_permission extension to audit object permissions
+    description: >
+      Using a PostgreSQL extension called pg_permissions it is possible to declare which DB
+      users should have which permissions on a given object and generate a report showing
+      compliance/deviation.
+    rationale: >
+      Auditing permissions in a PostgreSQL database can be intimidating given the default
+      manner in which permissions are presented. The pg_permissions extension greatly
+      simplifies this presentation and allows the user to declare what permissions should exist
+      and then report on differences from that ideal.
+
+    compliance:
+      - cis: ["4.5"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://github.com/cybertec-postgresql/pg_permission
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "select * from pg_available_extensions where name=\"pg_permissions\";" -> r:pg_permissions && !r:(0\srows) && !r:ERROR'
+
+  ## 4.6 Ensure Row Level Security (RLS) is configured correctly (Manual)
+  ## Not Aplicable: subjective
+
+  ## 4.7 Ensure the set_user extension is installed (Automated)
+  - id: 24026
+    title: Ensure the set_user extension is installed
+    description: >
+      PostgreSQL access to the superuser database role must be controlled and audited to
+      prevent unauthorized access.
+    rationale: >
+      Even when reducing and limiting the access to the superuser role as described earlier in
+      this benchmark, it is still difficult to determine who accessed the superuser role and what
+      actions were taken using that role. As such, it is ideal to prevent anyone from logging in as
+      the superuser and forcing them to escalate their role. This model is used at the OS level by
+      the use of sudo and should be emulated in the database. The set_user extension allows for
+      this setup.
+
+    compliance:
+      - cis: ["4.7"]
+      - cis_csc: ["5.1", "5.8", "4.3"]
+    references:
+      - https://github.com/pgaudit/set_user
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "select * from pg_available_extensions where name=\"set_user\";" -> r:set_user && !r:(0\srows) && !r:ERROR'
+
+  # 4.8 Make use of default roles (Manual)
+  # Not Aplicable: subjective
+
+  # 5 Connection and Login
+  # Not Aplicable: requires user interaction
+
+  # 6 PostgreSQL Settings
+  # 6.7 Ensure FIPS 140-2 OpenSSL Cryptography Is Used (Automated)
+  - id: 24027
+    title: Ensure FIPS 140-2 OpenSSL Cryptography Is Used
+    description: >
+      Install, configure, and use OpenSSL on a platform that has a NIST certified FIPS 140-2
+      installation of OpenSSL. This provides PostgreSQL instances the ability to generate and
+      validate cryptographic hashes to protect unclassified information requiring confidentiality
+      and cryptographic protection, in accordance with the data owner's requirements.
+    rationale: >
+      Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security
+      standard developed by a U.S. Government and industry working group for validating the
+      quality of cryptographic modules. Use of weak, or untested, encryption algorithms
+      undermine the purposes of utilizing encryption to protect data. PostgreSQL uses OpenSSL
+      for the underlying encryption layer.
+      The database and application must implement cryptographic modules adhering to the
+      higher standards approved by the federal government since this provides assurance they
+      have been tested and validated. It is the responsibility of the data owner to assess the
+      cryptography requirements in light of applicable federal laws, Executive Orders, directives,
+      policies, regulations, and standards.
+      For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for
+      Cryptographic Modules. Note that the product's cryptographic modules must be validated
+      and certified by NIST as FIPS-compliant. The security functions validated as part of FIPS
+      140-2 for cryptographic modules are described in FIPS 140-2 Annex A. Currently only Red
+      Hat Enterprise Linux is certified as a FIPS 140-2 distribution of OpenSSL. For other
+      operating systems, users must obtain or build their own FIPS 140-2 OpenSSL libraries.
+
+    compliance:
+      - cis: ["6.7"]
+      - cis_csc: ["14.2", "14.4"]
+    references:
+      - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies
+      - https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1758.pdf
+      - https://csrc.nist.gov/publications/fips
+    condition: all
+    rules:
+      - 'c:fips-mode-setup --check -> r:FIPS\smode\sis\senabled'
+
+  # 6.8 Ensure SSL is enabled and configured correctly (Automated)
+  - id: 24028
+    title: Ensure SSL is enabled and configured correctly
+    description: >
+      SSL on a PostgreSQL server should be enabled (set to on) and configured to encrypt TCP
+      traffic to and from the server.
+    rationale: >
+      If SSL is not enabled and configured correctly, this increases the risk of data being
+      compromised in transit.
+
+    compliance:
+      - cis: ["6.8"]
+      - cis_csc: ["14.2", "14.4"]
+    references:
+      - https://www.postgresql.org/docs/current/static/ssl-tcp.html
+      - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
+      - https://www.postgresql.org/docs/current/static/libpq-ssl.html
+    condition: all
+    rules:
+      - 'c:psql -U $user -h $host $db -c "SHOW ssl" -> r:\son'
+
+  # 7 Replication
+
+  # 8 Special Configuration Considerations
+  # 8.3 Ensure the backup and restore tool, 'pgBackRest', is installed and configured (Automated)
+  - id: 24029
+    title: Ensure the backup and restore tool, 'pgBackRest', is installed and configured
+    description: >
+      pgBackRest aims to be a simple, reliable backup and restore system that can seamlessly
+      scale up to the largest databases and workloads. Instead of relying on traditional backup
+      tools like tar and rsync, pgBackRest implements all backup features internally and uses a
+      custom protocol for communicating with remote systems. Removing reliance on tar and
+      rsync allows for better solutions to database-specific backup challenges. The custom
+      remote protocol allows for more flexibility and limits the types of connections that are
+      required to perform a backup which increases security.
+    rationale: >
+      The native PostgreSQL backup facility pg_dump provides adequate logical backup
+      operations but does not provide for Point In Time Recovery (PITR). The PostgreSQL facility
+      pg_basebackup performs physical backup of the database files and does provide for PITR,
+      but it is constrained by single threading. Both of these methodologies are standard in the
+      PostgreSQL ecosystem and appropriate for particular backup/recovery needs. pgBackRest
+      offers another option with much more robust features and flexibility.
+      pgBackRest is open-source software developed to perform efficient backups on PostgreSQL
+      databases that measure in tens of terabytes and greater. It supports per file checksums,
+      compression, partial/failed backup resume, high-performance parallel transfer,
+      asynchronous archiving, tablespaces, expiration, full/differential/incremental,
+      local/remote operation via SSH, hard-linking, restore, backup encryption, and more.
+      pgBackRest is written in C and Perl and does not depend on rsync or tar but instead
+      performs its own deltas which gives it maximum flexibility. Finally, pgBackRest provides an
+      easy-to-use internal repository listing backup details accessible via the pgbackrest info
+      command.
+    remediation: >
+      pgBackRest is not installed nor configured for PostgreSQL by default, but instead is
+      maintained as a GitHub project. Fortunately, it is a part of the PGDG repository and can be
+      easily installed:
+
+      $ whoami
+
+      root
+
+      $ dnf -y install pgbackrest
+
+      [snip]
+
+      Installed:
+
+      pgbackrest-2.31-1.rhel8.x86_64
+
+      Complete!
+
+      Once installed, pgBackRest must be configured for things like stanza name, backup
+      location, retention policy, logging, etc. Please consult the configuration guide.
+      If employing pgBackRest for your backup/recovery solution, ensure the repository, base
+      backups, and WAL archives are stored on a reliable file system separate from the database
+      server. Further, the external storage system where backups resided should have limited
+      access to only those system administrators as necessary. Finally, as with any
+      backup/recovery solution, stringent testing must be conducted. A backup is only good if
+      it can be restored successfully.
+    compliance:
+      - cis: ["8.3"]
+      - cis_csc: ["10", "10.1", "10.2"]
+    references:
+      - https://pgbackrest.org/
+      - https://github.com/pgbackrest/pgbackrest
+      - https://www.postgresql.org/docs/current/static/app-pgdump.html
+      - https://www.postgresql.org/docs/current/static/app-pgbasebackup.html
+    condition: none
+    rules:
+      - "c:pgbackrest -> -bash: pgbackrest: command not found"
diff --git a/etc/ruleset/sca/applications/cis_sqlserver_2012.yml b/etc/ruleset/sca/applications/cis_sqlserver_2012.yml
new file mode 100644
index 0000000000..4c84d3e013
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_sqlserver_2012.yml
@@ -0,0 +1,459 @@
+# Security Configuration Assessment
+# CIS Microsoft SQL Server 2012
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on Center for Internet Security Benchmark for Microsoft SQL Server 2012 v1.5.0 - 05-31-2019
+
+policy:
+  id: "cis_sqlserver_2012"
+  file: "cis_sqlserver_2012.yml"
+  name: "CIS Microsoft SQL Server 2012 Benchmark v1.5.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2012."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform has Microsoft SQL Server 2012"
+  description: "Requirements for running the CIS Microsoft SQL Server 2012 Benchmark"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+variables:
+  $User:
+
+checks:
+  ######################################################
+  # 2 Surface Area Reduction
+  ######################################################
+  # 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)
+  - id: 11500
+    title: "Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'"
+    description: "Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled."
+    rationale: "This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Application functions."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries' ;\" -> r:Ad Hoc Distributed Queries\\s+0\\s+0"
+
+  # 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)
+  - id: 11501
+    title: "Ensure 'CLR Enabled' Server Configuration Option is set to '0'"
+    description: "The clr enabled option specifies whether user assemblies can be run by SQL Server."
+    rationale: "Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'clr enabled', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["18.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';\" -> r:0\\s+0"
+
+  # 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+  - id: 11502
+    title: "Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'"
+    description: "The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level."
+    rationale: "When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master , model , or tempdb system databases."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'cross db ownership chaining', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';\" -> r:0\\s+0"
+
+  # 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+  - id: 11503
+    title: "Ensure 'Database Mail XPs' Server Configuration Option is set to '0'"
+    description: "The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server."
+    rationale: "Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Database Mail XPs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';\" -> r:0\\s+0"
+
+  # 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+  - id: 11504
+    title: "Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'"
+    description: "The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server."
+    rationale: "Enabling this option will increase the attack surface of SQL Server and allow users to execute functions in the security context of SQL Server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ole Automation Procedures', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';\" -> r:0\\s+0"
+
+  # 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
+  - id: 11505
+    title: "Ensure 'Remote Access' Server Configuration Option is set to '0'"
+    description: "The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server."
+    rationale: "Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'remote access', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';\" -> r:0\\s+0"
+
+  # 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)
+  - id: 11506
+    title: "Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'"
+    description: "The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC)."
+    rationale: 'The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually be enabled ( 1 ) for SQL Server failover clusters; otherwise it should be disabled ( 0 ) which is the default.'
+    remediation: "Run the following T-SQL command on non-clustered installations: EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"USE master; SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;\" -> r:0\\s*\\t*0|0 rows affected"
+
+  # 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)
+  - id: 11507
+    title: "Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'"
+    description: "The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup."
+    rationale: "Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'scan for startup procs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';\" -> r:0\\s+0"
+
+  # 2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)
+  - id: 11508
+    title: "Ensure 'Trustworthy' Database Property is set to 'Off'"
+    description: "The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances."
+    rationale: "Provides protection from malicious CLR assemblies or extended procedures."
+    remediation: "Execute the following T-SQL statement against the databases (replace <dbname> below) returned by the Audit Procedure: ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;"
+    compliance:
+      - cis: ["2.9"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property"
+      - "https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != ''msdb'';" -> r:0 rows affected'
+
+  # 2.11 Ensure SQL Server is configured to use non-standard ports (Not Scored)
+  - id: 11509
+    title: "Ensure SQL Server is configured to use non-standard ports"
+    description: "If enabled, the default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed."
+    rationale: "Using a non-default port helps protect the database from attacks directed to the default port."
+    remediation: "1: In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <InstanceName> , and then double-click the TCP/IP or VIA protocol. 2: In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1 , IP2 , up to IPAll . One of these is for the IP address of the loopback adapter, 127.0.0.1 . Additional IP addresses appear for each IP Address on the computer. 3: Change the TCP Port field from 1433 to another non-standard port or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment and then click OK. 4: In the console pane, click SQL Server Services. 5: In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server."
+    compliance:
+      - cis: ["2.11"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port"
+    condition: none
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433'; \" -> r:1433"
+
+  # 2.13 Ensure 'sa' Login Account is set to 'Disabled' (Scored)
+  - id: 11510
+    title: "Ensure 'sa' Login Account is set to 'Disabled'"
+    description: "The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01 ."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal."
+    remediation: "Execute the following T-SQL query: USE [master] GO DECLARE @tsql nvarchar(max) SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE' EXEC (@tsql) GO"
+    compliance:
+      - cis: ["2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" -> r:0 rows affected'
+
+  # 2.14 Ensure 'sa' Login Account has been renamed (Scored)
+  - id: 11511
+    title: "Ensure 'sa' Login Account has been renamed"
+    description: "The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01 ."
+    rationale: "It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known."
+    remediation: "Replace the <different_user> value within the below syntax and execute to rename the sa login. ALTER LOGIN sa WITH NAME = <different_user>;"
+    compliance:
+      - cis: ["2.14"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.server_principals WHERE sid = 0x01;" -> r:sa'
+
+  # 2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'
+  - id: 11512
+    title: "Ensure 'xp_cmdshell' Server Configuration Option is set to '0'"
+    description: "The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client."
+    rationale: "The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.15"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';\" -> r:0\\s+0"
+
+  # 2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+  - id: 11513
+    title: "Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases"
+    description: "AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be reopened and relevant procedure caches to be rebuilt."
+    rationale: "Because authentication of users for contained databases occurs within the database not at the server\\instance level, the database must be opened every time to authenticate a user. The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service."
+    remediation: "Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure: ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;"
+    compliance:
+      - cis: ["2.16"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" -> r:0 rows affected'
+
+  # 2.17 Ensure no login exists with the name 'sa' (Scored)
+  - id: 11514
+    title: "Ensure no login exists with the name 'sa'"
+    description: "The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login ( principal_id = 1 ) has been renamed."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name."
+    remediation: "Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa . Replace the <different_name> value within the below syntax and execute to rename the sa login. USE [master] GO -- If principal_id = 1 or the login owns database objects, rename the sa login ALTER LOGIN [sa] WITH NAME = <different_name>; GO -- If the login owns no database objects, then drop it -- Do NOT drop the login if it is principal_id = 1 DROP LOGIN sa"
+    compliance:
+      - cis: ["2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT principal_id, name FROM sys.server_principals WHERE name = ''sa'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 3 Authentication and Authorization
+  ###########################################################
+  # 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
+  - id: 11515
+    title: "Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'"
+    description: "Uses Windows Authentication to validate attempted connections."
+    rationale: "Windows provides a more robust authentication mechanism than SQL Server authentication."
+    remediation: "Perform either the GUI or T-SQL method shown: GUI Method: 1. Open SQL Server Management Studio. 2. Open the Object Explorer tab and connect to the target database instance. 3. Right click the instance name and select Properties. 4. Select the Security page from the left menu. 5. Set the Server authentication setting to Windows Authentication Mode. or T-SQL Method: Run the following T-SQL in a Query Window: USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'LoginMode', REG_DWORD, 1 GO Restart the SQL Server service for the change to take effect."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT SERVERPROPERTY(''IsIntegratedSecurityOnly'') as [login_mode];" -> r:^1'
+
+  # 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
+  - id: 11516
+    title: "Ensure only the default permissions specified by Microsoft are granted to the public server role"
+    description: "public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users."
+    rationale: "Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles."
+    remediation: "Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access. Revoke the <permission_name> from the public role as shown below USE [master] GO REVOKE <permission_name> FROM public; GO"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N''public'') and state_desc LIKE ''GRANT%'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''VIEW ANY DATABASE'' and class_desc = ''SERVER'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 2) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 3) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 4) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 5); " -> r:0 rows affected'
+
+  # 3.10 Ensure Windows local groups are not SQL Logins (Scored)
+  - id: 11517
+    title: "Ensure Windows local groups are not SQL Logins"
+    description: "Local Windows groups should not be used as logins for SQL Server instances."
+    rationale: "Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance."
+    remediation: "1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the LocalGroupName login using the syntax below after replacing <name> . USE [master] GO DROP LOGIN [<name>] GO"
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "USE [master] SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = ''WINDOWS_GROUP'' AND pr.[name] like CAST(SERVERPROPERTY(''MachineName'') AS nvarchar) + ''%'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 4 Password Policies
+  ###########################################################
+
+  # 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
+  - id: 11518
+    title: "Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role"
+    description: "Applies the same password expiration policy used in Windows to passwords used inside SQL Server."
+    rationale: "Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should also be required to have expiring passwords."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = ON;"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["16.2, 16.10"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms161959(v=sql.110).aspx"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT l.[name], ''sysadmin membership'' AS ''Access_Method'' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER(''sysadmin'',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], ''CONTROL SERVER'' AS ''Access_Method'' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = ''CL'' AND p.state IN (''G'', ''W'') AND l.is_expiration_checked <> 1;" -> r:0 rows affected'
+
+  # 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
+  - id: 11519
+    title: "Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins"
+    description: "Applies the same password complexity policy used in Windows to passwords used insideSQL Server."
+    rationale: "Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_POLICY = ON; Note: In the case of AWS RDS do not perform this remediation for the Master account."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16, 4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms161959(v=sql.110).aspx"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;" -> r:0 rows affected'
+
+  ##########################################################
+  # 5 Auditing and Logging
+  ##########################################################
+  # 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+  - id: 11520
+    title: "Ensure 'Maximum number of error log files' is set to greater than or equal to '12'"
+    description: "SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur."
+    rationale: "The SQL Server error log contains important information about major server events and login attempt information as well."
+    remediation: "Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for a production environment. Perform either the GUI or T-SQL method shown: GUI Method 1. Open SQL Server Management Studio. 2. Open Object Explorer and connect to the target instance. 3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure 4. Check the Limit the number of error log files before they are recycled 5. Set the Maximum number of error log files to greater than or equal to 12 T-SQL Method Run the following T-SQL to change the number of error log files, replace <NumberAbove12> with your desired number of error log files: EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', REG_DWORD, <NumberAbove12>;"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms177285(v=sql.110).aspx"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];\" -> n:^\\s*(\\d+) compare >= 12"
+
+  # 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
+  - id: 11521
+    title: "Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'"
+    description: "The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands."
+    rationale: "Default trace provides valuable audit information regarding security-related activities on the server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'default trace enabled', 1; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';\" -> r:1\\s+1"
+
+  ###########################################################
+  # 6 Application Development
+  ###########################################################
+  # 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
+  - id: 11522
+    title: "Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies"
+    description: "Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry."
+    rationale: "Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created ( is_user_defined = 0 ) are excluded from this check as they are required for overall system functionality."
+    remediation: "ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["18"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms345101(v=sql.110).aspx"
+      - "http://msdn.microsoft.com/en-us/library/ms189790(v=sql.110).aspx"
+      - "http://msdn.microsoft.com/en-us/library/ms186711(v=sql.110).aspx"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;" -> r:EXTERNAL_ACCESS|UNSAFE'
diff --git a/etc/ruleset/sca/applications/cis_sqlserver_2014.yml b/etc/ruleset/sca/applications/cis_sqlserver_2014.yml
new file mode 100644
index 0000000000..a56c0655ff
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_sqlserver_2014.yml
@@ -0,0 +1,457 @@
+# Security Configuration Assessment
+# CIS Microsoft SQL Server 2014
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on Center for Internet Security Benchmark for Microsoft SQL Server 2014 v1.4.0 - 05-31-2019
+
+policy:
+  id: "cis_sqlserver_2014"
+  file: "cis_sqlserver_2014"
+  name: "CIS Microsoft SQL Server 2014 Benchmark v1.4.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2014."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform has Microsoft SQL Server 2014"
+  description: "Requirements for running the CIS Microsoft SQL Server 2014 Benchmark"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+variables:
+  $User:
+
+checks:
+  ######################################################
+  # 2 Surface Area Reduction
+  ######################################################
+  # 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)
+  - id: 12000
+    title: "Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'"
+    description: "Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled."
+    rationale: "This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Application functions."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries' ;\" -> r:Ad Hoc Distributed Queries\\s+0\\s+0"
+
+  # 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)
+  - id: 12001
+    title: "Ensure 'CLR Enabled' Server Configuration Option is set to '0'"
+    description: "The clr enabled option specifies whether user assemblies can be run by SQL Server."
+    rationale: "Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'clr enabled', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["18.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';\" -> r:0\\s+0"
+
+  # 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+  - id: 12002
+    title: "Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'"
+    description: "The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level."
+    rationale: "When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master , model , or tempdb system databases."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'cross db ownership chaining', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';\" -> r:0\\s+0"
+
+  # 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+  - id: 12003
+    title: "Ensure 'Database Mail XPs' Server Configuration Option is set to '0'"
+    description: "The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server."
+    rationale: "Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Database Mail XPs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';\" -> r:0\\s+0"
+
+  # 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+  - id: 12004
+    title: "Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'"
+    description: "The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server."
+    rationale: "Enabling this option will increase the attack surface of SQL Server and allow users to execute functions in the security context of SQL Server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ole Automation Procedures', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';\" -> r:0\\s+0"
+
+  # 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
+  - id: 12005
+    title: "Ensure 'Remote Access' Server Configuration Option is set to '0'"
+    description: "The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server."
+    rationale: "Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'remote access', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';\" -> r:0\\s+0"
+
+  # 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)
+  - id: 12006
+    title: "Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'"
+    description: "The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC)."
+    rationale: 'The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually be enabled ( 1 ) for SQL Server failover clusters; otherwise it should be disabled ( 0 ) which is the default.'
+    remediation: "Run the following T-SQL command on non-clustered installations: EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"USE master; SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;\" -> r:0\\s*\\t*0|0 rows affected"
+
+  # 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)
+  - id: 12007
+    title: "Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'"
+    description: "The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup."
+    rationale: "Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'scan for startup procs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';\" -> r:0\\s+0"
+
+  # 2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)
+  - id: 12008
+    title: "Ensure 'Trustworthy' Database Property is set to 'Off'"
+    description: "The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances."
+    rationale: "Provides protection from malicious CLR assemblies or extended procedures."
+    remediation: "Execute the following T-SQL statement against the databases (replace <dbname> below) returned by the Audit Procedure: ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;"
+    compliance:
+      - cis: ["2.9"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property"
+      - "https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != ''msdb'';" -> r:0 rows affected'
+
+  # 2.11 Ensure SQL Server is configured to use non-standard ports (Not Scored)
+  - id: 12009
+    title: "Ensure SQL Server is configured to use non-standard ports"
+    description: "If enabled, the default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed."
+    rationale: "Using a non-default port helps protect the database from attacks directed to the default port."
+    remediation: "1: In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <InstanceName> , and then double-click the TCP/IP or VIA protocol. 2: In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1 , IP2 , up to IPAll . One of these is for the IP address of the loopback adapter, 127.0.0.1 . Additional IP addresses appear for each IP Address on the computer. 3: Change the TCP Port field from 1433 to another non-standard port or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment and then click OK. 4: In the console pane, click SQL Server Services. 5: In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server."
+    compliance:
+      - cis: ["2.11"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port"
+    condition: none
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433'; \" -> r:1433"
+
+  # 2.13 Ensure 'sa' Login Account is set to 'Disabled' (Scored)
+  - id: 12010
+    title: "Ensure 'sa' Login Account is set to 'Disabled'"
+    description: "The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01 ."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal."
+    remediation: "Execute the following T-SQL query: USE [master] GO DECLARE @tsql nvarchar(max) SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE' EXEC (@tsql) GO"
+    compliance:
+      - cis: ["2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" -> r:0 rows affected'
+
+  # 2.14 Ensure 'sa' Login Account has been renamed (Scored)
+  - id: 12011
+    title: "Ensure 'sa' Login Account has been renamed"
+    description: "The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01 ."
+    rationale: "It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known."
+    remediation: "Replace the <different_user> value within the below syntax and execute to rename the sa login. ALTER LOGIN sa WITH NAME = <different_user>;"
+    compliance:
+      - cis: ["2.14"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.server_principals WHERE sid = 0x01;" -> r:sa'
+
+  # 2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'
+  - id: 12012
+    title: "Ensure 'xp_cmdshell' Server Configuration Option is set to '0'"
+    description: "The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client."
+    rationale: "The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.15"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';\" -> r:0\\s+0"
+
+  # 2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+  - id: 12013
+    title: "Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases"
+    description: "AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be reopened and relevant procedure caches to be rebuilt."
+    rationale: "Because authentication of users for contained databases occurs within the database not at the server\\instance level, the database must be opened every time to authenticate a user. The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service."
+    remediation: "Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure: ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;"
+    compliance:
+      - cis: ["2.16"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" -> r:0 rows affected'
+
+  # 2.17 Ensure no login exists with the name 'sa' (Scored)
+  - id: 12014
+    title: "Ensure no login exists with the name 'sa'"
+    description: "The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login ( principal_id = 0x01 ) has been renamed."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name."
+    remediation: "Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa . Replace the <different_name> value within the below syntax and execute to rename the sa login. USE [master] GO -- If principal_id = 1 or the login owns database objects, rename the sa login ALTER LOGIN [sa] WITH NAME = <different_name>; GO -- If the login owns no database objects, then drop it -- Do NOT drop the login if it is principal_id = 1 DROP LOGIN sa"
+    compliance:
+      - cis: ["2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT principal_id, name FROM sys.server_principals WHERE name = ''sa'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 3 Authentication and Authorization
+  ###########################################################
+  # 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
+  - id: 12015
+    title: "Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'"
+    description: "Uses Windows Authentication to validate attempted connections."
+    rationale: "Windows provides a more robust authentication mechanism than SQL Server authentication."
+    remediation: "Perform either the GUI or T-SQL method shown: GUI Method: 1. Open SQL Server Management Studio. 2. Open the Object Explorer tab and connect to the target database instance. 3. Right click the instance name and select Properties. 4. Select the Security page from the left menu. 5. Set the Server authentication setting to Windows Authentication Mode. or T-SQL Method: Run the following T-SQL in a Query Window: USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'LoginMode', REG_DWORD, 1 GO Restart the SQL Server service for the change to take effect."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT SERVERPROPERTY(''IsIntegratedSecurityOnly'') as [login_mode];" -> r:^1'
+
+  # 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
+  - id: 12016
+    title: "Ensure only the default permissions specified by Microsoft are granted to the public server role"
+    description: "public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users."
+    rationale: "Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles."
+    remediation: "Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access. Revoke the <permission_name> from the public role as shown below USE [master] GO REVOKE <permission_name> FROM public; GO"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N''public'') and state_desc LIKE ''GRANT%'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''VIEW ANY DATABASE'' and class_desc = ''SERVER'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 2) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 3) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 4) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 5); " -> r:0 rows affected'
+
+  # 3.10 Ensure Windows local groups are not SQL Logins (Scored)
+  - id: 12017
+    title: "Ensure Windows local groups are not SQL Logins"
+    description: "Local Windows groups should not be used as logins for SQL Server instances."
+    rationale: "Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance."
+    remediation: "1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the LocalGroupName login using the syntax below after replacing <name> . USE [master] GO DROP LOGIN [<name>] GO"
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "USE [master] SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = ''WINDOWS_GROUP'' AND pr.[name] like CAST(SERVERPROPERTY(''MachineName'') AS nvarchar) + ''%'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 4 Password Policies
+  ###########################################################
+  # 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
+  - id: 12018
+    title: "Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role"
+    description: "Applies the same password expiration policy used in Windows to passwords used inside SQL Server."
+    rationale: "Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should also be required to have expiring passwords."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = ON;"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["16.2, 16.10"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms161959(v=sql.120).aspx"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT l.[name], ''sysadmin membership'' AS ''Access_Method'' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER(''sysadmin'',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], ''CONTROL SERVER'' AS ''Access_Method'' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = ''CL'' AND p.state IN (''G'', ''W'') AND l.is_expiration_checked <> 1;" -> r:0 rows affected'
+
+  # 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
+  - id: 12019
+    title: "Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins"
+    description: "Applies the same password complexity policy used in Windows to passwords used insideSQL Server."
+    rationale: "Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_POLICY = ON; Note: In the case of AWS RDS do not perform this remediation for the Master account."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16, 4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms161959(v=sql.120).aspx"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;" -> r:0 rows affected'
+
+  ##########################################################
+  # 5 Auditing and Logging
+  ##########################################################
+  # 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+  - id: 12020
+    title: "Ensure 'Maximum number of error log files' is set to greater than or equal to '12'"
+    description: "SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur."
+    rationale: "The SQL Server error log contains important information about major server events and login attempt information as well."
+    remediation: "Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for a production environment. Perform either the GUI or T-SQL method shown: GUI Method 1. Open SQL Server Management Studio. 2. Open Object Explorer and connect to the target instance. 3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure 4. Check the Limit the number of error log files before they are recycled 5. Set the Maximum number of error log files to greater than or equal to 12 T-SQL Method Run the following T-SQL to change the number of error log files, replace <NumberAbove12> with your desired number of error log files: EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', REG_DWORD, <NumberAbove12>;"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms177285(v=sql.120).aspx"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];\" -> n:^\\s*(\\d+) compare >= 12"
+
+  # 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
+  - id: 12021
+    title: "Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'"
+    description: "The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands."
+    rationale: "Default trace provides valuable audit information regarding security-related activities on the server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'default trace enabled', 1; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';\" -> r:1\\s+1"
+
+  ###########################################################
+  # 6 Application Development
+  ###########################################################
+  # 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
+  - id: 12022
+    title: "Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies"
+    description: "Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry."
+    rationale: "Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created ( is_user_defined = 0 ) are excluded from this check as they are required for overall system functionality."
+    remediation: "ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["18"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms345101(v=sql.120).aspx"
+      - "http://msdn.microsoft.com/en-us/library/ms189790(v=sql.120).aspx"
+      - "http://msdn.microsoft.com/en-us/library/ms186711(v=sql.120).aspx"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;" -> r:EXTERNAL_ACCESS|UNSAFE'
diff --git a/etc/ruleset/sca/applications/cis_sqlserver_2016.yml b/etc/ruleset/sca/applications/cis_sqlserver_2016.yml
new file mode 100644
index 0000000000..d31470fbff
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_sqlserver_2016.yml
@@ -0,0 +1,667 @@
+# Security Configuration Assessment
+# CIS Microsoft SQL Server 2016
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on Center for Internet Security Benchmark for Microsoft SQL Server 2016 v1.3.0 - 04-30-2021
+
+policy:
+  id: "cis_sqlserver_2016"
+  file: "cis_sqlserver_2016.yml"
+  name: "CIS Microsoft SQL Server 2016 Benchmark v1.3.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2016."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform has Microsoft SQL Server 2016"
+  description: "Requirements for running the CIS Microsoft SQL Server 2016 Benchmark"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+checks:
+  ######################################################
+  # 2 Surface Area Reduction
+  ######################################################
+  # 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'
+  - id: 13000
+    title: Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'
+    description: >
+      Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on
+      external data sources. This functionality should be disabled.
+    rationale: >
+      This feature can be used to remotely access and exploit vulnerabilities on remote SQL
+      Server instances and to run unsafe Visual Basic for Application functions.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["9.1"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/adhoc-distributed-queries-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries' ;\" -> r:Ad Hoc Distributed Queries\\s+0\\s+0"
+
+  # 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'
+  - id: 13001
+    title: Ensure 'CLR Enabled' Server Configuration Option is set to '0'
+    description: The clr enabled option specifies whether user assemblies can be run by SQL Server.
+    rationale: >
+      Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk
+      from both inadvertent and malicious assemblies.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'clr enabled', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["18.9"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transactsql
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';\" -> r:0\\s+0"
+
+  # 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+  - id: 13002
+    title: Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+    description: >
+      The cross db ownership chaining option controls cross-database ownership chaining
+      across all databases at the instance (or server) level.
+    rationale: >
+      When enabled, this option allows a member of the db_owner role in a database to gain
+      access to objects owned by a login in any other database, causing an unnecessary
+      information disclosure. When required, cross-database ownership chaining should only be
+      enabled for the specific databases requiring it instead of at the instance level for all
+      databases by using the ALTER DATABASE<database_name>SET DB_CHAINING ON command.
+      This database option may not be changed on the master, model, or tempdb system
+      databases.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'cross db ownership chaining', 0;
+        RECONFIGURE;
+        GO
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/crossdb-ownership-chaining-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';\" -> r:0\\s+0"
+
+  # 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+  - id: 13003
+    title: Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+    description: >
+      The Database Mail XPs option controls the ability to generate and transmit email
+      messages from SQL Server.
+    rationale: >
+      Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS
+      attack vector and channel to exfiltrate data from the database server to a remote host.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'Database Mail XPs', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/databasemail/database-mail
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';\" -> r:0\\s+0"
+
+  # 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+  - id: 13004
+    title: Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+    description: >
+      The Ole Automation Procedures option controls whether OLE Automation objects can be
+      instantiated within Transact-SQL batches. These are extended stored procedures that allow
+      SQL Server users to execute functions external to SQL Server.
+    rationale: >
+      Enabling this option will increase the attack surface of SQL Server and allow users to
+      execute functions in the security context of SQL Server.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'Ole Automation Procedures', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/oleautomation-procedures-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';\" -> r:0\\s+0"
+
+  # 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
+  - id: 13005
+    title: Ensure 'Remote Access' Server Configuration Option is set to '0'
+    description: >
+      The remote access option controls the execution of local stored procedures on remote
+      servers or remote stored procedures on local server.
+    rationale: >
+      Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers
+      by off-loading query processing to a target.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'remote access', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/configure-the-remote-access-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';\" -> r:0\\s+0"
+
+  # 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'
+  - id: 13006
+    title: Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'
+    description: >
+      The remote admin connections option controls whether a client application on a remote
+      computer can use the Dedicated Administrator Connection (DAC).
+    rationale: >
+      The Dedicated Administrator Connection (DAC) lets an administrator access a running
+      server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot
+      problems on the server, even when the server is locked or running in an abnormal state
+      and not responding to a SQL Server Database Engine connection. In a cluster scenario, the
+      administrator may not actually be logged on to the same node that is currently hosting the
+      SQL Server instance and thus is considered "remote". Therefore, this setting should usually
+      be enabled (1) for SQL Server failover clusters; otherwise, it should be disabled (0) which is
+      the default.
+    remediation: >
+      Run the following T-SQL command on non-clustered installations:
+        EXECUTE sp_configure 'remote admin connections', 0;
+        RECONFIGURE;
+        GO
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["9.1"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/remote-admin-connections-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"USE master; SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;\" -> r:remote admin connections\\s+0\\s+0"
+
+  # 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'
+  - id: 13007
+    title: Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'
+    description: >
+      The scan for startup procs option, if enabled, causes SQL Server to scan for and
+      automatically run all stored procedures that are set to execute upon service startup.
+    rationale: >
+      Enforcing this control reduces the threat of an entity leveraging these facilities for
+      malicious purposes.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'scan for startup procs', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+
+      Restart the Database Engine.
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/configure-the-scan-for-startup-procs-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';\" -> r:0\\s+0"
+
+  # 2.9 Ensure 'Trustworthy' Database Property is set to 'Off'
+  - id: 13008
+    title: Ensure 'Trustworthy' Database Property is set to 'Off'
+    description: >
+      The TRUSTWORTHY database option allows database objects to access objects in other
+      databases under certain circumstances.
+    rationale: >
+      Provides protection from malicious CLR assemblies or extended procedures.
+    remediation: >
+      Execute the following T-SQL statement against the databases (replace <database_name> below) returned by the Audit Procedure:
+        ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;
+    compliance:
+      - cis: ["2.9"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthydatabase-property
+      - https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-thetrustworthy-database-setting-in-sql-server
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != ''msdb'';" -> r:0 rows affected'
+
+  # 2.11 Ensure SQL Server is configured to use non-standard ports
+  - id: 13009
+    title: Ensure SQL Server is configured to use non-standard ports
+    description: >
+      If installed, a default SQL Server instance will be assigned a default port of TCP:1433 for
+      TCP/IP communication. Administrators can also manually configure named instances to
+      use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this
+      port assignment should be changed. In a multi-instance scenario, each instance must be
+      assigned its own dedicated TCP/IP port.
+    rationale: >
+      Using a non-default port helps protect the database from attacks directed to the default
+      port.
+    remediation: >
+      1. In SQL Server Configuration Manager, in the console pane, expand SQL Server
+      Network Configuration, expand Protocols for <InstanceName>, and then doubleclick the TCP/IP protocol
+      2. In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses
+      appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the
+      loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP Address on
+      the computer.
+      3. Under IPAll, change the TCP Port field from 1433 to a non-standard port or leave
+      the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable
+      dynamic port assignment and then click OK.
+      4. In the console pane, click SQL Server Services.
+      5. In the details pane, right-click SQL Server (<InstanceName>) and then click
+      Restart, to stop and restart SQL Server.
+    compliance:
+      - cis: ["2.11"]
+      - cis_csc: ["9"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/configure-a-server-to-listen-on-a-specific-tcp-port
+    condition: none
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433'; \" -> r:1433"
+
+  # 2.13 Ensure the 'sa' Login Account is set to 'Disabled'
+  - id: 13010
+    title: Ensure the 'sa' Login Account is set to 'Disabled'
+    description: >
+      The sa account is a widely known and often widely used SQL Server account with sysadmin
+      privileges. This is the original login created during installation and always has the
+      principal_id=1 and sid=0x01.
+    rationale: >
+      Enforcing this control reduces the probability of an attacker executing brute force attacks
+      against a well-known principal.
+    remediation: >
+      Execute the following T-SQL query:
+        USE [master]
+        GO
+        DECLARE @tsql nvarchar(max)
+        SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE'
+        EXEC (@tsql)
+        GO
+    compliance:
+      - cis: ["2.13"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/system-catalogviews/sys-server-principals-transact-sql
+      - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql
+      - https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-anauthentication-mode
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" -> r:0 rows affected'
+
+  # 2.14 Ensure the 'sa' Login Account has been renamed
+  - id: 13011
+    title: Ensure the 'sa' Login Account has been renamed
+    description: >
+      The sa account is a widely known and often widely used SQL Server login with sysadmin
+      privileges. The sa login is the original login created during installation and always has
+      principal_id=1 and sid=0x01.
+    rationale: >
+      It is more difficult to launch password-guessing and brute-force attacks against the sa login
+      if the name is not known.
+    remediation: >
+      Replace the <different_user> value within the below syntax and execute to rename the sa login.
+        ALTER LOGIN sa WITH NAME = <different_user>;
+    compliance:
+      - cis: ["2.14"]
+      - cis_csc: ["5"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-anauthentication-mode
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.server_principals WHERE sid = 0x01;" -> r:^sa'
+
+  # 2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'
+  - id: 13012
+    title: Ensure 'xp_cmdshell' Server Configuration Option is set to '0'
+    description: >
+      The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can
+      be used by an authenticated SQL Server user to execute operating-system command shell
+      commands and return results as rows within the SQL client.
+    rationale: >
+      The xp_cmdshell procedure is commonly used by attackers to read or write data to/from
+      the underlying Operating System of a database server.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'xp_cmdshell', 0;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["2.15"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/system-storedprocedures/xp-cmdshell-transact-sql
+      - https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xpcmdshell-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';\" -> r:0\\s+0"
+
+  # 2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+  - id: 13013
+    title: Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+    description: >
+      AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If
+      enabled, subsequent connections to the given database will require the database to be
+      reopened and relevant procedure caches to be rebuilt.
+    rationale: >
+      Because authentication of users for contained databases occurs within the database not at
+      the server\instance level, the database must be opened every time to authenticate a user.
+      The frequent opening/closing of the database consumes additional server resources and
+      may contribute to a denial of service.
+    remediation: >
+      Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure:
+        ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;
+    compliance:
+      - cis: ["2.16"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/databases/securitybest-practices-with-contained-databases
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" -> r:0 rows affected'
+
+  # 2.17 Ensure no login exists with the name 'sa'
+  - id: 13014
+    title: Ensure no login exists with the name 'sa'
+    description: >
+      The sa login (e.g. principal) is a widely known and often widely used SQL Server account.
+      Therefore, there should not be a login called sa even when the original sa login
+      (principal_id = 1) has been renamed.
+    rationale: >
+      Enforcing this control reduces the probability of an attacker executing brute force attacks
+      against a well-known principal name.
+    remediation: >
+      Execute the appropriate ALTER or DROP statement below based on the principal_id
+      returned for the login named sa. Replace the <different_name> value within the below
+      syntax and execute to rename the sa login.
+        USE [master]
+        GO
+        -- If principal_id = 1 or the login owns database objects, rename the sa
+        login
+        ALTER LOGIN [sa] WITH NAME = <different_name>;
+        GO
+        -- If the login owns no database objects, then drop it
+        -- Do NOT drop the login if it is principal_id = 1
+        DROP LOGIN sa
+    compliance:
+      - cis: ["2.17"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT principal_id, name FROM sys.server_principals WHERE name = ''sa'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 3 Authentication and Authorization
+  ###########################################################
+  # 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'
+  - id: 13015
+    title: Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'
+    description: Uses Windows Authentication to validate attempted connections.
+    rationale: Windows provides a more robust authentication mechanism than SQL Server authentication.
+    remediation: >
+      Perform either the GUI or T-SQL method shown:
+      1.1.1.5 GUI Method
+        1. Open SQL Server Management Studio.
+        2. Open the Object Explorer tab and connect to the target database instance.
+        3. Right click the instance name and select Properties.
+        4. Select the Security page from the left menu.
+        5. Set the Server authentication setting to Windows Authentication Mode.
+
+      1.1.1.6 T-SQL Method
+      Run the following T-SQL in a Query Window:
+        USE [master]
+        GO
+        EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
+        N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1
+        GO
+
+      Restart the SQL Server service for the change to take effect.
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.9"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/server-properties-security-page
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT SERVERPROPERTY(''IsIntegratedSecurityOnly'') as [login_mode];" -> r:^1'
+
+  # 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role
+  - id: 13016
+    title: Ensure only the default permissions specified by Microsoft are granted to the public server role
+    description: >
+      public is a special fixed server role containing all logins. Unlike other fixed server roles,
+      permissions can be changed for the public role. In keeping with the principle of least
+      privileges, the public server role should not be used to grant permissions at the server
+      scope as these would be inherited by all users.
+    rationale: >
+      Every SQL Server login belongs to the public role and cannot be removed from this role.
+      Therefore, any permissions granted to this role will be available to all logins unless they
+      have been explicitly denied to specific logins or user-defined server roles.
+    remediation: >
+      1. Add the extraneous permissions found in the Audit query results to the specific
+      logins to user-defined server roles which require the access.
+      2. Revoke the <permission_name> from the public role as shown below
+        USE [master]
+        GO
+        REVOKE <permission_name> FROM public;
+        GO
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relationaldatabases/security/authentication-access/server-level-roles
+      - https://docs.microsoft.com/en-us/sql/relationaldatabases/security/authentication-access/server-level-roles#permissions-of-fixedserver-roles
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N''public'') and state_desc LIKE ''GRANT%'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''VIEW ANY DATABASE'' and class_desc = ''SERVER'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 2) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 3) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 4) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 5); " -> r:0 rows affected'
+
+  # 3.10 Ensure Windows local groups are not SQL Logins
+  - id: 13017
+    title: Ensure Windows local groups are not SQL Logins
+    description: Local Windows groups should not be used as logins for SQL Server instances.
+    rationale: >
+      Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with
+      OS level administrator rights (and no SQL Server rights) could add users to the local
+      Windows groups and thereby give themselves or others access to the SQL Server instance.
+    remediation: >
+      1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts.
+      2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.
+      3. Drop the LocalGroupName login using the syntax below after replacing <name>.
+        USE [master]
+        GO
+        DROP LOGIN [<name>]
+        GO
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.4"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "USE [master] SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = ''WINDOWS_GROUP'' AND pr.[name] like CAST(SERVERPROPERTY(''MachineName'') AS nvarchar) + ''%'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 4 Password Policies
+  ###########################################################
+  # 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role
+  - id: 13018
+    title: Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role
+    description: Applies the same password expiration policy used in Windows to passwords used inside SQL Server.
+    rationale: >
+      Ensuring SQL logins comply with the secure password policy applied by the Windows
+      Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are
+      changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL
+      SERVER is an equivalent permission to sysadmin and logins with that permission should
+      also be required to have expiring passwords.
+    remediation: >
+      For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:
+        ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["16.2"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/security/passwordpolicy?view=sql-server-2016
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT l.[name], ''sysadmin membership'' AS ''Access_Method'' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER(''sysadmin'',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], ''CONTROL SERVER'' AS ''Access_Method'' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = ''CL'' AND p.state IN (''G'', ''W'') AND l.is_expiration_checked <> 1;" -> r:0 rows affected'
+
+  # 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins
+  - id: 13019
+    title: Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins
+    description: Applies the same password complexity policy used in Windows to passwords used inside SQL Server.
+    rationale: >
+      Ensure SQL authenticated login passwords comply with the secure password policy applied
+      by the Windows Server Benchmark so that they cannot be easily compromised via brute
+      force attack.
+    remediation: >
+      For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:
+        ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON;
+
+      Note: In the case of AWS RDS do not perform this remediation for the Master account.
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/security/passwordpolicy
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;" -> r:0 rows affected'
+
+  ##########################################################
+  # 5 Auditing and Logging
+  ##########################################################
+  # 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+  - id: 13020
+    title: Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+    description: >
+      SQL Server error log files must be protected from loss. The log files must be backed up
+      before they are overwritten. Retaining more error logs helps prevent loss from frequent
+      recycling before backups can occur.
+    rationale: >
+      The SQL Server error log contains important information about major server events and
+      login attempt information as well.
+    remediation: >
+      Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for
+      a production environment. Perform either the GUI or T-SQL method shown:
+
+      1.1.1.9 GUI Method
+        1. Open SQL Server Management Studio.
+        2. Open Object Explorer and connect to the target instance.
+        3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure
+        4. Check the Limit the number of error log files before they are recycled
+        5. Set the Maximum number of error log files to greater than or equal to 12
+
+      1.1.1.10T-SQL Method
+      Run the following T-SQL to change the number of error log files, replace <NumberAbove12>
+      with your desired number of error log files:
+        EXEC master.sys.xp_instance_regwrite
+        N'HKEY_LOCAL_MACHINE',
+        N'Software\Microsoft\MSSQLServer\MSSQLServer',
+        N'NumErrorLogs',
+        REG_DWORD,
+        <NumberAbove12>;
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.3"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/scmservices-configure-sql-server-error-logs
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];\" -> n:^\\s*(\\d+) compare >= 12"
+
+  # 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'
+  - id: 13021
+    title: Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'
+    description: >
+      The default trace provides audit logging of database activity including account creations,
+      privilege elevation and execution of DBCC commands.
+    rationale: Default trace provides valuable audit information regarding security-related activities on the server.
+    remediation: >
+      Run the following T-SQL command:
+        EXECUTE sp_configure 'show advanced options', 1;
+        RECONFIGURE;
+        EXECUTE sp_configure 'default trace enabled', 1;
+        RECONFIGURE;
+        GO
+        EXECUTE sp_configure 'show advanced options', 0;
+        RECONFIGURE;
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/database-engine/configurewindows/default-trace-enabled-server-configuration-option
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';\" -> r:1\\s+1"
+
+  ###########################################################
+  # 6 Application Development
+  ###########################################################
+  # 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies
+  - id: 13022
+    title: Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies
+    description: >
+      Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from
+      accessing external system resources such as files, the network, environment variables, or
+      the registry.
+    rationale: >
+      Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access
+      sensitive areas of the operating system, steal and/or transmit data and alter the state and
+      other protection measures of the underlying Windows Operating System.
+
+      Assemblies which are Microsoft-created (is_user_defined = 0) are excluded from this
+      check as they are required for overall system functionality.
+    remediation: >
+      USE <database_name>;
+      GO
+      ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["18"]
+    references:
+      - https://docs.microsoft.com/en-us/sql/relational-databases/clrintegration/security/clr-integration-code-access-security
+      - https://docs.microsoft.com/en-us/sql/relational-databases/system-catalogviews/sys-assemblies-transact-sql
+      - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-assembly-transactsql
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;" -> r:EXTERNAL_ACCESS|UNSAFE'
diff --git a/etc/ruleset/sca/applications/cis_sqlserver_2017.yml b/etc/ruleset/sca/applications/cis_sqlserver_2017.yml
new file mode 100644
index 0000000000..5a140f403f
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_sqlserver_2017.yml
@@ -0,0 +1,454 @@
+# Security Configuration Assessment
+# CIS Microsoft SQL Server 2017
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on Center for Internet Security Benchmark for Microsoft SQL Server 2017 v1.1.0 - 06-30-2020
+
+policy:
+  id: "cis_sqlserver_2017"
+  file: "cis_sqlserver_2017.yml"
+  name: "CIS Microsoft SQL Server 2017 Benchmark v1.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2017."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform has Microsoft SQL Server 2017"
+  description: "Requirements for running the CIS Microsoft SQL Server 2017 Benchmark"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+checks:
+  ######################################################
+  # 2 Surface Area Reduction
+  ######################################################
+  # 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)
+  - id: 12500
+    title: "Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'"
+    description: "Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled."
+    rationale: "This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Application functions."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries' ;\" -> r:Ad Hoc Distributed Queries\\s+0\\s+0"
+
+  # 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)
+  - id: 12501
+    title: "Ensure 'CLR Enabled' Server Configuration Option is set to '0'"
+    description: "The clr enabled option specifies whether user assemblies can be run by SQL Server."
+    rationale: "Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'clr enabled', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["18.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';\" -> r:0\\s+0"
+
+  # 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+  - id: 12502
+    title: "Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'"
+    description: "The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level."
+    rationale: "When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master , model , or tempdb system databases."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'cross db ownership chaining', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';\" -> r:0\\s+0"
+
+  # 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+  - id: 12503
+    title: "Ensure 'Database Mail XPs' Server Configuration Option is set to '0'"
+    description: "The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server."
+    rationale: "Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Database Mail XPs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';\" -> r:0\\s+0"
+
+  # 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+  - id: 12504
+    title: "Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'"
+    description: "The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server."
+    rationale: "Enabling this option will increase the attack surface of SQL Server and allow users to execute functions in the security context of SQL Server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ole Automation Procedures', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';\" -> r:0\\s+0"
+
+  # 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
+  - id: 12505
+    title: "Ensure 'Remote Access' Server Configuration Option is set to '0'"
+    description: "The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server."
+    rationale: "Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'remote access', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';\" -> r:0\\s+0"
+
+  # 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)
+  - id: 12506
+    title: "Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'"
+    description: "The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC)."
+    rationale: 'The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually be enabled ( 1 ) for SQL Server failover clusters; otherwise it should be disabled ( 0 ) which is the default.'
+    remediation: "Run the following T-SQL command on non-clustered installations: EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"USE master; SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;\" -> r:0\\s*\\t*0|0 rows affected"
+
+  # 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)
+  - id: 12507
+    title: "Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'"
+    description: "The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup."
+    rationale: "Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'scan for startup procs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';\" -> r:0\\s+0"
+
+  # 2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)
+  - id: 12508
+    title: "Ensure 'Trustworthy' Database Property is set to 'Off'"
+    description: "The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances."
+    rationale: "Provides protection from malicious CLR assemblies or extended procedures."
+    remediation: "Execute the following T-SQL statement against the databases (replace <database_name> below) returned by the Audit Procedure: ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;"
+    compliance:
+      - cis: ["2.9"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property"
+      - "https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != ''msdb'';" -> r:0 rows affected'
+
+  # 2.11 Ensure SQL Server is configured to use non-standard ports (Not Scored)
+  - id: 12509
+    title: "Ensure SQL Server is configured to use non-standard ports"
+    description: "If installed, a default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also configure named instances to use TCP:1433 for communication TCP:1433 is a widely known SQL Server port and this port assignment should be changed. In a multi-instance scenario, each instance must be assigned its own dedicated TCP/IP port."
+    rationale: "Using a non-default port helps protect the database from attacks directed to the default port."
+    remediation: "1: In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <InstanceName> , and then double-click the TCP/IP protocol. 2: In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1 , IP2 , up to IPAll . One of these is for the IP address of the loopback adapter, 127.0.0.1 . Additional IP addresses appear for each IP Address on the computer. 3: Under IPALL, change the TCP Port field from 1433 to a non-standard port or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment and then click OK. 4: In the console pane, click SQL Server Services. 5: In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server."
+    compliance:
+      - cis: ["2.11"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port"
+    condition: none
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433'; \" -> r:1433"
+
+  # 2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Scored)
+  - id: 12510
+    title: "Ensure the 'sa' Login Account is set to 'Disabled'"
+    description: "The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01 ."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal."
+    remediation: "Execute the following T-SQL query: USE [master] GO DECLARE @tsql nvarchar(max) SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE' EXEC (@tsql) GO"
+    compliance:
+      - cis: ["2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" -> r:0 rows affected'
+
+  # 2.14 Ensure the 'sa' Login Account has been renamed (Scored)
+  - id: 12511
+    title: "Ensure the 'sa' Login Account has been renamed"
+    description: "The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01 ."
+    rationale: "It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known."
+    remediation: "Replace the <different_user> value within the below syntax and execute to rename the sa login. ALTER LOGIN sa WITH NAME = <different_user>;"
+    compliance:
+      - cis: ["2.14"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.server_principals WHERE sid = 0x01;" -> r:sa'
+
+  # 2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'
+  - id: 12512
+    title: "Ensure 'xp_cmdshell' Server Configuration Option is set to '0'"
+    description: "The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client."
+    rationale: "The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.15"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';\" -> r:0\\s+0"
+
+  # 2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+  - id: 12513
+    title: "Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases"
+    description: "AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be reopened and relevant procedure caches to be rebuilt."
+    rationale: "Because authentication of users for contained databases occurs within the database not at the server\\instance level, the database must be opened every time to authenticate a user. The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service."
+    remediation: "Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure: ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;"
+    compliance:
+      - cis: ["2.16"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" -> r:0 rows affected'
+
+  # 2.17 Ensure no login exists with the name 'sa' (Scored)
+  - id: 12514
+    title: "Ensure no login exists with the name 'sa'"
+    description: "The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login ( principal_id = 1 ) has been renamed."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name."
+    remediation: "Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa . Replace the <different_name> value within the below syntax and execute to rename the sa login. USE [master] GO -- If principal_id = 1 or the login owns database objects, rename the sa login ALTER LOGIN [sa] WITH NAME = <different_name>; GO -- If the login owns no database objects, then drop it -- Do NOT drop the login if it is principal_id = 1 DROP LOGIN sa"
+    compliance:
+      - cis: ["2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT principal_id, name FROM sys.server_principals WHERE name = ''sa'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 3 Authentication and Authorization
+  ###########################################################
+  # 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
+  - id: 12515
+    title: "Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'"
+    description: "Uses Windows Authentication to validate attempted connections."
+    rationale: "Windows provides a more robust authentication mechanism than SQL Server authentication."
+    remediation: "Perform either the GUI or T-SQL method shown: GUI Method: 1. Open SQL Server Management Studio. 2. Open the Object Explorer tab and connect to the target database instance. 3. Right click the instance name and select Properties. 4. Select the Security page from the left menu. 5. Set the Server authentication setting to Windows Authentication Mode. or T-SQL Method: Run the following T-SQL in a Query Window: USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'LoginMode', REG_DWORD, 1 GO Restart the SQL Server service for the change to take effect."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT SERVERPROPERTY(''IsIntegratedSecurityOnly'') as [login_mode];" -> r:^1'
+
+  # 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
+  - id: 12516
+    title: "Ensure only the default permissions specified by Microsoft are granted to the public server role"
+    description: "public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users."
+    rationale: "Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles."
+    remediation: "Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access. Revoke the _<permission_name>_ from the public role as shown below USE [master] GO REVOKE <permission_name> FROM public; GO"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N''public'') and state_desc LIKE ''GRANT%'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''VIEW ANY DATABASE'' and class_desc = ''SERVER'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 2) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 3) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 4) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 5); " -> r:0 rows affected'
+
+  # 3.10 Ensure Windows local groups are not SQL Logins (Scored)
+  - id: 12517
+    title: "Ensure Windows local groups are not SQL Logins"
+    description: "Local Windows groups should not be used as logins for SQL Server instances."
+    rationale: "Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance."
+    remediation: "1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the LocalGroupName login using the syntax below after replacing <name> . USE [master] GO DROP LOGIN [<name>] GO"
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "USE [master] SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = ''WINDOWS_GROUP'' AND pr.[name] like CAST(SERVERPROPERTY(''MachineName'') AS nvarchar) + ''%'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 4 Password Policies
+  ###########################################################
+  # 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
+  - id: 12518
+    title: "Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role"
+    description: "Applies the same password expiration policy used in Windows to passwords used inside SQL Server."
+    rationale: "Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should also be required to have expiring passwords."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = ON;"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["16.2, 16.10"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT l.[name], ''sysadmin membership'' AS ''Access_Method'' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER(''sysadmin'',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], ''CONTROL SERVER'' AS ''Access_Method'' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = ''CL'' AND p.state IN (''G'', ''W'') AND l.is_expiration_checked <> 1;" -> r:0 rows affected'
+
+  # 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
+  - id: 12519
+    title: "Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins"
+    description: "Applies the same password complexity policy used in Windows to passwords used insideSQL Server."
+    rationale: "Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_POLICY = ON; Note: In the case of AWS RDS do not perform this remediation for the Master account."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16, 4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;" -> r:0 rows affected'
+
+  ##########################################################
+  # 5 Auditing and Logging
+  ##########################################################
+  # 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+  - id: 12520
+    title: "Ensure 'Maximum number of error log files' is set to greater than or equal to '12'"
+    description: "SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur."
+    rationale: "The SQL Server error log contains important information about major server events and login attempt information as well."
+    remediation: "Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for a production environment. Perform either the GUI or T-SQL method shown: GUI Method 1. Open SQL Server Management Studio. 2. Open Object Explorer and connect to the target instance. 3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure 4. Check the Limit the number of error log files before they are recycled 5. Set the Maximum number of error log files to greater than or equal to 12 T-SQL Method Run the following T-SQL to change the number of error log files, replace <NumberAbove12> with your desired number of error log files: EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', REG_DWORD, <NumberAbove12>;"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/scm-services-configure-sql-server-error-logs"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];\" -> n:^\\s*(\\d+) compare >= 12"
+
+  # 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
+  - id: 12521
+    title: "Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'"
+    description: "The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands."
+    rationale: "Default trace provides valuable audit information regarding security-related activities on the server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'default trace enabled', 1; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';\" -> r:1\\s+1"
+
+  ###########################################################
+  # 6 Application Development
+  ###########################################################
+  # 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
+  - id: 12522
+    title: "Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies"
+    description: "Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry."
+    rationale: "Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created ( is_user_defined = 0 ) are excluded from this check as they are required for overall system functionality."
+    remediation: "ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["18"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/security/clr-integration-code-access-security"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-assemblies-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-assembly-transact-sql"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;" -> r:EXTERNAL_ACCESS|UNSAFE'
diff --git a/etc/ruleset/sca/applications/cis_sqlserver_2019.yml b/etc/ruleset/sca/applications/cis_sqlserver_2019.yml
new file mode 100644
index 0000000000..4f1bc603ee
--- /dev/null
+++ b/etc/ruleset/sca/applications/cis_sqlserver_2019.yml
@@ -0,0 +1,438 @@
+# Security Configuration Assessment
+# CIS Microsoft SQL Server 2019
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on Center for Internet Security Benchmark for Microsoft SQL Server 2019 v1.1.0 - 05-31-2019
+
+policy:
+  id: "cis_sqlserver_2019"
+  file: "cis_sqlserver_2019"
+  name: "CIS Microsoft SQL Server 2019 Benchmark v1.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2019."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform has Microsoft SQL Server 2019"
+  description: "Requirements for running the CIS Microsoft SQL Server 2019 Benchmark"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+variables:
+  $User:
+
+checks:
+  ######################################################
+  # 2 Surface Area Reduction
+  ######################################################
+  # 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)
+  - id: 13500
+    title: "Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'"
+    description: "Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled."
+    rationale: "This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Application functions."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries' ;\" -> r:Ad Hoc Distributed Queries\\s+0\\s+0"
+
+  # 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)
+  - id: 13501
+    title: "Ensure 'CLR Enabled' Server Configuration Option is set to '0'"
+    description: "The clr enabled option specifies whether user assemblies can be run by SQL Server."
+    rationale: "Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'clr enabled', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["18.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';\" -> r:0\\s+0"
+
+  # 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
+  - id: 13502
+    title: "Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'"
+    description: "The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level."
+    rationale: "When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master , model , or tempdb system databases."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'cross db ownership chaining', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';\" -> r:0\\s+0"
+
+  # 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
+  - id: 13503
+    title: "Ensure 'Database Mail XPs' Server Configuration Option is set to '0'"
+    description: "The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server."
+    rationale: "Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Database Mail XPs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';\" -> r:0\\s+0"
+
+  # 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
+  - id: 13504
+    title: "Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'"
+    description: "The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server."
+    rationale: "Enabling this option will increase the attack surface of SQL Server and allow users to execute functions in the security context of SQL Server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ole Automation Procedures', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["2.5"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';\" -> r:0\\s+0"
+
+  # 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
+  - id: 13505
+    title: "Ensure 'Remote Access' Server Configuration Option is set to '0'"
+    description: "The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server."
+    rationale: "Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'remote access', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';\" -> r:0\\s+0"
+
+  # 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)
+  - id: 13506
+    title: "Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'"
+    description: "The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC)."
+    rationale: 'The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually be enabled ( 1 ) for SQL Server failover clusters; otherwise it should be disabled ( 0 ) which is the default.'
+    remediation: "Run the following T-SQL command on non-clustered installations: EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE; GO"
+    compliance:
+      - cis: ["2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"USE master; SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;\" -> r:0\\s*\\t*0|0 rows affected"
+
+  # 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)
+  - id: 13507
+    title: "Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'"
+    description: "The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup."
+    rationale: "Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'scan for startup procs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE; Restart the Database Engine."
+    compliance:
+      - cis: ["2.8"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';\" -> r:0\\s+0"
+
+  # 2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)
+  - id: 13508
+    title: "Ensure 'Trustworthy' Database Property is set to 'Off'"
+    description: "The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances."
+    rationale: "Provides protection from malicious CLR assemblies or extended procedures."
+    remediation: "Execute the following T-SQL statement against the databases (replace <dbname> below) returned by the Audit Procedure: ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;"
+    compliance:
+      - cis: ["2.9"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property"
+      - "https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != ''msdb'';" -> r:0 rows affected'
+
+  # 2.11 Ensure SQL Server is configured to use non-standard ports (Not Scored)
+  - id: 13509
+    title: "Ensure SQL Server is configured to use non-standard ports"
+    description: "If installed, the default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also manually configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed. In a multi-instance scenario, each instance must be assigned its own TCP/IP port."
+    rationale: "Using a non-default port helps protect the database from attacks directed to the default port."
+    remediation: "1: In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <InstanceName> , and then double-click the TCP/IP protocol. 2: In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1 , IP2 , up to IPAll . One of these is for the IP address of the loopback adapter, 127.0.0.1 . Additional IP addresses appear for each IP Address on the computer. 3: Under IPALL, change the TCP Port field from 1433 to another non-standard port or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment and then click OK. 4: In the console pane, click SQL Server Services. 5: In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server."
+    compliance:
+      - cis: ["2.11"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port"
+    condition: none
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433'; \" -> r:1433"
+
+  # 2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Scored)
+  - id: 13510
+    title: "Ensure the 'sa' Login Account is set to 'Disabled'"
+    description: "The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01 ."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal."
+    remediation: "Execute the following T-SQL query: USE [master] GO DECLARE @tsql nvarchar(max) SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE' EXEC (@tsql) GO"
+    compliance:
+      - cis: ["2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" -> r:0 rows affected'
+
+  # 2.14 Ensure the 'sa' Login Account has been renamed (Scored)
+  - id: 13511
+    title: "Ensure the 'sa' Login Account has been renamed"
+    description: "The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01 ."
+    rationale: "It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known."
+    remediation: "Replace the <different_user> value within the below syntax and execute to rename the sa login. ALTER LOGIN sa WITH NAME = <different_user>;"
+    compliance:
+      - cis: ["2.14"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name FROM sys.server_principals WHERE sid = 0x01;" -> r:^sa'
+
+  # 2.15 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
+  - id: 13512
+    title: "Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases"
+    description: "AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be reopened and relevant procedure caches to be rebuilt."
+    rationale: "Because authentication of users for contained databases occurs within the database not at the server\\instance level, the database must be opened every time to authenticate a user. The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service."
+    remediation: "Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure: ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;"
+    compliance:
+      - cis: ["2.15"]
+      - cis_csc: ["18"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" -> r:0 rows affected'
+
+  # 2.16 Ensure no login exists with the name 'sa' (Scored)
+  - id: 13513
+    title: "Ensure no login exists with the name 'sa'"
+    description: "The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login ( principal_id = 1 ) has been renamed."
+    rationale: "Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name."
+    remediation: "Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa . Replace the <different_name> value within the below syntax and execute to rename the sa login. USE [master] GO -- If principal_id = 1 or the login owns database objects, rename the sa login ALTER LOGIN [sa] WITH NAME = <different_name>; GO -- If the login owns no database objects, then drop it -- Do NOT drop the login if it is principal_id = 1 DROP LOGIN sa"
+    compliance:
+      - cis: ["2.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.6", "CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT principal_id, name FROM sys.server_principals WHERE name = ''sa'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 3 Authentication and Authorization
+  ###########################################################
+  # 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
+  - id: 13514
+    title: "Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'"
+    description: "Uses Windows Authentication to validate attempted connections."
+    rationale: "Windows provides a more robust authentication mechanism than SQL Server authentication."
+    remediation: "Perform either the GUI or T-SQL method shown: GUI Method: 1. Open SQL Server Management Studio. 2. Open the Object Explorer tab and connect to the target database instance. 3. Right click the instance name and select Properties. 4. Select the Security page from the left menu. 5. Set the Server authentication setting to Windows Authentication Mode. or T-SQL Method: Run the following T-SQL in a Query Window: USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'LoginMode', REG_DWORD, 1 GO Restart the SQL Server service for the change to take effect."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT SERVERPROPERTY(''IsIntegratedSecurityOnly'') as [login_mode];" -> r:^1'
+
+  # 3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
+  - id: 13515
+    title: "Ensure only the default permissions specified by Microsoft are granted to the public server role"
+    description: "public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users."
+    rationale: "Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles."
+    remediation: "Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access. Revoke the <permission_name> from the public role as shown below USE [master] GO REVOKE <permission_name> FROM public; GO"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N''public'') and state_desc LIKE ''GRANT%'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''VIEW ANY DATABASE'' and class_desc = ''SERVER'') AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 2) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 3) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 4) AND NOT (state_desc = ''GRANT'' and [permission_name] = ''CONNECT'' and class_desc = ''ENDPOINT'' and major_id = 5); " -> r:0 rows affected'
+
+  # 3.10 Ensure Windows local groups are not SQL Logins (Scored)
+  - id: 13516
+    title: "Ensure Windows local groups are not SQL Logins"
+    description: "Local Windows groups should not be used as logins for SQL Server instances."
+    rationale: "Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance."
+    remediation: "1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the LocalGroupName login using the syntax below after replacing <name> . USE [master] GO DROP LOGIN [<name>] GO"
+    compliance:
+      - cis: ["3.10"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "USE [master] SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = ''WINDOWS_GROUP'' AND pr.[name] like CAST(SERVERPROPERTY(''MachineName'') AS nvarchar) + ''%'';" -> r:0 rows affected'
+
+  ###########################################################
+  # 4 Password Policies
+  ###########################################################
+  # 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
+  - id: 13517
+    title: "Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role"
+    description: "Applies the same password expiration policy used in Windows to passwords used inside SQL Server."
+    rationale: "Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should also be required to have expiring passwords."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = ON;"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["16.2, 16.10"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT l.[name], ''sysadmin membership'' AS ''Access_Method'' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER(''sysadmin'',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], ''CONTROL SERVER'' AS ''Access_Method'' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = ''CL'' AND p.state IN (''G'', ''W'') AND l.is_expiration_checked <> 1;" -> r:0 rows affected'
+
+  # 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
+  - id: 13518
+    title: "Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins"
+    description: "Applies the same password complexity policy used in Windows to passwords used insideSQL Server."
+    rationale: "Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack."
+    remediation: "For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN <login_name> WITH CHECK_POLICY = ON; Note: In the case of AWS RDS do not perform this remediation for the Master account."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16, 4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy"
+    condition: all
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;" -> r:0 rows affected'
+
+  ##########################################################
+  # 5 Auditing and Logging
+  ##########################################################
+  # 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
+  - id: 13519
+    title: "Ensure 'Maximum number of error log files' is set to greater than or equal to '12'"
+    description: "SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur."
+    rationale: "The SQL Server error log contains important information about major server events and login attempt information as well."
+    remediation: "Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for a production environment. Perform either the GUI or T-SQL method shown: GUI Method: 1. Open SQL Server Management Studio. 2. Open Object Explorer and connect to the target instance. 3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure 4. Check the Limit the number of error log files before they are recycled 5. Set the Maximum number of error log files to greater than or equal to 12. T-SQL Method: Run the following T-SQL to change the number of error log files, replace <NumberAbove12> with your desired number of error log files: EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', REG_DWORD, <NumberAbove12>;"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "http://msdn.microsoft.com/en-us/library/ms177285(v=sql.120).aspx"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];\" -> n:^\\s*(\\d+) compare >= 12"
+
+  # 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
+  - id: 13520
+    title: "Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'"
+    description: "The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands."
+    rationale: "Default trace provides valuable audit information regarding security-related activities on the server."
+    remediation: "Run the following T-SQL command: EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'default trace enabled', 1; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option"
+    condition: all
+    rules:
+      - "c:sqlcmd -Q \"SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';\" -> r:1\\s+1"
+
+  ###########################################################
+  # 6 Application Development
+  ###########################################################
+  # 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
+  - id: 13521
+    title: "Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies"
+    description: "Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry."
+    rationale: "Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created ( is_user_defined = 0 ) are excluded from this check as they are required for overall system functionality."
+    remediation: "ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["18"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/security/clr-integration-code-access-security"
+      - "https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-assemblies-transact-sql"
+      - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-assembly-transact-sql"
+    condition: none
+    rules:
+      - 'c:sqlcmd -Q "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;" -> r:EXTERNAL_ACCESS|UNSAFE'
diff --git a/etc/ruleset/sca/applications/web_vulnerabilities.yml b/etc/ruleset/sca/applications/web_vulnerabilities.yml
new file mode 100644
index 0000000000..66e4a75d9d
--- /dev/null
+++ b/etc/ruleset/sca/applications/web_vulnerabilities.yml
@@ -0,0 +1,182 @@
+# Security Configuration Assessment
+# Checks for web-related vulnerabilities on Linux systems
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+  id: "web_vulnerabilities"
+  file: "web_vulnerabilities.yml"
+  name: "System audit for web-related vulnerabilities"
+  description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
+
+requirements:
+  title: Check if web-server files are present
+  description: "Requirements for running the SCA scan against the web-vulnerability policy."
+  condition: any
+  rules:
+    - "f:$php.ini"
+    - "d:$web_dirs"
+
+# In case your configuration files are not located on these paths, set the variables to match your php.ini file and your web directory
+# Other possible default locations for php.ini: /var/www/conf/php.ini,/etc/php5/apache2/php.ini
+# Other possible default locations for web directory: /var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www
+variables:
+  $php.ini: /etc/php.ini
+  $web_dirs: /var/www
+
+# PHP checks
+checks:
+  - id: 14000
+    title: "PHP - Ensure 'Register globals' are not enabled"
+    condition: all
+    rules:
+      - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off'
+
+  - id: 14001
+    title: "PHP - Ensure 'Expose PHP' is not enabled"
+    condition: all
+    rules:
+      - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off'
+
+  - id: 14002
+    title: "PHP - Ensure 'Allow URL fopen' is not enabled"
+    condition: all
+    rules:
+      - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off'
+
+  - id: 14003
+    title: "PHP - Ensure 'Displaying of errors' is not enabled"
+    condition: all
+    rules:
+      - 'f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off'
+
+  # WEB checks
+  - id: 14004
+    title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^.yop$"
+
+  - id: 14005
+    title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^id$"
+
+  - id: 14006
+    title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^.ssh$"
+
+  - id: 14007
+    title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^...$"
+
+  - id: 14008
+    title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^.shell$"
+
+  # Outdated Web applications
+  - id: 14009
+    title: "Web vulnerability - Outdated WordPress installation"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
+
+  - id: 14010
+    title: "Web vulnerability - Outdated Joomla installation"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8'
+
+  - id: 14011
+    title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - "d:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-"
+
+  # Known backdoors
+  - id: 14012
+    title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
+
+  - id: 14013
+    title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
+
+  - id: 14014
+    title: "Web vulnerability - .htaccess file compromised"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+    condition: none
+    rules:
+      - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond\s+\S+HTTP_REFERERS\s+\S+google'
+
+  - id: 14015
+    title: "Web vulnerability - .htaccess file compromised - auto append"
+    compliance:
+      - pci_dss: ["6.5", "6.6", "11.4"]
+      - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"]
+      - tsc: ["CC6.6", "CC7.1", "CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+    condition: none
+    rules:
+      - 'd:$web_dirs -> ^.htaccess$ -> r:^php_value\s*auto_append_file'
diff --git a/etc/ruleset/sca/centos/6/cis_centos6_linux.yml b/etc/ruleset/sca/centos/6/cis_centos6_linux.yml
new file mode 100644
index 0000000000..809ed8d363
--- /dev/null
+++ b/etc/ruleset/sca/centos/6/cis_centos6_linux.yml
@@ -0,0 +1,3224 @@
+# Security Configuration Assessment
+# CIS Checks for CentOS 6
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for CentOS 6 v2.0.2 - 06-02-2016
+
+policy:
+  id: "cis_centos6_linux"
+  file: "cis_centos6_linux.yml"
+  name: "CIS CentOS Linux 6 Benchmark v2.0.2"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 6 systems running on x86 and x64 platforms. This document was tested against CentOS 6."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check CentOS 6 version"
+  description: "Requirements for running the policy against CentOS 6."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^CentOS && r:release 6"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 cramfs: filesystem
+  - id: 5500
+    title: "Ensure mounting of cramfs filesystems is disabled"
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 freevxfs: filesystem
+  - id: 5501
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true. Run the following command to unload the freevxfs module: rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:install /bin/true|Module freevxfs not found"
+      - "not c:lsmod -> r:freevxfs"
+
+  # 1.1.1.3 jffs2: filesystem
+  - id: 5502
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true. Run the following command to unload the jffs2 module: rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:install /bin/true|Module jffs2 not found"
+      - "not c:lsmod -> r:jffs2"
+
+  # 1.1.1.4 hfs: filesystem
+  - id: 5503
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true. Run the following command to unload the hfs module: rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:install /bin/true|Module hfs not found"
+      - "not c:lsmod -> r:hfs"
+  # 1.1.1.5 hfsplus: filesystem
+  - id: 5504
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true. Run the following command to unload the hfsplus module: rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:install /bin/true|Module hfsplus not found"
+      - "not c:lsmod -> r:hfsplus"
+  # 1.1.1.6 squashfs: filesystem
+  - id: 5505
+    title: "Ensure mounting of squashfs filesystems is disabled"
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.7 udfs: filesystem
+  - id: 5506
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true. Run the following command to unload the udf module: rmmod udf"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.1.8 FAT: filesystem
+  - id: 5507
+    title: "Ensure mounting of FAT filesystems is disabled"
+    description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install vfat /bin/true. Run the following command to unload the vfat module: rmmod vfat"
+    compliance:
+      - cis: ["1.1.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v vfat -> r:install /bin/true|Module vfat not found"
+      - "not c:lsmod -> r:vfat"
+
+  # 1.1.2 /tmp: partition
+  - id: 5508
+    title: "Ensure separate partition exists for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  # 1.1.3 /tmp: nodev
+  - id: 5509
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstabfile and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp:# mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.4 /tmp: nosuid
+  - id: 5510
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.5 /tmp: noexec
+  - id: 5511
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.6 Build considerations - Partition scheme.
+  - id: 5512
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.7 bind mount /var/tmp to /tmp
+  - id: 5513
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.8 nodev set on /var/tmp
+  - id: 5514
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  # 1.1.9 nosuid set on /var/tmp
+  - id: 5515
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  # 1.1.10 noexec set on /var/tmp
+  - id: 5516
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  # 1.1.11 /var/log: partition
+  - id: 5517
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data ."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.12 /var/log/audit: partition
+  - id: 5518
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.13 /home: partition
+  - id: 5519
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.14 /home: nodev
+  - id: 5520
+    title: "Ensure nodev option set on /home partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nodev
+  - id: 5521
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.16 /dev/shm: nosuid
+  - id: 5522
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.17 /dev/shm: noexec
+  - id: 5523
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  # 1.1.22 Disable Automounting
+  - id: 5524
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: # chkconfig autofs off"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list autofs -> r:^\s*\t*autofs\.*on'
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.2 Activate gpgcheck
+  - id: 5525
+    title: "Ensure gpgcheck is globally activated"
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:^gpgcheck=1"
+      - "not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck=0"
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 install AIDE
+  - id: 5526
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install aide: yum install aide // Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references: "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 AIDE regular checks
+  - id: 5527
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: crontab -u root -e // Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check  // Notes: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.  "
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:crontab -u root -l -> r:aide"
+      - "c:grep -r aide /etc/cron.* /etc/crontab -> r:aide"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+  # 1.4.1 Configure bootloader
+  - id: 5528
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub/grub.conf and linked as /boot/grub/menu.lst and /etc/grub.conf ."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.conf # chmod og-rwx /boot/grub/grub.conf"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.conf -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.2 Set Boot Loader Password (Scored)
+  - id: 5529
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: "Create an encrypted password with grub-md5-crypt: # grub-md5-crypt Password: <password>       Retype Password: <password> <encrypted-password>          Copy and paste the <encrypted-password> into the global section of /boot/grub/grub.conf : password --md5 <encrypted-password>"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^password --md5\s\.+'
+
+  # 1.4.3 Single user authentication
+  - id: 5530
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin':  SINGLE=/sbin/sulogin"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:SINGLE\s*=\s*/sbin/sulogin'
+
+  # 1.4.4 Ensure interactive boot is not enabled (Scored)
+  - id: 5531
+    title: "Ensure interactive boot is not enabled"
+    description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot . "
+    rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings. "
+    remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
+    compliance:
+      - cis: ["1.4.4"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:PROMPT\s*=\s*no'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Restrict Core Dumps (Scored)
+  - id: 5532
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 XD/NX enabled
+  - id: 5533
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "dmesg | grep NX" -> r:NX \(Execute Disable\) protection: active'
+
+  # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 5534
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.5.4 Disable prelink
+  - id: 5535
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> package prelink is not installed"
+
+  ###############################################
+  # 1.6 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 SELinux not disabled
+  - id: 5536
+    title: "Ensure SELinux is not disabled in bootloader configuration"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines"
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel\.*selinux=0|^\s*\t*kernel\.*enforcing=0'
+
+  # 1.6.1.2 Set selinux state
+  - id: 5537
+    title: "Ensure the SELinux state is enforcing"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing'
+      - 'f:/etc/selinux/config -> r:^SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.3 Set selinux policy
+  - id: 5538
+    title: "Ensure SELinux policy is configured"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Policy from config file:\s+targeted|^Policy from config file:\s+mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Remove SETroubleshoot
+  - id: 5539
+    title: "Ensure SETroubleshoot is not installed"
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.5 Disable MCS Translation service mcstrans
+  - id: 5540
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed"
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  # 1.6.1.6 Ensure no unconfined daemons exist
+  - id: 5541
+    title: "Ensure no unconfined daemons exist"
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+  # 1.6.2 Install SELinux
+  - id: 5542
+    title: "Ensure SELinux is installed"
+    description: "SELinux provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install libselinux: yum install libselinux"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:rpm -q libselinux -> r:libselinux-\S+'
+
+  ###############################################
+  # 1.7  Warning Banners
+  ###############################################
+  # 1.7.1.1 Configure message of the day (Scored)
+  - id: 5543
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.2 Configure local login warning banner (Not Scored)
+  - id: 5544
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.3 Configure remote login warning banner (Not Scored)
+  - id: 5545
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.4 Configure /etc/motd permissions (Not Scored)
+  - id: 5546
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.1.5 Configure /etc/issue permissions (Scored)
+  - id: 5547
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+  # 1.7.1.6 Configure /etc/issue.net permissions (Not Scored)
+  - id: 5548
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.2 Ensure GDM login banner is configured (Scored)
+  - id: 5549
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Create the /etc/dconf/profile/gdm file with the following contents:  user-db:user   system-db:gdm        file-db:/usr/share/gdm/greeter-dconf-defaults     ||  Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message :   [org/gnome/login-screen]     banner-message-enable=true      banner-message-text='Authorized uses only. All activity may be monitored and reported.'   ||   Run the following command to update the system databases: dconf update"
+    compliance:
+      - cis: ["1.7.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-enable=true"
+      - 'f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-text=\.+'
+
+  # 1.8 Ensure updates, patches, and additional security software are installed (Not Scored)
+  - id: 5550
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Site policy may mandate a testing period before install onto production systems for available updates. The audit and remediation here only cover security updates. Non-security updates can be audited with and comparing against site policy: # yum check-update"
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: all
+    rules:
+      - "c:yum check-update --security -> r:No packages needed for security"
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 inetd Services
+  ###############################################
+  # 2.1.1 Disable chargen services (Scored)
+
+  - id: 5551
+    title: "Ensure chargen services are not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list chargen-dgram -> r:^\s*\t*chargen-dgram:\s*\t*on'
+      - 'c:chkconfig --list chargen-stream -> r:^\s*\t*chargen-stream:\s*\t*on'
+
+  # 2.1.2 Disable daytime services (Scored)
+  - id: 5552
+    title: "Ensure daytime services are not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list daytime-dgram -> r:^\s*\t*daytime-dgram:\s*\t*on'
+      - 'c:chkconfig --list daytime-stream -> r:^\s*\t*daytime-stream:\s*\t*on'
+
+  # 2.1.3 Disable discard services (Scored)
+  - id: 5553
+    title: "Ensure discard services are not enabled"
+    description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list discard-dgram -> r:^\s*\t*discard-dgram:\s*\t*on'
+      - 'c:chkconfig --list discard-stream -> r:^\s*\t*discard-stream:\s*\t*on'
+
+  # 2.1.4 Disable echo-dgram (Scored)
+  - id: 5554
+    title: "Ensure echo services are not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list echo-dgram -> r:^\s*\t*echo-dgram:\s*\t*on'
+      - 'c:chkconfig --list echo-stream -> r:^\s*\t*echo-stream:\s*\t*on'
+
+  # 2.1.5 Disable time-stream (Scored)
+  - id: 5555
+    title: "Ensure time services are not enabled"
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list time-dgram -> r:^\s*\t*time-dgram:\s*\t*on'
+      - 'c:chkconfig --list time-stream -> r:^\s*\t*time-stream:\s*\t*on'
+
+  # 2.1.6 Remove rsh-server (Scored)
+  - id: 5556
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Run the following commands to disable rsh, rlogin, and rexec: # chkconfig rsh off   # chkconfig rlogin off  # chkconfig rexec off"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rexec -> r:^\s*\t*rexec:\s*\t*on'
+      - 'c:chkconfig --list rlogin -> r:^\s*\t*rlogin:\s*\t*on'
+      - 'c:chkconfig --list rsh -> r:^\s*\t*rsh:\s*\t*on'
+
+  # 2.1.7 Remove talk server (Scored)
+  - id: 5557
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable talk: # chkconfig talk off"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list talk -> r:^\s*\t*talk:\s*\t*on'
+
+  # 2.1.8 Remove telnet-server (Scored)
+  - id: 5558
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list telnet -> r:^\s*\t*telnet:\s*\t*on'
+
+  # 2.1.9 Ensure tftp server is not enabled (Scored)
+  - id: 5559
+    title: "Ensure tftp server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Run the following command to disable tftp: # chkconfig tftp off"
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list tftp -> r:^\s*\t*tftp:\s*\t*on'
+
+  # 2.1.10 Remove rsync service (Scored)
+  - id: 5560
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # chkconfig rsyncd off"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rsync -> r:^\s*\t*rsync:\s*\t*on'
+
+  # 2.1.11 Remove xinetd (Scored)
+  - id: 5561
+    title: "Ensure xinetd is not enabled"
+    description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Run the following command to disable xinetd: # chkconfig xinetd off"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list xinetd -> r:^\s*\t*xinetd\.*on'
+
+  ##############################################
+  # 2.2 Remove Legacy Services
+  ###############################################
+
+  # 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+  - id: 5562
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available run the following commands and verify either ntp or chrony is installed: # rpm -q ntp # rpm -q chrony  On virtual systems where host based time synchronization is available consult your virtualization software documentation and verify that host based synchronization is in use."
+    compliance:
+      - cis: ["2.2.2.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q ntp -> r:^package ntp is not installed"
+      - "not c:rpm -q chrony -> r:^package chrony is not installed"
+
+  # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored)
+  - id: 5563
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
+
+  # 2.2.1.3 Configure Network Time Protocol (Chrony) (Scored)
+  - id: 5564
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.2.2 Remove X Windows (Scored)
+  - id: 5565
+    title: "Ensure X Window System is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11* -> r:^xorg-x11"
+
+  # 2.2.3 Disable Avahi Server (Scored)
+  - id: 5566
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon: # chkconfig avahi-daemon off"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list avahi-daemon -> r:^\s*\t*avahi-daemon\.*on'
+
+  # 2.2.4 Ensure CUPS is not enabled (Scored)
+  - id: 5567
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups : # chkconfig cups off"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list cups -> r:^\s*\t*cups\.*on'
+
+  # 2.2.5 Remove DHCP Server (Scored)
+  - id: 5568
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dhcpd: # chkconfig dhcpd off"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
+    condition: none
+    rules:
+      - 'c:chkconfig --list dhcpd -> r:^\s*\t*dhcpd\.*on'
+
+  # 2.2.6 Remove LDAP Server (Scored)
+  - id: 5569
+    title: "Ensure LDAP Server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # chkconfig slapd off"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on OpenLDAP is available at https://www.openldap.org
+    condition: none
+    rules:
+      - 'c:chkconfig --list slapd -> r:^\s*\t*slapd\.*on'
+
+  # 2.2.7 Disable NFS and RPC (Scored)
+  - id: 5570
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # chkconfig nfs off; # chkconfig rpcbind off"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list nfs -> r:^\s*\t*nfs\.*on'
+      - 'c:chkconfig --list rpcbind -> r:^\s*\t*rpcbind\.*on'
+
+  # 2.2.8 Ensure DNS Server is not enabled (Scored)
+  - id: 5571
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named : # chkconfig named off"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list named -> r:^\s*\t*named\.*on'
+
+  # 2.2.9 Remove FTP Server (Scored)
+  - id: 5572
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list vsftpd -> r:^\s*\t*vsftpd\.*on'
+
+  # 2.2.10 Remove HTTP Server (Scored)
+  - id: 5573
+    title: "Ensure HTTP server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable httpd: # chkconfig httpd off"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list httpd -> r:^\s*\t*httpd\.*on'
+
+  # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
+  - id: 5574
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list dovecot -> r:^\s*\t*dovecot\.*on'
+
+  # 2.2.12 Remove Samba (Scored)
+  - id: 5575
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable smb: # chkconfig smb off"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list smb -> r:^\s*\t*smb\.*on'
+
+  # 2.2.13 Remove HTTP Proxy Server (Scored)
+  - id: 5576
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # chkconfig squid off"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list squid -> r:^\s*\t*squid\.*on'
+
+  # 2.2.14 Remove SNMP Server (Not Scored)
+  - id: 5577
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list snmpd -> r:^\s*\t*snmpd\.*on'
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored)
+  - id: 5578
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Restart postfix: # service postfix restart"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.+LISTEN'
+
+  # 2.2.16 Remove NIS Server (Scored)
+  - id: 5579
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list ypserv -> r:^\s*\t*ypserv\.*on'
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+  # 2.3.1 Remove NIS Client (Scored)
+  - id: 5580
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed (Scored)
+  - id: 5581
+    title: "Ensure rsh client is not installed"
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Run the following command to uninstall rsh : # yum remove rsh"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed (Scored)
+  - id: 5582
+    title: "Ensure talk client is not installed"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk : # yum remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed (Scored)
+  - id: 5583
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet : # yum remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed (Scored)
+  - id: 5584
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # yum remove openldap-clients"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> package openldap-clients is not installed"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 3.1.1 Disable IP Forwarding (Scored)
+  - id: 5585
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  # 3.1.2 Disable Send Packet Redirects (Scored)
+  - id: 5586
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 3.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 5587
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 5588
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 5589
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.2.4 Log Suspicious Packets (Scored)
+  - id: 5590
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 5591
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 5592
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
+  - id: 5593
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 5594
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  ###############################################
+  # 3.3 IPv6
+  ###############################################
+  # 3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored)
+  - id: 5595
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 and net.ipv6.conf.default.accept_ra = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0'
+
+  # 3.3.2 Ensure IPv6 redirects are not accepted (Not Scored)
+  - id: 5596
+    title: "Ensure IPv6 redirects are not accepted"
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0  || net.ipv6.conf.default.accept_redirects = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0'
+
+  # 3.3.3 Ensure IPv6 is disabled (Not Scored)
+  - id: 5597
+    title: "Ensure IPv6 is disabled"
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: "Edit /boot/grub/grub.conf to include ipv6.disable=1 on all kernel lines."
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel && !r:ipv6.disable=1'
+
+  ###############################################
+  # 3.4 TCP Wrappers
+  ###############################################
+  # 3.4.1 Ensure TCP Wrappers is installed (Scored)
+  - id: 5598
+    title: "Ensure TCP Wrappers is installed"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Run the following command to install tcp_wrappers: yum install tcp_wrappers"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:rpm -q tcp_wrappers -> r:^tcp_wrappers-"
+      - "c:rpm -q tcp_wrappers-libs -> r:^tcp_wrappers-libs-"
+
+  # 3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+  - id: 5599
+    title: "Ensure /etc/hosts.deny is configured"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: "Run the following command to create /etc/hosts.deny: echo 'ALL: ALL' >> /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'f:/etc/hosts.deny -> r:^ALL\s*:\s*ALL'
+
+  # 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
+  - id: 5600
+    title: "Ensure permissions on /etc/hosts.allow are configured."
+    description: "The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow : chown root:root /etc/hosts.allow and chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)'
+
+  # 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)
+  - id: 5601
+    title: "Ensure permissions on /etc/hosts.deny are configured."
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : chown root:root /etc/hosts.deny and chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 3.5 Uncommon Network Protocols
+  ###############################################
+  # 3.5.1 Ensure DCCP is disabled (Not Scored)
+  - id: 5602
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v dccp -> r:install /bin/true"
+      - "not c:lsmod -> r:dccp"
+
+  # 3.5.2 Ensure SCTP is disabled (Not Scored)
+  - id: 5603
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v sctp -> r:install /bin/true"
+      - "not c:lsmod -> r:sctp"
+
+  # 3.5.3 Ensure RDS is disabled (Not Scored)
+  - id: 5604
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v rds -> r:install /bin/true"
+      - "not c:lsmod -> r:rds"
+
+  # 3.5.4 Ensure TIPC is disabled (Not Scored)
+  - id: 5605
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v tipc -> r:install /bin/true"
+      - "not c:lsmod -> r:tipc"
+
+  ###############################################
+  # 3.6 Firewall Configuration
+  ###############################################
+  # 3.6.1 Ensure iptables is installed (Scored)
+  - id: 5606
+    title: "Ensure iptables is installed"
+    description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables ."
+    rationale: "iptables is required for firewall management and configuration."
+    remediation: "Run the following command to install iptables : yum install iptables"
+    compliance:
+      - cis: ["3.6.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.1"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:iptables-"
+
+  # 3.6.2 Ensure default deny firewall policy (Scored)
+  - id: 5607
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: iptables -P INPUT DROP; iptables -P OUTPUT DROP and iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.6.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.6.3 Ensure loopback traffic is configured (Scored)
+  - id: 5608
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.6.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+  ###############################################
+  # 4.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure audit log storage size is configured (Not Scored)
+  - id: 5609
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file\s*=\s*\d+'
+
+  # 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+  - id: 5610
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email   action_mail_acct = root   admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^admin_space_left_action\s*=\s*halt'
+
+  # 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+  - id: 5611
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2 Ensure auditd service is enabled (Scored)
+  - id: 5612
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd : # chkconfig auditd on"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list auditd -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+  - id: 5613
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: "Edit /boot/grub/grub.conf to include audit=1 on all kernel lines. Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel && !r:audit=1'
+
+  # 4.1.4 Ensure events that modify date and time information are collected (Scored)
+  - id: 5614
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change   -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b64 -S clock_settime -k time-change   -a always,exit -Farch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/localtime && r:-p wa && r:-k time-change"
+
+  # 4.1.5 Ensure events that modify user/group information are collected (Scored)
+  - id: 5615
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:    -w /etc/group -p wa -k identity    -w /etc/passwd -p wa -k identity    -w /etc/gshadow -p wa -k identity    -w /etc/shadow -p wa -k identity    -w /etc/security/opasswd -p wa -k identity"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/security/opasswd && r:-p wa && r:-k identity"
+
+  # 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+  - id: 5616
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations)."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale        For 64 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale"
+
+  # 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
+  - id: 5617
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/selinux/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:-w /usr/share/selinux/ && r:-p wa && r:-k MAC-policy"
+
+  # 4.1.8 Ensure login and logout events are collected (Scored)
+  - id: 5618
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/failock directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:  -w /var/log/lastlog -p wa -k logins   -w /var/run/faillock/ -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/faillock/ && r:-p wa && r:-k logins"
+
+  # 4.1.9 Ensure session initiation information is collected (Scored)
+  - id: 5619
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:   -w /var/run/utmp -p wa -k session   -w /var/log/wtmp -p wa -k logins   -w /var/log/btmp -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.3"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins"
+
+  # 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+  - id: 5620
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrem"
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  # 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+  - id: 5621
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated  with system calls that control creation ( creat ), opening ( open , openat ) and truncation (  truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-  privileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the  system call returned EACCES (permission denied to the file) or EPERM (some other  permanent error associated with the specific system call). All audit records will be tagged  with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access"
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+
+  # 4.1.13 Ensure successful file system mounts are collected (Scored)
+  - id: 5622
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts"
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k mounts"
+
+  # 4.1.14 Ensure file deletion events by users are collected (Scored)
+  - id: 5623
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete"
+    compliance:
+      - cis: ["4.1.14"]
+      - pci_dss: ["10.5.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k delete"
+
+  # 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+  - id: 5624
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /etc/sudoers -p wa -k scope   -w /etc/sudoers.d/ -p wa -k scope"
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  # 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+  - id: 5625
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1", "5.5"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/sudo.log && r:-p wa && r:-k actions"
+
+  # 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+  - id: 5626
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules"
+      - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.18 Ensure the audit configuration is immutable (Scored)
+  - id: 5627
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file.   -e 2"
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["3", "6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:tail -1 /etc/audit/audit.rules -> r:^-e 2"
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog Service is enabled (Scored)
+  - id: 5628
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lackblogging instead."
+    remediation: "Run the following command to enable rsyslog :   # chkconfig rsyslog on"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list rsyslog -> r:2:on && r:3:on && r:4:on && r:5:on"
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 5629
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored)
+  - id: 5630
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host).   *.* @@loghost.example.com   Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep *.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf -> !r:# && r:*.* @@\.+'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 5631
+    title: "Ensure syslog-ng service is enabled"
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable syslog-ng :   # chkconfig syslog-ng on"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list syslog-ng -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 5632
+    title: "Ensure syslog-ng default file permissions configured"
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(0600\)|perm\(0640\)|perm\(0440\)|perm\(0400\)|perm\(0000\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 5633
+    title: "Ensure syslog-ng is configured to send logs to a remote log host"
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 5634
+    title: "Ensure rsyslog or syslog-ng is installed"
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands:   # yum install rsyslog   # yum install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q rsyslog -> package rsyslog is not installed"
+      - "not c:rpm -q syslog-ng -> package syslog-ng is not installed"
+
+  # 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+  - id: 5635
+    title: "Ensure permissions on all logfiles are configured"
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitivebdata is archived and protected."
+    remediation: "Run the following command to set permissions on all existing log files: # find /var/log -type f -exec chmod g-wx,o-rwx {} +"
+    compliance:
+      - cis: ["4.2.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  ###############################################
+  # 5 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled (Scored)
+  - id: 5636
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron : # chkconfig crond on"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:chkconfig --list crond -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 5637
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 5638
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 5639
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 5640
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 5641
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\w00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 5642
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+  - id: 5643
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/cron.deny -> r:No such file or directory$"
+      - "c:stat -L /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+  - id: 5644
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: chown root:root /etc/ssh/sshd_config and chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Set SSH Protocol to 2 (Scored)
+  - id: 5645
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
+
+  # 5.2.3 Set LogLevel to INFO (Scored)
+  - id: 5646
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
+
+  # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 5647
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 5648
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 5649
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.2.8 Disable SSH Root Login (Scored)
+  - id: 5650
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
+
+  # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 5651
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+  - id: 5652
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitUserEnvironment\s*\t*no'
+
+  # 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+  - id: 5653
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 and ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 300'
+      - 'f:$sshd_file -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 5654
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.13"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60'
+
+  # 5.2.14 Ensure SSH access is limited (Scored)
+  - id: 5655
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. DenyUsers The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>; AllowGroups <grouplist>; DenyUsers <userlist> and DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1", "5.8"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:$sshd_file -> r:^\s*AllowUsers'
+      - 'f:$sshd_file -> r:^\s*AllowGroups'
+      - 'f:$sshd_file -> r:^\s*DenyUsers'
+      - 'f:$sshd_file -> r:^\s*DenyGroups'
+
+  # 5.2.15 Ensure SSH warning banner is configured (Scored)
+  - id: 5656
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  ###############################################
+  # 5.3 Configure PAM
+  ###############################################
+  # 5.3.1 Ensure password creation requirements are configured (Scored)
+  - id: 5657
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_cracklib.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_cracklib.so and to conform to site policy: password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.7", "16.12"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:grep pam_cracklib.so /etc/pam.d/password-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'c:grep pam_cracklib.so /etc/pam.d/system-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  # 5.3.3 Ensure password reuse is limited (Scored)
+  - id: 5658
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5   or    password required pam_pwhistory.so remember=5"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 5659
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown: password sufficient pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+  ###############################################
+  # 5.4 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.4.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
+  - id: 5660
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 90 and modify user parameters for all users with a password set to match: chage --maxdays 90 <user>"
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+  - id: 5661
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 and modify user parameters for all users with a password set to match: chage --mindays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+  - id: 5662
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 and modify user parameters for all users with a password set to match: chage --warndays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+  - id: 5663
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: useradd -D -f 30 and modify user parameters for all users with a password set to match: chage --inactive 30 <user>"
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+  - id: 5664
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 5665
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 5666
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.6 Ensure access to the su command is restricted (Scored)
+  - id: 5667
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su ."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.2 Configure /etc/passwd permissions (Scored)
+  - id: 5668
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Configure /etc/shadow permissions (Scored)
+  - id: 5669
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 000 /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Configure /etc/group permissions (Scored)
+  - id: 5670
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Configure /etc/gshadow permissions (Scored)
+  - id: 5671
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following command to set permissions on /etc/gshadow: # chown root:root /etc/gshadow # chmod 000 /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Configure /etc/passwd- permissions (Scored)
+  - id: 5672
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Configure /etc/shadow- permissions (Scored)
+  - id: 5673
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/shadow-: # chown root:root /etc/shadow- # chmod 000 /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Configure /etc/group- permissions (Scored)
+  - id: 5674
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Configure /etc/gshadow- permissions (Scored)
+  - id: 5675
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 000 /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+  # 6.2.1 Check passwords fields (Scored)
+  - id: 5676
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: passwd -l <username> || Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Delete legacy entries in /etc/passwd (Scored)
+  - id: 5677
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 6.2.3 Delete legacy entries in /etc/shadow (Scored)
+  - id: 5678
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 6.2.4 Delete legacy entries in /etc/group (Scored)
+  - id: 5679
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 5680
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/etc/ruleset/sca/centos/7/cis_centos7_linux.yml b/etc/ruleset/sca/centos/7/cis_centos7_linux.yml
new file mode 100644
index 0000000000..e53c37fe45
--- /dev/null
+++ b/etc/ruleset/sca/centos/7/cis_centos7_linux.yml
@@ -0,0 +1,4431 @@
+# Security Configuration Assessment
+# CIS Checks for CentOS 7
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security CentOS 7 Benchmark v3.1.2 - 08-31-2021
+
+policy:
+  id: "cis_centos7_linux"
+  file: "cis_centos7_linux.yml"
+  name: "CIS CentOS Linux 7 Benchmark v3.1.2."
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for CentOS 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check CentOS 7 platform."
+  description: "Requirements for running the policy against CentOS 7."
+  condition: any
+  rules:
+    - "f:/etc/system-release -> r:^CentOS && r:release 7"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  ##############################################
+  # 1.1 Filesystem Configuration
+  ##############################################
+
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 6000 
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true Run the following command to unload the cramfs module: # rmmod cramfs."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 6001 
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'Disabling squashfs will prevent the use of snap. Snap is a package manager for Linux for installing Snap packages. "Snap" application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment. When snaps are deployed on versions of Linux, the Ubuntu app store is used as default back-end, but other stores can be enabled as well.'
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/squashfs.conf and add the following line: install squashfs /bin/true Run the following command to unload the squashfs module: # rmmod squashfs."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 6002 
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf."
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Ensure /tmp is configured. (Automated)
+  - id: 6003 
+    title: "Ensure /tmp is configured."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily."
+    remediation: "Create or update an entry for /tmp in either /etc/fstab OR in a systemd tmp.mount file: If /etc/fstab is used: configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp # mount -o remount,noexec,nodev,nosuid /tmp OR if systemd tmp.mount file is used: run the following command to create the file /etc/systemd/system/tmp.mount if it doesn't exist: # [ ! -f /etc/systemd/system/tmp.mount ] && cp -v /usr/lib/systemd/system/tmp.mount /etc/systemd/system/ Edit the file /etc/systemd/system/tmp.mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to reload the systemd daemon: # systemctl daemon-reload Run the following command to unmask and start tmp.mount: # systemctl --now unmask tmp.mount."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.4", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:findmnt -n /tmp -> r:\s/tmp\s'
+      - 'f:/etc/fstab -> r:\s/tmp\s'
+      - 'c:systemctl show "tmp.mount" -> r:^\s*UnitFileState=enabled'
+
+  # 1.1.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 6004 
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local- fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp OR if systemd is used to mount /tmp:_ Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /tmp -> r:noexec"
+
+  # 1.1.4 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 6005 
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local- fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp OR if systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /tmp -> r:nodev"
+
+  # 1.1.5 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 6006 
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp OR if systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount: # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /tmp -> r:nosuid"
+
+  # 1.1.6 Ensure /dev/shm is configured. (Automated)
+  - id: 6007 
+    title: "Ensure /dev/shm is configured."
+    description: "/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd."
+    rationale: "Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Edit /etc/fstab and add or edit the following line: tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0 Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /dev/shm -> r:\s/dev/shm\s'
+      - 'f:/etc/fstab -> r:\s/dev/shm\s'
+
+  # 1.1.7 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 6008 
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["2.6", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /dev/shm -> r:noexec"
+
+  # 1.1.8 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 6009 
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /dev/shm -> r:nodev"
+
+  # 1.1.9 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 6010 
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /dev/shm -> r:nosuid"
+
+  # 1.1.10 Ensure separate partition exists for /var. (Automated)
+  - id: 6011 
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /var -> r:\s/var\s'
+
+  # 1.1.11 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 6012 
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications and is intended for temporary files that are preserved across reboots."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /var/tmp -> r:\s/var/tmp\s'
+
+  # 1.1.12 Ensure /var/tmp partition includes the noexec option. (Automated)
+  - id: 6013 
+    title: "Ensure /var/tmp partition includes the noexec option."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,noexec /var/tmp."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /var/tmp -> r:noexec"
+
+  # 1.1.13 Ensure /var/tmp partition includes the nodev option. (Automated)
+  - id: 6014 
+    title: "Ensure /var/tmp partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add nodev to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp."
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /var/tmp -> r:nodev"
+
+  # 1.1.14 Ensure /var/tmp partition includes the nosuid option. (Automated)
+  - id: 6015 
+    title: "Ensure /var/tmp partition includes the nosuid option."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nosuid /var/tmp."
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /var/tmp -> r:nosuid"
+
+  # 1.1.15 Ensure separate partition exists for /var/log. (Automated)
+  - id: 6016 
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc_v8: ["4.1", "8.3"]
+      - cis_csc_v7: ["6.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["10.7", "11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["A1.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /var/log -> r:\s/var/log\s'
+
+  # 1.1.16 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 6017 
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd , it may not perform as desired."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /var/log/audit -> r:\s/var/log/audit\s'
+
+  # 1.1.17 Ensure separate partition exists for /home. (Automated)
+  - id: 6018 
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -n /home -> r:\s/home\s'
+
+  # 1.1.18 Ensure /home partition includes the nodev option. (Automated)
+  - id: 6019 
+    title: "Ensure /home partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "For existing /home partitions, edit the /etc/fstab file and add nodev to the fourth field (mounting options) of the /home entry. See the fstab(5) manual page for more information. Run the following command to remount /home: # mount -o remount,nodev /home."
+    compliance:
+      - cis: ["1.1.18"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:findmnt -n /home -> r:nodev"
+
+  # 1.1.19 Ensure removable media partitions include noexec option. (Automated) - Not Implemented
+  # 1.1.20 Ensure nodev option set on removable media partitions. (Automated) - Not Implemented
+  # 1.1.21 Ensure nosuid option set on removable media partitions. (Automated) - Not Implemented
+  # 1.1.22 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+
+  # 1.1.23 Disable Automounting. (Automated)
+  - id: 6020 
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Run the following command to mask autofs: # systemctl --now mask autofs OR run the following command to remove autofs # yum remove autofs."
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'not c:systemctl show "autofs.service" -> r:\s*unitfilestate=enabled'
+
+  # 1.1.24 Disable USB Storage. (Automated)
+  - id: 6021 
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf Add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.24"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+  # 1.2.1 Ensure GPG keys are configured (Manual) - Not Implemented
+  # 1.2.2 Ensure package manager repositories are configured (Manual) - Not Implemented
+
+  # 1.2.3 Ensure gpgcheck is globally activated. (Automated)
+  - id: 6022 
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/*.repo files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set 'gpgcheck=1' in the [main] section. Edit any failing files in /etc/yum.repos.d/*.repo and set all instances of gpgcheck to 1."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:gpgcheck=1"
+      - 'd:/etc/yum.repos.d/ -> r:\.*.repo -> r:gpgcheck=1'
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 6023 
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # yum install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 6024 
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:enabled"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+
+  # 1.4.1 Ensure bootloader password is set. (Automated) - Not Implemented
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated) - Not Implemented
+
+  # 1.4.3 Ensure authentication required for single user mode. (Automated)
+  - id: 6025 
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Note: The systemctl option --fail is synonymous with --job-mode=fail. Using either is acceptable."
+    rationale: "Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: 'Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default".'
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+      - 'f:/usr/lib/systemd/system/emergency.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Ensure core dumps are restricted. (Automated)
+  - id: 6026 
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload."
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/limits.conf -> r:hard\s*\t*core\s*\t*0$'
+      - 'd:/etc/security/limits.d/ -> r:\. -> r:hard\s*\t*core\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'd:/etc/sysctl.d/ -> r:\. -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 Ensure XD/NX support is enabled. (Automated)
+  - id: 6027 
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system. Note: Ensure your system supports the XD or NX bit and has PAE support before implementing this recommendation as this may prevent it from booting if these are not supported by your hardware."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:journalctl -> r:\s*protection:\s*\t*active'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated)
+  - id: 6028 
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2."
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+      - 'f:/etc/sysctl.conf -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'd:/etc/sysctl.d -> r:\.* -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+
+  # 1.5.4 Ensure prelink is not installed. (Automated)
+  - id: 6029 
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Run the following command to uninstall prelink: # yum remove prelink."
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> r:package prelink is not installed"
+
+  ###############################################
+  # 1.6 Mandatory Access Control
+  ###############################################
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 6030 
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # yum install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:rpm -q libselinux -> r:libselinux-\S+'
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated) - Not Implemented
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 6031 
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only. Note: If your organization requires stricter policies, ensure that they are set in the /etc/selinux/config file."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+      - 'c:sestatus -> r:^Loaded policy name:\s*\t*targeted$|^Loaded policy name:\s*\t*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is enforcing or permissive. (Automated)
+  - id: 6032 
+    title: "Ensure the SELinux mode is enforcing or permissive."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing|^Permissive"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing|^SELINUX=permissive"
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 6033 
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing"
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing"
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 6034 
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains Note: Occasionally certain daemons such as backup or centralized management software may require running unconfined. Any such software should be carefully analyzed and documented before such an exception is made."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 6035 
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to Uninstall setroubleshoot: # yum remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q setroubleshoot -> r:package setroubleshoot is not installed"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 6036 
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q mcstrans -> r:package mcstrans is not installed"
+
+  ###############################################
+  # 1.7 Command Line Warning Banners
+  ###############################################
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 6037 
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 6038 
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 6039 
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 6040 
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 6041 
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 6042 
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 1.8  GNOME Display Manager
+  ###############################################
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 6043 
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # yum remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:package gdm is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 6044 
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:banner-message-text=\.+'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:disable-user-list=true'
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 6045 
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:disable-user-list=true'
+
+  # 1.8.4 Ensure XDCMP is not enabled. (Automated)
+  - id: 6046 
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 inetd Services
+  ###############################################
+
+  # 2.1.1 Ensure xinetd is not installed (Automated)
+  - id: 6047 
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # yum remove xinetd."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:package xinetd is not installed"
+
+  ###############################################
+  # 2.2 Special Purpose Services
+  ###############################################
+
+  # 2.2.1.1 Ensure time synchronization is in use. (Manual)
+  - id: 6048 
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: - If another method for time synchronization is being used, this section may be skipped. - Only one time synchronization package should be installed."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run One of the following commands to install chrony or NTP: To install chrony, run the following command: # yum install chrony OR To install ntp, run the following command: # yum install ntp Note: On systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: any
+    rules:
+      - "c:rpm -q chrony ntp -> r:chrony-"
+      - "c:rpm -q ntp -> r:ntp-"
+
+  # 2.2.1.2 Ensure chrony is configured. (Automated)
+  - id: 6049 
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. Note: This recommendation only applies if chrony is in use on the system."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.2.1.3 Ensure ntp is configured. (Automated)
+  - id: 6050 
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. Note: This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ''-u ntp:ntp'': OPTIONS="-u ntp:ntp" Reload the systemd daemon: systemctl daemon-reload Enable and start the ntp service: systemctl --now enable ntpd.'
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ntpd -> r:enabled"
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
+
+  # 2.2.2 Ensure X11 Server components are not installed. (Automated)
+  - id: 6051 
+    title: "Ensure X11 Server components are not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # yum remove xorg-x11-server*."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11-server* -> r:^xorg-x11-server"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 6052 
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # yum remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi-autoipd -> r:package avahi-autoipd is not installed"
+      - "c:rpm -q avahi -> r:package avahi is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 6053 
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # yum remove cups."
+    references:
+      - "http://www.cups.org"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 6054 
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # yum remove dhcp."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp -> r:package dhcp is not installed"
+
+  # 2.2.6 Ensure LDAP server is not installed. (Automated)
+  - id: 6055 
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove openldap-servers: # yum remove openldap-servers."
+    references:
+      - "http://www.openldap.org"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-servers -> r:package openldap-servers is not installed"
+
+  # 2.2.7 Ensure DNS Server is not installed. (Automated)
+  - id: 6056 
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # yum remove bind."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:package bind is not installed"
+
+  # 2.2.8 Ensure FTP Server is not installed. (Automated)
+  - id: 6057 
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface. Note: Additional FTP servers also exist and should be removed if not required."
+    remediation: "Run the following command to remove vsftpd: # yum remove vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:package vsftpd is not installed"
+
+  # 2.2.9 Ensure HTTP server is not installed. (Automated)
+  - id: 6058 
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be removed to reduce the potential attack surface. Notes: - Several http servers exist. apache, apache2, lighttpd, and nginx are example packages that provide an HTTP server. - These and other packages should also be audited, and removed if not required."
+    remediation: "Run the following command to remove httpd: # yum remove httpd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q httpd -> r:package httpd is not installed"
+
+  # 2.2.10 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 6059 
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Notes: - Several IMAP/POP3 servers exist and can use other service names. courier-imap and cyrus-imap are example services that provide a mail server. - These and other services should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot: # yum remove dovecot."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:package dovecot is not installed"
+
+  # 2.2.11 Ensure Samba is not installed. (Automated)
+  - id: 6060 
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # yum remove samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:package samba is not installed"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 6061 
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # yum remove squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:package squid is not installed"
+
+  # 2.2.13 Ensure net-snmp is not installed. (Automated)
+  - id: 6062 
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # yum remove net-snmp."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:package net-snmp is not installed"
+
+  # 2.2.14 Ensure NIS server is not installed. (Automated)
+  - id: 6063 
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # yum remove ypserv."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:package ypserv is not installed"
+
+  # 2.2.15 Ensure telnet-server is not installed. (Automated)
+  - id: 6064 
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # yum remove telnet-server."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:package telnet-server is not installed"
+
+  # 2.2.16 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 6065 
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:LISTEN\.*:25\s* && !r:127.0.0.1:25\.*|\s*\.*::1'
+
+  # 2.2.17 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 6066 
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # yum remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nfs-utils -> r:package nfs-utils is not installed"
+
+  # 2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 6067 
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # yum remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind -> r:masked"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked"
+
+  # 2.2.19 Ensure rsync is not installed or the rsyncd service is masked. (Automated)
+  - id: 6068 
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # yum remove rsync OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:package rprsynccbind is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked"
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 6069 
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # yum remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 6070 
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # yum remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 6071 
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # yum remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 6072 
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # yum remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 6073 
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # yum remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:package openldap-clients is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual)
+  - id: 6074 
+    title: "Ensure nonessential services are removed or masked."
+    description: "A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communication endpoint. Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations."
+    rationale: "Services listening on the system pose a potential risk as an attack vector. These services should be reviewed, and if not required, the service should be stopped, and the package containing the service should be removed. If required packages have a dependency, the service should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove the package containing the service: # yum remove <package_name> OR If required packages have a dependency: Run the following command to stop and mask the service: # systemctl --now mask <service_name>."
+    compliance:
+      - cis: ["2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:lsof -i -P -n -> r:(ESTABLISHED)"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Disable unused network protocols and devices
+  ###############################################
+
+  # 3.1.1 Disable IPv6. (Manual)
+  - id: 6075 
+    title: "Disable IPv6."
+    description: "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented."
+    rationale: "If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+    impact: "If IPv6 is disabled through sysctl config, SSH X11forwarding may no longer function as expected. We recommend that SSH X11fowarding be disabled, but if required, the following will allow for SSH X11forwarding with IPv6 disabled through sysctl config: Add the following line the /etc/ssh/sshd_config file: AddressFamily inet Run the following command to re-start the openSSH server: # systemctl restart sshd."
+    remediation: 'Use one of the two following methods to disable IPv6 on the system: To disable IPv6 through the GRUB2 config: Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Ru the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg OR To disable IPv6 through sysctl settings: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.disable_ipv6=1 # sysctl -w net.ipv6.conf.default.disable_ipv6=1 # sysctl -w net.ipv6.route.flush=1.'
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*linux && !r:ipv6.disable=1'
+      - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:net.ipv6.conf.all.disable_ipv6\s*=\s*0'
+      - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:net.ipv6.conf.default.disable_ipv6\s*=\s*0'
+
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  ##################################################
+  # 3.2 Network Parameters (Host Only)
+  ##################################################
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated)
+  - id: 6076 
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Run the following commands to restore the default parameters and set the active kernel parameters: # grep -Els \"^\\s*net\\.ipv4\\.ip_forward\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv4\\.ip_forward\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 # grep -Els \"^\\s*net\\.ipv6\\.conf\\.all\\.forwarding\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv6\\.conf\\.all\\.forwarding\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated)
+  - id: 6077 
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ##################################################
+  # 3.3 Network Parameters (Host and Router)
+  ##################################################
+
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated)
+  - id: 6078 
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is not disabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated)
+  - id: 6079 
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is not disabled Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated)
+  - id: 6080 
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.3.4 Ensure suspicious packets are logged. (Automated)
+  - id: 6081 
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated)
+  - id: 6082 
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated)
+  - id: 6083 
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated)
+  - id: 6084 
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.7"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated)
+  - id: 6085 
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated)
+  - id: 6086 
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "IF IPv6 is enabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_raa -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+
+  ###############################################
+  # 3.4 Uncommon Network Protocols
+  ###############################################
+
+  - id: 6087 
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf Add the following line: install dccp /bin/true."
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:install\s*\t*/bin/true'
+      - "not c:lsmod -> r:dccp"
+
+  # 3.4.2 Ensure SCTP is disabled. (Automated)
+  - id: 6088 
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf Add the following line: install sctp /bin/true."
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:install\s*\t*/bin/true'
+      - "not c:lsmod -> r:sctp"
+
+  ###############################################
+  # 3.5 Firewall Configuration
+  ###############################################
+  ###############################################
+  # 3.5.1 Configure firewalld
+  ###############################################
+
+  # 3.5.1.1 Ensure firewalld is installed. (Automated)
+  - id: 6089 
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # yum install firewalld iptables."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:firewalld-"
+      - "c:rpm -q iptables -> r:iptables-"
+
+  # 3.5.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 6090 
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # yum remove iptables-services."
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:package iptables-services is not installed"
+
+  # 3.5.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 6091 
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. _Note: Support for using nftables as the back-end for firewalld was added in release v0.6.0. In Fedora 19 Linux derivatives, firewalld utilizes iptables as its back-end by default."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: firewalld may configured as the front-end to nftables. If this case, nftables should be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # yum remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nftables -> r:package nftables is not installed"
+      - 'not c:systemctl status nftables -> r:active \(running\)|\(exited\)'
+      - "c:systemctl is-enabled nftables -> r:masked"
+
+  # 3.5.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 6092 
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.5.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:enabled"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.5.1.5 Ensure firewalld default zone is set. (Automated) - Not Implemented
+  # 3.5.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) - Not Implemented
+  # 3.5.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+  ###############################################
+  # 3.5.2 Configure nftables
+  ###############################################
+
+  # 3.5.2.1 Ensure nftables is installed. (Automated)
+  - id: 6093 
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # yum install nftables."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.5.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 6094 
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:package firewalld is not installed"
+      - "c:command -v firewall-cmd >/dev/null && firewall-cmd --state -> r:not running"
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  # 3.5.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 6095 
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # yum remove iptables-services."
+    compliance:
+      - cis: ["3.5.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:package iptables-services is not installed"
+
+  # 3.5.2.4 Ensure iptables are flushed with nftables. (Manual)
+  - id: 6096 
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - "c:iptables -L -> r:Chain INPUT"
+      - "c:ip6tables -L -> r:Chain INPUT"
+
+  # 3.5.2.5 Ensure an nftables table exists. (Automated)
+  - id: 6097 
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:table"
+
+  # 3.5.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 6098 
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.5.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:type filter hook input priority 0"
+      - "c:nft list ruleset -> r:type filter forward priority 0"
+      - "c:nft list ruleset -> r:type filter hook output priority 0"
+
+  # 3.5.2.7 Ensure nftables loopback traffic is configured. (Automated)
+  - id: 6099 
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop IF IPv6 is enabled: Run the following command to implement the IPv6 loopback rules: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.5.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list ruleset -> r:iif "lo" accept'
+      - "c:nft list ruleset -> r:ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"
+
+  # 3.5.2.8 Ensure nftables outbound and established connections are configured. (Manual)
+  - id: 6100 
+    title: "Ensure nftables outbound and established connections are configured."
+    description: "Configure the firewall rules for new outbound and established connections."
+    rationale: "If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy preventing network usage."
+    remediation: "Configure nftables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections: # nft add rule inet filter input ip protocol tcp ct state established accept # nft add rule inet filter input ip protocol udp ct state established accept # nft add rule inet filter input ip protocol icmp ct state established accept # nft add rule inet filter output ip protocol tcp ct state new,related,established accept # nft add rule inet filter output ip protocol udp ct state new,related,established accept # nft add rule inet filter output ip protocol icmp ct state new,related,established accept."
+    compliance:
+      - cis: ["3.5.2.8"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:ip protocol tcp ct state established accept"
+      - "c:nft list ruleset -> r:ip protocol udp ct state established accept"
+      - "c:nft list ruleset -> r:ip protocol icmp ct state established accept"
+      - "c:nft list ruleset -> r:ip protocol tcp ct state established,related,new accept"
+      - "c:nft list ruleset -> r:ip protocol udp ct state established,related,new accept"
+      - "c:nft list ruleset -> r:ip protocol icmp ct state established,related,new accept"
+
+  # 3.5.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 6101 
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.5.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:type filter hook input priority 0; policy drop;"
+      - "c:nft list ruleset -> r:type filter hook forward priority 0; policy drop;"
+      - "c:nft list ruleset -> r:type filter hook output priority 0; policy drop;"
+
+  # 3.5.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 6102 
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.5.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.5.2.11 Ensure nftables rules are permanent. (Automated)
+  - id: 6103 
+    title: "Ensure nftables rules are permanent."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered."
+    rationale: "Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot."
+    remediation: 'Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot: Example: include "/etc/nftables/nftables.rules".'
+    compliance:
+      - cis: ["3.5.2.11"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/nftables.conf -> r:^include "/etc/nftables/nftables.rules"'
+      - 'not f:/etc/sysconfig/nftables.conf -> r:#\s*include "/etc/nftables/nftables.rules"'
+
+  ###############################################
+  # 3.5.3 Configure iptables
+  ###############################################
+  ###############################################
+  #3.5.3.1 Configure iptables software
+  ###############################################
+
+  # 3.5.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 6104 
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # yum install iptables iptables-services."
+    compliance:
+      - cis: ["3.5.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:iptables-"
+      - "c:rpm -q iptables-services -> r:iptables-services-"
+
+  # 3.5.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 6105 
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # yum remove nftables."
+    compliance:
+      - cis: ["3.5.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:package nftables is not installed"
+
+  # 3.5.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 6106 
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.5.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:package firewalld is not installed"
+      - 'not c:systemctl status firewalld -> r:active \(running\)'
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  # 3.5.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 6107 
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.5.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.5.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.5.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.5.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 6108 
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'c:iptables -L -> r:/Chain INPUT \(policy DROP\)|Chain FORWARD \(policy DROP\)|Chain OUTPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:/Chain INPUT \(policy REJECT\)|Chain FORWARD \(policy REJECT\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.5.3.2.5 Ensure iptables rules are saved. (Automated)
+  - id: 6109 
+    title: "Ensure iptables rules are saved."
+    description: "The iptables-services package includes the /etc/sysconfig/iptables file. The iptables rules in this file will be loaded by the iptables.service during boot, or when it is started or re-loaded."
+    rationale: "If the iptables rules are not saved and a system re-boot occurs, the iptables rules will be lost."
+    remediation: "Run the following commands to create or update the /etc/sysconfig/iptables file: Run the following command to review the current running iptables configuration: # iptables -L Output should include: Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere DROP all -- loopback/8 anywhere ACCEPT tcp -- anywhere anywhere state ESTABLISHED ACCEPT udp -- anywhere anywhere state ESTABLISHED ACCEPT icmp -- anywhere anywhere state ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED Run the following command to save the verified running configuration to the file /etc/sysconfig/iptables: # service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]."
+    compliance:
+      - cis: ["3.5.3.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/iptables -> r::INPUT DROP|:FORWARD DROP|:OUTPUT DROP"
+      - 'c:service iptables save -> r:iptables: Saving firewall rules to /etc/sysconfig/iptables:\[ OK \]'
+
+  # 3.5.3.2.6 Ensure iptables is enabled and running. (Automated)
+  - id: 6110 
+    title: "Ensure iptables is enabled and running."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.5.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:enabled"
+      - 'c:systemctl status iptables -> r:active \(running\)|\(exited\)'
+
+  # 3.5.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 6111 
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.5.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L INPUT -v -n -> r:Chain INPUT"
+      - "c:ip6tables -L OUTPUT -v -n -> r:Chain OUTPUT"
+
+  # 3.5.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.5.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 6112 
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'c:ip6tables -L -> r:/Chain INPUT \(policy DROP\)|Chain FORWARD \(policy DROP\)|Chain OUTPUT \(policy DROP\)'
+      - 'c:ip6tables -L -> r:/Chain INPUT \(policy REJECT\)|Chain FORWARD \(policy REJECT\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.5.3.3.5 Ensure ip6tables rules are saved. (Automated)
+  - id: 6113 
+    title: "Ensure ip6tables rules are saved."
+    description: "The iptables-services package includes the /etc/sysconfig/ip6tables file. The ip6tables rules in this file will be loaded by the ip6tables.service during boot, or when it is started or re-loaded."
+    rationale: "If the ip6tables rules are not saved and a system re-boot occurs, the ip6tables rules will be lost."
+    remediation: "Run the following commands to create or update the /etc/sysconfig/ip6tables file: Run the following command to review the current running iptables configuration: # ip6tables -L Output should include: Chain INPUT (policy DROP) target prot opt source destination ACCEPT all anywhere anywhere DROP all localhost anywhere ACCEPT tcp anywhere anywhere state ESTABLISHED ACCEPT udp anywhere anywhere state ESTABLISHED ACCEPT icmp anywhere anywhere state ESTABLISHED ACCEPT tcp anywhere anywhere tcp dpt:ssh state NEW Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all anywhere anywhere ACCEPT tcp anywhere anywhere state NEW,ESTABLISHED ACCEPT udp anywhere anywhere state NEW,ESTABLISHED ACCEPT icmp anywhere anywhere state NEW,ESTABLISHED Run the following command to save the verified running configuration to the file /etc/sysconfig/ip6tables: # service ip6tables save ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]."
+    compliance:
+      - cis: ["3.5.3.3.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/ip6tables -> r::INPUT DROP|:FORWARD DROP|:OUTPUT DROP"
+      - 'c:service ip6tables save -> r:iptables: Saving firewall rules to /etc/sysconfig/ip6tables:\[ OK \]'
+
+  # 3.5.3.3.6 Ensure ip6tables is enabled and running. (Automated)
+  - id: 6114 
+    title: "Ensure ip6tables is enabled and running."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.5.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ip6tables -> r:enabled"
+      - 'c:systemctl status ip6tables -> r:active \(running\)|\(exited\)'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+  ###############################################
+  # 4.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 6115 
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # yum install audit audit-libs."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+      - "c:rpm -q audit-libs -> r:^audit-libs-"
+
+  # 4.1.1.2 Ensure auditd service is enabled and running. (Automated)
+  - id: 6116 
+    title: "Ensure auditd service is enabled and running."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable and start auditd : # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+      - 'c:systemctl status auditd -> r:Active: active \(running\)'
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated) - Not Implemented
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 6117 
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. Notes: - The max_log_file parameter is measured in megabytes. - Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file = \d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 6118 
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.2", "6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 6119 
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt'
+
+  # 4.1.2.4 Ensure audit_backlog_limit is sufficient. (Automated) - Not Implemented
+
+  # 4.1.3 Ensure events that modify date and time information are collected. (Automated)
+  - id: 6120 
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change" Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems edit or create a file in the \/etc\/audit\/rules.d\/ directory ending in .rules. Example: vi \/etc\/audit\/rules.d\/time-change.rules and add the following lines: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w \/etc\/localtime -p wa -k time-change For 64 bit systems edit or create a file in the \/etc\/audit\/rules.d\/ directory ending in .rules. Example: vi \/etc\/audit\/rules.d\/time-change.rules and add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -Farch=b32 -S clock_settime -k time-change -w \/etc\/localtime -p wa -k time-change. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/localtime && r:-p wa && r:-k time-change'
+
+  # 4.1.4 Ensure events that modify user/group information are collected. (Automated)
+  - id: 6121 
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file. Note: Reloading the auditd config to set active settings may require a system reboot.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-identity.rules Add the following lines: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/group && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/passwd && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/gshadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/shadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/security/opasswd && r:-p wa && r:-k identity'
+
+  # 4.1.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 6122 
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale.".'
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-system_local.rules Add the following lines: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-system_local.rules Add the following lines: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale'
+
+  # 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 6123 
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: - If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited. - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-MAC_policy.rules Add the following lines: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/selinux/ && r:-p wa && r:-k MAC-policy'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
+
+  # 4.1.7 Ensure login and logout events are collected. (Automated)
+  - id: 6124 
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - The file /var/log/lastlog maintain records of the last time a user successfully logged in. - The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-logins.rules Add the following lines: -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /var/log/lastlog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /var/run/faillog/ && r:-p wa && r:-k logins'
+
+  # 4.1.8 Ensure session initiation information is collected. (Automated)
+  - id: 6125 
+    title: "Ensure session initiation information is collected."
+    description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file \/var\/run\/utmp tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The \/var\/log\/wtmp file tracks logins, logouts, shutdown, and reboot events. The file \/var\/log\/btmp keeps track of failed login attempts and can be read by entering the command \/usr\/bin\/last -f \/var\/log\/btmp .All audit records will be tagged with the identifier \"logins.\" Notes: - The last command can be used to read \/var\/log\/wtmp (last with no parameters) and \/var\/run\/utmp (last -f \/var\/run\/utmp) - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-session.rules Add the following lines: -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins'
+
+  # 4.1.9 Ensure discretionary access control permission modification events are collected. (Automated)
+  - id: 6126 
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >=1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\" Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-perm_mod.rules Add the following lines: -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-perm_mod.rules Add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+
+  # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected. (Automated)
+  - id: 6127 
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open , openat) and truncation ( truncate , ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid>=1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\" Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-access.rules Add the following lines: -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-access.rules Add the following lines: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+
+  # 4.1.11 Ensure use of privileged commands is collected. (Automated) - Not Implemented
+
+  # 4.1.12 Ensure successful file system mounts are collected. (Automated)
+  - id: 6128 
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-mounts.rules Add the following lines: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-mounts.rules Add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
+
+  # 4.1.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 6129 
+    title: "Ensure file deletion events by users are collected."
+    description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for following system calls and tags them with the identifier \"delete\": - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat - rename a file attribute Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-deletion.rules Add the following lines: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-deletion.rules Add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
+
+  # 4.1.14 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 6130 
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers or a file in the /etc/sudoers.d directory will be written to when the file or its attributes have changed. Note: Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules _Example: vi /etc/audit/rules.d/50-scope.rules Add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope'
+
+  # 4.1.15 Ensure system administrator command executions (sudo) are collected. (Automated)
+  - id: 6131 
+    title: "Ensure system administrator command executions (sudo) are collected."
+    description: "sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed."
+    rationale: "creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed. Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/50-actions.rules Add the following line: -a exit,always -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/50-actions.rules Add the following lines: -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions -a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions'
+
+  # 4.1.16 Ensure kernel module loading and unloading is collected. (Automated)
+  - id: 6132 
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules". Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.'
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.17 Ensure the audit configuration is immutable. (Automated)
+  - id: 6133 
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the following line at the end of the file: -e 2."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-e 2'
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 6134 
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is a recommended replacement to the original syslogd daemon. rsyslog provides improvements over syslogd, including: connection-oriented (i.e. TCP) transmission of logs - - The option to log to database formats - Encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # yum install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog Service is enabled and running. (Automated)
+  - id: 6135 
+    title: "Ensure rsyslog Service is enabled and running."
+    description: "rsyslog needs to be enabled and running to perform logging."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable and start rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:enabled"
+      - 'c:systemctl status rsyslog -> r:active \(running\)'
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured. (Automated)
+  - id: 6136 
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. The $FileCreateMode parameter specifies the file creation mode with which rsyslogd creates new files. If not specified, the value 0644 is used. Notes: - The value given must always be a 4-digit octal number, with the initial digit being zero. - This setting can be overridden by a less restrictive setting in any file ending in .conf in the /etc/rsyslog.d/ directory."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\.*.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.4 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host. (Automated)
+  - id: 6137 
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead. Note: Ensure that the selection of logfiles being sent follows local site policy."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines: Newer syntax: <files to sent to the remote log server> action(type="omfwd" target="<FQDN or ip of loghost>" port="<port number>" protocol="tcp" action.resumeRetryCount="<number of re-tries>" queue.type="LinkedList" queue.size=<number of messages to queue>") Example: *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Older syntax: *.* @@<FQDN or ip of loghost> Example: *.* @@192.168.2.100 Run the following command to reload the rsyslog configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc_v8: ["8.9"]
+      - cis_csc_v7: ["6.6", "6.8"]
+      - nist_sp_800-53: ["AU-6(3)"]
+      - pci_dss_v3.2.1: ["10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.3.3"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^[^#]\s*\S+\.\*\s+@'
+      - 'd:/etc/rsyslog.d/ -> r:\.*.conf -> r:^[^#]\s*\S+\.\*\s+@'
+
+  # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
+  - id: 6138 
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts."
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. Note: The $ModLoad imtcp line can have the .so extension added to the end of the module, or use the full path to the module."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the \/etc\/rsyslog.conf file and un-comment or add the following lines: $ModLoad imtcp $InputTCPServerRun 514 For hosts that are not designated as log hosts, edit the \/etc\/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514 Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/rsyslog.conf -> r:^#$ModLoad\s*\t*imtcp'
+      - 'not d:/etc/rsyslog.d/*.conf -> r:^#$ModLoad\s*\t*imtcp'
+      - 'not f:/etc/rsyslog.conf -> r:^#$InputTCPServerRun\s*\t*514'
+      - 'not d:/etc/rsyslog.d/*.conf -> r:^#$InputTCPServerRun\s*\t*514'
+
+  ###############################################
+  # 4.2 Configure journald
+  ###############################################
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog. (Automated)
+  - id: 6139 
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: 'Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Notes: - This recommendation assumes that recommendation 4.2.1.5, "Ensure rsyslog is configured to send logs to a remote log host" has been implemented. - The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters - As noted in the journald man pages: journald logs may be exported to rsyslog either through the process mentioned here, or through a facility like systemd-journald.service. There are trade-offs involved in each implementation, where ForwardToSyslog will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service, on the other hand, will record bootup events, but may delay sending the information to rsyslog, leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system.'
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v8: ["8.9"]
+      - cis_csc_v7: ["6.5"]
+      - nist_sp_800-53: ["AU-6(3)"]
+      - pci_dss_v3.2.1: ["10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.3.3"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files. (Automated)
+  - id: 6140 
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress\s*=\s*yes'
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 6141 
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage\s*=\s*persistent'
+
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Manual)
+  - id: 6142 
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information."
+    remediation: 'Run the following commands to set permissions on all existing log files: # find /var/log -type f -exec chmod g-wx,o-rwx "{}" + Note: The configuration for your logging software or services may need to also be modified for any logs that had incorrect permissions, otherwise, the permissions may be reverted to the incorrect permissions.'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:find /var/log -type f -ls -> r:^$'
+
+  # 4.2.4 Ensure logrotate is configured. (Manual) - Not Implemented
+  ####################################################
+  # 5 Access, Authentication and Authorization
+  ####################################################
+  ####################################################
+  # 5.1 Configure time-based job schedulers
+  ####################################################
+
+  # 5.1.1 Ensure cron daemon is enabled and running. (Automated)
+  - id: 6143 
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run. If another method for scheduling tasks is not being used, cron is used to execute them, and needs to be enabled and running."
+    remediation: "Run the following command to enable and start cron: # systemctl --now enable crond OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:enabled"
+      - 'c:systemctl status crond -> r:Active: active \(running\) since \w+ \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 6144 
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab: # chown root:root /etc/crontab # chmod u-x,og-rwx /etc/crontab OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 6145 
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly/ directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/ OR Run the following command to remove cron # yum remove cronie."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 6146 
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily directory: # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 6147 
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly/ directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/ OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 6148 
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly directory: # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 6149 
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d/ directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d directory: # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 6150 
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following command to remove /etc/cron.deny: # rm /etc/cron.deny Run the following command to create /etc/cron.allow # touch /etc/cron.allow Run the following commands to set the owner and permissions on /etc/cron.allow: # chown root:root /etc/cron.allow # chmod u-x,og-rwx /etc/cron.allow OR Run the following command to remove cron # yum remove cronie."
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat /etc/cron.deny -> r:No such file or directory$"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 6151 
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following command to remove /etc/at.deny: # rm /etc/at.deny Run the following command to create /etc/at.allow # touch /etc/at.allow Run the following commands to set the owner and permissions on /etc/at.allow: # chown root:root /etc/at.allow # chmod u-x,og-rwx /etc/at.allow OR Run the following command to remove at: # yum remove at."
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat /etc/at.allow -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  ###############################################
+  # 5.2 Configure Sudo
+  ###############################################
+
+  # 5.2.1 Ensure sudo is installed. (Automated)
+  - id: 6152 
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo. # yum install sudo."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.2.2 Ensure sudo commands use pty. (Automated)
+  - id: 6153 
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo-pty Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later. The -f option allows you to tell visudo which file to edit."
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing. This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not."
+    remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.2.3 Ensure sudo log file exists. (Automated)
+  - id: 6154 
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later. The -f option allows you to tell visudo which file to edit."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "Editing the sudo configuration incorrectly can cause sudo to stop functioning."
+    remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # ###############################################
+  # # 5.3 Configure SSH Server
+  # ###############################################
+
+  # 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 6155 
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.3.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.3.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.3.4 Ensure SSH access is limited. (Automated)
+  - id: 6156 
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["3.3", "5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "MP.L2-3.8.2", "SC.L2-3.13.3"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.3.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 6157 
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - 'f:/etc/ssh/sshd_config ->!r:^# && r:loglevel\s*(VERBOSE|INFO)'
+
+  # 5.3.6 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 6158 
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through an existing SSH shell session to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    impact: "X11 programs on the server will not be able to be forwarded to a ssh-client display."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*x11forwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+
+  # 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 6159 
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.3.8 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 6160 
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.3.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.3.9 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 6161 
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.3.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.3.10 Ensure SSH root login is disabled. (Automated)
+  - id: 6162 
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.3.10"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitRootLogin\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.3.11 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 6163 
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.3.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitEmptyPasswords\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.3.12 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 6164 
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing a Trojan's programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.3.12"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.3.13 Ensure only strong Ciphers are used. (Automated)
+  - id: 6165 
+    title: "Ensure only strong Ciphers are used."
+    description: "This variable limits the ciphers that SSH can use during communication. Note: Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack - The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue - The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr."
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+    compliance:
+      - cis: ["5.3.13"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "c: sshd -T -C user=root -> r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+      - "not f:/etc/ssh/sshd_config -> r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 5.3.14 Ensure only strong MAC algorithms are used. (Automated)
+  - id: 6166 
+    title: "Ensure only strong MAC algorithms are used."
+    description: "This variable Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. Note: Some organizations may have stricter requirements for approved MACs. Ensure that MACs used are in compliance with site policy."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256."
+    references:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    compliance:
+      - cis: ["5.3.14"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.4", "16.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c: sshd -T -C user=root -> r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+      - "not f:/etc/ssh/sshd_config -> r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.3.15 Ensure only strong Key Exchange algorithms are used. (Automated)
+  - id: 6167 
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received Note: Some organizations may have stricter requirements for approved Key Exchange algorithms. Ensure that Key Exchange algorithms used are in compliance with site policy."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2- nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange- sha256."
+    compliance:
+      - cis: ["5.3.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c: sshd -T -C user=root -> r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+      - "not f:/etc/ssh/sshd_config -> r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.3.16 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 6168 
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.3.16"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*clientaliveinterval\s*\t*(\d+) compare => 1 &&  n:^\s*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -C user=root -> n:^\s*clientalivecountmax\s*\t*(\d+) compare == 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*clientaliveinterval\s*\t*(\d+) compare => 1 &&  n:^\s*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*clientalivecountmax\s*\t*(\d+) compare == 0'
+
+  # 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 6169 
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.3.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*logingracetime\s*\t*(\d+) compare => 1 &&  n:^\s*logingracetime\s*\t*(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*logingracetime\s*\t*(\d+) compare => 1 &&  n:^\s*logingracetime\s*\t*(\d+) compare <= 60'
+
+  # 5.3.18 Ensure SSH warning banner is configured. (Automated)
+  - id: 6170 
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.3.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  # 5.3.19 Ensure SSH PAM is enabled. (Automated)
+  - id: 6171 
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(5) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.3.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*UsePAM\s+no'
+
+  # 5.3.20 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 6172 
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.3.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2", "13.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*allowtcpforwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.3.21 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 6173 
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.3.21"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*maxstartups\s*10:30:60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s*(\d+):\S*:\S* compare <=10 && n:^\s*maxstartups\s*\S*:(\d+):\S* compare <=30 && n:^\s*maxstartups\s*\S*:\S*:(\d+) compare <=60'
+
+  # 5.3.22 Ensure SSH MaxSessions is limited. (Automated)
+  - id: 6174 
+    title: "Ensure SSH MaxSessions is limited."
+    description: "The MaxSessions parameter Specifies the maximum number of open sessions permitted per network connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.3.22"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxsessions\s*(\d+) compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s*(\d+) compare <= 10'
+
+  ###############################################
+  # 5.4 Configure PAM
+  ###############################################
+
+  # 5.4.1 Ensure password creation requirements are configured. (Automated)
+  - id: 6175 
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. The following options are set in the /etc/security/pwquality.conf file: Password Length: - minlen = 14 - password must be 14 characters or more Password complexity: - minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR - dcredit = -1 - provide at least one digit - ucredit = -1 - provide at least one uppercase character - ocredit = -1 - provide at least one special character - lcredit = -1 - provide at least one lowercase character The following is set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Notes: - Settings in /etc/security/pwquality.conf must use spaces around the = symbol. - Additional modules options may be set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files."
+    rationale: "Strong passwords and limited attempts before locking an account protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so try_first_pass retry=3."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s*=\s*(\d+) compare >= 14 && n:^\s*minclass\s*=\s*(\d+) compare == 4'
+      - 'f:/etc/security/pwquality.conf -> r:dcredit\s*=\s*-1s*|\s*ucredit\s*=\s*-1\s*|\s*lcredit\s*=\s*-1\s*|\s*ocredit\s*=\s*-1'
+
+  # 5.4.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 6176 
+    title: "Ensure lockout for failed password attempts is configured."
+    description: 'Lock out users after n unsuccessful consecutive login attempts. These settings are commonly configured with the pam_faillock.so module. Some environments may continue using the pam_tally2.so module, where this older method may simplify automation in mixed environments. Set the lockout number in deny= to the policy in effect at your site. unlock_time=_n_ is the number of seconds the account remains locked after the number of attempts configured in deny=_n_ has been met. Notes: - Additional module options may be set, recommendation only covers those listed here. - When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. This can be avoided by creating symbolic links in place of the configuration files, which authconfig recognizes and does not overwrite. These symbolic links are the default for Fedora 19 derived distributions. - Use of the "audit" keyword may log credentials in the case of user error during - authentication. This risk should be evaluated in the context of the site policies of your organization. If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so or the pam_tally2.so module, the user can be unlocked by issuing following commands. This command sets the failed count to 0, effectively unlocking the user. If pam_faillock.so is used: o o # faillock --user <username> --reset o o # pam_tally2 -u <username> --reset If pam_tally2.so is used:.'
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the following lines: Modify the deny= and unlock_time= parameters to conform to local site policy, Not to be greater than deny=5 To use pam_faillock.so module, add the following lines to the auth section: auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 The auth sections should look similar to the following example: Note: The ordering on the lines in the auth section is important. The preauth line needs to below the line auth required pam_env.so and above all password validation lines. The authfail line needs to be after all password validation lines such as pam_sss.so. Incorrect order can cause you to be locked out of the system Example: auth required pam_env.so auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 # <- Under "auth required pam_env.so" auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 # <- Last auth line before "auth requisite pam_succeed_if.so" auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so Add the following line to the account section: account required pam_faillock.so Example: account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_pam_succeed_if.so uid < 1000 quiet account required pam_permit.so OR To use the pam_tally2.so module, add the following line to the auth section: auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 The auth sections should look similar to the following example: Note: The ordering on the lines in the auth section is important. the additional line needs to below the line auth required pam_env.so and above all password validation lines. Example: auth required pam_env.so auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 # <- Under "auth required pam_env.so" auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so Add the following line to the account section: account required pam_tally2.so Example: account required pam_tally2.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_pam_succeed_if.so uid < 1000 quiet account required pam_permit.so.'
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide"
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:\s*auth\s+\S+\s+pam'
+      - 'f:/etc/pam.d/password-auth -> r:\s*auth\s+\S+\s+pam'
+      - 'f:/etc/pam.d/system-auth -> r:\s*account\s+required\s+pam_faillock.so\s*'
+      - 'f:/etc/pam.d/password-auth -> r:\s*account\s+required\s+pam_faillock.so\s*'
+      - 'f:/etc/pam.d/system-auth -> r:\s*auth\s+\S+\s+pam_\(tally2|unix\).so'
+      - 'f:/etc/pam.d/password-auth -> r:\s*auth\s+\S+\s+pam_\(tally2|unix\).so'
+      - 'f:/etc/pam.d/system-auth -> r:\s*account\s+required\s+pam_tally2.so\s*'
+      - 'f:/etc/pam.d/password-auth -> r:\s*account\s+required\s+pam_tally2.so\s*'
+
+  # 5.4.3 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 6177 
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Note: - These changes only apply to accounts configured on the local system. - Additional module options may be set, recommendation only covers those listed here."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include sha512 option and remove the md5 option for pam_unix.so: password sufficient pam_unix.so sha512 Note: - Any system accounts that need to be expired should be carefully done separately by the - system administrator to prevent any potential problems. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login, In accordance with local site policies. - To accomplish this, the following command can be used. o This command intentionally does not affect the root account. The root account's password will also need to be changed. # awk -F: '( $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $1 !~ /^(nfs)?nobody$/ && $1 != \"root\" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0."
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:\s*password\s+\(sufficient|requisite|required\)\s+pam_unix.so\s*sha512'
+      - 'f:/etc/pam.d/password-auth -> r:\s*password\s+\(sufficient|requisite|required\)\s+pam_unix.so\s*sha512'
+
+  # 5.4.4 Ensure password reuse is limited. (Automated)
+  - id: 6178 
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Note: Additional module options may be set, recommendation only covers those listed here."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "Edit both the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: Note: Add or modify the line containing the pam_pwhistory.so after the first occurrence of password requisite: password required pam_pwhistory.so remember=5 Example: (Second line is modified) password requisite pam_pwquality.so try_first_pass local_users_only authtok_type= password required pam_pwhistory.so use_authtok remember=5 retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so."
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/pam.d/system-auth -> n:\s*password\s+\(requisite|required\)\s+pam_pwhistory.so\s*remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/password-auth -> n:\s*password\s+\(requisite|required\)\s+pam_pwhistory.so\s*remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> n:\s*password\s+\(requisite|required\)\s+pam_pwhistory.so\s*remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/password-auth -> n:\s*password\s+\(requisite|required\)\s+pam_pwhistory.so\s*remember=(\d+) compare >= 5'
+
+  # 5.5.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 6179 
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days. Notes: - A value of -1 will disable password expiration. - The password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials via a brute force attack, using already compromised credentials, or gaining the credentials by other means, can be limited by the age of the password. Therefore, reducing the maximum age of a password can also reduce an attacker's window of opportunity. Requiring passwords to be changed helps to mitigate the risk posed by the poor security practice of passwords being used for multiple accounts, and poorly implemented off-boarding and change of responsibility policies. This should not be considered a replacement for proper implementation of these policies and practices. Note: If it is believed that a user's password may have been compromised, the user's account should be locked immediately. Local policy should be followed to ensure the secure update of their password."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.5.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 6180 
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs : PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.5.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\S*:\S*:(\d+):\S*:\S*:\S*:\S*:\S* compare < 1'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*::\S*:\S*:\S*:\S*:\S*'
+
+  # 5.5.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 6181 
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.5.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.5.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 6182 
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Note: A value of -1 would disable this setting."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.5.1.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.9"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*\t*(\d+) compare <= 30'
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.5.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.5.2 Ensure system accounts are secured. (Automated) - Not Implemented
+
+  # 5.5.3 Ensure default group for the root account is GID 0. (Automated)
+  - id: 6183 
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.5.4 Ensure default user shell timeout is configured. (Automated) - Not Implemented
+  # 5.5.5 Ensure default user umask is configured. (Automated) - Not Implemented
+  # 5.6 Ensure root login is restricted to system console. (Manual) - Not Implemented
+
+  # 5.7 Ensure access to the su command is restricted. (Automated)
+  - id: 6184 
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 6185 
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd : # chown root:root /etc/passwd # chmod u-x,g-wx,o-wx /etc/passwd."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 6186 
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd- : # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0644/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 6187 
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow : # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 6188 
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 6189 
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 6190 
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow : # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 6191 
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group : # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 6192 
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.10 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+
+  ###############################################
+  # 6.2 User and Group Settings
+  ###############################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 6193 
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Notes: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "If any accounts in the /etc/passwd file do not have a single x in the password field, run the following command to set these accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 6194 
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.4 Ensure shadow group is empty. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 6195 
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*root && n:^\w+:\S*:(\d+):\S*:\S*:\S*:\S* compare == 0'
+
+  # 6.2.10 Ensure root PATH Integrity. (Automated) - Not Implemented
+  # 6.2.11 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.12 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.14 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.17 Ensure no users have .rhosts files. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/centos/8/cis_centos8_linux.yml b/etc/ruleset/sca/centos/8/cis_centos8_linux.yml
new file mode 100644
index 0000000000..14a6c9d0b5
--- /dev/null
+++ b/etc/ruleset/sca/centos/8/cis_centos8_linux.yml
@@ -0,0 +1,4451 @@
+# Security Configuration Assessment
+# CIS Checks for CentOS 8
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security CentOS Linux 8 Benchmark v2.0.0 - 02-23-2022
+
+policy:
+  id: "cis_centos8_linux"
+  file: "cis_centos8_linux.yml"
+  name: "CIS CentOS Linux 8 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for CentOS Linux 8 systems running on x86 and x64 platforms. This document was tested against CentOS Linux 8."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Centos 8 family platform"
+  description: "Requirements for running the policy against CentOS 8 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Centos && r:release 8"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 6500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs. Example: # printf "install cramfs /bin/false blacklist cramfs " >> /etc/modprobe.d/cramfs.conf Run the following command to unload the cramfs module: # modprobe -r cramfs.'
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:^install|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^blacklist\s*\t*cramfs'
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 6501
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with the lines that reads install squashfs /bin/false and blacklist squashfs. Example: # printf "install squashfs /bin/false blacklist squashfs " >> /etc/modprobe.d/squashfs.conf Run the following command to unload the squashfs module: # modprobe -r squashfs.'
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:^install|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^blacklist\s*\t*squashfs'
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 6502
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install udf /bin/false. Example: # printf "install udf /bin/false blacklist udf " >> /etc/modprobe.d/udf.conf Run the following command to unload the udf module: # modprobe -r udf.'
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:^install|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d -> r:\.+ -> r:^blacklist\s*\t*udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 6503
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 6504
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:nodev'
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 6505
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:noexec'
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 6506
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:nosuid'
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 6507
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 6508
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var\s && !r:nodev'
+
+  # 1.1.3.3 Ensure noexec option set on /var partition. (Automated)
+  - id: 6509
+    title: "Ensure noexec option set on /var partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var\s && !r:noexec'
+
+  # 1.1.3.4 Ensure nosuid option set on /var partition. (Automated)
+  - id: 6510
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var\s && !r:nosuid'
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 6511
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary file residing in /var/tmp is to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 6512
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:noexec'
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 6513
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:nosuid'
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 6514
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:nodev'
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 6515
+    title: "Configure /var/log The /var/log directory is used by system services to store log data. 1.1.5.1 Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contain the log files that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 6516
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log\s && !r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 6517
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log\s && !r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 6518
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log\s && !r:noexec'
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 6519
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contain the audit.log file that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 6520
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s && !r:noexec'
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 6521
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s && !r:nodev'
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 6522
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s && !r:nosuid'
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 6523
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 6524
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/home\s && !r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 6525
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/home\s && !r:nodev'
+
+  # 1.1.7.4 Ensure usrquota option set on /home partition. (Automated)
+  - id: 6526
+    title: "Ensure usrquota option set on /home partition."
+    description: "The usrquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add usrquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.user Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/home\s && !r:usrquota'
+      - "c:quotaon -p user -> r:user"
+
+  # 1.1.7.5 Ensure grpquota option set on /home partition. (Automated)
+  - id: 6527
+    title: "Ensure grpquota option set on /home partition."
+    description: "The grpquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.group Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && !r:grpquota'
+      - "c:quotaon -p group -> r:user"
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 6528
+    title: "Configure /dev/shm 1.1.8.1 Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && !r:nodev'
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 6529
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && !r:nodev'
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 6530
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && !r:nosuid'
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 6531
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # dnf remove autofs Run the following command to disable autofs if it is required: # systemctl --now disable autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> r:^enabled"
+
+  # 1.1.10 Disable USB Storage. (Automated)
+  - id: 6532
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 6533
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^gpgcheck\s*\t*=\s*\t*1'
+      - 'not d:/etc/yum.repos.d/ -> r:\.+ -> r:gpgcheck=0'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 6534
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 6535
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 6536
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password> Run the following command to update the grub2 configuration: # grub2-mkconfig -o \"$(dirname \"$(find /boot -type f \\( -name 'grubenv' -o - name 'grub.conf' -o -name 'grub.cfg' \\) -exec grep -Pl '^\\h*(kernelopts=|linux|kernel)' {} \\;)\")/grub.cfg\"."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 6537
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options. The grub2 configuration is usually grub.cfg. On newer grub2 systems the encrypted bootloader password is contained in user.cfg. If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions desired."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration file(s): # [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg # [ -f /boot/grub2/grub.cfg ] && chmod og-rwx /boot/grub2/grub.cfg # [ -f /boot/grub2/grubenv ] && chown root:root /boot/grub2/grubenv # [ -f /boot/grub2/grubenv ] && chmod og-rwx /boot/grub2/grubenv # [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg # [ -f /boot/grub2/user.cfg ] && chmod og-rwx /boot/grub2/user.cfg OR If the system uses UEFI, edit /etc/fstab and add the fmask=0077, uid=0, and gid=0 options: Example: <device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0 Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/grubenv -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/user.cfg -> r:Access:\s*\(0600/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication is required when booting into rescue mode. (Automated)
+  - id: 6538
+    title: "Ensure authentication is required when booting into rescue mode."
+    description: "Rescue mode (former single user mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in rescue mode (former single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials."
+    remediation: "The systemd drop-in files must be created if it is necessary to change the default settings: Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf which contains only the configuration to be overridden: [Service] ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/usr/lib/systemd/system/rescue.service -> r: systemd-sulogin-shell"
+      - 'd:/etc/systemd/system/rescue.service.d/ -> r:\.+ -> r: systemd-sulogin-shell'
+
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 6539
+    title: "Additional Process Hardening 1.5.1 Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 6540
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated)
+  - id: 6541
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: 'Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: Example: # printf " kernel.randomize_va_space = 2 " >> /etc/sysctl.d/60-kernel_sysctl.conf Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2.'
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+      - 'f:/etc/sysctl.conf -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+      - 'd:/etc/sysctl.d/ -> r:\.+ -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 6542
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 6543
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0'."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 6544
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 6545
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permisive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 6546
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 6547
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 6548
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa setroubleshoot -> r:^setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 6549
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:rpm -qa mcstrans -> r:^mcstrans"
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 6550
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 6551
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 6552
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 6553
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 6554
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 6555
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 6556
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "f:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 6557
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text='
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 6558
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm"
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:disable-user-list=true'
+
+  # 1.8.4 Ensure XDMCP is not enabled. (Automated)
+  - id: 6559
+    title: "Ensure XDMCP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.8.5 Ensure automatic mounting of removable media is disabled. (Automated)
+  - id: 6560
+    title: "Ensure automatic mounting of removable media is disabled."
+    description: "By default GNOME automatically mounts removable media when inserted as a convenience to the user."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Ensure that automatic mounting of media is disabled for all GNOME users: # cat << EOF >> /etc/dconf/db/local.d/00-media-automount [org/gnome/desktop/media-handling] automount=false automount-open=false EOF Apply the changes with: # dconf update."
+    references:
+      - "https://access.redhat.com/solutions/20107"
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - "c:gsettings get org.gnome.desktop.media-handling automount -> r:^false"
+      - "c:gsettings get org.gnome.desktop.media-handling automount-open -> r:^false"
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 6561
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 6562
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 6563
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 6564
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  # 2.2.1 Ensure xinetd is not installed. (Automated)
+  - id: 6565
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # dnf remove xinetd."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:^package xinetd is not installed"
+
+  # 2.2.2 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 6566
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 6567
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+      - "c:rpm -q avahi-autoipd -> r:^package avahi-autoipd is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 6568
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 6569
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the rpm -q dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.6 Ensure DNS Server is not installed. (Automated)
+  - id: 6570
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.7 Ensure FTP Server is not installed. (Automated)
+  - id: 6571
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.2.8 Ensure VSFTP Server is not installed. (Automated)
+  - id: 6572
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.9 Ensure TFTP Server is not installed. (Automated)
+  - id: 6573
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.10 Ensure a web server is not installed. (Automated)
+  - id: 6574
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.11 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 6575
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.12 Ensure Samba is not installed. (Automated)
+  - id: 6576
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.13 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 6577
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.14 Ensure net-snmp is not installed. (Automated)
+  - id: 6578
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.15 Ensure NIS server is not installed. (Automated)
+  - id: 6579
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # dnf remove ypserv."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:^package ypserv is not installed"
+
+  # 2.2.16 Ensure telnet-server is not installed. (Automated)
+  - id: 6580
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.17 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 6581
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 6582
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-package is required as a dependency, the nfs-server should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 6583
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind -> r:masked|No such file or directory"
+      - "c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory"
+
+  # 2.2.20 Ensure rsync is not installed or the rsyncd service is masked. (Automated)
+  - id: 6584
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.20"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:^package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 6585
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # dnf remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:^package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 6586
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # dnf remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:^package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 6587
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # dnf remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:^package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 6588
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 6589
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.6 Ensure TFTP client is not installed. (Automated)
+  - id: 6590
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+
+  # 3.1.1 Verify if IPv6 is enabled on the system. (Manual) - Not Implemented
+
+  # 3.1.2 Ensure SCTP is disabled. (Automated)
+  - id: 6591
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install sctp /bin/true " >> /etc/modprobe.d/sctp.conf.'
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:^install\s*\t*/bin/true'
+      - "not c:lsmod -> r:^sctp"
+
+  # 3.1.3 Ensure DCCP is disabled. (Automated)
+  - id: 6592
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install dccp /bin/true " >> /etc/modprobe.d/dccp.conf.'
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:^install\s*\t*/bin/true'
+      - "not c:lsmod -> r:^dccp"
+
+  # 3.1.4 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  # 3.4.1.1 Ensure firewalld is installed. (Automated)
+  - id: 6593
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # dnf install firewalld iptables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:^firewalld-"
+      - "c:rpm -q iptables -> r:^iptables-"
+
+  # 3.4.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 6594
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 6595
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. _Note: Support for using nftables as the back-end for firewalld was added in release v0.6.0. In Fedora 19 Linux derivatives, firewalld utilizes iptables as its back-end by default."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: firewalld may configured as the front-end to nftables. If this case, nftables should be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # dnf remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.4.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+      - "c:systemctl is-active nftables -> r:^inactive"
+      - "c:systemctl is-enabled nftables -> r:^masked"
+
+  # 3.4.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 6596
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.4.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:^enabled"
+      - "c:firewall-cmd --state -> r:^running"
+
+  # 3.4.1.5 Ensure firewalld default zone is set. (Automated) - Not Implemented
+  # 3.4.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) - Not Implemented
+
+  # 3.4.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+
+  # 3.4.2.1 Ensure nftables is installed. (Automated)
+  - id: 6597
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 6598
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # dnf remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 6599
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.2.4 Ensure iptables are flushed with nftables. (Manual) - Not Implemented
+
+  # 3.4.2.5 Ensure an nftables table exists. (Automated)
+  - id: 6600
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.4.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.4.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 6601
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.4.2.7 Ensure nftables loopback traffic is configured. (Automated)
+  - id: 6602
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop IF IPv6 is enabled: Run the following command to implement the IPv6 loopback rules: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:iif "lo" accept'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip saddr|ip6 saddr'
+
+  # 3.4.2.8 Ensure nftables outbound and established connections are configured. (Manual) -Not Implemented
+
+  # 3.4.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 6603
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.4.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 6604
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.4.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:^enabled"
+
+  # 3.4.2.11 Ensure nftables rules are permanent. (Automated)
+  - id: 6605
+    title: "Ensure nftables rules are permanent."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered."
+    rationale: "Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot."
+    remediation: 'Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot: Example: include "/etc/nftables/nftables.rules".'
+    compliance:
+      - cis: ["3.4.2.11"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/nftables.conf -> r:include *"
+
+  # 3.4.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 6606
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # dnf install iptables iptables-services."
+    compliance:
+      - cis: ["3.4.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:^iptables-"
+      - "c:rpm -q iptables-services -> r:^iptables-services-"
+
+  # 3.4.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 6607
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # dnf remove nftables."
+    compliance:
+      - cis: ["3.4.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:package nftables is not installed"
+
+  # 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 6608
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:systemctl status firewalld -> r:active && r:running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 6609
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.4.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.4.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 6610
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:iptables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.4.3.2.5 Ensure iptables rules are saved. (Automated) - Not Implemented
+
+  # 3.4.3.2.6 Ensure iptables is enabled and active. (Automated)
+  - id: 6611
+    title: "Ensure iptables is enabled and active."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.4.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:^enabled"
+      - "c:systemctl is-active iptables -> r:^active"
+
+  # 3.4.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 6612
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.4.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:ACCEPT\s*\t*all\s*\t*lo && r:\s*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:DROP\s*\t*all\s*\t*lo && r:\s*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:ACCEPT\s*\t*all\s*\t*lo && r:\s*::/0'
+
+  # 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 6613
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.4.3.3.5 Ensure ip6tables rules are saved. (Automated) - Not Implemented
+
+  # 3.4.3.3.6 Ensure ip6tables is enabled and active. (Automated)
+  - id: 6614
+    title: "Ensure ip6tables is enabled and active."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.4.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ip6tables -> r:^enabled"
+      - "c:systemctl is-active ip6tables -> r:^active"
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 6615
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditd service is enabled. (Automated)
+  - id: 6616
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 6617
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to add audit=1 to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "not f:/boot/grub2/grubenv -> r:kernelopts= && !r:audit=1"
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 6618
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts= && n:audit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 6619
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 6620
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 6621
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 6622
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 6623
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 6624
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 6625
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 6626
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 6627
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-perm_mod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v7: ["5.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 6628
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 6629
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 6630
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v7: ["13"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 6631
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 6632
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 6633
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-priv_cmd.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 6634
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 6635
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 6636
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v7: ["5.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 6637
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the following line at the end of the file: -e 2."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "grep -iEh ''^\s*\t*-e 2\s*$'' /etc/audit/rules.d/*.rules | tail -1" -> r:^\s*\t*-e 2\s*$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 6638
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:augenrules --check -> r:^\s*/usr/sbin/augenrules && r:No change$'
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 6639
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 6640
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 6641
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 6642
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\.*.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual) - Not Implemented
+
+  # 4.2.1.7 Ensure rsyslog is not configured to recieve logs from a remote client. (Automated) - Not Implemented
+  - id: 6643
+    title: "Ensure rsyslog is not configured to recieve logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  # 4.2.2.1 Ensure journald is configured to send logs to a remote log host 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 6644
+    title: "Ensure journald is configured to send logs to a remote log host 4.2.2.1.1 Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:^systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual)
+  - id: 6645
+    title: "Ensure systemd-journal-remote is configured."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journal-upload.conf file and ensure the following lines are set per your environment: URL=192.168.50.42 ServerKeyFile=/etc/ssl/private/journal-upload.pem ServerCertificateFile=/etc/ssl/certs/journal-upload.pem TrustedCertificateFile=/etc/ssl/ca/trusted.pem Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journal-upload.conf -> r:URL="
+      - "f:/etc/systemd/journal-upload.conf -> r:ServerKeyFile="
+      - "f:/etc/systemd/journal-upload.conf -> r:ServerCertificateFile="
+      - "f:/etc/systemd/journal-upload.conf -> r:TrustedCertificateFile="
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 6646
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 4.2.2.1.4 Ensure journald is not configured to recieve logs from a remote client. (Automated)
+  - id: 6647
+    title: "Ensure journald is not configured to recieve logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 6648
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 6649
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Compress=yes"
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 6650
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Storage=persistent"
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 6651
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> !r:^# && r:ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual)
+  - id: 6652
+    title: "Ensure journald log rotation is configured per site policy."
+    description: "Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated."
+    rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files."
+    remediation: "Review /etc/systemd/journald.conf and verify logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritisation of parameters. The specific parameters for log rotation are: SystemMaxUse= SystemKeepFree= RuntimeMaxUse= RuntimeKeepFree= MaxFileSec=."
+    compliance:
+      - cis: ["4.2.2.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:SystemMaxUse="
+      - "f:/etc/systemd/journald.conf -> r:SystemKeepFree="
+      - "f:/etc/systemd/journald.conf -> r:RuntimeMaxUse="
+      - "f:/etc/systemd/journald.conf -> r:RuntimeKeepFree="
+      - "f:/etc/systemd/journald.conf -> r:MaxFileSec="
+
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 6653
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 6654
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/crontab" -> r:600\s*\t*-rw------- && r:0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 6655
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.hourly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 6656
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.daily/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 6657
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.weekly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 6658
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.monthly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 6659
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.d/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 6660
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following scritp to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow`: #!/usr/bin/env bash cron_fix() { if rpm -q cronie >/dev/null; then [ -e /etc/cron.deny ] && rm -f /etc/cron.deny [ ! -e /etc/cron.allow ] && touch /etc/cron.allow chown root:root /etc/cron.allow chmod u-x,go-rwx /etc/cron.allow else echo "cron is not installed on the system" fi } cron_fix OR Run the following command to remove cron: # dnf remove cronie.'
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.allow -> r:640\s*\t*-rw-r-----\s*\t*0\s*\t*root\s*\t*0\s*\t*crontab'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 6661
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file mode for /etc/at.allow: #!/usr/bin/env bash at_fix() { if rpm -q at >/dev/null; then [ -e /etc/at.deny ] && rm -f /etc/at.deny [ ! -e /etc/at.allow ] && touch /etc/at.allow chown root:root /etc/at.allow chmod u-x,go-rwx /etc/at.allow else echo "at is not installed on the system" fi } at_fix OR Run the following command to remove at: # dnf remove at.'
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/at.allow -> r:640\s*\t*-rw-r-----\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 6662
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/sshd_config" -> r:600\s*\t*-rw------- && r:0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 6663
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 6664
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*LogLevel\s+INFO|^\s*LogLevel\s*VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> !r:^\s*LogLevel\s+INFO|^\s*LogLevel\s+VERBOSE'
+      - 'not d:/etc/ssh/sshd_config.d/ -> r:\.*.conf$ -> !r:^\s*LogLevel\s+INFO|^\s*LogLevel\s+VERBOSE'
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 6665
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*usepam\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 6666
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitRootLogin\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 6667
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*HostbasedAuthentication\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*HostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 6668
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitEmptyPasswords\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 6669
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitUserEnvironment\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 6670
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*IgnoreRhosts\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*IgnoreRhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 6671
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*X11Forwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 6672
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 6673
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> ^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 6674
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*banner\s*\t*/etc/issue.net'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 6675
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'not f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare > 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 6676
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*maxstartups\s+10:30:60'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 6677
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*maxsessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 6678
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+      - 'not f:/etc/ssh/sshd_config -> r:\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 6679
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -> r:clientalivecountmax\s*\t*0'
+      - 'not f:/etc/ssh/sshd_config -> r:^ClientAliveInterval\s*\t*0'
+      - 'not f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s*\t*(\d+) > 900'
+      - 'not f:/etc/ssh/sshd_config -> n:^clientalivecountmax\s*\t*(\d+) > 0'
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 6680
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dnf list sudo -> r:^sudo.x86_64"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 6681
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 6682
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 6683
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "not f:/etc/sudoers -> !r:^# && r:*NOPASSWD"
+      - 'not d:/etc/sudoers.d -> r:\.* -> !r:^# && r:*NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 6684
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^# && r:*\!authenticate'
+      - 'not d:/etc/sudoers.d -> r:\.* -> !r:^# && r:*\!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 6685
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on it's own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> n:timestamp_timeout=(\d+) compare =< 15 && n:timestamp_timeout=(\d+) compare != -1'
+      - 'c:sudo -V -> r:Authentication timestamp timeout:\s*\t*5.0 minutes'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 6686
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual) - Not Implemented
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 6687
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 6688
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more ** Either of the following can be used to enforce complex passwords:** - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated) - Not Implemented
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 6689
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> !r:^\s*\t*# && r:password\s*\t*requisite|password\s*\t*sufficient && r:pam_pwhistory.so|pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 6690
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> r:^\s*ENCRYPT_METHOD SHA512'
+      - 'f:/etc/libuser.conf -> r:^\s*crypt_style = sha512'
+      - 'f:/etc/pam.d/password-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> r:\s*password && r:requisite|required|sufficient && r:pam_unix.so && r:sha512'
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 6691
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:(\d+): compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is 7 or more. (Automated)
+  - id: 6692
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare < 7'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 6693
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:\d+:\d+:(\d+): compare < 7'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 6694
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not f:/etc/shadow -> n:^\w+:\w+:\w+:\w+:\w+:\w+:(\d+): compare > 30'
+      - 'not f:/etc/shadow -> r:^\w+:\w+:\w+:\w+:\w+:\w+:-1:'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 6695
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && r:root:\w+:\w+:0:'
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+  # 6.1.2 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+
+  # 6.1.3 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 6696
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 6697
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:0 root 0 root && n:shadow (\d+) compare == 0'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 6698
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group: # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 6699
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:0 root 0 root && n:gshadow (\d+) compare == 0'
+
+  # 6.1.7 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 6700
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.8 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 6701
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:0 root 0 root && n:shadow- (\d+) compare == 0'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 6702
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.10 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 6703
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow- -> r:0 root 0 root && n:gshadow- (\d+) compare == 0'
+
+  # 6.1.11 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.14 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit SGID executables. (Manual) - Not Implemented
+
+  # 6.2.1 Ensure password fields are not empty. (Automated)
+  - id: 6704
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.3 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.8 Ensure root is the only UID 0 account. (Automated)
+  - id: 6705
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: 'This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in recommendation "Ensure access to the su command is restricted".'
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.9 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.10 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.11 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.12 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' .netrc Files are not group or world accessible. (Automated) - Not Implemented
+  # 6.2.14 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .rhosts files. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/darwin/15/cis_apple_macOS_10.11.yml b/etc/ruleset/sca/darwin/15/cis_apple_macOS_10.11.yml
new file mode 100644
index 0000000000..dae76af524
--- /dev/null
+++ b/etc/ruleset/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -0,0 +1,442 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 10.11
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple OSX 10.11 Benchmark v1.1.0 - 11-04-2016
+
+policy:
+  id: "cis_apple_macos_10_11"
+  file: "cis_apple_macOS_10.11.yml"
+  name: "CIS Apple macOS 10.11 Benchmark v1.1.0"
+  description: "This document, CIS Apple macOS 10.11 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.11. This guide was tested against Apple macOS 10.11."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version"
+  description: "Requirements for running the SCA scan against macOS 10.11 (El Capitan)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p11'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:.*10\p11'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11'
+
+checks:
+  # 1.1 Verify all Apple provided software is current (Scored)
+  - id: 8500
+    title: "Verify all Apple provided software is current"
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -l  2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Scored)
+  - id: 8501
+    title: "Enable Auto Update"
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+    compliance:
+      - cis: ["1.2"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable app update installs (Scored)
+  - id: 8502
+    title: "Enable app update installs"
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE    The remediation requires a log out and log in to show in the GUI. Please note that."
+    compliance:
+      - cis: ["1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.4 Enable system data files and security update installs (Scored)
+  - id: 8503
+    title: "Enable system data files and security update installs"
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.4"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.5 Enable OS X update installs (Scored)
+  - id: 8504
+    title: "Enable OS X update installs"
+    description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1"
+
+  # 2.2.1 Enable "Set time and date automatically" (Not Scored)
+  - id: 8505
+    title: 'Enable "Set time and date automatically"'
+    description: 'Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple''s automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on "Set time and date automatically" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting.'
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.2.3 Restrict NTP server to loopback interface (Scored)
+  - id: 8506
+    title: "Restrict NTP server to loopback interface"
+    description: 'The Apple System Preference setting to "Set date and time automatically" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted.  Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access.'
+    rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network."
+    remediation: "1. Run the following command in Terminal:  sudo vim /etc/ntp-restrict.conf  2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo"
+    compliance:
+      - cis: ["2.2.3"]
+    condition: all
+    rules:
+      - "f:/etc/ntp-restrict.conf -> r:restrict lo"
+
+  # 2.4.1 Disable Remote Apple Events (Scored)
+  - id: 8507
+    title: "Disable Remote Apple Events"
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.4 Disable Printer Sharing (Scored)
+  - id: 8508
+    title: "Disable Printer Sharing"
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
+    compliance:
+      - cis: ["2.4.4"]
+    condition: none
+    rules:
+      - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
+
+  # 2.4.5 Disable Remote Login (Scored)
+  - id: 8509
+    title: "Disable Remote Login"
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.8 Disable File Sharing (Scored)
+  - id: 8510
+    title: "Disable File Sharing"
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist  - Run the following command in Terminal to turn off SMB sharing from the CLI:  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:AppleFileServer"
+      - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
+
+  # 2.5.1 Disable "Wake for network access" (Scored)
+  - id: 8511
+    title: 'Disable "Wake for network access"'
+    description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: 'Run the following command in Terminal:  sudo pmset -a womp 0   Note: The -c flag means "wall power." Different settings must be used for other power sources.'
+    compliance:
+      - cis: ["2.5.1"]
+    condition: none
+    rules:
+      - 'c:pmset -c -g -> r:womp && !r:\s0$'
+      - 'c:pmset -b -g -> r:womp && !r:\s0$'
+
+  # 2.6.1 Enable FileVault (Scored)
+  - id: 8512
+    title: "Enable FileVault"
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.6.1"]
+    condition: all
+    rules:
+      - "c:diskutil cs list -> r:^Encryption Status && r:Unlocked"
+      - "c:diskutil cs list -> r:^Encryption Type && r:AES-XTS"
+
+  # 2.6.2 Enable Gatekeeper (Scored)
+  - id: 8513
+    title: "Enable Gatekeeper"
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.6.2"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.6.3 Enable Firewall (Scored)
+  - id: 8514
+    title: "Enable Firewall"
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services"
+    compliance:
+      - cis: ["2.6.3"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  # 2.6.4 Enable Firewall Stealth Mode (Scored)
+  - id: 8515
+    title: "Enable Firewall Stealth Mode"
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.6.4"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
+  - id: 8516
+    title: "Enable Secure Keyboard Entry in terminal.app"
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+
+  # 2.11 Java 6 is not the default Java runtime (Scored)
+  - id: 8517
+    title: "Java 6 is not the default Java runtime"
+    description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle.  The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+    rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
+    remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
+    compliance:
+      - cis: ["2.11"]
+    condition: none
+    rules:
+      - "c:/usr/libexec/java_home -> r:1.6.0"
+
+  # 3.2 Enable security auditing (Scored)
+  - id: 8518
+    title: "Enable security auditing"
+    description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.3 Configure Security Auditing Flags (Scored)
+  - id: 8519
+    title: "Configure Security Auditing Flags"
+    description: "Auditing is the capture and maintenance of information about security-related events."
+    rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+    remediation: '1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with "flags" 3. Add the following flags: lo, ad, fd, fm, -all.  4. Save the file.'
+    compliance:
+      - cis: ["3.3"]
+    condition: all
+    rules:
+      - "f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all"
+
+  # 4.1 Disable Bonjour advertising service (Scored)
+  - id: 8520
+    title: "Disable Bonjour advertising service"
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X  is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.'
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # 4.4 Ensure http server is not running (Scored)
+  - id: 8521
+    title: "Ensure http server is not running"
+    description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the Web Server is not running and is not set to start at boot    Stop the Web Server: sudo apachectl stop    Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
+    compliance:
+      - cis: ["4.4"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure ftp server is not running (Scored)
+  - id: 8522
+    title: "Ensure ftp server is not running"
+    description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
+    rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
+    compliance:
+      - cis: ["4.5"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:com.apple.ftpd"
+
+  # 4.6 Ensure nfs server is not running (Scored)
+  - id: 8523
+    title: "Ensure nfs server is not running"
+    description: "Mac OS X can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Stop the NFS Server: sudo nfsd disable    Remove the exported Directory listing: rm /etc/export"
+    compliance:
+      - cis: ["4.6"]
+    condition: none
+    rules:
+      - "p:nfsd"
+      - "p:/sbin/nfsd"
+      - "f:/etc/exports"
+
+  # 5.7 Do not enable the "root" account (Scored)
+  - id: 8524
+    title: 'Do not enable the "root" account'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges.  By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups.  Click the lock icon to unlock it.  In the Network Account Server section, click Join or Edit.  Click Open Directory Utility.  Click the lock icon to unlock it.  Select the Edit menu > Disable Root User."
+    compliance:
+      - cis: ["5.7"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.8 Disable automatic login (Scored)
+  - id: 8525
+    title: "Disable automatic login"
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.8"]
+    condition: none
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser"
+
+  # 5.9 Require a password to wake the computer from sleep or screen saver (Scored)
+  - id: 8526
+    title: "Require a password to wake the computer from sleep or screen saver"
+    description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use."
+    rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
+    remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect.  defaults write com.apple.screensaver askForPassword -int 1  2.  The current user will need to log off and on for changes to take effect."
+    compliance:
+      - cis: ["5.9"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.screensaver askForPassword -> 1"
+
+  # 5.11 Disable ability to login to another user's active and locked session (Scored)
+  - id: 8527
+    title: "Disable ability to login to another user's active and locked session"
+    description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+    rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+    remediation: '1. Run the following command in Terminal:  sudo vi /etc/pam.d/screensaver 2. Locate   "account    required     pam_group.so no_warn group=admin,wheel fail_safe" 3. Remove "admin," 4. Save'
+    compliance:
+      - cis: ["5.11"]
+    condition: none
+    rules:
+      - "f:/etc/pam.d/screensaver -> r:group=admin,wheel|group=wheel,admin && r:fail_safe"
+
+  # 5.18 System Integrity Protection status (Scored)
+  - id: 8528
+    title: "System Integrity Protection status"
+    description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan.  System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in OS X Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable    3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.18"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 6.1.3 Disable guest account login (Scored)
+  - id: 8529
+    title: "Disable guest account login"
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+    compliance:
+      - cis: ["6.1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.5 Remove Guest home folder (Scored)
+  - id: 8530
+    title: "Remove Guest home folder"
+    description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Scored)
+  - id: 8531
+    title: "Turn on filename extensions"
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+
+  # 6.3 Disable the automatic run of safe files in Safari (Scored)
+  - id: 8532
+    title: "Disable the automatic run of safe files in Safari"
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/16/cis_apple_macOS_10.12.yml b/etc/ruleset/sca/darwin/16/cis_apple_macOS_10.12.yml
new file mode 100644
index 0000000000..d7a3486605
--- /dev/null
+++ b/etc/ruleset/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -0,0 +1,404 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 10.12
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 10.12 Benchmark v1.1.0 - 09-06-2018
+
+policy:
+  id: "cis_apple_macos_10_12"
+  file: "cis_apple_macOS_10.12.yml"
+  name: "CIS Apple macOS 10.12 Benchmark v1.1.0"
+  description: "This document, CIS Apple macOS 10.12 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.12. This guide was tested against Apple macOS 10.12."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version"
+  description: "Requirements for running the SCA scan against macOS 10.12 (Sierra)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p12'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p12'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12'
+
+checks:
+  # 1.1 Verify all Apple provided software is current (Scored)
+  - id: 9000
+    title: "Verify all Apple provided software is current"
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -l  2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Scored)
+  - id: 9001
+    title: "Enable Auto Update"
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+    compliance:
+      - cis: ["1.2"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable app update installs (Scored)
+  - id: 9002
+    title: "Enable app update installs"
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE    The remediation requires a log out and log in to show in the GUI. Please note that."
+    compliance:
+      - cis: ["1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.4 Enable system data files and security update installs (Scored)
+  - id: 9003
+    title: "Enable system data files and security update installs"
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.4"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.5 Enable macOS update installs (Scored)
+  - id: 9004
+    title: "Enable macOS update installs"
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1"
+
+  # 2.2.1 Enable "Set time and date automatically" (Scored)
+  - id: 9005
+    title: 'Enable "Set time and date automatically"'
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries.  Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.4.1 Disable Remote Apple Events (Scored)
+  - id: 9006
+    title: "Disable Remote Apple Events"
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.4 Disable Printer Sharing (Scored)
+  - id: 9007
+    title: "Disable Printer Sharing"
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
+    compliance:
+      - cis: ["2.4.4"]
+    condition: none
+    rules:
+      - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
+
+  # 2.4.5 Disable Remote Login (Scored)
+  - id: 9008
+    title: "Disable Remote Login"
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.8 Disable File Sharing (Scored)
+  - id: 9009
+    title: "Disable File Sharing"
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist  - Run the following command in Terminal to turn off SMB sharing from the CLI:  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:AppleFileServer"
+      - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
+
+  # 2.5.1 Disable "Wake for network access" (Scored)
+  - id: 9010
+    title: 'Disable "Wake for network access"'
+    description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: 'Run the following command in Terminal:  sudo pmset -a womp 0   Note: The -c flag means "wall power." Different settings must be used for other power sources.'
+    compliance:
+      - cis: ["2.5.1"]
+    condition: none
+    rules:
+      - 'c:pmset -g -> r:womp && !r:\s0$'
+
+  # 2.6.1.1 Enable FileVault (Scored)
+  - id: 9011
+    title: "Enable FileVault"
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.6.1.1"]
+    condition: all
+    rules:
+      - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
+
+  # 2.6.2 Enable Gatekeeper (Scored)
+  - id: 9012
+    title: "Enable Gatekeeper"
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.6.2"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.6.3 Enable Firewall (Scored)
+  - id: 9013
+    title: "Enable Firewall"
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services"
+    compliance:
+      - cis: ["2.6.3"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  # 2.6.4 Enable Firewall Stealth Mode (Scored)
+  - id: 9014
+    title: "Enable Firewall Stealth Mode"
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.6.4"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
+  - id: 9015
+    title: "Enable Secure Keyboard Entry in terminal.app"
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+
+  # 2.11 Java 6 is not the default Java runtime (Scored)
+  - id: 9016
+    title: "Java 6 is not the default Java runtime"
+    description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle.  The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+    rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
+    remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
+    compliance:
+      - cis: ["2.11"]
+    condition: none
+    rules:
+      - "c:/usr/libexec/java_home -> r:1.6.0"
+
+  # 3.1 Enable security auditing (Scored)
+  - id: 9017
+    title: "Enable security auditing"
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.2 Configure Security Auditing Flags (Scored)
+  - id: 9018
+    title: "Configure Security Auditing Flags"
+    description: "Auditing is the capture and maintenance of information about security-related events."
+    rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+    remediation: '1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with "flags" 3. Add the following flags: lo, ad, fd, fm, -all.  4. Save the file.'
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all"
+
+  # 4.1 Disable Bonjour advertising service (Scored)
+  - id: 9019
+    title: "Disable Bonjour advertising service"
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers.'
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # 4.4 Ensure http server is not running (Scored)
+  - id: 9020
+    title: "Ensure http server is not running"
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Stop the Web Server sudo apachectl stop    Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+    compliance:
+      - cis: ["4.4"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure FTP server is not running (Scored)
+  - id: 9021
+    title: "Ensure FTP server is not running"
+    description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
+    rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
+    compliance:
+      - cis: ["4.5"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:com.apple.ftpd"
+
+  # 4.6 Ensure nfs server is not running (Scored)
+  - id: 9022
+    title: "Ensure nfs server is not running"
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Stop the NFS Server sudo nfsd disable    Remove the exported Directory listing rm /etc/export"
+    compliance:
+      - cis: ["4.6"]
+    condition: none
+    rules:
+      - "p:nfsd"
+      - "p:/sbin/nfsd"
+      - "f:/etc/exports"
+
+  # 5.8 Do not enable the "root" account (Scored)
+  - id: 9023
+    title: 'Do not enable the "root" account'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+    compliance:
+      - cis: ["5.8"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.9 Disable automatic login (Scored)
+  - id: 9024
+    title: "Disable automatic login"
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.9"]
+    condition: none
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser"
+
+  # 5.20 System Integrity Protection status (Scored)
+  - id: 9025
+    title: "System Integrity Protection status"
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan.  System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable    3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.20"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 6.1.3 Disable guest account login (Scored)
+  - id: 9026
+    title: "Disable guest account login"
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+    compliance:
+      - cis: ["6.1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.5 Remove Guest home folder (Scored)
+  - id: 9027
+    title: "Remove Guest home folder"
+    description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Scored)
+  - id: 9028
+    title: "Turn on filename extensions"
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+
+  # 6.3 Disable the automatic run of safe files in Safari (Scored)
+  - id: 9029
+    title: "Disable the automatic run of safe files in Safari"
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/17/cis_apple_macOS_10.13.yml b/etc/ruleset/sca/darwin/17/cis_apple_macOS_10.13.yml
new file mode 100644
index 0000000000..a7413c0779
--- /dev/null
+++ b/etc/ruleset/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -0,0 +1,405 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 10.13
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 10.13 Benchmark v1.0.0 - 08-31-2018
+
+policy:
+  id: "cis_apple_macos_10_13"
+  file: "cis_apple_macOS_10.13.yml"
+  name: "CIS Apple macOS 10.13 Benchmark v1.0.0"
+  description: "This document, CIS Apple macOS 10.13 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. This guide was tested against Apple macOS 10.13."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version"
+  description: "Requirements for running the SCA scan against macOS 10.13 (High Sierra)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p13'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p13'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*10\p13'
+
+checks:
+  # 1.1 Verify all Apple provided software is current (Scored)
+  - id: 9500
+    title: "Verify all Apple provided software is current"
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -l    2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Scored)
+  - id: 9501
+    title: "Enable Auto Update"
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+    compliance:
+      - cis: ["1.2"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable app update installs (Scored)
+  - id: 9502
+    title: "Enable app update installs"
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE    The remediation requires a log out and log in to show in the GUI. Please note that."
+    compliance:
+      - cis: ["1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.4 Enable system data files and security update installs (Scored)
+  - id: 9503
+    title: "Enable system data files and security update installs"
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.4"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.5 Enable macOS update installs (Scored)
+  - id: 9504
+    title: "Enable macOS update installs"
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1"
+
+  # 2.2.1 Enable "Set time and date automatically" (Scored)
+  - id: 9505
+    title: 'Enable "Set time and date automatically"'
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.4.1 Disable Remote Apple Events (Scored)
+  - id: 9506
+    title: "Disable Remote Apple Events"
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.4 Disable Printer Sharing (Scored)
+  - id: 9507
+    title: "Disable Printer Sharing"
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
+    compliance:
+      - cis: ["2.4.4"]
+    condition: none
+    rules:
+      - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
+
+  # 2.4.5 Disable Remote Login (Scored)
+  - id: 9508
+    title: "Disable Remote Login"
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.8 Disable File Sharing (Scored)
+  - id: 9509
+    title: "Disable File Sharing"
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist  - Run the following command in Terminal to turn off SMB sharing from the CLI:  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:AppleFileServer"
+      - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
+
+  # 2.5.1 Disable "Wake for network access" (Scored)
+  - id: 9510
+    title: 'Disable "Wake for network access"'
+    description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
+    compliance:
+      - cis: ["2.5.1"]
+    condition: none
+    rules:
+      - 'c:pmset -g -> r:womp && !r:\s0$'
+
+  # 2.6.1.1 Enable FileVault (Scored)
+  - id: 9511
+    title: "Enable FileVault"
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.6.1.1"]
+    condition: all
+    rules:
+      - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
+
+  # 2.6.2 Enable Gatekeeper (Scored)
+  - id: 9512
+    title: "Enable Gatekeeper"
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.6.2"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.6.3 Enable Firewall (Scored)
+  - id: 9513
+    title: "Enable Firewall"
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services "
+    compliance:
+      - cis: ["2.6.3"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  # 2.6.4 Enable Firewall Stealth Mode (Scored)
+  - id: 9514
+    title: "Enable Firewall Stealth Mode"
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.6.4"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
+  - id: 9515
+    title: "Enable Secure Keyboard Entry in terminal.app"
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+
+  # 2.11 Java 6 is not the default Java runtime (Scored)
+  - id: 9516
+    title: "Java 6 is not the default Java runtime"
+    description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle.  The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+    rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
+    remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
+    compliance:
+      - cis: ["2.11"]
+    condition: none
+    rules:
+      - "c:/usr/libexec/java_home -> r:1.6.0"
+
+  # 2.13 Ensure EFI version is valid and being regularly checked (Scored)
+  - id: 9517
+    title: "Ensure EFI version is valid and being regularly checked"
+    description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+    rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+    remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+    compliance:
+      - cis: ["2.13"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes"
+      - 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
+
+  # 3.1 Enable security auditing (Scored)
+  - id: 9518
+    title: "Enable security auditing"
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.2 Configure Security Auditing Flags (Scored)
+  - id: 9519
+    title: "Configure Security Auditing Flags"
+    description: "Auditing is the capture and maintenance of information about security-related events."
+    rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+    remediation: '1. Open a terminal session and edit the /etc/security/audit_control file  2. Find the line beginning with "flags"  3. Add the following flags: lo, ad, fd, fm, -all.  4. Save the file.'
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all"
+
+  # 4.1 Disable Bonjour advertising service (Scored)
+  - id: 9520
+    title: "Disable Bonjour advertising service"
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers.'
+    remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # 4.4 Ensure http server is not running (Scored)
+  - id: 9521
+    title: "Ensure http server is not running"
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop    Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+    compliance:
+      - cis: ["4.4"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure nfs server is not running (Scored)
+  - id: 9522
+    title: "Ensure nfs server is not running"
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable    Remove the exported Directory listing: rm /etc/export"
+    compliance:
+      - cis: ["4.5"]
+    condition: none
+    rules:
+      - "p:nfsd"
+      - "p:/sbin/nfsd"
+      - "f:/etc/exports"
+
+  # 5.11 Do not enable the "root" account (Scored)
+  - id: 9523
+    title: 'Do not enable the "root" account'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+    compliance:
+      - cis: ["5.11"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.12 Disable automatic login (Scored)
+  - id: 9524
+    title: "Disable automatic login"
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.12"]
+    condition: none
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser"
+
+  # 5.23 System Integrity Protection status (Scored)
+  - id: 9525
+    title: "System Integrity Protection status"
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan.  System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable    3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.23"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 6.1.3 Disable guest account login (Scored)
+  - id: 9526
+    title: "Disable guest account login"
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+    compliance:
+      - cis: ["6.1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.5 Remove Guest home folder (Scored)
+  - id: 9527
+    title: "Remove Guest home folder"
+    description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Scored)
+  - id: 9528
+    title: "Turn on filename extensions"
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+
+  # 6.3 Disable the automatic run of safe files in Safari (Scored)
+  - id: 9529
+    title: "Disable the automatic run of safe files in Safari"
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/18/cis_apple_macOS_10.14.yml b/etc/ruleset/sca/darwin/18/cis_apple_macOS_10.14.yml
new file mode 100644
index 0000000000..c666337300
--- /dev/null
+++ b/etc/ruleset/sca/darwin/18/cis_apple_macOS_10.14.yml
@@ -0,0 +1,757 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 10.14
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 10.14 Benchmark v1.0.0 - 04-06-2020
+
+policy:
+  id: "cis_apple_macos_10_14"
+  file: "cis_apple_macOS_10.14.yml"
+  name: "CIS Apple macOS 10.14 Benchmark v1.0.0"
+  description: "This document, CIS Apple macOS 10.14 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.14. This guide was tested against Apple macOS 10.14."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version"
+  description: "Requirements for running the SCA scan against macOS 10.14 (Mojave)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p14'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p14'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*10\p14'
+
+checks:
+  # 1.1 Verify all Apple provided software is current (Automated)
+  - id: 17000
+    title: "Verify all Apple provided software is current"
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -l    2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Automated)
+  - id: 17001
+    title: "Enable Auto Update"
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true"
+    compliance:
+      - cis: ["1.2"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable app update installs (Automated)
+  - id: 17002
+    title: "Enable Download new updates when available"
+    description: 'In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true"
+    compliance:
+      - cis: ["1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -> 1"
+
+  # 1.4 Enable app update installs (Automated)
+  - id: 17003
+    title: "Enable app update installs"
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.4"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.5 Enable system data files and security update installs (Automated)
+  - id: 17004
+    title: "Enable system data files and security update installs"
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.5"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.6 Enable macOS update installs (Automated)
+  - id: 17005
+    title: "Enable macOS update installs"
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.6"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 2.1.1 Turn off Bluetooth, if no paired devices exist (Automated)
+  - id: 17006
+    title: "Turn off Bluetooth, if no paired devices exist"
+    description: "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure."
+    rationale: "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
+    remediation: "Open a terminal session and enter the following command to disable bluetooth: sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP blued"
+    compliance:
+      - cis: ["2.1.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -> 0"
+      - "c:system_profiler SPBluetoothDataType -> r:Connectable: Yes"
+
+  # not implemented SCA Limit -> 2.1.2 Show Bluetooth status in menu bar (Automated)
+
+  # 2.2.1 Enable "Set time and date automatically" (Automated)
+  - id: 17008
+    title: 'Enable "Set time and date automatically"'
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.2.2 Ensure time set is within appropriate limits (Automated)
+  - id: 17009
+    title: "Ensure time set is within appropriate limits"
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    remediation: "Run the following commands to ensure your time is set within an appropriate limit: sudo systemsetup -getnetworktimeserver -> Get the time server name and then run: sudo touch /var/db/ntp-kod && sudo chown root:wheel /var/db/ntp-kod && sudo sntp -sS <YOUR-TIME-SERVER> "
+    compliance:
+      - cis: ["2.2.2"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+
+  # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Automated)
+  - id: 17010
+    title: "Set an inactivity interval of 20 minutes or less for the screen saver"
+    description: "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts."
+    rationale: "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time."
+    remediation: "Run the following command to verify that the idle time of the screen saver to 20 minutes or less (≤1200): sudo defaults -currentHost write com.apple.screensaver idleTime -int 600 "
+    compliance:
+      - cis: ["2.3.1"]
+    condition: all
+    rules:
+      - "c:defaults -currentHost read com.apple.screensaver idleTime -> !r:does not exist"
+
+  # 2.3.2 Secure screen saver corners (Automated)
+  - id: 17011
+    title: "Secure screen saver corners"
+    description: "Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen."
+    rationale: "Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system."
+    remediation: "Run the following command to turn off Disable Screen Saver for a Hot Corner: sudo -u <username> defaults write com.apple.dock <corner that is set to '6'> -int 0 "
+    compliance:
+      - cis: ["2.3.2"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.dock wvous-tl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-nl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-tr-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-br-corner -> !r:^6$"
+
+  # 2.4.1 Disable Remote Apple Events (Automated)
+  - id: 17012
+    title: "Disable Remote Apple Events"
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.2 Disable Internet Sharing (Automated)
+  - id: 17013
+    title: "Disable Internet Sharing"
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command to turn off Internet Sharing: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0"
+    compliance:
+      - cis: ["2.4.2"]
+    condition: all
+    rules:
+      - 'c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+
+  # 2.4.3 Disable Screen Sharing (Automated)
+  - id: 17014
+    title: "Disable Screen Sharing"
+    description: "Screen sharing allows a computer to connect to another computer on a network and display the computer’s screen. While sharing the computer’s screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer."
+    rationale: "Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    remediation: "Run the following command to turn off Screen Sharing: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist"
+    compliance:
+      - cis: ["2.4.3"]
+    condition: all
+    rules:
+      - "c:launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist -> r:Service is disabled"
+
+  # 2.4.4 Disable Printer Sharing (Automated)
+  - id: 17015
+    title: "Disable Printer Sharing"
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Run the following command in Terminal: sudo cupsctl --no-share-printers"
+    compliance:
+      - cis: ["2.4.4"]
+    references:
+      - https://support.apple.com/kb/PH11450
+    condition: all
+    rules:
+      - 'c:sudo system_profiler SPPrintersDataType | grep -e Sharing -> r:System Printer Sharing:\s*\t*Yes'
+
+  # 2.4.5 Disable Remote Login (Automated)
+  - id: 17016
+    title: "Disable Remote Login"
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most macOS computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.6 Disable DVD or CD Sharing (Automated)
+  - id: 17017
+    title: "Disable DVD or CD Sharing"
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    remediation: "Run the following command to disable DVD or CD sharing: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgent.plist"
+    compliance:
+      - cis: ["2.4.6"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:ODSAgent"
+
+  # 2.4.7 Disable Bluetooth Sharing (Automated)
+  - id: 17018
+    title: "Disable Bluetooth Sharing "
+    description: "Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices."
+    rationale: "Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system."
+    remediation: "Perform the following to disable Bluetooth Sharing: Graphical Method: 1. Open System Preferences 2. Select Sharing 3. Uncheck Bluetooth Sharing"
+    compliance:
+      - cis: ["2.4.7"]
+    condition: all
+    rules:
+      - 'c:system_profiler SPBluetoothDataType -> !r:State:\s*\t*Enabled'
+
+  # 2.4.8 Disable File Sharing (Automated)
+  - id: 17019
+    title: "Disable File Sharing"
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP and SMB file sharing from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist && sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:AppleFileServer"
+      - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
+  #      - 'c:sudo launchctl print-disabled system | grep com.apple.smbd -> r:\s*\t*com.apple.smbd'
+
+  # 2.4.9 Disable Remote Management (Automated)
+  - id: 17020
+    title: "Disable Remote Management"
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current Screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems."
+    rationale: "Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    remediation: "Run the following command to disable remote management: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources /kickstart -deactivate -stop"
+    compliance:
+      - cis: ["2.4.9"]
+    condition: all
+    rules:
+      - "not p:ARDAgent"
+
+  # 2.4.10 Disable Content Caching (Automated)
+  - id: 17021
+    title: "Disable Content Caching"
+    description: "Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk they add to the management complexity, since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary."
+    remediation: "Run the following command in to disable content caching: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.10"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AssetCache.plist Activated -> 0"
+
+  # 2.5.1.1 Enable FileVault (Automated)
+  - id: 17022
+    title: "Enable FileVault"
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. Filevault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details: https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/ https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/ "
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.5.1.1"]
+    condition: all
+    rules:
+      - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
+
+  # 2.5.2 Enable Gatekeeper (Automated)
+  - id: 17023
+    title: "Enable Gatekeeper"
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.5.2"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.5.3 Enable Firewall (Automated)
+  - id: 17024
+    title: "Enable Firewall"
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services "
+    compliance:
+      - cis: ["2.5.3"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  # 2.5.4 Enable Firewall Stealth Mode (Automated)
+  - id: 17025
+    title: "Enable Firewall Stealth Mode"
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.5.4"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # 2.5.6 Enable Location Services (Automated)
+  - id: 17026
+    title: "Enable Location Services"
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. Users do not need to change the time or the time zone, the computer will do it for them. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. For the purpose of asset management and time and log management with mobile computers location services simplify some processes.There are some use cases where it is important that the computer not be able to report it's exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Run the following command to enable location services: sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist"
+    compliance:
+      - cis: ["2.5.6"]
+    references:
+      - https://support.apple.com/en-us/HT204690
+    condition: all
+    rules:
+      - "c:launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist -> r:service already loaded"
+
+  # 2.5.8 Disable sending diagnostic and usage data to Apple (Automated) 17027
+  - id: 17027
+    title: "Disable sending diagnostic and usage data to Apple"
+    description: "Apple provides a mechanism to send diagnostic and analytics data back to Apple to help them improve the platform. Information sent to Apple may contain internal organizational information that should be controlled and not available for processing by Apple. Turn off all Analytics and Improvements sharing."
+    rationale: "Organizations should have knowledge of what is shared with the vendor and the setting automatically forwards information to Apple."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["2.5.8"]
+    condition: all
+    rules:
+      - 'c:defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -> 0'
+
+  # not implemented - SCA Limit -> 2.5.9 Review Advertising settings (Manual)
+
+  # 2.7.1 Time Machine Auto-Backup (Automated)
+  - id: 17028
+    title: "Time Machine Auto-Backup"
+    description: "Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. When the backup volume is connected to the computer more extensive information is available through tmutil. See man tmutil"
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    remediation: "Run the following enable TimeMachine: sudo sudo tmutil setdestination -a /Volumes/<volumename> && sudo tmutil enable"
+    compliance:
+      - cis: ["2.7.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -> 1"
+
+  # 2.8 Disable Wake for network access (Automated)
+  - id: 17030
+    title: "Disable Wake for network access"
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. Theie macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Wake for network access: sudo pmset -a womp 0 "
+    compliance:
+      - cis: ["2.8"]
+    condition: all
+    rules:
+      - 'c:pmset -g -> n:womp\s*\t*(\d) compare == 0'
+
+  # 2.9 Disable Power Nap (Automated)
+  - id: 17031
+    title: "Disable Power Nap"
+    description: "This features allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Power Nap: sudo pmset -a powernap 0"
+    compliance:
+      - cis: ["2.9"]
+    condition: all
+    rules:
+      - 'c:pmset -g -> n:pwernap\s*\t*(\d) compare == 0'
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Automated)
+  - id: 17032
+    title: "Enable Secure Keyboard Entry in terminal.app"
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+      # - 'c:sudo -u <username> defaults read -app Terminal SecureKeyboardEntry -> 1'
+
+  # 2.12 Ensure EFI version is valid and being regularly checked (Automated)
+  - id: 17033
+    title: "Ensure EFI version is valid and being regularly checked"
+    description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+    rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+    remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+    compliance:
+      - cis: ["2.12"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes"
+      - 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
+
+  # 3.1 Enable security auditing (Automated)
+  - id: 17034
+    title: "Enable security auditing"
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.3 Retain install.log for 365 or more days with no maximum size (Automated)
+  - id: 17035
+    title: "Retain install.log for 365 or more days with no maximum size"
+    description: "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization."
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    remediation: "Perform the following to ensure that install logs are retained for at least 365 days:Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+    condition: all
+    rules:
+      - 'c:grep -i ttl /etc/asl/com.apple.install -> n:ttl\w+(\d+) compare > 365'
+
+  # 3.5 Control access to audit records (Automated)
+  - id: 17037
+    title: "Control access to audit records"
+    description: "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files."
+    rationale: "Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes."
+    remediation: "Run the following to commands to set the audit records to the root user and wheel group:  sudo chown -R root:wheel /etc/security/audit_control && sudo chown -R root:wheel /var/audit/"
+    compliance:
+      - cis: ["3.5"]
+    condition: all
+    rules:
+      - 'c:ls -le /etc/security/audit_control -> r:root\s*\t*wheel|total'
+      - 'c:ls -le /var/audit/ -> r:root\s*\t*wheel|total'
+
+  # 3.6 Ensure Firewall is configured to log (Automated)
+  - id: 17038
+    title: "Ensure Firewall is configured to log"
+    description: "The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled."
+    rationale: "In order to troubleshoot the successes and failures of a firewall logging should be enabled."
+    remediation: "Run the following command to enable logging of the firewall: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on"
+    compliance:
+      - cis: ["3.6"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode -> r:Log mode is on"
+
+  # 4.1 Disable Bonjour advertising service (Automated)
+  - id: 17039
+    title: "Disable Bonjour advertising service"
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers.. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.'
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # 4.4 Ensure http server is not running (Automated)
+  - id: 17041
+    title: "Ensure http server is not running"
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop    Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+    compliance:
+      - cis: ["4.4"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure nfs server is not running (Scored)
+  - id: 17042
+    title: "Ensure nfs server is not running"
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.nfsd.plist   Remove the exported Directory listing: sudo rm /etc/export"
+    compliance:
+      - cis: ["4.5"]
+    condition: none
+    rules:
+      - "p:nfsd"
+      - "p:/sbin/nfsd"
+      - "f:/etc/exports"
+
+  # 5.1.2 Check System Wide Applications for appropriate permissions (Automated)
+  - id: 17044
+    title: "Check System Wide Applications for appropriate permissions"
+    description: "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions"
+    rationale: "Unauthorized modifications of applications could lead to the execution of malicious code."
+    remediation: "Run the following command to change the permissions for each application that does not meet the requirements: sudo chmod -R o-w /Applications/<applicationname>"
+    compliance:
+      - cis: ["5.1.2"]
+    condition: all
+    rules:
+      - 'c:find /Applications -iname "*.app" -type d -perm -2 -ls -> r:^$'
+
+  # 5.1.3 Check System folder for world writable files (Automated)
+  - id: 17045
+    title: "Check System folder for world writable files"
+    description: "Software sometimes insists on being installed in the /System Directory and have inappropriate world writable permissions."
+    rationale: 'Folders in /System should not be world writable. The audit check excludes the "Drop Box" folder that is part of Apple''s default user template.'
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /System folder: sudo chmod -R o-w /Path/<baddirectory>"
+    compliance:
+      - cis: ["5.1.3"]
+    condition: all
+    rules:
+      - "c:find /System -type d -perm -2 -ls -> r:^$|Public/Drop Box"
+
+  # 5.1.4 Check Library folder for world writable files (Automated)
+  - id: 17046
+    title: "Check Library folder for world writable files"
+    description: "Software sometimes insists on being installed in the /Library Directory and have inappropriate world writable permissions."
+    rationale: "Folders in /Library should not be world writable. The audit check excludes the /Library/Caches folder where the sticky bit is set."
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /Library folder: sudo chmod -R o-w /Library/<baddirectory>"
+    compliance:
+      - cis: ["5.1.4"]
+    condition: all
+    rules:
+      - "c:find /Library -type d -perm -2 -ls -> r:^$|Caches"
+
+  # 5.3 Reduce the sudo timeout period (Automated) 17051
+  - id: 17051
+    title: "Reduce the sudo timeout period"
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+    condition: all
+    rules:
+      - 'c:grep -e "timestamp" /etc/sudoers -> r:Defaults timestamp_timeout=0'
+
+  # 5.5 Use a separate timestamp for each user/tty combo (Automated)
+  - id: 17052
+    title: "Use a separate timestamp for each user/tty combo"
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+    condition: all
+    rules:
+      - 'c:grep -E -s "!tty_tickets" /etc/sudoers /etc/sudoers.d/* -> r:^$'
+      - 'c:grep -E -s "timestamp_type" /etc/sudoers /etc/sudoers.d/* -> r:^$|!timestamp_type=ppid|!timestamp_type=global'
+
+  # 5.7 Do not enable the "root" account (Automated)
+  - id: 17053
+    title: 'Do not enable the "root" account'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+    compliance:
+      - cis: ["5.7"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.8 Disable automatic login (Automated)
+  - id: 17054
+    title: "Disable automatic login"
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.8"]
+    condition: none
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser"
+
+  # 5.13 Create a custom message for the Login Screen (Automated) 17058
+  - id: 17058
+    title: "Create a custom message for the Login Screen"
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: 'Run the following command to enable a custom login screen message: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom.message>"'
+    compliance:
+      - cis: ["5.13"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText -> !r:does not exist"
+
+  # 5.14 Create a Login window banner (Automated) 17059
+  - id: 17059
+    title: "Create a Login window banner"
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: "Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text."
+    compliance:
+      - cis: ["5.14"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+
+  # not implemented - SCA Limit -> 5.15 Do not enter a password-related hint (Automated)
+
+  # 5.16 Disable Fast User Switching (Manual)
+  - id: 17070
+    title: "Disable Fast User Switching"
+    description: "Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access many valid users can login to other user's assigned computers."
+    rationale: "Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out users can have unsaved data running in a background session that is not obvious."
+    remediation: "Run the following command to turn fast user switching off:  sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false"
+    compliance:
+      - cis: ["5.16"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> r:does not exist"
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> 0"
+
+  # not implemented - process - 5.17 Secure individual keychains and items (Manual)
+  # not implemented - process - 5.18 Create specialized keychains for different purposes (Manual)
+
+  # 5.19 System Integrity Protection status (Automated)
+  - id: 17061
+    title: "System Integrity Protection status"
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable    3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.19"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 6.1.1 Display login window as name and password (Automated) 17062
+  - id: 17062
+    title: "Display login window as name and password"
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Run the following command to enable the login window to display name and password: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true"
+    compliance:
+      - cis: ["6.1.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -> 1"
+
+  # jal
+  # 6.1.2 Disable "Show password hints" (Automated) 17063
+  - id: 17063
+    title: 'Disable "Show password hints"'
+    description: "Password hints are user created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    remediation: "Run the following command to disable password hints: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
+    compliance:
+      - cis: ["6.1.2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> r:does not exist"
+
+  # 6.1.3 Disable guest account login (Automated)
+  - id: 17064
+    title: "Disable guest account login"
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.4 Disable "Allow guests to connect to shared folders" (Automated) 17065
+  - id: 17065
+    title: 'Disable "Allow guests to connect to shared folders"'
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.4"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> 0"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> r:does not exist"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> r:does not exist"
+
+  # 6.1.5 Remove Guest home folder (Automated)
+  - id: 17066
+    title: "Remove Guest home folder"
+    description: "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: sudo rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Automated)
+  - id: 17067
+    title: "Turn on filename extensions"
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+      # - 'c:defaults read /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -> 1'
+
+  # 6.3 Disable the automatic run of safe files in Safari (Automated)
+  - id: 17068
+    title: "Disable the automatic run of safe files in Safari"
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/19/cis_apple_macOS_10.15.yml b/etc/ruleset/sca/darwin/19/cis_apple_macOS_10.15.yml
new file mode 100644
index 0000000000..6cfa250072
--- /dev/null
+++ b/etc/ruleset/sca/darwin/19/cis_apple_macOS_10.15.yml
@@ -0,0 +1,821 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 10.15
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 10.15 Benchmark v1.1.0 - 11-10-2020
+
+policy:
+  id: "cis_apple_macos_10_15"
+  file: "cis_apple_macOS_10.15.yml"
+  name: "CIS Apple macOS 10.15 Benchmark v1.1.0"
+  description: "This document, CIS Apple macOS 10.15 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version"
+  description: "Requirements for running the SCA scan against macOS 10.15 (Catalina)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p15'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p15'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*10\p15'
+
+checks:
+  # 1.1 Verify all Apple provided software is current (Automated)
+  - id: 17500
+    title: "Verify all Apple provided software is current"
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -l    2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Automated)
+  - id: 17501
+    title: "Enable Auto Update"
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true"
+    compliance:
+      - cis: ["1.2"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable Download new updates when available (Automated)
+  - id: 17502
+    title: "Enable Download new updates when available"
+    description: 'In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true"
+    compliance:
+      - cis: ["1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -> 1"
+
+  # 1.4 Enable app update installs (Automated)
+  - id: 17503
+    title: "Enable app update installs"
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.4"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.5 Enable system data files and security update installs (Automated)
+  - id: 17504
+    title: "Enable system data files and security update installs"
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.5"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.6 Enable macOS update installs (Automated)
+  - id: 17505
+    title: "Enable macOS update installs"
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.6"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 2.1.1 Turn off Bluetooth, if no paired devices exist (Automated)
+  - id: 17506
+    title: "Turn off Bluetooth, if no paired devices exist"
+    description: "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure."
+    rationale: "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
+    remediation: "Open a terminal session and enter the following command to disable bluetooth: sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP blued"
+    compliance:
+      - cis: ["2.1.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -> 0"
+      - "c:system_profiler SPBluetoothDataType -> r:Connectable: Yes"
+
+  # not implemented - SCA Limit -> 2.1.2 Show Bluetooth status in menu bar (Automated)
+
+  # 2.2.1 Enable "Set time and date automatically" (Automated)
+  - id: 17508
+    title: 'Enable "Set time and date automatically"'
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.2.2 Ensure time set is within appropriate limits (Automated)
+  - id: 17509
+    title: "Ensure time set is within appropriate limits"
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    remediation: "Run the following commands to ensure your time is set within an appropriate limit: sudo systemsetup -getnetworktimeserver -> Get the time server name and then run: sudo touch /var/db/ntp-kod && sudo chown root:wheel /var/db/ntp-kod && sudo sntp -sS <YOUR-TIME-SERVER> "
+    compliance:
+      - cis: ["2.2.2"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+      #- Pending check offset is in the 270.x seconds
+
+  # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Automated)
+  - id: 17510
+    title: "Set an inactivity interval of 20 minutes or less for the screen saver"
+    description: "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts."
+    rationale: "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time."
+    remediation: "Run the following command to verify that the idle time of the screen saver to 20 minutes or less (≤1200): sudo defaults -currentHost write com.apple.screensaver idleTime -int 600 "
+    compliance:
+      - cis: ["2.3.1"]
+    condition: all
+    rules:
+      - "c:defaults -currentHost read com.apple.screensaver idleTime -> !r:does not exist"
+
+  # 2.3.2 Secure screen saver corners (Automated)
+  - id: 17511
+    title: "Secure screen saver corners"
+    description: "Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen."
+    rationale: "Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system."
+    remediation: "Run the following command to turn off Disable Screen Saver for a Hot Corner: sudo -u <username> defaults write com.apple.dock <corner that is set to '6'> -int 0 "
+    compliance:
+      - cis: ["2.3.2"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.dock wvous-tl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-nl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-tr-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-br-corner -> !r:^6$"
+
+  # not implemented - process -> 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Manual)
+
+  # 2.4.1 Disable Remote Apple Events (Automated)
+  - id: 17512
+    title: "Disable Remote Apple Events"
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.2 Disable Internet Sharing (Automated)
+  - id: 17513
+    title: "Disable Internet Sharing"
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command to turn off Internet Sharing: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0"
+    compliance:
+      - cis: ["2.4.2"]
+    condition: all
+    rules:
+      - 'c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+
+  # 2.4.3 Disable Screen Sharing (Automated)
+  - id: 17514
+    title: "Disable Screen Sharing"
+    description: "Screen sharing allows a computer to connect to another computer on a network and display the computer’s screen. While sharing the computer’s screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer."
+    rationale: "Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    remediation: "Run the following command to turn off Screen Sharing: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist"
+    compliance:
+      - cis: ["2.4.3"]
+    condition: all
+    rules:
+      - "c:launchctl load /System/Library/LaunchDaemons/com.apple.screensharing.plist -> r:Service is disabled"
+
+  # 2.4.4 Disable Printer Sharing (Automated)
+  - id: 17515
+    title: "Disable Printer Sharing"
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Run the following command in Terminal: sudo cupsctl --no-share-printers"
+    compliance:
+      - cis: ["2.4.4"]
+    references:
+      - https://support.apple.com/kb/PH11450
+    condition: all
+    rules:
+      - 'c:system_profiler SPPrintersDataType | grep -e Sharing -> r:System Printer Sharing:\s*\t*Yes'
+
+  # 2.4.5 Disable Remote Login (Automated)
+  - id: 17516
+    title: "Disable Remote Login"
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most macOS computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.6 Disable DVD or CD Sharing (Automated)
+  - id: 17517
+    title: "Disable DVD or CD Sharing"
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    remediation: "Run the following command to disable DVD or CD sharing: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ODSAgent.plist"
+    compliance:
+      - cis: ["2.4.6"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:ODSAgent"
+
+  # 2.4.7 Disable Bluetooth Sharing (Automated)
+  - id: 17518
+    title: "Disable Bluetooth Sharing "
+    description: "Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices."
+    rationale: "Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system."
+    remediation: "Perform the following to disable Bluetooth Sharing: Graphical Method: 1. Open System Preferences 2. Select Sharing 3. Uncheck Bluetooth Sharing"
+    compliance:
+      - cis: ["2.4.7"]
+    condition: all
+    rules:
+      - 'c:system_profiler SPBluetoothDataType -> !r:State:\s*\t*Enabled'
+
+  # 2.4.8 Disable File Sharing (Automated)
+  - id: 17519
+    title: "Disable File Sharing"
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP and SMB file sharing from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist && sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+    condition: none
+    rules:
+      - "c:launchctl list -> r:AppleFileServer"
+      - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\<array|\<Array|\<ARRAY'
+  #      - 'c:sudo launchctl print-disabled system | grep com.apple.smbd -> r:\s*\t*com.apple.smbd'
+
+  # 2.4.9 Disable Remote Management (Automated)
+  - id: 17520
+    title: "Disable Remote Management"
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current Screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems."
+    rationale: "Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    remediation: "Run the following command to disable remote management: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources /kickstart -deactivate -stop"
+    compliance:
+      - cis: ["2.4.9"]
+    condition: all
+    rules:
+      - "not p:ARDAgent"
+
+  # 2.4.10 Disable Content Caching (Automated)
+  - id: 17521
+    title: "Disable Content Caching"
+    description: "Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk they add to the management complexity, since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary."
+    remediation: "Run the following command in to disable content caching: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.10"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AssetCache.plist Activated -> 0"
+
+  # 2.4.11 Disable Media Sharing (Automated)
+  - id: 17522
+    title: "Disable Media Sharing"
+    description: "Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs. With this capability guest users can also use media downloaded on the computer. Best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices."
+    rationale: "Disabling Media Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command in to disable content caching: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.11"]
+    references:
+      - https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac
+    condition: all
+    rules:
+      - "c:defaults read com.apple.amp.mediasharingd home-sharing-enabled -> 0"
+
+  # 2.5.1.1 Enable FileVault (Automated)
+  - id: 17523
+    title: "Enable FileVault"
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. Filevault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details: "
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.5.1.1"]
+    references:
+      - https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
+      - https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/
+    condition: all
+    rules:
+      - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
+
+  # not implemented - SCA Limit -> 2.5.1.2 Ensure all user storage APFS volumes are encrypted (Manual)
+  # not implemented - SCA Limit -> 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted (Manual)
+
+  # 2.5.2 Enable Gatekeeper (Automated)
+  - id: 17524
+    title: "Enable Gatekeeper"
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.5.2"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.5.3 Enable Firewall (Automated)
+  - id: 17525
+    title: "Enable Firewall"
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services "
+    compliance:
+      - cis: ["2.5.3"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  #
+  # 2.5.4 Enable Firewall Stealth Mode (Automated)
+  - id: 17526
+    title: "Enable Firewall Stealth Mode"
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.5.4"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # not implemented - process -> 2.5.5 Review Application Firewall Rules (Manual)
+
+  #
+  # 2.5.6 Enable Location Services (Automated)
+  - id: 17527
+    title: "Enable Location Services"
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. Users do not need to change the time or the time zone, the computer will do it for them. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. For the purpose of asset management and time and log management with mobile computers location services simplify some processes.There are some use cases where it is important that the computer not be able to report it's exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Run the following command to enable location services: sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist"
+    compliance:
+      - cis: ["2.5.6"]
+    references:
+      - https://support.apple.com/en-us/HT204690
+    condition: all
+    rules:
+      - "c:launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist -> r:service already loaded"
+
+  # not implemented - process -> 2.5.7 Monitor Location Services Access (Manual)
+
+  # 2.5.8 Disable sending diagnostic and usage data to Apple (Automated)
+  - id: 17528
+    title: "Disable sending diagnostic and usage data to Apple"
+    description: "Apple provides a mechanism to send diagnostic and analytics data back to Apple to help them improve the platform. Information sent to Apple may contain internal organizational information that should be controlled and not available for processing by Apple. Turn off all Analytics and Improvements sharing."
+    rationale: "Organizations should have knowledge of what is shared with the vendor and the setting automatically forwards information to Apple."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["2.5.8"]
+    condition: all
+    rules:
+      - 'c:defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -> 0'
+
+  # not implemented - SCA Limit -> 2.5.9 Review Advertising settings (Manual)
+  # not implemented - process -> 2.6.1 iCloud configuration (Manual)
+  # not implemented - process -> 2.6.2 iCloud keychain (Manual)
+  # not implemented - process -> 2.6.3 iCloud Drive (Manual)
+  # not implemented - process -> 2.6.4 iCloud Drive Document and Desktop sync (Manual)
+
+  # 2.7.1 Time Machine Auto-Backup (Automated)
+  - id: 17530
+    title: "Time Machine Auto-Backup"
+    description: "Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. When the backup volume is connected to the computer more extensive information is available through tmutil. See man tmutil"
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    remediation: "Run the following enable TimeMachine: sudo sudo tmutil setdestination -a /Volumes/<volumename> && sudo tmutil enable"
+    compliance:
+      - cis: ["2.7.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -> 1"
+
+  # not implemented - SCA Limit -> 2.7.2 Time Machine Volumes Are Encrypted (Automated)
+
+  # 2.8 Disable Wake for network access (Automated)
+  - id: 17531
+    title: "Disable Wake for network access"
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. Theie macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Wake for network access: sudo pmset -a womp 0 "
+    compliance:
+      - cis: ["2.8"]
+    condition: all
+    rules:
+      - 'c:pmset -g -> n:womp\s*\t*(\d) compare == 0'
+
+  # 2.9 Disable Power Nap (Automated)
+  - id: 17532
+    title: "Disable Power Nap"
+    description: "This features allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Power Nap: sudo pmset -a powernap 0"
+    compliance:
+      - cis: ["2.9"]
+    condition: all
+    rules:
+      - 'c:pmset -g -> n:pwernap\s*\t*(\d) compare == 0'
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Automated)
+  - id: 17533
+    title: "Enable Secure Keyboard Entry in terminal.app"
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+      # - 'c:sudo -u <username> defaults read -app Terminal SecureKeyboardEntry -> 1'
+
+  # not implemented - process -> 2.11 Securely delete files as needed (Manual)
+
+  # 2.12 Ensure EFI version is valid and being regularly checked (Automated)
+  - id: 17534
+    title: "Ensure EFI version is valid and being regularly checked"
+    description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+    rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+    remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+    compliance:
+      - cis: ["2.12"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes"
+      - 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
+
+  # 3.1 Enable security auditing (Automated)
+  - id: 17535
+    title: "Enable security auditing"
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # not implemented - process -> 3.2 Configure Security Auditing Flags per local organizational requirements (Manual)
+
+  # 3.3 Retain install.log for 365 or more days with no maximum size (Automated)
+  - id: 17536
+    title: "Retain install.log for 365 or more days with no maximum size"
+    description: "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization."
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    remediation: "Perform the following to ensure that install logs are retained for at least 365 days:Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+    condition: all
+    rules:
+      - 'c:grep -i ttl /etc/asl/com.apple.install -> n:ttl\w+(\d+) compare > 365'
+
+  # not implemented - SCA Limit -> 3.4 Ensure security auditing retention (Automated)
+
+  # 3.5 Control access to audit records (Automated)
+  - id: 17537
+    title: "Control access to audit records"
+    description: "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files."
+    rationale: "Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes."
+    remediation: "Run the following to commands to set the audit records to the root user and wheel group:  sudo chown -R root:wheel /etc/security/audit_control && sudo chown -R root:wheel /var/audit/"
+    compliance:
+      - cis: ["3.5"]
+    condition: all
+    rules:
+      - 'c:ls -le /etc/security/audit_control -> r:root\s*\t*wheel|total'
+      - 'c:ls -le /var/audit/ -> r:root\s*\t*wheel|total'
+
+  # 3.6 Ensure Firewall is configured to log (Automated)
+  - id: 17538
+    title: "Ensure Firewall is configured to log"
+    description: "The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled."
+    rationale: "In order to troubleshoot the successes and failures of a firewall logging should be enabled."
+    remediation: "Run the following command to enable logging of the firewall: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on"
+    compliance:
+      - cis: ["3.6"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode -> r:Log mode is on"
+
+  # 4.1 Disable Bonjour advertising service (Automated)
+  - id: 17539
+    title: "Disable Bonjour advertising service"
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers.. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.'
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # not implemented - SCA Limit -> 4.2 Enable "Show Wi-Fi status in menu bar" (Automated)
+  # not implemented - process -> 4.3 Create network specific locations (Manual)
+
+  # 4.4 Ensure http server is not running (Automated)
+  - id: 17541
+    title: "Ensure http server is not running"
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop    Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+    compliance:
+      - cis: ["4.4"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure nfs server is not running (Scored)
+  - id: 17542
+    title: "Ensure nfs server is not running"
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.nfsd.plist   Remove the exported Directory listing: sudo rm /etc/export"
+    compliance:
+      - cis: ["4.5"]
+    condition: none
+    rules:
+      - "p:nfsd"
+      - "p:/sbin/nfsd"
+      - "f:/etc/exports"
+
+  # not implemented - SCA Limit -> 5.1.1 Secure Home Folders (Automated)
+
+  # 5.1.2 Check System Wide Applications for appropriate permissions (Automated)
+  - id: 17544
+    title: "Check System Wide Applications for appropriate permissions"
+    description: "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions"
+    rationale: "Unauthorized modifications of applications could lead to the execution of malicious code."
+    remediation: "Run the following command to change the permissions for each application that does not meet the requirements: sudo chmod -R o-w /Applications/<applicationname>"
+    compliance:
+      - cis: ["5.1.2"]
+    condition: all
+    rules:
+      - 'c:find /Applications -iname "*.app" -type d -perm -2 -ls -> r:^$'
+
+  # 5.1.3 Check System folder for world writable files (Automated)
+  - id: 17545
+    title: "Check System folder for world writable files"
+    description: "Software sometimes insists on being installed in the /System Directory and have inappropriate world writable permissions."
+    rationale: 'Folders in /System should not be world writable. The audit check excludes the "Drop Box" folder that is part of Apple''s default user template.'
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /System folder: sudo chmod -R o-w /Path/<baddirectory>"
+    compliance:
+      - cis: ["5.1.3"]
+    condition: all
+    rules:
+      - "c:find /System -type d -perm -2 -ls -> r:^$|Public/Drop Box"
+
+  # 5.1.4 Check Library folder for world writable files (Automated)
+  - id: 17546
+    title: "Check Library folder for world writable files"
+    description: "Software sometimes insists on being installed in the /Library Directory and have inappropriate world writable permissions."
+    rationale: "Folders in /Library should not be world writable. The audit check excludes the /Library/Caches folder where the sticky bit is set."
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /Library folder: sudo chmod -R o-w /Library/<baddirectory>"
+    compliance:
+      - cis: ["5.1.4"]
+    condition: all
+    rules:
+      - "c:find /Library -type d -perm -2 -ls -> r:^$|Caches"
+
+  # not implemented - SCA Limit -> 5.2.1 Configure account lockout threshold (Automated)
+  # not implemented - SCA Limit -> 5.2.2 Set a minimum password length (Automated)
+  # not implemented - SCA Limit -> 5.2.3 Complex passwords must contain an Alphabetic Character (Manual)
+  # not implemented - SCA Limit -> 5.2.4 Complex passwords must contain a Numeric Character (Manual)
+  # not implemented - SCA Limit -> 5.2.5 Complex passwords must contain a Special Character (Manual)
+  # not implemented - SCA Limit -> 5.2.6 Complex passwords must uppercase and lowercase letters (Manual)
+  # not implemented - SCA Limit -> 5.2.7 Password Age (Automated)
+  # not implemented - SCA Limit -> 5.2.8 Password History (Automated)
+
+  # 5.3 Reduce the sudo timeout period (Automated) 17551
+  - id: 17551
+    title: "Reduce the sudo timeout period"
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+    condition: all
+    rules:
+      - 'c:grep -e "timestamp" /etc/sudoers -> r:Defaults timestamp_timeout=0'
+
+  # not implemented - SCA Limit -> 5.4 Automatically lock the login keychain for inactivity (Manual)
+
+  # 5.5 Use a separate timestamp for each user/tty combo (Automated) 17552
+  - id: 17552
+    title: "Use a separate timestamp for each user/tty combo"
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+    condition: all
+    rules:
+      - 'c:grep -E -s "!tty_tickets" /etc/sudoers /etc/sudoers.d/* -> r:^$'
+      - 'c:grep -E -s "timestamp_type" /etc/sudoers /etc/sudoers.d/* -> r:^$|!timestamp_type=ppid|!timestamp_type=global'
+
+  # not implemented - SCA Limit -> 5.6 Ensure login keychain is locked when the computer sleeps (Manual)
+
+  # 5.7 Do not enable the "root" account (Automated)
+  - id: 17553
+    title: 'Do not enable the "root" account'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+    compliance:
+      - cis: ["5.7"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.8 Disable automatic login (Automated)
+  - id: 17554
+    title: "Disable automatic login"
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.8"]
+    condition: none
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser"
+
+  # not implemented - process - 5.9 Require a password to wake the computer from sleep or screen saver (Manual)
+  # not implemented - SCA Limit -> 5.10 Ensure system is set to hibernate (Automated)
+  # not implemented - SCA Limit -> 5.11 Require an administrator password to access system-wide preferences (Automated)
+  # not implemented - SCA Limit -> 5.12 Disable ability to login to another user's active and locked session (Automated)
+
+  # 5.13 Create a custom message for the Login Screen (Automated)
+  - id: 17558
+    title: "Create a custom message for the Login Screen"
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: 'Run the following command to enable a custom login screen message: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom.message>"'
+    compliance:
+      - cis: ["5.13"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText -> !r:does not exist"
+
+  # 5.14 Create a Login window banner (Automated)
+  - id: 17559
+    title: "Create a Login window banner"
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: "Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text."
+    compliance:
+      - cis: ["5.14"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+
+  # not implemented - SCA Limit -> 5.15 Do not enter a password-related hint (Automated)
+
+  # 5.16 Disable Fast User Switching (Manual)
+  - id: 17560
+    title: "Disable Fast User Switching"
+    description: "Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access many valid users can login to other user's assigned computers."
+    rationale: "Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out users can have unsaved data running in a background session that is not obvious."
+    remediation: "Run the following command to turn fast user switching off:  sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false"
+    compliance:
+      - cis: ["5.16"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> r:does not exist"
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> 0"
+
+  # not implemented - process - 5.17 Secure individual keychains and items (Manual)
+  # not implemented - process - 5.18 Create specialized keychains for different purposes (Manual)
+
+  # 5.19 System Integrity Protection status (Automated)
+  - id: 17561
+    title: "System Integrity Protection status"
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable    3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.19"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 6.1.1 Display login window as name and password (Automated)
+  - id: 17562
+    title: "Display login window as name and password"
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Run the following command to enable the login window to display name and password: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true"
+    compliance:
+      - cis: ["6.1.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -> 1"
+
+  # jal
+  # 6.1.2 Disable "Show password hints" (Automated)
+  - id: 17563
+    title: 'Disable "Show password hints"'
+    description: "Password hints are user created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    remediation: "Run the following command to disable password hints: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
+    compliance:
+      - cis: ["6.1.2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> r:does not exist"
+
+  # 6.1.3 Disable guest account login (Automated)
+  - id: 17564
+    title: "Disable guest account login"
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.3"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.4 Disable "Allow guests to connect to shared folders" (Automated)
+  - id: 17565
+    title: 'Disable "Allow guests to connect to shared folders"'
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.4"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> 0"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> r:does not exist"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> r:does not exist"
+
+  # 6.1.5 Remove Guest home folder (Automated)
+  - id: 17566
+    title: "Remove Guest home folder"
+    description: "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: sudo rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Automated)
+  - id: 17567
+    title: "Turn on filename extensions"
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+      # - 'c:defaults read /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -> 1'
+
+  # 6.3 Disable the automatic run of safe files in Safari (Automated)
+  - id: 17568
+    title: "Disable the automatic run of safe files in Safari"
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/20/cis_apple_macOS_11.1.yml b/etc/ruleset/sca/darwin/20/cis_apple_macOS_11.1.yml
new file mode 100644
index 0000000000..288029f982
--- /dev/null
+++ b/etc/ruleset/sca/darwin/20/cis_apple_macOS_11.1.yml
@@ -0,0 +1,1018 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 11.x
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 11.0 Big Sur Benchmark v2.1.0 - 07-19-2022
+
+policy:
+  id: "cis_apple_macos_11.x"
+  file: "cis_apple_macOS_11.1.yml"
+  name: "CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0"
+  description: "CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.15. This guide was tested against Apple macOS 10.15."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version."
+  description: "Requirements for running the SCA scan against macOS 11.x (Big Sur)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*11\p'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*11\p'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*11\p'
+
+checks:
+  ############################################################
+  #1 Install Updates, Patches and Additional Security Software
+  ############################################################
+  # 1.1 Verify all Apple provided software is current (Automated)
+  - id: 18000
+    title: "Verify all Apple provided software is current."
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following: softwareupdate -i -a      2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+    compliance:
+      - cis: ["1.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Enable Auto Update (Automated)
+  - id: 18001
+    title: "Enable Auto Update."
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true"
+    compliance:
+      - cis: ["1.2"]
+      - cis_level: ["1"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1"
+
+  # 1.3 Enable Download new updates when available (Automated)
+  - id: 18002
+    title: "Enable Download new updates when available."
+    description: 'In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true"
+    compliance:
+      - cis: ["1.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -> 1"
+
+  # 1.4 Enable app update installs (Automated)
+  - id: 18003
+    title: "Enable app update installs."
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1"
+
+  # 1.5 Enable system data files and security update installs (Automated)
+  - id: 18004
+    title: "Enable system data files and security update installs."
+    description: "Ensure that system and security updates are installed after they are available from Apple.  This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.5"]
+      - cis_level: ["1"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1"
+
+  # 1.6 Enable macOS update installs (Automated)
+  - id: 18005
+    title: "Enable macOS update installs."
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates AutoUpdate - bool TRUE"
+    compliance:
+      - cis: ["1.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -> 1"
+
+  ############################################################
+  #2 System Preferences
+  ############################################################
+  #2.1 Bluetooth
+  ############################################################
+
+  # 2.1.1 Turn off Bluetooth, if no paired devices exist (Automated)
+  - id: 18006
+    title: "Turn off Bluetooth, if no paired devices exist."
+    description: "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure."
+    rationale: "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
+    remediation: "Open a terminal session and enter the following command to disable bluetooth: sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP blued"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -> 0"
+      - "c:system_profiler SPBluetoothDataType -> r:Connectable: Yes"
+
+  # 2.1.2 Show Bluetooth status in menu bar (Automated)
+  - id: 18007
+    title: "Show Bluetooth status in menu bar."
+    description: "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off."
+    rationale: "Enabling Show Bluetooth status in menu bar is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active. "
+    remediation: "For each user, run the following command to enable Bluetooth status in the menu bar: sudo -u <username> defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults -currentHost read com.apple.controlcenter.plist Bluetooth -> 18"
+
+  ############################################################
+  #2.2 Date & Time
+  ############################################################
+  # 2.2.1 Enable "Set time and date automatically" (Automated)
+  - id: 18008
+    title: "Enable Set time and date automatically."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes.  This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver>    sudo systemsetup -setusingnetworktime on"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.2.2 Ensure time set is within appropriate limits (Automated)
+  - id: 18009
+    title: "Ensure time set is within appropriate limits."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds, for this audit a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time this check is not strict, it may be too great for your organization, adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    remediation: "Run the following commands to ensure your time is set within an appropriate limit: sudo systemsetup -getnetworktimeserver -> Get the time server name and then run: sudo touch /var/db/ntp-kod && sudo chown root:wheel /var/db/ntp-kod && sudo sntp -sS <YOUR-TIME-SERVER> "
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+      #- Pending check offset is in the 270.x seconds
+
+  ############################################################
+  #2.3 Desktop & Screen Saver
+  ############################################################
+  # 2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver (Automated)
+  - id: 18010
+    title: "Set an inactivity interval of 20 minutes or less for the screen saver."
+    description: "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts."
+    rationale: "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time."
+    remediation: "Run the following command to verify that the idle time of the screen saver to 20 minutes or less (≤1200): sudo defaults -currentHost write com.apple.screensaver idleTime -int 600 "
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "c:defaults -currentHost read com.apple.screensaver idleTime -> r:does not exist"
+
+  # 2.3.2 Secure screen saver corners (Automated)
+  - id: 18011
+    title: "Secure screen saver corners."
+    description: "Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen."
+    rationale: "Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system."
+    remediation: "Run the following command to turn off Disable Screen Saver for a Hot Corner: sudo -u <username> defaults write com.apple.dock <corner that is set to '6'> -int 0 "
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.dock wvous-tl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-bl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-tr-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-br-corner -> !r:^6$"
+
+  # not implemented - process -> 2.3.3 Familiarize users with screen lock tools or corner to Start Screen Saver (Manual)
+
+  ############################################################
+  #2.4 Sharing
+  ############################################################
+  # 2.4.1 Disable Remote Apple Events (Automated)
+  - id: 18012
+    title: "Disable Remote Apple Events."
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.2 Disable Internet Sharing (Automated)
+  - id: 18013
+    title: "Disable Internet Sharing."
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command to turn off Internet Sharing: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0"
+    compliance:
+      - cis: ["2.4.2"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - 'c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+
+  # 2.4.3 Disable Screen Sharing (Automated)
+  - id: 18014
+    title: "Disable Screen Sharing."
+    description: "Screen sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer."
+    rationale: "Disabling screen sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    remediation: "Run the following command to turn off Screen Sharing: sudo launchctl disable system/com.apple.screensharing"
+    compliance:
+      - cis: ["2.4.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.screensharing\" => true''" -> 1'
+
+  # 2.4.4 Disable Printer Sharing (Automated)
+  - id: 18015
+    title: "Disable Printer Sharing."
+    description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Run the following command in Terminal: sudo cupsctl --no-share-printers"
+    compliance:
+      - cis: ["2.4.4"]
+      - cis_level: ["1"]
+    references:
+      - https://support.apple.com/kb/PH11450
+    condition: all
+    rules:
+      - 'c:sh -c "cupsctl | grep _share_printers | cut -d ''='' -f2" -> 0'
+
+  # 2.4.5 Disable Remote Login (Automated)
+  - id: 18016
+    title: "Disable Remote Login."
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most macOS computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.6 Disable DVD or CD Sharing (Automated)
+  - id: 18017
+    title: "Disable DVD or CD Sharing."
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    remediation: "Run the following command to disable DVD or CD sharing: sudo launchctl disable system/com.apple.ODSAgent "
+    compliance:
+      - cis: ["2.4.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.ODSAgent\" => true''" -> 1'
+
+  # 2.4.7 Disable Bluetooth Sharing (Automated)
+  - id: 18018
+    title: "Disable Bluetooth Sharing ."
+    description: "Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices."
+    rationale: "Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system."
+    remediation: "Perform the following to disable Bluetooth Sharing: Graphical Method: 1. Open System Preferences 2. Select Sharing 3. Uncheck Bluetooth Sharing"
+    compliance:
+      - cis: ["2.4.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -> 0"
+
+  # 2.4.8 Disable File Sharing (Automated)
+  - id: 18019
+    title: "Disable File Sharing."
+    description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command in Terminal to turn off AFP and SMB file sharing from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+    compliance:
+      - cis: ["2.4.8"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.smbd\" => true''" -> 1'
+
+  # 2.4.9 Disable Remote Management (Automated)
+  - id: 18020
+    title: "Disable Remote Management."
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current Screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems."
+    rationale: "Remote management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    remediation: "Run the following command to disable remote management: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources /kickstart -deactivate -stop"
+    compliance:
+      - cis: ["2.4.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not p:ARDAgent"
+
+  # 2.4.10 Disable Content Caching (Automated)
+  - id: 18021
+    title: "Disable Content Caching."
+    description: "Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk they add to the management complexity, since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary."
+    remediation: "Run the following command in to disable content caching: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.10"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AssetCache.plist Activated -> 0"
+
+  # 2.4.11 Disable Media Sharing (Automated)
+  - id: 18022
+    title: "Disable Media Sharing."
+    description: "Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs. With this capability guest users can also use media downloaded on the computer. Best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices."
+    rationale: "Disabling Media Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command in to disable content caching: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.11"]
+      - cis_level: ["2"]
+    references:
+      - https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac
+    condition: all
+    rules:
+      - "c:defaults read com.apple.amp.mediasharingd home-sharing-enabled -> 0"
+
+  # 2.4.12 Ensure AirDrop Is Disabled (Automated)
+  - id: 18069
+    title: "Ensure AirDrop Is Disabled."
+    description: "While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards."
+    rationale: "AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area."
+    remediation: "Run the following commands to disable AirDrop: sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true"
+    references:
+      - https://www.techrepublic.com/article/apple-airdrop-users-reportedly-vulnerable-to-security-flaw/
+      - https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure
+    compliance:
+      - cis: ["2.4.12"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.NetworkBrowser DisableAirDrop -> 1"
+
+  ############################################################
+  # 2.5 Security & Privacy
+  ############################################################
+  # 2.5.1 Encryption
+  ############################################################
+  # 2.5.1.1 Enable FileVault (Automated)
+  - id: 18023
+    title: "Enable FileVault."
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. Filevault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details: "
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.5.1.1"]
+      - cis_level: ["1"]
+    references:
+      - https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
+      - https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/
+    condition: all
+    rules:
+      - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
+
+  # not implemented - SCA Limit -> 2.5.1.2 Ensure all user storage APFS volumes are encrypted (Manual)
+  # not implemented - SCA Limit -> 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted (Manual)
+
+  ############################################################
+  # 2.5.2 Firewall
+  ############################################################
+  # 2.5.2.1 Enable Gatekeeper (Automated)
+  - id: 18024
+    title: "Enable Gatekeeper."
+    description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+    compliance:
+      - cis: ["2.5.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
+
+  # 2.5.2.2 Enable Firewall (Automated)
+  - id: 18025
+    title: "Enable Firewall."
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system.  Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.alf globalstate - int <value>    Where <value> is: - 1 = on for specific services - 2 = on for essential services "
+    compliance:
+      - cis: ["2.5.2"]
+      - cis_level: ["1"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+
+  # 2.5.2.3 Enable Firewall Stealth Mode (Automated)
+  - id: 18026
+    title: "Enable Firewall Stealth Mode."
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.5.3"]
+      - cis_level: ["1"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled"
+
+  # 2.5.3 Enable Location Services (Automated)
+  - id: 18027
+    title: "Enable Location Services."
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. Users do not need to change the time or the time zone, the computer will do it for them. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. For the purpose of asset management and time and log management with mobile computers location services simplify some processes.There are some use cases where it is important that the computer not be able to report it's exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Run the following command to enable location services: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist"
+    compliance:
+      - cis: ["2.5.3"]
+      - cis_level: ["2"]
+    references:
+      - https://support.apple.com/en-us/HT204690
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.locationd" -> 1'
+
+  # not implemented - process -> 2.5.4 Review Application Firewall Rules (Manual)
+
+  # 2.5.5 Disable sending diagnostic and usage data to Apple (Automated)
+  - id: 18028
+    title: "Disable sending diagnostic and usage data to Apple."
+    description: "Apple provides a mechanism to send diagnostic and analytics data back to Apple to help them improve the platform. Information sent to Apple may contain internal organizational information that should be controlled and not available for processing by Apple. Turn off all Analytics and Improvements sharing."
+    rationale: "Organizations should have knowledge of what is shared with the vendor and the setting automatically forwards information to Apple."
+    remediation: "For each needed user, run the following command to enable limited ad tracking: sudo -u <username> defaults -currentHost write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false"
+    compliance:
+      - cis: ["2.5.5"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - 'c:defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -> 0'
+
+  # 2.5.6 Limit Ad tracking and personalized Ads (Automated)
+  - id: 18029
+    title: "Limit Ad tracking and personalized Ads."
+    description: "Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer that when they see advertising it is relevant to them and their interests, the detailed information that is data mining collected, correlated, and available to advertisers in repositories is often disconcerting. This information is valuable to both advertisers and attackers and has been used with other metadata to reveal users' identities"
+    rationale: "Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["2.5.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults -currentHost read /Users/<username>/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising -> 0"
+
+  ############################################################
+  # 2.6 iCloud
+  ############################################################
+  # not implemented - process -> 2.6.1 iCloud configuration (Manual)
+  # not implemented - process -> 2.6.2 iCloud keychain (Manual)
+  # not implemented - process -> 2.6.3 iCloud Drive (Manual)
+  # not implemented - process -> 2.6.4 iCloud Drive Document and Desktop sync (Manual)
+
+  ############################################################
+  # 2.7 Time Machine
+  ############################################################
+  # 2.7.1 Time Machine Auto-Backup (Automated)
+  - id: 18030
+    title: "Time Machine Auto-Backup."
+    description: "Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. When the backup volume is connected to the computer more extensive information is available through tmutil. See man tmutil"
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    remediation: "Run the following enable TimeMachine: sudo sudo tmutil setdestination -a /Volumes/<volumename> && sudo tmutil enable"
+    compliance:
+      - cis: ["2.7.1"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -> 1"
+
+  # not implemented - SCA Limit -> 2.7.2 Time Machine Volumes Are Encrypted (Automated)
+
+  # 2.8 Disable Wake for network access (Automated)
+  - id: 18031
+    title: "Disable Wake for network access."
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. Theie macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Wake for network access: sudo pmset -a womp 0 "
+    compliance:
+      - cis: ["2.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "pmset -g | grep -e womp" -> r:0'
+
+  # 2.9 Disable Power Nap (Automated)
+  - id: 18032
+    title: "Disable Power Nap."
+    description: "This features allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Run the following command to disable Power Nap: sudo pmset -a powernap 0"
+    compliance:
+      - cis: ["2.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "pmset -g everything | grep -e powernap" -> r:powernap\s+0'
+
+  # 2.10 Enable Secure Keyboard Entry in terminal.app (Automated)
+  - id: 18033
+    title: "Enable Secure Keyboard Entry in terminal.app."
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry."
+    compliance:
+      - cis: ["2.10"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> 1"
+
+  # 2.11 Ensure EFI version is valid and being regularly checked (Automated)
+  - id: 18034
+    title: "Ensure EFI version is valid and being regularly checked."
+    description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+    rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+    remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+    compliance:
+      - cis: ["2.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "system_profiler SPiBridgeDataType | grep \"T2\"" -> r:Model Name: Apple T2 Security Chip'
+      - 'c:sh -c "launchctl list | grep com.apple.driver.eficheck" -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
+
+  # not implemented - requires supervision -> 2.12 Automatic Actions for Optical Media (Manual)
+  # not implemented - requires supervision -> 2.13 Review Siri Settings (Manual)
+  # not implemented - requires supervision -> 2.14 Review Sidecar Settings (Manual)
+
+  ############################################################
+  # 3 Logging and Auditing
+  ############################################################
+  # 3.1 Enable security auditing (Automated)
+  - id: 18035
+    title: "Enable security auditing."
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -i auditd" -> r:com.apple.auditd'
+
+  # not implemented - process -> 3.2 Configure Security Auditing Flags per local organizational requirements (Manual)
+
+  # 3.3 Retain install.log for 365 or more days with no maximum size (Automated)
+  - id: 18036
+    title: "Retain install.log for 365 or more days with no maximum size."
+    description: "macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization."
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    remediation: "Perform the following to ensure that install logs are retained for at least 365 days:Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:grep -i ttl /etc/asl/com.apple.install -> n:ttl\w+(\d+) compare > 365'
+      - "c:grep -i all_max= /etc/asl/com.apple.install -> r:^$"
+
+  # not implemented - SCA Limit -> 3.4 Ensure security auditing retention (Automated)
+
+  # 3.5 Control access to audit records (Automated)
+  - id: 18037
+    title: "Control access to audit records."
+    description: "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read only rights and no other access allowed. macOS ACLs should not be used for these files."
+    rationale: "Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes."
+    remediation: "Run the following to commands to set the audit records to the root user and wheel group:  sudo chown -R root:wheel /etc/security/audit_control && sudo chown -R root:wheel /var/audit/"
+    compliance:
+      - cis: ["3.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:ls -le /etc/security/audit_control -> r:root\s*\t*wheel|root'
+      - 'c:ls -le /var/audit/ -> r:root\s*\t*wheel|root'
+
+  # 3.6 Ensure Firewall is configured to log (Automated)
+  - id: 18038
+    title: "Ensure Firewall is configured to log."
+    description: "The socketfilter firewall is what is used when the firewall is turned on in the Security PreferencePane. In order to appropriately monitor what access is allowed and denied logging must be enabled."
+    rationale: "In order to troubleshoot the successes and failures of a firewall logging should be enabled."
+    remediation: "Run the following command to enable logging of the firewall: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on"
+    compliance:
+      - cis: ["3.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode -> r:Log mode is on"
+
+  # not implemented - process -> 3.7 Software Inventory Considerations (Manual)
+
+  ############################################################
+  # 4 Network Configurations
+  ############################################################
+  # 4.1 Disable Bonjour advertising service (Automated)
+  - id: 18039
+    title: "Disable Bonjour advertising service."
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers.. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.'
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true"
+    compliance:
+      - cis: ["4.1"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1"
+
+  # not implemented - SCA Limit -> 4.2 Enable "Show Wi-Fi status in menu bar" (Automated)
+  # not implemented - process -> 4.3 Create network specific locations (Manual)
+
+  # 4.4 Ensure http server is not running (Automated)
+  - id: 18040
+    title: "Ensure http server is not running."
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer.  Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop    Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+    compliance:
+      - cis: ["4.4"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "p:httpd"
+      - "p:/usr/sbin/httpd"
+
+  # 4.5 Ensure nfs server is not running (Scored)
+  - id: 18041
+    title: "Ensure nfs server is not running."
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+    rationale: "File serving should not be done from a user desktop, dedicated servers should be used.  Open ports make it easier to exploit the computer."
+    remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.nfsd.plist   Remove the exported Directory listing: sudo rm /etc/export"
+    compliance:
+      - cis: ["4.5"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "f:/etc/exports"
+      - 'not c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.nfsd\" => true''" -> 1'
+
+  # not implemented - Review -> 4.6 Review Wi-Fi Settings (Manual)
+
+  ############################################################
+  # 5 System Access, Authentication and Authorization
+  ############################################################
+  # 5.1 File System Permissions and Access Controls
+  ############################################################
+  # not implemented - SCA Limit -> 5.1.1 Secure Home Folders (Automated)
+
+  # 5.1.2 Check System Wide Applications for appropriate permissions (Automated)
+  - id: 18042
+    title: "Check System Wide Applications for appropriate permissions."
+    description: "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world writable and allow any process or user to alter them for other processes or users to then execute modified versions"
+    rationale: "Unauthorized modifications of applications could lead to the execution of malicious code."
+    remediation: "Run the following command to change the permissions for each application that does not meet the requirements: sudo chmod -R o-w /Applications/<applicationname>"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:find /Applications -iname "*.app" -type d -perm -2 -ls -> r:^$'
+
+  # 5.1.3 Check System folder for world writable files (Automated)
+  - id: 18043
+    title: "Check System folder for world writable files."
+    description: "Software sometimes insists on being installed in the /System Directory and have inappropriate world writable permissions."
+    rationale: 'Folders in /System should not be world writable. The audit check excludes the "Drop Box" folder that is part of Apple''s default user template.'
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /System folder: sudo chmod -R o-w /Path/<baddirectory>"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:find /System -type d -perm -2 -ls -> r:^$"
+
+  # 5.1.4 Check Library folder for world writable files (Automated)
+  - id: 18044
+    title: "Check Library folder for world writable files."
+    description: "Software sometimes insists on being installed in the /Library Directory and have inappropriate world writable permissions."
+    rationale: "Folders in /Library should not be world writable. The audit check excludes the /Library/Caches folder where the sticky bit is set."
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /Library folder: sudo chmod -R o-w /Library/<baddirectory>"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - 'c:sh -c "find /System/Volumes/Data/Library -type d -perm -2 -ls | grep -v Caches | grep -v Audio" -> r:^$'
+
+  ############################################################
+  # 5.2 Password Management
+  ############################################################
+  # not implemented - SCA Limit -> 5.2.1 Configure account lockout threshold (Automated)
+  # not implemented - SCA Limit -> 5.2.2 Set a minimum password length (Automated)
+  # not implemented - SCA Limit -> 5.2.3 Complex passwords must contain an Alphabetic Character (Manual)
+  # not implemented - SCA Limit -> 5.2.4 Complex passwords must contain a Numeric Character (Manual)
+  # not implemented - SCA Limit -> 5.2.5 Complex passwords must contain a Special Character (Manual)
+  # not implemented - SCA Limit -> 5.2.6 Complex passwords must uppercase and lowercase letters (Manual)
+  # not implemented - SCA Limit -> 5.2.7 Password Age (Automated)
+  # not implemented - SCA Limit -> 5.2.8 Password History (Automated)
+
+  # 5.3 Reduce the sudo timeout period (Automated) 18051
+  - id: 18045
+    title: "Reduce the sudo timeout period."
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:grep -e "timestamp" /etc/sudoers -> r:Defaults timestamp_timeout=0'
+
+  # not implemented - SCA Limit -> 5.4 Automatically lock the login keychain for inactivity (Manual)
+
+  # 5.5 Use a separate timestamp for each user/tty combo (Automated)
+  - id: 18046
+    title: "Use a separate timestamp for each user/tty combo."
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo -> Add the line Defaults timestamp_timeout=0 in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:grep -E -s '!tty_tickets' /etc/sudoers /etc/sudoers.d/* -> r:^$"
+      - 'c:grep -E -s "timestamp_type" /etc/sudoers /etc/sudoers.d/* -> r:^$|!timestamp_type=ppid|!timestamp_type=global'
+
+  # not implemented - SCA Limit -> 5.6 Ensure login keychain is locked when the computer sleeps (Manual)
+
+  # 5.7 Do not enable the "root" account (Automated)
+  - id: 18047
+    title: "Do not enable the root account"
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User. Terminal Method: Run the following command to disable the root user: sudo dsenableroot -d"
+    compliance:
+      - cis: ["5.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.8 Disable automatic login (Automated)
+  - id: 18048
+    title: "Disable automatic login."
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser -> r:^$"
+
+  # not implemented - process - 5.9 Require a password to wake the computer from sleep or screen saver (Manual)
+  # not implemented - SCA Limit -> 5.10 Ensure system is set to hibernate (Automated)
+  # 5.11 Require an administrator password to access system-wide preferences (Automated)
+  - id: 18049
+    title: "Require an administrator password to access system-wide preferences."
+    description: "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer. "
+    rationale: "By requiring a password to unlock system-wide System Preferences the risk is mitigated of a user changing configurations that affect the entire system and requires an admin user to re-authenticate to make changes."
+    remediation: "Perform the following to verify that an administrator password is required to access system-wide preferences: 1.  Open System Preferences 2.  Select Security & Privacy 3.  Select General 4.  Select Advanced... 5.  Set Require an administrator password to access system-wide preferences"
+    compliance:
+      - cis: ["5.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep false" -> r:^<false/>'
+
+  # 5.12 Disable ability to login to another user's active and locked session (Automated)
+  - id: 18050
+    title: "Ensure an administrator account cannot login to another user's active and locked session."
+    description: "macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+    rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+    remediation: "Run the following command to disable a user logging into another user's active and/or locked session: $ sudo security authorizationdb write system.login.screensaver use-login-window-ui"
+    compliance:
+      - cis: ["5.12"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "security authorizationdb read system.login.screensaver 2>&1 | grep -c ''use-login-window-ui''" -> 1'
+
+  # 5.13 Create a custom message for the Login Screen (Automated)
+  - id: 18051
+    title: "Create a custom message for the Login Screen."
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: 'Run the following command to enable a custom login screen message: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom.message>"'
+    compliance:
+      - cis: ["5.13"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText -> !r:does not exist"
+
+  # 5.14 Create a Login window banner (Automated)
+  - id: 18052
+    title: "Create a Login window banner."
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: "Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text."
+    compliance:
+      - cis: ["5.14"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+
+  # not implemented - SCA Limit -> 5.15 Do not enter a password-related hint (Automated)
+
+  # 5.16 Disable Fast User Switching (Manual)
+  - id: 18053
+    title: "Disable Fast User Switching."
+    description: "Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access many valid users can login to other user's assigned computers."
+    rationale: "Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out users can have unsaved data running in a background session that is not obvious."
+    remediation: "Run the following command to turn fast user switching off:  sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false"
+    compliance:
+      - cis: ["5.16"]
+      - cis_level: ["2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> r:does not exist"
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> 0"
+
+  # not implemented - process - 5.17 Secure individual keychains and items (Manual)
+
+  # 5.18 System Integrity Protection status (Automated)
+  - id: 18054
+    title: "System Integrity Protection status."
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable   3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.18"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled"
+
+  # 5.19 Enable Sealed System Volume (SSV) (Automated)
+  - id: 18055
+    title: "Enable Sealed System Volume (SSV)."
+    description: "SThe seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system. During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree."
+    rationale: "Running without Sealed System Volume on a production system could run the risk of Apple software, that integrates directly with macOS, being modified. "
+    remediation: "Perform the following while booted in macOS Recovery Partition.  1. Select Terminal from the Utilities menu    2. Run the following command in Terminal: /usr/bin/csrutil enable authenticated-root 3. The output should be: Successfully enabled System authenticated root. Please restart the machine for the changes to take effect.    4. Reboot."
+    compliance:
+      - cis: ["5.19"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:/usr/bin/csrutil authenticated-root status  -> r:^SAuthenticated Root status: enabled"
+
+  # 5.20 Enable Library Validation (Automated)
+  - id: 18056
+    title: "Enable Library Validation."
+    description: "Library Validation is a security feature introduced in macOS 10.10 Yosemite. Library Validation protects processes from loading arbitrary libraries. This stops root from loading arbitrary libraries into any process (depending on SIP status),and keeps root from becoming more powerful. Security is strengthened, because some user processes can no longer be fooled to run additional code without root's explicit request, which may grant access to daemons that depend on LibraryValidation for secure validation of code identity."
+    rationale: "Running without Library Validation on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by Library Validation."
+    remediation: "Run the following command to set Library Validation: sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation DisableLibraryValidation -bool false"
+    references:
+      - https://github.com/Automattic/wp-desktop/issues/790
+      - https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
+      - http://www.newosxbook.com/articles/CodeSigning.pdf
+    compliance:
+      - cis: ["5.20"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation  -> 0"
+
+  ############################################################
+  # 6 User Accounts and Environment
+  ############################################################
+  # 6.1 Accounts Preferences Action Items
+  ############################################################
+  # 6.1.1 Display login window as name and password (Automated)
+  - id: 18057
+    title: "Display login window as name and password."
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Run the following command to enable the login window to display name and password: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true"
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -> 1"
+
+  # 6.1.2 Disable "Show password hints" (Automated)
+  - id: 18058
+    title: "Disable Show password hints."
+    description: "Password hints are user created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    remediation: "Run the following command to disable password hints: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> r:does not exist"
+
+  # 6.1.3 Disable guest account login (Automated)
+  - id: 18059
+    title: "Disable guest account login."
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0"
+
+  # 6.1.4 Disable "Allow guests to connect to shared folders" (Automated)
+  - id: 18060
+    title: "Disable Allow guests to connect to shared folders"
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system."
+    remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool false"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> 0"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> 0"
+      - "c:defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess -> r:does not exist"
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> r:does not exist"
+
+  # 6.1.5 Remove Guest home folder (Automated)
+  - id: 18061
+    title: "Remove Guest home folder."
+    description: "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "1. Run the following command in Terminal: sudo rm -R /Users/Guest  2. Make sure there is no output"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Turn on filename extensions (Automated)
+  - id: 18062
+    title: "Turn on filename extensions."
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions    Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1"
+
+  # 6.3 Disable the automatic run of safe files in Safari (Automated)
+  - id: 18063
+    title: "Disable the automatic run of safe files in Safari."
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: 'Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open "safe" files after downloading    Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no       Terminal Method: Run the following command to disable safe files from not opening in Safari: sudo -u <username> defaults write /Users/<username>/LibraryContainers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false'
+    compliance:
+      - cis: ["6.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0"
diff --git a/etc/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml b/etc/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml
new file mode 100644
index 0000000000..d4c96f239d
--- /dev/null
+++ b/etc/ruleset/sca/darwin/21/cis_apple_macOS_12.0.yml
@@ -0,0 +1,1085 @@
+# Security Configuration Assessment
+# CIS Checks for macOS 11.x
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Apple macOS 12.0 Monterey Benchmark v1.1.0 - 06-20-2022
+policy:
+  id: "cis_apple_macos_12.x"
+  file: "cis_apple_macOS_12.0.yml"
+  name: "CIS Apple macOS 12.0 Monterey Benchmark v1.1.0"
+  description: "This document, CIS Apple macOS 12.0 Monterey Benchmark provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 12.0 Monterey. This guide was tested against Apple macOS 12.0 Monterey."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check macOS version."
+  description: "Requirements for running the SCA scan against macOS 12.x (Monterey)."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*12\p'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*12\p'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*12\p'
+
+checks:
+  ############################################################
+  #1 Install Updates, Patches and Additional Security Software
+  ############################################################
+  # 1.1 Ensure All Apple-provided Software Is Current (Automated)
+  - id: 29000
+    title: "Ensure All Apple-provided Software Is Current."
+    description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    remediation: "1. In Terminal, run the following command to verify what packages need to be installed: sudo softwareupdate -l. 2.1. In Terminal, run the following command to install all the packages that need to be updated: sudo software -i -a -R. 2.2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename'"
+    compliance:
+      - cis: ["1.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available"
+
+  # 1.2 Ensure Auto Update Is Enabled (Automated)
+  - id: 29001
+    title: "Ensure Auto Update Is Enabled."
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true"
+    compliance:
+      - cis: ["1.2"]
+      - cis_level: ["1"]
+    references:
+      - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+      - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutomaticCheckEnabled" -> r:AutomaticCheckEnabled\s*=\s*1'
+
+  # 1.3 Ensure Download New Updates When Available is Enabled (Automated)
+  - id: 29002
+    title: "Ensure Download New Updates When Available is Enabled."
+    description: 'In the GUI both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected.'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true"
+    compliance:
+      - cis: ["1.3"]
+      - cis_level: ["1"]
+    references:
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutomaticDownload" -> r:AutomaticDownload\s*=\s*1'
+
+  # 1.4 Ensure Installation of App Update Is Enabled (Automated)
+  - id: 29003
+    title: "Ensure Installation of App Update Is Enabled."
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE"
+    compliance:
+      - cis: ["1.4"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutomaticallyInstallAppUpdates" -> r:AutomaticallyInstallAppUpdates\s*=\s*1'
+
+  # 1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled (Automated)
+  - id: 29004
+    title: "Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled."
+    description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+    compliance:
+      - cis: ["1.5"]
+      - cis_level: ["1"]
+    references:
+      - https://www.thesafemac.com/tag/xprotect/
+      - https://support.apple.com/en-us/HT202491
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> r:^1$"
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> r:^1$"
+
+  # 1.6 Ensure Install of macOS Updates Is Enabled (Automated)
+  - id: 29005
+    title: "Ensure Install of macOS Updates Is Enabled."
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    remediation: "Run the following command to to enable automatic checking and installing of macOS updates: sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE"
+    compliance:
+      - cis: ["1.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutomaticallyInstallMacOSUpdates" -> r:AutomaticallyInstallMacOSUpdates\s*=\s*1'
+
+  # 1.7 Audit Computer Name (Manual) - Not implemented
+
+  ############################################################
+  #2 System Preferences
+  ############################################################
+  #2.1 Bluetooth
+  ############################################################
+
+  # 2.1.1 Ensure Bluetooth Is Disabled If No Devices Are Paired (Automated)
+  - id: 29006
+    title: "Ensure Bluetooth Is Disabled If No Devices Are Paired."
+    description: "Bluetooth devices use a wireless communications system that replaces the cables used by other peripherals to connect to a system. It is by design a peer-to-peer network technology and typically lacks centralized administration and security enforcement infrastructure."
+    rationale: "Bluetooth is particularly susceptible to a diverse set of security vulnerabilities involving identity detection, location tracking, denial of service, unintended control and access of data and voice channels, and unauthorized device control and data access."
+    remediation: "Open a terminal session and enter the following command to disable bluetooth: sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP bluetoothd"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState -> r:^0$"
+      - "c:system_profiler SPBluetoothDataType -> r:Connected: Yes"
+
+  # 2.1.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated)
+  - id: 29007
+    title: "Ensure Show Bluetooth Status in Menu Bar Is Enabled."
+    description: "By showing the Bluetooth status in the menu bar, a small Bluetooth icon is placed in the menu bar. This icon quickly shows the status of Bluetooth, and can allow the user to quickly turn Bluetooth on or off."
+    rationale: 'Enabling "Show Bluetooth status in menu bar" is a security awareness method that helps understand the current state of Bluetooth, including whether it is enabled, discoverable, what paired devices exist, and what paired devices are currently active.'
+    remediation: "For each user, run the following command to enable Bluetooth status in the menu bar: sudo -u <username> defaults -currentHost write com.apple.controlcenter.plist Bluetooth -int 18"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults -currentHost read com.apple.controlcenter.plist Bluetooth -> r:^1$8"
+      - 'c:sh -c "profiles -P -o stdout | grep Bluetooth" -> r:Bluetooth\s*=\s*1'
+
+  ############################################################
+  # 2.2 Date & Time
+  ############################################################
+  # 2.2.1 Ensure "Set time and date automatically" Is Enabled (Automated)
+  - id: 29008
+    title: 'Ensure "Set time and date automatically" Is Enabled'
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver <timeserver> sudo systemsetup -setusingnetworktime on. Run the following commands if you have not set, or need to set, a new time zone: sudo /usr/sbin/systemsetup -listtimezones sudo /usr/sbin/systemsetup -settimezone <selected time zone>"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+      - 'c:sh -c "profiles -P -o stdout | grep forceAutomaticDateAndTime" -> r:forceAutomaticDateAndTime\s*=\s*1'
+
+  # 2.2.2 Ensure time set is within appropriate limits (Automated)
+  - id: 29009
+    title: "Ensure time set is within appropriate limits."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed. Note: ntpdate has been deprecated with 10.14. sntp replaces that command. NOTE: set the correct network time server in the rules."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    remediation: "Run the following commands to ensure your time is set within an appropriate limit: sudo systemsetup -getnetworktimeserver -> Get the time server name and then run: sudo touch /var/db/ntp-kod && sudo chown root:wheel /var/db/ntp-kod && sudo sntp -sS <YOUR-TIME-SERVER> "
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+      - 'c:sh -c "sntp time.apple.com | grep +/-" -> n:+(\d+)\.\d+\s+/- compare <= 270'
+      - 'c:sh -c "sntp time.apple.com | grep +/-" -> n:+\d+\.\d+\s+/-\s(\d+)\.\d+ compare <= 270'
+
+  ############################################################
+  # 2.3 Desktop & Screen Saver
+  ############################################################
+  # 2.3.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated)
+  - id: 29010
+    title: "Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled."
+    description: "A locking screensaver is one of the standard security controls to limit access to a computer and the current user's session when the computer is temporarily unused or unattended. In macOS the screensaver starts after a value selected in a drop down menu, 10 minutes and 20 minutes are both options and either is acceptable. Any value can be selected through the command line or script but a number that is not reflected in the GUI can be problematic. 20 minutes is the default for new accounts."
+    rationale: "Setting an inactivity interval for the screensaver prevents unauthorized persons from viewing a system left unattended for an extensive period of time."
+    remediation: "Run the following command to verify that the idle time of the screen saver to 20 minutes or less (≤1200):  $ sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value ≤1200>. If there are multiple users out of compliance with the prescribed setting, run this command for each user to set their idle time:  $ sudo -u <username> /usr/bin/defaults -currentHost write com.apple.screensaver idleTime -int <value ≤1200>. Note: Issues arise if the command line is used to make the setting something other than what is available in the GUI Menu. Choose either 1 (60), 2 (120), 5 (300), 10 (600), or 20 (120) minutes to avoid any issues. Profile Method: 1. Create or edit a configuration profile with the PayLoadType of com.apple.screensaver.user 2. Add the key idleTime 3. Set the key to <integer><≤1200></integer> "
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "not c:defaults -currentHost read com.apple.screensaver idleTime -> r:does not exist"
+      - 'c:defaults -currentHost read com.apple.screensaver idleTime -> n:^(\d+)$ compare <= 1200'
+      - 'c:sh -c "profiles -P -o stdout | grep idleTime" -> n:idleTime\s*=\s*(\d+) compare <= 1200'
+
+  # 2.3.2 Ensure Screen Saver Corners Are Secure (Automated)
+  - id: 29011
+    title: "Ensure Screen Saver Corners Are Secure."
+    description: "Hot Corners can be configured to disable the screen saver by moving the mouse cursor to a corner of the screen."
+    rationale: "Setting a hot corner to disable the screen saver poses a potential security risk since an unauthorized person could use this to bypass the login screen and gain access to the system."
+    remediation: "Run the following command to turn off Disable Screen Saver for a Hot Corner: sudo -u <username> defaults write com.apple.dock <corner that is set to '6'> -int 0 "
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read com.apple.dock wvous-tl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-bl-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-tr-corner -> !r:^6$"
+      - "c:defaults read com.apple.dock wvous-br-corner -> !r:^6$"
+
+  # 2.3.3 Audit Lock Screen and Start Screen Saver Tools (Manual) -> Not implemented
+
+  ############################################################
+  # 2.4 Sharing
+  ############################################################
+  # 2.4.1 Ensure Remote Apple Events Is Disabled (Automated)
+  - id: 29012
+    title: "Ensure Remote Apple Events Is Disabled."
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+    compliance:
+      - cis: ["2.4.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.4.2 Ensure Internet Sharing Is Disabled (Automated)
+  - id: 29013
+    title: "Ensure Internet Sharing Is Disabled"
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command to turn off Internet Sharing: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0"
+    compliance:
+      - cis: ["2.4.2"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - 'c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+      - 'c:sh -c "profiles -P -o stdout | grep forceInternetSharingOff" -> r:forceInternetSharingOff\s*=\s*1'
+
+  # 2.4.3 Ensure Screen Sharing Is Disabled (Automated)
+  - id: 29014
+    title: "Ensure Screen Sharing Is Disabled."
+    description: "Screen Sharing allows a computer to connect to another computer on a network and display the computer’s screen. While sharing the computer’s screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer."
+    rationale: "Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    remediation: "Run the following command to turn off Screen Sharing: sudo launchctl disable system/com.apple.screensharing"
+    compliance:
+      - cis: ["2.4.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.screensharing\" => true''" -> 1'
+
+  # 2.4.4 Ensure Printer Sharing Is Disabled (Automated)
+  - id: 29015
+    title: "Ensure Printer Sharing Is Disabled."
+    description: "By enabling Printer Sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Run the following command in Terminal: sudo cupsctl --no-share-printers"
+    compliance:
+      - cis: ["2.4.4"]
+      - cis_level: ["1"]
+    references:
+      - https://support.apple.com/kb/PH11450
+    condition: all
+    rules:
+      - 'c:sh -c "cupsctl | grep _share_printers | cut -d ''='' -f2" -> 0'
+
+  # 2.4.5 Ensure Remote Login Is Disabled (Automated)
+  - id: 29016
+    title: "Ensure Remote Login Is Disabled."
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in section 7.5. macOS no longer has TCP Wrappers support built-in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Most macOS computers are mobile workstations, managing IP based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+    compliance:
+      - cis: ["2.4.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.4.6 Ensure DVD or CD Sharing Is Disabled (Automated)
+  - id: 29017
+    title: "Ensure DVD or CD Sharing Is Disabled."
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing the sharing of an external optical drive persists when a drive is reconnected."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    remediation: "Run the following command to disable DVD or CD sharing: sudo launchctl disable system/com.apple.ODSAgent "
+    compliance:
+      - cis: ["2.4.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.ODSAgent\" => true''" -> 1'
+
+  # 2.4.7 Ensure Bluetooth Sharing Is Disabled (Automated)
+  - id: 29018
+    title: "Ensure Bluetooth Sharing Is Disabled."
+    description: "Bluetooth Sharing allows files to be exchanged with Bluetooth enabled devices."
+    rationale: "Disabling Bluetooth Sharing minimizes the risk of an attacker using Bluetooth to remotely attack the system."
+    remediation: "Run the following command to disable Bluetooth Sharing is disabled: sudo -u <username> /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false"
+    compliance:
+      - cis: ["2.4.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults -currentHost read com.apple.Bluetooth PrefKeyServicesEnabled -> r:^0$"
+      - 'c:sh -c "profiles -P -o stdout | grep PrefKeyServicesEnabled" -> r:PrefKeyServicesEnabled\s*=\s*0|^[^\W]*$'
+
+  # 2.4.8 Ensure File Sharing Is Disabled (Automated)
+  - id: 29019
+    title: "Ensure File Sharing Is Disabled."
+    description: "Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled."
+    rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    remediation: "Run the following command to disable SMB file sharing: sudo launchctl disable system/com.apple.smbd "
+    compliance:
+      - cis: ["2.4.8"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.smbd\" => true''" -> 1'
+
+  # 2.4.9 Ensure Remote Management Is Disabled (Automated)
+  - id: 29020
+    title: "Ensure Remote Management Is Disabled."
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, definitely a concern for mobile systems."
+    rationale: "Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    remediation: "Run the following command to disable Remote Management: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"
+    compliance:
+      - cis: ["2.4.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not p:/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
+
+  # 2.4.10 Ensure Content Caching Is Disabled (Automated)
+  - id: 29021
+    title: "Ensure Content Caching Is Disabled."
+    description: "Starting with 10.13 (macOS High Sierra) Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints and greater bandwidth on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets the effectiveness of this capability would be determined on how many Macs were on each subnet at the time new large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity bandwidth user endpoints should not store content and act as a cluster to provision data."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk they add to the management complexity, since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary."
+    remediation: "Run the following command to disable Content Caching:: sudo AssetCacheManagerUtil deactivate"
+    compliance:
+      - cis: ["2.4.10"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.AssetCache.plist Activated -> r:^0$"
+      - 'c:sh -c "profiles -P -o stdout | grep allowContentCaching" -> r:allowContentCaching\s*=\s*0'
+
+  # 2.4.11 Ensure AirDrop Is Disabled (Automated)
+  - id: 29022
+    title: "Ensure AirDrop Is Disabled."
+    description: "AirDrop is Apple's built-in on demand ad hoc file exchange system that is compatible with both macOS and iOS. It uses Bluetooth LE for discovery that limits connectivity to Mac or iOS users that are in close proximity. Depending on the setting it allows everyone or only Contacts to share files when they are nearby to each other. In many ways this technology is far superior to the alternatives. The file transfer is done over a TLS encrypted session, does not require any open ports that are required for file sharing, does not leave file copies on email servers or within cloud storage, and allows for the service to be mitigated so that only people already trusted and added to contacts can interact with you. While there are positives to AirDrop, there are privacy concerns that could expose personal information. For that reason, AirDrop should be disabled, and should only be enabled when needed and disabled afterwards."
+    rationale: "AirDrop can allow malicious files to be downloaded from unknown sources. Contacts Only limits may expose personal information to devices in the same area."
+    remediation: "Run the following commands to disable AirDrop: sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true"
+    references:
+      - "https://www.techrepublic.com/article/apple-airdrop-users-reportedly-vulnerable-to-security-flaw/"
+      - "https://www.imore.com/how-apple-keeps-your-airdrop-files-private-and-secure"
+      - "https://en.wikipedia.org/wiki/AirDrop"
+    compliance:
+      - cis: ["2.4.11"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read com.apple.NetworkBrowser DisableAirDrop -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep DisableAirDrop" -> r:DisableAirDrop\s*=\s*1'
+
+  # 2.4.12 Ensure Media Sharing Is Disabled (Automated)
+  - id: 29023
+    title: "Ensure Media Sharing Is Disabled."
+    description: "Starting with macOS 10.15 Apple has provided a control to allow a user to share Apple downloaded content on all Apple devices that are signed in with the same Apple ID. This allows a user to share downloaded Movies, Music or TV shows with other controlled macOS, iOS and iPadOS devices as well as photos with Apple TVs. With this capability guest users can also use media downloaded on the computer. The recommended best practice is not to use the computer as a server but to utilize Apple's cloud storage to download and use content stored there if content stored with Apple is used on multiple devices."
+    rationale: "Disabling Media Sharing reduces the remote attack surface of the system."
+    remediation: "Run the following command to disable Media Sharing: sudo -u <username> defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0"
+    compliance:
+      - cis: ["2.4.12"]
+      - cis_level: ["2"]
+    references:
+      - https://support.apple.com/guide/mac-help/set-up-media-sharing-on-mac-mchlp13371337/mac
+    condition: any
+    rules:
+      - "c:defaults read com.apple.amp.mediasharingd home-sharing-enabled -> r:^0$|does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep homeSharingUIStatus" -> r:homeSharingUIStatus\s*=\s*0'
+      - 'c:sh -c "profiles -P -o stdout | grep legacySharingUIStatus" -> r:legacySharingUIStatus\s*=\s*0'
+      - 'c:sh -c "profiles -P -o stdout | grep mediaSharingUIStatus" -> r:mediaSharingUIStatus\s*=\s*0'
+
+  # 2.4.13 Ensure AirPlay Receiver Is Disabled (Automated) - Not implemented
+
+  ############################################################
+  # 2.5 Security & Privacy
+  ############################################################
+  # 2.5.1 Encryption
+  ############################################################
+  # 2.5.1.1 Ensure FileVault Is Enabled (Automated)
+  - id: 29024
+    title: "Ensure FileVault Is Enabled."
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see references)."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    remediation: "Perform the following to enable FileVault: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+    compliance:
+      - cis: ["2.5.1.1"]
+      - cis_level: ["1"]
+    references:
+      - https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
+      - https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/
+    condition: all
+    rules:
+      - "c:fdesetup status -> r:^FileVault is On"
+
+  # 2.5.1.2 Ensure all user storage APFS volumes are encrypted (Manual) - Not implemented
+  # 2.5.1.3 Ensure all user storage CoreStorage volumes are encrypted (Manual) - Not implemented
+
+  ############################################################
+  # 2.5.2 Firewall
+  ############################################################
+  # 2.5.2.1 Ensure Gatekeeper is Enabled (Automated)
+  - id: 29025
+    title: "Ensure Gatekeeper is Enabled."
+    description: "Gatekeeper is Apple's application allowlisting control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Run the following command to enable Gatekeeper to allow applications from App Store and identified developers: sudo /usr/sbin/spctl --master-enable"
+    compliance:
+      - cis: ["2.5.2.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:spctl --status -> r:^assessments enabled"
+      - 'c:sh -c "profiles -P -o stdout | grep AllowIdentifiedDevelopers" -> r:AllowIdentifiedDevelopers\s*=\s*1'
+      - 'c:sh -c "profiles -P -o stdout | grep EnableAssessment" -> r:EnableAssessment\s*=\s*1'
+
+  # 2.5.2.2 Ensure Firewall Is Enabled (Automated)
+  - id: 29026
+    title: "Ensure Firewall Is Enabled."
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
+    rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+    remediation: "Run the following command to enable the firewall: sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int <value> For the <value>, use either 1, specific services, or 2, essential services only."
+    compliance:
+      - cis: ["2.5.2.2"]
+      - cis_level: ["1"]
+    references:
+      - "https://support.apple.com/en-us/HT201642"
+      - "https://support.apple.com/en-ca/guide/security/seca0e83763f/web"
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+      - 'c:sh -c "profiles -P -o stdout | grep EnableFirewall" -> r:EnableFirewall\s*=\s*1'
+
+  # 2.5.2.3 Ensure Firewall Stealth Mode Is Enabled (Automated)
+  - id: 29027
+    title: "Ensure Firewall Stealth Mode Is Enabled."
+    description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    remediation: "Run the following command to enable stealth mode: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+    compliance:
+      - cis: ["2.5.2.3"]
+      - cis_level: ["1"]
+    references:
+      - https://support.apple.com/en-us/HT201642
+    condition: any
+    rules:
+      - "c:/usr/sbin/system_profiler SPFirewallDataType -> r:Stealth Mode: Yes"
+      - 'c:sh -c "profiles -P -o stdout | grep EnableStealthMode" -> r:EnableStealthMode\s*=\s*1'
+
+  # 2.5.3 Ensure Location Services Is Enabled (Automated)
+  - id: 29028
+    title: "Ensure Location Services Is Enabled."
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. With the operating system verifying the location, users do not need to change the time or the time zone. The computer will change them based on the user's location. They do not need to specify their location for weather or travel times and even get alerts on travel times to meetings and appointment where location information is supplied. Location Services simplify some processes, for the purpose of asset management and time and log management, with mobile computers. There are some use cases where it is important that the computer not be able to report its exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location Services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Run the following command to enable Location Services: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist"
+    compliance:
+      - cis: ["2.5.3"]
+      - cis_level: ["2"]
+    references:
+      - https://support.apple.com/en-us/HT204690
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.locationd" -> 1'
+
+  # 2.5.4 Audit Location Services Access (Manual) - Not implemented
+
+  # 2.5.5 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated)
+  - id: 29029
+    title: "Ensure Sending Diagnostic and Usage Data to Apple Is Disabled."
+    description: "Apple provides a mechanism to send diagnostic and analytics data back to Apple to help them improve the platform. Information sent to Apple may contain internal organizational information that should be controlled and not available for processing by Apple. Turn off all Analytics and Improvements sharing. Share Mac Analytics (Share with App Developers dependent on Mac Analytic sharing) - Includes diagnostics, usage and location data. Share iCloud Analytics - Includes iCloud data and usage information."
+    rationale: "Organizations should have knowledge of what is shared with the vendor and the setting automatically forwards information to Apple."
+    remediation: "Perform the following to disable diagnostic data being sent to Apple: sudo /usr/bin/defaults write /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -bool false, sudo /bin/chmod 644 /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist, sudo /usr/sbin/chgrp admin /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist"
+    compliance:
+      - cis: ["2.5.5"]
+      - cis_level: ["2"]
+    condition: any
+    rules:
+      - 'c:defaults read /Library/Application\ Support/CrashReporter/DiagnosticMessagesHistory.plist AutoSubmit -> r:^0$'
+      - 'c:sh -c "profiles -P -o stdout | grep allowDiagnosticSubmission" -> r:allowDiagnosticSubmission\s*=\s*0'
+
+  # 2.5.6 Ensure Limit Ad Tracking Is Enabled (Automated) - Not implemented
+  # 2.5.7 Audit Camera Privacy and Confidentiality (Manual) - Not implemented
+
+  ############################################################
+  # 2.6 Apple ID
+  ############################################################
+  ############################################################
+  # 2.6.1 iCloud
+  ############################################################
+  # 2.6.1.1 Audit iCloud Configuration (Manual) - Not impemented
+  # 2.6.1.2 Audit iCloud Keychain (Manual) - Not implemented
+  # 2.6.1.3 Audit iCloud Drive (Manual) - Not implemented
+  # 2.6.1.4 Ensure iCloud Drive Document and Desktop Sync is Disabled (Automated) - Not implemented
+  # 2.6.2 Audit App Store Password Settings (Manual) - Not implemented
+
+  ############################################################
+  # 2.7 Time Machine
+  ############################################################
+  # 2.7.1 Ensure Backup Up Automatically is Enabled (Automated)
+  - id: 29030
+    title: "Ensure Backup Up Automatically is Enabled."
+    description: 'Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. SnapshotDates = ( "2012-08-20 12:10:22 +0000", "2013-02-03 23:43:22 +0000", "2014-02-19 21:37:21 +0000", "2015-02-22 13:07:25 +0000", "2016-08-20 14:07:14 +0000" When the backup volume is connected to the computer more extensive information is available through tmutil. See man tmutil'
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    remediation: "Run the following command to enable automatic backups if Time Machine is enabled: sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true"
+    compliance:
+      - cis: ["2.7.1"]
+      - cis_level: ["2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutoBackup" -> r:AutoBackup\s*=\s*1'
+
+  # 2.7.2 Ensure Time Machine Volumes Are Encrypted (Automated) - Not implemented
+
+  # 2.8 Ensure Wake for Network Access Is Disabled (Automated)
+  - id: 29031
+    title: "Ensure Wake for Network Access Is Disabled."
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    remediation: "Perform the following disable Wake for network access or Power Nap: Run the following command to disable Wake for network access: sudo pmset -a womp 0 "
+    compliance:
+      - cis: ["2.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "pmset -g | grep -e womp" -> r:0'
+
+  # 2.9 Ensure Power Nap Is Disabled (Automated)
+  - id: 29032
+    title: "Ensure Power Nap Is Disabled."
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
+    remediation: "Perform the following disable Wake for network access or Power Nap: sudo pmset -a powernap 0"
+    compliance:
+      - cis: ["2.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "pmset -g everything | grep powernap | grep -c 1" -> r:^0$'
+
+  # 2.10 Ensure Secure Keyboard Entry terminal.app is Enabled (Automated)
+  - id: 29033
+    title: "Ensure Secure Keyboard Entry terminal.app is Enabled."
+    description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+    rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+    remediation: "Perform the following to enable secure keyboard entries in Terminal: sudo -u <username> /usr/bin/defaults write -app Terminal SecureKeyboardEntry -bool true"
+    compliance:
+      - cis: ["2.10"]
+      - cis_level: ["1"]
+    references:
+      - "https://support.apple.com/en-ca/guide/terminal/trml109/2.11"
+    condition: all
+    rules:
+      - "c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$|does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep SecureKeyboardEntry" -> r:SecureKeyboardEntry\s*=\s*1'
+
+  # 2.11 Ensure EFI Version Is Valid and Checked Regularly (Automated)
+  - id: 29034
+    title: "Ensure EFI Version Is Valid and Checked Regularly."
+    description: "In order to mitigate firmware attacks Apple has created an automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+    rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+    remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
+    compliance:
+      - cis: ["2.11"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check ->  No changes detected in primary hashes"
+      - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check ->  MBP133\.'
+      - 'c:sh -c "system_profiler SPiBridgeDataType | grep \"T2\"" -> r:Model Name: Apple T2 Security Chip'
+      - 'c:sh -c "launchctl list | grep com.apple.driver.eficheck" -> r:com.apple.driver.eficheck'
+
+  # 2.12 Audit Automatic Actions for Optical Media (Manual) - Not implemented
+  # 2.13 Audit Siri Settings (Manual) - Not implemented
+  # 2.14 Audit Sidecar Settings (Manual) - Not implemented
+  # 2.15 Audit Touch ID and Wallet & Apple Pay Settings (Manual) - Not implemented
+  # 2.16 Audit Notification System Preference Settings (Manual) - Not implemented
+  # 2.17 Audit Passwords System Preference Setting (Manual) - Not implemented
+
+  ############################################################
+  # 3 Logging and Auditing
+  ############################################################
+  # 3.1 Ensure Security Auditing Is Enabled (Automated)
+  - id: 29035
+    title: "Ensure Security Auditing Is Enabled."
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Run the following command to load auditd: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+    compliance:
+      - cis: ["3.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -i auditd" -> r:com.apple.auditd'
+
+  # 3.2 Ensure Security Auditing Flags Are Configured Per Local Organizational Requirements (Automated) - Not implemented
+
+  # 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size (Automated)
+  - id: 29036
+    title: "Ensure install.log Is Retained for 365 or More Days and No Maximum Size."
+    description: 'macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an "all_max" file limitation, no reference to a minimum retention and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information. man asl.conf - The maximum file size limitation string should be removed "all_max=" - An organization appropriate retention should be added "ttl=" - The rotation should be set with timestamps "rotate=utc" or "rotate=local"'
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    remediation: "Perform the following to ensure that install logs are retained for at least 365 days: Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:grep -i ttl /etc/asl/com.apple.install -> n:ttl=(\d+) compare > 364'
+      - "not c:grep -i all_max= /etc/asl/com.apple.install -> r:all_max="
+
+  # 3.4 Ensure Security Auditing Retention Is Enabled (Automated) - Not implemented
+
+  # 3.5 Ensure Access to Audit Records Is Controlled (Automated)
+  - id: 29037
+    title: "Ensure Access to Audit Records Is Controlled."
+    description: "The audit system on macOS writes important operational and security information that can be both useful for an attacker and a place for an attacker to attempt to obfuscate unwanted changes that were recorded. As part of defense-in-depth the /etc/security/audit_control configuration and the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files."
+    rationale: "Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated, but the authoritative files should be protected from unauthorized changes."
+    remediation: "Run the following to commands to set the audit records to the root user and wheel group: sudo chown -R root:wheel /etc/security/audit_control, sudo chmod -R o-rw /etc/security/audit_control, sudo chown -R root:wheel /var/audit/, sudo chmod -R o-rw /var/audit/ Note: It is recommended to do a thorough verification process on why the audit logs have been changed before following the remediation steps. If the system has different access controls on the audit logs, and the changes cannot be traced, a new install may be prudent. Check for signs of file tampering as well as unapproved OS changes."
+    compliance:
+      - cis: ["3.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:ls -le /etc/security/audit_control -> r:root\s*\t*wheel|root'
+      - "not c:ls -le /etc/security/audit_control -> r:[-r]{7}r-|[-r]{7}-w|[-r]{7}rw"
+      - 'c:ls -le /var/audit/ -> r:root\s*\t*wheel|root'
+      - "not c:ls -le /var/audit -> r:[-r]{7}r-|[-r]{7}-w|[-r]{7}rw"
+
+  # 3.6 Ensure Firewall Logging Is Enabled and Configured (Automated)
+  - id: 29038
+    title: "Ensure Firewall Logging Is Enabled and Configured."
+    description: 'The socketfilter firewall is what is used when the firewall is turned on in the Security Preference Pane. In order to appropriately monitor what access is allowed and denied logging must be enabled. The logging level must be set to "detailed" to be useful in monitoring connection attempts that the firewall detects. Throttled login is not sufficient for examine firewall connection attempts.'
+    rationale: "In order to troubleshoot the successes and failures of a firewall, detailed logging should be enabled."
+    remediation: "Run the following command to enable logging of the firewall: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on.  sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail."
+    compliance:
+      - cis: ["3.6"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - 'c:sh -c "system_profiler SPFirewallDataType | /usr/bin/grep Logging" -> r:Firewall Logging: Yes'
+      - "c:defaults read read /Library/Preferences/com.apple.alf.plist loggingoption -> r:^2$"
+      - 'c:sh -c "profiles -P -o stdout | grep EnableLogging" -> r:EnableLogging\s*=\s*1'
+      - 'c:sh -c "profiles -P -o stdout | grep LoggingOption" -> r:LoggingOption\s*=\s*detail'
+
+  # 3.7 Audit Software Inventory (Manual) - Not implemented
+
+  ############################################################
+  # 4 Network Configurations
+  ############################################################
+  # 4.1 Ensure Bonjour Advertising Services Is Disabled (Automated)
+  - id: 29039
+    title: "Ensure Bonjour Advertising Services Is Disabled."
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed.'
+    remediation: "Run the following command to disable Bonjour Advertising services: sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true"
+    compliance:
+      - cis: ["4.1"]
+      - cis_level: ["2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep NoMulticastAdvertisements" -> r:NoMulticastAdvertisements\s*=\s*1'
+
+  # 4.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled (Automated) - Not implemented
+  # 4.3 Audit Network Specific Locations (Manual) - Not implemented
+
+  # 4.4 Ensure HTTP Server Is Disabled (Automated)
+  - id: 29040
+    title: "Ensure HTTP Server Is Disabled."
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    remediation: "Run the following command to disable the http server services: sudo launchctl disable system/org.apache.httpd"
+    compliance:
+      - cis: ["4.4"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"org.apache.httpd\" => true''" -> 1'
+
+  # 4.5 Ensure NFS Server Is Disabled (Automated)
+  - id: 29041
+    title: "Ensure NFS Server Is Disabled."
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer."
+    rationale: "File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer."
+    remediation: "Run the following command to disable the nfsd fileserver services: sudo launchctl disable system/com.apple.nfsd. Remove the exported Directory listing:  sudo rm /etc/exports"
+    compliance:
+      - cis: ["4.5"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "f:/etc/exports"
+      - 'c:sh -c "launchctl print-disabled system | grep -c ''\"com.apple.nfsd\" => true''" -> 1'
+
+  # 4.6 Audit Wi-Fi Settings (Manual) - Not implemented
+
+  ############################################################
+  # 5 System Access, Authentication and Authorization
+  ############################################################
+  # 5.1 File System Permissions and Access Controls
+  ############################################################
+  # 5.1.1 Ensure Home Folders Are Secure (Automated) - Not implemented
+
+  # 5.1.2 Ensure System Integrity Protection Status (SIPS) Is Enabled (Automated)
+  - id: 29042
+    title: "Ensure System Integrity Protection Status (SIPS) Is Enabled."
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    remediation: "Perform the following to enable System Integrity Protection: 1. Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R) 2. Select Utilities 3. Select Terminal 4. Run the following command: sudo /usr/bin/csrutil enable Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 5. Reboot the computer"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:csrutil status -> r:^System Integrity Protection status: enabled."
+
+  # 5.1.3 Ensure Apple Mobile File Integrity Is Enabled (Automated)
+  - id: 29043
+    title: "Ensure Apple Mobile File Integrity Is Enabled."
+    description: "Apple Mobile File Integrity was first released in macOS 10.12, the daemon and service block attempts to run unsigned code. AMFI uses lanchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and library validation."
+    rationale: "Apple Mobile File Integrity (AMFI) validates that application code is validated."
+    remediation: 'Run the following command to enable the Apple Mobile File Integrity service: sudo /usr/sbin/nvram boot-args=""'
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_level: ["1"]
+    references:
+      - "https://eclecticlight.co/2018/12/29/amfi-checking-file-integrity-on-your-mac/"
+      - "https://github.com/usnistgov/macos_security/issues/39"
+      - "https://github.com/usnistgov/macos_security/issues/40"
+      - "https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/"
+    condition: all
+    rules:
+      - 'c:sh -c "nvram -p | grep -c \"amfi_get_out_of_my_way=1\"" -> 0'
+
+  # 5.1.4 Ensure Library Validation Is Enabled (Automated)
+  - id: 29044
+    title: "Ensure Library Validation Is Enabled."
+    description: "Library Validation is a security feature introduced in macOS 10.10 Yosemite. Library Validation protects processes from loading arbitrary libraries. This stops root from loading arbitrary libraries into any process (depending on SIP status),and keeps root from becoming more powerful. Security is strengthened, because some user processes can no longer be fooled to run additional code without root's explicit request, which may grant access to daemons that depend on Library Validation for secure validation of code identity."
+    rationale: "Running without Library Validation on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by Library Validation."
+    remediation: "Run the following command to set library validation: sudo /usr/bin/defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool false"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_level: ["1"]
+    references:
+      - "https://github.com/Automattic/wp-desktop/issues/790"
+      - "https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/"
+      - "http://www.newosxbook.com/articles/CodeSigning.pdf"
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -> r:^0$"
+      - 'c:sh -c "profiles -P -o stdout | grep DisableLibraryValidation" -> r:DisableLibraryValidation\s*=\s*0'
+
+  # 5.1.5 Ensure Sealed System Volume (SSV) Is Enabled (Automated)
+  - id: 29045
+    title: "Ensure Sealed System Volume (SSV) Is Enabled."
+    description: "Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur. During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume. The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system. During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree."
+    rationale: "Running without Sealed System Volume on a production system could run the risk of Apple software, that integrates directly with macOS, being modified."
+    remediation: "Perform the following to enable System Integrity Protection: 1. Reboot into the Recovery Partition (reboot and hold down Command (⌘) + R) 2. Select an administrator's account and enter that account's password 3. Select Utilities 4. Select Terminal 5. Run the following command: sudo /usr/bin/csrutil enable authenticated-root 6. Reboot the computer."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_level: ["1"]
+    references:
+      - "https://developer.apple.com/news/?id=3xpv8r2m"
+      - "https://eclecticlight.co/2020/11/30/is-big-surs-system-volume-sealed/"
+      - "https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/"
+    condition: all
+    rules:
+      - "c:csrutil authenticated-root status -> r:^Authenticated Root status: enabled"
+
+  # 5.1.6 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated)
+  - id: 29046
+    title: "Ensure Appropriate Permissions Are Enabled for System Wide Applications."
+    description: "Applications in the System Applications Directory (/Applications) should be world executable since that is their reason to be on the system. They should not be world-writable and allow any process or user to alter them for other processes or users to then execute modified versions."
+    rationale: "Unauthorized modifications of applications could lead to the execution of malicious code."
+    remediation: "Run the following command to change the permissions for each application that does not meet the requirements: sudo chmod -R o-w /Applications/<applicationname>"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'not c:find /Applications -iname "*.app" -type d -perm -2 -ls -> r:/Applications/'
+
+  # 5.1.7 Ensure No World Writable Files Exist in the System Folder (Automated)
+  - id: 29047
+    title: "Ensure No World Writable Files Exist in the System Folder."
+    description: "Software sometimes insists on being installed in the /System/Volumes/Data/SystemDirectory and have inappropriate world-writable permissions."
+    rationale: 'Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the "Drop Box" folder that is part of Apple''s default user template.'
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /System folder: sudo chmod -R o-w /Path/<baddirectory>"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'not c:find /System/Volumes/Data/System -type d -perm -2 -ls  -> r:\d+\s+/System/Volumes/Data/System'
+
+  # 5.1.8 Ensure No World Writable Files Exist in the Library Folder (Automated)
+  - id: 29048
+    title: "Ensure No World Writable Files Exist in the Library Folder."
+    description: "Software sometimes insists on being installed in the /Library Directory and have inappropriate world-writable permissions."
+    rationale: "Folders in /System/Volumes/Data/Library should not be world-writable. The audit check excludes the /System/Volumes/Data/Library/Caches and /System/Volumes/Data/Library/Preferences/Audio/Data folders where the sticky bit is set."
+    remediation: "Run the following command to set permissions so that folders are not world writable in the /System/Volumes/Data/Library folder: sudo /bin/chmod -R o-w /System/Volumes/Data/Library/<baddirectory>"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - 'not c:sh -c "find /System/Volumes/Data/Library -type d -perm -2 -ls | grep -v ''Caches|Audio''" -> r:\d+\s+/System/Volumes/Data/Library'
+
+  ############################################################
+  # 5.2 Password Management
+  ############################################################
+  # 5.2.1 Ensure Password Account Lockout Threshold Is Configured (Automated) - Not implemented
+  # 5.2.2 Ensure Password Minimum Length Is Configured (Automated) - Not implemented
+  # 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured (Manual) - Not implemented
+  # 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured (Manual) - Not implemented
+  # 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured (Manual) - Not implemented
+  # 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Manual) - Not implemented
+  # 5.2.7 Ensure Password Age Is Configured (Automated) - Not implemented
+  # 5.2.8 Ensure Password History Is Configured (Automated) - Not implemented
+
+  # 5.3 Ensure the Sudo Timeout Period Is Set to Zero (Automated)
+  - id: 29049
+    title: "Ensure the Sudo Timeout Period Is Set to Zero."
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control along with the control to use a separate timestamp for each tty limits the window where an unauthorized user, process or attacker could utilize legitimate credentials that are valid for longer than required."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    remediation: "Run the following command to edit the sudo settings: sudo visudo. Add the line 'Defaults timestamp_timeout=0' in the Override built-in defaults section. "
+    compliance:
+      - cis: ["5.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*timestamp_timeout=0'
+
+  # 5.4 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo (Automated)
+  - id: 29050
+    title: "Ensure a Separate Timestamp Is Enabled for Each User/tty Combo."
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    remediation: "Edit the /etc/sudoers file with visudo and remove !tty_tickets from any Defaults line. If there is a Default line of timestamp_type= with a value other than tty, change the value to tty If there is a file in the /etc/sudoers.d/ folder that contains Defaults !tty_tickets, edit the file and remove !tty_tickets from any Defaults line. If there is a file /etc/sudoers.d/ folder that contains a Default line of timestamp_type= with a value other than tty, change the value to tty."
+    compliance:
+      - cis: ["5.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not f:/etc/sudoers -> r:!tty_tickets"
+      - 'not d:/etc/sudoers.d -> r:\.* -> r:!tty_tickets'
+      - "not f:/etc/sudoers -> r:timestamp_type=ppid"
+      - 'not d:/etc/sudoers.d -> r:\.* -> r:timestamp_type=ppid'
+      - "not f:/etc/sudoers -> r:timestamp_type=global"
+      - 'not d:/etc/sudoers.d -> r:\.* -> r:timestamp_type=global'
+
+  # 5.5 Ensure login keychain is locked when the computer sleeps (Manual) - Not implemented
+
+  # 5.6 Ensure the "root" Account Is Disabled (Automated)
+  - id: 29051
+    title: 'Ensure the "root" Account Is Disabled'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly use the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    remediation: "Run the following command to disable the root user: sudo /usr/sbin/dsenableroot -d"
+    compliance:
+      - cis: ["5.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.7 Ensure Automatic Login Is Disabled (Automated)
+  - id: 29052
+    title: "Ensure Automatic Login Is Disabled."
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    remediation: "Run the following command to disable automatic login: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+    compliance:
+      - cis: ["5.7"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - 'not c:defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser -> r:^\w'
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser -> r:does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep com.apple.login.mcx.DisableAutoLoginClient" -> r:com.apple.login.mcx.DisableAutoLoginClient\s*=\s*1'
+
+  # 5.8 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled (Automated) - Not implemented
+  # 5.9 Ensure system is set to hibernate (Automated) - Not implemented
+
+  # 5.10 Require an administrator password to access system-wide preferences (Automated)
+  - id: 29053
+    title: "Require an administrator password to access system-wide preferences."
+    description: "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer."
+    rationale: "By requiring a password to unlock system-wide System Preferences the risk is mitigated of a user changing configurations that affect the entire system and requires an admin user to re-authenticate to make changes."
+    remediation: "The authorizationdb settings cannot be written to directly, so the plist must be exported out to temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings. Run the following commands to enable that an administrator password is required to access system-wide preferences: $ sudo security authorizationdb read system.preferences > /tmp/system.preferences.plist $ sudo defaults write /tmp/system.preferences.plist shared -bool false $ sudo security authorizationdb write system.preferences < /tmp/system.preferences.plist"
+    compliance:
+      - cis: ["5.10"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "security authorizationdb read system.preferences | grep -A1 shared | grep false" -> r:<false/>'
+
+  # 5.11 Ensure an administrator account cannot login to another user's active and locked session (Automated)
+  - id: 29054
+    title: "Ensure an administrator account cannot login to another user's active and locked session."
+    description: "macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+    rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+    remediation: "Run the following command to disable a user logging into another user's active and/or locked session: sudo security authorizationdb write system.login.screensaver use-login-window-ui"
+    compliance:
+      - cis: ["5.11"]
+      - cis_level: ["1"]
+    references:
+      - "https://derflounder.wordpress.com/2014/02/16/managing-the-authorization- database-in-os-x-mavericks/"
+      - "https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver"
+    condition: all
+    rules:
+      - 'c:sh -c "security authorizationdb read system.login.screensaver | grep -c ''use-login-window-ui''" -> 1'
+
+  # 5.12 Ensure a Custom Message for the Login Screen Is Enabled (Automated)
+  - id: 29055
+    title: "Ensure a Custom Message for the Login Screen Is Enabled."
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: 'Run the following command to enable a custom login screen message: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom.message>"'
+    compliance:
+      - cis: ["5.12"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "not c:defaults read /Library/Preferences/com.apple.loginwindow.plist LoginwindowText -> r:does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep LoginwindowText" -> r:LoginwindowText\s*=\s*"\w+'
+
+  # 5.13 Ensure a Login Window Banner Exists (Automated)
+  - id: 29056
+    title: "Ensure a Login Window Banner Exists."
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    remediation: "Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text."
+    compliance:
+      - cis: ["5.13"]
+      - cis_level: ["2"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+
+  # 5.14 Ensure Users' Accounts Do Not Have a Password Hint (Automated) - Not implemented
+
+  # 5.15 Ensure Fast User Switching Is Disabled (Manual)
+  - id: 29057
+    title: "Ensure Fast User Switching Is Disabled."
+    description: "Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit log in access many valid users can login to other user's assigned computers."
+    rationale: "Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out users can have unsaved data running in a background session that is not obvious."
+    remediation: "Run the following command to turn fast user switching off: sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false"
+    compliance:
+      - cis: ["5.15"]
+      - cis_level: ["2"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/.GlobalPreferences.plist MultipleSessionEnabled -> r:^0$|does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep MultipleSessionEnabled" -> r:MultipleSessionEnabled\s*=\s*0'
+
+  ############################################################
+  # 6 User Accounts and Environment
+  ############################################################
+  # 6.1 Accounts Preferences Action Items
+  ############################################################
+  # 6.1.1 Ensure Login Window Displays as Name and Password Is Enabled (Automated)
+  - id: 29058
+    title: "Ensure Login Window Displays as Name and Password Is Enabled."
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Run the following command to enable the login window to display name and password: sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true"
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -> r:^1$"
+      - 'c:sh -c "profiles -P -o stdout | grep SHOWFULLNAME" -> r:SHOWFULLNAME\s*=\s*1'
+
+  # 6.1.2 Ensure Show Password Hints Is Disabled (Automated)
+  - id: 29059
+    title: "Ensure Show Password Hints Is Disabled."
+    description: "Password hints are user-created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by providing information to anyone that the user provided to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    remediation: "Run the following command to disable password hints: sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow RetriesUntilHint -> r:^0$|does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep RetriesUntilHint" -> r:RetriesUntilHint\s*=\s*0'
+
+  # 6.1.3 Ensure Guest Account Is Disabled (Automated)
+  - id: 29060
+    title: "Ensure Guest Account Is Disabled."
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    remediation: "Run the following command to disable the guest account: sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$"
+      - 'c:sh -c "profiles -P -o stdout | grep DisableGuestAccount" -> r:DisableGuestAccount\s*=\s*1'
+      - 'c:sh -c "profiles -P -o stdout | grep EnableGuestAccount" -> r:EnableGuestAccount\s*=\s*0'
+
+  # 6.1.4 Ensure Guest Access to Shared Folders Is Disabled (Automated)
+  - id: 29061
+    title: "Ensure Guest Access to Shared Folders Is Disabled."
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system."
+    remediation: "Run the following commands to verify that shared folders are not accessible to guest users: sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -> r:^0$|does not exist"
+      - 'c:sh -c "profiles -P -o stdout | grep AllowGuestAccess" -> r:AllowGuestAccess\s*=\s*0'
+
+  # 6.1.5 Ensure the Guest Home Folder Does Not Exist (Automated)
+  - id: 29062
+    title: "Ensure the Guest Home Folder Does Not Exist."
+    description: "In the previous two controls the guest account login has been disabled and sharing to guests has been disabled as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folder's continued existence, it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    remediation: "Run the following command to remove the Guest user home folder: sudo /bin/rm -R /Users/Guest"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - "d:/Users/Guest"
+
+  # 6.2 Ensure Show All Filename Extensions Setting is Enabled (Automated)
+  - id: 29063
+    title: "Ensure Show All Filename Extensions Setting is Enabled."
+    description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+    rationale: "Visible filename extensions allow the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+    remediation: "Run the following command to enable displaying of file extensions: sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true"
+    compliance:
+      - cis: ["6.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$"
+
+  # 6.3 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated)
+  - id: 29064
+    title: "Ensure Automatic Opening of Safe Files in Safari Is Disabled."
+    description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+    rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+    remediation: "Run the following command to disable safe files from not opening in Safari: sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"
+    compliance:
+      - cis: ["6.3"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$"
+      - 'c:sh -c "profiles -P -o stdout | grep AutoOpenSafeDownloads" -> r:AutoOpenSafeDownloads\s*=\s*0'
diff --git a/etc/ruleset/sca/darwin/22/cis_apple_macOS_13.x.yml b/etc/ruleset/sca/darwin/22/cis_apple_macOS_13.x.yml
new file mode 100644
index 0000000000..88ab674e97
--- /dev/null
+++ b/etc/ruleset/sca/darwin/22/cis_apple_macOS_13.x.yml
@@ -0,0 +1,1537 @@
+# Security Configuration Assessment
+# CIS Checks for Apple macOS 13.x Ventura
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# SCA policy for Apple macOS 13.x Ventura based on Center for Internet Security Apple macOS 13.x Ventura Benchmark v1.0.0 - 11-14-2022
+
+policy:
+  id: "cis_macOS_13"
+  file: "cis_apple_macOS_13.x.yml"
+  name: "CIS Apple macOS 13.0 Ventura Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 13.x. This guide was tested against Apple macOS 13.x."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Apple macOS version."
+  description: "Requirements for running the SCA scan against Apple macOS 13.x Ventura."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*13\p'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:.*13\p'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*13\p'
+
+checks:
+  ##########################################################################
+  # 1 Install Updates, Patches and Additional Security Software
+  ##########################################################################
+
+  # 1.1 Ensure All Apple-provided Software Is Current. (Automated)
+  - id: 31000
+    title: "Ensure All Apple-provided Software Is Current."
+    description: 'Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update. Software updates should be run at minimum every 30 days. Run the following command to verify when software update was previously run: $ /usr/bin/sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep -e LastFullSuccessfulDate. The response should be in the last 30 days (Example): LastFullSuccessfulDate = "2020-07-30 12:45:25 +0000";.'
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    impact: "Missing patches can lead to more exploit opportunities."
+    remediation: "Graphical Method: Perform the following to install all available software updates: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select Update All Terminal Method: Run the following command to verify what packages need to be installed: $ /usr/bin/sudo /usr/sbin/softwareupdate -l The output will include the following: Software Update found the following new or updated software: Run the following command to install all the packages that need to be updated: $ /usr/bin/sudo /usr/sbin/softwareupdate -i -a -R Or run the following command to install individual packages: $ /usr/bin/sudo /usr/sbin/softwareupdate -i '<package name>' example: $ /usr/bin/sudo /usr/sbin/softwareupdate -l Software Update Tool Finding available software Software Update found the following new or updated software: * iTunesX-12.8.2 iTunes (12.8.2), 273614K [recommended] $ /usr/bin/sudo /usr/sbin/softwareupdate -i 'iTunesX-12.8.2' Software Update Tool Downloaded iTunes Installing iTunes Done with iTunes Done."
+    compliance:
+      - cis: ["1.1"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_techniques: ["T1017", "T1019", "T1031", "T1034", "T1038", "T1044", "T1053", "T1068", "T1072", "T1073", "T1075", "T1076", "T1078", "T1081", "T1088", "T1100", "T1103", "T1114", "T1137", "T1138", "T1145", "T1161", "T1176", "T1189", "T1190", "T1195", "T1210", "T1211", "T1212", "T1213", "T1214", "T1482", "T1484", "T1495", "T1505", "T1525", "T1527", "T1528", "T1530"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available."
+
+  # 1.2 Ensure Auto Update Is Enabled. (Automated)
+  - id: 31001
+    title: "Ensure Auto Update Is Enabled."
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected, background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur. http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    impact: "Without automatic update, updates may not be made in a timely manner and the system will be exposed to additional risk."
+    remediation: "Graphical Method: Perform the steps following to enable the system to automatically check for updates: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Check for updates to enabled 6. Select Done Terminal Method: Run the following command to enable auto update: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticCheckEnabled 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.2"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticCheckEnabled'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticCheckEnabled'')" -> r:\.+'
+
+  # 1.3 Ensure Download New Updates When Available Is Enabled. (Automated)
+  - id: 31002
+    title: "Ensure Download New Updates When Available Is Enabled."
+    description: 'In the GUI, both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected.'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    impact: 'If "Download new updates when available" is not selected, updates may not be made in a timely manner and the system will be exposed to additional risk.'
+    remediation: "Perform the following to enable the system to automatically check for updates: Graphical Method: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Download new updates when available to enabled 6. Select Done Terminal Method: Run the following command to enable auto update: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticDownload 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.3"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticDownload'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticDownload'')" -> r:\.+'
+
+  # 1.4 Ensure Install of macOS Updates Is Enabled. (Automated)
+  - id: 31003
+    title: "Ensure Install of macOS Updates Is Enabled."
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off simply to allow the administrator to contact users in order to verify installation. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable macOS updates to run automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install macOS updates to enabled 6. Select Done Terminal Method: Run the following command to to enable automatic checking and installing of macOS updates: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticallyInstallMacOSUpdates 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.4"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticallyInstallMacOSUpdates'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticallyInstallMacOSUpdates'')" -> r:\.+'
+
+  # 1.5 Ensure Install Application Updates from the App Store Is Enabled. (Automated)
+  - id: 31004
+    title: "Ensure Install Application Updates from the App Store Is Enabled."
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or administrator privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable App Store updates to install automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install application updates from the App Store to enabled 6. Select Done Terminal Method: Run the following command to turn on App Store auto updating: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE Note: This remediation requires a log out and log in to show in the GUI. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticallyInstallAppUpdates 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.5"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^1$"
+
+  # 1.6 Ensure Install Security Responses and System Files Is Enabled. (Automated)
+  - id: 31005
+    title: "Ensure Install Security Responses and System Files Is Enabled."
+    description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable system data files and security updates to install automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install Security Responses and System files to enabled 6. Select Done Terminal Method: Run the following commands to enable automatic checking of system data files and security updates: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is ConfigDataInstall 3. The key must be set to <true/> 4. The key to also include is CriticalUpdateInstall 5. The key must be set to <true/>."
+    references:
+      - https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-monterey/
+      - https://support.apple.com/en-us/HT202491
+      - https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web
+      - https://support.apple.com/guide/deployment/rapid-security-responses-dep93ff7ea78/1/web/1.0
+    compliance:
+      - cis: ["1.6"]
+      - cis_csc_v8: ["7.3", "7.4", "7.7"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["CA.L2-3.12.2", "RA.L2-3.11.3", "SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["11.3.1", "11.3.2", "11.3.2.1"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''ConfigDataInstall'')" && c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''CriticalUpdateInstall'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''ConfigDataInstall'')" && c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''CriticalUpdateInstall'')" -> r:\.+'
+
+  # 1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days. (Automated)
+  - id: 31006
+    title: "Ensure Software Update Deferment Is Less Than or Equal to 30 Days."
+    description: "Apple provides the capability to manage software updates on Apple devices through mobile device management. Part of those capabilities permit organizations to defer software updates and allow for testing. Many organizations have specialized software and configurations that may be negatively impacted by Apple updates. If software updates are deferred, they should not be deferred for more than 30 days. This control only verifies that deferred software updates are not deferred for more than 30 days."
+    rationale: "Apple software updates almost always include security updates. Attackers evaluate updates to create exploit code in order to attack unpatched systems. The longer a system remains unpatched, the greater an exploit possibility exists in which there are publicly reported vulnerabilities."
+    impact: "Some organizations may need more than 30 days to evaluate the impact of software updates."
+    remediation: "Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.applicationaccess 2. The key to include is enforcedSoftwareUpdateDelay 3. The key must be set to <integer><1-30></integer>."
+    references:
+      - https://support.apple.com/guide/deployment/manage-software-updates-depc4c80847a/web
+    compliance:
+      - cis: ["1.7"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''enforcedSoftwareUpdateDelay'')" -> n:^(\d+)$ compare <= 30'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''enforcedSoftwareUpdateDelay'')" -> r:\.+'
+
+  ############################################################
+  # 2 System Settings
+  ############################################################
+
+  # 2.1 Apple ID
+  # 2.1.1 iCloud
+  # 2.1.1.1 Audit iCloud Keychain (Manual) - Not implemented
+  # 2.1.1.2 Audit iCloud Drive (Manual) - Not implemented
+  # 2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is Disabled (Automated) - Not Implemented
+  # 2.1.2 Audit App Store Password Settings (Manual) - Not implemented
+  # 2.2 Network
+
+  # 2.2.1 Ensure Firewall Is Enabled. (Automated)
+  - id: 31007
+    title: "Ensure Firewall Is Enabled."
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall:."
+    rationale: "A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet."
+    impact: "The firewall may block legitimate traffic. Applications that are unsigned will require special handling."
+    remediation: "Graphical Method: Perform the following steps to turn the firewall on: 1. Open System Settings 2. Select Network 3. Select Firewall 4. Set Firewall to enabled Terminal Method: Run the following command to enable the firewall: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int <value> For the <value>, use either 1, specific services, or 2, essential services only. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.security.firewall 2. The key to include is EnableFirewall 3. The key must be set to <true/>."
+    references:
+      - "https://support.apple.com/en-us/guide/security/seca0e83763f/web"
+      - "http://support.apple.com/en-us/HT201642"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.1", "4.5", "13.1"]
+      - cis_csc_v7: ["5.1", "9.4", "9.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AU.L2-3.3.5", "AU.L2-3.3.6", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6", "SI.L2-3.14.3", "SI.L2-3.14.7"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.13.1.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AU-6(1)", "AU-7", "CM-7(1)", "CM-9", "IR-4(1)", "SA-10", "SC-7(5)", "SI-4(2)", "SI-4(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.5.3", "10.6.1", "11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "10.7", "10.7.1", "10.7.2", "10.7.3", "11.5", "2.1.1", "2.2.1"]
+      - soc_2: ["CC6.6", "CC7.1", "CC7.2", "CC8.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+      - "c:defaults read /Library/Preferences/com.apple.security.firewall EnableFirewall -> r:^1$|^2$|^true$"
+
+  # 2.2.2 Ensure Firewall Stealth Mode Is Enabled. (Automated)
+  - id: 31008
+    title: "Ensure Firewall Stealth Mode Is Enabled."
+    description: "While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    impact: "Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected. This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable."
+    remediation: "Graphical Method: Perform the following steps to enable firewall stealth mode: 1. Open System Settings 2. Select Network 3. Select Firewall 4. Select Options... 5. Set Enabled stealth mode to enabled Terminal Method: Run the following command to enable stealth mode: $ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on Stealth mode enabled Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.security.firewall 2. The key to include is EnableStealthMode 3. The key must be set to <true/> Note: This key must be set in the same configuration profile with EnableFirewall set to <true/>. If it is set in its own configuration profile, it will fail."
+    references:
+      - "http://support.apple.com/en-us/HT201642"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.1", "4.5", "4.8"]
+      - cis_csc_v7: ["5.1", "9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.4", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf stealthenabled -> r:^1$|^2$"
+      - "c:defaults read /Library/Preferences/com.apple.security.firewall EnableStealthMode -> r:^1$|^2$|^true$"
+
+  # 2.3 General
+  # 2.3.1 AirDrop & Handoff
+  # 2.3.1.1 Ensure AirDrop Is Disabled (Automated) - Not Implemented
+  # 2.3.1.2 Ensure AirPlay Receiver Is Disabled (Automated) - Not Implemented
+  # 2.3.2 Date & Time
+
+  # 2.3.2.1 Ensure Set Time and Date Automatically Is Enabled. (Automated)
+  - id: 31009
+    title: "Ensure Set Time and Date Automatically Is Enabled."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required, use the Date & Time System Preference with each server separated by a space. Additional Note: The default Apple time server is time.apple.com. Variations include time.euro.apple.com. While it is certainly more efficient to use internal time servers, there is no reason to block access to global Apple time servers or to add a time.apple.com alias to internal DNS records. There are no reports that Apple gathers any information from NTP synchronization, as the computers already phone home to Apple for Apple services including iCloud use and software updates. Best practice is to allow DNS resolution to an authoritative time service for time.apple.com, preferably to connect to Apple servers, but local servers are acceptable as well."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    impact: "The timed service will periodically synchronize with named time servers and will make the computer time more accurate."
+    remediation: "Graphical Method: Perform the following to enable the date and time to be set automatically: 1. Open System Settings 2. Select General 3. Select Date & Time 4. Set Set time and date automatically to enabled Note: By default, the operating system will use time.apple.com as the time server. You can change to any time server that meets your organization's requirements. Terminal Method: Run the following commands to enable the date and time setting automatically: $ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver <your.time.server> setNetworkTimeServer: <your.time.server> $ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on setUsingNetworkTime: On example: $ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver time.apple.com setNetworkTimeServer: time.apple.com $ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on setUsingNetworkTime: On Run the following commands if you have not set, or need to set, a new time zone: $ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones $ /usr/bin/sudo /usr/sbin/systemsetup -settimezone <selected time zone> example: $ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones Time Zones: Africa/Abidjan Africa/Accra Africa/Addis_Ababa ... $ /usr/bin/sudo /usr/sbin/systemsetup -settimezone America/New_York Set TimeZone: America/New_York."
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'c:/usr/sbin/systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.3.2.2 Ensure Time Is Set Within Appropriate Limits. (Automated)
+  - id: 31010
+    title: "Ensure Time Is Set Within Appropriate Limits."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems, the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed. If there are consistent drift issues on the OS, some of the most common drift issues should be investigated: - The chosen time server is not reachable based on network firewall rules on the current network - The computer is offline often and the battery drains, and the network is not immediately available - The chosen time server is a special internal or non-public time server that does not provide a reliable time source Note: ntpdate has been deprecated with 10.14. sntp replaces that command."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    impact: "Accurate time is required for many computer functions."
+    remediation: "Terminal Method: Run the following commands to ensure your time is set within an appropriate limit: $ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver The output will include Network Time Server: and the name of your time server example: Network Time Server: time.apple.com. $ /usr/bin/sudo /usr/bin/sntp -sS <your.time.server> example: $ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver Network Time Server: time.apple.com $ /usr/bin/sudo /usr/bin/sntp -sS time.apple.com."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+
+  # 2.3.3 Sharing
+
+  # 2.3.3.1 Ensure DVD or CD Sharing Is Disabled. (Automated)
+  - id: 31011
+    title: "Ensure DVD or CD Sharing Is Disabled."
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing, the sharing of an external optical drive persists when a drive is reconnected."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    impact: "Many Apple devices are now sold without optical drives, however drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long-term storage. To store necessary data from an optical drive it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in its original form on another form of external storage."
+    remediation: "Graphical Method: Perform the following steps to disable DVD or CD Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set DVD or CD sharing to disabled Terminal Method: Run the following command to disable DVD or CD Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.ODSAgent Note: If using the Terminal method, the GUI will still show the service checked until after a reboot."
+    compliance:
+      - cis: ["2.3.3.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.ODSAgent" -> r:^0$'
+
+  # 2.3.3.2 Ensure Screen Sharing Is Disabled. (Automated)
+  - id: 31012
+    title: "Ensure Screen Sharing Is Disabled."
+    description: "Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer. While mature administration and management does not use graphical connections for standard maintenance, most help desks have capabilities to assist users in performing their work when they have technical issues and need support. Help desks use graphical remote tools to understand what the user sees and assist them so they can get back to work. For MacOS, some of these remote capabilities can use Apple's OS tools. Control is therefore not meant to prohibit the use of a just-in-time graphical view from authorized personnel with authentication controls. Sharing should not be enabled except in narrow windows when help desk support is required."
+    rationale: "Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    impact: "Help desks may require the periodic use of a graphical connection mechanism to assist users. Any support that relies on native MacOS components will not work unless a scripted solution to enable and disable sharing as neccessary."
+    remediation: "Graphical Method: Perform the following steps to disable Screen Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Screen Sharing to disabled Terminal Method: Run the following command to turn off Screen Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing."
+    references:
+      - https://support.apple.com/guide/mac-help/turn-screen-sharing-on-or-off-mh11848/mac
+    compliance:
+      - cis: ["2.3.3.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.screensharing" -> r:^0$'
+
+  # 2.3.3.3 Ensure File Sharing Is Disabled. (Automated)
+  - id: 31013
+    title: "Ensure File Sharing Is Disabled."
+    description: "File sharing from a user workstation creates additional risks, such as: - Open ports are created that can be probed and attacked - Passwords are attached to user accounts for access that may be exposed and endanger other parts of the organizational environment, including directory accounts Increased complexity makes security more difficult and may expose additional attack vectors - Apple's File Sharing uses the Server Message Block (SMB) protocol to share to other computers that can mount SMB shares. This includes other macOS computers. Apple warns that SMB sharing stored passwords is less secure, and anyone with system access can gain access to the password for that account. When sharing with SMB, each user accessing the Mac must have SMB enabled. Storing passwords, especially copies of valid directory passwords, decrease security for the directory account and should not be used."
+    rationale: "By disabling File Sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    impact: "File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on File Sharing increases the visibility and attack surface of a system unnecessarily."
+    remediation: "Graphical Method: Perform the following steps to disable File Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set File Sharing to disabled Terminal Method: Run the following command to disable File Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd."
+    compliance:
+      - cis: ["2.3.3.3"]
+      - cis_csc_v8: ["4.1", "4.8", "5.4"]
+      - cis_csc_v7: ["4.3", "5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.3", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3", "A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.smbd" -> r:^0$'
+
+  # 2.3.3.4 Ensure Printer Sharing Is Disabled. (Automated)
+  - id: 31014
+    title: "Ensure Printer Sharing Is Disabled."
+    description: "By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Graphical Method: Perform the following steps to disable Printer Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Printer Sharing to disabled Terminal Method: Run the following command to disable Printer Sharing: $ /usr/bin/sudo /usr/sbin/cupsctl --no-share-printers."
+    compliance:
+      - cis: ["2.3.3.4"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "cupsctl | grep _share_printers | cut -d ''='' -f2" -> r:^0$'
+
+  # 2.3.3.5 Ensure Remote Login Is Disabled. (Automated)
+  - id: 31015
+    title: "Ensure Remote Login Is Disabled."
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP-based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in the Network sub-section. macOS no longer has TCP Wrappers support built in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Since most macOS computers are mobile workstations, managing IP-based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    impact: "The SSH server built into macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser, and productivity tools, should not use the same device as a server. There are Enterprise management toolsets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate administrator service accounts. For macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access including brute force attacks. There are some basic criteria that need to be considered: - Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication, directory accounts for users that don't even use the system can be locked out. - Do not use SSH key pairs when there is no insight to the security on the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key, they may not need a password or a key logger to access the SSH server. - Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark."
+    remediation: "Perform the following to disable Remote Login: Graphical Method: Perform the following steps to disable Remote Login: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Login to disabled Terminal Method: Run the following command to disable Remote Login: $ /usr/bin/sudo /usr/sbin/systemsetup -setremotelogin off Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)? Entering yes will disable remote login."
+    compliance:
+      - cis: ["2.3.3.5"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.3.3.6 Ensure Remote Management Is Disabled. (Automated)
+  - id: 31016
+    title: "Ensure Remote Management Is Disabled."
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is a major concern for mobile systems. As with other sharing options, an open port even for authorized management functions can be attacked, and both unauthorized access and Denial-of-Service vulnerabilities could be exploited. If remote management is required, the pf firewall should restrict access only to known, trusted management consoles. Remote management should not be used across the Internet without the use of a VPN tunnel."
+    rationale: "Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    impact: "Many organizations utilize ARD for client management."
+    remediation: "Graphical Method: Perform the following steps to disable Remote Management: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Management to disabled Terminal Method: Run the following command to disable Remote Management: $ /usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources /kickstart -deactivate -stop Starting... Removed preference to start ARD after reboot. Done."
+    compliance:
+      - cis: ["2.3.3.6"]
+      - cis_csc_v8: ["4.1", "4.8", "5.4"]
+      - cis_csc_v7: ["4.3", "9.2", "14.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.3", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3", "A.9.2.3"]
+      - mitre_techniques: ["T1003", "T1015", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1133", "T1134", "T1136", "T1169", "T1175", "T1176", "T1184", "T1190", "T1200", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not p:/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
+
+  # 2.3.3.7 Ensure Remote Apple Events Is Disabled. (Automated)
+  - id: 31017
+    title: "Ensure Remote Apple Events Is Disabled."
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    impact: "With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer."
+    remediation: "Graphical Method: Perform the following steps to disable Remote Apple Events: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Apple Events to disabled Terminal Method: Run the following commands to set Remote Apple Events to Off: $ /usr/bin/sudo /usr/sbin/systemsetup -setremoteappleevents off setremoteappleevents: Off."
+    compliance:
+      - cis: ["2.3.3.7"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.3.3.8 Ensure Internet Sharing Is Disabled. (Automated)
+  - id: 31018
+    title: "Ensure Internet Sharing Is Disabled."
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    impact: "Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices."
+    remediation: "Graphical Method: Perform the following steps to disable Internet Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Internet Sharing to disabled Terminal Method: Run the following command to turn off Internet Sharing: $ usr/bin/sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 Note: Using the Terminal Method will not be reflected in the GUI, but will disable the underlying service. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is forceInternetSharingOff 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.3.3.8"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''forceInternetSharingOff'')" -> r:^true$'
+
+  # 2.3.3.9 Ensure Content Caching Is Disabled. (Automated)
+  - id: 31019
+    title: "Ensure Content Caching Is Disabled."
+    description: "Starting with 10.13 (macOS High Sierra), Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints or greater bandwidth exist on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets, the effectiveness of this capability would be determined by how many Macs were on each subnet at the time new, large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity and bandwidth user endpoints should not store content and act as a cluster to provision data. Content types supported by Content Caching in macOS."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk, they add to the management complexity. Since the value of the service is in specific use cases organizations with the use case described above can accept risk as necessary."
+    impact: "This setting will adversely affect bandwidth usage between local subnets and the Internet."
+    remediation: "Graphical Method: Perform the following steps to disable Content Caching: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Content Caching to disabled Terminal Method: Run the following command to disable Content Caching: $ /usr/bin/sudo /usr/bin/AssetCacheManagerUtil deactivate The output will include Content caching deactivated Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.applicationaccess 2. The key to include is allowContentCaching 3. The key must be set to <false/>."
+    references:
+      - https://support.apple.com/guide/mac-help/about-content-caching-mchl9388ba1b/
+      - https://support.apple.com/guide/mac-help/set-up-content-caching-on-mac-mchl3b6c3720/
+    compliance:
+      - cis: ["2.3.3.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.AssetCache'').objectForKey(''Activated'')" -> r:^0$'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''allowContentCaching'')" -> r:^0$|^true$'
+
+  # 2.3.3.10 Ensure Media Sharing Is Disabled (Automated) - Not implemented
+  # 2.3.3.11 Ensure Bluetooth Sharing Is Disabled (Automated) - Not implemented
+  # 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information (Manual) - Not implemented
+  # 2.3.4 Time Machine
+
+  # 2.3.4.1 Ensure Backup Automatically is Enabled If Time Machine Is Enabled. (Automated)
+  - id: 31020
+    title: "Ensure Backup Automatically is Enabled If Time Machine Is Enabled."
+    description: 'Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur, Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. SnapshotDates = ( "2012-08-20 12:10:22 +0000", "2013-02-03 23:43:22 +0000", "2014-02-19 21:37:21 +0000", "2015-02-22 13:07:25 +0000", "2016-08-20 14:07:14 +0000" When the backup volume is connected to the computer more extensive information is available through tmutil. See man tmutil.'
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    impact: "The backup will run periodically in the background and could have user impact while running."
+    remediation: "Graphical Method: Perform the following steps to enable Time Machine automatic backup: 1. Open System Settings 2. Select General 3. Select Time Machine 4. Select Options... 5. Set Back up frequency to Automatically <every hour/every day/every week> Terminal Method: Run the following command to enable automatic backups if Time Machine is enabled: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.TimeMachine 2. The key to include is Forced 3. The key must be set to: <array> <dict> <key>mcx_preference_settings</key> <dict> <key>AutoBackup</key> <true/> </dict> </dict> </array>."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc_v8: ["11.2"]
+      - cis_csc_v7: ["10.1"]
+      - hipaa: ["164.308(a)(7)(ii)(A)"]
+      - iso_27001-2013: ["A.12.3.1"]
+      - mitre_techniques: ["T1485", "T1486", "T1487", "T1488", "T1490", "T1491"]
+      - pci_dss_v3.2.1: ["12.10.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.TimeMachine'').objectForKey(''AutoBackup'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.TimeMachine'').objectForKey(''LastDestinationID'')" -> r:^\.+$'
+
+  # 2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled. (Automated)
+  - id: 31021
+    title: "Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled."
+    description: "One of the most important security tools for data protection on macOS is FileVault. With encryption in place it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting-up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use. While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult backup volumes should be protected just like boot volumes."
+    rationale: "Backup volumes need to be encrypted."
+    remediation: "Graphical Method: Perform the following steps to enable encryption on the Time Machine drive: 1. Open System Settings 2. Select General 3. Select Time Machine 4. Select the unencrypted drive 5. Select - to forget that drive as a destination 6. Select + to add a different drive as the destination 7. Select Set Up Disk... 8. Set Encrypt Backup to enabled 9. Enter a password in the New Password and the same password in the Re-enter Password fields 10. A password hint is required, but it is recommended that you do not use any identifying information for the password Note: In macOS 12.0 Monterey and previous, the existing Time Machine drive could have encryption added without formatting it. This is no longer possible in macOS 13.0 Ventura. If you with to keep previous backups from the unencrypted volume, you will need to manually move those files over to the new encrypted drive."
+    compliance:
+      - cis: ["2.3.4.2"]
+      - cis_csc_v8: ["3.6", "3.11", "11.3"]
+      - cis_csc_v7: ["10.4", "13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "MP.L2-3.8.9", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.12.3.1", "A.6.2.1"]
+      - mitre_techniques: ["T1040", "T1070", "T1072", "T1114", "T1119", "T1145", "T1208", "T1485", "T1486", "T1487", "T1488", "T1490", "T1491", "T1492", "T1493", "T1527", "T1530"]
+      - nist_sp_800-53: ["CP-9(8)", "SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1", "9.5", "9.5.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["A1.2", "CC6.1", "CC6.4", "CC6.7"]
+    condition: all
+    rules:
+      - 'c: sh -c "defaults read /Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted" -> r:^0$'
+
+  # 2.4 Control Center
+  # 2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled (Automated) - Not implemented
+  # 2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled (Automated) - Not implemented
+  # 2.5 Siri & Spotlight
+  # 2.5.1 Audit Siri Settings (Manual) - Not Implemented
+  # 2.6 Privacy & Security
+  # 2.6.1 Location Services
+
+  # 2.6.1.1 Ensure Location Services Is Enabled. (Automated)
+  - id: 31022
+    title: "Ensure Location Services Is Enabled."
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. With the operating system verifying the location, users do not need to change the time or the time zone. The computer will change them based on the user's location. They do not need to specify their location for weather or travel times, and they will receive alerts on travel times to meetings and appointment where location information is supplied. Location Services simplify some processes with mobile computers, such as asset management and time or log management. There are some use cases where it is important that the computer not be able to report its exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location Services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Graphical Method: Perform the following steps to enable Location Services: 1. Open System Settings 2. Select Privacy & Security 3. Select Location Services 4. Set Location Services to enabled Terminal Method: Run the following command to enable Location Services: $ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist If the com.apple.locationd.plist outputs 0, run the following command to also ensure Location Services is running: $ /usr/bin/sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false $ /usr/bin/sudo /bin/launchctl kickstart -k system/com.apple.locationd Note: In some use cases, organizations may not want Location Services running. To disable Location Services, System Integrity Protection must be disabled."
+    references:
+      - "https://support.apple.com/en-us/HT204690"
+    compliance:
+      - cis: ["2.6.1.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.locationd" -> r:^1$'
+      - 'c:sudo -u _locationd /usr/bin/osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.locationd'').objectForKey(''LocationServicesEnabled'')" -> r:^1$'
+
+  # 2.6.1.2 Ensure Location Services Is in the Menu Bar. (Automated)
+  - id: 31023
+    title: "Ensure Location Services Is in the Menu Bar."
+    description: "This setting provides the user to understand the current status of Location Services and which applications are using it."
+    rationale: 'Apple has fully integrated location services into macOS. Where the computer is currently located is used for Timezones, weather, travel times, geolocation, "Find my Mac" and advertising services. This benchmark recommends that location services are enabled for most users. Many users may have occasions when they do not want to share their current locations, some users may need to rarely share their locations. The immediate availability of Location Services in the menu bar provides easy access to the current status, which applications are using the service and a quick shortcut to making changes. This setting provides better user control in managing user privacy.'
+    impact: "Users may be provided visibility to a setting they cannot control if organizations control Location Services globally by policy."
+    remediation: "Graphical Method: Perform the following steps to set whether the location services icon is in the menu bar: 1. Open System Settings 2. Select Privacy & Security 3. Select Location Services 4. Select Details... 5. Set Show location icon in menu bar when System Services request your location to your organization's parameters Terminal Method: Run the following commands to set the option of the location services icon being in the menu bar: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool <true/false>."
+    compliance:
+      - cis: ["2.6.1.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -> r:^1$|^true$"
+
+  # 2.6.1.3 Audit Location Services Access (Manual) - Not Implemented
+  # 2.6.2 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (Automated) - Not implemented
+  # 2.6.3 Ensure Limit Ad Tracking Is Enabled (Automated) - Not implemented
+
+  # 2.6.4 Ensure Gatekeeper Is Enabled. (Automated)
+  - id: 31024
+    title: "Ensure Gatekeeper Is Enabled."
+    description: "Gatekeeper is Apple's application that utilizes allowlisting to restrict downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. In an update to Gatekeeper in macOS 13 Ventura, Gatekeeper checks every application on every launch, not just quarantined apps."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Graphical Method: Perform the following steps to enable Gatekeeper: 1. Open System Settings 2. Select Privacy & Security 3. Set 'Allow apps downloaded from' to 'App Store and identified developers' Terminal Method: Run the following command to enable Gatekeeper to allow applications from App Store and identified developers: $ /usr/bin/sudo /usr/sbin/spctl --master-enable Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.systempolicy.control 2. The key to include is AllowIdentifiedDevelopers 3. The key must be set to <true/> 4. The key to also include is EnableAssessment 5. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.6.4"]
+      - cis_csc_v8: ["10.1", "10.2", "10.5"]
+      - cis_csc_v7: ["8.2", "8.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.2", "SI.L1-3.14.4"]
+      - hipaa: ["164.308(a)(5)(ii)(B)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1017", "T1019", "T1027", "T1045", "T1068", "T1072", "T1073", "T1075", "T1091", "T1100", "T1103", "T1137", "T1138", "T1189", "T1190", "T1193", "T1194", "T1195", "T1200", "T1210", "T1211", "T1212", "T1215", "T1221", "T1495"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4", "11.4", "5.1", "5.1.1", "5.2"]
+      - pci_dss_v4.0: ["5.1.1", "5.2.1", "5.2.2", "5.3.1", "5.3.2"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - "c:spctl --status -> r:^assessments enabled"
+
+  # 2.6.5 Ensure FileVault Is Enabled. (Automated)
+  - id: 31025
+    title: "Ensure FileVault Is Enabled."
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost. FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References)."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    impact: "Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it."
+    remediation: "Graphical Method: Perform the following steps to enable FileVault: 1. Open System Settings 2. Select Security & Privacy 3. Select Turn On... Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is dontAllowFDEDisable 3. The key must be set to <true/> Note: This profile is required to pass the audit."
+    references:
+      - https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/
+      - https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/
+      - https://derflounder.wordpress.com/2021/10/29/use-of-filevault-institutional-recovery-keys-no-longer-recommended-by-apple/
+    compliance:
+      - cis: ["2.6.5"]
+      - cis_csc_v8: ["3.6", "3.11"]
+      - cis_csc_v7: ["13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.6.2.1"]
+      - mitre_techniques: ["T1040", "T1070", "T1072", "T1114", "T1119", "T1145", "T1208", "T1492", "T1493", "T1527", "T1530"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:fdesetup status -> r:^FileVault is On"
+      - 'c:osascript -l JavaScript -e "osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''dontAllowFDEDisable'')" -> r:^0$'
+
+  # 2.6.6 Audit Lockdown Mode (Manual) - Not Implemented
+  # 2.6.7 Ensure an Administrator Password Is Required to Access System-Wide Preferences. (Manual)
+  - id: 31026
+    title: "Ensure an Administrator Password Is Required to Access System-Wide Preferences."
+    description: "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer."
+    rationale: "By requiring a password to unlock system-wide System Preferences, the risk is mitigated of a user changing configurations that affect the entire system and requires an admin user to re-authenticate to make changes."
+    impact: "Users will need to enter their password to unlock some additional preference panes that are unlocked by default like Network, Startup and Printers & Scanners."
+    remediation: "Graphical Method: Perform the following steps to verify that an administrator password is required to access system-wide preferences: 1. Open System Settings 2. Select Privacy & Security 3. Select Advanced 4. Set Require an administrator password to access system-wide settings to enabled. Terminal Method: The authorizationdb settings cannot be written to directly, so the plist must be exported out to temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings. Run the following commands to enable that an administrator password is required to access system-wide preferences: $ /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist YES (0) $ /usr/bin/sudo /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false $ /usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist YES (0)."
+    compliance:
+      - cis: ["2.6.7"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:security authorizationdb read system.preferences | grep -A1 shared -> r:>false<"
+
+  # 2.7 Desktop & Dock
+  # 2.7.1 Ensure Screen Saver Corners Are Secure (Automated) - Not implemented
+  # 2.8 Displays
+  # 2.8.1 Audit Universal Control Settings (Manual) - Not Implemented
+  # 2.9 Battery (Energy Saver)
+
+  # 2.9.1 Ensure Power Nap Is Disabled for Intel Macs. (Automated)
+  - id: 31027
+    title: "Ensure Power Nap Is Disabled for Intel Macs."
+    description: "Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
+    impact: "Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept."
+    remediation: "Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0."
+    compliance:
+      - cis: ["2.9.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "pmset -g custom" -> r:powernap\s*\t*1'
+
+  # 2.9.2 Ensure Wake for Network Access Is Disabled. (Automated)
+  - id: 31028
+    title: "Ensure Wake for Network Access Is Disabled."
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    impact: "Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
+    remediation: "Graphical Method: Perform the following steps to disable Wake for network access: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Wake for network access to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Options... 4. Set Wake for network access to Never Terminal Method: Run the following command to disable Wake for network access: $ /usr/bin/sudo /usr/bin/pmset -a womp 0 Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is com.apple.EnergySaver.desktop.ACPower 3. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> 4. The key to also include is com.apple.EnergySaver.portable.ACPower 5. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> 6. The key to also include is com.apple.EnergySaver.portable.BatteryPower 7. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky."
+    compliance:
+      - cis: ["2.9.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1051", "T1076", "T1133", "T1200"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'c:sh -c "pmset -g | grep -e womp" -> r:0'
+      - 'not c:sh -c "profiles -P -o stdout | grep ''Wake On LAN''" -> n:=\s*(\d) compare != 0'
+      - 'not c:sh -c "profiles -P -o stdout | grep ''Wake On Modem Ring''" -> n:=\s*(\d) compare != 0'
+
+  # 2.9.3 Ensure the OS is not Activate When Resuming from Sleep (Automated) - Not Implemented
+  # 2.10 Lock Screen
+  # 2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (Automated) - Not implemented
+  # 2.10.2 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled. (Automated)
+  - id: 31029
+    title: "Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled."
+    description: "Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use."
+    rationale: "Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
+    impact: "Without a screenlock in place anyone with physical access to the computer would be logged in and able to use the active user's session."
+    remediation: "Graphical Method: Perform the following steps to enable a password for unlock after a screen saver begins or after sleep: 1. Open System Settings 2. Select Lock Screen 3. Set Require password after screensaver begins or display is turned off to either After 0 seconds or After 5 seconds Terminal Method: Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps: $ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password> or $ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password> Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.screensaver 2. The key to include is askForPassword 3. The key must be set to <true/> 4. The key to also include is askForPasswordDelay 5. The key must be set to <integer><0,5></integer>."
+    references:
+      - "https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2"
+      - "https://github.com/rtrouton/profiles/blob/master/SetDefaultScreensaver/SetDefaultScreensaver.mobileconfig"
+    compliance:
+      - cis: ["2.10.2"]
+      - cis_csc_v8: ["4.7"]
+      - cis_csc_v7: ["4.2"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.screensaver'').objectForKey(''askForPassword'')" -> n:^(\d+)$ compare == 1'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.screensaver'').objectForKey(''askForPasswordDelay'')" -> n:^(\d+)$ compare <= 5'
+
+  # 2.10.3 Ensure a Custom Message for the Login Screen Is Enabled. (Automated)
+  - id: 31030
+    title: "Ensure a Custom Message for the Login Screen Is Enabled."
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    impact: "If users are not informed of their responsibilities, unapproved activities may occur. Users that are not approved for access may take the lack of a warning banner as implied consent to access."
+    remediation: 'Graphical Method: Perform the following steps to enable a login banner set to your organization''s required text: 1. Open System Settings 2. Select Lock Screen 3. Set Show message when locked to enabled 4. Select Set 5. Insert text in the Set a message to appear on the lock screen that matches your organization''s required text 6. Select Done Terminal Method: Run the following command to enable a custom login screen message: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom message>" example: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Center for Internet Security Test Message" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is LoginwindowText 3. The key must be set to <string><Your organization''s required text></string>.'
+    compliance:
+      - cis: ["2.10.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''LoginwindowText'')" -> r:^\.+$'
+
+  # 2.10.4 Ensure Login Window Displays as Name and Password Is Enabled. (Automated)
+  - id: 31031
+    title: "Ensure Login Window Displays as Name and Password Is Enabled."
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level, and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Graphical Method: Perform the following steps to ensure the login window display name and password: 1. Open System Settings 2. Select Lock Screen 3. Set 'Login window showstoName and Password` Terminal Method: Run the following command to enable the login window to display name and password: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true Note: The GUI will not display the updated setting until the current user(s) logs out. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is SHOWFULLNAME 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.10.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''SHOWFULLNAME'')" -> r:^1$|^true$'
+
+  # 2.10.5 Ensure Show Password Hints Is Disabled. (Automated)
+  - id: 31032
+    title: "Ensure Show Password Hints Is Disabled."
+    description: "Password hints are user-created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by displaying information provided by the user to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    impact: "The user can set the hint to any value, including the password itself or clues that allow trivial social engineering attacks."
+    remediation: "Graphical Method: Perform the following steps to disable password hints from being shown: 1. Open System Settings 2. Select Lock Screen 3. Set 'Show password hints` to disabled Terminal Method: Run the following command to disable password hints: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is RetriesUntilHint 3. The key must be set to <integer>0</integer>."
+    compliance:
+      - cis: ["2.10.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''RetriesUntilHint'')" -> r:^0$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''RetriesUntilHint'')" -> r:\w+'
+
+  # 2.11 Touch ID & Password (Login Password)
+  # 2.11.1 Ensure Users' Accounts Do Not Have a Password Hint. (Automated)
+  - id: 31033
+    title: "Ensure Users' Accounts Do Not Have a Password Hint."
+    description: "Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password."
+    rationale: "Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks."
+    remediation: "Graphical Method: Perform the following steps to remove a user's password hint: 1. Open System Settings 2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs) 3. Select Change... 4. Change the password and ensure that no text is entered in the Password hint box Note: This will only change the currently logged-in user's password, and not any others that are not compliant on the Mac. Use the terminal method if multiple users are not in compliance. Terminal Method: Run the following command to remove a user's password hint: $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/<username> hint example: $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/firstuser hint $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/seconduser hint."
+    compliance:
+      - cis: ["2.11.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'not c:dscl . -list /Users hint -> r:^\w*$'
+
+  # 2.11.2 Audit Touch ID and Wallet & Apple Pay Settings (Manual) - Not Implemented
+  # 2.12 Users & Groups
+
+  # 2.12.1 Ensure Guest Account Is Disabled. (Automated)
+  - id: 31034
+    title: "Ensure Guest Account Is Disabled."
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    impact: "A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access."
+    remediation: "Graphical Method: Perform the following steps to disable guest account availability: 1. Open System Settings 2. Select Users & Groups 3. Select the i next to the Guest User 4. Set Allow guests to log in to this computer to disabled Terminal Method: Run the following command to disable the guest account: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is DisableGuestAccount 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.12.1"]
+      - cis_csc_v8: ["5.2", "6.2", "6.8"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.4", "AC.L2-3.1.5", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - hipaa: ["164.308(a)(3)(ii)(B)", "164.308(a)(3)(ii)(C)", "164.308(a)(4)(i)", "164.308(a)(4)(ii)(C)"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - nist_sp_800-53: ["AC-2(1)", "AC-5", "AC-6", "AC-6(1)", "AC-6(7)", "AU-9(4)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["10.3.1", "2.2.2", "7.1", "7.1.1", "7.2", "7.2.1", "7.2.2", "7.2.4", "7.2.6", "7.3", "7.3.1", "7.3.2", "8.2.4", "8.2.5", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC5.2", "CC6.1", "CC6.2", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''DisableGuestAccount'')" -> r:^1$'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''GuestEnabled'')" -> r:^0$'
+
+  # 2.12.2 Ensure Guest Access to Shared Folders Is Disabled. (Automated)
+  - id: 31035
+    title: "Ensure Guest Access to Shared Folders Is Disabled."
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system."
+    impact: "Unauthorized users could access shared files on the system."
+    remediation: "Graphical Method: Perform the following steps to no longer allow guest user access to shared folders: 1. Open System Settings 2. Select Users & Groups 3. Select the i next to the Guest User 4. Set Allow guests to connect to shared folders to disabled Terminal Method: Run the following commands to verify that shared folders are not accessible to guest users: $ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off."
+    compliance:
+      - cis: ["2.12.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - "c:sysadminctl -smbGuestAccess status -> r:SMB guest access disabled"
+
+  # 2.12.3 Ensure Automatic Login Is Disabled. (Automated)
+  - id: 31036
+    title: "Ensure Automatic Login Is Disabled."
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    impact: "If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials."
+    remediation: "Graphical Method: Perform the following steps to set automatic login to off: 1. Open System Settings 2. Select Users & Groups 3. Set Automatic login in as... to Off Terminal Method: Run the following command to disable automatic login: $ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is com.apple.login.mcx.DisableAutoLoginClient 3. The key must be set to <true/> Note: If both the profile is enabled and a user is set to autologin, the profile will take precedent. In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed."
+    compliance:
+      - cis: ["2.12.3"]
+      - cis_csc_v8: ["4.7"]
+      - cis_csc_v7: ["4.2"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''com.apple.login.mcx.DisableAutoLoginClient'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''autoLoginUser'')" -> r:^\.+$'
+
+  # 2.13 Passwords
+  # 2.13.1 Audit Passwords System Preference Setting (Manual) - Not implemented
+  # 2.14 Notifications
+  # 2.14.1 Audit Notification & Focus Settings (Manual) - Not implemented
+  ##########################################################################
+  # 3 Logging and Auditing
+  ##########################################################################
+
+  # 3.1 Ensure Security Auditing Is Enabled. (Automated)
+  - id: 31037
+    title: "Ensure Security Auditing Is Enabled."
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Terminal Method: Perform the following to enable security auditing: Run the following command to load auditd: $ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["4.9", "6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1110", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.2 Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements. (Automated)
+  - id: 31038
+    title: "Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements."
+    description: "Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements."
+    rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Depending on the governing authority, organizations can have vastly different auditing requirements. In this control we have selected a minimal set of audit flags that should be a part of any organizational requirements. The flags selected below may not adequately meet organizational requirements for users of this benchmark. The auditing checks for the flags proposed here will not impact additional flags that are selected."
+    remediation: "Terminal Method: Perform the following to set the required Security Auditing Flags: Edit the /etc/security/audit_control file and add -fm, ad, -ex, aa, -fr, lo, and -fw to flags. You can also substitute -all for -fm, -ex, -fr, and -fw."
+    references:
+      - https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/
+      - https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev-1/draft/documents/sp800-179r1-draft.pdf
+      - https://www.scip.ch/en/?labs.20150108
+      - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
+      - https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc_v8: ["3.14", "8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7", "AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "11.5"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - "f:/etc/security/audit_control -> r:^flags && r:-fm && r:-ex && r:ad && r:aa && r:lo && r:-fr && r:-fw"
+      - "f:/etc/security/audit_control -> r:^flags && r:-all && r:ad && r:aa && r:lo"
+
+  # 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size. (Automated)
+  - id: 31039
+    title: "Ensure install.log Is Retained for 365 or More Days and No Maximum Size."
+    description: 'macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an "all_max" file limitation, no reference to a minimum retention, and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information. man asl.conf - The maximum file size limitation string should be removed "all_max=" - An organization appropriate retention should be added "ttl=" - The rotation should be set with timestamps "rotate=utc" or "rotate=local".'
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    impact: "Without log files system maintenance and security forensics cannot be properly performed."
+    remediation: "Terminal Method: Perform the following to ensure that install logs are retained for at least 365 days: Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc_v8: ["8.1", "8.3"]
+      - cis_csc_v7: ["6.4", "6.7"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - pci_dss_v4.0: ["10.1", "10.1.1"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/asl/com.apple.install -> n:^\s*ttl=(\d+) compare > 364'
+      - 'not f:/etc/asl/com.apple.install -> r:^\s*all_max='
+
+  # 3.4 Ensure Security Auditing Retention Is Enabled. (Automated)
+  - id: 31040
+    title: "Ensure Security Auditing Retention Is Enabled."
+    description: "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records. Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following: expire-after:60d OR 5G This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required."
+    rationale: "The audit records need to be retained long enough to be reviewed as necessary."
+    impact: "The recommendation is that at least 60 days or 5 gigabytes of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data."
+    remediation: "Terminal Method: Perform the following to set the audit retention length: Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 5G."
+    compliance:
+      - cis: ["3.4"]
+      - cis_csc_v8: ["8.1", "8.3"]
+      - cis_csc_v7: ["6.4", "6.7"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - pci_dss_v4.0: ["10.1", "10.1.1"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*(\d+)s OR \d+\w compare => 5184000'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*(\d+)h OR \d+\w compare => 1440'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*(\d+)d OR \d+\w compare => 60'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*(\d+)y OR \d+\w compare => 1'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*\d+\w OR (\d+)b compare => 5368709120'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*\d+\w OR (\d+)k compare => 5242880'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*\d+\w OR (\d+)m compare => 5120'
+      - 'f:/etc/security/audit_control -> n:^expire-after:\s*\d+\w OR (\d+)g compare => 5'
+
+  # 3.5 Ensure Access to Audit Records Is Controlled (Automated) - Not implemented
+  # 3.6 Ensure Firewall Logging Is Enabled and Configured (Automated) - Not implemented
+  # 3.7 Audit Software Inventory (Manual) - Not Implemented
+
+  ##########################################################################
+  # 4 Network Configurations
+  ##########################################################################
+
+  # 4.1 Ensure Bonjour Advertising Services Is Disabled. (Automated)
+  - id: 31041
+    title: "Ensure Bonjour Advertising Services Is Disabled."
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly-configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices, the pf or other firewall would be needed.'
+    impact: "Some applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the mDNSResponder is turned off."
+    remediation: "Terminal Method: Run the following command to disable Bonjour Advertising services: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mDNSResponder 2. The key to include is NoMulticastAdvertisements."
+    compliance:
+      - cis: ["4.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.mDNSResponder'').objectForKey(''NoMulticastAdvertisements'')" -> r:^1$'
+
+  # 4.2 Ensure HTTP Server Is Disabled. (Automated)
+  - id: 31042
+    title: "Ensure HTTP Server Is Disabled."
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache, however, is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    impact: "The web server is both a point of attack for the system and a means for unauthorized file transfers."
+    remediation: "Terminal Method: Run the following command to disable the HTTP server services: $ sudo /usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist."
+    references:
+      - https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230793
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not c:launchctl list -> r:org.apache.httpd"
+
+  # 4.3 Ensure NFS Server Is Disabled. (Automated)
+  - id: 31043
+    title: "Ensure NFS Server Is Disabled."
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer. The etc/exports file contains the list of NFS shared directories. If the file exists, it is likely that NFS sharing has been enabled in the past or may be available periodically. As an additional check, the audit verifies that there is no /etc/exports file."
+    rationale: "File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer."
+    impact: "The nfs server is both a point of attack for the system and a means for unauthorized file transfers."
+    remediation: "Terminal Method: Run the following command to disable the nfsd fileserver services: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd Remove the exported Directory listing. $ /usr/bin/sudo /bin/rm /etc/exports."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - mitre_techniques: ["T1003", "T1011", "T1015", "T1017", "T1019", "T1028", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1051", "T1053", "T1054", "T1055", "T1058", "T1067", "T1070", "T1072", "T1073", "T1075", "T1076", "T1077", "T1078", "T1080", "T1081", "T1084", "T1086", "T1087", "T1088", "T1089", "T1092", "T1096", "T1097", "T1098", "T1100", "T1110", "T1112", "T1130", "T1133", "T1134", "T1136", "T1137", "T1138", "T1139", "T1142", "T1145", "T1146", "T1147", "T1148", "T1150", "T1156", "T1157", "T1165", "T1166", "T1169", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1184", "T1187", "T1190", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1206", "T1208", "T1209", "T1210", "T1214", "T1215", "T1218", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1494", "T1495", "T1501", "T1503", "T1504", "T1505", "T1506", "T1525", "T1530", "T1535", "T1537", "T1539"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not c:launchctl list -> r:com.apple.nfsd"
+      - "not f:/etc/exports"
+
+  ##########################################################################
+  # 5 System Access, Authentication and Authorization
+  ##########################################################################
+
+  # 5.1 File System Permissions and Access Controls
+  - id: 31044
+    title: "Ensure Home Folders Are Secure."
+    description: 'By default, macOS allows all valid users into the top level of every other user''s home folder and restricts access to the Apple default folders within. Another user on the same system can see you have a "Documents" folder but cannot see inside it. This configuration does work for personal file sharing but can expose user files to standard accounts on the system. The best parallel for Enterprise environments is that everyone who has a Dropbox account can see everything that is at the top level but can''t see your pictures. Similarly with macOS, users can see into every new Directory that is created because of the default permissions. Home folders should be restricted to access only by the user. Sharing should be used on dedicated servers or cloud instances that are managing access controls. Some environments may encounter problems if execute rights are removed as well as read and write. Either no access or execute only for group or others is acceptable.'
+    rationale: "Allowing all users to view the top level of all networked users' home folder may not be desirable since it may lead to the revelation of sensitive information."
+    impact: 'If implemented, users will not be able to use the "Public" folders in other users'' home folders. "Public" folders with appropriate permissions would need to be set up in the /Shared folder.'
+    remediation: "Terminal Method: For each user, run the following command to secure all home folders: $ /usr/bin/sudo /bin/chmod -R og-rwx /Users/<username> Alternately, run the following command if there needs to be executable access for a home folder: $ /usr/bin/sudo /bin/chmod -R og-rw /Users/<username> example: $ /usr/bin/sudo /bin/chmod -R og-rw /Users/thirduser/ $ /usr/bin/sudo /bin/chmod -R og-rwx /Users/fourthuser/ # /bin/ls -l /Users/ total 0 drwxr-xr-x+ 12 Guest _guest 384 24 Jul 13:42 Guest drwxrwxrwt 4 root wheel 128 22 Jul 11:00 Shared drwx--x--x+ 18 firstuser staff 576 10 Aug 14:36 firstuser drwx--x--x+ 15 seconduser staff 480 10 Aug 09:16 seconduser drwx--x--x+ 11 thirduser staff 352 10 Aug 14:53 thirduser drwx------+ 11 fourthuser staff 352 10 Aug 14:53 fourthuser."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1004", "T1015", "T1021", "T1023", "T1031", "T1034", "T1035", "T1036", "T1037", "T1044", "T1047", "T1050", "T1051", "T1053", "T1054", "T1070", "T1072", "T1073", "T1075", "T1076", "T1078", "T1080", "T1081", "T1084", "T1089", "T1096", "T1097", "T1133", "T1134", "T1145", "T1146", "T1150", "T1152", "T1156", "T1157", "T1159", "T1160", "T1162", "T1163", "T1165", "T1168", "T1169", "T1184", "T1185", "T1196", "T1197", "T1198", "T1200", "T1209", "T1213", "T1484", "T1489", "T1492", "T1494", "T1501", "T1504", "T1528", "T1530", "T1537", "T1538"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'not c:sh -c "ls -l /Users | grep -v total" -> !r:^drwx------ && !r:^drwx--x--x'
+
+  # 5.1.1 Ensure Home Folders Are Secure. (Automated) - Not Implemented
+
+  # 5.1.2 Ensure System Integrity Protection Status (SIP) Is Enabled. (Automated)
+  - id: 31045
+    title: "Ensure System Integrity Protection Status (SIP) Is Enabled."
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    impact: "System binaries and processes could become compromised."
+    remediation: "Terminal Method: Perform the following steps to enable System Integrity Protection: 1. Reboot into the Recovery Partition (reboot and hold down Command + R) 2. Select Utilities 3. Select Terminal 4. Run the following command: $ /usr/bin/sudo /usr/bin/csrutil enable Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 5. Reboot the computer Note: You should research why the system had SIP disabled. It might be a better option to erase the Mac and reinstall the operating system. That is at your discretion. Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition the output will give the error csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS."
+    references:
+      - https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
+      - https://support.apple.com/en-us/HT204899
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["2.3", "2.6", "10.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-7(1)", "CM-7(2)", "CM-8(3)", "SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - pci_dss_v4.0: ["1.2.5", "12.3.4", "2.2.4"]
+      - soc_2: ["CC5.2", "CC6.8", "CC7.1"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+    condition: all
+    rules:
+      - "c:csrutil status -> r:^System Integrity Protection status: enabled."
+
+  # 5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled. (Automated)
+  - id: 31046
+    title: "Ensure Apple Mobile File Integrity (AMFI) Is Enabled."
+    description: "Apple Mobile File Integrity (AMFI) was first released in macOS 10.12. The daemon and service block attempts to run unsigned code. AMFI uses lanchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and library validation."
+    rationale: "Apple Mobile File Integrity validates that application code is validated."
+    impact: "Applications could be compromised with malicious code."
+    remediation: 'Terminal Method: Run the following command to enable the Apple Mobile File Integrity service: $ /usr/bin/sudo /usr/sbin/nvram boot-args="".'
+    references:
+      - https://eclecticlight.co/2018/12/29/amfi-checking-file-integrity-on-your-mac/
+      - https://github.com/usnistgov/macos_security/issues/39
+      - https://github.com/usnistgov/macos_security/issues/40
+      - https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["2.3", "2.6"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-7(1)", "CM-7(2)", "CM-8(3)"]
+      - pci_dss_v4.0: ["1.2.5", "12.3.4", "2.2.4"]
+      - soc_2: ["CC5.2", "CC7.1"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+    condition: all
+    rules:
+      - "not c:nvram -p -> r:amfi_get_out_of_my_way=1"
+
+  # 5.1.4 Ensure Sealed System Volume (SSV) Is Enabled. (Automated)
+  - id: 31047
+    title: "Ensure Sealed System Volume (SSV) Is Enabled."
+    description: "Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur. During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume. The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system. During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree."
+    rationale: "Running without Sealed System Volume on a production system could run the risk of Apple software that integrates directly with macOS being modified."
+    impact: "Apple Software that integrates with the operating system could become compromised."
+    remediation: "If SSV has been disabled, assume that the operating system has been compromised. Back up any files, and do a clean install to a known good Operating System."
+    references:
+      - https://developer.apple.com/news/?id=3xpv8r2m
+      - https://eclecticlight.co/2020/11/30/is-big-surs-system-volume-sealed/
+      - https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/
+      - https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.6", "3.11"]
+      - cis_csc_v7: ["13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.6.2.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1527", "T1119", "T1530", "T1114", "T1070", "T1208", "T1040", "T1145", "T1492", "T1493", "T1072"]
+    condition: all
+    rules:
+      - "c:csrutil authenticated-root status -> r:^Authenticated Root status: enabled"
+
+  # 5.1.5 Ensure Appropriate Permissions Are Enabled for System Wide Applications (Automated) - Not implemented
+  # 5.1.6 Ensure No World Writable Files Exist in the System Folder (Automated) - Not implemented
+  # 5.1.7 Ensure No World Writable Files Exist in the Library Folder (Automated) - Not implemented
+
+  # 5.2 Password Management
+
+  # 5.2.1 Ensure Password Account Lockout Threshold Is Configured. (Automated)
+  - id: 31048
+    title: "Ensure Password Account Lockout Threshold Is Configured."
+    description: "The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer."
+    rationale: "The account lockout feature mitigates brute-force password attacks on the system."
+    impact: "The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on. The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered."
+    remediation: 'Terminal Method: Run the following command to set the maximum number of failed login attempts to less than or equal to 5: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"maxFailedLoginAttempts=<value=<5>\" Note: When the account lockout threshold is set with pwpolicy, it will also set a reset value to policyAttributeMinutesUntilFailedAuthenticationReset that defaults to 1 minute. You can change this value with the command: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"policyAttributeMinutesUntilFailedAuthenticationReset=<value in minutes>\" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"maxFailedLoginAttempts=5\" /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"policyAttributeMinutesUntilFailedAuthenticationReset=10\" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is maxFailedAttempts 3. The key must be set to <integer><value<=5></integer> Note: When setting the lockout threshold with a mobile configuration profile there is no default reset to the lockout. To set the reset value use the key autoEnableInSeconds and set the key to <integer><value in seconds></integer>. Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    references:
+      - CIS Password Policy - https://workbench.cisecurity.org/communities/113
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+      - mitre_techniques: ["T1134", "T1197", "T1538", "T1530", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1076", "T1021", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:maxFailedLoginAttempts=(\d+) compare < 6'
+
+  # 5.2.2 Ensure Password Minimum Length Is Configured. (Automated)
+  - id: 31049
+    title: "Ensure Password Minimum Length Is Configured."
+    description: "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements. Ensure that a minimum of a 15-character password is part of the password policy on the computer. Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating."
+    rationale: "Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system."
+    impact: "Short passwords can be easily attacked."
+    remediation: 'Terminal Method: Run the following command to set the password length to greater than or equal to 15: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"minChars=<value>=15>\" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy \"minChars=15\" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is minLength 3. The key must be set to <integer><value>=15></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:minChars=(\d+) compare > 14'
+
+  # 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured. (Manual)
+  - id: 31050
+    title: "Ensure Complex Password Must Contain Alphabetic Characters Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that an Alphabetic character is part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set the that passwords must contain at least one letter: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy - setaccountpolicies "requiresAlpha=<value>=1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresAlpha=1" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is requireAlphanumeric 3. The key must be set to <true/> Note: This profile sets a requirement of both an alphabetical and a numeric character. Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - "c:pwpolicy -getaccountpolicies -> r:Contain at least one number and one alphabetic character."
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumLetters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured. (Manual)
+  - id: 31051
+    title: "Ensure Complex Password Must Contain Numeric Character Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a number or numeric value is part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set passwords to require at least one number: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy - setaccountpolicies "requiresNumeric=<value>=1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresNumeric=2" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is requireAlphanumeric 3. The key must be set to <true/> Note: This profile sets a requirement of both an alphabetical and a numeric character. Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - "c:pwpolicy -getaccountpolicies -> r:Contain at least one number and one alphabetic character."
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumNumericCharacters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured (Manual) - Not Implemented
+
+  # 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured (Manual)
+  - id: 31052
+    title: "Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that both uppercase and lowercase letters are part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set passwords to require at upper and lower case letter: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=<value>=1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=1".'
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1003", "T1017", "T1019", "T1028", "T1035", "T1047", "T1051", "T1053", "T1055", "T1067", "T1072", "T1075", "T1076", "T1077", "T1078", "T1084", "T1086", "T1088", "T1097", "T1098", "T1100", "T1134", "T1136", "T1169", "T1175", "T1184", "T1190", "T1206", "T1208", "T1210", "T1214", "T1215", "T1218", "T1495", "T1501", "T1505", "T1525"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumMixedCaseCharacters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.7 Ensure Password Age Is Configured. (Automated)
+  - id: 31053
+    title: "Ensure Password Age Is Configured."
+    description: "Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts."
+    rationale: "Passwords should be changed periodically to reduce exposure."
+    impact: "Required password changes will lead to some locked computers requiring admin assistance."
+    remediation: 'Terminal Method: Run the following command to require that passwords expire after at most 365 days: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=<value<=525600>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=43200" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is maxPINAgeInDays 3. The key must be set to <integer><value>=365></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.3"]
+      - cis_csc_v7: ["16.9"]
+      - cmmc_v2.0: ["IA.L2-3.5.6"]
+      - nist_sp_800-53: ["AC-2(3)"]
+      - pci_dss_v3.2.1: ["8.1.4"]
+      - pci_dss_v4.0: ["8.3.7"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078", "T1134", "T1197", "T1538", "T1089", "T1157", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1050", "T1075", "T1097", "T1163", "T1021", "T1489", "T1051", "T1023", "T1165", "T1501", "T1072", "T1537", "T1047", "T1084", "T1004"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:maxMinutesUntilChangePassword=(\d+) compare < 525601'
+
+  # 5.2.8 Ensure Password History Is Configured. (Automated)
+  - id: 31054
+    title: "Ensure Password History Is Configured."
+    description: "Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users must reset passwords periodically. This control ensures that previous passwords are not reused immediately by keeping a history of previous password hashes. Ensure that password history checks are part of the password policy on the computer. This control checks whether a new password is different than the previous 15. The latest NIST guidance based on exploit research referenced in this section details how one of the greatest risks is password exposure rather than password cracking. Passwords should be changed to a new unique value whenever a password might have been exposed to anyone other than the account holder. Attackers have maintained persistent control based on predictable password change patterns and substantially different patterns should be used in case of a leak."
+    rationale: "Old passwords should not be reused."
+    impact: "Required password changes will lead to some locked computers requiring admin assistance."
+    remediation: 'Terminal Method: Run the following command to require that the password must to be different from at least the last 15 passwords: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=<value>=15>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=15" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is pinHistory 3. The key must be set to <integer><value>=15></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:usingHistory=(\d+) compare > 14'
+
+  # 5.3 Encryption
+
+  # 5.3.1 Ensure all user storage APFS volumes are encrypted (Manual) - Not Implemented
+  # 5.3.2 Ensure all user storage CoreStorage volumes are encrypted (Manual) - Not Implemented
+
+  # 5.4 Ensure the Sudo Timeout Period Is Set to Zero. (Automated)
+  - id: 31055
+    title: "Ensure the Sudo Timeout Period Is Set to Zero."
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    impact: "This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period. In some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password."
+    remediation: "Terminal Method: Run the following command to edit the sudo settings: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name> example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a . so do not add a file extension to the configuration file. Add the line Defaults timestamp_timeout=0 to the configuration file. If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group: $ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/."
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+      - mitre_techniques: ["T1110", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: all
+    rules:
+      - "c:sudo -V -> r:Authentication timestamp timeout: 0.0 minutes"
+      - "c:stat /etc/sudoers.d -> r:root wheel"
+
+  # 5.5 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo. (Automated)
+  - id: 31056
+    title: "Ensure a Separate Timestamp Is Enabled for Each User/tty Combo."
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    impact: "This control should have no user impact. Developers or installers may have issues if background processes are spawned with different interfaces than where sudo was executed."
+    remediation: "Terminal Method: Run the following command to edit the sudo settings: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name> example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a . so do not add a file extension to the configuration file. Add the line Defaults timestamp_type=tty to the configuration file. Note: The Defaults timestamp_type=tty line can be added to an existing configuration file or a new one. That will depend on your organization's preference and works either way."
+    references:
+      - https://github.com/jorangreef/sudo-prompt/issues/33
+    compliance:
+      - cis: ["5.5"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+      - mitre_techniques: ["T1110", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: all
+    rules:
+      - "c:sudo -V -> r:Type of authentication timestamp record: tty"
+
+  # 5.6 Ensure the "root" Account Is Disabled. (Automated)
+  - id: 31057
+    title: 'Ensure the "root" Account Is Disabled.'
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some versions of Linux, the system administrator may commonly use the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    impact: "Some legacy POSIX software might expect an available root account."
+    remediation: "Graphical Method: Perform the following steps to ensure that the root user is disabled: 1. Open /System/Library/CoreServices/Applications/Directory Utility 2. Click the lock icon to unlock the service 3. Click Edit in the menu bar 4. Click Disable Root User Terminal Method: Run the following command to disable the root user: $ /usr/bin/sudo /usr/sbin/dsenableroot -d username = root user password:."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session. (Automated)
+  - id: 31058
+    title: "Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session."
+    description: "macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+    rationale: "Disabling the administrator's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+    impact: "While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows."
+    remediation: "Terminal Method: Run the following command to disable a user logging into another user's active and/or locked session: $ /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui YES (0)."
+    references:
+      - https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/
+      - https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+      - mitre_techniques: ["T1110", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+    condition: all
+    rules:
+      - "c:security authorizationdb read system.login.screensaver -> r:use-login-window-ui"
+
+  # 5.8 Ensure a Login Window Banner Exists. (Automated)
+  - id: 31059
+    title: "Ensure a Login Window Banner Exists."
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    impact: "Users will have to click on the window with the Login text before logging into the computer."
+    remediation: "Terminal Method: Run the following commands to create or edit the login window text and set the proper permissions: Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text. Perform the following to set permissions on the policy banner file: $ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.txt $ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.rtf Note: If your organization uses an .rtfd file to set the policy banner, run $ /usr/bin/sudo /usr/sbin/chown -R o+rx /Library/Security/PolicyBanner.rtfd to update the permissions."
+    references:
+      - https://support.apple.com/en-au/HT202277
+    compliance:
+      - cis: ["5.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+      - 'c:stat -f %A /Library/Security/PolicyBanner.* -> r:\d\d4'
+
+  # 5.9 Ensure Legacy EFI Is Valid and Updating (Automated) - Not implemented
+
+  # 5.10 Ensure the Guest Home Folder Does Not Exist. (Automated)
+  - id: 31060
+    title: "Ensure the Guest Home Folder Does Not Exist."
+    description: "In the previous two controls, the guest account login has been disabled and sharing to guests has been disabled, as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed, you have the option to archive it, leave it in place, or delete. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed, it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders, as well. Rather than ignoring the folder's continued existence, it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    impact: "The Guest account should not be necessary after it is disabled, and it will be automatically re-created if the Guest account is re-enabled."
+    remediation: "Terminal Method: Run the following command to remove the Guest user home folder: $ /usr/bin/sudo /bin/rm -R /Users/Guest."
+    compliance:
+      - cis: ["5.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+    condition: all
+    rules:
+      - "not d:/Users/Guest"
+
+  ##########################################################################
+  # 6 Applications
+  ##########################################################################
+
+  # 6.1 Finder
+
+  # 6.1.1 Ensure Show All Filename Extensions Setting is Enabled (Automated) - Not implemented
+
+  # 6.2 Mail
+
+  # 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled (Manual) - Not Implemented
+
+  # 6.3 Safari
+
+  # 6.3.1 Ensure Automatic Opening of Safe Files in Safari Is Disabled (Automated) - Not implemented
+  # 6.3.2 Audit History and Remove History Items (Manual) - Not implemented
+  # 6.3.3 Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled (Automated) - Not implemented
+  # 6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled (Automated) - Not implemented
+  # 6.3.5 Audit Hide IP Address in Safari Setting (Manual) - Not implemented
+  # 6.3.6 Ensure Advertising Privacy Protection in Safari Is Enabled (Automated) - Not implemented
+  # 6.3.7 Ensure Show Full Website Address in Safari Is Enabled (Automated) - Not implemented
+
+  # 6.4 Terminal
+
+  # 6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled (Automated) - Not implemented
diff --git a/etc/ruleset/sca/darwin/23/cis_apple_macOS_14.x.yml b/etc/ruleset/sca/darwin/23/cis_apple_macOS_14.x.yml
new file mode 100644
index 0000000000..7269a85f08
--- /dev/null
+++ b/etc/ruleset/sca/darwin/23/cis_apple_macOS_14.x.yml
@@ -0,0 +1,1452 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Mac0S 14 Sonoma Benchmark v1.0.0 - 10-16-2023
+
+policy:
+  id: "cis_macOS_14.0_Sonoma.yml"
+  file: "cis_macOS_14.0_Sonoma.yml"
+  name: "CIS_Apple_macOS_14.0_Sonoma_Benchmark_v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for MacOS 14 Sonoma systems."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check MacOS 14 Sonoma platform."
+  description: "Requirements for running the policy against MacOS 14 Sonoma."
+  condition: any
+  rules:
+    - 'c:sw_vers -> r:^ProductVersion:\t*\s*14\p'
+    - 'c:system_profiler SPSoftwareDataType -> r:System Version:.*14\p'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*14\p'
+
+checks:
+  # 1.1 Ensure All Apple-provided Software Is Current. (Automated)
+  - id: 34000
+    title: "Ensure All Apple-provided Software Is Current."
+    description: 'Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update. Software updates should be run at minimum every 30 days. Run the following command to verify when software update was previously run: $ /usr/bin/sudo defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep -e LastFullSuccessfulDate. The response should be in the last 30 days (Example): LastFullSuccessfulDate = "2020-07-30 12:45:25 +0000";.'
+    rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+    impact: "Installation of updates can be disruptive to the users especially if an restart is required. Major updates need to be applied after creating an organizational patch policy. It is also advised to run updates and forced restarts during system downtime and not while in active use."
+    remediation: 'Graphical Method: Perform the following to install all available software updates: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select Update All Terminal Method: Run the following command to verify what packages need to be installed: $ /usr/bin/sudo /usr/sbin/softwareupdate -l The output will include the following: Software Update found the following new or updated software: Run the following command to install all the packages that need to be updated: To install all updates run the command: $ /usr/bin/sudo /usr/sbin/softwareupdate -i -a Or run the following command to install individual packages: $ /usr/bin/sudo /usr/sbin/softwareupdate -i ''<package name>'' Note: If one of the software updates listed includes Action: restart, then you must attach the -R flag to force a system restart. If the system update is complete but no restart occurs, then the system is in an unknown state that requires a future restart. It is advised to run updates and forced restarts during system downtime and not while in active use. example: $ /usr/bin/sudo /usr/sbin/softwareupdate -l Software Update Tool Finding available software Software Update found the following new or updated software: * Label: ProVideoFormats-2.2.7 Title: Pro Video Formats, Version: 2.2.7, Size: 9693KiB, Recommended: YES, * Label: Command Line Tools for Xcode-15.0 Title: Command Line Tools for Xcode, Version: 15.0, Size: 721962KiB, Recommended: YES, $ /usr/bin/sudo /usr/sbin/softwareupdate -i ''ProVideoFormats-2.2.7'' Software Update Tool Finding available software Attempting to quit apps: ( "com.apple.Compressor" ) Waiting for user to quit any relevant apps Successfully quit all apps Downloaded Pro Video Formats Installing Pro Video Formats Done with Pro Video Formats Done. In the above example, if a restart was required, the command to remediate would be /usr/bin/sudo /usr/sbin/softwareupdate -i ''ProVideoFormats-2.2.7'' -R.'
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf"
+    compliance:
+      - cis: ["1.1"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "c:softwareupdate -l -> r:No new software available."
+
+  # 1.2 Ensure Auto Update Is Enabled. (Automated)
+  - id: 34001
+    title: "Ensure Auto Update Is Enabled."
+    description: 'Auto Update verifies that your system has the newest security patches and software updates. If "Automatically check for updates" is not selected, background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur. http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/.'
+    rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+    impact: "Without automatic update, updates may not be made in a timely manner and the system will be exposed to additional risk."
+    remediation: "Graphical Method: Perform the following steps to enable the system to automatically check for updates: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Check for updates to enabled 6. Select Done Terminal Method: Run the following command to enable auto update: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticCheckEnabled 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.2"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticCheckEnabled'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticCheckEnabled'')" -> r:\.+'
+
+  # 1.3 Ensure Download New Updates When Available Is Enabled. (Automated)
+  - id: 34002
+    title: "Ensure Download New Updates When Available Is Enabled."
+    description: 'In the GUI, both "Install macOS updates" and "Install app updates from the App Store" are dependent on whether "Download new updates when available" is selected.'
+    rationale: "It is important that a system has the newest updates downloaded so that they can be applied."
+    impact: 'If "Download new updates when available" is not selected, updates may not be made in a timely manner and the system will be exposed to additional risk.'
+    remediation: "Perform the following to enable the system to automatically check for updates: Graphical Method: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Download new updates when available to enabled 6. Select Done Terminal Method: Run the following command to enable auto update: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticDownload 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.3"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticDownload'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticDownload'')" -> r:\.+'
+
+  # 1.4 Ensure Install of macOS Updates Is Enabled. (Automated)
+  - id: 34003
+    title: "Ensure Install of macOS Updates Is Enabled."
+    description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off simply to allow the administrator to contact users in order to verify installation. A dependable, repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable macOS updates to run automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install macOS updates to enabled 6. Select Done Terminal Method: Run the following command to to enable automatic checking and installing of macOS updates: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool TRUE Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticallyInstallMacOSUpdates 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.4"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticallyInstallMacOSUpdates'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''AutomaticallyInstallMacOSUpdates'')" -> r:\.+'
+
+  # 1.5 Ensure Install Application Updates from the App Store Is Enabled. (Automated)
+  - id: 34004
+    title: "Ensure Install Application Updates from the App Store Is Enabled."
+    description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or administrator privileges for end users."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable App Store updates to install automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install application updates from the App Store to enabled 6. Select Done Terminal Method: Run the following command to turn on App Store auto updating: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE Note: This remediation requires a log out and log in to show in the GUI. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is AutomaticallyInstallAppUpdates 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["1.5"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^1$"
+
+  # 1.6 Ensure Install Security Responses and System Files Is Enabled. (Automated)
+  - id: 34005
+    title: "Ensure Install Security Responses and System Files Is Enabled."
+    description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper. With this setting in place, new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights. Apple has introduced a security feature that allows for smaller downloads and the installation of security updates when a reboot is not required. This feature is only available when the last regular update has already been applied. This feature emphasizes that a Mac must be up-to-date on patches so that Apple's security tools can be used to quickly patch when a rapid response is necessary."
+    rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited."
+    impact: "Unpatched software may be exploited."
+    remediation: "Graphical Method: Perform the following steps to enable system data files and security updates to install automatically: 1. Open System Settings 2. Select General 3. Select Software Update 4. Select the i 5. Set Install Security Responses and System files to enabled 6. Select Done Terminal Method: Run the following commands to enable automatic checking of system data files and security updates: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.SoftwareUpdate 2. The key to include is ConfigDataInstall 3. The key must be set to <true/> 4. The key to also include is CriticalUpdateInstall 5. The key must be set to <true/>."
+    references:
+      - "https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-monterey/"
+      - "https://support.apple.com/en-us/HT202491"
+      - "https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web"
+      - "https://support.apple.com/guide/deployment/rapid-security-responses-dep93ff7ea78/1/web/1.0"
+    compliance:
+      - cis: ["1.6"]
+      - cis_csc_v8: ["7.3", "7.4", "7.7"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["CA.L2-3.12.2", "RA.L2-3.11.3", "SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["11.3.1", "11.3.2", "11.3.2.1"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''ConfigDataInstall'')" -> r:^1$'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.SoftwareUpdate'').objectForKey(''CriticalUpdateInstall'')" -> r:^1$'
+
+  # 1.7 Ensure Software Update Deferment Is Less Than or Equal to 30 Days. (Automated)
+  - id: 34006
+    title: "Ensure Software Update Deferment Is Less Than or Equal to 30 Days."
+    description: "Apple provides the capability to manage software updates on Apple devices through mobile device management. Part of those capabilities permit organizations to defer software updates and allow for testing. Many organizations have specialized software and configurations that may be negatively impacted by Apple updates. If software updates are deferred, they should not be deferred for more than 30 days. This control only verifies that deferred software updates are not deferred for more than 30 days."
+    rationale: "Apple software updates almost always include security updates. Attackers evaluate updates to create exploit code in order to attack unpatched systems. The longer a system remains unpatched, the greater an exploit possibility exists in which there are publicly reported vulnerabilities."
+    impact: "Some organizations may need more than 30 days to evaluate the impact of software updates."
+    remediation: "Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.applicationaccess 2. The key to include is enforcedSoftwareUpdateDelay 3. The key must be set to <integer><1-30></integer>."
+    references:
+      - "https://support.apple.com/guide/deployment/manage-software-updates-depc4c80847a/web"
+    compliance:
+      - cis: ["1.7"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''enforcedSoftwareUpdateDelay'')" -> n:^(\d+)$ compare <= 30'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''enforcedSoftwareUpdateDelay'')" -> r:\.+'
+
+  # 1.8 Ensure the System is Managed by a Mobile Device Management (MDM) Software. (Manual) - Not Implemented
+
+  # 2.1.1.1 Audit iCloud Keychain. (Manual) - Not Implemented
+  # 2.1.1.2 Audit iCloud Drive. (Manual) - Not Implemented
+  # 2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is Disabled. (Automated) - Not Implemented
+  # 2.1.1.4 Audit Security Keys Used With AppleIDs. (Manual) - Not Implemented
+  # 2.1.1.5 Audit Freeform Sync to iCloud. (Manual) - Not Implemented
+  # 2.1.2 Audit App Store Password Settings. (Manual) - Not Implemented
+
+  # 2.2.1 Ensure Firewall Is Enabled. (Automated)
+  - id: 34007
+    title: "Ensure Firewall Is Enabled."
+    description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall:."
+    rationale: "A firewall minimizes the threat of unauthorized users gaining access to your system while connected to a network or the Internet."
+    impact: "The firewall may block legitimate traffic. Applications that are unsigned will require special handling."
+    remediation: "Graphical Method: Perform the following steps to turn the firewall on: 1. Open System Settings 2. Select Network 3. Select Firewall 4. Set Firewall to enabled Terminal Method: Run the following command to enable the firewall: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int <value> For the <value>, use either 1, specific services, or 2, essential services only. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.security.firewall 2. The key to include is EnableFirewall 3. The key must be set to <true/>."
+    references:
+      - "https://support.apple.com/en-us/guide/security/seca0e83763f/web"
+      - "http://support.apple.com/en-us/HT201642"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.1", "4.5", "13.1"]
+      - cis_csc_v7: ["5.1", "9.4", "9.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "AU.L2-3.3.5", "AU.L2-3.3.6", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6", "SI.L2-3.14.3", "SI.L2-3.14.7"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.13.1.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AU-6(1)", "AU-7", "CM-7(1)", "CM-9", "IR-4(1)", "SA-10", "SC-7(5)", "SI-4(2)", "SI-4(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.5.3", "10.6.1", "11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "10.7", "10.7.1", "10.7.2", "10.7.3", "11.5", "2.1.1", "2.2.1"]
+      - soc_2: ["CC6.6", "CC7.1", "CC7.2", "CC8.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$"
+      - "c:defaults read /Library/Preferences/com.apple.security.firewall EnableFirewall -> r:^1$|^2$|^true$"
+
+  # 2.2.2 Ensure Firewall Stealth Mode Is Enabled. (Automated)
+  - id: 34008
+    title: "Ensure Firewall Stealth Mode Is Enabled."
+    description: "While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic."
+    rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+    impact: "Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected. This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable."
+    remediation: "Graphical Method: Perform the following steps to enable firewall stealth mode: 1. Open System Settings 2. Select Network 3. Select Firewall 4. Select Options... 5. Set Enabled stealth mode to enabled Terminal Method: Run the following command to enable stealth mode: $ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw -- setstealthmode on Stealth mode enabled Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.security.firewall 2. The key to include is EnableStealthMode 3. The key must be set to <true/> Note: This key must be set in the same configuration profile with EnableFirewall set to <true/>. If it is set in its own configuration profile, it will fail."
+    references:
+      - "http://support.apple.com/en-us/HT201642"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.1", "4.5", "4.8"]
+      - cis_csc_v7: ["5.1", "9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L1-3.1.20", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.4", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.alf stealthenabled -> r:^1$|^2$"
+      - "c:defaults read /Library/Preferences/com.apple.security.firewall EnableStealthMode -> r:^1$|^2$|^true$"
+
+  # 2.3.1.1 Ensure AirDrop Is Disabled When Not Actively Transferring Files. (Automated) - Not Implemented
+  # 2.3.1.2 Ensure AirPlay Receiver Is Disabled. (Automated) - Not Implemented
+
+  # 2.3.2.1 Ensure Set Time and Date Automatically Is Enabled. (Automated)
+  - id: 34009
+    title: "Ensure Set Time and Date Automatically Is Enabled."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates, and log entries. Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required, use the Date & Time System Preference with each server separated by a space. Additional Note: The default Apple time server is time.apple.com. Variations include time.euro.apple.com. While it is certainly more efficient to use internal time servers, there is no reason to block access to global Apple time servers or to add a time.apple.com alias to internal DNS records. There are no reports that Apple gathers any information from NTP synchronization, as the computers already phone home to Apple for Apple services including iCloud use and software updates. Best practice is to allow DNS resolution to an authoritative time service for time.apple.com, preferably to connect to Apple servers, but local servers are acceptable as well."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+    impact: "The timed service will periodically synchronize with named time servers and will make the computer time more accurate."
+    remediation: "Graphical Method: Perform the following to enable the date and time to be set automatically: 1. Open System Settings 2. Select General 3. Select Date & Time 4. Set Set time and date automatically to enabled Note: By default, the operating system will use time.apple.com as the time server. You can change to any time server that meets your organization's requirements. Terminal Method: Run the following commands to enable the date and time setting automatically: $ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver <your.time.server> setNetworkTimeServer: <your.time.server> $ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on setUsingNetworkTime: On example: $ /usr/bin/sudo /usr/sbin/systemsetup -setnetworktimeserver time.apple.com setNetworkTimeServer: time.apple.com $ /usr/bin/sudo /usr/sbin/systemsetup -setusingnetworktime on setUsingNetworkTime: On Run the following commands if you have not set, or need to set, a new time zone: $ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones $ /usr/bin/sudo /usr/sbin/systemsetup -settimezone <selected time zone> example: $ /usr/bin/sudo /usr/sbin/systemsetup -listtimezones Time Zones: Africa/Abidjan Africa/Accra Africa/Addis_Ababa ... $ /usr/bin/sudo /usr/sbin/systemsetup -settimezone America/New_York Set TimeZone: America/New_York."
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'c:/usr/sbin/systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+
+  # 2.3.2.2 Ensure Time Is Set Within Appropriate Limits. (Automated)
+  - id: 34010
+    title: "Ensure Time Is Set Within Appropriate Limits."
+    description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Ensure that time on the computer is within acceptable limits. Truly accurate time is measured within milliseconds. For this audit, a drift under four and a half minutes passes the control check. Since Kerberos is one of the important features of macOS integration into Directory systems, the guidance here is to warn you before there could be an impact to operations. From the perspective of accurate time, this check is not strict, so it may be too great for your organization. Your organization can adjust to a smaller offset value as needed. If there are consistent drift issues on the OS, some of the most common drift issues should be investigated: - The chosen time server is not reachable based on network firewall rules on the current network - The computer is offline often and the battery drains, and the network is not immediately available - The chosen time server is a special internal or non-public time server that does not provide a reliable time source Note: ntpdate has been deprecated with 10.14. sntp replaces that command."
+    rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features. Audit check is for more than 4 minutes and 30 seconds ahead or behind."
+    impact: "Accurate time is required for many computer functions."
+    remediation: "Terminal Method: Run the following commands to ensure your time is set within an appropriate limit: $ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver The output will include Network Time Server: and the name of your time server example: Network Time Server: time.apple.com. $ /usr/bin/sudo /usr/bin/sntp -sS <your.time.server> example: $ /usr/bin/sudo /usr/sbin/systemsetup -getnetworktimeserver Network Time Server: time.apple.com $ /usr/bin/sudo /usr/bin/sntp -sS time.apple.com."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemsetup -getnetworktimeserver -> r:Network Time Server:"
+
+  # 2.3.3.1 Ensure DVD or CD Sharing Is Disabled. (Automated)
+  - id: 34011
+    title: "Ensure DVD or CD Sharing Is Disabled."
+    description: "DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing, the sharing of an external optical drive persists when a drive is reconnected."
+    rationale: "Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data."
+    impact: "Many Apple devices are now sold without optical drives, however drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long-term storage. To store necessary data from an optical drive it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in its original form on another form of external storage."
+    remediation: "Graphical Method: Perform the following steps to disable DVD or CD Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set DVD or CD sharing to disabled Terminal Method: Run the following command to disable DVD or CD Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.ODSAgent Note: If using the Terminal method, the GUI will still show the service checked until after a reboot."
+    compliance:
+      - cis: ["2.3.3.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.ODSAgent" -> r:^0$'
+
+  # 2.3.3.2 Ensure Screen Sharing Is Disabled. (Automated)
+  - id: 34012
+    title: "Ensure Screen Sharing Is Disabled."
+    description: "Screen Sharing allows a computer to connect to another computer on a network and display the computer's screen. While sharing the computer's screen, the user can control what happens on that computer, such as opening documents or applications, opening, moving, or closing windows, and even shutting down the computer. While mature administration and management does not use graphical connections for standard maintenance, most help desks have capabilities to assist users in performing their work when they have technical issues and need support. Help desks use graphical remote tools to understand what the user sees and assist them so they can get back to work. For MacOS, some of these remote capabilities can use Apple's OS tools. Control is therefore not meant to prohibit the use of a just-in-time graphical view from authorized personnel with authentication controls. Sharing should not be enabled except in narrow windows when help desk support is required. Screen Sharing on macOS can allow the use of the insecure VNC protocol. VNC is a clear text protocol that should not be used on macOS."
+    rationale: "Disabling Screen Sharing mitigates the risk of remote connections being made without the user of the console knowing that they are sharing the computer."
+    impact: "Help desks may require the periodic use of a graphical connection mechanism to assist users. Any support that relies on native MacOS components will not work unless a scripted solution to enable and disable sharing as neccessary."
+    remediation: "Graphical Method: Perform the following steps to disable Screen Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Screen Sharing to disabled Terminal Method: Run the following command to turn off Screen Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.screensharing."
+    references:
+      - "https://support.apple.com/guide/mac-help/turn-screen-sharing-on-or-off-mh11848/mac"
+    compliance:
+      - cis: ["2.3.3.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.screensharing" -> r:^0$'
+
+  # 2.3.3.3 Ensure File Sharing Is Disabled. (Automated)
+  - id: 34013
+    title: "Ensure File Sharing Is Disabled."
+    description: "File sharing from a user workstation creates additional risks, such as: - Open ports are created that can be probed and attacked - Passwords are attached to user accounts for access that may be exposed and endanger other parts of the organizational environment, including directory accounts Increased complexity makes security more difficult and may expose additional attack vectors - Apple's File Sharing uses the Server Message Block (SMB) protocol to share to other computers that can mount SMB shares. This includes other macOS computers. Apple warns that SMB sharing stored passwords is less secure, and anyone with system access can gain access to the password for that account. When sharing with SMB, each user accessing the Mac must have SMB enabled. Storing passwords, especially copies of valid directory passwords, decreases security for the directory account and should not be used."
+    rationale: "By disabling File Sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+    impact: "File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on File Sharing increases the visibility and attack surface of a system unnecessarily."
+    remediation: "Graphical Method: Perform the following steps to disable File Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set File Sharing to disabled Terminal Method: Run the following command to disable File Sharing: $ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd."
+    compliance:
+      - cis: ["2.3.3.3"]
+      - cis_csc_v8: ["4.1", "4.8", "5.4"]
+      - cis_csc_v7: ["4.3", "5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.3", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3", "A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.smbd" -> r:^0$'
+
+  # 2.3.3.4 Ensure Printer Sharing Is Disabled. (Automated)
+  - id: 34014
+    title: "Ensure Printer Sharing Is Disabled."
+    description: "By enabling Printer Sharing, the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+    rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+    remediation: "Graphical Method: Perform the following steps to disable Printer Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Printer Sharing to disabled Terminal Method: Run the following command to disable Printer Sharing: $ /usr/bin/sudo /usr/sbin/cupsctl --no-share-printers."
+    compliance:
+      - cis: ["2.3.3.4"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "cupsctl | grep _share_printers | cut -d ''='' -f2" -> r:^0$'
+
+  # 2.3.3.5 Ensure Remote Login Is Disabled. (Automated)
+  - id: 34015
+    title: "Ensure Remote Login Is Disabled."
+    description: "Remote Login allows an interactive terminal connection to a computer."
+    rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers. macOS does have an IP-based firewall available (pf, ipfw has been deprecated) that is not enabled or configured. There are more details and links in the Network sub-section. macOS no longer has TCP Wrappers support built in and does not have strong Brute-Force password guessing mitigations, or frequent patching of openssh by Apple. Since most macOS computers are mobile workstations, managing IP-based firewall rules on mobile devices can be very resource intensive. All of these factors can be parts of running a hardened SSH server."
+    impact: "The SSH server built into macOS should not be enabled on a standard user computer, particularly one that changes locations and IP addresses. A standard user that runs local applications, including email, web browser, and productivity tools, should not use the same device as a server. There are Enterprise management toolsets that do utilize SSH. If they are in use, the computer should be locked down to only respond to known, trusted IP addresses and appropriate administrator service accounts. For macOS computers that are being used for specialized functions, there are several options to harden the SSH server to protect against unauthorized access, including brute force attacks. There are some basic criteria that need to be considered: - Do not open an SSH server to the internet without controls in place to mitigate SSH brute force attacks. This is particularly important for systems bound to Directory environments. It is great to have controls in place to protect the system, but if they trigger after the user is already locked out of their account, they are not optimal. If authorization happens after authentication, directory accounts for users that don't even use the system can be locked out. - Do not use SSH key pairs when there is no insight to the security on the client system that will authenticate into the server with a private key. If an attacker gets access to the remote system and can find the key, they may not need a password or a key logger to access the SSH server. - Detailed instructions on hardening an SSH server, if needed, are available in the CIS Linux Benchmarks, but it is beyond the scope of this benchmark."
+    remediation: "Perform the following to disable Remote Login: Graphical Method: Perform the following steps to disable Remote Login: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Login to disabled Terminal Method: Run the following command to disable Remote Login: $ /usr/bin/sudo /usr/sbin/systemsetup -setremotelogin off Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)? Entering yes will disable remote login."
+    compliance:
+      - cis: ["2.3.3.5"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+
+  # 2.3.3.6 Ensure Remote Management Is Disabled. (Automated)
+  - id: 34016
+    title: "Ensure Remote Management Is Disabled."
+    description: "Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs. The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing. Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is a major concern for mobile systems. As with other sharing options, an open port even for authorized management functions can be attacked, and both unauthorized access and Denial-of-Service vulnerabilities could be exploited. If remote management is required, the pf firewall should restrict access only to known, trusted management consoles. Remote management should not be used across the Internet without the use of a VPN tunnel."
+    rationale: "Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring."
+    impact: "Many organizations utilize ARD for client management."
+    remediation: "Graphical Method: Perform the following steps to disable Remote Management: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Management to disabled Terminal Method: Run the following command to disable Remote Management: $ /usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources /kickstart -deactivate -stop Starting... Removed preference to start ARD after reboot. Done."
+    compliance:
+      - cis: ["2.3.3.6"]
+      - cis_csc_v8: ["4.1", "4.8", "5.4"]
+      - cis_csc_v7: ["4.3", "9.2", "14.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.3", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3", "A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.1", "CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not p:/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
+
+  # 2.3.3.7 Ensure Remote Apple Events Is Disabled. (Automated)
+  - id: 34017
+    title: "Ensure Remote Apple Events Is Disabled."
+    description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+    rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+    impact: "With remote Apple events turned on, an AppleScript program running on another Mac can interact with the local computer."
+    remediation: "Graphical Method: Perform the following steps to disable Remote Apple Events: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Remote Apple Events to disabled Terminal Method: Run the following commands to set Remote Apple Events to Off: $ /usr/bin/sudo /usr/sbin/systemsetup -setremoteappleevents off setremoteappleevents: Off."
+    compliance:
+      - cis: ["2.3.3.7"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+
+  # 2.3.3.8 Ensure Internet Sharing Is Disabled. (Automated)
+  - id: 34018
+    title: "Ensure Internet Sharing Is Disabled."
+    description: "Internet Sharing uses the open source natd process to share an internet connection with other computers and devices on a local network. This allows the Mac to function as a router and share the connection to other, possibly unauthorized, devices."
+    rationale: "Disabling Internet Sharing reduces the remote attack surface of the system."
+    impact: "Internet Sharing allows the computer to function as a router and other computers to use it for access. This can expose both the computer itself and the networks it is accessing to unacceptable access from unapproved devices."
+    remediation: "Graphical Method: Perform the following steps to disable Internet Sharing: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Internet Sharing to disabled Terminal Method: Run the following command to turn off Internet Sharing: $ usr/bin/sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0 Note: Using the Terminal Method will not be reflected in the GUI, but will disable the underlying service. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is forceInternetSharingOff 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.3.3.8"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not c:defaults read /Library/Preferences/SystemConfiguration/com.apple.nat -> r:Enabled\s*\t*=\s*\t*1'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''forceInternetSharingOff'')" -> r:^true$'
+
+  # 2.3.3.9 Ensure Content Caching Is Disabled. (Automated)
+  - id: 34019
+    title: "Ensure Content Caching Is Disabled."
+    description: "Starting with 10.13 (macOS High Sierra), Apple introduced a service to make it easier to deploy data from Apple, including software updates, where there are bandwidth constraints to the Internet and fewer constraints or greater bandwidth exist on the local subnet. This capability can be very valuable for organizations that have throttled and possibly metered Internet connections. In heterogeneous enterprise networks with multiple subnets, the effectiveness of this capability would be determined by how many Macs were on each subnet at the time new, large updates were made available upstream. This capability requires the use of mac OS clients as P2P nodes for updated Apple content. Unless there is a business requirement to manage operational Internet connectivity and bandwidth, user endpoints should not store content and act as a cluster to provision data. Content types supported by Content Caching in macOS."
+    rationale: "The main use case for Mac computers is as mobile user endpoints. P2P sharing services should not be enabled on laptops that are using untrusted networks. Content Caching can allow a computer to be a server for local nodes on an untrusted network. While there are certainly logical controls that could be used to mitigate risk, they add to the management complexity. Since the value of the service is in specific use cases, organizations with the use case described above can accept risk as necessary."
+    impact: "This setting will adversely affect bandwidth usage between local subnets and the Internet."
+    remediation: "Graphical Method: Perform the following steps to disable Content Caching: 1. Open System Settings 2. Select General 3. Select Sharing 4. Set Content Caching to disabled Terminal Method: Run the following command to disable Content Caching: $ /usr/bin/sudo /usr/bin/AssetCacheManagerUtil deactivate The output will include Content caching deactivated Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.applicationaccess 2. The key to include is allowContentCaching 3. The key must be set to <false/>."
+    references:
+      - "https://support.apple.com/guide/mac-help/about-content-caching-mchl9388ba1b/"
+      - "https://support.apple.com/guide/mac-help/set-up-content-caching-on-mac-mchl3b6c3720/"
+    compliance:
+      - cis: ["2.3.3.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.AssetCache'').objectForKey(''Activated'')" -> r:^0$'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.applicationaccess'').objectForKey(''allowContentCaching'')" -> r:^0$|^true$'
+
+  # 2.3.3.10 Ensure Media Sharing Is Disabled. (Automated) - Not Implemented
+  # 2.3.3.11 Ensure Bluetooth Sharing Is Disabled. (Automated) - Not Implemented
+  # 2.3.3.12 Ensure Computer Name Does Not Contain PII or Protected Organizational Information. (Manual) - Not Implemented
+
+  # 2.3.4.1 Ensure Backup Automatically is Enabled If Time Machine Is Enabled. (Automated)
+  - id: 34020
+    title: "Ensure Backup Automatically is Enabled If Time Machine Is Enabled."
+    description: 'Backup solutions are only effective if the backups run on a regular basis. The time to check for backups is before the hard drive fails or the computer goes missing. In order to simplify the user experience so that backups are more likely to occur, Time Machine should be on and set to Back Up Automatically whenever the target volume is available. Operational staff should ensure that backups complete on a regular basis and the backups are tested to ensure that file restoration from backup is possible when needed. Backup dates are available even when the target volume is not available in the Time Machine plist. SnapshotDates = ( "2012-08-20 12:10:22 +0000", "2013-02-03 23:43:22 +0000", "2014-02-19 21:37:21 +0000", "2015-02-22 13:07:25 +0000", "2016-08-20 14:07:14 +0000" When the backup volume is connected to the computer, more extensive information is available through tmutil. See man tmutil.'
+    rationale: "Backups should automatically run whenever the backup drive is available."
+    impact: "The backup will run periodically in the background and could have user impact while running."
+    remediation: "Graphical Method: Perform the following steps to enable Time Machine automatic backup: 1. Open System Settings 2. Select General 3. Select Time Machine 4. Select Options... 5. Set Back up frequency to Automatically <every hour/every day/every week> Terminal Method: Run the following command to enable automatic backups if Time Machine is enabled: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine.plist AutoBackup -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX.TimeMachine 2. The key to include is AutoBackup 3. The key must be set to."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc_v8: ["11.2"]
+      - cis_csc_v7: ["10.1"]
+      - hipaa: ["164.308(a)(7)(ii)(A)"]
+      - iso_27001-2013: ["A.12.3.1"]
+      - pci_dss_v3.2.1: ["12.10.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.TimeMachine'').objectForKey(''AutoBackup'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.TimeMachine'').objectForKey(''LastDestinationID'')" -> r:^\.+$'
+
+  # 2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled. (Automated)
+  - id: 34021
+    title: "Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled."
+    description: "One of the most important security tools for data protection on macOS is FileVault. With encryption in place, it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique, complex password to unlock the drive can be stored in keychains on multiple systems for ease of use. While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes."
+    rationale: "Backup volumes need to be encrypted."
+    remediation: "Graphical Method: Perform the following steps to enable encryption on the Time Machine drive: 1. Open System Settings 2. Select General 3. Select Time Machine 4. Select the unencrypted drive 5. Select - to forget that drive as a destination 6. Select + to add a different drive as the destination 7. Select Set Up Disk... 8. Set Encrypt Backup to enabled 9. Enter a password in the New Password and the same password in the Re-enter Password fields 10. A password hint is required, but it is recommended that you do not use any identifying information for the password Note: In macOS 12.0 Monterey and previous, the existing Time Machine drive could have encryption added without formatting it. This is no longer possible in macOS 13.0 Ventura. If you wish to keep previous backups from the unencrypted volume, you will need to manually move those files over to the new encrypted drive."
+    compliance:
+      - cis: ["2.3.4.2"]
+      - cis_csc_v8: ["3.6", "3.11", "11.3"]
+      - cis_csc_v7: ["10.4", "13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "MP.L2-3.8.9", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.12.3.1", "A.6.2.1"]
+      - nist_sp_800-53: ["CP-9(8)", "SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1", "9.5", "9.5.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["A1.2", "CC6.1", "CC6.4", "CC6.7"]
+    condition: all
+    rules:
+      - 'c: sh -c "defaults read /Library/Preferences/com.apple.TimeMachine.plist | grep -c NotEncrypted" -> r:^0$'
+
+  # 2.4.1 Ensure Show Wi-Fi status in Menu Bar Is Enabled. (Automated) - Not Implemented
+  # 2.4.2 Ensure Show Bluetooth Status in Menu Bar Is Enabled. (Automated) - Not Implemented
+  # 2.5.1 Audit Siri Settings. (Manual) - Not Implemented
+  # 2.5.2 Ensure Listen for "Hey Siri" Is Disabled. (Manual) - Not Implemented
+
+  # 2.6.1.1 Ensure Location Services Is Enabled. (Automated)
+  - id: 34022
+    title: "Ensure Location Services Is Enabled."
+    description: "macOS uses location information gathered through local Wi-Fi networks to enable applications to supply relevant information to users. With the operating system verifying the location, users do not need to change the time or the time zone. The computer will change them based on the user's location. They do not need to specify their location for weather or travel times, and they will receive alerts on travel times to meetings and appointments where location information is supplied. Location Services simplify some processes with mobile computers, such as asset management and time or log management. There are some use cases where it is important that the computer not be able to report its exact location. While the general use case is to enable Location Services, it should not be allowed if the physical location of the computer and the user should not be public knowledge."
+    rationale: "Location Services are helpful in most use cases and can simplify log and time management where computers change time zones."
+    remediation: "Graphical Method: Perform the following steps to enable Location Services: 1. Open System Settings 2. Select Privacy & Security 3. Select Location Services 4. Set Location Services to enabled Terminal Method: Run the following command to enable Location Services: $ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.locationd.plist If the com.apple.locationd.plist outputs 0, run the following command to also ensure Location Services is running: $ /usr/bin/sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false $ /usr/bin/sudo /bin/launchctl kickstart -k system/com.apple.locationd Note: In some use cases, organizations may not want Location Services running. To disable Location Services, System Integrity Protection must be disabled."
+    references:
+      - "https://support.apple.com/en-us/HT204690"
+    compliance:
+      - cis: ["2.6.1.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.locationd" -> r:^1$'
+      - 'c:sudo -u _locationd /usr/bin/osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.locationd'').objectForKey(''LocationServicesEnabled'')" -> r:^1$'
+
+  # 2.6.1.2 Ensure Location Services Is in the Menu Bar. (Automated)
+  - id: 34023
+    title: "Ensure Location Services Is in the Menu Bar."
+    description: "This setting provides the user an understanding of the current status of Location Services and which applications are using it."
+    rationale: 'Apple has fully integrated location services into macOS. Where the computer is currently located is used for Timezones, weather, travel times, geolocation, "Find my Mac," and advertising services. This benchmark recommends that location services are enabled for most users. Many users may have occasions when they do not want to share their current locations, and some users may need to rarely share their locations. The immediate availability of Location Services in the menu bar provides easy access to the current status, which applications are using the service, and a quick shortcut to making changes. This setting provides better user control in managing user privacy.'
+    impact: "Users may be provided visibility to a setting they cannot control if organizations control Location Services globally by policy."
+    remediation: "Graphical Method: Perform the following steps to set whether the location services icon is in the menu bar: 1. Open System Settings 2. Select Privacy & Security 3. Select Location Services 4. Select Details... 5. Set Show location icon in menu bar when System Services request your location to enabled Terminal Method: Run the following commands to set the option of the location services icon being in the menu bar: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true."
+    compliance:
+      - cis: ["2.6.1.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:defaults read /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -> r:^1$|^true$"
+
+  # 2.6.1.3 Audit Location Services Access. (Manual) - Not Implemented
+  # 2.6.2.1 Audit Full Disk Access for Applications. (Manual) - Not Implemented
+  # 2.6.3 Ensure Sending Diagnostic and Usage Data to Apple Is Disabled. (Automated) - Not Implemented
+  # 2.6.4 Ensure Limit Ad Tracking Is Enabled. (Automated) - Not Implemented
+
+  # 2.6.5 Ensure Gatekeeper Is Enabled. (Automated)
+  - id: 34024
+    title: "Ensure Gatekeeper Is Enabled."
+    description: "Gatekeeper is Apple's application that utilizes allowlisting to restrict downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization. In an update to Gatekeeper in macOS 13 Ventura, Gatekeeper checks every application on every launch, not just quarantined apps."
+    rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+    remediation: "Graphical Method: Perform the following steps to enable Gatekeeper: 1. Open System Settings 2. Select Privacy & Security 3. Set 'Allow apps downloaded from' to 'App Store and identified developers' Terminal Method: Run the following command to enable Gatekeeper to allow applications from App Store and identified developers: $ /usr/bin/sudo /usr/sbin/spctl --master-enable Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.systempolicy.control 2. The key to include is AllowIdentifiedDevelopers 3. The key must be set to <true/> 4. The key to also include is EnableAssessment 5. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.6.5"]
+      - cis_csc_v8: ["10.1", "10.2", "10.5"]
+      - cis_csc_v7: ["8.2", "8.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.2", "SI.L1-3.14.4"]
+      - hipaa: ["164.308(a)(5)(ii)(B)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4", "11.4", "5.1", "5.1.1", "5.2"]
+      - pci_dss_v4.0: ["5.1.1", "5.2.1", "5.2.2", "5.3.1", "5.3.2"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - "c:spctl --status -> r:^assessments enabled"
+
+  # 2.6.6 Ensure FileVault Is Enabled. (Automated)
+  - id: 34025
+    title: "Ensure FileVault Is Enabled."
+    description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. FileVault should be used with a saved escrow key to ensure that the owner can decrypt their data if the password is lost. FileVault may also be enabled using command line using the fdesetup command. To use this functionality, consult the Der Flounder blog for more details (see link below under References)."
+    rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+    impact: "Mounting a FileVault encrypted volume from an alternate boot source will require a valid password to decrypt it."
+    remediation: "Graphical Method: Perform the following steps to enable FileVault: 1. Open System Settings 2. Select Security & Privacy 3. Select Turn On... Note: This will allow you to create a recovery key for FileVault. Keep the key saved securely in case it is needed at a later date. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is dontAllowFDEDisable 3. The key must be set to <true/> Note: This profile is required to pass the audit."
+    references:
+      - "https://derflounder.wordpress.com/2015/02/02/managing-yosemites-filevault-2-with-fdesetup/"
+      - "https://derflounder.wordpress.com/2019/01/15/unlock-or-decrypt-your-filevault-encrypted-boot-drive-from-the-command-line-on-macos-mojave/"
+      - "https://derflounder.wordpress.com/2021/10/29/use-of-filevault-institutional-recovery-keys-no-longer-recommended-by-apple/"
+      - "https://support.apple.com/guide/security/passcodes-and-passwords-sec20230a10d/1/web/1"
+    compliance:
+      - cis: ["2.6.6"]
+      - cis_csc_v8: ["3.6", "3.11"]
+      - cis_csc_v7: ["13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.6.2.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:fdesetup status -> r:^FileVault is On"
+      - 'c:osascript -l JavaScript -e "osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''dontAllowFDEDisable'')" -> r:^0$'
+
+  # 2.6.7 Audit Lockdown Mode. (Manual) - Not Implemented
+
+  # 2.6.8 Ensure an Administrator Password Is Required to Access System-Wide Preferences. (Automated)
+  - id: 34026
+    title: "Ensure an Administrator Password Is Required to Access System-Wide Preferences."
+    description: "System Preferences controls system and user settings on a macOS Computer. System Preferences allows the user to tailor their experience on the computer as well as allowing the System Administrator to configure global security settings. Some of the settings should only be altered by the person responsible for the computer."
+    rationale: "By requiring a password to unlock system-wide System Preferences, the risk of a user changing configurations that affect the entire system is mitigated and requires an admin user to re-authenticate to make changes."
+    remediation: "Graphical Method: Perform the following steps to verify that an administrator password is required to access system-wide preferences: 1. Open System Settings 2. Select Privacy & Security 3. Select Advanced 4. Set Require an administrator password to access system-wide settings to enabled. Terminal Method: The authorizationdb settings cannot be written to directly, so the plist must be exported out to temporary file. Changes can be made to the temporary plist, then imported back into the authorizationdb settings. Run the following commands to enable that an administrator password is required to access system-wide preferences: $ /usr/bin/sudo /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist YES (0) $ /usr/bin/sudo /usr/bin/defaults write /tmp/system.preferences.plist shared -bool false $ /usr/bin/sudo /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist YES (0)."
+    impact: "Users will need to enter their password to unlock some additional preference panes that are unlocked by default like Network, Startup and Printers & Scanners."
+    compliance:
+      - cis: ["2.6.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:security authorizationdb read system.preferences | grep -A1 shared -> r:>false<"
+
+  # 2.7.1 Ensure Screen Saver Corners Are Secure. (Automated) - Not Implemented
+  # 2.8.1 Audit Universal Control Settings. (Manual) - Not Implemented
+  # 2.9.1.1 Ensure the OS Is Not Active When Resuming from Standby (Intel). (Automated) - Not Implemented
+  # 2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon). (Automated) - Not Implemented
+
+  # 2.9.1.3 Ensure FileVault is Locked on Sleep. (Automated)
+  - id: 34027
+    title: "Ensure FileVault is Locked on Sleep."
+    description: "Full Disk Encryption (FDE) is a Data-at-Rest (DAR) solution. It ensures that when the data on the drive is not in use it is full encrypted, but it can be decrypted (unlocked) as needed. When a Mac sleeps, the encryption keys remain in memory so that the drive is encrypted but unlocked. There are attacks available to interact with the OS and data on the unlocked drive. FileVault volumes should be locked when not in use to resist attack."
+    rationale: "The purpose of DAR is to ensure data is encrypted while at rest. If the volume is always unlocked it is not sufficient."
+    impact: "The laptop will require a user to log in with their username and password, not TouchID, into the OS after the FileVault key is destroyed."
+    remediation: "Terminal Method: Run the following command to ensure FileVault keys are set to be destroyed on standby: $ /usr/bin/sudo /usr/bin/pmset -a destroyfvkeyonstandby 1."
+    compliance:
+      - cis: ["2.9.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:pmset -b -g -> r:^\s*\t*DestroyFVKeyOnStandby\s*\t*1'
+
+  # 2.9.2 Ensure Power Nap Is Disabled for Intel Macs. (Automated)
+  - id: 34028
+    title: "Ensure Power Nap Is Disabled for Intel Macs."
+    description: "Power Nap allows the system to stay in low power mode, especially while on battery power, and periodically connect to previously known networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input. This control has been updated to check the status on both battery and AC Power. The presence of an electrical outlet does not completely correlate with logical and physical security of the device or available networks."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access. The use of Power Nap adds to the risk of compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
+    impact: "Power Nap exists for unattended user application updates like email and social media clients. With Power Nap disabled, the computer will not wake and reconnect to known wireless SSIDs intermittently when slept."
+    remediation: "Graphical Method: Perform the following steps to disable Power Nap: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Power Nap to disabled 4. Select UPS (if applicable) 5. Set Power Nap to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Power Adapter (for laptops only) 4. Set Power Nap to disabled 5. Select Battery 6. Set Power Nap to disabled 7. Select UPS (if applicable) 8. Set Power Nap to disabled Terminal Method: Run the following command to disable Power Nap: $ /usr/bin/sudo /usr/bin/pmset -a powernap 0."
+    compliance:
+      - cis: ["2.9.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "pmset -g custom" -> r:^\s*\t*powernap\s*\t*1'
+
+  # 2.9.3 Ensure Wake for Network Access Is Disabled. (Automated)
+  - id: 34029
+    title: "Ensure Wake for Network Access Is Disabled."
+    description: "This feature allows the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. This macOS feature is meant to allow the computer to resume activity as needed regardless of physical security controls. This feature allows other users to be able to access your computer's shared resources, such as shared printers or Apple Music playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer, it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist, the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on any unmanaged network or where untrusted devices exist that could send wake signals."
+    rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+    impact: "Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature. The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs."
+    remediation: "Graphical Method: Perform the following steps to disable Wake for network access: Desktop Instructions: 1. Open System Settings 2. Select Energy Saver 3. Set Wake for network access to disabled Laptop Instructions: 1. Open System Settings 2. Select Battery 3. Select Options... 4. Set Wake for network access to Never Terminal Method: Run the following command to disable Wake for network access: $ /usr/bin/sudo /usr/bin/pmset -a womp 0 Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is com.apple.EnergySaver.desktop.ACPower 3. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> 4. The key to also include is com.apple.EnergySaver.portable.ACPower 5. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> 6. The key to also include is com.apple.EnergySaver.portable.BatteryPower 7. The key must be set to: <dict> <key>Wake On LAN</key> <integer>0</integer> <key>Wake On Modem Ring</key> <integer>0</integer> </dict> Note: Both Wake on LAN and Wake on Modem Ring need to be set. Only setting Wake On LAN will allow the profile to install but not set any settings. This profile will only apply the setting at installation and is not sticky."
+    compliance:
+      - cis: ["2.9.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not c:sh -c "pmset -g custom" -> r:^\s*\t*womp\s*\t*1'
+      - 'not c:sh -c "profiles -P -o stdout | grep ''Wake On LAN''" -> n:=\s*(\d) compare != 0'
+      - 'not c:sh -c "profiles -P -o stdout | grep ''Wake On Modem Ring''" -> n:=\s*(\d) compare != 0'
+
+  # 2.10.1 Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled. (Automated) - Not Implemented
+
+  # 2.10.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately. (Automated)
+  - id: 34030
+    title: "Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately."
+    description: "Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use."
+    rationale: "Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
+    impact: "Without a screenlock in place, anyone with physical access to the computer would be logged in and able to use the active user's session."
+    remediation: "Graphical Method: Perform the following steps to enable a password for unlock after a screen saver begins or after sleep: 1. Open System Settings 2. Select Lock Screen 3. Set Require password after screensaver begins or display is turned off to either After 0 seconds or After 5 seconds Terminal Method: Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps: $ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password> or $ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password> Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.screensaver 2. The key to include is askForPassword 3. The key must be set to <true/> 4. The key to also include is askForPasswordDelay 5. The key must be set to <integer><0,5></integer>."
+    references:
+      - "https://blog.kolide.com/screensaver-security-on-macos-10-13-is-broken-a385726e2ae2"
+      - "https://github.com/rtrouton/profiles/blob/master/SetDefaultScreensaver/SetDefaultScreensaver.mobileconfig"
+    compliance:
+      - cis: ["2.10.2"]
+      - cis_csc_v8: ["4.7"]
+      - cis_csc_v7: ["4.2"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.screensaver'').objectForKey(''askForPassword'')" -> n:^(\d+)$ compare == 1'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.screensaver'').objectForKey(''askForPasswordDelay'')" -> n:^(\d+)$ compare <= 5'
+
+  # 2.10.3 Ensure a Custom Message for the Login Screen Is Enabled. (Automated)
+  - id: 34031
+    title: "Ensure a Custom Message for the Login Screen Is Enabled."
+    description: "An access warning informs the user that the system is reserved for authorized use only, and that the use of the system may be monitored."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    impact: "If users are not informed of their responsibilities, unapproved activities may occur. Users that are not approved for access may take the lack of a warning banner as implied consent to access."
+    remediation: 'Graphical Method: Perform the following steps to enable a login banner set to your organization''s required text: 1. Open System Settings 2. Select Lock Screen 3. Set Show message when locked to enabled 4. Select Set 5. Insert text in the Set a message to appear on the lock screen that matches your organization''s required text 6. Select Done Terminal Method: Run the following command to enable a custom login screen message: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "<custom message>" example: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Center for Internet Security Test Message" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is LoginwindowText 3. The key must be set to <string><Your organization''s required text></string>.'
+    compliance:
+      - cis: ["2.10.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''LoginwindowText'')" -> r:^\.+$'
+
+  # 2.10.4 Ensure Login Window Displays as Name and Password Is Enabled. (Automated)
+  - id: 34032
+    title: "Ensure Login Window Displays as Name and Password Is Enabled."
+    description: "The login window prompts a user for his/her credentials, verifies their authorization level, and then allows or denies the user access to the system."
+    rationale: "Prompting the user to enter both their username and password makes it twice as hard for unauthorized users to gain access to the system since they must discover two attributes."
+    remediation: "Graphical Method: Perform the following steps to ensure the login window display name and password: 1. Open System Settings 2. Select Lock Screen 3. Set 'Login window showstoName and Password` Terminal Method: Run the following command to enable the login window to display name and password: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true Note: The GUI will not display the updated setting until the current user(s) logs out. Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is SHOWFULLNAME 3. The key must be set to <true/>."
+    compliance:
+      - cis: ["2.10.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''SHOWFULLNAME'')" -> r:^1$|^true$'
+
+  # 2.10.5 Ensure Show Password Hints Is Disabled. (Automated)
+  - id: 34033
+    title: "Ensure Show Password Hints Is Disabled."
+    description: "Password hints are user-created text displayed when an incorrect password is used for an account."
+    rationale: "Password hints make it easier for unauthorized persons to gain access to systems by displaying information provided by the user to assist in remembering the password. This info could include the password itself or other information that might be readily discerned with basic knowledge of the end user."
+    impact: "The user can set the hint to any value, including the password itself or clues that allow trivial social engineering attacks."
+    remediation: "Graphical Method: Perform the following steps to disable password hints from being shown: 1. Open System Settings 2. Select Lock Screen 3. Set 'Show password hints` to disabled Terminal Method: Run the following command to disable password hints: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is RetriesUntilHint 3. The key must be set to <integer>0</integer>."
+    compliance:
+      - cis: ["2.10.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''RetriesUntilHint'')" -> r:^0$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''RetriesUntilHint'')" -> r:\w+'
+
+  # 2.11.1 Ensure Users' Accounts Do Not Have a Password Hint. (Automated)
+  - id: 34034
+    title: "Ensure Users' Accounts Do Not Have a Password Hint."
+    description: "Password hints help the user recall their passwords for various systems and/or accounts. In most cases, password hints are simple and closely related to the user's password."
+    rationale: "Password hints that are closely related to the user's password are a security vulnerability, especially in the social media age. Unauthorized users are more likely to guess a user's password if there is a password hint. The password hint is very susceptible to social engineering attacks and information exposure on social media networks."
+    remediation: "Graphical Method: Perform the following steps to remove a user's password hint: 1. Open System Settings 2. Select Touch ID & Passwords (or Login Password on non-Touch ID Macs) 3. Select Change... 4. Change the password and ensure that no text is entered in the Password hint box Note: This will only change the currently logged-in user's password, and not any others that are not compliant on the Mac. Use the terminal method if multiple users are not in compliance. Terminal Method: Run the following command to remove a user's password hint: $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/<username> hint example: $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/firstuser hint $ /usr/bin/sudo /usr/bin/dscl . -list /Users hint . -delete /Users/seconduser hint."
+    compliance:
+      - cis: ["2.11.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not c:dscl . -list /Users hint -> r:^\w*$'
+
+  # 2.11.2 Audit Touch ID. (Manual) - Not Implemented
+
+  # 2.12.1 Ensure Guest Account Is Disabled. (Automated)
+  - id: 34035
+    title: "Ensure Guest Account Is Disabled."
+    description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out."
+    rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    impact: "A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access."
+    remediation: "Graphical Method: Perform the following steps to disable guest account availability: 1. Open System Settings 2. Select Users & Groups 3. Select the i next to the Guest User 4. Set Allow guests to log in to this computer to disabled Terminal Method: Run the following command to disable the guest account: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.MCX 2. The key to include is DisableGuestAccount 3. The key must be set to <true/> 4. The key to include is EnableGuestAccount 5. The key must be set to <false/>."
+    compliance:
+      - cis: ["2.12.1"]
+      - cis_csc_v8: ["5.2", "6.2", "6.8"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.4", "AC.L2-3.1.5", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - hipaa: ["164.308(a)(3)(ii)(B)", "164.308(a)(3)(ii)(C)", "164.308(a)(4)(i)", "164.308(a)(4)(ii)(C)"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["AC-2(1)", "AC-5", "AC-6", "AC-6(1)", "AC-6(7)", "AU-9(4)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["10.3.1", "2.2.2", "7.1", "7.1.1", "7.2", "7.2.1", "7.2.2", "7.2.4", "7.2.6", "7.3", "7.3.1", "7.3.2", "8.2.4", "8.2.5", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC5.2", "CC6.1", "CC6.2", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''DisableGuestAccount'')" -> r:^1$'
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''GuestEnabled'')" -> r:^0$'
+
+  # 2.12.2 Ensure Guest Access to Shared Folders Is Disabled. (Automated)
+  - id: 34036
+    title: "Ensure Guest Access to Shared Folders Is Disabled."
+    description: "Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network."
+    rationale: "Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+    impact: "Unauthorized users could access shared files on the system."
+    remediation: "Graphical Method: Perform the following steps to no longer allow guest user access to shared folders: 1. Open System Settings 2. Select Users & Groups 3. Select the i next to the Guest User 4. Set Allow guests to connect to shared folders to disabled Terminal Method: Run the following commands to verify that shared folders are not accessible to guest users: $ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off."
+    compliance:
+      - cis: ["2.12.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:sysadminctl -smbGuestAccess status -> r:SMB guest access disabled"
+
+  # 2.12.3 Ensure Automatic Login Is Disabled. (Automated)
+  - id: 34037
+    title: "Ensure Automatic Login Is Disabled."
+    description: "The automatic login feature saves a user's system access credentials and bypasses the login screen. Instead, the system automatically loads to the user's desktop screen."
+    rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+    impact: "If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials."
+    remediation: "Graphical Method: Perform the following steps to set automatic login to off: 1. Open System Settings 2. Select Users & Groups 3. Set Automatic login in as... to Off Terminal Method: Run the following command to disable automatic login: $ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is com.apple.login.mcx.DisableAutoLoginClient 3. The key must be set to <true/> Note: If both the profile is enabled and a user is set to autologin, the profile will take precedent. In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed."
+    compliance:
+      - cis: ["2.12.3"]
+      - cis_csc_v8: ["4.7"]
+      - cis_csc_v7: ["4.2"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: any
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''com.apple.login.mcx.DisableAutoLoginClient'')" -> r:^1$'
+      - 'not c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.loginwindow'').objectForKey(''autoLoginUser'')" -> r:^\.+$'
+
+  # 2.13.1 Audit Passwords System Preference Setting. (Manual) - Not Implemented
+  # 2.14.1 Audit Game Center Settings. (Manual) - Not Implemented
+  # 2.15.1 Audit Notification & Focus Settings. (Manual) - Not Implemented
+  # 2.16.1 Audit Wallet & Apple Pay Settings. (Manual) - Not Implemented
+  # 2.17.1 Audit Internet Accounts for Authorized Use. (Manual) - Not Implemented
+
+  # 2.18.1 Ensure On-Device Dictation Is Enabled. (Automated) - Not Implemented
+
+  # 3.1 Ensure Security Auditing Is Enabled. (Automated)
+  - id: 34038
+    title: "Ensure Security Auditing Is Enabled."
+    description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+    rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+    remediation: "Terminal Method: Perform the following to enable security auditing: Run the following command to load auditd: $ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist."
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["4.9", "6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:launchctl list -> r:com.apple.auditd"
+
+  # 3.2 Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements. (Automated)
+  - id: 34039
+    title: "Ensure Security Auditing Flags For User-Attributable Events Are Configured Per Local Organizational Requirements."
+    description: "Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements."
+    rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Depending on the governing authority, organizations can have vastly different auditing requirements. In this control we have selected a minimal set of audit flags that should be a part of any organizational requirements. The flags selected below may not adequately meet organizational requirements for users of this benchmark. The auditing checks for the flags proposed here will not impact additional flags that are selected."
+    remediation: "Terminal Method: Perform the following to set the required Security Auditing Flags: Edit the /etc/security/audit_control file and add -fm, ad, -ex, aa, -fr, lo, and -fw to flags. You can also substitute -all for -fm, -ex, -fr, and -fw."
+    references:
+      - "https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/"
+      - "https://csrc.nist.gov/CSRC/media/Publications/sp/800-179/rev-1/draft/documents/sp800-179r1-draft.pdf"
+      - "https://www.scip.ch/en/?labs.20150108"
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf"
+      - "https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf"
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc_v8: ["3.14", "8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7", "AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "11.5"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - "f:/etc/security/audit_control -> r:^flags && r:-fm && r:-ex && r:ad && r:aa && r:lo && r:-fr && r:-fw"
+      - "f:/etc/security/audit_control -> r:^flags && r:-all && r:ad && r:aa && r:lo"
+
+  # 3.3 Ensure install.log Is Retained for 365 or More Days and No Maximum Size. (Automated)
+  - id: 34040
+    title: "Ensure install.log Is Retained for 365 or More Days and No Maximum Size."
+    description: 'macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an "all_max" file limitation, no reference to a minimum retention, and a less precise rotation argument. The all_max flag control will remove old log entries based only on the size of the log files. Log size can vary widely depending on how verbose installing applications are in their log entries. The decision here is to ensure that logs go back a year, and depending on the applications a size restriction could compromise the ability to store a full year. While this Benchmark is not scoring for a rotation flag, the default rotation is sequential rather than using a timestamp. Auditors may prefer timestamps in order to simply review specific dates where event information is desired. Please review the File Rotation section in the man page for more information. man asl.conf - The maximum file size limitation string should be removed "all_max=" - An organization appropriate retention should be added "ttl=" - The rotation should be set with timestamps "rotate=utc" or "rotate=local".'
+    rationale: "Archiving and retaining install.log for at least a year is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred."
+    impact: "Without log files system maintenance and security forensics cannot be properly performed."
+    remediation: "Terminal Method: Perform the following to ensure that install logs are retained for at least 365 days: Edit the /etc/asl/com.apple.install file and add or modify the ttl value to 365 or greater on the file line. Also, remove the all_max= setting and value from the file line."
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc_v8: ["8.1", "8.3"]
+      - cis_csc_v7: ["6.4", "6.7"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - pci_dss_v4.0: ["10.1", "10.1.1"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/asl/com.apple.install -> !r:^\s*# && n:ttl=(\d+) compare >= 365'
+      - 'not f:/etc/asl/com.apple.install -> !r:^\s*# && r:all_max='
+
+  # 3.4 Ensure Security Auditing Retention Is Enabled. (Automated)
+  - id: 34041
+    title: "Ensure Security Auditing Retention Is Enabled."
+    description: "The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records. Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following: expire-after:60d OR 5G This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required."
+    rationale: "The audit records need to be retained long enough to be reviewed as necessary."
+    impact: "The recommendation is that at least 60 days or 5 gigabytes of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data."
+    remediation: "Terminal Method: Perform the following to set the audit retention length: Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 5G."
+    compliance:
+      - cis: ["3.4"]
+      - cis_csc_v8: ["8.1", "8.3"]
+      - cis_csc_v7: ["6.4", "6.7"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.12.4.3"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - pci_dss_v4.0: ["10.1", "10.1.1"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)s compare >= 5184000'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)h compare >= 1440'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)d compare >= 60'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)y compare >= 1'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)b compare >= 5368709120'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)k compare >= 5242880'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)m compare >= 5120'
+      - 'f:/etc/security/audit_control -> n:^\s*expire-after\p\w*(\d+)g compare >= 5'
+
+  # 3.5 Ensure Access to Audit Records Is Controlled. (Automated) - Not Implemented
+  # 3.6 Ensure Firewall Logging Is Enabled and Configured. (Automated) - Not Implemented
+  # 3.7 Audit Software Inventory. (Manual) - Not Implemented
+
+  # 4.1 Ensure Bonjour Advertising Services Is Disabled. (Automated)
+  - id: 34042
+    title: "Ensure Bonjour Advertising Services Is Disabled."
+    description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+    rationale: 'Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour''s multicast DNS feature to discover a vulnerable or poorly-configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of "I''m here!" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices, the pf or other firewall would be needed.'
+    impact: "Some applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the mDNSResponder is turned off."
+    remediation: "Terminal Method: Run the following command to disable Bonjour Advertising services: $ /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mDNSResponder 2. The key to include is NoMulticastAdvertisements."
+    compliance:
+      - cis: ["4.1"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.mDNSResponder'').objectForKey(''NoMulticastAdvertisements'')" -> r:^1$'
+
+  # 4.2 Ensure HTTP Server Is Disabled. (Automated)
+  - id: 34043
+    title: "Ensure HTTP Server Is Disabled."
+    description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. Apache, however, is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end-user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+    rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+    impact: "The web server is both a point of attack for the system and a means for unauthorized file transfers."
+    remediation: "Terminal Method: Run the following command to disable the HTTP server services: $ /usr/bin/sudo /usr/sbin/apachectl stop $ /usr/bin/sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist."
+    references:
+      - "https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230793"
+      - "https://httpd.apache.org/security/vulnerabilities_24.html"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not c:launchctl list -> r:org.apache.httpd"
+
+  # 4.3 Ensure NFS Server Is Disabled. (Automated)
+  - id: 34044
+    title: "Ensure NFS Server Is Disabled."
+    description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable, and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end-user computer. The etc/exports file contains the list of NFS shared directories. If the file exists, it is likely that NFS sharing has been enabled in the past or may be available periodically. As an additional check, the audit verifies that there is no /etc/exports file."
+    rationale: "File serving should not be done from a user desktop. Dedicated servers should be used. Open ports make it easier to exploit the computer."
+    impact: "The nfs server is both a point of attack for the system and a means for unauthorized file transfers."
+    remediation: "Terminal Method: Run the following command to disable the nfsd fileserver services: $ /usr/bin/sudo /sbin/nfsd stop $ /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd Remove the exported Directory listing. $ /usr/bin/sudo /bin/rm /etc/exports."
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc_v8: ["4.1", "4.8"]
+      - cis_csc_v7: ["5.1", "9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "11.5", "2.2", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.5", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not c:launchctl list -> r:com.apple.nfsd"
+      - "not f:/etc/exports"
+
+  # 5.1.1 Ensure Home Folders Are Secure. (Automated) - Not Implemented
+
+  # 5.1.2 Ensure System Integrity Protection Status (SIP) Is Enabled. (Automated)
+  - id: 34045
+    title: "Ensure System Integrity Protection Status (SIP) Is Enabled."
+    description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+    rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+    impact: "System binaries and processes could become compromised."
+    remediation: "Terminal Method: Perform the following steps to enable System Integrity Protection: 1. Reboot into the Recovery Partition (reboot and hold down Command () + R) 2. Select Utilities 3. Select Terminal 4. Run the following command: $ /usr/bin/sudo /usr/bin/csrutil enable Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 5. Reboot the computer Note: You should research why the system had SIP disabled. It might be a better option to erase the Mac and reinstall the operating system. That is at your discretion. Note: You cannot enable System Integrity Protection from the booted operating system. If the remediation is attempted in the booted OS and not the Recovery Partition the output will give the error csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS."
+    references:
+      - "https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection"
+      - "https://support.apple.com/en-us/HT204899"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["2.3", "2.6", "10.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-7(1)", "CM-7(2)", "CM-8(3)", "SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - pci_dss_v4.0: ["1.2.5", "12.3.4", "2.2.4"]
+      - soc_2: ["CC5.2", "CC6.8", "CC7.1"]
+    condition: all
+    rules:
+      - "c:csrutil status -> r:^System Integrity Protection status: enabled."
+
+  # 5.1.3 Ensure Apple Mobile File Integrity (AMFI) Is Enabled. (Automated)
+  - id: 34046
+    title: "Ensure Apple Mobile File Integrity (AMFI) Is Enabled."
+    description: "Apple Mobile File Integrity (AMFI) was first released in macOS 10.12. The daemon and service block attempts to run unsigned code. AMFI uses lanchd, code signatures, certificates, entitlements, and provisioning profiles to create a filtered entitlement dictionary for an app. AMFI is the macOS kernel module that enforces code-signing and library validation."
+    rationale: "Apple Mobile File Integrity validates that application code is validated."
+    impact: "Applications could be compromised with malicious code."
+    remediation: 'Terminal Method: Run the following command to enable the Apple Mobile File Integrity service: $ /usr/bin/sudo /usr/sbin/nvram boot-args="".'
+    references:
+      - "https://eclecticlight.co/2018/12/29/amfi-checking-file-integrity-on-your-mac/"
+      - "https://github.com/usnistgov/macos_security/issues/39"
+      - "https://github.com/usnistgov/macos_security/issues/40"
+      - "https://www.naut.ca/blog/2020/11/13/forbidden-commands-to-liberate-macos/"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["2.3", "2.6"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-7(1)", "CM-7(2)", "CM-8(3)"]
+      - pci_dss_v4.0: ["1.2.5", "12.3.4", "2.2.4"]
+      - soc_2: ["CC5.2", "CC7.1"]
+    condition: all
+    rules:
+      - "not c:nvram -p -> r:amfi_get_out_of_my_way=1"
+
+  # 5.1.4 Ensure Sealed System Volume (SSV) Is Enabled. (Automated)
+  - id: 34047
+    title: "Ensure Sealed System Volume (SSV) Is Enabled."
+    description: "Sealed System Volume is a security feature introduced in macOS 11.0 Big Sur. During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume. The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system. During read operations for files located in the Sealed System Volume, a hash is calculated and compared to the value stored in the Merkle tree."
+    rationale: "Running without Sealed System Volume on a production system could run the risk of Apple software that integrates directly with macOS being modified."
+    impact: "Apple Software that integrates with the operating system could become compromised."
+    remediation: "If SSV has been disabled, assume that the operating system has been compromised. Back up any files, and do a clean install to a known good Operating System."
+    references:
+      - "https://developer.apple.com/news/?id=3xpv8r2m"
+      - "https://eclecticlight.co/2020/11/30/is-big-surs-system-volume-sealed/"
+      - "https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/"
+      - "https://support.apple.com/guide/security/signed-system-volume-security-secd698747c9/web"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.6", "3.11"]
+      - cis_csc_v7: ["13.6", "14.8"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.6.2.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:csrutil authenticated-root status -> r:^Authenticated Root status: enabled"
+
+  # 5.1.5 Ensure Appropriate Permissions Are Enabled for System Wide Applications. (Automated) - Not Implemented
+  # 5.1.6 Ensure No World Writable Folders Exist in the System Folder. (Automated) - Not Implemented
+  # 5.1.7 Ensure No World Writable Folders Exist in the Library Folder. (Automated) - Not Implemented
+
+  # 5.2.1 Ensure Password Account Lockout Threshold Is Configured. (Automated)
+  - id: 34048
+    title: "Ensure Password Account Lockout Threshold Is Configured."
+    description: "The account lockout threshold specifies the amount of times a user can enter an incorrect password before a lockout will occur. Ensure that a lockout threshold is part of the password policy on the computer."
+    rationale: "The account lockout feature mitigates brute-force password attacks on the system."
+    impact: "The number of incorrect log on attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user log on. The locked account will auto-unlock after a few minutes when bad password attempts stop. The computer will accept the still-valid password if remembered or recovered."
+    remediation: 'Terminal Method: Run the following command to set the maximum number of failed login attempts to less than or equal to 5: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=<value<5>" $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "policyAttributeMinutesUntilFailedAuthenticationReset=<value<15>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxFailedLoginAttempts=5" /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "policyAttributeMinutesUntilFailedAuthenticationReset=15" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is maxFailedAttempts 3. The key must be set to <integer><value<5></integer> 4. The key to include is minutesUntilFailedLoginReset 5. The key must be set to <integer><value<15></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    references:
+      - "https://workbench.cisecurity.org/communities/113"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:maxFailedLoginAttempts=(\d+) compare <= 5'
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:policyAttributeMinutesUntilFailedAuthenticationReset=(\d+) compare >= 15'
+
+  # 5.2.2 Ensure Password Minimum Length Is Configured. (Automated)
+  - id: 34049
+    title: "Ensure Password Minimum Length Is Configured."
+    description: "A minimum password length is the fewest number of characters a password can contain to meet a system's requirements. Ensure that a minimum of a 15-character password is part of the password policy on the computer. Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating."
+    rationale: "Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system."
+    impact: "Short passwords can be easily attacked."
+    remediation: 'Terminal Method: Run the following command to set the password length to greater than or equal to 15: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "minChars=<value>15>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "minChars=15" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is minLength 3. The key must be set to <integer><value>15></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:minChars=(\d+) compare >= 15'
+
+  # 5.2.3 Ensure Complex Password Must Contain Alphabetic Characters Is Configured. (Manual)
+  - id: 34050
+    title: "Ensure Complex Password Must Contain Alphabetic Characters Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that an Alphabetic character is part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set the that passwords must contain at least one letter: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy - setaccountpolicies "requiresAlpha=<value>1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresAlpha=1" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is requireAlphanumeric 3. The key must be set to <true/> Note: This profile sets a requirement of both an alphabetical and a numeric character. Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:pwpolicy -getaccountpolicies -> r:Contain at least one number and one alphabetic character."
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumLetters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured. (Manual)
+  - id: 34051
+    title: "Ensure Complex Password Must Contain Numeric Character Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that a number or numeric value is part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set passwords to require at least one number: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy - setaccountpolicies "requiresNumeric=<value>1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresNumeric=2" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is requireAlphanumeric 3. The key must be set to <true/> Note: This profile sets a requirement of both an alphabetical and a numeric character. Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:pwpolicy -getaccountpolicies -> r:Contain at least one number and one alphabetic character."
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumNumericCharacters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.5 Ensure Complex Password Must Contain Special Character Is Configured. (Manual) - Not Implemented
+
+  # 5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured. (Manual)
+  - id: 34052
+    title: "Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured."
+    description: "Complex passwords contain one character from each of the following classes: English uppercase letters, English lowercase letters, Westernized Arabic numerals, and non-alphanumeric characters. Ensure that both uppercase and lowercase letters are part of the password policy on the computer."
+    rationale: "The more complex a password, the more resistant it will be against persons seeking unauthorized access to a system."
+    impact: "Password policy should be in effect to reduce the risk of exposed services being compromised easily through dictionary attacks or other social engineering attempts."
+    remediation: 'Terminal Method: Run the following command to set passwords to require at upper and lower case letter: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=<value>1>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "requiresMixedCase=1".'
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh  -c "pwpolicy -getaccountpolicies | grep -A1 minimumMixedCaseCharacters " -> n:>(\d+)< compare >= 1'
+
+  # 5.2.7 Ensure Password Age Is Configured. (Automated)
+  - id: 34053
+    title: "Ensure Password Age Is Configured."
+    description: "Over time, passwords can be captured by third parties through mistakes, phishing attacks, third-party breaches, or merely brute-force attacks. To reduce the risk of exposure and to decrease the incentives of password reuse (passwords that are not forced to be changed periodically generally are not ever changed), users should reset passwords periodically. This control uses 365 days as the acceptable value. Some organizations may be more or less restrictive. This control mainly exists to mitigate against password reuse of the macOS account password in other realms that may be more prone to compromise. Attackers take advantage of exposed information to attack other accounts."
+    rationale: "Passwords should be changed periodically to reduce exposure."
+    impact: "Required password changes will lead to some locked computers requiring admin assistance."
+    remediation: 'Terminal Method: Run the following command to require that passwords expire after at most 365 days: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=<value<525600>" example: $ /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "maxMinutesUntilChangePassword=43200" Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.mobiledevice.passwordpolicy 2. The key to include is maxPINAgeInDays 3. The key must be set to <integer><value>365></integer> Note: The profile method is the preferred method for setting password policy since - setglobalpolicy in pwpolicy is deprecated and will likely be removed in a future macOS release.'
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.3"]
+      - cis_csc_v7: ["16.9"]
+      - cmmc_v2.0: ["IA.L2-3.5.6"]
+      - nist_sp_800-53: ["AC-2(3)"]
+      - pci_dss_v3.2.1: ["8.1.4"]
+      - pci_dss_v4.0: ["8.3.7"]
+    condition: all
+    rules:
+      - 'c:pwpolicy -n /Local/Default -getglobalpolicy -> n:maxMinutesUntilChangePassword=(\d+) compare <= 525601'
+
+  # 5.2.8 Ensure Password History Is Configured. (Automated) - Not Implemented
+  # 5.3.1 Ensure all user storage APFS volumes are encrypted. (Manual) - Not Implemented
+  # 5.3.2 Ensure all user storage CoreStorage volumes are encrypted. (Manual) - Not Implemented
+
+  # 5.4 Ensure the Sudo Timeout Period Is Set to Zero. (Automated)
+  - id: 34054
+    title: "Ensure the Sudo Timeout Period Is Set to Zero."
+    description: "The sudo command allows the user to run programs as the root user. Working as the root user allows the user an extremely high level of configurability within the system. This control, along with the control to use a separate timestamp for each tty, limits the window where an unauthorized user, process, or attacker could utilize legitimate credentials that are valid for longer than required."
+    rationale: "The sudo command stays logged in as the root user for five minutes before timing out and re-requesting a password. This five-minute window should be eliminated since it leaves the system extremely vulnerable. This is especially true if an exploit were to gain access to the system, since they would be able to make changes as a root user."
+    impact: "This control has a serious impact where users often have to use sudo. It is even more of an impact where users have to use sudo multiple times in quick succession as part of normal work processes. Organizations with that common use case will likely find this control too onerous and are better to accept the risk of not requiring a 0 grace period. In some ways the use of sudo -s, which is undesirable, is better than a long grace period since that use does change the hash to show that it is a root shell rather than a normal shell where sudo commands will be implemented without a password."
+    remediation: "Terminal Method: Run the following command to edit the sudo settings: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name> example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a . so do not add a file extension to the configuration file. Add the line Defaults timestamp_timeout=0 to the configuration file. If /etc/sudoers.d/ is not owned by root or in the wheel group, run the following to change ownership and group: $ /usr/bin/sudo /usr/sbin/chown -R root:wheel /etc/security/sudoers.d/."
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - "c:sudo -V -> r:Authentication timestamp timeout: 0.0 minutes"
+      - "c:stat /etc/sudoers.d -> r:root wheel"
+
+  # 5.5 Ensure a Separate Timestamp Is Enabled for Each User/tty Combo. (Automated)
+  - id: 34055
+    title: "Ensure a Separate Timestamp Is Enabled for Each User/tty Combo."
+    description: "Using tty tickets ensures that a user must enter the sudo password in each Terminal session. With sudo versions 1.8 and higher, introduced in 10.12, the default value is to have tty tickets for each interface so that root access is limited to a specific terminal. The default configuration can be overwritten or not configured correctly on earlier versions of macOS."
+    rationale: "In combination with removing the sudo timeout grace period, a further mitigation should be in place to reduce the possibility of a background process using elevated rights when a user elevates to root in an explicit context or tty. Additional mitigation should be in place to reduce the risk of privilege escalation of background processes."
+    impact: "This control should have no user impact. Developers or installers may have issues if background processes are spawned with different interfaces than where sudo was executed."
+    remediation: "Terminal Method: Run the following command to edit the sudo settings: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/<configuration file name> example: $ /usr/bin/sudo /usr/sbin/visudo -f /etc/sudoers.d/10_cissudoconfiguration Note: Unlike other Unix and/or Linux distros, macOS will ignore configuration files in the sudoers.d folder that contain a . so do not add a file extension to the configuration file. Add the line Defaults timestamp_type=tty to the configuration file. Note: The Defaults timestamp_type=tty line can be added to an existing configuration file or a new one. That will depend on your organization's preference and works either way."
+    references:
+      - "https://github.com/jorangreef/sudo-prompt/issues/33"
+    compliance:
+      - cis: ["5.5"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - "c:sudo -V -> r:Type of authentication timestamp record: tty"
+
+  # 5.6 Ensure the "root" Account Is Disabled. (Automated)
+  - id: 34056
+    title: "Ensure the 'root' Account Is Disabled."
+    description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some versions of Linux, the system administrator may commonly use the root account to perform administrative functions."
+    rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+    impact: "Some legacy POSIX software might expect an available root account."
+    remediation: "Graphical Method: Perform the following steps to ensure that the root user is disabled: 1. Open /System/Library/CoreServices/Applications/Directory Utility 2. Click the lock icon to unlock the service 3. Click Edit in the menu bar 4. Click Disable Root User Terminal Method: Run the following command to disable the root user: $ /usr/bin/sudo /usr/sbin/dsenableroot -d username = root user password:."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority"
+
+  # 5.7 Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session. (Automated)
+  - id: 34057
+    title: "Ensure an Administrator Account Cannot Login to Another User's Active and Locked Session."
+    description: "macOS has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+    rationale: "Disabling the administrator's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+    impact: "While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows."
+    remediation: "Terminal Method: Run the following command to disable a user logging into another user's active and/or locked session: $ /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui YES (0)."
+    references:
+      - "https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/"
+      - "https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver"
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - "c:security authorizationdb read system.login.screensaver -> r:use-login-window-ui"
+
+  # 5.8 Ensure a Login Window Banner Exists. (Automated)
+  - id: 34058
+    title: "Ensure a Login Window Banner Exists."
+    description: "A Login window banner warning informs the user that the system is reserved for authorized use only. It enforces an acknowledgment by the user that they have been informed of the use policy in the banner if required. The system recognizes either the .txt and the .rtf formats."
+    rationale: "An access warning may reduce a casual attacker's tendency to target the system. Access warnings may also aid in the prosecution of an attacker by evincing the attacker's knowledge of the system's private status, acceptable use policy, and authorization requirements."
+    impact: "Users will have to click on the window with the Login text before logging into the computer."
+    remediation: "Terminal Method: Run the following commands to create or edit the login window text and set the proper permissions: Edit (or create) a PolicyBanner.txt or PolicyBanner.rtf file, in the /Library/Security/ folder, to include the required login window banner text. Perform the following to set permissions on the policy banner file: $ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.txt $ /usr/bin/sudo /usr/sbin/chown o+r /Library/Security/PolicyBanner.rtf Note: If your organization uses an .rtfd file to set the policy banner, run $ /usr/bin/sudo /usr/sbin/chown -R o+rx /Library/Security/PolicyBanner.rtfd to update the permissions."
+    references:
+      - "https://support.apple.com/en-au/HT202277"
+    compliance:
+      - cis: ["5.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/Library/Security -> r:^PolicyBanner"
+      - 'c:stat -f %A /Library/Security/PolicyBanner.* -> r:\d\d4'
+
+  # 5.9 Ensure the Guest Home Folder Does Not Exist. (Automated)
+  - id: 34059
+    title: "Ensure the Guest Home Folder Does Not Exist."
+    description: "In the previous two controls, the guest account login has been disabled and sharing to guests has been disabled, as well. There is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed, you have the option to archive it, leave it in place, or delete. In the case of the guest folder, the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed, it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders, as well. Rather than ignoring the folder's continued existence, it is best removed."
+    rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+    impact: "The Guest account should not be necessary after it is disabled, and it will be automatically re-created if the Guest account is re-enabled."
+    remediation: "Terminal Method: Run the following command to remove the Guest user home folder: $ /usr/bin/sudo /bin/rm -R /Users/Guest."
+    compliance:
+      - cis: ["5.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "not d:/Users/Guest"
+
+  # 5.10 Ensure XProtect Is Running and Updated. (Automated)
+  - id: 34060
+    title: "Ensure XProtect Is Running and Updated."
+    description: "XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware is completely integrated into the OS. No matter what other tools are being used XProtect should have the latest signatures available."
+    rationale: "Apple creates signatures for known malware that actually effects Macs and that knowledge should be leveraged."
+    impact: "Some organizations may have effective Mac OS anti-malware tools that XProtect conflicts with."
+    remediation: "Terminal Method: Run the following command to enable and update XProtect: $ sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.pl ist $ sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.Plugi nService.plist $ sudo /usr/sbin/softwareupdate -l --background-critical softwareupdate[97180]: Triggering a background check with forced scan (critical and config-data updates only) ... Note: Xprotect can only be enabled/disabled if SIP (System Integrity Protection) is disabled. If Xprotect is disabled, the system might be compromised and needs to be investigated."
+    references:
+      - "https://eclecticlight.co/2021/10/27/silently-updated-security-data-files-in-monterey/"
+      - "https://eclecticlight.co/2020/12/14/silently-updated-security-data-files-in-big-sur/"
+      - "https://eclecticlight.co/2019/10/17/security-data-files-how-theyve-changed-in-catalina/"
+      - "https://eclecticlight.co/2022/05/12/apple-has-pushed-an-update-to-xprotect-21/"
+      - "https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web"
+      - "https://eclecticlight.co/2023/06/12/malware-detection-and-remediation-by-xprotect-remediator/"
+    compliance:
+      - cis: ["5.10"]
+      - cis_csc_v8: ["10.1", "10.2", "10.5"]
+      - cis_csc_v7: ["8.2", "8.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.2", "SI.L1-3.14.4"]
+      - hipaa: ["164.308(a)(5)(ii)(B)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4", "11.4", "5.1", "5.1.1", "5.2"]
+      - pci_dss_v4.0: ["5.1.1", "5.2.1", "5.2.2", "5.3.1", "5.3.2"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:sh -c "launchctl list | grep -c com.apple.XProtect.daemon.scan" -> r:^1$'
+      - 'c:sh -c "launchctl list | grep -c com.apple.XProtect.daemon.scan.startup" -> r:^1$'
+
+  # 6.1.1 Ensure Show All Filename Extensions Setting is Enabled. (Automated) - Not Implemented
+  # 6.2.1 Ensure Protect Mail Activity in Mail Is Enabled. (Manual) - Not Implemented
+  # 6.3.1 Ensure Automatic Opening of Safe Files in Safari Is Disabled. (Automated) - Not Implemented
+  # 6.3.2 Audit History and Remove History Items. (Manual) - Not Implemented
+  # 6.3.3 Ensure Warn When Visiting A Fraudulent Website in Safari Is Enabled. (Automated)
+  # 6.3.4 Ensure Prevent Cross-site Tracking in Safari Is Enabled. (Automated) - Not Implemented
+  # 6.3.5 Audit Hide IP Address in Safari Setting. (Manual) - Not Implemented
+  # 6.3.6 Ensure Advertising Privacy Protection in Safari Is Enabled. (Automated) - Not Implemented
+  # 6.3.7 Ensure Show Full Website Address in Safari Is Enabled. (Automated) - Not Implemented
+  # 6.3.8 Audit Autofill. (Manual) - Not Implemented
+  # 6.3.9 Ensure Pop-up Windows Are Blocked. (Automated) - Not Implemented
+  # 6.3.10 Ensure Javascript Is Enabled. (Manual) - Not Implemented
+  # 6.3.11 Ensure Show Status Bar Is Enabled. (Automated) - Not Implemented
+  # 6.4.1 Ensure Secure Keyboard Entry Terminal.app Is Enabled. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/debian/cis_debian10.yml b/etc/ruleset/sca/debian/cis_debian10.yml
new file mode 100644
index 0000000000..6d3e3473ab
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian10.yml
@@ -0,0 +1,3397 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 10
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 10 Benchmark v1.0.0 - 02-13-2020
+
+policy:
+  id: "cis_debian10"
+  file: "cis_debian10.yml"
+  name: "CIS Debian Linux 10 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 10."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version"
+  description: "Requirements for running the SCA scan against Debian/Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/debian_version"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  ############################################################
+  # 1 Initial Setup
+  ############################################################
+
+  # 1.1 Filesystem configuration
+  - id: 2500
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 2501
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 2502
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 2503
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vi /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 2504
+    title: "Ensure mounting of squashfs filesystems is disabled"
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf  Example: vi /etc/modprobe.d/squashfs.confand add the following line: install squashfs /bin/true  Run the following command to unload the squashfsmodule: # rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  - id: 2505
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  - id: 2506
+    title: "Ensure mounting of FAT filesystems is disabled"
+    description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/vfat.conf: install vfat /bin/true. Run the following command to unload the vfat module: rmmod vfat"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v vfat -> r:install /bin/true|Module vfat not found"
+      - "not c:lsmod -> r:vfat"
+
+  # 1.1.x Filesystem Configuration
+  - id: 2507
+    title: "Ensure /tmp is configured"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 2508
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp     OR      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodevto the /tmp mount options:  [Mount]   Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp:  # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 2509
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp       OR          Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuidto the /tmp mount options:[Mount]  Options=mode=1777,strictatime,noexec,nodev,nosuid  Run the following command to remount /tmp:# mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 2510
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add noexecto the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp       OR      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexecto the /tmp mount options:  [Mount]  Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp: # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  - id: 2511
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 2512
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 2513
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 2514
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 2515
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 2516
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 2517
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 2518
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 2519
+    title: "Ensure nodev option set on /home partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 2520
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://manpages.debian.org/buster/initscripts/tmpfs.5.en.html
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  - id: 2521
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  - id: 2522
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  - id: 2523
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run one of the following commands:  Run the following command to disable autofs: # systemctl --now disable autofs    OR  Run the following command to remove autofs:  # apt purge autofs"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> enabled"
+
+  - id: 2524
+    title: "Disable USB Storage"
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/usb_storage.conf and add the following line: # install usb-storage /bin/true . Run the following command to unload the usb-storage module: # rmmod usb-storage"
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  # 1.3 Configure Sudo
+
+  - id: 2525
+    title: "Ensure sudo is installed"
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Install sudo using the following command. # apt install sudo OR # apt install sudo-ldap"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.sudo.ws/
+    condition: any
+    rules:
+      - "c:dpkg -s sudo -> r:install ok installed"
+      - "c:dpkg -s sudo-ldap -> r:install ok installed"
+
+  - id: 2526
+    title: "Ensure sudo commands use pty"
+    description: "sudo can be configured to run only froma pseudo-pty"
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing."
+    remediation: "edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line: Defaults use_pty"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  - id: 2527
+    title: "Ensure sudo log file exists"
+    description: "sudo can use a custom log file"
+    rationale: "A sudo log file simplifies auditing of sudo commands"
+    remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line:   Defaults logfile="<PATH TO CUSTOM LOG FILE>"   Example    Defaults logfile="/var/log/sudo.log"'
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 1.4 Filesystem Integrity Checking
+  - id: 2528
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE: # apt install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit .  Notes: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 2529
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check, run the following command:    # crontab -u root -e    Add the following line to the crontab:    0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer
+    condition: all
+    rules:
+      - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
+      - "c:crontab -u root -l -> r:aide"
+
+  # 1.5 Secure Boot Settings
+  - id: 2530
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2531
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub-mkpasswd-pbkdf2     Enter password: <password>      Reenter password: <password> PBKDF2 hash of your password is <encrypted-password> Add the following into a custom /etc/grub.d configuration file: cat <<EOF     set superusers="<username>"   password_pbkdf2 <username> <encrypted-password>      EOF     The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS=  Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 2532
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.6 Additional Process Hardening
+
+  - id: 2533
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "journalctl | grep \"protection: active\"" -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 2534
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 2535
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  - id: 2536
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  # 1.7 Mandatory Access Control
+
+  - id: 2537
+    title: "Ensure AppArmor is installed"
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Install Apparmor. # apt install apparmor # apt install apparmor-utils"
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s apparmor-utils -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  - id: 2538
+    title: "Ensure AppArmor is enabled in the bootloader configuration"
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line   GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"      Run the following command to update the grub2 configuration # update-grub    Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor'
+
+  - id: 2539
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode"
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/*   OR   Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:apparmor_status -> r:0 processes are unconfined"
+
+  - id: 2540
+    title: "Ensure all AppArmor Profiles are enforcing"
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  # 1.8 Warning Banners
+  - id: 2541
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd"
+    compliance:
+      - cis: ["1.8.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+      - "not f:/etc/motd"
+
+  - id: 2542
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.8.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 2543
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.8.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 2544
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd"
+    compliance:
+      - cis: ["1.8.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2545
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue"
+    compliance:
+      - cis: ["1.8.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2546
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net"
+    compliance:
+      - cis: ["1.8.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2547
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]"
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true"
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+
+  - id: 2548
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt -s upgrade -> r:^The following packages will be upgraded"
+
+  ############################################################
+  # 2 Services
+  ############################################################
+
+  - id: 2549
+    title: "Ensure xinetd is not installed"
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed."
+    remediation: "Run the following command to remove xinetd: # apt purge xinetd"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s xinetd -> r:install ok installed"
+
+  - id: 2550
+    title: "Ensure openbsd-inetd is not installed"
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following command to uninstall openbsd-inetd: apt purge openbsd-inetd"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+
+  - id: 2551
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: 'On systems where host based time synchronization is not available, configure systemd-timesyncd. If "full featured" and/or encrypted time synchronization is required, install chrony or NTP. To install chrony: # apt install chrony To install ntp: # apt install ntp On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.'
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+      - "c:systemctl is-enabled systemd-timesyncd -> enabled"
+
+  - id: 2552
+    title: "Ensure systemd-timesyncd is configured"
+    description: 'systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group "systemd- timesync" needs to be created on installation of systemd. Note: The systemd-timesyncd service specifically implements only SNTP. This minimalistic service will set the system clock for large offsets or slowly adjust it for smaller deltas. More complex use cases are not covered by systemd-timesyncd. This recommendation only applies if timesyncd is in use on the system.'
+    rationale: "Proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if timesyncd is in use on the system."
+    remediation: "Run the following command to enable systemd-timesyncd   # systemctl enable systemd-timesyncd.service  ||  Edit the file /etc/systemd/timesyncd.conf and add/modify the following lines:   NTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org   FallbackNTP=2.debian.pool.ntp.org 3.debian.pool.ntp.org    RootDistanceMax=1  || Run the following commands to start systemd-timesyncd.service   # systemctl start systemd-timesyncd.service   # timedatectl set-ntp true  || Notes: Servers listed and RootDistanceMax should be In Accordance With Local Policy some versions of systemd have been compiled without systemd-timesycnd. On these distributions, chrony or NTP should be used instead of systemd-timesycnd. Not all options are available on all versions of systemd-timesyncd"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd.service -> enabled"
+
+  - id: 2553
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server> Configure chrony to run as the chrony user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in /etc/init.d or /etc/systemd ."
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony/chrony.conf -> r:^server\.+|^pool\.+'
+
+  - id: 2554
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.4"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 2555
+    title: "Ensure the X Window system is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 2556
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Run the following command to disable avahi-daemon: # systemctl --now disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> enabled"
+
+  - id: 2557
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl --now disable cups"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> enabled"
+
+  - id: 2558
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dhcpd: # systemctl --now disable isc-dhcp-server # systemctl --now disable isc-dhcp-server6"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled isc-dhcp-server -> enabled"
+      - "c:systemctl is-enabled isc-dhcp-server6 -> enabled"
+
+  - id: 2559
+    title: "Ensure LDAP server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # systemctl --now disable slapd"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled slapd -> enabled"
+
+  - id: 2560
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind: # systemctl --now disable nfs-server # systemctl --now disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs-server -> enabled"
+      - "c:systemctl is-enabled rpcbind -> enabled"
+
+  - id: 2561
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # systemctl --now disable bind9"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled bind9 -> enabled"
+
+  - id: 2562
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # systemctl --now disable vsftpd"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> enabled"
+
+  - id: 2563
+    title: "Ensure HTTP Server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # systemctl --now disable apache2"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> enabled"
+
+  - id: 2564
+    title: "Ensure email services are not enabled"
+    description: "dovecot is an open source mail submission and transport server for Linux based systems."
+    rationale: "Unless mail transport services are to be provided by this system, it is recommended that the service be disabled or deleted to reduce the potential attack surface."
+    remediation: "Run one of the following commands to disable dovecot : # systemctl --now disable dovecot"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled dovecot -> enabled"
+
+  - id: 2565
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable smbd: # systemctl --now disable smbd"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smbd -> enabled"
+
+  - id: 2566
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # systemctl --now disable squid"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> enabled"
+
+  - id: 2567
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl --now disable snmpd"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> enabled"
+
+  - id: 2568
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/exim4/update-exim4.conf.conf and and or modify following lines to look like the lines below: dc_eximconfig_configtype='local' dc_local_interfaces='127.0.0.1 ; ::1' dc_readhost='' dc_relay_domains='' dc_minimaldns='false' dc_relay_nets='' dc_smarthost='' dc_use_split_config='false' dc_hide_mailname='' dc_mailname_in_oh='true' dc_localdelivery='mail_spool' Restart exim4: # systemctl restart exim4"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 2569
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # systemctl --now disable rsync"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled rsync -> enabled"
+
+  - id: 2570
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable nis: # systemctl --now disable nis"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nis -> enabled"
+
+  - id: 2571
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall nis : apt purge nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 2572
+    title: "Ensure rsh client is not installed"
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Uninstall rsh : apt purge rsh-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+
+  - id: 2573
+    title: "Ensure talk client is not installed"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Uninstall talk : apt purge talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 2574
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Uninstall telnet : # apt purge telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 2575
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Uninstall ldap-utils : # apt purge ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  ############################################################
+  # 3 Network Configuration
+  ############################################################
+  ############################################################
+  # 3.1 Disable unused network protocols and devices
+  ############################################################
+
+  # 3.1.1 Disable IPv6 (Not Scored)
+  - id: 2576
+    title: "Disable IPv6"
+    description: "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented."
+    rationale: "If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+    remediation: 'Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.6", "CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:ipv6.disable=1'
+
+  # 3.1.2 Ensure wireless interfaces are disabled (Scored)
+  - id: 2577
+    title: "Ensure wireless interfaces are disabled"
+    description: "Wireless networking is used when wired networks are unavailable. Debian contains a wireless tool kit to allow system administrators to configure and use wireless networks."
+    rationale: "If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable any wireless interfaces: # nmcli radio all off"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["15.4", "15.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.6"]
+    references:
+      - nmcli(1) - Linux man page
+    condition: all
+    rules:
+      - "c:nmcli radio wifi -> r:^disabled"
+      - "c:nmcli radio wwan -> r:^disabled"
+  ##########################################################
+  # 3.2 Network Parameters
+  ##########################################################
+  # 3.2.1 Ensure packet redirect sending is disabled
+  - id: 2578
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+  # 3.2.2 Ensure IP forwarding is disabled
+  - id: 2579
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Run the following command to restore the default parameter and set the active kernel parameter: # grep -Els \"^\\s*net\\.ipv4\\.ip_forward\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv4\\.ip_forward\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 IF IPv6 is enabled: Run the following command to restore the default parameter and set the active kernel parameter: # grep -Els \"^\\s*net\\.ipv6\\.conf\\.all\\.forwarding\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv6\\.conf\\.all\\.forwarding\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+
+  #############################################################
+  # 3.3 Network Parameters
+  #############################################################
+  # 3.3.1 Ensure source routed packets are not accepted
+  - id: 2580
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is enabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.3.2 Ensure ICMP redirects are not accepted
+  - id: 2581
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is enabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.3.3 Ensure secure ICMP redirects are not accepted
+  - id: 2582
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.3.4 Ensure suspicious packets are logged (Scored)
+  - id: 2583
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored
+  - id: 2584
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored (Scored)
+  - id: 2585
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
+  - id: 2586
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
+  - id: 2587
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
+  - id: 2588
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  #####################################################################
+  # 3.4 Uncommon Network Protocols
+  #####################################################################
+  # 3.4.1 Ensure DCCP is disabled (Scored)
+  - id: 2589
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  # 3.4.2 Ensure SCTP is disabled (Scored)
+  - id: 2590
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  # 3.4.3 Ensure RDS is disabled (Scored)
+  - id: 2591
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  # 3.4.4 Ensure TIPC is disabled (Scored)
+  - id: 2592
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  #################################################################
+  # 3.5 Firewall configuration
+  #################################################################
+  #################################################################
+  # 3.5.1 Ensure Firewall software is installed
+  #################################################################
+  # 3.5.1.1 Ensure a Firewall package is installed (Scored)
+  - id: 2593
+    title: "Ensure a Firewall package is installed"
+    description: "A Firewall package should be selected. Most firewall configuration utilities operate as a front end to nftables or iptables."
+    rationale: "A Firewall package is required for firewall management and configuration."
+    remediation: "Run one of the following commands to install the Firewall package that follows local site policy: To install UFW , run the following command: # apt install ufw To install nftables , run the following command: # apt install nftables To install iptables , run the following command: # apt install iptables"
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg -s ufw -> r:Status: install ok installed"
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - "c:dpkg -s iptables -> r:Status: install ok installed"
+  #################################################################
+  # 3.5.2 Configure UncomplicatedFirewall
+  #################################################################
+  # 3.5.2.1 Ensure ufw service is enabled (Scored)
+  - id: 2594
+    title: "Ensure ufw service is enabled"
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Ensure that the ufw service is enabled to protect your system."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system"
+    remediation: "Run the following command to enable ufw: # ufw enable"
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    reference:
+      - "http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html"
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ufw -> enabled"
+      - "c:ufw status -> Status: active"
+
+  # 3.5.2.2 Ensure default deny firewall policy (Scored)
+  - id: 2595
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed"
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(incoming)|reject\W+(incoming)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(outgoing)|reject\W+(outgoing)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(routed)|reject\W+(routed)'
+
+  # 3.5.2.3 Ensure loopback traffic is configured (Scored)
+  - id: 2596
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # sudo ufw deny in from 127.0.0.0/8 # sudo ufw deny in from ::1"
+    compliance:
+      - cis: ["3.5.2.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:Anywhere on lo\s*\t*ALLOW IN\s*\t*Anywhere'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*DENY IN\s*\t*127.0.0.0/8'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\) on lo\s*\t*ALLOW IN\s*\t*Anywhere \(v6\)'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*DENY IN\s*\t*::1'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*ALLOW OUT\s*\t*Anywhere on lo'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*ALLOW OUT\s*\t*Anywhere \(v6\) on lo'
+
+  ######################################################################
+  # 3.5.3 Configure nftables
+  ######################################################################
+
+  # 3.5.3.2 Ensure a table exists (Scored)
+  - id: 2597
+    title: "Ensure a table exists"
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    remediation: "Run the following command to create a table in nftables: # nft create table inet <table name> .Example: # nft create table inet filter"
+    compliance:
+      - cis: ["3.5.3.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.5.3.3 Ensure base chains exist (Scored)
+  - id: 2598
+    title: "Ensure base chains exist"
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } . Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0\\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }"
+    compliance:
+      - cis: ["3.5.3.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.5.3.6 Ensure default deny firewall policy (Scored)
+  - id: 2599
+    title: "Ensure default deny firewall policy"
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept , the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } . Example: # nft chain inet filter input { policy drop \\; } ; # nft chain inet filter forward { policy drop \\; } and # nft chain inet filter output { policy drop \\; }"
+    compliance:
+      - cis: ["3.5.3.6"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.5.3.7 Ensure nftables service is enabled (Scored)
+  - id: 2600
+    title: "Ensure nftables service is enabled"
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables"
+    compliance:
+      - cis: ["3.5.3.7"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> enabled"
+
+  #######################################################################
+  # 3.5.4 Configure iptables
+  #######################################################################
+  #######################################################################
+  # 3.5.4.1 Configure IPv4 iptables
+  #######################################################################
+  # 3.5.4.1.1 Ensure default deny firewall policy (Scored)
+  - id: 2601
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP; # iptables -P OUTPUT DROP; # iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.5.4.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)|Chain INPUT \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)|Chain FORWARD \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.5.4.1.2 Ensure loopback traffic is configured (Scored)
+  - id: 2602
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.5.4.1.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  #########################################################################
+  # 3.5.4.2 Configure IPv6 ip6tables
+  #########################################################################
+  # 3.5.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+  - id: 2603
+    title: "Ensure IPv6 default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.4.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.5.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+  - id: 2604
+    title: "Ensure IPv6 loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP"
+    compliance:
+      - cis: ["3.5.4.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  ############################################################
+  # 4 Logging and Auditing
+  ############################################################
+
+  - id: 2605
+    title: "Ensure auditd is installed"
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk"
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # apt install auditd audispd-plugins"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["AU.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s auditd -> r:install ok installed"
+      - "c:dpkg -s audispd-plugins -> r:install ok installed"
+
+  - id: 2606
+    title: "Ensure auditd service is enabled"
+    description: "Enable and start the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - nist_800_53: ["AU.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> enabled"
+
+  - id: 2607
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - nist_800_53: ["AU.2"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  - id: 2608
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["AU.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 2609
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 2610
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 2611
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change'
+
+  - id: 2612
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity'
+
+  - id: 2613
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules and add the following lines: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale      -w /etc/issue -p wa -k system-locale      -w /etc/issue.net -p wa -k system-locale     -w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale     For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules   and add the following lines:  -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale   -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale       -w /etc/issue -p wa -k system-locale          -w /etc/issue.net -p wa -k system-locale           -w /etc/hosts -p wa -k system-locale         -w /etc/network -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale'
+
+  - id: 2614
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
+
+  - id: 2615
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
+
+  - id: 2616
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
+
+  - id: 2617
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+
+  - id: 2618
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/directory ending in .rules  Example: vi /etc/audit/rules.d/audit.rules and add the following lines:    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access    |    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access                    For 64 bit systems Edit or create a file in the /etc/audit/rules.d/directory ending in .rules Example: vi /etc/audit/rules.d/access.rules and add the following lines:                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access     |  -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access     |    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access   |  -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access          Notes: Reloading the auditd config toset active settings requires the auditd service to be restarted, and may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+
+  - id: 2619
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
+
+  - id: 2620
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["6.2", "13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
+
+  - id: 2621
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope'
+
+  - id: 2622
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w <Path to sudo logfile> -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.9"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w \.+ && r:-p wa && r:-k actions'
+
+  - id: 2623
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  - id: 2624
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "d:/etc/audit/rules.d -> r:^99-finalize.rules$"
+      - 'd:/etc/audit/rules.d -> r:^99-finalize.rules$ -> r:^\s*\t*-e 2$'
+
+  # 4.2,1 Configure rsyslog
+  - id: 2625
+    title: "Ensure rsyslog is installed"
+    description: "The rsyslog software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslogsuch as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog: # apt install rsyslog"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+  - id: 2626
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> enabled"
+
+  - id: 2627
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 2628
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines: Newer syntax: <files to sent to the remote log server> action(type="omfwd" target="<FQDN or ip of loghost>" port="<port number>" protocol="tcp" ction.resumeRetryCount="<number of re-tries>"  queue.type="linkList" queue.size=<number of messages to queue>") Example: *.* action(type="omfwd" target="192.168.2.100" port"514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkList" queue.size="1000") Older syntax: *.* @@<FQDN or ip of loghost>'
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.* /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* action\.+target='
+
+  - id: 2629
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines: $ModLoad imtcp        $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Scored)
+  - id: 2630
+    title: "Ensure journald is configured to send logs to rsyslog"
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.5"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.9", "AU.4"]
+      - tsc: ["CC5.2", "CC7.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files (Scored)
+  - id: 2631
+    title: "Ensure journald is configured to compress large log files"
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line:   Compress=yes"
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*=\s*yes'
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
+  - id: 2632
+    title: "Ensure journald is configured to write logfiles to persistent disk"
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line:   Storage=persistent"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*=\s*persistent'
+
+  # 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+  - id: 2633
+    title: "Ensure permissions on all logfiles are configured"
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitivebdata is archived and protected."
+    remediation: 'Run the following command to set permissions on all existing log files: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC7.2"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  - id: 2634
+    title: "Ensure logrotate assigns appropriate permissions"
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit /etc/logrotate.conf and update the create line to read 0640 or more restrictive, following local site policy   Example: create 0640 root utmp"
+    compliance:
+      - cis: ["4.4"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'f:/etc/logrotate.conf -> r:^\s*\t*create\s*\t*0\d40|^\s*\t*create\s*\t*0\d00 && r:^\s*\t*create\s*\t*06\d0|^\s*\t*create\s*\t*04\d0|^\s*\t*create\s*\t*02\d0|^\s*\t*create\s*\t*00\d0'
+
+  ############################################################
+  # 5 Access, Authentication and Authorization
+  ############################################################
+  ############################################################
+  # 5.1 Configure cron
+  ############################################################
+  - id: 2635
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: systemctl --now enable cron"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 2636
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 2637
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 2638
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 2639
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 2640
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 2641
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+  - id: 2642
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d\d0/\w\w\w\w\w-----\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d\d0/\w\w\w\w\w-----\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ######################################################
+  # 5.2 SSH Server Configuration
+  ######################################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
+  - id: 2643
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured (Scored)
+  - id: 2644
+    title: "Ensure permissions on SSH private host key files are configured"
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated"
+    remediation: "Run the following commands to set ownership and permissions on the private SSH host key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \\;"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/ssh_host_rsa_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ecdsa_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ed25519_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured (Scored)
+  - id: 2645
+    title: "Ensure permissions on SSH public host key files are configured"
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \\; #find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/ssh_host_rsa_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ecdsa_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ed25519_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.4 Ensure SSH Protocol is not set to 1 (Scored)
+  - id: 2646
+    title: "Ensure SSH Protocol is not set to 1"
+    description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2. Notes: This command not longer exists in newer versions of SSH. This check is still being included for systems that may be running an older version of SSH. As of openSSH version 7.4 this parameter will not cause an issue when included."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["4.5", "14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: none
+    rules:
+      - 'c:sshd -T -> r:Protocol\s*\t*1'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+  - id: 2647
+    title: "Ensure SSH LogLevel is appropriate"
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
+
+  # 5.2.6 Ensure SSH X11 forwarding is disabled (Scored)
+  - id: 2648
+    title: "Ensure SSH X11 forwarding is disabled"
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:X11Forwarding\s+no'
+
+  # 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+  - id: 2649
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+  - id: 2650
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:IgnoreRhosts\s+yes'
+
+  # 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+  - id: 2651
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:HostbasedAuthentication\s+no'
+
+  # 5.2.10 Ensure SSH root login is disabled (Scored)
+  - id: 2652
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitRootLogin\s+no'
+
+  # 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+  - id: 2653
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitEmptyPasswords\s+no'
+
+  # 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+  - id: 2654
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitUserEnvironment\s+no'
+
+  # 5.2.13 Ensure only strong Ciphers are used (Scored)
+  - id: 2655
+    title: "Ensure only strong ciphers are used"
+    description: "This variable limits the ciphers that SSH can use during communication."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 5.2.14 Ensure only strong MAC algorithms are used (Scored)
+  - id: 2656
+    title: "Ensure only strong MAC algorithms are used"
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used (Scored)
+  - id: 2657
+    title: "Ensure only strong Key Exchange algorithms are used"
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received"
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks"
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.2.16 Ensure SSH Idle Timeout Interval is configured (Scored)
+  - id: 2658
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'c:sshd -T -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 2659
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  # 5.2.18 Ensure SSH access is limited (Scored)
+  - id: 2660
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  # 5.2.19 Ensure SSH warning banner is configured (Scored)
+  - id: 2661
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.2.20 Ensure SSH PAM is enabled (Scored)
+  - id: 2662
+    title: "Ensure SSH PAM is enabled"
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*usepam\s+yes'
+
+  # 5.2.21 Ensure SSH AllowTcpForwarding is disabled (Scored)
+  - id: 2663
+    title: "Ensure SSH AllowTcpForwarding is disabled"
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no"
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://www.ssh.com/ssh/tunneling/example
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowTcpForwarding\s+no'
+
+  - id: 2664
+    title: "Ensure SSH MaxStartups is configured"
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60"
+    compliance:
+      - cis: ["5.2.22"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*maxstartups\s+10:30:60'
+
+  # 5.2.23 Ensure SSH MaxSessions is limited (Scored)
+  - id: 2665
+    title: "Ensure SSH MaxSessions is limited"
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxSessions\s+(\d+) compare <= 10'
+
+  ######################################################
+  # 5.3 Configure PAM
+  ######################################################
+  # 5.3.1 Ensure password creation requirements are configured (Scored)
+  - id: 2666
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/pam.d/common-password -> !r:^# && n:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=(\d+) compare <=3'
+
+  # 5.3.2 Ensure lockout for failed password attempts is configured (Scored)
+  - id: 2667
+    title: "Ensure lockout for failed password attempts is configured"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Edit the /etc/pam.d/common-account file and add the account lines below: account    requisite    pam_deny.so      account    required    pam_tally2.so. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user. Notes:BUG In pam_tally2.so To work around this issue the addition of pam_tally2.so in the accounts section of the /etc/pam.d/common-account file has been added to the audit and remediation sections. pam_tally2 line must be added for the counter to reset to 0 when using sudo.     Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.'
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*requisite\s*\t*pam_deny.so'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*required\s*\t*pam_tally2.so'
+
+  # 5.3.3 Ensure password reuse is limited (Scored)
+  - id: 2668
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 2669
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  ####################################################
+  # 5.4 User Accounts and Environment
+  ####################################################
+  ####################################################
+  # 5.4.1 Set Shadow Password Suite Parameters
+  ####################################################
+  # 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
+  - id: 2670
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  # 5.4.1.2 Ensure minimum days between password changes is configured
+  - id: 2671
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+  - id: 2672
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+  - id: 2673
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+
+  # 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+  - id: 2674
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 2675
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 2676
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: readonly TMOUT=900 ; export TMOUT . Note that setting the value to readonly prevents unwanted modification during runtime."
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not d:/etc/profile.d -> .sh -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/bash.bashrc -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'd:/etc/profile.d -> .sh -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/bash.bashrc -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.6 Ensure access to the su command is restricted (Scored)
+  - id: 2677
+    title: "Ensure access to the su command is restricted"
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group='
+
+  ############################################################
+  # 6 System Maintenance
+  ############################################################
+
+  ############################################################
+  # 6.1 System File Permissions
+  ############################################################
+  # 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+  - id: 2678
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/gshadow- are configured (Scored)
+  - id: 2679
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-wx /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured (Scored)
+  - id: 2680
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the one following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured (Scored)
+  - id: 2681
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+  - id: 2682
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod u-x,go-rwx /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+  - id: 2683
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/shadow- : # chown root:shadow /etc/shadow- # chmod u-x,go-rwx /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+  - id: 2684
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-rwx /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
+  - id: 2685
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  ####################################################
+  # 6.2 User and Group Settings
+  ####################################################
+
+  # 6.2.1 Ensure password fields are not empty (Scored)
+  - id: 2686
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+  - id: 2687
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+  - id: 2688
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+  - id: 2689
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 6.2.6 Ensure root is the only UID 0 account (Scored)
+  - id: 2690
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.20 Ensure shadow group is empty (Scored)
+  - id: 2691
+    title: "Ensure shadow group is empty"
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/debian/cis_debian11.yml b/etc/ruleset/sca/debian/cis_debian11.yml
new file mode 100644
index 0000000000..1593fa727e
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian11.yml
@@ -0,0 +1,5033 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 11
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 11 Benchmark v1.0.0 - 09-22-2022
+
+policy:
+  id: "cis_debian11"
+  file: "cis_debian11.yml"
+  name: "CIS Debian Linux 11 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 11."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version."
+  description: "Requirements for running the SCA scan against Debian Linux 11."
+  condition: all
+  rules:
+    - "f:/etc/debian_version -> r:11."
+    - "f:/proc/sys/kernel/ostype -> r:Linux"
+    - "f:/etc/os-release -> r:NAME= && r:Debian"
+    - "f:/etc/os-release -> r:VERSION= && r:11"
+
+checks:
+  ############################################################
+  # 1 Initial Setup
+  ############################################################
+
+  ############################################################
+  # 1.1 Filesystem configuration
+  ############################################################
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) - Not implemented
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) - Not implemented
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated) - Not implemented
+
+  ############################################################
+  # 1.1.2 Configure /tmp
+  ############################################################
+
+  # 1.1.2.1 Ensure /tmp is a separate partition (Automated)
+  - id: 29500
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount. For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0. Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs."
+    references:
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+      - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s+'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition (Automated)
+  - id: 29501
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s+ && r:nodev'
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition (Automated)
+  - id: 29502
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s+ && r:noexec'
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition (Automated)
+  - id: 29503
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s+ && r:nosuid'
+
+  ############################################################
+  # 1.1.3 Configure /var
+  ############################################################
+
+  # 1.1.3.1 Ensure separate partition exists for /var (Automated)
+  - id: 29504
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0006"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s+'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition (Automated)
+  - id: 29505
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s+ && r:nodev'
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition (Automated)
+  - id: 29506
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s+ && r:nosuid'
+
+  ############################################################
+  # 1.1.4 Configure /var/tmp
+  ############################################################
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp (Automated)
+  - id: 29507
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. - Fine grained control over the mount: Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s+'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated)
+  - id: 29508
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s+ && r:noexec'
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated)
+  - id: 29509
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s+ && r:nosuid'
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated)
+  - id: 29510
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s+ && r:nodev'
+
+  ############################################################
+  # 1.1.5 Configure /var/log
+  ############################################################
+  # 1.1.5.1 Ensure separate partition exists for /var/log (Automated)
+  - id: 29511
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. - Fine grained control over the mount: Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of log data: As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s+'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition (Automated)
+  - id: 29512
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s+ && r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition (Automated)
+  - id: 29513
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s+ && r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition (Automated)
+  - id: 29514
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s+ && r:nosuid'
+
+  ############################################################
+  # 1.1.6 Configure /var/log/audit
+  ############################################################
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated)
+  - id: 29515
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of audit data: As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s+'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated)
+  - id: 29516
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:^/var/log/audit && r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated)
+  - id: 29517
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:^/var/log/audit && r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated)
+  - id: 29518
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:^/var/log/audit && r:nosuid"
+
+  ############################################################
+  # 1.1.7 Configure /home
+  ############################################################
+
+  # 1.1.7.1 Ensure separate partition exists for /home (Automated)
+  - id: 29519
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. - Fine grained control over the mount: Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of user data: As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s+'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition (Automated)
+  - id: 29520
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s+ && r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition (Automated)
+  - id: 29521
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s+ && r:nosuid'
+
+  ############################################################
+  # 1.1.8 Configure /dev/shm
+  ############################################################
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition (Automated)
+  - id: 29522
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s+ && r:nodev'
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition (Automated)
+  - id: 29523
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm. NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:^/dev/shm && r:noexec"
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition (Automated)
+  - id: 29524
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:^/dev/shm && r:nosuid"
+
+  # 1.1.9 Disable Automounting (Automated)
+  - id: 29525
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # apt purge autofs OR if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1068", "T1203", "T1211", "T1212"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service: No such file or directory"
+      - "c:systemctl is-enabled autofs -> r:disabled"
+
+  # 1.1.10 Disable USB Storage (Automated) - Not implemented
+
+  ############################################################
+  # 1.2 Configure Software Updates
+  ############################################################
+
+  # 1.2.1 Ensure package manager repositories are configured (Manual)"
+
+  # 1.2.2 Ensure GPG keys are configured (Manual)
+
+  ############################################################
+  # 1.3 Filesystem Integrity Checking
+  ############################################################
+
+  # 1.3.1 Ensure AIDE is installed (Automated)
+  - id: 29526
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Run the following commands to initialize AIDE: # aideinit # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1036", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1565", "T1565.001"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide-common -> r:install ok installed"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked (Automated)
+  - id: 29527
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1036", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1565", "T1565.001"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  ############################################################
+  # 1.4 Secure Boot Settings
+  ############################################################
+
+  # 1.4.1 Ensure bootloader password is set (Automated)
+  - id: 29528
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time)."
+    impact: "If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing 'e' or access the GRUB 2 command line by pressing 'c' If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items. More Information: https://help.ubuntu.com/community/Grub2/Passwords."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> PBKDF2 hash of your password is <encrypted-password>. Add the following into a custom /etc/grub.d configuration file: cat <<EOF set superusers="<username>" password_pbkdf2 <username> <encrypted-password> EOF. The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted". Run the following command to update the grub2 configuration: # update-grub.'
+    references:
+      - https://help.ubuntu.com/community/Grub2/Passwords
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1046"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured (Automated)
+  - id: 29529
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod u-wx,go-rwx /boot/grub/grub.cfg."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Access:\s*\(0400/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication required for single user mode (Automated)
+  - id: 29530
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'f:/etc/shadow -> r:^root:\$\w'
+
+  ############################################################
+  # 1.5 Additional Process Hardening
+  ############################################################
+
+  # 1.5.1 Ensure address space layout randomization (ASLR) is enabled (Automated) - Not Implemented
+
+  # 1.5.2 Ensure prelink is not installed (Automated)
+  - id: 29531
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua . Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1055", "T1055.009", "T1065", "T1065.001"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1050"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' prelink -> r:dpkg-query: no packages found matching prelink"
+
+  # 1.5.3 Ensure Automatic Error Reporting is not enabled (Automated)
+  - id: 29532
+    title: "Ensure Automatic Error Reporting is not enabled."
+    description: "The Apport Error Reporting Service automatically generates crash reports for debugging."
+    rationale: "Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material."
+    remediation: "Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -- Run the following command to remove the apport package: # apt purge apport."
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - "c:systemctl is-active apport.service -> r:inactive"
+
+  # 1.5.4 Ensure core dumps are restricted (Automated)
+  - id: 29533
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0. IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0. Run the command: systemctl daemon-reload."
+    compliance:
+      - cis: ["1.5.4"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - "c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0"
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^fs.suid_dumpable = 0'
+      - "c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:^* hard core 0"
+
+  ############################################################
+  # 1.6 Mandatory Access Control
+  ############################################################
+
+  # 1.6.1.1 Ensure AppArmor is installed (Automated)
+  - id: 29534
+    title: "Ensure AppArmor is installed."
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Install AppArmor. # apt install apparmor apparmor-utils."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils -> r:install ok installed"
+
+  # 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration (Automated)
+  - id: 29535
+    title: "Ensure AppArmor is enabled in the bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    rationale: "AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor". Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
+
+  # 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated)
+  - id: 29536
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  # 1.6.1.4 Ensure all AppArmor Profiles are enforcing (Automated)
+  - id: 29537
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    references:
+      - AppArmor Documentation: http://wiki.apparmor.net/index.php/Documentation
+      - Ubuntu AppArmor Documentation: https://help.ubuntu.com/community/AppArmor
+      - SUSE AppArmor Documentation: https://www.suse.com/documentation/apparmor/
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  ############################################################
+  # 1.7 Command Line Warning Banners
+  ############################################################
+
+  # 1.7.1 Ensure message of the day is configured properly (Automated)
+  - id: 29538
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a ." command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.2 Ensure local login warning banner is configured properly (Automated)
+  - id: 29539
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a ." command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly (Automated)
+  - id: 29540
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured (Automated)
+  - id: 29541
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) OR run the following command to remove the /etc/motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured (Automated)
+  - id: 29542
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue)."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured (Automated)
+  - id: 29543
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net)."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ############################################################
+  # 1.8 GNOME Display Manager
+  ############################################################
+
+  # 1.8.1 Ensure GNOME Display Manager is removed (Automated)
+  - id: 29544
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to uninstall gdm3: # apt purge gdm3."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0002"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' gdm3 -> r:unknown ok not-installed|dpkg-query: no packages found matching gdm3"
+
+  # 1.8.2 Ensure GDM login banner is configured (Automated) - Not implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) - Not implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle (Automated) - Not implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) - Not implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) - Not implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden - Not implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled (Automated) - Not implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden (Automated) - Not implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled (Automated)
+  - id: 29545
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm3/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1050"]
+    condition: any
+    rules:
+      - "not f:/etc/gdm3/custom.conf"
+      - 'not f:/etc/gdm3/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed (Automated)
+  - id: 29546
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Run the following command to update all packages following local site policy guidance on applying updates and patches: # apt upgrade OR # apt dist-upgrade."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - pci_dss_3.2.1: ["6.2"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - soc_2: ["CC7.1"]
+    condition: none
+    rules:
+      - "c:apt -s upgrade -> r:^The following packages will be upgraded"
+
+  ############################################################
+  # 2 Services
+  ############################################################
+
+  ############################################################
+  # 2.1 Configure Time Synchronization
+  # 2.1.1 Ensure time synchronization is in use
+  ############################################################
+
+  # 2.1.1.1 Ensure a single time synchronization daemon is in use (Automated) - Not implemented
+
+  ############################################################
+  # 2.1.2 Configure chrony
+  ############################################################
+
+  # 2.1.2.1 Ensure chrony is configured with authorized timeserver (Manual) - Not Implemented
+
+  # 2.1.2.2 Ensure chrony is running as user _chrony (Automated)
+  - id: 29547
+    title: "Ensure chrony is running as user _chrony."
+    description: "The chrony package is installed with a dedicated user account _chrony. This account is granted the access required by the chronyd service."
+    rationale: "The chronyd service should run with only the required privileges."
+    remediation: "Add or edit the user line to /etc/chrony/chrony.conf or a file ending in .conf in /etc/chrony/conf.d/: user _chrony OR If another time synchronization service is in use on the system, run the following command to remove chrony from the system: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - 'c:sh -c "ps -ef | grep chronyd | grep -v grep " -> r:chronyd\s'
+      - 'not c:sh -c "ps -ef |grep chronyd | grep -v grep " -> !r:^_chrony && r:chronyd\s'
+
+  # 2.1.2.3 Ensure chrony is enabled and running (Automated)
+  - id: 29548
+    title: "Ensure chrony is enabled and running."
+    description: "chrony is a daemon for synchronizing the system clock across the network."
+    rationale: "chrony needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF chrony is in use on the system, run the following commands: Run the following command to unmask chrony.service: # systemctl unmask chrony.service. Run the following command to enable and start chrony.service: # systemctl --now enable chrony.service OR If another time synchronization service is in use on the system, run the following command to remove chrony: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled chrony.service -> r:^enabled"
+      - "c:systemctl is-active chrony.service -> r:^active"
+
+  ############################################################
+  # 2.1.3 Configure systemd-timesyncd
+  ############################################################
+
+  # 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver (Manual)
+  - id: 29549
+    title: "Ensure systemd-timesyncd configured with authorized timeserver."
+    description: "- NTP= > A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service(8). systemd-timesyncd will contact all configured system or per-interface servers in turn, until one responds. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. This setting defaults to an empty list. - FallbackNTP= > A space-separated list of NTP server host names or IP addresses to be used as the fallback NTP servers. Any per-interface NTP servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via NTP= above. This setting is hence only relevant if no other NTP server information is known. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. If this option is not given, a compiled-in list of NTP servers is used."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: 'Edit or create a file in /etc/systemd/timesyncd.conf.d ending in .conf and add the NTP= and/or FallbackNTP= lines to the [Time] section: Example: [Time] NTP=time.nist.gov # Uses the generic name for NIST''s time servers -AND/OR- FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov # Space separated list of NIST time servers Note: Servers added to these line(s) should follow local site policy. NIST servers are for example. The timesyncd.conf.d directory may need to be created. Example script: The following example script will create the systemd-timesyncd drop-in configuration snippet: #!/usr/bin/env bash ntp_ts="time.nist.gov" ntp_fb="time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov" disfile="/etc/systemd/timesyncd.conf.d/50-timesyncd.conf" if ! find /etc/systemd -type f -name ''*.conf'' -exec grep -Ph ''^\h*NTP=\H+'' {} +; then [ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d ! grep -Pqs ''^\h*\[Time\]'' "$disfile" && echo "[Time]" >> "$disfile" echo "NTP=$ntp_ts" >> "$disfile" fi if ! find /etc/systemd -type f -name ''*.conf'' -exec grep -Ph ''^\h*FallbackNTP=\H+'' {} +; then [ ! -d /etc/systemd/timesyncd.conf.d ] && mkdir /etc/systemd/timesyncd.conf.d ! grep -Pqs ''^\h*\[Time\]'' "$disfile" && echo "[Time]" >> "$disfile" echo "FallbackNTP=$ntp_fb" >> "$disfile" fi Run the following command to reload the systemd-timesyncd configuration: # systemctl try-reload-or-restart systemd-timesyncd OR If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd.'
+    references:
+      - https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html
+      - https://tf.nist.gov/tf-cgi/servers.cgi
+    compliance:
+      - cis: ["2.1.3.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "d:/etc/systemd"
+      - 'd:/etc/systemd -> r:\.+.conf$'
+      - 'd:/etc/systemd -> r:\.+.conf$ -> r:^\s*\t*NTP=\w|^\s*\t*FallbackNTP=\w'
+
+  # 2.1.3.2 Ensure systemd-timesyncd is enabled and running (Automated)
+  - id: 29550
+    title: "Ensure systemd-timesyncd is enabled and running."
+    description: "systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network."
+    rationale: "systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF systemd-timesyncd is in use on the system, run the following commands: Run the following command to unmask systemd-timesyncd.service: # systemctl unmask systemd-timesyncd.service. Run the following command to enable and start systemd-timesyncd.service: # systemctl --now enable systemd-timesyncd.service OR If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd.service."
+    compliance:
+      - cis: ["2.1.3.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd.service -> r:^enabled"
+      - "c:systemctl is-active systemd-timesyncd.service -> r:^active"
+
+  ############################################################
+  # 2.1.4 Configure ntp
+  ############################################################
+
+  # 2.1.4.1 Ensure ntp access control is configured (Automated)
+  - id: 29551
+    title: "Ensure ntp access control is configured."
+    description: 'ntp Access Control Commands: restrict address [mask mask] [ippeerlimit int] [flag ...]. The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note: the text string default, with no mask option, may be used to indicate the default entry. The ippeerlimit directive limits the number of peer requests for each IP to int, where a value of -1 means "unlimited", the current default. A value of 0 means "none". There would usually be at most 1 peering request per IP, but if the remote peering requests are behind a proxy there could well be more than 1 per IP. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified: - kod - If this flag is set when an access violation occurs, a kiss-of-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped. - limited - Deny service if the packet spacing violates the lower limits specified in the discard command. A history of clients is kept using the monitoring capability of ntpd. Thus, monitoring is always active as long as there is a restriction entry with the limited flag. - lowpriotrap - Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. - noepeer - Deny ephemeral peer requests, even if they come from an authenticated source. Note that the ability to use a symmetric key for authentication may be restricted to one or more IPs or subnets via the third field of the ntp.keys file. This restriction is not enabled by default, to maintain backward compatibility. Expect noepeer to become the default in ntp-4.4. - nomodify - Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted. - noquery - Deny ntpq and ntpdc queries. Time service is not affected. - nopeer - Deny unauthenticated packets which would result in mobilizing a new association. This includes broadcast and symmetric active packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you''ll want a restrict source ... line as well that does not include the nopeer directive. - noserve - Deny all packets except ntpq and ntpdc queries. - notrap - Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq control message protocol which is intended for use by remote event logging programs. - notrust - Deny service unless the packet is cryptographically authenticated. - ntpport - This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list.'
+    rationale: "If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is accurate."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - http://www.ntp.org/
+    compliance:
+      - cis: ["2.1.4.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - "f:/etc/ntp.conf"
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+
+  # 2.1.4.2 Ensure ntp is configured with authorized timeserver (Manual)
+  - id: 29552
+    title: "Ensure ntp is configured with authorized timeserver."
+    description: 'The various modes are determined by the command keyword and the type of the required IP address. Addresses are classed by type as (s) a remote server or peer (IPv4 class A, B and C), (b) the broadcast address of a local interface, (m) a multicast address (IPv4 class D), or (r) a reference clock address (127.127.x.x). Note: That only those options applicable to each command are listed below. Use of options not listed may not be caught as an error, but may result in some weird and even destructive behavior. If the Basic Socket Interface Extensions for IPv6 (RFC-2553) is detected, support for the IPv6 address family is generated in addition to the default support of the IPv4 address family. In a few cases, including the reslist billboard generated by ntpq or ntpdc, IPv6 addresses are automatically generated. IPv6 addresses can be identified by the presence of colons ":" in the address field. IPv6 addresses can be used almost everywhere where IPv4 addresses can be used, with the exception of reference clock addresses, which are always IPv4. Note: In contexts where a host name is expected, a -4 qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a -6 qualifier forces DNS resolution to the IPv6 namespace. See IPv6 references for the equivalent classes for that address family. - pool - For type s addresses, this command mobilizes a persistent client mode association with a number of remote servers. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. - server - For type s and r addresses, this command mobilizes a persistent client mode association with the specified remote server or local radio clock. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. This command should not be used for type b or m addresses.'
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "Edit /etc/ntp.conf and add or edit server or pool lines as appropriate according to local site policy: <[server|pool]> <[remote-server|remote-pool]> Examples: pool mode: pool time.nist.gov iburst. server mode: server time-a-g.nist.gov iburst server 132.163.97.3 iburst server time-d-b.nist.gov iburst Run the following command to load the updated time sources into ntp running config: # systemctl restart ntp OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - http://www.ntp.org/
+      - https://tf.nist.gov/tf-cgi/servers.cgi
+    compliance:
+      - cis: ["2.1.4.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1498", "T1498.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "f:/etc/ntp.conf"
+      - 'f:/etc/ntp.conf -> r:^\s*\t*pool'
+
+  # 2.1.4.3 Ensure ntp is running as user ntp (Automated)
+  - id: 29553
+    title: "Ensure ntp is running as user ntp."
+    description: "The ntp package is installed with a dedicated user account ntp. This account is granted the access required by the ntpd daemon. Note: - If chrony or systemd-timesyncd are used, ntp should be removed and this section skipped. - This recommendation only applies if ntp is in use on the system. - Only one time synchronization method should be in use on the system."
+    rationale: "The ntpd daemon should run with only the required privilege."
+    remediation: "Add or edit the following line in /etc/init.d/ntp: RUNASUSER=ntp. Run the following command to restart ntp.service: # systemctl restart ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - http://www.ntp.org/
+    compliance:
+      - cis: ["2.1.4.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - 'f:/etc/init.d/ntp -> r:^\s*\t*RUNASUSER\s*\t*=\s*\t*ntp$'
+      - 'c:sh -c "ps -ef | grep ntpd | grep -v grep " -> r:ntpd\s'
+      - 'not c:sh -c "ps -ef |grep ntpd | grep -v grep " -> !r:^ntp && r:ntpd\s'
+
+  # 2.1.4.4 Ensure ntp is enabled and running (Automated)
+  - id: 29554
+    title: "Ensure ntp is enabled and running."
+    description: "ntp is a daemon for synchronizing the system clock across the network."
+    rationale: "ntp needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF ntp is in use on the system, run the following commands: Run the following command to unmask ntp.service: # systemctl unmask ntp.service Run the following command to enable and start ntp.service: # systemctl --now enable ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp: # apt purge ntp."
+    compliance:
+      - cis: ["2.1.4.4"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ntp.service -> r:^enabled"
+      - "c:systemctl is-active ntp.service -> r:^active"
+
+  ############################################################
+  # 2.2 Special Purpose Services
+  ############################################################
+
+  # 2.2.1 Ensure X Window System is not installed (Automated)
+  - id: 29555
+    title: "Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime, if provided by your distribution.'
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' xserver-xorg -> r:unknown ok not-installed|dpkg-query: no packages found matching xserver-xorg"
+
+  # 2.2.2 Ensure Avahi Server is not installed (Automated)
+  - id: 29556
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to remove avahi-daemon: # systemctl stop avahi-daaemon.service # systemctl stop avahi-daemon.socket # apt purge avahi-daemon."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' avahi-daemon -> r:unknown ok not-installed|dpkg-query: no packages found matching avahi-daemon"
+
+  # 2.2.3 Ensure CUPS is not installed (Automated)
+  - id: 29557
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface."
+    impact: "Removing CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run one of the following commands to remove cups: # apt purge cups."
+    references:
+      - http://www.cups.org
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' cups -> r:unknown ok not-installed|dpkg-query: no packages found matching cups"
+
+  # 2.2.4 Ensure DHCP Server is not installed (Automated)
+  - id: 29558
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove isc-dhcp-server: # apt purge isc-dhcp-server."
+    references:
+      - http://www.isc.org/software/dhcp
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' isc-dhcp-server -> r:unknown ok not-installed|dpkg-query: no packages found matching isc-dhcp-server"
+
+  # 2.2.5 Ensure LDAP server is not installed (Automated)
+  - id: 29559
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove slapd: # apt purge slapd."
+    references:
+      - http://www.openldap.org
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' slapd -> r:unknown ok not-installed|dpkg-query: no packages found matching slapd"
+
+  # 2.2.6 Ensure NFS is not installed (Automated)
+  - id: 29560
+    title: "Ensure NFS is not installed."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares, it is recommended that the nfs-kernel-server package be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove nfs: # apt purge nfs-kernel-server."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nfs-kernel-server -> r:unknown ok not-installed|dpkg-query: no packages found matching nfs-kernel-server"
+
+  # 2.2.7 Ensure DNS Server is not installed (Automated)
+  - id: 29561
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable DNS server: # apt purge bind9."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' bind9 -> r:unknown ok not-installed|dpkg-query: no packages found matching bind9"
+
+  # 2.2.8 Ensure FTP Server is not installed (Automated)
+  - id: 29562
+    title: "Ensure FTP Server is not installed."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # apt purge vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' vsftpd -> r:unknown ok not-installed|dpkg-query: no packages found matching vsftpd"
+
+  # 2.2.9 Ensure HTTP server is not installed (Automated)
+  - id: 29563
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove apache: # apt purge apache2."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apache2 -> r:unknown ok not-installed|dpkg-query: no packages found matching apache2"
+
+  # 2.2.10 Ensure IMAP and POP3 server are not installed(Automated)
+  - id: 29564
+    title: "Ensure IMAP and POP3 server are not installed."
+    description: "dovecot-imapd and dovecot-pop3d are an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove dovecot-imapd and dovecot-pop3d: # apt purge dovecot-imapd dovecot-pop3d."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-imapd -> r:unknown ok not-installed|dpkg-query: no packages found matching dovecot-imapd"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-pop3d -> r:unknown ok not-installed|dpkg-query: no packages found matching dovecot-pop3d"
+
+  # 2.2.11 Ensure Samba is not installed (Automated)
+  - id: 29565
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # apt purge samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' samba -> r:unknown ok not-installed|dpkg-query: no packages found matching samba"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed (Automated)
+  - id: 29566
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove squid: # apt purge squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' squid -> r:unknown ok not-installed|dpkg-query: no packages found matching squid"
+
+  # 2.2.13 Ensure SNMP Server is not installed (Automated)
+  - id: 29567
+    title: "Ensure SNMP Server is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. - If SNMP v2 is absolutely necessary, modify the community strings' values."
+    remediation: "Run the following command to remove snmp: # apt purge snmp."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' snmp -> r:unknown ok not-installed|dpkg-query: no packages found matching snmp"
+
+  # 2.2.14 Ensure NIS Server is not installed (Automated)
+  - id: 29568
+    title: "Ensure NIS Server is not installed."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed and other, more secure services be used."
+    remediation: "Run the following command to remove nis: # apt purge nis."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:unknown ok not-installed|dpkg-query: no packages found matching nis"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode (Automated)
+  - id: 29569
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: This recommendation is designed around the postfix mail server. Depending on your environment you may have an alternative MTA installed such as exim4. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only. Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25 && r:\.*LISTEN && !r:127.0.0.1:25|[::1]:25'
+
+  # 2.2.16 Ensure rsync service is either not installed or masked (Automated)
+  - id: 29570
+    title: "Ensure rsync service is either not installed or masked."
+    description: "The rsync service can be used to synchronize files between systems over network links."
+    rationale: "The rsync service presents a security risk as it uses unencrypted protocols for communication. The rsync package should be removed to reduce the attack area of the system."
+    remediation: "Run the following command to remove rsync: # apt purge rsync OR Run the following commands to stop and mask rsync: # systemctl stop rsync # systemctl mask rsync."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsync -> r:unknown ok not-installed|dpkg-query: no packages found matching rsync"
+      - "c:systemctl is-active rsync -> r:^inactive"
+      - "c:systemctl is-enabled rsync -> r:^masked"
+
+  ############################################################
+  # 2.3 Service Clients
+  ############################################################
+  # 2.3.1 Ensure NIS Client is not installed (Automated)
+  - id: 29571
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall nis: # apt purge nis."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:unknown ok not-installed|dpkg-query: no packages found matching nis"
+
+  # 2.3.2 Ensure rsh client is not installed (Automated)
+  - id: 29572
+    title: "Ensure rsh client is not installed."
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall rsh: # apt purge rsh-client."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1041", "M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsh-client -> r:unknown ok not-installed|dpkg-query: no packages found matching rsh-client"
+
+  # 2.3.3 Ensure talk client is not installed (Automated)
+  - id: 29573
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall talk: # apt purge talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_mitigations: ["M1041", "M1042"]
+    condition: all
+    rules:
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' talk -> r:install ok installed|dpkg-query: no packages found matching talk"
+
+  # 2.3.4 Ensure telnet client is not installed (Automated)
+  - id: 29574
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall telnet: # apt purge telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_mitigations: ["M1041", "M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' telnet -> r:unknown ok not-installed|dpkg-query: no packages found matching telnet"
+
+  # 2.3.5 Ensure LDAP client is not installed (Automated)
+  - id: 29575
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Uninstall ldap-utils: # apt purge ldap-utils."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ldap-utils -> r:unknown ok not-installed|dpkg-query: no packages found matching ldap-utils"
+
+  # 2.3.6 Ensure RPC is not installed (Automated)
+  - id: 29576
+    title: "Ensure RPC is not installed."
+    description: "Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. It requires an RPC compliant client listening on a network port. The supporting package is rpcbind."
+    rationale: "If RPC is not required, it is recommended that this services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove rpcbind: # apt purge rpcbind."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rpcbind -> r:unknown ok not-installed|dpkg-query: no packages found matching rpcbind"
+
+  # 2.4 Ensure nonessential services are removed or masked (Manual) - Not Implemented
+
+  ############################################################
+  # 3 Network Configuration
+  ############################################################
+
+  ############################################################
+  # 3.1 Disable unused network protocols and devices
+  ############################################################
+
+  # 3.1.1 Ensure system is checked to determine if IPv6 is enabled (Manual) - Not Implemented
+  # 3.1.2 Ensure wireless interfaces are disabled (Automated) - Not Implemented
+  # 3.1.3 Ensure DCCP is disabled (Automated) - Not Implemented
+  # 3.1.4 Ensure SCTP is disabled (Automated) - Not Implemented
+  # 3.1.5 Ensure RDS is disabled (Automated) - Not Implemented
+  # 3.1.6 Ensure TIPC is disabled (Automated) - Not Implemented
+
+  ############################################################
+  # 3.2 Network Parameters (Host Only)
+  ############################################################
+
+  # 3.2.1 Ensure packet redirect sending is disabled (Automated) - Not Implemented
+  # 3.2.2 Ensure IP forwarding is disabled (Automated) - Not Implemented
+  # 3.3.1 Ensure source routed packets are not accepted (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) - Not Implemented
+
+  ############################################################
+  # 3.5 Firewall Configuration
+  ############################################################
+
+  ############################################################
+  # 3.5.1 Configure UncomplicatedFirewall
+  ############################################################
+
+  # 3.5.1.1.Ensure ufw is installed (Automated)
+  - id: 29577
+    title: "Ensure ufw is installed."
+    description: "The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. UFW is dependent on the iptables package."
+    remediation: "Run the following command to install Uncomplicated Firewall (UFW): # apt install ufw."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:install ok installed"
+
+  # 3.5.1.2 Ensure iptables-persistent is not installed with ufw (Automated)
+  - id: 29578
+    title: "Ensure iptables-persistent is not installed with ufw."
+    description: "The iptables-persistent is a boot-time loader for netfilter rules, iptables plugin."
+    rationale: "Running both ufw and the services included in the iptables-persistent package may lead to conflict."
+    remediation: "Run the following command to remove the iptables-persistent package: # apt purge iptables-persistent."
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' iptables-persistent -> r:unknown ok not-installed|dpkg-query: no packages found matching iptables-persistent"
+
+  # 3.5.1.3 Ensure ufw service is enabled (Automated)
+  - id: 29579
+    title: "Ensure ufw service is enabled."
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Notes: - When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall. - Run the following command before running ufw enable. # ufw allow proto tcp from any to any port 22. - The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy). - By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using ufw --force enable."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask the ufw daemon: # systemctl unmask ufw.service. Run the following command to enable and start the ufw daemon: # systemctl --now enable ufw.service active Run the following command to enable ufw: # ufw enable."
+    referencces:
+      - http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ufw.service -> r:^enabled"
+      - "c:systemctl is-active ufw -> r:^active"
+      - 'c:ufw status -> r:\sactive'
+
+  # 3.5.1.4 Ensure ufw loopback traffic is configured (Automated)
+  - id: 29580
+    title: "Ensure ufw loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1."
+    compliance:
+      - cis: ["3.5.1.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:Anywhere on lo\s*\t*ALLOW IN\s*\t*Anywhere'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*DENY IN\s*\t*127.0.0.0/8'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\) on lo\s*\t*ALLOW IN\s*\t*Anywhere \(v6\)'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*DENY IN\s*\t*::1'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*ALLOW OUT\s*\t*Anywhere on lo'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*ALLOW OUT\s*\t*Anywhere \(v6\) on lo'
+      - "c:systemctl is-enabled ufw.service -> r:^enabled"
+
+  # 3.5.1.5 Ensure ufw outbound connections are configured (Manual) - Not Implemented
+  # 3.5.1.6 Ensure ufw firewall rules exist for all open ports (Automated) - Not Implemented
+
+  # 3.5.1.7 Ensure ufw default deny firewall policy (Automated)
+  - id: 29581
+    title: "Ensure ufw default deny firewall policy."
+    description: "A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    impact: "Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny. ufw allow git, ufw allow in http, ufw allow out http <- required for apt to connect to repository, ufw allow in https, ufw allow out https, ufw allow out 53, ufw logging on."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed."
+    compliance:
+      - cis: ["3.5.1.7"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:^Default && r:deny\s+\(incoming\)|reject\s+\(incoming\)|disabled\s+\(incoming\) && r:deny\s+\(outgoing\)|reject\s+\(outgoing\)|disabled\s+\(outgoing\) && r:deny\s+\(routed\)|reject\s+\(routed\)|disabled\s+\(routed\)'
+      - "c:systemctl is-enabled ufw.service -> r:^enabled"
+      - 'c:ufw status -> r:\sactive'
+
+  ############################################################
+  # 3.5.2 Configure nftables
+  ############################################################
+
+  # 3.5.2.1 Ensure nftables is installed (Automated)
+  - id: 29582
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured. - Changing firewall settings while connected over the network can result in being locked out of the system."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install nftables: # apt install nftables."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nftables -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:unknown ok not-installed|dpkg-query: no packages found matching ufw|deinstall ok config-files"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' iptables -> r:unknown ok not-installed|dpkg-query: no packages found matching iptables|deinstall ok config-files"
+
+  # 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables (Automated)
+  - id: 29583
+    title: "Ensure ufw is uninstalled or disabled with nftables."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use."
+    rationale: "Running both the nftables service and ufw may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or disable ufw. Run the following command to remove ufw: # apt purge ufw. Run the following command to disable ufw: # ufw disable."
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nftables -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:unknown ok not-installed|dpkg-query: no packages found matching ufw|deinstall ok config-files"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' iptables -> r:unknown ok not-installed|dpkg-query: no packages found matching iptables|deinstall ok config-files"
+
+  # 3.5.2.3 Ensure iptables are flushed with nftables (Manual) - Not Implemented
+  - id: 29584
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.5.2.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nftables -> r:install ok installed"
+      - 'not c:sh -c "iptables -L | grep -Evi ''^chain|^target''" -> r:^\w+'
+      - 'not c:sh -c "ip6tables -L | grep -Evi ''^chain|^target''" -> r:^\w+'
+
+  # 3.5.2.4 Ensure a nftables table exists (Automated)
+  - id: 29585
+    title: "Ensure a nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables: # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:^table\s'
+
+  # 3.5.2.5 Ensure nftables base chains exist (Automated)
+  - id: 29586
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; }. Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.5.2.6 Ensure nftables loopback traffic is configured (Automated)
+  - id: 29587
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop. IF IPv6 is enabled on the system: Run the following command to implement the IPv6 loopback rule: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.5.2.6"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:iif "lo" accept'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip saddr 127.0.0.0/8'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip6 saddr ::1'
+
+  # 3.5.2.7 Ensure nftables outbound and established connections are configured (Manual) - Not Implemented"
+
+  # 3.5.2.8 Ensure nftables default deny firewall policy (Automated)
+  - id: 29588
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; }. Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.5.2.8"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "not c:nft list ruleset -> r:hook input && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook forward && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook output && !r:policy drop"
+
+  # 3.5.2.9 Ensure nftables service is enabled (Automated)
+  - id: 29589
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.5.2.9"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.5.2.10 Ensure nftables rules are permanent (Automated) - Not implemented
+
+  ############################################################
+  # 3.5.3 Configure iptables
+  ############################################################
+
+  ############################################################
+  # 3.5.3.1 Configure iptables software
+  ############################################################
+
+  # 3.5.3.1.1 Ensure iptables packages are installed (Automated)
+  - id: 29590
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-persistent # apt install iptables iptables-persistent."
+    compliance:
+      - cis: ["3.5.3.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:apt list iptables -> r:installed"
+      - "c:apt list iptables-persistent -> r:installed"
+
+  # 3.5.3.1.2 Ensure nftables is not installed with iptables (Automated)
+  - id: 29591
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # apt purge nftables."
+    compliance:
+      - cis: ["3.5.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+    condition: all
+    rules:
+      - "c:apt list iptables -> r:installed"
+      - "c:apt list iptables-persistent -> r:installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nftables -> r:unknown ok not-installed|dpkg-query: no packages found matching nftables|deinstall ok config-files"
+
+  # 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables (Automated)
+  - id: 29592
+    title: "Ensure ufw is uninstalled or disabled with iptables."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. - Uses a command-line interface consisting of a small number of simple commands. - Uses iptables for configuration."
+    rationale: "Running iptables.persistent with ufw enabled may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or stop and mask ufw Run the following command to remove ufw: # apt purge ufw OR Run the following commands to disable ufw: # ufw disable # systemctl stop ufw # systemctl mask ufw."
+    compliance:
+      - cis: ["3.5.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:unknown ok not-installed|dpkg-query: no packages found matching ufw|deinstall ok config-files"
+      - "c:ufw status -> r:inactive"
+      - "c:systemctl is-enabled ufw -> r:masked"
+
+  ############################################################
+  # 3.5.3.2 Configure IPv4 iptables
+  ############################################################
+
+  # 3.5.3.2.1 Ensure iptables default deny firewall policy (Automated)
+  - id: 29593
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Notes: - Changing firewall settings while connected over network can result in being locked out of the system. - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)|Chain INPUT \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)|Chain FORWARD \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.5.3.2.2 Ensure iptables loopback traffic is configured (Automated)
+  - id: 29594
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Notes: - Changing firewall settings while connected over network can result in being locked out of the system. - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.5.3.2.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.5.3.2.3 Ensure iptables outbound and established connections are configured (Manual) - Not Implemented
+  # 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports (Automated) - Not Implemented
+
+  ############################################################
+  # 3.5.3.3 Configure IPv6 ip6tables
+  ############################################################
+
+  # 3.5.3.3.1 Ensure ip6tables default deny firewall policy (Automated)
+  - id: 29595
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system. - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.3.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.5.3.3.2 Ensure ip6tables loopback traffic is configured (Automated)
+  - id: 29596
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Note: - Changing firewall settings while connected over network can result in being locked out of the system. - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.5.3.3.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured (Manual)
+  # 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports (Automated) - Not Implemented
+
+  ############################################################
+  # 4 Logging and Auditing
+  ############################################################
+
+  ############################################################
+  # 4.1 Configure System Accounting (auditd)
+  # 4.1.1 Ensure auditing is enabled
+  ############################################################
+
+  # 4.1.1.1 Ensure auditd is installed (Automated)
+  - id: 29597
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd: # apt install auditd audispd-plugins."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' auditd -> r:install ok installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' audispd-plugins -> r:install ok installed"
+
+  # 4.1.1.2 Ensure auditd service is enabled and active (Automated)
+  - id: 29598
+    title: "Ensure auditd service is enabled and active."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable and start auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+      - "c:systemctl is-active auditd -> r:^active"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated)
+  - id: 29599
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX="audit=1". Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit=(\d+) compare == 1'
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient (Automated)
+  - id: 29600
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "In the kernel-level audit subsystem, a socket buffer queue is used to hold audit events. Whenever a new audit event is received, it is logged and prepared to be added to this queue. The kernel boot parameter audit_backlog_limit=N, with N representing the amount of messages, will ensure that a queue cannot grow beyond a certain size. If an audit event is logged which would grow the queue beyond this limit, then a failure occurs and is handled according to the system configuration."
+    rationale: "If an audit event is logged which would grow the queue beyond the audit_backlog_limit, then a failure occurs, auditd records will be lost, and potential malicious activity could go undetected."
+    remediation: 'Edit /etc/default/grub and add audit_backlog_limit=N to GRUB_CMDLINE_LINUX. The recommended size for N is 8192 or larger. Example: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192". Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit_backlog_limit=(\d+) compare >= 8192'
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured (Automated)
+  - id: 29601
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted (Automated)
+  - id: 29602
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full (Automated)
+  - id: 29603
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing. - Syslog, the audit daemon will issue a warning to syslog. - Suspend, the audit daemon will stop writing records to the disk. - single, the audit daemon will put the computer system in single user mode. - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt|^\s*\t*admin_space_left_action\s*\t*=\s*\t*single'
+
+  ############################################################
+  # 4.1.3 Configure auditd rules
+  ############################################################
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected (Automated)
+  - id: 29604
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf " -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope " >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n";fi.'
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=scope'
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=scope"
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=scope"
+
+  # 4.1.3.2 Ensure actions as another user are always logged (Automated)
+  - id: 29605
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. - 64 Bit systems Example: # printf " -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation " >> /etc/audit/rules.d/50-user_emulation.rules - Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected (Automated)
+  - id: 29606
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex: tune kernel clock. - settimeofday: set time using timeval and timezone structures. - stime: using seconds since 1/1/1970. - clock_settime: allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. - 64 Bit systems Example: # printf " -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change " >> /etc/audit/rules.d/50-time-change.rules - Load audit rules: Merge and load the rules into active configuration: # augenrules --load .Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change.'
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected (Automated)
+  - id: 29607
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname: set the systems host name. - setdomainname: set the systems domain name. The files being monitored are: > /etc/issue and /etc/issue.net - messages displayed pre-login. > /etc/hosts - file containing host names and associated IP addresses. > /etc/networks - symbolic names for networks. > /etc/network/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system''s network environment. - 64 Bit systems: Example: # printf " -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale " >> /etc/audit/rules.d/50-system_local.rules - Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network/|/etc/network/\s && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/network/|/etc/network/\\s && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected (Automated) - Not Implemented
+
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected (Automated)
+  - id: 29608
+    title: "Ensure unsuccessful file access attempts are collected."
+    description: "Monitor for unsuccessful attempts to access files. The following parameters are associated with system calls that control files: - creation - creat. - opening - open, openat. - truncation - truncate, ftruncate. An audit log record will only be written if all of the following criteria is met for the user when trying to access a file: - a non-privileged user (auid>=UID_MIN). - is not a Daemon event (auid=4294967295/unset/-1). - if the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)."
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts. 64 Bit systems Example: #{ UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access " >> /etc/audit/rules.d/50-access.rules || printf "ERROR: Variable ''UID_MIN'' is unset.\n" } Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi. 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.7"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected (Automated)
+  - id: 29609
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group: system groups. - /etc/passwd: system users. - /etc/gshadow: encrypted password for each group. - /etc/shadow: system user passwords. - /etc/security/opasswd: storage of old passwords if the relevant PAM module is in use. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf " -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity " >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected (Automated) - Not Implemented
+  - id: 29610
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files: chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr. In all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. All audit records will be tagged with the identifier "perm_mod".'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events. 64 Bit systems: Example: #{ UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod " >> /etc/audit/rules.d/50-perm_mod.rules || printf "ERROR: Variable ''UID_MIN'' is unset.\n" } Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi. 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.9"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b32 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+
+  # 4.1.3.10 Ensure successful file system mounts are collected (Automated)
+  - id: 29611
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. - 64 Bit systems Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F arch=b32 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts " >> /etc/audit/rules.d/50-mounts.rules || printf "ERROR: Variable ''UID_MIN'' is unset.\n"} - Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["CM-6"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0010"]
+      - mitre_mitigations: ["M1034"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected (Automated)
+  - id: 29612
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp: tracks all currently logged in users. - /var/log/wtmp: file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp: keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf " -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session " >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0001"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected (Automated)
+  - id: 29613
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog: maintain records of the last time a user successfully logged in. - /var/run/faillock: directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf " -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins " >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.9.4.2", "A.8.1.3"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0001"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected (Automated)
+  - id: 29614
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink: remove a file. - unlinkat: remove a file attribute. - rename: rename a file. - renameat: rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. - 64 Bit systems: Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete " >> /etc/audit/rules.d/50-delete.rules || printf "ERROR: Variable ''UID_MIN'' is unset.\n" } - Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+  - id: 29615
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor AppArmor, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor/ and /etc/apparmor.d/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/apparmor/ and /etc/apparmor.d/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the systems Mandatory Access Controls. Example: # printf " -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy " >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor/|/etc/apparmor\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d/|/etc/apparmor.d\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'c:auditctl -l -> r:^-w && r:/etc/apparmor/|/etc/apparmor\\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'c:auditctl -l -> r:^-w && r:/etc/apparmor.d/|/etc/apparmor.d\\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)
+  - id: 29616
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "The chcon command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. - 64 Bit systems: Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR:Variable ''UID_MIN'' is unset.\n" } - Load audit rules: Merge and load the rules into active configuration: # augenrules --load .Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated)
+  - id: 29617
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "This utility sets Access Control Lists (ACLs) of files and directories. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. - 64 Bit systems Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR:Variable ''UID_MIN'' is unset.\n" } Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated)
+  - id: 29618
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command. chacl is an IRIX-compatibility command, and is maintained for those users who are familiar with its use from either XFS or IRIX."
+    rationale: "chacl changes the ACL(s) for a file or directory. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. - 64 Bit systems: Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng " >> /etc/audit/rules.d/50-perm_chng.rules || printf "ERROR:Variable ''UID_MIN'' is unset.\n" } Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated)
+  - id: 29619
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "The usermod command modifies the system account files to reflect the changes that are specified on the command line. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: 'Create audit rules: Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. - 64 Bit systems Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod " >> /etc/audit/rules.d/50-usermod.rules || printf "ERROR:Variable ''UID_MIN'' is unset.\n" } Load audit rules: Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi - 32 Bit systems: Follow the same procedures as for 64 bit systems and ignore any entries with b64.'
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected (Automated)
+  - id: 29620
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module. - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided). - delete_module - delete a module. - create_module - create a loadable module entry. - query_module - query the kernel for various bits pertaining to modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: 'Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk ''/^\s*UID_MIN/{print $2}'' /etc/login.defs) [ -n "${UID_MIN}" ] && printf " -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules " >> /etc/audit/rules.d/50-kernel_modules.rules || printf "ERROR: Variable ''UID_MIN'' is unset.\n" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable (Automated)
+  - id: 29621
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: 'Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- "-e 2" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1", "9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sh -c "grep -iEh ''^\s*\t*-e 2\s*$'' /etc/audit/rules.d/*.rules | tail -1" -> r:^\s*\t*-e 2\s*$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same (Manual)
+  - id: 29622
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:/usr/sbin/augenrules && r:No change"
+
+  ############################################################
+  # 4.1.4 Configure auditd file access
+  ############################################################
+
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive (Automated) - Not Implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files (Automated) - Not Implemented
+
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files (Automated)
+  - id: 29623
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*log_group\s*\t*=\s*\t*adm|^\s*\t*log_group\s*\t*=\s*\t*root'
+      - 'c:sh -c "DIR_NAME=$(awk -F\"=\" ''/^\s*\t*log_file\s*\t*/ {print $2}'' /etc/audit/auditd.conf); stat -c \"%G\" $DIR_NAME" -> r:adm|root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive (Automated) - Not implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive (Automated)
+  - id: 29624
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %#a\" /etc/audit/*.rules" -> r:^/etc/audit && !r:640|600|400'
+      - 'not c:sh -c "stat -Lc \"%n %#a\" /etc/audit/*.conf" -> r:^/etc/audit && !r:640|600|400'
+      - 'not c:sh -c "stat -Lc \"%n %u %U %g %G\" /etc/audit/*.rules" -> r:^/etc/audit && !r:\s*0 root 0 root'
+      - 'not c:sh -c "stat -Lc \"%n %u %U %g %G\" /etc/audit/*.conf" -> r:^/etc/audit && !r:\s*0 root 0 root'
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root (Automated)
+  - id: 29625
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root (Automated)
+  - id: 29626
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive (Automated)
+  - id: 29627
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.9 Ensure audit tools are owned by root (Automated)
+  - id: 29628
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.10 Ensure audit tools belong to group root (Automated)
+  - id: 29629
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) - Not Implemented
+
+  ############################################################
+  # 4.2 Configure Logging
+  ############################################################
+
+  ############################################################
+  # 4.2.1 Configure journald
+  ############################################################
+  # 4.2.1.1 Ensure journald is configured to send logs to a remote log host
+
+  # 4.2.1.1.1 Ensure systemd-journal-remote is installed (Automated)
+  - id: 29630
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # apt install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.1.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' systemd-journal-remote -> r:install ok installed"
+
+  # 4.2.1.1.2 Ensure systemd-journal-remote is configured (Manual) - Not Implemented
+
+  # 4.2.1.1.3 Ensure systemd-journal-remote is enabled (Manual)
+  - id: 29631
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled systemd-journal-upload.service -> r:^\s*\t*enabled$'
+
+  # 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client (Automated)
+  - id: 29632
+    title: "Ensure journald is not configured to recieve logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal-remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now disable systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.1.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5", "10.2", "10.3"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:disabled"
+
+  # 4.2.1.2 Ensure journald service is enabled (Automated)
+  - id: 29633
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:static"
+
+  # 4.2.1.3 Ensure journald is configured to compress large log files (Automated)
+  - id: 29634
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["A1.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.002"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*\t*=\s*\t*yes'
+
+  # 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk (Automated)
+  - id: 29635
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*\t*=\s*\t*persistent'
+
+  # 4.2.1.5 Ensure journald is not configured to send logs to rsyslog (Manual)
+  - id: 29636
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3"]
+      - nist_sp_800-53: ["AU-7", "AU-6(3)"]
+      - soc_2: ["PL1.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*\t*=\s*\t*yes'
+
+  # 4.2.1.6 Ensure journald log rotation is configured per site policy (Manual) - Not Implemented
+  # 4.2.1.7 Ensure journald default file permissions configured (Manual) - Not Implemented
+
+  ############################################################
+  # 4.2.2 Configure rsyslog
+  ############################################################
+
+  # 4.2.2.1 Ensure rsyslog is installed (Automated)
+  - id: 29637
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # apt install rsyslog."
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsyslog -> r:install ok installed"
+
+  # 4.2.2.2 Ensure rsyslog service is enabled (Automated)
+  - id: 29638
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:enabled"
+
+  # 4.2.2.3 Ensure journald is configured to send logs to rsyslog (Manual)
+  - id: 29639
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3"]
+      - nist_sp_800-53: ["AU-7", "AU-6(3)"]
+      - soc_2: ["PL1.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*\t*=\s*\t*yes'
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*\t*=\s*\t*no'
+
+  # 4.2.2.4 Ensure rsyslog default file permissions are configured (Automated)
+  - id: 29640
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2", "AU.L2-3.3.1"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3", "10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5", "A.12.4.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode && !r:0640|0600|0400'
+      - 'not d:/etc/rsyslog.d/ -> r:\.+.conf -> r:^\s*\t*\$FileCreateMode && !r:0640|0600|0400'
+
+  # 4.2.2.5 Ensure logging is configured (Manual) - Not Implemented
+  # 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host (Manual) - Not Implemented
+
+  # 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+  - id: 29641
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.2.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*module\(load="imtcp"\)|^\s*\t*input\(type="imtcp" port="514"\)|^\s*\t*\$InputTCPServerRun'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*module\(load="imtcp"\)|^\s*\t*input\(type="imtcp" port="514"\)|^\s*\t*\$InputTCPServerRun'
+
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership (Automated) - Not Implemented
+
+  ############################################################
+  # 5 Access, Authentication and Authorization
+  ############################################################
+
+  ############################################################
+  # 5.1 Configure time-based job schedulers
+  ############################################################
+
+  # 5.1.1 Ensure cron daemon is enabled and running (Automated)
+  - id: 29642
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable and start cron: # systemctl --now enable cron."
+    compliance:
+      - cis: ["5.1.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> r:enabled"
+      - 'c:systemctl status cron -> r:Active: active \(running\)'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Automated)
+  - id: 29643
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Automated)
+  - id: 29644
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Automated)
+  - id: 29645
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.daily directory: # chown root:root /etc/cron.daily/ # chmod og-rwx /etc/cron.daily/."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Automated)
+  - id: 29646
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.weekly directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Automated)
+  - id: 29647
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.monthly directory: # chown root:root /etc/cron.monthly/ # chmod og-rwx /etc/cron.monthly/."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Automated)
+  - id: 29648
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.d directory: # chown root:root /etc/cron.d/ # chmod og-rwx /etc/cron.d/."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users (Automated)
+  - id: 29649
+    title: "Ensure cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Notes: - Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy. - Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. - The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny: # rm /etc/cron.deny Run the following command to create /etc/cron.allow # touch /etc/cron.allow Run the following commands to set permissions and ownership for /etc/cron.allow: # chmod g-wx,o-rwx /etc/cron.allow # chown root:root /etc/cron.allow."
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat -Lc "%n %#a %u %U %g %G" /etc/cron.allow -> r:/etc/cron.allow 0640 0 root 0 root'
+
+  # 5.1.9 Ensure at is restricted to authorized users (Automated)
+  - id: 29650
+    title: "Ensure at is restricted to authorized users."
+    description: "Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/at.deny: # rm /etc/at.deny Run the following command to create /etc/at.allow # touch /etc/at.allow Run the following commands to set permissions and ownership for /etc/at.allow: # chmod g-wx,o-rwx /etc/at.allow # chown root:root /etc/at.allow."
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat -Lc "%n %#a %u %U %g %G" /etc/at.allow -> r:/etc/at.allow 0640 0 root 0 root'
+
+  ############################################################
+  # 5.2 Configure SSH Server
+  ############################################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+  - id: 29651
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured (Automated) - Not implemented
+
+  # 5.2.4 Ensure SSH access is limited (Automated)
+  - id: 29652
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: > The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: > The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: > The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: > The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*AllowUsers\s+\w+|^\s*\t*AllowGroups\s+\w+|^\s*\t*DenyUsers\s+\w+|^\s*\t*DenyGroups\s+\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate (Automated)
+  - id: 29653
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^LogLevel\s+INFO|^LogLevel\s+VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s*\t* && !r:INFO|VERBOSE'
+
+  # 5.2.6 Ensure SSH PAM is enabled (Automated)
+  - id: 29654
+    title: "Ensure SSH PAM is enabled."
+    description: "The UsePAM directive enables the Pluggable Authentication Module (PAM) interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication directives in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*usepam\s*\t*no'
+
+  # 5.2.7 Ensure SSH root login is disabled (Automated)
+  - id: 29655
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using SSH. The default is prohibit-password."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitRootLogin\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\s*\t*yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled (Automated)
+  - id: 29656
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^HostbasedAuthentication\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\s*\t*yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Automated)
+  - id: 29657
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitEmptyPasswords\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\s*\t*yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Automated)
+  - id: 29658
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the SSH daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has SSH executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitUserEnvironment\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*PermitUserEnvironment\s*\t*yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled (Automated)
+  - id: 29659
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^IgnoreRhosts\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\s*\t*no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled (Automated)
+  - id: 29660
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^X11Forwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*X11Forwarding\s*\t*yes'
+
+  # 5.2.13 Ensure only strong Ciphers are used (Automated)
+  - id: 29661
+    title: "Ensure only strong Ciphers are used."
+    description: 'This variable limits the ciphers that SSH can use during communication. Note: - Some organizations may have stricter requirements for approved ciphers. - Ensure that ciphers used are in compliance with site policy. - The only "strong" ciphers currently FIPS 140-2 compliant are: aes256-ctr, aes192-ctr, aes128-ctr. - Supported ciphers in openSSH 8.2: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com.'
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack. - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors.'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers. Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr."
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2016-2183
+      - https://www.openssh.com/txt/cbc.adv
+      - https://nvd.nist.gov/vuln/detail/CVE-2008-5161
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc"
+
+  # 5.2.14 Ensure only strong MAC algorithms are used (Automated)
+  - id: 29662
+    title: "Ensure only strong MAC algorithms are used."
+    description: 'This variable limits the types of MAC algorithms that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved MACs. - Ensure that MACs used are in compliance with site policy. - The only "strong" MACs currently FIPS 140-2 approved are: hmac-sha2-256, hmac-sha2-512. - The Supported MACs are: hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, umac-64@openssh.co, umac-128@openssh.com, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-sha2-256-etm@openss.com, hmac-sha2-512-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com.'
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs.Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256."
+    references:
+      - More information on SSH downgrade attacks can be found here: http://www.mitls.org/pages/attacks/SLOTH
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4", "16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used (Automated)
+  - id: 29663
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received. Notes: - Kex algorithms have a higher preference the earlier they appear in the list. - Some organizations may have stricter requirements for approved Key exchange algorithms. - Ensure that Key exchange algorithms used are in compliance with site policy. - The only Key Exchange Algorithms currently FIPS 140-2 approved are: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256. - The Key Exchange algorithms supported by OpenSSH 8.2 are: curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sntrup4591761x25519-sha512@tinyssh.org."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.2.16 Ensure SSH AllowTcpForwarding is disabled (Automated)
+  - id: 29664
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and backdoors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments. In some environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - https://www.ssh.com/ssh/tunneling/example
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*\t*AllowTcpForwarding\s*\t*yes'
+
+  # 5.2.17 Ensure SSH warning banner is configured (Automated)
+  - id: 29665
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^banner\s/'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*banner\s*\t*/'
+
+  # 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+  - id: 29666
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare > 4'
+
+  # 5.2.19 Ensure SSH MaxStartups is configured (Automated)
+  - id: 29667
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxStartups 10:30:60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -> n:^maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -> n:^maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*(\d+):\d+:\d+ compare > 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*\d+:(\d+):\d+ compare > 30'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*\d+:\d+:(\d+) compare > 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*maxstartups\s*\t*\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.20 Ensure SSH MaxSessions is set to 10 or less (Automated)
+  - id: 29668
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^maxsessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config ->  n:^\s*\t*maxsessions\s*\t*(\d+) compare > 10'
+
+  # 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+  - id: 29669
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004", "T1499", "T1499.002"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^logingracetime\s(\d+) compare <= 60 && n:LoginGraceTime\s(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*logingracetime\s*\t*(\d+) compare <= 60 && n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare != 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*logingracetime\s*\t*(\d+) compare > 60'
+
+  # 5.2.22 Ensure SSH Idle Timeout Interval is configured (Automated)
+  - id: 29670
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below is only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not and never had, intentionally, the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they where abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus it can no longer be abused disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option en-abled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinately, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3."
+    references:
+      - https://man.openbsd.org/sshd_config
+    compliance:
+      - cis: ["5.2.22"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^clientaliveinterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -> n:^clientalivecountmax\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare > 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*clientaliveinterval\s*\t*(\d+) compare == 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*clientalivecountmax\s*\t*(\d+) compare == 0'
+
+  ############################################################
+  # 5.3 Configure privilege escalation
+  ############################################################
+
+  # 5.3.1 Ensure sudo is installed (Automated)
+  - id: 29671
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "First determine is LDAP functionality is required. If so, then install sudo-ldap, else install sudo. Example: # apt install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1078", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+    condition: any
+    rules:
+      - "c: dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' sudo -> r:install ok installed"
+      - "c: dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' sudo-ldap -> r:install ok installed"
+
+  # 5.3.2 Ensure sudo commands use pty (Automated)
+  - id: 29672
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1548", "T1548.003"]
+      - mitre_tactics: ["TA0003"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists (Automated)
+  - id: 29673
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 5.3.4 Ensure users must provide password for privilege escalation (Automated)
+  - id: 29674
+    title: "Ensure users must provide password for privilege escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without (re-)authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user (re-)authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+  - id: 29675
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly (Automated)
+  - id: 29676
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. This default is distribution specific. See audit section for further information."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on it's own, or on the same line as env_reset. See the following two examples: Defaults Defaults Defaults env_reset, timestamp_timeout=15 timestamp_timeout=15 env_reset."
+    references:
+      - https://www.sudo.ws/man/1.9.0/sudoers.man.html
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted (Automated)
+  - id: 29677
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  ############################################################
+  # 5.4 Configure PAM
+  ############################################################
+
+  # 5.4.1 Ensure password creation requirements are configured (Automated)
+  - id: 29678
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following options are set in the /etc/security/pwquality.conf file: - Password Length: > minlen = 14 - password must be 14 characters or more. - Password complexity: > minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR > dcredit = -1 - provide at least one digit. > ucredit = -1 - provide at least one uppercase character. > ocredit = -1 - provide at least one special character. > lcredit = -1 - provide at least one lowercase character."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "The following setting is a recommend example policy. Alter these values to conform to your own organization's password policies. Run the following command to install the pam_pwquality module: # apt install libpam-pwquality Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy: minlen = 14 .Edit the file /etc/security/pwquality.conf and add or modify the following line for .password complexity to conform to site policy: Option 1 minclass = 4 Option 2 dcredit = -1, ucredit = -1, ocredit = -1, lcredit = -1."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minclass\s*\t*=\s*\t*(\d+) compare >= 4'
+      - 'not f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minlen\s*\t*=\s*\t*(\d+) compare < 14'
+      - 'not f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minclass\s*\t*=\s*\t*(\d+) compare < 4'
+
+  # 5.4.2 Ensure lockout for failed password attempts is configured (Automated)
+  - id: 29679
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the common PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. All configuration of faillock is located in /etc/security/faillock.conf and well commented. - deny > Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n tries. - fail_interval > The length of the interval, in seconds, during which the consecutive authentication failures must happen for the user account to be locked out. - unlock_time > The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock command. Set the lockout number and unlock time in accordance with local site policy."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "It is critical to test and validate any PAM changes before deploying. Any misconfiguration could cause the system to be inaccessible."
+    remediation: 'NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. Common auth: Edit /etc/pam.d/common-auth and ensure that faillock is configured. Note: It is critical to understand each line and the relevant arguments for successful implementation. The order of these entries is very specific. The pam_faillock.so lines surround the pam_unix.so line. The comment "Added to enable faillock" is shown to highlight the additional lines and their order in the file. # here are the per-package modules (the "Primary" block) auth required pam_faillock.so preauth # Added to enable faillock auth [success=1 default=ignore] pam_unix.so nullok auth [default=die] pam_faillock.so authfail # Added to enable faillock auth sufficient pam_faillock.so authsucc # Added to enable faillock # here''s the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn''t one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_cap.so # end of pam-auth-update config Common account: Edit /etc/pam.d/common-account and ensure that the following stanza is at the end of the file. > account > required > pam_faillock.so. Fail lock configuration: Edit /etc/security/faillock.conf and configure it per your site policy. Example: deny = 4 > fail_interval = 900 > unlock time = 600.'
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - pci_dss_3.2.1: ["8.1.3"]
+      - pci_dss_4.0: ["8.2.4", "8.2.5"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.2", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_faillock.so\s*\t*preauth'
+      - 'f:/etc/pam.d/common-auth -> !r:^\s*\t*# && r:auth && r:default=die && r:\s*\t*pam_faillock.so && r:\s*\t*authfail'
+      - 'f:/etc/pam.d/common-auth -> !r:^\s*\t*# && r:auth\s*\t*sufficient\s*\t*pam_faillock.so\s*\t*authsucc'
+      - 'f:/etc/pam.d/common-account -> !r:^\s*\t*# && r:account\s*\t*required\s*\t*pam_faillock.so'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:fail_interval\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:unlock_time\s*\t*=\s*\t*(\d+) compare > 0 && n:unlock_time\s*\t*=\s*\t*(\d+) compare < 600'
+
+  # 5.4.3 Ensure password reuse is limited (Automated)
+  - id: 29680
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. Edit the /etc/pam.d/common-password file to include the remember= option of 5 or more. If this line doesn't exist, add the line directly above the line: password [success=1 default=ignore] pam_unix.so obscure yescrypt: Example: password required pam_pwhistory.so use_authtok remember=5."
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:\s*\t*password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.4.4 Ensure password hashing algorithm is up to date with the latest standards (Automated)
+  - id: 29681
+    title: "Ensure password hashing algorithm is up to date with the latest standards."
+    description: "The commands below change password encryption to yescrypt. All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The yescrypt algorithm provides much stronger hashing than previous available algorithms, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: these change only apply to accounts configured on the local system."
+    remediation: "NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. PAM Edit the /etc/pam.d/common-password file and ensure that no hashing algorithm option for pam_unix.so is set: password [success=1 default=ignore] try_first_pass remember=5 pam_unix.so obscure use_authtok - Login definitions: Edit /etc/login.defs and ensure that ENCRYPT_METHOD is set to yescrypt."
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: all
+    rules:
+      - 'not f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:yescrypt|md5|bigcrypt|sha256|sha512|blowfish'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD\s*\t*yescrypt'
+
+  # 5.4.5 Ensure all current passwords uses the configured hashing algorithm (Manual) - Not Implemented
+
+  ############################################################
+  # 5.5 User Accounts and Environment
+  ############################################################
+
+  ############################################################
+  # 5.5.1 Set Shadow Password Suite Parameters
+  ############################################################
+
+  # 5.5.1.1 Ensure minimum days between password changes is configured (Automated)
+  - id: 29682
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs : PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.5.1.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare == 0'
+
+  # 5.5.1.2 Ensure password expiration is 365 days or less (Automated)
+  - id: 29683
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. It is recommended that the PASS_MAX_DAYS parameter does not exceed 365 days and is greater than the value of PASS_MIN_DAYS."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    references:
+      - https://www.cisecurity.org/white-papers/cis-password-policy-guide/
+    compliance:
+      - cis: ["5.5.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.5.1.3 Ensure password expiration warning days is 7 or more (Automated)
+  - id: 29684
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.5.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.5.1.4 Ensure inactive password lock is 30 days or less (Automated)
+  - id: 29685
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.5.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.5.1.5 Ensure all users last password change date is in the past (Automated) - Not Implemented
+  # 5.5.2 Ensure system accounts are secured (Automated) - Not Implemented
+
+  # 5.5.3 Ensure default group for the root account is GID 0 (Automated)
+  - id: 29686
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.5.4 Ensure default user umask is 027 or more restrictive (Automated) - Not Implemented
+  # 5.5.5 Ensure default user umask is 027 or more restrictive (Automated) - Not Implemented
+
+  ############################################################
+  # 6 System Maintenance
+  ############################################################
+
+  ############################################################
+  # 6.1 System File Permissions
+  ############################################################
+
+  # 6.1.1 Ensure permissions on /etc/passwd are configured (Automated)
+  - id: 29687
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: any
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured (Automated)
+  - id: 29688
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: any
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured (Automated)
+  - id: 29689
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured (Automated)
+  - id: 29690
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group- -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured (Automated)
+  - id: 29691
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow to root and group to either root or shadow: # chown root:shadow /etc/shadow -OR- # chown root:root /etc/shadow Run the following command to remove excess permissions form /etc/shadow: # chmod u-x,g-wx,o-rwx /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:\s0 root 0 root && r:640|600|400|500'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured (Automated)
+  - id: 29692
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow- to root and group to either root or shadow: # chown root:shadow /etc/shadow- -OR- # chown root:root /etc/shadow- Run the following command to remove excess permissions form /etc/shadow-: # chmod u-x,g-wx,o-rwx /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:\s0 root 0 root && r:640|600|400|500'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured (Automated)
+  - id: 29693
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow to root and group to either root or shadow: # chown root:shadow /etc/gshadow -OR- # chown root:root /etc/gshadow Run the following command to remove excess permissions form /etc/gshadow: # chmod u-x,g-wx,o-rwx /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow  -> r:\s0 root 0 root && r:640|600|400|500'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured (Automated)
+  - id: 29694
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow- to root and group to either root or shadow: # chown root:shadow /etc/gshadow- -OR- # chown root:root /etc/gshadow- Run the following command to remove excess permissions form /etc/gshadow-: # chmod u-x,g-wx,o-rwx /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow-  -> r:\s0 root 0 root && r:640|600|400|500'
+
+  # 6.1.9 Ensure no world writable files exist (Automated) - Not implemented
+  # 6.1.10 Ensure no unowned files or directories exist (Automated) - Not implemented
+  # 6.1.11 Ensure no ungrouped files or directories exist (Automated) - Not implemented
+  # 6.1.12 Audit SUID executables (Manual) - Not Implemented
+  # 6.1.13 Audit SGID executables (Manual) - Not Implemented
+
+  ############################################################
+  # 6.2 Local User and Group Settings
+  ############################################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+  - id: 29695
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty (Automated)
+  - id: 29696
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group (Automated) - Not Implemented
+
+  # 6.2.4 Ensure shadow group is empty (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate UIDs exist (Automated)" - Not Implemented
+  # 6.2.6 Ensure no duplicate GIDs exist (Automated)" - Not Implemented
+  # 6.2.7 Ensure no duplicate user names exist (Automated) - Not Implemented
+  # 6.2.8 Ensure no duplicate group names exist (Automated) - Not Implemented
+  # 6.2.9 Ensure root PATH Integrity (Automated) - Not Implemented
+
+  # 6.2.10 Ensure root is the only UID 0 account (Automated)
+  - id: 29697
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.10"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.11 Ensure local interactive user home directories exist (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive users own their home directories (Automated) - Not Implemented
+  # 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - Not Implemented
+  # 6.2.14 Ensure no local interactive user has .netrc files (Automated) - Not Implemented
+  # 6.2.15 Ensure no local interactive user has .forward files (Automated) - Not Implemented
+  # 6.2.16 Ensure no local interactive user has .rhosts files (Automated) - Not Implemented
+  # 6.2.17 Ensure local interactive user dot files are not group or world writable (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/debian/cis_debian12.yml b/etc/ruleset/sca/debian/cis_debian12.yml
new file mode 100644
index 0000000000..f09ec028d3
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian12.yml
@@ -0,0 +1,3586 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 12
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Family Linux Benchmark v1.0.0 - 09-03-2020
+
+policy:
+  id: "cis_debian12"
+  file: "cis_debian12.yml"
+  name: "Center for Internet Security Debian Family Linux Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 12."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version."
+  description: "Requirements for running the SCA scan against Debian Linux 12."
+  condition: all
+  rules:
+    - "f:/etc/debian_version -> r:12."
+    - "f:/proc/sys/kernel/ostype -> r:Linux"
+    - "f:/etc/os-release -> r:NAME= && r:Debian"
+    - "f:/etc/os-release -> r:VERSION= && r:12"
+
+checks:
+  ############################################################
+  # 1 Initial Setup
+  ############################################################
+  # 1.1 Filesystem configuration
+  ############################################################
+  # 1.1.1 Disable unused filesystems
+  ############################################################
+
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)
+  - id: 33000
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true Run the following command to unload the cramfs module: # rmmod cramfs."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Automated)
+  - id: 33001
+    title: "Ensure mounting of freevxfs filesystems is disabled."
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: rmmod freevxfs."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r: install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated)
+  - id: 33002
+    title: "Ensure mounting of jffs2 filesystems is disabled."
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2."
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  # 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Automated)
+  - id: 33003
+    title: "Ensure mounting of hfs filesystems is disabled."
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs."
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Automated)
+  - id: 33004
+    title: "Ensure mounting of hfsplus filesystems is disabled."
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus."
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  # 1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Manual)
+  - id: 33005
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Disabling squashfs will prevent the use of snap. Snap is a package manager for Linux for installing Snap packages. 'Snap' application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ('App store'), can be obtained from any source and can be therefore used for upstream software deployment. When snaps are deployed on versions of Linux, the Ubuntu app store is used as default back-end, but other stores can be enabled as well."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/squashfs.conf Add the following line: install squashfs /bin/true Run the following command to unload the squashfs module: # rmmod squashfs."
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.7 Ensure mounting of udf filesystems is disabled (Automated)
+  - id: 33006
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf."
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Ensure /tmp is configured (Automated)
+  - id: 33007
+    title: "Ensure /tmp is configured."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Notes: - If an entry for /tmp exists in /etc/fstab it will take precedence over entries in the tmp.mount file. - tmpfs can be resized using the size={size} parameter in /etc/fstab or on the Options line in the tmp.mount file. If we don't specify the size, it will be half the RAM. Resize tmpfs examples: - /etc/fstab tmpfs /tmp tmpfs rw,noexec,nodev,nosuid,size=2G 0 0 - tmp.mount [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,size=2G,noexec,nodev,nosuid."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. /tmp utilizing tmpfs can be resized using the size={size} parameter on the Options line on the tmp.mount file."
+    remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 OR Run the following commands to enable systemd /tmp mounting: Run the following command to create the tmp.mount file is the correct location: # cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/ Edit /etc/systemd/system/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,nosuid,nodev,noexec Run the following command to reload the systemd daemon with the unpdated tmp.mount unit file: # systemctl daemon-reload Run the following command to enable and start tmp.mount # systemctl --now enable tmp.mount."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - "c:mount -> r:tmpfs on /tmp type tmpfs"
+      - 'f:/etc/fstab -> !r:^\s*\t*# && r:tmpfs /tmp tmpfs'
+      - "c:systemctl is-enabled tmp.mount -> r:^enabled"
+
+  # 1.1.3 Ensure nodev option set on /tmp partition (Automated)
+  - id: 33008
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp OR IF systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/tmp\s && !r:nodev'
+
+  # 1.1.4 Ensure nosuid option set on /tmp partition (Automated)
+  - id: 33009
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp OR Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nosuid /tmp."
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/tmp\s && !r:nosuid'
+
+  # 1.1.5 Ensure noexec option set on /tmp partition (Automated)
+  - id: 33010
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp OR Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,noexec /tmp."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/tmp\s && !r:noexec'
+
+  # 1.1.6 Ensure separate partition exists for /var (Automated)
+  - id: 33011
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Note: When modifying /var it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\S+ on /var type ext4'
+
+  # 1.1.7 Ensure separate partition exists for /var/tmp (Automated)
+  - id: 33012
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\S+ on /var/tmp type ext4'
+
+  # 1.1.8 Ensure nodev option set on /var/tmp partition (Automated)
+  - id: 33013
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp."
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/var/tmp\s && !r:nodev'
+
+  # 1.1.9 Ensure nosuid option set on /var/tmp partition (Automated)
+  - id: 33014
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nosuid /var/tmp."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\S+ on /var/tmp type ext4 && r:nosuid'
+
+  # 1.1.10 Ensure noexec option set on /var/tmp partition (Automated)
+  - id: 33015
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/var/tmp\s && !r:noexec'
+
+  # 1.1.11 Ensure separate partition exists for /var/log (Automated)
+  - id: 33016
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data. Note: When modifying /var/log it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\S+ on /var/log type ext4'
+
+  # 1.1.12 Ensure separate partition exists for /var/log/audit (Automated)
+  - id: 33017
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory. Note: When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd , it may not perform as desired."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\S+ on /var/log/audit type ext4'
+
+  # 1.1.13 Ensure separate partition exists for /home (Automated)
+  - id: 33018
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - "c:mount -> r:/dev/xvdf1 on /home type ext4"
+
+  # 1.1.14 Ensure nodev option set on /home partition (Automated)
+  - id: 33019
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home."
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/var/tmp\s && !r:nodev'
+
+  # 1.1.15 Ensure nodev option set on /dev/shm partition (Automated)
+  - id: 33020
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm."
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/dev/shm\s && !r:nodev'
+
+  # 1.1.16 Ensure nosuid option set on /dev/shm partition (Automated)
+  - id: 33021
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/dev/shm\s && !r:nosuid'
+
+  # 1.1.17 Ensure noexec option set on /dev/shm partition (Automated)
+  - id: 33022
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm."
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - 'not c:mount -> r:\s*/dev/shm\s && !r:noexec'
+
+  # 1.1.18 Ensure nodev option set on removable media partitions (Manual) - Not Implemented
+  # 1.1.19 Ensure nosuid option set on removable media partitions (Manual) - Not Implemented
+  # 1.1.20 Ensure noexec option set on removable media partitions (Manual) - Not Implemented
+  # 1.1.21 Ensure sticky bit is set on all world-writable directories (Automated) - Not Implemented
+
+  # 1.1.22 Disable Automounting (Automated)
+  - id: 33023
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. Note: This control should align with the tolerance of the use of portable drives and optical media in the organization. On a server requiring an admin to manually mount media can be part of defense-in-depth to reduce the risk of unapproved software or information being introduced or proprietary software or information being exfiltrated. If admins commonly use flash drives and Server access has sufficient physical controls, requiring manual mounting may not increase security."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Run one of the following commands: Run the following command to disable autofs : # systemctl --now disable autofs OR Run the following command to remove autofs # apt purge autofs."
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["SI.1.213"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1215", "T1027", "T1045", "T1193", "T1194", "T1221", "T1200", "T1091"]
+      - nist_sp_800-53: ["SI-3"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled autofs -> r:disabled"
+      - "c:dpkg -s autofs -> r:package 'autofs' is not installed"
+
+  # 1.1.23 Disable USB Storage (Automated)
+  - id: 33024
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment. Note: An alternative solution to disabling the usb-storage module may be found in USBGuard. Use of USBGuard and construction of USB device policies should be done in alignment with site policy."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["SI.1.213"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1215", "T1027", "T1045", "T1193", "T1194", "T1221", "T1200", "T1091"]
+      - nist_sp_800-53: ["SI-3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ##################################################
+  # 1.2 Configure Software Updates
+  ##################################################
+  # 1.2.1 Ensure package manager repositories are configured (Manual) - Not Implemented
+  # 1.2.2 Ensure GPG keys are configured (Manual) - Not Implemented
+
+  ##################################################
+  # 1.3 Configure sudo
+  ##################################################
+
+  # 1.3.1 Ensure sudo is installed (Automated)
+  - id: 33025
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Note: Use the sudo-ldap package if you need LDAP support for sudoers."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Install sudo using the following command. # apt install sudo OR # apt install sudo-ldap."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.2.008", "IA.1.076", "IA.1.077", "SC.3.181"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: any
+    rules:
+      - "c:dpkg -s sudo -> r:install ok installed"
+      - "c:dpkg -s sudo-ldap -> r:install ok installed"
+
+  # 1.3.2 Ensure sudo commands use pty (Automated)
+  - id: 33026
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo-pty Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors. If the sudoers file is currently being edited you will receive a message to try again later."
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing."
+    remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.2.008", "IA.1.076", "IA.1.077", "SC.3.181"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d/ -> r: \.* -> r:Defaults\s*\t*use_pty'
+
+  # 1.3.3 Ensure sudo log file exists (Automated)
+  - id: 33027
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file. Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors. If the sudoers file is currently being edited you will receive a message to try again later."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line: and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12"]
+      - pci_dss_v3.2.1: ["10.1", "10.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:Defaults\s*\t*logfile=\S+'
+      - 'd:/etc/sudoers.d/ -> r: \.* -> r:Defaults\s*\t*logfile=\S+'
+
+  ###############################################
+  # 1.4 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.4.1 Ensure AIDE is installed (Automated)
+  - id: 33028
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aideinit # mv /var/lib/aide aide.db.new /var/lib/aide/aide.db."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.3.050"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:Status: install ok installed"
+      - "c:dpkg -s aide-common -> r:Status: install ok installed"
+
+  # 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
+  - id: 33029
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Notes: - The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy - systemd timers, timer file aidecheck.timer and service file aidecheck.service, have been included as an optional alternative to using cron - Ubuntu advises using /usr/bin/aide.wrapper rather than calling /usr/bin/aide directly in order to protect the database and prevent conflicts."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    reference:
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.3.050"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - 'c:systemctl status aidecheck.timer -> r:active\s*\(running\)'
+
+ #########################################
+ # 1.5 Secure Boot Settings
+ #########################################
+
+  # 1.5.1 Ensure permissions on bootloader config are configured (Automated)
+  - id: 33030
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. Notes: - This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. - Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod og-rwx /boot/grub/grub.cfg."
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0400/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.5.2 Ensure bootloader password is set (Automated)
+  - id: 33031
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. Notes: - This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. - Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time)."
+    impact: "If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing 'e' or access the GRUB 2 command line by pressing 'c' If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items. More Information: https://help.ubuntu.com/community/Grub2/Passwords."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> PBKDF2 hash of your password is <encrypted-password>. Add the following into a custom /etc/grub.d configuration file: cat <<EOF set superusers="<username>" password_pbkdf2 <username> <encrypted-password> EOF. The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted". Run the following command to update the grub2 configuration: # update-grub.'
+    references:
+      - https://help.ubuntu.com/community/Grub2/Passwords
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  # 1.5.3 Ensure authentication required for single user mode (Automated)
+  - id: 33032
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root."
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'f:/etc/shadow -> r:^root:\$\w'
+
+ #############################################
+ # 1.6 Additional Process Hardening
+ #############################################
+
+  # 1.6.1 Ensure XD/NX support is enabled (Automated)
+  - id: 33033
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. Note: Ensure your system supports the XD or NX bit and has PAE support before implementing this recommendation as this may prevent it from booting if these are not supported by your hardware."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_csc_v7: ["8.3"]
+      - mitre_techniques: ["T1189", "T1190", "T1203", "T1212", "T1211", "T1068", "T1210", "T1117", "T1085", "T1080", "T1131", "T1003", "T1101"]
+      - nist_sp_800-53: ["SC-39", "SI-16"]
+    condition: all
+    rules:
+      - 'c:journalctl -> r:protection: active'
+
+  # 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Automated)
+  - id: 33034
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2."
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc_v7: ["8.3"]
+      - mitre_techniques: ["T1189", "T1190", "T1203", "T1212", "T1211", "T1068", "T1210", "T1117", "T1085", "T1080", "T1131", "T1003", "T1101"]
+      - nist_sp_800-53: ["SC-39", "SI-16"]
+    condition: any
+    rules:
+      - 'c:sysctl kernel.randomize_va_space -> r:kernel.randomize_va_space = 2'
+      - 'f:/etc/sysctl.conf -> r:kernel.randomize_va_space = 2'
+      - 'd:/etc/sysctl.d/ -> r:\.* -> r:kernel.randomize_va_space = 2'
+
+  # 1.6.3 Ensure prelink is disabled (Automated)
+  - id: 33035
+    title: "Ensure prelink is disabled."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink."
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.3.050"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s prelink -> r:package 'prelink' is not installed"
+
+  # 1.6.4 Ensure core dumps are restricted (Automated)
+  - id: 33036
+    title: "Ensure prelink is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload."
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - "f:/etc/security/limits.conf -> r:* hard core 0"
+      - 'd:/etc/security/limits.d -> r:\.*. -> r:* hard core 0'
+      - 'c:sysctl fs.suid_dumpable -> r:fs.suid_dumpable = 0'
+      - 'f:/etc/sysctl.conf -> r:fs.suid_dumpable = 0'
+      - 'd:/etc/sysctl.d/* -> r:\.* -> r:fs.suid_dumpable = 0'
+      - 'c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled'
+
+ ##############################################
+ # 1.7 Mandatory Access Control
+ ##############################################
+ # 1.7.1 Configure AppArmor
+ ##############################################
+
+  # 1.7.1.1 Ensure AppArmor is installed (Automated)
+  - id: 33037
+    title: "Ensure AppArmor is installed."
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:dpkg -s apparmor -> r:install ok installed'
+
+  # 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration (Automated)
+  - id: 33038
+    title: "Ensure AppArmor is enabled in the bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    rationale: "AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden."
+    remediation: "Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" Run the following command to update the grub2 configuration: # update-grub."
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:\s*linux && !r:apparmor=1'
+      - 'not f:/boot/grub/grub.cfg -> r:\s*linux && !r:security=apparmor'
+
+  # 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated)
+  - id: 33039
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> r:\d+ profiles are loaded || \d+ profiles are in enforce mode || \d+ profiles are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  # 1.7.1.4 Ensure all AppArmor Profiles are enforcing (Automated)
+  - id: 33040
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+ ########################################
+ # 1.8 Warning Banners
+ ########################################
+
+   # 1.8.1 Ensure message of the day is configured properly (Automated)
+  - id: 33041
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian'
+
+   # 1.8.2 Ensure permissions on /etc/issue.net are configured (Automated)
+  - id: 33042
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+   # 1.8.3 Ensure permissions on /etc/issue are configured (Automated)
+  - id: 33043
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+   # 1.8.4 Ensure permissions on /etc/motd are configured (Automated)
+  - id: 33044
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Note: If Message of the day is not needing, this file can be removed."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd OR Run the following command to remove the /etc/motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - "not f:/etc/motd"
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+   # 1.8.5 Ensure remote login warning banner is configured properly (Automated)
+  - id: 33045
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian'
+
+   # 1.8.6 Ensure local login warning banner is configured properly (Automated)
+  - id: 33046
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.8.6"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian'
+
+   # 1.9 Ensure GDM is removed or login is configured (Automated)
+  - id: 33047
+    title: "Ensure GDM is removed or login is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a graphical login is required, last logged in user display should be disabled, and a warning banner should be configured. displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user and apply an equivalent banner."
+    remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and edit or add the following: [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' disable-user-list=true Example banner message: Authorized uses only. All activity may be monitored and reported. Run the following command to re-load GDM on the next login or reboot: # dpkg-reconfigure gdm3."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:dpkg -s GDM -> r:install ok installed'
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:banner-message-enable=true'
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:banner-message-text=\S+'
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:disable-user-list=true'
+
+   # 1.10 Ensure updates, patches, and additional security software are installed (Manual)
+  - id: 33048
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality. Notes: - Site policy may mandate a testing period before install onto production systems for available updates. - upgrade - is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt knows that new versions of packages are available. - dist-upgrade - in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt has a \"smart\" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, dist-upgrade command may remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Run the following command to update all packages following local site policy guidance on applying updates and patches: # apt upgrade OR # apt dist-upgrade."
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v7: ["3.4","3.5"]
+      - cmmc_v2.0: ["MA.2.111"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078", "T1103", "T1017", "T1138", "T1189", "T1190", "T1212", "T1211", "T1068", "T1210", "T1495", "T1137", "T1075", "T1195", "T1019", "T1072", "T1100"]
+    condition: none
+    rules:
+      - "c:apt -s upgrade -> r:^The following packages will be upgraded"
+
+ ###################################
+ # 2 Services
+ ###################################
+ # 2.1 Special Purpose Services
+ ###################################
+ # 2.1.1 Time Synchronization
+ ###################################
+
+   # 2.1.1.1 Ensure time synchronization is in use (Automated)
+  - id: 33049
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Notes: - If access to a physical host's clock is available and configured according to site policy, this section can be skipped - Only one time synchronization method should be in use on the system - If access to a physical host's clock is available and configured according to site policy, systemd-timesyncd should be stopped and masked."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On systems where host based time synchronization is not available, configure systemd-timesyncd. If \"full featured\" and/or encrypted time synchronization is required, install chrony or NTP. To install chrony: # apt install chrony To install ntp: # apt install ntp On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.1.1.1"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.2.043"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.4"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd -> r:enabled"
+      - "c:dpkg -s chrony -> r:install ok installed"
+      - "c:dpkg -s ntp -> r:install ok installed"
+
+   # 2.1.1.2 Ensure systemd-timesyncd is configured (Manual)
+  - id: 33050
+    title: "Ensure systemd-timesyncd is configured."
+    description: "systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group \"systemd-timesync\" needs to be created on installation of systemd. Notes: - The systemd-timesyncd service specifically implements only SNTP. This minimalistic service will set the system clock for large offsets or slowly adjust it for smaller deltas. More complex use cases are not covered by systemd-timesyncd - If chrony or ntp are used, systemd-timesyncd should be stopped and masked, and this section skipped - This recommendation only applies if timesyncd is in use on the system - Only one time synchronization method should be in use on the system."
+    rationale: "Proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "- Remove additional time synchronization methods: Run the following commands to remove ntp and chrony: # apt purge ntp # apt purge chrony - Configure systemd-timesyncd: Run the following command to enable systemd-timesyncd # systemctl enable systemd-timesyncd.service edit the file /etc/systemd/timesyncd.conf and add/modify the following lines: NTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy FallbackNTP=2.debian.pool.ntp.org 3.debian.pool.ntp.org #Servers listed should be In Accordence With Local Policy RootDistanceMax=1 #should be In Accordence With Local Policy Run the following commands to start systemd-timesyncd.service # systemctl start systemd-timesyncd.service # timedatectl set-ntp true."
+    compliance:
+      - cis: ["2.1.1.2"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.2.043"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s ntp -> r:package 'ntp' is not installed"
+      - "c:dpkg -s chrony -> r:package 'chrony' is not installed"
+      - "c:systemctl is-enabled systemd-timesyncd.service -> r:enabled"
+      - "c:timedatectl status -> r:NTP enabled: yes | NTP synchronized: yes"
+
+   # 2.1.1.3 Ensure chrony is configured (Automated)
+  - id: 33051
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at: http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server. Notes: - If ntp or systemd-timesyncd are used, chrony should be removed and this section skipped - This recommendation only applies if chrony is in use on the system - Only one time synchronization method should be in use on the system."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Remove and/or disable additional time synchronization methods: Run the following command to remove ntp: # apt purge ntp Run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd Configure chrony: Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server> Add or edit the user line to /etc/chrony/chrony.conf: user _chrony."
+    compliance:
+      - cis: ["2.1.1.3"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.2.043"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s ntp -> r:package 'ntp' is not installed"
+      - "c:systemctl is-enabled systemd-timesyncd -> r:masked"
+      - 'f:/etc/chrony/chrony.conf -> r:server\s*\S+'
+      - 'c:ps -ef -> r:_chrony'
+
+   # 2.1.1.4 Ensure ntp is configured (Automated)
+  - id: 33052
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. Notes: - If chrony or systemd-timesyncd are used, ntp should be removed and this section skipped - This recommendation only applies if ntp is in use on the system - Only one time synchronization method should be in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "- Remove and/or disable additional time synchronization methods: Run the following command to remove chrony: apt purge chrony Run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd - Configure ntp: Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp."
+    compliance:
+      - cis: ["2.1.1.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.2.043"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s chrony -> r:package 'ntp' is not installed"
+      - "c:systemctl is-enabled systemd-timesyncd -> r:masked"
+      - 'f:/etc/ntp.conf -> r:restrict -(d+) && r:default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery'
+      - 'f:/etc/ntp.conf -> r:restrict -6 && r:default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery'
+      - 'f:/etc/ntp.conf -> r:server\s*\S+'
+      - 'f:/etc/init.d/ntp -> r:RUNASUSER=ntp'
+
+   # 2.1.2 Ensure X Window System is not installed (Automated)
+  - id: 33053
+    title: "Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: "Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the \"headless\" Java packages for your specific Java runtime, if provided by your distribution."
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*."
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg* -> r:^\w\s*xserver-xorg'
+
+   # 2.1.3 Ensure Avahi Server is not installed (Automated)
+  - id: 33054
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to remove avahi-daemon: # systemctl stop avahi-daaemon.service # systemctl stop avahi-daemon.socket # apt purge avahi-daemon."
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s avahi-daemon -> r:package 'avahi-daemon' is not installed"
+
+   # 2.1.4 Ensure CUPS is not installed (Automated)
+  - id: 33055
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface."
+    impact: "Removing CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run one of the following commands to remove cups : # apt purge cups."
+    references:
+      - http://www.cups.org
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s cups -> r:package 'cups' is not installed"
+
+   # 2.1.5 Ensure DHCP Server is not installed (Automated)
+  - id: 33056
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove isc-dhcp-server: # apt purge isc-dhcp-server."
+    references:
+      - http://www.isc.org/software/dhcp.
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s isc-dhcp-server -> r:package 'isc-dhcp-server' is not installed"
+
+   # 2.1.6 Ensure LDAP server is not installed (Automated)
+  - id: 33057
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove slapd: # apt purge slapd."
+    references:
+      - http://www.openldap.org.
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s slapd -> r:package 'slapd' is not installed"
+
+   # 2.1.7 Ensure NFS is not installed (Automated)
+  - id: 33058
+    title: "Ensure NFS is not installed."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove nfs: # apt purge nfs-kernel-server."
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s nfs-kernel-server -> r:package 'nfs-kernel-server' is not installed"
+
+   # 2.1.8 Ensure DNS Server is not installed (Automated)
+  - id: 33059
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable DNS server: # apt purge bind9."
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s bind9 -> r:package 'bind9' is not installed"
+
+   # 2.1.9 Ensure FTP Server is not installed (Automated)
+  - id: 33060
+    title: "Ensure FTP Server is not installed."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. Note: Additional FTP servers also exist and should be audited."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # apt purge vsftpd."
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s vsftpd -> r:package 'vsftpd' is not installed"
+
+   # 2.1.10 Ensure HTTP server is not installed (Automated)
+  - id: 33061
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content. Note: Several httpd servers exist and can use other service names. apache2 and nginx are example services that provide an HTTP server. These and other services should also be audited."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove apache: # apt purge apache2."
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s apache2 -> r:package 'apache2' is not installed"
+
+   # 2.1.11 Ensure IMAP and POP3 server are not installed (Automated)
+  - id: 33062
+    title: "Ensure IMAP and POP3 server are not installed."
+    description: "dovecot-imapd and dovecot-pop3d are an open source IMAP and POP3 server for Linux based systems. Note: Several IMAP/POP3 servers exist and can use other service names. courier-imap and cyrus-imap are example services that provide a mail server. These and other services should also be audited."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove dovecot-imapd and dovecot-pop3d: # apt purge dovecot-imapd dovecot-pop3d."
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s dovecot-imapd -> r:package 'dovecot-imapd' is not installed"
+      - "c:dpkg -s dovecot-pop3d -> r:package 'dovecot-pop3d' is not installed"
+
+   # 2.1.12 Ensure Samba is not installed (Automated)
+  - id: 33063
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # apt purge samba."
+    compliance:
+      - cis: ["2.1.12"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s samba -> r:package 'samba' is not installed"
+
+  # 2.1.13 Ensure HTTP Proxy Server is not installed (Automated)
+  - id: 33064
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments. Note: Several HTTP proxy servers exist. These and other services should be checked."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove squid: # apt purge squid."
+    compliance:
+      - cis: ["2.1.13"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s squid -> r:package 'squid' is not installed"
+
+  # 2.1.14 Ensure SNMP Server is not installed (Automated)
+  - id: 33065
+    title: "Ensure SNMP Server is not installed."
+    description: "Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. \"SNMPv2 historic\" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. - If SNMP v2 is absolutely necessary, modify the community strings' values."
+    remediation: "Run the following command to remove snmpd: # apt purge snmpd."
+    compliance:
+      - cis: ["2.1.14"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s snmpd -> r:package 'snmpd' is not installed"
+
+  # 2.1.15 Ensure mail transfer agent is configured for local-only mode (Automated)
+  - id: 33066
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: This recommendation is designed around the exim4 mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/exim4/update-exim4.conf.conf and and or modify following lines to look like the lines below: dc_eximconfig_configtype='local' dc_local_interfaces='127.0.0.1 ; ::1' dc_readhost='' dc_relay_domains='' dc_minimaldns='false' dc_relay_nets='' dc_smarthost='' dc_use_split_config='false' dc_hide_mailname='' dc_mailname_in_oh='true' dc_localdelivery='mail_spool' Restart exim4: # systemctl restart exim4."
+    compliance:
+      - cis: ["2.1.15"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25 && r:\.*LISTEN && !r:127.0.0.1:25|[::1]:25'
+
+  # 2.1.16 Ensure rsync service is not installed (Automated)
+  - id: 33067
+    title: "Ensure rsync service is not installed."
+    description: "The rsync service can be used to synchronize files between systems over network links."
+    rationale: "The rsync service presents a security risk as it uses unencrypted protocols for communication. The rsync package should be removed to reduce the attack area of the system."
+    remediation: "Run the following command to remove rsync: # apt purge rsync."
+    compliance:
+      - cis: ["2.1.16"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s rsync -> r:package 'rsync' is not installed"
+
+  # 2.1.17 Ensure NIS Server is not installed (Automated)
+  - id: 33068
+    title: "Ensure NIS Server is not installed."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed and other, more secure services be used."
+    remediation: "Run the following command to remove nis: # apt purge nis."
+    compliance:
+      - cis: ["2.1.17"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s nis -> r:package 'nis' is not installed"
+
+ #####################################
+ # 2.2 Service Clients
+ #####################################
+
+  # 2.2.1 Ensure NIS Client is not installed (Automated)
+  - id: 33069
+    title: "Ensure NIS Server is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall nis: apt purge nis."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - "c:dpkg -s nis -> r:package 'nis' is not installed"
+
+  # 2.2.2 Ensure rsh client is not installed (Automated)
+  - id: 33070
+    title: "Ensure rsh client is not installed."
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall rsh: apt purge rsh-client."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v7: ["4.5"]
+      - cmmc_v2.0: ["IA.3.083"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1098", "T1017", "T1110", "T1136", "T1530", "T1114", "T1133", "T1040", "T1076", "T1021", "T1539", "T1072", "T1078", "T1134", "T1067", "T1088", "T1175", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["2.3", "8.3", "8.3.1", "8.3.2"]
+    condition: all
+    rules:
+      - "c:dpkg -s rsh-client -> r:package 'rsh-client' is not installed"
+
+  # 2.2.3 Ensure talk client is not installed (Automated)
+  - id: 33071
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall talk: apt purge talk."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - "c:dpkg -s talk -> r:package 'talk' is not installed"
+
+  # 2.2.4 Ensure telnet client is not installed (Automated)
+  - id: 33072
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall telnet: # apt purge telnet."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v7: ["4.5"]
+      - cmmc_v2.0: ["IA.3.083"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1098", "T1017", "T1110", "T1136", "T1530", "T1114", "T1133", "T1040", "T1076", "T1021", "T1539", "T1072", "T1078", "T1134", "T1067", "T1088", "T1175", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["2.3", "8.3", "8.3.1", "8.3.2"]
+    condition: all
+    rules:
+      - "c:dpkg -s telnet -> r:package 'telnet' is not installed"
+
+  # 2.2.5 Ensure LDAP client is not installed (Automated)
+  - id: 33073
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Uninstall ldap-utils: # apt purge ldap-utils."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.2.063", "CM.3.069", "CM.4.073"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1191", "T1092", "T1175", "T1173", "T1519", "T1052", "T1210", "T1133", "T1118", "T1171", "T1170", "T1046", "T1137", "T1086", "T1164", "T1121", "T1076", "T1091", "T1180", "T1064", "T1184", "T1221", "T1127", "T1028"]
+      - nist_sp_800-53: ["CM-11"]
+    condition: all
+    rules:
+      - "c:dpkg -s ldap-utils -> r:package 'ldap-utils' is not installed"
+
+  # 2.2.6 Ensure RPC is not installed (Automated)
+  - id: 33074
+    title: "Ensure RPC is not installed."
+    description: "Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. It requires an RPC compliant client listening on a network port. The supporting package is rpcbind."
+    rationale: "If RPC is not required, it is recommended that this services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove rpcbind: # apt purge rpcbind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s rpcbind -> r:package 'rpcbind' is not installed"
+
+ # 2.3 Ensure nonessential services are removed or masked (Manual) - Not Implemented
+ ###################################################
+ # 3 Network Configuration
+ ###################################################
+ # 3.1 Disable unused network protocols and devices
+ ###################################################
+
+  # 3.1.1 Disable IPv6. (Manual) - Not Implemented
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+ ###################################################
+ # 3.2 Network Parameters (Host Only)
+ ###################################################
+  # 3.2.1 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+ #####################################################
+ # 3.3 Network Parameters (Host and Router)
+ #####################################################
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated)
+  - id: 33075
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:net.ipv4.icmp_echo_ignore_broadcasts = 1'
+      - 'f:/etc/sysctl.conf -> r:net.ipv4.icmp_echo_ignore_broadcasts = 1'
+      - 'd:/etc/sysctl.d -> r:\. -> r:net.ipv4.icmp_echo_ignore_broadcasts = 1'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated)
+  - id: 33076
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:net.ipv4.icmp_ignore_bogus_error_responses = 1'
+      - 'f:/etc/sysctl.conf -> r:net.ipv4.icmp_ignore_bogus_error_responses = 1'
+      - 'd:/etc/sysctl.d -> r:\. -> r:net.ipv4.icmp_ignore_bogus_error_responses = 1'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated)
+  - id: 33077
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: any
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:net.ipv4.tcp_syncookies = 1'
+      - 'f:/etc/sysctl.conf -> r:net.ipv4.tcp_syncookies = 1'
+      - 'd:/etc/sysctl.d -> r:\. -> r:net.ipv4.tcp_syncookies = 1'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+ ###################################################
+ # 3.5 Uncommon Network Protocols
+ ###################################################
+
+  # 3.5.1 Ensure DCCP is disabled. (Automated)
+  - id: 33078
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/dccp.conf Add the following line: install dccp /bin/true."
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:install /bin/true'
+      - 'not c:lsmod -> r:dccp'
+
+  # 3.5.2 Ensure SCTP is disabled. (Automated)
+  - id: 33079
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true."
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:install /bin/true'
+      - 'not c:lsmod -> r:sctp'
+
+  # 3.5.3 Ensure RDS is disabled. (Automated)
+  - id: 33080
+    title: "Ensure RDS is disabled."
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true."
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v rds -> r:install /bin/true'
+      - 'not c:lsmod -> r:rds'
+
+  # 3.5.4 Ensure TIPC is disabled. (Automated)
+  - id: 33081
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true."
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v tipc -> r:install /bin/true'
+      - 'not c:lsmod -> r:tipc'
+
+ ########################################
+ # 3.6 Firewall Configuration
+ ########################################
+ # 3.6.1 Configure UncomplicatedFirewall
+ ########################################
+
+  # 3.6.1.1 Ensure Uncomplicated Firewall is installed. (Automated)
+  - id: 33082
+    title: "Ensure Uncomplicated Firewall is installed."
+    description: "The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. UFW is dependent on the iptables package."
+    remediation: "Run the following command to install Uncomplicated Firewall (UFW): apt install ufw."
+    compliance:
+      - cis: ["3.6.1.1"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:dpkg -s ufw -> r:install ok installed'
+
+  # 3.6.1.2 Ensure iptables-persistent is not installed. (Automated)
+  - id: 33083
+    title: "Ensure iptables-persistent is not installed."
+    description: "The iptables-persistent is a boot-time loader for netfilter rules, iptables plugin."
+    rationale: "Running both ufw and the services included in the iptables-persistent package may lead to conflict."
+    remediation: "Run the following command to remove the iptables-persistent package: # apt purge iptables-persistent."
+    compliance:
+      - cis: ["3.6.1.2"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s iptables-persistent -> r:package 'iptables-persistent' is not installed"
+
+  # 3.6.1.3 Ensure ufw service is enabled. (Automated)
+  - id: 33084
+    title: "Ensure ufw service is enabled."
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Notes: - When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall. - Run the following command before running ufw enable. # ufw allow proto tcp from any to any port 22 - The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy) - By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using ufw --force enable."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to enable ufw: # ufw enable."
+    references:
+      - 'http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html'
+    compliance:
+      - cis: ["3.6.1.3"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled ufw -> r:enabled'
+      - 'c:ufw status -> r:Status: active'
+
+  # 3.6.1.4 Ensure loopback traffic is configured. (Automated) - Not Implemented
+  # 3.6.1.5 Ensure outbound connections are configured. (Manual) - Not Implemented
+  # 3.6.1.6 Ensure firewall rules exist for all open ports. (Manual) - Not Implemented
+
+  # 3.6.1.7 Ensure default deny firewall policy. (Automated)
+  - id: 33085
+    title: "Ensure default deny firewall policy."
+    description: "A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    impact: "Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny. ufw allow git ufw allow in http ufw allow in https ufw allow out 53 ufw logging on."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed."
+    compliance:
+      - cis: ["3.6.1.7"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+\(incoming\)|reject\W+\(incoming\)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+\(outgoing\)|reject\W+\(outgoing\)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+\(routed\)|reject\W+\(routed\)'
+
+ #############################################
+ # 3.6.2 Configure nftables
+ #############################################
+
+  # 3.6.2.1 Ensure nftables is installed. (Automated)
+  - id: 33086
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: - nftables is available in Linux kernel 3.13 and newer - Only one firewall utility should be installed and configured - Changing firewall settings while connected over the network can result in being locked out of the system."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install nftables: # apt install nftables."
+    compliance:
+      - cis: ["3.6.2.1"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:dpkg-query -s nftables -> r:install ok installed'
+
+  # 3.6.2.2 Ensure Uncomplicated Firewall is not installed or disabled. (Automated)
+  - id: 33087
+    title: "Ensure Uncomplicated Firewall is not installed or disabled."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use."
+    rationale: "Running both the nftables service and ufw may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or disable ufw Run the following command to remove ufw: # apt purge ufw Run the following command to disable ufw: # ufw disable."
+    compliance:
+      - cis: ["3.6.2.2"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: any
+    rules:
+      - "c:dpkg-query -s ufw -> r:package 'ufw' is not installed"
+      - 'c:ufw status -> r:inactive'
+
+  # 3.6.2.3 Ensure iptables are flushed. (Manual)
+  - id: 33088
+    title: "Ensure iptables are flushed."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.6.2.3"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: none
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT'
+      - 'c:ip6tables -L -> r:Chain INPUT'
+
+  # 3.6.2.4 Ensure a table exists. (Automated)
+  - id: 33089
+    title: "Ensure a table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.6.2.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:table inet'
+
+  # 3.6.2.5 Ensure base chains exist. (Automated)
+  - id: 33090
+    title: "Ensure base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.6.2.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:nft list ruleset -> r:type filter hook input priority 0'
+      - 'c:nft list ruleset -> r:type filter hook forward priority 0'
+      - 'c:nft list ruleset -> r:type filter hook output priority 0'
+
+  # 3.6.2.6 Ensure loopback traffic is configured. (Automated)
+  - id: 33091
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop IF IPv6 is enabled on the system: Run the following command to implement the IPv6 loopback rule: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.6.2.6"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:iif "lo" accept'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip saddr|ip6 saddr'
+
+  # 3.6.2.7 Ensure outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.6.2.8 Ensure default deny firewall policy. (Automated)
+  - id: 33092
+    title: "Ensure default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.6.2.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "not c:nft list ruleset -> r:hook input && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook forward && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook output && !r:policy drop"
+
+  # 3.6.2.9 Ensure nftables service is enabled. (Automated)
+  - id: 33093
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.6.2.9"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.6.2.10 Ensure nftables rules are permanent. (Automated) - Not Implemented
+ ########################################
+ # 3.6.3 Configure iptables
+ ########################################
+ # 3.6.3.1 Configure software
+ ########################################
+
+  # 3.6.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 33094
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-persistent # apt install iptables iptables-persistent."
+    compliance:
+      - cis: ["3.6.3.1.1"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "c:apt list iptables -> r:installed"
+      - "c:apt list iptables-persistent -> r:installed"
+
+  # 3.6.3.1.2 Ensure nftables is not installed. (Automated)
+  - id: 33095
+    title: "Ensure nftables is not installed."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # apt purge nftables."
+    compliance:
+      - cis: ["3.6.3.1.2"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s nftables -> r:package 'nftables' is not installed"
+
+  # 3.6.3.1.3 Ensure Uncomplicated Firewall is not installed or disabled. (Automated)
+  - id: 33096
+    title: "Ensure Uncomplicated Firewall is not installed or disabled."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. - Uses a command-line interface consisting of a small number of simple commands - Uses iptables for configuration."
+    rationale: "Running iptables.persistent with ufw enabled may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or stop and mask ufw Run the following command to remove ufw: # apt purge ufw OR Run the following commands to disable ufw: # ufw disable."
+    compliance:
+      - cis: ["3.6.3.1.3"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: any
+    rules:
+      - "c:dpkg-query -s ufw -> r:package 'ufw' is not installed"
+      - 'c:ufw status -> r:inactive'
+      - 'c:systemctl is-enabled ufw -> r:masked'
+
+ ############################################
+ # 3.6.3.2 Configure IPv4 iptables
+ ############################################
+  # 3.6.3.2.1 Ensure default deny firewall policy. (Automated)
+  - id: 33097
+    title: "Ensure default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.6.3.2.1"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)|Chain INPUT \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)|Chain FORWARD \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.6.3.2.2 Ensure loopback traffic is configured. (Automated)
+  - id: 33098
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.6.3.2.2"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.6.3.2.3 Ensure outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.6.3.2.4 Ensure firewall rules exist for all open ports. (Automated) - Not Implemented
+ ######################################
+ # 3.6.3.3 Configure IPv6 ip6tables
+ ######################################
+
+  # 3.6.3.3.1 Ensure IPv6 default deny firewall policy. (Automated)
+  - id: 33099
+    title: "Ensure IPv6 default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.6.3.3.1"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.6.3.3.2 Ensure IPv6 loopback traffic is configured. (Automated)
+  - id: 33100
+    title: "Ensure IPv6 loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.6.3.3.2"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.3.068"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.4"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.6.3.3.3 Ensure IPv6 outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.6.3.3.4 Ensure IPv6 firewall rules exist for all open ports. (Manual) - Not Implemented
+
+ ##############################################
+ # 4 Logging and Auditing
+ ##############################################
+ # 4.1 Configure System Accounting (auditd)
+ ##############################################
+ # 4.1.1 Ensure auditing is enabled
+ ##############################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 33101
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # apt install auditd audispd-plugins."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'c:dpkg -s auditd -> r:install ok installed'
+      - 'c:dpkg -s audispd-plugins -> r:install ok installed'
+
+  # 4.1.1.2 Ensure auditd service is enabled. (Automated)
+  - id: 33102
+    title: "Ensure auditd service is enabled."
+    description: "Enable and start the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd : # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled auditd -> r:enabled'
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 33103
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" Run the following command to update the grub2 configuration: # update-grub."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit=(\d+) compare == 1'
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 33104
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "during boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX=\"audit_backlog_limit=8192\" Run the following command to update the grub2 configuration: # update-grub."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !n:audit_backlog_limit=(\d+) compare >= 8192'
+
+ #######################################
+ # 4.1.2 Configure Data Retention
+ #######################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 33105
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. Notes: - The max_log_file parameter is measured in megabytes - Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations - Manual audit of custom configurations should be evaluated for effectiveness and completeness."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 33106
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 33107
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt|^\s*\t*admin_space_left_action\s*\t*=\s*\t*single'
+
+  # 4.1.3 Ensure events that modify date and time information are collected. (Automated)
+  - id: 33108
+    title: "Ensure events that modify date and time information are collected."
+    description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\" Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/time-change.rules Add the following lines: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/time-change.rules Add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["11.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:adjtimex && r:settimeofday|stime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:adjtimex && r:settimeofday|stime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.4 Ensure events that modify user/group information are collected. (Automated)
+  - id: 33109
+    title: "Ensure events that modify user/group information are collected."
+    description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/identity.rules Add the following lines: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 33110
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules Add the following lines: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules Add the following lines: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["11.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32|-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32|-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 33111
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to /etc/apparmor and /etc/apparmor.d directories. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/MAC-policy.rules Add the following lines: -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["11.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor/|/etc/apparmor\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d/|/etc/apparmor.d\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'c:auditctl -l -> r:^-w && r:/etc/apparmor/|/etc/apparmor\\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'c:auditctl -l -> r:^-w && r:/etc/apparmor.d/|/etc/apparmor.d\\s+ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+
+  # 4.1.7 Ensure login and logout events are collected. (Automated)
+  - id: 33112
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/logins.rules Add the following lines: -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ['AC.2.010', 'SI.5.223', 'AC.4.032', 'IA.3.086', 'AC.3.019']
+      - iso_27001-2013: ['A.8.1.3', 'A.9.4.2']
+      - mitre_techniques: ["T1134", "T1197", "T1538", "T1530", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1076", "T1021", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ['AU-3']
+      - pci_dss_v3.2.1: ['10.2.4', '8.1.8', '10.2.5']
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins"
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins"
+      - "c:auditctl -l -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins"
+
+  # 4.1.8 Ensure session initiation information is collected. (Automated)
+  - id: 33113
+    title: "Ensure session initiation information is collected."
+    description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\" Notes: - The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp) - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/session.rules Add the following lines: -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ['AC.2.010', 'SI.5.223', 'AC.4.032', 'IA.3.086', 'AC.3.019']
+      - iso_27001-2013: ['A.8.1.3', 'A.9.4.2']
+      - mitre_techniques: ["T1134", "T1197", "T1538", "T1530", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1076", "T1021", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ['AU-3']
+      - pci_dss_v3.2.1: ['10.2.4', '8.1.8', '10.2.5']
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.9 Ensure discretionary access control permission modification events are collected. (Automated)
+  - id: 33114
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\" Notes: - Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs - If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/perm_mod.rules Add the following lines: -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/perm_mod.rules Add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_techniques: ["T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["11.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:chmod && r:fchmod && r:fchmodat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:chown && r:fchown && r:lchown && r:fchownat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_mod|key=perm_mod'
+      - 'c:auditctl -l -> r:^-a always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:setxattr && r:lsetxattr && r:fsetxattr && r:removexattr && r:lremovexattr && r:fremovexattr && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset  && r:-k perm_mod|key=perm_mod'
+
+  # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected. (Automated)
+  - id: 33115
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open , openat) and truncation ( truncate , ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\" Notes: - Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:_ # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs - If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules Add the following lines: -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/access.rules Add the following lines: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.3.050"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+
+  # 4.1.11 Ensure use of privileged commands is collected. (Automated) - Not Implemented
+
+  # 4.1.12 Ensure successful file system mounts are collected. (Automated)
+  - id: 33116
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user Notes: - Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:_ # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs - If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. - This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules Add the following lines: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/mounts.rules Add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 33117
+    title: "Ensure file deletion events by users are collected."
+    description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\". Notes: - Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:_ # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs - If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. - At a minimum, configure the audit system to collect file deletion events for all users and root. - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/audit.rules Add the following lines: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/delete.rules Add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc_v7: ["13"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.14 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 33118
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"."
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/scope.rules Add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.5"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=scope'
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=scope"
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=scope"
+
+  # 4.1.15 Ensure system administrator command executions (sudo) are collected. (Automated)
+  - id: 33119
+    title: "Ensure system administrator command executions (sudo) are collected."
+    description: "sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: `vi /etc/audit/rules.d/actions.rules Add the following line: -a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: `vi /etc/audit/rules.d/actions.rules Add the following lines: -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions -a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc_v7: ["4.9"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1110", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.4"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_techniques: ["T1110", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209"]
+      - nist_sp_800-53: ["AU-3"]
+      - pci_dss_v3.2.1: ["10.2.4"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-C uid!=euid  && r:-F euid=0|-F auid >= 1000 |-F auid!=-1 |-F auid!=4294967295 && r:-S execve && r:-k actions|key=actions'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-C uid!=euid && r:-F euid=0|-F auid >= 1000 |-F auid!=-1 |-F auid!=4294967295  && r:-S execve && r:-k actions key=actions"
+
+  # 4.1.16 Ensure kernel module loading and unloading is collected. (Automated)
+  - id: 33120
+    title: "Ensure kernel module loading and unloading is collected."
+    description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\". Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:delete_module && r:-k modules|-F key=modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules|-F key=modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules|-F key=modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules|-F key=modules'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:delete_module && r:-k modules|-F key=modules"
+      - "c:auditctl -l -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules|-F key=modules"
+      - "c:auditctl -l -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules|-F key=modules"
+      - "c:auditctl -l -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules|-F key=modules"
+
+  # 4.1.17 Ensure the audit configuration is immutable. (Automated)
+  - id: 33121
+    title: "Ensure the audit configuration is immutable."
+    description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:-e 2'
+
+ #############################################
+ # 4.2 Configure Logging
+ #############################################
+ # 4.2.1 Configure rsyslog
+ #############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 33122
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is a recommended replacement to the original syslogd daemon which provide improvements over syslogd, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog: # apt install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+
+  # 4.2.1.2 Ensure rsyslog Service is enabled. (Automated)
+  - id: 33123
+    title: "Ensure rsyslog Service is enabled."
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following commands to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled rsyslog -> r:enabled'
+
+  # 4.2.1.3 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.4 Ensure rsyslog default file permissions configured. (Automated)
+  - id: 33124
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set every instance of $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode && !r:0640|0600|0400'
+      - 'not d:/etc/rsyslog.d/ -> r:\.+.conf -> r:^\s*\t*\$FileCreateMode && !r:0640|0600|0400'
+
+  # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host. (Automated) - Not Implemented
+  # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.. (Manual) - Not Implemented
+
+ ####################################
+ # 4.2.2 Configure journald
+ ####################################
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog. (Automated)
+  - id: 33125
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Notes: - This recommendation assumes that recommendation 4.2.1.5, \"Ensure rsyslog is configured to send logs to a remote log host\" has been implemented. - As noted in the journald man pages, journald logs may be exported to rsyslog either through the process mentioned here, or through a facility like systemd-journald.service. There are trade-offs involved in each implementation, where ForwardToSyslog will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service, on the other hand, will record bootup events, but may delay sending the information to rsyslog, leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system. - The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes."
+    references:
+      - 'https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf'
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v7: ["6.5"]
+      - cmmc_v2.0: ["AU.3.048"]
+      - pci_dss_v3.2.1: ["10.5.3", "10.5.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:ForwardToSyslog=yes'
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files. (Automated)
+  - id: 33126
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes."
+    references:
+      - 'https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf'
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-4"]
+      - pci_dss_v3.2.1: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:Compress=yes'
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 33127
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent."
+    references:
+      - 'https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf'
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:Storage=persistent'
+
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  # 4.4 Ensure logrotate assigns appropriate permissions. (Automated)
+  - id: 33128
+    title: "Ensure logrotate assigns appropriate permissions."
+    description: "Log files contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit /etc/logrotate.conf and update the create line to read 0640 or more restrictive, following local site policy Example: create 0640 root utmp."
+    compliance:
+      - cis: ["4.4"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+     - 'f:/etc/logrotate.conf -> r:create 0640'
+
+ ##############################################
+ # 5 Access, Authentication and Authorization
+ ##############################################
+ # 5.1 Configure time-based job schedulers
+ ##############################################
+
+  # 5.1.1 Ensure cron daemon is enabled and running. (Automated)
+  - id: 33129
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable and start cron: # systemctl --now enable cron."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v7: ["6.0"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled cron -> r:enabled'
+      - 'c:systemctl status cron -> r:Active: active \(running\)'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 33130
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 33131
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 33132
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.daily directory: # chown root:root /etc/cron.daily/ # chmod og-rwx /etc/cron.daily/."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 33133
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.weekly directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 33134
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.monthly directory: # chown root:root /etc/cron.monthly/ # chmod og-rwx /etc/cron.monthly/."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 33135
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.d directory: # chown root:root /etc/cron.d/ # chmod og-rwx /etc/cron.d/."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 33136
+    title: "Ensure cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Notes: - Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy - Even though a given user is not listed in cron.allow, cron jobs can still be run as that user - The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny: # rm /etc/cron.deny Run the following command to create /etc/cron.allow # touch /etc/cron.allow Run the following commands to set permissions and ownership for /etc/cron.allow: # chmod g-wx,o-rwx /etc/cron.allow # chown root:root /etc/cron.allow."
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0640/-rw-r-----\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 33137
+    title: "Ensure at is restricted to authorized users."
+    description: "Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/at.deny: # rm /etc/at.deny Run the following command to create /etc/at.allow # touch /etc/at.allow Run the following commands to set permissions and ownership for /etc/at.allow: # chmod g-wx,o-rwx /etc/at.allow # chown root:root /etc/at.allow."
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/at.allow -> r:^Access: \(0640/-rw-r-----\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+ #####################################
+ # 5.2 Configure SSH Server
+ #####################################
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 33138
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated)
+  - id: 33139
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated."
+    remediation: "Run the following commands to set ownership and permissions on the private SSH host key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' | xargs chown root:root # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' | xargs chmod 0600."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_rsa_key" -> r:600\s*\t*-rw------- && r:0\s*\t*root\s*\t*0\s*\t*root'
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_ecdsa_key" -> r:600\s*\t*-rw------- && r:0\s*\t*root\s*\t*0\s*\t*root'
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_ed25519_key" -> r:600\s*\t*-rw------- && r:0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated)
+  - id: 33140
+    title: "Ensure permissions on SSH public host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' | xargs chmod go-wx # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' | xargs chown root:root."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_rsa_key.pub" -> r:644\s*\t*-rw-r--r-- && r:0\s*\t*root\s*\t*0\s*\t*root'
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_ecdsa_key.pub" -> r:644\s*\t*-rw-r--r-- && r:0\s*\t*root\s*\t*0\s*\t*root'
+       - 'c:sh -c "stat -Lc ''%a %A %u %U  %g %G'' /etc/ssh/ssh_host_ed25519_key.pub" -> r:644\s*\t*-rw-r--r-- && r:0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 5.2.4 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 33141
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - 'https://www.ssh.com/ssh/sshd_config/'
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v7: ["6.2","6.3"]
+      - cmmc_v2.0: ["AU.2.042", "AU.5.055", "CM.2.065"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^LogLevel\s+INFO|^LogLevel\s+VERBOSE'
+
+  # 5.2.5 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 33142
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^X11Forwarding\s+no'
+
+  # 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 33143
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Note: Local site policy may be more restrictive."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["SI.5.223", "AC.4.032"]
+      - mitre_techniques: ["T1134", "T1197", "T1538", "T1530", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1076", "T1021", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s(\d+) compare <= 4'
+
+  # 5.2.7 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 33144
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^ignorerhosts\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 33145
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v7: ["16.3"]
+      - mitre_techniques: ["T1110", "T1098", "T1017", "T1136", "T1530", "T1114", "T1133", "T1040", "T1076", "T1021", "T1539", "T1072", "T1078", "T1134", "T1197", "T1538", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1537", "T1047", "T1084", "T1004"]
+      - pci_dss_v3.2.1: ["8.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^HostbasedAuthentication\s+no'
+
+  # 5.2.9 Ensure SSH root login is disabled. (Automated)
+  - id: 33146
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.2.008", "IA.1.076", "IA.1.077", "SC.3.181"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitRootLogin\s+no'
+
+  # 5.2.10 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 33147
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v7: ["16.3"]
+      - mitre_techniques: ["T1110", "T1098", "T1017", "T1136", "T1530", "T1114", "T1133", "T1040", "T1076", "T1021", "T1539", "T1072", "T1078", "T1134", "T1197", "T1538", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1537", "T1047", "T1084", "T1004"]
+      - pci_dss_v3.2.1: ["8.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitEmptyPasswords\s+no'
+
+  # 5.2.11 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 33148
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^PermitUserEnvironment\s+no'
+
+  # 5.2.12 Ensure only strong Ciphers are used. (Automated)
+  - id: 33149
+    title: "Ensure only strong Ciphers are used."
+    description: "This variable limits the ciphers that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved ciphers - Ensure that ciphers used are in compliance with site policy - The only \"strong\" ciphers currently FIPS 140-2 compliant are: o aes256-ctr o aes192-ctr o aes128-ctr - Supported ciphers in openSSH 8.2: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com."
+    rationale: "Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a \"Sweet32\" attack - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr."
+    references: 
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2183
+    - https://www.openssh.com/txt/cbc.adv
+    - https://nvd.nist.gov/vuln/detail/CVE-2008-5161
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["SC.3.177", "SC.3.185"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+      - mitre_techniques: ["T1527", "T1119", "T1530", "T1114", "T1070", "T1208", "T1040", "T1145", "T1492", "T1493"]
+      - pci_dss_v3.2.1: ["4.1"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc"
+
+  # 5.2.13 Ensure only strong MAC algorithms are used. (Automated)
+  - id: 33150
+    title: "Ensure only strong MAC algorithms are used."
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved MACs - Ensure that MACs used are in compliance with site policy - The only \"strong\" MACs currently FIPS 140-2 approved are: o hmac-sha2-256 o hmac-sha2-512 - The Supported MACs are: hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256."
+    references:
+      - 'http://www.mitls.org/pages/attacks/SLOTH'
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v7: ["14.4","16.5"]
+      - cmmc_v2.0: ["SC.3.177", "SC.3.185", "IA.2.081"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+      - mitre_techniques: ["T1527", "T1119", "T1530", "T1114", "T1070", "T1208", "T1040", "T1145", "T1492", "T1493"]
+      - nist_sp_800-53: ["IA-5"]
+      - pci_dss_v3.2.1: ["4.1","8.2.1"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.14 Ensure only strong Key Exchange algorithms are used. (Automated)
+  - id: 33151
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received Notes: - Kex algorithms have a higher preference the earlier they appear in the list - Some organizations may have stricter requirements for approved Key exchange algorithms - Ensure that Key exchange algorithms used are in compliance with site policy - The only Key Exchange Algorithms currently FIPS 140-2 approved are: o ecdh-sha2-nistp256 o ecdh-sha2-nistp384 o ecdh-sha2-nistp521 o diffie-hellman-group-exchange-sha256 o diffie-hellman-group16-sha512 o diffie-hellman-group18-sha512 o diffie-hellman-group14-sha256 - The Key Exchange algorithms supported by OpenSSH 8.2 are: curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup4591761x25519-sha512@tinyssh.org."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- hellman-group-exchange-sha256."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["SC.3.177", "SC.3.185"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+      - mitre_techniques: ["T1527", "T1119", "T1530", "T1114", "T1070", "T1208", "T1040", "T1145", "T1492", "T1493"]
+      - pci_dss_v3.2.1: ["4.1"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.2.15 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 33152
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: If the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time. Note: Local site policy may be more restrictive."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is 300 seconds (5 minutes) - The recommended ClientAliveCountMax setting is 3 - The ssh session would send three keep alive messages at 5 minute intervals. If no response is received after the third keep alive message, the ssh session would be terminated after 15 minutes."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 300 and ClientAliveCountMax of 3 or less: ClientAliveInterval 300 ClientAliveCountMax 3."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.2.010", "AC.3.019", "IA.3.086"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - mitre_techniques: ["T1110", "T1527", "T1176", "T1088", "T1081", "T1214", "T1530", "T1213", "T1038", "T1073", "T1482", "T1114", "T1044", "T1484", "T1525", "T1161", "T1031", "T1034", "T1145", "T1076", "T1053", "T1505", "T1528", "T1078"]
+      - pci_dss_v3.2.1: ["8.1.8", "10.2.5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:clientaliveinterval\s(\d+) compare >= 1 && n:clientaliveinterval\s(\d+) compare <= 300'
+      - 'c:sshd -T -> n:clientalivecountmax\s(\d+) compare >= 1 && n:clientalivecountmax\s(\d+) compare <= 3'
+
+  # 5.2.16 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 33153
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access. Note: Local site policy may be more restrictive."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^logingracetime\s(\d+) compare <= 60 && n:LoginGraceTime\s(\d+) compare >= 1'
+
+  # 5.2.17 Ensure SSH access is limited. (Automated)
+  - id: 33154
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers - Gives the system administrator the option of allowing specific users to ssh into the system o The list consists of space separated user names o Numeric user IDs are not recognized with this variable o A system administrator may restrict user access further by only allowing the allowed users to log in from a particular host by specifying the entry as < user>@<host> - AllowGroups - Gives the system administrator the option of allowing specific groups of users to ssh into the system o The list consists of space separated group names o Numeric group IDs are not recognized with this variable - DenyUsers - Gives the system administrator the option of denying specific users to ssh into the system o The list consists of space separated user names o Numeric user IDs are not recognized with this variable o If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host by specifying the entry as < user>@<host> - DenyGroups - Gives the system administrator the option of denying specific groups of users to ssh into the system o The list consists of space separated group names o Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> AllowGroups <grouplist> DenyUsers <userlist> DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.2.008", "IA.1.076", "IA.1.077", "SC.3.181"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1176", "T1501", "T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+'
+
+  # 5.2.18 Ensure SSH warning banner is configured. (Automated)
+  - id: 33155
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^banner\s/'
+
+  # 5.2.19 Ensure SSH PAM is enabled. (Automated)
+  - id: 33156
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to \"yes\" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^usepam\s+yes'
+
+  # 5.2.20 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 33157
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - 'https://www.ssh.com/ssh/tunneling/example'
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.3.068", "SC.5.230"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051"]
+      - nist_sp_800-53: ["SI-4"]
+      - pci_dss_v3.2.1: ["1.2.1", "2.2.2", "2.2.5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^AllowTcpForwarding\s+no'
+
+  # 5.2.21 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 33158
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Note: Local site policy may be more restrictive."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows or more restrictive: maxstartups 10:30:100."
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -> n:^maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -> n:^maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.22 Ensure SSH MaxSessions is limited. (Automated)
+  - id: 33159
+    title: "Ensure SSH MaxSessions is limited."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. Note: Local site policy may be more restrictive."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.22"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:maxsessions\s(\d+) compare <= 10'
+
+ ######################################
+ # 5.3 Configure PAM
+ ######################################
+
+  # 5.3.1 Ensure password creation requirements are configured. (Automated)
+  - id: 33160
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. The following options are set in the /etc/security/pwquality.conf file: - Password Length: o minlen = 14 - password must be 14 characters or more - Password complexity: o minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR o dcredit = -1 - provide at least one digit o ucredit = -1 - provide at least one uppercase character o ocredit = -1 - provide at least one special character o lcredit = -1 - provide at least one lowercase character The following is st in the /etc/pam.d/common-password file: - retry=3 - Allow 3 tries before sending back a failure. The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Run the following command to install the pam_pwquality module: apt install libpam-pwquality Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*\t*# && n:\s*\t*minclass\s*\t*=\s*\t*(\d+) compare >= 4'
+      - 'f:/etc/pam.d/common-password -> !r:^# && n:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=(\d+) compare <=3'
+
+  # 5.3.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 33161
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. - deny=n - n represents the number of failed attempts before the account is locked - unlock_time=n - n represents the number of seconds before the account is unlocked - audit - Will log the user name into the system log if the user is not found. - silent - Don't print informative messages. Set the lockout number and unlock time in accordance with local site policy. Notes: - Add pam_tally2 to the account section account required pam_tally2.so for the counter to reset to 0 when using sudo - Use of the \"audit\" keyword may log credentials in the case of user error during - authentication. This risk should be evaluated in the context of the site policies of your organization. If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Edit the /etc/pam.d/common-account file and add the account lines bellow: account requisite pam_deny.so account required pam_tally2.so."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.4.025", "PS.2.128", "IA.3.085"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_techniques: ["T1134", "T1197", "T1538", "T1530", "T1213", "T1089", "T1157", "T1044", "T1484", "T1054", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1034", "T1163", "T1076", "T1021", "T1053", "T1489", "T1051", "T1023", "T1165", "T1528", "T1501", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-2"]
+      - pci_dss_v3.2.1: ["8.1.3", "8.1.4"]
+    condition: all
+    rules:
+       - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+       - 'f:/etc/pam.d/common-auth -> n:deny\s*=\s*(\d+) compare <=5'
+       - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*requisite\s*\t*pam_deny.so'
+       - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*required\s*\t*pam_tally2.so'
+
+  # 5.3.3 Ensure password reuse is limited. (Automated)
+  - id: 33162
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Note: Changes only apply to accounts configured on the local system."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v7: ["16"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:\s*\t*password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 33163
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Notes: - Additional module options may be set, recommendation only covers those listed here. If it is determined that the password algorithm being used is not SHA-512, once it is - changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login - The following command can be used: # awk -F: '($3 >= $(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) && $1 != \"nfsnobody\") { print $1 }' /etc/passwd | xargs -n 1 chage -d 0 - Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/common-password -> r:sha512$"
+
+ ###################################################
+ # 5.4 User Accounts and Environment
+ ###################################################
+ # 5.4.1 Set Shadow Password Suite Parameters
+ ###################################################
+
+  # 5.4.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 33164
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days. Notes: - A value of -1 will disable password expiration - The password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.4.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 33165
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs : PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\$\.*:\d+:(\d+): compare == 0'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 33166
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 33167
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Note: A value of -1 would disable this setting."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - "not c:useradd -D -> r:^INACTIVE=-1"
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.4.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.4.2 Ensure system accounts are secured. (Automated) - Not Implemented
+
+  # 5.4.3 Ensure default group for the root account is GID 0. (Automated)
+  - id: 33168
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.2.007", "MP.2.120"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1015", "T1133", "T1200", "T1076", "T1051", "T1156", "T1146", "T1196", "T1081", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1145", "T1494", "T1035", "T1489", "T1198", "T1184", "T1165", "T1492", "T1169", "T1501", "T1080", "T1209", "T1134", "T1197", "T1538", "T1213", "T1044", "T1484", "T1159", "T1160", "T1152", "T1168", "T1162", "T1185", "T1031", "T1050", "T1075", "T1097", "T1163", "T1021", "T1053", "T1023", "T1528", "T1072", "T1537", "T1078", "T1047", "T1084", "T1004"]
+      - nist_sp_800-53: ["AC-3"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+  # 5.5 Ensure root login is restricted to system console. (Manual) - Not Implemented
+
+  # 5.6 Ensure access to the su command is restricted. (Automated)
+  - id: 33169
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.1.002", "CM.2.061", "SC.3.180"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1110", "T1003", "T1081", "T1097", "T1178", "T1072", "T1067", "T1495", "T1019", "T1177", "T1485", "T1486", "T1491", "T1488", "T1487", "T1490", "T1146", "T1148", "T1015", "T1133", "T1200", "T1076", "T1051", "T1176", "T1501", "T1087", "T1098", "T1139", "T1197", "T1092", "T1136", "T1011", "T1147", "T1130", "T1174", "T1053", "T1166", "T1206", "T1503", "T1214", "T1187", "T1208", "T1142", "T1075", "T1201", "T1145", "T1184", "T1537", "T1078", "T1077", "T1134", "T1017", "T1088", "T1175", "T1190", "T1210", "T1525", "T1215", "T1086", "T1055", "T1505", "T1035", "T1218", "T1169", "T1100", "T1047", "T1084", "T1028", "T1156", "T1196", "T1530", "T1089", "T1073", "T1157", "T1054", "T1070", "T1037", "T1036", "T1096", "T1034", "T1150", "T1504", "T1494", "T1489", "T1198", "T1165", "T1492", "T1080", "T1209", "T1112", "T1058", "T1173", "T1137", "T1539", "T1535", "T1506", "T1138", "T1044", "T1199"]
+      - nist_sp_800-53: ["AU-2", "CM-1", "CM-2", "CM-6", "CM-7", "IA-5", "IA-6", "SC-20", "SC-21"]
+      - pci_dss_v3.2.1: ["2.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+ #################################################
+ # 6 System Maintenance
+ #################################################
+ # 6.1 System File Permissions
+ #################################################
+
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 33170
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:^Access: \(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 6.1.3 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 33171
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd- : # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:^Access: \(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 6.1.4 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 33172
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group : # chown root:root /etc/group # chmod u-x,go-wx /etc/group."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:^Access: \(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 6.1.5 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 33173
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group- : # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:^Access: \(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$'
+
+  # 6.1.6 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 33174
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow to root and group to either root or shadow: # chown root:root /etc/shadow # chown root:shadow /etc/shadow Run the following command to remove excess permissions form /etc/shadow: # chmod u-x,g-wx,o-rwx /etc/shadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$|^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*\d+/\s*shadow\)$'
+
+  # 6.1.7 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 33175
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow- to root and group to either root or shadow: # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- Run the following command to remove excess permissions form /etc/shadow-: # chmod u-x,g-wx,o-rwx /etc/shadow-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$|^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*\d+/\s*shadow\)$'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 33176
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow to root and group to either root or shadow: # chown root:root /etc/gshadow # chown root:shadow /etc/gshadow Run the following command to remove excess permissions form /etc/gshadow: # chmod u-x,g-wx,o-rwx /etc/gshadow."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$|^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*\d+/\s*shadow\)$'
+
+  # 6.1.9 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 33177
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow- to root and group to either root or shadow: # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- Run the following command to remove excess permissions form /etc/gshadow-: # chmod u-x,g-wx,o-rwx /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["IA.2.081"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5", "IA-5 (1)"]
+      - pci_dss_v3.2.1: ["3.2", "8.2.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)$|^Access: \(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*\d+/\s*shadow\)$'
+
+  # 6.1.10 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+
+ #######################################
+ # 6.2 User and Group Settings
+ #######################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 33178
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Notes: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> r:^\w+:x:'
+
+  # 6.2.2 Ensure password fields are not empty. (Automated)
+  - id: 33179
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.2.078", "IA.2.079"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1134", "T1098", "T1017", "T1067", "T1088", "T1175", "T1136", "T1003", "T1214", "T1190", "T1210", "T1495", "T1525", "T1208", "T1215", "T1075", "T1097", "T1086", "T1055", "T1076", "T1053", "T1505", "T1035", "T1051", "T1218", "T1184", "T1169", "T1206", "T1019", "T1501", "T1072", "T1078", "T1100", "T1077", "T1047", "T1084", "T1028"]
+      - nist_sp_800-53: ["IA-5 (1)"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.4 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.5 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.6 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.7 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.8 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.9 Ensure no users have .rhosts files. (Automated) - Not Implemented
+
+  # 6.2.10 Ensure root is the only UID 0 account. (Automated)
+  - id: 33180
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.10"]
+      - cis_csc_v7: ["4.6"]
+      - cmmc_v2.0: ["AC.2.008"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1019", "T1098", "T1017", "T1043", "T1175", "T1136", "T1094", "T1482", "T1048", "T1190", "T1210", "T1133", "T1046", "T1145", "T1076", "T1494", "T1489", "T1051", "T1095", "T1072", "T1199", "T1065", "T1028", "T1112", "T1058", "T1198", "T1209"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.11 Ensure root PATH Integrity. (Automated) - Not Implemented
+  # 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.13 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.14 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.15 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.16 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.17 Ensure shadow group is empty. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/debian/cis_debian7.yml b/etc/ruleset/sca/debian/cis_debian7.yml
new file mode 100644
index 0000000000..45f5520742
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian7.yml
@@ -0,0 +1,2650 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 7
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015
+
+policy:
+  id: "cis_debian7"
+  file: "cis_debian7.yml"
+  name: "CIS Debian Linux 7 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 7."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version"
+  description: "Requirements for running the SCA scan against Debian/Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/debian_version"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 2 Filesystem Configuration
+
+  - id: 1000
+    title: "Create Separate Partition for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Configure /etc/fstab as appropriate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
+    compliance:
+      - cis: ["2.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 1001
+    title: "Set nodev option for /tmp Partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["2.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 1002
+    title: "Set nosuid option for /tmp Partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["2.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 1003
+    title: "Set noexec option for /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["2.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  - id: 1004
+    title: "Create Separate Partition for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["2.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 1005
+    title: "Bind mount the /var/tmp directory to /tmp"
+    description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp."
+    rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
+    remediation: "# mount --bind /tmp /var/tmp  and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
+    compliance:
+      - cis: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:findmnt -> r:/var/tmp && r:[/tmp]"
+      - 'f:/etc/fstab -> r:^/tmp && r:\s*/var/tmp\s* && r:bind'
+
+  - id: 1006
+    title: "Create Separate Partition for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["2.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 1007
+    title: "Create Separate Partition for /var/log/audit"
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["2.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 1008
+    title: "Create Separate Partition for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home.  For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["2.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 1009
+    title: "Add nodev Option to /home"
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["2.10"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 1010
+    title: "Add nodev Option to /run/shm Partition"
+    description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+    rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information.  # mount -o remount,nodev /run/shm"
+    compliance:
+      - cis: ["2.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:nodev'
+
+  - id: 1011
+    title: "Add nosuid Option to /run/shm Partition"
+    description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information.  # mount -o remount,nosuid /run/shm"
+    compliance:
+      - cis: ["2.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:nosuid'
+
+  - id: 1012
+    title: "Add noexec Option to /run/shm Partition"
+    description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm"
+    compliance:
+      - cis: ["2.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:noexec'
+
+  - id: 1013
+    title: "Disable Mounting of cramfs Filesystems"
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true"
+    compliance:
+      - cis: ["2.18"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:cramfs"
+
+  - id: 1014
+    title: "Disable Mounting of freevxfs Filesystems"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true"
+    compliance:
+      - cis: ["2.19"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:freevxfs"
+
+  - id: 1015
+    title: "Disable Mounting of jffs2 Filesystems"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true"
+    compliance:
+      - cis: ["2.20"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:jffs2"
+
+  - id: 1016
+    title: "Disable Mounting of hfs Filesystems"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true"
+    compliance:
+      - cis: ["2.21"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:hfs"
+
+  - id: 1017
+    title: "Disable Mounting of hfsplus Filesystems"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true"
+    compliance:
+      - cis: ["2.22"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:hfsplus"
+
+  - id: 1018
+    title: "Disable Mounting of squashfs Filesystems"
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true"
+    compliance:
+      - cis: ["2.23"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:squashfs"
+
+  - id: 1019
+    title: "Disable Mounting of udf Filesystems"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats"
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true"
+    compliance:
+      - cis: ["2.24"]
+      - pci_dss: ["2.2.5"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:/sbin/lsmod -> r:udf"
+
+  - id: 1020
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Disable autofs: # update-rc.d autofs disable"
+    compliance:
+      - cis: ["2.25"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *autofs* -> r:/etc/rc\d+.d/S\d+autofs'
+
+  # 3 Secure Boot Settings
+
+  - id: 1021
+    title: "Set User/Group Owner on bootloader config"
+    description: "Set the owner and group of your boot loaders config file to the root user. These instructions default to GRUB stored at /boot/grub/grub.cfg ."
+    rationale: "Setting the owner and group to root prevents non-root users from changing the file."
+    remediation: "Run the following to change ownership of /boot/grub/grub.cfg : # chown root:root /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["3.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 1022
+    title: "Set Permissions on bootloader config"
+    description: "Set permission on the your boot loaders config file to read and write for root only."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following to set the permissions fro /boot/grub/grub.cfg : # chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["3.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:^Access: \(0\d00/-\w\w\w------\)'
+
+  - id: 1023
+    title: "Set Boot Loader Password"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> Your PBKDF2 is <encrypted-password>  Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <<EOF set superusers="<user-list>" password_pbkdf2 <user> <encrypted-password> EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following to update the grub configuration: # update-grub'
+    compliance:
+      - cis: ["3.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 1024
+    title: "Require authentication for Single-User mode"
+    description: "Setting a password for the root user will force authentication in single user mode."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["3.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+  ###########################################
+  # 4 Additional Process Hardening
+  ###########################################
+  # 4.1 Restrict Core Dumps (Scored)
+  - id: 1025
+    title: "Restrict Core Dumps"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to the /etc/security/limits.conf file.  * hard core 0     Add the following line to the /etc/sysctl.conf file.  fs.suid_dumpable = 0"
+    compliance:
+      - cis: ["4.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+
+  # 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
+  - id: 1026
+    title: "Enable XD/NX Support on 32-bit x86 Systems"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["4.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "dmesg | grep NX" -> r:NX \(Execute Disable\) protection: active'
+
+  # 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 1027
+    title: "Enable Randomized Virtual Memory Region Placement"
+    description: "Set the system flag to force randomized virtual memory region placement."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Add the following line to the /etc/sysctl.conf file.  kernel.randomize_va_space = 2"
+    compliance:
+      - cis: ["4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  # 4.4 Disable prelink
+  - id: 1028
+    title: "Disable Prelink"
+    description: "The prelinking feature changes binaries in an attempt to decrease their startup time."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the command: # /usr/sbin/prelink -ua to restore binaries to a normal, non-prelinked state, then remove prelink: # apt-get purge prelink"
+    compliance:
+      - cis: ["4.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  - id: 1029
+    title: "Activate AppArmor"
+    description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model."
+    rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure."
+    remediation: 'Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted.'
+    compliance:
+      - cis: ["4.5"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*processes are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  ######################################
+  # 5 OS Services
+  ######################################
+  # 5.1.1 Ensure NIS is not installed (Scored)
+  - id: 1030
+    title: "Ensure NIS is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall the nis package: # apt-get purge nis"
+    compliance:
+      - cis: ["5.1.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  # 5.1.2 Ensure rsh server is not enabled (Scored)
+  - id: 1031
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd    #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind    #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd"
+    compliance:
+      - cis: ["5.1.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec"
+
+  # 5.1.3 Ensure rsh client is not installed (Scored)
+  - id: 1032
+    title: "Ensure rsh client is not installed"
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Uninstall the rsh-client and rsh-reload-client packages: # apt-get purge rsh-client rsh-reload-client"
+    compliance:
+      - cis: ["5.1.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+      - "c:dpkg -s rsh-redone-client -> r:install ok installed"
+
+  # 5.1.4 Ensure talk server is not enabled (Scored)
+  - id: 1033
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd    #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd"
+    compliance:
+      - cis: ["5.1.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk"
+
+  # 5.1.5 Ensure talk client is not installed (Scored)
+  - id: 1034
+    title: "Ensure talk client is not installed"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Uninstall the talk package: # apt-get purge talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  # 5.1.6 Ensure telnet server is not enabled (Scored)
+  - id: 1035
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
+    compliance:
+      - cis: ["5.1.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:telnet"
+
+  # 5.1.7 Ensure tftp-server is not enabled (Scored)
+  - id: 1036
+    title: "Ensure tftp-server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.1.7"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:tftp"
+
+  # 5.1.8 Ensure xinetd is not enabled (Scored)
+  - id: 1037
+    title: "Ensure xinetd is not enabled"
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests.  Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Disable xinetd: # update-rc.d xinetd disable"
+    compliance:
+      - cis: ["5.1.8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *xinetd* -> r:/etc/rc\d+.d/S\d+xinetd'
+
+  # 5.2 Ensure chargen is not enabled (Scored)
+  - id: 1038
+    title: "Ensure chargen is not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:chargen"
+
+  # 5.3 Ensure daytime is not enabled (Scored)
+  - id: 1039
+    title: "Ensure daytime is not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.3"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:daytime"
+
+  # 5.4 Ensure echo is not enabled (Scored)
+  - id: 1040
+    title: "Ensure echo is not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:echo"
+
+  # 5.5 Ensure discard is not enabled (Scored)
+  - id: 1041
+    title: "Ensure discard is not enabled"
+    description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:discard"
+
+  # 5.6 Ensure time is not enabled (Scored)
+  - id: 1042
+    title: "Ensure time is not enabled"
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal"
+    compliance:
+      - cis: ["5.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> !r:^# && r:time"
+
+  ###############################################
+  # 6 Special Purpose Services
+  ###############################################
+
+  # 6.1 Ensure the X Window system is not installed (Scored)
+  - id: 1043
+    title: "Ensure the X Window system is not installed"
+    description: "The X Window system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Window system is typically used on desktops where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Uninstall X Windows: # apt-get purge xserver-xorg-core*"
+    compliance:
+      - cis: ["6.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  # 6.2 Ensure Avahi Server is not enabled (Scored)
+  - id: 1044
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
+    remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable"
+    compliance:
+      - cis: ["6.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *avahi-daemon* -> r:/etc/rc\d+.d/S\d+avahi-daemon'
+
+  # 6.3 Ensure print server is not enabled (Scored)
+  - id: 1045
+    title: "Ensure print server is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Disable cups: # update-rc.d cups disable"
+    compliance:
+      - cis: ["6.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *cups* -> r:/etc/rc\d+.d/S\d+cups'
+
+  # 6.4 Ensure DHCP Server is not enabled (Scored)
+  - id: 1046
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
+    remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable"
+    references:
+      - "https://www.isc.org/dhcp/"
+    compliance:
+      - cis: ["6.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *isc-dhcp-server* -> r:/etc/rc\d+.d/S\d+isc-dhcp-server'
+
+  # 6.5 Configure Network Time Protocol (Scored)
+  - id: 1047
+    title: "Configure Network Time Protocol (NTP)"
+    description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server."
+    rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Install ntp: # apt-get install ntp    Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery     restrict -6 default kod nomodify notrap nopeer noquery    Also, make sure /etc/ntp.conf has at least one NTP server specified: server <ntp-server>    Note: <ntp-server> is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
+    compliance:
+      - cis: ["6.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "f:/etc/ntp.conf -> r:^restrict -4 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery"
+      - "f:/etc/ntp.conf -> r:^restrict -6 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery"
+      - 'f:/etc/ntp.conf -> r:^server\s\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  # 6.6 Ensure LDAP is not enabled (Scored)
+  - id: 1048
+    title: "Ensure LDAP is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Uninstall the slapd package: # apt-get purge slapd"
+    compliance:
+      - cis: ["6.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    references:
+      - http://www.openldap.org
+    condition: none
+    rules:
+      - "c:dpkg -s slapd -> r:install ok installed"
+
+  # 6.7 Ensure NFS and RPC are not enabled (Scored)
+  - id: 1049
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Disable rpcbind: # update-rc.d rpcbind disable    Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
+    compliance:
+      - cis: ["6.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *rpcbind* -> r:/etc/rc\d+.d/S\d+rpcbind'
+      - 'c:find /etc/ -name *nfs-kernel-server* -> r:/etc/rc\d+.d/S\d+nfs-kernel-server'
+
+  # 6.8 Ensure DNS Server is not enabled (Scored)
+  - id: 1050
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Disable bind9: # update-rc.d bind9 disable"
+    compliance:
+      - cis: ["6.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *bind9* -> r:/etc/rc\d+.d/S\d+bind9'
+
+  # 6.9 Ensure FTP Server is not enabled (Scored)
+  - id: 1051
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
+    compliance:
+      - cis: ["6.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *vsftpd* -> r:/etc/rc\d+.d/S\d+vsftp'
+
+  # 6.10 Ensure HTTP Server is not enabled (Scored)
+  - id: 1052
+    title: "Ensure HTTP Server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Disable apache2: # update-rc.d apache2 disable"
+    compliance:
+      - cis: ["6.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *apache2* -> r:/etc/rc\d+.d/S\d+apache2'
+
+  # 6.11 Ensure IMAP and POP Server is not enabled (Scored)
+  - id: 1053
+    title: "Ensure IMAP and POP server is not enabled"
+    description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
+    remediation: "Disable dovecot: # update-rc.d dovecot disable"
+    compliance:
+      - cis: ["6.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *dovecot* -> r:/etc/rc\d+.d/S\d+dovecot'
+
+  # 6.12 Ensure Samba is not enabled (Scored)
+  - id: 1054
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Disable samba: # update-rc.d samba disable"
+    compliance:
+      - cis: ["6.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *samba* -> r:/etc/rc\d+.d/S\d+samba'
+
+  # 6.13 Ensure HTTP Proxy Server is not enabled (Scored)
+  - id: 1055
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Disable squid3: # update-rc.d squid3 disable"
+    compliance:
+      - cis: ["6.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *squid3* -> r:/etc/rc\d+.d/S\d+squid3'
+
+  # 6.14 Ensure SNMP Server is not enabled (Scored)
+  - id: 1056
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
+    remediation: "Disable snmpd: # update-rc.d snmpd disable"
+    compliance:
+      - cis: ["6.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:find /etc/ -name *snmpd* -> r:/etc/rc\d+.d/S\d+snmpd'
+
+  # 6.15 Ensure Mail Transfer Agent for Local-Only Mode (Scored)
+  - id: 1057
+    title: "Configure Mail Transfer Agent for Local-Only Mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail.  If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1'    Run update-exim4.conf: # update-exim4.conf    Reload exim4 configuration: # service exim4 reload"
+    compliance:
+      - cis: ["6.15"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  # 6.16 Ensure rsync service is not enabled (Scored)
+  - id: 1058
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
+    compliance:
+      - cis: ["6.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "not c:dpkg -s rsync -> r:install ok installed"
+      - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false'
+
+  ###############################################
+  # 7 Network Configuration and Firewall
+  ###############################################
+  ###############################################
+  # 7.1 Modify Network Parameters
+  ###############################################
+
+  # 7.1.1 Disable IP Forwarding (Scored)
+  - id: 1059
+    title: "Disable IP Forwarding"
+    description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
+    rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+
+  # 7.1.2 Disable Send Packet Redirects (Scored)
+  - id: 1060
+    title: "Disable Send Packet Redirects"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0    net.ipv4.conf.default.send_redirects=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0    # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+
+  ###############################################
+  # 7.2 Modify Network Parameters (Host and Router)
+  ###############################################
+
+  # 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 1061
+    title: "Disable Source Routed Packet Acceptance"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0    net.ipv4.conf.default.accept_source_route=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0    # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+
+  # 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 1062
+    title: "Disable ICMP Redirect Acceptance"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0    net.ipv4.conf.default.accept_redirects=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0    # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+
+  # 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 1063
+    title: "Disable Secure ICMP Redirect Acceptance"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0    net.ipv4.conf.default.secure_redirects=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0    # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+
+  # 7.2.4 Log Suspicious Packets (Scored)
+  - id: 1064
+    title: "Log Suspicious Packets"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1    net.ipv4.conf.default.log_martians=1    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1    # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+
+  # 7.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 1065
+    title: "Enable Ignore Broadcast Requests"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+
+  # 7.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 1066
+    title: "Enable Bad Error Message Protection"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+
+  # 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+  - id: 1067
+    title: "Enable RFC-recommended Source Route Validation"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1    net.ipv4.conf.default.rp_filter=1    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1    # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+
+  # 7.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 1068
+    title: "Enable TCP SYN Cookies"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1    # /sbin/sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["7.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+
+  # 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+  - id: 1069
+    title: "Disable IPv6 Router Advertisements"
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0    net.ipv6.conf.default.accept_ra=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0    # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0    # /sbin/sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["7.3.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+
+  # 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
+  - id: 1070
+    title: "Disable IPv6 Redirect Acceptance"
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0    net.ipv6.conf.default.accept_redirects=0    Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0    # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0    # /sbin/sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["7.3.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+
+  # 7.3.3 Disable IPv6 (Not Scored)
+  - id: 1071
+    title: "Disable IPv6"
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1    net.ipv6.conf.default.disable_ipv6=1    net.ipv6.conf.lo.disable_ipv6=1    Run the following command or reboot to apply the changes: # sysctl -p"
+    compliance:
+      - cis: ["7.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "not c:ip addr -> r:inet6"
+
+  # 7.4.1 Install TCP Wrappers (Scored)
+  - id: 1072
+    title: "Install TCP Wrappers"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["7.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  # 7.4.2 Create /etc/hosts.allow (Not Scored)
+  - id: 1073
+    title: "Create /etc/hosts.allow"
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
+    remediation: 'Create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow  where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["7.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  # 7.4.3 Verify permissions on /etc/hosts.allow (Scored)
+  - id: 1074
+    title: "Verify permissions on /etc/hosts.allow"
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "If the permissions of the /etc/hosts.allow file are incorrect, run the following command to correct them: # /bin/chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["7.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:/bin/ls -l /etc/hosts.allow -> r:-rw-r--r--"
+
+  # 7.4.4 Create /etc/hosts.deny (Not Scored)
+  - id: 1075
+    title: "Create /etc/hosts.deny"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["7.4.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  # 7.4.5 Verify permissions on /etc/hosts.deny (Scored)
+  - id: 1076
+    title: "Verify permissions on /etc/hosts.deny"
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "If the permissions of the /etc/hosts.deny file are incorrect, run the following command to correct them: # /bin/chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["7.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:/bin/ls -l /etc/hosts.deny -> r:-rw-r--r--"
+
+  # 7.5.1 Disable DCCP (Not Scored)
+  - id: 1077
+    title: "Disable DCCP"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed  to reduce the potential attack surface."
+    remediation: '# echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf'
+    compliance:
+      - cis: ["7.5.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "f:/etc/modprobe.d/CIS.conf"
+      - "f:/etc/modprobe.d/CIS.conf -> r:install dccp /bin/true"
+
+  # 7.5.2 Disable SCTP (Not Scored)
+  - id: 1078
+    title: "Disable SCTP"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: '# echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf'
+    compliance:
+      - cis: ["7.5.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "f:/etc/modprobe.d/CIS.conf"
+      - "f:/etc/modprobe.d/CIS.conf -> r:install sctp /bin/true"
+
+  # 7.5.3 Disable RDS (Not Scored)
+  - id: 1079
+    title: "Disable RDS"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: '# echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf'
+    compliance:
+      - cis: ["7.5.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "f:/etc/modprobe.d/CIS.conf"
+      - "f:/etc/modprobe.d/CIS.conf -> r:install rds /bin/true"
+
+  # 7.5.4 Disable TIPC (Not Scored)
+  - id: 1080
+    title: "Disable TIPC"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: '# echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf'
+    compliance:
+      - cis: ["7.5.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "f:/etc/modprobe.d/CIS.conf"
+      - "f:/etc/modprobe.d/CIS.conf -> r:install tipc /bin/true"
+
+  # 7.6 Deactivate Wireless Interfaces (Not Scored)
+  - id: 1081
+    title: "Deactivate Wireless Interfaces"
+    description: "Wireless networking is used when wired networks are unavailable. Debian provides the nmcli interface which allows system administrators to configure and use wireless networks."
+    rationale: "If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface."
+    remediation: "Use the following command to disable wireless: # nmcli nm wifi off"
+    compliance:
+      - cis: ["7.6"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nmcli nm wifi -> r:disabled"
+
+  # 7.7 Ensure Firewall is active (Scored)
+  - id: 1082
+    title: "Ensure Firewall is active"
+    description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall.  The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules.  Other methods are available which may be in use in your environment and may conflict with these steps."
+    rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
+    remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent    Enable the iptables-persistent service: # update-rc.d iptables-persistent enable"
+    compliance:
+      - cis: ["7.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s iptables -> r:install ok installed"
+      - "c:dpkg -s iptables-persistent -> r:install ok installed"
+      - 'c:find /etc/rc2.d -name *iptables-persistent* -> r:/etc/rc2.d/S\d+iptables-persistent'
+      - 'c:find /etc/rc3.d -name *iptables-persistent* -> r:/etc/rc3.d/S\d+iptables-persistent'
+      - 'c:find /etc/rc4.d -name *iptables-persistent* -> r:/etc/rc4.d/S\d+iptables-persistent'
+      - 'c:find /etc/rc5.d -name *iptables-persistent* -> r:/etc/rc5.d/S\d+iptables-persistent'
+
+  ###############################################
+  # 8 Logging and Auditing
+  ###############################################
+
+  ###############################################
+  # 8.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
+  - id: 1083
+    title: "Configure Audit Log Storage Size"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = <MB> Note: MB is the number of MegaBytes the file can be."
+    compliance:
+      - cis: ["8.1.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+'
+
+  # 8.1.1.2 Disable System on Audit Log Full (Not Scored)
+  - id: 1084
+    title: "Disable System on Audit Log Full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["8.1.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt'
+
+  # 8.1.1.3 Keep All Auditing Information (Scored)
+  - id: 1085
+    title: "Keep All Auditing Information"
+    description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["8.1.1.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs'
+
+  # 8.1.2 Install and Enable auditd Service (Scored)
+  - id: 1086
+    title: "Install and Enable auditd Service"
+    description: "Install and turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Install auditd: # apt-get install auditd If needed enable auditd in /etc/rc*.d: # update-rc.d auditd enable"
+    compliance:
+      - cis: ["8.1.2"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s auditd -> r:install ok installed"
+      - 'c:find /etc/rc2.d -name *auditd* -> r:/etc/rc2.d/S\d+auditd'
+      - 'c:find /etc/rc3.d -name *auditd* -> r:/etc/rc3.d/S\d+auditd'
+      - 'c:find /etc/rc4.d -name *auditd* -> r:/etc/rc4.d/S\d+auditd'
+      - 'c:find /etc/rc5.d -name *auditd* -> r:/etc/rc5.d/S\d+auditd'
+
+  # 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
+  - id: 1087
+    title: "Enable Auditing for Processes That Start Prior to auditd"
+    description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1"And run the following command to update the grub configuration: # update-grub'
+    compliance:
+      - cis: ["8.1.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*'
+
+  # 8.1.4 Record Events That Modify Date and Time Information (Scored)
+  - id: 1088
+    title: "Record Events That Modify Date and Time Information"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+    compliance:
+      - cis: ["8.1.4"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/localtime && r:-p wa && r:-k time-change"
+
+  # 8.1.5 Record Events That Modify User/Group Information (Scored)
+  - id: 1089
+    title: "Record Events That Modify User/Group Information"
+    description: 'Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+    compliance:
+      - cis: ["8.1.5"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd && r:-p wa && r:-k identity"
+
+  # 8.1.6 Record Events That Modify the System's Network Environment (Scored)
+  - id: 1090
+    title: "Record Events That Modify the System's Network Environment"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+    compliance:
+      - cis: ["8.1.6"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname -k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/network && r:-p wa && r:-k system-locale"
+
+  # 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored)
+  - id: 1091
+    title: "Record Events That Modify the System's Mandatory Access Controls"
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
+    rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+    compliance:
+      - cis: ["8.1.7"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ && r:-p wa && r:-k MAC-policy"
+
+  # 8.1.8 Collect Login and Logout Events (Scored)
+  - id: 1092
+    title: "Collect Login and Logout Events"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.&& r:rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+    compliance:
+      - cis: ["8.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/faillog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog && r:-p wa && r:-k logins"
+
+  # 8.1.9 Collect Session Initiation Information (Scored)
+  - id: 1093
+    title: "Collect Session Initiation Information"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier "session." The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)"
+    compliance:
+      - cis: ["8.1.9"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/btmp && r:-p wa && r:-k session"
+
+  # 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+  - id: 1094
+    title: "Collect Discretionary Access Control Permission Modification Events"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permis&& r:sions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+    compliance:
+      - cis: ["8.1.10"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  # 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+  - id: 1095
+    title: "Collect Unsuccessful Unauthorized Access Attempts to Files"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+    compliance:
+      - cis: ["8.1.11"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  # 8.1.13 Collect Successful File System Mounts (Scored)
+  - id: 1096
+    title: "Collect Successful File System Mounts"
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user"
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+    compliance:
+      - cis: ["8.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  # 8.1.14 Collect File Deletion Events by User (Scored)
+  - id: 1097
+    title: "Collect File Deletion Events by User"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+    compliance:
+      - cis: ["8.1.14"]
+      - pci_dss: ["10.5.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  # 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
+  - id: 1098
+    title: "Collect Changes to System Administration Scope (sudoers)"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+    compliance:
+      - cis: ["8.1.15"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /etc/sudoers && r:-p wa && r:-k scope"
+
+  # 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
+  - id: 1099
+    title: "Collect System Administrator Actions (sudolog)"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
+    compliance:
+      - cis: ["8.1.16"]
+      - cis_csc: ["5.1", "5.5"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.3", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log && r:-p wa && r:-k actions"
+
+  # 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+  - id: 1100
+    title: "Collect Kernel Module Loading and Unloading"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
+    compliance:
+      - cis: ["8.1.17"]
+      - cis_csc: ["3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - tsc: ["CC7.2", "CC6.1", "CC7.3", "CC7.4", "CC6.8"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w /sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules"
+
+  # 8.1.18 Make the Audit Configuration Immutable (Scored)
+  - id: 1101
+    title: "Make the Audit Configuration Immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
+    compliance:
+      - cis: ["8.1.18"]
+      - cis_csc: ["3", "6"]
+      - pci_dss: ["10.5"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-e 2$"
+
+  ###############################################
+  # 8.2 Configure rsyslog
+  ###############################################
+
+  # 8.2.1 Install the rsyslog package (Scored)
+  - id: 1102
+    title: "Install the rsyslog package"
+    description: "The rsyslog package is a third party package that provides many enhancements to syslog, such as multi-threading, TCP communication, message filtering and data base support."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install the rsyslog package: # apt-get install rsyslog"
+    compliance:
+      - cis: ["8.2.2"]
+      - cis_csc: ["6.2"]
+    condition: all
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+
+  # 8.2.2 Ensure the rsyslog Service is activated (Scored)
+  - id: 1103
+    title: "Ensure the rsyslog Service is activated"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Enable rsyslog: # update-rc.d rsyslog enable"
+    compliance:
+      - cis: ["8.2.2"]
+      - cis_csc: ["6.2"]
+    condition: all
+    rules:
+      - 'c:find /etc/rc2.d -name *rsyslog* -> r:/etc/rc2.d/S\d+rsyslog'
+      - 'c:find /etc/rc3.d -name *rsyslog* -> r:/etc/rc3.d/S\d+rsyslog'
+      - 'c:find /etc/rc4.d -name *rsyslog* -> r:/etc/rc4.d/S\d+rsyslog'
+      - 'c:find /etc/rc5.d -name *rsyslog* -> r:/etc/rc5.d/S\d+rsyslog'
+
+  # 8.2.5 Configure rsyslog to send logs to a Remote Log Host (Scored)
+  - id: 1104
+    title: "Configure rsyslog to Send Logs to a Remote Log Host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
+    remediation: 'Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host).  *.* @@loghost.example.com    # Execute the following command to restart rsyslogd    # pkill -HUP rsyslogd    Note: The double "at" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.'
+    compliance:
+      - cis: ["8.2.5"]
+      - cis_csc: ["6.6"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t**.* @@\.+'
+
+  # 8.2.6 Accept remote rsyslog messages only on designated log hosts (Not Scored)
+  - id: 1105
+    title: "Accept Remote rsyslog Messages Only on Designated Log Hosts"
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so    $InputTCPServerRun 514    Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["8.2.6"]
+      - cis_csc: ["9.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad\s*\t*imtcp.so'
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t*\$InputTCPServerRun\s*\t*514'
+
+  ###############################################
+  # 8.3 Advanced Intrusion Detection Environment (AIDE)
+  ###############################################
+
+  # 8.3.1 Install AIDE (Scored)
+  - id: 1106
+    title: "Install AIDE"
+    description: "In some installations, AIDE is not installed automatically"
+    rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
+    remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    compliance:
+      - cis: ["8.3.1"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  # 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+  - id: 1107
+    title: "Implement Periodic Execution of File Integrity"
+    description: "Implement periodic file checking, in compliance with site policy"
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
+    compliance:
+      - cis: ["8.3.2"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:crontab -u root -l -> !r:^# && r:\s*\t*/usr/sbin/aide\s*\t*--check'
+
+  ###############################################
+  # 9 System Access, Authentication and Authorization
+  #######################################################
+  # 9.1.1 Enable cron Daemon (Scored)
+  - id: 1108
+    title: "Enable cron Daemon"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
+    remediation: "Enable cron: # update-rc.d cron enable    Enable anacron: # update-rc.d anacron enable"
+    compliance:
+      - cis: ["9.1.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:find /etc/rc2.d -name *cron* -> r:/etc/rc2.d/S\d+cron'
+      - 'c:find /etc/rc3.d -name *cron* -> r:/etc/rc3.d/S\d+cron'
+      - 'c:find /etc/rc4.d -name *cron* -> r:/etc/rc4.d/S\d+cron'
+      - 'c:find /etc/rc5.d -name *cron* -> r:/etc/rc5.d/S\d+cron'
+      - 'c:find /etc/rc2.d -name *anacron* -> r:/etc/rc2.d/S\d+anacron'
+      - 'c:find /etc/rc3.d -name *anacron* -> r:/etc/rc3.d/S\d+anacron'
+      - 'c:find /etc/rc4.d -name *anacron* -> r:/etc/rc4.d/S\d+anacron'
+      - 'c:find /etc/rc5.d -name *anacron* -> r:/etc/rc5.d/S\d+anacron'
+
+  # 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
+  - id: 1109
+    title: "Set User/Group Owner and Permission on /etc/crontab"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["9.1.2"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
+  - id: 1110
+    title: "Set User/Group Owner and Permission on /etc/cron.hourly"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["9.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/d\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
+  - id: 1111
+    title: "Set User/Group Owner and Permission on /etc/cron.daily"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["9.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/d\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
+  - id: 1112
+    title: "Set User/Group Owner and Permission on /etc/cron.weekly"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["9.1.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/d\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
+  - id: 1113
+    title: "Set User/Group Owner and Permission on /etc/cron.monthly"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["9.1.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/d\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
+  - id: 1114
+    title: "Set User/Group Owner and Permission on /etc/cron.d"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["9.1.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/d\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.1.8 Restrict at/cron to Authorized Users (Scored)
+  - id: 1115
+    title: "Restrict at/cron to Authorized Users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "# /bin/rm /etc/cron.deny    # /bin/rm /etc/at.deny    # touch /etc/cron.allow    # touch /etc/at.allow    # chmod og-rwx /etc/cron.allow    # chmod og-rwx /etc/at.allow    # chown root:root /etc/cron.allow    # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["9.1.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - "c:stat -L -c%u-%g-%a /etc/cron.allow -> r:^0-0-600"
+      - "c:stat -L -c%u-%g-%a /etc/at.allow -> r:^0-0-600"
+
+  ###########################################
+  # 9.2 Configure PAM
+  ###########################################
+
+  # 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+  - id: 1116
+    title: "Set Password Creation Requirement Parameters Using pam_cracklib"
+    description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  # retry=3 - Allow 3 tries before sending back a failure.  # minlen=14 - password must be 14 characters or more # dcredit=-1 - provide at least one digit # ucredit=-1 - provide at least one uppercase character # ocredit=-1 - provide at least one special character # lcredit=-1 - provide at least one lowercase character    The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Install the libpam-cracklib package: # apt-get install libpam-cracklib 2) Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+    compliance:
+      - cis: ["9.2.1"]
+      - pci_dss: ["8.2.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s libpam-cracklib -> r:install ok installed"
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so && r:retry=\d && n:minlen=(\d+) compare >= 14 && r:dcredit=-\d+ && r:ucredit=-\d+ && r:ocredit=-\d+ && r:lcredit=-\d+'
+
+  # 9.2.2 Set Lockout for Failed Password Attempts (Not Scored)
+  - id: 1117
+    title: "Set Lockout for Failed Password Attempts"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users.  Check the documentation for each secondary program for instructions on how to configure them to work with PAM.  Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900    Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user."
+    compliance:
+      - cis: ["9.2.2"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+'
+
+  # 9.2.3 Limit Password Reuse (Scored)
+  - id: 1118
+    title: "Limit Password Reuse"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.  Note that these change only apply to accounts configured on the local system."
+    remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore]  pam_unix.so obscure sha512 remember=5    Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy."
+    compliance:
+      - cis: ["9.2.3"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
+
+  ###########################################
+  # 9.3 Configure SSH
+  ###########################################
+  # 9.3.1 Set SSH Protocol to 2 (Scored)
+  - id: 1119
+    title: "Set SSH Protocol to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["9.3.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+  # 9.3.2 Set LogLevel to INFO (Scored)
+  - id: 1120
+    title: "Set LogLevel to INFO"
+    description: "The INFO parameter specifices that record login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["9.3.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO'
+
+  # 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored)
+  - id: 1121
+    title: "Set Permissions on /etc/ssh/sshd_config"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "If the user and group ownership of the /etc/ssh/sshd_config file are incorrect, run the following command to correct them: # chown root:root /etc/ssh/sshd_config If the permissions are incorrect, run the following command to correct them: # chmod 600 /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["9.3.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/-\w\w-------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 9.3.4 Disable SSH X11 Forwarding (Scored)
+  - id: 1122
+    title: "Disable SSH X11 Forwarding"
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["9.3.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
+
+  # 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 1123
+    title: "Set SSH MaxAuthTries to 4 or Less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["9.3.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && n:MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 9.3.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 1124
+    title: "Set SSH IgnoreRhosts to Yes"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["9.3.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
+
+  # 9.3.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 1125
+    title: "Set SSH HostbasedAuthentication to No"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["9.3.7"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
+
+  # 9.3.8 Disable SSH Root Login (Scored)
+  - id: 1126
+    title: "Disable SSH Root Login"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["9.3.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
+
+  # 9.3.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 1127
+    title: "Set SSH PermitEmptyPasswords to No"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["9.3.9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
+
+  # 9.3.10 Do Not Allow Users to Set Environment Options (Scored)
+  - id: 1128
+    title: "Do Not Allow Users to Set Environment Options"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["9.3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
+
+  # 9.3.11 Use Only Approved Cipher in Counter Mode (Scored)
+  - id: 1129
+    title: "Use Only Approved Cipher in Counter Mode"
+    description: "This variable limits the types of ciphers that SSH can use during communication."
+    rationale: "Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
+    compliance:
+      - cis: ["9.3.11"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Ciphers\.+aes128-ctr'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Ciphers\.+aes192-ctr'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Ciphers\.+aes256-ctr'
+
+  # 9.3.12 Set Idle Timeout Interval for User Login (Scored)
+  - id: 1130
+    title: "Set Idle Timeout Interval for User Login"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening..  While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["9.3.12"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0'
+
+  # 9.3.13 Limit Access via SSH (Scored)
+  - id: 1131
+    title: "Limit Access via SSH"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["9.3.13"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:DenyUsers\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:DenyGroups\s+\w+'
+
+  # 9.3.14 Set SSH Banner (Scored)
+  - id: 1132
+    title: "Set SSH Banner"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["9.3.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue'
+
+  # 9.5 Restrict Access to the su Command (Scored)
+  - id: 1133
+    title: "Restrict Access to the su Command"
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid 2) Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file."
+    compliance:
+      - cis: ["9.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/su -> !r:^# && r:auth && r:required && r:pam_wheel.so && r:use_uid"
+      - "f:/etc/group -> !r:^# && r:wheel:"
+
+  ######################################
+  # 10 User Accounts and Environment
+  ######################################
+  # 10.1.1 Set Password Expiration Days (Scored)
+  - id: 1134
+    title: "Set Password Expiration Days"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90    Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>"
+    compliance:
+      - cis: ["10.1.1"]
+      - pci_dss: ["8.2.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> !r:^# && n:PASS_MAX_DAYS\s*\t*(\d+) compare <= 90'
+
+  # 10.1.2 Set Password Change Minimum Number of Days (Scored)
+  - id: 1135
+    title: "Set Password Change Minimum Number of Days"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7    Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>"
+    compliance:
+      - cis: ["10.1.2"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> !r:^# && n:PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 10.1.3 Set Password Expiring Warning Days (Scored)
+  - id: 1136
+    title: "Set Password Expiring Warning Days"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7    Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>"
+    compliance:
+      - cis: ["10.1.3"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> !r:^# && n:PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 10.3 Set Default Group for root Account (Scored)
+  - id: 1137
+    title: "Set Default Group for root Account"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "# usermod -g 0 root"
+    compliance:
+      - cis: ["10.3"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  # 10.4 Set Default umask for Users (Scored)
+  - id: 1138
+    title: "Set Default umask for Users"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.  Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked."
+    remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077"
+    compliance:
+      - cis: ["10.4"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077'
+      - 'f:/etc/bash.bashrc -> !r:^# && r:umask\s*\t*077'
+
+  # 10.5 Lock Inactive User Accounts (Scored)
+  - id: 1139
+    title: "Lock Inactive User Accounts"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "# useradd -D -f 35"
+    compliance:
+      - cis: ["10.5"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 35'
+
+  ##########################################
+  # 11 Warning Banners
+  ##########################################
+  # 11.1 Set Warning Banner for Standard Login Services (Scored)
+  - id: 1140
+    title: "Set Warning Banner for Standard Login Services"
+    description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization."
+    remediation: '# touch /etc/motd    # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue    # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net    # chown root:root /etc/motd    # chmod 644 /etc/motd    # chown root:root /etc/issue    # chmod 644 /etc/issue    # chown root:root /etc/issue.net    # chmod 644 /etc/issue.net'
+    compliance:
+      - cis: ["11.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - "f:/etc/motd"
+      - "f:/etc/issue"
+      - "f:/etc/issue.net"
+      - "c:stat -L -c%u-%g-%a /etc/motd -> 0-0-644"
+      - "c:stat -L -c%u-%g-%a /etc/issue -> 0-0-644"
+      - "c:stat -L -c%u-%g-%a /etc/issue.net -> 0-0-644"
+
+  # 11.2 Remove OS Information from Login Warning Banners (Scored)
+  - id: 1141
+    title: "Remove OS Information from Login Warning Banners"
+    description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform."
+    rationale: 'Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in.'
+    remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v."
+    compliance:
+      - cis: ["11.2"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 11.3 Ensure GDM login banner is configured (Scored)
+  - id: 1142
+    title: "Ensure GDM login banner is configured"
+    description: "Debian defaults to using GNOME Display Manager for graphical login session management. KDM is also available as well as lightdm. Instructions are provided for GDM only, if you are using another display manager you will need to follow different procedures to audit and remediate this setting."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization."
+    remediation: "Uncomment or add the following lines to /etc/gdm3/greeter.gsettings :    banner-message-enable=true    banner-message-text='<banner-text>'"
+    compliance:
+      - cis: ["11.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - "f:/etc/gdm3/greeter.gsettings -> !r:^# && r:banner-message-enable=true"
+      - 'f:/etc/gdm3/greeter.gsettings -> !r:^# && r:banner-message-text=\.+'
+
+  ###############################################
+  # 12 Verify System File Permissions
+  ###############################################
+
+  # 12.1 Verify Permissions on /etc/passwd (Scored)
+  - id: 1143
+    title: "Verify permissions on /etc/passwd"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "If the permissions of the /etc/passwd file are incorrect, run the following command to correct them: # /bin/chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["12.1"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - "c:/bin/ls -l /etc/passwd -> r:-rw-r--r--"
+
+  # 12.2 Verify Permissions on /etc/shadow (Scored)
+  - id: 1144
+    title: "Verify permissions on /etc/shadow"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "If the permissions of the /etc/shadow file are incorrect, run the following command to correct them: # /bin/chmod 644 /etc/shadow"
+    compliance:
+      - cis: ["12.2"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - "c:/bin/ls -l /etc/shadow -> r:-rw-r-----"
+
+  # 12.3 Verify Permissions on /etc/group (Scored)
+  - id: 1145
+    title: "Verify permissions on /etc/group"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "If the permissions of the /etc/group file are incorrect, run the following command to correct them: # /bin/chmod 644 /etc/group"
+    compliance:
+      - cis: ["12.3"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - "c:/bin/ls -l /etc/group -> r:-rw-r--r--"
+
+  # 12.4 Verify User/Group Ownership on /etc/passwd
+  - id: 1146
+    title: "Verify User/Group Ownership on /etc/passwd"
+    description: "The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/passwd file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "If the user and group ownership of the /etc/passwd file are incorrect, run the following command to correct them: # /bin/chown root:root /etc/passwd"
+    compliance:
+      - cis: ["12.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:/bin/ls -l /etc/passwd -> r:root\s*\t*root'
+
+  # 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
+  - id: 1147
+    title: "Verify User/Group Ownership on /etc/shadow"
+    description: "The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "If the ownership of the /etc/shadow file are incorrect, run the following command to correct them: # /bin/chown root:shadow /etc/shadow"
+    compliance:
+      - cis: ["12.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:/bin/ls -l /etc/shadow -> r:root\s*\t*shadow|root\s*\t*root'
+
+  # 12.6 Verify User/Group Ownership on /etc/group (Scored)
+  - id: 1148
+    title: "Verify User/Group Ownership on /etc/group"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "If the ownership of the /etc/group file are incorrect, run the following command to correct them: # /bin/chown root:root /etc/group"
+    compliance:
+      - cis: ["12.6"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:/bin/ls -l /etc/group -> r:root\s*\t*root'
+
+  ###############################################
+  # 13 Review User and Group Settings
+  ###############################################
+
+  # 13.1 Ensure Password Fields are Not Empty
+  - id: 1149
+    title: "Ensure Password Fields are Not Empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l <username>    Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["13.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File
+  - id: 1150
+    title: 'Verify No Legacy "+" Entries Exist in /etc/passwd File'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Delete these entries if they exist."
+    compliance:
+      - cis: ["13.2"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File
+  - id: 1151
+    title: 'Verify No Legacy "+" Entries Exist in /etc/shadow File'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Delete these entries if they exist."
+    compliance:
+      - cis: ["13.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 13.4 Verify No Legacy "+" Entries Exist in /etc/group File
+  - id: 1152
+    title: 'Verify No Legacy "+" Entries Exist in /etc/group File'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Delete these entries if they exist."
+    compliance:
+      - cis: ["13.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 13.5 Verify No UID 0 Accounts Exist Other Than root
+  - id: 1153
+    title: "Verify No UID 0 Accounts Exist Other Than root"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console."
+    remediation: "Delete any other entries that are displayed."
+    compliance:
+      - cis: ["13.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4", "CC8.1"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  # 13.20 Ensure shadow group is empty
+  - id: 1154
+    title: "Ensure shadow group is empty"
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["13.20"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/debian/cis_debian8.yml b/etc/ruleset/sca/debian/cis_debian8.yml
new file mode 100644
index 0000000000..a7e35e054b
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian8.yml
@@ -0,0 +1,2997 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 8
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018
+
+policy:
+  id: "cis_debian8"
+  file: "cis_debian8.yml"
+  name: "CIS Debian Linux 8 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 8."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version"
+  description: "Requirements for running the SCA scan against Debian/Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/debian_version"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1.1.1 Disable unused filesystems
+  - id: 1500
+    title: "Ensure mounting of cramfs filesystems is disabled"
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:cramfs"
+
+  - id: 1501
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 1502
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 1503
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 1504
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 2) Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 1505
+    title: "Ensure mounting of squashfs filesystems is disabled"
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install squashfs /bin/true. 2) Run the following command to unload the squashfs module: # rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:squashfs"
+
+  - id: 1506
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 2) Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Filesystem Configuration
+  - id: 1507
+    title: "Ensure /tmp is configured"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Configure /etc/fstab as appropriate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> enabled"
+
+  - id: 1508
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 1509
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 1510
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var.  For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 1511
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 1512
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 1513
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 1514
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 1515
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log.  For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 1516
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit.  For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 1517
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home.  For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 1518
+    title: "Ensure nodev option set on /home partition"
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["13", "15.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 1519
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  - id: 1520
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  - id: 1521
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  - id: 1522
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Disable autofs: # update-rc.d autofs disable"
+    compliance:
+      - cis: ["1.1.21"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> enabled"
+
+  # 1.3 Filesystem Integrity Checking
+  - id: 1523
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 1524
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:crontab -u root -l -> !r:^# && r:/usr/bin/aide && r:--check"
+
+  # 1.4 Secure Boot Settings
+  - id: 1525
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Access:\s*\(0\w00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 1526
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: '1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> Your PBKDF2 is <encrypted-password> 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <<EOF set superusers="<user-list>" password_pbkdf2 <user> <encrypted-password> EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS="--class gnu-linux --class gnu --class os --unrestricted" 3) Run the following to update the grub configuration: # update-grub'
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 1527
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.5 Additional Process Hardening
+  - id: 1528
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to the /etc/security/limits.conf file.  * hard core 0     Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter:   # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  - id: 1529
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "dmesg | grep NX" -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 1530
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 1531
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && apt-get remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  # 1.6 Configure SELinux
+
+  - id: 1532
+    title: "Ensure SELinux is not disabled in bootloader configuration"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX=""  || Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:linux\.*selinux=0|linux\.*enforcing=0'
+
+  - id: 1533
+    title: "Ensure the SELinux state is enforcing"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled$'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  - id: 1534
+    title: "Ensure SELinux policy is configured"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  - id: 1535
+    title: "Ensure no unconfined daemons exist"
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+
+  - id: 1536
+    title: "Ensure AppArmor is enabled in the bootloader configuration"
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the appermor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line   GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"      update the grub configuration # update-grub    Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["1.6.2.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
+
+  - id: 1537
+    title: "Ensure all AppArmor Profiles are enforcing"
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.2.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*processes are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  - id: 1538
+    title: "Ensure SELinux or AppArmor are installed"
+    description: "SELinux and AppArmor provide Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s selinux-basics -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  # 1.7 Warning Banners
+  - id: 1539
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 1540
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 1541
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 1542
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 1543
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 1544
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 1545
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]"
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true"
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+
+  - id: 1546
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt-get -s upgrade -> r:^The following packages will be upgraded"
+
+  # 2 Services
+  - id: 1547
+    title: "Ensure xinetd is not installed"
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Run the following command to disable xinetd: # apt-get remove xinetd"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s xinetd -> r:install ok installed"
+
+  - id: 1548
+    title: "Ensure inetd is not installed"
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+      - "c:dpkg -s inetutils-inetd -> r:install ok installed"
+
+  - id: 1549
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using one of the following commands: # apt-get install ntp # apt-get install chrony     On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+
+  - id: 1550
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following:   restrict -4 default kod nomodify notrap nopeer noquery      restrict -6 default kod nomodify notrap nopeer noquery  . Add or edit server or pool lines to /etc/ntp.conf as appropriate:   server <remote-server> . Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file:   RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  - id: 1551
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server>"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony/chrony.conf -> r:^server\.+|^pool\.+'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 1552
+    title: "Ensure the X Window system is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: apt-get remove xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 1553
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> enabled"
+
+  - id: 1554
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl disable cups"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> enabled"
+
+  - id: 1555
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled isc-dhcp-server -> enabled"
+      - "c:systemctl is-enabled isc-dhcp-server6 -> enabled"
+
+  - id: 1556
+    title: "Ensure LDAP server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # systemctl disable slapd"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled slapd -> enabled"
+
+  - id: 1557
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs-server -> enabled"
+      - "c:systemctl is-enabled rpcbind -> enabled"
+
+  - id: 1558
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # systemctl disable bind9"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled bind9 -> enabled"
+
+  - id: 1559
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> enabled"
+
+  - id: 1560
+    title: "Ensure HTTP Server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> enabled"
+
+  - id: 1561
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "exim is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s exim4 -> r:install ok installed"
+
+  - id: 1562
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smbd -> enabled"
+
+  - id: 1563
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # systemctl disable squid"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> enabled"
+
+  - id: 1564
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> enabled"
+
+  - id: 1565
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only . Restart postfix: # systemctl restart postfix"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 1566
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # systemctl disable rsync"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled rsync -> enabled"
+
+  - id: 1567
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable nis: # systemctl disable nis"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nis -> enabled"
+
+  - id: 1568
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall the nis package: # apt-get remove nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 1569
+    title: "Ensure rsh client is not installed"
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
+    remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+      - "c:dpkg -s rsh-redone-client -> r:install ok installed"
+
+  - id: 1570
+    title: "Ensure talk client is not installed"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk: apt-get remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 1571
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 1572
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Uninstall ldap-utils using the appropriate package manager or manual installation:   # apt-get remove ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  # 3 Network Configuration
+  - id: 1573
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+
+  - id: 1574
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0    net.ipv4.conf.default.send_redirects=0    Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0    # sysctl -w net.ipv4.conf.default.send_redirects=0    # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  - id: 1575
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+  - id: 1576
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 1577
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  - id: 1578
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  - id: 1579
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  - id: 1580
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  - id: 1581
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  - id: 1582
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  - id: 1583
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.9"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  - id: 1584
+    title: "Install TCP Wrappers"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd    Notes: To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  - id: 1585
+    title: "Ensure /etc/hosts.allow is configured"
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: 'Run the following command to create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow. Where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  - id: 1586
+    title: "Ensure /etc/hosts.deny is configured"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  - id: 1587
+    title: "Verify permissions on /etc/hosts.allow"
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow :  # chown root:root /etc/hosts.allow  # chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 1588
+    title: "Verify permissions on /etc/hosts.deny"
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : # chown root:root /etc/hosts.deny  # chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  # 3.4 Uncommon Network Protocols
+
+  - id: 1589
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  - id: 1590
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  - id: 1591
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  - id: 1592
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  # 3.5 Firewall configuration
+
+  - id: 1593
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:iptables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 1594
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  - id: 1595
+    title: "Ensure IPv6 default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 1596
+    title: "Ensure IPv6 loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP"
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  - id: 1597
+    title: "Ensure iptables is installed"
+    description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
+    rationale: "iptables is required for firewall management and configuration."
+    remediation: "Run the following command to install iptables: # apt-get install iptables"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s iptables -> r:install ok installed"
+
+  # 3.7 Disable IPv6 (Not Scored)
+  - id: 1598
+    title: "Disable IPv6"
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: 'Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1"  Run the following command to update the grub2 configuration:  # update-grub'
+    compliance:
+      - cis: ["3.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:ipv6.disable=1'
+
+  # 4 Logging and Auditing
+
+  - id: 1599
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 1600
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 1601
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 1602
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: [CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> enabled"
+
+  - id: 1603
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: '1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  - id: 1604
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.3", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change"
+
+  - id: 1605
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity"
+
+  - id: 1606
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale"
+
+  - id: 1607
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy  | -w /usr/share/selinux/ -p wa -k MAC-policy On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/ && r:-p wa && r:-k MAC-policy"
+
+  - id: 1608
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins"
+
+  - id: 1609
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins"
+
+  - id: 1610
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  - id: 1611
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  - id: 1612
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  - id: 1613
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  - id: 1614
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  - id: 1615
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1", "5.5"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions"
+
+  - id: 1616
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules"
+
+  - id: 1617
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["3", "6"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$'
+
+  - id: 1618
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> enabled"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 1619
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 1620
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
+
+  - id: 1621
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 1622
+    title: "Ensure syslog-ng service is enabled"
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable rsyslog :   # systemctl enable syslog-ng"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled syslog-ng -> enabled"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 1623
+    title: "Ensure syslog-ng default file permissions configured"
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(06\d0\)|perm\(04\d0\)|perm\(02\d0\)|perm\(00\d0\) && r:perm\(0\d40\)|perm\(0\d00\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 1624
+    title: "Ensure syslog-ng is configured to send logs to a remote log host"
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 1625
+    title: "Ensure rsyslog or syslog-ng is installed"
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands: # apt-get install rsyslog # apt-get install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+      - "c:dpkg -s syslog-ng -> r:install ok installed"
+
+  # 5 Access, Authentication and Authorization
+  - id: 1626
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: systemctl enable cron"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 1627
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/\w\w\w-------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 1628
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 1629
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 1630
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 1631
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 1632
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 1633
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat -L -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00'
+      - 'c:stat -L -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00'
+
+  # 5.2 SSH Server Configuration
+
+  - id: 1634
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-\d00'
+
+  - id: 1635
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:Protocol\s*2'
+
+  - id: 1636
+    title: "Ensure SSH LogLevel is appropriate"
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
+
+  - id: 1637
+    title: "Ensure SSH X11 forwarding is disabled"
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    reference:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:X11Forwarding\s+no'
+
+  - id: 1638
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  - id: 1639
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:IgnoreRhosts\s+yes'
+
+  - id: 1640
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:HostbasedAuthentication\s+no'
+
+  - id: 1641
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitRootLogin\s+no'
+
+  - id: 1642
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitEmptyPasswords\s+no'
+
+  - id: 1643
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitUserEnvironment\s+no'
+
+  # 5.2.13 Ensure only strong ciphers are used (Scored)
+  - id: 1644
+    title: "Ensure only strong ciphers are used"
+    description: "This variable limits the ciphers that SSH can use during communication."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 5.2.14 Ensure only sytrong MAC algorithms are used (Scored)
+  - id: 1645
+    title: "Ensure only strong MAC algorithms are used"
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used (Scored)
+  - id: 1646
+    title: "Ensure only strong Key Exchange algorithms are used"
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received"
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks"
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  - id: 1647
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'c:sshd -T -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 1648
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  - id: 1649
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc: ["5.1", "5.8"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  - id: 1650
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.3 Configure PAM
+
+  - id: 1651
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.7", "16.12"]
+      - pci_dss: ["8.2.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s libpam-pwquality -> r:install ok installed"
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - "f:/etc/security/pwquality.conf -> !r:^# && r:dcredit"
+      - "f:/etc/security/pwquality.conf -> !r:^# && r:ucredit"
+      - "f:/etc/security/pwquality.conf -> !r:^# && r:ocredit"
+      - "f:/etc/security/pwquality.conf -> !r:^# && r:lcredit"
+
+  - id: 1652
+    title: "Ensure lockout for failed password attempts is configured"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.'
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+
+  - id: 1653
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 1654
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  # 5.4 User Accounts and Environment
+
+  - id: 1655
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  - id: 1656
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  - id: 1657
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  - id: 1658
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  - id: 1659
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 1660
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 1661
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc, /etc/profile files, and /etc/profile.d*.sh (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not d:/etc/profile.d -> .sh -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/bash.bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'd:/etc/profile.d -> .sh -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/bash.bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  - id: 1662
+    title: "Ensure access to the su command is restricted"
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root,<user list> Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
+      - 'f:/etc/group -> !r:^# && r:sudo:\w+:\d+:\.'
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+  - id: 1663
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+  - id: 1664
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.4 Configure /etc/group permissions (Scored)
+  - id: 1665
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+  - id: 1666
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-wx /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+  - id: 1667
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+  - id: 1668
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/shadow- : # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- # chmod o-rwx,g-rw /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\) && r:Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Configure /etc/group- permissions (Scored)
+  - id: 1669
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+  - id: 1670
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-wx /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\) && r:Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.2 User and Group Settings
+
+  - id: 1671
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  - id: 1672
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  - id: 1673
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  - id: 1674
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  - id: 1675
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  - id: 1676
+    title: "Ensure shadow group is empty"
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/debian/cis_debian9.yml b/etc/ruleset/sca/debian/cis_debian9.yml
new file mode 100644
index 0000000000..cadeb1db2a
--- /dev/null
+++ b/etc/ruleset/sca/debian/cis_debian9.yml
@@ -0,0 +1,2955 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 9
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 9 Benchmark v1.0.1 - 01-13-2020
+
+policy:
+  id: "cis_debian9"
+  file: "cis_debian9.yml"
+  name: "CIS Debian Linux 9 Benchmark v1.0.1"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Debian version"
+  description: "Requirements for running the SCA scan against Debian/Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/debian_version"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1.1.1 Disable unused filesystems
+  - id: 2000
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 2001
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 2002
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 2003
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 2004
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  # 2 Filesystem Configuration
+  - id: 2005
+    title: "Ensure /tmp is configured"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> enabled"
+
+  - id: 2006
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs  Where=/tmp  Type=tmpfs  Options=mode=1777,strictatime,noexec,nodev,nosuid      and run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 2007
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 2008
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
+    remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  - id: 2009
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 2010
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 2011
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 2012
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 2013
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 2014
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 2015
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 2016
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 2017
+    title: "Ensure nodev option set on /home partition"
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 2018
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  - id: 2019
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  - id: 2020
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  - id: 2021
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: # systemctl disable autofs"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> r:^enabled"
+
+  # 1.3 Filesystem Integrity Checking
+  - id: 2022
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    reference:
+      - "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 2023
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: # crontab -u root -e   Add the following line to the crontab:   0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
+      - "c:crontab -u root -l -> !r:^# && r:/usr/bin/aide && r:--check"
+
+  # 1.4 Secure Boot Settings
+  - id: 2024
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2025
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2 Create a custom /etc/grub.d configuration file: If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 2026
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.5 Additional Process Hardening
+  - id: 2027
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  - id: 2028
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "dmesg | grep NX" -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 2029
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 2030
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  # 1.6 Configure SELinux
+
+  - id: 2031
+    title: "Ensure SELinux is enabled in the bootloader configuration"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Run the following command to configure GRUB and PAM and to create /.autorelabel:  # selinux-activate      Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line:     selinux=1  security=selinux              example:   GRUB_CMDLINE_LINUX_DEFAULT="quiet"     GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1" Run the following command to update the grub2configuration:    # update-grub'
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:selinux=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=selinux'
+
+  - id: 2032
+    title: "Ensure the SELinux state is enforcing"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: 'Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing   Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX= line: enforcing=1    Example:   GRUB_CMDLINE_LINUX_DEFAULT="quiet"  GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"   Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled$'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:enforcing=1'
+
+  - id: 2033
+    title: "Ensure SELinux policy is configured"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+default|^Loaded policy name:\s+mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*default|^\s*SELINUXTYPE\s*=\s*mls'
+
+  - id: 2034
+    title: "Ensure no unconfined daemons exist"
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+
+  - id: 2035
+    title: "Ensure AppArmor is enabled in the bootloader configuration"
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the appermor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line   GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"      update the grub configuration # update-grub    Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["1.6.2.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
+
+  - id: 2036
+    title: "Ensure all AppArmor Profiles are enforcing"
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.2.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:apparmor status -> r:0 profiles are in complain mode"
+      - "c:apparmor status -> r:0 processes are unconfined"
+      - 'c:apparmor status -> n:(\d+) profiles are loaded compare > 0'
+
+  - id: 2037
+    title: "Ensure SELinux or AppArmor are installed"
+    description: "SELinux and AppArmor provide Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s selinux-basics -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  # 1.7 Warning Banners
+  - id: 2038
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian'
+
+  - id: 2039
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian'
+
+  - id: 2040
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian'
+
+  - id: 2041
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2042
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2043
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2044
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]"
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true"
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+
+  - id: 2045
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt-get -s upgrade -> r:^The following packages will be upgraded"
+
+  # 2 Services
+  - id: 2046
+    title: "Ensure xinetd is not installed"
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed."
+    remediation: "Run the following commands to remove xinetd: # apt-get remove xinetd # apt-get purge xinetd"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:dpkg -s xinetd -> r:dpkg-query: package \.+ is not installed'
+
+  - id: 2047
+    title: "Ensure openbsd-inetd is not installed"
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+
+  - id: 2048
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using one of the following commands: # apt-get install ntp # apt-get install chrony     On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+
+  - id: 2049
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  - id: 2050
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server>"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 2051
+    title: "Ensure the X Window system is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: apt-get remove xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 2052
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> enabled"
+
+  - id: 2053
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl disable cups"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> enabled"
+
+  - id: 2054
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled isc-dhcp-server -> enabled"
+      - "c:systemctl is-enabled isc-dhcp-server6 -> enabled"
+
+  - id: 2055
+    title: "Ensure LDAP server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # systemctl disable slapd"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled slapd -> enabled"
+
+  - id: 2056
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs-server -> enabled"
+      - "c:systemctl is-enabled rpcbind -> enabled"
+
+  - id: 2057
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # systemctl disable bind9"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled bind9 -> enabled"
+
+  - id: 2058
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> enabled"
+
+  - id: 2059
+    title: "Ensure HTTP Server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> enabled"
+
+  - id: 2060
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "exim is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s exim4 -> r:install ok installed"
+
+  - id: 2061
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smbd -> enabled"
+
+  - id: 2062
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # systemctl disable squid"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> enabled"
+
+  - id: 2063
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> enabled"
+
+  - id: 2064
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only . Restart postfix: # systemctl restart postfix"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 2065
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # systemctl disable rsync"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled rsync -> enabled"
+
+  - id: 2066
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable nis: # systemctl disable nis"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nis -> enabled"
+
+  - id: 2067
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall the nis package: # apt-get remove nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 2068
+    title: "Ensure rsh client is not installed"
+    description: "The rshpackage contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
+    remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+      - "c:dpkg -s rsh-redone-client -> r:install ok installed"
+
+  - id: 2069
+    title: "Ensure talk client is not installed"
+    description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk: apt-get remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 2070
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 2071
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # apt-get remove ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  # 3 Network Configuration
+  - id: 2072
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+
+  - id: 2073
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0    net.ipv4.conf.default.send_redirects=0    Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0    # sysctl -w net.ipv4.conf.default.send_redirects=0    # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  - id: 2074
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+  - id: 2075
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 2076
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  - id: 2077
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  - id: 2078
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  - id: 2079
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  - id: 2080
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  - id: 2081
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  - id: 2082
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  - id: 2083
+    title: "Install TCP Wrappers"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  - id: 2084
+    title: "Ensure /etc/hosts.allow is configured"
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: 'Run the following command to create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow. Where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  - id: 2085
+    title: "Ensure /etc/hosts.deny is configured"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  - id: 2086
+    title: "Verify permissions on /etc/hosts.allow"
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow :  # chown root:root /etc/hosts.allow  # chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 2087
+    title: "Verify permissions on /etc/hosts.deny"
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : # chown root:root /etc/hosts.deny  # chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 2088
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  - id: 2089
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  - id: 2090
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  - id: 2091
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  # 3.5 Firewall configuration
+
+  - id: 2092
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:iptables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 2093
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  - id: 2094
+    title: "Ensure IPv6 default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 2095
+    title: "Ensure IPv6 loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP"
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  - id: 2096
+    title: "Ensure iptables is installed"
+    description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
+    rationale: "iptables is required for firewall management and configuration."
+    remediation: "Run the following command to install iptables: # apt-get install iptables"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s iptables -> r:install ok installed"
+
+  #########################################
+  # 4 Logging and Auditing
+  #########################################
+
+  - id: 2097
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 2098
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 2099
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 2100
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: [CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> enabled"
+
+  - id: 2101
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: '1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  - id: 2102
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.3", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change"
+
+  - id: 2103
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity"
+
+  - id: 2104
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale"
+
+  - id: 2105
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy  | -w /usr/share/selinux/ -p wa -k MAC-policy On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/|/etc/apparmor/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/|/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy"
+
+  - id: 2106
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins"
+
+  - id: 2107
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins"
+
+  - id: 2108
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  - id: 2109
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  - id: 2110
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  - id: 2111
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["6,2", "13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  - id: 2112
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  - id: 2113
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["4.9"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions"
+
+  - id: 2114
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules"
+
+  - id: 2115
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "c:tail -1 /etc/audit/audit.rules -> -e 2"
+
+  - id: 2116
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> enabled"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 2117
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 2118
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
+
+  - id: 2119
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 2120
+    title: "Ensure syslog-ng service is enabled"
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable rsyslog :   # systemctl enable syslog-ng"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled syslog-ng -> enabled"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 2121
+    title: "Ensure syslog-ng default file permissions configured"
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(06\d0\)|perm\(04\d0\)|perm\(02\d0\)|perm\(00\d0\) && r:perm\(0\d40\)|perm\(0\d00\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 2122
+    title: "Ensure syslog-ng is configured to send logs to a remote log host"
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 2123
+    title: "Ensure rsyslog or syslog-ng is installed"
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands: # apt-get install rsyslog # apt-get install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+      - "c:dpkg -s syslog-ng -> r:install ok installed"
+
+  #########################################
+  # 5 Access, Authentication and Authorization
+  #########################################
+
+  - id: 2124
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: systemctl enable cron"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 2125
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/\w\w\w-------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 2126
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 2127
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 2128
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 2129
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 2130
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 2131
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2 SSH Server Configuration
+
+  - id: 2132
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 2133
+    title: "Ensure SSH Protocol is set to 2"
+    description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2. Notes: This command not longer exists in newer versions of SSH. This check is still being included for systems that may be running an older version of SSH. As of openSSH version 7.4 this parameter will not cause an issue when included."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+  - id: 2134
+    title: "Ensure SSH LogLevel is appropriate"
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
+
+  - id: 2135
+    title: "Ensure SSH X11 forwarding is disabled"
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:X11Forwarding\s+no'
+
+  - id: 2136
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  - id: 2137
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:IgnoreRhosts\s+yes'
+
+  - id: 2138
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:HostbasedAuthentication\s+no'
+
+  - id: 2139
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitRootLogin\s+no'
+
+  - id: 2140
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitEmptyPasswords\s+no'
+
+  - id: 2141
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitUserEnvironment\s+no'
+
+  - id: 2142
+    title: "Ensure only strong ciphers are used"
+    description: "This variable limits the ciphers that SSH can use during communication."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  - id: 2143
+    title: "Ensure only strong MAC algorithms are used"
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  - id: 2144
+    title: "Ensure only strong Key Exchange algorithms are used"
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received"
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks"
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- hellman-group-exchange-sha256"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  - id: 2145
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'c:sshd -T -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  - id: 2146
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  - id: 2147
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  - id: 2148
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.3 Configure PAM
+
+  - id: 2149
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s libpam-pwquality -> r:install ok installed"
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  - id: 2150
+    title: "Ensure lockout for failed password attempts is configured"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Edit the /etc/pam.d/common-account file and add the account line bellow: account    required    pam_tally2.so. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user. Notes:BUG In pam_tally2.so To work around this issue the addition of pam_tally2.so in the accounts section of the /etc/pam.d/common-account file has been added to the audit and remediation sections. pam_tally2 line must be added for the counter to reset to 0 when using sudo.     Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.'
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+      - "f:/etc/pam.d/common-account -> !r:^# && r:pam_tally2.so"
+
+  - id: 2151
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 2152
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  # 5.4 User Accounts and Environment
+
+  - id: 2153
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  - id: 2154
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  - id: 2155
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  - id: 2156
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+
+  - id: 2157
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  - id: 2158
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 2159
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc, /etc/profile files, and /etc/profile.d*.sh (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not d:/etc/profile.d -> .sh -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/bash.bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'd:/etc/profile.d -> .sh -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/bash.bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  - id: 2160
+    title: "Ensure access to the su command is restricted"
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root,<user list> Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
+      - 'f:/etc/group -> !r:^# && r:sudo:\w+:\d+:\.'
+
+  ###############################
+  # 6 System Maintenance
+  ###############################
+
+  - id: 2161
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 2162
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/shadow- : # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- # chmod o-rwx,g-rw /etc/shadow-"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 2163
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "# chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-rw /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 2164
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2165
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the one following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 2166
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2167
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 2168
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.2 User and Group Settings
+
+  - id: 2169
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  - id: 2170
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  - id: 2171
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  - id: 2172
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  - id: 2173
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  - id: 2174
+    title: "Ensure shadow group is empty"
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - cis_csc: ["16"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/generic/sca_unix_audit.yml b/etc/ruleset/sca/generic/sca_unix_audit.yml
index e69de29bb2..b7d56d8ee2 100644
--- a/etc/ruleset/sca/generic/sca_unix_audit.yml
+++ b/etc/ruleset/sca/generic/sca_unix_audit.yml
@@ -0,0 +1,308 @@
+# Security Configuration Assessment
+# Audit for UNIX systems
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+  id: "unix_audit"
+  file: "sca_unix_audit.yml"
+  name: "System audit for Unix based systems"
+  description: "Guidance for establishing a secure configuration for Unix based systems."
+  references:
+    - https://www.ssh.com/ssh/
+
+requirements:
+  title: "Check that the SSH service and password-related files are present on the system"
+  description: "Requirements for running the SCA scan against the Unix based systems policy."
+  condition: any
+  rules:
+    - "f:$sshd_file"
+    - "f:/etc/passwd"
+    - "f:/etc/shadow"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+  $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
+
+checks:
+  - id: 3000
+    title: "SSH Hardening: Port should not be 22"
+    description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections."
+    rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
+    remediation: "Change the Port option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$'
+
+  - id: 3001
+    title: "SSH Hardening: Protocol should be set to 2"
+    description: "The SSH protocol should not be 1."
+    rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
+    remediation: "Change the Protocol option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
+
+  - id: 3002
+    title: "SSH Hardening: Root account should not be able to log in"
+    description: "The option PermitRootLogin should be set to no."
+    rationale: 'The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option "Match" and restrict it to a few IP addresses.'
+    remediation: "Change the PermitRootLogin option value in the sshd_config file."
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*PermitRootLogin\s*\t*no'
+
+  - id: 3003
+    title: "SSH Hardening: No Public Key authentication"
+    description: "The option PubkeyAuthentication should be set yes."
+    rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
+    remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes'
+
+  - id: 3004
+    title: "SSH Hardening: Password Authentication should be disabled"
+    description: "The option PasswordAuthentication should be set to no."
+    rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
+    remediation: "Change the PasswordAuthentication option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no'
+
+  - id: 3005
+    title: "SSH Hardening: Empty passwords should not be allowed"
+    description: "The option PermitEmptyPasswords should be set to no."
+    rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
+    remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no'
+
+  - id: 3006
+    title: "SSH Hardening: Rhost or shost should not be used for authentication"
+    description: "The option IgnoreRhosts should be set to yes."
+    rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
+    remediation: "Change the IgnoreRhosts option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes'
+
+  - id: 3007
+    title: "SSH Hardening: Grace Time should be one minute or less."
+    description: "The option LoginGraceTime should be set to 60 or less."
+    rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
+    remediation: "Change the LoginGraceTime option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60'
+
+  - id: 3008
+    title: "SSH Hardening: Wrong Maximum number of authentication attempts"
+    description: "The option MaxAuthTries should be set to 4 or less."
+    rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
+    remediation: "Change the MaxAuthTries option value in the sshd_config file."
+    compliance:
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  - id: 3009
+    title: "SSH Hardening: Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no'
+
+  - id: 3010
+    title: "Ensure retry option for passwords is less than 3"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:password && r:requisite|required && r:pam_cracklib.so|pam_pwquality.so && n:retry\s*=\s*(\d+) compare <= 3'
+
+  - id: 3011
+    title: "Ensure passwords are longer than 14 characters"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
+
+  - id: 3012
+    title: "Ensure passwords contain at least one digit"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit\s*\t*='
+
+  - id: 3013
+    title: "Ensure passwords contain at least one lowercase character"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit\s*\t*='
+
+  - id: 3014
+    title: "Ensure passwords contain at least one uppercase character"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit\s*\t*='
+
+  - id: 3015
+    title: "Ensure passwords contain at least one special character"
+    description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy."
+    compliance:
+      - cis_csc: ["4.4", "5.7", "16.12"]
+    references:
+      - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit\s*\t*='
+
+  - id: 3016
+    title: "Ensure lockout for failed password attempts is configured"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
+
+  - id: 3017
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512"
+    compliance:
+      - cis_csc: ["16.14"]
+    condition: all
+    rules:
+      - 'f:$pam_d_files -> r:^password\.+pam_unix.so\.+sha512'
+
+  - id: 3018
+    title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
+    description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
+    remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256."
+    references:
+      - https://linux-audit.com/password-security-with-linux-etc-shadow-file/
+      - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
+
+  - id: 3019
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs."
+    compliance:
+      - cis_csc: ["4.4", "16"]
+    references:
+      - https://www.thegeekdiary.com/understanding-etclogin-defs-file
+    condition: any
+    rules:
+      - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
+
+  - id: 3020
+    title: "Ensure SELinux or AppArmor are installed"
+    description: "SELinux and AppArmor provide Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
+    compliance:
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - "c:dpkg -s selinux-basics -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  - id: 3021
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl disable cups"
+    compliance:
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - "https://www.cups.org"
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> r:^enabled"
+
+  - id: 3022
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+    compliance:
+      - cis_csc: ["6.2", "6.3"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
diff --git a/etc/ruleset/sca/hpux/cis_hpux_11i.yml b/etc/ruleset/sca/hpux/cis_hpux_11i.yml
new file mode 100644
index 0000000000..65deb7f4df
--- /dev/null
+++ b/etc/ruleset/sca/hpux/cis_hpux_11i.yml
@@ -0,0 +1,828 @@
+# Security Configuration Assessment
+# CIS Checks for HPUX 11i
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for HP-UX 11i from 09-17-2009
+
+policy:
+  id: "cis_hpux"
+  file: "cis_hpux_11i.yml"
+  name: "CIS HP-UX 11i Benchmark v1.5.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for HPUX version 11i. This guide was tested against HP-UX"
+  references:
+    - https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf
+
+requirements:
+  title: "Check HPUX version and bastille is not installed."
+  description: "Requirements for running the SCA scan against HPUX family."
+  condition: all
+  rules:
+    - "c:swlist HPUX*OE* -> r:HPUX11i"
+    - "not d:/opt/sec_mgmt/bastille/"
+
+checks:
+  #################################################################
+  # 1.1  Install patches and supplementary software
+  #################################################################
+
+  - id: 25001
+    title: "Install and configure HP-UX Secure Shell."
+    description: "OpenSSH is a popular free distribution of the standards-track SSH protocols which allows secure encrypted network logins and file transfers. HP-UX Secure Shell is HP's pre-compiled and supported version of OpenSSH."
+    rationale: "Common login and file transfer services such as telnet, FTP, rsh, rlogin, and rcp use insecure, clear-text protocols that are vulnerable to attack. OpenSSH provides a secure, encrypted replacement for these services. Security is improved by further constraining services in the default configuration."
+    remediation: 'Perform the following to install and securely configure Secure Shell (SSH) 1. Download and install HP-UX Secure Shell if not already installed on the system. 2. Perform the following post-installation actions to secure the SSH service: a. Change to the /opt/ssh/etc directory b. Open sshd_config c. Set the Protocol token to 2. If it is absent, add and set it. d. Set the X11Forwarding token to yes. If it is absent, add and set it. e. Set the IgnoreRhosts token to yes. If it is absent, add and set it. f. Set the RhostsAuthentication token to no. If it is absent, add and set it. g. Set the RhostsRSAAuthentication token to no. If it is absent, add and set it. h. Set the PermitRootLogin token to no. If it is absent, add and set it. i. Set the PermitEmptyPasswords token to no. If it is absent, add and set it. j. Set the Banner token to /etc/issue. If it is absent, add and set it. k. Set root as the owner of sshd_config and ssh_config. l. Set sys as the group owner of sshd_config and ssh_config. m. Restrict write access to sshd_config and ssh_config to the file owner. The following script will perform the above procedure: 13 | P a g e cd /opt/ssh/etc cp -p sshd_config sshd_config.tmp awk '' /^Protocol/ /^IgnoreRhosts/ /^RhostsAuthentication/ /^RhostsRSAAuthentication/ { $2 ="no" }; /(^#|^)PermitRootLogin/    { $1 = "PermitRootLogin"; $2 = "no" }; /^PermitEmptyPasswords/    { $2 = "no" }; /^#Banner/                 { $1 = "Banner"; $2 = "/etc/issue" } { print }'' sshd_config.tmp > sshd_config { $2 ="2"}; { $2 = "yes" }; { $2 = "no" }; rm -f sshd_config.tmp chown root:sys ssh_config sshd_config chmod go-w ssh_config sshd_config'
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_level: ["1"]
+    references:
+      - http://www.openssh.org/
+      - http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
+      - http://h20293.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA
+    condition: all
+    rules:
+      - "c:swlist -l bundle SecureShell -> r:HP-UX Secure Shell"
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Protocol 2'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*X11Forwarding yes'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*IgnoreRhosts yes'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsAuthentication no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsRSAAuthentication no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitRootLogin no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitEmptyPasswords no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Banner /etc/issue'
+      - 'not c:sh -c "ls -la /opt/ssh/etc/sshd_config | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+      - 'not c:sh -c "ls -la /opt/ssh/etc/ssh_config | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  #################################################################
+  # 1.2 Minimize inetd network services
+  #################################################################
+
+  - id: 25002
+    title: "Disable Standard Services."
+    description: "The stock /etc/inetd.conf file shipped with HP-UX contains many services which are rarely used, or which have more secure alternatives. Indeed, after enabling SSH (see item 1.1.2) it may be possible to completely do away with all inetd-based services, since SSH provides both a secure login mechanism and a means of transferring files to and from the system. The steps articulated in the Remediation section will disable all services normally enabled in the HP-UX inetd.conf file. The rest of the actions in this section give the administrator the option of re-enabling certain services—in particular, the services that are disabled in the last two loops in the Action section below."
+    rationale: "The stock /etc/inetd.conf file shipped with HP-UX contains services that are rarely used or have more secure alternatives. Removing these from inetd will avoid exposure to possible security vulnerability in those services."
+    remediation: 'Perform the following to disable standard inetd-based services: 1. Change to the /etc directory 2. Open inetd.conf 3. Disable the following services by adding a comment character (#) to the beginning of its definition: a. echo b. discard c. daytime d. chargen e. dtspc f. exec g. ntalk h. finger i. uucp j. ident k. auth l. instl_boots m. registrar n. recserv o. rpc.rstatd p. rpc.rusersd q. rpc.rwalld r. rpc.sprayd s. rpc.cmsd t. kcms_server u. printer v. shell w. login h. finger x. telnet y. ftp z. tftp aa. bootps bb. kshell cc. klogin dd. rpc.rquotad ee. rpc.ttdbserver 4. Save inetd.conf. 5. Set root as the owner of inetd.conf. 6. Set sys as the group owner of inetd.conf. 7. Restrict write access to inetd.conf to the file owner. 8. Remove the executable and sticky bit from inetd.conf. 9. Invoke inetd to reread it''s config file: inetd -c The following script will perform the above procedure: cd /etc for svc in echo discard daytime chargen dtspc \ exec ntalk finger uucp ident auth \ instl_boots registrar recserv; do awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in rpc.rstatd rpc.rusersd rpc.rwalld \ rpc.sprayd rpc.cmsd kcms_server; do awk "/\\/$svc/ { \$1 = \"#\" \$1 }; { print }" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in printer shell login telnet ftp tftp \ bootps kshell klogin; do awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in rpc.rquotad rpc.ttdbserver; do awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \ /etc/inetd.conf > /etc/inetd.conf.new cp inetd.conf.new inetd.conf done chown root:sys inetd.conf chmod go-w,a-xs inetd.conf rm -f /etc/inetd.conf.new inetd -c'
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_level: ["1"]
+    references:
+      - http://docs.hp.com/en/B2355-60130/inetd.conf.4.html
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*echo'
+      - 'not f:/etc/inetd.conf -> r:^\s*discard'
+      - 'not f:/etc/inetd.conf -> r:^\s*daytime'
+      - 'not f:/etc/inetd.conf -> r:^\s*chargen'
+      - 'not f:/etc/inetd.conf -> r:^\s*dtspc'
+      - 'not f:/etc/inetd.conf -> r:^\s*exec'
+      - 'not f:/etc/inetd.conf -> r:^\s*ntalk'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.rwalld'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.sprayd'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.cmsd'
+      - 'not f:/etc/inetd.conf -> r:^\s*kcms_server'
+      - 'not f:/etc/inetd.conf -> r:^\s*printer'
+      - 'not f:/etc/inetd.conf -> r:^\s*shell'
+      - 'not f:/etc/inetd.conf -> r:^\s*login'
+      - 'not f:/etc/inetd.conf -> r:^\s*finger'
+      - 'not f:/etc/inetd.conf -> r:^\s*uucp'
+      - 'not f:/etc/inetd.conf -> r:^\s*ident'
+      - 'not f:/etc/inetd.conf -> r:^\s*auth'
+      - 'not f:/etc/inetd.conf -> r:^\s*instl_boots'
+      - 'not f:/etc/inetd.conf -> r:^\s*registrar'
+      - 'not f:/etc/inetd.conf -> r:^\s*recserv'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.rstatd'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.rusersd'
+      - 'not f:/etc/inetd.conf -> r:^\s*telnet'
+      - 'not f:/etc/inetd.conf -> r:^\s*ftp'
+      - 'not f:/etc/inetd.conf -> r:^\s*tftp'
+      - 'not f:/etc/inetd.conf -> r:^\s*bootps'
+      - 'not f:/etc/inetd.conf -> r:^\s*kshell'
+      - 'not f:/etc/inetd.conf -> r:^\s*klogin'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.rquotad'
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.ttdbserver'
+      - 'not c:sh -c "ls -la /etc/inetd.conf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25003
+    title: "Only enable telnet if absolutely necessary."
+    description: "Re-enable telnet. Telnet uses an unencrypted network protocol, which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network, and also that the session can be hijacked by outsiders to gain access to the remote system. HP-UX Secure Shell (OpenSSH) provides an encrypted alternative to telnet (and other utilities) and should be used instead."
+    rationale: "There is a mission-critical reason that requires users to access the system via telnet instead of the more secure SSH protocol."
+    remediation: 'Perform the following to re-enable telnet: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the telnet service definition. 3. Add -b /etc/issue to the end of the telnet service definition. This will cause telnet to display the contents of /etc/issue to users attempting to access the system via telnet. 4. Save /etc/inetd.conf. The following script will perform the above procedure: awk ''/^#telnet/ { $1 = "telnet" print $0 " -b /etc/issue"; next} { print } '' inetd.conf > /etc/inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*telnet'
+
+  - id: 25004
+    title: "Only enable FTP if absolutely necessary."
+    description: "Re-enable ftp. Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted during the session can be captured by sniffing the network, and that the FTP session itself can be hijacked by an external attacker. SSH provides two alternative, encrypted file transfer mechanisms, scp and sftp, which should be used instead of FTP. Even if FTP is required because the local system is an anonymous FTP server, consider requiring authenticated users on the system to transfer files via SSH-based protocols. For further information on restricting FTP access to the system, see item 1.6.2 below. Sites may also consider augmenting the 'ftpd -l' below with '-v' (10.x and 11.x) or '-L' (11.x only) for additional logging of FTP transactions, or with '-a' (11.x only) for fine grain FTP access control through the use of a configuration file - see the ftpd(1M) man page on your systems for details."
+    rationale: "This machine serves as an (anonymous) FTP server or other mission-critical role where data must be transferred via FTP instead of the more secure alternatives."
+    remediation: 'Perform the following to re-enable FTP: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the ftp service definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' /^#ftp/ { $1 = "ftp"; print $0; next} { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*ftp'
+
+  - id: 25005
+    title: "Only enable rlogin/remsh/rcp if absolutely necessary."
+    description: "Re-enable rlogin/remsh/rcp. SSH was designed to be a drop-in replacement for these protocols. Given the wide availability of free SSH implementations, there are few cases where these tools cannot be replaced with SSH (again, see item 1.2.1 - Install SSH)."
+    rationale: "There is a mission-critical reason to use rlogin/remsh/rcp instead of the more secure ssh/scp."
+    remediation: "Perform the following to re-enable rlogin/remsh/rcp: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the shell and login service definitions. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#shell/shell/; s/^#login/login/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*shell'
+      - 'not f:/etc/inetd.conf -> r:^\s*login'
+
+  - id: 25006
+    title: "Only enable TFTP if absolutely necessary."
+    description: "Re-enable TFTP. TFTP is typically used for network booting of diskless workstations, X-terminals, and other similar devices. TFTP is also used during network installs of systems via the HP-UX Ignite facility. Routers and other network devices may copy configuration data to remote systems via TFTP for backup."
+    rationale: "This system serves as a boot server or has other mission-critical roles where data must be transferred to and from this system via TFTP."
+    remediation: "Perform the following to re-enable TFTP: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the tftp service definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#tftp/tftp/' inetd.conf >inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new mkdir -p /var/opt/ignite"
+    compliance:
+      - cis: ["1.2.5"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*TFTP'
+
+  - id: 25007
+    title: "Only enable printer service if absolutely necessary."
+    description: "Re-enable rlpdaemon based printer service. rlpdaemon provides a BSD-compatible print server interface. Even machines that are print servers may wish to leave this service disabled if they do not need to support BSD-style printing."
+    rationale: "This machine a print server for your network."
+    remediation: "Perform the following to re-enable the rlpdaemon based printer service: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the printer definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure:  sed 's/^#printer/printer/' inetd.conf >inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.6"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*printer'
+
+  - id: 25008
+    title: "Only enable rquotad if absolutely necessary."
+    description: "Re-enable rquotad. rquotad allows NFS clients to enforce disk quotas on file systems that are mounted from the local system. If your site does not use disk quotas, then you may leave the rquotad service disabled."
+    rationale: "This system an NFS file server that requires the use of disk quotas."
+    remediation: 'Perform the following to re-enable rquotad: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the rquotad definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' $6 ~ /\/rpc.rquotad$/ { sub(/^#/, "") } { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.7"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*rquotad'
+
+  - id: 25009
+    title: "Only enable CDE-related daemons if absolutely necessary."
+    description: "Re-enable CDE-related daemons. The rpc.ttdbserver service supports HP's CDE windowing environment. This service has a history of security problems. Not only is it vital to keep up to date on vendor patches, but also never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls, packet filters, and intrusion detection infrastructure). Note that since this service uses ONC RPC mechanisms, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on."
+    rationale: "There a mission-critical reason to run a CDE GUI on this system."
+    remediation: 'Perform the following to re-enable CDE-related daemons: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the rpc.ttdbserver 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' $6 ~ /\/rpc.ttdbserver$/ { sub(/^#/, "") } { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*rpc.ttdbserver'
+
+  - id: 25010
+    title: "Only enable Kerberos-related daemons if absolutely necessary."
+    description: "Re-enable Kerberos-related daemons. Kerberized rlogin/remsh offers a higher degree of security than traditional rlogin, remsh, or telnet by eliminating many clear-text password exchanges from the network. However it is still not as secure as SSH, which encrypts all traffic. Given the wide availability of free SSH implementations, there are few cases where these tools cannot be replaced with SSH."
+    rationale: "The Kerberos security system is in use at this site and there is a mission-critical reason that requires users to access this system via Kerberized rlogin/remsh, rather than the more secure SSH protocol."
+    remediation: "Perform the following to re-enable Kerberos-related daemons: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the klogin definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#kshell/kshell/; s/^#klogin/klogin/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.9"]
+    condition: any
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*klogin'
+      - 'not f:/etc/inetd.conf -> r:^\s*kshell'
+
+  - id: 25011
+    title: "Only enable BOOTP/DHCP daemon if absolutely necessary."
+    description: "Re-enable BOOTP/DHCP services. BOOTP/DHCP is a popular protocol for dynamically assigning IP addresses and other network information to systems on the network (rather than having administrators manually manage this information on each host). However, if this system is not a BOOTP/DHCP server for the network, there is no need to be running this service."
+    rationale: "This server a BOOTP/DHCP server for the network."
+    remediation: "Perform the following to re-enable BOOTP/DHCP services: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the bootps definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#bootps/bootps/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf"
+    compliance:
+      - cis: ["1.2.10"]
+    condition: all
+    rules:
+      - 'not f:/etc/inetd.conf -> r:^\s*bootps'
+
+  #################################################################
+  # 1.3 Minimize boot services
+  #################################################################
+
+  - id: 25012
+    title: "Disable login: prompts on serial ports."
+    description: "Disable the login: prompt on the system serial devices to make it more difficult for unauthorized users to attach modems, terminals, and other remote access devices to these ports."
+    rationale: "If there is not a mission-critical need to provide login capability from any serial ports (such as for a modem) then disabling the login: prompt on the system serial devices reduces the risk of unauthorized access via these ports."
+    remediation: "Perform the following to disable the login: prompt on the system serial devices: 1. Open /etc/inittab. 2. Disable each getty instance associated with a tty device by adding a comment character (#) to the beginning of the line. 3. Save /etc/inittab.* The following script will perform the above procedure: cp -p /etc/inittab /etc/inittab.tmp sed 's/^[^#].*getty.*tty.*$/#&/' \ /etc/inittab.tmp  > /etc/inittab rm -f /etc/inittab.tmp - Note that this action may safely be performed even if console access to the system is provided via the serial ports, as the line in the /etc/inittab file that corresponds to the console does not match the supplied pattern (i.e., it doesn't contain the string 'tty'). - Note that when serial port connectivity is needed, /etc/dialups and /etc/d_passwd can be set to require an extra password for serial port access. See the dialups(4) manual page for more information. - Note that by default in HP-UX 11i, only the console has a getty instance running on it."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not f:/etc/inittab -> !r:^# && r:getty"
+
+  - id: 25013
+    title: "Disable NIS/NIS+ related processes, if possible."
+    description: "Disable NIS/NIS+ related processes. Network Information Service (NIS) is a distributed database providing centralized control of names, addresses, services, and key configuration files throughout a network of servers and clients. NIS was formerly known as Yellow Pages (YP). NIS+ is a replacement for NIS services, and is more scalable, flexible, and secure. It adds a security system with authentication and authorization services to validate users on the network and to determine if they allowed to access or modify the information requested. However, both systems have known security vulnerabilities, and have been an entry point for security attacks."
+    rationale: "Eliminate exposure to NIS/NIS+ vulnerabilities by not running related daemons on hosts that are not NIS/NIS+ servers or clients."
+    remediation: "Perform the following to disable the startup of NIS/NIS+ related processes: ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \ -p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \ -p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/namesvrs -> r:^NIS_MASTER_SERVER=0"
+      - "f:/etc/rc.config.d/namesvrs -> r:^NIS_CLIENT=0"
+      - "f:/etc/rc.config.d/namesvrs -> r:^NIS_SLAVE_SERVER=0"
+      - "f:/etc/rc.config.d/namesvrs -> r:^NISPLUS_SERVER=0"
+      - "f:/etc/rc.config.d/namesvrs -> r:^NISPLUS_CLIENT=0"
+
+  - id: 25014
+    title: "Disable printer daemons, if possible."
+    description: "Disable printer daemons. The Technical Print Service (TPS) is a printer service used in the X-Windows and/or CDE environment. It is recommended that this service be disabled if the hosting system does not participate in print services The administrator may wish to consider converting to the LPRng print system (see http://www.lprng.org/) which was designed with security in mind and is widely portable across many different Unix platforms. Note, however, that LPRng is not supported by Hewlett-Packard."
+    rationale: "Disabling unused services, such as TPS, will reduce the remote and local attack surfaces of the hosting system."
+    remediation: 'Perform the following to disable printer daemons: 1. Set the LP parameter to zero in the lp system configuration file /etc/rc.config.d/lp 2. Set the XPRINTSERVERS parameter to an empty string in the tps system configuration file /etc/rc.config.d/tps The following script will perform the above procedure:  ch_rc -a -p XPRINTSERVERS="''''" /etc/rc.config.d/tps ch_rc -a -p LP=0 /etc/rc.config.d/lp'
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/lp -> r:^LP=0"
+      - 'f:/etc/rc.config.d/tps -> r:^XPRINTSERVERS="''''"'
+
+  - id: 25015
+    title: "Disable the CDE GUI login, if possible."
+    description: "CDE stands for 'Common Desktop Environment,' and is an environment for logging on to and interacting with your system via an X-windows type GUI interface from the console. Intended for use with workstation or desktop systems, this service is not commonly used with the server-class systems or in large enterprise environments. The X Windows-based CDE GUI services were developed with a different set of security expecations from those expected in many enterprise deployments, and have had a history of security issues. Unless there is a mission-critical need for a CDE GUI login to the system, this service should not be run to further reduce opportunities for security attacks."
+    rationale: "The X Windows-based CDE GUI on HP-UX systems has had a history of security issues, and should be disabled if unused."
+    remediation: 'Perform the following to disable the GUI login: ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop'
+    compliance:
+      - cis: ["1.3.4"]
+      - cis_level: ["1"]
+    condition: any
+    rules:
+      - "not f:/etc/rc.config.d/desktop"
+      - 'f:/etc/rc.config.d/desktop -> r:DESKTOP=""$'
+
+  - id: 25016
+    title: "Disable email server, if possible."
+    description: "Disable the sendmail daemon to avoid processing incoming email. It is possible to run a Unix system with the Sendmail daemon disabled and still allow users on that system to send email out from that machine. Running Sendmail in 'daemon mode' (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network. The remediation below will result in a machine that can send email but not receive it. - Note that after disabling the -bd option on the local mail server on systems running Sendmail v8.12 or later (8.13 is currently shipped as part of HP-UX 11iv3), it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads 'D{MTAHost}localhost' and change localhost to the name of some other local mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for further processing and delivery. - Note that if the system is an email server, the administrator is encouraged to search the Web for additional documentation on Sendmail security issues."
+    rationale: "Avoid potential vulnerabilities in the sendmail server if incoming email service is not used."
+    remediation: "Perform the following to disable the sendmail server: 1. Set the SENDMAIL_SERVER parameter to zero in the mailservs system configuration file. 2. Setup a cron job to run sendmail at regular intervals (e.g. every hour) in order to process queued, outgoing mail. The following script will perform the above procedure: ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs cd /var/spool/cron/crontabs crontab -l >root.tmp echo '0 * * * * /usr/lib/sendmail -q' >>root.tmp crontab root.tmp rm -f root.tmp"
+    compliance:
+      - cis: ["1.3.5"]
+      - cis_level: ["1"]
+    references:
+      - http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf
+      - http://www.sendmail.org/
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/mailservs -> r:SENDMAIL_SERVER=0"
+      - 'c:crontab -l -> r:^\d+\.*sendmail -q'
+
+  - id: 25017
+    title: "Disable SNMP and OpenView Agents, if remote management or monitoring are not needed."
+    description: "Disable SNMP and OpenView agents if they are not needed. Note: If SNMP is used, it is recommended to change the default SNMP community string by modifying the get-community and set-community parameters in the SNMP configuration file /etc/SnmpAgent.d/snmpd.conf."
+    rationale: "If SNMP and OpenView agents are not needed, avoid potential security vulnerabilities in these programs by disabling them."
+    remediation: "Perform the following to disable the SNMP and OpenView Agents: cd /sbin/rc2.d mv -f S570SnmpFddi .NOS570SnmpFddi ch_rc -a -p SNMP_HPUNIX_START=0 \ /etc/rc.config.d/SnmpHpunix ch_rc -a -p SNMP_MASTER_START=0 \ /etc/rc.config.d/SnmpMaster ch_rc -a -p SNMP_MIB2_START=0 \ /etc/rc.config.d/SnmpMib2 ch_rc -a -p SNMP_TRAPDEST_START=0 \ /etc/rc.config.d/SnmpTrpDst ch_rc -a -p OSPFMIB=0 \ /etc/rc.config.d/netdaemons ch_rc -a -p OPCAGT=0 \ /etc/rc.config.d/opcagt"
+    compliance:
+      - cis: ["1.3.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not f:/sbin/rc2.d/S570SnmpFddi"
+      - "f:/etc/rc.config.d/SnmpHpunix -> r:SNMP_HPUNIX_START=0"
+      - "f:/etc/rc.config.d/SnmpMaster -> r:SNMP_MASTER_START=0"
+      - "f:/etc/rc.config.d/SnmpMib2 -> r:SNMP_MIB2_START=0"
+      - "f:/etc/rc.config.d/SnmpTrpDst -> r:SNMP_TRAPDEST_START=0"
+      - "f:/etc/rc.config.d/netdaemons -> r:OSPFMIB=0"
+      - "f:/etc/rc.config.d/opcagt -> r:OPCAGT=0"
+
+  - id: 25018
+    title: "Disable rarely used standard boot services."
+    description: 'Disable other standard boot services. Setting these variables in the /etc/rc.config.d configuration files will effectively disable a wide variety of infrequently used subsystems. Variables are merely set (rather than renaming or removing startup scripts) so that the local administrator can easily "restore" any of these services if they discover a mission-critical need to have it. Additionally, HP-UX patches tend to supply fresh copies of the startup scripts, so they may get inadvertently re- enabled, whereas setting configuration variables usually survives patch installs. Finally, setting configuration variables is the method recommended and supported by HP. Note that not all of the configuration files listed above will exist on all systems (some are only valid for certain releases, others only exist if certain OEM vendor software is installed). The rest of the actions in this section give the administrator the option of re-enabling certain services - in particular, the services that are disabled in the second block of the remediation section below. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems. Note: that HP-UX 11.31 was the first version to support disablement of the NFS core services. Disablement on earlier versions is possible by moving /sbin/rc2.d/S400nfs.core to /sbin/rc2.d/.NOS400nfs.core, but there is some risk of system instability.'
+    rationale: "Avoid potential security vulnerabilities in infrequently used subsystems by disabling them."
+    remediation: 'Perform the following: ch_rc -a -p START_SNAPLUS=0 -p START_SNANODE=0 \ -p START_SNAINETD=0 /etc/rc.config.d/snaplus2 ch_rc -a -p MROUTED=0 -p RWHOD=0 \-p DDFA=0 \ -p START_RBOOTD=0 /etc/rc.config.d/netdaemons ch_rc -a -p RARPD=0 -p RDPD=0 /etc/rc.config.d/netconf ch_rc -a -p PTYDAEMON_START=0 /etc/rc.config.d/ptydaemon ch_rc -a -p VTDAEMON_START=0 /etc/rc.config.d/vt ch_rc -a -p NAMED=0 /etc/rc.config.d/namesvrs ch_rc -a -p START_I4LMD=0 /etc/rc.config.d/i4lmd ch_rc -a -p RUN_X_FONT_SERVER=0 /etc/rc.config.d/xfs ch_rc -a -p AUDIO_SERVER=0 /etc/rc.config.d/audio ch_rc -a -p SLSD_DAEMON=0 /etc/rc.config.d/slsd ch_rc -a -p RUN_SAMBA=0 /etc/rc.config.d/samba ch_rc -a -p RUN_CIFSCLIENT=0 \ /etc/rc.config.d/cifsclient ch_rc -a -p NFS_SERVER=0 \ -p NFS_CLIENT=0 /etc/rc.config.d/nfsconf ch_rc -a -p HPWS_APACHE_START=0 /etc/rc.config.d/hpws_apacheconf ch_rc -a -p NFS_CORE=0 /etc/rc.config.d/nfsconf'
+    compliance:
+      - cis: ["1.3.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/snaplus2 -> r:START_SNAPLUS=0"
+      - "f:/etc/rc.config.d/snaplus2 -> r:START_SNANODE=0"
+      - "f:/etc/rc.config.d/snaplus2 -> r:START_SNAINETD=0"
+      - "f:/etc/rc.config.d/netdaemons -> r:MROUTED=0"
+      - "f:/etc/rc.config.d/netdaemons -> r:RWHOD=0"
+      - "f:/etc/rc.config.d/netdaemons -> r:DDFA=0"
+      - "f:/etc/rc.config.d/netdaemons -> r:START_RBOOTD=0"
+      - "f:/etc/rc.config.d/netconf -> r:RARPD=0"
+      - "f:/etc/rc.config.d/netconf -> r:RDPD=0"
+      - "f:/etc/rc.config.d/ptydaemon -> r:PTYDAEMON_START=0"
+      - "f:/etc/rc.config.d/vt -> r:VTDAEMON_START=0"
+      - "f:/etc/rc.config.d/namesvrs -> r:NAMED=0"
+      - "f:/etc/rc.config.d/i4lmd -> r:START_I4LMD=0"
+      - "f:/etc/rc.config.d/xfs -> r:RUN_X_FONT_SERVER=0"
+      - "f:/etc/rc.config.d/audio -> r:AUDIO_SERVER=0"
+      - "f:/etc/rc.config.d/slsd -> r:SLSD_DAEMON=0"
+      - "f:/etc/rc.config.d/samba -> r:RUN_SAMBA=0"
+      - "f:/etc/rc.config.d/cifsclient -> r:RUN_CIFSCLIENT=0"
+      - "f:/etc/rc.config.d/nfsconf -> r:NFS_SERVER=0"
+      - "f:/etc/rc.config.d/nfsconf -> r:NFS_CLIENT=0"
+      - "f:/etc/rc.config.d/hpws_apacheconf -> r:HPWS_APACHE_START=0"
+      - "f:/etc/rc.config.d/hpws_nfsconf -> r:NFS_CORE=0"
+
+  - id: 25019
+    title: "Only enable Windows-compatibility server processes if absolutely necessary."
+    description: "Re-enable CIFS Server (Samba) services. HP-UX 11i includes the popular Open Source Samba server (HP-UX CIFS Server) for providing file and print services to Windows-based systems. This allows an HP-UX system to act as a file or print server on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. However, if this functionality is not required by the site, this service should be disabled."
+    rationale: "This machine provides authentication, file sharing, or printer sharing services to systems running Microsoft Windows operating systems."
+    remediation: "Perform the following to re-enable CIFS Server: ch_rc -a -p RUN_SAMBA=1 /etc/rc.config.d/samba"
+    compliance:
+      - cis: ["1.3.8"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/samba -> r:RUN_SAMBA=0"
+
+  - id: 25020
+    title: "Only enable Windows-compatibility client processes if absolutely necessary."
+    description: "Re-enable the HP CIFS Client service."
+    rationale: "This system requires access to file systems from remote servers via the Windows (SMB) file services."
+    remediation: "Perform the following: ch_rc -a -p RUN_CIFSCLIENT=1 /etc/rc.config.d/cifsclient"
+    compliance:
+      - cis: ["1.3.9"]
+    condition: any
+    rules:
+      - "not f:/etc/rc.config.d/cifsclient"
+      - "f:/etc/rc.config.d/cifsclient -> r:RUN_CIFSCLIENT=0"
+
+  - id: 25021
+    title: "Only enable NFS server processes if absolutely necessary."
+    description: 'Re-enable the NFS file service. NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS server, the admin should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only" and "nosuid" where appropriate. For more information consult the exportfs(1M) manual page. Much higher levels of security can be achieved by combining NFS with secure RPC or Kerberos, although there is significant administrative overhead involved in this transition. Note that since this service uses ONC RPC mechanisms, it is important that the system''s RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 1.3.12 below. Also, note that some releases of Oracle software for HP-UX require NFS services in order to install properly. Therefore, the NFS server process may need to be started by hand on systems on which Oracle software is to be installed/updated. This can be accomplished by performing the following: 1. Temporarily set NFS_SERVER=1, /etc/rc.config.d/nfsconf 2. Execute:  /sbin/init.d/nfs.core start /sbin/init.d/nfs.server start 3. Install Oracle 4. Stop the NFS services:  /sbin/init.d/nfs.core stop /sbin/init.d/nfs.server stop 5. Disable the NFS services by resetting NFS_SERVER=0, NUM_NFSD=0, and NUM_NFSIOD=0 in /etc/rc.config.d/nfsconf.'
+    rationale: "This machine is a NFS file server."
+    remediation: "Perform the following: ch_rc -a -p NFS_SERVER=1 /etc/rc.config.d/nfsconf"
+    compliance:
+      - cis: ["1.3.10"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/nfsconf -> r:NFS_SERVER=0"
+      - "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSD=0"
+      - "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSIOD=0"
+
+  - id: 25022
+    title: "Only enable NFS client processes if absolutely necessary."
+    description: "Re-enable the NFS Client service. Again, unless there is a significant need for this system to acquire data via NFS, administrators should disable NFS-related services. Note that other file transfer schemes (such as rdist via SSH) can often be more secure than NFS for certain applications, although again the use of secure RPC or Kerberos can significantly improve NFS security. Also note that if the machine will be an NFS client, then the rpcbind process must be running (see Item 3.12 below). - Note that since this service uses ONC RPC mechanisms, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.12 below."
+    rationale: "This system must access file systems from remote servers via NFS."
+    remediation: "Perform the following: ch_rc -a -p NFS_CLIENT=1 /etc/rc.config.d/nfsconf"
+    compliance:
+      - cis: ["1.3.11"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/nfsconf -> r:NFS_CLIENT=0"
+
+  - id: 25023
+    title: "Only enable RPC-based services if absolutely necessary."
+    description: "Re-enable RPC-based services. RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. Unless one of the services listed above is required on this machine, it is best to disable RPC-based tools completely. If you are unsure whether or not a particular third-party application requires RPC services, consult with the application vendor. Note that disabling this service by renaming the startup file may not survive the install of RPC-related patches."
+    rationale: "RPC-based services are used such as: - This machine is an NFS client or server. - This machine is an NIS (YP) or NIS+ client or server. - This machine runs a GUI or GUI-based administration tool. - The machine runs a third-party software application which is dependent on RPC support (example: FlexLM License managers)."
+    remediation: "Perform the following for 11.31 and later: ch_rc -a -p NFS_CORE=1 /etc/rc.config.d/nfsconf For 11.23 and prior:  mv -f /sbin/rc2.d/.NOS400nfs.core \ /sbin/rc2.d/400nfs.core"
+    compliance:
+      - cis: ["1.3.12"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/nfsconf -> r:NFS_CORE=0"
+
+  - id: 25024
+    title: "Only enable Web server if absolutely necessary."
+    description: "Re-enable the Web server suite. Even if this machine is a Web server, the local site may choose not to use the Web server provided with HP-UX in favor of a locally developed and supported Web environment. If the machine is a Web server, the administrator is encouraged to search the Web for additional documentation on Web server security. A good starting point is http://httpd.apache.org/docs-2.0/misc/security_tips.html. Note that this action only disables the default web server shipped with the system. Other webservers instances may still be running."
+    rationale: "There is a mission-critical reason why this system must run a Web server."
+    remediation: "Perform the following: ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack ch_rc -a -p APACHE_START=1 /etc/rc.config.d/apacheconf ch_rc -a -p HPWS_APACHE32_START=1 /etc/rc.config.d/hpws_apache32conf ch_rc -a -p HPWS_TOMCAT_START=1 /etc/rc.config.d/hpws_tomcatconf ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack ch_rc -a -p HPWS_WEBMIN_START=1 /etc/rc.config.d/hpws_webminconf"
+    compliance:
+      - cis: ["1.3.13"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/apacheconf -> r:APACHE_START=0"
+      - "f:/etc/rc.config.d/hpws_apache32conf -> r:HPWS_APACHE32_START=0"
+      - "f:/etc/rc.config.d/hpws_tomcatconf -> r:HPWS_TOMCAT_START=0"
+      - "f:/etc/rc.config.d/ns-ftrack -> r:NS_FTRACK=0"
+      - "f:/etc/rc.config.d/hpws_webminconf -> r:HPWS_WEBMIN_START=0"
+
+  - id: 25025
+    title: "Only enable BIND DNS server if absolutely necessary."
+    description: "Re-enable the BIND DNS service. The BIND DNS server, or named, maps IP addresses to hostnames across the Internet and supplies these services to other hosts on the local local network. Though it has been widely implemented, BIND has a long history of security flaws, especially in the BIND 8.x release tree generally shipped with HP-UX 11.x systems. Therefore, if you are going to run BIND, you should strongly consider moving to the BIND 9.x release-tree. HP has supported BIND 9 packages available from http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND9.2 . Or it is available directly from the Internet Software Consortium (the developers of BIND), whose website is at http://www.isc.org."
+    rationale: "There exists a mission-critical reason why this system must run a DNS server."
+    remediation: "Perform the following: 11.23 and prior: ch_rc -a -p NAMED=1 /etc/rc.config.d/namesvrs 11.31 and later: ch_rc -a -p NAMED=1 /etc/rc.config.d/namesvrs_dns"
+    compliance:
+      - cis: ["1.3.14"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/namesvrs_dns -> r:NAMED=0"
+
+  #################################################################
+  # 1.4 Kernel Tuning
+  #################################################################
+
+  - id: 25026
+    title: "Enable stack protection."
+    description: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. - Note that HP-UX 11i is much more capable in this and other security areas than older releases; therefore, administrators should strongly consider upgrading from older releases. - Note that this action requires a subsequent reboot to take effect in some versions of HP-UX."
+    rationale: "Buffer overflow exploits have been the basis for many of the recent highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system crackers exploit well-known buffer overflow problems in vendor-supplied and third-party software. Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement."
+    remediation: "For 11i v2 and later: kctune -K executable_stack=0 For 11i v1: /usr/sbin/kmtune -s executable_stack=0 && mk_kernel && kmupdate"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'c:sh -c "kctune | grep executable_stack" -> r:executable_stack\s+0'
+
+  - id: 25027
+    title: "Network parameter modifications."
+    description: "Modify the network parameter boot configuration file to meet current best practices. Note: HP-UX 11.11 systems require patch PHNE_25644 for ndd to set arp_cleanup_interval from /etc/rc.config.d/nddconf. - Bastille Note: Bastille performs a similar action but does not support the exact same changes."
+    rationale: "Network parameter default values should align with current best practices unless there is a specific need to use other values."
+    remediation: "Perform the following to update the default network parameter values: 1. Change to the /etc/rc.config.d directory 2. Open nddconf and review the comment lines on how to use the configuration file 3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index. 4. Save nddconf. - If creating this file for the first time: 1. Set root as the owner of nddconf. 2. Set sys as the group owner of nddconf. 3. Restrict write access to nddconf to the file owner. 4. Remove the executable and sticky bit from nddconf. If the existing nddconf file contains no entries, then the following script will perform the above procedure: cd /etc/rc.config.d cat <<EOF > nddconf # Increase size of half-open connection queue TRANSPORT_NAME[0]=tcp NDD_NAME[0]=tcp_syn_rcvd_max NDD_VALUE[0]=4096 # Reduce timeouts on ARP cache TRANSPORT_NAME[1]=arp NDD_NAME[1]=arp_cleanup_interval NDD_VALUE[1]=60000 # Drop source-routed packets TRANSPORT_NAME[2]=ip NDD_NAME[2]=ip_forward_src_routed NDD_VALUE[2]=0 # Don't forward directed broadcasts TRANSPORT_NAME[3]=ip NDD_NAME[3]=ip_forward_directed_broadcasts NDD_VALUE[3]=0 # Don't respond to unicast ICMP timestamp requests TRANSPORT_NAME[4]=ip NDD_NAME[4]=ip_respond_to_timestamp NDD_VALUE[4]=0 # Don't respond to broadcast ICMP tstamp reqs TRANSPORT_NAME[5]=ip NDD_NAME[5]=ip_respond_to_timestamp_broadcast NDD_VALUE[5]=0 # Don't respond to ICMP address mask requests TRANSPORT_NAME[6]=ip NDD_NAME[6]=ip_respond_to_address_mask_broadcast NDD_VALUE[6]=0 # Don‟t respond to broadcast echo requests TRANSPORT_NAME[7]=ip NDD_NAME[7]=ip_respond_to_echo_broadcast NDD_VALUE[7]=0 EOF chown root:sys nddconf chmod go-w,ug-s nddconf"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:ndd -get /dev/tcp tcp_syn_rcvd_max -> r:4096"
+      - "c:ndd -get /dev/arp arp_cleanup_interval -> r:60000"
+      - "c:ndd -get /dev/ip ip_forward_src_routed -> r:^0$"
+      - "c:ndd -get /dev/ip ip_forward_directed_broadcasts -> r:^0$"
+      - "c:ndd -get /dev/ip ip_respond_to_timestamp -> r:^0$"
+      - "c:ndd -get /dev/ip ip_respond_to_timestamp_broadcast -> r:^0$"
+      - "c:ndd -get /dev/ip ip_respond_to_address_mask_broadcast -> r:^0$"
+      - "c:ndd -get /dev/ip ip_respond_to_echo_broadcast -> r:^0$"
+      - 'not c:sh -c "ls -la /etc/rc.config.d/nddconf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25028
+    title: "Use more random TCP sequence numbers."
+    description: "Generate initial TCP sequence numbers that comply with RFC1948. - Note: In HP-UX 11i v1 and later, an algorithm largely compliant with RFC1948 is already used. However, setting the isn passphrase closes the small remaining gap, and adds entropy to the seed."
+    rationale: "Makes remote off-net session hijacking attacks more difficult."
+    remediation: "Perform the following to use more random TCP sequence numbers upon system startup: 1. Create/open the file /sbin/rc2.d/S999tcpisn 2. Add the following line: ndd -set /dev/tcp tcp_isn_passprase=<random string> replacing <random string> with a string of random characters. 3. Save the file. 4. Set root as the owner and bin as the group owner of the file. 5. Restrict write access to the file. 6. Set the execution bit for the file."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not c:ndd -get /dev/tcp tcp_isn_passphrase -> r:^\\w+$"
+      - 'not c:sh -c "ls -la /sbin/rc2.d/S999tcpisn | grep -v -e ^-r-xr-xr-x.*root.*bin | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25029
+    title: "Additional network parameter modifications."
+    description: "Configure networking to NOT forward TCP/IP packets between multiple networks, even if the machine has multiple network adapters connected to multiple networks."
+    rationale: "System is not going to be used as a firewall or gateway to pass network traffic between different networks."
+    remediation: "Perform the following to disable forwarding TCP/IP packets between networks: 1. Change to the /etc/rc.config.d directory 2. Open nddconf and review the comment lines on how to use the configuration file 3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index. 4. Save nddconf. If creating this file for the first time: 5. Set root as the owner of nddconf. 6. Set sys as the group owner of nddconf. 7. Restrict write access to nddconf to the file owner. 8. Remove the executable and sticky bit from nddconf. The following script will perform the above procedure properly if used as a follow-on from the script in item 1.4.2: cat <<EOF >> /etc/rc.config.d/nddconf # Don‟t act as a router TRANSPORT_NAME[8]=ip NDD_NAME[8]=ip_forwarding NDD_VALUE[8]=0 TRANSPORT_NAME[9]=ip NDD_NAME[9]=ip_send_redirects NDD_VALUE[9]=0 EOF"
+    compliance:
+      - cis: ["1.4.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:ndd -get /dev/ip ip_forwarding -> r:^0$"
+      - "c:ndd -get /dev/ip ip_send_redirects -> r:^0$"
+      - 'not c:sh -c "ls -la /etc/rc.config.d/nddconf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  #################################################################
+  # 1.5 File/Directory Permissions/Access
+  #################################################################
+
+  # List of find folders command may need to be configured to work in a customized HP-UX deployment
+  - id: 25030
+    title: "Resolve 'unowned' files and directories."
+    description: "Evaluate ownership of any files that are not owned by a locally defined user, and consider reassignment to an active user."
+    rationale: "Sometimes when administrators delete users from the system they neglect to remove all files owned by those users from the system. A new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended. It is a good idea to locate files that are owned by users or groups not listed in the system configuration files, and make sure to reset the ownership of these files to some active user on the system (in this example, 'bin') as appropriate."
+    remediation: 'Perform the following to identify "unowned" files and directories, and consider resetting ownership to a default owner and restricting access permissions: 1. Locate all local files that are owned by users or groups not listed in the system configuration files. find / \( -nouser -o -nogroup \) 2. Consider resetting user and group ownership of these files to a default active user (e.g. bin) chown bin:bin <filename> 3. Consider restricting world-write permissions, and removing any SUID/SGID bits on these files. chmod ug-s,o-w <filename> - Note: there is no reason for an application to require an unowned file, so these changes should be application-safe.'
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_level: ["1"]
+    condition: none
+    rules:
+      - 'c:find /bin \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /diskaldata \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /lib \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /opt \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /tmp \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /core \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /etc \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /sbin \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /usr \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /dev \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /home \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /net \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /stand \( -nouser -o -nogroup \) -> r:\w'
+      - 'c:find /var \( -nouser -o -nogroup \) -> r:\w'
+
+  #################################################################
+  # 1.6 System Access, Authentication, and Authorization
+  #################################################################
+
+  - id: 25031
+    title: "Enable Hidden Passwords."
+    description: "Enable hidden passwords by converting the system to a Trusted System or to use Shadow Passwords. - Note: do not perform this if the system runs applications that read the encrypted password entries in /etc/passwd directly."
+    rationale: "Without hidden passwords, an intruder could use any user's account to obtain hashed passwords and use crack or similar utilities to find easily guessed passwords. Password aging (covered in item 1.8.3) ensures that users change their passwords on a regular basis and helps stop the use of stolen passwords."
+    remediation: "Perform one of the following to convert the system to trusted mode or shadowed mode: A. Use the system management program smh or sam to convert to a trusted system -or- B. Use the command pwconv to convert to shadowed passwords."
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/shadow"
+
+  - id: 25032
+    title: "Restrict users who can access to FTP."
+    description: "Configure FTP to prevent certain users from accessing the system via FTP. The file ftpusers contains a list of users who are not allowed to access the system via FTP. Generally, only normal users should ever access the system via FTP - there should be no reason for 'system' type accounts to be transferring information via this mechanism. Certainly, the root account should never be allowed to transfer files directly via FTP. - Note: more fine-grained FTP access controls can be placed in /etc/ftpd/ftpaccess."
+    rationale: "Privileged users such as root and other 'system' type accounts should never be transferring information via such an insecure service as FTP."
+    remediation: "Perform the following to restrict default priviledged users from access to FTP: 1. Add the users root daemon bin sys adm lp uucp nuucp nobody hpdb useradm to the file /etc/ftpd/ftpusers (each user on a single line). 2. Set the file owner and group owner to the user bin. 3. Set the file permissions so that only the file owner has read or write perms and no user has execute permission (600). The following script will create and populate the ftpusers file as described above: for name in root daemon bin sys adm lp \ uucp nuucp nobody hpdb useradm do echo $name done >> $ftpusers sort -u $ftpusers > $ftpusers.tmp cp $ftpusers.tmp $ftpusers rm -f $ftpusers.tmp chown bin:bin $ftpusers chmod 600 $ftpusers"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/ftpd/ftpusers"
+      - "f:/etc/ftpd/ftpusers -> r:^root$"
+      - "f:/etc/ftpd/ftpusers -> r:^daemon$"
+      - "f:/etc/ftpd/ftpusers -> r:^bin$"
+      - "f:/etc/ftpd/ftpusers -> r:^adm$"
+      - "f:/etc/ftpd/ftpusers -> r:^lp$"
+      - "f:/etc/ftpd/ftpusers -> r:^uucp$"
+      - "f:/etc/ftpd/ftpusers -> r:^nuucp$"
+      - "f:/etc/ftpd/ftpusers -> r:^nobody$"
+      - "f:/etc/ftpd/ftpusers -> r:^hpdb$"
+      - "f:/etc/ftpd/ftpusers -> r:^useradm$"
+      - 'not c:sh -c "ls -la /etc/ftpd/ftpusers | grep -v -e ^-rw-------.*bin.*bin | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25033
+    title: "Prevent Syslog from accepting messages from the network."
+    description: "Prevent syslogd from accepting messages from the network. By default the system logging daemon, syslogd, listens for log messages from other systems on network port 514/udp. Unfortunately, the protocol used to transfer these messages does not include any form of authentication, so a malicious outsider could simply barrage the local system's Syslog port with spurious traffic—either as a denial-of-service attack on the system, or to fill up the local system's logging file systems so that subsequent attacks will not be logged. - Note: Do not perform this action if this machine is a log server, or needs to receive Syslog messages via the network from other systems. - Note: It is considered good practice to setup one or more machines as central 'log servers' to aggregate log traffic from all machines at a site. However, unless a system is set up to be one of these 'log server' systems, it should not be listening on 514/udp for incoming log messages."
+    rationale: "Disabling unused network services will reduce the remote attack surfaces of the hosting system."
+    remediation: 'Disable the syslog network option by doing the following: 1. Open the syslogd startup configuration file /etc/rc.config.d/syslogd 2. Add the parameter "-N" to the SYSLOGD_OPTS= line if it is not already present 3. Save and close the file. The following script will perform the procedure above: SYSLOGD_OPTS="`sh -c ". /etc/rc.config.d/syslogd ; \ echo "$SYSLOGD_OPTS"''`" if [[ "$SYSLOGD_OPTS" = *-N* ]]; then ch_rc -a -p SYSLOGD_OPTS="-N $SYSLOGD_OPTS" \ /etc/rc.config.d/syslogd fi'
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/syslogd -> r:^SYSLOGD_OPTS && r:-N"
+
+  - id: 25034
+    title: "Disable XDMCP port."
+    description: "Disable the XDMCP port for remote login services. The standard GUI login provided on most Unix systems can act as a remote login server to other devices (including X terminals and other workstations). Access control is handled via the Xaccess file—by default under HP-UX, this file allows any system on the network to get a remote login screen from the local system. This behavior can be overridden in the /etc/dt/config/Xaccess file."
+    rationale: "XDMCP is an unencrypted protocol that may reduce the confidentiality and integrity of data that traverses it."
+    remediation: "Perform the following to disable the XDMCP port: 1. Open the file /etc/dt/config/Xconfig. If it does not exist, copy it from /usr/dt/config/Xconfig. 2. Append the line Dtlogin.requestPort:0 to the file and close. The following script will perform the procedure above: if [ ! -f /etc/dt/config/Xconfig ]; then mkdir -p /etc/dt/config cp -p /usr/dt/config/Xconfig /etc/dt/config fi cd /etc/dt/config awk '/Dtlogin.requestPort:/ \ { print \"Dtlogin.requestPort: 0\"; next } { print }' Xconfig > Xconfig.new cp Xconfig.new Xconfig rm -f Xconfig.new"
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/dt/config/Xconfig"
+      - 'f:/etc/dt/config/Xconfig -> r:Dtlogin.requestPort:\s*0'
+
+  - id: 25035
+    title: "Configure IPFilter to allow only select communication."
+    description: "HP-UX IPFilter (B9901AA) is a stateful system firewall that controls IP packet flow in or out of a machine. It is installed by default on HP-UX 11iv2 (11.23) and later. On older systems, IPFilter can be obtained from http://www.hp.com/go/ipfilter. The rules below will work in an otherwise-empty ipf.conf file, or, if there are rules already present, it will block all that were not passed earlier in the ruleset. This is less likely to break things, but will allow more traffic through. Alternatively, you can instead take the pass lines below (not using the block rule), and change them into 'block in quick' rules, and place those at the top of the file. This will error on the side of blocking traffic. See ipf(5) for detail. Your ruleset can be tested using ipftest(1). Bastille note: if using to change and monitor the IPFilter firewall, ensure that rules are added to /etc/opt/sec_mgmt/bastille/ipf.customrules, and that Bastille is rerun with the last config file, so they will not be overwritten in a subsequent lockdown."
+    rationale: "Restricting incoming network traffic to explicitly allowed hosts will help prevent unauthorized access the system."
+    remediation: "Perform the following to add enable ipfilter and install a default ruleset to block unauthorized incoming connections: 1. Enable ipfilter: ipfilter -e 2. Append the following lines to /etc/opt/ipf/ipf.conf:  block in all pass in from <allowed net>/<mask> pass in from <allowed net>/<mask> replacing each <allowed net>/<mask> with an authorized IP address and mask. 3. Flush the old rules and read in the updated rules: ipf -Fa -f /etc/opt/ipf/ipf.conf The following script can be used to as a template for creating your own script to perform the procedure above: ipfilter -e cat <<EOF >> /etc/opt/ipf/ipf.conf block in all pass in from <allowed net>/<mask> pass in from <allowed net>/<mask> EOF ipf -Fa -f /etc/opt/ipf/ipf.conf"
+    compliance:
+      - cis: ["1.6.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "c:ipfilter -e -> r:IPFilter Enabled"
+      - "c:ipfstat -io -> r:block in from any to any"
+
+  - id: 25036
+    title: "Restrict at/cron to authorized users."
+    description: "The cron.allow and at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals. - Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. cron.allow only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator needs the ability to schedule jobs."
+    remediation: "Perform the following to restrict at/cron to root only: 1. Change to the /var/adm/cron directory 2. Archive or delete any existing cron.deny and at.deny files 3. Create or replace the cron.allow and at.allow files with a single line file containing just root 4. Ensure that the files are owned by root and group owned by sys 5. Ensure that no users have write/execute permission to the files, and that only root has read access to the files. The following script will perform the procedures above: cd /var/adm/cron rm -f cron.deny at.deny echo root >cron.allow echo root >at.allow chown root:sys cron.allow at.allow chmod 400 cron.allow at.allow"
+    compliance:
+      - cis: ["1.6.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not f:/var/adm/cron/cron.deny"
+      - "not f:/var/adm/cron/at.deny"
+      - "f:/var/adm/cron/cron.allow"
+      - "f:/var/adm/cron/at.allow"
+      - "f:/var/adm/cron/cron.allow -> r:root"
+      - "f:/var/adm/cron/at.allow -> r:root"
+      - 'not c:sh -c "ls -la /var/adm/cron/cron.allow | grep -v -e ^-r--------.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+      - 'not c:sh -c "ls -la /var/adm/cron/at.allow | grep -v -e ^-r--------.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25037
+    title: "Restrict crontab file permissions."
+    description: "The system crontab files are only accessed by the cron daemon (which runs with superuser privileges) and the crontab command (which is set-UID to root)."
+    rationale: "Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated privileges."
+    remediation: "Perform the following so that only root has access to the crontab files: 1. Change to the /var/spool/cron/crontabs directory 2. Change the file owner to root and file group owner to sys 3. Set file permissions so that only root has access to the files. The following script will perform the procedure above: cd /var/spool/cron/crontabs chown root:sys * chmod og-rwx *"
+    compliance:
+      - cis: ["1.6.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "ls -la /var/spool/cron/crontabs | grep -v -e ^-rwxrwx---.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 25038
+    title: "Restrict root logins to system console."
+    description: "Anonymous root logins should never be allowed except on the system console in emergency situations. At all other times, the administrator should access the system via an unprivileged account and use some authorized mechanism to gain additional privilege, such as the su command, the freely-available sudo package discussed in item SN.6, or the HP Role Based Authorization system also discussed in item SN.6. These mechanisms provide at least a limited audit trail in the event of problems."
+    rationale: "Anonymous root logins do not provide an audit trail, nor are subject to additional authorization provisions."
+    remediation: "Perform the following to restrict root logins to the system console only: 1. Replace the file /etc/securetty with a single line file containing console 2. Change the file owner to root and file group owner to sys 3. Set file permissions so that only root has access to the file. The following script will perform the procedure above:  echo console > /etc/securetty chown root:sys /etc/securetty chmod og-rwx /etc/securetty"
+    compliance:
+      - cis: ["1.6.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/securetty"
+      - "f:/etc/securetty -> r:console"
+      - 'c:sh -c "ls -la /etc/securetty | grep -e ^-rwxrwx---.*root.*sys | grep -v total" -> r:/etc/securetty'
+
+  - id: 25039
+    title: "Disable nobody access for secure RPC."
+    description: 'The keyserv process stores user keys that are utilized with the ONC secure RPC mechanism. The action below prevents keyserv from using default keys for the "nobody" user, effectively stopping this user from accessing information via secure RPC.'
+    rationale: "The default 'nobody' user should not be accessing information via secure RPC."
+    remediation: "Perform the following to disable nobody access for secure RPC: 1. Add the '-d' option to the KEYSERV_OPTIONS parameter in the system startup configuration file /etc/rc.config.d/namesvrs The following script will perform the procedure above: KEYSERV_OPTIONS=\"`sh -c '. /etc/rc.config.d/namesvrs ; echo \"$KEYSERV_OPTIONS\"'`\" ch_rc -a -p KEYSERV_OPTIONS=\"-d $KEYSERV_OPTIONS \" \ /etc/rc.config.d/namesvrs"
+    compliance:
+      - cis: ["1.6.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/namesvrs -> r:KEYSERV_OPTIONS= && r:-d"
+
+  #################################################################
+  # 1.7 Logging
+  #################################################################
+
+  - id: 25040
+    title: "Enable logging from inetd."
+    description: 'If inetd is running, it is a good idea to make use of the "logging" (-l) feature of the HP-UX inetd that logs information about the source of any network connections seen by the daemon, allowing the administrator (or software) to scan the logs for unusual activity. This is especially powerful when combined with the access control capabilities accessible through inetd''s /var/adm/inetd.sec configuration file. This information is logged via Syslog and by default HP-UX systems deposit this logging information in var/adm/syslog/syslog.log with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination. IPFilter, which comes with HP-UX, can log inetd and other connections or attempted connections with its "ipmon" daemon as either a compliment or alternative to inetd logging.'
+    rationale: "Logging information about the source of inetd network connections assists in the detection and identification of unusual activity that may be associated with security intrusions."
+    remediation: "Perform the following: ch_rc -a -p INETD_ARGS=-l /etc/rc.config.d/netdaemons"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/rc.config.d/netdaemons -> r:INETD_ARGS=-l"
+
+  - id: 25141
+    title: "Turn on additional logging for FTP daemon."
+    description: "If the FTP daemon is left on, it is recommended that the command logging (-L) and connection logging (-l) flags also be enabled to track FTP activity on the system, allowing the administrator (or software) to scan the logs for unusual activity. This is especially powerful when combined with the access control capabilities accessible through inetd's /var/adm/inetd.sec configuration file. Note that this setting has no effect if the FTP daemon remains de-activated from item 2.1. Also note that enabling command logging on the FTP daemon (HP-UX 11.x only) can cause user passwords to appear in clear-text form in the system logs, if the user accidentally types their password at the username prompt. Information about FTP sessions will be logged to Syslog and by default HP-UX systems deposit this logging information in /var/adm/syslog/syslog.log with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination."
+    rationale: "Logging information about the source of ftp network connections assists in the detection and identification of unusual activity that may be associated with security intrusions."
+    remediation: 'Perform the following to enable logging for the FTP daemon: 1. Change directory to /etc. 2. Open the inetd.conf file and locate the ftpd configuration entry line. 3. Add the "-L" and "-l" flags to the ftpd entry if not already present. 4. Save and close file. The following script will perform the procedure above: cd /etc awk ''/^ftpd/ && !/-L/ { $NF = $NF " -L" } /^ftpd/ && !/-l/ { $NF = $NF " -l" } { print }'' inetd.conf > inetd.conf.tmp cp inetd.conf.tmp inetd.conf rm -f inetd.conf.tmp'
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/inetd.conf -> r:^ftpd && r:-l"
+      - "f:/etc/inetd.conf -> r:^ftpd && r:-L"
+
+  #################################################################
+  # 1.8 User Accounts and Environment
+  #################################################################
+
+  - id: 25042
+    title: "Block system accounts."
+    description: "Accounts that are not being used by regular users should be locked. Not only should the password field for the account be set to an invalid string, but the shell field in the password file should contain an invalid shell. Access to the uucp and nuucp accounts is only needed when the deprecated Unix to Unix Copy (UUCP) service is in use. The other listed accounts should never require direct access. The actions below locks the passwords to these accounts (on systems converted to Trusted Mode only) and sets the login shell to /bin/false. Note that the above is not an exhaustive list of possible system/application accounts that could be installed on the system. An audit of all users on the system is the only way to be sure that only authorized accounts are in place."
+    rationale: "System accounts are not used by regular users, and almost never require direct access; thus, they should be locked to prevent accidental or malicious usage."
+    remediation: 'Perform the following to properly lock the following known system users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm 1. Lock the account: passwd -l <user> 2. Set the login shell to an invalid program: /usr/sbin/usermod -s /bin/false <user> 3. If a trusted system, set the adminstrator lock: /usr/lbin/modprpw -m alock=YES <user> The following script will perform the procedure above: for user in www sys smbnull iwww owww sshd \ hpsmh named uucp nuucp adm daemon bin lp \ nobody noaccess hpdb useradm; do passwd -l "$user" /usr/sbin/usermod -s /bin/false "$user" if [[ -f /tcb ]]; then /usr/lbin/modprpw -m alock=YES "$user" fi done'
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^www && r:/bin/false"
+      - "f:/etc/passwd -> r:^sys && r:/bin/false"
+      - "f:/etc/passwd -> r:^smbnull && r:/bin/false"
+      - "f:/etc/passwd -> r:^iwww && r:/bin/false"
+      - "f:/etc/passwd -> r:^owww && r:/bin/false"
+      - "f:/etc/passwd -> r:^sshd && r:/bin/false"
+      - "f:/etc/passwd -> r:^hpsmh && r:/bin/false"
+      - "f:/etc/passwd -> r:^named && r:/bin/false"
+      - "f:/etc/passwd -> r:^uucp && r:/bin/false"
+      - "f:/etc/passwd -> r:^nuucp && r:/bin/false"
+      - "f:/etc/passwd -> r:^adm && r:/bin/false"
+      - "f:/etc/passwd -> r:^daemon && r:/bin/false"
+      - "f:/etc/passwd -> r:^bin && r:/bin/false"
+      - "f:/etc/passwd -> r:^lp && r:/bin/false"
+      - "f:/etc/passwd -> r:^nobody && r:/bin/false"
+      - "f:/etc/passwd -> r:^noaccess && r:/bin/false"
+      - "f:/etc/passwd -> r:^hpdb && r:/bin/false"
+      - "f:/etc/passwd -> r:^useradm && r:/bin/false"
+
+  - id: 25043
+    title: "Verify that there are no accounts with empty password fields."
+    description: 'An account with an empty password field means that anybody may log in as that user without providing a password at all. All accounts should have strong passwords or should be locked by using a password string like "*", "NP", or "*LOCKED*"'
+    rationale: "User accounts should have passwords, or be locked."
+    remediation: "Perform the following to ensure that no accounts have an empty password field: 1. Identify all user accounts with an empty password field: logins -p 2. Lock each account: passwd -l <user> 3. If a trusted system, set the administrator lock: /usr/lbin/modprpw -m alock=YES <user>"
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'not c:logins -p -> r:^\w'
+
+  - id: 25044
+    title: "Set account expiration parameters on active accounts."
+    description: "The commands below will set all active accounts (except the root account) to force password changes every 90 days (91 days when not running in HP-UX Trusted Mode) and then prevent password changes for seven days (one week) thereafter. Users will begin receiving warnings 30 days (28 days when not running in HP-UX Trusted Mode) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option). These are recommended starting values, but sites may choose to make them more restrictive depending on local policies."
+    rationale: "It is a good idea to force users to change passwords on a regular basis."
+    remediation: 'Perform the following to set password expiration parameters on all active accounts: 1. Identify all user accounts excluding root that are not locked, and for each: 2. Set password expiration parameters for the account (logname) by executing the following: passwd -x 91 -n 7 -w 28 <logname> for trusted systems, perform the following: /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 <logname> 3. Set the default account expiration parameters by appending the following lines to /etc/default/security: a. PASSWORD_MAXDAYS=91 b. PASSWORD_MINDAYS=7 c. PASSWORD_WARNDAYS=28 4. Set the default parameters for trusted systems with: /usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30 The following script will perform the procedure above. logins -ox \ | awk -F: ''($8 != "LK" && $1 != "root") { print $1 }'' \ | while read logname; do passwd -x 91 -n 7 -w 28 "$logname" /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 \ "$logname" done echo PASSWORD_MAXDAYS=91 >> /etc/default/security echo PASSWORD_MINDAYS=7 >> /etc/default/security echo PASSWORD_WARNDAYS=28 >> /etc/default/security /usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30'
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/etc/default/security -> n:^\s*PASSWORD_MAXDAYS=(\d+) compare <= 91'
+      - 'f:/etc/default/security -> n:^\s*PASSWORD_WARNDAYS=(\d+) compare <= 28'
+      - 'f:/etc/default/security -> n:^\s*PASSWORD_MINDAYS=(\d+) compare <= 7'
+
+  - id: 25045
+    title: "Set strong password enforcement policies."
+    description: "The policies set here are designed to force users to make better password choices when changing their passwords. Sites often have differing opinions on the optimal value of the MIN_PASSWORD_LENGTH and PASSWORD_HISTORY_DEPTH parameters. A minimum password length of seven is in line with industry standards, especially the Payment Card Industry (PCI) Security Standard; however, a longer value may be warranted if account locks are not enabled (item 1.6.10). A password history depth of ten combined with passwords that expire four times per year (item 1.8.3) means users will typically not re-use the same password in any given year. Requiring an upper/lowercase and special character password will dramatically increase the password search space and lower the chances for brute-force attack significantly. - Note: these settings are known to exist for HP-UX 11iv2, 0512 and later. The man page for security(5) will indicate if these exist on your particular system. Be sure to consult you local security standards before adopting the values given above."
+    rationale: "All users should use strong passwords."
+    remediation: "Perform the following to set strong password enforcement policies: 1. Change the following parameters in the /etc/default/security file to establish default password policies for new users: a. MIN_PASSORD_LENGTH=7 b. PASSWORD_HISTORY_DEPTH=10 c. PASSWORD_MIN_UPPER_CASE_CHARS=1 d. PASSWORD_MIN_DIGIT_CHARS=1 e. PASSWORD_MIN_SPECIAL_CHARS=1 f. PASSWORD_MIN_LOWER_CASE_CHARS=1 2. If using a trusted system, issue the following modprdef commands to disallow null or trivial passwords:  modprdef -m nullpw=NO modprdef -m rstrpw=YES The following script will perform the procedure above: modprdef -m nullpw=NO modprdef -m rstrpw=YES ch_rc -a -p MIN_PASSORD_LENGTH=7 /etc/default/security ch_rc -a -p PASSWORD_HISTORY_DEPTH=10 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_UPPER_CASE_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_DIGIT_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_SPECIAL_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_LOWER_CASE_CHARS=1 \ /etc/default/security modprdef -m nullpw=NO modprdef -m rstrpw=YES"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/etc/default/security -> r:^\s*MIN_PASSORD_LENGTH=(\d+) compare >= 7'
+      - 'f:/etc/default/security -> r:^\s*PASSWORD_HISTORY_DEPTH=(\d+) compare >= 10'
+      - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_UPPER_CASE_CHARS=(\d+) compare <= 1'
+      - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_DIGIT_CHARS=(\d+) compare >= 1'
+      - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_SPECIAL_CHARS=(\d+) compare >= 1'
+      - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_LOWER_CASE_CHARS=(\d+) compare >= 1'
+
+  - id: 25046
+    title: "Verify no legacy '+' entries exist in passwd and group files."
+    description: "'+' entries in various passwd and group files served as markers for systems to insert data from NIS maps at a certain point in a system configuration file. HP-UX does not use these markers, but they may exist in files that have been imported from other platforms. They should be deleted if they exist."
+    rationale: "Legacy '+' entries are no longer required on HP-UX systems, and may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Perform the following to remove any legacy '+' entries in passwd and group files: 1. Display legacy '+' entries: grep '^+:' /etc/passwd /etc/group 2. Remove any entries found from the passwd and group files."
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "not f:/etc/passwd -> r:^+:"
+      - "not f:/etc/group -> r:^+:"
+
+  - id: 25047
+    title: "Set default umask for users."
+    description: "Set the default umask to 077 so that files created by users will not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. - Bastille Note: sets the default umask, but uses a umask of 027 rather than the 077."
+    rationale: "Restricting access to files and directories created by a user from any other user on the system reduces the possibility of an unauthorized account accessing that user's files. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
+    remediation: 'Perform the following to set a default umask for users: 1. Change directory to /etc 2. Append the line umask 077 to the following files: a. profile b. csh.login c. d.profile d. d.login 3. Update the UMASK parameter to 077 in the file /etc/default/security The following script performs the procedure above: cd /etc for file in profile csh.login d.profile d.login do echo umask 077 >> "$file" done ch_rc -a -p UMASK=077 /etc/default/security'
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/etc/default/security -> r:^\s*UMASK=077'
+      - 'f:/etc/profile -> r:^\s*umask 077'
+      - 'f:/etc/csh.login -> r:^\s*umask 077'
+      - 'f:/etc/d.profile -> r:^\s*umask 077'
+      - 'f:/etc/d.login -> r:^\s*umask 077'
+
+  - id: 25048
+    title: "Set 'mesg n' as default for all users."
+    description: "Block the use of write or talk commands to contact the user at their terminal in order to slightly strengthen permissions on the user's tty device. Note that this setting is the default on HP-UX 11i."
+    rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
+    remediation: 'Perform the following: 1. Change directory to /etc 2. Append the line mesg n to the following files: a. profile b. csh.login c. d.profile d. d.login The following script performs the procedure above:  cd /etc for file in profile csh.login d.profile d.login do  echo mesg n >> "$file" done'
+    compliance:
+      - cis: ["1.8.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/etc/profile -> r:^\s*mesg n'
+      - 'f:/etc/csh.login -> r:^\s*mesg n'
+      - 'f:/etc/d.profile -> r:^\s*mesg n'
+      - 'f:/etc/d.login -> r:^\s*mesg n'
+
+  #################################################################
+  # 1.9 Warning Banners
+  #################################################################
+
+  - id: 25049
+    title: "Create warning banners for terminal-session logins."
+    description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, as well as for remote terminal-session logins such as through SSH or Telnet. /etc/motd is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed."
+    rationale: "Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system."
+    remediation: 'Perform the following to create warning banners for terminal-session logins: 1. Compose a default banner text string 2. Append this string to the files /etc/motd and /etc/motd 3. Change the owner to root and group owner to sys for the file /etc/motd 4. Change the owner to root and group owner to root for the file /etc/issue 5. Change file permissions to (644) for the files /etc/motd and /etc/issue The following script performs the procedure above: banner="Authorized users only. All activity may \ be monitored and reported." echo "$banner" >> /etc/motd echo "$banner" >> /etc/issue chown root:sys /etc/motd chown root:root /etc/issue chmod 644 /etc/motd /etc/issue'
+    compliance:
+      - cis: ["1.9.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/motd"
+      - "f:/etc/issue"
+      - 'c:ls -la /etc/motd -> r:^-rw-r--r--\.*root\.*sys'
+      - 'c:ls -la /etc/issue -> r:^-rw-r--r--\.*root\.*root'
+
+  - id: 25050
+    title: "Create warning banners for FTP daemon."
+    description: "The FTP daemon in HP-UX 11 is based on the popular Washington University FTP daemon (WU-FTPD), which is an Open Source program widely distributed on the Internet. Note that this setting has no effect if the FTP daemon remains de-activated from item 1.2.1."
+    rationale: "Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system."
+    remediation: 'Perform the following to install a default warning banner for the FTP daemon: 1. Ensure that an appropriate warning message exists in the /etc/issue file . 2. Append the line "banner /etc/issue" to the file /etc/ftpd/ftpaccess 3. Change file permissions to 600 for /etc/ftpd/ftpaccess 4. Change owner to root and group owner to sys for both /etc/ftpd and /etc/ftpd/ftpaccess The following script performs the procedure above: if [ -d /etc/ftpd ]; then echo "banner /etc/issue" >>/etc/ftpd/ftpaccess chmod 600 /etc/ftpd/ftpaccess chown root:sys /etc/ftpd /etc/ftpd/ftpaccess fi'
+    compliance:
+      - cis: ["1.9.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "d:/etc/ftpd"
+      - "f:/etc/ftpd/ftpaccess -> r:^banner /etc/issue"
+      - 'f:/etc/issue -> r:\w'
+      - 'c:sh -c "ls -la /etc/ftpd | grep -e ^-rw-------.*root.*sys | grep -v total" -> r:ftpd'
+      - 'c:sh -c "ls -la /etc/ftpd/ftpaccess | grep -e ^-rw-------.*root.*sys | grep -v total" -> r:ftpaccess'
diff --git a/etc/ruleset/sca/hpux/cis_hpux_11i_bastille.yml b/etc/ruleset/sca/hpux/cis_hpux_11i_bastille.yml
new file mode 100644
index 0000000000..74f90e93a6
--- /dev/null
+++ b/etc/ruleset/sca/hpux/cis_hpux_11i_bastille.yml
@@ -0,0 +1,801 @@
+# Security Configuration Assessment
+# CIS Checks for HPUX 11i
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for HP-UX 11i from 09-17-2009
+
+policy:
+  id: "cis_hpux_bastille"
+  file: "cis_hpux_11i_bastille.yml"
+  name: "CIS HP-UX 11i Benchmark"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for HPUX version 11i. This guide was tested against HP-UX using Bastille"
+  references:
+    - https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf
+    - https://myenterpriselicense.hpe.com/cwp-ui/free-software/B6849AA
+
+requirements:
+  title: "Check HPUX version, bastille is installed and a bastille report is present."
+  description: "Requirements for running the SCA scan against HPUX family."
+  condition: all
+  rules:
+    - "c:swlist HPUX*OE* -> r:HPUX11i"
+    - "d:/opt/sec_mgmt/bastille/"
+    - "f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
+
+checks:
+  #################################################################
+  # 1.1  Install patches and supplementary software
+  #################################################################
+
+  - id: 30001
+    title: "Install and configure HP-UX Secure Shell."
+    description: "OpenSSH is a popular free distribution of the standards-track SSH protocols which allows secure encrypted network logins and file transfers. HP-UX Secure Shell is HP's pre-compiled and supported version of OpenSSH."
+    rationale: "Common login and file transfer services such as telnet, FTP, rsh, rlogin, and rcp use insecure, clear-text protocols that are vulnerable to attack. OpenSSH provides a secure, encrypted replacement for these services. Security is improved by further constraining services in the default configuration."
+    remediation: 'Perform the following to install and securely configure Secure Shell (SSH) 1. Download and install HP-UX Secure Shell if not already installed on the system. 2. Perform the following post-installation actions to secure the SSH service: a. Change to the /opt/ssh/etc directory b. Open sshd_config c. Set the Protocol token to 2. If it is absent, add and set it. d. Set the X11Forwarding token to yes. If it is absent, add and set it. e. Set the IgnoreRhosts token to yes. If it is absent, add and set it. f. Set the RhostsAuthentication token to no. If it is absent, add and set it. g. Set the RhostsRSAAuthentication token to no. If it is absent, add and set it. h. Set the PermitRootLogin token to no. If it is absent, add and set it. i. Set the PermitEmptyPasswords token to no. If it is absent, add and set it. j. Set the Banner token to /etc/issue. If it is absent, add and set it. k. Set root as the owner of sshd_config and ssh_config. l. Set sys as the group owner of sshd_config and ssh_config. m. Restrict write access to sshd_config and ssh_config to the file owner. The following script will perform the above procedure: 13 | P a g e cd /opt/ssh/etc cp -p sshd_config sshd_config.tmp awk '' /^Protocol/ /^IgnoreRhosts/ /^RhostsAuthentication/ /^RhostsRSAAuthentication/ { $2 ="no" }; /(^#|^)PermitRootLogin/    { $1 = "PermitRootLogin"; $2 = "no" }; /^PermitEmptyPasswords/    { $2 = "no" }; /^#Banner/                 { $1 = "Banner"; $2 = "/etc/issue" } { print }'' sshd_config.tmp > sshd_config { $2 ="2"}; { $2 = "yes" }; { $2 = "no" }; rm -f sshd_config.tmp chown root:sys ssh_config sshd_config chmod go-w ssh_config sshd_config'
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_level: ["1"]
+    references:
+      - http://www.openssh.org/
+      - http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
+      - http://h20293.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA
+    condition: all
+    rules:
+      - "c:swlist -l bundle SecureShell -> r:HP-UX Secure Shell"
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Protocol 2'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*X11Forwarding yes'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*IgnoreRhosts yes'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsAuthentication no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsRSAAuthentication no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitRootLogin no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitEmptyPasswords no'
+      - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Banner /etc/issue'
+      - 'not c:sh -c "ls -la /opt/ssh/etc/sshd_config | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+      - 'not c:sh -c "ls -la /opt/ssh/etc/ssh_config | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 30002
+    title: "Use Bastille to report security configuration state."
+    description: "Bastille is a security hardening, lockdown tool supplied with HP-UX to assist administrators in securing their systems. Included is an assessment function that covers a wide range of lockdown items including most all items in this Benchmark. Bastille can serve as a reporting and audit tool. Appendix D provides a mapping of Benchmark items to related Bastille configuration items."
+    rationale: "An automated, tested, and vendor supported reporting tool such as Bastille is more efficient and less error-prone than most manual or custom scripted methods."
+    remediation: "Run Bastille to create an assessment report as shown: /opt/sec_mgmt/bastille/bin/bastille --assessnobrowser"
+    compliance:
+      - cis: ["1.1.3"]
+    references:
+      - https://www.hp.com/go/bastille
+    condition: all
+    rules:
+      - "f:/opt/sec_mgmt/bastille/bin/bastille"
+      - "f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
+
+  #################################################################
+  # 1.2 Minimize inetd network services
+  #################################################################
+
+  - id: 30003
+    title: "Disable Standard Services."
+    description: "The stock /etc/inetd.conf file shipped with HP-UX contains many services which are rarely used, or which have more secure alternatives. Indeed, after enabling SSH (see item 1.1.2) it may be possible to completely do away with all inetd-based services, since SSH provides both a secure login mechanism and a means of transferring files to and from the system. The steps articulated in the Remediation section will disable all services normally enabled in the HP-UX inetd.conf file. The rest of the actions in this section give the administrator the option of re-enabling certain services—in particular, the services that are disabled in the last two loops in the Action section below."
+    rationale: "The stock /etc/inetd.conf file shipped with HP-UX contains services that are rarely used or have more secure alternatives. Removing these from inetd will avoid exposure to possible security vulnerability in those services."
+    remediation: 'Perform the following to disable standard inetd-based services: 1. Change to the /etc directory 2. Open inetd.conf 3. Disable the following services by adding a comment character (#) to the beginning of its definition: a. echo b. discard c. daytime d. chargen e. dtspc f. exec g. ntalk h. finger i. uucp j. ident k. auth l. instl_boots m. registrar n. recserv o. rpc.rstatd p. rpc.rusersd q. rpc.rwalld r. rpc.sprayd s. rpc.cmsd t. kcms_server u. printer v. shell w. login h. finger x. telnet y. ftp z. tftp aa. bootps bb. kshell cc. klogin dd. rpc.rquotad ee. rpc.ttdbserver 4. Save inetd.conf. 5. Set root as the owner of inetd.conf. 6. Set sys as the group owner of inetd.conf. 7. Restrict write access to inetd.conf to the file owner. 8. Remove the executable and sticky bit from inetd.conf. 9. Invoke inetd to reread it''s config file: inetd -c The following script will perform the above procedure: cd /etc for svc in echo discard daytime chargen dtspc \ exec ntalk finger uucp ident auth \ instl_boots registrar recserv; do awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in rpc.rstatd rpc.rusersd rpc.rwalld \ rpc.sprayd rpc.cmsd kcms_server; do awk "/\\/$svc/ { \$1 = \"#\" \$1 }; { print }" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in printer shell login telnet ftp tftp \ bootps kshell klogin; do awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf done for svc in rpc.rquotad rpc.ttdbserver; do awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \ /etc/inetd.conf > /etc/inetd.conf.new cp inetd.conf.new inetd.conf done chown root:sys inetd.conf chmod go-w,a-xs inetd.conf rm -f /etc/inetd.conf.new inetd -c'
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_level: ["1"]
+    references:
+      - http://docs.hp.com/en/B2355-60130/inetd.conf.4.html
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.inetd_general="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_builtin="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_finger="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ident="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ntalk="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_recserv="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_time="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_uucp="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_dttools="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_printer="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_telnet="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ftp="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_rtools="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_tftp="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_printer="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ktools="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_bootp="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_rquotad="Y"'
+      - 'not c:sh -c "ls -la /etc/inetd.conf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
+
+  - id: 30004
+    title: "Only enable telnet if absolutely necessary."
+    description: "Re-enable telnet. Telnet uses an unencrypted network protocol, which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network, and also that the session can be hijacked by outsiders to gain access to the remote system. HP-UX Secure Shell (OpenSSH) provides an encrypted alternative to telnet (and other utilities) and should be used instead."
+    rationale: "There is a mission-critical reason that requires users to access the system via telnet instead of the more secure SSH protocol."
+    remediation: 'Perform the following to re-enable telnet: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the telnet service definition. 3. Add -b /etc/issue to the end of the telnet service definition. This will cause telnet to display the contents of /etc/issue to users attempting to access the system via telnet. 4. Save /etc/inetd.conf. The following script will perform the above procedure: awk ''/^#telnet/ { $1 = "telnet" print $0 " -b /etc/issue"; next} { print } '' inetd.conf > /etc/inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.2"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_telnet="Y"'
+
+  - id: 30005
+    title: "Only enable FTP if absolutely necessary."
+    description: "Re-enable ftp. Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted during the session can be captured by sniffing the network, and that the FTP session itself can be hijacked by an external attacker. SSH provides two alternative, encrypted file transfer mechanisms, scp and sftp, which should be used instead of FTP. Even if FTP is required because the local system is an anonymous FTP server, consider requiring authenticated users on the system to transfer files via SSH-based protocols. For further information on restricting FTP access to the system, see item 1.6.2 below. Sites may also consider augmenting the 'ftpd -l' below with '-v' (10.x and 11.x) or '-L' (11.x only) for additional logging of FTP transactions, or with '-a' (11.x only) for fine grain FTP access control through the use of a configuration file - see the ftpd(1M) man page on your systems for details."
+    rationale: "This machine serves as an (anonymous) FTP server or other mission-critical role where data must be transferred via FTP instead of the more secure alternatives."
+    remediation: 'Perform the following to re-enable FTP: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the ftp service definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' /^#ftp/ { $1 = "ftp"; print $0; next} { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.3"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ftp="Y"'
+
+  - id: 30006
+    title: "Only enable rlogin/remsh/rcp if absolutely necessary."
+    description: "Re-enable rlogin/remsh/rcp. SSH was designed to be a drop-in replacement for these protocols. Given the wide availability of free SSH implementations, there are few cases where these tools cannot be replaced with SSH (again, see item 1.2.1 - Install SSH)."
+    rationale: "There is a mission-critical reason to use rlogin/remsh/rcp instead of the more secure ssh/scp."
+    remediation: "Perform the following to re-enable rlogin/remsh/rcp: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the shell and login service definitions. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#shell/shell/; s/^#login/login/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.4"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_rtools="Y"'
+
+  - id: 30007
+    title: "Only enable TFTP if absolutely necessary."
+    description: "Re-enable TFTP. TFTP is typically used for network booting of diskless workstations, X-terminals, and other similar devices. TFTP is also used during network installs of systems via the HP-UX Ignite facility. Routers and other network devices may copy configuration data to remote systems via TFTP for backup."
+    rationale: "This system serves as a boot server or has other mission-critical roles where data must be transferred to and from this system via TFTP."
+    remediation: "Perform the following to re-enable TFTP: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the tftp service definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#tftp/tftp/' inetd.conf >inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new mkdir -p /var/opt/ignite"
+    compliance:
+      - cis: ["1.2.5"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_tftp="Y"'
+
+  - id: 30008
+    title: "Only enable printer service if absolutely necessary."
+    description: "Re-enable rlpdaemon based printer service. rlpdaemon provides a BSD-compatible print server interface. Even machines that are print servers may wish to leave this service disabled if they do not need to support BSD-style printing."
+    rationale: "This machine a print server for your network."
+    remediation: "Perform the following to re-enable the rlpdaemon based printer service: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the printer definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure:  sed 's/^#printer/printer/' inetd.conf >inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.6"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_printer="Y"'
+
+  - id: 30009
+    title: "Only enable rquotad if absolutely necessary."
+    description: "Re-enable rquotad. rquotad allows NFS clients to enforce disk quotas on file systems that are mounted from the local system. If your site does not use disk quotas, then you may leave the rquotad service disabled."
+    rationale: "This system an NFS file server that requires the use of disk quotas."
+    remediation: 'Perform the following to re-enable rquotad: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the rquotad definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' $6 ~ /\/rpc.rquotad$/ { sub(/^#/, "") } { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.7"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_rquotad="Y"'
+
+  - id: 30010
+    title: "Only enable CDE-related daemons if absolutely necessary."
+    description: "Re-enable CDE-related daemons. The rpc.ttdbserver service supports HP's CDE windowing environment. This service has a history of security problems. Not only is it vital to keep up to date on vendor patches, but also never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls, packet filters, and intrusion detection infrastructure). Note that since this service uses ONC RPC mechanisms, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on."
+    rationale: "There a mission-critical reason to run a CDE GUI on this system."
+    remediation: 'Perform the following to re-enable CDE-related daemons: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the rpc.ttdbserver 3. Save /etc/inetd.conf. The following script will perform the above procedure: awk '' $6 ~ /\/rpc.ttdbserver$/ { sub(/^#/, "") } { print } '' inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new'
+    compliance:
+      - cis: ["1.2.8"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_dttools="Y"'
+
+  - id: 30011
+    title: "Only enable Kerberos-related daemons if absolutely necessary."
+    description: "Re-enable Kerberos-related daemons. Kerberized rlogin/remsh offers a higher degree of security than traditional rlogin, remsh, or telnet by eliminating many clear-text password exchanges from the network. However it is still not as secure as SSH, which encrypts all traffic. Given the wide availability of free SSH implementations, there are few cases where these tools cannot be replaced with SSH."
+    rationale: "The Kerberos security system is in use at this site and there is a mission-critical reason that requires users to access this system via Kerberized rlogin/remsh, rather than the more secure SSH protocol."
+    remediation: "Perform the following to re-enable Kerberos-related daemons: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the klogin definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#kshell/kshell/; s/^#klogin/klogin/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf.new"
+    compliance:
+      - cis: ["1.2.9"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_ktools="Y"'
+
+  - id: 30012
+    title: "Only enable BOOTP/DHCP daemon if absolutely necessary."
+    description: "Re-enable BOOTP/DHCP services. BOOTP/DHCP is a popular protocol for dynamically assigning IP addresses and other network information to systems on the network (rather than having administrators manually manage this information on each host). However, if this system is not a BOOTP/DHCP server for the network, there is no need to be running this service."
+    rationale: "This server a BOOTP/DHCP server for the network."
+    remediation: "Perform the following to re-enable BOOTP/DHCP services: 1. Open /etc/inetd.conf. 2. Delete the comment character (#) from the bootps definition. 3. Save /etc/inetd.conf. The following script will perform the above procedure: sed 's/^#bootps/bootps/' \ inetd.conf > inetd.conf.new cp inetd.conf.new inetd.conf rm -f /etc/inetd.conf"
+    compliance:
+      - cis: ["1.2.10"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.deactivate_bootp="Y"'
+
+  #################################################################
+  # 1.3 Minimize boot services
+  #################################################################
+
+  - id: 30013
+    title: "Disable login: prompts on serial ports."
+    description: "Disable the login: prompt on the system serial devices to make it more difficult for unauthorized users to attach modems, terminals, and other remote access devices to these ports."
+    rationale: "If there is not a mission-critical need to provide login capability from any serial ports (such as for a modem) then disabling the login: prompt on the system serial devices reduces the risk of unauthorized access via these ports."
+    remediation: "Perform the following to disable the login: prompt on the system serial devices: 1. Open /etc/inittab. 2. Disable each getty instance associated with a tty device by adding a comment character (#) to the beginning of the line. 3. Save /etc/inittab.* The following script will perform the above procedure: cp -p /etc/inittab /etc/inittab.tmp sed 's/^[^#].*getty.*tty.*$/#&/' \ /etc/inittab.tmp  > /etc/inittab rm -f /etc/inittab.tmp - Note that this action may safely be performed even if console access to the system is provided via the serial ports, as the line in the /etc/inittab file that corresponds to the console does not match the supplied pattern (i.e., it doesn't contain the string 'tty'). - Note that when serial port connectivity is needed, /etc/dialups and /etc/d_passwd can be set to require an extra password for serial port access. See the dialups(4) manual page for more information. - Note that by default in HP-UX 11i, only the console has a getty instance running on it."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.serial_port_login="Y"'
+
+  - id: 30014
+    title: "Disable NIS/NIS+ related processes, if possible."
+    description: "Disable NIS/NIS+ related processes. Network Information Service (NIS) is a distributed database providing centralized control of names, addresses, services, and key configuration files throughout a network of servers and clients. NIS was formerly known as Yellow Pages (YP). NIS+ is a replacement for NIS services, and is more scalable, flexible, and secure. It adds a security system with authentication and authorization services to validate users on the network and to determine if they allowed to access or modify the information requested. However, both systems have known security vulnerabilities, and have been an entry point for security attacks."
+    rationale: "Eliminate exposure to NIS/NIS+ vulnerabilities by not running related daemons on hosts that are not NIS/NIS+ servers or clients."
+    remediation: "Perform the following to disable the startup of NIS/NIS+ related processes: ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \ -p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \ -p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_server="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_server="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_client="Y"'
+
+  - id: 30015
+    title: "Disable printer daemons, if possible."
+    description: "Disable printer daemons. The Technical Print Service (TPS) is a printer service used in the X-Windows and/or CDE environment. It is recommended that this service be disabled if the hosting system does not participate in print services The administrator may wish to consider converting to the LPRng print system (see http://www.lprng.org/) which was designed with security in mind and is widely portable across many different Unix platforms. Note, however, that LPRng is not supported by Hewlett-Packard."
+    rationale: "Disabling unused services, such as TPS, will reduce the remote and local attack surfaces of the hosting system."
+    remediation: 'Perform the following to disable printer daemons: 1. Set the LP parameter to zero in the lp system configuration file /etc/rc.config.d/lp 2. Set the XPRINTSERVERS parameter to an empty string in the tps system configuration file /etc/rc.config.d/tps The following script will perform the above procedure:  ch_rc -a -p XPRINTSERVERS="''''" /etc/rc.config.d/tps ch_rc -a -p LP=0 /etc/rc.config.d/lp'
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Printing.xprintserver="Y"'
+
+  - id: 30016
+    title: "Disable the CDE GUI login, if possible."
+    description: "CDE stands for 'Common Desktop Environment,' and is an environment for logging on to and interacting with your system via an X-windows type GUI interface from the console. Intended for use with workstation or desktop systems, this service is not commonly used with the server-class systems or in large enterprise environments. The X Windows-based CDE GUI services were developed with a different set of security expecations from those expected in many enterprise deployments, and have had a history of security issues. Unless there is a mission-critical need for a CDE GUI login to the system, this service should not be run to further reduce opportunities for security attacks."
+    rationale: "The X Windows-based CDE GUI on HP-UX systems has had a history of security issues, and should be disabled if unused."
+    remediation: 'Perform the following to disable the GUI login: ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop'
+    compliance:
+      - cis: ["1.3.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.gui_login="Y"'
+
+  - id: 30017
+    title: "Disable email server, if possible."
+    description: "Disable the sendmail daemon to avoid processing incoming email. It is possible to run a Unix system with the Sendmail daemon disabled and still allow users on that system to send email out from that machine. Running Sendmail in 'daemon mode' (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network. The remediation below will result in a machine that can send email but not receive it. - Note that after disabling the -bd option on the local mail server on systems running Sendmail v8.12 or later (8.13 is currently shipped as part of HP-UX 11iv3), it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads 'D{MTAHost}localhost' and change localhost to the name of some other local mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for further processing and delivery. - Note that if the system is an email server, the administrator is encouraged to search the Web for additional documentation on Sendmail security issues."
+    rationale: "Avoid potential vulnerabilities in the sendmail server if incoming email service is not used."
+    remediation: "Perform the following to disable the sendmail server: 1. Set the SENDMAIL_SERVER parameter to zero in the mailservs system configuration file. 2. Setup a cron job to run sendmail at regular intervals (e.g. every hour) in order to process queued, outgoing mail. The following script will perform the above procedure: ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs cd /var/spool/cron/crontabs crontab -l >root.tmp echo '0 * * * * /usr/lib/sendmail -q' >>root.tmp crontab root.tmp rm -f root.tmp"
+    compliance:
+      - cis: ["1.3.5"]
+      - cis_level: ["1"]
+    references:
+      - http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf
+      - http://www.sendmail.org/
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Sendmail.sendmaildaemon="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Sendmail.sendmailcron="Y"'
+
+  - id: 30018
+    title: "Disable SNMP and OpenView Agents, if remote management or monitoring are not needed."
+    description: "Disable SNMP and OpenView agents if they are not needed. Note: If SNMP is used, it is recommended to change the default SNMP community string by modifying the get-community and set-community parameters in the SNMP configuration file /etc/SnmpAgent.d/snmpd.conf."
+    rationale: "If SNMP and OpenView agents are not needed, avoid potential security vulnerabilities in these programs by disabling them."
+    remediation: "Perform the following to disable the SNMP and OpenView Agents: cd /sbin/rc2.d mv -f S570SnmpFddi .NOS570SnmpFddi ch_rc -a -p SNMP_HPUNIX_START=0 \ /etc/rc.config.d/SnmpHpunix ch_rc -a -p SNMP_MASTER_START=0 \ /etc/rc.config.d/SnmpMaster ch_rc -a -p SNMP_MIB2_START=0 \ /etc/rc.config.d/SnmpMib2 ch_rc -a -p SNMP_TRAPDEST_START=0 \ /etc/rc.config.d/SnmpTrpDst ch_rc -a -p OSPFMIB=0 \ /etc/rc.config.d/netdaemons ch_rc -a -p OPCAGT=0 \ /etc/rc.config.d/opcagt"
+    compliance:
+      - cis: ["1.3.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="Y"'
+
+  - id: 30019
+    title: "Disable rarely used standard boot services."
+    description: 'Disable other standard boot services. Setting these variables in the /etc/rc.config.d configuration files will effectively disable a wide variety of infrequently used subsystems. Variables are merely set (rather than renaming or removing startup scripts) so that the local administrator can easily "restore" any of these services if they discover a mission-critical need to have it. Additionally, HP-UX patches tend to supply fresh copies of the startup scripts, so they may get inadvertently re- enabled, whereas setting configuration variables usually survives patch installs. Finally, setting configuration variables is the method recommended and supported by HP. Note that not all of the configuration files listed above will exist on all systems (some are only valid for certain releases, others only exist if certain OEM vendor software is installed). The rest of the actions in this section give the administrator the option of re-enabling certain services - in particular, the services that are disabled in the second block of the remediation section below. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems. Note: that HP-UX 11.31 was the first version to support disablement of the NFS core services. Disablement on earlier versions is possible by moving /sbin/rc2.d/S400nfs.core to /sbin/rc2.d/.NOS400nfs.core, but there is some risk of system instability.'
+    rationale: "Avoid potential security vulnerabilities in infrequently used subsystems by disabling them."
+    remediation: 'Perform the following: ch_rc -a -p START_SNAPLUS=0 -p START_SNANODE=0 \ -p START_SNAINETD=0 /etc/rc.config.d/snaplus2 ch_rc -a -p MROUTED=0 -p RWHOD=0 \-p DDFA=0 \ -p START_RBOOTD=0 /etc/rc.config.d/netdaemons ch_rc -a -p RARPD=0 -p RDPD=0 /etc/rc.config.d/netconf ch_rc -a -p PTYDAEMON_START=0 /etc/rc.config.d/ptydaemon ch_rc -a -p VTDAEMON_START=0 /etc/rc.config.d/vt ch_rc -a -p NAMED=0 /etc/rc.config.d/namesvrs ch_rc -a -p START_I4LMD=0 /etc/rc.config.d/i4lmd ch_rc -a -p RUN_X_FONT_SERVER=0 /etc/rc.config.d/xfs ch_rc -a -p AUDIO_SERVER=0 /etc/rc.config.d/audio ch_rc -a -p SLSD_DAEMON=0 /etc/rc.config.d/slsd ch_rc -a -p RUN_SAMBA=0 /etc/rc.config.d/samba ch_rc -a -p RUN_CIFSCLIENT=0 \ /etc/rc.config.d/cifsclient ch_rc -a -p NFS_SERVER=0 \ -p NFS_CLIENT=0 /etc/rc.config.d/nfsconf ch_rc -a -p HPWS_APACHE_START=0 /etc/rc.config.d/hpws_apacheconf ch_rc -a -p NFS_CORE=0 /etc/rc.config.d/nfsconf'
+    compliance:
+      - cis: ["1.3.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_rbootd="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_server="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_client="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_ptydaemon="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Apache.deactivate_hpws_apache="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.license_server="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_core="Y"'
+
+  - id: 30020
+    title: "Only enable Windows-compatibility server processes if absolutely necessary."
+    description: "Re-enable CIFS Server (Samba) services. HP-UX 11i includes the popular Open Source Samba server (HP-UX CIFS Server) for providing file and print services to Windows-based systems. This allows an HP-UX system to act as a file or print server on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. However, if this functionality is not required by the site, this service should be disabled."
+    rationale: "This machine provides authentication, file sharing, or printer sharing services to systems running Microsoft Windows operating systems."
+    remediation: "Perform the following to re-enable CIFS Server: ch_rc -a -p RUN_SAMBA=1 /etc/rc.config.d/samba"
+    compliance:
+      - cis: ["1.3.8"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_smbclient="Y"'
+
+  - id: 30021
+    title: "Only enable Windows-compatibility client processes if absolutely necessary."
+    description: "Re-enable the HP CIFS Client service."
+    rationale: "This system requires access to file systems from remote servers via the Windows (SMB) file services."
+    remediation: "Perform the following: ch_rc -a -p RUN_CIFSCLIENT=1 /etc/rc.config.d/cifsclient"
+    compliance:
+      - cis: ["1.3.9"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_smbsever="Y"'
+
+  - id: 30022
+    title: "Only enable NFS server processes if absolutely necessary."
+    description: 'Re-enable the NFS file service. NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS server, the admin should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only" and "nosuid" where appropriate. For more information consult the exportfs(1M) manual page. Much higher levels of security can be achieved by combining NFS with secure RPC or Kerberos, although there is significant administrative overhead involved in this transition. Note that since this service uses ONC RPC mechanisms, it is important that the system''s RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 1.3.12 below. Also, note that some releases of Oracle software for HP-UX require NFS services in order to install properly. Therefore, the NFS server process may need to be started by hand on systems on which Oracle software is to be installed/updated. This can be accomplished by performing the following: 1. Temporarily set NFS_SERVER=1, /etc/rc.config.d/nfsconf 2. Execute:  /sbin/init.d/nfs.core start /sbin/init.d/nfs.server start 3. Install Oracle 4. Stop the NFS services:  /sbin/init.d/nfs.core stop /sbin/init.d/nfs.server stop 5. Disable the NFS services by resetting NFS_SERVER=0, NUM_NFSD=0, and NUM_NFSIOD=0 in /etc/rc.config.d/nfsconf.'
+    rationale: "This machine is a NFS file server."
+    remediation: "Perform the following: ch_rc -a -p NFS_SERVER=1 /etc/rc.config.d/nfsconf"
+    compliance:
+      - cis: ["1.3.10"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_server="Y"'
+
+  - id: 30023
+    title: "Only enable NFS client processes if absolutely necessary."
+    description: "Re-enable the NFS Client service. Again, unless there is a significant need for this system to acquire data via NFS, administrators should disable NFS-related services. Note that other file transfer schemes (such as rdist via SSH) can often be more secure than NFS for certain applications, although again the use of secure RPC or Kerberos can significantly improve NFS security. Also note that if the machine will be an NFS client, then the rpcbind process must be running (see Item 3.12 below). - Note that since this service uses ONC RPC mechanisms, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.12 below."
+    rationale: "This system must access file systems from remote servers via NFS."
+    remediation: "Perform the following: ch_rc -a -p NFS_CLIENT=1 /etc/rc.config.d/nfsconf"
+    compliance:
+      - cis: ["1.3.11"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_client="Y"'
+
+  - id: 30024
+    title: "Only enable RPC-based services if absolutely necessary."
+    description: "Re-enable RPC-based services. RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. Unless one of the services listed above is required on this machine, it is best to disable RPC-based tools completely. If you are unsure whether or not a particular third-party application requires RPC services, consult with the application vendor. Note that disabling this service by renaming the startup file may not survive the install of RPC-related patches."
+    rationale: "RPC-based services are used such as: - This machine is an NFS client or server. - This machine is an NIS (YP) or NIS+ client or server. - This machine runs a GUI or GUI-based administration tool. - The machine runs a third-party software application which is dependent on RPC support (example: FlexLM License managers)."
+    remediation: "Perform the following for 11.31 and later: ch_rc -a -p NFS_CORE=1 /etc/rc.config.d/nfsconf For 11.23 and prior:  mv -f /sbin/rc2.d/.NOS400nfs.core \ /sbin/rc2.d/400nfs.core"
+    compliance:
+      - cis: ["1.3.12"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_core="Y"'
+
+  - id: 30025
+    title: "Only enable Web server if absolutely necessary."
+    description: "Re-enable the Web server suite. Even if this machine is a Web server, the local site may choose not to use the Web server provided with HP-UX in favor of a locally developed and supported Web environment. If the machine is a Web server, the administrator is encouraged to search the Web for additional documentation on Web server security. A good starting point is http://httpd.apache.org/docs-2.0/misc/security_tips.html. Note that this action only disables the default web server shipped with the system. Other webservers instances may still be running."
+    rationale: "There is a mission-critical reason why this system must run a Web server."
+    remediation: "Perform the following: ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack ch_rc -a -p APACHE_START=1 /etc/rc.config.d/apacheconf ch_rc -a -p HPWS_APACHE32_START=1 /etc/rc.config.d/hpws_apache32conf ch_rc -a -p HPWS_TOMCAT_START=1 /etc/rc.config.d/hpws_tomcatconf ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack ch_rc -a -p HPWS_WEBMIN_START=1 /etc/rc.config.d/hpws_webminconf"
+    compliance:
+      - cis: ["1.3.13"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Apache.deactivate_hpws_apache="Y"'
+
+  - id: 30026
+    title: "Only enable BIND DNS server if absolutely necessary."
+    description: "Re-enable the BIND DNS service. The BIND DNS server, or named, maps IP addresses to hostnames across the Internet and supplies these services to other hosts on the local local network. Though it has been widely implemented, BIND has a long history of security flaws, especially in the BIND 8.x release tree generally shipped with HP-UX 11.x systems. Therefore, if you are going to run BIND, you should strongly consider moving to the BIND 9.x release-tree. HP has supported BIND 9 packages available from http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND9.2 . Or it is available directly from the Internet Software Consortium (the developers of BIND), whose website is at http://www.isc.org."
+    rationale: "There exists a mission-critical reason why this system must run a DNS server."
+    remediation: "Perform the following: 11.23 and prior: ch_rc -a -p NAMED=1 /etc/rc.config.d/namesvrs 11.31 and later: ch_rc -a -p NAMED=1 /etc/rc.config.d/namesvrs_dns"
+    compliance:
+      - cis: ["1.3.14"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_bind="Y"'
+
+  #################################################################
+  # 1.4 Kernel Tuning
+  #################################################################
+
+  - id: 30027
+    title: "Enable stack protection."
+    description: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. - Note that HP-UX 11i is much more capable in this and other security areas than older releases; therefore, administrators should strongly consider upgrading from older releases. - Note that this action requires a subsequent reboot to take effect in some versions of HP-UX."
+    rationale: "Buffer overflow exploits have been the basis for many of the recent highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system crackers exploit well-known buffer overflow problems in vendor-supplied and third-party software. Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement."
+    remediation: "For 11i v2 and later: kctune -K executable_stack=0 For 11i v1: /usr/sbin/kmtune -s executable_stack=0 && mk_kernel && kmupdate"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.stack_execute="Y"'
+
+  - id: 30028
+    title: "Network parameter modifications."
+    description: "Modify the network parameter boot configuration file to meet current best practices. Note: HP-UX 11.11 systems require patch PHNE_25644 for ndd to set arp_cleanup_interval from /etc/rc.config.d/nddconf. - Bastille Note: Bastille performs a similar action but does not support the exact same changes."
+    rationale: "Network parameter default values should align with current best practices unless there is a specific need to use other values."
+    remediation: "Perform the following to update the default network parameter values: 1. Change to the /etc/rc.config.d directory 2. Open nddconf and review the comment lines on how to use the configuration file 3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index. 4. Save nddconf. - If creating this file for the first time: 1. Set root as the owner of nddconf. 2. Set sys as the group owner of nddconf. 3. Restrict write access to nddconf to the file owner. 4. Remove the executable and sticky bit from nddconf. If the existing nddconf file contains no entries, then the following script will perform the above procedure: cd /etc/rc.config.d cat <<EOF > nddconf # Increase size of half-open connection queue TRANSPORT_NAME[0]=tcp NDD_NAME[0]=tcp_syn_rcvd_max NDD_VALUE[0]=4096 # Reduce timeouts on ARP cache TRANSPORT_NAME[1]=arp NDD_NAME[1]=arp_cleanup_interval NDD_VALUE[1]=60000 # Drop source-routed packets TRANSPORT_NAME[2]=ip NDD_NAME[2]=ip_forward_src_routed NDD_VALUE[2]=0 # Don't forward directed broadcasts TRANSPORT_NAME[3]=ip NDD_NAME[3]=ip_forward_directed_broadcasts NDD_VALUE[3]=0 # Don't respond to unicast ICMP timestamp requests TRANSPORT_NAME[4]=ip NDD_NAME[4]=ip_respond_to_timestamp NDD_VALUE[4]=0 # Don't respond to broadcast ICMP tstamp reqs TRANSPORT_NAME[5]=ip NDD_NAME[5]=ip_respond_to_timestamp_broadcast NDD_VALUE[5]=0 # Don't respond to ICMP address mask requests TRANSPORT_NAME[6]=ip NDD_NAME[6]=ip_respond_to_address_mask_broadcast NDD_VALUE[6]=0 # Don‟t respond to broadcast echo requests TRANSPORT_NAME[7]=ip NDD_NAME[7]=ip_respond_to_echo_broadcast NDD_VALUE[7]=0 EOF chown root:sys nddconf chmod go-w,ug-s nddconf"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.ndd="Y"'
+
+  - id: 30029
+    title: "Use more random TCP sequence numbers."
+    description: "Generate initial TCP sequence numbers that comply with RFC1948. - Note: In HP-UX 11i v1 and later, an algorithm largely compliant with RFC1948 is already used. However, setting the isn passphrase closes the small remaining gap, and adds entropy to the seed."
+    rationale: "Makes remote off-net session hijacking attacks more difficult."
+    remediation: "Perform the following to use more random TCP sequence numbers upon system startup: 1. Create/open the file /sbin/rc2.d/S999tcpisn 2. Add the following line: ndd -set /dev/tcp tcp_isn_passprase=<random string> replacing <random string> with a string of random characters. 3. Save the file. 4. Set root as the owner and bin as the group owner of the file. 5. Restrict write access to the file. 6. Set the execution bit for the file."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.tcp_isn="Y"'
+
+  - id: 30030
+    title: "Additional network parameter modifications."
+    description: "Configure networking to NOT forward TCP/IP packets between multiple networks, even if the machine has multiple network adapters connected to multiple networks."
+    rationale: "System is not going to be used as a firewall or gateway to pass network traffic between different networks."
+    remediation: "Perform the following to disable forwarding TCP/IP packets between networks: 1. Change to the /etc/rc.config.d directory 2. Open nddconf and review the comment lines on how to use the configuration file 3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index. 4. Save nddconf. If creating this file for the first time: 5. Set root as the owner of nddconf. 6. Set sys as the group owner of nddconf. 7. Restrict write access to nddconf to the file owner. 8. Remove the executable and sticky bit from nddconf. The following script will perform the above procedure properly if used as a follow-on from the script in item 1.4.2: cat <<EOF >> /etc/rc.config.d/nddconf # Don‟t act as a router TRANSPORT_NAME[8]=ip NDD_NAME[8]=ip_forwarding NDD_VALUE[8]=0 TRANSPORT_NAME[9]=ip NDD_NAME[9]=ip_send_redirects NDD_VALUE[9]=0 EOF"
+    compliance:
+      - cis: ["1.4.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.ndd="Y"'
+
+  #################################################################
+  # 1.5 File/Directory Permissions/Access
+  #################################################################
+
+  - id: 30131
+    title: "Resolve 'unowned' files and directories."
+    description: "Evaluate ownership of any files that are not owned by a locally defined user, and consider reassignment to an active user."
+    rationale: "Sometimes when administrators delete users from the system they neglect to remove all files owned by those users from the system. A new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended. It is a good idea to locate files that are owned by users or groups not listed in the system configuration files, and make sure to reset the ownership of these files to some active user on the system (in this example, 'bin') as appropriate."
+    remediation: 'Perform the following to identify "unowned" files and directories, and consider resetting ownership to a default owner and restricting access permissions: 1. Locate all local files that are owned by users or groups not listed in the system configuration files. find / \( -nouser -o -nogroup \) 2. Consider resetting user and group ownership of these files to a default active user (e.g. bin) chown bin:bin <filename> 3. Consider restricting world-write permissions, and removing any SUID/SGID bits on these files. chmod ug-s,o-w <filename> - Note: there is no reason for an application to require an unowned file, so these changes should be application-safe.'
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.unowned_files"Y"'
+
+  #################################################################
+  # 1.6 System Access, Authentication, and Authorization
+  #################################################################
+
+  - id: 30032
+    title: "Enable Hidden Passwords."
+    description: "Enable hidden passwords by converting the system to a Trusted System or to use Shadow Passwords. - Note: do not perform this if the system runs applications that read the encrypted password entries in /etc/passwd directly."
+    rationale: "Without hidden passwords, an intruder could use any user's account to obtain hashed passwords and use crack or similar utilities to find easily guessed passwords. Password aging (covered in item 1.8.3) ensures that users change their passwords on a regular basis and helps stop the use of stolen passwords."
+    remediation: "Perform one of the following to convert the system to trusted mode or shadowed mode: A. Use the system management program smh or sam to convert to a trusted system -or- B. Use the command pwconv to convert to shadowed passwords."
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.hidepasswords="Y"'
+
+  - id: 30033
+    title: "Restrict users who can access to FTP."
+    description: "Configure FTP to prevent certain users from accessing the system via FTP. The file ftpusers contains a list of users who are not allowed to access the system via FTP. Generally, only normal users should ever access the system via FTP - there should be no reason for 'system' type accounts to be transferring information via this mechanism. Certainly, the root account should never be allowed to transfer files directly via FTP. - Note: more fine-grained FTP access controls can be placed in /etc/ftpd/ftpaccess."
+    rationale: "Privileged users such as root and other 'system' type accounts should never be transferring information via such an insecure service as FTP."
+    remediation: "Perform the following to restrict default priviledged users from access to FTP: 1. Add the users root daemon bin sys adm lp uucp nuucp nobody hpdb useradm to the file /etc/ftpd/ftpusers (each user on a single line). 2. Set the file owner and group owner to the user bin. 3. Set the file permissions so that only the file owner has read or write perms and no user has execute permission (600). The following script will create and populate the ftpusers file as described above: for name in root daemon bin sys adm lp \ uucp nuucp nobody hpdb useradm do echo $name done >> $ftpusers sort -u $ftpusers > $ftpusers.tmp cp $ftpusers.tmp $ftpusers rm -f $ftpusers.tmp chown bin:bin $ftpusers chmod 600 $ftpusers"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:FTP.ftpusers="Y"'
+
+  - id: 30034
+    title: "Prevent Syslog from accepting messages from the network."
+    description: "Prevent syslogd from accepting messages from the network. By default the system logging daemon, syslogd, listens for log messages from other systems on network port 514/udp. Unfortunately, the protocol used to transfer these messages does not include any form of authentication, so a malicious outsider could simply barrage the local system's Syslog port with spurious traffic—either as a denial-of-service attack on the system, or to fill up the local system's logging file systems so that subsequent attacks will not be logged. - Note: Do not perform this action if this machine is a log server, or needs to receive Syslog messages via the network from other systems. - Note: It is considered good practice to setup one or more machines as central 'log servers' to aggregate log traffic from all machines at a site. However, unless a system is set up to be one of these 'log server' systems, it should not be listening on 514/udp for incoming log messages."
+    rationale: "Disabling unused network services will reduce the remote attack surfaces of the hosting system."
+    remediation: 'Disable the syslog network option by doing the following: 1. Open the syslogd startup configuration file /etc/rc.config.d/syslogd 2. Add the parameter "-N" to the SYSLOGD_OPTS= line if it is not already present 3. Save and close the file. The following script will perform the procedure above: SYSLOGD_OPTS="`sh -c ". /etc/rc.config.d/syslogd ; \ echo "$SYSLOGD_OPTS"''`" if [[ "$SYSLOGD_OPTS" = *-N* ]]; then ch_rc -a -p SYSLOGD_OPTS="-N $SYSLOGD_OPTS" \ /etc/rc.config.d/syslogd fi'
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.syslog_localonly="Y"'
+
+  - id: 30035
+    title: "Disable XDMCP port."
+    description: "Disable the XDMCP port for remote login services. The standard GUI login provided on most Unix systems can act as a remote login server to other devices (including X terminals and other workstations). Access control is handled via the Xaccess file—by default under HP-UX, this file allows any system on the network to get a remote login screen from the local system. This behavior can be overridden in the /etc/dt/config/Xaccess file."
+    rationale: "XDMCP is an unencrypted protocol that may reduce the confidentiality and integrity of data that traverses it."
+    remediation: "Perform the following to disable the XDMCP port: 1. Open the file /etc/dt/config/Xconfig. If it does not exist, copy it from /usr/dt/config/Xconfig. 2. Append the line Dtlogin.requestPort:0 to the file and close. The following script will perform the procedure above: if [ ! -f /etc/dt/config/Xconfig ]; then mkdir -p /etc/dt/config cp -p /usr/dt/config/Xconfig /etc/dt/config fi cd /etc/dt/config awk '/Dtlogin.requestPort:/ \ { print \"Dtlogin.requestPort: 0\"; next } { print }' Xconfig > Xconfig.new cp Xconfig.new Xconfig rm -f Xconfig.new"
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.xaccess="Y"'
+
+  - id: 30036
+    title: "Set default locking screensaver timeout."
+    description: "The default timeout is between 10 and 30 minutes of keyboard/mouse inactivity before a password-protected screen saver is invoked by the CDE session manager depending on the OS release and the locale. Uniformly reduce this default timeout value to 10 minutes (this setting can still be overridden by individual users in their own environment.)"
+    rationale: "Setting the inactivity timer to a low value will reduce the probability of a malicious entity compromising the system via the console."
+    remediation: 'Perform the following to set a default screensaver timeout for all environments: 1. For every sys.resources file in each directory in /usr/dt/config/ create a corresponding /etc/dt/config/*/sys.resources file if it does not already exist. 2. Append the following lines to each /etc/dt/config/*/sys.resources dtsession*saverTimeout: 10 dtsession*lockTimeout: 10 The following script will perform the procedure above: for file in /usr/dt/config/*/sys.resources; do dir="$(dirname "$file" | sed ''s|^/usr/|/etc/|'')" mkdir -p "$dir" echo ''dtsession*saverTimeout: 10'' >>"$dir/sys.resources" echo ''dtsession*lockTimeout: 10'' >>"$dir/sys.resources" done'
+    compliance:
+      - cis: ["1.6.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.screensaver_timeout="Y"'
+
+  - id: 30037
+    title: "Configure IPFilter to allow only select communication."
+    description: "HP-UX IPFilter (B9901AA) is a stateful system firewall that controls IP packet flow in or out of a machine. It is installed by default on HP-UX 11iv2 (11.23) and later. On older systems, IPFilter can be obtained from http://www.hp.com/go/ipfilter. The rules below will work in an otherwise-empty ipf.conf file, or, if there are rules already present, it will block all that were not passed earlier in the ruleset. This is less likely to break things, but will allow more traffic through. Alternatively, you can instead take the pass lines below (not using the block rule), and change them into 'block in quick' rules, and place those at the top of the file. This will error on the side of blocking traffic. See ipf(5) for detail. Your ruleset can be tested using ipftest(1). Bastille note: if using to change and monitor the IPFilter firewall, ensure that rules are added to /etc/opt/sec_mgmt/bastille/ipf.customrules, and that Bastille is rerun with the last config file, so they will not be overwritten in a subsequent lockdown."
+    rationale: "Restricting incoming network traffic to explicitly allowed hosts will help prevent unauthorized access the system."
+    remediation: "Perform the following to add enable ipfilter and install a default ruleset to block unauthorized incoming connections: 1. Enable ipfilter: ipfilter -e 2. Append the following lines to /etc/opt/ipf/ipf.conf:  block in all pass in from <allowed net>/<mask> pass in from <allowed net>/<mask> replacing each <allowed net>/<mask> with an authorized IP address and mask. 3. Flush the old rules and read in the updated rules: ipf -Fa -f /etc/opt/ipf/ipf.conf The following script can be used to as a template for creating your own script to perform the procedure above: ipfilter -e cat <<EOF >> /etc/opt/ipf/ipf.conf block in all pass in from <allowed net>/<mask> pass in from <allowed net>/<mask> EOF ipf -Fa -f /etc/opt/ipf/ipf.conf"
+    compliance:
+      - cis: ["1.6.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:IPFilter.configure_ipfilter="N"'
+
+  - id: 30038
+    title: "Restrict at/cron to authorized users."
+    description: "The cron.allow and at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals. - Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. cron.allow only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator needs the ability to schedule jobs."
+    remediation: "Perform the following to restrict at/cron to root only: 1. Change to the /var/adm/cron directory 2. Archive or delete any existing cron.deny and at.deny files 3. Create or replace the cron.allow and at.allow files with a single line file containing just root 4. Ensure that the files are owned by root and group owned by sys 5. Ensure that no users have write/execute permission to the files, and that only root has read access to the files. The following script will perform the procedures above: cd /var/adm/cron rm -f cron.deny at.deny echo root >cron.allow echo root >at.allow chown root:sys cron.allow at.allow chmod 400 cron.allow at.allow"
+    compliance:
+      - cis: ["1.6.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.cronuser="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.atuser="Y"'
+
+  - id: 30039
+    title: "Restrict crontab file permissions."
+    description: "The system crontab files are only accessed by the cron daemon (which runs with superuser privileges) and the crontab command (which is set-UID to root)."
+    rationale: "Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated privileges."
+    remediation: "Perform the following so that only root has access to the crontab files: 1. Change to the /var/spool/cron/crontabs directory 2. Change the file owner to root and file group owner to sys 3. Set file permissions so that only root has access to the files. The following script will perform the procedure above: cd /var/spool/cron/crontabs chown root:sys * chmod og-rwx *"
+    compliance:
+      - cis: ["1.6.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.crontabs_file="Y"'
+
+  - id: 30040
+    title: "Restrict root logins to system console."
+    description: "Anonymous root logins should never be allowed except on the system console in emergency situations. At all other times, the administrator should access the system via an unprivileged account and use some authorized mechanism to gain additional privilege, such as the su command, the freely-available sudo package discussed in item SN.6, or the HP Role Based Authorization system also discussed in item SN.6. These mechanisms provide at least a limited audit trail in the event of problems."
+    rationale: "Anonymous root logins do not provide an audit trail, nor are subject to additional authorization provisions."
+    remediation: "Perform the following to restrict root logins to the system console only: 1. Replace the file /etc/securetty with a single line file containing console 2. Change the file owner to root and file group owner to sys 3. Set file permissions so that only root has access to the file. The following script will perform the procedure above:  echo console > /etc/securetty chown root:sys /etc/securetty chmod og-rwx /etc/securetty"
+    compliance:
+      - cis: ["1.6.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.create_securetty="Y"'
+
+  - id: 30041
+    title: "Disable nobody access for secure RPC."
+    description: 'The keyserv process stores user keys that are utilized with the ONC secure RPC mechanism. The action below prevents keyserv from using default keys for the "nobody" user, effectively stopping this user from accessing information via secure RPC.'
+    rationale: "The default 'nobody' user should not be accessing information via secure RPC."
+    remediation: "Perform the following to disable nobody access for secure RPC: 1. Add the '-d' option to the KEYSERV_OPTIONS parameter in the system startup configuration file /etc/rc.config.d/namesvrs The following script will perform the procedure above: KEYSERV_OPTIONS=\"`sh -c '. /etc/rc.config.d/namesvrs ; echo \"$KEYSERV_OPTIONS\"'`\" ch_rc -a -p KEYSERV_OPTIONS=\"-d $KEYSERV_OPTIONS \" \ /etc/rc.config.d/namesvrs"
+    compliance:
+      - cis: ["1.6.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nobody_secure_rpc="N"'
+
+  #################################################################
+  # 1.7 Logging
+  #################################################################
+
+  - id: 30042
+    title: "Enable kernel-level auditing."
+    description: "If inetd is running, it is a good idea to make use of the 'logging' (-l) feature of the HP-UX inetd that logs information about the source of any network connections seen by the daemon, allowing the administrator (or software) to scan the logs for unusual activity. This is especially powerful when combined with the access control capabilities accessible through inetd‟s /var/adm/inetd.sec configuration file. This information is logged via Syslog and by default HP-UX systemsdeposit this logging information in var/adm/syslog/syslog.log with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination. IPFilter, which comes with HP-UX, can log inetd and other connections or attempted connections with its 'ipmon' daemon as either a compliment or alternative to inetd logging."
+    rationale: "By recording key system events in log files, kernel-level auditing provides a trail to detect and analyze security breaches. Moreover, this data can be used to detect potential security weakness, and also serves as a deterrent against system abuses."
+    remediation: "Use the Systems Management Homepage (SMH) facility to configure and enable the type and level of auditing appropriate for your environment."
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.system_auditing="Y"'
+
+  - id: 30043
+    title: "Enable logging from inetd."
+    description: 'If inetd is running, it is a good idea to make use of the "logging" (-l) feature of the HP-UX inetd that logs information about the source of any network connections seen by the daemon, allowing the administrator (or software) to scan the logs for unusual activity. This is especially powerful when combined with the access control capabilities accessible through inetd''s /var/adm/inetd.sec configuration file. This information is logged via Syslog and by default HP-UX systems deposit this logging information in var/adm/syslog/syslog.log with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination. IPFilter, which comes with HP-UX, can log inetd and other connections or attempted connections with its "ipmon" daemon as either a compliment or alternative to inetd logging.'
+    rationale: "Logging information about the source of inetd network connections assists in the detection and identification of unusual activity that may be associated with security intrusions."
+    remediation: "Perform the following: ch_rc -a -p INETD_ARGS=-l /etc/rc.config.d/netdaemons"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.log_inetd="Y"'
+
+  - id: 30144
+    title: "Turn on additional logging for FTP daemon."
+    description: "If the FTP daemon is left on, it is recommended that the command logging (-L) and connection logging (-l) flags also be enabled to track FTP activity on the system, allowing the administrator (or software) to scan the logs for unusual activity. This is especially powerful when combined with the access control capabilities accessible through inetd's /var/adm/inetd.sec configuration file. Note that this setting has no effect if the FTP daemon remains de-activated from item 2.1. Also note that enabling command logging on the FTP daemon (HP-UX 11.x only) can cause user passwords to appear in clear-text form in the system logs, if the user accidentally types their password at the username prompt. Information about FTP sessions will be logged to Syslog and by default HP-UX systems deposit this logging information in /var/adm/syslog/syslog.log with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination."
+    rationale: "Logging information about the source of ftp network connections assists in the detection and identification of unusual activity that may be associated with security intrusions."
+    remediation: 'Perform the following to enable logging for the FTP daemon: 1. Change directory to /etc. 2. Open the inetd.conf file and locate the ftpd configuration entry line. 3. Add the "-L" and "-l" flags to the ftpd entry if not already present. 4. Save and close file. The following script will perform the procedure above: cd /etc awk ''/^ftpd/ && !/-L/ { $NF = $NF " -L" } /^ftpd/ && !/-l/ { $NF = $NF " -l" } { print }'' inetd.conf > inetd.conf.tmp cp inetd.conf.tmp inetd.conf rm -f inetd.conf.tmp'
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - "f:/etc/inetd.conf -> r:^ftpd && r:-l"
+      - "f:/etc/inetd.conf -> r:^ftpd && r:-L"
+
+  #################################################################
+  # 1.8 User Accounts and Environment
+  #################################################################
+
+  - id: 30045
+    title: "Block system accounts."
+    description: "Accounts that are not being used by regular users should be locked. Not only should the password field for the account be set to an invalid string, but the shell field in the password file should contain an invalid shell. Access to the uucp and nuucp accounts is only needed when the deprecated Unix to Unix Copy (UUCP) service is in use. The other listed accounts should never require direct access. The actions below locks the passwords to these accounts (on systems converted to Trusted Mode only) and sets the login shell to /bin/false. Note that the above is not an exhaustive list of possible system/application accounts that could be installed on the system. An audit of all users on the system is the only way to be sure that only authorized accounts are in place."
+    rationale: "System accounts are not used by regular users, and almost never require direct access; thus, they should be locked to prevent accidental or malicious usage."
+    remediation: 'Perform the following to properly lock the following known system users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm 1. Lock the account: passwd -l <user> 2. Set the login shell to an invalid program: /usr/sbin/usermod -s /bin/false <user> 3. If a trusted system, set the adminstrator lock: /usr/lbin/modprpw -m alock=YES <user> The following script will perform the procedure above: for user in www sys smbnull iwww owww sshd \ hpsmh named uucp nuucp adm daemon bin lp \ nobody noaccess hpdb useradm; do passwd -l "$user" /usr/sbin/usermod -s /bin/false "$user" if [[ -f /tcb ]]; then /usr/lbin/modprpw -m alock=YES "$user" fi done'
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.block_system_accounts="Y"'
+
+  - id: 30046
+    title: "Verify that there are no accounts with empty password fields."
+    description: 'An account with an empty password field means that anybody may log in as that user without providing a password at all. All accounts should have strong passwords or should be locked by using a password string like "*", "NP", or "*LOCKED*"'
+    rationale: "User accounts should have passwords, or be locked."
+    remediation: "Perform the following to ensure that no accounts have an empty password field: 1. Identify all user accounts with an empty password field: logins -p 2. Lock each account: passwd -l <user> 3. If a trusted system, set the administrator lock: /usr/lbin/modprpw -m alock=YES <user>"
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.lock_account_nopasswd="Y"'
+
+  - id: 30047
+    title: "Set account expiration parameters on active accounts."
+    description: "The commands below will set all active accounts (except the root account) to force password changes every 90 days (91 days when not running in HP-UX Trusted Mode) and then prevent password changes for seven days (one week) thereafter. Users will begin receiving warnings 30 days (28 days when not running in HP-UX Trusted Mode) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option). These are recommended starting values, but sites may choose to make them more restrictive depending on local policies."
+    rationale: "It is a good idea to force users to change passwords on a regular basis."
+    remediation: 'Perform the following to set password expiration parameters on all active accounts: 1. Identify all user accounts excluding root that are not locked, and for each: 2. Set password expiration parameters for the account (logname) by executing the following: passwd -x 91 -n 7 -w 28 <logname> for trusted systems, perform the following: /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 <logname> 3. Set the default account expiration parameters by appending the following lines to /etc/default/security: a. PASSWORD_MAXDAYS=91 b. PASSWORD_MINDAYS=7 c. PASSWORD_WARNDAYS=28 4. Set the default parameters for trusted systems with: /usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30 The following script will perform the procedure above. logins -ox \ | awk -F: ''($8 != "LK" && $1 != "root") { print $1 }'' \ | while read logname; do passwd -x 91 -n 7 -w 28 "$logname" /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 \ "$logname" done echo PASSWORD_MAXDAYS=91 >> /etc/default/security echo PASSWORD_MINDAYS=7 >> /etc/default/security echo PASSWORD_WARNDAYS=28 >> /etc/default/security /usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30'
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.PASSWORD_MAXDAYS="(\d+)" compare <= 91'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.PASSWORD_MINDAYS="(\d+)" compare <= 7'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.PASSWORD_WARNDAYS="(\d+)" compare <= 28'
+
+  - id: 30048
+    title: "Set strong password enforcement policies."
+    description: "The policies set here are designed to force users to make better password choices when changing their passwords. Sites often have differing opinions on the optimal value of the MIN_PASSWORD_LENGTH and PASSWORD_HISTORY_DEPTH parameters. A minimum password length of seven is in line with industry standards, especially the Payment Card Industry (PCI) Security Standard; however, a longer value may be warranted if account locks are not enabled (item 1.6.10). A password history depth of ten combined with passwords that expire four times per year (item 1.8.3) means users will typically not re-use the same password in any given year. Requiring an upper/lowercase and special character password will dramatically increase the password search space and lower the chances for brute-force attack significantly. - Note: these settings are known to exist for HP-UX 11iv2, 0512 and later. The man page for security(5) will indicate if these exist on your particular system. Be sure to consult you local security standards before adopting the values given above."
+    rationale: "All users should use strong passwords."
+    remediation: "Perform the following to set strong password enforcement policies: 1. Change the following parameters in the /etc/default/security file to establish default password policies for new users: a. MIN_PASSORD_LENGTH=7 b. PASSWORD_HISTORY_DEPTH=10 c. PASSWORD_MIN_UPPER_CASE_CHARS=1 d. PASSWORD_MIN_DIGIT_CHARS=1 e. PASSWORD_MIN_SPECIAL_CHARS=1 f. PASSWORD_MIN_LOWER_CASE_CHARS=1 2. If using a trusted system, issue the following modprdef commands to disallow null or trivial passwords:  modprdef -m nullpw=NO modprdef -m rstrpw=YES The following script will perform the procedure above: modprdef -m nullpw=NO modprdef -m rstrpw=YES ch_rc -a -p MIN_PASSORD_LENGTH=7 /etc/default/security ch_rc -a -p PASSWORD_HISTORY_DEPTH=10 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_UPPER_CASE_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_DIGIT_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_SPECIAL_CHARS=1 \ /etc/default/security ch_rc -a -p PASSWORD_MIN_LOWER_CASE_CHARS=1 \ /etc/default/security modprdef -m nullpw=NO modprdef -m rstrpw=YES"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.PASSWORD_HISTORY_DEPTH="(\d+) compare >= 10"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.MIN_PASSWORD_LENGTH="(\d+) compare >= 7"'
+
+  - id: 30049
+    title: "Verify no legacy '+' entries exist in passwd and group files."
+    description: "'+' entries in various passwd and group files served as markers for systems to insert data from NIS maps at a certain point in a system configuration file. HP-UX does not use these markers, but they may exist in files that have been imported from other platforms. They should be deleted if they exist."
+    rationale: "Legacy '+' entries are no longer required on HP-UX systems, and may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Perform the following to remove any legacy '+' entries in passwd and group files: 1. Display legacy '+' entries: grep '^+:' /etc/passwd /etc/group 2. Remove any entries found from the passwd and group files."
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="Y"'
+
+  - id: 30050
+    title: "No '.' or group/world-writable directory in root $PATH."
+    description: "Remove the current working directory ('.') or other world-writable directories from the root user's execution path. To execute a file in the current directory when „.‟ is not in the $PATH, use the format “./filename”."
+    rationale: "Including these paths in the root's executable path allows an attacker to gain superuser access if an administrator operating as root executes a Trojan horse program."
+    remediation: "Remove the following path components if they exist in the root user's $PATH: 1. current working directory ('.') 2. empty directories („::‟) 3. a trailing path seperator at the end of the $PATH (':') 4. any directory with world or group -write permissions set"
+    compliance:
+      - cis: ["1.8.6"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.root_path="Y"'
+
+  - id: 30051
+    title: "Secure user home directories."
+    description: "Remove group write and world access to all user home directories. While the modifications below are relatively benign, making global modifications to user home directories without alerting your user community can result in unexpected outages and unhappy users."
+    rationale: "Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges."
+    remediation: 'Perform the following to secure user home directories: 1. Identify all user accounts excluding root that are not locked, and for each of these user home directories: 2. Remove group write permission (g-w) and all other permissions (o-rwx) The following script will perform the procedure above: logins -ox \ | awk -F: ''($8 == "PS" && $1 != "root") { print $6 }'' \ | grep /home/ \ | while read dir do  chmod g-w,o-rwx "$dir" done'
+    compliance:
+      - cis: ["1.8.7"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.restrict_home="Y"'
+
+  - id: 30052
+    title: "No user dot-files should be group/world writable."
+    description: "Remove group and world write permissions from user dot-files. While the modifications below are relatively benign, making global modifications to user dot-files without alerting your user community can result in unexpected outages and unhappy users."
+    rationale: "Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges."
+    remediation: 'Perform the following: 1. Identify all user accounts excluding root that are not locked, and for each of these user home directories: 2. Remove group/other write permissions (go-w) from any files beginning with ''.'' The following script performs the procedure above: logins -ox \ | awk -F: ''($8 == "PS") { print $6 }'' \ | while read dir do ls -d "$dir/".[!.]* | while read file do  if [ ! -h "$file" -a -f "$file" ] then chmod go-w "$file" fi done done'
+    compliance:
+      - cis: ["1.8.8"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_dot_files="Y"'
+
+  - id: 30053
+    title: "Remove user .netrc, .rhosts and .shosts files."
+    description: "Remove user .netrc, .rhosts, and .shosts files. Note that making global modifications to user security files in their home directories without alerting your user community can result in unexpected outages and unhappy users."
+    rationale: ".netrc files may contain unencrypted passwords that may be used to attack other systems, while .rhosts and .shosts files used in conjunction with the BSD-style “r-commands” (rlogin, remsh, rcp) or SSH implement a weak form of authentication based on the network address or host name of the remote computer (which can be spoofed by a potential attacker to exploit the local system)."
+    remediation: 'Perform the following to remove user .netrc, .rhosts, and .shosts files. 1. Identify all user accounts, and for each existing home directory: 2. Remove .netrc, .rhosts, and .shosts files The following script performs the procedure above: logins -ox | cut -f6 -d: | while read h do for file in "$h/.netrc" "$h/.rhosts" "$h/.shosts" do  if [ -f "$file" ] then  echo "removing $file" rm -f "$file" fi done done'
+    compliance:
+      - cis: ["1.8.9"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_rc_files="Y"'
+
+  - id: 30054
+    title: "Set default umask for users."
+    description: "Set the default umask to 077 so that files created by users will not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. - Bastille Note: sets the default umask, but uses a umask of 027 rather than the 077."
+    rationale: "Restricting access to files and directories created by a user from any other user on the system reduces the possibility of an unauthorized account accessing that user's files. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
+    remediation: 'Perform the following to set a default umask for users: 1. Change directory to /etc 2. Append the line umask 077 to the following files: a. profile b. csh.login c. d.profile d. d.login 3. Update the UMASK parameter to 077 in the file /etc/default/security The following script performs the procedure above: cd /etc for file in profile csh.login d.profile d.login do echo umask 077 >> "$file" done ch_rc -a -p UMASK=077 /etc/default/security'
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.umask="077"'
+
+  - id: 30055
+    title: "Set 'mesg n' as default for all users."
+    description: "Block the use of write or talk commands to contact the user at their terminal in order to slightly strengthen permissions on the user's tty device. Note that this setting is the default on HP-UX 11i."
+    rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
+    remediation: 'Perform the following: 1. Change directory to /etc 2. Append the line mesg n to the following files: a. profile b. csh.login c. d.profile d. d.login The following script performs the procedure above:  cd /etc for file in profile csh.login d.profile d.login do  echo mesg n >> "$file" done'
+    compliance:
+      - cis: ["1.8.11"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.mesgn="Y"'
+
+  #################################################################
+  # 1.9 Warning Banners
+  #################################################################
+
+  - id: 30056
+    title: "Create warning banners for terminal-session logins."
+    description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, as well as for remote terminal-session logins such as through SSH or Telnet.  /etc/motd is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed."
+    rationale: "Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system."
+    remediation: "Perform the following to create warning banners for terminal-session logins: 1. Compose a default banner text string 2. Append this string to the files  /etc/motd and /etc/motd 3. Change the owner to root and group owner to sys  for the file /etc/motd 4. Change the owner to root and group owner to root for the file /etc/issue 5. Change file permissions to (644) for the files /etc/motd and /etc/issue"
+    compliance:
+      - cis: ["1.9.1"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.banners="Y"'
+
+  - id: 30057
+    title: "Create warning banners for GUI logins."
+    description: "The standard graphical login program for HP-UX requires the user to enter their username in one dialog box and their password in a second separate dialog. The commands below set the warning message on both to be the same message, but the site has the option of using different messages on each screen. The Dtlogin*greeting.labelString is the message for the first dialog where the user is prompted for their username, and .perslabelString is the message on the second dialog box. Note that system administrators may wish to consult with their site’s legal council about the specifics of any warning banners."
+    rationale: "Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system."
+    remediation: 'Perform the following to install default warning banners for GUI logins: 1. Create a default banner text string ($banner) 2. For each directory in /usr/dt/config that contains a Xresources file, copy that Xresources file into a corresponding directory in /etc/dt/config (creating the directory if needed) 3. Append the following lines (replacing $banner with the string in step 1) to each /etc/dt/config/*/Xresources file: a. Dtlogin*greeting.labelString: $banner b. Dtlogin*greeting.persLabelString: $banner 4. Change the owner to root and group owner to sys for each Xresource file 5. Change the file permissions to 644 for each Xresource file The following script performs the procedure above: banner="Authorized users only. All activity may \ be monitored and reported." for file in /usr/dt/config/*/Xresources; do dir="$(dirname "$file" | sed ''s|^/usr/|/etc/|'')" mkdir -p "$dir" if [ ! -f "$dir/Xresources" ]; then cp -p "$file" "$dir/Xresources" fi echo "Dtlogin*greeting.labelString: $banner" \ >> "$dir/Xresources" echo "Dtlogin*greeting.persLabelString: $banner" \ >> "$dir/Xresources" done chown root:sys /etc/dt/config/*/Xresources chmod 644 /etc/dt/config/*/Xresources'
+    compliance:
+      - cis: ["1.9.2"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:HP_UX.gui_banner="Y"'
+
+  - id: 30058
+    title: "Create warning banners for FTP daemon."
+    description: "The FTP daemon in HP-UX 11 is based on the popular Washington University FTP daemon (WU-FTPD), which is an Open Source program widely distributed on the Internet. Note that this setting has no effect if the FTP daemon remains de-activated from item 1.2.1."
+    rationale: "Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system."
+    remediation: 'Perform the following to install a default warning banner for the FTP daemon: 1. Ensure that an appropriate warning message exists in the /etc/issue file . 2. Append the line "banner /etc/issue" to the file /etc/ftpd/ftpaccess 3. Change file permissions to 600 for /etc/ftpd/ftpaccess 4. Change owner to root and group owner to sys for both /etc/ftpd and /etc/ftpd/ftpaccess The following script performs the procedure above: if [ -d /etc/ftpd ]; then echo "banner /etc/issue" >>/etc/ftpd/ftpaccess chmod 600 /etc/ftpd/ftpaccess chown root:sys /etc/ftpd /etc/ftpd/ftpaccess fi'
+    compliance:
+      - cis: ["1.9.3"]
+      - cis_level: ["1"]
+    condition: all
+    rules:
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:FTP.ftpbanner="Y"'
diff --git a/etc/ruleset/sca/mongodb/cis_mongodb_36.yml b/etc/ruleset/sca/mongodb/cis_mongodb_36.yml
new file mode 100644
index 0000000000..7ce999d32d
--- /dev/null
+++ b/etc/ruleset/sca/mongodb/cis_mongodb_36.yml
@@ -0,0 +1,277 @@
+# Security Configuration Assessment
+# CIS Checks for MongoDB
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for MongoDB 3.6 v1.0.0 - 31-12-2019
+
+policy:
+  id: "cis_mongodb"
+  file: "cis_mongodb_36.yml"
+  name: "CIS MongoDB 3.6 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for MongoDB version 3.6. This guide was tested against MongoDB 3.6 running on Ubuntu Linux and Windows but applies to other distributions as well"
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that MongoDB is installed on the system."
+  description: "Requirements for running the SCA scan against the MongoDB policy."
+  condition: any
+  rules:
+    - "f:/etc/mongodb.conf"
+    - "f:/etc/mongod.conf"
+
+variables:
+  $main-conf: /etc/mongod.conf
+
+checks:
+  #1 Installation and Patching
+  #1.1 Ensure the appropriate MongoDB software version/patches are installed - Not implemented
+
+  #2 Authentication
+  #2.1
+  - id: 22500
+    title: "Ensure Authentication is configured."
+    description: "This setting ensures that all clients, users, servers are required to authenticate before being granted access to the MongoDB database. Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access. To authenticate as a user, you must provide a username, password, and the authentication database associated with that user."
+    rationale: "Failure to authenticate clients, users, servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources."
+    remediation: "The authentication mechanism should be implemented before anyone accesses the MongoDB Server. To enable the authentication mechanism: Start the MongoDB instance without authentication. Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements. Open mongod.conf and change for authorization value to enabled. Restart the MongoDB instance."
+    compliance:
+      - cis: ["1.2"]
+      - cis_csc: ["16", "16.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/core/authentication/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A4 \"security:\"" -> r:authorization: "enabled"'
+
+  #2.2
+  - id: 22501
+    title: "Ensure that MongoDB does not bypass authentication via the localhost exception."
+    description: "MongoDB should not be set to bypass authentication via the localhost exception. The localhost exception allows the user to enable authorization before creating the first user in the system. When active, the localhost exception allows all connections from the localhost interface to have full access to that instance. The exception applies only when there are no users created in the MongoDB instance. Note: This recommendation only applies when there are no users created in the MongoDB instance."
+    rationale: "Disabling this exception will prevent unauthorized local access to the MongoDB database. It will also ensure the traceability of each database activity to a specific user. Localhost Exception allows direct connect to Mongod’s without any UN/PW."
+    remediation: "To disable local authentication on the MongoDB database, type OS Console Command: mongod --setParameter enableLocalhostAuthBypass=0, or manually configure use the setParameter option in the mongo configuration file to set it to false ."
+    compliance:
+      - cis: ["2.2"]
+      - cis_csc: ["16", "16.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/parameters/#param.enableLocalhostAuthBypass
+    condition: all
+    rules:
+      - 'f:$main-conf -> r:enableLocalhostAuthBypass: \(0|false\)'
+
+  #2.3
+  - id: 22502
+    title: "Ensure authentication is enabled in the sharded cluster."
+    description: "Authentication is enabled in a sharded cluster when the certificate or key files are created and configured for all components. This ensures that every client that accesses the cluster must provide credentials, to include MongoDB instances that access each other within the cluster. With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster. For Production Environment: x.509 certificate authentication with secure TSL/SSL connection must be used for authentication. For Development Purpose: Key file can be used as an authentication mechanism between the shared cluster. Keyfiles are bare-minimum forms of security and are best suited for testing or development environments."
+    rationale: "Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component. A MongoDB sharded cluster can enforce user authentication as well as internal authentication of its components to secure against unauthorized access."
+    remediation: "To authenticate to servers, clients can use x.509 certificates instead of usernames and passwords. MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password."
+    compliance:
+      - cis: ["2.3"]
+      - cis_csc: ["16", "1.8"]
+    references:
+      - https://docs.mongodb.com/v3.6/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster-no-downtime/
+      - https://docs.mongodb.com/v3.6/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-x509-member-authentication/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 \"ssl:\"" -> r:PEMKeyFile'
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 "ssl:\"" -> r:clusterFile'
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 \"ssl:\"" -> r:CAFile'
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A10 \"security:\"" -> r:clusterAuthMode: "x509"'
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A10 \"security:\"" -> r:authenticationMechanisms: "MONGODB-X509"'
+
+  #3 Access Control
+  #3.1 - Requires mongo shell commands, currently not supported
+
+  #3.2
+  - id: 22503
+    title: "Ensure that MongoDB only listens for network connections on authorized interfaces."
+    description: "Ensuring that MongoDB runs in a trusted network environment involves limiting the network interfaces on which MongoDB instances listen for incoming connections. Any untrusted network connections should be dropped by MongoDB. Firewalls allow administrators to filter and control access to a system by providing granular control over network communications. For administrators of MongoDB, the following capabilities are important: 1. Limiting incoming traffic on a specific port to specific systems, 2. Limiting incoming traffic from untrusted hosts. On Linux systems, the iptables interface provides access to the underlying netfilter firewall. On Windows systems, netsh command line interface provides access to the underlying Windows Firewall."
+    rationale: "This configuration blocks connections from untrusted networks, leaving only systems on authorized and trusted networks able to attempt to connect to the MongoDB. If not configured, this may lead to unauthorized connections from untrusted networks to MongoDB."
+    remediation: "Configure the MongoDB configuration file to limit its exposure to only the network interfaces on which MongoDB instances should listen for incoming connections."
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc: ["9.1", "9.2"]
+    references:
+      - https://docs.mongodb.com/v3.6/tutorial/configure-linux-iptables-firewall/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-windows-netsh-firewall/
+      - https://docs.mongodb.com/v3.6/core/security-network/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 \"net:\"" -> r:bindIp'
+
+  #3.3
+  - id: 22504
+    title: "Ensure that MongoDB is run using a Least Privileges, dedicated service account."
+    description: "The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk. This setting ensures that the monogd service runs as a least-privileged user."
+    rationale: "Using a non-privileged, dedicated service account restricts the database from accessing the critical areas of the operating system which are not required by MongoDB. This will also mitigate the potential for unauthorized access via a compromised, privileged account on the operating system. Anyone who has been a victim of viruses, worms, and other malicious software (malware) will appreciate the security principle of “least privilege.” If all processes ran with the minial set of privileges needed to perform the user's tasks, it would be more difficult for malware to infect a machine and propagate to other machines."
+    remediation: "1. Create a user which is only used for running Mongodb and directly related processes. This user must not have administrative rights to the system. Steps to create user. 2. Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user and then set ownership to mongodb user only. 3. Set the log files to only be writable by the mongod/mongos user and readable only by root."
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc: ["5.1", "4.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/tutorial/manage-users-and-roles/
+    condition: all
+    rules:
+      - 'not c:sh -c "ps -aef | grep mongod" -> r:root'
+
+  #3.4 - Requires mongo shell commands, currently not supported
+  #  - id: 22507
+  #    title: "Ensure that each role for each MongoDB database is needed and grants only the necessary privileges."
+
+  #3.5 - Requires mongo shell commands, currently not supported
+  #  - id: 22508
+  #    title: "Review User-Defined Roles."
+
+  #3.6 - Requires mongo shell commands, currently not supported
+  #  - id: 22509
+  #    title: "Review Superuser/Admin Roles."
+
+  #4 Data Encryption
+  #4.1
+  - id: 22505
+    title: "Ensure Encryption of Data in Transit TLS/SSL (Transport Encryption)."
+    description: "Use TLS or SSL to protect all incoming and outgoing connections. This should include using TLS or SSL to encrypt communication between the mongod and mongos components of a MongoDB client as well as between all applications and MongoDB. MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB’s network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client."
+    rationale: "This prevents sniffing of cleartext traffic between MongoDB components or performing a man-in-the-middle attack for MongoDB."
+    remediation: "Configure MongoDB servers to require the use of SSL or TLS to encrypt all MongoDB network communications. To implement SSL or TLS to encrypt all MongoDB network communication, perform the following steps: For mongod (“Primary daemon process for the MongoDB system”) In the configuration file /etc/mongod.conf , set the PEMKeyFile option to the certificate file’s path and then start the component"
+    compliance:
+      - cis: ["4.1"]
+      - cis_csc: ["14.2", "14.4"]
+    references:
+      - https://docs.mongodb.com/v3.6/core/security-transport-encryption/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-ssl/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-ssl-clients/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-x509-client-authentication/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-x509-member-authentication/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 \"ssl:\"" -> r:mode: "requireSSL"'
+
+  #4.2
+  - id: 22506
+    title: "Ensure Federal Information Processing Standard (FIPS) is enabled."
+    description: "The Federal Information Processing Standard (FIPS) is a computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. FIPS is a property of the encryption system and not the access control system. However, the environment requires FIPS compliant encryption and access control. Organizations must ensure that the access control system uses only FIPS-compliant encryption."
+    rationale: "FIPS is an industry standard which dictates how data should be encrypted at rest and during transmission."
+    remediation: "Configuring FIPS mode, ensure that your certificate is FIPS compliant. Run mongod or mongos instance in FIPS mode. Make changes to configuration file, to configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["14.2", "14.5", "14.4", "14.8"]
+    references:
+      - https://docs.mongodb.com/v3.6/tutorial/configure-fips/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A12 \"ssl:\"" -> r:FIPSMode: \(1|true\)'
+
+  #4.3 - Does not provide audit steps
+  #  - id: 22512
+  #    title: "Ensure Encryption of Data at Rest."
+
+  #5 Auditing
+  #5.1
+  - id: 22507
+    title: "Ensure that system activity is audited."
+    description: "Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls."
+    rationale: "System level logs can be handy while troubleshooting an operational problem or handling a security incident."
+    remediation: "Set the value of auditLog.destination to the appropriate value"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/tutorial/configure-auditing/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A4 \"auditLog\"" -> r:destination'
+
+  #5.2
+  - id: 22508
+    title: "Ensure that system activity is audited."
+    description: "MongoDB Enterprise supports auditing of various operations. When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. To specify which events to record, the audit feature includes the --auditFilter option. This check is only for Enterprise editions."
+    rationale: "All operations carried out on the database are logged. This helps in backtracking and tracing any incident that occurs."
+    remediation: "Set the audit filters based on the organization’s requirements."
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/audit-message/
+      - https://docs.mongodb.com/v3.6/tutorial/configure-audit-filters/
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A10 \"auditLog\"" -> r:filter'
+
+  #5.3
+  - id: 22509
+    title: "Ensure that audit filters are configured properly."
+    description: "The SystemLog.quiet option stops logging of information such as:connection events, authentication events, replication sync activitie, evidence of some potentially impactful commands being run (eg: drop , dropIndexes , validate ). This information should be logged whenever possible. This check is only for Enterprise editions."
+    rationale: "The use of SystemLog.quiet makes troubleshooting problems and investigating possible security incidents much more difficult."
+    remediation: "Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it."
+    compliance:
+      - cis: ["5.3"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet
+    condition: all
+    rules:
+      - 'f:$main-conf -> r:quiet: \(0|false\)'
+
+  #5.4
+  - id: 22510
+    title: "Ensure that new entries are appended to the end of the log file."
+    description: "By default, new log entries will overwrite old entries after a restart of the mongod or mongos service. Enabling the systemLog.logAppend setting causes new entries to be appended to the end of the log file rather than overwriting the existing content of the log when the mongod or mongos instance restarts."
+    rationale: "Allowing old entries to be overwritten by new entries instead of appending new entries to the end of the log may destroy old log data that is needed for a variety of purposes."
+    remediation: "Set systemLog.logAppend to true in the /etc/mongod.conf file."
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc: ["6.3", "6.4"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.logAppend
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A10 \"systemLog\"" -> r:logAppend: \(1|true\)'
+
+  #6 Operating System Hardening
+  #6.1
+  - id: 22511
+    title: "Ensure that MongoDB uses a non-default port."
+    description: "Changing the default port used by MongoDB makes it harder for attackers to find the database and target it."
+    rationale: "Standard ports are used in automated attacks and by attackers to verify which applications are running on a server."
+    remediation: "Change the port for MongoDB server to a number other than 27017."
+    compliance:
+      - cis: ["6.1"]
+      - cis_csc: ["9.2"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/default-mongodb-port/
+    condition: all
+    rules:
+      - "not f:$main-conf -> r:port: 27017"
+
+  #6.2 - Has to be done manually as it is specific to the MongoDB deployment
+  #  - id: 22518
+  #    title: "Ensure that operating system resource limits are set for MongoDB."
+
+  #6.3
+  - id: 22512
+    title: "Ensure that server-side scripting is disabled if not needed."
+    description: "MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce , group , and $where . If you do not use these operations, server-side scripting should be disabled."
+    rationale: "If server-side scripting is not needed and is not disabled, this introduces unnecessary risk which may allow an attacker to take advantage of insecure coding."
+    remediation: "If server-side scripting is not required, disable it by using the --noscripting option on the command line."
+    compliance:
+      - cis: ["6.3"]
+      - cis_csc: ["18.9", "9.2"]
+    references:
+      - https://docs.mongodb.com/v3.6/reference/configuration-options/#security.javascriptEnabled
+    condition: all
+    rules:
+      - 'c:sh -c "cat /etc/mongod.conf | grep \\-A10 \"security\"" -> r:javascriptEnabled: 0|false'
+# 7 File Permissions
+# 7.1 - Has to be done manually as it is specific to the MongoDB deployment
+#  - id: 22520
+#    title: "Ensure authentication file permissions are set correctly."
+
+# 7.2 - Has to be done manually as it is specific to the MongoDB deployment
+#  - id: 22521
+#    title: "Ensure that database file permissions are set correctly."
diff --git a/etc/ruleset/sca/nginx/cis_nginx_1.yml b/etc/ruleset/sca/nginx/cis_nginx_1.yml
new file mode 100644
index 0000000000..ee852fb34e
--- /dev/null
+++ b/etc/ruleset/sca/nginx/cis_nginx_1.yml
@@ -0,0 +1,865 @@
+# Security Configuration Assessment
+# CIS Checks for Debian Linux 10
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security NGINX Benchmark v1.0.0 - 02-28-2019
+
+policy:
+  id: "cis_nginx1"
+  file: "cis_nginx1.yml"
+  name: "CIS NGINX version 1.14.0 Benchmark v1.0.0"
+  description: "This document, CIS NGINX Benchmark, provides prescriptive guidance for establishing a secure configuration posture for NGINX version 1.14.0 running on Linux."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Ensure NGINX is installed"
+  description: "The CIS NGINX Benchmark recommends using the NGINX binary provided by your vendor for most situations. As an alternative, packages from nginx.org are available for a variety of platforms, including Linux and FreeBSD."
+  condition: all
+  rules:
+    - 'c:nginx -v -> r:nginx\sversion'
+
+checks:
+  ############################################################
+  # 1 Initial Setup
+  ############################################################
+
+  # 1.1 Installation
+
+  # 1.1.1 Ensure NGINX is installed (Scored)
+  # Already implemented in "requirements" block.
+
+  # 1.1.2 Ensure NGINX is installed from source (Not Scored)
+  # Not automatable
+
+  # 1.2 Configure Software Updates
+
+  # 1.2.1 Ensure package manager repositories are properly configured (Not Scored)
+  # Not automatable
+
+  # 1.2.2 Ensure the latest software package is installed (Not Scored)
+  # Not automatable
+
+  ############################################################
+  # 2 Basic Configuration
+  ############################################################
+
+  # 2.1 Minimize NGINX Modules
+
+  # 2.1.1 Ensure only required modules are installed (Not Scored)
+  # Not automatable
+
+  # 2.1.2 Ensure HTTP WebDAV module is not installed (Scored)
+  - id: 23000
+    title: "Ensure HTTP WebDAV module is not installed"
+    description: "The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations on your web server, such as the ability to create, delete, change and move files on your server. Most modern architectures have replaced this functionality with cloud-based object storage, in which case the module should not be installed."
+    rationale: "WebDAV functionality opens up an unnecessary path for exploiting your web server. Through misconfigurations of WebDAV operations, an attacker may be able to access and manipulate files on the server."
+    remediation: "To remove the http_dav_module, recompile nginx from source without the --withhttp_dav_module flag."
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/configure.html
+      - https://tools.ietf.org/html/rfc4918
+    condition: all
+    rules:
+      - 'c:sh -c "nginx -V 2>&1 | grep \"http_dav_module\""  -> r:^$'
+
+  # 2.1.3 Ensure modules with gzip functionality are disabled (Scored)
+  - id: 23001
+    title: "Ensure modules with gzip functionality are disabled"
+    description: "gzip is used for compression. Compression functionality should be disabled to prevent certain types of attacks from being performed successfully."
+    rationale: "Compression has been linked with the Breach attack and others. While the Breach attack has been mitigated with modern usages of the HTTP protocol, disabling the use of compression is considered a defense-in-depth strategy to mitigate other attacks."
+    remediation: "In order to disable the http_gzip_module, nginx must be recompiled from source. This can be accomplished using the below command in the folder you used during your original compilation. This must be done without the --with-http_gzip_static_module configuration directive. './configure --without-http_gzip_module'"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/configure.html
+      - http://nginx.org/en/docs/configure.html
+    condition: all
+    rules:
+      - 'c:sh -c "nginx -V 2>&1 | grep \"http_gzip_module\|http_gzip_static_module\"" -> r:^$'
+
+  # 2.1.4 Ensure the autoindex module is disabled (Scored)
+  - id: 23002
+    title: "Ensure the autoindex module is disabled"
+    description: "The autoindex module processes requests ending with the slash character. This feature enables directory listing, which could be useful in attacker reconnaissance, so it should be disabled."
+    rationale: "Automated directory listings may reveal information helpful to an attacker, such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed."
+    remediation: "Perform the following to disable the autoindex module: 1. Search the NGINX configuration files (nginx.conf and any included configuration files) to find autoindex directives. 'egrep -i '^\\s*autoindex\\s+' /etc/nginx/nginx.conf'. 'egrep -i '^\\s*autoindex\\s+' /etc/nginx/conf.d/*'. 2. Set the value for all autoindex directives to off, or remove those directives."
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/http/ngx_http_autoindex_module.htm
+    condition: none
+    rules:
+      - "f:/etc/nginx/nginx.conf -> r:autoindex on"
+      - "f:/etc/nginx/conf.d/default.conf -> r:autoindex on"
+
+  # 2.2 Account Security
+
+  # 2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Not Scored)
+  - id: 23003
+    title: "Ensure that NGINX is run using a non-privileged, dedicated service account"
+    description: "The nginx user directive designates which user account nginx worker processes run under. Ensuring a non-privileged, dedicated service account is used is a defense in depth measure to limit what an attacker who compromises the account can do."
+    rationale: "Running a web server under a non-privileged, dedicated service account helps mitigate the risk of lateral movement to other services or processes in the event the user account running the web services is compromised. The default user nobody is typically used for several processes, and if this is compromised, it could allow an attacker to have access to all processes running as that user."
+    remediation: "Add a system account for the nginx user with a home directory of /var/cache/nginx and a shell of /sbin/nologin so it does not have the ability to log in, then add the nginx user to be used by nginx: 'user add nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin'. Then add the nginx user to /etc/nginx/nginx.conf by adding the user directive as shown below: 'user nginx;'"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/ngx_core_module.html#user
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^user\s+nginx;'
+      - 'c:sudo -l -U nginx -> r:^User nginx is not allowed to run sudo\.*'
+      - 'c:groups nginx -> r:^nginx\s:\snginx$'
+
+  # 2.2.2 Ensure the NGINX service account is locked (Scored)
+  - id: 23004
+    title: "Ensure the NGINX service account is locked"
+    description: "The nginx user account should have a valid password, but the account should be locked. NOTE: If a different account is used to run nginx, that account's name should be substituted for nginx in the audit and remediation procedures."
+    rationale: "As a defense-in-depth measure, the nginx user account should be locked to prevent logins and to prevent someone from switching users to nginx using the password. In general, there shouldn't be a need for anyone to have to su as nginx, and when there is a need, sudo should be used instead, which would not require the nginx account password."
+    remediation: "Use the passwd command to lock the nginx service account: 'passwd -l nginx'"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:passwd -S nginx -> r:^nginx L\.+'
+
+  # 2.2.3 Ensure the NGINX service account has an invalid shell (Scored)
+  - id: 23005
+    title: "Ensure the NGINX service account has an invalid shell"
+    description: "The nginx account should not have the ability to log in, so the /sbin/nologin shell should be set for the account."
+    rationale: "The account used for nginx should only be used for the nginx service and does not need to have the ability to log in. This prevents an attacker who compromises the account to log in with it."
+    remediation: "Change the login shell for the nginx account to /sbin/nologin by using the following command: 'chsh -s /sbin/nologin nginx'"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - "c:grep nginx /etc/passwd -> r:/sbin/nologin"
+
+  # 2.3 Permissions and Ownership
+
+  # 2.3.1 Ensure NGINX directories and files are owned by root (Scored)
+  - id: 23006
+    title: "Ensure NGINX directories and files are owned by root"
+    description: "The owner and group of the /etc/nginx directory and its files should be root."
+    rationale: "Setting ownership to only those users in the root group and the root user will reduce the likelihood of unauthorized modifications to the nginx configuration files."
+    remediation: "Run the following command to ensure ownership and group ownership is set to root: 'chown -R root:root /etc/nginx'"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/nginx -> r:Access:\s*(" && r:Uid:\s+\(\.+root\)\s+Gid:\s+\(\.+root\)$'
+
+  # 2.3.2 Ensure access to NGINX directories and files is restricted (Scored)
+  - id: 23007
+    title: "Ensure access to NGINX directories and files is restricted"
+    description: "Permissions on the /etc/nginx directory should enforce the principle of least privilege."
+    rationale: "This ensures that only users who need access to configuration files are able to view them, thus preventing unauthorized access. Other users will need to use sudo in order to access these files."
+    remediation: "To set permissions to least privilege on the nginx configuration files, issue these commands: 'find /etc/nginx -type d | xargs chmod 750'. 'find /etc/nginx -type f | xargs chmod 640'"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["14"]
+    references:
+      - https://dev-sec.io/baselines/nginx/
+    condition: none
+    rules:
+      - "c:find /etc/nginx -type d -ls -> !r:^drwxr-x---"
+      - "c:find /etc/nginx -type f -ls -> !r:^-rw-r-----"
+
+  # 2.3.3 Ensure the NGINX process ID (PID) file is secured (Scored)
+  - id: 23008
+    title: "Ensure the NGINX process ID (PID) file is secured"
+    description: "The PID file stores the main process ID of the nginx process. This file should be protected from unauthorized modification."
+    rationale: "The PID file should be owned by root and the group root. It should also be readable to everyone, but only writable by root (permissions 644). This will prevent unauthorized modification of the PID file, which could cause a denial of service."
+    remediation: "If the PID file is not owned by root, issue this command: 'chown root:root /var/run/nginx.pid'. If the PID file has permissions greater than 644, issue this command: 'chown 644 /var/run/nginx.pid'"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:ls -l /var/run/nginx.pid -> r:^\.+\S+\s+root\s+root\s+\.+'
+
+  # 2.3.4 Ensure the core dump directory is secured (Not Scored)
+  - id: 23009
+    title: "Ensure the core dump directory is secured"
+    description: "Core dumps are snapshots of memory. The working_directorydirective is used to specify the directory NGINX attempts to create core dumps in. Core dumps will be disabled if the directory is not writable by the NGINX user. It is recommended that the working_directory directive be set to a directory that is owned by the root user and the group the NGINX process executes as, and is inaccessible to other users. Usually, production systems should not have this enabled."
+    rationale: "Core dumps may contain sensitive information that should not be accessible by other accounts on the system."
+    remediation: "Either remove the working_directory directive from the NGINX configuration files or ensure that the configured directory meets the following requirements: 1. It is not within the NGINX web document root. 2. It is owned by root and has a group ownership of the NGINX group: 'chown root:nginx /var/log/nginx'. 3. It has no read-write-search access permission for other users: 'chmod o-rwx /var/log/nginx'"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/#coredump
+    condition: none
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*working_directory'
+
+  # 2.4 Network Configuration
+
+  # 2.4.1 Ensure NGINX only listens for network connections on authorized ports (Not Scored)
+  - id: 23010
+    title: "Ensure NGINX only listens for network connections on authorized ports"
+    description: "NGINX can be configured to listen on any port, but it should be configured to listen on authorized ports only."
+    rationale: "Limiting the listening ports to only those that are authorized helps to ensure no unauthorized services are running through the use of nginx."
+    remediation: "If any ports are listening that are not authorized, comment out or delete the associated configuration for that listener."
+    compliance:
+      - cis: ["2.4.1"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:grep -ir " listen " /etc/nginx -> r:^\.+listen\s+80\s+\.*|^\.+listen\s+443\s+\.*|^\.+:443\s+\.*'
+
+  # 2.4.2 Ensure requests for unknown host names are rejected (Not Scored) - Not automatable
+
+  # 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)
+  - id: 23011
+    title: "Ensure keepalive_timeout is 10 seconds or less, but not 0"
+    description: "Persistent connections are leveraged by all modern browsers to facilitate greater web performance. The keep-alive timeout limits the time a persistent connection may remain open. Setting the keep-alive timeout allows this timeout to be controlled on the server side."
+    rationale: "Setting a keep-alive timeout on the server side helps mitigate denial of service attacks that establish too many persistent connections, exhausting server resources."
+    remediation: "Find the HTTP or server block of your nginx configuration, and add the keepalive_timeout directive. Set it to 10 seconds or less, but not 0. This example command sets it to 10 seconds: 'keepalive_timeout 10;'"
+    compliance:
+      - cis: ["2.4.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
+    condition: any
+    rules:
+      - "c:grep -ir keepalive_timeout /etc/nginx -> r:^$"
+      - 'c:grep -ir keepalive_timeout /etc/nginx -> r:^\s*\t*keepalive_timeout\s+(\d+) compare <= 10 && r:^\s*\t*keepalive_timeout\s+(\d+) compare > 0;'
+
+  # 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)
+  - id: 23012
+    title: "Ensure send_timeout is set to 10 seconds or less, but not 0"
+    description: "The send_timeout directive sets a timeout for transmitting a response to the client between two successive write operations."
+    rationale: "Setting the send_timeout directive on the server side helps mitigate slow HTTP denial of service attacks by ensuring write operations taking up large amounts of time are closed."
+    remediation: "Find the HTTP or server block of your nginx configuration, and add the send_timeout directive. Set it to 10 seconds or less, but not 0. 'send_timeout 10;'"
+    compliance:
+      - cis: ["2.4.4"]
+    references:
+      - https://www.owasp.org/index.php/SCG_WS_nginx
+      - http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
+    condition: any
+    rules:
+      - "c:grep -ir send_timeout /etc/nginx -> r:^$"
+      - 'c:grep -ir send_timeout /etc/nginx -> r:^\s*\t*send_timeout\s+(\d+) compare <= 10 && r:^\s*\t*send_timeout\s+(\d+) compare > 0;'
+
+  # 2.5 Information Disclosure
+
+  # 2.5.1 Ensure server_tokens directive is set to `off` (Scored)
+  - id: 23013
+    title: "Ensure server_tokens directive is set to `off`"
+    description: "The server_tokens directive is responsible for displaying the NGINX version number and operating system version on error pages and in the Server HTTP response header field. This information should not be displayed."
+    rationale: "Attackers can conduct reconnaissance on a website using these response headers, then target attacks for specific known vulnerabilities associated with the underlying technologies. Hiding the version will slow down and deter some potential attackers."
+    remediation: "To disable the server_tokens directive, set it to off inside a server block in your nginx.conf: 'server {...server_tokens off;...}'"
+    compliance:
+      - cis: ["2.5.1"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'c:curl -I 127.0.0.1 -> r:^\.*Server:\s+nginx/\.+'
+
+  # 2.5.2 Ensure default error and index.html pages do not reference NGINX (Scored)
+  - id: 23014
+    title: "Ensure default error and index.html pages do not reference NGINX"
+    description: "The default error and index.html pages for NGINX reveal that the server is NGINX. These default pages should be removed or modified so they do not advertise the underlying infrastructure of the server."
+    rationale: "By gathering information about the server, attackers can target attacks against its known vulnerabilities. Removing pages that disclose the server runs NGINX helps reduce targeted attacks on the server."
+    remediation: "Edit /usr/share/nginx/html/index.html andusr/share/nginx/html/50x.html and remove any lines that reference NGINX."
+    compliance:
+      - cis: ["2.5.2"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'c:grep -i nginx /usr/share/nginx/html/index.html -> r:\.+'
+      - 'c:grep -i nginx /usr/share/nginx/html/50x.html -> r:\.+'
+
+  # 2.5.3 Ensure hidden file serving is disabled (Not Scored)
+  - id: 23015
+    title: "Ensure hidden file serving is disabled"
+    description: "Disabling hidden files is a defense-in-depth mechanism to help prevent accidentally exposing sensitive information."
+    rationale: "Disabling hidden files prevents an attacker from being able to reference a hidden file that may be put in your location and have sensitive information, like .git files."
+    remediation: "Edit the nginx.conf file and add the following line: 'location ~ /\\. { deny all; return 404; }'"
+    compliance:
+      - cis: ["2.5.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://programming-review.com/nginx-disable-access-to-htaccess-file/
+    condition: all
+    rules:
+      - 'c:grep location /etc/nginx/nginx.conf -> r:^\s*location\s+~\s+/\\.\.*'
+
+  # 2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Scored)
+  - id: 23016
+    title: "Ensure the NGINX reverse proxy does not enable information disclosure"
+    description: "The server and x-powered-by header may specify the underlying technology used by an application. The NGINX reverse proxy may pass these headers if not explicitly directed to remove them."
+    rationale: "Attackers can conduct reconnaissance on a website using these response headers, then target attacks for specific known vulnerabilities associated with the underlying technologies. Removing these headers will reduce the likelihood of targeted attacks."
+    remediation: "Implement the below directives as part of your location block. Edit /etc/nginx/nginx.conf and add the following: 'location /docs {....proxy_hide_header X-Powered-By;proxy_hide_header Server;....}'"
+    compliance:
+      - cis: ["2.5.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - http://nginx.org/en/docs/http/ngx_http_proxy_module.html
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_hide_header\s+X-Powered-By;'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_hide_header\s+Server;'
+
+  ############################################################
+  # 3 Logging
+  ############################################################
+
+  # 3.1 Ensure detailed logging is enabled (Not Scored)
+  - id: 23017
+    title: "Ensure detailed logging is enabled"
+    description: "System logging should be configured to meet your organizational security and privacy policies. Enabling detailed logging to include information about events, event sources, timestamps, and users may assist in incident response activities. NOTE: Aim to keep sensitive information out of logs. For example, keep sensitive information out of query strings and URIs to avoid this."
+    rationale: "Performing detailed logging ensures that incident responders, auditors, and others are able to clearly view the activity that has occurred on your server."
+    remediation: "Edit the log format directive in /etc/nginx/nginx.conf so it logs everything needed to meet your organizational policies. The following variables may be considered as useful examples include in your log_format with descriptive logging. You should consult the NGINX documentation and your organizational policy to ensure you are logging sufficient information and removing sensitive information where needed. '$remote_addr - client address'. '$remote_user - the user if basic authentication is used'. '$status - the HTTP response status'. '$content_type - Content-Type request header field'. '$time_local - local time in the Common Log Format'. '$request_method - request method, usually GET or POST'. '$request - full original request line'. '$uri - normalized URI in request'. '$server_port - port of the server which accepted a request'. '$server_name - name of the server which accepted a request'. '$http_user_agent - user agent of the client requesting access'. '$http_x_forwarded_for - client address a proxy or load balancer is forwarding traffic for'"
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["6.3"]
+    references:
+      - http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$remote_addr'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$remote_user'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$status'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$content_type'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$time_local'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$request_method'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$request'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$uri'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$server_port'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$server_name'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$http_user_agent'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.*$http_x_forwarded_for'
+
+  # 3.2 Ensure access logging is enabled (Scored)
+  - id: 23018
+    title: "Ensure access logging is enabled"
+    description: "The access_log directive should be on for every core site. It is enabled by default."
+    rationale: "Access logging allows incident responders and auditors to investigate access to a system in the event of an incident."
+    remediation: "Ensure the access_log directive is configured for every core site your organization requires logging for. This should look similar to the below configuration snippet. You may use different log file locations based on your needs. 'access_log /var/log/nginx/host.access.log main;'"
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc: ["6.3"]
+    references:
+      - http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
+    condition: none
+    rules:
+      - 'c:grep -ir access_log /etc/nginx -> r:^\.*access_log\s+off;'
+
+  # 3.3 Ensure error logging is enabled and set to the info logging level (Scored)
+  - id: 23019
+    title: "Ensure error logging is enabled and set to the info logging level"
+    description: "All errors for applications should be logged."
+    rationale: "Error logging can be useful in identifying an attacker attempting to exploit a system and recreating an attacker's steps. Error logging also helps with identifying possible issues with an application."
+    remediation: "Edit /etc/nginx/nginx.conf so the error_log directive is present and not commented out. The error_log should be configured to the logging location of your choice. The configuration should look similar to the below: 'error_log /var/log/nginx/error.log info;'"
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc: ["6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*error_log\s+/var/log/nginx/error.log\s+info;'
+
+  # 3.4 Ensure log files are rotated (Scored)
+  - id: 23020
+    title: "Ensure log files are rotated"
+    description: "Log rotation ensures log files do not consume excessive disk space, potentially causing a denial of service."
+    rationale: "Log files are important to track activity that occurs on your server, but they take up significant amounts of space. Log rotation should be configured in order to ensure the logs do not consume so much disk space that logging becomes unavailable."
+    remediation: 'Follow the below procedure to change the default configuration to the recommended log rotation configuration. You may need to manually edit or change the below command if the configuration is not the default. To change log compression from daily to weekly: ''sed -i s/daily/weekly/ /etc/logrotate.d/nginx''. To change log rotation from every year to every 13 weeks: ''sed -i "s/rotate 52/rotate 13/" /etc/logrotate.d/nginx'''
+    compliance:
+      - cis: ["3.4"]
+      - cis_csc: ["6.3", "6.4"]
+    condition: all
+    rules:
+      - 'f:/etc/logrotate.d/nginx -> r:^\s*rotate\s+13'
+      - 'f:/etc/logrotate.d/nginx -> r:^\s*weekly'
+
+  # 3.5 Ensure error logs are sent to a remote syslog server (Not Scored)
+  - id: 23021
+    title: "Ensure error logs are sent to a remote syslog server"
+    description: "Centralized log management helps ensure logs are forensically sound and are available at a central location for auditing and incident investigation."
+    rationale: "A centralized logging solution aggregates logs from multiple systems to ensure logs can be referenced in the event systems are thought to be compromised. Centralized log servers are also often used to correlate logs for potential patterns of attack. If a centralized logging solution is not used and systems (and their logs) are believed to be compromised, then logs may not be permitted to be used as evidence."
+    remediation: "To enable central logging for your error logs, add the below line to your server block in your server configuration file. 192.168.2.1 should be replaced with the location of your central log server. 'error_log syslog:server=192.168.2.1 info;'"
+    compliance:
+      - cis: ["3.5"]
+      - cis_csc: ["6.5"]
+    references:
+      - http://nginx.org/en/docs/syslog.html
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*error_log\s+syslog:\.+\s+info;'
+
+  # 3.6 Ensure access logs are sent to a remote syslog server (Not Scored)
+  - id: 23022
+    title: "Ensure access logs are sent to a remote syslog server"
+    description: "Centralized log management helps ensure logs are forensically sound and are available at a central location for auditing and incident investigation."
+    rationale: "A centralized logging solution aggregates logs from multiple systems to ensure logs can be referenced in the event systems are thought to be compromised. Centralized log servers are also often used to correlate logs for potential patterns of attack. If a centralized logging solution is not used and systems (and their logs) are believed to be compromised, then logs may not be permitted to be used as evidence."
+    remediation: "To enable central logging for your access logs, add the below line to your server block in your server configuration file. 192.168.2.1 should be replaced with the location of your central log server. The local logging facility may be changed to any unconfigured facility on your server. 'access_log syslog:server=192.168.2.1,facility=local7,tag=nginx,severity=info combined;'"
+    compliance:
+      - cis: ["3.6"]
+      - cis_csc: ["6.5"]
+    references:
+      - http://nginx.org/en/docs/syslog.html
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*access_log\s+syslog:server\.+severity=info\.*;'
+
+  # 3.7 Ensure proxies pass source IP information (Scored)
+  - id: 23023
+    title: "Ensure proxies pass source IP information"
+    description: "The x-forwarded-for and remote address headers help identify and separate the originating client IP address of the user agent and the proxy IP address. The two types of addresses are the same, and one should always be present."
+    rationale: "Being able to identify the originating client IP address can help auditors or incident responders identify where the corresponding user came from. This may be useful in the event of an attack to analyze if the IP address is a good candidate for blocking. It may also be useful to correlate an attacker's actions."
+    remediation: "To ensure your proxy or load balancer will forward information about the client and the proxy to the application, you must set the below headers in your location block. Edit your location block so it shows the proxy_set_header directives for the client and the proxy as shown below. These headers are the exact same and there is no need to have both present. 'server {...location / {proxy_pass (Insert Application URL here);proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}'"
+    compliance:
+      - cis: ["3.7"]
+      - cis_csc: ["6.4", "6.7"]
+    references:
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
+      - http://nginx.org/en/docs/http/ngx_http_proxy_module.html
+    condition: any
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_set_header\s+XReal-IP\s+\.+'
+      - 'f:/etc/nginx/nginx.conf -> r:^\.+X-Forwarded-For\s+\$proxy_add_x_forwarded_for'
+
+  ############################################################
+  # 4 Encryption
+  ############################################################
+  # 4.1 TLS / SSL Configuration
+
+  # 4.1.1 Ensure HTTP is redirected to HTTPS (Scored)
+  - id: 23024
+    title: "Ensure HTTP is redirected to HTTPS"
+    description: "Browsers and clients establish encrypted connections with servers by leveraging HTTPS. Requests leveraging HTTP are unencrypted. Unencrypted requests should be redirected so they are encrypted. Any listening HTTP port on your web server should redirect to a server profile that uses encryption. The default HTTP (unencrypted) port is 80."
+    rationale: "Redirecting user agent traffic to HTTPS helps to ensure all user traffic is encrypted. Modern browsers alert users that your website is insecure when HTTPS is not used. This can decrease user trust in your website and ultimately result in decreased use of your web services. Redirection from HTTP to HTTPS couples security with usability; users are able to access your website even if they lack the security awareness to use HTTPS over HTTP when requesting your website."
+    remediation: "Edit your web server or proxy configuration file to redirect all unencrypted listening ports, such as port 80, using a redirection through the return directive (cisecurity.org is used as an example server name). 'server {listen 80;server_name cisecurity.org;return 301 https://$host$request_uri;}'"
+    compliance:
+      - cis: ["4.1.1"]
+      - cis_csc: ["5.1", "14.4"]
+    references:
+      - https://serversforhackers.com/c/redirect-http-to-https-nginx
+    condition: any
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*return\s+301\s+https://\.+'
+      - 'f:/etc/nginx/conf.d/default.conf -> r:^\s*return\s+301\s+https://\.+'
+
+  # 4.1.2 Ensure a trusted certificate and trust chain is installed (Not Scored)
+  - id: 23025
+    title: "Ensure a trusted certificate and trust chain is installed"
+    description: "Certificates and their trust chains are needed to establish the identity of a web server as legitimate and trusted. Certificate authorities validate a web server's identity and that you are the owner of that web server domain name."
+    rationale: "Without a certificate and full trust chain installed on your web server, modern browsers will flag your web server as untrusted."
+    remediation: "Use the following procedure to install a certificate and its signing certificate chain onto your web server, load balancer, or proxy. Step 1: Create the server's private key and a certificate signing request. The following command will create your certificate's private key with 2048-bit key strength. Optionally, this parameter may be changed to 4096 for greater security. It will also output your certificate signing request to the nginx.csr file in your present working directory. Step 2: Obtain a signed certificate from your certificate authority. Provide your chosen certificate authority with your certificate signing request. Follow your certificate authority's signing procedures in order to obtain a certificate and the certificate's trust chain. A full trust chain is typically delivered in .pem format. Step 3: Install certificate and signing certificate chain on your web server. Place the .pem file from your certificate authority into the directory of your choice. Locate your created key file from the command you used to generate your certificate signing request. Open your website configuration file and edit your encrypted listener to leverage the ssl_certificate and ssl_certificate_key directives for a web server as shown below. You should also inspect include files inside your nginx.conf. This should be part of the server block. After editing this file, you must recycle nginx services for these changes to take effect. This can be done with the following command: 'sudo service nginx restart'"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["14.2"]
+    references:
+      - http://nginx.org/en/docs/http/configuring_https_servers.html#chains
+      - https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
+      - https://support.globalsign.com/customer/portal/articles/1290470-installcertificate---nginx
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*ssl_certificate\s+\.+'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*ssl_certificate_key\s+\.+'
+
+  # 4.1.3 Ensure private key permissions are restricted (Scored)
+  - id: 23026
+    title: "Ensure private key permissions are restricted"
+    description: "The server's private key should be protected from unauthorized access by limiting access based on the principle of least privilege."
+    rationale: "A server's private key file should be restricted to 400 permissions. This ensures only the owner of the private key file can access it. This is the minimum necessary permissions for the server to operate. If the private key file is not protected, an unauthorized user with access to the server may be able to find the private key file and use it to decrypt traffic sent to your server."
+    remediation: "Run the following command on your key file to ensure its permissions are set to 400. The file name /etc/nginx/nginx.key should be replaced with the location of your key file. 'sudo chmod 400 /etc/nginx/nginx.key'"
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - "f:/etc/nginx/nginx.key"
+      - 'c:ls -l /etc/nginx/nginx.key -> r:^-r--------\.+'
+
+  # 4.1.4 Ensure only modern TLS protocols are used (Scored)
+  - id: 23027
+    title: "Ensure only modern TLS protocols are used"
+    description: "Only modern TLS protocols should be enabled in NGINX for all client connections and upstream connections. Removing legacy TLS and SSL protocols (SSL 3.0, TLS 1.0 and 1.1), and enabling emerging and stable TLS protocols (TLS 1.2), ensures users are able to take advantage of strong security capabilities and protects them from insecure legacy protocols."
+    rationale: "Why disable SSL 3.0: The POODLE Vulnerability allowed attackers to exploit SSL 3.0 to obtain cleartext information by exploiting weaknesses in CBC in 2014. SSL 3.0 is also no longer FIPS 140-2 compliant. Why disable TLS 1.0: TLS 1.0 was deprecated from use when PCI DSS Compliance mandated that it not be used for any applications processing credit card numbers in June 2018. TLS 1.0 does not make use of modern protections, and almost all user agents that do not support TLS 1.2 or higher are no longer supported by their vendor. Why disable TLS 1.1: Because of the increased security associated with higher versions of TLS, TLS 1.0 should be disabled. Modern browsers will begin to flag TLS 1.1 as deprecated in early 2019. Why enable TLS 1.2: TLS 1.2 takes advantage of several security features including modern cipher suites, perfect forward security, and authenticated encryption."
+    remediation: 'Run the following commands to change your ssl_protocols if they are already configured. This remediation advice assumes your nginx configuration file does not include server configuration outside of /etc/nginx/nginx.conf. You may have to also inspect the include files in your nginx.conf to ensure this is properly implemented. Web Server: ''sed -i "s/ssl_protocols[^;]*;/ssl_protocols TLSv1.2;/" /etc/nginx/nginx.conf''. Proxy. ''sed -i "s/proxy_ssl_protocols[^;]*;/proxy_ssl_protocols TLSv1.2;/" /etc/nginx/nginx.conf''. If your ssl_protocols are not already configured, this can be accomplished manually by opening your web server or proxy server configuration file and manually adding the directives. Web Server. ''server {ssl_protocols TLSv1.2;}''. Proxy. ''location / {proxy_pass cisecurity.org;proxy_ssl_protocols TLSv1.2;}'''
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
+      - https://www.cloudflare.com/learning-resources/tls-1-3/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*ssl_protocols\s+\.+'
+
+  #  4.1.5 Disable weak ciphers (Scored)
+  - id: 23028
+    title: "Disable weak ciphers"
+    description: "The ssl_ciphers directive should be used to configure the available ciphers on your web server, and the proxy_ssl_ciphers directive should be used to configure the available ciphers for your proxy. Weak ciphers should be disabled based on your company's policy or an industry best practice compliance profile. The ssl_prefer_server_ciphers should be used to ensure the user agent respects the server's preferred cipher order and does not set its own. If you are using a proxy or load balancer, you should use the proxy_ssl_ciphers directive to ensure your upstream connections are negotiated using secure ciphers."
+    rationale: "The use of strong ciphers is critical to maintaining strong encryption on your web server, load balancer, or proxy. Weak ciphers may compromise the security of your site or your users by allowing legacy user agents to connect to your site in a vulnerable way. You may also meet compliance concerns by ensuring that your upstream connections meet the same level of security if using a proxy or load balancer. The server should enforce the cipher preference on the server side to protect users from malicious actors on the client side."
+    remediation: "The following procedures may be used to implement industry standard cipher profiles if you have an existing profile defined. These profiles may be modified to meet the requirements defined in your company's policy. This procedure assumes that all server blocks will be in /etc/nginx/nginx.conf and not inside any included files in the configuration. Set the ssl_cipher directive as part of your server block, and set the proxy_ssl_ciphers directive as part of the location block for your upstream server."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.1", "14.4"]
+    references:
+      - CIS Apache HTTP Server Benchmark
+      - https://ssllabs.com
+      - https://mozilla.github.io/server-side-tls/ssl-config-generator/
+      - http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+      - https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
+      - https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
+      - https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/
+    condition: all
+    rules:
+      - 'c:grep -ir "ssl_prefer_server_ciphers on;" /etc/nginx/ -> r:\.+'
+
+  # 4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)
+  - id: 23029
+    title: "Ensure custom Diffie-Hellman parameters are used"
+    description: "Custom Diffie-Hellman (DH) key exchange parameters should be used. DH Ephemeral (DHE) parameters with at least 2048 bits should be generated."
+    rationale: "Backward-compatible Perfect Forward Secrecy (PFS) ciphers (e.g. DHE-RSA-AES128-SHA256) should use strong and unique parameters. By default, NGINX will generate 1024-bit RSA keys for PFS ciphers; stronger alternatives should be used instead to provide betterprotection for data protected by encryption."
+    remediation: "Generate strong DHE (Ephemeral Diffie-Hellman) parameters using the following commands: 'mkdir /etc/nginx/ssl'. 'openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048'. 'chmod 400 /etc/nginx/ssl/dhparam.pem'. Alter the server configuration to use the new parameters: 'http {server {ssl_dhparam /etc/nginx/ssl/dhparam.pem;}}"
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["14.2"]
+    references:
+      - https://weakdh.org/sysadmin.html
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:\s*ssl_dhparam\s+\.+.'
+
+  # 4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Scored)
+  - id: 23030
+    title: "Ensure Online Certificate Status Protocol (OCSP) stapling is enabled"
+    description: "OCSP allows a user's browser or another user agent to verify the certificate it is seeing is not revoked. OCSP stapling ensures your server presents this information to the user's browser in a way that best meets the performance and security needs of your website. It polls the Certificate Authority's (CA) OCSP server at regular intervals to ensure it is continuously kept up to date. OCSP stapling helps improve performance and security, so it should be enabled."
+    rationale: "OCSP stapling protects your users from accessing a website where a private key is believed to be compromised. If a private key is compromised, an attacker may be able to obtain unauthorized access to the encrypted data transmitted by a user. Note: OCSP stapling, while a step forward from the older certificate revocation list model, does share similar risks. Between the time a certificate is revoked and the point where a new signed OCSP profile is requested, if a server's certificate has been revoked a user agent may not be informed."
+    remediation: 'Follow this procedure to enable OCSP validation. Step 1: Ensure your NGINX server has access to your CA''s OCSP server. Your CA''s OCSP server may be found on your CA''s website and will vary depending on your CA vendor. Issue the following command in order to check your connectivity to their site. ''curl -I "insert certificate authority ocsp server here"''. If you get a 200 code response, your server has access. Step 2. Enable OCSP on nginx. Implement the ssl_stapling and ssl_stapling_verify directives. The directive ssl_stapling enables OCSP stapling, and the directive ssl_stapling_verify enables verification of the OCSP responses on nginx. ''server {ssl_stapling on;ssl_stapling_verify on;}'''
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*ssl_stapling\s+on'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*ssl_stapling_verify\s+on'
+
+  # 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)
+  - id: 23031
+    title: "Ensure HTTP Strict Transport Security (HSTS) is enabled"
+    description: "HTTP Strict Transport Security (HSTS) headers instruct a user agent on how to communicate with a web server. HSTS headers ensure the strict transport security policies built into browsers and other user agents are informed only to communicate over HTTPS. HSTS with long validity periods should be used to most effectively secure your user population. Strict-Transport-Security should have a long max-age, which is recommended to be at least six months in length. This ensures the browser remembers your website should only be accessible via HTTPS for this amount of time."
+    rationale: "HSTS headers help protect a server's users from accessing the server over unencrypted protocols. This header helps to prevent HTTP downgrade attacks."
+    remediation: 'Ensure the below snippet of code can be found in your server configuration for your proxy or web server. This will ensure the HSTS header is set with a validity period of six months, or 15768000 seconds. ''server {add_header Strict-Transport-Security "max-age=15768000;";}'''
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.1", "14.4"]
+    references:
+      - https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
+      - https://mozilla.github.io/server-side-tls/ssl-config-generator/
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-TransportSecurity#Preloading_Strict_Transport_Security
+      - https://hstspreload.org
+      - https://tools.ietf.org/html/rfc6797
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+Strict-Transport-Security\s+"max-age=15768000;"'
+
+  # 4.1.9 Ensure HTTP Public Key Pinning is enabled (Not Scored)
+  - id: 23032
+    title: "Ensure HTTP Public Key Pinning is enabled"
+    description: "HTTP Public Key Pinning, also known as certificate pinning, allows a site to specify exactly which certificates the browser or another user agent should accept. HTTP Public Key Pinning allows for the certificate rotation to be scheduled using backup fingerprints to ensure that user agent has both certificates stored. HTTP Public Key Pinning should be enabled."
+    rationale: "HTTP Public Key Pinning assists in preventing a user agent from falling victim to a forged certificate, such as man in the middle attacks."
+    remediation: 'Find the fingerprint of your certificate by referencing the fingerprint section of your certificate details. Take down the SHA256 fingerprint in this section as well as that of a backup certificate or the next scheduled certificate for the website. Insert your SHA256 fingerprint along with the below header to your server configuration: ''add_header Public-Key-Pins ''pinsha256="base64+primary==InsertPrimaryCertificateSHA256FingerPrintHere"; pinsha256="base64+backup==InsertBackupCertificateSHA256FingerPrintHere"; maxage=5184000;'''
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+Public-Key-Pins\s+\.+'
+
+  # 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored)
+  - id: 23033
+    title: "Ensure upstream server traffic is authenticated with a client certificate"
+    description: "Client certificate validation allows the upstream server to authenticate the identity of the client connecting to it. This assists in the establishment of mutual authentication between the client and the server."
+    rationale: "Using client certificate validation allows you to establish a trusted proxy server."
+    remediation: "In order to implement this recommendation, you must create a client certificate to be authenticated against and have it signed. Once you have a signed certificate, place the certificate in a location of your choice. In the below example, we use /etc/nginx/ssl/cert.pem. Implement the configuration as part of the location block: 'proxy_ssl_certificate /etc/nginx/ssl/nginx.pem; proxy_ssl_certificate_key /etc/nginx/ssl/nginx.key;'"
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["1.6"]
+    references:
+      - https://docs.nginx.com/nginx/admin-guide/security-controls/securing-httptraffic-upstream/
+      - http://www.staticshin.com/programming/proxy-ssl-cert-in-nginx.html
+      - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_ssl_certificate\s+\.+'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_ssl_certificate_key\s+\.+'
+
+  # 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored)
+  - id: 23034
+    title: "Ensure the upstream traffic server certificate is trusted"
+    description: "The NGINX server should be configured to validate the identity of the upstream server it is sending information to."
+    rationale: "Configuring NGINX to validate the identity of the upstream server helps mitigate the risk of a man in the middle attack occurring against your server."
+    remediation: "Obtain the full certificate chain of the upstream server in .pem format. Then reference that file in the location block as part of the proxy_ssl_trusted_certificate directive. Implement the proxy_ssl_trusted_certificate and proxy_ssl_verify directives as shown below as part of the location block you are using to send traffic to your upstream server. 'proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt; proxy_ssl_verify on;'"
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://docs.nginx.com/nginx/admin-guide/security-controls/securing-httptraffic-upstream/
+      - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_ssl_trusted_certificate\s+\.+'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*proxy_ssl_verify\s+on'
+
+  # 4.1.12 Ensure your domain is preloaded (Not Scored) - Not automatable
+
+  # 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)
+  - id: 23035
+    title: "Ensure session resumption is disabled to enable perfect forward security"
+    description: "Session resumption for HTTPS sessions should be disabled so perfect forward secrecy can be achieved."
+    rationale: "Perfect forward secrecy is an encryption mechanism that enables past session keys to not be compromised even if the server's private key is compromised. If an attacker recorded all traffic to a server and stored it and then obtained the private key without perfect forward secrecy, all communications would be compromised. With perfect forward secrecy, session keys are generated using Diffie-Hellman for every session a user initiates, which isolates session compromise to only that communication session. Allowing session resumption breaks perfect forward secrecy; this expands the surface area for an attacker to compromise past sessions and communications with a server if they are able to compromise the session."
+    remediation: "Turn off the ssl_session_tickets directive as part of any server block in your nginx configuration. 'ssl_session_tickets off;'"
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.imperialviolet.org/2013/06/27/botchingpfs.html
+      - https://scotthelme.co.uk/perfect-forward-secrecy/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf ->r:^\s*ssl_session_tickets\s+off'
+
+  # 4.1.14 Ensure HTTP/2.0 is used (Not Scored)
+  - id: 23036
+    title: "Ensure HTTP/2.0 is used"
+    description: "HTTP/2.0 is an optimized and more secure version of the HTTP protocol. It should be enabled so users can take advantage of it. Note: Legacy user agents may not be able to connect to a server using HTTP/2.0."
+    rationale: "HTTP/2.0 introduces both performance benefits through full multiplexing and several security benefits. HTTP/2.0 has improved cipher suite requirements and blacklists. It also disables session renegotiation and TLS compression. This helps protect against vulnerabilities like CRIME and ensures we have stronger encryption."
+    remediation: "Open the nginx server configuration file and configure all listening ports with http2, similar to that of this example:"
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://mozilla.github.io/server-side-tls/ssl-config-generator/
+      - http://http2.github.io/http2-spec/
+    condition: all
+    rules:
+      - 'c:grep -ir http2 /etc/nginx -> r:^\.+listen\s+\.+http2\.*;'
+
+  ############################################################
+  # 5 Request Filtering and Restrictions
+  ############################################################
+
+  # 5.1 Access Control
+
+  # 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)
+  - id: 23037
+    title: "Ensure allow and deny filters limit access to specific IP addresses"
+    description: "IP-based restrictions act as a defense in depth mechanism. They allow you to whitelist legitimate paths to your applications and explicitly deny IP addresses you believe to be malicious."
+    rationale: "IP restrictions help you to only allow traffic based on the concept of least privilege. You may specify vlans, countries, or specific servers that may be allowed or denied on your site. It is recommended that you implicitly deny all traffic and only allow those with a legitimate use case to access your website if choosing to take this approach. This allows you to limit the surface area an attack may come from."
+    remediation: "Compile a list of network ranges or IP addresses you would want to access your web server or proxy. Then add these ranges with the allow directive. The deny directive should be included with all IP addresses implicitly denied. 'location / {allow 10.1.1.1;deny all;}'"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["5.1", "9.5"]
+    references:
+      - https://help.dreamhost.com/hc/en-us/articles/222784068-The-most-importantsteps-to-take-to-make-an-nginx-server-more-secure
+      - http://nginx.org/en/docs/http/ngx_http_access_module.html
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*allow\s+\.+;'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*deny\s+all\s*;'
+
+  # 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored)
+  # Not automatable
+
+  # 5.2 Request Limits
+
+  # 5.2.1 Ensure timeout values for reading the client header and body are set correctly (Scored)
+  - id: 23038
+    title: "Ensure timeout values for reading the client header and body are set correctly"
+    description: "The client_header_timeout and client_body_timeout directives define the time the server will wait for the header or body to be sent from the client. If the client does not send the entire header in this predefined timeframe, the server will send back a 408 request timeout error."
+    rationale: "Setting the client header and body timeouts help your server mitigate possible denial of service attacks. By timing out a request, the server is able to free up resources that may be waiting for the body or header."
+    remediation: "Find the HTTP or server block of your nginx configuration and add the client_header_timeout and client_body_timeout directives set to the configuration. The below example sets the timeouts to 10 seconds. 'client_body_timeout 10; client_header_timeout 10;'"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.owasp.org/index.php/SCG_WS_nginx
+      - https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slowhttp-attacks
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*client_body_timeout\s+10\s*;'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*client_header_timeout\s+10\s*;'
+
+  # 5.2.2 Ensure the maximum request body size is set correctly (Scored)
+  - id: 23039
+    title: "Ensure the maximum request body size is set correctly"
+    description: "The client_max_body_size directive sets the size of the request body that is allowed to read a client request. This defines the number of bytes allowed in a request and is equivalent to the Content-Length request header field."
+    rationale: "Limiting the size of the request body helps prevent unexpectedly long or large client requests from being passed to an application to perform buffer overflow attacks. This value should be set low enough to protect the application but high enough not to interfere with functionality and block legitimate request bodies."
+    remediation: "Find the HTTP or server block of your nginx configuration and add the client_max_body_size set to 100K in this block. The appropriate value may be different based on your application's needs. 'client_max_body_size 100K'"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
+      - http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+      - https://www.acunetix.com/blog/articles/nginx-server-security-hardeningconfiguration-1/
+      - https://www.tecmint.com/nginx-web-server-security-hardening-and-performancetips/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*client_max_body_size\s+100K'
+
+  # 5.2.3 Ensure the maximum buffer size for URIs is defined (Scored)
+  - id: 23040
+    title: "Ensure the maximum buffer size for URIs is defined"
+    description: "The large_client_header_buffers directive defines the number and size of buffers used within the URI. A request cannot exceed the size of this buffer when this directive is configured. The large_client_header_buffers directive should be set to restrict buffer usage. The number of buffers should generally set to two and the length be set to 1K; however, this may not be a good fit for your application and may need to be set differently."
+    rationale: "The large_client_header_buffers directive may assist in preventing buffer overflow attacks that leverage long URI query parameters."
+    remediation: "Open your nginx.conf file and locate your server or HTTP blocks. This may be added to the HTTP block for all configurations or the server block for more specific configurations to meet your needs. Add the below line to implement this recommendation: 'large_client_header_buffers 2 1k'"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
+      - https://www.owasp.org/index.php/Denial_of_Service_Cheat_Sheet
+      - http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*large_client_header_buffers\s+2\s+1k'
+
+  # 5.2.4 Ensure the number of connections per IP address is limited (Not Scored)
+  - id: 23041
+    title: "Ensure the number of connections per IP address is limited"
+    description: "The maximum number of simultaneous connections allowed from a single IP address to your server should be limited. It should be set to a value that meets your organizational policies."
+    rationale: "Limiting the number of simultaneous connections is an effective way to prevent slow denial of service attacks that try to use as many server resources as possible. This can also help prevent brute force attacks on a login page."
+    remediation: "Implement the below directives under the HTTP and server blocks of your nginx configuration or any include files. The below configuration creates a memory zone of 10 megabytes called limitperip. It will limit the number of connections per IP address to 10 simultaneous connections. The number of simultaneous connections to allow may be different depending on your organization's policies and use cases. 'http {limit_conn_zone $binary_remote_addr zone=limitperip:10m;server {limit_conn limitperip 10;}}'"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.nginx.com/resources/library/complete-nginx-cookbook/
+      - http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
+      - https://scotthelme.co.uk/mitigating-http-get-dos-attack/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*limit_conn_zone\s+\.*zone=limitperip:10m'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*limit_conn\s+\.*limitperip\s+10\s*'
+
+  # 5.2.5 Ensure rate limits by IP address are set (Not Scored)
+  - id: 23042
+    title: "Ensure rate limits by IP address are set"
+    description: "Rate limiting should be enabled to limit the number of requests an IP address may make to a server in a given period of time. The configuration values should be set based on your application's needs and your organizational policy."
+    rationale: "Rate limiting allows you to mitigate potential denial of service attacks as a defense in depth mechanism."
+    remediation: 'Implement the below directives under the HTTP and server blocks of your nginx configuration or any include files. The below configuration creates a memory zone of 10 megabytes called "ratelimit" and sets the number of requests per second that can be sent by any given IP address to 5. Further, this configuration sets a burst of 10 to ensure that requests may come more frequently and sets no delay to ensure that the bursting may be all at once and not queued. ''http {limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/s;server {location / {limit_req zone=ratelimit burst=10 nodelay;}}}'''
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://scotthelme.co.uk/mitigating-http-get-dos-attack/
+      - https://www.nginx.com/blog/rate-limiting-nginx/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*limit_req_zone\s+\.*zone=\.+:10m\s+rate=5r/s'
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*limit_req\s+\.*zone=\.+\s+burst=10\s+nodelay'
+
+  # 5.3 Browser Security
+
+  # 5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)
+  - id: 23043
+    title: "Ensure X-Frame-Options header is configured and enabled"
+    description: "The X-Frame-Options header should be set to allow specific websites or no sites at all to embed your website as an object within their own, depending on your organizational policy and application needs."
+    rationale: "The X-Frame-Options header allows you to mitigate the risk of clickjacking attacks."
+    remediation: 'Add the below to your server blocks in your nginx configuration. The policy should be configured to meet your organization''s needs. ''add_header X-Frame-Options "SAMEORIGIN";'''
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+      - https://scotthelme.co.uk/hardening-your-http-response-headers/
+      - https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
+      - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+X-Frame-Options\s+\.+;'
+
+  # 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored)
+  - id: 23044
+    title: "Ensure X-Content-Type-Options header is configured and enabled"
+    description: "The X-Content-Type-Options header should be used to force supported user agents to check an HTTP response's content type header with what is expected from the destination of the request."
+    rationale: 'Implementing the X-Content-Type-Options header with the "nosniff" directive helps to prevent drive-by download attacks where a user agent is sniffing content types in responses.'
+    remediation: 'Open the nginx configuration file that contains your server blocks. Add the below line into your server block to add X-Content-Type-Options header and direct your user agent to not sniff content types. ''add_header X-Content-Type-Options "nosniff";'''
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://scotthelme.co.uk/hardening-your-http-response-headers/
+      - https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
+      - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
+      - https://fetch.spec.whatwg.org/#x-content-type-options-header
+      - https://www.iana.org/assignments/message-headers/messageheaders.xml#perm-headers
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+X-Content-Type-Options\s+"nosniff"'
+
+  # 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)
+  - id: 23045
+    title: "Ensure the X-XSS-Protection Header is enabled and configured properly"
+    description: "The X-Xss-Protection Header allows you to leverage browser-based protections against cross-site scripting. This should be implemented on your web servers to protect your users and increase user trust in your site. Your policy should be set in blocking mode when possible to ensure the browser blocks a page if cross-site scripting is detected."
+    rationale: "X-Xss-Protection allows you to protect users whose browsers do not support Content Security Policy (generally older browsers), or protect users if you do not have a Content Security Policy."
+    remediation: 'Open your nginx configuration file that contains your server blocks. Add the below line into your server block to add Content-Security-Policy and direct your user agent to block reflected cross-site scripting. ''add_header X-Xss-Protection "1; mode=block";'''
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
+      - https://scotthelme.co.uk/hardening-your-http-response-headers/
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+X-Xss-Protection\s+"1;\s+mode=block"'
+
+  # 5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored)
+  - id: 23046
+    title: "Ensure that Content Security Policy (CSP) is enabled and configured properly"
+    description: "Content Security Policy allows administrators to specify the locations from which allowable scripts may be executed, or if scripts may be executed at all. Content Security Policy should be used to improve user trust of your website."
+    rationale: "Content Security Policies assist organizations in mitigating and reporting cross-site scripting (XSS) attacks."
+    remediation: 'Open your nginx configuration file that contains your server blocks. Add the below line into your server block to add Content-Security-Policy and direct your user agent to accept documents from only specific origins. ''add_header Content-Security-Policy "default-src ''self''";'''
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://scotthelme.co.uk/hardening-your-http-response-headers/
+      - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
+      - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+      - https://www.w3.org/TR/CSP3/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+Content-Security-Policy\s+"default-src\s+\pself\p"'
+
+  # 5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)
+  - id: 23047
+    title: "Ensure the Referrer Policy is enabled and configured properly"
+    description: "When an origin site directs a user to another site, a referrer is sent that identifies the URL the user came from. Depending on your site's specific use, this may present a privacy concern to your users. The Referrer Policy enables organizations to define what sites should see that a referral came from your site, which helps protect user privacy."
+    rationale: "A Referrer header may expose sensitive data in another web server's log if you use sensitive data in your URL parameters, such as personal information, username, and password or persistent sessions. Ultimately, depending on your application design, not using a properly configured Referrer Policy may allow session hijacking, credential gathering, or sensitive data exposure in a third party's logs."
+    remediation: 'Add the below line to the server blocks within your nginx configuration. The policy should be customized for your specific organization''s needs. The below policy will ensure your website is never allowed in a referrer. ''add_header Referrer-Policy "no-referrer";'''
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+      - https://www.w3.org/TR/referrer-policy/
+    condition: all
+    rules:
+      - 'f:/etc/nginx/nginx.conf -> r:^\s*add_header\s+Referrer-Policy\s+"no-referrer"'
diff --git a/etc/ruleset/sca/ol/9/cis_oracle_linux_9.yml b/etc/ruleset/sca/ol/9/cis_oracle_linux_9.yml
new file mode 100644
index 0000000000..81144d2251
--- /dev/null
+++ b/etc/ruleset/sca/ol/9/cis_oracle_linux_9.yml
@@ -0,0 +1,4478 @@
+# Security Configuration Assessment
+# Center for Internet Security Checks for Oracle Linux 9.
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software Foundation
+#
+#
+# Based on:
+# Center for Internet Security Oracle Linux 9 Benchmark v1.0.0 - 12-13-2022
+
+policy:
+  id: "cis_oracle_linux_9"
+  file: "cis_oracle_linux_9.yml"
+  name: "Center for Internet Security Oracle Linux 9 Benchmark v1.0.0."
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Oracle Linux 9 systems running on x86 and x64 platforms. This document was tested against Oracle Linux 9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Oracle Linux 9 family platform."
+  description: "Requirements for running the policy against Oracle Linux 9 family."
+  condition: all
+  rules:
+    - 'f:/etc/oracle-release -> r:^Oracle Linux && r:release\s*9'
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  ####################################
+  # 1 Initial Setup
+  ####################################
+  # 1.1 Filesystem Configuration
+  ####################################
+  # 1.1.1 Disable unused filesystems
+  ####################################
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled. (Automated) - Not Implemented
+  ####################################
+  # 1.1.2 Configure /tmp
+  ####################################
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 33500 
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 33501 
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 33502 
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 33503 
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ####################################
+  # 1.1.3 Configure /var
+  ####################################
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 33504 
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 33505 
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+  - id: 33506 
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nosuid"
+
+  ####################################
+  # 1.1.4 Configure /var/tmp
+  ####################################
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 33507 
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 33508 
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 33509 
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 33510 
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  ####################################
+  # 1.1.5 Configure /var/log
+  ####################################
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 33511 
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_techniques: ["T0005", "T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 33512 
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 33513 
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 33514 
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  ####################################
+  # 1.1.6 Configure /var/log/audit
+  ####################################
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 33515 
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 33516 
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 33517 
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 33518 
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  ####################################
+  # 1.1.7 Configure /home
+  ####################################
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 33519 
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 33520 
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 33521 
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  ####################################
+  # 1.1.8 Configure /dev/shm
+  ####################################
+  # 1.1.8.1 Ensure /dev/shm is a separate partition. (Automated)
+  - id: 33522 
+    title: "Ensure /dev/shm is a separate partition."
+    description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
+    rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
+    impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /dev/shm defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 tmpfs."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+
+  # 1.1.8.2 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 33523 
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.8.3 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 33524 
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.4 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 33525 
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.9 Disable USB Storage. (Automated) - Not Implemented
+  ####################################
+  #1.2 Configure Software Updates
+  ####################################
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 33526 
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "f:/etc/dnf/dnf.conf -> r:gpgcheck=1"
+      - 'd:/etc/yum.repos.d/ -> r:\. -> n:gpgcheck=(\d+) compare = 1'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  # 1.2.4 Ensure repo_gpgcheck is globally activated. (Manual)
+  - id: 33527 
+    title: "Ensure repo_gpgcheck is globally activated."
+    description: "The repo_gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, will perform a GPG signature check on the repodata."
+    rationale: "It is important to ensure that the repository data signature is always checked prior to installation to ensure that the software is not tampered with in any way."
+    impact: "Not all repositories, notably RedHat, support repo_gpgcheck. Take care to set this value to false (default) for particular repositories that do not support it. If enabled on repositories that do not support repo_gpgcheck installation of packages will fail. Research is required by the user to determine which repositories is configured on the local system and, from that list, which support repo_gpgcheck."
+    remediation: "Global configuration Edit /etc/dnf/dnf.conf and set repo_gpgcheck=1 in the [main] section. Example: [main] repo_gpgcheck=1 Per repository configuration First check that the particular repository support GPG checking on the repodata. Edit any failing files in /etc/yum.repos.d/* and set all instances starting with repo_gpgcheck to 1."
+    compliance:
+      - cis: ["1.2.4"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "f:/etc/dnf/dnf.conf -> r:repo_gpgcheck=1"
+
+ ######################################
+ # 1.3 Filesystem Integrity Checking
+ ######################################
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 33528 
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1565", "T1565.001"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 33529 
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1036", "T1036.005"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - 'c:systemctl status aidecheck.timer -> r:active\s*\t*\(running\)'
+
+  # 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+  - id: 33530 
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: "Add or update the following selection lines for to a file ending in .conf in the /etc/aide.conf.d/ directory or to /etc/aide.conf to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512."
+    compliance:
+      - cis: ["1.3.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+    condition: all
+    rules:
+      - 'f:/etc/aide.conf -> r:p+i+n+u+g+s+b+acl+xattrs+sha512'
+      - 'd:/etc/aide.conf.d/ -> r:\.*.conf -> r:p+i+n+u+g+s+b+acl+xattrs+sha512'
+
+ #############################
+ # 1.4 Secure Boot Settings
+ #############################
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 33531 
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password>."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1046"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - f:/boot/grub2/user.cfg
+      - f:/boot/grub2/user.cfg -> r:^\s*GRUB2_PASSWORD=grub.pbkdf2.sha512'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 33532 
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %#a %u %U %g %G" /boot/grub2/grub.cfg -> r:0\d00\s+0\s+root\s+0\s+root'
+      - 'c:stat -Lc "%n %#a %u %U %g %G" /boot/grub2/grubenv -> r:0400\s|0600\s && r:0\s+root\s+0\s+root'
+      - 'c:stat -Lc "%n %#a %u %U %g %G" /boot/grub2/user.cfg -> r:0400\s|0600\s && r:0\s+root\s+0\s+root'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 33533 
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 33534 
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+      - nist_sp_800-53: ["CM-6b"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+  ###############################################
+  # 1.6 Mandatory Access Control
+  ###############################################
+  ###############################################
+  # 1.6.1 Configure SELinux
+  ###############################################
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 33535 
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 33536 
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove the selinux=0 and enforcing=0 parameters: grubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi)\"."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 33537 
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 33538 
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 33539 
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 33540 
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 33541 
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q setroubleshoot -> r:package setroubleshoot is not installed"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 33542 
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q mcstrans -> r:package mcstrans is not installed"
+
+  ###############################################
+  # 1.7 Command Line Warning Banners
+  ###############################################
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 33543 
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|ol'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 33544 
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|ol'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 33545 
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|ol'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 33546 
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 33547 
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 33548 
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 1.8 GNOME Display Manager
+  ###############################################
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Automated)
+  - id: 33549 
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:rpm -q gdm -> r:package gdm is not installed'
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated) - Not Implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled. (Automated) - Not Implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle. (Automated) - Not Implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden. (Automated) - Not Implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled. (Automated) - Not Implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden. (Automated) - Not Implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled. (Automated) - Not Implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden. (Automated) - Not Implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled. (Automated)
+  - id: 33550 
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 33551 
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update Once the update process is complete, verify if reboot is required to load changes. dnf needs-restarting -r."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_mitigations: ["M1051"]
+      - mitre_tactics: ["TA0004", "TA0008"]
+      - mitre_techniques: ["T1211"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:dnf check-update -> r:Updating|Last metadata'
+      - 'c:dnf needs-restarting -r -> r:Reboot should not be necessary'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 33552 
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  ###############################################
+  # 2 Services
+  ###############################################
+  ###############################################
+  # 2.1 Time Synchronization
+  ###############################################
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 33553 
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 33554 
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  ###############################################
+  # 2.2 Special Purpose Services
+  ###############################################
+  # 2.2.1 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 33555 
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 33556 
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 33557 
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 33558 
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.5 Ensure DNS Server is not installed. (Automated)
+  - id: 33559 
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.6 Ensure VSFTP Server is not installed. (Automated)
+  - id: 33560 
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.7 Ensure TFTP Server is not installed. (Automated)
+  - id: 33561 
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    impact: "TFTP is often used to provide files for network booting such as for PXE based installation of servers."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.8 Ensure a web server is not installed. (Automated)
+  - id: 33562 
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.9 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 33563 
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.10 Ensure Samba is not installed. (Automated)
+  - id: 33564 
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.11 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 33565 
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.12 Ensure net-snmp is not installed. (Automated)
+  - id: 33566 
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.13 Ensure telnet-server is not installed. (Automated)
+  - id: 33567 
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.14 Ensure dnsmasq is not installed. (Automated)
+  - id: 33568 
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # dnf remove dnsmasq."
+    compliance:
+      - cis: ["2.2.14"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+    condition: all
+    rules:
+      - "c:rpm -q dnsmasq -> r:^package dnsmasq is not installed"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 33569 
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\.*:25\s && !r:127.0.0.1:25\s+|::1]:25\s+'
+
+  # 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 33570 
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-utils package is required as a dependency, the nfs-server service should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-utils package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 33571 
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1498", "T1498.002", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"
+
+  # 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked. (Automated)
+  - id: 33572 
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync-daemon package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync-daemon package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+  # 2.3.1 Ensure telnet client is not installed. (Automated)
+  - id: 33573 
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.2 Ensure LDAP client is not installed. (Automated)
+  - id: 33574 
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.3 Ensure TFTP client is not installed. (Automated)
+  - id: 33575 
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.3.4 Ensure FTP client is not installed. (Automated)
+  - id: 33576 
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.4 Ensure nonessential services listening on the system are removed or masked. (Manual) - Not Implemented
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Disable unused network protocols and devices
+  ###############################################
+  # 3.1.1 Ensure IPv6 status is identified. (Manual) - Not Implemented
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+  # 3.1.3 Ensure TIPC is disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.2 Network Parameters (Host Only)
+  ###############################################
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+  ###############################################
+  # 3.4 Configure Host Based Firewall
+  ###############################################
+  ###############################################
+  # 3.4.1 Configure a firewall utility
+  ###############################################
+
+  # 3.4.1.1 Ensure nftables is installed. (Automated)
+  - id: 33577 
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.1.2 Ensure a single firewall configuration utility is in use. (Automated) - Not Implemented
+  ###############################################
+  # 3.4.2 Configure firewall rules
+  ###############################################
+
+  # 3.4.2.1 Ensure firewalld default zone is set. (Automated)  - Not Implemented
+
+  # 3.4.2.2 Ensure at least one nftables table exists. (Automated)
+  - id: 33578 
+    title: "Ensure at least one nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "Without a table, nftables will not filter network traffic."
+    impact: "Adding or modifying firewall rules can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example if FirewallD is not in use on the system: # nft create table inet filter Note: FirewallD uses the table inet firewalld NFTables table that is created when FirewallD is installed."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.2.3 Ensure nftables base chains exist. (Automated)
+  - id: 33579 
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:filter hook input"
+      - "c:nft list ruleset -> r:filter hook forward"
+      - "c:nft list ruleset -> r:filter hook output"
+
+  # 3.4.2.4 Ensure host based firewall loopback traffic is configured. (Automated) - Not Implemented
+  # 3.4.2.5 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+  # 3.4.2.6 Ensure nftables established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.7 Ensure nftables default deny firewall policy. (Automated)
+  - id: 33580 
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "If NFTables utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables.service -> r:enabled"
+      - "not c:nft list ruleset -> r:hook input && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook forward && !r:policy drop"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 33581 
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 33582 
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to update the grub2 configuration with audit=1: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.3 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 33583 
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:audit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.1.4 Ensure auditd service is enabled. (Automated)
+  - id: 33584 
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 33585 
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 33586 
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 33587 
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shut down the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  #############################################
+  # 4.1.3 Configure auditd rules
+  #############################################
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 33588 
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 33589 
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 33590 
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: 'Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in.rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf " -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change " >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change.'
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 33591 
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/networks/ && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 33592 
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 33593 
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-mounts.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1034"]
+      - mitre_tactics: ["TA0010"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 33594 
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 33595 
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 33596 
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 33597 
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/apparmor && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-w && r:/etc/apparmor.d && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor.d && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 33598 
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 33599 
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 33600 
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 33601 
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 33602 
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 33603 
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2\" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-e 2"
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-e 2'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 33604 
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:No change$"
+
+ ########################################
+ # 4.1.4 Configure auditd file access
+ ########################################
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive. (Automated) - Not Implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files. (Automated) - Not Implemented
+
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files. (Automated)
+  - id: 33605 
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file\\s*=\\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*log_group\s*\t*=\s*\t*adm|^\s*\t*log_group\s*\t*=\s*\t*root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive. (Automated) - Not Implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive. (Automated)
+  - id: 33606 
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.rules" -> r:^/etc/audit && !r:640|600|400'
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.conf" -> r:^/etc/audit && !r:640|600|400'
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root. (Automated)
+  - id: 33607 
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root. (Automated)
+  - id: 33608 
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive. (Automated)
+  - id: 33609 
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.9 Ensure audit tools are owned by root. (Automated)
+  - id: 33610 
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.10 Ensure audit tools belong to group root. (Automated)
+  - id: 33611 
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 33612 
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 33613 
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1211", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 33614 
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog=yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 33615 
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has its own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual)
+  - id: 33616 
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 33617 
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. New format module(load="imtcp") input(type="imtcp" port="514") -OR- Old format $ModLoad imtcp $InputTCPServerRun Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:^\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+
+  ###############################################
+  # 4.2.2 Configure journald
+  ###############################################
+  # 4.2.2.1 Ensure journald is configured to send logs to a remote log host
+  ###############################################
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 33618 
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 33619 
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 33620 
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 33621 
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 33622 
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress\s*=\s*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 33623 
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 33624 
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  # 5.1 Configure time-based job schedulers
+  ###############################################
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 33625 
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 33626 
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to this file could provide unprivileged users with the ability to elevate their privileges. Read access to this file could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 33627 
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 33628 
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 33629 
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 33630 
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 33631 
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated) - Not Implemented
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated) - Not Implemented
+  ###############################################
+  # 5.2 Configure SSH Server
+  ###############################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 33632 
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod u-x,go-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 33633 
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set one or more of the parameters as follows: AllowUsers <userlist> -OR- AllowGroups <grouplist> -OR- DenyUsers <userlist> -OR- DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 33634 
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LogLevel parameter as follows: LogLevel VERBOSE OR LogLevel INFO Run the following command to comment out any LogLevel parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than VERBOSE or INFO: # grep -Pi '^\\h*LogLevel\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)' | while read -r l_out; do sed -ri \"/^\\s*LogLevel\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - "f:/etc/ssh/sshd_config -> r:loglevel"
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:loglevel'
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 33635 
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd as a non-root user."
+    remediation: "Edit or create a file in the directory /etc/ssh/sshd_config.d/ ending in *.conf or the /etc/ssh/sshd_config file and set the parameter as follows: UsePAM yes Run the following command to comment out any UsePAM parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*UsePAM\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*UsePAM\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.6"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sUsePAM\s+no'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\sUsePAM\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 33636 
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitRootLogin parameter as follows: PermitRootLogin no Run the following command to comment out any PermitRootLogin parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitRootLogin\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitRootLogin\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitRootLogin\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 33637 
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the HostbasedAuthentication parameter as follows: HostbasedAuthentication no Run the following command to comment out any HostbasedAuthentication parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*HostbasedAuthentication\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*HostbasedAuthentication\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 33638 
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitEmptyPasswords parameter as follows: PermitEmptyPasswords no Run the following command to comment out any PermitEmptyPasswords parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitEmptyPasswords\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitEmptyPasswords\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitEmptyPasswords\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 33639 
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitUserEnvironment parameter as follows: PermitUserEnvironment no Run the following command to comment out any PermitUserEnvironment parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitUserEnvironment\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitUserEnvironment\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 33640 
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter as follows: IgnoreRhosts yes Run the following command to comment out any IgnoreRhosts parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*IgnoreRhosts\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*IgnoreRhosts\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.11"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\s*ignorerhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 33641 
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the X11Forwarding parameter as follows: X11Forwarding no Run the following command to comment out any X11Forwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*X11Forwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*X11Forwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1210"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*X11Forwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\s*x11forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 33642 
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the AllowTcpForwarding parameter as follows: AllowTcpForwarding no Run the following command to comment out any AllowTcpForwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*AllowTcpForwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*AllowTcpForwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 33643 
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd /etc/ssh/sshd_config.d/*.conf # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> r:^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 33644 
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the Banner parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*/\w+'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 33645 
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows: MaxAuthTries 4 Run the following command to comment out any MaxAuthTries parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 4: # grep -Pi '^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*maxauthtries\\s+([5-9]|[1-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*MaxAuthTries\s*\t*(\d+) compare =< 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 33646 
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxStartups parameter as follows: MaxStartups 10:30:60 Run the following command to comment out any MaxStartups parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10:30:60: # grep -Pi '^\\s*maxstartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0- 9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0- 9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxStartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0- 9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1- 9]|[7-9][0-9]|[1-9][0-9][0-9]+)))/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare =< 10'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare =< 30'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare =< 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 33647 
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxSessions parameter as follows: MaxSessions 10 Run the following command to comment out any MaxSessions parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10 # grep -Pi '^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.18"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare => 10'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*MaxSessions\s+(\d+) compare => 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 33648 
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60 Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LoginGraceTime parameter as follows: LoginGraceTime 60 -or- LoginGraceTime 1m Run the following command to comment out any LoginGraceTime parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting equal to 0 or greater than 60 seconds: # grep -Pi '^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read - r l_out; do sed -ri \"/^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.19"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.*.conf -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 33649 
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below are only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not, and never had, intentionally the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus may no longer be abused to disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the ClientAliveInterval and ClientAliveCountMax parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3 Edit files ending in *.conf in the /etc/ssh/sshd_config.d/ directory and the /etc/ssh/sshd_config file and remove occurrences of the ClientAliveInterval and ClientAliveCountMax parameters not in accordance with local site policy. Run the following command to comment out any ClientAliveCountMax parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include the setting of 0 \"disabled\": # grep -Pi '^\\h*ClientAliveCountMax\\h+0\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*ClientAliveCountMax\\s+0/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare > 0'
+
+  ############################################################
+  # 5.3 Configure privilege escalation
+  ############################################################
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 33650 
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:dnf list sudo -> r:sudo"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 33651 
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026", "M1038"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 33652 
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files. Creation of additional log files can cause disk space exhaustion if not correctly managed. You should configure logrotate to manage the sudo log in accordance with your local policy."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 33653 
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 33654 
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 33655 
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 33656 
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 5.4 Configure authselect
+  ###############################################
+  # 5.4.1 Ensure custom authselect profile is used. (Manual)
+  - id: 33657 
+    title: "Ensure custom authselect profile is used."
+    description: "A custom profile can be created by copying and customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be customized to follow site specific requirements. You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host."
+    rationale: "A custom profile is required to customize many of the pam options. When you deploy a profile, the profile is applied to every user logging into the given host."
+    remediation: 'Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> Example: # authselect create-profile custom-profile -b sssd --symlink-meta Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} Example: # authselect select custom/custom-profile with-sudo with-faillock without-nullok.'
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["16.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - pci_dss_v3.2.1: ["6.3.2"]
+      - pci_dss_v4.0: ["6.3.1"]
+    condition: all
+    rules:
+      - 'c:authselect list -> r:^\w*\s*custom'
+      - "f:/etc/authselect/authselect.conf -> r:custom"
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 33658 
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  ###############################################
+  # 5.5 Configure PAM
+  ###############################################
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 33659 
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more Either of the following can be used to enforce complex passwords: - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.002", "T1110.003", "T1178.001", "T1178.002", "T1178.003", "T1178.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 33660 
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be greater than 0 and no greater than 5. unlock_time should be 0 (never), or 900 seconds or greater. Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare > 0 && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:unlock_time\s*\t*=\s*\t*(\d+) compare > 0 && n:unlock_time\s*\t*=\s*\t*(\d+) compare < 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 33661 
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwhistory\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt. (Automated)
+  - id: 33662 
+    title: "Ensure password hashing algorithm is SHA-512 or yescrypt."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash { for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256|yescrypt)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' \"$file\" fi fi done authselect apply-changes } Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/libuser.conf -> r:^\s*\t*crypt_style\s*\t*=\s*\t*sha512|^\s*crypt_style\s*\t*=\s*\t*yescrypt'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD SHA512|^\s*\t*ENCRYPT_METHOD YESCRYPT'
+      - 'f:/etc/pam.d/password-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+
+  ###############################################
+  # 5.6 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.6.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 33663 
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 33664 
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs: PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\S*:\S*:(\d+):\S*:\S*:\S*:\S*:\S* compare < 1'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*::\S*:\S*:\S*:\S*:\S*'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 33665 
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 33666 
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*\t*(\d+) compare <= 30'
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 33667 
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+
+  # 5.6.6 Ensure root password is set. (Automated)
+  - id: 33668 
+    title: "Ensure root password is set."
+    description: "There are a number of methods to access the root account directly. Without a password set any user would be able to gain access and thus control over the entire system."
+    rationale: "Access to root should be secured at all times."
+    impact: "If there are any automated processes that relies on access to the root account without authentication, they will fail after remediation."
+    remediation: "Set the root password with: # passwd root."
+    compliance:
+      - cis: ["5.6.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:passwd -S root -> r:Password set"
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 33669 
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 33670 
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 33671 
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 33672 
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group- -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 33673 
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/shadow -> r:\s0 0/root 0/root'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 33674 
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow-: # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/shadow- ->  r:\s0 0/root 0/root'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 33675 
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow: # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow ->  r:\s0 0/root 0/root'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 33676 
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow- ->  r:\s0 0/root 0/root'
+
+  # 6.1.9 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.10 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit system file permissions. (Manual) - Not Implemented
+  ################################################
+  # 6.2 Local User and Group Settings
+  ################################################
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 33677 
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 33678 
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 33679 
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1548"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*root && n:^\w+:\S*:(\d+):\S*:\S*:\S*:\S* compare == 0'
+
+  # 6.2.10 Ensure local interactive user home directories exist. (Automated) - Not Implemented
+  # 6.2.11 Ensure local interactive users own their home directories. (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.13 Ensure no local interactive user has .netrc files. (Automated) - Not Implemented
+  # 6.2.14 Ensure no local interactive user has .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no local interactive user has .rhosts files. (Automated) - Not Implemented
+  # 6.2.16 Ensure local interactive user dot files are not group or world writable. (Automated) - Not Implemented
\ No newline at end of file
diff --git a/etc/ruleset/sca/oracledb/cis_oracle_database_19c.yml b/etc/ruleset/sca/oracledb/cis_oracle_database_19c.yml
new file mode 100644
index 0000000000..fd4e29b234
--- /dev/null
+++ b/etc/ruleset/sca/oracledb/cis_oracle_database_19c.yml
@@ -0,0 +1,1533 @@
+# Security Configuration Assessment
+# CIS Checks for Oracle Database 19c
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Oracle Database 19c Benchmark v1.0.0 - 09-21-2020
+
+policy:
+  id: "cis_oracle_database_19c"
+  file: "cis_oracle_database_19c.yml"
+  name: "CIS Benchmark for Oracle Database 19c v1.0.0"
+  description: "The Oracle installation version and patches should be the most recent that are compatible with the organization's operational needs."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+variables:
+  $listener_file: /u01/app/oracle/product/19.0.0/db_1/network/admin/listener.ora
+
+checks:
+  ###############################################
+  # 1 Oracle Database Installation and Patching Requirements
+  ###############################################
+  ###############################################
+  # 1.1 Ensure the Appropriate Version/Patches for Oracle Software Is Installed (Manual) - EXCLUDED
+  ###############################################
+  ###############################################
+  # 2 Oracle Parameter Settings
+  ###############################################
+  ###############################################
+  # 2.1 Listener Settings
+  ###############################################
+  # 2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora'
+  - id: 24500
+    title: "Ensure 'extproc' Is Not Present in 'listener.ora'."
+    description: "extproc should be removed from the listener.ora to mitigate the risk that OS libraries can be invoked by the Oracle instance."
+    rationale: "extproc allows the database to run procedures from OS libraries. These library calls can, in turn, run any OS command."
+    remediation: "Remove extproc from the listener.ora file."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["18.9", "9.2"]
+    condition: none
+    rules:
+      - "f:$listener_file -> r:extproc"
+
+  # 2.1.2 Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON'
+  - id: 24501
+    title: "Ensure 'ADMIN_RESTRICTIONS_' Is Set to 'ON'."
+    description: "The admin_restrictions_<listener_name> setting  in  the listener.ora file can require that  any attempted real-time alteration  of  the parameters  in  the listener  via the set command file  be  refused unless  the listener.ora file is  manually  altered,  then  restarted by  a privileged  user."
+    rationale: "Blocking  unprivileged  users from  making  alterations of  the listener.ora file,  where remote  data/service  settings  are specified,  will  help  protect data  confidentiality."
+    remediation: "Use a text  editor  such  as  vi to set the admin_restrictions_<listener_name> to the value ON"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["5.1", "4.3"]
+    condition: any
+    rules:
+      - 'f:$listener_file -> r:\.+admin_restrictions_\.+ ON'
+
+  ###############################################
+  # 2.2 Database Settings
+  ###############################################
+  # 2.2.1 Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'
+  - id: 24502
+    title: "Ensure 'AUDIT_SYS_OPERATIONS' Is Set to 'TRUE'."
+    description: "The AUDIT_SYS_OPERATIONS setting  provides  for the auditing  of  all user  activities  conducted under the SYSOPER and SYSDBA accounts.  The setting should  be  set to  TRUE to enable  this auditing."
+    rationale: "If  the parameter AUDIT_SYS_OPERATIONS is FALSE,  all statements  except  for Startup/Shutdown  and Logon by  SYSDBA/SYSOPER users  are not audited."
+    remediation: "To  remediate this  setting,  execute the following SQL statement and restart the instance. ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;"
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc: ["5.4", "6.2", "4.8", "6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME) = ''AUDIT_SYS_OPERATIONS'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+
+  # 2.2.2 Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED'
+  - id: 24503
+    title: "Ensure 'AUDIT_TRAIL' Is Set to 'DB', 'XML', 'OS', 'DB,EXTENDED', or 'XML,EXTENDED'."
+    description: "The audit_trail setting determines  whether or  not Oracle's  basic audit features  are enabled.  It  can be  set to  Operating System(OS); DB; DB,EXTENDED;  XML;  or  XML,EXTENDED. The value should  be  set according to  the needs of  the organization."
+    rationale: "Enabling  the basic auditing  features  for the Oracle  instance  permits the collection  of  data  to troubleshoot problems, as  well  as  provides  valuable  forensic  logs  in  the case  of  a system breach this  value should  be  set according to  the needs of  the organization."
+    remediation: "To  remediate this  setting,  execute one of  the following SQL statements  and restart the instance. ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = XML, EXTENDED SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = DB SCOPE = SPFILE; ALTER SYSTEM SET AUDIT_TRAIL = XML SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["6", "6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''AUDIT_TRAIL'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> r:^DB|^OS|^XML|^DB,EXTENDED|^XML,EXTENDED'
+
+  # 2.2.3 Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'
+  - id: 24504
+    title: "Ensure 'GLOBAL_NAMES' Is Set to 'TRUE'."
+    description: "The global_names setting  requires  that  the name  of  a database  link  matches that  of  the remote  database  it  will  connect to. This  setting should  have  a value of  TRUE."
+    rationale: "Not requiring database  connections to  match the domain  that  is  being called  remotely could  allow unauthorized  domain  sources to  potentially connect via brute-force tactics."
+    remediation: "To  remediate this  setting,  execute the following SQL statement. ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''GLOBAL_NAMES'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT UPPER(V.VALUE), DECODE (V.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE V.CON_ID = B.CON_ID)) FROM V\\"\$SYSTEM_PARAMETER" V WHERE UPPER(NAME) = ''GLOBAL_NAMES'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^- | tail -n 1" -> r:TRUE'
+
+  # 2.2.4 Ensure 'OS_ROLES' Is Set to 'FALSE'
+  - id: 24505
+    title: "Ensure 'OS_ROLES' Is Set to 'FALSE'."
+    description: "The os_roles setting  permits externally  created groups  to  be  applied to  database management"
+    rationale: "Allowing  the OS  to  use external  groups  for database  management  could cause privilege overlaps  and generally weaken  security."
+    remediation: "ALTER SYSTEM SET OS_ROLES = FALSE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["16", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''OS_ROLES'';\" | sqlplus / as sysdba| grep -A 1 ^- | grep -v ^-" -> FALSE'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT UPPER(V.VALUE), DECODE (V.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE V.CON_ID = B.CON_ID)) FROM V\\"\$SYSTEM_PARAMETER" V WHERE UPPER(NAME) = ''OS_ROLES'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^- | tail -n 1" -> r:FALSE'
+
+  # 2.2.5 Ensure 'REMOTE_LISTENER' Is Empty
+  - id: 24506
+    title: "Ensure 'REMOTE_LISTENER' Is Empty."
+    description: "The remote_listener setting determines  whether or  not a valid listener  can be  established on  a system  separate  from  the database  instance. This  setting should  be  empty unless  the organization  specifically  needs a valid listener  on  a separate  system  or  on  nodes running Oracle RAC  instances"
+    rationale: "Permitting  a remote  listener  for connections to  the database  instance  can allow for the potential spoofing  of  connections and that  could compromise  data  confidentiality and integrity."
+    remediation: "ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9", "9.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''REMOTE_LISTENER'' AND VALUE IS NOT NULL;\" | sqlplus / as sysdba | grep -A 1 \"^SQL>\" | grep -v \"^SQL>\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT UPPER(V.VALUE), DECODE (V.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE V.CON_ID = B.CON_ID)) FROM V\\"\$SYSTEM_PARAMETER" V WHERE UPPER(NAME) = ''REMOTE_LISTENER'' AND VALUE IS NOT NULL;\" | sqlplus / as sysdba | grep -A 1 \"^SQL>\" | grep -v \"^SQL>\" -> r:no rows selected'
+
+  # 2.2.6 Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'
+  - id: 24507
+    title: "Ensure 'REMOTE_LOGIN_PASSWORDFILE' Is Set to 'NONE'."
+    description: "The remote_login_passwordfile setting specifies whether or  not Oracle  checks  for a password  file  during  login and how many  databases can use the password  file. The setting should  have  a value of  NONE or in  the event you are running DR/Data Guard,  EXCLUSIVE is an allowable value."
+    rationale: "The use of  this  sort  of  password  login file  could permit  unsecured,  privileged  connections to  the database."
+    remediation: "ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = 'NONE' SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["16", "16.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''REMOTE_LOGIN_PASSWORDFILE'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> r:^NONE|^EXCLUSIVE'
+
+  # 2.2.7 Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'
+  - id: 24508
+    title: "Ensure 'REMOTE_OS_AUTHENT' Is Set to 'FALSE'."
+    description: "The remote_os_authent setting determines  whether or  not OS  'roles' with  the attendant privileges  are allowed for remote  client  connections.  This  setting should  have  a value of FALSE."
+    rationale: "Permitting  OS roles  for database  connections can allow the spoofing  of  connections and permit  granting  the privileges  of  an  OS  role  to  unauthorized  users to  make  connections, this value should  be  restricted  according to  the needs of  the organization."
+    remediation: "ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["16", "16.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''REMOTE_OS_AUTHENT'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> FALSE'
+
+  # 2.2.8 Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'
+  - id: 24509
+    title: "Ensure 'REMOTE_OS_ROLES' Is Set to 'FALSE'."
+    description: "The remote_os_roles setting permits remote  users'  OS  roles to  be  applied to  database management.  This  setting should  have  a value of  FALSE."
+    rationale: "Allowing  remote  clients OS  roles to  have  permissions for database  management  could cause privilege overlaps  and generally weaken  security"
+    remediation: "ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["16", "16.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''REMOTE_OS_ROLES'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> FALSE'
+
+  # 2.2.9 Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE'
+  - id: 24510
+    title: "Ensure 'SEC_CASE_SENSITIVE_LOGON' Is Set to 'TRUE' ."
+    description: "The SEC_CASE_SENSITIVE_LOGON information  determines  whether or  not case-sensitivity  is required for passwords during  login. Note: This parameter has been  deprecated  in  12.1  and higher  versions."
+    rationale: "Oracle  database  password  case-sensitivity  increases the pool  of  characters  that can  be chosen for the passwords,  making  brute-force password  attacks quite difficult."
+    remediation: "ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["16", "4.4"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SEC_CASE_SENSITIVE_LOGON'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+
+  # 2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less
+  - id: 24511
+    title: "Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less37."
+    description: "The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter determines  how many  failed  login attempts  are allowed before  Oracle  closes  the login connection."
+    rationale: "Allowing  an  unlimited number  of  login attempts  for a user  connection  can facilitate  both brute-force  login attacks and the occurrence  of  denial-of-service."
+    remediation: "ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 3 SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["16.7"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SEC_MAX_FAILED_LOGIN_ATTEMPTS'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare <= 3'
+
+  # 2.2.11 Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to '(DROP,3)'
+  - id: 24512
+    title: "Ensure 'SEC_PROTOCOL_ERROR_FURTHER_ACTION' Is Set to '(DROP,3)'."
+    description: "The SEC_PROTOCOL_ERROR_FURTHER_ACTION setting determines  the Oracle  server's  response to bad/malformed packets received  from  the client. This  setting should  have  a value of (DROP,3),  which will  cause a connection  to  be  dropped after three bad/malformed packets."
+    rationale: "Bad packets received  from  the client  can potentially indicate  packet-based  attacks on  the system, such  as  TCP SYN Flood or  Smurf attacks,  which could result  in  a denial-ofservice  condition,  this  value should  be  set according to  the needs of  the organization."
+    remediation: "ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DROP,3)' SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["18"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SEC_PROTOCOL_ERROR_FURTHER_ACTION'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> (DROP,3)'
+
+  # 2.2.12 Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'
+  - id: 24513
+    title: "Ensure 'SEC_PROTOCOL_ERROR_TRACE_ACTION' Is Set to 'LOG'."
+    description: "The SEC_PROTOCOL_ERROR_TRACE_ACTION setting determines  the Oracle's  server's  logging response  level to  bad/malformed packets received  from  the client  by  generating  ALERT, LOG, or  TRACE levels  of  detail  in  the log files.  This  setting should  have  a value of  LOG unless the  organization  has a compelling  reason  to  use a different value because LOG should  cause the necessary information to  be  logged. Setting the value as  TRACE can generate  an enormous amount  of  log output  and should  be  reserved  for debugging only."
+    rationale: "Bad packets received  from  the client  can potentially indicate  packet-based  attacks on  the system, which could result  in  a denial-of-service condition."
+    remediation: "ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION=LOG SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SEC_PROTOCOL_ERROR_TRACE_ACTION'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> LOG'
+
+  # 2.2.13 Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'
+  - id: 24514
+    title: "Ensure 'SEC_RETURN_SERVER_RELEASE_BANNER' Is Set to 'FALSE'."
+    description: "The information about patch/update  release number  provides  information about the exact patch/update  release that  is  currently running on  the database. This  is  sensitive information that  should  not be  revealed  to  anyone  who requests  it."
+    rationale: "Allowing  the database  to  return  information about the patch/update  release number  could facilitate  unauthorized  users'  attempts  to  gain  access  based upon  known patch weaknesses."
+    remediation: "ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SEC_RETURN_SERVER_RELEASE_BANNER'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> FALSE'
+
+  # 2.2.14 Ensure 'SQL92_SECURITY' Is Set to 'TRUE'
+  - id: 24515
+    title: "Ensure 'SQL92_SECURITY' Is Set to 'TRUE'."
+    description: "The SQL92_SECURITY parameter  setting TRUE requires that  a user  must  also  be  granted the SELECT object privilege before  being able  to  perform UPDATE or DELETE operations on  tables that have  WHERE or  SET clauses.  The setting should  have  a value of  TRUE."
+    rationale: "A user  without SELECT privilege  can still infer the value stored  in  a column  by  referring to that column  in  a DELETE or UPDATE statement. This  setting prevents  inadvertent information disclosure  by  ensuring  that  only  users who already have  SELECT privilege  can execute the statements  that  would allow them  to  infer the stored  values."
+    remediation: "ALTER SYSTEM SET SQL92_SECURITY = TRUE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["18", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''SQL92_SECURITY'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT UPPER(V.VALUE), DECODE (V.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE V.CON_ID = B.CON_ID)) FROM V\\"\$SYSTEM_PARAMETER" V WHERE UPPER(NAME) = ''SQL92_SECURITY'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> r:TRUE'
+
+  # 2.2.15 Ensure '_trace_files_public' Is Set to 'FALSE' - EXCLUDED: this check requires database presets based on SCA appendix instructions
+
+  # 2.2.16 Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'
+  - id: 24516
+    title: "Ensure 'RESOURCE_LIMIT' Is Set to 'TRUE'."
+    description: "RESOURCE_LIMIT determines whether resource  limits  are enforced  in  database  profiles. This  setting should  have  a value of  TRUE."
+    rationale: "If  RESOURCE_LIMIT is set to  FALSE,  none  of  the system  resource  limits  that  are set in  any database  profiles  are enforced. If  RESOURCE_LIMIT is set to  TRUE, the limits  set in  database profiles are enforced."
+    remediation: "ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = SPFILE;"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT UPPER(VALUE) FROM V\\"\$SYSTEM_PARAMETER" WHERE UPPER(NAME)=''RESOURCE_LIMIT'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT UPPER(V.VALUE), DECODE (V.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE V.CON_ID = B.CON_ID)) FROM V\\"\$SYSTEM_PARAMETER" V WHERE UPPER(NAME) = ''RESOURCE_LIMIT'';\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> TRUE'
+
+  ###############################################
+  # 3 Oracle Connection and Login Restrictions
+  ###############################################
+  # 3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'
+  - id: 24517
+    title: "Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5'."
+    description: "The FAILED_LOGIN_ATTEMPTS setting determines  how many  failed  login attempts  are permitted before  the system  locks the user's  account.  While different profiles  can have different  and more  restrictive settings, such  as  USERS and APPS, the minimum(s) recommended  here  should  be  set on  the DEFAULT profile."
+    rationale: "Repeated  failed  login attempts  can indicate  the initiation  of  a brute-force login attack, this value  should  be  set according to  the needs of  the organization. (See  the Notes for a warning on  a known bug that  can make  this  security  measure backfire.)"
+    remediation: "ALTER PROFILE <profile_name> LIMIT FAILED_LOGIN_ATTEMPTS 5;"
+    compliance:
+      - cis: ["3.1"]
+      - cis_csc: ["16.7"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''FAILED_LOGIN_ATTEMPTS''), ''UNLIMITED'',''9999'', P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''FAILED_LOGIN_ATTEMPTS'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE ) ;\" | sqlplus / as sysdba | grep -A 1 FAILED_LOGIN_ATTEMPTS | grep -v FAILED_LOGIN_ATTEMPTS" -> n:(\d+) compare <= 5'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''FAILED_LOGIN_ATTEMPTS'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''FAILED_LOGIN_ATTEMPTS'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 FAILED_LOGIN_ATTEMPTS | grep -v FAILED_LOGIN_ATTEMPTS | head -n 1" -> n:(\d+) compare <= 5'
+
+  # 3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'
+  - id: 24518
+    title: "Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1'."
+    description: "The PASSWORD_LOCK_TIME setting  determines  how many  days  must  pass  for the user's account  to  be  unlocked  after the set number  of  failed  login attempts  has occurred. The suggested value for this  is  one day or  greater."
+    rationale: "Locking the user  account after repeated  failed  login attempts  can block further brute-force login attacks,  but can create  administrative  headaches as  this  account unlocking process always  requires  DBA intervention."
+    remediation: "ALTER PROFILE <profile_name> LIMIT PASSWORD_LOCK_TIME 1;"
+    compliance:
+      - cis: ["3.2"]
+      - cis_csc: ["16.7"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LOCK_TIME''), ''UNLIMITED'',''9999'', P.LIMIT)) < 1 AND P.RESOURCE_NAME = ''PASSWORD_LOCK_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 1'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LOCK_TIME''), ''UNLIMITED'',''9999'', P.LIMIT)) < 1 AND P.RESOURCE_NAME = ''PASSWORD_LOCK_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LOCK_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 1 AND P.RESOURCE_NAME = ''PASSWORD_LOCK_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 1'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LOCK_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 1 AND P.RESOURCE_NAME = ''PASSWORD_LOCK_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'
+  - id: 24519
+    title: "Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90'."
+    description: "The PASSWORD_LIFE_TIME setting  determines  how long  a password  may be  used  before  the user  is  required  to  be  change  it. The suggested value for this  is  90  days  or  less."
+    rationale: "Allowing  passwords to  remain  unchanged for long  periods makes the success of  bruteforce  login attacks more  likely."
+    remediation: "ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME 90;"
+    compliance:
+      - cis: ["3.3"]
+      - cis_csc: ["16"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LIFE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) > 90 AND P.RESOURCE_NAME = ''PASSWORD_LIFE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 \"PASSWORD_LIFE_TIME\" | grep -v \"PASSWORD_LIFE_TIME\"" -> n:(\d+) compare <= 90'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LIFE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) > 90 AND P.RESOURCE_NAME = ''PASSWORD_LIFE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LIFE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'', P.LIMIT)) > 90 AND P.RESOURCE_NAME = ''PASSWORD_LIFE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 \"PASSWORD_LIFE_TIME\" | grep -v \"PASSWORD_LIFE_TIME\"" -> n:(\d+) compare <= 90'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_LIFE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'', P.LIMIT)) > 90 AND P.RESOURCE_NAME = ''PASSWORD_LIFE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 \"PASSWORD_LIFE_TIME\" | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.4 Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'
+  - id: 24520
+    title: "Ensure 'PASSWORD_REUSE_MAX' Is Greater than or Equal to '20'."
+    description: "The PASSWORD_REUSE_MAX setting  determines  how many  different passwords must  be  used before the user  is  allowed to  reuse a prior password. The suggested value for this  is  20 passwords  or  greater."
+    rationale: "Allowing  reuse of  a password  within  a short period  of  time  after the password's  initial use can make  the success of  both  social-engineering  and brute-force password-based  attacks more  likely."
+    remediation: "ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_MAX 20;"
+    compliance:
+      - cis: ["3.4"]
+      - cis_csc: ["16", "4.4"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_MAX''), ''UNLIMITED'',''9999'',P.LIMIT)) < 20 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_MAX'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 20'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_MAX''), ''UNLIMITED'',''9999'',P.LIMIT)) < 20 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_MAX'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_MAX'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 20 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_MAX'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 20'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_MAX'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 20 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_MAX'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.5 Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'
+  - id: 24521
+    title: "Ensure 'PASSWORD_REUSE_TIME' Is Greater than or Equal to '365'."
+    description: "The PASSWORD_REUSE_TIME setting determines  the amount  of  time  in  days  that  must  pass before the same  password  may be  reused. The suggested value for this  is 365  days  or greater."
+    rationale: "Reusing the same  password  after only  a short period  of  time  has passed  makes the success of  brute-force login attacks more  likely."
+    remediation: "ALTER PROFILE <profile_name> LIMIT PASSWORD_REUSE_TIME 365;"
+    compliance:
+      - cis: ["3.5"]
+      - cis_csc: ["16", "4.4"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) < 365 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 365'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) < 365 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 365 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^- | grep -v ^-" -> n:(\d+) compare >= 365'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_REUSE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) < 365 AND P.RESOURCE_NAME = ''PASSWORD_REUSE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.6 Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'
+  - id: 24522
+    title: "Ensure 'PASSWORD_GRACE_TIME' Is Less than or Equal to '5'."
+    description: "The PASSWORD_GRACE_TIME setting determines  how many  days  can pass  after the user's password expires before  the user's  login capability  is  automatically locked  out.  The suggested value for this  is  five  days  or  less."
+    rationale: "Locking the user  account after the expiration  of  the password  change  requirement's grace period  can help  prevent password-based  attacks against any forgotten or  disused accounts, while still allowing  the account and its information to  be  accessible  by  DBA intervention."
+    remediation: "ALTER PROFILE <profile_name> LIMIT PASSWORD_GRACE_TIME 5;"
+    compliance:
+      - cis: ["3.6"]
+      - cis_csc: ["16", "16.10", "16.9"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_GRACE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''PASSWORD_GRACE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^PASSWORD_GRACE_TIME | grep -v ^PASSWORD_GRACE_TIME" -> n:(\d+) compare <= 5'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_GRACE_TIME''), ''UNLIMITED'',''9999'',P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''PASSWORD_GRACE_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_GRACE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''PASSWORD_GRACE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^PASSWORD_GRACE_TIME | grep -v ^PASSWORD_GRACE_TIME" -> n:(\d+) compare <= 5'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''PASSWORD_GRACE_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) > 5 AND P.RESOURCE_NAME = ''PASSWORD_GRACE_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.7 Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles
+  - id: 24523
+    title: "Ensure 'PASSWORD_VERIFY_FUNCTION' Is Set for All Profiles."
+    description: "The PASSWORD_VERIFY_FUNCTION determines password  settings  requirements  when  a user password is  changed at  the SQL command prompt. It  should  be  set for all profiles. Note  that this setting does  not apply for users managed by  the Oracle  password  file."
+    rationale: "Through Oracle  database  profiles, password  complexity  rules (mixed  cases with  digits  and special characters),  blocking  of  simple  combinations, and enforcing change/history  settings can  potentially thwart  unauthorized  logins  by  an  unauthorized  user."
+    remediation: "Create  a custom  password  verification  function  which fulfills  the password  requirements  of the  organization."
+    compliance:
+      - cis: ["3.7"]
+      - cis_csc: ["16", "4.4"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE DECODE(P.LIMIT, ''DEFAULT'',(SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME = P.RESOURCE_NAME), LIMIT) = ''NULL'' AND P.RESOURCE_NAME = ''PASSWORD_VERIFY_FUNCTION'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^PASSWORD_VERIFY_FUNCTION | grep -v ^PASSWORD_VERIFY_FUNCTION" -> NULL'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE DECODE(P.LIMIT, ''DEFAULT'',(SELECT LIMIT FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME = P.RESOURCE_NAME AND CON_ID = P.CON_ID), LIMIT) = ''NULL'' AND P.RESOURCE_NAME = ''PASSWORD_VERIFY_FUNCTION'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^PASSWORD_VERIFY_FUNCTION | grep -v ^PASSWORD_VERIFY_FUNCTION" -> NULL'
+
+  # 3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'
+  - id: 24524
+    title: "Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10'."
+    description: "The SESSIONS_PER_USER setting determines  the maximum number  of  user  sessions  that  are allowed to  be  open  concurrently. The suggested value for this  is  10  or  less."
+    rationale: "Limiting  the number  of  the SESSIONS_PER_USER can help  prevent memory  resource exhaustion by  poorly  formed  requests  or  intentional denial-of-service attacks."
+    remediation: "ALTER PROFILE <profile_name> LIMIT SESSIONS_PER_USER 10;"
+    compliance:
+      - cis: ["3.8"]
+      - cis_csc: ["18", "16.7"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''SESSIONS_PER_USER'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) > 10 AND P.RESOURCE_NAME = ''SESSIONS_PER_USER'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep -A 1 ^SESSIONS_PER_USER | grep -v ^SESSIONS_PER_USER" -> n:(\d+) compare <= 10'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''SESSIONS_PER_USER'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'',P.LIMIT)) > 10 AND P.RESOURCE_NAME = ''SESSIONS_PER_USER'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE ) ORDER BY CON_ID, PROFILE, RESOURCE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''SESSIONS_PER_USER''), ''UNLIMITED'',''9999'',P.LIMIT)) > 10 AND P.RESOURCE_NAME = ''SESSIONS_PER_USER'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^SESSIONS_PER_USER | grep -v ^SESSIONS_PER_USER" -> n:(\d+) compare <= 10'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''SESSIONS_PER_USER''), ''UNLIMITED'',''9999'',P.LIMIT)) > 10 AND P.RESOURCE_NAME = ''SESSIONS_PER_USER'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120
+  - id: 24525
+    title: "Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120'."
+    description: "The 'INACTIVE_ACCOUNT_TIME' setting determines  the maximum number  of  days  of inactivity (no logins  at  all)  after which the account will  be  locked. The suggested value for this  is  120 or  less."
+    rationale: "Setting 'INACTIVE_ACCOUNT_TIME' can help  with  deactivation  of  inactive  or  unused accounts."
+    remediation: "ALTER PROFILE <profile_name> LIMIT INACTIVE_ACCOUNT_TIME 120;"
+    compliance:
+      - cis: ["3.9"]
+      - cis_csc: ["18", "16.9"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''INACTIVE_ACCOUNT_TIME''), ''UNLIMITED'',''9999'', P.LIMIT)) > 120 AND P.RESOURCE_NAME = ''INACTIVE_ACCOUNT_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^INACTIVE_ACCOUNT_TIME | grep -v ^INACTIVE_ACCOUNT_TIME" -> n:(\d+) compare <= 120'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT P.PROFILE, P.RESOURCE_NAME, P.LIMIT FROM DBA_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT,''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM DBA_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''INACTIVE_ACCOUNT_TIME''), ''UNLIMITED'',''9999'', P.LIMIT)) > 120 AND P.RESOURCE_NAME = ''INACTIVE_ACCOUNT_TIME'' AND EXISTS ( SELECT ''X'' FROM DBA_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''INACTIVE_ACCOUNT_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'', P.LIMIT)) > 120 AND P.RESOURCE_NAME = ''INACTIVE_ACCOUNT_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep -A 1 ^INACTIVE_ACCOUNT_TIME | grep -v ^INACTIVE_ACCOUNT_TIME" -> n:(\d+) compare <= 120'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT P.PROFILE, P.RESOURCE_NAME, P.LIMIT, DECODE (P.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE P.CON_ID = B.CON_ID)) DATABASE FROM CDB_PROFILES P WHERE TO_NUMBER(DECODE(P.LIMIT, ''DEFAULT'',(SELECT DISTINCT DECODE(LIMIT,''UNLIMITED'',9999,LIMIT) FROM CDB_PROFILES WHERE PROFILE=''DEFAULT'' AND RESOURCE_NAME=''INACTIVE_ACCOUNT_TIME'' AND CON_ID = P.CON_ID), ''UNLIMITED'',''9999'', P.LIMIT)) > 120 AND P.RESOURCE_NAME = ''INACTIVE_ACCOUNT_TIME'' AND EXISTS ( SELECT ''X'' FROM CDB_USERS U WHERE U.PROFILE = P.PROFILE );\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  ##############################################
+  # 4 Users
+  ###############################################
+  # 4.1 Ensure All Default Passwords Are Changed
+  - id: 24526
+    title: "Ensure All Default Passwords Are Changed."
+    description: "Default passwords should  not be  used  by  Oracle  database  users."
+    rationale: "Default passwords should  be  considered  well  known to  attackers.  Consequently, if  default passwords remain  in  place,  any attacker  with  access  to  the database  can authenticate  as  the user  with  that  default password."
+    remediation: ""
+    compliance:
+      - cis: ["4.1"]
+      - cis_csc: ["5.3", "4.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT A.USERNAME FROM DBA_USERS_WITH_DEFPWD A, DBA_USERS B WHERE A.USERNAME = B.USERNAME AND B.ACCOUNT_STATUS = ''OPEN'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT A.USERNAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_USERS_WITH_DEFPWD A, CDB_USERS C WHERE A.USERNAME = C.USERNAME AND C.ACCOUNT_STATUS = ''OPEN'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> r:no rows selected'
+
+  # 4.2 Ensure All Sample Data And Users Have Been Removed
+  - id: 24527
+    title: "Ensure All Sample Data And Users Have Been Removed."
+    description: "Oracle  sample  schemas can be  used  to  create  sample  users (BI,HR,IX,OE,PM,SCOTT,SH),  with well-known default passwords,  particular  views,  and procedures/functions, in  addition  to tables and fictitious  data. The sample  schemas should  be  removed."
+    rationale: "The sample  schemas are typically not required  for production  operations  of  the database. The default users,  views,  and/or  procedures/functions  created by  sample  schemas could be  used  to  launch  exploits  against production  environments."
+    remediation: "$ORACLE_HOME/demo/schema/drop_sch.sql DROP USER SCOTT CASCADE;"
+    compliance:
+      - cis: ["4.2"]
+      - cis_csc: ["18.9", "4.7"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT USERNAME FROM DBA_USERS WHERE USERNAME IN (''BI'',''HR'',''IX'',''OE'',''PM'',''SCOTT'',''SH'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DISTINCT A.USERNAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_USERS A WHERE A.USERNAME IN (''BI'',''HR'',''IX'',''OE'',''PM'',''SCOTT'',''SH'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 4.3 Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User
+  - id: 24528
+    title: "Ensure 'DBA_USERS.AUTHENTICATION_TYPE' Is Not Set to 'EXTERNAL' for Any User."
+    description: "The authentication_type=''EXTERNAL'' setting  determines  whether or  not a user  can be authenticated  by  a remote  OS  to  allow access  to  the database  with  full  authorization.  This setting  should  not be  used."
+    rationale: "Allowing  remote  OS  authentication  of  a user  to  the database  can potentially allow supposed privileged users to  connect as  authenticated,  even  when  the remote  system  is compromised."
+    remediation: "ALTER USER <username> IDENTIFIED BY <password>;"
+    compliance:
+      - cis: ["4.3"]
+      - cis_csc: ["16", "16.2"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT USERNAME FROM DBA_USERS WHERE AUTHENTICATION_TYPE = ''EXTERNAL'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT A.USERNAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_USERS A WHERE AUTHENTICATION_TYPE = ''EXTERNAL'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 4.4 Ensure No Users Are Assigned the 'DEFAULT' Profile
+  - id: 24529
+    title: "Ensure No Users Are Assigned the 'DEFAULT' Profile."
+    description: "Upon  creation  database  users are assigned  to  the DEFAULT profile unless  otherwise specified.  No  users should  be  assigned  to  that  profile."
+    rationale: "Users should  be  created with  function-appropriate  profiles. The DEFAULT profile,  being defined by  Oracle, is  subject to  change  at  any time  (e.g. by  patch or  version update).  The DEFAULT profile has unlimited settings  that  are often required  by  the SYS user  when patching;  such  unlimited settings  should  be  tightly reserved  and not applied to unnecessary  users."
+    remediation: "ALTER USER <username> PROFILE <appropriate_profile>;"
+    compliance:
+      - cis: ["4.4"]
+      - cis_csc: ["16", "4.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT USERNAME FROM DBA_USERS WHERE PROFILE=''DEFAULT'' AND ACCOUNT_STATUS=''OPEN'' AND ORACLE_MAINTAINED = ''N'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT A.USERNAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_USERS A WHERE A.PROFILE=''DEFAULT'' AND A.ACCOUNT_STATUS=''OPEN'' AND A.ORACLE_MAINTAINED = ''N'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 4.5 Ensure 'SYS.USER$MIG' Has Been Dropped
+  - id: 24530
+    title: "Ensure 'SYS.USER$MIG' Has Been Dropped."
+    description: "The table sys.user$mig is created during  migration and contains  the Oracle  password hashes before  the migration starts. This  table should  be  dropped."
+    rationale: "The table sys.user$mig is not deleted after the migration.  An  attacker  could access  the table containing  the Oracle  password  hashes."
+    remediation: "DROP TABLE SYS.USER$MIG;"
+    compliance:
+      - cis: ["4.5"]
+      - cis_csc: ["16.14", "16.4"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT OWNER, TABLE_NAME FROM DBA_TABLES WHERE TABLE_NAME=''USER\$MIG'' AND OWNER=''SYS'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT OWNER, TABLE_NAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TABLES A WHERE TABLE_NAME=''USER\$MIG'' AND OWNER=''SYS'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 4.6 Ensure No Public Database Links Exist
+  - id: 24531
+    title: "Ensure No Public Database Links Exist."
+    description: "Public  Database  links are used  to  allow connections between databases."
+    rationale: "Using public  database  links in  the database  can allow anyone  with  a connection  to  the database  to  query,  update, insert, delete  data  on  a remote  database  depending on  the userid  that  is  part  of  the link."
+    remediation: "DROP PUBLIC DATABASE LINK <DB_LINK>;"
+    compliance:
+      - cis: ["4.6"]
+      - cis_csc: ["14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DB_LINK, HOST FROM DBA_DB_LINKS WHERE OWNER = ''PUBLIC'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT DB_LINK, HOST, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_DB_LINKS A WHERE OWNER = ''PUBLIC'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ##############################################
+  # 5 Privileges & Grants & ACLs
+  ###############################################
+  ###############################################
+  # 5.1 Excessive Table, View and Package Privileges
+  ###############################################
+  # 5.1.1 Public Privileges
+  ###############################################
+  # 5.1.1.1 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Network" Packages
+  - id: 24532
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on Network Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  Network packages  - DBMS_LDAP,  UTL_INADDR, UTL_TCP,  UTL_MAIL, UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and  type  HTTPURITYPE – provide PL/SQL  APIs  to  interact  or  access  remote  servers.  The PUBLIC  should  not be  able to execute these packages. • The Oracle  database  DBMS_LDAP package contains  functions and procedures  that enable programmers to  access  data  from  LDAP  servers. • The  Oracle  database  UTL_INADDR package  provides  an  API to  retrieve  host  names and IP  addresses of  local and remote  hosts. • The  Oracle  database  UTL_TCP package can be  used  to  read/write  file  to  TCP sockets on  the server  where the Oracle  instance  is  installed. • The  Oracle  database  UTL_MAIL package  can be  used  to  send  email from  the server where  the Oracle  instance  is  installed. • The  Oracle  database  UTL_SMTP package  can be  used  to  send  email from  the server where  the Oracle  instance  is  installed.  The user  PUBLIC should not be  able  to  execute UTL_SMTP. • The Oracle  database  UTL_DBWS package  can be  used  to  read/write  file  to  web-based applications  on  the server  where the Oracle  instance  is  installed.  This  package is  not automatically installed for security  reasons. • The  Oracle  database  UTL_ORAMTS package  can be  used  to  perform HTTP  requests. This  could be  used  to  send  information to  the outside.85 |  P a g e • The Oracle  database  UTL_HTTP package  can be  used  to  perform HTTP  requests. This could  be  used  to  send  information to  the outside. • The  Oracle  database  HTTPURITYPE object  type  can be  used  to  perform HTTP requests."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  packages  - DBMS_LDAP,  UTL_INADDR, UTL_TCP, UTL_MAIL,  UTL_SMTP, UTL_DBWS, UTL_ORAMTS, UTL_HTTP and  type  HTTPURITYPE can be  used  by unauthorized users to  create  specially crafted error messages  or  send  information to external servers.  The PUBLIC should not be  able  to  execute these packages. • The use of  the DBMS_LDAP package can be  used  to  create  specially crafted error messages  or  send  information via DNS to  the outside. • The  UTL_INADDR package  can be  used  to  create  specially crafted error messages  or send information via DNS to the  outside. • The  UTL_TCP package could allow an  unauthorized  user  to  corrupt the TCP stream used to  carry the protocols that  communicate with  the instance's  external communications. • The  UTL_MAIL package  could allow an  unauthorized  user  to  corrupt the SMTP function to  accept  or  generate  junk  mail  that  can result  in  a denial-of-service condition due to  network saturation. • The UTL_SMTP package  could allow an  unauthorized  user  to  corrupt the SMTP function to  accept  or  generate  junk  mail  that  can result  in  a denial-of-service condition due to  network saturation. • The UTL_DBWS package  could allow an  unauthorized  user  to  corrupt the HTTP stream used  to  carry the protocols that  communicate for the instance's  web-based external  communications. • The UTL_ORAMTS package  could be  used  to  send  (sensitive) information to  external websites.  The use of  this  package should  be  restricted  according to  the needs of  the organization. • The UTL_HTTP package  could be  used  to  send  (sensitive) information to  external websites. • The  use of this package should  be  restricted  according to  the needs of  the organization. • The ability to  perform HTTP  requests  could be  used  to  leak  information from  the database  to  an  external  destination."
+    remediation: "REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC; REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC; REVOKE EXECUTE ON UTL_TCP FROM PUBLIC; REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC; REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC; REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC; REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC; REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC; REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;"
+    compliance:
+      - cis: ["5.1.1.1"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_LDAP'',''UTL_INADDR'',''UTL_TCP'',''UTL_MAIL'',''UTL_SMTP'',''UTL_DBWS'',''UTL_ORA MTS'',''UTL_HTTP'',''HTTPURITYPE'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_LDAP'',''UTL_INADDR'',''UTL_TCP'',''UTL_MAIL'',''UTL_SMTP'',''UTL_DBWS'',''UTL_ORA MTS'',''UTL_HTTP'',''HTTPURITYPE'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.1.2 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "File System" Packages
+  - id: 24533
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on File System Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  File  System  packages  - DBMS_ADVISOR, DBMS_LOB and  UTL_FILE – provide  PL/SQL  APIs  to  access  files on  the servers.  The user PUBLIC should  not be  able  to  execute these packages. • The Oracle  database  DBMS_ADVISOR package  can be  used  to  write files located on  the server  where the Oracle  instance  is  installed.  The user  PUBLIC  should  not be  able  to execute  DBMS_ADVISOR. • The Oracle  database  DBMS_LOB package  provides  subprograms that  can manipulate and  read/write  on  BLOB's, CLOB's, NCLOB's,  BFILE's,  and temporary LOB's.  The user PUBLIC should  not be  able  to  execute DBMS_LOB. • The Oracle  database  UTL_FILE package  can be  used  to  read/write  files located on the  server  where the Oracle  instance  is  installed.  The user  PUBLIC should not be  able to execute UTL_FILE."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  File  System  packages  - DBMS_ADVISOR, DBMS_LOB and  UTL_FILE – should not be  granted to  PUBLIC. • Use of  the DBMS_ADVISOR package  could allow an  unauthorized  user  to  corrupt operating system  files on  the instance's  host. • Use of  the DBMS_LOB package  could allow an  unauthorized  user  to  manipulate  BLOB's, CLOB's, NCLOB's,  BFILE's,  and temporary LOBs  on  the instance, either  destroying  data or causing a denial-of-service condition due to  corruption  of  disk  space. • Use  of  the UTL_FILE package  could allow a user  to  read  OS  files.  These files could contain sensitive information (e.g. passwords in  .bash_history)"
+    remediation: "REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC; REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC; REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;"
+    compliance:
+      - cis: ["6", "7"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_ADVISOR'',''DBMS_LOB'',''UTL_FILE'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_ADVISOR'',''DBMS_LOB'',''UTL_FILE'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.1.3 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Encryption" Packages
+  - id: 24534
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on Encryption Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  Encryption  packages  - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM – provide PL/SQL  APIs  to  perform functions related to  cryptography. The PUBLIC should not be  able  to  execute these packages. • The DBMS_CRYPTO settings  provide a toolset that  determines  the strength  of  the encryption  algorithm used  to  encrypt application data  and is  part  of  the SYS schema. The DES (56-bit key), 3DES (168-bit key), 3DES-2KEY (112-bit  key), AES (128/192/256-bit  keys),  and RC4 are available. • The  DBMS_OBFUSCATION_TOOLKIT provides one of  the tools that  determine the strength  of  the encryption  algorithm used  to  encrypt application data  and is  part  of the  SYS schema. The DES (56-bit key)  and 3DES (168-bit key)  are the only  two types available. • The  Oracle  database  DBMS_RANDOM package is  used  for generating  random  numbers but should  not be  used  for cryptographic purposes."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  Encryption  packages  - DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT and DBMS_RANDOM – should  not be  granted to  PUBLIC. • Execution of  the DBMS_CRYPTO procedures  by  the PUBLIC can  potentially endanger portions of  or  all of  the data  storage. • Allowing the PUBLIC privileges to  access  this  capability  can be  potentially harm  data storage. • Use of  the DBMS_RANDOM package can allow the unauthorized  application of  the random  number-generating function."
+    remediation: "REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC; REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC; REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;"
+    compliance:
+      - cis: ["5.1.1.3"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_CRYPTO'',''DBMS_OBFUSCATION_TOOLKIT'', ''DBMS_RANDOM'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_CRYPTO'',''DBMS_OBFUSCATION_TOOLKIT'', ''DBMS_RANDOM'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.1.4 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Java" Packages
+  - id: 24535
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on Java Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  Java  packages  - DBMS_JAVA and DBMS_JAVA_TEST – provide  APIs  to  run Java  classes or  grant Java  packages. The user  PUBLIC should not be  able  to  execute these packages. • The Oracle  database  DBMS_JAVA package can run Java  classes (e.g. OS  commands) or grant  Java  privileges. The user  PUBLIC should not be  able  to  execute DBMS_JAVA. • The  Oracle  database  DBMS_JAVA_TEST package  can run Java  classes (e.g. OS commands)  or  grant Java  privileges. The user  PUBLIC should not be  able  to  execute DBMS_JAVA_TEST."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  Java  packages  - DBMS_JAVA and DBMS_JAVA_TEST – should not be  granted to  PUBLIC. • The DBMS_JAVA package could allow an  attacker  to  run OS  commands  from  the database. • The DBMS_JAVA_TEST package  could allow an  attacker  to  run operating system commands from  the database."
+    remediation: "REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC; REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;"
+    compliance:
+      - cis: ["5.1.1.4"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_JAVA'',''DBMS_JAVA_TEST'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_JAVA'',''DBMS_JAVA_TEST'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.1.5 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "Job Scheduler" Packages
+  - id: 24536
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on Job Scheduler Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  Job Scheduler packages  - DBMS_SCHEDULER and  DBMS_JOB – provide  APIs  to  schedule  jobs. The user  PUBLIC should not be  able  to execute  these packages. • The Oracle  database  DBMS_SCHEDULER package  schedules and manages the database and  operating system  jobs. The user  PUBLIC should not be  able  to  execute DBMS_SCHEDULER. • The Oracle  database  DBMS_JOB package  schedules and manages the jobs  sent  to  the job queue and has been  superseded  by  the DBMS_SCHEDULER package, even  though DBMS_JOB has been  retained  for backwards compatibility.  The user  PUBLIC should not be  able  to  execute DBMS_JOB."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  Job Scheduler packages  - DBMS_SCHEDULER and  DBMS_JOB – should not be  granted to  the user  PUBLIC. • Use of  the DBMS_SCHEDULER package  could allow an  unauthorized  user  to  run database  or  operating system  jobs. • Use of  the DBMS_JOB package  could allow an  unauthorized  user  to  disable or overload the job queue.  It  has been  superseded  by  the DBMS_SCHEDULER package"
+    remediation: "REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC; REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;"
+    compliance:
+      - cis: ["6", "7"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_SCHEDULER'',''DBMS_JOB'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_SCHEDULER'',''DBMS_JOB'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.1.6 Ensure 'EXECUTE' is revoked from 'PUBLIC' on "SQL Injection Helper" Packages
+  - id: 24537
+    title: "Ensure 'EXECUTE' is revoked from 'PUBLIC' on SQL Injection Helper Packages."
+    description: "As  described below,  Oracle  Database  PL/SQL  SQL Injection Helper  Packages  packages  - DBMS_SQL, DBMS_XMLGEN,  DBMS_XMLQUERY,  DBMS_XLMSTORE,  DBMS_XLMSAVE and  DBMS_REDACT – provide APIs  to  schedule  jobs. The user  PUBLIC should not be  able  to  execute these packages. • The Oracle  database  DBMS_SQL package  is  used  for running dynamic SQL statements. • The DBMS_XMLGEN package takes an  arbitrary SQL query as  input,  converts  it  to  XML format, and returns the result  as  a CLOB. • The Oracle  package DBMS_XMLQUERY takes an  arbitrary SQL query,  converts  it  to  XML format, and returns the result. This  package is  similar to  DBMS_XMLGEN. • The  DBMS_XLMSTORE package provides  XML functionality.  It  accepts a table name  and XML as  input to  perform DML operations  against the table. • The  DBMS_XLMSAVE package  provides  XML functionality.  It  accepts a table name  and XML as  input and then  inserts into  or  updates that  table. • The  DBMS_REDACT package provides  an  interface to  Oracle  Data  Redaction,  which enables you to  mask  (redact)  data  that  is  returned  from  queries issued  by  lowprivileged users or  an  application."
+    rationale: "As  described below,  Oracle  Database  PL/SQL  SQL Injection Helper  Packages  packages  - DBMS_SQL, DBMS_XMLGEN,  DBMS_XMLQUERY,  DBMS_XLMSTORE,  DBMS_XLMSAVE and 'DBMS_REDACT'  – should  not be  granted to  PUBLIC. • The DBMS_SQL package  could allow privilege escalation  if  input validation  is  not done properly. • The  package DBMS_XMLGEN can be  used  to  search  the entire  database  for sensitive information like  credit  card  numbers • The package DBMS_XMLQUERY can be  used  to  search  the entire  database  for sensitive information like  credit  card  numbers.  Malicious users may be  able  to  exploit this package  as  an  auxiliary inject  function  in  a SQL injection attack. • Malicious users may be  able  to  exploit the DBMS_XLMSTORE package as  an  auxiliary inject  function  in  a SQL injection attack. • Malicious users may be  able  to  exploit the DBMS_XLMSAVE package  as  an  auxiliary inject  function  in  a SQL injection attack. • Malicious users may be  able  to  exploit DBMS_REDACT as  an  auxiliary inject  function in a SQL injection attack."
+    remediation: "REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC; REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC; REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC; REVOKE EXECUTE ON DBMS_XMLSAVE FROM PUBLIC; REVOKE EXECUTE ON DBMS_XMLSTORE FROM PUBLIC; REVOKE EXECUTE ON DBMS_AW FROM PUBLIC;REVOKE EXECUTE ON OWA_UTIL FROM PUBLIC; REVOKE EXECUTE ON DBMS_REDACT FROM PUBLIC;"
+    compliance:
+      - cis: ["5.1.1.6"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_SQL'', ''DBMS_XMLGEN'', ''DBMS_XMLQUERY'',''DBMS_XMLSTORE'',''DBMS_XMLSAVE'',''DBMS_AW'',''OWA_UTIL'',''DBMS_RED ACT'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_SQL'', ''DBMS_XMLGEN'', ''DBMS_XMLQUERY'',''DBMS_XMLSTORE'',''DBMS_XMLSAVE'',''DBMS_AW'',''OWA_UTIL'',''DBMS_RED ACT'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 5.1.2 Non-Default Privileges
+  ###############################################
+  # 5.1.2.1 Ensure 'EXECUTE' is not granted to 'PUBLIC' on "Non-default" Packages
+  - id: 24538
+    title: "Ensure 'EXECUTE' is not granted to 'PUBLIC' on Non-default Packages."
+    description: "The packages  described in  this  control are not granted to  PUBLIC by default (Non-default packages). These packages  should  not be  granted to  PUBLIC. • The Oracle  database  DBMS_BACKUP_RESTORE package is  used  for applying  PL/SQL commands to  the native  RMAN sequences. • The Oracle  database  DBMS_FILE_TRANSFER package  allows  a user  to  transfer  files from  one database  server  to  another. • The  Oracle  database  DBMS_SYS_SQL,DBMS_REPCAT_SQL_UTL, INITJVMAUX, DBMS_AQADM_SYS, DBMS_STREAMS_RPC, DBMS_PRVTAQIM,  LTADM and DBMS_IJOB packages are  shipped as  undocumented."
+    rationale: "As  described below,  these non-default group of  PL/SQL  packages, which are not granted to  PUBLIC by default,  packages  should  not be  granted to  PUBLIC. • The DBMS_BACKUP_RESTORE package can allow access  to  OS  files. • The  DBMS_FILE_TRANSFER package  could allow to  transfer  files from  one database server to  another without authorization to  do  so. • The DBMS_SYS_SQL package  could allow a user  to  run code  as  a different user without  entering  valid credentials. • The  DBMS_REPCAT_SQL_UTL package could allow an  unauthorized  user  to  run SQL commands  as  user  SYS. • The  INITJVMAUX package  could allow an  unauthorized  user  to  run SQL commands  as user SYS. • The  DBMS_AQADM_SYS package  could allow an  unauthorized  user  to  run SQL commands  as  user  SYS. • The  DBMS_STREAMS_RPC package  could allow an  unauthorized  user  to  run SQL commands  as  user  SYS.102 | P a g e • The DBMS_PRVTAQIM package could allow an  unauthorized  user  to  escalate  privileges because  any SQL statements  could be  executed  as  user SYS. • The LTADM package could allow an  unauthorized  user  to  run any SQL command as user SYS.  It  allows  privilege escalation  if  granted to  unprivileged  users. • The  DBMS_IJOB package could allow an  attacker  to  change  identities  by  using a different username  to  execute a database  job.  It  allows  a user  to  run database  jobs  in the  context of  another user."
+    remediation: "REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC; REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC; REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC; REVOKE EXECUTE ON DBMS_REPCAT_SQL_UTL FROM PUBLIC; REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC; REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC; REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC; REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC; REVOKE EXECUTE ON LTADM FROM PUBLIC; REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC; REVOKE EXECUTE ON DBMS_PDB_EXEC_SQL FROM PUBLIC;"
+    compliance:
+      - cis: ["5.1.2.1"]
+      - cis_csc: ["18", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE FROM DBA_TAB_PRIVS WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_BACKUP_RESTORE'',''DBMS_FILE_TRANSFER'',''DBMS_SYS_SQL'',''DBMS_REPCAT_SQL_U TL'',''INITJVMAUX'', ''DBMS_AQADM_SYS'',''DBMS_STREAMS_RPC'',''DBMS_PRVTAQIM'',''LTADM'', ''DBMS_IJOB'',''DBMS_PDB_EXEC_SQL'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE GRANTEE=''PUBLIC'' AND PRIVILEGE=''EXECUTE'' AND TABLE_NAME IN (''DBMS_BACKUP_RESTORE'',''DBMS_FILE_TRANSFER'',''DBMS_SYS_SQL'',''DBMS_REPCAT_SQL_U TL'',''INITJVMAUX'', ''DBMS_AQADM_SYS'',''DBMS_STREAMS_RPC'',''DBMS_PRVTAQIM'',''LTADM'', ''DBMS_IJOB'',''DBMS_PDB_EXEC_SQL'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 5.1.3 Other Privileges
+  ###############################################
+  # 5.1.3.1 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'
+  - id: 24539
+    title: "Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'."
+    description: "The Oracle  database  SYS.AUD$ table  contains  all the audit records for the database  of  the non-Data  Manipulation  Language  (DML) events, such  as  ALTER,  DROP, and CREATE, and so forth. (DML  changes need  trigger-based audit events  to  record  data  alterations.) Unauthorized  grantees  should not  have  full  access  to  that  table."
+    rationale: "Permitting  non-privileged  users the authorization to  manipulate  the SYS.AUD$ table  can allow distortion  of  the audit records,  hiding  unauthorized  activities."
+    remediation: "REVOKE ALL ON AUD$ FROM <grantee>;"
+    compliance:
+      - cis: ["5.1.3.1"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME=''AUD\$'' AND OWNER = ''SYS'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE TABLE_NAME=''AUD\$'' AND OWNER = ''SYS'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.3.2 Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'
+  - id: 24540
+    title: "Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'DBA_%'."
+    description: "The Oracle  database  DBA_ views  show  all information which is  relevant  to  administrative accounts.  Unauthorized  grantees  should  not have  full  access  to  those views."
+    rationale: "Permitting  users the authorization to  manipulate  the DBA_ views  can expose  sensitive data."
+    remediation: "REVOKE ALL ON <DBA_%> FROM <Non-DBA/SYS grantee>;"
+    compliance:
+      - cis: ["5.1.3.2"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE,TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME LIKE ''DBA_%'' AND OWNER = ''SYS'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE,TABLE_NAME, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_TAB_PRIVS A WHERE TABLE_NAME LIKE ''DBA_%'' AND OWNER = ''SYS'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.1.3.3 Ensure 'ALL' Is Revoked on 'Sensitive' Tables
+  - id: 24541
+    title: "Ensure 'ALL' Is Revoked on 'Sensitive' Tables ."
+    description: "The Oracle  database  tables  listed  below may contain sensitive information,  and should  not be  accessible  to  unauthorized  users. • USER$, USER_HISTORY$,  XS$VERIFIERS and  DEFAULT_PWD$ may  contain password hashes. • CDB_LOCAL_ADMINAUTH$ and PDB_SYNC$ may contain DDLs. • LINK$ and SCHEDULER$_CREDENTIAL may contain encrypted passwords. • ENC$ may contains  encryption  keys. • HISTGRM$ and  HIST_HEAD$ may  contain sensitive data."
+    rationale: "Access  to  sensitive information such  as  hashed  passwords may allow unauthorized  users to decrypt  the passwords hashes  which could potentially result  in  complete  compromise  of the  database."
+    remediation: "REVOKE ALL ON SYS.CDB_LOCAL_ADMINAUTH$ FROM <grantee>; REVOKE ALL ON SYS.DEFAULT_PWD$ FROM <grantee>; REVOKE ALL ON SYS.ENC$ FROM <grantee>; REVOKE ALL ON SYS.HISTGRM$ FROM <grantee>; REVOKE ALL ON SYS.HIST_HEAD$ FROM <grantee>; REVOKE ALL ON SYS.LINK$ FROM <grantee>; REVOKE ALL ON SYS.PDB_SYNC$ FROM <grantee>; REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <grantee>; REVOKE ALL ON SYS.USER$ FROM <grantee>; REVOKE ALL ON SYS.USER_HISTORY$ FROM <grantee>; REVOKE ALL ON SYS.XS$VERIFIERS FROM <grantee>;"
+    compliance:
+      - cis: ["5.1.3.3"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM DBA_TAB_PRIVS WHERE TABLE_NAME in (''CDB_LOCAL_ADMINAUTH\$'',''DEFAULT_PWD\$'',''ENC\$'',''HISTGRM\$'',''HIST_HEAD\$'',''LINK\$'' ,''PDB_SYNC\$'',''SCHEDULER\$_CREDENTIAL'',''USER\$'',''USER_HISTORY\$'',''XS\$VERIFIERS'') AND OWNER = ''SYS'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT TABLE_NAME, PRIVILEGE, GRANTEE,DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) DATABASE FROM CDB_TAB_PRIVS A WHERE TABLE_NAME in (''CDB_LOCAL_ADMINAUTH\$'',''DEFAULT_PWD\$'',''ENC\$'',''HISTGRM\$'',''HIST_HEAD\$'',''LINK\$'' ,''PDB_SYNC\$'',''SCHEDULER\$_CREDENTIAL'',''USER\$'',''USER_HISTORY\$'',''XS\$VERIFIERS'') AND OWNER = ''SYS'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'') ORDER BY CON_ID, TABLE_NAME;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 5.2 Excessive System Privileges
+  ###############################################
+  # 5.2.1 Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24542
+    title: "Ensure '%ANY%' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  ANY keyword provides  the user  the capability  to  alter any item  in  the catalog of  the database. Unauthorized  grantees  should  not have  that  keyword assigned  to them"
+    rationale: "Authorization to  use the ANY expansion of  a privilege can allow an  unauthorized  user to potentially change  confidential  data  or  damage  the data  catalog."
+    remediation: "REVOKE '<ANY Privilege>' FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE ''%ANY%'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE LIKE ''%ANY%'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.2 Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'
+  - id: 24543
+    title: "Ensure 'DBA_SYS_PRIVS.%' Is Revoked from Unauthorized 'GRANTEE' with 'ADMIN_OPTION' Set to 'YES'."
+    description: "The Oracle  database  WITH_ADMIN privilege  allows  the designated  user  to  grant another user the  same  privileges. Unauthorized  grantees  should  not have  that  privilege."
+    rationale: "Assignment  of  the WITH_ADMIN privilege  can allow the granting  of  a restricted  privilege to an unauthorized  user."
+    remediation: "REVOKE <privilege> FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE ADMIN_OPTION=''YES'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE ADMIN_OPTION=''YES'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.3 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'
+  - id: 24544
+    title: "Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'OUTLN'."
+    description: "Remove  unneeded  EXECUTE ANY PROCEDURE privileges  from  OUTLN."
+    rationale: "Migrated  OUTLN users have  more  privileges  than  required."
+    remediation: "REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''EXECUTE ANY PROCEDURE'' AND GRANTEE=''OUTLN'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''EXECUTE ANY PROCEDURE'' AND GRANTEE=''OUTLN'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.4 Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'
+  - id: 24545
+    title: "Ensure 'EXECUTE ANY PROCEDURE' Is Revoked from 'DBSNMP'."
+    description: "Remove  unneeded  EXECUTE ANY PROCEDURE privileges  from  DBSNMP."
+    rationale: "Migrated  DBSNMP users  have  more  privileges  than  required."
+    remediation: "REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''EXECUTE ANY PROCEDURE'' AND GRANTEE=''DBSNMP'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''EXECUTE ANY PROCEDURE'' AND GRANTEE=''DBSNMP'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.5 Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24546
+    title: "Ensure 'SELECT ANY DICTIONARY' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  SELECT ANY DICTIONARY privilege allows  the designated  user  to  access SYS schema objects.  Unauthorized  grantees  should  not have  that  privilege."
+    rationale: "SELECT ANY DICTIONARY is  a powerful  system  privilege which would allow an unauthorized user  to  gather  information about the database  through data  dictionary objects. Information collected could potentially be  used  to  exploit the database."
+    remediation: "REVOKE SELECT ANY DICTIONARY FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''SELECT ANY DICTIONARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''SELECT ANY DICTIONARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.6 Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24547
+    title: "Ensure 'SELECT ANY TABLE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  SELECT ANY TABLE privilege  allows  the designated  user  to  open  any table,  except  SYS,  to  view  it. Unauthorized  grantees  should  not have  that  privilege."
+    rationale: "Assignment  of  the SELECT ANY TABLE privilege  can allow the unauthorized  viewing of sensitive  data."
+    remediation: "REVOKE SELECT ANY TABLE FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''SELECT ANY TABLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''SELECT ANY TABLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.7 Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24548
+    title: "Ensure 'AUDIT SYSTEM' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  AUDIT SYSTEM privilege  allows  changes to  auditing  activities  on  the system. Unauthorized  grantees  should  not have  that  privilege."
+    rationale: "The AUDIT SYSTEM privilege  can allow the unauthorized  alteration  of  system  audit activities, such  as  disabling the creation  of  audit trails."
+    remediation: "REVOKE AUDIT SYSTEM FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''AUDIT SYSTEM'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''AUDIT SYSTEM'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.8 Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24549
+    title: "Ensure 'EXEMPT ACCESS POLICY' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  EXEMPT ACCESS POLICY keyword  provides  the user  the capability  to access all the table rows  regardless  of  row-level security  lockouts. Unauthorized  grantees should not have  that  keyword assigned  to  them."
+    rationale: "The EXEMPT ACCESS POLICY privilege  can allow an  unauthorized  user  to  potentially access and  change  data."
+    remediation: "REVOKE EXEMPT ACCESS POLICY FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["14.4", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''EXEMPT ACCESS POLICY'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''EXEMPT ACCESS POLICY'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.9 Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24550
+    title: "Ensure 'BECOME USER' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  BECOME USER privilege allows  the designated  user  to  inherit the rights of another user. Unauthorized  grantees  should  not have  that  privilege."
+    rationale: "The BECOME USER privilege can allow the unauthorized  use of  another user's  privileges, this capability should  be  restricted  according to  the needs of  the organization."
+    remediation: "REVOKE BECOME USER FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''BECOME USER'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''BECOME USER'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.10 Ensure 'CREATE PROCEDURE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24551
+    title: "Ensure 'CREATE PROCEDURE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  CREATE PROCEDURE privilege  allows  the designated  user  to  create  a stored  procedure that  will  fire  when  given the correct command sequence. Unauthorized grantees should  not have  that  privilege."
+    rationale: "The CREATE PROCEDURE privilege  can lead  to  severe  problems  in  unauthorized  hands,  such as rogue procedures  facilitating  data  theft or  denial-of-service by  corrupting  data  tables."
+    remediation: "REVOKE CREATE PROCEDURE FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''CREATE PROCEDURE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''CREATE PROCEDURE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.11 Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24552
+    title: "Ensure 'ALTER SYSTEM' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  ALTER SYSTEM privilege  allows  the designated  user  to  dynamically alter the instance's  running operations. Unauthorized  grantees  should  not have  that privilege."
+    rationale: "The ALTER SYSTEM privilege  can lead  to  severe  problems, such  as  the instance's  session being killed  or  the stopping  of  redo  log recording,  which would make  transactions unrecoverable."
+    remediation: "REVOKE ALTER SYSTEM FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''ALTER SYSTEM'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''ALTER SYSTEM'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.12 Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24553
+    title: "Ensure 'CREATE ANY LIBRARY' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  CREATE ANY LIBRARY privilege  allows  the designated  user  to  create objects  that  are associated  to  the shared  libraries.  Unauthorized  grantees  should  not have that privilege."
+    rationale: "The CREATE ANY LIBRARY privilege  can allow the creation  of  numerous  library-associated objects  and potentially corrupt the libraries'  integrity."
+    remediation: "REVOKE CREATE ANY LIBRARY FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''CREATE ANY LIBRARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''CREATE ANY LIBRARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.13 Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24554
+    title: "Ensure 'CREATE LIBRARY' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  CREATE LIBRARY privilege  allows  the designated  user  to  create  objects that  are associated  to  the shared  libraries.  Unauthorized  grantees  should  not have  that privilege."
+    rationale: "The CREATE LIBRARY privilege  can allow the creation  of  numerous  library-associated objects  and potentially corrupt the libraries'  integrity"
+    remediation: "REVOKE CREATE LIBRARY FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''CREATE LIBRARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''CREATE LIBRARY'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.14 Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24555
+    title: "Ensure 'GRANT ANY OBJECT PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  GRANT ANY OBJECT PRIVILEGE keyword  provides  the grantee the capability  to  grant access  to  any single  or  multiple  combinations  of  objects to  any grantee in  the catalog of  the database. Unauthorized  grantees  should  not have  that  keyword assigned  to  them."
+    rationale: "The GRANT ANY OBJECT PRIVILEGE capability can allow an  unauthorized  user  to  potentially access  or  change  confidential  data, or  damage  the data  catalog due to  potential complete instance access."
+    remediation: "REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''GRANT ANY OBJECT PRIVILEGE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''GRANT ANY OBJECT PRIVILEGE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.15 Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24556
+    title: "Ensure 'GRANT ANY ROLE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  GRANT ANY ROLE keyword  provides  the grantee the capability  to  grant any single  role  to  any grantee in  the catalog of  the database. Unauthorized  grantees  should not  have  that  keyword assigned  to  them."
+    rationale: "The GRANT ANY ROLE capability can allow an  unauthorized  user  to  potentially access  or change confidential  data  or  damage  the data  catalog due to  potential complete  instance access."
+    remediation: "REVOKE GRANT ANY ROLE FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''GRANT ANY ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''GRANT ANY ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.2.16 Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24557
+    title: "Ensure 'GRANT ANY PRIVILEGE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  GRANT ANY PRIVILEGE keyword provides  the grantee the capability  to grant  any single  privilege to  any item  in  the catalog of  the database. Unauthorized  grantees should not have  that  privilege."
+    rationale: "The GRANT ANY PRIVILEGE capability  can allow an  unauthorized  user  to  potentially access or change  confidential  data  or  damage  the data  catalog due to  potential complete  instance access."
+    remediation: "REVOKE GRANT ANY PRIVILEGE FROM <grantee>;"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE=''GRANT ANY PRIVILEGE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, PRIVILEGE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_SYS_PRIVS A WHERE PRIVILEGE=''GRANT ANY PRIVILEGE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 5.3 Excessive Role Privileges
+  ###############################################
+  # 5.3.1 Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24558
+    title: "Ensure 'SELECT_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  SELECT_CATALOG_ROLE provides  SELECT privileges on  all data dictionary views held  in  the SYS schema. Unauthorized  grantees  should  not have  that  role."
+    rationale: "Permitting  unauthorized  access  to  the SELECT_CATALOG_ROLE can allow the disclosure  of  all dictionary  data."
+    remediation: "REVOKE SELECT_CATALOG_ROLE FROM <grantee>;"
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE=''SELECT_CATALOG_ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, GRANTED_ROLE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_ROLE_PRIVS A WHERE GRANTED_ROLE=''SELECT_CATALOG_ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.3.2 Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24559
+    title: "Ensure 'EXECUTE_CATALOG_ROLE' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  EXECUTE_CATALOG_ROLE provides EXECUTE privileges  for a number  of packages and procedures  in  the data  dictionary  in  the SYS schema. Unauthorized  grantees should not have  that  role."
+    rationale: "Permitting  unauthorized  access  to  the EXECUTE_CATALOG_ROLE can  allow the disruption  of operations by  initialization  of  rogue procedures, this  capability  should  be  restricted according  to  the needs of  the organization."
+    remediation: "REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>;"
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE=''EXECUTE_CATALOG_ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM DBA_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM DBA_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT GRANTEE, GRANTED_ROLE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_ROLE_PRIVS A WHERE GRANTED_ROLE=''EXECUTE_CATALOG_ROLE'' AND GRANTEE NOT IN (SELECT USERNAME FROM CDB_USERS WHERE ORACLE_MAINTAINED=''Y'') AND GRANTEE NOT IN (SELECT ROLE FROM CDB_ROLES WHERE ORACLE_MAINTAINED=''Y'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 5.3.3 Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'
+  - id: 24560
+    title: "Ensure 'DBA' Is Revoked from Unauthorized 'GRANTEE'."
+    description: "The Oracle  database  DBA role  is  the default database  administrator role  provided  for the allocation  of  administrative  privileges. Unauthorized  grantees  should  not have  that  role."
+    rationale: "Assignment  of  the DBA role  to  an  ordinary  user  can provide a great number  of  unnecessary privileges  to  that  user  and open  the door  to  data  breaches, integrity violations, and denialof-service  conditions."
+    remediation: "REVOKE DBA FROM <grantee>;"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["5.1", "14.6"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT ''GRANT'' AS PATH, GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = ''DBA'' AND GRANTEE NOT IN (''SYS'', ''SYSTEM'') UNION SELECT ''PROXY'', PROXY || ''-'' || CLIENT, ''DBA'' FROM DBA_PROXIES WHERE CLIENT IN (SELECT GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = ''DBA'');\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT ''GRANT'' AS PATH, GRANTEE, GRANTED_ROLE, DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) CON FROM CDB_ROLE_PRIVS A WHERE GRANTED_ROLE=''DBA'' AND GRANTEE NOT IN (''SYS'', ''SYSTEM'') UNION SELECT ''PROXY'', PROXY || ''-'' || CLIENT, ''DBA'', DECODE (A.CON_ID,0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) CON FROM CDB_PROXIES A WHERE CLIENT IN (SELECT GRANTEE FROM CDB_ROLE_PRIVS B WHERE GRANTED_ROLE = ''DBA'' AND A.CON_ID = B.CON_ID);\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 6 Audit/Logging Policies and Procedures
+  ###############################################
+  ###############################################
+  # 6.1 Traditional Auditing
+  ###############################################
+  # 6.1.1 Ensure the 'USER' Audit Option Is Enabled
+  - id: 24561
+    title: "Ensure the 'USER' Audit Option Is Enabled."
+    description: "The USER object allows  for creating  accounts  that  can interact  with  the database  according to  the roles and privileges  allotted  to  the account.  It  may also  own database  objects. Enabling the audit option  causes  auditing  of  all activities  and requests  to  create, drop  or alter  a user, including a user  changing  their own password. (The  latter  is  not audited by audit ALTER USER.)"
+    rationale: "Any unauthorized  attempts  to  create, drop  or  alter a user  should  cause concern,  whether successful  or  not.  Auditing  can also  be  useful  in  forensics if  an  account is  compromised,  and auditing  is  mandated  by  many  common  security  initiatives.  An  abnormally  high  number  of these  activities  in  a given period  might be  worth investigation.  Any failed  attempt to  drop  a user  or  create  a user  may be  worth further review."
+    remediation: "AUDIT USER;"
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''USER'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''USER'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.2 Ensure the 'ROLE' Audit Option Is Enabled
+  - id: 24562
+    title: "Ensure the 'ROLE' Audit Option Is Enabled."
+    description: "The ROLE object allows  for the creation  of  a set of  privileges  that  can be  granted to  users or other  roles.  Enabling  the audit option  causes  auditing  of  all attempts, successful  or  not,  to create,  drop, alter or  set roles."
+    rationale: "Roles are a key database  security  infrastructure  component.  Any attempt to  create, drop  or alter  a role  should  be  audited.  This  statement auditing  option  also  audits  attempts, successful  or  not,  to  set a role  in  a session.  Any unauthorized  attempts  to  create, drop  or alter  a role  may be  worthy  of  investigation.  Attempts  to  set a role  by  users without the role privilege  may warrant investigation."
+    remediation: "AUDIT ROLE;"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''ROLE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''ROLE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.3 Ensure the 'SYSTEM GRANT' Audit Option Is Enabled
+  - id: 24563
+    title: "Ensure the 'SYSTEM GRANT' Audit Option Is Enabled."
+    description: "Enabling  the audit option  for the SYSTEM GRANT object causes  auditing  of  any attempt, successful or  not,  to  grant or  revoke  any system  privilege or  role, regardless  of  privilege held  by  the user  attempting  the operation."
+    rationale: "Logging of  all grant and revokes (roles  and system  privileges) can provide forensic evidence about a pattern of  suspect/unauthorized  activities. Any unauthorized  attempt may be  cause for further investigation."
+    remediation: "AUDIT SYSTEM GRANT;"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["5.4", "4.8"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SYSTEM GRANT'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SYSTEM GRANT'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.4 Ensure the 'PROFILE' Audit Option Is Enabled
+  - id: 24564
+    title: "Ensure the 'PROFILE' Audit Option Is Enabled."
+    description: "The PROFILE object  allows  for the creation  of  a set of  database  resource  limits  that  can be assigned to  a user, so  that  that  user  cannot  exceed  those resource  limitations.  Enabling  the audit option  causes  auditing  of  all attempts, successful  or  not,  to  create, drop  or  alter any profile."
+    rationale: "As  profiles  are part  of  the database  security  infrastructure, auditing  the creation, modification, and deletion  of  profiles  is  recommended."
+    remediation: "AUDIT PROFILE;"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PROFILE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PROFILE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.5 Ensure the 'DATABASE LINK' Audit Option Is Enabled
+  - id: 24565
+    title: "Ensure the 'DATABASE LINK' Audit Option Is Enabled."
+    description: "Enabling  the audit option  for the DATABASE  LINK  object  causes  all activities  on  database links  to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the creation  or  dropping  of  a DATABASE LINK can provide forensic  evidence  about a pattern of  unauthorized  activities, the audit capability should be  enabled."
+    remediation: "AUDIT DATABASE LINK;"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DATABASE LINK'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DATABASE LINK'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.6 Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled
+  - id: 24566
+    title: "Ensure the 'PUBLIC DATABASE LINK' Audit Option Is Enabled."
+    description: "The PUBLIC DATABASE LINK object allows  for the creation  of  a public  link  for an application-based  user  to  access  the database  for connections/session creation. Enabling the  audit option  causes  all user  activities  involving the creation, alteration, or  dropping  of public links to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the creation, alteration, or  dropping  of  a PUBLIC DATABASE LINK can  provide forensic  evidence  about a pattern of  unauthorized  activities, the audit capability  should  be  enabled."
+    remediation: "AUDIT PUBLIC DATABASE LINK;"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PUBLIC DATABASE LINK'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PUBLIC DATABASE LINK'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.7 Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled
+  - id: 24567
+    title: "Ensure the 'PUBLIC SYNONYM' Audit Option Is Enabled."
+    description: "The PUBLIC SYNONYM object allows  for the creation  of  an  alternate description of  an  object. Public  synonyms  are accessible  by  all users that  have  the appropriate privileges  to  the underlying  object. Enabling  the audit option  causes  all user  activities  involving the creation or dropping  of  public  synonyms  to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the creation  or  dropping  of  a PUBLIC SYNONYM can provide  forensic  evidence  about a pattern of  unauthorized  activities, the audit capability should be  enabled."
+    remediation: "AUDIT PUBLIC SYNONYM;"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PUBLIC SYNONYM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PUBLIC SYNONYM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.8 Ensure the 'SYNONYM' Audit Option Is Enabled
+  - id: 24568
+    title: "Ensure the 'SYNONYM' Audit Option Is Enabled."
+    description: "The SYNONYM operation allows  for the creation  of  an  alternative name  for a database  object such as  a Java  class schema  object, materialized  view, operator, package,  procedure, sequence,  stored  function, table,  view, user-defined  object  type, or  even  another synonym. This synonym puts  a dependency  on  its target  and is  rendered  invalid if  the target  object  is changed/dropped. Enabling  the audit option  causes  all user  activities  involving the creation or dropping  of  synonyms  to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the creation  or  dropping  of  a SYNONYM can provide forensic  evidence  about a pattern of  suspect/unauthorized  activities, the audit capability should be  enabled."
+    remediation: "AUDIT SYNONYM;"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SYNONYM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SYNONYM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.9 Ensure the 'DIRECTORY' Audit Option Is Enabled
+  - id: 24569
+    title: "Ensure the 'DIRECTORY' Audit Option Is Enabled."
+    description: "The DIRECTORY object  allows  for the creation  of  a directory object  that  specifies an  alias for a directory on  the server  file  system, where the external  binary  file  LOBs (BFILEs)/  table data  are located.  Enabling  this  audit option  causes  all user  activities  involving the creation or dropping  of  a directory alias to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the creation  or  dropping  of  a DIRECTORY can provide forensic  evidence  about a pattern of  unauthorized  activities, the audit capability should be  enabled."
+    remediation: "AUDIT DIRECTORY;"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DIRECTORY'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DIRECTORY'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.10 Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled
+  - id: 24570
+    title: "Ensure the 'SELECT ANY DICTIONARY' Audit Option Is Enabled."
+    description: "The SELECT ANY DICTIONARY capability  allows  the user  to  view  the definitions of  all schema objects  in  the database. Enabling  the audit option  causes  all user  activities  involving this capability to  be  audited."
+    rationale: "As  the logging of  user  activities  involving the capability  to  access  the description of  all schema  objects in  the database  can provide forensic  evidence  about a pattern of unauthorized activities, the audit capability  should  be  enabled."
+    remediation: "AUDIT SELECT ANY DICTIONARY;"
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SELECT ANY DICTIONARY'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''SELECT ANY DICTIONARY'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.11 Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled
+  - id: 24571
+    title: "Ensure the 'GRANT ANY OBJECT PRIVILEGE' Audit Option Is Enabled."
+    description: "GRANT ANY OBJECT PRIVILEGE allows the user  to  grant or  revoke  any object  privilege, which  includes  privileges  on  tables, directories,  mining  models, etc.  Enabling  this  audit option  causes  auditing  of  all uses  of  that  privilege."
+    rationale: "Logging of  privilege grants  that  can lead  to  the creation, alteration, or  deletion  of  critical data,  the modification  of  objects,  object  privilege propagation and other such  activities  can be  critical  to  forensic  investigations."
+    remediation: "AUDIT GRANT ANY OBJECT PRIVILEGE;"
+    compliance:
+      - cis: ["6.1.11"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''GRANT ANY OBJECT PRIVILEGE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''GRANT ANY OBJECT PRIVILEGE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.12 Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled
+  - id: 24572
+    title: "Ensure the 'GRANT ANY PRIVILEGE' Audit Option Is Enabled."
+    description: "GRANT ANY PRIVILEGE allows  a user  to  grant any system  privilege,  including the most powerful privileges  typically available only  to  administrators  - to  change  the security infrastructure,  to  drop/add/modify users and more."
+    rationale: "Auditing  the use of  this  privilege is  part  of  a comprehensive auditing  policy  that  can help  in detecting  issues  and can be  useful  in  forensics."
+    remediation: "AUDIT GRANT ANY PRIVILEGE;"
+    compliance:
+      - cis: ["6.1.12"]
+      - cis_csc: ["5.4", "6.2", "4.8", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''GRANT ANY PRIVILEGE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''GRANT ANY PRIVILEGE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.13 Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled
+  - id: 24573
+    title: "Ensure the 'DROP ANY PROCEDURE' Audit Option Is Enabled."
+    description: "The AUDIT DROP ANY PROCEDURE command  is  auditing  the dropping  of  procedures. Enabling  the option  causes  auditing  of  all such  activities."
+    rationale: "Dropping  procedures  of  another user  could be  part  of  a privilege escalation  exploit and should  be  audited."
+    remediation: "AUDIT DROP ANY PROCEDURE;"
+    compliance:
+      - cis: ["6.1.13"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DROP ANY PROCEDURE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''DROP ANY PROCEDURE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled
+  - id: 24574
+    title: "Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled."
+    description: "The logging of  attempts  to  alter the audit trail in  the SYS.AUD$ table  (open for read/update/delete/view)  will  provide a record  of  any activities  that  may indicate unauthorized attempts  to  access  the audit trail.  Enabling  the audit option  will  cause these activities  to  be  audited."
+    rationale: "As  the logging of  attempts  to  alter the SYS.AUD$ table  can provide forensic  evidence  of  the initiation  of  a pattern of  unauthorized  activities, this  logging capability  should  be  enabled."
+    remediation: "AUDIT ALL ON SYS.AUD$ BY ACCESS;"
+    compliance:
+      - cis: ["6.1.14"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT * FROM CDB_OBJ_AUDIT_OPTS WHERE OBJECT_NAME=''AUD$'' AND ALT=''A/A'' AND AUD=''A/A'' AND COM=''A/A'' AND DEL=''A/A'' AND GRA=''A/A'' AND IND=''A/A'' AND INS=''A/A'' AND LOC=''A/A'' AND REN=''A/A'' AND SEL=''A/A'' AND UPD=''A/A'' AND FBK=''A/A'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.15 Ensure the 'PROCEDURE' Audit Option Is Enabled
+  - id: 24575
+    title: "Ensure the 'PROCEDURE' Audit Option Is Enabled."
+    description: "In  this  statement audit,  PROCEDURE means any procedure,  function, package or  library. Enabling this  audit option  causes  any attempt,  successful  or  not,  to  create  or  drop  any of these  types of  objects to  be  audited,  regardless  of  privilege or  lack  thereof.  Java  schema objects  (sources, classes,  and resources)  are considered  the same  as  procedures  for the purposes  of  auditing  SQL statements."
+    rationale: "Any unauthorized  attempts  to  create  or  drop  a procedure in  another's schema  should  cause concern,  whether successful  or  not.  Changes to  critical  stored  code  can dramatically  change the  behavior  of  the application and produce serious security  consequences, including enabling  privilege escalation  and introducing SQL injection vulnerabilities.  Audit records of such changes can be  helpful in  forensics."
+    remediation: "AUDIT PROCEDURE;"
+    compliance:
+      - cis: ["6.1.15"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PROCEDURE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''PROCEDURE'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.16 Ensure the 'ALTER SYSTEM' Audit Option Is Enabled
+  - id: 24576
+    title: "Ensure the 'ALTER SYSTEM' Audit Option Is Enabled."
+    description: "ALTER SYSTEM allows one to  change  instance  settings, including security  settings  and auditing  options.  Additionally, ALTER SYSTEM can  be  used  to  run operating system commands using undocumented  Oracle  functionality.  Enabling  the audit option  will  audit all attempts  to  perform ALTER SYSTEM, whether successful  or  not and regardless  of  whether or  not the ALTER SYSTEM privilege  is  held  by  the user  attempting  the action."
+    rationale: "Any unauthorized  attempt to  alter the system  should  be  cause for concern.  Alterations outside of  some  specified maintenance window  may be  of  concern.  In  forensics,  these audit records could be  quite useful."
+    remediation: "AUDIT ALTER SYSTEM;"
+    compliance:
+      - cis: ["6.1.16"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''ALTER SYSTEM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''ALTER SYSTEM'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.17 Ensure the 'TRIGGER' Audit Option Is Enabled
+  - id: 24577
+    title: "Ensure the 'TRIGGER' Audit Option Is Enabled."
+    description: "A TRIGGER may be  used  to  modify  DML actions or  invoke  other (recursive) actions when some types of  user-initiated  actions occur.  Enabling  this  audit option  will  cause auditing  of any  attempt,  successful  or  not,  to  create, drop, enable  or  disable any schema  trigger in  any schema  regardless  of  privilege or  lack  thereof.  For enabling  and disabling a trigger,  it covers both  ALTER TRIGGER and ALTER TABLE."
+    rationale: "Triggers  are often part  of  schema  security, data  validation  and other critical  constraints upon  actions and data. A trigger in  another schema  may be  used  to  escalate  privileges, redirect  operations, transform data  and perform other sorts of  perhaps undesired actions. Any  unauthorized  attempt to  create, drop  or  alter a trigger in  another schema  may be  cause for investigation."
+    remediation: "AUDIT TRIGGER;"
+    compliance:
+      - cis: ["6.1.17"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''TRIGGER'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''TRIGGER'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.1.18 Ensure the 'CREATE SESSION' Audit Option Is Enabled
+  - id: 24578
+    title: "Ensure the 'CREATE SESSION' Audit Option Is Enabled."
+    description: "Enabling  this  audit option  will  cause auditing  of  all attempts  to  connect to  the database, whether successful  or  not,  as  well  as  audit session disconnects/logoffs.  The commands  to audit  SESSION,  CONNECT or  CREATE SESSION all  accomplish  the same  thing - they  initiate statement  auditing  of  the connect statement used  to  create  a database  session."
+    rationale: "Auditing  attempts  to  connect to  the database  is  basic and mandated  by  most  security initiatives. Any attempt to  logon to  a locked  account,  failed  attempts  to  logon to  default accounts  or  an  unusually high  number  of  failed  logon attempts  of  any sort, for any user, in  a particular  time  period  may indicate  an  intrusion attempt.  In  forensics,  the logon record may  be  first in  a chain of  evidence  and contain information found in  no  other type  of  audit record  for the session.  Logon and logoff  in  the audit trail define  the period  and duration  of the  session."
+    remediation: "AUDIT SESSION;"
+    compliance:
+      - cis: ["6.1.18"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE FROM DBA_STMT_AUDIT_OPTS WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''CREATE SESSION'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"SELECT AUDIT_OPTION,SUCCESS,FAILURE, DECODE (A.CON_ID, 0,(SELECT NAME FROM V\\"\$DATABASE"), 1,(SELECT NAME FROM V\\"\$DATABASE"), (SELECT NAME FROM V\\"\$PDBS" B WHERE A.CON_ID = B.CON_ID)) FROM CDB_STMT_AUDIT_OPTS A WHERE USER_NAME IS NULL AND PROXY_NAME IS NULL AND SUCCESS = ''BY ACCESS'' AND FAILURE = ''BY ACCESS'' AND AUDIT_OPTION=''CREATE SESSION'';\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  ###############################################
+  # 6.2 Unified Auditing
+  ###############################################
+  # 6.2.1 Ensure the 'CREATE USER' Action Audit Is Enabled
+  - id: 24579
+    title: "Ensure the 'CREATE USER' Action Audit Is Enabled."
+    description: "The CREATE USER statement is  used  to create Oracle  database  accounts  and assign  database properties to  them. Enabling  this  unified action  audit causes  logging of  all CREATE USER statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  user  accounts, whether successful  or unsuccessful,  may provide clues and forensic  evidences about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all activities  involving CREATE USER."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE USER;"
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''CREATE USER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE USER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL ;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.2 Ensure the 'ALTER USER' Action Audit Is Enabled
+  - id: 24580
+    title: "Ensure the 'ALTER USER' Action Audit Is Enabled."
+    description: "The ALTER USER statement  is  used  to  change  database  users’  password, lock  accounts, and expire  passwords.  In  addition, this  statement is  used  to  change  database  properties  of  user accounts such  as  database  profiles, default and temporary tablespaces,  and tablespace quotas.  This  unified audit action  enables logging of  all ALTER USER statements,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  alter user  accounts, whether successful  or unsuccessful,  may provide clues and forensic  evidences about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all activities  involving ALTER USER."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER USER;"
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''ALTER USER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER USER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.3 Ensure the 'DROP USER' Audit Option Is Enabled
+  - id: 24581
+    title: "Ensure the 'DROP USER' Audit Option Is Enabled."
+    description: "The DROP USER statement is  used  to  drop  Oracle  database  accounts  and schemas associated with them. Enabling  this  unified action  audit enables logging of  all DROP USER statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by the  users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  user, whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  activities  involving DROP USER."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP USER;"
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''DROP USER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP USER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.4 Ensure the 'CREATE ROLE' Action Audit Is Enabled
+  - id: 24582
+    title: "Ensure the 'CREATE ROLE' Action Audit Is Enabled."
+    description: "An  Oracle  database  role  is  a collection  or  set of  privileges  that  can be  granted to  users or other  roles.  Roles may include system  privileges, object  privileges  or  other roles.  Enabling this unified audit action  enables logging of  all CREATE ROLE statements, whether successful or unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  roles,  whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving CREATE ROLE."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE ROLE;"
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''CREATE ROLE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE ROLE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.5 Ensure the 'ALTER ROLE' Action Audit Is Enabled
+  - id: 24583
+    title: "Ensure the 'ALTER ROLE' Action Audit Is Enabled."
+    description: "An  Oracle  database  role  is  a collection  or  set of  privileges  that  can be  granted to  users or other  roles.  Roles may include system  privileges, object  privileges  or  other roles.  The ALTER ROLE statement  is  used  to  change  the authorization needed  to  enable  a role. Enabling  this unified  action  audit causes  logging of  all ALTER ROLE statements,  whether successful  or unsuccessful,  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  alter roles,  whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving alteration  of  roles."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER ROLE;"
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''ALTER ROLE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER ROLE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.6 Ensure the 'DROP ROLE' Action Audit Is Enabled
+  - id: 24584
+    title: "Ensure the 'DROP ROLE' Action Audit Is Enabled."
+    description: "An  Oracle  database  role  is  a collection  or  set of  privileges  that  can be  granted to  users or other  roles.  Roles may include system  privileges, object  privileges  or  other roles.  Enabling this unified audit action  enables logging of  all DROP ROLE statements, successful  or unsuccessful,  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  roles,  whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving DROP ROLE."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP ROLE;"
+    compliance:
+      - cis: ["6.2.6"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''DROP ROLE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP ROLE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.7 Ensure the 'GRANT' Action Audit Is Enabled
+  - id: 24585
+    title: "Ensure the 'GRANT' Action Audit Is Enabled."
+    description: "GRANT statements  are used  to  grant privileges  to  Oracle  database  users and roles,  including the most  powerful  privileges  and roles typically available to  the database  administrators. Enabling  this  unified action  audit enables logging of  all GRANT statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "With  unauthorized  grants  and permissions,  a malicious user  may be  able  to  change  the security  of  the database, access/update confidential  data, or  compromise  the integrity of the  database. Logging and monitoring  of  all attempts  to  grant system  privileges, object privileges or  roles,  whether successful  or  unsuccessful, may provide forensic  evidence about  potential suspicious/unauthorized activities  as  well  as  privilege escalation  activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization security policies  and industry/government regulations may require logging of  all user activities involving GRANT."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS GRANT;"
+    compliance:
+      - cis: ["6.2.7"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''GRANT'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''GRANT'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.8 Ensure the 'REVOKE' Action Audit Is Enabled
+  - id: 24586
+    title: "Ensure the 'REVOKE' Action Audit Is Enabled."
+    description: "REVOKE statements are used  to  revoke  privileges  from  Oracle  database  users and roles. Enabling this  unified action  audit enables logging of  all REVOKE statements,  successful  or unsuccessful,  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  revoke  system  privileges, object  privileges  or roles, whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving REVOKE."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS REVOKE;"
+    compliance:
+      - cis: ["6.2.8"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''REVOKE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''REVOKE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.9 Ensure the 'CREATE PROFILE' Action Audit Is Enabled
+  - id: 24587
+    title: "Ensure the 'CREATE PROFILE' Action Audit Is Enabled."
+    description: "Oracle  database  profiles  are used  to  enforce resource  usage limits  and implement password  policies  such  as  password  complexity  rules and reuse restrictions. Enabling  this unified  action  audit enables logging of  all CREATE PROFILE statements,  whether successful or unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  profiles, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving creation  of  database  profiles."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROFILE;"
+    compliance:
+      - cis: ["6.2.9"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''CREATE PROFILE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE PROFILE'') AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.10 Ensure the 'ALTER PROFILE' Action Audit Is Enabled
+  - id: 24588
+    title: "Ensure the 'ALTER PROFILE' Action Audit Is Enabled."
+    description: "Oracle  database  profiles  are used  to  enforce resource  usage limits  and implement password  policies  such  as  password  complexity  rules and reuse restrictions. Enabling  this unified  action  audit enables logging of  all ALTER PROFILE statements, whether successful  or unsuccessful,  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  alter profiles, whether successful  or  unsuccessful, may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security policies and industry/government regulations may require logging of  all user  activities involving  alteration  of  database  profiles."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROFILE;"
+    compliance:
+      - cis: ["6.2.10"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''ALTER PROFILE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER PROFILE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.11 Ensure the 'DROP PROFILE' Action Audit Is Enabled
+  - id: 24589
+    title: "Ensure the 'DROP PROFILE' Action Audit Is Enabled ."
+    description: "Oracle  database  profiles  are used  to  enforce resource  usage limits  and implement password  policies  such  as  password  complexity  rules and reuse restrictions. Enabling  this unified  action  audit enables logging of  all DROP PROFILE statements,  whether successful  or unsuccessful,  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  profiles, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving dropping  database  profiles."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROFILE;"
+    compliance:
+      - cis: ["6.2.11"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''DROP PROFILE'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP PROFILE'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.12 Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled
+  - id: 24590
+    title: "Ensure the 'CREATE DATABASE LINK' Action Audit Is Enabled."
+    description: "Oracle  database  links are used  to  establish database-to-database  connections to  other databases.  These connections are available without further authentication  once  the link  is established. Enabling  this  unified action  audit causes  logging of  all CREATE DATABASE and CREATE PUBLIC DATABASE statements,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  database  links,  whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving creation  of  database  links."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE DATABASE LINK;"
+    compliance:
+      - cis: ["6.2.12"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''CREATE DATABASE LINK'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE DATABASE LINK'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.13 Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled
+  - id: 24591
+    title: "Ensure the 'ALTER DATABASE LINK' Action Audit Is Enabled."
+    description: "Oracle  database  links are used  to  establish database-to-database  connections to  other databases.  These connections are always  available without further authentication  once  the link  is  established.  Enabling  this  unified action  audit causes  logging of  all ALTER DATABASE and  ALTER PUBLIC DATABASE statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  alter database  links,  whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving alteration  of  database  links."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER DATABASE LINK;"
+    compliance:
+      - cis: ["6.2.13"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''ALTER DATABASE LINK'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER DATABASE LINK'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.14 Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled
+  - id: 24592
+    title: "Ensure the 'DROP DATABASE LINK' Action Audit Is Enabled."
+    description: "Oracle  database  links are used  to  establish database-to-database  connections to  other databases.  These connections are always  available without further authentication  once  the link  is  established.  Enabling  this  unified action  audit causes  logging of  all DROP DATABASE and DROP PUBLIC DATABASE, whether successful  or  unsuccessful, statements  issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  database  links,  whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving dropping  database  links."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP DATABASE LINK;"
+    compliance:
+      - cis: ["6.2.14"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS (SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''DROP DATABASE LINK'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP DATABASE LINK'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.15 Ensure the 'CREATE SYNONYM' Action Audit Is Enabled
+  - id: 24593
+    title: "Ensure the 'CREATE SYNONYM' Action Audit Is Enabled."
+    description: "An  Oracle  database  synonym is  used  to  create  an  alternative name  for a database  object such as  table,  view, procedure,  java  object  or  even  another synonym,  etc.  Enabling  this unified  action  audit causes  logging of  all CREATE SYNONYM and  CREATE PUBLIC SYNONYM statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  synonyms, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving creation  of  synonyms  or public synonyms."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE SYNONYM;"
+    compliance:
+      - cis: ["6.2.15"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''CREATE SYNONYM'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE SYNONYM'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.16 Ensure the 'ALTER SYNONYM' Action Audit Is Enabled
+  - id: 24594
+    title: "Ensure the 'ALTER SYNONYM' Action Audit Is Enabled."
+    description: "An  Oracle  database  synonym is  used  to  create  an  alternative name  for a database  object such as  table,  view, procedure,  or  java  object, or  even  another synonym.  Enabling  this unified  action  audit causes  logging of  all ALTER SYNONYM and ALTER PUBLIC SYNONYM statements,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  alter synonyms, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving alteration  of  synonyms  or public synonyms."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYNONYM;"
+    compliance:
+      - cis: ["6.2.16"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY(''ALTER SYNONYM'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER SYNONYM'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.17 Ensure the 'DROP SYNONYM' Action Audit Is Enabled
+  - id: 24595
+    title: "Ensure the 'DROP SYNONYM' Action Audit Is Enabled."
+    description: "An  Oracle  database  synonym is  used  to  create  an  alternative name  for a database  object such as  table,  view, procedure,  or  java  object, or  even  another synonym.  Enabling  his unified action  audit causes  logging of  all DROP SYNONYM and  DROP PUBLIC SYNONYM statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  synonyms, whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities involving  dropping  of  synonyms  or  public  synonyms."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP SYNONYM;"
+    compliance:
+      - cis: ["6.2.17"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''DROP SYNONYM'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP SYNONYM'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.18 Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled
+  - id: 24596
+    title: "Ensure the 'SELECT ANY DICTIONARY' Privilege Audit Is Enabled."
+    description: "The SELECT ANY DICTIONARY system  privilege allows  the user  to  view  the definition  of  all schema  objects in  the database. It  grants  SELECT privileges on  the data  dictionary  objects to the  grantees, including SELECT on DBA_ views, V$ views, X$ views  and underlying  SYS tables such as  TAB$ and  OBJ$. This  privilege also  allows  grantees  to  create  stored  objects such  as procedures,  packages  and views on  the underlying  data  dictionary  objects.  Please  note  that this privilege does  not grant SELECT on tables  with  password  hashes  such  as  USER$, DEFAULT_PWD$,  LINK$,  and USER_HISTORY$.  Enabling  this  audit causes  logging of  activities that exercise  this  privilege."
+    rationale: "Logging and monitoring  of  all attempts  to  access  a data  dictionary, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving access  to  the database."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD PRIVILEGES SELECT ANY DICTIONARY;"
+    compliance:
+      - cis: ["6.2.18"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''SELECT ANY DICTIONARY'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''SELECT ANY DICTIONARY'' ) AND AUD.AUDIT_OPTION_TYPE = ''SYSTEM PRIVILEGE'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL ;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.19 Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is Enabled
+  - id: 24597
+    title: "Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is Enabled."
+    description: "The AUDSYS.AUD$UNIFIED holds  audit trail records generated by  the database. Enabling  this audit  action  causes  logging of  all access  attempts  to  the AUDSYS.AUD$UNIFIED, whether successful  or  unsuccessful, regardless  of  the privileges  held  by  the users to  issue such statements."
+    rationale: "Logging and monitoring  of  all attempts  to  access  the AUDSYS.AUD$UNIFIED, whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving access  to  this  table."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALL on AUDSYS.AUD$UNIFIED;"
+    compliance:
+      - cis: ["6.2.19"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''AUD$UNIFIED'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT OBJECT_NAME FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALL'' ) AND AUD.AUDIT_OPTION_TYPE = ''OBJECT ACTION'' AND AUD.OBJECT_SCHEMA = ''AUDSYS'' AND AUD.OBJECT_NAME = ''AUD$UNIFIED'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.OBJECT_NAME WHERE E.OBJECT_NAME IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.20 Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled
+  - id: 24598
+    title: "Ensure the 'CREATE PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled."
+    description: "Oracle  database  procedures, function, packages, and package bodies, which are stored within the database, are created to  perform business  functions and access  database  as defined  by  PL/SQL  code  and SQL statements  contained within  these objects.  Enabling  this unified  action  audit causes  logging of  all CREATE PROCEDURE, CREATE FUNCTION,  CREATE PACKAGE and  CREATE PACKAGE BODY statements, successful  or  unsuccessful, statements issued by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  procedures, functions,  packages  or package  bodies, whether successful  or  unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving creation  of  procedures, functions,  packages  or  package bodies."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE PROCEDURE, CREATE FUNCTION, CREATE PACKAGE, CREATE PACKAGE BODY;"
+    compliance:
+      - cis: ["6.2.20"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''CREATE PROCEDURE'',''CREATE FUNCTION'',''CREATE PACKAGE'',''CREATE PACKAGE BODY'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE PROCEDURE'',''CREATE FUNCTION'',''CREATE PACKAGE'',''CREATE PACKAGE BODY'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.21 Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled
+  - id: 24599
+    title: "Ensure the 'ALTER PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled."
+    description: "Oracle  database  procedures, functions,  packages, and package bodies, which are stored within the database, are created to  carry out business  functions and access  database  as defined  by  PL/SQL  code  and SQL statements  contained within  these objects.  Enabling  this unified  action  audit causes  logging of  all ALTER PROCEDURE,  ALTER FUNCTION, ALTER PACKAGE and ALTER PACKAGE BODY statements,  successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Unauthorized  alteration  of  procedures, functions,  packages  or  package bodies  may impact critical business  functions or  compromise  integrity of  the database. Logging and monitoring  of  all attempts, whether successful  or  unsuccessful, to  alter procedures, functions,  packages  or  package bodies  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving alteration  of  procedures, functions,  packages  or  package bodies."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER PROCEDURE, ALTER FUNCTION, ALTER PACKAGE, ALTER PACKAGE BODY;"
+    compliance:
+      - cis: ["6.2.21"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''ALTER PROCEDURE'',''ALTER FUNCTION'',''ALTER PACKAGE'',''ALTER PACKAGE BODY'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER PROCEDURE'',''ALTER FUNCTION'',''ALTER PACKAGE'',''ALTER PACKAGE BODY'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.22 Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled
+  - id: 24600
+    title: "Ensure the 'DROP PROCEDURE/FUNCTION/PACKAGE/PACKAGE BODY' Action Audit Is Enabled."
+    description: "Oracle  database  procedures, functions,  packages, and package bodies, which are stored within the database, are created to  carry out business  functions and access  database  as defined  by  PL/SQL  code  and SQL statements  contained within  these objects.  Enabling  this unified  action  audit causes  logging of  all DROP PROCEDURE, DROP FUNCTION,  DROP PACKAGE or DROP PACKAGE BODY statements, successful  or  unsuccessful, issued  by  the users regardless of the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts, whether successful  or  unsuccessful, to  drop procedures,  functions,  packages  or  package bodies  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving dropping  procedures, functions,  packages  or  package bodies."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP PROCEDURE, DROP FUNCTION, DROP PACKAGE, DROP PACKAGE BODY;"
+    compliance:
+      - cis: ["6.2.22"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS (SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''DROP PROCEDURE'',''DROP FUNCTION'',''DROP PACKAGE'',''DROP PACKAGE BODY'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP PROCEDURE'',''DROP FUNCTION'',''DROP PACKAGE'',''DROP PACKAGE BODY'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.23 Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled
+  - id: 24601
+    title: "Ensure the 'ALTER SYSTEM' Privilege Audit Is Enabled."
+    description: "The ALTER SYSTEM privilege  allows  the user  to  change  instance  settings  which could impact security posture,  performance or  normal  operation of  the database. Additionally, the ALTER SYSTEM privilege  may be  used  to  run operating system  commands  using undocumented Oracle functionality.  Enabling  this  unified audit causes  logging of  activities  that  involve exercise  of  this  privilege,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  execute ALTER SYSTEM statements,  whether successful  or  unsuccessful, may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  that  involve ALTER SYSTEM statements."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER SYSTEM;"
+    compliance:
+      - cis: ["6.2.23"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''ALTER SYSTEM'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER SYSTEM'' ) AND AUD.AUDIT_OPTION_TYPE = ''SYSTEM PRIVILEGE'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.24 Ensure the 'CREATE TRIGGER' Action Audit Is Enabled
+  - id: 24602
+    title: "Ensure the 'CREATE TRIGGER' Action Audit Is Enabled."
+    description: "Oracle  database  triggers  are executed  automatically when  specified conditions  on  the underlying  objects occur.  Trigger bodies  contain the code, quite often to  perform data validation,  ensure  data  integrity/security  or  enforce critical  constraints on  allowable actions on  data. Enabling  this  unified audit causes  logging of  all CREATE TRIGGER statements,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  create  triggers, whether successful  or unsuccessful,  may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving creation  of  triggers."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS CREATE TRIGGER;"
+    compliance:
+      - cis: ["6.2.24"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''CREATE TRIGGER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''CREATE TRIGGER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.25 Ensure the 'ALTER TRIGGER' Action Audit IS Enabled
+  - id: 24603
+    title: "Ensure the 'ALTER TRIGGER' Action Audit IS Enabled."
+    description: "Oracle  database  triggers  are executed  automatically when  specified conditions  on  the underlying  objects occur.  Trigger bodies  contain the code, quite often to  perform data validation,  ensure  data  integrity/security  or  enforce critical  constraints on  allowable actions on  data. Enabling  this  unified audit causes  logging of  all ALTER TRIGGER statements, whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by the  users to  issue such  statements."
+    rationale: "Unauthorized  alteration  of  triggers  may impact  critical  business  functions or  compromise integrity/security of  the database. Logging and monitoring  of  all attempts  to  alter triggers, whether successful  or  unsuccessful, may provide clues and forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of  all user  activities  involving alteration  of  triggers."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS ALTER TRIGGER;"
+    compliance:
+      - cis: ["6.2.25"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''ALTER TRIGGER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''ALTER TRIGGER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.26 Ensure the 'DROP TRIGGER' Action Audit Is Enabled
+  - id: 24604
+    title: "Ensure the 'DROP TRIGGER' Action Audit Is Enabled."
+    description: "Oracle  database  triggers  are executed  automatically when  specified conditions  on  the underlying  objects occur.  Trigger bodies  contain the code, quite often to  perform data validation,  ensure  data  integrity/security  or  enforce critical  constraints on  allowable actions on  data. Enabling  this  unified audit causes  logging of  all DROP TRIGGER statements, whether  successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by the  users to  issue such  statements."
+    rationale: "Logging and monitoring  of  all attempts  to  drop  triggers, whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving dropping  triggers."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS DROP TRIGGER;"
+    compliance:
+      - cis: ["6.2.26"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''DROP TRIGGER'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''DROP TRIGGER'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
+
+  # 6.2.27 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled
+  - id: 24605
+    title: "Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled."
+    description: "Oracle  database  users log on  to  the database  to  perform their work. Enabling  this  unified audit causes  logging of  all LOGON actions,  whether successful  or  unsuccessful, issued  by  the users regardless  of  the privileges  held  by  the users to  log into  the database. In  addition, LOGOFF action audit captures  logoff  activities. This  audit action  also  captures  logon/logoff  to the  open  database  by  SYSDBA and  SYSOPER."
+    rationale: "Logging and monitoring  of  all attempts  to  logon to  the database, whether successful  or unsuccessful,  may provide forensic  evidence  about potential suspicious/unauthorized activities. Any such  activities  may be  a cause for further investigation.  In  addition, organization  security  policies  and industry/government regulations may require logging of all  user  activities  involving LOGON and LOGOFF."
+    remediation: "ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY ADD ACTIONS LOGON, LOGOFF;"
+    compliance:
+      - cis: ["6.2.27"]
+      - cis_csc: ["6.2", "16", "6.3"]
+    condition: any
+    rules:
+      - 'c:sudo -u oracle bash -c ". ~/.bash_profile; echo \"WITH CIS_AUDIT(AUDIT_OPTION) AS ( SELECT * FROM TABLE( DBMSOUTPUT_LINESARRAY( ''LOGON'',''LOGOFF'' ) ) ), AUDIT_ENABLED AS ( SELECT DISTINCT AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES AUD WHERE AUD.AUDIT_OPTION IN (''LOGON'',''LOGOFF'' ) AND AUD.AUDIT_OPTION_TYPE = ''STANDARD ACTION'' AND EXISTS (SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES ENABLED WHERE ENABLED.SUCCESS = ''YES'' AND ENABLED.FAILURE = ''YES'' AND ENABLED.ENABLED_OPTION = ''BY USER'' AND ENABLED.ENTITY_NAME = ''ALL USERS'' AND ENABLED.POLICY_NAME = AUD.POLICY_NAME) ) SELECT C.AUDIT_OPTION FROM CIS_AUDIT C LEFT JOIN AUDIT_ENABLED E ON C.AUDIT_OPTION = E.AUDIT_OPTION WHERE E.AUDIT_OPTION IS NULL;\" | sqlplus / as sysdba | grep \"no rows selected\"" -> no rows selected'
diff --git a/etc/ruleset/sca/rhel/5/cis_rhel5_linux.yml b/etc/ruleset/sca/rhel/5/cis_rhel5_linux.yml
new file mode 100644
index 0000000000..f3e41d1915
--- /dev/null
+++ b/etc/ruleset/sca/rhel/5/cis_rhel5_linux.yml
@@ -0,0 +1,1047 @@
+# Security Configuration Assessment
+# CIS Checks for RHEL 5
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Red Hat Enterprise Linux 5 v2.2.0 - 03-02-2015
+
+policy:
+  id: "cis_rhel5_linux"
+  file: "cis_rhel5_linux.yml"
+  name: "CIS Red Hat Enterprise Linux 5 Benchmark v2.2.0"
+  description: "This document, Security Configuration Benchmark for Red Hat Enterprise Linux 5 provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux (RHEL) versions 5.0 - 5.11 running on x86 platforms."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RHEL5 version"
+  description: "Requirements for running the SCA scan against RHEL 5 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5"
+    - "f:/etc/redhat-release -> r:^CentOS && r:release 5"
+    - "f:/etc/redhat-release -> r:^Cloud && r:release 5"
+    - "f:/etc/redhat-release -> r:^Oracle && r:release 5"
+    - "f:/etc/redhat-release -> r:^Better && r:release 5"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1 /tmp: partition
+  - id: 3500
+    title: "Create Separate Partition for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
+    remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.1"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+      - CCE-14161-4
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  # 1.1.2 /tmp: nodev
+  - id: 3501
+    title: "Set nodev option for /tmp Partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-14412-1
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.3 /tmp: nosuid
+  - id: 3502
+    title: "Set nosuid option for /tmp Partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)."
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-14940-1
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.4 /tmp: noexec
+  - id: 3503
+    title: "Set noexec option for /tmp Partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-14412-1
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.5 Build considerations - Partition scheme.
+  - id: 3504
+    title: "Create Separate Partition for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.5"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+      - CCE-14777-7
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.6 bind mount /var/tmp to /tmp
+  - id: 3505
+    title: "Bind Mount the /var/tmp directory to /tmp"
+    description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected."
+    rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
+    remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
+    compliance:
+      - cis: ["1.1.6"]
+    references:
+      - CCE-14584-7
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.7 /var/log: partition
+  - id: 3506
+    title: "Create Separate Partition for /var/log"
+    description: "The /var/log directory is used by system services to store log data ."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.7"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+      - CCE-14011-1
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.8 /var/log/audit: partition
+  - id: 3507
+    title: "Create Separate Partition for /var/log/audit"
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+    remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.8"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+      - CCE-14171-3
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.9 /home: partition
+  - id: 3508
+    title: "Create Separate Partition for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+    compliance:
+      - cis: ["1.1.9"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+      - CCE-14559-9
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.10 /home: nodev
+  - id: 3509
+    title: "Add nodev Option to /home"
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.10"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4249-9
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.14 /dev/shm: nodev
+  - id: 3510
+    title: "Add nodev Option to /dev/shm Partition"
+    description: "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-15007-8
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nosuid
+  - id: 3511
+    title: "Add nosuid Option to /dev/shm Partition"
+    description: "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-14306-5
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.16 /dev/shm: noexec
+  - id: 3512
+    title: "Add noexec Option to /dev/shm Partition"
+    description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-14927-8
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  ##########################################
+  # 1.2 Software Updates
+  ##########################################
+  # 1.2.5 Disable yum-updatesd (Scored)
+  - id: 3513
+    title: "Disable yum-updatesd"
+    description: "The yum-updatesd utility provides notification of updates that are available for your system."
+    rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
+    remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off"
+    compliance:
+      - cis: ["1.2.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - CCE-4218-4
+    condition: none
+    rules:
+      - "c:/sbin/chkconfig --list -> r:yum-updatesd && r::on"
+
+  ###############################################
+  # 1.4 Configure SELinux
+  ###############################################
+  # 1.4.1 enable selinux in /etc/grub.conf
+  - id: 3514
+    title: "Enable SELinux in /etc/grub.conf"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
+    rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
+    remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf."
+    compliance:
+      - cis: ["1.4.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3977-6
+    condition: none
+    rules:
+      - "f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0"
+
+  # 1.4.2 Set selinux state
+  - id: 3515
+    title: "Set the SELinux State"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.4.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3999-0
+    condition: all
+    rules:
+      - "f:/etc/selinux/config -> r:^SELINUX=enforcing$"
+
+  # 1.4.3 Set seliux policy
+  - id: 3516
+    title: "Set the SELinux Policy"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3624-4
+    condition: all
+    rules:
+      - "f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$"
+
+  # 1.4.4 Remove SETroubleshoot
+  - id: 3517
+    title: "Remove SETroubleshoot"
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "rpm -qa setroubleshoot"
+    compliance:
+      - cis: ["1.4.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:/sbin/chkconfig --list -> r:setroubleshoot && r::on"
+
+  # 1.4.5 Disable MCS Translation service mcstrans
+  - id: 3518
+    title: "Disable MCS Translation Service (mcstrans)"
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+    rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "# chkconfig mctrans off"
+    compliance:
+      - cis: ["1.4.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3668-1
+    condition: none
+    rules:
+      - "c:/sbin/chkconfig --list -> r:mctrans && r::on"
+
+  ###############################################
+  # 1.5  Secure Boot Settings
+  ###############################################
+  # 1.5.3 Set Boot Loader Password (Scored)
+  - id: 3519
+    title: "Set Boot Loader Password"
+    description: "Setting the boot loader password will require that the person who is rebooting system the must enter a password before being able to set command line boot parameters"
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: "Set a bootloader password"
+    compliance:
+      - cis: ["1.5.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3818-2
+    condition: all
+    rules:
+      - "f:/boot/grub/grub.conf -> !r:^# && r:password --md5"
+
+  # 1.5.4 Require Authentication for Single-User Mode (Scored)
+  - id: 3520
+    title: "Require Authentication for Single-User Mode"
+    description: "Since /etc/init determines what run state the system is in, setting the entry in /etc/inittab will force single user authentication."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin"
+    compliance:
+      - cis: ["1.5.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4241-6
+    condition: none
+    rules:
+      - "f:/etc/inittab -> r:^~:S:wait:/sbin/sulogin"
+
+  # 1.5.5 Disable Interactive Boot (Scored)
+  - id: 3521
+    title: "Disable Interactive Boot"
+    description: "The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
+    rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
+    remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ."
+    compliance:
+      - cis: ["1.5.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4245-7
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/init -> r:^PROMPT=no$"
+
+  ###############################################
+  # 1.6  Additional Process Hardening
+  ###############################################
+  # 1.6.1 Restrict Core Dumps (Scored)
+  - id: 3522
+    title: "Restrict Core Dumps"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0"
+    compliance:
+      - cis: ["1.6.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:/sbin/sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 3523
+    title: "Enable Randomized Virtual Memory Region Placement"
+    description: "Set the system flag to force randomized virtual memory region placement."
+    rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2"
+    compliance:
+      - cis: ["1.6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4146-7
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.6.2 Configure ExecShield (Scored)
+  - id: 3524
+    title: "Configure ExecShield"
+    description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1"
+    compliance:
+      - cis: ["1.6.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4168-1
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl kernel.exec-shield -> r:\s1$'
+
+  # 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
+  # TODO
+  # 1.6.5 Disable Prelink (Scored)
+  - id: 3525
+    title: "Disable Prelink"
+    description: "Prelinking is a performance enhancing feature that decreases process start up time. It loads shared libraries into addresses for which the linking of required symbols has already been performed. After a binary has been prelinked, the addresses at which shared libraries is not changed, even if kernel.randomize_va_space is set to 1."
+    rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)."
+    remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no"
+    compliance:
+      - cis: ["1.6.5"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/prelink -> r:^PRELINKING=no$"
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 Remove Legacy Services
+  ###############################################
+  # 2.1.1 Remove telnet-server (Scored)
+  - id: 3526
+    title: "Remove telnet-server"
+    description: "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions."
+    remediation: "# yum erase telnet-server"
+    compliance:
+      - cis: ["2.1.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3390-2
+      - CCE-4330-7
+    condition: none
+    rules:
+      - "c:rpm -qa telnet-server -> r:telnet-server"
+
+  # Remove rsh-server (Scored)
+  - id: 3527
+    title: "Remove rsh-server"
+    description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "# yum erase rsh-server"
+    compliance:
+      - cis: ["2.1.3"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4308-3
+    condition: none
+    rules:
+      - "c:rpm -qa rsh-server -> r:rsh-server"
+
+  - id: 3528
+    title: "Remove NIS Client"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files"
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "# yum erase ypbind"
+    compliance:
+      - cis: ["2.1.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3705-1 (disable)
+      - CCE-4348-9 (uninstall)
+    condition: none
+    rules:
+      - "c:rpm -qa ypbind -> r:ypbind"
+
+  # 2.1.6 Remove NIS Server (Scored)
+  - id: 3529
+    title: "Remove NIS Server"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
+    remediation: "# yum erase ypserv"
+    compliance:
+      - cis: ["2.1.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3705-1 (disable)
+      - CCE-4348-9 (uninstall)
+    condition: none
+    rules:
+      - "c:rpm -qa ypserv -> r:ypserv"
+
+  # 2.1.7 Remove tftp (Scored)
+  - id: 3530
+    title: "Remove tftp-server"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "# yum erase tftp-server"
+    compliance:
+      - cis: ["2.1.8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4273-9 (disable)
+      - CCE-3916-4 (uninstall)
+    condition: none
+    rules:
+      - "c:rpm -qa tftpd -> r:tftpd"
+
+  # 2.1.9 Remove talk (Scored)
+  - id: 3531
+    title: "Remove talk-server"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "# yum erase talk-server"
+    compliance:
+      - cis: ["2.1.10"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa talk-server -> r:talk-server"
+
+  ###############################################
+  # 3 Special Purpose Services
+  ###############################################
+  # 3.2 Set Daemon umask (Scored)
+  - id: 3532
+    title: "Set Daemon umask"
+    description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
+    rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
+    remediation: "Add the following line to the /etc/sysconfig/init file. umask 027"
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/init -> umask 027"
+
+  # 3.3 Remove X Windows (Scored)
+  - id: 3533
+    title: "Remove X Windows"
+    description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'"
+    compliance:
+      - cis: ["3.3"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:/etc/inittab -> r:^\s*id:3:initdefault'
+      - "not c:yum grouplist X?Window?System -> r:Installed Groups"
+
+  # 3.1.1 Disable Avahi Server (Scored)
+  - id: 3534
+    title: "Disable Avahi Server"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
+    rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it."
+    remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf."
+    compliance:
+      - cis: ["3.1.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:/sbin/chkconfig --list -> r:avahi-daemon && r::on"
+
+  # 3.8 Disable NFS and RPC (Not Scored)
+  - id: 3535
+    title: "Disable NFS and RPC"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;"
+    compliance:
+      - cis: ["3.8"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on"
+
+  # 3.10 Remove FTP Server (Not Scored)
+  - id: 3536
+    title: "Remove FTP Server"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "# yum erase vsftpd"
+    compliance:
+      - cis: ["3.10"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa vsftpd -> r:vsftpd"
+
+  # 3.11 Remove HTTP Server (Not Scored)
+  - id: 3537
+    title: "Remove HTTP Server"
+    description: "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with Red Hat Linux is Apache."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "# yum erase httpd"
+    compliance:
+      - cis: ["3.11"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa httpd -> r:httpd"
+
+  # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+  - id: 3538
+    title: "Remove Dovecot"
+    description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
+    remediation: "# yum erase dovecot"
+    compliance:
+      - cis: ["3.12"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa dovecot -> r:dovecot"
+
+  # 3.13 Remove Samba (Not Scored)
+  - id: 3539
+    title: "Remove Samba"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "# yum erase samba"
+    compliance:
+      - cis: ["3.13"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa samba -> r:samba"
+
+  # 3.14 Remove HTTP Proxy Server (Not Scored)
+  - id: 3540
+    title: "Remove HTTP Proxy Server"
+    description: "The default HTTP proxy package shipped with Red Hat Linux is squid."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "# yum erase squid"
+    compliance:
+      - cis: ["3.14"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa squid -> r:squid"
+
+  # 3.15 Remove SNMP Server (Not Scored)
+  - id: 3541
+    title: "Remove SNMP Server"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
+    remediation: "# yum erase net-snmp"
+    compliance:
+      - cis: ["3.15"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa net-snmp -> r:net-snmp"
+
+  ###############################################
+  # 4 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 4.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 4.1.1 Disable IP Forwarding (Scored)
+  - id: 3542
+    title: "Disable IP Forwarding"
+    description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
+    rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:"
+    compliance:
+      - cis: ["4.1.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3561-8
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  # 4.1.2 Disable Send Packet Redirects (Scored)
+  - id: 3543
+    title: "Disable Send Packet Redirects"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf"
+    compliance:
+      - cis: ["4.1.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4151-7
+      - CCE-4155-8
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 4.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 4.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 3544
+    title: "Disable Source Routed Packet Acceptance"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
+    remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4236-6
+      - CCE-4091-5
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 4.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 3545
+    title: "Disable ICMP Redirect Acceptance"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4217-6
+      - CCE-4186-3
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  # 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 3546
+    title: "Disable Secure ICMP Redirect Acceptance"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3472-8
+      - CCE-3339-9
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 4.2.4 Log Suspicious Packets (Scored)
+  - id: 3547
+    title: "Log Suspicious Packets"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4320-8
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 4.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 3548
+    title: "Enable Ignore Broadcast Requests"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+    remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-3644-2
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 4.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 3549
+    title: "Enable Bad Error Message Protection"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4133-5
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
+  - id: 3550
+    title: "Enable RFC-recommended Source Route Validation"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
+    remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4080-8
+      - CCE-3840-6
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 4.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 3551
+    title: "Enable TCP SYN Cookies"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
+    remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match."
+    compliance:
+      - cis: ["4.2.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    references:
+      - CCE-4265-5
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  ###############################################
+  # 6 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 6.1 Configure SSH
+  ###############################################
+  # 6.2.1 Set SSH Protocol to 2 (Scored)
+  - id: 3552
+    title: "Set SSH Protocol to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["6.2.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - CCE-4245-7
+      - https://www.ssh.com/ssh/
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
+
+  # 6.2.2 Set LogLevel to INFO (Scored)
+  - id: 3553
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
+
+  # 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 3554
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 3555
+    title: "Set SSH IgnoreRhosts to Yes"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["6.2.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - CCE-4250-7
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
+
+  # 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 3556
+    title: "Set SSH HostbasedAuthentication to No"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["6.2.7"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - CCE-4251-5
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+
+  # 6.2.8 Disable SSH Root Login (Scored)
+  - id: 3557
+    title: "Disable SSH Root Login"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["6.2.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - CCE-4252-3
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
+
+  # 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 3558
+    title: "Set SSH PermitEmptyPasswords to No"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["6.2.9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - CCE-4256-4
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+
+  ###############################################
+  # 9 System Maintenance
+  ###############################################
+  ###############################################
+  # 9.2 Review User and Group Settings
+  ###############################################
+  # 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 3559
+    title: "Verify No UID 0 Accounts Exist Other Than root"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["9.2.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - CCE-4009-7
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/etc/ruleset/sca/rhel/6/cis_rhel6_linux.yml b/etc/ruleset/sca/rhel/6/cis_rhel6_linux.yml
new file mode 100644
index 0000000000..e7798f3302
--- /dev/null
+++ b/etc/ruleset/sca/rhel/6/cis_rhel6_linux.yml
@@ -0,0 +1,3235 @@
+# Security Configuration Assessment
+# CIS Checks for RHEL 6
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Red Hat Enterprise Linux 6 v2.1.0 - 12-27-2017
+
+policy:
+  id: "cis_rhel6_linux"
+  file: "cis_rhel6_linux.yml"
+  name: "CIS Red Hat Enterprise Linux 6 Benchmark v2.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 6 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 6.9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RHEL6 version"
+  description: "Requirements for running the policy against RHEL 6 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6"
+    - "f:/etc/redhat-release -> r:^Cloud && r:release 6"
+    - "f:/etc/redhat-release -> r:^Oracle && r:release 6"
+    - "f:/etc/redhat-release -> r:^Better && r:release 6"
+    - "f:/etc/system-release -> r:^Amazon Linux AMI"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 cramfs: filesystem
+  - id: 4000
+    title: "Ensure mounting of cramfs filesystems is disabled"
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 freevxfs: filesystem
+  - id: 4001
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true. Run the following command to unload the freevxfs module: rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:install /bin/true|Module freevxfs not found"
+      - "not c:lsmod -> r:freevxfs"
+
+  # 1.1.1.3 jffs2: filesystem
+  - id: 4002
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true. Run the following command to unload the jffs2 module: rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:install /bin/true|Module jffs2 not found"
+      - "not c:lsmod -> r:jffs2"
+
+  # 1.1.1.4 hfs: filesystem
+  - id: 4003
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true. Run the following command to unload the hfs module: rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:install /bin/true|Module hfs not found"
+      - "not c:lsmod -> r:hfs"
+  # 1.1.1.5 hfsplus: filesystem
+  - id: 4004
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true. Run the following command to unload the hfsplus module: rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:install /bin/true|Module hfsplus not found"
+      - "not c:lsmod -> r:hfsplus"
+  # 1.1.1.6 squashfs: filesystem
+  - id: 4005
+    title: "Ensure mounting of squashfs filesystems is disabled"
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+  # 1.1.1.7 udfs: filesystem
+  - id: 4006
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true. Run the following command to unload the udf module: rmmod udf"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.1.8 FAT: filesystem
+  - id: 4007
+    title: "Ensure mounting of FAT filesystems is disabled"
+    description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install vfat /bin/true. Run the following command to unload the vfat module: rmmod vfat"
+    compliance:
+      - cis: ["1.1.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v vfat -> r:install /bin/true|Module vfat not found"
+      - "not c:lsmod -> r:vfat"
+
+  # 1.1.2 /tmp: partition
+  - id: 4008
+    title: "Ensure separate partition exists for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  # 1.1.3 /tmp: nodev
+  - id: 4009
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstabfile and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp:# mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.4 /tmp: nosuid
+  - id: 4010
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.5 /tmp: noexec
+  - id: 4011
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5)manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.6 Build considerations - Partition scheme.
+  - id: 4012
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.7 bind mount /var/tmp to /tmp
+  - id: 4013
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.8 nodev set on /var/tmp
+  - id: 4014
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  # 1.1.9 nosuid set on /var/tmp
+  - id: 4015
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  # 1.1.10 noexec set on /var/tmp
+  - id: 4016
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  # 1.1.11 /var/log: partition
+  - id: 4017
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data ."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.12 /var/log/audit: partition
+  - id: 4018
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.13 /home: partition
+  - id: 4019
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.14 /home: nodev
+  - id: 4020
+    title: "Ensure nodev option set on /home partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nodev
+  - id: 4021
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.16 /dev/shm: nosuid
+  - id: 4022
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.17 /dev/shm: noexec
+  - id: 4023
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  # 1.1.22 Disable Automounting
+  - id: 4024
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: # chkconfig autofs off"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list autofs -> r:^\s*\t*autofs\.*on'
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.2 Activate gpgcheck
+  - id: 4025
+    title: "Ensure gpgcheck is globally activated"
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Edit any failing files in /etc/yum.repos.d/* and set all instances of gpgcheck to ' 1 '."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:^gpgcheck=1"
+      - "not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck=0"
+
+      # 1.2.5 Disable the rhnsd Daemon (Not Scored)
+  - id: 4026
+    title: "Disable the rhnsd Daemon"
+    description: "The rhnsd daemon polls the Red Hat Network web site for scheduled actions and, if there are, executes those actions."
+    rationale: "Patch management policies may require that organizations test the impact of a patch before it is deployed in a production environment. Having patches automatically deployed could have a negative impact on the environment. It is best to not allow an action by default but only after appropriate consideration has been made. It is recommended that the service be disabled unless the risk is understood and accepted or you are running your own satellite . This item is not scored because organizations may have addressed the risk."
+    remediation: "Run the following command to disable rhnsd : # chkconfig rhnsd off"
+    compliance:
+      - cis: ["1.2.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'c:chkconfig --list rhnsd -> r:^rhnsd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 install AIDE
+  - id: 4027
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install aide: yum install aide // Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references: "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 AIDE regular checks
+  - id: 4028
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: crontab -u root -e // Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check  // Notes: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.  "
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:crontab -u root -l -> r:aide"
+      - "c:grep -r aide /etc/cron.* /etc/crontab -> r:aide"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+  # 1.4.1 Configure bootloader
+  - id: 4029
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub/grub.conf and linked as /boot/grub/menu.lst and /etc/grub.conf ."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.conf # chmod og-rwx /boot/grub/grub.conf"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub/grub.conf -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.2 Set Boot Loader Password (Scored)
+  - id: 4030
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: "Create an encrypted password with grub-md5-crypt: # grub-md5-crypt Password: <password>       Retype Password: <password> <encrypted-password>          Copy and paste the <encrypted-password> into the global section of /boot/grub/grub.conf : password --md5 <encrypted-password>"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^password --md5\s\.+'
+
+  # 1.4.3 Single user authentication
+  - id: 4031
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin':  SINGLE=/sbin/sulogin"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:SINGLE\s*=\s*/sbin/sulogin'
+
+  # 1.4.4 Ensure interactive boot is not enabled (Scored)
+  - id: 4032
+    title: "Ensure interactive boot is not enabled"
+    description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot . "
+    rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings. "
+    remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
+    compliance:
+      - cis: ["1.4.4"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/init -> r:PROMPT\s*=\s*no'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Restrict Core Dumps (Scored)
+  - id: 4033
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 XD/NX enabled
+  - id: 4034
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "dmesg | grep NX" -> r:NX \(Execute Disable\) protection: active'
+
+  # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 4035
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  # 1.5.4 Disable prelink
+  - id: 4036
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["3.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> package prelink is not installed"
+
+  ###############################################
+  # 1.6 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 SELinux not disabled
+  - id: 4037
+    title: "Ensure SELinux is not disabled in bootloader configuration"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines"
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel\.*selinux=0|^\s*\t*kernel\.*enforcing=0'
+
+  # 1.6.1.2 Set selinux state
+  - id: 4038
+    title: "Ensure the SELinux state is enforcing"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing'
+      - 'f:/etc/selinux/config -> r:^SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.3 Set selinux policy
+  - id: 4039
+    title: "Ensure SELinux policy is configured"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Policy from config file:\s+targeted|^Policy from config file:\s+mls'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Remove SETroubleshoot
+  - id: 4040
+    title: "Ensure SETroubleshoot is not installed"
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.5 Disable MCS Translation service mcstrans
+  - id: 4041
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed"
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  # 1.6.1.6 Ensure no unconfined daemons exist
+  - id: 4042
+    title: "Ensure no unconfined daemons exist"
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+  # 1.6.2 Install SELinux
+  - id: 4043
+    title: "Ensure SELinux is installed"
+    description: "SELinux provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install libselinux: yum install libselinux"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:rpm -q libselinux -> r:libselinux-\S+'
+
+  ###############################################
+  # 1.7  Warning Banners
+  ###############################################
+  # 1.7.1.1 Configure message of the day (Scored)
+  - id: 4044
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.2 Configure local login warning banner (Not Scored)
+  - id: 4045
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.3 Configure remote login warning banner (Not Scored)
+  - id: 4046
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.1.4 Configure /etc/motd permissions (Not Scored)
+  - id: 4047
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.1.5 Configure /etc/issue permissions (Scored)
+  - id: 4048
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+  # 1.7.1.6 Configure /etc/issue.net permissions (Not Scored)
+  - id: 4049
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.2 Ensure GDM login banner is configured (Scored)
+  - id: 4050
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Create the /etc/dconf/profile/gdm file with the following contents:  user-db:user   system-db:gdm        file-db:/usr/share/gdm/greeter-dconf-defaults     ||  Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message :   [org/gnome/login-screen]     banner-message-enable=true      banner-message-text='Authorized uses only. All activity may be monitored and reported.'   ||   Run the following command to update the system databases: dconf update"
+    compliance:
+      - cis: ["1.7.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-enable=true"
+      - 'f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-text=\.+'
+
+  # 1.8 Ensure updates, patches, and additional security software are installed (Not Scored)
+  - id: 4051
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Site policy may mandate a testing period before install onto production systems for available updates. The audit and remediation here only cover security updates. Non-security updates can be audited with and comparing against site policy: # yum check-update"
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: all
+    rules:
+      - "c:yum check-update --security -> r:No packages needed for security"
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 inetd Services
+  ###############################################
+  # 2.1.1 Disable chargen services (Scored)
+
+  - id: 4052
+    title: "Ensure chargen services are not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list chargen-dgram -> r:^\s*\t*chargen-dgram:\s*\t*on'
+      - 'c:chkconfig --list chargen-stream -> r:^\s*\t*chargen-stream:\s*\t*on'
+
+  # 2.1.2 Disable daytime services (Scored)
+  - id: 4053
+    title: "Ensure daytime services are not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list daytime-dgram -> r:^\s*\t*daytime-dgram:\s*\t*on'
+      - 'c:chkconfig --list daytime-stream -> r:^\s*\t*daytime-stream:\s*\t*on'
+
+  # 2.1.3 Disable discard services (Scored)
+  - id: 4054
+    title: "Ensure discard services are not enabled"
+    description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list discard-dgram -> r:^\s*\t*discard-dgram:\s*\t*on'
+      - 'c:chkconfig --list discard-stream -> r:^\s*\t*discard-stream:\s*\t*on'
+
+  # 2.1.4 Disable echo-dgram (Scored)
+  - id: 4055
+    title: "Ensure echo services are not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list echo-dgram -> r:^\s*\t*echo-dgram:\s*\t*on'
+      - 'c:chkconfig --list echo-stream -> r:^\s*\t*echo-stream:\s*\t*on'
+
+  # 2.1.5 Disable time-stream (Scored)
+  - id: 4056
+    title: "Ensure time services are not enabled"
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list time-dgram -> r:^\s*\t*time-dgram:\s*\t*on'
+      - 'c:chkconfig --list time-stream -> r:^\s*\t*time-stream:\s*\t*on'
+
+  # 2.1.6 Remove rsh-server (Scored)
+  - id: 4057
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Run the following commands to disable rsh, rlogin, and rexec: # chkconfig rsh off   # chkconfig rlogin off  # chkconfig rexec off"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rexec -> r:^\s*\t*rexec:\s*\t*on'
+      - 'c:chkconfig --list rlogin -> r:^\s*\t*rlogin:\s*\t*on'
+      - 'c:chkconfig --list rsh -> r:^\s*\t*rsh:\s*\t*on'
+
+  # 2.1.7 Remove talk server (Scored)
+  - id: 4058
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable talk: # chkconfig talk off"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list talk -> r:^\s*\t*talk:\s*\t*on'
+
+  # 2.1.8 Remove telnet-server (Scored)
+  - id: 4059
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list telnet -> r:^\s*\t*telnet:\s*\t*on'
+
+  # 2.1.9 Ensure tftp server is not enabled (Scored)
+  - id: 4060
+    title: "Ensure tftp server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Run the following command to disable tftp: # chkconfig tftp off"
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list tftp -> r:^\s*\t*tftp:\s*\t*on'
+
+  # 2.1.10 Remove rsync service (Scored)
+  - id: 4061
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # chkconfig rsyncd off"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list rsync -> r:^\s*\t*rsync:\s*\t*on'
+
+  # 2.1.11 Remove xinetd (Scored)
+  - id: 4062
+    title: "Ensure xinetd is not enabled"
+    description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Run the following command to disable xinetd: # chkconfig xinetd off"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list xinetd -> r:^\s*\t*xinetd\.*on'
+
+  ##############################################
+  # 2.2 Remove Legacy Services
+  ###############################################
+
+  # 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+  - id: 4063
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available run the following commands and verify either ntp or chrony is installed: # rpm -q ntp # rpm -q chrony  On virtual systems where host based time synchronization is available consult your virtualization software documentation and verify that host based synchronization is in use."
+    compliance:
+      - cis: ["2.2.2.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q ntp -> r:^package ntp is not installed"
+      - "not c:rpm -q chrony -> r:^package chrony is not installed"
+
+  # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored)
+  - id: 4064
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
+
+  # 2.2.1.3 Configure Network Time Protocol (Chrony) (Scored)
+  - id: 4065
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+  # 2.2.2 Remove X Windows (Scored)
+  - id: 4066
+    title: "Ensure X Window System is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11* -> r:^xorg-x11"
+
+  # 2.2.3 Disable Avahi Server (Scored)
+  - id: 4067
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon: # chkconfig avahi-daemon off"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list avahi-daemon -> r:^\s*\t*avahi-daemon\.*on'
+
+  # 2.2.4 Ensure CUPS is not enabled (Scored)
+  - id: 4068
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups : # chkconfig cups off"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list cups -> r:^\s*\t*cups\.*on'
+
+  # 2.2.5 Remove DHCP Server (Scored)
+  - id: 4069
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dhcpd: # chkconfig dhcpd off"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
+    condition: none
+    rules:
+      - 'c:chkconfig --list dhcpd -> r:^\s*\t*dhcpd\.*on'
+
+  # 2.2.6 Remove LDAP Server (Scored)
+  - id: 4070
+    title: "Ensure LDAP Server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # chkconfig slapd off"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - More detailed documentation on OpenLDAP is available at https://www.openldap.org
+    condition: none
+    rules:
+      - 'c:chkconfig --list slapd -> r:^\s*\t*slapd\.*on'
+
+  # 2.2.7 Disable NFS and RPC (Scored)
+  - id: 4071
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # chkconfig nfs off; # chkconfig rpcbind off"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list nfs -> r:^\s*\t*nfs\.*on'
+      - 'c:chkconfig --list rpcbind -> r:^\s*\t*rpcbind\.*on'
+
+  # 2.2.8 Ensure DNS Server is not enabled (Scored)
+  - id: 4072
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named : # chkconfig named off"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list named -> r:^\s*\t*named\.*on'
+
+  # 2.2.9 Remove FTP Server (Scored)
+  - id: 4073
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list vsftpd -> r:^\s*\t*vsftpd\.*on'
+
+  # 2.2.10 Remove HTTP Server (Scored)
+  - id: 4074
+    title: "Ensure HTTP server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable httpd: # chkconfig httpd off"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list httpd -> r:^\s*\t*httpd\.*on'
+
+  # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
+  - id: 4075
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list dovecot -> r:^\s*\t*dovecot\.*on'
+
+  # 2.2.12 Remove Samba (Scored)
+  - id: 4076
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable smb: # chkconfig smb off"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list smb -> r:^\s*\t*smb\.*on'
+
+  # 2.2.13 Remove HTTP Proxy Server (Scored)
+  - id: 4077
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # chkconfig squid off"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list squid -> r:^\s*\t*squid\.*on'
+
+  # 2.2.14 Remove SNMP Server (Not Scored)
+  - id: 4078
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list snmpd -> r:^\s*\t*snmpd\.*on'
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored)
+  - id: 4079
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Restart postfix: # service postfix restart"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.+LISTEN'
+
+  # 2.2.16 Remove NIS Server (Scored)
+  - id: 4080
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'c:chkconfig --list ypserv -> r:^\s*\t*ypserv\.*on'
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+  # 2.3.1 Remove NIS Client (Scored)
+  - id: 4081
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed (Scored)
+  - id: 4082
+    title: "Ensure rsh client is not installed"
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Run the following command to uninstall rsh : # yum remove rsh"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed (Scored)
+  - id: 4083
+    title: "Ensure talk client is not installed"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk : # yum remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed (Scored)
+  - id: 4084
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet : # yum remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed (Scored)
+  - id: 4085
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # yum remove openldap-clients"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> package openldap-clients is not installed"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 3.1.1 Disable IP Forwarding (Scored)
+  - id: 4086
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  # 3.1.2 Disable Send Packet Redirects (Scored)
+  - id: 4087
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 3.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 4088
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 4089
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 4090
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.2.4 Log Suspicious Packets (Scored)
+  - id: 4091
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 4092
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 4093
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
+  - id: 4094
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 4095
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  ###############################################
+  # 3.3 IPv6
+  ###############################################
+  # 3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored)
+  - id: 4096
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 and net.ipv6.conf.default.accept_ra = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0'
+
+  # 3.3.2 Ensure IPv6 redirects are not accepted (Not Scored)
+  - id: 4097
+    title: "Ensure IPv6 redirects are not accepted"
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0  || net.ipv6.conf.default.accept_redirects = 0 Then, run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirect /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0'
+
+  # 3.3.3 Ensure IPv6 is disabled (Not Scored)
+  - id: 4098
+    title: "Ensure IPv6 is disabled"
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: "Edit /boot/grub/grub.conf to include ipv6.disable=1 on all kernel lines."
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel && !r:ipv6.disable=1'
+
+  ###############################################
+  # 3.4 TCP Wrappers
+  ###############################################
+  # 3.4.1 Ensure TCP Wrappers is installed (Scored)
+  - id: 4099
+    title: "Ensure TCP Wrappers is installed"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Run the following command to install tcp_wrappers: yum install tcp_wrappers"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:rpm -q tcp_wrappers -> r:^tcp_wrappers-"
+      - "c:rpm -q tcp_wrappers-libs -> r:^tcp_wrappers-libs-"
+
+  # 3.4.3 Ensure /etc/hosts.deny is configured (Scored)
+  - id: 4100
+    title: "Ensure /etc/hosts.deny is configured"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: "Run the following command to create /etc/hosts.deny: echo 'ALL: ALL' >> /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'f:/etc/hosts.deny -> r:^ALL\s*:\s*ALL'
+
+  # 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)
+  - id: 4101
+    title: "Ensure permissions on /etc/hosts.allow are configured."
+    description: "The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow : chown root:root /etc/hosts.allow and chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)'
+
+  # 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)
+  - id: 4102
+    title: "Ensure permissions on /etc/hosts.deny are configured."
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : chown root:root /etc/hosts.deny and chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 3.5 Uncommon Network Protocols
+  ###############################################
+  # 3.5.1 Ensure DCCP is disabled (Not Scored)
+  - id: 4103
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v dccp -> r:install /bin/true"
+      - "not c:lsmod -> r:dccp"
+
+  # 3.5.2 Ensure SCTP is disabled (Not Scored)
+  - id: 4104
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v sctp -> r:install /bin/true"
+      - "not c:lsmod -> r:sctp"
+
+  # 3.5.3 Ensure RDS is disabled (Not Scored)
+  - id: 4105
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v rds -> r:install /bin/true"
+      - "not c:lsmod -> r:rds"
+
+  # 3.5.4 Ensure TIPC is disabled (Not Scored)
+  - id: 4106
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v tipc -> r:install /bin/true"
+      - "not c:lsmod -> r:tipc"
+
+  ###############################################
+  # 3.6 Firewall Configuration
+  ###############################################
+  # 3.6.1 Ensure iptables is installed (Scored)
+  - id: 4107
+    title: "Ensure iptables is installed"
+    description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables ."
+    rationale: "iptables is required for firewall management and configuration."
+    remediation: "Run the following command to install iptables : yum install iptables"
+    compliance:
+      - cis: ["3.6.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.1"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:iptables-"
+
+  # 3.6.2 Ensure default deny firewall policy (Scored)
+  - id: 4108
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: iptables -P INPUT DROP; iptables -P OUTPUT DROP and iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.6.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.6.3 Ensure loopback traffic is configured (Scored)
+  - id: 4109
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.6.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+
+  ###############################################
+  # 4.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure audit log storage size is configured (Not Scored)
+  - id: 4110
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file\s*=\s*\d+'
+
+  # 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
+  - id: 4111
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email   action_mail_acct = root   admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^admin_space_left_action\s*=\s*halt'
+
+  # 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
+  - id: 4112
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2 Ensure auditd service is enabled (Scored)
+  - id: 4113
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd : # chkconfig auditd on"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list auditd -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
+  - id: 4114
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: "Edit /boot/grub/grub.conf to include audit=1 on all kernel lines. Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.conf -> r:^\s*\t*kernel && !r:audit=1'
+
+  # 4.1.4 Ensure events that modify date and time information are collected (Scored)
+  - id: 4115
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change   -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change   -a always,exit -F arch=b64 -S clock_settime -k time-change   -a always,exit -Farch=b32 -S clock_settime -k time-change   -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/localtime && r:-p wa && r:-k time-change"
+
+  # 4.1.5 Ensure events that modify user/group information are collected (Scored)
+  - id: 4116
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:    -w /etc/group -p wa -k identity    -w /etc/passwd -p wa -k identity    -w /etc/gshadow -p wa -k identity    -w /etc/shadow -p wa -k identity    -w /etc/security/opasswd -p wa -k identity"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/security/opasswd && r:-p wa && r:-k identity"
+
+  # 4.1.6 Ensure events that modify the system's network environment are collected (Scored)
+  - id: 4117
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations)."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale        For 64 bit systems add the following lines to the /etc/audit/audit.rules file:    -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale    -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale    -w /etc/issue -p wa -k system-locale    -w /etc/issue.net -p wa -k system-locale    -w /etc/hosts -p wa -k system-locale    -w /etc/sysconfig/network -p wa -k system-locale    -w /etc/sysconfig/network-scripts/ -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale"
+
+  # 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
+  - id: 4118
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/selinux/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:-w /usr/share/selinux/ && r:-p wa && r:-k MAC-policy"
+
+  # 4.1.8 Ensure login and logout events are collected (Scored)
+  - id: 4119
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/failock directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:  -w /var/log/lastlog -p wa -k logins   -w /var/run/faillock/ -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/faillock/ && r:-p wa && r:-k logins"
+
+  # 4.1.9 Ensure session initiation information is collected (Scored)
+  - id: 4120
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file:   -w /var/run/utmp -p wa -k session   -w /var/log/wtmp -p wa -k logins   -w /var/log/btmp -p wa -k logins"
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["5.5", "16.10", "16.4"]
+      - pci_dss: ["10.3"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins"
+
+  # 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
+  - id: 4121
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrem"
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["3.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  # 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
+  - id: 4122
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated  with system calls that control creation ( creat ), opening ( open , openat ) and truncation (  truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-  privileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the  system call returned EACCES (permission denied to the file) or EPERM (some other  permanent error associated with the specific system call). All audit records will be tagged  with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access   -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access"
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EACCES && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-S ftruncate && r:-F exit=-EPERM && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k access"
+
+  # 4.1.13 Ensure successful file system mounts are collected (Scored)
+  - id: 4123
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts   -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts"
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k mounts"
+
+  # 4.1.14 Ensure file deletion events by users are collected (Scored)
+  - id: 4124
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   For 64 bit systems add the following lines to the /etc/audit/audit.rules file:   -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete"
+    compliance:
+      - cis: ["4.1.14"]
+      - pci_dss: ["10.5.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=500 && r:-F auid!=4294967295 && r:-k delete"
+
+  # 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
+  - id: 4125
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /etc/sudoers -p wa -k scope   -w /etc/sudoers.d/ -p wa -k scope"
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  # 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
+  - id: 4126
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1", "5.5"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /var/log/sudo.log && r:-p wa && r:-k actions"
+
+  # 4.1.17 Ensure kernel module loading and unloading is collected (Scored)
+  - id: 4127
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "Add the following line to the /etc/audit/audit.rules file:   -w /var/log/sudo.log -p wa -k actions"
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["3"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules"
+      - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.18 Ensure the audit configuration is immutable (Scored)
+  - id: 4128
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file.   -e 2"
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["3", "6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:tail -1 /etc/audit/audit.rules -> r:^-e 2"
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog Service is enabled (Scored)
+  - id: 4129
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lackblogging instead."
+    remediation: "Run the following command to enable rsyslog :   # chkconfig rsyslog on"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list rsyslog -> r:2:on && r:3:on && r:4:on && r:5:on"
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 4130
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0600|^\$FileCreateMode 0640|^\$FileCreateMode 0440|^\$FileCreateMode 0400|^\$FileCreateMode 0040|^\$FileCreateMode 0000'
+
+  # 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored)
+  - id: 4131
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host).   *.* @@loghost.example.com   Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep *.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf -> !r:# && r:*.* @@\.+'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 4132
+    title: "Ensure syslog-ng service is enabled"
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable syslog-ng :   # chkconfig syslog-ng on"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:chkconfig --list syslog-ng -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 4133
+    title: "Ensure syslog-ng default file permissions configured"
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(0600\)|perm\(0640\)|perm\(0440\)|perm\(0400\)|perm\(0000\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 4134
+    title: "Ensure syslog-ng is configured to send logs to a remote log host"
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> !r:^# && r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 4135
+    title: "Ensure rsyslog or syslog-ng is installed"
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands:   # yum install rsyslog   # yum install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "not c:rpm -q rsyslog -> package rsyslog is not installed"
+      - "not c:rpm -q syslog-ng -> package syslog-ng is not installed"
+
+  # 4.2.4 Ensure permissions on all logfiles are configured (Scored)
+  - id: 4136
+    title: "Ensure permissions on all logfiles are configured"
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitivebdata is archived and protected."
+    remediation: "Run the following command to set permissions on all existing log files: # find /var/log -type f -exec chmod g-wx,o-rwx {} +"
+    compliance:
+      - cis: ["4.2.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  ###############################################
+  # 5 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled (Scored)
+  - id: 4137
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron : # chkconfig crond on"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:chkconfig --list crond -> r:2:on && r:3:on && r:4:on && r:5:on"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 4138
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 4139
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 4140
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 4141
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 4142
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\w00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 4143
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+  - id: 4144
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/cron.deny -> r:No such file or directory$"
+      - "c:stat -L /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+  - id: 4145
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: chown root:root /etc/ssh/sshd_config and chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Set SSH Protocol to 2 (Scored)
+  - id: 4146
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
+
+  # 5.2.3 Set LogLevel to INFO (Scored)
+  - id: 4147
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
+
+  # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 4148
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 4149
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 4150
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.2.8 Disable SSH Root Login (Scored)
+  - id: 4151
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
+
+  # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 4152
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+  - id: 4153
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:PermitUserEnvironment\s*\t*no'
+
+  # 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+  - id: 4154
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 and ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 300'
+      - 'f:$sshd_file -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 4155
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.13"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60'
+
+  # 5.2.14 Ensure SSH access is limited (Scored)
+  - id: 4156
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. DenyUsers The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>; AllowGroups <grouplist>; DenyUsers <userlist> and DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1", "5.8"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:$sshd_file -> r:^\s*AllowUsers'
+      - 'f:$sshd_file -> r:^\s*AllowGroups'
+      - 'f:$sshd_file -> r:^\s*DenyUsers'
+      - 'f:$sshd_file -> r:^\s*DenyGroups'
+
+  # 5.2.15 Ensure SSH warning banner is configured (Scored)
+  - id: 4157
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  ###############################################
+  # 5.3 Configure PAM
+  ###############################################
+  # 5.3.1 Ensure password creation requirements are configured (Scored)
+  - id: 4158
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_cracklib.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_cracklib.so and to conform to site policy: password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["5.7", "16.12"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:grep pam_cracklib.so /etc/pam.d/password-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'c:grep pam_cracklib.so /etc/pam.d/system-auth -> r:try_first_pass && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  # 5.3.3 Ensure password reuse is limited (Scored)
+  - id: 4159
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: password sufficient pam_unix.so remember=5   or    password required pam_pwhistory.so remember=5"
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> n:^password\s+sufficient\s+pam_unix.so\.+remember=(\d+)|^password\s+required\s+pam_pwhistory.so\.+remember=(\d+) compare >= 5'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 4160
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown: password sufficient pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^password\s*sufficient\s*pam_unix.so\s*sha512'
+  ###############################################
+  # 5.4 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.4.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
+  - id: 4161
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 90 and modify user parameters for all users with a password set to match: chage --maxdays 90 <user>"
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+  - id: 4162
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 and modify user parameters for all users with a password set to match: chage --mindays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+  - id: 4163
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 and modify user parameters for all users with a password set to match: chage --warndays 7 <user>"
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+  - id: 4164
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: useradd -D -f 30 and modify user parameters for all users with a password set to match: chage --inactive 30 <user>"
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+  - id: 4165
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 4166
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bashrc -> n:^\s*\t*umask\s+(\d+) compare >= 027'
+      - 'f:/etc/profile -> n:^\s*\t*umask\s+(\d+) compare >= 027'
+      - 'd:/etc/profile.d -> .sh -> n:^\s*\t*umask\s+(\d+) compare >= 027'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 4167
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.6 Ensure access to the su command is restricted (Scored)
+  - id: 4168
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su ."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.2 Configure /etc/passwd permissions (Scored)
+  - id: 4169
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Configure /etc/shadow permissions (Scored)
+  - id: 4170
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following command to set permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 000 /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Configure /etc/group permissions (Scored)
+  - id: 4171
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Configure /etc/gshadow permissions (Scored)
+  - id: 4172
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following command to set permissions on /etc/gshadow: # chown root:root /etc/gshadow # chmod 000 /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Configure /etc/passwd- permissions (Scored)
+  - id: 4173
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Configure /etc/shadow- permissions (Scored)
+  - id: 4174
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/shadow-: # chown root:root /etc/shadow- # chmod 000 /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Configure /etc/group- permissions (Scored)
+  - id: 4175
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Configure /etc/gshadow- permissions (Scored)
+  - id: 4176
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 000 /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+  # 6.2.1 Check passwords fields (Scored)
+  - id: 4177
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: passwd -l <username> || Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Delete legacy entries in /etc/passwd (Scored)
+  - id: 4178
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 6.2.3 Delete legacy entries in /etc/shadow (Scored)
+  - id: 4179
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 6.2.4 Delete legacy entries in /etc/group (Scored)
+  - id: 4180
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy '+' entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 4181
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/etc/ruleset/sca/rhel/7/cis_rhel7_linux.yml b/etc/ruleset/sca/rhel/7/cis_rhel7_linux.yml
new file mode 100644
index 0000000000..bdfa8fec56
--- /dev/null
+++ b/etc/ruleset/sca/rhel/7/cis_rhel7_linux.yml
@@ -0,0 +1,4555 @@
+# Security Configuration Assessment
+# CIS Checks for RHEL 7.
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software Foundation
+#
+#
+# Based on:
+# Center for Internet Security Red Hat Enterprise Linux 7 Benchmark v3.1.1 - 05-21-2021
+
+policy:
+  id: "cis_rhel7_linux"
+  file: "cis_rhel7_linux.yml"
+  name: "CIS Red Hat Enterprise Linux 7 Benchmark v3.1.1"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 7 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 7."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RHEL7 family platform"
+  description: "Requirements for running the policy against RHEL 7 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7"
+    - "f:/etc/redhat-release -> r:^Cloud && r:release 7"
+    - "f:/etc/redhat-release -> r:^Oracle && r:release 7"
+    - "f:/etc/redhat-release -> r:^Better && r:release 7"
+    - "f:/etc/redhat-release -> r:^OpenVZ && r:release 7"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 4500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true Run the following command to unload the cramfs module: # rmmod cramfs."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 4501
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'Disabling squashfs will prevent the use of snap. Snap is a package manager for Linux for installing Snap packages. "Snap" application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment. When snaps are deployed on versions of Linux, the Ubuntu app store is used as default back-end, but other stores can be enabled as well.'
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/squashfs.conf and add the following line: install squashfs /bin/true Run the following command to unload the squashfs module: # rmmod squashfs."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 4502
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf."
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Ensure /tmp is configured. (Automated)
+  - id: 4503
+    title: "Ensure /tmp is configured."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily."
+    remediation: "Create or update an entry for /tmp in either /etc/fstab OR in a systemd tmp.mount file: If /etc/fstab is used: configure /etc/fstab as appropriate. _ Example:_ tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp # mount -o remount,noexec,nodev,nosuid /tmp OR if systemd tmp.mount file is used: run the following command to create the file /etc/systemd/system/tmp.mount if it doesn't exist: # [ ! -f /etc/systemd/system/tmp.mount ] && cp -v /usr/lib/systemd/system/tmp.mount /etc/systemd/system/ Edit the file /etc/systemd/system/tmp.mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to reload the systemd daemon: # systemctl daemon-reload Run the following command to unmask and start tmp.mount: # systemctl --now unmask tmp.mount."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.4", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 4504
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local- fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp OR if systemd is used to mount /tmp:_ Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:noexec'
+
+  # 1.1.4 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 4505
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file OR the /etc/systemd/system/local- fs.target.wants/tmp.mount file: IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp OR if systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:nodev'
+
+  # 1.1.5 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 4506
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "IF /etc/fstab is used to mount /tmp Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp OR if systemd is used to mount /tmp: Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to restart the systemd daemon: # systemctl daemon-reload Run the following command to restart tmp.mount: # systemctl restart tmp.mount."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/tmp\s && !r:nosuid'
+
+  # 1.1.6 Ensure /dev/shm is configured. (Automated)
+  - id: 4507
+    title: "Ensure /dev/shm is configured."
+    description: "/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd."
+    rationale: "Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "Edit /etc/fstab and add or edit the following line: tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0 Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - 'f:/etc/fstab -> r:\s/dev/shm\s'
+
+  # 1.1.7 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 4508
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["2.6", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 4509
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.9 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 4510
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec,nodev,nosuid /dev/shm."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.10 Ensure separate partition exists for /var. (Automated)
+  - id: 4511
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.11 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 4512
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications and is intended for temporary files that are preserved across reboots."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.12 Ensure /var/tmp partition includes the noexec option. (Automated)
+  - id: 4513
+    title: "Ensure /var/tmp partition includes the noexec option."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,noexec /var/tmp."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:noexec'
+
+  # 1.1.13 Ensure /var/tmp partition includes the nodev option. (Automated)
+  - id: 4514
+    title: "Ensure /var/tmp partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add nodev to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp."
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:nodev'
+
+  # 1.1.14 Ensure /var/tmp partition includes the nosuid option. (Automated)
+  - id: 4515
+    title: "Ensure /var/tmp partition includes the nosuid option."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "For existing /var/tmp partitions, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nosuid /var/tmp."
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && !r:nosuid'
+
+  # 1.1.15 Ensure separate partition exists for /var/log. (Automated)
+  - id: 4516
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc_v8: ["4.1", "8.3"]
+      - cis_csc_v7: ["6.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["10.7", "11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["A1.1", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.16 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 4517
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd , it may not perform as desired."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.17 Ensure separate partition exists for /home. (Automated)
+  - id: 4518
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.18 Ensure /home partition includes the nodev option. (Automated)
+  - id: 4519
+    title: "Ensure /home partition includes the nodev option."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "For existing /home partitions, edit the /etc/fstab file and add nodev to the fourth field (mounting options) of the /home entry. See the fstab(5) manual page for more information. Run the following command to remount /home: # mount -o remount,nodev /home."
+    compliance:
+      - cis: ["1.1.18"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/home\s && !r:nodev'
+
+  # 1.1.19 Ensure removable media partitions include noexec option. (Automated)
+  - id: 4520
+    title: "Ensure removable media partitions include noexec option."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.19"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["2.6", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/etc/fstab\s && !r:noexec'
+
+  # 1.1.20 Ensure nodev option set on removable media partitions. (Automated)
+  - id: 4521
+    title: "Ensure nodev option set on removable media partitions."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.20"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/etc/fstab\s && !r:nodev'
+
+  # 1.1.21 Ensure nosuid option set on removable media partitions. (Automated)
+  - id: 4522
+    title: "Ensure nosuid option set on removable media partitions."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+    compliance:
+      - cis: ["1.1.21"]
+      - cis_csc_v8: ["3.3", "4.1"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.3.1", "1.5.1", "2.1.1", "2.2.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:mount -> r:\s/etc/fstab\s && !r:nosuid'
+
+  # 1.1.22 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+
+  # 1.1.23 Disable Automounting. (Automated)
+  - id: 4523
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Run the following command to mask autofs: # systemctl --now mask autofs OR run the following command to remove autofs # yum remove autofs."
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service: No such file or directory"
+      - "c:systemctl is-enabled autofs -> r:disabled"
+      - 'not c:systemctl show "autofs.service" -> r:\s*unitfilestate=enabled'
+
+  # 1.1.24 Disable USB Storage. (Automated)
+  - id: 4524
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf Add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.24"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["8.4", "8.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+  # 1.2.2 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  # 1.2.3 Ensure gpgcheck is globally activated. (Automated)
+  - id: 4525
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/*.repo files determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/yum.conf and set 'gpgcheck=1' in the [main] section. Edit any failing files in /etc/yum.repos.d/*.repo and set all instances of gpgcheck to 1."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "f:/etc/yum.conf -> r:gpgcheck=1"
+      - 'd:/etc/yum.repos.d/ -> r:\.*.repo -> r:gpgcheck=1'
+
+  # 1.2.4 Ensure Red Hat Subscription Manager connection is configured. (Manual) - Not Implemented
+
+  # 1.2.5 Disable the rhnsd Daemon. (Manual) - Not Implemented
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 4526
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system. Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # yum install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 4527
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.servic"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 4528
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem - You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items.'
+    remediation: 'For newer grub2 based systems (Release 7.2 and newer), create an encrypted password with grub2-setpassword : # grub2-setpassword Enter password: <password> Confirm password: <password> OR For older grub2 based systems, create an encrypted password with grub2-mkpasswd- pbkdf2: # grub2-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> Your PBKDF2 is <encrypted-password> Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <<EOF set superusers="<username>" password_pbkdf2 <username> <encrypted-password> EOF Note: - If placing the information in a custom file, do not include the "cat << EOF" and "EOF" lines as the content is automatically added from these files - The superuser/user information and password should not be contained in the /etc/grub.d/00_header file. The information can be placed in any /etc/grub.d file as long as that file is incorporated into grub.cfg. It is preferable to enter this data into a custom file, such as /etc/grub.d/40_custom, so it is not overwritten should the Grub package be updated Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg.'
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD\s*=\.+'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 4529
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub2 configuration is usually grub.cfg. On newer grub2 systems the encrypted bootloader password is contained in user.cfg. If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions desired."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration file(s): # chown root:root /boot/grub2/grub.cfg # test -f /boot/grub2/user.cfg && chown root:root /boot/grub2/user.cfg # chmod og-rwx /boot/grub2/grub.cfg # test -f /boot/grub2/user.cfg && chmod og-rwx /boot/grub2/user.cfg OR If the system uses UEFI, edit /etc/fstab and add the fmask=0077 option: Example: <device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0 Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/grubenv -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication required for single user mode. (Automated)
+  - id: 4530
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Note: The systemctl option --fail is synonymous with --job-mode=fail. Using either is acceptable."
+    rationale: "Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: 'Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default".'
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+      - 'f:/usr/lib/systemd/system/emergency.service -> r:ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"|ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+
+  # 1.5.1 Ensure core dumps are restricted. (Automated)
+  - id: 4531
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 If systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload."
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/limits.conf -> r:hard\s*\t*core\s*\t*0$'
+      - 'd:/etc/security/limits.d/ -> r:\. -> r:hard\s*\t*core\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'd:/etc/sysctl.d/ -> r:\. -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.2 Ensure XD/NX support is enabled. (Automated)
+  - id: 4532
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system. Note: Ensure your system supports the XD or NX bit and has PAE support before implementing this recommendation as this may prevent it from booting if these are not supported by your hardware."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:journalctl -> r:\s*protection:\s*\t*active'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated)
+  - id: 4533
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2."
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+      - 'f:/etc/sysctl.conf -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'd:/etc/sysctl.d -> r:\.* -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+
+  # 1.5.4 Ensure prelink is not installed. (Automated)
+  - id: 4534
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Run the following command to uninstall prelink: # yum remove prelink."
+    references:
+      - "http://www.nsa.gov/research/selinux"
+      - "http://www.nsa.gov/research/selinux/list.shtml"
+      - "http://docs.fedoraproject.org/selinux-faq"
+      - "http://docs.fedoraproject.org/selinux-user-guide"
+      - "http://docs.fedoraproject.org/selinux-managing-"
+      - "http://www.selinuxproject.org"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa prelink -> r:prelink"
+
+  ###############################################
+  # 1.6 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 4535
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # yum install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 4536
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Note: This recommendation is designed around the grub 2 bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg.'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 4537
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only. Note: If your organization requires stricter policies, ensure that they are set in the /etc/selinux/config file."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is enforcing or permissive. (Automated)
+  - id: 4538
+    title: "Ensure the SELinux mode is enforcing or permissive."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/SELinux-mode"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled$'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+      - "c:getenforce -> r:^Enforcing|^Permissive"
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 4539
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/selinux-mode"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+      - "c:getenforce -> r:^Enforcing"
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 4540
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains Note: Occasionally certain daemons such as backup or centralized management software may require running unconfined. Any such software should be carefully analyzed and documented before such an exception is made."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 4541
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to Uninstall setroubleshoot: # yum remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 4542
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  ###############################################
+  # 1.7  Warning Banners
+  ###############################################
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 4543
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 4544
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 4545
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 4546
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 4547
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 4548
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 4549
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # yum remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 4550
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user && r:system-db:gdm && r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:[org/gnome/login-screen]"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-enable=true"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-text="
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 4551
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user && r:system-db:gdm && r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:[org/gnome/login-screen]"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:disable-user-list=true"
+
+  # 1.8.4 Ensure XDCMP is not enabled. (Automated)
+  - id: 4552
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "f:/etc/gdm/custom.conf -> r:Enable=true"
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual) - Not Implemented
+
+  ###############################################
+  # 2.1 Remove Legacy Services
+  ###############################################
+
+  # 2.1.1 Ensure xinetd is not installed. (Automated)
+  - id: 4553
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # yum remove xinetd."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa xinetd -> r:xinetd"
+
+  # 2.2.1.1 Ensure time synchronization is in use. (Manual)
+  - id: 4554
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: - If another method for time synchronization is being used, this section may be skipped. - Only one time synchronization package should be installed."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run One of the following commands to install chrony or NTP: To install chrony, run the following command: # yum install chrony OR To install ntp, run the following command: # yum install ntp Note: On systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+      - "c:rpm -q ntp -> r:ntp-"
+
+  # 2.2.1.2 Ensure chrony is configured. (Automated)
+  - id: 4555
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. Note: This recommendation only applies if chrony is in use on the system."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\s*\t*\.+|^pool\s*\t*\.+'
+      - 'not c:ps -ef -> r:\.+/chronyd\s*\t*$ && !r:^\s*\t*chrony\s*\t*'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  # 2.2.1.3 Ensure ntp is configured. (Automated)
+  - id: 4556
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. Note: This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ''-u ntp:ntp'': OPTIONS="-u ntp:ntp" Reload the systemd daemon: systemctl daemon-reload Enable and start the ntp service: systemctl --now enable ntpd.'
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/ntp.conf"
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+
+  # 2.2.2 Ensure X11 Server components are not installed. (Automated)
+  - id: 4557
+    title: "Ensure X11 Server components are not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # yum remove xorg-x11-server*."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11-server* -> r:xorg-x11-server*"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 4558
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # yum remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+      - "c:rpm -q avahi-autoipd -> r:package avahi-autoipd is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 4559
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # yum remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 4560
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # yum remove dhcp."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.6 Ensure LDAP server is not installed. (Automated)
+  - id: 4561
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove openldap-servers: # yum remove openldap-servers."
+    references:
+      - "http://www.openldap.org."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-servers -> r:^package openldap-servers is not installed"
+
+  # 2.2.7 Ensure DNS Server is not installed. (Automated)
+  - id: 4562
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # yum remove bind."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.8 Ensure FTP Server is not installed. (Automated)
+  - id: 4563
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface. Note: Additional FTP servers also exist and should be removed if not required."
+    remediation: "Run the following command to remove vsftpd: # yum remove vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.9 Ensure HTTP server is not installed. (Automated)
+  - id: 4564
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be removed to reduce the potential attack surface. Notes: - Several http servers exist. apache, apache2, lighttpd, and nginx are example packages that provide an HTTP server. - These and other packages should also be audited, and removed if not required."
+    remediation: "Run the following command to remove httpd: # yum remove httpd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.10 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 4565
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Notes: - Several IMAP/POP3 servers exist and can use other service names. courier-imap and cyrus-imap are example services that provide a mail server. - These and other services should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot: # yum remove dovecot."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.11 Ensure Samba is not installed. (Automated)
+  - id: 4566
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # yum remove samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 4567
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # yum remove squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.13 Ensure net-snmp is not installed. (Automated)
+  - id: 4568
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # yum remove net-snmp."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.14 Ensure NIS server is not installed. (Automated)
+  - id: 4569
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # yum remove ypserv."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:^package ypserv is not installed"
+
+  # 2.2.15 Ensure telnet-server is not installed. (Automated)
+  - id: 4570
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # yum remove telnet-server."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.16 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 4571
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\.* && !r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.17 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 4572
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # yum remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 4573
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # yum remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"
+
+  # 2.2.19 Ensure rsync is not installed or the rsyncd service is masked. (Automated)
+  - id: 4574
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # yum remove rsync OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:^package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 4575
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # yum remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa ypbind -> r:ypbind"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 4576
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # yum remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa rsh -> r:rsh"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 4577
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # yum remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa talk -> r:talk"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 4578
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # yum remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 4579
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # yum remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Uncommon Network Protocols
+  ###############################################
+
+  # 3.1.1 Disable IPv6. (Manual)
+  - id: 4580
+    title: "Disable IPv6."
+    description: "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented."
+    rationale: "If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+    impact: "If IPv6 is disabled through sysctl config, SSH X11forwarding may no longer function as expected. We recommend that SSH X11fowarding be disabled, but if required, the following will allow for SSH X11forwarding with IPv6 disabled through sysctl config: Add the following line the /etc/ssh/sshd_config file: AddressFamily inet Run the following command to re-start the openSSH server: # systemctl restart sshd."
+    remediation: 'Use one of the two following methods to disable IPv6 on the system: To disable IPv6 through the GRUB2 config: Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Ru the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg OR To disable IPv6 through sysctl settings: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.disable_ipv6=1 # sysctl -w net.ipv6.conf.default.disable_ipv6=1 # sysctl -w net.ipv6.route.flush=1.'
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:^\s*kernelopts=\.+ipv6.disable=1'
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*\t*linux && !r:ipv6.disable=1'
+      - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:net.ipv6.conf.all.disable_ipv6\s*=\s*0'
+      - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:net.ipv6.conf.default.disable_ipv6\s*=\s*0'
+
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated)
+  - id: 4581
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Run the following commands to restore the default parameters and set the active kernel parameters: # grep -Els \"^\\s*net\\.ipv4\\.ip_forward\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv4\\.ip_forward\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 # grep -Els \"^\\s*net\\.ipv6\\.conf\\.all\\.forwarding\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv6\\.conf\\.all\\.forwarding\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.ip_forward\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.forwarding\s*=\s*1$'
+
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated)
+  - id: 4582
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated)
+  - id: 4583
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is not disabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated)
+  - id: 4584
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects and net.ipv6.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 IF IPv6 is not disabled Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated)
+  - id: 4585
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.3.4 Ensure suspicious packets are logged. (Automated)
+  - id: 4586
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated)
+  - id: 4587
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated)
+  - id: 4588
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated)
+  - id: 4589
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.7"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated)
+  - id: 4590
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated)
+  - id: 4591
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the system's ability to accept IPv6 router advertisements."
+    rationale: "It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "IF IPv6 is enabled: Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1."
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_raa -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.all.accept_raa\s*=\s*1$'
+      - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/etc/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/usr/lib/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+      - 'd:->/run/sysctl.d/ -> r:\.*.conf -> r:^net.ipv6.conf.default.accept_ra\s*=\s*1$'
+
+  ###############################################
+  # 3.4 Uncommon Network Protocols
+  ###############################################
+
+  # 3.4.1 Ensure DCCP is disabled. (Automated)
+  - id: 4592
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf Add the following line: install dccp /bin/true."
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:install\s*\t*/bin/true'
+      - "not c:lsmod -> r:dccp"
+
+  # 3.4.2 Ensure SCTP is disabled. (Automated)
+  - id: 4593
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf Add the following line: install sctp /bin/true."
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:install\s*\t*/bin/true'
+      - "not c:lsmod -> r:sctp"
+
+  ###############################################
+  # 3.5 Firewall Configuration
+  ###############################################
+  ###############################################
+  # 3.5.1 Ensure Firewall software is installed
+  ###############################################
+
+  # 3.5.1.1 Ensure firewalld is installed. (Automated)
+  - id: 4594
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # yum install firewalld iptables."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^firewalld-"
+      - "c:rpm -q iptables -> r:^iptables-"
+
+  # 3.5.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 4595
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # yum remove iptables-services."
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.5.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 4596
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. _Note: Support for using nftables as the back-end for firewalld was added in release v0.6.0. In Fedora 19 Linux derivatives, firewalld utilizes iptables as its back-end by default."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: firewalld may configured as the front-end to nftables. If this case, nftables should be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # yum remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nftables -> r:package nftables is not installed"
+      - 'not c:systemctl status nftables -> r:active \(running\)|\(exited\)'
+      - "c:systemctl is-enabled nftables -> r:masked"
+
+  # 3.5.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 4597
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.5.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "p:firewalld"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.5.1.5 Ensure firewalld default zone is set. (Automated) - Not Implemented
+  # 3.5.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) - Not Implemented
+  # 3.5.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+
+  # 3.5.2.1 Ensure nftables is installed. (Automated)
+  - id: 4598
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # yum install nftables."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.5.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 4599
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "p:firewalld"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.5.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 4600
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # yum remove iptables-services."
+    compliance:
+      - cis: ["3.5.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.5.2.4 Ensure iptables are flushed with nftables. (Manual)
+  - id: 4601
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - 'c:iptables -L -> !r:^\s*Chain|^\s*target && r:\s*\S+'
+      - 'c:ip6tables -L -> !r:^\s*Chain|^\s*target && r:\s*\S+'
+
+  # 3.5.2.5 Ensure an nftables table exists. (Automated)
+  - id: 4602
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.5.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 4603
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.5.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.5.2.7 Ensure nftables loopback traffic is configured. (Automated)
+  - id: 4604
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop IF IPv6 is enabled: Run the following command to implement the IPv6 loopback rules: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.5.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list ruleset -> r:iif "lo" accept'
+      - "c:nft list ruleset -> r:ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"
+
+  # 3.5.2.8 Ensure nftables outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.5.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 4605
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.5.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.5.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 4606
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.5.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.5.2.11 Ensure nftables rules are permanent. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.5.3 Configure iptables
+  ###############################################
+  ###############################################
+  # 3.5.3.1 Configure IPv4 iptables
+  ###############################################
+
+  # 3.5.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 4607
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # yum install iptables iptables-services."
+    compliance:
+      - cis: ["3.5.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:^iptables-"
+      - "c:rpm -q iptables-services -> r:iptables-services-"
+
+  # 3.5.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 4608
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # yum remove nftables."
+    compliance:
+      - cis: ["3.5.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+
+  # 3.5.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 4609
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.5.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q firewalld -> r:package firewalld is not installed"
+      - 'not c:systemctl status firewalld -> r:active \(running\)'
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  # 3.5.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 4610
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.5.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.5.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.5.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.5.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 4611
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.5.3.2.5 Ensure iptables rules are saved. (Automated) - Not Implemented
+
+  # 3.5.3.2.6 Ensure iptables is enabled and running. (Automated)
+  - id: 4612
+    title: "Ensure iptables is enabled and running."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.5.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:enabled"
+      - 'c:systemctl status iptables -> r:active \(running\)|\(exited\)'
+
+  ###############################################
+  # 3.5.3.3 Configure IPv6 ip6tables
+  ###############################################
+
+  # 3.5.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 4613
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.5.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.5.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.5.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 4614
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:ip6tables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:ip6tables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.5.3.3.5 Ensure ip6tables rules are saved. (Automated) - Not Implemented
+
+  # 3.5.3.3.6 Ensure ip6tables is enabled and running. (Automated)
+  - id: 4615
+    title: "Ensure ip6tables is enabled and running."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.5.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:^\s*kernelopts=\.+ipv6.disable=1'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+  ###############################################
+  # 4.1.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 4616
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # yum install audit audit-libs."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+      - "c:rpm -q audit-libs -> r:^audit-libs-"
+
+  # 4.1.1.2 Ensure auditd service is enabled and running. (Automated)
+  - id: 4617
+    title: "Ensure auditd service is enabled and running."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable and start auditd : # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+      - 'c:systemctl status auditd -> r:Active: active \(running\)'
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 4618
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected. Note: This recommendation is designed around the grub2 bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg.'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: none
+    rules:
+      - "f:/boot/grub2/grubenv -> r:kernelopts= && !r:audit=1"
+
+  ###############################################
+  # 4.1.2 Configure Data Retention
+  ###############################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 4619
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. Notes: - The max_log_file parameter is measured in megabytes. - Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 4620
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.2", "6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 4621
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^admin_space_left_action\s*=\s*halt'
+
+  # 4.1.2.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 4622
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: 'Edit /etc/default/grub and add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" Run the following command to update the grub2 configuration: # grub2-mkconfig -o /boot/grub2/grub.cfg.'
+    compliance:
+      - cis: ["4.1.2.4"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:^args=\.*\saudit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.3 Ensure events that modify date and time information are collected. (Automated)
+  - id: 4623
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change" Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: 'For 32 bit systems Edit or Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change.'
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:adjtimex && r:settimeofday|settimeofday -S stime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:adjtimex && r:settimeofday|settimeofday -S stime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.4 Ensure events that modify user/group information are collected. (Automated)
+  - id: 4624
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file. Note: Reloading the auditd config to set active settings may require a system reboot.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-identity.rules Add the following lines: -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/group -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/passwd -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/gshadow -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/shadow -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/security/opasswd -p wa -k identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 4625
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale.".'
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-system_local.rules Add the following lines: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-system_local.rules Add the following lines: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d -> r:.+.rules$"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 4626
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: - If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited. - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-MAC_policy.rules Add the following lines: -w /etc/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/selinux/ -p wa -k MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /usr/share/selinux/ -p wa -k MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.7 Ensure login and logout events are collected. (Automated)
+  - id: 4627
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - The file /var/log/lastlog maintain records of the last time a user successfully logged in. - The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module. Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-logins.rules Add the following lines: -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/lastlog -p wa -k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/run/faillock/ -p wa -k logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.8 Ensure session initiation information is collected. (Automated)
+  - id: 4628
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.". - Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-session.rules Add the following lines: -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/run/utmp -p wa -k session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/wtmp -p wa -k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/btmp -p wa -k logins'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected. (Automated)
+  - id: 4629
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open , openat) and truncation ( truncate , ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid>=1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\" Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-access.rules Add the following lines: -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-access.rules Add the following lines: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'd:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'c:auditctl -l -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'c:auditctl -l -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+
+  # 4.1.11 Ensure use of privileged commands is collected. (Automated) - Not Implemented
+
+  # 4.1.12 Ensure successful file system mounts are collected. (Automated)
+  - id: 4630
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-mounts.rules Add the following lines: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-mounts.rules Add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S mount-F auid>=1000 -F auid!=4294967295 -k mounts"
+      - "c:auditctl -l -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
+
+  # 4.1.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 4631
+    title: "Ensure file deletion events by users are collected."
+    description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for following system calls and tags them with the identifier \"delete\": - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat - rename a file attribute Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-deletion.rules Add the following lines: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-deletion.rules Add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
+      - "d:/etc/audit/rules.d -> r:.+.rules$ -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
+      - "c:auditctl -l -> r:-a always,exit && r:-F arch=b32|-F arch=b64 && r:-S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
+
+  # 4.1.14 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 4632
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers or a file in the /etc/sudoers.d directory will be written to when the file or its attributes have changed. Note: Reloading the auditd config to set active settings may require a system reboot."
+    rationale: "Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-scope.rules Add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope'
+
+  # 4.1.15 Ensure system administrator command executions (sudo) are collected. (Automated)
+  - id: 4633
+    title: "Ensure system administrator command executions (sudo) are collected."
+    description: "sudo provides users with temporary elevated privileges to perform operations. Monitor the administrator with temporary elevated privileges and the operation(s) they performed."
+    rationale: "creating an audit log of administrators with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed. Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command: # awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures. Reloading the auditd config to set active settings may require a system reboot."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/50-actions.rules Add the following line: -a exit,always -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules: Example: vi /etc/audit/rules.d/50-actions.rules Add the following lines: -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions -a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F euid=0 && r:-F auid!=4294967295 && r:-k actions|key=actions'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64|-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F euid=0 && r:-k actions|key=actions"
+
+  # 4.1.16 Ensure kernel module loading and unloading is collected. (Automated)
+  - id: 4634
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules". Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.'
+    rationale: "Monitoring the use of insmod , rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-modules.rules Add the following lines: -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/insmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/rmmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /sbin/modprobe && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-a && r:always,exit|exit,always && r:-F arch=b\d\d && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  # 4.1.17 Ensure the audit configuration is immutable. (Automated)
+  - id: 4635
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the following line at the end of the file: -e 2."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not d:/etc/audit/rules.d -> r:\.+.rules$ -> !r:\s*\t*-e 2$'
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 4636
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is a recommended replacement to the original syslogd daemon. rsyslog provides improvements over syslogd, including: connection-oriented (i.e. TCP) transmission of logs - - The option to log to database formats - Encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # yum install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog Service is enabled and running. (Automated)
+  - id: 4637
+    title: "Ensure rsyslog Service is enabled and running."
+    description: "rsyslog needs to be enabled and running to perform logging."
+    rationale: "If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable and start rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:enabled"
+      - 'c:systemctl status rsyslog -> r:active \(running\)'
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured. (Automated)
+  - id: 4638
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. The $FileCreateMode parameter specifies the file creation mode with which rsyslogd creates new files. If not specified, the value 0644 is used. Notes: - The value given must always be a 4-digit octal number, with the initial digit being zero. - This setting can be overridden by a less restrictive setting in any file ending in .conf in the /etc/rsyslog.d/ directory."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\.*.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.4 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host. (Automated)
+  - id: 4639
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead. Note: Ensure that the selection of logfiles being sent follows local site policy."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines: Newer syntax: <files to sent to the remote log server> action(type="omfwd" target="<FQDN or ip of loghost>" port="<port number>" protocol="tcp" action.resumeRetryCount="<number of re-tries>" queue.type="LinkedList" queue.size=<number of messages to queue>") Example: *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Older syntax: *.* @@<FQDN or ip of loghost> Example: *.* @@192.168.2.100 Run the following command to reload the rsyslog configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc_v8: ["8.9"]
+      - cis_csc_v7: ["6.6", "6.8"]
+      - nist_sp_800-53: ["AU-6(3)"]
+      - pci_dss_v3.2.1: ["10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.3.3"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
+  - id: 4640
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts."
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. Note: The $ModLoad imtcp line can have the .so extension added to the end of the module, or use the full path to the module."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and uncomment or add the following lines: $ModLoad imtcp $InputTCPServerRun 514 For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514 Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  ###############################################
+  # 4.2.2.1 Configure systemd journal remote
+  ###############################################
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog. (Automated)
+  - id: 4641
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: 'Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Notes: - This recommendation assumes that recommendation 4.2.1.5, "Ensure rsyslog is configured to send logs to a remote log host" has been implemented. - The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters - As noted in the journald man pages: journald logs may be exported to rsyslog either through the process mentioned here, or through a facility like systemd-journald.service. There are trade-offs involved in each implementation, where ForwardToSyslog will immediately capture all events (and forward to an external log server, if properly configured), but may not capture all boot-up activities. Mechanisms such as systemd-journald.service, on the other hand, will record bootup events, but may delay sending the information to rsyslog, leading to the potential for log manipulation prior to export. Be aware of the limitations of all tools employed to secure a system.'
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsyste"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v8: ["8.9"]
+      - cis_csc_v7: ["6.5"]
+      - nist_sp_800-53: ["AU-6(3)"]
+      - pci_dss_v3.2.1: ["10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.3.3"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files. (Automated)
+  - id: 4642
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsyste"
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*=\s*yes'
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 4643
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Note: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsyste"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*=\s*persistent'
+
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Manual)
+  - id: 4644
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information."
+    remediation: 'Run the following commands to set permissions on all existing log files: # find /var/log -type f -exec chmod g-wx,o-rwx "{}" + Note: The configuration for your logging software or services may need to also be modified for any logs that had incorrect permissions, otherwise, the permissions may be reverted to the incorrect permissions.'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  # 4.2.4 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.1 Configure cron
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled and running. (Automated)
+  - id: 4645
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run. If another method for scheduling tasks is not being used, cron is used to execute them, and needs to be enabled and running."
+    remediation: "Run the following command to enable and start cron: # systemctl --now enable crond OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:enabled"
+      - 'c:systemctl status crond -> r:Active: active \(running\) since \w+ \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 4646
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab: # chown root:root /etc/crontab # chmod u-x,og-rwx /etc/crontab OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 4647
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly/ directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/ OR Run the following command to remove cron # yum remove cronie."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 4648
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily directory: # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 4649
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly/ directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/ OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 4650
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly directory: # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 4651
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d/ directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d directory: # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d OR Run the following command to remove cron: # yum remove cronie."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 4652
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following command to remove /etc/cron.deny: # rm /etc/cron.deny Run the following command to create /etc/cron.allow # touch /etc/cron.allow Run the following commands to set the owner and permissions on /etc/cron.allow: # chown root:root /etc/cron.allow # chmod u-x,og-rwx /etc/cron.allow OR Run the following command to remove cron # yum remove cronie."
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat /etc/cron.deny -> r:No such file or directory$"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 4653
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following command to remove /etc/at.deny: # rm /etc/at.deny Run the following command to create /etc/at.allow # touch /etc/at.allow Run the following commands to set the owner and permissions on /etc/at.allow: # chown root:root /etc/at.allow # chmod u-x,og-rwx /etc/at.allow OR Run the following command to remove at: # yum remove at."
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 5.2 Configure sudo
+  ###############################################
+
+  # 5.2.1 Ensure sudo is installed. (Automated)
+  - id: 4654
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo. # yum install sudo."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.2.2 Ensure sudo commands use pty. (Automated)
+  - id: 4655
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo-pty Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later. The -f option allows you to tell visudo which file to edit."
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing. This can be mitigated by configuring sudo to run other commands only from a pseudo-pty, whether I/O logging is turned on or not."
+    remediation: "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.2.3 Ensure sudo log file exists. (Automated)
+  - id: 4656
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later. The -f option allows you to tell visudo which file to edit."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "Editing the sudo configuration incorrectly can cause sudo to stop functioning."
+    remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+
+  # 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 4657
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.3.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.3.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.3.4 Ensure SSH access is limited. (Automated)
+  - id: 4658
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["3.3", "5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "MP.L2-3.8.2", "SC.L2-3.13.3"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.3.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 4659
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - 'f:/etc/ssh/sshd_config ->!r:^# && r:loglevel\s*(VERBOSE|INFO)'
+
+  # 5.3.6 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 4660
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through an existing SSH shell session to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    impact: "X11 programs on the server will not be able to be forwarded to a ssh-client display."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^x11forwarding no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*x11forwarding\\s*\\t*yes"
+
+  # 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 4661
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.3.8 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 4662
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.3.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.3.9 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 4663
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.3.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.3.10 Ensure SSH root login is disabled. (Automated)
+  - id: 4664
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.3.10"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> !r:^# && r:PermitRootLogin\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.3.11 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 4665
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.3.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.3.12 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 4666
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing a Trojan's programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.3.12"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitUserEnvironment\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.3.13 Ensure only strong Ciphers are used. (Automated)
+  - id: 4667
+    title: "Ensure only strong Ciphers are used."
+    description: "This variable limits the ciphers that SSH can use during communication. Note: Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack - The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue - The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr."
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+    compliance:
+      - cis: ["5.3.13"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "c: sshd -T -> r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+      - "not f:/etc/ssh/sshd_config -> r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 5.3.14 Ensure only strong MAC algorithms are used. (Automated)
+  - id: 4668
+    title: "Ensure only strong MAC algorithms are used."
+    description: "This variable Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. Note: Some organizations may have stricter requirements for approved MACs. Ensure that MACs used are in compliance with site policy."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256."
+    references:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    compliance:
+      - cis: ["5.3.14"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.4", "16.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c: sshd -T -> r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+      - "not f:/etc/ssh/sshd_config -> r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.3.15 Ensure only strong Key Exchange algorithms are used. (Automated)
+  - id: 4669
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received Note: Some organizations may have stricter requirements for approved Key Exchange algorithms. Ensure that Key Exchange algorithms used are in compliance with site policy."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2- nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange- sha256."
+    compliance:
+      - cis: ["5.3.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c: sshd -T -C user=root -> r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+      - "not f:/etc/ssh/sshd_config -> r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.3.16 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 4670
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.3.16"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*clientaliveinterval\s*\t*(\d+) compare => 1 &&  n:^\s*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -> n:^\s*clientalivecountmax\s*\t*(\d+) compare == 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*clientaliveinterval\s*\t*(\d+) compare => 1 &&  n:^\s*clientaliveinterval\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*clientalivecountmax\s*\t*(\d+) compare == 0'
+
+  # 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 4671
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.3.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*logingracetime\s*\t*(\d+) compare => 1 &&  n:^\s*logingracetime\s*\t*(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*logingracetime\s*\t*(\d+) compare => 1 &&  n:^\s*logingracetime\s*\t*(\d+) compare <= 60'
+
+  # 5.3.18 Ensure SSH warning banner is configured. (Automated)
+  - id: 4672
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.3.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  # 5.3.19 Ensure SSH PAM is enabled. (Automated)
+  - id: 4673
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(5) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.3.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*usepam\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*UsePAM\s+no'
+
+  # 5.3.20 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 4674
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.3.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2", "13.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*allowtcpforwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.3.21 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 4675
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.3.21"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.3.22 Ensure SSH MaxSessions is limited. (Automated)
+  - id: 4676
+    title: "Ensure SSH MaxSessions is limited."
+    description: "The MaxSessions parameter Specifies the maximum number of open sessions permitted per network connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.3.22"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare > 10'
+
+  ###############################################
+  # 5.4 Configure PAM
+  ###############################################
+
+  # 5.4.1 Ensure password creation requirements are configured. (Automated)
+  - id: 4677
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. The following options are set in the /etc/security/pwquality.conf file: Password Length: - minlen = 14 - password must be 14 characters or more Password complexity: - minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR - dcredit = -1 - provide at least one digit - ucredit = -1 - provide at least one uppercase character - ocredit = -1 - provide at least one special character - lcredit = -1 - provide at least one lowercase character The following is set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Notes: - Settings in /etc/security/pwquality.conf must use spaces around the = symbol. - Additional modules options may be set in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files."
+    rationale: "Strong passwords and limited attempts before locking an account protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so try_first_pass retry=3."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass"
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass"
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+
+  # 5.4.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 4678
+    title: "Ensure lockout for failed password attempts is configured."
+    description: 'Lock out users after n unsuccessful consecutive login attempts. These settings are commonly configured with the pam_faillock.so module. Some environments may continue using the pam_tally2.so module, where this older method may simplify automation in mixed environments. Set the lockout number in deny= to the policy in effect at your site. unlock_time=_n_ is the number of seconds the account remains locked after the number of attempts configured in deny=_n_ has been met. Notes: - Additional module options may be set, recommendation only covers those listed here. - When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. This can be avoided by creating symbolic links in place of the configuration files, which authconfig recognizes and does not overwrite. These symbolic links are the default for Fedora 19 derived distributions. - Use of the "audit" keyword may log credentials in the case of user error during - authentication. This risk should be evaluated in the context of the site policies of your organization. If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so or the pam_tally2.so module, the user can be unlocked by issuing following commands. This command sets the failed count to 0, effectively unlocking the user. If pam_faillock.so is used: o o # faillock --user <username> --reset o o # pam_tally2 -u <username> --reset If pam_tally2.so is used:.'
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the following lines: Modify the deny= and unlock_time= parameters to conform to local site policy, Not to be greater than deny=5 To use pam_faillock.so module, add the following lines to the auth section: auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 The auth sections should look similar to the following example: Note: The ordering on the lines in the auth section is important. The preauth line needs to below the line auth required pam_env.so and above all password validation lines. The authfail line needs to be after all password validation lines such as pam_sss.so. Incorrect order can cause you to be locked out of the system Example: auth required pam_env.so auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 # <- Under "auth required pam_env.so" auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 # <- Last auth line before "auth requisite pam_succeed_if.so" auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so Add the following line to the account section: account required pam_faillock.so Example: account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_pam_succeed_if.so uid < 1000 quiet account required pam_permit.so OR To use the pam_tally2.so module, add the following line to the auth section: auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 The auth sections should look similar to the following example: Note: The ordering on the lines in the auth section is important. the additional line needs to below the line auth required pam_env.so and above all password validation lines. Example: auth required pam_env.so auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 # <- Under "auth required pam_env.so" auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so Add the following line to the account section: account required pam_tally2.so Example: account required pam_tally2.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_pam_succeed_if.so uid < 1000 quiet account required pam_permit.so.'
+    references:
+      - "https://access.redhat.com/documentation/en-"
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^\s*auth\.+required\.+pam_faillock.so\.+ && n:deny=(\d+) compare <= 5 && n:unlock_time=(\d+) compare >= 900'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*auth\.+required\.+pam_faillock.so\.+ && n:deny=(\d+) compare <= 5 && n:unlock_time=(\d+) compare >= 900'
+
+  # 5.4.3 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 4679
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Note: - These changes only apply to accounts configured on the local system. - Additional module options may be set, recommendation only covers those listed here."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
+    remediation: "Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include sha512 option and remove the md5 option for pam_unix.so: password sufficient pam_unix.so sha512 Note: - Any system accounts that need to be expired should be carefully done separately by the - system administrator to prevent any potential problems. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login, In accordance with local site policies. - To accomplish this, the following command can be used. o This command intentionally does not affect the root account. The root account's password will also need to be changed. # awk -F: '( $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $1 !~ /^(nfs)?nobody$/ && $1 != \"root\" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0."
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so && r:sha512'
+
+  # 5.4.4 Ensure password reuse is limited. (Automated)
+  - id: 4680
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Note: Additional module options may be set, recommendation only covers those listed here."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "Edit both the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: Note: Add or modify the line containing the pam_pwhistory.so after the first occurrence of password requisite: password required pam_pwhistory.so remember=5 Example: (Second line is modified) password requisite pam_pwquality.so try_first_pass local_users_only authtok_type= password required pam_pwhistory.so use_authtok remember=5 retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so."
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwquality\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  ###############################################
+  # 5.5 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.5.1 Set Shadow Password Suite Parameters
+  ###############################################
+
+  # 5.5.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 4681
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days. Notes: - A value of -1 will disable password expiration. - The password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials via a brute force attack, using already compromised credentials, or gaining the credentials by other means, can be limited by the age of the password. Therefore, reducing the maximum age of a password can also reduce an attacker's window of opportunity. Requiring passwords to be changed helps to mitigate the risk posed by the poor security practice of passwords being used for multiple accounts, and poorly implemented off-boarding and change of responsibility policies. This should not be considered a replacement for proper implementation of these policies and practices. Note: If it is believed that a user's password may have been compromised, the user's account should be locked immediately. Local policy should be followed to ensure the secure update of their password."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.5.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 4682
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs : PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.5.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+
+  # 5.5.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 4683
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.5.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.5.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 4684
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Note: A value of -1 would disable this setting."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.5.1.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.9"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.5.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.5.2 Ensure system accounts are secured. (Automated) - Not Implemented
+
+  # 5.5.3 Ensure default group for the root account is GID 0. (Automated)
+  - id: 4685
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.5.4 Ensure default user shell timeout is configured. (Automated)
+  - id: 4686
+    title: "Ensure default user shell timeout is configured."
+    description: "TMOUT is an environmental setting that determines the timeout of a shell in seconds. - TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0 disables - timeout. readonly TMOUT-Sets the TMOUT environmental variable as readonly, preventing unwanted modification during run-time. -export TMOUT -exports the TMOUT variable System Wide Shell Configuration Files: -/etc/profile -used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. is only executed for interactive login shells, or shells executed with the --login parameter. -/etc/profile.d -/etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables. -/etc/bashrc -System wide version of .bashrc. In Fedora derived distributions, etc/bashrc also invokes /etc/profile.d/*.sh if non-login shell, but redirects output to /dev/null if non-interactive. Is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session."
+    remediation: "Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all TMOUT=_n_ entries to follow local site policy. TMOUT should not exceed 900 or be equal to 0. Configure TMOUT in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc TMOUT configuration examples: - As multiple lines: TMOUT=900 readonly TMOUT export TMOUT - As a single line: readonly TMOUT=900 ; export TMOUT."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/bashrc -> !r:^# && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not c:grep -Rh TMOUT /etc/profile /etc/profile.d/*.sh -> !r:^# && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'f:/etc/bashrc -> !r:^# && n:readonly TMOUT\s*=\s*(\d+)\s*; compare <= 900 && r:export TMOUT\s*$'
+      - 'c:grep -Rh TMOUT /etc/profile /etc/profile.d/*.sh -> !r:^# && n:readonly TMOUT\s*=\s*(\d+)\s*; compare <= 900 && r:export TMOUT\s*$'
+
+  # 5.5.5 Ensure default user umask is configured. (Automated)
+  - id: 4687
+    title: "Ensure default user umask is configured."
+    description: "The user file-creation mode mask (umask) is use to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 (rwxrwxrwx), and for any newly created file it is 0666 (rw-rw-rw-). The umask modifies the default Linux permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise. Bits set in the umask are cleared in the resulting file mode. umask can be set with either octal or Symbolic values: - Octal (Numeric) Value - Represented by either three or four digits. ie umask 0027 or umask 027. If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. - Symbolic Value - Represented by a comma separated list for User u, group g, and world/other o. The permissions listed are not masked by umask. ie a umask set by umask u=rwx,g=rx,o= is the Symbolic equivalent of the Octal umask 027. This umask would set a newly created directory with file mode drwxr-x--- and a newly created file with file mode rw-r-----. The default umask can be set to use the pam_umask module or in a System Wide Shell Configuration File. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask by adding the umask command into a User Shell Configuration File, (.bash_profile or .bashrc), in their home directory. Setting the default umask: - pam_umask module: o will set the umask according to the system default in /etc/login.defs and user settings, solving the problem of different umask settings with different shells, display managers, remote sessions etc. o umask=<mask> value in the /etc/login.defs file is interpreted as Octal o Setting USERGROUPS_ENAB to yes in /etc/login.defs (default): will enable setting of the umask group bits to be the same as owner bits. (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the <primary group name> userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user - System Wide Shell Configuration File: o /etc/profile - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. is only executed for interactive login shells, or shells executed with the --login parameter. o /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables. o /etc/bashrc - System wide version of .bashrc. In Fedora derived distributions, etc/bashrc also invokes /etc/profile.d/*.sh if non-login shell, but redirects output to /dev/null if non-interactive. Is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc. User Shell Configuration Files: - ~/.bash_profile - Is executed to configure your shell before the initial command prompt. Is only read by login shells. - ~/.bashrc - Is executed for interactive shells. only read by a shell that's both interactive and non-login."
+    rationale: "Setting a secure default value for umask ensures that users make a conscious choice about their file permissions. A permissive umask value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users."
+    remediation: "Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all umask entries to follow local site policy. Any remaining entries should be: umask 027, umask u=rwx,g=rx,o= or more restrictive. Configure umask in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc Example: # vi /etc/profile.d/set_umask.sh umask 027 Run the following command and remove or modify the umask of any returned files: # grep -RPi '(^|^[^#]*)\\s*umask\\s+([0-7][0-7][01][0-7]\\b|[0-7][0-7][0-7][0- 6]\\b|[0-7][01][0-7]\\b|[0-7][0-7][0- 6]\\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}( ,o=[rwx]{0,3})?\\b)' /etc/login.defs /etc/profile* /etc/bashrc* Follow one of the following methods to set the default user umask: Edit /etc/login.defs and edit the UMASK and USERGROUPS_ENAB lines as follows: UMASK 027 USERGROUPS_ENAB no Edit the files /etc/pam.d/password-auth and /etc/pam.d/system-auth and add or edit the following: session optional pam_umask.so OR Configure umask in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc Example: /etc/profile.d/set_umask.sh umask 027 Note: this method only applies to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked."
+    compliance:
+      - cis: ["5.5.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1", "13"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.6 Ensure root login is restricted to system console. (Manual) - Not Implemented
+
+  # 5.7 Ensure access to the su command is restricted. (Automated)
+  - id: 4688
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^\s*\t*# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 4689
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd : # chown root:root /etc/passwd # chmod u-x,g-wx,o-wx /etc/passwd."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 4690
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd- : # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 4691
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow : # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.5 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 4692
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 4693
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 4694
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow : # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.8 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 4695
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group : # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 4696
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.10 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 4697
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Notes: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "If any accounts in the /etc/passwd file do not have a single x in the password field, run the following command to set these accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 4698
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.4 Ensure shadow group is empty. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 4699
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  # 6.2.10 Ensure root PATH Integrity. (Automated) - Not Implemented
+  # 6.2.11 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.12 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.14 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.17 Ensure no users have .rhosts files. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/rhel/8/cis_rhel8_linux.yml b/etc/ruleset/sca/rhel/8/cis_rhel8_linux.yml
new file mode 100644
index 0000000000..a288426c9e
--- /dev/null
+++ b/etc/ruleset/sca/rhel/8/cis_rhel8_linux.yml
@@ -0,0 +1,4706 @@
+# Security Configuration Assessment
+# CIS Checks for RHEL 8.
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software Foundation
+#
+#
+# Based on:
+# Center for Internet Security Red Hat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022
+
+policy:
+  id: "cis_rhel8_linux"
+  file: "cis_rhel8_linux.yml"
+  name: "CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 8 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 8."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RHEL8 family platform"
+  description: "Requirements for running the policy against RHEL 8 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 8"
+    - "f:/etc/redhat-release -> r:^Cloud && r:release 8"
+    - "f:/etc/redhat-release -> r:^Oracle && r:release 8"
+    - "f:/etc/redhat-release -> r:^Better && r:release 8"
+    - "f:/etc/redhat-release -> r:^OpenVZ && r:release 8"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 5000
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs. Example: # printf "install cramfs /bin/false blacklist cramfs " >> /etc/modprobe.d/cramfs.conf Run the following command to unload the cramfs module: # modprobe -r cramfs.'
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/false|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*cramfs'
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 5001
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with the lines that reads install squashfs /bin/false and blacklist squashfs. Example: # printf "install squashfs /bin/false blacklist squashfs " >> /etc/modprobe.d/squashfs.conf Run the following command to unload the squashfs module: # modprobe -r squashfs.'
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/false|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*squashfs'
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 5002
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install udf /bin/false. Example: # printf "install udf /bin/false blacklist udf " >> /etc/modprobe.d/udf.conf Run the following command to unload the udf module: # modprobe -r udf.'
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/false|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d -> r:\.*.conf -> r:blacklist\t*\s*udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 5003
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 5004
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 5005
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 5006
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 5007
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 5008
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure noexec option set on /var partition. (Automated)
+  - id: 5009
+    title: "Ensure noexec option set on /var partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:noexec"
+
+  # 1.1.3.4 Ensure nosuid option set on /var partition. (Automated)
+  - id: 5010
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nosuid"
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 5011
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary file residing in /var/tmp is to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 5012
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 5013
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 5014
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 5015
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 5016
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 5017
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 5018
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 5019
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 5020
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 5021
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 5022
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 5023
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 5024
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 5025
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  # 1.1.7.4 Ensure usrquota option set on /home partition. (Automated)
+  - id: 5026
+    title: "Ensure usrquota option set on /home partition."
+    description: "The usrquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add usrquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.user Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:usrquota"
+
+  # 1.1.7.5 Ensure grpquota option set on /home partition. (Automated)
+  - id: 5027
+    title: "Ensure grpquota option set on /home partition."
+    description: "The grpquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.group Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:grpquota"
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 5028
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 5029
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 5030
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 5031
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # dnf remove autofs Run the following command to disable autofs if it is required: # systemctl --now disable autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: any
+    rules:
+      - "c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service: No such file or directory"
+      - "c:systemctl is-enabled autofs -> r:disabled"
+
+  # 1.1.10 Disable USB Storage. (Automated)
+  - id: 5032
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.1 Ensure Red Hat Subscription Manager connection is configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.3 Ensure gpgcheck is globally activated. (Automated)
+  - id: 5033
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - "f:/etc/dnf/dnf.conf -> r:gpgcheck=1"
+      - 'd:/etc/yum.repos.d/ -> r:\. -> r:gpgcheck=1'
+
+  # 1.2.4 Ensure package manager repositories are configured. (Manual) - Not Implemented
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 5034
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:rpm -q aide -> r:aide-\S*'
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 5035
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.servic"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 5036
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password> Run the following command to update the grub2 configuration: # grub2-mkconfig -o \"$(dirname \"$(find /boot -type f \\( -name 'grubenv' -o - name 'grub.conf' -o -name 'grub.cfg' \\) -exec grep -Pl '^\\h*(kernelopts=|linux|kernel)' {} \\;)\")/grub.cfg\"."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD\s*=\.+'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 5037
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options. The grub2 configuration is usually grub.cfg. On newer grub2 systems the encrypted bootloader password is contained in user.cfg. If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions desired."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration file(s): # [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg # [ -f /boot/grub2/grub.cfg ] && chmod og-rwx /boot/grub2/grub.cfg # [ -f /boot/grub2/grubenv ] && chown root:root /boot/grub2/grubenv # [ -f /boot/grub2/grubenv ] && chmod og-rwx /boot/grub2/grubenv # [ -f /boot/grub2/user.cfg ] && chown root:root /boot/grub2/user.cfg # [ -f /boot/grub2/user.cfg ] && chmod og-rwx /boot/grub2/user.cfg OR If the system uses UEFI, edit /etc/fstab and add the fmask=0077, uid=0, and gid=0 options: Example: <device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0 Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat -L /boot/grub2/grubenv -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication is required when booting into rescue mode. (Automated)
+  - id: 5038
+    title: "Ensure authentication is required when booting into rescue mode."
+    description: "Rescue mode (former single user mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in rescue mode (former single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials."
+    remediation: "The systemd drop-in files must be created if it is necessary to change the default settings: Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf which contains only the configuration to be overridden: [Service] ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'f:/systemd-sulogin-shell -> r:ExecStart=-/usr/lib/systemd/systemd-sulogin-shell\s*rescue'
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/usr/lib/systemd/systemd-sulogin-shell\s*rescue'
+      - 'f:/etc/systemd/system/rescue.service.d -> r:ExecStart=-/usr/lib/systemd/systemd-sulogin-shell\s*rescue'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 5039
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 5040
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated)
+  - id: 5041
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: 'Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: Example: # printf " kernel.randomize_va_space = 2 " >> /etc/sysctl.d/60-kernel_sysctl.conf Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2.'
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  ###############################################
+  # 1.6 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 5042
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 5043
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0'."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 5044
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 5045
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/selinux"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 5046
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/selinux"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s+enabled$'
+      - 'c:sestatus -> r:^Current mode:\s+enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s+enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 5047
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 5048
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 5049
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q mcstrans -> r:mcstrans"
+
+  ###############################################
+  # 1.7  Warning Banners
+  ###############################################
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 5050
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 5051
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 5052
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 5053
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 5054
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 5055
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 5056
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 5057
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user && r:system-db:gdm && r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:[org/gnome/login-screen]"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-enable=true"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:banner-message-text="
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 5058
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:user-db:user && r:system-db:gdm && r:file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:[org/gnome/login-screen]"
+      - "f:/etc/dconf/db/gdm.d/01-banner-message -> r:disable-user-list=true"
+
+  # 1.8.4 Ensure XDMCP is not enabled. (Automated)
+  - id: 5059
+    title: "Ensure XDMCP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.8.5 Ensure automatic mounting of removable media is disabled. (Automated)
+  - id: 5060
+    title: "Ensure automatic mounting of removable media is disabled."
+    description: "By default GNOME automatically mounts removable media when inserted as a convenience to the user."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Ensure that automatic mounting of media is disabled for all GNOME users: # cat << EOF >> /etc/dconf/db/local.d/00-media-automount [org/gnome/desktop/media-handling] automount=false automount-open=false EOF Apply the changes with: # dconf update."
+    references:
+      - "https://access.redhat.com/solutions/20107"
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - "c:gsettings get org.gnome.desktop.media-handling automount -> r:false"
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 5061
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 5062
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  ###############################################
+  # 2.1 Remove Legacy Services
+  ###############################################
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 5063
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 5064
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  # 2.2.1 Ensure xinetd is not installed. (Automated)
+  - id: 5065
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # dnf remove xinetd."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:^package xinetd is not installed"
+
+  # 2.2.2 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 5066
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 5067
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 5068
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 5069
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the rpm -q dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.6 Ensure DNS Server is not installed. (Automated)
+  - id: 5070
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.7 Ensure FTP Server is not installed. (Automated)
+  - id: 5071
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftpd -> r:^package ftpd is not installed"
+
+  # 2.2.8 Ensure VSFTP Server is not installed. (Automated)
+  - id: 5072
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as an FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.9 Ensure TFTP Server is not installed. (Automated)
+  - id: 5073
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.10 Ensure a web server is not installed. (Automated)
+  - id: 5074
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.11 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 5075
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.12 Ensure Samba is not installed. (Automated)
+  - id: 5076
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.13 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 5077
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.14 Ensure net-snmp is not installed. (Automated)
+  - id: 5078
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.15 Ensure NIS server is not installed. (Automated)
+  - id: 5079
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # dnf remove ypserv."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:^package ypserv is not installed"
+
+  # 2.2.16 Ensure telnet-server is not installed. (Automated)
+  - id: 5080
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.17 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 5081
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\.* && !r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 5082
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-package is required as a dependency, the nfs-server should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 5083
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q -> r:rpcbind package rpcbind is not installed"
+      - "c:systemctl is-enabled rpcbind rpcbind.socket -> r:masked"
+
+  # 2.2.20 Ensure rsync is not installed or the rsyncd service is masked. (Automated)
+  - id: 5084
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.20"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked"
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 5085
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # dnf remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q ypbind -> r:^package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 5086
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # dnf remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q rsh -> r:^package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 5087
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # dnf remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -q talk -> r:^package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 5088
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 5089
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.6 Ensure TFTP client is not installed. (Automated)
+  - id: 5090
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Uncommon Network Protocols
+  ###############################################
+
+  # 3.1.1 Verify if IPv6 is enabled on the system. (Manual)
+  - id: 5091
+    title: "Verify if IPv6 is enabled on the system."
+    description: "Internet Protocol Version 6 (IPv6) is the most recent version of Internet Protocol (IP). It's designed to supply IP addressing and additional security to support the predicted growth of connected devices."
+    rationale: "It is recommended that either IPv6 settings are configured OR IPv6 be disabled to reduce the attack surface of the system."
+    impact: "IETF RFC 4038 recommends that applications are built with an assumption of dual stack. If IPv6 is disabled through sysctl config, SSH X11forwarding may no longer function as expected. We recommend that SSH X11fowarding be disabled, but if required, the following will allow for SSH X11forwarding with IPv6 disabled through sysctl config: Add the following line the /etc/ssh/sshd_config file: AddressFamily inet Run the following command to re-start the openSSH server: # systemctl restart sshd."
+    remediation: 'If IPv6 is to be disabled, use one of the two following methods to disable IPv6 on the system: To disable IPv6 through the GRUB2 config, run the following command to add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: grubby --update-kernel ALL --args ''ipv6.disable=1'' OR To disable IPv6 through sysctl settings, set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: Example: # printf " net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 " >> /etc/sysctl.d/60-disable_ipv6.conf Run the following command to set the active kernel parameters: # { sysctl -w net.ipv6.conf.all.disable_ipv6=1 sysctl -w net.ipv6.conf.default.disable_ipv6=1 sysctl -w net.ipv6.route.flush=1 }.'
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:^\s*kernelopts=\.+ipv6.disable=1'
+
+  # 3.1.2 Ensure SCTP is disabled. (Automated)
+  - id: 5092
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message-oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install sctp /bin/true " >> /etc/modprobe.d/sctp.conf.'
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v sctp -> r:^\s*install\s*/bin/true|Module sctp not found'
+      - "not c:lsmod -> r:sctp"
+
+  # 3.1.3 Ensure DCCP is disabled. (Automated)
+  - id: 5093
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install dccp /bin/true " >> /etc/modprobe.d/dccp.conf.'
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:modprobe -n -v dccp -> r:^\s*install\s*/bin/true|Module dccp not found'
+      - "not c:lsmod -> r:dccp"
+
+  # 3.1.4 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.4 Firewall Configuration
+  ###############################################
+  ###############################################
+  # 3.4.1 Ensure Firewall software is installed
+  ###############################################
+
+  # 3.4.1.1 Ensure firewalld is installed. (Automated)
+  - id: 5094
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # dnf install firewalld iptables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^firewalld-"
+      - "c:rpm -q iptables -> r:^iptables-"
+
+  # 3.4.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 5095
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 5096
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables. Note: Support for using nftables as the back-end for firewalld was added in release v0.6.0. In Fedora 19 Linux derivatives, firewalld utilizes iptables as its back-end by default."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: firewalld may configured as the front-end to nftables. If this case, nftables should be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # dnf remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.4.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:systemctl status nftables -> r:Loaded:\s*disabled|Loaded:\s*masked|could not be found'
+      - 'c:systemctl status nftables -> r:Active:\s*inactive\s*\(dead\)|could not be found'
+      - "not p:nftables"
+
+  # 3.4.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 5097
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.4.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "p:firewalld"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.4.1.5 Ensure firewalld default zone is set. (Automated) Not Implemented
+  # 3.4.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) Not Implemented
+  # 3.4.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+
+  # 3.4.2.1 Ensure nftables is installed. (Automated)
+  - id: 5098
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 5099
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: "Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network-firewall zones to assign a level of trust to a network and its associated connections interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options."
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # dnf remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "p:firewalld"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.4.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 5100
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.2.4 Ensure iptables are flushed with nftables. (Manual)
+  - id: 5101
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.4.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - 'c:iptables -L -> !r:^\s*Chain|^\s*target && r:\s*\S+'
+      - 'c:ip6tables -L -> !r:^\s*Chain|^\s*target && r:\s*\S+'
+
+  # 3.4.2.5 Ensure an nftables table exists. (Automated)
+  - id: 5102
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.4.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.4.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 5103
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.4.2.7 Ensure nftables loopback traffic is configured. (Automated)
+  - id: 5104
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop. IF IPv6 is enabled on the system: Run the following command to implement the IPv6 loopback rule: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:iif "lo" accept'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip saddr 127.0.0.0/8'
+      - 'c:sh -c "nft list ruleset | awk ''/hook input/,/}/''" -> r:ip6 saddr ::1'
+
+  # 3.4.2.8 Ensure nftables outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 5105
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.4.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 5106
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.4.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "p:nftables"
+
+  # 3.4.2.11 Ensure nftables rules are permanent. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.4.3 Configure iptables
+  ###############################################
+  ###############################################
+  # 3.4.3.1 Configure IPv4 iptables
+  ###############################################
+
+  # 3.4.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 5107
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # dnf install iptables iptables-services."
+    compliance:
+      - cis: ["3.4.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables -> r:^iptables-"
+
+  # 3.4.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 5108
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # dnf remove nftables."
+    compliance:
+      - cis: ["3.4.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+
+  # 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 5109
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: "firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall zones to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options."
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "p:firewalld"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.4.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 5110
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.4.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.4.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 5111
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.4.3.2.5 Ensure iptables rules are saved. (Automated) - Not Implemented
+  # 3.4.3.2.6 Ensure iptables is enabled and active. (Automated)
+  - id: 5112
+    title: "Ensure iptables is enabled and active."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.4.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:^enabled"
+      - "c:systemctl is-active iptables -> r:^active"
+
+  ###############################################
+  # 3.4.3.3 Configure IPv6 ip6tables
+  ###############################################
+
+  # 3.4.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 5113
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.4.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+  # 3.4.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 5114
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L -> r:Chain INPUT \(policy DROP\)'
+      - 'c:ip6tables -L -> r:Chain FORWARD \(policy DROP\)'
+      - 'c:ip6tables -L -> r:Chain OUTPUT \(policy DROP\)'
+
+  # 3.4.3.3.5 Ensure ip6tables rules are saved. (Automated) - Not Implemented
+
+  # 3.4.3.3.6 Ensure ip6tables is enabled and active. (Automated)
+  - id: 5115
+    title: "Ensure ip6tables is enabled and active."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.4.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:^\s*kernelopts=\.+ipv6.disable=1'
+
+  ###############################################
+  # 4 Logging and Auditing
+  ###############################################
+  ###############################################
+  # 4.1.1 Configure System Accounting (auditd)
+  ###############################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 5116
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit audit-libs -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditd service is enabled. (Automated)
+  - id: 5117
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "p:auditd"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 5118
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to add audit=1 to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: none
+    rules:
+      - "f:/boot/grub2/grubenv -> r:kernelopts= && !r:audit=1"
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 5119
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:^args=\.*\saudit_backlog_limit=(\d+) compare >= 8192'
+
+  ###############################################
+  # 4.1.2 Configure Data Retention
+  ###############################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 5120
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 5121
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 5122
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^admin_space_left_action\s*=\s*halt'
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 5123
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d -> .rules -> r:-w /etc/sudoers && r:-p wa && r:-k scope"
+      - "d:/etc/audit/rules.d -> .rules -> r:-w /etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 5124
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 5125
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex settimeofday clock_settime stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b32 -S clock_settime -k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b64 -S clock_settime -k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/localtime -p wa -k time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 5126
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/sysconfig/network - additional information that is valid to all network interfaces - /etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v7: ["5.5"]
+      - iso_27001-2013: ["A.12.1.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/issue -p wa -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/issue.net -p wa -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/hosts -p wa -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/sysconfig/network -p wa -k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/sysconfig/network-scripts/ -p wa -k system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/sysconfig/network-scripts && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated)
+  - id: 5127
+    title: "Ensure unsuccessful file access attempts are collected."
+    description: "Monitor for unsuccessful attempts to access files. The following parameters are associated with system calls that control files: creation - creat - - opening - open , openat - truncation - truncate , ftruncate An audit log record will only be written if all of the following criteria is met for the user when trying to access a file: - a non-privileged user (auid>=UID_MIN) - - is not a Daemon event (auid=4294967295/unset/-1) if the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)."
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=- EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=- EPERM -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=- EACCES -F auid>=${UID_MIN} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=- EPERM -F auid>=${UID_MIN} -F auid!=unset -k access \" >> /etc/audit/rules.d/50-access.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.7"]
+      - cis_csc_v7: ["14.9"]
+      - iso_27001-2013: ["A.12.4.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EACCES && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:creat && r:open && r:openat && r:truncate && r:ftruncate && r:-F exit=-EPERM && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k access|key=access'
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 5128
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v7: ["4.8"]
+      - iso_27001-2013: ["A.12.4.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/group -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/passwd -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/gshadow -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/shadow -p wa -k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -w /etc/security/opasswd -p wa -k identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 5129
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non-privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-perm_mod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.10"]
+      - cis_csc_v7: ["5.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 5130
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/run/utmp -p wa -k session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/wtmp -p wa -k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/btmp -p wa -k logins'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 5131
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/log/lastlog -p wa -k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /var/run/faillock/ -p wa -k logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 5132
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.13"]
+      - cis_csc_v7: ["13"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 5133
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux/ and /usr/share/selinux/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /etc/selinux/ -p wa -k MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:-w /usr/share/selinux/ -p wa -k MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/usr/share/selinux && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 5134
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 5135
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-priv_cmd.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 5136
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k priv_cmd|-F key=priv_cmd'
+
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 5137
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 5138
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) # [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules \\ || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.19"]
+      - cis_csc_v7: ["5.1"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+    condition: all
+    rules:
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 5139
+    title: "Ensure the audit configuration is immutable."
+    description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag -e 2 forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings."
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the following line at the end of the file: -e 2."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not d:/etc/audit/rules.d -> r:\.+.rules$ -> !r:\s*\t*-e 2$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 5140
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:/usr/sbin/augenrules && r:No change"
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 5141
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 5142
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "p:rsyslog"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 5143
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 5144
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual)
+  - id: 5145
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.7 Ensure rsyslog is not configured to recieve logs from a remote client. (Automated)
+  - id: 5146
+    title: "Ensure rsyslog is not configured to recieve logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.+.conf$ -> r:^\s*\t*\$ModLoad imtcp|\s*\t*^\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+      - 'not f:/etc/rsyslog.conf -> r:^\s*\t*\$ModLoad imtcp|^\s*\t*\$InputTCPServerRun|^\s*\t*module load="imtcp"|^\s*\t*input type="imtcp" port="514"'
+
+  ###############################################
+  # 4.2.2.1 Configure systemd journal remote
+  ###############################################
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 5147
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:^systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 5148
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  ###############################################
+  # 4.2.2.1 Configure journald
+  ###############################################
+
+  # 4.2.2.1.4 Ensure journald is not configured to recieve logs from a remote client. (Automated)
+  - id: 5149
+    title: "Ensure journald is not configured to recieve logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 5150
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 5151
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*=\s*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 5152
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*=\s*persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 5153
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: none
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated)
+  - id: 5154
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files contain information from many services on the the local system, or in the event of a centralized log server, others systems logs as well. In general log files are found in /var/log/, although application can be configured to store logs elsewhere. Should your application store logs in another, ensure to run the same test on that location."
+    rationale: "It is important that log files have the correct permissions to ensure that sensitive data is protected and that only the appropriate users / groups have access to them."
+    remediation: 'Run the following command to set permissions on all existing log files in /var/log. Although the command is not destructive, ensure that the output of the audit procedure is captured in the event that the remediation causes issues. # find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod --changes g-wx,o-rwx "{}" + If there are services that logs to other locations, ensure that those log files have the appropriate permissions.'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.1 Configure cron
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 5155
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "p:crond"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 5156
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 5157
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 5158
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 5159
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 5160
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 5161
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 5162
+    title: "Ensure cron is restricted to authorized users."
+    description: "If cron is installed in the system, configure /etc/cron.allow to allow specific users to use these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following scritp to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow`: #!/usr/bin/env bash cron_fix() { if rpm -q cronie >/dev/null; then [ -e /etc/cron.deny ] && rm -f /etc/cron.deny [ ! -e /etc/cron.allow ] && touch /etc/cron.allow chown root:root /etc/cron.allow chmod u-x,go-rwx /etc/cron.allow else echo "cron is not installed on the system" fi } cron_fix OR Run the following command to remove cron: # dnf remove cronie.'
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/cron.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 5163
+    title: "Ensure at is restricted to authorized users."
+    description: "If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: 'Run the following script to remove /etc/at.deny, create /etc/at.allow, and set the file mode for /etc/at.allow: #!/usr/bin/env bash at_fix() { if rpm -q at >/dev/null; then [ -e /etc/at.deny ] && rm -f /etc/at.deny [ ! -e /etc/at.allow ] && touch /etc/at.allow chown root:root /etc/at.allow chmod u-x,go-rwx /etc/at.allow else echo "at is not installed on the system" fi } at_fix OR Run the following command to remove at: # dnf remove at.'
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:stat -L /etc/at.deny -> r:No such file or directory$"
+      - 'c:stat -L /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 5164
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated)
+  - id: 5165
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, the possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated."
+    remediation: "Run the following commands to set permissions, ownership, and group on the private SSH host key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,g-wx,o- rwx {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \\;."
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/ssh_host_rsa_key -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ecdsa_key -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ed25519_key -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated)
+  - id: 5166
+    title: "Ensure permissions on SSH public host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key files # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go- wx {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;."
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/ssh_host_rsa_key.pub -> r:^Access: \(0\d\d\d/\w\w\w\w\w\w-\w\w-\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ecdsa_key.pub -> r:^Access: \(0\d\d\d/\w\w\w\w\w\w-\w\w-\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat -L /etc/ssh/ssh_host_ed25519_key.pub -> r:^Access: \(0\d\d\d/\w\w\w\w\w\w-\w\w-\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 5167
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowGroups'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*DenyUsers'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*DenyGroups'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 5168
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*loglevel\s+INFO'
+      - "f:/etc/ssh/sshd_config -> r:loglevel"
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 5169
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sUsePAM\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 5170
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> !r:^# && r:PermitRootLogin\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 5171
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> !r:^# && r:HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 5172
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 5173
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 5174
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> !r:^# && r:ignorerhosts\s*\t*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 5175
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*X11Forwarding\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 5176
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 5177
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'f:/etc/sysconfig/sshd -> !r:^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 5178
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*\t*/etc/issue.net'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 5179
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 5180
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 5181
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 5182
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 5183
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare > 0 && n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare == 0'
+
+  ###############################################
+  # 5.3 Configure sudo
+  ###############################################
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 5184
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 5185
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 5186
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 5187
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 5188
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 5189
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on it's own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 5190
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 5.4 Configure authselect
+  ###############################################
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual)
+  - id: 5191
+    title: "Ensure custom authselect profile is used."
+    description: "A custom profile can be created by copying and customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be customized to follow site specific requirements. You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host."
+    rationale: "A custom profile is required to customize many of the pam options. When you deploy a profile, the profile is applied to every user logging into the given host."
+    remediation: "Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> Example: # authselect create-profile custom-profile -b sssd --symlink-meta Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} Example: # authselect select custom/custom-profile with-sudo with-faillock without-nullok."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["16.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - pci_dss_v3.2.1: ["6.3.2"]
+      - pci_dss_v4.0: ["6.3.1"]
+    condition: all
+    rules:
+      - "c:authselect current -> r:^Profile ID: custom/"
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 5192
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:authselect current -> r:with-faillock"
+      - "f:/etc/authselect/authselect.conf -> r:with-faillock"
+
+  ###############################################
+  # 5.5 Configure PAM
+  ###############################################
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 5193
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more ** Either of the following can be used to enforce complex passwords:** - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass"
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass"
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 5194
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be not greater than 5 and unlock_time should be 0 (never), or 900 seconds or greater. Depending on the version you are running, follow one of the two methods bellow. Versions 8.2 and later: Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900 Versions 8.0 and 8.1: Run the following script to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options. This script should be modified as needed to follow local site policy. #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=(0|[6-9]|[1- 9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/deny=\\S+/deny=5/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=\\d*\\b.*$' \"$file\"; then sed -r 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 deny=5 \\4/' $file fi if grep -P -- '^\\h*(auth\\h+required\\h+pam_faillock\\.so\\h+)([^#\\n\\r]+)?\\h+unlock_time=([1- 9]|[1-9][0-9]|[1-8][0-9][0-9])\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/unlock_time=\\S+/unlock_time=900/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+unlock_time=\\d*\\b.*$ ' \"$file\"; then sed -ri 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 unlock_time=900 \\4/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^\s*auth\.+required\.+pam_faillock.so\.+ && n:deny=(\d+) compare <= 5 && n:unlock_time=(\d+) compare >= 900'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*auth\.+required\.+pam_faillock.so\.+ && n:deny=(\d+) compare <= 5 && n:unlock_time=(\d+) compare >= 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 5195
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwquality\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 5196
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/password-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so && r:sha512'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so && r:sha512'
+
+  ###############################################
+  # 5.6 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.6.1 Set Shadow Password Suite Parameters
+  ###############################################
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 5197
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is 7 or more. (Automated)
+  - id: 5198
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 5199
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 5200
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*(\d+) compare <= 30'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated)
+  - id: 5201
+    title: "Ensure default user shell timeout is 900 seconds or less."
+    description: "TMOUT is an environmental setting that determines the timeout of a shell in seconds. - TMOUT=n - Sets the shell timeout to n seconds. A setting of TMOUT=0 disables - timeout. readonly TMOUT- Sets the TMOUT environmental variable as readonly, preventing unwanted modification during run-time. - export TMOUT - exports the TMOUT variable System Wide Shell Configuration Files: - /etc/profile - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. is only executed for interactive login shells, or shells executed with the --login parameter. - /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables. - /etc/bashrc - System wide version of .bashrc. In Fedora derived distributions, etc/bashrc also invokes /etc/profile.d/*.sh if non-login shell, but redirects output to /dev/null if non-interactive. Is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session."
+    remediation: "Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all TMOUT=_n_ entries to follow local site policy. TMOUT should not exceed 900 or be equal to 0. Configure TMOUT in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc TMOUT configuration examples: - As multiple lines: TMOUT=900 readonly TMOUT export TMOUT - As a single line: readonly TMOUT=900 ; export TMOUT."
+    compliance:
+      - cis: ["5.6.3"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'not f:/etc/bashrc -> !r:^# && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not c:grep -Rh TMOUT /etc/profile /etc/profile.d/*.sh -> !r:^# && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'f:/etc/bashrc -> !r:^# && n:readonly TMOUT\s*=\s*(\d+)\s*; compare <= 900 && r:export TMOUT\s*$'
+      - 'c:grep -Rh TMOUT /etc/profile /etc/profile.d/*.sh -> !r:^# && n:readonly TMOUT\s*=\s*(\d+)\s*; compare <= 900 && r:export TMOUT\s*$'
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 5202
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\w:\w:0'
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated)
+  - id: 5203
+    title: "Ensure default user umask is 027 or more restrictive."
+    description: "The user file-creation mode mask (umask) is use to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 (rwxrwxrwx), and for any newly created file it is 0666 (rw-rw-rw-). The umask modifies the default Linux permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise. Bits set in the umask are cleared in the resulting file mode. umask can be set with either octal or Symbolic values: - Octal (Numeric) Value - Represented by either three or four digits. ie umask 0027 or umask 027. If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively. - Symbolic Value - Represented by a comma separated list for User u, group g, and world/other o. The permissions listed are not masked by umask. ie a umask set by umask u=rwx,g=rx,o= is the Symbolic equivalent of the Octal umask 027. This umask would set a newly created directory with file mode drwxr-x--- and a newly created file with file mode rw-r-----. The default umask can be set to use the pam_umask module or in a System Wide Shell Configuration File. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask by adding the umask command into a User Shell Configuration File, (.bash_profile or .bashrc), in their home directory. Setting the default umask: - pam_umask module: o will set the umask according to the system default in /etc/login.defs and user settings, solving the problem of different umask settings with different shells, display managers, remote sessions etc. o umask=<mask> value in the /etc/login.defs file is interpreted as Octal o Setting USERGROUPS_ENAB to yes in /etc/login.defs (default): will enable setting of the umask group bits to be the same as owner bits. (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the <primary group name> userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user - System Wide Shell Configuration File: o /etc/profile - used to set system wide environmental variables on users shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. is only executed for interactive login shells, or shells executed with the --login parameter. o /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables. o /etc/bashrc - System wide version of .bashrc. In Fedora derived distributions, etc/bashrc also invokes /etc/profile.d/*.sh if non-login shell, but redirects output to /dev/null if non-interactive. Is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc. User Shell Configuration Files: - ~/.bash_profile - Is executed to configure your shell before the initial command prompt. Is only read by login shells. - ~/.bashrc - Is executed for interactive shells. only read by a shell that's both interactive and non-login."
+    rationale: "Setting a secure default value for umask ensures that users make a conscious choice about their file permissions. A permissive umask value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users."
+    remediation: "Review /etc/bashrc, /etc/profile, and all files ending in *.sh in the /etc/profile.d/ directory and remove or edit all umask entries to follow local site policy. Any remaining entries should be: umask 027, umask u=rwx,g=rx,o= or more restrictive. Configure umask in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc Example: # vi /etc/profile.d/set_umask.sh umask 027 Run the following command and remove or modify the umask of any returned files: # grep -RPi '(^|^[^#]*)\\s*umask\\s+([0-7][0-7][01][0-7]\\b|[0-7][0-7][0-7][0- 6]\\b|[0-7][01][0-7]\\b|[0-7][0-7][0- 6]\\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}( ,o=[rwx]{0,3})?\\b)' /etc/login.defs /etc/profile* /etc/bashrc* Follow one of the following methods to set the default user umask: Edit /etc/login.defs and edit the UMASK and USERGROUPS_ENAB lines as follows: UMASK 027 USERGROUPS_ENAB no Edit the files /etc/pam.d/password-auth and /etc/pam.d/system-auth and add or edit the following: session optional pam_umask.so OR Configure umask in one of the following files: - A file in the /etc/profile.d/ directory ending in .sh - /etc/profile - /etc/bashrc Example: /etc/profile.d/set_umask.sh umask 027 Note: this method only applies to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked."
+    compliance:
+      - cis: ["5.6.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+  # 6.1.2 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.3 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 5204
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 5205
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 5206
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group: # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 5207
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.7 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 5208
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 5209
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 5210
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.10 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 5211
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\w*/\s*\t*shadow\)'
+
+  # 6.1.11 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.14 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit SGID executables. (Manual) - Not Implemented
+
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+
+  # 6.2.1 Ensure password fields are not empty. (Automated)
+  - id: 5212
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.3 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.8 Ensure root is the only UID 0 account. (Automated)
+  - id: 5213
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: 'This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in recommendation "Ensure access to the su command is restricted".'
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  # 6.2.9 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.10 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.11 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.12 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' .netrc Files are not group or world accessible. (Automated) - Not Implemented
+  # 6.2.14 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .rhosts files. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/rhel/9/cis_rhel9_linux.yml b/etc/ruleset/sca/rhel/9/cis_rhel9_linux.yml
new file mode 100644
index 0000000000..6438c839d5
--- /dev/null
+++ b/etc/ruleset/sca/rhel/9/cis_rhel9_linux.yml
@@ -0,0 +1,4020 @@
+# Security Configuration Assessment
+# CIS Checks for RHEL 9
+# Copyright (C) 2022, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Red Hat Enterprise Linux 9 Benchmark v1.0.0 - 11-28-2022
+
+policy:
+  id: "cis_rhel9_linux"
+  file: "cis_rhel9_linux.yml"
+  name: "CIS Red Hat Enterprise Linux 9 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 9 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RHEL9 family platform."
+  description: "Requirements for running the policy against RHEL 9 family."
+  condition: any
+  rules:
+    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 9"
+    - "f:/etc/redhat-release -> r:^Cloud && r:release 9"
+    - "f:/etc/redhat-release -> r:^Oracle && r:release 9"
+    - "f:/etc/redhat-release -> r:^Better && r:release 9"
+    - "f:/etc/redhat-release -> r:^OpenVZ && r:release 9"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  ###############################################
+  # 1 Initial setup
+  ###############################################
+  ###############################################
+  # 1.1 Filesystem Configuration
+  ###############################################
+  ###############################################
+  # 1.1.1 Disable unused filesystems
+  ###############################################
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled - Not implemented
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled - Not implemented
+  ###############################################
+  # 1.1.2 Configure /tmp
+  ###############################################
+
+  # 1.1.2.1  Ensure /tmp is a separate partition (Automated)
+  - id: 28000
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition (Automated)
+  - id: 28001
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition (Automated)
+  - id: 28002
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition (Automated)
+  - id: 28003
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ###############################################
+  # 1.1.3 Configure /var
+  ###############################################
+
+  # 1.1.3.1 Ensure separate partition exists for /var (Automated)
+  - id: 28004
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - 'AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/'
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0006"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition (Automated)
+  - id: 28005
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition (Automated)
+  - id: 28006
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nosuid"
+
+  ###############################################
+  # 1.1.4 Configure /var/tmp
+  ###############################################
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp (Automated)
+  - id: 28007
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. - Fine grained control over the mount: Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - 'AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/'
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated)
+  - id: 28008
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated)
+  - id: 28009
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated)
+  - id: 28010
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  ###############################################
+  # 1.1.5 Configure /var/log
+  ###############################################
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log (Automated)
+  - id: 28011
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. - Fine grained control over the mount: Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of log data: As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition (Automated)
+  - id: 28012
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition (Automated)
+  - id: 28013
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition (Automated)
+  - id: 28014
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  ###############################################
+  # 1.1.6 Configure /var/log/audit
+  ###############################################
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated)
+  - id: 28015
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of audit data: As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated)
+  - id: 28016
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated)
+  - id: 28017
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated)
+  - id: 28018
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  ###############################################
+  # 1.1.7 Configure /home
+  ###############################################
+
+  # 1.1.7.1 Ensure separate partition exists for /home (Automated)
+  - id: 28019
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. - Fine grained control over the mount: Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of user data: As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition (Automated)
+  - id: 28020
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition (Automated)
+  - id: 28021
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  ###############################################
+  # 1.1.8 Configure /dev/shm
+  ###############################################
+
+  # 1.1.8.1 Ensure /dev/shm is a separate partition (Automated)
+  - id: 28022
+    title: "Ensure /dev/shm is a separate partition."
+    description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
+    rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
+    impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0."
+    references:
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+      - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+
+  # 1.1.8.2 Ensure nodev option set on /dev/shm partition (Automated)
+  - id: 28023
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1200"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.8.3 Ensure noexec option set on /dev/shm partition (Automated)
+  - id: 28024
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm. NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.4 Ensure nosuid option set on /dev/shm partition (Automated)
+  - id: 28025
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1038"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.9 Disable USB Storage (Automated) - Not Implemented
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+  # 1.2.1 Ensure GPG keys are configured (Manual) - Not implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated (Automated)
+  - id: 28026
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: 'Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i ''s/^gpgcheck\s*=\s*.*/gpgcheck=1/'' /etc/dnf/dnf.conf. Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name "*.repo" -exec echo "Checking:" {} \; -exec sed -i ''s/^gpgcheck\s*=\s*.*/gpgcheck=1/'' {} \;.'
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - nist_sp_800-53: ["SI-2"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - pci_dss_3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^\s*gpgcheck\s*=\s*1'
+      - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'
+
+  # 1.2.3 Ensure package manager repositories are configured (Manual) - Not implemented
+  # 1.2.4 Ensure repo_gpgcheck is globally activated (Manual) - Not implemented
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 Ensure AIDE is installed (Automated)
+  - id: 28027
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - nist_sp_800-53: ["AU-2"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+      - mitre_techniques: ["T1565", "T1565.001"]
+      - mitre_tactics: ["TA0001"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked (Automated)
+  - id: 28028
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check. Run the following command: # crontab -u root -e. Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - nist_sp_800-53: ["AU-2"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1036", "T1036.005"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  # 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) - Not implemented
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+
+  # 1.4.1 Ensure bootloader password is set (Automated)
+  - id: 28029
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c". If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem.'
+    remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword Enter password: <password> Confirm password: <password>."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1046"]
+    condition: all
+    rules:
+      - f:/boot/grub2/user.cfg
+      - f:/boot/grub2/user.cfg -> r:^\s*GRUB2_PASSWORD=grub.pbkdf2.sha512
+
+  # 1.4.2 Ensure permissions on bootloader config are configured (Automated)
+  - id: 28030
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub files contain information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1542"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%#a %u %U %g %G" /boot/grub2/grub.cfg -> r:0\d00\s+0\s+root\s+0\s+root'
+      - 'c:stat -Lc "%#a %u %U %g %G" /boot/grub2/grubenv -> r:0400\s|0600\s && r:0\s+root\s+0\s+root'
+      - 'c:stat -Lc "%#a %u %U %g %G" /boot/grub2/user.cfg -> r:0400\s|0600\s && r:0\s+root\s+0\s+root'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+
+  # 1.5.1 Ensure core dump storage is disabled (Automated)
+  - id: 28031
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled (Automated)
+  - id: 28032
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - nist_sp_800-53: ["CM-6b"]
+      - mitre_techniques: ["T1005"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Automated) - Not implemented - needs a script.
+  ###############################################
+  # 1.6 Mandatory Access Control
+  ###############################################
+  ###############################################
+  # 1.6.1 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 Ensure SELinux is installed (Automated)
+  - id: 28033
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated)
+  - id: 28034
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: 'Run the following command to remove the selinux=0 and enforcing=0 parameters: grubby --update-kernel ALL --remove-args "selinux=0 enforcing=0" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- ''\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b'' /boot/grub2 /boot/efi && grub2-mkconfig -o "$(grep -Prl -- ''\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b'' /boot/grub2 /boot/efi).'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured (Automated)
+  - id: 28035
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled (Automated)
+  - id: 28036
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing (Automated)
+  - id: 28037
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist (Automated)
+  - id: 28038
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1022"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed (Automated)
+  - id: 28039
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
+  - id: 28040
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  ###############################################
+  # 1.7 Command Line Warning Banners
+  ###############################################
+
+  # 1.7.1 Ensure message of the day is configured properly (Automated)
+  - id: 28041
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|rhel'
+
+  # 1.7.2 Ensure local login warning banner is configured properly (Automated)
+  - id: 28042
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|rhel'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly (Automated)
+  - id: 28043
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+      - mitre_tactics: ["TA0007"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|rhel'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured (Automated)
+  - id: 28044
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured (Automated)
+  - id: 28045
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured (Automated)
+  - id: 28046
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 1.8 GNOME Display Manager
+  ###############################################
+
+  # 1.8.1 Ensure GNOME Display Manager is removed (Automated)
+  - id: 28047
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - mitre_tactics: ["TA0002"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured (Automated) - Not implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) - Not implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle (Automated) - Not implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) - Not implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) - Not implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - Not implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled (Automated) - Not implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden (Automated) - Not implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled (Automated)
+  - id: 28048
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user. - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1050"]
+    condition: none
+    rules:
+      - 'f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed (Manual)
+  - id: 28049
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update. Once the update process is complete, verify if reboot is required to load changes. dnf needs-restarting -r."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - pci_dss_3.2.1: ["6.2"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - soc_2: ["CC7.1"]
+      - mitre_techniques: ["T1211"]
+      - mitre_tactics: ["TA0004", "TA0008"]
+      - mitre_mitigations: ["M1051"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy (Automated)
+  - id: 28050
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - https://access.redhat.com/articles/3642912#what-polices-are-provided-1
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - nist_sp_800-53: ["SC-8"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  ###############################################
+  # 2 Services
+  ###############################################
+  ###############################################
+  # 2.1 Time Synchronization
+  ###############################################
+
+  # 2.1.1 Ensure time synchronization is in use (Automated)
+  - id: 28051
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - nist_sp_800-53: ["AU-3", "AU-12"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured (Automated)
+  - id: 28052
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - nist_sp_800-53: ["AU-3", "AU-12"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  ###############################################
+  # 2.2 Special Purpose Services
+  ###############################################
+
+  # 2.2.1 Ensure xorg-x11-server-common is not installed (Automated)
+  - id: 28053
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed (Automated)
+  - id: 28054
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.3 Ensure CUPS is not installed (Automated)
+  - id: 28055
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "More detailed documentation on CUPS is available at the project homepage at http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed (Automated)
+  - id: 28056
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.5 Ensure DNS Server is not installed (Automated)
+  - id: 28057
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.6 Ensure VSFTP Server is not installed (Automated)
+  - id: 28058
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.7 Ensure TFTP Server is not installed (Automated)
+  - id: 28059
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    impact: "TFTP is often used to provide files for network booting such as for PXE based installation of servers."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.8 Ensure a web server is not installed (Automated)
+  - id: 28060
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.9 Ensure IMAP and POP3 server is not installed (Automated)
+  - id: 28061
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.10 Ensure Samba is not installed (Automated)
+  - id: 28062
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.11 Ensure HTTP Proxy Server is not installed (Automated)
+  - id: 28063
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.12 Ensure net-snmp is not installed (Automated)
+  - id: 28064
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. - If SNMP v2 is absolutely necessary, modify the community strings' values."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.13 Ensure telnet-server is not installed (Automated)
+  - id: 28065
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3", "A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.14 Ensure dnsmasq is not installed (Automated)
+  - id: 28066
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # dnf remove dnsmasq."
+    compliance:
+      - cis: ["2.2.14"]
+      - nist_sp_800-53: ["CM-7"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q dnsmasq -> r:^package dnsmasq is not installed"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode (Automated)
+  - id: 28067
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only. Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)
+  - id: 28068
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-utils package is required as a dependency, the nfs-server service should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-utils package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked (Automated)
+  - id: 28069
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1210", "T1498", "T1498.002", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"
+
+  # 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated)
+  - id: 28070
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync-daemon package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync-daemon package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  ###############################################
+  # 2.3 Service Clients
+  ###############################################
+  # 2.3.1 Ensure telnet client is not installed (Automated)
+  - id: 28071
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_mitigations: ["M1041", "M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+    # 2.3.2 Ensure LDAP client is not installed (Automated)
+  - id: 28072
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.3 Ensure TFTP client is not installed (Automated)
+  - id: 28073
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.3.4 Ensure FTP client is not installed (Automated)
+  - id: 28074
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked (Manual) - Not implemented
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Disable unused network protocols and devices
+  ###############################################
+  # 3.1.1 Ensure IPv6 status is identified (Manual) - Not implemented
+  # 3.1.2 Ensure wireless interfaces are disabled (Automated) - Not implemented
+  # 3.1.3 Ensure TIPC is disabled (Automated) - Not implemented
+  ###############################################
+  # 3.2 Network Parameters (Host Only)
+  ###############################################
+  # 3.2.1 Ensure IP forwarding is disabled (Automated) - Not implemented
+  # 3.2.2 Ensure packet redirect sending is disabled (Automated) - Not implemented
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+  # 3.3.1 Ensure source routed packets are not accepted (Automated) - Not implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted (Automated) - Not implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted (Automated) - Not implemented
+  # 3.3.4 Ensure suspicious packets are logged (Automated) - Not implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) - Not implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored (Automated) - Not implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled (Automated) - Not implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) - Not implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) - Not implemented
+  ###############################################
+  # 3.4 Configure Host Based Firewall
+  ###############################################
+  ###############################################
+  # 3.4.1 Configure a firewall utility
+  ###############################################
+
+  # 3.4.1.1 Ensure nftables is installed (Automated)
+  - id: 28075
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - nist_sp_800-53: ["CA-9"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_mitigations: ["M1031", "M1037"]
+    condition: all
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "c:rpm -q iptables -> r:^package iptables is not installed"
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.1.2 Ensure a single firewall configuration utility is in use (Automatic) - Not implemented
+  ###############################################
+  # 3.4.2 Configure firewall rules
+  ###############################################
+  # 3.4.2.1 Ensure firewalld default zone is set (Automated) - Not implemented
+  # 3.4.2.2 Ensure at least one nftables table exists (Automated)
+  - id: 28076
+    title: "Ensure at least one nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "Without a table, nftables will not filter network traffic."
+    impact: "Adding or modifying firewall rules can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example if FirewallD is not in use on the system: # nft create table inet filter Note: FirewallD uses the table inet firewalld NFTables table that is created when FirewallD is installed."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - nist_sp_800-53: ["CA-9"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+      - "c:rpm -q nftables -> r:^nftables-"
+
+    # 3.4.2.3 Ensure nftables base chains exist (Automated)
+  - id: 28077
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: 'Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \; } Example: # nft create chain inet filter input { type filter hook input priority 0 \; } # nft create chain inet filter forward { type filter hook forward priority 0 \; } # nft create chain inet filter output { type filter hook output priority 0 \; }.'
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - nist_sp_800-53: ["CA-9"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:filter hook input"
+      - "c:nft list ruleset -> r:filter hook forward"
+      - "c:nft list ruleset -> r:filter hook output"
+
+  # 3.4.2.4 Ensure host based firewall loopback traffic is configured (Automated) - Not implemented
+  # 3.4.2.5 Ensure firewalld drops unnecessary services and ports (Manual) - Not Implemented
+  # 3.4.2.6 Ensure nftables established connections are configured (Manual) - Not Implemented
+
+  # 3.4.2.7 Ensure nftables default deny firewall policy (Automated)
+  - id: 28078
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: 'If NFTables utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \; } Example: # nft chain inet filter input { policy drop \; } # nft chain inet filter forward { policy drop \; }.'
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - nist_sp_800-53: ["CA-9"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables.service -> r:enabled"
+      - "not c:nft list ruleset -> r:hook input && !r:policy drop"
+      - "not c:nft list ruleset -> r:hook forward && !r:policy drop"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+
+  # 4.1.1.1 Ensure auditd is installed (Automated).
+  - id: 28079
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd: # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AU-2", "AU-3", "AU-3(1)", "AU-12", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "9.4.5", "10.2"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled (Automated).
+  - id: 28080
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to update the grub2 configuration with audit=1: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.3 Ensure audit_backlog_limit is sufficient (Automated)
+  - id: 28081
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:^args=\.*\saudit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.1.4 Ensure auditd service is enabled (Automated)
+  - id: 28082
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured (Automated)
+  - id: 28083
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted (Automated)
+  - id: 28084
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - nist_sp_800-53: ["AU-8"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full (Automated)
+  - id: 28085
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root. set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - nist_sp_800-53: ["AU-2", "AU-8", "AU-12", "SI-5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  #############################################
+  # 4.1.3 Configure auditd rules
+  #############################################
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected (Automated)
+  - id: 28086
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: 'Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf " -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope " >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1047"]
+    condition: all
+    rules:
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+
+  # 4.1.3.2 Ensure actions as another user are always logged (Automated) - Not implemented
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected (Automated) - Not implemented
+  # 4.1.3.4 Ensure events that modify date and time information are collected (Automated) - Not implemented
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected (Automated) - Not implemented
+  # 4.1.3.6 Ensure use of privileged commands are collected (Automated) - Not implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected (Automated) - Not implemented
+  # 4.1.3.8 Ensure events that modify user/group information are collected (Automated) - Not implemented
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected (Automated) - Not implemented
+  # 4.1.3.10 Ensure successful file system mounts are collected (Automated) - Not implemented
+  # 4.1.3.11 Ensure session initiation information is collected (Automated) - Not implemented
+  # 4.1.3.12 Ensure login and logout events are collected (Automated) - Not implemented
+  # 4.1.3.13 Ensure file deletion events by users are collected (Automated) - Not implemented
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected (Automated) - Not implemented
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) - Not implemented
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) - Not implemented
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) - Not implemented
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) - Not implemented
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected (Automated) - Not implemented
+
+  # 4.1.3.20 Ensure the audit configuration is immutable (Automated)
+  - id: 28087
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: 'Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- "-e 2" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi.'
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2", "AU.L2-3.3.1"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1", "9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: any
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-e 2"
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-e 2'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same (Manual)
+  - id: 28088
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:No change$"
+
+  # 4.1.4 Configure auditd file access
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive (Automated) - Not implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files (Automated) - Not implemented
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files (Automated) - Not implemented
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive (Automated) - Not implemented
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive (Automated) - Not implemented
+  # 4.1.4.6 Ensure audit configuration files are owned by root (Automated) - Not implemented
+  # 4.1.4.7 Ensure audit configuration files belong to group root (Automated) - Not implemented
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive (Automated)
+  - id: 28089
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.9 Ensure audit tools are owned by root (Automated)
+  - id: 28090
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 4.1.4.10 Ensure audit tools belong to group root (Automated)
+  - id: 28091
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed (Automated)
+  - id: 28092
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled (Automated)
+  - id: 28093
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1211", "T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog (Manual)
+  - id: 28094
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - nist_sp_800-53: ["AC-3", "AU-2", "AU-4", "AU-12", "MP-2", "SI-5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3"]
+      - soc_2: ["PL1.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog=yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions configured (Automated)
+  - id: 28095
+    title: "Ensure rsyslog default file permissions configured."
+    description: "Rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has its own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - nist_sp_800-53: ["AC-3", "AU-2", "AU-4", "AU-12", "MP-2", "SI-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2", "AU.L2-3.3.1"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3", "10.2", "10.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1", "5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured (Manual) - Not implemented
+
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host (Manual)
+  - id: 28096
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+  - id: 28097
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. New format: module(load="imtcp") input(type="imtcp" port="514") -OR- Old format: $ModLoad imtcp $InputTCPServerRun - Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6", "AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5", "10.2", "10.3"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - nist_sp_800-53: ["AU-7"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: none
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:^\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+
+  ###############################################
+  # 4.2.2 Configure journald
+  ###############################################
+  ###############################################
+  # 4.2.2.1 Ensure journald is configured to send logs to a remote log host
+  ###############################################
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed (Manual)
+  - id: 28098
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured (Manual) - Not implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled (Manual)
+  - id: 28099
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "CM-7", "SI-5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client (Automated)
+  - id: 28100
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6", "AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5", "10.2", "10.3"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled (Automated)
+  - id: 28101
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 28102
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - soc_2: ["A1.1"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1053"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress\s*=\s*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk (Automated)
+  - id: 28103
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - nist_sp_800-53: ["AU-7"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog (Manual)
+  - id: 28104
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3"]
+      - nist_sp_800-53: ["AU-7", "AU-6(3)"]
+      - soc_2: ["PL1.4"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_mitigations: ["M1029"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy (Manual) - Not implemented
+  # 4.2.2.7 Ensure journald default file permissions configured (Manual) - Not implemented
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured (Manual) - Not implemented
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.1 Configure time-based job schedulers
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled (Automated)
+  - id: 28105
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron : # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Automated)
+  - id: 28106
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to this file could provide unprivileged users with the ability to elevate their privileges. Read access to this file could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Automated)
+  - id: 28107
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Automated)
+  - id: 28108
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Automated)
+  - id: 28109
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Automated)
+  - id: 28110
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Automated)
+  - id: 28111
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users (Automated) - Not implemented
+  # 5.1.9 Ensure at/cron is restricted to authorized users (Automated) - Not implemented
+  ###############################################
+  # 5.2 Configure SSH Server
+  ###############################################
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
+  - id: 28112
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod u-x,go-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured (Automated) - Not implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured (Automated) - Not implemented
+
+  # 5.2.4 Ensure SSH access is limited (Automated)
+  - id: 28113
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1018"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate (Automated)
+  - id: 28114
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - nist_sp_800-53: ["AU-2", "AU-12", "SI-5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0005"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - "f:/etc/ssh/sshd_config -> r:loglevel"
+
+  # 5.2.6 Ensure SSH PAM is enabled (Automated)
+  - id: 28115
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sUsePAM\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled (Automated)
+  - id: 28116
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitRootLogin\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled (Automated)
+  - id: 28117
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Automated)
+  - id: 28118
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitEmptyPasswords\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Automated)
+  - id: 28119
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1021"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled (Automated)
+  - id: 28120
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled (Automated)
+  - id: 28121
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1210"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*X11Forwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled (Automated)
+  - id: 28122
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - https://www.ssh.com/ssh/tunneling/example
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_mitigations: ["M1042"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden (Automated)
+  - id: 28123
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd; # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - nist_sp_800-53: ["SC-8"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> r:^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured (Automated)
+  - id: 28124
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - mitre_mitigations: ["M1035"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*/\w+'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+  - id: 28125
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured (Automated)
+  - id: 28126
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxStartups 10:30:60."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less (Automated)
+  - id: 28127
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - mitre_tactics: ["TA0040"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less (Automated)
+  - id: 28128
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.19"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1036"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured (Automated)
+  - id: 28129
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below are only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not, and never had, intentionally the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus may no longer be abused disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+      - "https://bugzilla.redhat.com/show_bug.cgi?id=1873547"
+      - "https://github.com/openssh/openssh-portable/blob/V_8_9/serverloop.c#L137"
+    compliance:
+      - cis: ["5.2.20"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare > 0'
+
+  ############################################################
+  # 5.3 Configure privilege escalation
+  ############################################################
+
+  # 5.3.1 Ensure sudo is installed (Automated)
+  - id: 28130
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo. # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.3.2 Ensure sudo commands use pty (Automated)
+  - id: 28131
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_mitigations: ["M1026", "M1038"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.3.3 Ensure sudo log file exists (Automated)
+  - id: 28132
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files. Creation of additional log files can cause disk space exhaustion if not correctly managed. You should configure logrotate to manage the sudo log in accordance with your local policy."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_mitigations: ["M1026"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # 5.3.4 Ensure users must provide password for escalation (Automated)
+  - id: 28133
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+  - id: 28134
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly (Automated)
+  - id: 28135
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - https://www.sudo.ws/man/1.9.0/sudoers.man.html
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - soc_2: ["CC6.1", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted (Automated)
+  - id: 28136
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup. Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 5.4 Configure authselect
+  ###############################################
+  # 5.4.1 Ensure custom authselect profile is used (Manual)
+  - id: 28137
+    title: "Ensure custom authselect profile is used."
+    description: "A custom profile can be created by copying and customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be customized to follow site specific requirements. You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host."
+    rationale: "A custom profile is required to customize many of the pam options. When you deploy a profile, the profile is applied to every user logging into the given host."
+    remediation: "Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> Example: # authselect create-profile custom-profile -b sssd --symlink-meta Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} Example: # authselect select custom/custom-profile with-sudo with-faillock without-nullok."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["16.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - pci_dss_3.2.1: ["6.3.2"]
+      - pci_dss_4.0: ["6.3.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+    condition: all
+    rules:
+      - 'c:authselect list -> r:^\w*\s*custom'
+      - "f:/etc/authselect/authselect.conf -> r:custom"
+
+  # 5.4.2 Ensure authselect includes with-faillock (Automated)
+  - id: 28138
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  ###############################################
+  # 5.5 Configure PAM
+  ###############################################
+  # 5.5.1 Ensure password creation requirements are configured (Automated)
+  - id: 28139
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more. Either of the following can be used to enforce complex passwords: - minclass=4 - provide at least four classes of characters for the new password. OR - dcredit=-1 - provide at least one digit. - ucredit=-1 - provide at least one uppercase character. - ocredit=-1 - provide at least one special character. - lcredit=-1 - provide at least one lowercase character. - The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy: minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy: minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Run the following script to update the system-auth and password-auth files: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.002", "T1110.003", "T1178.001", "T1178.002", "T1178.003", "T1178.004"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured (Automated)
+  - id: 28140
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked. - unlock_time=<n> - Time in seconds before the account is unlocked. Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be greater than 0 and no greater than 5. unlock_time should be 0 (never), or 900 seconds or greater. Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - pci_dss_3.2.1: ["8.1.3"]
+      - pci_dss_4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:unlock_time\s*\t*=\s*\t*(\d+) compare > 0 && n:unlock_time\s*\t*=\s*\t*(\d+) compare < 900'
+
+  # 5.5.3 Ensure password reuse is limited (Automated)
+  - id: 28141
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^#\\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwhistory\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt (Automated)
+  - id: 28142
+    title: "Ensure password hashing algorithm is SHA-512 or yescrypt."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: 'Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep ''custom/'')/$fn" if ! grep -Pq -- ''^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)? \h+sha512\b.*$'' "$file"; then if grep -Pq -- ''^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)? \h+(md5|blowfish|bigcrypt|sha256)\b.*$'' "$file"; then sed -ri ''s/(md5|blowfish|bigcrypt|sha256)/sha512/'' "$file" else sed -ri ''s/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix.so\s+)(.*)$/\1s ha512 \3/'' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID''s be immediately expired and forced to change their passwords on next login.'
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1041"]
+    condition: all
+    rules:
+      - 'f:/etc/libuser.conf -> r:^\s*\t*crypt_style\s*\t*=\s*\t*sha512|^\s*crypt_style\s*\t*=\s*\t*yescrypt'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD SHA512|^\s*\t*ENCRYPT_METHOD YESCRYPT'
+      - 'f:/etc/pam.d/password-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+
+  ###############################################
+  # 5.6 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.6.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.6.1.1 Ensure password expiration is 365 days or less (Automated)
+  - id: 28143
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is configured (Automated)
+  - id: 28144
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs: PASS_MIN_DAYS 1 and modify user parameters for all users with a password set to match: chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110.004"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> n:^\w+:\S*:\S*:(\d+):\S*:\S*:\S*:\S*:\S* compare < 1'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*::\S*:\S*:\S*:\S*:\S*'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more (Automated)
+  - id: 28145
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 and modify user parameters for all users with a password set to match: chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less (Automated)
+  - id: 28146
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: useradd -D -f 30 and modify user parameters for all users with a password set to match: chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*\t*(\d+) compare <= 30'
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past (Automated) - Not implemented
+  # 5.6.2 Ensure system accounts are secured (Automated) - Not implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0 (Automated)
+  - id: 28147
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.2", "CM.L2-3.4.7"]
+      - pci_dss_3.2.1: ["2.2", "11.5"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.5.1", "1.2.7", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.14.2.5"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive (Automated) - Not Implemented
+
+  # 5.6.6 Ensure root password is set (Automated)
+  - id: 28148
+    title: "Ensure root password is set."
+    description: "There are a number of methods to access the root account directly. Without a password set any user would be able to gain access and thus control over the entire system."
+    rationale: "Access to root should be secured at all times."
+    impact: "If there are any automated processes that relies on access to the root account without authentication, they will fail after remediation."
+    remediation: "Set the root password with: # passwd root."
+    compliance:
+      - cis: ["5.6.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - mitre_techniques: ["T1078"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1026"]
+    condition: all
+    rules:
+      - "c:passwd -S root -> r:Password set"
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+  # 6.1.1 Ensure permissions on /etc/passwd are configured (Automated)
+  - id: 28149
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured (Automated)
+  - id: 28150
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- -> r:0/root 0/root && r:644|640|604|600'
+
+    # 6.1.3 Ensure permissions on /etc/group are configured (Automated)
+  - id: 28151
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured (Automated)
+  - id: 28152
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/group- -> r:0/root 0/root && r:644|640|604|600'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured  (Automated)
+  - id: 28153
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/shadow -> r:\s0 0/root 0/root'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured (Automated)
+  - id: 28154
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow-: # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/shadow- ->  r:\s0 0/root 0/root'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured (Automated)
+  - id: 28155
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow: # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow ->  r:\s0 0/root 0/root'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured (Automated)
+  - id: 28156
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_mitigations: ["M1022"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow- ->  r:\s0 0/root 0/root'
+
+  # 6.1.9 Ensure no world writable files exist (Automated) - Not implemented
+  # 6.1.10 Ensure no unowned files or directories exist (Automated) - Not implemented, requires manual operation.
+  # 6.1.11 Ensure no ungrouped files or directories exist (Automated) - Not implemented, requires manual operation.
+  # 6.1.12 Ensure sticky bit is set on all world-writable directories (Automated) - Not implemented, requires manual operation.
+  # 6.1.13 Audit SUID executables (Manual) - Not implemented, requires manual operation.
+  # 6.1.14 Audit SGID executables (Manual) - Not implemented, requires manual operation.
+  # 6.1.15 Audit system file permissions (Manual) - Not implemented, requires manual operation.
+
+  ################################################
+  # 6.2 Local User and Group Settings
+  ################################################
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+  - id: 28157
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, the passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty (Automated)
+  - id: 28158
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: passwd -l <username>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_mitigations: ["M1027"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group - Not implemented, requires manual operation.
+  # 6.2.4 Ensure no duplicate UIDs exist - Not implemented, requires manual operation.
+  # 6.2.5 Ensure no duplicate GIDs exist - Not implemented, requires manual operation.
+  # 6.2.6 Ensure no duplicate user names exist - Not implemented, requires manual operation.
+  # 6.2.7 Ensure no duplicate group names exist - Not implemented, requires manual operation.
+  # 6.2.8 Ensure root PATH Integrity - Not implemented, requires manual operation.
+
+  # 6.2.9 Ensure root is the only UID 0 account (Automated)
+  - id: 28159
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - mitre_techniques: ["T1548"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_mitigations: ["M1026"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*root && n:^\w+:\S*:(\d+):\S*:\S*:\S*:\S* compare == 0'
+
+  # 6.2.10 Ensure local interactive users home directories exist - Not implemented, requires manual operation.
+  # 6.2.11 Ensure local interactive users own their home directories - Not implemented, requires manual operation.
+  # 6.2.12 Ensure local interactive users home directories are mode 750 or more restrictive - Not implemented, requires manual operation.
+  # 6.2.13 Ensure no local interactive users have .netrc files - Not implemented, requires manual operation.
+  # 6.2.14 Ensure no local interactive users have .forward files - Not implemented, requires manual operation.
+  # 6.2.15 Ensure no local interactive users have .rhosts files - Not implemented, requires manual operation.
+  # 6.2.16 Ensure local interactive user dot files are not group or world writable - Not implemented, requires manual operation.
diff --git a/etc/ruleset/sca/rocky/cis_rocky_linux_8.yml b/etc/ruleset/sca/rocky/cis_rocky_linux_8.yml
new file mode 100644
index 0000000000..2f7ee467e0
--- /dev/null
+++ b/etc/ruleset/sca/rocky/cis_rocky_linux_8.yml
@@ -0,0 +1,4183 @@
+# Security Configuration Assessment
+# CIS Checks for Rocky Linux 8
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Rocky Linux 8 Benchmark v1.0.0 - 03-29-2022
+
+policy:
+  id: "cis_rocky_linux_8"
+  file: "cis_rocky_linux_8.yml"
+  name: "CIS Rocky Linux 8 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Rocky Linux 8 systems running on x86_64 platforms.This document was tested against Rocky Linux 8."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RL8 family platform."
+  description: "Requirements for running the policy against RL 8 family."
+  condition: any
+  rules:
+    - 'f:/etc/redhat-release -> r:^Rocky Linux && r:release 8\p*'
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  ###############################################
+  # 1 Initial setup
+  ###############################################
+  ###############################################
+  # 1.1 Filesystem Configuration
+  ###############################################
+  ###############################################
+  # 1.1.1 Disable unused filesystems
+  ###############################################
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated)
+  - id: 30500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs. Example: # printf "install cramfs /bin/false blacklist cramfs " >> /etc/modprobe.d/cramfs.conf Run the following command to unload the cramfs module: # modprobe -r cramfs.'
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:install /bin/false|Module cramfs not found"
+      - "not c:lsmod -> r:cramfs"
+      - 'd:/etc/modprobe.d/ -> r:\.*.conf -> r:^blacklist\s+cramfs'
+
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 30501
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with the lines that reads install squashfs /bin/false and blacklist squashfs. Example: # printf "install squashfs /bin/false blacklist squashfs " >> /etc/modprobe.d/squashfs.conf Run the following command to unload the squashfs module: # modprobe -r squashfs.'
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/false|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d/ -> r:\.*.conf -> r:^blacklist\s+squashfs'
+
+  # 1.1.1.3 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 30502
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install udf /bin/false. Example: # printf "install udf /bin/false blacklist udf " >> /etc/modprobe.d/udf.conf Run the following command to unload the udf module: # modprobe -r udf.'
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/false|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d/ -> r:\.*.conf -> r:^blacklist\s+udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 30503
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 30504
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 30505
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 30506
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ###############################################
+  # 1.1.3 Configure /var
+  ###############################################
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 30507
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 30508
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure noexec option set on /var partition. (Automated)
+  - id: 30509
+    title: "Ensure noexec option set on /var partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:noexec"
+
+  # 1.1.3.4 Ensure nosuid option set on /var partition. (Automated)
+  - id: 30510
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ###############################################
+  # 1.1.4 Configure /var/tmp
+  ###############################################
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 30511
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary file residing in /var/tmp is to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 30512
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 30513
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 30514
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  ###############################################
+  # 1.1.5 Configure /var/log
+  ###############################################
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 30515
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contain the log files that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 30516
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 30517
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 30518
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  ###############################################
+  # 1.1.6 Configure /var/log/audit
+  ###############################################
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 30519
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contain the audit.log file that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 30520
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 30521
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 30522
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  ###############################################
+  # 1.1.7 Configure /home
+  ###############################################
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 30523
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 30524
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 30525
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  # 1.1.7.4 Ensure usrquota option set on /home partition. (Automated)
+  - id: 30526
+    title: "Ensure usrquota option set on /home partition."
+    description: "The usrquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add usrquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.user Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:usrquota"
+      - "c:quotaon -p /home -> r:user quota"
+
+  # 1.1.7.5 Ensure grpquota option set on /home partition. (Automated)
+  - id: 30527
+    title: "Ensure grpquota option set on /home partition."
+    description: "The grpquota mount option allows for the filesystem to have disk quotas configured."
+    rationale: "To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern."
+    remediation: "Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home Create the quota database. This example will ignore any existing quota files. # quotacheck -cugv /home quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown. quotacheck: Scanning /dev/sdb [/home] done quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted. quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted. quotacheck: Checked 8 directories and 0 files quotacheck: Old file not found. quotacheck: Old file not found. Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail. # restorecon /home/aquota.group Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on."
+    compliance:
+      - cis: ["1.1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:grpquota"
+      - "c:quotaon -p /home -> r:user quota"
+
+  ###############################################
+  # 1.1.8 Configure /dev/shm
+  ###############################################
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 30528
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 30529
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 30530
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 30531
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # dnf remove autofs Run the following command to disable autofs if it is required: # systemctl --now disable autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service"
+      - "not c:systemctl is-enabled autofs -> r:enabled"
+
+  # 1.1.10 Disable USB Storage. (Automated)
+  - id: 30532
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb_storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: rmmod usb-storage."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+  # 1.2.1 Ensure GPG keys are configured (Manual) - Not Implemented
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 30533
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^\s*gpgcheck\s*=\s*1'
+      - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 30534
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 30535
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+  # 1.4.1 Ensure bootloader password is set. (Automated) - Not Implemented
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated) - Not Implemented
+  # 1.4.3 Ensure authentication is required when booting into rescue mode. (Automated)
+  - id: 30536
+    title: "Ensure authentication is required when booting into rescue mode."
+    description: "Rescue mode (former single user mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in rescue mode (former single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials."
+    remediation: "The systemd drop-in files must be created if it is necessary to change the default settings: Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf which contains only the configuration to be overridden: [Service] ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/usr/lib/systemd/system/rescue.service -> r:ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
+      - 'd:/etc/systemd/system/rescue.service.d/ -> r:\.*.conf -> r:ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 30537
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 30538
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - nist_sp_800-53: ["CM-6b"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+  ###############################################
+  # 1.6 Mandatory Access Control
+  ###############################################
+  ###############################################
+  # 1.6.1 Configure SELinux
+  ###############################################
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 30539
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 30540
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0'."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 30541
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 30542
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 30543
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux poli cy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 30544
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 30545
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 30546
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  ###############################################
+  # 1.7 Command Line Warning Banners
+  ###############################################
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 30547
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 30548
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 30549
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 30550
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 30551
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 30552
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 1.8 GNOME Display Manager
+  ###############################################
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Manual)
+  - id: 30553
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the GUI from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 30554
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Note: If a graphical login is not required, it should be removed to reduce the attack surface of the system."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/01-banner-message) [org/gnome/login-screen] banner-message-enable=true banner-message-text='<banner message>' Example Banner Text: 'Authorized users only. All activity may be monitored and reported.' Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dconf/profile/gdm -> r:^user-db:user\s*system-db:gdm\s*file-db:/usr/share/gdm/greeter-dconf-defaults$'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\.* -> r:s*\[org/gnome/login-screen\]\s*banner-message-enable=true\s*banner-message-text=\w+'
+
+  # 1.8.3 Ensure last logged in user display is disabled. (Automated)
+  - id: 30555
+    title: "Ensure last logged in user display is disabled."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Displaying the last logged in user eliminates half of the Userid/Password equation that an unauthorized person would need to log on. Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Notes: - - If a graphical login is not required, it should be removed to reduce the attack surface of the system. If a different GUI login service is in use and required on the system, consult your documentation to disable displaying the last logged on user."
+    remediation: "Edit or create the file /etc/dconf/profile/gdm and add the following: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Edit or create the file /etc/dconf/db/gdm.d/ and add the following: (This is typically /etc/dconf/db/gdm.d/00-login-screen) [org/gnome/login-screen] # Do not show the user list disable-user-list=true Run the following command to update the system databases: # dconf update."
+    compliance:
+      - cis: ["1.8.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dconf/profile/gdm -> r:^user-db:user\s*system-db:gdm\s*file-db:/usr/share/gdm/greeter-dconf-defaults$'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\.* -> r:s*\[org/gnome/login-screen\]\s*disable-user-list=true'
+
+  # 1.8.4 Ensure XDMCP is not enabled. (Automated)
+  - id: 30556
+    title: "Ensure XDMCP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line Enable=true."
+    references:
+      - "https://help.gnome.org/admin/gdm/2.32/configuration.html.en"
+    compliance:
+      - cis: ["1.8.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.8.5 Ensure automatic mounting of removable media is disabled. (Automated)
+  - id: 30557
+    title: "Ensure automatic mounting of removable media is disabled."
+    description: "By default GNOME automatically mounts removable media when inserted as a convenience to the user."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "Ensure that automatic mounting of media is disabled for all GNOME users: # cat << EOF >> /etc/dconf/db/local.d/00-media-automount [org/gnome/desktop/media-handling] automount=false automount-open=false EOF Apply the changes with: # dconf update."
+    references:
+      - "https://access.redhat.com/solutions/20107"
+    compliance:
+      - cis: ["1.8.5"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - "c:gsettings get org.gnome.desktop.media-handling automount -> r:false"
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 30558
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 30559
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  ###############################################
+  # 2 Services
+  ###############################################
+  ###############################################
+  # 2.1 Time Synchronization
+  ###############################################
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 30560
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 30561
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  ###############################################
+  # 2.2 Special Purpose Services
+  ###############################################
+  # 2.2.1 Ensure xinetd is not installed. (Automated)
+  - id: 30562
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed to reduce the attack surface are of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."
+    remediation: "Run the following command to remove xinetd: # dnf remove xinetd."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:^package xinetd is not installed"
+
+  # 2.2.2 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 30563
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.3 Ensure Avahi Server is not installed. (Automated)
+  - id: 30564
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi-autoipd and avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi-autoipd avahi."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi-autoipd -> r:^package avahi-autoipd is not installed"
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.4 Ensure CUPS is not installed. (Automated)
+  - id: 30565
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed. (Automated)
+  - id: 30566
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the rpm -q dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.6 Ensure DNS Server is not installed. (Automated)
+  - id: 30567
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.7 Ensure FTP Server is not installed. (Automated)
+  - id: 30568
+    title: "Ensure FTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.2.8 Ensure VSFTP Server is not installed. (Automated)
+  - id: 30569
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.9 Ensure TFTP Server is not installed. (Automated)
+  - id: 30570
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.10 Ensure a web server is not installed. (Automated)
+  - id: 30571
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.11 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 30572
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.12 Ensure Samba is not installed. (Automated)
+  - id: 30573
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.13 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 30574
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.14 Ensure net-snmp is not installed. (Automated)
+  - id: 30575
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.15 Ensure NIS server is not installed. (Automated)
+  - id: 30576
+    title: "Ensure NIS server is not installed."
+    description: "The ypserv package provides the Network Information Service (NIS). This service, formally known as Yellow Pages, is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the ypserv package be removed, and if required a more secure services be used."
+    remediation: "Run the following command to remove ypserv: # dnf remove ypserv."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:^package ypserv is not installed"
+
+  # 2.2.16 Ensure telnet-server is not installed. (Automated)
+  - id: 30577
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.17 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 30578
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 30579
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-package is required as a dependency, the nfs-server should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 30580
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind and rpcbind.socket services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"
+
+  # 2.2.20 Ensure rsync is not installed or the rsyncd service is masked. (Automated)
+  - id: 30581
+    title: "Ensure rsync is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.20"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:^package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 30582
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the ypbind package: # dnf remove ypbind."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:^package ypbind is not installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 30583
+    title: "Ensure rsh client is not installed."
+    description: "The rsh package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the rsh package: # dnf remove rsh."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:^package rsh is not installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 30584
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the talk package: # dnf remove talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:^package talk is not installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 30585
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 30586
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.6 Ensure TFTP client is not installed. (Automated)
+  - id: 30587
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Disable unused network protocols and devices
+  ###############################################
+  # 3.1.1 Verify if IPv6 is enabled on the system. (Manual) - Not Implemented
+  # 3.1.2 Ensure SCTP is disabled. (Automated)
+  - id: 30588
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install sctp /bin/true " >> /etc/modprobe.d/sctp.conf.'
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v sctp -> r:install /bin/true"
+      - "not c:lsmod -> r:sctp"
+
+  # 3.1.3 Ensure DCCP is disabled. (Automated)
+  - id: 30589
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: 'Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: printf " install dccp /bin/true " >> /etc/modprobe.d/dccp.conf.'
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v dccp -> r:install /bin/true"
+      - "not c:lsmod -> r:dccp"
+
+  # 3.1.4 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.2 Network Parameters (Host Only)
+  ###############################################
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+  ###############################################
+  # 3.4 Firewall Configuration
+  ###############################################
+  ###############################################
+  # 3.4.1 Configure firewalld
+  ###############################################
+  # 3.4.1.1 Ensure firewalld is installed. (Automated)
+  - id: 30590
+    title: "Ensure firewalld is installed."
+    description: "firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the iptables backend or provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables utility. firewalld replaces iptables as the default firewall management tool. Use the firewalld utility to configure a firewall for less complex firewalls. The utility is easy to use and covers the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the nft command line program."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. FirewallD is dependent on the iptables package."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install FirewallD and iptables: # dnf install firewalld iptables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:rpm -q firewalld iptables -> r:firewalld\w*|iptables\w*'
+
+  # 3.4.1.2 Ensure iptables-services not installed with firewalld. (Automated)
+  - id: 30591
+    title: "Ensure iptables-services not installed with firewalld."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both firewalld and the services included in the iptables-services package may lead to conflict."
+    impact: "Running both firewalld and iptables/ip6tables service may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services -> r:^package iptables-services is not installed"
+
+  # 3.4.1.3 Ensure nftables either not installed or masked with firewalld. (Automated)
+  - id: 30592
+    title: "Ensure nftables either not installed or masked with firewalld."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both firewalld and nftables may lead to conflict. Note: - Support for using nftables as the back-end for firewalld was added in release v0.6.0 firewalld may be configured as the front-end to nftables. If this case, nftables should - be stopped and masked instead of removed."
+    remediation: 'Run the following command to remove nftables: # dnf remove nftables OR Run the following command to stop and mask nftables" systemctl --now mask nftables.'
+    compliance:
+      - cis: ["3.4.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+      - "c:systemctl is-active nftables -> r:inactive"
+      - "c:systemctl is-enabled nftables -> r:masked"
+
+  # 3.4.1.4 Ensure firewalld service enabled and running. (Automated)
+  - id: 30593
+    title: "Ensure firewalld service enabled and running."
+    description: "firewalld.service enables the enforcement of firewall rules configured through firewalld."
+    rationale: "Ensure that the firewalld.service is enabled and running to enforce firewall rules configured through firewalld."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask firewalld # systemctl unmask firewalld Run the following command to enable and start firewalld # systemctl --now enable firewalld."
+    compliance:
+      - cis: ["3.4.1.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:enabled"
+      - "c:firewall-cmd --state -> r:running"
+
+  # 3.4.1.5 Ensure firewalld default zone is set. (Automated) - Not Implemented
+  # 3.4.1.6 Ensure network interfaces are assigned to appropriate zone. (Manual) - Not Implemented
+  # 3.4.1.7 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+  ###############################################
+  # 3.4.2 Configure firewall rules
+  ###############################################
+  # 3.4.2.1 Ensure nftables is installed. (Automated)
+  - id: 30594
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Note: - nftables is available in Linux kernel 3.13 and newer. - Only one firewall utility should be installed and configured."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.4.2.2 Ensure firewalld is either not installed or masked with nftables. (Automated)
+  - id: 30595
+    title: "Ensure firewalld is either not installed or masked with nftables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running both nftables.service and firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # dnf remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld package -> r:firewalld is not installed"
+      - "c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  # 3.4.2.3 Ensure iptables-services not installed with nftables. (Automated)
+  - id: 30596
+    title: "Ensure iptables-services not installed with nftables."
+    description: "The iptables-services package contains the iptables.service and ip6tables.service. These services allow for management of the Host Based Firewall provided by the iptables package."
+    rationale: "iptables.service and ip6tables.service are still supported and can be installed with the iptables-services package. Running both nftables and the services included in the iptables-services package may lead to conflict."
+    remediation: "Run the following commands to stop the services included in the iptables-services package and remove the iptables-services package # systemctl stop iptables # systemctl stop ip6tables # dnf remove iptables-services."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q iptables-services package -> r:iptables-services is not installed"
+
+  # 3.4.2.4 Ensure iptables are flushed with nftables. (Manual)
+  - id: 30597
+    title: "Ensure iptables are flushed with nftables."
+    description: "nftables is a replacement for iptables, ip6tables, ebtables and arptables."
+    rationale: "It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded."
+    remediation: "Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F."
+    compliance:
+      - cis: ["3.4.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: none
+    rules:
+      - "not c:iptables -L --state -> r:w*"
+      - "not c:ip6tables -L --state -> r:w*"
+  # 3.4.2.5 Ensure an nftables table exists. (Automated)
+  - id: 30598
+    title: "Ensure an nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.4.2.5"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+      - "c:rpm -q nftables -> r:^nftables-"
+
+  # 3.4.2.6 Ensure nftables base chains exist. (Automated)
+  - id: 30599
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:filter hook input"
+      - "c:nft list ruleset -> r:filter hook forward"
+      - "c:nft list ruleset -> r:filter hook output"
+
+  # 3.4.2.7 Ensure nftables loopback traffic is configured. (Automated) - Not Implemented
+  # 3.4.2.8 Ensure nftables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.2.9 Ensure nftables default deny firewall policy. (Automated)
+  - id: 30600
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:policy drop"
+      - "c:nft list ruleset -> r:policy drop"
+      - "c:nft list ruleset -> r:policy drop"
+
+  # 3.4.2.10 Ensure nftables service is enabled. (Automated)
+  - id: 30601
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.4.2.10"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.4.2.11 Ensure nftables rules are permanent. (Automated)
+  - id: 30602
+    title: "Ensure nftables rules are permanent."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/sysconfig/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered."
+    rationale: "Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot."
+    remediation: 'Edit the /etc/sysconfig/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot: Example: include "/etc/nftables/nftables.rules".'
+    compliance:
+      - cis: ["3.4.2.11"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/sysconfig/nftables.conf -> r:^include"
+
+  ############################################################
+  # 3.4.3 Configure iptables.
+  ############################################################
+  ############################################################
+  # 3.4.3.1 Configure iptables software.
+  ############################################################
+  # 3.4.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 30603
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-services # dnf install iptables iptables-services."
+    compliance:
+      - cis: ["3.4.3.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:rpm -q iptables iptables-services -> r:/iptables\w*|iptables-services\w*'
+
+  # 3.4.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 30604
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # dnf remove nftables."
+    compliance:
+      - cis: ["3.4.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9", "CM-7"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^package nftables is not installed"
+
+  # 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables. (Automated)
+  - id: 30605
+    title: "Ensure firewalld is either not installed or masked with iptables."
+    description: 'firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall "zones" to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options.'
+    rationale: "Running iptables.service and\\or ip6tables.service with firewalld.service may lead to conflict and unexpected results."
+    remediation: "Run the following command to remove firewalld # yum remove firewalld OR Run the following command to stop and mask firewalld # systemctl --now mask firewalld."
+    compliance:
+      - cis: ["3.4.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.8"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.1.6", "1.2.1", "1.3.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.1", "1.2.5", "1.4.1", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:systemctl status firewalld -> r:active (running)"
+      - "c:systemctl is-enabled firewalld -> r:masked"
+
+  ############################################################
+  # 3.4.3.2 Configure IPv4 iptables
+  ############################################################
+  # 3.4.3.2.1 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 30606
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.4.3.2.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:iptables -L INPUT -v -n -> r:chain input"
+      - "c:iptables -L OUTPUT -v -n -> r:chain output"
+
+  # 3.4.3.2.2 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.2.3 Ensure iptables rules exist for all open ports. (Automated) - Not implemented
+  # 3.4.3.2.4 Ensure iptables default deny firewall policy. (Automated)
+  - id: 30607
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.2.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:INPUT && r:policy DROP"
+      - "c:iptables -L -> r:FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:OUTPUT && r:policy DROP"
+
+  # 3.4.3.2.5 Ensure iptables rules are saved. (Automated) - Not Implemented
+  # 3.4.3.2.6 Ensure iptables is enabled and active. (Automated)
+  - id: 30608
+    title: "Ensure iptables is enabled and active."
+    description: "iptables.service is a utility for configuring and maintaining iptables."
+    rationale: "iptables.service will load the iptables rules saved in the file /etc/sysconfig/iptables at boot, otherwise the iptables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start iptables: # systemctl --now enable iptables."
+    compliance:
+      - cis: ["3.4.3.2.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled iptables -> r:enabled"
+      - "c:systemctl is-active iptables -> r:active"
+
+  ###############################################
+  # 3.4.3.3 Configure IPv6 ip6tables
+  ###############################################
+  # 3.4.3.3.1 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 30609
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.4.3.3.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:ACCEPT && r:all && r:lo\s*\t**'
+      - 'c:ip6tables -L INPUT -v -n -> r:DROP && r:all && r:*\s*\t** && r:::1'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:ACCEPT && r:all && r:*\s*\t*lo'
+
+  # 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+  # 3.4.3.3.4 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 30610
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.3.4"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:OUTPUT && r:policy DROP"
+
+  # 3.4.3.3.5 Ensure ip6tables rules are saved. (Automated) - Not Implemented
+  # 3.4.3.3.6 Ensure ip6tables is enabled and active. (Automated)
+  - id: 30611
+    title: "Ensure ip6tables is enabled and active."
+    description: "ip6tables.service is a utility for configuring and maintaining ip6tables."
+    rationale: "ip6tables.service will load the iptables rules saved in the file /etc/sysconfig/ip6tables at boot, otherwise the ip6tables rules will be cleared during a re-boot of the system."
+    remediation: "Run the following command to enable and start ip6tables: # systemctl --now start ip6tables."
+    compliance:
+      - cis: ["3.4.3.3.6"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ip6tables -> r:enabled"
+      - "c:systemctl is-active ip6tables -> r:active"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 30612
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_v3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditd service is enabled. (Automated)
+  - id: 30613
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 30614
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to add audit=1 to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 30615
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:^args=\.*\saudit_backlog_limit=(\d+) compare >= 8192'
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 30616
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 30617
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 30618
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root Set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  #############################################
+  # 4.1.3 Configure auditd rules
+  #############################################
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 30619
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated) - Not Implemented
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated) - Not Implemented
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated) - Not Implemented
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated) - Not Implemented
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated) - Not Implemented
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated) - Not Implemented
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated) - Not Implemented
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated) - Not Implemented
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated) - Not Implemented
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated) - Not Implemented
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated) - Not Implemented
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated) - Not Implemented
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated) - Not Implemented
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated) - Not Implemented
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 30620
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2\" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-e 2"
+      - 'd:/etc/audit/rules.d -> r:\.*.rules -> r:^-e 2'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 30621
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:No change$"
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 30622
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 30623
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 30624
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog=yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 30625
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual)
+  - id: 30626
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 30627
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:^\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+
+  ###############################################
+  # 4.2.2 Configure journald
+  ###############################################
+  ###############################################
+  # 4.2.2.1 Ensure journald is configured to send logs to a remote log host
+  ###############################################
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 30628
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 30629
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 30630
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 30631
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 30632
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress\s*=\s*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 30633
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 30634
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+  # 4.2.3 Ensure permissions on all logfiles are configured. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.1 Configure time-based job schedulers
+  ###############################################
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 30635
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 30636
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 30637
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 30638
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 30639
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 30640
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 30641
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated) - Not Implemented
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated) - Not Implemented
+  ###############################################
+  # 5.2 Configure SSH Server
+  ###############################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 30642
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 30643
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 30644
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - "f:/etc/ssh/sshd_config -> r:loglevel"
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 30645
+    title: "Ensure SSH PAM is enabled."
+    description: 'UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.'
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sUsePAM\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 30646
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitRootLogin\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 30647
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 30648
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitEmptyPasswords\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 30649
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 30650
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 30651
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*X11Forwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 30652
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 30653
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> r:^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 30654
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*/\w+'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 30655
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 30656
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 30657
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 30658
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 30659
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. o The client alive messages are sent through the encrypted channel o Setting ClientAliveCountMax to 0 disables connection termination Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes) - The recommended ClientAliveCountMax setting is 0 - At the 15 minute interval, if the ssh session is inactive, the session will be terminated."
+    impact: "In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0: ClientAliveInterval 900 ClientAliveCountMax 0."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare > 0 && n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare == 0'
+
+  ############################################################
+  # 5.3 Configure privilege escalation
+  ############################################################
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 30660
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 30661
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 30662
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 30663
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 30664
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 30665
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 30666
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 5.4 Configure authselect
+  ###############################################
+  # 5.4.1 Ensure custom authselect profile is used. (Manual)
+  - id: 30667
+    title: "Ensure custom authselect profile is used."
+    description: "A custom profile can be created by copying and customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be customized to follow site specific requirements. You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host."
+    rationale: "A custom profile is required to customize many of the pam options. When you deploy a profile, the profile is applied to every user logging into the given host."
+    remediation: "Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> Example: # authselect create-profile custom-profile -b sssd --symlink-meta Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} Example: # authselect select custom/custom-profile with-sudo with-faillock without-nullok."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["16.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - pci_dss_v3.2.1: ["6.3.2"]
+      - pci_dss_v4.0: ["6.3.1"]
+    condition: all
+    rules:
+      - 'c:authselect list -> r:^\w*\s*custom'
+      - "f:/etc/authselect/authselect.conf -> r:custom"
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 30668
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  ###############################################
+  # 5.5 Configure PAM
+  ###############################################
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 30669
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more ** Either of the following can be used to enforce complex passwords:** - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 30670
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be not greater than 5 and unlock_time should be 0 (never), or 900 seconds or greater. Depending on the version you are running, follow one of the two methods bellow. Versions 8.2 and later: Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900 Versions 8.0 and 8.1: Run the following script to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options. This script should be modified as needed to follow local site policy. #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=(0|[6-9]|[1- 9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/deny=\\S+/deny=5/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+deny=\\d*\\b.*$' \"$file\"; then sed -r 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 deny=5 \\4/' $file fi if grep -P -- '^\\h*(auth\\h+required\\h+pam_faillock\\.so\\h+)([^#\\n\\r]+)?\\h+unlock_time=([1- 9]|[1-9][0-9]|[1-8][0-9][0-9])\\b.*$' \"$file\"; then sed -ri '/pam_faillock.so/s/unlock_time=\\S+/unlock_time=900/g' \"$file\" elif ! grep -Pq -- '^\\h*auth\\h+required\\h+pam_faillock\\.so(\\h+[^#\\n\\r]+)?\\h+unlock_time=\\d*\\b.*$ ' \"$file\"; then sed -ri 's/^\\s*(auth\\s+required\\s+pam_faillock\\.so\\s+)([^{}#\\n\\r]+)?\\s*(\\{.*\\})?(.*)$ /\\1\\2\\3 unlock_time=900 \\4/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:unlock_time\s*\t*=\s*\t*(\d+) compare > 0 && n:unlock_time\s*\t*=\s*\t*(\d+) compare < 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 30671
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwhistory\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512. (Automated)
+  - id: 30672
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' $file fi fi done authselect apply-changes Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/libuser.conf -> r:^\s*\t*crypt_style\s*\t*=\s*\t*sha512'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD SHA512'
+      - 'f:/etc/pam.d/password-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+
+  ###############################################
+  # 5.6 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.6.1 Set Shadow Password Suite Parameters
+  ###############################################
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 30673
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is 7 or more. (Automated)
+  - id: 30674
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs : PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> n:^\w+:\S*:\S*:(\d+):\S*:\S*:\S*:\S*:\S* compare < 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*::\S*:\S*:\S*:\S*:\S*'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 30675
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 30676
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*\t*(\d+) compare <= 30'
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 30677
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+  # 6.1.1 Audit system file permissions. (Manual) - Not Implemented
+  # 6.1.2 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+  # 6.1.3 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 30678
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 30679
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 30680
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group: # chown root:root /etc/group # chmod u-x,g-wx,o-wx /etc/group."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 30681
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 30682
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 30683
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/shadow- : # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 30684
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0644/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.10 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 30685
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set owner, group, and permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.11 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.14 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit SGID executables. (Manual) - Not Implemented
+  ################################################
+  # 6.2 User and Group Settings
+  ################################################
+  # 6.2.1 Ensure password fields are not empty. (Automated)
+  - id: 30686
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> !r:^# && r:^\w+::'
+
+  # 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.3 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure root PATH Integrity. (Automated) - Not Implemented
+  # 6.2.8 Ensure root is the only UID 0 account. (Automated)
+  - id: 30687
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: 'This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in recommendation "Ensure access to the su command is restricted".'
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*root && n:^\w+:\S*:(\d+):\S*:\S*:\S*:\S* compare == 0'
+
+  # 6.2.9 Ensure all users' home directories exist. (Automated) - Not Implemented
+  # 6.2.10 Ensure users own their home directories. (Automated) - Not Implemented
+  # 6.2.11 Ensure users' home directories permissions are 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.12 Ensure users' dot files are not group or world writable. (Automated) - Not Implemented
+  # 6.2.13 Ensure users' .netrc Files are not group or world accessible. (Automated) - Not Implemented
+  # 6.2.14 Ensure no users have .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no users have .netrc files. (Automated) - Not Implemented
+  # 6.2.16 Ensure no users have .rhosts files. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/rocky/cis_rocky_linux_9.yml b/etc/ruleset/sca/rocky/cis_rocky_linux_9.yml
new file mode 100644
index 0000000000..2ce971b06c
--- /dev/null
+++ b/etc/ruleset/sca/rocky/cis_rocky_linux_9.yml
@@ -0,0 +1,4129 @@
+# Security Configuration Assessment
+# CIS Checks for Rocky Linux 9
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Rocky Linux 9 Benchmark v1.0.0 - 03-29-2022
+
+policy:
+  id: "cis_rocky_linux_9"
+  file: "cis_rocky_linux_9.yml"
+  name: "CIS Rocky Linux 9 Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Rocky Linux 9 systems running on x86_64 platforms.This document was tested against Rocky Linux 9."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check RL9 family platform."
+  description: "Requirements for running the policy against Rocky Linux 9 family."
+  condition: any
+  rules:
+    - 'f:/etc/redhat-release -> r:^Rocky Linux && r:release 9\p*'
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled. (Automated)
+  - id: 31500
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: 'As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software''s end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.'
+    remediation: "Run the following script to disable squashfs: #!/usr/bin/env bash { l_mname=\"squashfs\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/false|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+      - 'd:/etc/modprobe.d/ -> r:\.*.conf -> r:^blacklist\s+squashfs'
+
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled. (Automated)
+  - id: 31501
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    impact: "Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure."
+    remediation: "Run the following script to disable the udf filesystem: #!/usr/bin/env bash { l_mname=\"udf\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:install /bin/false|Module udf not found"
+      - "not c:lsmod -> r:udf"
+      - 'd:/etc/modprobe.d/ -> r:\.*.conf -> r:^blacklist\s+udf'
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 31502
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:^/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:enabled|static|generated"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 31503
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 31504
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 31505
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ###############################################
+  # 1.1.3 Configure /var
+  ###############################################
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 31506
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:^/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 31507
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+  - id: 31508
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  ###############################################
+  # 1.1.4 Configure /var/tmp
+  ###############################################
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 31509
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:^/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 31510
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 31511
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 31512
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  ###############################################
+  # 1.1.5 Configure /var/log
+  ###############################################
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 31513
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_techniques: ["T0005", "T1499", "T1499.001"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:^/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 31514
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nodev"
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 31515
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:noexec"
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 31516
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log -> r:nosuid"
+
+  ###############################################
+  # 1.1.6 Configure /var/log/audit
+  ###############################################
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 31517
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 31518
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:noexec"
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 31519
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nodev"
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 31520
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/log/audit -> r:nosuid"
+
+  ###############################################
+  # 1.1.7 Configure /home
+  ###############################################
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 31521
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:^/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 31522
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nodev"
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 31523
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /home -> r:nosuid"
+
+  ###############################################
+  # 1.1.8 Configure /dev/shm
+  ###############################################
+
+  # 1.1.8.1 Ensure /dev/shm is a separate partition. (Automated)
+  - id: 31524
+    title: "Ensure /dev/shm is a separate partition."
+    description: "The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC)."
+    rationale: "Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm."
+    impact: "Since the /dev/shm directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. /dev/shm utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /dev/shm defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 tmpfs."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+
+  # 1.1.8.2 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 31525
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nodev"
+
+  # 1.1.8.3 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 31526
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:noexec"
+
+  # 1.1.8.4 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 31527
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:^/dev/shm\s'
+      - "c:findmnt --kernel /dev/shm -> r:nosuid"
+
+  # 1.1.9 Disable USB Storage. (Automated)
+  - id: 31528
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files ensuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Run the following script to disable usb-storage: #!/usr/bin/env bash { l_mname=\"usb-storage\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$(tr '-' '_' <<< \"$l_mname\")\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["13.7"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.8.3.1"]
+      - mitre_mitigations: ["M1034"]
+      - mitre_tactics: ["TA0001", "TA0010"]
+      - mitre_techniques: ["T1091"]
+      - nist_sp_800-53: ["SC-18(4)"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  ###############################################
+  # 1.2 Configure Software Updates
+  ###############################################
+
+  # 1.2.1 Ensure GPG keys are configured. (Manual) - Not Implemented
+
+  # 1.2.2 Ensure gpgcheck is globally activated. (Automated)
+  - id: 31529
+    title: "Ensure gpgcheck is globally activated."
+    description: "The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation."
+    rationale: "It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source."
+    remediation: "Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\;."
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1195", "T1195.001"]
+      - nist_sp_800-53: ["SI-2"]
+      - pci_dss_3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/dnf/dnf.conf -> r:^\s*gpgcheck\s*=\s*1'
+      - 'not c:grep -Rh ^gpgcheck /etc/yum.repos.d/ -> r:gpgcheck\s*=\s*0'
+
+  # 1.2.3 Ensure package manager repositories are configured. (Manual) - Not Implemented
+  # 1.2.4 Ensure repo_gpgcheck is globally activated. (Manual) - Not Implemented
+
+  ###############################################
+  # 1.3 Filesystem Integrity Checking
+  ###############################################
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 31530
+    title: "Ensure AIDE is installed."
+    description: "Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # dnf install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz."
+    references:
+      - "http://aide.sourceforge.net/stable/manual.html"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1565", "T1565.001"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q aide -> r:aide-"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 31531
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1036", "T1036.005"]
+      - nist_sp_800-53: ["AU-2"]
+      - pci_dss_3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:active"
+
+  # 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+  - id: 31532
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: "Add or update the following selection lines for to a file ending in .conf in the /etc/aide.conf.d/ directory or to /etc/aide.conf to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512."
+    compliance:
+      - cis: ["1.3.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+    condition: all
+    rules:
+      - "f:/etc/aide/aide.conf"
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditctl\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditd\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/ausearch\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/aureport\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/autrace\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/augenrules\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+
+  ###############################################
+  # 1.4 Secure Boot Settings
+  ###############################################
+  # 1.4.1 Ensure bootloader password is set. (Automated) - Not Implemented
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated) - Not Implemented
+
+  ###############################################
+  # 1.5 Additional Process Hardening
+  ###############################################
+
+  # 1.5.1 Ensure core dump storage is disabled. (Automated)
+  - id: 31533
+    title: "Ensure core dump storage is disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems."
+    remediation: "Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*Storage\s*=\s*none'
+
+  # 1.5.2 Ensure core dump backtraces are disabled. (Automated)
+  - id: 31534
+    title: "Ensure core dump backtraces are disabled."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+    rationale: "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system."
+    remediation: "Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/coredump.conf.html"
+    compliance:
+      - cis: ["1.5.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+      - nist_sp_800-53: ["CM-6b"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/coredump.conf -> r:^\s*ProcessSizeMax\s*=\s*0'
+
+  # 1.5.3 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+
+  ###############################################
+  # 1.6 Mandatory Access Control
+  ###############################################
+  ###############################################
+  # 1.6.1 Configure SELinux
+  ###############################################
+
+  # 1.6.1.1 Ensure SELinux is installed. (Automated)
+  - id: 31535
+    title: "Ensure SELinux is installed."
+    description: "SELinux provides Mandatory Access Control."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run the following command to install SELinux: # dnf install libselinux."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:rpm -q libselinux -> r:^libselinux-"
+
+  # 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration. (Automated)
+  - id: 31536
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    impact: "Files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all. To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode. This can be a long running process that should be accounted for as it may extend downtime during initial re-boot."
+    remediation: "Run the following command to remove the selinux=0 and enforcing=0 parameters: grubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- '\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b' /boot/grub2 /boot/efi)\"."
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+      - 'f:/boot/grub2/grub.cfg -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0'
+
+  # 1.6.1.3 Ensure SELinux policy is configured. (Automated)
+  - id: 31537
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls'
+
+  # 1.6.1.4 Ensure the SELinux mode is not disabled. (Automated)
+  - id: 31538
+    title: "Ensure the SELinux mode is not disabled."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future."
+    remediation: "Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive."
+    references:
+      - "https://access.redhat.com/documentation/en-"
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$|^Permissive$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
+
+  # 1.6.1.5 Ensure the SELinux mode is enforcing. (Automated)
+  - id: 31539
+    title: "Ensure the SELinux mode is enforcing."
+    description: "SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t."
+    rationale: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."
+    remediation: "Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing."
+    references:
+      - "https://access.redhat.com/documentation/en-"
+    compliance:
+      - cis: ["1.6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:getenforce -> r:^Enforcing$"
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  # 1.6.1.6 Ensure no unconfined services exist. (Automated)
+  - id: 31540
+    title: "Ensure no unconfined services exist."
+    description: "Unconfined processes run in unconfined domains."
+    rationale: "For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them."
+    remediation: "Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:unconfined_service_t"
+
+  # 1.6.1.7 Ensure SETroubleshoot is not installed. (Automated)
+  - id: 31541
+    title: "Ensure SETroubleshoot is not installed."
+    description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+    rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+    remediation: "Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot."
+    compliance:
+      - cis: ["1.6.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa setroubleshoot -> r:setroubleshoot"
+
+  # 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed. (Automated)
+  - id: 31542
+    title: "Ensure the MCS Translation Service (mcstrans) is not installed."
+    description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf."
+    rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+    remediation: "Run the following command to uninstall mcstrans: # dnf remove mcstrans."
+    compliance:
+      - cis: ["1.6.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa mcstrans -> r:mcstrans"
+
+  ###############################################
+  # 1.7 Command Line Warning Banners
+  ###############################################
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 31543
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 31544
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 31545
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|rocky'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 31546
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 31547
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 31548
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  ###############################################
+  # 1.8 GNOME Display Manager
+  ###############################################
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Automated)
+  - id: 31549
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to remove the gdm package # dnf remove gdm."
+    references:
+      - "https://wiki.gnome.org/Projects/GDM"
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q gdm -> r:is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated)
+  - id: 31550
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Run the following script to verify that the banner message is enabled and set: #!/usr/bin/env bash { l_pkgoutput=\"\" if command -v dpkg-query > /dev/null 2>&1; then l_pq=\"dpkg-query -W\" elif command -v rpm > /dev/null 2>&1; then l_pq=\"rpm -q\" fi l_pcl=\"gdm gdm3\" # Space seporated list of packages to check for l_pn in $l_pcl; do $l_pq \"$l_pn\" > /dev/null 2>&1 && l_pkgoutput=\"$l_pkgoutput\\n - Package: \\\"$l_pn\\\" exists on the system\\n - checking configuration\" done if [ -n \"$l_pkgoutput\" ]; then l_gdmprofile=\"gdm\" # Set this to desired profile name IaW Local site policy l_bmessage=\"'Authorized uses only. All activity may be monitored and reported'\" # Set to desired banner message if [ ! -f \"/etc/dconf/profile/$l_gdmprofile\" ]; then echo \"Creating profile \\\"$l_gdmprofile\\\"\" echo -e \"user-db:user\\nsystem-db:$l_gdmprofile\\nfile- db:/usr/share/$l_gdmprofile/greeter-dconf-defaults\" > /etc/dconf/profile/$l_gdmprofile fi if [ ! -d \"/etc/dconf/db/$l_gdmprofile.d/\" ]; then echo \"Creating dconf database directory \\\"/etc/dconf/db/$l_gdmprofile.d/\\\"\" mkdir /etc/dconf/db/$l_gdmprofile.d/ fi if ! grep -Piq '^\\h*banner-message-enable\\h*=\\h*true\\b' /etc/dconf/db/$l_gdmprofile.d/*; then echo \"creating gdm keyfile for machine-wide settings\" if ! grep -Piq -- '^\\h*banner-message-enable\\h*=\\h*' /etc/dconf/db/$l_gdmprofile.d/*; then l_kfile=\"/etc/dconf/db/$l_gdmprofile.d/01-banner-message\" echo -e \"\\n[org/gnome/login-screen]\\nbanner-message-enable=true\" >> \"$l_kfile\" else l_kfile=\"$(grep -Pil -- '^\\h*banner-message-enable\\h*=\\h*' /etc/dconf/db/$l_gdmprofile.d/*)\" ! grep -Pq '^\\h*\\[org\\/gnome\\/login-screen\\]' \"$l_kfile\" && sed -ri '/^\\s*banner- message-enable/ i\\[org/gnome/login-screen]' \"$l_kfile\" ! grep -Pq '^\\h*banner-message-enable\\h*=\\h*true\\b' \"$l_kfile\" && sed -ri 's/^\\s*(banner-message-enable\\s*=\\s*)(\\S+)(\\s*.*$)/\\1true \\3//' \"$l_kfile\" # sed -ri '/^\\s*\\[org\\/gnome\\/login-screen\\]/ a\\\\nbanner-message-enable=true' \"$l_kfile\" fi fi if ! grep -Piq \"^\\h*banner-message-text=[\\'\\\"]+\\S+\" \"$l_kfile\"; then sed -ri \"/^\\s*banner-message-enable/ a\\banner-message-text=$l_bmessage\" \"$l_kfile\" fi dconf update else echo -e \"\\n\\n - GNOME Desktop Manager isn't installed\\n - Recommendation is Not Applicable\\n - No remediation required\\n\" fi } Note: - There is no character limit for the banner message. gnome-shell autodetects longer stretches of text and enters two column mode. - The banner message cannot be read from an external file. OR Run the following command to remove the gdm package: # dnf remove gdm."
+    references:
+      - "https://help.gnome.org/admin/system-admin-guide/stable/login-banner.html.en"
+    compliance:
+      - cis: ["1.8.2"]
+      - mitre_tactics: ["TA0007"]
+    condition: all
+    rules:
+      - 'f:/etc/dconf/profile/gdm -> r:^user-db:user\s*system-db:gdm\s*file-db:/usr/share/gdm/greeter-dconf-defaults$'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\.* -> r:s*\[org/gnome/login-screen\]\s*banner-message-enable=true\s*banner-message-text=\w+'
+
+  # 1.8.3 Ensure GDM disable-user-list option is enabled. (Automated) - Not Implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle. (Automated) - Not Implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden. (Automated) - Not Implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled. (Automated) - Not Implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden. (Automated) - Not Implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled. (Automated) - Not Implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden. (Automated) - Not Implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled. (Automated)
+  - id: 31551
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "not f:/etc/gdm3"
+      - 'not f:/etc/gdm3/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed. (Manual)
+  - id: 31552
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update Once the update process is complete, verify if reboot is required to load changes. dnf needs-restarting -r."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc_v8: ["7.3", "7.4"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - mitre_mitigations: ["M1051"]
+      - mitre_tactics: ["TA0004", "TA0008"]
+      - mitre_techniques: ["T1211"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\"" -> r:^\w'
+
+  # 1.10 Ensure system-wide crypto policy is not legacy. (Automated)
+  - id: 31553
+    title: "Ensure system-wide crypto policy is not legacy."
+    description: "The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package."
+    rationale: "If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457."
+    impact: "Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level."
+    remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies."
+    references:
+      - "https://access.redhat.com/articles/3642912#what-polices-are-provided-1"
+    compliance:
+      - cis: ["1.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - 'f:/etc/crypto-policies/config -> r:^\s*LEGACY'
+
+  ###############################################
+  # 2 Services
+  ###############################################
+  ###############################################
+  # 2.1 Time Synchronization
+  ###############################################
+
+  # 2.1.1 Ensure time synchronization is in use. (Automated)
+  - id: 31554
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "Run the following command to install chrony: # dnf install chrony."
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:rpm -q chrony -> r:^chrony-"
+
+  # 2.1.2 Ensure chrony is configured. (Automated)
+  - id: 31555
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: 'Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server> Add or edit the OPTIONS in /etc/sysconfig/chronyd to include ''-u chrony'': OPTIONS="-u chrony".'
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-12", "AU-3"]
+      - pci_dss_3.2.1: ["10.4"]
+      - pci_dss_4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony.conf"
+      - 'f:/etc/chrony.conf -> r:^\s*\t*server|^\s*\t*pool'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*\t*OPTIONS\.*-u chrony'
+
+  ###############################################
+  # 2.2 Special Purpose Services
+  ###############################################
+
+  # 2.2.1 Ensure xorg-x11-server-common is not installed. (Automated)
+  - id: 31556
+    title: "Ensure xorg-x11-server-common is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime.'
+    remediation: "Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 31557
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi-autoipd -> r:^package avahi-autoipd is not installed"
+      - "c:rpm -q avahi -> r:^package avahi is not installed"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 31558
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system."
+    impact: "Disabling CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run the following command to remove cups: # dnf remove cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:^package cups is not installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 31559
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dhcp: # dnf remove dhcp-server."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"
+
+  # 2.2.5 Ensure DNS Server is not installed. (Automated)
+  - id: 31560
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove bind: # dnf remove bind."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:^package bind is not installed"
+
+  # 2.2.6 Ensure VSFTP Server is not installed. (Automated)
+  - id: 31561
+    title: "Ensure VSFTP Server is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # dnf remove vsftpd."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:^package vsftpd is not installed"
+
+  # 2.2.7 Ensure TFTP Server is not installed. (Automated)
+  - id: 31562
+    title: "Ensure TFTP Server is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    impact: "TFTP is often used to provide files for network booting such as for PXE based installation of servers."
+    remediation: "Run the following command to remove tftp-server: # dnf remove tftp-server."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp-server -> r:^package tftp-server is not installed"
+
+  # 2.2.8 Ensure a web server is not installed. (Automated)
+  - id: 31563
+    title: "Ensure a web server is not installed."
+    description: "Web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required."
+    remediation: "Run the following command to remove httpd and nginx: # dnf remove httpd nginx."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nginx -> r:^package nginx is not installed"
+      - "c:rpm -q httpd -> r:^package httpd is not installed"
+
+  # 2.2.9 Ensure IMAP and POP3 server is not installed. (Automated)
+  - id: 31564
+    title: "Ensure IMAP and POP3 server is not installed."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."
+    remediation: "Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:^package dovecot is not installed"
+      - "c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"
+
+  # 2.2.10 Ensure Samba is not installed. (Automated)
+  - id: 31565
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # dnf remove samba."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:^package samba is not installed"
+
+  # 2.2.11 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 31566
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required."
+    remediation: "Run the following command to remove the squid package: # dnf remove squid."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:^package squid is not installed"
+
+  # 2.2.12 Ensure net-snmp is not installed. (Automated)
+  - id: 31567
+    title: "Ensure net-snmp is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove net-snmpd: # dnf remove net-snmp."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:^package net-snmp is not installed"
+
+  # 2.2.13 Ensure telnet-server is not installed. (Automated)
+  - id: 31568
+    title: "Ensure telnet-server is not installed."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to remove the telnet-server package: # dnf remove telnet-server."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6", "9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet-server -> r:^package telnet-server is not installed"
+
+  # 2.2.14 Ensure dnsmasq is not installed. (Automated)
+  - id: 31569
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # dnf remove dnsmasq."
+    compliance:
+      - cis: ["2.2.14"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+    condition: all
+    rules:
+      - "c:rpm -q dnsmasq -> r:^package dnsmasq is not installed"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 31570
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\s*127.0.0.1:25\s*|\s*::1:25\s*'
+
+  # 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked. (Automated)
+  - id: 31571
+    title: "Ensure nfs-utils is not installed or the nfs-server service is masked."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-utils package is required as a dependency, the nfs-server service should be disabled and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-utils package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1210"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q nfs-utils -> r:^package nfs-utils is not installed"
+      - "c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"
+
+  # 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked. (Automated)
+  - id: 31572
+    title: "Ensure rpcbind is not installed or the rpcbind services are masked."
+    description: "The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening."
+    rationale: "A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system."
+    impact: "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils package used for The Network File System (NFS), are dependent on the rpcbind package. If the rpcbind package is required as a dependency, the services rpcbind.service and rpcbind.socket should be stopped and masked to reduce the attack surface of the system."
+    remediation: "Run the following command to remove nfs-utils: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1498", "T1498.002", "T1543", "T1543.002"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
+      - "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"
+
+  # 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked. (Automated)
+  - id: 31573
+    title: "Ensure rsync-daemon is not installed or the rsyncd service is masked."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked."
+    impact: "There are packages that are dependent on the rsync package. If the rsync package is removed, these packages will be removed as well. Before removing the rsync-daemon package, review any dependent packages to determine if they are required on the system. If a dependent package is required, mask the rsyncd service and leave the rsync-daemon package installed."
+    remediation: "Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd."
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:^package rsync is not installed"
+      - "c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"
+
+  # 2.3.1 Ensure telnet client is not installed. (Automated)
+  - id: 31574
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Run the following command to remove the telnet package: # dnf remove telnet."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:^package telnet is not installed"
+
+  # 2.3.2 Ensure LDAP client is not installed. (Automated)
+  - id: 31575
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Run the following command to remove the openldap-clients package: # dnf remove openldap-clients."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"
+
+  # 2.3.3 Ensure TFTP client is not installed. (Automated)
+  - id: 31576
+    title: "Ensure TFTP client is not installed."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files."
+    rationale: "TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files."
+    remediation: "Run the following command to remove tftp: # dnf remove tftp."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q tftp -> r:^package tftp is not installed"
+
+  # 2.3.4 Ensure FTP client is not installed. (Automated)
+  - id: 31577
+    title: "Ensure FTP client is not installed."
+    description: "FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server)."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove ftp: # dnf remove ftp."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ftp -> r:^package ftp is not installed"
+
+  # 2.4 Ensure nonessential services listening on the system are removed or masked. (Manual) - Not Implemented
+
+  ###############################################
+  # 3 Network Configuration
+  ###############################################
+  ###############################################
+  # 3.1 Disable unused network protocols and devices
+  ###############################################
+
+  # 3.1.1 Ensure IPv6 status is identified. (Manual) - Not Implemented
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  # 3.1.3 Ensure TIPC is disabled. (Automated)
+  - id: 31578
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Run the following script to disable tipc: #!/usr/bin/env bash { l_mname=\"tipc\" # set module name # Check if the module exists on the system if [ -z \"$(modprobe -n -v \"$l_mname\" 2>&1 | grep -Pi -- \"\\h*modprobe:\\h+FATAL:\\h+Module\\h+$l_mname\\h+not\\h+found\\h+in\\h+directory\")\" ]; then # Remediate loadable l_loadable=\"$(modprobe -n -v \"$l_mname\")\" [ \"$(wc -l <<< \"$l_loadable\")\" -gt \"1\" ] && l_loadable=\"$(grep -P -- \"(^\\h*install|\\b$l_mname)\\b\" <<< \"$l_loadable\")\" if ! grep -Pq -- '^\\h*install \\/bin\\/(true|false)' <<< \"$l_loadable\"; then echo -e \" - setting module: \\\"$l_mname\\\" to be not loadable\" echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf fi # Remediate loaded if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then echo -e \" - unloading module \\\"$l_mname\\\"\" modprobe -r \"$l_mname\" fi # Remediate deny list if ! modprobe --showconfig | grep -Pq -- \"^\\h*blacklist\\h+$l_mname\\b\"; then echo -e \" - deny listing \\\"$l_mname\\\"\" echo -e \"blacklist $l_mname\" >> /etc/modprobe.d/\"$l_mname\".conf fi else echo -e \" - Nothing to remediate\\n - Module \\\"$l_mname\\\" doesn't exist on the system\" fi }."
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v7: ["9.2", "9.1"]
+      - iso_27001-2013: ["A.13.1.2", "A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1068", "T1210"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v tipc -> r:install /bin/true"
+      - "not c:lsmod -> r:tipc"
+
+  ###############################################
+  # 3.2 Network Parameters (Host Only)
+  ###############################################
+
+  # 3.2.1 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.3 Network Parameters (Host and Router)
+  ###############################################
+
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  ###############################################
+  # 3.4 Firewall Configuration
+  ###############################################
+  ###############################################
+  # 3.4.1 Configure firewalld
+  ###############################################
+
+  # 3.4.1.1 Ensure nftables is installed. (Automated)
+  - id: 31579
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    impact: "Changing firewall settings while connected over the network can result in being locked out of the system."
+    remediation: "Run the following command to install nftables # dnf install nftables."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:nftables-"
+
+  # 3.4.1.2 Ensure a single firewall configuration utility is in use. (Automated)
+  - id: 31580
+    title: "Ensure a single firewall configuration utility is in use."
+    description: "FirewallD - Is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed NFTables - Includes the nft utility for configuration of the nftables subsystem of the Linux kernel Note: firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct option."
+    rationale: "In order to configure firewall rules for nftables, a firewall utility needs to be installed and active of the system. The use of more than one firewall utility may produce unexpected results."
+    remediation: "Run the following script to ensure that a single firewall utility is in use on the system: #!/usr/bin/env bash { l_output=\"\" l_output2=\"\" l_fwd_status=\"\" l_nft_status=\"\" l_fwutil_status=\"\" # Determine FirewallD utility Status rpm -q firewalld > /dev/null 2>&1 && l_fwd_status=\"$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)\" # Determine NFTables utility Status rpm -q nftables > /dev/null 2>&1 && l_nft_status=\"$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)\" l_fwutil_status=\"$l_fwd_status:$l_nft_status\" case $l_fwutil_status in enabled:active:masked:inactive|enabled:active:disabled:inactive) echo -e \"\\n - FirewallD utility is in use, enabled and active\\n - NFTables utility is correctly disabled or masked and inactive\\n - no remediation required\" ;; masked:inactive:enabled:active|disabled:inactive:enabled:active) echo -e \"\\n - NFTables utility is in use, enabled and active\\n - FirewallD utility is correctly disabled or masked and inactive\\n - no remediation required\" ;; enabled:active:enabled:active) echo -e \"\\n - Both FirewallD and NFTables utilities are enabled and active\\n - stopping and masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables ;; enabled:*:enabled:*) echo -e \"\\n - Both FirewallD and NFTables utilities are enabled\\n - remediating\" if [ \"$(awk -F: '{print $2}' <<< \"$l_fwutil_status\")\" = \"active\" ] && [ \"$(awk -F: '{print $4}' <<< \"$l_fwutil_status\")\" = \"inactive\" ]; then echo \" - masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables elif [ \"$(awk -F: '{print $4}' <<< \"$l_fwutil_status\")\" = \"active\" ] && [ \"$(awk -F: '{print $2}' <<< \"$l_fwutil_status\")\" = \"inactive\" ]; then echo \" - masking FirewallD utility\" systemctl stop firewalld && systemctl --now mask firewalld fi ;; *:active:*:active) echo -e \"\\n - Both FirewallD and NFTables utilities are active\\n - remediating\" if [ \"$(awk -F: '{print $1}' <<< \"$l_fwutil_status\")\" = \"enabled\" ] && [ \"$(awk -F: '{print $3}' <<< \"$l_fwutil_status\")\" != \"enabled\" ]; then echo \" - stopping and masking NFTables utility\" systemctl stop nftables && systemctl --now mask nftables elif [ \"$(awk -F: '{print $3}' <<< \"$l_fwutil_status\")\" = \"enabled\" ] && [ \"$(awk -F: '{print $1}' <<< \"$l_fwutil_status\")\" != \"enabled\" ]; then echo \" - stopping and masking FirewallD utility\" systemctl stop firewalld && systemctl --now mask firewalld fi ;; :enabled:active) echo -e \"\\n - NFTables utility is in use, enabled, and active\\n - FirewallD package is not installed\\n - no remediation required\" ;; :) echo -e \"\\n - Neither FirewallD or NFTables is installed.\\n - remediating\\n - installing NFTables\" dnf -q install nftables ;; *:*:) echo -e \"\\n - NFTables package is not installed on the system\\n - remediating\\n - installing NFTables\" dnf -q install nftables ;; *) echo -e \"\\n - Unable to determine firewall state\" ;; esac }."
+    references:
+      - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-"
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
+      - "not c:firewall-cmd --state -> r:^running"
+      - "c:systemctl is-enabled firewalld -> r:^masked"
+
+  # 3.4.2.1 Ensure firewalld default zone is set. (Automated) - Not Implemented
+
+  # 3.4.2.2 Ensure at least one nftables table exists. (Automated)
+  - id: 31581
+    title: "Ensure at least one nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "Without a table, nftables will not filter network traffic."
+    impact: "Adding or modifying firewall rules can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example if FirewallD is not in use on the system: # nft create table inet filter Note: FirewallD uses the table inet firewalld NFTables table that is created when FirewallD is installed."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list tables -> r:^table"
+
+  # 3.4.2.3 Ensure nftables base chains exist. (Automated)
+  - id: 31582
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.3"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:filter hook input"
+      - "c:nft list ruleset -> r:filter hook forward"
+      - "c:nft list ruleset -> r:filter hook output"
+
+  # 3.4.2.4 Ensure host based firewall loopback traffic is configured. (Automated) - Not Implemented
+  # 3.4.2.5 Ensure firewalld drops unnecessary services and ports. (Manual) - Not Implemented
+  # 3.4.2.6 Ensure nftables established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.7 Ensure nftables default deny firewall policy. (Automated)
+  - id: 31583
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack. It is easier to explicitly permit acceptable usage than to deny unacceptable usage. Note: Changing firewall settings while connected over the network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "If NFTables utility is in use on your system: Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.7"]
+      - cis_csc_v8: ["4.4"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["CA-9"]
+      - pci_dss_3.2.1: ["1.1.4", "1.3.1"]
+      - pci_dss_4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:^nftables-"
+      - "c:nft list ruleset -> r:policy drop"
+      - "c:nft list ruleset -> r:policy drop"
+      - "c:nft list ruleset -> r:policy drop"
+
+  ############################################################
+  # 4 Logging and Auditing.
+  ############################################################
+  ############################################################
+  # 4.1 Configure System Accounting (auditd).
+  ############################################################
+  ############################################################
+  # 4.1.1 Ensure auditing is enabled.
+  ############################################################
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 31584
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # dnf install audit."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.2", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-3", "AU-3(1)", "SI-5"]
+      - pci_dss_3.2.1: ["10.1", "10.2", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["10.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:rpm -q audit -> r:^audit-"
+
+  # 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 31585
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: "Run the following command to update the grub2 configuration with audit=1: # grubby --update-kernel ALL --args 'audit=1'."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:grubby --info=ALL -> r:audit=1"
+
+  # 4.1.1.3 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 31586
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "The backlog limit has a default setting of 64."
+    rationale: "During boot if audit=1, then the backlog will hold 64 records. If more that 64 records are created during boot, auditd records will be lost and potential malicious activity could go undetected."
+    remediation: "Run the following command to add audit_backlog_limit=<BACKLOG SIZE> to GRUB_CMDLINE_LINUX: # grubby --update-kernel ALL --args 'audit_backlog_limit=<BACKLOG SIZE>' Example: # grubby --update-kernel ALL --args 'audit_backlog_limit=8192'."
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:grubby --info=ALL -> n:^args=\.*\saudit_backlog_limit=(\d+) compare >= 8192'
+
+  # 4.1.1.4 Ensure auditd service is enabled. (Automated)
+  - id: 31587
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+
+  ############################################################
+  # 4.1.2 Configure Data Retention
+  ############################################################
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 31588
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 31589
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-8"]
+      - pci_dss_3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 31590
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shut down the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "AU-8", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  #############################################
+  # 4.1.3 Configure auditd rules
+  #############################################
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 31591
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - d:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers -p wa -k scope|-w /etc/sudoers -p wa key=scope
+      - c:auditctl -l -> r:-w /etc/sudoers.d -p wa -k scope|-w /etc/sudoers.d -p wa key=scope
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated) - Not Implemented
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated) - Not Implemented
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated) - Not Implemented
+  # 4.1.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated) - Not Implemented
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+  # 4.1.3.10 Ensure successful file system mounts are collected. (Automated) - Not Implemented
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated) - Not Implemented
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated) - Not Implemented
+  # 4.1.3.13 Ensure file deletion events by users are collected. (Automated) - Not Implemented
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated) - Not Implemented
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated) - Not Implemented
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated) - Not Implemented
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated) - Not Implemented
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated) - Not Implemented
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected. (Automated) - Not Implemented
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated) - Not Implemented
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 31592
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["4.1.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:augenrules --check -> r:No change$"
+
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive. (Automated) - Not Implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files. (Automated) - Not Implemented
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files. (Automated)
+  - id: 31593
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file\\s*=\\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:log_group\s*\t*= && !r:adm|root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive. (Automated) - Not Implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive. (Automated)
+  - id: 31594
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%n %a\" {} + -> r:\\w+ -> !r:000|040|200|400|600|240|440|640"
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root. (Automated)
+  - id: 31595
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.rules' -o -name '*.conf' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root. (Automated)
+  - id: 31596
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive. (Automated)
+  - id: 31597
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:\w+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 4.1.4.9 Ensure audit tools are owned by root. (Automated)
+  - id: 31598
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:root|\\s*'
+
+  # 4.1.4.10 Ensure audit tools belong to group root. (Automated)
+  - id: 31599
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755 && r:\s*\t*root\s*\t*root'
+
+  ###############################################
+  # 4.2 Configure Logging
+  ###############################################
+  # 4.2.1 Configure rsyslog
+  ###############################################
+
+  # 4.2.1.1 Ensure rsyslog is installed. (Automated)
+  - id: 31600
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # dnf install rsyslog."
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q rsyslog -> r:^rsyslog-"
+
+  # 4.2.1.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 31601
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1211", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 4.2.1.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 31602
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AC-3", "AU-12", "AU-2", "AU-4", "MP-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog=yes'
+
+  # 4.2.1.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 31603
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has its own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'
+
+  # 4.2.1.5 Ensure logging is configured. (Manual) - Not Implemented
+
+  # 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual)
+  - id: 31604
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="LinkedList" queue.size="1000") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* @@\.+'
+      - 'f:/etc/rsyslog.conf -> !r:# && r:^*.* action && r:target="'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* @@\.+'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:# && r:^*.* action && r:target="'
+
+  # 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 31605
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those files and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. New format module(load="imtcp") input(type="imtcp" port="514") -OR- Old format $ModLoad imtcp $InputTCPServerRun Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.1.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/rsyslog.conf -> !r:^\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+      - 'd:/etc/rsyslog.d/ -> r:*.conf -> !r:\s*# && r:ModLoad imtcp|InputTCPServerRun|load="imtcp"|type="imtcp"'
+
+  ###############################################
+  # 4.2.2 Configure journald
+  ###############################################
+  ###############################################
+  # 4.2.2.1 Ensure journald is configured to send logs to a remote log host
+  ###############################################
+
+  # 4.2.2.1.1 Ensure systemd-journal-remote is installed. (Manual)
+  - id: 31606
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.2.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:rpm -q systemd-journal-remote -> r:systemd-journal-remote-"
+
+  # 4.2.2.1.2 Ensure systemd-journal-remote is configured. (Manual) - Not Implemented
+
+  # 4.2.2.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 31607
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["4.2.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "CM-7", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 31608
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.2.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^masked"
+
+  # 4.2.2.2 Ensure journald service is enabled. (Automated)
+  - id: 31609
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 4.2.2.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 31610
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Compress\s*=\s*yes'
+
+  # 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 31611
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*Storage=persistent'
+
+  # 4.2.2.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 31612
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald.service."
+    compliance:
+      - cis: ["4.2.2.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006", "T1565"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> r:^\s*ForwardToSyslog'
+
+  # 4.2.2.6 Ensure journald log rotation is configured per site policy. (Manual) - Not Implemented
+  # 4.2.2.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership. (Automated) - Not Implemented
+  # 4.3 Ensure logrotate is configured. (Manual) - Not Implemented
+
+  ###############################################
+  # 5 Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.1 Configure time-based job schedulers
+  ###############################################
+
+  # 5.1.1 Ensure cron daemon is enabled. (Automated)
+  - id: 31613
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: # systemctl --now enable crond."
+    compliance:
+      - cis: ["5.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled crond -> r:^enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 31614
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to this file could provide unprivileged users with the ability to elevate their privileges. Read access to this file could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 31615
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : # chown root:root /etc/cron.hourly # chmod og-rwx /etc/cron.hourly."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 31616
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : # chown root:root /etc/cron.daily # chmod og-rwx /etc/cron.daily."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 31617
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : # chown root:root /etc/cron.weekly # chmod og-rwx /etc/cron.weekly."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 31618
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : # chown root:root /etc/cron.monthly # chmod og-rwx /etc/cron.monthly."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 31619
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.d : # chown root:root /etc/cron.d # chmod og-rwx /etc/cron.d."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access: \(0700/drwx------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated) - Not Implemented
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated) - Not Implemented
+
+  ###############################################
+  # 5.2 Configure SSH Server
+  ###############################################
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 31620
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod u-x,go-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access: \(0600/-rw-------\)\s*Uid: \(\s*0/\s*root\)\s*Gid: \(\s*0/\s*root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured. (Automated) - Not Implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 31621
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set one or more of the parameters as follows: AllowUsers <userlist> -OR- AllowGroups <grouplist> -OR- DenyUsers <userlist> -OR- DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w*|^\s*AllowGroups\s+\w*|^\s*DenyUsers\s+\w*|^\s*DenyGroups\s+\w*'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 31622
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LogLevel parameter as follows: LogLevel VERBOSE OR LogLevel INFO Run the following command to comment out any LogLevel parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than VERBOSE or INFO: # grep -Pi '^\\h*LogLevel\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)' | while read -r l_out; do sed -ri \"/^\\s*LogLevel\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-12", "AU-2", "SI-5"]
+      - pci_dss_3.2.1: ["10.2", "10.3"]
+      - pci_dss_4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*LogLevel\s+INFO'
+      - "f:/etc/ssh/sshd_config -> r:loglevel"
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 31623
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    impact: "If UsePAM is enabled, you will not be able to run sshd as a non-root user."
+    remediation: "Edit or create a file in the directory /etc/ssh/sshd_config.d/ ending in *.conf or the /etc/ssh/sshd_config file and set the parameter as follows: UsePAM yes Run the following command to comment out any UsePAM parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*UsePAM\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*UsePAM\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.6"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sUsePAM\s+no'
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 31624
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitRootLogin parameter as follows: PermitRootLogin no Run the following command to comment out any PermitRootLogin parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitRootLogin\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitRootLogin\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitRootLogin\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitRootLogin\s+yes'
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 31625
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the HostbasedAuthentication parameter as follows: HostbasedAuthentication no Run the following command to comment out any HostbasedAuthentication parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*HostbasedAuthentication\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*HostbasedAuthentication\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*HostbasedAuthentication\s*\t*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sHostbasedAuthentication\s+yes'
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 31626
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitEmptyPasswords parameter as follows: PermitEmptyPasswords no Run the following command to comment out any PermitEmptyPasswords parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitEmptyPasswords\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitEmptyPasswords\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitEmptyPasswords\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitEmptyPasswords\s+yes'
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 31627
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the PermitUserEnvironment parameter as follows: PermitUserEnvironment no Run the following command to comment out any PermitUserEnvironment parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*PermitUserEnvironment\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*PermitUserEnvironment\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*PermitUserEnvironment\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\sPermitUserEnvironment\s+yes'
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 31628
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter as follows: IgnoreRhosts yes Run the following command to comment out any IgnoreRhosts parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than yes # grep -Pi '^\\h*IgnoreRhosts\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'yes' | while read -r l_out; do sed -ri \"/^\\s*IgnoreRhosts\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.11"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:\s*ignorerhosts\s*yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*ignorerhosts\s+no'
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 31629
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the X11Forwarding parameter as follows: X11Forwarding no Run the following command to comment out any X11Forwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no # grep -Pi '^\\h*X11Forwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*X11Forwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1210"]
+      - nist_sp_800-53: ["CM-7"]
+      - pci_dss_3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*X11Forwarding\s*no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*x11forwarding\s+yes'
+
+  # 5.2.13 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 31630
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the AllowTcpForwarding parameter as follows: AllowTcpForwarding no Run the following command to comment out any AllowTcpForwarding parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting other than no: # grep -Pi '^\\h*AllowTcpForwarding\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi 'no' | while read -r l_out; do sed -ri \"/^\\s*AllowTcpForwarding\\s+/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 5.2.14 Ensure system-wide crypto policy is not over-ridden. (Automated)
+  - id: 31631
+    title: "Ensure system-wide crypto policy is not over-ridden."
+    description: "System-wide Crypto policy can be over-ridden or opted out of for openSSH."
+    rationale: "Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm."
+    remediation: "Run the following commands: # sed -ri \"s/^\\s*(CRYPTO_POLICY\\s*=.*)$/# \\1/\" /etc/sysconfig/sshd /etc/ssh/sshd_config.d/*.conf # systemctl reload sshd."
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SC-8"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'not f:/etc/sysconfig/sshd -> r:^\s*CRYPTO_POLICY='
+
+  # 5.2.15 Ensure SSH warning banner is configured. (Automated)
+  - id: 31632
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the Banner parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.15"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> r:^\s*Banner\s*/\w+'
+
+  # 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 31633
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxAuthTries parameter as follows: MaxAuthTries 4 Run the following command to comment out any MaxAuthTries parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 4: # grep -Pi '^\\h*maxauthtries\\h+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*maxauthtries\\s+([5-9]|[1-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.17 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 31634
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxStartups parameter as follows: MaxStartups 10:30:60 Run the following command to comment out any MaxStartups parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10:30:60: # grep -Pi '^\\s*maxstartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0- 9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0- 9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxStartups\\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0- 9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1- 9]|[7-9][0-9]|[1-9][0-9][0-9]+)))/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'c:sshd -T -C user=root -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 31635
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the MaxSessions parameter as follows: MaxSessions 10 Run the following command to comment out any MaxSessions parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting greater than 10 # grep -Pi '^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.18"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: any
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*MaxSessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*MaxSessions\s+(\d+) compare > 10'
+
+  # 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 31636
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60 Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the LoginGraceTime parameter as follows: LoginGraceTime 60 -or- LoginGraceTime 1m Run the following command to comment out any LoginGraceTime parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include any setting equal to 0 or greater than 60 seconds: # grep -Pi '^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read - r l_out; do sed -ri \"/^\\s*LoginGraceTime\\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0- 9]+|[^1]m)/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    compliance:
+      - cis: ["5.2.19"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+      - 'f:/etc/ssh/sshd_config -> n:^\s*LoginGraceTime\s*\t*(\d+) compare <= 60 && n:^\s*LoginGraceTime\s*\t*(\d+) compare > 0'
+
+  # 5.2.20 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 31637
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below are only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not, and never had, intentionally the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus may no longer be abused to disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinitely, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit or create a file ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file and set the ClientAliveInterval and ClientAliveCountMax parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3 Edit files ending in *.conf in the /etc/ssh/sshd_config.d/ directory and the /etc/ssh/sshd_config file and remove occurrences of the ClientAliveInterval and ClientAliveCountMax parameters not in accordence with local site policy. Run the following command to comment out any ClientAliveCountMax parameter entries in files ending in *.conf in the /etc/ssh/sshd_config.d/ directory or the /etc/ssh/sshd_config file that include the setting of 0 \"disabled\": # grep -Pi '^\\h*ClientAliveCountMax\\h+0\\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | while read -r l_out; do sed -ri \"/^\\s*ClientAliveCountMax\\s+0/s/^/# /\" \"$(awk -F: '{print $1}' <<< $l_out)\";done."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+    condition: all
+    rules:
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveInterval\s*\t*(\d+) compare > 0 && n:^\s*ClientAliveInterval\s*\t*(\d+) compare <= 900'
+      - 'c:sshd -T -C user=root -> n:^\s*ClientAliveCountMax\s*\t*(\d+) compare == 0'
+
+  ############################################################
+  # 5.3 Configure privilege escalation
+  ############################################################
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 31638
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Run the following command to install sudo # dnf install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:rpm -q sudo -> r:sudo-"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 31639
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH_TO_FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026", "M1038"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*Defaults\s+use_pty'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^\s*Defaults\s+use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 31640
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files. Creation of additional log files can cause disk space exhaustion if not correctly managed. You should configure logrotate to manage the sudo log in accordance with your local policy."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Defaults logfile="<PATH TO CUSTOM LOG FILE>" Example Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^Defaults logfile="'
+      - 'd:/etc/sudoers.d -> r:\. -> r:^Defaults\s+logfile="'
+
+  # 5.3.4 Ensure users must provide password for escalation. (Automated)
+  - id: 31641
+    title: "Ensure users must provide password for escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges. To include Ansible and AWS builds."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 31642
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*# && r:!authenticate'
+      - 'd:/etc/sudoers.d -> r:\. -> !r:^\s*# && r:!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 31643
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 5 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && r:timestamp_timeout\s*\t*=\s*\t*-1'
+      - 'not f:/etc/sudoers -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+      - 'not d:/etc/sudoers.d -> r:\.+ -> !r:^\s*\t*# && n:timestamp_timeout\s*\t*=\s*\t*(\d+) compare > 15'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 31644
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> r:^auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
+
+  ###############################################
+  # 5.4 Configure authselect
+  ###############################################
+
+  # 5.4.1 Ensure custom authselect profile is used. (Manual)
+  - id: 31645
+    title: "Ensure custom authselect profile is used."
+    description: "A custom profile can be created by copying and customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be customized to follow site specific requirements. You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host."
+    rationale: "A custom profile is required to customize many of the pam options. When you deploy a profile, the profile is applied to every user logging into the given host."
+    remediation: "Run the following command to create a custom authselect profile: # authselect create-profile <custom-profile name> <options> Example: # authselect create-profile custom-profile -b sssd --symlink-meta Run the following command to select a custom authselect profile: # authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>} Example: # authselect select custom/custom-profile with-sudo with-faillock without-nullok."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["16.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - pci_dss_3.2.1: ["6.3.2"]
+      - pci_dss_4.0: ["6.3.1"]
+    condition: all
+    rules:
+      - 'c:authselect list -> r:^\w*\s*custom'
+      - "f:/etc/authselect/authselect.conf -> r:custom"
+
+  # 5.4.2 Ensure authselect includes with-faillock. (Automated)
+  - id: 31646
+    title: "Ensure authselect includes with-faillock."
+    description: "The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Run the following commands to include the with-faillock option to the current authselect profile: # authselect enable-feature with-faillock # authselect apply-changes."
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:required && r:pam_faillock.so"
+      - "f:/etc/pam.d/system-auth -> r:required && r:pam_faillock.so"
+
+  ###############################################
+  # 5.5 Configure PAM
+  ###############################################
+
+  # 5.5.1 Ensure password creation requirements are configured. (Automated)
+  - id: 31647
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. - try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. - retry=3 - Allow 3 tries before sending back a failure. - minlen=14 - password must be 14 characters or more Either of the following can be used to enforce complex passwords: - minclass=4 - provide at least four classes of characters for the new password OR - dcredit=-1 - provide at least one digit - ucredit=-1 - provide at least one uppercase character - ocredit=-1 - provide at least one special character - lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy minclass = 4 OR dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Run the following script to update the system-auth and password-auth files #!/usr/bin/env bash for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+.*enforce_for_r oot\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 enforce_for_root/' \"$file\" fi if grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=([4- 9]|[1-9][0-9]+)\\b.*$' \"$file\"; then sed -ri '/pwquality/s/retry=\\S+/retry=3/' \"$file\" elif ! grep -Pq -- '^\\h*password\\h+requisite\\h+pam_pwquality.so(\\h+[^#\\n\\r]+)?\\h+retry=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+requisite\\s+pam_pwquality.so\\s+)(.*)$/\\1\\2 retry=3/' \"$file\" fi done authselect apply-changes."
+    compliance:
+      - cis: ["5.5.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.002", "T1110.003", "T1178.001", "T1178.002", "T1178.003", "T1178.004"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/password-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - "f:/etc/pam.d/system-auth -> r:pam_pwquality.so && r:try_first_pass && r:retry="
+      - 'f:/etc/security/pwquality.conf -> n:^\s*minlen\s+\t*=\s+\t*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*minclass|^\s*\Scredit'
+
+  # 5.5.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 31648
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. - deny=<n> - Number of attempts before the account is locked - unlock_time=<n> - Time in seconds before the account is unlocked Note: The maximum configurable value for unlock_time is 604800."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users."
+    remediation: "Set password lockouts and unlock times to conform to site policy. deny should be greater than 0 and no greater than 5. unlock_time should be 0 (never), or 900 seconds or greater. Edit /etc/security/faillock.conf and update or add the following lines: deny = 5 unlock_time = 900."
+    compliance:
+      - cis: ["5.5.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_3.2.1: ["8.1.3"]
+      - pci_dss_4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:deny\s*\t*=\s*\t*(\d+) compare <= 5'
+      - 'not f:/etc/security/faillock.conf -> !r:^\s*\t*# && n:unlock_time\s*\t*=\s*\t*(\d+) compare > 0 && n:unlock_time\s*\t*=\s*\t*(\d+) compare < 900'
+
+  # 5.5.3 Ensure password reuse is limited. (Automated)
+  - id: 31649
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. - remember=<5> - Number of old passwords to remember."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note: These change only apply to accounts configured on the local system."
+    remediation: "Set remembered password history to conform to site policy. Run the following script to add or modify the pam_pwhistory.so and pam_unix.so lines to include the remember option: #!/usr/bin/env bash { file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/system-auth\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so\\s+([^# \\n\\r]+\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file elif grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_pwhistory\\.so\\h+([^#\\n\\ r]+\\h+)?.*$' \"$file\"; then sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_pwhistory\\.so/ s/$/ remember=5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/i password required pam_pwhistory.so remember=5 use_authtok' $file fi fi if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=([5-9]|[1-9][0-9]+)\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so\\h+([^#\\n\\r]+\\h +)?remember=\\d+\\b.*$' \"$file\"; then sed -ri 's/^\\s*(password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so\\s+([^#\\n\\r] +\\s+)?)(remember=\\S+\\s*)(\\s+.*)?$/\\1 remember=5 \\5/' $file else sed -ri '/^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix\\.so/ s/$/ remember=5/' $file fi fi authselect apply-changes }."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+requisite\.+pam_pwhistory\.so\.+ && n:remember=(\d+) compare >= 5'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*password\.+sufficient\.+pam_unix\.so\.+ && n:remember=(\d+) compare >= 5'
+
+  # 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt. (Automated)
+  - id: 31650
+    title: "Ensure password hashing algorithm is SHA-512 or yescrypt."
+    description: "A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password."
+    rationale: "The SHA-512 algorithm provides stronger hashing than other hashing algorithms used for password hashing with Linux, providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: These changes only apply to accounts configured on the local system."
+    remediation: "Set password hashing algorithm to sha512. Edit /etc/libuser.conf and edit of add the following line: crypt_style = sha512 Edit /etc/login.defs and edit or add the following line: ENCRYPT_METHOD SHA512 Run the following script to configure pam_unix.so to use the sha512 hashing algorithm: #!/usr/bin/env bash { for fn in system-auth password-auth; do file=\"/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn\" if ! grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+sha512\\b.*$' \"$file\"; then if grep -Pq -- '^\\h*password\\h+(requisite|required|sufficient)\\h+pam_unix\\.so(\\h+[^#\\n\\r]+)? \\h+(md5|blowfish|bigcrypt|sha256|yescrypt)\\b.*$' \"$file\"; then sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' \"$file\" else sed -ri 's/(^\\s*password\\s+(requisite|required|sufficient)\\s+pam_unix.so\\s+)(.*)$/\\1s ha512 \\3/' \"$file\" fi fi done authselect apply-changes } Note: This only effects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login."
+    compliance:
+      - cis: ["5.5.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - nist_sp_800-53: ["IA-5(1)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/libuser.conf -> r:^\s*\t*crypt_style\s*\t*=\s*\t*sha512'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD SHA512'
+      - 'f:/etc/pam.d/password-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+      - 'f:/etc/pam.d/system-auth -> r:^\s*\t*password\.+sufficient\.+pam_unix\.so'
+
+  ###############################################
+  # 5.6 User Accounts and Environment
+  ###############################################
+  ###############################################
+  # 5.6.1 Set Shadow Password Suite Parameters
+  ###############################################
+
+  # 5.6.1.1 Ensure password expiration is 365 days or less. (Automated)
+  - id: 31651
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    compliance:
+      - cis: ["5.6.1.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:(\d+):\S*:\S*:\S*:\S* compare > 365'
+
+  # 5.6.1.2 Ensure minimum days between password changes is configured. (Automated)
+  - id: 31652
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs: PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.6.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110.004"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS^\s*\t*(\d+) compare >=1'
+      - 'f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:(\d+): compare < 1'
+
+  # 5.6.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 31653
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.6.1.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> n:^\w+:\S*:\S*:\S*:\S*:(\d+):\S*:\S*:\S* compare >= 7'
+      - 'not f:/etc/shadow -> r:^\w+:\S*:\S*:\S*:\S*::\S*:\S*:\S*'
+
+  # 5.6.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 31654
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.6.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^\s*INACTIVE\s*=\s*\t*(\d+) compare <= 30'
+      - 'f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && n:^\w+:\S*:\S*:\S*:\S*:\S*:(\d+):\S*:\S* compare <= 30'
+      - 'not f:/etc/shadow -> !r:^\w+:!|^\w+:\p: && r:^\w+:\S*:\S*:\S*:\S*:\S*::\S*:\S*'
+
+  # 5.6.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+  # 5.6.2 Ensure system accounts are secured. (Automated) - Not Implemented
+  # 5.6.3 Ensure default user shell timeout is 900 seconds or less. (Automated) - Not Implemented
+
+  # 5.6.4 Ensure default group for the root account is GID 0. (Automated)
+  - id: 31655
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root account belongs to. This affects permissions of files that are created by the root account."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root account default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.6.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["CM-1", "CM-2", "CM-6", "CM-7", "IA-5"]
+      - pci_dss_3.2.1: ["11.5", "2.2"]
+      - pci_dss_4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/passwd -> r:^root:x:0:0"
+
+  # 5.6.5 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+  # 5.6.6 Ensure root password is set. (Automated) - Not Implemented
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.1 System File Permissions
+  ###############################################
+
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 31656
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 31657
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 31658
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 31659
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0644/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 31660
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow: # chown root:root /etc/shadow # chmod 0000 /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 31661
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/shadow-: # chown root:root /etc/shadow- # chmod 0000 /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 31662
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow: # chown root:root /etc/gshadow # chmod 0000 /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-3", "MP-2"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 31663
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set mode, owner, and group on /etc/gshadow-: # chown root:root /etc/gshadow- # chmod 0000 /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0000/----------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure no world writable files exist. (Automated) - Not Implemented
+  # 6.1.10 Ensure no unowned files or directories exist. (Automated) - Not Implemented
+  # 6.1.11 Ensure no ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.12 Ensure sticky bit is set on all world-writable directories. (Automated) - Not Implemented
+  # 6.1.13 Audit SUID executables. (Manual) - Not Implemented
+  # 6.1.14 Audit SGID executables. (Manual) - Not Implemented
+  # 6.1.15 Audit system file permissions. (Manual) - Not Implemented
+
+  ################################################
+  # 6.2 User and Group Settings
+  ################################################
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 31664
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can use shadowed passwords. With shadowed passwords, the passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 31665
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.4 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.5 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.9 Ensure root is the only UID 0 account. (Automated)
+  - id: 31666
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.9"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1548"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*root && n:^\w+:\S*:(\d+):\S*:\S*:\S*:\S* compare == 0'
+
+  # 6.2.10 Ensure local interactive user home directories exist. (Automated) - Not Implemented
+  # 6.2.11 Ensure local interactive users own their home directories. (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive. (Automated) - Not Implemented
+  # 6.2.13 Ensure no local interactive user has .netrc files. (Automated) - Not Implemented
+  # 6.2.14 Ensure no local interactive user has .forward files. (Automated) - Not Implemented
+  # 6.2.15 Ensure no local interactive user has .rhosts files. (Automated) - Not Implemented
+  # 6.2.16 Ensure local interactive user dot files are not group or world writable. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/sles/11/cis_sles11_linux.yml b/etc/ruleset/sca/sles/11/cis_sles11_linux.yml
new file mode 100644
index 0000000000..ae3b3d1105
--- /dev/null
+++ b/etc/ruleset/sca/sles/11/cis_sles11_linux.yml
@@ -0,0 +1,931 @@
+# Security Configuration Assessment
+# CIS Checks for SUSE SLES 11
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# CIS Benchmark for SUSE Linux Enterprise Server 11 v2.1.0 - 08-13-2020
+
+policy:
+  id: "cis_sles11_linux"
+  file: "cis_sles11_linux.yml"
+  name: "CIS SUSE Linux Enterprise 11 Benchmark v2.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise 11 systems running on x86 and x64 platforms. This document was tested against SUSE Linux Enterprise Server 11 SP4."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Suse 11 version"
+  description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 11"
+  condition: any
+  rules:
+    - "f:/etc/os-release -> r:SUSE Linux Enterprise Server 11"
+    - "f:/etc/SuSE-release -> r:SUSE Linux Enterprise Server 11"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # Section 1.1 - Filesystem Configuration
+  - id: 7000
+    title: "Ensure separate partition exists for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 7001
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 7002
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.5 /tmp: noexec
+  - id: 7003
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.6 Build considerations - Partition scheme.
+  - id: 7004
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 7005
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.12 /var/log/audit: partition
+  - id: 7006
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.13 /home: partition
+  - id: 7007
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 7008
+    title: "Ensure nodev option set on /home partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.  # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nodev
+  - id: 7009
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.16 /dev/shm: nosuid
+  - id: 7010
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.17 /dev/shm: noexec
+  - id: 7011
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  ###############################################
+  # 1.4  Secure Boot Settings
+  ###############################################
+  # 1.4.2 Set Boot Loader Password (Scored)
+  - id: 7012
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an <encrypted-password>. Copy and paste the <encrypted-password> into the global section of /boot/grub/menu.lst: password --md5 <encrypted-password>    Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - "f:/boot/grub/menu.lst -> r:^password --md5"
+
+  ###############################################
+  # 1.5  Additional Process Hardening
+  ###############################################
+  # 1.5.1 Restrict Core Dumps (Scored)
+  - id: 7013
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0."
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 7014
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 Remove Legacy Services
+  ###############################################
+  # Section 2.1 - inetd Services
+  - id: 7015
+    title: "Ensure chargen services are not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:chargen:|chargen-udp: && r::on"
+
+  - id: 7016
+    title: "Ensure daytime services are not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:daytime:|daytime-udp: && r::on"
+
+  - id: 7017
+    title: "Ensure discard services are not enabled"
+    description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:discard:|discard-udp: && r::on"
+
+  - id: 7018
+    title: "Ensure echo services are not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:echo:|echo-udp: && r::on"
+
+  - id: 7019
+    title: "Ensure time services are not enabled"
+    description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:time:|time-udp: && r::on"
+
+  - id: 7020
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["3.4", "9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on"
+
+  - id: 7021
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable talk: # chkconfig talk off"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:talk: && r::on"
+
+  - id: 7022
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["3.4", "9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:telnet: && r::on"
+
+  - id: 7023
+    title: "Ensure tftp server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Run the following command to disable tftp: # chkconfig tftp off"
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:tftp: && r::on"
+
+  - id: 7024
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off"
+    compliance:
+      - cis: ["2.1.10", "2.2.17"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:rsync: && r::on"
+
+  ###############################################
+  # 2 Special Purpose Services
+  ###############################################
+  - id: 7025
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server.  This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery    Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>    Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: any
+    rules:
+      - "f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery"
+      - "f:/etc/ntp.conf -> r:restrict -6 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery"
+      - "f:/etc/ntp.conf -> r:^server|^pool"
+      - "f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp"
+
+  # 2.2.2 Remove X Windows (Scored)
+  - id: 7026
+    title: "Ensure X Window System is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11* -> r:^xorg-x11"
+
+  # 2.2.3 Disable Avahi Server (Scored)
+  - id: 7027
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality.  It is recommended to disable the service to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:avahi-daemon && r::on"
+
+  - id: 7028
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:dhcpd && r::on"
+
+  # 2.2.7 Disable NFS and RPC (Not Scored)
+  - id: 7029
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:nfs|rpcbind && r::on"
+
+  - id: 7030
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named : # chkconfig named off"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:named && r::on"
+
+  - id: 7031
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off  Notes: Additional FTP servers also exist and should be audited."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:vsftpd && r::on"
+
+  # 2.2.10 Remove HTTP Server (Not Scored)
+  - id: 7032
+    title: "Ensure HTTP server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface.  Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
+    remediation: "Run the following command to disable apache2 : # chkconfig apache2 off"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:apache2 && r::on"
+
+  - id: 7033
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "cyrus is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cyrus : # chkconfig cyrus off   Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:cyrus && r::on"
+
+  # 2.2.12 Remove Samba (Not Scored)
+  - id: 7034
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable smb : # chkconfig smb off"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:smb && r::on"
+
+  - id: 7035
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid : # chkconfig squid off"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:squid && r::on"
+
+  - id: 7036
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # chkconfig snmpd off    Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:snmpd && r::on"
+
+  - id: 7037
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
+    remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:ypserv && r::on"
+
+  # Section 2.3 - Service Clients
+  - id: 7038
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa ypbind -> r:ypbind"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 3.1.1 Disable IP Forwarding (Scored)
+  - id: 7039
+    title: "Ensure IPv4 forwarding is disabled"
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+
+  # 3.1.2 Disable Send Packet Redirects (Scored)
+  - id: 7040
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0    net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:=\s*0$'
+
+  ###############################################
+  # 3.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 7041
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0    net.ipv4.conf.default.accept_source_route = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*0$'
+
+  # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 7042
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0    net.ipv4.conf.default.accept_redirects = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*0$'
+
+  # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 7043
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0    net.ipv4.conf.default.secure_redirects = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*0$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*0$'
+
+  - id: 7044
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1    net.ipv4.conf.default.log_martians = 1.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*1$'
+
+  # 3.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 7045
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1    Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$'
+
+  # 3.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 7046
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*1$'
+
+  # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+  - id: 7047
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1    net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*1$'
+
+  # 3.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 7048
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*1$'
+
+  ###############################################
+  # 5 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+  # 5.2.2 Set SSH Protocol to 2 (Scored)
+  - id: 7049
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
+
+  # 5.2.3 Set LogLevel to INFO (Scored)
+  - id: 7050
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
+
+  # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 7051
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+
+  # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 7052
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
+
+  # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 7053
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
+
+  # 5.2.8 Disable SSH Root Login (Scored)
+  - id: 7054
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.  Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
+
+  # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 7055
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+  # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 7056
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  - id: 7057
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username>.  Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
diff --git a/etc/ruleset/sca/sles/12/cis_sles12_linux.yml b/etc/ruleset/sca/sles/12/cis_sles12_linux.yml
new file mode 100644
index 0000000000..916783fccc
--- /dev/null
+++ b/etc/ruleset/sca/sles/12/cis_sles12_linux.yml
@@ -0,0 +1,926 @@
+# Security Configuration Assessment
+# CIS Checks for SUSE SLES 12
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# CIS Benchmark for SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017
+
+policy:
+  id: "cis_sles12_linux"
+  file: "cis_sles12_linux.yml"
+  name: "CIS SUSE Linux Enterprise 12 Benchmark v2.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise 12 systems running on x86 and x64 platforms. This document was tested against SUSE Linux Enterprise Server 12 SP3."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Suse 12 version"
+  description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 12"
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:SUSE Linux Enterprise Server 12"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # Section 1.1 - Filesystem Configuration
+  - id: 7500
+    title: "Ensure separate partition exists for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp.  For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 7501
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 7502
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.5 /tmp: noexec
+  - id: 7503
+    title: "Ensure noexec option set on /tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.  Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.6 Build considerations - Partition scheme.
+  - id: 7504
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 7505
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.12 /var/log/audit: partition
+  - id: 7506
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.13 /home: partition
+  - id: 7507
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home.  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.14 /home: nodev
+  - id: 7508
+    title: "Ensure nodev option set on /home partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.  # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    compliance:
+      - cis: ["1.1.14"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.15 /dev/shm: nodev
+  - id: 7509
+    title: "Ensure nodev option set on /dev/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm    Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0"
+    compliance:
+      - cis: ["1.1.15"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  # 1.1.16 /dev/shm: nosuid
+  - id: 7510
+    title: "Ensure nosuid option set on /dev/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm    Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0"
+    compliance:
+      - cis: ["1.1.16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.17 /dev/shm: noexec
+  - id: 7511
+    title: "Ensure noexec option set on /dev/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.  Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm    Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  ###############################################
+  # 1.5  Additional Process Hardening
+  ###############################################
+  # 1.5.1 Restrict Core Dumps (Scored)
+  - id: 7512
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0.  Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0.  Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:\s0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
+  - id: 7513
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2.  Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$'
+
+  ###############################################
+  # 2 OS Services
+  ###############################################
+  ###############################################
+  # 2.1 Remove Legacy Services
+  ###############################################
+  # Section 2.1 - inetd Services
+  - id: 7514
+    title: "Ensure chargen services are not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:chargen:|chargen-udp: && r::on"
+
+  - id: 7515
+    title: "Ensure daytime services are not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:daytime:|daytime-udp && r::on"
+
+  - id: 7516
+    title: "Ensure discard services are not enabled"
+    description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:discard:|discard-udp: && r::on"
+
+  - id: 7517
+    title: "Ensure echo services are not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:echo:|echo-udp: && r::on"
+
+  - id: 7518
+    title: "Ensure time services are not enabled"
+    description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:time:|time-udp && r::on"
+
+  - id: 7519
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+    remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["3.4", "9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on"
+
+  - id: 7520
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable talk: # chkconfig talk off"
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:talk: && r::on"
+
+  - id: 7521
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["3.4", "9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:telnet: && r::on"
+
+  - id: 7522
+    title: "Ensure tftp server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Run the following command to disable tftp: # systemctl disable atftpd"
+    compliance:
+      - cis: ["2.1.9", "2.2.17"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:tftp: && r::on"
+
+  - id: 7523
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd"
+    compliance:
+      - cis: ["2.1.10", "2.2.18"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:chkconfig --list -> r:rsync: && r::on"
+
+  - id: 7524
+    title: "Ensure xinetd is not enabled"
+    description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+    remediation: "Run the following command to disable xinetd : # systemctl disable xinetd"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled xinetd -> r:enabled"
+
+  ###############################################
+  # 2 Special Purpose Services
+  ###############################################
+  - id: 7525
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server.  This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery    restrict -6 default kod limited nomodify notrap nopeer noquery    Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server>    Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$'
+      - "f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp"
+
+  # 2.2.2 Remove X Windows (Scored)
+  - id: 7526
+    title: "Ensure X Window System is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa xorg-x11* -> r:^xorg-x11"
+
+  # 2.2.3 Disable Avahi Server (Scored)
+  - id: 7527
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality.  It is recommended to disable the service to reduce the potential attack surface."
+    remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> r:enabled"
+
+  - id: 7528
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd"
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled dhcpd -> r:enabled"
+
+  # 2.2.7 Disable NFS and RPC (Not Scored)
+  - id: 7529
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs -> r:enabled"
+      - "c:systemctl is-enabled rpcbind -> r:enabled"
+
+  - id: 7530
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable named : # systemctl disable named"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled named -> r:enabled"
+
+  - id: 7531
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd    Notes: Additional FTP servers also exist and should be audited."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> r:enabled"
+
+  # 2.2.10 Remove HTTP Server (Not Scored)
+  - id: 7532
+    title: "Ensure HTTP server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2 : # systemctl disable apache2    Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> r:enabled"
+
+  - id: 7533
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable dovecot : # systemctl disable dovecot    Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled dovecot -> r:enabled"
+
+  # 2.2.12 Remove Samba (Not Scored)
+  - id: 7534
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable smb : # systemctl disable smb"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smb -> r:enabled"
+
+  - id: 7535
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid : # systemctl disable squid    Notes: Several HTTP proxy servers exist. These and other services should be checked."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> r:enabled"
+
+  - id: 7536
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl disable snmpd    Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> r:enabled"
+
+  - id: 7537
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled ypserv -> r:enabled"
+
+  # Section 2.3 - Service Clients
+  - id: 7538
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:rpm -qa ypbind -> r:ypbind"
+
+  ###############################################
+  # 3 Network Configuration and Firewalls
+  ###############################################
+  ###############################################
+  # 3.1 Modify Network Parameters (Host Only)
+  ###############################################
+  # 3.1.1 Disable IP Forwarding (Scored)
+  - id: 7539
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:\s0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  # 3.1.2 Disable Send Packet Redirects (Scored)
+  - id: 7540
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0    net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  ###############################################
+  # 3.2 Modify Network Parameters (Host and Router)
+  ###############################################
+  # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
+  - id: 7541
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0    net.ipv4.conf.default.accept_source_route = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
+  - id: 7542
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0    net.ipv4.conf.default.accept_redirects = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+  - id: 7543
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0    net.ipv4.conf.default.secure_redirects = 0.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  - id: 7544
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1    net.ipv4.conf.default.log_martians = 1.  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.2.5 Enable Ignore Broadcast Requests (Scored)
+  - id: 7545
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1    Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.6 Enable Bad Error Message Protection (Scored)
+  - id: 7546
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+  - id: 7547
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1    net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.2.8 Enable TCP SYN Cookies (Scored)
+  - id: 7548
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  ###############################################
+  # 5 System Access, Authentication and Authorization
+  ###############################################
+  ###############################################
+  # 5.2 Configure SSH
+  ###############################################
+  # 5.2.2 Set SSH Protocol to 2 (Scored)
+  - id: 7549
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$'
+
+  # 5.2.3 Set LogLevel to INFO (Scored)
+  - id: 7550
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO'
+
+  # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
+  - id: 7551
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
+  - id: 7552
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
+  - id: 7553
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.2.8 Disable SSH Root Login (Scored)
+  - id: 7554
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no'
+
+  # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
+  - id: 7555
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no'
+
+  ###############################################
+  # 6 System Maintenance
+  ###############################################
+  ###############################################
+  # 6.2 Review User and Group Settings
+  ###############################################
+  # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+  - id: 7556
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  - id: 7557
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username>.  Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
diff --git a/etc/ruleset/sca/sles/15/cis_sles15_linux.yml b/etc/ruleset/sca/sles/15/cis_sles15_linux.yml
new file mode 100644
index 0000000000..ffa0ae2947
--- /dev/null
+++ b/etc/ruleset/sca/sles/15/cis_sles15_linux.yml
@@ -0,0 +1,3904 @@
+# Security Configuration Assessment
+# CIS Checks for SUSE SLES 15
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# CIS Benchmark for SUSE Linux Enterprise 15 v1.1.0 - 09-17-2021
+
+policy:
+  id: "cis_sles15_linux"
+  file: "cis_sles15_linux.yml"
+  name: "CIS SUSE Linux Enterprise 15 Benchmark v1.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise 12 systems running on x86 and x64 platforms. This document was tested against SUSE Linux Enterprise Server 15 SP1."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check SUSE 15 version"
+  description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 15"
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:SUSE Linux Enterprise Server 15"
+
+variables:
+  $sshd_file: /etc/ssh/sshd_config
+
+checks:
+  # Section 1.1 - Filesystem Configuration
+
+  # 1.1.1.1 Ensure mounting of squashfs filesystems is disabled
+  - id: 21000
+    title: Ensure mounting of squashfs filesystems is disabled.
+    description: >
+      The squashfs filesystem type is a compressed read-only Linux filesystem embedded in
+      small footprint systems (similar to cramfs ). A squashfs image can be used without having
+      to first decompress the image.
+    rationale: >
+      Removing support for unneeded filesystem types reduces the local attack surface of the
+      system. If this filesystem type is not needed, disable it.
+    remediation: >
+      Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
+      Example: vi /etc/modprobe.d/squashfs.conf
+      and add the following line:
+      install squashfs /bin/true
+
+      Run the following command to unload the squashfs module:
+      # modprobe -r squashfs
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["5.1"]
+    condition: any
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install"
+      - "c:modprobe -n -v squashfs -> r:squashfs"
+
+  # 1.1.1.2 Ensure mounting of udf filesystems is disabled
+  - id: 21001
+    title: Ensure mounting of udf filesystems is disabled.
+    description: >
+      The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and
+      ECMA-167 specifications. This is an open vendor filesystem type for data storage on a
+      broad range of media. This filesystem type is necessary to support writing DVDs and newer
+      optical disc formats.
+    rationale: >
+      Removing support for unneeded filesystem types reduces the local attack surface of the
+      system. If this filesystem type is not needed, disable it.
+    remediation: >
+      Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
+      Example: vi /etc/modprobe.d/udf.conf
+      and add the following line:
+      install udf /bin/true
+
+      Run the following command to unload the udf module:
+      # modprobe -r udf
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["5.1"]
+    condition: any
+    rules:
+      - "c:modprobe -n -v udf -> r:install"
+      - "c:modprobe -n -v udf -> r:udf"
+
+  # 1.1.1.3 Ensure mounting of FAT filesystems is limited - Not implemented
+  # 1.1.2 Ensure /tmp is configured - Not implemented
+
+  # 1.1.3 Ensure noexec option set on /tmp partition - Not implemented
+  - id: 21002
+    title: Ensure noexec option set on /tmp partition.
+    description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
+    rationale: >
+      Since the /tmp filesystem is only intended for temporary file storage, set this option to
+      ensure that users cannot run executable binaries from /tmp .
+    remediation: >
+      Edit the /etc/fstab file OR the /etc/systemd/system/localfs.target.wants/tmp.mount file:
+
+      IF /etc/fstab is used to mount /tmp
+      Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp
+      partition. See the fstab(5) manual page for more information.
+      Run the following command to remount /tmp :
+
+      # mount -o remount,noexec /tmp
+
+      OR
+      IF systemd is used to mount /tmp:
+      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp
+      mount options:
+
+      [Mount]
+      Options=mode=1777,strictatime,noexec,nodev,nosuid
+
+      Run the following command to restart the systemd daemon:
+      # systemctl daemon-reload
+
+      Run the following command to restart tmp.mount
+      # systemctl restart tmp.mount
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  # 1.1.4 Ensure nodev option set on /tmp partition
+  - id: 21003
+    title: Ensure nodev option set on /tmp partition.
+    description: The nodev mount option specifies that the filesystem cannot contain special devices.
+    rationale: >
+      Since the /tmp filesystem is not intended to support devices, set this option to ensure that
+      users cannot attempt to create block or character special devices in /tmp .
+    remediation: >
+      Edit the /etc/fstab file OR the /etc/systemd/system/localfs.target.wants/tmp.mount file:
+      IF /etc/fstab is used to mount /tmp:
+      Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp
+      partition. See the fstab(5) manual page for more information.
+      Run the following command to remount /tmp :
+      # mount -o remount,nodev /tmp
+      OR
+      IF systemd is used to mount /tmp:
+      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp
+      mount options:
+      [Mount]
+      Options=mode=1777,strictatime,noexec,nodev,nosuid
+      Run the following command to restart the systemd daemon:
+      # systemctl daemon-reload
+
+      Run the following command to restart tmp.mount
+      # systemctl restart tmp.mount
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  # 1.1.5 Ensure nosuid option set on /tmp partition
+  - id: 21004
+    title: Ensure nosuid option set on /tmp partition.
+    description: The nosuid mount option specifies that the filesystem cannot contain setuid files.
+    rationale: >
+      Since the /tmp filesystem is only intended for temporary file storage, set this option to
+      ensure that users cannot create setuid files in /tmp.
+    remediation: >
+      IF /etc/fstab is used to mount /tmp
+      Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp
+      partition. See the fstab(5) manual page for more information.
+      Run the following command to remount /tmp :
+      # mount -o remount,nosuid /tmp
+
+      OR
+      IF systemd is used to mount /tmp:
+      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp
+      mount options:
+      [Mount]
+      Options=mode=1777,strictatime,noexec,nodev,nosuid
+
+      Run the following command to restart the systemd daemon:
+      # systemctl daemon-reload
+
+      Run the following command to restart tmp.mount:
+      # systemctl restart tmp.mount
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  # 1.1.6 Ensure /dev/shm is configured
+  - id: 21005
+    title: Ensure /dev/shm is configured.
+    description: >
+      /dev/shm is a traditional shared memory concept. One program will create a memory
+      portion, which other processes (if permitted) can access. If /dev/shm is not configured,
+      tmpfs will be mounted to /dev/shm by systemd.
+
+      Notes:
+        - An entry for /dev/shm in /etc/fstab will take precedence.
+        - tmpfs can be resized using the size={size} parameter in /etc/fstab. If we don't specify
+          the size, it will be half the RAM.
+
+      Resize tmpfs example:
+      tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,size=2G 0 0
+    rationale: >
+      Any user can upload and execute files inside the /dev/shm similar to the /tmp partition.
+      Configuring /dev/shm allows an administrator to set the noexec option on the mount,
+      making /dev/shm useless for an attacker to install executable code. It would also prevent an
+      attacker from establishing a hardlink to a system setuid program and wait for it to be
+      updated. Once the program was updated, the hardlink would be broken and the attacker
+      would have his own copy of the program. If the program happened to have a security
+      vulnerability, the attacker could continue to exploit the known flaw.
+    remediation: >
+      Edit /etc/fstab and add or edit the following line:
+      tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid 0 0
+
+      Run the following command to remount /dev/shm:
+      # mount -o remount,noexec,nodev,nosuid /dev/shm
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\.+\s+/dev/shm\s+'
+      - 'f:/etc/fstab -> r:\.+\s+/dev/shm\s+'
+
+  # 1.1.7 Ensure noexec option set on /dev/shm partition
+  - id: 21006
+    title: Ensure noexec option set on /dev/shm partition.
+    description: >
+      The noexec mount option specifies that the filesystem cannot contain executable binaries.
+      Note: /dev/shm is mounted automatically by systemd. /dev/shm needs to be added to
+      /etc/fstab to add mount options even though it is already being mounted on boot.
+    rationale: >
+      Setting this option on a file system prevents users from executing programs from shared
+      memory. This deters users from introducing potentially malicious software on the system.
+    remediation: >
+      Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the
+      /dev/shm partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /dev/shm:
+      # mount -o remount,noexec,nodev,nosuid /dev/shm
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["2.6", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  # 1.1.8 Ensure nodev option set on /dev/shm partition - Not implemented
+
+  # 1.1.9 Ensure nosuid option set on /dev/shm partition
+  - id: 21007
+    title: Ensure nosuid option set on /dev/shm partition.
+    description: >
+      The nosuid mount option specifies that the filesystem cannot contain setuid files.
+      Note: /dev/shm is mounted automatically by systemd. /dev/shm needs to be added to
+      /etc/fstab to add mount options even though it is already being mounted on boot.
+    rationale: >
+      Setting this option on a file system prevents users from introducing privileged programs
+      onto the system and allowing non-root users to execute them.
+    remediation: >
+      Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the
+      /dev/shm partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /dev/shm:
+      # mount -o remount,noexec,nodev,nosuid /dev/shm
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  # 1.1.10 Ensure separate partition exists for /var
+  - id: 21008
+    title: Ensure separate partition exists for /var.
+    description: >
+      The /var directory is used by daemons and other system services to temporarily store
+      dynamic data. Some directories created by these processes may be world-writable.
+
+      Note: When modifying /var it is advisable to bring the system to emergency mode (so auditd
+      is not running), rename the existing directory, mount the new file system, and migrate the
+      data over before returning to multiuser mode.
+    rationale: >
+      Since the /var directory may contain world-writable files and directories, there is a risk of
+      resource exhaustion if it is not bound to a separate partition.
+    remediation: >
+      For new installations, during installation create a custom partition setup and specify a
+      separate partition for /var .
+      For systems that were previously installed, create a new partition and configure
+      /etc/fstab as appropriate.
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["5.1"]
+    references:
+      - AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  # 1.1.11 Ensure separate partition exists for /var/tmp
+  - id: 21009
+    title: Ensure separate partition exists for /var/tmp.
+    description: >
+      The /var/tmp directory is a world-writable directory used for temporary storage by all
+      users and some applications and is intended for temporary files that are preserved across
+      reboots.
+
+      Note: tmpfs should not be used for /var/tmp/. tmpfs is a temporary filesystem that resides in
+      memory and/or swap partition(s). Files in tmpfs are automatically cleared at each bootup.
+    rationale: >
+      Since the /var/tmp directory is intended to be world-writable, there is a risk of resource
+      exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own
+      file system allows an administrator to set the noexec option on the mount, making
+      /var/tmp useless for an attacker to install executable code. It would also prevent an
+      attacker from establishing a hardlink to a system setuid program and wait for it to be
+      updated. Once the program was updated, the hardlink would be broken and the attacker
+      would have his own copy of the program. If the program happened to have a security
+      vulnerability, the attacker could continue to exploit the known flaw.
+    remediation: >
+      For new installations, during installation create a custom partition setup and specify a
+      separate partition for /var/tmp .
+      For systems that were previously installed, create a new partition and configure
+      /etc/fstab as appropriate.
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  # 1.1.12 Ensure noexec option set on /var/tmp partition
+  - id: 21010
+    title: Ensure noexec option set on /var/tmp partition.
+    description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
+    rationale: >
+      Since the /var/tmp filesystem is only intended for temporary file storage, set this option to
+      ensure that users cannot run executable binaries from /var/tmp .
+    remediation: >
+      Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the
+      /var/tmp partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /var/tmp :
+      # mount -o remount,noexec /var/tmp
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  # 1.1.13 Ensure nodev option set on /var/tmp partition
+  - id: 21011
+    title: Ensure nodev option set on /var/tmp partition.
+    description: The nodev mount option specifies that the filesystem cannot contain special devices.
+    rationale: >
+      Since the /var/tmp filesystem is not intended to support devices, set this option to ensure
+      that users cannot attempt to create block or character special devices in /var/tmp .
+    remediation: >
+      Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the
+      /var/tmp partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /var/tmp :
+      # mount -o remount,nodev /var/tmp
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s+/var/tmp\s+ && r:nodev'
+
+  # 1.1.14 Ensure nosuid option set on /var/tmp partition
+  - id: 21012
+    title: Ensure nosuid option set on /var/tmp partition.
+    description: The nosuid mount option specifies that the filesystem cannot contain setuid files.
+    rationale: >
+      Since the /var/tmp filesystem is only intended for temporary file storage, set this option to
+      ensure that users cannot create setuid files in /var/tmp
+    remediation: >
+      Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the
+      /var/tmp partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /var/tmp :
+      # mount -o remount,nosuid /var/tmp
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s+/var/tmp\s+ && r:nosuid'
+
+  # 1.1.15 Ensure separate partition exists for /var/log
+  - id: 21013
+    title: Ensure separate partition exists for /var/log.
+    description: The /var/log directory is used by system services to store log data.
+    rationale: >
+      There are two important reasons to ensure that system logs are stored on a separate
+      partition: protection against resource exhaustion (since logs can grow quite large) and
+      protection of audit data.
+
+      Note: When modifying /var/log it is advisable to bring the system to emergency mode (so
+      auditd is not running), rename the existing directory, mount the new file system, and migrate
+      the data over before returning to multiuser mode.
+    remediation: >
+      For new installations, during installation create a custom partition setup and specify a
+      separate partition for /var/log .
+      For systems that were previously installed, create a new partition and configure
+      /etc/fstab as appropriate.
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["6.4"]
+    references:
+      - AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  # 1.1.16 Ensure separate partition exists for /var/log/audit
+  - id: 21014
+    title: Ensure separate partition exists for /var/log/audit.
+    description: >
+      The auditing daemon, auditd , stores log data in the /var/log/audit directory.
+
+      Note: When modifying /var/log/audit it is advisable to bring the system to emergency mode
+      (so auditd is not running), rename the existing directory, mount the new file system, and
+      migrate the data over before returning to multiuser mode.
+    rationale: >
+      There are two important reasons to ensure that data gathered by auditd is stored on a
+      separate partition: protection against resource exhaustion (since the audit.log file can
+      grow quite large) and protection of audit data. The audit daemon calculates how much free
+      space is left and performs actions based on the results. If other processes (such as syslog )
+      consume space in the same partition as auditd , it may not perform as desired.
+    remediation: >
+      For new installations, during installation create a custom partition setup and specify a
+      separate partition for /var/log/audit .
+      For systems that were previously installed, create a new partition and configure
+      /etc/fstab as appropriate.
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["6.4"]
+    references:
+      - AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  # 1.1.17 Ensure separate partition exists for /home
+  - id: 21015
+    title: Ensure separate partition exists for /home.
+    description: The /home directory is used to support disk storage needs of local users.
+    rationale: >
+      If the system is intended to support local users, create a separate partition for the /home
+      directory to protect against resource exhaustion and restrict the type of files that can be
+      stored under /home .
+    remediation: >
+      For new installations, during installation create a custom partition setup and specify a
+      separate partition for /home .
+      For systems that were previously installed, create a new partition and configure
+      /etc/fstab as appropriate.
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["5.1", "13"]
+    references:
+      - AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  # 1.1.18 Ensure nodev option set on /home partition
+  - id: 21016
+    title: Ensure nodev option set on /home partition.
+    description: >
+      The nodev mount option specifies that the filesystem cannot contain special devices.
+      Note: The actions in this recommendation refer to the /home partition, which is the default
+      user partition. If you have created other user partitions, it is recommended that the
+      Remediation and Audit steps be applied to these partitions as well.
+    rationale: >
+      Since the user partitions are not intended to support devices, set this option to ensure that
+      users cannot attempt to create block or character special devices.
+    remediation: >
+      Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home
+      partition. See the fstab(5) manual page for more information.
+
+      Run the following command to remount /home/ with the nodev mount option:
+      # mount -o remount,nodev /home
+    compliance:
+      - cis: ["1.1.18"]
+      - cis_csc: ["5.1", "13"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  # 1.1.19 Ensure noexec option set on removable media partitions - Not implemented
+  # 1.1.20 Ensure nodev option set on removable media partitions - Not implemented
+  # 1.1.21 Ensure nosuid option set on removable media partitions - Not implemented
+  # 1.1.22 Ensure sticky bit is set on all world-writable directories - Not implemented
+
+  # 1.1.23 Disable Automounting
+  - id: 21017
+    title: Disable Automounting.
+    description: >
+      autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.
+      Notes:
+        - Additional methods of disabling a service exist. Consult your distribution
+          documentation for appropriate methods.
+        - This control should align with the tolerance of the use of portable drives and optical
+          media in the organization.
+          - On a server requiring an admin to manually mount media can be part of
+            defense-in-depth to reduce the risk of unapproved software or information
+            being introduced or proprietary software or information being exfiltrated.
+          - If admins commonly use flash drives and Server access has sufficient physical
+            controls, requiring manual mounting may not increase security.
+    rationale: >
+      With automounting enabled anyone with physical access could attach a USB drive or disc
+      and have its contents available in system even if they lacked permissions to mount it
+      themselves.
+    remediation: >
+      Run the following command to mask autofs:
+      # systemctl --now mask autofs
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc: ["8.4", "8.5"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> r:enabled"
+
+  # 1.2.1 Ensure GPG keys are configured - Not implemented
+  # 1.2.2 Ensure package manager repositories are configured - Not implemented
+  # 1.2.3 Ensure gpgcheck is globally activated - Not implemented
+
+  # 1.3.1 Ensure sudo is installed
+  - id: 21018
+    title: Ensure sudo is installed.
+    description: >
+      sudo allows a permitted user to execute a command as the superuser or another user, as
+      specified by the security policy. The invoking user's real (not effective) user ID is used to
+      determine the user name with which to query the security policy.
+    rationale: >
+      sudo supports a plugin architecture for security policies and input/output logging. Third
+      parties can develop and distribute their own policy and I/O logging plugins to work
+      seamlessly with the sudo front end. The default security policy is sudoers, which is
+      configured via the file /etc/sudoers.
+
+      The security policy determines what privileges, if any, a user has to run sudo. The policy
+      may require that users authenticate themselves with a password or another authentication
+      mechanism. If authentication is required, sudo will exit if the user's password is not
+      entered within a configurable time limit. This limit is policy-specific.
+    remediation: >
+      Run the following command to install sudo.
+      # zypper install sudo
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["4"]
+    references:
+      - SUDO(8)
+    condition: none
+    rules:
+      - "c:rpm -q sudo -> r:not installed"
+
+  # 1.3.2 Ensure sudo commands use pty
+  - id: 21019
+    title: Ensure sudo commands use pty.
+    description: >
+      sudo can be configured to run only from a pseudo-pty
+
+      Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the
+      sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for
+      parse errors. If the sudoers file is currently being edited you will receive a message to try
+      again later. The -f option allows you to tell visudo which file to edit.
+    rationale: >
+      Attackers can run a malicious program using sudo, which would again fork a background
+      process that remains even when the main program has finished executing.
+      This can be mitigated by configuring sudo to run other commands only from a pseudo-pty,
+      whether I/O logging is turned on or not.
+    remediation: >
+      Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH
+      TO FILE> and add the following line:
+
+      Defaults use_pty
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["4"]
+    references:
+      - SUDO(8)
+    condition: all
+    rules:
+      - 'c:grep -REsih "^Defaults" /etc/sudoers /etc/sudoers.d -> r:^\wefaults\s+use_pty'
+
+  # 1.3.3 Ensure sudo log file exists
+  - id: 21020
+    title: Ensure sudo log file exists.
+    description: >
+      sudo can use a custom log file
+
+      Note: visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the
+      sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks
+      for parse errors. If the sudoers file is currently being edited you will receive a message to
+      try again later. The -f option allows you to tell visudo which file to edit.
+    rationale: A sudo log file simplifies auditing of sudo commands
+    remediation: >
+      edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH
+      TO FILE> and add the following line:
+      Defaults logfile="<PATH TO CUSTOM LOG FILE>"
+
+      Example
+      Defaults logfile="/var/log/sudo.log"
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_csc: ["6.3"]
+    references:
+      - SUDO(8)
+      - VISUDO(8)
+    condition: all
+    rules:
+      - 'c:grep -REsih "^Defaults" /etc/sudoers /etc/sudoers.d -> r:^\wefaults\s+logfile="\.+"'
+
+  # 1.4.1 Ensure AIDE is installed
+  - id: 21021
+    title: Ensure AIDE is installed.
+    description: >
+      AIDE takes a snapshot of filesystem state including modification times, permissions, and
+      file hashes which can then be used to compare against the current state of the filesystem to
+      detect modifications to the system.
+
+      Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up
+      their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus
+      avoiding false positives from AIDE.
+    rationale: >
+      By monitoring the filesystem state compromised files can be detected to prevent or limit
+      the exposure of accidental or malicious misconfigurations or modified binaries.
+    remediation: >
+      Configure AIDE as appropriate for your environment. Consult the AIDE documentation for
+      options.
+      Run the following command to install AIDE:
+      # zypper install aide
+
+      Run the following commands to initialize AIDE:
+      # aide --init
+      # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["14.9"]
+    references:
+      - AIDE stable manual: http://aide.sourceforge.net/stable/manual.html
+    condition: none
+    rules:
+      - "c:rpm -q aide -> r:not installed"
+
+  # 1.4.2 Ensure filesystem integrity is regularly checked - Not implemented
+
+  # 1.5.1 Ensure bootloader password is set
+  - id: 21022
+    title: Ensure bootloader password is set.
+    description: >
+      Setting the boot loader password will require that anyone rebooting the system must enter
+      a password before being able to set command line boot parameters
+
+      Notes:
+        - This recommendation is designed around the grub2 bootloader, if LILO or another
+          bootloader is in use in your environment enact equivalent settings. Replace
+          `/boot/grub2/grub.cfg with the appropriate grub configuration file for your
+          environment
+        - The information can be placed in any /etc/grub.d file as long as that file is
+          incorporated into grub.cfg
+          - The superuser/user information and password should not be contained in the
+            /etc/grub.d/00_header file.
+          - A custom file, such as /etc/grub.d/40_custom should be used so it is not
+            overwritten should the Grub package be updated.
+    rationale: >
+      Requiring a boot password upon execution of the boot loader will prevent an unauthorized
+      user from entering boot parameters or changing the boot partition. This prevents users
+      from weakening security (e.g. turning off SELinux at boot time).
+    remediation: >
+      Create an encrypted password with grub2-mkpasswd-pbkdf2:
+        # grub2-mkpasswd-pbkdf2
+        Enter password: <password>
+        Reenter password: <password>
+        Your PBKDF2 is <encrypted-password>
+
+      Add the following into /etc/grub.d/40_custom
+        set superusers="<username>"
+        password_pbkdf2 <username> <encrypted-password>
+
+      Run the following command to update the grub2 configuration:
+        # grub2-mkconfig -o /boot/grub2/grub.cfg
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["5.1"]
+    references:
+      - https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-grub2.html
+    condition: all
+    rules:
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*set superusers'
+      - 'f:/boot/grub2/grub.cfg -> r:^\s*password'
+
+  # 1.5.2 Ensure permissions on bootloader config are configured
+  - id: 21023
+    title: Ensure permissions on bootloader config are configured.
+    description: >
+      The grub configuration file contains information on boot settings and passwords for
+      unlocking boot options. The grub2 configuration is usually grub.cfg stored in
+      /boot/grub2/.
+
+      Notes:
+        - This recommendation is designed around the grub2 bootloader.
+        - If LILO or another bootloader is in use in your environment:
+          - Enact equivalent settings
+          - Replace /boot/grub2/grub.cfg and /boot/grub2/user.cfg with the
+            appropriate boot configuration files for your environment
+    rationale: >
+      Setting the permissions to read and write for root only prevents non-root users from
+      seeing the boot parameters or changing them. Non-root users who read the boot
+      parameters may be able to identify weaknesses in security upon boot and be able to exploit
+      them.
+    remediation: >
+      Run the following commands to set ownership and permissions on your grub
+      configuration:
+      # chown root:root /boot/grub2/grub.cfg
+      # chmod og-rwx /boot/grub2/grub.cfg
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /boot/grub2/grub.cfg -> r:^Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.5.3 Ensure authentication required for single user mode
+  - id: 21024
+    title: Ensure authentication required for single user mode.
+    description: >
+      Single user mode (rescue mode) is used for recovery when the system detects an issue
+      during boot or by manual selection from the bootloader.
+    rationale: >
+      Requiring authentication in single user mode (rescue mode) prevents an unauthorized user
+      from rebooting the system into single user to gain root privileges without credentials.
+    remediation: >
+      Edit /usr/lib/systemd/system/rescue.service and add/modify the following line:
+      ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+
+      Edit /usr/lib/systemd/system/emergency.service and add/modify the following line:
+      ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/usr/lib/systemd/system/rescue.service -> r:^ExecStart=\.*/systemd/systemd-sulogin-shell\s+rescue'
+      - 'f:/usr/lib/systemd/system/emergency.service -> r:^ExecStart=\.*/systemd/systemd-sulogin-shell\s+emergency'
+
+  # 1.6.1 Ensure core dumps are restricted
+  - id: 21025
+    title: Ensure core dumps are restricted.
+    description: >
+      A core dump is the memory of an executable program. It is generally used to determine
+      why a program aborted. It can also be used to glean confidential information from a core
+      file. The system provides the ability to set a soft limit for core dumps, but this can be
+      overridden by the user.
+    rationale: >
+      Setting a hard limit on core dumps prevents users from overriding the soft variable. If core
+      dumps are required, consider setting limits for user groups (see limits.conf(5) ). In
+      addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from
+      dumping core.
+    remediation: >
+      Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/*
+      file:
+      * hard core 0
+
+      Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      fs.suid_dumpable = 0
+
+      Run the following command to set the active kernel parameter:
+      # sysctl -w fs.suid_dumpable=0
+
+      If systemd-coredump is installed:
+      edit /etc/systemd/coredump.conf and add/modify the following lines:
+      Storage=none
+      ProcessSizeMax=0
+
+      Run the command:
+      systemctl daemon-reload
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+      - 'c:sysctl fs.suid_dumpable -> r:\s0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+
+  # 1.6.2 Ensure XD/NX support is enabled
+  - id: 21026
+    title: Ensure XD/NX support is enabled.
+    description: >
+      Recent processors in the x86 family support the ability to prevent code execution on a per
+      memory page basis. Generically and on AMD processors, this ability is called No Execute
+      (NX), while on Intel processors it is called Execute Disable (XD). This ability can help
+      prevent exploitation of buffer overflow vulnerabilities and should be activated whenever
+      possible. Extra steps must be taken to ensure that this protection is enabled, particularly on
+      32-bit x86 systems. Other processors, such as Itanium and POWER, have included such
+      support since inception and the standard kernel for those platforms supports the feature.
+    rationale: >
+      Enabling any feature that can protect against buffer overflow attacks enhances the security
+      of the system.
+
+      Note: Ensure your system supports the XD or NX bit and has PAE support before implementing
+      this recommendation as this may prevent it from booting if these are not supported by your
+      hardware.
+    remediation: >
+      On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit
+      systems:
+      If necessary configure your bootloader to load the new kernel and reboot the system.
+      You may need to enable NX or XD support in your bios.
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["8.3"]
+    condition: all
+    rules:
+      - 'c:sh -c "journalctl | grep \"protection: active\"" -> r:\.*kernel: NX \(Execute Disable\) protection:\s*active'
+
+  # 1.6.3 Ensure address space layout randomization (ASLR) is enabled
+  - id: 21027
+    title: Ensure address space layout randomization (ASLR) is enabled.
+    description: >
+      Address space layout randomization (ASLR) is an exploit mitigation technique which
+      randomly arranges the address space of key data areas of a process.
+    rationale: >
+      Randomly placing virtual memory regions will make it difficult to write memory page
+      exploits as the memory placement will be consistently shifting.
+    remediation: >
+      Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      kernel.randomize_va_space = 2
+
+      Run the following command to set the active kernel parameter:
+      # sysctl -w kernel.randomize_va_space=2
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["8.3"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$'
+
+  # 1.6.4 Ensure prelink is disabled
+  - id: 21028
+    title: Ensure prelink is disabled.
+    description: >
+      prelinkis a program that modifies ELF shared libraries and ELF dynamically linked
+      binaries in such a way that the time needed for the dynamic linker to perform relocations
+      at startup significantly decreases.
+    rationale: >
+      The prelinking feature can interfere with the operation of AIDE, because it changes
+      binaries. Prelinking can also increase the vulnerability of the system if a malicious user is
+      able to compromise a common library such as libc.
+    remediation: >
+      Run the following command to restore binaries to normal:
+      # prelink -ua
+
+      Run the following command to uninstall prelink:
+      # zypper remove prelink
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_csc: ["14.9"]
+    condition: all
+    rules:
+      - "c:rpm -q prelink -> r:not installed"
+
+  # 1.7.1.1 Ensure AppArmor is installed
+  - id: 21029
+    title: Ensure AppArmor is installed.
+    description: AppArmor provides Mandatory Access Controls.
+    rationale: >
+      Without a Mandatory Access Control system installed only the default Discretionary Access
+      Control system will be available.
+    remediation: >
+      Run the following command to install AppArmor:
+      # zypper install -t pattern apparmor
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["14.6"]
+    condition: none
+    rules:
+      - "c:rpm -q apparmor-docs -> r:not installed"
+      - "c:rpm -q apparmor-parser -> r:not installed"
+      - "c:rpm -q apparmor-profiles -> r:not installed"
+      - "c:rpm -q apparmor-utils -> r:not installed"
+      - "c:rpm -q libapparmor1 -> r:not installed"
+
+  # 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - Not implemented
+  # 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - Not implemented
+  # 1.7.1.4 Ensure all AppArmor Profiles are enforcing - Not implemented
+
+  # 1.8.1.1 Ensure message of the day is configured properly
+  - id: 21030
+    title: Ensure message of the day is configured properly.
+    description: >
+      The contents of the /etc/motd file are displayed to users after login and function as a
+      message of the day for authenticated users.
+
+      Unix-based systems have typically displayed information about the OS release and patch
+      level upon logging in to the system. This information can be useful to developers who are
+      developing software for a particular OS platform. If mingetty(8) supports the following
+      options, they display operating system information: \m - machine architecture \r -
+      operating system release \s - operating system name \v - operating system version
+    rationale: >
+      Warning messages inform users who are attempting to login to the system of their legal
+      status regarding the system and must include the name of the organization that owns the
+      system and any monitoring policies that are in place. Displaying OS and patch level
+      information in login banners also has the side effect of providing detailed system
+      information to attackers attempting to target specific exploits of a system. Authorized users
+      can easily get this information by running the " uname -a " command once they have logged
+      in.
+    remediation: >
+      Edit the /etc/motd file with the appropriate contents according to your site policy, remove
+      any instances of \m , \r , \s , \v or references to the OS platform
+
+      OR
+
+      If the motd is not used, this file can be removed.
+      Run the following command to remove the motd file:
+      # rm /etc/motd
+    compliance:
+      - cis: ["1.8.1.1"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\m'
+      - 'f:/etc/motd -> r:\\r'
+      - 'f:/etc/motd -> r:\\s'
+      - 'f:/etc/motd -> r:\\v'
+
+  # 1.8.1.2 Ensure local login warning banner is configured properly
+  - id: 21031
+    title: Ensure local login warning banner is configured properly.
+    description: >
+      The contents of the /etc/issue file are displayed to users prior to login for local terminals.
+      Unix-based systems have typically displayed information about the OS release and patch
+      level upon logging in to the system. This information can be useful to developers who are
+      developing software for a particular OS platform. If mingetty(8) supports the following
+      options, they display operating system information: \m - machine architecture \r -
+      operating system release \s - operating system name \v - operating system version - or the
+      operating system's name
+    rationale: >
+      Warning messages inform users who are attempting to login to the system of their legal
+      status regarding the system and must include the name of the organization that owns the
+      system and any monitoring policies that are in place. Displaying OS and patch level
+      information in login banners also has the side effect of providing detailed system
+      information to attackers attempting to target specific exploits of a system. Authorized users
+      can easily get this information by running the " uname -a " command once they have logged
+      in.
+    remediation: >
+      Edit the /etc/issue file with the appropriate contents according to your site policy,
+      remove any instances of \m , \r , \s , \v or references to the OS platform
+      # echo "Authorized uses only. All activity may be monitored and reported." >
+      /etc/issue
+    compliance:
+      - cis: ["1.8.1.2"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\m'
+      - 'f:/etc/issue -> r:\\r'
+      - 'f:/etc/issue -> r:\\s'
+      - 'f:/etc/issue -> r:\\v'
+
+  # 1.8.1.3 Ensure remote login warning banner is configured properly
+  - id: 21032
+    title: Ensure remote login warning banner is configured properly.
+    description: >
+      The contents of the /etc/issue.net file are displayed to users prior to login for remote
+      connections from configured services.
+      Unix-based systems have typically displayed information about the OS release and patch
+      level upon logging in to the system. This information can be useful to developers who are
+      developing software for a particular OS platform. If mingetty(8) supports the following
+      options, they display operating system information: \m - machine architecture \r -
+      operating system release \s - operating system name \v - operating system version
+    rationale: >
+      Warning messages inform users who are attempting to login to the system of their legal
+      status regarding the system and must include the name of the organization that owns the
+      system and any monitoring policies that are in place. Displaying OS and patch level
+      information in login banners also has the side effect of providing detailed system
+      information to attackers attempting to target specific exploits of a system. Authorized users
+      can easily get this information by running the " uname -a " command once they have logged
+      in.
+    remediation: >
+      Edit the /etc/issue.net file with the appropriate contents according to your site policy,
+      remove any instances of \m , \r , \s , \v or references to the OS platform
+      # echo "Authorized uses only. All activity may be monitored and reported." >
+      /etc/issue.net
+    compliance:
+      - cis: ["1.8.1.3"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\m'
+      - 'f:/etc/issue.net -> r:\\r'
+      - 'f:/etc/issue.net -> r:\\s'
+      - 'f:/etc/issue.net -> r:\\v'
+
+  # 1.8.1.4 Ensure permissions on /etc/motd are configured
+  - id: 21033
+    title: Ensure permissions on /etc/motd are configured.
+    description: >
+      The contents of the /etc/motd file are displayed to users after login and function as a
+      message of the day for authenticated users.
+    rationale: >
+      If the /etc/motd file does not have the correct ownership it could be modified by
+      unauthorized users with incorrect or misleading information.
+    remediation: >
+      Run the following commands to set permissions on /etc/motd :
+      # chown root:root /etc/motd
+      # chmod u-x,go-wx /etc/motd
+    compliance:
+      - cis: ["1.8.1.4"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/motd -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.8.1.5 Ensure permissions on /etc/issue are configured
+  - id: 21034
+    title: Ensure permissions on /etc/issue are configured.
+    description: >
+      The contents of the /etc/issue file are displayed to users prior to login for local terminals.
+    rationale: >
+      If the /etc/issue file does not have the correct ownership it could be modified by
+      unauthorized users with incorrect or misleading information.
+    remediation: >
+      Run the following commands to set permissions on /etc/issue:
+      # chown root:root /etc/issue
+      # chmod u-x,go-wx /etc/issue
+    compliance:
+      - cis: ["1.8.1.5"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.8.1.6 Ensure permissions on /etc/issue.net are configured
+  - id: 21035
+    title: Ensure permissions on /etc/issue.net are configured.
+    description: >
+      The contents of the /etc/issue.net file are displayed to users prior to login for remote
+      connections from configured services.
+    rationale: >
+      If the /etc/issue.net file does not have the correct ownership it could be modified by
+      unauthorized users with incorrect or misleading information.
+    remediation: >
+      Run the following commands to set permissions on /etc/issue.net:
+      # chown root:root /etc/issue.net
+      # chmod u-x,go-wx /etc/issue.net
+    compliance:
+      - cis: ["1.8.1.6"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/issue.net -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed - Not implemented
+  # 1.10 Ensure GDM is removed or login is configured - Not implemented
+
+  # 2.1.1 Ensure xinetd is not installed
+  - id: 21036
+    title: Ensure xinetd is not installed.
+    description: >
+      The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced
+      the original inetd daemon. The xinetd daemon listens for well known services and
+      dispatches the appropriate daemon to properly respond to service requests.
+    rationale: >
+      If there are no xinetd services required, it is recommended that the package be removed to
+      reduce the attack surface are of the system.
+
+      Note: If an xinetd service or services are required, ensure that any xinetd service not required
+      is stopped and disabled
+    remediation: >
+      Run the following command to remove xinetd:
+      # zypper remove xinetd
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["2.6", "9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q xinetd -> r:not installed"
+
+  # 2.2.1.1 Ensure time synchronization is in use - Not implemented
+  # 2.2.1.2 Ensure systemd-timesyncd is configured - Not implemented
+
+  # 2.2.1.3 Ensure chrony is configured
+  - id: 21037
+    title: Ensure chrony is configured.
+    description: >
+      chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to
+      synchronize system clocks across a variety of systems and use a source that is highly
+      accurate. More information on chrony can be found at: http://chrony.tuxfamily.org/.
+      chrony can be configured to be a client and/or a server.
+    rationale: >
+      If chrony is in use on the system proper configuration is vital to ensuring time
+      synchronization is working properly.
+
+      Note: This recommendation only applies if chrony is in use on the system. If another method of
+      time synchronization is in use on the system, this recommendation can be skipped.
+    remediation: >
+      Add or edit server or pool lines to /etc/chrony.conf as appropriate:
+      server <remote-server>
+
+      Add or edit the OPTIONS in /etc/sysconfig/chronyd to include '-u chrony':
+      OPTIONS="-u chrony"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^\s*server\s+\.+'
+      - 'f:/etc/sysconfig/chronyd -> r:^\s*OPTIONS\s*=\s*"-u\s*chrony"'
+
+  # 2.2.2 Ensure X11 Server components are not installed
+  - id: 21038
+    title: Ensure X11 Server components are not installed.
+    description: >
+      The X Window System provides a Graphical User Interface (GUI) where users can have
+      multiple windows in which to run programs and various add on. The X Windows system is
+      typically used on workstations where users login, but not on servers where users typically
+      do not login.
+    rationale: >
+      Unless your organization specifically requires graphical login access via X Windows,
+      remove it to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove the X Windows Server packages:
+      # zypper remove xorg-x11-server*
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+    condition: none
+    rules:
+      - "c:rpm -qa -> r:^xorg-x11"
+
+  # 2.2.3 Ensure Avahi Server is not installed
+  - id: 21039
+    title: Ensure Avahi Server is not installed.
+    description: >
+      Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD
+      service discovery. Avahi allows programs to publish and discover services and hosts
+      running on a local network with no specific configuration. For example, a user can plug a
+      computer into a network and Avahi automatically finds printers to print to, files to look at
+      and people to talk to, as well as network services running on the machine.
+    rationale: >
+      Automatic discovery of network services is not normally required for system functionality.
+      It is recommended to remove this package to reduce the potential attack surface.
+    remediation: >
+      Run the following commands to stop, mask and remove avahi-autoipd and avahi:
+      # systemctl stop avahi-daemon.socket avahi-daemon.service
+      # zypper remove avahi-autoipd avahi
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q avahi -> r:not installed"
+      - "c:rpm -q avahi-autoipd -> r:not installed"
+
+  # 2.2.4 Ensure CUPS is not installed
+  - id: 21040
+    title: Ensure CUPS is not installed.
+    description: >
+      The Common Unix Print System (CUPS) provides the ability to print to both local and
+      network printers. A system running CUPS can also accept print jobs from remote systems
+      and print them to local printers. It also provides a web based remote administration
+      capability.
+    rationale: >
+      If the system does not need to print jobs or accept print jobs from other systems, it is
+      recommended that CUPS be removed to reduce the potential attack surface.
+
+      Note: Removing CUPS will prevent printing from the system
+    remediation: >
+      Run the following command to remove cups:
+      # zypper remove cups
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+    references:
+      - http://www.cups.org
+    condition: all
+    rules:
+      - "c:rpm -q cups -> r:not installed"
+
+  # 2.2.5 Ensure DHCP Server is not installed
+  - id: 21041
+    title: Ensure DHCP Server is not installed.
+    description: >
+      The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be
+      dynamically assigned IP addresses.
+    rationale: >
+      Unless a system is specifically set up to act as a DHCP server, it is recommended that the
+      dhcp package be removed to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove dhcp:
+      # zypper remove dhcp
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+    references:
+      - dhcpd(8)
+    condition: all
+    rules:
+      - "c:rpm -q dhcp -> r:not installed"
+
+  # 2.2.6 Ensure LDAP server is not installed
+  - id: 21042
+    title: Ensure LDAP server is not installed
+    description: >
+      The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for
+      NIS/YP. It is a service that provides a method for looking up information from a central
+      database.
+    rationale: >
+      If the system will not need to act as an LDAP server, it is recommended that the software be
+      removed to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove openldap-servers:
+      # zypper remove openldap2
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+    references:
+      - http://www.openldap.org
+    condition: all
+    rules:
+      - "c:rpm -q openldap2 -> r:not installed"
+
+  # 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked - Not implemented
+  # 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - Not implemented
+
+  # 2.2.9 Ensure DNS Server is not installed
+  - id: 21043
+    title: Ensure DNS Server is not installed.
+    description: >
+      The Domain Name System (DNS) is a hierarchical naming system that maps names to IP
+      addresses for computers, services and other resources connected to a network.
+    rationale: >
+      Unless a system is specifically designated to act as a DNS server, it is recommended that the
+      package be removed to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove bind:
+      # zypper remove bind
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q bind -> r:not installed"
+
+  # 2.2.10 Ensure FTP Server is not installed
+  - id: 21044
+    title: Ensure FTP Server is not installed.
+    description: >
+      FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring
+      files between a server and clients over a network, especially where no authentication is
+      necessary (permits anonymous users to connect to a server).
+    rationale: >
+      FTP does not protect the confidentiality of data or authentication credentials. It is
+      recommended SFTP be used if file transfer is required. Unless there is a need to run the
+      system as a FTP server (for example, to allow anonymous downloads), it is recommended
+      that the package be removed to reduce the potential attack surface.
+
+      Note: Additional FTP servers also exist and should be removed if not required.
+    remediation: >
+      Run the following command to remove vsftpd:
+      # zypper remove vsftpd
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q vsftpd -> r:not installed"
+
+  # 2.2.11 Ensure HTTP server is not installed
+  - id: 21045
+    title: Ensure HTTP server is not installed.
+    description: HTTP or web servers provide the ability to host web site content.
+    rationale: >
+      Unless there is a need to run the system as a web server, it is recommended that the
+      package be removed to reduce the potential attack surface.
+
+      Notes:
+        - Several http servers exist. apache, apache2, lighttpd, and nginx are example
+          packages that provide an HTTP server
+        - These and other packages should also be audited, and removed if not required
+    remediation: >
+      Run the following command to remove apache2:
+      # zypper remove apache2
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q apache2 -> r:not installed"
+
+  # 2.2.12 Ensure IMAP and POP3 server is not installed
+  - id: 21046
+    title: Ensure IMAP and POP3 server is not installed.
+    description: dovecot is an open source IMAP and POP3 server for Linux based systems.
+    rationale: >
+      Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended
+      that the package be removed to reduce the potential attack surface.
+
+      Notes:
+        - Several IMAP/POP3 servers exist and can use other service names. courier-imap and
+          cyrus-imap are example services that provide a mail server.
+        - These and other services should also be audited and the packages removed if not
+          required.
+    remediation: >
+      Run the following command to remove dovecot:
+      # zypper remove dovecot
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q dovecot -> r:not installed"
+
+  # 2.2.13 Ensure Samba is not installed
+  - id: 21047
+    title: Ensure Samba is not installed.
+    description: >
+      The Samba daemon allows system administrators to configure their Linux systems to share
+      file systems and directories with Windows desktops. Samba will advertise the file systems
+      and directories via the Server Message Block (SMB) protocol. Windows desktop users will
+      be able to mount these directories and file systems as letter drives on their systems.
+    rationale: >
+      If there is no need to mount directories and file systems to Windows systems, then this
+      package can be removed to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove samba:
+      # zypper remove samba
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q samba -> r:not installed"
+
+  # 2.2.14 Ensure HTTP Proxy Server is not installed
+  - id: 21048
+    title: Ensure HTTP Proxy Server is not installed.
+    description: Squid is a standard proxy server used in many distributions and environments.
+    rationale: >
+      Unless a system is specifically set up to act as a proxy server, it is recommended that the
+      squid package be removed to reduce the potential attack surface.
+
+      Note: Several HTTP proxy servers exist. These should be checked and removed unless required.
+    remediation: >
+      Run the following command to remove the squid package:
+      # zypper remove squid
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q squid -> r:not installed"
+
+  # 2.2.15 Ensure net-snmp is not installed
+  - id: 21049
+    title: Ensure net-snmp is not installed.
+    description: >
+      Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the
+      health and welfare of network equipment, computer equipment and devices like UPSs.
+        - Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157),
+          SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and
+          IPv6.
+        - Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was
+          dropped with the 4.0 release of the UCD-snmp package.
+        - The Simple Network Management Protocol (SNMP) server is used to listen for SNMP
+          commands from an SNMP management system, execute the commands or collect the
+          information and then send results back to the requesting system.
+    rationale: >
+      The SNMP server can communicate using SNMPv1, which transmits data in the clear and
+      does not require authentication to execute commands. SNMPv3 replaces the simple/clear
+      text password sharing used in SNMPv2 with more securely encoded parameters. If the the
+      SNMP service is not required, the net-snmp package should be removed to reduce the
+      attack surface of the system.
+
+      Note: If SNMP is required:
+        - The server should be configured for SNMP v3 only. User Authentication and Message
+          Encryption should be configured.
+        - If SNMP v2 is absolutely necessary, modify the community strings' values.
+    remediation: >
+      Run the following command to remove net-snmpd:
+      # zypper remove net-snmp
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["2.6", "9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q net-snmp -> r:not installed"
+
+  # 2.2.16 Ensure mail transfer agent is configured for local-only mode
+  - id: 21050
+    title: Ensure mail transfer agent is configured for local-only mode.
+    description: >
+      Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming
+      mail and transfer the messages to the appropriate user or mail server. If the system is not
+      intended to be a mail server, it is recommended that the MTA be configured to only process
+      local mail.
+    rationale: >
+      The software for all Mail Transfer Agents is complex and most have a long history of
+      security issues. While it is important to ensure that the system can process local mail
+      messages, it is not necessary to have the MTA's daemon listening on a port unless the
+      server is intended to be a mail server that receives and processes mail from other systems.
+      Notes:
+        - This recommendation is designed around the postfix mail server.
+        - Depending on your environment you may have an alternative MTA installed such as
+          sendmail. If this is the case consult the documentation for your installed MTA to
+          configure the recommended state.
+    remediation: >
+      Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If
+      the line already exists, change it to look like the line below:
+      inet_interfaces = loopback-only
+
+      Run the folloing command to restart postfix:
+      # systemctl restart postfix
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - 'f:/etc/postfix/main.cf -> r:^\s*inet_interfaces\s*=\s*loopback-only'
+
+  # 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
+  - id: 21051
+    title: Ensure rsync is not installed or the rsyncd service is masked.
+    description: The rsyncd service can be used to synchronize files between systems over network links.
+    rationale: >
+      Unless required, the rsync package should be removed to reduce the attack surface area of
+      the system.
+
+      The rsyncd service presents a security risk as it uses unencrypted protocols for
+      communication.
+
+      Note: If a required dependency exists for the rsync package, but the rsyncd service is not
+      required, the service should be masked.
+    remediation: >
+      Run the following command to remove the rsync package:
+      # zypper remove rsync
+
+      OR
+
+      Run the following command to mask the rsyncd service:
+      # systemctl --now mask rsyncd
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+    condition: any
+    rules:
+      - "c:rpm -q rsync -> r:not installed"
+      - "c:systemctl is-enabled rsyncd -> r:^masked"
+
+  # 2.2.18 Ensure NIS server is not installed
+  - id: 21052
+    title: Ensure NIS server is not installed.
+    description: >
+      The ypserv package provides the Network Information Service (NIS). This service, formally
+      known as Yellow Pages, is a client-server directory service protocol for distributing system
+      configuration files. The NIS server is a collection of programs that allow for the distribution
+      of configuration files.
+    rationale: >
+      The NIS service is inherently an insecure system that has been vulnerable to DOS attacks,
+      buffer overflows and has poor authentication for querying NIS maps. NIS generally has
+      been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is
+      recommended that the ypserv package be removed, and if required a more secure services
+      be used.
+    remediation: >
+      Run the following command to remove ypserv:
+      # zypper remove ypserv
+    compliance:
+      - cis: ["2.2.18"]
+      - cis_csc: ["2.6", "9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q ypserv -> r:not installed"
+
+  # 2.2.19 Ensure telnet-server is not installed
+  - id: 21053
+    title: Ensure telnet-server is not installed.
+    description: >
+      The telnet package contains the telnet daemon, which accepts connections from users
+      from other systems via the telnet protocol.
+    rationale: >
+      The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission
+      medium could allow a user with access to sniff network traffic the ability to steal
+      credentials. The ssh package provides an encrypted session and stronger security.
+    remediation: >
+      Run the following command to remove the telnet-server package:
+      # zypper remove telnet
+    compliance:
+      - cis: ["2.2.19"]
+      - cis_csc: ["2.6", "9.2"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:not installed"
+
+  # 2.3.1 Ensure NIS Client is not installed
+  - id: 21054
+    title: Ensure NIS Client is not installed.
+    description: >
+      The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server
+      directory service protocol used to distribute system configuration files. The NIS client (
+      ypbind ) was used to bind a machine to an NIS server and receive the distributed
+      configuration files.
+    rationale: >
+      The NIS service is inherently an insecure system that has been vulnerable to DOS attacks,
+      buffer overflows and has poor authentication for querying NIS maps. NIS generally has
+      been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is
+      recommended that the service be removed.
+    remediation: >
+      Run the following command to remove the ypbind package:
+      # zypper remove ypbind
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - "c:rpm -q ypbind -> r:not installed"
+
+  # 2.3.2 Ensure rsh client is not installed
+  - id: 21055
+    title: Ensure rsh client is not installed.
+    description: The rsh package contains the client commands for the rsh services.
+    rationale: >
+      These legacy clients contain numerous security exposures and have been replaced with the
+      more secure SSH package. Even if the server is removed, it is best to ensure the clients are
+      also removed to prevent users from inadvertently attempting to use these commands and
+      therefore exposing their credentials. Note that removing the rsh package removes the
+      clients for rsh , rcp and rlogin.
+    remediation: >
+      Run the following command to remove the rsh package:
+      # zypper remove rsh
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - "c:rpm -q rsh -> r:not installed"
+
+  # 2.3.3 Ensure talk client is not installed
+  - id: 21056
+    title: Ensure talk client is not installed.
+    description: >
+      The talk software makes it possible for users to send and receive messages across systems
+      through a terminal session. The talk client, which allows initialization of talk sessions, is
+      installed by default.
+    rationale: >
+      The software presents a security risk as it uses unencrypted protocols for communication.
+    remediation: >
+      Run the following command to remove the talk package:
+      # zypper remove talk
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - "c:rpm -q talk -> r:not installed"
+
+  # 2.3.4 Ensure telnet client is not installed
+  - id: 21057
+    title: Ensure telnet client is not installed.
+    description: >
+      The telnet package contains the telnet client, which allows users to start connections to
+      other systems via the telnet protocol.
+    rationale: >
+      The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission
+      medium could allow an unauthorized user to steal credentials. The ssh package provides
+      an encrypted session and stronger security and is included in most Linux distributions.
+    remediation: >
+      Run the following command to remove the telnet package:
+      # zypper remove telnet
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - "c:rpm -q telnet -> r:not installed"
+
+  # 2.3.5 Ensure LDAP client is not installed
+  - id: 21058
+    title: Ensure LDAP client is not installed.
+    description: >
+      The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for
+      NIS/YP. It is a service that provides a method for looking up information from a central
+      database.
+    rationale: >
+      If the system will not need to act as an LDAP client, it is recommended that the software be
+      removed to reduce the potential attack surface.
+    remediation: >
+      Run the following command to remove the openldap-clients package:
+      # zypper remove openldap2-clients
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+    condition: all
+    rules:
+      - "c:rpm -q openldap2-clients -> r:not installed"
+
+  # 2.4 Ensure nonessential services are removed or masked - Not implemented
+  # 3.1.1 Disable IPv6 - Not implemented
+  # 3.1.2 Ensure wireless interfaces are disabled - Not implemented
+  # 3.2.1 Ensure IP forwarding is disabled - Not implemented
+
+  # 3.2.2 Ensure packet redirect sending is disabled
+  - id: 21059
+    title: Ensure packet redirect sending is disabled
+    description: >
+      ICMP Redirects are used to send routing information to other hosts. As a host itself does
+      not act as a router (in a host only configuration), there is no need to send redirects.
+    rationale: >
+      An attacker could use a compromised host to send invalid ICMP redirects to other router
+      devices in an attempt to corrupt routing and have users access a system set up by the
+      attacker as opposed to a valid system.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.conf.all.send_redirects = 0
+      net.ipv4.conf.default.send_redirects = 0
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.conf.all.send_redirects=0
+      # sysctl -w net.ipv4.conf.default.send_redirects=0
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  # 3.3.1 Ensure source routed packets are not accepted - Not implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted - Not implemented
+
+  #3.3.3 Ensure secure ICMP redirects are not accepted
+  - id: 21060
+    title: Ensure secure ICMP redirects are not accepted.
+    description: >
+      Secure ICMP redirects are the same as ICMP redirects, except they come from gateways
+      listed on the default gateway list. It is assumed that these gateways are known to your
+      system, and that they are likely to be secure.
+    rationale: >
+      It is still possible for even known gateways to be compromised. Setting
+      net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table
+      updates by possibly compromised known gateways.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.conf.all.secure_redirects = 0
+      net.ipv4.conf.default.secure_redirects = 0
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.conf.all.secure_redirects=0
+      # sysctl -w net.ipv4.conf.default.secure_redirects=0
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.3.4 Ensure suspicious packets are logged
+  - id: 21061
+    title: Ensure suspicious packets are logged.
+    description: >
+      When enabled, this feature logs packets with un-routable source addresses to the kernel
+      log.
+    rationale: >
+      Enabling this feature and logging these packets allows an administrator to investigate the
+      possibility that an attacker is sending spoofed packets to their system.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.conf.all.log_martians = 1
+      net.ipv4.conf.default.log_martians = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.conf.all.log_martians=1
+      # sysctl -w net.ipv4.conf.default.log_martians=1
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.3.5 Ensure broadcast ICMP requests are ignored
+  - id: 21062
+    title: Ensure broadcast ICMP requests are ignored
+    description: >
+      Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all
+      ICMP echo and timestamp requests to broadcast and multicast addresses.
+    rationale: >
+      Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for
+      your network could be used to trick your host into starting (or participating) in a Smurf
+      attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast
+      messages with a spoofed source address. All hosts receiving this message and responding
+      would send echo-reply messages back to the spoofed address, which is probably not
+      routable. If many hosts respond to the packets, the amount of traffic on the network could
+      be significantly multiplied.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.3.6 Ensure bogus ICMP responses are ignored
+  - id: 21063
+    title: Ensure bogus ICMP responses are ignored.
+    description: >
+      Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus
+      responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from
+      filling up with useless log messages.
+    rationale: >
+      Some routers (and some attackers) will send responses that violate RFC-1122 and attempt
+      to fill up a log file system with many useless error messages.
+    remediation: >
+      Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.6"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.3.7 Ensure Reverse Path Filtering is enabled
+  - id: 21064
+    title: Ensure Reverse Path Filtering is enabled.
+    description: >
+      Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces
+      the Linux kernel to utilize reverse path filtering on a received packet to determine if the
+      packet was valid. Essentially, with reverse path filtering, if the return packet does not go
+      out the same interface that the corresponding source packet came from, the packet is
+      dropped (and logged if log_martians is set).
+    rationale: >
+      Setting these flags is a good way to deter attackers from sending your system bogus
+      packets that cannot be responded to. One instance where this feature breaks down is if
+      asymmetrical routing is employed. This would occur when using dynamic routing protocols
+      (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you
+      will not be able to enable this feature without breaking the routing.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.conf.all.rp_filter = 1
+      net.ipv4.conf.default.rp_filter = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.conf.all.rp_filter=1
+      # sysctl -w net.ipv4.conf.default.rp_filter=1
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.7"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.3.8 Ensure TCP SYN Cookies is enabled
+  - id: 21065
+    title: Ensure TCP SYN Cookies is enabled
+    description: >
+      When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the
+      half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN
+      cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the
+      SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that
+      encodes the source and destination IP address and port number and the time the packet
+      was sent. A legitimate connection would send the ACK packet of the three way handshake
+      with the specially crafted sequence number. This allows the system to verify that it has
+      received a valid response to a SYN cookie and allow the connection, even though there is no
+      corresponding SYN in the queue.
+    rationale: >
+      Attackers use SYN flood attacks to perform a denial of service attacked on a system by
+      sending many SYN packets without completing the three way handshake. This will quickly
+      use up slots in the kernel's half-open connection queue and prevent legitimate connections
+      from succeeding. SYN cookies allow the system to keep accepting valid connections, even if
+      under a denial of service attack.
+    remediation: >
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv4.tcp_syncookies = 1
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv4.tcp_syncookies=1
+      # sysctl -w net.ipv4.route.flush=1
+    compliance:
+      - cis: ["3.3.8"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+      - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted
+  - id: 21066
+    title: Ensure IPv6 router advertisements are not accepted
+    description: This setting disables the system's ability to accept IPv6 router advertisements.
+    rationale: >
+      It is recommended that systems do not accept router advertisements as they could be
+      tricked into routing traffic to compromised machines. Setting hard routes within the
+      system (usually a single default route to a trusted router) protects the system from bad
+      routes.
+    remediation: >
+      IF IPv6 is enabled:
+
+      Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
+      net.ipv6.conf.all.accept_ra = 0
+      net.ipv6.conf.default.accept_ra = 0
+
+      Run the following commands to set the active kernel parameters:
+      # sysctl -w net.ipv6.conf.all.accept_ra=0
+      # sysctl -w net.ipv6.conf.default.accept_ra=0
+      # sysctl -w net.ipv6.route.flush=1
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:\s*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:\s*0$'
+      - 'c:grep -Rh "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d -> r:^\s*net.ipv6.conf.all.accept_ra\s*=\s*0'
+      - 'c:grep -Rh "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d -> r:^\s*net.ipv6.conf.default.accept_ra\s*=\s*0'
+
+  # 3.4.1 Ensure DCCP is disabled
+  - id: 21067
+    title: Ensure DCCP is disabled
+    description: >
+      The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that
+      supports streaming media and telephony. DCCP provides a way to gain access to
+      congestion control, without having to do it at the application layer, but does not provide
+      insequence delivery.
+    rationale: >
+      If the protocol is not required, it is recommended that the drivers not be installed to reduce
+      the potential attack surface.
+    remediation: >
+      Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
+      Example: vim /etc/modprobe.d/dccp.conf
+      and add the following line:
+
+      install dccp /bin/true
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - 'c:grep -R dccp /etc/modprobe.d -> r:^/etc/modprobe.d/\.+.conf:\s*install\s+dccp\s+/bin/true'
+
+  # 3.4.2 Ensure SCTP is disabled
+  - id: 21068
+    title: Ensure SCTP is disabled
+    description: >
+      The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to
+      support message oriented communication, with several streams of messages in one
+      connection. It serves a similar function as TCP and UDP, incorporating features of both. It is
+      message-oriented like UDP, and ensures reliable in-sequence transport of messages with
+      congestion control like TCP.
+    rationale: >
+      If the protocol is not being used, it is recommended that kernel module not be loaded,
+      disabling the service to reduce the potential attack surface.
+    remediation: >
+      Edit or create a file in the /etc/modprobe.d/ directory ending in .conf
+      Example: vim /etc/modprobe.d/sctp.conf
+      and add the following line:
+
+      install sctp /bin/true
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - 'c:grep -R sctp /etc/modprobe.d -> r:^/etc/modprobe.d/\.+.conf:\s*install\s+sctp\s+/bin/true'
+
+  # 3.5.1.1 Ensure FirewallD is installed
+  - id: 21069
+    title: Ensure FirewallD is installed
+    description: >
+      firewalld is a firewall management tool for Linux operating systems. It provides firewall
+      features by acting as a front-end for the Linux kernel's netfilter framework via the iptables
+      backend or provides firewall features by acting as a front-end for the Linux kernel's
+      netfilter framework via the nftables utility.
+
+      FirewallD replaces iptables as the default firewall management tool. Use the firewalld
+      utility to configure a firewall for less complex firewalls. The utility is easy to use and covers
+      the typical use cases scenario. FirewallD supports both IPv4 and IPv6 networks and can
+      administer separate firewall zones with varying degrees of trust as defined in zone profiles.
+
+      Note: Starting in v0.6.0, FirewallD added support for acting as a front-end for the Linux
+      kernel's netfilter framework via the nftables userspace utility, acting as an alternative to the
+      nft command line program.
+    rationale: >
+      A firewall utility is required to configure the Linux kernel's netfilter framework via the
+      iptables or nftables back-end.
+
+      The Linux kernel's netfilter framework host-based firewall can protect against threats
+      originating from within a corporate network to include malicious mobile code and poorly
+      configured software on a host.
+
+      Note: Only one firewall utility should be installed and configured. FirewallD is dependent on
+      the iptables package.
+    remediation: >
+      Run the following command to install FirewallD and iptables:
+      # zypper install firewalld iptables
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.4"]
+    condition: none
+    rules:
+      - "c:rpm -q firewalld -> r:not installed"
+      - "c:rpm -q iptables -> r:not installed"
+
+  # 3.5.1.2 Ensure nftables is not installed or stopped and masked - Not implemented
+
+  # 3.5.1.3 Ensure firewalld service is enabled and running
+  - id: 21070
+    title: Ensure firewalld service is enabled and running
+    description: >
+      firewalld.service enables the enforcement of firewall rules configured through
+      firewalld
+    rationale: >
+      Ensure that the firewalld.service is enabled and running to enforce firewall rules
+      configured through firewalld
+    remediation: >
+      Run the following command to unmask firewalld
+      # systemctl unmask firewalld
+
+      Run the following command to enable and start firewalld
+      # systemctl --now enable firewalld
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled firewalld -> r:^enabled"
+      - "c:firewall-cmd --state -> r:^running"
+
+  # 3.5.1.4 Ensure default zone is set - Not implemented
+  # 3.5.1.5 Ensure network interfaces are assigned to appropriate zone - Not implemented
+  # 3.5.1.6 Ensure unnecessary services and ports are not accepted - Not implemented
+
+  # 3.5.2.1 Ensure nftables is installed
+  - id: 21071
+    title: Ensure nftables is installed
+    description: >
+      nftables provides a new in-kernel packet classification framework that is based on a
+      network-specific Virtual Machine (VM) and a new nft userspace command line tool.
+      nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure,
+      the connection tracking system, NAT, userspace queuing and logging subsystem.
+        Notes:
+          - nftables is available in Linux kernel 3.13 and newer.
+          - Only one firewall utility should be installed and configured.
+    rationale: >
+      nftables is a subsystem of the Linux kernel that can protect against threats originating from
+      within a corporate network to include malicious mobile code and poorly configured
+      software on a host.
+    remediation: >
+      Run the following command to install nftables
+      # zypper install nftables
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.4"]
+    condition: none
+    rules:
+      - "c:rpm -q nftables -> r:not installed"
+
+  # 3.5.2.2 Ensure firewalld is not installed or stopped and masked - Not implemented
+  # 3.5.2.3 Ensure iptables are flushed - Not implemented
+
+  # 3.5.2.4 Ensure a table exists
+  - id: 21072
+    title: Ensure a table exists.
+    description: >
+      Tables hold chains. Each table only has one address family and only applies to packets of
+      this family. Tables can have one of five families.
+    rationale: >
+      nftables doesn't have any default tables. Without a table being build, nftables will not filter
+      network traffic.
+    remediation: >
+      Run the following command to create a table in nftables
+      # nft create table inet <table name>
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:^table inet\s+\.+'
+
+  # 3.5.2.5 Ensure base chains exist
+  - id: 21073
+    title: Ensure base chains exist.
+    description: >
+      Chains are containers for rules. They exist in two kinds, base chains and regular chains. A
+      base chain is an entry point for packets from the networking stack, a regular chain may be
+      used as jump target and is used for better rule organization.
+    rationale: >
+      If a base chain doesn't exist with a hook for input, forward, and delete, packets that would
+      flow through those chains will not be touched by nftables.
+    remediation: >
+      Run the following command to create the base chains:
+      # nft create chain inet <table name> <base chain name> { type filter hook
+      <(input|forward|output)> priority 0 \; }
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - 'c:nft list ruleset -> !r:^# && r:type hook input\s+\.+'
+      - 'c:nft list ruleset -> !r:^# && r:type hook forward\s+\.+'
+      - 'c:nft list ruleset -> !r:^# && r:type hook output\s+\.+'
+
+  # 3.5.2.6 Ensure loopback traffic is configured
+  # 3.5.2.7 Ensure outbound and established connections are configured
+
+  # 3.5.2.8 Ensure default deny firewall policy
+  - id: 21074
+    title: Ensure default deny firewall policy.
+    description: >
+      Base chain policy is the default verdict that will be applied to packets reaching the end of
+      the chain.
+    rationale: >
+      There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall
+      will accept any packet that is not configured to be denied and the packet will continue
+      transversing the network stack.
+      It is easier to white list acceptable usage than to black list unacceptable usage.
+
+      Note: Changing firewall settings while connected over network can result in being locked
+      out of the system.
+    remediation: >
+      Run the following command for the base chains with the input, forward, and output hooks
+      to implement a default DROP policy:
+      # nft chain <table family> <table name> <chain name> { policy drop \; }
+
+      Example:
+      # nft chain inet filter input { policy drop \; }
+      # nft chain inet filter forward { policy drop \; }
+      # nft chain inet filter output { policy drop \; }
+    compliance:
+      - cis: ["3.5.2.8"]
+      - cis_csc: ["9.4"]
+    references:
+      - Manual Page nft
+    condition: all
+    rules:
+      - 'c:nft list ruleset -> !r:^# && r:type hook input\s+\.+policy\s+drop'
+      - 'c:nft list ruleset -> !r:^# && r:type hook forward\s+\.+policy\s+drop'
+      - 'c:nft list ruleset -> !r:^# && r:type hook output\s+\.+policy\s+drop'
+
+  # 3.5.2.9 Ensure nftables service is enabled
+  - id: 21075
+    title: Ensure nftables service is enabled
+    description: >
+      The nftables service allows for the loading of nftables rulesets during boot, or starting on
+      the nftables service
+    rationale: >
+      The nftables service restores the nftables rules from the rules files referenced in the
+      /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service
+    remediation: >
+      Run the following command to enable the nftables service:
+      # systemctl enable nftables
+    compliance:
+      - cis: ["3.5.2.9"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:^enabled"
+
+  # 3.5.2.10 Ensure nftables rules are permanent - Not implemented
+  # 3.5.3.1.1 Ensure iptables package is installed - Not implemented
+
+  # 3.5.3.1.2 Ensure nftables is not installed - Not implemented
+  - id: 21076
+    title: Ensure nftables is not installed
+    description: >
+      nftables is a subsystem of the Linux kernel providing filtering and classification of network
+      packets/datagrams/frames and is the successor to iptables.
+    rationale: >
+      Running both iptables and nftables may lead to conflict.
+    remediation: >
+      Run the following command to remove nftables:
+      # zypper remove nftables
+    compliance:
+      - cis: ["3.5.3.1.2"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - "c:rpm -q nftables -> r:not installed"
+
+  # 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - Not implemented
+
+  # 3.5.3.2.1 Ensure default deny firewall policy
+  - id: 21077
+    title: Ensure default deny firewall policy
+    description: >
+      A default deny all policy on connections ensures that any unconfigured network usage will
+      be rejected.
+    rationale: >
+      With a default accept policy the firewall will accept any packet that is not configured to be
+      denied. It is easier to white list acceptable usage than to black list unacceptable usage.
+
+      Note: Changing firewall settings while connected over network can result in being locked
+      out of the system.
+    remediation: >
+      Run the following commands to implement a default DROP policy:
+      # iptables -P INPUT DROP
+      # iptables -P OUTPUT DROP
+      # iptables -P FORWARD DROP
+    compliance:
+      - cis: ["3.5.3.2.1"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:^Chain INPUT \(policy DROP\)'
+      - 'c:iptables -L -> r:^Chain FORWARD \(policy DROP\)'
+      - 'c:iptables -L -> r:^Chain OUTPUT \(policy DROP\)'
+
+  # 3.5.3.2.2 Ensure loopback traffic is configured
+  - id: 21078
+    title: Ensure loopback traffic is configured
+    description: >
+      Configure the loopback interface to accept traffic. Configure all other interfaces to deny
+      traffic to the loopback network (127.0.0.0/8).
+    rationale: >
+      Loopback traffic is generated between processes on machine and is typically critical to
+      operation of the system. The loopback interface is the only place that loopback network
+      (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this
+      network as an anti-spoofing measure.
+
+      Note: Changing firewall settings while connected over network can result in being locked
+      out of the system.
+    remediation: >
+      Run the following commands to implement the loopback rules:
+      # iptables -A INPUT -i lo -j ACCEPT
+      # iptables -A OUTPUT -o lo -j ACCEPT
+      # iptables -A INPUT -s 127.0.0.0/8 -j DROP
+    compliance:
+      - cis: ["3.5.3.2.2"]
+      - cis_csc: ["9.4"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:^\s*\d+\s+\d+\s+ACCEPT\s+all\s+--\s+lo\s+*\s+0.0.0.0/0\s+0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:^\s*\d+\s+\d+\s+DROP\s+all\s+--\s+*\s+*\s+127.0.0.0/8\s+0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:^\s*\d+\s+\d+\s+ACCEPT\s+all\s+--\s+*\s+lo\s+0.0.0.0/0\s+0.0.0.0/0'
+
+  # 3.5.3.2.3 Ensure outbound and established connections are configured - Not implemented
+  # 3.5.3.2.4 Ensure firewall rules exist for all open ports - Not implemented
+  # 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Not implemented
+  # 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - Not implemented
+  # 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured - Not implemented
+  # 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports - Not implemented
+
+  # 4.1.1.1 Ensure auditd is installed
+  - id: 21079
+    title: Ensure auditd is installed
+    description: >
+      auditd is the userspace component to the Linux Auditing System. It's responsible for
+      writing audit records to the disk
+    rationale: >
+      The capturing of system events provides system administrators with information to allow
+      them to determine if unauthorized access to their system is occurring.
+    remediation: >
+      Run the following command to Install auditd
+      # zypper install audit
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - "c:rpm -q audit -> r:not installed"
+
+  # 4.1.1.2 Ensure auditd service is enabled and running
+  - id: 21080
+    title: Ensure auditd service is enabled and running
+    description: Turn on the auditd daemon to record system events.
+    rationale: >
+      The capturing of system events provides system administrators with information to allow
+      them to determine if unauthorized access to their system is occurring.
+    remediation: >
+      Run the following command to enable and start auditd:
+      # systemctl --now enable auditd
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+      - 'c:systemctl status auditd -> r:^\s*Active: active \(running\) since \.+'
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled - Not implemented
+
+  # 4.1.2.1 Ensure audit log storage size is configured
+  - id: 21081
+    title: Ensure audit log storage size is configured.
+    description: >
+      Configure the maximum size of the audit log file. Once the log reaches the maximum size, it
+      will be rotated and a new log file will be started.
+
+      Notes:
+        - The max_log_file parameter is measured in megabytes.
+        - Other methods of log rotation may be appropriate based on site policy. One example is
+          time-based rotation strategies which don't have native support in auditd
+          configurations. Manual audit of custom configurations should be evaluated for
+          effectiveness and completeness.
+    rationale: >
+      It is important that an appropriate size is determined for log files so that they do not impact
+      the system and audit data is not lost.
+    remediation: >
+      Set the following parameter in /etc/audit/auditd.conf in accordance with site policy:
+      max_log_file = <MB>
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file\s*=\s*\d+'
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted
+  - id: 21082
+    title: Ensure audit logs are not automatically deleted.
+    description: >
+      The max_log_file_action setting determines how to handle the audit log file reaching the
+      max file size. A value of keep_logs will rotate the logs but never delete old logs.
+    rationale: >
+      In high security contexts, the benefits of maintaining a long audit history exceed the cost of
+      storing the audit history.
+    remediation: >
+      Set the following parameter in /etc/audit/auditd.conf:
+      max_log_file_action = keep_logs
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc: ["6.2", "6.4"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*max_log_file_action\s*=\s*keep_logs'
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full
+  - id: 21083
+    title: Ensure system is disabled when audit logs are full.
+    description: The auditd daemon can be configured to halt the system when the audit logs are full.
+    rationale: >
+      In high security contexts, the risk of detecting unauthorized access or nonrepudiation
+      exceeds the benefit of the system's availability.
+    remediation: >
+      Set the following parameters in /etc/audit/auditd.conf:
+      space_left_action = email
+      action_mail_acct = root
+      admin_space_left_action = halt
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc: ["6.2", "6.4"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt'
+
+  # 4.1.2.4 Ensure audit_backlog_limit is sufficient - Not implemented
+  # 4.1.3 Ensure events that modify date and time information are collected - Not implemented
+
+  # 4.1.4 Ensure events that modify user/group information are collected
+  - id: 21084
+    title: Ensure events that modify user/group information are collected.
+    description: >
+      Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or
+      /etc/security/opasswd (old passwords, based on remember parameter in the PAM
+      configuration) files. The parameters in this section will watch the files to see if they have
+      been opened for write or have had attribute changes (e.g. permissions) and tag them with
+      the identifier "identity" in the audit log file.
+
+      Note: Reloading the auditd config to set active settings may require a system reboot.
+    rationale: >
+      Unexpected changes to these files could be an indication that the system has been
+      compromised and that an unauthorized user is attempting to hide their activities or
+      compromise additional accounts.
+    remediation: >
+      Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
+      Example: vi /etc/audit/rules.d/identity.rules
+      and add the following lines:
+
+      -w /etc/group -p wa -k identity
+      -w /etc/passwd -p wa -k identity
+      -w /etc/gshadow -p wa -k identity
+      -w /etc/shadow -p wa -k identity
+      -w /etc/security/opasswd -p wa -k identity
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'c:grep -R identity /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/group\s+-p\s+wa\s+-k\s+identity'
+      - 'c:grep -R identity /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/passwd\s+-p\s+wa\s+-k\s+identity'
+      - 'c:grep -R identity /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/gshadow\s+-p\s+wa\s+-k\s+identity'
+      - 'c:grep -R identity /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/shadow\s+-p\s+wa\s+-k\s+identity'
+      - 'c:grep -R identity /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/security/opasswd\s+-p\s+wa\s+-k\s+identity'
+      - 'c:sh -c "auditctl -l | grep identity" -> r:^\s*-w\s+/etc/group\s+-p\s+wa\s+-k\s+identity'
+      - 'c:sh -c "auditctl -l | grep identity" -> r:^\s*-w\s+/etc/passwd\s+-p\s+wa\s+-k\s+identity'
+      - 'c:sh -c "auditctl -l | grep identity" -> r:^\s*-w\s+/etc/gshadow\s+-p\s+wa\s+-k\s+identity'
+      - 'c:sh -c "auditctl -l | grep identity" -> r:^\s*-w\s+/etc/shadow\s+-p\s+wa\s+-k\s+identity'
+      - 'c:sh -c "auditctl -l | grep identity" -> r:^\s*-w\s+/etc/security/opasswd\s+-p\s+wa\s+-k\s+identity'
+
+  # 4.1.5 Ensure events that modify the system's network environment are collected - Not implemented
+
+  # 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected
+  - id: 21085
+    title: Ensure events that modify the system's Mandatory Access Controls are collected.
+    description: >
+      Monitor SELinux mandatory access controls. The parameters below monitor any write
+      access (potential additional, deletion or modification of files in the directory) or attribute
+      changes to the /etc/selinux/ and /usr/share/selinux/ directories.
+
+      Notes:
+        - If a different Mandatory Access Control method is used, changes to the corresponding
+          directories should be audited.
+        - Reloading the auditd config to set active settings requires the auditd service to be
+          restarted, and may require a system reboot.
+    rationale: >
+      Changes to files in the /etc/selinux/ and /usr/share/selinux/ directories could indicate
+      that an unauthorized user is attempting to modify access controls and change security
+      contexts, leading to a compromise of the system.
+    remediation: >
+      Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
+      Example: vi /etc/audit/rules.d/MAC_policy.rules
+      and add the following lines:
+
+      -w /etc/selinux/ -p wa -k MAC-policy
+      -w /usr/share/selinux/ -p wa -k MAC-policy
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+    condition: all
+    rules:
+      - 'c:grep -R MAC-policy /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/selinux/\s+-p\s+wa\s+-k\s+MAC-policy'
+      - 'c:grep -R MAC-policy /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/usr/share/selinux/\s+-p\s+wa\s+-k\s+MAC-policy'
+      - 'c:sh -c "auditctl -l | grep MAC-policy" -> r:^\s*-w\s+/etc/selinux/\s+-p\s+wa\s+-k\s+MAC-policy'
+      - 'c:sh -c "auditctl -l | grep MAC-policy" -> r:^\s*-w\s+/usr/share/selinux/\s+-p\s+wa\s+-k\s+MAC-policy'
+
+  # 4.1.7 Ensure login and logout events are collected
+  - id: 21086
+    title: Ensure login and logout events are collected.
+    description: >
+      Monitor login and logout events. The parameters below track changes to files associated
+      with login/logout events.
+        - The file /var/log/faillog tracks failed events from login.
+        - The file /var/log/lastlog maintain records of the last time a user successfully
+          logged in.
+        - The file /var/log/tallylog maintains records of failures via the pam_tally2
+          module
+      Note: Reloading the auditd config to set active settings requires the auditd service to be
+      restarted, and may require a system reboot.
+    rationale: >
+      Monitoring login/logout events could provide a system administrator with information
+      associated with brute force attacks against user logins.
+    remediation: >
+      Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
+      Example: vi /etc/audit/rules.d/logins.rules
+      and add the following lines:
+
+      -w /var/log/faillog -p wa -k logins
+      -w /var/log/lastlog -p wa -k logins
+      -w /var/log/tallylog -p wa -k logins
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+    condition: all
+    rules:
+      - 'c:grep -R logins /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/log/faillog\s+-p\s+wa\s+-k\s+logins'
+      - 'c:grep -R logins /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/log/lastlog\s+-p\s+wa\s+-k\s+logins'
+      - 'c:grep -R logins /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/log/tallylog\s+-p\s+wa\s+-k\s+logins'
+      - 'c:sh -c "auditctl -l | grep logins" -> r:^\s*-w\s+/var/log/faillog\s+-p\s+wa\s+-k\s+logins'
+      - 'c:sh -c "auditctl -l | grep logins" -> r:^\s*-w\s+/var/log/lastlog\s+-p\s+wa\s+-k\s+logins'
+      - 'c:sh -c "auditctl -l | grep logins" -> r:^\s*-w\s+/var/log/tallylog\s+-p\s+wa\s+-k\s+logins'
+
+  # 4.1.8 Ensure session initiation information is collected
+  - id: 21087
+    title: Ensure session initiation information is collected.
+    description: >
+      Monitor session initiation events. The parameters in this section track changes to the files
+      associated with session events. The file /var/run/utmp tracks all currently logged in users.
+      All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks
+      logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed
+      login attempts and can be read by entering the command /usr/bin/last -f
+      /var/log/btmp . All audit records will be tagged with the identifier "logins."
+
+      Notes:
+        - The last command can be used to read /var/log/wtmp (last with no parameters)
+          and /var/run/utmp (last -f /var/run/utmp)
+        - Reloading the auditd config to set active settings requires the auditd service to be
+          restarted, and may require a system reboot.
+    rationale: >
+      Monitoring these files for changes could alert a system administrator to logins occurring at
+      unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when
+      they do not normally log in).
+    remediation: >
+      Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
+      Example: vi /etc/audit/rules.d/session.rules
+      and add the following lines:
+
+      -w /var/run/utmp -p wa -k session
+      -w /var/log/wtmp -p wa -k logins
+      -w /var/log/btmp -p wa -k logins
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+    condition: all
+    rules:
+      - 'c:grep -RE "(session|logins)" /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/run/utmp\s+-p\s+wa\s+-k\s+session'
+      - 'c:grep -RE "(session|logins)" /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/log/wtmp\s+-p\s+wa\s+-k\s+logins'
+      - 'c:grep -RE "(session|logins)" /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/var/log/btmp\s+-p\s+wa\s+-k\s+logins'
+      - 'c:sh -c "auditctl -l | grep -E \"(session|logins)\"" -> r:^\s*-w\s+/var/run/utmp\s+-p\s+wa\s+-k\s+session'
+      - 'c:sh -c "auditctl -l | grep -E \"(session|logins)\"" -> r:^\s*-w\s+/var/log/wtmp\s+-p\s+wa\s+-k\s+logins'
+      - 'c:sh -c "auditctl -l | grep -E \"(session|logins)\"" -> r:^\s*-w\s+/var/log/btmp\s+-p\s+wa\s+-k\s+logins'
+
+  # 4.1.9 Ensure discretionary access control permission modification events are collected - Not implemented
+  # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - Not implemented
+  # 4.1.11 Ensure use of privileged commands is collected - Not implemented
+  # 4.1.12 Ensure successful file system mounts are collected - Not implemented
+  # 4.1.13 Ensure file deletion events by users are collected - Not implemented
+
+  # 4.1.14 Ensure changes to system administration scope (sudoers) is collected
+  - id: 21088
+    title: Ensure changes to system administration scope (sudoers) is collected
+    description: >
+      Monitor scope changes for system administrators. If the system has been properly
+      configured to force system administrators to log in as themselves first and then use the
+      sudo command to execute privileged commands, it is possible to monitor changes in scope.
+      The file /etc/sudoers or a file in the /etc/sudoers.d directory will be written to when the
+      file or its attributes have changed.
+
+      Notes: Reloading the auditd config to set active settings may require a system reboot.
+    rationale: >
+      Changes in the /etc/sudoers file, or a file in the /etc/sudoers.d/ directory can indicate
+      that an unauthorized change has been made to scope of system administrator activity.
+    remediation: >
+      Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
+      Example: vi /etc/audit/rules.d/scope.rules
+      and add the following lines:
+
+      -w /etc/sudoers -p wa -k scope
+      -w /etc/sudoers.d/ -p wa -k scope
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'c:grep -R scope /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/sudoers\s+-p\s+wa\s+-k\s+scope'
+      - 'c:grep -R scope /etc/audit/rules.d/ -> r:^/etc/audit/rules.d/\.+.rules:\s*-w\s+/etc/sudoers.d/\s+-p\s+wa\s+-k\s+scope'
+      - 'c:sh -c "auditctl -l | grep scope" -> r:^\s*-w\s+/etc/sudoers\s+-p\s+wa\s+-k\s+scope'
+      - 'c:sh -c "auditctl -l | grep scope" -> r:^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa\s+-k\s+scope'
+
+  # 4.1.15 Ensure system administrator actions (sudolog) are collected - Not implemented
+  # 4.1.16 Ensure kernel module loading and unloading is collected - Not implemented
+
+  # 4.1.17 Ensure the audit configuration is immutable
+  - id: 21089
+    title: Ensure the audit configuration is immutable.
+    description: >
+      Set system audit so that audit rules cannot be modified with auditctl . Setting the flag "-e
+      2" forces audit to be put in immutable mode. Audit changes can only be made on system
+      reboot.
+
+      Note: This setting will require the system to be rebooted to update the active auditd
+      configuration settings.
+    rationale: >
+      In immutable mode, unauthorized users cannot execute changes to the audit system to
+      potentially hide malicious activity and then put the audit rules back. Users would most
+      likely notice a system reboot and that could alert administrators of an attempt to make
+      unauthorized audit changes.
+    remediation: >
+      Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the following line
+      at the end of the file:
+
+      -e 2
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: all
+    rules:
+      - 'c:sh -c "grep -R \"^\s*[^#]\" /etc/audit/rules.d/ | tail -1" -> r:^/etc/audit/rules.d/\.+.rules:\s*-e\s+2\s*$'
+
+  # 4.2.1.1 Ensure rsyslog is installed
+  - id: 21090
+    title: Ensure rsyslog is installed.
+    description: >
+      The rsyslog software is a recommended replacement to the original syslogd daemon.
+      rsyslog provides improvements over syslogd, including:
+        - connection-oriented (i.e. TCP) transmission of logs
+        - The option to log to database formats
+        - Encryption of log data en route to a central logging server
+    rationale: >
+      The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission
+      of logs, the option to log to database formats, and the encryption of log data en route to a
+      central logging server) justify installing and configuring the package.
+    remediation: >
+      Run the following command to install rsyslog:
+      # zypper install rsyslog
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: none
+    rules:
+      - "c:rpm -q rsyslog -> r:not installed"
+
+  # 4.2.1.2 Ensure rsyslog Service is enabled and running
+  - id: 21091
+    title: Ensure rsyslog Service is enabled and running.
+    description: rsyslog needs to be enabled and running to perform logging
+    rationale: >
+      If the rsyslog service is not activated the system may default to the syslogd service or lack
+      logging instead.
+    remediation: >
+      Run the following command to enable and start rsyslog:
+      # systemctl --now enable rsyslog
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+      - 'c:systemctl status rsyslog -> r:^\s*Active: active \(running\) since \.+'
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured
+  - id: 21092
+    title: Ensure rsyslog default file permissions configured.
+    description: >
+      rsyslog will create logfiles that do not already exist on the system. This setting controls
+      what permissions will be applied to these newly created files.
+      The $FileCreateMode parameter specifies the file creation mode with which rsyslogd
+      creates new files. If not specified, the value 0644 is used.
+      Notes:
+        - The value given must always be a 4-digit octal number, with the initial digit being
+          zero.
+        - This setting can be overridden by a less restrictive setting in any file ending in .conf in
+          the /etc/rsyslog.d/ directory
+    rationale: >
+      It is important to ensure that log files have the correct permissions to ensure that sensitive
+      data is archived and protected.
+    remediation: >
+      Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to
+      0640 or more restrictive:
+
+      $FileCreateMode 0640
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+    references:
+      - See the rsyslog.conf(5) man page for more information.
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$FileCreateMode\s+0640'
+
+  # 4.2.1.4 Ensure logging is configured - Not implemented
+  # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host - Not implemented
+  # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - Not implemented
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog
+  - id: 21093
+    title: Ensure journald is configured to send logs to rsyslog.
+    description: >
+      Data from journald may be stored in volatile memory or persisted locally on the server.
+      Utilities exist to accept remote export of journald logs, however, use of the rsyslog service
+      provides a consistent means of log collection and export.
+
+      Notes:
+        - This recommendation assumes that recommendation 4.2.1.5, "Ensure rsyslog is
+          configured to send logs to a remote log host" has been implemented.
+        - The main configuration file /etc/systemd/journald.conf is read before any of the
+          custom *.conf files. If there are custom configs present, they override the main
+          configuration parameters
+        - As noted in the journald man pages: journald logs may be exported to rsyslog either
+          through the process mentioned here, or through a facility like systemdjournald.service. There are trade-offs involved in each implementation, where
+          ForwardToSyslog will immediately capture all events (and forward to an external log
+          server, if properly configured), but may not capture all boot-up activities. Mechanisms
+          such as systemd-journald.service, on the other hand, will record bootup events, but
+          may delay sending the information to rsyslog, leading to the potential for log
+          manipulation prior to export. Be aware of the limitations of all tools employed to
+          secure a system.
+    rationale: >
+      Storing log data on a remote host protects log integrity from local attacks. If an attacker
+      gains root access on the local system, they could tamper with or remove log data that is
+      stored on the local system.
+    remediation: >
+      Edit the /etc/systemd/journald.conf file and add the following line:
+      ForwardToSyslog=yes
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.5"]
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^ForwardToSyslog=yes"
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files
+  - id: 21094
+    title: Ensure journald is configured to compress large log files.
+    description: >
+      The journald system includes the capability of compressing overly large files to avoid filling
+      up the system with logs or making the log's size unmanageable.
+
+      Note: The main configuration file /etc/systemd/journald.conf is read before any of the
+      custom *.conf files. If there are custom configs present, they override the main configuration
+      parameters
+    rationale: >
+      Uncompressed large files may unexpectedly fill a filesystem leading to resource
+      unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem
+      impacts.
+    remediation: >
+      Edit the /etc/systemd/journald.conf file and add the following line:
+      Compress=yes
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc: ["6.4"]
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Compress=yes"
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk
+  - id: 21095
+    title: Ensure journald is configured to write logfiles to persistent disk.
+    description: >
+      Data from journald may be stored in volatile memory or persisted locally on the server.
+      Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the
+      server they are protected from loss.
+
+      Note: The main configuration file /etc/systemd/journald.conf is read before any of the
+      custom *.conf files. If there are custom configs present, they override the main configuration
+      parameters
+    rationale: >
+      Writing log data to disk will provide the ability to forensically reconstruct events which
+      may have impacted the operations or security of a system even after a system crash or
+      reboot.
+    remediation: >
+      Edit the /etc/systemd/journald.conf file and add the following line:
+      Storage=persistent
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Storage=persistent"
+
+  # 4.2.3 Ensure permissions on all logfiles are configured - Not implemented
+  # 4.2.4 Ensure logrotate is configured - Not implemented
+
+  # 5.1.1 Ensure cron daemon is enabled and running
+  - id: 21096
+    title: Ensure cron daemon is enabled and running
+    description: The cron daemon is used to execute batch jobs on the system.
+    rationale: >
+      While there may not be user jobs that need to be run on the system, the system does have
+      maintenance jobs that may include security monitoring that have to run. If another method
+      for scheduling tasks is not being used, cron is used to execute them, and needs to be
+      enabled and running.
+    remediation: >
+      Run the following command to enable and start cron:
+      # systemctl --now enable cron
+
+      OR
+
+      Run the following command to remove cron:
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> r:^enabled"
+      - 'c:systemctl status cron -> r:^\s*Active: active \(running\) since \.+'
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured
+  - id: 21097
+    title: Ensure permissions on /etc/crontab are configured.
+    description: >
+      The /etc/crontab file is used by cron to control its own jobs. The commands in this item
+      make sure that root is the user and group owner of the file and that only the owner can
+      access the file.
+    rationale: >
+      This file contains information on what system jobs are run by cron. Write access to these
+      files could provide unprivileged users with the ability to elevate their privileges. Read
+      access to these files could provide users with the ability to gain insight on system jobs that
+      run on the system and could provide them a way to gain unauthorized privileged access.
+    remediation: >
+      Run the following commands to set ownership and permissions on /etc/crontab:
+      # chown root:root /etc/crontab
+      # chmod u-x,og-rwx /etc/crontab
+
+      OR
+
+      Run the following command to remove cron:
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/crontab -> r:^Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured
+  - id: 21098
+    title: Ensure permissions on /etc/cron.hourly are configured.
+    description: >
+      This directory contains system cron jobs that need to run on an hourly basis. The files in
+      this directory cannot be manipulated by the crontab command, but are instead edited by
+      system administrators using a text editor. The commands below restrict read/write and
+      search access to user and group root, preventing regular users from accessing this
+      directory.
+    rationale: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    remediation: >
+      Run the following commands to set ownership and permissions on the /etc/cron.hourly/
+      directory:
+      # chown root:root /etc/cron.hourly/
+      # chmod og-rwx /etc/cron.hourly/
+
+      OR
+
+      Run the following command to remove cron
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.hourly/ -> r:^Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured
+  - id: 21099
+    title: Ensure permissions on /etc/cron.daily are configured.
+    description: >
+      The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis.
+      The files in this directory cannot be manipulated by the crontab command, but are instead
+      edited by system administrators using a text editor. The commands below restrict
+      read/write and search access to user and group root, preventing regular users from
+      accessing this directory.
+    rationale: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    remediation: >
+      Run the following commands to set ownership and permissions on /etc/cron.daily
+      directory:
+      # chown root:root /etc/cron.daily
+      # chmod og-rwx /etc/cron.daily
+
+      OR
+
+      Run the following command to remove cron:
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.daily/ -> r:^Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured
+  - id: 21100
+    title: Ensure permissions on /etc/cron.weekly are configured.
+    description: >
+      The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly
+      basis. The files in this directory cannot be manipulated by the crontab command, but are
+      instead edited by system administrators using a text editor. The commands below restrict
+      read/write and search access to user and group root, preventing regular users from
+      accessing this directory.
+    rationale: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    remediation: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.weekly -> r:^Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured
+  - id: 21101
+    title: Ensure permissions on /etc/cron.monthly are configured.
+    description: >
+      The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly
+      basis. The files in this directory cannot be manipulated by the crontab command, but are
+      instead edited by system administrators using a text editor. The commands below restrict
+      read/write and search access to user and group root, preventing regular users from
+      accessing this directory.
+    rationale: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    remediation: >
+      Run the following commands to set ownership and permissions on /etc/cron.monthly
+      directory:
+      # chown root:root /etc/cron.monthly
+      # chmod og-rwx /etc/cron.monthly
+
+      OR
+
+      Run the following command to remove cron:
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.monthly/ -> r:^Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured
+  - id: 21102
+    title: Ensure permissions on /etc/cron.d are configured.
+    description: >
+      The /etc/cron.d/ directory contains system cron jobs that need to run in a similar manner
+      to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more
+      granular control as to when they run. The files in this directory cannot be manipulated by
+      the crontab command, but are instead edited by system administrators using a text editor.
+      The commands below restrict read/write and search access to user and group root,
+      preventing regular users from accessing this directory.
+    rationale: >
+      Granting write access to this directory for non-privileged users could provide them the
+      means for gaining unauthorized elevated privileges. Granting read access to this directory
+      could give an unprivileged user insight in how to gain elevated privileges or circumvent
+      auditing controls.
+    remediation: >
+      Run the following commands to set ownership and permissions on /etc/cron.d directory:
+      # chown root:root /etc/cron.d
+      # chmod og-rwx /etc/cron.d
+
+      OR
+
+      Run the following command to remove cron:
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/cron.d -> r:^Access:\s*\(0700/drwx------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.8 Ensure cron is restricted to authorized users
+  - id: 21103
+    title: Ensure cron is restricted to authorized users.
+    description: >
+      If cron is installed in the system, configure /etc/cron.allow to allow specific users to use
+      these services. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any
+      user not specifically defined in those files is allowed to use cron. By removing the file, only
+      users in /etc/cron.allow are allowed to use cron.
+
+      Note: Even though a given user is not listed in cron.allow, cron jobs can still be run as that
+      user. The cron.allow file only controls administrative access to the crontab command for
+      scheduling and modifying cron jobs.
+    rationale: >
+      On many systems, only the system administrator is authorized to schedule cron jobs. Using
+      the cron.allow file to control who can run cron jobs enforces this policy. It is easier to
+      manage an allow list than a deny list. In a deny list, you could potentially add a user ID to
+      the system and forget to add it to the deny files.
+    remediation: >
+      Run the following command to remove /etc/cron.deny:
+      # rm /etc/cron.deny
+
+      Run the following command to create /etc/cron.allow
+      # touch /etc/cron.allow
+
+      Run the following commands to set the owner and permissions on /etc/cron.allow:
+      # chown root:root /etc/cron.allow
+      # chmod u-x,og-rwx /etc/cron.allow
+
+      OR
+
+      Run the following command to remove cron
+      # zypper remove cronie
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+    condition: all
+    rules:
+      - "not f:/etc/cron.deny"
+      - 'c:stat -L /etc/cron.allow -> r:^Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.1.9 Ensure at is restricted to authorized users
+  - id: 21104
+    title: Ensure at is restricted to authorized users.
+    description: >
+      If at is installed in the system, configure /etc/at.allow to allow specific users to use these
+      services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not
+      specifically defined in those files is allowed to use at. By removing the file, only users in
+      /etc/at.allow are allowed to use at.
+
+      Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user.
+      The at.allow file only controls administrative access to the at command for scheduling and
+      modifying at jobs.
+    rationale: >
+      On many systems, only the system administrator is authorized to schedule at jobs. Using
+      the at.allow file to control who can run at jobs enforces this policy. It is easier to manage
+      an allow list than a deny list. In a deny list, you could potentially add a user ID to the system
+      and forget to add it to the deny files.
+    remediation: >
+      Run the following command to remove /etc/at.deny:
+      # rm /etc/at.deny
+
+      Run the following command to create /etc/at.allow
+      # touch /etc/at.allow
+
+      Run the following commands to set the owner and permissions on /etc/at.allow:
+      # chown root:root /etc/at.allow
+      # chmod u-x,og-rwx /etc/at.allow
+
+      OR
+
+      Run the following command to remove at:
+      # zypper remove at
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc: ["16"]
+    condition: all
+    rules:
+      - "not f:/etc/at.deny"
+      - 'c:stat -L /etc/at.allow -> r:^Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
+  - id: 21114
+    title: Ensure permissions on /etc/ssh/sshd_config are configured
+    description: >
+      The /etc/ssh/sshd_config file contains configuration specifications for sshd. The
+      command below sets the owner and group of the file to root.
+    rationale: >
+      The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by nonprivileged users.
+    remediation: >
+      Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
+
+      # chown root:root /etc/ssh/sshd_config
+      # chmod og-rwx /etc/ssh/sshd_config
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/ssh/sshd_config -> r:^Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured - Not implemented
+  # 5.2.3 Ensure permissions on SSH public host key files are configured - Not implemented
+
+  # 5.2.4 Ensure SSH access is limited
+  - id: 21115
+    title: Ensure SSH access is limited.
+    description: >
+      There are several options available to limit which users and group can access the system
+      via SSH. It is recommended that at least one of the following options be leveraged:
+        - AllowUsers:
+          - The AllowUsers variable gives the system administrator the option of
+            allowing specific users to ssh into the system. The list consists of space
+            separated user names. Numeric user IDs are not recognized with this
+            variable. If a system administrator wants to restrict user access further by
+            only allowing the allowed users to log in from a particular host, the entry can
+            be specified in the form of user@host.
+        - AllowGroups:
+          - The AllowGroups variable gives the system administrator the option of
+            allowing specific groups of users to ssh into the system. The list consists of
+            space separated group names. Numeric group IDs are not recognized with
+            this variable.
+        - DenyUsers:
+          - The DenyUsers variable gives the system administrator the option of denying
+            specific users to ssh into the system. The list consists of space separated user
+            names. Numeric user IDs are not recognized with this variable. If a system
+            administrator wants to restrict user access further by specifically denying a
+            user's access from a particular host, the entry can be specified in the form of
+            user@host.
+        - DenyGroups:
+          - The DenyGroups variable gives the system administrator the option of
+            denying specific groups of users to ssh into the system. The list consists of
+            space separated group names. Numeric group IDs are not recognized with
+            this variable.
+    rationale: >
+      Restricting which users can remotely access the system via SSH will help ensure that only
+      authorized users access the system.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows:
+      AllowUsers <userlist>
+
+      OR
+      AllowGroups <grouplist>
+
+      OR
+      DenyUsers <userlist>
+
+      OR
+      DenyGroups <grouplist>
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["4.3"]
+    condition: any
+    rules:
+      - 'c:sshd -T -> r:^\s*allowusers\s+\S+'
+      - 'c:sshd -T -> r:^\s*allowgroups\s+\S+'
+      - 'c:sshd -T -> r:^\s*denyusers\s+\S+'
+      - 'c:sshd -T -> r:^\s*denygroups\s+\S+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate
+  - id: 21116
+    title: Ensure SSH LogLevel is appropriate.
+    description: >
+      INFO level is the basic level that only records login activity of SSH users. In many situations,
+      such as Incident Response, it is important to determine when a particular user was active
+      on a system. The logout record can eliminate those users who disconnected, which helps
+      narrow the field.
+
+      VERBOSE level specifies that login and logout activity as well as the key fingerprint for any
+      SSH key used for login will be logged. This information is important for SSH key
+      management, especially in legacy environments.
+    rationale: >
+      SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
+      not recommended other than strictly for debugging SSH communications since it provides
+      so much data that it is difficult to identify important security information.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      LogLevel VERBOSE
+      OR
+      LogLevel INFO
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["6.2", "6.3"]
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    condition: any
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*VERBOSE'
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO'
+
+  # 5.2.6 Ensure SSH X11 forwarding is disabled
+  - id: 21117
+    title: Ensure SSH X11 forwarding is disabled.
+    description: >
+      The X11Forwarding parameter provides the ability to tunnel X11 traffic through the
+      connection to enable remote graphic connections.
+    rationale: >
+      Disable X11 forwarding unless there is an operational requirement to use X11 applications
+      directly. There is a small risk that the remote X11 servers of users who are logged in via
+      SSH with X11 forwarding could be compromised by other users on the X11 server. Note
+      that even if X11 forwarding is disabled, users can always install their own forwarders.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      X11Forwarding no
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*x11forwarding\s+no'
+
+  # 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
+  - id: 21118
+    title: Ensure SSH MaxAuthTries is set to 4 or less.
+    description: >
+      The MaxAuthTries parameter specifies the maximum number of authentication attempts
+      permitted per connection. When the login failure count reaches half the number, error
+      messages will be written to the syslog file detailing the login failure.
+    rationale: >
+      Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
+      brute force attacks to the SSH server. While the recommended setting is 4, set the number
+      based on site policy.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      MaxAuthTries 4
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.13"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.8 Ensure SSH IgnoreRhosts is enabled
+  - id: 21119
+    title: Ensure SSH IgnoreRhosts is enabled.
+    description: >
+      The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in
+      RhostsRSAAuthentication or HostbasedAuthentication.
+    rationale: Setting this parameter forces users to enter a password when authenticating with ssh.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      IgnoreRhosts yes
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["9.2"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes'
+
+  # 5.2.9 Ensure SSH HostbasedAuthentication is disabled
+  - id: 21120
+    title: Ensure SSH HostbasedAuthentication is disabled.
+    description: >
+      The HostbasedAuthentication parameter specifies if authentication is allowed through
+      trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public
+      key client host authentication. This option only applies to SSH Protocol Version 2.
+    rationale: >
+      Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf,
+      disabling the ability to use .rhosts files in SSH provides an additional layer of protection.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      HostbasedAuthentication no
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no'
+
+  # 5.2.10 Ensure SSH root login is disabled
+  - id: 21121
+    title: Ensure SSH root login is disabled.
+    description: >
+      The PermitRootLogin parameter specifies if the root user can log in using ssh. The default
+      is no.
+    rationale: >
+      Disallowing root logins over SSH requires system admins to authenticate using their own
+      individual account, then escalating to root via sudo or su. This in turn limits opportunity for
+      non-repudiation and provides a clear audit trail in the event of a security incident.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      PermitRootLogin no
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["4.3"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no'
+
+  # 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
+  - id: 21122
+    title: Ensure SSH PermitEmptyPasswords is disabled.
+    description: >
+      The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
+      with empty password strings.
+    rationale: >
+      Disallowing remote shell access to accounts that have an empty password reduces the
+      probability of unauthorized access to the system
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      PermitEmptyPasswords no
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["16.3"]
+    condition: all
+    rules:
+      - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no'
+
+  # 5.2.12 Ensure SSH PermitUserEnvironment is disabled
+  - id: 21123
+    title: Ensure SSH PermitUserEnvironment is disabled.
+    description: >
+      The PermitUserEnvironment option allows users to present environment options to the
+      ssh daemon.
+    rationale: >
+      Permitting users the ability to set environment variables through the SSH daemon could
+      potentially allow users to bypass security controls (e.g. setting an execution path that has
+      ssh executing a Trojan’s programs)
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      PermitUserEnvironment no
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*permituserenvironment\s+no'
+
+  # 5.2.13 Ensure only strong Ciphers are used
+  - id: 21124
+    title: Ensure only strong Ciphers are used.
+    description: >
+      This variable limits the ciphers that SSH can use during communication.
+      Notes:
+        - Some organizations may have stricter requirements for approved ciphers. Ensure that
+          ciphers used are in compliance with site policy
+        - The only "strong" ciphers currently FIPS 140-2 compliant are: aes256-ctr,aes192-
+          ctr,aes128-ctr
+        - CVE-2013-4548 referenced bellow applies to OpenSSH versions 6.2 and 6.3. If running
+          these versions of Open SSH, Please upgrade to version 6.4 or later to fix the
+          vulnerability, or disable AES-GCM in the server configuration
+
+      The Following are the supported ciphers in openSSH 7.9:
+      3des-cbc
+      aes128-cbc
+      aes192-cbc
+      aes256-cbc
+      aes128-ctr
+      aes192-ctr
+      aes256-ctr
+      aes128-gcm@openssh.com
+      aes256-gcm@openssh.com
+      chacha20-poly1305@openssh.com
+    rationale: >
+      Weak ciphers that are used for authentication to the cryptographic module cannot be relied
+      upon to provide confidentiality or integrity, and system data may be compromised.
+        - The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of
+          approximately four billion blocks, which makes it easier for remote attackers to
+          obtain cleartext data via a birthday attack against a long-duration encrypted session,
+          aka a "Sweet32" attack
+        - The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly
+          combine state data with key data during the initialization phase, which makes it
+          easier for remote attackers to conduct plaintext-recovery attacks against the initial
+          bytes of a stream by sniffing network traffic that occasionally relies on keys affected
+          by the Invariance Weakness, and then using a brute-force approach involving LSB
+          values, aka the "Bar Mitzvah" issue
+        - The passwords used during an SSH session encrypted with RC4 can be recovered by
+          an attacker who is able to capture and replay the session
+        - Error handling in the SSH protocol; Client and Server, when using a block cipher
+          algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote
+          attackers to recover certain plaintext data from an arbitrary block of ciphertext in
+          an SSH session via unknown vectors
+        - The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher
+          is used, does not properly initialize memory for a MAC context data structure, which
+          allows remote authenticated users to bypass intended ForceCommand and loginshell restrictions via packet data that provides a crafted callback address
+    remediation: >
+      Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma
+      separated list of the site approved ciphers
+
+      Example:
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-
+      gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["14.4"]
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2016-2183
+      - https://nvd.nist.gov/vuln/detail/CVE-2015-2808
+      - https://www.kb.cert.org/vuls/id/565052
+      - https://www.openssh.com/txt/cbc.adv
+      - https://nvd.nist.gov/vuln/detail/CVE-2008-5161
+      - https://nvd.nist.gov/vuln/detail/CVE-2013-4548
+      - https://www.kb.cert.org/vuls/id/565052
+      - https://www.openssh.com/txt/cbc.adv
+      - SSHD_CONFIG(5)
+    condition: none
+    rules:
+      - 'c:sshd -T -> r:^ciphers\s+ && r:3des-cbc'
+      - 'c:sshd -T -> r:^ciphers\s+ && r:aes128-cbc'
+      - 'c:sshd -T -> r:^ciphers\s+ && r:aes192-cbc'
+      - 'c:sshd -T -> r:^ciphers\s+ && r:aes256-cbc'
+
+  # 5.2.14 Ensure only strong MAC algorithms are used
+  - id: 21125
+    title: Ensure only strong MAC algorithms are used.
+    description: >
+      This variable limits the types of MAC algorithms that SSH can use during communication.
+      Notes:
+        - Some organizations may have stricter requirements for approved MACs. Ensure that
+          MACs used are in compliance with site policy
+        - The only "strong" MACs currently FIPS 140-2 approved are hmac-sha2-256 and hmacsha2-512
+
+      The Supported MACs are:
+      hmac-md5
+      hmac-md5-96
+      hmac-sha1
+      hmac-sha1-96
+      hmac-sha2-256
+      hmac-sha2-512
+      umac-64@openssh.com
+      umac-128@openssh.com
+      hmac-md5-etm@openssh.com
+      hmac-md5-96-etm@openssh.com
+      hmac-sha1-etm@openssh.com
+      hmac-sha1-96-etm@openssh.com
+      hmac-sha2-256-etm@openssh.com
+      hmac-sha2-512-etm@openssh.com
+      umac-64-etm@openssh.com
+      umac-128-etm@openssh.com
+    rationale: >
+      MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
+      exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of
+      attention as a weak spot that can be exploited with expanded computing power. An
+      attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the
+      SSH tunnel and capture credentials and information
+    remediation: >
+      Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma
+      separated list of the site approved MACs
+
+      Example:
+      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-
+      512,hmac-sha2-256
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["14.4", "16.5"]
+    references:
+      - http://www.mitls.org/pages/attacks/SLOTH
+      - SSHD_CONFIG(5)
+    condition: none
+    rules:
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-md5'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-md5-96'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-ripemd160'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-sha1'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-sha1-96'
+      - 'c:sshd -T -> r:^macs\s+ && r:umac-64@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:umac-128@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-md5-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-md5-96-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-ripemd160-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-sha1-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:hmac-sha1-96-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:umac-64-etm@openssh.com'
+      - 'c:sshd -T -> r:^macs\s+ && r:umac-128-etm@openssh.com'
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used
+  - id: 21126
+    title: Ensure only strong Key Exchange algorithms are used.
+    description: >
+      Key exchange is any method in cryptography by which cryptographic keys are exchanged
+      between two parties, allowing use of a cryptographic algorithm. If the sender and receiver
+      wish to exchange encrypted messages, each must be equipped to encrypt messages to be
+      sent and decrypt messages received
+
+      Notes:
+      Kex algorithms have a higher preference the earlier they appear in the list
+        - Some organizations may have stricter requirements for approved Key exchange
+          algorithms. Ensure that Key exchange algorithms used are in compliance with site
+          policy.
+        - The only Key Exchange Algorithms currently FIPS 140-2 approved are: ecdh-sha2-
+          nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchangesha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffiehellman-group14-sha256
+
+      The Key Exchange algorithms supported by OpenSSH 7.9 are:
+      curve25519-sha256
+      curve25519-sha256@libssh.org
+      diffie-hellman-group1-sha1
+      diffie-hellman-group14-sha1
+      diffie-hellman-group14-sha256
+      diffie-hellman-group16-sha512
+      diffie-hellman-group18-sha512
+      diffie-hellman-group-exchange-sha1
+      diffie-hellman-group-exchange-sha256
+      ecdh-sha2-nistp256
+      ecdh-sha2-nistp384
+      ecdh-sha2-nistp521
+    rationale: >
+      Key exchange methods that are considered weak should be removed. A key exchange
+      method may be weak because too few bits are used, or the hashing algorithm is considered
+      too weak. Using weak algorithms could expose connections to man-in-the-middle attacks
+    remediation: >
+      Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma
+      separated list of the site approved key exchange algorithms
+
+      Example
+      KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellmangroup14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-
+      sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffiehellman-group-exchange-sha256
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["14.4"]
+    condition: none
+    rules:
+      - 'c:sshd -T -> r:^kexalgorithms\s+ && r:diffie-hellman-group1-sha1'
+      - 'c:sshd -T -> r:^kexalgorithms\s+ && r:diffie-hellman-group14-sha1'
+      - 'c:sshd -T -> r:^kexalgorithms\s+ && r:diffie-hellman-group-exchange-sha1'
+
+  # 5.2.16 Ensure SSH Idle Timeout Interval is configured
+  - id: 21127
+    title: Ensure SSH Idle Timeout Interval is configured
+    description: >
+      The two options ClientAliveInterval and ClientAliveCountMax control the timeout of
+      ssh sessions.
+        - ClientAliveInterval sets a timeout interval in seconds after which if no data has
+          been received from the client, sshd will send a message through the encrypted
+          channel to request a response from the client. The default is 0, indicating that these
+          messages will not be sent to the client.
+        - ClientAliveCountMax sets the number of client alive messages which may be sent
+          without sshd receiving any messages back from the client. If this threshold is
+          reached while client alive messages are being sent, sshd will disconnect the client,
+          terminating the session. The default value is 3.
+            - The client alive messages are sent through the encrypted channel
+            - Setting ClientAliveCountMax to 0 disables connection termination
+
+      Example: If the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is
+      set to 3, the client ssh session will be terminated after 45 seconds of idle time.
+    rationale: >
+      Having no timeout value associated with a connection could allow an unauthorized user
+      access to another user's ssh session (e.g. user walks away from their computer and doesn't
+      lock the screen). Setting a timeout value reduces this risk.
+       The recommended ClientAliveInterval setting is 300 seconds (5 minutes)
+       The recommended ClientAliveCountMax setting is 3
+       The ssh session would send three keep alive messages at 5 minute intervals. If no
+      response is received after the third keep alive message, the ssh session would be
+      terminated after 15 minutes.
+    remediation: >
+      Having no timeout value associated with a connection could allow an unauthorized user
+      access to another user's ssh session (e.g. user walks away from their computer and doesn't
+      lock the screen). Setting a timeout value reduces this risk.
+        - The recommended ClientAliveInterval setting is 300 seconds (5 minutes)
+        - The recommended ClientAliveCountMax setting is 3
+        - The ssh session would send three keep alive messages at 5 minute intervals. If no
+          response is received after the third keep alive message, the ssh session would be
+          terminated after 15 minutes.
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["16.11"]
+    references:
+      - https://man.openbsd.org/sshd_config
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^clientaliveinterval\s+(\d+) compare >= 1'
+      - 'c:sshd -T -> n:^clientaliveinterval\s+(\d+) compare <= 300'
+      - 'c:sshd -T -> n:^ClientAliveCountMax\s+(\d+) compare <= 3'
+
+  # 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
+  - id: 21128
+    title: Ensure SSH LoginGraceTime is set to one minute or less.
+    description: >
+      The LoginGraceTime parameter specifies the time allowed for successful authentication to
+      the SSH server. The longer the Grace period is the more open unauthenticated connections
+      can exist. Like other session controls in this session the Grace Period should be limited to
+      appropriate organizational limits to ensure the service is available for needed access.
+    rationale: >
+      Setting the LoginGraceTime parameter to a low number will minimize the risk of successful
+      brute force attacks to the SSH server. It will also limit the number of concurrent
+      unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set
+      the number based on site policy.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+      LoginGraceTime 60
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^logingracetime\s+(\d+) compare >= 1'
+      - 'c:sshd -T -> n:^logingracetime\s+(\d+) compare <= 60'
+
+  # 5.2.18 Ensure SSH warning banner is configured
+  - id: 21129
+    title: Ensure SSH warning banner is configured.
+    description: >
+      The Banner parameter specifies a file whose contents must be sent to the remote user
+      before authentication is permitted. By default, no banner is displayed.
+    rationale: >
+      Banners are used to warn connecting users of the particular site's policy regarding
+      connection. Presenting a warning message prior to the normal user login may assist the
+      prosecution of trespassers on the computer system.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+
+      Banner /etc/issue.net
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^banner\s+/etc/issue.net'
+
+  # 5.2.19 Ensure SSH PAM is enabled
+  - id: 21130
+    title: Ensure SSH PAM is enabled.
+    description: >
+      UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
+      enable PAM authentication using ChallengeResponseAuthentication and
+      PasswordAuthentication in addition to PAM account and session module processing for all
+      authentication types
+    rationale: >
+      When usePAM is set to yes, PAM runs through account and session types properly. This is
+      important if you want to restrict access to services based off of IP, time or other factors of
+      the account. Additionally, you can make sure users inherit certain environment variables
+      on login or disallow access to the server
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+
+      UsePAM yes
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^usepam\s+yes'
+
+  # 5.2.20 Ensure SSH AllowTcpForwarding is disabled
+  - id: 21131
+    title: Ensure SSH AllowTcpForwarding is disabled.
+    description: >
+      SSH port forwarding is a mechanism in SSH for tunneling application ports from the client
+      to the server, or servers to clients. It can be used for adding encryption to legacy
+      applications, going through firewalls, and some system administrators and IT professionals
+      use it for opening backdoors into the internal network from their home machines
+    rationale: >
+      Leaving port forwarding enabled can expose the organization to security risks and backdoors.
+
+      SSH connections are protected with strong encryption. This makes their contents invisible
+      to most deployed network monitoring and traffic filtering solutions. This invisibility carries
+      considerable risk potential if it is used for malicious purposes such as data exfiltration.
+      Cybercriminals or malware could exploit SSH to hide their unauthorized communications,
+      or to exfiltrate stolen data from the target network
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+
+      AllowTcpForwarding no
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc: ["9.2"]
+    references:
+      - https://www.ssh.com/ssh/tunneling/example
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^allowtcpforwarding\s+no'
+
+  # 5.2.21 Ensure SSH MaxStartups is configured
+  - id: 21132
+    title: Ensure SSH MaxStartups is configured.
+    description: >
+      The MaxStartups parameter specifies the maximum number of concurrent unauthenticated
+      connections to the SSH daemon.
+    rationale: >
+      To protect a system from denial of service due to a large number of pending authentication
+      connection attempts, use the rate limiting function of MaxStartups to protect availability of
+      sshd logins and prevent overwhelming the daemon.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+
+      maxstartups 10:30:60
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^maxstartups\s+10:30:60\s*$'
+
+  # 5.2.22 Ensure SSH MaxSessions is limited
+  - id: 21133
+    title: Ensure SSH MaxSessions is limited.
+    description: >
+      The MaxSessions parameter specifies the maximum number of open sessions permitted
+      from a given connection.
+    rationale: >
+      To protect a system from denial of service due to a large number of concurrent sessions,
+      use the rate limiting function of MaxSessions to protect availability of sshd logins and
+      prevent overwhelming the daemon.
+    remediation: >
+      Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+
+      MaxSessions 10
+    compliance:
+      - cis: ["5.2.22"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^maxsessions\s+(\d+) compare <= 10'
+
+  # 5.3.1 Ensure password creation requirements are configured - Not implemented
+  # 5.3.2 Ensure lockout for failed password attempts is configured - Not implemented
+
+  # 5.3.3 Ensure password reuse is limited
+  - id: 21134
+    title: Ensure password reuse is limited.
+    description: >
+      The /etc/security/opasswd file stores the users' old passwords and can be checked to
+      ensure that users are not recycling recent passwords.
+
+      Notes:
+      - Additional module options may be set, recommendation only covers those listed here.
+      - This setting only applies to local accounts.
+      - This option is configured with the remember=n module option in /etc/pam.d/commonpassword
+    rationale: >
+      Forcing users not to reuse their past passwords make it less likely that an attacker will be
+      able to guess the password.
+    remediation: >
+      Run the following command:
+      # pam-config -a --pwhistory --pwhistory-remember=5
+
+      OR
+
+      Edit the file /etc/pam.d/common-password to include the remember= option and conform to
+      site policy as shown:
+      password required pam_pwhistory.so remember=5
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+    condition: any
+    rules:
+      - 'f:/etc/pam.d/common-password -> n:^\s*password\t+requisite\t+pam_pwhistory\.so\t+remember\s*=\s*(\d+) compare >= 5'
+      - 'f:/etc/pam.d/common-password -> n:^\s*password\t+required\t+pam_pwhistory\.so\t+remember\s*=\s*(\d+) compare >= 5'
+
+  # 5.4.1.1 Ensure password hashing algorithm is SHA-512
+  - id: 21135
+    title: Ensure password hashing algorithm is SHA-512.
+    description: >
+      Login passwords are hashed and stored in the /etc/shadow file.
+
+      Note: These changes only apply to accounts configured on the local system.
+    rationale: >
+      The SHA-512 algorithm provides much stronger hashing than MD5, thus providing
+      additional protection to the system by increasing the level of effort for an attacker to
+      successfully determine passwords.
+    remediation: >
+      Edit the /etc/login.defs file and modify ENCRYPT_METHOD to SHA512:
+      ENCRYPT_METHOD sha512
+
+      Notes:
+        - Any system accounts that need to be expired should be carefully done separately by the
+          system administrator to prevent any potential problems
+        - If it is determined that the password algorithm being used is not SHA-512, once it is
+          changed, it is recommended that all user ID's be immediately expired and forced to
+          change their passwords on next login, In accordance with local site policies
+        - To accomplish this, the following command can be used
+          # awk -F: '( $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' &&
+          $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["16.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> r:^\s*ENCRYPT_METHOD\s+SHA512'
+
+  # 5.4.1.2 Ensure password expiration is 365 days or less - Not implemented
+  # 5.4.1.3 Ensure minimum days between password changes is configured - Not implemented
+  # 5.4.1.4 Ensure password expiration warning days is 7 or more - Not implemented
+  # 5.4.1.5 Ensure inactive password lock is 30 days or less - Not implemented
+  # 5.4.1.6 Ensure all users last password change date is in the past - Not implemented
+  # 5.4.2 Ensure system accounts are secured - Not implemented
+
+  # 5.4.3 Ensure default group for the root account is GID 0
+  - id: 21136
+    title: Ensure default group for the root account is GID 0
+    description: >
+      The usermod command can be used to specify which group the root user belongs to. This
+      affects permissions of files that are created by the root user.
+    rationale: >
+      Using GID 0 for the root account helps prevent root -owned files from accidentally
+      becoming accessible to non-privileged users.
+    remediation: >
+      Run the following command to set the root user default group to GID 0 :
+      # usermod -g 0 root
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\S+:\S+:0:'
+
+  # 5.4.4 Ensure default user shell timeout is configured - Not implemented
+  # 5.4.5 Ensure default user umask is configured - Not implemented
+  # 5.5 Ensure root login is restricted to system console - Not implemented
+  # 5.6 Ensure access to the su command is restricted - Not implemented
+  # 6.1.1 Audit system file permissions
+
+  # 6.1.2 Ensure permissions on /etc/passwd are configured
+  - id: 21137
+    title: Ensure permissions on /etc/passwd are configured.
+    description: >
+      The /etc/passwd file contains user account information that is used by many system
+      utilities and therefore must be readable for these utilities to operate.
+    rationale: >
+      It is critical to ensure that the /etc/passwd file is protected from unauthorized write
+      access. Although it is protected by default, the file permissions could be changed either
+      inadvertently or through malicious actions.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/passwd:
+
+      # chown root:root /etc/passwd
+      # chmod u-x,g-wx,o-wx /etc/passwd
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/shadow are configured
+  - id: 21138
+    title: Ensure permissions on /etc/shadow are configured.
+    description: >
+      The /etc/shadow file is used to store the information about user accounts that is critical to
+      the security of those accounts, such as the hashed password and other security
+      information.
+    rationale: >
+      If attackers can gain read access to the /etc/shadow file, they can easily run a password
+      cracking program against the hashed password to break it. Other security information that
+      is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the
+      user accounts.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/shadow:
+
+      # chown root:root /etc/shadow
+      # chmod u-x,g-wx,o-rwx /etc/shadow
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow -> r:^Access:\s*\(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*15/\s*shadow\)'
+
+  # 6.1.4 Ensure permissions on /etc/group are configured
+  - id: 21139
+    title: Ensure permissions on /etc/group are configured.
+    description: >
+      The /etc/group file contains a list of all the valid groups defined in the system. The
+      command below allows read/write access for root and read access for everyone else.
+    rationale: >
+      The /etc/group file needs to be protected from unauthorized changes by non-privileged
+      users, but needs to be readable as this information is used with many non-privileged
+      programs.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/group :
+
+      # chown root:root /etc/group
+      # chmod u-x,g-wx,o-wx /etc/group
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/passwd- are configured
+  - id: 21140
+    title: Ensure permissions on /etc/passwd- are configured.
+    description: The /etc/passwd- file contains backup user account information.
+    rationale: >
+      It is critical to ensure that the /etc/passwd- file is protected from unauthorized access.
+      Although it is protected by default, the file permissions could be changed either
+      inadvertently or through malicious actions.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/passwd- :
+
+      # chown root:root /etc/passwd-
+      # chmod u-x,go-wx /etc/passwd
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/passwd -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured
+  - id: 21141
+    title: Ensure permissions on /etc/shadow- are configured
+    description: >
+      The /etc/shadow- file is used to store backup information about user accounts that is
+      critical to the security of those accounts, such as the hashed password and other security
+      information.
+    rationale: >
+      It is critical to ensure that the /etc/shadow- file is protected from unauthorized access.
+      Although it is protected by default, the file permissions could be changed either
+      inadvertently or through malicious actions.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/shadow-:
+
+      # chown root:shadow /etc/shadow-
+      # chmod u-x,g-wx,o-rwx /etc/shadow
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/shadow- -> r:^Access:\s*\(0640/-rw-r-----\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*15/\s*shadow\)'
+
+  # 6.1.7 Ensure permissions on /etc/group- are configured
+  - id: 21142
+    title: Ensure permissions on /etc/group- are configured.
+    description: The /etc/group- file contains a backup list of all the valid groups defined in the system.
+    rationale: >
+      It is critical to ensure that the /etc/group- file is protected from unauthorized access.
+      Although it is protected by default, the file permissions could be changed either
+      inadvertently or through malicious actions.
+    remediation: >
+      Run the following commands to set owner, group, and permissions on /etc/group-:
+
+      # chown root:root /etc/group-
+      # chmod u-x,go-wx /etc/group-
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["14.6"]
+    condition: all
+    rules:
+      - 'c:stat -L /etc/group- -> r:^Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*Gid:\s*\(\s*0/\s*root\)'
+
+  # 6.1.8 Ensure no world writable files exist - Not implemented
+  # 6.1.9 Ensure no unowned files or directories exist - Not implemented
+  # 6.1.10 Ensure no ungrouped files or directories exist - Not implemented
+  # 6.1.11 Audit SUID executables - Not implemented
+  # 6.1.12 Audit SGID executables - Not implemented
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
+  - id: 21143
+    title: Ensure accounts in /etc/passwd use shadowed passwords.
+    description: >
+      Local accounts can uses shadowed passwords. With shadowed passwords, The passwords
+      are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash.
+      Accounts with a shadowed password have an x in the second field in /etc/passwd.
+    rationale: >
+      The /etc/passwd file also contains information like user ID's and group ID's that are used
+      by many system programs. Therefore, the /etc/passwd file must remain world readable. In
+      spite of encoding the password with a randomly-generated one-way hash function, an
+      attacker could still break the system if they got access to the /etc/passwd file. This can be
+      mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd
+      file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write.
+      This helps mitigate the risk of an attacker gaining access to the encoded passwords with
+      which to perform a dictionary attack.
+
+      Notes:
+        - All accounts must have passwords or be locked to prevent the account from being used
+          by an unauthorized user.
+        - A user account with an empty second field in /etc/passwd allows the account to be
+          logged into by providing only the username.
+    remediation: >
+      If any accounts in the /etc/passwd file do not have a single x in the password field, run the
+      following command to set these accounts to use shadowed passwords:
+
+      # sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd
+
+      Investigate to determine if the account is logged in and what it is being used for, to
+      determine if it needs to be forced off.
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\.+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty
+  - id: 21144
+    title: Ensure /etc/shadow password fields are not empty.
+    description: >
+      An account with an empty password field means that anybody may log in as that user
+      without providing a password.
+    rationale: >
+      All accounts must have passwords or be locked to prevent the account from being used by
+      an unauthorized user.
+    remediation: >
+      If any accounts in the /etc/shadow file do not have a password, run the following command
+      to lock the account until it can be determined why it does not have a password:
+
+      # passwd -l <username>
+
+      Also, check to see if the account is logged in and investigate what it is being used for to
+      determine if it needs to be forced off.
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["4.4"]
+    condition: none
+    rules:
+      - "c:grep -E ^[^:]+:: /etc/shadow -> r:::"
+
+  # 6.2.3 Ensure root is the only UID 0 account
+  - id: 21145
+    title: Ensure root is the only UID 0 account.
+    description: Any account with UID 0 has superuser privileges on the system.
+    rationale: >
+      This access must be limited to only the default root account and only from the system
+      console. Administrative access must be through an unprivileged account using an approved
+      mechanism as noted in Item 5.6 Ensure access to the su command is restricted.
+    remediation: >
+      Remove any users other than root with UID 0 or assign them a new UID if appropriate.
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+# 6.2.4 Ensure root PATH Integrity - Not implemented
+# 6.2.5 Ensure all users' home directories exist - Not implemented
+# 6.2.6 Ensure users' home directories permissions are 750 or more restrictive - Not implemented
+# 6.2.7 Ensure users own their home directories - Not implemented
+# 6.2.8 Ensure users' dot files are not group or world writable - Not implemented
+# 6.2.9 6.2.9 Ensure no users have .forward files - Not implemented
+# 6.2.10 Ensure no users have .netrc files - Not implemented
+# 6.2.11 Ensure users' .netrc Files are not group or world accessible - Not implemented
+# 6.2.12 Ensure no users have .rhosts files - Not implemented
+# 6.2.13 Ensure all groups in /etc/passwd exist in /etc/group - Not implemented
+# 6.2.14 Ensure no duplicate UIDs exist - Not implemented
+# 6.2.15 Ensure no duplicate GIDs exist - Not implemented
+# 6.2.16 Ensure no duplicate user names exist - Not implemented
+# 6.2.17 Ensure no duplicate group names exist - Not implemented
+# 6.2.18 Ensure shadow group is empty - Not implemented
diff --git a/etc/ruleset/sca/sunos/cis_solaris11.4.yml b/etc/ruleset/sca/sunos/cis_solaris11.4.yml
new file mode 100644
index 0000000000..6718dc58c4
--- /dev/null
+++ b/etc/ruleset/sca/sunos/cis_solaris11.4.yml
@@ -0,0 +1,983 @@
+# Security Configuration Assessment
+# CIS Checks for Oracle Solaris 11.4
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Oracle Solaris 11.4 Benchmark v1.0.0 - 01-02-2020
+
+policy:
+  id: "cis_solaris11.4"
+  file: "cis_solaris11.4.yml"
+  name: "CIS Benchmark for Oracle Solaris 11.4 v1.0.0"
+  description: "This document, CIS Oracle Solaris 11.4 Benchmark v1.0.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11.4 on both x86 and SPARC platforms. This guide was tested against  Solaris 11.4 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11.4 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to beadjusted for future Solaris 11 updates."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Solaris version."
+  description: "Requirements for running the CIS benchmark against Solaris 11"
+  condition: all
+  rules:
+    - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11.4\s+'
+
+checks:
+  # 2 Disable Unnecessary Services
+  - id: 23500
+    title: "Configure TCP Wrappers."
+    description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections."
+    rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems,which can help identify unauthorized access attempts."
+    remediation: 'To disable this service, run the following commands: # inetadm -M tcp_wrappers=TRUE && echo "ALL: <net>/<mask>, <net/<mask>, …" > /etc/hosts.allow\ && echo "ALL: ALL" >/etc/hosts.deny'
+    compliance:
+      - cis: ["2.1"]
+    condition: all
+    rules:
+      - "c:inetadm -p -> r:^tcp_wrappers=TRUE"
+      - "f:/etc/hosts.deny"
+      - "f:/etc/hosts.allow"
+
+  - id: 23501
+    title: "Disable Local-only Graphical Login Environment."
+    description: "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disablesvc:/application/graphical-login/gdm:default"
+    compliance:
+      - cis: ["2.2"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/application/graphical-login/gdm:default -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 23502
+    title: "Configure sendmail Service for Local-Only Mode."
+    description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the localsystem will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely,emailmessages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. Analternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the localsystem, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only modeunless there is a specific requirement to completely disable it."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While itis important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listeningon a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false    # svcadm refresh sendmail    # svcadm restart sendmail"
+    compliance:
+      - cis: ["2.3"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:.25\s*\t*|:25\s*\t* && !r:127.0.0.1|::1'
+
+  - id: 23503
+    title: "Disable RPC Encryption Key."
+    description: 'The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is "secure NFS", which uses the Secure RPC mechanism to provide higher levels of securitythan the standard NFS protocols. ("Secure NFS" is unrelated to Kerberos authentication as a mechanism for providing higherlevels of NFS security. "Kerberized" NFS does not require the keyserv service to be running.)'
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
+    compliance:
+      - cis: ["2.4"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/rpc/keyserv -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 23504
+    title: "Disable Generic Security Services (GSS)."
+    description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes."
+    rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
+    compliance:
+      - cis: ["2.5"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/rpc/gss -> r:disabled|uninitialized|error"
+
+  - id: 23505
+    title: "Disable Apache Service."
+    description: "The Apache service provides an instance of the Apache web server."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache24"
+    compliance:
+      - cis: ["2.6"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/http:apache24 -> r:disabled|error"
+
+  - id: 23506
+    title: "Disable Kerberos TGT Expiration Warning."
+    description: "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be local only by default."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
+    compliance:
+      - cis: ["2.7"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/security/ktkt_warn -> r:disabled|uninitialized|error"
+
+  - id: 23507
+    title: "Disable NIS Client Services."
+    description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system."
+    rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client. If LDAP is not in use also disable nis/domain: # svcadm disable svc:/network/nis/domain"
+    compliance:
+      - cis: ["2.8"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/nis/client -> r:disabled|error"
+
+  - id: 23508
+    title: "Disable NIS Client Services (Domain - Scored)."
+    description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system."
+    rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client. If LDAP is not in use also disable nis/domain: # svcadm disable svc:/network/nis/domain"
+    compliance:
+      - cis: ["2.8-2.9"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/nis/domain -> r:disabled|error"
+
+  - id: 23509
+    title: "Disable NIS Server Services."
+    description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
+    rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server. If LDAP is not in use also disable nis/domain: # svcadm disable svc:/network/nis/domain"
+    compliance:
+      - cis: ["2.9"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/nis/server -> r:disabled|error"
+
+  - id: 23510
+    title: "Disable Removable Volume Manager (rmvolmgr - Scored)."
+    description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details."
+    rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/system/filesystem/rmvolmgr -> r:disabled|error"
+
+  - id: 23511
+    title: "Disable Removable Volume Manager."
+    description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details."
+    rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
+    compliance:
+      - cis: ["2.10"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/rpc/smserver -> r:disabled|error"
+
+  - id: 23512
+    title: "Disable automount Service."
+    description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
+    compliance:
+      - cis: ["2.11"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/system/filesystem/autofs -> r:disabled|error"
+
+  - id: 23513
+    title: "Disable Telnet Service."
+    description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
+    remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
+    compliance:
+      - cis: ["2.12"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/network/telnet -> r:disabled|error"
+
+  # 3 Kernel Tuning
+  - id: 23514
+    title: "Disable Response to Broadcast ICMPv4 Echo Request."
+    description: "This setting controls whether Solaris responds to broadcast ICMPv4 echo requests."
+    rationale: "Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _respond_to_echo_broadcast=0 ip"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _respond_to_echo_broadcast -co current ip -> r:0"
+      - "c:ipadm show-prop -p _respond_to_echo_broadcast -co persistent ip -> r:0"
+
+  - id: 23515
+    title: "Disable Response to ICMP Broadcast Netmask Requests."
+    description: "This setting controls whether Solaris will respond to ICMP broadcast netmask requests."
+    rationale: "Reduce attack surface by restricting this vector used for host and network discovery and to prevent denial of service attacks."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip"
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _respond_to_address_mask_broadcast -co current ip -> r:0"
+      - "c:ipadm show-prop -p _respond_to_address_mask_broadcast -co persistent ip -> r:0"
+
+  - id: 23516
+    title: "Enable Strong TCP Sequence Number Generation."
+    description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session."
+    rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
+    remediation: "To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
+    compliance:
+      - cis: ["3.3"]
+    condition: all
+    rules:
+      - "c:grep ^TCP_STRONG_ISS= /etc/default/inetinit -> r:2"
+
+  - id: 23517
+    title: "Disable Response to ICMP Broadcast Timestamp Requests."
+    description: "This setting controls whether Solaris will respond to ICMP broadcast timestamp requests."
+    rationale: "Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip"
+    compliance:
+      - cis: ["3.4"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _respond_to_timestamp_broadcast -co current ip -> r:0"
+      - "c:ipadm show-prop -p _respond_to_timestamp_broadcast -co persistent ip -> r:0"
+
+  - id: 23518
+    title: "Disable Source Packet Forwarding."
+    description: "This setting controls whether the IPv4 or IPv6 configuration will forward packets with IPv4 routing options or IPv6 routing headers."
+    rationale: "Keep this parameter disabled to prevent denial of service attacks through spoofed packets."
+    remediation: "To enforce this setting for IPv4 packets, use the command: # ipadm set-prop -p _forward_src_routed=0 ipv4. To enforce this setting for IPv6 packets, use the command: # ipadm set-prop -p _forward_src_routed=0 ipv6"
+    compliance:
+      - cis: ["3.5"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _forward_src_routed -co current ipv4 -> r:0"
+      - "c:ipadm show-prop -p _forward_src_routed -co persistent ipv4 -> r:0"
+      - "c:ipadm show-prop -p _forward_src_routed -co current ipv6 -> r:0"
+      - "c:ipadm show-prop -p _forward_src_routed -co persistent ipv6 -> r:0"
+
+  - id: 23519
+    title: "Disable Directed Broadcast Packet Forwarding."
+    description: "This setting controls whether Solaris forwards broadcast packets for a specific network if it is directly connected to the machine."
+    rationale: "Keep this parameter disabled to prevent denial of service attacks."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _forward_directed_broadcasts=0 ip"
+    compliance:
+      - cis: ["3.6"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _forward_directed_broadcasts -co current ip -> r:0"
+      - "c:ipadm show-prop -p _forward_directed_broadcasts -co persistent ip -> r:0"
+
+  - id: 23520
+    title: "Enable Stack Protection."
+    description: "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor-supplied and third party software."
+    rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
+    remediation: "To enable stack protection and block stack-smashing attacks, run the following: # sxadm delcust nxheap # sxadm delcust nxstack"
+    compliance:
+      - cis: ["3.7"]
+    condition: all
+    rules:
+      - "c:sxadm status -po extension,status,configuration nxheap -> r:nxheap:enabled.tagged-files:default.default"
+      - "c:sxadm status -po extension,status,configuration nxstack -> r:nxstack:enabled.all:default.default"
+
+  - id: 23521
+    title: "Restrict Core Dumps to Protected Directory."
+    description: "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
+    rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
+    remediation: "To implement the recommendation, run the commands: # chmod 700 /var/share/cores # coreadm -g /var/share/cores/core_%n_%f_%u_%g_%t_%p \ -e log -e global -e global-setid \ -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
+    compliance:
+      - cis: ["3.8"]
+    condition: all
+    rules:
+      - "c:coreadm -> r:global core file content: default"
+      - "c:coreadm -> r:init core file pattern: core"
+      - "c:coreadm -> r:init core file content: default"
+      - "c:coreadm -> r:global core dumps: disabled"
+      - "c:coreadm -> r:kernel zone core dumps: disabled"
+      - "c:coreadm -> r:per-process core dumps: enabled"
+      - "c:coreadm -> r:global setid core dumps: disabled"
+      - "c:coreadm -> r:per-process setid core dumps: disabled"
+      - "c:coreadm -> r:global core dump logging: disabled"
+      - "c:coreadm -> r:diagnostic core dumps: enabled"
+      - "c:coreadm -> r:retention policy: summary"
+      - "c:coreadm -> r:core diagnostic alert: enabled"
+      - 'c:stat -c%u-%g-%a /var/share/cores -> r:^\d-\d-700'
+
+  - id: 23522
+    title: "Disable Response to ICMP Timestamp Requests."
+    description: "This setting controls whether Solaris will respond to ICMP timestamp requests."
+    rationale: "Reduce attack surface by restricting this vector used for host discovery."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _respond_to_timestamp=0 ip"
+    compliance:
+      - cis: ["3.9"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _respond_to_timestamp -co current ip -> r:0"
+      - "c:ipadm show-prop -p _respond_to_timestamp -co persistent ip -> r:0"
+
+  - id: 23523
+    title: "Disable Response to Multicast Echo Request."
+    description: "These settings control whether Solaris responds to multicast IPv4 and IPv6 echo requests."
+    rationale: "Reduce attack surface by restricting this vector used for host discovery and to prevent denial of service attacks."
+    remediation: "To enforce this setting for IPv4 packets, use the command: # ipadm set-prop -p _respond_to_echo_multicast=0 ipv4. To enforce this setting for IPv6 packets, use the command: # ipadm set-prop -p _respond_to_echo_multicast=0 ipv6"
+    compliance:
+      - cis: ["3.10"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _respond_to_echo_multicast -co current ipv4 -> r:0"
+      - "c:ipadm show-prop -p _respond_to_echo_multicast -co persistent ipv4 -> r:0"
+      - "c:ipadm show-prop -p _respond_to_echo_multicast -co current ipv6 -> r:0"
+      - "c:ipadm show-prop -p _respond_to_echo_multicast -co persistent ipv6 -> r:0"
+
+  - id: 23524
+    title: "Ignore ICMP Redirect Messages."
+    description: "These settings control whether Solaris will ignore ICMP redirect messages."
+    rationale: "IP redirects should not be necessary in a well-designed and maintained network. Set to a value of 1 if there is a high risk for a DoS attack. Otherwise, the default value of 0 is sufficient."
+    remediation: "To enforce this setting for IPv4 packets, use the command: # ipadm set-prop -p _ignore_redirect=1 ipv4. To enforce this setting for IPv6 packets, use the command: # ipadm set-prop -p _ignore_redirect=1 ipv6"
+    compliance:
+      - cis: ["3.11"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _ignore_redirect -co current ipv4 -> r:1"
+      - "c:ipadm show-prop -p _ignore_redirect -co persistent ipv4 -> r:1"
+      - "c:ipadm show-prop -p _ignore_redirect -co current ipv6 -> r:1"
+      - "c:ipadm show-prop -p _ignore_redirect -co persistent ipv6 -> r:1"
+
+  - id: 23525
+    title: "Set Strict Multihoming."
+    description: "These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface."
+    rationale: "Enable this setting for systems that have interfaces that cross strict networking domains (for example, a firewall or a VPN node)."
+    remediation: "To enforce this setting for IPv4 packets, use the command: # ipadm set-prop -p _strict_dst_multihoming=1 ipv4. To enforce this setting for IPv6 packets, use the command: # ipadm set-prop -p _strict_dst_multihoming=1 ipv6"
+    compliance:
+      - cis: ["3.12"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _strict_dst_multihoming -co current ipv4 -> r:1"
+      - "c:ipadm show-prop -p _strict_dst_multihoming -co persistent ipv4 -> r:1"
+      - "c:ipadm show-prop -p _strict_dst_multihoming -co current ipv6 -> r:1"
+      - "c:ipadm show-prop -p _strict_dst_multihoming -co persistent ipv6 -> r:1"
+
+  - id: 23526
+    title: "Disable ICMP Redirect Messages."
+    description: "These setting controls whether Solaris sends ICMPv4 and ICMPv6 redirect messages."
+    rationale: "A malicious user can exploit the ability of the system to send ICMP redirects by continually sending packets to the system, forcing the system to respond with ICMP redirect messages, resulting in an adverse impact on the CPU performance of the system."
+    remediation: "To enforce this setting for IPv4 packets, use the command: # ipadm set-prop -p send_redirects=off ipv4. To enforce this setting for IPv6 packets, use the command: # ipadm set-prop -p send_redirects=off ipv6"
+    compliance:
+      - cis: ["3.13"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p send_redirects -co current ipv4 -> r:off"
+      - "c:ipadm show-prop -p send_redirects -co persistent ipv4 -> r:off"
+      - "c:ipadm show-prop -p send_redirects -co current ipv6 -> r:off"
+      - "c:ipadm show-prop -p send_redirects -co persistent ipv6 -> r:off"
+
+  - id: 23527
+    title: "Disable TCP Reverse IP Source Routing."
+    description: "This setting controls whether TCP reverses the IP source routing option for incoming connections."
+    rationale: "If IP source routing is needed for diagnostic purposes, enable it. Otherwise disable it."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _rev_src_routes=0 tcp"
+    compliance:
+      - cis: ["3.14"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _rev_src_routes -co current tcp -> r:0"
+      - "c:ipadm show-prop -p _rev_src_routes -co persistent tcp -> r:0"
+
+  - id: 23528
+    title: "Set Maximum Number of Half-open TCP Connections."
+    description: "This setting controls how many half-open connections can exist for a TCP port."
+    rationale: "It is necessary to control the number of completed connections to the system to provide some protection against Denial of Service attacks. Note that the value of 4096 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _conn_req_max_q0=4096 tcp"
+    compliance:
+      - cis: ["3.15"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _conn_req_max_q0 -co current tcp -> r:4096"
+      - "c:ipadm show-prop -p _conn_req_max_q0 -co persistent tcp -> r:4096"
+
+  - id: 23529
+    title: "Set Maximum Number of Incoming Connections."
+    description: "This setting controls the maximum number of incoming connections that can be accepted on a TCP port."
+    rationale: "Note that the value of 1024 is a minimum to establish a good security posture for this setting. In environments where connections numbers are high, such as a busy webserver, this value may need to be increased."
+    remediation: "To enforce this setting, use the command: # ipadm set-prop -p _conn_req_max_q=1024 tcp"
+    compliance:
+      - cis: ["3.16"]
+    condition: all
+    rules:
+      - "c:ipadm show-prop -p _conn_req_max_q -co current tcp -> r:1024"
+      - "c:ipadm show-prop -p _conn_req_max_q -co persistent tcp -> r:1024"
+
+  - id: 23530
+    title: "Disable Network Routing."
+    description: "The network routing daemon, in.routed, manages network routing tables. If enabled, it periodically supplies copies of the system's routing tables to any directly connected hosts and networks and picks up routes supplied to it from other networks and hosts."
+    rationale: "Routing Internet Protocol (RIP) is a legacy protocol with a number of security weaknesses including a lack of authentication, zoning, pruning, etc."
+    remediation: "To enforce this setting and disable IPv4 routing, use the command: # routeadm -d ipv4-forwarding -d ipv4-routing. To enforce this setting and disable IPv6 routing, use the command: # routeadm -d ipv6-forwarding -d ipv6-routing"
+    compliance:
+      - cis: ["3.17"]
+    condition: all
+    rules:
+      - 'c:routeadm -p -> r:ipv4-routing persistent=disabled \S+ current=disabled'
+      - 'c:routeadm -p -> r:ipv6-routing persistent=disabled \S+ current=disabled'
+      - 'c:routeadm -p -> r:ipv4-forwarding persistent=disabled \S+ current=disabled'
+      - 'c:routeadm -p -> r:ipv6-forwarding persistent=disabled \S+ current=disabled'
+
+  # 4 Auditing and Logging
+  - id: 23531
+    title: "Create CIS Audit Class."
+    description: "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit."
+    rationale: "To simplify administration, a CIS specific audit class should be created."
+    remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "c:grep :CIS /etc/security/audit_class -> r:0x0100000000000000:cis:CIS Solaris Benchmark"
+
+  - id: 23532
+    title: "Enable Auditing of Incoming Network Connections."
+    description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
+    rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service-specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
+    remediation: "To enforce this setting, use the commands to modify the /etc/security/audit_event file and add the cis audit class to the following audit events: # cp /etc/security/audit_event /etc/security/audit_event.orig # awk 'BEGIN{FS=:; OFS=:} {if ($2 ~ /AUE_ACCEPT|AUE_CONNECT|AUE_SOCKACCEPT|AUE_SOCKCONNECT|AUE_inetd_connect/) $4=$4,cis;} {print} ' etc/security/audit_event > /etc/security/audit_event.out # cp /etc/security/audit_event.out /etc/security/audit_event"
+    compliance:
+      - cis: ["4.2"]
+    condition: all
+    rules:
+      - 'c:grep AUE_ACCEPT /etc/security/audit_event -> r:^\d+:AUE_ACCEPT:'
+      - 'c:grep AUE_CONNECT /etc/security/audit_event -> r:^\d+:AUE_CONNECT:'
+      - 'c:grep AUE_SOCKACCEPT /etc/security/audit_event -> r:^\d+:AUE_SOCKACCEPT:'
+      - 'c:grep AUE_SOCKCONNECT /etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:'
+      - 'c:grep AUE_inetd_connect /etc/security/audit_event -> r:^\d+:AUE_inetd_connect:'
+
+  - id: 23533
+    title: "Enable Auditing of File Metadata Modification Events."
+    description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed."
+    rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+    remediation: "To enforce this setting, use the commands to modify the /etc/security/audit_event file and add the cis audit class to the following audit events: # awk 'BEGIN{FS=:; OFS=:} {if ($2 ~ /AUE_CHMOD|AUE_CHOWN|AUE_FCHOWN|AUE_FCHMOD|AUE_LCHOWN|AUE_ACLSET|AUE_FACLSET/) $4=$4,cis;} {print} ' /etc/security/audit_event > /etc/security/audit_event.CIS # cp /etc/security/audit_event.CIS /etc/security/audit_event"
+    compliance:
+      - cis: ["4.3"]
+    condition: all
+    rules:
+      - 'c:grep AUE_CHMOD /etc/security/audit_event -> r:^\d+:AUE_CHMOD:'
+      - 'c:grep AUE_CHOWN /etc/security/audit_event -> r:^\d+:AUE_CHOWN:'
+      - 'c:grep AUE_FCHOWN /etc/security/audit_event -> r:^\d+:AUE_FCHOWN:'
+      - 'c:grep AUE_FCHMOD /etc/security/audit_event -> r:^\d+:AUE_FCHMOD:'
+      - 'c:grep AUE_LCHOWN /etc/security/audit_event -> r:^\d+:AUE_LCHOWN:'
+      - 'c:grep AUE_ACLSET /etc/security/audit_event -> r:^\d+:AUE_ACLSET:'
+      - 'c:grep AUE_FACLSET /etc/security/audit_event -> r:^\d+:AUE_FACLSET:'
+
+  - id: 23534
+    title: "Enable Auditing of Process and Privilege Events."
+    description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)."
+    rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+    remediation: "To enforce this setting, use the commands to modify the /etc/security/audit_event file and add the cis audit class to the following audit events: # awk 'BEGIN{FS=:; OFS=:} {if ($2 ~ /AUE_CHROOT|AUE_SETREUID|AUE_SETREGID|AUE_FCHROOT|AUE_PFEXEC|AUE_SETUID|AUE_NICE|AUE_SETGID|AUE_PRIOCNTLSYS|AUE_SETEGID|AUE_SETEUID|AUE_SETPPRIV|AUE_SETSID|AUE_SETPGID/)$4=$4,cis;} {print} ' /etc/security/audit_event > /etc/security/audit_event.CIS # cp /etc/security/audit_event.CIS /etc/security/audit_event"
+    compliance:
+      - cis: ["4.4"]
+    condition: all
+    rules:
+      - 'c:grep AUE_CHROOT /etc/security/audit_event -> r:^\d+:AUE_CHROOT:'
+      - 'c:grep AUE_SETREUID /etc/security/audit_event -> r:^\d+:AUE_SETREUID:'
+      - 'c:grep AUE_SETREGID /etc/security/audit_event -> r:^\d+:AUE_SETREGID:'
+      - 'c:grep AUE_FCHROOT /etc/security/audit_event -> r:^\d+:AUE_FCHROOT:'
+      - 'c:grep AUE_PFEXEC /etc/security/audit_event -> r:^\d+:AUE_PFEXEC:'
+      - 'c:grep AUE_SETUID /etc/security/audit_event -> r:^\d+:AUE_SETUID:'
+      - 'c:grep AUE_NICE /etc/security/audit_event -> r:^\d+:AUE_NICE:'
+      - 'c:grep AUE_SETGID /etc/security/audit_event -> r:^\d+:AUE_SETGID:'
+      - 'c:grep AUE_PRIOCNTLSYS /etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:'
+      - 'c:grep AUE_SETEGID /etc/security/audit_event -> r:^\d+:AUE_SETEGID:'
+      - 'c:grep AUE_SETEUID /etc/security/audit_event -> r:^\d+:AUE_SETEUID:'
+      - 'c:grep AUE_SETPPRIV /etc/security/audit_event -> r:^\d+:AUE_SETPPRIV:'
+      - 'c:grep AUE_SETSID /etc/security/audit_event -> r:^\d+:AUE_SETSID:'
+      - 'c:grep AUE_SETPGID /etc/security/audit_event -> r:^\d+:AUE_SETPGID:'
+
+  - id: 23535
+    title: "Configure Solaris Auditing."
+    description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The cis class is a custom class that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/shares/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
+    rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
+    remediation: "To enforce this setting, use the commands: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis #auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # usermod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root 0 0 * * * /usr/sbin/audit -n # chown root:root /var/shares/audit # chmod 750 /var/shares/audit"
+    compliance:
+      - cis: ["4.5"]
+    condition: all
+    rules:
+      - "c:auditconfig -getcond -> r:audit condition = auditing"
+      - "c:auditconfig -getpolicy -> r:configured audit policies = argv,cnt,zonename"
+      - "c:auditconfig -getpolicy -> r:active audit policies = argv,cnt,zonename"
+      - "c:auditconfig -getflags -> r:configured user default audit flags = ad,ft,lo,ex,cis"
+      - "c:auditconfig -getflags -> r:active user default audit flags = ad,ft,lo,ex,cis"
+      - "c:auditconfig -getnaflags -> r:configured non-attributable audit flags = lo"
+      - "c:auditconfig -getnaflags -> r:active non-attributable audit flags = lo"
+      - 'c:auditconfig -getplugin audit_binfile -> r:Plugin: audit_binfile \(active\)'
+      - "c:auditconfig -getplugin audit_binfile -> r:Attributes: p_age=0h;p_dir=/var/audit;p_flags=all;p_fsize=0;p_minfree=1"
+      - "c:userattr audit_flags root -> r:lo,ad,ft,ex,cis:no"
+      - "c:ls -l /var/share/audit/*.not_terminated.* -> r:.not_terminated."
+
+  # 5 File/Directory Permissions/Access
+  - id: 23536
+    title: "Set Sticky Bit on World Writable Directories."
+    description: "When the so-called sticky bit (set with chmod +t) is set on a directory, then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file)."
+    rationale: "Files in directories that have had the 'sticky bit' set, can only be deleted by users that have both write permissions for the directory in which the file resides, as well as ownership of the file or directory, or has sufficient privilege. As this prevents users from overwriting each other's files, whether it be accidental or malicious, it is generally appropriate for most world-writable directories (e.g., /tmp). However, consult appropriate vendor documentation before blindly applying the sticky bit to any world writable directories found, in order to avoid breaking any application dependencies on a given directory."
+    remediation: "To set the sticky bit on a directory, run the following command: # chmod +t [directory name]"
+    compliance:
+      - cis: ["5.1"]
+    condition: all
+    rules:
+      - 'c:find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type d \( -perm -0002 -a ! -perm -1000 \) -ls -> r:^$'
+
+  # 6 System Access, Authentication, and Authorization
+  - id: 23537
+    title: "Disable login: Services on Serial Ports."
+    description: "The svccfg command provides service administration for the lower level of the Service Access Facility hierarchy and can be used to disable the ability to login on a particular port."
+    rationale: "Login services should not be enabled on any serial ports that are not strictly required to support the mission of the system. This action can be safely performed even when console access is provided using a serial port."
+    remediation: "Perform the following to implement the recommended state: # svcadm disable svc:/system/console-login:terma #svcadm disable svc:/system/console-login:termb"
+    compliance:
+      - cis: ["6.1"]
+    condition: all
+    rules:
+      - "c:svcs -Ho state svc:/system/console-login:terma -> r:disabled"
+      - "c:svcs -Ho state svc:/system/console-login:termb -> r:disabled"
+
+  - id: 23539
+    title: "Restrict at/cron to Authorized Users."
+    description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals."
+    rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
+    remediation: "Perform the following to implement the recommended state: # mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.cis # mv /etc/cron.d/at.deny /etc/cron.d/at.deny.cis # echo root > /etc/cron.d/cron.allow # cp /dev/null /etc/cron.d/at.allow # chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow # chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow"
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - "not f:/etc/cron.d/cron.deny"
+      - "not f:/etc/cron.d/at.deny"
+      - "c:cat /etc/cron.d/cron.allow -> r:root"
+      - "c:wc -l /etc/cron.d/at.allow -> r:0"
+
+  - id: 23540
+    title: "Set Default Screen Lock for GNOME Users."
+    description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment."
+    rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
+    remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # vi XScreenSaver: timeout: 0:10:00, lockTimeout: 0:00:00, lock: True # mv xScreenSaver.CIS xScreenSaver"
+    compliance:
+      - cis: ["6.4"]
+    condition: all
+    rules:
+      - "c:grep *timeout: /usr/share/X11/app-defaults/XScreenSaver -> r:0:10:00"
+      - "c:grep *lockTimeout: /usr/share/X11/app-defaults/XScreenSaver -> r:0:00:00"
+      - "c:grep *lock: /usr/share/X11/app-defaults/XScreenSaver -> r:True"
+
+  - id: 23541
+    title: "Remove Autologin Capabilities from the GNOME desktop."
+    description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in /etc/pam.d/gdm-autologin to allow users to access the system without a password."
+    rationale: "As automatic logins are a known security risk for other than kiosk types of systems, GNOME automatic login should be disabled in /etc/pam.d/gdm-autologin."
+    remediation: "Comment out or remove all lines from /etc/pam.d/gdm-autologin"
+    compliance:
+      - cis: ["6.5"]
+    condition: all
+    rules:
+      - "c:grep -vc ^# /etc/pam.d/gdm-autologin -> r:0"
+
+  - id: 23542
+    title: "Set Delay between Failed Login Attempts to 4."
+    description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the login incorrect message when a bad password is provided. The default value for SLEEPTIME is 4 seconds."
+    rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
+    remediation: "Perform the following to implement the recommended state: # cd /etc/default # cp login login.orig # nano login SLEEPTIME=4"
+    compliance:
+      - cis: ["6.6"]
+    condition: all
+    rules:
+      - "c:grep SLEEPTIME= /etc/default/login -> r:SLEEPTIME=4|#SLEEPTIME=4"
+
+  - id: 23543
+    title: "Disable Rhost-based Authentication for SSH."
+    description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
+    remediation: "Perform the following to implement the recommended state: # nano /etc/ssh/sshd_config - IgnoreRhosts yes"
+    compliance:
+      - cis: ["6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
+
+  - id: 23545
+    title: "Disable root login for SSH."
+    description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host."
+    rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
+    remediation: "Perform the following to implement the recommended state: # nano /etc/ssh/sshd_config - PermitRootLogin no"
+    compliance:
+      - cis: ["6.9"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
+
+  - id: 23546
+    title: "Disable Host-based Authentication for Login-based Services."
+    description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world-readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user."
+    rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
+    remediation: "Edit /etc/pam.conf and any /etc/pam.d/* results from audit procedure and comment out or remove any pam_rhosts_auth lines: #rlogin auth sufficient pam_rhosts_auth.so.1 #rsh auth sufficient pam_rhosts_auth.so.1"
+    compliance:
+      - cis: ["6.10"]
+    condition: all
+    rules:
+      - 'c:grep pam_rhosts_auth /etc/pam.conf -> !r:\.+'
+      - "c:grep pam_rhosts_auth /etc/pam.d/rlogin -> r:^#"
+      - "c:grep pam_rhosts_auth.so.1 /etc/pam.d/rsh -> r:^#"
+
+  - id: 23547
+    title: "Blocking Authentication Using Empty/Null Passwords for SSH."
+    description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would."
+    rationale: "Permitting login without a password is inherently risky."
+    remediation: "Perform the following to implement the recommended state: Edit /etc/ssh/sshd_config - PermitEmptyPasswords no # svcadm restart svc:/network/ssh"
+    compliance:
+      - cis: ["6.11"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
+
+  - id: 23548
+    title: "Limit Consecutive Login Attempts for SSH."
+    description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits."
+    rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
+    remediation: "Edit /etc/ssh/sshd_config - MaxAuthTries 6 # svcadm restart svc:/network/ssh"
+    compliance:
+      - cis: ["6.12"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 6'
+
+  - id: 23549
+    title: "Disable X11 Forwarding for SSH."
+    description: "The X11 Forwarding parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface."
+    rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
+    remediation: "Perform the following to implement the recommended state: Edit /etc/ssh/sshd_config - X11Forwarding no # svcadm restart svc:/network/ssh"
+    compliance:
+      - cis: ["6.13"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
+
+  - id: 23550
+    title: 'Disable ."nobody" Access for RPC Encryption Key Storage Service'
+    description: "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC."
+    rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
+    remediation: "Perform the following to implement the recommended state: Edit /etc/default/keyserv - ENABLE NOBODY KEYS=NO or comment the line"
+    compliance:
+      - cis: ["6.14"]
+    condition: all
+    rules:
+      - "c:grep ENABLE_NOBODY_KEYS= /etc/default/keyserv -> r:=NO|^#|error"
+
+  - id: 23551
+    title: "Secure the GRUB Menu (Intel)."
+    description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console."
+    rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD-ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
+    remediation: "Run the following command to generate your password hash: # /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2 Enter password: Reenter password: PBKDF2 hash of your password is <em><password_hash></em> Create the file /usr/lib/grub2/bios/etc/grub.d/01\_password: #!/bin/sh /usr/bin/cat > /rpool/boot/grub/password.cfg<<EOF # # GRUB password # set superusers=\"root\" password_pbkdf2 root <em><password_hash></em> EOF /usr/bin/chmod 600 /rpool/boot/grub/password.cfg /usr/bin/echo 'source  /@/boot/grub/password.cfg' Run the following to finalize the password configuration and set menu timeout: # /usr/bin/chmod 700 /usr/lib/grub2/bios/etc/grub.d/01_password # /usr/sbin/bootadm set-menu timeout=30 Changes will take effect on the next reboot."
+    compliance:
+      - cis: ["6.15"]
+    condition: all
+    rules:
+      - "c:psrinfo -pv -> r:GenuineIntel"
+      - "c:grep password.cfg /rpool/boot/grub/grub.cfg -> r:source /@/boot/grub/password.cfg"
+
+  - id: 23552
+    title: "Restrict root Login to System Console."
+    description: "Privileged access to the system via root must be accountable to a particular user."
+    rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
+    remediation: "Edit /etc/default/login - CONSOLE=/dev/console"
+    compliance:
+      - cis: ["6.16"]
+    condition: all
+    rules:
+      - "c:grep CONSOLE=/dev/console /etc/default/login -> r:^CONSOLE=/dev/console"
+
+  - id: 23553
+    title: "Set Retry Limit for Account Lockout."
+    description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u <username>. The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
+    rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
+    remediation: "Perform the following to implement the recommended state: edit /etc/default/login - RETRIES=3, edit /etc/security/policy.conf - LOCK_AFTER_RETRIES=YES. Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle Note: The root role is configured in this manner by default to prevent accidental lock out."
+    compliance:
+      - cis: ["6.17"]
+    condition: all
+    rules:
+      - "c:grep RETRIES= /etc/default/login -> r:=3"
+      - "c:grep LOCK_AFTER_RETRIES= /etc/security/policy.conf -> r:=YES"
+
+  # 7 User Accounts and Environment
+  - id: 23554
+    title: "Set Password Expiration Parameters on Active Accounts."
+    description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password"
+    rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 7 days (1 week) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
+    remediation: "Perform the following to implement the recommended state: Edit /etc/default/passwd - MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=1"
+    compliance:
+      - cis: ["7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/default/passwd -> !r:^# && r:MAXWEEKS && n:=\s*\t*(\d+) compare <= 13'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINWEEKS && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:WARNWEEKS && n:=\s*\t*(\d+) compare == 4'
+
+  - id: 23555
+    title: "Set Strong Password Creation Policies."
+    description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
+    rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter."
+    remediation: "Edit /etc/default/passwd with these values: PASSLENGTH=14 NAMECHECK=YES HISTORY=10 MINDIFF=3 MINUPPER=1 MINLOWER=1 MINSPECIAL=1 MINDIGIT=1 MAXREPEATS=1 WHITESPACE=YES DICTIONDBDIR=/var/passwd DICTIONLIST=/usr/share/lib/dict/words"
+    compliance:
+      - cis: ["7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/default/passwd -> !r:^# && r:PASSLENGTH && n:=\s*\t*(\d) compare == 14'
+      - 'f:/etc/default/passwd -> !r:^# && r:NAMECHECK && r:=\s*\t*yes'
+      - 'f:/etc/default/passwd -> !r:^# && r:HISTORY && n:=\s*\t*(\d+) compare == 10'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINDIFF && n:=\s*\t*(\d+) compare == 3'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINUPPER && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINLOWER && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINSPECIAL && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:MINDIGIT && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:MAXREPEATS && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:WHITESPACE && r:=\s*\t*yes'
+      - 'f:/etc/default/passwd -> !r:^# && r:DICTIONDBDIR && r:=\s*\t*/var/passwd'
+      - 'f:/etc/default/passwd -> !r:^# && r:DICTIONLIST && r:=\s*\t*/usr/share/lib/dict/words'
+
+  - id: 23556
+    title: "Set Default umask for users."
+    description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umaskby inserting the umaskcommand into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit /etc/default/login - UMASK=027"
+    compliance:
+      - cis: ["7.3"]
+    condition: all
+    rules:
+      - "c:grep ^UMASK= /etc/default/login -> r:027"
+
+  - id: 23557
+    title: "Default File Creation Mask for FTP Users."
+    description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server."
+    rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
+    remediation: "Edit /etc/proftpd.conf - Umask 027"
+    compliance:
+      - cis: ["7.4"]
+    condition: all
+    rules:
+      - "c:grep ^Umask /etc/proftpd.conf -> r:027"
+
+  - id: 23558
+    title: "Set mesg n as Default for All Users."
+    description: "The mesg n command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the users tty device."
+    rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
+    remediation: "Refer to documentation to execute a script to set mesg n"
+    compliance:
+      - cis: ["7.5"]
+    condition: all
+    rules:
+      - "c:grep ^mesg /etc/.login -> r:mesg n"
+      - "c:grep ^mesg /etc/profile -> r:mesg n"
+
+  # 8 Warning Banners
+  - id: 23560
+    title: "Create Warnings for Standard Login Services."
+    description: "The contents of the /etc/issue file are displayed prior to the login prompt on the systems console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organizations legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
+    remediation: "Perform the following to implement the recommended state: # echo Authorized users only. All activity may be monitored and reported. > /etc/motd # echo Authorized users only. All activity may be monitored and reported. > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["8.1"]
+    condition: all
+    rules:
+      - "c:cat /etc/motd -> r:Authorized users only. All activity may be monitored and reported"
+      - 'c:ls -l /etc/motd -> r:^-rw-r--r--\s+1\s+root\s+sys'
+      - "c:cat /etc/issue -> r:Authorized users only. All activity may be monitored and reported"
+      - 'c:ls -l /etc/issue -> r:^-rw-r--r--\s+1\s+root\s+root'
+
+  - id: 23561
+    title: "Enable a Warning Banner for the FTP service."
+    description: "The action for this item sets a warning message for FTP users before they log in."
+    rationale: "If FTP is permitted for use in your environment, it is important to ensure that Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
+    remediation: "Perform the following to implement the recommended state: # echo DisplayConnect /etc/issue >> /etc/proftpd.conf # svcadm restart ftp"
+    compliance:
+      - cis: ["8.2"]
+    condition: all
+    rules:
+      - 'c:grep DisplayConnect /etc/proftpd.conf -> r:^DisplayConnect\.+/etc/issue'
+
+  - id: 23562
+    title: "Enable a Warning Banner for the SSH Service."
+    description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
+    rationale: "Performing these steps will ensure the appropriate legal caution is displayed to any user accessing the system via SSH."
+    remediation: "Edit /etc/ssh/sshd_config - Banner /etc/issue"
+    compliance:
+      - cis: ["8.3"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*/etc/issue'
+
+  - id: 23563
+    title: "Enable a Warning Banner for the GNOME Service."
+    description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user or group specific."
+    rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post-authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
+    remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=Security Message --filename=/etc/issue"
+    compliance:
+      - cis: ["8.4"]
+    condition: all
+    rules:
+      - 'c:grep Security /etc/gdm/Init/Default -> r:--title="Security Message" --filename=/etc/issue'
+
+  - id: 23564
+    title: "Check that the Banner Setting for telnet is Null."
+    description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
+    rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it should be disabled and all remote administrative/user connections take place by Secure Shell."
+    remediation: "Perform the following to implement the recommended state: edit /etc/default/telnetd - BANNER="
+    compliance:
+      - cis: ["8.5"]
+    condition: all
+    rules:
+      - "c:grep ^BANNER /etc/default/telnetd -> r:^BANNER=$"
+
+  # 9 System Maintenance
+  - id: 23565
+    title: "Check for Remote Consoles."
+    description: "The consadm command can be used to select or display alternate console devices."
+    rationale: "Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles have not been defined. The consadm -p command displays any alternate consoles that have been defined as auxiliary across reboots. If no remote consoles have been defined, there will be no output from this command."
+    remediation: "Perform the following to implement the recommended state: # /usr/sbin/consadm [-d device...]"
+    compliance:
+      - cis: ["9.1"]
+    condition: all
+    rules:
+      - "c:/usr/sbin/consadm -p -> r:^$"
+
+  - id: 23568
+    title: "Verify System Account Default Passwords."
+    description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts."
+    rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentally or intentionally been enabled."
+    remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l <em>[username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N <em>[username]"
+    compliance:
+      - cis: ["9.4"]
+    condition: all
+    rules:
+      - "f:/etc/shadow -> r:^daemon: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^lp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^adm: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^bin: && !r::NL:|:NP:"
+      - 'f:/etc/shadow -> r:^gdm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^noaccess: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^nobody: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^nobody4: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^openldap: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^unknown: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^webservd: && !r::\p*LK\p*:'
+      - "f:/etc/shadow -> r:^mysql: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^postgres: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^smmsp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^sys: && !r::NL:|:NP:"
+      - 'f:/etc/shadow -> r:^aiuser: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^dhcpserv: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^dladm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^ftp: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^netadm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^netcfg: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^pkg5srv: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^svctag: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^xvm: && !r::\p*LK\p*:'
+      - "f:/etc/shadow -> r:^upnp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^zfssnap: && !r::NL:|:NP:"
+
+  - id: 23569
+    title: "Verify System File Permissions."
+    description: "The pkg verify and command checks the accuracy of installed directory structures and files."
+    rationale: "It is important to ensure that system files and directories are maintained with the permissions they were intended to have from the OS vendor (Oracle)."
+    remediation: "Correct or justify any items discovered in the Audit step. Perform the following to set correct any identified package errors: # pkg fix. Exercise caution in running this command as it may reverse modifications implemented previously including some of those recommended by this document. Rather than use this command broadly, it is recommended that it be used more tactically to correct specific package problems when possible."
+    compliance:
+      - cis: ["9.5"]
+    condition: all
+    rules:
+      - "c:pkg verify -> !r:ERROR"
+
+  - id: 23570
+    title: "Ensure Password Fields are Not Empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)."
+    rationale: "All accounts must have passwords, be configured as Non-login, or be locked."
+    remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-login."
+    compliance:
+      - cis: ["9.6"]
+    condition: all
+    rules:
+      - "c:logins -p -> r:^$"
+
+  - id: 23571
+    title: "Verify No UID 0 Accounts Exist Other than root."
+    description: "Any account with UID 0 has superuser rights on the system."
+    rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
+    remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
+    compliance:
+      - cis: ["9.7"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  - id: 23572
+    title: "Ensure root PATH Integrity."
+    description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly."
+    rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
+    remediation: "Correct or justify any items discovered in the Audit step."
+    compliance:
+      - cis: ["9.8"]
+    condition: all
+    rules:
+      - "f:/etc/profile -> r::."
+      - "f:/root/.profile -> r::."
+      - "f:/root/.bashrc -> r::."
+      - "f:/etc/profile -> r:::"
+      - "f:/root/.profile -> r:::"
+      - "f:/root/.bashrc -> r:::"
+      - "f:/etc/profile -> r::$"
+      - "f:/root/.profile -> r::$"
+      - "f:/root/.bashrc -> r::$"
+
+  - id: 23578
+    title: "Check That Users Are Assigned Home Directories."
+    description: "passwd defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set."
+    rationale: "All users must be assigned a home directory in passwd."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
+    compliance:
+      - cis: ["9.14"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*::\.*'
+
+  - id: 23580
+    title: "Check for Duplicate UIDs."
+    description: "Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually modify passwd and change the UID field."
+    rationale: "Users must be assigned unique UIDs for accountability and to ensure appropriate access protections."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who share a common UID, and work with those users to determine the best course of action in accordance with site policy."
+    compliance:
+      - cis: ["9.16"]
+    condition: all
+    rules:
+      - "c:logins -d -> r:^$"
+
+  - id: 23585
+    title: "Find World Writable Files."
+    description: "Unix-based systems support variable settings to control access to files. World-writable files are the least secure. See the chmod man page for more information."
+    rationale: "Data in world-writable files can be read, modified, and potentially compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system integrity."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine the existence of any write access given for the other category (chmod o-w filename), and work with the owner to determine the best course of action in accordance with site policy."
+    compliance:
+      - cis: ["9.21"]
+    condition: all
+    rules:
+      - 'c:find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type f -perm -0002 -print -> r:^$'
+
+  - id: 23586
+    title: "Find SUID/SGID System Executables."
+    description: "The owner of a file can set the file permissions to run with the owner or group permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID/SGID program is to enable users to perform functions (such as changing their password), which requires root privileges."
+    rationale: "There are valid reasons for SUID/SGID programs, but it is important to identify and review such programs to ensure they are legitimate."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine the existence of any set-UID programs that do not belong on the system, and work with the owner (or system administrator) to determine the best course of action in accordance with site policy. Digital signatures on the Solaris Set-UID binaries can be verified with the elfsign utility, such as this example: # elfsign verify -e /usr/bin/su elfsign: verification of /usr/bin/su passed."
+    compliance:
+      - cis: ["9.22"]
+    condition: all
+    rules:
+      - "c:elfsign verify -e /usr/bin/su -> r:passed."
+
+  - id: 23587
+    title: "Find Un-owned Files and Directories."
+    description: "Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system."
+    rationale: "A new user who is assigned the deleted user's user ID or group ID may then end up owning these files, and thus have more access on the system than was intended."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine the existence of any files that are not attributed to current users or groups on the system, and determine the best course of action in accordance with site policy. Note that the Solaris OS is shipped with all files appropriately owned."
+    compliance:
+      - cis: ["9.23"]
+    condition: all
+    rules:
+      - 'c:find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o \( -nouser -o -nogroup \) -ls -> r:^$'
+
+  - id: 23588
+    title: "Find Files and Directories with Extended Attributes."
+    description: "Extended attributes are implemented as files in a shadow file system that is not generally visible via normal administration commands without special arguments."
+    rationale: "Attackers or malicious users could hide information, exploits, etc. in extended attribute areas. Since extended attributes are rarely used, it is important to find files with extended attributes set."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine the existence of any files having extended file attributes, and determine the best course of action in accordance with site policy. Note that the Solaris OS does not ship with files that have extended attributes."
+    compliance:
+      - cis: ["9.24"]
+    condition: all
+    rules:
+      - 'c:find / \( -fstype nfs -o -fstype cachefs -o -fstype autofs -o -fstype ctfs\ -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -xattr -ls -> r:^$'
diff --git a/etc/ruleset/sca/sunos/cis_solaris11.yml b/etc/ruleset/sca/sunos/cis_solaris11.yml
new file mode 100644
index 0000000000..142b2c17bf
--- /dev/null
+++ b/etc/ruleset/sca/sunos/cis_solaris11.yml
@@ -0,0 +1,703 @@
+# Security Configuration Assessment
+# CIS Checks for Oracle Solaris 11
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Oracle Solaris 11 Benchmark v1.1.0 - 09-30-2013
+
+policy:
+  id: "cis_solaris11"
+  file: "cis_solaris11.yml"
+  name: "CIS Benchmark for Oracle Solaris 11 v1.1.0"
+  description: "This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against  Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Solaris version"
+  description: "Requirements for running the CIS benchmark against Solaris 11"
+  condition: all
+  rules:
+    - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p'
+
+checks:
+  # 2 Disable Unnecessary Services
+  - id: 8000
+    title: "Disable Local-only Graphical Login Environment"
+    description: "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default"
+    compliance:
+      - cis: ["2.1"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/application/graphical-login/gdm:default -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8001
+    title: "Configure sendmail Service for Local-Only Mode"
+    description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false    # svcadm refresh sendmail    # svcadm restart sendmail"
+    compliance:
+      - cis: ["2.2"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:.25\s*\t*|:25\s*\t* && !r:127.0.0.1|::1'
+
+  - id: 8002
+    title: "Disable RPC Encryption Key"
+    description: 'The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is "secure NFS", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. ("Secure NFS" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. "Kerberized" NFS does not require the keyserv service to be running.)'
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
+    compliance:
+      - cis: ["2.3"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/rpc/keyserv -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8003
+    title: "Disable NIS Server Services"
+    description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
+    rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain"
+    compliance:
+      - cis: ["2.4"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/nis/server -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+      - 'c:svcs -xv svc:/network/nis/domain -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8004
+    title: "Disable NIS Client Services"
+    description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system."
+    rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client    # svcadm disable svc:/network/nis/domain"
+    compliance:
+      - cis: ["2.5"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/nis/client -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+      - 'c:svcs -xv svc:/network/nis/domain -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8005
+    title: "Disable Kerberos TGT Expiration Warning"
+    description: 'The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be "local only" by default.'
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
+    compliance:
+      - cis: ["2.6"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/security/ktkt_warn -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8006
+    title: "Disable Generic Security Services (GSS)"
+    description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes."
+    rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
+    compliance:
+      - cis: ["2.7"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/rpc/gss -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8007
+    title: "Disable Removable Volume Manager"
+    description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details."
+    rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
+    remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr    # svcadm disable svc:/network/rpc/smserver"
+    compliance:
+      - cis: ["2.8"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/system/filesystem/rmvolmgr -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+      - 'c:svcs -xv svc:/network/rpc/smserver -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8008
+    title: "Disable automount Service"
+    description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
+    compliance:
+      - cis: ["2.9"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/system/filesystem/autofs -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8009
+    title: "Disable Apache Service"
+    description: "The Apache service provides an instance of the Apache web server."
+    rationale: "This service should be disabled if it is not required."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22"
+    compliance:
+      - cis: ["2.10"]
+    references:
+      - https://httpd.apache.org/docs/2.0/misc/security_tips.html
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/http:apache22 -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8010
+    title: "Disable Local-only RPC Port Mapping Service"
+    description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only."
+    rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
+    remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind. If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
+    compliance:
+      - cis: ["2.11"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/rpc/bind -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  - id: 8011
+    title: "Configure TCP Wrappers"
+    description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections."
+    rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
+    remediation: 'To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net/<mask>, ..." > /etc/hosts.allow. Where each <net>/<mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system. 2) Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny. 3) Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE - To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE. To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true    # svcadm refresh rpc/bind. The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.'
+    compliance:
+      - cis: ["2.12"]
+    references:
+      - ipfilter(5) man page
+    condition: all
+    rules:
+      - "c:inetadm -p -> r:tcp_wrappers=TRUE"
+      - "f:/etc/hosts.allow"
+      - "f:/etc/hosts.deny"
+
+  - id: 8012
+    title: "Disable Telnet Service"
+    description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
+    remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
+    compliance:
+      - cis: ["2.13"]
+    condition: all
+    rules:
+      - 'c:svcs -xv svc:/network/telnet -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
+
+  # 3 Kernel Tuning
+  - id: 8013
+    title: "Restrict Core Dumps to Protected Directory"
+    description: "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
+    rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
+    remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores    # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid    If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
+    compliance:
+      - cis: ["3.1"]
+    condition: all
+    rules:
+      - "c:coreadm"
+      - "c:coreadm -> r:per-process core dumps: disabled"
+      - "c:coreadm -> r:per-process setid core dumps: disabled"
+      - 'c:stat -L -c%u-%g-%a /var/cores -> r:^\d-\d-700'
+
+  - id: 8014
+    title: "Enable Stack Protection"
+    description: "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor- supplied and third party software."
+    rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
+    remediation: 'To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! "`grep noexec_user_stack= /etc/system`" ]; then cat <<END_CFG >>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi'
+    compliance:
+      - cis: ["3.2"]
+    condition: all
+    rules:
+      - "f:/etc/system"
+      - 'f:/etc/system -> r:\s*\t*noexec_user_stack\s*\t*=\s*\t*1'
+      - 'f:/etc/system -> r:\s*\t*noexec_user_stack_log\s*\t*=\s*\t*1'
+
+  - id: 8015
+    title: "Enable Strong TCP Sequence Number Generation"
+    description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session."
+    rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
+    remediation: 'Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default    # awk ''/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; { print }'' inetinit > inetinit.CIS    # mv inetinit.CIS inetinit     To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp'
+    compliance:
+      - cis: ["3.3"]
+    condition: all
+    rules:
+      - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\s*\t*=\s*\t*2'
+      - "c:ipadm show-prop -p _strong_iss -co current tcp -> r:2"
+
+  # 4 Auditing and Logging
+  - id: 8016
+    title: "Create CIS Audit Class"
+    description: "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit."
+    rationale: "To simplify administration, a CIS specific audit class should be created."
+    remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
+    compliance:
+      - cis: ["4.1"]
+    condition: all
+    rules:
+      - "f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark"
+
+  - id: 8017
+    title: "Enable Auditing of Incoming Network Connections"
+    description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
+    rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
+    remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT    AUE_CONNECT    AUE_SOCKACCEPT    AUE_SOCKCONNECT    AUE_inetd_connect"
+    compliance:
+      - cis: ["4.2"]
+    condition: all
+    rules:
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_CONNECT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKACCEPT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_inetd_connect:\.+cis\.*'
+
+  - id: 8018
+    title: "Enable Auditing of File Metadata Modification Events"
+    description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed."
+    rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+    remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD    AUE_CHOWN    AUE_FCHOWN    AUE_FCHMOD    AUE_LCHOWN    AUE_ACLSET    AUE_FACLSET"
+    compliance:
+      - cis: ["4.3"]
+    condition: all
+    rules:
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHOWN:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHOWN:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHMOD:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_LCHOWN:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACLSET:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_FACLSET:\.+cis\.*'
+
+  - id: 8019
+    title: "Enable Auditing of Process and Privilege Events"
+    description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)."
+    rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+    remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT    AUE_SETREUID    AUE_SETREGID    AUE_FCHROOT    AUE_PFEXEC    AUE_SETUID    AUE_NICE    AUE_SETGID    AUE_PRIOCNTLSYS    AUE_SETEGID    AUE_SETEUID    AUE_SETPPRIV    AUE_SETSID    AUE_SETPGID"
+    compliance:
+      - cis: ["4.4"]
+    condition: all
+    rules:
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREUID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREGID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHROOT:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_PFEXEC:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETUID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_NICE:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETGID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEGID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEUID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPPRIV:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*'
+      - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*'
+
+  - id: 8020
+    title: "Configure Solaris Auditing"
+    description: 'Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The "cis" class is a "custom class" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).'
+    rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
+    remediation: "To enforce this setting, use the command: # auditconfig -conf    # auditconfig -setflags lo,ad,ft,ex,cis    # auditconfig -setnaflags lo     # auditconfig -setpolicy cnt,argv,zonename    # auditconfig -setplugin audit_binfile active p_minfree=1     # audit -s    # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root    # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n .  w q END_CRON    # chown root:root /var/audit    # chmod 750 /var/audit"
+    compliance:
+      - cis: ["4.5"]
+    condition: all
+    rules:
+      - "c:auditconfig -getcond -> audit condition = auditing"
+      - "c:auditconfig -getpolicy -> r:active audit policies = argv,cnt,zonename"
+      - 'c:auditconfig -getflags -> r:active user default audit flags = cis,ex,aa,ua,as,ss,lo,ft\(0x1000000800f1080,0x1000000800f1080\)'
+      - 'c:auditconfig -getnaflags -> r:active non-attributable audit flags = lo\(0x1000,0x1000\)'
+      - 'c:auditconfig -getplugin audit_binfile -> r:audit_binfile \(active\)'
+      - "c:userattr audit_flags root -> r:lo,ad,ft,ex,cis:no"
+      - "f:/var/spool/cron/crontabs/root -> r:/usr/sbin/audit -n"
+
+  # 5 File/Directory Permissions/Access
+  - id: 8021
+    title: "Default Service File Creation Mask"
+    description: "The default system file creation mask applies to processes that are started by init - including most system services. To ensure that files are not created with write access to anyone other than their owner, the default file creation mask should be set to 022. Some sites with more stringent security requirements may prefer to set this value to 077 to eliminate all permissions for group and world. Note that changing this value from the Solaris default of 022 may negatively impact services that may not be able to operate with a stricter setting."
+    rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
+    remediation: 'Perform the following to implement the recommended state:  # svccfg -s svc:/system/environment:init setprop umask/umask = astring: "022"'
+    compliance:
+      - cis: ["5.1"]
+    condition: all
+    rules:
+      - "c:svcprop -p umask/umask svc:/system/environment:init -> 022"
+
+  # 6 System Access, Authentication, and Authorization
+  - id: 8022
+    title: 'Disable "nobody" Access for RPC Encryption Key Storage Service'
+    description: "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC."
+    rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default # awk ''/ENABLE_NOBODY_KEYS=/ { $1 = "ENABLE_NOBODY_KEYS=NO" } { print }'' keyserv > keyserv.CIS    # mv keyserv.CIS keyserv'
+    compliance:
+      - cis: ["6.2"]
+    condition: all
+    rules:
+      - "f:/etc/default/keyserv"
+      - 'f:/etc/default/keyserv -> !r:^# && r:ENABLE_NOBODY_KEYS\s*\t*=\s*\t*NO'
+
+  - id: 8023
+    title: "Disable X11 Forwarding for SSH"
+    description: "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface."
+    rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^X11Forwarding / { $2 = "no" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh'
+    compliance:
+      - cis: ["6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
+
+  - id: 8024
+    title: "Limit Consecutive Login Attempts for SSH"
+    description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits."
+    rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^MaxAuthTries/ { $2 = "3" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh'
+    compliance:
+      - cis: ["6.4"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && n:MaxAuthTries\s*\t*(\d+) compare <= 3'
+
+  - id: 8025
+    title: "Disable Rhost-based Authentication for SSH"
+    description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^IgnoreRhosts/ { $2 = "yes" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS    # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh    This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed.'
+    compliance:
+      - cis: ["6.5"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
+
+  - id: 8026
+    title: "Disable root login for SSH"
+    description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host."
+    rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^PermitRootLogin/ { $2 = "no" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS    # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh'
+    compliance:
+      - cis: ["6.6"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
+
+  - id: 8027
+    title: "Blocking Authentication Using Empty/Null Passwords for SSH"
+    description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would."
+    rationale: "Permitting login without a password is inherently risky."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^PermitEmptyPasswords/ { $2 = "no" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS    # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh'
+    compliance:
+      - cis: ["6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
+
+  - id: 8028
+    title: "Disable Host-based Authentication for Login-based Services"
+    description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user."
+    rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
+    remediation: "Perform the following to implement the recommended state: # cd /etc    # cp pam.conf pam.conf.pre-CIS    # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS    # mv pam.conf.CIS pam.conf"
+    compliance:
+      - cis: ["6.8"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.conf -> r:^#\s*\t*rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
+      - 'f:/etc/pam.conf -> r:^#\s*\t*rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
+
+  - id: 8029
+    title: "Set Delay between Failed Login Attempts to 4"
+    description: 'The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the "login incorrect" message when a bad password is provided.'
+    rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default # awk ''/SLEEPTIME=/ { $1 = "SLEEPTIME=4" } { print }'' login > login.CIS # mv login.CIS login'
+    compliance:
+      - cis: ["6.10"]
+    condition: all
+    rules:
+      - 'f:/etc/default/login -> !r:^# && n:^SLEEPTIME\s*\t*=\s*\t*(\d+) compare >= 4'
+
+  - id: 8030
+    title: "Remove Autologin Capabilities from the GNOME desktop"
+    description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password."
+    rationale: 'As automatic logins are a known security risk for other than "kiosk" types of systems, GNOME automatic login should be disabled in pam.conf(4).'
+    remediation: 'Perform the following to implement the recommended state: # cd /etc    # awk ''/^gdm-autologin/ { $1="   #gdm-autologin" } { print }'' /etc/pam.conf > /etc/pam.conf.CIS    # mv pam.conf.CIS pam.conf'
+    compliance:
+      - cis: ["6.11"]
+    condition: none
+    rules:
+      - "f:/etc/pam.conf -> !r:^# && r:gdm-autologin"
+
+  - id: 8031
+    title: "Set Default Screen Lock for GNOME Users"
+    description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment."
+    rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
+    remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults    # cp XScreenSaver XScreenSaver.orig    # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS    # mv xScreenSaver.CIS xScreenSaver"
+    compliance:
+      - cis: ["6.12"]
+    condition: all
+    rules:
+      - "f:/usr/share/X11/app-defaults/XScreensaver"
+      - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*\d+:\d+:\d+'
+      - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*\d+:\d+:\d+'
+      - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true'
+
+  - id: 8032
+    title: "Restrict at/cron to Authorized Users"
+    description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals."
+    rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
+    remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d    # mv cron.deny cron.deny.cis    # mv at.deny at.deny.cis    # echo root > cron.allow    # cp /dev/null at.allow    # chown root:root cron.allow at.allow    # chmod 400 cron.allow at.allow"
+    compliance:
+      - cis: ["6.13"]
+    condition: all
+    rules:
+      - "not f:/etc/cron.d/cron.deny"
+      - "not f:/etc/cron.d/at.deny"
+      - "f:/etc/cron.d/cron.allow"
+      - "f:/etc/cron.d/cron.allow -> r:^root$"
+      - "f:/etc/cron.d/at.allow"
+      - 'c:wc -l /etc/cron.d/at.allow -> r:\s*0\s'
+
+  - id: 8033
+    title: "Restrict root Login to System Console"
+    description: "Privileged access to the system via root must be accountable to a particular user."
+    rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default # awk ''/CONSOLE=/ { print "CONSOLE=/dev/console"; next }; { print }'' login > login.CIS # mv login.CIS login'
+    compliance:
+      - cis: ["6.14"]
+    condition: all
+    rules:
+      - 'f:/etc/default/login -> !r:^# && r:CONSOLE|console && r:=\s*\t*/dev/console'
+
+  - id: 8034
+    title: "Set Retry Limit for Account Lockout"
+    description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u <username>). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
+    rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default    # awk ''/RETRIES=/ { $1 = "RETRIES=3" } { print }'' login >login.CIS    # mv login.CIS login    # cd /etc/security    # awk ''/LOCK_AFTER_RETRIES=/ { $1 = "LOCK_AFTER_RETRIES=YES" } { print }'' policy.conf > policy.conf.CIS    # mv policy.conf.CIS policy.conf    # svcadm restart svc:/system/name-service/cache     Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle'
+    compliance:
+      - cis: ["6.15"]
+    condition: all
+    rules:
+      - 'f:/etc/default/login -> !r:^# && r:retries|RETRIES && n:=\s*\t*(\d+) compare <=3'
+      - 'f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES|lock_after_retries && r:=\s*\t*yes'
+
+  - id: 8035
+    title: "Secure the GRUB Menu (Intel)"
+    description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console."
+    rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
+    remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub    grub> md5crypt    Password: [enter desired boot loader password]    Encrypted: [enter md5 password string]    grub> [enter control-C (^C)]    The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst    Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above]    Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe    lock"
+    compliance:
+      - cis: ["6.17"]
+    condition: all
+    rules:
+      - "f:/rpool/boot/grub/menu.lst"
+      - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5'
+
+  # 7 User Accounts and Environment
+  - id: 8036
+    title: "Set Password Expiration Parameters on Active Accounts"
+    description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password."
+    rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
+    remediation: 'Perform the following to implement the recommended state: # logins -ox | awk -F: ''($1 == "root" || $8 == "LK" || $8 == "NL")  { next } ;  { $cmd = "passwd" } ; ($11 91) { $cmd = $cmd " -x 91" }  ($10 < 7) { $cmd = $cmd " -n 7" }  ($12 < 28) { $cmd = $cmd " -w 28" }  ($cmd != "passwd") { print $cmd " " $1 }''  > /etc/CISupd_accounts    # /sbin/sh /etc/CISupd_accounts    # rm -f /etc/CISupd_accounts    # cd /etc/default    # grep -v WEEKS passwd > passwd.CIS    # cat <<EODefaults >> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults    # mv passwd.CIS passwd'
+    compliance:
+      - cis: ["7.1"]
+    condition: all
+    rules:
+      - 'f:/etc/default/passwd -> !r:^# && r:maxweeks|MAXWEEKS && n:=\s*\t*(\d+) compare <= 13'
+      - 'f:/etc/default/passwd -> !r:^# && r:minweeks|MINWEEKS && n:=\s*\t*(\d+) compare == 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:warnweeks|WARNWEEKS && n:=\s*\t*(\d+) compare == 4'
+
+  - id: 8037
+    title: "Set Strong Password Creation Policies"
+    description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
+    rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default    # awk ''/PASSLENGTH=/ { $1 = "PASSLENGTH=8" }; /NAMECHECK=/ { $1 = "NAMECHECK=YES" }; /HISTORY=/ { $1 = "HISTORY=10" }; /MINDIFF=/ { $1 = "MINDIFF=3" }; /MINALPHA=/ { $1 = "MINALPHA=2" }; /MINUPPER=/ { $1 = "MINUPPER=1" }; /MINLOWER=/ { $1 = "MINLOWER=1" }; /MINNONALPHA=/ { $1 = "MINNONALPHA=1" }; /MAXREPEATS=/ { $1 = "MAXREPEATS=0" }; /WHITESPACE=/ { $1 = "WHITESPACE=YES" }; /DICTIONDBDIR=/ { $1 = "DICTIONDBDIR=/var/passwd" }; /DICTIONLIST=/ { $1 = "DICTIONLIST=/usr/share/lib/dict/words" }; { print }'' passwd > passwd.CIS    # mv passwd.CIS passwd'
+    compliance:
+      - cis: ["7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/default/passwd -> !r:^# && r:passlength|PASSLENGTH && n:=\s*\t*(\d) compare <= 8'
+      - 'f:/etc/default/passwd -> !r:^# && r:namecheck|NAMECHECK && r:=\s*\t*yes'
+      - 'f:/etc/default/passwd -> !r:^# && r:history|HISTORY && n:=\s*\t*(\d+) compare >= 10'
+      - 'f:/etc/default/passwd -> !r:^# && r:mindiff|MINDIFF && n:=\s*\t*(\d+) compare >= 3'
+      - 'f:/etc/default/passwd -> !r:^# && r:minalpha|MINALPHA && n:=\s*\t*(\d+) compare >= 2'
+      - 'f:/etc/default/passwd -> !r:^# && r:minupper|MINUPPER && n:=\s*\t*(\d+) compare >= 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:minlower|MINLOWER && n:=\s*\t*(\d+) compare >= 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:minnonalpha|MINNONALPHA && n:=\s*\t*(\d+) compare >= 1'
+      - 'f:/etc/default/passwd -> !r:^# && r:maxrepeats|MAXREPEATS && r:=\s*\t*0'
+      - 'f:/etc/default/passwd -> !r:^# && r:whitespace|WHITESPACE && r:=\s*\t*yes'
+      - 'f:/etc/default/passwd -> !r:^# && r:dictiondbdir|DICTIONDBDIR && r:=\s*\t*/var/passwd'
+      - 'f:/etc/default/passwd -> !r:^# && r:dictionlist|DICTIONLIST && r:=\s*\t*/usr/share/lib/dict/words'
+
+  - id: 8038
+    title: "Set Default umask for users"
+    description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default    # awk ''/#UMASK=/ { $1 = "UMASK=027" } { print }'' login > login.CIS    # mv login.CIS login'
+    compliance:
+      - cis: ["7.3"]
+    condition: all
+    rules:
+      - 'f:/etc/default/login -> !r:^# && r:UMASK|umask && r:=\s*\t*027'
+
+  - id: 8039
+    title: "Set Default File Creation Mask for FTP Users"
+    description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server."
+    rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc    # if [ "`grep ''^Umask'' proftpd.conf`" ]; then awk ''/^Umask/ { $2 = "027" } { print }'' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo "Umask 027" >> proftpd.conf fi'
+    compliance:
+      - cis: ["7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/proftpd.conf -> !r:^# && r:Umask && r:\s*\t*027'
+
+  - id: 8040
+    title: 'Set "mesg n" as Default for All Users'
+    description: 'The "mesg n" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user''s tty device.'
+    rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc    # for file in profile .login ; do if [ "`grep mesg $file`" ]; then awk ''$1 == "mesg" { $2 = "n" } { print }'' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done'
+    compliance:
+      - cis: ["7.5"]
+    condition: all
+    rules:
+      - 'f:/etc/.login -> r:^mesg\s*\t*n'
+      - 'f:/etc/profile -> r:^mesg\s*\t*n'
+
+  # 8 Warning Banners
+  - id: 8041
+    title: "Create Warnings for Standard Login Services"
+    description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
+    remediation: 'Perform the following to implement the recommended state: # echo "Authorized users only. All activity may be monitored and reported." > /etc/motd    # echo "Authorized users only. All activity may be monitored and reported." > /etc/issue    # chown root:root /etc/issue    # chmod 644 /etc/issue'
+    compliance:
+      - cis: ["8.1"]
+    condition: all
+    rules:
+      - "f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported"
+      - "f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported"
+      - "c:stat -L -c%u-%g-%a /etc/issue -> r:^0-0-644"
+
+  - id: 8042
+    title: "Enable a Warning Banner for the SSH Service"
+    description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
+    remediation: 'Perform the following to implement the recommended state: # awk ''/^#Banner/ { $1 = "Banner" } { print }'' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS    # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config    # svcadm restart svc:/network/ssh'
+    compliance:
+      - cis: ["8.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*/etc/issue'
+
+  - id: 8043
+    title: "Enable a Warning Banner for the GNOME Service"
+    description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific."
+    rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
+    remediation: 'Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file.  /usr/bin/zenity --text-info --width=800 --height=300 --title="Security Message" --filename=/etc/issue'
+    compliance:
+      - cis: ["8.3"]
+    condition: all
+    rules:
+      - "f:/etc/gdm/Init/Default"
+      - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.'
+
+  - id: 8044
+    title: "Enable a Warning Banner for the FTP service"
+    description: "The action for this item sets a warning message for FTP users before they log in."
+    rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
+    remediation: 'Perform the following to implement the recommended state: # echo "DisplayConnect /etc/issue" >> /etc/proftpd.conf    # svcadm restart ftp'
+    compliance:
+      - cis: ["8.4"]
+    condition: all
+    rules:
+      - 'f:/etc/proftpd.conf -> !r:^# && r:DisplayConnect\s*\t*/etc/issue'
+
+  - id: 8045
+    title: "Check that the Banner Setting for telnet is Null"
+    description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
+    rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
+    remediation: 'Perform the following to implement the recommended state: # cd /etc/default # awk ''/^BANNER=/ { $1 = "BANNER=" }; { print }'' telnetd > telnetd.CIS    # mv telnetd.CIS telnetd'
+    compliance:
+      - cis: ["8.5"]
+    condition: none
+    rules:
+      - 'f:/etc/default/telnetd -> !r:^# && r:BANNER\s*\t*=\s*\t*\.'
+
+  # 9 System Maintenance
+  - id: 8046
+    title: "Verify System Account Default Passwords"
+    description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts."
+    rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentally or intentionally been enabled."
+    remediation: "To lock a single account, use the command: # passwd -d [username]    # passwd -l [username]    To configure a single account to be non-login, use the command: # passwd -d [username]    # passwd -N [username]"
+    compliance:
+      - cis: ["9.3"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^daemon: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^lp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^adm: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^bin: && !r::NL:|:NP:"
+      - 'f:/etc/shadow -> r:^gdm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^noaccess: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^nobody: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^nobody4: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^openldap: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^unknown: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^webservd: && !r::\p*LK\p*:'
+      - "f:/etc/shadow -> r:^mysql: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^nuuc: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^postgres: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^smmsp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^sys: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^uucp: && !r::NL:|:NP:"
+      - 'f:/etc/shadow -> r:^aiuser: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^dhcpserv: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^dladm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^ftp: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^netadm: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^netcfg: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^pkg5srv: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^svctag: && !r::\p*LK\p*:'
+      - 'f:/etc/shadow -> r:^xvm: && !r::\p*LK\p*:'
+      - "f:/etc/shadow -> r:^upnp: && !r::NL:|:NP:"
+      - "f:/etc/shadow -> r:^zfssnap: && !r::NL:|:NP:"
+
+  - id: 8047
+    title: "Ensure Password Fields are Not Empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)."
+    rationale: 'All accounts must have passwords, be configured as "Non-login," or be locked.'
+    remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
+    compliance:
+      - cis: ["9.4"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  - id: 8048
+    title: "Verify No UID 0 Accounts Exist Other than root"
+    description: "Any account with UID 0 has superuser rights on the system."
+    rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
+    remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
+    compliance:
+      - cis: ["9.5"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+  - id: 8049
+    title: "Ensure root PATH Integrity"
+    description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly."
+    rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
+    remediation: "Correct or justify any items discovered in the Audit step."
+    compliance:
+      - cis: ["9.6"]
+    condition: none
+    rules:
+      - "f:/etc/profile -> r::."
+      - "f:/root/.profile -> r::."
+      - "f:/root/.bashrc -> r::."
+      - "f:/etc/profile -> r:::"
+      - "f:/root/.profile -> r:::"
+      - "f:/root/.bashrc -> r:::"
+      - "f:/etc/profile -> r::$"
+      - "f:/root/.profile -> r::$"
+      - "f:/root/.bashrc -> r::$"
+
+  - id: 8050
+    title: "Check That Users Are Assigned Home Directories"
+    description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set."
+    rationale: "All users must be assigned a home directory in passwd(4)."
+    remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
+    compliance:
+      - cis: ["9.12"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*::\.*'
diff --git a/etc/ruleset/sca/ubuntu/cis_ubuntu14_04.yml b/etc/ruleset/sca/ubuntu/cis_ubuntu14_04.yml
new file mode 100644
index 0000000000..04a604af87
--- /dev/null
+++ b/etc/ruleset/sca/ubuntu/cis_ubuntu14_04.yml
@@ -0,0 +1,3046 @@
+# Security Configuration Assessment
+# CIS Checks for Ubuntu Linux 14.04 LTS
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Ubuntu Linux 14.04 LTS Benchmark v2.1.0 - 12-28-2017
+
+policy:
+  id: "cis_ubuntu14-04"
+  file: "cis_ubuntu14_04.yml"
+  name: "CIS Ubuntu Linux 14.04 LTS Benchmark v2.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 14.04 LTS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Ubuntu version"
+  description: "Requirements for running the SCA scan against Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:Ubuntu"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1.1.1 Disable unused filesystems
+  - id: 19500
+    title: "Ensure mounting of cramfs filesystems is disabled"
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:cramfs"
+
+  - id: 19501
+    title: "Ensure mounting of freevxfs filesystems is disabled"
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 19502
+    title: "Ensure mounting of jffs2 filesystems is disabled"
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 19503
+    title: "Ensure mounting of hfs filesystems is disabled"
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 19504
+    title: "Ensure mounting of hfsplus filesystems is disabled"
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 19505
+    title: "Ensure mounting of udf filesystems is disabled"
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Filesystem Configuration
+  - id: 19506
+    title: "Ensure separate partition exists for /tmp"
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 19507
+    title: "Ensure nodev option set on /tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodevto the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 19508
+    title: "Ensure nosuid option set on /tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 19509
+    title: "Ensure separate partition exists for /var"
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 19510
+    title: "Ensure separate partition exists for /var/tmp"
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 19511
+    title: "Ensure nodev option set on /var/tmp partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 19512
+    title: "Ensure nosuid option set on /var/tmp partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 19513
+    title: "Ensure noexec option set on /var/tmp partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 19514
+    title: "Ensure separate partition exists for /var/log"
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 19515
+    title: "Ensure separate partition exists for /var/log/audit"
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 19516
+    title: "Ensure separate partition exists for /home"
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 19517
+    title: "Ensure nodev option set on /home partition"
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 19518
+    title: "Ensure nodev option set on /run/shm partition"
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm: # mount -o remount,nodev /run/shm"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:nodev'
+
+  - id: 19519
+    title: "Ensure nosuid option set on /run/shm partition"
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm: # mount -o remount,nosuid /run/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:nosuid'
+
+  - id: 19520
+    title: "Ensure noexec option set on /run/shm partition"
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /run/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /run/shm: # mount -o remount,noexec /run/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/run/shm\s && r:noexec'
+
+  - id: 19521
+    title: "Disable Automounting"
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Remove or comment out start lines in /etc/init/autofs.conf: # start on runlevel [2345]"
+    compliance:
+      - cis: ["1.1.21"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config autofs -> r:^autofs"
+
+  # 1.3 Filesystem Integrity Checking
+  - id: 19522
+    title: "Ensure AIDE is installed"
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    reference:
+      - "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 19523
+    title: "Ensure filesystem integrity is regularly checked"
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: # crontab -u root -e   Add the following line to the crontab:   0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
+      - "c:crontab -u root -l -> !r:^# && r:/usr/bin/aide && r:--check"
+
+  # 1.4 Secure Boot Settings
+  - id: 19524
+    title: "Ensure permissions on bootloader config are configured"
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19525
+    title: "Ensure bootloader password is set"
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2    Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <<EOF     set superusers="<username>"      password_pbkdf2 <username> <encrypted-password>  EOF     Run the following command to update the grub2 configuration:  # update-grub'
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 19526
+    title: "Ensure authentication required for single user mode"
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.5 Additional Process Hardening
+  - id: 19527
+    title: "Ensure core dumps are restricted"
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  - id: 19528
+    title: "Ensure XD/NX support is enabled"
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:dmesg -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 19529
+    title: "Ensure address space layout randomization (ASLR) is enabled"
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 19530
+    title: "Ensure prelink is disabled"
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  # 1.6 Configure SELinux
+  - id: 19531
+    title: "Ensure SELinux is not disabled in bootloader configuration"
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/gruband remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters:  GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX=""      Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:selinux=0'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:enforcing=0'
+
+  - id: 19532
+    title: "Ensure the SELinux state is enforcing"
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing "
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s*enabled$'
+      - 'c:sestatus -> r:^Current mode:\s*enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s*enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  - id: 19533
+    title: "Ensure SELinux policy is configured"
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=ubuntu"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+ubuntu|^Loaded policy name:\s+default|^Loaded policy name:\s+mls'
+      - 'f:/etc/selinux/config -> r:^Loaded policy name:\s+ubuntu|^\s*SELINUXTYPE\s*=\s*default|^\s*SELINUXTYPE\s*=\s*mls'
+
+  - id: 19534
+    title: "Ensure no unconfined daemons exist"
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+
+  - id: 19535
+    title: "Ensure AppArmor is not disabled in bootloader configuration"
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and remove all instances of apparmor=0 from all CMDLINE_LINUX parameters:    GRUB_CMDLINE_LINUX_DEFAULT="quiet"    GRUB_CMDLINE_LINUX=""Run the following command to pdate the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.2.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:apparmor=0'
+
+  - id: 19536
+    title: "Ensure all AppArmor Profiles are enforcing"
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.2.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:apparmor status -> r:0 profiles are in complain mode"
+      - "c:apparmor status -> r:0 processes are unconfined"
+      - 'c:apparmor status -> n:(\d+) profiles are loaded compare > 0'
+
+  - id: 19537
+    title: "Ensure SELinux or AppArmor are installed"
+    description: "SELinux and AppArmor provide Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux  Or: # apt-get install apparmor"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s selinux-basics -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  # 1.7 Warning Banners
+  - id: 19538
+    title: "Ensure message of the day is configured properly"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  - id: 19539
+    title: "Ensure local login warning banner is configured properly"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  - id: 19540
+    title: "Ensure remote login warning banner is configured properly"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  - id: 19541
+    title: "Ensure permissions on /etc/motd are configured"
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19542
+    title: "Ensure permissions on /etc/issue are configured"
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19543
+    title: "Ensure permissions on /etc/issue.net are configured"
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19544
+    title: "Ensure GDM login banner is configured"
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Create the /etc/dconf/profile/gdm file with the following contents:    user-db:user    system-db:gdm     file-db:/usr/share/gdm/greeter-dconf-defaults      Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message:    [org/gnome/login-screen]    banner-message-enable=true        banner-message-text='Authorized uses only. All activity may be monitored and reported.'   Run the following command to update the system databases: # dconf update"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:^user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:^system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:^file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^[org/gnome/login-screen]'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^banner-message-text=\.+'
+
+  - id: 19545
+    title: "Ensure updates, patches, and additional security software are installed"
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt-get -s upgrade -> r:^The following packages will be upgraded"
+
+  # 2 Services
+
+  - id: 19546
+    title: "Ensure chargen services are not enabled"
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with chargen from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all chargen services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^chargen"
+      - 'd:/etc/inetd.d -> r:\. -> r:^chargen'
+
+  - id: 19547
+    title: "Ensure daytime services are not enabled"
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with daytime from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all daytime services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^daytime"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^daytime'
+
+  - id: 19548
+    title: "Ensure discard services are not enabled"
+    description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with discard from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all discard services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^discard"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^discard'
+
+  - id: 19549
+    title: "Ensure echo services are not enabled"
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with echo from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all echo services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^echo"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^echo'
+
+  - id: 19550
+    title: "Ensure time services are not enabled"
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled"
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with time from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all time services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^time"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^time'
+
+  - id: 19551
+    title: "Ensure rsh server is not enabled"
+    description: "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package"
+    remediation: "Comment out or remove any lines starting with shell, login or exec from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all shell, login or exec services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^shell"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^shell'
+      - "f:/etc/inetd.conf -> r:^login"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^login'
+      - "f:/etc/inetd.conf -> r:^exec"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^exec'
+
+  - id: 19552
+    title: "Ensure talk server is not enabled"
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Comment out or remove any lines starting with talk or ntalk from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all talk or ntalk services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^talk"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^talk'
+      - "f:/etc/inetd.conf -> r:^ntalk"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^ntalk'
+
+  - id: 19553
+    title: "Ensure telnet server is not enabled"
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecureand unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Comment out or remove any lines starting with telnet from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all telnet services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^telnet"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^telnet'
+
+  - id: 19554
+    title: "Ensure tftp server is not enabled"
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftpd and atftp are both used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specificneed for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Comment out or remove any lines starting with tftp from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all tftp services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^tftp"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^tftp'
+
+  - id: 19555
+    title: "Ensure xinetd is not enabled"
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed."
+    remediation: "Remove or comment out start lines in /etc/init/xinetd.conf: # start on runlevel [2345]"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config xinetd -> r:^xinetd"
+
+  - id: 19556
+    title: "Ensure openbsd-inetd is not installed"
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+
+  - id: 19557
+    title: "Ensure time synchronization is in use"
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using one of the following commands: # apt-get install ntp # apt-get install chrony     On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+
+  - id: 19558
+    title: "Ensure ntp is configured"
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  - id: 19559
+    title: "Ensure chrony is configured"
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server>"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 19560
+    title: "Ensure the X Window system is not installed"
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: apt-get remove xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 19561
+    title: "Ensure Avahi Server is not enabled"
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Remove or comment out start lines in /etc/init/avahi-daemon.conf: #start on runlevel [2345]"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config avahi-daemon -> r:^avahi-daemon"
+
+  - id: 19562
+    title: "Ensure CUPS is not enabled"
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/cups.conf: #start on runlevel [2345]"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: all
+    rules:
+      - "c:initctl show-config cups -> r:^cups"
+
+  - id: 19563
+    title: "Ensure DHCP Server is not enabled"
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/isc-dhcp-server.conf and /etc/init/isc-dhcp-server6.conf: #start on runlevel [2345]"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config isc-dhcp-server -> r:^isc-dhcp-server"
+      - "c:initctl show-config isc-dhcp-server6 -> r:^isc-dhcp-server6"
+
+  - id: 19564
+    title: "Ensure LDAP server is not enabled"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # update-rc.d slapd disable"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: all
+    rules:
+      - 'c:ls /etc/rc*.d/S*slapd -> !r:\.+|No such file or directory'
+
+  - id: 19565
+    title: "Ensure NFS and RPC are not enabled"
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/rpcbind.conf: # start on start-rpcbind Run the following command to disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:ls /etc/rc*.d/S*nfs-kernel-serverr -> !r:\.+|No such file or directory'
+      - "c:initctl show-config rpcbind -> r:^rpcbind"
+
+  - id: 19566
+    title: "Ensure DNS Server is not enabled"
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable bind9: # update-rc.d bind9 disable"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c: ls /etc/rc*.d/S*bind9 -> !r:\.+|No such file or directory'
+
+  - id: 19567
+    title: "Ensure FTP Server is not enabled"
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/vsftpd.conf: # start on runlevel [2345] or net-device-up IFACE!=lo"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config vsftpd -> r:^vsftpd"
+
+  - id: 19568
+    title: "Ensure HTTP Server is not enabled"
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # update-rc.d apache2 disable"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:ls /etc/rc*.d/S*apache2 -> !r:\.+|No such file or directory'
+
+  - id: 19569
+    title: "Ensure IMAP and POP3 server is not enabled"
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be deleted to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/dovecot.conf: # start on runlevel [2345]"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config dovecot -> r:^dovecot"
+
+  - id: 19570
+    title: "Ensure Samba is not enabled"
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/smbd.conf: # start on (local-filesystems and net-device-up)"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config smbd -> r:^smbd"
+
+  - id: 19571
+    title: "Ensure HTTP Proxy Server is not enabled"
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Remove or comment out start lines in /etc/init/squid3.conf: # start on runlevel [2345]"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config squid3 -> r:^squid3"
+
+  - id: 19572
+    title: "Ensure SNMP Server is not enabled"
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # update-rc.d snmpd disable"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:ls /etc/rc*.d/S*snmpd -> !r:\.+|No such file or directory'
+
+  - id: 19573
+    title: "Ensure mail transfer agent is configured for local-only mode"
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only . Restart postfix: #  service postfix restart"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 19574
+    title: "Ensure rsync service is not enabled"
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Edit the /etc/default/rsync file and set RSYNC_ENABLE to false :RSYNC_ENABLE=false"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: all
+    rules:
+      - "f:/etc/default/rsync -> r:^RSYNC_ENABLE=false"
+
+  - id: 19575
+    title: "Ensure NIS Server is not enabled"
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Remove or comment out start lines in /etc/init/ypserv.conf:    #start on (started portmap ON_BOOT=     #or (started portmap ON_BOOT=y               #and ((filesystem and static-network-up) or failsafe-boot)))"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config ypserv -> r:^ypserv"
+
+  - id: 19576
+    title: "Ensure NIS Client is not installed"
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall the nis package: # apt-get remove nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 19577
+    title: "Ensure rsh client is not installed"
+    description: "The rshpackage contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
+    remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+      - "c:dpkg -s rsh-redone-client -> r:install ok installed"
+
+  - id: 19578
+    title: "Ensure talk client is not installed"
+    description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk: apt-get remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 19579
+    title: "Ensure telnet client is not installed"
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 19580
+    title: "Ensure LDAP client is not installed"
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # apt-get remove ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  ############################
+  #  3 Network Configuration #
+  ############################
+
+  - id: 19581
+    title: "Ensure IP forwarding is disabled"
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # s # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  - id: 19582
+    title: "Ensure packet redirect sending is disabled"
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0    net.ipv4.conf.default.send_redirects=0    Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0    # sysctl -w net.ipv4.conf.default.send_redirects=0    # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  - id: 19583
+    title: "Ensure source routed packets are not accepted"
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 . Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0  # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  - id: 19584
+    title: "Ensure ICMP redirects are not accepted"
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 . Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0  # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 19585
+    title: "Ensure secure ICMP redirects are not accepted"
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  - id: 19586
+    title: "Ensure suspicious packets are logged"
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  - id: 19587
+    title: "Ensure broadcast ICMP requests are ignored"
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  - id: 19588
+    title: "Ensure bogus ICMP responses are ignored"
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  - id: 19589
+    title: "Ensure Reverse Path Filtering is enabled"
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  - id: 19590
+    title: "Ensure TCP SYN Cookies is enabled"
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  - id: 19591
+    title: "Ensure IPv6 router advertisements are not accepted"
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  - id: 19592
+    title: "Ensure IPv6 redirects are not accepted"
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirets as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 19593
+    title: "Ensure IPv6 is disabled"
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: 'Edit /etc/default/grub and add ''``ipv6.disable=1'' to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="ipv6.disable=1"     Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:ipv6.disable=1'
+
+  - id: 19594
+    title: "Install TCP Wrappers"
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  - id: 19595
+    title: "Ensure /etc/hosts.allow is configured"
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: 'Run the following command to create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow. Where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  - id: 19596
+    title: "Ensure /etc/hosts.deny is configured"
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  - id: 19597
+    title: "Verify permissions on /etc/hosts.allow"
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow :  # chown root:root /etc/hosts.allow  # chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 19598
+    title: "Verify permissions on /etc/hosts.deny"
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : # chown root:root /etc/hosts.deny  # chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 19599
+    title: "Ensure DCCP is disabled"
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  - id: 19600
+    title: "Ensure SCTP is disabled"
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  - id: 19601
+    title: "Ensure RDS is disabled"
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  - id: 19602
+    title: "Ensure TIPC is disabled"
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  # 3.5 Firewall configuration
+
+  - id: 19603
+    title: "Ensure default deny firewall policy"
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.6.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:iptables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 19604
+    title: "Ensure loopback traffic is configured"
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.6.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  #########################################
+  # 4 Logging and Auditing
+  #########################################
+
+  - id: 19605
+    title: "Ensure audit log storage size is configured"
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 19606
+    title: "Ensure system is disabled when audit logs are full"
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 19607
+    title: "Ensure audit logs are not automatically deleted"
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 19608
+    title: "Ensure auditd service is enabled"
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # update-rc.d auditd enable"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: [CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:ls /etc/rc*.d/S*auditd -> r:/etc/rc2.d/S37auditd  && r:/etc/rc3.d/S37auditd && r:/etc/rc4.d/S37auditd && r:/etc/rc5.d/S37auditd"
+
+  - id: 19609
+    title: "Ensure auditing for processes that start prior to auditd is enabled"
+    description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: '1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  - id: 19610
+    title: "Ensure events that modify date and time information are collected"
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.3", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change"
+
+  - id: 19611
+    title: "Ensure events that modify user/group information are collected"
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity"
+
+  - id: 19612
+    title: "Ensure events that modify the system's network environment are collected"
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale"
+
+  - id: 19613
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected"
+    description: "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy  | -w /usr/share/selinux/ -p wa -k MAC-policy On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/|/etc/apparmor/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/|/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy"
+
+  - id: 19614
+    title: "Ensure login and logout events are collected"
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins"
+
+  - id: 19615
+    title: "Ensure session initiation information is collected"
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins"
+
+  - id: 19616
+    title: "Ensure discretionary access control permission modification events are collected"
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  - id: 19617
+    title: "Ensure unsuccessful unauthorized file access attempts are collected"
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  - id: 19618
+    title: "Ensure successful file system mounts are collected"
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  - id: 19619
+    title: "Ensure file deletion events by users are collected"
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["6,2", "13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  - id: 19620
+    title: "Ensure changes to system administration scope (sudoers) is collected"
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  - id: 19621
+    title: "Ensure system administrator actions (sudolog) are collected"
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["4.9"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions"
+
+  - id: 19622
+    title: "Ensure kernel module loading and unloading is collected"
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules"
+
+  - id: 19623
+    title: "Ensure the audit configuration is immutable"
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - "c:tail -1 /etc/audit/audit.rules -> -e 2"
+
+  - id: 19624
+    title: "Ensure rsyslog Service is enabled"
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Set the proper start conditions in /etc/init/rsyslog.conf: start on filesystem"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:initctl show-config rsyslog -> r:^rsyslog"
+      - "c:initctl show-config rsyslog -> r:start on filesystem"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 19625
+    title: "Ensure rsyslog default file permissions configured"
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 19626
+    title: "Ensure rsyslog is configured to send logs to a remote log host"
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
+
+  - id: 19627
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 19628
+    title: "Ensure syslog-ng service is enabled"
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable rsyslog :   # update-rc.d syslog-ng enable"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:ls /etc/rc*.d/S*syslog-ng > r:/etc/rc2.d/S10syslog-ng  && r:/etc/rc3.d/S10syslog-ng && r:/etc/rc4.d/S10syslog-ng && r:/etc/rc5.d/S10syslog-ng"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 19629
+    title: "Ensure syslog-ng default file permissions configured"
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(06\d0\)|perm\(04\d0\)|perm\(02\d0\)|perm\(00\d0\) && r:perm\(0\d40\)|perm\(0\d00\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 19630
+    title: "Ensure syslog-ng is configured to send logs to a remote log host"
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 19631
+    title: "Ensure rsyslog or syslog-ng is installed"
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands: # apt-get install rsyslog # apt-get install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+      - "c:dpkg -s syslog-ng -> r:install ok installed"
+
+  #########################################
+  # 5 Access, Authentication and Authorization
+  #########################################
+
+  - id: 19632
+    title: "Ensure cron daemon is enabled"
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Edit start lines in /etc/init/cron.conf to match the following: start on runlevel [2345]"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:initctl show-config cron -> r:^cron"
+      - "c:initctl show-config cron -> r:start on runlevel [2345]"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 19633
+    title: "Ensure permissions on /etc/crontab are configured"
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0\d00/\w\w\w-------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 19634
+    title: "Ensure permissions on /etc/cron.hourly are configured"
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 19635
+    title: "Ensure permissions on /etc/cron.daily are configured"
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 19636
+    title: "Ensure permissions on /etc/cron.weekly are configured"
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 19637
+    title: "Ensure permissions on /etc/cron.monthly are configured"
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 19638
+    title: "Ensure permissions on /etc/cron.d are configured"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 19639
+    title: "Ensure at/cron is restricted to authorized users"
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2 SSH Server Configuration
+
+  - id: 19640
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 19641
+    title: "Ensure SSH Protocol is set to 2"
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2. Notes: This command not longer exists in newer versions of SSH. This check is still being included for systems that may be running an older version of SSH. As of openSSH version 7.4 this parameter will not cause an issue when included."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+  - id: 19642
+    title: "Ensure SSH LogLevel is set to INFO"
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*LogLevel\s+INFO'
+
+  - id: 19643
+    title: "Ensure SSH X11 forwarding is disabled"
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+no'
+
+  - id: 19644
+    title: "Ensure SSH MaxAuthTries is set to 4 or less"
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  - id: 19645
+    title: "Ensure SSH IgnoreRhosts is enabled"
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*IgnoreRhosts\s+yes'
+
+  - id: 19646
+    title: "Ensure SSH HostbasedAuthentication is disabled"
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*HostbasedAuthentication\s+no'
+
+  - id: 19647
+    title: "Ensure SSH root login is disabled"
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no'
+
+  - id: 19648
+    title: "Ensure SSH PermitEmptyPasswords is disabled"
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+no'
+
+  - id: 19649
+    title: "Ensure SSH PermitUserEnvironment is disabled"
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitUserEnvironment\s+no'
+
+  - id: 19650
+    title: "Ensure only approved MAC algorithms are used"
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  - id: 19651
+    title: "Ensure SSH Idle Timeout Interval is configured"
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  - id: 19652
+    title: "Ensure SSH LoginGraceTime is set to one minute or less"
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  - id: 19653
+    title: "Ensure SSH access is limited"
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  - id: 19654
+    title: "Ensure SSH warning banner is configured"
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.3 Configure PAM
+
+  - id: 19655
+    title: "Ensure password creation requirements are configured"
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s libpam-pwquality -> r:install ok installed"
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  - id: 19656
+    title: "Ensure lockout for failed password attempts is configured"
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. "
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+
+  - id: 19657
+    title: "Ensure password reuse is limited"
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 19658
+    title: "Ensure password hashing algorithm is SHA-512"
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  # 5.4 User Accounts and Environment
+
+  - id: 19659
+    title: "Ensure password expiration is 365 days or less"
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  - id: 19660
+    title: "Ensure minimum days between password changes is 7 or more"
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  - id: 19661
+    title: "Ensure password expiration warning days is 7 or more"
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  - id: 19662
+    title: "Ensure inactive password lock is 30 days or less"
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+
+  - id: 19663
+    title: "Ensure default group for the root account is GID 0"
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  - id: 19664
+    title: "Ensure default user umask is 027 or more restrictive"
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 19665
+    title: "Ensure default user shell timeout is 900 seconds or less"
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc, /etc/profile files, and /etc/profile.d*.sh (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  - id: 19666
+    title: "Ensure access to the su command is restricted"
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the wheel statement in the /etc/group file: wheel:x:10:root,<user list> Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
+      - 'f:/etc/group -> !r:^# && r:wheel:\w+:\d+:\.'
+
+  ###############################
+  # 6 System Maintenance
+  ###############################
+
+  - id: 19667
+    title: "Ensure permissions on /etc/passwd are configured"
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19668
+    title: "Ensure permissions on /etc/shadow are configured"
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the one following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 19669
+    title: "Ensure permissions on /etc/group are configured"
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19670
+    title: "Ensure permissions on /etc/gshadow are configured"
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 19671
+    title: "Ensure permissions on /etc/passwd- are configured"
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19672
+    title: "Ensure permissions on /etc/shadow- are configured"
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/shadow- : # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- # chmod o-rwx,g-rw /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 19673
+    title: "Ensure permissions on /etc/group- are configured"
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 19674
+    title: "Ensure permissions on /etc/gshadow- are configured"
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "# chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-rw /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.2 User and Group Settings
+
+  - id: 19675
+    title: "Ensure password fields are not empty"
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  - id: 19676
+    title: 'Ensure no legacy "+" entries exist in /etc/passwd'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  - id: 19677
+    title: 'Ensure no legacy "+" entries exist in /etc/shadow'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  - id: 19678
+    title: 'Ensure no legacy "+" entries exist in /etc/group'
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  - id: 19679
+    title: "Ensure root is the only UID 0 account"
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  - id: 19680
+    title: "Ensure shadow group is empty"
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - cis_csc: ["16"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/ubuntu/cis_ubuntu16_04.yml b/etc/ruleset/sca/ubuntu/cis_ubuntu16_04.yml
new file mode 100644
index 0000000000..6baf0148d5
--- /dev/null
+++ b/etc/ruleset/sca/ubuntu/cis_ubuntu16_04.yml
@@ -0,0 +1,3076 @@
+# Security Configuration Assessment
+# CIS Checks for Ubuntu Linux 16.04 LTS
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Ubuntu Linux 16.04 LTS Benchmark v1.1.0 - 09-08-2022
+
+policy:
+  id: "cis_ubuntu16-04"
+  file: "cis_ubuntu16_04.yml"
+  name: "CIS Ubuntu Linux 16.04 LTS Benchmark v1.1.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 16.04 LTS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Ubuntu version."
+  description: "Requirements for running the SCA scan against Ubuntu."
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:Ubuntu"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1.1.1 Disable unused filesystems
+
+  - id: 21500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:cramfs"
+
+  - id: 21501
+    title: "Ensure mounting of freevxfs filesystems is disabled."
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 21502
+    title: "Ensure mounting of jffs2 filesystems is disabled."
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 21503
+    title: "Ensure mounting of hfs filesystems is disabled."
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 21504
+    title: "Ensure mounting of hfsplus filesystems is disabled."
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 21505
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  # 1.1.2 Filesystem Configuration
+  - id: 21506
+    title: "Ensure separate partition exists for /tmp."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 21507
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodevto the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 21508
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 21509
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 21510
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 21511
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 21512
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 21513
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 21514
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 21515
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 21516
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 21517
+    title: "Ensure nodev option set on /home partition."
+    description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 21518
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  - id: 21519
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  - id: 21520
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  - id: 21521
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run the following command to disable autofs: # systemctl disable autofs"
+    compliance:
+      - cis: ["1.1.21"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> r:^enabled"
+
+  # 1.3 Filesystem Integrity Checking
+  - id: 21522
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Run the following command to install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    reference:
+      - "AIDE stable manual: http://aide.sourceforge.net/stable/manual.html"
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 21523
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following command: # crontab -u root -e   Add the following line to the crontab:   0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
+      - "c:crontab -u root -l -> !r:^# && r:/usr/bin/aide && r:--check"
+
+  # 1.4 Secure Boot Settings
+  - id: 21524
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21525
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2    Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <<EOF     set superusers="<username>"      password_pbkdf2 <username> <encrypted-password>  EOF     Run the following command to update the grub2 configuration:  # update-grub'
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 21526
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.5 Additional Process Hardening
+  - id: 21527
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  - id: 21528
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:dmesg -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 21529
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 21530
+    title: "Ensure prelink is disabled."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following commands to restore binaries to normal and uninstall prelink: prelink -ua && yum remove prelink"
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  # 1.6 Configure SELinux
+
+  - id: 21531
+    title: "Ensure SELinux is not disabled in bootloader configuration."
+    description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+    rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/gruband remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters:  GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX=""      Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:selinux=0'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:enforcing=0'
+
+  - id: 21532
+    title: "Ensure the SELinux state is enforcing."
+    description: "Set SELinux to enable when the system is booted."
+    rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing "
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^SELinux status:\s*enabled$'
+      - 'c:sestatus -> r:^Current mode:\s*enforcing$'
+      - 'c:sestatus -> r:^Mode from config file:\s*enforcing$'
+      - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing'
+
+  - id: 21533
+    title: "Ensure SELinux policy is configured."
+    description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+    remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=ubuntu"
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sestatus -> r:^Loaded policy name:\s+ubuntu|^Loaded policy name:\s+default|^Loaded policy name:\s+mls'
+      - 'f:/etc/selinux/config -> r:^Loaded policy name:\s+ubuntu|^\s*SELINUXTYPE\s*=\s*default|^\s*SELINUXTYPE\s*=\s*mls'
+
+  - id: 21534
+    title: "Ensure no unconfined daemons exist."
+    description: "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
+    rationale: "Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t . This could cause the unintended consequence of giving the process more permission than it requires."
+    remediation: "Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:ps -eZ -> r:initrc && !r:tr|ps|egrep|bash|awk"
+
+  - id: 21535
+    title: "Ensure AppArmor is not disabled in bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and remove all instances of apparmor=0 from all CMDLINE_LINUX parameters:    GRUB_CMDLINE_LINUX_DEFAULT="quiet"    GRUB_CMDLINE_LINUX=""Run the following command to pdate the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.6.2.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:apparmor=0'
+
+  - id: 21536
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.2.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:apparmor status -> r:0 profiles are in complain mode"
+      - "c:apparmor status -> r:0 processes are unconfined"
+      - 'c:apparmor status -> n:(\d+) profiles are loaded compare > 0'
+
+  - id: 21537
+    title: "Ensure SELinux or AppArmor are installed."
+    description: "SELinux and AppArmor provide Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux  Or: # apt-get install apparmor"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s selinux-basics -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  # 1.7 Warning Banners
+  - id: 21538
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v."
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/motd -> r:\\v|\\r|\\m|\\s'
+
+  - id: 21539
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["5.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s'
+
+  - id: 21540
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s'
+
+  - id: 21541
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod 644 /etc/motd"
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21542
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod 644 /etc/issue"
+    compliance:
+      - cis: ["1.7.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21543
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
+    compliance:
+      - cis: ["1.7.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21544
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Create the /etc/dconf/profile/gdm file with the following contents:    user-db:user    system-db:gdm     file-db:/usr/share/gdm/greeter-dconf-defaults      Create or edit the banner-message-enable and banner-message-text options in /etc/dconf/db/gdm.d/01-banner-message:    [org/gnome/login-screen]    banner-message-enable=true        banner-message-text='Authorized uses only. All activity may be monitored and reported.'   Run the following command to update the system databases: # dconf update"
+    compliance:
+      - cis: ["1.7.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/dconf/profile/gdm -> r:^user-db:user"
+      - "f:/etc/dconf/profile/gdm -> r:^system-db:gdm"
+      - "f:/etc/dconf/profile/gdm -> r:^file-db:/usr/share/gdm/greeter-dconf-defaults"
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^[org/gnome/login-screen]'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^banner-message-enable=true'
+      - 'd:/etc/dconf/db/gdm.d/ -> r:\. -> r:^banner-message-text=\.+'
+
+  - id: 21545
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.8"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt-get -s upgrade -> r:^The following packages will be upgraded"
+
+  # 2 Services
+
+  - id: 21546
+    title: "Ensure chargen services are not enabled."
+    description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with chargen from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all chargen services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^chargen"
+      - 'd:/etc/inetd.d -> r:\. -> r:^chargen'
+
+  - id: 21547
+    title: "Ensure daytime services are not enabled."
+    description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with daytime from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all daytime services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^daytime"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^daytime'
+
+  - id: 21548
+    title: "Ensure discard services are not enabled."
+    description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with discard from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all discard services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^discard"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^discard'
+
+  - id: 21549
+    title: "Ensure echo services are not enabled."
+    description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with echo from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all echo services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^echo"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^echo'
+
+  - id: 21550
+    title: "Ensure time services are not enabled."
+    description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled"
+    rationale: "Disabling this service will reduce the remote attack surface of the system."
+    remediation: "Comment out or remove any lines starting with time from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all time services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.5"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^time"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^time'
+
+  - id: 21551
+    title: "Ensure rsh server is not enabled."
+    description: "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text."
+    rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package"
+    remediation: "Comment out or remove any lines starting with shell, login or exec from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all shell, login or exec services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.6"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^shell"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^shell'
+      - "f:/etc/inetd.conf -> r:^login"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^login'
+      - "f:/etc/inetd.conf -> r:^exec"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^exec'
+
+  - id: 21552
+    title: "Ensure talk server is not enabled."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Comment out or remove any lines starting with talk or ntalk from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all talk or ntalk services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.7"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^talk"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^talk'
+      - "f:/etc/inetd.conf -> r:^ntalk"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^ntalk'
+
+  - id: 21553
+    title: "Ensure telnet server is not enabled."
+    description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecureand unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+    remediation: "Comment out or remove any lines starting with telnet from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all telnet services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.8"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^telnet"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^telnet'
+
+  - id: 21554
+    title: "Ensure tftp server is not enabled."
+    description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftpd and atftp are both used to define and support a TFTP server."
+    rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specificneed for TFTP. In that case, extreme caution must be used when configuring the services."
+    remediation: "Comment out or remove any lines starting with tftp from /etc/inetd.conf and /etc/inetd.d/*. Set disable = yes on all tftp services in /etc/xinetd.conf and /etc/xinetd.d/* "
+    compliance:
+      - cis: ["2.1.9"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/inetd.conf -> r:^tftp"
+      - 'd:/etc/inetd.d/ -> r:\. -> r:^tftp'
+
+  - id: 21555
+    title: "Ensure xinetd is not enabled."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed."
+    remediation: "Run the following commands to diable xinetd: # systemctl disable xinetd"
+    compliance:
+      - cis: ["2.1.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled xinetd -> r:^enabled"
+
+  - id: 21556
+    title: "Ensure openbsd-inetd is not installed."
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
+    compliance:
+      - cis: ["2.1.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+
+  - id: 21557
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using one of the following commands: # apt-get install ntp # apt-get install chrony     On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+
+  - id: 21558
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  - id: 21559
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server>"
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony.conf -> r:^server\.+|^pool\.+'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 21560
+    title: "Ensure the X Window system is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Run the following command to remove the X Windows System packages: apt-get remove xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 21561
+    title: "Ensure Avahi Server is not enabled."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> enabled"
+
+  - id: 21562
+    title: "Ensure CUPS is not enabled."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl disable cups"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> enabled"
+
+  - id: 21563
+    title: "Ensure DHCP Server is not enabled."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled isc-dhcp-server -> enabled"
+      - "c:systemctl is-enabled isc-dhcp-server6 -> enabled"
+
+  - id: 21564
+    title: "Ensure LDAP server is not enabled."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # systemctl disable slapd"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled slapd -> enabled"
+
+  - id: 21565
+    title: "Ensure NFS and RPC are not enabled."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs-server -> enabled"
+      - "c:systemctl is-enabled rpcbind -> enabled"
+
+  - id: 21566
+    title: "Ensure DNS Server is not enabled."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # systemctl disable bind9"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled bind9 -> enabled"
+
+  - id: 21567
+    title: "Ensure FTP Server is not enabled."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> enabled"
+
+  - id: 21568
+    title: "Ensure HTTP Server is not enabled."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> enabled"
+
+  - id: 21569
+    title: "Ensure IMAP and POP3 server is not enabled."
+    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dovecot: # systemctl disable dovecot"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled dovecot -> r:^enabled"
+
+  - id: 21570
+    title: "Ensure Samba is not enabled."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smbd -> enabled"
+
+  - id: 21571
+    title: "Ensure HTTP Proxy Server is not enabled."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # systemctl disable squid"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> enabled"
+
+  - id: 21572
+    title: "Ensure SNMP Server is not enabled."
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> enabled"
+
+  - id: 21573
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only . Restart postfix: # systemctl restart postfix"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:netstat -an -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 21574
+    title: "Ensure rsync service is not enabled."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # systemctl disable rsync"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled rsync -> enabled"
+
+  - id: 21575
+    title: "Ensure NIS Server is not enabled."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable nis: # systemctl disable nis"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nis -> enabled"
+
+  - id: 21576
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall the nis package: # apt-get remove nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 21577
+    title: "Ensure rsh client is not installed."
+    description: "The rshpackage contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
+    remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+      - "c:dpkg -s rsh-redone-client -> r:install ok installed"
+
+  - id: 21578
+    title: "Ensure talk client is not installed."
+    description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to uninstall talk: apt-get remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 21579
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["2.6", "4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 21580
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run the following command to uninstall openldap-clients : # apt-get remove ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  ############################
+  #  3 Network Configuration #
+  ############################
+
+  - id: 21581
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0  Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # s # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+
+  - id: 21582
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0    net.ipv4.conf.default.send_redirects=0    Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0    # sysctl -w net.ipv4.conf.default.send_redirects=0    # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  - id: 21583
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 . Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0  # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+
+  - id: 21584
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 . Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0  # sysctl -w net.ipv4.route.flush=1 "
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 21585
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  - id: 21586
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  - id: 21587
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  - id: 21588
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  - id: 21589
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  - id: 21590
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  - id: 21591
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  - id: 21592
+    title: "Ensure IPv6 redirects are not accepted."
+    description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+    rationale: "It is recommended that systems not accept ICMP redirets as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  - id: 21593
+    title: "Ensure IPv6 is disabled."
+    description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+    rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+    remediation: 'Edit /etc/default/grub and add ''``ipv6.disable=1'' to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="ipv6.disable=1"     Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["3", "11"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:ipv6.disable=1'
+
+  - id: 21594
+    title: "Install TCP Wrappers."
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  - id: 21595
+    title: "Ensure /etc/hosts.allow is configured."
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: 'Run the following command to create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow. Where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  - id: 21596
+    title: "Ensure /etc/hosts.deny is configured."
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  - id: 21597
+    title: "Verify permissions on /etc/hosts.allow."
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow :  # chown root:root /etc/hosts.allow  # chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 21598
+    title: "Verify permissions on /etc/hosts.deny."
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : # chown root:root /etc/hosts.deny  # chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.4.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 21599
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.5.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  - id: 21600
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.5.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  - id: 21601
+    title: "Ensure RDS is disabled."
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.5.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  - id: 21602
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.5.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  # 3.5 Firewall configuration
+
+  - id: 21603
+    title: "Ensure default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.6.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:iptables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:iptables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:iptables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  - id: 21604
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.6.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  #########################################
+  # 4 Logging and Auditing
+  #########################################
+
+  - id: 21605
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 21606
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 21607
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 21608
+    title: "Ensure auditd service is enabled."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - tsc: [CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> enabled"
+
+  - id: 21609
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: '1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  - id: 21610
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.3", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change"
+
+  - id: 21611
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity"
+
+  - id: 21612
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale"
+
+  - id: 21613
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy  | -w /usr/share/selinux/ -p wa -k MAC-policy On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy"
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/|/etc/apparmor/ && r:-p wa && r:-k MAC-policy"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/|/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy"
+
+  - id: 21614
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins"
+
+  - id: 21615
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins"
+
+  - id: 21616
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
+
+  - id: 21617
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.11"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access"
+
+  - id: 21618
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"
+
+  - id: 21619
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["6,2", "13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"
+
+  - id: 21620
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope"
+
+  - id: 21621
+    title: "Ensure system administrator actions (sudolog) are collected."
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["4.9"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions"
+
+  - id: 21622
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules"
+      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32|-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules"
+
+  - id: 21623
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.18"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/audit.rules"
+      - "c:tail -1 /etc/audit/audit.rules -> -e 2"
+
+  - id: 21624
+    title: "Ensure rsyslog Service is enabled."
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> enabled"
+
+  # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+  - id: 21625
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 21626
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
+
+  - id: 21627
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts."
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure syslog-ng service is enabled (Scored)
+  - id: 21628
+    title: "Ensure syslog-ng service is enabled."
+    description: "Once the syslog-ng package is installed it needs to be activated."
+    rationale: "If the syslog-ng service is not activated the system may default to the syslogd service or lack logging instead."
+    remediation: "Run the following command to enable rsyslog :   # systemctl enable syslog-ng"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled syslog-ng -> enabled"
+
+  # 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+  - id: 21629
+    title: "Ensure syslog-ng default file permissions configured."
+    description: "syslog-ng will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive syslog-ng data is archived and protected."
+    remediation: "Edit the /etc/syslog-ng/syslog-ng.conf and set perm option to 0640 or more restrictive:     options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); };"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:^options && r:perm\(06\d0\)|perm\(04\d0\)|perm\(02\d0\)|perm\(00\d0\) && r:perm\(0\d40\)|perm\(0\d00\)'
+
+  # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored)
+  - id: 21630
+    title: "Ensure syslog-ng is configured to send logs to a remote log host."
+    description: "The syslog-ng utility supports the ability to send logs it gathers to a remote log host or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).    destination logserver { tcp("logfile.example.com" port(514)); };    log { source(src); destination(logserver); };   Run the following command to reload the rsyslogd configuration: # pkill -HUP syslog-ng'
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/syslog-ng/syslog-ng.conf -> r:destination logserver"
+      - 'f:/etc/syslog-ng/syslog-ng.conf -> r:log\.+source\.+destination'
+
+  # 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored)
+  - id: 21631
+    title: "Ensure rsyslog or syslog-ng is installed."
+    description: "The rsyslog and syslog-ng software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslog and syslog-ng such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog or syslog-ng using one of the following commands: # apt-get install rsyslog # apt-get install syslog-ng"
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+      - "c:dpkg -s syslog-ng -> r:install ok installed"
+
+  #########################################
+  # 5 Access, Authentication and Authorization
+  #########################################
+
+  - id: 21632
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: systemctl enable cron"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 21633
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0\d00/\w\w\w-------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 21634
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 21635
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 21636
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 21637
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 21638
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 21639
+    title: "Ensure at/cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["16"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/at.allow -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2 SSH Server Configuration
+
+  - id: 21640
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  - id: 21641
+    title: "Ensure SSH Protocol is set to 2."
+    description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2. Notes: This command not longer exists in newer versions of SSH. This check is still being included for systems that may be running an older version of SSH. As of openSSH version 7.4 this parameter will not cause an issue when included."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+  - id: 21642
+    title: "Ensure SSH LogLevel is set to INFO."
+    description: "The INFO parameter specifies that login and logout activity will be logged."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*LogLevel\s+INFO'
+
+  - id: 21643
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+no'
+
+  - id: 21644
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  - id: 21645
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*IgnoreRhosts\s+yes'
+
+  - id: 21646
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*HostbasedAuthentication\s+no'
+
+  - id: 21647
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no'
+
+  - id: 21648
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+no'
+
+  - id: 21649
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:^\s*PermitUserEnvironment\s+no'
+
+  - id: 21650
+    title: "Ensure only approved MAC algorithms are used."
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  - id: 21651
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'f:/etc/ssh/sshd_config -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  - id: 21652
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+
+  - id: 21653
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  - id: 21654
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ssh/sshd_config -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.3 Configure PAM
+
+  - id: 21655
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+    condition: all
+    rules:
+      - "c:dpkg -s libpam-pwquality -> r:install ok installed"
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+
+  - id: 21656
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. "
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+
+  - id: 21657
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 21658
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  # 5.4 User Accounts and Environment
+
+  - id: 21659
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2.4"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  - id: 21660
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
+
+  - id: 21661
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  - id: 21662
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+
+  - id: 21663
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["3.6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  - id: 21664
+    title: "Ensure default user umask is 027 or more restrictive."
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["3.6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 21665
+    title: "Ensure default user shell timeout is 900 seconds or less."
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bashrc, /etc/profile files, and /etc/profile.d*.sh (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600"
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  - id: 21666
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the wheel statement in the /etc/group file: wheel:x:10:root,<user list> Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
+      - 'f:/etc/group -> !r:^# && r:wheel:\w+:\d+:\.'
+
+  ###############################
+  # 6 System Maintenance
+  ###############################
+
+  - id: 21667
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21668
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the one following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 21669
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21670
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 21671
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod 644 /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21672
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/shadow- : # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- # chmod o-rwx,g-rw /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  - id: 21673
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod 644 /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0\d\d\d/-\w\w-\w--\w--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 21674
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "# chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-rw /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.2 User and Group Settings
+
+  - id: 21675
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  - id: 21676
+    title: "Ensure no legacy + entries exist in /etc/passwd."
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  - id: 21677
+    title: "Ensure no legacy + entries exist in /etc/shadow"
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.3"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  - id: 21678
+    title: "Ensure no legacy + entries exist in /etc/group"
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  - id: 21679
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  - id: 21680
+    title: "Ensure shadow group is empty."
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - cis_csc: ["16"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/ubuntu/cis_ubuntu18_04.yml b/etc/ruleset/sca/ubuntu/cis_ubuntu18_04.yml
new file mode 100644
index 0000000000..b44053cbde
--- /dev/null
+++ b/etc/ruleset/sca/ubuntu/cis_ubuntu18_04.yml
@@ -0,0 +1,3486 @@
+# Security Configuration Assessment
+# CIS Checks for Ubuntu Linux 18.04 LTS
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Ubuntu Linux 18.04 LTS Benchmark v2.0.1 - 01-03-2020
+
+policy:
+  id: "cis_ubuntu18-04"
+  file: "cis_ubuntu18_04.yml"
+  name: "CIS Ubuntu Linux 18.04 LTS Benchmark v2.0.1"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 18.04 LTS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Ubuntu version."
+  description: "Requirements for running the SCA scan against Ubuntu Linux 18.04 LTS"
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:Ubuntu"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  ############################################################
+  # 1 Initial Setup
+  ############################################################
+
+  # 1.1 Filesystem configuration
+
+  - id: 18500
+    title: "Ensure mounting of cramfs filesystems is disabled."
+    description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+    remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
+    compliance:
+      - cis: ["1.1.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:modprobe -n -v cramfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:cramfs"
+
+  - id: 18501
+    title: "Ensure mounting of freevxfs filesystems is disabled."
+    description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
+    compliance:
+      - cis: ["1.1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:freevxfs"
+
+  - id: 18502
+    title: "Ensure mounting of jffs2 filesystems is disabled."
+    description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
+    compliance:
+      - cis: ["1.1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true"
+      - "not c:lsmod -> r:jffs2"
+
+  - id: 18503
+    title: "Ensure mounting of hfs filesystems is disabled."
+    description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
+    compliance:
+      - cis: ["1.1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfs -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfs"
+
+  - id: 18504
+    title: "Ensure mounting of hfsplus filesystems is disabled."
+    description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vi /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
+    compliance:
+      - cis: ["1.1.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true"
+      - "not c:lsmod -> r:hfsplus"
+
+  - id: 18505
+    title: "Ensure mounting of squashfs filesystems is disabled."
+    description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf  Example: vi /etc/modprobe.d/squashfs.confand add the following line: install squashfs /bin/true  Run the following command to unload the squashfsmodule: # rmmod squashfs"
+    compliance:
+      - cis: ["1.1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
+      - "not c:lsmod -> r:squashfs"
+
+  - id: 18506
+    title: "Ensure mounting of udf filesystems is disabled."
+    description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
+    compliance:
+      - cis: ["1.1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v udf -> r:^install /bin/true"
+      - "not c:lsmod -> r:udf"
+
+  - id: 18507
+    title: "Ensure mounting of FAT filesystems is disabled."
+    description: "The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module."
+    rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/vfat.conf: install vfat /bin/true. Run the following command to unload the vfat module: rmmod vfat"
+    compliance:
+      - cis: ["1.1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - "c:modprobe --showconfig -> r:install vfat /bin/true|Module vfat not found"
+      - "not c:lsmod -> r:vfat"
+
+  # 1.1.x Filesystem Configuration
+  - id: 18508
+    title: "Ensure /tmp is configured."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount: [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,noexec,nodev,nosuid"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+      - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s'
+
+  - id: 18509
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nodev /tmp     OR      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodevto the /tmp mount options:  [Mount]   Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp:  # mount -o remount,nodev /tmp"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+  - id: 18510
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,nosuid /tmp       OR          Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuidto the /tmp mount options:[Mount]  Options=mode=1777,strictatime,noexec,nodev,nosuid  Run the following command to remount /tmp:# mount -o remount,nosuid /tmp"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
+
+  - id: 18511
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add noexecto the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp: # mount -o remount,noexec /tmp       OR      Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexecto the /tmp mount options:  [Mount]  Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp: # mount -o remount,noexec /tmp"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
+
+  - id: 18512
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var\s'
+
+  - id: 18513
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s'
+
+  - id: 18514
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
+    compliance:
+      - cis: ["1.1.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+  - id: 18515
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
+
+  - id: 18516
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
+    compliance:
+      - cis: ["1.1.10"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/tmp\s && r:noexec'
+
+  - id: 18517
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.11"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log\s'
+
+  - id: 18518
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.12"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/var/log/audit\s'
+
+  - id: 18519
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    compliance:
+      - cis: ["1.1.13"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://tldp.org/HOWTO/LVM-HOWTO/
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s'
+
+  - id: 18520
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.  Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+    compliance:
+      - cis: ["1.1.14"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/home\s && r:nodev'
+
+  - id: 18521
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+    compliance:
+      - cis: ["1.1.15"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+  - id: 18522
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+    compliance:
+      - cis: ["1.1.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+  - id: 18523
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+    compliance:
+      - cis: ["1.1.17"]
+      - cis_csc: ["2.6", "8"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+  - id: 18524
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+    remediation: "Run one of the following commands:  Run the following command to disable autofs: # systemctl --now disable autofs    OR  Run the following command to remove autofs:  # apt purge autofs"
+    compliance:
+      - cis: ["1.1.22"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled autofs -> enabled"
+
+  - id: 18525
+    title: "Disable USB Storage."
+    description: "USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment."
+    rationale: "Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/usb_storage.conf and add the following line: # install usb-storage /bin/true . Run the following command to unload the usb-storage module: # rmmod usb-storage"
+    compliance:
+      - cis: ["1.1.23"]
+      - cis_csc: ["8.4", "8.5"]
+      - pci_dss: ["2.2.5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:/sbin/modprobe -n -v usb-storage -> r:install /bin/true"
+      - "not c:lsmod -> r:usb-storage"
+
+  # 1.3 Configure Sudo
+
+  - id: 18526
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "Install sudo using the following command. # apt install sudo OR # apt install sudo-ldap"
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.sudo.ws/
+    condition: any
+    rules:
+      - "c:dpkg -s sudo -> r:install ok installed"
+      - "c:dpkg -s sudo-ldap -> r:install ok installed"
+
+  - id: 18527
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only froma pseudo-pty"
+    rationale: "Attackers can run a malicious program using sudo, which would again fork a background process that remains even when the main program has finished executing."
+    remediation: "edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line: Defaults use_pty"
+    compliance:
+      - cis: ["1.3.2"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  - id: 18528
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file"
+    rationale: "A sudo log file simplifies auditing of sudo commands"
+    remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line:   Defaults logfile="<PATH TO CUSTOM LOG FILE>"   Example    Defaults logfile="/var/log/sudo.log"'
+    compliance:
+      - cis: ["1.3.3"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 1.4 Filesystem Integrity Checking
+  - id: 18529
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE: # apt install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit .  Notes: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+
+  - id: 18530
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "Run the following commands: # cp ./config/aidecheck.service /etc/systemd/system/aidecheck.service  # cp ./config/aidecheck.timer /etc/systemd/system/aidecheck.timer   # chmod 0644 /etc/systemd/system/aidecheck.*  # systemctl reenable aidecheck.timer  # systemctl restart aidecheck.timer  # systemctl daemon-reload    OR  If cron will be used to schedule and run aide check, run the following command:    # crontab -u root -e    Add the following line to the crontab:    0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check"
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["11.5"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service
+      - https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer
+    condition: all
+    rules:
+      - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
+      - "c:crontab -u root -l -> r:aide"
+
+  # 1.5 Secure Boot Settings
+  - id: 18531
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg"
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 18532
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub-mkpasswd-pbkdf2     Enter password: <password>      Reenter password: <password> PBKDF2 hash of your password is <encrypted-password> Add the following into a custom /etc/grub.d configuration file: cat <<EOF     set superusers="<username>"   password_pbkdf2 <username> <encrypted-password>      EOF     The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS=  Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  - id: 18533
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  - id: 18534
+    title: "Ensure interactive boot is not enabled."
+    description: "Interactive boot allows console users to interactively select which services start on boot. Not all distributions support this capability.The PROMPT_FOR_CONFIRM option provides console users the ability to interactively boot the system and select which services to start on boot ."
+    rationale: " Turn off the PROMPT_FOR_CONFIRMoption on the console to prevent console users from potentially overriding established security settings."
+    remediation: "If interactive boot is available disable it."
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> r:^root:*:|^root:!:"
+
+  # 1.6 Additional Process Hardening
+
+  - id: 18535
+    title: "Ensure XD/NX support is enabled."
+    description: "Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature."
+    rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
+    remediation: "On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit systems: If necessary configure your bootloader to load the new kernel and reboot the system. You may need to enable NX or XD support in your bios."
+    compliance:
+      - cis: ["1.6.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "journalctl | grep \"protection: active\"" -> r:NX \(Execute Disable\) protection: active'
+
+  - id: 18536
+    title: "Ensure address space layout randomization (ASLR) is enabled."
+    description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+    rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    compliance:
+      - cis: ["1.6.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+      - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+  - id: 18537
+    title: "Ensure prelink is disabled."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink"
+    compliance:
+      - cis: ["1.6.3"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s prelink -> r:install ok installed"
+
+  - id: 18538
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+    compliance:
+      - cis: ["1.6.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+      - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> !r:^# && r:=\s*\t*0$'
+      - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+  # 1.7 Mandatory Access Control
+
+  - id: 18539
+    title: "Ensure AppArmor is installed."
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Install Apparmor. # apt install apparmor # apt install apparmor-utils"
+    compliance:
+      - cis: ["1.7.1.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s apparmor-utils -> r:install ok installed"
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  - id: 18540
+    title: "Ensure AppArmor is enabled in the bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwrittenby the bootloader boot parameters."
+    rationale: "AppArmor must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line   GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"      Run the following command to update the grub2 configuration # update-grub    Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["1.7.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1 && !r:/boot/memtest86+.bin'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor && !r:/boot/memtest86+.bin'
+
+  - id: 18541
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode."
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/*   OR   Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:apparmor_status -> r:0 processes are unconfined"
+
+  - id: 18542
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applicatons are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.7.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
+      - 'c:apparmor_status -> r:^0\s*processes are unconfined'
+
+  # 1.8 Warning Banners
+  - id: 18543
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd"
+    compliance:
+      - cis: ["1.8.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+      - "not f:/etc/motd"
+
+  - id: 18544
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+    compliance:
+      - cis: ["1.8.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 18545
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net"
+    compliance:
+      - cis: ["1.8.1.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  - id: 18546
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd: # chown root:root /etc/motd # chmod u-x,go-wx /etc/motd"
+    compliance:
+      - cis: ["1.8.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 18547
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue"
+    compliance:
+      - cis: ["1.8.1.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 18548
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net"
+    compliance:
+      - cis: ["1.8.1.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  - id: 18549
+    title: "Ensure GDM login banner is configured."
+    description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+    rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+    remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+    compliance:
+      - cis: ["1.8.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]"
+      - "f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true"
+      - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+
+  - id: 18550
+    title: "Ensure updates, patches, and additional security software are installed."
+    description: "Periodically patches are released for included software either due to security flaws or to include additional functionality."
+    rationale: "Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected."
+    remediation: "Use your package manager to update all packages on the system according to site policy. Notes: Site policy may mandate a testing period before install onto production systems for available updates."
+    compliance:
+      - cis: ["1.9"]
+      - cis_csc: ["3.4", "3.5"]
+      - pci_dss: ["5.2"]
+      - nist_800_53: ["AU.6", "SI.4"]
+      - gpg_13: ["4.2"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2"]
+    condition: none
+    rules:
+      - "c:apt -s upgrade -> r:^The following packages will be upgraded"
+
+  ############################################################
+  # 2 Services
+  ############################################################
+
+  - id: 18551
+    title: "Ensure xinetd is not installed."
+    description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no xinetd services required, it is recommended that the package be removed."
+    remediation: "Run the following command to remove xinetd: # apt purge xinetd"
+    compliance:
+      - cis: ["2.1.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s xinetd -> r:install ok installed"
+
+  - id: 18552
+    title: "Ensure openbsd-inetd is not installed."
+    description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+    rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+    remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
+    compliance:
+      - cis: ["2.1.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s openbsd-inetd -> r:install ok installed"
+
+  - id: 18553
+    title: "Ensure time synchronization is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: 'On systems where host based time synchronization is not available, configure systemd-timesyncd. If "full featured" and/or encrypted time synchronization is required, install chrony or NTP. To install chrony: # apt install chrony To install ntp: # apt install ntp On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.'
+    compliance:
+      - cis: ["2.2.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+      - "c:systemctl is-enabled systemd-timescynd -> enabled"
+
+  - id: 18554
+    title: "Ensure systemd-timesyncd is configured."
+    description: 'systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group "systemd- timesync" needs to be created on installation of systemd. Note: The systemd-timesyncd service specifically implements only SNTP. This minimalistic service will set the system clock for large offsets or slowly adjust it for smaller deltas. More complex use cases are not covered by systemd-timesyncd. This recommendation only applies if timesyncd is in use on the system.'
+    rationale: "Proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if timesyncd is in use on the system."
+    remediation: "Run the following command to enable systemd-timesyncd   # systemctl enable systemd-timesyncd.service  ||  Edit the file /etc/systemd/timesyncd.conf and add/modify the following lines in accordance with local site policy:    (1) NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org        (2) FallbackNTP=ntp.ubuntu.com 3.ubuntu.pool.ntp.org        (3) RootDistanceMaxSec=1    || Run the following commands to start systemd-timesyncd.service   # systemctl start systemd-timesyncd.service   # timedatectl set-ntp true  || Notes: Servers listed and RootDistanceMax should be In Accordance With Local Policy some versions of systemd have been compiled without systemd-timesycnd. On these distributions, chrony or NTP should be used instead of systemd-timesycnd. Not all options are available on all versions of systemd-timesyncd"
+    compliance:
+      - cis: ["2.2.1.2"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd.service -> enabled"
+
+  - id: 18555
+    title: "Ensure chrony is configured."
+    description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+    rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+    remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server <remote-server> Configure chrony to run as the chrony user by configuring the appropriate startup script for your distribution. Startup scripts are typically stored in /etc/init.d or /etc/systemd ."
+    compliance:
+      - cis: ["2.2.1.3"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/chrony/chrony.conf -> r:^server\.+|^pool\.+'
+
+  - id: 18556
+    title: "Ensure ntp is configured."
+    description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+    rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server <remote-server> Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
+    compliance:
+      - cis: ["2.2.1.4"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - http://www.ntp.org/
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery'
+      - 'f:/etc/ntp.conf -> r:^server\.+|^pool\.+'
+      - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+  # 2.2.2 Ensure the X Window system is not installed (Scored)
+  - id: 18557
+    title: "Ensure the X Window system is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*"
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.8", "CC7.1", "CC7.2", "CC8.1"]
+    condition: none
+    rules:
+      - 'c:dpkg -l xserver-xorg-core* -> r:^\wi\s*xserver-xorg'
+
+  - id: 18558
+    title: "Ensure Avahi Server is not enabled."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
+    remediation: "Run the following command to disable avahi-daemon: # systemctl --now disable avahi-daemon"
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled avahi-daemon -> enabled"
+
+  - id: 18559
+    title: "Ensure CUPS is not enabled."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable cups: # systemctl --now disable cups"
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.cups.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled cups -> enabled"
+
+  - id: 18560
+    title: "Ensure DHCP Server is not enabled."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+    remediation: "Run the following commands to disable dhcpd: # systemctl --now disable isc-dhcp-server # systemctl --now disable isc-dhcp-server6"
+    references:
+      - https://www.isc.org/dhcp/
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled isc-dhcp-server -> enabled"
+      - "c:systemctl is-enabled isc-dhcp-server6 -> enabled"
+
+  - id: 18561
+    title: "Ensure LDAP server is not enabled."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable slapd: # systemctl --now disable slapd"
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://www.openldap.org
+    condition: none
+    rules:
+      - "c:systemctl is-enabled slapd -> enabled"
+
+  - id: 18562
+    title: "Ensure NFS and RPC are not enabled."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+    remediation: "Run the following commands to disable nfs and rpcbind: # systemctl --now disable nfs-server # systemctl --now disable rpcbind"
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nfs-server -> enabled"
+      - "c:systemctl is-enabled rpcbind -> enabled"
+
+  - id: 18563
+    title: "Ensure DNS Server is not enabled."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable named: # systemctl --now disable bind9"
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled bind9 -> enabled"
+
+  - id: 18564
+    title: "Ensure FTP Server is not enabled."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable vsftpd: # systemctl --now disable vsftpd"
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled vsftpd -> enabled"
+
+  - id: 18565
+    title: "Ensure HTTP Server is not enabled."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable apache2: # systemctl --now disable apache2"
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled apache2 -> enabled"
+
+  - id: 18566
+    title: "Ensure email services are not enabled."
+    description: "dovecot is an open source mail submission and transport server for Linux based systems."
+    rationale: "Unless mail transport services are to be provided by this system, it is recommended that the service be disabled or deleted to reduce the potential attack surface."
+    remediation: "Run one of the following commands to disable dovecot : # systemctl --now disable dovecot"
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled dovecot -> enabled"
+
+  - id: 18567
+    title: "Ensure Samba is not enabled."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable smbd: # systemctl --now disable smbd"
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled smbd -> enabled"
+
+  - id: 18568
+    title: "Ensure HTTP Proxy Server is not enabled."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to disable squid: # systemctl --now disable squid"
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled squid -> enabled"
+
+  - id: 18569
+    title: "Ensure SNMP Server is not enabled."
+    description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+    rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+    remediation: "Run the following command to disable snmpd: # systemctl --now disable snmpd"
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled snmpd -> enabled"
+
+  - id: 18570
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
+    remediation: "Edit /etc/postfix/main.cf and add thefollowing line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below:   inet_interfaces = loopback-only   Restart postfix:    # systemctl restart postfix"
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1", "AC.4", "SC.7"]
+      - tsc: ["CC5.2", "CC6.4", "CC6.6", "CC6.7"]
+    condition: none
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.+LISTEN|::1:25\.*LISTEN'
+
+  - id: 18571
+    title: "Ensure rsync service is not enabled."
+    description: "The rsyncd service can be used to synchronize files between systems over network links."
+    rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Run the following command to disable rsync: # systemctl --now disable rsync"
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled rsync -> enabled"
+
+  - id: 18572
+    title: "Ensure NIS Server is not enabled."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+    remediation: "Run the following command to disable nis: # systemctl --now disable nis"
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:systemctl is-enabled nis -> enabled"
+
+  - id: 18573
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    remediation: "Uninstall nis : apt purge nis"
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s nis -> r:install ok installed"
+
+  - id: 18574
+    title: "Ensure rsh client is not installed."
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+    remediation: "Uninstall rsh : apt remove rsh-client"
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s rsh-client -> r:install ok installed"
+
+  - id: 18575
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    remediation: "Uninstall talk : apt remove talk"
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s talk -> r:install ok installed"
+
+  - id: 18576
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    remediation: "Uninstall telnet : # apt purge telnet"
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s telnet -> r:install ok installed"
+
+  - id: 18577
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Uninstall ldap-utils : # apt purge ldap-utils"
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "c:dpkg -s ldap-utils -> r:install ok installed"
+
+  ############################################################
+  # 3 Network Configuration
+  ############################################################
+
+  ##########################################################
+  # 3.1 Network Parameters
+  ##########################################################
+  # 3.1.1 Ensure packet redirect sending is disabled
+  - id: 18578
+    title: "Ensure packet redirect sending is disabled."
+    description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+    rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+  # 3.1.2 Ensure IP forwarding is disabled
+  - id: 18579
+    title: "Ensure IP forwarding is disabled."
+    description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+    rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+    remediation: "Run the following command to restore the default parameter and set the active kernel parameter: # grep -Els \"^\\s*net\\.ipv4\\.ip_forward\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv4\\.ip_forward\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 IF IPv6 is enabled: Run the following command to restore the default parameter and set the active kernel parameter: # grep -Els \"^\\s*net\\.ipv6\\.conf\\.all\\.forwarding\\s*=\\s*1\" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri \"s/^\\s*(net\\.ipv6\\.conf\\.all\\.forwarding\\s*)(=)(\\s*\\S+\\b).*$/# *REMOVED* \\1/\" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.1.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+
+  #############################################################
+  # 3.2 Network Parameters
+  #############################################################
+  # 3.2.1 Ensure source routed packets are not accepted
+  - id: 18580
+    title: "Ensure source routed packets are not accepted."
+    description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+    rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0     net.ipv6.conf.all.accept_source_route = 0    net.ipv6.conf.default.accept_source_route = 0   || Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1  # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+  # 3.2.2 Ensure ICMP redirects are not accepted
+  - id: 18581
+    title: "Ensure ICMP redirects are not accepted."
+    description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+    rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1  # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.2.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+  # 3.2.3 Ensure secure ICMP redirects are not accepted
+  - id: 18582
+    title: "Ensure secure ICMP redirects are not accepted."
+    description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+    rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+  # 3.2.4 Ensure suspicious packets are logged (Scored)
+  - id: 18583
+    title: "Ensure suspicious packets are logged."
+    description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+    rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.4"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+  # 3.2.5 Ensure broadcast ICMP requests are ignored
+  - id: 18584
+    title: "Ensure broadcast ICMP requests are ignored."
+    description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+    rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+  # 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+  - id: 18585
+    title: "Ensure bogus ICMP responses are ignored."
+    description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+    rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+  # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+  - id: 18586
+    title: "Ensure Reverse Path Filtering is enabled."
+    description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+    rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+      - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+      - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+  # 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+  - id: 18587
+    title: "Ensure TCP SYN Cookies is enabled."
+    description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+    rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+    compliance:
+      - cis: ["3.2.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+      - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted (Scored)
+  - id: 18588
+    title: "Ensure IPv6 router advertisements are not accepted."
+    description: "This setting disables the systems ability to accept router advertisements"
+    rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+    remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+    compliance:
+      - cis: ["3.3.9"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+      - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+      - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+  #####################################################################
+  # 3.3 TCP Wrappers
+  #####################################################################
+
+  # 3.3.1 Ensure TCP Weappers is installed (Not Scored)
+  - id: 18589
+    title: "Install TCP Wrappers."
+    description: "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it."
+    rationale: "TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it."
+    remediation: "Install tcpd : # apt-get install tcpd To verify if a service supports TCP Wrappers, run the following command: # ldd <path-to-daemon> | grep libwrap.so If there is any output, then the service supports TCP Wrappers."
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "c:dpkg -s tcpd -> r:install ok installed"
+
+  - id: 18590
+    title: "Ensure /etc/hosts.allow is configured."
+    description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+    rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+    remediation: 'Run the following command to create /etc/hosts.allow: # echo "ALL: <net>/<mask>, <net>/<mask>, ..." >/etc/hosts.allow. Where each <net>/<mask> combination  (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.'
+    compliance:
+      - cis: ["3.3.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.allow"
+
+  - id: 18591
+    title: "Ensure /etc/hosts.deny is configured."
+    description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+    rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+    remediation: 'Run the following command to create /etc/hosts.deny: # echo "ALL: ALL" >> /etc/hosts.deny'
+    compliance:
+      - cis: ["3.3.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - "f:/etc/hosts.deny"
+      - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+  - id: 18592
+    title: "Verify permissions on /etc/hosts.allow are configured."
+    description: "The /etc/hosts.allow file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.allow :  # chown root:root /etc/hosts.allow  # chmod 644 /etc/hosts.allow"
+    compliance:
+      - cis: ["3.3.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.allow -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  - id: 18593
+    title: "Verify permissions on /etc/hosts.deny are configured."
+    description: "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate."
+    rationale: "It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/hosts.deny : # chown root:root /etc/hosts.deny  # chmod 644 /etc/hosts.deny"
+    compliance:
+      - cis: ["3.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/hosts.deny -> r:^Access: \(0644/-rw-r--r--\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)$'
+
+  #####################################################################
+  # 3.4 Uncommon Network Protocols
+  #####################################################################
+  # 3.4.1 Ensure DCCP is disabled (Scored)
+  - id: 18594
+    title: "Ensure DCCP is disabled."
+    description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+    rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
+    compliance:
+      - cis: ["3.4.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v dccp -> r:install /bin/true"
+      - "c:lsmod -> r:dccp"
+
+  # 3.4.2 Ensure SCTP is disabled (Scored)
+  - id: 18595
+    title: "Ensure SCTP is disabled."
+    description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
+    compliance:
+      - cis: ["3.4.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v sctp -> r:install /bin/true"
+      - "c:lsmod -> r:sctp"
+
+  # 3.4.3 Ensure RDS is disabled (Scored)
+  - id: 18596
+    title: "Ensure RDS is disabled."
+    description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
+    compliance:
+      - cis: ["3.4.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v rds -> r:install /bin/true"
+      - "c:lsmod -> r:rds"
+
+  # 3.4.4 Ensure TIPC is disabled (Scored)
+  - id: 18597
+    title: "Ensure TIPC is disabled."
+    description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+    rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+    remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
+    compliance:
+      - cis: ["3.4.4"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: none
+    rules:
+      - "not c:modprobe -n -v tipc -> r:install /bin/true"
+      - "c:lsmod -> r:tipc"
+
+  #################################################################
+  # 3.5 Firewall configuration
+  #################################################################
+  #################################################################
+  # 3.5.1 Ensure Firewall software is installed
+  #################################################################
+  # 3.5.1.1 Ensure a Firewall package is installed (Scored)
+  - id: 18598
+    title: "Ensure a Firewall package is installed."
+    description: "A Firewall package should be selected. Most firewall configuration utilities operate as a front end to nftables or iptables."
+    rationale: "A Firewall package is required for firewall management and configuration."
+    remediation: "Run one of the following commands to install the Firewall package that follows local site policy: To install UFW , run the following command: # apt install ufw To install nftables , run the following command: # apt install nftables To install iptables , run the following command: # apt install iptables"
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.1"]
+      - tsc: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg -s ufw -> r:Status: install ok installed"
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - "c:dpkg -s iptables -> r:Status: install ok installed"
+  #################################################################
+  # 3.5.2 Configure UncomplicatedFirewall
+  #################################################################
+  # 3.5.2.1 Ensure ufw service is enabled (Scored)
+  - id: 18599
+    title: "Ensure ufw service is enabled."
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Ensure that the ufw service is enabled to protect your system."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system"
+    remediation: "Run the following command to enable ufw: # ufw enable"
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    reference:
+      - "http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html"
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ufw -> enabled"
+      - "c:ufw status -> Status: active"
+
+  # 3.5.2.2 Ensure default deny firewall policy (Scored)
+  - id: 18600
+    title: "Ensure default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed"
+    compliance:
+      - cis: ["3.5.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(incoming)|reject\W+(incoming)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(outgoing)|reject\W+(outgoing)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(routed)|reject\W+(routed)'
+
+  # 3.5.2.3 Ensure loopback traffic is configured (Scored)
+  - id: 18601
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ufw allow in on lo  # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1"
+    compliance:
+      - cis: ["3.5.2.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:Anywhere on lo\s*\t*ALLOW IN\s*\t*Anywhere'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*DENY IN\s*\t*127.0.0.0/8'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\) on lo\s*\t*ALLOW IN\s*\t*Anywhere \(v6\)'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*DENY IN\s*\t*::1'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*ALLOW OUT\s*\t*Anywhere on lo'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*ALLOW OUT\s*\t*Anywhere \(v6\) on lo'
+
+  ######################################################################
+  # 3.5.3 Configure nftables
+  ######################################################################
+
+  # 3.5.3.2 Ensure a table exists (Scored)
+  - id: 18602
+    title: "Ensure a table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    remediation: "Run the following command to create a table in nftables: # nft create table inet <table name> .Example: # nft create table inet filter"
+    compliance:
+      - cis: ["3.5.3.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.5.3.3 Ensure base chains exist (Scored)
+  - id: 18603
+    title: "Ensure base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } . Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0\\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }"
+    compliance:
+      - cis: ["3.5.3.3"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.5.3.6 Ensure default deny firewall policy (Scored)
+  - id: 18604
+    title: "Ensure default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept , the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } . Example: # nft chain inet filter input { policy drop \\; } ; # nft chain inet filter forward { policy drop \\; } and # nft chain inet filter output { policy drop \\; }"
+    compliance:
+      - cis: ["3.5.3.6"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.5.3.7 Ensure nftables service is enabled (Scored)
+  - id: 18605
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables"
+    compliance:
+      - cis: ["3.5.3.7"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> enabled"
+
+  #######################################################################
+  # 3.5.4 Configure iptables
+  #######################################################################
+  #######################################################################
+  # 3.5.4.1 Configure IPv4 iptables
+  #######################################################################
+  # 3.5.4.1.1 Ensure default deny firewall policy (Scored)
+  - id: 18606
+    title: "Ensure default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP; # iptables -P OUTPUT DROP; # iptables -P FORWARD DROP"
+    compliance:
+      - cis: ["3.5.4.1.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)|Chain INPUT \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)|Chain FORWARD \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.5.4.1.2 Ensure loopback traffic is configured (Scored)
+  - id: 18607
+    title: "Ensure loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP"
+    compliance:
+      - cis: ["3.5.4.1.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  #########################################################################
+  # 3.5.4.2 Configure IPv6 ip6tables
+  #########################################################################
+  # 3.5.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+  - id: 18608
+    title: "Ensure IPv6 default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    compliance:
+      - cis: ["3.5.4.2.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.5.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+  - id: 18609
+    title: "Ensure IPv6 loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP"
+    compliance:
+      - cis: ["3.5.4.2.2"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["1.2.1"]
+      - tsc: ["CC8.1"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.6 Ensure wireless interfaces are disabled (Scored)
+  - id: 18610
+    title: "Ensure wireless interfaces are disabled."
+    description: "Wireless networking is used when wired networks are unavailable. Ubuntu contains a wireless tool kit to allow system administrators to configure and use wireless networks."
+    rationale: "If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface."
+    remediation: "Run the following command to disable any wireless interfaces: # nmcli radio all off"
+    compliance:
+      - cis: ["3.6"]
+      - cis_csc: ["15.4", "15.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.6"]
+    references:
+      - nmcli(1) - Linux man page
+    condition: all
+    rules:
+      - "c:nmcli radio wifi -> r:^disabled"
+      - "c:nmcli radio wwan -> r:^disabled"
+
+  # 3.7 Disable IPv6 (Not Scored)
+  - id: 18611
+    title: "Disable IPv6."
+    description: "Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented."
+    rationale: "If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system."
+    remediation: 'Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX="ipv6.disable=1" Run the following command to update the grub2 configuration: # update-grub'
+    compliance:
+      - cis: ["3.7"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.6", "CC5.2"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:ipv6.disable=1'
+
+  ############################################################
+  # 4 Logging and Auditing
+  ############################################################
+
+  - id: 18612
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk"
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # apt install auditd audispd-plugins"
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["AU.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:dpkg -s auditd -> r:install ok installed"
+      - "c:dpkg -s audispd-plugins -> r:install ok installed"
+
+  - id: 18613
+    title: "Ensure auditd service is enabled."
+    description: "Enable and start the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable auditd: # systemctl --now enable auditd"
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1", "10.7"]
+      - nist_800_53: ["AU.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> enabled"
+
+  - id: 18614
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.2.6", "10.7"]
+      - nist_800_53: ["AU.2"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["35.7.d", "32.2"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: none
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1 && !r:/boot/memtest86+.bin'
+
+  - id: 18615
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB> Notes: The max_log_file parameter is measured in megabytes."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["AU.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  - id: 18616
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  - id: 18617
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+  - id: 18618
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change"'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.4.2", "10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change'
+
+  - id: 18619
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity'
+
+  - id: 18620
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+    rationale: 'Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."'
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules and add the following lines: -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale      -w /etc/issue -p wa -k system-locale      -w /etc/issue.net -p wa -k system-locale     -w /etc/hosts -p wa -k system-locale-w /etc/network -p wa -k system-locale     For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/system-locale.rules   and add the following lines:  -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale   -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale       -w /etc/issue -p wa -k system-locale          -w /etc/issue.net -p wa -k system-locale           -w /etc/hosts -p wa -k system-locale         -w /etc/network -p wa -k system-locale"
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale'
+
+  - id: 18621
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories."
+    rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
+
+  - id: 18622
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.2.1", "10.2.4", "10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
+
+  - id: 18623
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier "logins."'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc: ["4.9", "16.11", "16.13"]
+      - pci_dss: ["10.3"]
+      - nist_800_53: ["AC.7", "AU.14"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
+
+  - id: 18624
+    title: "Ensure discretionary access control permission modification events are collected."
+    description: 'Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."'
+    rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+    remediation: "For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc: ["5.5"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+
+  - id: 18625
+    title: "Ensure unsuccessful unauthorized file access attempts are collected."
+    description: 'Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access."'
+    rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
+    remediation: "For 32 bit systems Edit or create a file in the /etc/audit/rules.d/directory ending in .rules  Example: vi /etc/audit/rules.d/audit.rules and add the following lines:    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access    |    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access                    For 64 bit systems Edit or create a file in the /etc/audit/rules.d/directory ending in .rules Example: vi /etc/audit/rules.d/access.rules and add the following lines:                -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access     |  -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access     |    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access   |  -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access          Notes: Reloading the auditd config toset active settings requires the auditd service to be restarted, and may require a system reboot."
+    compliance:
+      - cis: ["4.1.10"]
+      - cis_csc: ["14.9"]
+      - pci_dss: ["10.2.4"]
+      - nist_800_53: ["AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+
+  - id: 18626
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.12"]
+      - cis_csc: ["13"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
+
+  - id: 18627
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.13"]
+      - cis_csc: ["6.2", "13"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
+
+  - id: 18628
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."'
+    rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+    remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.14"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["10.5.5"]
+      - nist_800_53: ["AU.14"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["PI1.4", "PI1.5", "CC7.1", "CC7.2", "CC7.3", "CC8.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope'
+
+  - id: 18629
+    title: "Ensure system administrator actions (sudolog) are collected."
+    description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+    rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w <Path to sudo logfile> -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.15"]
+      - cis_csc: ["4.9"]
+      - pci_dss: ["10.2.2"]
+      - nist_800_53: ["AU.14", "AC.6", "AC.7"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w \.+ && r:-p wa && r:-k actions'
+
+  - id: 18630
+    title: "Ensure kernel module loading and unloading is collected."
+    description: 'Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".'
+    rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+    remediation: "For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules. For 64 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+    compliance:
+      - cis: ["4.1.16"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.7"]
+      - nist_800_53: ["AU.14", "AU.6"]
+      - gpg_13: ["7.9"]
+      - gdpr_IV: ["32.2", "35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules'
+
+  - id: 18631
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
+    compliance:
+      - cis: ["4.1.17"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.5"]
+      - nist_800_53: ["AU.9"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "d:/etc/audit/rules.d -> r:^99-finalize.rules$"
+      - 'd:/etc/audit/rules.d -> r:^99-finalize.rules$ -> r:^\s*\t*-e 2$'
+
+  # 4.2,1 Configure rsyslog
+  - id: 18632
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software are recommended replacements to the original syslogd daemon which provide improvements over syslogd , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server."
+    rationale: "The security enhancements of rsyslogsuch as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Install rsyslog: # apt install rsyslog"
+    compliance:
+      - cis: ["4.2.1.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: any
+    rules:
+      - "c:dpkg -s rsyslog -> r:install ok installed"
+  - id: 18633
+    title: "Ensure rsyslog Service is enabled."
+    description: "Once the rsyslog package is installed it needs to be activated."
+    rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog"
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.1"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC7.3", "CC7.4"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> enabled"
+
+  - id: 18634
+    title: "Ensure rsyslog default file permissions configured."
+    description: "rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and set $FileCreateMode to 0640 or more restrictive:   $FileCreateMode 0640"
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC6.1", "CC7.2", "CC.7.3", "CC7.4"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\. -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  - id: 18635
+    title: "Ensure rsyslog is configured to send logs to a remote log host."
+    description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: 'Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines: Newer syntax: <files to sent to the remote log server> action(type="omfwd" target="<FQDN or ip of loghost>" port="<port number>" protocol="tcp" ction.resumeRetryCount="<number of re-tries>"  queue.type="linkList" queue.size=<number of messages to queue>") Example: *.* action(type="omfwd" target="192.168.2.100" port"514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkList" queue.size="1000") Older syntax: *.* @@<FQDN or ip of loghost>'
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc: ["6.6", "6.8"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - rsyslog.conf(5) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^*.* /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* action\.+target='
+
+  - id: 18636
+    title: "Ensure remote rsyslog messages are only accepted on designated log hosts."
+    description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+    rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+    remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines: $ModLoad imtcp        $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+    compliance:
+      - cis: ["4.2.1.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["10.5.1"]
+    references:
+      - rsyslog.conf(8) man page
+    condition: all
+    rules:
+      - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+      - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+  # 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Scored)
+  - id: 18637
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes"
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc: ["6.5"]
+      - pci_dss: ["10.5.3"]
+      - nist_800_53: ["CM.1", "AU.9", "AU.4"]
+      - tsc: ["CC5.2", "CC7.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 4.2.2.2 Ensure journald is configured to compress large log files (Scored)
+  - id: 18638
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line:   Compress=yes"
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc: ["6.4"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Compress\s*=\s*yes'
+
+  # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
+  - id: 18639
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line:   Storage=persistent"
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["10.7"]
+      - nist_800_53: ["CM.1", "AU.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#etcsystemdjournaldconf"
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*Storage\s*=\s*persistent'
+
+  # 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+  - id: 18640
+    title: "Ensure permissions on all logfiles are configured."
+    description: "Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitivebdata is archived and protected."
+    remediation: 'Run the following command to set permissions on all existing log files: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +'
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.5.1", "10.5.2"]
+      - nist_800_53: ["CM.1", "AU.9"]
+      - tsc: ["CC5.2", "CC7.2"]
+    condition: none
+    rules:
+      - 'c:find /var/log -type f -ls -> r:-\w\w\w\ww\w\w\w\w|-\w\w\w\w\wx\w\w\w|-\w\w\w\w\w\w\ww\w|-\w\w\w\w\w\wr\w\w|-\w\w\w\w\w\w\w\wx'
+
+  ############################################################
+  # 5 Access, Authentication and Authorization
+  ############################################################
+  ############################################################
+  # 5.1 Configure cron
+  ############################################################
+  - id: 18641
+    title: "Ensure cron daemon is enabled."
+    description: "The cron daemon is used to execute batch jobs on the system."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable cron: systemctl --now enable cron"
+    compliance:
+      - cis: ["5.1.1"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> enabled"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+  - id: 18642
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : chown root:root /etc/crontab and chmod og-rwx /etc/crontab"
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+  - id: 18643
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.hourly : chown root:root /etc/cron.hourly and chmod og-rwx /etc/cron.hourly"
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+  - id: 18644
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.daily : chown root:root /etc/cron.daily and chmod og-rwx /etc/cron.daily"
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+  - id: 18645
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.weekly : chown root:root /etc/cron.weekly and chmod og-rwx /etc/cron.weekly"
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+  - id: 18646
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly"
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+  - id: 18647
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+  - id: 18648
+    title: "Ensure at/cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "f:/etc/at.allow"
+      - "not f:/etc/cron.deny"
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/cron.allow -> r:^Access: \(0\d\d0/\w\w\w\w\w-----\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/at.allow -> r:^Access: \(0\d\d0/\w\w\w\w\w-----\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  ######################################################
+  # 5.2 SSH Server Configuration
+  ######################################################
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
+  - id: 18649
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:^Access: \(0\d00/\w\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured (Scored)
+  - id: 18650
+    title: "Ensure permissions on SSH private host key files are configured."
+    description: "An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed."
+    rationale: "If an unauthorized user obtains the private SSH host key file, the host could be impersonated"
+    remediation: "Run the following commands to set ownership and permissions on the private SSH host key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \\; # find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \\;"
+    compliance:
+      - cis: ["5.2.2"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/ssh_host_rsa_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/ssh/ssh_host_ecdsa_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/ssh/ssh_host_ed25519_key -> r:^Access: \(0\d00/-\w\w\w------\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured (Scored)
+  - id: 18651
+    title: "Ensure permissions on SSH public host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following commands to set permissions and ownership on the SSH host public key files: # find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \\; #find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;"
+    compliance:
+      - cis: ["5.2.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/ssh_host_rsa_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/ssh/ssh_host_ecdsa_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+      - 'c:stat /etc/ssh/ssh_host_ed25519_key.pub -> r:^Access: \(0\d\d\d/-\w\w\w\w--\w--\)  Uid: \(    0/    root\)   Gid: \(    0/    root\)$'
+
+  # 5.2.4 Ensure SSH Protocol is not set to 1 (Scored)
+  - id: 18652
+    title: "Ensure SSH Protocol is not set to 1."
+    description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+    rationale: "SSH v1 suffers from insecurities that do not affect SSH v2. Notes: This command not longer exists in newer versions of SSH. This check is still being included for systems that may be running an older version of SSH. As of openSSH version 7.4 this parameter will not cause an issue when included."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc: ["4.5", "14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: none
+    rules:
+      - 'c:sshd -T -> r:Protocol\s*\t*1'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+  - id: 18653
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+    references:
+      - https://www.ssh.com/ssh/sshd_config/
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc: ["6.2", "6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
+
+  # 5.2.6 Ensure SSH X11 forwarding is disabled (Scored)
+  - id: 18654
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:X11Forwarding\s+no'
+
+  # 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+  - id: 18655
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+  # 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+  - id: 18656
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:IgnoreRhosts\s+yes'
+
+  # 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+  - id: 18657
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:HostbasedAuthentication\s+no'
+
+  # 5.2.10 Ensure SSH root login is disabled (Scored)
+  - id: 18658
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+    rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitRootLogin\s+no'
+
+  # 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+  - id: 18659
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc: ["16.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitEmptyPasswords\s+no'
+
+  # 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+  - id: 18660
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:PermitUserEnvironment\s+no'
+
+  # 5.2.13 Ensure only strong Ciphers are used (Scored)
+  - id: 18661
+    title: "Ensure only strong ciphers are used."
+    description: "This variable limits the ciphers that SSH can use during communication."
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised The DES, Triple DES, and Blowfish ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue The passwords used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors The mm_newkeys_from_blob function in monitor_wrap.c, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2015-2808"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2013-4548"
+      - "https://www.kb.cert.org/vuls/id/565052"
+      - "https://www.openssh.com/txt/cbc.adv"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 5.2.14 Ensure only strong MAC algorithms are used (Scored)
+  - id: 18662
+    title: "Ensure only strong MAC algorithms are used."
+    description: "This variable limits the types of MAC algorithms that SSH can use during communication."
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information"
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc: ["14.4", "16.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    reference:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    condition: none
+    rules:
+      - "c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used (Scored)
+  - id: 18663
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received"
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks"
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.7", "CC6.1", "CC7.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.2.16 Ensure SSH Idle Timeout Interval is configured (Scored)
+  - id: 18664
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+    rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300    ClientAliveCountMax 0"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+      - 'c:sshd -T -> n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+  # 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+  - id: 18665
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60"
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:LoginGraceTime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare >= 1'
+
+  # 5.2.18 Ensure SSH access is limited (Scored)
+  - id: 18666
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers <userlist>    AllowGroups <grouplist>    DenyUsers <userlist>    DenyGroups <grouplist>"
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+  # 5.2.19 Ensure SSH warning banner is configured (Scored)
+  - id: 18667
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:Banner\s*\t*/etc/issue.net'
+
+  # 5.2.20 Ensure SSH PAM is enabled (Scored)
+  - id: 18668
+    title: "Ensure SSH PAM is enabled."
+    description: "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes"
+    compliance:
+      - cis: ["5.2.20"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*usepam\s+yes'
+
+  # 5.2.21 Ensure SSH AllowTcpForwarding is disabled (Scored)
+  - id: 18669
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no"
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://www.ssh.com/ssh/tunneling/example
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowTcpForwarding\s+no'
+
+  - id: 18670
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: maxstartups 10:30:60"
+    compliance:
+      - cis: ["5.2.22"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*maxstartups\s+10:30:60'
+
+  # 5.2.23 Ensure SSH MaxSessions is  set to 4 or less (Scored)
+  - id: 18671
+    title: "Ensure SSH MaxSessions is set to 4 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 4"
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxSessions\s+(\d+) compare <= 4'
+
+  ######################################################
+  # 5.3 Configure PAM
+  ######################################################
+  # 5.3.1 Ensure password creation requirements are configured (Scored)
+  - id: 18672
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "1) Run the following command to install the pam_pwquality module: apt install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+      - 'f:/etc/pam.d/common-password -> !r:^# && n:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=(\d+) compare <=3'
+
+  # 5.3.2 Ensure lockout for failed password attempts is configured (Scored)
+  - id: 18673
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: 'Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Edit the /etc/pam.d/common-account file and add the account lines below: account    requisite    pam_deny.so      account    required    pam_tally2.so. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u <username> --reset. This command sets the failed count to 0, effectively unlocking the user. Notes:BUG In pam_tally2.so To work around this issue the addition of pam_tally2.so in the accounts section of the /etc/pam.d/common-account file has been added to the audit and remediation sections. pam_tally2 line must be added for the counter to reset to 0 when using sudo.     Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.'
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc: ["16.7"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*requisite\s*\t*pam_deny.so'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*required\s*\t*pam_tally2.so'
+
+  # 5.3.3 Ensure password reuse is limited (Scored)
+  - id: 18674
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.5"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare < 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && !r:remember'
+
+  # 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
+  - id: 18675
+    title: "Ensure password hashing algorithm is SHA-512."
+    description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+    remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password [success=1 default=ignore] pam_unix.so sha512"
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["3.6.1", "8.2.1"]
+      - tsc: ["CC6.1", "CC6.7"]
+    condition: none
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so && !r:sha512'
+
+  ####################################################
+  # 5.4 User Accounts and Environment
+  ####################################################
+  ####################################################
+  # 5.4.1 Set Shadow Password Suite Parameters
+  ####################################################
+  # 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
+  - id: 18676
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 <user>. Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+    compliance:
+      - cis: ["5.4.1.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'not f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare < 0'
+
+  # 5.4.1.2 Ensure minimum days between password changes is configured
+  - id: 18677
+    title: "Ensure minimum days between password changes is 7 or more."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.2"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+
+  # 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+  - id: 18678
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>. Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+    compliance:
+      - cis: ["5.4.1.3"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+
+  # 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+  - id: 18679
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>. Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+    compliance:
+      - cis: ["5.4.1.4"]
+      - cis_csc: ["4.4", "16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+
+  # 5.4.3 Ensure default group for the root account is GID 0 (Scored)
+  - id: 18680
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  # 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+  - id: 18681
+    title: "Ensure default user umask is 027 or more restrictive."
+    description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files ( .profile , .bashrc , etc.) in their home directories."
+    rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: umask 027"
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc: ["14.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/bash.bashrc -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'f:/etc/profile -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'f:/etc/profile -> !r:^\s*\t*# && n:umask \d\d(\d) compare != 7'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*\t*# && r:umask \d0\d|umask \d1\d|umask \d4\d|umask \d5\d'
+      - 'd:/etc/profile.d -> .sh -> !r:^\s*t*# && n:umask \d\d(\d) compare != 7'
+
+  # 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
+  - id: 18682
+    title: "Ensure default user shell timeout is 900 seconds or less."
+    description: "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds."
+    rationale: "Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+    remediation: "Edit the /etc/bash.bashrc , /etc/profile and /etc/profile.d/*.sh files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: readonly TMOUT=900 ; export TMOUT . Note that setting the value to readonly prevents unwanted modification during runtime."
+    compliance:
+      - cis: ["5.4.5"]
+      - cis_csc: ["16.11"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'not d:/etc/profile.d -> .sh -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/bash.bashrc -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'not f:/etc/profile -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare > 900'
+      - 'd:/etc/profile.d -> .sh -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/bash.bashrc -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'f:/etc/profile -> r:^\s*\t*readonly && n:TMOUT\s*\t*=\s*\t*(\d+) compare <= 900'
+
+  # 5.6 Ensure access to the su command is restricted (Scored)
+  - id: 18683
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
+    rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group='
+
+  ############################################################
+  # 6 System Maintenance
+  ############################################################
+
+  ############################################################
+  # 6.1 System File Permissions
+  ############################################################
+  # 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+  - id: 18684
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd"
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/gshadow- are configured (Scored)
+  - id: 18685
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the one of the following chown commands as appropriate and the chmod to set permissions on /etc/gshadow- : # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- # chmod o-rwx,g-wx /etc/gshadow-"
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/shadow are configured (Scored)
+  - id: 18686
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run the one following commands to set permissions on /etc/shadow : # chown root:shadow /etc/shadow # chmod o-rwx,g-wx /etc/shadow"
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.5 Ensure permissions on /etc/group are configured (Scored)
+  - id: 18687
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group: # chown root:root /etc/group # chmod 644 /etc/group"
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+  - id: 18688
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd-: # chown root:root /etc/passwd- # chmod u-x,go-rwx /etc/passwd-"
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+  - id: 18689
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to set permissions on /etc/shadow- : # chown root:shadow /etc/shadow- # chmod u-x,go-rwx /etc/shadow-"
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/shadow- -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)|Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+  - id: 18690
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group-: # chown root:root /etc/group- # chmod u-x,go-rwx /etc/group-"
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:Access:\s*\(0\d00/-\w\w-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.9 Ensure permissions on /etc/gshadow are configured (Scored)
+  - id: 18691
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group"
+    remediation: "Run the following commands to set permissions on /etc/gshadow : # chown root:shadow /etc/gshadow # chmod o-rwx,g-rw /etc/gshadow"
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'c:stat /etc/gshadow -> r:Access:\s*\(0\d\d0/-\w\w-\w-----\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  ####################################################
+  # 6.2 User and Group Settings
+  ####################################################
+
+  # 6.2.1 Ensure password fields are not empty (Scored)
+  - id: 18692
+    title: "Ensure password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <em><username></em>. Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc: ["4.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+  - id: 18693
+    title: "Ensure no legacy + entries exist in /etc/passwd"
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/passwd -> !r:^# && r:^+:"
+
+  # 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+  - id: 18694
+    title: "Ensure no legacy + entries exist in /etc/shadow"
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/shadow -> !r:^# && r:^+:"
+
+  # 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+  - id: 18695
+    title: "Ensure no legacy + entries exist in /etc/group"
+    description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+    rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+    remediation: "Remove any legacy + entries from /etc/group if they exist."
+    compliance:
+      - cis: ["6.2.5"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+    condition: none
+    rules:
+      - "f:/etc/group -> !r:^# && r:^+:"
+
+  # 6.2.6 Ensure root is the only UID 0 account (Scored)
+  - id: 18696
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.6"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.20 Ensure shadow group is empty (Scored)
+  - id: 18697
+    title: "Ensure shadow group is empty."
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+    compliance:
+      - cis: ["6.2.20"]
+      - pci_dss: ["10.2.5"]
+      - hipaa: ["164.312.b"]
+      - nist_800_53: ["AU.14", "AC.7"]
+      - tsc: ["CC7.2", "CC6.1", "CC6.8", "CC7.3", "CC7.4"]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+    condition: none
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/etc/ruleset/sca/ubuntu/cis_ubuntu20_04.yml b/etc/ruleset/sca/ubuntu/cis_ubuntu20_04.yml
new file mode 100644
index 0000000000..c22ce5e345
--- /dev/null
+++ b/etc/ruleset/sca/ubuntu/cis_ubuntu20_04.yml
@@ -0,0 +1,5128 @@
+# Security Configuration Assessment
+# CIS Checks for Ubuntu Linux 20.04 LTS
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Ubuntu Linux 20.04 LTS Benchmark v2.0.0 - 05-30-2023
+
+policy:
+  id: "cis_ubuntu20-04"
+  file: "cis_ubuntu20_04.yml"
+  name: "CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Ubuntu version."
+  description: "Requirements for running the SCA scan against Ubuntu Linux 20.04 LTS"
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:Ubuntu 20.04"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.4 Ensure mounting of hfs filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.6 Ensure mounting of squashfs filesystems is disabled. (Automated) - Not Implemented
+  # 1.1.1.7 Ensure mounting of udf filesystems is disabled. (Automated) - Not Implemented
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 19000
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount unit file: Using /etc/fstab: Configure /etc/fstab as appropriate: Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 -OR- Using a tmp.mount unit file: Run the following command to create the tmp.mount file is the correct location: # cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/ Edit /etc/systemd/system/tmp.mount to configure the /tmp mount: Example: # SPDX-License-Identifier: LGPL-2.1+ # # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. [Unit] Description=Temporary Directory (/tmp) Documentation=https://systemd.io/TEMPORARY_DIRECTORIES Documentation=man:file-hierarchy(7) Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystem s ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime,nosuid,nodev,noexec [Install] WantedBy=local-fs.target Run the following command to reload the systemd daemon with the updated tmp.mount unit file: # systemctl daemon-reload Run the following command to enable and start tmp.mount # systemctl --now enable tmp.mount Note: A reboot may be required to transition to /tmp mounted to tmpfs."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /tmp -> r:\s*/tmp\s'
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 19001
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:nodev'
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 19002
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022", "M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:noexec'
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 19003
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022", "M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /tmp -> r:\s*/tmp\s && r:nosuid'
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 19004
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var -> r:\s*/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 19005
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var -> r:\s*/var\s && r:nodev'
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+  - id: 19006
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var -> r:\s*/var\s && r:nosuid'
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 19007
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s'
+
+  # 1.1.4.2 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 19008
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c: findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:nodev'
+
+  # 1.1.4.3 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 19009
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022", "M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:noexec'
+
+  # 1.1.4.4 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 19010
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022", "M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/tmp -> r:\s*/var/tmp\s && r:nosuid'
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 19011
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log -> r:\s*/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 19012
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 19013
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 19014
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log -> r:\s*/var/log\s && r:nosuid'
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 19015
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log/audit -> r:\s*/var/log/audit\s'
+
+  # 1.1.6.2 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 19016
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log/audit -> r:\s*/var/log/audit\s && r:nodev'
+
+  # 1.1.6.3 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 19017
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log/audit -> r:\s*/var/log/audit\s && r:noexec'
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 19018
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /var/log/audit -> r:\s*/var/log/audit\s && r:nosuid'
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 19019
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follows. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /home -> r:\s*/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 19020
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /home."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /home -> r:\s*/home\s && r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 19021
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /home -> r:\s*/home\s && r:nosuid'
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 19022
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /dev/shm -> r:\s*/dev/shm\s && r:nodev'
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 19023
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm Note: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /dev/shm  -> r:\s*/dev/shm\s && r:noexec'
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 19024
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Example: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm Note: It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt -kn /dev/shm  -> r:\s*/dev/shm\s && r:nosuid'
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 19025
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in the filesystem even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations are considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # apt purge autofs -OR- if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1068", "T1203", "T1211", "T1212"]
+    condition: any
+    rules:
+      - "c: dpkg -s autofs -> r:package 'autofs' is not installed"
+      - "c: systemctl is-enabled autofs -> r:No such file or directory|disabled"
+
+  # 1.1.10 Disable USB Storage. (Automated) - Not Implemented
+
+  # 1.2.1 Ensure AIDE is installed. (Automated)
+  - id: 19026
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Run the following commands to initialize AIDE: # aideinit # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db."
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1036", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1565", "T1565.001"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s aide -> r:install ok installed"
+      - "c:dpkg -s aide-common -> r:install ok installed"
+
+  # 1.2.2 Ensure filesystem integrity is regularly checked. (Automated)
+  - id: 19027
+    title: "Ensure filesystem integrity is regularly checked."
+    description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
+    rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+    remediation: "If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer."
+    references:
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service"
+      - "https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer"
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1036", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1565", "T1565.001"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled aidecheck.service -> r:enabled"
+      - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
+      - "c:systemctl status aidecheck.timer -> r:Active: active"
+
+  # 1.3.1 Ensure updates, patches, and additional security software are installed. (Manual) - Not Implemented
+  # 1.3.2 Ensure package manager repositories are configured. (Manual) - Not Implemented
+  # 1.3.3 Ensure GPG keys are configured. (Manual) Not Implemented
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 19028
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a GRUB 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable to do so, the configuration files will have to be edited via a LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. A password will still be required to edit menu items. More Information: https://help.ubuntu.com/community/Grub2/Passwords.'
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> PBKDF2 hash of your password is <encrypted-password> Add the following into a custom /etc/grub.d configuration file: cat <<EOF set superusers="<username>" password_pbkdf2 <username> <encrypted-password> EOF The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1046"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1542"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 19029
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod u-x,go-rwx /boot/grub/grub.cfg."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0600/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\(0400/-r--------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication required for single user mode. (Automated)
+  - id: 19030
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^root:\p:'
+
+  # 1.5.1 Ensure prelink is not installed. (Automated)
+  - id: 19031
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink."
+    compliance:
+      - cis: ["1.5.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1055", "T1055.009", "T1065", "T1065.001"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s prelink -> r:package 'prelink' is not installed"
+
+  # 1.5.2 Ensure address space layout randomization (ASLR) is enabled. (Automated) - Not Implemented
+  # 1.5.3 Ensure ptrace_scope is restricted. (Automated) - Not Implemented
+
+  # 1.5.4 Ensure Automatic Error Reporting is not enabled. (Automated)
+  - id: 19032
+    title: "Ensure Automatic Error Reporting is not enabled."
+    description: "The Apport Error Reporting Service automatically generates crash reports for debugging."
+    rationale: "Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material."
+    remediation: "Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -- Run the following command to remove the apport package: # apt purge apport."
+    compliance:
+      - cis: ["1.5.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s apport -> !r:enabled"
+      - "c:systemctl is-active apport.service -> !r:active"
+
+  # 1.5.5 Ensure core dumps are restricted. (Automated) - Not Implemented
+
+  # 1.6.1.1 Ensure AppArmor is installed. (Automated)
+  - id: 19033
+    title: "Ensure AppArmor is installed."
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Install AppArmor. # apt install apparmor apparmor-utils."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:dpkg -s apparmor -> r:install ok installed"
+
+  # 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration. (Automated)
+  - id: 19034
+    title: "Ensure AppArmor is enabled in the bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    rationale: "AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:security=apparmor'
+
+  # 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode. (Automated)
+  - id: 19035
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+loaded compare > 0'
+      - "c:apparmor_status -> r:0 processes are unconfined"
+
+  # 1.6.1.4 Ensure all AppArmor Profiles are enforcing. (Automated)
+  - id: 19036
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+loaded compare > 0'
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+in\s+enforce\s+mode compare > 0'
+      - 'c:apparmor_status -> r:^0\s*profiles\s+are\s+in\s+complain\s+mode'
+      - 'c:apparmor_status -> r:^0\s*processes\s+are\s+unconfined'
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 19037
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform. Add or update the message text to follow local site policy. Example Text: # echo \"Authorized use only. All activity may be monitored and reported.\" > /etc/issue.net -- OR -- If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: any
+    rules:
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+      - "not f:/etc/motd"
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 19038
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform. Add or update the message text to follow local site policy. Example Text: # echo \"Authorized use only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 19039
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform. Add or update the message text to follow local site policy. Example Text: # echo \"Authorized use only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 19040
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) -- OR -- Run the following command to remove the /etc/motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - "not f:/etc/motd"
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 19041
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue)."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 19042
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net)."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Automated)
+  - id: 19043
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to uninstall gdm3: # apt purge gdm3."
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s gdm3 -> r: package 'gdm3' is not installed"
+
+  # 1.8.2 Ensure GDM login banner is configured. (Automated) - Not Implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled. (Automated) - Not Implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle. (Automated) - Not Implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden. (Automated) - Not Implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled. (Automated) - Not Implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden. (Automated) - Not Implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled. (Automated) - Not Implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden. (Automated) - Not Implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled. (Automated)
+  - id: 19044
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm3/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not f:/etc/gdm3/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 2.1.1.1 Ensure a single time synchronization daemon is in use. (Automated)
+  - id: 19045
+    title: "Ensure a single time synchronization daemon is in use."
+    description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: - On virtual systems where host based time synchronization is available consult your virtualization software documentation and verify that host based synchronization is in use and follows local site policy. In this scenario, this section should be skipped - Only one time synchronization method should be in use on the system. Configuring multiple time synchronization methods could lead to unexpected or unreliable results."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+    remediation: "On physical systems, and virtual systems where host based time synchronization is not available. Select one of the three time synchronization daemons; chrony (1), systemd-timesyncd (2), or ntp (3), and following the remediation procedure for the selected daemon. Note: enabling more than one synchronization daemon could lead to unexpected or unreliable results: 1. chrony Run the following command to install chrony: # apt install chrony Run the following commands to stop and mask the systemd-timesyncd daemon: # systemctl stop systemd-timesyncd.service # systemctl --now mask systemd-timesyncd.service Run the following command to remove the ntp package: # apt purge ntp NOTE: - Subsection: Configure chrony should be followed - Subsections: Configure systemd-timesyncd and Configure ntp should be skipped 2. systemd-timesyncd Run the following command to remove the chrony package: # apt purge chrony Run the following command to remove the ntp package: # apt purge ntp NOTE: - Subsection: Configure systemd-timesyncd should be followed - Subsections: Configure chrony and Configure ntp should be skipped 3. ntp Run the following command to install ntp: # apt install ntp Run the following commands to stop and mask the systemd-timesyncd daemon: # systemctl stop systemd-timesyncd.service # systemctl --now mask systemd-timesyncd.service Run the following command to remove the chrony package: # apt purge chrony NOTE: - Subsection: Configure ntp should be followed - Subsections: Configure chrony and Configure systemd-timesyncd should be skipped."
+    compliance:
+      - cis: ["2.1.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: any
+    rules:
+      - "c:dpkg -s ntp -> r:install ok installed"
+      - "c:dpkg -s chrony -> r:install ok installed"
+      - "c:systemctl is-enabled systemd-timesyncd -> r:^enabled"
+
+  # 2.1.2.1 Ensure chrony is configured with authorized timeserver. (Manual)
+  - id: 19046
+    title: "Ensure chrony is configured with authorized timeserver."
+    description: "-> server - The server directive specifies an NTP server which can be used as a time source. The client-server relationship is strictly hierarchical: a client might synchronize its system time to that of the server, but the server's system time will never be influenced by that of a client. - This directive can be used multiple times to specify multiple servers. o The directive is immediately followed by either the name of the server, or its IP address. -> pool - The syntax of this directive is similar to that for the server directive, except that it is used to specify a pool of NTP servers rather than a single NTP server. The pool name is expected to resolve to multiple addresses which might change over time. - This directive can be used multiple times to specify multiple pools. - All options valid in the server directive can be used in this directive too."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "Edit /etc/chrony/chrony.conf or a file ending in .sources in /etc/chrony/sources.d/ and add or edit server or pool lines as appropriate according to local site policy: <[server|pool]> <[remote-server|remote-pool]> Examples: pool directive: pool time.nist.gov iburst maxsources 4 #The maxsources option is unique to the pool directive server directive: server time-a-g.nist.gov iburst server 132.163.97.3 iburst server time-d-b.nist.gov iburst Run one of the following commands to load the updated time sources into chronyd running config: # systemctl restart chronyd - OR if sources are in a .sources file - # chronyc reload sources OR If another time synchronization service is in use on the system, run the following command to remove chrony from the system: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:ps -ef -> r:^_chrony && r:/chronyd"
+      - 'f:/etc/chrony/chrony.conf -> r:^server\.+|^pool\.+'
+
+  # 2.1.2.2 Ensure chrony is running as user _chrony. (Automated)
+  - id: 19047
+    title: "Ensure chrony is running as user _chrony."
+    description: "The chrony package is installed with a dedicated user account _chrony. This account is granted the access required by the chronyd service."
+    rationale: "The chronyd service should run with only the required privileges."
+    remediation: "Add or edit the user line to /etc/chrony/chrony.conf or a file ending in .conf in /etc/chrony/conf.d/: user _chrony OR If another time synchronization service is in use on the system, run the following command to remove chrony from the system: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/chrony/chrony.conf -> r:^user _chrony"
+
+  # 2.1.2.3 Ensure chrony is enabled and running. (Automated)
+  - id: 19048
+    title: "Ensure chrony is enabled and running."
+    description: "chrony is a daemon for synchronizing the system clock across the network."
+    rationale: "chrony needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF chrony is in use on the system, run the following commands: Run the following command to unmask chrony.service: # systemctl unmask chrony.service Run the following command to enable and start chrony.service: # systemctl --now enable chrony.service OR If another time synchronization service is in use on the system, run the following command to remove chrony: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled chrony.service -> r:^enabled"
+      - "c:systemctl is-active chrony.service -> r:^active"
+
+  # 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver. (Automated)
+  - id: 19049
+    title: "Ensure systemd-timesyncd configured with authorized timeserver."
+    description: "NTP= - A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service(8). systemd-timesyncd will contact all configured system or per-interface servers in turn, until one responds. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. This setting defaults to an empty list. FallbackNTP= - A space-separated list of NTP server host names or IP addresses to be used as the fallback NTP servers. Any per-interface NTP servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via NTP= above. This setting is hence only relevant if no other NTP server information is known. When the empty string is assigned, the list of NTP servers is reset, and all prior assignments will have no effect. If this option is not given, a compiled-in list of NTP servers is used."
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "Edit /etc/systemd/timesyncd.conf and add the NTP= and/or FallbackNTP= lines to the [Time] section: Example: [Time] NTP=time.nist.gov # Uses the generic name for NIST's time servers -AND/OR- FallbackNTP=time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov # Space separated list of NIST time servers Note: Servers added to these line(s) should follow local site policy. NIST servers are for example. Example script: The following example script will add the example NIST time servers to /etc/systemd/timesyncd.conf #!/usr/bin/env bash { l_ntp_ts=\"time.nist.gov\" l_ntp_fb=\"time-a-g.nist.gov time-b-g.nist.gov time-c-g.nist.gov\" l_conf_file=\"/etc/systemd/timesyncd.conf\" if ! grep -Ph '^\\h*NTP=\\H+' \"$l_conf_file\"; then ! grep -Pqs '^\\h*\\[Time\\]' \"$l_conf_file\" && echo \"[Time]\" >> \"$l_conf_file\" echo \"NTP=$l_ntp_ts\" >> \"$l_conf_file\" fi if ! grep -Ph '^\\h*FallbackNTP=\\H+' \"$l_conf_file\"; then ! grep -Pqs '^\\h*\\[Time\\]' \"$l_conf_file\" && echo \"[Time]\" >> \"$l_conf_file\" echo \"FallbackNTP=$l_ntp_fb\" >> \"$l_conf_file\" fi } Run the following command to reload the systemd-timesyncd configuration: # systemctl try-reload-or-restart systemd-timesyncd -OR- If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd."
+    references:
+      - "https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html"
+      - "https://tf.nist.gov/tf-cgi/servers.cgi"
+    compliance:
+      - cis: ["2.1.3.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "d:/etc/systemd"
+      - 'd:/etc/systemd -> r:\.+.conf$'
+      - 'd:/etc/systemd -> r:\.+.conf$ -> r:^\s*NTP=|^\s*FallbackNTP='
+
+  # 2.1.3.2 Ensure systemd-timesyncd is enabled and running. (Manual)
+  - id: 19050
+    title: "Ensure systemd-timesyncd is enabled and running."
+    description: "systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network."
+    rationale: "systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF systemd-timesyncd is in use on the system, run the following commands: Run the following command to unmask systemd-timesyncd.service: # systemctl unmask systemd-timesyncd.service Run the following command to enable and start systemd-timesyncd.service: # systemctl --now enable systemd-timesyncd.service OR If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd.service."
+    compliance:
+      - cis: ["2.1.3.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd.service -> r:^enabled"
+      - "c:systemctl is-active systemd-timesyncd.service -> r:^active"
+
+  # 2.1.4.1 Ensure ntp access control is configured. (Automated)
+  - id: 19051
+    title: "Ensure ntp access control is configured."
+    description: 'ntp Access Control Commands: restrict address [mask mask] [ippeerlimit int] [flag ...] The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note: the text string default, with no mask option, may be used to indicate the default entry. The ippeerlimit directive limits the number of peer requests for each IP to int, where a value of -1 means "unlimited", the current default. A value of 0 means "none". There would usually be at most 1 peering request per IP, but if the remote peering requests are behind a proxy there could well be more than 1 per IP. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified: - kod - If this flag is set when an access violation occurs, a kiss-o''-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped. - limited - Deny service if the packet spacing violates the lower limits specified in the discard command. A history of clients is kept using the monitoring capability of ntpd. Thus, monitoring is always active as long as there is a restriction entry with the limited flag. - lowpriotrap - Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. - noepeer - Deny ephemeral peer requests, even if they come from an authenticated source. Note that the ability to use a symmetric key for authentication may be restricted to one or more IPs or subnets via the third field of the ntp.keys file. This restriction is not enabled by default, to maintain backward compatibility. Expect noepeer to become the default in ntp-4.4. - nomodify - Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted. - noquery - Deny ntpq and ntpdc queries. Time service is not affected. - nopeer - Deny unauthenticated packets which would result in mobilizing a new association. This includes broadcast and symmetric active packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you''ll want a restrict source ... line as well that does not include the nopeer directive. - noserve - Deny all packets except ntpq and ntpdc queries. - notrap - Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq control message protocol which is intended for use by remote event logging programs. - notrust - Deny service unless the packet is cryptographically authenticated. - ntpport - This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list.'
+    rationale: "If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is accurate."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - "http://www.ntp.org/"
+    compliance:
+      - cis: ["2.1.4.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1498", "T1498.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'f:/etc/ntp.conf -> r:^restrict\s*\t*-4\s*\t*default|^restrict\s*\t*default && r:\s*kod && r:\s*nomodify && r:\s*notrap && r:\s*nopeer && r:\s*noquery'
+      - 'f:/etc/ntp.conf -> r:^restrict\s*\t*-6\s*\t*default && r:\s*kod && r:\s*nomodify && r:\s*notrap && r:\s*nopeer && r:\s*noquery'
+
+  # 2.1.4.2 Ensure ntp is configured with authorized timeserver. (Manual)
+  - id: 19052
+    title: "Ensure ntp is configured with authorized timeserver."
+    description: 'The various modes are determined by the command keyword and the type of the required IP address. Addresses are classed by type as (s) a remote server or peer (IPv4 class A, B and C), (b) the broadcast address of a local interface, (m) a multicast address (IPv4 class D), or (r) a reference clock address (127.127.x.x). Note: That only those options applicable to each command are listed below. Use of options not listed may not be caught as an error, but may result in some weird and even destructive behavior. If the Basic Socket Interface Extensions for IPv6 (RFC-2553) is detected, support for the IPv6 address family is generated in addition to the default support of the IPv4 address family. In a few cases, including the reslist billboard generated by ntpq or ntpdc, IPv6 addresses are automatically generated. IPv6 addresses can be identified by the presence of colons ":" in the address field. IPv6 addresses can be used almost everywhere where IPv4 addresses can be used, with the exception of reference clock addresses, which are always IPv4. Note: In contexts where a host name is expected, a -4 qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a -6 qualifier forces DNS resolution to the IPv6 namespace. See IPv6 references for the equivalent classes for that address family. - pool - For type s addresses, this command mobilizes a persistent client mode association with a number of remote servers. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. - server - For type s and r addresses, this command mobilizes a persistent client mode association with the specified remote server or local radio clock. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. This command should not be used for type b or m addresses.'
+    rationale: "Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "Edit /etc/ntp.conf and add or edit server or pool lines as appropriate according to local site policy: <[server|pool]> <[remote-server|remote-pool]> Examples: pool mode: pool time.nist.gov iburst server mode: server time-a-g.nist.gov iburst server 132.163.97.3 iburst server time-d-b.nist.gov iburst Run the following command to load the updated time sources into ntp running config: # systemctl restart ntp OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - "http://www.ntp.org/"
+      - "https://tf.nist.gov/tf-cgi/servers.cgi"
+    compliance:
+      - cis: ["2.1.4.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1498", "T1498.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/ntp.conf -> r:^pool"
+      - "f:/etc/ntp.conf -> r:^server"
+
+  # 2.1.4.3 Ensure ntp is running as user ntp. (Automated)
+  - id: 19053
+    title: "Ensure ntp is running as user ntp."
+    description: "The ntp package is installed with a dedicated user account ntp. This account is granted the access required by the ntpd daemon Note: - If chrony or systemd-timesyncd are used, ntp should be removed and this section skipped - This recommendation only applies if ntp is in use on the system - Only one time synchronization method should be in use on the system."
+    rationale: "The ntpd daemon should run with only the required privlidge."
+    remediation: "Add or edit the following line in /usr/lib/ntp/ntp-systemd-wrapper: RUNASUSER=ntp Run the following command to restart ntp.servocee: # systemctl restart ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - "http://www.ntp.org/"
+    compliance:
+      - cis: ["2.1.4.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/usr/lib/ntp/ntp-systemd-wrapper -> r:^RUNASUSER=ntp"
+
+  # 2.1.4.4 Ensure ntp is enabled and running. (Automated)
+  - id: 19054
+    title: "Ensure ntp is enabled and running."
+    description: "ntp is a daemon for synchronizing the system clock across the network."
+    rationale: "ntp needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF ntp is in use on the system, run the following commands: Run the following command to unmask ntp.service: # systemctl unmask ntp.service Run the following command to enable and start ntp.service: # systemctl --now enable ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp: # apt purge ntp."
+    compliance:
+      - cis: ["2.1.4.4"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ntp.service -> r:^enabled"
+      - "c:systemctl is-active ntp.service -> r:^active"
+
+  # 2.2.1 Ensure X Window System is not installed. (Automated)
+  - id: 19055
+    title: "Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime, if provided by your distribution.'
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' xserver-xorg -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' xserver-xorg -> r:install ok installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 19056
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to remove avahi-daemon: # systemctl stop avahi-daaemon.service # systemctl stop avahi-daemon.socket # apt purge avahi-daemon."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' avahi-daemon -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' avahi-daemon -> r:install ok installed"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 19057
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface."
+    impact: "Removing CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run one of the following commands to remove cups : # apt purge cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' cups -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' cups -> r:install ok installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 19058
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove isc-dhcp-server: # apt purge isc-dhcp-server."
+    references:
+      - "http://www.isc.org/software/dhcp."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' isc-dhcp-server -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' isc-dhcp-server -> r:install ok installed"
+
+  # 2.2.5 Ensure LDAP server is not installed. (Automated)
+  - id: 19059
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove slapd: # apt purge slapd."
+    references:
+      - "http://www.openldap.org."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' slapd -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' slapd -> r:install ok installed"
+
+  # 2.2.6 Ensure NFS is not installed. (Automated)
+  - id: 19060
+    title: "Ensure NFS is not installed."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares, it is recommended that the nfs-kernel-server package be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove nfs: # apt purge nfs-kernel-server."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nfs-kernel-server -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nfs-kernel-server -> r:install ok installed"
+
+  # 2.2.7 Ensure DNS Server is not installed. (Automated)
+  - id: 19061
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable DNS server: # apt purge bind9."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' bind9 -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' bind9 -> r:install ok installed"
+
+  # 2.2.8 Ensure FTP Server is not installed. (Automated)
+  - id: 19062
+    title: "Ensure FTP Server is not installed."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # apt purge vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' vsftpd -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' vsftpd -> r:install ok installed"
+
+  # 2.2.9 Ensure HTTP server is not installed. (Automated)
+  - id: 19063
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove apache2: # apt purge apache2."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apache2 -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apache2 -> r:install ok installed"
+
+  # 2.2.10 Ensure IMAP and POP3 server are not installed. (Automated)
+  - id: 19064
+    title: "Ensure IMAP and POP3 server are not installed."
+    description: "dovecot-imapd and dovecot-pop3d are an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove dovecot-imapd and dovecot-pop3d: # apt purge dovecot-imapd dovecot-pop3d."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-imapd -> r:install ok installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-pop3d -> r:install ok installed"
+
+  # 2.2.11 Ensure Samba is not installed. (Automated)
+  - id: 19065
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # apt purge samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' samba -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' samba -> r:install ok installed"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 19066
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove squid: # apt purge squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' squid -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' squid -> r:install ok installed"
+
+  # 2.2.13 Ensure SNMP Server is not installed. (Automated)
+  - id: 19067
+    title: "Ensure SNMP Server is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the snmpd package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove snmpd: # apt purge snmpd."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' snmp -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' snmp -> r:install ok installed"
+
+  # 2.2.14 Ensure NIS Server is not installed. (Automated)
+  - id: 19068
+    title: "Ensure NIS Server is not installed."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed and other, more secure services be used."
+    remediation: "Run the following command to remove nis: # apt purge nis."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:install ok installed"
+
+  # 2.2.15 Ensure dnsmasq is not installed. (Automated)
+  - id: 19069
+    title: "Ensure dnsmasq is not installed."
+    description: "dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services."
+    rationale: "Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove dnsmasq: # apt purge dnsmasq."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dnsmaq -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dnsmaq -> r:install ok installed"
+
+  # 2.2.16 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 19070
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as exim4. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:ss -lntu -> r:\.*:25\.*LISTEN && !r:127.0.0.1:25\.*LISTEN|::1:25\.*LISTEN'
+
+  # 2.2.17 Ensure rsync service is either not installed or is masked. (Automated)
+  - id: 19071
+    title: "Ensure rsync service is either not installed or is masked."
+    description: "The rsync service can be used to synchronize files between systems over network links."
+    rationale: "The rsync service presents a security risk as the rsync protocol is unencrypted. The rsync package should be removed or if required for dependencies, the rsync service should be stopped and masked to reduce the attack area of the system."
+    remediation: "Run the following command to remove rsync: # apt purge rsync -- OR -- Run the following commands to stop and mask rsync: # systemctl stop rsync # systemctl mask rsync."
+    compliance:
+      - cis: ["2.2.17"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsync -> r:unknown ok not-installed"
+      - "c:systemctl is-active rsync -> r:^inactive"
+      - "c:systemctl is-enabled rsync -> r:^masked"
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 19072
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall nis: # apt purge nis."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:install ok installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 19073
+    title: "Ensure rsh client is not installed."
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh-client package removes the clients for rsh, rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall rsh: # apt purge rsh-client."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsh-client -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsh-client -> r:install ok installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 19074
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall talk: # apt purge talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' talk -> r:unknown ok not-installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' talk -> r:no packages found matching talk"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' talk -> r:install ok installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 19075
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall telnet: # apt purge telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' telnet -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' telnet -> r:install ok installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 19076
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Uninstall ldap-utils: # apt purge ldap-utils."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ldap-utils -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ldap-utils -> r:install ok installed"
+
+  # 2.3.6 Ensure RPC is not installed. (Automated)
+  - id: 19077
+    title: "Ensure RPC is not installed."
+    description: 'Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. It requires an RPC compliant client listening on a network port. The supporting package is rpcbind.".'
+    rationale: "If RPC is not required, it is recommended that this services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove rpcbind: # apt purge rpcbind."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rpcbind -> r:unknown ok not-installed"
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rpcbind -> r:install ok installed"
+
+  # 2.4 Ensure nonessential services are removed or masked. (Manual) - Not Implemented
+
+  # 3.1.1 Ensure IPv6 status is identified. (Manual)
+  - id: 19078
+    title: "Ensure IPv6 status is identified."
+    description: "Internet Protocol Version 6 (IPv6) is the most recent version of Internet Protocol (IP). It's designed to supply IP addressing and additional security to support the predicted growth of connected devices. IPv6 is based on 128-bit addressing and can support 340 undecillion addresses, which is 340 followed by 36 zeroes. Features of IPv6 - Hierarchical addressing and routing infrastructure - Stateful and Stateless configuration - Support for quality of service (QoS) - An ideal protocol for neighboring node interaction."
+    rationale: "IETF RFC 4038 recommends that applications are built with an assumption of dual stack. It is recommended that IPv6 be enabled and configured in accordance with Benchmark recommendations. If dual stack and IPv6 are not used in your environment, IPv6 may be disabled to reduce the attack surface of the system, and recommendations pertaining to IPv6 can be skipped. Note: It is recommended that IPv6 be enabled and configured unless this is against local site policy."
+    impact: "IETF RFC 4038 recommends that applications are built with an assumption of dual stack. When enabled, IPv6 will require additional configuration to reduce risk to the system."
+    remediation: "Enable or disable IPv6 in accordance with system requirements and local site policy."
+    compliance:
+      - cis: ["3.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1557", "T1595", "T1595.001", "T1595.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "f:/sys/module/ipv6/parameters/disable -> r:^0$"
+
+  # 3.1.2 Ensure wireless interfaces are disabled. (Automated) - Not Implemented
+
+  # 3.1.3 Ensure bluetooth is disabled. (Automated)
+  - id: 19079
+    title: "Ensure bluetooth is disabled."
+    description: "Bluetooth is a short-range wireless technology standard that is used for exchanging data between devices over short distances. It employs UHF radio waves in the ISM bands, from 2.402 GHz to 2.48 GHz. It is mainly used as an alternative to wire connections."
+    rationale: "An attacker may be able to find a way to access or corrupt your data. One example of this type of activity is bluesnarfing, which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost."
+    impact: "Many personal electronic devices (PEDs) use Bluetooth technology. For example, you may be able to operate your computer with a wireless keyboard. Disabling Bluetooth will prevent these devices from connecting to the system."
+    remediation: "Run the following commands to stop and mask the Bluetooth service # systemctl stop bluetooth.service # systemctl mask bluetooth.service Note: A reboot may be required."
+    references:
+      - "https://www.cisa.gov/tips/st05-015"
+    compliance:
+      - cis: ["3.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "not c:systemctl is-enabled bluetooth.service -> r:^enabled"
+      - "not c:systemctl is-active bluetooth.service -> r:^active"
+
+  # 3.1.4 Ensure DCCP is disabled. (Automated) - Not Implemented
+  # 3.1.5 Ensure SCTP is disabled. (Automated) - Not Implemented
+  # 3.1.6 Ensure RDS is disabled. (Automated) Not Implemented
+  # 3.1.7 Ensure TIPC is disabled. (Automated) - Not Implemented
+
+  # 3.2.1 Ensure packet redirect sending is disabled. (Automated) - Not Implemented
+  # 3.2.2 Ensure IP forwarding is disabled. (Automated) - Not Implemented
+
+  # 3.3.1 Ensure source routed packets are not accepted. (Automated) - Not Implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted. (Automated) - Not Implemented
+  # 3.3.4 Ensure suspicious packets are logged. (Automated) - Not Implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored. (Automated) - Not Implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored. (Automated) - Not Implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled. (Automated) - Not Implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled. (Automated) - Not Implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted. (Automated) - Not Implemented
+
+  # 3.4.1.1 Ensure ufw is installed. (Automated)
+  - id: 19080
+    title: "Ensure ufw is installed."
+    description: "The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. UFW is dependent on the iptables package."
+    remediation: "Run the following command to install Uncomplicated Firewall (UFW): apt install ufw."
+    compliance:
+      - cis: ["3.4.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:install ok installed"
+
+  # 3.4.1.2 Ensure iptables-persistent is not installed with ufw. (Automated)
+  - id: 19081
+    title: "Ensure iptables-persistent is not installed with ufw."
+    description: "The iptables-persistent is a boot-time loader for netfilter rules, iptables plugin."
+    rationale: "Running both ufw and the services included in the iptables-persistent package may lead to conflict."
+    remediation: "Run the following command to remove the iptables-persistent package: # apt purge iptables-persistent."
+    compliance:
+      - cis: ["3.4.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s iptables-persistent -> r:package 'iptables-persistent' is not installed"
+
+  # 3.4.1.3 Ensure ufw service is enabled. (Automated)
+  - id: 19082
+    title: "Ensure ufw service is enabled."
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Note: - When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall. - Run the following command before running ufw enable. # ufw allow proto tcp from any to any port 22 - The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy) - By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using ufw --force enable."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask the ufw daemon: # systemctl unmask ufw.service Run the following command to enable and start the ufw daemon: # systemctl --now enable ufw.service active Run the following command to enable ufw: # ufw enable."
+    references:
+      - "http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html"
+    compliance:
+      - cis: ["3.4.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ufw.service -> r:enabled"
+      - "c:systemctl is-active ufw -> r:^active"
+      - "c:ufw status -> r:active"
+
+  # 3.4.1.4 Ensure ufw loopback traffic is configured. (Automated)
+  - id: 19083
+    title: "Ensure ufw loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1."
+    compliance:
+      - cis: ["3.4.1.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:Anywhere on lo\s*\t*ALLOW IN\s*\t*Anywhere'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*DENY IN\s*\t*127.0.0.0/8'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\) on lo\s*\t*ALLOW IN\s*\t*Anywhere \(v6\)'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*DENY IN\s*\t*::1'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*ALLOW OUT\s*\t*Anywhere on lo'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*\t*ALLOW OUT\s*\t*Anywhere \(v6\) on lo'
+
+  # 3.4.1.5 Ensure ufw outbound connections are configured. (Manual) - Not Implemented
+  # 3.4.1.6 Ensure ufw firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.1.7 Ensure ufw default deny firewall policy. (Automated)
+  - id: 19084
+    title: "Ensure ufw default deny firewall policy."
+    description: "A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    impact: "Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny. ufw allow git ufw allow in http ufw allow out http <- required for apt to connect to repository ufw allow in https ufw allow out https ufw allow out 53 ufw logging on."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed."
+    compliance:
+      - cis: ["3.4.1.7"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(incoming)|reject\W+(incoming)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(outgoing)|reject\W+(outgoing)'
+      - 'c:ufw status verbose -> r:^Default && r:deny\W+(routed)|reject\W+(routed)'
+
+  # 3.4.2.1 Ensure nftables is installed. (Automated)
+  - id: 19085
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: - nftables is available in Linux kernel 3.13 and newer - Only one firewall utility should be installed and configured - Changing firewall settings while connected over the network can result in being locked out of the system."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install nftables: # apt install nftables."
+    compliance:
+      - cis: ["3.4.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s nftables -> r:install ok installed"
+
+  # 3.4.2.2 Ensure ufw is uninstalled or disabled with nftables. (Automated)
+  - id: 19086
+    title: "Ensure ufw is uninstalled or disabled with nftables."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use."
+    rationale: "Running both the nftables service and ufw may lead to conflict and unexpected results."
+    remediation: "Run one of the following to either remove ufw or disable ufw and mask ufw.service: Run the following command to remove ufw: # apt purge ufw -OR- Run the following commands to disable ufw and mask ufw.service: # ufw disable # systemctl stop ufw.service # systemctl mask ufw.service Note: ufw disable needs to be run before systemctl mask ufw.service in order to correctly disable UFW."
+    compliance:
+      - cis: ["3.4.2.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "not c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:install ok installed"
+      - "c:ufw status -> r:inactive"
+      - "c:systemctl is-enabled ufw.service -> r:^masked"
+
+  # 3.4.2.3 Ensure iptables are flushed with nftables. (Manual) - Not Implemented
+
+  # 3.4.2.4 Ensure a nftables table exists. (Automated)
+  - id: 19087
+    title: "Ensure a nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.4.2.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.4.2.5 Ensure nftables base chains exist. (Automated)
+  - id: 19088
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.4.2.5"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input"
+      - "c:nft list ruleset -> r:hook forward"
+      - "c:nft list ruleset -> r:hook output"
+
+  # 3.4.2.6 Ensure nftables loopback traffic is configured. (Automated)
+  - id: 19089
+    title: "Ensure nftables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # nft add rule inet filter input iif lo accept # nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop -IF- IPv6 is enabled on the system: Run the following command to implement the IPv6 loopback rule: # nft add rule inet filter input ip6 saddr ::1 counter drop."
+    compliance:
+      - cis: ["3.4.2.6"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.4.2.7 Ensure nftables outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.2.8 Ensure nftables default deny firewall policy. (Automated)
+  - id: 19090
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.4.2.8"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.4.2.9 Ensure nftables service is enabled. (Automated)
+  - id: 19091
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.4.2.9"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.4.2.10 Ensure nftables rules are permanent. (Automated)
+  - id: 19092
+    title: "Ensure nftables rules are permanent."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and output base chains allow network traffic to be filtered."
+    rationale: "Changes made to nftables ruleset only affect the live system, you will also need to configure the nftables ruleset to apply on boot."
+    remediation: 'Edit the /etc/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot Example: # vi /etc/nftables.conf Add the line: include "/etc/nftables.rules".'
+    compliance:
+      - cis: ["3.4.2.10"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "f:/etc/nftables.conf -> r:include *"
+
+  # 3.4.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 19093
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-persistent # apt install iptables iptables-persistent."
+    compliance:
+      - cis: ["3.4.3.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:apt list iptables iptables-persistent -> r:installed,automatic"
+
+  # 3.4.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 19094
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # apt purge nftables."
+    compliance:
+      - cis: ["3.4.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nftables -> r:unknown ok not-installed"
+
+  # 3.4.3.1.3 Ensure ufw is uninstalled or disabled with iptables. (Automated)
+  - id: 19095
+    title: "Ensure ufw is uninstalled or disabled with iptables."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. - Uses a command-line interface consisting of a small number of simple commands - Uses iptables for configuration."
+    rationale: "Running iptables.persistent with ufw enabled may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or stop and mask ufw Run the following command to remove ufw: # apt purge ufw -OR- Run the following commands to disable ufw: # ufw disable # systemctl stop ufw # systemctl mask ufw Note: ufw disable needs to be run before systemctl mask ufw in order to correctly disable UFW."
+    compliance:
+      - cis: ["3.4.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ufw -> r:unknown ok not-installed"
+      - "c:ufw status -> r:inactive"
+      - "c:systemctl is-enabled ufw -> r:masked"
+      - "c:ufw status -> r:inactive"
+
+  # 3.4.3.2.1 Ensure iptables default deny firewall policy. (Automated)
+  - id: 19096
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy DROP\)|Chain INPUT \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy DROP\)|Chain FORWARD \(policy REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy DROP\)|Chain OUTPUT \(policy REJECT\)'
+
+  # 3.4.3.2.2 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 19097
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Notes: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.4.3.2.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.4.3.2.3 Ensure iptables outbound and established connections are configured. (Manual) - Not Implemented
+
+  # 3.4.3.2.4 Ensure iptables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 3.4.3.3.1 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 19098
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "IF IPv6 is enabled on your system: Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.4.3.3.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.4.3.3.2 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 19099
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.4.3.3.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
+
+  # 3.4.3.3.3 Ensure ip6tables outbound and established connections are configured. (Manual) - Not Implemented
+  # 3.4.3.3.4 Ensure ip6tables firewall rules exist for all open ports. (Automated) - Not Implemented
+
+  # 4.1.1 Ensure cron daemon is enabled and active. (Automated)
+  - id: 19100
+    title: "Ensure cron daemon is enabled and active."
+    description: "The cron daemon is used to execute batch jobs on the system. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable and start cron: # systemctl unmask cron # systemctl --now enable cron."
+    compliance:
+      - cis: ["4.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> r:^enabled"
+      - "c:systemctl status cron -> r:^active"
+
+  # 4.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 19101
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["4.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/crontab -> r:600\s*\t*-rw-------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 19102
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/."
+    compliance:
+      - cis: ["4.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.hourly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 19103
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.daily directory: # chown root:root /etc/cron.daily/ # chmod og-rwx /etc/cron.daily/."
+    compliance:
+      - cis: ["4.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.daily/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 19104
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.weekly directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/."
+    compliance:
+      - cis: ["4.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.weekly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 19105
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.monthly directory: # chown root:root /etc/cron.monthly/ # chmod og-rwx /etc/cron.monthly/."
+    compliance:
+      - cis: ["4.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.monthly/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 19106
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.d directory: # chown root:root /etc/cron.d/ # chmod og-rwx /etc/cron.d/."
+    compliance:
+      - cis: ["4.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.d/ -> r:700\s*\t*drwx------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 19107
+    title: "Ensure cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: - Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy - Even though a given user is not listed in cron.allow, cron jobs can still be run as that user - The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following script to: - Remove /etc/cron.deny if it exists - Create /etc/cron.allow if it doesn't exist - Change ownership of /etc/cron.allow to the root user - Change group ownership of /etc/cron.allow to the group crontab #!/usr/bin/env bash { if dpkg-query -W cron > /dev/null 2>&1; then l_file=\"/etc/cron.allow\" l_mask='0137' l_maxperm=\"$( printf '%o' $(( 0777 & ~$l_mask)) )\" if [ -e /etc/cron.deny ]; then echo -e \" - Removing \\\"/etc/cron.deny\\\"\" rm -f /etc/cron.deny fi if [ ! -e /etc/cron.allow ]; then echo -e \" - creating \\\"$l_file\\\"\" touch \"$l_file\" fi while read l_mode l_fown l_fgroup; do if [ $(( $l_mode & $l_mask )) -gt 0 ]; then echo -e \" - Removing excessive permissions from \\\"$l_file\\\"\" chmod u-x,g-wx,o-rwx \"$l_file\" fi if [ \"$l_fown\" != \"root\" ]; then echo -e \" - Changing owner on \\\"$l_file\\\" from: \\\"$l_fown\\\" to: \\\"root\\\"\" chown root \"$l_file\" fi if [ \"$l_fgroup\" != \"crontab\" ]; then echo -e \" - Changing group owner on \\\"$l_file\\\" from: \\\"$l_fgroup\\\" to: \\\"crontab\\\"\" chgrp crontab \"$l_file\" fi done < <(stat -Lc '%#a %U %G' \"$l_file\") else echo -e \"- cron is not installed on the system, no remediation required\\n\" fi }."
+    compliance:
+      - cis: ["4.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/cron.allow"
+      - "not f:/etc/cron.deny"
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/cron.allow -> r:640\s*\t*-rw-r-----\s*\t*0\s*\t*root\s*\t*0\s*\t*crontab'
+
+  # 4.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 19108
+    title: "Ensure at is restricted to authorized users."
+    description: "Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following script to: - Remove /etc/at.deny if it exists - Create /etc/at.allow if it doesn't exist - Change ownership of /etc/at.allow to the root user - Change group ownership of /etc/at.allow to the group root #!/usr/bin/env bash { if dpkg-query -W at > /dev/null 2>&1; then l_file=\"/etc/at.allow\" l_mask='0137' l_maxperm=\"$( printf '%o' $(( 0777 & ~$l_mask)) )\" if [ -e /etc/at.deny ]; then echo -e \" - Removing \\\"/etc/at.deny\\\"\" rm -f /etc/at.deny fi if [ ! -e /etc/at.allow ]; then echo -e \" - creating \\\"$l_file\\\"\" touch \"$l_file\" fi while read l_mode l_fown l_fgroup; do if [ $(( $l_mode & $l_mask )) -gt 0 ]; then echo -e \" - Removing excessive permissions from \\\"$l_file\\\"\" chmod u-x,g-wx,o-rwx \"$l_file\" fi if [ \"$l_fown\" != \"root\" ]; then echo -e \" - Changing owner on \\\"$l_file\\\" from: \\\"$l_fown\\\" to: \\\"root\\\"\" chown root \"$l_file\" fi if [ \"$l_fgroup\" != \"root\" ]; then echo -e \" - Changing group owner on \\\"$l_file\\\" from: \\\"$l_fgroup\\\" to: \\\"root\\\"\" chgrp root \"$l_file\" fi done < <(stat -Lc '%#a %U %G' \"$l_file\") else echo -e \"- cron is not installed on the system, no remediation required\\n\" fi }."
+    compliance:
+      - cis: ["4.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/at.allow"
+      - "not f:/etc/at.deny"
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/at.allow -> r:640\s*\t*-rw-r-----\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+
+  # 4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 19109
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The file /etc/ssh/sshd_config, and files ending in .conf in the /etc/ssh/sshd_config.d directory, contain configuration specifications for sshd."
+    rationale: "configuration specifications for sshd need to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following script to set ownership and permissions on /etc/ssh/sshd_config and files ending in .conf in the /etc/ssh/sshd_config.d directory: #!/usr/bin/env bash { chmod u-x,og-rwx /etc/ssh/sshd_config chown root:root /etc/ssh/sshd_config while IFS= read -r -d $'\\0' l_file; do if [ -e \"$l_file\" ]; then chmod u-x,og-rwx \"$l_file\" chown root:root \"$l_file\" fi done < <(find /etc/ssh/sshd_config.d -type f -print0) }."
+    compliance:
+      - cis: ["4.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%a %A %u %U  %g %G" /etc/ssh/sshd_config -> r:600\s*\t*-rw-------\s*\t*0\s*\t*root\s*\t*0\s*\t*root'
+      - 'c:sh -c "stat -L /etc/ssh/sshd_config.d/*.conf" -> r:Access:\s*\(0600/-rw-------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 4.2.2 Ensure permissions on SSH private host key files are configured. (Automated) - Not Implemented
+
+  # 4.2.3 Ensure permissions on SSH public host key files are configured. (Automated)
+  - id: 19110
+    title: "Ensure permissions on SSH public host key files are configured."
+    description: "An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authenticate successfully."
+    rationale: "If a public host key file is modified by an unauthorized user, the SSH service may be compromised."
+    remediation: "Run the following script to set mode, ownership, and group on the public SSH host key files: #!/usr/bin/env bash { l_pmask=\"0133\" l_maxperm=\"$( printf '%o' $(( 0777 & ~$l_pmask )) )\" awk '{print}' <<< \"$(find -L /etc/ssh -xdev -type f -exec stat -Lc \"%n %#a %U %G\" {} +)\" | (while read -r l_file l_mode l_owner l_group; do if file \"$l_file\" | grep -Pq ':\\h+OpenSSH\\h+(\\H+\\h+)?public\\h+key\\b'; then echo -e \" - Checking private key file: \\\"$l_file\\\"\" if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then echo -e \" - File: \\\"$l_file\\\" is mode \\\"$l_mode\\\" changing to mode: \\\"$l_maxperm\\\"\" chmod u-x,go-wx \"$l_file\" fi if [ \"$l_owner\" != \"root\" ]; then echo -e \" - File: \\\"$l_file\\\" is owned by: \\\"$l_owner\\\" changing owner to \\\"root\\\"\" chown root \"$l_file\" fi if [ \"$l_group\" != \"root\" ]; then echo -e \" - File: \\\"$l_file\\\" is owned by group \\\"$l_group\\\" changing to group \\\"root\\\"\" chgrp \"root\" \"$l_file\" fi fi done ) }."
+    compliance:
+      - cis: ["4.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0003", "TA0006"]
+      - mitre_techniques: ["T1557"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sh -c "find /etc/ssh -xdev -type f -name ''ssh_host_*_key.pub'' -exec stat {} \;" -> r:Access:\s*\( && !r:-rw-r--r--'
+
+  # 4.2.4 Ensure SSH access is limited. (Automated)
+  - id: 19111
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter above any Include entries as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist> Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location. If the Include location is not the default, /etc/ssh/sshd_config.d/*.conf, the audit will need to be modified to account for the Include location used."
+    compliance:
+      - cis: ["4.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*AllowUsers\s+\w+|^\s*AllowGroups\s+\w+|^\s*DenyUsers\s+\w+|^\s*DenyGroups\s+\w+'
+
+  # 4.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 19112
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: LogLevel VERBOSE OR LogLevel INFO Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["4.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*LogLevel\s+INFO|^\s*LogLevel\s+VERBOSE'
+      - 'not f:/etc/ssh/sshd_config -> !r:^\s*LogLevel\s+INFO|^\s*LogLevel\s+VERBOSE'
+      - 'not d:/etc/ssh/sshd_config.d/ -> r:\.*.conf$ -> !r:^\s*LogLevel\s+INFO|^\s*LogLevel\s+VERBOSE'
+
+  # 4.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 19113
+    title: "Ensure SSH PAM is enabled."
+    description: "The UsePAM directive enables the Pluggable Authentication Module (PAM) interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication directives in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: UsePAM yes Note: First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*usepam\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*usepam\s+no'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*usepam\s+no'
+
+  # 4.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 19114
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using SSH. The default is prohibit-password."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: PermitRootLogin no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitRootLogin\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*PermitRootLogin\s+yes'
+
+  # 4.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 19115
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: HostbasedAuthentication no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.8"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*HostbasedAuthentication\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*HostbasedAuthentication\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*HostbasedAuthentication\s+yes'
+
+  # 4.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 19116
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: PermitEmptyPasswords no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.9"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitEmptyPasswords\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*PermitEmptyPasswords\s+yes'
+
+  # 4.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 19117
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the SSH daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has SSH executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: PermitUserEnvironment no Note: First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.10"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*PermitUserEnvironment\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*PermitUserEnvironment\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*PermitUserEnvironment\s+yes'
+
+  # 4.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 19118
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: IgnoreRhosts yes Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.11"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*IgnoreRhosts\s+yes'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*IgnoreRhosts\s+no'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*IgnoreRhosts\s+no'
+
+  # 4.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 19119
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: X11Forwarding no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*X11Forwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*X11Forwarding\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*X11Forwarding\s+yes'
+
+  # 4.2.13 Ensure only strong Ciphers are used. (Automated)
+  - id: 19120
+    title: "Ensure only strong Ciphers are used."
+    description: 'This variable limits the ciphers that SSH can use during communication. Note: - Some organizations may have stricter requirements for approved ciphers. - Ensure that ciphers used are in compliance with site policy. - The only "strong" ciphers currently FIPS 140-2 compliant are: o aes256-ctr o aes192-ctr o aes128-ctr.'
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack. - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors.'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers above any Include entries: Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Note: First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+    compliance:
+      - cis: ["4.2.13"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "not c:sshd -T -> r:ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se"
+
+  # 4.2.14 Ensure only strong MAC algorithms are used. (Automated)
+  - id: 19121
+    title: "Ensure only strong MAC algorithms are used."
+    description: 'This variable limits the types of MAC algorithms that SSH can use during communication. Notes: - Some organizations may have stricter requirements for approved MACs. - Ensure that MACs used are in compliance with site policy. - The only "strong" MACs currently FIPS 140-2 approved are: o hmac-sha2-256 o hmac-sha2-512.'
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs above any Include entries: Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256,umac-128-etm@openssh.com,umac-128@openssh.com Note: First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    references:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    compliance:
+      - cis: ["4.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4", "16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "not c:sshd -T -> r:MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com"
+
+  # 4.2.15 Ensure only strong Key Exchange algorithms are used. (Automated)
+  - id: 19122
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received Notes: - Kex algorithms have a higher preference the earlier they appear in the list - Some organizations may have stricter requirements for approved Key exchange algorithms - Ensure that Key exchange algorithms used are in compliance with site policy - The only Key Exchange Algorithms currently FIPS 140-2 approved are: o ecdh-sha2-nistp256 o ecdh-sha2-nistp384 o ecdh-sha2-nistp521 o diffie-hellman-group-exchange-sha256 o diffie-hellman-group16-sha512 o diffie-hellman-group18-sha512 o diffie-hellman-group14-sha256."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms above any Include entries: Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- hellman-group-exchange-sha256 Note: First occurrence of a option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.15"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - "not c:sshd -T -> r:kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 4.2.16 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 19123
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and backdoors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments. In some environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: AllowTcpForwarding no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["4.2.16"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*AllowTcpForwarding\s+no'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*AllowTcpForwarding\s+yes'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*AllowTcpForwarding\s+yes'
+
+  # 4.2.17 Ensure SSH warning banner is configured. (Automated)
+  - id: 19124
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: Banner /etc/issue.net Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.17"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*banner\s*\t*/etc/issue.net'
+
+  # 4.2.18 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 19125
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: MaxAuthTries 4 Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.18"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+      - 'not f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare > 4'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^MaxAuthTries\s*\t*([5-9]|[1-9][0-9]+)'
+
+  # 4.2.19 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 19126
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: MaxStartups 10:30:60 Note: First occurrence of an option takes precedence. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> r:^\s*maxstartups\s+10:30:60'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))'
+
+  # 4.2.20 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 19127
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: LoginGraceTime 60 Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.20"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:logingracetime\s*\t*(\d+) compare <= 60 && n:LoginGraceTime\s*\t*(\d+) compare != 0'
+      - 'not f:/etc/ssh/sshd_config -> r:\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)'
+
+  # 4.2.21 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 19128
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: MaxSessions 10 Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    compliance:
+      - cis: ["4.2.21"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*maxsessions\s+(\d+) compare <= 10'
+      - 'not f:/etc/ssh/sshd_config -> r:^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)'
+      - 'not d:/etc/ssh/sshd_config.d -> r:\.*.conf$ -> r:^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)'
+
+  # 4.2.22 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 19129
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "Note: To clarify, the two settings described below are only meant for idle connections from a protocol perspective and are not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not and never had, intentionally, the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they were abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus it can no longer be abused disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinately, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters above any Include entries according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3 Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["4.2.22"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:ClientAliveInterval\s*\t*(\d+) compare > 0'
+      - 'c:sshd -T -> n:clientalivecountmax\s*\t*(\d+) compare > 0'
+
+  # 4.3.1 Ensure sudo is installed. (Automated)
+  - id: 19130
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "First determine is LDAP functionality is required. If so, then install sudo-ldap, else install sudo. Example: # apt install sudo."
+    compliance:
+      - cis: ["4.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - "c:dpkg -s sudo -> r:install ok installed"
+      - "c:dpkg -s sudo-ldap -> r:install ok installed"
+
+  # 4.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 19131
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE> and add the following line: Defaults use_pty Note: - sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. - Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. - Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. - Using a consistent number of leading zeroes in the file names can be used to avoid such problems."
+    compliance:
+      - cis: ["4.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1026", "M1038"]
+      - mitre_tactics: ["TA0001", "TA0003"]
+      - mitre_techniques: ["T1078", "T1078.003", "T1548", "T1548.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 4.3.3 Ensure sudo log file exists. (Automated)
+  - id: 19132
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Example: Defaults logfile="/var/log/sudo.log" Note: - sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. - Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. - Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. - Using a consistent number of leading zeroes in the file names can be used to avoid such problems.'
+    compliance:
+      - cis: ["4.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile='
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*logfile='
+
+  # 4.3.4 Ensure users must provide password for privilege escalation. (Automated)
+  - id: 19133
+    title: "Ensure users must provide password for privilege escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without (re-)authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user (re-)authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["4.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078", "T1548"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - "f:/etc/sudoers -> !r:^# && r:*NOPASSWD"
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^# && r:*NOPASSWD'
+
+  # 4.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 19134
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["4.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> !r:^# && r:*\!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^# && r:*\!authenticate'
+
+  # 4.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 19135
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. This default is distribution specific. See audit section for further information."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on it's own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["4.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'c:sudo -V -> r:Authentication timestamp timeout:\s*\t*15.0 minutes'
+      - 'f:/etc/sudoers -> n:timestamp_timeout=(\d+) compare <=15'
+      - 'd:/etc/sudoers.d -> r:\.* -> n:timestamp_timeout=(\d+) compare <=15'
+
+  # 4.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 19136
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["4.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so && r:use_uid && r:group=\w+'
+
+  # 4.4.1 Ensure password creation requirements are configured. (Automated)
+  - id: 19137
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following options are set in the /etc/security/pwquality.conf file: - Password Length: o minlen = 14 - password must be 14 characters or more - Password complexity: o minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR o dcredit = -1 - provide at least one digit o ucredit = -1 - provide at least one uppercase character o ocredit = -1 - provide at least one special character o lcredit = -1 - provide at least one lowercase character."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "The following setting is a recommend example policy. Alter these values to conform to your own organization's password policies. Run the following command to install the pam_pwquality module: # apt install libpam-pwquality Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy: minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy: Option 1 minclass = 4 Option 2 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 Edit the /etc/pam.d/common-password file to include pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3."
+    compliance:
+      - cis: ["4.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && n:minlen\s*=\s*(\d+) compare >= 14'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && n:minclass\s*=\s*(\d+) compare >= 4'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && r:dcredit = -1'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && r:ucredit = -1'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && r:lcredit = -1'
+      - 'f:/etc/security/pwquality.conf -> !r:^\s*# && r:ocredit = -1'
+      - 'f:/etc/pam.d/common-password -> !r:^\s*# && n:password\s*requisite\s*pam_pwquality.so\s*retry=(\d+) compare <=3'
+
+  # 4.4.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 19138
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. - deny=n - n represents the number of failed attempts before the account is locked - unlock_time=n - n represents the number of seconds before the account is unlocked - audit - Will log the user name into the system log if the user is not found. - silent - Don't print informative messages. Set the lockout number and unlock time in accordance with local site policy."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Edit the /etc/pam.d/common-account file and add the account lines bellow: account requisite pam_deny.so account required pam_tally2.so."
+    compliance:
+      - cis: ["4.4.2"]
+      - cis_csc_v7: ["16.7"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d+ && r:unlock_time\s*=\s*\d+'
+      - 'f:/etc/pam.d/common-auth -> n:deny\s*=\s*(\d+) compare <=5'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*requisite\s*\t*pam_deny.so'
+      - 'f:/etc/pam.d/common-account -> !r:^# && r:account\s*\t*required\s*\t*pam_tally2.so'
+
+  # 4.4.3 Ensure password reuse is limited. (Automated)
+  - id: 19139
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs or unexpected behavior. This is example configuration. You configuration may differ based on previous changes to the files. Edit the /etc/pam.d/common-password file to include: - password required pam_pwhistory.so remember=5 - use_authtok on the pam_unix.so line Example: password required pam_pwhistory.so remember=5 password [success=1 default=ignore] pam_unix.so obscure sha512 use_authtok."
+    references:
+      - "https://manpages.ubuntu.com/manpages/focal/man8/pam_pwhistory.8.html"
+      - "https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1989731"
+    compliance:
+      - cis: ["4.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare => 5'
+      - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:success && r:default\s*=\s*ignore && r:pam_unix.so && r:use_authtok'
+
+  # 4.4.4 Ensure strong password hashing algorithm is configured. (Automated)
+  - id: 19140
+    title: "Ensure strong password hashing algorithm is configured."
+    description: "Hash functions behave as one-way functions by using mathematical operations that are extremely difficult and cumbersome to revert When a user is created, the password is run through a one-way hashing algorithm before being stored. When the user logs in, the password sent is run through the same one-way hashing algorithm and compared to the hash connected with the provided username. If the hashed password and the stored hash match, the login is valid."
+    rationale: "The SHA512 hashing algorithm provides stronger hashing than previous available algorithms like MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
+    remediation: "Note: - Pay special attention to the configuration. Incorrect configuration can cause system lock outs. - This is an example configuration. Your configuration may differ based on previous changes to the files. - The encryption method on the password success line for pam_unix.so and the ENCRYPT_METHOD line in /etc/login.defs should match. Edit the /etc/pam.d/common-password file and ensure that sha512 is included and the pam_unix.so success line: Example: password [success=1 default=ignore] pam_unix.so obscure sha512 use_authtok Edit /etc/login.defs and ensure that ENCRYPT_METHOD is set to SHA512. ENCRYPT_METHOD SHA512."
+    compliance:
+      - cis: ["4.4.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && r:sha512"
+
+  # 4.4.5 Ensure all current passwords uses the configured hashing algorithm. (Manual) - Not Implemented
+
+  # 4.5.1.1 Ensure minimum days between password changes is configured. (Automated)
+  - id: 19141
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs: PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["4.5.1.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 1'
+      - 'not f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:(\d+) compare < 1'
+
+  # 4.5.1.2 Ensure password expiration is 365 days or less. (Automated)
+  - id: 19142
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. It is recommended that the PASS_MAX_DAYS parameter does not exceed 365 days and is greater than the value of PASS_MIN_DAYS."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["4.5.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare > 0'
+      - 'not f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:(\d+) compare > 365'
+
+  # 4.5.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 19143
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["4.5.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'not f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:\d*:(\d+) compare < 7'
+
+  # 4.5.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 19144
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["4.5.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+      - 'not c:useradd -D -> n:^INACTIVE=(\d+) compare < 0'
+      - 'not f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:\d*:\d+:(\d+) compare > 30'
+
+  # 4.5.1.5 Ensure all users last password change date is in the past. (Automated) - Not Implemented
+
+  # 4.5.1.6 Ensure the number of changed characters in a new password is configured. (Automated)
+  - id: 19145
+    title: "Ensure the number of changed characters in a new password is configured."
+    description: "The pwquality difok option sets the number of characters in a password that must not be present in the old password."
+    rationale: "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."
+    remediation: "Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or more: difok = 2."
+    compliance:
+      - cis: ["4.5.1.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:difok\s*\t*=\s*\t*(\d+) compare => 2'
+
+  # 4.5.1.7 Ensure preventing the use of dictionary words for passwords is configured. (Automated)
+  - id: 19146
+    title: "Ensure preventing the use of dictionary words for passwords is configured."
+    description: "The pwquality dictcheck option sets whether to check for the words from the cracklib dictionary."
+    rationale: "If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks."
+    remediation: "Edit or add the following line in /etc/security/pwquality.conf to a value of 1: dictcheck = 1."
+    compliance:
+      - cis: ["4.5.1.7"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:dictcheck\s*\t*=\s*\t*(\d+) compare = 1'
+
+  # 4.5.2 Ensure system accounts are secured. (Automated) - Not Implemented
+
+  # 4.5.3 Ensure default group for the root account is GID 0. (Automated)
+  - id: 19147
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["4.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+  # 4.5.4 Ensure default user umask is 027 or more restrictive. (Automated) - Not Implemented
+
+  # 4.5.5 Ensure default user shell timeout is configured. (Automated) - Not Implemented
+
+  # 4.5.6 Ensure nologin is not listed in /etc/shells. (Automated)
+  - id: 19148
+    title: "Ensure nologin is not listed in /etc/shells."
+    description: "/etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh and available to be queried by other programs. Be aware that there are programs which consult this file to find out if a user is a normal user; for example, FTP daemons traditionally disallow access to users with shells not included in this file."
+    rationale: "A user can use chsh to change their configured shell. If a user has a shell configured that isn't in in /etc/shells, then the system assumes that they're somehow restricted. In the case of chsh it means that the user cannot change that value. Other programs might query that list and apply similar restrictions. By putting nologin in /etc/shells, any user that has nologin as its shell is considered a full, unrestricted user. This is not the expected behavior for nologin."
+    remediation: "Edit /etc/shells and remove any lines that include nologin."
+    compliance:
+      - cis: ["4.5.6"]
+    condition: all
+    rules:
+      - "not f:/etc/shells -> !r:^# && r:nologins"
+
+  # 4.5.7 Ensure maximum number of same consecutive characters in a password is configured. (Automated)
+  - id: 19149
+    title: "Ensure maximum number of same consecutive characters in a password is configured."
+    description: "The pwquality maxrepeat option sets the maximum number of allowed same consecutive characters in a new password."
+    rationale: "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised."
+    remediation: "Edit or add the following line in /etc/security/pwquality.conf to a value of 3 or less and not 0: maxrepeat = 3."
+    compliance:
+      - cis: ["4.5.7"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/security/pwquality.conf -> !r:^# && n:maxrepeat\s*\t*=\s*\t*(\d+) compare <=3'
+      - 'not f:/etc/security/pwquality.conf -> !r:^# && n:maxrepeat\s*\t*=\s*\t*(\d+) compare =0'
+
+  # 5.1.1.1.1 Ensure systemd-journal-remote is installed. (Automated)
+  - id: 19150
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # apt install systemd-journal-remote."
+    compliance:
+      - cis: ["5.1.1.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' systemd-journal-remote -> r:install ok installed"
+
+  # 5.1.1.1.2 Ensure systemd-journal-remote is configured. (Manual)
+  - id: 19151
+    title: "Ensure systemd-journal-remote is configured."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Edit the /etc/systemd/journal-upload.conf file and ensure the following lines are set per your environment: URL=192.168.50.42 ServerKeyFile=/etc/ssl/private/journal-upload.pem ServerCertificateFile=/etc/ssl/certs/journal-upload.pem TrustedCertificateFile=/etc/ssl/ca/trusted.pem Restart the service: # systemctl restart systemd-journal-upload."
+    compliance:
+      - cis: ["5.1.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journal-upload.conf -> r:URL="
+      - "f:/etc/systemd/journal-upload.conf -> r:ServerKeyFile="
+      - "f:/etc/systemd/journal-upload.conf -> r:ServerCertificateFile="
+      - "f:/etc/systemd/journal-upload.conf -> r:TrustedCertificateFile="
+
+  # 5.1.1.1.3 Ensure systemd-journal-remote is enabled. (Manual)
+  - id: 19152
+    title: "Ensure systemd-journal-remote is enabled."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service."
+    compliance:
+      - cis: ["5.1.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-upload.service -> r:^enabled"
+
+  # 5.1.1.1.4 Ensure journald is not configured to receive logs from a remote client. (Automated)
+  - id: 19153
+    title: "Ensure journald is not configured to receive logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. Note: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now disable systemd-journal-remote.socket."
+    compliance:
+      - cis: ["5.1.1.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:^disabled"
+
+  # 5.1.1.2 Ensure journald service is enabled. (Automated)
+  - id: 19154
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["5.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:^static"
+
+  # 5.1.1.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 19155
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file or a file ending in .conf in /etc/systemd/journald.conf.d/ and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["5.1.1.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Compress=yes"
+      - 'd:/etc/systemd/journald.conf.d -> r:\.* -> r:^Compress=yes'
+
+  # 5.1.1.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 19156
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file or a file ending in .conf in /etc/systemd/journald.conf.d/ and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["5.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^Storage=persistent"
+      - 'd:/etc/systemd/journald.conf.d -> r:\.* -> r:^Storage=persistent'
+
+  # 5.1.1.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 19157
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and files in /etc/systemd/journald.conf.d/ and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["5.1.1.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: any
+    rules:
+      - 'not f:/etc/systemd/journald.conf -> !r:^# && r:ForwardToSyslog\s*=\s*yes'
+      - 'not d:/etc/systemd/journald.conf.d -> r:\.* -> !r:^# && r:ForwardToSyslog\s*=\s*yes'
+
+  # 5.1.1.6 Ensure journald log rotation is configured per site policy. (Manual)
+  - id: 19158
+    title: "Ensure journald log rotation is configured per site policy."
+    description: "Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated."
+    rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files."
+    remediation: "Review /etc/systemd/journald.conf and verify logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritisation of parameters. The specific parameters for log rotation are: SystemMaxUse= SystemKeepFree= RuntimeMaxUse= RuntimeKeepFree= MaxFileSec=."
+    compliance:
+      - cis: ["5.1.1.6"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:SystemMaxUse="
+      - "f:/etc/systemd/journald.conf -> r:SystemKeepFree="
+      - "f:/etc/systemd/journald.conf -> r:RuntimeMaxUse="
+      - "f:/etc/systemd/journald.conf -> r:RuntimeKeepFree="
+      - "f:/etc/systemd/journald.conf -> r:MaxFileSec="
+
+  # 5.1.1.7 Ensure journald default file permissions configured. (Manual) - Not Implemented
+
+  # 5.1.2.1 Ensure rsyslog is installed. (Automated)
+  - id: 19159
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # apt install rsyslog."
+    compliance:
+      - cis: ["5.1.2.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsyslog -> r:install ok installed"
+
+  # 5.1.2.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 19160
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["5.1.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:^enabled"
+
+  # 5.1.2.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 19161
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["5.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - 'f:/etc/systemd/journald.conf -> r:^\s*\t*ForwardToSyslog\s*=\s*yes'
+
+  # 5.1.2.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 19162
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["5.1.2.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+      - 'd:/etc/rsyslog.d/ -> r:\.*.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0 && r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d00'
+
+  # 5.1.2.5 Ensure logging is configured. (Manual) - Not Implemented
+  # 5.1.2.6 Ensure rsyslog is configured to send logs to a remote log host. (Manual) - Not Implemented
+
+  # 5.1.2.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 19163
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["5.1.2.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not d:/etc/rsyslog.d -> r:\.*.conf$ -> !r:^# && r:module\(load="imtcp"\)|input\(type="imtcp" port="514"\)'
+      - 'not f:/etc/rsyslog.conf -> !r:^# && r:module\(load="imtcp"\)|input\(type="imtcp" port="514"\)'
+
+  # 5.1.3 Ensure all logfiles have appropriate access configured. (Automated) - Not Implemented
+
+  # 5.2.1.1 Ensure auditd is installed. (Automated)
+  - id: 19164
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # apt install auditd."
+    compliance:
+      - cis: ["5.2.1.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' auditd -> r: install ok installed"
+
+  # 5.2.1.2 Ensure auditd service is enabled and active. (Automated)
+  - id: 19165
+    title: "Ensure auditd service is enabled and active."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable and start auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["5.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:^enabled"
+      - "c:systemctl is-active auditd -> r:^active"
+
+  # 5.2.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 19166
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["5.2.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  # 5.2.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 19167
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "In the kernel-level audit subsystem, a socket buffer queue is used to hold audit events. Whenever a new audit event is received, it is logged and prepared to be added to this queue. The kernel boot parameter audit_backlog_limit=N, with N representing the amount of messages, will ensure that a queue cannot grow beyond a certain size. If an audit event is logged which would grow the queue beyond this limit, then a failure occurs and is handled according to the system configuration."
+    rationale: "If an audit event is logged which would grow the queue beyond the audit_backlog_limit, then a failure occurs, auditd records will be lost, and potential malicious activity could go undetected."
+    remediation: 'Edit /etc/default/grub and add audit_backlog_limit=N to GRUB_CMDLINE_LINUX. The recommended size for N is 8192 or larger. Example: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["5.2.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028", "M1047"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:audit_backlog_limit'
+
+  # 5.2.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 19168
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["5.2.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+  # 5.2.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 19169
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["5.2.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+  # 5.2.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 19170
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["5.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*space_left_action\s*=\s*email'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*action_mail_acct\s*=\s*root'
+      - 'f:/etc/audit/auditd.conf -> r:^\s*admin_space_left_action\s*=\s*halt|^\s*admin_space_left_action\s*=\s*single'
+
+  # 5.2.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 19171
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope|key=\\s*\t*scope'
+      - 'c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope|key=\\s*\t*scope'
+
+  # 5.2.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 19172
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=-1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 5.2.3.3 Ensure events that modify the sudo log file are collected. (Automated) - Not Implemented
+
+  # 5.2.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 19173
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: 'Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf " -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change.'
+    compliance:
+      - cis: ["5.2.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 5.2.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 19174
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/networks - symbolic names for networks - /etc/network/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_locale.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/networks/ && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 5.2.3.6 Ensure use of privileged commands are collected. (Automated) - Not Implemented
+  # 5.2.3.7 Ensure unsuccessful file access attempts are collected. (Automated) - Not Implemented
+
+  # 5.2.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 19175
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 5.2.3.9 Ensure discretionary access control permission modification events are collected. (Automated) - Not Implemented
+
+  # 5.2.3.10 Ensure successful file system mounts are collected. (Automated)
+  - id: 19176
+    title: "Ensure successful file system mounts are collected."
+    description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+    rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful file system mounts. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b32 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>=$UID_MIN -F auid!=unset -k mounts \" >> /etc/audit/rules.d/50-mounts.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.10"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1034"]
+      - mitre_tactics: ["TA0010"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["CM-6"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k mounts|key=mounts'
+
+  # 5.2.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 19177
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 5.2.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 19178
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 5.2.3.13 Ensure file deletion events by users are collected. (Automated)
+  - id: 19179
+    title: "Ensure file deletion events by users are collected."
+    description: 'Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for: - unlink - remove a file - unlinkat - remove a file attribute - rename - rename a file - renameat rename a file attribute system calls and tags them with the identifier "delete".'
+    rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete \" >> /etc/audit/rules.d/50-delete.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.13"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:unlink && r:unlinkat && r:rename && r:renameat && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k delete|key=delete'
+
+  # 5.2.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 19180
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor AppArmor, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor/ and /etc/apparmor.d/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/apparmor/ and /etc/apparmor.d/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor.d && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 5.2.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. (Automated)
+  - id: 19181
+    title: "Ensure successful and unsuccessful attempts to use the chcon command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chcon command."
+    rationale: "The chcon command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chcon command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.15"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chcon && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|key=perm_chng'
+
+  # 5.2.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. (Automated)
+  - id: 19182
+    title: "Ensure successful and unsuccessful attempts to use the setfacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the setfacl command."
+    rationale: "This utility sets Access Control Lists (ACLs) of files and directories. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the setfacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.16"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/setfacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 5.2.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. (Automated)
+  - id: 19183
+    title: "Ensure successful and unsuccessful attempts to use the chacl command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the chacl command. chacl is an IRIX-compatibility command, and is maintained for those users who are familiar with its use from either XFS or IRIX."
+    rationale: "chacl changes the ACL(s) for a file or directory. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the chacl command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k perm_chng \" >> /etc/audit/rules.d/50-perm_chng.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.17"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/chacl && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k perm_chng|-F key=perm_chng'
+
+  # 5.2.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. (Automated)
+  - id: 19184
+    title: "Ensure successful and unsuccessful attempts to use the usermod command are recorded."
+    description: "The operating system must generate audit records for successful/unsuccessful uses of the usermod command."
+    rationale: "The usermod command modifies the system account files to reflect the changes that are specified on the command line. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter)."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor successful and unsuccessful attempts to use the usermod command. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k usermod \" >> /etc/audit/rules.d/50-usermod.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["5.2.3.18"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/sbin/usermod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k usermod|-F key=usermod'
+
+  # 5.2.3.19 Ensure kernel module loading unloading and modification is collected. (Automated)
+  - id: 19185
+    title: "Ensure kernel module loading unloading and modification is collected."
+    description: "Monitor the loading and unloading of kernel modules. All the loading / listing / dependency checking of modules is done by kmod via symbolic links. The following system calls control loading and unloading of modules: - init_module - load a module - finit_module - load a module (used when the overhead of using cryptographically signed modules to determine the authenticity of a module can be avoided) - delete_module - delete a module - create_module - create a loadable module entry - query_module - query the kernel for various bits pertaining to modules Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of modules."
+    rationale: "Monitoring the use of all the various ways to manipulate kernel modules could provide system administrators with evidence that an unauthorized change was made to a kernel module, possibly compromising the security of the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor kernel module modification. 64 Bit systems Example: # { UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs) [ -n \"${UID_MIN}\" ] && printf \" -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=${UID_MIN} -F auid!=unset -k kernel_modules \" >> /etc/audit/rules.d/50-kernel_modules.rules || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\" } Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.19"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S && r:init_module && r:finit_module && r:delete_module && r:create_module && r:query_module && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - 'c:auditctl -l-> r:^-a && r:always,exit|exit,always && r:-F path=/usr/bin/kmod && r:-F perm=x && r:-F auid>=\d+ && r:-F auid!=-1|-F auid!=4294967295|-F auid!=unset && r:-k kernel_modules|-F key=kernel_modules'
+      - "c:ls -l /usr/sbin/lsmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/rmmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/insmod -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modinfo -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/modprobe -> r:/bin/kmod"
+      - "c:ls -l /usr/sbin/depmod -> r:/bin/kmod"
+
+  # 5.2.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 19186
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2 \" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["5.2.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1028"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:sh -c "grep -iEh ''^\s*\t*-e 2\s*$'' /etc/audit/rules.d/*.rules | tail -1" -> r:^\s*\t*-e 2\s*$'
+
+  # 5.2.3.21 Ensure the running and on disk configuration is the same. (Manual)
+  - id: 19187
+    title: "Ensure the running and on disk configuration is the same."
+    description: "The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ. Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules."
+    rationale: "Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements."
+    remediation: 'If the rules are not aligned across all three () areas, run the following command to merge and load all rules: # augenrules --load Check if reboot is required. if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi.'
+    compliance:
+      - cis: ["5.2.3.21"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:augenrules --check -> r:^\s*/usr/sbin/augenrules && r:No change$'
+
+  # 5.2.4.1 Ensure audit log files are mode 0640 or less permissive. (Automated) - Not Implemented
+  # 5.2.4.2 Ensure only authorized users own audit log files. (Automated) - Not Implemented
+
+  # 5.2.4.3 Ensure only authorized groups are assigned ownership of audit log files. (Automated)
+  - id: 19188
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be group owned by adm: # find $(dirname $(awk -F\"=\" '/^\\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["5.2.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:^\s*\t*log_group\s*\t*=\s*\t*adm|^\s*\t*log_group\s*\t*=\s*\t*root'
+
+  # 5.2.4.4 Ensure the audit log directory is 0750 or more restrictive. (Automated) - Not Implemented
+
+  # 5.2.4.5 Ensure audit configuration files are 640 or more restrictive. (Automated)
+  - id: 19189
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["5.2.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.rules" -> r:^/etc/audit && !r:640|600|400'
+      - 'not c:sh -c "stat -Lc \"%n %a\" /etc/audit/*.conf" -> r:^/etc/audit && !r:640|600|400'
+
+  # 5.2.4.6 Ensure audit configuration files are owned by root. (Automated)
+  - id: 19190
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["5.2.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %U\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 5.2.4.7 Ensure audit configuration files belong to group root. (Automated)
+  - id: 19191
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["5.2.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.rules" -> r:^/etc/audit && !r:root'
+      - 'not c:sh -c "stat -Lc \"%n %G\" /etc/audit/*.conf" -> r:^/etc/audit && !r:root'
+
+  # 5.2.4.8 Ensure audit tools are 755 or more restrictive. (Automated)
+  - id: 19192
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["5.2.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 5.2.4.9 Ensure audit tools are owned by root. (Automated)
+  - id: 19193
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["5.2.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditctl -> r:^/sbin && !r:0 root 0 root'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/aureport -> r:^/sbin && !r:0 root 0 root'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/ausearch -> r:^/sbin && !r:0 root 0 root'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/autrace -> r:^/sbin && !r:0 root 0 root'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/auditd -> r:^/sbin && !r:0 root 0 root'
+      - 'not c:stat -c "%n %u %U %g %G" /sbin/augenrules -> r:^/sbin && !r:0 root 0 root'
+
+  # 5.2.4.10 Ensure audit tools belong to group root. (Automated)
+  - id: 19194
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["5.2.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditctl -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %a %U %G" /sbin/aureport -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %a %U %G" /sbin/ausearch -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %a %U %G" /sbin/autrace -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %a %U %G" /sbin/auditd -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+      - 'not c:stat -c "%n %a %U %G" /sbin/augenrules -> r:^/sbin && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 5.2.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+  - id: 19195
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: "Add or update the following selection lines for to a file ending in .conf in the /etc/aide/aide.conf.d/ or to /etc/aide/aide.conf to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512."
+    compliance:
+      - cis: ["5.2.4.11"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+    condition: all
+    rules:
+      - "f:/etc/aide/aide.conf -> r:/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512"
+      - "f:/etc/aide/aide.conf -> r:/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512"
+      - "f:/etc/aide/aide.conf -> r:/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512"
+      - "f:/etc/aide/aide.conf -> r:/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512"
+      - "f:/etc/aide/aide.conf -> r:/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512"
+      - "f:/etc/aide/aide.conf -> r:/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512"
+
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 19196
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd: # chmod u-x,go-wx /etc/passwd # chown root:root /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 19197
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/passwd-: # chmod u-x,go-wx /etc/passwd- # chown root:root /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/passwd- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 19198
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group: # chmod u-x,go-wx /etc/group # chown root:root /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 19199
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/group-: # chmod u-x,go-wx /etc/group- # chown root:root /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/group- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 19200
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow to root and group to either root or shadow: # chown root:shadow /etc/shadow -OR- # chown root:root /etc/shadow Run the following command to remove excess permissions form /etc/shadow: # chmod u-x,g-wx,o-rwx /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow -> r:0 root \d+ shadow|0 root 0 root && r: r:644|640|604|600|400|500'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 19201
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow- to root and group to either root or shadow: # chown root:shadow /etc/shadow- -OR- # chown root:root /etc/shadow- Run the following command to remove excess permissions form /etc/shadow-: # chmod u-x,g-wx,o-rwx /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shadow- -> r:0 root \d+ shadow|0 root 0 root && r: r:644|640|604|600|400|500'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 19202
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow to root and group to either root or shadow: # chown root:shadow /etc/gshadow -OR- # chown root:root /etc/gshadow Run the following command to remove excess permissions form /etc/gshadow: # chmod u-x,g-wx,o-rwx /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow -> r:0 root \d+ shadow|0 root 0 root && r: r:644|640|604|600|400|500'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 19203
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow- to root and group to either root or shadow: # chown root:shadow /etc/gshadow- -OR- # chown root:root /etc/gshadow- Run the following command to remove excess permissions form /etc/gshadow-: # chmod u-x,g-wx,o-rwx /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/gshadow- -> r:0 root \d+ shadow|0 root 0 root && r: r:644|640|604|600|400|500'
+
+  # 6.1.9 Ensure permissions on /etc/shells are configured. (Automated)
+  - id: 19204
+    title: "Ensure permissions on /etc/shells are configured."
+    description: "/etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh and available to be queried by other programs."
+    rationale: "It is critical to ensure that the /etc/shells file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following commands to remove excess permissions, set owner, and set group on /etc/shells: # chmod u-x,go-wx /etc/shells # chown root:root /etc/shells."
+    compliance:
+      - cis: ["6.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/shells- -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.10 Ensure permissions on /etc/opasswd are configured. (Automated)
+  - id: 19205
+    title: "Ensure permissions on /etc/opasswd are configured."
+    description: "/etc/security/opasswd and it's backup /etc/security/opasswd.old hold user's previous passwords if pam_unix or pam_pwhistory is in use on the system."
+    rationale: "It is critical to ensure that /etc/security/opasswd is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: 'Run the following commands to remove excess permissions, set owner, and set group on /etc/security/opasswd and /etc/security/opasswd.old is they exist: # [ -e "/etc/security/opasswd" ] && chmod u-x,go-rwx /etc/security/opasswd # [ -e "/etc/security/opasswd" ] && chown root:root /etc/security/opasswd # [ -e "/etc/security/opasswd.old" ] && chmod u-x,go-rwx /etc/security/opasswd.old # [ -e "/etc/security/opasswd.old" ] && chown root:root /etc/security/opasswd.old.'
+    compliance:
+      - cis: ["6.1.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat -Lc "%n %a %u %U %g %G" /etc/security/opasswds -> r:0 root 0 root && r:644|640|604|600|400|500'
+
+  # 6.1.11 Ensure world writable files and directories are secured. (Automated) - Not Implemented
+  # 6.1.12 Ensure no unowned or ungrouped files or directories exist. (Automated) - Not Implemented
+  # 6.1.13 Ensure SUID and SGID files are reviewed. (Manual) - - Not Implemented
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 19206
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 19207
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated) - Not Implemented
+  # 6.2.4 Ensure shadow group is empty. (Automated)
+  - id: 19208
+    title: "Ensure shadow group is empty."
+    description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+    rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+    remediation: "Run the following command to remove all users from the shadow group # sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\\1/' /etc/group Change the primary group of any users with shadow as their primary group. # usermod -g <primary group> <user>."
+    compliance:
+      - cis: ["6.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/group -> r:shadow:\w*:\d+:$'
+
+  # 6.2.5 Ensure no duplicate UIDs exist. (Automated) - Not Implemented
+  # 6.2.6 Ensure no duplicate GIDs exist. (Automated) - Not Implemented
+  # 6.2.7 Ensure no duplicate user names exist. (Automated) - Not Implemented
+  # 6.2.8 Ensure no duplicate group names exist. (Automated) - Not Implemented
+  # 6.2.9 Ensure root PATH Integrity. (Automated) - Not Implemented
+
+  # 6.2.10 Ensure root is the only UID 0 account. (Automated)
+  - id: 19209
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.10"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1548"]
+    condition: all
+    rules:
+      - 'not f:/etc/passwd -> !r:^\s*\t*# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.11 Ensure local interactive user home directories are configured. (Automated) - Not Implemented
+  # 6.2.12 Ensure local interactive user dot files access is configured. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/ubuntu/cis_ubuntu22_04.yml b/etc/ruleset/sca/ubuntu/cis_ubuntu22_04.yml
new file mode 100644
index 0000000000..7f8f1de27a
--- /dev/null
+++ b/etc/ruleset/sca/ubuntu/cis_ubuntu22_04.yml
@@ -0,0 +1,4491 @@
+# Security Configuration Assessment
+# CIS Checks for Ubuntu Linux 22.04 LTS
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# SCA policy for Ubuntu Linux 22.04 LTS based on Center for Internet Security Ubuntu Linux 22.04 LTS Benchmark v1.0.0 - 08-30-2022
+
+policy:
+  id: "cis_ubuntu22-04"
+  file: "cis_ubuntu22_04.yml"
+  name: "CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0."
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check Ubuntu version."
+  description: "Requirements for running the SCA scan against Ubuntu Linux 22.04 LTS"
+  condition: all
+  rules:
+    - "f:/etc/os-release -> r:Ubuntu 22.04"
+    - "f:/proc/sys/kernel/ostype -> Linux"
+
+checks:
+  # 1 Initial Setup
+  # 1.1 Filesystem Configuration
+  # 1.1.1 Disable unused filesystems
+  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) - Not implemented
+  # 1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) - Not implemented
+  # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) - Not implemented
+
+  # 1.1.2.1 Ensure /tmp is a separate partition. (Automated)
+  - id: 28500
+    title: "Ensure /tmp is a separate partition."
+    description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+    rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+    impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
+    remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs."
+    references:
+      - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
+      - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
+    compliance:
+      - cis: ["1.1.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /tmp -> r:\s*/tmp\s'
+      - "c:systemctl is-enabled tmp.mount -> r:generated|enabled"
+
+  # 1.1.2.2 Ensure nodev option set on /tmp partition. (Automated)
+  - id: 28501
+    title: "Ensure nodev option set on /tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nodev"
+
+  # 1.1.2.3 Ensure noexec option set on /tmp partition. (Automated)
+  - id: 28502
+    title: "Ensure noexec option set on /tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:noexec"
+
+  # 1.1.2.4 Ensure nosuid option set on /tmp partition. (Automated)
+  - id: 28503
+    title: "Ensure nosuid option set on /tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: <device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp."
+    compliance:
+      - cis: ["1.1.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /tmp -> r:nosuid"
+
+  # 1.1.3.1 Ensure separate partition exists for /var. (Automated)
+  - id: 28504
+    title: "Ensure separate partition exists for /var."
+    description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+    rationale: "The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var -> r:\s*/var\s'
+
+  # 1.1.3.2 Ensure nodev option set on /var partition. (Automated)
+  - id: 28505
+    title: "Ensure nodev option set on /var partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nodev"
+
+  # 1.1.3.3 Ensure nosuid option set on /var partition. (Automated)
+  - id: 28506
+    title: "Ensure nosuid option set on /var partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var."
+    remediation: "IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var."
+    compliance:
+      - cis: ["1.1.3.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var -> r:nosuid"
+
+  # 1.1.4.1 Ensure separate partition exists for /var/tmp. (Automated)
+  - id: 28507
+    title: "Ensure separate partition exists for /var/tmp."
+    description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary file residing in /var/tmp is to be preserved between reboots."
+    rationale: "The reasoning for mounting /var/tmp on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. Fine grained control over the mount Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.4.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/tmp -> r:\s*/var/tmp\s'
+
+  # 1.1.4.2 Ensure noexec option set on /var/tmp partition. (Automated)
+  - id: 28508
+    title: "Ensure noexec option set on /var/tmp partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:noexec"
+
+  # 1.1.4.3 Ensure nosuid option set on /var/tmp partition. (Automated)
+  - id: 28509
+    title: "Ensure nosuid option set on /var/tmp partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nosuid"
+
+  # 1.1.4.4 Ensure nodev option set on /var/tmp partition. (Automated)
+  - id: 28510
+    title: "Ensure nodev option set on /var/tmp partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp."
+    remediation: "IF the /var/tmp partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: <device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."
+    compliance:
+      - cis: ["1.1.4.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:findmnt --kernel /var/tmp -> r:nodev"
+
+  # 1.1.5.1 Ensure separate partition exists for /var/log. (Automated)
+  - id: 28511
+    title: "Ensure separate partition exists for /var/log."
+    description: "The /var/log directory is used by system services to store log data."
+    rationale: "The reasoning for mounting /var/log on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log directory contain the log files that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. Fine grained control over the mount Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of log data As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.5.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:\s*/var/log\s'
+
+  # 1.1.5.2 Ensure nodev option set on /var/log partition. (Automated)
+  - id: 28512
+    title: "Ensure nodev option set on /var/log partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:\s*/var/log\s && r:nodev'
+
+  # 1.1.5.3 Ensure noexec option set on /var/log partition. (Automated)
+  - id: 28513
+    title: "Ensure noexec option set on /var/log partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:\s*/var/log\s && r:noexec'
+
+  # 1.1.5.4 Ensure nosuid option set on /var/log partition. (Automated)
+  - id: 28514
+    title: "Ensure nosuid option set on /var/log partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log."
+    remediation: "IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: <device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log."
+    compliance:
+      - cis: ["1.1.5.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log -> r:\s*/var/log\s && r:nosuid'
+
+  # 1.1.6.1 Ensure separate partition exists for /var/log/audit. (Automated)
+  - id: 28515
+    title: "Ensure separate partition exists for /var/log/audit."
+    description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+    rationale: "The reasoning for mounting /var/log/audit on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var/log/audit directory contain the audit.log file that can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of audit data As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.6.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:\s*/var/log/audit\s'
+
+  # 1.1.6.2 Ensure noexec option set on /var/log/audit partition. (Automated)
+  - id: 28516
+    title: "Ensure noexec option set on /var/log/audit partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:\s*/var/log/audit\s && r:noexec'
+
+  # 1.1.6.3 Ensure nodev option set on /var/log/audit partition. (Automated)
+  - id: 28517
+    title: "Ensure nodev option set on /var/log/audit partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:\s*/var/log/audit\s && r:nodev'
+
+  # 1.1.6.4 Ensure nosuid option set on /var/log/audit partition. (Automated)
+  - id: 28518
+    title: "Ensure nosuid option set on /var/log/audit partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit."
+    remediation: "IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: <device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit."
+    compliance:
+      - cis: ["1.1.6.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /var/log/audit -> r:\s*/var/log/audit\s && r:nosuid'
+
+  # 1.1.7.1 Ensure separate partition exists for /home. (Automated)
+  - id: 28519
+    title: "Ensure separate partition exists for /home."
+    description: "The /home directory is used to support disk storage needs of local users."
+    rationale: "The reasoning for mounting /home on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. Fine grained control over the mount Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection of user data As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point."
+    impact: "Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations."
+    remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+    references:
+      - "http://tldp.org/HOWTO/LVM-HOWTO/"
+    compliance:
+      - cis: ["1.1.7.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1499", "T1499.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:\s*/home\s'
+
+  # 1.1.7.2 Ensure nodev option set on /home partition. (Automated)
+  - id: 28520
+    title: "Ensure nodev option set on /home partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:\s*/home\s && r:nodev'
+
+  # 1.1.7.3 Ensure nosuid option set on /home partition. (Automated)
+  - id: 28521
+    title: "Ensure nosuid option set on /home partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home."
+    remediation: "IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: <device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home."
+    compliance:
+      - cis: ["1.1.7.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /home -> r:\s*/home\s && r:nosuid'
+
+  # 1.1.8.1 Ensure nodev option set on /dev/shm partition. (Automated)
+  - id: 28522
+    title: "Ensure nodev option set on /dev/shm partition."
+    description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+    rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+    remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1200"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s && r:nodev'
+
+  # 1.1.8.2 Ensure noexec option set on /dev/shm partition. (Automated)
+  - id: 28523
+    title: "Ensure noexec option set on /dev/shm partition."
+    description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+    rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+    remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: <device> /dev/shm <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications."
+    compliance:
+      - cis: ["1.1.8.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1204", "T1204.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s && r:noexec'
+
+  # 1.1.8.3 Ensure nosuid option set on /dev/shm partition. (Automated)
+  - id: 28524
+    title: "Ensure nosuid option set on /dev/shm partition."
+    description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+    rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+    remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm."
+    compliance:
+      - cis: ["1.1.8.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1038"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548", "T1548.001"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:findmnt --kernel /dev/shm -> r:\s*/dev/shm\s && r:nosuid'
+
+  # 1.1.9 Disable Automounting. (Automated)
+  - id: 28525
+    title: "Disable Automounting."
+    description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+    rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
+    impact: "The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations and physical access controls to workstations is considered adequate there is little value add in turning off automounting."
+    remediation: "If there are no other packages that depends on autofs, remove the package with: # apt purge autofs OR if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs."
+    compliance:
+      - cis: ["1.1.9"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - mitre_techniques: ["T1068", "T1203", "T1211", "T1212"]
+    condition: all
+    rules:
+      - 'c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs\.service|disabled'
+
+  # 1.1.10 Disable USB Storage (Automated) - Not implemented
+
+  # 1.2.1 Ensure package manager repositories are configured (Manual) - Not implemented
+  # 1.2.2 Ensure GPG keys are configured (Manual) - Not implemented
+
+  # 1.3.1 Ensure AIDE is installed. (Automated)
+  - id: 28526
+    title: "Ensure AIDE is installed."
+    description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
+    rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
+    remediation: "Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Run the following commands to initialize AIDE: # aideinit # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db."
+    compliance:
+      - cis: ["1.3.1"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_techniques: ["T1036", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1565", "T1565.001"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s aide -> r:Status: install ok installed"
+      - "c:dpkg-query -s aide-common -> r:Status: install ok installed"
+
+  # 1.3.2 Ensure filesystem integrity is regularly checked (Automated) - Not implemented
+
+  # 1.4.1 Ensure bootloader password is set. (Automated)
+  - id: 28527
+    title: "Ensure bootloader password is set."
+    description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
+    rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time)."
+    impact: 'If password protection is enabled, only the designated superuser can edit a Grub 2 menu item by pressing "e" or access the GRUB 2 command line by pressing "c" If GRUB 2 is set up to boot automatically to a password-protected menu entry the user has no option to back out of the password prompt to select another menu entry. Holding the SHIFT key will not display the menu in this case. The user must enter the correct username and password. If unable, the configuration files will have to be edited via the LiveCD or other means to fix the problem You can add --unrestricted to the menu entries to allow the system to boot without entering a password. Password will still be required to edit menu items. More Information: https://help.ubuntu.com/community/Grub2/Passwords.'
+    remediation: 'Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> PBKDF2 hash of your password is <encrypted-password> Add the following into a custom /etc/grub.d configuration file: cat <<EOF set superusers="<username>" password_pbkdf2 <username> <encrypted-password> EOF The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS="--class gnu-linux --class gnu --class os --unrestricted" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["1.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1046"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1542"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/boot/grub/grub.cfg -> r:^\\s*\\t*set superusers="
+      - "f:/boot/grub/grub.cfg -> r:^\\s*\\t*password_pbkdf2\\s*\\t*\\w+"
+
+  # 1.4.2 Ensure permissions on bootloader config are configured. (Automated)
+  - id: 28528
+    title: "Ensure permissions on bootloader config are configured."
+    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options."
+    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
+    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod u-wx,go-rwx /boot/grub/grub.cfg."
+    compliance:
+      - cis: ["1.4.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005", "TA0007"]
+      - mitre_techniques: ["T1542"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /boot/grub/grub.cfg -> r:Access:\s*\t*\(0400/-r--------\) && r:Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 1.4.3 Ensure authentication required for single user mode. (Automated)
+  - id: 28529
+    title: "Ensure authentication required for single user mode."
+    description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+    rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+    remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root."
+    compliance:
+      - cis: ["1.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "f:/etc/shadow -> r:^root:\\$\\d+"
+
+  # 1.5.1 Ensure address space layout randomization (ASLR) is enabled (Automated) - Not implemented
+
+  # 1.5.2 Ensure prelink is not installed. (Automated)
+  - id: 28530
+    title: "Ensure prelink is not installed."
+    description: "prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases."
+    rationale: "The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc."
+    remediation: "Run the following command to restore binaries to normal: # prelink -ua Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink."
+    compliance:
+      - cis: ["1.5.2"]
+      - cis_csc_v8: ["3.14"]
+      - cis_csc_v7: ["14.9"]
+      - cmmc_v2.0: ["AC.L2-3.1.7"]
+      - hipaa: ["164.312(b)", "164.312(c)(1)", "164.312(c)(2)"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1055", "T1055.009", "T1065", "T1065.001"]
+      - nist_sp_800-53: ["AC-6(9)"]
+      - pci_dss_v3.2.1: ["10.2.1", "11.5"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - "c:dpkg-query -s prelink -> r:package 'prelink' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' prelink -> r:prelink\\s*\\t*unknown\\s*\\t*ok\\s*\\t*not-installed\\s*\\t*not-installed|no packages found matching prelink"
+
+  # 1.5.3 Ensure Automatic Error Reporting is not enabled. (Automated)
+  - id: 28531
+    title: "Ensure Automatic Error Reporting is not enabled."
+    description: "The Apport Error Reporting Service automatically generates crash reports for debugging."
+    rationale: "Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material."
+    remediation: "Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -- Run the following command to remove the apport package: # apt purge apport."
+    compliance:
+      - cis: ["1.5.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled apport.service -> r:disabled"
+      - "not f:/etc/default/apport -> n:enabled=(\\d+) compare != 0"
+      - "not c:systemctl is-active apport.service -> r:active"
+
+  # 1.5.4 Ensure core dumps are restricted. (Automated)
+  - id: 28532
+    title: "Ensure core dumps are restricted."
+    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload."
+    references:
+      - "http://wiki.apparmor.net/index.php/Documentation"
+      - "https://help.ubuntu.com/community/AppArmor"
+      - "https://www.suse.com/documentation/apparmor/"
+    compliance:
+      - cis: ["1.5.4"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1005"]
+    condition: all
+    rules:
+      - "c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0"
+      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
+      - 'c:grep -Rh "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/ -> !r:^\s*\t*# && r:fs.suid_dumpable = 0'
+      - 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:\p hard core 0'
+
+  # 1.6.1.1 Ensure AppArmor is installed. (Automated)
+  - id: 28533
+    title: "Ensure AppArmor is installed."
+    description: "AppArmor provides Mandatory Access Controls."
+    rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+    remediation: "Install AppArmor. # apt install apparmor."
+    compliance:
+      - cis: ["1.6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' apparmor -> r:install\\s+ok\\s+installed"
+
+  # 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration. (Automated)
+  - id: 28534
+    title: "Ensure AppArmor is enabled in the bootloader configuration."
+    description: "Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+    rationale: "AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden."
+    remediation: 'Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["1.6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:apparmor=1'
+      - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:security=apparmor'
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
+      - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor'
+
+  # 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode. (Automated)
+  - id: 28535
+    title: "Ensure all AppArmor Profiles are in enforce or complain mode."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+loaded compare > 0'
+      - 'c:apparmor_status -> r:^0\s+profiles\s+are\s+in\s+kill\s+mode'
+      - 'c:apparmor_status -> r:^0\s+profiles\s+are\s+in\s+unconfined\s+mode'
+      - "c:apparmor_status -> r:^0 processes are unconfined"
+
+  # 1.6.1.4 Ensure all AppArmor Profiles are enforcing. (Automated)
+  - id: 28536
+    title: "Ensure all AppArmor Profiles are enforcing."
+    description: "AppArmor profiles define what resources applications are able to access."
+    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
+    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted."
+    compliance:
+      - cis: ["1.6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1068", "T1565", "T1565.001", "T1565.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+loaded compare > 0'
+      - 'c:apparmor_status -> n:^(\d+)\s+profiles\s+are\s+in\s+enforce\s+mode compare > 0'
+      - 'c:apparmor_status -> r:^0\s+profiles\s+are\s+in\s+kill\s+mode'
+      - 'c:apparmor_status -> r:^0\s+profiles\s+are\s+in\s+unconfined\s+mode'
+      - 'c:apparmor_status -> r:^0\s*profiles\s+are\s+in\s+complain\s+mode'
+      - 'c:apparmor_status -> r:^0\s*processes\s+are\s+unconfined'
+
+  # 1.7.1 Ensure message of the day is configured properly. (Automated)
+  - id: 28537
+    title: "Ensure message of the day is configured properly."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR if the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: any
+    rules:
+      - 'not f:/etc/motd -> r:\\v|\\r|\\m|\s|Debian|Ubuntu'
+      - "not f:/etc/motd"
+
+  # 1.7.2 Ensure local login warning banner is configured properly. (Automated)
+  - id: 28538
+    title: "Ensure local login warning banner is configured properly."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue."
+    compliance:
+      - cis: ["1.7.2"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.3 Ensure remote login warning banner is configured properly. (Automated)
+  - id: 28539
+    title: "Ensure remote login warning banner is configured properly."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version."
+    rationale: 'Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in.'
+    remediation: "Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net."
+    compliance:
+      - cis: ["1.7.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1018", "T1082", "T1592", "T1592.004"]
+    condition: none
+    rules:
+      - 'f:/etc/issue.net -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu'
+
+  # 1.7.4 Ensure permissions on /etc/motd are configured. (Automated)
+  - id: 28540
+    title: "Ensure permissions on /etc/motd are configured."
+    description: "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users."
+    rationale: "If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/motd : # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) OR run the following command to remove the /etc/motd file: # rm /etc/motd."
+    compliance:
+      - cis: ["1.7.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*\t*Gid:\s*\(\s*0/\s*root\)'
+      - "not f:/etc/motd"
+
+  # 1.7.5 Ensure permissions on /etc/issue are configured. (Automated)
+  - id: 28541
+    title: "Ensure permissions on /etc/issue are configured."
+    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
+    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue : # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue)."
+    compliance:
+      - cis: ["1.7.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*\t*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.7.6 Ensure permissions on /etc/issue.net are configured. (Automated)
+  - id: 28542
+    title: "Ensure permissions on /etc/issue.net are configured."
+    description: "The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services."
+    rationale: "If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+    remediation: "Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net)."
+    compliance:
+      - cis: ["1.7.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/issue.net -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*0/\s*root\)\s*\t*Gid:\s*\(\s*0/\s*root\)'
+
+  # 1.8.1 Ensure GNOME Display Manager is removed. (Automated)
+  - id: 28543
+    title: "Ensure GNOME Display Manager is removed."
+    description: "The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins."
+    rationale: "If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system."
+    impact: "Removing the GNOME Display manager will remove the Graphical User Interface (GUI) from the system."
+    remediation: "Run the following command to uninstall gdm3: # apt purge gdm3."
+    compliance:
+      - cis: ["1.8.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' gdm3 -> r:gdm\\s+unknown\\s+ok\\s+not-installed|no\\s+packages\\s+found\\s+matching\\s+gdm3"
+
+  # 1.8.2 Ensure GDM login banner is configured (Automated) - Not implemented
+  # 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) - Not implemented
+  # 1.8.4 Ensure GDM screen locks when the user is idle (Automated) - Not implemented
+  # 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) - Not implemented
+  # 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) - Not implemented
+  # 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) - Not implemented
+  # 1.8.8 Ensure GDM autorun-never is enabled (Automated) -  Not implemented
+  # 1.8.9 Ensure GDM autorun-never is not overridden (Automated) - Not implemented
+
+  # 1.8.10 Ensure XDCMP is not enabled. (Automated)
+  - id: 28544
+    title: "Ensure XDCMP is not enabled."
+    description: "X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays."
+    rationale: "XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server."
+    remediation: "Edit the file /etc/gdm3/custom.conf and remove the line: Enable=true."
+    compliance:
+      - cis: ["1.8.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1050"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1040", "T1056", "T1056.001", "T1557"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "not f:/etc/gdm3"
+      - 'not f:/etc/gdm3/custom.conf -> r:^\s*Enable\s*=\s*true'
+
+  # 1.9 Ensure updates, patches, and additional security software are installed (Manual) - Not implemented
+
+  # 2.1.1.1 Ensure a single time synchronization daemon is in use (Automated) - Not implemented
+  # 2.1.2.1 Ensure chrony is configured with authorized timeserver (Manual) - Not implemented
+
+  # 2.1.2.2 Ensure chrony is running as user _chrony. (Automated)
+  - id: 28545
+    title: "Ensure chrony is running as user _chrony."
+    description: "The chrony package is installed with a dedicated user account _chrony. This account is granted the access required by the chronyd service."
+    rationale: "The chronyd service should run with only the required privileges."
+    remediation: "Add or edit the user line to /etc/chrony/chrony.conf or a file ending in .conf in /etc/chrony/conf.d/: user _chrony OR If another time synchronization service is in use on the system, run the following command to remove chrony from the system: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: any
+    rules:
+      - 'c:ps -ef -> r:_chrony\.+chronyd'
+      - "c:systemctl is-enabled systemd-timesyncd.service -> r:enabled"
+
+  # 2.1.2.3 Ensure chrony is enabled and running. (Automated)
+  - id: 28546
+    title: "Ensure chrony is enabled and running."
+    description: "chrony is a daemon for synchronizing the system clock across the network."
+    rationale: "chrony needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF chrony is in use on the system, run the following commands: Run the following command to unmask chrony.service: # systemctl unmask chrony.service Run the following command to enable and start chrony.service: # systemctl --now enable chrony.service OR If another time synchronization service is in use on the system, run the following command to remove chrony: # apt purge chrony."
+    compliance:
+      - cis: ["2.1.2.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:ps -ef -> r:chronyd"
+      - "c:systemctl is-enabled chrony.service -> r:enabled"
+      - "c:systemctl is-active chrony.service -> r:active"
+
+  # 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver (Manual) - Not implemented
+
+  # 2.1.3.2 Ensure systemd-timesyncd is enabled and running. (Automated)
+  - id: 28547
+    title: "Ensure systemd-timesyncd is enabled and running."
+    description: "systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network."
+    rationale: "systemd-timesyncd needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF systemd-timesyncd is in use on the system, run the following commands: Run the following command to unmask systemd-timesyncd.service: # systemctl unmask systemd-timesyncd.service Run the following command to enable and start systemd-timesyncd.service: # systemctl --now enable systemd-timesyncd.service OR If another time synchronization service is in use on the system, run the following command to stop and mask systemd-timesyncd: # systemctl --now mask systemd-timesyncd.service."
+    compliance:
+      - cis: ["2.1.3.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-timesyncd.service -> r:enabled"
+      - "c:systemctl is-active systemd-timesyncd.service -> r:active"
+
+  # 2.1.4.1 Ensure ntp access control is configured. (Automated)
+  - id: 28548
+    title: "Ensure ntp access control is configured."
+    description: 'ntp Access Control Commands: restrict address [mask mask] [ippeerlimit int] [flag ...] The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note: the text string default, with no mask option, may be used to indicate the default entry. The ippeerlimit directive limits the number of peer requests for each IP to int, where a value of -1 means "unlimited", the current default. A value of 0 means "none". There would usually be at most 1 peering request per IP, but if the remote peering requests are behind a proxy there could well be more than 1 per IP. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified: - kod - If this flag is set when an access violation occurs, a kiss-o''-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped. - limited - Deny service if the packet spacing violates the lower limits specified in the discard command. A history of clients is kept using the monitoring capability of ntpd. Thus, monitoring is always active as long as there is a restriction entry with the limited flag. - lowpriotrap - Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. - noepeer - Deny ephemeral peer requests, even if they come from an authenticated source. Note that the ability to use a symmetric key for authentication may be restricted to one or more IPs or subnets via the third field of the ntp.keys file. This restriction is not enabled by default, to maintain backward compatibility. Expect noepeer to become the default in ntp-4.4. - nomodify - Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted. - noquery - Deny ntpq and ntpdc queries. Time service is not affected. - nopeer - Deny unauthenticated packets which would result in mobilizing a new association. This includes broadcast and symmetric active packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you''ll want a restrict source ... line as well that does not include the nopeer directive. - noserve - Deny all packets except ntpq and ntpdc queries. - notrap - Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpq control message protocol which is intended for use by remote event logging programs. - notrust - Deny service unless the packet is cryptographically authenticated. - ntpport - This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list.'
+    rationale: "If ntp is in use on the system, proper configuration is vital to ensuring time synchronization is accurate."
+    remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - "http://www.ntp.org/"
+    compliance:
+      - cis: ["2.1.4.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "f:/etc/ntp.conf -> r:restrict -4 default|restrict default && r:kod && r:notrap && r:nomodify && r:nopeer && r:noquery"
+      - "f:/etc/ntp.conf -> r:restrict -6 default && r:kod && r:notrap && r:nomodify && r:nopeer && r:noquery"
+
+  # 2.1.4.2 Ensure ntp is configured with authorized timeserver (Manual) - Not implemented
+
+  # 2.1.4.3 Ensure ntp is running as user ntp. (Automated)
+  - id: 28549
+    title: "Ensure ntp is running as user ntp."
+    description: "The ntp package is installed with a dedicated user account ntp. This account is granted the access required by the ntpd daemon Note: - If chrony or systemd-timesyncd are used, ntp should be removed and this section skipped - This recommendation only applies if ntp is in use on the system - Only one time synchronization method should be in use on the system."
+    rationale: "The ntpd daemon should run with only the required privlidge."
+    remediation: "Add or edit the following line in /etc/init.d/ntp: RUNASUSER=ntp Run the following command to restart ntp.servocee: # systemctl restart ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp from the system: # apt purge ntp."
+    references:
+      - "http://www.ntp.org/"
+    compliance:
+      - cis: ["2.1.4.3"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'c:ps -ef -> r:^ntp\.+ntpd'
+      - "f:/etc/init.d/ntp -> r:^\\s*\\t*RUNASUSER=ntp"
+
+  # 2.1.4.4 Ensure ntp is enabled and running. (Automated)
+  - id: 28550
+    title: "Ensure ntp is enabled and running."
+    description: "ntp is a daemon for synchronizing the system clock across the network."
+    rationale: "ntp needs to be enabled and running in order to synchronize the system to a timeserver. Time synchronization is important to support time sensitive security mechanisms and to ensure log files have consistent time records across the enterprise to aid in forensic investigations."
+    remediation: "IF ntp is in use on the system, run the following commands: Run the following command to unmask ntp.service: # systemctl unmask ntp.service Run the following command to enable and start ntp.service: # systemctl --now enable ntp.service OR If another time synchronization service is in use on the system, run the following command to remove ntp: # apt purge ntp."
+    compliance:
+      - cis: ["2.1.4.4"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ntp.service -> r:enabled"
+      - "c:systemctl is-active ntp.service -> r:active"
+
+  # 2.2.1 Ensure X Window System is not installed. (Automated)
+  - id: 28551
+    title: "Ensure X Window System is not installed."
+    description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+    rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+    impact: 'Many Linux systems run applications which require a Java runtime. Some Linux Java packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to avoid this dependency is to use the "headless" Java packages for your specific Java runtime, if provided by your distribution.'
+    remediation: "Remove the X Windows System packages: apt purge xserver-xorg*."
+    compliance:
+      - cis: ["2.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'c:dpkg-query -W -f="${binary:Package}\t${Status}\t${db:Status-Status}\n" xserver-xorg* -> r:no packages found matching|deinstall|not-installed'
+      - "c:dpkg-query -s xserver-xorg -> r:package 'xserver-xorg' is not installed"
+
+  # 2.2.2 Ensure Avahi Server is not installed. (Automated)
+  - id: 28552
+    title: "Ensure Avahi Server is not installed."
+    description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+    rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface."
+    remediation: "Run the following commands to remove avahi-daemon: # systemctl stop avahi-daaemon.service # systemctl stop avahi-daemon.socket # apt purge avahi-daemon."
+    compliance:
+      - cis: ["2.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg-query -s avahi-daemon -> r:package 'avahi-daemon' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' avahi-daemon -> r:no packages found matching avahi-daemon|deinstall|not-installed"
+
+  # 2.2.3 Ensure CUPS is not installed. (Automated)
+  - id: 28553
+    title: "Ensure CUPS is not installed."
+    description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+    rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface."
+    impact: "Removing CUPS will prevent printing from the system, a common task for workstation systems."
+    remediation: "Run one of the following commands to remove cups : # apt purge cups."
+    references:
+      - "http://www.cups.org."
+    compliance:
+      - cis: ["2.2.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s cups -> r:package 'cups' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' cups -> r:no packages found matching cups|deinstall|not-installed"
+
+  # 2.2.4 Ensure DHCP Server is not installed. (Automated)
+  - id: 28554
+    title: "Ensure DHCP Server is not installed."
+    description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+    rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this package be removed to reduce the potential attack surface."
+    remediation: "Run the following command to remove isc-dhcp-server: # apt purge isc-dhcp-server."
+    references:
+      - "http://www.isc.org/software/dhcp."
+    compliance:
+      - cis: ["2.2.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s isc-dhcp-server -> r:package 'isc-dhcp-server' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' isc-dhcp-server -> r:no packages found matching isc-dhcp-server|deinstall|not-installed"
+
+  # 2.2.5 Ensure LDAP server is not installed. (Automated)
+  - id: 28555
+    title: "Ensure LDAP server is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove slapd: # apt purge slapd."
+    references:
+      - "http://www.openldap.org."
+    compliance:
+      - cis: ["2.2.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s slapd -> r:package 'slapd' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' slapd -> r:no packages found matching slapd|deinstall|not-installed"
+
+  # 2.2.6 Ensure NFS is not installed. (Automated)
+  - id: 28556
+    title: "Ensure NFS is not installed."
+    description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+    rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove nfs: # apt purge nfs-kernel-server."
+    compliance:
+      - cis: ["2.2.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s nfs-kernel-server -> r:package 'nfs-kernel-server' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nfs-kernel-server -> r:no packages found matching nfs-kernel-server|deinstall|not-installed"
+
+  # 2.2.7 Ensure DNS Server is not installed. (Automated)
+  - id: 28557
+    title: "Ensure DNS Server is not installed."
+    description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+    rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following commands to disable DNS server: # apt purge bind9."
+    compliance:
+      - cis: ["2.2.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s bind9 -> r:package 'bind9' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' bind9 -> r:no packages found matching bind9|deinstall|not-installed"
+
+  # 2.2.8 Ensure FTP Server is not installed. (Automated)
+  - id: 28558
+    title: "Ensure FTP Server is not installed."
+    description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+    rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove vsftpd: # apt purge vsftpd."
+    compliance:
+      - cis: ["2.2.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s vsftpd -> r:package 'vsftpd' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' vsftpd -> r:no packages found matching vsftpd|deinstall|not-installed"
+
+  # 2.2.9 Ensure HTTP server is not installed. (Automated)
+  - id: 28559
+    title: "Ensure HTTP server is not installed."
+    description: "HTTP or web servers provide the ability to host web site content."
+    rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove apache: # apt purge apache2."
+    compliance:
+      - cis: ["2.2.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s apache2 -> r:package 'apache2' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apache2 -> r:no packages found matching apache2|deinstall|not-installed"
+
+  # 2.2.10 Ensure IMAP and POP3 server are not installed. (Automated)
+  - id: 28560
+    title: "Ensure IMAP and POP3 server are not installed."
+    description: "dovecot-imapd and dovecot-pop3d are an open source IMAP and POP3 server for Linux based systems."
+    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+    remediation: "Run one of the following commands to remove dovecot-imapd and dovecot-pop3d: # apt purge dovecot-imapd dovecot-pop3d."
+    compliance:
+      - cis: ["2.2.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s dovecot-imapd -> r:package 'dovecot-imapd' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-imapd -> r:no packages found matching dovecot-imapd|deinstall|not-installed"
+      - "c:dpkg-query -s dovecot-pop3d -> r:package 'dovecot-pop3d' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' dovecot-pop3d -> r:no packages found matching dovecot-pop3d|deinstall|not-installed"
+
+  # 2.2.11 Ensure Samba is not installed. (Automated)
+  - id: 28561
+    title: "Ensure Samba is not installed."
+    description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+    rationale: "If there is no need to mount directories and file systems to Windows systems, then this service should be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove samba: # apt purge samba."
+    compliance:
+      - cis: ["2.2.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1005", "T1039", "T1083", "T1135", "T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s samba -> r:package 'samba' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' samba -> r:no packages found matching samba|deinstall|not-installed"
+
+  # 2.2.12 Ensure HTTP Proxy Server is not installed. (Automated)
+  - id: 28562
+    title: "Ensure HTTP Proxy Server is not installed."
+    description: "Squid is a standard proxy server used in many distributions and environments."
+    rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+    remediation: "Run the following command to remove squid: # apt purge squid."
+    compliance:
+      - cis: ["2.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s squid -> r:package 'squid' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' squid -> r:no packages found matching squid|deinstall|not-installed"
+
+  # 2.2.13 Ensure SNMP Server is not installed. (Automated)
+  - id: 28563
+    title: "Ensure SNMP Server is not installed."
+    description: 'Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. "SNMPv2 historic" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.'
+    rationale: "The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. If SNMP v2 is absolutely necessary, modify the community strings' values. -."
+    remediation: "Run the following command to remove snmp: # apt purge snmp."
+    compliance:
+      - cis: ["2.2.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s snmp -> r:package 'snmp' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' snmp -> r:no packages found matching snmp|deinstall|not-installed"
+  # 2.2.14 Ensure NIS Server is not installed. (Automated)
+  - id: 28564
+    title: "Ensure NIS Server is not installed."
+    description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed and other, more secure services be used."
+    remediation: "Run the following command to remove nis: # apt purge nis."
+    compliance:
+      - cis: ["2.2.14"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1210", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s nis -> r:package 'nis' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:no packages found matching nis|deinstall|not-installed"
+
+  # 2.2.15 Ensure mail transfer agent is configured for local-only mode. (Automated)
+  - id: 28565
+    title: "Ensure mail transfer agent is configured for local-only mode."
+    description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+    rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as exim4. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+    remediation: "Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only Run the following command to restart postfix: # systemctl restart postfix."
+    compliance:
+      - cis: ["2.2.15"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1018", "T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'not c:ss -lntu -> r:\.*:25\s && r:127.0.0.1:25\s+|::1]:25\s+'
+
+  # 2.2.16 Ensure rsync service is either not installed or masked. (Automated)
+  - id: 28566
+    title: "Ensure rsync service is either not installed or masked."
+    description: "The rsync service can be used to synchronize files between systems over network links."
+    rationale: "The rsync service presents a security risk as it uses unencrypted protocols for communication. The rsync package should be removed to reduce the attack area of the system."
+    remediation: "Run the following command to remove rsync: # apt purge rsync OR Run the following commands to stop and mask rsync: # systemctl stop rsync # systemctl mask rsync."
+    compliance:
+      - cis: ["2.2.16"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1105", "T1203", "T1210", "T1543", "T1543.002", "T1570"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' rsync -> r:no packages found matching rsync|deinstall|not-installed"
+      - 'c:systemctl is-active rsync" -> r:inactive'
+      - "c:systemctl is-enabled rsync -> r:masked|disabled"
+
+  # 2.3.1 Ensure NIS Client is not installed. (Automated)
+  - id: 28567
+    title: "Ensure NIS Client is not installed."
+    description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client was used to bind a machine to an NIS server and receive the distributed configuration files."
+    rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall nis: # apt purge nis."
+    compliance:
+      - cis: ["2.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s nis -> r:package 'nis' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' nis -> r:no packages found matching nis|deinstall|not-installed"
+
+  # 2.3.2 Ensure rsh client is not installed. (Automated)
+  - id: 28568
+    title: "Ensure rsh client is not installed."
+    description: "The rsh-client package contains the client commands for the rsh services."
+    rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall rsh: # apt purge rsh-client."
+    compliance:
+      - cis: ["2.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s rsh-client -> r:package 'rsh-client' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rsh-client -> r:no packages found matching rsh-client|deinstall|not-installed"
+
+  # 2.3.3 Ensure talk client is not installed. (Automated)
+  - id: 28569
+    title: "Ensure talk client is not installed."
+    description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default."
+    rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall talk: # apt purge talk."
+    compliance:
+      - cis: ["2.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s talk -> r:package 'talk' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' talk -> r:no packages found matching talk|deinstall|not-installed"
+
+  # 2.3.4 Ensure telnet client is not installed. (Automated)
+  - id: 28570
+    title: "Ensure telnet client is not installed."
+    description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+    rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+    impact: "Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse."
+    remediation: "Uninstall telnet: # apt purge telnet."
+    compliance:
+      - cis: ["2.3.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1041", "M1042"]
+      - mitre_tactics: ["TA0006", "TA0008"]
+      - mitre_techniques: ["T1040", "T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s telnet -> r:package 'telnet' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' telnet -> r:no packages found matching telnet|deinstall|not-installed"
+
+  # 2.3.5 Ensure LDAP client is not installed. (Automated)
+  - id: 28571
+    title: "Ensure LDAP client is not installed."
+    description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+    rationale: "If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface."
+    impact: "Removing the LDAP client will prevent or inhibit using LDAP for authentication in your environment."
+    remediation: "Uninstall ldap-utils: # apt purge ldap-utils."
+    compliance:
+      - cis: ["2.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s ldap-utils -> r:package 'ldap-utils' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' ldap-utils -> r:no packages found matching ldap-utils|deinstall|not-installed"
+
+  # 2.3.6 Ensure RPC is not installed. (Automated)
+  - id: 28572
+    title: "Ensure RPC is not installed."
+    description: 'Remote Procedure Call (RPC) is a method for creating low level client server applications across different system architectures. It requires an RPC compliant client listening on a network port. The supporting package is rpcbind.".'
+    rationale: "If RPC is not required, it is recommended that this services be removed to reduce the remote attack surface."
+    remediation: "Run the following command to remove rpcbind: # apt purge rpcbind."
+    compliance:
+      - cis: ["2.3.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1203", "T1543", "T1543.002"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s rpcbind -> r:package 'rpcbind' is not installed"
+      - "c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' rpcbind -> r:no packages found matching rpcbind|deinstall|not-installed"
+
+  # 2.4 Ensure nonessential services are removed or masked (Manual) - Not implemented
+
+  # 3.1.1 Ensure system is checked to determine if IPv6 is enabled (Manual) - Not implemented
+
+  # 3.2.1 Ensure packet redirect sending is disabled (Automated) - Not implemented
+  # 3.2.2 Ensure IP forwarding is disabled (Automated) - Not implemented
+
+  # 3.3.1 Ensure source routed packets are not accepted (Automated) - Not implemented
+  # 3.3.2 Ensure ICMP redirects are not accepted (Automated) - Not implemented
+  # 3.3.3 Ensure secure ICMP redirects are not accepted (Automated) - Not implemented
+  # 3.3.4 Ensure suspicious packets are logged (Automated) - Not implemented
+  # 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) - Not implemented
+  # 3.3.6 Ensure bogus ICMP responses are ignored (Automated) - Not implemented
+  # 3.3.7 Ensure Reverse Path Filtering is enabled (Automated) - Not implemented
+  # 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) - Not implemented
+  # 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) - Not implemented
+
+  # 3.4.1 Ensure DCCP is disabled (Automated) - Not implemented
+  # 3.4.2 Ensure SCTP is disabled (Automated) - Not implemented
+  # 3.4.3 Ensure RDS is disabled (Automated) - Not implemented
+  # 3.4.4 Ensure TIPC is disabled (Automated) - Not implemented
+
+  # 3.5.1.1 Ensure ufw is installed. (Automated)
+  - id: 28573
+    title: "Ensure ufw is installed."
+    description: "The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall."
+    rationale: "A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. UFW is dependent on the iptables package."
+    remediation: "Run the following command to install Uncomplicated Firewall (UFW): apt install ufw."
+    compliance:
+      - cis: ["3.5.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s ufw -> r:Status: install ok installed"
+
+  # 3.5.1.2 Ensure iptables-persistent is not installed with ufw. (Automated)
+  - id: 28574
+    title: "Ensure iptables-persistent is not installed with ufw."
+    description: "The iptables-persistent is a boot-time loader for netfilter rules, iptables plugin."
+    rationale: "Running both ufw and the services included in the iptables-persistent package may lead to conflict."
+    remediation: "Run the following command to remove the iptables-persistent package: # apt purge iptables-persistent."
+    compliance:
+      - cis: ["3.5.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s ufw -> r:Status: install ok installed"
+      - "c:dpkg-query -s iptables-persistent -> r:is not installed"
+
+  # 3.5.1.3 Ensure ufw service is enabled. (Automated)
+  - id: 28575
+    title: "Ensure ufw service is enabled."
+    description: "UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Notes: - When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before enabling the firewall. - Run the following command before running ufw enable. # ufw allow proto tcp from any to any port 22 - The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy) - By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using ufw --force enable."
+    rationale: "The ufw service must be enabled and running in order for ufw to protect the system."
+    impact: "Changing firewall settings while connected over network can result in being locked out of the system."
+    remediation: "Run the following command to unmask the ufw daemon: # systemctl unmask ufw.service Run the following command to enable and start the ufw daemon: # systemctl --now enable ufw.service active Run the following command to enable ufw: # ufw enable."
+    references:
+      - "http://manpages.ubuntu.com/manpages/precise/en/man8/ufw.8.html"
+    compliance:
+      - cis: ["3.5.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled ufw.service -> r:^enabled"
+      - "c:systemctl is-active ufw -> r:^active"
+      - 'c:ufw status -> r:Status:\s+active'
+
+  # 3.5.1.4 Ensure ufw loopback traffic is configured. (Automated)
+  - id: 28576
+    title: "Ensure ufw loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6)."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1."
+    compliance:
+      - cis: ["3.5.1.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s ufw -> r:Status: install ok installed"
+      - 'c:ufw status verbose -> r:Anywhere on lo\s*ALLOW IN\s*Anywhere'
+      - 'c:ufw status verbose -> r:Anywhere\s*DENY IN\s*127.0.0.0/8'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\) on lo\s*ALLOW IN\s*Anywhere \(v6\)'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*DENY IN\s*::1'
+      - 'c:ufw status verbose -> r:Anywhere\s*\t*ALLOW OUT\s*Anywhere on lo'
+      - 'c:ufw status verbose -> r:Anywhere \(v6\)\s*ALLOW OUT\s*Anywhere \(v6\) on lo'
+
+  # 3.5.1.5 Ensure ufw outbound connections are configured (Manual) - Not implemented
+
+  # 3.5.1.6 Ensure ufw firewall rules exist for all open ports (Automated) - Not implemented
+
+  # 3.5.1.7 Ensure ufw default deny firewall policy. (Automated)
+  - id: 28577
+    title: "Ensure ufw default deny firewall policy."
+    description: "A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    impact: "Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny. ufw allow git ufw allow in http ufw allow out http <- required for apt to connect to repository ufw allow in https ufw allow out https ufw allow out 53 ufw logging on."
+    remediation: "Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed."
+    compliance:
+      - cis: ["3.5.1.7"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s ufw -> r:Status: install ok installed"
+      - 'c:ufw status verbose -> r:^Default: && r:deny\s+\(incoming\)|reject\s+\(incoming\)'
+      - 'c:ufw status verbose -> r:^Default: && r:deny\s+\(outgoing\)|reject\s+\(outgoing\)'
+      - 'c:ufw status verbose -> r:^Default: && r:deny\s+\(routed\)|reject\s+\(routed\)'
+
+  # 3.5.2.1 Ensure nftables is installed. (Automated)
+  - id: 28578
+    title: "Ensure nftables is installed."
+    description: "nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: - nftables is available in Linux kernel 3.13 and newer - Only one firewall utility should be installed and configured - Changing firewall settings while connected over the network can result in being locked out of the system."
+    rationale: "nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host."
+    remediation: "Run the following command to install nftables: # apt install nftables."
+    compliance:
+      - cis: ["3.5.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - "c:dpkg -s iptables -> r:package 'iptables' is not installed"
+      - "c:dpkg -s ufw -> r:package 'ufw' is not installed"
+
+  # 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables (Automated) - Not implemented
+  # 3.5.2.3 Ensure iptables are flushed with nftables (Manual) - Not implemented
+
+  # 3.5.2.4 Ensure a nftables table exists. (Automated)
+  - id: 28579
+    title: "Ensure a nftables table exists."
+    description: "Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families."
+    rationale: "nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic."
+    impact: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    remediation: "Run the following command to create a table in nftables # nft create table inet <table name> Example: # nft create table inet filter."
+    compliance:
+      - cis: ["3.5.2.4"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - 'c:nft list tables -> r:\w+'
+
+  # 3.5.2.5 Ensure nftables base chains exist. (Automated)
+  - id: 28580
+    title: "Ensure nftables base chains exist."
+    description: "Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization."
+    rationale: "If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command to create the base chains: # nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }."
+    compliance:
+      - cis: ["3.5.2.5"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - 'c:nft list ruleset -> r:type\s+filter\s+hook\s+input\s+priority;'
+      - 'c:nft list ruleset -> r:type\s+filter\s+hook\s+forward\s+priority;'
+      - 'c:nft list ruleset -> r:type\s+filter\s+hook\s+output\s+priority;'
+
+  # 3.5.2.6 Ensure nftables loopback traffic is configured (Automated) - Not implemented
+  # 3.5.2.7 Ensure nftables outbound and established connections are configured (Manual) - Not implemented
+
+  # 3.5.2.8 Ensure nftables default deny firewall policy. (Automated)
+  - id: 28581
+    title: "Ensure nftables default deny firewall policy."
+    description: "Base chain policy is the default verdict that will be applied to packets reaching the end of the chain."
+    rationale: "There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system."
+    impact: "If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity. Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop."
+    remediation: "Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain <table family> <table name> <chain name> { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; }."
+    compliance:
+      - cis: ["3.5.2.8"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - "c:nft list ruleset -> r:hook input && r:policy drop"
+      - "c:nft list ruleset -> r:hook forward && r:policy drop"
+      - "c:nft list ruleset -> r:hook output && r:policy drop"
+
+  # 3.5.2.9 Ensure nftables service is enabled. (Automated)
+  - id: 28582
+    title: "Ensure nftables service is enabled."
+    description: "The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service."
+    rationale: "The nftables service restores the nftables rules from the rules files referenced in the /etc/nftables.conf file during boot or the starting of the nftables service."
+    remediation: "Run the following command to enable the nftables service: # systemctl enable nftables."
+    compliance:
+      - cis: ["3.5.2.9"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s nftables -> r:Status: install ok installed"
+      - "c:systemctl is-enabled nftables -> r:enabled"
+
+  # 3.5.2.10 Ensure nftables rules are permanent (Automated) - Not implemented
+
+  # 3.5.3.1.1 Ensure iptables packages are installed. (Automated)
+  - id: 28583
+    title: "Ensure iptables packages are installed."
+    description: "iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames."
+    rationale: "A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall."
+    remediation: "Run the following command to install iptables and iptables-persistent # apt install iptables iptables-persistent."
+    compliance:
+      - cis: ["3.5.3.1.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:dpkg -s iptables -> r:Status: install ok installed"
+      - "c:dpkg -s iptables-persistent -> r:Status: install ok installed"
+      - "c:dpkg -s nftables -> r:package 'nftables' is not installed"
+      - "c:dpkg -s ufw -> r:package 'ufw' is not installed"
+
+  # 3.5.3.1.2 Ensure nftables is not installed with iptables. (Automated)
+  - id: 28584
+    title: "Ensure nftables is not installed with iptables."
+    description: "nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables."
+    rationale: "Running both iptables and nftables may lead to conflict."
+    remediation: "Run the following command to remove nftables: # apt purge nftables."
+    compliance:
+      - cis: ["3.5.3.1.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "not c:dpkg-query -s nftables -> r:install ok installed"
+      - "c:dpkg-query -s iptables -> r:install ok installed"
+
+  # 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables. (Automated)
+  - id: 28585
+    title: "Ensure ufw is uninstalled or disabled with iptables."
+    description: "Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. - Uses a command-line interface consisting of a small number of simple commands - Uses iptables for configuration."
+    rationale: "Running iptables.persistent with ufw enabled may lead to conflict and unexpected results."
+    remediation: "Run one of the following commands to either remove ufw or stop and mask ufw Run the following command to remove ufw: # apt purge ufw OR Run the following commands to disable ufw: # ufw disable # systemctl stop ufw # systemctl mask ufw."
+    compliance:
+      - cis: ["3.5.3.1.3"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "not c:dpkg-query -s ufw -> r:install ok installed"
+      - "c:dpkg-query -s iptables -> r:install ok installed"
+
+  # 3.5.3.2.1 Ensure iptables default deny firewall policy. (Automated)
+  - id: 28586
+    title: "Ensure iptables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.2.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L -> r:Chain INPUT \(policy && r:DROP\)|REJECT\)'
+      - 'c:iptables -L -> r:Chain FORWARD \(policy && r:DROP\)|REJECT\)'
+      - 'c:iptables -L -> r:Chain OUTPUT \(policy && r:DROP\)|REJECT\)'
+
+  # 3.5.3.2.2 Ensure iptables loopback traffic is configured. (Automated)
+  - id: 28587
+    title: "Ensure iptables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP."
+    compliance:
+      - cis: ["3.5.3.2.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.*\p\.*0.0.0.0/0\.*0.0.0.0/0'
+      - 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.*\p\.*\p\.*127.0.0.0/8\.*0.0.0.0/0'
+      - 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.*\p\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
+
+  # 3.5.3.2.3 Ensure iptables outbound and established connections are configured (Manual) - Not implemented
+  # 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports (Automated) - Not implemented
+
+  # 3.5.3.3.1 Ensure ip6tables default deny firewall policy. (Automated)
+  - id: 28588
+    title: "Ensure ip6tables default deny firewall policy."
+    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+    remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
+    compliance:
+      - cis: ["3.5.3.3.1"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
+      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"
+
+  # 3.5.3.3.2 Ensure ip6tables loopback traffic is configured. (Automated)
+  - id: 28589
+    title: "Ensure ip6tables loopback traffic is configured."
+    description: "Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+    rationale: "Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure."
+    remediation: "Run the following commands to implement the loopback rules: # ip6tables -A INPUT -i lo -j ACCEPT # ip6tables -A OUTPUT -o lo -j ACCEPT # ip6tables -A INPUT -s ::1 -j DROP."
+    compliance:
+      - cis: ["3.5.3.3.2"]
+      - cis_csc_v8: ["4.4", "4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - mitre_mitigations: ["M1031", "M1037"]
+      - mitre_tactics: ["TA0011"]
+      - mitre_techniques: ["T1562", "T1562.004"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
+      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.*\p\.*::/0\.*::/0'
+      - 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.*\p\.*\p\.*::1\.*::/0'
+      - 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.*\p\.*lo\.*::/0\.*::/0'
+
+  # 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured (Manual) - Not implemented
+  # 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports (Automated) - Not implemented
+
+  # 4.1.1.1 Ensure auditd is installed. (Automated)
+  - id: 28590
+    title: "Ensure auditd is installed."
+    description: "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to Install auditd # apt install auditd audispd-plugins."
+    compliance:
+      - cis: ["4.1.1.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s auditd -> r:install ok installed"
+      - "c:dpkg-query -s audispd-plugins -> r:install ok installed"
+
+  # 4.1.1.2 Ensure auditd service is enabled and active. (Automated)
+  - id: 28591
+    title: "Ensure auditd service is enabled and active."
+    description: "Turn on the auditd daemon to record system events."
+    rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+    remediation: "Run the following command to enable and start auditd: # systemctl --now enable auditd."
+    compliance:
+      - cis: ["4.1.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled auditd -> r:enabled"
+      - "c:systemctl is-active auditd -> r:active"
+
+  # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled. (Automated)
+  - id: 28592
+    title: "Ensure auditing for processes that start prior to auditd is enabled."
+    description: "Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+    rationale: "Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected."
+    remediation: 'Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX="audit=1" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["4.1.1.3"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'not d:/boot -> r:\.*grub.cfg -> r:^\s*\t*linux && !r:audit=1'
+
+  # 4.1.1.4 Ensure audit_backlog_limit is sufficient. (Automated)
+  - id: 28593
+    title: "Ensure audit_backlog_limit is sufficient."
+    description: "In the kernel-level audit subsystem, a socket buffer queue is used to hold audit events. Whenever a new audit event is received, it is logged and prepared to be added to this queue. The kernel boot parameter audit_backlog_limit=N, with N representing the amount of messages, will ensure that a queue cannot grow beyond a certain size. If an audit event is logged which would grow the queue beyond this limit, then a failure occurs and is handled according to the system configuration."
+    rationale: "If an audit event is logged which would grow the queue beyond the audit_backlog_limit, then a failure occurs, auditd records will be lost, and potential malicious activity could go undetected."
+    remediation: 'Edit /etc/default/grub and add audit_backlog_limit=N to GRUB_CMDLINE_LINUX. The recommended size for N is 8192 or larger. Example: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" Run the following command to update the grub2 configuration: # update-grub.'
+    compliance:
+      - cis: ["4.1.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - 'not d:/boot -> r:\.*grub.cfg -> !r:audit_backlog_limit=\d+'
+
+  # 4.1.2.1 Ensure audit log storage size is configured. (Automated)
+  - id: 28594
+    title: "Ensure audit log storage size is configured."
+    description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+    rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = <MB>."
+    compliance:
+      - cis: ["4.1.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - "f:/etc/audit/auditd.conf -> r:^\\s*max_log_file\\s*=\\s*\\d+"
+
+  # 4.1.2.2 Ensure audit logs are not automatically deleted. (Automated)
+  - id: 28595
+    title: "Ensure audit logs are not automatically deleted."
+    description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+    rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+    remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs."
+    compliance:
+      - cis: ["4.1.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - "f:/etc/audit/auditd.conf -> r:^\\s*max_log_file_action\\s*=\\s*keep_logs"
+
+  # 4.1.2.3 Ensure system is disabled when audit logs are full. (Automated)
+  - id: 28596
+    title: "Ensure system is disabled when audit logs are full."
+    description: "The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. - ignore, the audit daemon does nothing - Syslog, the audit daemon will issue a warning to syslog - Suspend, the audit daemon will stop writing records to the disk - single, the audit daemon will put the computer system in single user mode - halt, the audit daemon will shutdown the system."
+    rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+    impact: "If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full."
+    remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt."
+    compliance:
+      - cis: ["4.1.2.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "d:/etc/audit"
+      - "f:/etc/audit/auditd.conf"
+      - "f:/etc/audit/auditd.conf -> r:^\\s*\\t*space_left_action\\s*=\\s*email"
+      - "f:/etc/audit/auditd.conf -> r:^\\s*\\t*action_mail_acct\\s*=\\s*root"
+      - "f:/etc/audit/auditd.conf -> r:^\\s*\\t*admin_space_left_action\\s*=\\s* && r:halt|single"
+
+  # 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected. (Automated)
+  - id: 28597
+    title: "Ensure changes to system administration scope (sudoers) is collected."
+    description: 'Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier "scope".'
+    rationale: "Changes in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators. Example: # printf \" -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope \" >> /etc/audit/rules.d/50-scope.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope'
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope"
+      - "c:auditctl -l -> r:^-w && r:/etc/sudoers.d && r:-p wa && r:-k scope"
+
+  # 4.1.3.2 Ensure actions as another user are always logged. (Automated)
+  - id: 28598
+    title: "Ensure actions as another user are always logged."
+    description: "sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user."
+    rationale: "Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo's logfile to verify if unauthorized commands have been executed."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor elevated privileges. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation \" >> /etc/audit/rules.d/50-user_emulation.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid  && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-C euid!=uid|-C uid!=euid && r:-F auid!=unset|-F auid!=1|-F auid!=4294967295 && r:-S execve && r:-k user_emulation|key=user_emulation"
+
+  # 4.1.3.3 Ensure events that modify the sudo log file are collected (Automated) - Not implemented
+
+  # 4.1.3.4 Ensure events that modify date and time information are collected. (Automated)
+  - id: 28599
+    title: "Ensure events that modify date and time information are collected."
+    description: 'Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the; - adjtimex - tune kernel clock - settimeofday - set time using timeval and timezone structures - stime - using seconds since 1/1/1970 - clock_settime - allows for the setting of several internal clocks and timers system calls have been executed. Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as "time-change".'
+    rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change \" >> /etc/audit/rules.d/50-time-change.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example: -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change."
+    compliance:
+      - cis: ["4.1.3.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change'
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S && r:adjtimex && r:settimeofday && r:clock_settime && r:-k time-change|key=time-change"
+      - "c:auditctl -l -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change|key=time-change"
+
+  # 4.1.3.5 Ensure events that modify the system's network environment are collected. (Automated)
+  - id: 28600
+    title: "Ensure events that modify the system's network environment are collected."
+    description: "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit: - sethostname - set the systems host name - setdomainname - set the systems domain name The files being monitored are: - /etc/issue and /etc/issue.net - messages displayed pre-login - /etc/hosts - file containing host names and associated IP addresses - /etc/networks - symbolic names for networks - /etc/network/ - directory containing network interface scripts and configurations files."
+    rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them."
+    remediation: "Create audit rules Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment. 64 Bit systems Example: # printf \" -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale \" >> /etc/audit/rules.d/50-system_local.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi 32 Bit systems Follow the same procedures as for 64 bit systems and ignore any entries with b64."
+    compliance:
+      - cis: ["4.1.3.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/network/ && r:-p wa && r:-k system-locale|key=system-locale'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale'
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S && r:sethostname && r:setdomainname && r:-k system-locale|-F key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/network/ && r:-p wa && r:-k system-locale|key=system-locale"
+      - "c:auditctl -l -> r:^-w && r:/etc/networks && r:-p wa && r:-k system-locale|key=system-locale"
+
+  # 4.1.3.6 Ensure use of privileged commands are collected (Automated) - Not implemented
+  # 4.1.3.7 Ensure unsuccessful file access attempts are collected (Automated) - Not implemented
+
+  # 4.1.3.8 Ensure events that modify user/group information are collected. (Automated)
+  - id: 28601
+    title: "Ensure events that modify user/group information are collected."
+    description: 'Record events affecting the modification of user or group information, including that of passwords and old passwords if in use. - /etc/group - system groups - /etc/passwd - system users - /etc/gshadow - encrypted password for each group - /etc/shadow - system user passwords - /etc/security/opasswd - storage of old passwords if the relevant PAM module is in use The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.'
+    rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information. Example: # printf \" -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity \" >> /etc/audit/rules.d/50-identity.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.8"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.8"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.3"]
+      - mitre_mitigations: ["M1047"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity'
+      - "c:auditctl -l -> r:^-w && r:/etc/group && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity|key=identity"
+      - "c:auditctl -l -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity|key=identity"
+
+  # 4.1.3.9 Ensure discretionary access control permission modification events are collected (Automated) - Not implemented
+  # 4.1.3.10 Ensure successful file system mounts are collected (Automated) - Not implemented
+
+  # 4.1.3.11 Ensure session initiation information is collected. (Automated)
+  - id: 28602
+    title: "Ensure session initiation information is collected."
+    description: 'Monitor session initiation events. The parameters in this section track changes to the files associated with session events. - /var/run/utmp - tracks all currently logged in users. - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events. - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "session.".'
+    rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information. Example: # printf \" -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session \" >> /etc/audit/rules.d/50-session.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.11"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session'
+      - "c:auditctl -l -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k session|key=session"
+      - "c:auditctl -l -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k session|key=session"
+
+  # 4.1.3.12 Ensure login and logout events are collected. (Automated)
+  - id: 28603
+    title: "Ensure login and logout events are collected."
+    description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. - /var/log/lastlog - maintain records of the last time a user successfully logged in. - /var/run/faillock - directory maintains records of login failures via the pam_faillock module."
+    rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events. Example: # printf \" -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins \" >> /etc/audit/rules.d/50-login.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.12"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["4.9", "16.11", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.8.1.3", "A.9.4.2"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3", "AU-3(1)"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins'
+      - "c:auditctl -l -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins|key=logins"
+      - "c:auditctl -l -> r:^-w && r:/var/run/faillock && r:-p wa && r:-k logins|key=logins"
+
+  # 4.1.3.13 Ensure file deletion events by users are collected (Automated) - Not implemented
+
+  # 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. (Automated)
+  - id: 28604
+    title: "Ensure events that modify the system's Mandatory Access Controls are collected."
+    description: "Monitor AppArmor, an implementation of mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor/ and /etc/apparmor.d/ directories. Note: If a different Mandatory Access Control method is used, changes to the corresponding directories should be audited."
+    rationale: "Changes to files in the /etc/apparmor/ and /etc/apparmor.d/ directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+    remediation: "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's Mandatory Access Controls. Example: # printf \" -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy \" >> /etc/audit/rules.d/50-MAC-policy.rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.14"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy|key=MAC-policy'
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+      - "c:auditctl -l -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy|key=MAC-policy"
+
+  # 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) - Not implemented
+  # 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) - Not implemented
+  # 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) - Not implemented
+  # 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) -  Not implemented
+  # 4.1.3.19 Ensure kernel module loading unloading and modification is collected (Automated) - Not implemented
+
+  # 4.1.3.20 Ensure the audit configuration is immutable. (Automated)
+  - id: 28605
+    title: "Ensure the audit configuration is immutable."
+    description: 'Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.'
+    rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+    remediation: "Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2 \" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\n\"; fi."
+    compliance:
+      - cis: ["4.1.3.20"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+      - nist_sp_800-53: ["AC-3", "AU-3", "AU-3(1)", "MP-2"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - "d:/etc/audit/rules.d"
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$'
+      - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-e\s+2$'
+
+  # 4.1.3.21 Ensure the running and on disk configuration is the same (Manual) - Not implemented
+  # 4.1.4.1 Ensure audit log files are mode 0640 or less permissive (Automated) - Not implemented
+  # 4.1.4.2 Ensure only authorized users own audit log files (Automated) - Not implemented
+
+  # 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files. (Automated)
+  - id: 28606
+    title: "Ensure only authorized groups are assigned ownership of audit log files."
+    description: "Audit log files contain information about the system and system activity."
+    rationale: "Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality."
+    remediation: "Run the following command to configure the audit log files to be owned by adm group: # find $(dirname $(awk -F\"=\" '/^\\s*log_file\\s*=\\s*/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \\( ! -group adm -a ! -group root \\) -exec chgrp adm {} + Run the following command to configure the audit log files to be owned by the adm group: # chgrp adm /var/log/audit/ Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: # sed -ri 's/^\\s*#?\\s*log_group\\s*=\\s*\\S+(\\s*#.*)?.*$/log_group = adm\\1/' /etc/audit/auditd.conf Run the following command to restart the audit daemon to reload the configuration file: # systemctl restart auditd."
+    compliance:
+      - cis: ["4.1.4.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/audit/auditd.conf -> r:log_group\s*\t*= && !r:adm|root'
+
+  # 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive (Automated) - Not implemented
+
+  # 4.1.4.5 Ensure audit configuration files are 640 or more restrictive. (Automated)
+  - id: 28607
+    title: "Ensure audit configuration files are 640 or more restrictive."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to remove more permissive mode than 0640 from the audit configuration files: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec chmod u-x,g-wx,o-rwx {} +."
+    compliance:
+      - cis: ["4.1.4.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%n %a\" {} + -> r:\\w+ -> !r:000|040|200|400|600|240|440|640"
+
+  # 4.1.4.6 Ensure audit configuration files are owned by root. (Automated)
+  - id: 28608
+    title: "Ensure audit configuration files are owned by root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change ownership to root user: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -user root -exec chown root {} +."
+    compliance:
+      - cis: ["4.1.4.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.rules' -o -name '*.conf' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.7 Ensure audit configuration files belong to group root. (Automated)
+  - id: 28609
+    title: "Ensure audit configuration files belong to group root."
+    description: "Audit configuration files control auditd and what events are audited."
+    rationale: "Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events. Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident."
+    remediation: "Run the following command to change group to root: # find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) ! -group root -exec chgrp root {} +."
+    compliance:
+      - cis: ["4.1.4.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - "c:find /etc/audit/ -type f \\( -name '*.conf' -o -name '*.rules' \\) -exec stat -Lc \"%U\" {} + -> !r:root|\\s*"
+
+  # 4.1.4.8 Ensure audit tools are 755 or more restrictive. (Automated)
+  - id: 28610
+    title: "Ensure audit tools are 755 or more restrictive."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:\w+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+
+  # 4.1.4.9 Ensure audit tools are owned by root. (Automated)
+  - id: 28611
+    title: "Ensure audit tools are owned by root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to change the owner of the audit tools to the root user: # chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:root|\\s*'
+
+  # 4.1.4.10 Ensure audit tools belong to group root. (Automated)
+  - id: 28612
+    title: "Ensure audit tools belong to group root."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information."
+    remediation: "Run the following command to remove more permissive mode from the audit tools: # chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules Run the following command to change owner and group of the audit tools to root user and group: # chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules."
+    compliance:
+      - cis: ["4.1.4.10"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: none
+    rules:
+      - 'c:stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755 && r:\s*\t*root\s*\t*root'
+
+  # 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools. (Automated)
+  - id: 28613
+    title: "Ensure cryptographic mechanisms are used to protect the integrity of audit tools."
+    description: "Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators."
+    rationale: "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Attackers may replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. Audit tools should be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files."
+    remediation: 'Add or update the following selection lines for "/etc/aide/aide.conf" to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512.'
+    compliance:
+      - cis: ["4.1.4.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "f:/etc/aide/aide.conf"
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditctl\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/auditd\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/ausearch\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/aureport\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/autrace\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+      - 'f:/etc/aide/aide.conf -> r:/sbin/augenrules\s*\t*p\pi\pn\pu\pg\ps\pb\pacl\pxattrs\psha512'
+
+  # 4.2.1.1.1 Ensure systemd-journal-remote is installed. (Automated)
+  - id: 28614
+    title: "Ensure systemd-journal-remote is installed."
+    description: "Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management."
+    rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+    remediation: "Run the following command to install systemd-journal-remote: # apt install systemd-journal-remote."
+    compliance:
+      - cis: ["4.2.1.1.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s systemd-journal-remote -> r:install ok installed"
+
+  # 4.2.1.1.2 Ensure systemd-journal-remote is configured (Manual) - Not implemented
+  # 4.2.1.1.3 Ensure systemd-journal-remote is enabled (Manual) - Not implemented
+
+  # 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client. (Automated)
+  - id: 28615
+    title: "Ensure journald is not configured to recieve logs from a remote client."
+    description: "Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: "Run the following command to disable systemd-journal-remote.socket: # systemctl --now disable systemd-journal-remote.socket."
+    compliance:
+      - cis: ["4.2.1.1.4"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journal-remote.socket -> r:disabled|No such file or directory"
+
+  # 4.2.1.2 Ensure journald service is enabled. (Automated)
+  - id: 28616
+    title: "Ensure journald service is enabled."
+    description: "Ensure that the systemd-journald service is enabled to allow capturing of logging events."
+    rationale: "If the systemd-journald service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why."
+    compliance:
+      - cis: ["4.2.1.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled systemd-journald.service -> r:static"
+
+  # 4.2.1.3 Ensure journald is configured to compress large log files. (Automated)
+  - id: 28617
+    title: "Ensure journald is configured to compress large log files."
+    description: "The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large."
+    rationale: "Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.3"]
+      - cis_csc_v8: ["8.2", "8.3"]
+      - cis_csc_v7: ["6.2", "6.3", "6.4"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1053"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1562", "T1562.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.7"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^\\s*\\t*Compress=yes"
+
+  # 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk. (Automated)
+  - id: 28618
+    title: "Ensure journald is configured to write logfiles to persistent disk."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot."
+    rationale: "Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.4"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r:^\\s*\\t*Storage=persistent"
+
+  # 4.2.1.5 Ensure journald is not configured to send logs to rsyslog. (Manual)
+  - id: 28619
+    title: "Ensure journald is not configured to send logs to rsyslog."
+    description: "Data from journald should be kept in the confines of the service and not forwarded on to other services."
+    rationale: "IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms."
+    remediation: "Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald."
+    compliance:
+      - cis: ["4.2.1.5"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_mitigations: ["M1029"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> !r:^\\s*\\t*ForwardToSyslog=yes"
+
+  # 4.2.1.6 Ensure journald log rotation is configured per site policy (Manual) - Not implemented
+  # 4.2.1.7 Ensure journald default file permissions configured (Manual) - Not implemented
+
+  # 4.2.2.1 Ensure rsyslog is installed. (Automated)
+  - id: 28620
+    title: "Ensure rsyslog is installed."
+    description: "The rsyslog software is recommended in environments where journald does not meet operation requirements."
+    rationale: "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package."
+    remediation: "Run the following command to install rsyslog: # apt install rsyslog."
+    compliance:
+      - cis: ["4.2.2.1"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1005", "T1070", "T1070.002"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:dpkg-query -s rsyslog -> r:install ok installed"
+
+  # 4.2.2.2 Ensure rsyslog service is enabled. (Automated)
+  - id: 28621
+    title: "Ensure rsyslog service is enabled."
+    description: "Once the rsyslog package is installed, ensure that the service is enabled."
+    rationale: "If the rsyslog service is not enabled to start on boot, the system will not capture logging events."
+    remediation: "Run the following command to enable rsyslog: # systemctl --now enable rsyslog."
+    compliance:
+      - cis: ["4.2.2.2"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.001"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled rsyslog -> r:enabled"
+
+  # 4.2.2.3 Ensure journald is configured to send logs to rsyslog. (Manual)
+  - id: 28622
+    title: "Ensure journald is configured to send logs to rsyslog."
+    description: "Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export."
+    rationale: "IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing."
+    remediation: "Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.2.3"]
+      - cis_csc_v8: ["8.2", "8.9"]
+      - cis_csc_v7: ["6.2", "6.3", "6.5"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-6(3)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "10.5.3", "10.5.4"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "10.3.3", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["PL1.4"]
+    condition: all
+    rules:
+      - "f:/etc/systemd/journald.conf -> r::^\\s*\\t*ForwardToSyslog=yes$"
+
+  # 4.2.2.4 Ensure rsyslog default file permissions are configured. (Automated)
+  - id: 28623
+    title: "Ensure rsyslog default file permissions are configured."
+    description: "RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files."
+    rationale: "It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected."
+    impact: "The systems global umask could override, but only making the file permissions stricter, what is configured in RSyslog with the FileCreateMode directive. RSyslog also has it's own $umask directive that can alter the intended file creation mode. In addition, consideration should be given to how FileCreateMode is used. Thus it is critical to ensure that the intended file creation mode is not overridden with less restrictive settings in /etc/rsyslog.conf, /etc/rsyslog.d/*conf files and that FileCreateMode is set before any file is created."
+    remediation: "Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive: $FileCreateMode 0640 Restart the service: # systemctl restart rsyslog."
+    compliance:
+      - cis: ["4.2.2.4"]
+      - cis_csc_v8: ["3.3", "8.2"]
+      - cis_csc_v7: ["5.1", "6.2", "6.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)", "164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0007"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1083"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode 0640'
+      - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*\$FileCreateMode 0640'
+
+  # 4.2.2.5 Ensure logging is configured (Manual) - Not implemented
+  # 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host (Manual) - Not implemented
+
+  # 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client. (Automated)
+  - id: 28624
+    title: "Ensure rsyslog is not configured to receive logs from a remote client."
+    description: "RSyslog supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts."
+    rationale: "If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary."
+    remediation: 'Should there be any active log server configuration found in the auditing section, modify those file and remove the specific lines highlighted by the audit. Ensure none of the following entries are present in any of /etc/rsyslog.conf or /etc/rsyslog.d/*.conf. Old format $ModLoad imtcp $InputTCPServerRun New format module(load="imtcp") input(type="imtcp" port="514") Restart the service: # systemctl restart rsyslog.'
+    compliance:
+      - cis: ["4.2.2.7"]
+      - cis_csc_v8: ["4.8", "8.2"]
+      - cis_csc_v7: ["6.2", "6.3", "9.2"]
+      - cmmc_v2.0: ["AU.L2-3.3.1", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1", "A.13.1.3"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1070", "T1070.002", "T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: none
+    rules:
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t*module\(load="imtcp"\)'
+      - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*module\(load="imtcp"\)'
+      - 'f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)'
+      - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)'
+
+  # 4.2.3 Ensure all logfiles have appropriate permissions and ownership (Automated) - Not implemented
+
+  # 5.1.1 Ensure cron daemon is enabled and running. (Automated)
+  - id: 28625
+    title: "Ensure cron daemon is enabled and running."
+    description: "The cron daemon is used to execute batch jobs on the system. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+    remediation: "Run the following command to enable and start cron: # systemctl --now enable cron."
+    compliance:
+      - cis: ["5.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.001"]
+    condition: all
+    rules:
+      - "c:systemctl is-enabled cron -> r:enabled"
+      - "c:systemctl status cron -> r:Active: active \\(running\\)"
+
+  # 5.1.2 Ensure permissions on /etc/crontab are configured. (Automated)
+  - id: 28626
+    title: "Ensure permissions on /etc/crontab are configured."
+    description: "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access."
+    remediation: "Run the following commands to set ownership and permissions on /etc/crontab : # chown root:root /etc/crontab # chmod og-rwx /etc/crontab."
+    compliance:
+      - cis: ["5.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/crontab -> r:Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.3 Ensure permissions on /etc/cron.hourly are configured. (Automated)
+  - id: 28627
+    title: "Ensure permissions on /etc/cron.hourly are configured."
+    description: "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.hourly directory: # chown root:root /etc/cron.hourly/ # chmod og-rwx /etc/cron.hourly/."
+    compliance:
+      - cis: ["5.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.hourly/ -> r:Access:\s*\t*\(0700/drwx------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.4 Ensure permissions on /etc/cron.daily are configured. (Automated)
+  - id: 28628
+    title: "Ensure permissions on /etc/cron.daily are configured."
+    description: "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.daily directory: # chown root:root /etc/cron.daily/ # chmod og-rwx /etc/cron.daily/."
+    compliance:
+      - cis: ["5.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.daily/ -> r:Access:\s*\t*\(0700/drwx------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.5 Ensure permissions on /etc/cron.weekly are configured. (Automated)
+  - id: 28629
+    title: "Ensure permissions on /etc/cron.weekly are configured."
+    description: "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.weekly directory: # chown root:root /etc/cron.weekly/ # chmod og-rwx /etc/cron.weekly/."
+    compliance:
+      - cis: ["5.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.weekly/ -> r:Access:\s*\t*\(0700/drwx------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.6 Ensure permissions on /etc/cron.monthly are configured. (Automated)
+  - id: 28630
+    title: "Ensure permissions on /etc/cron.monthly are configured."
+    description: "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.monthly directory: # chown root:root /etc/cron.monthly/ # chmod og-rwx /etc/cron.monthly/."
+    compliance:
+      - cis: ["5.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.monthly/ -> r:Access:\s*\t*\(0700/drwx------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.7 Ensure permissions on /etc/cron.d are configured. (Automated)
+  - id: 28631
+    title: "Ensure permissions on /etc/cron.d are configured."
+    description: "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls."
+    remediation: "Run the following commands to set ownership and permissions on the /etc/cron.d directory: # chown root:root /etc/cron.d/ # chmod og-rwx /etc/cron.d/."
+    compliance:
+      - cis: ["5.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002", "TA0007"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/cron.d/ -> r:Access:\s*\t*\(0700/drwx------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.8 Ensure cron is restricted to authorized users. (Automated)
+  - id: 28632
+    title: "Ensure cron is restricted to authorized users."
+    description: "Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron. Note: - Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy - Even though a given user is not listed in cron.allow, cron jobs can still be run as that user - The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+    rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/cron.deny: # rm /etc/cron.deny Run the following command to create /etc/cron.allow # touch /etc/cron.allow Run the following commands to set permissions and ownership for /etc/cron.allow: # chmod g-wx,o-rwx /etc/cron.allow # chown root:root /etc/cron.allow."
+    compliance:
+      - cis: ["5.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not f:/etc/cron.deny"
+      - 'c:stat /etc/cron.allow -> r:Access:\s*\t*\(0640/-rw-r-----\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.1.9 Ensure at is restricted to authorized users. (Automated)
+  - id: 28633
+    title: "Ensure at is restricted to authorized users."
+    description: "Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at. Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy."
+    rationale: "On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+    remediation: "Run the following commands to remove /etc/at.deny: # rm /etc/at.deny Run the following command to create /etc/at.allow # touch /etc/at.allow Run the following commands to set permissions and ownership for /etc/at.allow: # chmod g-wx,o-rwx /etc/at.allow # chown root:root /etc/at.allow."
+    compliance:
+      - cis: ["5.1.9"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0002"]
+      - mitre_techniques: ["T1053", "T1053.003"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - "not f:/etc/at.deny"
+      - 'c:stat /etc/at.allow -> r:Access:\s*\t*\(0640/-rw-r-----\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured. (Automated)
+  - id: 28634
+    title: "Ensure permissions on /etc/ssh/sshd_config are configured."
+    description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+    rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users."
+    remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config."
+    compliance:
+      - cis: ["5.2.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1098", "T1098.004", "T1543", "T1543.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/ssh/sshd_config -> r:Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*root\)\s*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
+
+  # 5.2.2 Ensure permissions on SSH private host key files are configured (Automated) - Not implemented
+
+  # 5.2.3 Ensure permissions on SSH public host key files are configured (Automated) - Not implemented
+
+  # 5.2.4 Ensure SSH access is limited. (Automated)
+  - id: 28635
+    title: "Ensure SSH access is limited."
+    description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: - AllowUsers: o The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. - AllowGroups: o The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable. - DenyUsers: o The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. - DenyGroups: o The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable."
+    rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+    remediation: "Edit the /etc/ssh/sshd_config file or a included configuration file to set one or more of the parameter as follows: AllowUsers <userlist> OR AllowGroups <grouplist> OR DenyUsers <userlist> OR DenyGroups <grouplist>."
+    compliance:
+      - cis: ["5.2.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1018"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:sshd -T -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+      - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+      - 'd:/etc/ssh/sshd_config.d -> r:\.* -> r:^\s*\t*Allowusers\s*\t*\w+|^\s*\t*Denyusers\s*\t*\w+|^\s*\t*Allowgroups\s*\t*\w+|^\s*\t*Denygroups\s*\t*\w+'
+
+  # 5.2.5 Ensure SSH LogLevel is appropriate. (Automated)
+  - id: 28636
+    title: "Ensure SSH LogLevel is appropriate."
+    description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+    rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE OR LogLevel INFO."
+    references:
+      - "https://www.ssh.com/ssh/sshd_config/"
+    compliance:
+      - cis: ["5.2.5"]
+      - cis_csc_v8: ["8.2"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - hipaa: ["164.312(b)"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.2", "10.3"]
+      - pci_dss_v4.0: ["10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "5.3.4", "6.4.1", "6.4.2"]
+    condition: any
+    rules:
+      - "c:sshd -T -> r:^loglevel VERBOSE|^loglevel INFO"
+      - "not f:/etc/ssh/sshd_config -> !r:^\\s*\\t*loglevel\\s*\\t*VERBOSE|^\\s*\\t*loglevel\\s*\\t*INFO"
+
+  # 5.2.6 Ensure SSH PAM is enabled. (Automated)
+  - id: 28637
+    title: "Ensure SSH PAM is enabled."
+    description: "The UsePAM directive enables the Pluggable Authentication Module (PAM) interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication directives in addition to PAM account and session module processing for all authentication types."
+    rationale: "When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: UsePAM yes."
+    compliance:
+      - cis: ["5.2.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1021", "T1021.004"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^usepam yes"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*UsePAM\\s*\\t*no"
+
+  # 5.2.7 Ensure SSH root login is disabled. (Automated)
+  - id: 28638
+    title: "Ensure SSH root login is disabled."
+    description: "The PermitRootLogin parameter specifies if the root user can log in using SSH. The default is prohibit-password."
+    rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root. This limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no."
+    compliance:
+      - cis: ["5.2.7"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permitrootlogin no"
+      - "f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitRootLogin\\s*\\t*no"
+
+  # 5.2.8 Ensure SSH HostbasedAuthentication is disabled. (Automated)
+  - id: 28639
+    title: "Ensure SSH HostbasedAuthentication is disabled."
+    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication."
+    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no."
+    compliance:
+      - cis: ["5.2.8"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^hostbasedauthentication no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*HostBasedAuthentication\\s*\\t*yes"
+
+  # 5.2.9 Ensure SSH PermitEmptyPasswords is disabled. (Automated)
+  - id: 28640
+    title: "Ensure SSH PermitEmptyPasswords is disabled."
+    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+    rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no."
+    compliance:
+      - cis: ["5.2.9"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["16.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permitemptypasswords no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitEmptyPasswords\\s*\\t*yes"
+
+  # 5.2.10 Ensure SSH PermitUserEnvironment is disabled. (Automated)
+  - id: 28641
+    title: "Ensure SSH PermitUserEnvironment is disabled."
+    description: "The PermitUserEnvironment option allows users to present environment options to the SSH daemon."
+    rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has SSH executing trojan'd programs)."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no."
+    compliance:
+      - cis: ["5.2.10"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1021"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^permituserenvironment no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*PermitUserEnvironment\\s*\\t*yes"
+
+  # 5.2.11 Ensure SSH IgnoreRhosts is enabled. (Automated)
+  - id: 28642
+    title: "Ensure SSH IgnoreRhosts is enabled."
+    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+    rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes."
+    compliance:
+      - cis: ["5.2.11"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^ignorerhosts yes"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*IgnoreRhosts\\s*\\t*no"
+
+  # 5.2.12 Ensure SSH X11 forwarding is disabled. (Automated)
+  - id: 28643
+    title: "Ensure SSH X11 forwarding is disabled."
+    description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+    rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no."
+    compliance:
+      - cis: ["5.2.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1210"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^x11forwarding no"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*x11forwarding\\s*\\t*yes"
+
+  # 5.2.13 Ensure only strong Ciphers are used. (Automated)
+  - id: 28644
+    title: "Ensure only strong Ciphers are used."
+    description: 'This variable limits the ciphers that SSH can use during communication. Note: - Some organizations may have stricter requirements for approved ciphers. - Ensure that ciphers used are in compliance with site policy. - The only "strong" ciphers currently FIPS 140-2 compliant are: o aes256-ctr o aes192-ctr o aes128-ctr - Supported ciphers in openSSH 8.2: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com.'
+    rationale: 'Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. - The Triple DES ciphers, as used in SSH, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain clear text data via a birthday attack against a long-duration encrypted session, aka a "Sweet32" attack. - Error handling in the SSH protocol; Client and Server, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plain text data from an arbitrary block of cipher text in an SSH session via unknown vectors.'
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the Ciphers line to contain a comma separated list of the site approved ciphers. Example: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr."
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2016-2183"
+      - "https://www.openssh.com/txt/cbc.adv"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2008-5161"
+    compliance:
+      - cis: ["5.2.13"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^Ciphers && r:3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc"
+
+  # 5.2.14 Ensure only strong MAC algorithms are used. (Automated)
+  - id: 28645
+    title: "Ensure only strong MAC algorithms are used."
+    description: 'This variable limits the types of MAC algorithms that SSH can use during communication. Note: - Some organizations may have stricter requirements for approved MACs. - Ensure that MACs used are in compliance with site policy. - The only "strong" MACs currently FIPS 140-2 approved are: o hmac-sha2-256 o hmac-sha2-512 - The Supported MACs are: hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com.'
+    rationale: "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information."
+    remediation: "Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma separated list of the site approved MACs. Example: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256."
+    references:
+      - "http://www.mitls.org/pages/attacks/SLOTH"
+    compliance:
+      - cis: ["5.2.14"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4", "16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^MACs && r:hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com"
+
+  # 5.2.15 Ensure only strong Key Exchange algorithms are used. (Automated)
+  - id: 28646
+    title: "Ensure only strong Key Exchange algorithms are used."
+    description: "Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received Notes: - Kex algorithms have a higher preference the earlier they appear in the list - Some organizations may have stricter requirements for approved Key exchange algorithms - Ensure that Key exchange algorithms used are in compliance with site policy - The only Key Exchange Algorithms currently FIPS 140-2 approved are: o ecdh-sha2-nistp256 o ecdh-sha2-nistp384 o ecdh-sha2-nistp521 o diffie-hellman-group-exchange-sha256 o diffie-hellman-group16-sha512 o diffie-hellman-group18-sha512 o diffie-hellman-group14-sha256 - The Key Exchange algorithms supported by OpenSSH 8.2 are: curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup4591761x25519-sha512@tinyssh.org."
+    rationale: "Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks."
+    remediation: "Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18- sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- hellman-group-exchange-sha256."
+    compliance:
+      - cis: ["5.2.15"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1040", "T1557"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: none
+    rules:
+      - "c:sshd -T -> r:^kexalgorithms && r:diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1"
+
+  # 5.2.16 Ensure SSH AllowTcpForwarding is disabled. (Automated)
+  - id: 28647
+    title: "Ensure SSH AllowTcpForwarding is disabled."
+    description: "SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines."
+    rationale: "Leaving port forwarding enabled can expose the organization to security risks and backdoors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network."
+    impact: "SSH tunnels are widely used in many corporate environments. In some environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: AllowTcpForwarding no."
+    references:
+      - "https://www.ssh.com/ssh/tunneling/example"
+    compliance:
+      - cis: ["5.2.16"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - mitre_mitigations: ["M1042"]
+      - mitre_tactics: ["TA0008"]
+      - mitre_techniques: ["T1048", "T1048.002", "T1572"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^allowtcpforwarding && r:no$"
+      - "not f:/etc/ssh/sshd_config -> r:^\\s*\\t*AllowTcpForwarding\\s*\\t*yes"
+
+  # 5.2.17 Ensure SSH warning banner is configured. (Automated)
+  - id: 28648
+    title: "Ensure SSH warning banner is configured."
+    description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+    rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net."
+    compliance:
+      - cis: ["5.2.17"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1035"]
+      - mitre_tactics: ["TA0001", "TA0007"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - "c:sshd -T -> r:^banner && r:/etc/issue.net$"
+
+  # 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less. (Automated)
+  - id: 28649
+    title: "Ensure SSH MaxAuthTries is set to 4 or less."
+    description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+    rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4."
+    compliance:
+      - cis: ["5.2.18"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - "c:sshd -T -> n:^maxauthtries\\s+(\\d+) compare <= 4"
+      - "not f:/etc/ssh/sshd_config -> n:^\\s*\\t*maxauthtries\\s+(\\d+) compare > 4"
+
+  # 5.2.19 Ensure SSH MaxStartups is configured. (Automated)
+  - id: 28650
+    title: "Ensure SSH MaxStartups is configured."
+    description: "The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon."
+    rationale: "To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxStartups 10:30:60."
+    compliance:
+      - cis: ["5.2.19"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*maxstartups\s+(\d+):\d+:\d+ compare <= 10 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:(\d+):\d+ compare <= 30 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'c:sshd -T -> n:^\s*maxstartups\s+\d+:\d+:(\d+) compare <= 60 && n:^maxstartups\s+(\d+):\d+:\d+ compare >= 1'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*(\d+):\d+:\d+ compare > 10'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*(\d+):\d+:\d+ compare == 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:(\d+):\d+ compare > 30'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:(\d+):\d+ compare == 0'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:\d+:(\d+) compare > 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*MaxStartups\s*\t*\d+:\d+:(\d+) compare == 0'
+
+  # 5.2.20 Ensure SSH MaxSessions is set to 10 or less. (Automated)
+  - id: 28651
+    title: "Ensure SSH MaxSessions is set to 10 or less."
+    description: "The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection."
+    rationale: "To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxSessions 10."
+    compliance:
+      - cis: ["5.2.20"]
+      - mitre_tactics: ["TA0040"]
+      - mitre_techniques: ["T1499", "T1499.002"]
+    condition: all
+    rules:
+      - "c:sshd -T -> n:^maxsessions\\s*\\t*(\\d+) compare <= 10"
+      - "not f:/etc/ssh/sshd_config -> n:^^\\s*\\t*MaxSessions\\s+(\\d+) compare > 10"
+
+  # 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less. (Automated)
+  - id: 28652
+    title: "Ensure SSH LoginGraceTime is set to one minute or less."
+    description: "The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational limits to ensure the service is available for needed access."
+    rationale: "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 Minute), set the number based on site policy."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LoginGraceTime 60."
+    compliance:
+      - cis: ["5.2.21"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_mitigations: ["M1036"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003", "T1110.004", "T1499", "T1499.002"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'c:sshd -T -> n:^\s*logingracetime\s*(\d+) compare <= 60 && n:^logingracetime\s*(\d+) compare >= 1'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare > 60'
+      - 'not f:/etc/ssh/sshd_config -> n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare == 0'
+
+  # 5.2.22 Ensure SSH Idle Timeout Interval is configured. (Automated)
+  - id: 28653
+    title: "Ensure SSH Idle Timeout Interval is configured."
+    description: "NOTE: To clarify, the two settings described below is only meant for idle connections from a protocol perspective and not meant to check if the user is active or not. An idle user does not mean an idle connection. SSH does not and never had, intentionally, the capability to drop idle users. In SSH versions before 8.2p1 there was a bug that caused these values to behave in such a manner that they where abused to disconnect idle users. This bug has been resolved in 8.2p1 and thus it can no longer be abused disconnect idle users. The two options ClientAliveInterval and ClientAliveCountMax control the timeout of SSH sessions. Taken directly from man 5 sshd_config: - ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination."
+    rationale: "In order to prevent resource exhaustion, appropriate values should be set for both ClientAliveInterval and ClientAliveCountMax. Specifically, looking at the source code, ClientAliveCountMax must be greater than zero in order to utilize the ability of SSH to drop idle connections. If connections are allowed to stay open indefinately, this can potentially be used as a DDOS attack or simple resource exhaustion could occur over unreliable networks. The example set here is a 45 second timeout. Consult your site policy for network timeouts and apply as appropriate."
+    remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. Example: ClientAliveInterval 15 ClientAliveCountMax 3."
+    references:
+      - "https://man.openbsd.org/sshd_config"
+    compliance:
+      - cis: ["5.2.22"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003"]
+    condition: all
+    rules:
+      - "c:sshd -T -> -> n:^clientaliveinterval\\s*\\t*(\\d+) compare > 0"
+      - "c:sshd -T -> -> n:^clientalivecountmax\\s*\\t*(\\d+) compare > 0"
+
+  # 5.3.1 Ensure sudo is installed. (Automated)
+  - id: 28654
+    title: "Ensure sudo is installed."
+    description: "sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy."
+    rationale: "sudo supports a plug-in architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plug-ins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers and any entries in /etc/sudoers.d. The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific."
+    remediation: "First determine is LDAP functionality is required. If so, then install sudo-ldap, else install sudo. Example: # apt install sudo."
+    compliance:
+      - cis: ["5.3.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - "c:dpkg -s sudo -> r:install ok installed"
+      - "c:dpkg -s sudo-ldap -> r:install ok installed"
+
+  # 5.3.2 Ensure sudo commands use pty. (Automated)
+  - id: 28655
+    title: "Ensure sudo commands use pty."
+    description: "sudo can be configured to run only from a pseudo terminal (pseudo-pty)."
+    rationale: "Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f <PATH TO FILE> and add the following line: Defaults use_pty."
+    compliance:
+      - cis: ["5.3.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1548", "T1548.003"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*use_pty'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*Defaults\s*\t*use_pty'
+
+  # 5.3.3 Ensure sudo log file exists. (Automated)
+  - id: 28656
+    title: "Ensure sudo log file exists."
+    description: "sudo can use a custom log file."
+    rationale: "A sudo log file simplifies auditing of sudo commands."
+    impact: "WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files."
+    remediation: 'Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Example: Defaults logfile="/var/log/sudo.log".'
+    compliance:
+      - cis: ["5.3.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - mitre_tactics: ["TA0004"]
+      - mitre_techniques: ["T1562", "T1562.006"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*Defaults\s*\t*logfile=\S+.log'
+      - 'd:/etc/sudoers.d -> \.* -> r:^\s*\t*Defaults\s*\t*logfile=\S+.log'
+
+  # 5.3.4 Ensure users must provide password for privilege escalation. (Automated)
+  - id: 28657
+    title: "Ensure users must provide password for privilege escalation."
+    description: "The operating system must be configured so that users must provide a password for privilege escalation."
+    rationale: "Without (re-)authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user (re-)authenticate."
+    impact: "This will prevent automated processes from being able to elevate privileges."
+    remediation: "Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any line with occurrences of NOPASSWD tags in the file."
+    compliance:
+      - cis: ["5.3.4"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*NOPASSWD'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*NOPASSWD'
+
+  # 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally. (Automated)
+  - id: 28658
+    title: "Ensure re-authentication for privilege escalation is not disabled globally."
+    description: "The operating system must be configured so that users must re-authenticate for privilege escalation."
+    rationale: "Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate."
+    remediation: "Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s)."
+    compliance:
+      - cis: ["5.3.5"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: none
+    rules:
+      - 'f:/etc/sudoers -> r:^\s*\t*!authenticate'
+      - 'd:/etc/sudoers.d -> r:\.* -> r:^\s*\t*!authenticate'
+
+  # 5.3.6 Ensure sudo authentication timeout is configured correctly. (Automated)
+  - id: 28659
+    title: "Ensure sudo authentication timeout is configured correctly."
+    description: "sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. This default is distribution specific. See audit section for further information."
+    rationale: "Setting a timeout value reduces the window of opportunity for unauthorized privileged access to another user."
+    remediation: "If the currently configured timeout is larger than 15 minutes, edit the file listed in the audit section with visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 minutes or less as per your site policy. The value is in minutes. This particular entry may appear on its own, or on the same line as env_reset. See the following two examples: Defaults env_reset, timestamp_timeout=15 Defaults timestamp_timeout=15 Defaults env_reset."
+    references:
+      - "https://www.sudo.ws/man/1.9.0/sudoers.man.html"
+    compliance:
+      - cis: ["5.3.6"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'f:/etc/sudoers -> !r:^\s*\t*# && n:^\s*\t*timestamp_timeout=(\d+) compare <= 15 && n:^\s*\t*timestamp_timeout=(\d+) compare >= 0'
+      - 'd:/etc/sudoers.d -> r:\.* -> !r:^\s*\t*# && n:^\s*\t*timestamp_timeout=(\d+) compare <= 15 && n:^\s*\t*timestamp_timeout=(\d+) compare >= 0'
+      - 'c:sudo -V -> n:Authentication timestamp timeout:\s*\t*(\d+) compare <= 15 && n:Authentication timestamp timeout:\s*\t*(\d+) compare >= 0'
+
+  # 5.3.7 Ensure access to the su command is restricted. (Automated)
+  - id: 28660
+    title: "Ensure access to the su command is restricted."
+    description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in a specific groups to execute su. This group should be empty to reinforce the use of sudo for privileged access."
+    rationale: "Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program."
+    remediation: "Create an empty group that will be specified for use of the su command. The group should be named according to site policy. Example: # groupadd sugroup Add the following line to the /etc/pam.d/su file, specifying the empty group: auth required pam_wheel.so use_uid group=sugroup."
+    compliance:
+      - cis: ["5.3.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*required\s*pam_wheel.so && r:use_uid && r:group='
+
+  # 5.4.1 Ensure password creation requirements are configured. (Automated)
+  - id: 28661
+    title: "Ensure password creation requirements are configured."
+    description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following options are set in the /etc/security/pwquality.conf file: - Password Length: o minlen = 14 - password must be 14 characters or more - Password complexity: o minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others) OR o dcredit = -1 - provide at least one digit o ucredit = -1 - provide at least one uppercase character o ocredit = -1 - provide at least one special character o lcredit = -1 - provide at least one lowercase character."
+    rationale: "Strong passwords protect systems from being hacked through brute force methods."
+    remediation: "The following setting is a recommend example policy. Alter these values to conform to your own organization's password policies. Run the following command to install the pam_pwquality module: # apt install libpam-pwquality Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy: minlen = 14 Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy: Option 1 minclass = 4 Option 2 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1."
+    compliance:
+      - cis: ["5.4.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - "c:apt list --installed libpam-pwquality -> r:libpam-pwquality"
+      - 'f:/etc/security/pwquality.conf -> n:^\s*\t*minlen\s+=\s+(\d+) compare >=14'
+      - 'f:/etc/security/pwquality.conf -> r:^\s*\t*minclass\s+=\s+4'
+
+  # 5.4.2 Ensure lockout for failed password attempts is configured. (Automated)
+  - id: 28662
+    title: "Ensure lockout for failed password attempts is configured."
+    description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the common PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. All configuration of faillock is located in /etc/security/faillock.conf and well commented. - deny - Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n tries. - fail_interval - The length of the interval, in seconds, during which the consecutive authentication failures must happen for the user account to be locked out - unlock_time - The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock command. Set the lockout number and unlock time in accordance with local site policy."
+    rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+    impact: "It is critical to test and validate any PAM changes before deploying. Any misconfiguration could cause the system to be inaccessible."
+    remediation: 'NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. Common auth Edit /etc/pam.d/common-auth and ensure that faillock is configured. Note: It is critical to understand each line and the relevant arguments for successful implementation. The order of these entries is very specific. The pam_faillock.so lines surround the pam_unix.so line. The comment "Added to enable faillock" is shown to highlight the additional lines and their order in the file. # here are the per-package modules (the "Primary" block) auth required pam_faillock.so preauth # Added to enable faillock auth [success=1 default=ignore] pam_unix.so nullok auth [default=die] pam_faillock.so authfail # Added to enable faillock auth sufficient pam_faillock.so authsucc # Added to enable faillock # here''s the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn''t one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_cap.so # end of pam-auth-update config Common account Edit /etc/pam.d/common-account and ensure that the following stanza is at the end of the file. account required pam_faillock.so Fail lock configuration Edit /etc/security/faillock.conf and configure it per your site policy. Example: deny = 4 fail_interval = 900 unlock time = 600.'
+    compliance:
+      - cis: ["5.4.2"]
+      - cis_csc_v8: ["6.2"]
+      - cis_csc_v7: ["16.7"]
+      - cmmc_v2.0: ["AC.L1-3.1.1"]
+      - hipaa: ["164.308(a)(3)(ii)(C)"]
+      - iso_27001-2013: ["A.9.2.6"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1110", "T1110.001", "T1110.003"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - pci_dss_v3.2.1: ["8.1.3"]
+      - pci_dss_v4.0: ["8.2.4", "8.2.5"]
+      - soc_2: ["CC6.2", "CC6.3"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-auth -> r:^\s*\t*auth\s*\t*required\s*\t*pam_faillock.so\s*\t*preauth'
+      - 'f:/etc/pam.d/common-auth -> r:^\s*\t*auth\s*\t*[default=die]\s*\t*pam_faillock.so\s*\t*authfail'
+      - 'f:/etc/pam.d/common-auth -> r:^\s*\t*auth\s*\t*sufficient\s*\t*pam_faillock.so\s*\t*authsucc'
+      - 'f:/etc/pam.d/common-account -> r:^\s*\t*account\s*\t*required\s*\t*pam_faillock.so'
+      - 'f:/etc/security/faillock.conf -> n:^\s*\t*deny\s*\t*=\s*\t*(\d+) compare <= 4'
+      - 'f:/etc/security/faillock.conf -> n:^\s*\t*fail_interval\s*\t*=\s*\t*(\d+) compare <= 900'
+      - 'not f:/etc/security/faillock.conf -> n:^\s*\t*unlock_time\s*\t*=\s*\t*(\d+) compare < 600 && n:^\s*\t*unlock_time\s*\t*=\s*\t*(\d+) compare > 0'
+
+  # 5.4.3 Ensure password reuse is limited. (Automated)
+  - id: 28663
+    title: "Ensure password reuse is limited."
+    description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+    rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password."
+    remediation: "NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5."
+    compliance:
+      - cis: ["5.4.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/pam.d/common-password -> r:^\s*\t*password\s*\t*[success=1\s*\t*default=ignore]\s*\t*pam_unix.so\s*\t*obscure'
+      - 'f:/etc/pam.d/common-password -> n:^\s*\t*use_authtok\s*\t*try_first_pass\s*\t*yescrypt\s*\t*remember=(\d+) compare >= 5'
+
+  # 5.4.4 Ensure password hashing algorithm is up to date with the latest standards. (Automated)
+  - id: 28664
+    title: "Ensure password hashing algorithm is up to date with the latest standards."
+    description: "The commands below change password encryption to yescrypt. All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+    rationale: "The yescrypt algorithm provides much stronger hashing than previous available algorithms, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note: these change only apply to accounts configured on the local system."
+    remediation: "NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files. PAM Edit the /etc/pam.d/common-password file and ensure that no hashing algorithm option for pam_unix.so is set: password try_first_pass remember=5 [success=1 default=ignore] pam_unix.so obscure use_authtok Login definitions Edit /etc/login.defs and ensure that ENCRYPT_METHOD is set to yescrypt."
+    compliance:
+      - cis: ["5.4.4"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1041"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1110", "T1110.002"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:yescrypt|md5|bigcrypt|sha256|sha512|blowfish'
+      - 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD\s*\t*yescrypt'
+
+  # 5.4.5 Ensure all current passwords uses the configured hashing algorithm (Manual) - Not implemented
+
+  # 5.5.1.1 Ensure minimum days between password changes is configured. (Automated)
+  - id: 28665
+    title: "Ensure minimum days between password changes is configured."
+    description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 1 or more days."
+    rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+    remediation: "Set the PASS_MIN_DAYS parameter to 1 in /etc/login.defs : PASS_MIN_DAYS 1 Modify user parameters for all users with a password set to match: # chage --mindays 1 <user>."
+    compliance:
+      - cis: ["5.5.1.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS^\s*\t*(\d+) compare >=1'
+      - 'f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:(\d+): compare < 1'
+
+  # 5.5.1.2 Ensure password expiration is 365 days or less. (Automated)
+  - id: 28666
+    title: "Ensure password expiration is 365 days or less."
+    description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age."
+    rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. It is recommended that the PASS_MAX_DAYS parameter does not exceed 365 days and is greater than the value of PASS_MIN_DAYS."
+    remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs : PASS_MAX_DAYS 365 Modify user parameters for all users with a password set to match: # chage --maxdays 365 <user>."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["5.5.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1110", "T1110.001", "T1110.002", "T1110.003", "T1110.004"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+      - 'f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:(\d+) compare <= 365'
+
+  # 5.5.1.3 Ensure password expiration warning days is 7 or more. (Automated)
+  - id: 28667
+    title: "Ensure password expiration warning days is 7 or more."
+    description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+    rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+    remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 <user>."
+    compliance:
+      - cis: ["5.5.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0006"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
+      - 'f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:\d+:(\d+): compare >= 7'
+
+  # 5.5.1.4 Ensure inactive password lock is 30 days or less. (Automated)
+  - id: 28668
+    title: "Ensure inactive password lock is 30 days or less."
+    description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+    rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+    remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30 Modify user parameters for all users with a password set to match: # chage --inactive 30 <user>."
+    compliance:
+      - cis: ["5.5.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1078", "T1078.002", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare >= 30'
+      - 'c:useradd -D -> n:^INACTIVE=(\d+) compare == 0'
+      - "c:useradd -D -> r:^INACTIVE=-1"
+      - 'f:/etc/shadow -> !r:^\w+:\p: && n:^\w+:\S*:\d*:\d*:\d+:\d+:(\d+) compare > 30'
+
+  # 5.5.1.5 Ensure all users last password change date is in the past (Automated) -Not implemented
+  # 5.5.2 Ensure system accounts are secured (Automated) - Not implemented
+
+  # 5.5.3 Ensure default group for the root account is GID 0. (Automated)
+  - id: 28669
+    title: "Ensure default group for the root account is GID 0."
+    description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+    rationale: "Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users."
+    remediation: "Run the following command to set the root user default group to GID 0 : # usermod -g 0 root."
+    compliance:
+      - cis: ["5.5.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1548"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'f:/etc/passwd -> r:^root:\S*:\S*:0:'
+
+  # 5.5.4 Ensure default user umask is 027 or more restrictive (Automated) - Not implemented
+  # 5.5.5 Ensure default user shell timeout is 900 seconds or less (Automated) - Not implemented
+
+  # 6.1.1 Ensure permissions on /etc/passwd are configured. (Automated)
+  - id: 28670
+    title: "Ensure permissions on /etc/passwd are configured."
+    description: "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
+    rationale: "It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod u-x,go-wx /etc/passwd."
+    compliance:
+      - cis: ["6.1.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.2 Ensure permissions on /etc/passwd- are configured. (Automated)
+  - id: 28671
+    title: "Ensure permissions on /etc/passwd- are configured."
+    description: "The /etc/passwd- file contains backup user account information."
+    rationale: "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/passwd- : # chown root:root /etc/passwd- # chmod u-x,go-wx /etc/passwd-."
+    compliance:
+      - cis: ["6.1.2"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/passwd- -> r:-rw-\.--\.-- && r:Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.3 Ensure permissions on /etc/group are configured. (Automated)
+  - id: 28672
+    title: "Ensure permissions on /etc/group are configured."
+    description: "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
+    rationale: "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs."
+    remediation: "Run the following command to set permissions on /etc/group : # chown root:root /etc/group # chmod u-x,go-wx /etc/group."
+    compliance:
+      - cis: ["6.1.3"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group -> r:^Access:\s*\(0644/-rw-r--r--\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.4 Ensure permissions on /etc/group- are configured. (Automated)
+  - id: 28673
+    title: "Ensure permissions on /etc/group- are configured."
+    description: "The /etc/group- file contains a backup list of all the valid groups defined in the system."
+    rationale: "It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run the following command to set permissions on /etc/group- : # chown root:root /etc/group- # chmod u-x,go-wx /etc/group-."
+    compliance:
+      - cis: ["6.1.4"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'c:stat /etc/group- -> r:-rw-\.--\.-- && r:Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+
+  # 6.1.5 Ensure permissions on /etc/shadow are configured. (Automated)
+  - id: 28674
+    title: "Ensure permissions on /etc/shadow are configured."
+    description: "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow to root and group to either root or shadow: # chown root:root /etc/shadow # chown root:shadow /etc/shadow Run the following command to remove excess permissions form /etc/shadow: # chmod u-x,g-wx,o-rwx /etc/shadow."
+    compliance:
+      - cis: ["6.1.5"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/shadow -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat /etc/shadow -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.6 Ensure permissions on /etc/shadow- are configured. (Automated)
+  - id: 28675
+    title: "Ensure permissions on /etc/shadow- are configured."
+    description: "The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/shadow- to root and group to either root or shadow: # chown root:root /etc/shadow- # chown root:shadow /etc/shadow- Run the following command to remove excess permissions form /etc/shadow-: # chmod u-x,g-wx,o-rwx /etc/shadow-."
+    compliance:
+      - cis: ["6.1.6"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/shadow- -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat /etc/shadow- -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.7 Ensure permissions on /etc/gshadow are configured. (Automated)
+  - id: 28676
+    title: "Ensure permissions on /etc/gshadow are configured."
+    description: "The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow to root and group to either root or shadow: # chown root:root /etc/gshadow # chown root:shadow /etc/gshadow Run the following command to remove excess permissions form /etc/gshadow: # chmod u-x,g-wx,o-rwx /etc/gshadow."
+    compliance:
+      - cis: ["6.1.7"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/gshadow -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat /etc/gshadow -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.8 Ensure permissions on /etc/gshadow- are configured. (Automated)
+  - id: 28677
+    title: "Ensure permissions on /etc/gshadow- are configured."
+    description: "The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information."
+    rationale: "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions."
+    remediation: "Run one of the following commands to set ownership of /etc/gshadow- to root and group to either root or shadow: # chown root:root /etc/gshadow- # chown root:shadow /etc/gshadow- Run the following command to remove excess permissions form /etc/gshadow-: # chmod u-x,g-wx,o-rwx /etc/gshadow-."
+    compliance:
+      - cis: ["6.1.8"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - mitre_mitigations: ["M1022"]
+      - mitre_tactics: ["TA0005"]
+      - mitre_techniques: ["T1003", "T1003.008", "T1222", "T1222.002"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'c:stat /etc/gshadow- -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
+      - 'c:stat /etc/gshadow- -> r:^Access:\s*\(0640/-rw-r-----\)|Access:\s*\(0600/-rw-------\) && r:\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*\d+/\s*\t*shadow\)'
+
+  # 6.1.9 Ensure no world writable files exist (Automated) - Not implemented
+  # 6.1.10 Ensure no unowned files or directories exist (Automated) - Not implemented
+  # 6.1.11 Ensure no ungrouped files or directories exist (Automated) - Not implemented
+  # 6.1.12 Audit SUID executables (Manual) - Not implemented
+  # 6.1.13 Audit SGID executables (Manual) - Not implemented
+
+  # 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords. (Automated)
+  - id: 28678
+    title: "Ensure accounts in /etc/passwd use shadowed passwords."
+    description: "Local accounts can uses shadowed passwords. With shadowed passwords, The passwords are saved in shadow password file, /etc/shadow, encrypted by a salted one-way hash. Accounts with a shadowed password have an x in the second field in /etc/passwd."
+    rationale: "The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. In spite of encoding the password with a randomly-generated one-way hash function, an attacker could still break the system if they got access to the /etc/passwd file. This can be mitigated by using shadowed passwords, thus moving the passwords in the /etc/passwd file to /etc/shadow. The /etc/shadow file is set so only root will be able to read and write. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack. Note: - All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. - A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username."
+    remediation: "Run the following command to set accounts to use shadowed passwords: # sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1003", "T1003.008"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^\w+:x:'
+
+  # 6.2.2 Ensure /etc/shadow password fields are not empty. (Automated)
+  - id: 28679
+    title: "Ensure /etc/shadow password fields are not empty."
+    description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+    rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+    remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l <username> Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+    compliance:
+      - cis: ["6.2.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: none
+    rules:
+      - 'f:/etc/shadow -> r:^\w+::'
+
+  # 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group. (Automated)
+  - id: 28680
+    title: "Ensure all groups in /etc/passwd exist in /etc/group."
+    description: "Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group."
+    rationale: "Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed."
+    remediation: "Analyze the output of the Audit step above and perform the appropriate action to correct any discrepancies found."
+    compliance:
+      - cis: ["6.2.3"]
+      - mitre_mitigations: ["M1027"]
+      - mitre_tactics: ["TA0003"]
+      - mitre_techniques: ["T1222", "T1222.002"]
+    condition: all
+    rules:
+      - 'f:/etc/group -> !r:^# && r:shadow:\w*:\d+:$'
+
+  # 6.2.5 Ensure no duplicate UIDs exist (Automated) - Not implemented
+  # 6.2.6 Ensure no duplicate GIDs exist (Automated) - Not implemented
+  # 6.2.7 Ensure no duplicate user names exist (Automated) - Not implemented
+  # 6.2.8 Ensure no duplicate group names exist (Automated) - Not implemented
+  # 6.2.9 Ensure root PATH Integrity (Automated) - Not implemented
+
+  # 6.2.10 Ensure root is the only UID 0 account. (Automated)
+  - id: 28681
+    title: "Ensure root is the only UID 0 account."
+    description: "Any account with UID 0 has superuser privileges on the system."
+    rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+    remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+    compliance:
+      - cis: ["6.2.10"]
+      - mitre_mitigations: ["M1026"]
+      - mitre_tactics: ["TA0001"]
+      - mitre_techniques: ["T1548"]
+    condition: none
+    rules:
+      - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+  # 6.2.11 Ensure local interactive user home directories exist (Automated) - Not implemented
+  # 6.2.12 Ensure local interactive users own their home directories (Automated) - Not implemented
+  # 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive (Automated) - Not implemented
+  # 6.2.14 Ensure no local interactive user has .netrc files (Automated) - Not implemented
+  # 6.2.15 Ensure no local interactive user has .forward files (Automated) - Not implemented
+  # 6.2.16 Ensure no local interactive user has .rhosts files (Automated) - Not implemented
+  # 6.2.17 Ensure local interactive user dot files are not group or world writable (Automated) - Not implemented
diff --git a/etc/ruleset/sca/windows/cis_win10_enterprise.yml b/etc/ruleset/sca/windows/cis_win10_enterprise.yml
new file mode 100644
index 0000000000..f776577b26
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win10_enterprise.yml
@@ -0,0 +1,6085 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 10 Enterprise
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# CIS Microsoft Windows 10 Enterprise (Release 21H2) Benchmark v1.12.0 - 02-15-2022
+
+policy:
+  id: "cis_win10_enterprise"
+  file: "cis_win10_enterprise.yml"
+  name: "CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10 Enterprise."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows 10"
+  description: "Requirements for running the CIS benchmark Domain Controller under Windows 10"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
+
+checks:
+  # 1.1 Password Policy
+  - id: 15500
+    title: "Ensure 'Enforce password history' is set to '24 or more password(s)'."
+    description: "This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs"
+    rationale: "The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Enforce password history"
+    compliance:
+      - cis: ["1.1.1"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24'
+
+  - id: 15501
+    title: "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare <= 365'
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0'
+
+  - id: 15502
+    title: "Ensure 'Minimum password age' is set to '1 or more day(s)'."
+    description: "This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s)). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual's user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password age \(days\):\s+(\d+) compare >= 1'
+
+  - id: 15503
+    title: "Ensure 'Minimum password length' is set to '14 or more character(s)'."
+    description: "This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password length:\s+(\d+) compare >= 14'
+
+  - id: 15505
+    title: "Ensure 'Relax minimum password length limits' is set to 'Enabled'."
+    description: "This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following Microsoft Security Blog. The recommended state for this setting is: Enabled. Note: This setting only affects local accounts on the computer. Domain accounts are only affected by settings on the Domain Controllers, because that is where domain accounts are stored."
+    rationale: "This setting will enable the enforcement of longer and generally stronger passwords or passphrases where MFA is not in use."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Relax minimum password length limits. Note: This setting is only available within the built-in OS security template of Windows 10 Release 2004 and Server 2022 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you must use a Windows 10 Release 2004 or Server 2022 system (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME)."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits -> 1'
+
+  - id: 15506
+    title: "Ensure 'Account lockout duration' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration"
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout duration \(minutes\):\s+(\d+) compare >= 15'
+
+  - id: 15507
+    title: "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'."
+    description: "This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold"
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare > 0'
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare <= 5'
+
+  - id: 15508
+    title: "Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after"
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout observation window \(minutes\):\s+(\d+) compare >= 15'
+
+  - id: 15509
+    title: "Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
+    description: "This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings. The recommended state for this setting is: Disabled."
+    rationale: "In some organizations, it can be a daunting management challenge to maintain a regular schedule for periodic password changes for local accounts. Therefore, you may want to disable the built-in Administrator account instead of relying on regular password changes to protect it from attack. Another reason to disable this built-in account is that it cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID) and there are third-party tools that allow authentication by using the SID rather than the account name. This capability means that even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Administrator account status"
+    compliance:
+      - cis: ["2.3.1.1"]
+      - cis_csc: ["4.7"]
+    condition: any
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+      - "c:net user administrator -> r:The user name could not be found."
+
+  - id: 15510
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'."
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
+    compliance:
+      - cis: ["2.3.1.2"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  - id: 15511
+    title: "Ensure 'Accounts: Guest account status' is set to 'Disabled'."
+    description: "This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings."
+    rationale: "The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Guest account status"
+    compliance:
+      - cis: ["2.3.1.3"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - 'c:net user guest -> r:Account active\s+No'
+
+  - id: 15512
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'."
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
+    compliance:
+      - cis: ["2.3.1.4"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  - id: 15513
+    title: "Configure 'Accounts: Rename administrator account'."
+    description: "The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console)."
+    rationale: "The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename administrator account"
+    compliance:
+      - cis: ["2.3.1.5"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - "c:net user administrator -> r:The user name could not be found."
+
+  - id: 15514
+    title: "Configure 'Accounts: Rename guest account'."
+    description: "The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security."
+    rationale: "The Guest account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename guest account"
+    compliance:
+      - cis: ["2.3.1.6"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - "c:net user guest -> r:The user name could not be found."
+
+  - id: 15515
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. Important: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc: ["8.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  - id: 15516
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'."
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  - id: 15517
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'."
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+    compliance:
+      - cis: ["2.3.4.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 2'
+
+  - id: 15518
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+    compliance:
+      - cis: ["2.3.4.2"]
+      - pci_dss: ["2.2.4", "2.2.5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3", "CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  - id: 15519
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  - id: 15520
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  - id: 15521
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
+    compliance:
+      - cis: ["2.3.6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  - id: 15522
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'."
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+    compliance:
+      - cis: ["2.3.6.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  - id: 15523
+    title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'."
+    description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Maximum machine account password age"
+    compliance:
+      - cis: ["2.3.6.5"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare <= 30'
+      - 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare > 0'
+
+  - id: 15524
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'."
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+    compliance:
+      - cis: ["2.3.6.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  - id: 15525
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'."
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+    compliance:
+      - cis: ["2.3.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  - id: 15526
+    title: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'."
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in. Note: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows 10 Release 1703."
+    compliance:
+      - cis: ["2.3.7.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  - id: 15527
+    title: "Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'."
+    description: "This security setting determines the number of failed logon attempts that causes the machine to be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. The recommended state for this setting is: 10 or fewer invalid logon attempts, but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine account lockout threshold. Values from 1 to 3 will be interpreted as 4."
+    rationale: "If a machine is lost or stolen, or if an insider threat attempts a brute force password attack against the computer, it is important to ensure that BitLocker will lock the computer and therefore prevent a successful attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid logon attempts, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine account lockout threshold"
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts -> n:^(\d+) compare <=30'
+
+  - id: 15528
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'."
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
+    compliance:
+      - cis: ["2.3.7.4"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  - id: 15529
+    title: "Configure 'Interactive logon: Message text for users attempting to log on'."
+    description: "This policy setting specifies a text message that displays to users when they log on. Set the following group policy to a value that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Note: Any warning that you display should first be approved by your organization's legal and human resources representatives."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message text for users attempting to log on"
+    compliance:
+      - cis: ["2.3.7.5"]
+    condition: all
+    rules:
+      - 'not c:reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticetext -> r:\s+legalnoticetext\s+REG_SZ\s+$'
+
+  - id: 15530
+    title: "Configure 'Interactive logon: Message title for users attempting to log on'."
+    description: "This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message title for users attempting to log on"
+    compliance:
+      - cis: ["2.3.7.6"]
+    condition: all
+    rules:
+      - 'not c:reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticecaption -> r:\s+legalnoticecaption\s+REG_SZ\s+$'
+
+  - id: 15531
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'."
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+    compliance:
+      - cis: ["2.3.7.7"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
+
+  - id: 15532
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'."
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+    compliance:
+      - cis: ["2.3.7.8"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  - id: 15533
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher."
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
+
+  - id: 15534
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
+    description: 'This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled.'
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
+    compliance:
+      - cis: ["2.3.8.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 15535
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
+    compliance:
+      - cis: ["2.3.8.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 15536
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'."
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+  - id: 15537
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'."
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s)."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  - id: 15538
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
+    compliance:
+      - cis: ["2.3.9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 15539
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
+    compliance:
+      - cis: ["2.3.9.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 15540
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'."
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  - id: 15541
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
+    compliance:
+      - cis: ["2.3.9.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+  - id: 15542
+    title: "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
+    description: "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled."
+    rationale: "If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Allow anonymous SID/Name translation"
+    compliance:
+      - cis: ["2.3.10.1"]
+    condition: all
+    rules:
+      - 'c:powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" -> r:0'
+
+  - id: 15543
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'."
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+    compliance:
+      - cis: ["2.3.10.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  - id: 15544
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'."
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
+    compliance:
+      - cis: ["2.3.10.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  - id: 15545
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+    compliance:
+      - cis: ["2.3.10.4"]
+      - pci_dss: ["3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  - id: 15546
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'."
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+    compliance:
+      - cis: ["2.3.10.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  - id: 15547
+    title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
+    compliance:
+      - cis: ["2.3.10.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S+'
+
+  - id: 15548
+    title: "Ensure 'Network access: Remotely accessible registry paths' is configured."
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub-paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion"
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
+    compliance:
+      - cis: ["2.3.10.7"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+  - id: 15549
+    title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured."
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths"
+    compliance:
+      - cis: ["2.3.10.8"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\Eventlog'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\OLAP Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ContentIndex'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\SysmonLog'
+
+  - id: 15550
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'."
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+    compliance:
+      - cis: ["2.3.10.9"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  - id: 15551
+    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'."
+    description: 'This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note #2: If your organization is using Azure Advanced Threat Protection (APT), the service account, "AATP Service" will need to be added to the recommendation configuration. For more information on adding the "AATP Service" account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.'
+    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
+    compliance:
+      - cis: ["2.3.10.10"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
+
+  - id: 15552
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+    compliance:
+      - cis: ["2.3.10.11"]
+      - cis_csc: ["3.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> \S+'
+
+  - id: 15553
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'."
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+    compliance:
+      - cis: ["2.3.10.12"]
+      - pci_dss: ["7.1.3"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  # 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+  - id: 15554
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'."
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+    compliance:
+      - cis: ["2.3.11.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> UseMachineId'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  # 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
+  - id: 15555
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'."
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+    compliance:
+      - cis: ["2.3.11.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  # 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+  - id: 15556
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'."
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+    compliance:
+      - cis: ["2.3.11.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  # 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+  - id: 15557
+    title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it."
+    rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'
+
+  # 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+  - id: 15558
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'."
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  # 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
+  - id: 15559
+    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'."
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled."
+    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+    compliance:
+      - cis: ["2.3.11.6"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+  - id: 15560
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'."
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel '
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  # 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
+  - id: 15561
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher."
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'
+
+  # 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 15562
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+  # 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 15563
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/288
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  - id: 15564
+    title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher."
+    description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark."
+    rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
+    compliance:
+      - cis: ["2.3.14.1"]
+      - cis_csc: ["3.11"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:(\d+) compare > 0'
+
+  # 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
+  - id: 15565
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'."
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non-Windows subsystems"
+    compliance:
+      - cis: ["2.3.15.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  # 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+  - id: 15566
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'."
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+    compliance:
+      - cis: ["2.3.15.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  # 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+  - id: 15567
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+    compliance:
+      - cis: ["2.3.17.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  - id: 15568
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'."
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+    compliance:
+      - cis: ["2.3.17.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
+
+  - id: 15569
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+    compliance:
+      - cis: ["2.3.17.3"]
+      - pci_dss: ["7.1.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  - id: 15570
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+    compliance:
+      - cis: ["2.3.17.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  - id: 15571
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'."
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\\Program Files\\, including subfolders  - ...\\Windows\\system32\\; - ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+    compliance:
+      - cis: ["2.3.17.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  - id: 15572
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+    compliance:
+      - cis: ["2.3.17.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  - id: 15573
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'."
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+    compliance:
+      - cis: ["2.3.17.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  - id: 15574
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'."
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %windir% - %windir%\\System32 - HKEY_LOCAL_MACHINE\\SOFTWARE. The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
+    compliance:
+      - cis: ["2.3.17.8"]
+      - pci_dss: ["6.5.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  - id: 15575
+    title: "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'."
+    description: "Service supporting the audio gateway role of the Bluetooth Handsfree Profile. The recommended state for this setting is: Disabled."
+    rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Audio Gateway Service. Note: This service was first introduced in Windows 10 Release 1803. It appears to have replaced the older Bluetooth Handsfree Service (BthHFSrv), which was removed from Windows in that release (it is not simply a rename, but a different service)."
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService -> Start -> 4'
+
+  - id: 15576
+    title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
+    description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled."
+    rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
+
+  - id: 15577
+    title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'."
+    description: "Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps."
+    rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4'
+
+  - id: 15578
+    title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'."
+    description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
+    compliance:
+      - cis: ["5.5"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4'
+
+  - id: 15579
+    title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+    rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4'
+
+  - id: 15580
+    title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'."
+    description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled or Not Installed."
+    rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic 'file transfer application' functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
+
+  - id: 15581
+    title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'."
+    description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled."
+    rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to 'share' their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
+    compliance:
+      - cis: ["5.8"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
+
+  - id: 15582
+    title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'."
+    description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled."
+    rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
+    compliance:
+      - cis: ["5.9"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4'
+
+  - id: 15583
+    title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'."
+    description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)."
+    rationale: "The Linux Subsystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
+    compliance:
+      - cis: ["5.10"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4'
+
+  - id: 15584
+    title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables the server to be a File Transfer Protocol (FTP) server. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - FTP Server)."
+    rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
+    compliance:
+      - cis: ["5.11"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4'
+
+  - id: 15585
+    title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'."
+    description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled."
+    rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
+    compliance:
+      - cis: ["5.12"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4'
+
+  - id: 15586
+    title: "Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'."
+    description: "SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server)."
+    rationale: "Hosting an SSH server from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any SSH server application installed on a workstation, not just the one supplied with Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\OpenSSH SSH Server"
+    compliance:
+      - cis: ["5.13"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd -> Start -> 4'
+
+  - id: 15587
+    title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'."
+    description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
+    compliance:
+      - cis: ["5.14"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4'
+
+  - id: 15588
+    title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'."
+    description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
+    compliance:
+      - cis: ["5.15"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4'
+
+  - id: 15589
+    title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'."
+    description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
+    compliance:
+      - cis: ["5.16"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4'
+
+  - id: 15590
+    title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'."
+    description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
+    compliance:
+      - cis: ["5.17"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4'
+
+  - id: 15591
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled'."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled. Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler"
+    compliance:
+      - cis: ["5.18"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  - id: 15592
+    title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'."
+    description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled."
+    rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
+    compliance:
+      - cis: ["5.19"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4'
+
+  - id: 15593
+    title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'."
+    description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. The recommended state for this setting is: Disabled."
+    rationale: "The function of this service is to provide a 'demand dial' type of functionality. In a high security environment, it is preferred that any remote 'dial' connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
+    compliance:
+      - cis: ["5.20"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4'
+
+  - id: 15594
+    title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'."
+    description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
+    compliance:
+      - cis: ["5.21"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4'
+
+  - id: 15595
+    title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'."
+    description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
+    compliance:
+      - cis: ["5.22"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4'
+
+  - id: 15596
+    title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'."
+    description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled."
+    rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
+    compliance:
+      - cis: ["5.23"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4'
+
+  - id: 15597
+    title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'."
+    description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled."
+    rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
+    compliance:
+      - cis: ["5.24"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
+
+  - id: 15598
+    title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'."
+    description: "Enables remote users to view and modify registry settings on this computer. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
+    compliance:
+      - cis: ["5.25"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4'
+
+  - id: 15599
+    title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'."
+    description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled."
+    rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
+    compliance:
+      - cis: ["5.26"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
+
+  - id: 15600
+    title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'."
+    description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
+    compliance:
+      - cis: ["5.27"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4'
+
+  - id: 15601
+    title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'."
+    description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))."
+    rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
+    compliance:
+      - cis: ["5.28"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4'
+
+  - id: 15602
+    title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
+    rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
+    compliance:
+      - cis: ["5.29"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'
+
+  - id: 15603
+    title: "Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'."
+    description: "This service allows administrators to remotely access a command prompt using Emergency Management Services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows capability (Windows Emergency Management Services and Serial Console)."
+    rationale: "Allowing the use of a remotely accessible command prompt that provides the ability to perform remote management tasks on a computer is a security risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Special Administration Console Helper"
+    compliance:
+      - cis: ["5.30"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr -> Start -> 4'
+
+  - id: 15604
+    title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'."
+    description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled."
+    rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Note that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
+    compliance:
+      - cis: ["5.31"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
+
+  - id: 15605
+    title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'."
+    description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled."
+    rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
+    compliance:
+      - cis: ["5.32"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
+
+  - id: 15606
+    title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'."
+    description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)."
+    rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
+    compliance:
+      - cis: ["5.33"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
+
+  - id: 15607
+    title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'."
+    description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
+    compliance:
+      - cis: ["5.34"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4'
+
+  - id: 15608
+    title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'."
+    description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
+    compliance:
+      - cis: ["5.35"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4'
+
+  - id: 15609
+    title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'."
+    description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed."
+    rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
+    compliance:
+      - cis: ["5.36"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
+
+  - id: 15610
+    title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'."
+    description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled."
+    rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
+    compliance:
+      - cis: ["5.37"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
+
+  - id: 15611
+    title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'."
+    description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
+    compliance:
+      - cis: ["5.38"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
+
+  - id: 15612
+    title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'."
+    description: "This service manages Apps that are pushed to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Disabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
+    compliance:
+      - cis: ["5.39"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
+
+  - id: 15613
+    title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'."
+    description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
+    rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
+    compliance:
+      - cis: ["5.40"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4'
+
+  - id: 15614
+    title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'."
+    description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+    rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
+    compliance:
+      - cis: ["5.41"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
+
+  - id: 15615
+    title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'."
+    description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
+    compliance:
+      - cis: ["5.42"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
+
+  - id: 15616
+    title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'."
+    description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
+    compliance:
+      - cis: ["5.43"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
+
+  - id: 15617
+    title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'."
+    description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
+    compliance:
+      - cis: ["5.44"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
+
+  - id: 15618
+    title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'."
+    description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
+    compliance:
+      - cis: ["5.45"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start -> 4'
+
+  - id: 15619
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  - id: 15620
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  - id: 15621
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  - id: 15622
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.1.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  - id: 15623
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  - id: 15624
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 15625
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 15626
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 15627
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  - id: 15628
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  - id: 15629
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  - id: 15630
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.2.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  - id: 15631
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  - id: 15632
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 15633
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 15634
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 15635
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  - id: 15636
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  - id: 15637
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  - id: 15638
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.3.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  - id: 15639
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  - id: 15640
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  - id: 15641
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  - id: 15642
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 15643
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 15644
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 15645
+    title: "Ensure 'Audit Credential Validation' is set to 'Success and Failure'."
+    description: "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - 4774: An account was mapped for logon. -  4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Credential Validation"
+    compliance:
+      - cis: ["17.1.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Credential Validation" -> r:Success and Failure'
+
+  - id: 15646
+    title: "Ensure 'Audit Application Group Management' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Application Group Management"
+    compliance:
+      - cis: ["17.2.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Application Group Management" -> r:Success and Failure'
+
+  - id: 15647
+    title: "Ensure 'Audit Security Group Management' is set to include 'Success'."
+    description: "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Security Group Management"
+    compliance:
+      - cis: ["17.2.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security Group Management" -> r:Success'
+
+  - id: 15648
+    title: "Ensure 'Audit User Account Management' is set to 'Success and Failure'."
+    description: "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management"
+    compliance:
+      - cis: ["17.2.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"User Account Management" -> r:Success and Failure'
+
+  - id: 15649
+    title: "Ensure 'Audit PNP Activity' is set to include 'Success'."
+    description: "This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit PNP Activity"
+    compliance:
+      - cis: ["17.3.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Plug and Play Events" -> r:Success'
+
+  - id: 15650
+    title: "Ensure 'Audit Process Creation' is set to include 'Success'."
+    description: "This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit Process Creation"
+    compliance:
+      - cis: ["17.3.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Process Creation" -> r:Success'
+
+  - id: 15651
+    title: "Ensure 'Audit Account Lockout' is set to include 'Failure'."
+    description: "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Account Lockout"
+    compliance:
+      - cis: ["17.5.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Account Lockout" -> r:Failure'
+
+  - id: 15652
+    title: "Ensure 'Audit Group Membership' is set to include 'Success'."
+    description: "This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Group Membership"
+    compliance:
+      - cis: ["17.5.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Group Membership" -> r:Success'
+
+  - id: 15653
+    title: "Ensure 'Audit Logoff' is set to include 'Success'."
+    description: "This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logoff"
+    compliance:
+      - cis: ["17.5.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logoff" -> r:Success'
+
+  - id: 15654
+    title: "Ensure 'Audit Logon' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logon"
+    compliance:
+      - cis: ["17.5.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logon" -> r:Success and Failure'
+
+  - id: 15655
+    title: "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'."
+    description: "This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Other Logon/Logoff Events"
+    compliance:
+      - cis: ["17.5.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Logon/Logoff Events" -> r:Success and Failure'
+
+  - id: 15656
+    title: "Ensure 'Audit Special Logon' is set to include 'Success'."
+    description: "This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Special Logon"
+    compliance:
+      - cis: ["17.5.6"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Special Logon" -> r:Success'
+
+  - id: 15657
+    title: "Ensure 'Audit Detailed File Share' is set to include 'Failure'."
+    description: "This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Detailed File Share"
+    compliance:
+      - cis: ["17.6.1"]
+      - cis_csc: ["3.3", "8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Detailed File Share" -> r:Failure'
+
+  - id: 15658
+    title: "Ensure 'Audit File Share' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited."
+    rationale: "In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit File Share"
+    compliance:
+      - cis: ["17.6.2"]
+      - cis_csc: ["3.3", "8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"File Share" -> r:Success and Failure'
+
+  - id: 15659
+    title: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure."
+    rationale: "The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Other Object Access Events"
+    compliance:
+      - cis: ["17.6.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Object Access Events" -> r:Success and Failure'
+
+  - id: 15660
+    title: "Ensure 'Audit Removable Storage' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Removable Storage"
+    compliance:
+      - cis: ["17.6.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Removable Storage" -> r:Success and Failure'
+
+  - id: 15661
+    title: "Ensure 'Audit Audit Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Audit Policy Change"
+    compliance:
+      - cis: ["17.7.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Audit Policy Change" -> r:Success'
+
+  - id: 15662
+    title: "Ensure 'Audit Authentication Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authentication policy. Events for this subcategory include - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed.  - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authentication Policy Change"
+    compliance:
+      - cis: ["17.7.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authentication Policy Change" -> r:Success'
+
+  - id: 15663
+    title: "Ensure 'Audit Authorization Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change"
+    compliance:
+      - cis: ["17.7.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authorization Policy Change" -> r:Success'
+
+  - id: 15664
+    title: "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'."
+    description: "This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure"
+    rationale: "Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit MPSSVC Rule-Level Policy Change"
+    compliance:
+      - cis: ["17.7.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change" -> r:Success and Failure'
+
+  - id: 15665
+    title: "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'."
+    description: "This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure."
+    rationale: "This setting can help detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Other Policy Change Events"
+    compliance:
+      - cis: ["17.7.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Policy Change Events" -> r:Failure'
+
+  - id: 15666
+    title: "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - Impersonate a client after authentication - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Privilege Use\\Audit Sensitive Privilege Use"
+    compliance:
+      - cis: ["17.8.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Sensitive Privilege Use" -> r:Success and Failure'
+
+  - id: 15667
+    title: "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'."
+    description: "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.- 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit IPsec Driver"
+    compliance:
+      - cis: ["17.9.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"IPsec Driver" -> r:Success and Failure'
+
+  - id: 15668
+    title: "Ensure 'Audit Other System Events' is set to 'Success and Failure'."
+    description: "This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure."
+    rationale: "Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Other System Events"
+    compliance:
+      - cis: ["17.9.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other System Events" -> r:Success and Failure'
+
+  - id: 15669
+    title: "Ensure 'Audit Security State Change' is set to include 'Success'."
+    description: "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change"
+    compliance:
+      - cis: ["17.9.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security State Change" -> r:Success'
+
+  - id: 15670
+    title: "Ensure 'Audit Security System Extension' is set to include 'Success'."
+    description: "This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security System Extension"
+    compliance:
+      - cis: ["17.9.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security System Extension" -> r:Success'
+
+  - id: 15671
+    title: "Ensure 'Audit System Integrity' is set to 'Success and Failure'."
+    description: "This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit System Integrity"
+    compliance:
+      - cis: ["17.9.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"System Integrity" -> r:Success and Failure'
+
+  - id: 15672
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'."
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  - id: 15673
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'."
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow '
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+  - id: 15674
+    title: "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'."
+    description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow users to enable online speech recognition services. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow input personalization, but it was renamed to Allow users to enable online speech recognition services starting with the Windows 10 R1809 & Server 2019 Administrative Templates."
+    compliance:
+      - cis: ["18.1.2.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+  - id: 15675
+    title: "Ensure 'Allow Online Tips' is set to 'Disabled'."
+    description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.3"]
+      - pci_dss: ["1.3.4"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
+  - id: 15676
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
+    compliance:
+      - cis: ["18.2.1"]
+      - cis_csc: ["5.2", "5.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  - id: 15677
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.2"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  - id: 15678
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.3"]
+      - cis_csc: ["5.2", "5.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  - id: 15679
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.4"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  - id: 15680
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.5"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  - id: 15681
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.6"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  - id: 15682
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'."
+    description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled."
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
+
+  - id: 15683
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'."
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver (recommended). Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  - id: 15684
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  - id: 15685
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  - id: 15686
+    title: "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'."
+    description: "This policy setting controls whether users that aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)."
+    rationale: "Restricting the installation of print drives to Administrators can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Limits print driver installation to Administrators. Note: This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required."
+    compliance:
+      - cis: ["18.3.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators -> 1'
+
+  - id: 15687
+    title: "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node'."
+    description: "This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: The B-node (broadcast) method only uses broadcasts. The P-node (point-to-point) method only uses name queries to a name server (WINS). The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to- point).                 Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\NetBT NodeType configuration. Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.6"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+  - id: 15688
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'."
+    description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled."
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.7"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  - id: 15689
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'."
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see Microsoft Knowledge Base article 324737: How to turn on automatic logon in Windows. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  - id: 15690
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 15691
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting '
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 15692
+    title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'."
+    description: 'When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the "Save Password" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled.'
+    rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
+
+  - id: 15693
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'."
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  - id: 15694
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'."
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.6"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  - id: 15695
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'."
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  - id: 15696
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'."
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.8"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  - id: 15697
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'."
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs"
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.9"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  - id: 15698
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'."
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  - id: 15699
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.11"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 15700
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.12"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 15701
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'."
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.13"]
+      - pci_dss: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  - id: 15702
+    title: "Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher."
+    description: "This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs. The recommended state for this setting is: Enabled: Allow DoH. Configuring this setting to Enabled: Require DoH also conforms to the benchmark."
+    rationale: "DNS over HTTPS (DoH) helps protect against DNS spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. It can also help prevent man-in-the-middle (MitM) attacks because the session in-between is encrypted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark): Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Configure DNS over HTTPS (DoH) name resolution. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.1"]
+      - cis_csc: ["3.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy -> r:^2$|^3$'
+
+  - id: 15703
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+  - id: 15704
+    title: "Ensure 'Enable Font Providers' is set to 'Disabled'."
+    description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.5.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+  - id: 15705
+    title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
+    description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
+    rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.8.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+  - id: 15706
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+
+  - id: 15707
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.2"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+
+  - id: 15708
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'."
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.10.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  - id: 15709
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."
+    description: "You can use this procedure to control a user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network. Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.2"]
+      - cis_csc: ["12.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  - id: 15710
+    title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."
+    description: "Although this 'legacy' setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
+    rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network. Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.3"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
+  - id: 15711
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.11.4"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  - id: 15712
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares''.'
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths. Additional guidance on the deployment of this security setting is available from the Microsoft Premier Field Engineering (PFE) Platforms TechNet Blog here: Guidance on Deployment of MS15-011 and MS15-014."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths. Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.14.1"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+
+  - id: 15713
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."
+    description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components removes a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents. Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+    compliance:
+      - cis: ["18.5.19.2.1"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  - id: 15714
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'."
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now. Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.20.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  - id: 15715
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'."
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.20.2"]
+      - cis_csc: ["15.4", "15.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  - id: 15716
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'."
+    description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled: 3 = Prevent Wi-Fi when on Ethernet."
+    rationale: "Preventing bridged network connections can help prevent a user unknowingly allowing traffic to route between internal and external networks, which risks exposure to sensitive internal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3 = Prevent Wi-Fi when on Ethernet: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates. It was updated with a new Minimize Policy Options sub-setting starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.5.21.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 3'
+
+  - id: 15717
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'."
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.21.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  - id: 15718
+    title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services. - Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to. - Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user''s contacts have shared with them, and enables users on this device to share networks with their contacts. - Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled. Note: These features are also known by the name "Wi-Fi Sense".'
+    rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template wlansvc.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.23.2.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
+
+  - id: 15719
+    title: "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'."
+    description: "This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect."
+    rationale: "Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Allow Print Spooler to accept client connections. Note: This Group Policy path is provided by the Group Policy template printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers -> RegisterSpoolerRemoteRpcEndPoint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers -> RegisterSpoolerRemoteRpcEndPoint -> 2'
+
+  - id: 15720
+    title: "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When installing drivers for a new connection. Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall -> 0'
+
+  - id: 15721
+    title: "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When updating drivers for an existing connection. Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> UpdatePromptSettings'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint -> UpdatePromptSettings -> 0'
+
+  - id: 15722
+    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'."
+    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.7.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'
+
+  - id: 15723
+    title: "Ensure 'Include command line in process creation events' is set to 'Enabled'."
+    description: "This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created. The recommended state for this setting is: Enabled. Note: This feature that this setting controls was not originally supported in workstation OSes older than Windows 8.1. However, in February 2015 Microsoft added support for the feature to Windows 7 and Windows 8.0 via an update - KB3004375. Therefore, this setting is also important to set on those older OSes."
+    rationale: "Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.3.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 1'
+
+  - id: 15724
+    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'."
+    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients."
+    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows from Windows Vista onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched at least through May 2018 (or later)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.1"]
+      - cis_csc: ["7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 0'
+
+  - id: 15725
+    title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'."
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled. Note: More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs"
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  - id: 15726
+    title: "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.1"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity -> 1'
+
+  - id: 15727
+    title: "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot and DMA Protection. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA protections to help protect data from being scraped from memory."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Secure Boot and DMA Protection: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Select Platform Security Level. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.2"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 3'
+
+  - id: 15728
+    title: "Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'."
+    description: "This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.3"]
+      - cis_csc: ["5.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity -> 1'
+
+  - id: 15729
+    title: "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'."
+    description: "This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked). Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "This setting will help protect this control from being enabled on a system that is not compatible which could lead to a crash or data loss."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to TRUE: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.4"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired -> 1'
+
+  - id: 15730
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'."
+    description: 'This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.'
+    rationale: "The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.5"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 1'
+
+  - id: 15731
+    title: "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'."
+    description: "Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled. Note: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Secure Launch Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.6"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch -> 1'
+
+  - id: 15732
+    title: "Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: Enabled. Note: This will not prevent the installation of basic hardware drivers, but does prevent associated 3rd-party utility software from automatically being installed under the context of the SYSTEM account."
+    rationale: "Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic 3rd-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Installation\\Prevent device metadata retrieval from the Internet. Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates, or with the Group Policy template DeviceSetup.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork -> 1'
+
+  - id: 15733
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'."
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.14.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["5.1.1"]
+      - nist_800_53: ["SI.3"]
+      - tsc: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  - id: 15734
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'."
+    description: 'The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked).'
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  - id: 15735
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'."
+    description: 'The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked).'
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.3"]
+      - pci_dss: ["11.5.1"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  - id: 15736
+    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'."
+    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled."
+    rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+  - id: 15737
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'."
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy. Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.21.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+
+  - id: 15738
+    title: "Ensure 'Turn off access to the Store' is set to 'Enabled'."
+    description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
+    rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
+
+  - id: 15739
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'."
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.2"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  - id: 15740
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'."
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.3"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  - id: 15741
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'."
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  - id: 15742
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  - id: 15743
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  - id: 15744
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'."
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled. Note: This control affects printing over both HTTP and HTTPS."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  - id: 15745
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  - id: 15746
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'."
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  - id: 15747
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled''.'
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.10"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  - id: 15748
+    title: 'Ensure''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled''.'
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.11"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  - id: 15749
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.12"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  - id: 15750
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  - id: 15751
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'."
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.14"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+  - id: 15752
+    title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'."
+    description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
+    rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.25.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+  - id: 15753
+    title: "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'."
+    description: "This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Enabled: Block All. Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher, and also requires a UEFI BIOS to function. Note #2: More information on this feature is available at this link: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) | Microsoft Docs."
+    rationale: "Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by the peripheral."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block All: Computer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA Protection\\Enumeration policy for external devices incompatible with Kernel DMA Protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.26.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy -> 0'
+
+  - id: 15754
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'."
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  - id: 15755
+    title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'."
+    description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+  - id: 15756
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  - id: 15757
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'."
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.3"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  - id: 15758
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'."
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  - id: 15759
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  - id: 15760
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  - id: 15761
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.8.28.7"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  - id: 15762
+    title: "Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'."
+    description: "This setting determines whether Clipboard contents can be synchronized across devices. The recommended state for this setting is: Disabled."
+    rationale: "In high security environments, clipboard data should stay local to the system and not synced across devices, as it may contain very sensitive information that must be contained locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow Clipboard synchronization across devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.31.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard -> 0'
+
+  - id: 15763
+    title: "Ensure 'Allow upload of User Activities' is set to 'Disabled'."
+    description: "This policy setting determines whether published User Activities can be uploaded to the cloud. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow upload of User Activities. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.31.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities -> 0'
+
+  - id: 15764
+    title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.1"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+  - id: 15765
+    title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.2"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+  - id: 15766
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.5"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  - id: 15767
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.6"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  - id: 15768
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  - id: 15769
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  - id: 15770
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'."
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.37.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  - id: 15771
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'."
+    description: 'This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'' Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated.'
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.37.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  - id: 15772
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'."
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.48.5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  - id: 15773
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'."
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.48.11.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  - id: 15774
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'."
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.50.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  - id: 15775
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.53.1.1"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  - id: 15776
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'."
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.53.1.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  - id: 15777
+    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'."
+    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
+    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.1"]
+      - cis_csc: ["3.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+  - id: 15778
+    title: "Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'."
+    description: "This setting manages non-Administrator users' ability to install Windows app packages. The recommended state for this setting is: Enabled."
+    rationale: "In a corporate managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Prevent non-admin users from installing packaged Windows apps. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 Release 2004 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall -> 1'
+
+  - id: 15779
+    title: "Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'."
+    description: "This policy setting specifies whether Windows apps can be activated by voice (apps and Cortana) while the system is locked. The recommended state for this setting is: Enabled: Force Deny."
+    rationale: "Access to any computer resource should not be allowed when the device is locked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Deny: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Privacy\\Let Windows apps activate with voice while the system is locked. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppPrivacy.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock -> 2'
+
+  - id: 15780
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'."
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.6.1"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  - id: 15781
+    title: "Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'."
+    description: "This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
+    rationale: "Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #3: In older Microsoft Windows Administrative Templates, this setting was initially named Block launching Windows Store apps with Windows Runtime API access from hosted content., but it was renamed starting with the Windows 10 Release 1803 Administrative Templates"
+    compliance:
+      - cis: ["18.9.6.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
+
+  - id: 15782
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.1"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  - id: 15783
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'."
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.2"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  - id: 15784
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'."
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay. Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.8.3"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  - id: 15785
+    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'."
+    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled."
+    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.10.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+  - id: 15786
+    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'."
+    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
+    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.12.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+  - id: 15787
+    title: "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'."
+    description: "This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud consumer account state content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent -> 1'
+
+  - id: 15788
+    title: "Ensure 'Turn off cloud optimized content' is set to 'Enabled'."
+    description: "This policy setting turns off cloud optimized content in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud optimized content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 20H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent -> 1'
+
+  - id: 15789
+    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'."
+    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
+    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+  - id: 15790
+    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'."
+    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always."
+    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates."
+    compliance:
+      - cis: ["18.9.15.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> r:^1$|^2$'
+
+  - id: 15791
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'."
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  - id: 15792
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'."
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation. Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.16.2"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  - id: 15793
+    title: "Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'."
+    description: "This policy setting controls whether security questions can be used to reset local account passwords. The security question feature does not apply to domain accounts, only local accounts on the workstation. The recommended state for this setting is: Enabled."
+    rationale: "Users could establish security questions that are easily guessed or sleuthed by observing the user’s social media accounts, making it easier for a malicious actor to change the local user account password and gain access to the computer as that user account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Prevent the use of security questions for local accounts. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions -> 1'
+
+  - id: 15794
+    title: "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'."
+    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise,  Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the  Settings app. - A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit  Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM"
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Diagnostic Data. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.17.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
+
+  - id: 15795
+    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'."
+    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+  - id: 15796
+    title: "Ensure 'Disable OneSettings Downloads' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled."
+    rationale: "Sending data to a 3rd party vendor is a security concern and should only be done on an as-needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable OneSettings Downloads. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads -> 1'
+
+  - id: 15797
+    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'."
+    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled."
+    rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+  - id: 15798
+    title: "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog. The recommended state for this setting is: Enabled."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Enable OneSettings Auditing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing -> 1'
+
+  - id: 15799
+    title: "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'."
+    description: "This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended)or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a 3rd-party vendor is a security concern and should only be done on an as-needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Diagnostic Log Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection -> 1'
+
+  - id: 15800
+    title: "Ensure 'Limit Dump Collection' is set to 'Enabled'."
+    description: "This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. Note: Dumps are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Dump Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection -> 1'
+
+  - id: 15801
+    title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows 10 Pro or Windows 10 Enterprise, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ‘Manage preview builds’). We have kept this setting in the benchmark to ensure that any older builds of Windows 10 in the environment are still enforced.'
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.8"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+  - id: 15802
+    title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'."
+    description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported: - 0 = HTTP only, no peering. - 1 = HTTP blended with peering behind the same NAT. - 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 = HTTP blended with Internet Peering. - 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead. The recommended state for this setting is any value EXCEPT: Enabled: Internet (3). Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet (3), so on other SKUs, be sure to set this to a different value."
+    rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet (3): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.18.1"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
+
+  - id: 15803
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.1.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  - id: 15804
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.1.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15805
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.2.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  - id: 15806
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.2.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  - id: 15807
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.3.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  - id: 15808
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.3.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15809
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.4.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  - id: 15810
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.4.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15811
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'."
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug- in/software."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.31.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  - id: 15812
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'."
+    description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled."
+    rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption. Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.31.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  - id: 15813
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'."
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode. Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.31.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  - id: 15814
+    title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'."
+    description: "By default, users can add their computer to a HomeGroup on a home network. The recommended state for this setting is: Enabled. Note: The HomeGroup feature is available in all workstation releases of Windows from Windows 7 through Windows 10 Release 1709. Microsoft removed the feature completely starting with Windows 10 Release 1803. However, if your environment still contains any Windows 10 Release 1709 (or older) workstations, then this setting remains important to disable HomeGroup on those systems."
+    rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sharing.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.36.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
+
+  - id: 15815
+    title: "Ensure 'Turn off location' is set to 'Enabled'."
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.41.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  - id: 15816
+    title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'."
+    description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.45.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+  - id: 15817
+    title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'."
+    description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.1"]
+      - cis_csc: ["5.3"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+  - id: 15818
+    title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. This setting can only be set by Group Policy. The recommended state for this setting is: Disabled."
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.4.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  - id: 15819
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.4.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+
+  - id: 15820
+    title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'."
+    description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: Enabled."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
+  - id: 15821
+    title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured."
+    description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) e6db77e5-3df2-4cf1-b95a-636979351e5b - 1 (Block persistence through WMI event subscription) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs"
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d, d4f940ab-401b-4efc-aadc-ad5f3c50688a, and e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.1.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
+
+  - id: 15822
+    title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'."
+    description: "This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block."
+    rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.3.1"]
+      - cis_csc: ["9.3", "10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+  - id: 15823
+    title: "Ensure 'Enable file hash computation feature' is set to 'Enabled'."
+    description: "This setting determines whether hash values are computed for files scanned by Microsoft Defender. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.6.1"]
+      - cis_csc: ["10.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation -> 1'
+
+  - id: 15824
+    title: "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
+    description: "This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all downloaded files and attachments. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection -> 0'
+
+  - id: 15825
+    title: "Ensure 'Turn off real-time protection' is set to 'Disabled'."
+    description: "This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-time protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0'
+
+  - id: 15826
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'."
+    description: "This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.3"]
+      - cis_csc: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0'
+
+  - id: 15827
+    title: "Ensure 'Turn on script scanning' is set to 'Enabled'."
+    description: "This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.4"]
+      - cis_csc: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning -> 0'
+
+  - id: 15828
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'."
+    description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Reporting\\Configure Watson events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.11.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  - id: 15829
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Scan removable drives. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.12.1"]
+      - cis_csc: ["10.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  - id: 15830
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'."
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Microsoft Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.12.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  - id: 15831
+    title: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'."
+    description: "This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications, that can deliver adware or malware. The recommended state for this setting is: Enabled: Block. For more information, see this link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs"
+    rationale: "Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Configure detection for potentially unwanted applications. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.15"]
+      - cis_csc: ["2.5", "10.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'
+
+  - id: 15832
+    title: "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'."
+    description: "This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Microsoft Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Turn off Microsoft Defender AntiVirus. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed to Windows Defender Antivirus starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Turn off Microsoft Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates."
+    compliance:
+      - cis: ["18.9.47.16"]
+      - cis_csc: ["10.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
+
+  - id: 15833
+    title: "Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'."
+    description: "This policy setting specifies whether the news and interests feature is allowed on the device. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, apps and features such as news and interests on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft. In addition, the app may display inappropriate news and interests within the feed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\News and interests\\Enable news and interests on the taskbar. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Feeds.admx/adml that is included with the Microsoft Windows 10 Release 21H1 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.57.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds -> 0'
+
+  - id: 15834
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'."
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a workstation, not just the one supplied with Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  - id: 15835
+    title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'."
+    description: "This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.64.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
+  - id: 15836
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'."
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.2.2"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  - id: 15837
+    title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'."
+    description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
+    rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was finally renamed (again) to Allow users to connect remotely by using Remote Desktop Services starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.2.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
+
+  - id: 15838
+    title: "Ensure 'Allow UI Automation redirection' is set to 'Disabled'."
+    description: "This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computers Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session. The recommended state for this setting is: Disabled. Note: Remote Desktop sessions dont currently support UI Automation redirection."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for UI Automation redirection within a Remote Desktop session is rare, and not supported at this time, but it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Allow UI Automation redirection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.65.3.3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection -> 0'
+
+  - id: 15839
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  - id: 15840
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'."
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  - id: 15841
+    title: "Ensure 'Do not allow location redirection' is set to 'Enabled'."
+    description: "This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for location data redirection within a Remote Desktop session is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow location redirection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.65.3.3.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir -> 1'
+
+  - id: 15842
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  - id: 15843
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'."
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.6"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  - id: 15844
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'."
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  - id: 15845
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.2"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  - id: 15846
+    title: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'."
+    description: "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. The recommended state for this setting is: Enabled: SSL. Note: In spite of this setting being labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol."
+    rationale: "The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: SSL: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require use of specific security layer for remote (RDP) connections. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.3"]
+      - cis_csc: ["3.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 2'
+
+  - id: 15847
+    title: "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. The recommended state for this setting is: Enabled."
+    rationale: "Requiring that user authentication occur earlier in the remote connection process enhances security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require user authentication for remote connections by using Network Level Authentication. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was initially named Require user authentication using RDP 6.0 for remote connections, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.4"]
+      - cis_csc: ["3.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1'
+
+  - id: 15848
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'."
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.5"]
+      - cis_csc: ["3.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  - id: 15849
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'."
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0)."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less, but not Never (0): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.10.1"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/766
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0'
+
+  - id: 15850
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'."
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.10.2"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  - id: 15851
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'."
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.11.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  - id: 15852
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures. Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.66.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  - id: 15853
+    title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'."
+    description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+  - id: 15854
+    title: "Ensure 'Allow Cortana' is set to 'Disabled'."
+    description: "This policy setting specifies whether Cortana is allowed on the device. The recommended state for this setting is: Disabled."
+    rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.3"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
+
+  - id: 15855
+    title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'."
+    description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. The recommended state for this setting is: Disabled."
+    rationale: "Access to any computer resource should not be allowed when the device is locked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
+
+  - id: 15856
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'."
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files. Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.67.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  - id: 15857
+    title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'."
+    description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
+
+  - id: 15858
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'."
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.72.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  - id: 15859
+    title: "Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'."
+    description: "This setting configures the launch of all apps from the Microsoft Store that came pre- installed or were downloaded. The recommended state for this setting is: Disabled. Note: This policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions. Note #2: The name of this setting and the Enabled/Disabled values are incorrectly worded - logically, the title implies that configuring it to Enabled will disable all apps from the Microsoft Store, and configuring it to Disabled will enable all apps from the Microsoft Store. The opposite is true (and is consistent with the GPME help text). This is a logical wording mistake by Microsoft in the Administrative Template."
+    rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Disable all apps from Microsoft Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable all apps from Windows Store, but it was renamed starting with the Windows 10 Release 1803 Administrative Templates."
+    compliance:
+      - cis: ["18.9.75.1"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1'
+
+  - id: 15860
+    title: "Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'."
+    description: "This policy setting denies access to the retail catalog in the Microsoft Store, but displays the private store. The recommended state for this setting is: Enabled."
+    rationale: "Allowing the private store will allow an organization to control the apps that users have access to add to a system. This will help ensure that unapproved malicious apps are not running on a system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Only display the private store within the Microsoft Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1607 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Only display the private store within the Windows Store app, but it was renamed starting with the Windows 10 Release 1803 Administrative Templates."
+    compliance:
+      - cis: ["18.9.75.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly -> 1'
+
+  - id: 15861
+    title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'."
+    description: "This setting enables or disables the automatic download and installation of Microsoft Store app updates. The recommended state for this setting is: Disabled."
+    rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.3"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
+
+  - id: 15862
+    title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'."
+    description: "Enables or disables the Microsoft Store offer to update to the latest version of Windows. The recommended state for this setting is: Enabled."
+    rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.4"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
+
+  - id: 15863
+    title: "Ensure 'Turn off the Store application' is set to 'Enabled'."
+    description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
+    rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.5"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
+      - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
+
+  - id: 15864
+    title: "Ensure 'Allow widgets' is set to 'Disabled'."
+    description: "This policy setting specifies whether the widgets feature is allowed on the device. The widgets feature provides information such as, weather, news, sports, stocks, traffic, and entertainment (not an inclusive list). The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, apps and features such as widgets on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Widgets\\Allow Widgets. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NewsAndInterests.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.81.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests -> 0'
+
+  - id: 15865
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'."
+    description: "This policy setting allows you to manage the behavior of Windows Defender SmartScreen. Windows Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+  - id: 15866
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'."
+    description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. The recommended state for this setting is: Enabled."
+    rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 RTM (Release 1507) Administrative Templates, this setting was initially named Allows you to configure SmartScreen. In the Microsoft Windows 10 Release 1511 Administrative Templates, it was renamed to Turn off the SmartScreen Filter. In the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates, it was renamed (again) to Configure SmartScreen Filter. Finally, it was given its current name of Configure Windows Defender SmartScreen starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
+
+  - id: 15867
+    title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'."
+    description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. The recommended state for this setting is: Enabled."
+    rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was initially named Don't allow SmartScreen Filter warning overrides. In the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was renamed to Prevent bypassing SmartScreen prompts for sites. Finally, it was given its current name of Prevent bypassing Windows Defender SmartScreen prompts for sites starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
+
+  - id: 15868
+    title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'."
+    description: "This setting enables or disables the Windows Game Recording and Broadcasting features. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is allowed, users could record and broadcast session info to external sites, which is both a risk of accidentally exposing sensitive company data (on-screen) outside the company as well as a privacy concern."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GameDVR.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.87.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
+
+  - id: 15869
+    title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'."
+    description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
+    rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.89.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+  - id: 15870
+    title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'."
+    description: "This policy setting determines whether Windows Ink items are allowed above the lock screen. The recommended state for this setting is: Enabled: On, but disallow access above lock OR Disabled."
+    rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.89.2"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
+
+  - id: 15871
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'."
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.1"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  - id: 15872
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'."
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.2"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  - id: 15873
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'."
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.3"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  - id: 15874
+    title: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'."
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in and lock last interactive user automatically after a restart. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Sign-in last interactive user automatically after a system-initiated restart, but it was renamed starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.9.91.1"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  - id: 15875
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'."
+    description: "This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark."
+    rationale: "Logs of PowerShell script input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.100.1"]
+      - cis_csc: ["8.8"]
+      - pci_dss: ["12.3.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 1'
+
+  - id: 15876
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'."
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.100.2"]
+      - pci_dss: ["12.3.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
+
+  - id: 15877
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled. Note: Clients that use Microsoft's Exchange Online service (Office 365) will require an exception to this recommendation, to instead have this setting set to Enabled. Exchange Online uses Basic authentication over HTTPS, and so the Exchange Online authentication traffic will still be safely encrypted."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  - id: 15878
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.2"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  - id: 15879
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  - id: 15880
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  - id: 15881
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  - id: 15882
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  - id: 15883
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.102.2.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  - id: 15884
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'."
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.103.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  - id: 15885
+    title: "Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'."
+    description: 'This policy setting enables or disables clipboard sharing with the Windows sandbox. The recommended state for this setting is: Disabled. Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and allows a temporary "clean install" virtual instance of Windows to be run inside the host, for the ostensible purpose of testing applications without making changes to the host.'
+    rationale: "Disabling copy and paste decreases the attack surface exposed by the Windows Sandbox and possible exposure of untrusted applications to the internal network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Sandbox\\Allow clipboard sharing with Windows Sandbox. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.104.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection -> 0'
+
+  - id: 15886
+    title: "Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'."
+    description: 'This policy setting enables or disables networking in the Windows Sandbox. Networking is achieved by creating a virtual switch on the host, and connecting the Windows Sandbox to it via a virtual Network Interface Card (NIC). The recommended state for this setting is: Disabled. Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and allows a temporary "clean install" virtual instance of Windows to be run inside the host, for the ostensible purpose of testing applications without making changes to the host.'
+    rationale: "Disabling network access decreases the attack surface exposed by the Windows Sandbox and exposure of untrusted applications to the internal network. Note: Per Microsoft, enabling networking in the Windows Sandbox can expose untrusted applications to the internal network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Sandbox\\Allow networking in Windows Sandbox. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.104.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking -> 0'
+
+  - id: 15887
+    title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'."
+    description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled."
+    rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Security\\App and browser protection\\Prevent users from modifying settings. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.105.2.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+  - id: 15888
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'."
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Legacy Policies\\No auto-restart with logged on users for scheduled automatic updates installations. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.1.1"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+
+  - id: 15889
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'."
+    description: 'This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process.'
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.2.1"]
+      - cis_csc: ["7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  - id: 15890
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'."
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates'. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates: Scheduled install day. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.2.2"]
+      - cis_csc: ["7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 4'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  - id: 15891
+    title: 'Ensure ''Remove access to "Pause updates" feature'' is set to ''Enabled''.'
+    description: 'This policy removes access to "Pause updates" feature. The recommended state for this setting is: Enabled.'
+    rationale: "In order to ensure security and system updates are applied, system administrators should control when updates are applied to systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Remove access to \"Pause updates\" feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.2.3"]
+      - cis_csc: ["7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> SetDisablePauseUXAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> SetDisablePauseUXAccess -> 1'
+
+  - id: 15892
+    title: "Ensure 'Manage preview builds' is set to 'Disabled'."
+    description: "This policy setting manage which updates that are receive prior to the update being released. Dev Channel: Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release. Beta Channel: Ideal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release. Release Preview Channel (default): Insiders in the Release Preview Channel will have access to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before broad deployment within their organization. The recommended state for this setting is: Disabled. Note: Preview Build enrollment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview Builds, see: https://aka.ms/wipforbiz"
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Manage preview builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.4.1"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 1'
+
+  - id: 15893
+    title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'."
+    description: 'This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.'
+    rationale: "In a production environment, it is preferred to only use software and features that are publicly available, after they have gone through rigorous testing in beta."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.4.2"]
+      - cis_csc: ["2.5", "7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+
+  - id: 15894
+    title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'."
+    description: 'This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog'
+    rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.4.3"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
diff --git a/etc/ruleset/sca/windows/cis_win11_enterprise.yml b/etc/ruleset/sca/windows/cis_win11_enterprise.yml
new file mode 100644
index 0000000000..a773eee4ea
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win11_enterprise.yml
@@ -0,0 +1,6115 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 11 Enterprise
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark v1.0.0 for Microsoft Windows 11 Release 21H2 - 02-14-2022
+
+policy:
+  id: "cis_win11_enterprise_21H2"
+  file: "cis_win11_enterprise.yml"
+  name: "CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows 11"
+  description: "Requirements for running the CIS benchmark Domain Controller under Windows 11"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
+
+checks:
+  # 1.1 Password Policy
+  - id: 26000
+    title: "Ensure 'Enforce password history' is set to '24 or more password(s)'."
+    description: "This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs"
+    rationale: "The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Enforce password history"
+    compliance:
+      - cis: ["1.1.1"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24'
+
+  - id: 26001
+    title: "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare <= 365'
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0'
+
+  - id: 26002
+    title: "Ensure 'Minimum password age' is set to '1 or more day(s)'."
+    description: "This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s)). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual's user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password age \(days\):\s+(\d+) compare >= 1'
+
+  - id: 26003
+    title: "Ensure 'Minimum password length' is set to '14 or more character(s)'."
+    description: "This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password length:\s+(\d+) compare >= 14'
+
+  - id: 26004
+    title: "Ensure 'Password must meet complexity requirements' is set to 'Enabled'."
+    description: "This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) o A catch-all category of any Unicode character that does not fall under the    previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as '!'' or '@''. Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements"
+    compliance:
+      - cis: ["1.1.5"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'c:powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser -> r:ComplexityEnabled\s+: True'
+
+  - id: 26005
+    title: "Ensure 'Relax minimum password length limits' is set to 'Enabled'."
+    description: "This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following Microsoft Security Blog. The recommended state for this setting is: Enabled. Note: This setting only affects local accounts on the computer. Domain accounts are only affected by settings on the Domain Controllers, because that is where domain accounts are stored."
+    rationale: "This setting will enable the enforcement of longer and generally stronger passwords or passphrases where MFA is not in use."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Relax minimum password length limits. Note: This setting is only available within the built-in OS security template of Windows 10 Release 2004 and Server 2022 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you must use a Windows 10 Release 2004 or Server 2022 system (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME)."
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc: ["5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits -> 1'
+
+  - id: 26006
+    title: "Ensure 'Account lockout duration' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration"
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout duration \(minutes\):\s+(\d+) compare >= 15'
+
+  - id: 26007
+    title: "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'."
+    description: "This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold"
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare > 0'
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare <= 5'
+
+  - id: 26008
+    title: "Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after"
+    compliance:
+      - cis: ["1.2.3"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout observation window \(minutes\):\s+(\d+) compare >= 15'
+
+  - id: 26009
+    title: "Ensure 'Accounts: Administrator account status' is set to 'Disabled'."
+    description: "This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings. The recommended state for this setting is: Disabled."
+    rationale: "In some organizations, it can be a daunting management challenge to maintain a regular schedule for periodic password changes for local accounts. Therefore, you may want to disable the built-in Administrator account instead of relying on regular password changes to protect it from attack. Another reason to disable this built-in account is that it cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID) and there are third-party tools that allow authentication by using the SID rather than the account name. This capability means that even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Administrator account status"
+    compliance:
+      - cis: ["2.3.1.1"]
+      - cis_csc: ["4.7"]
+    condition: any
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+      - "c:net user administrator -> r:The user name could not be found."
+
+  - id: 26010
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'."
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
+    compliance:
+      - cis: ["2.3.1.2"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  - id: 26011
+    title: "Ensure 'Accounts: Guest account status' is set to 'Disabled'."
+    description: "This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings."
+    rationale: "The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Guest account status"
+    compliance:
+      - cis: ["2.3.1.3"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - 'c:net user guest -> r:Account active\s+No'
+
+  - id: 26012
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'."
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
+    compliance:
+      - cis: ["2.3.1.4"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  - id: 26013
+    title: "Configure 'Accounts: Rename administrator account'."
+    description: "The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console)."
+    rationale: "The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename administrator account"
+    compliance:
+      - cis: ["2.3.1.5"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - "c:net user administrator -> r:The user name could not be found."
+
+  - id: 26014
+    title: "Configure 'Accounts: Rename guest account'."
+    description: "The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security."
+    rationale: "The Guest account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename guest account"
+    compliance:
+      - cis: ["2.3.1.6"]
+      - cis_csc: ["4.7"]
+    condition: all
+    rules:
+      - "c:net user guest -> r:The user name could not be found."
+
+  - id: 26015
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. Important: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc: ["8.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  - id: 26016
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'."
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  - id: 26017
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'."
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+    compliance:
+      - cis: ["2.3.4.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 2'
+
+  - id: 26018
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+    compliance:
+      - cis: ["2.3.4.2"]
+      - pci_dss: ["2.2.4", "2.2.5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3", "CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  - id: 26019
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  - id: 26020
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  - id: 26021
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
+    compliance:
+      - cis: ["2.3.6.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  - id: 26022
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'."
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+    compliance:
+      - cis: ["2.3.6.4"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  - id: 26023
+    title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'."
+    description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Maximum machine account password age"
+    compliance:
+      - cis: ["2.3.6.5"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare <= 30'
+      - 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare > 0'
+
+  - id: 26024
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'."
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+    compliance:
+      - cis: ["2.3.6.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  - id: 26025
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'."
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+    compliance:
+      - cis: ["2.3.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  - id: 26026
+    title: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'."
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in. Note: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows 10 Release 1703."
+    compliance:
+      - cis: ["2.3.7.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  - id: 26027
+    title: "Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'."
+    description: "This security setting determines the number of failed logon attempts that causes the machine to be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. The recommended state for this setting is: 10 or fewer invalid logon attempts, but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine account lockout threshold. Values from 1 to 3 will be interpreted as 4."
+    rationale: "If a machine is lost or stolen, or if an insider threat attempts a brute force password attack against the computer, it is important to ensure that BitLocker will lock the computer and therefore prevent a successful attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid logon attempts, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine account lockout threshold"
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc: ["4.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> MaxDevicePasswordFailedAttempts -> n:^(\d+) compare <=30'
+
+  - id: 26028
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'."
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
+    compliance:
+      - cis: ["2.3.7.4"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  - id: 26029
+    title: "Configure 'Interactive logon: Message text for users attempting to log on'."
+    description: "This policy setting specifies a text message that displays to users when they log on. Set the following group policy to a value that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Note: Any warning that you display should first be approved by your organization's legal and human resources representatives."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message text for users attempting to log on"
+    compliance:
+      - cis: ["2.3.7.5"]
+    condition: all
+    rules:
+      - 'not c:reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticetext -> r:\s+legalnoticetext\s+REG_SZ\s+$'
+
+  - id: 26030
+    title: "Configure 'Interactive logon: Message title for users attempting to log on'."
+    description: "This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message title for users attempting to log on"
+    compliance:
+      - cis: ["2.3.7.6"]
+    condition: all
+    rules:
+      - 'not c:reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticecaption -> r:\s+legalnoticecaption\s+REG_SZ\s+$'
+
+  - id: 26031
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'."
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+    compliance:
+      - cis: ["2.3.7.7"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
+
+  - id: 26032
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'."
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+    compliance:
+      - cis: ["2.3.7.8"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  - id: 26033
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher."
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
+
+  - id: 26034
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
+    description: 'This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled.'
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
+    compliance:
+      - cis: ["2.3.8.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 26035
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
+    compliance:
+      - cis: ["2.3.8.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 26036
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'."
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+  - id: 26037
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'."
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s)."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  - id: 26038
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
+    compliance:
+      - cis: ["2.3.9.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 26039
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
+    compliance:
+      - cis: ["2.3.9.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 26040
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'."
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  - id: 26041
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
+    compliance:
+      - cis: ["2.3.9.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+  - id: 26042
+    title: "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
+    description: "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled."
+    rationale: "If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Allow anonymous SID/Name translation"
+    compliance:
+      - cis: ["2.3.10.1"]
+    condition: all
+    rules:
+      - 'c:powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" -> r:0'
+
+  - id: 26043
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'."
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+    compliance:
+      - cis: ["2.3.10.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  - id: 26044
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'."
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
+    compliance:
+      - cis: ["2.3.10.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  - id: 26045
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+    compliance:
+      - cis: ["2.3.10.4"]
+      - pci_dss: ["3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  - id: 26046
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'."
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+    compliance:
+      - cis: ["2.3.10.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  - id: 26047
+    title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
+    compliance:
+      - cis: ["2.3.10.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S+'
+
+  - id: 26048
+    title: "Ensure 'Network access: Remotely accessible registry paths' is configured."
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub-paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion"
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    remediation: >
+      To establish the recommended configuration via GP, in the following UI path:
+      Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths."
+      Set these values:
+      -"System\\CurrentControlSet\\Control\\ProductOptions"
+      -"System\\CurrentControlSet\\Control\\Server Applications"
+      -"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
+    compliance:
+      - cis: ["2.3.10.7"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+  - id: 26049
+    title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured."
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    remediation: >
+      To establish the recommended configuration via GP, in the following UI path:
+      Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths
+      Set the following values:
+      -"System\\CurrentControlSet\\Control\\Print\\Printers"
+      -"System\\CurrentControlSet\\Services\\Eventlog"
+      -"SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print"
+      -"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex"
+      -"System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig"
+      -"System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration"
+      -"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
+
+    compliance:
+      - cis: ["2.3.10.8"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\Eventlog'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\OLAP Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ContentIndex'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\SysmonLog'
+
+  - id: 26050
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'."
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+    compliance:
+      - cis: ["2.3.10.9"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  - id: 26051
+    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'."
+    description: 'This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note #2: If your organization is using Azure Advanced Threat Protection (APT), the service account, "AATP Service" will need to be added to the recommendation configuration. For more information on adding the "AATP Service" account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.'
+    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
+    compliance:
+      - cis: ["2.3.10.10"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
+
+  - id: 26052
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+    compliance:
+      - cis: ["2.3.10.11"]
+      - cis_csc: ["3.3"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> \S+'
+
+  - id: 26053
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'."
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+    compliance:
+      - cis: ["2.3.10.12"]
+      - pci_dss: ["7.1.3"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  # 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+  - id: 26054
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'."
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+    compliance:
+      - cis: ["2.3.11.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> UseMachineId'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  # 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
+  - id: 26055
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'."
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+    compliance:
+      - cis: ["2.3.11.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  # 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+  - id: 26056
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'."
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+    compliance:
+      - cis: ["2.3.11.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  # 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+  - id: 26057
+    title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it."
+    rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'
+
+  # 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+  - id: 26058
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'."
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  # 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
+  - id: 26059
+    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'."
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled."
+    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+    compliance:
+      - cis: ["2.3.11.6"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+  - id: 26060
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'."
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  # 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
+  - id: 26061
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher."
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'
+
+  # 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 26062
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+  # 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 26063
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/288
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  - id: 26064
+    title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher."
+    description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark."
+    rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
+    compliance:
+      - cis: ["2.3.14.1"]
+      - cis_csc: ["3.11"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:(\d+) compare > 0'
+
+  # 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
+  - id: 26065
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'."
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non-Windows subsystems"
+    compliance:
+      - cis: ["2.3.15.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  # 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+  - id: 26066
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'."
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+    compliance:
+      - cis: ["2.3.15.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  # 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+  - id: 26067
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+    compliance:
+      - cis: ["2.3.17.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  - id: 26068
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'."
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+    compliance:
+      - cis: ["2.3.17.2"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
+
+  - id: 26069
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+    compliance:
+      - cis: ["2.3.17.3"]
+      - pci_dss: ["7.1.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  - id: 26070
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+    compliance:
+      - cis: ["2.3.17.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  - id: 26071
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'."
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\\Program Files\\, including subfolders  - ...\\Windows\\system32\\; - ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+    compliance:
+      - cis: ["2.3.17.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  - id: 26072
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+    compliance:
+      - cis: ["2.3.17.6"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  - id: 26073
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'."
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+    compliance:
+      - cis: ["2.3.17.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  - id: 26074
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'."
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %windir% - %windir%\\System32 - HKEY_LOCAL_MACHINE\\SOFTWARE. The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
+    compliance:
+      - cis: ["2.3.17.8"]
+      - pci_dss: ["6.5.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  - id: 26075
+    title: "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'."
+    description: "Service supporting the audio gateway role of the Bluetooth Handsfree Profile. The recommended state for this setting is: Disabled."
+    rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Audio Gateway Service. Note: This service was first introduced in Windows 10 Release 1803. It appears to have replaced the older Bluetooth Handsfree Service (BthHFSrv), which was removed from Windows in that release (it is not simply a rename, but a different service)."
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService -> Start -> 4'
+
+  - id: 26076
+    title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
+    description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled."
+    rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
+
+  - id: 26077
+    title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'."
+    description: "Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps."
+    rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
+    compliance:
+      - cis: ["5.4"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4'
+
+  - id: 26078
+    title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'."
+    description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
+    compliance:
+      - cis: ["5.5"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4'
+
+  - id: 26079
+    title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+    rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
+    compliance:
+      - cis: ["5.6"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4'
+
+  - id: 26080
+    title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'."
+    description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled or Not Installed."
+    rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic 'file transfer application' functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
+    compliance:
+      - cis: ["5.7"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
+
+  - id: 26081
+    title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'."
+    description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled."
+    rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to 'share' their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
+    compliance:
+      - cis: ["5.8"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
+
+  - id: 26082
+    title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'."
+    description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled."
+    rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
+    compliance:
+      - cis: ["5.9"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4'
+
+  - id: 26083
+    title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'."
+    description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)."
+    rationale: "The Linux Subsystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
+    compliance:
+      - cis: ["5.10"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4'
+
+  - id: 26084
+    title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables the server to be a File Transfer Protocol (FTP) server. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - FTP Server)."
+    rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
+    compliance:
+      - cis: ["5.11"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4'
+
+  - id: 26085
+    title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'."
+    description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled."
+    rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
+    compliance:
+      - cis: ["5.12"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4'
+
+  - id: 26086
+    title: "Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'."
+    description: "SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server)."
+    rationale: "Hosting an SSH server from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any SSH server application installed on a workstation, not just the one supplied with Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\OpenSSH SSH Server"
+    compliance:
+      - cis: ["5.13"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd -> Start -> 4'
+
+  - id: 26087
+    title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'."
+    description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
+    compliance:
+      - cis: ["5.14"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4'
+
+  - id: 26088
+    title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'."
+    description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
+    compliance:
+      - cis: ["5.15"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4'
+
+  - id: 26089
+    title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'."
+    description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
+    compliance:
+      - cis: ["5.16"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4'
+
+  - id: 26090
+    title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'."
+    description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled."
+    rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
+    compliance:
+      - cis: ["5.17"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4'
+
+  - id: 26091
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled'."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled. Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler"
+    compliance:
+      - cis: ["5.18"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  - id: 26092
+    title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'."
+    description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled."
+    rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
+    compliance:
+      - cis: ["5.19"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4'
+
+  - id: 26093
+    title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'."
+    description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. The recommended state for this setting is: Disabled."
+    rationale: "The function of this service is to provide a 'demand dial' type of functionality. In a high security environment, it is preferred that any remote 'dial' connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
+    compliance:
+      - cis: ["5.20"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4'
+
+  - id: 26094
+    title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'."
+    description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
+    compliance:
+      - cis: ["5.21"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4'
+
+  - id: 26095
+    title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'."
+    description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
+    compliance:
+      - cis: ["5.22"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4'
+
+  - id: 26096
+    title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'."
+    description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled."
+    rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
+    compliance:
+      - cis: ["5.23"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4'
+
+  - id: 26097
+    title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'."
+    description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled."
+    rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
+    compliance:
+      - cis: ["5.24"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
+
+  - id: 26098
+    title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'."
+    description: "Enables remote users to view and modify registry settings on this computer. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
+    compliance:
+      - cis: ["5.25"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4'
+
+  - id: 26099
+    title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'."
+    description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled."
+    rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
+    compliance:
+      - cis: ["5.26"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
+
+  - id: 26100
+    title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'."
+    description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
+    compliance:
+      - cis: ["5.27"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4'
+
+  - id: 26101
+    title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'."
+    description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))."
+    rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
+    compliance:
+      - cis: ["5.28"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4'
+
+  - id: 26102
+    title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'."
+    description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
+    rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
+    compliance:
+      - cis: ["5.29"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'
+
+  - id: 26103
+    title: "Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'."
+    description: "This service allows administrators to remotely access a command prompt using Emergency Management Services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows capability (Windows Emergency Management Services and Serial Console)."
+    rationale: "Allowing the use of a remotely accessible command prompt that provides the ability to perform remote management tasks on a computer is a security risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Special Administration Console Helper"
+    compliance:
+      - cis: ["5.30"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr -> Start -> 4'
+
+  - id: 26104
+    title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'."
+    description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled."
+    rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Note that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
+    compliance:
+      - cis: ["5.31"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
+
+  - id: 26105
+    title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'."
+    description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled."
+    rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
+    compliance:
+      - cis: ["5.32"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
+
+  - id: 26106
+    title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'."
+    description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)."
+    rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
+    compliance:
+      - cis: ["5.33"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
+
+  - id: 26107
+    title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'."
+    description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
+    compliance:
+      - cis: ["5.34"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4'
+
+  - id: 26108
+    title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'."
+    description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
+    compliance:
+      - cis: ["5.35"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4'
+
+  - id: 26109
+    title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'."
+    description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed."
+    rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
+    compliance:
+      - cis: ["5.36"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
+
+  - id: 26110
+    title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'."
+    description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled."
+    rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
+    compliance:
+      - cis: ["5.37"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
+
+  - id: 26111
+    title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'."
+    description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
+    compliance:
+      - cis: ["5.38"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
+
+  - id: 26112
+    title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'."
+    description: "This service manages Apps that are pushed to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Disabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
+    compliance:
+      - cis: ["5.39"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
+
+  - id: 26113
+    title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'."
+    description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
+    rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
+    compliance:
+      - cis: ["5.40"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4'
+
+  - id: 26114
+    title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'."
+    description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+    rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
+    compliance:
+      - cis: ["5.41"]
+      - cis_csc: ["4.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
+
+  - id: 26115
+    title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'."
+    description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
+    compliance:
+      - cis: ["5.42"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
+
+  - id: 26116
+    title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'."
+    description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
+    compliance:
+      - cis: ["5.43"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
+
+  - id: 26117
+    title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'."
+    description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
+    compliance:
+      - cis: ["5.44"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
+
+  - id: 26118
+    title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'."
+    description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled."
+    rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
+    compliance:
+      - cis: ["5.45"]
+      - cis_csc: ["4.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start -> 4'
+
+  - id: 26119
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  - id: 26120
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  - id: 26121
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  - id: 26122
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.1.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  - id: 26123
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  - id: 26124
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 26125
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 26126
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 26127
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  - id: 26128
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  - id: 26129
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  - id: 26130
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.2.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  - id: 26131
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  - id: 26132
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 26133
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 26134
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 26135
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  - id: 26136
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  - id: 26137
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  - id: 26138
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
+    compliance:
+      - cis: ["9.3.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  - id: 26139
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  - id: 26140
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  - id: 26141
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  - id: 26142
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  - id: 26143
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  - id: 26144
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc: ["4.5", "8.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  - id: 26145
+    title: "Ensure 'Audit Credential Validation' is set to 'Success and Failure'."
+    description: "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - 4774: An account was mapped for logon. -  4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Credential Validation"
+    compliance:
+      - cis: ["17.1.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Credential Validation" -> r:Success and Failure'
+
+  - id: 26146
+    title: "Ensure 'Audit Application Group Management' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Application Group Management"
+    compliance:
+      - cis: ["17.2.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Application Group Management" -> r:Success and Failure'
+
+  - id: 26147
+    title: "Ensure 'Audit Security Group Management' is set to include 'Success'."
+    description: "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Security Group Management"
+    compliance:
+      - cis: ["17.2.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security Group Management" -> r:Success'
+
+  - id: 26148
+    title: "Ensure 'Audit User Account Management' is set to 'Success and Failure'."
+    description: "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management"
+    compliance:
+      - cis: ["17.2.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"User Account Management" -> r:Success and Failure'
+
+  - id: 26149
+    title: "Ensure 'Audit PNP Activity' is set to include 'Success'."
+    description: "This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit PNP Activity"
+    compliance:
+      - cis: ["17.3.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Plug and Play Events" -> r:Success'
+
+  - id: 26150
+    title: "Ensure 'Audit Process Creation' is set to include 'Success'."
+    description: "This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit Process Creation"
+    compliance:
+      - cis: ["17.3.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Process Creation" -> r:Success'
+
+  - id: 26151
+    title: "Ensure 'Audit Account Lockout' is set to include 'Failure'."
+    description: "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Account Lockout"
+    compliance:
+      - cis: ["17.5.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Account Lockout" -> r:Failure'
+
+  - id: 26152
+    title: "Ensure 'Audit Group Membership' is set to include 'Success'."
+    description: "This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Group Membership"
+    compliance:
+      - cis: ["17.5.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Group Membership" -> r:Success'
+
+  - id: 26153
+    title: "Ensure 'Audit Logoff' is set to include 'Success'."
+    description: "This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logoff"
+    compliance:
+      - cis: ["17.5.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logoff" -> r:Success'
+
+  - id: 26154
+    title: "Ensure 'Audit Logon' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logon"
+    compliance:
+      - cis: ["17.5.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logon" -> r:Success and Failure'
+
+  - id: 26155
+    title: "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'."
+    description: "This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Other Logon/Logoff Events"
+    compliance:
+      - cis: ["17.5.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Logon/Logoff Events" -> r:Success and Failure'
+
+  - id: 26156
+    title: "Ensure 'Audit Special Logon' is set to include 'Success'."
+    description: "This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Special Logon"
+    compliance:
+      - cis: ["17.5.6"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Special Logon" -> r:Success'
+
+  - id: 26157
+    title: "Ensure 'Audit Detailed File Share' is set to include 'Failure'."
+    description: "This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Detailed File Share"
+    compliance:
+      - cis: ["17.6.1"]
+      - cis_csc: ["3.3", "8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Detailed File Share" -> r:Failure'
+
+  - id: 26158
+    title: "Ensure 'Audit File Share' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited."
+    rationale: "In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit File Share"
+    compliance:
+      - cis: ["17.6.2"]
+      - cis_csc: ["3.3", "8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"File Share" -> r:Success and Failure'
+
+  - id: 26159
+    title: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure."
+    rationale: "The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Other Object Access Events"
+    compliance:
+      - cis: ["17.6.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Object Access Events" -> r:Success and Failure'
+
+  - id: 26160
+    title: "Ensure 'Audit Removable Storage' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Removable Storage"
+    compliance:
+      - cis: ["17.6.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Removable Storage" -> r:Success and Failure'
+
+  - id: 26161
+    title: "Ensure 'Audit Audit Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Audit Policy Change"
+    compliance:
+      - cis: ["17.7.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Audit Policy Change" -> r:Success'
+
+  - id: 26162
+    title: "Ensure 'Audit Authentication Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authentication Policy Change"
+    compliance:
+      - cis: ["17.7.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authentication Policy Change" -> r:Success'
+
+  - id: 26163
+    title: "Ensure 'Audit Authorization Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change"
+    compliance:
+      - cis: ["17.7.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authorization Policy Change" -> r:Success'
+
+  - id: 26164
+    title: "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'."
+    description: "This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure"
+    rationale: "Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit MPSSVC Rule-Level Policy Change"
+    compliance:
+      - cis: ["17.7.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change" -> r:Success and Failure'
+
+  - id: 26165
+    title: "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'."
+    description: "This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure."
+    rationale: "This setting can help detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Other Policy Change Events"
+    compliance:
+      - cis: ["17.7.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Policy Change Events" -> r:Failure'
+
+  - id: 26166
+    title: "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - Impersonate a client after authentication - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Privilege Use\\Audit Sensitive Privilege Use"
+    compliance:
+      - cis: ["17.8.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Sensitive Privilege Use" -> r:Success and Failure'
+
+  - id: 26167
+    title: "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'."
+    description: "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit IPsec Driver"
+    compliance:
+      - cis: ["17.9.1"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"IPsec Driver" -> r:Success and Failure'
+
+  - id: 26168
+    title: "Ensure 'Audit Other System Events' is set to 'Success and Failure'."
+    description: "This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure."
+    rationale: "Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Other System Events"
+    compliance:
+      - cis: ["17.9.2"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other System Events" -> r:Success and Failure'
+
+  - id: 26169
+    title: "Ensure 'Audit Security State Change' is set to include 'Success'."
+    description: "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change"
+    compliance:
+      - cis: ["17.9.3"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security State Change" -> r:Success'
+
+  - id: 26170
+    title: "Ensure 'Audit Security System Extension' is set to include 'Success'."
+    description: "This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security System Extension"
+    compliance:
+      - cis: ["17.9.4"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security System Extension" -> r:Success'
+
+  - id: 26171
+    title: "Ensure 'Audit System Integrity' is set to 'Success and Failure'."
+    description: "This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit System Integrity"
+    compliance:
+      - cis: ["17.9.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"System Integrity" -> r:Success and Failure'
+
+  - id: 26172
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'."
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  - id: 26173
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'."
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+  - id: 26174
+    title: "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'."
+    description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow users to enable online speech recognition services. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow input personalization, but it was renamed to Allow users to enable online speech recognition services starting with the Windows 10 R1809 & Server 2019 Administrative Templates."
+    compliance:
+      - cis: ["18.1.2.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+  - id: 26175
+    title: "Ensure 'Allow Online Tips' is set to 'Disabled'."
+    description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.3"]
+      - pci_dss: ["1.3.4"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
+  - id: 26176
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
+    compliance:
+      - cis: ["18.2.1"]
+      - cis_csc: ["5.2", "5.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  - id: 26177
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.2"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  - id: 26178
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.3"]
+      - cis_csc: ["5.2", "5.4"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  - id: 26179
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.4"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  - id: 26180
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.5"]
+      - cis_csc: ["5.2"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  - id: 26181
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings. Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.6"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  - id: 26182
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'."
+    description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled."
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
+
+  - id: 26183
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'."
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver (recommended). Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  - id: 26184
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  - id: 26185
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  - id: 26186
+    title: "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'."
+    description: "This policy setting controls whether users that aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)."
+    rationale: "Restricting the installation of print drives to Administrators can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Limits print driver installation to Administrators. Note: This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required."
+    compliance:
+      - cis: ["18.3.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators -> 1'
+
+  - id: 26187
+    title: "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node'."
+    description: "This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: The B-node (broadcast) method only uses broadcasts. The P-node (point-to-point) method only uses name queries to a name server (WINS). The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to- point).                 Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\NetBT NodeType configuration. Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.6"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+  - id: 26188
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'."
+    description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled."
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required."
+    compliance:
+      - cis: ["18.3.7"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  - id: 26189
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'."
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see Microsoft Knowledge Base article 324737: How to turn on automatic logon in Windows. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc: ["3.11"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  - id: 26190
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 26191
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 26192
+    title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'."
+    description: 'When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the "Save Password" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled.'
+    rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
+
+  - id: 26193
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'."
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  - id: 26194
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'."
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.6"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  - id: 26195
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'."
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  - id: 26196
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'."
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.8"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  - id: 26197
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'."
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs"
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.9"]
+      - cis_csc: ["2.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  - id: 26198
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'."
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.10"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  - id: 26199
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.11"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 26200
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.12"]
+      - cis_csc: ["4.8"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 26201
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'."
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.4.13"]
+      - pci_dss: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  - id: 26202
+    title: "Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher."
+    description: "This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs. The recommended state for this setting is: Enabled: Allow DoH. Configuring this setting to Enabled: Require DoH also conforms to the benchmark."
+    rationale: "DNS over HTTPS (DoH) helps protect against DNS spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. It can also help prevent man-in-the-middle (MitM) attacks because the session in-between is encrypted."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark): Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Configure DNS over HTTPS (DoH) name resolution. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.1"]
+      - cis_csc: ["3.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy -> r:^2$|^3$'
+
+  - id: 26203
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+  - id: 26204
+    title: "Ensure 'Enable Font Providers' is set to 'Disabled'."
+    description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.5.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+  - id: 26205
+    title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
+    description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
+    rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.8.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+  - id: 26206
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+
+  - id: 26207
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.2"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+
+  - id: 26208
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'."
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2P-pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.10.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  - id: 26209
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."
+    description: "You can use this procedure to control a user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network. Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.2"]
+      - cis_csc: ["12.2"]
+      - pci_dss: ["1.3.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  - id: 26210
+    title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."
+    description: "Although this 'legacy' setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
+    rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network. Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.3"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
+  - id: 26211
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.11.4"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  - id: 26212
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares''.'
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths. Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.14.1"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+
+  - id: 26213
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."
+    description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components removes a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents. Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+    compliance:
+      - cis: ["18.5.19.2.1"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  - id: 26214
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'."
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now. Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.20.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  - id: 26215
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'."
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.20.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  - id: 26216
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'."
+    description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled: 3 = Prevent Wi-Fi when on Ethernet."
+    rationale: "Preventing bridged network connections can help prevent a user unknowingly allowing traffic to route between internal and external networks, which risks exposure to sensitive internal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3 = Prevent Wi-Fi when on Ethernet: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates. It was updated with a new Minimize Policy Options sub-setting starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.5.21.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 3'
+
+  - id: 26217
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'."
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.21.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  - id: 26218
+    title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services. - Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to. - Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user''s contacts have shared with them, and enables users on this device to share networks with their contacts. - Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled. Note: These features are also known by the name "Wi-Fi Sense".'
+    rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template wlansvc.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.23.2.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
+
+  - id: 26219
+    title: "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'."
+    description: "This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect."
+    rationale: "Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Allow Print Spooler to accept client connections. Note: This Group Policy path is provided by the Group Policy template printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint -> 2'
+
+  - id: 26220
+    title: "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When installing drivers for a new connection. Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall -> 0'
+
+  - id: 26221
+    title: "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When updating drivers for an existing connection. Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings -> 0'
+
+  - id: 26222
+    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'."
+    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.7.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'
+
+  - id: 26223
+    title: "Ensure 'Include command line in process creation events' is set to 'Enabled'."
+    description: "This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created. The recommended state for this setting is: Enabled. Note: This feature that this setting controls was not originally supported in workstation OSes older than Windows 8.1. However, in February 2015 Microsoft added support for the feature to Windows 7 and Windows 8.0 via an update - KB3004375. Therefore, this setting is also important to set on those older OSes."
+    rationale: "Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.3.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 1'
+
+  - id: 26224
+    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'."
+    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients."
+    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows from Windows Vista onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched at least through May 2018 (or later)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.1"]
+      - cis_csc: ["7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 0'
+
+  - id: 26225
+    title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'."
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled. Note: More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs"
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  - id: 26226
+    title: "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.1"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity -> 1'
+
+  - id: 26227
+    title: "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot and DMA Protection. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA protections to help protect data from being scraped from memory."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Secure Boot and DMA Protection: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Select Platform Security Level. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.2"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 3'
+
+  - id: 26228
+    title: "Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'."
+    description: "This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.3"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity -> 1'
+
+  - id: 26229
+    title: "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'."
+    description: "This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked). Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "This setting will help protect this control from being enabled on a system that is not compatible which could lead to a crash or data loss."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to TRUE: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.4"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired -> 1'
+
+  - id: 26230
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'."
+    description: 'This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.'
+    rationale: "The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.5"]
+      - cis_csc: ["10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 1'
+
+  - id: 26231
+    title: "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'."
+    description: "Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled. Note: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Secure Launch Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.5.6"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch -> 1'
+
+  - id: 26232
+    title: "Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: Enabled. Note: This will not prevent the installation of basic hardware drivers, but does prevent associated 3rd-party utility software from automatically being installed under the context of the SYSTEM account."
+    rationale: "Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic 3rd-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Installation\\Prevent device metadata retrieval from the Internet. Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates, or with the Group Policy template DeviceSetup.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork -> 1'
+
+  - id: 26233
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'."
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.14.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["5.1.1"]
+      - nist_800_53: ["SI.3"]
+      - tsc: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  - id: 26234
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'."
+    description: 'The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked).'
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  - id: 26235
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'."
+    description: 'The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked).'
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.3"]
+      - pci_dss: ["11.5.1"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  - id: 26236
+    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'."
+    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled."
+    rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+  - id: 26237
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'."
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy. Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.21.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+
+  - id: 26238
+    title: "Ensure 'Turn off access to the Store' is set to 'Enabled'."
+    description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
+    rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
+
+  - id: 26239
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'."
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.2"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  - id: 26240
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'."
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.3"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  - id: 26241
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'."
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  - id: 26242
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  - id: 26243
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  - id: 26244
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'."
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled. Note: This control affects printing over both HTTP and HTTPS."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  - id: 26245
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  - id: 26246
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'."
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  - id: 26247
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled''.'
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.10"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  - id: 26248
+    title: 'Ensure ''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled''.'
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.11"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  - id: 26249
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.12"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  - id: 26250
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  - id: 26251
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'."
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.14"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+  - id: 26252
+    title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'."
+    description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
+    rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.25.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+  - id: 26253
+    title: "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'."
+    description: "This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Enabled: Block All. Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher, and also requires a UEFI BIOS to function. Note #2: More information on this feature is available at this link: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) | Microsoft Docs."
+    rationale: "Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by the peripheral."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block All: Computer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA Protection\\Enumeration policy for external devices incompatible with Kernel DMA Protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.26.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy -> 0'
+
+  - id: 26254
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'."
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  - id: 26255
+    title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'."
+    description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+  - id: 26256
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  - id: 26257
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'."
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.3"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  - id: 26258
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'."
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  - id: 26259
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  - id: 26260
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.6"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  - id: 26261
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.8.28.7"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  - id: 26262
+    title: "Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'."
+    description: "This setting determines whether Clipboard contents can be synchronized across devices. The recommended state for this setting is: Disabled."
+    rationale: "In high security environments, clipboard data should stay local to the system and not synced across devices, as it may contain very sensitive information that must be contained locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow Clipboard synchronization across devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.31.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard -> 0'
+
+  - id: 26263
+    title: "Ensure 'Allow upload of User Activities' is set to 'Disabled'."
+    description: "This policy setting determines whether published User Activities can be uploaded to the cloud. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow upload of User Activities. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.31.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities -> 0'
+
+  - id: 26264
+    title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.1"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+  - id: 26265
+    title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.2"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+  - id: 26266
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.5"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  - id: 26267
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.6"]
+      - cis_csc: ["4.3"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  - id: 26268
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  - id: 26269
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  - id: 26270
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'."
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.37.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  - id: 26271
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'."
+    description: 'This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'' Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated.'
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.37.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  - id: 26272
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'."
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.48.5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  - id: 26273
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'."
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.48.11.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  - id: 26274
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'."
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.50.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  - id: 26275
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.53.1.1"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  - id: 26276
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'."
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.53.1.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  - id: 26277
+    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'."
+    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
+    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.1"]
+      - cis_csc: ["3.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+  - id: 26278
+    title: "Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'."
+    description: "This setting manages non-Administrator users' ability to install Windows app packages. The recommended state for this setting is: Enabled."
+    rationale: "In a corporate managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Prevent non-admin users from installing packaged Windows apps. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 Release 2004 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx -> BlockNonAdminUserInstall -> 1'
+
+  - id: 26279
+    title: "Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'."
+    description: "This policy setting specifies whether Windows apps can be activated by voice (apps and Cortana) while the system is locked. The recommended state for this setting is: Enabled: Force Deny."
+    rationale: "Access to any computer resource should not be allowed when the device is locked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Deny: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Privacy\\Let Windows apps activate with voice while the system is locked. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppPrivacy.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy -> LetAppsActivateWithVoiceAboveLock -> 2'
+
+  - id: 26280
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'."
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.6.1"]
+      - cis_csc: ["5.6"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  - id: 26281
+    title: "Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'."
+    description: "This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
+    rationale: "Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #3: In older Microsoft Windows Administrative Templates, this setting was initially named Block launching Windows Store apps with Windows Runtime API access from hosted content., but it was renamed starting with the Windows 10 Release 1803 Administrative Templates"
+    compliance:
+      - cis: ["18.9.6.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
+
+  - id: 26282
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.1"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  - id: 26283
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'."
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.2"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  - id: 26284
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'."
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay. Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.8.3"]
+      - cis_csc: ["10.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  - id: 26285
+    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'."
+    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled."
+    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.10.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+  - id: 26286
+    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'."
+    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
+    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.12.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+  - id: 26287
+    title: "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'."
+    description: "This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud consumer account state content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent -> 1'
+
+  - id: 26288
+    title: "Ensure 'Turn off cloud optimized content' is set to 'Enabled'."
+    description: "This policy setting turns off cloud optimized content in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud optimized content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 20H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent -> 1'
+
+  - id: 26289
+    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'."
+    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
+    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+  - id: 26290
+    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'."
+    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always."
+    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates."
+    compliance:
+      - cis: ["18.9.15.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> r:^1$|^2$'
+
+  - id: 26291
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'."
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  - id: 26292
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'."
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation. Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.16.2"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  - id: 26293
+    title: "Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'."
+    description: "This policy setting controls whether security questions can be used to reset local account passwords. The security question feature does not apply to domain accounts, only local accounts on the workstation. The recommended state for this setting is: Enabled."
+    rationale: "Users could establish security questions that are easily guessed or sleuthed by observing the user’s social media accounts, making it easier for a malicious actor to change the local user account password and gain access to the computer as that user account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Prevent the use of security questions for local accounts. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> NoLocalPasswordResetQuestions -> 1'
+
+  - id: 26294
+    title: "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'."
+    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit  Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM"
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Diagnostic Data. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.17.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
+
+  - id: 26295
+    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'."
+    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+  - id: 26296
+    title: "Ensure 'Disable OneSettings Downloads' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled."
+    rationale: "Sending data to a 3rd party vendor is a security concern and should only be done on an as-needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable OneSettings Downloads. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads -> 1'
+
+  - id: 26297
+    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'."
+    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled."
+    rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+  - id: 26298
+    title: "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog. The recommended state for this setting is: Enabled."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Enable OneSettings Auditing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.5"]
+      - cis_csc: ["8.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing -> 1'
+
+  - id: 26299
+    title: "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'."
+    description: "This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a 3rd-party vendor is a security concern and should only be done on an as-needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Diagnostic Log Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection -> 1'
+
+  - id: 26300
+    title: "Ensure 'Limit Dump Collection' is set to 'Enabled'."
+    description: "This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. Note: Dumps are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Dump Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection -> 1'
+
+  - id: 26301
+    title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows 10 Pro or Windows 10 Enterprise, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ‘Manage preview builds’). We have kept this setting in the benchmark to ensure that any older builds of Windows 10 in the environment are still enforced.'
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.17.8"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+  - id: 26302
+    title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'."
+    description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported: - 0 = HTTP only, no peering. - 1 = HTTP blended with peering behind the same NAT. - 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 = HTTP blended with Internet Peering. - 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead. The recommended state for this setting is any value EXCEPT: Enabled: Internet (3). Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet (3), so on other SKUs, be sure to set this to a different value."
+    rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet (3): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.18.1"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
+
+  - id: 26303
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.1.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  - id: 26304
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.1.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 26305
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.2.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  - id: 26306
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.2.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  - id: 26307
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.3.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  - id: 26308
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.3.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 26309
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.4.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  - id: 26310
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.4.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 26311
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'."
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug- in/software."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.31.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  - id: 26312
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'."
+    description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled."
+    rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption. Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.31.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  - id: 26313
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'."
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode. Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.31.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  - id: 26314
+    title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'."
+    description: "By default, users can add their computer to a HomeGroup on a home network. The recommended state for this setting is: Enabled. Note: The HomeGroup feature is available in all workstation releases of Windows from Windows 7 through Windows 10 Release 1709. Microsoft removed the feature completely starting with Windows 10 Release 1803. However, if your environment still contains any Windows 10 Release 1709 (or older) workstations, then this setting remains important to disable HomeGroup on those systems."
+    rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sharing.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.36.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
+
+  - id: 26315
+    title: "Ensure 'Turn off location' is set to 'Enabled'."
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.41.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  - id: 26316
+    title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'."
+    description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.45.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+  - id: 26317
+    title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'."
+    description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.1"]
+      - cis_csc: ["5.3"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+  - id: 26318
+    title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. This setting can only be set by Group Policy. The recommended state for this setting is: Disabled."
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.4.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  - id: 26319
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.4.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+
+  - id: 26320
+    title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'."
+    description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: Enabled."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
+  - id: 26321
+    title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured."
+    description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) e6db77e5-3df2-4cf1-b95a-636979351e5b - 1 (Block persistence through WMI event subscription) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs"
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d, d4f940ab-401b-4efc-aadc-ad5f3c50688a, and e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.1.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
+
+  - id: 26322
+    title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'."
+    description: "This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block."
+    rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.5.3.1"]
+      - cis_csc: ["9.3", "10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+  - id: 26323
+    title: "Ensure 'Enable file hash computation feature' is set to 'Enabled'."
+    description: "This setting determines whether hash values are computed for files scanned by Microsoft Defender. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.6.1"]
+      - cis_csc: ["10.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation -> 1'
+
+  - id: 26324
+    title: "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
+    description: "This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all downloaded files and attachments. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection -> 0'
+
+  - id: 26325
+    title: "Ensure 'Turn off real-time protection' is set to 'Disabled'."
+    description: "This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-time protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0'
+
+  - id: 26326
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'."
+    description: "This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.3"]
+      - cis_csc: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0'
+
+  - id: 26327
+    title: "Ensure 'Turn on script scanning' is set to 'Enabled'."
+    description: "This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.9.4"]
+      - cis_csc: ["10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning -> 0'
+
+  - id: 26328
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'."
+    description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Reporting\\Configure Watson events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.11.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  - id: 26329
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Scan removable drives. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.12.1"]
+      - cis_csc: ["10.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  - id: 26330
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'."
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Microsoft Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.12.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  - id: 26331
+    title: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'."
+    description: "This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications, that can deliver adware or malware. The recommended state for this setting is: Enabled: Block. For more information, see this link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs"
+    rationale: "Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Configure detection for potentially unwanted applications. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.47.15"]
+      - cis_csc: ["2.5", "10.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'
+
+  - id: 26332
+    title: "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'."
+    description: "This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Microsoft Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Turn off Microsoft Defender AntiVirus. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed to Windows Defender Antivirus starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Turn off Microsoft Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates."
+    compliance:
+      - cis: ["18.9.47.16"]
+      - cis_csc: ["10.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
+
+  - id: 26333
+    title: "Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'."
+    description: "This policy setting specifies whether the news and interests feature is allowed on the device. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, apps and features such as news and interests on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft. In addition, the app may display inappropriate news and interests within the feed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\News and interests\\Enable news and interests on the taskbar. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Feeds.admx/adml that is included with the Microsoft Windows 10 Release 21H1 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.57.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds -> 0'
+
+  - id: 26334
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'."
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a workstation, not just the one supplied with Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  - id: 26335
+    title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'."
+    description: "This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.64.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
+  - id: 26336
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'."
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.2.2"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  - id: 26337
+    title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'."
+    description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
+    rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was finally renamed (again) to Allow users to connect remotely by using Remote Desktop Services starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.2.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
+
+  - id: 26338
+    title: "Ensure 'Allow UI Automation redirection' is set to 'Disabled'."
+    description: "This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer's Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session. The recommended state for this setting is: Disabled. Note: Remote Desktop sessions don't currently support UI Automation redirection."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for UI Automation redirection within a Remote Desktop session is rare, and not supported at this time, but it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Allow UI Automation redirection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.65.3.3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection -> 0'
+
+  - id: 26339
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  - id: 26340
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'."
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  - id: 26341
+    title: "Ensure 'Do not allow location redirection' is set to 'Enabled'."
+    description: "This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for location data redirection within a Remote Desktop session is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow location redirection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.65.3.3.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir -> 1'
+
+  - id: 26342
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  - id: 26343
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'."
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.3.6"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  - id: 26344
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'."
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.1"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  - id: 26345
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.2"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  - id: 26346
+    title: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'."
+    description: "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. The recommended state for this setting is: Enabled: SSL. Note: In spite of this setting being labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol."
+    rationale: "The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: SSL: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require use of specific security layer for remote (RDP) connections. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.3"]
+      - cis_csc: ["3.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 2'
+
+  - id: 26347
+    title: "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. The recommended state for this setting is: Enabled."
+    rationale: "Requiring that user authentication occur earlier in the remote connection process enhances security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require user authentication for remote connections by using Network Level Authentication. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was initially named Require user authentication using RDP 6.0 for remote connections, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.4"]
+      - cis_csc: ["3.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1'
+
+  - id: 26348
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'."
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.9.5"]
+      - cis_csc: ["3.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  - id: 26349
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'."
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0)."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less, but not Never (0): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.10.1"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/766
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0'
+
+  - id: 26350
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'."
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.10.2"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  - id: 26351
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'."
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.65.3.11.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  - id: 26352
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures. Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.66.1"]
+      - cis_csc: ["9.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  - id: 26353
+    title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'."
+    description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.2"]
+      - cis_csc: ["4.8"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+  - id: 26354
+    title: "Ensure 'Allow Cortana' is set to 'Disabled'."
+    description: "This policy setting specifies whether Cortana is allowed on the device. The recommended state for this setting is: Disabled."
+    rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.3"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
+
+  - id: 26355
+    title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'."
+    description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. The recommended state for this setting is: Disabled."
+    rationale: "Access to any computer resource should not be allowed when the device is locked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.4"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
+
+  - id: 26356
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'."
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files. Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.67.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  - id: 26357
+    title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'."
+    description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.67.6"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
+
+  - id: 26358
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'."
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.72.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  - id: 26359
+    title: "Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'."
+    description: "This setting configures the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. The recommended state for this setting is: Disabled. Note: This policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions. Note #2: The name of this setting and the Enabled/Disabled values are incorrectly worded - logically, the title implies that configuring it to Enabled will disable all apps from the Microsoft Store, and configuring it to Disabled will enable all apps from the Microsoft Store. The opposite is true (and is consistent with the GPME help text). This is a logical wording mistake by Microsoft in the Administrative Template."
+    rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Disable all apps from Microsoft Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable all apps from Windows Store, but it was renamed starting with the Windows 10 Release 1803 Administrative Templates."
+    compliance:
+      - cis: ["18.9.75.1"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1'
+
+  - id: 26360
+    title: "Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'."
+    description: "This policy setting denies access to the retail catalog in the Microsoft Store, but displays the private store. The recommended state for this setting is: Enabled."
+    rationale: "Allowing the private store will allow an organization to control the apps that users have access to add to a system. This will help ensure that unapproved malicious apps are not running on a system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Only display the private store within the Microsoft Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1607 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Only display the private store within the Windows Store app, but it was renamed starting with the Windows 10 Release 1803 Administrative Templates."
+    compliance:
+      - cis: ["18.9.75.2"]
+      - cis_csc: ["2.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RequirePrivateStoreOnly -> 1'
+
+  - id: 26361
+    title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'."
+    description: "This setting enables or disables the automatic download and installation of Microsoft Store app updates. The recommended state for this setting is: Disabled."
+    rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.3"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
+
+  - id: 26362
+    title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'."
+    description: "Enables or disables the Microsoft Store offer to update to the latest version of Windows. The recommended state for this setting is: Enabled."
+    rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.4"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
+
+  - id: 26363
+    title: "Ensure 'Turn off the Store application' is set to 'Enabled'."
+    description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
+    rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.75.5"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
+      - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
+
+  - id: 26364
+    title: "Ensure 'Allow widgets' is set to 'Disabled'."
+    description: "This policy setting specifies whether the widgets feature is allowed on the device. The widgets feature provides information such as, weather, news, sports, stocks, traffic, and entertainment (not an inclusive list). The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, apps and features such as widgets on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Widgets\\Allow Widgets. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NewsAndInterests.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.81.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh -> AllowNewsAndInterests -> 0'
+
+  - id: 26365
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'."
+    description: "This policy setting allows you to manage the behavior of Windows Defender SmartScreen. Windows Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.1.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+  - id: 26366
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'."
+    description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. The recommended state for this setting is: Enabled."
+    rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 RTM (Release 1507) Administrative Templates, this setting was initially named Allows you to configure SmartScreen. In the Microsoft Windows 10 Release 1511 Administrative Templates, it was renamed to Turn off the SmartScreen Filter. In the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates, it was renamed (again) to Configure SmartScreen Filter. Finally, it was given its current name of Configure Windows Defender SmartScreen starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
+
+  - id: 26367
+    title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'."
+    description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. The recommended state for this setting is: Enabled."
+    rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was initially named Don't allow SmartScreen Filter warning overrides. In the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was renamed to Prevent bypassing SmartScreen prompts for sites. Finally, it was given its current name of Prevent bypassing Windows Defender SmartScreen prompts for sites starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2.2"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
+
+  - id: 26368
+    title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'."
+    description: "This setting enables or disables the Windows Game Recording and Broadcasting features. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is allowed, users could record and broadcast session info to external sites, which is both a risk of accidentally exposing sensitive company data (on-screen) outside the company as well as a privacy concern."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GameDVR.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.87.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
+
+  - id: 26369
+    title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'."
+    description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
+    rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.89.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+  - id: 26370
+    title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'."
+    description: "This policy setting determines whether Windows Ink items are allowed above the lock screen. The recommended state for this setting is: Enabled: On, but disallow access above lock OR Disabled."
+    rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.89.2"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
+
+  - id: 26371
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'."
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.1"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  - id: 26372
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'."
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.2"]
+      - cis_csc: ["5.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  - id: 26373
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'."
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.90.3"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  - id: 26374
+    title: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'."
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in and lock last interactive user automatically after a restart. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Sign-in last interactive user automatically after a system-initiated restart, but it was renamed starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.9.91.1"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  - id: 26375
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'."
+    description: "This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark."
+    rationale: "Logs of PowerShell script input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.100.1"]
+      - cis_csc: ["8.8"]
+      - pci_dss: ["12.3.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 1'
+
+  - id: 26376
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'."
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.100.2"]
+      - pci_dss: ["12.3.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
+
+  - id: 26377
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled. Note: Clients that use Microsoft's Exchange Online service (Office 365) will require an exception to this recommendation, to instead have this setting set to Enabled. Exchange Online uses Basic authentication over HTTPS, and so the Exchange Online authentication traffic will still be safely encrypted."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  - id: 26378
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.2"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  - id: 26379
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  - id: 26380
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.1"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  - id: 26381
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.2"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  - id: 26382
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2.3"]
+      - cis_csc: ["3.10"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  - id: 26383
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.102.2.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  - id: 26384
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'."
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.103.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  - id: 26385
+    title: "Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'."
+    description: 'This policy setting enables or disables clipboard sharing with the Windows sandbox. The recommended state for this setting is: Disabled. Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and allows a temporary "clean install" virtual instance of Windows to be run inside the host, for the ostensible purpose of testing applications without making changes to the host.'
+    rationale: "Disabling copy and paste decreases the attack surface exposed by the Windows Sandbox and possible exposure of untrusted applications to the internal network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Sandbox\\Allow clipboard sharing with Windows Sandbox. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.104.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowClipboardRedirection -> 0'
+
+  - id: 26386
+    title: "Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'."
+    description: 'This policy setting enables or disables networking in the Windows Sandbox. Networking is achieved by creating a virtual switch on the host, and connecting the Windows Sandbox to it via a virtual Network Interface Card (NIC). The recommended state for this setting is: Disabled. Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and allows a temporary "clean install" virtual instance of Windows to be run inside the host, for the ostensible purpose of testing applications without making changes to the host.'
+    rationale: "Disabling network access decreases the attack surface exposed by the Windows Sandbox and exposure of untrusted applications to the internal network. Note: Per Microsoft, enabling networking in the Windows Sandbox can expose untrusted applications to the internal network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Sandbox\\Allow networking in Windows Sandbox. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.104.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox -> AllowNetworking -> 0'
+
+  - id: 26387
+    title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'."
+    description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled."
+    rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Security\\App and browser protection\\Prevent users from modifying settings. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.105.2.1"]
+      - cis_csc: ["10.5"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+  - id: 26388
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'."
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Legacy Policies\\No auto-restart with logged on users for scheduled automatic updates installations. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.1.1"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+
+  - id: 26389
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'."
+    description: 'This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process.'
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.2.1"]
+      - cis_csc: ["7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  - id: 26390
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'."
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates'. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates: Scheduled install day. Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.2.2"]
+      - cis_csc: ["7.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 4'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  - id: 26391
+    title: 'Ensure ''Remove access to "Pause updates" feature'' is set to ''Enabled''.'
+    description: 'This policy removes access to "Pause updates" feature. The recommended state for this setting is: Enabled.'
+    rationale: "In order to ensure security and system updates are applied, system administrators should control when updates are applied to systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Remove access to \"Pause updates\" feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.2.3"]
+      - cis_csc: ["7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> SetDisablePauseUXAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> SetDisablePauseUXAccess -> 1'
+
+  - id: 26392
+    title: "Ensure 'Manage preview builds' is set to 'Disabled'."
+    description: "This policy setting manage which updates that are receive prior to the update being released. Dev Channel: Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release. Beta Channel: Ideal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release. Release Preview Channel (default): Insiders in the Release Preview Channel will have access to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before broad deployment within their organization. The recommended state for this setting is: Disabled. Note: Preview Build enrollment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview Builds, see: https://aka.ms/wipforbiz"
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Manage preview builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.4.1"]
+      - cis_csc: ["2.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 1'
+
+  - id: 26393
+    title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'."
+    description: 'This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.'
+    rationale: "In a production environment, it is preferred to only use software and features that are publicly available, after they have gone through rigorous testing in beta."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates."
+    compliance:
+      - cis: ["18.9.108.4.2"]
+      - cis_csc: ["2.5", "7.3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+
+  - id: 26394
+    title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'."
+    description: 'This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog'
+    rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.108.4.3"]
+      - cis_csc: ["7.3"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
diff --git a/etc/ruleset/sca/windows/cis_win2012r2.yml b/etc/ruleset/sca/windows/cis_win2012r2.yml
new file mode 100644
index 0000000000..b2a6df7d84
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win2012r2.yml
@@ -0,0 +1,4106 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 2012 R2
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Microsoft Windows Server 2012 R2 v2.3.0 - 03-30-2018
+
+policy:
+  id: "cis_win2012r2"
+  file: "cis_win2012r2.yml"
+  name: "CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2012 R2."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows Server 2012 R2"
+  description: "Requirements for running the CIS benchmark under Windows Server 2012 R2"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
+
+checks:
+  # Section 1.1 - Password Policies
+  - id: 15000
+    title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37167-4"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
+
+  # Section 2.3 - Security Options
+  - id: 15001
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
+    compliance:
+      - cis: ["2.3.1.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36147-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  - id: 15002
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
+    compliance:
+      - cis: ["2.3.1.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37615-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  - id: 15003
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37850-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  - id: 15004
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc: ["6"]
+      - pci_dss: ["2.2.4", "10.7"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-35907-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  - id: 15005
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
+    default_value: "Disabled."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37701-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+  - id: 15006
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
+    compliance:
+      - cis: ["2.3.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4", "2,2,5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3", "CC5.2"]
+    references:
+      - "CCE-37942-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  - id: 15007
+    title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
+    description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks."
+    compliance:
+      - cis: ["2.3.5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37848-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
+
+  - id: 15008
+    title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
+    description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements."
+    compliance:
+      - cis: ["2.3.5.2"]
+      - cis_csc: ["3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
+      - "CCE-35904-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
+
+  - id: 15009
+    title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"
+    description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes."
+    compliance:
+      - cis: ["2.3.5.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36921-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
+
+  - id: 15010
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36142-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  - id: 15011
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37130-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  - id: 15012
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37222-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  - id: 15013
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
+    compliance:
+      - cis: ["2.3.6.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37508-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  - id: 15014
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
+    compliance:
+      - cis: ["2.3.6.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37614-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  - id: 15015
+    title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name."
+    compliance:
+      - cis: ["2.3.7.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36056-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  - id: 15016
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+    compliance:
+      - cis: ["2.3.7.2"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37637-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  - id: 15017
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit."
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38235-8"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  - id: 15018
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s) ."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s) : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+    compliance:
+      - cis: ["2.3.7.6"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37439-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
+
+  - id: 15019
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
+    compliance:
+      - cis: ["2.3.7.7"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37622-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  - id: 15020
+    title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
+    description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled ."
+    rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
+    remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled:Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
+    compliance:
+      - cis: ["2.3.7.8"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38240-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
+
+  - id: 15021
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38333-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
+
+  - id: 15022
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.8.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36325-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 15023
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)."
+    compliance:
+      - cis: ["2.3.8.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36269-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 15024
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37863-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+  - id: 15025
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc: ["3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38046-9"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  - id: 15026
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.9.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37864-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+  - id: 15027
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)."
+    compliance:
+      - cis: ["2.3.9.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-35988-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+  - id: 15028
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire."
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37972-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  - id: 15029
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client . Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
+    compliance:
+      - cis: ["2.3.9.5"]
+      - cis_csc: ["14"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
+      - "CCE-36170-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel ->  n:^(\d+) compare >= 1'
+
+  # Section 2.3 - Security Options
+
+  - id: 15030
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts."
+    compliance:
+      - cis: ["2.3.10.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36316-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  - id: 15031
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)"
+    remediation: "To establish the recommended configuration via GP, set the following U path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares."
+    compliance:
+      - cis: ["2.3.10.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36316-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  - id: 15032
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
+    compliance:
+      - cis: ["2.3.10.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38119-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  - id: 15033
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
+    compliance:
+      - cis: ["2.3.10.5"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36148-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  - id: 15034
+    title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: - Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. - Level 1 - Member Server. The recommended state for this setting is: <blank> (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.6"]
+      - cis_csc: ["14.1", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38258-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc && r:netlogon && r:samr'
+
+  - id: 15035
+    title: "Configure 'Network access: Remotely accessible registry paths'"
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths."
+    compliance:
+      - cis: ["2.3.10.7"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37194-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Server Applications'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+  - id: 15036
+    title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
+    compliance:
+      - cis: ["2.3.10.8"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36347-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\SysmonLog'
+
+  - id: 15037
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
+    compliance:
+      - cis: ["2.3.10.9"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36021-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  - id: 15038
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.10"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38095-6"
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
+  - id: 15039
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
+    compliance:
+      - cis: ["2.3.10.11"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1.3"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37623-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  - id: 15040
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
+    compliance:
+      - cis: ["2.3.11.1"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38341-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  - id: 15041
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
+    compliance:
+      - cis: ["2.3.11.2"]
+      - cis_csc: ["14"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37035-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  - id: 15042
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
+    compliance:
+      - cis: ["2.3.11.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38047-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  - id: 15043
+    title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
+    rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37755-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:r:2147483644|2147483640'
+
+  - id: 15044
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36326-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  - id: 15045
+    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
+    compliance:
+      - cis: ["2.3.11.6"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36270-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  - id: 15046
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36173-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  - id: 15047
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36858-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'
+
+  - id: 15048
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37553-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+  - id: 15049
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/288
+      - "CCE-37835-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  - id: 15050
+    title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
+    description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+    rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
+    compliance:
+      - cis: ["2.3.13.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36788-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
+  - id: 15051
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
+    compliance:
+      - cis: ["2.3.15.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37885-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  - id: 15052
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
+    compliance:
+      - cis: ["2.3.15.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37644-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  - id: 15053
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
+    compliance:
+      - cis: ["2.3.17.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36494-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  - id: 15054
+    title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
+    description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop."
+    compliance:
+      - cis: ["2.3.17.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36863-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
+
+  - id: 15055
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37029-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
+
+  - id: 15056
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
+    compliance:
+      - cis: ["2.3.17.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36864-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  - id: 15057
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
+    compliance:
+      - cis: ["2.3.17.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36533-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  - id: 15058
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window. -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
+    compliance:
+      - cis: ["2.3.17.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37057-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  - id: 15059
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36869-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  - id: 15060
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
+    compliance:
+      - cis: ["2.3.17.8"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36866-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  - id: 15061
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
+    compliance:
+      - cis: ["2.3.17.9"]
+      - pci_dss: ["6.5.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37064-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  ###############################################
+  # 9 Windows Firewall with Advanced Security
+  ###############################################
+  ###############################################
+  # 9.1 Domain Profile
+  ###############################################
+  # 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'
+  - id: 15062
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36062-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  # 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+  - id: 15063
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38117-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  # 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
+  - id: 15064
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36146-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  # 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+  - id: 15065
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.1.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38041-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  # 9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
+
+  - id: 15066
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37482-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  # 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
+
+  - id: 15067
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36088-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+  - id: 15068
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37523-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+  - id: 15069
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36393-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.2 Private Profile
+  ###############################################
+
+  # 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'
+  - id: 15070
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38239-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  # 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+  - id: 15071
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38042-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  # 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
+  - id: 15072
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38332-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  # 9.2.4 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
+  - id: 15073
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.2.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37621-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  # 9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
+  - id: 15074
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37569-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  # 9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
+  - id: 15075
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-38178-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+  - id: 15076
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-35972-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
+  - id: 15077
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37387-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.3 Public Profile
+  ###############################################
+
+  # 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'
+  - id: 15078
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37862-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  # 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+  - id: 15079
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36057-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  # 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
+  - id: 15080
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37434-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  # 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
+  - id: 15081
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.3.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38043-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  # 9.3.5 Ensure 'Windows Firewall: Public: Apply local firewall rules' is set to 'No'
+  - id: 15082
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules."
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37861-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  # 9.3.6 Ensure 'Windows Firewall: Public: Apply local connection security rules' is set to 'No'
+  - id: 15083
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules."
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36268-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  # 9.3.7 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
+  - id: 15084
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37266-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  # 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater''
+  - id: 15085
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36395-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes''
+  - id: 15086
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37265-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.3.10 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes''
+  - id: 15087
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36394-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  # Section 18.1 - Control Panel
+  - id: 15088
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38347-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  - id: 15089
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38348-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+  # Section 18.2 - LAPS
+
+  - id: 15090
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
+    compliance:
+      - cis: ["18.2.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  - id: 15091
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  - id: 15092
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  - id: 15093
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.4"]
+      - cis_csc: ["5.7"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  - id: 15094
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.5"]
+      - cis_csc: ["5.7"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  - id: 15095
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.6"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  # Section 18.3 - MS Security Guide
+  - id: 15096
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
+    description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled."
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - https://www.microsoft.com/en-us/download/details.aspx?id=36036
+      - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
+      - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
+      - "CCE-37069-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
+
+  - id: 15097
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service ( MRxSmb10 ), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled , as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver. Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required - it is available from Microsoft"
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc: ["9.1"]
+    references:
+      - https://www.microsoft.com/en-us/download/details.aspx?id=36036
+      - https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/
+      - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  - id: 15098
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled ."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858"
+      - "https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  - id: 15099
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled ."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/"
+      - "https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  - id: 15100
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
+    description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
+    compliance:
+      - cis: ["18.3.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://www.microsoft.com/en-us/download/details.aspx?id=36036
+      - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
+      - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
+      - "CCE-38444-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  # Section 18.4 - MSS (Legacy)
+  - id: 15101
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37067-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  - id: 15102
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36871-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 15103
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36535-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 15104
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - nist_800_53: ["SC.5"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37988-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  # Section 18.4 - MSS (Legacy)
+  - id: 15105
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-36868-8"
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  - id: 15106
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36879-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  - id: 15107
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-38065-9"
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  - id: 15108
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.8"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36351-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  - id: 15109
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.9"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37993-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  - id: 15110
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.10"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-37846-3"
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 15111
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.11"]
+      - cis_csc: ["9"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - "CCE-36051-1"
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  - id: 15112
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36880-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  # Section 18.5 - Network
+
+  - id: 15113
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled ."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37450-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+  - id: 15114
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38170-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
+  - id: 15115
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.9.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37959-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
+  - id: 15116
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.10.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37699-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  - id: 15117
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
+    description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    references:
+      - "CCE-38002-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  - id: 15118
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.11.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    references:
+      - "CCE-38188-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  - id: 15119
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'''
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares .'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template ( NetworkProvider.admx/adml ) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths Note: This Group Policy path does not exist by default. An additional Group Policy template ( NetworkProvider.admx/adml ) is required"
+    compliance:
+      - cis: ["18.5.14.1"]
+      - cis_csc: ["3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+
+  # Section 18.5 - Network
+  - id: 15120
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
+    description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents. Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+    compliance:
+      - cis: ["18.5.19.2.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  - id: 15121
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now. Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.20.1"]
+      - cis_csc: ["15.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37481-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  - id: 15122
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.20.2"]
+      - cis_csc: ["15.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36109-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  - id: 15123
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.21.1"]
+      - cis_csc: ["12"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    references:
+      - "CCE-38338-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
+
+  # Section 18.5.21 - Windows Connection Manager
+  - id: 15124
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network."
+    compliance:
+      - cis: ["18.5.21.2"]
+      - cis_csc: ["12"]
+      - pci_dss: ["2.2.4", "1.3.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2", "CC6.1"]
+    references:
+      - "CCE-37627-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  # Section 18.8 - System
+  - id: 15125
+    title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
+    description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
+    rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.3.1"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36925-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
+  - id: 15126
+    title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled ."
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  - id: 15127
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -Good: The driver has been signed and has not been tampered with. -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.14.1"]
+      - cis_csc: ["8"]
+      - pci_dss: ["5.1.1"]
+      - nist_800_53: ["SI.3"]
+      - tsc: ["CC6.8"]
+    references:
+      - "CCE-37912-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  - id: 15128
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+    description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.2"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36169-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  - id: 15129
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+    description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.3"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["11.5.1"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "CCE-36169-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  - id: 15130
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.21.4"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37712-7"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+
+  # Section 18.8 - System
+  - id: 15131
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["6"]
+      - nist_800_53: ["SI.3"]
+    references:
+      - "CCE-36625-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  - id: 15132
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37911-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  - id: 15133
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36203-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  - id: 15134
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37163-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  - id: 15135
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.5"]
+      - cis_csc: ["7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36096-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  - id: 15136
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.6"]
+      - cis_csc: ["13.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36920-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  - id: 15137
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36352-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  - id: 15138
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36884-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  - id: 15139
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled'''
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.9"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38275-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  - id: 15140
+    title: 'Ensure ''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled'''
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.10"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37090-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  - id: 15141
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.11"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36628-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  - id: 15142
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.12"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36174-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  - id: 15143
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35964-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
+
+  - id: 15144
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.26.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36343-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  - id: 15145
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.1"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38353-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  - id: 15146
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.2"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37838-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  - id: 15147
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35894-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  - id: 15148
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.4"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35893-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  - id: 15149
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled . Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy  template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.27.5"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  - id: 15150
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.8.27.6"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37528-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  - id: 15151
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.33.6.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36881-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  - id: 15152
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.33.6.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37066-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  - id: 15153
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.35.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36388-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  - id: 15154
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.35.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37281-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  # Section 18.8.36 - Remote Procedure Call
+  - id: 15155
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
+      - "CCE-37346-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  - id: 15156
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
+    description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients."
+    compliance:
+      - cis: ["18.8.36.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36559-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  - id: 15157
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.44.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38161-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  - id: 15158
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.44.11.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36648-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  - id: 15159
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.46.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36931-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  - id: 15160
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.49.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    references:
+      - "CCE-37843-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  - id: 15161
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server."
+    compliance:
+      - cis: ["18.8.49.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.3", "CC7.2"]
+    references:
+      - "CCE-37319-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  # Section 18.9 - Windows Components
+  - id: 15162
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.6.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38354-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  - id: 15163
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37636-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  - id: 15164
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38217-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  - id: 15165
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.8.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36875-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  - id: 15166
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.15.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37534-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  - id: 15167
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.15.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36512-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  - id: 15168
+    title: "Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings)"
+    description: "This setting configures the default action after detection and advanced ROP mitigation. The recommended state for this setting is: Default Action and Mitigation Settings - Enabled; Deep Hooks - Enabled;  Anti Detours - Enabled; Banned Functions - Enabled; Exploit Action - User Configured"
+    rationale: "These advanced mitigations for ROP mitigations apply to all configured software in EMET: Deep Hooks protects critical APIs and the subsequent lower level APIs used by the top level critical API. Anti Detours renders ineffective exploits that evade hooks by executing a copy of the hooked function prologue and then jump to the function past the prologue. Banned Functions will block calls to ntdll!LdrHotPatchRoutine to mitigate potential exploits abusing the API."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\Default Action and Mitigation Settings .Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38427-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> AntiDetours -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> BannedFunctions -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> DeepHooks -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> ExploitAction -> 2'
+
+  - id: 15169
+    title: "Ensure 'Default Protections for Internet Explorer' is set to 'Enabled'"
+    description: "This setting determines if recommended EMET mitigations are applied to Internet Explorer. The recommended state for this setting is: Enabled ."
+    rationale: "Applying EMET mitigations to Internet Explorer will help reduce the reliability of exploits that target it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\Default Protections for Internet Explorer Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38428-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Internet Explorer\iexplore.exe'
+
+  - id: 15170
+    title: "Ensure 'Default Protections for Popular Software' is set to 'Enabled'"
+    description: "This setting determines if recommended EMET mitigations are applied to the following popular software: 7-Zip; Adobe Photoshop; Foxit Reader; Google Chrome; Google Talk; iTunes; Microsoft Live Writer;Microsoft Lync Communicator ;Microsoft Photo Gallery ;Microsoft SkyDrive; mIRC; Mozilla Firefox; Mozilla Thunderbird; Opera;Pidgin ;QuickTime Player; RealPlayer; Safari; Skype; VideoLAN VLC; Winamp; Windows Live Mail; Windows Media Player; WinRAR; WinZip. The recommended state for this setting is: Enabled ."
+    rationale: "Applying EMET mitigations to popular software packages will help reduce the reliability of exploits that target them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\Default Protections for Popular Software Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.4"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36750-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\7-Zip\7z.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\7-Zip\7zFM.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\7-Zip\7zG.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Adobe\Adobe Photoshop CS*\Photoshop.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Foxit Reader\Foxit Reader.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Google\Chrome\Application\chrome.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Google\Google Talk\googletalk.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\iTunes\iTunes.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Microsoft Lync\communicator.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\mIRC\mirc.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Mozilla Firefox\firefox.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Mozilla Firefox\plugin-container.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Mozilla Thunderbird\plugin-container.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Mozilla Thunderbird\thunderbird.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Opera\*\opera.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Opera\opera.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Pidgin\pidgin.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\QuickTime\QuickTimePlayer.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Real\RealPlayer\realconverter.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Real\RealPlayer\realplay.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Safari\Safari.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\SkyDrive\SkyDrive.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Skype\Phone\Skype.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\VideoLAN\VLC\vlc.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Winamp\winamp.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Windows Live\Mail\wlmail.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Windows Live\Photo Gallery\WLXPhotoGallery.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Windows Live\Writer\WindowsLiveWriter.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Windows Media Player\wmplayer.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\WinRAR\rar.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\WinRAR\unrar.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\WinRAR\winrar.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\WinZip\winzip32.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\WinZip\winzip64.exe'
+
+  - id: 15171
+    title: "Ensure 'Default Protections for Recommended Software' is set to 'Enabled'"
+    description: "This setting determines if recommended EMET mitigations are applied to the following software: Adobe Acrobat; Adobe Acrobat Reader; Microsoft Office suite applications; Oracle Java; WordPad. The recommended state for this setting is: Enabled ."
+    rationale: "Applying EMET mitigations to recommended software will help reduce the reliability of exploits that target them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\Default Protections for Recommended Software Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.5"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36515-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Adobe\*\Reader\AcroRd32.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Adobe\Acrobat*\Acrobat\Acrobat.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Java\jre*\bin\java.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Java\jre*\bin\javaw.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Java\jre*\bin\javaws.exe'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\EXCEL.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\INFOPATH.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\LYNC.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\MSACCESS.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\MSPUB.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\OIS.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\OUTLOOK.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\POWERPNT.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\PPTVIEW.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\VISIO.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\VPREVIEW.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\OFFICE1*\WINWORD.EXE'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\Defaults -> *\Windows NT\Accessories\wordpad.exe'
+
+  - id: 15172
+    title: "Ensure 'System ASLR' is set to 'Enabled: Application Opt-In'"
+    description: "This setting determines how applications become enrolled in Address Space Layout Randomization (ASLR). The recommended state for this setting is: Enabled: Application Opt-In ."
+    rationale: "ASLR reduces the predictability of process memory, which in-turn helps reduce the reliability of exploits targeting memory corruption vulnerabilities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-In :Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\System ASLR Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.6"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38437-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> ASLR -> 3'
+
+  - id: 15173
+    title: "Ensure 'System DEP' is set to 'Enabled: Application Opt-Out'"
+    description: "This setting determines how applications become enrolled in Data Execution Protection (DEP). The recommended state for this setting is: Enabled: Application Opt-Out ."
+    rationale: "DEP marks pages of application memory as non-executable, which reduces a given exploit's ability to run attacker-controlled code."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\System DEP Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.7"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38438-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> DEP -> 2'
+
+  - id: 15174
+    title: "Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out'"
+    description: "This setting determines how applications become enrolled in Structured Exception Handler Overwrite Protection (SEHOP). The recommended state for this setting is: Enabled: Application Opt-Out ."
+    rationale: "When a software component suffers from a memory corruption vulnerability, an exploit may be able to overwrite memory that contains data structures that control how the software handles exceptions. By corrupting these structures in a controlled manner, an exploit may be able to execute arbitrary code. SEHOP verifies the integrity of those structures before they are used to handle exceptions, which reduces the reliability of exploits that leverage structured exception handler overwrites."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Application Opt-Out : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\EMET\\System SEHOP Note: This Group Policy path does not exist by default. An additional Group Policy template ( EMET.admx/adml ) is required - it is included with Microsoft Enhanced Mitigation Experience Toolkit (EMET)."
+    compliance:
+      - cis: ["18.9.24.7"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38438-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EMET\SysSettings -> SEHOP -> 2'
+
+  - id: 15175
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37775-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  - id: 15176
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37948-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15177
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.2.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37145-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  - id: 15178
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.2.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37695-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  - id: 15179
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.3.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-38276-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  - id: 15180
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.3.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37526-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15181
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.4.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36160-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  - id: 15182
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.4.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36092-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  - id: 15183
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.30.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37809-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  - id: 15184
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.30.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36660-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  - id: 15185
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.30.4"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36809-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  # Section 18.9 - System
+
+  # Section 18.9.39 - Location and Sensors
+  - id: 15186
+    title: "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'"
+    description: "This policy setting turns off the Windows Location Provider feature for the computer."
+    rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider."
+    compliance:
+      - cis: ["18.9.39.1.1"]
+    references:
+      - "CCE-38225-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1'
+
+  - id: 15187
+    title: "Ensure 'Turn off location' is set to 'Enabled'"
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.39.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36886-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  - id: 15188
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.9.52.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36939-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  - id: 15189
+    title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
+    rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
+    compliance:
+      - cis: ["18.9.52.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36939-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Onedrive -> DisableFileSync -> 1'
+
+  - id: 15190
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.2.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36223-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  - id: 15191
+    title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
+    description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.2.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37708-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
+  - id: 15192
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.3.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37696-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  - id: 15193
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.3.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36509-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  - id: 15194
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.3.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37778-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  - id: 15195
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.3.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37477-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  - id: 15196
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.9.1"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37929-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  - id: 15197
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.9.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37567-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  - id: 15198
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.9.3"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36627-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  - id: 15199
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.10.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37562-6"
+      - https://workbench.cisecurity.org/benchmarks/766
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+
+  - id: 15200
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.10.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37949-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  - id: 15201
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.11.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37946-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  - id: 15202
+    title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
+    description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.58.3.11.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38180-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+  - id: 15203
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.1"]
+      - cis_csc: ["7.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37126-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  - id: 15204
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.60.2"]
+      - cis_csc: ["13.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38277-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  - id: 15205
+    title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
+    description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
+    rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.60.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36937-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
+
+  - id: 15206
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.65.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  # Section - 18.9.76.9 - Reporting
+
+  - id: 15207
+    title: "Ensure 'Configure local setting override for reporting to  Microsoft MAPS' is set to 'Disabled'"
+    description: 'This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Windows Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled .'
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.76.3.1"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36940-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  - id: 15208
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership   Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.76.3.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+
+  - id: 15209
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
+    description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus. The recommended state for this setting is: Enabled ."
+    rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.76.7.1"]
+      - cis_csc: ["8.1"]
+      - pci_dss: ["5.2"]
+    references:
+      - "CCE-38389-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
+
+  - id: 15210
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'"
+    description: "This policy setting allows you to configure whether or not Watson events are sent."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events."
+    compliance:
+      - cis: ["18.9.76.9.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36950-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  - id: 15211
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled ."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.76.10.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38409-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  - id: 15212
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled ."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.76.10.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36958-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  - id: 15213
+    title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+    description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled ."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.76.14"]
+      - cis_csc: ["8.1"]
+      - pci_dss: ["5.2"]
+      - tsc: ["CC6.8"]
+    references:
+      - "CCE-36082-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
+
+  - id: 15214
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
+    description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.80.1.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-35859-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
+
+  - id: 15215
+    title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
+    description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data."
+    rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.81.2.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37112-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
+
+  - id: 15216
+    title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
+    description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
+    rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.81.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36978-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
+
+  - id: 15217
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36400-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  - id: 15218
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36919-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  - id: 15219
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.3"]
+      - cis_csc: ["7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37524-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  - id: 15220
+    title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.86.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36977-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  - id: 15221
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
+    description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
+    rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.95.1"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
+
+  - id: 15222
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.95.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
+
+  - id: 15223
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.1"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36310-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  - id: 15224
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.2"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37726-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  - id: 15225
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.3"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38318-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  - id: 15226
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.1"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36254-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  - id: 15227
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37927-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  - id: 15228
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.3"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38223-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  - id: 15229
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.97.2.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36000-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  - id: 15230
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.98.1"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36499-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  - id: 15231
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
+    description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.101.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36172-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  - id: 15232
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.101.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+    references:
+      - "CCE-36172-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  - id: 15233
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.101.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+    references:
+      - "CCE-37027-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/etc/ruleset/sca/windows/cis_win2016.yml b/etc/ruleset/sca/windows/cis_win2016.yml
new file mode 100644
index 0000000000..c30a8ca637
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win2016.yml
@@ -0,0 +1,6861 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 2016
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Microsoft Windows Server 2016 v2.0.0 - 04-14-2023
+
+policy:
+  id: "cis_win2016"
+  file: "cis_win2016.yml"
+  name: "CIS Microsoft Windows Server 2016 v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2016."
+  disclaimer: "Please note that the rules provide accurate results for Windows Server 2016 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows Server 2016"
+  description: "Requirements for running the CIS benchmark under Windows Server 2016"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2016'
+
+checks:
+  ###############################################
+  # 1 Account Policies
+  ###############################################
+  # 1.1 Password Policy
+  ###############################################
+  # 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'. (Automated) - Not Implemented
+
+  # 1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. (Automated)
+  - id: 16000
+    title: "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access."
+    impact: "If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.10"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 365'
+
+  # 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'. (Automated) - Not Implemented
+  # 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'. (Automated) - Not Implemented
+  # 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. (Automated) - Not Implemented
+  # 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. (Automated) - Not Implemented
+  ##############################################
+  # 1.2 Account Lockout Policy
+  ##############################################
+  # 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. (Automated) - Not Implemented
+  # 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'. (Automated) - Not Implemented
+  # 1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'. (Manual) - Not Implemented
+  # 1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. (Automated) - Not Implemented
+  #################################
+  # 2 Local Policies
+  #################################
+  # 2.1 Audit Policy
+  #################################
+  # 2.2 User Rights Assignment
+  #################################
+  # 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only). (Automated) - Not Implemented
+  # 2.2.3 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only). (Automated) - Not Implemented
+  # 2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.8 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only). (Automated) - Not Implemented
+  # 2.2.10 (L1) Ensure 'Back up files and directories' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.11 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. (Automated) - Not Implemented
+  # 2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'. (Automated) - Not Implemented
+  # 2.2.13 (L1) Ensure 'Create a pagefile' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.14 (L1) Ensure 'Create a token object' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.15 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. (Automated) - Not Implemented
+  # 2.2.16 (L1) Ensure 'Create permanent shared objects' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.17 (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.18 (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only). (Automated) - Not Implemented
+  # 2.2.19 (L1) Ensure 'Debug programs' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.20 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only). (Automated) - Not Implemented
+  # 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only). (Automated) - Not Implemented
+  # 2.2.22 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.23 (L1) Ensure 'Deny log on as a service' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.24 (L1) Ensure 'Deny log on locally' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only). (Automated) - Not Implemented
+  # 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only). (Automated) - Not Implemented
+  # 2.2.27 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only). (Automated) - Not Implemented
+  # 2.2.29 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.31 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only). (Automated) - Not Implemented
+  # 2.2.33 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.34 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.36 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only). (Automated) - Not Implemented
+  # 2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only). (Automated) - Not Implemented
+  # 2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.40 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.41 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.42 (L1) Ensure 'Profile single process' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.43 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. (Automated) - Not Implemented
+  # 2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.45 (L1) Ensure 'Restore files and directories' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.46 (L1) Ensure 'Shut down the system' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.47 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only). (Automated) - Not Implemented
+  # 2.2.48 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. (Automated) - Not Implemented
+
+  #######################################
+  # 2.3 Security Options
+  #######################################
+  # 2.3.1 Accounts
+  #######################################
+  # 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. (Automated)
+  - id: 16001
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'."
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    impact: "Users will not be able to log onto the computer with their Microsoft account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
+    compliance:
+      - cis: ["2.3.1.1"]
+      - cis_csc_v7: ["16.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  # 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only). (Automated)
+  - id: 16002
+    title: "Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)."
+    description: "This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings."
+    rationale: "The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data."
+    impact: "All network users will need to authenticate before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. This policy setting should have little impact on most organizations because it is the default setting in Microsoft Windows 2000, Windows XP, and Windows Server™ 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Guest account status."
+    compliance:
+     - cis: ["2.3.1.2"]
+     - cis_csc_v8: ["4.7"]
+     - cis_csc_v7: ["16.8"]
+     - iso_27001-2013: ["A.9.2.1"]
+     - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+     - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+     - soc_2: ["CC6.3"]
+    condition: any
+    rules:
+      - 'c:net user guest -> r:Account active\s+No'
+      - 'c:net user guest -> r:The user name could not be found.'
+
+  # 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. (Automated)
+  - id: 16003
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'."
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
+    compliance:
+      - cis: ["2.3.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  # 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'. (Automated) - Not Implemented
+  # 2.3.1.5 (L1) Configure 'Accounts: Rename guest account'. (Automated) - Not Implemented
+  #############################
+  # 2.3.2 Audit
+  #############################
+  # 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' (Automated)
+  - id: 16004
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. Important: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    impact: None - this is the default behavior.
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."
+    references:
+      - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing#to-ensure-that-advanced-audit-policy-configuration-settings-are-not-overwritten"
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_4.0: ["9.4.5", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  # 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'. (Automated)
+  - id: 16005
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'."
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  ###########################
+  # 2.3.3 DCOM
+  ###########################
+  # 2.3.4 Devices
+  ###########################
+  # 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'. (Automated)
+  - id: 16006
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'."
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc_v7: ["13.7"]
+      - iso_27001-2013: ["A.8.3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+  # 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. (Automated)
+  - id: 16007
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
+    compliance:
+      - cis: ["2.3.4.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  ###########################
+  # 2.3.5 Domain controller
+  ###########################
+  # 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only). (Automated)
+  - id: 16008
+    title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)."
+    description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
+    impact: "None - this is the default behavior. Note that users (including those in the Server Operators group) are still able to create jobs by means of the Task Scheduler Wizard. However, those jobs will run in the context of the account that the user authenticates with when setting up the job."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks."
+    compliance:
+      - cis: ["2.3.5.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> SubmitControl'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
+
+  # 2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only). (Automated)
+  - id: 16009
+    title: "Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)."
+    description: "This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU. When the Create Vulnerable Connections list (allow list) is configured: - Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC. - Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC which is the same as the default (not necessary). Note: Warning from Microsoft - enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This policy should be used as a temporary measure for 3rd-party devices as you deploy updates. Once a 3rd-party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. The recommended state for this setting is: Not Configured."
+    rationale: "Enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to security risks. It is highly recommended that this setting not be used (i.e. be left completely unconfigured) so as not to add risk."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Not Configured: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow vulnerable Netlogon secure channel connections."
+    references:
+      - "https://go.microsoft.com/fwlink/?linkid=2133485"
+    compliance:
+      - cis: ["2.3.5.2"]
+    condition: none
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> VulnerableChannelAllowList'
+
+  # 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only). (Automated)
+  - id: 16010
+    title: "Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)."
+    description: "This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS). The recommended state for this setting is: Always. Note: All LDAP clients must have the CVC-2017-8563 security update to be compatible with Domain Controllers that have this setting enabled. More information on this setting is available at: MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows."
+    rationale: 'Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users'' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against "man-in-the-middle" attacks using LDAP authentication over SSL/TLS (LDAPS).'
+    impact: "All LDAP clients must provide channel binding information over SSL/TLS (i.e. LDAPS). The LDAP server (Domain Controller) rejects authentication requests from clients that do not do so. Clients must have the CVC-2017-8563 security update to support this feature, and may have compatibility issues with this setting without the security update. This may also mean that LDAP authentication requests over SSL/TLS that previously worked may stop working until the security update is installed. When first deploying this setting, you may initially want to only set it to the alternate setting of When supported (instead of Always) on all Domain Controllers. This alternate, interim setting enables support for LDAP client channel binding but does not require it. Then set one DC that is not currently being targeted by LDAP clients to Always, and test each of the critical LDAP clients against that DC (and remediating as necessary), before deploying Always to the rest of the DCs. We also recommend using the new Event ID 3039 on your Domain Controllers (added with the March 2020 security update) to help locate clients that do not use Channel Binding Tokens (CBT) in their LDAPS connections. This new Event ID requires increasing the logging level of the 16 LDAP Interface Events portion of the NTDS service diagnostics to a value of 2 (Basic). For more information, please see Table 2: CBT events at this link: MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows Older OSes such as Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 (non-R2), will first require patches for Microsoft Security Advisory 973811, as well as all associated fixes, in order to be compatible with domain controllers that have this setting deployed. Note: Only Always is actually considered compliant to the CIS benchmark."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Always: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server channel binding token requirements Note: This Group Policy path requires the installation of the March 2020 (or later) Windows security update. With that update, Microsoft added this setting to the built-in OS security template."
+    compliance:
+      - cis: ["2.3.5.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding -> 2'
+
+  # 2.3.5.4 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only). (Automated)
+  - id: 16011
+    title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)."
+    description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections. For more information on how to identify whether your DCs are being accessed via unsigned LDAP (and where those accesses are coming from), see this Microsoft TechNet blog article: Identifying Clear Text LDAP binds to your DC's - Practical Windows Security."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
+    impact: "Unless TLS/SSL is being used, the LDAP data signing option must be negotiated. Clients that do not support LDAP signing will be unable to run LDAP queries against the Domain Controllers. All Windows 2000-based computers in your organization that are managed from Windows Server 2003-based or Windows XP-based computers and that use Windows NT Challenge/Response (NTLM) authentication must have Windows 2000 Service Pack 3 (SP3) installed. Alternatively, these clients must have a registry change. For information about this registry change, see Microsoft Knowledge Base article 325465: Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools. Also, some non-Microsoft operating systems do not support LDAP signing. If you enable this policy setting, client computers that use those operating systems may be unable to access domain resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements."
+    compliance:
+      - cis: ["2.3.5.4"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
+
+  # 2.3.5.5 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only). (Automated)
+  - id: 16012
+    title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)."
+    description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes."
+    compliance:
+      - cis: ["2.3.5.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
+
+  ########################
+  # 2.3.6 Domain member
+  ########################
+  # 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. (Automated)
+  - id: 16013
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed. Therefore, you cannot enable the Domain member: Digitally encrypt or sign secure channel data (always) setting on Domain Controllers that support Windows 98 clients as members of the domain. Potential impacts can include the following: - The ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - Logons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - The ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted domain will be disabled. You can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers from trusted/trusting domains to Windows NT 4.0 with SP6a."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  # 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. (Automated)
+  - id: 16014
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  # 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. (Automated)
+  - id: 16015
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  # 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. (Automated)
+  - id: 16016
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'."
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
+    compliance:
+      - cis: ["2.3.6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  # 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. (Automated)
+  - id: 16017
+    title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'."
+    description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the passwords of computer accounts."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Maximum machine account password age."
+    compliance:
+      - cis: ["2.3.6.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 30'
+
+  # 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. (Automated)
+  - id: 16018
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'."
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)."
+    impact: "None - this is the default behavior. However, computers will not be able to join Windows NT 4.0 domains, and trusts between Active Directory domains and Windows NT-style domains may not work properly. Also, Domain Controllers with this setting configured will not allow older pre-Windows 2000 clients (that that do not support this policy setting) to join the domain."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
+    compliance:
+      - cis: ["2.3.6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  ##########################
+  # 2.3.7 Interactive logon
+  ##########################
+  # 2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'. (Automated)
+  - id: 16019
+    title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'."
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    impact: "The name of the last user to successfully log on will not be displayed in the Windows logon screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name Note: In newer versions of Microsoft Windows Server, starting with Windows Server 2019, this setting was renamed Interactive logon: Don't display last signed-in."
+    compliance:
+      - cis: ["2.3.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  # 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. (Automated)
+  - id: 16020
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'."
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    impact: "Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL."
+    compliance:
+      - cis: ["2.3.7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  # 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. (Automated)
+  - id: 16021
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'."
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    impact: "The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit."
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  # 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on'. (Automated) - Not Implemented
+  # 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on'. (Automated) - Not Implemented
+
+  # 2.3.7.6 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) (Automated)
+  - id: 16022
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)."
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
+    impact: "Users will be unable to log on to any computers if there is no Domain Controller available to authenticate them. Organizations may want to configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information will still be in the cache, even if a member of the IT department has recently logged on to their computer to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)."
+    compliance:
+      - cis: ["2.3.7.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
+
+  # 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. (Automated)
+  - id: 16023
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'."
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    impact: "Users will see a dialog box prompt to change their password each time that they log on to the domain when their password is configured to expire between 5 and 14 days."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
+    compliance:
+      - cis: ["2.3.7.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  # 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only). (Automated)
+  - id: 16024
+    title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)."
+    description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
+    rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
+    impact: "When the console on a computer is locked, either by a user or automatically by a screen saver time-out, the console can only be unlocked if a Domain Controller is available to re-authenticate the domain account that is being used to unlock the computer. If no Domain Controller is available, the user cannot unlock the computer."
+    remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation."
+    compliance:
+      - cis: ["2.3.7.8"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
+
+  # 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. (Automated)
+  - id: 16025
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher."
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    impact: "If you select Lock Workstation, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you select Force Logoff, users are automatically logged off when their smart card is removed. If you select Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the users off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy will function identically to Lock Workstation. Enforcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower productivity. For example, if network administrators are limited to a single account but need to log into several computers simultaneously in order to effectively manage the network enforcing this setting will limit them to logging onto one computer at a time. For these reasons it is recommended that this setting only be enforced on workstations used for purposes commonly associated with typical users such as document creation and email."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
+
+  ###############################################
+  # 2.3.8 Microsoft network client
+  ###############################################
+  # 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. (Automated)
+  - id: 16026
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
+    description: 'This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server - Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is - Enabled.'
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. (Automated)
+  - id: 16027
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "None - this is the default behavior. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)."
+    compliance:
+      - cis: ["2.3.8.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. (Automated)
+  - id: 16028
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'."
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    impact: "None - this is the default behavior. Some very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with the servers in your organization by means of the SMB protocol."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1'
+
+  ############################################
+  # 2.3.9 Microsoft network server
+  ############################################
+  # 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. (Automated)
+  - id: 16029
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'."
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s)."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    impact: "There will be little impact because SMB sessions will be re-established automatically if the client resumes activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  # 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. (Automated)
+  - id: 16030
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.9.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. (Automated)
+  - id: 16031
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)."
+    compliance:
+      - cis: ["2.3.9.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. (Automated)
+  - id: 16032
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'."
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    impact: "None - this is the default behavior. If logon hours are not used in your organization, this policy setting will have no impact. If logon hours are used, existing user sessions will be forcibly terminated when their logon hours expire."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire."
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc_v8: ["5.6"]
+      - cis_csc_v7: ["16.13"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only). (Automated)
+  - id: 16033
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)."
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    impact: "All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. If configured to Accept if provided by client, the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. If configured to Required from client, the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by client, or the SPN provided does not match, the session is denied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level."
+    compliance:
+      - cis: ["2.3.9.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> SMBServerNameHardeningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+  ##################################
+  # 2.3.10 Network access
+  ##################################
+  # 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. (Automated)
+  - id: 16034
+    title: "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
+    description: "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled."
+    rationale: "If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Allow anonymous SID/Name translation."
+    compliance:
+      - cis: ["2.3.10.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> TurnOffAnonymousBlock'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> TurnOffAnonymousBlock -> 0'
+
+  # 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only). (Automated)
+  - id: 16035
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "None - this is the default behavior. It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts."
+    compliance:
+      - cis: ["2.3.10.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  # 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only). (Automated)
+  - id: 16036
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server. Users who access file and print servers anonymously will be unable to list the shared network resources on those servers; the users will have to authenticate before they can view the lists of shared folders and printers. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares."
+    compliance:
+      - cis: ["2.3.10.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous '
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  # 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. (Automated)
+  - id: 16037
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    impact: "Credential Manager will not store passwords and credentials on the computer. Users will be forced to enter passwords whenever they log on to their Passport account or other network resources that aren't accessible to their domain account. Testing has shown that clients running Windows Vista or Windows Server 2008 will be unable to connect to Distributed File System (DFS) shares in untrusted domains. Enabling this setting also makes it impossible to specify alternate credentials for scheduled tasks, this can cause a variety of problems. For example, some third-party backup products will no longer work. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory-based domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
+    compliance:
+      - cis: ["2.3.10.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  # 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. (Automated)
+  - id: 16038
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'."
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
+    compliance:
+      - cis: ["2.3.10.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  # 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only). (Automated)
+  - id: 16039
+    title: "Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)."
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    impact: "Null session access over named pipes will be disabled unless they are included, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The BROWSER named pipe may need to be added to this list if the Computer Browser service is needed for supporting legacy components. The Computer Browser service is disabled by default."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:LSARPC && r:NETLOGON && r:SAMR'
+
+  # 2.3.10.7 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only). (Automated) - Not Implemented
+
+  # 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths' is configured. (Automated)
+  - id: 16040
+    title: "Configure 'Network access: Remotely accessible registry paths' is configured."
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called \"Network access: Remotely accessible registry paths and sub-paths\" in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion."
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    impact: "None - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. Note: If you want to allow remote access, you must also enable the Remote Registry service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths."
+    compliance:
+      - cis: ["2.3.10.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+  # 2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured. (Automated)
+  - id: 16041
+    title: "Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured."
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called \"Network access: Remotely accessible registry paths,\" the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog The recommended state for servers that hold the Active Directory Certificate Services Role with Certification Authority Role Service includes the above list and: System\\CurrentControlSet\\Services\\CertSvc The recommended state for servers that have the WINS Server Feature installed includes the above list and: System\\CurrentControlSet\\Services\\WINS."
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    impact: "None - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. Note: If you want to allow remote access, you must also enable the Remote Registry service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS."
+    compliance:
+      - cis: ["2.3.10.9"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
+
+  # 2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. (Automated)
+  - id: 16042
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'."
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    impact: "None - this is the default behavior. If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipes are required to maintain trust relationships between the domains, and then add the pipe to the Network access: Named pipes that can be accessed anonymously list: - COMNAP: SNA session access - COMNODE: SNA session access - SQL\\QUERY: SQL instance access - SPOOLSS: Spooler service - LLSRPC: License Logging service - NETLOGON: Net Logon service - LSARPC: LSA access - SAMR: Remote access to SAM objects - BROWSER: Computer Browser service Previous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increased hardening in Windows Server 2003 with SP1 these pipes must be explicitly added if needed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
+    compliance:
+      - cis: ["2.3.10.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  # 2.3.10.11 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only). (Automated)
+  - id: 16043
+    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)."
+    description: 'This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note #2: This setting was originally only supported on Windows Server 2016 and newer, then support for it was added to Windows Server 2008 R2 and newer via the March 2017 security patches. Note #3: If your organization is using Azure Advanced Threat Protection (APT), the service account, "AATP Service" will need to be added to the recommendation configuration. For more information on adding the "AATP Service" account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.'
+    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM."
+    compliance:
+      - cis: ["2.3.10.11"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> restrictremotesam'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> restrictremotesam -> O:BAG:BAD:(A;;RC;;;BA)'
+
+  # 2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. (Automated)
+  - id: 16044
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.12"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
+
+  # 2.3.10.13 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. (Automated)
+  - id: 16045
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'."
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    impact: "None - this is the default configuration for domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
+    compliance:
+      - cis: ["2.3.10.13"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  # 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. (Automated)
+  - id: 16046
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'."
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    impact: "Services running as Local System that use Negotiate when reverting to NTLM authentication will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
+    compliance:
+      - cis: ["2.3.11.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  # 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. (Automated)
+  - id: 16047
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'."
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    impact: "Any applications that require NULL sessions for LocalSystem will not work as designed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
+    compliance:
+      - cis: ["2.3.11.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  # 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. (Automated)
+  - id: 16048
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'."
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    impact: "None - this is the default configuration for domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
+    compliance:
+      - cis: ["2.3.11.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  # 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Automated)
+  - id: 16049
+    title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it."
+    rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    impact: "If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. Note #2: Windows Server 2008 (non-R2) and below allow DES for Kerberos by default, but later OS versions do not. Note #3: Some prerequisites might need to be met on Domain Controllers to support Kerberos AES 128 and 256 bit encryption types, as well as enabling support for Kerberos AES 128 and 256 bit on user accounts (in account options) for this recommendation to work correctly. Note #4: If your organization uses Azure Files, please note that Microsoft did not introduce AES 256 Kerberos encryption support for it until AD DS authentication module v0.2.2. Please see this link for more information: https://docs.microsoft.com/en-us/azure/storage/files/ storage-troubleshoot-windows-file-connection-problems#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
+    reference:
+      - "https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption"
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'
+
+  # 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. (Automated)
+  - id: 16050
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'."
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    impact: "None - this is the default behavior. Earlier operating systems such as Windows 95, Windows 98, and Windows ME as well as some third-party applications will fail."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  # 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. (Manual)
+  - id: 16051
+    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'."
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled."
+    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
+    compliance:
+      - cis: ["2.3.11.6"]
+      - cis_csc_v8: ["5.6"]
+      - cis_csc_v7: ["16.13"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'. (Automated)
+  - id: 16052
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'."
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to down-level domains - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP - Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non-R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    impact: "Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; Domain Controllers refuse LM and NTLM (accept only NTLMv2 authentication). Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  # 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. (Automated)
+  - id: 16053
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher."
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    impact: "None - this is the default behavior. However, if you choose instead to configure the server to require LDAP signatures then you must also configure the client. If you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts, because the caller will be told that the LDAP BIND command request failed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'
+
+  # 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 16054
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    impact: "NTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not both negotiated. Client applications that are enforcing these settings will be unable to communicate with older servers that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+  # 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)'
+  - id: 16055
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    impact: "NTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not both negotiated. Server applications that are enforcing these settings will be unable to communicate with older servers that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  # 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'. (Automated)
+  - id: 16056
+    title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'."
+    description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+    rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
+    compliance:
+      - cis: ["2.3.13.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
+  # 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. (Automated)
+  - id: 16057
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'."
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non - Windows subsystems."
+    compliance:
+      - cis: ["2.3.15.1"]
+      - cis_csc_v8: ["4.1", "5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - hipaa: ["164.312(a)(2)(i)"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "8.1", "8.1.1"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "12.5.2", "2.1.1", "2.2.1"]
+      - soc_2: ["CC6.1", "CC6.2", "CC6.3", "CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  # 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. (Automated)
+  - id: 16058
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'."
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
+    compliance:
+      - cis: ["2.3.15.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  # 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. (Automated)
+  - id: 16059
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: 'One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows. To address this risk, in Windows Vista or newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled.'
+    impact: "The built-in Administrator account uses Admin Approval Mode. Users that log on using the local Administrator account will be prompted for consent whenever a program requests an elevation in privilege, just like any other user would."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
+    compliance:
+      - cis: ["2.3.17.1"]
+      - cis_csc_v7: ["4.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  # 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher (Automated)
+  - id: 16060
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher."
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop. Configuring this setting to Prompt for credentials on the secure desktop also conforms to the benchmark."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    impact: "When an operation (including execution of a Windows binary) requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop or Prompt for credentials on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
+
+  # 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'. (Automated)
+  - id: 16061
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    impact: 'When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. Note: With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program requiring privilege elevation (without Administrator rights) is "This program will not run. This program is blocked by group policy. For more information, contact your system administrator." Some users who are not used to seeing this message may believe that the operation or program they attempted to run is specifically blocked by group policy, as that is what the message seems to imply. This message may therefore result in user questions as to why that specific operation/program is blocked, when in fact, the problem is that they need to perform the operation or run the program with an Administrative account (or "Run as Administrator" if it is already an Administrator account), and they are not doing that.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
+    compliance:
+      - cis: ["2.3.17.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  # 2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. (Automated)
+  - id: 16062
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+    impact: "When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
+    compliance:
+      - cis: ["2.3.17.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  # 2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. (Automated)
+  - id: 16063
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'."
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
+    compliance:
+      - cis: ["2.3.17.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  # 2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. (Automated)
+  - id: 16064
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    impact: "None - this is the default behavior. Users and administrators will need to learn to work with UAC prompts and adjust their work habits to use least privilege operations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  # 2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. (Automated)
+  - id: 16065
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'."
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
+    compliance:
+      - cis: ["2.3.17.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  # 2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. (Automated)
+  - id: 16066
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'."
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %windir% - %windir%\\System32 - HKEY_LOCAL_MACHINE\\SOFTWARE The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
+    compliance:
+      - cis: ["2.3.17.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  # 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only). (Automated)
+  - id: 16067
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    impact: "Domain Controllers will not be able to prune published printers from Active Directory. By default, Domain Controllers prune printer objects from Active Directory if the computer that published them doesn't respond to contact requests. Domain Controllers will not be able to act as a print server, sharing printers for clients. Applications on and users logged in at Domain Controllers will not be able to print, including printing to files (such as Adobe Portable Document Format (PDF)) which uses the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  # 5.2 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only). (Automated)
+  - id: 16068
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    impact: "Member Servers will not be able to act as a print server, sharing printers for clients. Applications on and users logged in to Member Servers will not be able to print, including printing to files (such as Adobe Portable Document Format (PDF)) which uses the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  ###############################################
+  # 9 Windows Firewall with Advanced Security
+  ###############################################
+
+  ###############################################
+  # 9.1 Domain Profile
+  ###############################################
+
+  # 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 16069
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  # 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 16070
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  # 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 16071
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  # 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 16072
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.1.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  # 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. (Automated)
+  - id: 16073
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  # 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 16074
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 16075
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 16076
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.2 Private Profile
+  ###############################################
+
+  # 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 16077
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  # 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 16078
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  # 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 16079
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  # 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 16080
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.2.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  # 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'. (Automated)
+  - id: 16081
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  # 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 16082
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 16083
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 16084
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.3 Public Profile
+  ###############################################
+
+  # 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 16085
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  # 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 16086
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  # 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 16087
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  # 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 16088
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.3.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  # 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. (Automated)
+  - id: 16089
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    impact: "Administrators can still create firewall rules, but the rules will not be applied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules."
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  # 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. (Automated)
+  - id: 16090
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    impact: "Administrators can still create local connection security rules, but the rules will not be applied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules."
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  # 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'. (Automated)
+  - id: 16091
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  # 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 16092
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 16093
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 16094
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 17 Advanced Audit Policy Configuration
+  ###############################################
+
+  # 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'. (Automated)
+  - id: 16095
+    title: "Ensure 'Audit Credential Validation' is set to 'Success and Failure'."
+    description: "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - 4774: An account was mapped for logon. - 4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Credential Validation."
+    compliance:
+      - cis: ["17.1.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.12"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Credential Validation" -> r:Success and Failure'
+
+  # 17.1.2 (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only). (Automated)
+  - id: 16096
+    title: "Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)."
+    description: "This subcategory reports the results of events generated after a Kerberos authentication TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user. - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed. - 4772: A Kerberos authentication ticket request failed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Kerberos Authentication Service."
+    compliance:
+      - cis: ["17.1.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Kerberos Authentication Service" -> r:Success and Failure'
+
+  # 17.1.3 (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only). (Automated)
+  - id: 16097
+    title: "Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)."
+    description: "This subcategory reports the results of events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Kerberos Service Ticket requests (TGS requests) occur as part of service use and access requests by specific accounts. Auditing these events will record the IP address from which the account requested TGS, when TGS was requested, and which encryption type was used. - 4769: A Kerberos service ticket was requested. - 4770: A Kerberos service ticket was renewed. - 4773: A Kerberos service ticket request failed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Kerberos Service Ticket Operations."
+    compliance:
+      - cis: ["17.1.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Kerberos Service Ticket Operations" -> r:Success and Failure'
+
+  # 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'. (Automated)
+  - id: 16098
+    title: "Ensure 'Audit Application Group Management' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Application Group Management."
+    compliance:
+      - cis: ["17.2.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Application Group Management" -> r:Success and Failure'
+
+  # 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only). (Automated)
+  - id: 16099
+    title: "Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)."
+    description: "This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer account was deleted. The recommended state for this setting is to include: Success."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Computer Account Management."
+    compliance:
+      - cis: ["17.2.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Computer Account Management" -> r:Success'
+
+  # 17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only). (Automated)
+  - id: 16100
+    title: "Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)."
+    description: "This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include: - 4744: A security-disabled local group was created. - 4745: A security-disabled local group was changed. - 4746: A member was added to a security-disabled local group. - 4747: A member was removed from a security-disabled local group. - 4748: A security-disabled local group was deleted. - 4749: A security-disabled global group was created. - 4750: A security-disabled global group was changed. - 4751: A member was added to a security-disabled global group. - 4752: A member was removed from a security-disabled global group. - 4753: A security-disabled global group was deleted. - 4759: A security-disabled universal group was created. - 4760: A security-disabled universal group was changed. - 4761: A member was added to a security-disabled universal group. - 4762: A member was removed from a security-disabled universal group. - 4763: A security-disabled universal group was deleted. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may provide an organization with insight when investigating an incident. For example, when a given unauthorized user was added to a sensitive distribution group."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Distribution Group Management."
+    compliance:
+      - cis: ["17.2.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Distribution Group Management" -> r:Success'
+
+  # 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only). (Automated)
+  - id: 16101
+    title: "Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)."
+    description: "This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Other Account Management Events."
+    compliance:
+      - cis: ["17.2.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Other Account Management Events" -> r:Success'
+
+  # 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to include 'Success'. (Automated)
+  - id: 16102
+    title: "Ensure 'Audit Security Group Management' is set to include 'Success'."
+    description: "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Security Group Management."
+    compliance:
+      - cis: ["17.2.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.6"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.2.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Security Group Management" -> r:Success'
+
+  # 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'. (Automated)
+  - id: 16103
+    title: "Ensure 'Audit User Account Management' is set to 'Success and Failure'."
+    description: "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management."
+    compliance:
+      - cis: ["17.2.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"User Account Management" -> r:Success and Failure'
+
+  # 17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success'. (Automated)
+  - id: 16104
+    title: "Ensure 'Audit PNP Activity' is set to include 'Success'."
+    description: "This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit PNP Activity."
+    compliance:
+      - cis: ["17.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"PNP Activity" -> r:Success'
+
+  # 17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success'. (Automated)
+  - id: 16105
+    title: "Ensure 'Audit Process Creation' is set to include 'Success'."
+    description: "This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit Process Creation."
+    compliance:
+      - cis: ["17.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Process Creation" -> r:Success'
+
+  # 17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only). (Automated)
+  - id: 16106
+    title: "Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)."
+    description: "This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 4662 : An operation was performed on an object. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Access."
+    compliance:
+      - cis: ["17.4.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Directory Service Access" -> r:Failure'
+
+  # 17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only). (Automated)
+  - id: 16107
+    title: "Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)."
+    description: "This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 5136 : A directory service object was modified. - 5137 : A directory service object was created. - 5138 : A directory service object was undeleted. - 5139 : A directory service object was moved. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Changes."
+    compliance:
+      - cis: ["17.4.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Directory Service Changes" -> r:Success'
+
+  # 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure'. (Automated)
+  - id: 16108
+    title: "Ensure 'Audit Account Lockout' is set to include 'Failure'."
+    description: "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Account Lockout."
+    compliance:
+      - cis: ["17.5.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.6"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.2.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Account Lockout" -> r:Failure'
+
+  # 17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success'. (Automated)
+  - id: 16109
+    title: "Ensure 'Audit Group Membership' is set to include 'Success'."
+    description: "This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Group Membership."
+    compliance:
+      - cis: ["17.5.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Group Membership" -> r:Success'
+
+  # 17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success'. (Automated)
+  - id: 16110
+    title: "Ensure 'Audit Logoff' is set to include 'Success'."
+    description: "This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logoff."
+    compliance:
+      - cis: ["17.5.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Logoff" -> r:Success'
+
+  # 17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure'. (Automated)
+  - id: 16111
+    title: "Ensure 'Audit Logon' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logon."
+    compliance:
+      - cis: ["17.5.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Logon" -> r:Success and Failure'
+
+  # 17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'. (Automated)
+  - id: 16112
+    title: "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'."
+    description: "This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Other Logon/Logoff Events."
+    compliance:
+      - cis: ["17.5.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Other Logon/Logoff Events" -> r:Success and Failure'
+
+  # 17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success'. (Automated)
+  - id: 16113
+    title: "Ensure 'Audit Special Logon' is set to include 'Success'."
+    description: "This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Special Logon."
+    compliance:
+      - cis: ["17.5.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Special Logon" -> r:Success'
+
+  # 17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'. (Automated)
+  - id: 16114
+    title: "Ensure 'Audit Detailed File Share' is set to include 'Failure'."
+    description: "This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Detailed File Share."
+    compliance:
+      - cis: ["17.6.1"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.3", "14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Detailed File Share" -> r:Failure'
+
+  # 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure'. (Automated)
+  - id: 16115
+    title: "Ensure 'Audit File Share' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited."
+    rationale: "In an enterprise managed environment, it's important to track deletion, creation, modification, and access events for network shares. Any unusual file sharing activity may be useful in an investigation of potentially malicious activity."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit File Share."
+    compliance:
+      - cis: ["17.6.2"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.3", "14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"File Share" -> r:Success and Failure'
+
+  # 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'. (Automated)
+  - id: 16116
+    title: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure."
+    rationale: "The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Other Object Access Events."
+    compliance:
+      - cis: ["17.6.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Audit Other Object Access Events" -> r:Success and Failure'
+
+  # 17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'. (Automated)
+  - id: 16117
+    title: "Ensure 'Audit Removable Storage' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Removable Storage."
+    compliance:
+      - cis: ["17.6.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Removable Storage" -> r:Success and Failure'
+
+  # 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'. (Automated)
+  - id: 16118
+    title: "Ensure 'Audit Audit Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Audit Policy Change."
+    compliance:
+      - cis: ["17.7.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Audit Policy Change" -> r:Success'
+
+  # 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'. (Automated)
+  - id: 16119
+    title: "Ensure 'Audit Authentication Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authentication Policy Change."
+    compliance:
+      - cis: ["17.7.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Authentication Policy Change" -> r:Success'
+
+  # 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'. (Automated)
+  - id: 16120
+    title: "Ensure 'Audit Authorization Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authorization policy. Events for this subcategory include: - 4703: A user right was adjusted. - 4704: A user right was assigned. - 4705: A user right was removed. - 4670: Permissions on an object were changed. - 4911: Resource attributes of the object were changed. - 4913: Central Access Policy on the object was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change."
+    compliance:
+      - cis: ["17.7.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Authorization Policy Change" -> r:Success'
+
+  # 17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'. (Automated)
+  - id: 16121
+    title: "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'."
+    description: "This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure."
+    rationale: "Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit MPSSVC Rule - Level Policy Change."
+    compliance:
+      - cis: ["17.7.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"MPSSVC Rule-Level Policy Change" -> r:Success and Failure'
+
+  # 17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'. (Automated)
+  - id: 16122
+    title: "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'."
+    description: "This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure."
+    rationale: "This setting can help detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Other Policy Change Events."
+    compliance:
+      - cis: ["17.7.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Other Policy Change Events" -> r:Failure'
+
+  # 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'. (Automated)
+  - id: 16123
+    title: "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Impersonate a client after authentication Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Privilege Use\\Audit Sensitive Privilege Use."
+    compliance:
+      - cis: ["17.8.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Sensitive Privilege Use" -> r:Success and Failure'
+
+  # 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'. (Automated)
+  - id: 16124
+    title: "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'."
+    description: "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit IPsec Driver."
+    compliance:
+      - cis: ["17.9.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"IPsec Driver" -> r:Success and Failure'
+
+  # 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'. (Automated)
+  - id: 16125
+    title: "Ensure 'Audit Other System Events' is set to 'Success and Failure'."
+    description: "This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure."
+    rationale: "Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Other System Events."
+    compliance:
+      - cis: ["17.9.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Other System Events" -> r:Success and Failure'
+
+  # 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'. (Automated)
+  - id: 16126
+    title: "Ensure 'Audit Security State Change' is set to include 'Success'."
+    description: "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change."
+    compliance:
+      - cis: ["17.9.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Security State Change" -> r:Success'
+
+  # 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'. (Automated)
+  - id: 16127
+    title: "Ensure 'Audit Security System Extension' is set to include 'Success'."
+    description: "This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security System Extension."
+    compliance:
+      - cis: ["17.9.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"Security System Extension" -> r:Success'
+
+  # 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'. (Automated)
+  - id: 16128
+    title: "Ensure 'Audit System Integrity' is set to 'Success and Failure'."
+    description: "This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit System Integrity."
+    compliance:
+      - cis: ["17.9.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol /get /subcategory:"System Integrity" -> r:Success and Failure'
+
+  ###############################################
+  # 18 Administrative Templates (Computer)
+  ###############################################
+  ###############################################
+  # 18.1 Control Panel
+  ###############################################
+
+  # 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. (Automated)
+  - id: 16129
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'."
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    impact: "If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  # 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. (Automated)
+  - id: 16130
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'."
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    impact: "If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+  # 18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. (Automated)
+  - id: 16131
+    title: "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'."
+    description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+    impact: "Automatic learning of speech, inking, and typing stops and users cannot change its value via PC Settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow users to enable online speech recognition services Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow input personalization, but it was renamed to Allow users to enable online speech recognition services starting with the Windows 10 R1809 & Server 2019 Administrative Templates."
+    compliance:
+      - cis: ["18.1.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+  # 18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled'. (Automated)
+  - id: 16132
+    title: "Ensure 'Allow Online Tips' is set to 'Disabled'."
+    description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Settings will not contact Microsoft content services to retrieve tips and help content."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.3"]
+      - cis_csc_v7: ["9.2", "9.3"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
+  # 18.3.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only). (Automated)
+  - id: 16133
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize third-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "No impact. When installed and registered properly, AdmPwd.dll takes no action unless given appropriate GPO commands during Group Policy refresh. It is not a memory-resident agent or service. In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc_v8: ["5.2", "5.4"]
+      - cis_csc_v7: ["4.4", "16.2"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  # 18.3.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only). (Automated)
+  - id: 16134
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize third-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: 'Planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc_v7: ["16.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  # 18.3.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only). (Automated)
+  - id: 16135
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "The local administrator password is managed (provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see recommendation Ensure LAPS AdmPwd GPO Extension / CSE is installed), the Active Directory domain schema and account permissions have been properly configured on the domain). In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc_v8: ["5.2", "5.4"]
+      - cis_csc_v7: ["4.4", "16.2"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  # 18.3.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only). (Automated)
+  - id: 16136
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to contain large letters + small letters + numbers + special characters."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  # 18.3.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only). (Automated)
+  - id: 16137
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to have a length of 15 characters (or more, if selected)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.5"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  # 18.3.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only). (Automated)
+  - id: 16138
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to have a maximum age of 30 days (or fewer, if selected)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.10"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  # 18.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only). (Automated)
+  - id: 16139
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)."
+    description: 'This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled.'
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
+
+  # 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'. (Automated)
+  - id: 16140
+    title: "Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'."
+    description: "This policy setting controls packet level privacy for Remote Procedure Call (RPC) incoming connections. The recommended state for this setting is: Enabled."
+    rationale: "A security bypass vulnerability (CVE-2021-1678 | Windows Print Spooler Spoofing Vulnerability) exists in the way the Printer RPC binding handles authentication for the remote Winspool interface. Enabling the RPC packet level privacy setting for incoming connections enforces the server-side to increase the authentication level to minimize this vulnerability."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure RPC packet level privacy setting for incoming connections Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    references:
+      - "https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1678"
+    compliance:
+      - cis: ["18.4.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print -> RpcAuthnLevelPrivacyEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print -> RpcAuthnLevelPrivacyEnabled -> 1'
+
+  # 18.4.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'. (Automated)
+  - id: 16141
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'."
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver (recommended). Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: 'Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy - "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog.'
+    impact: "Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: SMB1 Product Clearinghouse | Storage at Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "14.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  # 18.4.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'. (Automated)
+  - id: 16142
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
+    rationale: 'Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy - "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog.'
+    impact: "Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: SMB1 Product Clearinghouse | Storage at Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "14.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  # 18.4.5 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. (Automated)
+  - id: 16143
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    impact: "After you enable SEHOP, existing versions of Cygwin, Skype, and Armadillo-protected applications may not work correctly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. More information is available at MSKB 956607: How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  # 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled'. (Automated)
+  - id: 16144
+    title: "Ensure 'LSA Protection' is set to 'Enabled'."
+    description: "This policy setting controls whether the Local Security Authority Server Service (LSASS) process runs protected. The Local Security Authority (LSA), which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The recommended state for this setting is: Enabled. Note: This setting only applies to Windows Server 2012 R2 (and newer) except for Windows Server 2022 (and newer). See policy setting Configure LSASS to run as a protected process."
+    rationale: "The Windows Server 2012 R2 (and newer) provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. Enabling this setting provides added security for the credentials that LSA stores and manages."
+    impact: "If additional LSA protection is enabled, Administrators will not be able to debug a custom LSA plugin. A debugger cannot be attached to LSASS when it's a protected process. In general, there's no supported way to debug a running protected process."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\LSA Protection Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    references:
+      - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection"
+    compliance:
+      - cis: ["18.4.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RunAsPPL'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RunAsPPL -> 1'
+
+  # 18.4.7 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'. (Automated)
+  - id: 16145
+    title: "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'."
+    description: "This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: - The B-node (broadcast) method only uses broadcasts. - The P-node (point-to-point) method only uses name queries to a name server (WINS). - The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. - The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point). Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts."
+    impact: "NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\NetBT NodeType configuration Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new NetBT NodeType configuration setting."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+  # 18.4.8 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'. (Automated)
+  - id: 16146
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'."
+    description: 'When WDigest authentication is enabled, Lsass.exe retains a copy of the user''s plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled.'
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    impact: "None - this is also the default configuration for Server 2012 R2 or newer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.8"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  # 18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. (Automated)
+  - id: 16147
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'."
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see Microsoft Knowledge Base article 324737: How to turn on automatic logon in Windows. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  # 18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
+  - id: 16148
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    impact: "All incoming source routed packets will be dropped."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    reference:
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    compliance:
+      - cis: ["18.5.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
+  - id: 16149
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    impact: "All incoming source routed packets will be dropped."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    reference:
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    compliance:
+      - cis: ["18.5.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.5.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. (Automated)
+  - id: 16150
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'."
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    impact: "When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  # 18.5.5 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. (Automated)
+  - id: 16151
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'."
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    impact: "Keep-alive packets are not sent by default by Windows. However, some applications may configure the TCP stack flag that requests keep-alive packets. For such configurations, you can lower this value from the default setting of two hours to five minutes to disconnect inactive sessions more quickly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  # 18.5.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. (Automated)
+  - id: 16152
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'."
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  # 18.5.7 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. (Automated)
+  - id: 16153
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'."
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+    impact: "Windows will not automatically detect and configure default gateway addresses on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  # 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. (Automated)
+  - id: 16154
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'."
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs."
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.8"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  # 18.5.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' (Automated)
+  - id: 16155
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'."
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    impact: "Users will have to enter their passwords to resume their console sessions as soon as the grace period ends after screen saver activation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.9"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  # 18.5.10 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. (Automated)
+  - id: 16156
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    impact: "TCP starts a retransmission timer when each outbound segment is passed to the IP. If no acknowledgment is received for the data in a given segment before the timer expires, then the segment is retransmitted up to three times."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.10"]
+      - cis_csc_v8: ["4.2"]
+      - cis_csc_v7: ["11.1"]
+      - cmmc_v2.0: ["CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.3", "CM.L2-3.4.6", "CM.L2-3.4.7", "SC.L2-3.13.6"]
+      - nist_sp_800-53: ["AC-18(1)", "AC-18(3)", "CM-2", "CM-6", "CM-7", "CM-7(1)", "CM-9"]
+      - pci_dss_v3.2.1: ["1.1.1", "1.2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.4.2", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.5.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. (Automated)
+  - id: 16157
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    impact: "TCP starts a retransmission timer when each outbound segment is passed to the IP. If no acknowledgment is received for the data in a given segment before the timer expires, then the segment is retransmitted up to three times."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.11"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.5.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' (Automated)
+  - id: 16158
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'."
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    impact: "An audit event will be generated when the Security log reaches the 90% percent full threshold (or whatever lower value may be set) unless the log is configured to overwrite events as needed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.12"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.3", "6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  # 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. (Automated)
+  - id: 16159
+    title: "Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'."
+    description: "This policy setting specifies if the Domain Name System (DNS) client will perform name resolution over Network Basic Input/Output System (NetBIOS). NetBIOS is a legacy name resolution method for internal Microsoft networking that predates the use of DNS for that purpose (pre-Active Directory). Some legacy applications still require the use of NetBIOS for full functionality. The recommended state for this setting is: Enabled: Disable NetBIOS name resolution on public networks. Configuring this setting to Enabled: Disable NetBIOS name resolution also conforms to the benchmark."
+    rationale: 'NetBIOS does not perform authentication and can allow remote attackers to cause a denial of service by sending spoofed Name Conflicts or Name Release datagrams. This is also known as "NetBIOS Name Server Protocol Spoofing". Preventing the use of NetBIOS on public networks reduces the attack surface.'
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable NetBIOS name resolution on public networks: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Configure NetBIOS settings."
+    compliance:
+      - cis: ["18.6.4.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableNetbios'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableNetbios -> 1'
+
+  # 18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. (Automated)
+  - id: 16160
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    impact: "In the event DNS is unavailable a system will be unable to request it from other systems on the same subnet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.4.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 1'
+
+  # 18.6.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled'. (Automated)
+  - id: 16161
+    title: "Ensure 'Enable Font Providers' is set to 'Disabled'."
+    description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+    impact: "Windows will not connect to an online font provider and will only enumerate locally-installed fonts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.5.1"]
+      - cis_csc_v8: ["16.5"]
+      - cis_csc_v7: ["18.4"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["12.3.4", "6.3.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+  # 18.6.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'. (Automated)
+  - id: 16162
+    title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
+    description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
+    rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+    impact: "The SMB client will reject insecure guest logons. This was not originally the default behavior in older versions of Windows, but Microsoft changed the default behavior starting with Windows Server 2016 R1709: Guest access in SMB2 disabled by default in Windows 10 and Windows Server 2016."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.8.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+  # 18.6.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. (Automated)
+  - id: 16163
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.9.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
+  # 18.6.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. (Automated)
+  - id: 16164
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.9.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
+  # 18.6.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. (Automated)
+  - id: 16165
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'."
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    impact: "Microsoft Peer-to-Peer Networking Services are turned off in their entirety, and all applications dependent on them will stop working."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P - pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.10.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  # 18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. (Automated)
+  - id: 16166
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."
+    description: "You can use this procedure to control a user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    impact: "Users cannot create or configure a Network Bridge."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.11.2"]
+      - cis_csc_v8: ["4.8", "12.2"]
+      - cis_csc_v7: ["11.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22", "AC.L2-3.1.14", "AC.L2-3.1.16", "AC.L2-3.1.17", "AC.L2-3.1.3", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.5", "SC.L2-3.13.2", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["CP-6", "CP-7", "PL-8"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "1.2.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "1.3.1", "1.3.2", "1.3.3", "1.4.4", "11.4.5", "2.2.4", "6.4.1", "7.1", "7.2.5.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  # 18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. (Automated)
+  - id: 16167
+    title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."
+    description: 'Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled.'
+    rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+    impact: "Mobile Hotspot cannot be enabled or configured by Administrators and non-Administrators alike."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.11.3"]
+      - cis_csc_v8: ["4.8", "12.2"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22", "AC.L2-3.1.14", "AC.L2-3.1.16", "AC.L2-3.1.17", "AC.L2-3.1.3", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.5", "SC.L2-3.13.2", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CP-6", "CP-7", "PL-8"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "1.2.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "1.3.1", "1.3.2", "1.3.3", "1.4.4", "11.4.5", "2.2.4", "6.4.1", "7.1", "7.2.5.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 1'
+
+  # 18.6.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. (Automated)
+  - id: 16168
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    impact: "Domain users must elevate when setting a network's location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.11.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  # 18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (Automated)
+  - id: 16169
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares''.'
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths. Additional guidance on the deployment of this security setting is available from the Microsoft Premier Field Engineering (PFE) Platforms TechNet Blog here: Guidance on Deployment of MS15-011 and MS15-014."
+    impact: "Windows only allows access to the specified UNC paths after fulfilling additional security requirements."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required - it is included with the MS15-011 / MSKB 3000483 security update or with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+
+  # 18.6.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)'). (Automated)
+  - id: 16170
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."
+    description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)."
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components removes a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+    impact: "Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. Examples of Microsoft applications that may use IPv6 include: Remote Assistance, HomeGroup, DirectAccess, Windows Mail. This registry change is documented in Microsoft Knowledge Base article 929852: How to disable IPv6 or its components in Windows. Note: This registry change does not take effect until the next reboot."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+    compliance:
+      - cis: ["18.6.19.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  # 18.6.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. (Automated)
+  - id: 16171
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'."
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    impact: "WCN operations are disabled over all media."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.20.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["15.4", "15.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  # 18.6.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. (Automated)
+  - id: 16172
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'."
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    impact: 'The WCN wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks including "Set up a wireless router or access point" and "Add a wireless device" are disabled.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.20.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  # 18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections' (Automated)
+  - id: 16173
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'."
+    description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled: 1 = Minimize simultaneous connections."
+    rationale: "Preventing bridged network connections can help prevent a user unknowingly allowing traffic to route between internal and external networks, which risks exposure to sensitive internal data."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 = Minimize simultaneous connections: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates. It was updated with a new Minimize Policy Options sub-setting starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.6.21.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["15.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
+
+  # 18.6.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only). (Automated)
+  - id: 16174
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)."
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    impact: "The computer responds to automatic and manual network connection attempts based on the following circumstances: Automatic connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. - When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.21.2"]
+      - cis_csc_v7: ["12.4"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  # 18.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'. (Automated)
+  - id: 16175
+    title: "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'."
+    description: "This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect. Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled."
+    rationale: "Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service."
+    impact: "Provided that the Print Spooler service is not disabled, applications on and users logged in to servers will continue to be able to print from the server. However, the Print Spooler service will not accept client connections or allow users to share printers. Note that all printers that were already shared will continue to be shared. Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["18.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint -> 0'
+
+  # 18.7.2 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'. (Automated)
+  - id: 16176
+    title: "Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'."
+    description: "This policy setting determines whether Redirection Guard is enabled for the print spooler. Redirection Guard can prevent file redirections from being used within the print spooler. The recommended state for this setting is: Enabled: Redirection Guard Enabled."
+    rationale: "This setting prevents non-administrators from redirecting files within the print spooler process."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Redirection Guard Enabled: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure Redirection Guard Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520"
+    compliance:
+      - cis: ["18.7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RedirectionguardPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RedirectionguardPolicy -> 1'
+
+  # 18.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'. (Automated)
+  - id: 16177
+    title: "Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'."
+    description: "This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: RPC over TCP."
+    rationale: "This setting prevents the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: RPC over TCP: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC connection settings: Protocol to use for outgoing RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/printing/windows-11-rpc-connection-updates-for-print#allow-rpc-over-tcp-communication"
+    compliance:
+      - cis: ["18.7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcUseNamedPipeProtocol'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcUseNamedPipeProtocol -> 1'
+
+  # 18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'. (Automated)
+  - id: 16178
+    title: "Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'."
+    description: "This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: Default."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Default: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC connection settings: Use authentication for outgoing RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/printing/windows-11-rpc-connection-updates-for-print#allow-rpc-over-tcp-communication"
+    compliance:
+      - cis: ["18.7.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcAuthentication -> 1'
+
+  # 18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'. (Automated)
+  - id: 16179
+    title: "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'."
+    description: "This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: RPC over TCP."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: RCP over TCP: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC listener settings: Configure protocol options for incoming RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcProtocols'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcProtocols -> 1'
+
+  # 18.7.6 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher (Automated)
+  - id: 16180
+    title: "Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher."
+    description: "This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: Negotiate or higher."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Negotiate or higher: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC listener settings: Configure protocol options for incoming RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> ForceKerberosForRpc'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> ForceKerberosForRpc -> 1'
+
+  # 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'. (Automated)
+  - id: 16181
+    title: "Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'."
+    description: "This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. The recommended state for this setting is: Enabled: 0."
+    rationale: "Using dynamic ports for printing makes it more difficult for an attacker to know which port is being used and therefore which port to attack."
+    impact: "If your current print environment is configured for a specific TCP port, this setting may require a firewall change (if applicable) for continued printing."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC over TCP port Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcTcpPort'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC -> RpcTcpPort -> 0'
+
+  # 18.7.8 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'. (Automated)
+  - id: 16182
+    title: "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'."
+    description: "This policy setting controls whether users who aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481)."
+    rationale: "Restricting the installation of print drives to Administrators can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Printers\\Limits print driver installation to Administrators Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (and newer)."
+    references:
+      - "https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7"
+      - "https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators -> 1'
+
+  # 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'. (Automated)
+  - id: 16183
+    title: "Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'."
+    description: "This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles."
+    rationale: "A Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36958) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Manage processing of Queue-specific files Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+    compliance:
+      - cis: ["18.7.9"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> CopyFilesPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> CopyFilesPolicy -> 1'
+
+  # 18.7.10 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'. (Automated)
+  - id: 16184
+    title: "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When installing drivers for a new connection Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+      - "https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/"
+      - "https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall -> 1'
+
+  # 18.7.11 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'. (Automated)
+  - id: 16185
+    title: "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When updating drivers for an existing connection Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+      - "https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change"
+      - "https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.11"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings -> 1'
+
+  # 18.8.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'. (Automated)
+  - id: 16186
+    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'."
+    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive third-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    impact: "Applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'
+
+  # 18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'. (Automated)
+  - id: 16187
+    title: "Ensure 'Include command line in process creation events' is set to 'Enabled'."
+    description: "This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created. The recommended state for this setting is: Enabled. Note: This feature that this setting controls was not originally supported in server OSes older than Windows Server 2012 R2. However, in February 2015 Microsoft added support for the feature to Windows Server 2008 R2 and Windows Server 2012 (non-R2) via an update - KB3004375. Therefore, this setting is also important to set on those older OSes."
+    rationale: "Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents."
+    impact: 'Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data. Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called "Protected Event Logging" to better secure event log data. For assistance with protecting event logging, visit: About Logging Windows - PowerShell | Microsoft Docs.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#protected-event-logging"
+    compliance:
+      - cis: ["18.9.3.1"]
+      - cis_csc_v8: ["8.8"]
+      - cis_csc_v7: ["8.8"]
+      - iso_27001-2013: ["A.12.14.1"]
+      - soc_2: ["CC5.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 1'
+
+  # 18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. (Automated)
+  - id: 16188
+    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'."
+    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients."
+    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows Server from Server 2008 (non-R2) onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched up through May 2018 (or later)."
+    impact: "Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. This setting should not be deployed until all remote hosts support the newest version, which is achieved by ensuring that all Microsoft security updates at least through May 2018 are installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 1'
+
+  # 18.9.4.2 (L1) Ensure 'Remote host allows delegation of non- exportable credentials' is set to 'Enabled'. (Automated)
+  - id: 16189
+    title: "Ensure 'Remote host allows delegation of non- exportable credentials' is set to 'Enabled'."
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled. Note: More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs."
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    impact: "The host will support the Restricted Admin Mode and Windows Defender Remote Credential Guard features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard"
+    compliance:
+      - cis: ["18.9.4.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["16.5"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  # 18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. (Automated)
+  - id: 16190
+    title: "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity -> 1'
+
+  # 18.9.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher. (Automated)
+  - id: 16191
+    title: "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher."
+    description: "This policy setting specifies whether Virtualization Based Security (VBS) is enabled. VBS uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot or Secure Boot and DMA Protection. Note: VBS requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA protections to help protect data from being scraped from memory."
+    impact: "Choosing the Secure Boot option provides the system with as much protection as is supported by the computer's hardware. A system with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A system without IOMMUs will simply have Secure Boot enabled without DMA protection. Choosing the Secure Boot with DMA protection option requires the system to have IOMMUs in order to enable VBS. Without IOMMU hardware support, VBS will be disabled. Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Secure Boot or Secure Boot and DMA Protection: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Select Platform Security Level Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 3'
+
+  # 18.9.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'. (Automated)
+  - id: 16192
+    title: "Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'."
+    description: "This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Once this setting is turned on and active, Virtualization Based Security cannot be disabled solely via GPO or any other remote method. After removing the setting from GPO, the features must also be manually disabled locally at the machine using the steps provided at this link: Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity -> 1'
+
+  # 18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'. (Automated)
+  - id: 16193
+    title: "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'."
+    description: "This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked) Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "This setting will help protect this control from being enabled on a system that is not compatible which could lead to a crash or data loss."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to TRUE: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.4"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired -> 1'
+
+  # 18.9.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only). (Automated)
+  - id: 16194
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)."
+    description: 'This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock, but only on Member Servers (not Domain Controllers). Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.'
+    rationale: "The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. Warning #3: Once this setting is turned on and active, Credential Guard cannot be disabled solely via GPO or any other remote method. After removing the setting from GPO, the features must also be manually disabled locally at the machine using the steps provided at this link: Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock (on Member Servers only): Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.5"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 3'
+
+  # 18.9.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only). (Automated)
+  - id: 16195
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)."
+    description: "This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The recommended state for this setting is: Disabled on Domain Controllers. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Credential Guard is not useful on Domain Controllers and can cause crashes on them."
+    impact: "None - this is the default behavior. Warning: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.6"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 0'
+
+  # 18.9.5.7 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'. (Automated)
+  - id: 16196
+    title: "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'."
+    description: "Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Launch changes the way windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Secure Launch Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.7"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch -> 1'
+
+  # 18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'. (Automated)
+  - id: 16197
+    title: "Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: Enabled. Note: This will not prevent the installation of basic hardware drivers, but does prevent associated third-party utility software from automatically being installed under the context of the SYSTEM account."
+    rationale: "Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic third-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs."
+    impact: "Standard users without administrator privileges will not be able to install associated third-party utility software for peripheral devices. This may limit the use of advanced features of those devices unless/until an administrator installs the associated utility software for the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Installation\\Prevent device metadata retrieval from the Internet Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates, or with the Group Policy template DeviceSetup.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.7.2"]
+      - cis_csc_v7: ["18.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork -> 1'
+
+  # 18.9.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. (Automated)
+  - id: 16198
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'."
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.13.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  # 18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. (Automated)
+  - id: 16199
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'."
+    description: 'The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked).'
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    impact: "Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  # 18.9.19.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. (Automated)
+  - id: 16200
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'."
+    description: 'The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked).'
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    impact: "Group Policies will be reapplied even if they have not been changed, which could have a slight impact on performance."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  # 18.9.19.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'. (Automated)
+  - id: 16201
+    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'."
+    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled."
+    rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+    impact: "The Windows device will not be discoverable by other devices, and cannot participate in cross-device experiences."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+  # 18.9.19.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. (Automated)
+  - id: 16202
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'."
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.19.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+
+  # 18.9.20.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. (Automated)
+  - id: 16203
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'."
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    impact: "Print drivers cannot be downloaded over HTTP. Note: This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.1"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.7"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  # 18.9.20.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. (Automated)
+  - id: 16204
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'."
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    impact: "Tablet PC users cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.20.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  # 18.9.20.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. (Automated)
+  - id: 16205
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'."
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    impact: "Users cannot start the handwriting recognition error reporting tool or send error reports to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  # 18.9.20.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. (Automated)
+  - id: 16206
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    impact: 'The "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  # 18.9.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. (Automated)
+  - id: 16207
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    impact: "Windows is prevented from downloading providers; only the service providers cached in the local registry are displayed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  # 18.9.20.1.6 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. (Automated)
+  - id: 16208
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'."
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled. Note: This control affects printing over both HTTP and HTTPS."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    impact: "The client computer will not be able to print to Internet printers over HTTP or HTTPS. Note: This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["13.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  # 18.9.20.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. (Automated)
+  - id: 16209
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    impact: "Users are blocked from connecting to Microsoft.com for online registration and they cannot register their copy of Windows online."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  # 18.9.20.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. (Automated)
+  - id: 16210
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'."
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    impact: "Search Companion does not download content updates during searches. Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  # 18.9.20.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. (Automated)
+  - id: 16211
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled''.'
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    impact: 'The task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  # 18.9.20.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. (Automated)
+  - id: 16212
+    title: 'Ensure ''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled''.'
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    impact: 'The "Publish to Web" task is removed from File and Folder tasks in Windows folders.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  # 18.9.20.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. (Automated)
+  - id: 16213
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    impact: "Windows Messenger will not collect usage information, and the user settings to enable the collection of usage information will not be shown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  # 18.9.20.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. (Automated)
+  - id: 16214
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    impact: "All users are opted out of the Windows Customer Experience Improvement Program."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  # 18.9.20.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. (Automated)
+  - id: 16215
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'."
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    impact: "Users are not given the option to report errors to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+  # 18.9.23.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. (Automated)
+  - id: 16216
+    title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'."
+    description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
+    rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.23.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+  # 18.9.26.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. (Automated)
+  - id: 16217
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'."
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    impact: "Users will have input methods enabled for the system account on the sign-in page."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.26.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  # 18.9.27.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. (Automated)
+  - id: 16218
+    title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'."
+    description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    impact: "The user cannot choose to show account details on the sign-in screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+  # 18.9.27.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'. (Automated)
+  - id: 16219
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    impact: "The PC's network connectivity state cannot be changed without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  # 18.9.27.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. (Automated)
+  - id: 16220
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'."
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    impact: "The Logon UI will not enumerate any connected users on domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  # 18.9.27.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only). (Automated)
+  - id: 16221
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)."
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  # 18.9.27.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. (Automated)
+  - id: 16222
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    impact: "No app notifications are displayed on the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  # 18.9.27.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. (Automated)
+  - id: 16223
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    impact: "Users will not be able to set up or sign in with a picture password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  # 18.9.27.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. (Automated)
+  - id: 16224
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  # 18.9.32.6.1 (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. (Automated)
+  - id: 16225
+    title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+    impact: "Network connectivity in standby (while on battery) is not guaranteed. This connectivity restriction currently only applies to WLAN networks only, but is subject to change (according to Microsoft)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+  # 18.9.32.6.2 (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. (Automated)
+  - id: 16226
+    title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+    impact: "Network connectivity in standby (while plugged in) is not guaranteed. This connectivity restriction currently only applies to WLAN networks only, but is subject to change (according to Microsoft)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.2"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+  # 18.9.32.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. (Automated)
+  - id: 16227
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.3"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  # 18.9.32.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. (Automated)
+  - id: 16228
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  # 18.9.34.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. (Automated)
+  - id: 16229
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.34.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  # 18.9.34.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. (Automated)
+  - id: 16230
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    impact: "Users on this computer cannot use e-mail or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.34.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  # 18.9.35.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only). (Automated)
+  - id: 16231
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    impact: "RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.35.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  # 18.9.35.2 (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only). (Automated)
+  - id: 16232
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)."
+    description: 'This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended. Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated.'
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    impact: "Only authenticated RPC Clients will be allowed to connect to RPC servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.35.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  # 18.9.38.1 (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only). (Automated)
+  - id: 16233
+    title: "Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only)."
+    description: 'This policy setting allows you to configure how Domain Controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith''s attack" (ROCA) vulnerability. If this policy setting is enabled the following options are supported: Ignore: During authentication the Domain Controller will not probe any WHfB keys for the ROCA vulnerability. Audit: During authentication the Domain Controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). Block: During authentication the Domain Controller will block the use of WHfB keys that are subject to the ROCA vulnerability (vulnerable authentications will fail). The recommended state for this setting is: Enabled: Audit. Configuring this setting to Enabled: Block also conforms to the benchmark. Note: This setting only takes effect on Domain Controllers. Note #2: A reboot is not required for changes to this setting to take effect.'
+    rationale: 'The "Return of Coppersmith''s attack" or ROCA vulnerability is a cryptographic weakness in a widely used cryptographic library. An attacker can reveal secret keys (offline with no physical access to the affected device) on certified devices using this library. For more information on this vulnerability, visit ADV170012 - Security Update Guide - Microsoft - Vulnerability in TPM could allow Security Feature Bypass.'
+    impact: "This setting may affect vulnerable Trusted Platform Module (TPMs). To avoid issues, this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Audit (configuring to Enabled: Block also conforms to the benchmark): Computer Configuration\\Policies\\Administrative Templates\\System\\Security Account Manager\\Configure validation of ROCA-vulnerable WHfB keys during authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sam.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-15361"
+    compliance:
+      - cis: ["18.9.38.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM -> SamNGCKeyROCAValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM -> SamNGCKeyROCAValidation -> n:(\d+) compare >= 1'
+
+  # 18.9.46.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. (Automated)
+  - id: 16234
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'."
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "MSDT cannot run in support mode, and no data can be collected or sent to the support provider."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  # 18.9.46.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. (Automated)
+  - id: 16235
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'."
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+    impact: "Responsiveness events are not processed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.11.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  # 18.9.48.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'. (Automated)
+  - id: 16236
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'."
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+    impact: "The advertising ID is turned off. Apps can't use the ID for experiences across apps."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.48.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  # 18.9.50.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. (Automated)
+  - id: 16237
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+    impact: "You can set the local computer clock to synchronize time with NTP servers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.50.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  # 18.9.50.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only). (Automated)
+  - id: 16238
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)."
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled. Note: In most enterprise managed environments, you should not disable the Windows NTP Server on Domain Controllers, as it is very important for the operation of NT5DS (domain hierarchy-based) time synchronization."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.50.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  # 18.10.3.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. (Automated)
+  - id: 16239
+    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'."
+    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
+    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+  # 18.10.5.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. (Automated)
+  - id: 16240
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'."
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    impact: "Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.5.1"]
+      - cis_csc_v8: ["5.6"]
+      - cis_csc_v7: ["16.2"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  # 18.10.7.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. (Automated)
+  - id: 16241
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    impact: "AutoPlay will not be allowed for MTP devices like cameras or phones."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.7.1"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  # 18.10.7.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. (Automated)
+  - id: 16242
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'."
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    impact: "AutoRun commands will be completely disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.7.2"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  # 18.10.7.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. (Automated)
+  - id: 16243
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'."
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    impact: "Autoplay will be disabled - users will have to manually launch setup or installation programs that are provided on removable media."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.7.3"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  # 18.10.8.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. (Automated)
+  - id: 16244
+    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'."
+    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled."
+    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+    impact: "Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.10.8.1.1"]
+      - cis_csc_v8: ["10.5"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+  # 18.10.10.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled'. (Automated)
+  - id: 16245
+    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'."
+    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
+    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+    impact: "Users will not be able to utilize the camera on a system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.10.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+  # 18.10.12.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'. (Automated)
+  - id: 16246
+    title: "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'."
+    description: "This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage."
+    impact: "Users will not be able to use Microsoft consumer accounts on the system, and associated Windows experiences will instead present default fallback content."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud consumer account state content Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.12.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent -> 1'
+
+  # 18.10.12.2 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. (Automated)
+  - id: 16247
+    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'."
+    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
+    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a third-party."
+    impact: "Users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.12.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+  # 18.10.13.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'. (Automated)
+  - id: 16248
+    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'."
+    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always."
+    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+    impact: "The pairing ceremony for connecting to new wireless display devices will always require a PIN."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates."
+    compliance:
+      - cis: ["18.10.13.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> r:^1$|^2$'
+
+  # 18.10.14.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'. (Automated)
+  - id: 16249
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'."
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    impact: "The password reveal button will not be displayed after a user types a password in the password entry text box."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  # 18.10.14.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. (Automated)
+  - id: 16250
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'."
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.14.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  # 18.10.15.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'. (Automated)
+  - id: 16251
+    title: "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'."
+    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM."
+    rationale: "Sending any data to a third-party vendor is a security concern and should only be done on an as needed basis."
+    impact: "Note that setting values of 0 or 1 will degrade certain experiences on the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Diagnostic Data Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization"
+    compliance:
+      - cis: ["18.10.15.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 1'
+
+  # 18.10.15.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Automated)
+  - id: 16252
+    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'."
+    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
+    rationale: "Sending any data to a third-party vendor is a security concern and should only be done on an as needed basis."
+    impact: "The Connected User Experience and Telemetry service will be blocked from automatically using an authenticated proxy."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+  # 18.10.15.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'. (Automated)
+  - id: 16253
+    title: "Ensure 'Disable OneSettings Downloads' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled."
+    rationale: "Sending data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Windows will not connect to the OneSettings service to download configuration settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable OneSettings Downloads Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads -> 1'
+
+  # 18.10.15.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'. (Automated)
+  - id: 16254
+    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'."
+    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled."
+    rationale: "Users should not be sending any feedback to third-party vendors in an enterprise managed environment."
+    impact: "Users will no longer see feedback notifications through the Windows Feedback app."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+  # 18.10.15.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'. (Automated)
+  - id: 16255
+    title: "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Event Log. The recommended state for this setting is: Enabled."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Windows will record attempts to connect with the OneSettings service to the Applications and Services Logs\\Microsoft\\Windows\\Privacy-Auditing\\Operational Event Log channel."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Enable OneSettings Auditing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.5"]
+      - cis_csc_v8: ["6.3"]
+      - cis_csc_v7: ["8.5"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["8.3"]
+      - soc_2: ["CC6.1", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing -> 1'
+
+  # 18.10.15.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'. (Automated)
+  - id: 16256
+    title: "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'."
+    description: "This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited when recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Diagnostic logs and information such as crash dumps will not be collected for transmission to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Diagnostic Log Collection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection -> 1'
+
+  # 18.10.15.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled'. (Automated)
+  - id: 16257
+    title: "Ensure 'Limit Dump Collection' is set to 'Enabled'."
+    description: "This policy setting limits the type of memory dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. Note: Memory dumps are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited when recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Memory dumps can contain sensitive information - sending such data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Windows Error Reporting will not send full and/or heap memory dumps to Microsoft - they will be limited to kernel mini and/or user mode triage memory dumps (if sending optional diagnostic data is permitted)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Dump Collection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection -> 1'
+
+  # 18.10.15.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. (Automated)
+  - id: 16258
+    title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows Server 2016, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ''Manage preview builds''). We have kept this setting in the benchmark to ensure that any older builds of Windows Server 2016 in the environment are still enforced.'
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    impact: 'The item "Get Insider builds" will be unavailable.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.8"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+  # 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 16259
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.1.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  # 18.10.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 16260
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.1.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 16261
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  # 18.10.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'. (Automated)
+  - id: 16262
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  # 18.10.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 16263
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.3.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  # 18.10.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 16264
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.3.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 16265
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.4.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  # 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 16266
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.4.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.29.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. (Automated)
+  - id: 16267
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'."
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.29.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  # 18.10.29.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. (Automated)
+  - id: 16268
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'."
+    description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled."
+    rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.29.3"]
+      - cis_csc_v7: ["8.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  # 18.10.29.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. (Automated)
+  - id: 16269
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'."
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.29.4"]
+      - cis_csc_v7: ["8.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  # 18.10.37.1 (L2) Ensure 'Turn off location' is set to 'Enabled'. (Automated)
+  - id: 16270
+    title: "Ensure 'Turn off location' is set to 'Enabled'."
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    impact: "The location feature is turned off, and all programs on the computer are prevented from using location information from the location feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.37.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  # 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. (Automated)
+  - id: 16271
+    title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'."
+    description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Cellular text messages will not be backed up to (or restored from) Microsoft's cloud services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.41.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+  # 18.10.42.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. (Automated)
+  - id: 16272
+    title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'."
+    description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    impact: "All applications and services on the device will be prevented from new authentications using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs. Authentications performed directly by the user in web browsers or in apps that use OAuth will remain unaffected."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.42.1"]
+      - cis_csc_v8: ["5.3"]
+      - cis_csc_v7: ["16.8"]
+      - cmmc_v2.0: ["IA.L2-3.5.6"]
+      - iso_27001-2013: ["A.9.2.1"]
+      - nist_sp_800-53: ["AC-2(3)"]
+      - pci_dss_v3.2.1: ["8.1.4"]
+      - pci_dss_v4.0: ["8.3.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+  # 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. (Automated)
+  - id: 16273
+    title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'."
+    description: 'This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Microsft Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled.'
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  # 18.10.43.5.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. (Automated)
+  - id: 16274
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - - - (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.5.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
+
+  # 18.10.43.6.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. (Automated)
+  - id: 16275
+    title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'."
+    description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: Enabled."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    impact: "When a rule is triggered, a notification will be displayed from the Action Center."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.1.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
+  # 18.10.43.6.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured. (Automated)
+  - id: 16276
+    title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured."
+    description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 56a863a9-875e-4185-98a7-b882c64b5ce5 - 1 (Block abuse of exploited vulnerable signed drivers) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    impact: "When a rule is triggered, a notification will be displayed from the Action Center. Note: The following rules apply to Windows Server 2019 and 2022, but do not apply to Windows Server 2012 R2 and 2016: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (Block Win32 API calls from Office macro), d3e037e1-3eb8-44c8-a917-57927947596d (Block JavaScript or VBScript from launching downloaded executable content), and e6db77e5-3df2-4cf1-b95a-636979351e5b (Block persistence through WMI event subscription)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 56a863a9-875e-4185-98a7-b882c64b5ce5, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.1.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
+
+  # 18.10.43.6.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. (Automated)
+  - id: 16277
+    title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'."
+    description: "This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block."
+    rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+    impact: "Users and applications will not be able to access dangerous domains."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.3.1"]
+      - cis_csc_v8: ["9.3", "10.5"]
+      - cis_csc_v7: ["7.4", "8.3"]
+      - cmmc_v2.0: ["SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.4", "11.4"]
+      - pci_dss_v4.0: ["1.2.6", "1.4.2"]
+      - soc_2: ["CC5.2", "CC6.6", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+  # 18.10.43.7.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'. (Automated)
+  - id: 16278
+    title: "Ensure 'Enable file hash computation feature' is set to 'Enabled'."
+    description: "This setting determines whether hash values are computed for files scanned by Microsoft Defender. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny."
+    impact: "This setting could cause performance degradation during initial deployment and for users where new executable content is frequently being created (such as software developers), or where applications are frequently installed or updated. For more information on this setting, please visit Security baseline (FINAL): Windows 10 and Windows Server, version 2004 - Microsoft Tech Community - 1543631. Note: The impact of this setting should be monitored closely during deployment to ensure user and system performance impact is within acceptable limits."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation feature Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 2004 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.7.1"]
+      - cis_csc_v8: ["10.1"]
+      - cis_csc_v7: ["8.1"]
+      - cmmc_v2.0: ["SI.L1-3.14.2"]
+      - hipaa: ["164.308(a)(5)(ii)(B)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["5.1"]
+      - pci_dss_v4.0: ["5.1.1", "5.2.1", "5.2.2", "5.3.2"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation -> 1'
+
+  # 18.10.43.10.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. (Automated)
+  - id: 16279
+    title: "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
+    description: "This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all downloaded files and attachments Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus"
+    compliance:
+      - cis: ["18.10.43.10.1"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection -> 0'
+
+  # 18.10.43.10.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'. (Automated)
+  - id: 16280
+    title: "Ensure 'Turn off real-time protection' is set to 'Disabled'."
+    description: "This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real - time protection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus"
+    compliance:
+      - cis: ["18.10.43.10.2"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0'
+
+  # 18.10.43.10.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. (Automated)
+  - id: 16281
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'."
+    description: "This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default configuration."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.10.3"]
+      - cis_csc_v8: ["10.7"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0'
+
+  # 18.10.43.10.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled'. (Automated)
+  - id: 16282
+    title: "Ensure 'Turn on script scanning' is set to 'Enabled'."
+    description: "This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-worldwide"
+    compliance:
+      - cis: ["18.10.43.10.4"]
+      - cis_csc_v8: ["10.7"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning -> 0'
+
+  # 18.10.43.12.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled'. (Automated)
+  - id: 16283
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'."
+    description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
+    impact: "Watson events will not be sent to Microsoft automatically when a program or service crashes or fails."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.12.1"]
+      - cis_csc_v7: ["13.3"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  # 18.10.43.13.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled'. (Automated)
+  - id: 16284
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    impact: "Removable drives will be scanned during any type of scan by Microsoft Defender Antivirus."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Scan removable drives Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.13.1"]
+      - cis_csc_v8: ["10.4"]
+      - cis_csc_v7: ["8.4"]
+      - cmmc_v2.0: ["SC.L2-3.13.13", "SI.L1-3.14.5"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  # 18.10.43.13.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. (Automated)
+  - id: 16285
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'."
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Microsoft Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    impact: "E-mail scanning by Microsoft Defender Antivirus will be enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.13.2"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  # 18.10.43.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. (Automated)
+  - id: 16286
+    title: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'."
+    description: "This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications, that can deliver adware or malware. The recommended state for this setting is: Enabled: Block. For more information, see this link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs."
+    rationale: "Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation."
+    impact: "Applications that are identified by Microsoft as PUA will be blocked at download and install time."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Configure detection for potentially unwanted applications Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.16"]
+      - cis_csc_v8: ["10.6"]
+      - cis_csc_v7: ["2.7", "8.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["11.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'
+
+  # 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'. (Automated)
+  - id: 16287
+    title: "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'."
+    description: "This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Microsoft Defender Antivirus. Organizations that choose to purchase a reputable third-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Turn off Microsoft Defender AntiVirus Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Windows Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates."
+    compliance:
+      - cis: ["18.10.43.17"]
+      - cis_csc_v8: ["10.6"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["11.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware -> 0'
+
+  # 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. (Automated)
+  - id: 16288
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'."
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a server, not just the one supplied with Windows Server."
+    impact: "Users can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the WinRT API. OneDrive doesn't appear in the navigation pane in File Explorer. OneDrive files aren't kept in sync with the cloud. Users can't automatically upload photos and videos from the camera roll folder. Note: If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive. Note #2: If your organization has decided to implement OneDrive for Business and therefore needs to except itself from this recommendation, we highly suggest that you also obtain and utilize the OneDrive.admx/adml template that is bundled with the latest OneDrive client, as noted at this link (this template is not included with the Windows Administrative Templates). Two alternative OneDrive settings in particular from that template are worth your consideration: - Allow syncing OneDrive accounts for only specific organizations - a computer - based setting that restricts OneDrive client connections to only approved tenant IDs. - Prevent users from synchronizing personal OneDrive accounts - a user-based setting that prevents use of consumer OneDrive (i.e. non-business)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.10.51.1"]
+      - cis_csc_v7: ["13.4"]
+      - iso_27001-2013: ["A.13.2.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  # 18.10.56.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'. (Automated)
+  - id: 16289
+    title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'."
+    description: "This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    impact: "Users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.56.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
+  # 18.10.57.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. (Automated)
+  - id: 16290
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'."
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    impact: "The password saving checkbox will be disabled for Remote Desktop clients and users will not be able to save passwords."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.2.2"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  # 18.10.57.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'. (Automated)
+  - id: 16291
+    title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'."
+    description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
+  # 18.10.57.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. (Automated)
+  - id: 16292
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect server data to local (client) COM ports."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  # 18.10.57.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'. (Automated)
+  - id: 16293
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'."
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    impact: "Drive redirection will not be possible. In most situations, traditional network drive mapping to file shares (including administrative shares) performed manually by the connected user will serve as a capable substitute to still allow file transfers when needed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  # 18.10.57.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. (Automated)
+  - id: 16294
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect server data to local (client) LPT ports."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  # 18.10.57.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. (Automated)
+  - id: 16295
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'."
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect their supported (local client) Plug and Play devices to the remote computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  # 18.10.57.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. (Automated)
+  - id: 16296
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'."
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    impact: "Users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They will be prompted for a password to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  # 18.10.57.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'. (Automated)
+  - id: 16297
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    impact: "Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  # 18.10.57.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. (Automated)
+  - id: 16298
+    title: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'."
+    description: "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. The recommended state for this setting is: Enabled: SSL. Note: In spite of this setting being labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol."
+    rationale: "The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred."
+    impact: "TLS 1.0 will be required to authenticate to the RD Session Host server. If TLS is not supported, the connection fails. Note: By default, this setting will use a self-signed certificate for RDP connections. If your organization has established the use of a Public Key Infrastructure (PKI) for SSL/TLS encryption, then we recommend that you also configure the Server authentication certificate template setting to instruct RDP to use a certificate from your PKI instead of a self-signed one. Note that the certificate template used for this purpose must have “Client Authentication” configured as an Intended Purpose. Note also that a valid, non-expired certificate using the specified template must already be installed on the server for it to work. Note #2: Some third party two-factor authentication solutions (e.g. RSA Authentication Agent) can be negatively affected by this setting, as the SSL/TLS security layer will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: SSL: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require use of specific security layer for remote (RDP) connections Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.3"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 2'
+
+  # 18.10.57.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. (Automated)
+  - id: 16299
+    title: "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. The recommended state for this setting is: Enabled."
+    rationale: "Requiring that user authentication occur earlier in the remote connection process enhances security."
+    impact: "Only client computers that support Network Level Authentication can connect to the RD Session Host server. Note: Some third party two-factor authentication solutions (e.g. RSA Authentication Agent) can be negatively affected by this setting, as Network Level Authentication will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require user authentication for remote connections by using Network Level Authentication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was initially named Require user authentication using RDP 6.0 for remote connections, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.4"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1'
+
+  # 18.10.57.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. (Automated)
+  - id: 16300
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'."
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.5"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  # 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'. (Automated)
+  - id: 16301
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'."
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0)."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. In addition, session timeouts that are misconfigured or set for a long period of time can leave the system open to an attacker hijacking the session."
+    impact: "Remote Desktop Services will automatically disconnect active but idle sessions after 15 minutes (or the specified amount of time). The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. Note that idle session time limits do not apply to console sessions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less, but not Never (0): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.10.1"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0'
+
+  # 18.10.57.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. (Automated)
+  - id: 16302
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'."
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated. In addition, session timeouts that are misconfigured or set for a long period of time can leave the system open to an attacker hijacking the session."
+    impact: "Disconnected Remote Desktop sessions are deleted from the server after 1 minute. Note that disconnected session time limits do not apply to console sessions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.10.2"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  # 18.10.57.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. (Automated)
+  - id: 16303
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'."
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.11.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  # 18.10.57.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. (Automated)
+  - id: 16304
+    title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'."
+    description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.11.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+  # 18.10.58.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. (Automated)
+  - id: 16305
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    impact: "Users cannot set the Feed Sync Engine to download an enclosure through the Feed property page. Developers cannot change the download setting through feed APIs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.58.1"]
+      - cis_csc_v8: ["9.4"]
+      - cis_csc_v7: ["7.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8"]
+      - iso_27001-2013: ["A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-11", "SC-18"]
+      - pci_dss_v4.0: ["2.2.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  # 18.10.59.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. (Automated)
+  - id: 16306
+    title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'."
+    description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Search and Cortana will not be permitted to search cloud sources like OneDrive and SharePoint."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.59.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+  # 18.10.59.3 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. (Automated)
+  - id: 16307
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'."
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.59.3"]
+      - cis_csc_v7: ["14.8"]
+      - iso_27001-2013: ["A.10.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  # 18.10.59.4 (L2) Ensure 'Allow search highlights' is set to 'Disabled'. (Automated)
+  - id: 16308
+    title: "Ensure 'Allow search highlights' is set to 'Disabled'."
+    description: "This policy setting controls search highlights in the start menu search box and in search home. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to or received by any third-party since this data could contain sensitive information."
+    impact: 'Interesting, "informative", and "noteworthy" information about the current date will not be displayed (by Microsoft) to the user.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search highlights Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.59.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> EnableDynamicContentInWSB'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> EnableDynamicContentInWSB -> 0'
+
+  # 18.10.63.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. (Automated)
+  - id: 16309
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'."
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    impact: "The computer is prevented from sending data to Microsoft regarding its KMS client activation state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.63.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  # 18.10.76.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. (Automated)
+  - id: 16310
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'."
+    description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    impact: "Users will be warned before they are allowed to run unrecognized programs downloaded from the Internet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.10.76.2.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+  # 18.10.80.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. (Automated)
+  - id: 16311
+    title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'."
+    description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
+    rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+    impact: "The suggested apps in Windows Ink Workspace will not be allowed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.80.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+  # 18.10.80.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'. (Automated)
+  - id: 16312
+    title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'."
+    description: "This policy setting determines whether Windows Ink items are allowed above the lock screen. The recommended state for this setting is: Enabled: On, but disallow access above lock OR Enabled: Disabled."
+    rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+    impact: "Windows Ink Workspace will not be permitted above the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Enabled: Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.80.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 1'
+
+  # 18.10.81.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'. (Automated)
+  - id: 16313
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'."
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.1"]
+      - cis_csc_v8: ["2.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  # 18.10.81.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'. (Automated)
+  - id: 16314
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'."
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  # 18.10.81.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. (Automated)
+  - id: 16315
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'."
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.3"]
+      - cis_csc_v8: ["2.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  # 18.10.82.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'. (Automated)
+  - id: 16316
+    title: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'."
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    impact: "The device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. The user is required to present the logon credentials in order to proceed after restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in and lock last interactive user automatically after a restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Sign-in last interactive user automatically after a system-initiated restart, but it was renamed starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.10.82.1"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  # 18.10.87.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (Automated)
+  - id: 16317
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'."
+    description: "This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark."
+    rationale: "Logs of PowerShell script input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    impact: "PowerShell script input will be logged to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel, which can contain credentials and sensitive information. Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell logs, which could be exposed to users who have read-access to those logs. Microsoft provides a feature called \"Protected Event Logging\" to better secure event log data. For assistance with protecting event logging, visit: About Logging Windows - PowerShell | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#protected-event-logging"
+    compliance:
+      - cis: ["18.10.87.1"]
+      - cis_csc_v8: ["8.8"]
+      - cis_csc_v7: ["8.8"]
+      - iso_27001-2013: ["A.12.14.1"]
+      - soc_2: ["CC5.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 1'
+
+  # 18.10.87.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'. (Automated)
+  - id: 16318
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'."
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Enabled."
+    rationale: "PowerShell transcript input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    impact: "PowerShell transcript input will be logged to the PowerShell_transcript output file, which is saved to the My Documents folder of each users' profile by default. Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell_transcript output file, which could be exposed to users who have read-access to the file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings?view=powershell-7.2#turn-on-powershell-transcription"
+    compliance:
+      - cis: ["18.10.87.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 1'
+
+  # 18.10.89.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'. (Automated)
+  - id: 16319
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  # 18.10.89.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Automated)
+  - id: 16320
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.2"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  # 18.10.89.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'. (Automated)
+  - id: 16321
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "The WinRM client will not use Digest authentication."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  # 18.10.89.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'. (Automated)
+  - id: 16322
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  # 18.10.89.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. (Automated)
+  - id: 16323
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  # 18.10.89.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Automated)
+  - id: 16324
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  # 18.10.89.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. (Automated)
+  - id: 16325
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    impact: "The WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on the computer. If this setting is later Disabled again, any values that were previously configured for RunAsPassword will need to be reset."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.89.2.4"]
+      - cis_csc_v7: ["14.3"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  # 18.10.90.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. (Automated)
+  - id: 16326
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'."
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    impact: "New Remote Shell connections are not allowed and are rejected by the server. Note: On Server 2012 (non-R2) and newer, due to design changes in the OS after Server 2008 R2, configuring this setting as prescribed will prevent the ability to add or remove Roles and Features (even locally) via the GUI. We therefore recommend that the necessary Roles and Features be installed prior to configuring this setting on a Level 2 server. Alternatively, Roles and Features can still be added or removed using the PowerShell commands Add-WindowsFeature or Remove-WindowsFeature in the Server Manager module, even with this setting configured."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.90.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  # 18.10.92.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. (Automated)
+  - id: 16327
+    title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'."
+    description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled."
+    rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+    impact: "Local users cannot make changes in the Exploit protection settings area."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Security\\App and browser protection\\Prevent users from modifying settings Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.92.2.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+  # 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. (Automated)
+  - id: 16328
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'."
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Legacy Policies\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.1.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+
+  # 18.10.93.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'. (Automated)
+  - id: 16329
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'."
+    description: 'This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a third-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the third-party patching process.'
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    impact: "Critical operating system updates and service packs will be installed as necessary."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.2.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  # 18.10.93.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. (Automated)
+  - id: 16330
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'."
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates'. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    impact: "If 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates', critical operating system updates and service packs will automatically download every day (at 3:00 A.M., by default)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  # 18.10.93.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled'. (Automated)
+  - id: 16331
+    title: "Ensure 'Manage preview builds' is set to 'Disabled'."
+    description: "This policy setting manage which updates that are receive prior to the update being released. Dev Channel: Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release. Beta Channel: Ideal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release. Release Preview Channel (default): Insiders in the Release Preview Channel will have access to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before broad deployment within their organization. The recommended state for this setting is: Disabled. Note: Preview Build enrollment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview Builds, see: https://aka.ms/wipforbiz."
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    impact: "Preview builds are prevented from installing on the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Manage preview builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows-insider/business/manage-builds"
+    compliance:
+      - cis: ["18.10.93.4.1"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
+
+  # 18.10.93.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'. (Automated)
+  - id: 16332
+    title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'."
+    description: 'This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.'
+    rationale: "In a production environment, it is preferred to only use software and features that are publicly available, after they have gone through rigorous testing in beta."
+    impact: "Feature Updates will be delayed until they are publicly released to general public by Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Select when Preview Builds and Feature Updates are received Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.4.2"]
+      - cis_csc_v8: ["2.5", "7.3"]
+      - cis_csc_v7: ["2.4"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9", "SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.8.1.1"]
+      - nist_sp_800-53: ["CM-7(5)", "SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8", "CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+
+  # 18.10.93.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. (Automated)
+  - id: 16333
+    title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'."
+    description: 'This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog.'
+    rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.93.4.3"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
+
+  # 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.1.3.2 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.1.3.3 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. (Automated) - Not Implemented
+  # 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.6.6.1.1 (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. (Automated) - Not Implemented
+  # 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. (Automated) - Not Implemented
+  # 19.7.7.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.3 (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.4 (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.5 (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.25.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.40.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'. (Automated) - Not Implemented
+  # 19.7.42.2.1 (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'. (Automated) - Not Implemented
diff --git a/etc/ruleset/sca/windows/cis_win2019.yml b/etc/ruleset/sca/windows/cis_win2019.yml
new file mode 100644
index 0000000000..314ea36408
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win2019.yml
@@ -0,0 +1,4770 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 2016 RTM
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Microsoft Windows Server 2019 RTM (Release 1809) v1.0.1 - 11-22-2019
+
+policy:
+  id: "cis_win2019"
+  file: "cis_win2019.yml"
+  name: "CIS Microsoft Windows Server 2019 Benchmark v1.0.1"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2019."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows Server 2019 RTM"
+  description: "Requirements for running the CIS benchmark under Windows Server 2019 RTM"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2019'
+
+checks:
+  ###############################################
+  # 1 Account Policies
+  ###############################################
+  ###############################################
+  # 1.1 Password Policy
+  ###############################################
+
+  # 1.1.2 Maximum password age (Scored)
+  - id: 16500
+    title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37167-4"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
+
+  ###############################################
+  # 2 Local Policies
+  ###############################################
+  ###############################################
+  # 2.3 Security Options
+  ###############################################
+
+  # 2.3.1.2 Accounts: Block Microsoft accounts (Scored)
+  - id: 16501
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
+    compliance:
+      - cis: ["2.3.1.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36147-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  # 2.3.1.4 Accounts: Limit local account use of blank passwords to console logon only (Scored)
+  - id: 16502
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
+    compliance:
+      - cis: ["2.3.1.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37615-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  # 2.3.2.1 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Scored)
+  - id: 16503
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37850-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  # 2.3.2.2 Audit: Shut down system immediately if unable to log security audits (Scored)
+  - id: 16504
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc: ["6"]
+      - pci_dss: ["10.7"]
+    references:
+      - "CCE-35907-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  # 2.3.4.1 Devices: Allowed to format and eject removable media (Scored)
+  - id: 16505
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37701-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+  # 2.3.4.2 Devices: Prevent users from installing printer drivers (Scored)
+  - id: 16506
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
+    compliance:
+      - cis: ["2.3.4.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4", "2.2.5"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC6.3", "CC5.2"]
+    references:
+      - "CCE-37942-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  # 2.3.5.1 Domain controller: Allow server operators to schedule tasks (Scored)
+  - id: 16507
+    title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
+    description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks."
+    compliance:
+      - cis: ["2.3.5.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37848-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
+
+  # 2.3.5.2 Domain controller: LDAP server signing requirements (Scored)
+  - id: 16508
+    title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
+    description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements."
+    compliance:
+      - cis: ["2.3.5.2"]
+      - cis_csc: ["3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
+      - "CCE-35904-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
+
+  # 2.3.5.3 Domain controller: Refuse machine account password changes (Scored)
+  - id: 16509
+    title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"
+    description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes."
+    compliance:
+      - cis: ["2.3.5.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36921-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
+
+  # 2.3.6.1 Domain member: Digitally encrypt or sign secure channel data (always) (Scored)
+  - id: 16510
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36142-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  # 2.3.6.2 Domain member: Digitally encrypt secure channel data (when possible) (Scored)
+  - id: 16511
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37130-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  # 2.3.6.3 Domain member: Digitally sign secure channel data (when possible) (Scored)
+  - id: 16512
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37222-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  # 2.3.6.4 Domain member: Disable machine account password changes (Scored)
+  - id: 16513
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
+    compliance:
+      - cis: ["2.3.6.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37508-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  # 2.3.6.6 Domain member: Require strong (Windows 2000 or later) session key (Scored)
+  - id: 16514
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
+    compliance:
+      - cis: ["2.3.6.6"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37614-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  # 2.3.7.1 Interactive logon: Do not require CTRL+ALT+DEL (Scored)
+  - id: 16515
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+    compliance:
+      - cis: ["2.3.7.1"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37637-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  # 2.3.7.2 Interactive logon: Do not display last user name (Scored)
+  - id: 16516
+    title: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'"
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in."
+    compliance:
+      - cis: ["2.3.7.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36056-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  # 2.3.7.3 Interactive logon: Machine inactivity limit (Scored)
+  - id: 16517
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit."
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38235-8"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  #  2.3.7.6 - Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)
+  - id: 16518
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)."
+    compliance:
+      - cis: ["2.3.7.6"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38240-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'
+
+  # 2.3.7.7 Interactive logon: Prompt user to change password before expiration (Scored)
+  - id: 16519
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
+    compliance:
+      - cis: ["2.3.7.7"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37622-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  # 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) (Scored)
+  - id: 16520
+    title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
+    description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled ."
+    rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
+    remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled:Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
+    compliance:
+      - cis: ["2.3.7.8"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38240-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
+
+  # 2.3.7.9 Interactive logon: Smart card removal behavior (Scored)
+  - id: 16521
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38333-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
+
+  # 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
+  - id: 16522
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.8.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36325-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
+  - id: 16523
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)."
+    compliance:
+      - cis: ["2.3.8.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36269-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
+  - id: 16524
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37863-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+  # 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
+  - id: 16525
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc: ["3"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38046-9"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  # 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
+  - id: 16526
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.9.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37864-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
+  - id: 16527
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)."
+    compliance:
+      - cis: ["2.3.9.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-35988-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
+  - id: 16528
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire."
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37972-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher
+  - id: 16529
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level."
+    compliance:
+      - cis: ["2.3.9.5"]
+      - cis_csc: ["14"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
+      - "CCE-36170-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+  # 2.3.10.2 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'
+  - id: 16530
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts."
+    compliance:
+      - cis: ["2.3.10.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36316-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  # 2.3.10.3 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'
+  - id: 16531
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)"
+    remediation: "To establish the recommended configuration via GP, set the following U path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares."
+    compliance:
+      - cis: ["2.3.10.3"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36316-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  # 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Scored)
+  - id: 16532
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
+    compliance:
+      - cis: ["2.3.10.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38119-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  # 2.3.10.5 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
+  - id: 16533
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
+    compliance:
+      - cis: ["2.3.10.5"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36148-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  # 2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
+  - id: 16534
+    title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (Domain Controller) LSARPC, NETLOGON, SAMR (Member Server) <blank> (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.6"]
+      - cis_csc: ["14.1", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38258-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:LSARPC && r:NETLOGON && r:SAMR'
+
+  # 2.3.10.8 Configure 'Network access: Remotely accessible registry paths'
+  - id: 16535
+    title: "Configure 'Network access: Remotely accessible registry paths'"
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths."
+    compliance:
+      - cis: ["2.3.10.8"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37194-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+  # 2.3.10.9 Configure 'Network access: Remotely accessible registry paths and sub-paths'
+  - id: 16536
+    title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
+    compliance:
+      - cis: ["2.3.10.9"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36347-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
+
+  # 2.3.10.10 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
+  - id: 16537
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
+    compliance:
+      - cis: ["2.3.10.10"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36021-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  # 2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
+  - id: 16538
+    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
+    description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow . Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
+    compliance:
+      - cis: ["2.3.10.11"]
+      - cis_csc: ["5.1", "9.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> restrictremotesam -> O:BAG:BAD:(A;;RC;;;BA)'
+
+  # 2.3.10.12 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
+  - id: 16539
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)"
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.12"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38095-6"
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
+
+  # 2.3.10.13 Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
+  - id: 16540
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)"
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
+    compliance:
+      - cis: ["2.3.10.13"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["7.1.3"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37623-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  # 2.3.11.1 Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
+  - id: 16541
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
+    compliance:
+      - cis: ["2.3.11.1"]
+      - cis_csc: ["14", "16"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38341-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  # 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
+  - id: 16542
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
+    compliance:
+      - cis: ["2.3.11.2"]
+      - cis_csc: ["14"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37035-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  # 2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
+  - id: 16543
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
+    compliance:
+      - cis: ["2.3.11.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38047-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  # 2.3.11.4 Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
+  - id: 16544
+    title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
+    rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+    references:
+      - "CCE-37755-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'
+
+  # 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
+  - id: 16545
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36326-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  # 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
+  - id: 16546
+    title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+    rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
+    compliance:
+      - cis: ["2.3.11.6"]
+      - cis_csc: ["16"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36270-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
+  - id: 16547
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36173-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  # 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
+  - id: 16548
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36858-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'
+
+  # 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 16549
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37553-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+  # 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
+  - id: 16550
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - https://workbench.cisecurity.org/benchmarks/288
+      - "CCE-37835-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  # 2.3.13.1 Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
+  - id: 16551
+    title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
+    description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+    rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
+    compliance:
+      - cis: ["2.3.13.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36788-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
+  # 2.3.15.1 Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
+  - id: 16552
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
+    compliance:
+      - cis: ["2.3.15.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37885-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  # 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
+  - id: 16553
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+    compliance:
+      - cis: ["2.3.15.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37644-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  # 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
+  - id: 16554
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
+    compliance:
+      - cis: ["2.3.17.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36494-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  # 2.3.17.2 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
+  - id: 16555
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37029-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
+
+  # 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
+  - id: 16556
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
+    compliance:
+      - cis: ["2.3.17.3"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36864-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  # 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
+  - id: 16557
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
+    compliance:
+      - cis: ["2.3.17.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36533-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  # 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
+  - id: 16558
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
+    compliance:
+      - cis: ["2.3.17.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37057-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  # 2.3.17.6 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
+  - id: 16559
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36869-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  # 2.3.17.7 Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
+  - id: 16560
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
+    compliance:
+      - cis: ["2.3.17.7"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36866-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  # 2.3.17.8 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
+  - id: 16561
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
+    compliance:
+      - cis: ["2.3.17.8"]
+      - pci_dss: ["6.5.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37064-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  ###############################################
+  # 9 Windows Firewall with Advanced Security
+  ###############################################
+
+  ###############################################
+  # 9.1 Domain Profile
+  ###############################################
+
+  # 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
+  - id: 16562
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36062-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  # 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+  - id: 16563
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38117-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  # 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
+  - id: 16564
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36146-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  # 9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+  - id: 16565
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.1.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38041-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  # 9.1.5 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
+  - id: 16566
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37482-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  # 9.1.6 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'
+  - id: 16567
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36088-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+  - id: 16568
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37523-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.1.8 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+  - id: 16569
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36393-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.2 Private Profile
+  ###############################################
+
+  # 9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
+  - id: 16570
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38239-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  # 9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
+  - id: 16571
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38042-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  # 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
+  - id: 16572
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38332-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  # 9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
+  - id: 16573
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.2.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37621-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  # 9.2.5 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
+  - id: 16574
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37569-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  # 9.2.6 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'
+  - id: 16575
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-38178-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.2.7 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
+  - id: 16576
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-35972-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.2.8 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
+  - id: 16577
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37387-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 9.3 Public Profile
+  ###############################################
+
+  # 9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
+  - id: 16578
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37862-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  # 9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
+  - id: 16579
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36057-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  # 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
+  - id: 16580
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc: ["9.2"]
+      - pci_dss: ["1.2.3"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37434-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  # 9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
+  - id: 16581
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.3.4"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38043-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  # 9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
+  - id: 16582
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules."
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37861-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  # 9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
+  - id: 16583
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules."
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36268-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  # 9.3.7 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
+  - id: 16584
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37266-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  # 9.3.8 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'
+  - id: 16585
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36395-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
+  - id: 16586
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37265-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.3.9 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
+  - id: 16587
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc: ["6.2"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36394-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  ###############################################
+  # 17 Advanced Audit Policy Configuration
+  ###############################################
+
+  ###############################################
+  # 18 Administrative Templates (Computer)
+  ###############################################
+  ###############################################
+  # 18.1 Control Panel
+  ###############################################
+  # 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
+  - id: 16588
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38347-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  # 18.1.1.2 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
+  - id: 16589
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38348-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+  # 18.1.2.2 Ensure 'Allow input personalization' is set to 'Disabled'
+  - id: 16590
+    title: "Ensure 'Allow input personalization' is set to 'Disabled'"
+    description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.2.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38347-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+  # 18.1.3 Ensure 'Allow Online Tips' is set to 'Disabled' (Scored)
+  - id: 16591
+    title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
+    description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled ."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.3.4"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
+  ###############################################
+  # Section 18.2 - LAPS
+  ###############################################
+  # 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed
+  - id: 16592
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
+    compliance:
+      - cis: ["18.2.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  # 18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'
+  - id: 16593
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.2"]
+      - cis_csc: ["16.2"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  # 18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'
+  - id: 16594
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  # 18.2.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'
+  - id: 16595
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.4"]
+      - cis_csc: ["5.7"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  # 18.2.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'
+  - id: 16596
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.5"]
+      - cis_csc: ["5.7"]
+      - pci_dss: ["8.2.3"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  # 18.2.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'
+  - id: 16597
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.2.6"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2.4"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  ###############################################
+  # Section 18.3 - MS Security Guide
+  ###############################################
+  # 18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'
+  - id: 16598
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
+    description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled."
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc: ["5.8"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - https://www.microsoft.com/en-us/download/details.aspx?id=36036
+      - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
+      - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
+      - "CCE-37069-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
+
+  # 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
+  - id: 16599
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service ( MRxSmb10 ), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled , as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858"
+      - "https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 1'
+
+  # 18.3.3 Ensure 'Configure SMB v1 server' is set to 'Disabled' (Scored)
+  - id: 16600
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled ."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858"
+      - "https://docs.microsoft.com/en-us/archive/blogs/staysafe/disable-smb-v1-in-managed-environments-with-ad-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy"
+      - "https://docs.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  # 18.3.4 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
+  - id: 16601
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled ."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/"
+      - "https://support.microsoft.com/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  # 18.3.5 (L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only) (Scored)
+  - id: 16602
+    title: "Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)'"
+    description: "This setting controls LDAP authentication over SSL/TLS to help make it more secure. The recommended state for this setting is: Enabled: Enabled, always (recommended) . Note: All LDAP clients must have the CVC-2017-8563 security update to be compatible with Domain Controllers that have this setting enabled."
+    rationale: "Configuring the LdapEnforceChannelBinding registry value can help to increase protection against 'man-in-the-middle attacks'. "
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled, always (recommended) : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Extended Protection for LDAP Authentication (Domain Controllers only) Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.5"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CVC-2017-8563"
+      - "https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry"
+      - "https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/"
+      - "https://technet.microsoft.com/library/security/973811"
+      - "https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding -> 2'
+
+  # 18.3.6 Ensure 'WDigest Authentication' is set to 'Disabled'
+  - id: 16603
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
+    description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server."
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required"
+    compliance:
+      - cis: ["18.3.6"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "http://www.microsoft.com/en-us/download/details.aspx?id=36036"
+      - "https://support.microsoft.com/en-us/kb/2871997"
+      - "https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  ###############################################
+  # 18.4 MSS (Legacy)
+  ###############################################
+  # 18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
+  - id: 16604
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37067-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  # 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+  - id: 16605
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36871-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
+  - id: 16606
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36535-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.4.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
+  - id: 16607
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc: ["9"]
+      - nist_800_53: ["SC.5"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37988-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  # 18.4.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
+  - id: 16608
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-36868-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  # 18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
+  - id: 16609
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.6"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.6"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36879-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  # 18.4.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
+  - id: 16610
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-38065-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  # 18.4.8 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
+  - id: 16611
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.8"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36351-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  # 18.4.9 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
+  - id: 16612
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.9"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-37993-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  # 18.4.10 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+  - id: 16613
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted."
+    compliance:
+      - cis: ["18.4.10"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-37846-3"
+      - "https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
+  - id: 16614
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted."
+    compliance:
+      - cis: ["18.4.11"]
+      - cis_csc: ["9"]
+      - pci_dss: ["1.3.3"]
+      - tsc: ["A1.1", "CC6.1", "CC7.2"]
+      - nist_800_53: ["SC.5"]
+    references:
+      - "CCE-36051-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.4.12 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
+  - id: 16615
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.4.12"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.7"]
+    references:
+      - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+      - "CCE-36880-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  ###############################################
+  # 18.5 Network
+  ###############################################
+  # 18.5.4.1 Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
+  - id: 16616
+    title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
+    description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names. A B-node (broadcast) system only uses broadcasts. A P-node (point-to-point) system uses only name queries to a name server (WINS). An M-node (mixed) system broadcasts first, then queries the name server (WINS). An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD) : HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeType"
+    compliance:
+      - cis: ["18.5.4.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+  # 18.5.4.2 Ensure 'Turn off multicast name resolution' is set to 'Enabled'
+  - id: 16617
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled ."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution ote: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.4.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37450-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+  ###############################################
+  # 18.5.5 Fonts
+  ###############################################
+  # 18.5.5.1 Ensure 'Enable Font Providers' is set to 'Disabled' (Scored)
+  - id: 16618
+    title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
+    description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.The recommended state for this setting is: Disabled ."
+    rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.5.1"]
+      - cis_csc: ["3", "13"]
+      - pci_dss: ["6.4.5"]
+      - tsc: ["CC6.6", "CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+  # 18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'
+  - id: 16619
+    title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
+    description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled ."
+    rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\LanmanWorkstation\\Enable insecure guest logons Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.8.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+  # Section 18.5.9 - Link-Layer Topology Discovery
+  # 18.5.9.1 Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+  - id: 16620
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver."
+    compliance:
+      - cis: ["18.5.9.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38170-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
+  # 18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+  - id: 16621
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver."
+    compliance:
+      - cis: ["18.5.9.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37959-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
+  # Section 18.5.10 - Microsoft Peer-to-Peer Networking Services
+  - id: 16622
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services."
+    compliance:
+      - cis: ["18.5.10.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37699-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  # 18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' (Scored)
+  - id: 16623
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
+    description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    references:
+      - "CCE-38002-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  # 18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' (Scored)
+  - id: 16624
+    title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
+    description: 'Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled .'
+    rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.5.11.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["1.3.5"]
+      - tsc: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
+  # 18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' (Scored)
+  - id: 16625
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled ."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.11.4"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38188-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  # 18.5.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
+  - id: 16626
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'''
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares .'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template ( NetworkProvider.admx/adml ) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths Note: This Group Policy path does not exist by default. An additional Group Policy template ( NetworkProvider.admx/adml ) is required"
+    compliance:
+      - cis: ["18.5.14.1"]
+      - cis_csc: ["3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1 && r:RequireIntegrity=1'
+
+  # Section 18.5.19.2 - Parameters
+  # 18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') (Scored)
+  - id: 16627
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents."
+    compliance:
+      - cis: ["18.5.19.2.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.2"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  # Section 18.5.20 - Windows Connect Now
+  # 18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (Scored)
+  - id: 16628
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN)."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now."
+    compliance:
+      - cis: ["18.5.20.1"]
+      - cis_csc: ["15.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37481-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  # 18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' (Scored)
+  - id: 16629
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards."
+    compliance:
+      - cis: ["18.5.20.2"]
+      - cis_csc: ["15.4"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36109-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  # Section 18.5.21 - Windows Connection Manager
+  # 18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' (Scored)
+  - id: 16630
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.5.21.1"]
+      - cis_csc: ["12"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38338-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> n:(\d+) compare != 0'
+
+  # 18.5.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) (Scored)
+  - id: 16631
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network."
+    compliance:
+      - cis: ["18.5.21.2"]
+      - cis_csc: ["12"]
+      - pci_dss: ["1.3.4"]
+      - tsc: ["CC6.6"]
+    references:
+      - "CCE-37627-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  ###############################################
+  # 18.7 Start Menu and Taskbar
+  ###############################################
+
+  # 18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored)
+  - id: 16632
+    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'"
+    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled ."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.7.1.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'
+
+  ###############################################
+  # 18.8 System
+  ###############################################
+  ######################################
+  # 18.8.3 Audit Process Creation
+  ######################################
+  - id: 16633
+    title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
+    description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
+    rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.3.1"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36925-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
+  ######################################
+  # 18.8.4 Credentials Delegation
+  ######################################
+  # 18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' (Scored)
+  - id: 16634
+    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'"
+    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients ."
+    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows Server from Server 2008 (non-R2) onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched up through May 2018 (or later)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients : Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 0'
+
+  # 18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' (Scored)
+  - id: 16635
+    title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled ."
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.4.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  ##########################################
+  # 18.8.14 Early Launch Antimalware
+  ##########################################
+  # 18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Scored)
+  - id: 16636
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.14.1"]
+      - cis_csc: ["8"]
+      - pci_dss: ["5.1.1"]
+      - nist_800_53: ["SI.3"]
+      - tsc: ["CC6.8"]
+    references:
+      - "CCE-37912-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  # 18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Scored)
+  - id: 16637
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+    description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.2"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36169-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  # 18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' (Scored)
+  - id: 16638
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+    description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.3"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["11.5.1"]
+      - tsc: ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"]
+    references:
+      - "CCE-36169-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  # 18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' (Scored)
+  - id: 16639
+    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
+    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled ."
+    rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.21.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["6.5.8"]
+      - nist_800_53: ["SA.11", "AU.14", "AC.7"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+  # 18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' (Scored)
+  - id: 16640
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.21.5"]
+      - cis_csc: ["3.7"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37712-7"
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+
+  # 18.8.22.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' (Scored)
+  - id: 16641
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36625-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  # 18.8.22.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' (Scored)
+  - id: 16642
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.22.1.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37911-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  # 18.8.22.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' (Scored)
+  - id: 16643
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36203-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  # 18.8.22.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' (Scored)
+  - id: 16644
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.4"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37163-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  # 18.8.22.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' (Scored)
+  - id: 16645
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.5"]
+      - cis_csc: ["7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36096-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  # 18.8.22.1.6 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' (Scored)
+  - id: 16646
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.6"]
+      - cis_csc: ["13.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36920-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  # 18.8.22.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' (Scored)
+  - id: 16647
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36352-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  # 18.8.22.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' (Scored)
+  - id: 16648
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.8"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36884-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  # 18.8.22.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' (Scored)
+  - id: 16649
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled'''
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.9"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38275-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  # 18.8.22.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' (Scored)
+  - id: 16650
+    title: 'Ensure ''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled'''
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.10"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37090-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  # 18.8.22.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' (Scored)
+  - id: 16651
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.11"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36628-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  # 18.8.22.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' (Scored)
+  - id: 16652
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.12"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36174-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  # 18.8.22.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Scored)
+  - id: 16653
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.8.22.1.13"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35964-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+  ######################################
+  # 18.8.25 Kerberos
+  ######################################
+  # 18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Scored)
+  - id: 16654
+    title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
+    description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic ."
+    rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic : Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.25.1"]
+      - cis_csc: ["1.6"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+  # 18.8.26.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' (Scored)
+  - id: 16655
+    title: "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'"
+    description: "This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Enabled: Block All .    Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher, and also requires a UEFI BIOS to function."
+    rationale: "Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by the peripheral."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block All : Computer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA Protection\\Enumeration policy for external devices incompatible with Kernel DMA Protection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.26.1"]
+      - cis_csc: ["13.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36920-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy -> 0'
+
+  #######################################
+  # 18.8.27 Locale Services
+  #######################################
+  # 18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Scored)
+  - id: 16656
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.26.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36343-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  ################################################
+  # 18.8.28 Logon
+  ################################################
+  # 18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' (Scored)
+  - id: 16657
+    title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
+    description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: Enabled ."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+  # 18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' (Scored)
+  - id: 16658
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.2"]
+      - cis_csc: ["5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38353-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  # 18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' (Scored)
+  - id: 16659
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.3"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.5"]
+    references:
+      - "CCE-37838-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  # 18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only) (Scored)
+  - id: 16660
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.4"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35894-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  # 18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' (Scored)
+  - id: 16661
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.5"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-35893-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  # 18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' (Scored)
+  - id: 16662
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled . Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy  template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.28.6"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  # 18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' (Scored)
+  - id: 16663
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.8.28.7"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37528-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  #######################################
+  # 18.8.31 OS Policies
+  #######################################
+  # 18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' (Scored)
+  - id: 16664
+    title: "Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'"
+    description: "This policy setting determines whether Clipboard contents can be synchronized across devices. The recommended state for this setting is: Disabled ."
+    rationale: "Due to privacy concerns, clipboard data should stay local to the system and not synced across devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow Clipboard synchronization across devices"
+    compliance:
+      - cis: ["18.8.31.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard -> 0'
+
+  # 18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' (Scored)
+  - id: 16665
+    title: "Ensure 'Allow upload of User Activities' is set to 'Disabled'"
+    description: "This policy setting determines whether published User Activities can be uploaded to the cloud. The recommended state for this setting is: Disabled ."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "TTo establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow upload of User Activities"
+    compliance:
+      - cis: ["18.8.31.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities -> 0'
+
+  #######################################
+  # 18.8.34 Power Management
+  #######################################
+  #######################################
+  # 18.8.34.6 Sleep Settings
+  #######################################
+  # 18.8.34.6.1 (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' (Scored)
+  - id: 16666
+    title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled ."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.1"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+  # 18.8.34.6.2 (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' (Scored)
+  - id: 16667
+    title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled ."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.34.6.2"]
+      - cis_csc: ["9"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+  # 18.8.34.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' (Scored)
+  - id: 16668
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.33.6.3"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36881-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  # 18.8.34.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' (Scored)
+  - id: 16669
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.33.6.4"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.2"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37066-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  # 18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' (Scored)
+  - id: 16670
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.35.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36388-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  # # 18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' (Scored)
+  - id: 16671
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.36.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37281-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  # 18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) (Scored)
+  - id: 16672
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.37.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
+      - "CCE-37346-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  # 18.8.37.2 (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only) (Scored)
+  - id: 16673
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
+    description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients."
+    compliance:
+      - cis: ["18.8.37.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36559-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  # Section 18.8.45.5 - Microsoft Support Diagnostic Tool
+  # 18.8.45.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' (Scored)
+  - id: 16674
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider."
+    compliance:
+      - cis: ["18.8.45.5.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38161-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  # Section 18.8.45.11 - Windows Performance PerfTrack
+  # 18.8.45.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' (Scored)
+  - id: 16675
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack."
+    compliance:
+      - cis: ["18.8.45.11.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36648-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  # Section 18.8.47 User Profiles
+  # 18.8.47.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' (Scored)
+  - id: 16676
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID."
+    compliance:
+      - cis: ["18.8.47.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36931-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  # Section 18.8.50.1 - Time Providers
+  # 18.8.50.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' (Scored)
+  - id: 16677
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+    description: "This policy setting specifies whether the Windows NTP Client is enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client."
+    compliance:
+      - cis: ["18.8.50.1.1"]
+      - cis_csc: ["6.1"]
+      - pci_dss: ["10.4"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC7.2"]
+    references:
+      - "CCE-37843-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  # 18.8.50.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) (Scored)
+  - id: 16678
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server."
+    compliance:
+      - cis: ["18.8.50.1.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - nist_800_53: ["AU.8"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37319-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  ################################################
+  # 18.9 Windows Components
+  ################################################
+
+  # 18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' (Scored)
+  - id: 16679
+    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
+    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled ."
+    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+  # 18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' (Scored)
+  - id: 16680
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.6.1"]
+      - cis_csc: ["16.9"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-38354-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  # 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' (Scored)
+  - id: 16681
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.1"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37636-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  # 18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' (Scored)
+  - id: 16682
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.8.2"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38217-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  # 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' (Scored)
+  - id: 16683
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.8.3"]
+      - cis_csc: ["8.3"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36875-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  # 18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' (Scored)
+  - id: 16684
+    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
+    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled ."
+    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.10.1.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+  # 18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' (Scored)
+  - id: 16685
+    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
+    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled ."
+    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.12.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+  # 18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' (Scored)
+  - id: 16686
+    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
+    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled . Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
+    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.13.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+  # 18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' (Scored)
+  - id: 16687
+    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'"
+    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: 'Enabled: First Time' OR 'Enabled: Always'."
+    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'Enabled: First Time' OR 'Enabled: Always' : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.14.1"]
+      - cis_csc: ["15.8"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 2'
+
+  # 18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' (Scored)
+  - id: 16688
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.15.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37534-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  # 18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' (Scored)
+  - id: 16689
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.15.2"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36512-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  # 18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' (Scored)
+  - id: 16690
+    title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
+    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 - Enhanced sends enhanced diagnostic and usage data. A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic . Note: If the Allow Telemetry setting is configured to 0 - Security [Enterprise Only] , then the options in Windows Update to defer upgrades and updates will have no effect. Note #2: In the Microsoft Windows 10 RTM (Release 1507) Administrative Templates, the zero value was named 0 - Off [Enterprise Only] , but it was renamed to 0 - Security [Enterprise Only] starting with the Windows 10 Release 1511 Administrative Templates."
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 1'
+
+  # 18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Scored)
+  - id: 16691
+    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
+    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage ."
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+  # 18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' (Scored)
+  - id: 16692
+    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
+    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled ."
+    rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.3"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+  # 18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' (Scored)
+  - id: 16693
+    title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
+    description: 'This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled . Note: This policy setting applies only to devices running Windows Server 2016, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (Rule 18.9.102.1.1). We have kept this setting in the benchmark to ensure that any older builds of Windows Server 2016 in the environment are still enforced.'
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.16.4"]
+      - cis_csc: ["3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+  # 18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
+  - id: 16694
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.1.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37775-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  # 18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
+  - id: 16695
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.1.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37948-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
+  - id: 16696
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.2.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37145-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  # 18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' (Scored)
+  - id: 16697
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.2.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37695-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  # 18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
+  - id: 16698
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.3.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-38276-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  # 18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
+  - id: 16699
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.3.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-37526-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scored)
+  - id: 16700
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.4.1"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36160-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  # 18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)
+  - id: 16701
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.26.4.2"]
+      - cis_csc: ["6.3"]
+      - pci_dss: ["10.6.1"]
+      - nist_800_53: ["AU.6"]
+      - gpg13: ["4.12"]
+      - gdpr_IV: [35.7.d]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
+    references:
+      - "CCE-36092-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' (Scored)
+  - id: 16702
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.30.2"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37809-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  # 18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Scored)
+  - id: 16703
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.30.3"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36660-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  # 18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Scored)
+  - id: 16704
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.30.4"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36809-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  # 18.9.39.2 Ensure 'Turn off location' is set to 'Enabled'
+  - id: 16705
+    title: "Ensure 'Turn off location' is set to 'Enabled'"
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.39.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36886-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  # 18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Scored)
+  - id: 16706
+    title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
+    description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled ."
+    rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.43.1"]
+      - cis_csc: ["9.1", "13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+  # 18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' (Scored)
+  - id: 16707
+    title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
+    description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled ."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.44.1"]
+      - cis_csc: ["16"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+  # 18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' (Scored)
+  - id: 16708
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.9.52.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36939-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  # 18.9.59.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Scored)
+  - id: 16709
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.2.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36223-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  # 18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
+  - id: 16710
+    title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
+    description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.2.1"]
+      - pci_dss: ["7.2"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37708-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
+  # 18.9.59.3.3.1 Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+  - id: 16711
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.3.1"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37696-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  # 18.9.59.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' (Scored)
+  - id: 16712
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.3.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36509-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  # 18.9.59.3.3.3 Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+  - id: 16713
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.3.3"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37778-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  # 18.9.59.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+  - id: 16714
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.3.4"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37477-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  # 18.9.59.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' (Scored)
+  - id: 16715
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.9.1"]
+      - cis_csc: ["16.14"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37929-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  # 18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' (Scored)
+  - id: 16716
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.9.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37567-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  # 18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Scored)
+  - id: 16717
+    title: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'"
+    description: "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. The recommended state for this setting is: Enabled: SSL. Note: In spite of this setting being labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol."
+    rationale: "The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require use of specific security layer for remote (RDP) connections. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.9.5.3"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-CCE-36598-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 2'
+
+  # 18.9.59.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' (Scored)
+  - id: 16718
+    title: "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'"
+    description: "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. The recommended state for this setting is: Enabled."
+    rationale: "Requiring that user authentication occur earlier in the remote connection process enhances security."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.9.4"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36598-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1'
+
+  # 18.9.59.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' (Scored)
+  - id: 16719
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.9.5"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["8.2.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36627-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  # 18.9.59.3.10.1 Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
+  - id: 16720
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.10.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1.8"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37562-6"
+      - https://workbench.cisecurity.org/benchmarks/766
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0'
+
+  # 18.9.59.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
+  - id: 16721
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.10.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.1"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-37949-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  # 18.9.59.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' (Scored)
+  - id: 16722
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.11.1"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-37946-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  # 18.9.59.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' (Scored)
+  - id: 16723
+    title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
+    description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.59.3.11.2"]
+      - cis_csc: ["14.4"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-38180-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+  # 18.9.60.1 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
+  - id: 16724
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.60.1"]
+      - cis_csc: ["7.2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-37126-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  # 18.9.61.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' (Scored)
+  - id: 16725
+    title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
+    description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search ."
+    rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.61.2"]
+      - cis_csc: ["9.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+  # 18.9.61.3 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
+  - id: 16726
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.61.3"]
+      - cis_csc: ["13.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-38277-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  # 18.9.66.1 Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
+  - id: 16727
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.66.1"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  # 18.9.77.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' (Scored)
+  - id: 16728
+    title: "Ensure 'Configure local setting override for reporting to  Microsoft MAPS' is set to 'Disabled'"
+    description: 'This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Windows Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled .'
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.3.1"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36940-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  # 18.9.77.3.2 Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+  - id: 16729
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership   Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.3.2"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+
+  # 18.9.77.7.1 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' (Scored)
+  - id: 16730
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
+    description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus. The recommended state for this setting is: Enabled ."
+    rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.7.1"]
+      - cis_csc: ["8.1"]
+      - pci_dss: ["5.2"]
+    references:
+      - "CCE-38389-3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
+
+  # Section - 18.9.77.9 - Reporting
+  - id: 16731
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'"
+    description: "This policy setting allows you to configure whether or not Watson events are sent."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events."
+    compliance:
+      - cis: ["18.9.77.9.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-36950-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  # 18.9.77.10.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' (Scored)
+  - id: 16732
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled ."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.10.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-38409-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  # 18.9.77.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' (Scored)
+  - id: 16733
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled ."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.10.2"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-36958-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  # 18.9.77.13.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' (Scored)
+  - id: 16734
+    title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
+    description: "This policy setting controls Windows Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block ."
+    rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.13.3.1"]
+      - cis_csc: ["7"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+  # 18.9.77.14 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' (Scored)
+  - id: 16735
+    title: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"
+    description: "This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications, that can deliver adware or malware. The recommended state for this setting is: Enabled: Block . For more information, see this link: Block potentially unwanted applications with Windows Defender Antivirus | Microsoft Docs"
+    rationale: "Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Configure detection for potentially unwanted applications Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.77.14"]
+      - cis_csc: ["8"]
+      - pci_dss: ["2.2.3"]
+      - nist_800_53: ["CM.1"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'
+
+  # 18.9.77.15 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' (Scored)
+  - id: 16736
+    title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+    description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled ."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.77.15"]
+      - cis_csc: ["8.1"]
+      - pci_dss: ["5.2"]
+      - tsc: ["CC6.8"]
+    references:
+      - "CCE-36082-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
+
+  # 18.9.80.1.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
+  - id: 16737
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
+    description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.9.80.1.1"]
+      - cis_csc: ["2"]
+      - pci_dss: ["2.2.4"]
+      - nist_800_53: ["CM.1"]
+      - tsc: ["CC5.2"]
+    references:
+      - "CCE-35859-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+  # 18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' (Scored)
+  - id: 16738
+    title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
+    description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled ."
+    rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.84.1"]
+      - cis_csc: ["13"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+  # 18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' (Scored)
+  - id: 16739
+    title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
+    description: "This policy setting determines whether Windows Ink items are allowed above the lock screen. The recommended state for this setting is: Enabled: On, but disallow access above lock OR Disabled ."
+    rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.84.2"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 1'
+
+  # 18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled'
+  - id: 16740
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.1"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36400-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  # 18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled'
+  - id: 16741
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.2"]
+      - cis_csc: ["5.1"]
+      - pci_dss: ["7.1"]
+      - tsc: ["CC6.4"]
+    references:
+      - "CCE-36919-9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  # 18.9.85.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+  - id: 16742
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.85.3"]
+      - cis_csc: ["7"]
+      - pci_dss: ["2.2.5"]
+      - tsc: ["CC6.3"]
+    references:
+      - "CCE-37524-6"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  # 18.9.86.1 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
+  - id: 16743
+    title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.86.1"]
+      - cis_csc: ["16.5"]
+      - pci_dss: ["8.6"]
+      - tsc: ["CC6.1"]
+    references:
+      - "CCE-36977-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  # 18.9.95.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
+  - id: 16744
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
+    description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
+    rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.95.1"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
+
+  # 18.9.95.2 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
+  - id: 16745
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.95.2"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
+
+  # 18.9.97.1.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+  - id: 16746
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.1"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36310-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  # 18.9.97.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+  - id: 16747
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.2"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37726-7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  # 18.9.97.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled'
+  - id: 16748
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.1.3"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38318-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  # 18.9.97.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled'
+  - id: 16749
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.1"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36254-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  # 18.9.97.2.2 Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+  - id: 16750
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.2"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-37927-1"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  # 18.9.97.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+  - id: 16751
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.97.2.3"]
+      - cis_csc: ["16.13"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-38223-4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  # 18.9.97.2.4 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+  - id: 16752
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.97.2.4"]
+      - cis_csc: ["16.4"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36000-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  # 18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled'
+  - id: 16753
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.98.1"]
+      - cis_csc: ["3.4"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "CCE-36499-2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  # 18.9.99.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Scored)
+  - id: 16754
+    title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
+    description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled ."
+    rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Security\\App and browser protection\\Prevent users from modifying settings Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.99.2.1"]
+      - cis_csc: ["8.4"]
+      - pci_dss: ["12.3.8"]
+    references:
+      - "CCE-36000-8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+  # 18.9.102.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' (Scored)
+  - id: 16755
+    title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
+    description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software. The recommended state for this setting is: Enabled: Disable preview builds ."
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.102.1.1"]
+      - cis_csc: ["3"]
+      - pci_dss: ["6.4.2"]
+      - tsc: ["CC6.6", "CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
+
+  # 18.9.102.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (Scored)
+  - id: 16756
+    title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
+    description: 'This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them: Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality. Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds. Release Preview: Receive builds of Windows just before Microsoft releases them to the general public. Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public. Semi-Annual Channel: Feature updates will arrive when they are declared Semi-Annual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment. The recommended state for this setting is: Enabled: Semi-Annual Channel, 180 or more days . Note: If the "Allow Telemetry" policy is set to 0, this policy will have no effect. Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. Note #3: Prior to Windows Server 2016 R1709, values above 180 days are not recognized by the OS. Starting with Windows Server 2016 R1709, the maximum number of days you can defer is 365 days.'
+    rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.1.2"]
+      - cis_csc: ["3"]
+      - pci_dss: ["4.1"]
+      - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
+      - nist_800_53: ["SC.8"]
+      - tsc: ["CC6.1", "CC6.7", "CC7.2"]
+    references:
+      - "https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/"
+      - "https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+
+  # 18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Scored)
+  - id: 16757
+    title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
+    description: 'This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days . Note: If the "Allow Telemetry" policy is set to 0, this policy will have no effect. Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering'
+    rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days : Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template ( WindowsUpdate.admx/adml ) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.102.1.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/"
+      - "https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
+
+  # 18.9.102.2 Ensure 'Configure Automatic Updates' is set to 'Enabled'
+  - id: 16758
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
+    description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.2"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "CCE-36172-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  # 18.9.102.3 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
+  - id: 16759
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.102.2. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.3"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "CCE-36172-5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  # 18.9.102.4 Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
+  - id: 16760
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.9.102.4"]
+      - cis_csc: ["4.5"]
+      - pci_dss: ["6.2"]
+      - nist_800_53: ["SI.2", "SA.11", "SI.4"]
+      - gpg_13: ["4.3"]
+      - gdpr_IV: ["35.7.d"]
+      - hipaa: ["164.312.b"]
+      - tsc: ["A1.2", "CC6.8"]
+    references:
+      - "CCE-37027-0"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/etc/ruleset/sca/windows/cis_win2022.yml b/etc/ruleset/sca/windows/cis_win2022.yml
new file mode 100644
index 0000000000..81ed4d3f7d
--- /dev/null
+++ b/etc/ruleset/sca/windows/cis_win2022.yml
@@ -0,0 +1,7291 @@
+# Security Configuration Assessment
+# CIS Checks for Windows 2022 RTM
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Benchmark for Microsoft Windows Server 2022 v2.0.0 - 04-14-2023
+
+policy:
+  id: "cis_win2022"
+  file: "cis_win2022.yml"
+  name: "CIS Microsoft Windows Server 2022 Benchmark v2.0.0"
+  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2022. Please note that the rules provide accurate results for Microsoft Windows Server 2022 Operating Systems with the System language set to English. The SCA policy will work with other languages but the results will be less accurate due to some of the rules that depend on the System language."
+  references:
+    - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+  title: "Check that the Windows platform is Windows Server 2022"
+  description: "Requirements for running the CIS benchmark under Windows Server 2022"
+  condition: all
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2022'
+
+checks:
+  # 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)
+  - id: 27000 
+    title: "Ensure 'Enforce password history' is set to '24 or more password(s)'."
+    description: "This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs."
+    rationale: "The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Enforce password history."
+    references:
+      - https://www.cisecurity.org/white-papers/cis-password-policy-guide/
+    compliance:
+      - cis: ["1.1.1"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.2"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24'
+
+  # 1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. (Automated)
+  - id: 27001 
+    title: "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'."
+    description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access."
+    impact: "If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.1.2"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.10"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare <= 365'
+      - 'c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0'
+
+  # 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'. (Automated)
+  - id: 27002 
+    title: "Ensure 'Minimum password age' is set to '1 or more day(s)'."
+    description: "This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective."
+    impact: "If an administrator sets a password for a user but wants that user to change the password when the user first logs on, the administrator must select the User must change password at next logon check box, or the user will not be able to change the password until the next day."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.10"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password age \(days\):\s+(\d+) compare >= 1'
+
+  # 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'. (Automated)
+  - id: 27003 
+    title: "Ensure 'Minimum password length' is set to '14 or more character(s)'."
+    description: 'This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "passphrase" is a better term than "password." In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization''s business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.'
+    rationale: "Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords."
+    impact: "Requirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. Note: Older versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.1.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Minimum password length:\s+(\d+) compare >= 14'
+
+  # 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. (Automated) - Not Implemented
+
+  # 1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'. (Automated)
+  - id: 27004 
+    title: "Ensure 'Relax minimum password length limits' is set to 'Enabled'."
+    description: "This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following Microsoft Security Blog. The recommended state for this setting is: Enabled. Note: This setting only affects local accounts on the computer. Domain accounts are only affected by settings on the Domain Controllers, because that is where domain accounts are stored."
+    rationale: "This setting will enable the enforcement of longer and generally stronger passwords or passphrases where MFA is not in use."
+    impact: "The Minimum password length setting may be configured higher than 14 characters. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Relax minimum password length limits Note: This setting is only available within the built-in OS security template of Windows 10 Release 2004 and Server 2022 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you must use a Windows 10 Release 2004 or Server 2022 system (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME)."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+      - "https://support.microsoft.com/en-us/topic/minimum-password-length-auditing-and-enforcement-on-certain-versions-of-windows-5ef7fecf-3325-f56b-cc10-4fd565aacc59"
+    compliance:
+      - cis: ["1.1.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits -> 1'
+
+  # 1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. (Automated) - Not Implemented
+
+  # 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. (Automated)
+  - id: 27005 
+    title: "Ensure 'Account lockout duration' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually."
+    impact: "Although it may seem like a good idea to configure this policy setting to never automatically unlock an account, such a configuration can increase the number of requests that your organization's help desk receives to unlock accounts that were locked by mistake."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.2.1"]
+      - cis_csc_v8: ["4.10"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.8", "SC.L2-3.13.9"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v4.0: ["8.3.4"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout duration \(minutes\):\s+(\d+) compare >= 15'
+
+  # 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'. (Automated)
+  - id: 27006 
+    title: "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'."
+    description: "This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts."
+    impact: "If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls. If you enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple user, therefore you should also configure the Account Lockout Duration to a relatively low value. If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.2.2"]
+      - cis_csc_v8: ["4.10"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.8", "SC.L2-3.13.9"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v4.0: ["8.3.4"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare > 0'
+      - 'c:net.exe accounts -> n:Lockout threshold:\s+(\d+) compare <= 5'
+
+  # 1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'. (Manual) - Not Implemented
+
+  # 1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. (Automated)
+  - id: 27007 
+    title: "Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'."
+    description: "This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center."
+    rationale: "Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0."
+    impact: "If you do not configure this policy setting or if the value is configured to an interval that is too long, a DoS attack could occur. An attacker could maliciously attempt to log on to each user's account numerous times and lock out their accounts as described in the preceding paragraphs. If you do not configure the Reset account lockout counter after setting, administrators would have to manually unlock all accounts. If you configure this policy setting to a reasonable value the users would be locked out for some period, after which their accounts would unlock automatically. Be sure that you notify users of the values used for this policy setting so that they will wait for the lockout timer to expire before they call the help desk about their inability to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after."
+    references:
+      - "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
+    compliance:
+      - cis: ["1.2.4"]
+      - cis_csc_v8: ["4.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.8", "SC.L2-3.13.9"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - pci_dss_v4.0: ["8.3.4"]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout observation window \(minutes\):\s+(\d+) compare >= 15'
+
+  # 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only). (Automated) - Not Implemented
+  # 2.2.3 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only). (Automated) - Not Implemented
+  # 2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.8 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only). (Automated) - Not Implemented
+  # 2.2.10 (L1) Ensure 'Back up files and directories' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.11 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. (Automated) - Not Implemented
+  # 2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'. (Automated) - Not Implemented
+  # 2.2.13 (L1) Ensure 'Create a pagefile' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.14 (L1) Ensure 'Create a token object' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.15 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. (Automated) - Not Implemented
+  # 2.2.16 (L1) Ensure 'Create permanent shared objects' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.17 (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.18 (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only). (Automated) - Not Implemented
+  # 2.2.19 (L1) Ensure 'Debug programs' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.20 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only). (Automated) - Not Implemented
+  # 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only). (Automated) - Not Implemented
+  # 2.2.22 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.23 (L1) Ensure 'Deny log on as a service' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.24 (L1) Ensure 'Deny log on locally' to include 'Guests'. (Automated) - Not Implemented
+  # 2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only). (Automated) - Not Implemented
+  # 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only). (Automated) - Not Implemented
+  # 2.2.27 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only). (Automated) - Not Implemented
+  # 2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only). (Automated) - Not Implemented
+  # 2.2.29 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.31 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only). (Automated) - Not Implemented
+  # 2.2.33 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. (Automated) - Not Implemented
+  # 2.2.34 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.36 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only). (Automated) - Not Implemented
+  # 2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only). (Automated) - Not Implemented
+  # 2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One'. (Automated) - Not Implemented
+  # 2.2.40 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.41 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.42 (L1) Ensure 'Profile single process' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.43 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. (Automated) - Not Implemented
+  # 2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. (Automated) - Not Implemented
+  # 2.2.45 (L1) Ensure 'Restore files and directories' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.46 (L1) Ensure 'Shut down the system' is set to 'Administrators'. (Automated) - Not Implemented
+  # 2.2.47 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only). (Automated) - Not Implemented
+  # 2.2.48 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. (Automated) - Not Implemented
+
+  # 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. (Automated)
+  - id: 27008 
+    title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'."
+    description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    impact: "Users will not be able to log onto the computer with their Microsoft account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
+    compliance:
+      - cis: ["2.3.1.1"]
+      - cis_csc_v7: ["16.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+  # 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only). (Automated)
+  - id: 27009 
+    title: "Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)."
+    description: "This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings."
+    rationale: "The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data."
+    impact: "All network users will need to authenticate before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. This policy setting should have little impact on most organizations because it is the default setting in Microsoft Windows 2000, Windows XP, and Windows Server™ 2003."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Guest account status."
+    compliance:
+      - cis: ["2.3.1.2"]
+      - cis_csc_v8: ["4.7"]
+      - cis_csc_v7: ["16.8"]
+      - iso_27001-2013: ["A.9.2.1"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: any
+    rules:
+      - 'c:net user guest -> r:Account active\s+No'
+      - "c:net user guest -> r:The user name could not be found."
+
+  # 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. (Automated)
+  - id: 27010 
+    title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'."
+    description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+    rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
+    compliance:
+      - cis: ["2.3.1.3"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+  # 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account'. (Automated)
+  - id: 27011 
+    title: "Configure 'Accounts: Rename administrator account'."
+    description: "The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created."
+    rationale: "The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on."
+    impact: "You will have to inform users who are authorized to use this account of the new account name. (The guidance for this setting assumes that the Administrator account was not disabled, which was recommended earlier in this chapter.)."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename administrator account."
+    compliance:
+      - cis: ["2.3.1.4"]
+      - cis_csc_v8: ["4.7"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:net user administrator -> r:The user name could not be found."
+
+  # 2.3.1.5 (L1) Configure 'Accounts: Rename guest account'. (Automated)
+  - id: 27012 
+    title: "Configure 'Accounts: Rename guest account'."
+    description: "The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Guest account that was established when the domain was first created."
+    rationale: "The Guest account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination."
+    impact: "There should be little impact, because the Guest account is disabled by default."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Rename guest account."
+    compliance:
+      - cis: ["2.3.1.5"]
+      - cis_csc_v8: ["4.7"]
+      - pci_dss_v3.2.1: ["2.1", "2.1.1"]
+      - pci_dss_v4.0: ["2.2.2", "2.3.1"]
+      - soc_2: ["CC6.3"]
+    condition: all
+    rules:
+      - "c:net user guest -> r:The user name could not be found."
+
+  # 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'. (Automated)
+  - id: 27013 
+    title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."
+    description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. Important: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+    rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."
+    references:
+      - "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing#to-ensure-that-advanced-audit-policy-configuration-settings-are-not-overwritten"
+    compliance:
+      - cis: ["2.3.2.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.2", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+  # 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'. (Automated)
+  - id: 27014 
+    title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'."
+    description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+    rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
+    compliance:
+      - cis: ["2.3.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+  # 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'. (Automated)
+  - id: 27015 
+    title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'."
+    description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+    rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
+    compliance:
+      - cis: ["2.3.4.1"]
+      - cis_csc_v7: ["13.7"]
+      - iso_27001-2013: ["A.8.3.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+  # 2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. (Automated)
+  - id: 27016 
+    title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."
+    description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+    rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
+    compliance:
+      - cis: ["2.3.4.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+  # 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only). (Automated)
+  - id: 27017 
+    title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)."
+    description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
+    impact: "None - this is the default behavior. Note that users (including those in the Server Operators group) are still able to create jobs by means of the Task Scheduler Wizard. However, those jobs will run in the context of the account that the user authenticates with when setting up the job."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks."
+    compliance:
+      - cis: ["2.3.5.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> SubmitControl'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
+
+  # 2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only). (Automated)
+  - id: 27018 
+    title: "Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)."
+    description: "This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU. When the Create Vulnerable Connections list (allow list) is configured: - Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC. - Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC which is the same as the default (not necessary). Note: Warning from Microsoft - enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This policy should be used as a temporary measure for 3rd-party devices as you deploy updates. Once a 3rd-party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. The recommended state for this setting is: Not Configured."
+    rationale: "Enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to security risks. It is highly recommended that this setting not be used (i.e. be left completely unconfigured) so as not to add risk."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Not Configured: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow vulnerable Netlogon secure channel connections."
+    references:
+      - "https://go.microsoft.com/fwlink/?linkid=2133485"
+    compliance:
+      - cis: ["2.3.5.2"]
+    condition: all
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> VulnerableChannelAllowList'
+
+  # 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only). (Automated)
+  - id: 27019 
+    title: "Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)."
+    description: "This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS). The recommended state for this setting is: Always. Note: All LDAP clients must have the CVC-2017-8563 security update to be compatible with Domain Controllers that have this setting enabled. More information on this setting is available at: MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows."
+    rationale: 'Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users'' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against "man-in-the-middle" attacks using LDAP authentication over SSL/TLS (LDAPS).'
+    impact: "All LDAP clients must provide channel binding information over SSL/TLS (i.e. LDAPS). The LDAP server (Domain Controller) rejects authentication requests from clients that do not do so. Clients must have the CVC-2017-8563 security update to support this feature, and may have compatibility issues with this setting without the security update. This may also mean that LDAP authentication requests over SSL/TLS that previously worked may stop working until the security update is installed. When first deploying this setting, you may initially want to only set it to the alternate setting of When supported (instead of Always) on all Domain Controllers. This alternate, interim setting enables support for LDAP client channel binding but does not require it. Then set one DC that is not currently being targeted by LDAP clients to Always, and test each of the critical LDAP clients against that DC (and remediating as necessary), before deploying Always to the rest of the DCs. We also recommend using the new Event ID 3039 on your Domain Controllers (added with the March 2020 security update) to help locate clients that do not use Channel Binding Tokens (CBT) in their LDAPS connections. This new Event ID requires increasing the logging level of the 16 LDAP Interface Events portion of the NTDS service diagnostics to a value of 2 (Basic). For more information, please see Table 2: CBT events at this link: MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows Older OSes such as Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 (non-R2), will first require patches for Microsoft Security Advisory 973811, as well as all associated fixes, in order to be compatible with domain controllers that have this setting deployed. Note: Only Always is actually considered compliant to the CIS benchmark."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Always: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server channel binding token requirements Note: This Group Policy path requires the installation of the March 2020 (or later) Windows security update. With that update, Microsoft added this setting to the built-in OS security template."
+    compliance:
+      - cis: ["2.3.5.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LdapEnforceChannelBinding -> 2'
+
+  # 2.3.5.4 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only). (Automated)
+  - id: 27020 
+    title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)."
+    description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections. For more information on how to identify whether your DCs are being accessed via unsigned LDAP (and where those accesses are coming from), see this Microsoft TechNet blog article: Identifying Clear Text LDAP binds to your DC's - Practical Windows Security."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
+    impact: "Unless TLS/SSL is being used, the LDAP data signing option must be negotiated. Clients that do not support LDAP signing will be unable to run LDAP queries against the Domain Controllers. All Windows 2000-based computers in your organization that are managed from Windows Server 2003-based or Windows XP-based computers and that use Windows NT Challenge/Response (NTLM) authentication must have Windows 2000 Service Pack 3 (SP3) installed. Alternatively, these clients must have a registry change. For information about this registry change, see Microsoft Knowledge Base article 325465: Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools. Also, some non-Microsoft operating systems do not support LDAP signing. If you enable this policy setting, client computers that use those operating systems may be unable to access domain resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements."
+    compliance:
+      - cis: ["2.3.5.4"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
+
+  # 2.3.5.5 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only). (Automated)
+  - id: 27021 
+    title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)."
+    description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes."
+    compliance:
+      - cis: ["2.3.5.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
+
+  # 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. (Automated)
+  - id: 27022 
+    title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed. Therefore, you cannot enable the Domain member: Digitally encrypt or sign secure channel data (always) setting on Domain Controllers that support Windows 98 clients as members of the domain. Potential impacts can include the following: - The ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - Logons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - The ability to authenticate other domains' users from a Domain Controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted domain will be disabled. You can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and Domain Controllers from trusted/trusting domains to Windows NT 4.0 with SP6a."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
+    compliance:
+      - cis: ["2.3.6.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+  # 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. (Automated)
+  - id: 27023 
+    title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.2"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+  # 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. (Automated)
+  - id: 27024 
+    title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'."
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    impact: "None - this is the default behavior. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have Dsclient installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
+    compliance:
+      - cis: ["2.3.6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+  # 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. (Automated)
+  - id: 27025 
+    title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'."
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
+    compliance:
+      - cis: ["2.3.6.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+  # 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. (Automated)
+  - id: 27026 
+    title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'."
+    description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
+    rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the passwords of computer accounts."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Maximum machine account password age."
+    compliance:
+      - cis: ["2.3.6.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 30'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+
+  # 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. (Automated)
+  - id: 27027 
+    title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'."
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)."
+    impact: "None - this is the default behavior. However, computers will not be able to join Windows NT 4.0 domains, and trusts between Active Directory domains and Windows NT-style domains may not work properly. Also, Domain Controllers with this setting configured will not allow older pre-Windows 2000 clients (that that do not support this policy setting) to join the domain."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
+    compliance:
+      - cis: ["2.3.6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+  # 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. (Automated)
+  - id: 27028 
+    title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'."
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    impact: "Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL."
+    compliance:
+      - cis: ["2.3.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+  # 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. (Automated)
+  - id: 27029 
+    title: "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'."
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    impact: "The name of the last user to successfully log on will not be displayed in the Windows logon screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in Note: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows Server 2019."
+    compliance:
+      - cis: ["2.3.7.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+  # 2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. (Automated)
+  - id: 27030 
+    title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'."
+    description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+    rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
+    impact: "The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit."
+    compliance:
+      - cis: ["2.3.7.3"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+  # 2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on'. (Automated)
+  - id: 27031 
+    title: "Configure 'Interactive logon: Message text for users attempting to log on'."
+    description: "This policy setting specifies a text message that displays to users when they log on. Configure this setting in a manner that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons-for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Note: Any warning that you display should first be approved by your organization's legal and human resources representatives."
+    impact: "Users will have to acknowledge a dialog box containing the configured text before they can log on to the computer. Note: Windows Vista and Windows XP Professional support logon banners that can exceed 512 characters in length and that can also contain carriage-return line-feed sequences. However, Windows 2000-based clients cannot interpret and display these messages. You must use a Windows 2000-based computer to create a logon message policy that applies to Windows 2000-based computers."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message text for users attempting to log on."
+    compliance:
+      - cis: ["2.3.7.4"]
+    condition: all
+    rules:
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system'
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -> legalnoticetext'
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -> legalnoticetext-> r:\w+'
+
+  # 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on'. (Automated)
+  - id: 27032 
+    title: "Configure 'Interactive logon: Message title for users attempting to log on'."
+    description: "This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization."
+    rationale: "Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process."
+    impact: "Users will have to acknowledge a dialog box with the configured title before they can log on to the computer."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message title for users attempting to log on."
+    compliance:
+      - cis: ["2.3.7.5"]
+    condition: all
+    rules:
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system'
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -> legalnoticecaption'
+      - 'r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system -> legalnoticecaption -> r:\w+'
+
+  # 2.3.7.6 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) (Automated)
+  - id: 27033 
+    title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)."
+    description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)."
+    rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)."
+    compliance:
+      - cis: ["2.3.7.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
+
+  # 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. (Automated)
+  - id: 27034 
+    title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'."
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+    impact: "Users will see a dialog box prompt to change their password each time that they log on to the domain when their password is configured to expire between 5 and 14 days."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
+    compliance:
+      - cis: ["2.3.7.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+  # 2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only). (Automated)
+  - id: 27035 
+    title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)."
+    description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
+    rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
+    impact: "When the console on a computer is locked, either by a user or automatically by a screen saver time-out, the console can only be unlocked if a Domain Controller is available to re-authenticate the domain account that is being used to unlock the computer. If no Domain Controller is available, the user cannot unlock the computer."
+    remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation."
+    compliance:
+      - cis: ["2.3.7.8"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
+
+  # 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. (Automated)
+  - id: 27036 
+    title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher."
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+    impact: "If you select Lock Workstation, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you select Force Logoff, users are automatically logged off when their smart card is removed. If you select Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the users off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy will function identically to Lock Workstation. Enforcing this setting on computers used by people who must log onto multiple computers in order to perform their duties could be frustrating and lower productivity. For example, if network administrators are limited to a single account but need to log into several computers simultaneously in order to effectively manage the network enforcing this setting will limit them to logging onto one computer at a time. For these reasons it is recommended that this setting only be enforced on workstations used for purposes commonly associated with typical users such as document creation and email."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
+    compliance:
+      - cis: ["2.3.7.9"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
+
+  # 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. (Automated)
+  - id: 27037 
+    title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
+    description: 'This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server; Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled.'
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. (Automated)
+  - id: 27038 
+    title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "None - this is the default behavior. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)."
+    compliance:
+      - cis: ["2.3.8.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. (Automated)
+  - id: 27039 
+    title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'."
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    impact: "None - this is the default behavior. Some very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with the servers in your organization by means of the SMB protocol."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
+    compliance:
+      - cis: ["2.3.8.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+  # 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. (Automated)
+  - id: 27040 
+    title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'."
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s)."
+    rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+    impact: "There will be little impact because SMB sessions will be re-established automatically if the client resumes activity."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
+    compliance:
+      - cis: ["2.3.9.1"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+  # 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. (Automated)
+  - id: 27041 
+    title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'."
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)."
+    compliance:
+      - cis: ["2.3.9.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+  # 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. (Automated)
+  - id: 27042 
+    title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'."
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    impact: "The Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a Domain Controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on Domain Controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)."
+    compliance:
+      - cis: ["2.3.9.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+  # 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. (Automated)
+  - id: 27043 
+    title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'."
+    description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+    rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+    impact: "None - this is the default behavior. If logon hours are not used in your organization, this policy setting will have no impact. If logon hours are used, existing user sessions will be forcibly terminated when their logon hours expire."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire."
+    compliance:
+      - cis: ["2.3.9.4"]
+      - cis_csc_v8: ["5.6"]
+      - cis_csc_v7: ["16.13"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+  # 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only). (Automated)
+  - id: 27044 
+    title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)."
+    description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
+    rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+    impact: "All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. If configured to Accept if provided by client, the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied. If configured to Required from client, the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by client, or the SPN provided does not match, the session is denied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level."
+    compliance:
+      - cis: ["2.3.9.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+  # 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. (Automated)
+  - id: 27045 
+    title: "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'."
+    description: "This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled."
+    rationale: "If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Allow anonymous SID/Name translation."
+    compliance:
+      - cis: ["2.3.10.1"]
+    condition: all
+    rules:
+      - 'c:powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" -> r:0'
+
+  # 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only). (Automated)
+  - id: 27046 
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "None - this is the default behavior. It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts."
+    compliance:
+      - cis: ["2.3.10.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+  # 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only). (Automated)
+  - id: 27047 
+    title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server. Users who access file and print servers anonymously will be unable to list the shared network resources on those servers; the users will have to authenticate before they can view the lists of shared folders and printers. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares."
+    compliance:
+      - cis: ["2.3.10.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+  # 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. (Automated)
+  - id: 27048 
+    title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
+    description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+    rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+    impact: "Credential Manager will not store passwords and credentials on the computer. Users will be forced to enter passwords whenever they log on to their Passport account or other network resources that aren't accessible to their domain account. Testing has shown that clients running Windows Vista or Windows Server 2008 will be unable to connect to Distributed File System (DFS) shares in untrusted domains. Enabling this setting also makes it impossible to specify alternate credentials for scheduled tasks, this can cause a variety of problems. For example, some third-party backup products will no longer work. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory-based domain account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
+    compliance:
+      - cis: ["2.3.10.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+  # 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. (Automated)
+  - id: 27049 
+    title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'."
+    description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+    rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
+    compliance:
+      - cis: ["2.3.10.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+  # 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only). (Automated)
+  - id: 27050 
+    title: "Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)."
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    impact: "Null session access over named pipes will be disabled unless they are included, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The BROWSER named pipe may need to be added to this list if the Computer Browser service is needed for supporting legacy components. The Computer Browser service is disabled by default."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:LSARPC'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:NETLOGON'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:SAMR'
+
+  # 2.3.10.7 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only). (Automated)
+  - id: 27051 
+    title: "Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)."
+    description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: <blank> (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+    rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+    impact: "Null session access over named pipes will be disabled unless they are included, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The BROWSER named pipe may need to be added to this list if the Computer Browser service is needed for supporting legacy components. The Computer Browser service is disabled by default."
+    remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S+'
+
+  # 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths' is configured. (Automated)
+  - id: 27052 
+    title: "Configure 'Network access: Remotely accessible registry paths' is configured."
+    description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called \"Network access: Remotely accessible registry paths and sub-paths\" in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion."
+    rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+    impact: "None - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. Note: If you want to allow remote access, you must also enable the Remote Registry service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths."
+    compliance:
+      - cis: ["2.3.10.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\Eventlog'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\OLAP Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ContentIndex'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Services\\SysmonLog'
+
+  # 2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured. (Automated)
+  - id: 27053 
+    title: "Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured."
+    description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called \"Network access: Remotely accessible registry paths,\" the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog The recommended state for servers that hold the Active Directory Certificate Services Role with Certification Authority Role Service includes the above list and: System\\CurrentControlSet\\Services\\CertSvc The recommended state for servers that have the WINS Server Feature installed includes the above list and: System\\CurrentControlSet\\Services\\WINS."
+    rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+    impact: "None - this is the default behavior. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. Note: If you want to allow remote access, you must also enable the Remote Registry service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS."
+    compliance:
+      - cis: ["2.3.10.9"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog'
+
+  # 2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. (Automated)
+  - id: 27054 
+    title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'."
+    description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+    rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+    impact: "None - this is the default behavior. If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipes are required to maintain trust relationships between the domains, and then add the pipe to the Network access: Named pipes that can be accessed anonymously list: - COMNAP: SNA session access - COMNODE: SNA session access - SQL\\QUERY: SQL instance access - SPOOLSS: Spooler service - LLSRPC: License Logging service - NETLOGON: Net Logon service - LSARPC: LSA access - SAMR: Remote access to SAM objects - BROWSER: Computer Browser service Previous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increased hardening in Windows Server 2003 with SP1 these pipes must be explicitly added if needed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
+    compliance:
+      - cis: ["2.3.10.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+  # 2.3.10.11 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only). (Automated)
+  - id: 27055 
+    title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)."
+    description: 'This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note #2: This setting was originally only supported on Windows Server 2016 and newer, then support for it was added to Windows Server 2008 R2 and newer via the March 2017 security patches. Note #3: If your organization is using Azure Advanced Threat Protection (APT), the service account, "AATP Service" will need to be added to the recommendation configuration. For more information on adding the "AATP Service" account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.'
+    rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM."
+    compliance:
+      - cis: ["2.3.10.11"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
+
+  # 2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. (Automated)
+  - id: 27056 
+    title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'."
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: <blank> (i.e. None)."
+    rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to <blank> (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
+    compliance:
+      - cis: ["2.3.10.12"]
+      - cis_csc_v7: ["14.6"]
+      - iso_27001-2013: ["A.9.1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S+'
+
+  # 2.3.10.13 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. (Automated)
+  - id: 27057 
+    title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'."
+    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    impact: "None - this is the default configuration for domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
+    compliance:
+      - cis: ["2.3.10.13"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+  # 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. (Automated)
+  - id: 27058 
+    title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'."
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+    impact: "Services running as Local System that use Negotiate when reverting to NTLM authentication will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
+    compliance:
+      - cis: ["2.3.11.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> UseMachineId'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+  # 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. (Automated)
+  - id: 27059 
+    title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'."
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+    impact: "Any applications that require NULL sessions for LocalSystem will not work as designed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
+    compliance:
+      - cis: ["2.3.11.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+  # 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. (Automated)
+  - id: 27060 
+    title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'."
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+    impact: "None - this is the default configuration for domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
+    compliance:
+      - cis: ["2.3.11.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+  # 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Automated)
+  - id: 27061 
+    title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it."
+    rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
+    compliance:
+      - cis: ["2.3.11.4"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4", "18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.17", "AC.L2-3.1.13", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.8", "SC.L2-3.13.15"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.13.1.1", "A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:2147483644|2147483640'
+
+  # 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. (Automated)
+  - id: 27062 
+    title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'."
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+    impact: "None - this is the default behavior. Earlier operating systems such as Windows 95, Windows 98, and Windows ME as well as some third-party applications will fail."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
+    compliance:
+      - cis: ["2.3.11.5"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+  # 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. (Manual) - Not Implemented
+
+  # 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'. (Automated)
+  - id: 27063 
+    title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'."
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to down-level domains - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP - Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non-R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    impact: "Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; Domain Controllers refuse LM and NTLM (accept only NTLMv2 authentication). Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
+    compliance:
+      - cis: ["2.3.11.7"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+  # 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. (Automated)
+  - id: 27064 
+    title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher."
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+    impact: "None - this is the default behavior. However, if you choose instead to configure the server to require LDAP signatures then you must also configure the client. If you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts, because the caller will be told that the LDAP BIND command request failed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
+    compliance:
+      - cis: ["2.3.11.8"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'
+
+  # 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)
+  - id: 27065 
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
+    compliance:
+      - cis: ["2.3.11.9"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NtlmMinClientSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NtlmMinClientSec -> 536870912'
+
+  # 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Automated)
+  - id: 27066 
+    title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'."
+    description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
+    compliance:
+      - cis: ["2.3.11.10"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["18.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+  # 2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'. (Automated)
+  - id: 27067 
+    title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'."
+    description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+    rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
+    compliance:
+      - cis: ["2.3.13.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
+  # 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. (Automated)
+  - id: 27068 
+    title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'."
+    description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+    rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non-Windows subsystems."
+    compliance:
+      - cis: ["2.3.15.1"]
+      - cis_csc_v8: ["4.1", "5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - hipaa: ["164.312(a)(2)(i)"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2", "8.1", "8.1.1"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "12.5.2", "2.1.1", "2.2.1"]
+      - soc_2: ["CC6.1", "CC6.2", "CC6.3", "CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+  # 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. (Automated)
+  - id: 27069 
+    title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'."
+    description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+    rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
+    compliance:
+      - cis: ["2.3.15.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+  # 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. (Automated)
+  - id: 27070 
+    title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+    rationale: 'One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows. To address this risk, in Windows Vista or newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled.'
+    impact: "The built-in Administrator account uses Admin Approval Mode. Users that log on using the local Administrator account will be prompted for consent whenever a program requests an elevation in privilege, just like any other user would."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
+    compliance:
+      - cis: ["2.3.17.1"]
+      - cis_csc_v7: ["4.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+  # 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt
+  - id: 27071 
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'."
+    description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+    rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^1$|^2$'
+
+  # 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'. (Automated)
+  - id: 27072 
+    title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."
+    description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+    rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+    impact: 'When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. Note: With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program requiring privilege elevation (without Administrator rights) is "This program will not run. This program is blocked by group policy. For more information, contact your system administrator." Some users who are not used to seeing this message may believe that the operation or program they attempted to run is specifically blocked by group policy, as that is what the message seems to imply. This message may therefore result in user questions as to why that specific operation/program is blocked, when in fact, the problem is that they need to perform the operation or run the program with an Administrative account (or "Run as Administrator" if it is already an Administrator account), and they are not doing that.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
+    compliance:
+      - cis: ["2.3.17.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+  # 2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. (Automated)
+  - id: 27073 
+    title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+    rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+    impact: "When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
+    compliance:
+      - cis: ["2.3.17.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+  # 2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. (Automated)
+  - id: 27074 
+    title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'."
+    description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\\Program Files\\, including subfolders - ...\\Windows\\System32\\ - ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+    rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
+    compliance:
+      - cis: ["2.3.17.5"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+  # 2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. (Automated)
+  - id: 27075 
+    title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'."
+    description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+    rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+    impact: "None - this is the default behavior. Users and administrators will need to learn to work with UAC prompts and adjust their work habits to use least privilege operations."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
+    compliance:
+      - cis: ["2.3.17.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+  # 2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. (Automated)
+  - id: 27076 
+    title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'."
+    description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+    rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
+    compliance:
+      - cis: ["2.3.17.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+  # 2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. (Automated)
+  - id: 27077 
+    title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'."
+    description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %windir% - %windir%\\System32 - HKEY_LOCAL_MACHINE\\SOFTWARE The recommended state for this setting is: Enabled."
+    rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
+    compliance:
+      - cis: ["2.3.17.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
+  # 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only). (Automated)
+  - id: 27078 
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    impact: "Domain Controllers will not be able to prune published printers from Active Directory. By default, Domain Controllers prune printer objects from Active Directory if the computer that published them doesn't respond to contact requests. Domain Controllers will not be able to act as a print server, sharing printers for clients. Applications on and users logged in at Domain Controllers will not be able to print, including printing to files (such as Adobe Portable Document Format (PDF)) which uses the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  # 5.2 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only). (Automated)
+  - id: 27079 
+    title: "Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)."
+    description: "This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled."
+    rationale: "Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service."
+    impact: "Member Servers will not be able to act as a print server, sharing printers for clients. Applications on and users logged in to Member Servers will not be able to print, including printing to files (such as Adobe Portable Document Format (PDF)) which uses the Print Spooler service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Print Spooler."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["5.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler -> Start -> 4'
+
+  # 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 27080 
+    title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
+    compliance:
+      - cis: ["9.1.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+  # 9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 27081 
+    title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.1.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+  # 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 27082 
+    title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.1.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+  # 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 27083 
+    title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.1.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+  # 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. (Automated)
+  - id: 27084 
+    title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.1.5"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+
+  # 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 27085 
+    title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.1.6"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 27086 
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.1.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 27087 
+    title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.1.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  # 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 27088 
+    title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
+    compliance:
+      - cis: ["9.2.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+  # 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 27089 
+    title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.2.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+  # 9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 27090 
+    title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.2.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+  # 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 27091 
+    title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.2.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+  # 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'. (Automated)
+  - id: 27092 
+    title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.2.5"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+
+  # 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 27093 
+    title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.2.6"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 27094 
+    title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.2.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 27095 
+    title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.2.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  # 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. (Automated)
+  - id: 27096 
+    title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'."
+    description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+    rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
+    compliance:
+      - cis: ["9.3.1"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+  # 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. (Automated)
+  - id: 27097 
+    title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'."
+    description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+    rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections."
+    compliance:
+      - cis: ["9.3.2"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+  # 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. (Automated)
+  - id: 27098 
+    title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'."
+    description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+    rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections."
+    compliance:
+      - cis: ["9.3.3"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+  # 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. (Automated)
+  - id: 27099 
+    title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'."
+    description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+    rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+    impact: "Windows Firewall will not display a notification when a program is blocked from receiving inbound connections."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification."
+    compliance:
+      - cis: ["9.3.4"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+  # 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. (Automated)
+  - id: 27100 
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+    rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+    impact: "Administrators can still create firewall rules, but the rules will not be applied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules."
+    compliance:
+      - cis: ["9.3.5"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+  # 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. (Automated)
+  - id: 27101 
+    title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'."
+    description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+    rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+    impact: "Administrators can still create local connection security rules, but the rules will not be applied."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules."
+    compliance:
+      - cis: ["9.3.6"]
+      - cis_csc_v8: ["4.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4"]
+      - pci_dss_v4.0: ["1.2.1"]
+      - soc_2: ["CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+  # 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'. (Automated)
+  - id: 27102 
+    title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'."
+    description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log."
+    rationale: "If Windows Firewall events are not recorded it may be difficult or impossible for Administrators to analyze system issues or unauthorized activities of malicious users. Microsoft stores all firewall events as one file on the system (pfirewall.log). To improve logging, separate each firewall profile (domain, private, public) into its own distinct log file (domainfw.log, privatefw.log, publicfw.log) for better organization and identification of specific issues within each profile."
+    impact: "The log file will be stored in the specified file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name."
+    compliance:
+      - cis: ["9.3.7"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+
+  # 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'. (Automated)
+  - id: 27103 
+    title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'."
+    description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)."
+    compliance:
+      - cis: ["9.3.8"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+  # 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'. (Automated)
+  - id: 27104 
+    title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about dropped packets will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets."
+    compliance:
+      - cis: ["9.3.9"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+  # 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'. (Automated)
+  - id: 27105 
+    title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'."
+    description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Information about successful connections will be recorded in the firewall log file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections."
+    compliance:
+      - cis: ["9.3.10"]
+      - cis_csc_v8: ["4.5", "8.5"]
+      - cis_csc_v7: ["9.4", "11.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.20", "AU.L2-3.3.1", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7", "SC-7(5)"]
+      - pci_dss_v3.2.1: ["1.1.4", "1.4", "10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["1.2.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.6", "CC7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+
+  # 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'. (Automated)
+  - id: 27106 
+    title: "Ensure 'Audit Credential Validation' is set to 'Success and Failure'."
+    description: "This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - 4774: An account was mapped for logon. - 4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Credential Validation."
+    compliance:
+      - cis: ["17.1.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.12"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Credential Validation" -> r:Success and Failure'
+
+  # 17.1.2 (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only). (Automated)
+  - id: 27107 
+    title: "Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)."
+    description: "This subcategory reports the results of events generated after a Kerberos authentication TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user. - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed. - 4772: A Kerberos authentication ticket request failed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Kerberos Authentication Service."
+    compliance:
+      - cis: ["17.1.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Kerberos Authentication Service" -> r:Success and Failure'
+
+  # 17.1.3 (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only). (Automated)
+  - id: 27108 
+    title: "Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)."
+    description: "This subcategory reports the results of events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Kerberos Service Ticket requests (TGS requests) occur as part of service use and access requests by specific accounts. Auditing these events will record the IP address from which the account requested TGS, when TGS was requested, and which encryption type was used. - 4769: A Kerberos service ticket was requested. - 4770: A Kerberos service ticket was renewed. - 4773: A Kerberos service ticket request failed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Kerberos Service Ticket Operations."
+    compliance:
+      - cis: ["17.1.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Kerberos Service Ticket Operations" -> r:Success and Failure'
+
+  # 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'. (Automated)
+  - id: 27109 
+    title: "Ensure 'Audit Application Group Management' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Application Group Management."
+    compliance:
+      - cis: ["17.2.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Application Group Management" -> r:Success and Failure'
+
+  # 17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only). (Automated)
+  - id: 27110 
+    title: "Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)."
+    description: "This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer account was deleted. The recommended state for this setting is to include: Success."
+    rationale: "Auditing events in this category may be useful when investigating an incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Computer Account Management."
+    compliance:
+      - cis: ["17.2.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Computer Account Management" -> r:Success'
+
+  # 17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only). (Automated)
+  - id: 27111 
+    title: "Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)."
+    description: "This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include: - 4744: A security-disabled local group was created. - 4745: A security-disabled local group was changed. - 4746: A member was added to a security-disabled local group. - 4747: A member was removed from a security-disabled local group. - 4748: A security-disabled local group was deleted. - 4749: A security-disabled global group was created. - 4750: A security-disabled global group was changed. - 4751: A member was added to a security-disabled global group. - 4752: A member was removed from a security-disabled global group. - 4753: A security-disabled global group was deleted. - 4759: A security-disabled universal group was created. - 4760: A security-disabled universal group was changed. - 4761: A member was added to a security-disabled universal group. - 4762: A member was removed from a security-disabled universal group. - 4763: A security-disabled universal group was deleted. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may provide an organization with insight when investigating an incident. For example, when a given unauthorized user was added to a sensitive distribution group."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Distribution Group Management."
+    compliance:
+      - cis: ["17.2.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Distribution Group Management" -> r:Success'
+
+  # 17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only). (Automated)
+  - id: 27112 
+    title: "Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)."
+    description: "This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Other Account Management Events."
+    compliance:
+      - cis: ["17.2.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Account Management Events" -> r:Success'
+
+  # 17.2.5 (L1) Ensure 'Audit Security Group Management' is set to include 'Success'. (Automated)
+  - id: 27113 
+    title: "Ensure 'Audit Security Group Management' is set to include 'Success'."
+    description: "This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Security Group Management."
+    compliance:
+      - cis: ["17.2.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.6"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.2.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security Group Management" -> r:Success'
+
+  # 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'. (Automated)
+  - id: 27114 
+    title: "Ensure 'Audit User Account Management' is set to 'Success and Failure'."
+    description: "This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management."
+    compliance:
+      - cis: ["17.2.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"User Account Management" -> r:Success and Failure'
+
+  # 17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success'. (Automated)
+  - id: 27115 
+    title: "Ensure 'Audit PNP Activity' is set to include 'Success'."
+    description: "This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit PNP Activity."
+    compliance:
+      - cis: ["17.3.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Plug and Play Events" -> r:Success'
+
+  # 17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success'. (Automated)
+  - id: 27116 
+    title: "Ensure 'Audit Process Creation' is set to include 'Success'."
+    description: "This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Detailed Tracking\\Audit Process Creation."
+    compliance:
+      - cis: ["17.3.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Process Creation" -> r:Success'
+
+  # 17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only). (Automated)
+  - id: 27117 
+    title: "Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)."
+    description: "This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 4662 : An operation was performed on an object. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Access."
+    compliance:
+      - cis: ["17.4.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Directory Service Access" -> r:Failure'
+
+  # 17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only). (Automated)
+  - id: 27118 
+    title: "Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)."
+    description: "This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 5136 : A directory service object was modified. - 5137 : A directory service object was created. - 5138 : A directory service object was undeleted. - 5139 : A directory service object was moved. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Changes."
+    compliance:
+      - cis: ["17.4.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Directory Service Changes" -> r:Success'
+
+  # 17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure'. (Automated)
+  - id: 27119 
+    title: "Ensure 'Audit Account Lockout' is set to include 'Failure'."
+    description: "This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Account Lockout."
+    compliance:
+      - cis: ["17.5.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.6"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.2.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Account Lockout" -> r:Failure'
+
+  # 17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success'. (Automated)
+  - id: 27120 
+    title: "Ensure 'Audit Group Membership' is set to include 'Success'."
+    description: "This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Group Membership."
+    compliance:
+      - cis: ["17.5.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Group Membership" -> r:Success'
+
+  # 17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success'. (Automated)
+  - id: 27121 
+    title: "Ensure 'Audit Logoff' is set to include 'Success'."
+    description: "This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logoff."
+    compliance:
+      - cis: ["17.5.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logoff" -> r:Success'
+
+  # 17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure'. (Automated)
+  - id: 27122 
+    title: "Ensure 'Audit Logon' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Logon."
+    compliance:
+      - cis: ["17.5.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Logon" -> r:Success and Failure'
+
+  # 17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'. (Automated)
+  - id: 27123 
+    title: "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'."
+    description: "This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Other Logon/Logoff Events."
+    compliance:
+      - cis: ["17.5.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Logon/Logoff Events" -> r:Success and Failure'
+
+  # 17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success'. (Automated)
+  - id: 27124 
+    title: "Ensure 'Audit Special Logon' is set to include 'Success'."
+    description: "This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Logon/Logoff\\Audit Special Logon."
+    compliance:
+      - cis: ["17.5.6"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3", "16.13"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Special Logon" -> r:Success'
+
+  # 17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'. (Automated)
+  - id: 27125 
+    title: "Ensure 'Audit Detailed File Share' is set to include 'Failure'."
+    description: "This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure."
+    rationale: "Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Detailed File Share."
+    compliance:
+      - cis: ["17.6.1"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.3", "14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Detailed File Share" -> r:Failure'
+
+  # 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure'. (Automated)
+  - id: 27126 
+    title: "Ensure 'Audit File Share' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited."
+    rationale: "In an enterprise managed environment, it's important to track deletion, creation, modification, and access events for network shares. Any unusual file sharing activity may be useful in an investigation of potentially malicious activity."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit File Share."
+    compliance:
+      - cis: ["17.6.2"]
+      - cis_csc_v8: ["3.3", "8.5"]
+      - cis_csc_v7: ["6.3", "14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "AU.L2-3.3.1", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.12.4.1", "A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6", "AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3", "7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "7.1", "9.4.5"]
+      - soc_2: ["CC5.2", "CC6.1", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"File Share" -> r:Success and Failure'
+
+  # 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'. (Automated)
+  - id: 27127 
+    title: "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure."
+    rationale: "The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Other Object Access Events."
+    compliance:
+      - cis: ["17.6.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Object Access Events" -> r:Success and Failure'
+
+  # 17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'. (Automated)
+  - id: 27128 
+    title: "Ensure 'Audit Removable Storage' is set to 'Success and Failure'."
+    description: "This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy."
+    rationale: "Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Object Access\\Audit Removable Storage."
+    compliance:
+      - cis: ["17.6.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Removable Storage" -> r:Success and Failure'
+
+  # 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'. (Automated)
+  - id: 27129 
+    title: "Ensure 'Audit Audit Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Audit Policy Change."
+    compliance:
+      - cis: ["17.7.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Audit Policy Change" -> r:Success'
+
+  # 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'. (Automated)
+  - id: 27130 
+    title: "Ensure 'Audit Authentication Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authentication Policy Change."
+    compliance:
+      - cis: ["17.7.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authentication Policy Change" -> r:Success'
+
+  # 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'. (Automated)
+  - id: 27131 
+    title: "Ensure 'Audit Authorization Policy Change' is set to include 'Success'."
+    description: "This subcategory reports changes in authorization policy. Events for this subcategory include: - 4703: A user right was adjusted. - 4704: A user right was assigned. - 4705: A user right was removed. - 4670: Permissions on an object were changed. - 4911: Resource attributes of the object were changed. - 4913: Central Access Policy on the object was changed. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change."
+    compliance:
+      - cis: ["17.7.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["5.5", "6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Authorization Policy Change" -> r:Success'
+
+  # 17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'. (Automated)
+  - id: 27132 
+    title: "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'."
+    description: "This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is: Success and Failure."
+    rationale: "Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit MPSSVC Rule-Level Policy Change."
+    compliance:
+      - cis: ["17.7.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change" -> r:Success and Failure'
+
+  # 17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'. (Automated)
+  - id: 27133 
+    title: "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'."
+    description: "This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure."
+    rationale: "This setting can help detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Other Policy Change Events."
+    compliance:
+      - cis: ["17.7.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other Policy Change Events" -> r:Failure'
+
+  # 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'. (Automated)
+  - id: 27134 
+    title: "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'."
+    description: "This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Impersonate a client after authentication Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Privilege Use\\Audit Sensitive Privilege Use."
+    compliance:
+      - cis: ["17.8.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Sensitive Privilege Use" -> r:Success and Failure'
+
+  # 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'. (Automated)
+  - id: 27135 
+    title: "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'."
+    description: "This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit IPsec Driver."
+    compliance:
+      - cis: ["17.9.1"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"IPsec Driver" -> r:Success and Failure'
+
+  # 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'. (Automated)
+  - id: 27136 
+    title: "Ensure 'Audit Other System Events' is set to 'Success and Failure'."
+    description: "This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure."
+    rationale: "Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Other System Events."
+    compliance:
+      - cis: ["17.9.2"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Other System Events" -> r:Success and Failure'
+
+  # 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success'. (Automated)
+  - id: 27137 
+    title: "Ensure 'Audit Security State Change' is set to include 'Success'."
+    description: "This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change."
+    compliance:
+      - cis: ["17.9.3"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security State Change" -> r:Success'
+
+  # 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success'. (Automated)
+  - id: 27138 
+    title: "Ensure 'Audit Security System Extension' is set to include 'Success'."
+    description: "This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is to include: Success."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security System Extension."
+    compliance:
+      - cis: ["17.9.4"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"Security System Extension" -> r:Success'
+
+  # 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'. (Automated)
+  - id: 27139 
+    title: "Ensure 'Audit System Integrity' is set to 'Success and Failure'."
+    description: "This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure."
+    rationale: "Auditing these events may be useful when investigating a security incident."
+    impact: "If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit System Integrity."
+    compliance:
+      - cis: ["17.9.5"]
+      - cis_csc_v8: ["8.5"]
+      - cis_csc_v7: ["6.3"]
+      - cmmc_v2.0: ["AU.L2-3.3.1"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - nist_sp_800-53: ["AU-3(1)", "AU-7"]
+      - pci_dss_v3.2.1: ["10.1", "10.2.2", "10.2.4", "10.2.5", "10.3"]
+      - pci_dss_v4.0: ["10.2", "10.2.1", "10.2.1.2", "10.2.1.5", "9.4.5"]
+      - soc_2: ["CC5.2", "CC7.2"]
+    condition: all
+    rules:
+      - 'c:auditpol.exe /get /subcategory:"System Integrity" -> r:Success and Failure'
+
+  # 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. (Automated)
+  - id: 27140 
+    title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'."
+    description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+    impact: "If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+  # 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. (Automated)
+  - id: 27141 
+    title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'."
+    description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+    impact: "If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.1.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+  # 18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. (Automated)
+  - id: 27142 
+    title: "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'."
+    description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+    rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+    impact: "Automatic learning of speech, inking, and typing stops and users cannot change its value via PC Settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow users to enable online speech recognition services Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow input personalization, but it was renamed to Allow users to enable online speech recognition services starting with the Windows 10 R1809 & Server 2019 Administrative Templates."
+    compliance:
+      - cis: ["18.1.2.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+  # 18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled'. (Automated)
+  - id: 27143 
+    title: "Ensure 'Allow Online Tips' is set to 'Disabled'."
+    description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Settings will not contact Microsoft content services to retrieve tips and help content."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.1.3"]
+      - cis_csc_v7: ["9.2", "9.3"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
+  # 18.3.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only). (Automated)
+  - id: 27144 
+    title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize third-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "No impact. When installed and registered properly, AdmPwd.dll takes no action unless given appropriate GPO commands during Group Policy refresh. It is not a memory-resident agent or service. In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary."
+    remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll."
+    compliance:
+      - cis: ["18.3.1"]
+      - cis_csc_v8: ["5.2", "5.4"]
+      - cis_csc_v7: ["4.4", "16.2"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
+
+  # 18.3.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only). (Automated)
+  - id: 27145 
+    title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize third-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: 'Planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.2"]
+      - cis_csc_v7: ["16.10"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  # 18.3.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only). (Automated)
+  - id: 27146 
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "The local administrator password is managed (provided that the LAPS AdmPwd GPO Extension / CSE is installed on the target computer (see recommendation Ensure LAPS AdmPwd GPO Extension / CSE is installed), the Active Directory domain schema and account permissions have been properly configured on the domain). In a disaster recovery scenario where Active Directory is not available, the local Administrator password will not be retrievable and a local password reset using a tool (such as Microsoft's Disaster and Recovery Toolset (DaRT) Recovery Image) may be necessary."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.3"]
+      - cis_csc_v8: ["5.2", "5.4"]
+      - cis_csc_v7: ["4.4", "16.2"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "IA.L2-3.5.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  # 18.3.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only). (Automated)
+  - id: 27147 
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to contain large letters + small letters + numbers + special characters."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.4"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  # 18.3.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only). (Automated)
+  - id: 27148 
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to have a length of 15 characters (or more, if selected)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.5"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["4.4"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - iso_27001-2013: ["A.9.4.3"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  # 18.3.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only). (Automated)
+  - id: 27149 
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)."
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    impact: "LAPS-generated passwords will be required to have a maximum age of 30 days (or fewer, if selected)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
+    compliance:
+      - cis: ["18.3.6"]
+      - cis_csc_v8: ["5.2"]
+      - cis_csc_v7: ["16.10"]
+      - cmmc_v2.0: ["IA.L2-3.5.7"]
+      - pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  # 18.4.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only). (Automated)
+  - id: 27150 
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)."
+    description: 'This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled.'
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.1"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
+
+  # 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'. (Automated)
+  - id: 27151 
+    title: "Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'."
+    description: "This policy setting controls packet level privacy for Remote Procedure Call (RPC) incoming connections. The recommended state for this setting is: Enabled."
+    rationale: "A security bypass vulnerability (CVE-2021-1678 | Windows Print Spooler Spoofing Vulnerability) exists in the way the Printer RPC binding handles authentication for the remote Winspool interface. Enabling the RPC packet level privacy setting for incoming connections enforces the server-side to increase the authentication level to minimize this vulnerability."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure RPC packet level privacy setting for incoming connections Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    references:
+      - "https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1678"
+    compliance:
+      - cis: ["18.4.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print -> RpcAuthnLevelPrivacyEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print -> RpcAuthnLevelPrivacyEnabled -> 1'
+
+  # 18.4.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'. (Automated)
+  - id: 27152 
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'."
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver (recommended). Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems."
+    rationale: 'Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy - "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog.'
+    impact: "Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: SMB1 Product Clearinghouse | Storage at Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "14.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  # 18.4.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'. (Automated)
+  - id: 27153 
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'."
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
+    rationale: 'Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy - "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy - Microsoft Security Guidance blog.'
+    impact: "Some legacy OSes (e.g. Windows XP, Server 2003 or older), applications and appliances may no longer be able to communicate with the system once SMBv1 is disabled. We recommend careful testing be performed to determine the impact prior to configuring this as a widespread control, and where possible, remediate any incompatibilities found with the vendor of the incompatible system. Microsoft is also maintaining a thorough (although not comprehensive) list of known SMBv1 incompatibilities at this link: SMB1 Product Clearinghouse | Storage at Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2", "14.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1", "A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  # 18.4.5 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. (Automated)
+  - id: 27154 
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'."
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    impact: "After you enable SEHOP, existing versions of Cygwin, Skype, and Armadillo-protected applications may not work correctly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. More information is available at MSKB 956607: How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems."
+    compliance:
+      - cis: ["18.4.5"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  # 18.4.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'. (Automated)
+  - id: 27155 
+    title: "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'."
+    description: "This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: - The B-node (broadcast) method only uses broadcasts. - The P-node (point-to-point) method only uses name queries to a name server (WINS). - The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. - The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point). Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts."
+    impact: "NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\NetBT NodeType configuration Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new NetBT NodeType configuration setting."
+    compliance:
+      - cis: ["18.4.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+  # 18.4.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'. (Automated)
+  - id: 27156 
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'."
+    description: 'When WDigest authentication is enabled, Lsass.exe retains a copy of the user''s plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled.'
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    impact: "None - this is also the default configuration for Server 2012 R2 or newer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link."
+    compliance:
+      - cis: ["18.4.7"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  # 18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. (Automated)
+  - id: 27157 
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'."
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see Microsoft Knowledge Base article 324737: How to turn on automatic logon in Windows. The recommended state for this setting is: Disabled."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.1"]
+      - cis_csc_v8: ["3.11"]
+      - cis_csc_v7: ["16.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.19", "IA.L2-3.5.10", "MP.L2-3.8.1", "SC.L2-3.13.11", "SC.L2-3.13.16"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1"]
+      - nist_sp_800-53: ["SC-28", "SC-28(1)"]
+      - pci_dss_v3.2.1: ["3.4", "3.4.1", "8.2.1"]
+      - pci_dss_v4.0: ["3.1.1", "3.3.2", "3.3.3", "3.5.1", "3.5.1.2", "3.5.1.3", "8.3.2"]
+      - soc_2: ["CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  # 18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
+  - id: 27158 
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Automated)
+  - id: 27159 
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'."
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  # 18.5.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. (Automated)
+  - id: 27160 
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'."
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    impact: "When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.4"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  # 18.5.5 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. (Automated)
+  - id: 27161 
+    title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'."
+    description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+    rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+    impact: "Keep-alive packets are not sent by default by Windows. However, some applications may configure the TCP stack flag that requests keep-alive packets. For such configurations, you can lower this value from the default setting of two hours to five minutes to disconnect inactive sessions more quickly."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
+
+  # 18.5.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. (Automated)
+  - id: 27162 
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'."
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.6"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  # 18.5.7 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. (Automated)
+  - id: 27163 
+    title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'."
+    description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+    rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+    impact: "Windows will not automatically detect and configure default gateway addresses on the computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+  # 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. (Automated)
+  - id: 27164 
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'."
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs."
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.8"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  # 18.5.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' (Automated)
+  - id: 27165 
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'."
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.9"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  # 18.5.10 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. (Automated)
+  - id: 27166 
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    impact: "TCP starts a retransmission timer when each outbound segment is passed to the IP. If no acknowledgment is received for the data in a given segment before the timer expires, then the segment is retransmitted up to three times."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.10"]
+      - cis_csc_v8: ["4.2"]
+      - cis_csc_v7: ["11.1"]
+      - cmmc_v2.0: ["CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.3", "CM.L2-3.4.6", "CM.L2-3.4.7", "SC.L2-3.13.6"]
+      - nist_sp_800-53: ["AC-18(1)", "AC-18(3)", "CM-2", "CM-6", "CM-7", "CM-7(1)", "CM-9"]
+      - pci_dss_v3.2.1: ["1.1.1", "1.2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.4.2", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.5.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. (Automated)
+  - id: 27167 
+    title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'."
+    description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+    rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+    impact: "TCP starts a retransmission timer when each outbound segment is passed to the IP. If no acknowledgment is received for the data in a given segment before the timer expires, then the segment is retransmitted up to three times."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+    compliance:
+      - cis: ["18.5.11"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+  # 18.5.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' (Automated)
+  - id: 27168 
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'."
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required."
+    compliance:
+      - cis: ["18.5.12"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.3", "6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  # 18.6.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher. (Automated)
+  - id: 27169 
+    title: "Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher."
+    description: "This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs. The recommended state for this setting is: Enabled: Allow DoH. Configuring this setting to Enabled: Require DoH also conforms to the benchmark."
+    rationale: "DNS over HTTPS (DoH) helps protect against DNS spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. It can also help prevent man-in-the-middle (MitM) attacks because the session in-between is encrypted."
+    impact: "If the option Enabled: Require DoH is chosen, this could limit third-party products from logging DNS traffic (in transit) as the traffic would be encrypted while in transit. The Require DoH option could also lead to domain-joined systems not functioning properly within the environment. The option Enabled: Allow DoH will perform DoH queries if the configured DNS servers support it. If they don't support it, classic name resolution will be used. This is the safest option. Note: Per Microsoft, don't enable the Enabled: Require DoH option for domain-joined computers as Active Directory Domain Services is heavily reliant on DNS because the Windows Server DNS Server service does not support DoH queries."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark): Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Configure DNS over HTTPS (DoH) name resolution Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support"
+    compliance:
+      - cis: ["18.6.4.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> DoHPolicy -> r:^2$|^3$'
+
+  # 18.6.4.2 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. (Automated)
+  - id: 27170 
+    title: "Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'."
+    description: "This policy setting specifies if the Domain Name System (DNS) client will perform name resolution over Network Basic Input/Output System (NetBIOS). NetBIOS is a legacy name resolution method for internal Microsoft networking that predates the use of DNS for that purpose (pre-Active Directory). Some legacy applications still require the use of NetBIOS for full functionality. The recommended state for this setting is: Enabled: Disable NetBIOS name resolution on public networks. Configuring this setting to Enabled: Disable NetBIOS name resolution also conforms to the benchmark."
+    rationale: 'NetBIOS does not perform authentication and can allow remote attackers to cause a denial of service by sending spoofed Name Conflicts or Name Release datagrams. This is also known as "NetBIOS Name Server Protocol Spoofing". Preventing the use of NetBIOS on public networks reduces the attack surface.'
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable NetBIOS name resolution on public networks: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Configure NetBIOS settings."
+    compliance:
+      - cis: ["18.6.4.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableNetbios'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableNetbios -> 2'
+
+  # 18.6.4.3 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. (Automated)
+  - id: 27171 
+    title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'."
+    description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
+    rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system. Note: To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to Disable NetBIOS over TCP/IP (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per-NIC setting that varies with different NIC hardware installations."
+    impact: "In the event DNS is unavailable a system will be unable to request it from other systems on the same subnet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.4.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+  # 18.6.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled'. (Automated)
+  - id: 27172 
+    title: "Ensure 'Enable Font Providers' is set to 'Disabled'."
+    description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+    impact: "Windows will not connect to an online font provider and will only enumerate locally-installed fonts."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.5.1"]
+      - cis_csc_v8: ["16.5"]
+      - cis_csc_v7: ["18.4"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["12.3.4", "6.3.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+  # 18.6.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'. (Automated)
+  - id: 27173 
+    title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'."
+    description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
+    rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+    impact: "The SMB client will reject insecure guest logons. This was not originally the default behavior in older versions of Windows, but Microsoft changed the default behavior starting with Windows Server 2016 R1709: Guest access in SMB2 disabled by default in Windows 10 and Windows Server 2016."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.8.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+  # 18.6.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. (Automated)
+  - id: 27174 
+    title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.9.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+
+  # 18.6.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. (Automated)
+  - id: 27175 
+    title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'."
+    description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+    rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.9.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+
+  # 18.6.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. (Automated)
+  - id: 27176 
+    title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'."
+    description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+    impact: "Microsoft Peer-to-Peer Networking Services are turned off in their entirety, and all applications dependent on them will stop working."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P-pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.10.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+  # 18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. (Automated)
+  - id: 27177 
+    title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'."
+    description: "You can use this procedure to control a user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+    rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+    impact: "Users cannot create or configure a Network Bridge."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.11.2"]
+      - cis_csc_v8: ["4.8", "12.2"]
+      - cis_csc_v7: ["11.3"]
+      - cmmc_v2.0: ["AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22", "AC.L2-3.1.14", "AC.L2-3.1.16", "AC.L2-3.1.17", "AC.L2-3.1.3", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.5", "SC.L2-3.13.2", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.12.1.2"]
+      - nist_sp_800-53: ["CP-6", "CP-7", "PL-8"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "1.2.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "1.3.1", "1.3.2", "1.3.3", "1.4.4", "11.4.5", "2.2.4", "6.4.1", "7.1", "7.2.5.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+  # 18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. (Automated)
+  - id: 27178 
+    title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'."
+    description: 'Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled.'
+    rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+    impact: "Mobile Hotspot cannot be enabled or configured by Administrators and non-Administrators alike."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.11.3"]
+      - cis_csc_v8: ["4.8", "12.2"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["AC.L1-3.1.2", "AC.L1-3.1.20", "AC.L1-3.1.22", "AC.L2-3.1.14", "AC.L2-3.1.16", "AC.L2-3.1.17", "AC.L2-3.1.3", "CM.L2-3.4.1", "CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L1-3.13.5", "SC.L2-3.13.2", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - nist_sp_800-53: ["CP-6", "CP-7", "PL-8"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "1.2.3", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "1.3.1", "1.3.2", "1.3.3", "1.4.4", "11.4.5", "2.2.4", "6.4.1", "7.1", "7.2.5.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
+  # 18.6.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. (Automated)
+  - id: 27179 
+    title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'."
+    description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+    rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+    impact: "Domain users must elevate when setting a network's location."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.11.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+  # 18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (Automated)
+  - id: 27180 
+    title: 'Ensure ''Hardened UNC Paths'' is set to ''Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares''.'
+    description: 'This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.'
+    rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
+    impact: "Windows only allows access to the specified UNC paths after fulfilling additional security requirements."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\\\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\\\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths. Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required."
+    compliance:
+      - cis: ["18.6.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+
+  # 18.6.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)'). (Automated)
+  - id: 27181 
+    title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')."
+    description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)."
+    rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components removes a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+    impact: "Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. Examples of Microsoft applications that may use IPv6 include: Remote Assistance, HomeGroup, DirectAccess, Windows Mail. This registry change is documented in Microsoft Knowledge Base article 929852: How to disable IPv6 or its components in Windows. Note: This registry change does not take effect until the next reboot."
+    remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+    compliance:
+      - cis: ["18.6.19.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
+
+  # 18.6.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. (Automated)
+  - id: 27182 
+    title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'."
+    description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+    rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+    impact: "WCN operations are disabled over all media."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.6.20.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["15.4", "15.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+  # 18.6.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. (Automated)
+  - id: 27183 
+    title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'."
+    description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+    rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+    impact: 'The WCN wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks including "Set up a wireless router or access point" and "Add a wireless device" are disabled.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.20.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
+  # 18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' (Automated)
+  - id: 27184 
+    title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'."
+    description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled: 3 = Prevent Wi-Fi when on Ethernet."
+    rationale: "Preventing bridged network connections can help prevent a user unknowingly allowing traffic to route between internal and external networks, which risks exposure to sensitive internal data."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3 = Prevent Wi-Fi when on Ethernet: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates. It was updated with a new Minimize Policy Options sub-setting starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.6.21.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["15.5"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 3'
+
+  # 18.6.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only). (Automated)
+  - id: 27185 
+    title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)."
+    description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+    rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+    impact: "The computer responds to automatic and manual network connection attempts based on the following circumstances: Automatic connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. - When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.6.21.2"]
+      - cis_csc_v7: ["12.4"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+  # 18.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'. (Automated)
+  - id: 27186 
+    title: "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'."
+    description: "This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect. Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled."
+    rationale: "Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service."
+    impact: "Provided that the Print Spooler service is not disabled, applications on and users logged in to servers will continue to be able to print from the server. However, the Print Spooler service will not accept client connections or allow users to share printers. Note that all printers that were already shared will continue to be shared. Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+    compliance:
+      - cis: ["18.7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RegisterSpoolerRemoteRpcEndPoint -> 2'
+
+  # 18.7.2 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'. (Automated)
+  - id: 27187 
+    title: "Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'."
+    description: "This policy setting determines whether Redirection Guard is enabled for the print spooler. Redirection Guard can prevent file redirections from being used within the print spooler. The recommended state for this setting is: Enabled: Redirection Guard Enabled."
+    rationale: "This setting prevents non-administrators from redirecting files within the print spooler process."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Redirection Guard Enabled: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure Redirection Guard Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520"
+    compliance:
+      - cis: ["18.7.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RedirectionguardPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RedirectionguardPolicy -> 1'
+
+  # 18.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'. (Automated)
+  - id: 27188 
+    title: "Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'."
+    description: "This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: RPC over TCP."
+    rationale: "This setting prevents the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: RPC over TCP: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC connection settings: Protocol to use for outgoing RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/printing/windows-11-rpc-connection-updates-for-print#allow-rpc-over-tcp-communication"
+    compliance:
+      - cis: ["18.7.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcUseNamedPipeProtocol'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcUseNamedPipeProtocol -> 1'
+
+  # 18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'. (Automated)
+  - id: 27189 
+    title: "Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'."
+    description: "This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler. The recommended state for this setting is: Enabled: Default."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Default: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC connection settings: Use authentication for outgoing RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/printing/windows-11-rpc-connection-updates-for-print#allow-rpc-over-tcp-communication"
+    compliance:
+      - cis: ["18.7.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcAuthentication -> 1'
+
+  # 18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'. (Automated)
+  - id: 27190 
+    title: "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'."
+    description: "This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: RCP over TCP."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: RCP over TCP: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC listener settings: Configure protocol options for incoming RPC connections Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcProtocols'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcProtocols -> 7'
+
+  #  18.7.6 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher (Automated)
+  - id: 27191 
+    title: "Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher."
+    description: "This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use. The recommended state for this setting is: Enabled: Negotiate or higher.."
+    rationale: "This setting can prevent the use of named pipes for RPC connections to the print spooler and forces the use of TCP which is a more secure communication method."
+    impact: "Warning: Many existing print configurations may be using the older named pipes protocol and therefore will cease to function."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Negotiate or higher: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC listener settings: Configure protocol options for incoming RPC connections Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> ForceKerberosForRpc'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> ForceKerberosForRpc -> 1'
+
+  # 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'. (Automated)
+  - id: 27192 
+    title: "Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'."
+    description: "This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. The recommended state for this setting is: Enabled: 0."
+    rationale: "Using dynamic ports for printing makes it more difficult for an attacker to know which port is being used and therefore which port to attack."
+    impact: "If your current print environment is configured for a specific TCP port, this setting may require a firewall change (if applicable) for continued printing."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Configure RPC over TCP port Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    compliance:
+      - cis: ["18.7.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcTcpPort'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> RpcTcpPort -> n:^(\d+) compare <= 65535'
+
+  # 18.7.8 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'. (Automated)
+  - id: 27193 
+    title: "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'."
+    description: "This policy setting controls whether users who aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481)."
+    rationale: "Restricting the installation of print drives to Administrators can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Printers\\Limits print driver installation to Administrators Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (and newer)."
+    references:
+      - "https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7"
+      - "https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> RestrictDriverInstallationToAdministrators -> 1'
+
+  # 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'. (Automated)
+  - id: 27194 
+    title: "Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'."
+    description: "This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles."
+    rationale: "A Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36958) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploites this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights."
+    impact: "None - this is default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Manage processing of Queue-specific files Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+    compliance:
+      - cis: ["18.7.9"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> CopyFilesPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers -> CopyFilesPolicy -> 1'
+
+  # 18.7.10 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'. (Automated)
+  - id: 27195 
+    title: "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When installing drivers for a new connection Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+      - "https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/"
+      - "https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.10"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> NoWarningNoElevationOnInstall -> 0'
+
+  # 18.7.11 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'. (Automated)
+  - id: 27196 
+    title: "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'."
+    description: "This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481). This change overrides all Point and Print Group Policy settings and ensures that only Administrators can install printer drivers from a print server using Point and Print."
+    rationale: "Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks. Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt: Computer Configuration\\Policies\\Administrative Templates\\Printers\\Point and Print Restrictions: When updating drivers for an existing connection Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    references:
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"
+      - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958"
+      - "https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/"
+      - "https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872"
+    compliance:
+      - cis: ["18.7.11"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
+      - 'not r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint -> UpdatePromptSettings -> 0'
+
+  # 18.8.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'. (Automated)
+  - id: 27197 
+    title: "Ensure 'Turn off notifications network usage' is set to 'Enabled'."
+    description: "This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. The recommended state for this setting is: Enabled."
+    rationale: "Windows Push Notification Services (WNS) is a mechanism to receive third-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+    impact: "Applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Start Menu and Taskbar\\Turn off notifications network usage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.8.1.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications -> NoCloudApplicationNotification -> 1'
+
+  # 18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'. (Automated)
+  - id: 27198 
+    title: "Ensure 'Include command line in process creation events' is set to 'Enabled'."
+    description: "This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created. The recommended state for this setting is: Enabled. Note: This feature that this setting controls was not originally supported in server OSes older than Windows Server 2012 R2. However, in February 2015 Microsoft added support for the feature to Windows Server 2008 R2 and Windows Server 2012 (non-R2) via an update - KB3004375. Therefore, this setting is also important to set on those older OSes."
+    rationale: "Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents."
+    impact: 'Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data. Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called "Protected Event Logging" to better secure event log data. For assistance with protecting event logging, visit: About Logging Windows - PowerShell | Microsoft Docs.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#protected-event-logging"
+    compliance:
+      - cis: ["18.9.3.1"]
+      - cis_csc_v8: ["8.8"]
+      - cis_csc_v7: ["8.8"]
+      - iso_27001-2013: ["A.12.14.1"]
+      - soc_2: ["CC5.2", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 1'
+
+  # 18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. (Automated)
+  - id: 27199 
+    title: "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'."
+    description: "Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients."
+    rationale: "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows Server from Server 2008 (non-R2) onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched up through May 2018 (or later)."
+    impact: "Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. This setting should not be deployed until all remote hosts support the newest version, which is achieved by ensuring that all Microsoft security updates at least through May 2018 are installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Encryption Oracle Remediation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.4.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters -> AllowEncryptionOracle -> 0'
+
+  # 18.9.4.2 (L1) Ensure 'Remote host allows delegation of non- exportable credentials' is set to 'Enabled'. (Automated)
+  - id: 27200 
+    title: "Ensure 'Remote host allows delegation of non- exportable credentials' is set to 'Enabled'."
+    description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled. Note: More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs."
+    rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+    impact: "The host will support the Restricted Admin Mode and Windows Defender Remote Credential Guard features."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard"
+    compliance:
+      - cis: ["18.9.4.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["16.5"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+  # 18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. (Automated)
+  - id: 27201 
+    title: "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'."
+    description: "This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> EnableVirtualizationBasedSecurity -> 1'
+
+  # 18.9.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher. (Automated)
+  - id: 27202 
+    title: "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher."
+    description: "This policy setting specifies whether Virtualization Based Security (VBS) is enabled. VBS uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot or Secure Boot and DMA Protection. Note: VBS requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA protections to help protect data from being scraped from memory."
+    impact: "Choosing the Secure Boot option provides the system with as much protection as is supported by the computer's hardware. A system with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A system without IOMMUs will simply have Secure Boot enabled without DMA protection. Choosing the Secure Boot with DMA protection option requires the system to have IOMMUs in order to enable VBS. Without IOMMU hardware support, VBS will be disabled. Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Secure Boot or Secure Boot and DMA Protection: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Select Platform Security Level Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> RequirePlatformSecurityFeatures -> 3'
+
+  # 18.9.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'. (Automated)
+  - id: 27203 
+    title: "Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'."
+    description: "This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Once this setting is turned on and active, Virtualization Based Security cannot be disabled solely via GPO or any other remote method. After removing the setting from GPO, the features must also be manually disabled locally at the machine using the steps provided at this link: Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.3"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HypervisorEnforcedCodeIntegrity -> 1'
+
+  # 18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'. (Automated)
+  - id: 27204 
+    title: "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'."
+    description: "This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked) Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "This setting will help protect this control from being enabled on a system that is not compatible which could lead to a crash or data loss."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to TRUE: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.4"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> HVCIMATRequired -> 1'
+
+  # 18.9.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only). (Automated)
+  - id: 27205 
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)."
+    description: 'This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock, but only on Member Servers (not Domain Controllers). Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.'
+    rationale: "The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Warning #2: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. Warning #3: Once this setting is turned on and active, Credential Guard cannot be disabled solely via GPO or any other remote method. After removing the setting from GPO, the features must also be manually disabled locally at the machine using the steps provided at this link: Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock (on Member Servers only): Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.5"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 1'
+
+  # 18.9.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only). (Automated)
+  - id: 27206 
+    title: "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)."
+    description: "This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The recommended state for this setting is: Disabled on Domain Controllers. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Credential Guard is not useful on Domain Controllers and can cause crashes on them."
+    impact: "None - this is the default behavior. Warning: Enabling Windows Defender Credential Guard on Domain Controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. Manage Windows Defender Credential Guard (Windows 10) | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Credential Guard Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.6"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> LsaCfgFlags -> 0'
+
+  # 18.9.5.7 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'. (Automated)
+  - id: 27207 
+    title: "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'."
+    description: "Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs."
+    rationale: "Secure Launch changes the way windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment."
+    impact: "Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard\\Turn On Virtualization Based Security: Secure Launch Configuration Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.5.7"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -> ConfigureSystemGuardLaunch -> 1'
+
+  # 18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'. (Automated)
+  - id: 27208 
+    title: "Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: Enabled. Note: This will not prevent the installation of basic hardware drivers, but does prevent associated third-party utility software from automatically being installed under the context of the SYSTEM account."
+    rationale: "Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic third-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs."
+    impact: "Standard users without administrator privileges will not be able to install associated third-party utility software for peripheral devices. This may limit the use of advanced features of those devices unless/until an administrator installs the associated utility software for the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Device Installation\\Prevent device metadata retrieval from the Internet Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates, or with the Group Policy template DeviceSetup.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.7.2"]
+      - cis_csc_v7: ["18.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata -> PreventDeviceMetadataFromNetwork -> 1'
+
+  # 18.9.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. (Automated)
+  - id: 27209 
+    title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'."
+    description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+    rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.13.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+  # 18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. (Automated)
+  - id: 27210 
+    title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'."
+    description: 'The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked).'
+    rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    impact: "Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.2"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+  # 18.9.19.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. (Automated)
+  - id: 27211 
+    title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'."
+    description: 'The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked).'
+    rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+    impact: "Group Policies will be reapplied even if they have not been changed, which could have a slight impact on performance."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.3"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+  # 18.9.19.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'. (Automated)
+  - id: 27212 
+    title: "Ensure 'Continue experiences on this device' is set to 'Disabled'."
+    description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled."
+    rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+    impact: "The Windows device will not be discoverable by other devices, and cannot participate in cross-device experiences."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.19.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+  # 18.9.19.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. (Automated)
+  - id: 27213 
+    title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'."
+    description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+    rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.19.5"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.4"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.2"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+
+  # 18.9.20.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. (Automated)
+  - id: 27214 
+    title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'."
+    description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+    rationale: "Users might download drivers that include malicious code."
+    impact: "Print drivers cannot be downloaded over HTTP. Note: This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.1"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.7"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+  # 18.9.20.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. (Automated)
+  - id: 27215 
+    title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'."
+    description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    impact: "Tablet PC users cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.20.1.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+  # 18.9.20.1.3 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. (Automated)
+  - id: 27216 
+    title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'."
+    description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+    rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+    impact: "Users cannot start the handwriting recognition error reporting tool or send error reports to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+  # 18.9.20.1.4 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. (Automated)
+  - id: 27217 
+    title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    impact: 'The "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+  # 18.9.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. (Automated)
+  - id: 27218 
+    title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+    rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+    impact: "Windows is prevented from downloading providers; only the service providers cached in the local registry are displayed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+  # 18.9.20.1.6 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. (Automated)
+  - id: 27219 
+    title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'."
+    description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled. Note: This control affects printing over both HTTP and HTTPS."
+    rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+    impact: "The client computer will not be able to print to Internet printers over HTTP or HTTPS. Note: This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.6"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["13.3"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+  # 18.9.20.1.7 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. (Automated)
+  - id: 27220 
+    title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+    rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+    impact: "Users are blocked from connecting to Microsoft.com for online registration and they cannot register their copy of Windows online."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+  # 18.9.20.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. (Automated)
+  - id: 27221 
+    title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'."
+    description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+    rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+    impact: "Search Companion does not download content updates during searches. Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.8"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+  # 18.9.20.1.9 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. (Automated)
+  - id: 27222 
+    title: 'Ensure ''Turn off the "Order Prints" picture task'' is set to ''Enabled''.'
+    description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.'
+    rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+    impact: 'The task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.9"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+  # 18.9.20.1.10 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. (Automated)
+  - id: 27223 
+    title: 'Ensure ''Turn off the "Publish to Web" task for files and folders'' is set to ''Enabled''.'
+    description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled."
+    rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+    impact: 'The "Publish to Web" task is removed from File and Folder tasks in Windows folders.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.10"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+  # 18.9.20.1.11 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. (Automated)
+  - id: 27224 
+    title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    impact: "Windows Messenger will not collect usage information, and the user settings to enable the collection of usage information will not be shown."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.11"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+  # 18.9.20.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. (Automated)
+  - id: 27225 
+    title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+    rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+    impact: "All users are opted out of the Windows Customer Experience Improvement Program."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.12"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+  # 18.9.20.1.13 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. (Automated)
+  - id: 27226 
+    title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'."
+    description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+    rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+    impact: "Users are not given the option to report errors to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.20.1.13"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+  # 18.9.23.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. (Automated)
+  - id: 27227 
+    title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'."
+    description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
+    rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.23.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+  # 18.9.24.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. (Automated)
+  - id: 27228 
+    title: "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'."
+    description: "This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Enabled: Block All. Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher, and also requires a UEFI BIOS to function. Note #2: More information on this feature is available at this link: Kernel DMA Protection for Thunderbolt (TM) 3 (Windows 10) | Microsoft Docs."
+    rationale: "Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by the peripheral."
+    impact: "External devices that are not compatible with DMA-remapping will not be enumerated and will not function unless/until the user has logged in successfully and has an unlocked user session. Once enumerated, these devices will continue to function, regardless of the state of the session. Devices that are compatible with DMA-remapping will be enumerated immediately, with their device memory isolated."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block All: Computer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA Protection\\Enumeration policy for external devices incompatible with Kernel DMA Protection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.24.1"]
+      - cis_csc_v7: ["1.4"]
+      - iso_27001-2013: ["A.8.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection -> DeviceEnumerationPolicy -> 0'
+
+  # 18.9.25.1 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'. (Automated)
+  - id: 27229 
+    title: "Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'."
+    description: "This policy setting controls the configuration under which the Local Security Authority Subsystem Service (LSASS) will load custom Security Support Provider/Authentication Package (SSP/AP). The recommended state for this setting is: Disabled."
+    rationale: "Vulnerabilities exist where attackers are able to intercept logon credentials via SSP/AP. Disabling Custom SSPs and APs to be loaded into LSASS minimizes this vulnerability."
+    impact: "Custom Security Support Provider/Authentication Packages will not be permitted to load this may impact some legitimate third-party packages."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Local Security Authority\\Allow Custom SSPs and APs to be loaded into LSASS."
+    references:
+      - "https://learn.microsoft.com/en-us/windows/win32/secauthn/ssp-aps-versus-ssps"
+    compliance:
+      - cis: ["18.9.25.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCustomSSPsAPs'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCustomSSPsAPs -> 0'
+
+  # 18.9.25.2 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'. (Automated)
+  - id: 27230 
+    title: "Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'."
+    description: "This policy setting controls whether the Local Security Authority Subservice Service (LSASS) runs in protected mode and also has the option to lock in protected mode with Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which includes the LSASS process, validates users for local and remote sign-ins and enforces local security policies. The recommended state for this setting is: Enabled: Enabled with UEFI Lock. Note: This additional protection to prevent reading memory and code injection by non-protected processes is supported by Windows 8.1 (and newer)."
+    rationale: "Provides added security for the credentials that LSA stores and manages. Enabling this setting with UEFI Lock prevents the setting from being changed remotely."
+    impact: "Once this setting has been applied (Enabled), removing the group policy setting (set to Not Configured) will not reverse the impact. In order to reverse the impact, you must explicitly configure this setting to Disabled and follow Microsoft's documentation on disabling the UEFI Lock."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled with UEFI Lock: Computer Configuration\\Policies\\Administrative Templates\\System\\Local Security Authority\\Configures LSASS to run as a protected process."
+    references:
+      - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection"
+      - "https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disabling-windows-defender-credential-guard-with-uefi-lock"
+    compliance:
+      - cis: ["18.9.25.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RunAsPPL'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RunAsPPL -> 1'
+
+  # 18.9.26.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. (Automated)
+  - id: 27231 
+    title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'."
+    description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+    rationale: "This is a way to increase the security of the system account."
+    impact: "Users will have input methods enabled for the system account on the sign-in page."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.26.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+  # 18.9.27.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. (Automated)
+  - id: 27232 
+    title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'."
+    description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: Enabled."
+    rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+    impact: "The user cannot choose to show account details on the sign-in screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.1"]
+      - cis_csc_v8: ["4.1"]
+      - cis_csc_v7: ["5.1"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "CM.L2-3.4.1", "CM.L2-3.4.2", "CM.L2-3.4.6", "CM.L2-3.4.7"]
+      - iso_27001-2013: ["A.14.2.5", "A.8.1.3"]
+      - nist_sp_800-53: ["CM-7(1)", "CM-9", "SA-10"]
+      - pci_dss_v3.2.1: ["11.5", "2.2"]
+      - pci_dss_v4.0: ["1.1.1", "1.2.1", "1.2.6", "1.2.7", "1.5.1", "2.1.1", "2.2.1"]
+      - soc_2: ["CC7.1", "CC8.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+  # 18.9.27.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'. (Automated)
+  - id: 27233 
+    title: "Ensure 'Do not display network selection UI' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+    rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+    impact: "The PC's network connectivity state cannot be changed without signing into Windows."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+  # 18.9.27.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. (Automated)
+  - id: 27234 
+    title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'."
+    description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    impact: "The Logon UI will not enumerate any connected users on domain-joined computers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+  # 18.9.27.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only). (Automated)
+  - id: 27235 
+    title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)."
+    description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+    rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.4"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+  # 18.9.27.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. (Automated)
+  - id: 27236 
+    title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'."
+    description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+    rationale: "App notifications might display sensitive business or personal data."
+    impact: "No app notifications are displayed on the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.5"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+  # 18.9.27.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. (Automated)
+  - id: 27237 
+    title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it."
+    rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+    impact: "Users will not be able to set up or sign in with a picture password."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.27.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+  # 18.9.27.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. (Automated)
+  - id: 27238 
+    title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'."
+    description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+    rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+    compliance:
+      - cis: ["18.9.27.7"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+  # 18.9.30.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. (Automated)
+  - id: 27239 
+    title: "Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'."
+    description: "This policy setting determines whether Clipboard contents can be synchronized across devices. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, clipboard data should stay local to the system and not synced across devices."
+    impact: "If you disable this policy setting, Clipboard contents cannot be shared to other devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow Clipboard synchronization across devices."
+    compliance:
+      - cis: ["18.9.30.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowCrossDeviceClipboard -> 0'
+
+  # 18.9.30.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'. (Automated)
+  - id: 27240 
+    title: "Ensure 'Allow upload of User Activities' is set to 'Disabled'."
+    description: "This policy setting determines whether published User Activities can be uploaded to the cloud. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Activities of type User Activity are not allowed to be uploaded to the cloud. The Timeline feature will not function across devices."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\OS Policies\\Allow upload of User Activities Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.30.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> UploadUserActivities -> 0'
+
+  # 18.9.32.6.1 (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. (Automated)
+  - id: 27241 
+    title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+    impact: "Network connectivity in standby (while on battery) is not guaranteed. This connectivity restriction currently only applies to WLAN networks only, but is subject to change (according to Microsoft)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+  # 18.9.32.6.2 (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. (Automated)
+  - id: 27242 
+    title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'."
+    description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+    impact: "Network connectivity in standby (while plugged in) is not guaranteed. This connectivity restriction currently only applies to WLAN networks only, but is subject to change (according to Microsoft)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.2"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+  # 18.9.32.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. (Automated)
+  - id: 27243 
+    title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.3"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+  # 18.9.32.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. (Automated)
+  - id: 27244 
+    title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'."
+    description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.32.6.4"]
+      - cis_csc_v8: ["4.3"]
+      - cis_csc_v7: ["16.11"]
+      - cmmc_v2.0: ["AC.L2-3.1.10", "AC.L2-3.1.11"]
+      - hipaa: ["164.312(a)(2)(iii)"]
+      - iso_27001-2013: ["A.8.1.3"]
+      - nist_sp_800-53: ["AC-11", "AC-11(1)", "AC-12", "AC-2(5)"]
+      - pci_dss_v3.2.1: ["8.1.8"]
+      - pci_dss_v4.0: ["8.2.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+  # 18.9.34.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. (Automated)
+  - id: 27245 
+    title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
+    rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.34.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+  # 18.9.34.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. (Automated)
+  - id: 27246 
+    title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'."
+    description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+    rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+    impact: "Users on this computer cannot use e-mail or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.34.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+  # 18.9.35.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only). (Automated)
+  - id: 27247 
+    title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)."
+    description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
+    rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+    impact: "RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.35.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+  # 18.9.35.2 (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only). (Automated)
+  - id: 27248 
+    title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)."
+    description: 'This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended. Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated.'
+    rationale: "Unauthenticated RPC communication can create a security vulnerability."
+    impact: "Only authenticated RPC Clients will be allowed to connect to RPC servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.35.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+  # 18.9.38.1 (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only). (Automated)
+  - id: 27249 
+    title: "Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only)."
+    description: 'This policy setting allows you to configure how Domain Controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith''s attack" (ROCA) vulnerability. If this policy setting is enabled the following options are supported: Ignore: During authentication the Domain Controller will not probe any WHfB keys for the ROCA vulnerability. Audit: During authentication the Domain Controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). Block: During authentication the Domain Controller will block the use of WHfB keys that are subject to the ROCA vulnerability (vulnerable authentications will fail). The recommended state for this setting is: Enabled: Audit. Configuring this setting to Enabled: Block also conforms to the benchmark. Note: This setting only takes effect on Domain Controllers. Note #2: A reboot is not required for changes to this setting to take effect.'
+    rationale: 'The "Return of Coppersmith''s attack" or ROCA vulnerability is a cryptographic weakness in a widely used cryptographic library. An attacker can reveal secret keys (offline with no physical access to the affected device) on certified devices using this library. For more information on this vulnerability, visit ADV170012 - Security Update Guide - Microsoft - Vulnerability in TPM could allow Security Feature Bypass.'
+    impact: "This setting may affect vulnerable Trusted Platform Module (TPMs). To avoid issues, this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Audit (configuring to Enabled: Block also conforms to the benchmark): Computer Configuration\\Policies\\Administrative Templates\\System\\Security Account Manager\\Configure validation of ROCA-vulnerable WHfB keys during authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sam.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2017-15361"
+    compliance:
+      - cis: ["18.9.38.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM -> SamNGCKeyROCAValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM -> SamNGCKeyROCAValidation -> n:(\d+) compare >= 1'
+
+  # 18.9.46.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. (Automated)
+  - id: 27250 
+    title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'."
+    description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "MSDT cannot run in support mode, and no data can be collected or sent to the support provider."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+  # 18.9.46.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. (Automated)
+  - id: 27251 
+    title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'."
+    description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+    rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+    impact: "Responsiveness events are not processed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.46.11.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+  # 18.9.48.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'. (Automated)
+  - id: 27252 
+    title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'."
+    description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+    rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+    impact: "The advertising ID is turned off. Apps can't use the ID for experiences across apps."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.9.48.1"]
+      - cis_csc_v7: ["9.2"]
+      - iso_27001-2013: ["A.13.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+  # 18.9.50.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. (Automated)
+  - id: 27253 
+    title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'."
+    description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+    rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+    impact: "You can set the local computer clock to synchronize time with NTP servers."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.50.1.1"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+  # 18.9.50.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only). (Automated)
+  - id: 27254 
+    title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)."
+    description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled. Note: In most enterprise managed environments, you should not disable the Windows NTP Server on Domain Controllers, as it is very important for the operation of NT5DS (domain hierarchy-based) time synchronization."
+    rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.9.50.1.2"]
+      - cis_csc_v8: ["8.4"]
+      - cis_csc_v7: ["6.1"]
+      - cmmc_v2.0: ["AU.L2-3.3.7"]
+      - iso_27001-2013: ["A.12.4.4"]
+      - nist_sp_800-53: ["AU-7"]
+      - pci_dss_v3.2.1: ["10.4"]
+      - pci_dss_v4.0: ["10.6", "10.6.1", "10.6.2", "10.6.3"]
+      - soc_2: ["CC4.1", "CC5.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
+  # 18.10.3.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. (Automated)
+  - id: 27255 
+    title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'."
+    description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
+    rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.3.1"]
+      - cis_csc_v8: ["3.3"]
+      - cis_csc_v7: ["14.6"]
+      - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.3", "AC.L2-3.1.5", "MP.L2-3.8.2"]
+      - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
+      - iso_27001-2013: ["A.9.1.1"]
+      - nist_sp_800-53: ["AC-5", "AC-6"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - pci_dss_v4.0: ["1.3.1", "7.1"]
+      - soc_2: ["CC5.2", "CC6.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+  # 18.10.5.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. (Automated)
+  - id: 27256 
+    title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'."
+    description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+    impact: "Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.5.1"]
+      - cis_csc_v8: ["5.6"]
+      - cis_csc_v7: ["16.2"]
+      - nist_sp_800-53: ["AC-2(1)"]
+      - soc_2: ["CC6.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+  # 18.10.7.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. (Automated)
+  - id: 27257 
+    title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'."
+    description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    impact: "AutoPlay will not be allowed for MTP devices like cameras or phones."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.7.1"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+  # 18.10.7.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. (Automated)
+  - id: 27258 
+    title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'."
+    description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+    rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+    impact: "AutoRun commands will be completely disabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.7.2"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+  # 18.10.7.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. (Automated)
+  - id: 27259 
+    title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'."
+    description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+    rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+    impact: "Autoplay will be disabled - users will have to manually launch setup or installation programs that are provided on removable media."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.7.3"]
+      - cis_csc_v8: ["10.3"]
+      - cis_csc_v7: ["8.5"]
+      - cmmc_v2.0: ["MP.L2-3.8.7"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
+
+  # 18.10.8.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. (Automated)
+  - id: 27260 
+    title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'."
+    description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled."
+    rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+    impact: "Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.10.8.1.1"]
+      - cis_csc_v8: ["10.5"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+  # 18.10.10.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled'. (Automated)
+  - id: 27261 
+    title: "Ensure 'Allow Use of Camera' is set to 'Disabled'."
+    description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
+    rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+    impact: "Users will not be able to utilize the camera on a system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.10.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+  # 18.10.12.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'. (Automated)
+  - id: 27262 
+    title: "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'."
+    description: "This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage."
+    impact: "Users will not be able to use Microsoft consumer accounts on the system, and associated Windows experiences will instead present default fallback content."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud consumer account state content Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.12.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableConsumerAccountStateContent -> 1'
+
+  # 18.10.12.2 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'. (Automated)
+  - id: 27263 
+    title: "Ensure 'Turn off cloud optimized content' is set to 'Enabled'."
+    description: "This policy setting turns off cloud optimized content in all Windows experiences. The recommended state for this setting is: Enabled."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Windows experiences that use the cloud optimized content client component, will present the default fallback content instead of customized content."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off cloud optimized content Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 20H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.12.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableCloudOptimizedContent -> 1'
+
+  # 18.10.12.3 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. (Automated)
+  - id: 27264 
+    title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'."
+    description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions."
+    rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a third-party."
+    impact: "Users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.12.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+  # 18.10.13.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'. (Automated)
+  - id: 27265 
+    title: "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'."
+    description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always."
+    rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+    impact: "The pairing ceremony for connecting to new wireless display devices will always require a PIN."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates."
+    compliance:
+      - cis: ["18.10.13.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> r:^1$|^2$'
+
+  # 18.10.14.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'. (Automated)
+  - id: 27266 
+    title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'."
+    description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+    rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+    impact: "The password reveal button will not be displayed after a user types a password in the password entry text box."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.14.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+  # 18.10.14.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. (Automated)
+  - id: 27267 
+    title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'."
+    description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+    rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.14.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+  # 18.10.15.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'. (Automated)
+  - id: 27268 
+    title: "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'."
+    description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM."
+    rationale: "Sending any data to a third-party vendor is a security concern and should only be done on an as needed basis."
+    impact: "Note that setting values of 0 or 1 will degrade certain experiences on the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Diagnostic Data Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization"
+    compliance:
+      - cis: ["18.10.15.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
+
+  # 18.10.15.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Automated)
+  - id: 27269 
+    title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'."
+    description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
+    rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+  # 18.10.15.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'. (Automated)
+  - id: 27270 
+    title: "Ensure 'Disable OneSettings Downloads' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled."
+    rationale: "Sending data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Windows will not connect to the OneSettings service to download configuration settings."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable OneSettings Downloads Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableOneSettingsDownloads -> 1'
+
+  # 18.10.15.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'. (Automated)
+  - id: 27271 
+    title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'."
+    description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled."
+    rationale: "Users should not be sending any feedback to third-party vendors in an enterprise managed environment."
+    impact: "Users will no longer see feedback notifications through the Windows Feedback app."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+  # 18.10.15.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'. (Automated)
+  - id: 27272 
+    title: "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'."
+    description: "This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Event Log. The recommended state for this setting is: Enabled."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "Windows will record attempts to connect with the OneSettings service to the Applications and Services Logs\\Microsoft\\Windows\\Privacy-Auditing\\Operational Event Log channel."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Enable OneSettings Auditing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.5"]
+      - cis_csc_v8: ["6.3"]
+      - cis_csc_v7: ["8.5"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["8.3"]
+      - soc_2: ["CC6.1", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> EnableOneSettingsAuditing -> 1'
+
+  # 18.10.15.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'. (Automated)
+  - id: 27273 
+    title: "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'."
+    description: "This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited when recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Sending data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Diagnostic logs and information such as crash dumps will not be collected for transmission to Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Diagnostic Log Collection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDiagnosticLogCollection -> 1'
+
+  # 18.10.15.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled'. (Automated)
+  - id: 27274 
+    title: "Ensure 'Limit Dump Collection' is set to 'Enabled'."
+    description: "This policy setting limits the type of memory dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. Note: Memory dumps are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited when recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information."
+    rationale: "Memory dumps can contain sensitive information - sending such data to a third-party vendor is a security concern and should only be done on an as-needed basis."
+    impact: "Windows Error Reporting will not send full and/or heap memory dumps to Microsoft - they will be limited to kernel mini and/or user mode triage memory dumps (if sending optional diagnostic data is permitted)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Limit Dump Collection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> LimitDumpCollection -> 1'
+
+  # 18.10.15.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. (Automated)
+  - id: 27275 
+    title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'."
+    description: 'This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows Server 2016, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ''Manage preview builds''). We have kept this setting in the benchmark to ensure that any older builds of Windows Server 2016 in the environment are still enforced.'
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    impact: 'The item "Get Insider builds" will be unavailable.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.15.8"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+  # 18.10.17.1 (L1) Ensure 'Enable App Installer' is set to 'Disabled'. (Automated)
+  - id: 27276 
+    title: "Ensure 'Enable App Installer' is set to 'Disabled'."
+    description: "This policy setting controls whether user have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer). The recommended state for this setting is: Disabled."
+    rationale: "Windows Package Manager is a command line tool can be used to discover, install, upgrade, remove and configure applications, and it can be used as a distribution channel for software packages containing tools and applications. Users should not have access to these types of development tools."
+    impact: "Users will not have access to the command line tool, winget to discover, install, upgrade, remove, configure, or distribute applications."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Desktop App Installer\\Enable App Installer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows/package-manager/"
+    compliance:
+      - cis: ["18.10.17.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller -> EnableAppInstaller'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds ->EnableAppInstaller -> 0'
+
+  # 18.10.17.2 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'. (Automated)
+  - id: 27277 
+    title: "Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'."
+    description: "This policy setting controls whether users can enable experimental features in the Windows Package Manager. The recommended state for this setting is Disabled."
+    rationale: "Windows Package Manager is a command line tool can be used to discover, install, upgrade, remove and configure applications, and it can be used as a distribution channel for software packages containing tools and applications. Users should not have access to experimental features."
+    impact: "Users will not have access to experimental features in the command line tool, winget to discover, install, upgrade, remove, configure, or distribute applications."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Desktop App Installer\\Enable App Installer Experimental Features Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows/package-manager/"
+    compliance:
+      - cis: ["18.10.17.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller -> EnableExperimentalFeatures'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableExperimentalFeatures -> 0'
+
+  # 18.10.17.3 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'. (Automated)
+  - id: 27278 
+    title: "Ensure 'Enable App Installer Hash Override' is set to 'Disabled'."
+    description: "This policy setting controls whether or not users can override the SHA256 security validation in the Windows Package Manager settings. The recommended state for this setting is: Disabled."
+    rationale: "Users should not have the ability to override SHA256 security validation."
+    impact: "Users will not have the ability to override the SHA256 security validation."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Desktop App Installer\\Enable App Installer Hash Override Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows/package-manager/"
+    compliance:
+      - cis: ["18.10.17.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller -> EnableHashOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableHashOverride -> 0'
+
+  # 18.10.17.4 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'. (Automated)
+  - id: 27279 
+    title: "Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'."
+    description: "This policy setting controls whether users can install packages from a website that is using the ms-appinstaller protocol. The ms-appinstaller protocol allows users to install an application by clicking a link on a website. The recommended state for this setting is: Disabled."
+    rationale: "Users should not have the ability to install an application by clicking a link on a website. If an unknown or malicious link is clicked, malicious software could be installed on the system."
+    impact: "Users will not have the ability to use the ms-appinstaller protocol to install applications by clicking a link on a website."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Desktop App Installer\\Enable App Installer ms-appinstaller protocol Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    references:
+      - "https://learn.microsoft.com/en-us/windows/package-manager/"
+    compliance:
+      - cis: ["18.10.17.4"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller -> EnableMSAppInstallerProtocol'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableMSAppInstallerProtocol -> 0'
+
+  # 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 27280 
+    title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.1.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+  # 18.10.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 27281 
+    title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.1.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 27282 
+    title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.2.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+  # 18.10.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'. (Automated)
+  - id: 27283 
+    title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.2.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+  # 18.10.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 27284 
+    title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.3.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+  # 18.10.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 27285 
+    title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.3.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. (Automated)
+  - id: 27286 
+    title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'."
+    description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+    rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.4.1"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+  # 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. (Automated)
+  - id: 27287 
+    title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'."
+    description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+    rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+    impact: "When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.26.4.2"]
+      - cis_csc_v8: ["8.3"]
+      - cis_csc_v7: ["6.4"]
+      - iso_27001-2013: ["A.12.4.1"]
+      - pci_dss_v3.2.1: ["10.7"]
+      - soc_2: ["A1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+  # 18.10.29.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. (Automated)
+  - id: 27288 
+    title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'."
+    description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software."
+    rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.29.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+  # 18.10.29.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. (Automated)
+  - id: 27289 
+    title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'."
+    description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled."
+    rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.29.3"]
+      - cis_csc_v7: ["8.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+  # 18.10.29.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. (Automated)
+  - id: 27290 
+    title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'."
+    description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+    rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.29.4"]
+      - cis_csc_v7: ["8.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+  # 18.10.37.1 (L2) Ensure 'Turn off location' is set to 'Enabled'. (Automated)
+  - id: 27291 
+    title: "Ensure 'Turn off location' is set to 'Enabled'."
+    description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+    rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+    impact: "The location feature is turned off, and all programs on the computer are prevented from using location information from the location feature."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.37.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+  # 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. (Automated)
+  - id: 27292 
+    title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'."
+    description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Cellular text messages will not be backed up to (or restored from) Microsoft's cloud services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.41.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+  # 18.10.42.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. (Automated)
+  - id: 27293 
+    title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'."
+    description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled."
+    rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+    impact: "All applications and services on the device will be prevented from new authentications using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs. Authentications performed directly by the user in web browsers or in apps that use OAuth will remain unaffected."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.42.1"]
+      - cis_csc_v8: ["5.3"]
+      - cis_csc_v7: ["16.8"]
+      - cmmc_v2.0: ["IA.L2-3.5.6"]
+      - iso_27001-2013: ["A.9.2.1"]
+      - nist_sp_800-53: ["AC-2(3)"]
+      - pci_dss_v3.2.1: ["8.1.4"]
+      - pci_dss_v4.0: ["8.3.7"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+  # 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. (Automated)
+  - id: 27294 
+    title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'."
+    description: 'This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Microsft Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled.'
+    rationale: "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.5.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+  # 18.10.43.5.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. (Automated)
+  - id: 27295 
+    title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'."
+    description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - - - (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+    rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.5.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+
+  # 18.10.43.6.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. (Automated)
+  - id: 27296 
+    title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'."
+    description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: Enabled."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    impact: "When a rule is triggered, a notification will be displayed from the Action Center."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.1.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
+  # 18.10.43.6.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured. (Automated)
+  - id: 27297 
+    title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured."
+    description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 56a863a9-875e-4185-98a7-b882c64b5ce5 - 1 (Block abuse of exploited vulnerable signed drivers) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) e6db77e5-3df2-4cf1-b95a-636979351e5b - 1 (Block persistence through WMI event subscription) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs."
+    rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines."
+    impact: "When a rule is triggered, a notification will be displayed from the Action Center."
+    remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 56a863a9-875e-4185-98a7-b882c64b5ce5, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d, d4f940ab-401b-4efc-aadc-ad5f3c50688a, and e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.1.2"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
+
+  # 18.10.43.6.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. (Automated)
+  - id: 27298 
+    title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'."
+    description: "This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block."
+    rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+    impact: "Users and applications will not be able to access dangerous domains."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Microsoft Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.6.3.1"]
+      - cis_csc_v8: ["9.3", "10.5"]
+      - cis_csc_v7: ["7.4", "8.3"]
+      - cmmc_v2.0: ["SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.1"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.4", "11.4"]
+      - pci_dss_v4.0: ["1.2.6", "1.4.2"]
+      - soc_2: ["CC5.2", "CC6.6", "CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+  # 18.10.43.7.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'. (Automated)
+  - id: 27299 
+    title: "Ensure 'Enable file hash computation feature' is set to 'Enabled'."
+    description: "This setting determines whether hash values are computed for files scanned by Microsoft Defender. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny."
+    impact: "This setting could cause performance degradation during initial deployment and for users where new executable content is frequently being created (such as software developers), or where applications are frequently installed or updated. For more information on this setting, please visit Security baseline (FINAL): Windows 10 and Windows Server, version 2004 - Microsoft Tech Community - 1543631. Note: The impact of this setting should be monitored closely during deployment to ensure user and system performance impact is within acceptable limits."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation feature Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 2004 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.7.1"]
+      - cis_csc_v8: ["10.1"]
+      - cis_csc_v7: ["8.1"]
+      - cmmc_v2.0: ["SI.L1-3.14.2"]
+      - hipaa: ["164.308(a)(5)(ii)(B)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["5.1"]
+      - pci_dss_v4.0: ["5.1.1", "5.2.1", "5.2.2", "5.3.2"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation -> 1'
+
+  # 18.10.43.10.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. (Automated)
+  - id: 27300 
+    title: "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'."
+    description: "This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all downloaded files and attachments Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus"
+    compliance:
+      - cis: ["18.10.43.10.1"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableIOAVProtection -> 0'
+
+  # 18.10.43.10.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'. (Automated)
+  - id: 27301 
+    title: "Ensure 'Turn off real-time protection' is set to 'Disabled'."
+    description: "This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-time protection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus"
+    compliance:
+      - cis: ["18.10.43.10.2"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0'
+
+  # 18.10.43.10.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. (Automated)
+  - id: 27302 
+    title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'."
+    description: "This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default configuration."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.10.3"]
+      - cis_csc_v8: ["10.7"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0'
+
+  # 18.10.43.10.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled'. (Automated)
+  - id: 27303 
+    title: "Ensure 'Turn on script scanning' is set to 'Enabled'."
+    description: "This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled."
+    rationale: "When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-worldwide"
+    compliance:
+      - cis: ["18.10.43.10.4"]
+      - cis_csc_v8: ["10.7"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-TimeProtection -> DisableScriptScanning -> 0'
+
+  # 18.10.43.12.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled'. (Automated)
+  - id: 27304 
+    title: "Ensure 'Configure Watson events' is set to 'Disabled'."
+    description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
+    rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
+    impact: "Watson events will not be sent to Microsoft automatically when a program or service crashes or fails."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.12.1"]
+      - cis_csc_v7: ["13.3"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+  # 18.10.43.13.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled'. (Automated)
+  - id: 27305 
+    title: "Ensure 'Scan removable drives' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled."
+    rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+    impact: "Removable drives will be scanned during any type of scan by Microsoft Defender Antivirus."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Scan removable drives Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.13.1"]
+      - cis_csc_v8: ["10.4"]
+      - cis_csc_v7: ["8.4"]
+      - cmmc_v2.0: ["SC.L2-3.13.13", "SI.L1-3.14.5"]
+      - hipaa: ["164.310(d)(1)"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v4.0: ["5.3.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+  # 18.10.43.13.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. (Automated)
+  - id: 27306 
+    title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'."
+    description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled."
+    rationale: "Incoming e-mails should be scanned by an antivirus solution such as Microsoft Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+    impact: "E-mail scanning by Microsoft Defender Antivirus will be enabled."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.13.2"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+  # 18.10.43.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. (Automated)
+  - id: 27307 
+    title: "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'."
+    description: "This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications, that can deliver adware or malware. The recommended state for this setting is: Enabled: Block. For more information, see this link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs."
+    rationale: "Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation."
+    impact: "Applications that are identified by Microsoft as PUA will be blocked at download and install time."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Configure detection for potentially unwanted applications Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.43.16"]
+      - cis_csc_v8: ["10.6"]
+      - cis_csc_v7: ["2.7", "8.1"]
+      - iso_27001-2013: ["A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2"]
+      - pci_dss_v3.2.1: ["11.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> PUAProtection -> 1'
+
+  # 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'. (Automated)
+  - id: 27308 
+    title: "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'."
+    description: "This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled."
+    rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Microsoft Defender Antivirus. Organizations that choose to purchase a reputable third-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Defender Antivirus\\Turn off Microsoft Defender AntiVirus Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Windows Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates."
+    compliance:
+      - cis: ["18.10.43.17"]
+      - cis_csc_v8: ["10.6"]
+      - cis_csc_v7: ["8.1"]
+      - iso_27001-2013: ["A.12.2.1"]
+      - pci_dss_v3.2.1: ["11.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware -> 0'
+
+  # 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. (Automated)
+  - id: 27309 
+    title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'."
+    description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+    rationale: "Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a server, not just the one supplied with Windows Server."
+    impact: "Users can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the WinRT API. OneDrive doesn't appear in the navigation pane in File Explorer. OneDrive files aren't kept in sync with the cloud. Users can't automatically upload photos and videos from the camera roll folder. Note: If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive. Note #2: If your organization has decided to implement OneDrive for Business and therefore needs to except itself from this recommendation, we highly suggest that you also obtain and utilize the OneDrive.admx/adml template that is bundled with the latest OneDrive client, as noted at this link (this template is not included with the Windows Administrative Templates). Two alternative OneDrive settings in particular from that template are worth your consideration: - Allow syncing OneDrive accounts for only specific organizations - a computer-based setting that restricts OneDrive client connections to only approved tenant IDs. - Prevent users from synchronizing personal OneDrive accounts - a user-based setting that prevents use of consumer OneDrive (i.e. non-business)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
+    compliance:
+      - cis: ["18.10.51.1"]
+      - cis_csc_v7: ["13.4"]
+      - iso_27001-2013: ["A.13.2.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+  # 18.10.56.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'. (Automated)
+  - id: 27310 
+    title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'."
+    description: "This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+    rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+    impact: "Users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.56.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
+  # 18.10.57.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. (Automated)
+  - id: 27311 
+    title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'."
+    description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+    rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+    impact: "The password saving checkbox will be disabled for Remote Desktop clients and users will not be able to save passwords."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.2.2"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+  # 18.10.57.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'. (Automated)
+  - id: 27312 
+    title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'."
+    description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.2.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
+  # 18.10.57.3.3.1 (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'. (Automated)
+  - id: 27313 
+    title: "Ensure 'Allow UI Automation redirection' is set to 'Disabled'."
+    description: "This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer's Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session. The recommended state for this setting is: Disabled. Note: Remote Desktop sessions don't currently support UI Automation redirection."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for UI Automation redirection within a Remote Desktop session is rare, and not supported at this time, but it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    impact: "UI Automation clients on the local computer will not be able to interact with remote apps."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Allow UI Automation redirection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/dotnet/framework/ui-automation/ui-automation-overview"
+    compliance:
+      - cis: ["18.10.57.3.3.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection -> 0'
+
+  # 18.10.57.3.3.2 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. (Automated)
+  - id: 27314 
+    title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect server data to local (client) COM ports."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+  # 18.10.57.3.3.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'. (Automated)
+  - id: 27315 
+    title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'."
+    description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+    rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+    impact: "Drive redirection will not be possible. In most situations, traditional network drive mapping to file shares (including administrative shares) performed manually by the connected user will serve as a capable substitute to still allow file transfers when needed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.3"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+  # 18.10.57.3.3.4 (L2) Ensure 'Do not allow location redirection' is set to 'Enabled'. (Automated)
+  - id: 27316 
+    title: "Ensure 'Do not allow location redirection' is set to 'Enabled'."
+    description: "This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for location data redirection within a Remote Desktop session is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur."
+    impact: "Users will not be able to redirect their location data to the remote computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow location redirection Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.57.3.3.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLocationRedir -> 1'
+
+  # 18.10.57.3.3.5 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. (Automated)
+  - id: 27317 
+    title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'."
+    description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect server data to local (client) LPT ports."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.5"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+  # 18.10.57.3.3.6 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. (Automated)
+  - id: 27318 
+    title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'."
+    description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+    impact: "Users in a Remote Desktop Services session will not be able to redirect their supported (local client) Plug and Play devices to the remote computer."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.3.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+  # 18.10.57.3.3.7 (L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'. (Automated)
+  - id: 27319 
+    title: "Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'."
+    description: "This policy setting controls the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g. Windows Hello for Business, security key, or other). The recommended state for this setting is: Enabled."
+    rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. To reduce this, resources inside the Remote Desktop session should not be allowed to use the local authenticator."
+    impact: "Users in a Remote Desktop Services session will not be able to authenticate to resources inside the Remote Desktop session using their local authenticator."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow WebAuthn redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.57.3.3.7"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableWebAuthn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableWebAuthn -> 1'
+
+  # 18.10.57.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. (Automated)
+  - id: 27320 
+    title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'."
+    description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+    rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+    impact: "Users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They will be prompted for a password to log on."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+  # 18.10.57.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'. (Automated)
+  - id: 27321 
+    title: "Ensure 'Require secure RPC communication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+    rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+    impact: "Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+  # 18.10.57.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. (Automated)
+  - id: 27322 
+    title: "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'."
+    description: "This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. The recommended state for this setting is: Enabled: SSL. Note: In spite of this setting being labeled SSL, it is actually enforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol."
+    rationale: "The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred."
+    impact: "TLS 1.0 will be required to authenticate to the RD Session Host server. If TLS is not supported, the connection fails. Note: By default, this setting will use a self-signed certificate for RDP connections. If your organization has established the use of a Public Key Infrastructure (PKI) for SSL/TLS encryption, then we recommend that you also configure the Server authentication certificate template setting to instruct RDP to use a certificate from your PKI instead of a self-signed one. Note that the certificate template used for this purpose must have “Client Authentication” configured as an Intended Purpose. Note also that a valid, non-expired certificate using the specified template must already be installed on the server for it to work. Note #2: Some third party two-factor authentication solutions (e.g. RSA Authentication Agent) can be negatively affected by this setting, as the SSL/TLS security layer will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: SSL: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require use of specific security layer for remote (RDP) connections Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.3"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> SecurityLayer -> 2'
+
+  # 18.10.57.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. (Automated)
+  - id: 27323 
+    title: "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. The recommended state for this setting is: Enabled."
+    rationale: "Requiring that user authentication occur earlier in the remote connection process enhances security."
+    impact: "Only client computers that support Network Level Authentication can connect to the RD Session Host server. Note: Some third party two-factor authentication solutions (e.g. RSA Authentication Agent) can be negatively affected by this setting, as Network Level Authentication will expect the user's Windows password upon initial connection attempt (before the RDP logon screen), and once successfully authenticated, pass the credential along to that Windows session on the RDP host (to complete the login). If a two-factor agent is present and expecting a different credential at the RDP logon screen, this initial connection may result in a failed logon attempt, and also effectively cause a “double logon” requirement for each and every new RDP session."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require user authentication for remote connections by using Network Level Authentication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was initially named Require user authentication using RDP 6.0 for remote connections, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.4"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> UserAuthentication -> 1'
+
+  # 18.10.57.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. (Automated)
+  - id: 27324 
+    title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'."
+    description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+    rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.9.5"]
+      - cis_csc_v8: ["3.10"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+  # 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'. (Automated)
+  - id: 27325 
+    title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'."
+    description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0)."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. In addition, session timeouts that are misconfigured or set for a long period of time can leave the system open to an attacker hijacking the session."
+    impact: "Remote Desktop Services will automatically disconnect active but idle sessions after 15 minutes (or the specified amount of time). The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. Note that idle session time limits do not apply to console sessions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less, but not Never (0): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.10.1"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare != 0'
+
+  # 18.10.57.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. (Automated)
+  - id: 27326 
+    title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'."
+    description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+    rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated. In addition, session timeouts that are misconfigured or set for a long period of time can leave the system open to an attacker hijacking the session."
+    impact: "Disconnected Remote Desktop sessions are deleted from the server after 1 minute. Note that disconnected session time limits do not apply to console sessions."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.10.2"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+  # 18.10.57.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. (Automated)
+  - id: 27327 
+    title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'."
+    description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+    rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.11.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+  # 18.10.57.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. (Automated)
+  - id: 27328 
+    title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'."
+    description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.57.3.11.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+  # 18.10.58.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. (Automated)
+  - id: 27329 
+    title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'."
+    description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+    rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+    impact: "Users cannot set the Feed Sync Engine to download an enclosure through the Feed property page. Developers cannot change the download setting through feed APIs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.58.1"]
+      - cis_csc_v8: ["9.4"]
+      - cis_csc_v7: ["7.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8"]
+      - iso_27001-2013: ["A.12.6.2"]
+      - nist_sp_800-53: ["CM-10", "CM-11", "SC-18"]
+      - pci_dss_v4.0: ["2.2.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+  # 18.10.59.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. (Automated)
+  - id: 27330 
+    title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'."
+    description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+    rationale: "Due to privacy concerns, data should never be sent to any third-party since this data could contain sensitive information."
+    impact: "Search and Cortana will not be permitted to search cloud sources like OneDrive and SharePoint."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.59.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+  # 18.10.59.3 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. (Automated)
+  - id: 27331 
+    title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'."
+    description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+    rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.59.3"]
+      - cis_csc_v7: ["14.8"]
+      - iso_27001-2013: ["A.10.1.1"]
+    condition: any
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+  # 18.10.59.4 (L2) Ensure 'Allow search highlights' is set to 'Disabled'. (Automated)
+  - id: 27332 
+    title: "Ensure 'Allow search highlights' is set to 'Disabled'."
+    description: "This policy setting controls search highlights in the start menu search box and in search home. The recommended state for this setting is: Disabled."
+    rationale: "In a high security environment, data should never be sent to or received by any third-party since this data could contain sensitive information."
+    impact: 'Interesting, "informative", and "noteworthy" information about the current date will not be displayed (by Microsoft) to the user.'
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search highlights Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.59.4"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> EnableDynamicContentInWSB'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> EnableDynamicContentInWSB -> 0'
+
+  # 18.10.63.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. (Automated)
+  - id: 27333 
+    title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'."
+    description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+    rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+    impact: "The computer is prevented from sending data to Microsoft regarding its KMS client activation state."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.63.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
+  # 18.10.76.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. (Automated)
+  - id: 27334 
+    title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'."
+    description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+    rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+    impact: "Users will be warned before they are allowed to run unrecognized programs downloaded from the Internet."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+    compliance:
+      - cis: ["18.10.76.2.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+  # 18.10.80.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. (Automated)
+  - id: 27335 
+    title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'."
+    description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
+    rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+    impact: "The suggested apps in Windows Ink Workspace will not be allowed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.80.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+  # 18.10.80.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'. (Automated)
+  - id: 27336 
+    title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'."
+    description: "This policy setting determines whether Windows Ink items are allowed above the lock screen. The recommended state for this setting is: Enabled: On, but disallow access above lock OR Enabled: Disabled."
+    rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+    impact: "Windows Ink Workspace will not be permitted above the lock screen."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Enabled: Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.80.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
+
+  # 18.10.81.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'. (Automated)
+  - id: 27337 
+    title: "Ensure 'Allow user control over installs' is set to 'Disabled'."
+    description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+    rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.1"]
+      - cis_csc_v8: ["2.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+  # 18.10.81.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'. (Automated)
+  - id: 27338 
+    title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'."
+    description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+    rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.2"]
+      - cis_csc_v8: ["5.4"]
+      - cis_csc_v7: ["4.3"]
+      - cmmc_v2.0: ["AC.L2-3.1.5", "AC.L2-3.1.6", "AC.L2-3.1.7", "SC.L2-3.13.3"]
+      - iso_27001-2013: ["A.9.2.3"]
+      - nist_sp_800-53: ["AC-6(2)", "AC-6(5)"]
+      - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
+      - soc_2: ["CC6.1", "CC6.3"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+  # 18.10.81.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. (Automated)
+  - id: 27339 
+    title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'."
+    description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+    rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.81.3"]
+      - cis_csc_v8: ["2.5"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+  # 18.10.82.1 (L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'. (Automated)
+  - id: 27340 
+    title: "Ensure 'Enable MPR notifications for the system' is set to 'Disabled'."
+    description: "This policy setting controls whether winlogon sends Multiple Provider Router (MPR) notifications. MPR handles communication between the Windows operating system and the installed network providers. MPR checks the registry to determine which providers are installed on the system and the order they are cycled through. The recommended state for this setting is: Disabled."
+    rationale: "MPR is a legacy utility that provides notifications to registered credential managers or network providers when there is a logon event or a password change event. Although this functionality can be used by legitimate applications, it can also be abused by attackers to harvest logon information."
+    impact: "Winlogon will not send Multiple Provider Router (MPR) notifications on the system."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Enable MPR notifications for the system Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (or newer)."
+    references:
+      - "https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520"
+      - "https://learn.microsoft.com/en-us/windows/win32/secauthn/multiple-provider-router"
+    compliance:
+      - cis: ["18.10.82.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> EnableMPR'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> EnableMPR -> 0'
+
+  # 18.10.82.2 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'. (Automated)
+  - id: 27341 
+    title: "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'."
+    description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+    rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+    impact: "The device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. The user is required to present the logon credentials in order to proceed after restart."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in and lock last interactive user automatically after a restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Sign-in last interactive user automatically after a system-initiated restart, but it was renamed starting with the Windows 10 Release 1903 Administrative Templates."
+    compliance:
+      - cis: ["18.10.82.2"]
+      - cis_csc_v7: ["16.11"]
+      - iso_27001-2013: ["A.8.1.3"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+  # 18.10.87.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (Automated)
+  - id: 27342 
+    title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'."
+    description: "This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark."
+    rationale: "Logs of PowerShell script input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    impact: "PowerShell script input will be logged to the Applications and Services Logs\\Microsoft\\Windows\\PowerShell\\Operational Event Log channel, which can contain credentials and sensitive information. Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell logs, which could be exposed to users who have read-access to those logs. Microsoft provides a feature called \"Protected Event Logging\" to better secure event log data. For assistance with protecting event logging, visit: About Logging Windows - PowerShell | Microsoft Docs."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#protected-event-logging"
+    compliance:
+      - cis: ["18.10.87.1"]
+      - cis_csc_v8: ["8.8"]
+      - cis_csc_v7: ["8.8"]
+      - iso_27001-2013: ["A.12.14.1"]
+      - soc_2: ["CC5.2", "CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 1'
+
+  # 18.10.87.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'. (Automated)
+  - id: 27343 
+    title: "Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'."
+    description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Enabled."
+    rationale: "PowerShell transcript input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred."
+    impact: "PowerShell transcript input will be logged to the PowerShell_transcript output file, which is saved to the My Documents folder of each users' profile by default. Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell_transcript output file, which could be exposed to users who have read-access to the file."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings?view=powershell-7.2#turn-on-powershell-transcription"
+    compliance:
+      - cis: ["18.10.87.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 1'
+
+  # 18.10.89.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'. (Automated)
+  - id: 27344 
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+  # 18.10.89.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Automated)
+  - id: 27345 
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.2"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+  # 18.10.89.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'. (Automated)
+  - id: 27346 
+    title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
+    rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "The WinRM client will not use Digest authentication."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.1.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+  # 18.10.89.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'. (Automated)
+  - id: 27347 
+    title: "Ensure 'Allow Basic authentication' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
+    rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.1"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["16.5"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+  # 18.10.89.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. (Automated)
+  - id: 27348 
+    title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.2"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+  # 18.10.89.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Automated)
+  - id: 27349 
+    title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+    rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.89.2.3"]
+      - cis_csc_v8: ["3.10"]
+      - cis_csc_v7: ["14.4"]
+      - cmmc_v2.0: ["AC.L2-3.1.13", "AC.L2-3.1.17", "IA.L2-3.5.10", "SC.L2-3.13.11", "SC.L2-3.13.15", "SC.L2-3.13.8"]
+      - hipaa: ["164.312(a)(2)(iv)", "164.312(e)(1)", "164.312(e)(2)(i)", "164.312(e)(2)(ii)"]
+      - iso_27001-2013: ["A.10.1.1", "A.13.1.1"]
+      - nist_sp_800-53: ["AC-17(2)", "SC-8", "SC-8(1)"]
+      - pci_dss_v3.2.1: ["2.1.1", "4.1", "4.1.1", "8.2.1"]
+      - pci_dss_v4.0: ["2.2.7", "4.1.1", "4.2.1", "4.2.1.2", "4.2.2", "8.3.2"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+  # 18.10.89.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. (Automated)
+  - id: 27350 
+    title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'."
+    description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+    rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
+    impact: "The WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on the computer. If this setting is later Disabled again, any values that were previously configured for RunAsPassword will need to be reset."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.89.2.4"]
+      - cis_csc_v7: ["14.3"]
+      - iso_27001-2013: ["A.13.1.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+  # 18.10.90.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. (Automated)
+  - id: 27351 
+    title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'."
+    description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+    rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+    impact: "New Remote Shell connections are not allowed and are rejected by the server. Note: On Server 2012 (non-R2) and newer, due to design changes in the OS after Server 2008 R2, configuring this setting as prescribed will prevent the ability to add or remove Roles and Features (even locally) via the GUI. We therefore recommend that the necessary Roles and Features be installed prior to configuring this setting on a Level 2 server. Alternatively, Roles and Features can still be added or removed using the PowerShell commands Add-WindowsFeature or Remove-WindowsFeature in the Server Manager module, even with this setting configured."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.90.1"]
+      - cis_csc_v8: ["4.8"]
+      - cis_csc_v7: ["9.2"]
+      - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
+      - iso_27001-2013: ["A.13.1.3"]
+      - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
+      - soc_2: ["CC6.3", "CC6.6"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
+  # 18.10.92.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. (Automated)
+  - id: 27352 
+    title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'."
+    description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled."
+    rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+    impact: "Local users cannot make changes in the Exploit protection settings area."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Security\\App and browser protection\\Prevent users from modifying settings Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.92.2.1"]
+      - cis_csc_v8: ["10.5"]
+      - cis_csc_v7: ["8.3"]
+      - nist_sp_800-53: ["SI-16"]
+      - pci_dss_v3.2.1: ["1.4"]
+      - soc_2: ["CC6.8"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+  # 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. (Automated)
+  - id: 27353 
+    title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'."
+    description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+    rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Legacy Policies\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.1.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+
+  # 18.10.93.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'. (Automated)
+  - id: 27354 
+    title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'."
+    description: 'This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a third-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the third-party patching process.'
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    impact: "Critical operating system updates and service packs will be installed as necessary."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.2.1"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
+
+  # 18.10.93.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. (Automated)
+  - id: 27355 
+    title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'."
+    description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates'. It will have no impact if any other option is selected."
+    rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+    impact: "If 4 - Auto download and schedule the install is selected in recommendation 'Configure Automatic Updates', critical operating system updates and service packs will automatically download every day (at 3:00 A.M., by default)."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage end user experience\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.2.2"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+  # 18.10.93.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled'. (Automated)
+  - id: 27356 
+    title: "Ensure 'Manage preview builds' is set to 'Disabled'."
+    description: "This policy setting manage which updates that are receive prior to the update being released. Dev Channel: Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release. Beta Channel: Ideal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release. Release Preview Channel (default): Insiders in the Release Preview Channel will have access to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before broad deployment within their organization. The recommended state for this setting is: Disabled. Note: Preview Build enrollment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview Builds, see: https://aka.ms/wipforbiz."
+    rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+    impact: "Preview builds are prevented from installing on the device."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Manage preview builds Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+    references:
+      - "https://docs.microsoft.com/en-us/windows-insider/business/manage-builds"
+    compliance:
+      - cis: ["18.10.93.4.1"]
+      - cis_csc_v8: ["2.5"]
+      - cis_csc_v7: ["2.6"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9"]
+      - iso_27001-2013: ["A.12.5.1", "A.12.6.2"]
+      - nist_sp_800-53: ["CM-7(5)"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8"]
+    condition: any
+    rules:
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 1'
+
+  # 18.10.93.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'. (Automated)
+  - id: 27357 
+    title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'."
+    description: 'This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.'
+    rationale: "In a production environment, it is preferred to only use software and features that are publicly available, after they have gone through rigorous testing in beta."
+    impact: "Feature Updates will be delayed until they are publicly released to general public by Microsoft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Select when Preview Builds and Feature Updates are received Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Select when Feature Updates are received, but it was renamed to Select when Preview Builds and Feature Updates are received starting with the Windows 10 Release 1709 Administrative Templates."
+    compliance:
+      - cis: ["18.10.93.4.2"]
+      - cis_csc_v8: ["2.5", "7.3"]
+      - cis_csc_v7: ["2.4"]
+      - cmmc_v2.0: ["CM.L2-3.4.6", "CM.L2-3.4.7", "CM.L2-3.4.8", "CM.L2-3.4.9", "SI.L1-3.14.1"]
+      - iso_27001-2013: ["A.8.1.1"]
+      - nist_sp_800-53: ["CM-7(5)", "SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - pci_dss_v4.0: ["1.2.5", "2.2.4"]
+      - soc_2: ["CC6.8", "CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+
+  # 18.10.93.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. (Automated)
+  - id: 27358 
+    title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'."
+    description: 'This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - Demystifying "Dual Scan" - WSUS Product Team Blog - Improving Dual Scan on 1607 - WSUS Product Team Blog.'
+    rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+    impact: "None - this is the default behavior."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Manage updates offered from Windows Update\\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+    compliance:
+      - cis: ["18.10.93.4.3"]
+      - cis_csc_v8: ["7.3"]
+      - cis_csc_v7: ["3.4", "3.5"]
+      - cmmc_v2.0: ["SI.L1-3.14.1"]
+      - nist_sp_800-53: ["SI-2(2)"]
+      - pci_dss_v3.2.1: ["6.2"]
+      - soc_2: ["CC7.1"]
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
+
+  # 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.1.3.2 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.1.3.3 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. (Automated) - Not Implemented
+  # 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.6.6.1.1 (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. (Automated) - Not Implemented
+  # 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. (Automated) - Not Implemented
+  # 19.7.7.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.3 (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.4 (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.7.5 (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.25.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. (Automated) - Not Implemented
+  # 19.7.40.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'. (Automated) - Not Implemented
+  # 19.7.42.2.1 (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'. (Automated) - Not Implemented
diff --git a/etc/selinux/wazuh.te b/etc/selinux/wazuh.te
index e69de29bb2..dc8e34a0a2 100644
--- a/etc/selinux/wazuh.te
+++ b/etc/selinux/wazuh.te
@@ -0,0 +1,50 @@
+# Copyright (C) 2015, Wazuh Inc.
+# July 4, 2018.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+module wazuh 1.3;
+
+require {
+	type audisp_t;
+	type var_t;
+	type auditd_t;
+	type usr_t;
+	type auditd_etc_t;
+	class sock_file { create setattr unlink };
+	class process { noatsecure siginh rlimitinh };
+	class dir { remove_name add_name read write };
+	class file { getattr open read };
+	class capability { dac_override dac_read_search };
+	class lnk_file { read };
+}
+
+#============= audisp_t ==============
+allow audisp_t self: capability dac_override;
+
+allow audisp_t usr_t:dir { remove_name add_name read write };
+allow audisp_t usr_t:file getattr;
+
+allow audisp_t usr_t:sock_file { create setattr };
+allow audisp_t usr_t:file { open read };
+
+allow audisp_t var_t:dir { remove_name add_name read write };
+allow audisp_t var_t:file getattr;
+
+allow audisp_t var_t:sock_file { create setattr unlink };
+allow audisp_t var_t:file { open read };
+
+#============= auditd_t ==============
+
+allow auditd_t audisp_t:process { noatsecure siginh };
+
+allow auditd_t auditd_etc_t:lnk_file { read };
+allow auditd_t self:capability { dac_override dac_read_search };
+allow auditd_t var_t:file { getattr open read };
+allow auditd_t var_t:dir { remove_name add_name read write };
+allow auditd_t var_t:sock_file { create setattr unlink };
+
+allow auditd_t audisp_t:process rlimitinh;
diff --git a/packages/.gitignore b/packages/.gitignore
new file mode 100644
index 0000000000..be951dd1cc
--- /dev/null
+++ b/packages/.gitignore
@@ -0,0 +1,8 @@
+*.deb
+*.rpm
+*.zip
+*.pkg
+.sha512
+.cache
+output
+
diff --git a/packages/README.md b/packages/README.md
index e69de29bb2..a0df0f555e 100644
--- a/packages/README.md
+++ b/packages/README.md
@@ -0,0 +1,124 @@
+## Wazuh Package Builder Script
+
+This script automates the process of building Wazuh packages (manager or agent) for various architectures within a Docker container.
+
+**Features:**
+
+- Supports building packages for different targets (manager/agent).
+- Selectable architectures (amd64, i386, **ppc64le, arm64, armhf*).
+- Optional debug builds.
+- Generates checksums for built packages.
+- Builds legacy packages for CentOS 5 (RPM only).
+- Uses local source code or downloads from GitHub.
+- Builds future test packages (x.30.0).
+
+***Note:** Support for *ppc64le, arm64, and armhf* architectures **is not** currently **available** in the **workflow**.
+
+**Requirements:**
+
+- Docker installed and running.
+
+**Usage:**
+```
+wazuh# cd packages
+./generate_package.sh [OPTIONS]
+```
+
+**Options:**
+| Option     | Description                                            | Default               |
+|------------|----------------------------------------------------------|-----------------------|
+| -b, --branch | Git branch to use (optional)                          | master                |
+| -t, --target | Target package to build (required): manager or agent    | -                     |
+| -a, --architecture | Target architecture (optional): amd64, i386, etc. | -                     |
+| -j, --jobs  | Number of parallel jobs (optional)                       | 2                     |
+| -r, --revision | Package revision (optional)                          | 0                     |
+| -s, --store  | Destination path for the package (optional)            | (output folder created) |
+| -p, --path   | Installation path for the package (optional)           | /var/ossec             |
+| -d, --debug  | Build binaries with debug symbols (optional)           | no                     |
+| -c, --checksum | Generate checksum on the same directory (optional)   | no                     |
+| -l, --legacy | Build package for CentOS 5 (RPM only) (optional)        | no                     |
+| --dont-build-docker | Use a locally built Docker image (optional)      | no   |
+| --tag        | Tag to use with the Docker image (optional)             | -                     |
+| *--sources    | Path containing local Wazuh source code (optional)       | script path            |
+| **--is_stage | Use release name in package (optional)               | no                     |
+| --src        | Generate the source package (optional)                 | no                     |
+| --system | Package format to build (optional): rpm, deb (default)| deb                    |
+| -h, --help   | Show this help message                                 | -                     |
+
+***Note1:** If we don't use this flag, will the script use the current directory where *generate_package.sh* is located.
+
+****Note 2:** If the package is not a release package, a short hash commit based on the git command `git rev-parse --short HEAD` will be appended to the end of the name. The default length of the short hash is determined by the Git command [git rev-parse --short[=length]](https://git-scm.com/docs/git-rev-parse#Documentation/git-rev-parse.txt---shortlength:~:text=interpreted%20as%20usual.-,%2D%2Dshort%5B%3Dlength%5D,-Same%20as%20%2D%2Dverify).
+
+
+**Example Usage:**
+
+1. Build a manager package for amd64 architecture:
+./wazuh_package_builder.sh -t manager -a amd64 -s /tmp --system rpm
+
+2. Build a debug agent package for i386 architecture with checksum generation:
+./wazuh_package_builder.sh -t agent -a i386 -s /tmp -d -c --system rpm
+
+3. Build a legacy RPM package for CentOS 5 (agent):
+./wazuh_package_builder.sh -t agent -l -s /tmp --system rpm
+
+4. Build a package using local Wazuh source code:
+./wazuh_package_builder.sh -t manager -a amd64 --sources /path/to/wazuh/source --system rpm
+
+
+**Notes:**
+- For `--dont-build-docker` to work effectively, ensure a Docker image with the necessary build environment is already available.
+- For RPM packages, we use the following architecture equivalences:
+    * amd64 -> x86_64
+    * arm64 -> aarch64
+    * armhf -> armv7hl
+
+# Workflow
+
+## Generate and push builder images to GH
+
+```bash
+curl -L -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GH_WORKFLOW_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" --data-binary "@$(pwd)/wazuh-agent-test-amd64-rpm.json" "https://api.github.com/repos/wazuh/wazuh/actions/workflows/packages-upload-agent-images-amd.yml/dispatches"
+```
+
+Where the JSON looks like this:
+
+```json
+# cat wazuh-agent-test-amd64-rpm.json
+{
+    "ref":"4.9.0",
+    "inputs":
+        {
+         "tag":"auto",
+         "architecture":"amd64",
+         "system":"rpm",
+         "revision":"test",
+         "is_stage":"false",
+         "legacy":"false"
+        }
+}
+```
+
+## Generate packages
+
+```json
+curl -L -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GH_WORKFLOW_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" --data-binary "@$(pwd)/wazuh-agent-test-amd64-rpm.json" "https://api.github.com/repos/wazuh/wazuh/actions/workflows/packages-build-linux-agent-amd.yml/dispatches"
+```
+
+Where the JSON looks like this:
+```json
+# cat wazuh-agent-test-amd64-rpm.json
+{
+    "ref":"4.9.0",
+    "inputs":
+        {
+         "docker_image_tag":"auto",
+         "architecture":"amd64",
+         "system":"deb",
+         "revision":"test",
+         "is_stage":"false",
+         "legacy":"false",
+         "checksum":"false",
+     }
+}
+```
+
diff --git a/packages/build.sh b/packages/build.sh
new file mode 100755
index 0000000000..27efc6b051
--- /dev/null
+++ b/packages/build.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+
+# Wazuh package builder
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+set -e
+
+build_directories() {
+  local build_folder=$1
+  local wazuh_dir="$2"
+  local future="$3"
+
+  mkdir -p "${build_folder}"
+  wazuh_version="$(cat wazuh*/src/VERSION| cut -d 'v' -f 2)"
+
+  if [[ "$future" == "yes" ]]; then
+    wazuh_version="$(future_version "$build_folder" "$wazuh_dir" $wazuh_version)"
+    source_dir="${build_folder}/wazuh-${BUILD_TARGET}-${wazuh_version}"
+  else
+    package_name="wazuh-${BUILD_TARGET}-${wazuh_version}"
+    source_dir="${build_folder}/${package_name}"
+    cp -R $wazuh_dir "$source_dir"
+  fi
+  echo "$source_dir"
+}
+
+# Function to handle future version
+future_version() {
+  local build_folder="$1"
+  local wazuh_dir="$2"
+  local base_version="$3"
+
+  specs_path="$(find $wazuh_dir -name SPECS|grep $SYSTEM)"
+
+  local major=$(echo "$base_version" | cut -dv -f2 | cut -d. -f1)
+  local minor=$(echo "$base_version" | cut -d. -f2)
+  local version="${major}.30.0"
+  local old_name="wazuh-${BUILD_TARGET}-${base_version}"
+  local new_name=wazuh-${BUILD_TARGET}-${version}
+
+  local new_wazuh_dir="${build_folder}/${new_name}"
+  cp -R ${wazuh_dir} "$new_wazuh_dir"
+  find "$new_wazuh_dir" "${specs_path}" \( -name "*VERSION*" -o -name "*changelog*" \
+        -o -name "*.spec" \) -exec sed -i "s/${base_version}/${version}/g" {} \;
+  sed -i "s/\$(VERSION)/${major}.${minor}/g" "$new_wazuh_dir/src/Makefile"
+  sed -i "s/${base_version}/${version}/g" $new_wazuh_dir/src/init/wazuh-{server,client,local}.sh
+  echo "$version"
+}
+
+# Function to generate checksum and move files
+post_process() {
+  local file_path="$1"
+  local checksum_flag="$2"
+  local source_flag="$3"
+
+  if [[ "$checksum_flag" == "yes" ]]; then
+    sha512sum "$file_path" > /var/local/checksum/$(basename "$file_path").sha512
+  fi
+
+  if [[ "$source_flag" == "yes" ]]; then
+    mv "$file_path" /var/local/wazuh
+  fi
+}
+
+# Main script body
+
+# Script parameters
+export REVISION="$1"
+export JOBS="$2"
+debug="$3"
+checksum="$4"
+future="$5"
+legacy="$6"
+src="$7"
+
+build_dir="/build_wazuh"
+
+source helper_function.sh
+
+set -x
+
+# Download source code if it is not shared from the local host
+if [ ! -d "/wazuh-local-src" ] ; then
+    curl -sL https://github.com/wazuh/wazuh/tarball/${WAZUH_BRANCH} | tar zx
+    short_commit_hash="$(curl -s https://api.github.com/repos/wazuh/wazuh/commits/${WAZUH_BRANCH} \
+                          | grep '"sha"' | head -n 1| cut -d '"' -f 4 | cut -c 1-11)"
+else
+    if [ "${legacy}" = "no" ]; then
+      short_commit_hash="$(cd /wazuh-local-src && git rev-parse --short HEAD)"
+    else
+      # Git package is not available in the CentOS 5 repositories.
+      hash_commit=$(cat /wazuh-local-src/.git/$(cat /wazuh-local-src/.git/HEAD|cut -d" " -f2))
+      short_commit_hash="$(cut -c 1-11 <<< $hash_commit)"
+    fi
+fi
+
+# Build directories
+source_dir=$(build_directories "$build_dir/${BUILD_TARGET}" "wazuh*" $future)
+
+wazuh_version="$(cat $source_dir/src/VERSION| cut -d 'v' -f 2)"
+# TODO: Improve how we handle package_name
+# Changing the "-" to "_" between target and version breaks the convention for RPM or DEB packages.
+# For now, I added extra code that fixes it.
+package_name="wazuh-${BUILD_TARGET}-${wazuh_version}"
+specs_path="$(find $source_dir -name SPECS|grep $SYSTEM)"
+
+setup_build "$source_dir" "$specs_path" "$build_dir" "$package_name" "$debug"
+
+set_debug $debug $sources_dir
+
+# Installing build dependencies
+cd $sources_dir
+build_deps $legacy
+build_package $package_name $debug "$short_commit_hash" "$wazuh_version"
+
+# Post-processing
+get_package_and_checksum $wazuh_version $short_commit_hash $src
diff --git a/packages/debs/SPECS/wazuh_agent/debian/changelog b/packages/debs/SPECS/wazuh_agent/debian/changelog
new file mode 100644
index 0000000000..a5d5509337
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/changelog
@@ -0,0 +1,673 @@
+wazuh-agent (4.9.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 10 Jul 2024 00:00:00 +0000
+
+wazuh-agent (4.8.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 26 Jun 2024 00:00:00 +0000
+
+wazuh-agent (4.8.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 12 Jun 2024 00:00:00 +0000
+
+wazuh-agent (4.7.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 30 May 2024 00:00:00 +0000
+
+wazuh-agent (4.7.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 25 Apr 2024 00:00:00 +0000
+
+wazuh-agent (4.7.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 27 Feb 2024 00:00:00 +0000
+
+wazuh-agent (4.7.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 09 Jan 2024 00:00:00 +0000
+
+wazuh-agent (4.7.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 19 Dec 2023 00:00:00 +0000
+
+wazuh-agent (4.7.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-7-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 27 Nov 2023 00:00:00 +0000
+
+wazuh-agent (4.6.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 31 Oct 2023 00:00:00 +0000
+
+wazuh-agent (4.5.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-5-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 24 Oct 2023 00:00:00 +0000
+
+wazuh-agent (4.5.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 10 Oct 2023 00:00:00 +0000
+
+wazuh-agent (4.5.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 31 Aug 2023 00:00:00 +0000
+
+wazuh-agent (4.5.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-5-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 24 Aug 2023 15:56:43 +0000
+
+wazuh-agent (4.5.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 10 Aug 2023 15:56:43 +0000
+
+wazuh-agent (4.4.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 10 Jul 2023 15:56:43 +0000
+
+wazuh-agent (4.4.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 13 Jun 2023 12:31:50 +0000
+
+wazuh-agent (4.4.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 25 May 2023 12:31:50 +0000
+
+wazuh-agent (4.4.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 08 May 2023 12:31:50 +0000
+
+wazuh-agent (4.3.11-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-11.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 24 Apr 2023 15:00:00 +0000
+
+wazuh-agent (4.4.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 17 Apr 2023 12:31:50 +0000
+
+wazuh-agent (4.4.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 18 Jan 2023 12:31:50 +0000
+
+wazuh-agent (4.3.10-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 10 Nov 2022 15:00:00 +0000
+
+wazuh-agent (4.3.9-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 03 Oct 2022 15:00:00 +0000
+
+wazuh-agent (4.3.8-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 19 Sep 2022 15:00:00 +0000
+
+wazuh-agent (4.3.7-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-7.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 08 Aug 2022 15:00:00 +0000
+
+wazuh-agent (4.3.6-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 07 Jul 2022 15:00:00 +0000
+
+wazuh-agent (4.3.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 29 Jun 2022 15:00:00 +0000
+
+wazuh-agent (4.3.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 07 Jun 2022 15:41:39 +0000
+
+wazuh-agent (4.3.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 31 May 2022 15:41:39 +0000
+
+wazuh-agent (4.3.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 30 May 2022 15:41:39 +0000
+
+wazuh-agent (4.2.7-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-7.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sun, 29 May 2022 08:51:00 +0000
+
+wazuh-agent (4.3.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 18 May 2022 12:14:41 +0000
+
+wazuh-agent (4.3.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 05 May 2022 12:15:57 +0000
+
+wazuh-agent (4.2.6-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-6.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Fri, 25 Mar 2022 16:47:07 +0000
+
+wazuh-agent (4.2.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 15 Nov 2021 16:47:07 +0000
+
+wazuh-agent (4.2.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 21 Oct 2021 15:57:51 +0000
+
+wazuh-agent (4.2.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 06 Oct 2021 15:07:13 +0000
+
+wazuh-agent (4.2.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 28 Sep 2021 08:58:38 +0000
+
+wazuh-agent (4.2.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sat, 25 Sep 2021 07:04:22 +0000
+
+wazuh-agent (4.2.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-2-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 26 Apr 2021 11:51:55 +0000
+
+wazuh-agent (4.1.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 22 Apr 2021 16:50:05 +0000
+
+wazuh-agent (4.1.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 29 Mar 2021 16:23:09 +0000
+
+wazuh-agent (4.1.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sat, 20 Mar 2021 13:41:26 +0000
+
+wazuh-agent (4.1.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 08 Mar 2021 14:00:25 +0000
+
+wazuh-agent (4.1.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Fri, 05 Mar 2021 13:24:41 +0000
+
+wazuh-agent (4.1.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-1-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 19 Jan 2021 06:25:59 +0000
+
+ wazuh-agent (4.0.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-0-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 12 Jan 2021 09:30:15 +0000
+
+wazuh-agent (4.0.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-0-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 30 Nov 2020 10:00:15 +0000
+
+wazuh-agent (4.0.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-0-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 23 Nov 2020 12:16:36 +0000
+
+wazuh-agent (4.0.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-0-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sat, 31 Oct 2020 12:16:36 +0000
+
+wazuh-agent (4.0.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-4-0-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 19 Oct 2020 06:59:39 +0000
+
+ wazuh-manager (3.13.6-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-6.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 21 Sep 2022 15:00:00 +0000
+
+ wazuh-manager (3.13.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 24 Aug 2022 15:00:00 +0000
+
+ wazuh-manager (3.13.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 30 May 2022 15:00:00 +0000
+
+wazuh-agent (3.13.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sat, 24 Apr 2021 07:01:55 +0000
+
+wazuh-agent (3.13.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Fri, 21 Aug 2020 10:05:02 +0000
+
+wazuh-agent (3.13.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 14 Jul 2020 10:05:02 +0000
+
+wazuh-agent (3.13.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-13-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 29 Jun 2020 10:05:02 +0000
+
+wazuh-agent (3.12.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-12-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 9 Apr 2020 08:47:14 +0000
+
+wazuh-agent (3.12.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-12-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 8 Apr 2020 16:12:28 +0000
+
+wazuh-agent (3.12.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-12-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 25 Mar 2020 10:20:48 +0000
+
+wazuh-agent (3.11.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-11-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 24 Feb 2020 10:01:00 +0000
+
+wazuh-agent (3.11.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-11-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 22 Jan 2020 10:01:00 +0000
+
+wazuh-agent (3.11.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-11-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 7 Jan 2020 10:01:00 +0000
+
+wazuh-agent (3.11.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-11-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 26 Dec 2019 13:33:00 +0000
+
+wazuh-agent (3.11.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-11-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 7 Oct 2019 13:33:00 +0000
+
+wazuh-agent (3.10.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-10-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 23 Sep 2019 10:19:00 +0000
+
+wazuh-agent (3.10.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-10-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 19 Sep 2019 13:33:00 +0000
+
+wazuh-agent (3.10.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-10-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 26 Aug 2019 13:33:00 +0000
+
+wazuh-agent (3.9.5-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-5.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 8 Aug 2019 16:31:00 +0000
+
+wazuh-agent (3.9.4-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 12 Jul 2019 16:31:00 +0000
+
+wazuh-agent (3.9.3-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 11 Jun 2019 16:31:00 +0000
+
+wazuh-agent (3.9.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 6 Jun 2019 13:33:00 +0000
+
+wazuh-agent (3.9.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 6 May 2019 13:33:00 +0000
+
+wazuh-agent (3.9.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-9-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 25 Feb 2019 11:00:00 +0000
+
+wazuh-agent (3.8.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-8-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 30 Jan 2019 11:00:00 +0000
+
+wazuh-agent (3.8.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-8-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 24 Jan 2019 09:28:34 +0000
+
+wazuh-agent (3.8.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-8-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 16 Jan 2019 11:00:00 +0000
+
+wazuh-agent (3.7.2-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-7-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 10 Dec 2018 11:00:00 +0000
+
+wazuh-agent (3.7.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-7-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 12 Nov 2018 11:00:00 +0000
+
+wazuh-agent (3.7.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-7-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Sat, 10 Nov 2018 11:00:00 +0000
+
+wazuh-agent (3.6.1-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-6-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 3 Sep 2018 11:00:00 +0000
+
+wazuh-agent (3.6.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-6-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Fri, 24 Aug 2018 11:00:00 +0000
+
+wazuh-agent (3.5.0-RELEASE) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-5-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 25 Jul 2018 20:12:41 +0000
+
+wazuh-agent (3.4.0-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-4-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 28 Jun 2018 20:12:41 +0000
+
+wazuh-agent (3.3.1-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-3-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 14 Jun 2018 9:29:41 +0000
+
+wazuh-agent (3.3.0-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-3-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 07 Jun 2018 10:00:31 +0000
+
+wazuh-agent (3.2.4-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-2-4.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 30 May 2018 12:44:31 +0000
+
+wazuh-agent (3.2.3-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-2-3.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 15 May 2018 12:35:30 +0000
+
+wazuh-agent (3.2.2-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-2-2.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Tue, 13 Mar 2018 12:35:30 +0000
+
+wazuh-agent (3.2.1-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-2-1.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Wed, 21 Feb 2018 15:26:30 +0000
+
+wazuh-agent (3.2.0-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-2-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 11 Dec 2017 15:19:24 +0000
+
+
+wazuh-agent (3.1.0-1) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-1-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 19 Dec 2017 08:00:10 +0000
+
+
+wazuh-agent (3.0.0-2) stable; urgency=low
+
+  * More info: https://documentation.wazuh.com/current/release-notes/release-3-0-0.html
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 01 Nov 2017 08:00:10 +0000
+
+wazuh-agent (2.1.1-1) stable; urgency=low
+
+  * Labels configuration for agents to show data on alerts.
+  * Added group property for agents to customize shared files set.
+  * Send shared files to multiple agents in parallel.
+  * New decoder plugin for logs in JSON format with dynamic fields definition.
+  * Brought framework from API to Wazuh project.
+  * Show merged files MD5 checksum by agent_control and framework.
+  * New reliable request protocol for manager-agent communication.
+  * Remote agent upgrades with signed WPK packages.
+  * Added option for Remoted to prevent it from writing shared merged file.
+  * Added state for Agentd and Windows agent to notify connection state and metrics.
+  * Added new json log format for local file monitoring.
+  * Added OpenSCAP SSG datastream content for Ubuntu Trusty Tahr.
+  * Increased shared file delivery speed when using TCP.
+  * Increased TCP listening socket backlog.
+  * Changed Windows agent UI panel to show revision number instead of installation date.
+  * Group every decoded field (static and dynamic fields-1) into a data object for JSON alerts.
+  * Reload shared files by Remoted every 10 minutes.
+  * Increased string size limit for XML reader to 4096 bytes.
+  * Updated Logstash configuration and Elasticsearch mappings.
+  * Changed template fields structure for Kibana dashboards.
+  * Increased dynamic field limit to 1024, and default to 256.
+  * Changed agent buffer 'length' parameter to 'queue_size'.
+  * Changed some Rootcheck error messages to verbose logs.
+  * Removed unnecessary message by manage_agents advising to restart Wazuh manager.
+  * Fixed wrong queries to get last Syscheck and Rootcheck date.
+  * Prevent Logcollector keep-alives from being stored on archives.json.
+  * Fixed length of random message within keep-alives.
+  * Fixed Windows version detection for Windows 8 and newer.
+  * Fixed incorrect CIDR writing on client.keys by Authd.
+  * Fixed missing buffer flush by Analysisd when updating Rootcheck database.
+  * Stop Wazuh service before removing folder to reinstall.
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 01 Aug 2016 08:00:10 +0000
+
+wazuh-agent (2.1.0-1) stable; urgency=low
+
+  * Rotate and compress log feature.
+  * Labeling data for agents to be shown in alerts.
+  * New 'auth' configuration template.
+  * Make manage_agents capable of add and remove agents via Authd.
+  * Implemented XML configuration for Authd.
+  * Option -F for Authd to force insertion if it finds duplicated name.
+  * Local auth client to manage agent keys.
+  * Added OS name and version into global.db.
+  * Option for logging in JSON format.
+  * Allow maild to send through a sendmail-like executable (by James Le Cuirot).
+  * Leaky bucket-like buffer for agents to prevent network flooding.
+  * Allow Syslog client to read JSON alerts.
+  * Allow Mail reporter to read JSON alerts.
+  * Added internal option to tune Rootcheck sleep time.
+  * Added route-null Active Response script for Windows 2012 (by @CrazyLlama).
+  * Updated SQLite library to 3.19.2.
+  * Updated zlib to 1.2.11.
+  * Updated cJSON library to 1.4.7.
+  * Change some manage_agents option parameters.
+  * Run Auth in background by default.
+  * Log classification as debug, info, warning, error and critical.
+  * Limit number of reads per cycle by Logcollector to prevent log starvation.
+  * Limit OpenSCAP module's event forwarding speed.
+  * Increased debug level of repeated Rootcheck messages.
+  * Send events when OpenSCAP starts and finishes scans.
+  * Delete PID files when a process exits not due to a signal.
+  * Change error messages due to SSL handshake failure to debug messages.
+  * Force group addition on installation for compatibility with LDAP (thanks to Gary Feltham).
+  * Fixed compiling error on systems with no OpenSSL.
+  * Fixed compiling warning at manage_agents.
+  * Fixed ossec-control enable/disable help message.
+  * Fixed unique aperture of random device on Unix.
+  * Fixed file sum comparison bug at Syscheck realtime engine. (Thanks to Arshad Khan)
+  * Close analysisd if alert outputs are disabled for all formats.
+  * Read Windows version name for versions newer than Windows 8 / Windows Server 2012.
+  * Fixed error in Analysisd that wrote Syscheck and Rootcheck databases of re-added agents on deleted files.
+  * Fixed internal option to configure the maximum labels' cache time.
+  * Fixed Auth password parsing on client side.
+  * Fix bad agent ID assignation in Authd on i686 architecture.
+  * Fixed Logcollector misconfiguration in Windows agents.
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 01 Jul 2016 08:43:10 +0000
+
+wazuh-agent (2.0.1-1) stable; urgency=low
+
+  * Changed random data generator for a secure OS-provided generator.
+  * Changed Windows installer file name (depending on version).
+  * Linux distro detection using standard os-release file.
+  * Changed some URLs to documentation.
+  * Disable synchronization with SQLite databases for Syscheck by default.
+  * Minor changes at Rootcheck formatter for JSON alerts.
+  * Added debugging messages to Integrator logs.
+  * Show agent ID when possible on logs about incorrectly formatted messages.
+  * Use default maximum inotify event queue size.
+  * Show remote IP on encoding format errors when unencrypting messages.
+
+ -- Wazuh, Inc <info@wazuh.com>  Thu, 06 Jun 2017 08:43:10 +0000
+
+wazuh-agent (2.0-1) stable; urgency=low
+
+  * Wazuh-agent - base 2.0
+
+ -- Wazuh, Inc <info@wazuh.com>  Mon, 30 Sep 2016 08:43:10 +0000
diff --git a/packages/debs/SPECS/wazuh_agent/debian/compat b/packages/debs/SPECS/wazuh_agent/debian/compat
new file mode 100644
index 0000000000..7f8f011eb7
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/.github/workflows/.python-version b/packages/debs/SPECS/wazuh_agent/debian/conffiles
similarity index 100%
rename from .github/workflows/.python-version
rename to packages/debs/SPECS/wazuh_agent/debian/conffiles
diff --git a/packages/debs/SPECS/wazuh_agent/debian/control b/packages/debs/SPECS/wazuh_agent/debian/control
new file mode 100644
index 0000000000..c6c6cb0b1d
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/control
@@ -0,0 +1,14 @@
+Source: wazuh-agent
+Section: admin
+Priority: extra
+Maintainer: Wazuh, Inc <info@wazuh.com>
+Build-Depends: debhelper (>= 7.0.50~), make, gcc, linux-libc-dev, gawk, libaudit-dev, selinux-basics
+Standards-Version: 3.8.4
+Homepage: https://www.wazuh.com
+
+Package: wazuh-agent
+Architecture: any
+Depends: ${shlibs:Depends}, libc6 (>= 2.7), lsb-release, debconf, adduser
+Conflicts: ossec-hids-agent, wazuh-manager, ossec-hids, wazuh-api
+Breaks: ossec-hids-agent, wazuh-manager, ossec-hids
+Description: Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
diff --git a/packages/debs/SPECS/wazuh_agent/debian/copyright b/packages/debs/SPECS/wazuh_agent/debian/copyright
new file mode 100644
index 0000000000..1389198770
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/copyright
@@ -0,0 +1,38 @@
+This work was packaged for Debian by:
+
+    Wazuh, Inc <info@wazuh.com> on Wed, 10 Jul 2024 00:00:00 +0000
+
+It was downloaded from:
+
+    https://www.wazuh.com
+
+Upstream Authors:
+
+    dcid@dcid.me
+    Jia-BingJB_Cheng@trendmicro.com
+    vichargrave@gmail.com
+    ossec@michaelstarks.com
+    ddpbsd@gmail.com
+    scott@atomicorp.com
+    brad.lhotsky@gmail.com
+    jeremy@jeremyrossy.com
+    santiago.bassett@gmail.com
+    pedro@wazuh.com
+    alberto.rodriguez@wazuh.com
+    braulio@wazuh.com
+    jose.fernandez@wazuh.com
+
+Copyright:
+
+    GNU General Public License version 2.
+
+License:
+
+    GNU General Public License version 2.
+
+The Debian packaging is:
+
+    Copyright (C) 2015 Wazuh, Inc <info@wazuh.com>
+
+and is licensed under the GPL version 2,
+see "/usr/share/common-licenses/GPL-2".
diff --git a/packages/debs/SPECS/wazuh_agent/debian/postinst b/packages/debs/SPECS/wazuh_agent/debian/postinst
new file mode 100644
index 0000000000..d114d2efe6
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/postinst
@@ -0,0 +1,214 @@
+#!/bin/sh
+# postinst script for wazuh-agent
+# Wazuh, Inc 2015
+
+set -e
+
+case "$1" in
+    configure)
+
+    OS=$(lsb_release -si)
+    VER=$(lsb_release -sr)
+    DIR="/var/ossec"
+    USER="wazuh"
+    GROUP="wazuh"
+    WAZUH_GLOBAL_TMP_DIR="${DIR}/packages_files"
+    WAZUH_TMP_DIR="${WAZUH_GLOBAL_TMP_DIR}/agent_config_files"
+    SCRIPTS_DIR="${WAZUH_GLOBAL_TMP_DIR}/agent_installation_scripts"
+    SCA_BASE_DIR="${SCRIPTS_DIR}/sca"
+
+    OSMYSHELL="/sbin/nologin"
+
+    if [ -d /run/systemd/system ]; then
+        rm -f /etc/init.d/wazuh-agent
+    fi
+
+    if [ ! -f ${OSMYSHELL} ]; then
+        if [ -f "/bin/false" ]; then
+            OSMYSHELL="/bin/false"
+        fi
+    fi
+
+    if ! getent group ${GROUP} > /dev/null 2>&1; then
+        addgroup --system ${GROUP} > /dev/null 2>&1
+    fi
+    if ! getent passwd ${USER} > /dev/null 2>&1; then
+        adduser --system --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER} > /dev/null 2>&1
+    fi
+
+    if [ -z "$2" ] || [ -f ${WAZUH_TMP_DIR}/create_conf ] ; then
+
+        ${SCRIPTS_DIR}/gen_ossec.sh conf agent ${OS} ${VER} ${DIR} > ${DIR}/etc/ossec.conf
+        ${SCRIPTS_DIR}/add_localfiles.sh ${DIR} >> ${DIR}/etc/ossec.conf
+    else
+        ${SCRIPTS_DIR}/gen_ossec.sh conf agent ${OS} ${VER} ${DIR} > ${DIR}/etc/ossec.conf.new
+        chmod 660 ${DIR}/etc/ossec.conf.new
+    fi
+
+    # For the etc dir
+    if [ -f /etc/localtime ]; then
+        cp -pL /etc/localtime ${DIR}/etc/;
+        chmod 640 ${DIR}/etc/localtime
+        chown root:${GROUP} ${DIR}/etc/localtime
+    fi
+
+    # Restore the local rules, client.keys and local_decoder
+    if [ -f ${WAZUH_TMP_DIR}/client.keys ]; then
+        cp ${WAZUH_TMP_DIR}/client.keys ${DIR}/etc/client.keys
+    fi
+    # Restore ossec.conf configuration
+    if [ -f ${WAZUH_TMP_DIR}/ossec.conf ]; then
+        mv ${WAZUH_TMP_DIR}/ossec.conf ${DIR}/etc/ossec.conf
+    fi
+    # Restore internal options configuration
+    if [ -f ${WAZUH_TMP_DIR}/local_internal_options.conf ]; then
+        mv ${WAZUH_TMP_DIR}/local_internal_options.conf ${DIR}/etc/local_internal_options.conf
+    fi
+
+    # Install the SCA files
+    if [ -d "${SCA_BASE_DIR}" ]; then
+        . ${SCRIPTS_DIR}/src/init/dist-detect.sh
+
+        SCA_DIR="${DIST_NAME}/${DIST_VER}"
+
+        SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}"
+        mkdir -p ${DIR}/ruleset/sca
+
+        # Install the configuration files needed for this hosts
+        if [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}/sca.files" ]; then
+            SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}"
+        elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/sca.files" ]; then
+            SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}"
+        elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/sca.files" ]; then
+            SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}"
+        else
+            SCA_TMP_DIR="${SCA_BASE_DIR}/generic"
+        fi
+
+        SCA_TMP_FILE="${SCA_TMP_DIR}/sca.files"
+
+        if [ -r ${SCA_TMP_FILE} ]; then
+            rm -f ${DIR}/ruleset/sca/* || true
+
+            for sca_file in $(cat ${SCA_TMP_FILE}); do
+                mv ${SCA_BASE_DIR}/${sca_file} ${DIR}/ruleset/sca
+            done
+        fi
+
+        # Set correct permissions, owner and group. ruleset directory may be empty.
+        if [ -n "$(ls -A ${DIR}/ruleset/sca/)" ]; then
+            chmod --recursive u=rwX,g=rX,o= ${DIR}/ruleset/sca/
+            chown --recursive root:${GROUP} ${DIR}/ruleset/sca/
+        fi
+        # Delete the temporary directory
+        rm -rf ${SCA_BASE_DIR}
+
+    fi
+
+    # Restore group files
+    if [ -d ${WAZUH_TMP_DIR}/group ]; then
+        for file in ${WAZUH_TMP_DIR}/group/* ; do
+            mv ${file} ${DIR}/etc/shared/
+        done
+        rm -rf ${WAZUH_TMP_DIR}/group
+    fi
+
+    touch ${DIR}/logs/active-responses.log
+    chown wazuh:wazuh ${DIR}/logs/active-responses.log
+    chmod 0660 ${DIR}/logs/active-responses.log
+
+    # Check if SELinux is installed and enabled
+    if command -v getenforce > /dev/null 2>&1 && command -v semodule > /dev/null 2>&1; then
+        if [ $(getenforce) !=  "Disabled" ]; then
+            semodule -i ${DIR}/var/selinux/wazuh.pp
+            semodule -e wazuh
+        fi
+    fi
+
+    # Register and configure agent if Wazuh environment variables are defined
+    if [ -z "$2" ] ; then
+        ${SCRIPTS_DIR}/src/init/register_configure_agent.sh ${DIR} > /dev/null || :
+    fi
+
+    # Restoring file permissions
+    ${SCRIPTS_DIR}/restore-permissions.sh > /dev/null 2>&1 || :
+
+    if [ -f /etc/systemd/system/wazuh-agent.service ]; then
+        rm -f /etc/systemd/system/wazuh-agent.service
+        if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1; then
+            systemctl daemon-reload > /dev/null 2>&1
+        fi
+    fi
+
+    # Remove old ossec user and group if exists and change ownwership of files
+    if getent group ossec > /dev/null 2>&1; then
+        find ${DIR}/ -group ossec -user root -exec chown root:wazuh {} \; > /dev/null 2>&1 || true
+        if getent passwd ossec > /dev/null 2>&1; then
+            find ${DIR}/ -group ossec -user ossec -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+            deluser ossec > /dev/null 2>&1
+        fi
+        if getent passwd ossecm > /dev/null 2>&1; then
+            find ${DIR}/ -group ossec -user ossecm -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+            deluser ossecm > /dev/null 2>&1
+        fi
+        if getent passwd ossecr > /dev/null 2>&1; then
+            find ${DIR}/ -group ossec -user ossecr -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+            deluser ossecr > /dev/null 2>&1
+        fi
+        if getent group ossec > /dev/null 2>&1; then
+            delgroup ossec > /dev/null 2>&1
+        fi
+    fi
+
+    find ${DIR} -nogroup -exec chgrp ${GROUP} {} \; > /dev/null 2>&1
+    find ${DIR} -nouser -exec chown ${USER} {} \; > /dev/null 2>&1
+
+    if [ ! -z "$2" ]; then
+        if [ -f ${WAZUH_TMP_DIR}/wazuh.restart ] ; then
+            if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1; then
+                systemctl daemon-reload > /dev/null 2>&1
+                systemctl restart wazuh-agent.service > /dev/null 2>&1
+            elif command -v service > /dev/null 2>&1 ; then
+                service wazuh-agent restart > /dev/null 2>&1
+            else
+                ${DIR}/bin/wazuh-control restart > /dev/null 2>&1
+            fi
+        fi
+    fi
+
+    #Delete obsolete files
+    if [ -f /etc/ossec-init.conf ]; then
+        rm -f /etc/ossec-init.conf
+    fi
+
+    # Delete installation scripts
+    if [ -d ${SCRIPTS_DIR} ]; then
+        rm -rf ${SCRIPTS_DIR}
+    fi
+
+    # Delete tmp directory
+    if [ -d ${WAZUH_TMP_DIR} ]; then
+        rm -rf ${WAZUH_TMP_DIR}
+    fi
+
+    # If the parent directory is empty, delete it
+    if [ -z "$(ls -A ${WAZUH_GLOBAL_TMP_DIR})" ]; then
+        rm -rf ${WAZUH_GLOBAL_TMP_DIR}
+    fi
+
+    ;;
+
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >2
+        exit 1
+    ;;
+
+esac
+
+exit 0
diff --git a/packages/debs/SPECS/wazuh_agent/debian/postrm b/packages/debs/SPECS/wazuh_agent/debian/postrm
new file mode 100644
index 0000000000..8404ffdbbf
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/postrm
@@ -0,0 +1,109 @@
+#!/bin/sh
+# postrm script for wazuh-agent
+# Wazuh, Inc 2015
+
+set -e
+
+DIR="/var/ossec"
+WAZUH_TMP_DIR="${DIR}/packages_files/agent_config_files"
+
+case "$1" in
+    remove|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+        if [ -d ${WAZUH_TMP_DIR} ]; then
+            rm -rf ${WAZUH_TMP_DIR}
+        fi
+
+        # Back up the old configuration files as .save
+        if [ ! -d ${DIR}/etc ]; then
+            mkdir -p ${DIR}/etc
+        fi
+
+        # If the directory is not empty, copy the files into ${DIR}/etc
+        if ls -A ${DIR}/tmp/conffiles > /dev/null 2>&1 ; then
+            mv ${DIR}/tmp/conffiles/* ${DIR}/etc
+        fi
+        rm -rf ${DIR}/tmp
+        if [ "$1" = "remove" ]; then
+            rm -rf ${DIR}/ruleset
+            rm -rf ${DIR}/var
+            rm -rf ${DIR}/logs
+            rm -rf ${DIR}/queue
+            rm -rf ${DIR}/etc/shared
+        fi
+
+        # Delete old .save
+        find ${DIR}/etc/ -type f  -name "*save" -exec rm -f {} \;
+
+        # Rename the files
+        find ${DIR}/etc/ -type f -exec mv {} {}.save \;
+
+        ;;
+
+        purge)
+
+        if getent passwd wazuh >/dev/null 2>&1; then
+            deluser wazuh > /dev/null 2>&1
+        fi
+        if getent group wazuh >/dev/null 2>&1; then
+            delgroup wazuh > /dev/null 2>&1
+        fi
+        rm -rf ${DIR}/*
+
+    ;;
+
+    upgrade)
+        # If the upgrade downgrades to earlier versions, restore ownership
+        if command -v ${DIR}/bin/ossec-control > /dev/null 2>&1; then
+
+            OSMYSHELL="/sbin/nologin"
+
+            if [ -d ${DIR}/logs/wazuh ]; then
+                mv ${DIR}/logs/wazuh ${DIR}/logs/ossec
+            fi
+
+            if [ -d ${DIR}/queue/sockets ]; then
+                mv ${DIR}/queue/sockets ${DIR}/queue/ossec
+            fi
+
+            if [ -f ${DIR}/queue/sockets/.agent_info ]; then
+                mv ${DIR}/queue/sockets/.agent_info ${DIR}/queue/ossec/
+            fi
+
+            rm -rf ${DIR}/queue/sockets > /dev/null 2>&1
+
+            if ! getent group ossec > /dev/null 2>&1; then
+                addgroup --system ossec > /dev/null 2>&1
+            fi
+
+            if ! getent passwd ossec > /dev/null 2>&1; then
+                adduser --system --home /var/ossec --shell ${OSMYSHELL} --ingroup ossec ossec > /dev/null 2>&1
+            fi
+
+            # Set the correct permissions to orphaned files (not owned by root)
+            find ${DIR} ! -group root -exec chgrp ossec {} \; > /dev/null 2>&1
+            find ${DIR} ! -user root -exec chown ossec {} \; > /dev/null 2>&1
+
+            # delete wazuh user and group
+            if getent passwd wazuh > /dev/null 2>&1; then
+                deluser wazuh
+            fi
+
+            if getent group wazuh > /dev/null 2>&1; then
+                delgroup wazuh
+            fi
+        fi
+
+        exit 0
+
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+
+    ;;
+
+esac
+
+exit 0
diff --git a/packages/debs/SPECS/wazuh_agent/debian/preinst b/packages/debs/SPECS/wazuh_agent/debian/preinst
new file mode 100644
index 0000000000..1a67be6bab
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/preinst
@@ -0,0 +1,91 @@
+#!/bin/sh
+# preinst script for wazuh-agent
+
+set -e
+
+# configuration variables
+DIR="/var/ossec"
+WAZUH_TMP_DIR="${DIR}/packages_files/agent_config_files"
+
+# environment configuration
+if [ ! -d ${WAZUH_TMP_DIR} ]; then
+    mkdir -p ${WAZUH_TMP_DIR}
+else
+    rm -rf ${WAZUH_TMP_DIR}
+    mkdir -p ${WAZUH_TMP_DIR}
+fi
+
+case "$1" in
+    install|upgrade)
+
+        if [ "$1" = "upgrade" ]; then
+
+            if [ ! -d "$DIR" ]; then
+                echo "Error: Directory $DIR does not exist. Cannot perform upgrade" >&2
+                exit 1
+            fi
+
+            if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet wazuh-agent > /dev/null 2>&1; then
+                systemctl stop wazuh-agent.service > /dev/null 2>&1
+                touch ${WAZUH_TMP_DIR}/wazuh.restart
+            elif command -v service > /dev/null 2>&1 && service wazuh-agent status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+                service wazuh-agent stop > /dev/null 2>&1
+                touch ${WAZUH_TMP_DIR}/wazuh.restart
+            elif ${DIR}/bin/wazuh-control status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+                touch ${WAZUH_TMP_DIR}/wazuh.restart
+            elif ${DIR}/bin/ossec-control status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+                touch ${WAZUH_TMP_DIR}/wazuh.restart
+            fi
+            ${DIR}/bin/ossec-control stop > /dev/null 2>&1 || ${DIR}/bin/wazuh-control stop > /dev/null 2>&1
+            
+            if [ -d ${DIR}/logs/ossec ]; then
+                mv ${DIR}/logs/ossec ${DIR}/logs/wazuh
+            fi
+            
+            if [ -d ${DIR}/queue/ossec ]; then
+                mv ${DIR}/queue/ossec ${DIR}/queue/sockets
+            fi
+        fi
+
+        if [ ! -z "$2" ] && [ ! -f ${DIR}/etc/ossec.conf ] ; then
+            touch ${WAZUH_TMP_DIR}/create_conf
+        fi
+
+        # Delete old service
+        if [ -f /etc/init.d/ossec ]; then
+            rm /etc/init.d/ossec
+        fi
+        # back up the current user rules
+        if [ -f ${DIR}/etc/client.keys ]; then
+            cp ${DIR}/etc/client.keys ${WAZUH_TMP_DIR}/client.keys
+        fi
+        if [ -f ${DIR}/etc/local_internal_options.conf ]; then
+            cp -p ${DIR}/etc/local_internal_options.conf ${WAZUH_TMP_DIR}/local_internal_options.conf
+        fi
+        if [ -f ${DIR}/etc/ossec.conf ]; then
+            cp -p ${DIR}/etc/ossec.conf ${WAZUH_TMP_DIR}/ossec.conf
+        fi
+
+        if [ -d ${DIR}/etc/shared ]; then
+            files="$(ls -A ${DIR}/etc/shared/*)"
+        fi
+
+        if [ ! -z "$files" ]; then
+            mkdir -p ${WAZUH_TMP_DIR}/group
+            cp -rp ${DIR}/etc/shared/* ${WAZUH_TMP_DIR}/group/
+        fi
+    ;;
+
+    abort-upgrade)
+
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+
+    ;;
+
+esac
+
+exit 0
diff --git a/packages/debs/SPECS/wazuh_agent/debian/prerm b/packages/debs/SPECS/wazuh_agent/debian/prerm
new file mode 100644
index 0000000000..5ffd70b01c
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/prerm
@@ -0,0 +1,108 @@
+#!/bin/sh
+# prerm script for wazuh-manager
+
+set -e
+
+DIR="/var/ossec"
+
+case "$1" in
+    upgrade|deconfigure)
+
+      # Stop the services before uninstalling the package
+      if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet wazuh-agent > /dev/null 2>&1; then
+          systemctl stop wazuh-agent > /dev/null 2>&1
+      elif command -v service > /dev/null 2>&1 && service wazuh-agent status 2>/dev/null | grep "running" > /dev/null 2>&1; then
+          service wazuh-agent stop > /dev/null 2>&1
+      fi
+      ${DIR}/bin/wazuh-control stop > /dev/null 2>&1
+
+      # Process: wazuh-execd
+      if pgrep -f "wazuh-execd" > /dev/null 2>&1; then
+        kill -15 $(pgrep -f "wazuh-execd") > /dev/null 2>&1
+      fi
+
+      if pgrep -f "wazuh-execd" > /dev/null 2>&1; then
+        kill -9 $(pgrep -f "wazuh-execd") > /dev/null 2>&1
+      fi
+
+      # Process: wazuh-agentd
+      if pgrep -f "wazuh-agentd" > /dev/null 2>&1; then
+        kill -15 $(pgrep -f "wazuh-agentd") > /dev/null 2>&1
+      fi
+
+      if pgrep -f "wazuh-agentd" > /dev/null 2>&1; then
+        kill -9 $(pgrep -f "wazuh-agentd") > /dev/null 2>&1
+      fi
+
+      # Process: wazuh-syscheckd
+      if pgrep -f "wazuh-syscheckd" > /dev/null 2>&1; then
+        kill -15 $(pgrep -f "wazuh-syscheckd") > /dev/null 2>&1
+      fi
+
+      if pgrep -f "wazuh-syscheckd" > /dev/null 2>&1; then
+        kill -9 $(pgrep -f "wazuh-syscheckd") > /dev/null 2>&1
+      fi
+
+      # Process: wazuh-logcollector
+      if pgrep -f "wazuh-logcollector" > /dev/null 2>&1; then
+        kill -15 $(pgrep -f "wazuh-logcollector") > /dev/null 2>&1
+      fi
+
+      if pgrep -f "wazuh-logcollector" > /dev/null 2>&1; then
+        kill -9 $(pgrep -f "wazuh-logcollector") > /dev/null 2>&1
+      fi
+
+      # Process: wazuh-modulesd
+      if pgrep -f "wazuh-modulesd" > /dev/null 2>&1; then
+        kill -15 $(pgrep -f "wazuh-modulesd") > /dev/null 2>&1
+      fi
+
+      if pgrep -f "wazuh-modulesd" > /dev/null 2>&1; then
+        kill -9 $(pgrep -f "wazuh-modulesd") > /dev/null 2>&1
+      fi
+
+    ;;
+
+    remove)
+
+      # Stop the services before uninstalling the package
+      # Check for systemd
+      if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet wazuh-agent > /dev/null 2>&1; then
+          systemctl stop wazuh-agent > /dev/null 2>&1
+      # Check for SysV
+      elif command -v service > /dev/null 2>&1 && service wazuh-agent status 2>/dev/null | grep "running" > /dev/null 2>&1; then
+          service wazuh-agent stop > /dev/null 2>&1
+      fi
+      ${DIR}/bin/wazuh-control stop > /dev/null 2>&1
+
+      # Save the conffiles
+      mkdir -p ${DIR}/tmp/conffiles
+      # Save the client.keys
+      if [ -f ${DIR}/etc/client.keys ]; then
+        cp -p ${DIR}/etc/client.keys ${DIR}/tmp/conffiles
+      fi
+      # Save the local_internal_options.conf
+      if [ -f ${DIR}/etc/local_internal_options.conf ]; then
+        cp -p ${DIR}/etc/local_internal_options.conf ${DIR}/tmp/conffiles
+      fi
+      # Save the ossec.conf
+      if [ -f ${DIR}/etc/ossec.conf ]; then
+        cp -p ${DIR}/etc/ossec.conf ${DIR}/tmp/conffiles
+      fi
+      
+    ;;
+
+    failed-upgrade)
+      if [ -f ${DIR}/bin/wazuh-control ]; then
+        ${DIR}/bin/wazuh-control stop > /dev/null 2>&1
+      fi
+    ;;
+
+    *)
+      echo "prerm called with unknown argument \`$1'" >&2
+      exit 1
+    ;;
+
+esac
+
+exit 0
diff --git a/packages/debs/SPECS/wazuh_agent/debian/rules b/packages/debs/SPECS/wazuh_agent/debian/rules
new file mode 100644
index 0000000000..b79b4ce99f
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/rules
@@ -0,0 +1,161 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+#
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+#
+# Modified to make a template file for a multi-binary package with separated
+# build-arch and build-indep targets  by Bill Allombert 2001
+
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE=1
+
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export TARGET_DIR=${CURDIR}/debian/wazuh-agent
+
+# Package build options
+export INSTALLATION_DIR="/var/ossec"
+export INSTALLATION_SCRIPTS_DIR="${INSTALLATION_DIR}/packages_files/agent_installation_scripts"
+export JOBS="5"
+export DEBUG_ENABLED="no"
+export PATH="${PATH}"
+export LD_LIBRARY_PATH=""
+
+%:
+	dh $@
+
+override_dh_shlibdeps:
+
+override_dh_auto_configure:
+
+override_dh_auto_install:
+
+override_dh_install:
+
+	rm -rf $(INSTALLATION_DIR)/
+
+	# Build the binaries
+	make -C src deps TARGET=agent
+	make -j$(JOBS) -C src/ TARGET=agent USE_SELINUX=yes DEBUG=$(DEBUG_ENABLED)
+
+	USER_LANGUAGE="en" \
+	USER_NO_STOP="y" \
+	USER_INSTALL_TYPE="agent" \
+	USER_DIR="$(INSTALLATION_DIR)" \
+	USER_DELETE_DIR="y" \
+	USER_ENABLE_ACTIVE_RESPONSE="y" \
+	USER_ENABLE_SYSCHECK="y" \
+	USER_ENABLE_ROOTCHECK="y" \
+	USER_ENABLE_OPENSCAP="y" \
+	USER_ENABLE_CISCAT="y" \
+	USER_ENABLE_SYSCOLLECTOR="y" \
+	USER_UPDATE="n" \
+	USER_AGENT_SERVER_IP="MANAGER_IP" \
+	USER_CA_STORE="/path/to/my_cert.pem" \
+	USER_AUTO_START="n" \
+	./install.sh
+
+	# Copying init.d script
+	mkdir -p ${TARGET_DIR}/etc/init.d/
+	sed -i "s:WAZUH_HOME_TMP:${INSTALLATION_DIR}:g" src/init/templates/ossec-hids-debian.init
+
+	cp src/init/templates/ossec-hids-debian.init ${TARGET_DIR}/etc/init.d/wazuh-agent
+
+	# Copying systemd file
+	mkdir -p ${TARGET_DIR}/usr/lib/systemd/system/
+	sed -i "s:WAZUH_HOME_TMP:${INSTALLATION_DIR}:g" src/init/templates/wazuh-agent.service
+	install -m 0644 src/init/templates/wazuh-agent.service ${TARGET_DIR}/usr/lib/systemd/system/
+
+	# Generating permission restoration file for postinstall
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)
+
+	# Remove preinstalled log files
+	rm -rf $(INSTALLATION_DIR)/logs/*.log
+	rm -rf $(INSTALLATION_DIR)/logs/*.json
+
+	# Clean the preinstalled configuration assesment files
+	rm -rf ${TARGET_DIR}$(INSTALLATION_DIR)/ruleset/sca
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_DIR)/ruleset/sca
+
+	./gen_permissions.sh $(INSTALLATION_DIR)/ ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/restore-permissions.sh
+
+	# Copying to target
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_DIR)/
+	cp -r $(INSTALLATION_DIR)/. $(TARGET_DIR)$(INSTALLATION_DIR)/
+
+	# Copying install scripts to /usr/share
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/
+	cp gen_ossec.sh ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/
+	cp add_localfiles.sh ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/
+
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/src
+	cp src/VERSION ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/src/
+	cp src/REVISION ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/src/
+
+	# Install configuration assesment files and files templates
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/applications
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/generic
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/7
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/8
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/9
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/10
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/11
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/12
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/12/04
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/14/04
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/16/04
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/18/04
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/20/04
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/22/04
+
+	cp -r ruleset/sca/* ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca
+
+	cp etc/templates/config/generic/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/generic
+	cp etc/templates/config/generic/sca.manager.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/generic
+
+	cp etc/templates/config/debian/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian
+	cp etc/templates/config/debian/7/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/7
+	cp etc/templates/config/debian/8/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/8
+	cp etc/templates/config/debian/9/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/9
+	cp etc/templates/config/debian/10/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/10
+	cp etc/templates/config/debian/11/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/11
+	cp etc/templates/config/debian/12/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/debian/12
+
+	cp etc/templates/config/ubuntu/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu
+	cp etc/templates/config/ubuntu/12/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/12/04
+	cp etc/templates/config/ubuntu/14/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/14/04
+	cp etc/templates/config/ubuntu/16/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/16/04
+	cp etc/templates/config/ubuntu/18/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/18/04
+	cp etc/templates/config/ubuntu/20/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/20/04
+	cp etc/templates/config/ubuntu/22/04/sca.files ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/sca/ubuntu/22/04
+
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/src/init
+	cp -r src/init/*  ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/src/init
+
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/generic
+	cp -r etc/templates/config/generic ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/
+
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/debian
+	cp -r etc/templates/config/debian ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/
+
+	mkdir -p ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/ubuntu
+	cp -r etc/templates/config/ubuntu ${TARGET_DIR}$(INSTALLATION_SCRIPTS_DIR)/etc/templates/config/
+
+	# Copying systemd file
+	mkdir -p ${TARGET_DIR}/etc/systemd/system/
+	sed -i "s:WAZUH_HOME_TMP:${INSTALLATION_DIR}:g" src/init/templates/wazuh-agent.service
+	cp src/init/templates/wazuh-agent.service ${TARGET_DIR}/etc/systemd/system/
+
+override_dh_auto_clean:
+	$(MAKE) -C src clean
+
+
+override_dh_strip:
+	dh_strip --no-automatic-dbgsym
+
+.PHONY: override_dh_install override_dh_strip override_dh_auto_clean override_dh_auto_build override_dh_auto_configure
diff --git a/packages/debs/SPECS/wazuh_agent/debian/source/format b/packages/debs/SPECS/wazuh_agent/debian/source/format
new file mode 100644
index 0000000000..163aaf8d82
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/packages/debs/SPECS/wazuh_agent/debian/templates b/packages/debs/SPECS/wazuh_agent/debian/templates
new file mode 100644
index 0000000000..3dbe63d83f
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/templates
@@ -0,0 +1,4 @@
+Template: wazuh-agent/server-ip
+Type: string
+Default: 127.0.0.1
+Description: OSSEC server IP address for this agent. This server is also known as Manager and will receive information from the agent. You need to specify the IP address, the hostname is not valid. The agent still needs to be registered and started manually.
diff --git a/packages/debs/SPECS/wazuh_agent/debian/wazuh_agent.lintian_overrides b/packages/debs/SPECS/wazuh_agent/debian/wazuh_agent.lintian_overrides
new file mode 100644
index 0000000000..e1233f34da
--- /dev/null
+++ b/packages/debs/SPECS/wazuh_agent/debian/wazuh_agent.lintian_overrides
@@ -0,0 +1,9 @@
+wazuh-agent: embedded-library
+wazuh-agent: embedded-zlib
+wazuh-agent: possible-gpl-code-linked-with-openssl
+wazuh-agent: new-package-should-close-itp-bug
+wazuh-agent: possibly-insecure-handling-of-tmp-files-in-maintainer-script
+wazuh-agent: non-standard-dir-in-var
+wazuh-agent: file-in-unusual-dir
+wazuh-agent: hardening-no-fortify-functions
+wazuh-agent: hardening-no-relro
diff --git a/packages/debs/amd64/agent/Dockerfile b/packages/debs/amd64/agent/Dockerfile
new file mode 100644
index 0000000000..6896f77636
--- /dev/null
+++ b/packages/debs/amd64/agent/Dockerfile
@@ -0,0 +1,44 @@
+FROM debian:7
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Installing necessary packages
+RUN echo "deb http://archive.debian.org/debian/ wheezy contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb-src http://archive.debian.org/debian/ wheezy contrib main non-free" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install -y --force-yes apt-utils && \
+    apt-get install -y --force-yes \
+    curl gcc make sudo wget expect gnupg perl-base=5.14.2-21+deb7u3 perl \
+    libc-bin=2.13-38+deb7u10 libc6=2.13-38+deb7u10 libc6-dev build-essential \
+    cdbs devscripts equivs automake autoconf libtool libaudit-dev selinux-basics \
+    libdb5.1=5.1.29-5 libdb5.1-dev libssl1.0.0=1.0.1e-2+deb7u20 procps gawk libsigsegv2
+
+RUN apt-get update && apt-get build-dep python3.2 -y --force-yes
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ --disable-multilib \
+        --disable-libsanitizer && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64:${LD_LIBRARY_PATH}"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl CXX=/usr/local/gcc-9.4.0/bin/g++ \
+        CC=/usr/local/gcc-9.4.0/bin/gcc && \
+    make -j$(nproc) && make install && ln -s /usr/local/bin/cmake /usr/bin/cmake && \
+    cd / && rm -rf cmake-*
+
+# Add the script and helper_funcitons to build the Debian package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+ADD gen_permissions.sh /tmp/gen_permissions.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/debs/arm64/agent/Dockerfile b/packages/debs/arm64/agent/Dockerfile
new file mode 100644
index 0000000000..a79811426b
--- /dev/null
+++ b/packages/debs/arm64/agent/Dockerfile
@@ -0,0 +1,47 @@
+FROM arm64v8/debian:stretch
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Installing necessary packages
+RUN echo "deb http://archive.debian.org/debian stretch contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list && \
+    echo "deb-src http://archive.debian.org/debian stretch main" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install -y --allow-change-held-packages apt apt-utils  \
+    curl gcc g++ make sudo expect gnupg \
+    perl-base perl wget libc-bin libc6 libc6-dev \
+    build-essential cdbs devscripts equivs automake \
+    autoconf libtool libaudit-dev selinux-basics \
+    libdb5.3 libdb5.3 libssl1.0.2 gawk libsigsegv2
+
+# Add Debian's source repository and, Install NodeJS 12
+RUN apt-get update &&  apt-get build-dep python3.5 -y --allow-change-held-packages
+RUN curl -sL https://deb.nodesource.com/setup_12.x | bash - && \
+    apt-get install --allow-change-held-packages -y nodejs
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ --disable-multilib \
+        --disable-libsanitizer && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl && \
+    make -j$(nproc) && make install && ln -s /usr/local/bin/cmake /usr/bin/cmake && \
+    cd / && rm -rf cmake-*
+
+# Add the script to build the Debian package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+ADD gen_permissions.sh /tmp/gen_permissions.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/debs/armhf/agent/Dockerfile b/packages/debs/armhf/agent/Dockerfile
new file mode 100644
index 0000000000..a27b9d1347
--- /dev/null
+++ b/packages/debs/armhf/agent/Dockerfile
@@ -0,0 +1,48 @@
+FROM arm32v7/debian:stretch
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Installing necessary packages
+RUN echo "deb http://archive.debian.org/debian stretch contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list && \
+    echo "deb-src http://archive.debian.org/debian stretch main" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install -y --allow-change-held-packages apt-utils \
+    curl gcc make wget sudo expect gnupg perl-base \
+    perl libc-bin libc6 libc6-dev \
+    build-essential cdbs devscripts equivs automake autoconf libtool \
+    libaudit-dev selinux-basics util-linux libdb5.1 \
+    libssl1.1 libssl-dev gawk libsigsegv2 procps libc6-armel-cross g++
+
+# Add Debian's source repository and, Install NodeJS 12
+RUN apt-get build-dep python3.5 -y --allow-change-held-packages
+RUN curl -sL https://deb.nodesource.com/setup_12.x | bash - && \
+    apt-get install -y --allow-change-held-packages nodejs
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    linux32 ./contrib/download_prerequisites && \
+    linux32 ./configure --prefix=/usr/local/gcc-9.4.0 --with-arch=armv7-a \
+        --with-fpu=vfpv3-d16 --with-float=hard --enable-languages=c,c++ \
+       --disable-multilib --disable-libsanitizer && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxvf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    linux32 ./bootstrap --no-system-curl && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -s /usr/local/bin/cmake /usr/bin/cmake && cd / && rm -rf cmake-*
+
+# Add the script to build the Debian package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+ADD gen_permissions.sh /tmp/gen_permissions.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/debs/i386/agent/Dockerfile b/packages/debs/i386/agent/Dockerfile
new file mode 100644
index 0000000000..4e45fa3b04
--- /dev/null
+++ b/packages/debs/i386/agent/Dockerfile
@@ -0,0 +1,47 @@
+FROM i386/debian:7
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Installing necessary packages
+RUN echo "deb http://archive.debian.org/debian/ wheezy contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb-src http://archive.debian.org/debian/ wheezy contrib main non-free" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install -y --force-yes apt-utils && \
+    apt-get install -y --force-yes \
+    curl gcc-multilib make wget sudo expect gnupg perl-base=5.14.2-21+deb7u3 \
+    perl libc-bin=2.13-38+deb7u10 libc6=2.13-38+deb7u10 libc6-dev \
+    build-essential cdbs devscripts equivs automake autoconf libtool \
+    libaudit-dev selinux-basics util-linux libdb5.1=5.1.29-5 libdb5.1-dev \
+    libssl1.0.0=1.0.1e-2+deb7u20 gawk libsigsegv2 procps
+
+# Add Debian's source repository
+RUN apt-get update && apt-get build-dep python3.2 -y --force-yes
+RUN sed -i "s;/\* To add :#define SO_REUSEPORT 15 \*/;#define SO_REUSEPORT 15;g" /usr/include/asm-generic/socket.h
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    linux32 ./contrib/download_prerequisites && \
+    linux32 ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ \
+        --disable-multilib --disable-libsanitizer && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib:${LD_LIBRARY_PATH}"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxvf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    linux32 ./bootstrap --no-system-curl CXX=/usr/local/gcc-9.4.0/bin/g++ \
+        CC=/usr/local/gcc-9.4.0/bin/gcc && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -s /usr/local/bin/cmake /usr/bin/cmake && cd / && rm -rf cmake-*
+
+# Add the script to build the Debian package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+ADD gen_permissions.sh /tmp/gen_permissions.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/debs/ppc64le/agent/Dockerfile b/packages/debs/ppc64le/agent/Dockerfile
new file mode 100644
index 0000000000..a611151b9d
--- /dev/null
+++ b/packages/debs/ppc64le/agent/Dockerfile
@@ -0,0 +1,47 @@
+FROM ppc64le/debian:stretch
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get -v
+
+# Installing necessary packages
+RUN echo "deb http://archive.debian.org/debian stretch contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list && \
+    echo "deb-src http://archive.debian.org/debian stretch main" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install -y --allow-change-held-packages apt-utils && \
+    apt-get install -y --allow-change-held-packages \
+    curl gcc make sudo expect gnupg perl-base perl wget \
+    libc-bin libc6 libc6-dev build-essential \
+    cdbs devscripts equivs automake autoconf libtool libaudit-dev selinux-basics \
+    libdb5.3 libdb5.3 libssl1.0.2 gawk libsigsegv2
+
+RUN apt-get update && apt-get build-dep python3.5 -y --allow-change-held-packages
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ --disable-multilib \
+        --disable-libsanitizer && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64:${LD_LIBRARY_PATH}"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl CXX=/usr/local/gcc-9.4.0/bin/g++ \
+        CC=/usr/local/gcc-9.4.0/bin/gcc && \
+    make -j$(nproc) && make install && ln -s /usr/local/bin/cmake /usr/bin/cmake && \
+    cd / && rm -rf cmake-*
+
+# Add the script to build the Debian package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+ADD gen_permissions.sh /tmp/gen_permissions.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/debs/utils/gen_permissions.sh b/packages/debs/utils/gen_permissions.sh
new file mode 100755
index 0000000000..d2dc055ae2
--- /dev/null
+++ b/packages/debs/utils/gen_permissions.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env /bin/bash
+#
+# Wazuh restore permissions script generator (ver 0.1)
+# Copyright (C) 2019 Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+#
+# This scripts take 2 parameters, source_dir and target_dir
+# Remember: you must use gawk, be careful mawk is not compatible
+#
+# Usage: ./gen_permissions.sh /var/ossec/ ~/restore_permissions.sh
+
+set -euo pipefail
+
+find $1 -depth -printf '%m:%u:%g:%p\0' | awk -v RS='\0' -F: '
+BEGIN {
+    print "#!/bin/sh";
+    q = "\047";
+}
+{
+    gsub(q, q q "\\" q);
+    f = $0;
+    sub(/^[^:]*:[^:]*:[^:]*:/, "", f);
+    print "chown --", q $2 ":" $3 q, q f q, " > /dev/null 2>&1 || :";
+    print "chmod", $1, q f q, " > /dev/null 2>&1 || :";
+}' > $2
+chmod +x $2
diff --git a/packages/debs/utils/helper_function.sh b/packages/debs/utils/helper_function.sh
new file mode 100644
index 0000000000..02988d82d7
--- /dev/null
+++ b/packages/debs/utils/helper_function.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# DEB helper functions
+
+# Wazuh package builder
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+
+setup_build(){
+    sources_dir="$1"
+    specs_path="$2"
+    build_dir="$3"
+    package_name="$4"
+    debug="$5"
+
+    cp -pr ${specs_path}/wazuh-${BUILD_TARGET}/debian ${sources_dir}/debian
+    cp -p /tmp/gen_permissions.sh ${sources_dir}
+
+    # Generating directory structure to build the .deb package
+    cd ${build_dir}/${BUILD_TARGET} && tar -czf ${package_name}.orig.tar.gz "${package_name}"
+
+    # Configure the package with the different parameters
+    sed -i "s:RELEASE:${REVISION}:g" ${sources_dir}/debian/changelog
+    sed -i "s:export JOBS=.*:export JOBS=${JOBS}:g" ${sources_dir}/debian/rules
+    sed -i "s:export DEBUG_ENABLED=.*:export DEBUG_ENABLED=${debug}:g" ${sources_dir}/debian/rules
+    sed -i "s#export PATH=.*#export PATH=/usr/local/gcc-5.5.0/bin:${PATH}#g" ${sources_dir}/debian/rules
+    sed -i "s#export LD_LIBRARY_PATH=.*#export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}#g" ${sources_dir}/debian/rules
+    sed -i "s:export INSTALLATION_DIR=.*:export INSTALLATION_DIR=${INSTALLATION_PATH}:g" ${sources_dir}/debian/rules
+    sed -i "s:DIR=\"/var/ossec\":DIR=\"${INSTALLATION_PATH}\":g" ${sources_dir}/debian/{preinst,postinst,prerm,postrm}
+}
+
+set_debug(){
+    local debug="$1"
+    local sources_dir="$2"
+    if [[ "${debug}" == "yes" ]]; then
+        sed -i "s:dh_strip --no-automatic-dbgsym::g" ${sources_dir}/debian/rules
+    fi
+}
+
+build_deps(){
+    mk-build-deps -ir -t "apt-get -o Debug::pkgProblemResolver=yes -y"
+}
+
+build_package(){
+
+    if [[ "${ARCHITECTURE_TARGET}" == "amd64" ]] ||  [[ "${ARCHITECTURE_TARGET}" == "ppc64le" ]] || \
+        [[ "${ARCHITECTURE_TARGET}" == "arm64" ]]; then
+        debuild --rootcmd=sudo -b -uc -us -nc
+    elif [[ "${ARCHITECTURE_TARGET}" == "armhf" ]]; then
+        linux32 debuild --rootcmd=sudo -b -uc -us -nc
+    else
+        linux32 debuild --rootcmd=sudo -ai386 -b -uc -us -nc
+    fi
+    return $?
+}
+
+get_package_and_checksum(){
+    wazuh_version="$1"
+    short_commit_hash="$2"
+    base_name="wazuh-${BUILD_TARGET}_${wazuh_version}-${REVISION}"
+
+    if [[ "${ARCHITECTURE_TARGET}" == "ppc64le" ]]; then
+        deb_file="${base_name}_ppc64el.deb"
+    else
+        deb_file="${base_name}_${ARCHITECTURE_TARGET}.deb"
+    fi
+
+    if [[ "${IS_STAGE}" == "no" ]]; then
+        deb_file="$(sed "s/\.deb/_${short_commit_hash}&/" <<< "$deb_file")"
+    fi
+
+    pkg_path="${build_dir}/${BUILD_TARGET}"
+    if [[ "${checksum}" == "yes" ]]; then
+        cd ${pkg_path} && sha512sum wazuh-${BUILD_TARGET}*deb > /var/local/wazuh/${deb_file}.sha512
+    fi
+
+    find ${pkg_path} -type f -name "wazuh-${BUILD_TARGET}*deb" -exec mv {} /var/local/wazuh/${deb_file} \;
+}
diff --git a/packages/generate_package.sh b/packages/generate_package.sh
new file mode 100755
index 0000000000..a633688c2b
--- /dev/null
+++ b/packages/generate_package.sh
@@ -0,0 +1,264 @@
+#!/bin/bash
+
+# Wazuh package generator
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+set -ex
+CURRENT_PATH="$( cd $(dirname $0) ; pwd -P )"
+WAZUH_PATH="$(cd $CURRENT_PATH/..; pwd -P)"
+ARCHITECTURE="amd64"
+SYSTEM="deb"
+OUTDIR="${CURRENT_PATH}/output/"
+BRANCH=""
+REVISION="0"
+TARGET="agent"
+JOBS="2"
+DEBUG="no"
+SRC="no"
+BUILD_DOCKER="yes"
+DOCKER_TAG="latest"
+INSTALLATION_PATH="/var/ossec"
+CHECKSUM="no"
+FUTURE="no"
+LEGACY="no"
+IS_STAGE="no"
+
+
+trap ctrl_c INT
+
+clean() {
+    exit_code=$1
+
+    # Clean the files
+    find "${DOCKERFILE_PATH}" \( -name '*.sh' -o -name '*.tar.gz' -o -name 'wazuh-*' \) ! -name 'docker_builder.sh' -exec rm -rf {} +
+
+    exit ${exit_code}
+}
+
+ctrl_c() {
+    clean 1
+}
+
+download_file() {
+    URL=$1
+    DESTDIR=$2
+    if command -v curl > /dev/null 2>&1 ; then
+        (cd ${DESTDIR} && curl -sO ${URL})
+    elif command -v wget > /dev/null 2>&1 ; then
+        wget ${URL} -P ${DESTDIR} -q
+    fi
+}
+
+build_pkg() {
+    if [ "$LEGACY" = "yes" ]; then
+        REVISION="${REVISION}.el5"
+        TAR_URL="https://packages-dev.wazuh.com/utils/centos-5-i386-build/centos-5-i386.tar.gz"
+        TAR_FILE="${CURRENT_PATH}/${SYSTEM}s/${ARCHITECTURE}/legacy/centos-5-i386.tar.gz"
+        if [ ! -f "$TAR_FILE" ]; then
+            download_file ${TAR_URL} "${CURRENT_PATH}/${SYSTEM}s/${ARCHITECTURE}/legacy"
+        fi
+        DOCKERFILE_PATH="${CURRENT_PATH}/${SYSTEM}s/${ARCHITECTURE}/legacy"
+        CONTAINER_NAME="pkg_${SYSTEM}_legacy_builder_${ARCHITECTURE}"
+        if [ "$SYSTEM" != "rpm" ]; then
+            echo "Legacy mode is only available for RPM packages."
+            clean 1
+        fi
+    else
+        CONTAINER_NAME="pkg_${SYSTEM}_${TARGET}_builder_${ARCHITECTURE}"
+        if [ "${ARCHITECTURE}" = "arm64" ] || [ "${ARCHITECTURE}" = "ppc64le" ]; then
+            DOCKERFILE_PATH="${CURRENT_PATH}/${SYSTEM}s/${ARCHITECTURE}"
+        else
+            DOCKERFILE_PATH="${CURRENT_PATH}/${SYSTEM}s/${ARCHITECTURE}/${TARGET}"
+        fi
+    fi
+
+    # Copy the necessary files
+    cp ${CURRENT_PATH}/build.sh ${DOCKERFILE_PATH}
+    cp ${CURRENT_PATH}/${SYSTEM}s/utils/* ${DOCKERFILE_PATH}
+
+    # Build the Docker image
+    if [[ ${BUILD_DOCKER} == "yes" ]]; then
+        docker build -t ${CONTAINER_NAME}:${DOCKER_TAG} ${DOCKERFILE_PATH} || return 1
+    fi
+
+    # Build the Debian package with a Docker container
+    docker run -t --rm -v ${OUTDIR}:/var/local/wazuh:Z \
+        -e SYSTEM="$SYSTEM" \
+        -e BUILD_TARGET="${TARGET}" \
+        -e ARCHITECTURE_TARGET="${ARCHITECTURE}" \
+        -e INSTALLATION_PATH="${INSTALLATION_PATH}" \
+        -e IS_STAGE="${IS_STAGE}" \
+        -e WAZUH_BRANCH="${BRANCH}" \
+        ${CUSTOM_CODE_VOL} \
+        ${CONTAINER_NAME}:${DOCKER_TAG} \
+        ${REVISION} ${JOBS} ${DEBUG} \
+        ${CHECKSUM} ${FUTURE} ${LEGACY} ${SRC}|| return 1
+
+    echo "Package $(ls -Art ${OUTDIR} | tail -n 1) added to ${OUTDIR}."
+
+    return 0
+}
+
+build() {
+    build_pkg  || return 1
+    return 0
+}
+
+help() {
+    set +x
+    echo
+    echo "Usage: $0 [OPTIONS]"
+    echo
+    echo "    -b, --branch <branch>      [Optional] Select Git branch."
+    echo "    -t, --target <target>      [Required] Target package to build: manager or agent."
+    echo "    -a, --architecture <arch>  [Optional] Target architecture of the package [amd64/i386/ppc64le/arm64/armhf]."
+    echo "    -j, --jobs <number>        [Optional] Change number of parallel jobs when compiling the manager or agent. By default: 2."
+    echo "    -r, --revision <rev>       [Optional] Package revision. By default: 0."
+    echo "    -s, --store <path>         [Optional] Set the destination path of package. By default, an output folder will be created."
+    echo "    -p, --path <path>          [Optional] Installation path for the package. By default: /var/ossec."
+    echo "    -d, --debug                [Optional] Build the binaries with debug symbols. By default: no."
+    echo "    -c, --checksum             [Optional] Generate checksum on the same directory than the package. By default: no."
+    echo "    -l, --legacy               [Optional only for RPM] Build package for CentOS 5."
+    echo "    --dont-build-docker        [Optional] Locally built docker image will be used instead of generating a new one."
+    echo "    --tag                      [Optional] Tag to use with the docker image."
+    echo "    --sources <path>           [Optional] Absolute path containing wazuh source code. This option will use local source code instead of downloading it from GitHub. By default use the script path."
+    echo "    --is_stage                 [Optional] Use release name in package."
+    echo "    --system                   [Optional] Select Package OS [rpm, deb]. By default is 'deb'."
+    echo "    --src                      [Optional] Generate the source package in the destination directory."
+    echo "    --future                   [Optional] Build test future package x.30.0 Used for development purposes."
+    echo "    -h, --help                 Show this help."
+    echo
+    exit $1
+}
+
+
+main() {
+    while [ -n "$1" ]
+    do
+        case "$1" in
+        "-b"|"--branch")
+            if [ -n "$2" ]; then
+                BRANCH="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-h"|"--help")
+            help 0
+            ;;
+        "-t"|"--target")
+            if [ -n "$2" ]; then
+                TARGET="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-a"|"--architecture")
+            if [ -n "$2" ]; then
+                ARCHITECTURE="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-l"|"--legacy")
+            LEGACY="yes"
+            shift 1
+            ;;
+        "-j"|"--jobs")
+            if [ -n "$2" ]; then
+                JOBS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-r"|"--revision")
+            if [ -n "$2" ]; then
+                REVISION="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-p"|"--path")
+            if [ -n "$2" ]; then
+                INSTALLATION_PATH="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-d"|"--debug")
+            DEBUG="yes"
+            shift 1
+            ;;
+        "-c"|"--checksum")
+            CHECKSUM="yes"
+            shift 1
+            ;;
+        "--dont-build-docker")
+            BUILD_DOCKER="no"
+            shift 1
+            ;;
+        "--tag")
+            if [ -n "$2" ]; then
+                DOCKER_TAG="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-s"|"--store")
+            if [ -n "$2" ]; then
+                OUTDIR="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--sources")
+            if [ -n "$2" ]; then
+               CUSTOM_CODE_VOL="-v $2:/wazuh-local-src:Z"
+               shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--future")
+            FUTURE="yes"
+            shift 1
+            ;;
+        "--is_stage")
+            IS_STAGE="yes"
+            shift 1
+            ;;
+        "--src")
+            SRC="yes"
+            shift 1
+            ;;
+        "--system")
+            SYSTEM="$2"
+            shift 2
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    if [ -z "${CUSTOM_CODE_VOL}" ]; then
+        CUSTOM_CODE_VOL="-v $WAZUH_PATH:/wazuh-local-src:Z"
+    fi
+
+    build && clean 0
+    clean 1
+}
+
+main "$@"
diff --git a/src/common/data_provider/include/data_provider.hpp b/packages/installers/win32/wazuh_installer.wxs
similarity index 100%
rename from src/common/data_provider/include/data_provider.hpp
rename to packages/installers/win32/wazuh_installer.wxs
diff --git a/packages/macos/entitlements.plist b/packages/macos/entitlements.plist
new file mode 100644
index 0000000000..a9cc91fdd4
--- /dev/null
+++ b/packages/macos/entitlements.plist
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+    <key>com.apple.security.personal-information.photos-library</key>
+    <true/>
+    <key>com.apple.security.personal-information.addressbook</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-only</key>
+    <true/>
+    <key>com.apple.security.files.downloads.read-only</key>
+    <true/>
+    <key>com.apple.security.assets.pictures.read-only</key>
+    <true/>
+    <key>com.apple.security.assets.music.read-only</key>
+    <true/>
+    <key>com.apple.security.assets.movies.read-only</key>
+    <true/>
+  </dict>
+</plist>
diff --git a/packages/macos/generate_wazuh_packages.sh b/packages/macos/generate_wazuh_packages.sh
new file mode 100755
index 0000000000..b7445a8a0f
--- /dev/null
+++ b/packages/macos/generate_wazuh_packages.sh
@@ -0,0 +1,453 @@
+#!/bin/bash
+set -ex
+# Program to build and package OSX wazuh-agent
+# Wazuh package generator
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+export PATH=/usr/local/bin:/Applications/CMake.app/Contents/bin:/opt/homebrew/bin:/opt/homebrew/sbin:$PATH
+CURRENT_PATH="$( cd $(dirname ${0}) ; pwd -P )"
+ARCH="intel64"
+WAZUH_SOURCE_REPOSITORY="https://github.com/wazuh/wazuh"
+INSTALLATION_PATH="/Library/Ossec"    # Installation path.
+VERSION=""                            # Default VERSION (branch/tag).
+REVISION="1"                          # Package revision.
+BRANCH_TAG=""                         # Branch that will be downloaded to build package.
+DESTINATION="${CURRENT_PATH}/output" # Where package will be stored.
+JOBS="2"                              # Compilation jobs.
+VERBOSE="no"                          # Enables the full log by using `set -exf`.
+DEBUG="no"                            # Enables debug symbols while compiling.
+CHECKSUM="no"                         # Enables the checksum generation.
+IS_STAGE="no"                         # Enables release package naming.
+MAKE_COMPILATION="yes"                # Set whether or not to compile the code
+CERT_APPLICATION_ID=""                # Apple Developer ID certificate to sign Apps and binaries.
+CERT_INSTALLER_ID=""                  # Apple Developer ID certificate to sign pkg.
+KEYCHAIN=""                           # Keychain where the Apple Developer ID certificate is.
+KC_PASS=""                            # Password of the keychain.
+NOTARIZE="no"                         # Notarize the package for macOS Catalina.
+DEVELOPER_ID=""                       # Apple Developer ID.
+ALTOOL_PASS=""                        # Temporary Application password for altool.
+TEAM_ID=""                            # Team ID of the Apple Developer ID.
+pkg_name=""
+notarization_path=""
+
+trap ctrl_c INT
+
+function clean_and_exit() {
+    exit_code=$1
+    rm -rf "${SOURCES_DIRECTORY}"
+    if [ -z "$BRANCH_TAG" ]; then
+        make -C $WAZUH_PATH/src clean clean-deps
+    fi
+    ${CURRENT_PATH}/uninstall.sh
+
+    exit ${exit_code}
+}
+
+function ctrl_c() {
+    clean_and_exit 1
+}
+
+
+function notarize_pkg() {
+
+    # Notarize the macOS package
+    sleep_time="120"
+    build_timestamp="$(date +"%m%d%Y%H%M%S")"
+    if [ "${NOTARIZE}" = "yes" ]; then
+
+        if sudo xcrun notarytool submit ${1} --apple-id "${DEVELOPER_ID}" --team-id "${TEAM_ID}" --password "${ALTOOL_PASS}" --wait ; then
+            echo "Package is notarized and ready to go."
+            echo "Adding the ticket to the package."
+            if xcrun stapler staple -v "${1}" ; then
+                echo "Ticket added. Ready to release the package."
+                mkdir -p "${DESTINATION}/" && cp "${1}" "${DESTINATION}/"
+                return 0
+            else
+                echo "Something went wrong while adding the package."
+                clean_and_exit 1
+            fi
+        else
+            echo "Error notarizing the package."
+            clean_and_exit 1
+        fi
+    fi
+
+    return 0
+}
+
+function sign_binaries() {
+    if [ ! -z "${KEYCHAIN}" ] && [ ! -z "${CERT_APPLICATION_ID}" ] ; then
+        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}" > /dev/null
+        # Sign every single binary in Wazuh's installation. This also includes library files.
+        for bin in $(find ${INSTALLATION_PATH} -exec file {} \; | grep bit | cut -d: -f1); do
+            codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements ${ENTITLEMENTS_PATH} --deep --timestamp  --options=runtime --verbose=4 "${bin}"
+        done
+        security -v lock-keychain "${KEYCHAIN}" > /dev/null
+    fi
+}
+
+function sign_pkg() {
+    if [ ! -z "${KEYCHAIN}" ] && [ ! -z "${CERT_INSTALLER_ID}" ] ; then
+        # Unlock the keychain to use the certificate
+        security -v unlock-keychain -p "${KC_PASS}" "${KEYCHAIN}"  > /dev/null
+
+        # Sign the package
+        productsign --sign "${CERT_INSTALLER_ID}" --timestamp ${DESTINATION}/${pkg_name} ${DESTINATION}/${pkg_name}.signed
+        mv ${DESTINATION}/${pkg_name}.signed ${DESTINATION}/${pkg_name}
+
+        security -v lock-keychain "${KEYCHAIN}" > /dev/null
+    fi
+}
+
+function get_pkgproj_specs() {
+
+    VERSION="$1"
+    pkg_final_name="$2"
+
+    pkg_file="${WAZUH_PACKAGES_PATH}/specs/wazuh_agent_${ARCH}.pkgproj"
+
+    if [ ! -f "${pkg_file}" ]; then
+        echo "Warning: the file ${pkg_file} does not exists. Check the version selected."
+        exit 1
+    else
+        echo "Modifiying ${pkg_file} to match revision."
+        sed -i -e "s:>.*${VERSION}-.*<:>${pkg_final_name}<:g" "${pkg_file}"
+        cp "${pkg_file}" "${AGENT_PKG_FILE}"
+    fi
+
+    return 0
+}
+
+function build_package() {
+
+    # Download source code
+    if [ -n "$BRANCH_TAG" ]; then
+        SOURCES_DIRECTORY="${CURRENT_PATH}/repository"
+        WAZUH_PATH="${SOURCES_DIRECTORY}/wazuh"
+        git clone --depth=1 -b ${BRANCH_TAG} ${WAZUH_SOURCE_REPOSITORY} "${WAZUH_PATH}"
+    else
+        WAZUH_PATH="${CURRENT_PATH}/../.."
+    fi
+    short_commit_hash="$(cd "${WAZUH_PATH}" && git rev-parse --short HEAD)"
+
+    export CONFIG="${WAZUH_PATH}/etc/preloaded-vars.conf"
+    WAZUH_PACKAGES_PATH="${WAZUH_PATH}/packages/macos"
+    AGENT_PKG_FILE="${WAZUH_PACKAGES_PATH}/package_files/wazuh_agent_${ARCH}.pkgproj"
+    ENTITLEMENTS_PATH="${WAZUH_PACKAGES_PATH}/entitlements.plist"
+
+    VERSION=$(cat ${WAZUH_PATH}/src/VERSION | cut -d "-" -f1 | cut -c 2-)
+
+    # Define output package name
+    if [ $IS_STAGE == "no" ]; then
+        pkg_name="wazuh-agent_${VERSION}-${REVISION}_${ARCH}_${short_commit_hash}"
+    else
+        pkg_name="wazuh-agent-${VERSION}-${REVISION}.${ARCH}"
+    fi
+
+    get_pkgproj_specs $VERSION $pkg_name
+
+    if [ -d "${INSTALLATION_PATH}" ]; then
+
+        echo "\nThe wazuh agent is already installed on this machine."
+        echo "Removing it from the system."
+
+        ${CURRENT_PATH}/uninstall.sh
+    fi
+
+    ${WAZUH_PACKAGES_PATH}/package_files/build.sh "${INSTALLATION_PATH}" "${WAZUH_PATH}" ${JOBS} ${DEBUG} ${MAKE_COMPILATION}
+
+    # sign the binaries and the libraries
+    sign_binaries
+
+    # create package
+    if packagesbuild ${AGENT_PKG_FILE} --build-folder "${DESTINATION}/" ; then
+        echo "The wazuh agent package for macOS has been successfully built."
+        pkg_name+=".pkg"
+        sign_pkg
+        if [[ "${CHECKSUM}" == "yes" ]]; then
+            shasum -a512 "${DESTINATION}/${pkg_name}" > "${DESTINATION}/${pkg_name}.sha512"
+        fi
+        clean_and_exit 0
+    else
+        echo "ERROR: something went wrong while building the package."
+        clean_and_exit 1
+    fi
+}
+
+function help() {
+    set +x
+    echo "Usage: $0 [OPTIONS]"
+    echo
+    echo "  Build options:"
+    echo "    -a, --architecture <arch>     [Optional] Target architecture of the package [intel64/arm64]. By Default: intel64."
+    echo "    -b, --branch <branch>         [Optional] Select Git branch [${BRANCH}]."
+    echo "    -s, --store-path <path>       [Optional] Set the destination absolute path of package."
+    echo "    -j, --jobs <number>           [Optional] Number of parallel jobs when compiling."
+    echo "    -r, --revision <rev>          [Optional] Package revision that append to version e.g. x.x.x-rev"
+    echo "    -d, --debug                   [Optional] Build the binaries with debug symbols. By default: no."
+    echo "    -c, --checksum <path>         [Optional] Generate checksum on the desired path (by default, if no path is specified it will be generated on the same directory than the package)."
+    echo "    --is_stage                    [Optional] Use release name in package"
+    echo "    -nc, --not-compile            [Optional] Set whether or not to compile the code."
+    echo "    -h, --help                    [  Util  ] Show this help."
+    echo "    -i, --install-deps            [  Util  ] Install build dependencies (Packages)."
+    echo "    -x, --install-xcode           [  Util  ] Install X-Code and brew. Can't be executed as root."
+    echo "    -v, --verbose                 [  Util  ] Show additional information during the package generation."
+    echo "  Signing options:"
+    echo "    --keychain                    [Optional] Keychain where the Certificates are installed."
+    echo "    --keychain-password           [Optional] Password of the keychain."
+    echo "    --application-certificate     [Optional] Apple Developer ID certificate name to sign Apps and binaries."
+    echo "    --installer-certificate       [Optional] Apple Developer ID certificate name to sign pkg."
+    echo "    --notarize                    [Optional] Notarize the package for its distribution on macOS."
+    echo "    --notarize-path <path>        [Optional] Path of the package to be notarized."
+    echo "    --developer-id                [Optional] Your Apple Developer ID."
+    echo "    --team-id                     [Optional] Your Apple Team ID."
+    echo "    --altool-password             [Optional] Temporary password to use altool from Xcode."
+    echo
+    exit "$1"
+}
+
+
+
+function testdep() {
+
+    if command -v packagesbuild ; then
+        return 0
+    else
+        echo "Error: packagesbuild not found. Download and install dependencies."
+        echo "Use $0 -i for install it."
+        exit 1
+    fi
+}
+
+function install_deps() {
+
+    # Install packagesbuild tool
+    curl -O http://s.sudre.free.fr/Software/files/Packages.dmg
+
+    hdiutil attach Packages.dmg
+
+    cd /Volumes/Packages*
+
+    if sudo installer -package *Packages.pkg -target / ; then
+        echo "Packagesbuild was correctly installed."
+    else
+        echo "Something went wrong installing packagesbuild."
+    fi
+
+    echo "Installing build dependencies for $(uname -m) architecture."
+    if [ "$(uname -m)" = "arm64" ]; then
+        brew install gcc binutils autoconf automake libtool cmake
+    else
+        brew install cmake
+    fi
+    exit 0
+}
+
+function install_xcode() {
+
+    # Install brew tool. Brew will install X-Code if it is not already installed in the host.
+    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+
+    exit 0
+}
+
+function check_root() {
+
+    if [[ $EUID -ne 0 ]]; then
+        echo "This script must be run as root"
+        echo
+        exit 1
+    fi
+}
+
+function main() {
+
+    BUILD="yes"
+    while [ -n "$1" ]
+    do
+        case "$1" in
+        "-a"|"--architecture")
+            if [ -n "$2" ]; then
+                ARCH="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-b"|"--branch")
+            if [ -n "$2" ]; then
+                BRANCH_TAG="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-s"|"--store-path")
+            if [ -n "$2" ]; then
+                DESTINATION="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-j"|"--jobs")
+            if [ -n "$2" ]; then
+                JOBS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-r"|"--revision")
+            if [ -n "$2" ]; then
+                REVISION="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-h"|"--help")
+            help 0
+            ;;
+        "-i"|"--install-deps")
+            install_deps
+            ;;
+        "-x"|"--install-xcode")
+            install_xcode
+            ;;
+        "-v"|"--verbose")
+            VERBOSE="yes"
+            shift 1
+            ;;
+        "-d"|"--debug")
+            DEBUG="yes"
+            shift 1
+            ;;
+        "-c"|"--checksum")
+            CHECKSUM="yes"
+            shift 1
+            ;;
+        "--is_stage")
+            IS_STAGE="yes"
+            shift 1
+            ;;
+        "-nc"|"--not-compile")
+            MAKE_COMPILATION="no"
+            shift 1
+            ;;
+        "--keychain")
+            if [ -n "$2" ]; then
+                KEYCHAIN="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--keychain-password")
+            if [ -n "$2" ]; then
+                KC_PASS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--application-certificate")
+            if [ -n "$2" ]; then
+                CERT_APPLICATION_ID="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--installer-certificate")
+            if [ -n "$2" ]; then
+                CERT_INSTALLER_ID="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--notarize")
+            NOTARIZE="yes"
+            shift 1
+            ;;
+        "--notarize-path")
+            if [ -n "$2" ]; then
+                notarization_path="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--developer-id")
+            if [ -n "$2" ]; then
+                DEVELOPER_ID="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--team-id")
+            if [ -n "$2" ]; then
+                TEAM_ID="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--altool-password")
+            if [ -n "$2" ]; then
+                ALTOOL_PASS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    if [ ${VERBOSE} = "yes" ]; then
+        set -exf
+    fi
+
+    testdep
+
+    if [ "${ARCH}" != "intel64" ] && [ "${ARCH}" != "arm64" ]; then
+        echo "Error: architecture not supported."
+        echo "Supported architectures: intel64, arm64"
+        exit 1
+    fi
+
+    if [[ "${BUILD}" != "no" ]]; then
+        check_root
+        build_package
+        "${CURRENT_PATH}/uninstall.sh"
+    fi
+
+    if [ "${NOTARIZE}" = "yes" ]; then
+        if [ "${BUILD}" = "yes" ]; then
+            notarization_path="${DESTINATION}/${pkg_name}"
+        fi
+        if [ -z "${notarization_path}" ]; then
+            echo "The path of the package to be notarized has not been specified."
+            help 1
+        fi
+        notarize_pkg "${notarization_path}"
+    fi
+
+    if [ "${BUILD}" = "no" ] && [ "${NOTARIZE}" = "no" ]; then
+        echo "The branch has not been specified and notarization has not been selected."
+        help 1
+    fi
+
+    return 0
+}
+
+main "$@"
diff --git a/packages/macos/package_files/build.sh b/packages/macos/package_files/build.sh
new file mode 100755
index 0000000000..1a910fe316
--- /dev/null
+++ b/packages/macos/package_files/build.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# Program to build OSX wazuh-agent
+# Wazuh package generator
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+set -exf
+DESTINATION_PATH=$1
+SOURCES_PATH=$2
+BUILD_JOBS=$3
+DEBUG=$4
+MAKE_COMPILATION=$5
+INSTALLATION_SCRIPTS_DIR=${DESTINATION_PATH}/packages_files/agent_installation_scripts
+
+function configure() {
+    echo USER_LANGUAGE="en" > ${CONFIG}
+    echo USER_NO_STOP="y" >> ${CONFIG}
+    echo USER_INSTALL_TYPE="agent" >> ${CONFIG}
+    echo USER_DIR="${DESTINATION_PATH}" >> ${CONFIG}
+    echo USER_DELETE_DIR="y" >> ${CONFIG}
+    echo USER_CLEANINSTALL="y" >> ${CONFIG}
+    echo USER_BINARYINSTALL="y" >> ${CONFIG}
+    echo USER_AGENT_SERVER_IP="MANAGER_IP" >> ${CONFIG}
+    echo USER_ENABLE_SYSCHECK="y" >> ${CONFIG}
+    echo USER_ENABLE_ROOTCHECK="y" >> ${CONFIG}
+    echo USER_ENABLE_OPENSCAP="n" >> ${CONFIG}
+    echo USER_ENABLE_CISCAT="n" >> ${CONFIG}
+    echo USER_ENABLE_ACTIVE_RESPONSE="y" >> ${CONFIG}
+    echo USER_CA_STORE="n" >> ${CONFIG}
+}
+
+function build() {
+
+    configure
+
+    if [ "${MAKE_COMPILATION}" == "yes" ]; then
+    make -C ${SOURCES_PATH}/src deps TARGET=agent
+
+    echo "Generating Wazuh executables"
+    make -j $BUILD_JOBS -C ${SOURCES_PATH}/src DYLD_FORCE_FLAT_NAMESPACE=1 DEBUG=$DEBUG TARGET=agent build
+    fi
+
+    echo "Running install script"
+    ${SOURCES_PATH}/install.sh
+
+    find ${DESTINATION_PATH}/ruleset/sca/ -type f -exec rm -f {} \;
+
+    # Add the auxiliar script used while installing the package
+    mkdir -p ${INSTALLATION_SCRIPTS_DIR}/
+    cp ${SOURCES_PATH}/gen_ossec.sh ${INSTALLATION_SCRIPTS_DIR}/
+    cp ${SOURCES_PATH}/add_localfiles.sh ${INSTALLATION_SCRIPTS_DIR}/
+
+    mkdir -p ${INSTALLATION_SCRIPTS_DIR}/src/init
+    mkdir -p ${INSTALLATION_SCRIPTS_DIR}/etc/templates/config/{generic,darwin}
+
+    cp -r ${SOURCES_PATH}/etc/templates/config/generic ${INSTALLATION_SCRIPTS_DIR}/etc/templates/config
+    cp -r ${SOURCES_PATH}/etc/templates/config/darwin ${INSTALLATION_SCRIPTS_DIR}/etc/templates/config
+
+    find ${SOURCES_PATH}/src/init/ -name *.sh -type f -exec install -m 0640 {} ${INSTALLATION_SCRIPTS_DIR}/src/init \;
+
+    mkdir -p ${INSTALLATION_SCRIPTS_DIR}/sca/generic
+    mkdir -p ${INSTALLATION_SCRIPTS_DIR}/sca/darwin/{15,16,17,18,20,21,22,23}
+
+    cp -r ${SOURCES_PATH}/ruleset/sca/darwin ${INSTALLATION_SCRIPTS_DIR}/sca
+    cp -r ${SOURCES_PATH}/ruleset/sca/generic ${INSTALLATION_SCRIPTS_DIR}/sca
+    cp ${SOURCES_PATH}/etc/templates/config/generic/sca.files ${INSTALLATION_SCRIPTS_DIR}/sca/generic/
+
+    for n in $(seq 15 23); do
+        cp ${SOURCES_PATH}/etc/templates/config/darwin/$n/sca.files ${INSTALLATION_SCRIPTS_DIR}/sca/darwin/$n/
+    done
+
+    cp ${SOURCES_PATH}/src/VERSION ${INSTALLATION_SCRIPTS_DIR}/src/
+    cp ${SOURCES_PATH}/src/REVISION ${INSTALLATION_SCRIPTS_DIR}/src/
+}
+
+build
diff --git a/packages/macos/package_files/introduction.txt b/packages/macos/package_files/introduction.txt
new file mode 100644
index 0000000000..c854daab99
--- /dev/null
+++ b/packages/macos/package_files/introduction.txt
@@ -0,0 +1,9 @@
+Welcome to the Wazuh Agent Installer. 
+
+Wazuh is a free, open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
+
+This package will install the Wazuh agent in your system.
+
+Check out our documentation to learn more about Wazuh, and join our community where our team and other users can help you.
+
+To continue, click Next. 
diff --git a/packages/macos/package_files/postinstall.sh b/packages/macos/package_files/postinstall.sh
new file mode 100755
index 0000000000..e19f92c76f
--- /dev/null
+++ b/packages/macos/package_files/postinstall.sh
@@ -0,0 +1,186 @@
+#! /bin/bash
+# By Spransy, Derek" <DSPRANS () emory ! edu> and Charlie Scott
+# Modified by Santiago Bassett (http://www.wazuh.com) - Feb 2016
+# alterations by bil hays 2013
+# -Switched to bash
+# -Added some sanity checks
+# -Added routine to find the first 3 contiguous UIDs above 100,
+#  starting at 600 puts this in user space
+# -Added lines to append the ossec users to the group ossec
+#  so the the list GroupMembership works properly
+GROUP="wazuh"
+USER="wazuh"
+DIR="/Library/Ossec"
+INSTALLATION_SCRIPTS_DIR="${DIR}/packages_files/agent_installation_scripts"
+SCA_BASE_DIR="${INSTALLATION_SCRIPTS_DIR}/sca"
+
+if [ -f "${DIR}/WAZUH_PKG_UPGRADE" ]; then
+    upgrade="true"
+fi
+
+if [ -f "${DIR}/WAZUH_PKG_UPGRADE" ]; then
+    rm -f ${DIR}/WAZUH_PKG_UPGRADE
+fi
+
+if [ -f "${DIR}/WAZUH_RESTART" ]; then
+    restart="true"
+fi
+
+if [ -f "${DIR}/WAZUH_RESTART" ]; then
+    rm -f ${DIR}/WAZUH_RESTART
+fi
+
+if [ -n "${upgrade}" ]; then
+    echo "Restoring configuration files from ${DIR}/config_files/ to ${DIR}/etc/"
+    rm -rf ${DIR}/etc/{ossec.conf,client.keys,local_internal_options.conf,shared}
+    cp -rf ${DIR}/config_files/{ossec.conf,client.keys,local_internal_options.conf,shared} ${DIR}/etc/
+    rm -rf ${DIR}/config_files/
+fi
+
+# Default for all directories
+echo "Seting permissions and ownership for directories and files"
+chmod -R 750 ${DIR}/
+chown -R root:${GROUP} ${DIR}/
+
+chown -R root:wheel ${DIR}/bin
+chown -R root:wheel ${DIR}/lib
+
+# To the ossec queue (default for agentd to read)
+chown -R ${USER}:${GROUP} ${DIR}/queue/{alerts,diff,sockets,rids}
+
+chmod -R 770 ${DIR}/queue/{alerts,sockets}
+chmod -R 750 ${DIR}/queue/{diff,sockets,rids}
+
+# For the logging user
+chmod 770 ${DIR}/logs
+chown -R ${USER}:${GROUP} ${DIR}/logs
+find ${DIR}/logs/ -type d -exec chmod 750 {} \;
+find ${DIR}/logs/ -type f -exec chmod 660 {} \;
+
+chown -R root:${GROUP} ${DIR}/tmp
+chmod 1750 ${DIR}/tmp
+
+chmod 770 ${DIR}/etc
+chown ${USER}:${GROUP} ${DIR}/etc
+chmod 640 ${DIR}/etc/internal_options.conf
+chown root:${GROUP} ${DIR}/etc/internal_options.conf
+chmod 640 ${DIR}/etc/local_internal_options.conf
+chown root:${GROUP} ${DIR}/etc/local_internal_options.conf
+chmod 640 ${DIR}/etc/client.keys
+chown root:${GROUP} ${DIR}/etc/client.keys
+chmod 640 ${DIR}/etc/localtime
+chmod 770 ${DIR}/etc/shared # ossec must be able to write to it
+chown -R root:${GROUP} ${DIR}/etc/shared
+find ${DIR}/etc/shared/ -type f -exec chmod 660 {} \;
+chown root:${GROUP} ${DIR}/etc/ossec.conf
+chmod 660 ${DIR}/etc/ossec.conf
+chown root:${GROUP} ${DIR}/etc/wpk_root.pem
+chmod 640 ${DIR}/etc/wpk_root.pem
+
+
+chmod 770 ${DIR}/.ssh
+
+# For the /var/run
+chmod -R 770 ${DIR}/var
+chown -R root:${GROUP} ${DIR}/var
+
+# Check if the distribution detection script exists
+if [ -f "${INSTALLATION_SCRIPTS_DIR}/src/init/dist-detect.sh" ]; then
+    echo "Running the dist-detect.sh script..."
+    . "${INSTALLATION_SCRIPTS_DIR}/src/init/dist-detect.sh"
+else
+    echo "Error: dist-detect.sh script not found."
+fi
+
+if [ -z "${upgrade}" ]; then
+    echo "Generating Wazuh configuration for a fresh installation."
+
+    if [ -f "${INSTALLATION_SCRIPTS_DIR}/gen_ossec.sh" ]; then
+        ${INSTALLATION_SCRIPTS_DIR}/gen_ossec.sh conf agent ${DIST_NAME} ${DIST_VER}.${DIST_SUBVER} ${DIR} > ${DIR}/etc/ossec.conf
+        chown root:wazuh ${DIR}/etc/ossec.conf
+        chmod 0640 ${DIR}/etc/ossec.conf
+    else
+        echo "Error: ${INSTALLATION_SCRIPTS_DIR}/gen_ossec.sh script not found."
+    fi
+fi
+
+SCA_DIR="${DIST_NAME}/${DIST_VER}"
+mkdir -p ${DIR}/ruleset/sca
+
+SCA_TMP_DIR="${SCA_BASE_DIR}/${SCA_DIR}"
+
+# Install the configuration files needed for this hosts
+echo "Installing SCA configuration files..."
+if [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}/sca.files" ]; then
+    SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}"
+elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/sca.files" ]; then
+    SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}"
+elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/sca.files" ]; then
+    SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}"
+else
+    SCA_TMP_DIR="${SCA_BASE_DIR}/generic"
+fi
+
+SCA_TMP_FILE="${SCA_TMP_DIR}/sca.files"
+
+if [ -r ${SCA_TMP_FILE} ]; then
+
+    rm -f ${DIR}/ruleset/sca/* || true
+
+    for sca_file in $(cat ${SCA_TMP_FILE}); do
+        mv ${SCA_BASE_DIR}/${sca_file} ${DIR}/ruleset/sca
+    done
+fi
+
+# Register and configure agent if Wazuh environment variables are defined
+if [ -z "${upgrade}" ]; then
+    echo "Running the register_configure_agent.sh script..."
+    if [ -f "${INSTALLATION_SCRIPTS_DIR}/src/init/register_configure_agent.sh" ]; then
+        ${INSTALLATION_SCRIPTS_DIR}/src/init/register_configure_agent.sh ${DIR} > /dev/null || :
+    else
+        echo "Error: ${INSTALLATION_SCRIPTS_DIR}/src/init/register_configure_agent.sh script not found."
+    fi
+fi
+
+# Remove backup file created in register_configure_agent step
+if [ -e ${DIR}/etc/ossec.confre ]; then
+    rm -f ${DIR}/etc/ossec.confre || true
+fi
+
+# Install the service
+echo "Running the darwin-init.sh script..."
+if [ -f "${INSTALLATION_SCRIPTS_DIR}/src/init/darwin-init.sh" ]; then
+    ${INSTALLATION_SCRIPTS_DIR}/src/init/darwin-init.sh ${DIR}
+else
+    echo "Error: ${INSTALLATION_SCRIPTS_DIR}/src/init/darwin-init.sh script not found."
+fi
+
+# Remove temporary directory
+echo "Removing temporary files..."
+rm -rf ${DIR}/packages_files
+
+# Remove old ossec user and group if exists and change ownwership of files
+
+if [[ $(dscl . -read /Groups/ossec) ]]; then
+    echo "Changing group from Ossec to Wazuh"
+    find ${DIR}/ -group ossec -user root -exec chown root:wazuh {} \ > /dev/null 2>&1 || true
+    if [[ $(dscl . -read /Users/ossec) ]]; then
+        echo "Changing user from Ossec to Wazuh"
+        find ${DIR}/ -group ossec -user ossec -exec chown wazuh:wazuh {} \ > /dev/null 2>&1 || true
+        echo "Removing Ossec user"
+        sudo /usr/bin/dscl . -delete "/Users/ossec"
+    fi
+    echo "Removing Ossec group"
+    sudo /usr/bin/dscl . -delete "/Groups/ossec"
+fi
+
+# Remove 4.1.5 patch
+if [ -f ${DIR}/queue/alerts/sockets ]; then
+    echo "Removing 4.1.5 patch file socket"
+    rm ${DIR}/queue/alerts/sockets
+fi
+
+if [ -n "${upgrade}" ] && [ -n "${restart}" ]; then
+    echo "Restarting Wazuh..."
+    ${DIR}/bin/wazuh-control restart
+fi
diff --git a/packages/macos/package_files/preinstall.sh b/packages/macos/package_files/preinstall.sh
new file mode 100755
index 0000000000..aaaaa1e77c
--- /dev/null
+++ b/packages/macos/package_files/preinstall.sh
@@ -0,0 +1,158 @@
+#! /bin/bash
+# By Spransy, Derek" <DSPRANS () emory ! edu> and Charlie Scott
+# Modified by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+#####
+# This checks for an error and exits with a custom message
+# Returns zero on success
+# $1 is the message
+# $2 is the error code
+
+DIR="/Library/Ossec"
+
+if [ -d "${DIR}" ]; then
+    echo "A Wazuh agent installation was found in ${DIR}. Will perform an upgrade."
+
+    if [ -f "${DIR}/WAZUH_PKG_UPGRADE" ]; then
+        rm -f "${DIR}/WAZUH_PKG_UPGRADE"
+    fi
+    if [ -f "${DIR}/WAZUH_RESTART" ]; then
+        rm -f "${DIR}/WAZUH_RESTART"
+    fi
+
+    touch "${DIR}/WAZUH_PKG_UPGRADE"
+    upgrade="true"
+
+    if ${DIR}/bin/wazuh-control status | grep "is running" > /dev/null 2>&1; then
+        touch "${DIR}/WAZUH_RESTART"
+        restart="true"
+    elif ${DIR}/bin/ossec-control status | grep "is running" > /dev/null 2>&1; then
+        touch "${DIR}/WAZUH_RESTART"
+        restart="true"
+    fi
+fi
+
+# Stops the agent before upgrading it
+echo "Stopping the agent before upgrading it."
+
+if [ -f ${DIR}/bin/wazuh-control ]; then
+    ${DIR}/bin/wazuh-control stop
+elif [ -f ${DIR}/bin/ossec-control ]; then
+    ${DIR}/bin/ossec-control stop
+fi
+
+if [ -n "${upgrade}" ]; then
+    echo "Backing up configuration files to ${DIR}/config_files/"
+    mkdir -p ${DIR}/config_files/
+    cp -r ${DIR}/etc/{ossec.conf,client.keys,local_internal_options.conf,shared} ${DIR}/config_files/
+
+    if [ -d ${DIR}/logs/ossec ]; then
+        echo "Renaming ${DIR}/logs/ossec to ${DIR}/logs/wazuh"
+        mv ${DIR}/logs/ossec ${DIR}/logs/wazuh
+    fi
+
+    if [ -d ${DIR}/queue/ossec ]; then
+        echo "Renaming ${DIR}/queue/ossec to ${DIR}/queue/sockets"
+        mv ${DIR}/queue/ossec ${DIR}/queue/sockets
+    fi
+fi
+
+if [ -n "${upgrade}" ]; then
+    if pkgutil --pkgs | grep -i wazuh-agent-etc > /dev/null 2>&1 ; then
+        echo "Removing previous package receipt for wazuh-agent-etc"
+        pkgutil --forget com.wazuh.pkg.wazuh-agent-etc
+    fi
+fi
+
+if [[ ! -f "/usr/bin/dscl" ]]
+    then
+    echo "Error: I couldn't find dscl, dying here";
+    exit
+fi
+
+DSCL="/usr/bin/dscl";
+
+function check_errm
+{
+    if  [[ ${?} != "0" ]]
+        then
+        echo "${1}";
+        exit ${2};
+        fi
+}
+
+# get unique id numbers (uid, gid) that are greater than 100
+echo "Getting unique id numbers (uid, gid)"
+unset -v i new_uid new_gid idvar;
+declare -i new_uid=0 new_gid=0 i=100 idvar=0;
+while [[ $idvar -eq 0 ]]; do
+    i=$[i+1]
+    if [[ -z "$(/usr/bin/dscl . -search /Users uid ${i})" ]] && [[ -z "$(/usr/bin/dscl . -search /Groups gid ${i})" ]];
+        then
+        echo "Found available UID and GID: $i"
+        new_uid=$i
+        new_gid=$i
+        idvar=1
+        #break
+   fi
+done
+
+echo "UID available for wazuh user is:";
+echo ${new_uid}
+
+# Verify that the uid and gid exist and match
+if [[ $new_uid -eq 0 ]] || [[ $new_gid -eq 0 ]];
+    then
+    echo "Getting unique id numbers (uid, gid) failed!";
+    exit 1;
+fi
+if [[ ${new_uid} != ${new_gid} ]]
+    then
+    echo "I failed to find matching free uid and gid!";
+    exit 5;
+fi
+
+# Stops the agent before upgrading it
+if [ -f ${DIR}/bin/wazuh-control ]; then
+    ${DIR}/bin/wazuh-control stop
+elif [ -f ${DIR}/bin/ossec-control ]; then
+    ${DIR}/bin/ossec-control stop
+fi
+
+# Creating the group
+echo "Checking group..."
+if [[ $(dscl . -read /Groups/wazuh) ]]
+    then
+    echo "wazuh group already exists.";
+else
+    sudo ${DSCL} localhost -create /Local/Default/Groups/wazuh
+    check_errm "Error creating group wazuh" "67"
+    sudo ${DSCL} localhost -createprop /Local/Default/Groups/wazuh PrimaryGroupID ${new_gid}
+    sudo ${DSCL} localhost -createprop /Local/Default/Groups/wazuh RealName wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Groups/wazuh RecordName wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Groups/wazuh RecordType: dsRecTypeStandard:Groups
+    sudo ${DSCL} localhost -createprop /Local/Default/Groups/wazuh Password "*"
+fi
+
+# Creating the user
+echo "Checking user..."
+if [[ $(dscl . -read /Users/wazuh) ]]
+    then
+    echo "wazuh user already exists.";
+else
+    sudo ${DSCL} localhost -create /Local/Default/Users/wazuh
+    check_errm "Error creating user wazuh" "77"
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh RecordName wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh RealName wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh UserShell /usr/bin/false
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh NFSHomeDirectory /var/wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh UniqueID ${new_uid}
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh PrimaryGroupID ${new_gid}
+    sudo ${DSCL} localhost -append /Local/Default/Groups/wazuh GroupMembership wazuh
+    sudo ${DSCL} localhost -createprop /Local/Default/Users/wazuh Password "*"
+fi
+
+#Hide the fixed users
+echo "Hiding the fixed wazuh user"
+dscl . create /Users/wazuh IsHidden 1
\ No newline at end of file
diff --git a/packages/macos/specs/wazuh_agent_arm64.pkgproj b/packages/macos/specs/wazuh_agent_arm64.pkgproj
new file mode 100644
index 0000000000..9c463b1a19
--- /dev/null
+++ b/packages/macos/specs/wazuh_agent_arm64.pkgproj
@@ -0,0 +1,1255 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PACKAGES</key>
+	<array>
+		<dict>
+			<key>MUST-CLOSE-APPLICATION-ITEMS</key>
+			<array/>
+			<key>MUST-CLOSE-APPLICATIONS</key>
+			<false/>
+			<key>PACKAGE_FILES</key>
+			<dict>
+				<key>DEFAULT_INSTALL_LOCATION</key>
+				<string>/</string>
+				<key>HIERARCHY</key>
+				<dict>
+					<key>CHILDREN</key>
+					<array>
+						<dict>
+							<key>CHILDREN</key>
+							<array/>
+							<key>GID</key>
+							<integer>80</integer>
+							<key>PATH</key>
+							<string>Applications</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>509</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>CHILDREN</key>
+							<array>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>80</integer>
+									<key>PATH</key>
+									<string>Application Support</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Automator</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Documentation</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Extensions</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Filesystems</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Frameworks</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Input Methods</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Internet Plug-Ins</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>LaunchAgents</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>LaunchDaemons</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/.ssh</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>448</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/active-response</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/agentless</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/bin</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/internal_options.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/localtime</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/client.keys</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/local_internal_options.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/ossec.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/shared</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>504</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/wpk_root.pem</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+											</array>
+											<key>EXPANDED</key>
+											<true/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/etc</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>504</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/lib</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/logs</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/queue</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/tmp</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>1000</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/packages_files</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/var</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/wodles</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/ruleset</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+									</array>
+									<key>EXPANDED</key>
+									<true/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>/Library/Ossec</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>488</integer>
+									<key>TYPE</key>
+									<integer>3</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>PreferencePanes</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Preferences</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>80</integer>
+									<key>PATH</key>
+									<string>Printers</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>PrivilegedHelperTools</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>QuickLook</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>QuickTime</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Screen Savers</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Scripts</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Services</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Widgets</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+							</array>
+							<key>GID</key>
+							<integer>0</integer>
+							<key>PATH</key>
+							<string>Library</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>493</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>CHILDREN</key>
+							<array>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Shared</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>1023</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+							</array>
+							<key>GID</key>
+							<integer>80</integer>
+							<key>PATH</key>
+							<string>Users</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>493</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>GID</key>
+					<integer>0</integer>
+					<key>PATH</key>
+					<string>/</string>
+					<key>PATH_TYPE</key>
+					<integer>0</integer>
+					<key>PERMISSIONS</key>
+					<integer>493</integer>
+					<key>TYPE</key>
+					<integer>1</integer>
+					<key>UID</key>
+					<integer>0</integer>
+				</dict>
+				<key>PAYLOAD_TYPE</key>
+				<integer>0</integer>
+				<key>SHOW_INVISIBLE</key>
+				<false/>
+				<key>SPLIT_FORKS</key>
+				<true/>
+				<key>TREAT_MISSING_FILES_AS_WARNING</key>
+				<false/>
+				<key>VERSION</key>
+				<integer>4</integer>
+			</dict>
+			<key>PACKAGE_SCRIPTS</key>
+			<dict>
+				<key>POSTINSTALL_PATH</key>
+				<dict>
+					<key>PATH</key>
+					<string>postinstall.sh</string>
+					<key>PATH_TYPE</key>
+					<integer>1</integer>
+				</dict>
+				<key>PREINSTALL_PATH</key>
+				<dict>
+					<key>PATH</key>
+					<string>preinstall.sh</string>
+					<key>PATH_TYPE</key>
+					<integer>1</integer>
+				</dict>
+				<key>RESOURCES</key>
+				<array/>
+			</dict>
+			<key>PACKAGE_SETTINGS</key>
+			<dict>
+				<key>AUTHENTICATION</key>
+				<integer>1</integer>
+				<key>CONCLUSION_ACTION</key>
+				<integer>0</integer>
+				<key>FOLLOW_SYMBOLIC_LINKS</key>
+				<false/>
+				<key>IDENTIFIER</key>
+				<string>com.wazuh.pkg.wazuh-agent</string>
+				<key>LOCATION</key>
+				<integer>0</integer>
+				<key>NAME</key>
+				<string>agent</string>
+				<key>OVERWRITE_PERMISSIONS</key>
+				<false/>
+				<key>PAYLOAD_SIZE</key>
+				<integer>-1</integer>
+				<key>RELOCATABLE</key>
+				<false/>
+				<key>USE_HFS+_COMPRESSION</key>
+				<false/>
+				<key>VERSION</key>
+				<string>4.9.0-1</string>
+			</dict>
+			<key>TYPE</key>
+			<integer>0</integer>
+			<key>UUID</key>
+			<string>7BC88EDC-74AB-498A-992B-DE940686D898</string>
+		</dict>
+	</array>
+	<key>PROJECT</key>
+	<dict>
+		<key>PROJECT_COMMENTS</key>
+		<dict>
+			<key>NOTES</key>
+			<data>
+			PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1M
+			IDQuMDEvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvVFIvaHRtbDQv
+			c3RyaWN0LmR0ZCI+CjxodG1sPgo8aGVhZD4KPG1ldGEgaHR0cC1l
+			cXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7
+			IGNoYXJzZXQ9VVRGLTgiPgo8bWV0YSBodHRwLWVxdWl2PSJDb250
+			ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4KPHRp
+			dGxlPjwvdGl0bGU+CjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29u
+			dGVudD0iQ29jb2EgSFRNTCBXcml0ZXIiPgo8bWV0YSBuYW1lPSJD
+			b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjE1MDQuODMiPgo8c3R5bGUg
+			dHlwZT0idGV4dC9jc3MiPgo8L3N0eWxlPgo8L2hlYWQ+Cjxib2R5
+			Pgo8L2JvZHk+CjwvaHRtbD4K
+			</data>
+		</dict>
+		<key>PROJECT_PRESENTATION</key>
+		<dict>
+			<key>BACKGROUND</key>
+			<dict/>
+			<key>INSTALLATION TYPE</key>
+			<dict>
+				<key>HIERARCHIES</key>
+				<dict>
+					<key>INSTALLER</key>
+					<dict>
+						<key>LIST</key>
+						<array>
+							<dict>
+								<key>DESCRIPTION</key>
+								<array/>
+								<key>OPTIONS</key>
+								<dict>
+									<key>HIDDEN</key>
+									<false/>
+									<key>STATE</key>
+									<integer>0</integer>
+								</dict>
+								<key>PACKAGE_UUID</key>
+								<string>7BC88EDC-74AB-498A-992B-DE940686D898</string>
+								<key>REQUIREMENTS</key>
+								<array/>
+								<key>TITLE</key>
+								<array>
+									<dict>
+										<key>LANGUAGE</key>
+										<string>English</string>
+										<key>VALUE</key>
+										<string>Wazuh Agent</string>
+									</dict>
+								</array>
+								<key>TOOLTIP</key>
+								<array/>
+								<key>TYPE</key>
+								<integer>0</integer>
+								<key>UUID</key>
+								<string>B5127C49-7EF4-4B73-97D7-2819981073A4</string>
+							</dict>
+						</array>
+						<key>REMOVED</key>
+						<dict/>
+					</dict>
+				</dict>
+				<key>MODE</key>
+				<integer>0</integer>
+			</dict>
+			<key>INSTALLATION_STEPS</key>
+			<array>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewIntroductionController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Introduction</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewReadMeController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>ReadMe</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewLicenseController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>License</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewDestinationSelectController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>TargetSelect</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewInstallationTypeController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>PackageSelection</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewInstallationController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Install</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewSummaryController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Summary</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+			</array>
+			<key>INTRODUCTION</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array>
+					<dict>
+						<key>LANGUAGE</key>
+						<string>English</string>
+						<key>VALUE</key>
+						<dict>
+							<key>PATH</key>
+							<string>introduction.txt</string>
+							<key>PATH_TYPE</key>
+							<integer>1</integer>
+						</dict>
+					</dict>
+				</array>
+			</dict>
+			<key>LICENSE</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array/>
+				<key>MODE</key>
+				<integer>0</integer>
+			</dict>
+			<key>README</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array/>
+			</dict>
+			<key>TITLE</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array>
+					<dict>
+						<key>LANGUAGE</key>
+						<string>English</string>
+						<key>VALUE</key>
+						<string>Wazuh Agent</string>
+					</dict>
+				</array>
+			</dict>
+		</dict>
+		<key>PROJECT_REQUIREMENTS</key>
+		<dict>
+			<key>LIST</key>
+			<array>
+				<dict>
+					<key>BEHAVIOR</key>
+					<integer>3</integer>
+					<key>DICTIONARY</key>
+					<dict>
+						<key>IC_REQUIREMENT_CPU_ARCHITECTURE_FAMILY</key>
+						<integer>3</integer>
+						<key>IC_REQUIREMENT_CPU_INTEL_ARCHITECTURE_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_CPU_MINIMUM_CPU_CORES_COUNT</key>
+						<integer>1</integer>
+						<key>IC_REQUIREMENT_CPU_MINIMUM_FREQUENCY</key>
+						<integer>866666</integer>
+						<key>IC_REQUIREMENT_CPU_POWERPC_ARCHITECTURE_TYPE</key>
+						<integer>0</integer>
+					</dict>
+					<key>IC_REQUIREMENT_CHECK_TYPE</key>
+					<integer>0</integer>
+					<key>IDENTIFIER</key>
+					<string>fr.whitebox.Packages.requirement.cpu</string>
+					<key>MESSAGE</key>
+					<array>
+						<dict>
+							<key>LANGUAGE</key>
+							<string>English</string>
+							<key>SECONDARY_VALUE</key>
+							<string></string>
+							<key>VALUE</key>
+							<string>This installer has been built for Apple Silicon architecture. It won't install in other platforms.</string>
+						</dict>
+					</array>
+
+					<key>NAME</key>
+					<string>Processor</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>BEHAVIOR</key>
+					<integer>3</integer>
+					<key>DICTIONARY</key>
+					<dict>
+						<key>IC_REQUIREMENT_OS_DISK_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_DISTRIBUTION_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_MINIMUM_VERSION</key>
+						<integer>100800</integer>
+					</dict>
+					<key>IC_REQUIREMENT_CHECK_TYPE</key>
+					<integer>1</integer>
+					<key>IDENTIFIER</key>
+					<string>fr.whitebox.Packages.requirement.os</string>
+					<key>MESSAGE</key>
+					<array/>
+					<key>NAME</key>
+					<string>Operating System</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+			</array>
+			<key>RESOURCES</key>
+			<array/>
+			<key>ROOT_VOLUME_ONLY</key>
+			<true/>
+		</dict>
+		<key>PROJECT_SETTINGS</key>
+		<dict>
+			<key>BUILD_FORMAT</key>
+			<integer>0</integer>
+			<key>BUILD_PATH</key>
+			<dict>
+				<key>PATH</key>
+				<string>build</string>
+				<key>PATH_TYPE</key>
+				<integer>1</integer>
+			</dict>
+			<key>EXCLUDED_FILES</key>
+			<array>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.DS_Store</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove .DS_Store files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove ".DS_Store" files created by the Finder.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.pbdevelopment</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove .pbdevelopment files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove ".pbdevelopment" files created by ProjectBuilder or Xcode.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>CVS</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.cvsignore</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.cvspass</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.svn</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.git</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.gitignore</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove SCM metadata</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove helper files and folders used by the CVS, SVN or Git Source Code Management systems.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>classes.nib</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>designable.db</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>info.nib</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Optimize nib files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove "classes.nib", "info.nib" and "designable.nib" files within .nib bundles.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>Resources Disabled</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove Resources Disabled folders</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove "Resources Disabled" folders.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>SEPARATOR</key>
+					<true/>
+				</dict>
+			</array>
+			<key>NAME</key>
+			<string>wazuh-agent-4.9.0-1.arm64</string>
+			<key>PAYLOAD_ONLY</key>
+			<false/>
+			<key>TREAT_MISSING_PRESENTATION_DOCUMENTS_AS_WARNING</key>
+			<false/>
+		</dict>
+	</dict>
+	<key>TYPE</key>
+	<integer>0</integer>
+	<key>VERSION</key>
+	<integer>2</integer>
+</dict>
+</plist>
diff --git a/packages/macos/specs/wazuh_agent_intel64.pkgproj b/packages/macos/specs/wazuh_agent_intel64.pkgproj
new file mode 100644
index 0000000000..743fd71890
--- /dev/null
+++ b/packages/macos/specs/wazuh_agent_intel64.pkgproj
@@ -0,0 +1,1254 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PACKAGES</key>
+	<array>
+		<dict>
+			<key>MUST-CLOSE-APPLICATION-ITEMS</key>
+			<array/>
+			<key>MUST-CLOSE-APPLICATIONS</key>
+			<false/>
+			<key>PACKAGE_FILES</key>
+			<dict>
+				<key>DEFAULT_INSTALL_LOCATION</key>
+				<string>/</string>
+				<key>HIERARCHY</key>
+				<dict>
+					<key>CHILDREN</key>
+					<array>
+						<dict>
+							<key>CHILDREN</key>
+							<array/>
+							<key>GID</key>
+							<integer>80</integer>
+							<key>PATH</key>
+							<string>Applications</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>509</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>CHILDREN</key>
+							<array>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>80</integer>
+									<key>PATH</key>
+									<string>Application Support</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Automator</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Documentation</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Extensions</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Filesystems</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Frameworks</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Input Methods</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Internet Plug-Ins</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>LaunchAgents</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>LaunchDaemons</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/.ssh</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>448</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/active-response</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/agentless</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/bin</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/internal_options.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/localtime</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/client.keys</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/local_internal_options.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/ossec.conf</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/shared</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>504</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+												<dict>
+													<key>CHILDREN</key>
+													<array/>
+													<key>GID</key>
+													<integer>0</integer>
+													<key>PATH</key>
+													<string>/Library/Ossec/etc/wpk_root.pem</string>
+													<key>PATH_TYPE</key>
+													<integer>0</integer>
+													<key>PERMISSIONS</key>
+													<integer>416</integer>
+													<key>TYPE</key>
+													<integer>3</integer>
+													<key>UID</key>
+													<integer>0</integer>
+												</dict>
+											</array>
+											<key>EXPANDED</key>
+											<true/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/etc</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>504</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/lib</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/logs</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/queue</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/tmp</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>1000</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/packages_files</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/var</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/wodles</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+										<dict>
+											<key>CHILDREN</key>
+											<array/>
+											<key>GID</key>
+											<integer>0</integer>
+											<key>PATH</key>
+											<string>/Library/Ossec/ruleset</string>
+											<key>PATH_TYPE</key>
+											<integer>0</integer>
+											<key>PERMISSIONS</key>
+											<integer>488</integer>
+											<key>TYPE</key>
+											<integer>3</integer>
+											<key>UID</key>
+											<integer>0</integer>
+										</dict>
+									</array>
+									<key>EXPANDED</key>
+									<true/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>/Library/Ossec</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>488</integer>
+									<key>TYPE</key>
+									<integer>3</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>PreferencePanes</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Preferences</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>80</integer>
+									<key>PATH</key>
+									<string>Printers</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>PrivilegedHelperTools</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>QuickLook</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>QuickTime</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Screen Savers</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Scripts</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Services</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Widgets</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>493</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+							</array>
+							<key>GID</key>
+							<integer>0</integer>
+							<key>PATH</key>
+							<string>Library</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>493</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>CHILDREN</key>
+							<array>
+								<dict>
+									<key>CHILDREN</key>
+									<array/>
+									<key>GID</key>
+									<integer>0</integer>
+									<key>PATH</key>
+									<string>Shared</string>
+									<key>PATH_TYPE</key>
+									<integer>0</integer>
+									<key>PERMISSIONS</key>
+									<integer>1023</integer>
+									<key>TYPE</key>
+									<integer>1</integer>
+									<key>UID</key>
+									<integer>0</integer>
+								</dict>
+							</array>
+							<key>GID</key>
+							<integer>80</integer>
+							<key>PATH</key>
+							<string>Users</string>
+							<key>PATH_TYPE</key>
+							<integer>0</integer>
+							<key>PERMISSIONS</key>
+							<integer>493</integer>
+							<key>TYPE</key>
+							<integer>1</integer>
+							<key>UID</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>GID</key>
+					<integer>0</integer>
+					<key>PATH</key>
+					<string>/</string>
+					<key>PATH_TYPE</key>
+					<integer>0</integer>
+					<key>PERMISSIONS</key>
+					<integer>493</integer>
+					<key>TYPE</key>
+					<integer>1</integer>
+					<key>UID</key>
+					<integer>0</integer>
+				</dict>
+				<key>PAYLOAD_TYPE</key>
+				<integer>0</integer>
+				<key>SHOW_INVISIBLE</key>
+				<false/>
+				<key>SPLIT_FORKS</key>
+				<true/>
+				<key>TREAT_MISSING_FILES_AS_WARNING</key>
+				<false/>
+				<key>VERSION</key>
+				<integer>4</integer>
+			</dict>
+			<key>PACKAGE_SCRIPTS</key>
+			<dict>
+				<key>POSTINSTALL_PATH</key>
+				<dict>
+					<key>PATH</key>
+					<string>postinstall.sh</string>
+					<key>PATH_TYPE</key>
+					<integer>1</integer>
+				</dict>
+				<key>PREINSTALL_PATH</key>
+				<dict>
+					<key>PATH</key>
+					<string>preinstall.sh</string>
+					<key>PATH_TYPE</key>
+					<integer>1</integer>
+				</dict>
+				<key>RESOURCES</key>
+				<array/>
+			</dict>
+			<key>PACKAGE_SETTINGS</key>
+			<dict>
+				<key>AUTHENTICATION</key>
+				<integer>1</integer>
+				<key>CONCLUSION_ACTION</key>
+				<integer>0</integer>
+				<key>FOLLOW_SYMBOLIC_LINKS</key>
+				<false/>
+				<key>IDENTIFIER</key>
+				<string>com.wazuh.pkg.wazuh-agent</string>
+				<key>LOCATION</key>
+				<integer>0</integer>
+				<key>NAME</key>
+				<string>agent</string>
+				<key>OVERWRITE_PERMISSIONS</key>
+				<false/>
+				<key>PAYLOAD_SIZE</key>
+				<integer>-1</integer>
+				<key>RELOCATABLE</key>
+				<false/>
+				<key>USE_HFS+_COMPRESSION</key>
+				<false/>
+				<key>VERSION</key>
+				<string>4.9.0-1</string>
+			</dict>
+			<key>TYPE</key>
+			<integer>0</integer>
+			<key>UUID</key>
+			<string>7BC88EDC-74AB-498A-992B-DE940686D898</string>
+		</dict>
+	</array>
+	<key>PROJECT</key>
+	<dict>
+		<key>PROJECT_COMMENTS</key>
+		<dict>
+			<key>NOTES</key>
+			<data>
+			PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1M
+			IDQuMDEvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvVFIvaHRtbDQv
+			c3RyaWN0LmR0ZCI+CjxodG1sPgo8aGVhZD4KPG1ldGEgaHR0cC1l
+			cXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7
+			IGNoYXJzZXQ9VVRGLTgiPgo8bWV0YSBodHRwLWVxdWl2PSJDb250
+			ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4KPHRp
+			dGxlPjwvdGl0bGU+CjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29u
+			dGVudD0iQ29jb2EgSFRNTCBXcml0ZXIiPgo8bWV0YSBuYW1lPSJD
+			b2NvYVZlcnNpb24iIGNvbnRlbnQ9IjE1MDQuODMiPgo8c3R5bGUg
+			dHlwZT0idGV4dC9jc3MiPgo8L3N0eWxlPgo8L2hlYWQ+Cjxib2R5
+			Pgo8L2JvZHk+CjwvaHRtbD4K
+			</data>
+		</dict>
+		<key>PROJECT_PRESENTATION</key>
+		<dict>
+			<key>BACKGROUND</key>
+			<dict/>
+			<key>INSTALLATION TYPE</key>
+			<dict>
+				<key>HIERARCHIES</key>
+				<dict>
+					<key>INSTALLER</key>
+					<dict>
+						<key>LIST</key>
+						<array>
+							<dict>
+								<key>DESCRIPTION</key>
+								<array/>
+								<key>OPTIONS</key>
+								<dict>
+									<key>HIDDEN</key>
+									<false/>
+									<key>STATE</key>
+									<integer>0</integer>
+								</dict>
+								<key>PACKAGE_UUID</key>
+								<string>7BC88EDC-74AB-498A-992B-DE940686D898</string>
+								<key>REQUIREMENTS</key>
+								<array/>
+								<key>TITLE</key>
+								<array>
+									<dict>
+										<key>LANGUAGE</key>
+										<string>English</string>
+										<key>VALUE</key>
+										<string>Wazuh Agent</string>
+									</dict>
+								</array>
+								<key>TOOLTIP</key>
+								<array/>
+								<key>TYPE</key>
+								<integer>0</integer>
+								<key>UUID</key>
+								<string>B5127C49-7EF4-4B73-97D7-2819981073A4</string>
+							</dict>
+						</array>
+						<key>REMOVED</key>
+						<dict/>
+					</dict>
+				</dict>
+				<key>MODE</key>
+				<integer>0</integer>
+			</dict>
+			<key>INSTALLATION_STEPS</key>
+			<array>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewIntroductionController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Introduction</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewReadMeController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>ReadMe</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewLicenseController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>License</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewDestinationSelectController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>TargetSelect</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewInstallationTypeController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>PackageSelection</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewInstallationController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Install</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+				<dict>
+					<key>ICPRESENTATION_CHAPTER_VIEW_CONTROLLER_CLASS</key>
+					<string>ICPresentationViewSummaryController</string>
+					<key>INSTALLER_PLUGIN</key>
+					<string>Summary</string>
+					<key>LIST_TITLE_KEY</key>
+					<string>InstallerSectionTitle</string>
+				</dict>
+			</array>
+			<key>INTRODUCTION</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array>
+					<dict>
+						<key>LANGUAGE</key>
+						<string>English</string>
+						<key>VALUE</key>
+						<dict>
+							<key>PATH</key>
+							<string>introduction.txt</string>
+							<key>PATH_TYPE</key>
+							<integer>1</integer>
+						</dict>
+					</dict>
+				</array>
+			</dict>
+			<key>LICENSE</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array/>
+				<key>MODE</key>
+				<integer>0</integer>
+			</dict>
+			<key>README</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array/>
+			</dict>
+			<key>TITLE</key>
+			<dict>
+				<key>LOCALIZATIONS</key>
+				<array>
+					<dict>
+						<key>LANGUAGE</key>
+						<string>English</string>
+						<key>VALUE</key>
+						<string>Wazuh Agent</string>
+					</dict>
+				</array>
+			</dict>
+		</dict>
+		<key>PROJECT_REQUIREMENTS</key>
+		<dict>
+			<key>LIST</key>
+			<array>
+				<dict>
+					<key>BEHAVIOR</key>
+					<integer>2</integer>
+					<key>DICTIONARY</key>
+					<dict>
+						<key>IC_REQUIREMENT_CPU_ARCHITECTURE_FAMILY</key>
+						<integer>2</integer>
+						<key>IC_REQUIREMENT_CPU_INTEL_ARCHITECTURE_TYPE</key>
+						<integer>2</integer>
+						<key>IC_REQUIREMENT_CPU_MINIMUM_CPU_CORES_COUNT</key>
+						<integer>1</integer>
+						<key>IC_REQUIREMENT_CPU_MINIMUM_FREQUENCY</key>
+						<integer>866666</integer>
+						<key>IC_REQUIREMENT_CPU_POWERPC_ARCHITECTURE_TYPE</key>
+						<integer>0</integer>
+					</dict>
+					<key>IC_REQUIREMENT_CHECK_TYPE</key>
+					<integer>0</integer>
+					<key>IDENTIFIER</key>
+					<string>fr.whitebox.Packages.requirement.cpu</string>
+					<key>MESSAGE</key>
+					<array>
+						<dict>
+							<key>LANGUAGE</key>
+							<string>English</string>
+							<key>SECONDARY_VALUE</key>
+							<string></string>
+							<key>VALUE</key>
+							<string>This installer has been built for 64-bit Intel architecture.</string>
+						</dict>
+					</array>
+					<key>NAME</key>
+					<string>Processor</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>BEHAVIOR</key>
+					<integer>3</integer>
+					<key>DICTIONARY</key>
+					<dict>
+						<key>IC_REQUIREMENT_OS_DISK_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_DISTRIBUTION_TYPE</key>
+						<integer>0</integer>
+						<key>IC_REQUIREMENT_OS_MINIMUM_VERSION</key>
+						<integer>100800</integer>
+					</dict>
+					<key>IC_REQUIREMENT_CHECK_TYPE</key>
+					<integer>1</integer>
+					<key>IDENTIFIER</key>
+					<string>fr.whitebox.Packages.requirement.os</string>
+					<key>MESSAGE</key>
+					<array/>
+					<key>NAME</key>
+					<string>Operating System</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+			</array>
+			<key>RESOURCES</key>
+			<array/>
+			<key>ROOT_VOLUME_ONLY</key>
+			<true/>
+		</dict>
+		<key>PROJECT_SETTINGS</key>
+		<dict>
+			<key>BUILD_FORMAT</key>
+			<integer>0</integer>
+			<key>BUILD_PATH</key>
+			<dict>
+				<key>PATH</key>
+				<string>build</string>
+				<key>PATH_TYPE</key>
+				<integer>1</integer>
+			</dict>
+			<key>EXCLUDED_FILES</key>
+			<array>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.DS_Store</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove .DS_Store files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove ".DS_Store" files created by the Finder.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.pbdevelopment</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove .pbdevelopment files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove ".pbdevelopment" files created by ProjectBuilder or Xcode.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>CVS</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.cvsignore</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.cvspass</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.svn</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.git</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>.gitignore</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove SCM metadata</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove helper files and folders used by the CVS, SVN or Git Source Code Management systems.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>classes.nib</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>designable.db</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>info.nib</string>
+							<key>TYPE</key>
+							<integer>0</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Optimize nib files</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove "classes.nib", "info.nib" and "designable.nib" files within .nib bundles.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>PATTERNS_ARRAY</key>
+					<array>
+						<dict>
+							<key>REGULAR_EXPRESSION</key>
+							<false/>
+							<key>STRING</key>
+							<string>Resources Disabled</string>
+							<key>TYPE</key>
+							<integer>1</integer>
+						</dict>
+					</array>
+					<key>PROTECTED</key>
+					<true/>
+					<key>PROXY_NAME</key>
+					<string>Remove Resources Disabled folders</string>
+					<key>PROXY_TOOLTIP</key>
+					<string>Remove "Resources Disabled" folders.</string>
+					<key>STATE</key>
+					<true/>
+				</dict>
+				<dict>
+					<key>SEPARATOR</key>
+					<true/>
+				</dict>
+			</array>
+			<key>NAME</key>
+			<string>wazuh-agent-4.9.0-1.intel64</string>
+			<key>PAYLOAD_ONLY</key>
+			<false/>
+			<key>TREAT_MISSING_PRESENTATION_DOCUMENTS_AS_WARNING</key>
+			<false/>
+		</dict>
+	</dict>
+	<key>TYPE</key>
+	<integer>0</integer>
+	<key>VERSION</key>
+	<integer>2</integer>
+</dict>
+</plist>
diff --git a/packages/macos/uninstall.sh b/packages/macos/uninstall.sh
new file mode 100755
index 0000000000..b41510375a
--- /dev/null
+++ b/packages/macos/uninstall.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+## Stop and remove application
+sudo /Library/Ossec/bin/wazuh-control stop
+sudo /bin/rm -r /Library/Ossec*
+
+# remove launchdaemons
+/bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
+
+## remove StartupItems
+/bin/rm -rf /Library/StartupItems/WAZUH
+
+## Remove User and Groups
+/usr/bin/dscl . -delete "/Users/wazuh"
+/usr/bin/dscl . -delete "/Groups/wazuh"
+
+/usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
+/usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent-etc
+
+# In case it was installed via Puppet pkgdmg provider
+
+if [ -e /var/db/.puppet_pkgdmg_installed_wazuh-agent ]; then
+    rm -f /var/db/.puppet_pkgdmg_installed_wazuh-agent
+fi
+
+echo
+echo "Wazuh agent correctly removed from the system."
+echo
+
+exit 0
diff --git a/packages/rpms/SPECS/wazuh_agent.spec b/packages/rpms/SPECS/wazuh_agent.spec
new file mode 100644
index 0000000000..eddae2b984
--- /dev/null
+++ b/packages/rpms/SPECS/wazuh_agent.spec
@@ -0,0 +1,901 @@
+%if %{_debugenabled} == yes
+  %global _enable_debug_package 0
+  %global debug_package %{nil}
+  %global __os_install_post %{nil}
+  %define __strip /bin/true
+%endif
+
+%if %{_isstage} == no
+  %define _rpmfilename %%{NAME}_%%{VERSION}-%%{RELEASE}_%%{ARCH}_%{_hashcommit}.rpm
+%else
+  %define _rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm
+%endif
+
+Summary:     Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
+Name:        wazuh-agent
+Version:     %{_version}
+Release:     %{_release}
+License:     GPL
+Group:       System Environment/Daemons
+Source0:     %{name}-%{version}.tar.gz
+URL:         https://www.wazuh.com/
+BuildRoot:   %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Vendor:      Wazuh, Inc <info@wazuh.com>
+Packager:    Wazuh, Inc <info@wazuh.com>
+Requires(pre):    /usr/sbin/groupadd /usr/sbin/useradd
+Requires(postun): /usr/sbin/groupdel /usr/sbin/userdel
+Conflicts:   ossec-hids ossec-hids-agent wazuh-manager wazuh-local
+AutoReqProv: no
+
+Requires: coreutils
+%if 0%{?el} >= 6 || 0%{?rhel} >= 6
+BuildRequires: coreutils glibc-devel automake autoconf libtool policycoreutils-python perl
+%else
+BuildRequires: coreutils glibc-devel automake autoconf libtool policycoreutils perl
+%endif
+
+ExclusiveOS: linux
+
+%description
+Wazuh helps you to gain security visibility into your infrastructure by monitoring
+hosts at an operating system and application level. It provides the following capabilities:
+log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
+
+%prep
+%setup -q
+
+./gen_ossec.sh conf agent centos %rhel %{_localstatedir} > etc/ossec-agent.conf
+
+%build
+pushd src
+# Rebuild for agent
+make clean
+
+%if 0%{?el} >= 6 || 0%{?rhel} >= 6
+    make deps TARGET=agent
+    make -j%{_threads} TARGET=agent USE_SELINUX=yes DEBUG=%{_debugenabled}
+%else
+    %ifnarch amd64
+      MSGPACK="USE_MSGPACK_OPT=no"
+    %endif
+    deps_version=`cat Makefile | grep "DEPS_VERSION =" | cut -d " " -f 3`
+    make deps RESOURCES_URL=http://packages.wazuh.com/deps/${deps_version} TARGET=agent
+    make -j%{_threads} TARGET=agent USE_AUDIT=no USE_SELINUX=yes USE_EXEC_ENVIRON=no DEBUG=%{_debugenabled} ${MSGPACK}
+
+%endif
+
+popd
+
+%install
+# Clean BUILDROOT
+rm -fr %{buildroot}
+
+echo 'USER_LANGUAGE="en"' > ./etc/preloaded-vars.conf
+echo 'USER_NO_STOP="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_INSTALL_TYPE="agent"' >> ./etc/preloaded-vars.conf
+echo 'USER_DIR="%{_localstatedir}"' >> ./etc/preloaded-vars.conf
+echo 'USER_DELETE_DIR="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_ACTIVE_RESPONSE="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_SYSCHECK="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_ROOTCHECK="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_OPENSCAP="n"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_SYSCOLLECTOR="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_ENABLE_CISCAT="y"' >> ./etc/preloaded-vars.conf
+echo 'USER_UPDATE="n"' >> ./etc/preloaded-vars.conf
+echo 'USER_AGENT_SERVER_IP="MANAGER_IP"' >> ./etc/preloaded-vars.conf
+echo 'USER_CA_STORE="/path/to/my_cert.pem"' >> ./etc/preloaded-vars.conf
+echo 'USER_AUTO_START="n"' >> ./etc/preloaded-vars.conf
+./install.sh
+
+%if 0%{?el} < 6 || 0%{?rhel} < 6
+  mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}
+  touch ${RPM_BUILD_ROOT}%{_sysconfdir}/ossec-init.conf
+%endif
+
+# Create directories
+mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/.ssh
+
+# Copy the installed files into RPM_BUILD_ROOT directory
+cp -pr %{_localstatedir}/* ${RPM_BUILD_ROOT}%{_localstatedir}/
+mkdir -p ${RPM_BUILD_ROOT}/usr/lib/systemd/system/
+sed -i "s:WAZUH_HOME_TMP:%{_localstatedir}:g" src/init/templates/ossec-hids-rh.init
+install -m 0755 src/init/templates/ossec-hids-rh.init ${RPM_BUILD_ROOT}%{_initrddir}/wazuh-agent
+sed -i "s:WAZUH_HOME_TMP:%{_localstatedir}:g" src/init/templates/wazuh-agent.service
+install -m 0644 src/init/templates/wazuh-agent.service ${RPM_BUILD_ROOT}/usr/lib/systemd/system/
+
+# Clean the preinstalled configuration assesment files
+rm -f ${RPM_BUILD_ROOT}%{_localstatedir}/ruleset/sca/*
+
+# Install configuration assesment files and files templates
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/{generic}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/{1,2,2023}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/{8,7,6,5}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/ol/{9}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/{9,8,7,6,5}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/{11,12,15}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/{11,12}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/{29,30,31,32,33,34}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/almalinux/{8,9}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rocky/{8,9}
+
+cp -r ruleset/sca/{generic,centos,rhel,ol,sles,amazon,rocky,almalinux} ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp
+
+cp etc/templates/config/generic/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/generic
+
+cp etc/templates/config/amzn/1/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/1
+cp etc/templates/config/amzn/2/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2
+cp etc/templates/config/amzn/2023/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2023
+
+cp etc/templates/config/centos/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos
+cp etc/templates/config/centos/8/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/8
+cp etc/templates/config/centos/7/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/7
+cp etc/templates/config/centos/6/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/6
+cp etc/templates/config/centos/5/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/5
+
+cp etc/templates/config/ol/9/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/ol/9
+
+cp etc/templates/config/rhel/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel
+cp etc/templates/config/rhel/9/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/9
+cp etc/templates/config/rhel/8/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/8
+cp etc/templates/config/rhel/7/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/7
+cp etc/templates/config/rhel/6/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/6
+cp etc/templates/config/rhel/5/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/5
+
+cp etc/templates/config/sles/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles
+cp etc/templates/config/sles/11/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/11
+cp etc/templates/config/sles/12/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/12
+cp etc/templates/config/sles/15/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/15
+
+cp etc/templates/config/suse/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse
+cp etc/templates/config/suse/11/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/11
+cp etc/templates/config/suse/12/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/12
+
+cp etc/templates/config/fedora/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora
+cp etc/templates/config/fedora/29/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/29
+cp etc/templates/config/fedora/30/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/30
+cp etc/templates/config/fedora/31/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/31
+cp etc/templates/config/fedora/32/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/32
+cp etc/templates/config/fedora/33/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/33
+cp etc/templates/config/fedora/34/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/34
+
+cp etc/templates/config/almalinux/8/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/almalinux/8
+cp etc/templates/config/almalinux/9/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/almalinux/9
+
+cp etc/templates/config/rocky/8/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rocky/8
+cp etc/templates/config/rocky/9/sca.files ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rocky/9
+
+# Add configuration scripts
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/
+cp gen_ossec.sh ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/
+cp add_localfiles.sh ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/
+
+# Templates for initscript
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/src/init
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/generic
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/centos
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/rhel
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/suse
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/sles
+
+# Add SUSE initscript
+sed -i "s:WAZUH_HOME_TMP:%{_localstatedir}:g" src/init/templates/ossec-hids-suse.init
+cp -rp src/init/templates/ossec-hids-suse.init ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/src/init/
+
+# Copy scap templates
+cp -rp  etc/templates/config/generic/* ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/generic
+cp -rp  etc/templates/config/centos/* ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/centos
+cp -rp  etc/templates/config/rhel/* ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/rhel
+cp -rp  etc/templates/config/suse/* ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/suse
+cp -rp  etc/templates/config/sles/* ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/sles
+
+install -m 0640 src/init/*.sh ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/src/init
+
+# Add installation scripts
+cp src/VERSION ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/src/
+cp src/REVISION ${RPM_BUILD_ROOT}%{_localstatedir}/packages_files/agent_installation_scripts/src/
+
+exit 0
+
+%pre
+# Create the wazuh group if it doesn't exists
+if command -v getent > /dev/null 2>&1 && ! getent group wazuh > /dev/null 2>&1; then
+  groupadd -r wazuh
+elif ! getent group wazuh > /dev/null 2>&1; then
+  groupadd -r wazuh
+fi
+# Create the wazuh user if it doesn't exists
+if ! getent passwd wazuh > /dev/null 2>&1; then
+  useradd -g wazuh -G wazuh -d %{_localstatedir} -r -s /sbin/nologin wazuh
+fi
+
+# Stop the services to upgrade the package
+if [ $1 = 2 ]; then
+  if [ ! -d "%{_localstatedir}" ]; then
+    echo "Error: Directory %{_localstatedir} does not exist. Cannot perform upgrade" >&2
+    exit 1
+  fi
+
+  if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet wazuh-agent > /dev/null 2>&1; then
+    systemctl stop wazuh-agent.service > /dev/null 2>&1
+    touch %{_localstatedir}/tmp/wazuh.restart
+  # Check for SysV
+  elif command -v service > /dev/null 2>&1 && service wazuh-agent status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+    service wazuh-agent stop > /dev/null 2>&1
+    touch %{_localstatedir}/tmp/wazuh.restart
+  elif %{_localstatedir}/bin/wazuh-control status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+    touch %{_localstatedir}/tmp/wazuh.restart
+  elif %{_localstatedir}/bin/ossec-control status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+    touch %{_localstatedir}/tmp/wazuh.restart
+  fi
+  %{_localstatedir}/bin/ossec-control stop > /dev/null 2>&1 || %{_localstatedir}/bin/wazuh-control stop > /dev/null 2>&1
+fi
+
+%post
+
+echo "VERSION=\"$(%{_localstatedir}/bin/wazuh-control info -v)\"" > /etc/ossec-init.conf
+if [ $1 = 2 ]; then
+  if [ -d %{_localstatedir}/logs/ossec ]; then
+    rm -rf %{_localstatedir}/logs/wazuh
+    cp -rp %{_localstatedir}/logs/ossec %{_localstatedir}/logs/wazuh
+  fi
+
+  if [ -d %{_localstatedir}/queue/ossec ]; then
+    rm -rf %{_localstatedir}/queue/sockets
+    cp -rp %{_localstatedir}/queue/ossec %{_localstatedir}/queue/sockets
+  fi
+fi
+# If the package is being installed
+if [ $1 = 1 ]; then
+
+  touch %{_localstatedir}/logs/active-responses.log
+  chown wazuh:wazuh %{_localstatedir}/logs/active-responses.log
+  chmod 0660 %{_localstatedir}/logs/active-responses.log
+
+  . %{_localstatedir}/packages_files/agent_installation_scripts/src/init/dist-detect.sh
+
+  # Generating ossec.conf file
+  %{_localstatedir}/packages_files/agent_installation_scripts/gen_ossec.sh conf agent ${DIST_NAME} ${DIST_VER}.${DIST_SUBVER} %{_localstatedir} > %{_localstatedir}/etc/ossec.conf
+  chown root:wazuh %{_localstatedir}/etc/ossec.conf
+
+  # Add default local_files to ossec.conf
+  %{_localstatedir}/packages_files/agent_installation_scripts/add_localfiles.sh %{_localstatedir} >> %{_localstatedir}/etc/ossec.conf
+
+
+  # Register and configure agent if Wazuh environment variables are defined
+  %{_localstatedir}/packages_files/agent_installation_scripts/src/init/register_configure_agent.sh %{_localstatedir} > /dev/null || :
+fi
+
+if [[ -d /run/systemd/system ]]; then
+  rm -f %{_initrddir}/wazuh-agent
+fi
+
+# Delete the installation files used to configure the agent
+rm -rf %{_localstatedir}/packages_files
+
+# Remove unnecessary files from shared directory
+rm -f %{_localstatedir}/etc/shared/*.rpmnew
+
+#AlmaLinux
+if [ -r "/etc/almalinux-release" ]; then
+  DIST_NAME=almalinux
+  DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/almalinux-release`
+#Rocky
+elif [ -r "/etc/rocky-release" ]; then
+  DIST_NAME=rocky
+  DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/rocky-release`
+# CentOS
+elif [ -r "/etc/centos-release" ]; then
+  if grep -q "AlmaLinux" /etc/centos-release; then
+    DIST_NAME=almalinux
+  elif grep -q "Rocky" /etc/centos-release; then
+    DIST_NAME=almalinux
+  else
+    DIST_NAME="centos"
+  fi
+  DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/centos-release`
+# Fedora
+elif [ -r "/etc/fedora-release" ]; then
+    DIST_NAME="fedora"
+    DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/fedora-release`
+# Oracle Linux
+elif [ -r "/etc/oracle-release" ]; then
+    DIST_NAME="ol"
+    DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/oracle-release`
+# RedHat
+elif [ -r "/etc/redhat-release" ]; then
+  if grep -q "AlmaLinux" /etc/redhat-release; then
+    DIST_NAME=almalinux
+  elif grep -q "Rocky" /etc/redhat-release; then
+    DIST_NAME=almalinux
+  elif grep -q "CentOS" /etc/redhat-release; then
+      DIST_NAME="centos"
+  else
+      DIST_NAME="rhel"
+  fi
+  DIST_VER=`sed -rn 's/.* ([0-9]{1,2})\.*[0-9]{0,2}.*/\1/p' /etc/redhat-release`
+# SUSE
+elif [ -r "/etc/SuSE-release" ]; then
+  if grep -q "openSUSE" /etc/SuSE-release; then
+      DIST_NAME="generic"
+      DIST_VER=""
+  else
+      DIST_NAME="sles"
+      DIST_VER=`sed -rn 's/.*VERSION = ([0-9]{1,2}).*/\1/p' /etc/SuSE-release`
+  fi
+elif [ -r "/etc/os-release" ]; then
+  . /etc/os-release
+  DIST_NAME=$ID
+  DIST_VER=$(echo $VERSION_ID | sed -rn 's/[^0-9]*([0-9]+).*/\1/p')
+  if [ "X$DIST_VER" = "X" ]; then
+      DIST_VER="0"
+  fi
+  if [ "$DIST_NAME" = "amzn" ] && [ "$DIST_VER" != "2" ] && [ "$DIST_VER" != "2023" ]; then
+      DIST_VER="1"
+  fi
+  DIST_SUBVER=$(echo $VERSION_ID | sed -rn 's/[^0-9]*[0-9]+\.([0-9]+).*/\1/p')
+  if [ "X$DIST_SUBVER" = "X" ]; then
+      DIST_SUBVER="0"
+  fi
+else
+  DIST_NAME="generic"
+  DIST_VER=""
+fi
+
+SCA_DIR="${DIST_NAME}/${DIST_VER}"
+SCA_BASE_DIR="%{_localstatedir}/tmp/sca-%{version}-%{release}-tmp"
+mkdir -p %{_localstatedir}/ruleset/sca
+
+
+SCA_TMP_DIR="${SCA_BASE_DIR}/${SCA_DIR}"
+# Install the configuration files needed for this hosts
+if [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}/sca.files" ]; then
+  SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/${DIST_SUBVER}"
+elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}/sca.files" ]; then
+  SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}/${DIST_VER}"
+elif [ -r "${SCA_BASE_DIR}/${DIST_NAME}/sca.files" ]; then
+  SCA_TMP_DIR="${SCA_BASE_DIR}/${DIST_NAME}"
+else
+  SCA_TMP_DIR="${SCA_BASE_DIR}/generic"
+fi
+
+SCA_TMP_FILE="${SCA_TMP_DIR}/sca.files"
+if [ -r ${SCA_TMP_FILE} ]; then
+
+  rm -f %{_localstatedir}/ruleset/sca/* || true
+
+  for sca_file in $(cat ${SCA_TMP_FILE}); do
+    if [ -f ${SCA_BASE_DIR}/${sca_file} ]; then
+      mv ${SCA_BASE_DIR}/${sca_file} %{_localstatedir}/ruleset/sca
+    fi
+  done
+fi
+
+# Set the proper selinux context
+if ([ "X${DIST_NAME}" = "Xrhel" ] || [ "X${DIST_NAME}" = "Xcentos" ] || [ "X${DIST_NAME}" = "XCentOS" ]) && [ "${DIST_VER}" == "5" ]; then
+  if command -v getenforce > /dev/null 2>&1; then
+    if [ $(getenforce) !=  "Disabled" ]; then
+      chcon -t textrel_shlib_t  %{_localstatedir}/lib/libwazuhext.so
+      chcon -t textrel_shlib_t  %{_localstatedir}/lib/libwazuhshared.so
+    fi
+  fi
+else
+  # Add the SELinux policy
+  if command -v getenforce > /dev/null 2>&1 && command -v semodule > /dev/null 2>&1; then
+    if [ $(getenforce) != "Disabled" ]; then
+      semodule -i %{_localstatedir}/var/selinux/wazuh.pp
+      semodule -e wazuh
+    fi
+  fi
+fi
+
+# Restore ossec.conf permissions after upgrading
+chmod 0660 %{_localstatedir}/etc/ossec.conf
+
+# Remove old ossec user and group if exists and change ownwership of files
+
+if getent group ossec > /dev/null 2>&1; then
+  find %{_localstatedir}/ -group ossec -user root -exec chown root:wazuh {} \; > /dev/null 2>&1 || true
+  if getent passwd ossec > /dev/null 2>&1; then
+    find %{_localstatedir}/ -group ossec -user ossec -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+    userdel ossec > /dev/null 2>&1
+  fi
+  if getent passwd ossecm > /dev/null 2>&1; then
+    find %{_localstatedir}/ -group ossec -user ossecm -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+    userdel ossecm > /dev/null 2>&1
+  fi
+  if getent passwd ossecr > /dev/null 2>&1; then
+    find %{_localstatedir}/ -group ossec -user ossecr -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
+    userdel ossecr > /dev/null 2>&1
+  fi
+  if grep -q ossec /etc/group; then
+    groupdel ossec > /dev/null 2>&1
+  fi
+fi
+
+%preun
+
+if [ $1 = 0 ]; then
+
+  # Stop the services before uninstall the package
+  # Check for systemd
+  if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet wazuh-agent > /dev/null 2>&1; then
+    systemctl stop wazuh-agent.service > /dev/null 2>&1
+  # Check for SysV
+  elif command -v service > /dev/null 2>&1 && service wazuh-agent status 2>/dev/null | grep "is running" > /dev/null 2>&1; then
+    service wazuh-agent stop > /dev/null 2>&1
+  fi
+  %{_localstatedir}/bin/wazuh-control stop > /dev/null 2>&1
+
+  # Remove the SELinux policy
+  if command -v getenforce > /dev/null 2>&1 && command -v semodule > /dev/null 2>&1; then
+    if [ $(getenforce) != "Disabled" ]; then
+      if (semodule -l | grep wazuh > /dev/null); then
+        semodule -r wazuh > /dev/null
+      fi
+    fi
+  fi
+  # Remove the service file for SUSE hosts
+  if [ -f /etc/os-release ]; then
+    sles=$(grep "\"sles" /etc/os-release)
+  elif [ -f /etc/SuSE-release ]; then
+    sles=$(grep "SUSE Linux Enterprise Server" /etc/SuSE-release)
+  fi
+  if [ ! -z "$sles" ]; then
+    rm -f /etc/init.d/wazuh-agent
+  fi
+
+  # Remove SCA files
+  rm -f %{_localstatedir}/ruleset/sca/*
+
+fi
+
+%triggerin -- glibc
+[ -r %{_sysconfdir}/localtime ] && cp -fpL %{_sysconfdir}/localtime %{_localstatedir}/etc
+ chown root:wazuh %{_localstatedir}/etc/localtime
+ chmod 0640 %{_localstatedir}/etc/localtime
+
+%postun
+
+DELETE_WAZUH_USER_AND_GROUP=0
+
+# If the upgrade downgrades to earlier versions, it will create the ossec
+# group and user, we need to delete wazuh ones
+if [ $1 = 1 ]; then
+  if command -v %{_localstatedir}/bin/ossec-control > /dev/null 2>&1; then
+    find %{_localstatedir} -group wazuh -exec chgrp ossec {} +
+    find %{_localstatedir} -user wazuh -exec chown ossec {} +
+    DELETE_WAZUH_USER_AND_GROUP=1
+  fi
+
+  if [ ! -f %{_localstatedir}/etc/client.keys ]; then
+    if [ -f %{_localstatedir}/etc/client.keys.rpmsave ]; then
+      mv %{_localstatedir}/etc/client.keys.rpmsave %{_localstatedir}/etc/client.keys
+    elif [ -f %{_localstatedir}/etc/client.keys.rpmnew ]; then
+      mv %{_localstatedir}/etc/client.keys.rpmnew %{_localstatedir}/etc/client.keys
+    fi
+  fi
+fi
+
+# If the package is been uninstalled or we want to delete wazuh user and group
+if [ $1 = 0 ] || [ $DELETE_WAZUH_USER_AND_GROUP = 1 ]; then
+  # Remove the wazuh user if it exists
+  if getent passwd wazuh > /dev/null 2>&1; then
+    userdel wazuh >/dev/null 2>&1
+  fi
+  # Remove the wazuh group if it exists
+  if command -v getent > /dev/null 2>&1 && getent group wazuh > /dev/null 2>&1; then
+    groupdel wazuh >/dev/null 2>&1
+  elif getent group wazuh > /dev/null 2>&1; then
+    groupdel wazuh >/dev/null 2>&1
+  fi
+
+  if [ $1 = 0 ];then
+    # Remove lingering folders and files
+    rm -rf %{_localstatedir}/etc/shared/
+    rm -rf %{_localstatedir}/queue/
+    rm -rf %{_localstatedir}/var/
+    rm -rf %{_localstatedir}/bin/
+    rm -rf %{_localstatedir}/logs/
+    rm -rf %{_localstatedir}/backup/
+    rm -rf %{_localstatedir}/ruleset/
+    rm -rf %{_localstatedir}/tmp
+  fi
+fi
+
+# posttrans code is the last thing executed in a install/upgrade
+%posttrans
+if [ -f %{_sysconfdir}/systemd/system/wazuh-agent.service ]; then
+  rm -rf %{_sysconfdir}/systemd/system/wazuh-agent.service
+  systemctl daemon-reload > /dev/null 2>&1
+fi
+
+if [ -f %{_localstatedir}/tmp/wazuh.restart ]; then
+  rm -f %{_localstatedir}/tmp/wazuh.restart
+  if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 ; then
+    systemctl daemon-reload > /dev/null 2>&1
+    systemctl restart wazuh-agent.service > /dev/null 2>&1
+  elif command -v service > /dev/null 2>&1; then
+    service wazuh-agent restart > /dev/null 2>&1
+  else
+    %{_localstatedir}/bin/wazuh-control restart > /dev/null 2>&1
+  fi
+fi
+
+if [ -d %{_localstatedir}/logs/ossec ]; then
+  rm -rf %{_localstatedir}/logs/ossec/
+fi
+
+if [ -d %{_localstatedir}/queue/ossec ]; then
+  rm -rf %{_localstatedir}/queue/ossec/
+fi
+
+if [ -f %{_sysconfdir}/ossec-init.conf ]; then
+  rm -f %{_sysconfdir}/ossec-init.conf
+  rm -f %{_localstatedir}/etc/ossec-init.conf
+fi
+
+%clean
+rm -fr %{buildroot}
+
+%files
+%defattr(-,root,root)
+%config(missingok) %{_initrddir}/wazuh-agent
+%attr(640, root, wazuh) %verify(not md5 size mtime) %ghost %{_sysconfdir}/ossec-init.conf
+/usr/lib/systemd/system/wazuh-agent.service
+%dir %attr(750, root, wazuh) %{_localstatedir}
+%attr(750, root, wazuh) %{_localstatedir}/agentless
+%dir %attr(770, root, wazuh) %{_localstatedir}/.ssh
+%dir %attr(750, root, wazuh) %{_localstatedir}/active-response
+%dir %attr(750, root, wazuh) %{_localstatedir}/active-response/bin
+%attr(750, root, wazuh) %{_localstatedir}/active-response/bin/*
+%dir %attr(750, root, root) %{_localstatedir}/bin
+%attr(750, root, root) %{_localstatedir}/bin/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/backup
+%dir %attr(770, wazuh, wazuh) %{_localstatedir}/etc
+%attr(640, root, wazuh) %config(noreplace) %{_localstatedir}/etc/client.keys
+%attr(640, root, wazuh) %{_localstatedir}/etc/internal_options*
+%attr(640, root, wazuh) %{_localstatedir}/etc/localtime
+%attr(640, root, wazuh) %config(noreplace) %{_localstatedir}/etc/local_internal_options.conf
+%attr(660, root, wazuh) %config(noreplace) %{_localstatedir}/etc/ossec.conf
+%attr(640, root, wazuh) %{_localstatedir}/etc/wpk_root.pem
+%dir %attr(770, root, wazuh) %{_localstatedir}/etc/shared
+%attr(660, root, wazuh) %config(missingok,noreplace) %{_localstatedir}/etc/shared/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/lib
+%attr(750, root, wazuh) %{_localstatedir}/lib/*
+%dir %attr(770, wazuh, wazuh) %{_localstatedir}/logs
+%attr(660, wazuh, wazuh) %ghost %{_localstatedir}/logs/active-responses.log
+%attr(660, root, wazuh) %ghost %{_localstatedir}/logs/ossec.log
+%attr(660, root, wazuh) %ghost %{_localstatedir}/logs/ossec.json
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/logs/wazuh
+%dir %attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files
+%dir %attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/add_localfiles.sh
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/gen_ossec.sh
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/generic/*
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/centos/*
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/rhel/*
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/sles/*
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/etc/templates/config/suse/*
+%attr(750, root, root) %config(missingok) %{_localstatedir}/packages_files/agent_installation_scripts/src/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/queue
+%dir %attr(770, wazuh, wazuh) %{_localstatedir}/queue/sockets
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/diff
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/fim
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/fim/db
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/syscollector
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/syscollector/db
+%attr(640, root, wazuh) %{_localstatedir}/queue/syscollector/norm_config.json
+%dir %attr(770, wazuh, wazuh) %{_localstatedir}/queue/alerts
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/rids
+%dir %attr(750, wazuh, wazuh) %{_localstatedir}/queue/logcollector
+%dir %attr(750, root, wazuh) %{_localstatedir}/ruleset/
+%dir %attr(750, root, wazuh) %{_localstatedir}/ruleset/sca
+%attr(750, root, wazuh) %{_localstatedir}/lib/libdbsync.so
+%attr(750, root, wazuh) %{_localstatedir}/lib/librsync.so
+%attr(750, root, wazuh) %{_localstatedir}/lib/libsyscollector.so
+%attr(750, root, wazuh) %{_localstatedir}/lib/libsysinfo.so
+%attr(750, root, wazuh) %{_localstatedir}/lib/libstdc++.so.6
+%attr(750, root, wazuh) %{_localstatedir}/lib/libgcc_s.so.1
+%attr(750, root, wazuh) %{_localstatedir}/lib/libfimdb.so
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/generic
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/generic/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/1
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/1/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2023
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amzn/2023/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/sca.files
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/5
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/5/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/6
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/6/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/7
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/7/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/8
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/centos/8/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/ol/9
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/ol/9/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/sca.files
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/5
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/5/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/6
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/6/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/7
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/7/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/8
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/8/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/9
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rhel/9/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/sca.files
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/11
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/11/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/12
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/12/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/15
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/sles/15/*
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/sca.files
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/11
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/11/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/12
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/suse/12/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amazon
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/amazon/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/fedora/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/almalinux
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/almalinux/*
+%dir %attr(750, wazuh, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rocky
+%attr(640, root, wazuh) %config(missingok) %{_localstatedir}/tmp/sca-%{version}-%{release}-tmp/rocky/*
+%dir %attr(1770, root, wazuh) %{_localstatedir}/tmp
+%dir %attr(750, root, wazuh) %{_localstatedir}/var
+%dir %attr(770, root, wazuh) %{_localstatedir}/var/incoming
+%dir %attr(770, root, wazuh) %{_localstatedir}/var/run
+%dir %attr(770, root, wazuh) %{_localstatedir}/var/selinux
+%attr(640, root, wazuh) %{_localstatedir}/var/selinux/*
+%dir %attr(770, root, wazuh) %{_localstatedir}/var/upgrade
+%dir %attr(770, root, wazuh) %{_localstatedir}/var/wodles
+%dir %attr(750, root, wazuh) %{_localstatedir}/wodles
+%attr(750, root, wazuh) %{_localstatedir}/wodles/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/wodles/aws
+%attr(750, root, wazuh) %{_localstatedir}/wodles/aws/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/wodles/azure
+%attr(750, root, wazuh) %{_localstatedir}/wodles/azure/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/wodles/docker
+%attr(750, root, wazuh) %{_localstatedir}/wodles/docker/*
+%dir %attr(750, root, wazuh) %{_localstatedir}/wodles/gcloud
+%attr(750, root, wazuh) %{_localstatedir}/wodles/gcloud/*
+
+%changelog
+* Wed Jul 10 2024 support <info@wazuh.com> - 4.9.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html
+* Wed Jun 26 2024 support <info@wazuh.com> - 4.8.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html
+* Wed Jun 12 2024 support <info@wazuh.com> - 4.8.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html
+* Thu May 30 2024 support <info@wazuh.com> - 4.7.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-5.html
+* Thu Apr 25 2024 support <info@wazuh.com> - 4.7.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-4.html
+* Tue Feb 27 2024 support <info@wazuh.com> - 4.7.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-3.html
+* Tue Jan 09 2024 support <info@wazuh.com> - 4.7.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-2.html
+* Wed Dec 13 2023 support <info@wazuh.com> - 4.7.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html
+* Tue Nov 21 2023 support <info@wazuh.com> - 4.7.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-0.html
+* Tue Oct 31 2023 support <info@wazuh.com> - 4.6.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html
+* Tue Oct 24 2023 support <info@wazuh.com> - 4.5.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-4.html
+* Tue Oct 10 2023 support <info@wazuh.com> - 4.5.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html
+* Thu Aug 31 2023 support <info@wazuh.com> - 4.5.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html
+* Thu Aug 24 2023 support <info@wazuh.com> - 4.5.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-5.1.html
+* Thu Aug 10 2023 support <info@wazuh.com> - 4.5.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html
+* Mon Jul 10 2023 support <info@wazuh.com> - 4.4.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html
+* Tue Jun 13 2023 support <info@wazuh.com> - 4.4.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html
+* Thu May 25 2023 support <info@wazuh.com> - 4.4.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html
+* Mon May 08 2023 support <info@wazuh.com> - 4.4.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html
+* Mon Apr 24 2023 support <info@wazuh.com> - 4.3.11
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3.11.html
+* Mon Apr 17 2023 support <info@wazuh.com> - 4.4.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html
+* Wed Jan 18 2023 support <info@wazuh.com> - 4.4.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html
+* Thu Nov 10 2022 support <info@wazuh.com> - 4.3.10
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html
+* Mon Oct 03 2022 support <info@wazuh.com> - 4.3.9
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html
+* Wed Sep 21 2022 support <info@wazuh.com> - 3.13.6
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-6.html
+* Mon Sep 19 2022 support <info@wazuh.com> - 4.3.8
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html
+* Wed Aug 24 2022 support <info@wazuh.com> - 3.13.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-5.html
+* Mon Aug 08 2022 support <info@wazuh.com> - 4.3.7
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-7.html
+* Thu Jul 07 2022 support <info@wazuh.com> - 4.3.6
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html
+* Wed Jun 29 2022 support <info@wazuh.com> - 4.3.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-5.html
+* Tue Jun 07 2022 support <info@wazuh.com> - 4.3.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html
+* Tue May 31 2022 support <info@wazuh.com> - 4.3.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html
+* Mon May 30 2022 support <info@wazuh.com> - 4.3.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html
+* Mon May 30 2022 support <info@wazuh.com> - 3.13.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-4.html
+* Sun May 29 2022 support <info@wazuh.com> - 4.2.7
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-7.html
+* Wed May 18 2022 support <info@wazuh.com> - 4.3.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html
+* Thu May 05 2022 support <info@wazuh.com> - 4.3.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html
+* Fri Mar 25 2022 support <info@wazuh.com> - 4.2.6
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-6.html
+* Mon Nov 15 2021 support <info@wazuh.com> - 4.2.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-5.html
+* Thu Oct 21 2021 support <info@wazuh.com> - 4.2.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-4.html
+* Wed Oct 06 2021 support <info@wazuh.com> - 4.2.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-3.html
+* Tue Sep 28 2021 support <info@wazuh.com> - 4.2.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-2.html
+* Sat Sep 25 2021 support <info@wazuh.com> - 4.2.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-1.html
+* Mon Apr 26 2021 support <info@wazuh.com> - 4.2.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-2-0.html
+* Sat Apr 24 2021 support <info@wazuh.com> - 3.13.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-3.html
+* Thu Apr 22 2021 support <info@wazuh.com> - 4.1.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-5.html
+* Mon Mar 29 2021 support <info@wazuh.com> - 4.1.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-4.html
+* Sat Mar 20 2021 support <info@wazuh.com> - 4.1.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-3.html
+* Mon Mar 08 2021 support <info@wazuh.com> - 4.1.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-2.html
+* Fri Mar 05 2021 support <info@wazuh.com> - 4.1.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-1.html
+* Tue Jan 19 2021 support <info@wazuh.com> - 4.1.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-1-0.html
+* Mon Nov 30 2020 support <info@wazuh.com> - 4.0.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-0-3.html
+* Mon Nov 23 2020 support <info@wazuh.com> - 4.0.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-0-2.html
+* Sat Oct 31 2020 support <info@wazuh.com> - 4.0.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-0-1.html
+* Mon Oct 19 2020 support <info@wazuh.com> - 4.0.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-4-0-0.html
+* Fri Aug 21 2020 support <info@wazuh.com> - 3.13.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-2.html
+* Tue Jul 14 2020 support <info@wazuh.com> - 3.13.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-1.html
+* Mon Jun 29 2020 support <info@wazuh.com> - 3.13.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-13-0.html
+* Wed May 13 2020 support <info@wazuh.com> - 3.12.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-12-3.html
+* Thu Apr 9 2020 support <info@wazuh.com> - 3.12.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-12-2.html
+* Wed Apr 8 2020 support <info@wazuh.com> - 3.12.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-12-1.html
+* Wed Mar 25 2020 support <info@wazuh.com> - 3.12.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-12-0.html
+* Mon Feb 24 2020 support <info@wazuh.com> - 3.11.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-11-4.html
+* Wed Jan 22 2020 support <info@wazuh.com> - 3.11.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-11-3.html
+* Tue Jan 7 2020 support <info@wazuh.com> - 3.11.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-11-2.html
+* Thu Dec 26 2019 support <info@wazuh.com> - 3.11.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-11-1.html
+* Mon Oct 7 2019 support <info@wazuh.com> - 3.11.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-11-0.html
+* Mon Sep 23 2019 support <support@wazuh.com> - 3.10.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-10-2.html
+* Thu Sep 19 2019 support <support@wazuh.com> - 3.10.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-10-1.html
+* Mon Aug 26 2019 support <support@wazuh.com> - 3.10.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-10-0.html
+* Thu Aug 8 2019 support <support@wazuh.com> - 3.9.5
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-5.html
+* Fri Jul 12 2019 support <support@wazuh.com> - 3.9.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-4.html
+* Tue Jul 02 2019 support <support@wazuh.com> - 3.9.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-3.html
+* Tue Jun 11 2019 support <support@wazuh.com> - 3.9.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-2.html
+* Sat Jun 01 2019 support <support@wazuh.com> - 3.9.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-1.html
+* Mon Feb 25 2019 support <support@wazuh.com> - 3.9.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-9-0.html
+* Wed Jan 30 2019 support <support@wazuh.com> - 3.8.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-8-2.html
+* Thu Jan 24 2019 support <support@wazuh.com> - 3.8.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-8-1.html
+* Fri Jan 18 2019 support <support@wazuh.com> - 3.8.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-8-0.html
+* Wed Nov 7 2018 support <support@wazuh.com> - 3.7.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-7-0.html
+* Mon Sep 10 2018 support <info@wazuh.com> - 3.6.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-6-1.html
+* Fri Sep 7 2018 support <support@wazuh.com> - 3.6.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-6-0.html
+* Wed Jul 25 2018 support <support@wazuh.com> - 3.5.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-5-0.html
+* Wed Jul 11 2018 support <support@wazuh.com> - 3.4.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-4-0.html
+* Mon Jun 18 2018 support <support@wazuh.com> - 3.3.1
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-3-1.html
+* Mon Jun 11 2018 support <support@wazuh.com> - 3.3.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-3-0.html
+* Wed May 30 2018 support <support@wazuh.com> - 3.2.4
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-2-4.html
+* Thu May 10 2018 support <support@wazuh.com> - 3.2.3
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-2-3.html
+* Mon Apr 09 2018 support <support@wazuh.com> - 3.2.2
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-2-2.html
+* Wed Feb 21 2018 support <support@wazuh.com> - 3.2.1
+- More info: https://documentation.wazuh.com/current/release-notes/rerlease-3-2-1.html
+* Wed Feb 07 2018 support <support@wazuh.com> - 3.2.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-2-0.html
+* Thu Dec 21 2017 support <support@wazuh.com> - 3.1.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-1-0.html
+* Mon Nov 06 2017 support <support@wazuh.com> - 3.0.0
+- More info: https://documentation.wazuh.com/current/release-notes/release-3-0-0.html
+* Tue Jun 06 2017 support <support@wazuh.com> - 2.0.1
+- Changed random data generator for a secure OS-provided generator.
+- Changed Windows installer file name (depending on version).
+- Linux distro detection using standard os-release file.
+- Changed some URLs to documentation.
+- Disable synchronization with SQLite databases for Syscheck by default.
+- Minor changes at Rootcheck formatter for JSON alerts.
+- Added debugging messages to Integrator logs.
+- Show agent ID when possible on logs about incorrectly formatted messages.
+- Use default maximum inotify event queue size.
+- Show remote IP on encoding format errors when unencrypting messages.
+- Fix permissions in agent-info folder
+- Fix permissions in rids folder.
+* Fri Apr 21 2017 Jose Luis Ruiz <jose@wazuh.com> - 2.0
+- Changed random data generator for a secure OS-provided generator.
+- Changed Windows installer file name (depending on version).
+- Linux distro detection using standard os-release file.
+- Changed some URLs to documentation.
+- Disable synchronization with SQLite databases for Syscheck by default.
+- Minor changes at Rootcheck formatter for JSON alerts.
+- Added debugging messages to Integrator logs.
+- Show agent ID when possible on logs about incorrectly formatted messages.
+- Use default maximum inotify event queue size.
+- Show remote IP on encoding format errors when unencrypting messages.
+- Fixed resource leaks at rules configuration parsing.
+- Fixed memory leaks at rules parser.
+- Fixed memory leaks at XML decoders parser.
+- Fixed TOCTOU condition when removing directories recursively.
+- Fixed insecure temporary file creation for old POSIX specifications.
+- Fixed missing agentless devices identification at JSON alerts.
+- Fixed FIM timestamp and file name issue at SQLite database.
+- Fixed cryptographic context acquirement on Windows agents.
+- Fixed debug mode for Analysisd.
+- Fixed bad exclusion of BTRFS filesystem by Rootcheck.
+- Fixed compile errors on macOS.
+- Fixed option -V for Integrator.
+- Exclude symbolic links to directories when sending FIM diffs (by Stephan Joerrens).
+- Fixed daemon list for service reloading at wazuh-control.
+- Fixed socket waiting issue on Windows agents.
+- Fixed PCI_DSS definitions grouping issue at Rootcheck controls.
diff --git a/packages/rpms/amd64/agent/CentOS-Base.repo b/packages/rpms/amd64/agent/CentOS-Base.repo
new file mode 100644
index 0000000000..96f58800c0
--- /dev/null
+++ b/packages/rpms/amd64/agent/CentOS-Base.repo
@@ -0,0 +1,54 @@
+# CentOS-Base.repo
+#
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/centosplus/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#contrib - packages by Centos Users
+[contrib]
+name=CentOS-$releasever - Contrib
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/contrib/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+# SCLO - packages
+[centos-sclo-sclo]
+name=CentOS-$releasever - SCLO
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/sclo/$basearch/rh/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
diff --git a/packages/rpms/amd64/agent/Dockerfile b/packages/rpms/amd64/agent/Dockerfile
new file mode 100644
index 0000000000..298de7014c
--- /dev/null
+++ b/packages/rpms/amd64/agent/Dockerfile
@@ -0,0 +1,74 @@
+FROM centos:6
+
+# Install all the necessary tools to build the packages
+RUN rm /etc/yum.repos.d/* && echo "exactarch=1" >> /etc/yum.conf
+COPY CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
+RUN yum clean all && yum update -y
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+RUN yum install -y gcc make wget git \
+    openssh-clients sudo gnupg \
+    automake autoconf libtool policycoreutils-python \
+    yum-utils epel-release redhat-rpm-config rpm-devel \
+    autopoint gettext nspr nspr-devel \
+    nss nss-devel kenel-headers magic magic-devel \
+    db4 db4-devel zlib zlib-devel rpm-build bison \
+    sharutils bzip2-devel xz-devel lzo-devel \
+    e2fsprogs-devel libacl-devel libattr-devel \
+    openssl-devel libxml2-devel kexec-tools elfutils \
+    libarchive-devel elfutils-libelf-devel \
+    elfutils-libelf patchelf elfutils-devel libgcrypt-devel
+
+RUN yum-builddep python34 -y
+
+RUN curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
+RUN yum install -y nodejs
+
+RUN curl -OL http://packages.wazuh.com/utils/perl/perl-5.10.1.tar.gz && \
+    gunzip perl-5.10.1.tar.gz && tar -xf perl*.tar && \
+    cd /perl-5.10.1 && ./Configure -des -Dcc='gcc' -Dusethreads && \
+    make -j2 && make install && ln -fs /usr/local/bin/perl /bin/perl && \
+    cd / && rm -rf /perl-5.10.1*
+
+# Update rpmbuild, rpm and autoconf
+RUN curl -O http://packages.wazuh.com/utils/autoconf/autoconf-2.69.tar.gz && \
+    gunzip autoconf-2.69.tar.gz && tar xvf autoconf-2.69.tar && \
+    cd autoconf-2.69 && ./configure && make -j$(nproc) && \
+    make install && cd / && rm -rf autoconf-*
+
+RUN curl -O https://packages.wazuh.com/utils/libarchive/libarchive-3.1.2-12.el7.src.rpm && \
+    rpmbuild --rebuild libarchive-3.1.2-12.el7.src.rpm && rpm -Uvh /root/rpmbuild/RPMS/x86_64/* --nodeps && rm -rf libarchive-*
+
+RUN curl -O http://packages.wazuh.com/utils/rpm/rpm-4.15.1.tar.bz2 && \
+    tar -xjf rpm-4.15.1.tar.bz2 && cd rpm-4.15.1 && \
+    ./configure --without-lua && make -j$(nproc) && make install && cd / && rm -rf rpm-*
+
+RUN mkdir -p /usr/local/var/lib/rpm && \
+    cp /var/lib/rpm/Packages /usr/local/var/lib/rpm/Packages && \
+    /usr/local/bin/rpm --rebuilddb && rm -rf /root/rpmbuild
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ \
+        --disable-multilib --disable-libsanitizer && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl CC=/usr/local/gcc-9.4.0/bin/gcc \
+        CXX=/usr/local/gcc-9.4.0/bin/g++ && \
+    make -j$(nproc) && make install && cd / && rm -rf cmake-*
+
+# Add the scripts to build the RPM package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/rpms/arm64/agent/Dockerfile b/packages/rpms/arm64/agent/Dockerfile
new file mode 100644
index 0000000000..9d82d2115b
--- /dev/null
+++ b/packages/rpms/arm64/agent/Dockerfile
@@ -0,0 +1,83 @@
+FROM arm64v8/centos:7
+
+# Enable EPEL
+RUN yum install -y http://packages.wazuh.com/utils/pkg/epel-release-latest-7.noarch.rpm
+
+# Install all the necessary tools to build the packages
+RUN yum install -y gcc make wget git \
+    openssh-clients sudo gnupg file-devel\
+    automake autoconf libtool policycoreutils-python \
+    yum-utils system-rpm-config rpm-devel \
+    gettext nspr nspr-devel \
+    nss nss-devel libdb libdb-devel \
+    zlib zlib-devel rpm-build bison \
+    sharutils bzip2-devel xz-devel lzo-devel \
+    e2fsprogs-devel libacl-devel libattr-devel \
+    openssl-devel libxml2-devel kexec-tools elfutils \
+    libcurl-devel elfutils-libelf-devel \
+    elfutils-libelf patchelf elfutils-devel libgcrypt-devel \
+    libarchive-devel libarchive bluez-libs-devel bzip2 \
+    desktop-file-utils expat-devel findutils gcc-c++ gdbm-devel \
+    glibc-devel gmp-devel gnupg2 libappstream-glib \
+    libffi-devel libtirpc-devel libGL-devel libuuid-devel \
+    libX11-devel ncurses-devel pkgconfig readline-devel \
+    redhat-rpm-config sqlite-devel gdb tar tcl-devel tix-devel tk-devel \
+    valgrind-devel python-rpm-macros python34 nodejs
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ --disable-multilib \
+        --disable-libsanitizer --disable-bootstrap && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl CC=/usr/local/gcc-9.4.0/bin/gcc \
+        CXX=/usr/local/gcc-9.4.0/bin/g++ && \
+    make -j$(nproc) && make install && cd / && rm -rf cmake-*
+
+# Install Perl 5.10
+RUN curl -OL http://packages.wazuh.com/utils/perl/perl-5.10.1.tar.gz && \
+    gunzip perl-5.10.1.tar.gz && tar -xf perl*.tar && \
+    cd /perl-5.10.1 && ./Configure -des -Dcc='gcc' -Dusethreads && \
+    make -j2 && make install && ln -fs /usr/local/bin/perl /bin/perl && \
+    cd / && rm -rf /perl-5.10.1*
+
+RUN curl -O http://packages.wazuh.com/utils/openssl/openssl-1.1.1a.tar.gz && \
+    tar -xzf openssl-1.1.1a.tar.gz && cd openssl* && \
+    ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' && \
+    make -j $(nproc) && make install && cd / && rm -rf openssl-*
+
+RUN curl -O http://packages.wazuh.com/utils/nodejs/node-v12.16.1-linux-arm64.tar.xz && \
+    tar -xJf node-v12.16.1-linux-arm64.tar.xz && \
+    cd node-v12.16* && cp -R * /usr/local/ && cd / && rm -rf node-v*
+
+# Update rpmbuild, rpm and autoconf
+RUN curl -O http://packages.wazuh.com/utils/autoconf/autoconf-2.69.tar.gz && \
+    gunzip autoconf-2.69.tar.gz && tar xvf autoconf-2.69.tar && \
+    cd autoconf-2.69 && ./configure && \
+    make -j $(nproc) && make install && cd / && rm -rf autoconf-*
+
+RUN curl -O http://packages.wazuh.com/utils/rpm/rpm-4.15.1.tar.bz2 && \
+    tar -xjf rpm-4.15.1.tar.bz2 && cd rpm-4.15.1 && \
+    ./configure --without-lua && make -j $(nproc) && \
+    make install && cd / && rm -rf rpm-*
+
+RUN mkdir -p /usr/local/var/lib/rpm && \
+    cp /var/lib/rpm/Packages /usr/local/var/lib/rpm/Packages && \
+    /usr/local/bin/rpm --rebuilddb && rm -rf /root/rpmbuild
+
+# Add the scripts to build the RPM package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/rpms/armhf/agent/Dockerfile b/packages/rpms/armhf/agent/Dockerfile
new file mode 100644
index 0000000000..221cb36cdb
--- /dev/null
+++ b/packages/rpms/armhf/agent/Dockerfile
@@ -0,0 +1,67 @@
+FROM arm32v7/centos:7
+
+ADD build_deps.sh /build_deps.sh
+RUN sh build_deps.sh
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    linux32 ./contrib/download_prerequisites && \
+    linux32 ./configure --prefix=/usr/local/gcc-9.4.0 --with-arch=armv7-a \
+        --with-float=hard --with-fpu=vfpv3-d16 --enable-languages=c,c++ --disable-multilib \
+        --disable-libsanitizer && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    linux32 ./bootstrap --no-system-curl CC=/usr/local/gcc-9.4.0/bin/gcc \
+        CXX=/usr/local/gcc-9.4.0/bin/g++ && \
+    linux32 make -j$(nproc) && linux32 make install && cd / && rm -rf cmake-*
+
+# Install Perl 5.10
+RUN curl -OL http://packages.wazuh.com/utils/perl/perl-5.10.1.tar.gz && \
+    gunzip perl-5.10.1.tar.gz && tar -xf perl*.tar && \
+    cd /perl-5.10.1 && ./Configure -des -Dcc='gcc' -Dusethreads && \
+    make -j2 && make install && ln -fs /usr/local/bin/perl /bin/perl && \
+    cd / && rm -rf /perl-5.10.1*
+
+RUN curl -O http://packages.wazuh.com/utils/openssl/openssl-1.1.1a.tar.gz && \
+    tar -xzf openssl-1.1.1a.tar.gz && cd openssl* && \
+    linux32 ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' && \
+    linux32 make -j $(nproc) && linux32 make install && \
+    make install && cd / && rm -rf openssl-*
+
+RUN curl -O http://packages.wazuh.com/utils/nodejs/node-v4.9.1-linux-armv7l.tar.xz && \
+    tar -xJf node-v4.9.1-linux-armv7l.tar.xz && cd node-v4.9.1-linux-armv7l && cp -R * /usr/local/ && cd / && rm -rf node-v*
+
+# Update rpmbuild, rpm and autoconf
+RUN curl -O http://packages.wazuh.com/utils/autoconf/autoconf-2.69.tar.gz && \
+    gunzip autoconf-2.69.tar.gz && tar xvf autoconf-2.69.tar && \
+    cd autoconf-2.69 && linux32 ./configure && linux32 make -j $(nproc) && \
+    linux32 make install && cd / && rm -rf autoconf-*
+
+RUN curl -O http://packages.wazuh.com/utils/rpm/rpm-4.15.1.tar.bz2 && \
+    tar -xjf rpm-4.15.1.tar.bz2 && cd rpm-4.15.1 && \
+    linux32 ./configure --without-lua && linux32 make -j $(nproc) && \
+    linux32 make install && cd / && rm -rf rpm-*
+
+RUN echo "%_initddir              %{_sysconfdir}/rc.d/init.d" >> /root/.rpmmacros
+RUN echo "%_initrddir             %{_initddir}" >> /root/.rpmmacros
+RUN echo "%_arch                  armv7hl" >> /root/.rpmmacros
+
+RUN mkdir -p /usr/local/var/lib/rpm && \
+    cp /var/lib/rpm/Packages /usr/local/var/lib/rpm/Packages && \
+    /usr/local/bin/rpm --rebuilddb && rm -rf /root/rpmbuild
+
+# Add the scripts to build the RPM package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/rpms/i386/agent/CentOS-Base.repo b/packages/rpms/i386/agent/CentOS-Base.repo
new file mode 100644
index 0000000000..1cfb74d432
--- /dev/null
+++ b/packages/rpms/i386/agent/CentOS-Base.repo
@@ -0,0 +1,47 @@
+# CentOS-Base.repo
+#
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/os/i386/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/updates/i386/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/extras/i386/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/centosplus/i386/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#contrib - packages by Centos Users
+[contrib]
+name=CentOS-$releasever - Contrib
+baseurl=http://mirror.nsc.liu.se/centos-store/6.10/contrib/i386/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
diff --git a/packages/rpms/i386/agent/Dockerfile b/packages/rpms/i386/agent/Dockerfile
new file mode 100644
index 0000000000..9fa107f380
--- /dev/null
+++ b/packages/rpms/i386/agent/Dockerfile
@@ -0,0 +1,74 @@
+FROM i386/centos:6
+
+# Install all the necessary tools to build the packages
+RUN rm /etc/yum.repos.d/* && echo "exactarch=1" >> /etc/yum.conf
+COPY CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
+RUN yum clean all && yum update -y
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+RUN yum -y install util-linux-ng \
+    gcc-multilib make wget git openssh-clients \
+    sudo gnupg automake autoconf libtool \
+    policycoreutils-python yum-utils epel-release \
+    redhat-rpm-config rpm-devel autopoint gettext \
+    zlib zlib-devel nspr nspr-devel \
+    nss nss-devel kenel-headers magic magic-devel \
+    db4 db4-devel rpm-build bison \
+    sharutils bzip2-devel xz-devel lzo-devel \
+    e2fsprogs-devel libacl-devel libattr-devel \
+    openssl-devel libxml2-devel kexec-tools elfutils \
+    libarchive-devel elfutils-libelf-devel \
+    elfutils-libelf patchelf elfutils-devel libgcrypt-devel
+
+RUN yum-builddep python34 -y
+
+RUN curl -OL http://packages.wazuh.com/utils/perl/perl-5.10.1.tar.gz && \
+    gunzip perl-5.10.1.tar.gz && tar -xf perl*.tar && \
+    cd /perl-5.10.1 && ./Configure -des -Dcc='gcc' -Dusethreads && \
+    make -j2 && make install && ln -fs /usr/local/bin/perl /bin/perl && \
+    cd / && rm -rf /perl-5.10.1*
+
+# Update rpmbuild, rpm and autoconf
+RUN curl -O http://packages.wazuh.com/utils/autoconf/autoconf-2.69.tar.gz && \
+    gunzip autoconf-2.69.tar.gz && tar xvf autoconf-2.69.tar && \
+    cd autoconf-2.69 && linux32 ./configure && \
+    linux32 make -j$(nproc) && linux32 make install && cd / && rm -rf autoconf-*
+
+RUN curl -O https://packages.wazuh.com/utils/libarchive/libarchive-3.1.2-12.el7.src.rpm && \
+    linux32 rpmbuild --rebuild libarchive-3.1.2-12.el7.src.rpm --target i386 && \
+    rpm -Uvh /root/rpmbuild/RPMS/i386/* --nodeps && rm -rf libarchive-*
+
+RUN curl -O http://packages.wazuh.com/utils/rpm/rpm-4.15.1.tar.bz2 && \
+    tar -xjf rpm-4.15.1.tar.bz2 && cd rpm-4.15.1 && \
+    linux32 ./configure --without-lua && linux32 make -j$(nproc) && \
+    linux32 make install && cd / && rm -rf rpm-*
+
+RUN mkdir -p /usr/local/var/lib/rpm && \
+    cp /var/lib/rpm/Packages /usr/local/var/lib/rpm/Packages && \
+    /usr/local/bin/rpm --rebuilddb && rm -rf /root/rpmbuild
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    linux32 ./contrib/download_prerequisites && \
+    linux32 ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ \
+        --disable-multilib --disable-libsanitizer && \
+    linux32 make -j$(nproc) && linux32 make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    linux32 ./bootstrap --no-system-curl CC=/usr/local/gcc-9.4.0/bin/gcc \
+        CXX=/usr/local/gcc-9.4.0/bin/g++ && \
+    linux32 make -j$(nproc) && linux32 make install && cd / && rm -rf cmake-*
+
+# Add the scripts to build the RPM package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/rpms/ppc64le/agent/Dockerfile b/packages/rpms/ppc64le/agent/Dockerfile
new file mode 100644
index 0000000000..923fa769e1
--- /dev/null
+++ b/packages/rpms/ppc64le/agent/Dockerfile
@@ -0,0 +1,57 @@
+FROM ppc64le/centos:7
+# Install all the necessary tools to build the packages
+
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+RUN yum -y install centos-release-scl
+RUN mv /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo.old
+RUN mv /etc/yum.repos.d/CentOS-SCLo-scl.repo /etc/yum.repos.d/CentOS-SCLo-scl.repo.old
+
+RUN yum -y install gcc make wget git \
+    openssh-clients rpm-build sudo gnupg \
+    automake autoconf libtool policycoreutils-python \
+    yum-utils epel-release redhat-rpm-config rpm-devel
+
+# Warning: this repo has been disabled by the vendor
+RUN mv /etc/yum.repos.d/CentOS-Sources.repo /etc/yum.repos.d/CentOS-Sources.repo.old
+RUN yum-builddep python34 -y
+
+RUN yum install -y \
+    http://packages.wazuh.com/utils/nodejs/nodejs-8.9.4-2.el7.ppc64le.rpm \
+    http://packages.wazuh.com/utils/nodejs/nodejs-devel-8.9.4-2.el7.ppc64le.rpm \
+    http://packages.wazuh.com/utils/nodejs/npm-5.6.0-1.8.9.4.2.el7.ppc64le.rpm \
+    http://packages.wazuh.com/utils/nodejs/nodejs-debuginfo-8.9.4-2.el7.ppc64le.rpm
+
+RUN curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && \
+    tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && \
+    ./contrib/download_prerequisites && \
+    ./configure --prefix=/usr/local/gcc-9.4.0 --enable-languages=c,c++ \
+        --disable-multilib --disable-libsanitizer && \
+    make -j$(nproc) && make install && \
+    ln -fs /usr/local/gcc-9.4.0/bin/g++ /usr/bin/c++ && \
+    ln -fs /usr/local/gcc-9.4.0/bin/gcc /usr/bin/cc && cd / && rm -rf gcc-*
+
+ENV CPLUS_INCLUDE_PATH "/usr/local/gcc-9.4.0/include/c++/9.4.0/"
+ENV LD_LIBRARY_PATH "/usr/local/gcc-9.4.0/lib64/"
+ENV PATH "/usr/local/gcc-9.4.0/bin:${PATH}"
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && \
+    ./bootstrap --no-system-curl CC=/usr/local/gcc-9.4.0/bin/gcc \
+        CXX=/usr/local/gcc-9.4.0/bin/g++ && \
+    make -j$(nproc) && make install && cd / && rm -rf cmake-* && \
+    ln -sf /usr/bin/rpmbuild /usr/local/bin/rpmbuild
+
+# Install Perl 5.10
+RUN curl -OL http://packages.wazuh.com/utils/perl/perl-5.10.1.tar.gz && \
+    gunzip perl-5.10.1.tar.gz && tar -xf perl*.tar && \
+    cd /perl-5.10.1 && ./Configure -des -Dcc='gcc' -Dusethreads && \
+    make -j2 && make install && ln -fs /usr/local/bin/perl /bin/perl && \
+    cd / && rm -rf /perl-5.10.1*
+
+# Add the scripts to build the RPM package
+ADD build.sh /usr/local/bin/build_package
+RUN chmod +x /usr/local/bin/build_package
+ADD helper_function.sh /usr/local/bin/helper_function.sh
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/build_package"]
diff --git a/packages/rpms/utils/build_deps.sh b/packages/rpms/utils/build_deps.sh
new file mode 100644
index 0000000000..eae66870c5
--- /dev/null
+++ b/packages/rpms/utils/build_deps.sh
@@ -0,0 +1,318 @@
+rpm_url="http://packages.wazuh.com/utils/armv7hl"
+rpm -ivh --force --ignorearch --nodeps \
+${rpm_url}/iproute-4.11.0-25.el7_7.2.armv7hl.rpm \
+${rpm_url}/dhclient-4.2.5-79.el7.centos.armv7hl.rpm \
+${rpm_url}/audit-libs-python-2.8.5-4.el7.armv7hl.rpm \
+${rpm_url}/audit-libs-2.8.5-4.el7.armv7hl.rpm \
+${rpm_url}/autoconf-2.69-11.el7.noarch.rpm \
+${rpm_url}/automake-1.13.4-3.el7.noarch.rpm \
+${rpm_url}/bash-4.2.46-34.el7.armv7hl.rpm \
+${rpm_url}/binutils-2.27-43.base.el7.armv7hl.rpm \
+${rpm_url}/bison-3.0.4-2.el7.armv7hl.rpm \
+${rpm_url}/bluez-libs-devel-5.44-6.el7.armv7hl.rpm \
+${rpm_url}/bluez-libs-5.44-6.el7.armv7hl.rpm \
+${rpm_url}/bzip2-devel-1.0.6-13.el7.armv7hl.rpm \
+${rpm_url}/bzip2-libs-1.0.6-13.el7.armv7hl.rpm \
+${rpm_url}/bzip2-1.0.6-13.el7.armv7hl.rpm \
+${rpm_url}/ca-certificates-2019.2.32-76.el7_7.noarch.rpm \
+${rpm_url}/checkpolicy-2.5-8.el7.armv7hl.rpm \
+${rpm_url}/chkconfig-1.7.4-1.el7.armv7hl.rpm \
+${rpm_url}/coreutils-8.22-24.el7.armv7hl.rpm \
+${rpm_url}/cpio-2.11-27.el7.armv7hl.rpm \
+${rpm_url}/cpp-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/desktop-file-utils-0.23-2.el7.armv7hl.rpm \
+${rpm_url}/diffutils-3.3-5.el7.armv7hl.rpm \
+${rpm_url}/dracut-network-033-568.el7.armv7hl.rpm \
+${rpm_url}/dracut-033-568.el7.armv7hl.rpm \
+${rpm_url}/dwz-0.11-3.el7.armv7hl.rpm \
+${rpm_url}/e2fsprogs-devel-1.42.9-17.el7.armv7hl.rpm \
+${rpm_url}/e2fsprogs-libs-1.42.9-17.el7.armv7hl.rpm \
+${rpm_url}/elfutils-devel-0.176-4.el7.armv7hl.rpm \
+${rpm_url}/elfutils-libelf-devel-0.176-4.el7.armv7hl.rpm \
+${rpm_url}/elfutils-libelf-0.176-4.el7.armv7hl.rpm \
+${rpm_url}/elfutils-libs-0.176-4.el7.armv7hl.rpm \
+${rpm_url}/elfutils-0.176-4.el7.armv7hl.rpm \
+${rpm_url}/emacs-filesystem-24.3-23.el7.noarch.rpm \
+${rpm_url}/ethtool-4.8-10.el7.armv7hl.rpm \
+${rpm_url}/expat-devel-2.1.0-11.el7.armv7hl.rpm \
+${rpm_url}/expat-2.1.0-11.el7.armv7hl.rpm \
+${rpm_url}/file-devel-5.11-36.el7.armv7hl.rpm \
+${rpm_url}/file-libs-5.11-36.el7.armv7hl.rpm \
+${rpm_url}/file-5.11-36.el7.armv7hl.rpm \
+${rpm_url}/findutils-4.5.11-6.el7.armv7hl.rpm \
+${rpm_url}/fipscheck-lib-1.4.1-6.el7.armv7hl.rpm \
+${rpm_url}/gawk-4.0.2-4.el7_3.1.armv7hl.rpm \
+${rpm_url}/gcc-c%2B%2B-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/gcc-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/gdb-7.6.1-119.el7.armv7hl.rpm \
+${rpm_url}/gdbm-devel-1.10-8.el7.armv7hl.rpm \
+${rpm_url}/gdbm-1.10-8.el7.armv7hl.rpm \
+${rpm_url}/gettext-libs-0.19.8.1-3.el7.armv7hl.rpm \
+${rpm_url}/gettext-0.19.8.1-3.el7.armv7hl.rpm \
+${rpm_url}/git-1.8.3.1-21.el7_7.armv7hl.rpm \
+${rpm_url}/glib2-2.56.1-5.el7.armv7hl.rpm \
+${rpm_url}/glibc-devel-2.17-307.el7.1.armv7hl.rpm \
+${rpm_url}/glibc-headers-2.17-307.el7.1.armv7hl.rpm \
+${rpm_url}/glibc-2.17-307.el7.1.armv7hl.rpm \
+${rpm_url}/gmp-devel-6.0.0-15.el7.armv7hl.rpm \
+${rpm_url}/gmp-6.0.0-15.el7.armv7hl.rpm \
+${rpm_url}/gnupg2-2.0.22-5.el7_5.armv7hl.rpm \
+${rpm_url}/grep-2.20-3.el7.armv7hl.rpm \
+${rpm_url}/gzip-1.5-10.el7.armv7hl.rpm \
+${rpm_url}/info-5.1-5.el7.armv7hl.rpm \
+${rpm_url}/json-glib-1.4.2-2.el7.armv7hl.rpm \
+${rpm_url}/kexec-tools-2.0.15-43.el7.armv7hl.rpm \
+${rpm_url}/krb5-devel-1.15.1-46.el7.armv7hl.rpm \
+${rpm_url}/krb5-libs-1.15.1-46.el7.armv7hl.rpm \
+${rpm_url}/less-458-9.el7.armv7hl.rpm \
+${rpm_url}/libX11-devel-1.6.7-2.el7.armv7hl.rpm \
+${rpm_url}/libX11-1.6.7-2.el7.armv7hl.rpm \
+${rpm_url}/libXft-devel-2.3.2-2.el7.armv7hl.rpm \
+${rpm_url}/libacl-devel-2.2.51-15.el7.armv7hl.rpm \
+${rpm_url}/libacl-2.2.51-15.el7.armv7hl.rpm \
+${rpm_url}/libappstream-glib-0.7.8-2.el7.armv7hl.rpm \
+${rpm_url}/libarchive-devel-3.1.2-14.el7_7.armv7hl.rpm \
+${rpm_url}/libarchive-3.1.2-14.el7_7.armv7hl.rpm \
+${rpm_url}/libassuan-2.1.0-3.el7.armv7hl.rpm \
+${rpm_url}/libattr-devel-2.4.46-13.el7.armv7hl.rpm \
+${rpm_url}/libattr-2.4.46-13.el7.armv7hl.rpm \
+${rpm_url}/libcgroup-0.41-21.el7.armv7hl.rpm \
+${rpm_url}/libcom_err-devel-1.42.9-17.el7.armv7hl.rpm \
+${rpm_url}/libcom_err-1.42.9-17.el7.armv7hl.rpm \
+${rpm_url}/libcroco-0.6.12-4.el7.armv7hl.rpm \
+${rpm_url}/libcurl-7.29.0-57.el7.armv7hl.rpm \
+${rpm_url}/libdb-devel-5.3.21-25.el7.armv7hl.rpm \
+${rpm_url}/libdb-5.3.21-25.el7.armv7hl.rpm \
+${rpm_url}/libedit-3.0-12.20121213cvs.el7.armv7hl.rpm \
+${rpm_url}/libffi-devel-3.0.13-19.el7.armv7hl.rpm \
+${rpm_url}/libffi-3.0.13-19.el7.armv7hl.rpm \
+${rpm_url}/libgcab1-0.7-4.el7_4.armv7hl.rpm \
+${rpm_url}/libgcc-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/libgcrypt-devel-1.5.3-14.el7.armv7hl.rpm \
+${rpm_url}/libgcrypt-1.5.3-14.el7.armv7hl.rpm \
+${rpm_url}/libgomp-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/libgpg-error-devel-1.12-3.el7.armv7hl.rpm \
+${rpm_url}/libgpg-error-1.12-3.el7.armv7hl.rpm \
+${rpm_url}/libicu-50.2-3.el7.armv7hl.rpm \
+${rpm_url}/libmpc-1.0.1-3.el7.armv7hl.rpm \
+${rpm_url}/libselinux-python-2.5-15.el7.armv7hl.rpm \
+${rpm_url}/libsemanage-python-2.5-14.el7.armv7hl.rpm \
+${rpm_url}/libsepol-2.5-10.el7.armv7hl.rpm \
+${rpm_url}/libsoup-2.62.2-2.el7.armv7hl.rpm \
+${rpm_url}/libstdc%2B%2B-devel-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/libstdc%2B%2B-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/libtirpc-devel-0.2.4-0.16.el7.armv7hl.rpm \
+${rpm_url}/libtirpc-0.2.4-0.16.el7.armv7hl.rpm \
+${rpm_url}/libtool-2.4.2-22.el7_3.armv7hl.rpm \
+${rpm_url}/libunistring-0.9.3-9.el7.armv7hl.rpm \
+${rpm_url}/libuuid-devel-2.23.2-63.el7.armv7hl.rpm \
+${rpm_url}/libuuid-2.23.2-63.el7.armv7hl.rpm \
+${rpm_url}/libuv-1.37.0-1.el7.armv7hl.rpm \
+${rpm_url}/libxcb-devel-1.13-1.el7.armv7hl.rpm \
+${rpm_url}/libxml2-devel-2.9.1-6.el7.4.armv7hl.rpm \
+${rpm_url}/libxml2-python-2.9.1-6.el7.4.armv7hl.rpm \
+${rpm_url}/libxml2-2.9.1-6.el7.4.armv7hl.rpm \
+${rpm_url}/lua-5.1.4-15.el7.armv7hl.rpm \
+${rpm_url}/lzo-devel-2.06-8.el7.armv7hl.rpm \
+${rpm_url}/lzo-minilzo-2.06-8.el7.armv7hl.rpm \
+${rpm_url}/lzo-2.06-8.el7.armv7hl.rpm \
+${rpm_url}/m4-1.4.16-10.el7.armv7hl.rpm \
+${rpm_url}/make-3.82-24.el7.armv7hl.rpm \
+${rpm_url}/man-db-2.6.3-11.el7.armv7hl.rpm \
+${rpm_url}/mpfr-3.1.1-4.el7.armv7hl.rpm \
+${rpm_url}/ncurses-devel-5.9-14.20130511.el7_4.armv7hl.rpm \
+${rpm_url}/ncurses-libs-5.9-14.20130511.el7_4.armv7hl.rpm \
+${rpm_url}/nodejs-6.17.1-1.el7.armv7hl.rpm \
+${rpm_url}/npm-3.10.10-1.6.17.1.1.el7.armv7hl.rpm \
+${rpm_url}/nspr-devel-4.21.0-1.el7.armv7hl.rpm \
+${rpm_url}/nspr-4.21.0-1.el7.armv7hl.rpm \
+${rpm_url}/nss-devel-3.44.0-7.el7_7.armv7hl.rpm \
+${rpm_url}/nss-pem-1.0.3-7.el7.armv7hl.rpm \
+${rpm_url}/nss-softokn-devel-3.44.0-8.el7_7.armv7hl.rpm \
+${rpm_url}/nss-softokn-3.44.0-8.el7_7.armv7hl.rpm \
+${rpm_url}/nss-sysinit-3.44.0-7.el7_7.armv7hl.rpm \
+${rpm_url}/nss-util-devel-3.44.0-4.el7_7.armv7hl.rpm \
+${rpm_url}/nss-util-3.44.0-4.el7_7.armv7hl.rpm \
+${rpm_url}/nss-3.44.0-7.el7_7.armv7hl.rpm \
+${rpm_url}/openldap-2.4.44-21.el7_6.armv7hl.rpm \
+${rpm_url}/openssh-clients-7.4p1-21.el7.armv7hl.rpm \
+${rpm_url}/openssh-7.4p1-21.el7.armv7hl.rpm \
+${rpm_url}/openssl-devel-1.0.2k-19.el7.armv7hl.rpm \
+${rpm_url}/openssl-libs-1.0.2k-19.el7.armv7hl.rpm \
+${rpm_url}/pam-1.1.8-23.el7.armv7hl.rpm \
+${rpm_url}/patch-2.7.1-12.el7_7.armv7hl.rpm \
+${rpm_url}/patchelf-0.9-10.el7.armv7hl.rpm \
+${rpm_url}/pcre-8.32-17.el7.armv7hl.rpm \
+${rpm_url}/perl-Carp-1.26-244.el7.noarch.rpm \
+${rpm_url}/perl-Data-Dumper-2.145-3.el7.armv7hl.rpm \
+${rpm_url}/perl-Error-0.17020-2.el7.noarch.rpm \
+${rpm_url}/perl-Exporter-5.68-3.el7.noarch.rpm \
+${rpm_url}/perl-File-Path-2.09-2.el7.noarch.rpm \
+${rpm_url}/perl-File-Temp-0.23.01-3.el7.noarch.rpm \
+${rpm_url}/perl-Getopt-Long-2.40-3.el7.noarch.rpm \
+${rpm_url}/perl-Git-1.8.3.1-21.el7_7.noarch.rpm \
+${rpm_url}/perl-PathTools-3.40-5.el7.armv7hl.rpm \
+${rpm_url}/perl-TermReadKey-2.30-20.el7.armv7hl.rpm \
+${rpm_url}/perl-Test-Harness-3.28-3.el7.noarch.rpm \
+${rpm_url}/perl-Text-ParseWords-3.29-4.el7.noarch.rpm \
+${rpm_url}/perl-Thread-Queue-3.02-2.el7.noarch.rpm \
+${rpm_url}/perl-constant-1.27-2.el7.noarch.rpm \
+${rpm_url}/perl-srpm-macros-1-8.el7.noarch.rpm \
+${rpm_url}/perl-threads-1.87-4.el7.armv7hl.rpm \
+${rpm_url}/perl-5.16.3-295.el7.armv7hl.rpm \
+${rpm_url}/pinentry-0.8.1-17.el7.armv7hl.rpm \
+${rpm_url}/pkgconfig-0.27.1-4.el7.armv7hl.rpm \
+${rpm_url}/policycoreutils-python-2.5-34.el7.armv7hl.rpm \
+${rpm_url}/policycoreutils-2.5-34.el7.armv7hl.rpm \
+${rpm_url}/popt-devel-1.13-16.el7.armv7hl.rpm \
+${rpm_url}/popt-1.13-16.el7.armv7hl.rpm \
+${rpm_url}/pth-2.0.7-23.el7.armv7hl.rpm \
+${rpm_url}/python-IPy-0.75-6.el7.noarch.rpm \
+${rpm_url}/python-kitchen-1.1.1-5.el7.noarch.rpm \
+${rpm_url}/python-libs-2.7.5-88.el7.armv7hl.rpm \
+${rpm_url}/python-rpm-macros-3-32.el7.noarch.rpm \
+${rpm_url}/python-srpm-macros-3-32.el7.noarch.rpm \
+${rpm_url}/python-2.7.5-88.el7.armv7hl.rpm \
+${rpm_url}/python34-libs-3.4.10-4.el7.armv7hl.rpm \
+${rpm_url}/python34-3.4.10-4.el7.armv7hl.rpm \
+${rpm_url}/readline-devel-6.2-11.el7.armv7hl.rpm \
+${rpm_url}/readline-6.2-11.el7.armv7hl.rpm \
+${rpm_url}/redhat-rpm-config-9.1.0-88.el7.centos.noarch.rpm \
+${rpm_url}/rpm-build-libs-4.11.3-43.el7.armv7hl.rpm \
+${rpm_url}/rpm-build-4.11.3-43.el7.armv7hl.rpm \
+${rpm_url}/rpm-devel-4.11.3-43.el7.armv7hl.rpm \
+${rpm_url}/rpm-libs-4.11.3-43.el7.armv7hl.rpm \
+${rpm_url}/rpm-4.11.3-43.el7.armv7hl.rpm \
+${rpm_url}/rsync-3.1.2-10.el7.armv7hl.rpm \
+${rpm_url}/sed-4.2.2-6.el7.armv7hl.rpm \
+${rpm_url}/setools-libs-3.3.8-4.el7.armv7hl.rpm \
+${rpm_url}/sharutils-4.13.3-8.el7.armv7hl.rpm \
+${rpm_url}/snappy-1.1.0-3.el7.armv7hl.rpm \
+${rpm_url}/sqlite-devel-3.7.17-8.el7_7.1.armv7hl.rpm \
+${rpm_url}/sqlite-3.7.17-8.el7_7.1.armv7hl.rpm \
+${rpm_url}/sudo-1.8.23-9.el7.armv7hl.rpm \
+${rpm_url}/systemd-219-73.el7.1.armv7hl.rpm \
+${rpm_url}/tar-1.26-35.el7.armv7hl.rpm \
+${rpm_url}/tcl-devel-8.5.13-8.el7.armv7hl.rpm \
+${rpm_url}/tcl-8.5.13-8.el7.armv7hl.rpm \
+${rpm_url}/tix-devel-8.4.3-12.el7.armv7hl.rpm \
+${rpm_url}/tix-8.4.3-12.el7.armv7hl.rpm \
+${rpm_url}/tk-devel-8.5.13-6.el7.armv7hl.rpm \
+${rpm_url}/tk-8.5.13-6.el7.armv7hl.rpm \
+${rpm_url}/unzip-6.0-21.el7.armv7hl.rpm \
+${rpm_url}/valgrind-devel-3.15.0-11.el7.armv7hl.rpm \
+${rpm_url}/valgrind-3.15.0-11.el7.armv7hl.rpm \
+${rpm_url}/vim-minimal-7.4.629-6.el7.armv7hl.rpm \
+${rpm_url}/xorg-x11-proto-devel-2018.4-1.el7.noarch.rpm \
+${rpm_url}/xz-devel-5.2.2-1.el7.armv7hl.rpm \
+${rpm_url}/xz-libs-5.2.2-1.el7.armv7hl.rpm \
+${rpm_url}/xz-5.2.2-1.el7.armv7hl.rpm \
+${rpm_url}/yum-utils-1.1.31-53.el7.noarch.rpm \
+${rpm_url}/yum-3.4.3-167.el7.centos.noarch.rpm \
+${rpm_url}/zip-3.0-11.el7.armv7hl.rpm \
+${rpm_url}/zlib-devel-1.2.7-18.el7.armv7hl.rpm \
+${rpm_url}/zlib-1.2.7-18.el7.armv7hl.rpm \
+${rpm_url}/fipscheck-1.4.1-6.el7.armv7hl.rpm \
+${rpm_url}/libatomic-4.8.5-39.el7.armv7hl.rpm \
+${rpm_url}/jasper-1.900.1-33.el7.armv7hl.rpm \
+${rpm_url}/jasper-devel-1.900.1-33.el7.armv7hl.rpm \
+${rpm_url}/jasper-libs-1.900.1-33.el7.armv7hl.rpm \
+${rpm_url}/jasper-utils-1.900.1-33.el7.armv7hl.rpm \
+${rpm_url}/kernel-headers-5.4.28-200.el7.armv7hl.rpm \
+${rpm_url}/glibc-common-2.17-307.el7.1.armv7hl.rpm \
+${rpm_url}/keyutils-libs-devel-1.5.8-3.el7.armv7hl.rpm \
+${rpm_url}/libmnl-1.0.3-7.el7.armv7hl.rpm \
+${rpm_url}/iptables-1.4.21-34.el7.armv7hl.rpm \
+${rpm_url}/iptables-devel-1.4.21-34.el7.armv7hl.rpm \
+${rpm_url}/hostname-3.13-3.el7_7.1.armv7hl.rpm \
+${rpm_url}/initscripts-9.49.49-1.el7.armv7hl.rpm \
+${rpm_url}/dhcp-4.2.5-79.el7.centos.armv7hl.rpm \
+${rpm_url}/dhcp-devel-4.2.5-79.el7.centos.armv7hl.rpm \
+${rpm_url}/dhcp-libs-4.2.5-79.el7.centos.armv7hl.rpm \
+${rpm_url}/dhcp-common-4.2.5-79.el7.centos.armv7hl.rpm \
+${rpm_url}/bind-export-devel-9.11.4-16.P2.el7.armv7hl.rpm \
+${rpm_url}/bind-export-libs-9.11.4-16.P2.el7.armv7hl.rpm \
+${rpm_url}/libkadm5-1.15.1-46.el7.armv7hl.rpm \
+${rpm_url}/libselinux-2.5-15.el7.armv7hl.rpm \
+${rpm_url}/libselinux-devel-2.5-15.el7.armv7hl.rpm \
+${rpm_url}/libverto-0.2.5-4.el7.armv7hl.rpm \
+${rpm_url}/libverto-devel-0.2.5-4.el7.armv7hl.rpm \
+${rpm_url}/groff-base-1.22.2-8.el7.armv7hl.rpm \
+${rpm_url}/libX11-common-1.6.7-2.el7.noarch.rpm \
+${rpm_url}/libxcb-devel-1.13-1.el7.armv7hl.rpm \
+${rpm_url}/libXft-2.3.2-2.el7.armv7hl.rpm \
+${rpm_url}/pkgconfig-0.27.1-4.el7.armv7hl.rpm \
+${rpm_url}/glib-networking-2.56.1-1.el7.armv7hl.rpm \
+${rpm_url}/libxcb-1.13-1.el7.armv7hl.rpm \
+${rpm_url}/groff-base-1.22.2-8.el7.armv7hl.rpm \
+${rpm_url}/libpipeline-1.2.3-3.el7.armv7hl.rpm \
+${rpm_url}/ncurses-5.9-14.20130511.el7_4.armv7hl.rpm \
+${rpm_url}/ncurses-base-5.9-14.20130511.el7_4.noarch.rpm \
+${rpm_url}/nss-softokn-freebl-devel-3.44.0-8.el7_7.armv7hl.rpm \
+${rpm_url}/nss-softokn-freebl-3.44.0-8.el7_7.armv7hl.rpm \
+${rpm_url}/perl-libs-5.16.3-295.el7.armv7hl.rpm \
+${rpm_url}/perl-Scalar-List-Utils-1.27-248.el7.armv7hl.rpm \
+${rpm_url}/perl-Pod-Usage-1.63-3.el7.noarch.rpm \
+${rpm_url}/perl-Time-Local-1.2300-2.el7.noarch.rpm \
+${rpm_url}/perl-Pod-Simple-3.28-4.el7.noarch.rpm \
+${rpm_url}/perl-threads-shared-1.43-6.el7.armv7hl.rpm \
+${rpm_url}/perl-macros-5.16.3-295.el7.armv7hl.rpm \
+${rpm_url}/libjpeg-turbo-1.2.90-8.el7.armv7hl.rpm \
+${rpm_url}/libjpeg-turbo-devel-1.2.90-8.el7.armv7hl.rpm \
+${rpm_url}/libjpeg-turbo-utils-1.2.90-8.el7.armv7hl.rpm \
+${rpm_url}/freetype-2.8-14.el7.armv7hl.rpm \
+${rpm_url}/freetype-devel-2.8-14.el7.armv7hl.rpm \
+${rpm_url}/fontconfig-2.13.0-4.3.el7.armv7hl.rpm \
+${rpm_url}/fontconfig-devel-2.13.0-4.3.el7.armv7hl.rpm \
+${rpm_url}/libXrender-0.9.10-1.el7.armv7hl.rpm \
+${rpm_url}/libXrender-devel-0.9.10-1.el7.armv7hl.rpm \
+${rpm_url}/libXau-1.0.8-2.1.el7.armv7hl.rpm \
+${rpm_url}/libXau-devel-1.0.8-2.1.el7.armv7hl.rpm \
+${rpm_url}/perl-Filter-1.49-3.el7.armv7hl.rpm \
+${rpm_url}/perl-Socket-2.010-5.el7.armv7hl.rpm \
+${rpm_url}/perl-Storable-2.45-3.el7.armv7hl.rpm \
+${rpm_url}/perl-Time-HiRes-1.9725-3.el7.armv7hl.rpm \
+${rpm_url}/libselinux-utils-2.5-15.el7.armv7hl.rpm \
+${rpm_url}/systemd-libs-219-73.el7.1.armv7hl.rpm \
+${rpm_url}/libglvnd-glx-1.0.1-0.8.git5baa1e5.el7.armv7hl.rpm \
+${rpm_url}/mesa-libGLU-9.0.0-4.el7.armv7hl.rpm \
+${rpm_url}/mesa-libGLU-devel-9.0.0-4.el7.armv7hl.rpm \
+${rpm_url}/freeglut-3.0.0-8.el7.armv7hl.rpm \
+${rpm_url}/freeglut-devel-3.0.0-8.el7.armv7hl.rpm \
+${rpm_url}/libnetfilter_conntrack-1.0.6-1.el7_3.armv7hl.rpm \
+${rpm_url}/libnetfilter_conntrack-devel-1.0.6-1.el7_3.armv7hl.rpm \
+${rpm_url}/libnfnetlink-1.0.1-4.el7.armv7hl.rpm \
+${rpm_url}/libnfnetlink-devel-1.0.1-4.el7.armv7hl.rpm \
+${rpm_url}/sysvinit-tools-2.88-14.dsf.el7.armv7hl.rpm \
+${rpm_url}/libcap-devel-2.22-11.el7.armv7hl.rpm \
+${rpm_url}/libcap-2.22-11.el7.armv7hl.rpm \
+${rpm_url}/libsepol-2.5-10.el7.armv7hl.rpm \
+${rpm_url}/libsepol-devel-2.5-10.el7.armv7hl.rpm \
+${rpm_url}/libnetfilter_conntrack-1.0.6-1.el7_3.armv7hl.rpm \
+${rpm_url}/libnetfilter_conntrack-devel-1.0.6-1.el7_3.armv7hl.rpm \
+${rpm_url}/glib2-devel-2.56.1-5.el7.armv7hl.rpm \
+${rpm_url}/glib2-2.56.1-5.el7.armv7hl.rpm \
+${rpm_url}/gsettings-desktop-schemas-devel-3.28.0-3.el7.armv7hl.rpm \
+${rpm_url}/gsettings-desktop-schemas-3.28.0-3.el7.armv7hl.rpm \
+${rpm_url}/gnutls-3.3.29-9.el7_6.armv7hl.rpm \
+${rpm_url}/libproxy-0.4.11-11.el7.armv7hl.rpm \
+${rpm_url}/libproxy-devel-0.4.11-11.el7.armv7hl.rpm \
+${rpm_url}/perl-podlators-2.5.1-3.el7.noarch.rpm \
+${rpm_url}/perl-Pod-Perldoc-3.20-4.el7.noarch.rpm \
+${rpm_url}/perl-Encode-2.51-7.el7.armv7hl.rpm \
+${rpm_url}/perl-Pod-Escapes-1.04-295.el7.noarch.rpm \
+${rpm_url}/dejavu-sans-fonts-2.33-6.el7.noarch.rpm \
+${rpm_url}/fontpackages-filesystem-1.44-8.el7.noarch.rpm \
+${rpm_url}/libglvnd-1.0.1-0.8.git5baa1e5.el7.armv7hl.rpm \
+${rpm_url}/libXext-1.3.3-3.el7.armv7hl.rpm \
+${rpm_url}/libXext-devel-1.3.3-3.el7.armv7hl.rpm \
+${rpm_url}/libglvnd-1.0.1-0.8.git5baa1e5.el7.armv7hl.rpm \
+${rpm_url}/mesa-libGL-18.3.4-7.el7.armv7hl.rpm \
+${rpm_url}/mesa-libGL-devel-18.3.4-7.el7.armv7hl.rpm \
+${rpm_url}/gl-manpages-1.1-7.20130122.el7.noarch.rpm \
+${rpm_url}/libICE-1.0.9-9.el7.armv7hl.rpm \
+${rpm_url}/libICE-devel-1.0.9-9.el7.armv7hl.rpm \
+${rpm_url}/wget-1.14-18.el7_6.1.armv7hl.rpm \
+${rpm_url}/libcurl-devel-7.29.0-57.el7.armv7hl.rpm \
+${rpm_url}/cmake3-data-3.17.3-3.el7.noarch.rpm \
+${rpm_url}/cmake3-3.17.3-3.el7.armv7hl.rpm
diff --git a/packages/rpms/utils/helper_function.sh b/packages/rpms/utils/helper_function.sh
new file mode 100644
index 0000000000..3e4e4a59f2
--- /dev/null
+++ b/packages/rpms/utils/helper_function.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# RPM helper functions
+
+# Wazuh package builder
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+rpmbuild="rpmbuild"
+rpm_build_dir="" # To be define on setup_build
+
+setup_build(){
+    sources_dir="$1"
+    specs_path="$2"
+    build_dir="$3"
+    package_name="$4"
+
+    rpm_build_dir=${build_dir}/rpmbuild
+
+    mkdir -p ${rpm_build_dir}/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
+
+    cp ${specs_path}/wazuh-${BUILD_TARGET}.spec ${rpm_build_dir}/SPECS/${package_name}.spec
+
+    # Generating source tar.gz
+    cd ${build_dir}/${BUILD_TARGET} && tar czf "${rpm_build_dir}/SOURCES/${package_name}.tar.gz" "${package_name}"
+}
+
+set_debug(){
+    local debug="$1"
+    if [[ "${debug}" == "no" ]]; then
+        echo '%debug_package %{nil}' > /etc/rpm/macros
+    fi
+}
+
+build_deps(){
+    local legacy="$1"
+    if [ "${legacy}" = "no" ]; then
+        echo "%_source_filedigest_algorithm 8" >> /root/.rpmmacros
+        echo "%_binary_filedigest_algorithm 8" >> /root/.rpmmacros
+        if [ "${BUILD_TARGET}" = "agent" ]; then
+            echo " %rhel 6" >> /root/.rpmmacros
+            echo " %centos 6" >> /root/.rpmmacros
+            echo " %centos_ver 6" >> /root/.rpmmacros
+            echo " %dist .el6" >> /root/.rpmmacros
+            echo " %el6 1" >> /root/.rpmmacros
+        fi
+        rpmbuild="/usr/local/bin/rpmbuild"
+    fi
+}
+
+build_package(){
+    package_name="$1"
+    debug="$2"
+    short_commit_hash="$3"
+    wazuh_version="$4"
+
+    if [ "${ARCHITECTURE_TARGET}" = "i386" ] || [ "${ARCHITECTURE_TARGET}" = "armhf" ]; then
+        linux="linux32"
+    fi
+
+    if [ "${ARCHITECTURE_TARGET}" = "armhf" ]; then
+        ARCH="armv7hl"
+    elif [ "${ARCHITECTURE_TARGET}" = "arm64" ]; then
+        ARCH="aarch64"
+    elif [ "${ARCHITECTURE_TARGET}" = "amd64" ]; then
+        ARCH="x86_64"
+    elif [[ "${ARCHITECTURE_TARGET}" == "i386" ]] || [[ "${ARCHITECTURE_TARGET}" == "ppc64le" ]]; then
+        ARCH=${ARCHITECTURE_TARGET}
+    else
+        echo "Invalid architecture selected. Choose: [armhf, arm64, amd64, i386, ppc64le]"
+        return 1
+    fi
+
+    $linux $rpmbuild --define "_sysconfdir /etc" --define "_topdir ${rpm_build_dir}" \
+        --define "_threads ${JOBS}" --define "_release ${REVISION}" --define "_isstage ${IS_STAGE}" \
+        --define "_localstatedir ${INSTALLATION_PATH}" --define "_debugenabled ${debug}" \
+        --define "_version ${wazuh_version}" --define "_hashcommit ${short_commit_hash}" \
+        --target $ARCH -ba ${rpm_build_dir}/SPECS/${package_name}.spec
+    return $?
+}
+
+get_package_and_checksum(){
+    src="$3"
+    export RPM_NAME=$(ls -R ${rpm_build_dir}/RPMS | grep "\.rpm$")
+    export SRC_NAME=$(ls -R ${rpm_build_dir}/SRPMS | grep "\.src\.rpm$")
+
+    if [[ "${checksum}" == "yes" ]]; then
+        cd "${rpm_build_dir}/RPMS" && sha512sum $RPM_NAME > /var/local/wazuh/$RPM_NAME.sha512
+        if [[ "${src}" == "yes" ]]; then
+            cd "${rpm_build_dir}/SRPMS" && sha512sum $SRC_NAME > /var/local/wazuh/$SRC_NAME.sha512
+        fi
+    fi
+
+    if [[ "${src}" == "yes" ]]; then
+        mv ${rpm_build_dir}/SRPMS/$SRC_NAME /var/local/wazuh
+    else
+        mv ${rpm_build_dir}/RPMS/$RPM_NAME /var/local/wazuh
+    fi
+}
diff --git a/packages/windows/Dockerfile b/packages/windows/Dockerfile
new file mode 100644
index 0000000000..79fd0b2f0f
--- /dev/null
+++ b/packages/windows/Dockerfile
@@ -0,0 +1,16 @@
+FROM ubuntu:22.04
+
+# Installing necessary packages
+RUN apt-get update && \
+    apt-get install -y --allow-change-held-packages gcc g++ gcc-mingw-w64 g++-mingw-w64 nsis make wget unzip \
+    curl perl binutils zip libssl-dev
+
+RUN curl -OL http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && \
+    tar -zxvf cmake-3.18.3.tar.gz && \
+    cd cmake-3.18.3 && \
+    ./bootstrap && make -j$(nproc) && make install && \
+    ln -s /usr/local/bin/cmake /usr/bin/cmake && cd / && rm -rf cmake-*
+
+ADD entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/packages/windows/entrypoint.sh b/packages/windows/entrypoint.sh
new file mode 100755
index 0000000000..03e5e5920f
--- /dev/null
+++ b/packages/windows/entrypoint.sh
@@ -0,0 +1,33 @@
+#! /bin/bash
+
+set -ex
+
+JOBS=$1
+DEBUG=$2
+ZIP_NAME=$3
+TRUST_VERIFICATION=$4
+CA_NAME=$5
+
+# Compile the wazuh agent for Windows
+FLAGS="-j ${JOBS} IMAGE_TRUST_CHECKS=${TRUST_VERIFICATION} CA_NAME=\"${CA_NAME}\" "
+
+if [[ "${DEBUG}" = "yes" ]]; then
+    FLAGS+="DEBUG=1 "
+fi
+
+if [ -z "${BRANCH}"]; then
+    mkdir /wazuh-local-src
+    cp -r /local-src/* /wazuh-local-src
+else
+    URL_REPO=https://github.com/wazuh/wazuh/archive/${BRANCH}.zip
+
+    # Download the wazuh repository
+    wget -O wazuh.zip ${URL_REPO} && unzip wazuh.zip
+fi
+
+bash -c "make -C /wazuh-*/src deps TARGET=winagent ${FLAGS}"
+bash -c "make -C /wazuh-*/src TARGET=winagent ${FLAGS}"
+
+rm -rf /wazuh-*/src/external
+
+zip -r /shared/${ZIP_NAME} /wazuh-*
diff --git a/packages/windows/generate_compiled_windows_agent.sh b/packages/windows/generate_compiled_windows_agent.sh
new file mode 100755
index 0000000000..96d5ba60a4
--- /dev/null
+++ b/packages/windows/generate_compiled_windows_agent.sh
@@ -0,0 +1,153 @@
+#! /bin/bash
+set -ex
+
+BRANCH=""
+JOBS="4"
+ZIP_NAME=""
+DEBUG="no"
+OUTDIR="$(pwd)"
+TRUST_VERIFICATION="1"
+BUILD_DOCKER="yes"
+DOCKER_TAG="latest"
+CA_NAME="DigiCert Assured ID Root CA"
+CUSTOM_CODE_VOL=""
+DOCKERFILE_PATH="./"
+DOCKER_IMAGE_NAME="compile_windows_agent"
+TAG=$1
+
+
+help() {
+    set +x
+    echo
+    echo "Usage: $0 [OPTIONS]"
+    echo
+    echo "    -b, --branch <branch>     [Optional] Select Git branch to compile Wazuh code."
+    echo "    --sources <path>          [Optional] Absolute path containing wazuh source code. This option will use local source code instead of downloading it from GitHub. By default: '../../src'."
+    echo "    -o, --output <rev>        [Required] Name to the output package."
+    echo "    -j, --jobs <number>       [Optional] Change number of parallel jobs when compiling the Windows agent. By default: 4."
+    echo "    -s, --store <path>        [Optional] Set the directory where the package will be stored. By default the current path."
+    echo "    -d, --debug               [Optional] Build the binaries with debug symbols. By default: no."
+    echo "    -t, --trust_verification  [Optional] Build the binaries with trust load images verification. By default: 1 (only warnings)."
+    echo "    -c, --ca_name <CA name>   [Optional] CA name to be used to verify the trust of the agent. By default: DigiCert Assured ID Root CA."
+    echo "    --dont-build-docker       [Optional] Locally built docker image will be used instead of generating a new one."
+    echo "    --tag                     [Optional] Tag to use with the docker image."
+    echo "    -h, --help                Show this help."
+    echo
+    exit $1
+}
+
+
+main() {
+    while [ -n "$1" ]
+    do
+        case "$1" in
+        "-b"|"--branch")
+            if [ -n "$2" ]; then
+                BRANCH="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-h"|"--help")
+            help 0
+            ;;
+        "-j"|"--jobs")
+            if [ -n "$2" ]; then
+                JOBS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-o"|"--output")
+            if [ -n "$2" ]; then
+                ZIP_NAME="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-d"|"--debug")
+            DEBUG="yes"
+            shift 1
+            ;;
+        "-s"|"--store")
+            if [ -n "$2" ]; then
+                OUTDIR="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-t"|"--trust_verification")
+            if [ -n "$2" ]; then
+                TRUST_VERIFICATION="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-c"|"--ca_name")
+            if [ -n "$2" ]; then
+                CA_NAME="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--dont-build-docker")
+            BUILD_DOCKER="no"
+            shift 1
+            ;;
+        "--tag")
+            if [ -n "$2" ]; then
+                DOCKER_TAG="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--sources")
+            if [ -n "$2" ]; then
+                CUSTOM_CODE_VOL="-v $2:/local-src:Z"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    if [ -z "${ZIP_NAME}" ]; then
+        help |grep -B5 --color "^.*--output.*$" & exit 1
+    fi
+
+    if [ ! -d "${OUTDIR}" ]; then
+        echo "Creating building directory at ${OUTDIR}"
+        mkdir -p ${OUTDIR}
+    fi
+
+    if [ -z "${CUSTOM_CODE_VOL}" ]; then
+        cd ../..
+        CUSTOM_CODE_VOL="-v $(pwd):/local-src:Z"
+        cd packages/windows
+    fi
+
+    if [[ ${BUILD_DOCKER} == "yes" ]]; then
+        docker build -t ${DOCKER_IMAGE_NAME}:${DOCKER_TAG} ./ || exit 1
+    fi
+
+    if [ -n "${BRANCH}" ]; then
+        ENV_BRANCH="-e BRANCH=${BRANCH}"
+    fi
+
+    docker run --rm -v ${OUTDIR}:/shared ${CUSTOM_CODE_VOL} ${ENV_BRANCH} ${DOCKER_IMAGE_NAME}:${DOCKER_TAG} ${JOBS} ${DEBUG} ${ZIP_NAME} ${TRUST_VERIFICATION} "${CA_NAME}" || exit 1
+    echo "Package $(ls -Art ${OUTDIR} | tail -n 1) added to ${OUTDIR}."
+
+    exit 0
+}
+
+main "$@"
diff --git a/packages/windows/generate_wazuh_msi.ps1 b/packages/windows/generate_wazuh_msi.ps1
new file mode 100644
index 0000000000..99ec154b1c
--- /dev/null
+++ b/packages/windows/generate_wazuh_msi.ps1
@@ -0,0 +1,86 @@
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+param (
+    [string]$MSI_NAME = "wazuh-agent.msi",
+    [string]$SIGN = "no",
+    [string]$WIX_TOOLS_PATH = "",
+    [string]$SIGN_TOOLS_PATH = "",
+    [switch]$help
+    )
+
+$CANDLE_EXE = "candle.exe"
+$LIGHT_EXE = "light.exe"
+$SIGNTOOL_EXE = "signtool.exe"
+
+if(($help.isPresent)) {
+    "
+    This tool can be used to generate the Windows Wazuh agent msi package.
+
+    PARAMETERS TO BUILD WAZUH-AGENT MSI (OPTIONALS):
+        1. MSI_NAME: MSI package name output.
+        2. SIGN: yes or no. By default 'no'.
+        3. WIX_TOOLS_PATH: Wix tools path.
+        4. SIGN_TOOLS_PATH: sign tools path.
+
+    USAGE:
+
+        * WAZUH:
+          $ ./generate_wazuh_msi.ps1  -MSI_NAME {{ NAME }} -SIGN {{ yes|no }} -WIX_TOOLS_PATH {{ PATH }} -SIGN_TOOLS_PATH {{ PATH }}
+
+            Build a devel msi:    $ ./generate_wazuh_msi.ps1 -MSI_NAME wazuh-agent_4.9.0-0_windows_0ceb378.msi -SIGN no
+            Build a prod msi:     $ ./generate_wazuh_msi.ps1 -MSI_NAME wazuh-agent-4.9.0-1.msi -SIGN yes
+    "
+    Exit
+}
+
+# Get Power Shell version.
+$PSversion = $PSVersionTable.PSVersion.Major
+if ($PSversion -eq $null) {
+    $PSversion = 1 # $PSVersionTable is new with Powershell 2.0
+}
+
+function BuildWazuhMsi(){
+    Write-Host "MSI_NAME = $MSI_NAME"
+
+    if($WIX_TOOLS_PATH -ne ""){
+        $CANDLE_EXE = $WIX_TOOLS_PATH + "/" + $CANDLE_EXE
+        $LIGHT_EXE = $WIX_TOOLS_PATH + "/" + $LIGHT_EXE
+    }
+
+    if($SIGN_TOOLS_PATH -ne ""){
+        $SIGNTOOL_EXE = $SIGN_TOOLS_PATH + "/" + $SIGNTOOL_EXE
+    }
+
+    if($SIGN -eq "yes"){
+        # Sign .exe files and the InstallerScripts.vbs
+        Write-Host "Signing .exe files..."
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 ".\*.exe"
+        Write-Host "Signing .vbs files..."
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 ".\InstallerScripts.vbs"
+        Write-Host "Signing .dll files..."
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\*.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 ".\*.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\data_provider\build\bin\sysinfo.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\shared_modules\dbsync\build\bin\dbsync.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\shared_modules\rsync\build\bin\rsync.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\wazuh_modules\syscollector\build\bin\syscollector.dll"
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /fd SHA256 /td SHA256 "..\syscheckd\build\bin\libfimdb.dll"
+    }
+
+    Write-Host "Building MSI installer..."
+
+    & $CANDLE_EXE -nologo .\wazuh-installer.wxs -out "wazuh-installer.wixobj" -ext WixUtilExtension -ext WixUiExtension
+    & $LIGHT_EXE ".\wazuh-installer.wixobj" -out $MSI_NAME -ext WixUtilExtension -ext WixUiExtension
+
+    if($SIGN -eq "yes"){
+        Write-Host "Signing $MSI_NAME..."
+        & $SIGNTOOL_EXE sign /a /tr http://timestamp.digicert.com /d $MSI_NAME /fd SHA256 /td SHA256 $MSI_NAME
+    }
+}
+
+############################
+# MAIN
+############################
+
+BuildWazuhMsi
diff --git a/packages/wpk/README.md b/packages/wpk/README.md
new file mode 100644
index 0000000000..439916f8f6
--- /dev/null
+++ b/packages/wpk/README.md
@@ -0,0 +1,68 @@
+# WPK package
+
+In this repository, you can find the necessary tools to build a WPK package.
+
+## Building WPK packages
+
+Usage: ./generate_wpk_package.sh [OPTIONS]
+It is required to use -k or --aws-wpk-key, --aws-wpk-cert parameters
+
+    -t,   --target-system <target> [Required] Select target wpk to build [linux/windows/macos].
+    -b,   --branch <branch>        [Required] Select Git branch.
+    -d,   --destination <path>     [Required] Set the destination path of package.
+    -pn,  --package-name <name>    [Required] Path to package file (rpm, deb, apk, msi, pkg) to pack in wpk.
+    -o,   --output <name>          [Required] Name to the output package.
+    -k,   --key-dir <path>         [Optional] Set the WPK key path to sign package.
+    --aws-wpk-key                  [Optional] AWS Secrets manager Name/ARN to get WPK private key.
+    --aws-wpk-cert                 [Optional] AWS secrets manager Name/ARN to get WPK certificate.
+    --aws-wpk-key-region           [Optional] AWS Region where secrets are stored.
+    -c,   --checksum               [Optional] Generate checksum on destination folder. By default: no.
+    --dont-build-docker            [Optional] Locally built docker image will be used instead of generating a new one. By default: yes.
+    --tag <name>                   [Optional] Tag to use with the docker image.
+    -h,   --help                   Show this help.
+
+Please, visit the following link for the full WPK packages building documentation: [Generate Wazuh WPK packages automatically.](https://documentation.wazuh.com/current/development/packaging/generate-wpk-package.html)
+
+## Workflows
+
+There are workflows to generate both the necessary Docker images and to generate the WPKs of each of the operating systems:
+
+- packages-upload-wpk-images.yml
+It is responsible for building and uploading the images necessary for the WPK script to our ghcr bucket. The image name for all systems it is 'common_wpk_builder'. The parameters it accepts are:
+  - docker_image_tag:
+          Tag name of the Docker image to be uploaded.
+          Use 'developer' to set branch name as tag.
+          Use 'auto' to set branch version as tag.
+          If using a custom tag, use only '-', '_', '.' and alphanumeric characters.
+          Default is 'auto'.
+  - source_reference:
+          Branch from wazuh/wazuh repository to use.
+
+- packages-build-wpk.yml
+It is responsible for generating the WPKs for each system using the generate_wpk_package script. The parameters it accepts are:
+  - source_reference:
+          Branch/tag of wazuh/wazuh to generate WPKs.
+  - docker_image_tag:
+          Specify the docker tag used to build the package.
+          Use 'developer' to set branch name as tag.
+          Use 'auto' to set branch version as tag.
+          Default is 'auto'.
+  - wpk_reference:
+          Package URL with the package to be packed in the WPK.
+  - is_stage:
+          Should set development/production nomenclature
+          True if WPK name should have production format.
+          False if WPK name should have developer format.
+          Default is 'false'.
+  - checksum:
+          Generate package checksum
+          Default is 'false'.
+
+## Contribute
+
+If you want to contribute to our project please don't hesitate to send a pull request. You can also join our users [mailing list](https://groups.google.com/d/forum/wazuh) by sending an email to [wazuh+subscribe@googlegroups.com](mailto:wazuh+subscribe@googlegroups.com)or join to our Slack channel by filling this [form](https://wazuh.com/community/join-us-on-slack/) to ask questions and participate in discussions.
+
+## License and copyright
+
+WAZUH
+Copyright (C) 2015 Wazuh Inc.  (License GPLv2)
diff --git a/packages/wpk/common/Dockerfile b/packages/wpk/common/Dockerfile
new file mode 100644
index 0000000000..cf76ec51e0
--- /dev/null
+++ b/packages/wpk/common/Dockerfile
@@ -0,0 +1,13 @@
+FROM debian:9
+RUN echo "deb http://archive.debian.org/debian stretch contrib main non-free" > /etc/apt/sources.list && \
+    echo "deb http://archive.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list && \
+    apt-get update && \
+    apt-get -y install --allow-change-held-packages python git curl jq python3 python3-pip libffi-dev && \
+    pip3 install --upgrade cryptography==2.9.2 awscli
+
+ADD wpkpack.py /usr/local/bin/wpkpack
+ADD run.sh /usr/local/bin/run
+VOLUME /var/local/wazuh
+VOLUME /etc/wazuh
+VOLUME /etc/wazuh/checksum
+ENTRYPOINT ["/usr/local/bin/run"]
diff --git a/packages/wpk/generate_wpk_package.sh b/packages/wpk/generate_wpk_package.sh
new file mode 100755
index 0000000000..25302e947e
--- /dev/null
+++ b/packages/wpk/generate_wpk_package.sh
@@ -0,0 +1,267 @@
+#!/bin/bash
+
+# Program to build the Wazuh WPK packages
+# Wazuh package generator
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+CURRENT_PATH="$( cd $(dirname ${0}) ; pwd -P )"
+COMMON_BUILDER="common_wpk_builder"
+COMMON_BUILDER_DOCKERFILE="${CURRENT_PATH}/common"
+CHECKSUM="no"
+
+trap ctrl_c INT
+
+
+function pack_wpk() {
+    local BRANCH="${1}"
+    local DESTINATION="${2}"
+    local CONTAINER_NAME="${3}"
+    local PACKAGE_NAME="${4}"
+    local OUT_NAME="${5}"
+    local CHECKSUM="${6}"
+    local AWS_REGION="${7}"
+    local WPK_KEY="${8}"
+    local WPK_CERT="${9}"
+
+    if [[ "${CHECKSUM}" == "yes" ]]; then
+        CHECKSUM_FLAG="-c"
+    fi
+    if [ -n "${KEYDIR}" ]; then
+        MOUNT_KEYDIR_FLAG="-v ${KEYDIR}:/etc/wazuh:Z"
+    fi
+    if [ -n "${WPK_KEY}" ]; then
+        WPK_KEY_FLAG="--aws-wpk-key ${WPK_KEY}"
+    fi
+    if [ -n "${WPK_CERT}" ]; then
+        WPK_CERT_FLAG="--aws-wpk-cert ${WPK_CERT}"
+    fi
+
+    docker run -t --rm ${MOUNT_KEYDIR_FLAG} -v ${DESTINATION}:/var/local/wazuh:Z -v ${PKG_PATH}:/var/pkg:Z -v ${DESTINATION}:/var/local/checksum:Z \
+        -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
+        ${CONTAINER_NAME}:${DOCKER_TAG} -b ${BRANCH} -o ${OUT_NAME} --aws-wpk-key-region ${AWS_REGION} ${WPK_KEY_FLAG} ${WPK_CERT_FLAG} -pn ${PACKAGE_NAME} ${CHECKSUM_FLAG}
+
+    return $?
+}
+
+
+function build_container() {
+    local CONTAINER_NAME="${1}"
+    local DOCKERFILE_PATH="${2}"
+
+    cp run.sh wpkpack.py ${DOCKERFILE_PATH}
+    docker build -t ${CONTAINER_NAME}:${DOCKER_TAG} ${DOCKERFILE_PATH}
+}
+
+
+function help() {
+    echo
+    echo "Usage: ${0} [OPTIONS]"
+    echo "It is required to use -k or --aws-wpk-key, --aws-wpk-cert parameters"
+    echo
+    echo "    -t,   --target-system <target> [Required] Select target wpk to build [linux/windows/macos]."
+    echo "    -b,   --branch <branch>        [Required] Select Git branch."
+    echo "    -d,   --destination <path>     [Required] Set the destination path of package."
+    echo "    -pn,  --package-name <name>    [Required] Path to package file (rpm, deb, apk, msi, pkg) to pack in wpk."
+    echo "    -o,   --output <name>          [Required] Name to the output package."
+    echo "    -k,   --key-dir <path>         [Optional] Set the WPK key path to sign package."
+    echo "    --aws-wpk-key                  [Optional] AWS Secrets manager Name/ARN to get WPK private key."
+    echo "    --aws-wpk-cert                 [Optional] AWS secrets manager Name/ARN to get WPK certificate."
+    echo "    --aws-wpk-key-region           [Optional] AWS Region where secrets are stored."
+    echo "    -c,   --checksum               [Optional] Generate checksum on destination folder. By default: no."
+    echo "    --dont-build-docker            [Optional] Locally built docker image will be used instead of generating a new one. By default: yes."
+    echo "    --tag <name>                   [Optional] Tag to use with the docker image."
+    echo "    -h,   --help                   Show this help."
+    echo
+    exit ${1}
+}
+
+
+function clean() {
+    local DOCKERFILE_PATH="${1}"
+    local exit_code="${2}"
+
+    rm -f ${DOCKERFILE_PATH}/*.sh ${DOCKERFILE_PATH}/wpkpack.py
+
+    return 0
+}
+
+
+ctrl_c() {
+    clean 1
+}
+
+
+function main() {
+    local TARGET=""
+    local BRANCH=""
+    local DESTINATION="${CURRENT_PATH}/output"
+    local CONTAINER_NAME=""
+    local PKG_NAME=""
+    local OUT_NAME=""
+    local WPK_KEY=""
+    local WPK_CERT=""
+    local AWS_REGION="us-east-1"
+    local BUILD_DOCKER="yes"
+    local DOCKER_TAG="latest"
+
+    local HAVE_BRANCH=false
+    local HAVE_DESTINATION=false
+    local HAVE_TARGET=false
+    local HAVE_KEYDIR=false
+    local HAVE_PKG_NAME=false
+    local HAVE_OUT_NAME=false
+    local HAVE_WPK_KEY=false
+    local HAVE_WPK_CERT=false
+
+    while [ -n "${1}" ]
+    do
+        case "${1}" in
+        "-t"|"--target-system")
+            if [ -n "${2}" ]; then
+                if [[ "${2}" == "linux" || "${2}" == "windows" || "${2}" == "macos" ]]; then
+                    local TARGET="${2}"
+                    local HAVE_TARGET=true
+                    shift 2
+                else
+                    echo "Target system must be linux, windows or macos"
+                    help 1
+                fi
+            else
+                echo "ERROR: Missing target system."
+                help 1
+            fi
+            ;;
+        "-b"|"--branch")
+            if [ -n "${2}" ]; then
+                local BRANCH="${2}"
+                local HAVE_BRANCH=true
+                shift 2
+            else
+                echo "ERROR: Missing branch."
+                help 1
+            fi
+            ;;
+        "-d"|"--destination")
+            if [ -n "${2}" ]; then
+                local DESTINATION="${2}"
+                local HAVE_DESTINATION=true
+                shift 2
+            else
+                echo "ERROR: Missing destination directory."
+                help 1
+            fi
+            ;;
+        "-k"|"--key-dir")
+            if [ -n "${2}" ]; then
+                if [[ "${2: -1}" != "/" ]]; then
+                    KEYDIR="${2}/"
+                    local HAVE_KEYDIR=true
+                else
+                    KEYDIR="${2}"
+                    local HAVE_KEYDIR=true
+                fi
+                shift 2
+            fi
+            ;;
+        "-pn"|"--package-name")
+            if [ -n "${2}" ]; then
+                local HAVE_PKG_NAME=true
+                local PKG_NAME="${2}"
+                PKG_PATH=`echo ${PKG_NAME}| rev|cut -d'/' -f2-|rev`
+                PKG_NAME=`basename ${PKG_NAME}`
+                shift 2
+            else
+                echo "ERROR: Missing package file"
+                help 1
+            fi
+            ;;
+        "-o"|"--output")
+            if [ -n "${2}" ]; then
+                local HAVE_OUT_NAME=true
+                local OUT_NAME="${2}"
+                shift 2
+            else
+                echo "ERROR: Missing output name."
+                help 1
+            fi
+            ;;
+        "--aws-wpk-key")
+            if [ -n "${2}" ]; then
+                local HAVE_WPK_KEY=true
+                local WPK_KEY="${2}"
+                shift 2
+            fi
+            ;;
+        "--aws-wpk-cert")
+            if [ -n "${2}" ]; then
+                local HAVE_WPK_CERT=true
+                local WPK_CERT="${2}"
+                shift 2
+            fi
+            ;;
+        "--aws-wpk-key-region")
+            if [ -n "${2}" ]; then
+                local AWS_REGION="${2}"
+                shift 2
+            fi
+            ;;
+        "-c"|"--checksum")
+            local CHECKSUM="yes"
+            shift 1
+            ;;
+        "--dont-build-docker")
+            BUILD_DOCKER="no"
+            shift 1
+            ;;
+        "--tag")
+            if [ -n "$2" ]; then
+                DOCKER_TAG="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "-h"|"--help")
+            help 0
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    if [[ "${HAVE_KEYDIR}" == false && ("${HAVE_WPK_KEY}" == false || "${HAVE_WPK_CERT}" == false) ]]; then
+        echo "ERROR: Option -k or -wk, -wc must be set."
+        help 1
+    fi
+
+    if [[ "${HAVE_TARGET}" == true ]] && [[ "${HAVE_BRANCH}" == true ]] && [[ "${HAVE_DESTINATION}" == true ]] && [[ "${HAVE_OUT_NAME}" == true ]]; then
+        if [[ "${TARGET}" == "linux" || "${TARGET}" == "windows" || "${TARGET}" == "macos" ]]; then
+            if [[ "${HAVE_PKG_NAME}" == true ]]; then
+                if [[ "${BUILD_DOCKER}" == "yes" ]]; then
+                    build_container ${COMMON_BUILDER} ${COMMON_BUILDER_DOCKERFILE} || clean ${COMMON_BUILDER_DOCKERFILE} 1
+                fi
+                local CONTAINER_NAME="${COMMON_BUILDER}"
+                pack_wpk ${BRANCH} ${DESTINATION} ${CONTAINER_NAME} ${PKG_NAME} ${OUT_NAME} ${CHECKSUM} ${CHECKSUMDIR} ${AWS_REGION} ${WPK_KEY} ${WPK_CERT} || clean ${COMMON_BUILDER_DOCKERFILE} 1
+                clean ${COMMON_BUILDER_DOCKERFILE} 0
+            else
+                echo "ERROR: Cannot build WPK without a package."
+                help 1
+            fi
+        else
+            echo "ERROR: Target system must be linux, windows or macos."
+            help 1
+        fi
+    else
+        echo "ERROR: Need more parameters"
+        help 1
+    fi
+
+    return 0
+}
+
+main "$@"
diff --git a/packages/wpk/run.sh b/packages/wpk/run.sh
new file mode 100755
index 0000000000..299a4acaf1
--- /dev/null
+++ b/packages/wpk/run.sh
@@ -0,0 +1,166 @@
+#!/bin/bash
+set -x
+DIRECTORY="wazuh*"
+REPOSITORY="https://github.com/wazuh/wazuh"
+REFERENCE=""
+OUT_NAME=""
+CHECKSUM="no"
+PKG_NAME=""
+HAVE_PKG_NAME_WIN=false
+HAVE_PKG_NAME_MAC=false
+HAVE_PKG_NAME_LINUX=false
+AWS_REGION="us-east-1"
+KEYPATH="/etc/wazuh"
+WPKCERT="${KEYPATH}/wpkcert.pem"
+WPKKEY="${KEYPATH}/wpkcert.key"
+OUTDIR="/var/local/wazuh"
+CHECKSUMDIR="/var/local/checksum"
+
+
+help() {
+    set +x
+    echo
+    echo "Usage: ${0} [OPTIONS]"
+    echo "It is required to use -k or --aws-wpk-key, --aws-wpk-cert parameters"
+    echo
+    echo "    -b,   --branch <branch>      [Required] Select Git branch or tag e.g. master"
+    echo "    -o,   --output <name>        [Required] Name to the output package."
+    echo "    -pn,  --package-name <name>  [Required] Path to package file (rpm, deb, apk, msi, pkg) to pack in wpk."
+    echo "    -c,   --checksum             [Optional] Whether Generate checksum or not."
+    echo "    --aws-wpk-key                [Optional] AWS Secrets manager Name/ARN to get WPK private key."
+    echo "    --aws-wpk-cert               [Optional] AWS secrets manager Name/ARN to get WPK certificate."
+    echo "    --aws-wpk-key-region         [Optional] AWS Region where secrets are stored."
+    echo "    -h,   --help                 Show this help."
+    echo
+    exit ${1}
+}
+
+main() {
+    while [ -n "${1}" ]
+    do
+        case "${1}" in
+        "-b"|"--branch")
+            if [ -n "${2}" ]; then
+                REFERENCE="${2}"
+                shift 2
+            else
+                echo "ERROR: Missing branch."
+                help 1
+            fi
+            ;;
+        "-o"|"--output")
+            if [ -n "${2}" ]; then
+                OUT_NAME="${2}"
+                shift 2
+            else
+                echo "ERROR: Missing output name."
+                help 1
+            fi
+            ;;
+        "-pn"|"--package-name")
+            if [ -n "${2}" ]; then
+                PKG_NAME="${2}"
+                if [ "${PKG_NAME: -4}" == ".msi" ]; then
+                    HAVE_PKG_NAME_WIN=true
+                elif [ "${PKG_NAME: -4}" == ".pkg" ]; then
+                    HAVE_PKG_NAME_MAC=true
+                elif [ "${PKG_NAME: -4}" == ".rpm" ]; then
+                    HAVE_PKG_NAME_LINUX=true
+                elif [ "${PKG_NAME: -4}" == ".deb" ]; then
+                    HAVE_PKG_NAME_LINUX=true
+                elif [ "${PKG_NAME: -4}" == ".apk" ]; then
+                    HAVE_PKG_NAME_LINUX=true
+                else
+                    echo "ERROR: missing package file."
+                    help 1
+                fi
+                shift 2
+            fi
+            ;;
+        "-c"|"--checksum")
+            CHECKSUM="yes"
+            shift 1
+            ;;
+        "--aws-wpk-key")
+            if [ -n "${2}" ]; then
+                AWS_WPK_KEY="${2}"
+                shift 2
+            fi
+            ;;
+        "--aws-wpk-cert")
+            if [ -n "${2}" ]; then
+                AWS_WPK_CERT="${2}"
+                shift 2
+            fi
+            ;;
+        "--aws-wpk-key-region")
+            if [ -n "${2}" ]; then
+                AWS_REGION="${2}"
+                shift 2
+            fi
+          ;;
+        "-h"|"--help")
+            help 0
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    if [ -n "${AWS_WPK_CERT}" ] && [ -n "${AWS_WPK_KEY}" ]; then
+        mkdir -p ${KEYPATH}
+        aws --region=${AWS_REGION} secretsmanager get-secret-value --secret-id ${AWS_WPK_CERT} | jq . > wpkcert.pem.json
+        jq .SecretString wpkcert.pem.json | tr -d '"' | sed 's|\\n|\n|g' > ${WPKCERT}
+        rm -f wpkcert.pem.json
+        aws --region=${AWS_REGION} secretsmanager get-secret-value --secret-id ${AWS_WPK_KEY} | jq . > wpkcert.key.json
+        jq .SecretString wpkcert.key.json | tr -d '"' | sed 's|\\n|\n|g' > ${WPKKEY}
+        rm -f wpkcert.key.json
+    fi
+
+    # Get Wazuh
+    curl -sL ${REPOSITORY}/tarball/${REFERENCE} | tar zx
+    cd ${DIRECTORY}
+
+    # Create package
+    if [ -z "${OUTPUT}" ]
+    then
+        OUTPUT="${OUTDIR}/${OUT_NAME}"
+        mkdir -p ${OUTDIR}
+    fi
+
+    # Compress and sign package
+    if [ "${HAVE_PKG_NAME_WIN}" == true ]; then
+        CURRENT_DIR=$(pwd)
+        echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1"
+        cd ${OUTDIR}
+        cp ${CURRENT_DIR}/src/win32/{upgrade.bat,do_upgrade.ps1} .
+        cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
+        wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1
+        rm -f upgrade.bat do_upgrade.ps1 ${PKG_NAME}
+    elif [ "${HAVE_PKG_NAME_MAC}" == true ] || [ "${HAVE_PKG_NAME_LINUX}" == true ]; then
+        CURRENT_DIR=$(pwd)
+        echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer.sh"
+        cd ${OUTDIR}
+        cp ${CURRENT_DIR}/src/init/pkg_installer.sh .
+        cp ${CURRENT_DIR}/upgrade.sh .
+        cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
+        wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer.sh
+        rm -f upgrade.sh pkg_installer.sh ${PKG_NAME}
+    else
+        echo "ERROR: a package (MSI/PKG/RPM/DEB) is needed to build the WPK"
+        help 1
+    fi
+
+    echo "PACKED FILE -> ${OUTPUT}"
+    cd ${OUTDIR}
+
+    if [[ ${CHECKSUM} == "yes" ]]; then
+        mkdir -p ${CHECKSUMDIR}
+        sha512sum "${OUT_NAME}" > "${CHECKSUMDIR}/${OUT_NAME}.sha512"
+    fi
+}
+
+if [ "${BASH_SOURCE[0]}" = "${0}" ]
+then
+    main "$@"
+fi
diff --git a/packages/wpk/wpkpack.py b/packages/wpk/wpkpack.py
new file mode 100755
index 0000000000..8ae6a90021
--- /dev/null
+++ b/packages/wpk/wpkpack.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+
+# Tool to build and compress the WPK package
+# Wazuh package generator
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+from io import SEEK_SET, SEEK_END
+from sys import argv, stderr, exit
+from tempfile import mkstemp
+from os import listdir, remove, close
+from os.path import isfile, isdir
+import gzip
+from shutil import copyfileobj
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding, utils
+from cryptography.hazmat.primitives import serialization, hashes
+
+MAGIC = b'WPK256\0'
+HASH = hashes.SHA256()
+PADDING = padding.PKCS1v15()
+BUFLEN = 4096
+
+
+def mergecreate(path, tag = None):
+    with open(path, 'w') as f:
+        if tag:
+            f.write('#{0}\n'.format(tag))
+
+
+def mergeappend(merged, sources):
+    with open(merged, 'ab') as f:
+        for s in sources:
+            _mergeappend(f, s)
+
+def _mergeappend(fm, source):
+    if isfile(source):
+        with open(source, 'rb') as fs:
+            fs.seek(0, SEEK_END)
+            size = fs.tell()
+            fs.seek(0, SEEK_SET)
+            fm.write('!{0} {1}\n'.format(size, source).encode())
+            copyfileobj(fs, fm)
+    elif isdir(source):
+        for d in listdir(source):
+            _mergeappend(fm, '{0}/{1}'.format(source, d))
+    else:
+        raise Exception
+
+
+def compress(source, target):
+    with open(source, 'rb') as fin:
+        with gzip.open(target, 'wb') as fout:
+            copyfileobj(fin, fout)
+
+
+def sign(source_path, target_path, cert_path, priv_path):
+    hasher = hashes.Hash(HASH, default_backend())
+
+    with open(priv_path, 'rb') as fkey:
+        key = serialization.load_pem_private_key(fkey.read(), password=None, backend=default_backend())
+
+    with open(source_path, 'rb') as filein:
+        buf = filein.read(BUFLEN)
+
+        while buf:
+            hasher.update(buf)
+            buf = filein.read(BUFLEN)
+
+        digest = hasher.finalize()
+        signature = key.sign(digest, PADDING, utils.Prehashed(HASH))
+
+        with open(target_path, 'wb') as fileout:
+            fileout.write(MAGIC)
+
+            with open(cert_path, 'rb') as filecert:
+                copyfileobj(filecert, fileout)
+
+            fileout.write(b'\0' + signature)
+            filein.seek(0, SEEK_SET)
+            copyfileobj(filein, fileout)
+
+
+if __name__ == '__main__':
+    if len(argv) < 4:
+        stderr.write('Syntax: {0} <pack> <cert> <key> <content> [ <content> ... ]\n'.format(argv[0]))
+        exit(1)
+
+    pack = argv[1]
+    fd, merged = mkstemp()
+    close(fd)
+
+    try:
+        mergecreate(merged, pack)
+        mergeappend(merged, argv[4:])
+    except Exception as error:
+        remove(merged)
+        raise error
+
+    fd, zipped = mkstemp()
+    close(fd)
+    compress(merged, zipped)
+    remove(merged)
+
+    try:
+        sign(zipped, pack, argv[2], argv[3])
+    finally:
+        remove(zipped)
diff --git a/src/Doxyfile b/src/Doxyfile
new file mode 100644
index 0000000000..1f8ba83c10
--- /dev/null
+++ b/src/Doxyfile
@@ -0,0 +1,2427 @@
+# Doxyfile 1.8.13
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project.
+#
+# All text after a double hash (##) is considered a comment and is placed in
+# front of the TAG it is preceding.
+#
+# All text after a single hash (#) is considered a comment and will be ignored.
+# The format is:
+# TAG = value [value, ...]
+# For lists, items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (\" \").
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all text
+# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv
+# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv
+# for the list of possible encodings.
+# The default value is: UTF-8.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
+# double-quotes, unless you are using Doxywizard) that should identify the
+# project for which the documentation is generated. This name is used in the
+# title of most generated pages and in a few other places.
+# The default value is: My Project.
+
+PROJECT_NAME           = "WAZUH"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
+# could be handy for archiving the generated documentation or if some version
+# control system is used.
+
+PROJECT_NUMBER         = "v5.0.0-50000"
+
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer a
+# quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          = "Source code documentation"
+
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
+
+PROJECT_LOGO           =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
+# into which the generated documentation will be written. If a relative path is
+# entered, it will be relative to the location where doxygen was started. If
+# left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       =
+
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# directories (in 2 levels) under the output directory of each output format and
+# will distribute the generated files over these directories. Enabling this
+# option can be useful when feeding doxygen a huge amount of source files, where
+# putting all generated files in the same directory would otherwise causes
+# performance problems for the file system.
+# The default value is: NO.
+
+CREATE_SUBDIRS         = NO
+
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES    = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
+# The default value is: English.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
+# descriptions after the members that are listed in the file and class
+# documentation (similar to Javadoc). Set to NO to disable this.
+# The default value is: YES.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
+# description of a member or function before the detailed description
+#
+# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+# The default value is: YES.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator that is
+# used to form the text in various listings. Each string in this list, if found
+# as the leading text of the brief description, will be stripped from the text
+# and the result, after processing the whole list, is used as the annotated
+# text. Otherwise, the brief description is used as-is. If left blank, the
+# following values are used ($name is automatically replaced with the name of
+# the entity):The $name class, The $name widget, The $name file, is, provides,
+# specifies, contains, represents, a, an and the.
+
+ABBREVIATE_BRIEF       = "The $name class" \
+                         "The $name widget" \
+                         "The $name file" \
+                         is \
+                         provides \
+                         specifies \
+                         contains \
+                         represents \
+                         a \
+                         an \
+                         the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# doxygen will generate a detailed section even if there is only a brief
+# description.
+# The default value is: NO.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+# The default value is: NO.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
+# before files name in the file list and in the header files. If set to NO the
+# shortest path that makes the file name unique will be used
+# The default value is: YES.
+
+FULL_PATH_NAMES        = YES
+
+# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
+# Stripping is only done if one of the specified strings matches the left-hand
+# part of the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the path to
+# strip.
+#
+# Note that you can specify absolute paths here, but also relative paths, which
+# will be relative from the directory where doxygen is started.
+# This tag requires that the tag FULL_PATH_NAMES is set to YES.
+
+STRIP_FROM_PATH        =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
+# path mentioned in the documentation of a class, which tells the reader which
+# header file to include in order to use a class. If left blank only the name of
+# the header file containing the class definition is used. Otherwise one should
+# specify the list of include paths that are normally passed to the compiler
+# using the -I flag.
+
+STRIP_FROM_INC_PATH    =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
+# less readable) file names. This can be useful is your file systems doesn't
+# support long names like on DOS, Mac, or CD-ROM.
+# The default value is: NO.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
+# first line (until the first dot) of a Javadoc-style comment as the brief
+# description. If set to NO, the Javadoc-style will behave just like regular Qt-
+# style comments (thus requiring an explicit @brief command for a brief
+# description.)
+# The default value is: NO.
+
+JAVADOC_AUTOBRIEF      = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
+# line (until the first dot) of a Qt-style comment as the brief description. If
+# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
+# requiring an explicit \brief command for a brief description.)
+# The default value is: NO.
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
+# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
+# a brief description. This used to be the default behavior. The new default is
+# to treat a multi-line C++ comment block as a detailed description. Set this
+# tag to YES if you prefer the old behavior instead.
+#
+# Note that setting this tag to YES also means that rational rose comments are
+# not recognized any more.
+# The default value is: NO.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
+# documentation from any documented member that it re-implements.
+# The default value is: YES.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
+# The default value is: NO.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
+# uses this value to replace tabs by spaces in code fragments.
+# Minimum value: 1, maximum value: 16, default value: 4.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that act as commands in
+# the documentation. An alias has the form:
+# name=value
+# For example adding
+# "sideeffect=@par Side Effects:\n"
+# will allow you to put the command \sideeffect (or @sideeffect) in the
+# documentation, which will result in a user-defined paragraph with heading
+# "Side Effects:". You can put \n's in the value part of an alias to insert
+# newlines.
+
+ALIASES                =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
+# only. Doxygen will then generate output that is more tailored for C. For
+# instance, some of the names that are used will be different. The list of all
+# members will be omitted, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
+# Python sources only. Doxygen will then generate output that is more tailored
+# for that language. For instance, namespaces will be presented as packages,
+# qualified scopes will look different, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources. Doxygen will then generate output that is tailored for Fortran.
+# The default value is: NO.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for VHDL.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given
+# extension. Doxygen has a built-in mapping, but you can override or extend it
+# using this tag. The format is ext=language, where ext is a file extension, and
+# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
+#
+# Note: For files without extension you can use no_extension as a placeholder.
+#
+# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
+# the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
+# according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you can
+# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
+# case of backward compatibilities issues.
+# The default value is: YES.
+
+MARKDOWN_SUPPORT       = YES
+
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS   = 0
+
+# When enabled doxygen tries to link words that correspond to documented
+# classes, or namespaces to their corresponding documentation. Such a link can
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
+# The default value is: YES.
+
+AUTOLINK_SUPPORT       = YES
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should set this
+# tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string);
+# versus func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+# The default value is: NO.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+# The default value is: NO.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
+# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
+# will parse them like normal C++ but will assume all classes use public instead
+# of private inheritance when no explicit protection keyword is present.
+# The default value is: NO.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate
+# getter and setter methods for a property. Setting this option to YES will make
+# doxygen to replace the get and set methods by a property in the documentation.
+# This will only work if the methods are indeed getting or setting a simple
+# type. If this is not the case, or you want to show the methods anyway, you
+# should set this option to NO.
+# The default value is: YES.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+# The default value is: NO.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
+# Set the SUBGROUPING tag to YES to allow class member groups of the same type
+# (for instance a group of public functions) to be put as a subgroup of that
+# type (e.g. under the Public Functions section). Set it to NO to prevent
+# subgrouping. Alternatively, this can be done per class using the
+# \nosubgrouping command.
+# The default value is: YES.
+
+SUBGROUPING            = YES
+
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
+# are shown inside the group in which they are included (e.g. using \ingroup)
+# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
+# and RTF).
+#
+# Note that this feature does not work in combination with
+# SEPARATE_MEMBER_PAGES.
+# The default value is: NO.
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
+# with only public data fields or simple typedef fields will be shown inline in
+# the documentation of the scope in which they are defined (i.e. file,
+# namespace, or group documentation), provided this scope is documented. If set
+# to NO, structs, classes, and unions are shown on a separate page (for HTML and
+# Man pages) or section (for LaTeX and RTF).
+# The default value is: NO.
+
+INLINE_SIMPLE_STRUCTS  = NO
+
+# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
+# enum is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically be
+# useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+# The default value is: NO.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
+# cache is used to resolve symbols given their name and scope. Since this can be
+# an expensive process and often the same symbol appears multiple times in the
+# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
+# doxygen will become slower. If the cache is too large, memory is wasted. The
+# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
+# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
+# symbols. At the end of a run doxygen will report the cache usage and suggest
+# the optimal cache size from a speed point of view.
+# Minimum value: 0, maximum value: 9, default value: 0.
+
+LOOKUP_CACHE_SIZE      = 0
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PACKAGE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
+
+EXTRACT_STATIC         = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. If set to YES, local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
+# included.
+# The default value is: NO.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
+# (class|struct|union) declarations. If set to NO, these declarations will be
+# included in the documentation.
+# The default value is: NO.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO, these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
+# names in lower-case letters. If set to YES, upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+# The default value is: system dependent.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES, the
+# scope will be hidden.
+# The default value is: NO.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
+
+FORCE_LOCAL_INCLUDES   = NO
+
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order.
+# The default value is: YES.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
+
+STRICT_PROTO_MATCHING  = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if <section_label> ... \endif and \cond <section_label>
+# ... \endcond blocks.
+
+ENABLED_SECTIONS       =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
+# The default value is: YES.
+
+SHOW_USED_FILES        = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
+
+SHOW_FILES             = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
+
+FILE_VERSION_FILTER    =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file.
+#
+# Note that if you run doxygen from a directory containing a file called
+# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. See also \cite for info how to create references.
+
+CITE_BIB_FILES         =
+
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
+
+WARNINGS               = YES
+
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some parameters
+# in a documented function, or documenting parameters that don't exist or using
+# markup commands wrongly.
+# The default value is: YES.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
+# The default value is: NO.
+
+WARN_NO_PARAMDOC       = YES
+
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR          = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# The default value is: $file:$line: $text.
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr).
+
+WARN_LOGFILE           =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
+# Note: If this tag is empty the current directory is searched.
+
+INPUT                  =
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see: http://www.gnu.org/software/libiconv) for the list of
+# possible encodings.
+# The default value is: UTF-8.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
+
+FILE_PATTERNS          = *.c \
+                         *.h \
+                         *.cpp \
+                         *.hpp
+
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
+
+RECURSIVE              = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE                = external \
+                         tests
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+# The default value is: NO.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories use the pattern */test/*
+
+EXCLUDE_SYMBOLS        =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
+
+EXAMPLE_PATH           =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
+
+EXAMPLE_PATTERNS       = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
+
+IMAGE_PATH             =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command:
+#
+# <filter> <input-file>
+#
+# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+INPUT_FILTER           =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+FILTER_PATTERNS        =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
+
+FILTER_SOURCE_FILES    = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# classes and enums directly into the documentation.
+# The default value is: NO.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# function all documented functions referencing it will be listed.
+# The default value is: NO.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS        = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see http://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
+
+VERBATIM_HEADERS       = YES
+
+# If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the
+# clang parser (see: http://clang.llvm.org/) for more accurate parsing at the
+# cost of reduced performance. This can be particularly helpful with template
+# rich C++ code for which doxygen's built-in parser lacks the necessary type
+# information.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse-libclang=ON option for CMake.
+# The default value is: NO.
+
+CLANG_ASSISTED_PARSING = NO
+
+# If clang assisted parsing is enabled you can provide the compiler with command
+# line options that you would normally use when invoking the compiler. Note that
+# the include paths will already be set by doxygen for the files and directories
+# specified with INPUT and INCLUDE_PATH.
+# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
+
+CLANG_OPTIONS          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
+
+ALPHABETICAL_INDEX     = YES
+
+# In case all classes in a project start with a common prefix, all classes will
+# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
+# can be used to specify a prefix (or a list of prefixes) that should be ignored
+# while generating the index headers.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+IGNORE_PREFIX          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
+# The default value is: YES.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_OUTPUT            = documentation
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
+# generated HTML page (for example: .htm, .php, .asp).
+# The default value is: .html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
+# each generated HTML page. If the tag is left blank doxygen will generate a
+# standard header.
+#
+# To get valid HTML the header file that includes any scripts and style sheets
+# that doxygen needs, which is dependent on the configuration options used (e.g.
+# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
+# default header using
+# doxygen -w html new_header.html new_footer.html new_stylesheet.css
+# YourConfigFile
+# and then modify the file new_header.html. See also section "Doxygen usage"
+# for information on how to generate the default header that doxygen normally
+# uses.
+# Note: The header is subject to change so you typically have to regenerate the
+# default header when upgrading to a newer version of doxygen. For a description
+# of the possible markers and block names see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_HEADER            =
+
+# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
+# generated HTML page. If the tag is left blank doxygen will generate a standard
+# footer. See HTML_HEADER for more information on how to generate a default
+# footer and what special commands can be used inside the footer. See also
+# section "Doxygen usage" for information on how to generate the default footer
+# that doxygen normally uses.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FOOTER            =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
+# sheet that is used by each HTML page. It can be used to fine-tune the look of
+# the HTML output. If left blank doxygen will generate a default style sheet.
+# See also section "Doxygen usage" for information on how to generate the style
+# sheet that doxygen normally uses.
+# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
+# it is more robust and this tag (HTML_STYLESHEET) will in the future become
+# obsolete.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_STYLESHEET        =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
+# created by doxygen. Using this option one can overrule certain style aspects.
+# This is preferred over using HTML_STYLESHEET since it does not replace the
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_STYLESHEET  =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
+# files will be copied as-is; there are no commands or markers available.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_FILES       =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
+# will adjust the colors in the style sheet and background images according to
+# this color. Hue is specified as an angle on a colorwheel, see
+# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
+# purple, and 360 is red again.
+# Minimum value: 0, maximum value: 359, default value: 220.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
+# in the HTML output. For a value of 0 the output will use grayscales only. A
+# value of 255 will produce the most vivid colors.
+# Minimum value: 0, maximum value: 255, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
+# luminance component of the colors in the HTML output. Values below 100
+# gradually make the output lighter, whereas values above 100 make the output
+# darker. The value divided by 100 is the actual gamma applied, so 80 represents
+# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
+# change the gamma.
+# Minimum value: 40, maximum value: 240, default value: 80.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting this
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_TIMESTAMP         = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
+# shown in the various tree structured indices initially; the user can expand
+# and collapse entries dynamically later on. Doxygen will expand the tree to
+# such a level that at most the specified number of entries are visible (unless
+# a fully collapsed tree already exceeds this amount). So setting the number of
+# entries 1 will produce a full collapsed tree by default. 0 is a special value
+# representing an infinite number of entries and will result in a full expanded
+# tree by default.
+# Minimum value: 0, maximum value: 9999, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files will be
+# generated that can be used as input for Apple's Xcode 3 integrated development
+# environment (see: http://developer.apple.com/tools/xcode/), introduced with
+# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
+# Makefile in the HTML output directory. Running make will produce the docset in
+# that directory and running make install will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
+# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_DOCSET        = NO
+
+# This tag determines the name of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# The default value is: Doxygen generated docs.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# This tag specifies a string that should uniquely identify the documentation
+# set bundle. This should be a reverse domain-name style string, e.g.
+# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
+# The default value is: org.doxygen.Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
+# The default value is: Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
+# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
+# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
+# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
+# Windows.
+#
+# The HTML Help Workshop contains a compiler that can convert all HTML output
+# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
+# files are now used as the Windows 98 help format, and will replace the old
+# Windows help format (.hlp) on all Windows platforms in the future. Compressed
+# HTML files also contain an index, a table of contents, and you can search for
+# words in the documentation. The HTML workshop also contains a viewer for
+# compressed HTML files.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_HTMLHELP      = NO
+
+# The CHM_FILE tag can be used to specify the file name of the resulting .chm
+# file. You can add a path in front of the file if the result should not be
+# written to the html output directory.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_FILE               =
+
+# The HHC_LOCATION tag can be used to specify the location (absolute path
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
+# doxygen will try to run the HTML help compiler on the generated index.hhp.
+# The file has to be specified with full path.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+HHC_LOCATION           =
+
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+GENERATE_CHI           = NO
+
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
+# and project file content.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_INDEX_ENCODING     =
+
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members to
+# the table of contents of the HTML help documentation and to the tree view.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+TOC_EXPAND             = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
+# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
+# (.qch) of the generated HTML documentation.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_QHP           = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
+# the file name of the resulting .qch file. The path specified is relative to
+# the HTML output folder.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
+# Project output. For more information please see Qt Help Project / Namespace
+# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
+# Help Project output. For more information please see Qt Help Project / Virtual
+# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
+# folders).
+# The default value is: doc.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
+# filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's filter section matches. Qt Help Project / Filter Attributes (see:
+# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# The QHG_LOCATION tag can be used to specify the location of Qt's
+# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
+# generated .qhp file.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
+# generated, together with the HTML files, they form an Eclipse help plugin. To
+# install this plugin and make it available under the help contents menu in
+# Eclipse, the contents of the directory containing the HTML and XML files needs
+# to be copied into the plugins directory of eclipse. The name of the directory
+# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
+# After copying Eclipse needs to be restarted before the help appears.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the Eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have this
+# name. Each documentation set should have its own identifier.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# If you want full control over the layout of the generated HTML pages it might
+# be necessary to disable the index and replace it with your own. The
+# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
+# of each HTML page. A value of NO enables the index and the value YES disables
+# it. Since the tabs in the index contain the same information as the navigation
+# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+DISABLE_INDEX          = YES
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information. If the tag
+# value is set to YES, a side panel will be generated containing a tree-like
+# index structure (just like the one that is generated for HTML Help). For this
+# to work a browser that supports JavaScript, DHTML, CSS and frames is required
+# (i.e. any modern browser). Windows users are probably better off using the
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
+# further fine-tune the look of the index. As an example, the default style
+# sheet generated by doxygen has an example that shows how to put an image at
+# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
+# the same information as the tab index, you could consider setting
+# DISABLE_INDEX to YES when enabling this option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_TREEVIEW      = YES
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
+# doxygen will group on one line in the generated HTML documentation.
+#
+# Note that a value of 0 will completely suppress the enum values from appearing
+# in the overview section.
+# Minimum value: 0, maximum value: 20, default value: 4.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
+# to set the initial width (in pixels) of the frame in which the tree is shown.
+# Minimum value: 0, maximum value: 1500, default value: 250.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+TREEVIEW_WIDTH         = 250
+
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
+# external symbols imported via tag files in a separate window.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+EXT_LINKS_IN_WINDOW    = NO
+
+# Use this tag to change the font size of LaTeX formulas included as images in
+# the HTML documentation. When you change the font size after a successful
+# doxygen run you need to manually remove any form_*.png images from the HTML
+# output directory to force them to be regenerated.
+# Minimum value: 8, maximum value: 50, default value: 10.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_FONTSIZE       = 10
+
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are not
+# supported properly for IE 6.0, but are supported on all modern browsers.
+#
+# Note that when changing this option you need to delete any form_*.png files in
+# the HTML output directory before the changes have effect.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
+# http://www.mathjax.org) which uses client side Javascript for the rendering
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
+# installed or if you want to formulas look prettier in the HTML output. When
+# enabled you may also need to install MathJax separately and configure the path
+# to it using the MATHJAX_RELPATH option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you can set the default output format to be used for
+# the MathJax output. See the MathJax site (see:
+# http://docs.mathjax.org/en/latest/output.html) for more details.
+# Possible values are: HTML-CSS (which is slower, but has the best
+# compatibility), NativeMML (i.e. MathML) and SVG.
+# The default value is: HTML-CSS.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_FORMAT         = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the HTML
+# output directory using the MATHJAX_RELPATH option. The destination directory
+# should contain the MathJax.js script. For instance, if the mathjax directory
+# is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
+# Content Delivery Network so you can quickly see the result without installing
+# MathJax. However, it is strongly recommended to install a local copy of
+# MathJax from http://www.mathjax.org before deployment.
+# The default value is: http://cdn.mathjax.org/mathjax/latest.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
+# extension names that should be enabled during MathJax rendering. For example
+# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_EXTENSIONS     =
+
+# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
+# of code that will be used on startup of the MathJax code. See the MathJax site
+# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
+# example see the documentation.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_CODEFILE       =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
+# the HTML output. The underlying search engine uses javascript and DHTML and
+# should work on any modern browser. Note that when using HTML help
+# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
+# there is already a search function so this one should typically be disabled.
+# For large projects the javascript based search engine can be slow, then
+# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
+# search using the keyboard; to jump to the search box use <access key> + S
+# (what the <access key> is depends on the OS and browser, but it is typically
+# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
+# key> to jump into the search results window, the results can be navigated
+# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
+# the search. The filter options can be selected when the cursor is inside the
+# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
+# to select a filter and <Enter> or <escape> to activate or cancel the filter
+# option.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+SEARCHENGINE           = YES
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a web server instead of a web client using Javascript. There
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SERVER_BASED_SEARCH    = NO
+
+# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
+# search results.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/).
+#
+# See the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH        = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will return the search results when EXTERNAL_SEARCH is enabled.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/). See the section "External Indexing and
+# Searching" for details.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHENGINE_URL       =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+# The default file is: searchdata.xml.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHDATA_FILE        = searchdata.xml
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
+# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
+# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
+# projects and redirect the results back to the right project.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH_ID     =
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
+# projects other than the one defined by this configuration file, but that are
+# all added to the same external search index. Each project needs to have a
+# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id of
+# to a relative location where the documentation can be found. The format is:
+# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTRA_SEARCH_MAPPINGS  =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
+# The default value is: YES.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked.
+#
+# Note that when enabling USE_PDFLATEX this option is only used for generating
+# bitmaps for formulas in the HTML output, but not in the Makefile that is
+# written to the output directory.
+# The default file is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
+# index for LaTeX.
+# The default file is: makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used by the
+# printer.
+# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
+# 14 inches) and executive (7.25 x 10.5 inches).
+# The default value is: a4.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PAPER_TYPE             = a4
+
+# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
+# If left blank no extra packages will be included.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+EXTRA_PACKAGES         =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
+# generated LaTeX document. The header should contain everything until the first
+# chapter. If it is left blank doxygen will generate a standard header. See
+# section "Doxygen usage" for information on how to let doxygen write the
+# default header to a separate file.
+#
+# Note: Only use a user-defined header if you know what you are doing! The
+# following commands have a special meaning inside the header: $title,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HEADER           =
+
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
+# generated LaTeX document. The footer should contain everything after the last
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
+#
+# Note: Only use a user-defined footer if you know what you are doing!
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_FOOTER           =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
+
+# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the LATEX_OUTPUT output
+# directory. Note that the files will be copied as-is; there are no commands or
+# markers available.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_FILES      =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
+# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
+# contain links (just like the HTML output) instead of page references. This
+# makes the output suitable for online browsing using a PDF viewer.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
+# higher quality PDF documentation.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
+# command to the generated LaTeX files. This will instruct LaTeX to keep running
+# if errors occur, instead of asking the user for help. This option is also used
+# when generating formulas in HTML.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BATCHMODE        = NO
+
+# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
+# index chapters (such as File Index, Compound Index, etc.) in the output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HIDE_INDICES     = NO
+
+# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
+# code with syntax highlighting in the LaTeX output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. See
+# http://en.wikipedia.org/wiki/BibTeX and \cite for more info.
+# The default value is: plain.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BIB_STYLE        = plain
+
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
+# RTF output is optimized for Word 97 and may not look too pretty with other RTF
+# readers/editors.
+# The default value is: NO.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: rtf.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
+# contain hyperlink fields. The RTF file will contain links (just like the HTML
+# output) instead of page references. This makes the output suitable for online
+# browsing using Word or some other Word compatible readers that support those
+# fields.
+#
+# Note: WordPad (write) and others do not support links.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's config
+# file, i.e. a series of assignments. You only have to provide replacements,
+# missing definitions are set to their default value.
+#
+# See also section "Doxygen usage" for information on how to generate the
+# default style sheet that doxygen normally uses.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_STYLESHEET_FILE    =
+
+# Set optional variables used in the generation of an RTF document. Syntax is
+# similar to doxygen's config file. A template extensions file can be generated
+# using doxygen -e rtf extensionFile.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_EXTENSIONS_FILE    =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
+# classes and files.
+# The default value is: NO.
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it. A directory man3 will be created inside the directory specified by
+# MAN_OUTPUT.
+# The default directory is: man.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to the generated
+# man pages. In case the manual section does not start with a number, the number
+# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
+# optional.
+# The default value is: .3.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_EXTENSION          = .3
+
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR             =
+
+# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
+# will generate one additional man file for each entity documented in the real
+# man page(s). These additional files only source the real man page, but without
+# them the man command would be unable to find the correct page.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
+# captures the structure of the code including all documentation.
+# The default value is: NO.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: xml.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_OUTPUT             = xml
+
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
+# listings (including syntax highlighting and cross-referencing information) to
+# the XML output. Note that enabling this will significantly increase the size
+# of the XML output.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
+# that can be used to generate PDF.
+# The default value is: NO.
+
+GENERATE_DOCBOOK       = NO
+
+# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
+# front of it.
+# The default directory is: docbook.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_OUTPUT         = docbook
+
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
+# file that captures the structure of the code including all documentation.
+#
+# Note that this feature is still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
+# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
+# output from the Perl module output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
+# formatted so it can be parsed by a human reader. This is useful if you want to
+# understand what is going on. On the other hand, if this tag is set to NO, the
+# size of the Perl module output will be much smaller and Perl will parse it
+# just the same.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file are
+# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
+# so different doxyrules.make files included by the same Makefile don't
+# overwrite each other's variables.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
+# C-preprocessor directives found in the sources and include files.
+# The default value is: YES.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+MACRO_EXPANSION        = YES
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
+# INCLUDE_PATH will be searched if a #include is found.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by the
+# preprocessor.
+# This tag requires that the tag SEARCH_INCLUDES is set to YES.
+
+INCLUDE_PATH           =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will be
+# used.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+INCLUDE_FILE_PATTERNS  =
+
+# The PREDEFINED tag can be used to specify one or more macro names that are
+# defined before the preprocessor is started (similar to the -D option of e.g.
+# gcc). The argument of the tag is a list of macros of the form: name or
+# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
+# is assumed. To prevent a macro definition from being undefined via #undef or
+# recursively expanded use the := operator instead of the = operator.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+PREDEFINED             = "ENABLE_AUDIT"
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_AS_DEFINED      =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
+# removed.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES tag can be used to specify one or more tag files. For each tag
+# file the location of the external documentation should be added. The format of
+# a tag file without this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where loc1 and loc2 can be relative or absolute paths or URLs. See the
+# section "Linking to external documentation" for more information about the use
+# of tag files.
+# Note: Each tag file must have a unique name (where the name does NOT include
+# the path). If a tag file is not located in the directory in which doxygen is
+# run, you must also specify the path to the tagfile here.
+
+TAGFILES               =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
+# tag file that is based on the input files it reads. See section "Linking to
+# external documentation" for more information about the usage of tag files.
+
+GENERATE_TAGFILE       =
+
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
+# The default value is: NO.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
+# listed.
+# The default value is: YES.
+
+EXTERNAL_GROUPS        = YES
+
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
+# the related pages index. If set to NO, only the current project's pages will
+# be listed.
+# The default value is: YES.
+
+EXTERNAL_PAGES         = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
+# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
+# NO turns the diagrams off. Note that this option also works with HAVE_DOT
+# disabled, but it is recommended to install and use dot, since it yields more
+# powerful graphs.
+# The default value is: YES.
+
+CLASS_DIAGRAMS         = YES
+
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES the inheritance and collaboration graphs will hide inheritance
+# and usage relations if the target is undocumented or is not a class.
+# The default value is: YES.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz (see:
+# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
+# Bell Labs. The other options in this section have no effect if this option is
+# set to NO
+# The default value is: YES.
+
+HAVE_DOT               = YES
+
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
+# to run in parallel. When set to 0 doxygen will base this on the number of
+# processors available in the system. You can set it explicitly to a value
+# larger than 0 to get control over the balance between CPU load and processing
+# speed.
+# Minimum value: 0, maximum value: 32, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_NUM_THREADS        = 0
+
+# When you want a differently looking font in the dot files that doxygen
+# generates you can specify the font name using DOT_FONTNAME. You need to make
+# sure dot is able to find the font, which can be done by putting it in a
+# standard location or by setting the DOTFONTPATH environment variable or by
+# setting DOT_FONTPATH to the directory containing the font.
+# The default value is: Helvetica.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTNAME           = Helvetica
+
+# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
+# dot graphs.
+# Minimum value: 4, maximum value: 24, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the default font as specified with
+# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
+# the path where dot can find it using this tag.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTPATH           =
+
+# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
+# each documented class showing the direct and indirect inheritance relations.
+# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
+# graph for each documented class showing the direct and indirect implementation
+# dependencies (inheritance, containment, and class references variables) of the
+# class with other documented classes.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
+# groups, showing the direct groups dependencies.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LOOK               = YES
+
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
+# class node. If there are many fields or methods and many nodes the graph may
+# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
+# number of items for each type to make the size more manageable. Set this to 0
+# for no limit. Note that the threshold may be exceeded by 50% before the limit
+# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
+# but if the number exceeds 15, the total amount of fields shown is limited to
+# 10.
+# Minimum value: 0, maximum value: 100, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LIMIT_NUM_FIELDS   = 50
+
+# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
+# collaboration graphs will show the relations between templates and their
+# instances.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
+# YES then doxygen will generate a graph for each documented file showing the
+# direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDE_GRAPH          = YES
+
+# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
+# set to YES then doxygen will generate a graph for each documented file showing
+# the direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDED_BY_GRAPH      = NO
+
+# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALL_GRAPH             = YES
+
+# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALLER_GRAPH           = YES
+
+# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will graphical
+# hierarchy of all classes instead of a textual one.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
+# dependencies a directory has on other directories in a graphical way. The
+# dependency relations are determined by the #include relations between the
+# files in the directories.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
+# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
+# to make the SVG files visible in IE 9+ (other browsers do not have this
+# requirement).
+# Possible values are: png, png:cairo, png:cairo:cairo, png:cairo:gd, png:gd,
+# png:gd:gd, jpg, jpg:cairo, jpg:cairo:gd, jpg:gd, jpg:gd:gd, gif, gif:cairo,
+# gif:cairo:gd, gif:gd, gif:gd:gd, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
+# The default value is: png.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_IMAGE_FORMAT       = png
+
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+#
+# Note that this requires a modern browser other than Internet Explorer. Tested
+# and working are Firefox, Chrome, Safari, and Opera.
+# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
+# the SVG files visible. Older versions of IE do not have SVG support.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INTERACTIVE_SVG        = NO
+
+# The DOT_PATH tag can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_PATH               =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the \dotfile
+# command).
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOTFILE_DIRS           =
+
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the \mscfile
+# command).
+
+MSCFILE_DIRS           =
+
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH      =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE      =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH  =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
+# that will be shown in the graph. If the number of nodes in a graph becomes
+# larger than this value, doxygen will truncate the graph, which is visualized
+# by representing a node as a red box. Note that doxygen if the number of direct
+# children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
+# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# Minimum value: 0, maximum value: 10000, default value: 50.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
+# generated by dot. A depth value of 3 means that only nodes reachable from the
+# root by following a path via at most 3 edges will be shown. Nodes that lay
+# further from the root node will be omitted. Note that setting this option to 1
+# or 2 may greatly reduce the computation time needed for large code bases. Also
+# note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+# Minimum value: 0, maximum value: 1000, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, because dot on Windows does not seem
+# to support this out of the box.
+#
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10) support
+# this, this feature is disabled by default.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
+# explaining the meaning of the various boxes and arrows in the dot generated
+# graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
+# files that are used to generate the various graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_CLEANUP            = YES
diff --git a/src/modules/active_response/tests/CMakeLists.txt b/src/common/agent_messages_adapter/CMakeLists.txt
similarity index 100%
rename from src/modules/active_response/tests/CMakeLists.txt
rename to src/common/agent_messages_adapter/CMakeLists.txt
diff --git a/src/common/agent_messages_adapter/include/agent_messages_adapter.h b/src/common/agent_messages_adapter/include/agent_messages_adapter.h
new file mode 100644
index 0000000000..62f51c15de
--- /dev/null
+++ b/src/common/agent_messages_adapter/include/agent_messages_adapter.h
@@ -0,0 +1,47 @@
+/*
+ * Utils Agent Messages Adapter
+ * Copyright (C) 2015, Wazuh Inc.
+ * Dec 29, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _AGENT_MESSAGES_HELPER_HPP
+#define _AGENT_MESSAGES_HELPER_HPP
+
+#include "hash_op.h"
+
+/**
+ * @brief Duplicator method for hash table
+ *
+ * @param data
+ * @return void*
+ */
+void *agent_data_hash_duplicator(void* data);
+
+/**
+ * @brief Takes a syscollector delta message and adapts it to a format compatible with the defined flatbuffer schema.
+ *
+ * @param data Agent message.
+ * @param name Name of the agent.
+ * @param id Id of the agent.
+ * @param ip Ip of the agent.
+ * @return char* Returns a string representation of the JSON formatted message. Must be freed by the caller.
+ */
+char* adapt_delta_message(const char* data, const char* name, const char* id, const char* ip, const OSHash *agent_data_hash);
+
+/**
+ * @brief Takes a syscollector synchronization message and adapts it to a format compatible with the defined flatbuffer schema.
+ *
+ * @param data Agent message.
+ * @param name Name of the agent.
+ * @param id Id of the agent.
+ * @param ip Ip of the agent.
+ * @return char* Returns a string representation of the JSON formatted message. Must be freed by the caller.
+ */
+char* adapt_sync_message(const char* data, const char* name, const char* id, const char* ip, const OSHash *agent_data_hash);
+
+#endif // _AGENT_MESSAGES_HELPER_HPP
diff --git a/src/common/agent_messages_adapter/src/agent_messages_adapter.c b/src/common/agent_messages_adapter/src/agent_messages_adapter.c
new file mode 100644
index 0000000000..a7ce273722
--- /dev/null
+++ b/src/common/agent_messages_adapter/src/agent_messages_adapter.c
@@ -0,0 +1,133 @@
+/*
+ * Utils Agent Messages Adapter
+ * Copyright (C) 2015, Wazuh Inc.
+ * Dec 29, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "agent_messages_adapter.h"
+#include "cJSON.h"
+#include "defs.h"
+#include <stdbool.h>
+
+void *agent_data_hash_duplicator(void* data) {
+    return cJSON_Duplicate((cJSON*)data, true);
+}
+
+char* adapt_delta_message(const char* data, const char* name, const char* id, const char* ip, const OSHash *agent_data_hash) {
+    cJSON* j_msg_to_send = NULL;
+    cJSON* j_agent_info = NULL;
+    cJSON* j_msg = NULL;
+    cJSON* j_agent_data = NULL;
+    char* msg_to_send = NULL;
+
+    j_msg = cJSON_Parse(data);
+    if (!j_msg) {
+        return NULL;
+    } else {
+        // Legacy agents prior to 4.2 used a different message format that isn't supported
+        if (cJSON_GetObjectItem(j_msg, "ID") && cJSON_GetObjectItem(j_msg, "timestamp")) {
+            cJSON_Delete(j_msg);
+            return NULL;
+        }
+    }
+
+    j_msg_to_send = cJSON_CreateObject();
+
+    j_agent_info = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(j_agent_info, "agent_id", id);
+    cJSON_AddStringToObject(j_agent_info, "agent_ip", ip);
+    cJSON_AddStringToObject(j_agent_info, "agent_name", name);
+
+    if (NULL != agent_data_hash) {
+        // Getting agent context
+        j_agent_data = OSHash_Get_ex_dup(agent_data_hash, id, agent_data_hash_duplicator);
+        if (cJSON_IsString(cJSON_GetObjectItem(j_agent_data, "version"))) {
+            cJSON_AddItemToObject(j_agent_info, "agent_version", cJSON_DetachItemFromObject(j_agent_data, "version"));
+        }
+        cJSON_Delete(j_agent_data);
+    } else {
+        // A NULL agent_data_hash is received when the helper is executed from the manager side. Syscollector messages are not received by remoted module for agent 000.
+        cJSON_AddItemToObject(j_agent_info, "agent_version", cJSON_CreateString(__ossec_version));
+    }
+
+    cJSON_AddItemToObject(j_msg_to_send, "agent_info", j_agent_info);
+
+    cJSON_AddItemToObject(j_msg_to_send, "data_type", cJSON_DetachItemFromObject(j_msg, "type"));
+
+    cJSON_AddItemToObject(j_msg_to_send, "data", cJSON_DetachItemFromObject(j_msg, "data"));
+    cJSON_AddItemToObject(j_msg_to_send, "operation", cJSON_DetachItemFromObject(j_msg, "operation"));
+
+    msg_to_send = cJSON_PrintUnformatted(j_msg_to_send);
+
+    cJSON_Delete(j_msg_to_send);
+    cJSON_Delete(j_msg);
+
+    return msg_to_send;
+}
+
+char* adapt_sync_message(const char* data, const char* name, const char* id, const char* ip, const OSHash *agent_data_hash) {
+    cJSON* j_msg_to_send = NULL;
+    cJSON* j_agent_info = NULL;
+    cJSON* j_msg = NULL;
+    cJSON* j_data = NULL;
+    cJSON* j_agent_data = NULL;
+    char* msg_to_send = NULL;
+
+    j_msg = cJSON_Parse(data);
+    if (!j_msg) {
+        return NULL;
+    } else {
+        // Legacy agents prior to 4.2 used a different message format that isn't supported
+        if (cJSON_GetObjectItem(j_msg, "ID") && cJSON_GetObjectItem(j_msg, "timestamp")) {
+            cJSON_Delete(j_msg);
+            return NULL;
+        }
+    }
+
+    j_msg_to_send = cJSON_CreateObject();
+
+    j_agent_info = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(j_agent_info, "agent_id", id);
+    cJSON_AddStringToObject(j_agent_info, "agent_ip", ip);
+    cJSON_AddStringToObject(j_agent_info, "agent_name", name);
+
+    if (NULL != agent_data_hash) {
+        // Getting agent context
+        j_agent_data = OSHash_Get_ex_dup(agent_data_hash, id, agent_data_hash_duplicator);
+        if (cJSON_IsString(cJSON_GetObjectItem(j_agent_data, "version"))) {
+                cJSON_AddItemToObject(j_agent_info, "agent_version", cJSON_DetachItemFromObject(j_agent_data, "version"));
+        }
+        cJSON_Delete(j_agent_data);
+    } else {
+        // A NULL agent_data_hash is received when the helper is executed from the manager side. Syscollector messages are not received by remoted module for agent 000.
+        cJSON_AddItemToObject(j_agent_info, "agent_version", cJSON_CreateString(__ossec_version));
+    }
+
+    cJSON_AddItemToObject(j_msg_to_send, "agent_info", j_agent_info);
+
+    cJSON_AddItemToObject(j_msg_to_send, "data_type", cJSON_DetachItemFromObject(j_msg, "type"));
+
+    cJSON* j_data_msg = cJSON_GetObjectItem(j_msg, "data");
+    if (j_data_msg) {
+        j_data = cJSON_CreateObject();
+        cJSON_AddItemToObject(j_data, "attributes_type", cJSON_DetachItemFromObject(j_msg, "component"));
+        for (cJSON* j_item = j_data_msg->child; j_item; j_item = j_item->next) {
+            cJSON_AddItemToObject(j_data, j_item->string, cJSON_Duplicate(cJSON_GetObjectItem(j_data_msg, j_item->string), true));
+        }
+        cJSON_AddItemToObject(j_msg_to_send, "data", j_data);
+    }
+
+    msg_to_send = cJSON_PrintUnformatted(j_msg_to_send);
+
+    cJSON_Delete(j_msg_to_send);
+    cJSON_Delete(j_msg);
+
+    return msg_to_send;
+}
diff --git a/src/modules/aws/tests/CMakeLists.txt b/src/common/atomic/CMakeLists.txt
similarity index 100%
rename from src/modules/aws/tests/CMakeLists.txt
rename to src/common/atomic/CMakeLists.txt
diff --git a/src/common/atomic/include/atomic.h b/src/common/atomic/include/atomic.h
new file mode 100644
index 0000000000..cd52c20c30
--- /dev/null
+++ b/src/common/atomic/include/atomic.h
@@ -0,0 +1,58 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Common API for dealing with atomic operations */
+
+#ifndef ATOMIC_H
+#define ATOMIC_H
+
+#include <pthread.h>
+#include "pthreads_op.h"
+
+#define ATOMIC_INT_INITIALIZER(v) { .data = v, .mutex = PTHREAD_MUTEX_INITIALIZER}
+
+typedef struct atomic_int_s {
+    int data;
+    pthread_mutex_t mutex;
+} atomic_int_t;
+
+/**
+ * @brief Thread safe function to get the the value of an atomic int.
+ *
+ * @param atomic atomic_int_t structure to get the data value.
+ * @return int A copy of the atomic_int value.
+ */
+int atomic_int_get(atomic_int_t *atomic);
+
+/**
+ * @brief Thread safe function to set the value of an atomic int
+ *
+ * @param atomic atomic_int_t structure to be updated.
+ * @param value Integer value that will be used to set the atomic int value.
+ */
+void atomic_int_set(atomic_int_t *atomic, int value);
+
+/**
+ * @brief Thread safe function to increment the value of an atomic int by one.
+ *
+ * @param atomic atomic_int_t structure to be updated.
+ * @return The final value of the atomic int.
+ */
+int atomic_int_inc(atomic_int_t *atomic);
+
+/**
+ * @brief Thread safe function to decrement the value of an atomic int by one.
+ *
+ * @param atomic atomic_int_t structure to be updated.
+ * @return The final value of the atomic int.
+ */
+int atomic_int_dec(atomic_int_t *atomic);
+
+#endif // ATOMIC_H
diff --git a/src/common/atomic/src/atomic.c b/src/common/atomic/src/atomic.c
new file mode 100644
index 0000000000..e70a3d0a58
--- /dev/null
+++ b/src/common/atomic/src/atomic.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 18, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+
+int atomic_int_get(atomic_int_t *atomic) {
+    assert(atomic != NULL);
+
+    int retval = 0;
+
+    w_mutex_lock(&atomic->mutex);
+    retval = atomic->data;
+    w_mutex_unlock(&atomic->mutex);
+
+    return retval;
+}
+
+void atomic_int_set(atomic_int_t *atomic, int value) {
+    assert(atomic != NULL);
+
+    w_mutex_lock(&atomic->mutex);
+    atomic->data = value;
+    w_mutex_unlock(&atomic->mutex);
+}
+
+int atomic_int_inc(atomic_int_t *atomic) {
+    assert(atomic != NULL);
+
+    int retval = 0;
+    w_mutex_lock(&atomic->mutex);
+    atomic->data++;
+    retval = atomic->data;
+    w_mutex_unlock(&atomic->mutex);
+    return retval;
+};
+
+int atomic_int_dec(atomic_int_t *atomic) {
+    assert(atomic != NULL);
+
+    int retval = 0;
+    w_mutex_lock(&atomic->mutex);
+    atomic->data--;
+    retval = atomic->data;
+    w_mutex_unlock(&atomic->mutex);
+    return retval;
+}
diff --git a/src/common/atomic/tests/unit/tests/CMakeLists.txt b/src/common/atomic/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..a495af2d6d
--- /dev/null
+++ b/src/common/atomic/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_atomic")
+
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "-Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_mutex_unlock \
+                                -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "-Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_mutex_unlock")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/atomic/tests/unit/tests/test_atomic.c b/src/common/atomic/tests/unit/tests/test_atomic.c
new file mode 100644
index 0000000000..643804a81e
--- /dev/null
+++ b/src/common/atomic/tests/unit/tests/test_atomic.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#include "../../headers/atomic.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+
+static void test_atomic_int_get(void **state) {
+    atomic_int_t test_variable = ATOMIC_INT_INITIALIZER(1231);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    int ret = atomic_int_get(&test_variable);
+
+    assert_int_equal(ret, 1231);
+}
+
+static void test_atomic_int_set(void **state) {
+    atomic_int_t test_variable = ATOMIC_INT_INITIALIZER(1231);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    atomic_int_set(&test_variable, 2718);
+
+    assert_int_equal(test_variable.data, 2718);
+}
+
+static void test_atomic_int_inc(void **state) {
+    atomic_int_t test_variable = ATOMIC_INT_INITIALIZER(1231);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    int ret = atomic_int_inc(&test_variable);
+
+    assert_int_equal(ret, 1232);
+}
+
+static void test_atomic_int_dec(void **state) {
+    atomic_int_t test_variable = ATOMIC_INT_INITIALIZER(1231);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    int ret = atomic_int_dec(&test_variable);
+
+    assert_int_equal(ret, 1230);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_atomic_int_get),
+        cmocka_unit_test(test_atomic_int_set),
+        cmocka_unit_test(test_atomic_int_inc),
+        cmocka_unit_test(test_atomic_int_dec),
+        };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/atomic/tests/unit/wrappers/atomic_wrappers.c b/src/common/atomic/tests/unit/wrappers/atomic_wrappers.c
new file mode 100644
index 0000000000..1818f1065b
--- /dev/null
+++ b/src/common/atomic/tests/unit/wrappers/atomic_wrappers.c
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "atomic_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_atomic_int_get(atomic_int_t *atomic) {
+    check_expected_ptr(atomic);
+    return mock();
+}
+
+void __wrap_atomic_int_set(atomic_int_t *atomic, __attribute__((unused)) int value) {
+    check_expected_ptr(atomic);
+    atomic->data = mock();
+}
+
+int __wrap_atomic_int_inc(atomic_int_t *atomic) {
+    check_expected_ptr(atomic);
+    return mock();
+}
+
+int __wrap_atomic_int_dec(atomic_int_t *atomic) {
+    check_expected_ptr(atomic);
+    return mock();
+}
diff --git a/src/common/atomic/tests/unit/wrappers/atomic_wrappers.h b/src/common/atomic/tests/unit/wrappers/atomic_wrappers.h
new file mode 100644
index 0000000000..96d6482b3b
--- /dev/null
+++ b/src/common/atomic/tests/unit/wrappers/atomic_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#ifndef ATOMIC_WRAPPERS
+#define ATOMIC_WRAPPERS
+
+#include "../../../../headers/atomic.h"
+
+int __wrap_atomic_int_get(atomic_int_t *atomic);
+
+void __wrap_atomic_int_set(atomic_int_t *atomic, __attribute__((unused)) int value);
+
+int __wrap_atomic_int_inc(atomic_int_t *atomic);
+
+int __wrap_atomic_int_dec(atomic_int_t *atomic);
+
+#endif //ATOMIC_WRAPPERS
diff --git a/src/modules/azure/tests/CMakeLists.txt b/src/common/audit_op/CMakeLists.txt
similarity index 100%
rename from src/modules/azure/tests/CMakeLists.txt
rename to src/common/audit_op/CMakeLists.txt
diff --git a/src/common/audit_op/include/audit_op.h b/src/common/audit_op/include/audit_op.h
new file mode 100644
index 0000000000..65532c8635
--- /dev/null
+++ b/src/common/audit_op/include/audit_op.h
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 18, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef AUDIT_OP_H
+#define AUDIT_OP_H
+
+#ifdef ENABLE_AUDIT
+#include <linux/audit.h>
+#include <libaudit.h>
+#include <private.h>
+
+#define ADD_RULE 1
+#define DELETE_RULE 2
+
+/**
+ * @struct w_audit_rule
+ * @brief Stores the specification of an Audit rule.
+ */
+typedef struct {
+    char *path; ///< Path of the folder.
+    int perm; ///< Permission access type.
+    char *key;  ///< Filter key.
+} w_audit_rule;
+
+
+typedef enum _audit_mode {
+    AUDIT_ERROR = -1,
+    AUDIT_DISABLED,
+    AUDIT_ENABLED,
+    AUDIT_IMMUTABLE
+} audit_mode;
+
+
+/**
+ * @brief Allocate the memory for the rule_list and set it's free function.
+ */
+void init_audit_rule_list();
+
+
+/**
+ * @brief Adds a rule to loaded rules list.
+ *
+ * @param element Struct w_audit_rule to be added.
+ */
+void audit_rules_list_append(w_audit_rule *element);
+
+
+/**
+ * @brief Checks if the audit rule is loaded.
+ *
+ * @param path Path of the folder.
+ * @param perms Permission access type.
+ * @param key Filter key.
+ * @retval -1 If error.
+ * @retval 0 Rule not loaded.
+ * @retval 1 Rule loaded.
+ */
+int search_audit_rule(const char *path, int perms, const char *key);
+
+
+/**
+ * @brief Deallocates the memory used by a rules list.
+ *
+ */
+void audit_rules_list_free();
+
+
+/**
+ * @brief Get loaded rules list from audit kernel. audit_free_list() must be called to free memory used.
+ *
+ * @param fd Audit netlink socket.
+ * @return -1 on error and 1 on success.
+ */
+int audit_get_rule_list(int fd);
+
+
+/**
+ * @brief Read reply from Audit kernel.
+ *
+ * @param fd Audit netlink socket.
+ */
+void kernel_get_reply(int fd);
+
+
+/**
+ * @brief Process audit reply of loaded rules.
+ *
+ * @param rep Pointer to audit_reply struct.
+ * @return 0 on invalid response and 1 on success.
+ */
+int audit_print_reply(struct audit_reply *rep);
+
+
+/**
+ * @brief Converts Audit relative paths into absolute paths.
+ *
+ * @param cwd Current directory.
+ * @param path Relative path of the file.
+ * @return Absolute path.
+ */
+char *audit_clean_path(char *cwd, char *path);
+
+
+/**
+ * @brief Restart Auditd service.
+ *
+ * @return Returns -1 on error and 0 if the service was restarted.
+ */
+int audit_restart(void);
+
+
+/**
+ * @brief Add or delete rules.
+ *
+ * @param action Values `#ADD_RULE` or `#DELETE_RULE`
+ * @param path Path of the folder.
+ * @param permissions Permission access type.
+ * @param key Filter key.
+ * @return The return value is <= 0 on error,
+ *         otherwise it is the netlink sequence id number.
+ */
+int audit_manage_rules(int action, const char *path, int permissions, const char *key);
+
+
+/**
+ * @brief Adds an Audit rule.
+ *
+ * @param path Path of the folder.
+ * @param perms Permission access type.
+ * @param key Filter key.
+ * @return The return value is <= 0 on error,
+ *         otherwise it is the netlink sequence id number.
+ */
+int audit_add_rule(const char *path, int perms, const char *key);
+
+
+/**
+ * @brief Deletes an Audit rule.
+ *
+ * @param path Path of the folder.
+ * @param perms Permission access type.
+ * @param key Filter key.
+ * @return The return value is <= 0 on error,
+ *         otherwise it is the netlink sequence id number.
+ */
+int audit_delete_rule(const char *path, int perms, const char *key);
+
+/**
+ * @brief Function that frees the data memory of a node in the list.
+ *
+ * @param rule Data of a node in a list (OSListNode.data)
+ */
+void clear_audit_rule(w_audit_rule *rule);
+
+#endif /* ENABLE_AUDIT */
+#endif /* AUDIT_OP_H */
diff --git a/src/common/audit_op/src/audit_op.c b/src/common/audit_op/src/audit_op.c
new file mode 100644
index 0000000000..acee5d6e59
--- /dev/null
+++ b/src/common/audit_op/src/audit_op.c
@@ -0,0 +1,352 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 18, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef ENABLE_AUDIT
+
+#include "shared.h"
+#include "audit_op.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#define static
+#endif
+
+#define AUDIT_PERMISSIONS (AUDIT_PERM_EXEC | AUDIT_PERM_WRITE | AUDIT_PERM_READ | AUDIT_PERM_ATTR)
+
+static OSList *audit_rules_list;
+
+// ******* Funtions to operate with list of rules ******* //
+
+void clear_audit_rule(w_audit_rule *rule) {
+    os_free(rule->path);
+    os_free(rule->key);
+    os_free(rule);
+}
+
+
+void init_audit_rule_list() {
+    if (audit_rules_list == NULL) {
+        audit_rules_list = OSList_Create();
+        OSList_SetFreeDataPointer(audit_rules_list, (void (*)(void *))clear_audit_rule);
+    }
+}
+
+
+void audit_rules_list_append(w_audit_rule *element) {
+    if (element == NULL || audit_rules_list == NULL) {
+        return; //LCOV_EXCL_LINE
+    }
+
+    OSList_AddData(audit_rules_list, element);
+}
+
+
+int search_audit_rule(const char *path, int perms, const char *key) {
+    OSListNode *node = NULL;
+    w_audit_rule *rule = NULL;
+    if (path == NULL || key == NULL || audit_rules_list == NULL) {
+        return -1;
+    }
+
+    for (node = OSList_GetFirstNode(audit_rules_list); node != NULL; node = OSList_GetNextNode(audit_rules_list)) {
+        rule = (w_audit_rule *) node->data;
+        if (rule->perm == perms && strcmp(rule->path, path) == 0 && strcmp(rule->key, key) == 0) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+void audit_rules_list_free() {
+    if (audit_rules_list == NULL) {
+        return; //LCOV_EXCL_LINE
+    }
+
+    OSList_CleanNodes(audit_rules_list);
+    os_free(audit_rules_list);
+}
+
+int audit_get_rule_list(int fd) {
+    if (audit_rules_list == NULL) {
+        init_audit_rule_list();
+    }
+
+    OSList_CleanNodes(audit_rules_list);
+
+    int rc = audit_send(fd, AUDIT_LIST_RULES, NULL, 0);
+    if (rc < 0 && rc != -EINVAL) {
+        merror("Error sending rule list data request (%s)",strerror(-rc));
+        return -1;
+    }
+
+    kernel_get_reply(fd);
+    return 1;
+}
+
+
+int audit_print_reply(struct audit_reply *rep) {
+    char *key = NULL;
+    char *path = NULL;
+    int perm = 0;
+    char perms[5] = {0};
+    unsigned int i, offset = 0;
+
+    if (rep->type == AUDIT_LIST_RULES) {
+        for (i = 0; i < rep->ruledata->field_count; i++) {
+            int field = rep->ruledata->fields[i] & ~AUDIT_OPERATORS;
+
+            if (field == AUDIT_DIR || field == AUDIT_WATCH) {
+                free(path);
+                path = strndup(rep->ruledata->buf + offset, rep->ruledata->values[i]);
+                offset += rep->ruledata->values[i];
+            } else if (field == AUDIT_FILTERKEY) {
+                free(key);
+                if (rep->ruledata->values[i]) {
+                    key = strndup(rep->ruledata->buf + offset, rep->ruledata->values[i]); //LCOV_EXCL_LINE
+                    offset += rep->ruledata->values[i]; //LCOV_EXCL_LINE
+                } else {
+                    key = strdup("");
+                }
+            } else if (field == AUDIT_PERM) {
+                int val = perm = rep->ruledata->values[i];
+                perms[0] = 0;
+                if (val & AUDIT_PERM_READ)
+                    strcat(perms, "r");
+                if (val & AUDIT_PERM_WRITE)
+                    strcat(perms, "w");
+                if (val & AUDIT_PERM_EXEC)
+                    strcat(perms, "x");
+                if (val & AUDIT_PERM_ATTR)
+                    strcat(perms, "a");
+            }
+        }
+        if (path && key) {
+            mdebug2("Audit rule loaded: -w %s -p %s -k %s",path, perms, key);
+            if (audit_rules_list) {
+                w_audit_rule *rule;
+                os_calloc(1, sizeof(w_audit_rule), rule);
+
+                rule->path = strdup(path);
+                rule->perm = perm & AUDIT_PERMISSIONS;
+                rule->key = strdup(key);
+                audit_rules_list_append(rule);
+            }
+        }
+
+        free(key);
+        free(path);
+        return 1;
+    }
+    return 0;
+}
+
+
+void kernel_get_reply(int fd) {
+    int i, retval;
+    int timeout = 40;
+    struct audit_reply rep;
+    fd_set read_mask;
+    FD_ZERO(&read_mask);
+    FD_SET(fd, &read_mask);
+
+    for (i = 0; i < timeout; i++) {
+        struct timeval t;
+
+        t.tv_sec  = 0;
+        t.tv_usec = 100000;
+
+        do {
+            retval = select(fd + 1, &read_mask, NULL, NULL, &t);
+        } while (retval < 0 && errno == EINTR);
+
+        retval = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+        if (retval > 0) {
+            if (rep.type == NLMSG_ERROR && rep.error->error == 0) {
+                i = 0;
+                continue;
+            }
+
+            if (retval = audit_print_reply(&rep), retval == 0) {
+                break;
+            } else {
+                i = 0;
+            }
+        }
+    }
+}
+
+
+char *audit_clean_path(char *cwd, char *path) {
+
+    char *file_ptr = path;
+    char *cwd_ptr = strdup(cwd);
+
+    int j, ptr = 0;
+
+    while (file_ptr[ptr] != '\0' && strlen(file_ptr) >= 3) {
+        if (file_ptr[ptr] == '.' && file_ptr[ptr + 1] == '.' && file_ptr[ptr + 2] == '/') {
+            file_ptr += 3;
+            ptr = 0;
+            for(j = strlen(cwd_ptr); cwd_ptr[j] != '/' && j >= 0; j--);
+            cwd_ptr[j] = '\0';
+        } else
+            ptr++;
+    }
+
+    char *full_path;
+    os_malloc(strlen(cwd) + strlen(path) + 2, full_path);
+    snprintf(full_path, strlen(cwd) + strlen(path) + 2, "%s/%s", cwd_ptr, file_ptr);
+
+    free(cwd_ptr);
+
+    return full_path;
+}
+
+
+int audit_restart(void) {
+
+    wfd_t * wfd;
+    int status;
+    char buffer[4096];
+    char *service_path = NULL;
+
+    if (get_binary_path("service", &service_path) < 0) {
+        mdebug1("Binary '%s' not found in default paths, the full path will not be used.", service_path);
+    }
+    char * command[] = { service_path, "auditd", "restart", NULL };
+
+    if (wfd = wpopenv(*command, command, W_BIND_STDERR), !wfd) {
+        merror("Could not launch command to restart Auditd: %s (%d)", strerror(errno), errno);
+        os_free(service_path);
+        return -1;
+    }
+
+    // Print stderr
+    while (fgets(buffer, sizeof(buffer), wfd->file_out)) {
+        mdebug1("auditd: %s", buffer);
+    }
+
+    switch (status = wpclose(wfd), WEXITSTATUS(status)) {
+    case 0:
+        os_free(service_path);
+        return 0;
+    case 127:
+        // exec error
+        merror("Could not launch command to restart Auditd.");
+        os_free(service_path);
+        return -1;
+    default:
+        merror("Could not restart Auditd service.");
+        os_free(service_path);
+        return -1;
+    }
+}
+
+
+int audit_manage_rules(int action, const char *path, int permissions, const char *key) {
+
+    int retval, output;
+    int type;
+    struct stat buf;
+    int audit_handler;
+
+    audit_handler = audit_open();
+    if (audit_handler < 0) {
+        return (-1);
+    }
+
+    struct audit_rule_data *myrule = NULL;
+    os_malloc(sizeof(struct audit_rule_data), myrule);
+    memset(myrule, 0, sizeof(struct audit_rule_data));
+
+    // Check path
+    type = AUDIT_DIR;
+
+    if (stat(path, &buf) != 0) {
+        mdebug2(FIM_STAT_FAILED, path, errno, strerror(errno));
+        retval = -1;
+        goto end;
+    }
+
+    // Set watcher
+    output = audit_add_watch_dir(type, &myrule, path);
+    if (output) {
+        mdebug2("audit_add_watch_dir = (%d) %s", output, audit_errno_to_name(abs(output)));
+        retval = -1;
+        goto end;
+    }
+
+    // Set permissions
+    output = audit_update_watch_perms(myrule, permissions);
+    if (output) {
+        mdebug2("audit_update_watch_perms = (%d) %s", output, audit_errno_to_name(abs(output)));
+        retval = -1;
+        goto end;
+    }
+
+    // Set key
+    int flags = AUDIT_FILTER_EXIT & AUDIT_FILTER_MASK;
+
+    if (strlen(key) > (AUDIT_MAX_KEY_LEN - 5)) {
+        retval = -1;
+        goto end;
+    }
+
+    char *cmd;
+    os_malloc(sizeof(char) * AUDIT_MAX_KEY_LEN + 1, cmd);
+
+    if (snprintf(cmd, AUDIT_MAX_KEY_LEN, "key=%s", key) < 0) {
+        //LCOV_EXCL_START
+        free(cmd);
+        retval = -1;
+        goto end;
+        //LCOV_EXCL_STOP
+    } else {
+        output = audit_rule_fieldpair_data(&myrule, cmd, flags);
+        if (output) {
+            mdebug2("audit_rule_fieldpair_data = (%d) %s", output, audit_errno_to_name(abs(output)));
+            free(cmd);
+            retval = -1;
+            goto end;
+        }
+        free(cmd);
+    }
+
+    // Add/Delete rule
+    if (action == ADD_RULE) {
+        retval = audit_add_rule_data(audit_handler, myrule, flags, AUDIT_ALWAYS);
+    } else if (action == DELETE_RULE){
+        retval = audit_delete_rule_data(audit_handler, myrule, flags, AUDIT_ALWAYS);
+    } else {
+        retval = -1;
+        goto end;
+    }
+
+    if (retval <= 0 && retval != -EEXIST) {
+        mdebug2("Can't add or delete a rule (%d) = %s", retval, audit_errno_to_name(abs(retval)));
+    }
+
+end:
+    audit_rule_free_data(myrule);
+    audit_close(audit_handler);
+    return retval;
+}
+
+
+int audit_add_rule(const char *path, int perms, const char *key) {
+    return audit_manage_rules(ADD_RULE, path, perms, key);
+}
+
+
+int audit_delete_rule(const char *path, int perms, const char *key) {
+    return audit_manage_rules(DELETE_RULE, path, perms, key);
+}
+
+#endif
diff --git a/src/common/audit_op/tests/unit/tests/CMakeLists.txt b/src/common/audit_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..e1d6bde979
--- /dev/null
+++ b/src/common/audit_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_audit_op")
+list(APPEND shared_tests_flags "-Wl,--wrap,audit_send -Wl,--wrap,popen \
+                                -Wl,--wrap,select -Wl,--wrap,audit_get_reply -Wl,--wrap,wpopenv -Wl,--wrap,fgets \
+                                -Wl,--wrap,wpclose -Wl,--wrap,audit_open -Wl,--wrap,audit_add_watch_dir \
+                                -Wl,--wrap,audit_update_watch_perms -Wl,--wrap,audit_errno_to_name -Wl,--wrap,wfopen \
+                                -Wl,--wrap,audit_rule_fieldpair_data -Wl,--wrap,fopen -Wl,--wrap,audit_add_rule_data \
+                                -Wl,--wrap,audit_delete_rule_data -Wl,--wrap,audit_close -Wl,--wrap,fclose \
+                                -Wl,--wrap,fflush -Wl,--wrap,fprintf -Wl,--wrap,fread -Wl,--wrap,fseek \
+                                -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fgetpos -Wl,--wrap=fgetc \
+                                -Wl,--wrap,get_binary_path ${DEBUG_OP_WRAPPERS}")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/audit_op/tests/unit/tests/test_audit_op.c b/src/common/audit_op/tests/unit/tests/test_audit_op.c
new file mode 100644
index 0000000000..e4a34737b6
--- /dev/null
+++ b/src/common/audit_op/tests/unit/tests/test_audit_op.c
@@ -0,0 +1,605 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#ifndef TEST_WINAGENT
+#include "../wrappers/externals/audit/libaudit_wrappers.h"
+#endif
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/posix/select_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/exec_op_wrappers.h"
+#include "../wrappers/wazuh/shared/binaries_op_wrappers.h"
+#include "../wrappers/common.h"
+#include "../headers/audit_op.h"
+#include "../headers/defs.h"
+#include "../headers/exec_op.h"
+#include "../headers/list_op.h"
+
+#define PERMS (AUDIT_PERM_WRITE | AUDIT_PERM_ATTR)
+
+extern OSList *audit_rules_list;
+
+/* auxiliary structs */
+
+typedef struct __audit_replies {
+    struct audit_reply *reply1;
+    struct audit_reply *reply2;
+    struct audit_reply *reply3;
+}audit_replies;
+
+/* setups/teardowns */
+
+static int group_setup(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void **state) {
+    test_mode = 0;
+    audit_rules_list_free();
+    return 0;
+}
+
+static int test_setup_kernel_get_reply(void **state) {
+    audit_replies *replies = calloc(1, sizeof(audit_replies));
+
+    struct audit_reply *reply1 = calloc(1, sizeof(struct audit_reply));
+    struct audit_reply *reply2 = calloc(1, sizeof(struct audit_reply));
+    struct audit_reply *reply3 = calloc(1, sizeof(struct audit_reply));
+
+    reply1->type = NLMSG_ERROR;
+    reply1->error = calloc(1, sizeof(struct nlmsgerr));
+    reply1->error->error = 0;
+
+    reply2->type = AUDIT_LIST_RULES;
+    reply2->ruledata = calloc(1, sizeof(struct audit_rule_data));
+    reply2->ruledata->field_count = 0;
+
+    replies->reply1 = reply1;
+    replies->reply2 = reply2;
+    replies->reply3 = reply3;
+
+    *state = replies;
+
+    return 0;
+}
+
+static int test_teardown_kernel_get_reply(void **state) {
+    audit_replies *replies = *state;
+
+    free(replies->reply3);
+    free(replies->reply2->ruledata);
+    free(replies->reply2);
+    free(replies->reply1->error);
+    free(replies->reply1);
+    free(replies);
+
+    return 0;
+}
+
+static int test_setup_print_reply(void **state) {
+    struct audit_reply *reply = calloc(1, sizeof(struct audit_reply));
+
+    reply->type = AUDIT_LIST_RULES;
+    reply->ruledata = calloc(1, sizeof(struct audit_rule_data));
+    reply->ruledata->field_count = 4;
+    reply->ruledata->fields[0] = AUDIT_DIR;
+    reply->ruledata->values[0] = 0;
+    reply->ruledata->fields[1] = AUDIT_FILTERKEY;
+    reply->ruledata->values[1] = 0;
+    reply->ruledata->fields[3] = AUDIT_PERM;
+    reply->ruledata->values[3] = AUDIT_PERM_EXEC | AUDIT_PERM_WRITE | AUDIT_PERM_READ | AUDIT_PERM_ATTR;
+
+    *state = reply;
+
+    return 0;
+}
+
+static int test_teardown_print_reply(void **state) {
+    struct audit_reply *reply = *state;
+
+    free(reply->ruledata);
+    free(reply);
+
+    return 0;
+}
+
+static int test_teardown_free_path(void **state) {
+    char *path = *state;
+
+    free(path);
+
+    return 0;
+}
+
+static int test_setup_file(void **state) {
+    wfd_t * wfd = calloc(1, sizeof(wfd_t));
+
+    *state = wfd;
+
+    return 0;
+}
+
+static int test_teardown_file(void **state) {
+    wfd_t * wfd = *state;
+
+    free(wfd);
+
+    return 0;
+}
+
+/* tests */
+
+static void test_audit_get_rule_list_error(void **state) {
+    (void) state;
+
+    expect_value(__wrap_audit_send, fd, 0);
+    expect_value(__wrap_audit_send, type, 1013);
+    expect_any(__wrap_audit_send, data);
+    will_return(__wrap_audit_send, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "Error sending rule list data request (Operation not permitted)");
+
+    int ret = audit_get_rule_list(0);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_get_rule_list(void **state) {
+    (void) state;
+
+    expect_value(__wrap_audit_send, fd, 0);
+    expect_value(__wrap_audit_send, type, AUDIT_LIST_RULES);
+    expect_any(__wrap_audit_send, data);
+    will_return(__wrap_audit_send, 0);
+
+    will_return_always(__wrap_select, 0);
+
+    expect_value_count(__wrap_audit_get_reply, fd, 0, 40);
+    expect_value_count(__wrap_audit_get_reply, block, GET_REPLY_NONBLOCKING, 40);
+    will_return_always(__wrap_audit_get_reply, 0);
+
+    int ret = audit_get_rule_list(0);
+
+    assert_int_equal(ret, 1);
+    assert_non_null(audit_rules_list);
+}
+
+static void test_kernel_get_reply(void **state) {
+    audit_replies *replies = *state;
+
+    will_return(__wrap_select, -1);
+    will_return(__wrap_select, 0);
+
+    expect_value(__wrap_audit_get_reply, fd, 0);
+    expect_value(__wrap_audit_get_reply, block, GET_REPLY_NONBLOCKING);
+    will_return(__wrap_audit_get_reply, replies->reply1);
+    will_return(__wrap_audit_get_reply, 1);
+
+    will_return(__wrap_select, 0);
+
+    expect_value(__wrap_audit_get_reply, fd, 0);
+    expect_value(__wrap_audit_get_reply, block, GET_REPLY_NONBLOCKING);
+    will_return(__wrap_audit_get_reply, replies->reply2);
+    will_return(__wrap_audit_get_reply, 1);
+
+    will_return(__wrap_select, 0);
+
+    expect_value(__wrap_audit_get_reply, fd, 0);
+    expect_value(__wrap_audit_get_reply, block, GET_REPLY_NONBLOCKING);
+    will_return(__wrap_audit_get_reply, replies->reply3);
+    will_return(__wrap_audit_get_reply, 1);
+
+    errno = EINTR;
+
+    kernel_get_reply(0);
+
+    errno = 0;
+}
+
+static void test_audit_print_reply(void **state) {
+    struct audit_reply *reply = *state;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Audit rule loaded: -w  -p rwxa -k ");
+
+    int ret = audit_print_reply(reply);
+    w_audit_rule *rule = (w_audit_rule *) OSList_GetFirstNode(audit_rules_list)->data;
+
+    assert_int_equal(ret, 1);
+    assert_non_null(audit_rules_list->first_node);
+    assert_string_equal(rule->path, "");
+    assert_string_equal(rule->key, "");
+    assert_int_equal(rule->perm, (AUDIT_PERM_EXEC | AUDIT_PERM_WRITE | AUDIT_PERM_READ | AUDIT_PERM_ATTR));
+    assert_int_equal(audit_rules_list->currently_size, 1);
+}
+
+static void test_audit_clean_path(void **state) {
+    char *path = "../test/file";
+    char *cwd = "/home/folder";
+
+    char *full_path = audit_clean_path(cwd, path);
+
+    *state = full_path;
+
+    assert_string_equal(full_path, "/home/test/file");
+}
+
+static void test_audit_restart(void **state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char *service_path = NULL;
+    service_path = strdup("/path/to/service");
+    expect_string(__wrap_get_binary_path, command, "service");
+    will_return(__wrap_get_binary_path, service_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "test");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "auditd: test");
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_wpclose, 0);
+
+    int ret = audit_restart();
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_audit_restart_open_error(void **state) {
+    char *service_path = NULL;
+    service_path = strdup("/path/to/service");
+    expect_string(__wrap_get_binary_path, command, "service");
+    will_return(__wrap_get_binary_path, service_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "Could not launch command to restart Auditd: Success (0)");
+
+    int ret = audit_restart();
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_restart_close_exec_error(void **state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char *service_path = NULL;
+    service_path = strdup("/path/to/service");
+    expect_string(__wrap_get_binary_path, command, "service");
+    will_return(__wrap_get_binary_path, service_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "test");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "auditd: test");
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_wpclose, 0x7f00);
+
+    expect_string(__wrap__merror, formatted_msg, "Could not launch command to restart Auditd.");
+
+    int ret = audit_restart();
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_restart_close_error(void **state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char *service_path = NULL;
+    service_path = strdup("/path/to/service");
+    expect_string(__wrap_get_binary_path, command, "service");
+    will_return(__wrap_get_binary_path, service_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "test");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "auditd: test");
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_wpclose, 0xff00);
+
+    expect_string(__wrap__merror, formatted_msg, "Could not restart Auditd service.");
+
+    int ret = audit_restart();
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_rules_list_append(void **state) {
+    (void) state;
+
+    int i;
+    for(i = 0; i < 30; ++i) {
+        w_audit_rule *rule = calloc(1, sizeof(w_audit_rule));
+        rule->path = strdup("/test/file");
+        rule->key = strdup("key");
+        rule->perm = PERMS;
+        OSList_AddData(audit_rules_list, rule);
+    }
+
+    assert_int_equal(audit_rules_list->currently_size, 31);
+}
+
+static void test_search_audit_rule(void **state) {
+    (void) state;
+
+    int ret = search_audit_rule("/test/file", PERMS, "key");
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_search_audit_rule_null(void **state) {
+    (void) state;
+
+    int ret = search_audit_rule(NULL, PERMS, NULL);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_search_audit_rule_not_found(void **state) {
+    (void) state;
+
+    int ret = search_audit_rule("/test/search2", (PERMS | AUDIT_PERM_EXEC)  , "search2");
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_audit_add_rule(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 0);
+
+    expect_string(__wrap_audit_rule_fieldpair_data, pair, "key=bin-folder");
+    expect_value(__wrap_audit_rule_fieldpair_data, flags, AUDIT_FILTER_EXIT & AUDIT_FILTER_MASK);
+    will_return(__wrap_audit_rule_fieldpair_data, 0);
+
+    will_return(__wrap_audit_add_rule_data, 1);
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_add_rule("/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_audit_delete_rule(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 0);
+
+    expect_string(__wrap_audit_rule_fieldpair_data, pair, "key=bin-folder");
+    expect_value(__wrap_audit_rule_fieldpair_data, flags, AUDIT_FILTER_EXIT & AUDIT_FILTER_MASK);
+    will_return(__wrap_audit_rule_fieldpair_data, 0);
+
+    will_return(__wrap_audit_delete_rule_data, -1);
+
+    will_return(__wrap_audit_errno_to_name, "AUDIT ERROR");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Can't add or delete a rule (-1) = AUDIT ERROR");
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_delete_rule("/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_open_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, -1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/folder/path", PERMS, "key-test");
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_stat_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6222): Stat() function failed on: '/folder/path' due to [(2)-(No such file or directory)]");
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/folder/path", PERMS, "key-test");
+
+    errno = 0;
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_add_dir_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 1);
+
+    will_return(__wrap_audit_errno_to_name, "AUDIT ERROR");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "audit_add_watch_dir = (1) AUDIT ERROR");
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_update_perms_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 1);
+
+    will_return(__wrap_audit_errno_to_name, "AUDIT ERROR");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "audit_update_watch_perms = (1) AUDIT ERROR");
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_key_length_error(void **state) {
+    (void) state;
+
+    char *key = "this is a very long key - this is a very long key - this is a very long key - this is a very long key - this is a very long key -"
+                "this is a very long key - this is a very long key - this is a very long key - this is a very long key - this is a very long key -"
+                "this is a very long key - this is a very long key - this is a very long key - this is a very long key - this is a very long key -"
+                "this is a very long key - this is a very long key - this is a very long key - this is a very long key - this is a very long key -"
+                "this is a very long key - this is a very long key - this is a very long key - this is a very long key - this is a very long key";
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 0);
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/usr/bin", PERMS, key);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_fieldpair_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 0);
+
+    expect_string(__wrap_audit_rule_fieldpair_data, pair, "key=bin-folder");
+    expect_value(__wrap_audit_rule_fieldpair_data, flags, AUDIT_FILTER_EXIT & AUDIT_FILTER_MASK);
+    will_return(__wrap_audit_rule_fieldpair_data, 1);
+
+    will_return(__wrap_audit_errno_to_name, "AUDIT ERROR");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "audit_rule_fieldpair_data = (1) AUDIT ERROR");
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(ADD_RULE, "/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_audit_manage_rules_action_error(void **state) {
+    (void) state;
+
+    will_return(__wrap_audit_open, 1);
+
+    expect_value(__wrap_audit_add_watch_dir, type, AUDIT_DIR);
+    expect_string(__wrap_audit_add_watch_dir, path, "/usr/bin");
+    will_return(__wrap_audit_add_watch_dir, 0);
+
+    expect_value(__wrap_audit_update_watch_perms, perms, AUDIT_PERM_WRITE | AUDIT_PERM_ATTR);
+    will_return(__wrap_audit_update_watch_perms, 0);
+
+    expect_string(__wrap_audit_rule_fieldpair_data, pair, "key=bin-folder");
+    expect_value(__wrap_audit_rule_fieldpair_data, flags, AUDIT_FILTER_EXIT & AUDIT_FILTER_MASK);
+    will_return(__wrap_audit_rule_fieldpair_data, 0);
+
+    will_return(__wrap_audit_close, 1);
+
+    int ret = audit_manage_rules(-1, "/usr/bin", PERMS, "bin-folder");
+
+    assert_int_equal(ret, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_audit_get_rule_list_error),
+        cmocka_unit_test(test_audit_get_rule_list),
+        cmocka_unit_test_setup_teardown(test_kernel_get_reply, test_setup_kernel_get_reply, test_teardown_kernel_get_reply),
+        cmocka_unit_test_setup_teardown(test_audit_print_reply, test_setup_print_reply, test_teardown_print_reply),
+        cmocka_unit_test_teardown(test_audit_clean_path, test_teardown_free_path),
+        cmocka_unit_test_setup_teardown(test_audit_restart, test_setup_file, test_teardown_file),
+        cmocka_unit_test(test_audit_restart_open_error),
+        cmocka_unit_test_setup_teardown(test_audit_restart_close_exec_error, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_audit_restart_close_error, test_setup_file, test_teardown_file),
+        cmocka_unit_test(test_audit_rules_list_append),
+        cmocka_unit_test(test_search_audit_rule),
+        cmocka_unit_test(test_search_audit_rule_null),
+        cmocka_unit_test(test_search_audit_rule_not_found),
+        cmocka_unit_test(test_audit_add_rule),
+        cmocka_unit_test(test_audit_delete_rule),
+        cmocka_unit_test(test_audit_manage_rules_open_error),
+        cmocka_unit_test(test_audit_manage_rules_stat_error),
+        cmocka_unit_test(test_audit_manage_rules_add_dir_error),
+        cmocka_unit_test(test_audit_manage_rules_update_perms_error),
+        cmocka_unit_test(test_audit_manage_rules_key_length_error),
+        cmocka_unit_test(test_audit_manage_rules_fieldpair_error),
+        cmocka_unit_test(test_audit_manage_rules_action_error),
+    };
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.c b/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.c
new file mode 100644
index 0000000000..d959575e83
--- /dev/null
+++ b/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.c
@@ -0,0 +1,45 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "audit_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_audit_add_rule(__attribute__((unused)) const char *path,
+                          __attribute__((unused)) int perms,
+                          __attribute__((unused)) const char *key) {
+    return mock();
+}
+
+int __wrap_audit_get_rule_list(__attribute__((unused)) int fd) {
+    return mock();
+}
+
+int __wrap_audit_restart() {
+    return mock();
+}
+
+int __wrap_audit_set_db_consistency() {
+    return 1;
+}
+
+int __wrap_search_audit_rule(__attribute__((unused)) const char *path,
+                             __attribute__((unused)) int perms,
+                             __attribute__((unused)) const char *key) {
+    return mock();
+}
+
+int __wrap_audit_delete_rule(const char *path, int perms, const char *key) {
+    check_expected_ptr(path);
+    check_expected(perms);
+    check_expected_ptr(key);
+    return mock_type(int);
+}
diff --git a/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.h b/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.h
new file mode 100644
index 0000000000..fabf9986df
--- /dev/null
+++ b/src/common/audit_op/tests/unit/wrappers/audit_op_wrappers.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef AUDIT_OP_WRAPPERS_H
+#define AUDIT_OP_WRAPPERS_H
+
+int __wrap_audit_add_rule(const char *path, int perms, const char *key);
+
+int __wrap_audit_get_rule_list(int fd);
+
+int __wrap_audit_restart();
+
+int __wrap_audit_set_db_consistency();
+
+int __wrap_search_audit_rule(const char *path, int perms, const char *key);
+
+int __wrap_audit_delete_rule(const char *path, int perms, const char *key);
+
+#endif
diff --git a/src/modules/docker/tests/CMakeLists.txt b/src/common/b64/CMakeLists.txt
similarity index 100%
rename from src/modules/docker/tests/CMakeLists.txt
rename to src/common/b64/CMakeLists.txt
diff --git a/src/common/b64/src/b64.c b/src/common/b64/src/b64.c
new file mode 100644
index 0000000000..6d1650686c
--- /dev/null
+++ b/src/common/b64/src/b64.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C), 2000-2004 by the monit project group.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* base64 encoding/decoding
+ * Author: Jan-Henrik Haukeland <hauk@tildeslash.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define TRUE    1
+#define FALSE   0
+
+/* Prototypes */
+static int is_base64(char c);
+static char encode(unsigned char u);
+static unsigned char decode(char c);
+
+/* Base64 encode and return size data in 'src'. The caller must free the
+ * returned string.
+ * Returns encoded string otherwise NULL
+ */
+char *encode_base64(int size, const char *src)
+{
+    int i;
+    char *out, *p;
+
+    if (!src) {
+        return NULL;
+    }
+
+    if (!size) {
+        size = strlen((char *)src);
+    }
+
+    out = (char *)calloc(sizeof(char), size * 4 / 3 + 4);
+    if (!out) {
+        return NULL;
+    }
+
+    p = out;
+
+    for (i = 0; i < size; i += 3) {
+        unsigned char b1 = 0, b2 = 0, b3 = 0, b4 = 0, b5 = 0, b6 = 0, b7 = 0;
+
+        b1 = src[i];
+
+        if (i + 1 < size) {
+            b2 = src[i + 1];
+        }
+
+        if (i + 2 < size) {
+            b3 = src[i + 2];
+        }
+
+        b4 = b1 >> 2;
+        b5 = ((b1 & 0x3) << 4) | (b2 >> 4);
+        b6 = ((b2 & 0xf) << 2) | (b3 >> 6);
+        b7 = b3 & 0x3f;
+
+        *p++ = encode(b4);
+        *p++ = encode(b5);
+
+        if (i + 1 < size) {
+            *p++ = encode(b6);
+        } else {
+            *p++ = '=';
+        }
+
+        if (i + 2 < size) {
+            *p++ = encode(b7);
+        } else {
+            *p++ = '=';
+        }
+    }
+
+    return out;
+}
+
+/* Decode the base64 encoded string 'src' into the memory pointed to by
+ * 'dest'. The dest buffer is NUL terminated.
+ * Returns NULL in case of error
+ */
+char *decode_base64(const char *src)
+{
+    if (src && *src) {
+        char *dest;
+        unsigned char *p;
+        int k, l = strlen(src) + 1;
+        unsigned char *buf;
+
+        /* The size of the dest will always be less than the source */
+        dest = (char *)calloc(sizeof(char), l + 13);
+        if (!dest) {
+            return (NULL);
+        }
+
+        p = (unsigned char *)dest;
+
+        buf = (unsigned char *) malloc(l);
+        if (!buf) {
+            free(dest);
+            return (NULL);
+        }
+
+        /* Ignore non base64 chars as per the POSIX standard */
+        for (k = 0, l = 0; src[k]; k++) {
+            if (is_base64(src[k])) {
+                buf[l++] = src[k];
+            }
+        }
+
+        for (k = 0; k < l; k += 4) {
+            char c1 = 'A', c2 = 'A', c3 = 'A', c4 = 'A';
+            unsigned char b1 = 0, b2 = 0, b3 = 0, b4 = 0;
+
+            c1 = buf[k];
+
+            if (k + 1 < l) {
+                c2 = buf[k + 1];
+            }
+
+            if (k + 2 < l) {
+                c3 = buf[k + 2];
+            }
+
+            if (k + 3 < l) {
+                c4 = buf[k + 3];
+            }
+
+            b1 = decode(c1);
+            b2 = decode(c2);
+            b3 = decode(c3);
+            b4 = decode(c4);
+
+            *p++ = ((b1 << 2) | (b2 >> 4) );
+
+            if (c3 != '=') {
+                *p++ = (((b2 & 0xf) << 4) | (b3 >> 2) );
+            }
+
+            if (c4 != '=') {
+                *p++ = (((b3 & 0x3) << 6) | b4 );
+            }
+
+        }
+
+        free(buf);
+
+        return (dest);
+    }
+    return (NULL);
+}
+
+static char encode(unsigned char u)
+{
+    if (u < 26) {
+        return 'A' + u;
+    }
+    if (u < 52) {
+        return 'a' + (u - 26);
+    }
+    if (u < 62) {
+        return '0' + (u - 52);
+    }
+    if (u == 62) {
+        return '+';
+    }
+
+    return '/';
+}
+
+/* Decode a base64 character */
+static unsigned char decode(char c)
+{
+    if (c >= 'A' && c <= 'Z') {
+        return (c - 'A');
+    }
+    if (c >= 'a' && c <= 'z') {
+        return (c - 'a' + 26);
+    }
+    if (c >= '0' && c <= '9') {
+        return (c - '0' + 52);
+    }
+    if (c == '+') {
+        return 62;
+    }
+
+    return 63;
+}
+
+/* Returns TRUE if 'c' is a valid base64 character, otherwise FALSE */
+static int is_base64(char c)
+{
+    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
+        (c >= '0' && c <= '9') || (c == '+')             ||
+        (c == '/')             || (c == '=')) {
+
+        return TRUE;
+    }
+    return FALSE;
+}
diff --git a/src/common/b64/tests/unit/wrappers/b64_wrappers.c b/src/common/b64/tests/unit/wrappers/b64_wrappers.c
new file mode 100644
index 0000000000..930440c1d2
--- /dev/null
+++ b/src/common/b64/tests/unit/wrappers/b64_wrappers.c
@@ -0,0 +1,38 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "b64_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <errno.h>
+
+char *__wrap_encode_base64(int size, const char *src) {
+    check_expected(size);
+    check_expected(src);
+    return mock_type(char *);
+}
+
+void expect_encode_base64(int size, const char *src, char * ret) {
+    expect_value(__wrap_encode_base64, size, size);
+    expect_string(__wrap_encode_base64, src, src);
+    will_return(__wrap_encode_base64, strdup(ret));
+}
+
+char *__wrap_decode_base64(const char *src) {
+    check_expected(src);
+    return mock_type(char *);
+}
+
+void expect_decode_base64(const char *src, char * ret) {
+    expect_string(__wrap_decode_base64, src, src);
+    will_return(__wrap_decode_base64, strdup(ret));
+}
diff --git a/src/common/b64/tests/unit/wrappers/b64_wrappers.h b/src/common/b64/tests/unit/wrappers/b64_wrappers.h
new file mode 100644
index 0000000000..b40d36d653
--- /dev/null
+++ b/src/common/b64/tests/unit/wrappers/b64_wrappers.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef B64_WRAPPERS_H
+#define B64_WRAPPERS_H
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+#ifdef WIN32
+#include <stdint.h>
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+char *__wrap_encode_base64(int size, const char *src);
+void expect_encode_base64(int size, const char *src, char * ret);
+
+char *__wrap_decode_base64(const char *src);
+void expect_decode_base64(const char *src, char * ret);
+
+#endif
diff --git a/src/modules/fim/tests/CMakeLists.txt b/src/common/binaries_op/CMakeLists.txt
similarity index 100%
rename from src/modules/fim/tests/CMakeLists.txt
rename to src/common/binaries_op/CMakeLists.txt
diff --git a/src/common/binaries_op/include/binaries_op.h b/src/common/binaries_op/include/binaries_op.h
new file mode 100644
index 0000000000..ae3b6d1d91
--- /dev/null
+++ b/src/common/binaries_op/include/binaries_op.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * May, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef BINARIES_OP_H
+#define BINARIES_OP_H
+
+/**
+ * @brief Check if the binary exists in the default path and complete the path parameter with the full_path.
+ *
+ * @param command Command searched for.
+ * @param validated_comm Variable to be filled with full_path in case of success, or with the original command if it was not found in any path.
+ * @retval -1 If it was not found on any path.
+ * @retval 0 If it was found.
+ */
+int get_binary_path(const char *binary, char **validated_comm);
+
+#endif /* BINARIES_OP_H */
diff --git a/src/common/binaries_op/src/binaries_op.c b/src/common/binaries_op/src/binaries_op.c
new file mode 100644
index 0000000000..0f34556c95
--- /dev/null
+++ b/src/common/binaries_op/src/binaries_op.c
@@ -0,0 +1,87 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * May, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+
+
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#define getenv wrap_getenv
+#endif
+#endif
+
+int get_binary_path(const char *binary, char **validated_comm) {
+#ifdef WIN32
+    const char sep[2] = ";";
+#else
+    const char sep[2] = ":";
+#endif
+    char *path;
+    char *full_path;
+    char *validated = NULL;
+    char *env_path = NULL;
+    char *env_path_copy = NULL;
+    char *save_ptr = NULL;
+
+    if (isabspath(binary)) {
+        // Check binary full path
+        if (IsFile(binary) == -1) {
+            if (validated_comm) {
+                *validated_comm = strdup(binary);
+            }
+            return OS_INVALID;
+        }
+        validated = strdup(binary);
+
+    } else {
+
+        env_path = getenv("PATH");
+
+        if (!env_path) {
+            if (validated_comm) {
+                *validated_comm = strdup(binary);
+            }
+            return OS_INVALID;
+        }
+        os_strdup(env_path, env_path_copy);
+        path = strtok_r(env_path_copy, sep, &save_ptr);
+
+        while (path != NULL) {
+            os_calloc(strlen(path) + strlen(binary) + 2, sizeof(char), full_path);
+#ifdef WIN32
+            snprintf(full_path, strlen(path) + strlen(binary) + 2, "%s\\%s", path, binary);
+#else
+            snprintf(full_path, strlen(path) + strlen(binary) + 2, "%s/%s", path, binary);
+#endif
+            if (IsFile(full_path) == 0) {
+                validated = strdup(full_path);
+                os_free(full_path);
+                break;
+            }
+            os_free(full_path);
+            path = strtok_r(NULL, sep, &save_ptr);
+        }
+
+        // Check binary found
+        if (validated == NULL) {
+            if (validated_comm) {
+                *validated_comm = strdup(binary);
+            }
+            os_free(env_path_copy);
+            return OS_INVALID;
+        }
+    }
+
+    if (validated_comm) {
+        *validated_comm = strdup(validated);
+    }
+    os_free(validated);
+    os_free(env_path_copy);
+    return OS_SUCCESS;
+}
diff --git a/src/common/binaries_op/tests/unit/tests/CMakeLists.txt b/src/common/binaries_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..e1e59438a4
--- /dev/null
+++ b/src/common/binaries_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_binaries_op")
+set(BINARIES_OP_BASE_FLAGS "-Wl,--wrap,IsFile -Wl,--wrap,wfopen")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${BINARIES_OP_BASE_FLAGS} -Wl,--wrap,get_windows_file_time_epoch,--wrap,mdebug2 \
+                                -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${BINARIES_OP_BASE_FLAGS} -Wl,--wrap,getenv")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/binaries_op/tests/unit/tests/test_binaries_op.c b/src/common/binaries_op/tests/unit/tests/test_binaries_op.c
new file mode 100644
index 0000000000..53c22f0907
--- /dev/null
+++ b/src/common/binaries_op/tests/unit/tests/test_binaries_op.c
@@ -0,0 +1,317 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include "shared.h"
+#include "../headers/binaries_op.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+#ifndef TEST_WINAGENT
+extern char * __real_getenv(const char *name);
+char * __wrap_getenv(const char *name) {
+    if (!test_mode) {
+        return __real_getenv(name);
+    }
+    check_expected(name);
+    return mock_type(char *);
+}
+#endif
+
+#ifdef TEST_WINAGENT
+void test_get_binary_path_full_path_found(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("c:\\home\\test\\uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "c:\\home\\test\\uname");
+
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_full_path_not_found(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("c:\\home\\test\\uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "c:\\home\\test\\uname");
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_first(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "c:\\home\\test";
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "c:\\home\\test\\uname");
+
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_usr_bin(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "c:\\home\\test;c:\\usr\\bin";
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "c:\\usr\\bin\\uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "c:\\usr\\bin\\uname");
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_not_found(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "c:\\home\\test;c:\\usr\\bin";
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "c:\\usr\\bin\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "uname");
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_first_validated_null(void **state) {
+    char path[OS_BUFFER_SIZE] = "c:\\home\\test";
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", NULL);
+
+    assert_int_equal(ret, OS_SUCCESS);
+}
+
+void test_get_binary_path_not_found_validated_null(void **state) {
+    char path[OS_BUFFER_SIZE] = "c:\\home\\test;c:\\usr\\bin";
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "c:\\home\\test\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "c:\\usr\\bin\\uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("uname", NULL);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_get_binary_path_envpath_null(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(wrap_getenv, name, "PATH");
+    will_return(wrap_getenv, NULL);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "uname");
+    os_free(cmd_path);
+}
+#else
+void test_get_binary_path_full_path_found(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("/home/test/uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "/home/test/uname");
+
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_full_path_not_found(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("/home/test/uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "/home/test/uname");
+
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_first(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "/home/test";
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "/home/test/uname");
+
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_usr_bin(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "/home/test:/usr/bin";
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "/usr/bin/uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(cmd_path, "/usr/bin/uname");
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_not_found(void **state) {
+    char *cmd_path = NULL;
+    char path[OS_BUFFER_SIZE] = "/home/test:/usr/bin";
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "/usr/bin/uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "uname");
+    os_free(cmd_path);
+}
+
+void test_get_binary_path_first_validated_null(void **state) {
+    char path[OS_BUFFER_SIZE] = "/home/test";
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, 0);
+
+    int ret = get_binary_path("uname", NULL);
+
+    assert_int_equal(ret, OS_SUCCESS);
+}
+
+void test_get_binary_path_not_found_validated_null(void **state) {
+    char path[OS_BUFFER_SIZE] = "/home/test:/usr/bin";
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, path);
+
+    expect_string(__wrap_IsFile, file, "/home/test/uname");
+    will_return(__wrap_IsFile, -1);
+
+    expect_string(__wrap_IsFile, file, "/usr/bin/uname");
+    will_return(__wrap_IsFile, -1);
+
+    int ret = get_binary_path("uname", NULL);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_get_binary_path_envpath_null(void **state) {
+    char *cmd_path = NULL;
+
+    expect_string(__wrap_getenv, name, "PATH");
+    will_return(__wrap_getenv, NULL);
+
+    int ret = get_binary_path("uname", &cmd_path);
+
+    assert_int_equal(ret, OS_INVALID);
+    assert_string_equal(cmd_path, "uname");
+    os_free(cmd_path);
+}
+#endif
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_get_binary_path_full_path_found),
+        cmocka_unit_test(test_get_binary_path_full_path_not_found),
+        cmocka_unit_test(test_get_binary_path_first),
+        cmocka_unit_test(test_get_binary_path_usr_bin),
+        cmocka_unit_test(test_get_binary_path_not_found),
+        cmocka_unit_test(test_get_binary_path_first_validated_null),
+        cmocka_unit_test(test_get_binary_path_not_found_validated_null),
+        cmocka_unit_test(test_get_binary_path_envpath_null),
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.c b/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.c
new file mode 100644
index 0000000000..a9940afa53
--- /dev/null
+++ b/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.c
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "binaries_op_wrappers.h"
+#include <string.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_get_binary_path(const char *command, char **path) {
+    check_expected(command);
+    *path = (char*)mock_ptr_type(char*);
+
+    return mock_type(int);
+}
diff --git a/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.h b/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.h
new file mode 100644
index 0000000000..fbe4ff622b
--- /dev/null
+++ b/src/common/binaries_op/tests/unit/wrappers/binaries_op_wrappers.h
@@ -0,0 +1,17 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef BINARIES_OP_WRAPPERS_H
+#define BINARIES_OP_WRAPPERS_H
+
+
+int __wrap_get_binary_path(const char *command, char **path);
+
+#endif
diff --git a/src/common/byteArrayHelper/CMakeLists.txt b/src/common/byteArrayHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/byteArrayHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/byteArrayHelper/include/byteArrayHelper.h b/src/common/byteArrayHelper/include/byteArrayHelper.h
new file mode 100644
index 0000000000..5db744900a
--- /dev/null
+++ b/src/common/byteArrayHelper/include/byteArrayHelper.h
@@ -0,0 +1,41 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 15, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _BYTE_ARRAY_HELPER_H
+#define _BYTE_ARRAY_HELPER_H
+
+#include <string>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    static int32_t toInt32BE(uint8_t const* bytes)
+    {
+        return static_cast<int32_t>(bytes[3]) |
+               static_cast<int32_t>(bytes[2]) << 8 |
+               static_cast<int32_t>(bytes[1]) << 16 |
+               static_cast<int32_t>(bytes[0]) << 24;
+    }
+
+    static int32_t toInt32LE(uint8_t const* bytes)
+    {
+        return static_cast<int32_t>(bytes[0]) |
+               static_cast<int32_t>(bytes[1]) << 8 |
+               static_cast<int32_t>(bytes[2]) << 16 |
+               static_cast<int32_t>(bytes[3]) << 24;
+    }
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _BYTE_ARRAY_HELPER_H
diff --git a/src/common/byteArrayHelper/tests/CMakeLists.txt b/src/common/byteArrayHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..1813464183
--- /dev/null
+++ b/src/common/byteArrayHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "byteArrayHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/byteArrayHelper/tests/byteArrayHelper_test.cpp b/src/common/byteArrayHelper/tests/byteArrayHelper_test.cpp
new file mode 100644
index 0000000000..78a3f80952
--- /dev/null
+++ b/src/common/byteArrayHelper/tests/byteArrayHelper_test.cpp
@@ -0,0 +1,31 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "byteArrayHelper_test.h"
+#include "byteArrayHelper.h"
+
+void ByteArrayHelperTest::SetUp() {};
+
+void ByteArrayHelperTest::TearDown() {};
+
+constexpr uint8_t bufferBE[] = {0x12, 0x34, 0x56, 0x78};
+constexpr uint8_t bufferLE[] = {0x78, 0x56, 0x34, 0x12};
+constexpr int32_t result {305419896};
+
+TEST_F(ByteArrayHelperTest, toInt32BE)
+{
+    EXPECT_EQ(result, Utils::toInt32BE(bufferBE));
+}
+
+TEST_F(ByteArrayHelperTest, toInt32LE)
+{
+    EXPECT_EQ(result, Utils::toInt32LE(bufferLE));
+}
diff --git a/src/common/byteArrayHelper/tests/byteArrayHelper_test.h b/src/common/byteArrayHelper/tests/byteArrayHelper_test.h
new file mode 100644
index 0000000000..20dfe12217
--- /dev/null
+++ b/src/common/byteArrayHelper/tests/byteArrayHelper_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef BYTE_ARRAY_TESTS_H
+#define BYTE_ARRAY_TESTS_H
+#include "gtest/gtest.h"
+
+class ByteArrayHelperTest : public ::testing::Test
+{
+    protected:
+
+        ByteArrayHelperTest() = default;
+        virtual ~ByteArrayHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //BYTE_ARRAY_TESTS_H
diff --git a/src/common/byteArrayHelper/tests/main.cpp b/src/common/byteArrayHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/byteArrayHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/cmdHelper/CMakeLists.txt b/src/common/cmdHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/cmdHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/cmdHelper/include/cmdHelper.h b/src/common/cmdHelper/include/cmdHelper.h
new file mode 100644
index 0000000000..dd1653813e
--- /dev/null
+++ b/src/common/cmdHelper/include/cmdHelper.h
@@ -0,0 +1,52 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CMD_HELPER_H
+#define _CMD_HELPER_H
+
+#include <string>
+#include <iostream>
+#include <cstdio>
+#include <memory>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    struct FileSmartDeleter
+    {
+        void operator()(FILE* file)
+        {
+            pclose(file);
+        }
+    };
+    static std::string exec(const std::string& cmd, const size_t bufferSize = 128)
+    {
+        const std::unique_ptr<FILE, FileSmartDeleter> file{popen(cmd.c_str(), "r")};
+        char buffer[bufferSize];
+        std::string result;
+
+        if (file)
+        {
+            while (fgets(buffer, bufferSize, file.get()))
+            {
+                result += buffer;
+            }
+        }
+
+        return result;
+    }
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _CMD_HELPER_H
\ No newline at end of file
diff --git a/src/common/cmdHelper/tests/CMakeLists.txt b/src/common/cmdHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..b512d618ce
--- /dev/null
+++ b/src/common/cmdHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "cmdHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/cmdHelper/tests/cmdHelper_test.cpp b/src/common/cmdHelper/tests/cmdHelper_test.cpp
new file mode 100644
index 0000000000..3ea9a09167
--- /dev/null
+++ b/src/common/cmdHelper/tests/cmdHelper_test.cpp
@@ -0,0 +1,30 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "cmdHelper_test.h"
+#include "cmdHelper.h"
+
+void CmdUtilsTest::SetUp() {};
+
+void CmdUtilsTest::TearDown() {};
+#ifdef WIN32
+TEST_F(CmdUtilsTest, CmdVersion)
+{
+    const auto result{Utils::exec("ver")};
+    EXPECT_FALSE(result.empty());
+}
+#else
+TEST_F(CmdUtilsTest, CmdUname)
+{
+    const auto result{Utils::exec("uname")};
+    EXPECT_FALSE(result.empty());
+}
+#endif
\ No newline at end of file
diff --git a/src/common/cmdHelper/tests/cmdHelper_test.h b/src/common/cmdHelper/tests/cmdHelper_test.h
new file mode 100644
index 0000000000..d9b939ad97
--- /dev/null
+++ b/src/common/cmdHelper/tests/cmdHelper_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef CMD_HELPER_TESTS_H
+#define CMD_HELPER_TESTS_H
+#include <gtest/gtest.h>
+
+class CmdUtilsTest : public ::testing::Test
+{
+    protected:
+
+        CmdUtilsTest() = default;
+        virtual ~CmdUtilsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //CMD_HELPER_TESTS_H
diff --git a/src/common/cmdHelper/tests/main.cpp b/src/common/cmdHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/cmdHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/commonDefs.h b/src/common/commonDefs.h
new file mode 100644
index 0000000000..1f0ff13cca
--- /dev/null
+++ b/src/common/commonDefs.h
@@ -0,0 +1,155 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _COMMON_DEFS_H_
+#define _COMMON_DEFS_H_
+
+#include "cJSON.h"
+#include <stdarg.h>
+
+/**
+ * @brief Represents the different host types to be used.
+ */
+typedef enum
+{
+    MANAGER = 0,
+    AGENT   = 1
+} HostType;
+
+/**
+ * @brief Represents the database type to be used.
+ */
+typedef enum
+{
+    UNDEFINED = 0,  /*< Undefined database. */
+    SQLITE3   = 1,  /*< SQLite3 database.   */
+} DbEngineType;
+
+/**
+ * @brief Configures how the engine manages the database at startup.
+ */
+typedef enum
+{
+    VOLATILE   = 0,  /*< Removes the DB every time .                          */
+    PERSISTENT = 1,  /*< The DB is kept and the correct version is checked.   */
+} DbManagement;
+
+
+/**
+ * @brief Represents the database operation events.
+ */
+typedef enum
+{
+    MODIFIED = 0,   /*< Database modificaton operation.         */
+    DELETED  = 1,   /*< Database deletion operation.            */
+    INSERTED = 2,   /*< Database insertion operation.           */
+    MAX_ROWS = 3,   /*< Database has reached max rows number.   */
+    DB_ERROR = 4,   /*< Internal failure.                       */
+    SELECTED = 5,   /*< Database select operation.              */
+    GENERIC = 6     /*< Generic result for reuse.               */
+} ReturnTypeCallback;
+
+/**
+ * @brief Represents the handle associated with database creation.
+ */
+typedef void* DBSYNC_HANDLE;
+
+/**
+ * @brief Represents the transaction handle associated with a database instance.
+ */
+typedef void* TXN_HANDLE;
+
+/**
+ * @brief Represents the handle associated with the remote synch.
+ */
+typedef void* RSYNC_HANDLE;
+
+/**
+ * @brief Callback function for results
+ *
+ * @param result_type Enumeration value indicating what action was taken.
+ * @param result_json Json which describe the change.
+ * @param user_data   User data space returned.
+ *
+ * @details Callback called for each obtained result, after evaluating changes between two snapshots.
+ */
+typedef void((*result_callback_t)(ReturnTypeCallback result_type, const cJSON* result_json, void* user_data));
+
+/**
+ * @brief Callback function for agent-manager sync.
+ *
+ * @param buffer      Buffer used to sync between agent and manager.
+ * @param buffer_size Buffer's size.
+ * @param user_data   User data space returned.
+ *
+ * @details Callback called for each obtained result, after evaluating changes between two snapshots.
+ */
+typedef void((*sync_id_callback_t)(const void* buffer, size_t buffer_size, void* user_data));
+
+/**
+ *  @struct callback_data_t
+ *  This struct contains the result callback will be called for each result
+ *  and user data space returned in each callback call.
+ *  The instance of this structure lives in the library's consumer ecosystem.
+ */
+typedef struct
+{
+    /*@{*/
+    result_callback_t callback;     /**< Result callback. */
+    void* user_data;                /**< User data space returned in each callback. */
+    /*@}*/
+} callback_data_t;
+
+/**
+ *  @struct sync_callback_data_t
+ *  This struct contains a callback used to synchronize the information between agent and manager
+ *  and user data space returned in each callback call.
+ *  The instance of this structure lives in the library's consumer ecosystem.
+ */
+typedef struct
+{
+    /*@{*/
+    sync_id_callback_t callback;     /**< Sync ID callback. */
+    void* user_data;                 /**< User data space returned in each callback. */
+    /*@}*/
+} sync_callback_data_t;
+
+/**
+ * @brief Callback function for user defined logging.
+ *
+ * @param msg Message to be logged.
+ *
+ * @details Useful to get deeper information during the dbsync interaction.
+ */
+typedef void((*log_fnc_t)(const char* msg));
+
+/**
+ * @brief Callback function for user defined logging but adding a tag, the file name,
+ * the line number and the name of the function where the log was generated.
+ *
+ * @param level    Level of the log.
+ * @param tag      Tag to identify the log.
+ * @param file     File name where the log is generated.
+ * @param line     Line number where the log is generated.
+ * @param func     Function name where the log is generated.
+ * @param msg      Message to be logged.
+ * @param args     Variable list args.
+ */
+typedef void ((*full_log_fnc_t)(int level, const char* tag, const char* file, int line, const char* func, const char* msg, va_list args));
+
+/**
+* @brief Definition to indicate the unlimited queue.
+*
+* @details It's used to define the unlimited queue size.
+*/
+#define UNLIMITED_QUEUE_SIZE 0
+
+#endif // _COMMON_DEFS_H_
diff --git a/src/modules/gcp/tests/CMakeLists.txt b/src/common/cryptography/CMakeLists.txt
similarity index 100%
rename from src/modules/gcp/tests/CMakeLists.txt
rename to src/common/cryptography/CMakeLists.txt
diff --git a/src/common/cryptography/include/cryptography.h b/src/common/cryptography/include/cryptography.h
new file mode 100644
index 0000000000..540e1fb194
--- /dev/null
+++ b/src/common/cryptography/include/cryptography.h
@@ -0,0 +1,68 @@
+/*
+ * Cryptography windows helper.
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 16, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CRYPTOGRAPHY_H
+#define _CRYPTOGRAPHY_H
+
+#ifdef WIN32
+#include <windows.h>
+#include "os_err.h"
+
+/**
+ * @brief Verify the signature of a PE file.
+ *
+ * @param path PE file name.
+ * @param error_message Pre-allocated buffer to store the error message.
+ * @param error_message_size Size of the error_message buffer.
+ * @return ERROR_SUCCESS if the signature is valid, ERROR_INVALID_PARAMETER if the file is not a PE file,
+ *         ERROR_FILE_NOT_FOUND if the file does not exist, or another error code.
+ */
+DWORD verify_pe_signature(const wchar_t *path, char* error_message, int error_message_size);
+
+/**
+ * @brief Verify the signature of a file using the Windows Catalog.
+ *
+ * @param path Path to the file.
+ * @param error_message Pre-allocated buffer to store the error message.
+ * @param error_message_size Size of the error_message buffer.
+ * @return int ERROR_SUCCESS on success otherwise error code.
+ */
+DWORD verify_hash_catalog(wchar_t *path, char* error_message, int error_message_size);
+
+/**
+ * @brief Calculate the SHA256 hash of a file.
+ *
+ * @param path Path to the file.
+ * @param hash Buffer to store the hash.
+ * @param hash_size Size of the hash buffer.
+ * @param error_message Pre-allocated buffer to store the error message.
+ * @param error_message_size Size of the error_message buffer.
+ * @return int ERROR_SUCCESS on success otherwise error code.
+ */
+DWORD get_file_hash(const wchar_t *path, BYTE **hash, DWORD *hash_size, char* error_message, int error_message_size);
+
+/**
+ * @brief Verify the authenticity of a file by both its signature and hash. The file is not trusted if both method fail.
+ *
+ * @param file_path The path to the file to verify its auhtenticity.
+ * @return w_err_t Returns OS_SUCCESS if at least one of the methods succeed, otherwise OS_INVALID.
+ */
+w_err_t verify_hash_and_pe_signature(wchar_t *file_path);
+
+/**
+ * @brief Check if the CA is available.
+ *
+ * @return DWORD ERROR_SUCCESS if the CA is available, otherwise error code.
+ */
+DWORD check_ca_available();
+
+#endif // WIN32
+#endif // _CRYPTOGRAPHY_H
diff --git a/src/common/cryptography/src/cryptography.c b/src/common/cryptography/src/cryptography.c
new file mode 100644
index 0000000000..e721712092
--- /dev/null
+++ b/src/common/cryptography/src/cryptography.c
@@ -0,0 +1,549 @@
+/*
+ * Cryptography windows helper.
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 16, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/**************************************************************************************
+    WARNING: all the logging functions of this file must use the plain_ variant
+    to avoid calling any external library that could be loaded during the signature
+    verification.
+
+    Also, all os_ functions that contain merror_exit were avoided for the same reason.
+**************************************************************************************/
+
+#include "shared.h"
+#include "cryptography.h"
+
+#ifdef WIN32
+#include <windows.h>
+#include <wintrust.h>
+#include <softpub.h>
+#include <mscat.h>
+
+DWORD verify_pe_signature(const wchar_t *path, char* error_message, int error_message_size)
+{
+    // Get full path if path is a relative path.
+    // This is needed because WinVerifyTrust only accepts full paths.
+    // If path is already a full path, GetFullPathName will return the same path.
+
+    wchar_t full_path[MAX_PATH];
+    DWORD last_error = ERROR_SUCCESS;
+
+    if (!GetFullPathNameW(path, MAX_PATH, full_path, NULL)) {
+        last_error = GetLastError();
+        snprintf(error_message,
+                error_message_size,
+                "GetFullPathNameW failed with error %lu for '%S': %s",
+                last_error, path, win_strerror(last_error));
+
+        return ERROR_INVALID_DATA;
+    }
+
+    WINTRUST_DATA WinTrustData = {0};
+    WINTRUST_FILE_INFO WinTrustFileInfo = {0};
+    GUID policy_GUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
+
+    WinTrustFileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
+    WinTrustFileInfo.pcwszFilePath = full_path;
+    WinTrustFileInfo.hFile = NULL;
+    WinTrustFileInfo.pgKnownSubject = NULL;
+
+    WinTrustData.cbStruct = sizeof(WINTRUST_DATA);
+    WinTrustData.pPolicyCallbackData = NULL;
+    WinTrustData.pSIPClientData = NULL;
+    WinTrustData.dwUIChoice = WTD_UI_NONE;
+    WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
+    WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;
+    WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
+    WinTrustData.hWVTStateData = NULL;
+    WinTrustData.pwszURLReference = NULL;
+    // We avoid revocation check across the network
+    WinTrustData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;
+    WinTrustData.dwUIContext = 0;
+    WinTrustData.pFile = &WinTrustFileInfo;
+
+    DWORD status = WinVerifyTrust(INVALID_HANDLE_VALUE, &policy_GUID, &WinTrustData);
+
+    switch (status) {
+    case ERROR_SUCCESS:
+        snprintf(error_message,
+                error_message_size,
+                "PE signature verification succeeded for %S", full_path);
+        break;
+    case TRUST_E_NOSIGNATURE:
+        last_error = GetLastError();
+
+        if ((DWORD)TRUST_E_NOSIGNATURE == last_error ||
+            (DWORD)TRUST_E_SUBJECT_FORM_UNKNOWN == last_error ||
+            (DWORD)TRUST_E_PROVIDER_UNKNOWN == last_error) {
+            // The file was not signed.
+            snprintf(error_message,
+                    error_message_size,
+                    "No signature found for '%S'.",
+                    full_path);
+        }
+        else
+        {
+            // The signature was not valid or there was an error opening the file.
+            snprintf(error_message,
+                    error_message_size,
+                    "An unknown error occurred trying to verify the signature of the \"%S\" file.",
+                    full_path);
+        }
+        break;
+    case TRUST_E_SUBJECT_FORM_UNKNOWN:
+        // Trust provider does not support the form specified for the subject.
+        snprintf(error_message,
+                error_message_size,
+                "The form of file '%S' is not supported by trust provider.",
+                full_path);
+        break;
+    case TRUST_E_ACTION_UNKNOWN:
+        // Trust provider does not support the specified action
+        snprintf(error_message,
+                error_message_size,
+                "Provider doesn't support verify action for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_PROVIDER_UNKNOWN:
+        // Trust provider is not recognized on this system.
+        snprintf(error_message,
+                error_message_size,
+                "No trusted provider found for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_EXPLICIT_DISTRUST:
+        /*
+        The hash that represents the subject or the publisher is not allowed by the admin or user.
+        Signer's certificate is in the Untrusted Publishers store.
+        */
+        snprintf(error_message,
+                error_message_size,
+                "The signature is present, but specifically disallowed for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_SUBJECT_NOT_TRUSTED:
+        // Subject failed the specified verification action.
+        snprintf(error_message,
+                error_message_size,
+                "The signature is present, but not trusted by the user for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_FAIL:
+        snprintf(error_message,
+                error_message_size,
+                "The signature of file '%S' is invalid or not found.",
+                full_path);
+        break;
+    case TRUST_E_BAD_DIGEST:
+        // File might be corrupt.
+        snprintf(error_message,
+                error_message_size,
+                "The file '%S' or its signature is corrupt.",
+                full_path);
+        break;
+    case CERT_E_EXPIRED:
+        // Signer's certificate was expired.
+        snprintf(error_message,
+                error_message_size,
+                "The signature of file '%S' is expired.",
+                full_path);
+        break;
+    case CERT_E_REVOKED:
+        // Signer's certificate was revoked.
+        snprintf(error_message,
+                error_message_size,
+                "The signature of file '%S' was revoked.",
+                full_path);
+        break;
+    case CRYPT_E_REVOKED:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate or signature of file '%S' has been revoked.",
+                full_path);
+        break;
+    case CERT_E_UNTRUSTEDROOT:
+        // A certification chain processed correctly, but terminated in a root certificate that is not trusted by the
+        // trust provider.
+        snprintf(error_message,
+                error_message_size,
+                "The signature of file '%S' terminated in a root certificate that is not trusted.",
+                full_path);
+        break;
+    case CRYPT_E_SECURITY_SETTINGS:
+        /*
+        The hash that represents the subject or the publisher was not explicitly trusted by the admin and the
+        admin policy has disabled user trust. No signature, publisher or time stamp errors.
+        */
+        snprintf(error_message,
+                error_message_size,
+                "The hash representing the subject or the publisher wasn't explicitly trusted for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_SYSTEM_ERROR:
+        // A system-level error occurred while verifying trust.
+        snprintf(error_message,
+                error_message_size,
+                "A system-level error occurred while verifying trust for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_NO_SIGNER_CERT:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate for the signer of file '%S' is invalid or not found.",
+                full_path);
+        break;
+    case TRUST_E_COUNTER_SIGNER:
+        snprintf(error_message,
+                error_message_size,
+                "One of the counter signatures was not valid for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_CERT_SIGNATURE:
+        snprintf(error_message,
+                error_message_size,
+                "The signature of the certificate can not be verified for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_TIME_STAMP:
+        snprintf(error_message,
+                error_message_size,
+                "The timestamp signature or certificate could not be verified or is malformed for file '%S'.",
+                full_path);
+        break;
+    case TRUST_E_BASIC_CONSTRAINTS:
+        snprintf(error_message,
+                error_message_size,
+                "The basic constraints of the certificate for file '%S' are invalid or missing.",
+                full_path);
+        break;
+    case TRUST_E_FINANCIAL_CRITERIA:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate for file '%S' does not meet or contain the Authenticode financial extensions.",
+                full_path);
+        break;
+    case CERT_E_CHAINING:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate chain to a trusted root authority could not be built for file '%S'.",
+                full_path);
+        break;
+    case CERT_E_UNTRUSTEDTESTROOT:
+        snprintf(error_message,
+                error_message_size,
+                "The root certificate for file '%S' is a testing certificate, "
+                "and policy settings disallow test certificates.",
+                full_path);
+        break;
+    case CERT_E_WRONG_USAGE:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate for file '%S' is not valid for the requested usage.",
+                full_path);
+        break;
+    case CERT_E_INVALID_NAME:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate name for file '%S' is invalid. Either the name is not included in the permitted "
+                "list, or it is explicitly excluded.",
+                full_path);
+        break;
+    case CERT_E_INVALID_POLICY:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate policy for file '%S' is invalid.",
+                full_path);
+        break;
+    case CERT_E_CRITICAL:
+    case CERT_E_PURPOSE:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate for file '%S' is being used for a purpose other than the purpose specified"
+                " by its CA.",
+                full_path);
+        break;
+    case CERT_E_VALIDITYPERIODNESTING:
+        snprintf(error_message,
+                error_message_size,
+                "The validity periods of the certification chain do not nest correctly for file '%S'.",
+                full_path);
+        break;
+    case CRYPT_E_NO_REVOCATION_CHECK:
+        snprintf(error_message,
+                error_message_size,
+                "The revocation function was unable to check revocation for the certificate of file '%S'.",
+                full_path);
+        break;
+    case CRYPT_E_REVOCATION_OFFLINE:
+        snprintf(error_message,
+                error_message_size,
+                "It was not possible to check revocation because the revocation server was offline for file '%S'.",
+                full_path);
+        break;
+    case CERT_E_REVOCATION_FAILURE:
+        snprintf(error_message,
+                error_message_size,
+                "The revocation process could not continue, and the certificate could not be checked for file "
+                "'%S'.",
+                full_path);
+        break;
+    case CERT_E_CN_NO_MATCH:
+        snprintf(error_message,
+                error_message_size,
+                "The certificate's CN name does not match the passed value for file '%S'.",
+                full_path);
+        break;
+    case CERT_E_ROLE:
+        snprintf(error_message,
+                error_message_size,
+                "A certificate for file '%S' that can only be used as an end-entity is being used as a CA or "
+                "vice versa.",
+                full_path);
+        break;
+    default:
+        last_error = GetLastError();
+        snprintf(error_message,
+                error_message_size,
+                "WinVerifyTrust returned '%lX' for '%S'. GetLastError returned '%lX'. %s",
+                status,
+                full_path,
+                last_error,
+                win_strerror(last_error));
+        status = ERROR_INVALID_DATA;
+    }
+
+    // Any hWVTStateData must be released by a call with close.
+    WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
+    WinVerifyTrust(INVALID_HANDLE_VALUE, &policy_GUID, &WinTrustData);
+
+    return status;
+}
+
+DWORD get_file_hash(const wchar_t *path, BYTE **hash, DWORD *hash_size, char* error_message, int error_message_size)
+{
+    DWORD result = ERROR_SUCCESS;
+    DWORD last_error = ERROR_SUCCESS;
+
+    // Get full path if path is a relative path.
+    // This is needed because CryptCATAdminCalcHashFromFileHandle only accepts full paths.
+    // If path is already a full path, GetFullPathName will return the same path.
+    wchar_t full_path[MAX_PATH];
+
+    if (GetFullPathNameW(path, MAX_PATH, full_path, NULL)) {
+        // Open file for hash calculation.
+        HANDLE handle_file = CreateFileW(full_path,
+                                         GENERIC_READ,
+                                         FILE_SHARE_READ,
+                                         NULL,
+                                         OPEN_EXISTING,
+                                         FILE_ATTRIBUTE_NORMAL,
+                                         NULL);
+
+        if (handle_file != INVALID_HANDLE_VALUE) {
+
+            // Calculate hash of the file.
+            if (CryptCATAdminCalcHashFromFileHandle(handle_file, hash_size, NULL, 0)) {
+
+                if (*hash_size == 0) {
+                    result = ERROR_INVALID_DATA;
+                    last_error = GetLastError();
+                    snprintf(error_message,
+                            error_message_size,
+                            "CryptCATAdminCalcHashFromFileHandle failed because hash size is zero with error %lu "
+                            "for '%S': %s",
+                            last_error,
+                            full_path,
+                            win_strerror(last_error));
+                } else {
+                    *hash = (__typeof__(*hash)) calloc(1, *hash_size);
+
+                    if (!CryptCATAdminCalcHashFromFileHandle(handle_file, hash_size, *hash, 0)) {
+                        result = GetLastError();
+                        snprintf(error_message,
+                                error_message_size,
+                                "CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error "
+                                "%lu for '%S': %s",
+                                result,
+                                full_path,
+                                win_strerror(result));
+                        os_free(*hash);
+                    }
+                }
+            } else {
+                result = GetLastError();
+                snprintf(error_message,
+                        error_message_size,
+                        "CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error %lu for "
+                        "'%S': %s",
+                        result,
+                        full_path,
+                        win_strerror(result));
+            }
+        } else {
+            result = ERROR_FILE_NOT_FOUND;
+            last_error = GetLastError();
+            snprintf(error_message,
+                    error_message_size,
+                    "CreateFileW failed with error %lu for '%S': %s",
+                    last_error,
+                    full_path,
+                    win_strerror(last_error));
+        }
+        // Close file handle.
+        CloseHandle(handle_file);
+
+    } else {
+        result = ERROR_INVALID_DATA;
+        last_error = GetLastError();
+        snprintf(error_message,
+                error_message_size,
+                "GetFullPathNameW failed with error %lu for '%S'. %s",
+                last_error,
+                path,
+                win_strerror(last_error));
+    }
+
+    return result;
+}
+
+DWORD check_ca_available() {
+    // Check if the CA is available in the system.
+    // If the CA is not available, the function returns some error code.
+    // If the CA is available, the function returns ERROR_SUCCESS.
+    DWORD result = ERROR_INVALID_DATA;
+    HCERTSTORE cert_store = NULL;
+    PCCERT_CONTEXT cert_context = NULL;
+    char *ca_name = NULL;
+
+    // Open the certificate store.
+    cert_store = CertOpenSystemStore(0, "ROOT");
+    // Check if the certificate store was opened successfully.
+    if (cert_store) {
+        // Get the first certificate in the store.
+        cert_context = CertEnumCertificatesInStore(cert_store, NULL);
+
+        while (cert_context) {
+            // Get the certificate's CN name size.
+            int req_size = CertGetNameString(cert_context,
+                                             CERT_NAME_SIMPLE_DISPLAY_TYPE,
+                                             0,
+                                             NULL,
+                                             NULL,
+                                             0);
+
+            ca_name = (__typeof__(ca_name)) calloc(req_size, sizeof(char));
+
+            // Get the certificate's CN name.
+            if (CertGetNameString(cert_context,
+                                  CERT_NAME_SIMPLE_DISPLAY_TYPE,
+                                  0,
+                                  NULL,
+                                  ca_name,
+                                  req_size)) {
+                // Check if the certificate's CN name matches the CA name.
+                if (strncmp(ca_name, CA_NAME, sizeof(CA_NAME) - 1) == 0) {
+                    result = ERROR_SUCCESS;
+                    os_free(ca_name);
+                    break;
+                }
+            }
+            os_free(ca_name);
+            // Get the next certificate in the store.
+            cert_context = CertEnumCertificatesInStore(cert_store, cert_context);
+        }
+
+        // Close the certificate store.
+        if (!CertCloseStore(cert_store, 0)) {
+            plain_merror("CertCloseStore failed with error %lu: %s", GetLastError(), win_strerror(GetLastError()));
+        }
+    } else {
+        // Log error if the certificate store could not be opened.
+        result = GetLastError();
+        plain_merror("CertOpenSystemStore failed with error %lu: %s", result, win_strerror(result));
+    }
+
+    return result;
+}
+
+DWORD verify_hash_catalog(wchar_t *file_path, char* error_message, int error_message_size)
+{
+    HCATADMIN catalog_administrator = NULL;
+    HCATINFO catalog_context = NULL;
+    GUID policy_GUID = DRIVER_ACTION_VERIFY;
+    BYTE *hash = NULL;
+    DWORD hash_size = 0;
+    DWORD result = get_file_hash(file_path, &hash, &hash_size, error_message, error_message_size);
+
+    if (ERROR_SUCCESS == result) {
+        if (CryptCATAdminAcquireContext(&catalog_administrator, &policy_GUID, 0)) {
+            // Search for the catalog file.
+            // If the file is not signed, the function returns NULL.
+            // If the file is signed, the function returns a handle to the catalog file.
+
+            if (catalog_context = CryptCATAdminEnumCatalogFromHash(catalog_administrator,
+                                                                   hash,
+                                                                   hash_size,
+                                                                   0,
+                                                                   NULL), catalog_context) {
+                CryptCATAdminReleaseCatalogContext(catalog_administrator, catalog_context, 0);
+                snprintf(error_message,
+                        error_message_size,
+                        "Hash verification succeeded for '%S'",
+                        file_path);
+            } else {
+                result = GetLastError();
+                snprintf(error_message,
+                        error_message_size,
+                        "CryptCATAdminEnumCatalogFromHash failed with error %lu for '%S': %s",
+                        result,
+                        file_path,
+                        win_strerror(result));
+            }
+            CryptCATAdminReleaseContext(catalog_administrator, 0);
+        } else {
+            result = GetLastError();
+            snprintf(error_message,
+                    error_message_size,
+                    "CryptCATAdminAcquireContext failed with error %lu for '%S': %s",
+                    result,
+                    file_path,
+                    win_strerror(result));
+        }
+        os_free(hash);
+    }
+    return result;
+}
+
+w_err_t verify_hash_and_pe_signature(wchar_t *file_path) {
+    DWORD pe_result  = ERROR_SUCCESS;
+    DWORD hash_result = ERROR_SUCCESS;
+    w_err_t retval = OS_SUCCESS;
+    char pe_error_message[OS_SIZE_1024] = {0};
+    char hash_error_message[OS_SIZE_1024] = {0};
+
+    pe_result = verify_pe_signature(file_path, pe_error_message, OS_SIZE_1024);
+
+    if (ERROR_SUCCESS != pe_result) {
+        hash_result = verify_hash_catalog(file_path, hash_error_message, OS_SIZE_1024);
+        if (ERROR_SUCCESS != hash_result) {
+            plain_minfo("Trust verification of a module failed by using the signature method. %s", pe_error_message);
+            plain_minfo("Trust verification of a module failed by using the hash method. %s", hash_error_message);
+            retval = OS_INVALID;
+        } else {
+            plain_mdebug1("%s", hash_error_message);
+        }
+    } else {
+        plain_mdebug1("%s", pe_error_message);
+    }
+
+    return retval;
+}
+
+#endif /* WIN32 */
diff --git a/src/common/data_provider/CMakeLists.txt b/src/common/data_provider/CMakeLists.txt
index e69de29bb2..3522608a01 100644
--- a/src/common/data_provider/CMakeLists.txt
+++ b/src/common/data_provider/CMakeLists.txt
@@ -0,0 +1,252 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysinfo)
+
+if(NOT CMAKE_BUILD_TYPE)
+  set(CMAKE_BUILD_TYPE Release)
+endif()
+
+enable_testing()
+
+get_filename_component(SRC_FOLDER     ${CMAKE_SOURCE_DIR}/../ ABSOLUTE)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+include(CheckCXXSourceCompiles)
+set(CMAKE_CXX_STANDARD 17)
+#Check if std::optional is available, therefore C++17 is available
+check_cxx_source_compiles("
+    #include <optional>
+    int main() {
+        std::optional<int> o;
+        return 0;
+    }
+" HAS_OPTIONAL)
+
+if(NOT HAS_OPTIONAL AND NOT CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  set(CMAKE_CXX_STANDARD 14)
+endif()
+
+#Check if filesystem is available
+check_cxx_source_compiles("
+    #include <filesystem>
+    int main() {
+        std::filesystem::path p;
+        return 0;
+    }
+" HAS_FILESYSTEM)
+
+if(HAS_FILESYSTEM OR CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_definitions(-DHAS_STDFILESYSTEM=true)
+else()
+  add_definitions(-DHAS_STDFILESYSTEM=false)
+endif()
+
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+set(CMAKE_CXX_FLAGS "-Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2")
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g")
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3")
+else()
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3 -s")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-g -fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
+
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${SRC_FOLDER}/headers/)
+include_directories(${SRC_FOLDER}/external/sqlite/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+include_directories(${SRC_FOLDER}/external/cJSON/)
+include_directories(${SRC_FOLDER}/external/procps/)
+include_directories(${SRC_FOLDER}/external/bzip2/)
+include_directories(${SRC_FOLDER}/external/openssl/include/)
+include_directories(${SRC_FOLDER}/shared_modules/utils)
+include_directories(${SRC_FOLDER}/shared_modules/common/)
+include_directories(${SRC_FOLDER}/external/openssl/include/)
+include_directories(${SRC_FOLDER}/external/libplist/bin/include/)
+include_directories(${SRC_FOLDER}/external/libdb/build_unix/)
+if(NOT CMAKE_CHECK_CENTOS5) # Avoid incompatible libraries in CentOS 5 and Red Hat 5
+  include_directories(${SRC_FOLDER}/external/pacman/lib/libalpm/)
+  include_directories(${SRC_FOLDER}/external/libarchive/libarchive/)
+  include_directories(${SRC_FOLDER}/external/rpm/builddir/output/include/)
+endif(NOT CMAKE_CHECK_CENTOS5)
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  # Avoid download externals from http-request submodule
+  set(EXTERNAL_RES "")
+  set(PRECOMPILED_EXTERNAL_RES "")
+  include_directories(${SRC_FOLDER}/shared_modules/http-request/include/)
+  include_directories(${SRC_FOLDER}/shared_modules/http-request/shared/)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  link_directories(${INSTALL_PREFIX}/lib)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+link_directories(${SRC_FOLDER})
+link_directories(${SRC_FOLDER}/external/sqlite/)
+link_directories(${SRC_FOLDER}/external/cJSON/)
+link_directories(${SRC_FOLDER}/external/procps/)
+link_directories(${SRC_FOLDER}/external/bzip2/)
+link_directories(${SRC_FOLDER}/external/libplist/bin/lib/)
+link_directories(${SRC_FOLDER}/external/libdb/build_unix/)
+if(NOT CMAKE_CHECK_CENTOS5) # Avoid incompatible libraries in CentOS 5 and Red Hat 5
+link_directories(${SRC_FOLDER}/external/pacman/lib/libalpm/)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+link_directories(${SRC_FOLDER}/external/rpm/builddir/)
+endif(NOT CMAKE_CHECK_CENTOS5)
+link_directories(${SRC_FOLDER}/external/openssl/)
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  link_directories(${SRC_FOLDER}/shared_modules/http-request/build)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  link_directories(${SRC_FOLDER}/external/curl/lib/.libs/)
+
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*Win.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsInfoWin.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*Windows.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/*Windows.cpp")
+  add_definitions(-DWIN32=1
+                  -D_WIN32_WINNT=0x600
+                  -DWIN_EXPORT)
+elseif(CMAKE_CHECK_CENTOS5)
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*Linux.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*Linux.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/packageLinuxParser.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/packageLinuxParserRpmLegacy.cpp")
+  add_definitions(-DLINUX_TYPE=LinuxType::LEGACY) # Partial compilation in legacy systems
+elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*Linux.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*Linux.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/packageLinux*.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/rpm*.cpp")
+  add_definitions(-DLINUX_TYPE=LinuxType::STANDARD) # Standard compilation in compatible systems
+elseif(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+  if(${CMAKE_HOST_SYSTEM_PROCESSOR} MATCHES "arm64.*|ARM64.*")
+    file(GLOB SYSINFO_SRC
+        "${CMAKE_SOURCE_DIR}/src/*Mac.cpp"
+        "${CMAKE_SOURCE_DIR}/src/*CommonBSD.cpp"
+        "${CMAKE_SOURCE_DIR}/src/packages/*Mac.cpp"
+        "${CMAKE_SOURCE_DIR}/src/network/*BSD.cpp"
+        "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp"
+        "${CMAKE_SOURCE_DIR}/src/hardware/*ARMMac.cpp")
+  else()
+    file(GLOB SYSINFO_SRC
+        "${CMAKE_SOURCE_DIR}/src/*Mac.cpp"
+        "${CMAKE_SOURCE_DIR}/src/*CommonBSD.cpp"
+        "${CMAKE_SOURCE_DIR}/src/packages/*Mac.cpp"
+        "${CMAKE_SOURCE_DIR}/src/network/*BSD.cpp"
+        "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp"
+        "${CMAKE_SOURCE_DIR}/src/hardware/*X86_64Mac.cpp")
+  endif()
+elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*FreeBSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/*CommonBSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*BSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp")
+elseif(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*OpenBSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/*CommonBSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*BSD.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp")
+elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/UtilsWrapperUnix.cpp"
+      "${CMAKE_SOURCE_DIR}/src/*Solaris.cpp"
+      "${CMAKE_SOURCE_DIR}/src/packages/*Solaris.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/networkSolarisHelper.cpp"
+      "${CMAKE_SOURCE_DIR}/src/network/*Solaris.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp")
+else()
+  file(GLOB SYSINFO_SRC
+      "${CMAKE_SOURCE_DIR}/src/*Unix.cpp"
+      "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+
+add_library(sysinfo SHARED
+    ${SYSINFO_SRC}
+    ${CMAKE_SOURCE_DIR}/src/sysInfo.cpp
+    ${SRC_FOLDER}/${RESOURCE_OBJ})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  target_link_libraries(sysinfo psapi iphlpapi ws2_32)
+  set_target_properties(sysinfo PROPERTIES
+      PREFIX ""
+      SUFFIX ".dll"
+      LINK_FLAGS "-Wl,--add-stdcall-alias"
+      POSITION_INDEPENDENT_CODE 0 # this is to avoid MinGW warning;
+      # MinGW generates position-independent-code for DLL by default
+  )
+elseif(UNIX AND NOT APPLE)
+  if(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    string(REPLACE ";" ":" CXX_IMPLICIT_LINK_DIRECTORIES_STR "${CMAKE_CXX_IMPLICIT_LINK_DIRECTORIES}")
+    string(REPLACE ";" ":" PLATFORM_REQUIRED_RUNTIME_PATH_STR "${CMAKE_PLATFORM_REQUIRED_RUNTIME_PATH}")
+    target_link_libraries(sysinfo -Wl,-blibpath:${INSTALL_PREFIX}/lib:${CXX_IMPLICIT_LINK_DIRECTORIES_STR}:${PLATFORM_REQUIRED_RUNTIME_PATH_STR})
+  elseif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+    # Do nothing for HP-UX
+  else()
+    string(APPEND CMAKE_SHARED_LINKER_FLAGS " -Wl,-rpath=$ORIGIN")
+  endif(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+elseif(APPLE)
+  find_library(iokit_lib IOKit)
+  if(NOT iokit_lib)
+    message(FATAL_ERROR "IOKit library not found! Aborting...")
+  endif()
+  find_library(corefoundation_lib CoreFoundation)
+  if(NOT corefoundation_lib)
+    message(FATAL_ERROR "CoreFoundation library not found! Aborting...")
+  endif()
+  target_link_libraries(sysinfo cjson ${SRC_FOLDER}/external/libplist/bin/lib/libplist-2.0.a ${iokit_lib} ${corefoundation_lib})
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+target_link_libraries(sysinfo wazuhext)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  set(CURL_DEP "wazuhext")
+  target_link_libraries(sysinfo urlrequest db)
+  if(CMAKE_CHECK_CENTOS5)
+      set(USE_HTTP 1)
+  endif(CMAKE_CHECK_CENTOS5)
+  add_subdirectory(${SRC_FOLDER}/shared_modules/http-request ${SRC_FOLDER}/shared_modules/http-request/build)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+
+if(APPLE)
+  add_custom_command(TARGET sysinfo
+    POST_BUILD COMMAND
+    ${CMAKE_INSTALL_NAME_TOOL} -id "@rpath/libsysinfo.dylib"
+    $<TARGET_FILE:sysinfo>)
+endif(APPLE)
+
+if(UNIT_TEST)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_link_libraries(sysinfo -fprofile-arcs)
+  else()
+    target_link_libraries(sysinfo gcov)
+  endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+  add_subdirectory(tests)
+else()
+  if(FSANITIZE)
+      target_link_libraries(sysinfo gcov)
+  endif(FSANITIZE)
+  add_subdirectory(testtool)
+endif(UNIT_TEST)
diff --git a/src/common/data_provider/include/sysInfo.h b/src/common/data_provider/include/sysInfo.h
new file mode 100644
index 0000000000..47639027d9
--- /dev/null
+++ b/src/common/data_provider/include/sysInfo.h
@@ -0,0 +1,139 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+
+#ifndef _SYS_INFO_H
+#define _SYS_INFO_H
+
+// Define EXPORTED for any platform
+#include "commonDefs.h"
+#ifdef WAZUH_UNIT_TESTING
+#define EXPORTED
+#else
+#ifndef EXPORTED
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+#endif
+#endif
+
+#include "cJSON.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief Obtains the hardware information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_hardware(cJSON** js_result);
+
+/**
+ * @brief Obtains the installed packages information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_packages(cJSON** js_result);
+
+/**
+ * @brief Obtains the Operating System information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_os(cJSON** js_result);
+
+/**
+ * @brief Obtains the processes information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_processes(cJSON** js_result);
+
+/**
+ * @brief Obtains the network information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_networks(cJSON** js_result);
+
+/**
+ * @brief Obtains the ports information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_ports(cJSON** js_result);
+
+/**
+ * @brief Frees the \p js_data information.
+ *
+ * @param js_data Information to be freed.
+ */
+EXPORTED void sysinfo_free_result(cJSON** js_data);
+
+/**
+ * @brief Obtains the processes information from the current OS being analyzed.
+ *
+ * @param callback Resulting single process data where the specific information will be stored.
+ *
+ * return 0 on success, -1 otherwhise.
+ */
+EXPORTED int sysinfo_processes_cb(callback_data_t cb);
+
+/**
+ * @brief Obtains the packages information from the current OS being analyzed.
+ *
+ * @param callback Resulting single package data where the specific information will be stored.
+ *
+ * return 0 on success, -1 otherwhise.
+ */
+EXPORTED int sysinfo_packages_cb(callback_data_t cb);
+
+/**
+ * @brief Obtains the hotfixes information from the current OS being analyzed.
+ *
+ * @param js_result Resulting json where the specific information will be stored.
+ *
+ * @return 0 on success, -1 otherwise.
+ */
+EXPORTED int sysinfo_hotfixes(cJSON** js_result);
+
+
+typedef int(*sysinfo_networks_func)(cJSON** jsresult);
+typedef int(*sysinfo_os_func)(cJSON** jsresult);
+typedef int(*sysinfo_processes_func)(cJSON** jsresult);
+typedef void(*sysinfo_free_result_func)(cJSON** jsresult);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_SYS_INFO_H
diff --git a/src/common/data_provider/include/sysInfo.hpp b/src/common/data_provider/include/sysInfo.hpp
new file mode 100644
index 0000000000..025d9a9a8c
--- /dev/null
+++ b/src/common/data_provider/include/sysInfo.hpp
@@ -0,0 +1,63 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYS_INFO_HPP
+#define _SYS_INFO_HPP
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+#include "sysInfoInterface.h"
+
+constexpr auto KByte
+{
+    1024
+};
+
+class EXPORTED SysInfo: public ISysInfo
+{
+    public:
+        SysInfo() = default;
+        // LCOV_EXCL_START
+        virtual ~SysInfo() = default;
+        // LCOV_EXCL_STOP
+        nlohmann::json hardware();
+        nlohmann::json packages();
+        nlohmann::json os();
+        nlohmann::json processes();
+        nlohmann::json networks();
+        nlohmann::json ports();
+        void packages(std::function<void(nlohmann::json&)>);
+        void processes(std::function<void(nlohmann::json&)>);
+        nlohmann::json hotfixes();
+    private:
+        virtual nlohmann::json getHardware() const;
+        virtual nlohmann::json getPackages() const;
+        virtual nlohmann::json getOsInfo() const;
+        virtual nlohmann::json getProcessesInfo() const;
+        virtual nlohmann::json getNetworks() const;
+        virtual nlohmann::json getPorts() const;
+        virtual nlohmann::json getHotfixes() const;
+        virtual void getPackages(std::function<void(nlohmann::json&)>) const;
+        virtual void getProcessesInfo(std::function<void(nlohmann::json&)>) const;
+};
+
+#endif //_SYS_INFO_HPP
diff --git a/src/common/data_provider/include/sysInfoInterface.h b/src/common/data_provider/include/sysInfoInterface.h
new file mode 100644
index 0000000000..4ea2caa75f
--- /dev/null
+++ b/src/common/data_provider/include/sysInfoInterface.h
@@ -0,0 +1,36 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 9, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYS_INFO_INTERFACE
+#define _SYS_INFO_INTERFACE
+
+#include "json.hpp"
+
+class ISysInfo
+{
+    public:
+        ISysInfo() = default;
+        // LCOV_EXCL_START
+        virtual ~ISysInfo() = default;
+        // LCOV_EXCL_STOP
+        virtual nlohmann::json hardware() = 0;
+        virtual nlohmann::json packages() = 0;
+        virtual nlohmann::json os() = 0;
+        virtual nlohmann::json processes() = 0;
+        virtual nlohmann::json networks() = 0;
+        virtual nlohmann::json ports() = 0;
+        virtual nlohmann::json hotfixes() = 0;
+        virtual void packages(std::function<void(nlohmann::json&)>) = 0;
+        virtual void processes(std::function<void(nlohmann::json&)>) = 0;
+
+};
+
+#endif //_SYS_INFO_INTERFACE
diff --git a/src/common/data_provider/qa/hardware_schema.json b/src/common/data_provider/qa/hardware_schema.json
new file mode 100644
index 0000000000..0d8c604665
--- /dev/null
+++ b/src/common/data_provider/qa/hardware_schema.json
@@ -0,0 +1,45 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+        "hw": {
+            "type": "object",
+            "properties": {
+                "board_serial": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "cpu_cores": {
+                    "type": "integer"
+                },
+                "cpu_mhz": {
+                    "type": "number"
+                },
+                "cpu_name": {
+                    "type": "string"
+                },
+                "ram_free": {
+                    "type": "integer"
+                },
+                "ram_total": {
+                    "type": "integer"
+                },
+                "ram_usage": {
+                    "type": "integer"
+                }
+            },
+            "required": [
+                "board_serial",
+                "cpu_cores",
+                "cpu_mhz",
+                "cpu_name",
+                "ram_free",
+                "ram_total",
+                "ram_usage"
+            ]
+        }
+    },
+    "required": [
+        "hw"
+    ]
+}
diff --git a/src/common/data_provider/qa/network_schema.json b/src/common/data_provider/qa/network_schema.json
new file mode 100644
index 0000000000..b7f2ce34a8
--- /dev/null
+++ b/src/common/data_provider/qa/network_schema.json
@@ -0,0 +1,201 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+        "networks": {
+            "type": "object",
+            "properties": {
+                "iface": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "IPv4": {
+                                "type": "array",
+                                "items": {
+                                    "type": "object",
+                                    "properties": {
+                                        "address": {
+                                            "type": "string",
+                                            "format": "ipv4"
+                                        },
+                                        "broadcast": {
+                                            "type": "string",
+                                            "format": "ipv4"
+                                        },
+                                        "dhcp": {
+                                            "type": "string",
+                                            "enum": [
+                                                "enabled",
+                                                "disabled",
+                                                "unknown"
+                                            ]
+                                        },
+                                        "metric": {
+                                            "type": "string"
+                                        },
+                                        "netmask": {
+                                            "type": "string",
+                                            "format": "ipv4"
+                                        }
+                                    },
+                                    "required": [
+                                        "address",
+                                        "broadcast",
+                                        "dhcp",
+                                        "metric",
+                                        "netmask"
+                                    ]
+                                }
+                            },
+                            "IPv6": {
+                                "type": "array",
+                                "items": {
+                                    "type": "object",
+                                    "properties": {
+                                        "address": {
+                                            "type": "string",
+                                            "format": "ipv6"
+                                        },
+                                        "broadcast": {
+                                            "type": "string"
+                                        },
+                                        "dhcp": {
+                                            "type": "string",
+                                            "enum": [
+                                                "enabled",
+                                                "disabled",
+                                                "unknown"
+                                            ]
+                                        },
+                                        "metric": {
+                                            "type": "string"
+                                        },
+                                        "netmask": {
+                                            "type": "string"
+                                        }
+                                    },
+                                    "required": [
+                                        "address",
+                                        "broadcast",
+                                        "dhcp",
+                                        "metric",
+                                        "netmask"
+                                    ]
+                                }
+                            },
+                            "adapter": {
+                                "type": "string"
+                            },
+                            "gateway": {
+                                "type": "string"
+                            },
+                            "mac": {
+                                "type": "string"
+                            },
+                            "mtu": {
+                                "type": "integer"
+                            },
+                            "name": {
+                                "type": "string"
+                            },
+                            "rx_bytes": {
+                                "type": "integer"
+                            },
+                            "rx_dropped": {
+                                "type": "integer"
+                            },
+                            "rx_errors": {
+                                "type": "integer"
+                            },
+                            "rx_packets": {
+                                "type": "integer"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "up",
+                                    "down",
+                                    "unknown"
+                                ]
+                            },
+                            "tx_bytes": {
+                                "type": "integer"
+                            },
+                            "tx_dropped": {
+                                "type": "integer"
+                            },
+                            "tx_errors": {
+                                "type": "integer"
+                            },
+                            "tx_packets": {
+                                "type": "integer"
+                            },
+                            "type": {
+                                "type": "string"
+                            }
+                        },
+                        "required": [
+                            "adapter",
+                            "gateway",
+                            "mac",
+                            "mtu",
+                            "name",
+                            "rx_bytes",
+                            "rx_dropped",
+                            "rx_errors",
+                            "rx_packets",
+                            "state",
+                            "tx_bytes",
+                            "tx_dropped",
+                            "tx_errors",
+                            "tx_packets",
+                            "type"
+                        ],
+                        "if": {
+                            "properties": {
+                                "state": {
+                                    "anyOf": [
+                                        {
+                                            "const": "unknown"
+                                        },
+                                        {
+                                            "const": "down"
+                                        }
+                                    ]
+                                }
+                            }
+                        },
+                        "then": {
+                            "properties": {
+                                "mac": {
+                                    "anyOf": [
+                                        {
+                                            "pattern": "^([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})$"
+                                        },
+                                        {
+                                            "const": ""
+                                        }
+                                    ]
+                                }
+                            }
+                        },
+                        "else": {
+                            "properties": {
+                                "mac": {
+                                    "pattern": "^([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})$"
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            "required": [
+                "iface"
+            ]
+        }
+    },
+    "required": [
+        "networks"
+    ]
+}
diff --git a/src/common/data_provider/qa/packages_schema.json b/src/common/data_provider/qa/packages_schema.json
new file mode 100644
index 0000000000..e53351318a
--- /dev/null
+++ b/src/common/data_provider/qa/packages_schema.json
@@ -0,0 +1,81 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+        "packages": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "properties": {
+                    "name": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "version": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "vendor": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "install_time": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "location": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "architecture": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "groups": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "description": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "size": {
+                        "type": "integer"
+                    },
+                    "priority": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "multiarch": {
+                        "type": "string"
+                    },
+                    "source": {
+                        "type": "string",
+                        "minLength": 1
+                    },
+                    "format": {
+                        "type": "string",
+                        "minLength": 1
+                    }
+                },
+                "required": [
+                    "name",
+                    "version",
+                    "vendor",
+                    "install_time",
+                    "location",
+                    "architecture",
+                    "groups",
+                    "description",
+                    "size",
+                    "priority",
+                    "source",
+                    "format"
+                ]
+            }
+        }
+    },
+    "required": [
+        "packages"
+    ]
+}
diff --git a/src/common/data_provider/qa/ports_schema.json b/src/common/data_provider/qa/ports_schema.json
new file mode 100644
index 0000000000..3ac964d7ba
--- /dev/null
+++ b/src/common/data_provider/qa/ports_schema.json
@@ -0,0 +1,92 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "Ports Schema for test tool",
+    "type": "object",
+    "properties": {
+        "ports": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "properties": {
+                    "inode": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "local_ip": {
+                        "type": "string",
+                        "anyOf": [
+                            {
+                                "format": "ipv4"
+                            },
+                            {
+                                "format": "ipv6"
+                            }
+                        ]
+                    },
+                    "local_port": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "pid": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "process": {
+                        "type": "string"
+                    },
+                    "protocol": {
+                        "type": "string",
+                        "enum": [
+                            "udp",
+                            "udp6",
+                            "tcp",
+                            "tcp6"
+                        ]
+                    },
+                    "remote_ip": {
+                        "type": "string",
+                        "anyOf": [
+                            {
+                                "format": "ipv4"
+                            },
+                            {
+                                "format": "ipv6"
+                            }
+                        ]
+                    },
+                    "remote_port": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "rx_queue": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "state": {
+                        "type": "string"
+                    },
+                    "tx_queue": {
+                        "type": "integer",
+                        "minimum": 0
+                    }
+                },
+                "required": [
+                    "inode",
+                    "local_ip",
+                    "local_port",
+                    "pid",
+                    "process",
+                    "protocol",
+                    "remote_ip",
+                    "remote_port",
+                    "rx_queue",
+                    "state",
+                    "tx_queue"
+                ]
+            }
+        }
+    },
+    "required": [
+        "ports"
+    ]
+}
diff --git a/src/common/data_provider/qa/requirements.txt b/src/common/data_provider/qa/requirements.txt
new file mode 100644
index 0000000000..876fb2f398
--- /dev/null
+++ b/src/common/data_provider/qa/requirements.txt
@@ -0,0 +1,2 @@
+pytest==7.2.2
+jsonschema==4.17.3
diff --git a/src/common/data_provider/qa/test_hardware.py b/src/common/data_provider/qa/test_hardware.py
new file mode 100644
index 0000000000..3085a8e6f2
--- /dev/null
+++ b/src/common/data_provider/qa/test_hardware.py
@@ -0,0 +1,56 @@
+import json
+import platform
+import subprocess
+from pathlib import Path
+
+import pytest
+from jsonschema import validate
+from jsonschema.exceptions import ValidationError
+
+
+def call_binary(binary_path):
+    try:
+        # Run the binary and capture its output
+        result = subprocess.run(
+            [binary_path], capture_output=True, check=True, text=True)
+        return result.stdout.strip()
+    except subprocess.CalledProcessError as e:
+        raise RuntimeError(f"Error while executing the binary: {e}") from e
+
+
+def validate_hardware_json(json_data):
+    # Path to the schema file
+    schema_file = Path("qa", "hardware_schema.json")
+
+    # Load the schema from the file
+    with open(schema_file, "r") as f:
+        hardware_schema = json.load(f)
+
+    try:
+        # Validate the JSON data against the schema
+        validate(instance=json_data, schema=hardware_schema)
+    except ValidationError as e:
+        # If the validation fails, print the error message
+        pytest.fail(f"The output does not comply with the schema: {e}")
+
+
+def test_json_output():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path)
+
+    # Verify that the output is valid JSON
+    try:
+        json_data = json.loads(output)
+    except json.JSONDecodeError as e:
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+    # Validate that the JSON complies with the schema
+    validate_hardware_json(json_data)
diff --git a/src/common/data_provider/qa/test_macports.py b/src/common/data_provider/qa/test_macports.py
new file mode 100644
index 0000000000..5f2740fe01
--- /dev/null
+++ b/src/common/data_provider/qa/test_macports.py
@@ -0,0 +1,51 @@
+import json
+import platform
+import subprocess
+from pathlib import Path
+
+import pytest
+import sys
+from jsonschema import validate
+from jsonschema.exceptions import ValidationError
+
+
+def call_binary(binary_path, parameter):
+    try:
+        # Run the binary and capture its output
+        result = subprocess.run(
+            [binary_path, parameter], capture_output=True, check=True, text=True)
+        return result.stdout.strip()
+    except subprocess.CalledProcessError as e:
+        raise RuntimeError(f"Error while executing the binary: {e}") from e
+
+
+def validate_json_output(json_data):
+    contains_pkg = False
+    for package in json_data['packages']:
+        if package['format'] == "macports":
+            contains_pkg = True
+            break
+    if not contains_pkg:
+        pytest.fail(f"The output does not contain any macports package")
+
+
+@pytest.mark.skipif(sys.platform != "darwin", reason="test for MacOS only")
+def test_json_output():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool"
+    binary_path_folder = "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path, "--packages")
+    # Verify that the output is valid JSON
+    try:
+        json_data = json.loads(output)
+    except json.JSONDecodeError as e:
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+    # Validate that the JSON output contains macports packages.
+    validate_json_output(json_data)
diff --git a/src/common/data_provider/qa/test_network.py b/src/common/data_provider/qa/test_network.py
new file mode 100644
index 0000000000..de6d094dfb
--- /dev/null
+++ b/src/common/data_provider/qa/test_network.py
@@ -0,0 +1,58 @@
+import json
+import platform
+import subprocess
+from pathlib import Path
+
+import pytest
+from jsonschema import validate
+from jsonschema.exceptions import ValidationError
+
+
+def call_binary(binary_path):
+    # Run the binary and capture its output
+    command =  f"{binary_path}" if platform.system() == "Windows" else f"sudo {binary_path}"
+    result = subprocess.run(command, capture_output=True, check=False, text=True, shell=True)
+    if result.returncode != 0 or result.stderr:
+        print(result.stdout)
+        print(result.stderr)
+        pytest.fail("The execution of the test tool failed.")
+    return result.stdout.strip()
+
+def validate_network_json(json_data):
+    # Path to the schema file
+    schema_file = Path("qa", "network_schema.json")
+
+    # Load the schema from the file
+    with open(schema_file, "r") as f:
+        network_schema = json.load(f)
+
+    try:
+        # Validate the JSON data against the schema
+        validate(instance=json_data, schema=network_schema)
+    except ValidationError as e:
+        # If the validation fails, print the error message
+        print(json_data)
+        pytest.fail(f"The output does not comply with the schema: {e}")
+
+
+def test_json_output():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path)
+
+    # Verify that the output is valid JSON
+    try:
+        json_data = json.loads(output)
+    except json.JSONDecodeError as e:
+        print(output)
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+    # Validate that the JSON complies with the schema
+    validate_network_json(json_data)
diff --git a/src/common/data_provider/qa/test_packages.py b/src/common/data_provider/qa/test_packages.py
new file mode 100644
index 0000000000..f37d6f6a6d
--- /dev/null
+++ b/src/common/data_provider/qa/test_packages.py
@@ -0,0 +1,139 @@
+import json
+import platform
+import subprocess
+from pathlib import Path
+
+import pytest
+import sys
+from jsonschema import validate
+from jsonschema.exceptions import ValidationError
+
+
+def call_binary(binary_path, parameter):
+    try:
+        command =  f"{binary_path}" if platform.system() == "Windows" else f"sudo {binary_path}"
+        # Run the binary and capture its output
+        result = subprocess.run(
+            [command, parameter], capture_output=True, check=False, text=True, shell=True)
+        return result.stdout.strip()
+    except subprocess.CalledProcessError as e:
+        raise RuntimeError(f"Error while executing the binary: {e}") from e
+
+
+def validate_packages_json(json_data):
+    # Path to the schema file
+    schema_file = Path("qa", "packages_schema.json")
+
+    # Load the schema from the file
+    with open(schema_file, "r") as f:
+        packages_schema = json.load(f)
+
+    try:
+        # Validate the JSON data against the schema
+        validate(instance=json_data, schema=packages_schema)
+    except ValidationError as e:
+        # If the validation fails, print the error message
+        if len(e.absolute_path) >= 3:
+            pkg_name=json_data['packages'][e.absolute_path[1]]['name']
+            pkg_format=json_data['packages'][e.absolute_path[1]]['format']
+            pytest.fail(f"The output for package '{pkg_name}' with format '{pkg_format}' does not comply with the schema, in the field '{e.absolute_path[2]}': {e}")
+        else:
+            pytest.fail(f"The output does not comply with the schema: {e}")
+
+
+def test_json_output():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path, "--packages")
+    # Verify that the output is valid JSON
+    try:
+        json_data = json.loads(output)
+    except json.JSONDecodeError as e:
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+    # Validate that the JSON complies with the schema
+    validate_packages_json(json_data)
+
+def test_packages_pypi():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path, "--packages")
+
+    # Call pip3 and get the list of installed packages
+    result = subprocess.run(
+        ["pip3", "list", "--format", "json"], capture_output=True, check=False, text=True)
+    pip_output = result.stdout.strip()
+
+    # Compare the list of installed packages with the list from the binary
+    try:
+        pip_json_data = json.loads(pip_output)
+        json_data = json.loads(output)
+
+        # Check if each element of pip_json_data exists in json_data array.
+        for pkg in pip_json_data:
+            found = False
+            for pkg2 in json_data['packages']:
+                if pkg['name'] == pkg2['name'] and pkg['version'] == pkg2['version']:
+                    found = True
+                    break
+            assert found, f"The package {pkg['name']} is not found in the output of the binary"
+
+    except json.JSONDecodeError as e:
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+@pytest.mark.skipif(sys.platform == "win32", reason="test for Linux and macOS only")
+def test_packages_npm():
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path, "--packages")
+
+    # Call npm and get the list of installed packages
+    if platform.system() == "Windows":
+        result = subprocess.run(
+            ["npm", "list", "--json"], capture_output=True, check=False, text=True, shell=True)
+    else:
+        result = subprocess.run(
+            ["npm", "list", "-g","--json"], capture_output=True, check=False, text=True)
+
+    npm_output = result.stdout.strip()
+
+    # Compare the list of installed packages with the list from the binary
+    try:
+        npm_json_data = json.loads(npm_output)
+        json_data = json.loads(output)
+
+        # Check if each element of npm_json_data exists in json_data array.
+        for pkg in npm_json_data['dependencies']:
+            # Exclude if starts with @
+            if pkg.startswith('@'):
+                continue
+            found = False
+            for pkg2 in json_data['packages']:
+                if pkg == pkg2['name']:
+                    found = True
+                    break
+            assert found, f"The package {pkg} is not found in the output of the binary"
+
+    except json.JSONDecodeError as e:
+        pytest.fail(f"The output is not valid JSON: {e}")
diff --git a/src/common/data_provider/qa/test_ports.py b/src/common/data_provider/qa/test_ports.py
new file mode 100644
index 0000000000..58ff24b612
--- /dev/null
+++ b/src/common/data_provider/qa/test_ports.py
@@ -0,0 +1,72 @@
+import json
+import platform
+import subprocess
+from pathlib import Path
+
+import pytest
+from jsonschema import validate
+from jsonschema.exceptions import ValidationError
+
+
+def call_binary(binary_path):
+    """This method runs the binary and capture its output.
+
+    Args:
+        binary_path: the path of the binary to run.
+
+    Returns:
+        _type_: the standard output of the binary execution.
+    """
+    command =  f"{binary_path}" if platform.system() == "Windows" else f"sudo {binary_path}"
+    result = subprocess.run(command, capture_output=True, check=False, text=True, shell=True)
+    if result.returncode != 0 or result.stderr:
+        print(result.stdout)
+        print(result.stderr)
+        pytest.fail("The execution of the test tool failed.")
+    return result.stdout.strip()
+
+def validate_ports_json(json_data):
+    """Validates the output against the schema.
+
+    Args:
+        json_data: the JSON data to validate.
+    """
+    # Path to the schema file
+    schema_file = Path("qa", "ports_schema.json")
+
+    # Load the schema from the file
+    with open(schema_file, "r") as f:
+        ports_schema = json.load(f)
+
+    try:
+        # Validate the JSON data against the schema
+        validate(instance=json_data, schema=ports_schema)
+    except ValidationError as e:
+        # If the validation fails, print the error message
+        print(json_data)
+        pytest.fail(f"The output does not comply with the schema: {e}")
+
+
+def test_json_output():
+    """This method tests the output of the test tool against the proper schema.
+    """
+    # Path to the shared library
+    binary_filename = "sysinfo_test_tool.exe" if platform.system() == "Windows" else "sysinfo_test_tool"
+    binary_path_folder = "C:\\data_provider" if platform.system() == "Windows" else "build/bin"
+    binary_path = Path(binary_path_folder, binary_filename)
+
+    # Ensure the binary exists
+    assert binary_path.exists(), f"The binary is not found at {binary_path}"
+
+    # Call the binary and get the JSON output
+    output = call_binary(binary_path)
+
+    # Verify that the output is valid JSON
+    try:
+        json_data = json.loads(output)
+    except json.JSONDecodeError as e:
+        print(output)
+        pytest.fail(f"The output is not valid JSON: {e}")
+
+    # Validate that the JSON complies with the schema
+    validate_ports_json(json_data)
diff --git a/src/common/data_provider/src/UtilsWrapperUnix.cpp b/src/common/data_provider/src/UtilsWrapperUnix.cpp
new file mode 100644
index 0000000000..896fd757bb
--- /dev/null
+++ b/src/common/data_provider/src/UtilsWrapperUnix.cpp
@@ -0,0 +1,40 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 17, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <cerrno>
+#include <cstring>
+#include <system_error>
+
+#include "UtilsWrapperUnix.hpp"
+
+int UtilsWrapperUnix::createSocket(int domain, int type, int protocol)
+{
+    auto fd { socket(domain, type, protocol) };
+
+    if (-1 == fd)
+    {
+        throw std::system_error{errno, std::system_category(), std::strerror(errno)};
+    }
+
+    return fd;
+}
+
+int UtilsWrapperUnix::ioctl(int fd, unsigned long request, char* argp)
+{
+    const auto retVal { ::ioctl(fd, request, argp) };
+
+    if (-1 == retVal)
+    {
+        throw std::system_error{errno, std::system_category(), std::strerror(errno)};
+    }
+
+    return retVal;
+}
diff --git a/src/common/data_provider/src/UtilsWrapperUnix.hpp b/src/common/data_provider/src/UtilsWrapperUnix.hpp
new file mode 100644
index 0000000000..69b7780943
--- /dev/null
+++ b/src/common/data_provider/src/UtilsWrapperUnix.hpp
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 17, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _UTILS_WRAPPER_UNIX_H
+#define _UTILS_WRAPPER_UNIX_H
+
+#include <stdexcept>
+
+#include <sys/socket.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <stropts.h>
+
+class UtilsWrapperUnix
+{
+    public:
+        static int createSocket(int domain, int type, int protocol);
+        static int ioctl(int fd, unsigned long request, char* argp);
+};
+
+#endif // _UTILS_WRAPPER_UNIX_H
diff --git a/src/common/data_provider/src/hardware/architectureDependantARMMac.cpp b/src/common/data_provider/src/hardware/architectureDependantARMMac.cpp
new file mode 100644
index 0000000000..208214a2b5
--- /dev/null
+++ b/src/common/data_provider/src/hardware/architectureDependantARMMac.cpp
@@ -0,0 +1,138 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "hardwareWrapperImplMac.h"
+
+#if (MAC_OS_X_VERSION_MAX_ALLOWED < 120000)
+#define kIOMainPortDefault kIOMasterPortDefault
+#endif
+
+double getMhz(IOsPrimitivesMac* osPrimitives)
+{
+    constexpr auto MHz{1000000};
+    uint64_t cpuHz = 0;
+
+    auto matching = osPrimitives->IOServiceMatching("AppleARMIODevice");
+
+    if (matching == nullptr)
+    {
+        throw std::system_error
+        {
+            0,
+            std::system_category(),
+            "Error on library function call IOServiceMatching."
+        };
+    }
+
+    io_iterator_t device_it = 0;
+    auto kr = osPrimitives->IOServiceGetMatchingServices(kIOMainPortDefault, matching, &device_it);
+
+    if (kr != KERN_SUCCESS)
+    {
+        throw std::system_error
+        {
+            kr,
+            std::system_category(),
+            "Error on library function call IOServiceGetMatchingServices."
+        };
+    }
+
+    DEFER([osPrimitives, device_it]()
+    {
+        osPrimitives->IOObjectRelease(device_it);
+    });
+
+    io_object_t device = 0;
+
+    while ((device = osPrimitives->IOIteratorNext(device_it)))
+    {
+        DEFER([osPrimitives, device]()
+        {
+            osPrimitives->IOObjectRelease(device);
+        });
+
+        io_name_t buf;
+        kr = osPrimitives->IORegistryEntryGetName(device, buf);
+
+        if (kr != KERN_SUCCESS)
+        {
+            continue;
+        }
+
+        std::string name(buf);
+
+        if (name.compare("pmgr"))
+        {
+            continue;
+        }
+
+        CFMutableDictionaryRef properties;
+        kr = osPrimitives->IORegistryEntryCreateCFProperties(device, &properties, kCFAllocatorDefault, kNilOptions);
+
+        if (kr != KERN_SUCCESS)
+        {
+            throw std::system_error
+            {
+                kr,
+                std::system_category(),
+                "Error on library function call IORegistryEntryCreateCFProperties."
+            };
+        }
+
+        DEFER([osPrimitives, properties]()
+        {
+            osPrimitives->CFRelease(properties);
+        });
+
+        // voltage-states5-sram contains the performance cores available frequencies
+        CFStringRef cfkey = osPrimitives->CFStringCreateWithCString(kCFAllocatorDefault, "voltage-states5-sram", kCFStringEncodingUTF8);
+        DEFER([osPrimitives, cfkey]()
+        {
+            osPrimitives->CFRelease(cfkey);
+        });
+
+        auto p_cores_freq_property = static_cast<CFDataRef>(osPrimitives->CFDictionaryGetValue(properties, cfkey));
+
+        if (p_cores_freq_property == nullptr)
+        {
+            throw std::system_error
+            {
+                0,
+                std::system_category(),
+                "Error on library function call CFDictionaryGetValue."
+            };
+        }
+
+        auto p_cores_freq_type = osPrimitives->CFGetTypeID(p_cores_freq_property);
+
+        if (p_cores_freq_type != osPrimitives->CFDataGetTypeID())
+        {
+            throw std::system_error
+            {
+                0,
+                std::system_category(),
+                "CF type id of p_cores_freq_property is not Data type id."
+            };
+        }
+
+        size_t length = osPrimitives->CFDataGetLength(p_cores_freq_property);
+
+        // The frequencies are in hz, saved in an array as little endian 4 byte integers
+        for (size_t i = 0; i < length - 3; i += sizeof(uint32_t))
+        {
+            uint32_t cur_freq = 0;
+            osPrimitives->CFDataGetBytes(p_cores_freq_property, osPrimitives->CFRangeMake(i, sizeof(uint32_t)), reinterpret_cast<UInt8*>(&cur_freq));
+            cpuHz = std::max(cpuHz, static_cast<uint64_t>(cur_freq));
+        }
+    }
+
+    return static_cast<double>(cpuHz) / MHz;
+}
diff --git a/src/common/data_provider/src/hardware/architectureDependantX86_64Mac.cpp b/src/common/data_provider/src/hardware/architectureDependantX86_64Mac.cpp
new file mode 100644
index 0000000000..f985e70820
--- /dev/null
+++ b/src/common/data_provider/src/hardware/architectureDependantX86_64Mac.cpp
@@ -0,0 +1,32 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "hardwareWrapperImplMac.h"
+
+double getMhz(IOsPrimitivesMac* osPrimitives)
+{
+    constexpr auto MHz{1000000};
+    uint64_t cpuHz{0};
+    size_t len{sizeof(cpuHz)};
+    int ret{osPrimitives->sysctlbyname("hw.cpufrequency", &cpuHz, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading cpu frequency."
+        };
+    }
+
+    return static_cast<double>(cpuHz) / MHz;
+}
diff --git a/src/common/data_provider/src/hardware/factoryHardwareFamilyCreator.h b/src/common/data_provider/src/hardware/factoryHardwareFamilyCreator.h
new file mode 100644
index 0000000000..137a274247
--- /dev/null
+++ b/src/common/data_provider/src/hardware/factoryHardwareFamilyCreator.h
@@ -0,0 +1,45 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FACTORY_HARDWARE_FAMILY_CREATOR_H
+#define _FACTORY_HARDWARE_FAMILY_CREATOR_H
+
+#include <memory>
+#include "json.hpp"
+#include "hardwareInterface.h"
+#include "hardwareWrapperInterface.h"
+#include "hardwareImplMac.h"
+#include "sharedDefs.h"
+
+template <OSPlatformType osType>
+class FactoryHardwareFamilyCreator final
+{
+    public:
+        static std::shared_ptr<IOSHardware> create(const std::shared_ptr<IOSHardwareWrapper>& /*wrapperInterface*/)
+        {
+            throw std::runtime_error
+            {
+                "Error creating network data retriever."
+            };
+        }
+};
+
+template <>
+class FactoryHardwareFamilyCreator<OSPlatformType::BSDBASED> final
+{
+    public:
+        static std::shared_ptr<IOSHardware> create(const std::shared_ptr<IOSHardwareWrapper>& wrapperInterface)
+        {
+            return FactoryBSDHardware::create(wrapperInterface);
+        }
+};
+
+#endif // _FACTORY_HARDWARE_FAMILY_CREATOR_H
diff --git a/src/common/data_provider/src/hardware/hardwareImplMac.h b/src/common/data_provider/src/hardware/hardwareImplMac.h
new file mode 100644
index 0000000000..6a85065bd8
--- /dev/null
+++ b/src/common/data_provider/src/hardware/hardwareImplMac.h
@@ -0,0 +1,50 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _HARDWARE_IMPL_MAC_H
+#define _HARDWARE_IMPL_MAC_H
+
+#include "hardwareInterface.h"
+#include "hardwareWrapperInterface.h"
+
+class OSHardwareMac final : public IOSHardware
+{
+        std::shared_ptr<IOSHardwareWrapper> m_wrapper;
+    public:
+        explicit OSHardwareMac(const std::shared_ptr<IOSHardwareWrapper>& wrapper)
+            : m_wrapper(wrapper)
+        { }
+        // LCOV_EXCL_START
+        ~OSHardwareMac() = default;
+        // LCOV_EXCL_STOP
+
+        void buildHardwareData(nlohmann::json& hardware) override
+        {
+            hardware["board_serial"] = m_wrapper->boardSerial();
+            hardware["cpu_name"] = m_wrapper->cpuName();
+            hardware["cpu_cores"] = m_wrapper->cpuCores();
+            hardware["cpu_mhz"] = m_wrapper->cpuMhz();
+            hardware["ram_total"] = m_wrapper->ramTotal();
+            hardware["ram_free"] = m_wrapper->ramFree();
+            hardware["ram_usage"] = m_wrapper->ramUsage();
+        }
+};
+
+class FactoryBSDHardware final
+{
+    public:
+        static std::shared_ptr<IOSHardware>create(const std::shared_ptr<IOSHardwareWrapper>& wrapper)
+        {
+            return std::make_shared<OSHardwareMac>(wrapper);
+        }
+};
+
+#endif // _HARDWARE_IMPL_MAC_H
diff --git a/src/common/data_provider/src/hardware/hardwareInterface.h b/src/common/data_provider/src/hardware/hardwareInterface.h
new file mode 100644
index 0000000000..33525165d1
--- /dev/null
+++ b/src/common/data_provider/src/hardware/hardwareInterface.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _HARDWARE_INTERFACE_H
+#define _HARDWARE_INTERFACE_H
+
+#include "json.hpp"
+
+class IOSHardware
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IOSHardware() = default;
+        // LCOV_EXCL_STOP
+        virtual void buildHardwareData(nlohmann::json& hardware) = 0;
+};
+
+#endif // _HARDWARE_INTERFACE_H
diff --git a/src/common/data_provider/src/hardware/hardwareWrapperImplMac.h b/src/common/data_provider/src/hardware/hardwareWrapperImplMac.h
new file mode 100644
index 0000000000..701571c987
--- /dev/null
+++ b/src/common/data_provider/src/hardware/hardwareWrapperImplMac.h
@@ -0,0 +1,180 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _HARDWARE_WRAPPER_IMPL_MAC_H
+#define _HARDWARE_WRAPPER_IMPL_MAC_H
+
+#include <sys/sysctl.h>
+#include "hardwareWrapperInterface.h"
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "defer.hpp"
+#include "osPrimitivesInterfaceMac.h"
+#include "utilsWrapperMac.hpp"
+#include "sharedDefs.h"
+
+
+double getMhz(IOsPrimitivesMac* osPrimitives = nullptr);
+
+template <class TOsPrimitivesMac>
+class OSHardwareWrapperMac final : public IOSHardwareWrapper, public TOsPrimitivesMac
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~OSHardwareWrapperMac() = default;
+        // LCOV_EXCL_STOP
+
+        std::string boardSerial() const
+        {
+            std::string ret{UNKNOWN_VALUE};
+            const auto rawData{UtilsWrapperMac::exec("system_profiler SPHardwareDataType | grep Serial")};
+
+            if (!rawData.empty())
+                ret = Utils::trim(rawData.substr(rawData.find(":")), " :\t\r\n");
+
+            return ret;
+        }
+
+        std::string cpuName() const
+        {
+            size_t len{0};
+            auto ret{this->sysctlbyname("machdep.cpu.brand_string", nullptr, &len, nullptr, 0)};
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error getting cpu name size."
+                };
+            }
+
+            const auto spBuff{std::make_unique<char[]>(len + 1)};
+
+            if (!spBuff)
+            {
+                throw std::runtime_error
+                {
+                    "Error allocating memory to read the cpu name."
+                };
+            }
+
+            ret = this->sysctlbyname("machdep.cpu.brand_string", spBuff.get(), &len, nullptr, 0);
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error getting cpu name"
+                };
+            }
+
+            spBuff.get()[len] = 0;
+            return std::string{reinterpret_cast<const char*>(spBuff.get())};
+        }
+
+        int cpuCores() const
+        {
+            int cores{0};
+            size_t len{sizeof(cores)};
+            const std::vector<int> mib{CTL_HW, HW_NCPU};
+            const auto ret{this->sysctl(const_cast<int*>(mib.data()), mib.size(), &cores, &len, nullptr, 0)};
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error reading cpu cores number."
+                };
+            }
+
+            return cores;
+        }
+
+        double cpuMhz()
+        {
+            return getMhz(static_cast<IOsPrimitivesMac*>(this));
+        }
+
+        uint64_t ramTotal() const
+        {
+            uint64_t ramTotal{0};
+            size_t len{sizeof(ramTotal)};
+            auto ret{this->sysctlbyname("hw.memsize", &ramTotal, &len, nullptr, 0)};
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error reading total RAM."
+                };
+            }
+
+            return ramTotal / KByte;
+        }
+
+        uint64_t ramFree() const
+        {
+            u_int pageSize{0};
+            size_t len{sizeof(pageSize)};
+            auto ret{this->sysctlbyname("vm.pagesize", &pageSize, &len, nullptr, 0)};
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error reading page size."
+                };
+            }
+
+            uint64_t freePages{0};
+            len = sizeof(freePages);
+            ret = this->sysctlbyname("vm.page_free_count", &freePages, &len, nullptr, 0);
+
+            if (ret)
+            {
+                throw std::system_error
+                {
+                    ret,
+                    std::system_category(),
+                    "Error reading pages free count."
+                };
+            }
+
+            return (freePages * pageSize) / KByte;
+        }
+
+        uint64_t ramUsage() const
+        {
+            uint64_t ret{0};
+            const auto ramTotal{this->ramTotal()};
+
+            if (ramTotal)
+            {
+                ret = 100 - (100 * ramFree() / ramTotal);
+            }
+
+            return ret;
+        }
+};
+
+
+#endif // _HARDWARE_WRAPPER_IMPL_MAC_H
diff --git a/src/common/data_provider/src/hardware/hardwareWrapperInterface.h b/src/common/data_provider/src/hardware/hardwareWrapperInterface.h
new file mode 100644
index 0000000000..04169133cc
--- /dev/null
+++ b/src/common/data_provider/src/hardware/hardwareWrapperInterface.h
@@ -0,0 +1,33 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _HARDWARE_WRAPPER_INTERFACE_H
+#define _HARDWARE_WRAPPER_INTERFACE_H
+
+#include <cstdint>
+#include <string>
+
+class IOSHardwareWrapper
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IOSHardwareWrapper() = default;
+        // LCOV_EXCL_STOP
+
+        virtual std::string boardSerial() const = 0;
+        virtual std::string cpuName() const = 0;
+        virtual int cpuCores() const = 0;
+        virtual double cpuMhz() = 0;
+        virtual uint64_t ramTotal() const = 0;
+        virtual uint64_t ramFree() const = 0;
+        virtual uint64_t ramUsage() const = 0;
+};
+#endif // _HARDWARE_WRAPPER_INTERFACE_H
diff --git a/src/common/data_provider/src/network/inetworkInterface.h b/src/common/data_provider/src/network/inetworkInterface.h
new file mode 100644
index 0000000000..c2a3830892
--- /dev/null
+++ b/src/common/data_provider/src/network/inetworkInterface.h
@@ -0,0 +1,39 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_INTERFACE_H
+#define _NETWORK_INTERFACE_H
+
+#include "json.hpp"
+
+class IOSNetwork
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IOSNetwork() = default;
+        // LCOV_EXCL_STOP
+        virtual void buildNetworkData(nlohmann::json& network) = 0;
+};
+
+
+struct LinkStats
+{
+    unsigned int rxPackets;    /* total packets received */
+    unsigned int txPackets;    /* total packets transmitted */
+    int64_t rxBytes;                /* total bytes received */
+    int64_t txBytes;                /* total bytes transmitted */
+    unsigned int rxErrors;     /* bad packets received */
+    unsigned int txErrors;     /* packet transmit problems */
+    unsigned int rxDropped;    /* no space in linux buffers */
+    unsigned int txDropped;    /* no space available in linux */
+};
+
+#endif // _NETWORK_INTERFACE_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/network/inetworkWrapper.h b/src/common/data_provider/src/network/inetworkWrapper.h
new file mode 100644
index 0000000000..b92bbc98cf
--- /dev/null
+++ b/src/common/data_provider/src/network/inetworkWrapper.h
@@ -0,0 +1,41 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 26, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_INTERFACE_WRAPPER_H
+#define _NETWORK_INTERFACE_WRAPPER_H
+#include "inetworkInterface.h"
+
+class INetworkInterfaceWrapper
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~INetworkInterfaceWrapper() = default;
+        // LCOV_EXCL_STOP
+        virtual int family() const = 0;
+        virtual std::string name() const = 0;
+        virtual std::string adapter() const = 0;
+        virtual std::string address() const = 0;
+        virtual std::string netmask() const = 0;
+        virtual std::string broadcast() const = 0;
+        virtual std::string addressV6() const = 0;
+        virtual std::string netmaskV6() const = 0;
+        virtual std::string broadcastV6() const = 0;
+        virtual std::string gateway() const = 0;
+        virtual std::string metrics() const = 0;
+        virtual std::string metricsV6() const = 0;
+        virtual std::string dhcp() const = 0;
+        virtual uint32_t mtu() const = 0;
+        virtual LinkStats stats() const = 0;
+        virtual std::string type() const = 0;
+        virtual std::string state() const = 0;
+        virtual std::string MAC() const = 0;
+};
+#endif // _NETWORK_INTERFACE_WRAPPER_H
diff --git a/src/common/data_provider/src/network/networkBSDWrapper.h b/src/common/data_provider/src/network/networkBSDWrapper.h
new file mode 100644
index 0000000000..7456fe9582
--- /dev/null
+++ b/src/common/data_provider/src/network/networkBSDWrapper.h
@@ -0,0 +1,251 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 26, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_BSD_WRAPPER_H
+#define _NETWORK_BSD_WRAPPER_H
+
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/if_dl.h>
+#include <sstream>
+#include <iomanip>
+#include <net/route.h>
+#include <sys/sysctl.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include "inetworkWrapper.h"
+#include "networkHelper.h"
+#include "makeUnique.h"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+
+static const std::map<std::pair<int, int>, std::string> NETWORK_INTERFACE_TYPE =
+{
+    { std::make_pair(IFT_ETHER, IFT_ETHER),                     "ethernet"       },
+    { std::make_pair(IFT_ISO88023, IFT_ISO88023),               "CSMA/CD"        },
+    { std::make_pair(IFT_ISO88024, IFT_ISO88025),               "token ring"     },
+    { std::make_pair(IFT_FDDI, IFT_FDDI),                       "FDDI"           },
+    { std::make_pair(IFT_PPP, IFT_PPP),                         "point-to-point" },
+    { std::make_pair(IFT_ATM, IFT_ATM),                         "ATM"            },
+};
+
+class NetworkBSDInterface final : public INetworkInterfaceWrapper
+{
+        ifaddrs* m_interfaceAddress;
+        const std::string m_scanTime;
+
+    public:
+        explicit NetworkBSDInterface(ifaddrs* addrs)
+            : m_interfaceAddress{addrs}
+        {
+            if (!addrs)
+            {
+                throw std::runtime_error { "Nullptr instances of network interface" };
+            }
+        }
+
+        std::string name() const override
+        {
+            return m_interfaceAddress->ifa_name ? Utils::substrOnFirstOccurrence(m_interfaceAddress->ifa_name, ":") : "";
+        }
+
+        std::string adapter() const override
+        {
+            return "";
+        }
+
+        int family() const override
+        {
+            return m_interfaceAddress->ifa_addr ? m_interfaceAddress->ifa_addr->sa_family : AF_UNSPEC;
+        }
+
+        std::string address() const override
+        {
+            return m_interfaceAddress->ifa_addr ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       this->family(),
+                       &(reinterpret_cast<sockaddr_in*>(m_interfaceAddress->ifa_addr))->sin_addr) : "";
+        }
+
+        std::string netmask() const override
+        {
+            return m_interfaceAddress->ifa_netmask ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       m_interfaceAddress->ifa_netmask->sa_family,
+                       &(reinterpret_cast<sockaddr_in*>(m_interfaceAddress->ifa_netmask))->sin_addr) : "";
+        }
+
+        std::string broadcast() const override
+        {
+            return m_interfaceAddress->ifa_dstaddr ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       m_interfaceAddress->ifa_dstaddr->sa_family,
+                       &(reinterpret_cast<sockaddr_in*>(m_interfaceAddress->ifa_dstaddr))->sin_addr) : "";
+        }
+
+        std::string addressV6() const override
+        {
+            return m_interfaceAddress->ifa_addr ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       m_interfaceAddress->ifa_addr->sa_family,
+                       &(reinterpret_cast<sockaddr_in6*>(m_interfaceAddress->ifa_addr))->sin6_addr) : "";
+        }
+
+        std::string netmaskV6() const override
+        {
+            return m_interfaceAddress->ifa_netmask ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       m_interfaceAddress->ifa_netmask->sa_family,
+                       &(reinterpret_cast<sockaddr_in6*>(m_interfaceAddress->ifa_netmask))->sin6_addr) : "";
+        }
+
+        std::string broadcastV6() const override
+        {
+            return m_interfaceAddress->ifa_dstaddr ?
+                   Utils::NetworkHelper::IAddressToBinary(
+                       m_interfaceAddress->ifa_dstaddr->sa_family,
+                       &(reinterpret_cast<sockaddr_in6*>(m_interfaceAddress->ifa_dstaddr))->sin6_addr) : "";
+        }
+
+        std::string gateway() const override
+        {
+            std::string retVal;
+            size_t tableSize { 0 };
+            int mib[] = { CTL_NET, AF_ROUTE, 0, AF_UNSPEC, NET_RT_FLAGS, RTF_UP | RTF_GATEWAY };
+
+            if (sysctl(mib, sizeof(mib) / sizeof(int), nullptr, &tableSize, nullptr, 0) == 0)
+            {
+                std::unique_ptr<char[]> table { std::make_unique<char[]>(tableSize) };
+
+                if (sysctl(mib, sizeof(mib) / sizeof(int), table.get(), &tableSize, nullptr, 0) == 0)
+                {
+                    size_t messageLength { 0 };
+
+                    for (char* p = table.get(); p < table.get() + tableSize; p += messageLength)
+                    {
+                        auto msg { reinterpret_cast<rt_msghdr*>(p) };
+                        auto sa { reinterpret_cast<sockaddr*>(msg + 1) };
+                        auto sdl { reinterpret_cast<sockaddr_dl*>(m_interfaceAddress->ifa_addr) };
+
+                        if (sdl &&
+                                (msg->rtm_addrs & RTA_GATEWAY) == RTA_GATEWAY &&
+                                msg->rtm_index == sdl->sdl_index)
+                        {
+                            auto sock { reinterpret_cast<sockaddr*>(reinterpret_cast<char*>(sa) + ROUNDUP(sa->sa_len)) };
+
+                            if (sock && AF_INET == sock->sa_family)
+                            {
+                                retVal = Utils::NetworkHelper::IAddressToBinary(AF_INET, &reinterpret_cast<sockaddr_in*>(sock)->sin_addr);
+                            }
+
+                            break;
+                        }
+
+                        messageLength = msg->rtm_msglen;
+                    }
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string metrics() const override
+        {
+            return "";
+        }
+
+        std::string metricsV6() const override
+        {
+            return "";
+        }
+
+        std::string dhcp() const override
+        {
+            return "unknown";
+        }
+
+        uint32_t mtu() const override
+        {
+            return m_interfaceAddress->ifa_data ? reinterpret_cast<if_data*>(m_interfaceAddress->ifa_data)->ifi_mtu : 0;
+        }
+
+        LinkStats stats() const override
+        {
+            const auto stats { reinterpret_cast<if_data*>(m_interfaceAddress->ifa_data) };
+            LinkStats retVal {};
+
+            if (stats)
+            {
+                retVal.txPackets    = stats->ifi_opackets;
+                retVal.rxPackets    = stats->ifi_ipackets;
+                retVal.txBytes      = stats->ifi_obytes;
+                retVal.rxBytes      = stats->ifi_ibytes;
+                retVal.txErrors     = stats->ifi_oerrors;
+                retVal.rxErrors     = stats->ifi_ierrors;
+                retVal.rxDropped    = stats->ifi_iqdrops;
+            }
+
+            return retVal;
+        }
+
+        std::string type() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+
+            if (m_interfaceAddress->ifa_addr)
+            {
+                auto sdl { reinterpret_cast<struct sockaddr_dl*>(m_interfaceAddress->ifa_addr) };
+                const auto type { Utils::NetworkHelper::getNetworkTypeStringCode(sdl->sdl_type, NETWORK_INTERFACE_TYPE) };
+                retVal = type.empty() ? UNKNOWN_VALUE : type;
+            }
+
+            return retVal;
+        }
+
+        std::string state() const override
+        {
+            return m_interfaceAddress->ifa_flags & IFF_UP ? "up" : "down";
+        }
+
+        std::string MAC() const override
+        {
+            std::string retVal { "00:00:00:00:00:00" };
+            auto sdl { reinterpret_cast<struct sockaddr_dl*>(m_interfaceAddress->ifa_addr) };
+            std::stringstream ss;
+
+            if (sdl && MAC_ADDRESS_COUNT_SEGMENTS == sdl->sdl_alen)
+            {
+                auto macAddress { &sdl->sdl_data[sdl->sdl_nlen] };
+
+                if (macAddress)
+                {
+                    for (auto i = 0ull; i < MAC_ADDRESS_COUNT_SEGMENTS; ++i)
+                    {
+                        ss << std::hex << std::setfill('0') << std::setw(2);
+                        ss << static_cast<int>(static_cast<uint8_t>(macAddress[i]));
+
+                        if (i != MAC_ADDRESS_COUNT_SEGMENTS - 1)
+                        {
+                            ss << ":";
+                        }
+                    }
+
+                    retVal = ss.str();
+                }
+            }
+
+            return retVal;
+        }
+};
+
+#endif //_NETWORK_BSD_WRAPPER_H
diff --git a/src/common/data_provider/src/network/networkFamilyDataAFactory.h b/src/common/data_provider/src/network/networkFamilyDataAFactory.h
new file mode 100644
index 0000000000..5502e75df2
--- /dev/null
+++ b/src/common/data_provider/src/network/networkFamilyDataAFactory.h
@@ -0,0 +1,76 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_FAMILY_DATA_AFACTORY_H
+#define _NETWORK_FAMILY_DATA_AFACTORY_H
+
+#include <memory>
+#include "json.hpp"
+#include "networkInterfaceLinux.h"
+#include "networkInterfaceBSD.h"
+#include "networkInterfaceWindows.h"
+#include "networkInterfaceSolaris.h"
+#include "sharedDefs.h"
+
+template <OSPlatformType osType>
+class FactoryNetworkFamilyCreator final
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& /*interface*/)
+        {
+            throw std::runtime_error
+            {
+                "Error creating network data retriever."
+            };
+        }
+};
+
+template <>
+class FactoryNetworkFamilyCreator<OSPlatformType::LINUX> final
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+        {
+            return FactoryLinuxNetwork::create(interfaceWrapper);
+        }
+};
+
+template <>
+class FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED> final
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+        {
+            return FactoryBSDNetwork::create(interfaceWrapper);
+        }
+};
+
+template <>
+class FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS> final
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+        {
+            return FactoryWindowsNetwork::create(interfaceWrapper);
+        }
+};
+
+template <>
+class FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS> final
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+        {
+            return FactorySolarisNetwork::create(interfaceWrapper);
+        }
+};
+
+#endif // _NETWORK_FAMILY_DATA_AFACTORY_H
diff --git a/src/common/data_provider/src/network/networkInterfaceBSD.cpp b/src/common/data_provider/src/network/networkInterfaceBSD.cpp
new file mode 100644
index 0000000000..e3a8d87ad8
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceBSD.cpp
@@ -0,0 +1,114 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <ifaddrs.h>
+#include "networkInterfaceBSD.h"
+#include "networkBSDWrapper.h"
+
+std::shared_ptr<IOSNetwork> FactoryBSDNetwork::create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+{
+    std::shared_ptr<IOSNetwork> ret;
+
+    if (interfaceWrapper)
+    {
+        const auto family { interfaceWrapper->family() };
+
+        if (AF_INET == family)
+        {
+            ret = std::make_shared<BSDNetworkImpl<AF_INET>>(interfaceWrapper);
+        }
+        else if (AF_INET6 == family)
+        {
+            ret = std::make_shared<BSDNetworkImpl<AF_INET6>>(interfaceWrapper);
+        }
+        else if (AF_LINK == family)
+        {
+            ret = std::make_shared<BSDNetworkImpl<AF_LINK>>(interfaceWrapper);
+        }
+
+        // else: The current interface family is not supported
+    }
+    else
+    {
+        throw std::runtime_error { "Error nullptr interfaceWrapper instance." };
+    }
+
+    return ret;
+}
+
+template <>
+void BSDNetworkImpl<AF_INET>::buildNetworkData(nlohmann::json& network)
+{
+    // Get IPv4 address
+    const auto address { m_interfaceAddress->address() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv4JS {};
+        ipv4JS["address"] = address;
+        ipv4JS["netmask"] = m_interfaceAddress->netmask();
+        ipv4JS["broadcast"] = m_interfaceAddress->broadcast();
+        ipv4JS["metric"] = m_interfaceAddress->metrics();
+        ipv4JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv4"].push_back(ipv4JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV4 address." };
+    }
+}
+template <>
+void BSDNetworkImpl<AF_INET6>::buildNetworkData(nlohmann::json& network)
+{
+    const auto address { m_interfaceAddress->addressV6() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv6JS {};
+        ipv6JS["address"] = address;
+        ipv6JS["netmask"] = m_interfaceAddress->netmaskV6();
+        ipv6JS["broadcast"] = m_interfaceAddress->broadcastV6();
+        ipv6JS["metric"] = m_interfaceAddress->metricsV6();
+        ipv6JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv6"].push_back(ipv6JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV4 address." };
+    }
+}
+template <>
+void BSDNetworkImpl<AF_LINK>::buildNetworkData(nlohmann::json& network)
+{
+    /* Get stats of interface */
+
+    network["name"] = m_interfaceAddress->name();
+    network["adapter"] = m_interfaceAddress->adapter();
+    network["state"] = m_interfaceAddress->state();
+    network["type"] = m_interfaceAddress->type();
+    network["mac"] = m_interfaceAddress->MAC();
+
+    const auto stats { m_interfaceAddress->stats() };
+
+    network["tx_packets"] = stats.txPackets;
+    network["rx_packets"] = stats.rxPackets;
+    network["tx_bytes"] = stats.txBytes;
+    network["rx_bytes"] = stats.rxBytes;
+    network["tx_errors"] = stats.txErrors;
+    network["rx_errors"] = stats.rxErrors;
+    network["tx_dropped"] = stats.txDropped;
+    network["rx_dropped"] = stats.rxDropped;
+
+    network["mtu"] = m_interfaceAddress->mtu();
+    network["gateway"] = m_interfaceAddress->gateway();
+}
diff --git a/src/common/data_provider/src/network/networkInterfaceBSD.h b/src/common/data_provider/src/network/networkInterfaceBSD.h
new file mode 100644
index 0000000000..16524c8969
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceBSD.h
@@ -0,0 +1,38 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_BSD_H
+#define _NETWORK_BSD_H
+
+#include "inetworkInterface.h"
+#include "inetworkWrapper.h"
+
+class FactoryBSDNetwork
+{
+    public:
+        static std::shared_ptr<IOSNetwork>create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper);
+};
+
+template <unsigned short osNetworkType>
+class BSDNetworkImpl final : public IOSNetwork
+{
+        const std::shared_ptr<INetworkInterfaceWrapper> m_interfaceAddress;
+    public:
+        explicit BSDNetworkImpl(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceAddress)
+            : m_interfaceAddress(interfaceAddress)
+        { }
+        void buildNetworkData(nlohmann::json& /*network*/) override
+        {
+            throw std::runtime_error { "Non implemented specialization." };
+        }
+};
+
+#endif // _NETWORK_BSD_H
diff --git a/src/common/data_provider/src/network/networkInterfaceLinux.cpp b/src/common/data_provider/src/network/networkInterfaceLinux.cpp
new file mode 100644
index 0000000000..0cb72f4b78
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceLinux.cpp
@@ -0,0 +1,114 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <netdb.h>
+#include <ifaddrs.h>
+#include "networkInterfaceLinux.h"
+#include "networkLinuxWrapper.h"
+
+std::shared_ptr<IOSNetwork> FactoryLinuxNetwork::create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+{
+    std::shared_ptr<IOSNetwork> ret;
+
+    if (interfaceWrapper)
+    {
+        const auto family { interfaceWrapper->family() };
+
+        if (AF_INET == family)
+        {
+            ret = std::make_shared<LinuxNetworkImpl<AF_INET>>(interfaceWrapper);
+        }
+        else if (AF_INET6 == family)
+        {
+            ret = std::make_shared<LinuxNetworkImpl<AF_INET6>>(interfaceWrapper);
+        }
+        else if (AF_PACKET == family)
+        {
+            ret = std::make_shared<LinuxNetworkImpl<AF_PACKET>>(interfaceWrapper);
+        }
+
+        // else: The current interface family is not supported
+    }
+    else
+    {
+        throw std::runtime_error { "Error nullptr interfaceWrapper instance." };
+    }
+
+    return ret;
+}
+
+template <>
+void LinuxNetworkImpl<AF_INET>::buildNetworkData(nlohmann::json& network)
+{
+    // Get IPv4 address
+    const auto address { m_interfaceAddress->address() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv4JS { };
+        ipv4JS["address"] = address;
+        ipv4JS["netmask"] = m_interfaceAddress->netmask();
+        ipv4JS["broadcast"] = m_interfaceAddress->broadcast();
+        ipv4JS["metric"] = m_interfaceAddress->metrics();
+        ipv4JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv4"].push_back(ipv4JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV4 address." };
+    }
+}
+template <>
+void LinuxNetworkImpl<AF_INET6>::buildNetworkData(nlohmann::json& network)
+{
+    const auto address { m_interfaceAddress->addressV6() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv6JS {};
+        ipv6JS["address"] = address;
+        ipv6JS["netmask"] = m_interfaceAddress->netmaskV6();
+        ipv6JS["broadcast"] = m_interfaceAddress->broadcastV6();
+        ipv6JS["metric"] = m_interfaceAddress->metricsV6();
+        ipv6JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv6"].push_back(ipv6JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV6 address." };
+    }
+}
+template <>
+void LinuxNetworkImpl<AF_PACKET>::buildNetworkData(nlohmann::json& network)
+{
+    /* Get stats of interface */
+    network["name"]    = m_interfaceAddress->name();
+    network["adapter"] = m_interfaceAddress->adapter();
+    network["type"]    = m_interfaceAddress->type();
+    network["state"]   = m_interfaceAddress->state();
+    network["mac"]     = m_interfaceAddress->MAC();
+
+    const auto stats { m_interfaceAddress->stats() };
+
+    network["tx_packets"] = stats.txPackets;
+    network["rx_packets"] = stats.rxPackets;
+    network["tx_bytes"] = stats.txBytes;
+    network["rx_bytes"] = stats.rxBytes;
+    network["tx_errors"] = stats.txErrors;
+    network["rx_errors"] = stats.rxErrors;
+    network["tx_dropped"] = stats.txDropped;
+    network["rx_dropped"] = stats.rxDropped;
+
+    network["mtu"] = m_interfaceAddress->mtu();
+    network["gateway"] = m_interfaceAddress->gateway();
+}
diff --git a/src/common/data_provider/src/network/networkInterfaceLinux.h b/src/common/data_provider/src/network/networkInterfaceLinux.h
new file mode 100644
index 0000000000..a8652b5e50
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceLinux.h
@@ -0,0 +1,42 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_LINUX_H
+#define _NETWORK_LINUX_H
+
+#include "inetworkInterface.h"
+#include "inetworkWrapper.h"
+
+
+class FactoryLinuxNetwork
+{
+    public:
+        static std::shared_ptr<IOSNetwork>create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper);
+};
+
+template <unsigned short osNetworkType>
+class LinuxNetworkImpl final : public IOSNetwork
+{
+        std::shared_ptr<INetworkInterfaceWrapper> m_interfaceAddress;
+    public:
+        explicit LinuxNetworkImpl(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceAddress)
+            : m_interfaceAddress(interfaceAddress)
+        { }
+        // LCOV_EXCL_START
+        ~LinuxNetworkImpl() = default;
+        // LCOV_EXCL_STOP
+        void buildNetworkData(nlohmann::json& /*network*/) override
+        {
+            throw std::runtime_error { "Non implemented specialization." };
+        }
+};
+
+#endif // _NETWORK_LINUX_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/network/networkInterfaceSolaris.cpp b/src/common/data_provider/src/network/networkInterfaceSolaris.cpp
new file mode 100644
index 0000000000..9f9daa157e
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceSolaris.cpp
@@ -0,0 +1,112 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 21, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "networkInterfaceSolaris.h"
+#include "sys/socket.h"
+
+
+std::shared_ptr<IOSNetwork> FactorySolarisNetwork::create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+{
+    std::shared_ptr<IOSNetwork> ret;
+
+    if (interfaceWrapper)
+    {
+        const auto family { interfaceWrapper->family() };
+
+        if (AF_INET == family)
+        {
+            ret = std::make_shared<SolarisNetworkImpl<AF_INET>>(interfaceWrapper);
+        }
+        else if (AF_INET6 == family)
+        {
+            ret = std::make_shared<SolarisNetworkImpl<AF_INET6>>(interfaceWrapper);
+        }
+        else if (AF_UNSPEC == family)
+        {
+            ret = std::make_shared<SolarisNetworkImpl<AF_UNSPEC>>(interfaceWrapper);
+        }
+
+        // else: unknown family
+    }
+    else
+    {
+        throw std::runtime_error { "Error nullptr interfaceWrapper instance." };
+    }
+
+    return ret;
+}
+
+template <>
+void SolarisNetworkImpl<AF_INET>::buildNetworkData(nlohmann::json& network)
+{
+    const auto address { m_interfaceAddress->address() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv4JS { };
+        ipv4JS["address"] = address;
+        ipv4JS["netmask"] = m_interfaceAddress->netmask();
+        ipv4JS["broadcast"] = m_interfaceAddress->broadcast();
+        ipv4JS["metric"] = m_interfaceAddress->metrics();
+        ipv4JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv4"].push_back(ipv4JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV4 address." };
+    }
+}
+template <>
+void SolarisNetworkImpl<AF_INET6>::buildNetworkData(nlohmann::json& network)
+{
+    const auto address { m_interfaceAddress->addressV6() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv6JS {};
+        ipv6JS["address"] = address;
+        ipv6JS["netmask"] = m_interfaceAddress->netmaskV6();
+        ipv6JS["broadcast"] = m_interfaceAddress->broadcastV6();
+        ipv6JS["metric"] = m_interfaceAddress->metricsV6();
+        ipv6JS["dhcp"]   = m_interfaceAddress->dhcp();
+
+        network["IPv6"].push_back(ipv6JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV6 address." };
+    }
+}
+
+template <>
+void SolarisNetworkImpl<AF_UNSPEC>::buildNetworkData(nlohmann::json& network)
+{
+    // Extraction of common adapter data
+    network["name"]       = m_interfaceAddress->name();
+    network["adapter"]    = m_interfaceAddress->adapter();
+    network["state"]      = m_interfaceAddress->state();
+    network["type"]       = m_interfaceAddress->type();
+    network["mac"]        = m_interfaceAddress->MAC();
+
+    const auto stats { m_interfaceAddress->stats() };
+    network["tx_packets"] = stats.txPackets;
+    network["rx_packets"] = stats.rxPackets;
+    network["tx_bytes"]   = stats.txBytes;
+    network["rx_bytes"]   = stats.rxBytes;
+    network["tx_errors"]  = stats.txErrors;
+    network["rx_errors"]  = stats.rxErrors;
+    network["tx_dropped"] = stats.txDropped;
+    network["rx_dropped"] = stats.rxDropped;
+
+    network["mtu"]        = m_interfaceAddress->mtu();
+    network["gateway"]    = m_interfaceAddress->gateway();
+}
diff --git a/src/common/data_provider/src/network/networkInterfaceSolaris.h b/src/common/data_provider/src/network/networkInterfaceSolaris.h
new file mode 100644
index 0000000000..c83a00755b
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceSolaris.h
@@ -0,0 +1,42 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 21, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_INTERFACE_SOLARIS_H
+#define _NETWORK_INTERFACE_SOLARIS_H
+#include <stdexcept>
+
+#include "inetworkInterface.h"
+#include "inetworkWrapper.h"
+
+class FactorySolarisNetwork
+{
+    public:
+        static std::shared_ptr<IOSNetwork>create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper);
+};
+
+template <unsigned short osNetworkType>
+class SolarisNetworkImpl final : public IOSNetwork
+{
+        std::shared_ptr<INetworkInterfaceWrapper> m_interfaceAddress;
+    public:
+        explicit SolarisNetworkImpl(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceAddress)
+            : m_interfaceAddress(interfaceAddress)
+        { }
+        // LCOV_EXCL_START
+        ~SolarisNetworkImpl() = default;
+        // LCOV_EXCL_STOP
+        void buildNetworkData(nlohmann::json& /*network*/) override
+        {
+            throw std::runtime_error { "Specialization not implemented" };
+        }
+};
+
+#endif // _NETWORK_INTERFACE_SOLARIS_H
diff --git a/src/common/data_provider/src/network/networkInterfaceWindows.cpp b/src/common/data_provider/src/network/networkInterfaceWindows.cpp
new file mode 100644
index 0000000000..910f28a105
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceWindows.cpp
@@ -0,0 +1,121 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 4, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <ws2tcpip.h>
+#include "windowsHelper.h"
+#include "networkInterfaceWindows.h"
+#include "networkWindowsWrapper.h"
+
+std::shared_ptr<IOSNetwork> FactoryWindowsNetwork::create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceWrapper)
+{
+    std::shared_ptr<IOSNetwork> ret;
+
+    if (interfaceWrapper)
+    {
+        const auto family { interfaceWrapper->family() };
+
+        if (Utils::NetworkWindowsHelper::IPV4 == family)
+        {
+            ret = std::make_shared<WindowsNetworkImpl<Utils::NetworkWindowsHelper::IPV4>>(interfaceWrapper);
+        }
+        else if (Utils::NetworkWindowsHelper::IPV6 == family)
+        {
+            ret = std::make_shared<WindowsNetworkImpl<Utils::NetworkWindowsHelper::IPV6>>(interfaceWrapper);
+        }
+        else if (Utils::NetworkWindowsHelper::COMMON_DATA == family)
+        {
+            ret = std::make_shared<WindowsNetworkImpl<Utils::NetworkWindowsHelper::COMMON_DATA>>(interfaceWrapper);
+        }
+
+        // else: The current interface family is not supported
+    }
+    else
+    {
+        throw std::runtime_error { "Error nullptr interfaceWrapper instance." };
+    }
+
+    return ret;
+}
+
+template <>
+void WindowsNetworkImpl<Utils::NetworkWindowsHelper::UNDEF>::buildNetworkData(nlohmann::json& /*network*/)
+{
+    throw std::runtime_error { "Invalid network adapter family." };
+}
+
+template <>
+void WindowsNetworkImpl<Utils::NetworkWindowsHelper::IPV4>::buildNetworkData(nlohmann::json& networkV4)
+{
+    // Get IPv4 address
+    const auto address { m_interfaceAddress->address() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv4JS;
+        ipv4JS["address"] = address;
+        ipv4JS["netmask"] =  m_interfaceAddress->netmask();
+        ipv4JS["broadcast"] = m_interfaceAddress->broadcast();
+        ipv4JS["metric"] = m_interfaceAddress->metrics();
+        ipv4JS["dhcp"] = m_interfaceAddress->dhcp();
+
+        networkV4["IPv4"].push_back(ipv4JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV4 address." };
+    }
+}
+
+template <>
+void WindowsNetworkImpl<Utils::NetworkWindowsHelper::IPV6>::buildNetworkData(nlohmann::json& networkV6)
+{
+    const auto address { m_interfaceAddress->addressV6() };
+
+    if (!address.empty())
+    {
+        nlohmann::json ipv6JS { };
+        ipv6JS["address"] = address;
+        ipv6JS["netmask"] = m_interfaceAddress->netmaskV6();
+        ipv6JS["broadcast"] = m_interfaceAddress->broadcastV6();
+        ipv6JS["metric"] = m_interfaceAddress->metricsV6();
+        ipv6JS["dhcp"] = m_interfaceAddress->dhcp();
+
+        networkV6["IPv6"].push_back(ipv6JS);
+    }
+    else
+    {
+        throw std::runtime_error { "Invalid IpV6 address." };
+    }
+}
+
+template <>
+void WindowsNetworkImpl<Utils::NetworkWindowsHelper::COMMON_DATA>::buildNetworkData(nlohmann::json& networkCommon)
+{
+    // Extraction of common adapter data
+    networkCommon["name"]       = m_interfaceAddress->name();
+    networkCommon["adapter"]    = m_interfaceAddress->adapter();
+    networkCommon["state"]      = m_interfaceAddress->state();
+    networkCommon["type"]       = m_interfaceAddress->type();
+    networkCommon["mac"]        = m_interfaceAddress->MAC();
+
+    const auto stats { m_interfaceAddress->stats() };
+    networkCommon["tx_packets"] = stats.txPackets;
+    networkCommon["rx_packets"] = stats.rxPackets;
+    networkCommon["tx_bytes"]   = stats.txBytes;
+    networkCommon["rx_bytes"]   = stats.rxBytes;
+    networkCommon["tx_errors"]  = stats.txErrors;
+    networkCommon["rx_errors"]  = stats.rxErrors;
+    networkCommon["tx_dropped"] = stats.txDropped;
+    networkCommon["rx_dropped"] = stats.rxDropped;
+
+    networkCommon["mtu"]        = m_interfaceAddress->mtu();
+    networkCommon["gateway"]    = m_interfaceAddress->gateway();
+}
diff --git a/src/common/data_provider/src/network/networkInterfaceWindows.h b/src/common/data_provider/src/network/networkInterfaceWindows.h
new file mode 100644
index 0000000000..70bd04e255
--- /dev/null
+++ b/src/common/data_provider/src/network/networkInterfaceWindows.h
@@ -0,0 +1,41 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_INTERFACE_WINDOWS_H
+#define _NETWORK_INTERFACE_WINDOWS_H
+
+#include "inetworkInterface.h"
+#include "inetworkWrapper.h"
+
+class FactoryWindowsNetwork
+{
+    public:
+        static std::shared_ptr<IOSNetwork> create(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceAddress);
+};
+
+template <int osNetworkType>
+class WindowsNetworkImpl final : public IOSNetwork
+{
+        std::shared_ptr<INetworkInterfaceWrapper> m_interfaceAddress;
+    public:
+        explicit WindowsNetworkImpl(const std::shared_ptr<INetworkInterfaceWrapper>& interfaceAddress)
+            : m_interfaceAddress(interfaceAddress)
+        { }
+        // LCOV_EXCL_START
+        ~WindowsNetworkImpl() = default;
+        // LCOV_EXCL_STOP
+        void buildNetworkData(nlohmann::json& /*network*/) override
+        {
+            throw std::runtime_error { "Non implemented specialization." };
+        }
+};
+
+#endif // _NETWORK_INTERFACE_WINDOWS_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/network/networkLinuxWrapper.h b/src/common/data_provider/src/network/networkLinuxWrapper.h
new file mode 100644
index 0000000000..7149ca32aa
--- /dev/null
+++ b/src/common/data_provider/src/network/networkLinuxWrapper.h
@@ -0,0 +1,551 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_LINUX_WRAPPER_H
+#define _NETWORK_LINUX_WRAPPER_H
+
+#include <ifaddrs.h>
+#include <net/if_arp.h>
+#include <sys/socket.h>
+#include "inetworkWrapper.h"
+#include "networkHelper.h"
+#include "filesystemHelper.h"
+#include "stringHelper.h"
+#include "sharedDefs.h"
+
+#ifndef ARPHRD_TUNNEL
+#define ARPHRD_TUNNEL   768     /* IPIP tunnel.  */
+#endif
+#ifndef ARPHRD_TUNNEL6
+#define ARPHRD_TUNNEL6  769     /* IPIP6 tunnel.  */
+#endif
+#ifndef ARPHRD_FRAD
+#define ARPHRD_FRAD 770             /* Frame Relay Access Device.  */
+#endif
+#ifndef ARPHRD_SKIP
+#define ARPHRD_SKIP 771     /* SKIP vif.  */
+#endif
+#ifndef ARPHRD_LOOPBACK
+#define ARPHRD_LOOPBACK 772     /* Loopback device.  */
+#endif
+#ifndef ARPHRD_LOCALTLK
+#define ARPHRD_LOCALTLK 773     /* Localtalk device.  */
+#endif
+#ifndef ARPHRD_FDDI
+#define ARPHRD_FDDI 774     /* Fiber Distributed Data Interface. */
+#endif
+#ifndef ARPHRD_BIF
+#define ARPHRD_BIF  775             /* AP1000 BIF.  */
+#endif
+#ifndef ARPHRD_SIT
+#define ARPHRD_SIT  776     /* sit0 device - IPv6-in-IPv4.  */
+#endif
+#ifndef ARPHRD_IPDDP
+#define ARPHRD_IPDDP    777     /* IP-in-DDP tunnel.  */
+#endif
+#ifndef ARPHRD_IPGRE
+#define ARPHRD_IPGRE    778     /* GRE over IP.  */
+#endif
+#ifndef ARPHRD_PIMREG
+#define ARPHRD_PIMREG   779     /* PIMSM register interface.  */
+#endif
+#ifndef ARPHRD_HIPPI
+#define ARPHRD_HIPPI    780     /* High Performance Parallel I'face. */
+#endif
+#ifndef ARPHRD_ASH
+#define ARPHRD_ASH  781     /* (Nexus Electronics) Ash.  */
+#endif
+#ifndef ARPHRD_ECONET
+#define ARPHRD_ECONET   782     /* Acorn Econet.  */
+#endif
+#ifndef ARPHRD_IRDA
+#define ARPHRD_IRDA 783     /* Linux-IrDA.  */
+#endif
+#ifndef ARPHRD_FCPP
+#define ARPHRD_FCPP 784     /* Point to point fibrechanel.  */
+#endif
+#ifndef ARPHRD_FCAL
+#define ARPHRD_FCAL 785     /* Fibrechanel arbitrated loop.  */
+#endif
+#ifndef ARPHRD_FCPL
+#define ARPHRD_FCPL 786     /* Fibrechanel public loop.  */
+#endif
+#ifndef ARPHRD_FCFABRIC
+#define ARPHRD_FCFABRIC 787     /* Fibrechanel fabric.  */
+#endif
+#ifndef ARPHRD_IEEE802_TR
+#define ARPHRD_IEEE802_TR 800       /* Magic type ident for TR.  */
+#endif
+#ifndef ARPHRD_IEEE80211
+#define ARPHRD_IEEE80211 801        /* IEEE 802.11.  */
+#endif
+#ifndef ARPHRD_IEEE80211_PRISM
+#define ARPHRD_IEEE80211_PRISM 802  /* IEEE 802.11 + Prism2 header.  */
+#endif
+#ifndef ARPHRD_IEEE80211_RADIOTAP
+#define ARPHRD_IEEE80211_RADIOTAP 803   /* IEEE 802.11 + radiotap header.  */
+#endif
+#ifndef ARPHRD_IEEE802154
+#define ARPHRD_IEEE802154 804       /* IEEE 802.15.4 header.  */
+#endif
+#ifndef ARPHRD_IEEE802154_PHY
+#define ARPHRD_IEEE802154_PHY 805 /* IEEE 802.15.4 PHY header.  */
+#endif
+
+static const std::map<std::pair<int, int>, std::string> NETWORK_INTERFACE_TYPE =
+{
+    { std::make_pair(ARPHRD_ETHER, ARPHRD_ETHER),               "ethernet"          },
+    { std::make_pair(ARPHRD_PRONET, ARPHRD_PRONET),             "token ring"        },
+    { std::make_pair(ARPHRD_PPP, ARPHRD_PPP),                   "point-to-point"    },
+    { std::make_pair(ARPHRD_ATM, ARPHRD_ATM),                   "ATM"               },
+    { std::make_pair(ARPHRD_IEEE1394, ARPHRD_IEEE1394),         "firewire"          },
+    { std::make_pair(ARPHRD_TUNNEL, ARPHRD_IRDA),               "tunnel"            },
+    { std::make_pair(ARPHRD_FCPP, ARPHRD_FCFABRIC),             "fibrechannel"      },
+    { std::make_pair(ARPHRD_IEEE802_TR, ARPHRD_IEEE802154_PHY), "wireless"          },
+};
+
+static const std::map<std::string, std::string> DHCP_STATUS =
+{
+    { "dhcp",                   "enabled"           },
+    { "yes",                    "enabled"           },
+    { "static",                 "disabled"          },
+    { "none",                   "disabled"          },
+    { "no",                     "disabled"          },
+    { "manual",                 "disabled"          },
+    { "bootp",                  "BOOTP"             },
+};
+
+namespace GatewayFileFields
+{
+    enum
+    {
+        Iface,
+        Destination,
+        Gateway,
+        Flags,
+        RefCnt,
+        Use,
+        Metric,
+        Mask,
+        MTU,
+        Window,
+        IRTT,
+        Size
+    };
+}
+
+namespace DebianInterfaceConfig
+{
+    enum Config
+    {
+        Type,
+        Name,
+        Family,
+        Method,
+        Size
+    };
+}
+
+namespace RHInterfaceConfig
+{
+    enum Config
+    {
+        Key,
+        Value,
+        Size
+    };
+}
+
+namespace NetDevFileFields
+{
+    enum
+    {
+        Iface,
+        RxBytes,
+        RxPackets,
+        RxErrors,
+        RxDropped,
+        RxFifo,
+        RxFrame,
+        RxCompressed,
+        RxMulticast,
+        TxBytes,
+        TxPackets,
+        TxErrors,
+        TxDropped,
+        TxFifo,
+        TxColls,
+        TxCarrier,
+        TxCompressed,
+        FieldsQuantity
+    };
+}
+
+class NetworkLinuxInterface final : public INetworkInterfaceWrapper
+{
+        ifaddrs* m_interfaceAddress;
+        std::string m_gateway;
+        std::string m_metrics;
+
+        static std::string getNameInfo(const sockaddr* inputData, const socklen_t socketLen)
+        {
+            auto retVal { std::make_unique<char[]>(NI_MAXHOST) };
+
+            if (inputData)
+            {
+                const auto result { getnameinfo(inputData,
+                                                socketLen,
+                                                retVal.get(), NI_MAXHOST,
+                                                NULL, 0, NI_NUMERICHOST) };
+
+                if (result != 0)
+                {
+                    throw std::runtime_error
+                    {
+                        "Cannot get socket address information, Code: " + result
+                    };
+                }
+            }
+
+            return retVal.get();
+        }
+
+        static std::string getRedHatDHCPStatus(const std::vector<std::string>& fields)
+        {
+            std::string retVal { "enabled" };
+            const auto value { fields.at(RHInterfaceConfig::Value) };
+
+            const auto it { DHCP_STATUS.find(value) };
+
+            if (DHCP_STATUS.end() != it)
+            {
+                retVal = it->second;
+            }
+
+            return retVal;
+        }
+
+        static std::string getDebianDHCPStatus(const std::string& family, const std::vector<std::string>& fields)
+        {
+            std::string retVal { "enabled" };
+
+            if (fields.at(DebianInterfaceConfig::Family).compare(family) == 0)
+            {
+                const auto method { fields.at(DebianInterfaceConfig::Method) };
+
+                const auto it { DHCP_STATUS.find(method) };
+
+                if (DHCP_STATUS.end() != it)
+                {
+                    retVal = it->second;
+                }
+            }
+
+            return retVal;
+        }
+
+    public:
+        explicit NetworkLinuxInterface(ifaddrs* addrs)
+            : m_interfaceAddress{ addrs }
+            , m_gateway{UNKNOWN_VALUE}
+        {
+            if (!addrs)
+            {
+                throw std::runtime_error { "Nullptr instances of network interface" };
+            }
+            else
+            {
+                auto fileData { Utils::getFileContent(std::string(WM_SYS_NET_DIR) + "route") };
+                const auto ifName { this->name() };
+
+                if (!fileData.empty())
+                {
+                    auto lines { Utils::split(fileData, '\n') };
+
+                    for (auto& line : lines)
+                    {
+                        line = Utils::rightTrim(line);
+                        Utils::replaceAll(line, "\t", " ");
+                        Utils::replaceAll(line, "  ", " ");
+                        const auto fields { Utils::split(line, ' ') };
+
+                        if (GatewayFileFields::Size == fields.size() &&
+                                fields.at(GatewayFileFields::Iface).compare(ifName) == 0)
+                        {
+                            auto address { static_cast<uint32_t>(std::stol(fields.at(GatewayFileFields::Gateway), 0, 16)) };
+                            m_metrics = fields.at(GatewayFileFields::Metric);
+
+                            if (address)
+                            {
+                                m_gateway = Utils::NetworkHelper::IAddressToBinary(AF_INET, reinterpret_cast<in_addr*>(&address));
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        std::string name() const override
+        {
+            return m_interfaceAddress->ifa_name ? Utils::substrOnFirstOccurrence(m_interfaceAddress->ifa_name, ":") : "";
+        }
+
+        std::string adapter() const override
+        {
+            return "";
+        }
+
+        int family() const override
+        {
+            return m_interfaceAddress->ifa_addr ? m_interfaceAddress->ifa_addr->sa_family : AF_PACKET;
+        }
+
+        std::string address() const override
+        {
+            return m_interfaceAddress->ifa_addr ? getNameInfo(m_interfaceAddress->ifa_addr, sizeof(struct sockaddr_in)) : "";
+        }
+
+        std::string netmask() const override
+        {
+            return m_interfaceAddress->ifa_netmask ? getNameInfo(m_interfaceAddress->ifa_netmask, sizeof(struct sockaddr_in)) : "";
+        }
+
+        std::string broadcast() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+
+            if (m_interfaceAddress->ifa_ifu.ifu_broadaddr)
+            {
+                retVal = getNameInfo(m_interfaceAddress->ifa_ifu.ifu_broadaddr, sizeof(struct sockaddr_in));
+            }
+            else
+            {
+                const auto netmask { this->netmask() };
+                const auto address { this->address() };
+
+                if (address.size() && netmask.size())
+                {
+                    const auto broadcast { Utils::NetworkHelper::getBroadcast(address, netmask) };
+                    retVal =  broadcast.empty() ? UNKNOWN_VALUE : broadcast;
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string addressV6() const override
+        {
+            return m_interfaceAddress->ifa_addr ? Utils::splitIndex(getNameInfo(m_interfaceAddress->ifa_addr, sizeof(struct sockaddr_in6)), '%', 0) : "";
+        }
+
+        std::string netmaskV6() const override
+        {
+            return m_interfaceAddress->ifa_netmask ? getNameInfo(m_interfaceAddress->ifa_netmask, sizeof(struct sockaddr_in6)) : "";
+        }
+
+        std::string broadcastV6() const override
+        {
+            return m_interfaceAddress->ifa_ifu.ifu_broadaddr ? getNameInfo(m_interfaceAddress->ifa_ifu.ifu_broadaddr, sizeof(struct sockaddr_in6)) : "";
+        }
+
+        std::string gateway() const override
+        {
+            return m_gateway;
+        }
+
+        std::string metrics() const override
+        {
+            return m_metrics;
+        }
+
+        std::string metricsV6() const override
+        {
+            return "";
+        }
+
+        std::string dhcp() const override
+        {
+            auto fileData { Utils::getFileContent(WM_SYS_IF_FILE) };
+            std::string retVal { "unknown" };
+            const auto family { this->family() };
+            const auto ifName { this->name() };
+
+            if (!fileData.empty())
+            {
+                const auto lines { Utils::split(fileData, '\n') };
+
+                for (const auto& line : lines)
+                {
+                    const auto fields { Utils::split(line, ' ') };
+
+                    if (DebianInterfaceConfig::Size == fields.size())
+                    {
+                        if (fields.at(DebianInterfaceConfig::Type).compare("iface") == 0 &&
+                                fields.at(DebianInterfaceConfig::Name).compare(ifName) == 0)
+                        {
+                            if (AF_INET == family)
+                            {
+                                retVal = getDebianDHCPStatus("inet", fields);
+                                break;
+                            }
+                            else if (AF_INET6 == family)
+                            {
+                                retVal = getDebianDHCPStatus("inet6", fields);
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+            else
+            {
+                const auto fileName { "ifcfg-" + ifName };
+                fileData = Utils::getFileContent(WM_SYS_IF_DIR_RH + fileName);
+                fileData = fileData.empty() ? Utils::getFileContent(WM_SYS_IF_DIR_SUSE + fileName) : fileData;
+
+                if (!fileData.empty())
+                {
+                    const auto lines { Utils::split(fileData, '\n') };
+
+                    for (const auto& line : lines)
+                    {
+                        const auto fields { Utils::split(line, '=') };
+
+                        if (fields.size() == RHInterfaceConfig::Size)
+                        {
+                            if (AF_INET == family)
+                            {
+                                if (fields.at(RHInterfaceConfig::Key).compare("BOOTPROTO") == 0)
+                                {
+                                    retVal = getRedHatDHCPStatus(fields);
+                                    break;
+                                }
+                            }
+                            else if (AF_INET6 == family)
+                            {
+                                if (fields.at(RHInterfaceConfig::Key).compare("DHCPV6C") == 0)
+                                {
+                                    retVal = getRedHatDHCPStatus(fields);
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+            return retVal;
+        }
+
+        uint32_t mtu() const override
+        {
+            uint32_t retVal { 0 };
+            const auto mtuFileContent { Utils::getFileContent(std::string(WM_SYS_IFDATA_DIR) + this->name() + "/mtu") };
+
+            if (!mtuFileContent.empty())
+            {
+                retVal =  std::stol(Utils::splitIndex(mtuFileContent, '\n', 0));
+            }
+
+            return retVal;
+        }
+
+        LinkStats stats() const override
+        {
+            LinkStats retVal {};
+
+            try
+            {
+                const auto devData { Utils::getFileContent(std::string(WM_SYS_NET_DIR) + "dev") };
+
+                if (!devData.empty())
+                {
+                    auto lines { Utils::split(devData, '\n') };
+                    lines.erase(lines.begin());
+                    lines.erase(lines.begin());
+
+                    for (auto& line : lines)
+                    {
+                        line = Utils::trim(line);
+                        Utils::replaceAll(line, "\t", " ");
+                        Utils::replaceAll(line, "  ", " ");
+                        Utils::replaceAll(line, ": ", " ");
+                        const auto fields { Utils::split(line, ' ') };
+
+                        if (NetDevFileFields::FieldsQuantity == fields.size())
+                        {
+                            if (fields.at(NetDevFileFields::Iface).compare(this->name()) == 0)
+                            {
+                                retVal.rxBytes = std::stoul(fields.at(NetDevFileFields::RxBytes));
+                                retVal.txBytes = std::stoul(fields.at(NetDevFileFields::TxBytes));
+                                retVal.rxPackets = std::stoul(fields.at(NetDevFileFields::RxPackets));
+                                retVal.txPackets = std::stoul(fields.at(NetDevFileFields::TxPackets));
+                                retVal.rxErrors = std::stoul(fields.at(NetDevFileFields::RxErrors));
+                                retVal.txErrors = std::stoul(fields.at(NetDevFileFields::TxErrors));
+                                retVal.rxDropped = std::stoul(fields.at(NetDevFileFields::RxDropped));
+                                retVal.txDropped = std::stoul(fields.at(NetDevFileFields::TxDropped));
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+            catch (...)
+            {
+            }
+
+            return retVal;
+        }
+
+        std::string type() const override
+        {
+            const auto networkTypeCode { Utils::getFileContent(std::string(WM_SYS_IFDATA_DIR) + this->name() + "/type") };
+            std::string type { UNKNOWN_VALUE };
+
+            if (!networkTypeCode.empty())
+            {
+                type = Utils::NetworkHelper::getNetworkTypeStringCode(std::stoi(networkTypeCode), NETWORK_INTERFACE_TYPE);
+            }
+
+            return type;
+        }
+
+        std::string state() const override
+        {
+            const std::string operationalState { Utils::getFileContent(std::string(WM_SYS_IFDATA_DIR) + this->name() + "/operstate") };
+
+            std::string state { UNKNOWN_VALUE };
+
+            if (!operationalState.empty())
+            {
+                state = Utils::splitIndex(operationalState, '\n', 0);
+            }
+
+            return state;
+        }
+
+        std::string MAC() const override
+        {
+            const std::string macContent { Utils::getFileContent(std::string(WM_SYS_IFDATA_DIR) + this->name() + "/address")};
+
+            std::string mac { UNKNOWN_VALUE };
+
+            if (!macContent.empty())
+            {
+                mac = Utils::splitIndex(macContent, '\n', 0);
+            }
+
+            return mac;
+        }
+};
+
+#endif // _NETWORK_LINUX_WRAPPER_H
diff --git a/src/common/data_provider/src/network/networkSolarisHelper.cpp b/src/common/data_provider/src/network/networkSolarisHelper.cpp
new file mode 100644
index 0000000000..1d552d6576
--- /dev/null
+++ b/src/common/data_provider/src/network/networkSolarisHelper.cpp
@@ -0,0 +1,31 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <sys/sockio.h>
+#include "networkSolarisHelper.hpp"
+#include "UtilsWrapperUnix.hpp"
+#include <iostream>
+
+int NetworkSolarisHelper::getInterfacesCount(int fd, sa_family_t family)
+{
+    auto interfaceCount { 0 };
+
+    struct lifnum ifn = { .lifn_family = family, .lifn_flags = 0, .lifn_count = 0 };
+
+    UtilsWrapperUnix::ioctl(fd, SIOCGLIFNUM, reinterpret_cast<char*>(&ifn));
+    interfaceCount = ifn.lifn_count;
+    return interfaceCount;
+}
+
+void NetworkSolarisHelper::getInterfacesConfig(int fd, lifconf& networkInterfacesConf)
+{
+    UtilsWrapperUnix::ioctl(fd, SIOCGLIFCONF, reinterpret_cast<char*>(&networkInterfacesConf));
+}
diff --git a/src/common/data_provider/src/network/networkSolarisHelper.hpp b/src/common/data_provider/src/network/networkSolarisHelper.hpp
new file mode 100644
index 0000000000..d39d6e7ff8
--- /dev/null
+++ b/src/common/data_provider/src/network/networkSolarisHelper.hpp
@@ -0,0 +1,24 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_SOLARIS_HELPER_H
+#define _NETWORK_SOLARIS_HELPER_H
+
+#include <net/if.h>
+
+class NetworkSolarisHelper final
+{
+    public:
+        static int getInterfacesCount(int fd, sa_family_t family);
+        static void getInterfacesConfig(int fd, lifconf& networkInterface);
+};
+
+#endif //_NETWORK_SOLARIS_HELPER_H
diff --git a/src/common/data_provider/src/network/networkSolarisWrapper.hpp b/src/common/data_provider/src/network/networkSolarisWrapper.hpp
new file mode 100644
index 0000000000..106af37adf
--- /dev/null
+++ b/src/common/data_provider/src/network/networkSolarisWrapper.hpp
@@ -0,0 +1,431 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_SOLARIS_WRAPPER_H
+#define _NETWORK_SOLARIS_WRAPPER_H
+
+#include <vector>
+#include <map>
+#include <algorithm>
+#include <sys/sockio.h>
+#include <arpa/inet.h>
+#include <net/if_arp.h>
+
+#include "inetworkWrapper.h"
+#include "UtilsWrapperUnix.hpp"
+#include "sharedDefs.h"
+#include "networkHelper.h"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+
+enum ROUTING_FIELDS
+{
+    ROUTING_DESTINATION,
+    ROUTING_GATEWAY,
+    ROUTING_FLAGS,
+    ROUTING_REF,
+    ROUTING_USE,
+    ROUTING_IFACE_NAME,
+    ROUTING_SIZE_FIELDS
+};
+
+enum MAC_FIELDS
+{
+    MAC_FIELD_NAME,
+    MAC_ADDRESS,
+    MAC_SIZE_FIELDS
+};
+
+class NetworkSolarisInterface final : public INetworkInterfaceWrapper
+{
+        lifreq* m_networkInterface;
+        const int m_fileDescriptor;
+        const sa_family_t m_family;
+        const uint64_t m_interfaceFlags;
+
+    public:
+        explicit NetworkSolarisInterface(const sa_family_t family, int fd, std::pair<lifreq*, uint64_t> interface)
+            : m_networkInterface {interface.first}
+            , m_fileDescriptor {fd}
+            , m_family {family}
+            , m_interfaceFlags {interface.second}
+        {
+        }
+
+        std::string name() const override
+        {
+            return m_networkInterface->lifr_name ? m_networkInterface->lifr_name : "";
+        }
+
+        std::string adapter() const override
+        {
+            return "";
+        }
+
+        int family() const override
+        {
+            return m_family;
+        }
+
+        std::string address() const override
+        {
+            std::string address;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFADDR, reinterpret_cast<char*>(m_networkInterface));
+                struct sockaddr_in* data = reinterpret_cast<struct sockaddr_in*>(&m_networkInterface->lifr_addr);
+                address = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin_addr);
+            }
+            catch (...)
+            {
+            }
+
+            return address;
+        }
+
+        std::string netmask() const override
+        {
+            std::string address;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFNETMASK, reinterpret_cast<char*>(m_networkInterface));
+                struct sockaddr_in* data = reinterpret_cast<struct sockaddr_in*>(&m_networkInterface->lifr_addr);
+                address = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin_addr);
+            }
+            catch (...)
+            {
+            }
+
+            return address;
+        }
+
+        std::string broadcast() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+
+            if (m_interfaceFlags & IFF_BROADCAST)
+            {
+                try
+                {
+                    UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFBRDADDR, reinterpret_cast<char*>(m_networkInterface));
+                    struct sockaddr_in* data = reinterpret_cast<struct sockaddr_in*>(&m_networkInterface->lifr_broadaddr);
+                    retVal = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin_addr);
+                }
+                catch (...)
+                {
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string addressV6() const override
+        {
+            std::string address;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFADDR, reinterpret_cast<char*>(m_networkInterface));
+                struct sockaddr_in6* data = reinterpret_cast<struct sockaddr_in6*>(&m_networkInterface->lifr_addr);
+                address = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin6_addr);
+            }
+            catch (...)
+            {
+            }
+
+            return address;
+        }
+
+        std::string netmaskV6() const override
+        {
+            std::string address;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFNETMASK, reinterpret_cast<char*>(m_networkInterface));
+                struct sockaddr_in6* data = reinterpret_cast<struct sockaddr_in6*>(&m_networkInterface->lifr_addr);
+                address = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin6_addr);
+            }
+            catch (...)
+            {
+            }
+
+            return address;
+        }
+
+        std::string broadcastV6() const override
+        {
+            std::string retVal;
+
+            if (m_interfaceFlags & IFF_BROADCAST)
+            {
+                try
+                {
+                    UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFBRDADDR, reinterpret_cast<char*>(m_networkInterface));
+                    struct sockaddr_in6* data = reinterpret_cast<struct sockaddr_in6*>(&m_networkInterface->lifr_addr);
+                    retVal = Utils::NetworkHelper::IAddressToBinary(this->family(), &data->sin6_addr);
+                }
+                catch (...)
+                {
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string gateway() const override
+        {
+            std::string retVal;
+            const auto buffer { Utils::exec("netstat -rn") };
+
+            if (!buffer.empty())
+            {
+                const auto lines { Utils::split(buffer, '\n') };
+
+                for (auto line : lines)
+                {
+                    Utils::replaceAll(line, "  ", " ");
+                    const auto fields { Utils::split(line, ' ') };
+
+                    if (fields.size() == ROUTING_SIZE_FIELDS && fields.front().compare("default") == 0)
+                    {
+                        if (fields[ROUTING_IFACE_NAME].compare(this->name()) == 0)
+                        {
+                            retVal = fields[ROUTING_GATEWAY];
+                        }
+
+                        break;
+                    }
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string metrics() const override
+        {
+            std::string metric;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFMETRIC, reinterpret_cast<char*>(m_networkInterface));
+                metric = std::to_string(m_networkInterface->lifr_metric);
+            }
+            catch (...)
+            {
+            }
+
+            return metric;
+        }
+
+        std::string metricsV6() const override
+        {
+            std::string metric;
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFMETRIC, reinterpret_cast<char*>(m_networkInterface));
+                metric = std::to_string(m_networkInterface->lifr_metric);
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << e.what() << '\n';
+            }
+
+            return metric;
+        }
+
+        std::string dhcp() const override
+        {
+            return m_interfaceFlags & IFF_DHCPRUNNING ? "enabled" : "disabled";
+        }
+
+        uint32_t mtu() const override
+        {
+            uint32_t retVal { 0 };
+
+            try
+            {
+                UtilsWrapperUnix::ioctl(m_fileDescriptor, SIOCGLIFMTU, reinterpret_cast<char*>(m_networkInterface));
+                retVal = m_networkInterface->lifr_mtu;
+            }
+            catch (...)
+            {
+            }
+
+            return retVal;
+        }
+
+        LinkStats stats() const override
+        {
+            auto buffer { Utils::exec("kstat -n " + this->name() + " -c net", 256) };
+            LinkStats statistic { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+            if (!buffer.empty())
+            {
+                constexpr auto RX_PACKET_INDEX  { "ipackets64" };
+                constexpr auto RX_BYTES_INDEX   { "rbytes64" };
+                constexpr auto TX_PACKET_INDEX  { "opackets64" };
+                constexpr auto TX_BYTES_INDEX   { "obytes64" };
+                constexpr auto RX_DROPS_INDEX   { "dl_idrops" };
+                constexpr auto TX_DROPS_INDEX   { "dl_odrops" };
+                constexpr auto RX_ERRORS_INDEX  { "ierrors" };
+                constexpr auto TX_ERRORS_INDEX  { "oerrors" };
+
+                std::map<std::string, int> data;
+                auto value { 0 };
+                size_t valueSize { 0 };
+                auto lines { Utils::split(buffer, '\n') };
+
+                lines.erase(lines.begin());
+                lines.erase(lines.begin());
+                lines.erase(lines.end());
+
+                try
+                {
+                    for (auto& line : lines)
+                    {
+                        Utils::replaceAll(line, "\t", " ");
+                        Utils::replaceAll(line, "  ", " ");
+                        auto fields { Utils::split(line, ' ') };
+
+                        value = std::stoi(fields.back(), &valueSize);
+
+                        if (fields.back().size() == valueSize)
+                        {
+                            data[fields.at(1)] = value;
+                        }
+                        else
+                        {
+                            data[fields.at(1)] = 0;
+                        }
+                    }
+                }
+                catch (...)
+                {
+                }
+
+                auto it {data.find(RX_PACKET_INDEX)};
+
+                statistic.rxPackets = static_cast<unsigned int>( it != data.end() ? data.at(RX_PACKET_INDEX) : 0);
+                it = data.find(RX_BYTES_INDEX);
+                statistic.rxBytes   = static_cast<unsigned int>( it != data.end() ? data.at(RX_BYTES_INDEX)  : 0);
+                it = data.find(TX_PACKET_INDEX);
+                statistic.txPackets = static_cast<unsigned int>( it != data.end() ? data.at(TX_PACKET_INDEX) : 0);
+                it = data.find(TX_BYTES_INDEX);
+                statistic.txBytes   = static_cast<unsigned int>( it != data.end() ? data.at(TX_BYTES_INDEX)  : 0);
+                it = data.find(RX_DROPS_INDEX);
+                statistic.rxDropped = static_cast<unsigned int>( it != data.end() ? data.at(RX_DROPS_INDEX)  : 0);
+                it = data.find(TX_DROPS_INDEX);
+                statistic.txDropped = static_cast<unsigned int>( it != data.end() ? data.at(TX_DROPS_INDEX)  : 0);
+                it = data.find(RX_ERRORS_INDEX);
+                statistic.rxErrors  = static_cast<unsigned int>( it != data.end() ? data.at(RX_ERRORS_INDEX) : 0);
+                it = data.find(TX_ERRORS_INDEX);
+                statistic.txErrors  = static_cast<unsigned int>( it != data.end() ? data.at(TX_ERRORS_INDEX) : 0);
+            }
+
+            return statistic;
+        }
+
+        std::string type() const override
+        {
+            const auto buffer { Utils::exec("dladm show-phys " + this->name(), 512) };
+            constexpr auto COLUMN_TYPE_INTERFACE { "MEDIA" };
+            std::string type;
+
+            if (!buffer.empty() && (buffer.find("unknown subcommand") == std::string::npos))
+            {
+                auto lines { Utils::split(buffer, '\n') };
+                std::vector<std::string> headers;
+                std::vector<std::string> values;
+
+                for (auto line : lines)
+                {
+                    Utils::replaceAll(line, "\t", "");
+                    Utils::replaceAll(line, "  ", " ");
+
+                    if (headers.size() == 0)
+                    {
+                        headers = Utils::split(line, ' ');
+                    }
+                    else
+                    {
+                        values = Utils::split(line, ' ');
+                    }
+                }
+
+                try
+                {
+                    const auto it = std::find(headers.begin(), headers.end(), COLUMN_TYPE_INTERFACE);
+
+                    if (it != headers.end() && values.size() > static_cast<size_t>(it - headers.begin()))
+                    {
+                        type = values.at(it - headers.begin());
+                    }
+                }
+                catch (...)
+                {
+                }
+            }
+
+            return type;
+        }
+
+        std::string state() const override
+        {
+            return m_interfaceFlags & IFF_UP ? "up" : "down";
+        }
+
+        std::string MAC() const override
+        {
+            std::string mac { UNKNOWN_VALUE };
+            const auto buffer { Utils::exec("ifconfig " + this->name()) };
+
+            if (!buffer.empty())
+            {
+                const auto lines { Utils::split(buffer, '\n') };
+
+                for (auto line : lines)
+                {
+                    Utils::replaceAll(line, "\t", "");
+                    const auto fields { Utils::split(line, ' ') };
+
+                    if (fields.size() == MAC_SIZE_FIELDS && fields.front().compare("ether") == 0)
+                    {
+                        auto components { Utils::split(fields[MAC_ADDRESS], ':') };
+                        std::stringstream value { };
+
+                        value << std::hex << std::setfill('0');
+
+                        for (auto& item : components)
+                        {
+                            std::transform(item.begin(), item.end(), item.begin(), ::toupper);
+                            value << std::setw(2) << item;
+
+                            if (&item != &components.back())
+                            {
+                                value << ":";
+                            }
+                        }
+
+                        mac = value.str();
+                        break;
+                    }
+                }
+            }
+
+            return mac;
+        }
+};
+
+#endif // _NETWORK_SOLARIS_WRAPPER_H
diff --git a/src/common/data_provider/src/network/networkWindowsWrapper.h b/src/common/data_provider/src/network/networkWindowsWrapper.h
new file mode 100644
index 0000000000..dedec064c3
--- /dev/null
+++ b/src/common/data_provider/src/network/networkWindowsWrapper.h
@@ -0,0 +1,511 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 5, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_WINDOWS_WRAPPER_H
+#define _NETWORK_WINDOWS_WRAPPER_H
+
+#include <sstream>
+#include <iomanip>
+#include <ifdef.h>
+#include <iptypes.h>
+#include <netioapi.h>
+#include "windowsHelper.h"
+#include "inetworkWrapper.h"
+#include "makeUnique.h"
+#include "sharedDefs.h"
+
+static const std::map<int, std::string> NETWORK_INTERFACE_TYPES =
+{
+    { IF_TYPE_ETHERNET_CSMACD, "ethernet"       },
+    { IF_TYPE_ISO88025_TOKENRING, "token ring"     },
+    { IF_TYPE_PPP, "point-to-point" },
+    { IF_TYPE_ATM, "ATM"            },
+    { IF_TYPE_IEEE80211, "wireless"       },
+    { IF_TYPE_TUNNEL, "tunnel"         },
+    { IF_TYPE_IEEE1394, "firewire"       },
+};
+
+static const std::map<IF_OPER_STATUS, std::string> NETWORK_OPERATIONAL_STATUS =
+{
+    { IfOperStatusUp, "up"             },
+    { IfOperStatusDown, "down"           },
+    { IfOperStatusTesting, "testing"        },          // In testing mode
+    { IfOperStatusUnknown, "unknown"        },
+    { IfOperStatusDormant, "dormant"        },          // In a pending state, waiting for some external event
+    { IfOperStatusNotPresent, "notpresent"     },       // Interface down because of any component is not present (hardware typically)
+    { IfOperStatusLowerLayerDown, "lowerlayerdown" },   // This interface depends on a lower layer interface which is down
+};
+
+class NetworkWindowsInterface final : public INetworkInterfaceWrapper
+{
+    public:
+        explicit NetworkWindowsInterface(Utils::NetworkWindowsHelper::NetworkFamilyTypes family,
+                                         const PIP_ADAPTER_ADDRESSES& addrs,
+                                         const PIP_ADAPTER_UNICAST_ADDRESS& unicastAddress,
+                                         const PIP_ADAPTER_INFO& adapterInfo)
+            : m_interfaceFamily(family)
+            , m_interfaceAddress(addrs)
+            , m_currentUnicastAddress(unicastAddress)
+            , m_adapterInfo(adapterInfo)
+        {
+            if (!addrs)
+            {
+                throw std::runtime_error { "Nullptr instance of network interface" };
+            }
+
+            if (Utils::NetworkWindowsHelper::NetworkFamilyTypes::UNDEF == family)
+            {
+                throw std::runtime_error { "Undefined network instance family value" };
+            }
+        }
+
+        std::string name() const override
+        {
+            return getAdapterEncodedUTF8(m_interfaceAddress->FriendlyName);
+        }
+
+        std::string adapter() const override
+        {
+            return getAdapterEncodedUTF8(m_interfaceAddress->Description);
+        }
+
+        int family() const override
+        {
+            return m_interfaceFamily;
+        }
+
+        std::string address() const override
+        {
+            std::string retVal;
+
+            if (m_currentUnicastAddress)
+            {
+                retVal = Utils::NetworkWindowsHelper::IAddressToString(this->adapterFamily(),
+                                                                       (reinterpret_cast<sockaddr_in*>(m_currentUnicastAddress->Address.lpSockaddr))->sin_addr);
+            }
+
+            return retVal;
+        }
+
+        std::string addressV6() const override
+        {
+            std::string retVal;
+
+            if (m_currentUnicastAddress)
+            {
+                if (Utils::isVistaOrLater())
+                {
+                    retVal = Utils::NetworkWindowsHelper::IAddressToString(this->adapterFamily(),
+                                                                           (reinterpret_cast<sockaddr_in6*>(m_currentUnicastAddress->Address.lpSockaddr))->sin6_addr);
+                }
+                else
+                {
+                    // Windows XP
+                    const auto ipv6Address { reinterpret_cast<sockaddr_in6*>(m_currentUnicastAddress->Address.lpSockaddr) };
+                    retVal = Utils::NetworkWindowsHelper::getIpV6Address(ipv6Address->sin6_addr.u.Byte);
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string netmask() const override
+        {
+            std::string retVal;
+
+            if (Utils::isVistaOrLater())
+            {
+                ULONG mask { 0 };
+                static auto pfnGetConvertLengthToIpv4Mask { Utils::getConvertLengthToIpv4MaskFunctionAddress() };
+
+                if (pfnGetConvertLengthToIpv4Mask)
+                {
+                    if (m_currentUnicastAddress && !pfnGetConvertLengthToIpv4Mask(m_currentUnicastAddress->OnLinkPrefixLength, &mask))
+                    {
+                        retVal = Utils::NetworkWindowsHelper::IAddressToString(this->adapterFamily(), *(reinterpret_cast<in_addr*>(&mask)));
+                    }
+                }
+            }
+            else
+            {
+                // Windows XP mechanism
+                const auto address { this->address() };
+                const auto interfaceAddress { findInterfaceMatch(address) };
+
+                if (interfaceAddress)
+                {
+                    retVal = interfaceAddress->IpMask.String;
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string netmaskV6() const override
+        {
+            std::string retVal;
+
+            if (m_currentUnicastAddress && Utils::isVistaOrLater())
+            {
+                // Get ipv6Netmask based on current OnLinkPrefixLength value
+                retVal = Utils::NetworkWindowsHelper::ipv6Netmask(m_currentUnicastAddress->OnLinkPrefixLength);
+            }
+
+            // Windows XP netmask IPv6 is not supported
+            return retVal;
+        }
+
+        std::string broadcast() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto address { this->address() };
+            const auto netmask { this->netmask() };
+
+            if (address.size() && netmask.size())
+            {
+                const auto broadcast { Utils::NetworkWindowsHelper::broadcastAddress(address, netmask) };
+                retVal = broadcast.empty() ? UNKNOWN_VALUE : broadcast;
+            }
+
+            return retVal;
+        }
+
+        std::string broadcastV6() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string gateway() const override
+        {
+            std::string retVal;
+            constexpr auto GATEWAY_SEPARATOR { "," };
+
+            if (Utils::isVistaOrLater())
+            {
+                auto gatewayAddress { m_interfaceAddress->FirstGatewayAddress };
+
+                while (gatewayAddress)
+                {
+                    const auto gatewayFamily { gatewayAddress->Address.lpSockaddr->sa_family };
+                    const auto sockAddress   { gatewayAddress->Address.lpSockaddr };
+
+                    if (AF_INET == gatewayFamily)
+                    {
+                        retVal += Utils::NetworkWindowsHelper::IAddressToString(gatewayFamily,
+                                                                                (reinterpret_cast<sockaddr_in*>(sockAddress))->sin_addr);
+                        retVal += GATEWAY_SEPARATOR;
+                    }
+                    else if (AF_INET6 == gatewayFamily)
+                    {
+                        retVal += Utils::NetworkWindowsHelper::IAddressToString(gatewayFamily,
+                                                                                (reinterpret_cast<sockaddr_in6*>(sockAddress))->sin6_addr);
+                        retVal += GATEWAY_SEPARATOR;
+                    }
+
+                    gatewayAddress = gatewayAddress->Next;
+                }
+            }
+            else
+            {
+                // Under Windows XP, the only way to retrieve IPv4 gateway addresses is through GetAdaptersInfo()
+                PIP_ADDR_STRING currentGWAddress { nullptr };
+                PIP_ADAPTER_INFO currentAdapterInfo { m_adapterInfo };
+                bool foundMatch { false };
+
+                while (currentAdapterInfo && !foundMatch)
+                {
+                    if (!(MIB_IF_TYPE_LOOPBACK == currentAdapterInfo->Type))
+                    {
+                        if (currentAdapterInfo->Index == m_interfaceAddress->IfIndex)
+                        {
+                            // Found an interface match.
+                            currentGWAddress = &(currentAdapterInfo->GatewayList);
+
+                            while (currentGWAddress)
+                            {
+                                retVal += currentGWAddress->IpAddress.String;
+                                retVal += GATEWAY_SEPARATOR;
+                                currentGWAddress = currentGWAddress->Next;
+                            }
+
+                            foundMatch = true;
+                        }
+                    }
+
+                    currentAdapterInfo = currentAdapterInfo->Next;
+                }
+            }
+
+            if (retVal.empty())
+            {
+                retVal = UNKNOWN_VALUE;
+            }
+            else
+            {
+                // Remove last GATEWAY_SEPARATOR (,)
+                retVal = retVal.substr(0, retVal.size() - 1);
+            }
+
+            return retVal;
+        }
+
+        std::string metrics() const override
+        {
+            std::string retVal;
+
+            if (Utils::isVistaOrLater())
+            {
+                retVal = std::to_string(m_interfaceAddress->Ipv4Metric);
+            }
+
+            // XP structure does not support Ipv4Metric information
+            return retVal;
+        }
+
+        std::string metricsV6() const override
+        {
+            std::string retVal;
+
+            if (Utils::isVistaOrLater())
+            {
+                retVal = std::to_string(m_interfaceAddress->Ipv6Metric);
+            }
+
+            // XP structure does not support Ipv6Metric information
+            return retVal;
+        }
+
+        std::string dhcp() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto family { this->adapterFamily() };
+
+            if (AF_INET == family)
+            {
+                const bool ipv4DHCPEnabled
+                {
+                    (m_interfaceAddress->Flags & IP_ADAPTER_DHCP_ENABLED)&& (m_interfaceAddress->Flags & IP_ADAPTER_IPV4_ENABLED)
+                };
+                retVal = ipv4DHCPEnabled ? "enabled" : "disabled";
+            }
+            else if (AF_INET6 == family)
+            {
+                const bool ipv6DHCPEnabled
+                {
+                    (m_interfaceAddress->Flags & IP_ADAPTER_DHCP_ENABLED)&& (m_interfaceAddress->Flags & IP_ADAPTER_IPV6_ENABLED)
+                };
+                retVal = ipv6DHCPEnabled ? "enabled" : "disabled";
+            }
+
+            return retVal;
+        }
+
+        uint32_t mtu() const override
+        {
+            return m_interfaceAddress->Mtu;
+        }
+
+        LinkStats stats() const override
+        {
+            return Utils::isVistaOrLater() ? statsVistaOrLater()
+                   : statsXP();
+        }
+
+        std::string type() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto interfaceType { NETWORK_INTERFACE_TYPES.find(m_interfaceAddress->IfType) };
+
+            if (NETWORK_INTERFACE_TYPES.end() != interfaceType)
+            {
+                retVal = interfaceType->second;
+            }
+
+            return retVal;
+        }
+
+        std::string state() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto opStatus { NETWORK_OPERATIONAL_STATUS.find(m_interfaceAddress->OperStatus) };
+
+            if (NETWORK_OPERATIONAL_STATUS.end() != opStatus)
+            {
+                retVal = opStatus->second;
+            }
+
+            return retVal;
+        }
+
+        std::string MAC() const override
+        {
+            std::string retVal { "00:00:00:00:00:00" };
+            constexpr auto MAC_ADDRESS_LENGTH { 6 };
+
+            if (MAC_ADDRESS_LENGTH == m_interfaceAddress->PhysicalAddressLength)
+            {
+                std::stringstream ss;
+
+                for (unsigned int idx = 0; idx < MAC_ADDRESS_LENGTH; ++idx)
+                {
+                    ss << std::hex << std::setfill('0') << std::setw(2);
+                    ss << static_cast<int>(static_cast<uint8_t>(m_interfaceAddress->PhysicalAddress[idx]));
+
+                    if (MAC_ADDRESS_LENGTH - 1 != idx)
+                    {
+                        ss << ":";
+                    }
+                }
+
+                retVal = ss.str();
+            }
+
+            return retVal;
+        }
+
+    private:
+
+        std::string getAdapterEncodedUTF8(const std::wstring& name) const
+        {
+            const std::string utf8AdapterName { Utils::NetworkWindowsHelper::getAdapterNameStr(name) };
+            return utf8AdapterName.empty() ? " " : utf8AdapterName;
+        }
+
+        int adapterFamily() const
+        {
+            return m_currentUnicastAddress ? m_currentUnicastAddress->Address.lpSockaddr->sa_family
+                   : AF_UNSPEC;
+        }
+
+        PIP_ADDR_STRING findInterfaceMatch(const std::string& address) const
+        {
+            PIP_ADDR_STRING currentInterfaceAddr { nullptr };
+            PIP_ADAPTER_INFO currentAdapterInfo { m_adapterInfo };
+            bool foundMatch { false };
+
+            while (currentAdapterInfo && !foundMatch)
+            {
+                if (!(MIB_IF_TYPE_LOOPBACK == currentAdapterInfo->Type))
+                {
+                    if (currentAdapterInfo->Index == m_interfaceAddress->IfIndex)
+                    {
+                        // Found an interface match. Now we need an IPv4 match.
+                        currentInterfaceAddr = &(currentAdapterInfo->IpAddressList);
+
+                        while (currentInterfaceAddr)
+                        {
+                            if (strncmp(address.c_str(), currentInterfaceAddr->IpAddress.String, address.length()) == 0)
+                            {
+                                // IPv4 match found
+                                break;
+                            }
+
+                            currentInterfaceAddr = currentInterfaceAddr->Next;
+                        }
+
+                        foundMatch = true;
+                    }
+                }
+
+                currentAdapterInfo = currentAdapterInfo->Next;
+            }
+
+            return currentInterfaceAddr;
+        }
+
+        LinkStats statsVistaOrLater() const
+        {
+            LinkStats retVal {};
+            auto ifRow { std::make_unique<MIB_IF_ROW2>() };
+
+            if (!ifRow)
+            {
+                throw std::system_error
+                {
+                    static_cast<int>(GetLastError()),
+                    std::system_category(),
+                    "Unable to allocate memory for MIB_IF_ROW2 struct."
+                };
+            }
+
+            ifRow->InterfaceIndex = (0 != m_interfaceAddress->IfIndex) ? m_interfaceAddress->IfIndex
+                                    : m_interfaceAddress->Ipv6IfIndex;
+
+            if (0 != ifRow->InterfaceIndex)
+            {
+                static auto pfnGetIfEntry2 { Utils::getIfEntry2FunctionAddress() };
+
+                if (pfnGetIfEntry2)
+                {
+                    if (NO_ERROR == pfnGetIfEntry2(ifRow.get()))
+                    {
+                        const auto txPackets { ifRow->OutUcastPkts + ifRow->OutNUcastPkts };
+                        const auto rxPackets { ifRow->InUcastPkts  + ifRow->InNUcastPkts  };
+                        retVal.txPackets = txPackets;
+                        retVal.rxPackets = rxPackets;
+                        retVal.txBytes   = ifRow->OutOctets;
+                        retVal.rxBytes   = ifRow->InOctets;
+                        retVal.txErrors  = ifRow->OutErrors;
+                        retVal.rxErrors  = ifRow->InErrors;
+                        retVal.txDropped = ifRow->OutDiscards;
+                        retVal.rxDropped = ifRow->InDiscards;
+                    }
+                }
+            }
+
+            return retVal;
+        }
+
+        LinkStats statsXP() const
+        {
+            LinkStats retVal {};
+            auto ifRow { std::make_unique<MIB_IFROW>() };
+
+            if (!ifRow)
+            {
+                throw std::system_error
+                {
+                    static_cast<int>(GetLastError()),
+                    std::system_category(),
+                    "Unable to allocate memory for MIB_IFROW struct."
+                };
+            }
+
+            ifRow->dwIndex = (0 != m_interfaceAddress->IfIndex) ? m_interfaceAddress->IfIndex
+                             : m_interfaceAddress->Ipv6IfIndex;
+
+            if (0 != ifRow->dwIndex)
+            {
+                if (NO_ERROR == GetIfEntry(ifRow.get()))
+                {
+                    const auto txPackets { ifRow->dwOutUcastPkts + ifRow->dwOutNUcastPkts };
+                    const auto rxPackets { ifRow->dwInUcastPkts  + ifRow->dwInNUcastPkts  };
+                    retVal.txPackets = txPackets;
+                    retVal.rxPackets = rxPackets;
+                    retVal.txBytes   = ifRow->dwOutOctets;
+                    retVal.rxBytes   = ifRow->dwInOctets;
+                    retVal.txErrors  = ifRow->dwOutErrors;
+                    retVal.rxErrors  = ifRow->dwInErrors;
+                    retVal.txDropped = ifRow->dwOutDiscards;
+                    retVal.rxDropped = ifRow->dwInDiscards;
+                }
+            }
+
+            return retVal;
+        }
+
+        Utils::NetworkWindowsHelper::NetworkFamilyTypes m_interfaceFamily;
+        PIP_ADAPTER_ADDRESSES                           m_interfaceAddress;
+        PIP_ADAPTER_UNICAST_ADDRESS                     m_currentUnicastAddress;
+        PIP_ADAPTER_INFO                                m_adapterInfo;  // XP needed structure
+};
+
+#endif //_NETWORK_WINDOWS_WRAPPER_H
diff --git a/src/common/data_provider/src/osinfo/sysOsInfoInterface.h b/src/common/data_provider/src/osinfo/sysOsInfoInterface.h
new file mode 100644
index 0000000000..95c926783d
--- /dev/null
+++ b/src/common/data_provider/src/osinfo/sysOsInfoInterface.h
@@ -0,0 +1,58 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYS_OS_INFO_INTERFACE_H
+#define _SYS_OS_INFO_INTERFACE_H
+
+#include <string>
+#include <memory>
+#include "json.hpp"
+
+class ISysOsInfoProvider
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~ISysOsInfoProvider() = default;
+        virtual std::string name() const = 0;
+        virtual std::string version() const = 0;
+        virtual std::string majorVersion() const = 0;
+        virtual std::string minorVersion() const = 0;
+        virtual std::string build() const = 0;
+        virtual std::string release() const = 0;
+        virtual std::string displayVersion() const = 0;
+        virtual std::string machine() const = 0;
+        virtual std::string nodeName() const = 0;
+        // LCOV_EXCL_STOP
+};
+
+
+class SysOsInfo
+{
+    public:
+        SysOsInfo() =  default;
+        ~SysOsInfo() = default;
+        static void setOsInfo(const std::shared_ptr<ISysOsInfoProvider>& osInfoProvider,
+                              nlohmann::json& output)
+        {
+            output["os_name"] = osInfoProvider->name();
+            output["os_major"] = osInfoProvider->majorVersion();
+            output["os_minor"] = osInfoProvider->minorVersion();
+            output["os_build"] = osInfoProvider->build();
+            output["os_version"] = osInfoProvider->version();
+            output["hostname"] = osInfoProvider->nodeName();
+            output["os_release"] = osInfoProvider->release();
+            output["os_display_version"] = osInfoProvider->displayVersion();
+            output["architecture"] = osInfoProvider->machine();
+            output["os_platform"] = "windows";
+        }
+};
+
+#endif //_SYS_OS_INFO_INTERFACE_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/osinfo/sysOsInfoWin.cpp b/src/common/data_provider/src/osinfo/sysOsInfoWin.cpp
new file mode 100644
index 0000000000..1d8ba2bc83
--- /dev/null
+++ b/src/common/data_provider/src/osinfo/sysOsInfoWin.cpp
@@ -0,0 +1,367 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <winsock2.h>
+#include <windows.h>
+#include <versionhelpers.h>
+#include <sysinfoapi.h>
+#include <map>
+#include "sysOsInfoWin.h"
+#include "sysOsInfoWin.h"
+#include "stringHelper.h"
+#include "registryHelper.h"
+#include "sharedDefs.h"
+
+static std::string getVersion(const bool isMinor = false)
+{
+    std::string version;
+
+    if (IsWindowsVistaOrGreater())
+    {
+        DWORD versionNumber {};
+        Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)"};
+
+        if (IsWindows8OrGreater()
+                && currentVersion.dword(isMinor ? "CurrentMinorVersionNumber" : "CurrentMajorVersionNumber", versionNumber))
+        {
+            version = std::to_string(versionNumber);
+        }
+        else
+        {
+            enum OS_VERSION
+            {
+                MAJOR_VERSION,
+                MINOR_VERSION,
+                MAX_VERSION
+            };
+            const auto fullVersion{currentVersion.string("CurrentVersion")};
+            const auto majorAndMinor{Utils::split(fullVersion, '.')};
+
+            if (majorAndMinor.size() == MAX_VERSION)
+            {
+                version = isMinor ? majorAndMinor[MINOR_VERSION] : majorAndMinor[MAJOR_VERSION];
+            }
+        }
+    }
+    else
+    {
+        OSVERSIONINFOEX osvi{};
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+
+        if (GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi)))
+        {
+            version = std::to_string(isMinor ? osvi.dwMinorVersion : osvi.dwMajorVersion);
+        }
+        else
+        {
+            osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+
+            if (GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi)))
+            {
+                version = std::to_string(isMinor ? osvi.dwMinorVersion : osvi.dwMajorVersion);
+            }
+        }
+    }
+
+    return version;
+}
+
+static std::string getBuild()
+{
+    std::string build;
+
+    if (IsWindowsVistaOrGreater())
+    {
+        Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)"};
+        build = currentVersion.string("CurrentBuildNumber");
+    }
+    else
+    {
+        OSVERSIONINFOEX osvi{};
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+
+        if (GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi)))
+        {
+            build = std::to_string(osvi.dwBuildNumber & 0xFFFF);
+        }
+        else
+        {
+            osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+
+            if (GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi)))
+            {
+                build = std::to_string(osvi.dwBuildNumber & 0xFFFF);
+            }
+        }
+    }
+
+    return build;
+}
+
+static std::string getBuildRevision()
+{
+    std::string buildRevision;
+
+    if (IsWindows8OrGreater())
+    {
+        DWORD ubr {};
+
+        Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)", KEY_READ | KEY_WOW64_64KEY};
+
+        if (currentVersion.dword("UBR", ubr))
+        {
+            buildRevision = std::to_string(ubr);
+        }
+    }
+
+    return buildRevision;
+}
+
+static std::string getRelease(const std::string& build)
+{
+    static const std::string SERVICE_PACK_PREFIX{"Service Pack"};
+    static const std::map<std::string, std::string> BUILD_RELEASE_MAP
+    {
+        {"10240", "1507"},
+        {"10586", "1511"},
+        {"14393", "1607"},
+        {"15063", "1709"},
+        {"17134", "1803"},
+        {"17763", "1809"},
+        {"18362", "1903"},
+        {"18363", "1909"},
+    };
+    std::string release;
+    Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)"};
+
+    if (IsWindows8OrGreater())
+    {
+        if (!currentVersion.string("ReleaseId", release))
+        {
+            const auto it{BUILD_RELEASE_MAP.find(build)};
+
+            if (it != BUILD_RELEASE_MAP.end())
+            {
+                release = it->second;
+            }
+        }
+    }
+
+    if (release.empty())
+    {
+        std::string sp;
+
+        if (currentVersion.string("CSDVersion", sp))
+        {
+            if (Utils::startsWith(sp, SERVICE_PACK_PREFIX))
+            {
+                release = "sp" + Utils::trim(sp.substr(SERVICE_PACK_PREFIX.size()));
+            }
+        }
+        else
+        {
+            Utils::Registry currentVersion64{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)", KEY_READ | KEY_WOW64_64KEY};
+
+            if (currentVersion64.string("CSDVersion", sp))
+            {
+                if (Utils::startsWith(sp, SERVICE_PACK_PREFIX))
+                {
+                    release = "sp" + Utils::trim(sp.substr(SERVICE_PACK_PREFIX.size()));
+                }
+            }
+        }
+    }
+
+    return release;
+}
+
+static std::string getDisplayVersion()
+{
+    std::string display_version;
+    Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)"};
+
+    if (!currentVersion.string("DisplayVersion", display_version))
+    {
+        display_version = UNKNOWN_VALUE;
+    }
+
+    return display_version;
+}
+
+static std::string getName()
+{
+    std::string name;
+    static const std::string MSFT_PREFIX{"Microsoft"};
+    constexpr auto SM_SERVER32_VALUE{89};//www.docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getsystemmetrics
+    //https://learn.microsoft.com/en-us/windows/win32/winprog64/example-of-registry-reflection-and-redirection-on-wow64
+    Utils::Registry currentVersion{HKEY_LOCAL_MACHINE, R"(SOFTWARE\Microsoft\Windows NT\CurrentVersion)", KEY_WOW64_64KEY | KEY_READ};
+
+    if (currentVersion.string("ProductName", name))
+    {
+        name = Utils::startsWith(name, MSFT_PREFIX) ? name : MSFT_PREFIX + " " + name;
+
+        const auto build { getBuild() };
+        std::string errorMessage;
+
+        try
+        {
+            size_t valueSize = 0;
+            const auto value { std::stoi(build, &valueSize) };
+
+            if (build.size() == valueSize)
+            {
+                constexpr int FIRST_BUILD_WINDOWS11{ 22000 };
+
+                if (value >= FIRST_BUILD_WINDOWS11)
+                {
+                    constexpr auto MSFT_VERSION {"Microsoft Windows 10"};
+                    constexpr auto MSFT_VERSION_REPLACED {"Microsoft Windows 11"};
+                    Utils::replaceAll(name, MSFT_VERSION, MSFT_VERSION_REPLACED);
+                }
+            }
+        }
+        catch (...)
+        {
+
+        }
+    }
+    else if (IsWindowsVistaOrGreater())
+    {
+        name = "Windows undefined version";
+    }
+    else
+    {
+        OSVERSIONINFOEX osvi{};
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+        auto result{GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi))};
+
+        if (!result)
+        {
+            osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+            result = GetVersionEx (reinterpret_cast<OSVERSIONINFO*>(&osvi));
+        }
+
+        if (result)
+        {
+            if (osvi.dwMajorVersion == 5)
+            {
+                if (osvi.dwMajorVersion <= 1)
+                {
+                    name = osvi.dwMajorVersion == 0 ? "Microsoft Windows 2000" : "Microsoft Windows XP";
+                }
+                else
+                {
+                    SYSTEM_INFO si{};
+                    GetNativeSystemInfo(&si);
+
+                    if (osvi.wProductType == VER_NT_WORKSTATION && si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64)
+                    {
+                        name = "Microsoft Windows XP Professional x64 Edition";
+                    }
+                    else if (GetSystemMetrics(SM_SERVER32_VALUE))
+                    {
+                        name = "Microsoft Windows Server 2003 R2";
+                    }
+                    else
+                    {
+                        name = "Microsoft Windows Server 2003";
+                    }
+                }
+            }
+        }
+    }
+
+    return name.empty() ? "Microsoft Windows" : name;
+}
+
+static std::string getMachine()
+{
+    static const std::map<std::string, std::string> ARCH_MAP
+    {
+        {"AMD64",   "x86_64"},
+        {"IA64",    "x86_64"},
+        {"ARM64",   "x86_64"},
+        {"x86",     "i686"},
+    };
+    std::string machine { UNKNOWN_VALUE };
+    Utils::Registry environment{HKEY_LOCAL_MACHINE, R"(System\CurrentControlSet\Control\Session Manager\Environment)"};
+    const auto arch{environment.string("PROCESSOR_ARCHITECTURE")};
+    const auto it{ARCH_MAP.find(arch)};
+
+    if (it != ARCH_MAP.end())
+    {
+        machine = it->second;
+    }
+
+    return machine;
+}
+
+static std::string getNodeName()
+{
+    std::string nodeName;
+    Utils::Registry activeComputerName{HKEY_LOCAL_MACHINE, R"(System\CurrentControlSet\Control\ComputerName\ActiveComputerName)"};
+
+    if (!activeComputerName.string("ComputerName", nodeName))
+    {
+        nodeName = UNKNOWN_VALUE;
+    }
+
+    return nodeName;
+}
+
+SysOsInfoProviderWindows::SysOsInfoProviderWindows()
+    : m_majorVersion{getVersion()}
+    , m_minorVersion{getVersion(true)}
+    , m_build{getBuild()}
+    , m_buildRevision{getBuildRevision()}
+    , m_version{m_majorVersion + "." + m_minorVersion + "." + m_build}
+    , m_release{getRelease(m_build)}
+    , m_displayVersion{getDisplayVersion()}
+    , m_name{getName()}
+    , m_machine{getMachine()}
+    , m_nodeName{getNodeName()}
+{
+}
+std::string SysOsInfoProviderWindows::name() const
+{
+    return m_name;
+}
+std::string SysOsInfoProviderWindows::version() const
+{
+    return m_buildRevision.empty() ? m_version : m_version + "." + m_buildRevision;
+}
+std::string SysOsInfoProviderWindows::majorVersion() const
+{
+    return m_majorVersion;
+}
+std::string SysOsInfoProviderWindows::minorVersion() const
+{
+    return m_minorVersion;
+}
+std::string SysOsInfoProviderWindows::build() const
+{
+    return m_buildRevision.empty() ? m_build : m_build + "." + m_buildRevision;
+}
+std::string SysOsInfoProviderWindows::release() const
+{
+    return m_release;
+}
+std::string SysOsInfoProviderWindows::displayVersion() const
+{
+    return m_displayVersion;
+}
+std::string SysOsInfoProviderWindows::machine() const
+{
+    return m_machine;
+}
+std::string SysOsInfoProviderWindows::nodeName() const
+{
+    return m_nodeName;
+}
diff --git a/src/common/data_provider/src/osinfo/sysOsInfoWin.h b/src/common/data_provider/src/osinfo/sysOsInfoWin.h
new file mode 100644
index 0000000000..ec22a0c31f
--- /dev/null
+++ b/src/common/data_provider/src/osinfo/sysOsInfoWin.h
@@ -0,0 +1,47 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYS_OS_INFO_WINDOWS_H
+#define _SYS_OS_INFO_WINDOWS_H
+
+#include "sysOsInfoInterface.h"
+
+class SysOsInfoProviderWindows final : public ISysOsInfoProvider
+{
+    public:
+        SysOsInfoProviderWindows();
+        ~SysOsInfoProviderWindows() = default;
+        std::string name() const override;
+        std::string version() const override;
+        std::string majorVersion() const override;
+        std::string minorVersion() const override;
+        std::string build() const override;
+        std::string release() const override;
+        std::string displayVersion() const override;
+        std::string machine() const override;
+        std::string nodeName() const override;
+    private:
+        const std::string m_majorVersion;
+        const std::string m_minorVersion;
+        const std::string m_build;
+        const std::string m_buildRevision;
+        const std::string m_version;
+        const std::string m_release;
+        const std::string m_displayVersion;
+        const std::string m_name;
+        const std::string m_machine;
+        const std::string m_nodeName;
+};
+
+
+
+
+#endif //_SYS_OS_INFO_WINDOWS_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/osinfo/sysOsParsers.cpp b/src/common/data_provider/src/osinfo/sysOsParsers.cpp
new file mode 100644
index 0000000000..e214578f83
--- /dev/null
+++ b/src/common/data_provider/src/osinfo/sysOsParsers.cpp
@@ -0,0 +1,454 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "osinfo/sysOsParsers.h"
+#include "stringHelper.h"
+#include "filesystemHelper.h"
+#include "sharedDefs.h"
+
+static bool parseUnixFile(const std::vector<std::pair<std::string, std::string>>& keyMapping,
+                          const char separator,
+                          std::istream& in,
+                          nlohmann::json& info)
+{
+    bool ret{false};
+    std::string fileContent(std::istreambuf_iterator<char>(in), {});
+    std::map<std::string, std::string> fileKeyValueMap;
+    std::map<std::string, std::string>::iterator itFileKeyValue;
+
+    Utils::splitMapKeyValue(fileContent, separator, fileKeyValueMap);
+
+    for (const auto& keyMappingEntry : keyMapping)
+    {
+        if (info.find(keyMappingEntry.second) == info.end())
+        {
+            if ((itFileKeyValue = fileKeyValueMap.find(keyMappingEntry.first)) != fileKeyValueMap.end())
+            {
+                info[keyMappingEntry.second] = itFileKeyValue->second;
+                ret = true;
+            }
+        }
+    }
+
+    return ret;
+}
+
+
+static bool findCodeNameInString(const std::string& in,
+                                 std::string& output)
+{
+    const auto end{in.rfind(")")};
+    const auto start{in.rfind("(")};
+    const bool ret
+    {
+        start != std::string::npos&& end != std::string::npos
+    };
+
+    if (ret)
+    {
+        output = Utils::trim(in.substr(start + 1, end - (start + 1)));
+    }
+
+    return ret;
+}
+
+static void findMajorMinorVersionInString(const std::string& in,
+                                          nlohmann::json& output)
+{
+    constexpr auto PATCH_VERSION_PATTERN{"^[0-9]+\\.[0-9]+\\.([0-9]+)\\.*"};
+    constexpr auto MINOR_VERSION_PATTERN{"^[0-9]+\\.([0-9]+)\\.*"};
+    constexpr auto MAJOR_VERSION_PATTERN{"^([0-9]+)\\.*"};
+    std::string version;
+    std::regex pattern{MAJOR_VERSION_PATTERN};
+
+    if (Utils::findRegexInString(in, version, pattern, 1))
+    {
+        output["os_major"] = version;
+    }
+
+    pattern = MINOR_VERSION_PATTERN;
+
+    if (Utils::findRegexInString(in, version, pattern, 1))
+    {
+        output["os_minor"] = version;
+    }
+
+    pattern = PATCH_VERSION_PATTERN;
+
+    if (Utils::findRegexInString(in, version, pattern, 1))
+    {
+        output["os_patch"] = version;
+    }
+}
+
+
+static bool findVersionInStream(std::istream& in,
+                                nlohmann::json& output,
+                                const std::string& regex,
+                                const size_t matchIndex = 0,
+                                const std::string& start = "")
+{
+    bool ret{false};
+    std::string line;
+    std::string data;
+    std::regex pattern{regex};
+
+    while (std::getline(in, line))
+    {
+        line = Utils::trim(line);
+        ret |= Utils::findRegexInString(line, data, pattern, matchIndex, start);
+
+        if (ret)
+        {
+            output["os_version"] = data;
+            findMajorMinorVersionInString(data, output);
+        }
+
+        if (findCodeNameInString(line, data))
+        {
+            output["os_codename"] = data;
+        }
+    }
+
+    return ret;
+}
+
+bool UnixOsParser::parseFile(std::istream& in, nlohmann::json& info)
+{
+    constexpr auto SEPARATOR{'='};
+    static const std::vector<std::pair<std::string, std::string>> KEY_MAPPING
+    {
+        {"NAME",             "os_name"},
+        {"VERSION",          "os_version"},
+        {"VERSION_ID",       "os_version"},
+        {"ID",               "os_platform"},
+        {"BUILD_ID",         "os_build"},
+        {"VERSION_CODENAME", "os_codename"}
+    };
+    const auto ret {parseUnixFile(KEY_MAPPING, SEPARATOR, in, info)};
+
+    if (ret && info.find("os_version") != info.end())
+    {
+        findMajorMinorVersionInString(info["os_version"], info);
+    }
+
+    return ret;
+}
+
+bool UbuntuOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    constexpr auto DISTRIB_FIELD{"DISTRIB_DESCRIPTION"};
+    static const std::string CODENAME_FIELD{"DISTRIB_CODENAME"};
+    bool ret{false};
+    std::string line;
+    std::regex pattern{PATTERN_MATCH};
+
+    while (std::getline(in, line))
+    {
+        line = Utils::trim(line);
+        std::string match;
+
+        if (Utils::findRegexInString(line, match, pattern, 0, DISTRIB_FIELD))
+        {
+            output["os_version"] = match;
+            findMajorMinorVersionInString(match, output);
+            ret = true;
+        }
+        else if (Utils::startsWith(line, CODENAME_FIELD))
+        {
+            output["os_codename"] = Utils::trim(line.substr(CODENAME_FIELD.size()), " =");
+            ret = true;
+        }
+    }
+
+    output["os_name"] = "Ubuntu";
+    output["os_platform"] = "ubuntu";
+    return ret;
+}
+
+bool CentosOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+
+    if (!output.contains("os_name")) output["os_name"] = "Centos Linux";
+
+    if (!output.contains("os_platform")) output["os_platform"] = "centos";
+
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool BSDOsParser::parseUname(const std::string& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    std::string match;
+    std::regex pattern{PATTERN_MATCH};
+    const auto ret {Utils::findRegexInString(in, match, pattern)};
+
+    if (ret)
+    {
+        output["os_version"] = match;
+        findMajorMinorVersionInString(match, output);
+    }
+
+    output["os_name"] = "BSD";
+    output["os_platform"] = "bsd";
+    return ret;
+}
+
+bool RedHatOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    static const std::string FIRST_DELIMITER{"release"};
+    static const std::string SECOND_DELIMITER{"("};
+    bool ret{false};
+    std::string data;
+
+    if (std::getline(in, data))
+    {
+        //format is: OSNAME release VERSION (CODENAME)
+        auto pos{data.find(FIRST_DELIMITER)};
+
+        if (pos != std::string::npos)
+        {
+            output["os_name"] = Utils::trim(data.substr(0, pos));
+            data = data.substr(pos + FIRST_DELIMITER.size());
+            pos = data.find(SECOND_DELIMITER);
+            ret = true;
+        }
+
+        if (pos != std::string::npos)
+        {
+            const auto fullVersion{Utils::trim(data.substr(0, pos))};
+            const auto versions{Utils::split(fullVersion, '.')};
+            output["os_version"] = fullVersion;
+            output["os_major"] = versions[0];
+
+            if (versions.size() > 1)
+            {
+                output["os_minor"] = versions[1];
+            }
+
+            output["os_codename"] = Utils::trim(data.substr(pos), " ()");
+        }
+
+        output["os_platform"] = "rhel";
+
+    }
+
+    return ret;
+}
+
+bool DebianOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    output["os_name"] = "Debian GNU/Linux";
+    output["os_platform"] = "debian";
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool ArchOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    output["os_name"] = "Arch Linux";
+    output["os_platform"] = "arch";
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool SlackwareOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    output["os_name"] = "Slackware";
+    output["os_platform"] = "slackware";
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool GentooOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9].*\.[0-9]*)"};
+    output["os_name"] = "Gentoo";
+    output["os_platform"] = "gentoo";
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool SuSEOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto SEPARATOR{'='};
+    static const std::vector<std::pair<std::string, std::string>> KEY_MAPPING
+    {
+        {"VERSION",          "os_version"},
+        {"CODENAME",         "os_codename"},
+    };
+    output["os_name"] = "SuSE Linux";
+    output["os_platform"] = "suse";
+    const auto ret{ parseUnixFile(KEY_MAPPING, SEPARATOR, in, output) };
+
+    if (ret)
+    {
+        findMajorMinorVersionInString(output["os_version"], output);
+    }
+
+    return ret;
+}
+
+bool FedoraOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"([0-9]+\.*)"};
+    output["os_name"] = "Fedora";
+    output["os_platform"] = "fedora";
+    const auto ret{ findVersionInStream(in, output, PATTERN_MATCH) };
+
+    if (ret)
+    {
+        findMajorMinorVersionInString(output["os_version"], output);
+    }
+
+    return ret;
+}
+
+bool SolarisOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    const std::string HEADER_STRING{"Solaris "};
+    output["os_name"] = "SunOS";
+    output["os_platform"] = "sunos";
+    std::string line;
+    size_t pos{std::string::npos};
+
+    while (pos == std::string::npos && std::getline(in, line))
+    {
+        line = Utils::trim(line);
+        pos = line.find(HEADER_STRING);
+
+        if (std::string::npos != pos)
+        {
+            line = line.substr(pos + HEADER_STRING.size());
+            pos = line.find(" ");
+
+            if (pos != std::string::npos)
+            {
+                line = line.substr(0, pos);
+            }
+
+            output["os_version"] = Utils::trim(line);
+            findMajorMinorVersionInString(Utils::trim(line), output);
+        }
+    }
+
+    return std::string::npos == pos ? false : true;
+}
+
+bool HpUxOsParser::parseUname(const std::string& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"(B\.([0-9].*\.[0-9]*))"};
+    std::string match;
+    std::regex pattern{PATTERN_MATCH};
+    const auto ret {Utils::findRegexInString(in, match, pattern, 1)};
+
+    if (ret)
+    {
+        output["os_version"] = match;
+        findMajorMinorVersionInString(match, output);
+    }
+
+    output["os_name"] = "HP-UX";
+    output["os_platform"] = "hp-ux";
+    return ret;
+}
+
+bool AlpineOsParser::parseFile(std::istream& in, nlohmann::json& output)
+{
+    constexpr auto PATTERN_MATCH{R"((?:[0-9]+\.)?(?:[0-9]+\.)?(?:[0-9]+))"};
+    output["os_name"] = "Alpine Linux";
+    output["os_platform"] = "alpine";
+    return findVersionInStream(in, output, PATTERN_MATCH);
+}
+
+bool MacOsParser::parseSwVersion(const std::string& in, nlohmann::json& output)
+{
+    constexpr auto SEPARATOR{':'};
+    static const std::vector<std::pair<std::string, std::string>> KEY_MAPPING
+    {
+        {"ProductVersion",  "os_version"},
+        {"BuildVersion",    "os_build"},
+    };
+    output["os_platform"] = "darwin";
+    std::stringstream data{in};
+    const auto ret{ parseUnixFile(KEY_MAPPING, SEPARATOR, data, output) };
+
+    if (ret)
+    {
+        findMajorMinorVersionInString(output["os_version"], output);
+    }
+
+    return ret;
+}
+
+bool MacOsParser::parseSystemProfiler(const std::string& in, nlohmann::json& output)
+{
+    constexpr auto SEPARATOR{':'};
+    static const std::vector<std::pair<std::string, std::string>> KEY_MAPPING
+    {
+        {"System Version", "os_name"},
+    };
+    std::stringstream data{in};
+    nlohmann::json info;
+    auto ret{ parseUnixFile(KEY_MAPPING, SEPARATOR, data, info) };
+
+    if (ret)
+    {
+        constexpr auto PATTERN_MATCH{R"(^([^\s]+) [^\s]+ [^\s]+$)"};
+        std::string match;
+        std::regex pattern{PATTERN_MATCH};
+
+        if (Utils::findRegexInString(info["os_name"], match, pattern, 1))
+        {
+            output["os_name"] = std::move(match);
+        }
+        else
+        {
+            ret = false;
+        }
+    }
+
+    return ret;
+}
+
+bool MacOsParser::parseUname(const std::string& in, nlohmann::json& output)
+{
+    static const std::map<std::string, std::string> MAC_CODENAME_MAP
+    {
+        {"10", "Snow Leopard"},
+        {"11", "Lion"},
+        {"12", "Mountain Lion"},
+        {"13", "Mavericks"},
+        {"14", "Yosemite"},
+        {"15", "El Capitan"},
+        {"16", "Sierra"},
+        {"17", "High Sierra"},
+        {"18", "Mojave"},
+        {"19", "Catalina"},
+        {"20", "Big Sur"},
+        {"21", "Monterey"},
+        {"22", "Ventura"},
+        {"23", "Sonoma"},
+    };
+    constexpr auto PATTERN_MATCH{"[0-9]+"};
+    std::string match;
+    std::regex pattern{PATTERN_MATCH};
+    const auto ret {Utils::findRegexInString(in, match, pattern, 0)};
+
+    if (ret)
+    {
+        const auto it{MAC_CODENAME_MAP.find(match)};
+        output["os_codename"] = it != MAC_CODENAME_MAP.end() ? it->second : "";
+    }
+
+    return ret;
+}
diff --git a/src/common/data_provider/src/osinfo/sysOsParsers.h b/src/common/data_provider/src/osinfo/sysOsParsers.h
new file mode 100644
index 0000000000..448dcee08b
--- /dev/null
+++ b/src/common/data_provider/src/osinfo/sysOsParsers.h
@@ -0,0 +1,237 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYS_OS_PARSERS_H
+#define _SYS_OS_PARSERS_H
+
+#include <istream>
+#include "json.hpp"
+
+struct ISysOsParser
+{
+    // LCOV_EXCL_START
+    virtual ~ISysOsParser() = default;
+    // LCOV_EXCL_STOP
+    virtual bool parseFile(std::istream& /*in*/, nlohmann::json& /*output*/)
+    {
+        return false;
+    }
+    virtual bool parseUname(const std::string& /*in*/, nlohmann::json& /*output*/)
+    {
+        return false;
+    }
+};
+
+class UnixOsParser : public ISysOsParser
+{
+    public:
+        UnixOsParser() = default;
+        ~UnixOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class UbuntuOsParser : public ISysOsParser
+{
+    public:
+        UbuntuOsParser() = default;
+        ~UbuntuOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class CentosOsParser : public ISysOsParser
+{
+    public:
+        CentosOsParser() = default;
+        ~CentosOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class BSDOsParser : public ISysOsParser
+{
+    public:
+        BSDOsParser() = default;
+        ~BSDOsParser() = default;
+        bool parseUname(const std::string& in, nlohmann::json& output) override;
+};
+
+class RedHatOsParser : public ISysOsParser
+{
+    public:
+        RedHatOsParser() = default;
+        ~RedHatOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class DebianOsParser : public ISysOsParser
+{
+    public:
+        DebianOsParser() = default;
+        ~DebianOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class ArchOsParser : public ISysOsParser
+{
+    public:
+        ArchOsParser() = default;
+        ~ArchOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class SlackwareOsParser : public ISysOsParser
+{
+    public:
+        SlackwareOsParser() = default;
+        ~SlackwareOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class GentooOsParser : public ISysOsParser
+{
+    public:
+        GentooOsParser() = default;
+        ~GentooOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class SuSEOsParser : public ISysOsParser
+{
+    public:
+        SuSEOsParser() = default;
+        ~SuSEOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class FedoraOsParser : public ISysOsParser
+{
+    public:
+        FedoraOsParser() = default;
+        ~FedoraOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class SolarisOsParser : public ISysOsParser
+{
+    public:
+        SolarisOsParser() = default;
+        ~SolarisOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class HpUxOsParser : public ISysOsParser
+{
+    public:
+        HpUxOsParser() = default;
+        ~HpUxOsParser() = default;
+        bool parseUname(const std::string& in, nlohmann::json& output) override;
+};
+
+class AlpineOsParser : public ISysOsParser
+{
+    public:
+        AlpineOsParser() = default;
+        ~AlpineOsParser() = default;
+        bool parseFile(std::istream& in, nlohmann::json& output) override;
+};
+
+class MacOsParser
+{
+    public:
+        MacOsParser() = default;
+        ~MacOsParser() = default;
+        bool parseSwVersion(const std::string& in, nlohmann::json& output);
+        bool parseSystemProfiler(const std::string& in, nlohmann::json& output);
+        bool parseUname(const std::string& in, nlohmann::json& output);
+};
+
+class FactorySysOsParser final
+{
+    public:
+        static std::unique_ptr<ISysOsParser> create(const std::string& platform)
+        {
+            if (platform == "ubuntu")
+            {
+                return std::make_unique<UbuntuOsParser>();
+            }
+
+            if (platform == "centos")
+            {
+                return std::make_unique<CentosOsParser>();
+            }
+
+            if (platform == "unix")
+            {
+                return std::make_unique<UnixOsParser>();
+            }
+
+            if (platform == "bsd")
+            {
+                return std::make_unique<BSDOsParser>();
+            }
+
+            if (platform == "fedora")
+            {
+                return std::make_unique<FedoraOsParser>();
+            }
+
+            if (platform == "solaris")
+            {
+                return std::make_unique<SolarisOsParser>();
+            }
+
+            if (platform == "debian")
+            {
+                return std::make_unique<DebianOsParser>();
+            }
+
+            if (platform == "gentoo")
+            {
+                return std::make_unique<GentooOsParser>();
+            }
+
+            if (platform == "slackware")
+            {
+                return std::make_unique<SlackwareOsParser>();
+            }
+
+            if (platform == "suse")
+            {
+                return std::make_unique<SuSEOsParser>();
+            }
+
+            if (platform == "arch")
+            {
+                return std::make_unique<ArchOsParser>();
+            }
+
+            if (platform == "rhel")
+            {
+                return std::make_unique<RedHatOsParser>();
+            }
+
+            if (platform == "hp-ux")
+            {
+                return std::make_unique<HpUxOsParser>();
+            }
+
+            if (platform == "alpine")
+            {
+                return std::make_unique<AlpineOsParser>();
+            }
+
+            throw std::runtime_error
+            {
+                "Unsupported platform."
+            };
+        }
+};
+
+#endif //_SYS_OS_PARSERS_H
diff --git a/src/common/data_provider/src/packages/appxWindowsWrapper.h b/src/common/data_provider/src/packages/appxWindowsWrapper.h
new file mode 100644
index 0000000000..2766d9066e
--- /dev/null
+++ b/src/common/data_provider/src/packages/appxWindowsWrapper.h
@@ -0,0 +1,434 @@
+/* * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 23, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <ctime>
+#include <algorithm>
+#include <stdexcept>
+#include <string>
+#include <set>
+#include <vector>
+#include "ipackageWrapper.h"
+#include "registryHelper.h"
+#include "windowsHelper.h"
+#include "stringHelper.h"
+#include "sharedDefs.h"
+
+constexpr auto APPLICATION_STORE_REGISTRY        {"SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages"};
+constexpr auto APPLICATION_INSTALL_TIME_REGISTRY {"SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families"};
+constexpr auto APPLICATION_VENDOR_REGISTRY       {"SOFTWARE\\Classes"};
+constexpr auto FILE_ASSOCIATIONS_REGISTRY        { "\\Capabilities\\FileAssociations" };
+constexpr auto URL_ASSOCIATIONS_REGISTRY         { "\\Capabilities\\URLAssociations" };
+constexpr auto CACHE_NAME_REGISTRY               { "SOFTWARE\\Classes\\Local Settings\\MrtCache" };
+constexpr auto STORE_APPLICATION_DATABASE        { "C:\\Program Files\\WindowsApps" };
+constexpr auto PREFIX_LOCALIZATION               { "@{" };
+
+
+class AppxWindowsWrapper final : public IPackageWrapper
+{
+    public:
+
+        explicit AppxWindowsWrapper(const HKEY key, const std::string& userId, const std::string& appName, const std::set<std::string>& cacheRegistry)
+            : m_key{ key },
+              m_userId{ userId },
+              m_appName{ appName },
+              m_format{ "win" },
+              m_cacheReg{ cacheRegistry }
+        {
+            getInformationPackages();
+        }
+
+        ~AppxWindowsWrapper() = default;
+
+        std::string name() const override
+        {
+            return m_name;
+        }
+
+        std::string version() const override
+        {
+            return m_version;
+        }
+
+        std::string groups() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string description() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string architecture() const override
+        {
+            return m_architecture;
+        }
+
+        std::string format() const override
+        {
+            return m_format;
+        }
+
+        std::string osPatch() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string source() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string location() const override
+        {
+            return m_location;
+        }
+
+        std::string priority() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        int size() const override
+        {
+            return 0;
+        }
+
+        std::string vendor() const override
+        {
+            return m_vendor;
+        }
+
+        std::string install_time() const override
+        {
+            return m_installTime;
+        }
+
+        std::string multiarch() const override
+        {
+            return std::string();
+        }
+
+    private:
+        HKEY m_key;
+        std::string m_userId;
+        std::string m_appName;
+        std::string m_format;
+        std::string m_name;
+        std::string m_version;
+        std::string m_vendor;
+        std::string m_architecture;
+        std::string m_location;
+        std::string m_installTime;
+        std::set<std::string> m_cacheReg;
+
+        bool isRegistryValid()
+        {
+            Utils::Registry registry(m_key, m_userId + "\\" + APPLICATION_STORE_REGISTRY + "\\" + m_appName, KEY_READ | KEY_ENUMERATE_SUB_KEYS);
+
+            return registry.enumerate().size() != 0;
+        }
+
+        void getInformationPackages()
+        {
+            if (isRegistryValid())
+            {
+                enum
+                {
+                    INDEX_NAME,
+                    INDEX_VERSION,
+                    INDEX_ARCHITECTURE,
+                    INDEX_VOID,
+                    INDEX_UUID,
+                    INDEX_COUNT
+                };
+                const auto fields { Utils::split(m_appName, '_') }; //The name format is <complete name>_<Version>_<Architecture>_<UUID>
+
+                if (fields.size() >= INDEX_COUNT)
+                {
+                    const Utils::Registry packageReg(m_key, m_userId + "\\" + APPLICATION_STORE_REGISTRY + "\\" + m_appName);
+
+                    m_version = fields.at(INDEX_VERSION);
+                    m_architecture = getArchitecture(fields.at(INDEX_ARCHITECTURE));
+                    m_location = getLocation(packageReg);
+                    m_installTime = getInstallTime(fields.at(INDEX_NAME), fields.at(INDEX_UUID));
+                    m_name = getName(fields.at(INDEX_NAME), packageReg);
+                    m_vendor = getVendor(packageReg);
+
+                }
+
+                /*
+                 * If the package location is not in application store database provided by Windows then it is thrown away.
+                 * https://answers.microsoft.com/en-us/windows/forum/all/what-is-cprogram-fileswindows-apps-hidden-folder/783b5a18-c44d-46f7-b638-e98054b7c2a8
+                 */
+                if (m_location.find(STORE_APPLICATION_DATABASE) == std::string::npos)
+                {
+                    m_name.clear();
+                    m_vendor.clear();
+                    m_architecture.clear();
+                    m_version.clear();
+                    m_location.clear();
+                }
+            }
+        }
+
+        /*
+         * @brief Gets packages architecture.
+         *
+         * @param[in] field Field where the architecture type is.
+         *
+         * Type are:
+         *          - x64
+         *          - x86
+         *
+         * @return Return app architecture.
+         */
+        const std::string getArchitecture(const std::string& field)
+        {
+            std::string architecture { UNKNOWN_VALUE };
+
+            if (!field.compare("x64"))
+            {
+                architecture = "x86_64";
+            }
+            else if (!field.compare("x86"))
+            {
+                architecture = "i686";
+            }
+
+            return architecture;
+        }
+
+        /*
+         * Get the path where the application was installed.
+         *
+         * @param[in] registry  Registry object pointing to where the data is.
+         *
+         * @return Return package location.
+         */
+        const std::string getLocation(const Utils::Registry& registry)
+        {
+            std::string location;
+
+            return registry.string("PackageRootFolder", location) ? location : UNKNOWN_VALUE;
+        }
+
+
+        const std::string getInstallTime(const std::string& name, const std::string& uuid)
+        {
+            std::string installTime { UNKNOWN_VALUE };
+            unsigned long long int value;
+
+            // Name of main registry is: app_Name + _ + app_UUID
+            const auto mainRegistry {name + "_" + uuid};
+
+            try
+            {
+                const Utils::Registry installTimeRegistry {Utils::Registry(m_key, m_userId + "\\" + APPLICATION_INSTALL_TIME_REGISTRY + "\\" + mainRegistry + "\\" + m_appName)};
+
+                if (installTimeRegistry.qword("InstallTime", value))
+                {
+                    installTime = Utils::buildTimestamp(value);
+                }
+            }
+            catch (...)
+            {
+            }
+
+            return installTime;
+        }
+
+        /*
+         * @brief Get application name.
+         *
+         * @param[in] fullName Full application name.
+         * @param[in] registry Registry object pointing to where the data is located.
+         *
+         * @return Return name application.
+         */
+        const std::string getName(const std::string& fullName, const Utils::Registry& registry)
+        {
+            std::string name;
+
+            /*
+             * Example of  fullName
+             *
+             * Microsoft.Windows.Search
+             * Microsoft.SkypeApp
+             */
+            const auto keyName { Utils::split(fullName, '.').back() }; // Will only use the last vector element.
+
+            try
+            {
+                for (const auto& folder : registry.enumerate())
+                {
+                    std::string value;
+                    const Utils::Registry nameReg(m_key, m_userId  + "\\" + APPLICATION_STORE_REGISTRY + "\\" + m_appName + "\\" + folder + "\\Capabilities");
+
+                    if (nameReg.string("ApplicationName", value))
+                    {
+                        name = value;
+                        break;
+                    }
+                }
+
+                /*
+                 * If the name starts with "@{" string then we need to look for the name on the cache registry.
+                 * The name obtained is the key for the app name.
+                 */
+                if (Utils::startsWith(name, PREFIX_LOCALIZATION))
+                {
+                    name = searchNameFromCacheRegistry(keyName, name);
+                }
+            }
+            catch (...)
+            {
+                name.clear();
+            }
+
+            return name;
+        }
+
+        /*
+         * @brief Get application vendor name.
+         *
+         * @param[in] registry Registry object that points to where the sub-registries with the names of the registry with the data are located.
+         *
+         * @return Returns the vendor name
+         */
+        const std::string getVendor(const Utils::Registry& registry)
+        {
+            std::string vendor;
+
+            try
+            {
+                for (const auto& folder : registry.enumerate())
+                {
+                    const Utils::Registry fileReg(m_key, m_userId + "\\" + APPLICATION_STORE_REGISTRY + "\\" + m_appName + "\\" + folder + FILE_ASSOCIATIONS_REGISTRY, KEY_READ | KEY_QUERY_VALUE);
+                    vendor = searchPublisher(fileReg);
+
+                    if (vendor.empty())
+                    {
+                        const Utils::Registry urlReg(m_key, m_userId + "\\"  + APPLICATION_STORE_REGISTRY + "\\" + m_appName + "\\" + folder + URL_ASSOCIATIONS_REGISTRY, KEY_READ | KEY_QUERY_VALUE);
+                        vendor = searchPublisher(urlReg);
+                    }
+
+                    if (!vendor.empty())
+                    {
+                        break;
+                    }
+                }
+            }
+            catch (...)
+            {
+                vendor.clear();
+            }
+
+            return vendor;
+        }
+
+        /*
+         * @brief Search the name application in the cache registry.
+         *
+         * @param[in] appName Abbreviation of the name application to look for in the cache registry.
+         * @param[in] nameKey Name key where is the name application
+         *
+         * @return Return the name application.
+         */
+        const std::string searchNameFromCacheRegistry(const std::string& appName, const std::string& nameKey)
+        {
+            std::string registry;
+            std::string name;
+            auto findCacheName
+            {
+                [&appName](const std::string folder)
+                {
+                    return folder.find(appName) != std::string::npos;
+                }
+            };
+
+            const auto folder = std::find_if(m_cacheReg.begin(), m_cacheReg.end(), findCacheName);
+            // Search for the name of the folder containing the application name
+
+            if (folder != m_cacheReg.end())
+            {
+                registry = *folder;
+            }
+
+            if (!registry.empty())
+            {
+                name = searchKeyOnSubRegistries(m_userId + "\\" + CACHE_NAME_REGISTRY + "\\" + registry, nameKey);
+            }
+
+            return Utils::startsWith(name, PREFIX_LOCALIZATION) ? "" : name;
+        }
+
+        /*
+         * @brief Search the key on the registry and sub-registries.
+         *
+         * @param[in] path Start path where you want to search.
+         * @param[in] key Name key to look for
+         *
+         * @return Return the value of the key.
+         */
+        const std::string searchKeyOnSubRegistries(const std::string& path, const std::string& key)
+        {
+            std::string value;
+            const Utils::Registry registry(m_key, path);
+
+            if (!registry.string(key, value))
+            {
+                for (const auto& folder : Utils::Registry(m_key, path).enumerate())
+                {
+                    const std::string tempPath { path + "\\" + folder };
+                    value = searchKeyOnSubRegistries(tempPath, key);
+
+                    if (!value.empty())
+                    {
+                        break;
+                    }
+                }
+            }
+
+            return value;
+        }
+
+        /*
+         * @brief Search the publisher name in a registry.
+         *
+         * @param[in] registry Registry object used to obtain the information.
+         *
+         * @return Returns the publisher name found.
+         */
+        const std::string searchPublisher(const Utils::Registry& registry)
+        {
+            std::string publisher;
+
+            for (const auto& value : registry.enumerateValueKey())
+            {
+                std::string data;
+                std::string vendorRegistry;
+
+                registry.string(value, vendorRegistry);
+                const Utils::Registry pubRegistry(m_key, m_userId  + "\\" + APPLICATION_VENDOR_REGISTRY + "\\" + vendorRegistry + "\\Application");
+
+                if (pubRegistry.string("ApplicationCompany", data))
+                {
+                    if (!Utils::startsWith(data, PREFIX_LOCALIZATION))
+                    {
+                        publisher = data;
+                        break;
+                    }
+                }
+            }
+
+            return publisher;
+        }
+};
+
diff --git a/src/common/data_provider/src/packages/berkeleyDbWrapper.h b/src/common/data_provider/src/packages/berkeleyDbWrapper.h
new file mode 100644
index 0000000000..4765221a82
--- /dev/null
+++ b/src/common/data_provider/src/packages/berkeleyDbWrapper.h
@@ -0,0 +1,74 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _BERKELEY_DB_WRAPPER_H
+#define _BERKELEY_DB_WRAPPER_H
+
+#include "iberkeleyDbWrapper.h"
+
+struct BerkeleyRpmDbDeleter final
+{
+    void operator()(DB* db)
+    {
+        db->close(db, 0);
+    }
+    void operator()(DBC* cursor)
+    {
+        cursor->c_close(cursor);
+    }
+};
+
+class BerkeleyDbWrapper final : public IBerkeleyDbWrapper
+{
+    private:
+        std::unique_ptr<DB, BerkeleyRpmDbDeleter>  m_db;
+        std::unique_ptr<DBC, BerkeleyRpmDbDeleter> m_cursor;
+    public:
+        int32_t getRow(DBT& key, DBT& data) override
+        {
+            std::memset(&key, 0, sizeof(DBT));
+            std::memset(&data, 0, sizeof(DBT));
+            return m_cursor->c_get(m_cursor.get(), &key, &data, DB_NEXT);
+        }
+        // LCOV_EXCL_START
+        ~BerkeleyDbWrapper() = default;
+        // LCOV_EXCL_STOP
+        explicit BerkeleyDbWrapper(const std::string& directory)
+        {
+            int ret;
+            DB* dbp;
+            DBC* cursor;
+
+            if ((ret = db_create(&dbp, NULL, 0)) != 0)
+            {
+                throw std::runtime_error { db_strerror(ret) };
+            }
+
+            m_db = std::unique_ptr<DB, BerkeleyRpmDbDeleter>(dbp);
+
+            // Set Big-endian order by default
+            m_db->set_lorder(m_db.get(), 1234);
+
+            if ((ret = m_db->open(m_db.get(), NULL, directory.c_str(), NULL, DB_HASH, DB_RDONLY, 0)) != 0)
+            {
+                throw std::runtime_error { std::string("Failed to open database '") + directory + "': " + db_strerror(ret) };
+            }
+
+            if ((ret = m_db->cursor(m_db.get(), NULL, &cursor, 0)) != 0)
+            {
+                throw std::runtime_error { std::string("Error creating cursor: ") + db_strerror(ret) };
+            }
+
+            m_cursor = std::unique_ptr<DBC, BerkeleyRpmDbDeleter>(cursor);
+        }
+};
+
+#endif // _BERKELEY_DB_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/berkeleyRpmDbHelper.h b/src/common/data_provider/src/packages/berkeleyRpmDbHelper.h
new file mode 100644
index 0000000000..e782d43dc2
--- /dev/null
+++ b/src/common/data_provider/src/packages/berkeleyRpmDbHelper.h
@@ -0,0 +1,211 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 15, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _BERKELEY_RPM_DB_HELPER_H
+#define _BERKELEY_RPM_DB_HELPER_H
+
+#include <string>
+#include <memory>
+#include <map>
+#include <vector>
+#include <algorithm>
+#include "byteArrayHelper.h"
+#include "berkeleyDbWrapper.h"
+
+#define TAG_NAME        1000
+#define TAG_VERSION     1001
+#define TAG_RELEASE     1002
+#define TAG_EPOCH       1003
+#define TAG_SUMMARY     1004
+#define TAG_ITIME       1008
+#define TAG_SIZE        1009
+#define TAG_VENDOR      1011
+#define TAG_GROUP       1016
+#define TAG_SOURCE      1044
+#define TAG_ARCH        1022
+
+constexpr auto RPM_DATABASE {"/var/lib/rpm/Packages"};
+constexpr unsigned int FIRST_ENTRY_OFFSET { 8u };
+constexpr unsigned int ENTRY_SIZE { 16u };
+constexpr int INT32_TYPE { 4 };
+constexpr int STRING_TYPE { 6 };
+constexpr int STRING_VECTOR_TYPE { 9 };
+
+//This constant is defined with this value in the RPM source code (header.c)
+constexpr int HEADER_TAGS_MAX { 65535 };
+
+struct BerkeleyHeaderEntry final
+{
+    std::string tag;
+    int type;
+    int offset;
+    int count;
+};
+
+const std::vector<std::pair<int32_t, std::string>> TAG_NAMES =
+{
+    { std::make_pair(TAG_NAME, "name") },
+    { std::make_pair(TAG_ARCH, "architecture") },
+    { std::make_pair(TAG_SUMMARY, "description") },
+    { std::make_pair(TAG_SIZE, "size") },
+    { std::make_pair(TAG_EPOCH, "epoch") },
+    { std::make_pair(TAG_RELEASE, "release") },
+    { std::make_pair(TAG_VERSION, "version") },
+    { std::make_pair(TAG_VENDOR, "vendor") },
+    { std::make_pair(TAG_ITIME, "install_time") },
+    { std::make_pair(TAG_GROUP, "group") }
+};
+
+class BerkeleyRpmDBReader final
+{
+    private:
+        bool m_firstIteration;
+        std::shared_ptr<IBerkeleyDbWrapper> m_dbWrapper;
+
+        std::vector<BerkeleyHeaderEntry> parseHeader(const DBT& data)
+        {
+            auto bytes { reinterpret_cast<uint8_t*>(data.data) };
+            std::vector<BerkeleyHeaderEntry> retVal;
+            constexpr auto BYTE_SIZE_INT32{ sizeof(int32_t) };
+
+            if (data.size >= FIRST_ENTRY_OFFSET)
+            {
+                const auto indexSize { Utils::toInt32BE(bytes) };
+
+                const auto dataSize { Utils::toInt32BE(bytes + BYTE_SIZE_INT32) };
+
+                const auto estimatedHeaderTagSize { FIRST_ENTRY_OFFSET + indexSize* ENTRY_SIZE + dataSize };
+
+                if (indexSize > 0 && indexSize < HEADER_TAGS_MAX && estimatedHeaderTagSize <= data.size)
+                {
+                    bytes = &bytes[FIRST_ENTRY_OFFSET];
+
+                    retVal.resize(indexSize);
+
+                    auto ucp { reinterpret_cast<uint8_t*>(bytes) };
+
+                    // Read all indexes
+                    for (auto i = 0; i < indexSize; ++i)
+                    {
+                        const auto tag { Utils::toInt32BE(ucp) };
+                        ucp += BYTE_SIZE_INT32;
+
+                        const auto it
+                        {
+                            std::find_if(TAG_NAMES.begin(),
+                                         TAG_NAMES.end(),
+                                         [tag](const auto & pair)
+                            {
+                                return tag == pair.first;
+                            })
+                        };
+
+                        if (TAG_NAMES.end() != it)
+                        {
+                            retVal[i].tag = it->second;
+
+                            retVal[i].type = Utils::toInt32BE(ucp);
+                            ucp += BYTE_SIZE_INT32;
+
+                            retVal[i].offset = Utils::toInt32BE(ucp);
+                            ucp += BYTE_SIZE_INT32;
+
+                            retVal[i].count = Utils::toInt32BE(ucp);
+                            ucp += BYTE_SIZE_INT32;
+                        }
+                        else
+                        {
+                            ucp += ENTRY_SIZE - BYTE_SIZE_INT32;
+                        }
+                    }
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string parseBody(const std::vector<BerkeleyHeaderEntry>& header, const DBT& data)
+        {
+            std::string retVal;
+
+            if (!header.empty())
+            {
+                auto bytes { reinterpret_cast<char*>(data.data) + FIRST_ENTRY_OFFSET + (ENTRY_SIZE * header.size()) };
+
+                for (const auto& TAG : TAG_NAMES)
+                {
+                    const auto it
+                    {
+                        std::find_if(header.begin(),
+                                     header.end(),
+                                     [&TAG](const auto & headerEntry)
+                        {
+                            return TAG.second.compare(headerEntry.tag) == 0;
+                        })
+                    };
+
+                    if (it != header.end())
+                    {
+                        auto ucp { &bytes[it->offset] };
+
+                        if (STRING_TYPE == it->type)
+                        {
+                            retVal += ucp;
+                        }
+                        else if (INT32_TYPE == it->type)
+                        {
+                            retVal += std::to_string(Utils::toInt32BE(reinterpret_cast<uint8_t*>(ucp)));
+                        }
+                        else if (STRING_VECTOR_TYPE == it->type)
+                        {
+                            retVal += ucp;
+                        }
+                    }
+
+                    retVal += "\t";
+                }
+
+                retVal += "\n";
+            }
+
+            return retVal;
+        }
+
+    public:
+        std::string getNext()
+        {
+            std::string retVal;
+            DBT key, data;
+            int cursorRet;
+
+            if (m_firstIteration)
+            {
+                if (cursorRet = m_dbWrapper->getRow(key, data), cursorRet == 0)
+                {
+                    m_firstIteration = false;
+                }
+            }
+
+            if (cursorRet = m_dbWrapper->getRow(key, data), cursorRet == 0)
+            {
+                retVal = parseBody(parseHeader(data), data);
+            }
+
+            return retVal;
+        }
+        explicit BerkeleyRpmDBReader(std::shared_ptr<IBerkeleyDbWrapper> dbWrapper)
+            : m_firstIteration { true }
+            , m_dbWrapper { dbWrapper }
+        { }
+
+        ~BerkeleyRpmDBReader() { }
+};
+#endif // _BERKELEY_RPM_DB_HELPER_H
diff --git a/src/common/data_provider/src/packages/brewWrapper.h b/src/common/data_provider/src/packages/brewWrapper.h
new file mode 100644
index 0000000000..9584b0e8f0
--- /dev/null
+++ b/src/common/data_provider/src/packages/brewWrapper.h
@@ -0,0 +1,146 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _BREW_WRAPPER_H
+#define _BREW_WRAPPER_H
+
+#include "ipackageWrapper.h"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include "filesystemHelper.h"
+
+class BrewWrapper final : public IPackageWrapper
+{
+    public:
+        explicit BrewWrapper(const PackageContext& ctx)
+            : m_name{ctx.package}
+            , m_version{Utils::splitIndex(ctx.version, '_', 0)}
+            , m_groups{UNKNOWN_VALUE}
+            , m_description {UNKNOWN_VALUE}
+            , m_architecture{UNKNOWN_VALUE}
+            , m_format{"pkg"}
+            , m_source{"homebrew"}
+            , m_location{ctx.filePath}
+            , m_priority{UNKNOWN_VALUE}
+            , m_size{0}
+            , m_vendor{UNKNOWN_VALUE}
+            , m_installTime{UNKNOWN_VALUE}
+        {
+            const auto rows { Utils::split(Utils::getFileContent(ctx.filePath + "/" + ctx.package + "/" + ctx.version + "/.brew/" + ctx.package + ".rb"), '\n')};
+
+            for (const auto& row : rows)
+            {
+                auto rowParsed { Utils::trim(row) };
+
+                if (Utils::startsWith(rowParsed, "desc "))
+                {
+                    Utils::replaceFirst(rowParsed, "desc ", "");
+                    Utils::replaceAll(rowParsed, "\"", "");
+                    m_description = rowParsed;
+                    break;
+                }
+            }
+
+            /* Some brew packages have the version in the name separated by a '@'
+              but we'll only remove the last occurrence if it matches with a version
+              in case there is a '@' in the package name */
+            const auto pos { m_name.rfind('@') };
+
+            if (pos != std::string::npos)
+            {
+                if (std::isdigit(m_name[pos + 1]))
+                {
+                    m_name.resize(pos);
+                }
+            }
+        }
+
+        ~BrewWrapper() = default;
+
+        std::string name() const override
+        {
+            return m_name;
+        }
+        std::string version() const override
+        {
+            return m_version;
+        }
+        std::string groups() const override
+        {
+            return m_groups;
+        }
+        std::string description() const override
+        {
+            return m_description;
+        }
+        std::string architecture() const override
+        {
+            return m_architecture;
+        }
+        std::string format() const override
+        {
+            return m_format;
+        }
+        std::string osPatch() const override
+        {
+            return m_osPatch;
+        }
+        std::string source() const override
+        {
+            return m_source;
+        }
+        std::string location() const override
+        {
+            return m_location;
+        }
+        std::string vendor() const override
+        {
+            return m_vendor;
+        }
+
+        std::string priority() const override
+        {
+            return m_priority;
+        }
+
+        int size() const override
+        {
+            return m_size;
+        }
+
+        std::string install_time() const override
+        {
+            return m_installTime;
+        }
+
+        std::string multiarch() const override
+        {
+            return m_multiarch;
+        }
+    private:
+        std::string m_name;
+        std::string m_version;
+        std::string m_groups;
+        std::string m_description;
+        std::string m_architecture;
+        const std::string m_format;
+        std::string m_osPatch;
+        const std::string m_source;
+        const std::string m_location;
+        std::string m_priority;
+        int m_size;
+        std::string m_vendor;
+        std::string m_installTime;
+        std::string m_multiarch;
+};
+
+
+#endif //_BREW_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/iberkeleyDbWrapper.h b/src/common/data_provider/src/packages/iberkeleyDbWrapper.h
new file mode 100644
index 0000000000..66e53369b9
--- /dev/null
+++ b/src/common/data_provider/src/packages/iberkeleyDbWrapper.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _IBERKELEY_DB_WRAPPER_H
+#define _IBERKELEY_DB_WRAPPER_H
+
+#include <memory>
+#include <cstring>
+#include "db.h"
+
+class IBerkeleyDbWrapper
+{
+    public:
+        virtual int32_t getRow(DBT& key, DBT& data) = 0;
+        // LCOV_EXCL_START
+        virtual ~IBerkeleyDbWrapper() = default;
+        // LCOV_EXCL_STOP
+        IBerkeleyDbWrapper() = default;
+};
+
+#endif // _IBERKELEY_DB_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/ipackageInterface.h b/src/common/data_provider/src/packages/ipackageInterface.h
new file mode 100644
index 0000000000..fc1b253dde
--- /dev/null
+++ b/src/common/data_provider/src/packages/ipackageInterface.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_INTERFACE_H
+#define _PACKAGE_INTERFACE_H
+
+#include "json.hpp"
+
+class IPackage
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IPackage() = default;
+        // LCOV_EXCL_STOP
+        virtual void buildPackageData(nlohmann::json& package) = 0;
+};
+
+#endif // _PACKAGE_INTERFACE_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/packages/ipackageWrapper.h b/src/common/data_provider/src/packages/ipackageWrapper.h
new file mode 100644
index 0000000000..145b7bed19
--- /dev/null
+++ b/src/common/data_provider/src/packages/ipackageWrapper.h
@@ -0,0 +1,37 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_INTERFACE_WRAPPER_H
+#define _PACKAGE_INTERFACE_WRAPPER_H
+#include "ipackageInterface.h"
+
+class IPackageWrapper
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IPackageWrapper() = default;
+        // LCOV_EXCL_STOP
+        virtual std::string name() const = 0;
+        virtual std::string version() const = 0;
+        virtual std::string groups() const = 0;
+        virtual std::string description() const = 0;
+        virtual std::string architecture() const = 0;
+        virtual std::string format() const = 0;
+        virtual std::string osPatch() const = 0;
+        virtual std::string source() const = 0;
+        virtual std::string location() const = 0;
+        virtual std::string priority() const = 0;
+        virtual int size() const = 0;
+        virtual std::string vendor() const = 0;
+        virtual std::string install_time() const = 0;
+        virtual std::string multiarch() const = 0;
+};
+#endif // _PACKAGE_INTERFACE_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/macportsWrapper.h b/src/common/data_provider/src/packages/macportsWrapper.h
new file mode 100644
index 0000000000..dd89ee0b8a
--- /dev/null
+++ b/src/common/data_provider/src/packages/macportsWrapper.h
@@ -0,0 +1,186 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 06, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _MACPORTS_WRAPPER_H
+#define _MACPORTS_WRAPPER_H
+
+#include "ipackageWrapper.h"
+#include "sqliteWrapperTemp.h"
+#include "sharedDefs.h"
+
+const std::map<std::string, int> columnIndexes
+{
+    {"name", 0},
+    {"version", 1},
+    {"date", 2},
+    {"location", 3},
+    {"archs", 4}
+};
+
+#define DATE_STR_SIZE 20
+
+class MacportsWrapper final : public IPackageWrapper
+{
+    public:
+        explicit MacportsWrapper(SQLite::IStatement& stmt)
+            : m_version{UNKNOWN_VALUE}
+            , m_groups {UNKNOWN_VALUE}
+            , m_description {UNKNOWN_VALUE}
+            , m_architecture{UNKNOWN_VALUE}
+            , m_format{"macports"}
+            , m_osPatch {UNKNOWN_VALUE}
+            , m_source{UNKNOWN_VALUE}
+            , m_location{UNKNOWN_VALUE}
+            , m_priority{UNKNOWN_VALUE}
+            , m_size{0}
+            , m_vendor{UNKNOWN_VALUE}
+            , m_installTime{UNKNOWN_VALUE}
+        {
+            getPkgData(stmt);
+        }
+
+        ~MacportsWrapper() = default;
+
+        std::string name() const override
+        {
+            return m_name;
+        }
+        std::string version() const override
+        {
+            return m_version;
+        }
+        std::string groups() const override
+        {
+            return m_groups;
+        }
+        std::string description() const override
+        {
+            return m_description;
+        }
+        std::string architecture() const override
+        {
+            return m_architecture;
+        }
+        std::string format() const override
+        {
+            return m_format;
+        }
+        std::string osPatch() const override
+        {
+            return m_osPatch;
+        }
+        std::string source() const override
+        {
+            return m_source;
+        }
+        std::string location() const override
+        {
+            return m_location;
+        }
+        std::string vendor() const override
+        {
+            return m_vendor;
+        }
+
+        std::string priority() const override
+        {
+            return m_priority;
+        }
+
+        int size() const override
+        {
+            return m_size;
+        }
+
+        std::string install_time() const override
+        {
+            return m_installTime;
+        }
+
+        std::string multiarch() const override
+        {
+            return m_multiarch;
+        }
+    private:
+        void getPkgData(SQLite::IStatement& stmt)
+        {
+            const int& columnsNumber = columnIndexes.size();
+
+            if (stmt.columnsCount() == columnsNumber)
+            {
+                const auto& name {stmt.column(columnIndexes.at("name"))};
+                const auto& version {stmt.column(columnIndexes.at("version"))};
+                const auto& date {stmt.column(columnIndexes.at("date"))};
+                const auto& location {stmt.column(columnIndexes.at("location"))};
+                const auto& archs {stmt.column(columnIndexes.at("archs"))};
+
+                if (name->hasValue())
+                {
+                    m_name = name->value(std::string {});
+                }
+
+                if (version->hasValue())
+                {
+                    const auto versionStr = version->value(std::string{});
+
+                    if (!versionStr.empty())
+                    {
+                        m_version = versionStr;
+                    }
+                }
+
+                if (date->hasValue())
+                {
+                    char formattedTime[DATE_STR_SIZE] {0};
+                    const long epochTime = date->value(std::int64_t {});
+                    std::strftime(formattedTime, sizeof(formattedTime), "%Y/%m/%d %H:%M:%S", std::localtime(&epochTime));
+                    m_installTime = formattedTime;
+                }
+
+                if (location->hasValue())
+                {
+                    const auto locationStr = location->value(std::string {});
+
+                    if (!locationStr.empty())
+                    {
+                        m_location = locationStr;
+                    }
+                }
+
+                if (archs->hasValue())
+                {
+                    const auto archsStr = archs->value(std::string {});
+
+                    if (!archsStr.empty())
+                    {
+                        m_architecture = archsStr;
+                    }
+                }
+            }
+        }
+
+        std::string m_name;
+        std::string m_version;
+        std::string m_groups;
+        std::string m_description;
+        std::string m_architecture;
+        const std::string m_format;
+        std::string m_osPatch;
+        std::string m_source;
+        std::string m_location;
+        std::string m_multiarch;
+        std::string m_priority;
+        int m_size;
+        std::string m_vendor;
+        std::string m_installTime;
+};
+
+# endif // _MACPORTS_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/modernPackageDataRetriever.hpp b/src/common/data_provider/src/packages/modernPackageDataRetriever.hpp
new file mode 100644
index 0000000000..02d3811b81
--- /dev/null
+++ b/src/common/data_provider/src/packages/modernPackageDataRetriever.hpp
@@ -0,0 +1,58 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 29, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _MODERN_PACKAGE_DATA_RETRIEVER_HPP
+#define _MODERN_PACKAGE_DATA_RETRIEVER_HPP
+
+#include "json.hpp"
+#include "sharedDefs.h"
+#include <functional>
+#include <map>
+
+#if defined(HAS_STDFILESYSTEM) && HAS_STDFILESYSTEM==true
+#include "packages/packagesNPM.hpp"
+#include "packages/packagesPYPI.hpp"
+#else
+class PYPI
+{
+    public:
+        void getPackages(const std::set<std::string>& /*paths*/, std::function<void(nlohmann::json&)> /*callback*/);
+};
+class NPM
+{
+    public:
+        void getPackages(const std::set<std::string>& /*paths*/, std::function<void(nlohmann::json&)> /*callback*/);
+};
+#endif
+
+template <bool>
+class ModernFactoryPackagesCreator final
+{
+    public:
+        static void getPackages(const std::map<std::string, std::set<std::string>>& /*paths*/, std::function<void(nlohmann::json&)> /*callback*/)
+        {
+        }
+};
+
+// Standard template to extract package information in fully compatible Linux
+// systems
+template <>
+class ModernFactoryPackagesCreator<true> final
+{
+    public:
+        static void getPackages(const std::map<std::string, std::set<std::string>>& paths, std::function<void(nlohmann::json&)> callback)
+        {
+            PYPI().getPackages(paths.at("PYPI"), callback);
+            NPM().getPackages(paths.at("NPM"), callback);
+        }
+};
+
+#endif  // _MODERN_PACKAGE_DATA_RETRIEVER_HPP
diff --git a/src/common/data_provider/src/packages/packageFamilyDataAFactory.h b/src/common/data_provider/src/packages/packageFamilyDataAFactory.h
new file mode 100644
index 0000000000..e3ed4a9dd7
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageFamilyDataAFactory.h
@@ -0,0 +1,66 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_FAMILY_DATA_AFACTORY_H
+#define _PACKAGE_FAMILY_DATA_AFACTORY_H
+
+#include <memory>
+#include "json.hpp"
+#include "packageMac.h"
+#include "packageSolaris.h"
+#include "sharedDefs.h"
+
+template <OSPlatformType osType>
+class FactoryPackageFamilyCreator final
+{
+    public:
+        static std::shared_ptr<IPackage> create(const std::pair<PackageContext, int>& /*ctx*/)
+        {
+            throw std::runtime_error
+            {
+                "Error creating package data retriever."
+            };
+        }
+
+        static std::shared_ptr<IPackage> create(const std::shared_ptr<IPackageWrapper>& /*pkgwrapper*/)
+        {
+            throw std::runtime_error
+            {
+                "Error creating package data retriever."
+            };
+        }
+};
+
+template <>
+class FactoryPackageFamilyCreator<OSPlatformType::BSDBASED> final
+{
+    public:
+        static std::shared_ptr<IPackage> create(const std::pair<PackageContext, int>& ctx)
+        {
+            return FactoryBSDPackage::create(ctx);
+        }
+        static std::shared_ptr<IPackage> create(const std::pair<SQLite::IStatement&, const int>& ctx)
+        {
+            return FactoryBSDPackage::create(ctx);
+        }
+};
+
+template <>
+class FactoryPackageFamilyCreator<OSPlatformType::SOLARIS> final
+{
+    public:
+        static std::shared_ptr<IPackage> create(const std::shared_ptr<IPackageWrapper>& packageWrapper)
+        {
+            return FactorySolarisPackage::create(packageWrapper);
+        }
+};
+
+#endif // _PACKAGE_FAMILY_DATA_AFACTORY_H
diff --git a/src/common/data_provider/src/packages/packageLinuxApkParserHelper.h b/src/common/data_provider/src/packages/packageLinuxApkParserHelper.h
new file mode 100644
index 0000000000..2b2ed235ef
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxApkParserHelper.h
@@ -0,0 +1,89 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015-2021, Wazuh Inc.
+ * January 03, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_APK_PARSER_HELPER_H
+#define _PACKAGE_LINUX_APK_PARSER_HELPER_H
+
+#include "json.hpp"
+#include "sharedDefs.h"
+#include <typeindex>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace PackageLinuxHelper
+{
+    static const std::map<char, std::pair<std::type_index, std::string>> s_mapAlpineFields =
+    {
+        {'P', {typeid(std::string), "name"}},
+        {'V', {typeid(std::string), "version"}},
+        {'A', {typeid(std::string), "architecture"}},
+        {'I', {typeid(int32_t), "size"}},
+        {'T', {typeid(std::string), "description"}},
+    };
+
+    static nlohmann::json parseApk(const std::vector<std::pair<char, std::string>>& entries)
+    {
+        nlohmann::json packageInfo;
+
+        packageInfo["architecture"] = UNKNOWN_VALUE;
+        packageInfo["size"] = 0;
+        packageInfo["format"] = "apk";
+        packageInfo["vendor"] = "Alpine Linux";
+        packageInfo["install_time"] = UNKNOWN_VALUE;
+        packageInfo["location"] = UNKNOWN_VALUE;
+        packageInfo["groups"] = UNKNOWN_VALUE;
+        packageInfo["priority"] = UNKNOWN_VALUE;
+        packageInfo["source"] = UNKNOWN_VALUE;
+        // The multiarch field won't have a default value
+
+        // Lambda to check if a string is empty and assign default value.
+        const auto loadData = [&packageInfo](const std::pair<std::type_index, std::string>& key,
+                                             const std::string & value)
+        {
+            if (!value.empty())
+            {
+                if (key.first == typeid(std::string))
+                {
+                    packageInfo[key.second] = value;
+                }
+                else if (key.first == typeid(int32_t))
+                {
+                    try
+                    {
+                        packageInfo[key.second] = std::stol(value);
+                    }
+                    catch (const std::exception&)
+                    {
+                        packageInfo[key.second] = 0;
+                    }
+                }
+            }
+        };
+
+        for (const auto& item : entries)
+        {
+            loadData(s_mapAlpineFields.at(item.first), item.second);
+        }
+
+        if (!packageInfo.contains("name") ||
+                !packageInfo.contains("version"))
+        {
+            packageInfo.clear();
+        }
+
+        return packageInfo;
+    }
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _PACKAGE_LINUX_APK_PARSER_HELPER_H
diff --git a/src/common/data_provider/src/packages/packageLinuxDataRetriever.h b/src/common/data_provider/src/packages/packageLinuxDataRetriever.h
new file mode 100644
index 0000000000..3a310ccdc4
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxDataRetriever.h
@@ -0,0 +1,123 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_DATA_RETRIEVER_H
+#define _PACKAGE_LINUX_DATA_RETRIEVER_H
+
+#include <memory>
+#include "filesystemHelper.h"
+#include "json.hpp"
+#include "sharedDefs.h"
+#include "utilsWrapperLinux.hpp"
+
+/**
+ * @brief Fills a JSON object with all available pacman-related information
+ * @param libPath  Path to pacman's database directory
+ * @param callback Callback to be called for every single element being found
+ */
+void getPacmanInfo(const std::string& libPath, std::function<void(nlohmann::json&)> callback);
+
+/**
+ * @brief Fills a JSON object with all available rpm-related information
+ * @param callback Callback to be called for every single element being found
+ */
+void getRpmInfo(std::function<void(nlohmann::json&)> callback);
+
+/**
+ * @brief Fills a JSON object with all available rpm-related information for legacy Linux.
+ * @param callback Callback to be called for every single element being found
+ */
+void getRpmInfoLegacy(std::function<void(nlohmann::json&)> callback);
+
+/**
+ * @brief Fills a JSON object with all available dpkg-related information
+ * @param libPath  Path to dpkg's database directory
+ * @param callback Callback to be called for every single element being found
+ */
+void getDpkgInfo(const std::string& libPath, std::function<void(nlohmann::json&)> callback);
+
+/**
+ * @brief Fills a JSON object with all available apk-related information
+ * @param libPath Path to apk's database directory
+ * @param callback Callback to be called for every single element being found
+ */
+void getApkInfo(const std::string& libPath, std::function<void(nlohmann::json&)> callback);
+
+
+/**
+ * @brief Fills a JSON object with all available snap-related information
+ * @param callback Callback to be called for every single element being found
+ */
+void getSnapInfo(std::function<void(nlohmann::json&)> callback);
+
+// Exception template
+template <LinuxType linuxType>
+class FactoryPackagesCreator final
+{
+    public:
+        static void getPackages(std::function<void(nlohmann::json&)> /*callback*/)
+        {
+            throw std::runtime_error
+            {
+                "Error creating package data retriever."
+            };
+        }
+};
+
+// Standard template to extract package information in fully compatible Linux systems
+template <>
+class FactoryPackagesCreator<LinuxType::STANDARD> final
+{
+    public:
+        static void getPackages(std::function<void(nlohmann::json&)> callback)
+        {
+            if (Utils::existsDir(DPKG_PATH))
+            {
+                getDpkgInfo(DPKG_STATUS_PATH, callback);
+            }
+
+            if (Utils::existsDir(PACMAN_PATH))
+            {
+                getPacmanInfo(PACMAN_PATH, callback);
+            }
+
+            if (Utils::existsDir(RPM_PATH))
+            {
+                getRpmInfo(callback);
+            }
+
+            if (Utils::existsDir(APK_PATH))
+            {
+                getApkInfo(APK_DB_PATH, callback);
+            }
+
+            if (Utils::existsDir(SNAP_PATH))
+            {
+                getSnapInfo(callback);
+            }
+        }
+};
+
+// Template to extract package information in partially incompatible Linux systems
+template <>
+class FactoryPackagesCreator<LinuxType::LEGACY> final
+{
+    public:
+        static void getPackages(std::function<void(nlohmann::json&)> callback)
+        {
+            if (Utils::existsDir(RPM_PATH))
+            {
+                getRpmInfoLegacy(callback);
+            }
+        }
+};
+
+#endif // _PACKAGE_LINUX_DATA_RETRIEVER_H
diff --git a/src/common/data_provider/src/packages/packageLinuxParserApk.cpp b/src/common/data_provider/src/packages/packageLinuxParserApk.cpp
new file mode 100644
index 0000000000..9b9496f003
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserApk.cpp
@@ -0,0 +1,49 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 19, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "json.hpp"
+#include <fstream>
+#include "packageLinuxApkParserHelper.h"
+
+void getApkInfo(const std::string& fileName, std::function<void(nlohmann::json&)> callback)
+{
+    std::ifstream apkDb(fileName);
+    std::string line {};
+    std::vector<std::pair<char, std::string>> data;
+
+    // https://wiki.alpinelinux.org/wiki/Apk_spec#APKINDEX_Format
+    std::array<char, 5> keys{'P', 'V', 'A', 'I', 'T'};
+    const auto separator = ':';
+
+    if (apkDb.is_open())
+    {
+        while (getline(apkDb, line))
+        {
+            if (!line.empty())
+            {
+                if (std::find(std::cbegin(keys), std::cend(keys), line.front()) != std::cend(keys))
+                {
+                    data.emplace_back(line.front(), line.substr(line.find_first_of(separator) + 1));
+                }
+            }
+            else
+            {
+                auto packageInfo = PackageLinuxHelper::parseApk(data);
+                data.clear();
+
+                if (!packageInfo.empty())
+                {
+                    callback(packageInfo);
+                }
+            }
+        }
+    }
+}
diff --git a/src/common/data_provider/src/packages/packageLinuxParserDeb.cpp b/src/common/data_provider/src/packages/packageLinuxParserDeb.cpp
new file mode 100644
index 0000000000..c02f4a6abe
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserDeb.cpp
@@ -0,0 +1,50 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sharedDefs.h"
+#include "packageLinuxParserHelper.h"
+#include <fstream>
+
+void getDpkgInfo(const std::string& fileName, std::function<void(nlohmann::json&)> callback)
+{
+    std::fstream file{fileName, std::ios_base::in};
+
+    if (file.is_open())
+    {
+        while (file.good())
+        {
+            std::string line;
+            std::vector<std::string> data;
+
+            do
+            {
+                std::getline(file, line);
+
+                if (line.front() == ' ') //additional info
+                {
+                    data.back() = data.back() + line + "\n";
+                }
+                else
+                {
+                    data.push_back(line + "\n");
+                }
+            }
+            while (!line.empty()); //end of package item info
+
+            auto packageInfo = PackageLinuxHelper::parseDpkg(data);
+
+            if (!packageInfo.empty())
+            {
+                callback(packageInfo);
+            }
+        }
+    }
+}
diff --git a/src/common/data_provider/src/packages/packageLinuxParserExtra.cpp b/src/common/data_provider/src/packages/packageLinuxParserExtra.cpp
new file mode 100644
index 0000000000..62bab5b234
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserExtra.cpp
@@ -0,0 +1,60 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sharedDefs.h"
+#include <alpm.h>
+#include <package.h>
+#include "packageLinuxParserHelperExtra.h"
+
+
+struct AlmpDeleter final
+{
+    void operator()(alpm_handle_t* pArchHandle)
+    {
+        alpm_release(pArchHandle);
+    }
+};
+
+void getPacmanInfo(const std::string& libPath, std::function<void(nlohmann::json&)> callback)
+{
+    constexpr auto ROOT_PATH {"/"};
+    alpm_errno_t err {ALPM_ERR_OK};
+    auto pArchHandle {alpm_initialize(ROOT_PATH, libPath.c_str(), &err)};
+
+    if (!pArchHandle)
+    {
+        throw std::runtime_error
+        {
+            std::string{"alpm_initialize failure: "} + alpm_strerror(err)
+        };
+    }
+
+    const std::unique_ptr<alpm_handle_t, AlmpDeleter> spDbHandle{pArchHandle};
+    auto pDbLocal {alpm_get_localdb(spDbHandle.get())};
+
+    if (!pDbLocal)
+    {
+        throw std::runtime_error
+        {
+            std::string{"alpm_get_localdb failure: "} + alpm_strerror(alpm_errno(spDbHandle.get()))
+        };
+    }
+
+    for (auto pArchItem{alpm_db_get_pkgcache(pDbLocal)}; pArchItem; pArchItem = alpm_list_next(pArchItem))
+    {
+        auto packageInfo = PackageLinuxHelper::parsePacman(pArchItem);
+
+        if (!packageInfo.empty())
+        {
+            callback(packageInfo);
+        }
+    }
+}
diff --git a/src/common/data_provider/src/packages/packageLinuxParserHelper.h b/src/common/data_provider/src/packages/packageLinuxParserHelper.h
new file mode 100644
index 0000000000..13966a4779
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserHelper.h
@@ -0,0 +1,270 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_PARSER_HELPER_H
+#define _PACKAGE_LINUX_PARSER_HELPER_H
+
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include "json.hpp"
+#include "timeHelper.h"
+#include "sharedDefs.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+#include <sstream>
+
+// Parse helpers for standard Linux packaging systems (rpm, dpkg, ...)
+namespace PackageLinuxHelper
+{
+
+    static nlohmann::json parseDpkg(const std::vector<std::string>& entries)
+    {
+        std::map<std::string, std::string> info;
+        nlohmann::json ret;
+
+        for (const auto& entry : entries)
+        {
+            const auto pos{entry.find(":")};
+
+            if (pos != std::string::npos)
+            {
+                const auto key{Utils::trim(entry.substr(0, pos))};
+                const auto value{Utils::trim(entry.substr(pos + 1), " \n")};
+                info[key] = value;
+            }
+        }
+
+        /*
+           According to dpkg documentation, the status of the package consists in three fields separated by spaces:
+           'SELECTION_STATE FLAG PACKAGE_STATE'.
+
+           SELECTION_STATE: the desired action to take by the package manager. It could be 'install', 'hold',
+                            'deinstall', 'purge', or 'unknown'.
+           FLAG: indicates if the package requires a reinstall or if no issues were found. It could be 'ok',
+                 or 'reinstreq'.
+           PACKAGE_STATE: this is the real status of package at this moment. It could be 'not-installed',
+                          'config-files', 'half-installed', 'unpacked', 'half-configured', 'triggers-awaited',
+                          'triggers-pending', or 'installed'.
+
+           We'll collect packages in any selection state, with 'ok' FLAG and 'installed' PACKAGE_STATE.
+         */
+        if (!info.empty() && info.at("Status").find("ok installed") != std::string::npos)
+        {
+            ret["name"] = info.at("Package");
+
+            std::string priority {UNKNOWN_VALUE};
+            std::string groups {UNKNOWN_VALUE};
+            // The multiarch field won't have a default value
+            std::string multiarch;
+            std::string architecture {UNKNOWN_VALUE};
+            std::string source {UNKNOWN_VALUE};
+            std::string version {UNKNOWN_VALUE};
+            std::string vendor {UNKNOWN_VALUE};
+            std::string description {UNKNOWN_VALUE};
+            int size                 { 0 };
+
+            auto it{info.find("Priority")};
+
+            if (it != info.end())
+            {
+                priority = it->second;
+            }
+
+            it = info.find("Section");
+
+            if (it != info.end())
+            {
+                groups = it->second;
+            }
+
+            it = info.find("Installed-Size");
+
+            if (it != info.end())
+            {
+                size = stol(it->second);
+            }
+
+            it = info.find("Multi-Arch");
+
+            if (it != info.end())
+            {
+                multiarch = it->second;
+            }
+
+            it = info.find("Architecture");
+
+            if (it != info.end())
+            {
+                architecture = it->second;
+            }
+
+            it = info.find("Source");
+
+            if (it != info.end())
+            {
+                source = it->second;
+            }
+
+            it = info.find("Version");
+
+            if (it != info.end())
+            {
+                version = it->second;
+            }
+
+            it = info.find("Maintainer");
+
+            if (it != info.end())
+            {
+                vendor = it->second;
+            }
+
+            it = info.find("Description");
+
+            if (it != info.end())
+            {
+                description = Utils::substrOnFirstOccurrence(it->second, "\n");
+            }
+
+            ret["priority"]     = priority;
+            ret["groups"]       = groups;
+            ret["size"]         = size;
+            ret["multiarch"]    = multiarch;
+            ret["architecture"] = architecture;
+            ret["source"]       = source;
+            ret["version"]      = version;
+            ret["format"]       = "deb";
+            ret["location"]     = UNKNOWN_VALUE;
+            ret["vendor"]       = vendor;
+            ret["install_time"] = UNKNOWN_VALUE;
+            ret["description"]  = description;
+            ret["location"]     = UNKNOWN_VALUE;
+        }
+
+        return ret;
+    }
+
+    static nlohmann::json parseSnap(const nlohmann::json& info)
+    {
+        nlohmann::json ret;
+
+        std::string name;
+        std::string version;
+        std::string vendor       { UNKNOWN_VALUE };
+        std::string install_time { UNKNOWN_VALUE };
+        std::string description  { UNKNOWN_VALUE };
+        int         size         { 0 };
+        bool        hasName      { false };
+        bool        hasVersion   { false };
+
+        if (info.contains("name"))
+        {
+            name = info.at("name");
+
+            if (name.length())
+            {
+                hasName = true;
+            }
+        }
+
+        if (info.contains("version"))
+        {
+            version = info.at("version");
+
+            if (version.length())
+            {
+                hasVersion = true;
+            }
+        }
+
+        if (!(hasVersion && hasName))
+        {
+            ret.clear();
+            return ret;
+        }
+
+        if (info.contains("publisher"))
+        {
+            auto& publisher = info.at("publisher");
+
+            if (publisher.contains("display-name"))
+            {
+                vendor = publisher.at("display-name");
+            }
+        }
+
+        if (info.contains("install-date"))
+        {
+            struct std::tm tm;
+            std::istringstream iss(info.at("install-date").get<std::string>());
+            iss >> std::get_time(&tm, "%Y-%m-%dT%H:%M:%S");
+            std::ostringstream oss;
+            oss << std::put_time(&tm, "%Y/%m/%d %H:%M:%S");
+            install_time = oss.str();
+        }
+
+        if (info.contains("summary"))
+        {
+            description = info.at("summary");
+        }
+
+        if (info.contains("installed-size"))
+        {
+            auto& data = info.at("installed-size");
+
+            if (data.is_number())
+            {
+                size = data.get<int>();
+            }
+            else if (data.is_string())
+            {
+                const auto& stringData = data.get_ref<const std::string&>();
+
+                if (stringData.length())
+                {
+                    try
+                    {
+                        size = std::stoi( stringData );
+                    }
+                    catch (const std::exception& e)
+                    {
+                        size = 0;
+                    }
+                }
+            }
+        }
+
+        ret["name"]             = name;
+        ret["location"]         = "/snap/" + name;
+        ret["version"]          = version;
+        ret["vendor"]           = vendor;
+        ret["install_time"]     = install_time;
+        ret["description"]      = description;
+        ret["size"]             = size;
+        ret["source"]           = "snapcraft";
+        ret["format"]           = "snap";
+
+        ret["priority"]         = UNKNOWN_VALUE;
+        ret["multiarch"]        = UNKNOWN_VALUE;
+        ret["architecture"]     = UNKNOWN_VALUE;
+        ret["groups"]           = UNKNOWN_VALUE;
+
+        return ret;
+    }
+
+
+};
+
+#pragma GCC diagnostic pop
+
+#endif // _PACKAGE_LINUX_PARSER_HELPER_H
diff --git a/src/common/data_provider/src/packages/packageLinuxParserHelperExtra.h b/src/common/data_provider/src/packages/packageLinuxParserHelperExtra.h
new file mode 100644
index 0000000000..0ff307e2f8
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserHelperExtra.h
@@ -0,0 +1,78 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_PARSER_HELPER_EXTRA_H
+#define _PACKAGE_LINUX_PARSER_HELPER_EXTRA_H
+
+#include <fstream>
+#include "sharedDefs.h"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "json.hpp"
+#include "timeHelper.h"
+#include <alpm.h>
+#include <package.h>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+
+// Parse helper for partially incompatible Linux packaging systems (pacman, ...)
+namespace PackageLinuxHelper
+{
+    static nlohmann::json parsePacman(const alpm_list_t* pItem)
+    {
+        const auto pArchPkg{reinterpret_cast<alpm_pkg_t*>(pItem->data)};
+        nlohmann::json packageInfo;
+        std::string groups;
+        static const auto alpmWrapper
+        {
+            [] (auto pkgData)
+            {
+                return pkgData ? pkgData : "";
+            }
+        };
+
+        packageInfo["name"]         = alpmWrapper(alpm_pkg_get_name(pArchPkg));
+        packageInfo["size"]         = alpm_pkg_get_isize(pArchPkg);
+        packageInfo["install_time"] = Utils::getTimestamp(static_cast<time_t>(alpm_pkg_get_installdate(pArchPkg)));
+
+        for (auto group{alpm_pkg_get_groups(pArchPkg)}; group; group = alpm_list_next(group))
+        {
+            if (group->data)
+            {
+                const std::string groupString{reinterpret_cast<char*>(group->data)};
+                groups  += groupString + "-";
+            }
+        }
+
+        packageInfo["groups"]       = groups.empty() ? UNKNOWN_VALUE : groups.substr(0, groups.size() - 1);
+        const std::string version          = alpmWrapper(alpm_pkg_get_version(pArchPkg));
+        packageInfo["version"]      = version.empty() ? UNKNOWN_VALUE : version;
+        packageInfo["location"]     = UNKNOWN_VALUE;
+        const std::string architecture = alpmWrapper(alpm_pkg_get_arch(pArchPkg));
+        packageInfo["architecture"] = architecture.empty() ? UNKNOWN_VALUE : architecture;
+        packageInfo["priority"]         = UNKNOWN_VALUE;
+        packageInfo["format"]       = "pacman";
+        packageInfo["vendor"]       = "Arch Linux";
+        packageInfo["source"]       = UNKNOWN_VALUE;
+        const std::string description = alpmWrapper(alpm_pkg_get_desc(pArchPkg));
+        packageInfo["description"]  = description.empty() ? UNKNOWN_VALUE : description;
+        // The multiarch field won't have a default value
+
+        return packageInfo;
+    }
+
+};
+
+#pragma GCC diagnostic pop
+
+#endif // _PACKAGE_LINUX_PARSER_HELPER_EXTRA_H
diff --git a/src/common/data_provider/src/packages/packageLinuxParserRpm.cpp b/src/common/data_provider/src/packages/packageLinuxParserRpm.cpp
new file mode 100644
index 0000000000..bf9d6054c3
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserRpm.cpp
@@ -0,0 +1,100 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "packageLinuxDataRetriever.h"
+#include "iberkeleyDbWrapper.h"
+#include "berkeleyRpmDbHelper.h"
+#include "sharedDefs.h"
+#include "packageLinuxRpmParserHelper.h"
+#include "packageLinuxRpmParserHelperLegacy.h"
+#include "filesystemHelper.h"
+#include "stringHelper.h"
+#include "rpmlib.h"
+
+void getRpmInfo(std::function<void(nlohmann::json&)> callback)
+{
+
+    const auto rpmDefaultQuery
+    {
+        [](std::function<void(nlohmann::json&)> cb)
+        {
+            const auto rawRpmPackagesInfo{ UtilsWrapperLinux::exec("rpm -qa --qf '%{name}\t%{arch}\t%{summary}\t%{size}\t%{epoch}\t%{release}\t%{version}\t%{vendor}\t%{installtime:date}\t%{group}\t\n'") };
+
+            if (!rawRpmPackagesInfo.empty())
+            {
+                const auto rows { Utils::split(rawRpmPackagesInfo, '\n') };
+
+                for (const auto& row : rows)
+                {
+                    auto package = PackageLinuxHelper::parseRpm(row);
+
+                    if (!package.empty())
+                    {
+                        cb(package);
+                    }
+                }
+            }
+        }
+    };
+
+    if (!UtilsWrapperLinux::existsRegular(RPM_DATABASE))
+    {
+        // We are probably using RPM >= 4.16 – get the packages from librpm.
+        try
+        {
+            RpmPackageManager rpm{std::make_shared<RpmLib>()};
+
+            for (const auto& p : rpm)
+            {
+                auto packageJson = PackageLinuxHelper::parseRpm(p);
+
+                if (!packageJson.empty())
+                {
+                    callback(packageJson);
+                }
+            }
+        }
+        catch (...)
+        {
+            rpmDefaultQuery(callback);
+        }
+
+    }
+    else
+    {
+        try
+        {
+            BerkeleyRpmDBReader db {std::make_shared<BerkeleyDbWrapper>(RPM_DATABASE)};
+            auto row = db.getNext();
+
+            // Get the packages from the Berkeley DB.
+            while (!row.empty())
+            {
+                auto package = PackageLinuxHelper::parseRpm(row);
+
+                if (!package.empty())
+                {
+                    callback(package);
+                }
+
+                row = db.getNext();
+            }
+        }
+        catch (...)
+        {
+            rpmDefaultQuery(callback);
+        }
+
+    }
+
+
+
+}
diff --git a/src/common/data_provider/src/packages/packageLinuxParserRpmLegacy.cpp b/src/common/data_provider/src/packages/packageLinuxParserRpmLegacy.cpp
new file mode 100644
index 0000000000..add4086375
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserRpmLegacy.cpp
@@ -0,0 +1,33 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "packageLinuxDataRetriever.h"
+#include "iberkeleyDbWrapper.h"
+#include "sharedDefs.h"
+#include "berkeleyRpmDbHelper.h"
+#include "packageLinuxRpmParserHelperLegacy.h"
+
+void getRpmInfoLegacy(std::function<void(nlohmann::json&)> callback)
+{
+    BerkeleyRpmDBReader db {std::make_shared<BerkeleyDbWrapper>(RPM_DATABASE)};
+    auto row = db.getNext();
+
+    // Get the packages from the Berkeley DB.
+    while (!row.empty())
+    {
+        auto package = PackageLinuxHelper::parseRpm(row);
+
+        if (!package.empty())
+        {
+            callback(package);
+        }
+
+        row = db.getNext();
+    }
+}
diff --git a/src/common/data_provider/src/packages/packageLinuxParserSnap.cpp b/src/common/data_provider/src/packages/packageLinuxParserSnap.cpp
new file mode 100644
index 0000000000..05ef33a6c2
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxParserSnap.cpp
@@ -0,0 +1,43 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sharedDefs.h"
+#include "packageLinuxParserHelper.h"
+#include "UNIXSocketRequest.hpp"
+
+void getSnapInfo(std::function<void(nlohmann::json&)> callback)
+{
+    UNIXSocketRequest::instance().get(
+        HttpUnixSocketURL("/run/snapd.socket", "http://localhost/v2/snaps"),
+        [&](const std::string & result)
+    {
+        auto feed = nlohmann::json::parse(result, nullptr, false).at("result");
+
+        if (feed.is_discarded())
+        {
+            std::cerr << "Error parsing JSON feed\n";
+        }
+
+        for (const auto& entry : feed)
+        {
+            nlohmann::json mapping = PackageLinuxHelper::parseSnap(entry);
+
+            if (!mapping.empty())
+            {
+                callback(mapping);
+            }
+        }
+    },
+    [&](const std::string & result, const long responseCode)
+    {
+        std::cerr << "Error retrieving packages using snap unix-socket (" << responseCode << ") " << result << "\n";
+    });
+}
+
diff --git a/src/common/data_provider/src/packages/packageLinuxRpmParserHelper.h b/src/common/data_provider/src/packages/packageLinuxRpmParserHelper.h
new file mode 100644
index 0000000000..024a2738fe
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxRpmParserHelper.h
@@ -0,0 +1,64 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_RPM_PARSER_HELPER_H
+#define _PACKAGE_LINUX_RPM_PARSER_HELPER_H
+
+#include "json.hpp"
+#include "rpmPackageManager.h"
+#include "sharedDefs.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+
+namespace PackageLinuxHelper
+{
+    static nlohmann::json parseRpm(const RpmPackageManager::Package& package)
+    {
+        nlohmann::json ret;
+        auto version { package.version };
+
+        if (package.epoch)
+        {
+            version = std::to_string(package.epoch) + ":" + version;
+        }
+
+        if (!package.release.empty())
+        {
+            version += "-" + package.release;
+        }
+
+        if (package.name.compare("gpg-pubkey") != 0 && !package.name.empty())
+        {
+            ret["name"]         = package.name;
+            ret["size"]         = package.size;
+            ret["install_time"] = package.installTime;
+            ret["location"]     = UNKNOWN_VALUE;
+            ret["groups"]       = package.group;
+            ret["version"]      = version;
+            ret["priority"]     = UNKNOWN_VALUE;
+            ret["architecture"] = package.architecture;
+            ret["source"]       = UNKNOWN_VALUE;
+            ret["format"]       = "rpm";
+            ret["vendor"]       = package.vendor;
+            ret["description"]  = package.description;
+            // The multiarch field won't have a default value
+        }
+
+        return ret;
+    }
+
+};
+
+#pragma GCC diagnostic pop
+
+#endif // _PACKAGE_LINUX_RPM_PARSER_HELPER_H
diff --git a/src/common/data_provider/src/packages/packageLinuxRpmParserHelperLegacy.h b/src/common/data_provider/src/packages/packageLinuxRpmParserHelperLegacy.h
new file mode 100644
index 0000000000..3053aa9051
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageLinuxRpmParserHelperLegacy.h
@@ -0,0 +1,82 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_LINUX_RPM_PARSER_LEGACY_HELPER_H
+#define _PACKAGE_LINUX_RPM_PARSER_LEGACY_HELPER_H
+
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include "json.hpp"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+
+namespace PackageLinuxHelper
+{
+
+    static nlohmann::json parseRpm(const std::string& packageInfo)
+    {
+        nlohmann::json ret;
+        const auto fields { Utils::split(packageInfo, '\t') };
+        constexpr auto DEFAULT_VALUE { "(none)" };
+
+        if (RPMFields::RPM_FIELDS_SIZE <= fields.size())
+        {
+            std::string name             { fields.at(RPMFields::RPM_FIELDS_NAME) };
+
+            if (name.compare("gpg-pubkey") != 0 && !name.empty())
+            {
+                std::string size         { fields.at(RPMFields::RPM_FIELDS_PACKAGE_SIZE) };
+                std::string install_time { fields.at(RPMFields::RPM_FIELDS_INSTALLTIME) };
+                std::string groups       { fields.at(RPMFields::RPM_FIELDS_GROUPS) };
+                std::string version      { fields.at(RPMFields::RPM_FIELDS_VERSION) };
+                std::string architecture { fields.at(RPMFields::RPM_FIELDS_ARCHITECTURE) };
+                std::string vendor       { fields.at(RPMFields::RPM_FIELDS_VENDOR) };
+                std::string description  { fields.at(RPMFields::RPM_FIELDS_SUMMARY) };
+
+                std::string release      { fields.at(RPMFields::RPM_FIELDS_RELEASE) };
+                std::string epoch        { fields.at(RPMFields::RPM_FIELDS_EPOCH) };
+
+                if (!epoch.empty() && epoch.compare(DEFAULT_VALUE) != 0)
+                {
+                    version = epoch + ":" + version;
+                }
+
+                if (!release.empty() && release.compare(DEFAULT_VALUE) != 0)
+                {
+                    version += "-" + release;
+                }
+
+                ret["name"]         = name;
+                ret["size"]         = size.empty() || size.compare(DEFAULT_VALUE) == 0 ? 0 : stoi(size);
+                ret["install_time"] = install_time.empty() || install_time.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : install_time;
+                ret["location"]     = UNKNOWN_VALUE;
+                ret["groups"]       = groups.empty() || groups.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : groups;
+                ret["version"]      = version.empty() || version.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : version;
+                ret["priority"]     = UNKNOWN_VALUE;
+                ret["architecture"] = architecture.empty() || architecture.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : architecture;
+                ret["source"]       = UNKNOWN_VALUE;
+                ret["format"]       = "rpm";
+                ret["vendor"]       = vendor.empty() || vendor.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : vendor;
+                ret["description"]  = description.empty() || description.compare(DEFAULT_VALUE) == 0 ? UNKNOWN_VALUE : description;
+                // The multiarch field won't have a default value
+            }
+        }
+
+        return ret;
+    }
+
+};
+
+#pragma GCC diagnostic pop
+
+#endif // _PACKAGE_LINUX_RPM_PARSER_LEGACY_HELPER_H
diff --git a/src/common/data_provider/src/packages/packageMac.cpp b/src/common/data_provider/src/packages/packageMac.cpp
new file mode 100644
index 0000000000..00d86eafe2
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageMac.cpp
@@ -0,0 +1,73 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "packageMac.h"
+#include "sharedDefs.h"
+#include "brewWrapper.h"
+#include "pkgWrapper.h"
+#include "macportsWrapper.h"
+
+std::shared_ptr<IPackage> FactoryBSDPackage::create(const std::pair<PackageContext, int>& ctx)
+{
+    std::shared_ptr<IPackage> ret;
+
+    if (ctx.second == BREW)
+    {
+        ret = std::make_shared<BSDPackageImpl>(std::make_shared<BrewWrapper>(ctx.first));
+    }
+    else if (ctx.second == PKG)
+    {
+        ret = std::make_shared<BSDPackageImpl>(std::make_shared<PKGWrapper>(ctx.first));
+    }
+    else
+    {
+        throw std::runtime_error { "Error creating BSD package data retriever." };
+    }
+
+    return ret;
+}
+
+std::shared_ptr<IPackage> FactoryBSDPackage::create(const std::pair<SQLite::IStatement&, const int>& ctx)
+{
+    std::shared_ptr<IPackage> ret;
+
+    if (ctx.second == MACPORTS)
+    {
+        ret = std::make_shared<BSDPackageImpl>(std::make_shared<MacportsWrapper>(ctx.first));
+    }
+    else
+    {
+        throw std::runtime_error { "Error creating BSD package data retriever." };
+    }
+
+    return ret;
+}
+
+BSDPackageImpl::BSDPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper)
+    : m_packageWrapper(packageWrapper)
+{ }
+
+void BSDPackageImpl::buildPackageData(nlohmann::json& package)
+{
+    package["name"] = m_packageWrapper->name();
+    package["version"] = m_packageWrapper->version();
+    package["groups"] = m_packageWrapper->groups();
+    package["description"] = m_packageWrapper->description();
+    package["architecture"] = m_packageWrapper->architecture();
+    package["format"] = m_packageWrapper->format();
+    package["source"] = m_packageWrapper->source();
+    package["location"] = m_packageWrapper->location();
+    package["priority"] = m_packageWrapper->priority();
+    package["size"] = m_packageWrapper->size();
+    package["vendor"] = m_packageWrapper->vendor();
+    package["install_time"] = m_packageWrapper->install_time();
+    package["multiarch"] = m_packageWrapper->multiarch();
+}
diff --git a/src/common/data_provider/src/packages/packageMac.h b/src/common/data_provider/src/packages/packageMac.h
new file mode 100644
index 0000000000..987d09b168
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageMac.h
@@ -0,0 +1,42 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_MAC_H
+#define _PACKAGE_MAC_H
+
+#include "ipackageInterface.h"
+#include "ipackageWrapper.h"
+#include "sqliteWrapperTemp.h"
+
+struct PackageContext
+{
+    std::string filePath;
+    std::string package;
+    std::string version;
+};
+
+class FactoryBSDPackage
+{
+    public:
+        static std::shared_ptr<IPackage>create(const std::pair<PackageContext, int>& ctx);
+        static std::shared_ptr<IPackage>create(const std::pair<SQLite::IStatement&, const int>& ctx);
+};
+
+class BSDPackageImpl final : public IPackage
+{
+        const std::shared_ptr<IPackageWrapper> m_packageWrapper;
+    public:
+        explicit BSDPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper);
+
+        void buildPackageData(nlohmann::json& package) override;
+};
+
+#endif // _PACKAGE_MAC_H
diff --git a/src/common/data_provider/src/packages/packageSolaris.cpp b/src/common/data_provider/src/packages/packageSolaris.cpp
new file mode 100644
index 0000000000..f815fb5f8d
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageSolaris.cpp
@@ -0,0 +1,38 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 11, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "packageSolaris.h"
+
+std::shared_ptr<IPackage> FactorySolarisPackage::create(const std::shared_ptr<IPackageWrapper>& pkgWrapper)
+{
+    return std::make_shared<SolarisPackageImpl>(pkgWrapper);
+}
+
+SolarisPackageImpl::SolarisPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper)
+    : m_packageWrapper(packageWrapper)
+{ }
+
+void SolarisPackageImpl::buildPackageData(nlohmann::json& package)
+{
+    package["name"] = m_packageWrapper->name();
+    package["version"] = m_packageWrapper->version();
+    package["groups"] = m_packageWrapper->groups();
+    package["description"] = m_packageWrapper->description();
+    package["architecture"] = m_packageWrapper->architecture();
+    package["format"] = m_packageWrapper->format();
+    package["source"] = m_packageWrapper->source();
+    package["location"] = m_packageWrapper->location();
+    package["priority"] = m_packageWrapper->priority();
+    package["size"] = m_packageWrapper->size();
+    package["vendor"] = m_packageWrapper->vendor();
+    package["install_time"] = m_packageWrapper->install_time();
+    // The multiarch field won't have a default value
+}
diff --git a/src/common/data_provider/src/packages/packageSolaris.h b/src/common/data_provider/src/packages/packageSolaris.h
new file mode 100644
index 0000000000..0104f36739
--- /dev/null
+++ b/src/common/data_provider/src/packages/packageSolaris.h
@@ -0,0 +1,39 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 11, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+
+#ifndef _PACKAGE_SOLARIS_H
+#define _PACKAGE_SOLARIS_H
+
+#include "ipackageInterface.h"
+#include "ipackageWrapper.h"
+
+class FactorySolarisPackage
+{
+    public:
+        static std::shared_ptr<IPackage>create(const std::shared_ptr<IPackageWrapper>& pkgWrapper);
+};
+
+class SolarisPackageImpl final : public IPackage
+{
+        const std::shared_ptr<IPackageWrapper> m_packageWrapper;
+
+    public:
+        explicit SolarisPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper);
+
+        // LCOV_EXCL_START
+        ~SolarisPackageImpl() = default;
+        // LCOV_EXCL_STOP
+
+        void buildPackageData(nlohmann::json& packge) override;
+};
+
+#endif // _PACKAGE_SOLARIS_H
diff --git a/src/common/data_provider/src/packages/packagesNPM.hpp b/src/common/data_provider/src/packages/packagesNPM.hpp
new file mode 100644
index 0000000000..4acb9b1359
--- /dev/null
+++ b/src/common/data_provider/src/packages/packagesNPM.hpp
@@ -0,0 +1,138 @@
+/*
+ * Wazuh data provider.
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGES_NPM_HPP
+#define _PACKAGES_NPM_HPP
+
+#include "fileSystem.hpp"
+#include "stdFileSystemHelper.hpp"
+#include "json.hpp"
+#include "jsonIO.hpp"
+#include "sharedDefs.h"
+#include <filesystem>
+#include <fstream>
+#include <iostream>
+#include <set>
+
+template<typename TFileSystem = RealFileSystem, typename TJsonReader = JsonIO<nlohmann::json>>
+class NPM final
+    : public TFileSystem
+    , public TJsonReader
+{
+        void parsePackage(const std::filesystem::path& folderPath, std::function<void(nlohmann::json&)>& callback)
+        {
+            // Map to match fields
+            static const std::map<std::string, std::string> NPM_FIELDS
+            {
+                {"name", "name"},
+                {"version", "version"},
+                {"description", "description"},
+                {"homepage", "source"},
+            };
+            const auto path = folderPath / "package.json";
+
+            try
+            {
+                if (TFileSystem::exists(path))
+                {
+                    // Read json from filesystem path.
+                    const auto packageJson = TJsonReader::readJson(path);
+                    nlohmann::json packageInfo;
+
+                    packageInfo["groups"] = UNKNOWN_VALUE;
+                    packageInfo["description"] = UNKNOWN_VALUE;
+                    packageInfo["architecture"] = UNKNOWN_VALUE;
+                    packageInfo["format"] = "npm";
+                    packageInfo["source"] = UNKNOWN_VALUE;
+                    packageInfo["location"] = path.string();
+                    packageInfo["priority"] = UNKNOWN_VALUE;
+                    packageInfo["size"] = 0;
+                    packageInfo["vendor"] = UNKNOWN_VALUE;
+                    packageInfo["install_time"] = UNKNOWN_VALUE;
+                    // The multiarch field won't have a default value
+
+                    // Iterate over fields
+                    for (const auto& [key, value] : NPM_FIELDS)
+                    {
+                        if (packageJson.contains(key) && packageJson.at(key).is_string())
+                        {
+                            packageInfo[value] = packageJson.at(key);
+                        }
+                    }
+
+                    if (packageInfo.contains("name") && packageInfo.contains("version"))
+                    {
+                        callback(packageInfo);
+                    }
+                }
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << "Error reading NPM package: " << path.string() << ", " << e.what() << std::endl;
+            }
+        }
+
+        void exploreExpandedPaths(const std::deque<std::string>& expandedPaths,
+                                  std::function<void(nlohmann::json&)> callback)
+        {
+            for (const auto& expandedPath : expandedPaths)
+            {
+                try
+                {
+                    // Exist and is a directory
+                    const auto nodeModulesFolder {std::filesystem::path(expandedPath) / "node_modules"};
+
+                    if (TFileSystem::exists(nodeModulesFolder))
+                    {
+                        for (const auto& packageFolder : TFileSystem::directory_iterator(nodeModulesFolder))
+                        {
+                            if (TFileSystem::is_directory(packageFolder))
+                            {
+                                parsePackage(packageFolder, callback);
+                            }
+                        }
+                    }
+                }
+                catch (const std::exception& e)
+                {
+                    // Ignore exception, continue with next folder
+                }
+            }
+        }
+
+    public:
+        NPM() = default;
+        ~NPM() = default;
+
+        void getPackages(const std::set<std::string>& osRootFolders, std::function<void(nlohmann::json&)> callback)
+        {
+
+            // Iterate over node_modules folders
+            for (const auto& osRootFolder : osRootFolders)
+            {
+                try
+                {
+                    std::deque<std::string> expandedPaths;
+
+                    // Expand paths
+                    Utils::expandAbsolutePath(osRootFolder, expandedPaths);
+                    // Explore expanded paths
+                    exploreExpandedPaths(expandedPaths, callback);
+                }
+                catch (const std::exception& e)
+                {
+                    // Ignore exception, continue with next folder
+                }
+            }
+        }
+};
+
+#endif // _PACKAGES_NPM_HPP
diff --git a/src/common/data_provider/src/packages/packagesPYPI.hpp b/src/common/data_provider/src/packages/packagesPYPI.hpp
new file mode 100644
index 0000000000..15197ab492
--- /dev/null
+++ b/src/common/data_provider/src/packages/packagesPYPI.hpp
@@ -0,0 +1,159 @@
+/*
+ * Wazuh data provider.
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGES_PYPI_HPP
+#define _PACKAGES_PYPI_HPP
+
+#include "fileIO.hpp"
+#include "fileSystem.hpp"
+#include "stdFileSystemHelper.hpp"
+#include "json.hpp"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include <iostream>
+#include <set>
+
+const static std::map<std::string, std::string> FILE_MAPPING_PYPI {{"egg-info", "PKG-INFO"}, {"dist-info", "METADATA"}};
+
+template<typename TFileSystem = RealFileSystem, typename TFileIO = FileIO>
+class PYPI final : public TFileSystem, public TFileIO
+{
+        void parseMetadata(const std::filesystem::path& path, std::function<void(nlohmann::json&)>& callback)
+        {
+            // Map to match fields
+            static const std::map<std::string, std::string> PYPI_FIELDS {{"Name: ", "name"},
+                {"Version: ", "version"},
+                {"Summary: ", "description"},
+                {"Home-page: ", "source"},
+                {"Author: ", "vendor"}};
+
+            // Parse the METADATA file
+            nlohmann::json packageInfo;
+
+            packageInfo["groups"] = UNKNOWN_VALUE;
+            packageInfo["description"] = UNKNOWN_VALUE;
+            packageInfo["architecture"] = UNKNOWN_VALUE;
+            packageInfo["format"] = "pypi";
+            packageInfo["source"] = UNKNOWN_VALUE;
+            packageInfo["location"] = path.string();
+            packageInfo["priority"] = UNKNOWN_VALUE;
+            packageInfo["size"] = 0;
+            packageInfo["vendor"] = UNKNOWN_VALUE;
+            packageInfo["install_time"] = UNKNOWN_VALUE;
+            // The multiarch field won't have a default value
+
+            TFileIO::readLineByLine(path,
+                                    [&packageInfo](const std::string & line) -> bool
+            {
+                const auto it {
+                    std::find_if(PYPI_FIELDS.begin(),
+                                 PYPI_FIELDS.end(),
+                                 [&line](const auto & element)
+                    {
+                        return Utils::startsWith(line, element.first);
+                    })};
+
+                if (PYPI_FIELDS.end() != it)
+                {
+                    const auto& [key, value] {*it};
+
+                    if (!packageInfo.contains(value))
+                    {
+                        packageInfo[value] = Utils::trim(line.substr(key.length()), "\r");
+                    }
+                }
+                return true;
+            });
+
+            // Check if we have a name and version
+            if (packageInfo.contains("name") && packageInfo.contains("version"))
+            {
+                callback(packageInfo);
+            }
+        }
+
+        void findCorrectPath(const std::filesystem::path& path, std::function<void(nlohmann::json&)> callback)
+        {
+            try
+            {
+                const auto filename = path.filename().string();
+
+                for (const auto& [key, value] : FILE_MAPPING_PYPI)
+                {
+                    if (filename.find(key) != std::string::npos)
+                    {
+                        if (TFileSystem::is_regular_file(path))
+                        {
+                            parseMetadata(path, callback);
+                        }
+                        else if (TFileSystem::is_directory(path))
+                        {
+                            parseMetadata(path / value, callback);
+                        }
+                        else
+                        {
+                            // Do nothing
+                        }
+                    }
+                }
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << "Error parsing PYPI package: " << path.string() << ", " << e.what() << std::endl;
+            }
+        }
+        void exploreExpandedPaths(const std::deque<std::string>& expandedPaths,
+                                  std::function<void(nlohmann::json&)> callback)
+        {
+            for (const auto& expandedPath : expandedPaths)
+            {
+                try
+                {
+                    // Exist and is a directory
+                    if (TFileSystem::exists(expandedPath) && TFileSystem::is_directory(expandedPath))
+                    {
+                        for (const std::filesystem::path& path : TFileSystem::directory_iterator(expandedPath))
+                        {
+                            findCorrectPath(path, callback);
+                        }
+                    }
+                }
+                catch (const std::exception&)
+                {
+                    // Do nothing, continue with the next path
+                }
+            }
+        }
+
+    public:
+        void getPackages(const std::set<std::string>& osRootFolders, std::function<void(nlohmann::json&)> callback)
+        {
+
+            for (const auto& osFolder : osRootFolders)
+            {
+                std::deque<std::string> expandedPaths;
+
+                try
+                {
+                    // Expand paths
+                    Utils::expandAbsolutePath(osFolder, expandedPaths);
+                    // Explore expanded paths
+                    exploreExpandedPaths(expandedPaths, callback);
+                }
+                catch (const std::exception&)
+                {
+                    // Do nothing, continue with the next path
+                }
+            }
+        }
+};
+
+#endif // _PACKAGES_PYPI_HPP
diff --git a/src/common/data_provider/src/packages/packagesWindows.cpp b/src/common/data_provider/src/packages/packagesWindows.cpp
new file mode 100644
index 0000000000..4e19114dac
--- /dev/null
+++ b/src/common/data_provider/src/packages/packagesWindows.cpp
@@ -0,0 +1,39 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 24, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "packagesWindows.h"
+#include "appxWindowsWrapper.h"
+#include "sharedDefs.h"
+
+std::shared_ptr<IPackage> FactoryWindowsPackage::create(const HKEY key, const std::string& userId, const std::string& nameApp, const std::set<std::string>& cacheRegistry)
+{
+    return std::make_shared<WindowsPackageImpl>(std::make_shared<AppxWindowsWrapper>(key, userId, nameApp, cacheRegistry));
+}
+
+WindowsPackageImpl::WindowsPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper)
+    : m_packageWrapper(packageWrapper)
+{ }
+
+void WindowsPackageImpl::buildPackageData(nlohmann::json& package)
+{
+    package["name"] = m_packageWrapper->name();
+    package["version"] = m_packageWrapper->version();
+    package["vendor"] = m_packageWrapper->vendor();
+    package["install_time"] = m_packageWrapper->install_time();
+    package["location"] = m_packageWrapper->location();
+    package["architecture"] = m_packageWrapper->architecture();
+    package["groups"] = m_packageWrapper->groups();
+    package["description"] = m_packageWrapper->description();
+    package["size"] = m_packageWrapper->size();
+    package["priority"] = m_packageWrapper->priority();
+    package["source"] = m_packageWrapper->source();
+    package["format"] = m_packageWrapper->format();
+}
diff --git a/src/common/data_provider/src/packages/packagesWindows.h b/src/common/data_provider/src/packages/packagesWindows.h
new file mode 100644
index 0000000000..1153c19e7e
--- /dev/null
+++ b/src/common/data_provider/src/packages/packagesWindows.h
@@ -0,0 +1,38 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 24, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGE_WINDOWS_H
+#define _PACKAGE_WINDOWS_H
+
+#include <winsock2.h>
+#include <windows.h>
+#include <set>
+#include "ipackageInterface.h"
+#include "ipackageWrapper.h"
+
+class FactoryWindowsPackage
+{
+    public:
+        static std::shared_ptr<IPackage>create(const HKEY key, const std::string& userId, const std::string& nameApp, const std::set<std::string>& cacheRegistry);
+};
+
+class WindowsPackageImpl final : public IPackage
+{
+    private:
+        const std::shared_ptr<IPackageWrapper> m_packageWrapper;
+    public:
+        explicit WindowsPackageImpl(const std::shared_ptr<IPackageWrapper>& packageWrapper);
+
+        void buildPackageData(nlohmann::json& package) override;
+};
+
+#endif // _PACKAGE_WINDOWS_H
+
diff --git a/src/common/data_provider/src/packages/packagesWindowsParserHelper.h b/src/common/data_provider/src/packages/packagesWindowsParserHelper.h
new file mode 100644
index 0000000000..e131a82914
--- /dev/null
+++ b/src/common/data_provider/src/packages/packagesWindowsParserHelper.h
@@ -0,0 +1,216 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PACKAGES_WINDOWS_PARSER_HELPER_H
+#define _PACKAGES_WINDOWS_PARSER_HELPER_H
+
+#include <regex>
+#include "json.hpp"
+#include "registryHelper.h"
+#include "stringHelper.h"
+
+
+namespace PackageWindowsHelper
+{
+    constexpr auto WIN_REG_HOTFIX {"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages"};
+    constexpr auto VISTA_REG_HOTFIX {"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\HotFix"};
+    constexpr auto WIN_REG_PRODUCT_HOTFIX {"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products"};
+    constexpr auto WIN_REG_WOW_HOTFIX {"SOFTWARE\\WOW6432Node\\Microsoft\\Updates"};
+
+    static std::string extractHFValue(std::string input)
+    {
+        constexpr auto KB_FORMAT_REGEX_STR { "(KB+[0-9]{6,})"};
+        static std::regex rex{KB_FORMAT_REGEX_STR};
+        std::string ret;
+        input = Utils::toUpperCase(input);
+        std::smatch match;
+
+        if (std::regex_search(input, match, rex))
+        {
+            // KB format is correct
+            ret = match[1];
+        }
+
+        return ret;
+    }
+
+    static void getHotFixFromReg(const HKEY key, const std::string& subKey, std::set<std::string>& hotfixes)
+    {
+        try
+        {
+            Utils::Registry root{key, subKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+            const auto callback
+            {
+                [&key, &subKey, &hotfixes](const std::string & package)
+                {
+                    if (Utils::startsWith(package, "Package_"))
+                    {
+                        auto hfValue { extractHFValue(package) };
+
+                        if (!hfValue.empty())
+                        {
+                            hotfixes.insert(std::move(hfValue));
+                        }
+                        else if (package.find("RollupFix") != std::string::npos)
+                        {
+                            std::string value;
+                            Utils::Registry packageReg{key, subKey + "\\" + package, KEY_WOW64_64KEY | KEY_READ};
+
+                            if (packageReg.string("InstallLocation", value))
+                            {
+                                auto rollUpValue { extractHFValue(value) };
+
+                                if (!rollUpValue.empty())
+                                {
+                                    hotfixes.insert(std::move(rollUpValue));
+                                }
+                            }
+                        }
+                    }
+                }
+            };
+            root.enumerate(callback);
+        }
+        catch (...)
+        {
+        }
+    }
+
+    static void getHotFixFromRegNT(const HKEY key, const std::string& subKey, std::set<std::string>& hotfixes)
+    {
+        try
+        {
+            const auto callback
+            {
+                [&key, &subKey, &hotfixes](const std::string & package)
+                {
+                    auto hfValue { extractHFValue(package) };
+
+                    if (!hfValue.empty())
+                    {
+                        hotfixes.insert(std::move(hfValue));
+                    }
+                }
+            };
+            Utils::Registry root{key, subKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+            root.enumerate(callback);
+
+        }
+        catch (...)
+        {
+        }
+    }
+
+    static void getHotFixFromRegWOW(const HKEY key, const std::string& subKey, std::set<std::string>& hotfixes)
+    {
+        try
+        {
+            const auto callback
+            {
+                [&key, &subKey, &hotfixes](const std::string & packageKey)
+                {
+                    const auto callbackKey
+                    {
+                        [&key, &subKey, &packageKey, &hotfixes](const std::string & package)
+                        {
+                            auto hfValue { extractHFValue(package) };
+
+                            if (!hfValue.empty())
+                            {
+                                hotfixes.insert(std::move(hfValue));
+                            }
+                        }
+                    };
+                    Utils::Registry packageReg{key, subKey + "\\" + packageKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+                    packageReg.enumerate(callbackKey);
+                }
+            };
+            Utils::Registry root{key, subKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+            root.enumerate(callback);
+        }
+        catch (...)
+        {
+        }
+
+    }
+
+    static void getHotFixFromRegProduct(const HKEY key, const std::string& subKey, std::set<std::string>& hotfixes)
+    {
+        try
+        {
+            const auto callback
+            {
+                [&key, &subKey, &hotfixes](const std::string & packageKey)
+                {
+                    const auto callbackKey
+                    {
+                        [&key, &subKey, &packageKey, &hotfixes](const std::string & package)
+                        {
+
+                            if (Utils::startsWith(package, "InstallProperties"))
+                            {
+
+                                Utils::Registry packageReg{key, subKey + "\\" + packageKey + "\\" + package, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+                                std::string value;
+
+                                if (packageReg.string("DisplayName", value))
+                                {
+                                    auto hfValue { extractHFValue(value) };
+
+                                    if (!hfValue.empty())
+                                    {
+                                        hotfixes.insert(std::move(hfValue));
+                                    }
+                                }
+                            }
+                            else if (Utils::startsWith(package, "Patches"))
+                            {
+                                const auto callbackPatch
+                                {
+                                    [&key, &subKey, &packageKey, &package, &hotfixes](const std::string & packagePatch)
+                                    {
+
+                                        Utils::Registry packageReg{key, subKey + "\\" + packageKey + "\\" + package + "\\" + packagePatch, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+                                        std::string value;
+
+                                        if (packageReg.string("DisplayName", value))
+                                        {
+                                            auto hfValue { extractHFValue(value) };
+
+                                            if (!hfValue.empty())
+                                            {
+                                                hotfixes.insert(std::move(hfValue));
+                                            }
+                                        }
+                                    }
+                                };
+                                Utils::Registry rootPatch{key, subKey + "\\" + packageKey + "\\" + package, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+                                rootPatch.enumerate(callbackPatch);
+
+                            }
+                        }
+                    };
+                    Utils::Registry rootKey{key, subKey + "\\" + packageKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+                    rootKey.enumerate(callbackKey);
+                }
+            };
+            Utils::Registry root{key, subKey, KEY_WOW64_64KEY | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+            root.enumerate(callback);
+
+        }
+        catch (...)
+        {
+        }
+
+    }
+};
+
+#endif // _PACKAGES_WINDOWS_PARSER_HELPER_H
diff --git a/src/common/data_provider/src/packages/pkgWrapper.h b/src/common/data_provider/src/packages/pkgWrapper.h
new file mode 100644
index 0000000000..3fc2879cb1
--- /dev/null
+++ b/src/common/data_provider/src/packages/pkgWrapper.h
@@ -0,0 +1,277 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PKG_WRAPPER_H
+#define _PKG_WRAPPER_H
+
+#include <fstream>
+#include <istream>
+#include <regex>
+#include "stringHelper.h"
+#include "ipackageWrapper.h"
+#include "sharedDefs.h"
+#include "plist/plist.h"
+#include "filesystemHelper.h"
+
+static const std::string APP_INFO_PATH      { "Contents/Info.plist" };
+static const std::string PLIST_BINARY_START { "bplist00"            };
+static const std::string UTILITIES_FOLDER   { "/Utilities"          };
+
+class PKGWrapper final : public IPackageWrapper
+{
+    public:
+        explicit PKGWrapper(const PackageContext& ctx)
+            : m_version{UNKNOWN_VALUE}
+            , m_groups{UNKNOWN_VALUE}
+            , m_description {UNKNOWN_VALUE}
+            , m_architecture{UNKNOWN_VALUE}
+            , m_format{"pkg"}
+            , m_source {UNKNOWN_VALUE}
+            , m_location {UNKNOWN_VALUE}
+            , m_priority {UNKNOWN_VALUE}
+            , m_size {0}
+            , m_vendor{UNKNOWN_VALUE}
+            , m_installTime {UNKNOWN_VALUE}
+        {
+            getPkgData(ctx.filePath + "/" + ctx.package + "/" + APP_INFO_PATH);
+        }
+
+        ~PKGWrapper() = default;
+
+        std::string name() const override
+        {
+            return m_name;
+        }
+        std::string version() const override
+        {
+            return m_version;
+        }
+        std::string groups() const override
+        {
+            return m_groups;
+        }
+        std::string description() const override
+        {
+            return m_description;
+        }
+        std::string architecture() const override
+        {
+            return m_architecture;
+        }
+        std::string format() const override
+        {
+            return m_format;
+        }
+        std::string osPatch() const override
+        {
+            return m_osPatch;
+        }
+        std::string source() const override
+        {
+            return m_source;
+        }
+        std::string location() const override
+        {
+            return m_location;
+        }
+        std::string vendor() const override
+        {
+            return m_vendor;
+        }
+
+        std::string priority() const override
+        {
+            return m_priority;
+        }
+
+        int size() const override
+        {
+            return m_size;
+        }
+
+        std::string install_time() const override
+        {
+            return m_installTime;
+        }
+
+        std::string multiarch() const override
+        {
+            return m_multiarch;
+        }
+
+    private:
+        void getPkgData(const std::string& filePath)
+        {
+            const auto isBinaryFnc
+            {
+                [&filePath]()
+                {
+                    // If first line is "bplist00" it's a binary plist file
+                    std::fstream file {filePath, std::ios_base::in};
+                    std::string line;
+                    return std::getline(file, line) && Utils::startsWith(line, PLIST_BINARY_START);
+                }
+            };
+            const auto isBinary { isBinaryFnc() };
+            constexpr auto BUNDLEID_PATTERN{R"(^[^.]+\.([^.]+).*$)"};
+            static std::regex bundleIdRegex{BUNDLEID_PATTERN};
+
+            static const auto getValueFnc
+            {
+                [](const std::string & val)
+                {
+                    const auto start{val.find(">")};
+                    const auto end{val.rfind("<")};
+                    return val.substr(start + 1, end - start - 1);
+                }
+            };
+
+            const auto getDataFnc
+            {
+                [this, &filePath](std::istream & data)
+                {
+                    std::string line;
+                    std::string bundleShortVersionString;
+                    std::string bundleVersion;
+
+                    while (std::getline(data, line))
+                    {
+                        line = Utils::trim(line, " \t");
+
+                        if (line == "<key>CFBundleName</key>" &&
+                                std::getline(data, line))
+                        {
+                            m_name = getValueFnc(line);
+                        }
+                        else if (line == "<key>CFBundleShortVersionString</key>" &&
+                                 std::getline(data, line))
+                        {
+                            bundleShortVersionString = getValueFnc(line);
+                        }
+                        else if (line == "<key>CFBundleVersion</key>" &&
+                                 std::getline(data, line))
+                        {
+                            bundleVersion = getValueFnc(line);
+                        }
+                        else if (line == "<key>LSApplicationCategoryType</key>" &&
+                                 std::getline(data, line))
+                        {
+                            auto groups = getValueFnc(line);
+
+                            if (!groups.empty())
+                            {
+                                m_groups = groups;
+                            }
+                        }
+                        else if (line == "<key>CFBundleIdentifier</key>" &&
+                                 std::getline(data, line))
+                        {
+                            auto description = getValueFnc(line);
+
+                            if (!description.empty())
+                            {
+                                m_description = description;
+                                std::string vendor;
+
+                                if (Utils::findRegexInString(m_description, vendor, bundleIdRegex, 1))
+                                {
+                                    m_vendor = vendor;
+                                }
+                            }
+                        }
+                    }
+
+                    if (!bundleShortVersionString.empty())
+                    {
+                        if (Utils::startsWith(bundleVersion, bundleShortVersionString))
+                        {
+                            m_version = bundleVersion;
+                        }
+                        else
+                        {
+                            m_version = bundleShortVersionString;
+                        }
+                    }
+
+                    m_architecture = UNKNOWN_VALUE;
+                    m_multiarch = UNKNOWN_VALUE;
+                    m_priority = UNKNOWN_VALUE;
+                    m_size = 0;
+                    m_installTime = UNKNOWN_VALUE;
+                    m_source = filePath.find(UTILITIES_FOLDER) ? "utilities" : "applications";
+                    m_location = filePath;
+                }
+            };
+
+            if (isBinary)
+            {
+                auto xmlContent { binaryToXML(filePath) };
+                getDataFnc(xmlContent);
+            }
+            else
+            {
+                std::fstream file { filePath, std::ios_base::in };
+
+                if (file.is_open())
+                {
+                    getDataFnc(file);
+                }
+            }
+        }
+
+        std::stringstream binaryToXML(const std::string& filePath)
+        {
+            std::string xmlContent;
+            plist_t rootNode { nullptr };
+            const auto binaryContent { Utils::getBinaryContent(filePath) };
+
+            // plist C++ APIs calls - to be used when Makefile and external are updated.
+            // const auto dataFromBin { PList::Structure::FromBin(binaryContent) };
+            // const auto xmlContent { dataFromBin->ToXml() };
+
+            // Content binary file to plist representation
+            plist_from_bin(binaryContent.data(), binaryContent.size(), &rootNode);
+
+            if (nullptr != rootNode)
+            {
+                char* xml { nullptr };
+                uint32_t length { 0 };
+                // plist binary representation to XML
+                plist_to_xml(rootNode, &xml, &length);
+
+                if (nullptr != xml)
+                {
+                    xmlContent.assign(xml, xml + length);
+                    plist_to_xml_free(xml);
+                    plist_free(rootNode);
+                }
+            }
+
+            return std::stringstream{xmlContent};
+        }
+
+        std::string m_name;
+        std::string m_version;
+        std::string m_groups;
+        std::string m_description;
+        std::string m_architecture;
+        const std::string m_format;
+        std::string m_osPatch;
+        std::string m_source;
+        std::string m_location;
+        std::string m_multiarch;
+        std::string m_priority;
+        int m_size;
+        std::string m_vendor;
+        std::string m_installTime;
+};
+
+#endif //_PKG_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/rpmPackageManager.cpp b/src/common/data_provider/src/packages/rpmPackageManager.cpp
new file mode 100644
index 0000000000..49d4beaf8a
--- /dev/null
+++ b/src/common/data_provider/src/packages/rpmPackageManager.cpp
@@ -0,0 +1,175 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "rpmPackageManager.h"
+
+#include <exception>
+#include <map>
+#include <stdexcept>
+#include <vector>
+#include <iostream>
+
+// For O_RDONLY
+#include <fcntl.h>
+
+bool RpmPackageManager::ms_instantiated = false;
+
+RpmPackageManager::RpmPackageManager(std::shared_ptr<IRpmLibWrapper>&& wrapper)
+    : m_rpmlib{wrapper}
+{
+    if (ms_instantiated)
+    {
+        throw std::runtime_error("there is another RPM instance already created");
+    }
+
+    if (m_rpmlib->rpmReadConfigFiles(nullptr, nullptr))
+    {
+        throw std::runtime_error("rpmReadConfigFiles failed");
+    }
+
+    ms_instantiated = true;
+}
+
+RpmPackageManager::~RpmPackageManager()
+{
+    m_rpmlib->rpmFreeRpmrc();
+    ms_instantiated = false;
+}
+
+std::string RpmPackageManager::Iterator::getAttribute(rpmTag tag) const
+{
+    std::string retval;
+
+    if (m_rpmlib->headerGet(m_header, tag, m_dataContainer, HEADERGET_DEFAULT))
+    {
+        auto cstr {m_rpmlib->rpmtdGetString(m_dataContainer)};
+
+        if (cstr)
+        {
+            retval = cstr;
+        }
+    }
+
+    return retval;
+}
+
+uint64_t RpmPackageManager::Iterator::getAttributeNumber(rpmTag tag) const
+{
+    uint64_t retval {};
+
+    if (m_rpmlib->headerGet(m_header, tag, m_dataContainer, HEADERGET_DEFAULT))
+    {
+        retval = m_rpmlib->rpmtdGetNumber(m_dataContainer);
+    }
+
+    return retval;
+}
+
+const RpmPackageManager::Iterator RpmPackageManager::END_ITERATOR{};
+
+RpmPackageManager::Iterator::Iterator()
+    : m_end{true}
+{
+
+}
+
+RpmPackageManager::Iterator::Iterator(std::shared_ptr<IRpmLibWrapper>& rpmlib)
+    : m_end{false},
+      m_rpmlib{rpmlib},
+      m_transactionSet{rpmlib->rpmtsCreate()}
+{
+    if (!m_transactionSet)
+    {
+        throw std::runtime_error("rpmtsCreate failed");
+    }
+
+    if (rpmlib->rpmtsOpenDB(m_transactionSet, O_RDONLY))
+    {
+        m_rpmlib->rpmtsFree(m_transactionSet);
+        throw std::runtime_error("rpmtsOpenDB failed");
+    }
+
+    if (rpmlib->rpmtsRun(m_transactionSet, nullptr, 0))
+    {
+        m_rpmlib->rpmtsCloseDB(m_transactionSet);
+        m_rpmlib->rpmtsFree(m_transactionSet);
+        throw std::runtime_error("rpmtsRun failed");
+    }
+
+    m_dataContainer = rpmlib->rpmtdNew();
+
+    if (!m_dataContainer)
+    {
+        m_rpmlib->rpmtsCloseDB(m_transactionSet);
+        m_rpmlib->rpmtsFree(m_transactionSet);
+        throw std::runtime_error("rpmtdNew failed");
+    }
+
+    m_matches = rpmlib->rpmtsInitIterator(m_transactionSet, RPMTAG_NAME, nullptr, 0);
+
+    if (!m_matches)
+    {
+        m_rpmlib->rpmtdFree(m_dataContainer);
+        m_rpmlib->rpmtsCloseDB(m_transactionSet);
+        m_rpmlib->rpmtsFree(m_transactionSet);
+        throw std::runtime_error("rpmtsInitIterator failed");
+    }
+
+    // Prepare for first call to dereference (*) operator.
+    ++(*this);
+}
+
+RpmPackageManager::Iterator::~Iterator()
+{
+    if (m_transactionSet)
+    {
+        m_rpmlib->rpmtsCloseDB(m_transactionSet);
+        m_rpmlib->rpmtsFree(m_transactionSet);
+    }
+
+    if (m_dataContainer)
+    {
+        m_rpmlib->rpmtdFree(m_dataContainer);
+    }
+
+    if (m_matches)
+    {
+        m_rpmlib->rpmdbFreeIterator(m_matches);
+    }
+}
+
+void RpmPackageManager::Iterator::operator++()
+{
+    m_header = m_rpmlib->rpmdbNextIterator(m_matches);
+
+    if (!m_header)
+    {
+        m_end = true;
+    }
+}
+
+RpmPackageManager::Package RpmPackageManager::Iterator::operator*()
+{
+    Package p;
+    p.name = getAttribute(RPMTAG_NAME);
+    p.version = getAttribute(RPMTAG_VERSION);
+    p.release = getAttribute(RPMTAG_RELEASE);
+    p.epoch = getAttributeNumber(RPMTAG_EPOCH);
+    p.summary = getAttribute(RPMTAG_SUMMARY);
+    p.installTime = std::to_string(getAttributeNumber(RPMTAG_INSTALLTIME));
+    p.size = getAttributeNumber(RPMTAG_SIZE);
+    p.vendor = getAttribute(RPMTAG_VENDOR);
+    p.group = getAttribute(RPMTAG_GROUP);
+    p.source = getAttribute(RPMTAG_SOURCE);
+    p.architecture = getAttribute(RPMTAG_ARCH);
+    p.description = getAttribute(RPMTAG_DESCRIPTION);
+    return p;
+}
diff --git a/src/common/data_provider/src/packages/rpmPackageManager.h b/src/common/data_provider/src/packages/rpmPackageManager.h
new file mode 100644
index 0000000000..94387886bd
--- /dev/null
+++ b/src/common/data_provider/src/packages/rpmPackageManager.h
@@ -0,0 +1,88 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef _RPM_PACKAGE_MANAGER_H
+#define _RPM_PACKAGE_MANAGER_H
+
+#include <string>
+#include <vector>
+#include <memory>
+
+#include <rpm/header.h>
+#include <rpm/rpmdb.h>
+#include <rpm/rpmlib.h>
+#include <rpm/rpmts.h>
+
+#include "rpmlibWrapper.h"
+
+// Provides an iterable abstraction for retrieving installed RPM packages.
+class RpmPackageManager final
+{
+    public:
+        explicit RpmPackageManager(std::shared_ptr<IRpmLibWrapper>&& wrapper);
+        // LCOV_EXCL_START
+        ~RpmPackageManager();
+        // LCOV_EXCL_STOP
+        struct Package
+        {
+            std::string name;
+            std::string version;
+            std::string release;
+            uint64_t epoch = 0;
+            std::string summary;
+            std::string installTime;
+            uint64_t size = 0;
+            std::string vendor;
+            std::string group;
+            std::string source;
+            std::string architecture;
+            std::string description;
+        };
+
+        struct Iterator final
+        {
+                bool operator!=(const Iterator& other)
+                {
+                    return m_end != other.m_end;
+                };
+                void operator++();
+                Package operator*();
+                ~Iterator();
+            private:
+                // Used for end iterator
+                Iterator();
+                // Used for regular iterator
+                Iterator(std::shared_ptr<IRpmLibWrapper>& rpmlib);
+                std::string getAttribute(rpmTag tag) const;
+                uint64_t getAttributeNumber(rpmTag tag) const;
+                bool m_end = false;
+                std::shared_ptr<IRpmLibWrapper> m_rpmlib;
+                rpmts m_transactionSet = nullptr;
+                rpmdbMatchIterator m_matches = nullptr;
+                rpmtd m_dataContainer = nullptr;
+                Header m_header = nullptr;
+                friend class RpmPackageManager;
+        };
+        static const Iterator END_ITERATOR;
+        Iterator begin()
+        {
+            return Iterator{m_rpmlib};
+        }
+        const Iterator& end() const
+        {
+            return END_ITERATOR;
+        }
+    private:
+        static bool ms_instantiated;
+        std::shared_ptr<IRpmLibWrapper> m_rpmlib;
+};
+
+#endif // _RPM_PACKAGE_MANAGER_H
diff --git a/src/common/data_provider/src/packages/rpmlib.h b/src/common/data_provider/src/packages/rpmlib.h
new file mode 100644
index 0000000000..30406809db
--- /dev/null
+++ b/src/common/data_provider/src/packages/rpmlib.h
@@ -0,0 +1,95 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "rpmlibWrapper.h"
+
+#ifndef _RPMLIB_H
+#define _RPMLIB_H
+
+class RpmLib final : public IRpmLibWrapper
+{
+    public:
+        int rpmReadConfigFiles(const char* file, const char* target) override
+        {
+            return ::rpmReadConfigFiles(file, target);
+        }
+
+        void rpmFreeRpmrc() override
+        {
+            ::rpmFreeRpmrc();
+        }
+
+        rpmtd rpmtdNew() override
+        {
+            return ::rpmtdNew();
+        }
+
+        void rpmtdFree(rpmtd td) override
+        {
+            ::rpmtdFree(td);
+        }
+
+        rpmts rpmtsCreate() override
+        {
+            return ::rpmtsCreate();
+        }
+
+        int rpmtsOpenDB(rpmts ts, int dbmode) override
+        {
+            return ::rpmtsOpenDB(ts, dbmode);
+        }
+
+        int rpmtsCloseDB(rpmts ts) override
+        {
+            return ::rpmtsCloseDB(ts);
+        }
+
+        rpmts rpmtsFree(rpmts ts) override
+        {
+            return ::rpmtsFree(ts);
+        }
+
+        int headerGet(Header h, rpmTagVal tag, rpmtd td, headerGetFlags flags) override
+        {
+            return ::headerGet(h, tag, td, flags);
+        }
+
+        const char* rpmtdGetString(rpmtd td) override
+        {
+            return ::rpmtdGetString(td);
+        }
+
+        uint64_t rpmtdGetNumber(rpmtd td) override
+        {
+            return ::rpmtdGetNumber(td);
+        }
+
+        int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet) override
+        {
+            return ::rpmtsRun(ts, okProbs, ignoreSet);
+        }
+
+        rpmdbMatchIterator rpmtsInitIterator(const rpmts ts, rpmDbiTagVal rpmtag, const void* keypointer, size_t keylen) override
+        {
+            return ::rpmtsInitIterator(ts, rpmtag, keypointer, keylen);
+        }
+
+        Header rpmdbNextIterator(rpmdbMatchIterator mi) override
+        {
+            return ::rpmdbNextIterator(mi);
+        }
+
+        rpmdbMatchIterator rpmdbFreeIterator(rpmdbMatchIterator mi) override
+        {
+            return ::rpmdbFreeIterator(mi);
+        }
+};
+#endif //_RPMLIB_H
diff --git a/src/common/data_provider/src/packages/rpmlibWrapper.h b/src/common/data_provider/src/packages/rpmlibWrapper.h
new file mode 100644
index 0000000000..7a5337e298
--- /dev/null
+++ b/src/common/data_provider/src/packages/rpmlibWrapper.h
@@ -0,0 +1,43 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef _RPMLIB_WRAPPER_H
+#define _RPMLIB_WRAPPER_H
+
+#include <rpm/header.h>
+#include <rpm/rpmdb.h>
+#include <rpm/rpmlib.h>
+#include <rpm/rpmts.h>
+
+class IRpmLibWrapper
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IRpmLibWrapper() = default;
+        // LCOV_EXCL_STOP
+        virtual int rpmReadConfigFiles(const char* file, const char* target) = 0;
+        virtual void rpmFreeRpmrc() = 0;
+        virtual rpmtd rpmtdNew() = 0;
+        virtual void rpmtdFree(rpmtd td) = 0;
+        virtual rpmts rpmtsCreate() = 0;
+        virtual int rpmtsOpenDB(rpmts ts, int dbmode) = 0;
+        virtual int rpmtsCloseDB(rpmts ts) = 0;
+        virtual rpmts rpmtsFree(rpmts ts) = 0;
+        virtual int headerGet(Header h, rpmTagVal tag, rpmtd td, headerGetFlags flags) = 0;
+        virtual const char* rpmtdGetString(rpmtd td) = 0;
+        virtual uint64_t rpmtdGetNumber(rpmtd td) = 0;
+        virtual int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet) = 0;
+        virtual rpmdbMatchIterator rpmtsInitIterator(const rpmts ts, rpmDbiTagVal rpmtag, const void* keypointer, size_t keylen) = 0;
+        virtual Header rpmdbNextIterator(rpmdbMatchIterator mi) = 0;
+        virtual rpmdbMatchIterator rpmdbFreeIterator(rpmdbMatchIterator mi) = 0;
+};
+
+#endif // _RPMLIB_WRAPPER_H
diff --git a/src/common/data_provider/src/packages/solarisWrapper.h b/src/common/data_provider/src/packages/solarisWrapper.h
new file mode 100644
index 0000000000..7dde0958a2
--- /dev/null
+++ b/src/common/data_provider/src/packages/solarisWrapper.h
@@ -0,0 +1,244 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SOLARIS_WRAPPER_H
+#define _SOLARIS_WRAPPER_H
+
+#include <fstream>
+#include <map>
+#include <regex>
+
+#include "ipackageWrapper.h"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+
+constexpr auto NAME_FILE_INFO   { "pkginfo" };
+constexpr auto NAME_FIELD       { "PKG" };
+constexpr auto ARCH_FIELD       { "ARCH" };
+constexpr auto VERSION_FIELD    { "VERSION" };
+constexpr auto GROUPS_FIELD     { "CATEGORY" };
+constexpr auto DESC_FIELD       { "NAME" };
+constexpr auto LOCATION_FIELD   { "SUNW_PKG_DIR" };
+constexpr auto VENDOR_FIELD     { "VENDOR" };
+constexpr auto INSTALL_TIME_FIELD { "INSTDATE" };
+
+// Date format is Oct 06 2015 08:51
+enum DateFormat
+{
+    MONTH_INDEX,
+    DAY_INDEX,
+    YEAR_INDEX,
+    TIME_INDEX,
+    DATE_FORMAT_SIZE
+};
+
+// VERSION=1.2.3,REVISION=1234
+enum VersionFields
+{
+    VERSION_VALUE_INDEX,
+    REVISION_KEY_VALUE_INDEX
+};
+
+static const std::map<std::string, std::string> MONTH =
+{
+    {"Jan", "01"},
+    {"Feb", "02"},
+    {"Mar", "03"},
+    {"Apr", "04"},
+    {"May", "05"},
+    {"Jun", "06"},
+    {"Jul", "07"},
+    {"Aug", "08"},
+    {"Sep", "09"},
+    {"Oct", "10"},
+    {"Nov", "11"},
+    {"Dec", "12"}
+};
+
+class SolarisWrapper final : public IPackageWrapper
+{
+    public:
+        SolarisWrapper(const std::string& pkgDirectory)
+            : m_format{"pkg"}
+        {
+            getPkgData(pkgDirectory);
+        }
+
+        ~SolarisWrapper() = default;
+
+
+        std::string name() const override
+        {
+            std::string name;
+            auto it {m_data.find(NAME_FIELD)};
+
+            if (it != m_data.end())
+            {
+                constexpr auto VENDOR_NAME_PKG_PATTERN  { "^[A-Z+-]{1,4}" };
+                std::regex namePkgRegex { VENDOR_NAME_PKG_PATTERN };
+                std::smatch match;
+                name = it->second;
+
+                if (std::regex_search(name, match, namePkgRegex))
+                {
+                    name = match.suffix();
+                }
+            }
+
+            return name;
+        }
+
+        std::string version() const override
+        {
+            std::string version;
+            auto it {m_data.find(VERSION_FIELD)};
+
+            if (it != m_data.end())
+            {
+                version = it->second;
+                const auto fields { Utils::split(version, ',') };
+
+                if (fields.size() > 1)
+                {
+                    version = fields.at(VERSION_VALUE_INDEX);
+                }
+            }
+
+            return version;
+        }
+
+        std::string groups() const override
+        {
+            auto it {m_data.find(GROUPS_FIELD)};
+
+            return it != m_data.end() ? it->second : UNKNOWN_VALUE;
+        }
+
+        std::string description() const override
+        {
+            auto it {m_data.find(DESC_FIELD)};
+
+            return it != m_data.end() ? it->second : UNKNOWN_VALUE;
+        }
+
+        std::string architecture() const override
+        {
+            auto it {m_data.find(ARCH_FIELD)};
+
+            return it != m_data.end() ? it->second : UNKNOWN_VALUE;
+        }
+
+        std::string format() const override
+        {
+            return m_format;
+        }
+
+        std::string osPatch() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string source() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        std::string location() const override
+        {
+            std::string retVal {UNKNOWN_VALUE};
+            auto it {m_data.find(LOCATION_FIELD)};
+
+            if (it != m_data.end() && !it->second.empty())
+            {
+                retVal = it->second;
+            }
+
+            return retVal;
+        }
+
+        std::string priority() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        int size() const override
+        {
+            return 0;
+        }
+
+        std::string vendor() const override
+        {
+            auto it {m_data.find(VENDOR_FIELD)};
+
+            return it != m_data.end() ? it->second : UNKNOWN_VALUE;
+        }
+
+        std::string install_time() const override
+        {
+            std::stringstream installTime;
+            auto it { m_data.find(INSTALL_TIME_FIELD) };
+
+            if (it != m_data.end())
+            {
+                const  auto fields { Utils::split(it->second, ' ') };
+
+                try
+                {
+                    installTime << std::setw(4) << std::setfill('0') << fields.at(YEAR_INDEX);
+                    installTime << '/' << std::setw(2) << std::setfill('0') << MONTH.at(fields.at(MONTH_INDEX));
+                    installTime << '/' << std::setw(2) << std::setfill('0') << fields.at(DAY_INDEX);
+                    installTime << ' ' << fields.at(TIME_INDEX) << ":00";
+                }
+                catch (...)
+                {
+                }
+            }
+
+            return installTime.str();
+        }
+
+        std::string multiarch() const override
+        {
+            return std::string();
+        }
+
+    private:
+        std::string m_format;
+        std::map<std::string, std::string> m_data;
+
+        void getPkgData(const std::string& pkgDirectory)
+        {
+            std::fstream file { pkgDirectory + "/" + NAME_FILE_INFO, std::ios_base::in };
+            constexpr auto KEY { 0 };
+            constexpr auto VALUE { 1 };
+
+            if (file.is_open())
+            {
+                std::string line;
+
+                while (file.good())
+                {
+                    std::getline(file, line);
+                    // Convert 'line' to UTF-8
+                    Utils::ISO8859ToUTF8(line);
+                    const auto fields { Utils::split(line, '=') };
+
+                    if (fields.size() > 1)
+                    {
+                        m_data[fields.at(KEY)] = fields.at(VALUE);
+                    }
+
+                }
+            }
+        }
+};
+
+#endif // _SOLARIS_WRAPPER_H
diff --git a/src/common/data_provider/src/ports/iportInterface.h b/src/common/data_provider/src/ports/iportInterface.h
new file mode 100644
index 0000000000..5d03a10fd2
--- /dev/null
+++ b/src/common/data_provider/src/ports/iportInterface.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_INTERFACE_H
+#define _PORT_INTERFACE_H
+
+#include <memory>
+#include "json.hpp"
+
+class IOSPort
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IOSPort() = default;
+        // LCOV_EXCL_STOP
+        virtual void buildPortData(nlohmann::json& port) = 0;
+};
+
+#endif // _PORT_INTERFACE_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/ports/iportWrapper.h b/src/common/data_provider/src/ports/iportWrapper.h
new file mode 100644
index 0000000000..4e47fda98d
--- /dev/null
+++ b/src/common/data_provider/src/ports/iportWrapper.h
@@ -0,0 +1,50 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_WRAPPER_H
+#define _PORT_WRAPPER_H
+#include "iportInterface.h"
+
+enum LinuxPortsFieldsData
+{
+    ENTRY,
+    LOCAL_ADDRESS,
+    REMOTE_ADDRESS,
+    STATE,
+    QUEUE,
+    TIMER_ACTIVE,
+    RETRANSMITION,
+    UID,
+    TIMEOUT,
+    INODE,
+    SIZE_LINUX_PORT_FIELDS
+};
+
+
+class IPortWrapper
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IPortWrapper() = default;
+        // LCOV_EXCL_STOP
+        virtual std::string protocol() const = 0;
+        virtual std::string localIp() const = 0;
+        virtual int32_t localPort() const = 0;
+        virtual std::string remoteIP() const = 0;
+        virtual int32_t remotePort() const = 0;
+        virtual int32_t txQueue() const = 0;
+        virtual int32_t rxQueue() const = 0;
+        virtual int64_t inode() const = 0;
+        virtual std::string state() const = 0;
+        virtual int32_t pid() const = 0;
+        virtual std::string processName() const = 0;
+};
+#endif // _PORT_WRAPPER_H
diff --git a/src/common/data_provider/src/ports/portBSDWrapper.h b/src/common/data_provider/src/ports/portBSDWrapper.h
new file mode 100644
index 0000000000..a595702332
--- /dev/null
+++ b/src/common/data_provider/src/ports/portBSDWrapper.h
@@ -0,0 +1,177 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_BSD_WRAPPER_H
+#define _PORT_BSD_WRAPPER_H
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+#include "iportWrapper.h"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+
+static const std::map<int32_t, std::string> PORTS_TYPE =
+{
+    { SOCKINFO_TCP,                        "tcp"            },
+    { SOCKINFO_IN,                         "udp"            }
+};
+
+static const std::map<int32_t, std::string> STATE_TYPE =
+{
+    { TSI_S_ESTABLISHED,                     "established"    },
+    { TSI_S_SYN_SENT,                        "syn_sent"       },
+    { TSI_S_SYN_RECEIVED,                    "syn_recv"       },
+    { TSI_S_FIN_WAIT_1,                      "fin_wait1"      },
+    { TSI_S_FIN_WAIT_2,                      "fin_wait2"      },
+    { TSI_S_TIME_WAIT,                       "time_wait"      },
+    { TSI_S_CLOSED,                          "close"          },
+    { TSI_S__CLOSE_WAIT,                     "close_wait"     },
+    { TSI_S_LAST_ACK,                        "last_ack"       },
+    { TSI_S_LISTEN,                          "listening"      },
+    { TSI_S_CLOSING,                         "closing"        }
+};
+
+struct ProcessInfo
+{
+    int32_t pid;
+    std::string processName;
+    bool operator<(const ProcessInfo& src) const
+    {
+        return this->pid < src.pid;
+    }
+};
+
+class BSDPortWrapper final : public IPortWrapper
+{
+        ProcessInfo m_processInformation;
+        std::shared_ptr<socket_fdinfo> m_spSocketInfo;
+
+    public:
+        explicit BSDPortWrapper(const ProcessInfo& processInformation, const std::shared_ptr<socket_fdinfo>& socketInfo)
+            : m_processInformation { processInformation }
+            , m_spSocketInfo { socketInfo }
+        {
+            if (!m_spSocketInfo)
+            {
+                throw std::runtime_error {"Invalid socket FD information"};
+            }
+        };
+        ~BSDPortWrapper() = default;
+
+        std::string protocol() const override
+        {
+            std::string retVal;
+            const auto it { PORTS_TYPE.find(m_spSocketInfo->psi.soi_kind) };
+
+            if (it != PORTS_TYPE.end())
+            {
+                retVal = AF_INET6 == m_spSocketInfo->psi.soi_family ? it->second + "6" : it->second;
+            }
+
+            return  retVal;
+        }
+        std::string localIp() const override
+        {
+            char ipAddress[NI_MAXHOST] { 0 };
+
+            if (AF_INET6 == m_spSocketInfo->psi.soi_family)
+            {
+                sockaddr_in6 socketAddressIn6{};
+                socketAddressIn6.sin6_family = m_spSocketInfo->psi.soi_family;
+                socketAddressIn6.sin6_addr = static_cast<in6_addr>(m_spSocketInfo->psi.soi_proto.pri_in.insi_laddr.ina_6);
+                getnameinfo(reinterpret_cast<sockaddr*>(&socketAddressIn6), sizeof(socketAddressIn6), ipAddress, sizeof(ipAddress), nullptr, 0, NI_NUMERICHOST);
+            }
+            else if (AF_INET == m_spSocketInfo->psi.soi_family)
+            {
+                sockaddr_in socketAddressIn{};
+                socketAddressIn.sin_family = m_spSocketInfo->psi.soi_family;
+                socketAddressIn.sin_addr = static_cast<in_addr>(m_spSocketInfo->psi.soi_proto.pri_in.insi_laddr.ina_46.i46a_addr4);
+                getnameinfo(reinterpret_cast<sockaddr*>(&socketAddressIn), sizeof(socketAddressIn), ipAddress, sizeof(ipAddress), nullptr, 0, NI_NUMERICHOST);
+            }
+
+            return Utils::substrOnFirstOccurrence(ipAddress, "%");
+        }
+        int32_t localPort() const override
+        {
+            return ntohs(m_spSocketInfo->psi.soi_proto.pri_in.insi_lport);
+        }
+        std::string remoteIP() const override
+        {
+            char ipAddress[NI_MAXHOST] { 0 };
+
+            if (AF_INET6 == m_spSocketInfo->psi.soi_family)
+
+            {
+                sockaddr_in6 socketAddressIn6{};
+                socketAddressIn6.sin6_family = m_spSocketInfo->psi.soi_family;
+                socketAddressIn6.sin6_addr = static_cast<in6_addr>(m_spSocketInfo->psi.soi_proto.pri_in.insi_faddr.ina_6);
+                getnameinfo(reinterpret_cast<sockaddr*>(&socketAddressIn6), sizeof(socketAddressIn6), ipAddress, sizeof(ipAddress), nullptr, 0, NI_NUMERICHOST);
+            }
+            else if (AF_INET == m_spSocketInfo->psi.soi_family)
+            {
+                sockaddr_in socketAddressIn{};
+                socketAddressIn.sin_family = m_spSocketInfo->psi.soi_family;
+                socketAddressIn.sin_addr = static_cast<in_addr>(m_spSocketInfo->psi.soi_proto.pri_in.insi_faddr.ina_46.i46a_addr4);
+                getnameinfo(reinterpret_cast<sockaddr*>(&socketAddressIn), sizeof(socketAddressIn), ipAddress, sizeof(ipAddress), nullptr, 0, NI_NUMERICHOST);
+            }
+
+            return Utils::substrOnFirstOccurrence(ipAddress, "%");
+        }
+        int32_t remotePort() const override
+        {
+            return ntohs(m_spSocketInfo->psi.soi_proto.pri_in.insi_fport);
+        }
+        int32_t txQueue() const override
+        {
+            return 0;
+        }
+        int32_t rxQueue() const override
+        {
+            return 0;
+        }
+        int64_t inode() const override
+        {
+            return 0;
+        }
+        std::string state() const override
+        {
+            std::string retVal;
+
+            const auto itProtocol { PORTS_TYPE.find(m_spSocketInfo->psi.soi_kind) };
+
+            if (PORTS_TYPE.end() != itProtocol && SOCKINFO_TCP == itProtocol->first)
+            {
+                const auto itState { STATE_TYPE.find(m_spSocketInfo->psi.soi_proto.pri_tcp.tcpsi_state) };
+
+                if (itState != STATE_TYPE.end())
+                {
+                    retVal = itState->second;
+                }
+            }
+
+            return retVal;
+        }
+
+        int32_t pid() const override
+        {
+            return m_processInformation.pid;
+        }
+
+        std::string processName() const override
+        {
+            return m_processInformation.processName;
+        }
+
+};
+
+
+#endif //_PORT_BSD_WRAPPER_H
diff --git a/src/common/data_provider/src/ports/portImpl.h b/src/common/data_provider/src/ports/portImpl.h
new file mode 100644
index 0000000000..6f0f4afa45
--- /dev/null
+++ b/src/common/data_provider/src/ports/portImpl.h
@@ -0,0 +1,45 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_IMPL_H
+#define _PORT_IMPL_H
+
+#include "iportInterface.h"
+#include "iportWrapper.h"
+#include "sharedDefs.h"
+
+class PortImpl final : public IOSPort
+{
+    private:
+        std::shared_ptr<IPortWrapper> m_spPortRawData;
+    public:
+        explicit PortImpl(const std::shared_ptr<IPortWrapper>& portRawData)
+            : m_spPortRawData(portRawData)
+        { }
+        // LCOV_EXCL_START
+        ~PortImpl() = default;
+        // LCOV_EXCL_STOP
+        void buildPortData(nlohmann::json& port) override
+        {
+            port["protocol"] = m_spPortRawData->protocol();
+            port["local_ip"] = m_spPortRawData->localIp();
+            port["local_port"] = m_spPortRawData->localPort();
+            port["remote_ip"] = m_spPortRawData->remoteIP();
+            port["remote_port"] = m_spPortRawData->remotePort();
+            port["tx_queue"] = m_spPortRawData->txQueue();
+            port["rx_queue"] = m_spPortRawData->rxQueue();
+            port["inode"] = m_spPortRawData->inode();
+            port["state"] = m_spPortRawData->state();
+            port["pid"] = m_spPortRawData->pid();
+            port["process"] = m_spPortRawData->processName();
+        }
+};
+#endif // _PORT_IMPL_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/ports/portLinuxWrapper.h b/src/common/data_provider/src/ports/portLinuxWrapper.h
new file mode 100644
index 0000000000..772001c7f3
--- /dev/null
+++ b/src/common/data_provider/src/ports/portLinuxWrapper.h
@@ -0,0 +1,277 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_LINUX_WRAPPER_H
+#define _PORT_LINUX_WRAPPER_H
+
+#include <netinet/tcp.h>
+#include "iportWrapper.h"
+#include "sharedDefs.h"
+#include "bits/stdc++.h"
+
+constexpr int IPV6_ADDRESS_HEX_SIZE { 32 };
+
+enum AddressField
+{
+    IP,
+    PORT,
+    ADDRESS_FIELD_SIZE
+};
+
+enum QueueField
+{
+    TX,
+    RX,
+    QUEUE_FIELD_SIZE
+};
+
+static const std::map<PortType, std::string> PORTS_TYPE =
+{
+    { UDP_IPV4,                            "udp"            },
+    { UDP_IPV6,                            "udp6"           },
+    { TCP_IPV4,                            "tcp"            },
+    { TCP_IPV6,                            "tcp6"           }
+};
+
+static const std::map<PortType, Protocol> PROTOCOL_TYPE =
+{
+    { UDP_IPV4,                            UDP              },
+    { UDP_IPV6,                            UDP              },
+    { TCP_IPV4,                            TCP              },
+    { TCP_IPV6,                            TCP              }
+};
+
+static const std::map<PortType, IPVersion> IPVERSION_TYPE =
+{
+    { UDP_IPV4,                            IPV4             },
+    { UDP_IPV6,                            IPV6             },
+    { TCP_IPV4,                            IPV4             },
+    { TCP_IPV6,                            IPV6             }
+};
+
+static const std::map<int32_t, std::string> STATE_TYPE =
+{
+    { TCP_ESTABLISHED,                     "established"    },
+    { TCP_SYN_SENT,                        "syn_sent"       },
+    { TCP_SYN_RECV,                        "syn_recv"       },
+    { TCP_FIN_WAIT1,                       "fin_wait1"      },
+    { TCP_FIN_WAIT2,                       "fin_wait2"      },
+    { TCP_TIME_WAIT,                       "time_wait"      },
+    { TCP_CLOSE,                           "close"          },
+    { TCP_CLOSE_WAIT,                      "close_wait"     },
+    { TCP_LAST_ACK,                        "last_ack"       },
+    { TCP_LISTEN,                          "listening"      },
+    { TCP_CLOSING,                         "closing"        }
+};
+
+class LinuxPortWrapper final : public IPortWrapper
+{
+        std::vector<std::string> m_fields;
+        PortType m_type;
+        std::vector<std::string> m_remoteAddresses;
+        std::vector<std::string> m_localAddresses;
+        std::vector<std::string> m_queue;
+
+        static std::string IPv4Address(const std::string& hexRawAddress)
+        {
+            std::stringstream ss;
+            in_addr addr;
+            ss << std::hex << hexRawAddress;
+            ss >> addr.s_addr;
+            return Utils::NetworkHelper::IAddressToBinary(AF_INET, &addr);
+        }
+
+        static std::string IPv6Address(const std::string& hexRawAddress)
+        {
+            std::string retVal;
+
+            const auto hexAddressLength { hexRawAddress.length() };
+
+            if (hexAddressLength == IPV6_ADDRESS_HEX_SIZE)
+            {
+                in6_addr sin6 {};
+                auto index { 0l };
+
+                for (auto i = 0ull; i < hexAddressLength; i += CHAR_BIT)
+                {
+                    std::stringstream ss;
+                    ss << std::hex << hexRawAddress.substr(CHAR_BIT * index, CHAR_BIT);
+                    ss >> sin6.s6_addr32[index];
+                    ++index;
+                }
+
+                retVal =  Utils::NetworkHelper::IAddressToBinary(AF_INET6, &sin6);
+            }
+
+            return retVal;
+        }
+
+    public:
+        explicit LinuxPortWrapper(const PortType type, const std::string& row)
+            : m_fields{ Utils::split(row, ' ') }
+            , m_type { type }
+            , m_remoteAddresses { std::move(Utils::split(m_fields.at(REMOTE_ADDRESS), ':')) }
+            , m_localAddresses { std::move(Utils::split(m_fields.at(LOCAL_ADDRESS), ':')) }
+            , m_queue { std::move(Utils::split(m_fields.at(QUEUE), ':')) }
+        { }
+
+        ~LinuxPortWrapper() = default;
+        std::string protocol() const override
+        {
+            std::string retVal;
+
+            const auto it { PORTS_TYPE.find(m_type) };
+
+            if (PORTS_TYPE.end() != it)
+            {
+                retVal = it->second;
+            }
+
+            return retVal;
+        }
+
+        std::string localIp() const override
+        {
+            std::string retVal;
+
+            if (m_localAddresses.size() == AddressField::ADDRESS_FIELD_SIZE)
+            {
+                if (IPVERSION_TYPE.at(m_type) == IPV4)
+                {
+                    retVal = IPv4Address(m_localAddresses.at(AddressField::IP));
+                }
+                else if (IPVERSION_TYPE.at(m_type) == IPV6)
+                {
+                    retVal = IPv6Address(m_localAddresses.at(AddressField::IP));
+                }
+            }
+
+            return retVal;
+        }
+        int32_t localPort() const override
+        {
+            int32_t retVal { -1 };
+
+            if (m_localAddresses.size() == AddressField::ADDRESS_FIELD_SIZE)
+            {
+                std::stringstream ss;
+                ss << std::hex << m_localAddresses.at(AddressField::PORT);
+                ss >> retVal;
+            }
+
+            return retVal;
+        }
+        std::string remoteIP() const override
+        {
+            std::string retVal;
+
+            if (m_remoteAddresses.size() == AddressField::ADDRESS_FIELD_SIZE)
+            {
+                if (IPVERSION_TYPE.at(m_type) == IPV4)
+                {
+                    retVal = IPv4Address(m_remoteAddresses.at(AddressField::IP));
+                }
+                else if (IPVERSION_TYPE.at(m_type) == IPV6)
+                {
+                    retVal = IPv6Address(m_remoteAddresses.at(AddressField::IP));
+                }
+            }
+
+            return retVal;
+        }
+        int32_t remotePort() const override
+        {
+            int32_t retVal { -1 };
+
+            if (m_remoteAddresses.size() == AddressField::ADDRESS_FIELD_SIZE)
+            {
+                std::stringstream ss;
+                ss << std::hex << m_remoteAddresses.at(AddressField::PORT);
+                ss >> retVal;
+            }
+
+            return retVal;
+        }
+        int32_t txQueue() const override
+        {
+            int32_t retVal { -1 };
+
+            if (m_queue.size() == QueueField::QUEUE_FIELD_SIZE)
+            {
+                std::stringstream ss;
+                ss << std::hex << m_queue.at(QueueField::TX);
+                ss >> retVal;
+            }
+
+            return retVal;
+        }
+        int32_t rxQueue() const override
+        {
+            int32_t retVal { -1 };
+
+            if (m_queue.size() == QueueField::QUEUE_FIELD_SIZE)
+            {
+                std::stringstream ss;
+                ss << std::hex << m_queue.at(QueueField::RX);
+                ss >> retVal;
+            }
+
+            return retVal;
+        }
+        int64_t inode() const override
+        {
+            int64_t retVal { -1 };
+
+            try
+            {
+                retVal = static_cast<int64_t>(std::stoll(m_fields.at(INODE)));
+            }
+            catch (...)
+            {}
+
+            return retVal;
+        }
+        std::string state() const override
+        {
+            std::string retVal;
+            const auto it { PROTOCOL_TYPE.find(m_type) };
+
+            if (PROTOCOL_TYPE.end() != it && TCP == it->second)
+            {
+                std::stringstream ss;
+                int32_t state { 0 };
+                ss << std::hex << m_fields.at(STATE);
+                ss >> state;
+
+                const auto itState { STATE_TYPE.find(state) };
+
+                if (STATE_TYPE.end() != itState)
+                {
+                    retVal = itState->second;
+                }
+            }
+
+            return retVal;
+        }
+
+        std::string processName() const override
+        {
+            return UNKNOWN_VALUE;
+        }
+
+        int32_t pid() const override
+        {
+            return {};
+        }
+};
+
+
+#endif //_PORT_LINUX_WRAPPER_H
\ No newline at end of file
diff --git a/src/common/data_provider/src/ports/portWindowsWrapper.h b/src/common/data_provider/src/ports/portWindowsWrapper.h
new file mode 100644
index 0000000000..d8d95b6b6c
--- /dev/null
+++ b/src/common/data_provider/src/ports/portWindowsWrapper.h
@@ -0,0 +1,190 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PORT_WINDOWS_WRAPPER_H
+#define _PORT_WINDOWS_WRAPPER_H
+#include <ws2ipdef.h>
+#include "iportWrapper.h"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include "windowsHelper.h"
+
+static const std::map<int32_t, std::string> STATE_TYPE =
+{
+    { MIB_TCP_STATE_ESTAB,                 "established"    },
+    { MIB_TCP_STATE_SYN_SENT,              "syn_sent"       },
+    { MIB_TCP_STATE_SYN_RCVD,              "syn_recv"       },
+    { MIB_TCP_STATE_FIN_WAIT1,             "fin_wait1"      },
+    { MIB_TCP_STATE_FIN_WAIT2,             "fin_wait2"      },
+    { MIB_TCP_STATE_TIME_WAIT,             "time_wait"      },
+    { MIB_TCP_STATE_CLOSED,                "close"          },
+    { MIB_TCP_STATE_CLOSE_WAIT,            "close_wait"     },
+    { MIB_TCP_STATE_LAST_ACK,              "last_ack"       },
+    { MIB_TCP_STATE_LISTEN,                "listening"      },
+    { MIB_TCP_STATE_CLOSING,               "closing"        },
+    { MIB_TCP_STATE_DELETE_TCB,            "delete_tcp"     }
+};
+
+static const std::map<pid_t, std::string> SYSTEM_PROCESSES =
+{
+    { 0,                                   "System Idle Process"   },
+    { 4,                                   "System"                },
+};
+
+struct PortTables
+{
+    std::unique_ptr<MIB_TCPTABLE_OWNER_PID []> tcp;
+    std::unique_ptr<MIB_TCP6TABLE_OWNER_PID []> tcp6;
+    std::unique_ptr<MIB_UDPTABLE_OWNER_PID []> udp;
+    std::unique_ptr<MIB_UDP6TABLE_OWNER_PID []> udp6;
+};
+
+class WindowsPortWrapper final : public IPortWrapper
+{
+        const std::string m_protocol;
+        const int32_t m_localPort;
+        const std::string m_localIpAddress;
+        const int32_t m_remotePort;
+        const std::string m_remoteIpAddress;
+        const uint32_t m_state;
+        const uint32_t m_pid;
+        const std::string m_processName;
+
+        static std::string getIpV4Address(const DWORD addr)
+        {
+            in_addr ipaddress;
+            ipaddress.S_un.S_addr = addr;
+            return Utils::NetworkWindowsHelper::IAddressToString(AF_INET, ipaddress);
+        }
+
+        static std::string getProcessName(const std::map<pid_t, std::string> processDataList, const pid_t pid)
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto itSystemProcess { SYSTEM_PROCESSES.find(pid) } ;
+
+            if (SYSTEM_PROCESSES.end() != itSystemProcess)
+            {
+                retVal = itSystemProcess->second;
+            }
+            else
+            {
+                const auto itCurrentProcessList { processDataList.find(pid) } ;
+                {
+                    if (processDataList.end() != itCurrentProcessList)
+                    {
+                        retVal = itCurrentProcessList->second;
+                    }
+                }
+            }
+
+            return retVal;
+        }
+        WindowsPortWrapper() = delete;
+    public:
+        WindowsPortWrapper(const _MIB_TCPROW_OWNER_PID& data, const std::map<pid_t, std::string>& processDataList)
+            : m_protocol { "tcp" }
+            , m_localPort { ntohs(data.dwLocalPort) }
+            , m_localIpAddress { getIpV4Address(data.dwLocalAddr) }
+            , m_remotePort { ntohs(data.dwRemotePort) }
+            , m_remoteIpAddress { getIpV4Address(data.dwRemoteAddr) }
+            , m_state { data.dwState }
+            , m_pid { data.dwOwningPid }
+            , m_processName { getProcessName(processDataList, data.dwOwningPid) }
+        { }
+
+        WindowsPortWrapper(const _MIB_TCP6ROW_OWNER_PID& data, const std::map<pid_t, std::string>& processDataList)
+            : m_protocol { "tcp6" }
+            , m_localPort { ntohs(data.dwLocalPort) }
+            , m_localIpAddress { Utils::NetworkWindowsHelper::getIpV6Address(data.ucLocalAddr) }
+            , m_remotePort { ntohs(data.dwRemotePort) }
+            , m_remoteIpAddress { Utils::NetworkWindowsHelper::getIpV6Address(data.ucRemoteAddr) }
+            , m_state { data.dwState }
+            , m_pid { data.dwOwningPid }
+            , m_processName { getProcessName(processDataList, data.dwOwningPid) }
+        { }
+
+        WindowsPortWrapper(const _MIB_UDPROW_OWNER_PID& data, const std::map<pid_t, std::string>& processDataList)
+            : m_protocol { "udp" }
+            , m_localPort { ntohs(data.dwLocalPort) }
+            , m_localIpAddress { getIpV4Address(data.dwLocalAddr) }
+            , m_remotePort { 0 }
+            , m_state { 0 }
+            , m_pid { data.dwOwningPid }
+            , m_processName { getProcessName(processDataList, data.dwOwningPid) }
+        { }
+
+        WindowsPortWrapper(const _MIB_UDP6ROW_OWNER_PID& data, const std::map<pid_t, std::string>& processDataList)
+            : m_protocol("udp6")
+            , m_localPort { ntohs(data.dwLocalPort) }
+            , m_localIpAddress { Utils::NetworkWindowsHelper::getIpV6Address(data.ucLocalAddr) }
+            , m_remotePort { 0 }
+            , m_state { 0 }
+            , m_pid { data.dwOwningPid }
+            , m_processName { getProcessName(processDataList, data.dwOwningPid) }
+        { }
+
+        ~WindowsPortWrapper() = default;
+        std::string protocol() const override
+        {
+            return m_protocol;
+        }
+        std::string localIp() const override
+        {
+            return m_localIpAddress;
+        }
+        int32_t localPort() const override
+        {
+            return m_localPort;
+        }
+        std::string remoteIP() const override
+        {
+            return m_remoteIpAddress;
+        }
+        int32_t remotePort() const override
+        {
+            return m_remotePort;
+        }
+        int32_t txQueue() const override
+        {
+            return {};
+        }
+        int32_t rxQueue() const override
+        {
+            return {};
+        }
+        int64_t inode() const override
+        {
+            return {};
+        }
+        std::string state() const override
+        {
+            std::string retVal { UNKNOWN_VALUE };
+            const auto itState { STATE_TYPE.find(m_state) };
+
+            if (STATE_TYPE.end() != itState)
+            {
+                retVal = itState->second;
+            }
+
+            return retVal;
+        }
+        int32_t pid() const override
+        {
+            return m_pid;
+        }
+        std::string processName() const override
+        {
+            return Utils::EncodingWindowsHelper::stringAnsiToStringUTF8(m_processName);
+        }
+};
+
+
+#endif //_PORT_WINDOWS_WRAPPER_H
diff --git a/src/common/data_provider/src/sharedDefs.h b/src/common/data_provider/src/sharedDefs.h
new file mode 100644
index 0000000000..08f4dbe45b
--- /dev/null
+++ b/src/common/data_provider/src/sharedDefs.h
@@ -0,0 +1,137 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SHARED_DEFS_H
+#define _SHARED_DEFS_H
+
+#include <set>
+#include <string>
+
+constexpr auto WM_SYS_HW_DIR {"/sys/class/dmi/id/board_serial"};
+constexpr auto WM_SYS_CPU_DIR {"/proc/cpuinfo"};
+constexpr auto WM_SYS_CPU_FREC_DIR {"/sys/devices/system/cpu/"};
+constexpr auto WM_SYS_MEM_DIR {"/proc/meminfo"};
+constexpr auto WM_SYS_IFDATA_DIR {"/sys/class/net/"};
+constexpr auto WM_SYS_IF_FILE {"/etc/network/interfaces"};
+constexpr auto WM_SYS_IF_DIR_RH {"/etc/sysconfig/network-scripts/"};
+constexpr auto WM_SYS_IF_DIR_SUSE {"/etc/sysconfig/network/"};
+constexpr auto WM_SYS_NET_DIR {"/proc/net/" };
+constexpr auto WM_SYS_PROC_DIR {"/proc/"};
+
+constexpr auto DPKG_PATH {"/var/lib/dpkg/"};
+constexpr auto DPKG_STATUS_PATH {"/var/lib/dpkg/status"};
+
+constexpr auto RPM_PATH {"/var/lib/rpm/"};
+
+constexpr auto PACMAN_PATH {"/var/lib/pacman"};
+
+constexpr auto APK_PATH {"/lib/apk/db"};
+constexpr auto APK_DB_PATH {"/lib/apk/db/installed"};
+constexpr auto SNAP_PATH {"/var/lib/snapd"};
+
+constexpr auto UNKNOWN_VALUE {" "};
+constexpr auto MAC_ADDRESS_COUNT_SEGMENTS
+{
+    6ull
+};
+
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a)-1) | (sizeof(long) - 1))) : sizeof(long))
+
+enum OSPlatformType
+{
+    LINUX,
+    BSDBASED,
+    WINDOWS,
+    SOLARIS
+};
+
+enum LinuxType
+{
+    STANDARD,
+    LEGACY
+};
+
+enum PortType
+{
+    UDP_IPV4,
+    UDP_IPV6,
+    TCP_IPV4,
+    TCP_IPV6,
+    SIZE_PORT_TYPE
+};
+
+enum Protocol
+{
+    TCP,
+    UDP,
+    PROTOCOL_SIZE
+};
+
+enum IPVersion
+{
+    IPV4,
+    IPV6,
+    IPVERSION_SIZE
+};
+
+enum MacOsPackageTypes
+{
+    PKG,
+    BREW,
+    MACPORTS
+};
+
+enum RPMFields
+{
+    RPM_FIELDS_NAME,
+    RPM_FIELDS_ARCHITECTURE,
+    RPM_FIELDS_SUMMARY,
+    RPM_FIELDS_PACKAGE_SIZE,
+    RPM_FIELDS_EPOCH,
+    RPM_FIELDS_RELEASE,
+    RPM_FIELDS_VERSION,
+    RPM_FIELDS_VENDOR,
+    RPM_FIELDS_INSTALLTIME,
+    RPM_FIELDS_GROUPS,
+    RPM_FIELDS_SIZE
+};
+
+enum MacOSArchitecture
+{
+    X86_64,
+    ARM64
+};
+
+static const std::set<std::string> UNIX_PYPI_DEFAULT_BASE_DIRS
+{
+    "/usr/lib/python*/*-packages",
+    "/usr/lib64/python*/*-packages",
+    "/usr/local/lib/python*/*-packages",
+    "/home/*/.local/lib/python*/*-packages",
+    "/root/.local/lib/python*/*-packages",
+    "/opt/homebrew/lib",
+    "/Library/Python",
+    "/Library/Frameworks/Python.framework/Versions/*/lib/python*/*-packages",
+};
+
+static const std::set<std::string> UNIX_NPM_DEFAULT_BASE_DIRS
+{
+    "/usr/local/lib",
+    "/opt/homebrew/lib",
+    "/usr/lib",
+    "/home/*/.npm-global/lib",
+    "/Users/*/.npm-global/lib",
+    "/home/*/.nvm/versions/node/v*/lib",
+    "/root/.nvm/versions/node/v*/lib",
+    "/opt/local/lib",
+};
+
+#endif //_SHARED_DEFS_H
diff --git a/src/common/data_provider/src/sysInfo.cpp b/src/common/data_provider/src/sysInfo.cpp
new file mode 100644
index 0000000000..eafa5b79e6
--- /dev/null
+++ b/src/common/data_provider/src/sysInfo.cpp
@@ -0,0 +1,291 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfo.hpp"
+#include "sysInfo.h"
+#include "cjsonSmartDeleter.hpp"
+
+nlohmann::json SysInfo::hardware()
+{
+    return getHardware();
+}
+
+nlohmann::json SysInfo::packages()
+{
+    return getPackages();
+}
+
+nlohmann::json SysInfo::os()
+{
+    return getOsInfo();
+}
+
+nlohmann::json SysInfo::processes()
+{
+    return getProcessesInfo();
+}
+
+nlohmann::json SysInfo::networks()
+{
+    return getNetworks();
+}
+
+nlohmann::json SysInfo::ports()
+{
+    return getPorts();
+}
+
+void SysInfo::processes(std::function<void(nlohmann::json&)> callback)
+{
+    getProcessesInfo(callback);
+}
+
+void SysInfo::packages(std::function<void(nlohmann::json&)> callback)
+{
+    getPackages(callback);
+}
+
+nlohmann::json SysInfo::hotfixes()
+{
+    return getHotfixes();
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+int sysinfo_hardware(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& hw          {info.hardware()};
+            *js_result = cJSON_Parse(hw.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+int sysinfo_packages(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& packages    {info.packages()};
+            *js_result = cJSON_Parse(packages.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+int sysinfo_os(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& os          {info.os()};
+            *js_result = cJSON_Parse(os.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+int sysinfo_processes(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& processes   {info.processes()};
+            *js_result = cJSON_Parse(processes.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+int sysinfo_networks(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& networks    {info.networks()};
+            *js_result = cJSON_Parse(networks.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+int sysinfo_ports(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& ports       {info.ports()};
+            *js_result = cJSON_Parse(ports.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+void sysinfo_free_result(cJSON** js_data)
+{
+    if (*js_data)
+    {
+        cJSON_Delete(*js_data);
+    }
+}
+int sysinfo_packages_cb(callback_data_t callback_data)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (callback_data.callback)
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(GENERIC, spJson.get(), callback_data.user_data);
+                }
+            };
+            // LCOV_EXCL_START
+            SysInfo info;
+            // LCOV_EXCL_STOP
+            info.packages(callbackWrapper);
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+
+int sysinfo_processes_cb(callback_data_t callback_data)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (callback_data.callback)
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(GENERIC, spJson.get(), callback_data.user_data);
+                }
+            };
+            // LCOV_EXCL_START
+            SysInfo info;
+            // LCOV_EXCL_STOP
+            info.processes(callbackWrapper);
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+
+int sysinfo_hotfixes(cJSON** js_result)
+{
+    auto retVal { -1 };
+
+    try
+    {
+        if (js_result)
+        {
+            SysInfo info;
+            const auto& hotfixes       {info.hotfixes()};
+            *js_result = cJSON_Parse(hotfixes.dump().c_str());
+            retVal = 0;
+        }
+    }
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+
+    return retVal;
+}
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/common/data_provider/src/sysInfoCommonBSD.cpp b/src/common/data_provider/src/sysInfoCommonBSD.cpp
new file mode 100644
index 0000000000..80751689c8
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoCommonBSD.cpp
@@ -0,0 +1,48 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "filesystemHelper.h"
+#include "networkUnixHelper.h"
+#include "network/networkBSDWrapper.h"
+#include "network/networkFamilyDataAFactory.h"
+
+nlohmann::json SysInfo::getNetworks() const
+{
+    nlohmann::json networks;
+
+    std::unique_ptr<ifaddrs, Utils::IfAddressSmartDeleter> interfacesAddress;
+    std::map<std::string, std::vector<ifaddrs*>> networkInterfaces;
+    Utils::NetworkUnixHelper::getNetworks(interfacesAddress, networkInterfaces);
+
+    for (const auto& interface : networkInterfaces)
+    {
+        nlohmann::json ifaddr {};
+
+        for (const auto addr : interface.second)
+        {
+            const auto networkInterfacePtr { FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(std::make_shared<NetworkBSDInterface>(addr)) };
+
+            if (networkInterfacePtr)
+            {
+                networkInterfacePtr->buildNetworkData(ifaddr);
+            }
+        }
+
+        networks["iface"].push_back(ifaddr);
+    }
+
+    return networks;
+}
+
diff --git a/src/common/data_provider/src/sysInfoFreeBSD.cpp b/src/common/data_provider/src/sysInfoFreeBSD.cpp
new file mode 100644
index 0000000000..0d3a80bad0
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoFreeBSD.cpp
@@ -0,0 +1,262 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "osinfo/sysOsParsers.h"
+#include <sys/sysctl.h>
+#include <sys/vmmeter.h>
+#include <sys/utsname.h>
+#include "sharedDefs.h"
+
+static void getMemory(nlohmann::json& info)
+{
+    constexpr auto vmPageSize{"vm.stats.vm.v_page_size"};
+    constexpr auto vmTotal{"vm.vmtotal"};
+    uint64_t ram{0};
+    const std::vector<int> mib{CTL_HW, HW_PHYSMEM};
+    size_t len{sizeof(ram)};
+    auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), &ram, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading total RAM."
+        };
+    }
+
+    const auto ramTotal{ram / KByte};
+    info["ram_total"] = ramTotal;
+    u_int pageSize{0};
+    len = sizeof(pageSize);
+    ret = sysctlbyname(vmPageSize, &pageSize, &len, nullptr, 0);
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading page size."
+        };
+    }
+
+    struct vmtotal vmt {};
+
+    len = sizeof(vmt);
+
+    ret = sysctlbyname(vmTotal, &vmt, &len, nullptr, 0);
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading total memory."
+        };
+    }
+
+    const auto ramFree{(vmt.t_free * pageSize) / KByte};
+    info["ram_free"] = ramFree;
+    info["ram_usage"] = 100 - (100 * ramFree / ramTotal);
+}
+
+
+static int getCpuMHz()
+{
+    unsigned long cpuMHz{0};
+    constexpr auto clockRate{"hw.clockrate"};
+    size_t len{sizeof(cpuMHz)};
+    const auto ret{sysctlbyname(clockRate, &cpuMHz, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading cpu frequency."
+        };
+    }
+
+    return cpuMHz;
+}
+
+static std::string getSerialNumber()
+{
+    return UNKNOWN_VALUE;
+}
+
+static int getCpuCores()
+{
+    int cores{0};
+    size_t len{sizeof(cores)};
+    const std::vector<int> mib{CTL_HW, HW_NCPU};
+    const auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), &cores, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading cpu cores number."
+        };
+    }
+
+    return cores;
+}
+
+static std::string getCpuName()
+{
+    const std::vector<int> mib{CTL_HW, HW_MODEL};
+    size_t len{0};
+    auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), nullptr, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting cpu name size."
+        };
+    }
+
+    const auto spBuff{std::make_unique<char[]>(len + 1)};
+
+    if (!spBuff)
+    {
+        throw std::runtime_error
+        {
+            "Error allocating memory to read the cpu name."
+        };
+    }
+
+    ret = sysctl(const_cast<int*>(mib.data()), mib.size(), spBuff.get(), &len, nullptr, 0);
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting cpu name"
+        };
+    }
+
+    spBuff.get()[len] = 0;
+    return std::string{reinterpret_cast<const char*>(spBuff.get())};
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    nlohmann::json ret;
+    getPackages([&ret](nlohmann::json & data)
+    {
+        ret.push_back(data);
+    });
+    return ret;
+}
+
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    // Currently not supported for this OS
+    return nlohmann::json {};
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+    const auto spParser{FactorySysOsParser::create("bsd")};
+
+    if (!spParser->parseUname(Utils::exec("uname -r"), ret))
+    {
+        ret["os_name"] = "BSD";
+        ret["os_platform"] = "bsd";
+        ret["os_version"] = UNKNOWN_VALUE;
+    }
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    return ret;
+}
+
+nlohmann::json SysInfo::getPorts() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json {};
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // Currently not supported for this OS.
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> callback) const
+{
+    const auto query{Utils::exec(R"(pkg query -a "%n|%m|%v|%q|%c")")};
+
+    if (!query.empty())
+    {
+        const auto lines{Utils::split(query, '\n')};
+
+        for (const auto& line : lines)
+        {
+            const auto data{Utils::split(line, '|')};
+            nlohmann::json package;
+            package["name"] = data[0];
+            package["vendor"] = data[1];
+            package["version"] = data[2];
+            package["install_time"] = UNKNOWN_VALUE;
+            package["location"] = UNKNOWN_VALUE;
+            package["architecture"] = data[3];
+            package["groups"] = UNKNOWN_VALUE;
+            package["description"] = data[4];
+            package["size"] = 0;
+            package["priority"] = UNKNOWN_VALUE;
+            package["source"] = UNKNOWN_VALUE;
+            package["format"] = "pkg";
+            // The multiarch field won't have a default value
+
+            callback(package);
+        }
+    }
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoLinux.cpp b/src/common/data_provider/src/sysInfoLinux.cpp
new file mode 100644
index 0000000000..8a3ad10ba4
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoLinux.cpp
@@ -0,0 +1,611 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <fstream>
+#include <iostream>
+#include <regex>
+#include <sys/utsname.h>
+#include "packages/modernPackageDataRetriever.hpp"
+#include "sharedDefs.h"
+#include "stringHelper.h"
+#include "filesystemHelper.h"
+#include "cmdHelper.h"
+#include "osinfo/sysOsParsers.h"
+#include "sysInfo.hpp"
+#include "readproc.h"
+#include "networkUnixHelper.h"
+#include "networkHelper.h"
+#include "network/networkLinuxWrapper.h"
+#include "network/networkFamilyDataAFactory.h"
+#include "ports/portLinuxWrapper.h"
+#include "ports/portImpl.h"
+#include "packages/berkeleyRpmDbHelper.h"
+#include "packages/packageLinuxDataRetriever.h"
+#include "linuxInfoHelper.h"
+
+using ProcessInfo = std::unordered_map<int64_t, std::pair<int32_t, std::string>>;
+
+struct ProcTableDeleter
+{
+    void operator()(PROCTAB* proc)
+    {
+        closeproc(proc);
+    }
+    void operator()(proc_t* proc)
+    {
+        freeproc(proc);
+    }
+};
+
+using SysInfoProcessesTable = std::unique_ptr<PROCTAB, ProcTableDeleter>;
+using SysInfoProcess        = std::unique_ptr<proc_t, ProcTableDeleter>;
+
+static void parseLineAndFillMap(const std::string& line, const std::string& separator, std::map<std::string, std::string>& systemInfo)
+{
+    const auto pos{line.find(separator)};
+
+    if (pos != std::string::npos)
+    {
+        const auto key{Utils::trim(line.substr(0, pos), " \t\"")};
+        const auto value{Utils::trim(line.substr(pos + 1), " \t\"")};
+        systemInfo[key] = value;
+    }
+}
+
+static bool getSystemInfo(const std::string& fileName, const std::string& separator, std::map<std::string, std::string>& systemInfo)
+{
+    std::string info;
+    std::fstream file{fileName, std::ios_base::in};
+    const bool ret{file.is_open()};
+
+    if (ret)
+    {
+        std::string line;
+
+        while (file.good())
+        {
+            std::getline(file, line);
+            parseLineAndFillMap(line, separator, systemInfo);
+        }
+    }
+
+    return ret;
+}
+
+static nlohmann::json getProcessInfo(const SysInfoProcess& process)
+{
+    nlohmann::json jsProcessInfo{};
+    // Current process information
+    jsProcessInfo["pid"]        = std::to_string(process->tid);
+    jsProcessInfo["name"]       = process->cmd;
+    jsProcessInfo["state"]      = &process->state;
+    jsProcessInfo["ppid"]       = process->ppid;
+    jsProcessInfo["utime"]      = process->utime;
+    jsProcessInfo["stime"]      = process->stime;
+    std::string commandLine;
+    std::string commandLineArgs;
+
+    if (process->cmdline && process->cmdline[0])
+    {
+        commandLine = process->cmdline[0];
+
+        for (int idx = 1; process->cmdline[idx]; ++idx)
+        {
+            const auto cmdlineArgSize { sizeof(process->cmdline[idx]) };
+
+            if (strnlen(process->cmdline[idx], cmdlineArgSize) != 0)
+            {
+                commandLineArgs += process->cmdline[idx];
+
+                if (process->cmdline[idx + 1])
+                {
+                    commandLineArgs += " ";
+                }
+            }
+        }
+    }
+
+    jsProcessInfo["cmd"]        = commandLine;
+    jsProcessInfo["argvs"]      = commandLineArgs;
+    jsProcessInfo["euser"]      = process->euser;
+    jsProcessInfo["ruser"]      = process->ruser;
+    jsProcessInfo["suser"]      = process->suser;
+    jsProcessInfo["egroup"]     = process->egroup;
+    jsProcessInfo["rgroup"]     = process->rgroup;
+    jsProcessInfo["sgroup"]     = process->sgroup;
+    jsProcessInfo["fgroup"]     = process->fgroup;
+    jsProcessInfo["priority"]   = process->priority;
+    jsProcessInfo["nice"]       = process->nice;
+    jsProcessInfo["size"]       = process->size;
+    jsProcessInfo["vm_size"]    = process->vm_size;
+    jsProcessInfo["resident"]   = process->vm_rss;
+    jsProcessInfo["share"]      = process->share;
+    jsProcessInfo["start_time"] = Utils::timeTick2unixTime(process->start_time);
+    jsProcessInfo["pgrp"]       = process->pgrp;
+    jsProcessInfo["session"]    = process->session;
+    jsProcessInfo["tgid"]       = process->tgid;
+    jsProcessInfo["tty"]        = process->tty;
+    jsProcessInfo["processor"]  = process->processor;
+    jsProcessInfo["nlwp"]       = process->nlwp;
+    return jsProcessInfo;
+}
+
+static std::string getSerialNumber()
+{
+    std::string serial;
+    std::fstream file{WM_SYS_HW_DIR, std::ios_base::in};
+
+    if (file.is_open())
+    {
+        file >> serial;
+    }
+    else
+    {
+        serial = UNKNOWN_VALUE;
+    }
+
+    return serial;
+}
+
+static std::string getCpuName()
+{
+    std::string retVal { UNKNOWN_VALUE };
+    std::map<std::string, std::string> systemInfo;
+    getSystemInfo(WM_SYS_CPU_DIR, ":", systemInfo);
+    const auto& it { systemInfo.find("model name") };
+
+    if (it != systemInfo.end())
+    {
+        retVal = it->second;
+    }
+
+    return retVal;
+}
+
+static int getCpuCores()
+{
+    int retVal { 0 };
+    std::map<std::string, std::string> systemInfo;
+    getSystemInfo(WM_SYS_CPU_DIR, ":", systemInfo);
+    const auto& it { systemInfo.find("processor") };
+
+    if (it != systemInfo.end())
+    {
+        retVal = std::stoi(it->second) + 1;
+    }
+
+    return retVal;
+}
+
+static int getCpuMHz()
+{
+    int retVal { 0 };
+    std::map<std::string, std::string> systemInfo;
+    getSystemInfo(WM_SYS_CPU_DIR, ":", systemInfo);
+
+    const auto& it { systemInfo.find("cpu MHz") };
+
+    if (it != systemInfo.end())
+    {
+        retVal = std::stoi(it->second) + 1;
+    }
+    else
+    {
+        int cpuFreq { 0 };
+        const auto cpusInfo { Utils::enumerateDir(WM_SYS_CPU_FREC_DIR) };
+        constexpr auto CPU_FREQ_DIRNAME_PATTERN {"cpu[0-9]+"};
+        const std::regex cpuDirectoryRegex {CPU_FREQ_DIRNAME_PATTERN};
+
+        for (const auto& cpu : cpusInfo)
+        {
+            if (std::regex_match(cpu, cpuDirectoryRegex))
+            {
+                std::fstream file{WM_SYS_CPU_FREC_DIR + cpu + "/cpufreq/cpuinfo_max_freq", std::ios_base::in};
+
+                if (file.is_open())
+                {
+                    std::string frequency;
+                    std::getline(file, frequency);
+
+                    try
+                    {
+                        cpuFreq = std::stoi(frequency);  // Frequency on KHz
+
+                        if (cpuFreq > retVal)
+                        {
+                            retVal = cpuFreq;
+                        }
+                    }
+                    catch (...)
+                    {
+                    }
+                }
+            }
+        }
+
+        retVal /= 1000;  // Convert frequency from KHz to MHz
+    }
+
+    return retVal;
+}
+
+static void getMemory(nlohmann::json& info)
+{
+    std::map<std::string, std::string> systemInfo;
+    getSystemInfo(WM_SYS_MEM_DIR, ":", systemInfo);
+
+    auto memTotal{ 1ull };
+    auto memFree{ 0ull };
+
+    const auto& itTotal { systemInfo.find("MemTotal") };
+
+    if (itTotal != systemInfo.end())
+    {
+        memTotal = std::stoull(itTotal->second);
+    }
+
+    const auto& itAvailable { systemInfo.find("MemAvailable") };
+    const auto& itFree { systemInfo.find("MemFree") };
+
+    if (itAvailable != systemInfo.end())
+    {
+        memFree = std::stoull(itAvailable->second);
+    }
+    else if (itFree != systemInfo.end())
+    {
+        memFree = std::stoull(itFree->second);
+    }
+
+    const auto ramTotal { memTotal == 0 ? 1 : memTotal };
+    info["ram_total"] = ramTotal;
+    info["ram_free"] = memFree;
+    info["ram_usage"] = 100 - (100 * memFree / ramTotal);
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    nlohmann::json packages;
+    getPackages([&packages](nlohmann::json & data)
+    {
+        packages.push_back(data);
+    });
+    return packages;
+}
+
+static bool getOsInfoFromFiles(nlohmann::json& info)
+{
+    bool ret{false};
+    const std::vector<std::string> UNIX_RELEASE_FILES{"/etc/os-release", "/usr/lib/os-release"};
+    constexpr auto CENTOS_RELEASE_FILE{"/etc/centos-release"};
+    static const std::vector<std::pair<std::string, std::string>> PLATFORMS_RELEASE_FILES
+    {
+        {"centos",      CENTOS_RELEASE_FILE     },
+        {"fedora",      "/etc/fedora-release"   },
+        {"rhel",        "/etc/redhat-release"   },
+        {"gentoo",      "/etc/gentoo-release"   },
+        {"suse",        "/etc/SuSE-release"     },
+        {"arch",        "/etc/arch-release"     },
+        {"debian",      "/etc/debian_version"   },
+        {"slackware",   "/etc/slackware-version"},
+        {"ubuntu",      "/etc/lsb-release"      },
+        {"alpine",      "/etc/alpine-release"   },
+    };
+    const auto parseFnc
+    {
+        [&info](const std::string & fileName, const std::string & platform)
+        {
+            std::fstream file{fileName, std::ios_base::in};
+
+            if (file.is_open())
+            {
+                const auto spParser{FactorySysOsParser::create(platform)};
+                return spParser->parseFile(file, info);
+            }
+
+            return false;
+        }
+    };
+
+    for (const auto& unixReleaseFile : UNIX_RELEASE_FILES)
+    {
+        ret |= parseFnc(unixReleaseFile, "unix");
+    }
+
+    if (ret)
+    {
+        ret |= parseFnc(CENTOS_RELEASE_FILE, "centos");
+    }
+    else
+    {
+        for (const auto& platform : PLATFORMS_RELEASE_FILES)
+        {
+            if (parseFnc(platform.second, platform.first))
+            {
+                ret = true;
+                break;
+            }
+        }
+    }
+
+    return ret;
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+
+    if (!getOsInfoFromFiles(ret))
+    {
+        ret["os_name"] = "Linux";
+        ret["os_platform"] = "linux";
+        ret["os_version"] = UNKNOWN_VALUE;
+    }
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    return ret;
+}
+
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    nlohmann::json jsProcessesList{};
+
+    getProcessesInfo([&jsProcessesList](nlohmann::json & processInfo)
+    {
+        // Append the current json process object to the list of processes
+        jsProcessesList.push_back(processInfo);
+    });
+
+    return jsProcessesList;
+}
+
+nlohmann::json SysInfo::getNetworks() const
+{
+    nlohmann::json networks;
+
+    std::unique_ptr<ifaddrs, Utils::IfAddressSmartDeleter> interfacesAddress;
+    std::map<std::string, std::vector<ifaddrs*>> networkInterfaces;
+    Utils::NetworkUnixHelper::getNetworks(interfacesAddress, networkInterfaces);
+
+    for (const auto& interface : networkInterfaces)
+    {
+        nlohmann::json ifaddr {};
+
+        for (auto addr : interface.second)
+        {
+            const auto networkInterfacePtr { FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(std::make_shared<NetworkLinuxInterface>(addr)) };
+
+            if (networkInterfacePtr)
+            {
+                networkInterfacePtr->buildNetworkData(ifaddr);
+            }
+        }
+
+        networks["iface"].push_back(ifaddr);
+    }
+
+    return networks;
+}
+
+
+ProcessInfo portProcessInfo(const std::string& procPath, const std::deque<int64_t>& inodes)
+{
+    ProcessInfo ret;
+    auto getProcessName = [](const std::string & filePath) -> std::string
+    {
+        // Get stat file content.
+        std::string processInfo { UNKNOWN_VALUE };
+        const std::string statContent {Utils::getFileContent(filePath)};
+
+        const auto openParenthesisPos {statContent.find("(")};
+        const auto closeParenthesisPos {statContent.find(")")};
+
+        if (openParenthesisPos != std::string::npos && closeParenthesisPos != std::string::npos)
+        {
+            processInfo = statContent.substr(openParenthesisPos + 1, closeParenthesisPos - openParenthesisPos - 1);
+        }
+
+        return processInfo;
+    };
+
+    auto findInode = [](const std::string & filePath) -> int64_t
+    {
+        constexpr size_t MAX_LENGTH {256};
+        char buffer[MAX_LENGTH];
+
+        if (-1 == readlink(filePath.c_str(), buffer, MAX_LENGTH))
+        {
+            throw std::system_error(errno, std::system_category(), "readlink");
+        }
+
+        // ret format is "socket:[<num>]".
+        const std::string bufferStr {buffer};
+        const auto openBracketPos {bufferStr.find("[")};
+        const auto closeBracketPos {bufferStr.find("]")};
+        const auto match {bufferStr.substr(openBracketPos + 1, closeBracketPos - openBracketPos - 1)};
+
+        return std::stoll(match);
+    };
+
+    if (Utils::existsDir(procPath))
+    {
+        std::vector<std::string> procFiles = Utils::enumerateDir(procPath);
+
+        // Iterate proc directory.
+        for (const auto& procFile : procFiles)
+        {
+            // Only directories that represent a PID are inspected.
+            const std::string procFilePath {procPath + "/" + procFile};
+
+            if (Utils::isNumber(procFile) && Utils::existsDir(procFilePath))
+            {
+                // Only fd directory is inspected.
+                const std::string pidFilePath {procFilePath + "/fd"};
+
+                if (Utils::existsDir(pidFilePath))
+                {
+                    std::vector<std::string> fdFiles = Utils::enumerateDir(pidFilePath);
+
+                    // Iterate fd directory.
+                    for (const auto& fdFile : fdFiles)
+                    {
+                        // Only sysmlinks that represent a socket are read.
+                        const std::string fdFilePath {pidFilePath + "/" + fdFile};
+
+                        if (!Utils::startsWith(fdFile, ".") && Utils::existsSocket(fdFilePath))
+                        {
+                            try
+                            {
+                                int64_t inode {findInode(fdFilePath)};
+
+                                if (std::any_of(inodes.cbegin(), inodes.cend(), [&](const auto it)
+                            {
+                                return it == inode;
+                            }))
+                                {
+                                    std::string statPath {procFilePath + "/" + "stat"};
+                                    std::string processName = getProcessName(statPath);
+                                    int32_t pid { std::stoi(procFile) };
+
+                                    ret.emplace(std::make_pair(inode, std::make_pair(pid, processName)));
+                                }
+                            }
+                            catch (const std::exception& e)
+                            {
+                                std::cerr << "Error: " << e.what() << std::endl;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    return ret;
+}
+
+nlohmann::json SysInfo::getPorts() const
+{
+    nlohmann::json ports;
+    std::deque<int64_t> inodes;
+
+    for (const auto& portType : PORTS_TYPE)
+    {
+        const auto fileContent { Utils::getFileContent(WM_SYS_NET_DIR + portType.second) };
+        auto rows { Utils::split(fileContent, '\n') };
+        auto fileBody { false };
+
+        for (auto& row : rows)
+        {
+            nlohmann::json port {};
+
+            try
+            {
+                if (fileBody)
+                {
+                    row = Utils::trim(row);
+                    Utils::replaceAll(row, "\t", " ");
+                    Utils::replaceAll(row, "  ", " ");
+                    std::make_unique<PortImpl>(std::make_shared<LinuxPortWrapper>(portType.first, row))->buildPortData(port);
+                    inodes.push_back(port.at("inode"));
+                    ports.push_back(std::move(port));
+                }
+
+                fileBody = true;
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << "Error while parsing port: " << e.what() << std::endl;
+            }
+        }
+    }
+
+
+    if (!inodes.empty())
+    {
+        ProcessInfo ret = portProcessInfo(WM_SYS_PROC_DIR, inodes);
+
+        for (auto& port : ports)
+        {
+            try
+            {
+                auto portInode = port.at("inode");
+
+                if (ret.find(portInode) != ret.end())
+                {
+                    std::pair<int32_t, std::string> processInfoPair = ret.at(portInode);
+                    port["pid"] = processInfoPair.first;
+                    port["process"] = processInfoPair.second;
+                }
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << "Error while parsing pid and process from ports: " << e.what() << std::endl;
+            }
+        }
+    }
+
+    return ports;
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> callback) const
+{
+
+    const SysInfoProcessesTable spProcTable
+    {
+        openproc(PROC_FILLMEM | PROC_FILLSTAT | PROC_FILLSTATUS | PROC_FILLARG | PROC_FILLGRP | PROC_FILLUSR | PROC_FILLCOM | PROC_FILLENV)
+    };
+
+    SysInfoProcess spProcInfo { readproc(spProcTable.get(), nullptr) };
+
+    while (nullptr != spProcInfo)
+    {
+        // Get process information object and push it to the caller
+        auto processInfo = getProcessInfo(spProcInfo);
+        callback(processInfo);
+        spProcInfo.reset(readproc(spProcTable.get(), nullptr));
+    }
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> callback) const
+{
+    FactoryPackagesCreator<LINUX_TYPE>::getPackages(callback);
+    std::map<std::string, std::set<std::string>> searchPaths =
+    {
+        {"PYPI", UNIX_PYPI_DEFAULT_BASE_DIRS},
+        {"NPM", UNIX_NPM_DEFAULT_BASE_DIRS}
+    };
+    ModernFactoryPackagesCreator<HAS_STDFILESYSTEM>::getPackages(searchPaths, callback);
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoMac.cpp b/src/common/data_provider/src/sysInfoMac.cpp
new file mode 100644
index 0000000000..02ef4dd0a5
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoMac.cpp
@@ -0,0 +1,460 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "filesystemHelper.h"
+#include "osinfo/sysOsParsers.h"
+#include <libproc.h>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/proc.h>
+#include <sys/proc_info.h>
+#include <sys/sysctl.h>
+#include <sys/utsname.h>
+#include "ports/portBSDWrapper.h"
+#include "ports/portImpl.h"
+#include "packages/packageFamilyDataAFactory.h"
+#include "packages/packageMac.h"
+#include "hardware/factoryHardwareFamilyCreator.h"
+#include "hardware/hardwareWrapperImplMac.h"
+#include "osPrimitivesImplMac.h"
+#include "sqliteWrapperTemp.h"
+#include "packages/modernPackageDataRetriever.hpp"
+
+const std::string MAC_APPS_PATH{"/Applications"};
+const std::string MAC_UTILITIES_PATH{"/Applications/Utilities"};
+const std::string MACPORTS_DB_NAME {"registry.db"};
+const std::string MACPORTS_QUERY {"SELECT name, version, date, location, archs FROM ports WHERE state = 'installed';"};
+constexpr auto MAC_ROSETTA_DEFAULT_ARCH {"arm64"};
+
+using ProcessTaskInfo = struct proc_taskallinfo;
+
+static const std::vector<int> s_validFDSock =
+{
+    {
+        SOCKINFO_TCP,
+        SOCKINFO_IN
+    }
+};
+
+static const std::map<std::string, int> s_mapPackagesDirectories =
+{
+    { "/Applications", PKG },
+    { "/Applications/Utilities", PKG},
+    { "/System/Applications", PKG},
+    { "/System/Applications/Utilities", PKG},
+    { "/System/Library/CoreServices", PKG},
+    { "/usr/local/Cellar", BREW},
+    { "/opt/local/var/macports/registry", MACPORTS}
+};
+
+static nlohmann::json getProcessInfo(const ProcessTaskInfo& taskInfo, const pid_t pid)
+{
+    nlohmann::json jsProcessInfo{};
+    jsProcessInfo["pid"]        = std::to_string(pid);
+    jsProcessInfo["name"]       = taskInfo.pbsd.pbi_name;
+
+    jsProcessInfo["state"]      = UNKNOWN_VALUE;
+    jsProcessInfo["ppid"]       = taskInfo.pbsd.pbi_ppid;
+
+    const auto eUser { getpwuid(taskInfo.pbsd.pbi_uid) };
+
+    if (eUser)
+    {
+        jsProcessInfo["euser"]  = eUser->pw_name;
+    }
+
+    const auto rUser { getpwuid(taskInfo.pbsd.pbi_ruid) };
+
+    if (rUser)
+    {
+        jsProcessInfo["ruser"]  = rUser->pw_name;
+    }
+
+    const auto rGroup { getgrgid(taskInfo.pbsd.pbi_rgid) };
+
+    if (rGroup)
+    {
+        jsProcessInfo["rgroup"] = rGroup->gr_name;
+    }
+
+    jsProcessInfo["priority"]   = taskInfo.ptinfo.pti_priority;
+    jsProcessInfo["nice"]       = taskInfo.pbsd.pbi_nice;
+    jsProcessInfo["vm_size"]    = taskInfo.ptinfo.pti_virtual_size / KByte;
+    jsProcessInfo["start_time"] = taskInfo.pbsd.pbi_start_tvsec;
+    return jsProcessInfo;
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    FactoryHardwareFamilyCreator<OSPlatformType::BSDBASED>::create(std::make_shared<OSHardwareWrapperMac<OsPrimitivesMac>>())->buildHardwareData(hardware);
+    return hardware;
+}
+
+static void getPackagesFromPath(const std::string& pkgDirectory, const int pkgType, std::function<void(nlohmann::json&)> callback)
+{
+    if (MACPORTS == pkgType)
+    {
+        if (Utils::existsRegular(pkgDirectory + "/" + MACPORTS_DB_NAME))
+        {
+            try
+            {
+                std::shared_ptr<SQLite::IConnection> sqliteConnection = std::make_shared<SQLite::Connection>(pkgDirectory + "/" + MACPORTS_DB_NAME);
+
+                SQLite::Statement stmt
+                {
+                    sqliteConnection,
+                    MACPORTS_QUERY
+                };
+
+                std::pair<SQLite::IStatement&, const int&> pkgContext {std::make_pair(std::ref(stmt), std::cref(pkgType))};
+
+                while (SQLITE_ROW == stmt.step())
+                {
+                    try
+                    {
+                        nlohmann::json jsPackage;
+                        FactoryPackageFamilyCreator<OSPlatformType::BSDBASED>::create(pkgContext)->buildPackageData(jsPackage);
+
+                        if (!jsPackage.at("name").get_ref<const std::string&>().empty())
+                        {
+                            // Only return valid content packages
+                            callback(jsPackage);
+                        }
+                    }
+                    catch (const std::exception& e)
+                    {
+                        std::cerr << e.what() << std::endl;
+                    }
+                }
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << e.what() << std::endl;
+            }
+        }
+    }
+    else
+    {
+        const auto packages { Utils::enumerateDir(pkgDirectory) };
+
+        for (const auto& package : packages)
+        {
+            if (PKG == pkgType)
+            {
+                if (Utils::endsWith(package, ".app"))
+                {
+                    try
+                    {
+                        nlohmann::json jsPackage;
+                        FactoryPackageFamilyCreator<OSPlatformType::BSDBASED>::create(std::make_pair(PackageContext{pkgDirectory, package, ""}, pkgType))->buildPackageData(jsPackage);
+
+                        if (!jsPackage.at("name").get_ref<const std::string&>().empty())
+                        {
+                            // Only return valid content packages
+                            callback(jsPackage);
+                        }
+                    }
+                    catch (const std::exception& e)
+                    {
+                        std::cerr << e.what() << std::endl;
+                    }
+                }
+            }
+            else if (BREW == pkgType)
+            {
+                if (!Utils::startsWith(package, "."))
+                {
+                    const auto packageVersions { Utils::enumerateDir(pkgDirectory + "/" + package) };
+
+                    for (const auto& version : packageVersions)
+                    {
+                        if (!Utils::startsWith(version, "."))
+                        {
+                            try
+                            {
+                                nlohmann::json jsPackage;
+                                FactoryPackageFamilyCreator<OSPlatformType::BSDBASED>::create(std::make_pair(PackageContext{pkgDirectory, package, version}, pkgType))->buildPackageData(jsPackage);
+
+                                if (!jsPackage.at("name").get_ref<const std::string&>().empty())
+                                {
+                                    // Only return valid content packages
+                                    callback(jsPackage);
+                                }
+                            }
+                            catch (const std::exception& e)
+                            {
+                                std::cerr << e.what() << std::endl;
+                            }
+                        }
+                    }
+                }
+            }
+
+            // else: invalid package
+        }
+    }
+
+
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    nlohmann::json jsPackages;
+    getPackages([&jsPackages](nlohmann::json & package)
+    {
+        jsPackages.push_back(package);
+    });
+    return jsPackages;
+}
+
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    nlohmann::json jsProcessesList{};
+
+    getProcessesInfo([&jsProcessesList](nlohmann::json & processInfo)
+    {
+        // Append the current json process object to the list of processes
+        jsProcessesList.push_back(processInfo);
+    });
+
+    return jsProcessesList;
+}
+
+static bool isRunningOnRosetta()
+{
+
+    /* Rosetta is a translation process that allows users to run
+     *  apps that contain x86_64 instructions on Apple silicon.
+     * The sysctl.proc_translated indicates if current process is being translated
+     *   from x86_64 to arm64 (1) or not (0).
+     * If sysctl.proc_translated flag cannot be found, the current process is
+     *  nativally running on x86_64.
+     * Ref: https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment
+    */
+    constexpr auto PROCESS_TRANSLATED {1};
+    auto retVal {false};
+    auto isTranslated{0};
+    auto len{sizeof(isTranslated)};
+    const auto result{sysctlbyname("sysctl.proc_translated", &isTranslated, &len, NULL, 0)};
+
+    if (result)
+    {
+        if (errno != ENOENT)
+        {
+            throw std::system_error
+            {
+                result,
+                std::system_category(),
+                "Error reading rosetta status."
+            };
+        }
+    }
+    else
+    {
+        retVal = PROCESS_TRANSLATED == isTranslated;
+    }
+
+    return retVal;
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+    MacOsParser parser;
+    parser.parseSwVersion(Utils::exec("sw_vers"), ret);
+    parser.parseUname(Utils::exec("uname -r"), ret);
+
+    if (!parser.parseSystemProfiler(Utils::exec("system_profiler SPSoftwareDataType"), ret))
+    {
+        ret["os_name"] = "macOS";
+    }
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    if (isRunningOnRosetta())
+    {
+        ret["architecture"] = MAC_ROSETTA_DEFAULT_ARCH;
+    }
+
+    return ret;
+}
+
+static void getProcessesSocketFD(std::map<ProcessInfo, std::vector<std::shared_ptr<socket_fdinfo>>>& processSocket)
+{
+    int32_t maxProcess { 0 };
+    auto maxProcessLen { sizeof(maxProcess) };
+
+    if (!sysctlbyname("kern.maxproc", &maxProcess, &maxProcessLen, nullptr, 0))
+    {
+        auto pids { std::make_unique<pid_t[]>(maxProcess) };
+        const auto processesCount { proc_listallpids(pids.get(), maxProcess) };
+
+        for (auto i = 0 ; i < processesCount ; ++i)
+        {
+            const auto pid { pids[i] };
+
+            proc_bsdinfo processInformation {};
+
+            if (proc_pidinfo(pid, PROC_PIDTBSDINFO, 0, &processInformation, PROC_PIDTBSDINFO_SIZE) != -1)
+            {
+                const std::string processName { processInformation.pbi_name };
+                const ProcessInfo processData { pid, processName };
+
+                const auto processFDBufferSize { proc_pidinfo(pid, PROC_PIDLISTFDS, 0, 0, 0) };
+
+                if (processFDBufferSize != -1)
+                {
+                    auto processFDInformationBuffer { std::make_unique<char[]>(processFDBufferSize) };
+
+                    if (proc_pidinfo(pid, PROC_PIDLISTFDS, 0, processFDInformationBuffer.get(), processFDBufferSize) != -1)
+                    {
+                        auto processFDInformation { reinterpret_cast<proc_fdinfo*>(processFDInformationBuffer.get())};
+
+                        for (auto j = 0ul; j < processFDBufferSize / PROC_PIDLISTFD_SIZE; ++j )
+                        {
+                            if (PROX_FDTYPE_SOCKET == processFDInformation[j].proc_fdtype)
+                            {
+                                auto socketInfo { std::make_shared<socket_fdinfo>() };
+
+                                if (PROC_PIDFDSOCKETINFO_SIZE == proc_pidfdinfo(pid, processFDInformation[j].proc_fd, PROC_PIDFDSOCKETINFO, socketInfo.get(), PROC_PIDFDSOCKETINFO_SIZE))
+                                {
+                                    if (socketInfo && std::find(s_validFDSock.begin(), s_validFDSock.end(), socketInfo->psi.soi_kind) != s_validFDSock.end())
+                                    {
+                                        processSocket[processData].push_back(socketInfo);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+nlohmann::json SysInfo::getPorts() const
+{
+    nlohmann::json ports;
+    std::map<ProcessInfo, std::vector<std::shared_ptr<socket_fdinfo>>> fdMap;
+    getProcessesSocketFD(fdMap);
+
+    for (const auto& processInfo : fdMap)
+    {
+        for (const auto& fdSocket : processInfo.second )
+        {
+            nlohmann::json port;
+            std::make_unique<PortImpl>(std::make_shared<BSDPortWrapper>(processInfo.first, fdSocket))->buildPortData(port);
+
+            const auto portFound
+            {
+                std::find_if(ports.begin(), ports.end(),
+                             [&port](const auto & element)
+                {
+                    return 0 == port.dump().compare(element.dump());
+                })
+            };
+
+            if (ports.end() == portFound)
+            {
+                ports.push_back(port);
+            }
+        }
+    }
+
+    return ports;
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> callback) const
+{
+    int32_t maxProc{};
+    size_t len { sizeof(maxProc) };
+    const auto ret { sysctlbyname("kern.maxproc", &maxProc, &len, NULL, 0) };
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading kernel max processes."
+        };
+    }
+
+    const auto spPids         { std::make_unique<pid_t[]>(maxProc) };
+    const auto processesCount { proc_listallpids(spPids.get(), maxProc) };
+
+    for (int index = 0; index < processesCount; ++index)
+    {
+        ProcessTaskInfo taskInfo{};
+        const auto pid { spPids.get()[index] };
+        const auto sizeTask
+        {
+            proc_pidinfo(pid, PROC_PIDTASKALLINFO, 0, &taskInfo, PROC_PIDTASKALLINFO_SIZE)
+        };
+
+        if (PROC_PIDTASKALLINFO_SIZE == sizeTask)
+        {
+            auto processInfo = getProcessInfo(taskInfo, pid);
+            callback(processInfo);
+        }
+    }
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> callback) const
+{
+    for (const auto& packageDirectory : s_mapPackagesDirectories)
+    {
+        const auto pkgDirectory { packageDirectory.first };
+
+        if (Utils::existsDir(pkgDirectory))
+        {
+            getPackagesFromPath(pkgDirectory, packageDirectory.second, callback);
+        }
+    }
+
+    // Add all the unix default paths
+    std::set<std::string> pypyMacOSPaths =
+    {
+        UNIX_PYPI_DEFAULT_BASE_DIRS.begin(),
+        UNIX_PYPI_DEFAULT_BASE_DIRS.end()
+    };
+
+    // Add macOS specific paths
+    pypyMacOSPaths.emplace("/Library/Python/*/*-packages");
+    pypyMacOSPaths.emplace("/Library/Frameworks/Python.framework/Versions/*/lib/python*/*-packages");
+    pypyMacOSPaths.emplace(
+        "/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/*/lib/python*/*-packages");
+    pypyMacOSPaths.emplace("/System/Library/Frameworks/Python.framework/*-packages");
+
+    static const std::map<std::string, std::set<std::string>> searchPaths =
+    {
+        {"PYPI", pypyMacOSPaths},
+        {"NPM", UNIX_NPM_DEFAULT_BASE_DIRS}
+    };
+    ModernFactoryPackagesCreator<HAS_STDFILESYSTEM>::getPackages(searchPaths, callback);
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoOpenBSD.cpp b/src/common/data_provider/src/sysInfoOpenBSD.cpp
new file mode 100644
index 0000000000..3dd8131d14
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoOpenBSD.cpp
@@ -0,0 +1,235 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "timeHelper.h"
+#include "osinfo/sysOsParsers.h"
+#include "stringHelper.h"
+#include "sharedDefs.h"
+#include <sys/sysctl.h>
+#include <sys/utsname.h>
+
+static void getMemory(nlohmann::json& info)
+{
+    uint64_t ram{0};
+    const std::vector<int> mib{CTL_HW, HW_PHYSMEM};
+    size_t len{sizeof(ram)};
+    auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), &ram, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading total RAM."
+        };
+    }
+
+    const auto ramTotal{ram / KByte};
+    info["ram_total"] = ramTotal;
+    info["ram_free"] = 0;
+    info["ram_usage"] = 0;
+}
+
+static int getCpuMHz()
+{
+    unsigned long cpuMHz{0};
+    const std::vector<int> mib{CTL_HW, HW_CPUSPEED};
+    size_t len{sizeof(cpuMHz)};
+    const auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), &cpuMHz, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading cpu frequency."
+        };
+    }
+
+    return cpuMHz;
+}
+
+static std::string getSerialNumber()
+{
+    const std::vector<int> mib{CTL_HW, HW_SERIALNO};
+    size_t len{0};
+    auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), nullptr, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting board serial size."
+        };
+    }
+
+    const auto spBuff{std::make_unique<char[]>(len + 1)};
+
+    if (!spBuff)
+    {
+        throw std::runtime_error
+        {
+            "Error allocating memory to read the board serial."
+        };
+    }
+
+    ret = sysctl(const_cast<int*>(mib.data()), mib.size(), spBuff.get(), &len, nullptr, 0);
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting board serial"
+        };
+    }
+
+    spBuff.get()[len] = 0;
+    return std::string{reinterpret_cast<const char*>(spBuff.get())};
+}
+
+static int getCpuCores()
+{
+    int cores{0};
+    size_t len{sizeof(cores)};
+    const std::vector<int> mib{CTL_HW, HW_NCPU};
+    const auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), &cores, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error reading cpu cores number."
+        };
+    }
+
+    return cores;
+}
+
+static std::string getCpuName()
+{
+    const std::vector<int> mib{CTL_HW, HW_MODEL};
+    size_t len{0};
+    auto ret{sysctl(const_cast<int*>(mib.data()), mib.size(), nullptr, &len, nullptr, 0)};
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting cpu name size."
+        };
+    }
+
+    const auto spBuff{std::make_unique<char[]>(len + 1)};
+
+    if (!spBuff)
+    {
+        throw std::runtime_error
+        {
+            "Error allocating memory to read the cpu name."
+        };
+    }
+
+    ret = sysctl(const_cast<int*>(mib.data()), mib.size(), spBuff.get(), &len, nullptr, 0);
+
+    if (ret)
+    {
+        throw std::system_error
+        {
+            ret,
+            std::system_category(),
+            "Error getting cpu name"
+        };
+    }
+
+    spBuff.get()[len] = 0;
+    return std::string{reinterpret_cast<const char*>(spBuff.get())};
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    // Currently not supported for this OS
+    return nlohmann::json {};
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    // Currently not supported for this OS
+    return nlohmann::json {};
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+    const auto spParser{FactorySysOsParser::create("bsd")};
+
+    if (!spParser->parseUname(Utils::exec("uname -r"), ret))
+    {
+        ret["os_name"] = "BSD";
+        ret["os_platform"] = "bsd";
+        ret["os_version"] = UNKNOWN_VALUE;
+    }
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    return ret;
+}
+
+nlohmann::json SysInfo::getPorts() const
+{
+    // Currently not supported for this OS
+    return nlohmann::json {};
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // Currently not supported for this OS.
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // Currently not supported for this OS.
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoSolaris.cpp b/src/common/data_provider/src/sysInfoSolaris.cpp
new file mode 100644
index 0000000000..9a104400f6
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoSolaris.cpp
@@ -0,0 +1,237 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 11, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <fstream>
+#include <sys/utsname.h>
+#include <unistd.h>
+
+#include "osinfo/sysOsParsers.h"
+#include "sharedDefs.h"
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "timeHelper.h"
+#include "filesystemHelper.h"
+#include "packages/packageSolaris.h"
+#include "packages/solarisWrapper.h"
+#include "packages/packageFamilyDataAFactory.h"
+#include "network/networkSolarisHelper.hpp"
+#include "network/networkSolarisWrapper.hpp"
+#include "network/networkFamilyDataAFactory.h"
+#include "UtilsWrapperUnix.hpp"
+#include "uniqueFD.hpp"
+
+constexpr auto SUN_APPS_PATH {"/var/sadm/pkg/"};
+
+
+static void getOsInfoFromUname(nlohmann::json& info)
+{
+    bool result{false};
+    std::string platform;
+    const auto osPlatform{Utils::exec("uname")};
+
+    constexpr auto SOLARIS_RELEASE_FILE{"/etc/release"};
+    const auto spParser{FactorySysOsParser::create("solaris")};
+    std::fstream file{SOLARIS_RELEASE_FILE, std::ios_base::in};
+    result = spParser && file.is_open() && spParser->parseFile(file, info);
+
+    if (!result)
+    {
+        info["os_name"] = "Unix";
+        info["os_platform"] = "Unix";
+        info["os_version"] = UNKNOWN_VALUE;
+    }
+}
+
+static std::string getSerialNumber()
+{
+    return UNKNOWN_VALUE;
+}
+
+static std::string getCpuName()
+{
+    return UNKNOWN_VALUE;
+}
+
+static int getCpuMHz()
+{
+    return 0;
+}
+
+static int getCpuCores()
+{
+    return 0;
+}
+
+static void getMemory(nlohmann::json& /*info*/)
+{
+
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+static void getPackagesFromPath(const std::string& pkgDirectory, std::function<void(nlohmann::json&)> callback)
+{
+    const auto packages { Utils::enumerateDir(pkgDirectory) };
+
+    for (const auto& package : packages)
+    {
+        nlohmann::json jsPackage;
+        const auto fullPath {  pkgDirectory + package };
+        const auto pkgWrapper{ std::make_shared<SolarisWrapper>(fullPath) };
+
+        FactoryPackageFamilyCreator<OSPlatformType::SOLARIS>::create(pkgWrapper)->buildPackageData(jsPackage);
+
+        if (!jsPackage.at("name").get_ref<const std::string&>().empty())
+        {
+            // Only return valid content packages
+            callback(jsPackage);
+        }
+    }
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    nlohmann::json packages;
+
+    getPackages([&packages](nlohmann::json & data)
+    {
+        packages.push_back(data);
+    });
+
+    return packages;
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+    getOsInfoFromUname(ret);
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    return ret;
+}
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    return nlohmann::json();
+}
+nlohmann::json SysInfo::getNetworks() const
+{
+    nlohmann::json networks;
+    Utils::UniqueFD socketV4 ( UtilsWrapperUnix::createSocket(AF_INET, SOCK_DGRAM, 0) );
+    Utils::UniqueFD socketV6 ( UtilsWrapperUnix::createSocket(AF_INET6, SOCK_DGRAM, 0) );
+    const auto interfaceCount { NetworkSolarisHelper::getInterfacesCount(socketV4.get(), AF_UNSPEC) };
+
+    if (interfaceCount > 0)
+    {
+        std::vector<lifreq> buffer(interfaceCount);
+        lifconf lifc =
+        {
+            AF_UNSPEC,
+            0,
+            static_cast<int>(buffer.size() * sizeof(lifreq)),
+            reinterpret_cast<caddr_t>(buffer.data())
+        };
+
+        NetworkSolarisHelper::getInterfacesConfig(socketV4.get(), lifc);
+
+        std::map<std::string, std::vector<std::pair<lifreq*, uint64_t>>> interfaces;
+
+        for (auto& item : buffer)
+        {
+            struct lifreq interfaceReq = {};
+            std::memcpy(interfaceReq.lifr_name, item.lifr_name, sizeof(item.lifr_name));
+
+            if (-1 != UtilsWrapperUnix::ioctl(AF_INET == item.lifr_addr.ss_family ? socketV4.get() : socketV6.get(),
+                                              SIOCGLIFFLAGS,
+                                              reinterpret_cast<char*>(&interfaceReq)))
+            {
+                if ((IFF_UP & interfaceReq.lifr_flags) && !(IFF_LOOPBACK & interfaceReq.lifr_flags))
+                {
+                    interfaces[item.lifr_name].push_back(std::make_pair(&item, interfaceReq.lifr_flags));
+                }
+            }
+        }
+
+        for (const auto& item : interfaces)
+        {
+            if (item.second.size())
+            {
+                const auto firstItem { item.second.front() };
+                const auto firstItemFD { AF_INET == firstItem.first->lifr_addr.ss_family ? socketV4.get() : socketV6.get() };
+
+                nlohmann::json network;
+
+                for (const auto& itemr : item.second)
+                {
+                    if (AF_INET == itemr.first->lifr_addr.ss_family)
+                    {
+                        // IPv4 data
+                        const auto wrapper { std::make_shared<NetworkSolarisInterface>(AF_INET, socketV4.get(), itemr) };
+                        FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(wrapper)->buildNetworkData(network);
+                    }
+                    else if (AF_INET6 == itemr.first->lifr_addr.ss_family)
+                    {
+                        // IPv6 data
+                        const auto wrapper { std::make_shared<NetworkSolarisInterface>(AF_INET6, socketV6.get(), itemr) };
+                        FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(wrapper)->buildNetworkData(network);
+                    }
+                }
+
+                const auto wrapper { std::make_shared<NetworkSolarisInterface>(AF_UNSPEC, firstItemFD, firstItem) };
+                FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(wrapper)->buildNetworkData(network);
+
+                networks["iface"].push_back(network);
+            }
+        }
+    }
+
+    return networks;
+}
+nlohmann::json SysInfo::getPorts() const
+{
+    return nlohmann::json();
+}
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // TODO
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> callback) const
+{
+    const auto pkgDirectory { SUN_APPS_PATH };
+
+    if (Utils::existsDir(pkgDirectory))
+    {
+        getPackagesFromPath(pkgDirectory, callback);
+    }
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoUnix.cpp b/src/common/data_provider/src/sysInfoUnix.cpp
new file mode 100644
index 0000000000..45fa2785ed
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoUnix.cpp
@@ -0,0 +1,130 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 23, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <fstream>
+#include <sys/utsname.h>
+#include "osinfo/sysOsParsers.h"
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "timeHelper.h"
+#include "sharedDefs.h"
+
+static void getOsInfoFromUname(nlohmann::json& info)
+{
+    bool result{false};
+    std::string platform;
+    const auto osPlatform{Utils::exec("uname")};
+
+    if (osPlatform.find("SunOS") != std::string::npos)
+    {
+        constexpr auto SOLARIS_RELEASE_FILE{"/etc/release"};
+        const auto spParser{FactorySysOsParser::create("solaris")};
+        std::fstream file{SOLARIS_RELEASE_FILE, std::ios_base::in};
+        result = spParser && file.is_open() && spParser->parseFile(file, info);
+    }
+    else if (osPlatform.find("HP-UX") != std::string::npos)
+    {
+        const auto spParser{FactorySysOsParser::create("hp-ux")};
+        result = spParser && spParser->parseUname(Utils::exec("uname -r"), info);
+    }
+
+    if (!result)
+    {
+        info["os_name"] = "Unix";
+        info["os_platform"] = "Unix";
+        info["os_version"] = UNKNOWN_VALUE;
+    }
+}
+
+
+static std::string getSerialNumber()
+{
+    return UNKNOWN_VALUE;
+}
+
+static std::string getCpuName()
+{
+    return UNKNOWN_VALUE;
+}
+
+static int getCpuMHz()
+{
+    return 0;
+}
+
+static int getCpuCores()
+{
+    return 0;
+}
+
+static void getMemory(nlohmann::json& /*info*/)
+{
+
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    return nlohmann::json {};
+}
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    struct utsname uts {};
+    getOsInfoFromUname(ret);
+
+    if (uname(&uts) >= 0)
+    {
+        ret["sysname"] = uts.sysname;
+        ret["hostname"] = uts.nodename;
+        ret["version"] = uts.version;
+        ret["architecture"] = uts.machine;
+        ret["release"] = uts.release;
+    }
+
+    return ret;
+}
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    return nlohmann::json();
+}
+nlohmann::json SysInfo::getNetworks() const
+{
+    return nlohmann::json();
+}
+nlohmann::json SysInfo::getPorts() const
+{
+    return nlohmann::json();
+}
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // TODO
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> /*callback*/) const
+{
+    // TODO
+}
+
+nlohmann::json SysInfo::getHotfixes() const
+{
+    // Currently not supported for this OS.
+    return nlohmann::json();
+}
diff --git a/src/common/data_provider/src/sysInfoWin.cpp b/src/common/data_provider/src/sysInfoWin.cpp
new file mode 100644
index 0000000000..9254d3b1e1
--- /dev/null
+++ b/src/common/data_provider/src/sysInfoWin.cpp
@@ -0,0 +1,951 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <ws2tcpip.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+#include <winternl.h>
+#include <ntstatus.h>
+#include <iphlpapi.h>
+#include <memory>
+#include <list>
+#include <set>
+#include <system_error>
+#include <winternl.h>
+#include <ntstatus.h>
+#include <netioapi.h>
+#include "sysinfoapi.h"
+#include "sysInfo.hpp"
+#include "cmdHelper.h"
+#include "stringHelper.h"
+#include "registryHelper.h"
+#include "defs.h"
+#include "osinfo/sysOsInfoWin.h"
+#include "windowsHelper.h"
+#include "encodingWindowsHelper.h"
+#include "network/networkWindowsWrapper.h"
+#include "network/networkFamilyDataAFactory.h"
+#include "ports/portWindowsWrapper.h"
+#include "ports/portImpl.h"
+#include "packages/packagesWindowsParserHelper.h"
+#include "packages/packagesWindows.h"
+#include "packages/appxWindowsWrapper.h"
+#include "packages/packagesPYPI.hpp"
+#include "packages/packagesNPM.hpp"
+#include "packages/modernPackageDataRetriever.hpp"
+
+constexpr auto CENTRAL_PROCESSOR_REGISTRY {"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"};
+const std::string UNINSTALL_REGISTRY{"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"};
+constexpr auto SYSTEM_IDLE_PROCESS_NAME {"System Idle Process"};
+constexpr auto SYSTEM_PROCESS_NAME {"System"};
+
+static const std::map<std::string, DWORD> gs_firmwareTableProviderSignature
+{
+    {"ACPI", 0x41435049},
+    {"FIRM", 0x4649524D},
+    {"RSMB", 0x52534D42}
+};
+
+class SysInfoProcess final
+{
+    public:
+        SysInfoProcess(const DWORD pId, const HANDLE processHandle)
+            : m_pId{ pId },
+              m_hProcess{ processHandle },
+              m_creationTime{},
+              m_kernelModeTime{},
+              m_userModeTime{},
+              m_pageFileUsage{},
+              m_virtualSize{}
+        {
+            setProcessTimes();
+            setProcessMemInfo();
+        }
+
+        ~SysInfoProcess() = default;
+
+        std::string cmd()
+        {
+            std::string ret;
+            const auto spReadBuff { std::make_unique<char[]>(OS_MAXSTR) };
+
+            // Get full Windows kernel path for the process
+            if (spReadBuff && GetProcessImageFileName(m_hProcess, spReadBuff.get(), OS_MAXSTR))
+            {
+                // Convert Windows kernel path to a valid Win32 filepath
+                // E.g.: "\Device\HarddiskVolume1\Windows\system32\notepad.exe" -> "C:\Windows\system32\notepad.exe"
+                ntPath2Win32Path(spReadBuff.get(), ret);
+            }
+
+            // else: Unable to retrieve executable path from current process.
+            return ret;
+        }
+
+        ULONGLONG creationTime() const
+        {
+            //convert Win32 Epoch(1 January 1601 00:00:00) to Unix Epoch(1 January 1970 00:00:00)
+            return m_creationTime.QuadPart - WINDOWS_UNIX_EPOCH_DIFF_SECONDS;
+        }
+
+        ULONGLONG kernelModeTime() const
+        {
+            return m_kernelModeTime.QuadPart;
+        }
+
+        ULONGLONG userModeTime() const
+        {
+            return m_userModeTime.QuadPart;
+        }
+
+        DWORD pageFileUsage() const
+        {
+            return m_pageFileUsage;
+        }
+
+        DWORD virtualSize() const
+        {
+            return m_virtualSize;
+        }
+
+        DWORD sessionId() const
+        {
+            DWORD ret{};
+
+            if (!ProcessIdToSessionId(m_pId, &ret))
+            {
+                // Unable to retrieve session ID from current process.
+            }
+
+            return ret;
+        }
+
+    private:
+        using SystemDrivesMap  = std::map<std::string, std::string>;
+
+        void setProcessTimes()
+        {
+            constexpr auto TO_SECONDS_VALUE { 10000000ULL };
+            FILETIME lpCreationTime{};
+            FILETIME lpExitTime{};
+            FILETIME lpKernelTime{};
+            FILETIME lpUserTime{};
+
+            if (GetProcessTimes(m_hProcess, &lpCreationTime, &lpExitTime, &lpKernelTime, &lpUserTime))
+            {
+                // Copy the kernel mode filetime high and low parts and convert it to seconds
+                m_kernelModeTime.LowPart = lpKernelTime.dwLowDateTime;
+                m_kernelModeTime.HighPart = lpKernelTime.dwHighDateTime;
+                m_kernelModeTime.QuadPart /= TO_SECONDS_VALUE;
+
+                // Copy the user mode filetime high and low parts and convert it to seconds
+                m_userModeTime.LowPart = lpUserTime.dwLowDateTime;
+                m_userModeTime.HighPart = lpUserTime.dwHighDateTime;
+                m_userModeTime.QuadPart /= TO_SECONDS_VALUE;
+
+                // Copy the creation filetime high and low parts and convert it to seconds
+                m_creationTime.LowPart = lpCreationTime.dwLowDateTime;
+                m_creationTime.HighPart = lpCreationTime.dwHighDateTime;
+                m_creationTime.QuadPart /= TO_SECONDS_VALUE;
+
+            }
+
+            // else: Unable to retrieve kernel mode and user mode times from current process.
+        }
+
+        void setProcessMemInfo()
+        {
+            PROCESS_MEMORY_COUNTERS pMemCounters{};
+
+            // Get page file usage and virtual size
+            // Reference: https://stackoverflow.com/a/1986486
+            if (GetProcessMemoryInfo(m_hProcess, &pMemCounters, sizeof(pMemCounters)))
+            {
+                m_pageFileUsage = pMemCounters.PagefileUsage;
+                m_virtualSize   = pMemCounters.WorkingSetSize + pMemCounters.PagefileUsage;
+            }
+
+            // else: Unable to retrieve page file usage from current process
+        }
+
+        static SystemDrivesMap getNtWin32DrivesMap()
+        {
+            SystemDrivesMap ret;
+
+            // Get the total amount of available logical drives
+            // The input size must not include the NULL terminator
+            auto spLogicalDrives { std::make_unique<char[]>(OS_MAXSTR) };
+            auto res { GetLogicalDriveStrings(OS_MAXSTR - 1, spLogicalDrives.get()) };
+
+            if (res <= 0 || res > OS_MAXSTR)
+            {
+                throw std::system_error
+                {
+                    static_cast<int>(GetLastError()),
+                    std::system_category(),
+                    "Unable to parse logical drive strings."
+                };
+            }
+
+            const auto logicalDrives { Utils::splitNullTerminatedStrings(spLogicalDrives.get()) };
+
+            for (const auto& logicalDrive : logicalDrives)
+            {
+                const auto normalizedName { logicalDrive.back() == L'\\' ? logicalDrive.substr(0, logicalDrive.length() - 1) : logicalDrive };
+                const auto spDosDevice { std::make_unique<char[]>(OS_MAXSTR) };
+                res = QueryDosDevice(normalizedName.c_str(), spDosDevice.get(), OS_MAXSTR);
+
+                if (res)
+                {
+                    // Make the NT Path <-> DOS Path mapping
+                    ret[spDosDevice.get()] = logicalDrive;
+                }
+            }
+
+            // At least one logical drive couldn't be mapped, trying another use of QueryDosDevice
+            if (logicalDrives.size() != ret.size())
+            {
+                // We avoid using OS_MAXSTR on Windows XP
+                const auto spPhysicalDevices { std::make_unique<char[]>(OS_SIZE_32768) };
+
+                if (QueryDosDevice(nullptr, spPhysicalDevices.get(), OS_SIZE_32768))
+                {
+                    const auto tokens = Utils::splitNullTerminatedStrings(spPhysicalDevices.get());
+                    const auto spDosDevice { std::make_unique<char[]>(OS_SIZE_32768) };
+
+                    for (const auto& token : tokens)
+                    {
+
+                        // Checking if token is found in logicalDrives to avoid a large map with unnecessary volumes.
+                        // logicalDrives contains a slash at the end but the result of QueryDosDevice doesn't.
+                        auto startsWithLambda = [&](const auto & logicalDrive)
+                        {
+                            return Utils::startsWith(logicalDrive, token);
+                        };
+
+                        if (std::find_if(logicalDrives.begin(),
+                                         logicalDrives.end(),
+                                         startsWithLambda) == logicalDrives.end())
+                        {
+                            continue;
+                        }
+
+                        res = QueryDosDevice(token.c_str(), spDosDevice.get(), OS_SIZE_32768);
+
+                        if (res && ret.find(spDosDevice.get()) == ret.end())
+                        {
+                            ret[spDosDevice.get()] = token + '\\';
+
+                            if (logicalDrives.size() == ret.size())
+                            {
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+
+            return ret;
+        }
+
+        bool fillOutput(const SystemDrivesMap& drivesMap, const std::string& ntPath, std::string& outbuf)
+        {
+            const auto it
+            {
+                std::find_if(drivesMap.begin(), drivesMap.end(),
+                             [&ntPath](const auto & key) -> bool
+                {
+                    return Utils::startsWith(ntPath, key.first);
+                })
+            };
+
+            const bool ret { it != drivesMap.end() };
+
+            if (ret)
+            {
+                outbuf = it->second + ntPath.substr(it->first.size() + 1);
+            }
+
+            return ret;
+        }
+
+        void ntPath2Win32Path(const std::string& ntPath, std::string& outbuf)
+        {
+            static SystemDrivesMap s_drivesMap { getNtWin32DrivesMap() };
+
+            if (!fillOutput(s_drivesMap, ntPath, outbuf))
+            {
+                s_drivesMap = getNtWin32DrivesMap();
+
+                if (!fillOutput(s_drivesMap, ntPath, outbuf))
+                {
+                    // If after re-fill the drives map DOS drive is not found, NTPath path will
+                    // be returned.
+                    outbuf = ntPath;
+                }
+            }
+        }
+
+        const DWORD     m_pId;
+        HANDLE          m_hProcess;
+        ULARGE_INTEGER  m_creationTime;
+        ULARGE_INTEGER  m_kernelModeTime;
+        ULARGE_INTEGER  m_userModeTime;
+        DWORD           m_pageFileUsage;
+        DWORD           m_virtualSize;
+};
+
+
+static bool isSystemProcess(const DWORD pid)
+{
+    return pid == 0 || pid == 4;
+}
+
+static std::string processName(const PROCESSENTRY32& processEntry)
+{
+    std::string ret;
+    const DWORD pId { processEntry.th32ProcessID };
+
+    if (isSystemProcess(pId))
+    {
+        ret = (pId == 0) ? SYSTEM_IDLE_PROCESS_NAME : SYSTEM_PROCESS_NAME;
+    }
+    else
+    {
+        ret = processEntry.szExeFile;
+    }
+
+    return ret;
+}
+
+static nlohmann::json getProcessInfo(const PROCESSENTRY32& processEntry)
+{
+    nlohmann::json jsProcessInfo{};
+    const auto pId { processEntry.th32ProcessID };
+    const auto processHandle { OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pId) };
+
+    if (processHandle)
+    {
+        SysInfoProcess process(pId, processHandle);
+
+        // Current process information
+        jsProcessInfo["name"]       = Utils::EncodingWindowsHelper::stringAnsiToStringUTF8(processName(processEntry));
+        jsProcessInfo["cmd"]        = Utils::EncodingWindowsHelper::stringAnsiToStringUTF8((isSystemProcess(pId)) ? "none" : process.cmd());
+        jsProcessInfo["stime"]      = process.kernelModeTime();
+        jsProcessInfo["size"]       = process.pageFileUsage();
+        jsProcessInfo["ppid"]       = processEntry.th32ParentProcessID;
+        jsProcessInfo["priority"]   = processEntry.pcPriClassBase;
+        jsProcessInfo["pid"]        = std::to_string(pId);
+        jsProcessInfo["session"]    = process.sessionId();
+        jsProcessInfo["nlwp"]       = processEntry.cntThreads;
+        jsProcessInfo["utime"]      = process.userModeTime();
+        jsProcessInfo["vm_size"]    = process.virtualSize();
+        jsProcessInfo["start_time"] = process.creationTime();
+        CloseHandle(processHandle);
+    }
+
+    return jsProcessInfo;
+}
+
+static void getPackagesFromReg(const HKEY key, const std::string& subKey, std::function<void(nlohmann::json&)> returnCallback, const REGSAM access = 0)
+{
+    try
+    {
+        const auto callback
+        {
+            [&](const std::string & package)
+            {
+                std::string value;
+                nlohmann::json packageJson;
+                Utils::Registry packageReg{key, subKey + "\\" + package, access | KEY_READ};
+
+                std::string name;
+                std::string version;
+                std::string vendor;
+                std::string install_time;
+                std::string location;
+                std::string architecture;
+
+                if (packageReg.string("DisplayName", value))
+                {
+                    name = value;
+                }
+
+                if (packageReg.string("DisplayVersion", value))
+                {
+                    version = value;
+                }
+
+                if (packageReg.string("Publisher", value))
+                {
+                    vendor = value;
+                }
+
+                if (packageReg.string("InstallDate", value))
+                {
+                    try
+                    {
+                        install_time = Utils::normalizeTimestamp(value, packageReg.keyModificationDate());
+                    }
+                    catch (const std::exception& e)
+                    {
+                        install_time = packageReg.keyModificationDate();
+                    }
+                }
+                else
+                {
+                    install_time = packageReg.keyModificationDate();
+                }
+
+                if (packageReg.string("InstallLocation", value))
+                {
+                    location = value;
+                }
+                else
+                {
+                    location = UNKNOWN_VALUE;
+                }
+
+                if (!name.empty())
+                {
+                    if (access & KEY_WOW64_32KEY)
+                    {
+                        architecture = "i686";
+                    }
+                    else if (access & KEY_WOW64_64KEY)
+                    {
+                        architecture = "x86_64";
+                    }
+                    else
+                    {
+                        architecture = UNKNOWN_VALUE;
+                    }
+
+                    packageJson["name"]         = std::move(name);
+                    packageJson["description"]  = UNKNOWN_VALUE;
+                    packageJson["version"]      = version.empty() ? UNKNOWN_VALUE : std::move(version);
+                    packageJson["groups"]       = UNKNOWN_VALUE;
+                    packageJson["priority"]       = UNKNOWN_VALUE;
+                    packageJson["size"]           = 0;
+                    packageJson["vendor"]       = vendor.empty() ? UNKNOWN_VALUE : std::move(vendor);
+                    packageJson["source"]       = UNKNOWN_VALUE;
+                    packageJson["install_time"] = install_time.empty() ? UNKNOWN_VALUE : std::move(install_time);
+                    packageJson["location"]     = location.empty() ? UNKNOWN_VALUE : std::move(location);
+                    packageJson["architecture"] = std::move(architecture);
+                    packageJson["format"]       = "win";
+
+                    returnCallback(packageJson);
+                }
+            }
+        };
+        Utils::Registry root{key, subKey, access | KEY_ENUMERATE_SUB_KEYS | KEY_READ};
+        root.enumerate(callback);
+    }
+    catch (...)
+    {
+    }
+}
+
+static void getStorePackages(const HKEY key, const std::string& user, std::function<void(nlohmann::json&)> returnCallback)
+{
+    std::set<std::string> cacheReg;
+
+    try
+    {
+        for (const auto& registry : Utils::Registry{key, user + "\\" + CACHE_NAME_REGISTRY, KEY_READ | KEY_ENUMERATE_SUB_KEYS}.enumerate())
+        {
+            cacheReg.insert(registry);
+        }
+
+        const auto callback
+        {
+            [&](const std::string & nameApp)
+            {
+                nlohmann::json jsPackage;
+
+                FactoryWindowsPackage::create(key, user, nameApp, cacheReg)->buildPackageData(jsPackage);
+
+                if (!jsPackage.at("name").get_ref<const std::string&>().empty())
+                {
+                    // Only return valid content packages
+                    returnCallback(jsPackage);
+                }
+            }
+        };
+
+        Utils::Registry root(key, user + "\\" + APPLICATION_STORE_REGISTRY, KEY_READ | KEY_ENUMERATE_SUB_KEYS);
+        root.enumerate(callback);
+    }
+    catch (...)
+    {
+    }
+}
+
+static std::string getSerialNumber()
+{
+    std::string ret;
+
+    if (Utils::isVistaOrLater())
+    {
+        static auto pfnGetSystemFirmwareTable{Utils::getSystemFirmwareTableFunctionAddress()};
+
+        if (pfnGetSystemFirmwareTable)
+        {
+            const auto size {pfnGetSystemFirmwareTable(gs_firmwareTableProviderSignature.at("RSMB"), 0, nullptr, 0)};
+
+            if (size)
+            {
+                const auto spBuff{std::make_unique<unsigned char[]>(size)};
+
+                if (spBuff)
+                {
+                    // Get raw SMBIOS firmware table
+                    if (pfnGetSystemFirmwareTable(gs_firmwareTableProviderSignature.at("RSMB"), 0, spBuff.get(), size) == size)
+                    {
+                        PRawSMBIOSData smbios{reinterpret_cast<PRawSMBIOSData>(spBuff.get())};
+                        // Parse SMBIOS structures
+                        ret = Utils::getSerialNumberFromSmbios(smbios->SMBIOSTableData, smbios->Length);
+                    }
+                }
+            }
+        }
+    }
+    else
+    {
+        const auto rawData{Utils::exec("wmic baseboard get SerialNumber")};
+        const auto pos{rawData.find("\r\n")};
+
+        if (pos != std::string::npos)
+        {
+            ret = Utils::trim(rawData.substr(pos), " \t\r\n");
+        }
+        else
+        {
+            ret = UNKNOWN_VALUE;
+        }
+    }
+
+    return ret;
+}
+
+static std::string getCpuName()
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY);
+    return reg.string("ProcessorNameString");
+}
+
+static int getCpuMHz()
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY);
+    return reg.dword("~MHz");
+}
+
+static int getCpuCores()
+{
+    SYSTEM_INFO siSysInfo{};
+    GetSystemInfo(&siSysInfo);
+    return siSysInfo.dwNumberOfProcessors;
+}
+
+static void getMemory(nlohmann::json& info)
+{
+    MEMORYSTATUSEX statex;
+    statex.dwLength = sizeof(statex);
+
+    if (GlobalMemoryStatusEx(&statex))
+    {
+        info["ram_total"] = statex.ullTotalPhys / KByte;
+        info["ram_free"] = statex.ullAvailPhys / KByte;
+        info["ram_usage"] = statex.dwMemoryLoad;
+    }
+    else
+    {
+        throw std::system_error
+        {
+            static_cast<int>(GetLastError()),
+            std::system_category(),
+            "Error calling GlobalMemoryStatusEx"
+        };
+    }
+}
+
+nlohmann::json SysInfo::getHardware() const
+{
+    nlohmann::json hardware;
+    hardware["board_serial"] = getSerialNumber();
+    hardware["cpu_name"] = getCpuName();
+    hardware["cpu_cores"] = getCpuCores();
+    hardware["cpu_mhz"] = double(getCpuMHz());
+    getMemory(hardware);
+    return hardware;
+}
+
+static void fillProcessesData(std::function<void(PROCESSENTRY32)> func)
+{
+    PROCESSENTRY32 processEntry{};
+    processEntry.dwSize = sizeof(PROCESSENTRY32);
+    const auto processesSnapshot { CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) };
+
+    if (INVALID_HANDLE_VALUE != processesSnapshot)
+    {
+        if (Process32First(processesSnapshot, &processEntry))
+        {
+            do
+            {
+                func(processEntry);
+            }
+            while (Process32Next(processesSnapshot, &processEntry));
+        }
+        else
+        {
+            CloseHandle(processesSnapshot);
+            throw std::system_error
+            {
+                static_cast<int>(GetLastError()),
+                std::system_category(),
+                "Unable to retrieve process information from the snapshot."
+            };
+        }
+
+        CloseHandle(processesSnapshot);
+
+    }
+    else
+    {
+        throw std::system_error
+        {
+            static_cast<int>(GetLastError()),
+            std::system_category(),
+            "Unable to create process snapshot."
+        };
+    }
+}
+
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    nlohmann::json jsProcessesList{};
+
+    getProcessesInfo([&jsProcessesList](nlohmann::json & data)
+    {
+        jsProcessesList.push_back(data);
+    });
+
+    return jsProcessesList;
+}
+
+nlohmann::json SysInfo::getPackages() const
+{
+    nlohmann::json ret;
+    getPackages([&ret](nlohmann::json & data)
+    {
+        ret.push_back(data);
+    });
+    return ret;
+}
+
+nlohmann::json SysInfo::getOsInfo() const
+{
+    nlohmann::json ret;
+    const auto spOsInfoProvider
+    {
+        std::make_shared<SysOsInfoProviderWindows>()
+    };
+    SysOsInfo::setOsInfo(spOsInfoProvider, ret);
+    return ret;
+}
+
+nlohmann::json SysInfo::getNetworks() const
+{
+    nlohmann::json networks {};
+    std::unique_ptr<IP_ADAPTER_INFO, Utils::IPAddressSmartDeleter> adapterInfo;
+    std::unique_ptr<IP_ADAPTER_ADDRESSES, Utils::IPAddressSmartDeleter> adaptersAddresses;
+    Utils::NetworkWindowsHelper::getAdapters(adaptersAddresses);
+
+    if (!Utils::isVistaOrLater())
+    {
+        // Get additional IPv4 info - Windows XP only
+        Utils::NetworkWindowsHelper::getAdapterInfo(adapterInfo);
+    }
+
+    auto rawAdapterAddresses { adaptersAddresses.get() };
+
+    while (rawAdapterAddresses)
+    {
+        nlohmann::json netInterfaceInfo {};
+
+        if ((IF_TYPE_SOFTWARE_LOOPBACK != rawAdapterAddresses->IfType) ||
+                (0 != rawAdapterAddresses->IfIndex || 0 != rawAdapterAddresses->Ipv6IfIndex))
+        {
+            // Ignore either loopback and invalid IPv4/IPv6 indexes interfaces
+
+            auto unicastAddress { rawAdapterAddresses->FirstUnicastAddress };
+
+            while (unicastAddress)
+            {
+                const auto lpSockAddr { unicastAddress->Address.lpSockaddr };
+
+                if (lpSockAddr)
+                {
+                    const auto unicastAddressFamily { lpSockAddr->sa_family };
+
+                    if (AF_INET == unicastAddressFamily)
+                    {
+                        // IPv4 data
+                        FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(std::make_shared<NetworkWindowsInterface>(Utils::NetworkWindowsHelper::IPV4, rawAdapterAddresses, unicastAddress,
+                                                                                                                               adapterInfo.get()))->buildNetworkData(netInterfaceInfo);
+                    }
+                    else if (AF_INET6 == unicastAddressFamily)
+                    {
+                        // IPv6 data
+                        FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(std::make_shared<NetworkWindowsInterface>(Utils::NetworkWindowsHelper::IPV6, rawAdapterAddresses, unicastAddress,
+                                                                                                                               adapterInfo.get()))->buildNetworkData(netInterfaceInfo);
+                    }
+                }
+
+                unicastAddress = unicastAddress->Next;
+            }
+
+            // Common data
+            FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(std::make_shared<NetworkWindowsInterface>(Utils::NetworkWindowsHelper::COMMON_DATA, rawAdapterAddresses, unicastAddress,
+                                                                                                                   adapterInfo.get()))->buildNetworkData(netInterfaceInfo);
+
+            networks["iface"].push_back(netInterfaceInfo);
+        }
+
+        rawAdapterAddresses = rawAdapterAddresses->Next;
+    }
+
+    return networks;
+}
+
+template <class T, typename TableClass>
+void getTablePorts(TableClass ownerId, int32_t tcpipVersion, std::unique_ptr<T []>& tableList, std::function<DWORD(T*, DWORD*, bool, int32_t, TableClass)> GetTable)
+{
+    TableClass classId { ownerId };
+    DWORD size { 0 };
+
+    if (ERROR_INSUFFICIENT_BUFFER == GetTable(nullptr, &size, true, tcpipVersion, classId))
+    {
+        tableList = std::make_unique<T []>(size);
+
+        if (tableList)
+        {
+            if (NO_ERROR != GetTable(tableList.get(), &size, true, tcpipVersion, classId))
+            {
+                throw std::runtime_error("Error when get table information");
+            }
+        }
+    }
+}
+
+template<typename T>
+void expandPortData(T data, const std::map<pid_t, std::string>& processDataList, nlohmann::json& result)
+{
+    if (data)
+    {
+        for (auto i = 0ul; i < data->dwNumEntries; ++i)
+        {
+            nlohmann::json port;
+            std::make_unique<PortImpl>(std::make_shared<WindowsPortWrapper>(data->table[i], processDataList))->buildPortData(port);
+            result.push_back(port);
+        }
+    }
+}
+
+nlohmann::json SysInfo::getPorts() const
+{
+    nlohmann::json ports;
+    std::map<pid_t, std::string> processDataList;
+    PortTables portTable;
+
+    fillProcessesData([&processDataList](const auto & processEntry)
+    {
+        processDataList[processEntry.th32ProcessID] = processEntry.szExeFile;
+    });
+
+    getTablePorts<MIB_TCPTABLE_OWNER_PID, TCP_TABLE_CLASS>(
+        TCP_TABLE_OWNER_PID_ALL,
+        AF_INET,
+        portTable.tcp,
+        [](MIB_TCPTABLE_OWNER_PID * table, DWORD * size, bool order, int32_t tcpipVersion, TCP_TABLE_CLASS tableClass)
+    {
+        return GetExtendedTcpTable(table, size, order, tcpipVersion, tableClass, 0);
+    } );
+    expandPortData(portTable.tcp.get(), processDataList, ports);
+
+    getTablePorts<MIB_TCP6TABLE_OWNER_PID, TCP_TABLE_CLASS>(
+        TCP_TABLE_OWNER_PID_ALL,
+        AF_INET6,
+        portTable.tcp6,
+        [](MIB_TCP6TABLE_OWNER_PID * table, DWORD * size, bool order, int32_t tcpipVersion, TCP_TABLE_CLASS tableClass)
+    {
+        return GetExtendedTcpTable(table, size, order, tcpipVersion, tableClass, 0);
+    } );
+    expandPortData(portTable.tcp6.get(), processDataList, ports);
+
+    getTablePorts<MIB_UDPTABLE_OWNER_PID, UDP_TABLE_CLASS>(
+        UDP_TABLE_OWNER_PID,
+        AF_INET,
+        portTable.udp,
+        [](MIB_UDPTABLE_OWNER_PID * table, DWORD * size, bool order, int32_t tcpipVersion, UDP_TABLE_CLASS tableClass)
+    {
+        return GetExtendedUdpTable(table, size, order, tcpipVersion, tableClass, 0);
+    } );
+    expandPortData(portTable.udp.get(), processDataList, ports);
+
+    getTablePorts<MIB_UDP6TABLE_OWNER_PID, UDP_TABLE_CLASS>(
+        UDP_TABLE_OWNER_PID,
+        AF_INET6,
+        portTable.udp6,
+        [](MIB_UDP6TABLE_OWNER_PID * table, DWORD * size, bool order, int32_t tcpipVersion, UDP_TABLE_CLASS tableClass)
+    {
+        return GetExtendedUdpTable(table, size, order, tcpipVersion, tableClass, 0);
+    } );
+    expandPortData(portTable.udp6.get(), processDataList, ports);
+
+    return ports;
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)> callback) const
+{
+    fillProcessesData([&callback](const auto & processEntry)
+    {
+        auto processInfo = getProcessInfo(processEntry);
+
+        if (!processInfo.empty())
+        {
+            callback(processInfo);
+        }
+    });
+}
+
+void expandFromRegistry(const HKEY key, const std::string& subKey, const std::string& field, std::function<void(const std::string&)> postAction)
+{
+    std::vector<std::string> installPaths;
+
+    // Get install path from registry
+    Utils::expandRegistryPath(key, subKey, installPaths);
+
+    // Get install path from registry expanded keys.
+    for (const auto& versionKey : installPaths)
+    {
+        try
+        {
+            // Get install path from registry, based on version key.
+            const auto dir {Utils::Registry {key, versionKey, KEY_READ | KEY_WOW64_64KEY}.string(field)};
+            // Add install path to dirList.
+            postAction(dir);
+        }
+        catch (const std::exception& e)
+        {
+            // Ignore errors.
+        }
+    }
+}
+
+const std::set<std::string> getPythonDirectories()
+{
+    std::set<std::string> pythonDirList;
+
+    const auto postAction = [&](const std::string & pythonDir)
+    {
+        pythonDirList.insert(pythonDir + R"(Lib\site-packages)");
+        pythonDirList.insert(pythonDir + R"(Lib\dist-packages)");
+    };
+
+    try
+    {
+        expandFromRegistry(HKEY_USERS, R"(*\SOFTWARE\Python\PythonCore\*\InstallPath)", "", postAction);
+        expandFromRegistry(HKEY_LOCAL_MACHINE, R"(SOFTWARE\Python\PythonCore\*\InstallPath)", "", postAction);
+    }
+    catch (const std::exception&)
+    {
+        // Ignore errors.
+    }
+
+    return pythonDirList;
+}
+
+const std::set<std::string> getNodeDirectories()
+{
+    std::set<std::string> nodeDirList;
+
+    const auto postAction = [&](const std::string & nodeDir)
+    {
+        nodeDirList.insert(nodeDir);
+    };
+
+    try
+    {
+        expandFromRegistry(HKEY_USERS, R"(*\SOFTWARE\Node.js)", "InstallPath", postAction);
+        expandFromRegistry(HKEY_LOCAL_MACHINE, R"(SOFTWARE\Node.js)", "InstallPath", postAction);
+        nodeDirList.insert(R"(C:\Users\*\AppData\Roaming\npm)");
+        nodeDirList.insert(R"(C:\Users\*)");
+    }
+    catch (const std::exception&)
+    {
+        // Ignore errors.
+    }
+
+    return nodeDirList;
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)> callback) const
+{
+    std::set<std::string> set;
+
+    auto fillList {[&callback, &set](nlohmann::json & data)
+    {
+        const std::string key {data.at("name").get_ref<const std::string&>() +
+                               data.at("version").get_ref<const std::string&>()};
+        const auto result {set.insert(key)};
+
+        if (result.second)
+        {
+            callback(data);
+        }
+    }};
+
+    getPackagesFromReg(HKEY_LOCAL_MACHINE, UNINSTALL_REGISTRY, fillList, KEY_WOW64_64KEY);
+    getPackagesFromReg(HKEY_LOCAL_MACHINE, UNINSTALL_REGISTRY, fillList, KEY_WOW64_32KEY);
+
+    for (const auto& user : Utils::Registry {HKEY_USERS, "", KEY_READ | KEY_ENUMERATE_SUB_KEYS}.enumerate())
+    {
+        getPackagesFromReg(HKEY_USERS, user + "\\" + UNINSTALL_REGISTRY, fillList);
+        getStorePackages(HKEY_USERS, user, fillList);
+    }
+
+    const std::map<std::string, std::set<std::string>> searchPaths =
+    {
+        {"PYPI", getPythonDirectories()},
+        {"NPM", getNodeDirectories()}
+    };
+
+    ModernFactoryPackagesCreator<HAS_STDFILESYSTEM>::getPackages(searchPaths, callback);
+}
+nlohmann::json SysInfo::getHotfixes() const
+{
+    std::set<std::string> hotfixes;
+    PackageWindowsHelper::getHotFixFromReg(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_HOTFIX, hotfixes);
+    PackageWindowsHelper::getHotFixFromRegNT(HKEY_LOCAL_MACHINE, PackageWindowsHelper::VISTA_REG_HOTFIX, hotfixes);
+    PackageWindowsHelper::getHotFixFromRegWOW(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_WOW_HOTFIX, hotfixes);
+    PackageWindowsHelper::getHotFixFromRegProduct(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_PRODUCT_HOTFIX, hotfixes);
+
+    nlohmann::json ret;
+
+    for (auto& hotfix : hotfixes)
+    {
+        nlohmann::json hotfixValue;
+        hotfixValue["hotfix"] = std::move(hotfix);
+        ret.push_back(std::move(hotfixValue));
+    }
+
+    return ret;
+}
diff --git a/src/common/data_provider/src/utilsWrapperLinux.cpp b/src/common/data_provider/src/utilsWrapperLinux.cpp
new file mode 100644
index 0000000000..9fee6fbd4b
--- /dev/null
+++ b/src/common/data_provider/src/utilsWrapperLinux.cpp
@@ -0,0 +1,24 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "utilsWrapperLinux.hpp"
+#include "cmdHelper.h"
+#include "filesystemHelper.h"
+
+std::string UtilsWrapperLinux::exec(const std::string& cmd, const size_t bufferSize)
+{
+    return Utils::exec(cmd, bufferSize);
+}
+
+bool UtilsWrapperLinux::existsRegular(const std::string& path)
+{
+    return Utils::existsRegular(path);
+}
diff --git a/src/common/data_provider/src/utilsWrapperLinux.hpp b/src/common/data_provider/src/utilsWrapperLinux.hpp
new file mode 100644
index 0000000000..e2a3dd87ac
--- /dev/null
+++ b/src/common/data_provider/src/utilsWrapperLinux.hpp
@@ -0,0 +1,25 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef _UTILS_WRAPPER_LINUX_H
+#define _UTILS_WRAPPER_LINUX_H
+
+#include <string>
+
+
+class UtilsWrapperLinux final
+{
+    public:
+        static std::string exec(const std::string& cmd, const size_t bufferSize = 128);
+        static bool existsRegular(const std::string& path);
+};
+
+#endif // _UTILS_WRAPPER_LINUX_H
diff --git a/src/common/data_provider/src/utilsWrapperMac.cpp b/src/common/data_provider/src/utilsWrapperMac.cpp
new file mode 100644
index 0000000000..0e07332e22
--- /dev/null
+++ b/src/common/data_provider/src/utilsWrapperMac.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "utilsWrapperMac.hpp"
+#include "cmdHelper.h"
+
+std::string UtilsWrapperMac::exec(const std::string& cmd, const size_t bufferSize)
+{
+    return Utils::exec(cmd, bufferSize);
+}
diff --git a/src/common/data_provider/src/utilsWrapperMac.hpp b/src/common/data_provider/src/utilsWrapperMac.hpp
new file mode 100644
index 0000000000..79e7a97b76
--- /dev/null
+++ b/src/common/data_provider/src/utilsWrapperMac.hpp
@@ -0,0 +1,24 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef _UTILS_WRAPPER_MAC_H
+#define _UTILS_WRAPPER_MAC_H
+
+#include <string>
+
+
+class UtilsWrapperMac final
+{
+    public:
+        static std::string exec(const std::string& cmd, const size_t bufferSize = 128);
+};
+
+#endif // _UTILS_WRAPPER_MAC_H
diff --git a/src/common/data_provider/tests/CMakeLists.txt b/src/common/data_provider/tests/CMakeLists.txt
index e69de29bb2..6e488f0b4a 100644
--- a/src/common/data_provider/tests/CMakeLists.txt
+++ b/src/common/data_provider/tests/CMakeLists.txt
@@ -0,0 +1,46 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(unit_tests)
+
+get_filename_component(SRC_FOLDER ${CMAKE_SOURCE_DIR}/../ ABSOLUTE)
+
+include_directories(${CMAKE_SOURCE_DIR})
+include_directories(${SRC_FOLDER}/shared_modules/utils)
+
+include_directories(${SRC_FOLDER}/external/googletest/googletest/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googlemock/include/)
+link_directories(${SRC_FOLDER}/external/googletest/lib/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  add_subdirectory(sysInfoPackagesLinuxHelper)
+  add_subdirectory(sysInfoPackagesBerkeleyDB)
+  add_subdirectory(sysInfoNetworkLinux)
+  add_subdirectory(sysInfoNetworkSolaris)
+  add_subdirectory(sysInfoRpmPackageManager)
+  add_subdirectory(sysInfoPackageLinuxParserRpm)
+  add_subdirectory(sysInfoPackagesSolaris)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+  add_subdirectory(sysInfoHardwareMac)
+  add_subdirectory(sysInfoNetworkBSD)
+  add_subdirectory(sysInfoPackagesMAC)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
+  add_subdirectory(sysInfoNetworkBSD)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+  add_subdirectory(sysInfoNetworkBSD)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_subdirectory(sysInfoWin)
+  add_subdirectory(sysInfoNetworkWindows)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+
+if(HAS_FILESYSTEM OR CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_subdirectory(sysInfoPackages)
+endif()
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -fprofile-arcs ")
+else()
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -lgcov ")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_subdirectory(sysInfo)
+add_subdirectory(sysInfoPorts)
diff --git a/src/common/data_provider/tests/mocks/MockFileIO.hpp b/src/common/data_provider/tests/mocks/MockFileIO.hpp
new file mode 100644
index 0000000000..04e61cb322
--- /dev/null
+++ b/src/common/data_provider/tests/mocks/MockFileIO.hpp
@@ -0,0 +1,24 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _MOCKFILEIO_HPP
+#define _MOCKFILEIO_HPP
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+#include <filesystem>
+
+class MockFileIO
+{
+    public:
+        MOCK_METHOD(void, readLineByLine, (const std::filesystem::path&, const std::function<bool(const std::string&)>&), ());
+};
+
+#endif // _MOCKFILEIO_HPP
diff --git a/src/common/data_provider/tests/mocks/MockFileSystem.hpp b/src/common/data_provider/tests/mocks/MockFileSystem.hpp
new file mode 100644
index 0000000000..f466fd5fbe
--- /dev/null
+++ b/src/common/data_provider/tests/mocks/MockFileSystem.hpp
@@ -0,0 +1,29 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _MOCKFILESYSTEM_HPP
+#define _MOCKFILESYSTEM_HPP
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+#include <filesystem>
+
+template <typename T>
+class MockFileSystem
+{
+    public:
+        MOCK_METHOD(bool, exists, (const std::filesystem::path&), ());
+        MOCK_METHOD(bool, is_regular_file, (const std::filesystem::path&), ());
+        MOCK_METHOD(bool, is_directory, (const std::filesystem::path&), ());
+        MOCK_METHOD(T, directory_iterator, (const std::filesystem::path&), ());
+};
+
+#endif  // _MOCKFILESYSTEM_HPP
diff --git a/src/common/data_provider/tests/mocks/MockJsonIO.hpp b/src/common/data_provider/tests/mocks/MockJsonIO.hpp
new file mode 100644
index 0000000000..04843c3a4e
--- /dev/null
+++ b/src/common/data_provider/tests/mocks/MockJsonIO.hpp
@@ -0,0 +1,25 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _MOCKJSONIO_HPP
+#define _MOCKJSONIO_HPP
+
+#include "json.hpp"
+#include "gtest/gtest.h"
+#include <filesystem>
+#include "gmock/gmock.h"
+
+class MockJsonIO
+{
+    public:
+        MOCK_METHOD(nlohmann::json, readJson, (const std::filesystem::path&), ());
+};
+
+#endif // _MOCKJSONIO_HPP
diff --git a/src/common/data_provider/tests/sysInfo/CMakeLists.txt b/src/common/data_provider/tests/sysInfo/CMakeLists.txt
new file mode 100644
index 0000000000..d5cbd20c71
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/CMakeLists.txt
@@ -0,0 +1,50 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysinfo_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/sysInfo.cpp"
+    "${CMAKE_SOURCE_DIR}/src/osinfo/sysOsParsers.cpp")
+
+add_executable(sysinfo_unit_test
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(sysinfo_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(sysinfo_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME sysinfo_unit_test
+         COMMAND sysinfo_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfo/main.cpp b/src/common/data_provider/tests/sysInfo/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.cpp b/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.cpp
new file mode 100644
index 0000000000..39ab2351f0
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.cpp
@@ -0,0 +1,663 @@
+/*
+ * Wazuh SysInfoParsers
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfoParsers_test.h"
+#include "osinfo/sysOsParsers.h"
+
+void SysInfoParsersTest::SetUp() {};
+
+void SysInfoParsersTest::TearDown()
+{
+};
+
+TEST_F(SysInfoParsersTest, BaseClass)
+{
+    ISysOsParser parser;
+    nlohmann::json output;
+    std::stringstream info;
+    EXPECT_FALSE(parser.parseFile(info, output));
+    EXPECT_FALSE(parser.parseUname("", output));
+}
+
+TEST_F(SysInfoParsersTest, UnixLinux)
+{
+    constexpr auto UNIX_RELEASE_FILE
+    {
+        R"(
+        NAME="Ubuntu"
+        VERSION="20.04.1 LTS (Focal Fossa) "
+        ID=ubuntu
+        ID_LIKE=debian
+        PRETTY_NAME="Ubuntu 20.04.1 LTS"
+        VERSION_ID="20.04"
+        HOME_URL="https://www.ubuntu.com/"
+        SUPPORT_URL="https://help.ubuntu.com/"
+        BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+        PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+        VERSION_CODENAME=focal
+        UBUNTU_CODENAME=focal
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{UNIX_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("20.04.1 LTS (Focal Fossa)", output["os_version"]);
+    EXPECT_EQ("Ubuntu", output["os_name"]);
+    EXPECT_EQ("ubuntu", output["os_platform"]);
+    EXPECT_EQ("focal", output["os_codename"]);
+    EXPECT_EQ("20", output["os_major"]);
+    EXPECT_EQ("04", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, UnixCentos)
+{
+    constexpr auto UNIX_RELEASE_FILE
+    {
+        R"(
+        NAME="CentOS Linux"
+        VERSION="8 (Core) "
+        ID="centos"
+        ID_LIKE="rhel fedora"
+        VERSION_ID="8"
+        PLATFORM_ID="platform:el8"
+        PRETTY_NAME="CentOS Linux 8 (Core) "
+        ANSI_COLOR="0;31"
+        CPE_NAME="cpe:/o:centos:centos:8"
+        HOME_URL="https://www.centos.org/"
+        BUG_REPORT_URL="https://bugs.centos.org/"
+
+        CENTOS_MANTISBT_PROJECT="CentOS-8"
+        CENTOS_MANTISBT_PROJECT_VERSION="8"
+        REDHAT_SUPPORT_PRODUCT="centos"
+        REDHAT_SUPPORT_PRODUCT_VERSION="8"
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{UNIX_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("8 (Core)", output["os_version"]);
+    EXPECT_EQ("CentOS Linux", output["os_name"]);
+    EXPECT_EQ("centos", output["os_platform"]);
+    EXPECT_EQ("8", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, UnixArch)
+{
+    constexpr auto UNIX_RELEASE_FILE
+    {
+        R"(
+        NAME="Arch Linux"
+        PRETTY_NAME="Arch Linux"
+        ID=arch
+        BUILD_ID=rolling
+        ANSI_COLOR="38;2;23;147;209"
+        HOME_URL="https://www.archlinux.org/"
+        DOCUMENTATION_URL="https://wiki.archlinux.org/"
+        SUPPORT_URL="https://bbs.archlinux.org/"
+        BUG_REPORT_URL="https://bugs.archlinux.org/"
+        LOGO=archlinux
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{UNIX_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("Arch Linux", output["os_name"]);
+    EXPECT_EQ("arch", output["os_platform"]);
+}
+
+TEST_F(SysInfoParsersTest, UnixAlpine)
+{
+    constexpr auto UNIX_RELEASE_FILE
+    {
+        R"(
+        NAME="Alpine Linux"
+        ID=alpine
+        VERSION_ID=3.17.1
+        PRETTY_NAME="Alpine Linux v3.17"
+        HOME_URL="https://alpinelinux.org/"
+        BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{UNIX_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("3.17.1", output["os_version"]);
+    EXPECT_EQ("Alpine Linux", output["os_name"]);
+    EXPECT_EQ("alpine", output["os_platform"]);
+    EXPECT_EQ("3", output["os_major"]);
+    EXPECT_EQ("17", output["os_minor"]);
+    EXPECT_EQ("1", output["os_patch"]);
+}
+
+
+TEST_F(SysInfoParsersTest, Ubuntu)
+{
+    constexpr auto UBUNTU_RELEASE_FILE
+    {
+        R"(DISTRIB_ID=Ubuntu
+          DISTRIB_RELEASE=20.04
+          DISTRIB_CODENAME=focal
+          DISTRIB_DESCRIPTION='Ubuntu 20.04.1 LTS')"
+    };
+    nlohmann::json output;
+    std::stringstream info{UBUNTU_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("ubuntu")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("20.04.1", output["os_version"]);
+    EXPECT_EQ("Ubuntu", output["os_name"]);
+    EXPECT_EQ("ubuntu", output["os_platform"]);
+    EXPECT_EQ("focal", output["os_codename"]);
+    EXPECT_EQ("20", output["os_major"]);
+    EXPECT_EQ("04", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Centos)
+{
+    constexpr auto CENTOS_RELEASE_FILE
+    {
+        "CentOS Linux release 8.2.2004 (Core)"
+    };
+    nlohmann::json output;
+    std::stringstream info{CENTOS_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("centos")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("8.2.2004", output["os_version"]);
+    EXPECT_EQ("Centos Linux", output["os_name"]);
+    EXPECT_EQ("centos", output["os_platform"]);
+    EXPECT_EQ("Core", output["os_codename"]);
+    EXPECT_EQ("8", output["os_major"]);
+    EXPECT_EQ("2", output["os_minor"]);
+    EXPECT_EQ("2004", output["os_patch"]);
+}
+
+TEST_F(SysInfoParsersTest, CentosStream)
+{
+    constexpr auto CENTOS_STREAM_RELEASE_FILE
+    {
+        "NAME=\"CentOS Stream\"\n"
+        "VERSION=\"9\"\n"
+        "ID=\"centos\"\n"
+        "ID_LIKE=\"rhel fedora\"\n"
+        "VERSION_ID=\"9\"\n"
+        "PLATFORM_ID=\"platform:el9\"\n"
+        "PRETTY_NAME=\"CentOS Stream 9\"\n"
+        "ANSI_COLOR=\"0;31\"\n"
+        "LOGO=\"fedora-logo-icon\"\n"
+        "CPE_NAME=\"cpe:/o:centos:centos:9\"\n"
+        "HOME_URL=\"https://centos.org/\"\n"
+        "BUG_REPORT_URL=\"https://bugzilla.redhat.com/\"\n"
+        "REDHAT_SUPPORT_PRODUCT=\"Red Hat Enterprise Linux 9\"\n"
+        "REDHAT_SUPPORT_PRODUCT_VERSION=\"CentOS Stream\"\n"
+    };
+    nlohmann::json output;
+    std::stringstream info{CENTOS_STREAM_RELEASE_FILE};
+    const auto spParser1{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser1->parseFile(info, output));
+    info.clear();
+    info.seekg(0, std::ios::beg);
+    info << CENTOS_STREAM_RELEASE_FILE;
+    const auto spParser2{FactorySysOsParser::create("centos")};
+    EXPECT_FALSE(spParser2->parseFile(info, output));
+    EXPECT_EQ("9", output["os_major"]);
+    EXPECT_EQ("CentOS Stream", output["os_name"]);
+    EXPECT_EQ("centos", output["os_platform"]);
+    EXPECT_EQ("9", output["os_version"]);
+}
+
+TEST_F(SysInfoParsersTest, CentosBased)
+{
+    constexpr auto ROCKY_LINUX_RELEASE_FILE
+    {
+        "NAME=\"Rocky Linux\"\n"
+        "VERSION=\"8.8 (Green Obsidian)\"\n"
+        "ID=\"rocky\"\n"
+        "ID_LIKE=\"rhel centos fedora\"\n"
+        "VERSION_ID=\"8.8\"\n"
+        "PLATFORM_ID=\"platform:el8\"\n"
+        "PRETTY_NAME=\"Rocky Linux 8.8 (Green Obsidian)\"\n"
+        "ANSI_COLOR=\"0;32\"\n"
+        "LOGO=\"fedora-logo-icon\"\n"
+        "CPE_NAME=\"cpe:/o:rocky:rocky:8:GA\"\n"
+        "HOME_URL=\"https://rockylinux.org/\"\n"
+        "BUG_REPORT_URL=\"https://bugs.rockylinux.org/\"\n"
+        "SUPPORT_END=\"2029-05-31\"\n"
+        "ROCKY_SUPPORT_PRODUCT=\"Rocky-Linux-8\"\n"
+        "ROCKY_SUPPORT_PRODUCT_VERSION=\"8.8\"\n"
+        "REDHAT_SUPPORT_PRODUCT=\"Rocky Linux\"\n"
+        "REDHAT_SUPPORT_PRODUCT_VERSION=\"8.8\"\n"
+    };
+    nlohmann::json output;
+    std::stringstream info{ROCKY_LINUX_RELEASE_FILE};
+    const auto spParser1{FactorySysOsParser::create("unix")};
+    EXPECT_TRUE(spParser1->parseFile(info, output));
+    info.clear();
+    info.seekg(0, std::ios::beg);
+    info << ROCKY_LINUX_RELEASE_FILE;
+    const auto spParser2{FactorySysOsParser::create("centos")};
+    EXPECT_TRUE(spParser2->parseFile(info, output));
+    EXPECT_EQ("Green Obsidian", output["os_codename"]);
+    EXPECT_EQ("8", output["os_major"]);
+    EXPECT_EQ("8", output["os_minor"]);
+    EXPECT_EQ("Rocky Linux", output["os_name"]);
+    EXPECT_EQ("rocky", output["os_platform"]);
+    EXPECT_EQ("8.8", output["os_version"]);
+}
+
+TEST_F(SysInfoParsersTest, BSDFreeBSD)
+{
+    constexpr auto FREE_BSD_UNAME
+    {
+        "12.1-STABLE"
+    };
+    nlohmann::json output;
+    const auto spParser{FactorySysOsParser::create("bsd")};
+    EXPECT_TRUE(spParser->parseUname(FREE_BSD_UNAME, output));
+    EXPECT_EQ("12.1", output["os_version"]);
+    EXPECT_EQ("BSD", output["os_name"]);
+    EXPECT_EQ("bsd", output["os_platform"]);
+    EXPECT_EQ("12", output["os_major"]);
+    EXPECT_EQ("1", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, BSDOpenBSD)
+{
+    constexpr auto FREE_BSD_UNAME
+    {
+        "6.6"
+    };
+    nlohmann::json output;
+    const auto spParser{FactorySysOsParser::create("bsd")};
+    EXPECT_TRUE(spParser->parseUname(FREE_BSD_UNAME, output));
+    EXPECT_EQ("6.6", output["os_version"]);
+    EXPECT_EQ("BSD", output["os_name"]);
+    EXPECT_EQ("bsd", output["os_platform"]);
+    EXPECT_EQ("6", output["os_major"]);
+    EXPECT_EQ("6", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, RedHatCentos)
+{
+    constexpr auto REDHAT_RELEASE_FILE
+    {
+        "CentOS release 5.11 (Final)"
+    };
+    nlohmann::json output;
+    std::stringstream info{REDHAT_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("rhel")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("5.11", output["os_version"]);
+    EXPECT_EQ("CentOS", output["os_name"]);
+    EXPECT_EQ("rhel", output["os_platform"]);
+    EXPECT_EQ("Final", output["os_codename"]);
+    EXPECT_EQ("5", output["os_major"]);
+    EXPECT_EQ("11", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, RedHatFedora)
+{
+    constexpr auto REDHAT_RELEASE_FILE
+    {
+        "Fedora release 22 (Twenty Two)"
+    };
+    nlohmann::json output;
+    std::stringstream info{REDHAT_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("rhel")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("22", output["os_version"]);
+    EXPECT_EQ("Fedora", output["os_name"]);
+    EXPECT_EQ("rhel", output["os_platform"]);
+    EXPECT_EQ("Twenty Two", output["os_codename"]);
+    EXPECT_EQ("22", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, RedHatServer)
+{
+    constexpr auto REDHAT_RELEASE_FILE
+    {
+        "Red Hat Enterprise Linux Server release 7.2 (Maipo)"
+    };
+    nlohmann::json output;
+    std::stringstream info{REDHAT_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("rhel")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("7.2", output["os_version"]);
+    EXPECT_EQ("Red Hat Enterprise Linux Server", output["os_name"]);
+    EXPECT_EQ("rhel", output["os_platform"]);
+    EXPECT_EQ("Maipo", output["os_codename"]);
+    EXPECT_EQ("7", output["os_major"]);
+    EXPECT_EQ("2", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, RedHatLinux)
+{
+    constexpr auto REDHAT_RELEASE_FILE
+    {
+        "Red Hat Enterprise Linux ES release 3 (Taroon Update 4)"
+    };
+    nlohmann::json output;
+    std::stringstream info{REDHAT_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("rhel")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("3", output["os_version"]);
+    EXPECT_EQ("Red Hat Enterprise Linux ES", output["os_name"]);
+    EXPECT_EQ("rhel", output["os_platform"]);
+    EXPECT_EQ("Taroon Update 4", output["os_codename"]);
+    EXPECT_EQ("3", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, Debian)
+{
+    constexpr auto DEBIAN_VERSION_FILE
+    {
+        "10.6"
+    };
+    nlohmann::json output;
+    std::stringstream info{DEBIAN_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("debian")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("10.6", output["os_version"]);
+    EXPECT_EQ("Debian GNU/Linux", output["os_name"]);
+    EXPECT_EQ("debian", output["os_platform"]);
+    EXPECT_EQ("10", output["os_major"]);
+    EXPECT_EQ("6", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Arch)
+{
+    constexpr auto ARCH_VERSION_FILE
+    {
+        "10.6"
+    };
+    nlohmann::json output;
+    std::stringstream info{ARCH_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("arch")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("10.6", output["os_version"]);
+    EXPECT_EQ("Arch Linux", output["os_name"]);
+    EXPECT_EQ("arch", output["os_platform"]);
+    EXPECT_EQ("10", output["os_major"]);
+    EXPECT_EQ("6", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Slackware)
+{
+    constexpr auto SLACKWARE_VERSION_FILE
+    {
+        "Slackware 14.1"
+    };
+    nlohmann::json output;
+    std::stringstream info{SLACKWARE_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("slackware")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("14.1", output["os_version"]);
+    EXPECT_EQ("Slackware", output["os_name"]);
+    EXPECT_EQ("slackware", output["os_platform"]);
+    EXPECT_EQ("14", output["os_major"]);
+    EXPECT_EQ("1", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Gentoo)
+{
+    constexpr auto GENTOO_VERSION_FILE
+    {
+        "Gentoo Base System release 2.6"
+    };
+    nlohmann::json output;
+    std::stringstream info{GENTOO_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("gentoo")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("2.6", output["os_version"]);
+    EXPECT_EQ("Gentoo", output["os_name"]);
+    EXPECT_EQ("gentoo", output["os_platform"]);
+    EXPECT_EQ("2", output["os_major"]);
+    EXPECT_EQ("6", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, SuSE)
+{
+    constexpr auto OPENSUSE_VERSION_FILE
+    {
+        R"(
+        openSUSE 13.1 (x86_64)
+        VERSION = 13.1
+        CODENAME = Bottle
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{OPENSUSE_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("suse")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("13.1", output["os_version"]);
+    EXPECT_EQ("SuSE Linux", output["os_name"]);
+    EXPECT_EQ("suse", output["os_platform"]);
+    EXPECT_EQ("Bottle", output["os_codename"]);
+    EXPECT_EQ("13", output["os_major"]);
+    EXPECT_EQ("1", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Fedora)
+{
+    constexpr auto FEDORA_VERSION_FILE
+    {
+        "Fedora release 22 (Twenty Two)"
+    };
+    nlohmann::json output;
+    std::stringstream info{FEDORA_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("fedora")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("22", output["os_version"]);
+    EXPECT_EQ("Fedora", output["os_name"]);
+    EXPECT_EQ("fedora", output["os_platform"]);
+    EXPECT_EQ("Twenty Two", output["os_codename"]);
+    EXPECT_EQ("22", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, Solaris)
+{
+    constexpr auto SOLARIS_VERSION_FILE
+    {
+        R"(
+                                     Oracle Solaris 11.3 X86
+          Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
+                                    Assembled 06 October 2015
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{SOLARIS_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("solaris")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("11.3", output["os_version"]);
+    EXPECT_EQ("SunOS", output["os_name"]);
+    EXPECT_EQ("sunos", output["os_platform"]);
+    EXPECT_EQ("11", output["os_major"]);
+    EXPECT_EQ("3", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Solaris1)
+{
+    constexpr auto SOLARIS_VERSION_FILE
+    {
+        R"(
+                            Oracle Solaris 10 1/13 s10x_u11wos_24a X86
+           Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
+                            Assembled 17 January 2013
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{SOLARIS_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("solaris")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("10", output["os_version"]);
+    EXPECT_EQ("SunOS", output["os_name"]);
+    EXPECT_EQ("sunos", output["os_platform"]);
+    EXPECT_EQ("10", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, Solaris2)
+{
+    constexpr auto SOLARIS_VERSION_FILE
+    {
+        R"(
+                            Solaris 10 5/09 s10x_u7wos_08 X86
+           Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+                                Use is subject to license terms.
+                                Assembled 17 January 2013
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{SOLARIS_VERSION_FILE};
+    const auto spParser{FactorySysOsParser::create("solaris")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("10", output["os_version"]);
+    EXPECT_EQ("SunOS", output["os_name"]);
+    EXPECT_EQ("sunos", output["os_platform"]);
+    EXPECT_EQ("10", output["os_major"]);
+}
+
+TEST_F(SysInfoParsersTest, HPUX)
+{
+    // https://docstore.mik.ua/manuals/hp-ux/en/5992-4826/pr01s02.html
+    constexpr auto HPUX_UNAME
+    {
+        "B.11.23"
+    };
+    nlohmann::json output;
+    const auto spParser{FactorySysOsParser::create("hp-ux")};
+    EXPECT_TRUE(spParser->parseUname(HPUX_UNAME, output));
+    EXPECT_EQ("11.23", output["os_version"]);
+    EXPECT_EQ("HP-UX", output["os_name"]);
+    EXPECT_EQ("hp-ux", output["os_platform"]);
+    EXPECT_EQ("11", output["os_major"]);
+    EXPECT_EQ("23", output["os_minor"]);
+}
+
+TEST_F(SysInfoParsersTest, Alpine)
+{
+    constexpr auto ALPINE_RELEASE_FILE
+    {
+        R"(
+        3.17.1
+        )"
+    };
+    nlohmann::json output;
+    std::stringstream info{ALPINE_RELEASE_FILE};
+    const auto spParser{FactorySysOsParser::create("alpine")};
+    EXPECT_TRUE(spParser->parseFile(info, output));
+    EXPECT_EQ("3.17.1", output["os_version"]);
+    EXPECT_EQ("Alpine Linux", output["os_name"]);
+    EXPECT_EQ("alpine", output["os_platform"]);
+    EXPECT_EQ("3", output["os_major"]);
+    EXPECT_EQ("17", output["os_minor"]);
+    EXPECT_EQ("1", output["os_patch"]);
+}
+
+TEST_F(SysInfoParsersTest, UknownPlatform)
+{
+    EXPECT_THROW(FactorySysOsParser::create("some unknown platform"), std::runtime_error);
+}
+
+TEST_F(SysInfoParsersTest, MacOS)
+{
+    constexpr auto MACOS_SW_VERSION
+    {
+        R"(
+        ProductName:	Mac OS X
+        ProductVersion:	10.14.6
+        BuildVersion:	18G103
+        )"
+    };
+    constexpr auto MACOS_SYSTEM_PROFILER
+    {
+        R"(
+        Software:
+
+          System Software Overview:
+
+            System Version: macOS 10.14.6 (18G103)
+            Kernel Version: Darwin 18.7.0
+            Boot Volume: mojave
+            Boot Mode: Normal
+            Computer Name: macos-mojave-vm
+            User Name: System Administrator (root)
+            Secure Virtual Memory: Enabled
+            System Integrity Protection: Enabled
+            Time since boot: 58 minutes
+        )"
+    };
+    constexpr auto MACOS_UNAME
+    {
+        "18.7.0"
+    };
+    nlohmann::json output;
+    MacOsParser parser;
+    EXPECT_TRUE(parser.parseSwVersion(MACOS_SW_VERSION, output));
+    EXPECT_TRUE(parser.parseSystemProfiler(MACOS_SYSTEM_PROFILER, output));
+    EXPECT_TRUE(parser.parseUname(MACOS_UNAME, output));
+    EXPECT_EQ("10.14.6", output["os_version"]);
+    EXPECT_EQ("macOS", output["os_name"]);
+    EXPECT_EQ("darwin", output["os_platform"]);
+    EXPECT_EQ("18G103", output["os_build"]);
+    EXPECT_EQ("Mojave", output["os_codename"]);
+    EXPECT_EQ("10", output["os_major"]);
+    EXPECT_EQ("14", output["os_minor"]);
+    EXPECT_EQ("6", output["os_patch"]);
+}
+
+TEST_F(SysInfoParsersTest, MacOSOsDefaultName)
+{
+    constexpr auto MACOS_SW_VERSION
+    {
+        R"(
+        ProductName:	Mac OS X
+        ProductVersion:	10.14.6
+        BuildVersion:	18G103
+        )"
+    };
+    constexpr auto MACOS_SYSTEM_PROFILER
+    {
+        R"(
+        Software:
+
+          System Software Overview:
+
+            System Version: macOS (18G103)
+            Kernel Version: Darwin 18.7.0
+            Boot Volume: mojave
+            Boot Mode: Normal
+            Computer Name: macos-mojave-vm
+            User Name: System Administrator (root)
+            Secure Virtual Memory: Enabled
+            System Integrity Protection: Enabled
+            Time since boot: 58 minutes
+        )"
+    };
+    constexpr auto MACOS_UNAME
+    {
+        "18.7.0"
+    };
+    nlohmann::json output;
+    MacOsParser parser;
+    EXPECT_TRUE(parser.parseSwVersion(MACOS_SW_VERSION, output));
+    EXPECT_FALSE(parser.parseSystemProfiler(MACOS_SYSTEM_PROFILER, output));
+    EXPECT_TRUE(parser.parseUname(MACOS_UNAME, output));
+    // default name is responsability of the caller
+    EXPECT_EQ(output["os_name"], nullptr);
+    EXPECT_EQ("10.14.6", output["os_version"]);
+    EXPECT_EQ("darwin", output["os_platform"]);
+    EXPECT_EQ("18G103", output["os_build"]);
+    EXPECT_EQ("Mojave", output["os_codename"]);
+    EXPECT_EQ("10", output["os_major"]);
+    EXPECT_EQ("14", output["os_minor"]);
+    EXPECT_EQ("6", output["os_patch"]);
+}
diff --git a/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.h b/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.h
new file mode 100644
index 0000000000..fac7e670ea
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysInfoParsers_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PARSERS_TEST_H
+#define _SYSINFO_PARSERS_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoParsersTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoParsersTest() = default;
+        virtual ~SysInfoParsersTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PARSERS_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfo/sysInfo_test.cpp b/src/common/data_provider/tests/sysInfo/sysInfo_test.cpp
new file mode 100644
index 0000000000..43fe728e12
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysInfo_test.cpp
@@ -0,0 +1,318 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfo_test.h"
+#include "sysInfo.hpp"
+#include "sysInfo.h"
+#include "cjsonSmartDeleter.hpp"
+
+void SysInfoTest::SetUp() {};
+
+void SysInfoTest::TearDown()
+{
+};
+
+auto PROCESSES_EXPECTED
+{
+    R"([{"test":"processes"}])"_json
+};
+
+auto PACKAGES_EXPECTED
+{
+    R"([{"test":"packages"}])"_json
+};
+
+using ::testing::_;
+using ::testing::DoAll;
+using ::testing::Return;
+
+nlohmann::json SysInfo::getHardware() const
+{
+    return "";
+}
+nlohmann::json SysInfo::getPackages() const
+{
+    return "";
+}
+nlohmann::json SysInfo::getOsInfo() const
+{
+    return "";
+}
+nlohmann::json SysInfo::getProcessesInfo() const
+{
+    return {};
+}
+nlohmann::json SysInfo::getNetworks() const
+{
+    return {};
+}
+nlohmann::json SysInfo::getPorts() const
+{
+    return {};
+}
+nlohmann::json SysInfo::getHotfixes() const
+{
+    return {};
+}
+
+void SysInfo::getPackages(std::function<void(nlohmann::json&)>callback) const
+{
+    callback(PACKAGES_EXPECTED);
+}
+
+void SysInfo::getProcessesInfo(std::function<void(nlohmann::json&)>callback) const
+{
+    callback(PROCESSES_EXPECTED);
+}
+
+class CallbackMock
+{
+    public:
+        CallbackMock() = default;
+        ~CallbackMock() = default;
+        MOCK_METHOD(void, callbackMock, (ReturnTypeCallback type, std::string), ());
+        MOCK_METHOD(void, callbackMock, (nlohmann::json&), ());
+};
+
+static void callback(const ReturnTypeCallback type,
+                     const cJSON* json,
+                     void* ctx)
+{
+    CallbackMock* wrapper { reinterpret_cast<CallbackMock*>(ctx)};
+    const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(json) };
+    wrapper->callbackMock(type, std::string(spJsonBytes.get()));
+}
+
+class SysInfoWrapper: public SysInfo
+{
+    public:
+        SysInfoWrapper() = default;
+        ~SysInfoWrapper() = default;
+        MOCK_METHOD(nlohmann::json, getHardware, (), (const override));
+        MOCK_METHOD(nlohmann::json, getPackages, (), (const override));
+        MOCK_METHOD(nlohmann::json, getOsInfo, (), (const override));
+        MOCK_METHOD(nlohmann::json, getProcessesInfo, (), (const override));
+        MOCK_METHOD(nlohmann::json, getNetworks, (), (const override));
+        MOCK_METHOD(nlohmann::json, getPorts, (), (const override));
+        MOCK_METHOD(nlohmann::json, getHotfixes, (), (const override));
+        MOCK_METHOD(void, getPackages, (std::function<void(nlohmann::json&)>), (const override));
+        MOCK_METHOD(void, getProcessesInfo, (std::function<void(nlohmann::json&)>), (const override));
+
+};
+
+TEST_F(SysInfoTest, hardware)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getHardware()).WillOnce(Return("hardware"));
+    const auto result {info.hardware()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, packages_cb)
+{
+    SysInfoWrapper info;
+    CallbackMock wrapper;
+
+    auto expectedValue1
+    {
+        R"({"architecture":"x86_64","hostname":"TINACHO","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 95","os_release":"sp1","os_version":"6.1.7601"})"_json
+    };
+
+    auto expectedValue2
+    {
+        R"({"architecture":"x86_64","hostname":"OCTACORE","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 3.1","os_release":"sp1","os_version":"6.1.7601"})"_json
+    };
+
+    const auto packagesCallback
+    {
+        [&wrapper](nlohmann::json & data)
+        {
+            wrapper.callbackMock(data);
+        }
+    };
+    EXPECT_CALL(info, getPackages(_)).WillOnce(DoAll(
+                                                   testing::InvokeArgument<0>(expectedValue1),
+                                                   testing::InvokeArgument<0>(expectedValue2)));
+    EXPECT_CALL(wrapper, callbackMock(expectedValue1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedValue2)).Times(1);
+    info.packages(packagesCallback);
+}
+
+TEST_F(SysInfoTest, packages)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getPackages()).WillOnce(Return("packages"));
+    const auto result {info.packages()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, processes_cb)
+{
+    SysInfoWrapper info;
+    CallbackMock wrapper;
+
+    auto expectedValue1
+    {
+        R"({"argvs":"180","cmd":"sleep","egroup":"root","euser":"root","fgroup":"root","name":"sleep","nice":0,"nlwp":1,"pgrp":2478,"pid":"193797","ppid":2480,"priority":20,"processor":2,"resident":148,"rgroup":"root","ruser":"root","session":2478,"sgroup":"root","share":132,"size":2019,"start_time":6244007,"state":"S","stime":0,"suser":"root","tgid":193797,"tty":0,"utime":0,"vm_size":8076})"_json
+    };
+
+    auto expectedValue2
+    {
+        R"({"argvs":"181","cmd":"ls","egroup":"dword","euser":"dword","fgroup":"dword","name":"sleep","nice":0,"nlwp":1,"pgrp":2478,"pid":"193797","ppid":2480,"priority":20,"processor":2,"resident":148,"rgroup":"root","ruser":"root","session":2478,"sgroup":"root","share":132,"size":2019,"start_time":6244007,"state":"S","stime":0,"suser":"root","tgid":193797,"tty":0,"utime":0,"vm_size":8076})"_json
+    };
+
+    const auto processesCallback
+    {
+        [&wrapper](nlohmann::json & data)
+        {
+            wrapper.callbackMock(data);
+        }
+    };
+    EXPECT_CALL(info, getProcessesInfo(_)).WillOnce(DoAll(
+                                                        testing::InvokeArgument<0>(expectedValue1),
+                                                        testing::InvokeArgument<0>(expectedValue2)));
+    EXPECT_CALL(wrapper, callbackMock(expectedValue1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedValue2)).Times(1);
+    info.processes(processesCallback);
+}
+
+TEST_F(SysInfoTest, processes)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getProcessesInfo()).WillOnce(Return("processes"));
+    const auto result {info.processes()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, network)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getNetworks()).WillOnce(Return("networks"));
+    const auto result {info.networks()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, ports)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getPorts()).WillOnce(Return("ports"));
+    const auto result {info.ports()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, os)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getOsInfo()).WillOnce(Return("osinfo"));
+    const auto result {info.os()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, hotfixes)
+{
+    SysInfoWrapper info;
+    EXPECT_CALL(info, getHotfixes()).WillOnce(Return("hotfixes"));
+    const auto result {info.hotfixes()};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(SysInfoTest, hardware_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_hardware(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, packages_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_packages(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, packages_cb_c_interface)
+{
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(GENERIC, PACKAGES_EXPECTED.dump())).Times(1);
+    EXPECT_EQ(0, sysinfo_packages_cb(callbackData));
+}
+
+TEST_F(SysInfoTest, packages_cb_c_interface_test_empty_callback)
+{
+    callback_data_t cb_data = { .callback = NULL, .user_data = NULL };
+    EXPECT_EQ(-1, sysinfo_packages_cb(cb_data));
+}
+
+TEST_F(SysInfoTest, processes_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_processes(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, processes_cb_c_interface)
+{
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(GENERIC, PROCESSES_EXPECTED.dump())).Times(1);
+    EXPECT_EQ(0, sysinfo_processes_cb(callbackData));
+}
+
+TEST_F(SysInfoTest, processes_cb_c_interface_test_empty_callback)
+{
+    callback_data_t cb_data = { .callback = NULL, .user_data = NULL };
+    EXPECT_EQ(-1, sysinfo_processes_cb(cb_data));
+}
+
+TEST_F(SysInfoTest, network_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_networks(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, ports_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_ports(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, os_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_os(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, hotfixes_c_interface)
+{
+    cJSON* object = NULL;
+    EXPECT_EQ(0, sysinfo_hotfixes(&object));
+    EXPECT_TRUE(object);
+    EXPECT_NO_THROW(sysinfo_free_result(&object));
+}
+
+TEST_F(SysInfoTest, c_interfaces_bad_params)
+{
+    EXPECT_EQ(-1, sysinfo_hardware(NULL));
+    EXPECT_EQ(-1, sysinfo_packages(NULL));
+    EXPECT_EQ(-1, sysinfo_processes(NULL));
+    EXPECT_EQ(-1, sysinfo_ports(NULL));
+    EXPECT_EQ(-1, sysinfo_os(NULL));
+    EXPECT_EQ(-1, sysinfo_hotfixes(NULL));
+}
diff --git a/src/common/data_provider/tests/sysInfo/sysInfo_test.h b/src/common/data_provider/tests/sysInfo/sysInfo_test.h
new file mode 100644
index 0000000000..6ba3147aaf
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysInfo_test.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_TEST_H
+#define _SYSINFO_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoTest() = default;
+        virtual ~SysInfoTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfo/sysOsInfo_test.cpp b/src/common/data_provider/tests/sysInfo/sysOsInfo_test.cpp
new file mode 100644
index 0000000000..851d2597cb
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysOsInfo_test.cpp
@@ -0,0 +1,66 @@
+/*
+ * Wazuh SysOsInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 5, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysOsInfo_test.h"
+#include "osinfo/sysOsInfoWin.h"
+
+void SysOsInfoTest::SetUp() {};
+
+void SysOsInfoTest::TearDown()
+{
+};
+using ::testing::_;
+using ::testing::Return;
+
+class SysOsInfoProviderWrapper : public ISysOsInfoProvider
+{
+    public:
+        SysOsInfoProviderWrapper() = default;
+        ~SysOsInfoProviderWrapper() = default;
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, version, (), (const override));
+        MOCK_METHOD(std::string, majorVersion, (), (const override));
+        MOCK_METHOD(std::string, minorVersion, (), (const override));
+        MOCK_METHOD(std::string, build, (), (const override));
+        MOCK_METHOD(std::string, release, (), (const override));
+        MOCK_METHOD(std::string, displayVersion, (), (const override));
+        MOCK_METHOD(std::string, machine, (), (const override));
+        MOCK_METHOD(std::string, nodeName, (), (const override));
+};
+
+
+TEST_F(SysOsInfoTest, setOsInfoSchema)
+{
+    nlohmann::json output;
+    const auto pOsInfoProvider{new SysOsInfoProviderWrapper};
+    const std::shared_ptr<ISysOsInfoProvider> spOsInfoProvider
+    {
+        pOsInfoProvider
+    };
+    EXPECT_CALL(*pOsInfoProvider, name()).WillOnce(Return("Microsoft Windows 10 Home"));
+    EXPECT_CALL(*pOsInfoProvider, version()).WillOnce(Return("10.0.18362"));
+    EXPECT_CALL(*pOsInfoProvider, majorVersion()).WillOnce(Return("10"));
+    EXPECT_CALL(*pOsInfoProvider, minorVersion()).WillOnce(Return("0"));
+    EXPECT_CALL(*pOsInfoProvider, build()).WillOnce(Return("18362"));
+    EXPECT_CALL(*pOsInfoProvider, release()).WillOnce(Return("1903"));
+    EXPECT_CALL(*pOsInfoProvider, displayVersion()).WillOnce(Return("19H1"));
+    EXPECT_CALL(*pOsInfoProvider, machine()).WillOnce(Return("x86_64"));
+    EXPECT_CALL(*pOsInfoProvider, nodeName()).WillOnce(Return("DESKTOP-U7Q6UQV"));
+    SysOsInfo::setOsInfo(spOsInfoProvider, output);
+    EXPECT_EQ("x86_64", output.at("architecture"));
+    EXPECT_EQ("DESKTOP-U7Q6UQV", output.at("hostname"));
+    EXPECT_EQ("18362", output.at("os_build"));
+    EXPECT_EQ("10", output.at("os_major"));
+    EXPECT_EQ("0", output.at("os_minor"));
+    EXPECT_EQ("Microsoft Windows 10 Home", output.at("os_name"));
+    EXPECT_EQ("1903", output.at("os_release"));
+    EXPECT_EQ("19H1", output.at("os_display_version"));
+    EXPECT_EQ("10.0.18362", output.at("os_version"));
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfo/sysOsInfo_test.h b/src/common/data_provider/tests/sysInfo/sysOsInfo_test.h
new file mode 100644
index 0000000000..319da6e280
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfo/sysOsInfo_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 5, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_OS_TEST_H
+#define _SYSINFO_OS_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysOsInfoTest : public ::testing::Test
+{
+
+    protected:
+
+        SysOsInfoTest() = default;
+        virtual ~SysOsInfoTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_OS_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/CMakeLists.txt b/src/common/data_provider/tests/sysInfoHardwareMac/CMakeLists.txt
new file mode 100644
index 0000000000..78e1e264cb
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/CMakeLists.txt
@@ -0,0 +1,67 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoHardwareMac_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "${CMAKE_SOURCE_DIR}/src/hardware/*X86_64Mac.cpp"
+    "sysInfoHardwareMac_test.cpp"
+    "sysInfoHardwareWrapperMac_test.cpp"
+    "main.cpp")
+
+add_executable(sysInfoHardwareMac_unit_test
+    ${sysinfo_UNIT_TEST_SRC})
+
+target_link_libraries(sysInfoHardwareMac_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    cjson
+)
+
+add_test(NAME sysInfoHardwareMac_unit_test
+         COMMAND sysInfoHardwareMac_unit_test)
+
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} MATCHES "arm64.*|ARM64.*")
+    file(GLOB sysinfo_ARM_UNIT_TEST_SRC
+        "${CMAKE_SOURCE_DIR}/src/hardware/*ARMMac.cpp"
+        "sysInfoHardwareWrapperARMMac_test.cpp"
+        "main.cpp")
+
+    add_executable(sysInfoHardwareARMMac_unit_test
+        ${sysinfo_ARM_UNIT_TEST_SRC})
+
+    find_library(iokit_lib IOKit)
+    if(NOT iokit_lib)
+        message(FATAL_ERROR "IOKit library not found! Aborting...")
+    endif()
+    find_library(corefoundation_lib CoreFoundation)
+    if(NOT corefoundation_lib)
+        message(FATAL_ERROR "CoreFoundation library not found! Aborting...")
+    endif()
+        
+    target_link_libraries(sysInfoHardwareARMMac_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        cjson
+        ${iokit_lib}
+        ${corefoundation_lib}
+    )
+
+    add_test(NAME sysInfoHardwareARMMac_unit_test
+            COMMAND sysInfoHardwareARMMac_unit_test)
+endif()
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/main.cpp b/src/common/data_provider/tests/sysInfoHardwareMac/main.cpp
new file mode 100644
index 0000000000..95d69aa6e7
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/osPrimitives_mock.h b/src/common/data_provider/tests/sysInfoHardwareMac/osPrimitives_mock.h
new file mode 100644
index 0000000000..c4e6e9207b
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/osPrimitives_mock.h
@@ -0,0 +1,57 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _OS_PRIMITIVES_MOCK_H
+#define _OS_PRIMITIVES_MOCK_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class UtilsMock
+{
+    public:
+        MOCK_METHOD(std::string, exec, (const std::string&, const size_t));
+};
+
+static UtilsMock* gs_utils_mock = NULL;
+
+std::string UtilsWrapperMac::exec(const std::string& cmd, const size_t bufferSize)
+{
+    return gs_utils_mock->exec(cmd, bufferSize);
+}
+
+class OsPrimitivesMacMock: public IOsPrimitivesMac
+{
+    public:
+        OsPrimitivesMacMock() = default;
+        virtual ~OsPrimitivesMacMock() = default;
+
+        MOCK_METHOD(int, sysctl, (int* name, u_int namelen, void* oldp, size_t* oldlenp, void* newp, size_t newlen), (const override));
+        MOCK_METHOD(int, sysctlbyname, (const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen), (const override));
+
+        MOCK_METHOD(CFMutableDictionaryRef, IOServiceMatching, (const char* name), (const override));
+        MOCK_METHOD(kern_return_t, IOServiceGetMatchingServices, (mach_port_t mainPort, CFDictionaryRef matching, io_iterator_t* existing), (const override));
+        MOCK_METHOD(io_object_t, IOIteratorNext, (io_iterator_t iterator), (const override));
+        MOCK_METHOD(kern_return_t, IORegistryEntryGetName, (io_registry_entry_t entry, io_name_t name), (const override));
+        MOCK_METHOD(kern_return_t, IORegistryEntryCreateCFProperties, (io_registry_entry_t entry, CFMutableDictionaryRef* properties, CFAllocatorRef allocator, IOOptionBits options), (const override));
+        MOCK_METHOD(kern_return_t, IOObjectRelease, (io_object_t object), (const override));
+
+        MOCK_METHOD(CFStringRef, CFStringCreateWithCString, (CFAllocatorRef alloc, const char* cStr, CFStringEncoding encoding), (const override));
+        MOCK_METHOD(const void*, CFDictionaryGetValue, (CFDictionaryRef theDict, const void* key), (const override));
+        MOCK_METHOD(CFTypeID, CFGetTypeID, (CFTypeRef cf), (const override));
+        MOCK_METHOD(CFTypeID, CFDataGetTypeID, (), (const override));
+        MOCK_METHOD(CFIndex, CFDataGetLength, (CFDataRef theData), (const override));
+        MOCK_METHOD(void, CFDataGetBytes, (CFDataRef theData, CFRange range, UInt8* buffer), (const override));
+        MOCK_METHOD(CFRange, CFRangeMake, (CFIndex loc, CFIndex len), (const override));
+        MOCK_METHOD(void, CFRelease, (CFTypeRef cf), (const override));
+};
+
+#endif //_OS_PRIMITIVES_MOCK_H
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.cpp b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.cpp
new file mode 100644
index 0000000000..074fa4df4e
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.cpp
@@ -0,0 +1,57 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoHardwareMac_test.h"
+#include "hardware/factoryHardwareFamilyCreator.h"
+#include "hardware/hardwareWrapperInterface.h"
+#include "json.hpp"
+
+void SysInfoHardwareMacTest::SetUp() {};
+
+void SysInfoHardwareMacTest::TearDown() {};
+
+using ::testing::Return;
+
+class OSHardwareWrapperMacMock: public IOSHardwareWrapper
+{
+    public:
+        OSHardwareWrapperMacMock() = default;
+        virtual ~OSHardwareWrapperMacMock() = default;
+        MOCK_METHOD(std::string, boardSerial, (), (const override));
+        MOCK_METHOD(std::string, cpuName, (), (const override));
+        MOCK_METHOD(int, cpuCores, (), (const override));
+        MOCK_METHOD(double, cpuMhz, (), (override));
+        MOCK_METHOD(uint64_t, ramTotal, (), (const override));
+        MOCK_METHOD(uint64_t, ramFree, (), (const override));
+        MOCK_METHOD(uint64_t, ramUsage, (), (const override));
+};
+
+TEST_F(SysInfoHardwareMacTest, Test_BuildHardwareData_Succeed)
+{
+    auto mock { std::make_shared<OSHardwareWrapperMacMock>() };
+    nlohmann::json hardware {};
+    EXPECT_CALL(*mock, boardSerial()).WillOnce(Return("H2WH91N3Q6NY"));
+    EXPECT_CALL(*mock, cpuName()).WillOnce(Return("Macmini9,1"));
+    EXPECT_CALL(*mock, cpuCores()).WillOnce(Return(8));
+    EXPECT_CALL(*mock, cpuMhz()).WillOnce(Return(3204.0));
+    EXPECT_CALL(*mock, ramTotal()).WillOnce(Return(16777216));
+    EXPECT_CALL(*mock, ramFree()).WillOnce(Return(8388608));
+    EXPECT_CALL(*mock, ramUsage()).WillOnce(Return(50));
+    EXPECT_NO_THROW(FactoryHardwareFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildHardwareData(hardware));
+
+    EXPECT_EQ("H2WH91N3Q6NY", hardware.at("board_serial").get_ref<nlohmann::json::string_t&>());
+    EXPECT_EQ("Macmini9,1", hardware.at("cpu_name").get_ref<nlohmann::json::string_t&>());
+    EXPECT_EQ((int)8, hardware.at("cpu_cores").get_ref<nlohmann::json::number_integer_t&>());
+    EXPECT_EQ((double)3204.0, hardware.at("cpu_mhz").get_ref<nlohmann::json::number_float_t&>());
+    EXPECT_EQ((uint64_t)16777216, hardware.at("ram_total").get_ref<nlohmann::json::number_unsigned_t&>());
+    EXPECT_EQ((uint64_t)8388608, hardware.at("ram_free").get_ref<nlohmann::json::number_unsigned_t&>());
+    EXPECT_EQ((uint64_t)50, hardware.at("ram_usage").get_ref<nlohmann::json::number_unsigned_t&>());
+}
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.h b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.h
new file mode 100644
index 0000000000..47b073c9fe
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareMac_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_HARDWARE_MAC_TEST_H
+#define _SYSINFO_HARDWARE_MAC_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoHardwareMacTest : public ::testing::Test
+{
+    protected:
+        SysInfoHardwareMacTest() = default;
+        virtual ~SysInfoHardwareMacTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_HARDWARE_MAC_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.cpp b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.cpp
new file mode 100644
index 0000000000..33ea325716
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.cpp
@@ -0,0 +1,183 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoHardwareWrapperARMMac_test.h"
+#include "hardware/hardwareWrapperImplMac.h"
+#include "osPrimitivesInterfaceMac.h"
+#include "osPrimitives_mock.h"
+#include "IOKit/IOKitLib.h"
+#include "CoreFoundation/CFBase.h"
+
+using ::testing::_;
+using ::testing::Return;
+
+void SysInfoHardwareWrapperARMMacTest::SetUp() {};
+
+void SysInfoHardwareWrapperARMMacTest::TearDown() {};
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(reinterpret_cast<CFMutableDictionaryRef>(1)));
+    EXPECT_CALL(*wrapper, IOServiceGetMatchingServices(_, _, _))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, IOIteratorNext(_))
+    .WillOnce(Return(1))
+    .WillOnce(Return(0));
+    EXPECT_CALL(*wrapper, IORegistryEntryGetName(_, _))
+    .WillOnce([](io_registry_entry_t entry, io_name_t name)
+    {
+        (void)entry;
+        strncpy(name, "pmgr", sizeof(io_name_t));
+        return KERN_SUCCESS;
+    });
+    EXPECT_CALL(*wrapper, IORegistryEntryCreateCFProperties(_, _, kCFAllocatorDefault, kNilOptions))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFStringCreateWithCString(kCFAllocatorDefault, "voltage-states5-sram", kCFStringEncodingUTF8))
+    .WillOnce(Return(reinterpret_cast<CFStringRef>(1)));
+    EXPECT_CALL(*wrapper, CFDictionaryGetValue(_, _))
+    .WillOnce(Return(reinterpret_cast<void*>(1)));
+    EXPECT_CALL(*wrapper, CFGetTypeID(_))
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, CFDataGetTypeID())
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, CFDataGetLength(_))
+    .WillOnce(Return(32));
+    EXPECT_CALL(*wrapper, CFRangeMake(_, sizeof(uint32_t)))
+    .WillRepeatedly([](CFIndex loc, CFIndex len)
+    {
+        CFRange range;
+        range.location = loc;
+        range.length = len;
+        return range;
+    });
+    EXPECT_CALL(*wrapper, CFDataGetBytes(_, _, _))
+    .WillRepeatedly([](CFDataRef theData, CFRange range, UInt8 * buffer)
+    {
+        (void)theData;
+        (void)range;
+        *reinterpret_cast<uint32_t*>(buffer) = 3280896;
+    });
+    EXPECT_CALL(*wrapper, IOObjectRelease(_))
+    .WillRepeatedly(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFRelease(_)).Times(2);
+
+    double ret = 0.0;
+    EXPECT_NO_THROW(ret = wrapper->cpuMhz());
+    EXPECT_DOUBLE_EQ(ret, (double)3280896 / 1000000);
+}
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Failed_IOServiceMatching)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(nullptr));
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Failed_IOServiceGetMatchingServices)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(reinterpret_cast<CFMutableDictionaryRef>(1)));
+    EXPECT_CALL(*wrapper, IOServiceGetMatchingServices(_, _, _))
+    .WillOnce(Return(KERN_FAILURE));
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Failed_IORegistryEntryCreateCFProperties)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(reinterpret_cast<CFMutableDictionaryRef>(1)));
+    EXPECT_CALL(*wrapper, IOServiceGetMatchingServices(_, _, _))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, IOIteratorNext(_))
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, IORegistryEntryGetName(_, _))
+    .WillOnce([](io_registry_entry_t entry, io_name_t name)
+    {
+        (void)entry;
+        strncpy(name, "pmgr", sizeof(io_name_t));
+        return KERN_SUCCESS;
+    });
+    EXPECT_CALL(*wrapper, IORegistryEntryCreateCFProperties(_, _, kCFAllocatorDefault, kNilOptions))
+    .WillOnce(Return(KERN_FAILURE));
+    EXPECT_CALL(*wrapper, IOObjectRelease(_))
+    .WillRepeatedly(Return(KERN_SUCCESS));
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Failed_CFDictionaryGetValue)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(reinterpret_cast<CFMutableDictionaryRef>(1)));
+    EXPECT_CALL(*wrapper, IOServiceGetMatchingServices(_, _, _))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, IOIteratorNext(_))
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, IORegistryEntryGetName(_, _))
+    .WillOnce([](io_registry_entry_t entry, io_name_t name)
+    {
+        (void)entry;
+        strncpy(name, "pmgr", sizeof(io_name_t));
+        return KERN_SUCCESS;
+    });
+    EXPECT_CALL(*wrapper, IORegistryEntryCreateCFProperties(_, _, kCFAllocatorDefault, kNilOptions))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFStringCreateWithCString(kCFAllocatorDefault, "voltage-states5-sram", kCFStringEncodingUTF8))
+    .WillOnce(Return(reinterpret_cast<CFStringRef>(1)));
+    EXPECT_CALL(*wrapper, CFDictionaryGetValue(_, _))
+    .WillOnce(Return(nullptr));
+    EXPECT_CALL(*wrapper, IOObjectRelease(_))
+    .WillRepeatedly(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFRelease(_)).Times(2);
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperARMMacTest, Test_CpuMhz_Failed_CFGetTypeID)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, IOServiceMatching("AppleARMIODevice"))
+    .WillOnce(Return(reinterpret_cast<CFMutableDictionaryRef>(1)));
+    EXPECT_CALL(*wrapper, IOServiceGetMatchingServices(_, _, _))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, IOIteratorNext(_))
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, IORegistryEntryGetName(_, _))
+    .WillOnce([](io_registry_entry_t entry, io_name_t name)
+    {
+        (void)entry;
+        strncpy(name, "pmgr", sizeof(io_name_t));
+        return KERN_SUCCESS;
+    });
+    EXPECT_CALL(*wrapper, IORegistryEntryCreateCFProperties(_, _, kCFAllocatorDefault, kNilOptions))
+    .WillOnce(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFStringCreateWithCString(kCFAllocatorDefault, "voltage-states5-sram", kCFStringEncodingUTF8))
+    .WillOnce(Return(reinterpret_cast<CFStringRef>(1)));
+    EXPECT_CALL(*wrapper, CFDictionaryGetValue(_, _))
+    .WillOnce(Return(reinterpret_cast<void*>(1)));
+    EXPECT_CALL(*wrapper, CFGetTypeID(_))
+    .WillOnce(Return(2));
+    EXPECT_CALL(*wrapper, CFDataGetTypeID())
+    .WillOnce(Return(1));
+    EXPECT_CALL(*wrapper, IOObjectRelease(_))
+    .WillRepeatedly(Return(KERN_SUCCESS));
+    EXPECT_CALL(*wrapper, CFRelease(_)).Times(2);
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.h b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.h
new file mode 100644
index 0000000000..faccc8bda1
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperARMMac_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_HARDWARE_WRAPPER_ARM_MAC_TEST_H
+#define _SYSINFO_HARDWARE_WRAPPER_ARM_MAC_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoHardwareWrapperARMMacTest : public ::testing::Test
+{
+    protected:
+        SysInfoHardwareWrapperARMMacTest() = default;
+        virtual ~SysInfoHardwareWrapperARMMacTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_HARDWARE_WRAPPER_ARM_MAC_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.cpp b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.cpp
new file mode 100644
index 0000000000..d375030132
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.cpp
@@ -0,0 +1,430 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <cstring>
+#include "sysInfoHardwareWrapperMac_test.h"
+#include "hardware/hardwareWrapperImplMac.h"
+#include "osPrimitivesInterfaceMac.h"
+#include "osPrimitives_mock.h"
+
+void SysInfoHardwareWrapperMacTest::SetUp() {};
+
+void SysInfoHardwareWrapperMacTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuName_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname(_, _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldp;
+        (void)newp;
+        (void)newlen;
+        *oldlenp = 8;
+        return 0;
+    })
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)newp;
+        (void)newlen;
+        strncpy(static_cast<char*>(oldp), "CpuName", 8);
+        *oldlenp = 8;
+        return 0;
+    });
+    std::string ret;
+    EXPECT_NO_THROW(ret = wrapper->cpuName());
+    EXPECT_STREQ(ret.c_str(), "CpuName");
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuName_Failed_Sysctl1)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname(_, _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldp;
+        (void)newp;
+        (void)newlen;
+        *oldlenp = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->cpuName(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuName_Failed_Sysctl2)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname(_, _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldp;
+        (void)newp;
+        (void)newlen;
+        *oldlenp = 8;
+        return 0;
+    })
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldp;
+        (void)newp;
+        (void)newlen;
+        *oldlenp = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->cpuName(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuCores_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctl(_, _, _, _, _, _))
+    .WillOnce([](int* name, u_int namelen, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)namelen;
+        (void)newp;
+        (void)newlen;
+        *static_cast<int*>(oldp) = 8;
+        *oldlenp = sizeof(int);
+        return 0;
+    });
+    int ret = 0;
+    EXPECT_NO_THROW(ret = wrapper->cpuCores());
+    EXPECT_EQ(ret, 8);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuCores_Failed_Sysctl)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctl(_, _, _, _, _, _))
+    .WillOnce([](int* name, u_int namelen, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)namelen;
+        (void)oldp;
+        (void)newp;
+        (void)newlen;
+        *oldlenp = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->cpuCores(), std::system_error);
+}
+
+
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuMhz_WithCpuFrequency_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.cpufrequency", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 3280896;
+        return 0;
+    });
+    double ret = 0.0;
+    EXPECT_NO_THROW(ret = wrapper->cpuMhz());
+    EXPECT_DOUBLE_EQ(ret, (double)3280896 / 1000000);
+}
+
+
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_CpuMhz_WithoutCpuFrequency_Failed_Sysctlbyname)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.cpufrequency", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+
+    EXPECT_THROW(wrapper->cpuMhz(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamTotal_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 17179869184;
+        return 0;
+    });
+    uint64_t ret = 0;
+    EXPECT_NO_THROW(ret = wrapper->ramTotal());
+    EXPECT_EQ(ret, (uint64_t)17179869184 / 1024);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamTotal_Failed_Sysctlbyname)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramTotal(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamFree_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<u_int*>(oldp) = 16384;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.page_free_count", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 342319;
+        return 0;
+    });
+    uint64_t ret = 0;
+    EXPECT_NO_THROW(ret = wrapper->ramFree());
+    EXPECT_EQ(ret, (uint64_t)(16384) * 342319 / 1024);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamFree_Failed_Sysctlbyname1)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramFree(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamFree_Failed_Sysctlbyname2)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<u_int*>(oldp) = 16384;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.page_free_count", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramFree(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamUsage_Succeed)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 17179869184;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<u_int*>(oldp) = 16384;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.page_free_count", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 342319;
+        return 0;
+    });
+    uint64_t ret = 0;
+    EXPECT_NO_THROW(ret = wrapper->ramUsage());
+    EXPECT_EQ(ret, (uint64_t)(100 - (100 * ((uint64_t)16384 * 342319 / 1024) / ((uint64_t)17179869184 / 1024))));
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamUsage_Succeed_TotalRamZero)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return 0;
+    });
+    uint64_t ret = 0;
+    EXPECT_NO_THROW(ret = wrapper->ramUsage());
+    EXPECT_EQ(ret, (uint64_t)0);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamUsage_Failed_Sysctlbyname1)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramUsage(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamUsage_Failed_Sysctlbyname2)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 17179869184;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<u_int*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramUsage(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_RamUsage_Failed_Sysctlbyname3)
+{
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*wrapper, sysctlbyname("hw.memsize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 17179869184;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.pagesize", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<u_int*>(oldp) = 16384;
+        return 0;
+    });
+    EXPECT_CALL(*wrapper, sysctlbyname("vm.page_free_count", _, _, _, _))
+    .WillOnce([](const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen)
+    {
+        (void)name;
+        (void)oldlenp;
+        (void)newp;
+        (void)newlen;
+        *static_cast<uint64_t*>(oldp) = 0;
+        return -1;
+    });
+    EXPECT_THROW(wrapper->ramUsage(), std::system_error);
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_BoardSerial_Succeed)
+{
+    auto utils_mock { std::make_shared<UtilsMock>() };
+    gs_utils_mock = utils_mock.get();
+
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("      Serial Number (system): H2WH91N3Q6NY\n"));
+
+    std::string ret;
+    EXPECT_NO_THROW(ret = wrapper->boardSerial());
+    EXPECT_STREQ(ret.c_str(), "H2WH91N3Q6NY");
+}
+
+TEST_F(SysInfoHardwareWrapperMacTest, Test_BoardSerial_Failed_UnknowValue)
+{
+    auto utils_mock { std::make_shared<UtilsMock>() };
+    gs_utils_mock = utils_mock.get();
+
+    auto wrapper { std::make_shared<OSHardwareWrapperMac<OsPrimitivesMacMock>>() };
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return(""));
+
+    std::string ret;
+    EXPECT_NO_THROW(ret = wrapper->boardSerial());
+    EXPECT_STREQ(ret.c_str(), UNKNOWN_VALUE);
+}
diff --git a/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.h b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.h
new file mode 100644
index 0000000000..5f96f39333
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoHardwareMac/sysInfoHardwareWrapperMac_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_HARDWARE_WRAPPER_MAC_TEST_H
+#define _SYSINFO_HARDWARE_WRAPPER_MAC_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoHardwareWrapperMacTest : public ::testing::Test
+{
+    protected:
+        SysInfoHardwareWrapperMacTest() = default;
+        virtual ~SysInfoHardwareWrapperMacTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_HARDWARE_WRAPPER_MAC_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoNetworkBSD/CMakeLists.txt b/src/common/data_provider/tests/sysInfoNetworkBSD/CMakeLists.txt
new file mode 100644
index 0000000000..e01b9d528b
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkBSD/CMakeLists.txt
@@ -0,0 +1,32 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoNetworkBSD_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/network/networkInterfaceBSD.cpp")
+
+add_executable(sysInfoNetworkBSD_unit_test 
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoNetworkBSD_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    dl
+)
+add_test(NAME sysInfoNetworkBSD_unit_test
+         COMMAND sysInfoNetworkBSD_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkBSD/main.cpp b/src/common/data_provider/tests/sysInfoNetworkBSD/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkBSD/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.cpp b/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.cpp
new file mode 100644
index 0000000000..e7b18929bd
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.cpp
@@ -0,0 +1,148 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <sys/socket.h>
+#include "sysInfoNetworkBSD_test.h"
+#include "network/networkInterfaceBSD.h"
+#include "network/networkFamilyDataAFactory.h"
+
+void SysInfoNetworkBSDTest::SetUp() {};
+
+void SysInfoNetworkBSDTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoNetworkBSDWrapperMock: public INetworkInterfaceWrapper
+{
+    public:
+        SysInfoNetworkBSDWrapperMock() = default;
+        virtual ~SysInfoNetworkBSDWrapperMock() = default;
+        MOCK_METHOD(int, family, (), (const override));
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, address, (), (const override));
+        MOCK_METHOD(std::string, netmask, (), (const override));
+        MOCK_METHOD(std::string, broadcast, (), (const override));
+        MOCK_METHOD(std::string, addressV6, (), (const override));
+        MOCK_METHOD(std::string, netmaskV6, (), (const override));
+        MOCK_METHOD(std::string, broadcastV6, (), (const override));
+        MOCK_METHOD(std::string, metrics, (), (const override));
+        MOCK_METHOD(std::string, metricsV6, (), (const override));
+        MOCK_METHOD(std::string, gateway, (), (const override));
+        MOCK_METHOD(std::string, dhcp, (), (const override));
+        MOCK_METHOD(uint32_t, mtu, (), (const override));
+        MOCK_METHOD(LinkStats, stats, (), (const override));
+        MOCK_METHOD(std::string, type, (), (const override));
+        MOCK_METHOD(std::string, state, (), (const override));
+        MOCK_METHOD(std::string, MAC, (), (const override));
+        MOCK_METHOD(std::string, adapter, (), (const override));
+};
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_INET_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkBSDWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_INET)
+{
+    auto mock { std::make_shared<SysInfoNetworkBSDWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return("192.168.0.1"));
+    EXPECT_CALL(*mock, netmask()).Times(1).WillOnce(Return("255.255.255.0"));
+    EXPECT_CALL(*mock, broadcast()).Times(1).WillOnce(Return("192.168.0.255"));
+    EXPECT_CALL(*mock, metrics()).Times(1).WillOnce(Return(" "));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return(" "));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv4"))
+    {
+        EXPECT_EQ("192.168.0.1", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("255.255.255.0", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("192.168.0.255", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ(" ", element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ(" ", element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_INET6_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkBSDWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_INET6)
+{
+    auto mock { std::make_shared<SysInfoNetworkBSDWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return("2001:db8:85a3:8d3:1319:8a2e:370:7348"));
+    EXPECT_CALL(*mock, netmaskV6()).Times(1).WillOnce(Return("2001:db8:abcd:0012:ffff:ffff:ffff:ffff"));
+    EXPECT_CALL(*mock, broadcastV6()).Times(1).WillOnce(Return("2001:db8:85a3:8d3:1319:8a2e:370:0000"));
+    EXPECT_CALL(*mock, metricsV6()).Times(1).WillOnce(Return(" "));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return(" "));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv6"))
+    {
+        EXPECT_EQ("2001:db8:85a3:8d3:1319:8a2e:370:7348", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("2001:db8:abcd:0012:ffff:ffff:ffff:ffff", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("2001:db8:85a3:8d3:1319:8a2e:370:0000", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ(" ", element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ(" ", element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_LINK)
+{
+    auto mock { std::make_shared<SysInfoNetworkBSDWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_LINK));
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("eth01"));
+    EXPECT_CALL(*mock, type()).Times(1).WillOnce(Return("ethernet"));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return("up"));
+    EXPECT_CALL(*mock, MAC()).Times(1).WillOnce(Return("00:A0:C9:14:C8:29"));
+    EXPECT_CALL(*mock, stats()).Times(1).WillOnce(Return(LinkStats{0, 1, 2, 3, 4, 5, 6, 7}));
+    EXPECT_CALL(*mock, mtu()).Times(1).WillOnce(Return(1500));
+    EXPECT_CALL(*mock, gateway()).Times(1).WillOnce(Return("8.8.4.4"));
+    EXPECT_CALL(*mock, adapter()).Times(1).WillOnce(Return(""));
+
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(mock)->buildNetworkData(ifaddr));
+
+    EXPECT_EQ("eth01", ifaddr.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("ethernet", ifaddr.at("type").get_ref<const std::string&>());
+    EXPECT_EQ("up", ifaddr.at("state").get_ref<const std::string&>());
+    EXPECT_EQ("00:A0:C9:14:C8:29", ifaddr.at("mac").get_ref<const std::string&>());
+
+    EXPECT_EQ(1, ifaddr.at("tx_packets").get<int32_t>());
+    EXPECT_EQ(0, ifaddr.at("rx_packets").get<int32_t>());
+    EXPECT_EQ(3, ifaddr.at("tx_bytes").get<int32_t>());
+    EXPECT_EQ(2, ifaddr.at("rx_bytes").get<int32_t>());
+    EXPECT_EQ(5, ifaddr.at("tx_errors").get<int32_t>());
+    EXPECT_EQ(4, ifaddr.at("rx_errors").get<int32_t>());
+    EXPECT_EQ(6, ifaddr.at("rx_dropped").get<int32_t>());
+
+    EXPECT_EQ(1500, ifaddr.at("mtu").get<int32_t>());
+
+    EXPECT_EQ("8.8.4.4", ifaddr.at("gateway").get_ref<const std::string&>());
+}
+
+TEST_F(SysInfoNetworkBSDTest, Test_AF_UNSPEC_THROW_NULLPTR)
+{
+    nlohmann::json ifaddr {};
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::BSDBASED>::create(nullptr)->buildNetworkData(ifaddr));
+}
diff --git a/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.h b/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.h
new file mode 100644
index 0000000000..967390c30e
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkBSD/sysInfoNetworkBSD_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_NETWORK_BSD_TEST_H
+#define _SYSINFO_NETWORK_BSD_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoNetworkBSDTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoNetworkBSDTest() = default;
+        virtual ~SysInfoNetworkBSDTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_NETWORK_BSD_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkLinux/CMakeLists.txt b/src/common/data_provider/tests/sysInfoNetworkLinux/CMakeLists.txt
new file mode 100644
index 0000000000..603fa88635
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkLinux/CMakeLists.txt
@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoNetworkLinux_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/network/networkInterfaceLinux.cpp")
+
+add_executable(sysInfoNetworkLinux_unit_test 
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoNetworkLinux_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    dl
+)
+
+add_test(NAME sysInfoNetworkLinux_unit_test
+         COMMAND sysInfoNetworkLinux_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkLinux/main.cpp b/src/common/data_provider/tests/sysInfoNetworkLinux/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkLinux/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.cpp b/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.cpp
new file mode 100644
index 0000000000..0fd2f56878
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.cpp
@@ -0,0 +1,186 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <ifaddrs.h>
+#include "sysInfoNetworkLinux_test.h"
+#include "network/networkInterfaceLinux.h"
+#include "network/networkFamilyDataAFactory.h"
+
+void SysInfoNetworkLinuxTest::SetUp() {};
+
+void SysInfoNetworkLinuxTest::TearDown()
+{
+};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoNetworkLinuxWrapperMock: public INetworkInterfaceWrapper
+{
+    public:
+        SysInfoNetworkLinuxWrapperMock() = default;
+        virtual ~SysInfoNetworkLinuxWrapperMock() = default;
+        MOCK_METHOD(int, family, (), (const override));
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, address, (), (const override));
+        MOCK_METHOD(std::string, netmask, (), (const override));
+        MOCK_METHOD(std::string, broadcast, (), (const override));
+        MOCK_METHOD(std::string, addressV6, (), (const override));
+        MOCK_METHOD(std::string, netmaskV6, (), (const override));
+        MOCK_METHOD(std::string, broadcastV6, (), (const override));
+        MOCK_METHOD(std::string, gateway, (), (const override));
+        MOCK_METHOD(std::string, metrics, (), (const override));
+        MOCK_METHOD(std::string, metricsV6, (), (const override));
+        MOCK_METHOD(std::string, dhcp, (), (const override));
+        MOCK_METHOD(uint32_t, mtu, (), (const override));
+        MOCK_METHOD(LinkStats, stats, (), (const override));
+        MOCK_METHOD(std::string, type, (), (const override));
+        MOCK_METHOD(std::string, state, (), (const override));
+        MOCK_METHOD(std::string, MAC, (), (const override));
+        MOCK_METHOD(std::string, adapter, (), (const override));
+};
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_INET_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_INET)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return("192.168.0.1"));
+    EXPECT_CALL(*mock, netmask()).Times(1).WillOnce(Return("255.255.255.0"));
+    EXPECT_CALL(*mock, broadcast()).Times(1).WillOnce(Return("192.168.0.255"));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return("8.8.8.8"));
+    EXPECT_CALL(*mock, metrics()).Times(1).WillOnce(Return("100"));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv4"))
+    {
+        EXPECT_EQ("192.168.0.1", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("255.255.255.0", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("192.168.0.255", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ("8.8.8.8", element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ("100", element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_INET6_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_INET6)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return("2001:db8:85a3:8d3:1319:8a2e:370:7348"));
+    EXPECT_CALL(*mock, netmaskV6()).Times(1).WillOnce(Return("2001:db8:abcd:0012:ffff:ffff:ffff:ffff"));
+    EXPECT_CALL(*mock, broadcastV6()).Times(1).WillOnce(Return("2001:db8:85a3:8d3:1319:8a2e:370:0000"));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return("8.8.8.8"));
+    EXPECT_CALL(*mock, metricsV6()).Times(1).WillOnce(Return("100"));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv6"))
+    {
+        EXPECT_EQ("2001:db8:85a3:8d3:1319:8a2e:370:7348", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("2001:db8:abcd:0012:ffff:ffff:ffff:ffff", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("2001:db8:85a3:8d3:1319:8a2e:370:0000", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ("8.8.8.8", element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ("100", element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_PACKET)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_PACKET));
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("eth01"));
+    EXPECT_CALL(*mock, adapter()).Times(1).WillOnce(Return("adapter"));
+    EXPECT_CALL(*mock, type()).Times(1).WillOnce(Return("ethernet"));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return("up"));
+    EXPECT_CALL(*mock, MAC()).Times(1).WillOnce(Return("00:A0:C9:14:C8:29"));
+    EXPECT_CALL(*mock, stats()).Times(1).WillOnce(Return(LinkStats{0, 1, 2, 3, 4, 5, 6, 7}));
+    EXPECT_CALL(*mock, mtu()).Times(1).WillOnce(Return(1500));
+    EXPECT_CALL(*mock, gateway()).Times(1).WillOnce(Return("10.2.2.50"));
+
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+
+    EXPECT_EQ("eth01", ifaddr.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("adapter", ifaddr.at("adapter").get_ref<const std::string&>());
+    EXPECT_EQ("ethernet", ifaddr.at("type").get_ref<const std::string&>());
+    EXPECT_EQ("up", ifaddr.at("state").get_ref<const std::string&>());
+    EXPECT_EQ("00:A0:C9:14:C8:29", ifaddr.at("mac").get_ref<const std::string&>());
+
+    EXPECT_EQ(1, ifaddr.at("tx_packets").get<int32_t>());
+    EXPECT_EQ(0, ifaddr.at("rx_packets").get<int32_t>());
+    EXPECT_EQ(3, ifaddr.at("tx_bytes").get<int32_t>());
+    EXPECT_EQ(2, ifaddr.at("rx_bytes").get<int32_t>());
+    EXPECT_EQ(5, ifaddr.at("tx_errors").get<int32_t>());
+    EXPECT_EQ(4, ifaddr.at("rx_errors").get<int32_t>());
+    EXPECT_EQ(7, ifaddr.at("tx_dropped").get<int32_t>());
+    EXPECT_EQ(6, ifaddr.at("rx_dropped").get<int32_t>());
+
+    EXPECT_EQ(1500u, ifaddr.at("mtu").get<uint32_t>());
+    EXPECT_EQ("10.2.2.50", ifaddr.at("gateway").get_ref<const std::string&>());
+}
+
+TEST_F(SysInfoNetworkLinuxTest, Test_AF_UNSPEC_THROW_NULLPTR)
+{
+    nlohmann::json ifaddr {};
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(nullptr)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkLinuxTest, Test_Gateway_7546)
+{
+    auto mock { std::make_shared<SysInfoNetworkLinuxWrapperMock>() };
+    nlohmann::json ifaddr {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_PACKET));
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("eth01"));
+    EXPECT_CALL(*mock, adapter()).Times(1).WillOnce(Return("adapter"));
+    EXPECT_CALL(*mock, type()).Times(1).WillOnce(Return("ethernet"));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return("up"));
+    EXPECT_CALL(*mock, MAC()).Times(1).WillOnce(Return("00:A0:C9:14:C8:29"));
+    EXPECT_CALL(*mock, stats()).Times(1).WillOnce(Return(LinkStats{0, 1, 2, 3, 4, 5, 6, 7}));
+    EXPECT_CALL(*mock, mtu()).Times(1).WillOnce(Return(1500));
+    EXPECT_CALL(*mock, gateway()).Times(1).WillOnce(Return("A12BA8C0")); // Gateway value in hexa: A12BA8C0
+
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::LINUX>::create(mock)->buildNetworkData(ifaddr));
+
+    EXPECT_EQ("eth01", ifaddr.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("adapter", ifaddr.at("adapter").get_ref<const std::string&>());
+    EXPECT_EQ("ethernet", ifaddr.at("type").get_ref<const std::string&>());
+    EXPECT_EQ("up", ifaddr.at("state").get_ref<const std::string&>());
+    EXPECT_EQ("00:A0:C9:14:C8:29", ifaddr.at("mac").get_ref<const std::string&>());
+
+    EXPECT_EQ(1, ifaddr.at("tx_packets").get<int32_t>());
+    EXPECT_EQ(0, ifaddr.at("rx_packets").get<int32_t>());
+    EXPECT_EQ(3, ifaddr.at("tx_bytes").get<int32_t>());
+    EXPECT_EQ(2, ifaddr.at("rx_bytes").get<int32_t>());
+    EXPECT_EQ(5, ifaddr.at("tx_errors").get<int32_t>());
+    EXPECT_EQ(4, ifaddr.at("rx_errors").get<int32_t>());
+    EXPECT_EQ(7, ifaddr.at("tx_dropped").get<int32_t>());
+    EXPECT_EQ(6, ifaddr.at("rx_dropped").get<int32_t>());
+    EXPECT_EQ(1500, ifaddr.at("mtu").get<int32_t>());
+    EXPECT_EQ("A12BA8C0", ifaddr.at("gateway").get_ref<const std::string&>());
+}
diff --git a/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.h b/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.h
new file mode 100644
index 0000000000..bc2deff3fe
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkLinux/sysInfoNetworkLinux_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_NETWORK_LINUX_TEST_H
+#define _SYSINFO_NETWORK_LINUX_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoNetworkLinuxTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoNetworkLinuxTest() = default;
+        virtual ~SysInfoNetworkLinuxTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_NETWORK_LINUX_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkSolaris/CMakeLists.txt b/src/common/data_provider/tests/sysInfoNetworkSolaris/CMakeLists.txt
new file mode 100644
index 0000000000..175f51814f
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkSolaris/CMakeLists.txt
@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoNetworkSolaris_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/network/networkInterfaceSolaris.cpp")
+
+add_executable(sysInfoNetworkSolaris_unit_test
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoNetworkSolaris_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    dl
+)
+
+add_test(NAME sysInfoNetworkSolaris_unit_test
+         COMMAND sysInfoNetworkSolaris_unit_test)
diff --git a/src/common/data_provider/tests/sysInfoNetworkSolaris/main.cpp b/src/common/data_provider/tests/sysInfoNetworkSolaris/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkSolaris/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.cpp b/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.cpp
new file mode 100644
index 0000000000..5cd4baa14d
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.cpp
@@ -0,0 +1,150 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <sys/socket.h>
+
+#include "sysInfoNetworkSolaris_test.h"
+#include "network/networkFamilyDataAFactory.h"
+
+void SysInfoNetworkSolarisTest::SetUp() {};
+
+void SysInfoNetworkSolarisTest::TearDown()
+{
+};
+
+using ::testing::_;
+using ::testing::Return;
+
+class sysInfoNetworkSolarisWrapperMock : public INetworkInterfaceWrapper
+{
+    public:
+        sysInfoNetworkSolarisWrapperMock() = default;
+        virtual ~sysInfoNetworkSolarisWrapperMock() = default;
+        MOCK_METHOD( int, family, (), (const, override));
+        MOCK_METHOD( std::string, name, (), (const, override));
+        MOCK_METHOD( std::string, adapter, (), (const, override));
+        MOCK_METHOD( std::string, address, (), (const, override));
+        MOCK_METHOD( std::string, netmask, (), (const, override));
+        MOCK_METHOD( std::string, broadcast, (), (const, override));
+        MOCK_METHOD( std::string, addressV6, (), (const, override));
+        MOCK_METHOD( std::string, netmaskV6, (), (const, override));
+        MOCK_METHOD( std::string, broadcastV6, (), (const, override));
+        MOCK_METHOD( std::string, gateway, (), (const, override));
+        MOCK_METHOD( std::string, metrics, (), (const, override));
+        MOCK_METHOD( std::string, metricsV6, (), (const, override));
+        MOCK_METHOD( std::string, dhcp, (), (const, override));
+        MOCK_METHOD( uint32_t, mtu, (), (const, override));
+        MOCK_METHOD( LinkStats, stats, (), (const, override));
+        MOCK_METHOD( std::string, type, (), (const, override));
+        MOCK_METHOD( std::string, state, (), (const, override));
+        MOCK_METHOD( std::string, MAC, (), (const, override));
+};
+
+TEST_F(SysInfoNetworkSolarisTest, Test_AF_INET_THROW)
+{
+    auto mock { std::make_shared<sysInfoNetworkSolarisWrapperMock>() };
+    nlohmann::json ifaddr { };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkSolarisTest, Test_AF_INET)
+{
+    auto mock { std::make_shared<sysInfoNetworkSolarisWrapperMock>() };
+    nlohmann::json ifaddr { };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return("192.168.0.47"));
+    EXPECT_CALL(*mock, netmask()).Times(1).WillOnce(Return("255.255.255.0"));
+    EXPECT_CALL(*mock, broadcast()).Times(1).WillOnce(Return("192.168.0.255"));
+    EXPECT_CALL(*mock, metrics()).Times(1).WillOnce(Return("0"));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return("disabled"));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv4"))
+    {
+        EXPECT_EQ("192.168.0.47", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("255.255.255.0", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("192.168.0.255", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ("0", element.at("metric").get_ref<const std::string&>());
+        EXPECT_EQ("disabled", element.at("dhcp").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkSolarisTest, Test_AF_INET6_THROW)
+{
+    auto mock { std::make_shared<sysInfoNetworkSolarisWrapperMock>() };
+    nlohmann::json ifaddr { };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildNetworkData(ifaddr));
+}
+
+TEST_F(SysInfoNetworkSolarisTest, Test_AF_INET6)
+{
+    auto mock { std::make_shared<sysInfoNetworkSolarisWrapperMock>() };
+    nlohmann::json ifaddr { };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_INET6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return("fe80::a00:27ff:fedd:cc5b"));
+    EXPECT_CALL(*mock, netmaskV6()).Times(1).WillOnce(Return("ffc0::"));
+    EXPECT_CALL(*mock, broadcastV6()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, metricsV6()).Times(1).WillOnce(Return("0"));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return("enabled"));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildNetworkData(ifaddr));
+
+    for (auto& element : ifaddr.at("IPv6"))
+    {
+        EXPECT_EQ("fe80::a00:27ff:fedd:cc5b", element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ("ffc0::", element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ("", element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ("0", element.at("metric").get_ref<const std::string&>());
+        EXPECT_EQ("enabled", element.at("dhcp").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkSolarisTest, Test_AF_UNSPEC)
+{
+    auto mock { std::make_shared<sysInfoNetworkSolarisWrapperMock>() };
+    nlohmann::json ifaddr { };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(AF_UNSPEC));
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("net0"));
+    EXPECT_CALL(*mock, adapter()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return("up"));
+    EXPECT_CALL(*mock, type()).Times(1).WillOnce(Return("Ethernet"));
+    EXPECT_CALL(*mock, MAC()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, stats()).Times(1).WillOnce(Return(LinkStats{436300, 220902, 641204623, 12252455, 0, 0, 0, 0}));
+    EXPECT_CALL(*mock, mtu()).Times(1).WillOnce(Return(1500u));
+    EXPECT_CALL(*mock, gateway()).Times(1).WillOnce(Return("10.0.2.2"));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildNetworkData(ifaddr));
+
+    EXPECT_EQ("net0", ifaddr.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("", ifaddr.at("adapter").get_ref<const std::string&>());
+    EXPECT_EQ("up", ifaddr.at("state").get_ref<const std::string&>());
+    EXPECT_EQ("Ethernet", ifaddr.at("type").get_ref<const std::string&>());
+    EXPECT_EQ("", ifaddr.at("mac").get_ref<const std::string&>());
+
+    EXPECT_EQ(220902u, ifaddr.at("tx_packets").get<uint32_t>());
+    EXPECT_EQ(436300u, ifaddr.at("rx_packets").get<uint32_t>());
+    EXPECT_EQ(12252455u, ifaddr.at("tx_bytes").get<uint32_t>());
+    EXPECT_EQ(641204623u, ifaddr.at("rx_bytes").get<uint32_t>());
+    EXPECT_EQ(0u, ifaddr.at("tx_errors").get<uint32_t>());
+    EXPECT_EQ(0u, ifaddr.at("rx_errors").get<uint32_t>());
+    EXPECT_EQ(0u, ifaddr.at("tx_dropped").get<uint32_t>());
+    EXPECT_EQ(0u, ifaddr.at("rx_dropped").get<uint32_t>());
+
+    EXPECT_EQ(1500u, ifaddr.at("mtu").get<uint32_t>());
+    EXPECT_EQ("10.0.2.2", ifaddr.at("gateway").get_ref<const std::string&>());
+}
+
+TEST_F(SysInfoNetworkSolarisTest, Test_THROW_NULLPTR)
+{
+    nlohmann::json ifaddr { };
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::SOLARIS>::create(nullptr)->buildNetworkData(ifaddr));
+}
diff --git a/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.h b/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.h
new file mode 100644
index 0000000000..46e47bac28
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkSolaris/sysInfoNetworkSolaris_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_NETWORK_SOLARIS_TEST_H
+#define _SYSINFO_NETWORK_SOLARIS_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoNetworkSolarisTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoNetworkSolarisTest() = default;
+        virtual ~SysInfoNetworkSolarisTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_NETWORK_SOLARIS_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoNetworkWindows/CMakeLists.txt b/src/common/data_provider/tests/sysInfoNetworkWindows/CMakeLists.txt
new file mode 100644
index 0000000000..46774207b0
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkWindows/CMakeLists.txt
@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoNetworkWindows_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/network/networkInterfaceWindows.cpp")
+
+add_executable(sysInfoNetworkWindows_unit_test
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoNetworkWindows_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    -static-libgcc -static-libstdc++
+)
+
+add_test(NAME sysInfoNetworkWindows_unit_test
+         COMMAND sysInfoNetworkWindows_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkWindows/main.cpp b/src/common/data_provider/tests/sysInfoNetworkWindows/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkWindows/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.cpp b/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.cpp
new file mode 100644
index 0000000000..4127913b96
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.cpp
@@ -0,0 +1,164 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "windowsHelper.h"
+#include "sysInfoNetworkWindows_test.h"
+#include "network/networkInterfaceWindows.h"
+#include "network/networkFamilyDataAFactory.h"
+
+void SysInfoNetworkWindowsTest::SetUp() {};
+
+void SysInfoNetworkWindowsTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoNetworkWindowsWrapperMock: public INetworkInterfaceWrapper
+{
+    public:
+        SysInfoNetworkWindowsWrapperMock() = default;
+        virtual ~SysInfoNetworkWindowsWrapperMock() = default;
+        MOCK_METHOD(int, family, (), (const override));
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, adapter, (), (const override));
+        MOCK_METHOD(std::string, address, (), (const override));
+        MOCK_METHOD(std::string, netmask, (), (const override));
+        MOCK_METHOD(std::string, broadcast, (), (const override));
+        MOCK_METHOD(std::string, addressV6, (), (const override));
+        MOCK_METHOD(std::string, netmaskV6, (), (const override));
+        MOCK_METHOD(std::string, broadcastV6, (), (const override));
+        MOCK_METHOD(std::string, gateway, (), (const override));
+        MOCK_METHOD(std::string, metrics, (), (const override));
+        MOCK_METHOD(std::string, metricsV6, (), (const override));
+        MOCK_METHOD(std::string, dhcp, (), (const override));
+        MOCK_METHOD(uint32_t, mtu, (), (const override));
+        MOCK_METHOD(LinkStats, stats, (), (const override));
+        MOCK_METHOD(std::string, type, (), (const override));
+        MOCK_METHOD(std::string, state, (), (const override));
+        MOCK_METHOD(std::string, MAC, (), (const override));
+};
+
+TEST_F(SysInfoNetworkWindowsTest, Test_IPV4_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkWindowsWrapperMock>() };
+    nlohmann::json networkInfo {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(Utils::NetworkWindowsHelper::IPV4));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(mock)->buildNetworkData(networkInfo));
+}
+
+TEST_F(SysInfoNetworkWindowsTest, Test_IPV6_THROW)
+{
+    auto mock { std::make_shared<SysInfoNetworkWindowsWrapperMock>() };
+    nlohmann::json networkInfo {};
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(Utils::NetworkWindowsHelper::IPV6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return(""));
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(mock)->buildNetworkData(networkInfo));
+}
+
+TEST_F(SysInfoNetworkWindowsTest, Test_AF_UNSPEC_THROW_NULLPTR)
+{
+    nlohmann::json networkInfo {};
+    EXPECT_ANY_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(nullptr)->buildNetworkData(networkInfo));
+}
+
+TEST_F(SysInfoNetworkWindowsTest, Test_IPV4)
+{
+    auto mock { std::make_shared<SysInfoNetworkWindowsWrapperMock>() };
+    nlohmann::json networkInfo {};
+    const std::string address   { "192.168.0.1" };
+    const std::string netmask   { "255.255.255.0" };
+    const std::string broadcast { "192.168.0.255" };
+    const std::string dhcp      { "8.8.8.8" };
+    const std::string metrics   { "25" };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(Utils::NetworkWindowsHelper::IPV4));
+    EXPECT_CALL(*mock, address()).Times(1).WillOnce(Return(address));
+    EXPECT_CALL(*mock, netmask()).Times(1).WillOnce(Return(netmask));
+    EXPECT_CALL(*mock, broadcast()).Times(1).WillOnce(Return(broadcast));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return(dhcp));
+    EXPECT_CALL(*mock, metrics()).Times(1).WillOnce(Return(metrics));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(mock)->buildNetworkData(networkInfo));
+
+    for (auto& element : networkInfo.at("IPv4"))
+    {
+        EXPECT_EQ(address, element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ(netmask, element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ(broadcast, element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ(dhcp, element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ(metrics, element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkWindowsTest, Test_IPV6)
+{
+    auto mock { std::make_shared<SysInfoNetworkWindowsWrapperMock>() };
+    nlohmann::json networkInfo {};
+    const std::string address   { "2001:db8:85a3:8d3:1319:8a2e:370:7348" };
+    const std::string netmask   { "2001:db8:abcd:0012:ffff:ffff:ffff:ffff" };
+    const std::string broadcast { "2001:db8:85a3:8d3:1319:8a2e:370:0000" };
+    const std::string dhcp      { "8.8.8.8" };
+    const std::string metrics   { "25" };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(Utils::NetworkWindowsHelper::IPV6));
+    EXPECT_CALL(*mock, addressV6()).Times(1).WillOnce(Return(address));
+    EXPECT_CALL(*mock, netmaskV6()).Times(1).WillOnce(Return(netmask));
+    EXPECT_CALL(*mock, broadcastV6()).Times(1).WillOnce(Return(broadcast));
+    EXPECT_CALL(*mock, dhcp()).Times(1).WillOnce(Return(dhcp));
+    EXPECT_CALL(*mock, metricsV6()).Times(1).WillOnce(Return(metrics));
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(mock)->buildNetworkData(networkInfo));
+
+    for (auto& element : networkInfo.at("IPv6"))
+    {
+        EXPECT_EQ(address, element.at("address").get_ref<const std::string&>());
+        EXPECT_EQ(netmask, element.at("netmask").get_ref<const std::string&>());
+        EXPECT_EQ(broadcast, element.at("broadcast").get_ref<const std::string&>());
+        EXPECT_EQ(dhcp, element.at("dhcp").get_ref<const std::string&>());
+        EXPECT_EQ(metrics, element.at("metric").get_ref<const std::string&>());
+    }
+}
+
+TEST_F(SysInfoNetworkWindowsTest, Test_COMMON_DATA)
+{
+    auto mock { std::make_shared<SysInfoNetworkWindowsWrapperMock>() };
+    nlohmann::json networkInfo {};
+    const std::string name      { "eth01" };
+    const std::string type      { "2001:db8:abcd:0012:ffff:ffff:ffff:ffff" };
+    const std::string state     { "up" };
+    const std::string MAC       { "00:A0:C9:14:C8:29" };
+    const uint32_t mtu          { 1500 };
+    const std::string gateway   { "10.2.2.50" };
+    EXPECT_CALL(*mock, family()).Times(1).WillOnce(Return(Utils::NetworkWindowsHelper::COMMON_DATA));
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return(name));
+    EXPECT_CALL(*mock, type()).Times(1).WillOnce(Return(type));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return(state));
+    EXPECT_CALL(*mock, MAC()).Times(1).WillOnce(Return(MAC));
+    EXPECT_CALL(*mock, stats()).Times(1).WillOnce(Return(LinkStats{0, 1, 2, 3, 4, 5, 6, 7}));
+    EXPECT_CALL(*mock, mtu()).Times(1).WillOnce(Return(mtu));
+    EXPECT_CALL(*mock, gateway()).Times(1).WillOnce(Return(gateway));
+
+    EXPECT_NO_THROW(FactoryNetworkFamilyCreator<OSPlatformType::WINDOWS>::create(mock)->buildNetworkData(networkInfo));
+
+    EXPECT_EQ(name, networkInfo.at("name").get_ref<const std::string&>());
+    EXPECT_EQ(type, networkInfo.at("type").get_ref<const std::string&>());
+    EXPECT_EQ(state, networkInfo.at("state").get_ref<const std::string&>());
+    EXPECT_EQ(MAC, networkInfo.at("mac").get_ref<const std::string&>());
+
+    EXPECT_EQ(1, networkInfo.at("tx_packets").get<int32_t>());
+    EXPECT_EQ(0, networkInfo.at("rx_packets").get<int32_t>());
+    EXPECT_EQ(3, networkInfo.at("tx_bytes").get<int32_t>());
+    EXPECT_EQ(2, networkInfo.at("rx_bytes").get<int32_t>());
+    EXPECT_EQ(5, networkInfo.at("tx_errors").get<int32_t>());
+    EXPECT_EQ(4, networkInfo.at("rx_errors").get<int32_t>());
+    EXPECT_EQ(7, networkInfo.at("tx_dropped").get<int32_t>());
+    EXPECT_EQ(6, networkInfo.at("rx_dropped").get<int32_t>());
+
+    EXPECT_EQ(mtu, networkInfo.at("mtu").get<uint32_t>());
+    EXPECT_EQ(gateway, networkInfo.at("gateway").get_ref<const std::string&>());
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.h b/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.h
new file mode 100644
index 0000000000..988b0206f6
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoNetworkWindows/sysInfoNetworkWindows_test.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_NETWORK_WINDOWS_TEST_H
+#define _SYSINFO_NETWORK_WINDOWS_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoNetworkWindowsTest : public ::testing::Test
+{
+    protected:
+
+        SysInfoNetworkWindowsTest() = default;
+        virtual ~SysInfoNetworkWindowsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_NETWORK_WINDOWS_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/CMakeLists.txt
new file mode 100644
index 0000000000..c241b184c3
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/CMakeLists.txt
@@ -0,0 +1,32 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoPackageLinuxParserRPM_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB PARSER_SRC "${CMAKE_SOURCE_DIR}/src/packages/packageLinuxParserRpm.cpp")
+file(GLOB RPM_SRC "${CMAKE_SOURCE_DIR}/src/packages/rpm*.cpp")
+
+add_executable(sysInfoPackageLinuxParserRPM_unit_test
+    ${sysinfo_UNIT_TEST_SRC}
+    ${RPM_SRC}
+    ${PARSER_SRC})
+set_property(TARGET sysInfoPackageLinuxParserRPM_unit_test PROPERTY COMPILE_FLAGS "-Wno-unused-parameter")
+target_link_libraries(sysInfoPackageLinuxParserRPM_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    dl
+)
+
+add_test(NAME sysInfoPackageLinuxParserRPM_unit_test
+         COMMAND sysInfoPackageLinuxParserRPM_unit_test)
diff --git a/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/main.cpp b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/main.cpp
new file mode 100644
index 0000000000..2095dde077
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.cpp b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.cpp
new file mode 100644
index 0000000000..c532a3a381
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.cpp
@@ -0,0 +1,576 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sysInfoPackageLinuxParserRPM_test.hpp"
+#include "packages/packageLinuxDataRetriever.h"
+#include "packages/berkeleyRpmDbHelper.h"
+#include <rpm/header.h>
+#include <rpm/rpmdb.h>
+#include <rpm/rpmlib.h>
+#include <rpm/rpmts.h>
+#include <db.h>
+
+
+using ::testing::_;
+using ::testing::Return;
+using ::testing::DoAll;
+using ::testing::SetArgPointee;
+using ::testing::AnyNumber;
+
+class UtilsMock
+{
+    public:
+        MOCK_METHOD(std::string, exec, (const std::string&, const size_t));
+        MOCK_METHOD(bool, existsRegular, (const std::string& path));
+};
+
+static UtilsMock* gs_utils_mock = NULL;
+
+std::string UtilsWrapperLinux::exec(const std::string& cmd, const size_t bufferSize)
+{
+    return gs_utils_mock->exec(cmd, bufferSize);
+}
+bool UtilsWrapperLinux::existsRegular(const std::string& path)
+{
+    return gs_utils_mock->existsRegular(path);
+}
+
+class RpmLibMock
+{
+    public:
+        MOCK_METHOD(int, rpmReadConfigFiles, (const char* file, const char* target));
+        MOCK_METHOD(void, rpmFreeRpmrc, ());
+        MOCK_METHOD(rpmtd, rpmtdNew, ());
+        MOCK_METHOD(rpmtd, rpmtdFree, (rpmtd td));
+        MOCK_METHOD(rpmts, rpmtsCreate, ());
+        MOCK_METHOD(int, rpmtsOpenDB, (rpmts ts, int dbmode));
+        MOCK_METHOD(int, rpmtsCloseDB, (rpmts ts));
+        MOCK_METHOD(rpmts, rpmtsFree, (rpmts ts));
+        MOCK_METHOD(int, headerGet, (Header h, rpmTagVal tag, rpmtd td, headerGetFlags flags));
+        MOCK_METHOD(const char*, rpmtdGetString, (rpmtd td));
+        MOCK_METHOD(uint64_t, rpmtdGetNumber, (rpmtd td));
+        MOCK_METHOD(int, rpmtsRun, (rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet));
+        MOCK_METHOD(rpmdbMatchIterator, rpmtsInitIterator, (const rpmts ts, rpmDbiTagVal rpmtag, const void* keypointer, size_t keylen));
+        MOCK_METHOD(Header, rpmdbNextIterator, (rpmdbMatchIterator mi));
+        MOCK_METHOD(rpmdbMatchIterator, rpmdbFreeIterator, (rpmdbMatchIterator mi));
+};
+
+static RpmLibMock* gs_rpm_mock = NULL;
+
+int rpmReadConfigFiles(const char* file, const char* target)
+{
+    return gs_rpm_mock->rpmReadConfigFiles(file, target);
+}
+void rpmFreeRpmrc()
+{
+    gs_rpm_mock->rpmFreeRpmrc();
+}
+rpmtd rpmtdNew()
+{
+    return gs_rpm_mock->rpmtdNew();
+}
+rpmtd rpmtdFree(rpmtd td)
+{
+    return gs_rpm_mock->rpmtdFree(td);
+}
+rpmts rpmtsCreate()
+{
+    return gs_rpm_mock->rpmtsCreate();
+}
+int rpmtsOpenDB(rpmts ts, int dbmode)
+{
+    return gs_rpm_mock->rpmtsOpenDB(ts, dbmode);
+}
+int rpmtsCloseDB(rpmts ts)
+{
+    return gs_rpm_mock->rpmtsCloseDB(ts);
+}
+rpmts rpmtsFree(rpmts ts)
+{
+    return gs_rpm_mock->rpmtsFree(ts);
+}
+int headerGet(Header h, rpmTagVal tag, rpmtd td, headerGetFlags flags)
+{
+    return gs_rpm_mock->headerGet(h, tag, td, flags);
+}
+const char* rpmtdGetString(rpmtd td)
+{
+    return gs_rpm_mock->rpmtdGetString(td);
+}
+uint64_t rpmtdGetNumber(rpmtd td)
+{
+    return gs_rpm_mock->rpmtdGetNumber(td);
+}
+int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet)
+{
+    return gs_rpm_mock->rpmtsRun(ts, okProbs, ignoreSet);
+}
+rpmdbMatchIterator rpmtsInitIterator(const rpmts ts, rpmDbiTagVal rpmtag, const void* keypointer, size_t keylen)
+{
+    return gs_rpm_mock->rpmtsInitIterator(ts, rpmtag, keypointer, keylen);
+}
+Header rpmdbNextIterator(rpmdbMatchIterator mi)
+{
+    return gs_rpm_mock->rpmdbNextIterator(mi);
+}
+rpmdbMatchIterator rpmdbFreeIterator(rpmdbMatchIterator mi)
+{
+    return gs_rpm_mock->rpmdbFreeIterator(mi);
+}
+
+class LibDBMock
+{
+    public:
+        MOCK_METHOD(int, db_create, (DB**, DB_ENV*, u_int32_t));
+        MOCK_METHOD(char*, db_strerror, (int));
+        MOCK_METHOD(int, set_lorder, (DB*, int));
+        MOCK_METHOD(int, open, (DB*, DB_TXN*, const char*, const char*, DBTYPE, u_int32_t, int));
+        MOCK_METHOD(int, cursor, (DB*, DB_TXN*, DBC**, u_int32_t));
+        MOCK_METHOD(int, c_get, (DBC*, DBT*, DBT*, u_int32_t));
+        MOCK_METHOD(int, c_close, (DBC* cursor));
+        MOCK_METHOD(int, close, (DB*, u_int32_t));
+};
+
+static LibDBMock* gs_libdb_mock = NULL;
+
+int db_create(DB** dbp, DB_ENV* dbenv, u_int32_t flags)
+{
+    return gs_libdb_mock->db_create(dbp, dbenv, flags);
+}
+char* db_strerror(int error)
+{
+    return gs_libdb_mock->db_strerror(error);
+}
+int db_set_lorder(DB* dbp, int lorder)
+{
+    return gs_libdb_mock->set_lorder(dbp, lorder);
+}
+int db_open(DB* db, DB_TXN* txnid, const char* file, const char* database, DBTYPE type, u_int32_t flags, int mode)
+{
+    return gs_libdb_mock->open(db, txnid, file, database, type, flags, mode);
+}
+int db_cursor(DB* db, DB_TXN* txnid, DBC** cursorp, u_int32_t flags)
+{
+    return gs_libdb_mock->cursor(db, txnid, cursorp, flags);
+}
+int db_c_get(DBC* cursor, DBT* key, DBT* data, u_int32_t flags)
+{
+    return gs_libdb_mock->c_get(cursor, key, data, flags);
+}
+int db_c_close(DBC* cursor)
+{
+    return gs_libdb_mock->c_close(cursor);
+}
+int db_close(DB* db, u_int32_t flags)
+{
+    return gs_libdb_mock->close(db, flags);
+}
+
+class CallbackMock
+{
+    public:
+        CallbackMock() = default;
+        ~CallbackMock() = default;
+        MOCK_METHOD(void, callbackMock, (nlohmann::json&), ());
+};
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFromBerkleyDB)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"architecture":"amd64","description":"The Open Source Security Platform","format":"rpm","groups":"test","install_time":"5","name":"Wazuh","size":321,"vendor":"The Wazuh Team","version":"123:4.4-1","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto libdb_mock { std::make_unique<LibDBMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_libdb_mock = libdb_mock.get();
+
+    DB db {};
+    DBC cursor {};
+
+    db.set_lorder = db_set_lorder;
+    db.open = db_open;
+    db.cursor = db_cursor;
+    db.close = db_close;
+    cursor.c_get = db_c_get;
+    cursor.c_close = db_c_close;
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(true));
+    EXPECT_CALL(*libdb_mock, db_create(_, _, _)).Times(1).WillOnce(DoAll(SetArgPointee<0>(&db), Return(0)));
+    EXPECT_CALL(*libdb_mock, set_lorder(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, open(_, _, _, _, _, _, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, cursor(_, _, _, _)).Times(1).WillOnce(DoAll(SetArgPointee<2>(&cursor), Return(0)));
+
+    // Emulate data stored in database
+
+    std::string name { "Wazuh" };
+    std::string version { "4.4" };
+    std::string release { "1" };
+    int epoch { 123 };
+    std::string summary { "The Open Source Security Platform" };
+    int itime { 5 };
+    int size { 321 };
+    std::string vendor { "The Wazuh Team" };
+    std::string group { "test" };
+    std::string source { "github" };
+    std::string arch { "amd64" };
+
+    const auto total_fields {11};
+    const auto total_fields_len
+    {
+        (name.length() + version.length() + release.length() + summary.length() + vendor.length() + group.length() + source.length() + arch.length() + 9) +
+        (sizeof(epoch) + sizeof(itime) + sizeof(size))
+    };
+
+    const auto total_len {FIRST_ENTRY_OFFSET + ENTRY_SIZE* total_fields + total_fields_len + 1};
+
+    DBT data {}, key {};
+    char bytes[total_len] {};
+    int bytes_count {};
+
+    char* cp;
+    int* ip;
+
+    data.data = bytes;
+    data.size = total_len;
+
+    cp = bytes;
+
+    auto entry
+    {
+        [&cp, &bytes_count](int tag, int type, unsigned int len)
+        {
+            // Name
+            int32_t* tmp = reinterpret_cast<int32_t*>(cp);
+            *tmp = __builtin_bswap32(tag);
+            cp += sizeof(int32_t);
+            // type
+            tmp = reinterpret_cast<int32_t*>(cp);
+            *tmp = __builtin_bswap32(type);
+            cp += sizeof(int32_t);
+            //offset
+            tmp = reinterpret_cast<int32_t*>(cp);
+            *tmp = __builtin_bswap32(bytes_count);
+            bytes_count += len;
+            cp += sizeof(int32_t);
+            // unused data
+            cp += sizeof(int32_t);
+        }
+    };
+
+
+    auto content_string
+    {
+        [&cp](std::string value)
+        {
+            strcpy(cp, value.c_str());
+            cp += value.length() + 1;
+        }
+    };
+    auto content_int
+    {
+        [&cp](int value)
+        {
+            int32_t* tmp = reinterpret_cast<int32_t*>(cp);
+            *tmp = __builtin_bswap32(value);
+            cp += sizeof(int);
+        }
+    };
+
+
+    {
+        // Header
+        ip = reinterpret_cast<int32_t*>(cp);
+        *ip = __builtin_bswap32(total_fields);
+        cp += sizeof(int);
+        ip = reinterpret_cast<int32_t*>(cp);
+        *ip = __builtin_bswap32(total_fields_len);
+        cp += sizeof(int);
+    }
+
+    entry(TAG_NAME, STRING_TYPE, name.length() + 1);
+    entry(TAG_VERSION, STRING_TYPE, version.length() + 1);
+    entry(TAG_RELEASE, STRING_TYPE, release.length() + 1);
+    entry(TAG_EPOCH, INT32_TYPE, sizeof(epoch));
+    entry(TAG_SUMMARY, STRING_TYPE, summary.length() + 1);
+    entry(TAG_ITIME, INT32_TYPE, sizeof(itime));
+    entry(TAG_SIZE, INT32_TYPE, sizeof(size));
+    entry(TAG_VENDOR, STRING_TYPE, vendor.length() + 1);
+    entry(TAG_GROUP, STRING_TYPE, group.length() + 1);
+    entry(TAG_SOURCE, STRING_TYPE, source.length() + 1);
+    entry(TAG_ARCH, STRING_TYPE, arch.length() + 1);
+
+    content_string(name);
+    content_string(version);
+    content_string(release);
+    content_int(epoch);
+    content_string(summary);
+    content_int(itime);
+    content_int(size);
+    content_string(vendor);
+    content_string(group);
+    content_string(source);
+    content_string(arch);
+
+
+    EXPECT_CALL(*libdb_mock, c_get(_, _, _, _)).Times(3)
+    .WillOnce(DoAll(SetArgPointee<1>(key), SetArgPointee<2>(data), Return(0)))
+    .WillOnce(DoAll(SetArgPointee<1>(key), SetArgPointee<2>(data), Return(0)))
+    .WillOnce(Return(1));
+    EXPECT_CALL(*libdb_mock, c_close(_)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, close(_, _)).Times(1).WillOnce(Return(0));
+
+
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & packageInfo)
+    {
+        wrapper.callbackMock(packageInfo);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFromLibRPM)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"name":"1","architecture":"2","description":"3","size":4,"version":"5:7-6","vendor":"8","install_time":"9","groups":"10","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto rpm_mock { std::make_unique<RpmLibMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_rpm_mock = rpm_mock.get();
+    rpmts ts = (rpmts) 0x123;
+    rpmtd td = (rpmtd) 0x123;
+    rpmdbMatchIterator mi = (rpmdbMatchIterator) 0x123;
+    Header header = (Header) 0x123;
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(false));
+    EXPECT_CALL(*rpm_mock, rpmReadConfigFiles(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*rpm_mock, rpmtsCreate()).Times(1).WillOnce(Return(ts));
+
+
+    EXPECT_CALL(*rpm_mock, rpmtsOpenDB(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*rpm_mock, rpmtsRun(_, _, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*rpm_mock, rpmtdNew()).Times(1).WillOnce(Return(td));
+    EXPECT_CALL(*rpm_mock, rpmtsInitIterator(_, _, _, _)).Times(1).WillOnce(Return(mi));
+    EXPECT_CALL(*rpm_mock, rpmdbNextIterator(_)).WillOnce(Return(header)).WillOnce(Return(nullptr));
+    EXPECT_CALL(*rpm_mock, rpmtsCloseDB(_)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*rpm_mock, rpmtsFree(_)).Times(1).WillOnce(Return(nullptr));
+    EXPECT_CALL(*rpm_mock, rpmtdFree(_)).Times(1).WillOnce(Return(nullptr));
+    EXPECT_CALL(*rpm_mock, rpmdbFreeIterator(_)).Times(1).WillOnce(Return(nullptr));
+    EXPECT_CALL(*rpm_mock, rpmFreeRpmrc());
+
+    EXPECT_CALL(*rpm_mock, headerGet(_, _, _, _)).Times(AnyNumber()).WillRepeatedly(Return(1));
+
+    EXPECT_CALL(*rpm_mock, rpmtdGetString(_)) \
+    .WillOnce(Return("1")) \
+    .WillOnce(Return("7")) \
+    .WillOnce(Return("6")) \
+    .WillOnce(Return("summary")) \
+    .WillOnce(Return("8")) \
+    .WillOnce(Return("10")) \
+    .WillOnce(Return("source")) \
+    .WillOnce(Return("2")) \
+    .WillOnce(Return("3"));
+    EXPECT_CALL(*rpm_mock, rpmtdGetNumber(_)).WillOnce(Return(5)).WillOnce(Return(9)).WillOnce(Return(4));
+
+
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFallbackFromLibRPM)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"name":"1","architecture":"2","description":"3","size":4,"version":"5:7-6","vendor":"8","install_time":"9","groups":"10","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+    auto expectedPackage2 =
+        R"({"name":"11","architecture":"12","description":"13","size":14,"version":"15:17-16","vendor":"18","install_time":"19","groups":"20","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto rpm_mock { std::make_unique<RpmLibMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_rpm_mock = rpm_mock.get();
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(false));
+    EXPECT_CALL(*rpm_mock, rpmReadConfigFiles(_, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("1\t2\t3\t4\t5\t6\t7\t8\t9\t10\t\n11\t12\t13\t14\t15\t16\t17\t18\t19\t20\t\n"));
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage2)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFallbackFromBerkleyDBConfigError)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"name":"1","architecture":"2","description":"3","size":4,"version":"5:7-6","vendor":"8","install_time":"9","groups":"10","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+    auto expectedPackage2 =
+        R"({"name":"11","architecture":"12","description":"13","size":14,"version":"15:17-16","vendor":"18","install_time":"19","groups":"20","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto libdb_mock { std::make_unique<LibDBMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_libdb_mock = libdb_mock.get();
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(true));
+    EXPECT_CALL(*libdb_mock, db_create(_, _, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*libdb_mock, db_strerror(_)).Times(1).WillOnce(Return(const_cast<char*>("test")));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("1\t2\t3\t4\t5\t6\t7\t8\t9\t10\t\n11\t12\t13\t14\t15\t16\t17\t18\t19\t20\t\n"));
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage2)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFallbackFromBerkleyDBOpenError)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"name":"1","architecture":"2","description":"3","size":4,"version":"5:7-6","vendor":"8","install_time":"9","groups":"10","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+    auto expectedPackage2 =
+        R"({"name":"11","architecture":"12","description":"13","size":14,"version":"15:17-16","vendor":"18","install_time":"19","groups":"20","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto libdb_mock { std::make_unique<LibDBMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_libdb_mock = libdb_mock.get();
+
+    DB db {};
+
+    db.set_lorder = db_set_lorder;
+    db.open = db_open;
+    db.close = db_close;
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(true));
+    EXPECT_CALL(*libdb_mock, db_create(_, _, _)).Times(1).WillOnce(DoAll(SetArgPointee<0>(&db), Return(0)));
+    EXPECT_CALL(*libdb_mock, set_lorder(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, open(_, _, _, _, _, _, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*libdb_mock, db_strerror(_)).Times(1).WillOnce(Return(const_cast<char*>("test")));
+    EXPECT_CALL(*libdb_mock, close(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("1\t2\t3\t4\t5\t6\t7\t8\t9\t10\t\n11\t12\t13\t14\t15\t16\t17\t18\t19\t20\t\n"));
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage2)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, rpmFallbackFromBerkleyDBCursorError)
+{
+    CallbackMock wrapper;
+
+    auto expectedPackage1 =
+        R"({"name":"1","architecture":"2","description":"3","size":4,"version":"5:7-6","vendor":"8","install_time":"9","groups":"10","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+    auto expectedPackage2 =
+        R"({"name":"11","architecture":"12","description":"13","size":14,"version":"15:17-16","vendor":"18","install_time":"19","groups":"20","format":"rpm","location":" ","priority":" ","source":" "})"_json;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto libdb_mock { std::make_unique<LibDBMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_libdb_mock = libdb_mock.get();
+
+    DB db {};
+
+    db.set_lorder = db_set_lorder;
+    db.open = db_open;
+    db.close = db_close;
+    db.cursor = db_cursor;
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(true));
+    EXPECT_CALL(*libdb_mock, db_create(_, _, _)).Times(1).WillOnce(DoAll(SetArgPointee<0>(&db), Return(0)));
+    EXPECT_CALL(*libdb_mock, set_lorder(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, open(_, _, _, _, _, _, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*libdb_mock, cursor(_, _, _, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*libdb_mock, db_strerror(_)).Times(1).WillOnce(Return(const_cast<char*>("test")));
+    EXPECT_CALL(*libdb_mock, close(_, _)).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("1\t2\t3\t4\t5\t6\t7\t8\t9\t10\t\n11\t12\t13\t14\t15\t16\t17\t18\t19\t20\t\n"));
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedPackage2)).Times(1);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, emptyRpmFallback)
+{
+    CallbackMock wrapper;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto rpm_mock { std::make_unique<RpmLibMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_rpm_mock = rpm_mock.get();
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(false));
+    EXPECT_CALL(*rpm_mock, rpmReadConfigFiles(_, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(wrapper, callbackMock(_)).Times(0);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+}
+
+TEST(SysInfoPackageLinuxParserRPM_test, invalidPackageParsingRpmFallback)
+{
+    CallbackMock wrapper;
+
+    auto utils_mock { std::make_unique<UtilsMock>() };
+    auto rpm_mock { std::make_unique<RpmLibMock>() };
+    auto libdb_mock { std::make_unique<LibDBMock>() };
+
+    gs_utils_mock = utils_mock.get();
+    gs_rpm_mock = rpm_mock.get();
+
+    EXPECT_CALL(*utils_mock, existsRegular(_)).Times(1).WillOnce(Return(false));
+    EXPECT_CALL(*rpm_mock, rpmReadConfigFiles(_, _)).Times(1).WillOnce(Return(1));
+    EXPECT_CALL(*utils_mock, exec(_, _)).Times(1).WillOnce(Return("this is not a valid rpm -qa output"));
+    EXPECT_CALL(wrapper, callbackMock(_)).Times(0);
+
+    getRpmInfo([&wrapper](nlohmann::json & data)
+    {
+        wrapper.callbackMock(data);
+    });
+}
diff --git a/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.hpp b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.hpp
new file mode 100644
index 0000000000..267c352e07
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackageLinuxParserRpm/sysInfoPackageLinuxParserRPM_test.hpp
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 17, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PACKAGES_LINUX_PARSER_RPM_TEST_H
+#define _SYSINFO_PACKAGES_LINUX_PARSER_RPM_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoPackagesLinuxParserRPMTest : public ::testing::Test
+{
+    protected:
+
+        SysInfoPackagesLinuxParserRPMTest() = default;
+        virtual ~SysInfoPackagesLinuxParserRPMTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PACKAGES_LINUX_PARSER_RPM_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoPackages/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackages/CMakeLists.txt
new file mode 100644
index 0000000000..ea4aff7097
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/CMakeLists.txt
@@ -0,0 +1,28 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoPackages_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/src/packages)
+include_directories(${CMAKE_SOURCE_DIR}/../shared_modules/utils/tests/mocks)
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+add_executable(sysInfoPackages_unit_test
+    ${sysinfo_UNIT_TEST_SRC})
+
+target_link_libraries(sysInfoPackages_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+)
+
+add_test(NAME sysInfoPackages_unit_test COMMAND sysInfoPackages_unit_test)
diff --git a/src/common/data_provider/tests/sysInfoPackages/main.cpp b/src/common/data_provider/tests/sysInfoPackages/main.cpp
new file mode 100644
index 0000000000..20f93fb38f
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.cpp b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.cpp
new file mode 100644
index 0000000000..2be6c2a71c
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.cpp
@@ -0,0 +1,184 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoPackagesNPM_test.hpp"
+
+using testing::_;
+using testing::Return;
+using testing::ReturnRef;
+
+TEST_F(NPMTest, getPackages_ValidPackagesTest)
+{
+    std::vector<std::filesystem::path> fakePackages = {"/fake/node_modules/package1", "/fake/node_modules/package2"};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillRepeatedly(Return(fakePackages));
+
+    nlohmann::json fakePackageJson1 = {{"name", "TestPackage1"}, {"version", "1.0.0"}};
+    nlohmann::json fakePackageJson2 = {{"name", "TestPackage2"}, {"version", "2.0.0"}};
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package1/package.json")))
+    .WillOnce(Return(fakePackageJson1));
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package2/package.json")))
+    .WillOnce(Return(fakePackageJson2));
+
+    bool foundPackage1 = false;
+    bool foundPackage2 = false;
+
+    auto callback = [&](nlohmann::json & json)
+    {
+        if (json.at("name") == "TestPackage1" && json.at("version") == "1.0.0")
+        {
+            foundPackage1 = true;
+        }
+        else if (json.at("name") == "TestPackage2" && json.at("version") == "2.0.0")
+        {
+            foundPackage2 = true;
+        }
+    };
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders, callback);
+
+    EXPECT_TRUE(foundPackage1);
+    EXPECT_TRUE(foundPackage2);
+}
+
+TEST_F(NPMTest, getPackages_NoPackagesFoundTest)
+{
+    std::vector<std::filesystem::path> fakePackages = {};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillRepeatedly(Return(fakePackages));
+
+    bool callbackCalled = false;
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders, [&](nlohmann::json&)
+    {
+        callbackCalled = true;
+    });
+
+    EXPECT_FALSE(callbackCalled);
+}
+
+TEST_F(NPMTest, getPackages_NoPackageJsonTest)
+{
+    std::vector<std::filesystem::path> fakePackages = {"/fake/node_modules/package1"};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillRepeatedly(Return(fakePackages));
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package1/package.json")))
+    .WillOnce(Return(nlohmann::json()));
+
+    bool callbackCalled = false;
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders, [&](nlohmann::json&)
+    {
+        callbackCalled = true;
+    });
+
+    EXPECT_FALSE(callbackCalled);
+}
+
+TEST_F(NPMTest, getPackages_InvalidPackageJsonNameTest)
+{
+    std::vector<std::filesystem::path> fakePackages = {"/fake/node_modules/package1"};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillRepeatedly(Return(fakePackages));
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package1/package.json")))
+    .WillOnce(Return(nlohmann::json::parse(R"({"name": 1})")));
+
+    bool callbackCalled = false;
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders, [&](nlohmann::json&)
+    {
+        callbackCalled = true;
+    });
+
+    EXPECT_FALSE(callbackCalled);
+}
+
+TEST_F(NPMTest, getPackages_InvalidPackageJsonVersionTest)
+{
+    std::vector<std::filesystem::path> fakePackages = {"/fake/node_modules/package1"};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillRepeatedly(Return(fakePackages));
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package1/package.json")))
+    .WillOnce(Return(nlohmann::json::parse(R"({"name": "TestPackage1", "version": 1})")));
+
+    bool callbackCalled = false;
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders, [&](nlohmann::json&)
+    {
+        callbackCalled = true;
+    });
+
+    EXPECT_FALSE(callbackCalled);
+}
+
+TEST_F(NPMTest, getPackages_ValidPackageJson2Test)
+{
+    std::vector<std::filesystem::path> fakePackages = {"/fake/node_modules/package1", "/fake/node_modules/package2"};
+
+    EXPECT_CALL(*npm, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*npm, directory_iterator(_)).WillOnce(Return(fakePackages));
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package1/package.json")))
+    .WillOnce(Return(nlohmann::json::parse(R"({"name": "TestPackage1", "version": "1.0.0"})")));
+
+    EXPECT_CALL(*npm, readJson(std::filesystem::path("/fake/node_modules/package2/package.json")))
+    .WillOnce(Return(nlohmann::json::parse(R"({"name": "TestPackage2", "version": "1.0.0"})")));
+
+    bool callbackCalledFirst = false;
+    bool callbackCalledSecond = false;
+
+    std::set<std::string> folders = {"/fake"};
+
+    npm->getPackages(folders,
+                     [&](nlohmann::json & j)
+    {
+        if (j.at("name") == "TestPackage1" && j.at("version") == "1.0.0")
+        {
+            callbackCalledFirst = true;
+        }
+        else if (j.at("name") == "TestPackage2" && j.at("version") == "1.0.0")
+        {
+            callbackCalledSecond = true;
+        }
+        else
+        {
+            FAIL();
+        }
+    });
+
+    EXPECT_TRUE(callbackCalledFirst);
+    EXPECT_TRUE(callbackCalledSecond);
+}
+
diff --git a/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.hpp b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.hpp
new file mode 100644
index 0000000000..de7d7d4da8
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesNPM_test.hpp
@@ -0,0 +1,38 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NPMTEST_HPP
+#define _NPMTEST_HPP
+
+#include "gtest/gtest.h"
+#include "MockFileSystem.hpp"
+#include "MockJsonIO.hpp"
+#include "packagesNPM.hpp"
+
+class NPMTest : public ::testing::Test
+{
+    protected:
+        std::unique_ptr<NPM<MockFileSystem<std::vector<std::filesystem::path>>, MockJsonIO>> npm;
+
+        void SetUp() override
+        {
+            npm = std::make_unique<NPM<MockFileSystem<std::vector<std::filesystem::path>>, MockJsonIO>>();
+        }
+
+        void TearDown() override
+        {
+            npm.reset();
+        }
+};
+
+
+
+#endif // _NPMTEST_HPP
diff --git a/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.cpp b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.cpp
new file mode 100644
index 0000000000..1e9557d927
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.cpp
@@ -0,0 +1,394 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoPackagesPYPI_test.hpp"
+
+using testing::_;
+using testing::Return;
+using testing::ReturnRef;
+
+TEST_F(PYPITest, getPackagesTest)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/file1", "/fake/dir/file2", "/fake/dir/file3"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+
+    EXPECT_CALL(*pypi, is_directory(_))
+    .WillRepeatedly(Return(true));
+
+    EXPECT_CALL(*pypi, directory_iterator(_))
+    .WillRepeatedly(Return(fakeFiles));
+
+    EXPECT_CALL(*pypi, readLineByLine(_, _))
+    .WillRepeatedly(Return());
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_NoFilesInDirectoryTest)
+{
+    std::vector<std::filesystem::path> fakeFiles = {};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_NonDirectoryPathTest)
+{
+    EXPECT_CALL(*pypi, exists(_))
+    .WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_))
+    .WillRepeatedly(Return(false));
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+    pypi->getPackages(folders, callback);
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_OneValidPackageTestEggInfo)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/egg-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {"Name: TestPackage", "Version: 1.0.0"};
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/egg-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_EQ(capturedJson.at("name"), "TestPackage");
+    EXPECT_EQ(capturedJson.at("version"), "1.0.0");
+}
+
+TEST_F(PYPITest, getPackages_OneValidPackageTestNoRegularFileDistInfo)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(false));
+
+    std::vector<std::string> fakePackageLines = {"Name: TestPackage", "Version: 1.0.0"};
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/dist-info/METADATA"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_EQ(capturedJson.at("name"), "TestPackage");
+    EXPECT_EQ(capturedJson.at("version"), "1.0.0");
+}
+
+TEST_F(PYPITest, getPackages_OneValidPackageTestDistInfo)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {"Name: TestPackage", "Version: 1.0.0"};
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/dist-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_EQ(capturedJson.at("name"), "TestPackage");
+    EXPECT_EQ(capturedJson.at("version"), "1.0.0");
+}
+
+TEST_F(PYPITest, getPackages_OneValidPackageTestNoRegularFileEggInfo)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/egg-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(false));
+
+    std::vector<std::string> fakePackageLines = {"Name: TestPackage", "Version: 1.0.0"};
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/egg-info/PKG-INFO"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_EQ(capturedJson.at("name"), "TestPackage");
+    EXPECT_EQ(capturedJson.at("version"), "1.0.0");
+}
+
+
+TEST_F(PYPITest, getPackages_MultipleValidPackagesTest)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir1/egg-info", "/fake/dir2/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines1 = {"Name: TestPackage1", "Version: 1.0.0"};
+    std::vector<std::string> fakePackageLines2 = {"Name: TestPackage2", "Version: 2.0.0"};
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir1/egg-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines1)
+        {
+            callback(line);
+        }
+    });
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir2/dist-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines2)
+        {
+            callback(line);
+        }
+    });
+
+    bool foundPackage1 = false;
+    bool foundPackage2 = false;
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & json)
+    {
+        if (json.at("name") == "TestPackage1" && json.at("version") == "1.0.0")
+        {
+            foundPackage1 = true;
+        }
+        else if (json.at("name") == "TestPackage2" && json.at("version") == "2.0.0")
+        {
+            foundPackage2 = true;
+        }
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(foundPackage1);
+    EXPECT_TRUE(foundPackage2);
+}
+
+TEST_F(PYPITest, getPackages_InvalidPackageTest_NoLines)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/egg-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {};
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/egg-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_InvalidPackageTest_InvalidLines)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {"Invalid: TestPackage", "Invalid: 1.0.0"};
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/dist-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_InvalidPackageTest_MissingName)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {"Version: 1.0.0"};
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/dist-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    EXPECT_TRUE(capturedJson.empty());
+}
+
+TEST_F(PYPITest, getPackages_InvalidPackageTest_MissingVersion)
+{
+    std::vector<std::filesystem::path> fakeFiles = {"/fake/dir/dist-info"};
+
+    EXPECT_CALL(*pypi, exists(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, is_directory(_)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*pypi, directory_iterator(_)).WillRepeatedly(Return(fakeFiles));
+    EXPECT_CALL(*pypi, is_regular_file(_)).WillRepeatedly(Return(true));
+
+    std::vector<std::string> fakePackageLines = {"Name: TestPackage"};
+
+    EXPECT_CALL(*pypi, readLineByLine(std::filesystem::path("/fake/dir/dist-info"), _)).WillOnce([&](const std::filesystem::path&, const std::function<bool(const std::string&)>& callback)
+    {
+        for (const auto& line : fakePackageLines)
+        {
+            callback(line);
+        }
+    });
+
+    nlohmann::json capturedJson;
+    auto callback = [&](nlohmann::json & j)
+    {
+        capturedJson = j;
+    };
+
+    std::set<std::string> folders = { "/usr/local/lib/python3.9/site-packages" };
+
+    pypi->getPackages(folders, callback);
+
+    std::cout << capturedJson.dump(4) << std::endl;
+    EXPECT_TRUE(capturedJson.empty());
+}
diff --git a/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.hpp b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.hpp
new file mode 100644
index 0000000000..9b4985e292
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackages/sysInfoPackagesPYPI_test.hpp
@@ -0,0 +1,36 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PYPITEST_HPP
+#define _PYPITEST_HPP
+
+#include "gtest/gtest.h"
+#include "MockFileSystem.hpp"
+#include "MockFileIO.hpp"
+#include "packagesPYPI.hpp"
+
+class PYPITest : public ::testing::Test
+{
+    protected:
+        std::unique_ptr<PYPI<MockFileSystem<std::vector<std::filesystem::path>>, MockFileIO>> pypi;
+
+        void SetUp() override
+        {
+            pypi = std::make_unique<PYPI<MockFileSystem<std::vector<std::filesystem::path>>, MockFileIO>>();
+        }
+
+        void TearDown() override
+        {
+            pypi.reset();
+        }
+};
+
+#endif // _PYPITEST_HPP
diff --git a/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/CMakeLists.txt
new file mode 100644
index 0000000000..96a4b131cf
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/CMakeLists.txt
@@ -0,0 +1,30 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoPackagesBerkeleyDB_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+add_executable(sysInfoPackagesBerkeleyDB_unit_test
+    ${sysinfo_UNIT_TEST_SRC})
+
+target_link_libraries(sysInfoPackagesBerkeleyDB_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    proc
+    dl
+)
+
+add_test(NAME sysInfoPackagesBerkeleyDB_unit_test
+         COMMAND sysInfoPackagesBerkeleyDB_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/main.cpp b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/main.cpp
new file mode 100644
index 0000000000..bf3d6b13da
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.cpp b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.cpp
new file mode 100644
index 0000000000..4b20a5911e
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.cpp
@@ -0,0 +1,304 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoPackagesBerkeleyDB_test.h"
+#include "packages/berkeleyRpmDbHelper.h"
+
+using ::testing::_;
+using ::testing::Return;
+using ::testing::DoAll;
+using ::testing::SetArgReferee;
+
+void SysInfoPackagesBerkeleyDBTest::SetUp() {};
+void SysInfoPackagesBerkeleyDBTest::TearDown() {};
+
+class BerkeleyDbWrapperMock final : public IBerkeleyDbWrapper
+{
+    public:
+        BerkeleyDbWrapperMock() = default;
+        virtual ~BerkeleyDbWrapperMock() = default;
+        MOCK_METHOD(int32_t, getRow, (DBT& key, DBT& data), (override));
+};
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, EmptyTable)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(2)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(1)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    reader.getNext();
+}
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, EmptyTableTwoCallsCheckHeaderOmit)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(3)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(1)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(1)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    reader.getNext();
+    reader.getNext();
+}
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, TableTwoCallsCheckOutput)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+    char bytes[FIRST_ENTRY_OFFSET + ENTRY_SIZE * 3 + 6 + 13 + 4 + 1];
+    memset(bytes, 0, sizeof(bytes));
+    char* cp;
+    int* ip;
+
+    data.data = bytes;
+    data.size = FIRST_ENTRY_OFFSET + ENTRY_SIZE * 3 + 6 + 13 + 4;
+
+    cp = (char*) bytes;
+
+    // index lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(3);
+    cp += 4;
+
+    // Data lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(23);
+    cp += 4;
+
+    // Name
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(TAG_NAME);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(STRING_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = 0;
+    cp += 4;
+
+    // unused data
+    cp += 4;
+
+    // Description
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(TAG_SUMMARY);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(STRING_VECTOR_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(6);
+    cp += 4;
+
+    cp += 4;
+
+    // size
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(TAG_SIZE);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(INT32_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(19);
+    cp += 4;
+
+    cp += 4;
+
+    strcpy(cp, "Wazuh");
+    cp += 6;
+
+    strcpy(cp, "The Best EDR");
+    cp += 13;
+
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(1);
+    cp += 4;
+
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(2)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    EXPECT_EQ("Wazuh\t\tThe Best EDR\t1\t\t\t\t\t\t\t\n", reader.getNext());
+}
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, TableTwoCallsCheckOutputWithMissingTag)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+    char bytes[FIRST_ENTRY_OFFSET + ENTRY_SIZE * 3 + 6 + 13 + 4 + 1];
+    memset(bytes, 0, sizeof(bytes));
+    char* cp;
+    int* ip;
+
+    data.data = bytes;
+    data.size = FIRST_ENTRY_OFFSET + ENTRY_SIZE * 3 + 6 + 13 + 4;
+
+    cp = (char*) bytes;
+
+    // index lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(3);
+    cp += 4;
+
+    // Data lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(23);
+    cp += 4;
+
+    // Name
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(TAG_NAME);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(STRING_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = 0;
+    cp += 4;
+
+    // unused data
+    cp += 4;
+
+    // Description
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(0);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(STRING_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(6);
+    cp += 4;
+
+    cp += 4;
+
+    // size
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(TAG_SIZE);
+    cp += 4;
+
+    // type
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(INT32_TYPE);
+    cp += 4;
+
+    //offset
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(19);
+    cp += 4;
+
+    cp += 4;
+
+    strcpy(cp, "Wazuh");
+    cp += 6;
+
+    strcpy(cp, "The Best EDR");
+    cp += 13;
+
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(1);
+    cp += 4;
+
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(2)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    EXPECT_EQ("Wazuh\t\t\t1\t\t\t\t\t\t\t\n", reader.getNext());
+}
+
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, TableTwoCallsCheckOutputNoHeader)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+
+    data.data = nullptr;
+    data.size = 4;
+
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(2)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    EXPECT_TRUE(reader.getNext().empty());
+}
+
+TEST_F(SysInfoPackagesBerkeleyDBTest, TableTwoCallsCheckOutputHeaderWithNoData)
+{
+    DBT data, key;
+    memset(&key, 0, sizeof(key));
+    memset(&data, 0, sizeof(data));
+    char bytes[FIRST_ENTRY_OFFSET + 1];
+    memset(bytes, 0, sizeof(bytes));
+    char* cp;
+    int* ip;
+
+    data.data = bytes;
+    data.size = 8;
+
+    cp = (char*) bytes;
+
+    // index lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(3);
+    cp += 4;
+
+    // Data lenght
+    ip = (int32_t*)cp;
+    *ip = __builtin_bswap32(23);
+    cp += 4;
+
+    const auto& dbWrapper { std::make_shared<BerkeleyDbWrapperMock>() };
+    EXPECT_CALL(*dbWrapper, getRow(_, _))
+    .Times(2)
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)))
+    .WillOnce(DoAll(SetArgReferee<0>(key), SetArgReferee<1>(data), Return(0)));
+    BerkeleyRpmDBReader reader(dbWrapper);
+    EXPECT_TRUE(reader.getNext().empty());
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.h b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.h
new file mode 100644
index 0000000000..7b3d97b876
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesBerkeleyDB/sysInfoPackagesBerkeleyDB_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
+#define _SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoPackagesBerkeleyDBTest : public ::testing::Test
+{
+    protected:
+
+        SysInfoPackagesBerkeleyDBTest() = default;
+        virtual ~SysInfoPackagesBerkeleyDBTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/CMakeLists.txt
new file mode 100644
index 0000000000..e551503966
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/CMakeLists.txt
@@ -0,0 +1,34 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoPackagesLinuxHelper_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+add_executable(sysInfoPackagesLinuxHelper_unit_test
+    ${sysinfo_UNIT_TEST_SRC})
+
+target_link_libraries(sysInfoPackagesLinuxHelper_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    alpm
+    archive
+    ssl
+    crypto
+    cjson
+    proc
+    dl
+)
+
+add_test(NAME sysInfoPackagesLinuxHelper_unit_test
+         COMMAND sysInfoPackagesLinuxHelper_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/main.cpp b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.cpp b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.cpp
new file mode 100644
index 0000000000..c18cb3bea7
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.cpp
@@ -0,0 +1,747 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoPackagesLinuxHelper_test.h"
+#include "packages/packageLinuxParserHelper.h"
+#include "packages/packageLinuxParserHelperExtra.h"
+#include "packages/packageLinuxRpmParserHelper.h"
+#include "packages/packageLinuxRpmParserHelperLegacy.h"
+#include "packages/packageLinuxApkParserHelper.h"
+#include "packages/rpmPackageManager.h"
+#include <alpm.h>
+#include <package.h>
+#include <handle.h>
+#include "sharedDefs.h"
+
+using ::testing::_;
+using ::testing::Return;
+
+void SysInfoPackagesLinuxHelperTest::SetUp() {};
+void SysInfoPackagesLinuxHelperTest::TearDown() {};
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformation)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t3\t24.el5\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("3:1.5-24.el5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationLibRpm)
+{
+    RpmPackageManager::Package input;
+    input.name = "mktemp";
+    input.size = 15432;
+    input.installTime = "1425472738";
+    input.group = "System Environment/Base";
+    input.version = "1.5";
+    input.architecture = "x86_64";
+    input.vendor = "CentOS";
+    input.description = "A small utility for safely making /tmp files.";
+    input.epoch = 3;
+    input.release = "24.el5";
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(input) };
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("3:1.5-24.el5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationGPG)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "gpg-pubkey\tx86_64\tA small utility for safely making /tmp files.\t15432\t3\t24.el5\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_TRUE(jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationGPGLibRPM)
+{
+    RpmPackageManager::Package input;
+    input.name = "gpg-pubkey";
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(input) };
+    EXPECT_TRUE(jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationUnknownInEmpty)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "curl\t\t\t\t\t\t\t\t\t\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("curl", jsPackageInfo["name"]);
+    EXPECT_EQ(0, jsPackageInfo["size"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["install_time"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["groups"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["version"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["vendor"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["description"]);
+}
+
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonEpoch)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t\t24.el5\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("1.5-24.el5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmNoEpochNoReleaseLibRpm)
+{
+    RpmPackageManager::Package input;
+    input.name = "mktemp";
+    input.size = 15432;
+    input.installTime = "1425472738";
+    input.group = "System Environment/Base";
+    input.version = "4.16";
+    input.architecture = "x86_64";
+    input.vendor = "CentOS";
+    input.description = "A small utility for safely making /tmp files.";
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(input) };
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("4.16", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmNoEpochLibRpm)
+{
+    RpmPackageManager::Package input;
+    input.name = "mktemp";
+    input.size = 15432;
+    input.installTime = "1425472738";
+    input.group = "System Environment/Base";
+    input.version = "4.16";
+    input.architecture = "x86_64";
+    input.vendor = "CentOS";
+    input.description = "A small utility for safely making /tmp files.";
+    input.epoch = 1;
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(input) };
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("1:4.16", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonEpochNonRelease)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t\t\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("1.5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonRelease)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t3\t\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("3:1.5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonEpochWithNone)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t(none)\t24.el5\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("1.5-24.el5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonReleaseWithNone)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t3\t(none)\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("3:1.5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseRpmInformationNonEpochNonReleaseWithNone)
+{
+    constexpr auto RPM_PACKAGE_CENTOS
+    {
+        "mktemp\tx86_64\tA small utility for safely making /tmp files.\t15432\t(none)\t(none)\t1.5\tCentOS\t1425472738\tSystem Environment/Base\t"
+    };
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseRpm(RPM_PACKAGE_CENTOS) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("mktemp", jsPackageInfo["name"]);
+    EXPECT_EQ(15432, jsPackageInfo["size"]);
+    EXPECT_EQ("1425472738", jsPackageInfo["install_time"]);
+    EXPECT_EQ("System Environment/Base", jsPackageInfo["groups"]);
+    EXPECT_EQ("1.5", jsPackageInfo["version"]);
+    EXPECT_EQ("x86_64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("rpm", jsPackageInfo["format"]);
+    EXPECT_EQ("CentOS", jsPackageInfo["vendor"]);
+    EXPECT_EQ("A small utility for safely making /tmp files.", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseDpkgInformation)
+{
+    constexpr auto PACKAGE_INFO     {"Package: zlib1g-dev"};
+    constexpr auto STATUS_INFO      {"Status: install ok installed"};
+    constexpr auto PRIORITY_INFO    {"Priority: optional"};
+    constexpr auto SECTION_INFO     {"Section: libdevel"};
+    constexpr auto SIZE_INFO        {"Installed-Size: 591"};
+    constexpr auto VENDOR_INFO      {"Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>"};
+    constexpr auto ARCH_INFO        {"Architecture: amd64"};
+    constexpr auto MULTIARCH_INFO   {"Multi-Arch: same"};
+    constexpr auto SOURCE_INFO      {"Source: zlib"};
+    constexpr auto VERSION_INFO     {"Version: 1:1.2.11.dfsg-2ubuntu1.2"};
+    constexpr auto DESCRIPTION_INFO
+    {
+        "Description: compression library - development\n\
+         zlib is a library implementing the deflate compression method found\n\
+         in gzip and PKZIP.  This package includes the development support\n\
+         files."
+    };
+    std::vector<std::string> packagesList;
+    packagesList.push_back(PACKAGE_INFO);
+    packagesList.push_back(STATUS_INFO);
+    packagesList.push_back(PRIORITY_INFO);
+    packagesList.push_back(SECTION_INFO);
+    packagesList.push_back(SIZE_INFO);
+    packagesList.push_back(VENDOR_INFO);
+    packagesList.push_back(ARCH_INFO);
+    packagesList.push_back(MULTIARCH_INFO);
+    packagesList.push_back(SOURCE_INFO);
+    packagesList.push_back(VERSION_INFO);
+    packagesList.push_back(DESCRIPTION_INFO);
+    const auto& jsPackageInfo { PackageLinuxHelper::parseDpkg(packagesList) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("zlib1g-dev", jsPackageInfo["name"]);
+    EXPECT_EQ("optional", jsPackageInfo["priority"]);
+    EXPECT_EQ(591, jsPackageInfo["size"]);
+    EXPECT_EQ("libdevel", jsPackageInfo["groups"]);
+    EXPECT_EQ("same", jsPackageInfo["multiarch"]);
+    EXPECT_EQ("1:1.2.11.dfsg-2ubuntu1.2", jsPackageInfo["version"]);
+    EXPECT_EQ("amd64", jsPackageInfo["architecture"]);
+    EXPECT_EQ("deb", jsPackageInfo["format"]);
+    EXPECT_EQ("Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", jsPackageInfo["vendor"]);
+    EXPECT_EQ("compression library - development", jsPackageInfo["description"]);
+    EXPECT_EQ("zlib", jsPackageInfo["source"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parsePacmanInformation)
+{
+    __alpm_list_t   mock        {};
+    __alpm_pkg_t    data        {};
+    __alpm_handle_t dataHandle  {};
+    __alpm_list_t   dataGroups  {};
+
+    constexpr auto PKG_GROUP    {"wazuh"};
+    constexpr auto PKG_ARCH     {"x86_64"};
+    constexpr auto PKG_NAME     {"firefox"};
+    constexpr auto PKG_DESC     {"Standalone web browser from mozilla.org"};
+    constexpr auto PKG_VERSION  {"86.0-2"};
+
+    data.handle        = &dataHandle;
+    data.groups        = &dataGroups;
+    data.isize         = 1;
+    data.installdate   = 0;
+    data.groups->next  = nullptr;
+    data.name          = const_cast<char*>(PKG_NAME);
+    data.groups->data  = const_cast<char*>(PKG_GROUP);
+    data.version       = const_cast<char*>(PKG_VERSION);
+    data.arch          = const_cast<char*>(PKG_ARCH);
+    data.desc          = const_cast<char*>(PKG_DESC);
+    mock.data          = &data;
+    data.ops           = &default_pkg_ops;
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parsePacman(&mock) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ(PKG_NAME, jsPackageInfo["name"]);
+    EXPECT_EQ(1, jsPackageInfo["size"]);
+    EXPECT_EQ("1970/01/01 00:00:00", jsPackageInfo["install_time"]);
+    EXPECT_EQ(PKG_GROUP, jsPackageInfo["groups"]);
+    EXPECT_EQ(PKG_VERSION, jsPackageInfo["version"]);
+    EXPECT_EQ(PKG_ARCH, jsPackageInfo["architecture"]);
+    EXPECT_EQ("pacman", jsPackageInfo["format"]);
+    EXPECT_EQ("Arch Linux", jsPackageInfo["vendor"]);
+    EXPECT_EQ(PKG_DESC, jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parsePacmanMultipleGroups)
+{
+    __alpm_list_t   mock            {};
+    __alpm_pkg_t    data            {};
+    __alpm_handle_t dataHandle      {};
+    __alpm_list_t   dataFirstGroup  {};
+    __alpm_list_t   dataSecondGroup {};
+    __alpm_list_t   dataThirdGroup  {};
+    __alpm_list_t   dataFourthGroup {};
+
+    dataFirstGroup.data    = const_cast<char*>("Wazuh");
+    dataFirstGroup.next    = &dataSecondGroup;
+    dataSecondGroup.data   = const_cast<char*>("test");
+    dataSecondGroup.next   = &dataThirdGroup;
+    dataThirdGroup.data    = const_cast<char*>("Arch");
+    dataThirdGroup.next    = &dataFourthGroup;
+    dataFourthGroup.data   = const_cast<char*>("lorem");
+    dataFourthGroup.next   = nullptr;
+
+    data.isize             = 0;
+    data.installdate       = 0;
+    data.name              = nullptr;
+    data.version           = nullptr;
+    data.arch              = nullptr;
+    data.desc              = nullptr;
+    data.handle            = &dataHandle;
+    data.groups            = &dataFirstGroup;
+    mock.data              = &data;
+    data.ops               = &default_pkg_ops;
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parsePacman(&mock) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("Wazuh-test-Arch-lorem", jsPackageInfo["groups"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parsePacmanInformationNull)
+{
+    __alpm_list_t   mock        {};
+    __alpm_pkg_t    data        {};
+    __alpm_handle_t dataHandle  {};
+    __alpm_list_t   dataGroups  {};
+
+    data.handle        = &dataHandle;
+    data.groups        = &dataGroups;
+    data.isize         = 0;
+    data.installdate   = 0;
+    data.groups->next  = nullptr;
+    data.name          = nullptr;
+    data.groups->data  = nullptr;
+    data.version       = nullptr;
+    data.arch          = nullptr;
+    data.desc          = nullptr;
+    mock.data          = &data;
+    data.ops           = &default_pkg_ops;
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parsePacman(&mock) };
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("", jsPackageInfo["name"]);
+    EXPECT_EQ(0, jsPackageInfo["size"]);
+    EXPECT_EQ("1970/01/01 00:00:00", jsPackageInfo["install_time"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["groups"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["version"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["architecture"]);
+    EXPECT_EQ("pacman", jsPackageInfo["format"]);
+    EXPECT_EQ("Arch Linux", jsPackageInfo["vendor"]);
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkNameKeyNotFound)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('V', "1.2.3-r4"));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ(true, jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkVersionKeyNotFound)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', "musl"));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ(true, jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkArchitectureKeyNotFound)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', "musl"));
+    input.push_back(std::pair<char, std::string>('V', "1.2.3-r4"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ("musl", jsPackageInfo.at("name"));
+    EXPECT_EQ("1.2.3-r4", jsPackageInfo.at("version"));
+    EXPECT_EQ(UNKNOWN_VALUE, jsPackageInfo.at("architecture"));
+    EXPECT_EQ(634880, jsPackageInfo.at("size"));
+    EXPECT_EQ("the musl c library (libc) implementation", jsPackageInfo.at("description"));
+    EXPECT_EQ("apk", jsPackageInfo.at("format"));
+    EXPECT_EQ("Alpine Linux", jsPackageInfo.at("vendor"));
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkNameValueEmpty)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', ""));
+    input.push_back(std::pair<char, std::string>('V', "1.2.3-r4"));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ(true, jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkVersionValueEmpty)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', "musl"));
+    input.push_back(std::pair<char, std::string>('V', ""));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ(true, jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkSizeValueEmpty)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', "musl"));
+    input.push_back(std::pair<char, std::string>('V', "1.2.3-r4"));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', ""));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ("musl", jsPackageInfo.at("name"));
+    EXPECT_EQ("1.2.3-r4", jsPackageInfo.at("version"));
+    EXPECT_EQ("x86_64", jsPackageInfo.at("architecture"));
+    EXPECT_EQ(0, jsPackageInfo.at("size"));
+    EXPECT_EQ("the musl c library (libc) implementation", jsPackageInfo.at("description"));
+    EXPECT_EQ("apk", jsPackageInfo.at("format"));
+    EXPECT_EQ("Alpine Linux", jsPackageInfo.at("vendor"));
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseApkSuccess)
+{
+    std::vector<std::pair<char, std::string>> input;
+    input.push_back(std::pair<char, std::string>('P', "musl"));
+    input.push_back(std::pair<char, std::string>('V', "1.2.3-r4"));
+    input.push_back(std::pair<char, std::string>('A', "x86_64"));
+    input.push_back(std::pair<char, std::string>('I', "634880"));
+    input.push_back(std::pair<char, std::string>('T', "the musl c library (libc) implementation"));
+
+    const auto& jsPackageInfo { PackageLinuxHelper::parseApk(input) };
+    EXPECT_EQ("musl", jsPackageInfo.at("name"));
+    EXPECT_EQ("1.2.3-r4", jsPackageInfo.at("version"));
+    EXPECT_EQ(634880, jsPackageInfo.at("size"));
+    EXPECT_EQ("the musl c library (libc) implementation", jsPackageInfo.at("description"));
+    EXPECT_EQ("apk", jsPackageInfo.at("format"));
+    EXPECT_EQ("Alpine Linux", jsPackageInfo.at("vendor"));
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapCorrectMapping)
+{
+    const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"(
+            {
+            "id": "rw36mkAjdIKl13dzfwyxP87cejpyIcct",
+            "title": "gnome-3-38-2004",
+            "summary": "Shared GNOME 3.38 Ubuntu stack",
+            "description": "This snap includes a GNOME 3.38 stack (the base libraries and desktop \nintegration components) and shares it through the content interface. \n",
+            "icon": "/v2/icons/gnome-3-38-2004/icon",
+            "installed-size": 363151360,
+            "name": "gnome-3-38-2004",
+            "publisher": {
+                "id": "canonical",
+                "username": "canonical",
+                "display-name": "Canonical",
+                "validation": "verified"
+            },
+            "developer": "canonical",
+            "status": "active",
+            "type": "app",
+            "base": "core20",
+            "version": "0+git.6f39565",
+            "channel": "latest/stable",
+            "tracking-channel": "latest/stable/ubuntu-22.04",
+            "ignore-validation": false,
+            "revision": "119",
+            "confinement": "strict",
+            "private": false,
+            "devmode": false,
+            "jailmode": false,
+            "contact": "",
+            "mounted-from": "/var/lib/snapd/snaps/gnome-3-38-2004_119.snap",
+            "media": [
+                {
+                "type": "icon",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2021/01/icon_FvbmexL.png"
+                }
+            ],
+            "install-date": "2022-11-23T20:33:59.025662696-03:00"
+            }
+        )"_json) };
+
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ("gnome-3-38-2004", jsPackageInfo["name"]);
+    EXPECT_EQ(363151360, jsPackageInfo["size"]);
+    EXPECT_EQ("2022/11/23 20:33:59", jsPackageInfo["install_time"]);
+    EXPECT_EQ(" ", jsPackageInfo["groups"]);
+    EXPECT_EQ("0+git.6f39565", jsPackageInfo["version"]);
+    EXPECT_EQ(" ", jsPackageInfo["architecture"]);
+    EXPECT_EQ("snap", jsPackageInfo["format"]);
+    EXPECT_EQ("Canonical", jsPackageInfo["vendor"]);
+    EXPECT_EQ("Shared GNOME 3.38 Ubuntu stack", jsPackageInfo["description"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapInvalidInputName)
+{
+    const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"(
+            {
+            "id": "rw36mkAjdIKl13dzfwyxP87cejpyIcct",
+            "title": "gnome-3-38-2004",
+            "summary": "Shared GNOME 3.38 Ubuntu stack",
+            "description": "This snap includes a GNOME 3.38 stack (the base libraries and desktop \nintegration components) and shares it through the content interface. \n",
+            "icon": "/v2/icons/gnome-3-38-2004/icon",
+            "installed-size": 363151360,
+            "publisher": {
+                "id": "canonical",
+                "username": "canonical",
+                "display-name": "Canonical",
+                "validation": "verified"
+            },
+            "developer": "canonical",
+            "status": "active",
+            "type": "app",
+            "base": "core20",
+            "version": "0+git.6f39565",
+            "channel": "latest/stable",
+            "tracking-channel": "latest/stable/ubuntu-22.04",
+            "ignore-validation": false,
+            "revision": "119",
+            "confinement": "strict",
+            "private": false,
+            "devmode": false,
+            "jailmode": false,
+            "contact": "",
+            "mounted-from": "/var/lib/snapd/snaps/gnome-3-38-2004_119.snap",
+            "media": [
+                {
+                "type": "icon",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2021/01/icon_FvbmexL.png"
+                }
+            ],
+            "install-date": "2022-11-23T20:33:59.025662696-03:00"
+            }
+        )"_json) };
+
+    EXPECT_TRUE(jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapInvalidInputVersion)
+{
+    const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"(
+            {
+            "id": "rw36mkAjdIKl13dzfwyxP87cejpyIcct",
+            "title": "gnome-3-38-2004",
+            "summary": "Shared GNOME 3.38 Ubuntu stack",
+            "description": "This snap includes a GNOME 3.38 stack (the base libraries and desktop \nintegration components) and shares it through the content interface. \n",
+            "icon": "/v2/icons/gnome-3-38-2004/icon",
+            "installed-size": 363151360,
+            "name": "gnome-3-38-2004",
+            "publisher": {
+                "id": "canonical",
+                "username": "canonical",
+                "display-name": "Canonical",
+                "validation": "verified"
+            },
+            "developer": "canonical",
+            "status": "active",
+            "type": "app",
+            "base": "core20",
+            "channel": "latest/stable",
+            "tracking-channel": "latest/stable/ubuntu-22.04",
+            "ignore-validation": false,
+            "revision": "119",
+            "confinement": "strict",
+            "private": false,
+            "devmode": false,
+            "jailmode": false,
+            "contact": "",
+            "mounted-from": "/var/lib/snapd/snaps/gnome-3-38-2004_119.snap",
+            "media": [
+                {
+                "type": "icon",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2021/01/icon_FvbmexL.png"
+                }
+            ],
+            "install-date": "2022-11-23T20:33:59.025662696-03:00"
+            }
+        )"_json) };
+
+    EXPECT_TRUE(jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapValidSizeAsString)
+{
+    const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"(
+            {
+            "id": "rw36mkAjdIKl13dzfwyxP87cejpyIcct",
+            "title": "gnome-3-38-2004",
+            "summary": "Shared GNOME 3.38 Ubuntu stack",
+            "description": "This snap includes a GNOME 3.38 stack (the base libraries and desktop \nintegration components) and shares it through the content interface. \n",
+            "icon": "/v2/icons/gnome-3-38-2004/icon",
+            "installed-size": "363151360",
+            "name": "gnome-3-38-2004",
+            "publisher": {
+                "id": "canonical",
+                "username": "canonical",
+                "display-name": "Canonical",
+                "validation": "verified"
+            },
+            "developer": "canonical",
+            "status": "active",
+            "type": "app",
+            "base": "core20",
+            "version": "0+git.6f39565",
+            "channel": "latest/stable",
+            "tracking-channel": "latest/stable/ubuntu-22.04",
+            "ignore-validation": false,
+            "revision": "119",
+            "confinement": "strict",
+            "private": false,
+            "devmode": false,
+            "jailmode": false,
+            "contact": "",
+            "mounted-from": "/var/lib/snapd/snaps/gnome-3-38-2004_119.snap",
+            "media": [
+                {
+                "type": "icon",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2021/01/icon_FvbmexL.png"
+                }
+            ],
+            "install-date": "2022-11-23T20:33:59.025662696-03:00"
+            }
+        )"_json) };
+
+    EXPECT_FALSE(jsPackageInfo.empty());
+    EXPECT_EQ(363151360, jsPackageInfo["size"]);
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapEmptyJSON)
+{
+    const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"({})"_json) };
+
+    EXPECT_TRUE(jsPackageInfo.empty());
+}
+
+TEST_F(SysInfoPackagesLinuxHelperTest, parseSnapWrongJSON)
+{
+    EXPECT_NO_THROW(
+    {
+        const auto& jsPackageInfo { PackageLinuxHelper::parseSnap( R"(curl: (7) Couldn't connect to server)") };
+        EXPECT_TRUE(jsPackageInfo.empty());
+    });
+}
+
diff --git a/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.h b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.h
new file mode 100644
index 0000000000..8e5d72e5a0
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesLinuxHelper/sysInfoPackagesLinuxHelper_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PACKAGES_LINUX_HELPER_TEST_H
+#define _SYSINFO_PACKAGES_LINUX_HELPER_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoPackagesLinuxHelperTest : public ::testing::Test
+{
+    protected:
+
+        SysInfoPackagesLinuxHelperTest() = default;
+        virtual ~SysInfoPackagesLinuxHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PACKAGES_LINUX_HELPER_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackagesMAC/CMakeLists.txt
new file mode 100644
index 0000000000..00efe06ffc
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/CMakeLists.txt
@@ -0,0 +1,37 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoMacPackage_unit_test)
+
+# Copy input files to the build directory
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/src/packages/packageMac.cpp")
+
+add_executable(sysInfoMacPackage_unit_test 
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoMacPackage_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+)
+
+if(APPLE)
+  target_link_libraries(sysInfoMacPackage_unit_test ${SRC_FOLDER}/external/libplist/bin/lib/libplist-2.0.a)
+endif(APPLE)
+
+add_test(NAME sysInfoMacPackage_unit_test
+         COMMAND sysInfoMacPackage_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_LongVersion.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_LongVersion.app/Contents/Info.plist
new file mode 100644
index 0000000000..5c43def7e5
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_LongVersion.app/Contents/Info.plist
@@ -0,0 +1,440 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.operasoftware.Opera</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>100.0.4815.54</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoDescription.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoDescription.app/Contents/Info.plist
new file mode 100644
index 0000000000..4da7a34a63
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoDescription.app/Contents/Info.plist
@@ -0,0 +1,438 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>100.0.4815.54</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoGroups.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoGroups.app/Contents/Info.plist
new file mode 100644
index 0000000000..7882f34c2e
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoGroups.app/Contents/Info.plist
@@ -0,0 +1,438 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.operasoftware.Opera</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>100.0.4815.54</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoName.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoName.app/Contents/Info.plist
new file mode 100644
index 0000000000..aee92344fe
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoName.app/Contents/Info.plist
@@ -0,0 +1,438 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.operasoftware.Opera</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>100.0.4815.54</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVendor.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVendor.app/Contents/Info.plist
new file mode 100644
index 0000000000..a278e466b1
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVendor.app/Contents/Info.plist
@@ -0,0 +1,440 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>description_text</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>100.0.4815.54</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVersion.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVersion.app/Contents/Info.plist
new file mode 100644
index 0000000000..040f1c5165
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_NoVersion.app/Contents/Info.plist
@@ -0,0 +1,436 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.operasoftware.Opera</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_ShortVersion.app/Contents/Info.plist b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_ShortVersion.app/Contents/Info.plist
new file mode 100644
index 0000000000..5dc545b85b
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/input_files/PKGWrapperTest_ShortVersion.app/Contents/Info.plist
@@ -0,0 +1,440 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleDisplayName</key>
+	<string>Opera</string>
+	<key>CFBundleDocumentTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>adr</string>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Bookmark File</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>OBok</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webloc</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web Location</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>ilht</string>
+				<string>ilft</string>
+				<string>ilfi</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>htm</string>
+				<string>html</string>
+				<string>xhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+				<string>mhtml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>MIME HTML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>xml</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>XML</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>HTML</string>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>opdownload</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Opera Download</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>txt</string>
+				<string>text</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Text Document</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>gif</string>
+				<string>giff</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>GIF</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>GIFf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>png</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PNG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>PNGf</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>jpg</string>
+				<string>jpeg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>JPEG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>JPEG</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>url</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>LINK</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>LINK</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>info</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Info</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>svg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SVG</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>TEXT</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>swf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>SWF</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>mht</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeName</key>
+			<string>Web archive</string>
+			<key>CFBundleTypeOSTypes</key>
+			<array>
+				<string>MHTM</string>
+			</array>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>oga</string>
+				<string>ogg</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>audio/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Audio</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>ogv</string>
+				<string>ogm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/ogg</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>Ogg Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>pdf</string>
+			</array>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>application/pdf</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>PDF Document</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webm</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>video/webm</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebM Video</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeExtensions</key>
+			<array>
+				<string>webp</string>
+			</array>
+			<key>CFBundleTypeMIMETypes</key>
+			<array>
+				<string>image/webp</string>
+			</array>
+			<key>CFBundleTypeName</key>
+			<string>WebP Image</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>NSPersistentStoreTypeKey</key>
+			<string>Binary</string>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>org.chromium.extension</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleTypeIconFile</key>
+			<string>OperaDocs.icns</string>
+			<key>CFBundleTypeRole</key>
+			<string>Viewer</string>
+			<key>LSItemContentTypes</key>
+			<array>
+				<string>com.operasoftware.extension</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleExecutable</key>
+	<string>Opera</string>
+	<key>CFBundleGetInfoString</key>
+	<string>Opera 100.0, Copyright (C) 2012-2016, Opera Software.</string>
+	<key>CFBundleIconFile</key>
+	<string>app.icns</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.operasoftware.Opera</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>Opera</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>100.0</string>
+	<key>CFBundleSignature</key>
+	<string>OPRA</string>
+	<key>CFBundleURLTypes</key>
+	<array>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>http URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>http</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>https URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>https</string>
+			</array>
+		</dict>
+		<dict>
+			<key>CFBundleURLName</key>
+			<string>file URL</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>file</string>
+			</array>
+		</dict>
+	</array>
+	<key>CFBundleVersion</key>
+	<string>Text different from CFBundleShortVersionString</string>
+	<key>DTCompiler</key>
+	<string>com.apple.compilers.llvm.clang.1_0</string>
+	<key>DTSDKBuild</key>
+	<string>21E226</string>
+	<key>DTSDKName</key>
+	<string>macosx13.3</string>
+	<key>DTXcode</key>
+	<string>1430</string>
+	<key>DTXcodeBuild</key>
+	<string>14E222b</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.productivity</string>
+	<key>LSEnvironment</key>
+	<dict>
+		<key>MallocNanoZone</key>
+		<string>0</string>
+	</dict>
+	<key>LSFileQuarantineEnabled</key>
+	<true/>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.11.0</string>
+	<key>NSAppleScriptEnabled</key>
+	<true/>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>OperaCrApplication</string>
+	<key>NSRequiresAquaSystemAppearance</key>
+	<true/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+	<key>NSUserActivityTypes</key>
+	<array>
+		<string>NSUserActivityTypeBrowsingWeb</string>
+	</array>
+	<key>OSAScriptingDefinition</key>
+	<string>scripting.sdef</string>
+	<key>UTExportedTypeDeclarations</key>
+	<array>
+		<dict>
+			<key>UTTypeConformsTo</key>
+			<array>
+				<string>public.data</string>
+			</array>
+			<key>UTTypeDescription</key>
+			<string>Chromium Extra</string>
+			<key>UTTypeIdentifier</key>
+			<string>org.chromium.extension</string>
+			<key>UTTypeTagSpecification</key>
+			<dict>
+				<key>public.filename-extension</key>
+				<array>
+					<string>crx</string>
+				</array>
+			</dict>
+		</dict>
+	</array>
+</dict>
+</plist>
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/main.cpp b/src/common/data_provider/tests/sysInfoPackagesMAC/main.cpp
new file mode 100644
index 0000000000..cefdb8183b
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.cpp b/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.cpp
new file mode 100644
index 0000000000..f9c39d1be1
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.cpp
@@ -0,0 +1,226 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 20, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "pkgWrapper_test.h"
+#include "packages/packageMac.h"
+#include "packages/pkgWrapper.h"
+#include <unistd.h>
+#include <iostream>
+
+void PKGWrapperTest::SetUp() {};
+
+void PKGWrapperTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+
+TEST_F(PKGWrapperTest, LongVersion)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_LongVersion.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), "100.0.4815.54");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), "com.operasoftware.Opera");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), "operasoftware");
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, ShortVersion)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_ShortVersion.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), "100.0");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), "com.operasoftware.Opera");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), "operasoftware");
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, NoName)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_NoName.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "");
+    EXPECT_EQ(wrapper->version(), "100.0.4815.54");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), "com.operasoftware.Opera");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), "operasoftware");
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, NoVersion)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_NoVersion.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), " ");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), "com.operasoftware.Opera");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), "operasoftware");
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, NoGroups)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_NoGroups.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), "100.0.4815.54");
+    EXPECT_EQ(wrapper->groups(), " ");
+    EXPECT_EQ(wrapper->description(), "com.operasoftware.Opera");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), "operasoftware");
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, NoDescription)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_NoDescription.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), "100.0.4815.54");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), " ");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
+
+TEST_F(PKGWrapperTest, NoVendor)
+{
+    std::string inputPath;
+    inputPath += getwd(NULL);
+    inputPath += "/input_files";
+    std::string package { "PKGWrapperTest_NoVendor.app" };
+
+    struct PackageContext ctx
+    {
+        inputPath, package, ""
+    };
+    std::shared_ptr<PKGWrapper> wrapper;
+    EXPECT_NO_THROW(wrapper = std::make_shared<PKGWrapper>(ctx));
+    EXPECT_EQ(wrapper->name(), "Opera");
+    EXPECT_EQ(wrapper->version(), "100.0.4815.54");
+    EXPECT_EQ(wrapper->groups(), "public.app-category.productivity");
+    EXPECT_EQ(wrapper->description(), "description_text");
+    EXPECT_EQ(wrapper->architecture(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->format(), "pkg");
+    EXPECT_EQ(wrapper->osPatch(), "");
+    EXPECT_EQ(wrapper->source(), "utilities");
+    EXPECT_EQ(wrapper->location(), inputPath + "/" + package + "/" + APP_INFO_PATH);
+    EXPECT_EQ(wrapper->vendor(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->priority(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->size(), 0);
+    EXPECT_EQ(wrapper->install_time(), UNKNOWN_VALUE);
+    EXPECT_EQ(wrapper->multiarch(), UNKNOWN_VALUE);
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.h b/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.h
new file mode 100644
index 0000000000..37b994af7c
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/pkgWrapper_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 20, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _PKGWRAPPER_TEST_H
+#define _PKGWRAPPER_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class PKGWrapperTest : public ::testing::Test
+{
+    protected:
+        PKGWrapperTest() = default;
+        virtual ~PKGWrapperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_PKGWRAPPER_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.cpp b/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.cpp
new file mode 100644
index 0000000000..f73a30cf32
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.cpp
@@ -0,0 +1,204 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoMacPackages_test.h"
+#include "packages/packageMac.h"
+#include "packages/macportsWrapper.h"
+#include "mocks/sqliteWrapperTempMock.h"
+#include "sqliteWrapperTemp.h"
+
+void SysInfoMacPackagesTest::SetUp() {};
+
+void SysInfoMacPackagesTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+using ::testing::An;
+using ::testing::ByMove;
+
+class SysInfoMacPackagesWrapperMock: public IPackageWrapper
+{
+    public:
+        SysInfoMacPackagesWrapperMock() = default;
+        virtual ~SysInfoMacPackagesWrapperMock() = default;
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, version, (), (const override));
+        MOCK_METHOD(std::string, groups, (), (const override));
+        MOCK_METHOD(std::string, description, (), (const override));
+        MOCK_METHOD(std::string, architecture, (), (const override));
+        MOCK_METHOD(std::string, format, (), (const override));
+        MOCK_METHOD(std::string, osPatch, (), (const override));
+        MOCK_METHOD(std::string, source, (), (const override));
+        MOCK_METHOD(std::string, location, (), (const override));
+        MOCK_METHOD(std::string, priority, (), (const override));
+        MOCK_METHOD(int, size, (), (const override));
+        MOCK_METHOD(std::string, vendor, (), (const override));
+        MOCK_METHOD(std::string, install_time, (), (const override));
+        MOCK_METHOD(std::string, multiarch, (), (const override));
+};
+
+TEST_F(SysInfoMacPackagesTest, Test_SPEC_Data)
+{
+    auto mock { std::make_shared<SysInfoMacPackagesWrapperMock>() };
+    nlohmann::json packages {};
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("1"));
+    EXPECT_CALL(*mock, version()).Times(1).WillOnce(Return("2"));
+    EXPECT_CALL(*mock, groups()).Times(1).WillOnce(Return("3"));
+    EXPECT_CALL(*mock, description()).Times(1).WillOnce(Return("4"));
+    EXPECT_CALL(*mock, architecture()).Times(1).WillOnce(Return("5"));
+    EXPECT_CALL(*mock, format()).Times(1).WillOnce(Return("6"));
+    EXPECT_CALL(*mock, source()).Times(1).WillOnce(Return("7"));
+    EXPECT_CALL(*mock, location()).Times(1).WillOnce(Return("8"));
+    EXPECT_CALL(*mock, priority()).Times(1).WillOnce(Return("9"));
+    EXPECT_CALL(*mock, size()).Times(1).WillOnce(Return(10));
+    EXPECT_CALL(*mock, vendor()).Times(1).WillOnce(Return("11"));
+    EXPECT_CALL(*mock, install_time()).Times(1).WillOnce(Return("12"));
+    EXPECT_CALL(*mock, multiarch()).Times(1).WillOnce(Return("13"));
+
+    EXPECT_NO_THROW(std::make_unique<BSDPackageImpl>(mock)->buildPackageData(packages));
+    EXPECT_EQ("1", packages.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("2", packages.at("version").get_ref<const std::string&>());
+    EXPECT_EQ("3", packages.at("groups").get_ref<const std::string&>());
+    EXPECT_EQ("4", packages.at("description").get_ref<const std::string&>());
+    EXPECT_EQ("5", packages.at("architecture").get_ref<const std::string&>());
+    EXPECT_EQ("6", packages.at("format").get_ref<const std::string&>());
+    EXPECT_EQ("7", packages.at("source").get_ref<const std::string&>());
+    EXPECT_EQ("8", packages.at("location").get_ref<const std::string&>());
+    EXPECT_EQ("9", packages.at("priority").get_ref<const std::string&>());
+    EXPECT_EQ(10, packages.at("size").get<const int>());
+    EXPECT_EQ("11", packages.at("vendor").get_ref<const std::string&>());
+    EXPECT_EQ("12", packages.at("install_time").get_ref<const std::string&>());
+    EXPECT_EQ("13", packages.at("multiarch").get_ref<const std::string&>());
+}
+
+TEST_F(SysInfoMacPackagesTest, macPortsValidData)
+{
+    auto mockStatement { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement, columnsCount()).WillOnce(Return(5));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const std::string&>()))
+    .WillOnce(Return("neovim"));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("0.8.1"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const int64_t&>()))
+    .WillOnce(Return(1690831043));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const std::string&>()))
+    .WillOnce(Return("/opt/local/var/macports/software/neovim/neovim-0.8.1.tgz"));
+    auto mockColumn_5 {std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const std::string&>()))
+    .WillOnce(Return("x86_64"));
+
+    EXPECT_CALL(*mockColumn_1, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_2, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_3, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_4, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_5, hasValue()).WillOnce(Return(true));
+
+    EXPECT_CALL(*mockStatement, column(0)).WillOnce(Return(ByMove(std::move(mockColumn_1))));
+    EXPECT_CALL(*mockStatement, column(1)).WillOnce(Return(ByMove(std::move(mockColumn_2))));
+    EXPECT_CALL(*mockStatement, column(2)).WillOnce(Return(ByMove(std::move(mockColumn_3))));
+    EXPECT_CALL(*mockStatement, column(3)).WillOnce(Return(ByMove(std::move(mockColumn_4))));
+    EXPECT_CALL(*mockStatement, column(4)).WillOnce(Return(ByMove(std::move(mockColumn_5))));
+
+    MacportsWrapper macportsMock(*mockStatement);
+
+    EXPECT_EQ(macportsMock.name(), "neovim");
+    EXPECT_EQ(macportsMock.version(), "0.8.1");
+    EXPECT_FALSE(macportsMock.install_time().empty());
+    EXPECT_EQ(macportsMock.location(), "/opt/local/var/macports/software/neovim/neovim-0.8.1.tgz");
+    EXPECT_EQ(macportsMock.architecture(), "x86_64");
+}
+
+TEST_F(SysInfoMacPackagesTest, macPortsValidDataEmptyFields)
+{
+    auto mockStatement { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement, columnsCount()).WillOnce(Return(5));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const std::string&>()))
+    .WillOnce(Return("neovim"));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return(""));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const int64_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const std::string&>()))
+    .WillOnce(Return(""));
+    auto mockColumn_5 {std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const std::string&>()))
+    .WillOnce(Return(""));
+
+    EXPECT_CALL(*mockColumn_1, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_2, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_3, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_4, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_5, hasValue()).WillOnce(Return(true));
+
+    EXPECT_CALL(*mockStatement, column(0)).WillOnce(Return(ByMove(std::move(mockColumn_1))));
+    EXPECT_CALL(*mockStatement, column(1)).WillOnce(Return(ByMove(std::move(mockColumn_2))));
+    EXPECT_CALL(*mockStatement, column(2)).WillOnce(Return(ByMove(std::move(mockColumn_3))));
+    EXPECT_CALL(*mockStatement, column(3)).WillOnce(Return(ByMove(std::move(mockColumn_4))));
+    EXPECT_CALL(*mockStatement, column(4)).WillOnce(Return(ByMove(std::move(mockColumn_5))));
+
+    MacportsWrapper macportsMock(*mockStatement);
+
+    EXPECT_EQ(macportsMock.name(), "neovim");
+    // Empty string fields are replaced with space.
+    EXPECT_EQ(macportsMock.version(), " ");
+    EXPECT_FALSE(macportsMock.install_time().empty());
+    EXPECT_EQ(macportsMock.location(), " ");
+    EXPECT_EQ(macportsMock.architecture(), " ");
+}
+
+TEST_F(SysInfoMacPackagesTest, macPortsValidDataEmptyName)
+{
+    auto mockStatement { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement, columnsCount()).WillOnce(Return(5));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const std::string&>()))
+    .WillOnce(Return(""));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("0.8.1"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const int64_t&>()))
+    .WillOnce(Return(1690831043));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const std::string&>()))
+    .WillOnce(Return("/opt/local/var/macports/software/neovim/neovim-0.8.1.tgz"));
+    auto mockColumn_5 {std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const std::string&>()))
+    .WillOnce(Return("x86_64"));
+
+    EXPECT_CALL(*mockColumn_1, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_2, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_3, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_4, hasValue()).WillOnce(Return(true));
+    EXPECT_CALL(*mockColumn_5, hasValue()).WillOnce(Return(true));
+
+    EXPECT_CALL(*mockStatement, column(0)).WillOnce(Return(ByMove(std::move(mockColumn_1))));
+    EXPECT_CALL(*mockStatement, column(1)).WillOnce(Return(ByMove(std::move(mockColumn_2))));
+    EXPECT_CALL(*mockStatement, column(2)).WillOnce(Return(ByMove(std::move(mockColumn_3))));
+    EXPECT_CALL(*mockStatement, column(3)).WillOnce(Return(ByMove(std::move(mockColumn_4))));
+    EXPECT_CALL(*mockStatement, column(4)).WillOnce(Return(ByMove(std::move(mockColumn_5))));
+
+    MacportsWrapper macportsMock(*mockStatement);
+
+    // Packages with empty string names are discarded.
+    EXPECT_EQ(macportsMock.name(), "");
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.h b/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.h
new file mode 100644
index 0000000000..bae4bb4841
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesMAC/sysInfoMacPackages_test.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_MAC_PACKAGES_TEST_H
+#define _SYSINFO_MAC_PACKAGES_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoMacPackagesTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoMacPackagesTest() = default;
+        virtual ~SysInfoMacPackagesTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_MAC_PACKAGES_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPackagesSolaris/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPackagesSolaris/CMakeLists.txt
new file mode 100644
index 0000000000..a3e3c0a43b
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesSolaris/CMakeLists.txt
@@ -0,0 +1,31 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoSolarisPackage_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+	"${CMAKE_SOURCE_DIR}/src/packages/packageSolaris.cpp")
+
+add_executable(sysInfoSolarisPackage_unit_test 
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoSolarisPackage_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+)
+
+add_test(NAME sysInfoSolarisPackage_unit_test
+	COMMAND sysInfoSolarisPackage_unit_test)
diff --git a/src/common/data_provider/tests/sysInfoPackagesSolaris/main.cpp b/src/common/data_provider/tests/sysInfoPackagesSolaris/main.cpp
new file mode 100644
index 0000000000..4e4f649247
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesSolaris/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.cpp b/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.cpp
new file mode 100644
index 0000000000..ba18c78cc7
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.cpp
@@ -0,0 +1,76 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoSolarisPackages_test.h"
+#include "packages/packageFamilyDataAFactory.h"
+#include "packages/packageSolaris.h"
+
+void SysInfoSolarisPackagesTest::SetUp() {};
+
+void SysInfoSolarisPackagesTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoSolarisPackagesWrapperMock: public IPackageWrapper
+{
+    public:
+        SysInfoSolarisPackagesWrapperMock() = default;
+        virtual ~SysInfoSolarisPackagesWrapperMock() = default;
+        MOCK_METHOD(std::string, name, (), (const override));
+        MOCK_METHOD(std::string, version, (), (const override));
+        MOCK_METHOD(std::string, groups, (), (const override));
+        MOCK_METHOD(std::string, description, (), (const override));
+        MOCK_METHOD(std::string, architecture, (), (const override));
+        MOCK_METHOD(std::string, format, (), (const override));
+        MOCK_METHOD(std::string, osPatch, (), (const override));
+        MOCK_METHOD(std::string, source, (), (const override));
+        MOCK_METHOD(std::string, location, (), (const override));
+        MOCK_METHOD(std::string, priority, (), (const override));
+        MOCK_METHOD(int, size, (), (const override));
+        MOCK_METHOD(std::string, vendor, (), (const override));
+        MOCK_METHOD(std::string, install_time, (), (const override));
+        MOCK_METHOD(std::string, multiarch, (), (const override));
+};
+
+TEST_F(SysInfoSolarisPackagesTest, Test_Success_Data)
+{
+    auto mock { std::make_shared<SysInfoSolarisPackagesWrapperMock>() };
+    nlohmann::json packages {};
+
+    EXPECT_CALL(*mock, name()).Times(1).WillOnce(Return("libstdc++6"));
+    EXPECT_CALL(*mock, version()).Times(1).WillOnce(Return("5.5.0"));
+    EXPECT_CALL(*mock, groups()).Times(1).WillOnce(Return("application"));
+    EXPECT_CALL(*mock, description()).Times(1).WillOnce(Return("libstdc++6 - The GNU Compiler Collection, libstdc++.so.6"));
+    EXPECT_CALL(*mock, architecture()).Times(1).WillOnce(Return("i386"));
+    EXPECT_CALL(*mock, format()).Times(1).WillOnce(Return("pkg"));
+    EXPECT_CALL(*mock, source()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, location()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, priority()).Times(1).WillOnce(Return(""));
+    EXPECT_CALL(*mock, size()).Times(1).WillOnce(Return(0));
+    EXPECT_CALL(*mock, vendor()).Times(1).WillOnce(Return("Oracle corporation"));
+    EXPECT_CALL(*mock, install_time()).Times(1).WillOnce(Return("2022/01/13 14:48:58"));
+
+    EXPECT_NO_THROW(FactoryPackageFamilyCreator<OSPlatformType::SOLARIS>::create(mock)->buildPackageData(packages));
+
+    EXPECT_EQ("libstdc++6", packages.at("name").get_ref<const std::string&>());
+    EXPECT_EQ("5.5.0", packages.at("version").get_ref<const std::string&>());
+    EXPECT_EQ("application", packages.at("groups").get_ref<const std::string&>());
+    EXPECT_EQ("libstdc++6 - The GNU Compiler Collection, libstdc++.so.6", packages.at("description").get_ref<const std::string&>());
+    EXPECT_EQ("i386", packages.at("architecture").get_ref<const std::string&>());
+    EXPECT_EQ("pkg", packages.at("format").get_ref<const std::string&>());
+    EXPECT_EQ("", packages.at("source").get_ref<const std::string&>());
+    EXPECT_EQ("", packages.at("location").get_ref<const std::string&>());
+    EXPECT_EQ("", packages.at("priority").get_ref<const std::string&>());
+    EXPECT_EQ(0, packages.at("size").get<const int>());
+    EXPECT_EQ("Oracle corporation", packages.at("vendor").get_ref<const std::string&>());
+    EXPECT_EQ("2022/01/13 14:48:58", packages.at("install_time").get_ref<const std::string&>());
+}
diff --git a/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.h b/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.h
new file mode 100644
index 0000000000..ee94b89dd6
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPackagesSolaris/sysInfoSolarisPackages_test.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_SOLARIS_PACKAGES_TEST_H
+#define _SYSINFO_SOLARIS_PACKAGES_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoSolarisPackagesTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoSolarisPackagesTest() = default;
+        virtual ~SysInfoSolarisPackagesTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_SOLARIS_PACKAGES_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoPorts/CMakeLists.txt b/src/common/data_provider/tests/sysInfoPorts/CMakeLists.txt
new file mode 100644
index 0000000000..8c9b37eeff
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPorts/CMakeLists.txt
@@ -0,0 +1,32 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoPort_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSINFO_SRC
+    "${CMAKE_SOURCE_DIR}/ports/portImpl.h")
+
+add_executable(sysInfoPort_unit_test
+    ${sysinfo_UNIT_TEST_SRC}
+    ${SYSINFO_SRC})
+
+target_link_libraries(sysInfoPort_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+)
+
+add_test(NAME sysInfoPort_unit_test
+         COMMAND sysInfoPort_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPorts/main.cpp b/src/common/data_provider/tests/sysInfoPorts/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPorts/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.cpp b/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.cpp
new file mode 100644
index 0000000000..4a7feb0b7c
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.cpp
@@ -0,0 +1,69 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 10, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysInfoPort_test.h"
+#include "ports/portImpl.h"
+
+void SysInfoPortTest::SetUp() {};
+
+void SysInfoPortTest::TearDown()
+{
+};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoPortWrapperMock: public IPortWrapper
+{
+    public:
+        SysInfoPortWrapperMock() = default;
+        virtual ~SysInfoPortWrapperMock() = default;
+        MOCK_METHOD(std::string, protocol, (), (const override));
+        MOCK_METHOD(std::string, localIp, (), (const override));
+        MOCK_METHOD(int32_t, localPort, (), (const override));
+        MOCK_METHOD(std::string, remoteIP, (), (const override));
+        MOCK_METHOD(int32_t, remotePort, (), (const override));
+        MOCK_METHOD(int32_t, txQueue, (), (const override));
+        MOCK_METHOD(int32_t, rxQueue, (), (const override));
+        MOCK_METHOD(int64_t, inode, (), (const override));
+        MOCK_METHOD(std::string, state, (), (const override));
+        MOCK_METHOD(int32_t, pid, (), (const override));
+        MOCK_METHOD(std::string, processName, (), (const override));
+};
+
+TEST_F(SysInfoPortTest, Test_SPEC_Data)
+{
+    auto mock { std::make_shared<SysInfoPortWrapperMock>() };
+    nlohmann::json port {};
+    EXPECT_CALL(*mock, protocol()).Times(1).WillOnce(Return("1"));
+    EXPECT_CALL(*mock, localIp()).Times(1).WillOnce(Return("2"));
+    EXPECT_CALL(*mock, localPort()).Times(1).WillOnce(Return(3));
+    EXPECT_CALL(*mock, remoteIP()).Times(1).WillOnce(Return("4"));
+    EXPECT_CALL(*mock, remotePort()).Times(1).WillOnce(Return(5));
+    EXPECT_CALL(*mock, txQueue()).Times(1).WillOnce(Return(6));
+    EXPECT_CALL(*mock, rxQueue()).Times(1).WillOnce(Return(7));
+    EXPECT_CALL(*mock, inode()).Times(1).WillOnce(Return(4274126910));
+    EXPECT_CALL(*mock, state()).Times(1).WillOnce(Return("9"));
+    EXPECT_CALL(*mock, pid()).Times(1).WillOnce(Return(10));
+    EXPECT_CALL(*mock, processName()).Times(1).WillOnce(Return("11"));
+
+    EXPECT_NO_THROW(std::make_unique<PortImpl>(mock)->buildPortData(port));
+    EXPECT_EQ("1", port.at("protocol").get_ref<const std::string&>());
+    EXPECT_EQ("2", port.at("local_ip").get_ref<const std::string&>());
+    EXPECT_EQ(3, port.at("local_port").get<int32_t>());
+    EXPECT_EQ("4", port.at("remote_ip").get_ref<const std::string&>());
+    EXPECT_EQ(5, port.at("remote_port").get<int32_t>());
+    EXPECT_EQ(6, port.at("tx_queue").get<int32_t>());
+    EXPECT_EQ(7, port.at("rx_queue").get<int32_t>());
+    EXPECT_EQ(4274126910, port.at("inode").get<int64_t>());
+    EXPECT_EQ("9", port.at("state").get_ref<const std::string&>());
+    EXPECT_EQ(10, port.at("pid").get<int32_t>());
+    EXPECT_EQ("11", port.at("process").get_ref<const std::string&>());
+}
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.h b/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.h
new file mode 100644
index 0000000000..442020f4a9
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoPorts/sysInfoPort_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PORT_TEST_H
+#define _SYSINFO_PORT_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoPortTest : public ::testing::Test
+{
+
+    protected:
+
+        SysInfoPortTest() = default;
+        virtual ~SysInfoPortTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PORT_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoRpmPackageManager/CMakeLists.txt b/src/common/data_provider/tests/sysInfoRpmPackageManager/CMakeLists.txt
new file mode 100644
index 0000000000..9615a5dc21
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoRpmPackageManager/CMakeLists.txt
@@ -0,0 +1,29 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(RpmPackageManager_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB RPM_UNIT_TEST_SRC "*.cpp")
+file(GLOB RPM_SRC "${CMAKE_SOURCE_DIR}/src/packages/rpm*.cpp")
+
+add_executable(Rpm_unit_test ${RPM_UNIT_TEST_SRC} ${RPM_SRC})
+
+target_link_libraries(Rpm_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    proc
+    dl
+)
+
+add_test(NAME Rpm_unit_test
+         COMMAND Rpm_unit_test)
diff --git a/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.cpp b/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.cpp
new file mode 100644
index 0000000000..01c31af0bb
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.cpp
@@ -0,0 +1,377 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 22, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "RpmPackageManager_test.h"
+#include "packages/rpmlibWrapper.h"
+#include "packages/rpmPackageManager.h"
+#include <rpm/rpmtag.h>
+
+#include <fcntl.h>
+
+using ::testing::_;
+using ::testing::Return;
+using ::testing::DoAll;
+using ::testing::SetArgReferee;
+
+// We are using NiceMock to avoid having to use ON_CALL excessively.
+using ::testing::NiceMock;
+
+void RpmLibTest::SetUp() {};
+void RpmLibTest::TearDown() {};
+
+class RpmLibMock : public IRpmLibWrapper
+{
+    public:
+        RpmLibMock() = default;
+        virtual ~RpmLibMock() override {};
+        MOCK_METHOD(int, rpmReadConfigFiles, (const char* file, const char* target), (override));
+        MOCK_METHOD(void, rpmFreeRpmrc, (), (override));
+        MOCK_METHOD(rpmtd, rpmtdNew, (), (override));
+        MOCK_METHOD(void, rpmtdFree, (rpmtd td), (override));
+        MOCK_METHOD(rpmts, rpmtsCreate, (), (override));
+        MOCK_METHOD(int, rpmtsOpenDB, (rpmts ts, int dbmode), (override));
+        MOCK_METHOD(int, rpmtsCloseDB, (rpmts ts), (override));
+        MOCK_METHOD(rpmts, rpmtsFree, (rpmts ts), (override));
+        MOCK_METHOD(int, headerGet, (Header h, rpmTagVal tag, rpmtd td, headerGetFlags flags), (override));
+        MOCK_METHOD(const char*, rpmtdGetString, (rpmtd td), (override));
+        MOCK_METHOD(uint64_t, rpmtdGetNumber, (rpmtd td), (override));
+        MOCK_METHOD(int, rpmtsRun, (rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet), (override));
+        MOCK_METHOD(rpmdbMatchIterator, rpmtsInitIterator, (const rpmts ts, rpmDbiTagVal rpmtag, const void* keypointer, size_t keylen), (override));
+        MOCK_METHOD(Header, rpmdbNextIterator, (rpmdbMatchIterator mi), (override));
+        MOCK_METHOD(rpmdbMatchIterator, rpmdbFreeIterator, (rpmdbMatchIterator mi), (override));
+};
+
+
+TEST(RpmLibTest, MissingConfFiles)
+{
+    auto mock {std::make_shared<RpmLibMock>()};
+    EXPECT_CALL(*mock, rpmReadConfigFiles(_, _)).WillOnce(Return(-1));
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmReadConfigFiles failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, MultipleInstances)
+{
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    RpmPackageManager otherRpm{mock};
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "there is another RPM instance already created");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, RAII)
+{
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    EXPECT_CALL(*mock, rpmReadConfigFiles(_, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmFreeRpmrc());
+    {
+        RpmPackageManager rpm{mock};
+    }
+}
+
+TEST(RpmLibTest, TransactionSetCreateFailure)
+{
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(nullptr));
+
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+
+            for (const auto& p : rpm)
+            {
+            }
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmtsCreate failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, OpenDatabaseFailure)
+{
+    const auto tsMock = reinterpret_cast<rpmts>(0x45);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtsOpenDB(tsMock, _)).WillOnce(Return(-1));
+
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+
+            for (const auto& p : rpm)
+            {
+            }
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmtsOpenDB failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+// Tests mostly the construction and destruction of RpmPackageManager::Iterator
+TEST(RpmLibTest, TransactionSetRunFailure)
+{
+    const auto tsMock = reinterpret_cast<rpmts>(0x45);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtsOpenDB(tsMock, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(-1));
+
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+
+            for (const auto& p : rpm)
+            {
+            }
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmtsRun failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, TagDataContainerCreateFailure)
+{
+    const auto tsMock = reinterpret_cast<rpmts>(0x45);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtsOpenDB(tsMock, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtdNew()).WillOnce(nullptr);
+
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+
+            for (const auto& p : rpm)
+            {
+            }
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmtdNew failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, IteratorInitFailure)
+{
+    const auto tsMock = reinterpret_cast<rpmts>(0x45);
+    const auto tdMock = reinterpret_cast<rpmtd>(0x4D);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtsOpenDB(tsMock, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtdNew()).WillOnce(Return(tdMock));
+    EXPECT_CALL(*mock, rpmtsInitIterator(tsMock, 1000, _, _)).WillOnce(Return(nullptr));
+
+    EXPECT_THROW(
+    {
+        try
+        {
+            RpmPackageManager rpm{mock};
+
+            for (const auto& p : rpm)
+            {
+            }
+        }
+        catch (const std::runtime_error& e)
+        {
+            EXPECT_STREQ(e.what(), "rpmtsInitIterator failed");
+            throw;
+        }
+    }, std::runtime_error);
+}
+
+TEST(RpmLibTest, NoPackages)
+{
+    const auto tsMock = reinterpret_cast<rpmts>(0x45);
+    const auto tdMock = reinterpret_cast<rpmtd>(0x4D);
+    const auto tsIteratorMock = reinterpret_cast<rpmdbMatchIterator>(0x41);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    std::vector<RpmPackageManager::Package> packages;
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtsOpenDB(tsMock, O_RDONLY)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtdNew()).WillOnce(Return(tdMock));
+    EXPECT_CALL(*mock, rpmtsInitIterator(tsMock, 1000, _, _)).WillOnce(Return(tsIteratorMock));
+    EXPECT_CALL(*mock, rpmdbNextIterator(tsIteratorMock)).WillOnce(Return(nullptr));
+
+    EXPECT_CALL(*mock, rpmtsCloseDB(tsMock));
+    EXPECT_CALL(*mock, rpmtsFree(tsMock));
+    EXPECT_CALL(*mock, rpmtdFree(tdMock));
+    EXPECT_CALL(*mock, rpmdbFreeIterator(tsIteratorMock));
+
+    {
+        RpmPackageManager rpm{mock};
+
+        for (const auto& p : rpm)
+        {
+        }
+    }
+}
+
+TEST(RpmLibTest, SinglePackage)
+{
+    auto tsMock = reinterpret_cast<rpmts>(0x45);
+    auto tdMock = reinterpret_cast<rpmtd>(0x4D);
+    auto headerMock = reinterpret_cast<Header>(0xFE);
+    auto tsIteratorMock = reinterpret_cast<rpmdbMatchIterator>(0x41);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtdNew()).WillOnce(Return(tdMock));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsInitIterator(tsMock, 1000, _, _)).WillOnce(Return(tsIteratorMock));
+
+    EXPECT_CALL(*mock, rpmdbNextIterator(_)).WillOnce(Return(headerMock)).WillOnce(nullptr);
+
+    EXPECT_CALL(*mock, headerGet(headerMock, _, tdMock, HEADERGET_DEFAULT)).WillRepeatedly(Return(1));
+    EXPECT_CALL(*mock, rpmtdGetString(_)).Times(9).WillOnce(Return("name"))
+    .WillOnce(Return("version"))
+    .WillOnce(Return("release"))
+    .WillOnce(Return("summary"))
+    .WillOnce(Return("vendor"))
+    .WillOnce(Return("group"))
+    .WillOnce(Return("source"))
+    .WillOnce(Return("arch"))
+    .WillOnce(Return("description"));
+    EXPECT_CALL(*mock, rpmtdGetNumber(_)).Times(3)
+    .WillOnce(Return(1)) // epoch
+    .WillOnce(Return(20)) // installtime
+    .WillOnce(Return(20)); // size
+
+    std::vector<RpmPackageManager::Package> packages;
+    {
+        RpmPackageManager rpm{mock};
+
+        for (const auto& p : rpm)
+        {
+            EXPECT_EQ(p.name, "name");
+            EXPECT_EQ(p.release, "release");
+            EXPECT_EQ(p.epoch, uint64_t{1});
+            EXPECT_EQ(p.summary, "summary");
+            EXPECT_EQ(p.installTime, "20");
+            EXPECT_EQ(p.size, uint64_t{20});
+            EXPECT_EQ(p.vendor, "vendor");
+            EXPECT_EQ(p.group, "group");
+            EXPECT_EQ(p.source, "source");
+            EXPECT_EQ(p.architecture, "arch");
+            EXPECT_EQ(p.description, "description");
+        }
+    }
+}
+
+TEST(RpmLibTest, TwoPackages)
+{
+    auto tsMock = reinterpret_cast<rpmts>(0x45);
+    auto tdMock = reinterpret_cast<rpmtd>(0x4D);
+    auto headerMock = reinterpret_cast<Header>(0xFE);
+    auto tsIteratorMock = reinterpret_cast<rpmdbMatchIterator>(0x41);
+    auto mock {std::make_shared<NiceMock<RpmLibMock>>()};
+    EXPECT_CALL(*mock, rpmtsCreate()).WillOnce(Return(tsMock));
+    EXPECT_CALL(*mock, rpmtdNew()).WillOnce(Return(tdMock));
+    EXPECT_CALL(*mock, rpmtsRun(tsMock, nullptr, _)).WillOnce(Return(0));
+    EXPECT_CALL(*mock, rpmtsInitIterator(tsMock, 1000, _, _)).WillOnce(Return(tsIteratorMock));
+
+    EXPECT_CALL(*mock, rpmdbNextIterator(_)).WillOnce(Return(headerMock))
+    .WillOnce(Return(headerMock))
+    .WillOnce(nullptr);
+
+    EXPECT_CALL(*mock, headerGet(headerMock, _, tdMock, HEADERGET_DEFAULT)).WillRepeatedly(Return(1));
+    EXPECT_CALL(*mock, rpmtdGetString(_)).Times(18).WillOnce(Return("name"))
+    .WillOnce(Return("version"))
+    .WillOnce(Return("release"))
+    .WillOnce(Return("summary"))
+    .WillOnce(Return("vendor"))
+    .WillOnce(Return("group"))
+    .WillOnce(Return("source"))
+    .WillOnce(Return("arch"))
+    .WillOnce(Return("description"))
+    .WillOnce(Return("name"))
+    .WillOnce(Return("version"))
+    .WillOnce(Return("release"))
+    .WillOnce(Return("summary"))
+    .WillOnce(Return("vendor"))
+    .WillOnce(Return("group"))
+    .WillOnce(Return("source"))
+    .WillOnce(Return("arch"))
+    .WillOnce(Return("description"));
+    EXPECT_CALL(*mock, rpmtdGetNumber(_)).Times(6).WillOnce(Return(1)) // epoch
+    .WillOnce(Return(20)) // installtime
+    .WillOnce(Return(20)) // size
+    .WillOnce(Return(1)) // epoch
+    .WillOnce(Return(20)) // installtime
+    .WillOnce(Return(20)); // size
+
+
+    std::vector<RpmPackageManager::Package> packages;
+    RpmPackageManager rpm{mock};
+    auto count {0};
+
+    for (const auto& p : rpm)
+    {
+        EXPECT_EQ(p.name, "name");
+        EXPECT_EQ(p.release, "release");
+        EXPECT_EQ(p.epoch, uint64_t{1});
+        EXPECT_EQ(p.summary, "summary");
+        EXPECT_EQ(p.installTime, "20");
+        EXPECT_EQ(p.size, uint64_t{20});
+        EXPECT_EQ(p.vendor, "vendor");
+        EXPECT_EQ(p.group, "group");
+        EXPECT_EQ(p.source, "source");
+        EXPECT_EQ(p.architecture, "arch");
+        EXPECT_EQ(p.description, "description");
+        count++;
+    }
+
+    EXPECT_EQ(count, 2);
+}
diff --git a/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.h b/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.h
new file mode 100644
index 0000000000..d26994e2b4
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoRpmPackageManager/RpmPackageManager_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
+#define _SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class RpmLibTest : public ::testing::Test
+{
+    protected:
+
+        RpmLibTest() = default;
+        virtual ~RpmLibTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_PACKAGES_BERKELEY_DB_TEST_H
diff --git a/src/common/data_provider/tests/sysInfoRpmPackageManager/main.cpp b/src/common/data_provider/tests/sysInfoRpmPackageManager/main.cpp
new file mode 100644
index 0000000000..bf3d6b13da
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoRpmPackageManager/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * March 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoWin/CMakeLists.txt b/src/common/data_provider/tests/sysInfoWin/CMakeLists.txt
new file mode 100644
index 0000000000..dac07faab4
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoWin/CMakeLists.txt
@@ -0,0 +1,29 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysInfoWindows_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB sysinfo_UNIT_TEST_SRC
+    "*.cpp")
+
+    add_executable(sysInfoWindows_unit_test
+    ${sysinfo_UNIT_TEST_SRC})
+
+target_link_libraries(sysInfoWindows_unit_test
+    debug gtestd
+    debug gmockd
+    debug gtest_maind
+    debug gmock_maind
+    optimized gtest
+    optimized gmock
+    optimized gtest_main
+    optimized gmock_main
+    pthread
+    sqlite3
+    cjson
+    -static-libgcc -static-libstdc++
+)
+
+add_test(NAME sysInfoWindows_unit_test
+         COMMAND sysInfoWindows_unit_test)
\ No newline at end of file
diff --git a/src/common/data_provider/tests/sysInfoWin/main.cpp b/src/common/data_provider/tests/sysInfoWin/main.cpp
new file mode 100644
index 0000000000..fad15dcd42
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoWin/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.cpp b/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.cpp
new file mode 100644
index 0000000000..8cf5d58dc2
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.cpp
@@ -0,0 +1,104 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysInfoWin_test.h"
+#include "packages/packagesWindowsParserHelper.h"
+
+void SysInfoWinTest::SetUp() {};
+
+void SysInfoWinTest::TearDown()
+{};
+
+TEST_F(SysInfoWinTest, test_extract_HFValue_7618)
+{
+    // Invalid cases
+    EXPECT_EQ("", PackageWindowsHelper::extractHFValue("KB"));
+    EXPECT_EQ("", PackageWindowsHelper::extractHFValue("KBAAAAAA"));
+    EXPECT_EQ("", PackageWindowsHelper::extractHFValue("AABBEEKB25A34111"));
+    // Valid cases
+    EXPECT_EQ("KB976902", PackageWindowsHelper::extractHFValue("KB976902\\KB976932\\SUPPORT\\SSU\\SAND\\5A42A8EB"));
+    EXPECT_EQ("KB976932", PackageWindowsHelper::extractHFValue("KB976932\\SAND\\87C8A3D4"));
+    EXPECT_EQ("KB2534111", PackageWindowsHelper::extractHFValue("KB2534111.MSU\\8847D77D"));
+    EXPECT_EQ("KB2534111", PackageWindowsHelper::extractHFValue("KBKBKBKBKB2534111"));
+    EXPECT_EQ("KB2534111", PackageWindowsHelper::extractHFValue("KB2534111"));
+}
+
+TEST_F(SysInfoWinTest, testHF_Valids_Format)
+{
+    std::set<std::string> ret;
+    constexpr auto KB_FORMAT_REGEX_OK { "(KB+[0-9]{6,})"};
+    constexpr auto KB_ONLY_FORMAT_REGEX { "(KB)"};
+    constexpr auto KB_NO_NUMBERS_FORMAT_REGEX { "(KB+[a-z])"};
+    constexpr auto KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX { "(KB+[0-9]{6,}+[aA-zZ])"};
+    PackageWindowsHelper::getHotFixFromReg(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_HOTFIX, ret);
+
+    for (const auto& hf : ret)
+    {
+        EXPECT_TRUE(std::regex_match(hf, std::regex(KB_FORMAT_REGEX_OK)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_ONLY_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_NO_NUMBERS_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX)));
+    }
+}
+
+TEST_F(SysInfoWinTest, testHF_NT_Valids_Format)
+{
+    std::set<std::string> ret;
+    constexpr auto KB_FORMAT_REGEX_OK { "(KB+[0-9]{6,})"};
+    constexpr auto KB_ONLY_FORMAT_REGEX { "(KB)"};
+    constexpr auto KB_NO_NUMBERS_FORMAT_REGEX { "(KB+[a-z])"};
+    constexpr auto KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX { "(KB+[0-9]{6,}+[aA-zZ])"};
+    PackageWindowsHelper::getHotFixFromRegNT(HKEY_LOCAL_MACHINE, PackageWindowsHelper::VISTA_REG_HOTFIX, ret);
+
+    for (const auto& hf : ret)
+    {
+        EXPECT_TRUE(std::regex_match(hf, std::regex(KB_FORMAT_REGEX_OK)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_ONLY_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_NO_NUMBERS_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX)));
+    }
+}
+
+TEST_F(SysInfoWinTest, testHF_WOW_Valids_Format)
+{
+    std::set<std::string> ret;
+    constexpr auto KB_FORMAT_REGEX_OK { "(KB+[0-9]{6,})"};
+    constexpr auto KB_ONLY_FORMAT_REGEX { "(KB)"};
+    constexpr auto KB_NO_NUMBERS_FORMAT_REGEX { "(KB+[a-z])"};
+    constexpr auto KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX { "(KB+[0-9]{6,}+[aA-zZ])"};
+    PackageWindowsHelper::getHotFixFromRegWOW(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_WOW_HOTFIX, ret);
+
+    for (const auto& hf : ret)
+    {
+        EXPECT_TRUE(std::regex_match(hf, std::regex(KB_FORMAT_REGEX_OK)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_ONLY_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_NO_NUMBERS_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX)));
+    }
+}
+
+TEST_F(SysInfoWinTest, testHF_PRODUCT_Valids_Format)
+{
+    std::set<std::string> ret;
+    constexpr auto KB_FORMAT_REGEX_OK { "(KB+[0-9]{6,})"};
+    constexpr auto KB_ONLY_FORMAT_REGEX { "(KB)"};
+    constexpr auto KB_NO_NUMBERS_FORMAT_REGEX { "(KB+[a-z])"};
+    constexpr auto KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX { "(KB+[0-9]{6,}+[aA-zZ])"};
+    PackageWindowsHelper::getHotFixFromRegProduct(HKEY_LOCAL_MACHINE, PackageWindowsHelper::WIN_REG_PRODUCT_HOTFIX, ret);
+
+    for (const auto& hf : ret)
+    {
+        EXPECT_TRUE(std::regex_match(hf, std::regex(KB_FORMAT_REGEX_OK)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_ONLY_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_NO_NUMBERS_FORMAT_REGEX)));
+        EXPECT_FALSE(std::regex_match(hf, std::regex(KB_WITH_NUMBERS_AND_LETTERS_FORMAT_REGEX)));
+    }
+}
diff --git a/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.h b/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.h
new file mode 100644
index 0000000000..e2364e3c38
--- /dev/null
+++ b/src/common/data_provider/tests/sysInfoWin/sysInfoWin_test.h
@@ -0,0 +1,29 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SYSINFO_WIN_TEST_H
+#define _SYSINFO_WIN_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysInfoWinTest : public ::testing::Test
+{
+    protected:
+
+        SysInfoWinTest() = default;
+        virtual ~SysInfoWinTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSINFO_WIN_TEST_H
\ No newline at end of file
diff --git a/src/common/data_provider/testtool/CMakeLists.txt b/src/common/data_provider/testtool/CMakeLists.txt
new file mode 100644
index 0000000000..3a86541ec5
--- /dev/null
+++ b/src/common/data_provider/testtool/CMakeLists.txt
@@ -0,0 +1,74 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sysinfo_test_tool)
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+include_directories(${SRC_FOLDER}/shared_modules/common/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+
+link_directories(${SRC_FOLDER}/external/procps/)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-g -Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2 -std=c++14")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-pthread -fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_definitions(-DWIN32=1)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(sysinfo_test_tool
+               ${sysinfo_TESTTOOL_SRC}
+               ${CMAKE_SOURCE_DIR}/testtool/main.cpp)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(sysinfo_test_tool
+        sysinfo
+        psapi
+        iphlpapi
+        ws2_32
+        -static-libstdc++
+    )
+elseif (CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+    target_link_libraries(sysinfo_test_tool
+        sysinfo
+        pthread)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "AIX" OR CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+    target_link_libraries(sysinfo_test_tool
+        sysinfo
+        dl
+        pthread
+    )
+else()
+    target_link_libraries(sysinfo_test_tool
+        sysinfo
+        dl
+        pthread
+        proc
+    )
+
+    if(SOLARIS)
+        target_link_libraries(sysinfo_test_tool
+            sysinfo
+            nsl
+            socket
+        )
+    endif(SOLARIS)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(APPLE)
+  add_custom_command(TARGET sysinfo_test_tool
+    POST_BUILD COMMAND
+    ${CMAKE_INSTALL_NAME_TOOL} -change "@rpath/libsysinfo.dylib" "@executable_path/../lib/libsysinfo.dylib"
+    $<TARGET_FILE:sysinfo_test_tool>)
+add_custom_command(TARGET sysinfo_test_tool
+    POST_BUILD COMMAND
+    ${CMAKE_INSTALL_NAME_TOOL} -change "@rpath/libwazuhext.dylib" "@executable_path/../../../libwazuhext.dylib"
+    $<TARGET_FILE:sysinfo_test_tool>)
+endif(APPLE)
diff --git a/src/common/data_provider/testtool/Readme.md b/src/common/data_provider/testtool/Readme.md
new file mode 100644
index 0000000000..2fec199ece
--- /dev/null
+++ b/src/common/data_provider/testtool/Readme.md
@@ -0,0 +1,46 @@
+# Data Provider Testing Tool
+## Index
+1. [Purpose](#purpose)
+2. [Compile Wazuh](#compile-wazuh)
+3. [How to use the tool](#how-to-use-the-tool)
+
+## Purpose
+The Data Provider Testing Tool was created to test and validate the data obtained by the module's execution. This tool works as a black box where an user will be able execute it and analyze the output data as desired.
+
+## Compile Wazuh
+In order compile the solution on a specific wazuh target, the project needs to be built either in release or debug mode.
+```
+make TARGET=server|agent <DEBUG=1>
+```
+
+## How to use the tool
+```
+Usage: sysinfo_test_tool [options]
+```
+
+The information output will vary based on the Operating System the tool is being executed.
+A brief example could be similar to the following one:
+
+```
+[{"hotfix":"KB12345678"},{"hotfix":"KB87654321"}]
+{"board_serial":" ","cpu_cores":6,"cpu_mhz":801.0,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":4659652,"ram_total":32746472,"ram_usage":86}
+[{"architecture":"amd64","description":"query and manipulate user account information\n The AccountService project provides a set of D-Bus\n interfaces for querying and manipulating user account\n information and an implementation of these interfaces,\n based on the useradd, usermod and userdel commands.","format":"deb","groups":"admin","multiarch":" ","name":"accountsservice","priority":"optional","size":"452","source":" ","vendor":"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>","version":"0.6.55-0ubuntu12~20.04.4"}],
+[{"argvs":"splash","cmd":"/sbin/init","egroup":"root","euser":"root","fgroup":"root","name":"systemd","nice":0,"nlwp":1,"pgrp":1,"pid":"1","ppid":0,"priority":20,"processor":2,"resident":3438,"rgroup":"root","ruser":"root","session":1,"sgroup":"root","share":2149,"size":42401,"start_time":23,"state":"S","stime":11365,"suser":"root","tgid":1,"tty":0,"utime":1005,"vm_size":169604},{"argvs":"","cmd":"","egroup":"root","euser":"root","fgroup":"root","name":"kthreadd","nice":0,"nlwp":1,"pgrp":0,"pid":"2","ppid":0,"priority":20,"processor":4,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":23,"state":"S","stime":7,"suser":"root","tgid":2,"tty":0,"utime":0,"vm_size":0}],
+{"iface":[{"adapter":" ","gateway":" ","mac":"d4:5d:64:51:07:5d","mtu":"1500","name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"down","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},{"adapter":" ","gateway":" ","mac":"0a:00:27:00:00:00","mtu":"1500","name":"vboxnet0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"down","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},{"IPv4":{"address":"192.168.92.1","broadcast":"192.168.92.255","dhcp":"unknown","metric":"0","netmask":"255.255.255.0"},"IPv6":{"address":"fe80::250:56ff:fec0:1","broadcast":"","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"},
+{"architecture":"x86_64","host_name":"martin-PC","os_codename":"focal","os_major":"20","os_minor":"04","os_name":"Ubuntu","os_patch":"2","os_platform":"ubuntu","os_version":"20.04.2 LTS (Focal Fossa)","release":"5.4.0-65-generic","sysname":"Linux","version":"#73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021"},
+{"architecture":"x86_64","host_name":"martin-PC","os_codename":"focal","os_major":"20","os_minor":"04","os_name":"Ubuntu","os_patch":"2","os_platform":"ubuntu","os_version":"20.04.2 LTS (Focal Fossa)","release":"5.4.0-65-generic","sysname":"Linux","version":"#73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021"}]
+```
+
+### Optional arguments:
+
+|Argument|Description|
+|---|---|
+| `--hardware`     | Prints the current Operating System hardware information only. Example: `sysinfo_test_tool --hardware`                               |
+| `--networks`     | Prints the current Operating System networks information only. Example: `sysinfo_test_tool --networks`                               |
+| `--packages`     | Prints the current Operating System packages information only. Example: `sysinfo_test_tool --packages`                               |
+| `--processes`    | Prints the current Operating System processes information only. Example: `sysinfo_test_tool --processes`                             |
+| `--packages-cb`  | Prints the current Operating System packages information only with callbacks mechanism. Example: `sysinfo_test_tool --packages-cb`   |
+| `--processes-cb` | Prints the current Operating System processes information only with callbacks mechanism. Example: `sysinfo_test_tool --processes-cb` |
+| `--ports`        | Prints the current Operating System ports information only. Example: `sysinfo_test_tool --ports`                                     |
+| `--os`           | Prints the current Operating System information only. Example: `sysinfo_test_tool --os`                                              |
+| `--hotfixes`     | Prints the current Operating System hotfixes information only. Example: `sysinfo_test_tool --hotfixes`                               |
diff --git a/src/common/data_provider/testtool/cmdLineActions.h b/src/common/data_provider/testtool/cmdLineActions.h
new file mode 100644
index 0000000000..a4bfe2e22a
--- /dev/null
+++ b/src/common/data_provider/testtool/cmdLineActions.h
@@ -0,0 +1,130 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 13, 2021
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CMD_LINE_ACTIONS_H_
+#define _CMD_LINE_ACTIONS_H_
+
+#include <string.h>
+
+constexpr auto HARDWARE_ACTION     { "--hardware"};
+constexpr auto NETWORKS_ACTION     { "--networks"};
+constexpr auto PACKAGES_ACTION     { "--packages"};
+constexpr auto PROCESSES_ACTION    { "--processes"};
+constexpr auto PORTS_ACTION        { "--ports"};
+constexpr auto OS_ACTION           { "--os"};
+constexpr auto HOTFIXES_ACTION     { "--hotfixes"};
+constexpr auto PROCESSES_CB_ACTION { "--processes-cb"};
+constexpr auto PACKAGES_CB_ACTION  { "--packages-cb"};
+
+class CmdLineActions final
+{
+    public:
+        CmdLineActions(const char* argv[])
+            : m_hardware          { HARDWARE_ACTION     == std::string(argv[1]) }
+            , m_networks          { NETWORKS_ACTION     == std::string(argv[1]) }
+            , m_packages          { PACKAGES_ACTION     == std::string(argv[1]) }
+            , m_processes         { PROCESSES_ACTION    == std::string(argv[1]) }
+            , m_ports             { PORTS_ACTION        == std::string(argv[1]) }
+            , m_os                { OS_ACTION           == std::string(argv[1]) }
+            , m_hotfixes          { HOTFIXES_ACTION     == std::string(argv[1]) }
+            , m_processesCallback { PROCESSES_CB_ACTION == std::string(argv[1]) }
+            , m_packagesCallback  { PACKAGES_CB_ACTION  == std::string(argv[1]) }
+
+        {}
+
+        bool hardwareArg() const
+        {
+            return m_hardware;
+        };
+
+        bool networksArg() const
+        {
+            return m_networks;
+        };
+
+        bool packagesArg() const
+        {
+            return m_packages;
+        };
+
+        bool processesArg() const
+        {
+            return m_processes;
+        };
+
+        bool portsArg() const
+        {
+            return m_ports;
+        };
+
+        bool osArg() const
+        {
+            return m_os;
+        };
+
+        bool hotfixesArg() const
+        {
+            return m_hotfixes;
+        };
+
+        bool packagesCallbackArg() const
+        {
+            return m_packagesCallback;
+        };
+
+        bool processesCallbackArg() const
+        {
+            return m_processesCallback;
+        };
+
+
+        static void showHelp()
+        {
+            std::cout << "\nUsage: sysinfo_test_tool [options]\n"
+                      << "Options:\n"
+                      << "\t<without args> \tPrints the complete Operating System information.\n"
+                      << "\t--hardware \tPrints the current Operating System hardware information.\n"
+                      << "\t--networks \tPrints the current Operating System networks information.\n"
+                      << "\t--packages \tPrints the current Operating System packages information.\n"
+                      << "\t--processes \tPrints the current Operating System processes information.\n"
+                      << "\t--packages-cb \tPrints the current Operating System packages using callbacks to return information.\n"
+                      << "\t--processes-cb \tPrints the current Operating System processes using callback to return information.\n"
+                      << "\t--ports \tPrints the current Operating System ports information.\n"
+                      << "\t--os \t\tPrints the current Operating System information.\n"
+                      << "\t--hotfixes \tPrints the current Operating System hotfixes information.\n"
+                      << "\nExamples:"
+                      << "\n\t./sysinfo_test_tool"
+                      << "\n\t./sysinfo_test_tool --hardware"
+                      << "\n\t./sysinfo_test_tool --networks"
+                      << "\n\t./sysinfo_test_tool --packages"
+                      << "\n\t./sysinfo_test_tool --processes"
+                      << "\n\t./sysinfo_test_tool --ports"
+                      << "\n\t./sysinfo_test_tool --os"
+                      << "\n\t./sysinfo_test_tool --hotfixes"
+                      << "\n\t./sysinfo_test_tool --processes-cb"
+                      << "\n\t./sysinfo_test_tool --packages-cb"
+                      << std::endl;
+        }
+
+    private:
+        const bool m_hardware;
+        const bool m_networks;
+        const bool m_packages;
+        const bool m_processes;
+        const bool m_ports;
+        const bool m_os;
+        const bool m_hotfixes;
+        const bool m_processesCallback;
+        const bool m_packagesCallback;
+
+};
+
+#endif // _CMD_LINE_ACTIONS_H_
diff --git a/src/common/data_provider/testtool/main.cpp b/src/common/data_provider/testtool/main.cpp
new file mode 100644
index 0000000000..31452c5c80
--- /dev/null
+++ b/src/common/data_provider/testtool/main.cpp
@@ -0,0 +1,171 @@
+/*
+ * Wazuh SysInfo
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 25, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <iostream>
+#include "cmdLineActions.h"
+#include "sysInfo.hpp"
+#include "sysInfo.h"
+
+constexpr auto JSON_PRETTY_SPACES
+{
+    2
+};
+
+class SysInfoPrinter final
+{
+    public:
+        SysInfoPrinter() = default;
+
+        void printHardwareInfo()
+        {
+            m_data["hw"] = m_sysinfo.hardware();
+        }
+
+        void printNetworksInfo()
+        {
+            m_data["networks"] = m_sysinfo.networks();
+        }
+
+        void printOSInfo()
+        {
+            m_data["os"] = m_sysinfo.os();
+        }
+
+        void printPackagesInfo()
+        {
+            m_data["packages"] = m_sysinfo.packages();
+        }
+
+        void printProcessesInfo()
+        {
+            m_data["processes"] = m_sysinfo.processes();
+        }
+
+        void printPortsInfo()
+        {
+            m_data["ports"] = m_sysinfo.ports();
+        }
+
+        void printHotfixes()
+        {
+            m_data["hotfixes"] = m_sysinfo.hotfixes();
+        }
+
+        void printData()
+        {
+            std::cout << m_data.dump(JSON_PRETTY_SPACES) << std::endl;
+        }
+
+        void printProcessesInfoCallback()
+        {
+            m_sysinfo.processes([this](nlohmann::json & process)
+            {
+                m_data["processes_cb"].push_back(process);
+            });
+        }
+
+        void printPackagesInfoCallback()
+        {
+            m_sysinfo.packages([this](nlohmann::json & package)
+            {
+                m_data["packages_cb"].push_back(package);
+            });
+        }
+
+    private:
+        SysInfo m_sysinfo;
+        nlohmann::json m_data;
+};
+
+int main(int argc, const char* argv[])
+{
+    try
+    {
+        SysInfoPrinter printer;
+
+        if (argc == 1)
+        {
+            // Calling testtool without parameters - default all
+            printer.printHardwareInfo();
+            printer.printNetworksInfo();
+            printer.printOSInfo();
+            printer.printPackagesInfo();
+            printer.printProcessesInfo();
+            printer.printPortsInfo();
+            printer.printHotfixes();
+            printer.printData();
+            printer.printPackagesInfoCallback();
+            printer.printProcessesInfoCallback();
+        }
+        else if (argc == 2)
+        {
+            CmdLineActions cmdLineArgs(argv);
+
+            if (cmdLineArgs.hardwareArg())
+            {
+                printer.printHardwareInfo();
+            }
+            else if (cmdLineArgs.networksArg())
+            {
+                printer.printNetworksInfo();
+            }
+            else if (cmdLineArgs.osArg())
+            {
+                printer.printOSInfo();
+            }
+            else if (cmdLineArgs.packagesArg())
+            {
+                printer.printPackagesInfo();
+            }
+            else if (cmdLineArgs.processesArg())
+            {
+                printer.printProcessesInfo();
+            }
+            else if (cmdLineArgs.portsArg())
+            {
+                printer.printPortsInfo();
+            }
+            else if (cmdLineArgs.hotfixesArg())
+            {
+                printer.printHotfixes();
+            }
+            else if (cmdLineArgs.packagesCallbackArg())
+            {
+                printer.printPackagesInfoCallback();
+            }
+            else if (cmdLineArgs.processesCallbackArg())
+            {
+                printer.printProcessesInfoCallback();
+            }
+            else
+            {
+                throw std::runtime_error
+                {
+                    "Action value: " + std::string(argv[1]) + " not found."
+                };
+            }
+
+            printer.printData();
+        }
+        else
+        {
+            throw std::runtime_error
+            {
+                "Multiple action are not allowed"
+            };
+        }
+    }
+    catch (const std::exception& e)
+    {
+        std::cerr << "Error getting system information: " << e.what() << std::endl;
+        CmdLineActions::showHelp();
+    }
+}
diff --git a/src/common/dbsync/CMakeLists.txt b/src/common/dbsync/CMakeLists.txt
index e69de29bb2..5844620ea6 100644
--- a/src/common/dbsync/CMakeLists.txt
+++ b/src/common/dbsync/CMakeLists.txt
@@ -0,0 +1,109 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbsync)
+
+enable_testing()
+
+if(NOT CMAKE_BUILD_TYPE)
+  set(CMAKE_BUILD_TYPE Release)
+endif()
+
+get_filename_component(SHARED_MODULES ${CMAKE_SOURCE_DIR}/../ ABSOLUTE)
+get_filename_component(SRC_FOLDER     ${CMAKE_SOURCE_DIR}/../../ ABSOLUTE)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2 -std=c++14 -pthread")
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g")
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3")
+else()
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3 -s")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-g -fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
+
+if(APPLE)
+  set(CMAKE_MACOSX_RPATH 1)
+endif(APPLE)
+
+include_directories(${SRC_FOLDER}/external/sqlite/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+include_directories(${SRC_FOLDER}/external/cJSON/)
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+include_directories(${SHARED_MODULES}/utils/)
+include_directories(${SHARED_MODULES}/common/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  link_directories(${INSTALL_PREFIX}/lib)
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+link_directories(${SRC_FOLDER})
+link_directories(${SRC_FOLDER}/external/sqlite/)
+link_directories(${SRC_FOLDER}/external/cJSON/)
+
+file(GLOB DBSYNC_SRC
+    "${CMAKE_SOURCE_DIR}/src/*.cpp"
+    "${CMAKE_SOURCE_DIR}/src/sqlite/*.cpp")
+
+add_library(dbsync SHARED
+    ${DBSYNC_SRC}
+    ${SRC_FOLDER}/${RESOURCE_OBJ})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_definitions(-DWIN_EXPORT)
+  set_target_properties(dbsync PROPERTIES
+        PREFIX ""
+        SUFFIX ".dll"
+        LINK_FLAGS "-Wl,--add-stdcall-alias"
+        POSITION_INDEPENDENT_CODE 0 # this is to avoid MinGW warning;
+        # MinGW generates position-independent-code for DLL by default
+  )
+elseif(UNIX AND NOT APPLE)
+  if(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX" AND NOT CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+    string(APPEND CMAKE_SHARED_LINKER_FLAGS " -Wl,-rpath=$ORIGIN")
+  endif(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX" AND NOT CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+target_link_libraries(dbsync wazuhext)
+
+if(CMAKE_BUILD_TYPE STREQUAL "Release")
+  if(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    string(REPLACE ";" ":" CXX_IMPLICIT_LINK_DIRECTORIES_STR "${CMAKE_CXX_IMPLICIT_LINK_DIRECTORIES}")
+    string(REPLACE ";" ":" PLATFORM_REQUIRED_RUNTIME_PATH_STR "${CMAKE_PLATFORM_REQUIRED_RUNTIME_PATH}")
+    target_link_libraries(dbsync -Wl,-blibpath:${INSTALL_PREFIX}/lib:${CXX_IMPLICIT_LINK_DIRECTORIES_STR}:${PLATFORM_REQUIRED_RUNTIME_PATH_STR})
+  endif(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+endif(CMAKE_BUILD_TYPE STREQUAL "Release")
+
+
+if(UNIT_TEST)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_link_libraries(dbsync -fprofile-arcs)
+  else()
+    target_link_libraries(dbsync gcov)
+  endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+  add_subdirectory(tests)
+  add_subdirectory(integrationTests)
+endif(UNIT_TEST)
+
+if(NOT DEFINED COVERITY AND NOT DEFINED UNIT_TEST)
+  if(FSANITIZE)
+      target_link_libraries(dbsync gcov)
+  endif(FSANITIZE)
+  add_subdirectory(example)
+  add_subdirectory(testtool)
+endif(NOT DEFINED COVERITY AND NOT DEFINED UNIT_TEST)
diff --git a/src/common/dbsync/dbsync_doxygen.conf b/src/common/dbsync/dbsync_doxygen.conf
new file mode 100644
index 0000000000..0f4cd5feea
--- /dev/null
+++ b/src/common/dbsync/dbsync_doxygen.conf
@@ -0,0 +1,2494 @@
+# Doxyfile 1.8.13
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project.
+#
+# All text after a double hash (##) is considered a comment and is placed in
+# front of the TAG it is preceding.
+#
+# All text after a single hash (#) is considered a comment and will be ignored.
+# The format is:
+# TAG = value [value, ...]
+# For lists, items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (\" \").
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all text
+# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv
+# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv
+# for the list of possible encodings.
+# The default value is: UTF-8.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
+# double-quotes, unless you are using Doxywizard) that should identify the
+# project for which the documentation is generated. This name is used in the
+# title of most generated pages and in a few other places.
+# The default value is: My Project.
+
+PROJECT_NAME           = "DBSync"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
+# could be handy for archiving the generated documentation or if some version
+# control system is used.
+
+PROJECT_NUMBER         =
+
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer a
+# quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          =
+
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
+
+PROJECT_LOGO           =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
+# into which the generated documentation will be written. If a relative path is
+# entered, it will be relative to the location where doxygen was started. If
+# left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = doxygen
+
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# directories (in 2 levels) under the output directory of each output format and
+# will distribute the generated files over these directories. Enabling this
+# option can be useful when feeding doxygen a huge amount of source files, where
+# putting all generated files in the same directory would otherwise causes
+# performance problems for the file system.
+# The default value is: NO.
+
+CREATE_SUBDIRS         = NO
+
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES    = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
+# The default value is: English.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
+# descriptions after the members that are listed in the file and class
+# documentation (similar to Javadoc). Set to NO to disable this.
+# The default value is: YES.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
+# description of a member or function before the detailed description
+#
+# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+# The default value is: YES.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator that is
+# used to form the text in various listings. Each string in this list, if found
+# as the leading text of the brief description, will be stripped from the text
+# and the result, after processing the whole list, is used as the annotated
+# text. Otherwise, the brief description is used as-is. If left blank, the
+# following values are used ($name is automatically replaced with the name of
+# the entity):The $name class, The $name widget, The $name file, is, provides,
+# specifies, contains, represents, a, an and the.
+
+ABBREVIATE_BRIEF       = "The $name class" \
+                         "The $name widget" \
+                         "The $name file" \
+                         is \
+                         provides \
+                         specifies \
+                         contains \
+                         represents \
+                         a \
+                         an \
+                         the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# doxygen will generate a detailed section even if there is only a brief
+# description.
+# The default value is: NO.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+# The default value is: NO.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
+# before files name in the file list and in the header files. If set to NO the
+# shortest path that makes the file name unique will be used
+# The default value is: YES.
+
+FULL_PATH_NAMES        = YES
+
+# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
+# Stripping is only done if one of the specified strings matches the left-hand
+# part of the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the path to
+# strip.
+#
+# Note that you can specify absolute paths here, but also relative paths, which
+# will be relative from the directory where doxygen is started.
+# This tag requires that the tag FULL_PATH_NAMES is set to YES.
+
+STRIP_FROM_PATH        =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
+# path mentioned in the documentation of a class, which tells the reader which
+# header file to include in order to use a class. If left blank only the name of
+# the header file containing the class definition is used. Otherwise one should
+# specify the list of include paths that are normally passed to the compiler
+# using the -I flag.
+
+STRIP_FROM_INC_PATH    =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
+# less readable) file names. This can be useful is your file systems doesn't
+# support long names like on DOS, Mac, or CD-ROM.
+# The default value is: NO.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
+# first line (until the first dot) of a Javadoc-style comment as the brief
+# description. If set to NO, the Javadoc-style will behave just like regular Qt-
+# style comments (thus requiring an explicit @brief command for a brief
+# description.)
+# The default value is: NO.
+
+JAVADOC_AUTOBRIEF      = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
+# line (until the first dot) of a Qt-style comment as the brief description. If
+# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
+# requiring an explicit \brief command for a brief description.)
+# The default value is: NO.
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
+# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
+# a brief description. This used to be the default behavior. The new default is
+# to treat a multi-line C++ comment block as a detailed description. Set this
+# tag to YES if you prefer the old behavior instead.
+#
+# Note that setting this tag to YES also means that rational rose comments are
+# not recognized any more.
+# The default value is: NO.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
+# documentation from any documented member that it re-implements.
+# The default value is: YES.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
+# The default value is: NO.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
+# uses this value to replace tabs by spaces in code fragments.
+# Minimum value: 1, maximum value: 16, default value: 4.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that act as commands in
+# the documentation. An alias has the form:
+# name=value
+# For example adding
+# "sideeffect=@par Side Effects:\n"
+# will allow you to put the command \sideeffect (or @sideeffect) in the
+# documentation, which will result in a user-defined paragraph with heading
+# "Side Effects:". You can put \n's in the value part of an alias to insert
+# newlines.
+
+ALIASES                =
+
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding "class=itcl::class"
+# will allow you to use the command class in the itcl::class meaning.
+
+TCL_SUBST              =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
+# only. Doxygen will then generate output that is more tailored for C. For
+# instance, some of the names that are used will be different. The list of all
+# members will be omitted, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_FOR_C  = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
+# Python sources only. Doxygen will then generate output that is more tailored
+# for that language. For instance, namespaces will be presented as packages,
+# qualified scopes will look different, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources. Doxygen will then generate output that is tailored for Fortran.
+# The default value is: NO.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for VHDL.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given
+# extension. Doxygen has a built-in mapping, but you can override or extend it
+# using this tag. The format is ext=language, where ext is a file extension, and
+# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
+#
+# Note: For files without extension you can use no_extension as a placeholder.
+#
+# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
+# the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
+# according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you can
+# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
+# case of backward compatibilities issues.
+# The default value is: YES.
+
+MARKDOWN_SUPPORT       = YES
+
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS   = 0
+
+# When enabled doxygen tries to link words that correspond to documented
+# classes, or namespaces to their corresponding documentation. Such a link can
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
+# The default value is: YES.
+
+AUTOLINK_SUPPORT       = YES
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should set this
+# tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string);
+# versus func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+# The default value is: NO.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+# The default value is: NO.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
+# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
+# will parse them like normal C++ but will assume all classes use public instead
+# of private inheritance when no explicit protection keyword is present.
+# The default value is: NO.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate
+# getter and setter methods for a property. Setting this option to YES will make
+# doxygen to replace the get and set methods by a property in the documentation.
+# This will only work if the methods are indeed getting or setting a simple
+# type. If this is not the case, or you want to show the methods anyway, you
+# should set this option to NO.
+# The default value is: YES.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+# The default value is: NO.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
+# Set the SUBGROUPING tag to YES to allow class member groups of the same type
+# (for instance a group of public functions) to be put as a subgroup of that
+# type (e.g. under the Public Functions section). Set it to NO to prevent
+# subgrouping. Alternatively, this can be done per class using the
+# \nosubgrouping command.
+# The default value is: YES.
+
+SUBGROUPING            = YES
+
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
+# are shown inside the group in which they are included (e.g. using \ingroup)
+# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
+# and RTF).
+#
+# Note that this feature does not work in combination with
+# SEPARATE_MEMBER_PAGES.
+# The default value is: NO.
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
+# with only public data fields or simple typedef fields will be shown inline in
+# the documentation of the scope in which they are defined (i.e. file,
+# namespace, or group documentation), provided this scope is documented. If set
+# to NO, structs, classes, and unions are shown on a separate page (for HTML and
+# Man pages) or section (for LaTeX and RTF).
+# The default value is: NO.
+
+INLINE_SIMPLE_STRUCTS  = NO
+
+# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
+# enum is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically be
+# useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+# The default value is: NO.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
+# cache is used to resolve symbols given their name and scope. Since this can be
+# an expensive process and often the same symbol appears multiple times in the
+# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
+# doxygen will become slower. If the cache is too large, memory is wasted. The
+# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
+# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
+# symbols. At the end of a run doxygen will report the cache usage and suggest
+# the optimal cache size from a speed point of view.
+# Minimum value: 0, maximum value: 9, default value: 0.
+
+LOOKUP_CACHE_SIZE      = 0
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PACKAGE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
+
+EXTRACT_STATIC         = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. If set to YES, local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
+# included.
+# The default value is: NO.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
+# (class|struct|union) declarations. If set to NO, these declarations will be
+# included in the documentation.
+# The default value is: NO.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO, these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
+# names in lower-case letters. If set to YES, upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+# The default value is: system dependent.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES, the
+# scope will be hidden.
+# The default value is: NO.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
+
+FORCE_LOCAL_INCLUDES   = NO
+
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order.
+# The default value is: YES.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
+
+STRICT_PROTO_MATCHING  = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if <section_label> ... \endif and \cond <section_label>
+# ... \endcond blocks.
+
+ENABLED_SECTIONS       =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
+# The default value is: YES.
+
+SHOW_USED_FILES        = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
+
+SHOW_FILES             = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
+
+FILE_VERSION_FILTER    =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file.
+#
+# Note that if you run doxygen from a directory containing a file called
+# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. See also \cite for info how to create references.
+
+CITE_BIB_FILES         =
+
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
+
+WARNINGS               = YES
+
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some parameters
+# in a documented function, or documenting parameters that don't exist or using
+# markup commands wrongly.
+# The default value is: YES.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
+# The default value is: NO.
+
+WARN_NO_PARAMDOC       = NO
+
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR          = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# The default value is: $file:$line: $text.
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr).
+
+WARN_LOGFILE           =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
+# Note: If this tag is empty the current directory is searched.
+
+INPUT                  = include
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see: http://www.gnu.org/software/libiconv) for the list of
+# possible encodings.
+# The default value is: UTF-8.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
+
+FILE_PATTERNS          = *.c \
+                         *.cc \
+                         *.cxx \
+                         *.cpp \
+                         *.c++ \
+                         *.java \
+                         *.ii \
+                         *.ixx \
+                         *.ipp \
+                         *.i++ \
+                         *.inl \
+                         *.idl \
+                         *.ddl \
+                         *.odl \
+                         *.h \
+                         *.hh \
+                         *.hxx \
+                         *.hpp \
+                         *.h++ \
+                         *.cs \
+                         *.d \
+                         *.php \
+                         *.php4 \
+                         *.php5 \
+                         *.phtml \
+                         *.inc \
+                         *.m \
+                         *.markdown \
+                         *.md \
+                         *.mm \
+                         *.dox \
+                         *.py \
+                         *.pyw \
+                         *.f90 \
+                         *.f95 \
+                         *.f03 \
+                         *.f08 \
+                         *.f \
+                         *.for \
+                         *.tcl \
+                         *.vhd \
+                         *.vhdl \
+                         *.ucf \
+                         *.qsf
+
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
+
+RECURSIVE              = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE                =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+# The default value is: NO.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories use the pattern */test/*
+
+EXCLUDE_SYMBOLS        =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
+
+EXAMPLE_PATH           =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
+
+EXAMPLE_PATTERNS       = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
+
+IMAGE_PATH             =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command:
+#
+# <filter> <input-file>
+#
+# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+INPUT_FILTER           =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+FILTER_PATTERNS        =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
+
+FILTER_SOURCE_FILES    = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
+
+SOURCE_BROWSER         = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# classes and enums directly into the documentation.
+# The default value is: NO.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# function all documented functions referencing it will be listed.
+# The default value is: NO.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
+
+REFERENCES_RELATION    = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS        = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see http://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
+
+VERBATIM_HEADERS       = YES
+
+# If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the
+# clang parser (see: http://clang.llvm.org/) for more accurate parsing at the
+# cost of reduced performance. This can be particularly helpful with template
+# rich C++ code for which doxygen's built-in parser lacks the necessary type
+# information.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse-libclang=ON option for CMake.
+# The default value is: NO.
+
+CLANG_ASSISTED_PARSING = NO
+
+# If clang assisted parsing is enabled you can provide the compiler with command
+# line options that you would normally use when invoking the compiler. Note that
+# the include paths will already be set by doxygen for the files and directories
+# specified with INPUT and INCLUDE_PATH.
+# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
+
+CLANG_OPTIONS          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
+
+ALPHABETICAL_INDEX     = YES
+
+# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
+# which the alphabetical index list will be split.
+# Minimum value: 1, maximum value: 20, default value: 5.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all classes will
+# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
+# can be used to specify a prefix (or a list of prefixes) that should be ignored
+# while generating the index headers.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+IGNORE_PREFIX          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
+# The default value is: YES.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_OUTPUT            = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
+# generated HTML page (for example: .htm, .php, .asp).
+# The default value is: .html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
+# each generated HTML page. If the tag is left blank doxygen will generate a
+# standard header.
+#
+# To get valid HTML the header file that includes any scripts and style sheets
+# that doxygen needs, which is dependent on the configuration options used (e.g.
+# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
+# default header using
+# doxygen -w html new_header.html new_footer.html new_stylesheet.css
+# YourConfigFile
+# and then modify the file new_header.html. See also section "Doxygen usage"
+# for information on how to generate the default header that doxygen normally
+# uses.
+# Note: The header is subject to change so you typically have to regenerate the
+# default header when upgrading to a newer version of doxygen. For a description
+# of the possible markers and block names see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_HEADER            =
+
+# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
+# generated HTML page. If the tag is left blank doxygen will generate a standard
+# footer. See HTML_HEADER for more information on how to generate a default
+# footer and what special commands can be used inside the footer. See also
+# section "Doxygen usage" for information on how to generate the default footer
+# that doxygen normally uses.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FOOTER            =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
+# sheet that is used by each HTML page. It can be used to fine-tune the look of
+# the HTML output. If left blank doxygen will generate a default style sheet.
+# See also section "Doxygen usage" for information on how to generate the style
+# sheet that doxygen normally uses.
+# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
+# it is more robust and this tag (HTML_STYLESHEET) will in the future become
+# obsolete.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_STYLESHEET        =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
+# created by doxygen. Using this option one can overrule certain style aspects.
+# This is preferred over using HTML_STYLESHEET since it does not replace the
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_STYLESHEET  =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
+# files will be copied as-is; there are no commands or markers available.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_FILES       =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
+# will adjust the colors in the style sheet and background images according to
+# this color. Hue is specified as an angle on a colorwheel, see
+# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
+# purple, and 360 is red again.
+# Minimum value: 0, maximum value: 359, default value: 220.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
+# in the HTML output. For a value of 0 the output will use grayscales only. A
+# value of 255 will produce the most vivid colors.
+# Minimum value: 0, maximum value: 255, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
+# luminance component of the colors in the HTML output. Values below 100
+# gradually make the output lighter, whereas values above 100 make the output
+# darker. The value divided by 100 is the actual gamma applied, so 80 represents
+# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
+# change the gamma.
+# Minimum value: 40, maximum value: 240, default value: 80.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting this
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_TIMESTAMP         = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
+# shown in the various tree structured indices initially; the user can expand
+# and collapse entries dynamically later on. Doxygen will expand the tree to
+# such a level that at most the specified number of entries are visible (unless
+# a fully collapsed tree already exceeds this amount). So setting the number of
+# entries 1 will produce a full collapsed tree by default. 0 is a special value
+# representing an infinite number of entries and will result in a full expanded
+# tree by default.
+# Minimum value: 0, maximum value: 9999, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files will be
+# generated that can be used as input for Apple's Xcode 3 integrated development
+# environment (see: http://developer.apple.com/tools/xcode/), introduced with
+# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
+# Makefile in the HTML output directory. Running make will produce the docset in
+# that directory and running make install will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
+# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_DOCSET        = NO
+
+# This tag determines the name of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# The default value is: Doxygen generated docs.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# This tag specifies a string that should uniquely identify the documentation
+# set bundle. This should be a reverse domain-name style string, e.g.
+# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
+# The default value is: org.doxygen.Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
+# The default value is: Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
+# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
+# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
+# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
+# Windows.
+#
+# The HTML Help Workshop contains a compiler that can convert all HTML output
+# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
+# files are now used as the Windows 98 help format, and will replace the old
+# Windows help format (.hlp) on all Windows platforms in the future. Compressed
+# HTML files also contain an index, a table of contents, and you can search for
+# words in the documentation. The HTML workshop also contains a viewer for
+# compressed HTML files.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_HTMLHELP      = NO
+
+# The CHM_FILE tag can be used to specify the file name of the resulting .chm
+# file. You can add a path in front of the file if the result should not be
+# written to the html output directory.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_FILE               =
+
+# The HHC_LOCATION tag can be used to specify the location (absolute path
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
+# doxygen will try to run the HTML help compiler on the generated index.hhp.
+# The file has to be specified with full path.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+HHC_LOCATION           =
+
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+GENERATE_CHI           = NO
+
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
+# and project file content.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_INDEX_ENCODING     =
+
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members to
+# the table of contents of the HTML help documentation and to the tree view.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+TOC_EXPAND             = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
+# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
+# (.qch) of the generated HTML documentation.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_QHP           = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
+# the file name of the resulting .qch file. The path specified is relative to
+# the HTML output folder.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
+# Project output. For more information please see Qt Help Project / Namespace
+# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
+# Help Project output. For more information please see Qt Help Project / Virtual
+# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
+# folders).
+# The default value is: doc.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
+# filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's filter section matches. Qt Help Project / Filter Attributes (see:
+# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# The QHG_LOCATION tag can be used to specify the location of Qt's
+# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
+# generated .qhp file.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
+# generated, together with the HTML files, they form an Eclipse help plugin. To
+# install this plugin and make it available under the help contents menu in
+# Eclipse, the contents of the directory containing the HTML and XML files needs
+# to be copied into the plugins directory of eclipse. The name of the directory
+# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
+# After copying Eclipse needs to be restarted before the help appears.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the Eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have this
+# name. Each documentation set should have its own identifier.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# If you want full control over the layout of the generated HTML pages it might
+# be necessary to disable the index and replace it with your own. The
+# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
+# of each HTML page. A value of NO enables the index and the value YES disables
+# it. Since the tabs in the index contain the same information as the navigation
+# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+DISABLE_INDEX          = NO
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information. If the tag
+# value is set to YES, a side panel will be generated containing a tree-like
+# index structure (just like the one that is generated for HTML Help). For this
+# to work a browser that supports JavaScript, DHTML, CSS and frames is required
+# (i.e. any modern browser). Windows users are probably better off using the
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
+# further fine-tune the look of the index. As an example, the default style
+# sheet generated by doxygen has an example that shows how to put an image at
+# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
+# the same information as the tab index, you could consider setting
+# DISABLE_INDEX to YES when enabling this option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_TREEVIEW      = NO
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
+# doxygen will group on one line in the generated HTML documentation.
+#
+# Note that a value of 0 will completely suppress the enum values from appearing
+# in the overview section.
+# Minimum value: 0, maximum value: 20, default value: 4.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
+# to set the initial width (in pixels) of the frame in which the tree is shown.
+# Minimum value: 0, maximum value: 1500, default value: 250.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+TREEVIEW_WIDTH         = 250
+
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
+# external symbols imported via tag files in a separate window.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+EXT_LINKS_IN_WINDOW    = NO
+
+# Use this tag to change the font size of LaTeX formulas included as images in
+# the HTML documentation. When you change the font size after a successful
+# doxygen run you need to manually remove any form_*.png images from the HTML
+# output directory to force them to be regenerated.
+# Minimum value: 8, maximum value: 50, default value: 10.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_FONTSIZE       = 10
+
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are not
+# supported properly for IE 6.0, but are supported on all modern browsers.
+#
+# Note that when changing this option you need to delete any form_*.png files in
+# the HTML output directory before the changes have effect.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
+# http://www.mathjax.org) which uses client side Javascript for the rendering
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
+# installed or if you want to formulas look prettier in the HTML output. When
+# enabled you may also need to install MathJax separately and configure the path
+# to it using the MATHJAX_RELPATH option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you can set the default output format to be used for
+# the MathJax output. See the MathJax site (see:
+# http://docs.mathjax.org/en/latest/output.html) for more details.
+# Possible values are: HTML-CSS (which is slower, but has the best
+# compatibility), NativeMML (i.e. MathML) and SVG.
+# The default value is: HTML-CSS.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_FORMAT         = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the HTML
+# output directory using the MATHJAX_RELPATH option. The destination directory
+# should contain the MathJax.js script. For instance, if the mathjax directory
+# is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
+# Content Delivery Network so you can quickly see the result without installing
+# MathJax. However, it is strongly recommended to install a local copy of
+# MathJax from http://www.mathjax.org before deployment.
+# The default value is: http://cdn.mathjax.org/mathjax/latest.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
+# extension names that should be enabled during MathJax rendering. For example
+# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_EXTENSIONS     =
+
+# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
+# of code that will be used on startup of the MathJax code. See the MathJax site
+# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
+# example see the documentation.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_CODEFILE       =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
+# the HTML output. The underlying search engine uses javascript and DHTML and
+# should work on any modern browser. Note that when using HTML help
+# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
+# there is already a search function so this one should typically be disabled.
+# For large projects the javascript based search engine can be slow, then
+# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
+# search using the keyboard; to jump to the search box use <access key> + S
+# (what the <access key> is depends on the OS and browser, but it is typically
+# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
+# key> to jump into the search results window, the results can be navigated
+# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
+# the search. The filter options can be selected when the cursor is inside the
+# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
+# to select a filter and <Enter> or <escape> to activate or cancel the filter
+# option.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+SEARCHENGINE           = YES
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a web server instead of a web client using Javascript. There
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SERVER_BASED_SEARCH    = NO
+
+# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
+# search results.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/).
+#
+# See the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH        = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will return the search results when EXTERNAL_SEARCH is enabled.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/). See the section "External Indexing and
+# Searching" for details.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHENGINE_URL       =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+# The default file is: searchdata.xml.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHDATA_FILE        = searchdata.xml
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
+# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
+# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
+# projects and redirect the results back to the right project.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH_ID     =
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
+# projects other than the one defined by this configuration file, but that are
+# all added to the same external search index. Each project needs to have a
+# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id of
+# to a relative location where the documentation can be found. The format is:
+# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTRA_SEARCH_MAPPINGS  =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
+# The default value is: YES.
+
+GENERATE_LATEX         = YES
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked.
+#
+# Note that when enabling USE_PDFLATEX this option is only used for generating
+# bitmaps for formulas in the HTML output, but not in the Makefile that is
+# written to the output directory.
+# The default file is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
+# index for LaTeX.
+# The default file is: makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used by the
+# printer.
+# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
+# 14 inches) and executive (7.25 x 10.5 inches).
+# The default value is: a4.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PAPER_TYPE             = a4
+
+# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
+# If left blank no extra packages will be included.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+EXTRA_PACKAGES         =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
+# generated LaTeX document. The header should contain everything until the first
+# chapter. If it is left blank doxygen will generate a standard header. See
+# section "Doxygen usage" for information on how to let doxygen write the
+# default header to a separate file.
+#
+# Note: Only use a user-defined header if you know what you are doing! The
+# following commands have a special meaning inside the header: $title,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HEADER           =
+
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
+# generated LaTeX document. The footer should contain everything after the last
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
+#
+# Note: Only use a user-defined footer if you know what you are doing!
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_FOOTER           =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
+
+# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the LATEX_OUTPUT output
+# directory. Note that the files will be copied as-is; there are no commands or
+# markers available.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_FILES      =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
+# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
+# contain links (just like the HTML output) instead of page references. This
+# makes the output suitable for online browsing using a PDF viewer.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
+# higher quality PDF documentation.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
+# command to the generated LaTeX files. This will instruct LaTeX to keep running
+# if errors occur, instead of asking the user for help. This option is also used
+# when generating formulas in HTML.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BATCHMODE        = NO
+
+# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
+# index chapters (such as File Index, Compound Index, etc.) in the output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HIDE_INDICES     = NO
+
+# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
+# code with syntax highlighting in the LaTeX output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. See
+# http://en.wikipedia.org/wiki/BibTeX and \cite for more info.
+# The default value is: plain.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BIB_STYLE        = plain
+
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
+# RTF output is optimized for Word 97 and may not look too pretty with other RTF
+# readers/editors.
+# The default value is: NO.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: rtf.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
+# contain hyperlink fields. The RTF file will contain links (just like the HTML
+# output) instead of page references. This makes the output suitable for online
+# browsing using Word or some other Word compatible readers that support those
+# fields.
+#
+# Note: WordPad (write) and others do not support links.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's config
+# file, i.e. a series of assignments. You only have to provide replacements,
+# missing definitions are set to their default value.
+#
+# See also section "Doxygen usage" for information on how to generate the
+# default style sheet that doxygen normally uses.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_STYLESHEET_FILE    =
+
+# Set optional variables used in the generation of an RTF document. Syntax is
+# similar to doxygen's config file. A template extensions file can be generated
+# using doxygen -e rtf extensionFile.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_EXTENSIONS_FILE    =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
+# classes and files.
+# The default value is: NO.
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it. A directory man3 will be created inside the directory specified by
+# MAN_OUTPUT.
+# The default directory is: man.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to the generated
+# man pages. In case the manual section does not start with a number, the number
+# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
+# optional.
+# The default value is: .3.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_EXTENSION          = .3
+
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR             =
+
+# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
+# will generate one additional man file for each entity documented in the real
+# man page(s). These additional files only source the real man page, but without
+# them the man command would be unable to find the correct page.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
+# captures the structure of the code including all documentation.
+# The default value is: NO.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: xml.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_OUTPUT             = xml
+
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
+# listings (including syntax highlighting and cross-referencing information) to
+# the XML output. Note that enabling this will significantly increase the size
+# of the XML output.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
+# that can be used to generate PDF.
+# The default value is: NO.
+
+GENERATE_DOCBOOK       = NO
+
+# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
+# front of it.
+# The default directory is: docbook.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_OUTPUT         = docbook
+
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
+# file that captures the structure of the code including all documentation.
+#
+# Note that this feature is still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
+# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
+# output from the Perl module output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
+# formatted so it can be parsed by a human reader. This is useful if you want to
+# understand what is going on. On the other hand, if this tag is set to NO, the
+# size of the Perl module output will be much smaller and Perl will parse it
+# just the same.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file are
+# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
+# so different doxyrules.make files included by the same Makefile don't
+# overwrite each other's variables.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
+# C-preprocessor directives found in the sources and include files.
+# The default value is: YES.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+MACRO_EXPANSION        = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
+# INCLUDE_PATH will be searched if a #include is found.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by the
+# preprocessor.
+# This tag requires that the tag SEARCH_INCLUDES is set to YES.
+
+INCLUDE_PATH           =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will be
+# used.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+INCLUDE_FILE_PATTERNS  =
+
+# The PREDEFINED tag can be used to specify one or more macro names that are
+# defined before the preprocessor is started (similar to the -D option of e.g.
+# gcc). The argument of the tag is a list of macros of the form: name or
+# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
+# is assumed. To prevent a macro definition from being undefined via #undef or
+# recursively expanded use the := operator instead of the = operator.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+PREDEFINED             =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_AS_DEFINED      =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
+# removed.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES tag can be used to specify one or more tag files. For each tag
+# file the location of the external documentation should be added. The format of
+# a tag file without this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where loc1 and loc2 can be relative or absolute paths or URLs. See the
+# section "Linking to external documentation" for more information about the use
+# of tag files.
+# Note: Each tag file must have a unique name (where the name does NOT include
+# the path). If a tag file is not located in the directory in which doxygen is
+# run, you must also specify the path to the tagfile here.
+
+TAGFILES               =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
+# tag file that is based on the input files it reads. See section "Linking to
+# external documentation" for more information about the usage of tag files.
+
+GENERATE_TAGFILE       =
+
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
+# The default value is: NO.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
+# listed.
+# The default value is: YES.
+
+EXTERNAL_GROUPS        = YES
+
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
+# the related pages index. If set to NO, only the current project's pages will
+# be listed.
+# The default value is: YES.
+
+EXTERNAL_PAGES         = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of 'which perl').
+# The default file (with absolute path) is: /usr/bin/perl.
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
+# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
+# NO turns the diagrams off. Note that this option also works with HAVE_DOT
+# disabled, but it is recommended to install and use dot, since it yields more
+# powerful graphs.
+# The default value is: YES.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see:
+# http://www.mcternan.me.uk/mscgen/)) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
+# default search path.
+
+MSCGEN_PATH            =
+
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES the inheritance and collaboration graphs will hide inheritance
+# and usage relations if the target is undocumented or is not a class.
+# The default value is: YES.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz (see:
+# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
+# Bell Labs. The other options in this section have no effect if this option is
+# set to NO
+# The default value is: YES.
+
+HAVE_DOT               = NO
+
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
+# to run in parallel. When set to 0 doxygen will base this on the number of
+# processors available in the system. You can set it explicitly to a value
+# larger than 0 to get control over the balance between CPU load and processing
+# speed.
+# Minimum value: 0, maximum value: 32, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_NUM_THREADS        = 0
+
+# When you want a differently looking font in the dot files that doxygen
+# generates you can specify the font name using DOT_FONTNAME. You need to make
+# sure dot is able to find the font, which can be done by putting it in a
+# standard location or by setting the DOTFONTPATH environment variable or by
+# setting DOT_FONTPATH to the directory containing the font.
+# The default value is: Helvetica.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTNAME           = Helvetica
+
+# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
+# dot graphs.
+# Minimum value: 4, maximum value: 24, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the default font as specified with
+# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
+# the path where dot can find it using this tag.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTPATH           =
+
+# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
+# each documented class showing the direct and indirect inheritance relations.
+# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
+# graph for each documented class showing the direct and indirect implementation
+# dependencies (inheritance, containment, and class references variables) of the
+# class with other documented classes.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
+# groups, showing the direct groups dependencies.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LOOK               = NO
+
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
+# class node. If there are many fields or methods and many nodes the graph may
+# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
+# number of items for each type to make the size more manageable. Set this to 0
+# for no limit. Note that the threshold may be exceeded by 50% before the limit
+# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
+# but if the number exceeds 15, the total amount of fields shown is limited to
+# 10.
+# Minimum value: 0, maximum value: 100, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
+# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
+# collaboration graphs will show the relations between templates and their
+# instances.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
+# YES then doxygen will generate a graph for each documented file showing the
+# direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDE_GRAPH          = YES
+
+# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
+# set to YES then doxygen will generate a graph for each documented file showing
+# the direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will graphical
+# hierarchy of all classes instead of a textual one.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
+# dependencies a directory has on other directories in a graphical way. The
+# dependency relations are determined by the #include relations between the
+# files in the directories.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
+# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
+# to make the SVG files visible in IE 9+ (other browsers do not have this
+# requirement).
+# Possible values are: png, png:cairo, png:cairo:cairo, png:cairo:gd, png:gd,
+# png:gd:gd, jpg, jpg:cairo, jpg:cairo:gd, jpg:gd, jpg:gd:gd, gif, gif:cairo,
+# gif:cairo:gd, gif:gd, gif:gd:gd, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
+# The default value is: png.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_IMAGE_FORMAT       = png
+
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+#
+# Note that this requires a modern browser other than Internet Explorer. Tested
+# and working are Firefox, Chrome, Safari, and Opera.
+# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
+# the SVG files visible. Older versions of IE do not have SVG support.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INTERACTIVE_SVG        = NO
+
+# The DOT_PATH tag can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_PATH               =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the \dotfile
+# command).
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOTFILE_DIRS           =
+
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the \mscfile
+# command).
+
+MSCFILE_DIRS           =
+
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH      =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE      =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH  =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
+# that will be shown in the graph. If the number of nodes in a graph becomes
+# larger than this value, doxygen will truncate the graph, which is visualized
+# by representing a node as a red box. Note that doxygen if the number of direct
+# children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
+# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# Minimum value: 0, maximum value: 10000, default value: 50.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
+# generated by dot. A depth value of 3 means that only nodes reachable from the
+# root by following a path via at most 3 edges will be shown. Nodes that lay
+# further from the root node will be omitted. Note that setting this option to 1
+# or 2 may greatly reduce the computation time needed for large code bases. Also
+# note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+# Minimum value: 0, maximum value: 1000, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, because dot on Windows does not seem
+# to support this out of the box.
+#
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10) support
+# this, this feature is disabled by default.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
+# explaining the meaning of the various boxes and arrows in the dot generated
+# graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
+# files that are used to generate the various graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_CLEANUP            = YES
diff --git a/src/common/dbsync/example/CMakeLists.txt b/src/common/dbsync/example/CMakeLists.txt
new file mode 100644
index 0000000000..c3f1d5ed95
--- /dev/null
+++ b/src/common/dbsync/example/CMakeLists.txt
@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbsync_example)
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-Wall -Wextra -std=c++14")
+
+add_executable(dbsync_example 
+    "${CMAKE_SOURCE_DIR}/example/main.cpp" )
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(dbsync_example
+        dbsync
+        pthread
+        -static-libgcc -static-libstdc++
+    )
+elseif(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+    target_link_libraries(dbsync_example
+        dbsync
+        pthread)
+else()
+    target_link_libraries(dbsync_example
+        dbsync
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
diff --git a/src/common/dbsync/example/main.cpp b/src/common/dbsync/example/main.cpp
new file mode 100644
index 0000000000..3dd87a28ea
--- /dev/null
+++ b/src/common/dbsync/example/main.cpp
@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <time.h>
+#include "dbsync.h"
+#include <iostream>
+#include <chrono>
+
+static void log_to_cout(const char* msg)
+{
+    if (msg)
+    {
+        std::cout << msg << std::endl;
+    }
+}
+
+void callback(const ReturnTypeCallback value, const cJSON* json)
+{
+    if (ReturnTypeCallback::DELETED == value)
+    {
+        std::cout << "deleted event: " << std::endl;
+    }
+    else if (ReturnTypeCallback::MODIFIED == value)
+    {
+        std::cout << "modified event: " << std::endl;
+    }
+    else if (ReturnTypeCallback::INSERTED == value)
+    {
+        std::cout << "inserted event: " << std::endl;
+    }
+
+    char* result_json = cJSON_Print(json);
+    std::cout << result_json << std::endl;
+    cJSON_free(result_json);
+}
+int main()
+{
+    std::string sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    std::string insert_sql{ "{\"table\":\"processes\",\"data\":[{\"pid\":4,\"name\":\"System\",\"path\":\"\",\"cmdline\":\"\",\"state\":\"\",\"cwd\":\"\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1},{\"pid\":5,\"name\":\"System\",\"path\":\"\",\"cmdline\":\"\",\"state\":\"\",\"cwd\":\"\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1},{\"pid\":6,\"name\":\"System\",\"path\":\"\",\"cmdline\":\"\",\"state\":\"\",\"cwd\":\"\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1}]}"};
+    std::string update_sql{ "{\"table\":\"processes\",\"data\":[{\"pid\":4,\"name\":\"Systemsss\",\"path\":\"/var/etc\",\"cmdline\":\"44\",\"state\":\"\",\"cwd\":\"aa\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1},{\"pid\":53,\"name\":\"System\",\"path\":\"\",\"cmdline\":\"\",\"state\":\"\",\"cwd\":\"\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1},{\"pid\":5,\"name\":\"Systemaa\",\"path\":\"\",\"cmdline\":\"\",\"state\":\"\",\"cwd\":\"\",\"root\":\"\",\"uid\":-1,\"gid\":-1,\"euid\":-1,\"egid\":-1,\"suid\":-1,\"sgid\":-1,\"on_disk\":-1,\"wired_size\":-1,\"resident_size\":-1,\"total_size\":-1,\"user_time\":-1,\"system_time\":-1,\"disk_bytes_read\":-1,\"disk_bytes_written\":-1,\"start_time\":-1,\"parent\":0,\"pgroup\":-1,\"threads\":164,\"nice\":-1,\"is_elevated_token\":false,\"elapsed_time\":-1,\"handle_count\":-1,\"percent_processor_time\":-1}]}]}"};
+    cJSON* json_insert { cJSON_Parse(insert_sql.c_str()) };
+    cJSON* json_update { cJSON_Parse(update_sql.c_str()) } ;
+    cJSON* json_result { nullptr };
+    dbsync_initialize(&log_to_cout);
+    auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, "temp.db", sql.c_str()) };
+
+    if (0 != handle)
+    {
+        if (0 == dbsync_insert_data(handle, json_insert))
+        {
+            do
+            {
+                auto t_start {std::chrono::high_resolution_clock::now()};
+
+                //dbsync_update_with_snapshot_cb(handle, json_update, (void *)&callback);
+                if (0 == dbsync_update_with_snapshot(handle, json_update, &json_result))
+                {
+                    auto t_end {std::chrono::high_resolution_clock::now()};
+                    std::cout << "duration: " << std::chrono::duration_cast<std::chrono::microseconds>(t_end - t_start).count() << std::endl;
+                    char* result_print = cJSON_Print(json_result);
+                    std::cout << result_print << std::endl;
+                    cJSON_free(result_print);
+                    dbsync_free_result(&json_result);
+                }
+                else
+                {
+                    std::cout << "Error updating with snapshot." << std::endl;
+                }
+            }
+            while (getc(stdin) != 'q');
+        }
+
+        dbsync_teardown();
+    }
+
+    cJSON_Delete(json_update);
+    cJSON_Delete(json_insert);
+
+    return 0;
+}
\ No newline at end of file
diff --git a/src/common/dbsync/images/dbsyncTestToolArchDiagram.png b/src/common/dbsync/images/dbsyncTestToolArchDiagram.png
new file mode 100644
index 0000000000..d5c3a8053b
Binary files /dev/null and b/src/common/dbsync/images/dbsyncTestToolArchDiagram.png differ
diff --git a/src/common/dbsync/include/db_exception.h b/src/common/dbsync/include/db_exception.h
new file mode 100644
index 0000000000..1295089cad
--- /dev/null
+++ b/src/common/dbsync/include/db_exception.h
@@ -0,0 +1,101 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBSYNC_EXCEPTION_H
+#define _DBSYNC_EXCEPTION_H
+#include <stdexcept>
+#include <string>
+
+using DBSyncExceptionType = const std::pair<int, std::string>;
+
+DBSyncExceptionType FACTORY_INSTANTATION           { std::make_pair(1, "Unspecified type during factory instantiation")         };
+DBSyncExceptionType INVALID_HANDLE                 { std::make_pair(2, "Invalid handle value.")                                 };
+DBSyncExceptionType INVALID_TRANSACTION            { std::make_pair(3, "Invalid transaction value.")                            };
+DBSyncExceptionType SQLITE_CONNECTION_ERROR        { std::make_pair(4, "No connection available for executions.")               };
+DBSyncExceptionType EMPTY_DATABASE_PATH            { std::make_pair(5, "Empty database store path.")                            };
+DBSyncExceptionType EMPTY_TABLE_METADATA           { std::make_pair(6, "Empty table metadata.")                                 };
+DBSyncExceptionType INVALID_PARAMETERS             { std::make_pair(7, "Invalid parameters.")                                   };
+DBSyncExceptionType DATATYPE_NOT_IMPLEMENTED       { std::make_pair(8, "Datatype not implemented.")                             };
+DBSyncExceptionType SQL_STMT_ERROR                 { std::make_pair(9, "Invalid SQL statement.")                                };
+DBSyncExceptionType INVALID_PK_DATA                { std::make_pair(10, "Primary key not found.")                               };
+DBSyncExceptionType INVALID_COLUMN_TYPE            { std::make_pair(11, "Invalid column field type.")                           };
+DBSyncExceptionType INVALID_DATA_BIND              { std::make_pair(12, "Invalid data to bind.")                                };
+DBSyncExceptionType INVALID_TABLE                  { std::make_pair(13, "Invalid table.")                                       };
+DBSyncExceptionType INVALID_DELETE_INFO            { std::make_pair(14, "Invalid information provided for deletion.")           };
+DBSyncExceptionType BIND_FIELDS_DOES_NOT_MATCH     { std::make_pair(15, "Invalid information provided for statement creation.") };
+DBSyncExceptionType STEP_ERROR_CREATE_STMT         { std::make_pair(16, "Error creating table.")                                };
+DBSyncExceptionType STEP_ERROR_ADD_STATUS_FIELD    { std::make_pair(17, "Error adding status field.")                           };
+DBSyncExceptionType STEP_ERROR_UPDATE_STATUS_FIELD { std::make_pair(18, "Error updating status field.")                         };
+DBSyncExceptionType STEP_ERROR_DELETE_STATUS_FIELD { std::make_pair(19, "Error deleting status field.")                         };
+DBSyncExceptionType DELETE_OLD_DB_ERROR            { std::make_pair(20, "Error deleting old db.")                               };
+DBSyncExceptionType MIN_ROW_LIMIT_BELOW_ZERO       { std::make_pair(21, "Invalid row limit, values below 0 not allowed.")       };
+DBSyncExceptionType ERROR_COUNT_MAX_ROWS           { std::make_pair(22, "Count is less than 0.")                                };
+DBSyncExceptionType STEP_ERROR_UPDATE_STMT         { std::make_pair(23, "Error upgrading DB.")                                  };
+
+namespace DbSync
+{
+    /**
+     *   This class should be used by concrete types to report errors.
+    */
+    class dbsync_error : public std::exception
+    {
+        public:
+            __attribute__((__returns_nonnull__))
+            const char* what() const noexcept override
+            {
+                return m_error.what();
+            }
+
+            int id() const noexcept
+            {
+                return m_id;
+            }
+
+            dbsync_error(const int id,
+                         const std::string& whatArg)
+                : m_id{ id }
+                , m_error{ whatArg }
+            {}
+
+            explicit dbsync_error(const std::pair<int, std::string>& exceptionInfo)
+                : m_id{ exceptionInfo.first }
+                , m_error{ exceptionInfo.second }
+            {}
+
+        private:
+            /// an exception object as storage for error messages
+            const int m_id;
+            std::runtime_error m_error;
+    };
+
+    /**
+     *   This class should be used by concrete types to report errors.
+    */
+    class max_rows_error : public std::exception
+    {
+        public:
+            __attribute__((__returns_nonnull__))
+            const char* what() const noexcept override
+            {
+                return m_error.what();
+            }
+
+            explicit max_rows_error(const std::string& whatArg)
+                : m_error{ whatArg }
+            {}
+
+        private:
+            /// an exception object as storage for error messages
+            std::runtime_error m_error;
+    };
+}
+
+#endif // _DBSYNC_EXCEPTION_H
diff --git a/src/common/dbsync/include/dbsync.h b/src/common/dbsync/include/dbsync.h
new file mode 100644
index 0000000000..6c9a093f1a
--- /dev/null
+++ b/src/common/dbsync/include/dbsync.h
@@ -0,0 +1,265 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBSYNC_H_
+#define _DBSYNC_H_
+
+// Define EXPORTED for any platform
+#ifndef EXPORTED
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+#endif
+
+#include "commonDefs.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief Initializes the shared library.
+ *
+ * @param log_function pointer to log function to be used by the dbsync.
+ */
+EXPORTED void dbsync_initialize(log_fnc_t log_function);
+
+/**
+ * @brief Creates a new DBSync instance (wrapper)
+ *
+ * @param host_type          Dynamic library host type to be used.
+ * @param db_type            Database type to be used (currently only supported SQLITE3)
+ * @param path               Path where the local database will be created.
+ * @param sql_statement      SQL sentence to create tables in a SQL engine.
+ *
+ * @note db_management will be DbManagement::VOLATILE as default and upgrade_statements will be NULL.
+ *
+ * @return Handle instance to be used for common sql operations (cannot be used by more than 1 thread).
+ */
+EXPORTED DBSYNC_HANDLE dbsync_create(const HostType      host_type,
+                                     const DbEngineType  db_type,
+                                     const char*         path,
+                                     const char*         sql_statement);
+
+/**
+ * @brief Creates a new DBSync instance (wrapper)
+ *
+ * @param host_type          Dynamic library host type to be used.
+ * @param db_type            Database type to be used (currently only supported SQLITE3)
+ * @param path               Path where the local database will be created.
+ * @param sql_statement      SQL sentence to create tables in a SQL engine.
+ * @param upgrade_statements SQL sentences to upgrade tables in a SQL engine.
+ *
+ * @note db_management will be DbManagement::PERSISTENT as default.
+ *
+ * @return Handle instance to be used for common sql operations (cannot be used by more than 1 thread).
+ */
+EXPORTED DBSYNC_HANDLE dbsync_create_persistent(const HostType      host_type,
+                                                const DbEngineType  db_type,
+                                                const char*         path,
+                                                const char*         sql_statement,
+                                                const char**        upgrade_statements);
+
+/**
+ * @brief Turns off the services provided by the shared library.
+ */
+EXPORTED void dbsync_teardown(void);
+
+/**
+ * @brief Creates a database transaction based on the supplied information.
+ *
+ * @param handle         Handle obtained from the \ref dbsync_create method call.
+ * @param tables         Tables to be created in the transaction.
+ * @param thread_number  Number of worker threads for processing data. If 0 hardware concurrency
+ *                       value will be used.
+ * @param max_queue_size Max data number to hold/queue to be processed.
+ * @param callback_data  This struct contain the result callback will be called for each result
+ *                       and user data space returned in each callback call.
+ *
+ * @return Handle instance to be used in transacted operations.
+ */
+EXPORTED TXN_HANDLE dbsync_create_txn(const DBSYNC_HANDLE handle,
+                                      const cJSON*        tables,
+                                      const unsigned int  thread_number,
+                                      const unsigned int  max_queue_size,
+                                      callback_data_t     callback_data);
+
+/**
+ * @brief Closes the \p txn database transaction.
+ *
+ * @param txn     Database transaction to be closed.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_close_txn(const TXN_HANDLE txn);
+
+/**
+ * @brief Synchronizes the \p js_input data using the \p txn current
+ *  database transaction.
+ *
+ * @param txn      Database transaction to be used for \ref js_input data sync.
+ * @param js_input JSON information to be synchronized.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_sync_txn_row(const TXN_HANDLE txn,
+                                 const cJSON*     js_input);
+
+/**
+ * @brief Generates triggers that execute actions to maintain consistency between tables.
+ *
+ * @param handle        Handle assigned as part of the \ref dbsync_create method.
+ * @param js_input      JSON information with tables relationship.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_add_table_relationship(const DBSYNC_HANDLE handle,
+                                           const cJSON*        js_input);
+
+/**
+ * @brief Insert the \p js_insert data in the database.
+ *
+ * @param handle    Handle assigned as part of the \ref dbsync_create method().
+ * @param js_insert JSON information with values to be inserted.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_insert_data(const DBSYNC_HANDLE handle,
+                                const cJSON*        js_insert);
+
+/**
+ * @brief Sets the max rows in the \p table table.
+ *
+ * @param handle   Handle assigned as part of the \ref dbsync_create method().
+ * @param table    Table name to apply the max rows configuration.
+ * @param max_rows Max rows number to be applied in the table \p table table.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_set_table_max_rows(const DBSYNC_HANDLE handle,
+                                       const char*         table,
+                                       const long long     max_rows);
+
+/**
+ * @brief Inserts (or modifies) a database record.
+ *
+ * @param handle         Handle instance assigned as part of the \ref dbsync_create method().
+ * @param input          JSON information used to add/modified a database record.
+ * @param callback_data  This struct contains the result callback that will be called for each result
+ *                       and user data space returned in each callback call.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_sync_row(const DBSYNC_HANDLE handle,
+                             const cJSON*        js_input,
+                             callback_data_t     callback_data);
+
+/**
+ * @brief Select data, based in \p json_data_input data, from the database table.
+ *
+ * @param handle          Handle assigned as part of the \ref dbsync_create method().
+ * @param js_data_input   JSON with table name, fields, filters and options to apply in the query.
+ * @param callback_data   This struct contain the result callback will be called for each result
+ *                        and user data space returned in each callback call.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_select_rows(const DBSYNC_HANDLE handle,
+                                const cJSON*        js_data_input,
+                                callback_data_t     callback_data);
+
+/**
+ * @brief Deletes a database table record and its relationships based on \p js_key_values value.
+ *
+ * @param handle        Handle instance assigned as part of the \ref dbsync_create method().
+ * @param js_key_values JSON information to be applied/deleted in the database.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_delete_rows(const DBSYNC_HANDLE handle,
+                                const cJSON*        js_key_values);
+
+/**
+ * @brief Gets the deleted rows (diff) from the database.
+ *
+ * @param txn             Database transaction to be used.
+ * @param callback_data   This struct contain the result callback will be called for each result
+ *                        and user data space returned in each callback call.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_get_deleted_rows(const TXN_HANDLE  txn,
+                                     callback_data_t   callback_data);
+
+/**
+ * @brief Updates data table with \p js_snapshot information. \p js_result value will
+ *  hold/contain the results of this operation (rows insertion, modification and/or deletion).
+ *
+ * @param handle      Handle instance assigned as part of the \ref dbsync_create method().
+ * @param js_snapshot JSON information with snapshot values.
+ * @param js_result   JSON with deletes, creations and modifications (diffs) in rows.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ *
+ * @details The \p js_result resulting data should be freed using the \ref dbsync_free_result function.
+ */
+EXPORTED int dbsync_update_with_snapshot(const DBSYNC_HANDLE handle,
+                                         const cJSON*        js_snapshot,
+                                         cJSON**             js_result);
+
+/**
+ * @brief Update data table, based on json_raw_snapshot bulk data based on json string.
+ *
+ * @param handle          Handle assigned as part of the \ref dbsync_create method().
+ * @param js_snapshot     JSON with snapshot values.
+ * @param callback_data   This struct contain the result callback will be called for each result
+ *                        and user data space returned in each callback call.
+ *
+ * @return 0 if succeeded,
+ *         specific error code (OS dependent) otherwise.
+ */
+EXPORTED int dbsync_update_with_snapshot_cb(const DBSYNC_HANDLE handle,
+                                            const cJSON*        js_snapshot,
+                                            callback_data_t     callback_data);
+
+/**
+ * @brief Deallocate cJSON result data.
+ *
+ * @param js_data JSON information be be deallocated.
+ *
+ * @details This function should only be used to free result objects obtained
+ *  from the interface.
+ */
+EXPORTED void dbsync_free_result(cJSON** js_data);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // _DBSYNC_H_
diff --git a/src/common/dbsync/include/dbsync.hpp b/src/common/dbsync/include/dbsync.hpp
index e69de29bb2..be4c493989 100644
--- a/src/common/dbsync/include/dbsync.hpp
+++ b/src/common/dbsync/include/dbsync.hpp
@@ -0,0 +1,403 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 13, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBSYNC_HPP_
+#define _DBSYNC_HPP_
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+#include <functional>
+#include "json.hpp"
+#include "db_exception.h"
+#include "commonDefs.h"
+#include "builder.hpp"
+
+using ResultCallbackData = const std::function<void(ReturnTypeCallback, const nlohmann::json&) >;
+
+class EXPORTED DBSync
+{
+    public:
+        /**
+        * @brief Initializes the shared library.
+        *
+        * @param logFunction pointer to log function to be used by the dbsync.
+        */
+        static void initialize(std::function<void(const std::string&)> logFunction);
+
+        /**
+         * @brief Explicit DBSync Constructor.
+         *
+         * @param hostType          Dynamic library host type to be used.
+         * @param dbType            Database type to be used (currently only supported SQLITE3)
+         * @param path              Path where the local database will be created.
+         * @param sqlStatement      SQL sentence to create tables in a SQL engine.
+         * @param dbManagement      Database management type to be used at startup.
+         * @param upgradeStatements SQL sentences to be executed when upgrading the database.
+         *
+         */
+        explicit DBSync(const HostType                  hostType,
+                        const DbEngineType              dbType,
+                        const std::string&              path,
+                        const std::string&              sqlStatement,
+                        const DbManagement              dbManagement = DbManagement::VOLATILE,
+                        const std::vector<std::string>& upgradeStatements = {});
+
+        /**
+         * @brief DBSync Constructor.
+         *
+         * @param handle     handle to point another dbsync instance.
+         *
+         */
+        DBSync(const DBSYNC_HANDLE handle);
+        // LCOV_EXCL_START
+        virtual ~DBSync();
+        // LCOV_EXCL_STOP
+
+        /**
+         * @brief Generates triggers that execute actions to maintain consistency between tables.
+         *
+         * @param jsInput      JSON information with tables relationship.
+         *
+         */
+        virtual void addTableRelationship(const nlohmann::json& jsInput);
+
+        /**
+         * @brief Insert the \p jsInsert data in the database.
+         *
+         * @param jsInsert JSON information with values to be inserted.
+         *
+         */
+        virtual void insertData(const nlohmann::json& jsInsert);
+
+        /**
+         * @brief Sets the max rows in the \p table table.
+         *
+         * @param table    Table name to apply the max rows configuration.
+         * @param maxRows  Max rows number to be applied in the table \p table table.
+         *
+         *
+         * @details The table will work as a queue if the limit is exceeded.
+         */
+        virtual void setTableMaxRow(const std::string& table,
+                                    const long long    maxRows);
+
+        /**
+         * @brief Inserts (or modifies) a database record.
+         *
+         * @param jsInput        JSON information used to add/modified a database record.
+         * @param callbackData   Result callback(std::function) will be called for each result.
+         *
+         */
+        virtual void syncRow(const nlohmann::json& jsInput,
+                             ResultCallbackData    callbackData);
+
+        /**
+         * @brief Select data, based in \p jsInput data, from the database table.
+         *
+         * @param jsInput         JSON with table name, fields and filters to apply in the query.
+         * @param callbackData    Result callback(std::function) will be called for each result.
+         *
+         */
+        virtual void selectRows(const nlohmann::json& jsInput,
+                                ResultCallbackData    callbackData);
+
+        /**
+         * @brief Deletes a database table record and its relationships based on \p jsInput value.
+         *
+         * @param jsInput JSON information to be applied/deleted in the database.
+         *
+         */
+        virtual void deleteRows(const nlohmann::json& jsInput);
+
+        /**
+         * @brief Updates data table with \p jsInput information. \p jsResult value will
+         *  hold/contain the results of this operation (rows insertion, modification and/or deletion).
+         *
+         * @param jsInput    JSON information with snapshot values.
+         * @param jsResult   JSON with deletes, creations and modifications (diffs) in rows.
+         *
+         */
+        virtual void updateWithSnapshot(const nlohmann::json& jsInput,
+                                        nlohmann::json&       jsResult);
+
+        /**
+         * @brief Update data table, based on json_raw_snapshot bulk data based on json string.
+         *
+         * @param jsInput       JSON with snapshot values.
+         * @param callbackData  Result callback(std::function) will be called for each result.
+         *
+         */
+        virtual void updateWithSnapshot(const nlohmann::json& jsInput,
+                                        ResultCallbackData    callbackData);
+
+        /**
+         * @brief Turns off the services provided by the shared library.
+         */
+        static void teardown();
+
+        /**
+         * @brief Get current dbsync handle in the instance.
+         *
+         * @return DBSYNC_HANDLE to be used in all internal calls.
+         */
+        DBSYNC_HANDLE handle()
+        {
+            return m_dbsyncHandle;
+        }
+    private:
+        DBSYNC_HANDLE m_dbsyncHandle;
+        bool m_shouldBeRemoved;
+};
+
+class EXPORTED DBSyncTxn
+{
+    public:
+        /**
+         * @brief DBSync Transaction constructor
+         *
+         * @param handle         Handle obtained from the \ref DBSync instance.
+         * @param tables         Tables to be created in the transaction.
+         * @param threadNumber   Number of worker threads for processing data. If 0 hardware concurrency
+         *                       value will be used.
+         * @param maxQueueSize   Max data number to hold/queue to be processed.
+         * @param callbackData   Result callback(std::function) will be called for each result.
+         *
+         * @details If the max queue size is reached then this will be processed synchronously.
+         */
+        explicit DBSyncTxn(const DBSYNC_HANDLE   handle,
+                           const nlohmann::json& tables,
+                           const unsigned int    threadNumber,
+                           const unsigned int    maxQueueSize,
+                           ResultCallbackData    callbackData);
+        /**
+         * @brief DBSync transaction Constructor.
+         *
+         * @param handle     handle to point another dbsync transaction instance.
+         *
+         */
+        DBSyncTxn(const TXN_HANDLE handle);
+
+        /**
+         * @brief Destructor closes the database transaction.
+         *
+         */
+        // LCOV_EXCL_START
+        virtual ~DBSyncTxn();
+        // LCOV_EXCL_STOP
+
+        /**
+         * @brief Synchronizes the \p jsInput data.
+         *
+         * @param jsInput JSON information to be synchronized.
+         *
+         */
+        virtual void syncTxnRow(const nlohmann::json& jsInput);
+
+        /**
+         * @brief Gets the deleted rows (diff) from the database.
+         *
+         * @param callbackData    Result callback(std::function) will be called for each result.
+         *
+         */
+        virtual void getDeletedRows(ResultCallbackData callbackData);
+
+        /**
+         * @brief Get current dbsync transaction handle in the instance.
+         *
+         * @return TXN_HANDLE to be used in all internal calls.
+         */
+        TXN_HANDLE handle()
+        {
+            return m_txn;
+        }
+
+    private:
+        TXN_HANDLE m_txn;
+        bool m_shouldBeRemoved;
+};
+
+template <typename T>
+class EXPORTED Query : public Utils::Builder<T>
+{
+    protected:
+        nlohmann::json m_jsQuery;
+    public:
+        Query() = default;
+        // LCOV_EXCL_START
+        virtual ~Query() = default;
+        // LCOV_EXCL_STOP
+        nlohmann::json& query()
+        {
+            return m_jsQuery;
+        }
+
+        /**
+         * @brief Set table name.
+         *
+         * @param table Table name to be queried.
+         *
+         */
+        T& table(const std::string& table)
+        {
+            m_jsQuery["table"] = table;
+            return static_cast<T&>(*this); // Return reference to self
+        }
+
+};
+
+class EXPORTED SelectQuery final : public Query<SelectQuery>
+{
+    public:
+        SelectQuery() = default;
+        // LCOV_EXCL_START
+        virtual ~SelectQuery() = default;
+        // LCOV_EXCL_STOP
+
+        /**
+         * @brief Set fields to be queried.
+         *
+         * @param fields Fields to be queried.
+         *
+         */
+        SelectQuery& columnList(const std::vector<std::string>& fields);
+
+        /**
+        * @brief Set filter to be applied in the query.
+        *
+        * @param filter Filter to be applied in the query.
+        *
+        */
+        SelectQuery& rowFilter(const std::string& filter);
+
+        /**
+         * @brief Set distinct flag to be applied in the query.
+         *
+         * @param distinct Distinct flag.
+         *
+         */
+        SelectQuery& distinctOpt(const bool distinct);
+
+        /**
+         * @brief Set order by field to be applied in the query.
+         *
+         * @param orderBy Order by field.
+         *
+         */
+        SelectQuery& orderByOpt(const std::string& orderBy);
+
+        /**
+         * @brief Set count/limit to be applied in the query.
+         *
+         * @param count Count/limit flag.
+         *
+         */
+        SelectQuery& countOpt(const uint32_t count);
+
+};
+
+class EXPORTED DeleteQuery final : public Query<DeleteQuery>
+{
+    public:
+        DeleteQuery() = default;
+        // LCOV_EXCL_START
+        virtual ~DeleteQuery() = default;
+        // LCOV_EXCL_STOP
+        /**
+         * @brief Set data to be deleted.
+         *
+         * @param filter Filter to be applied in the query.
+         *
+         */
+        DeleteQuery& data(const nlohmann::json& data);
+
+        /**
+         * @brief Set filter to be applied in the query.
+         *
+         * @param filter Filter to be applied in the query.
+         *
+         */
+        DeleteQuery& rowFilter(const std::string& filter);
+
+        /**
+         * @brief Reset all data to be deleted.
+         *
+         */
+        DeleteQuery& reset();
+};
+
+class EXPORTED InsertQuery final : public Query<InsertQuery>
+{
+    public:
+        InsertQuery() = default;
+        // LCOV_EXCL_START
+        virtual ~InsertQuery() = default;
+        // LCOV_EXCL_STOP
+
+        /**
+         * @brief Set data to be inserted.
+         *
+         * @param data Data to be inserted.
+         */
+        InsertQuery& data(const nlohmann::json& data);
+
+        /**
+         * @brief Reset all data to be inserted.
+         *
+         */
+        InsertQuery& reset();
+};
+
+class EXPORTED SyncRowQuery final : public Query<SyncRowQuery>
+{
+    public:
+        SyncRowQuery() = default;
+        // LCOV_EXCL_START
+        virtual ~SyncRowQuery() = default;
+        // LCOV_EXCL_STOP
+
+        /**
+         * @brief Set data to be updated.
+         *
+         * @param data Data to be updated.
+         */
+        SyncRowQuery& data(const nlohmann::json& data);
+
+        /**
+         * @brief Set column to be ignored when comparing row values.
+         *
+         * @param column Name of the column to be ignored.
+         */
+        SyncRowQuery& ignoreColumn(const std::string& column);
+
+        /**
+         * @brief Make this query return the old data as well.
+         */
+        SyncRowQuery& returnOldData();
+
+        /**
+         * @brief Reset all data to be inserted.
+         *
+         */
+        SyncRowQuery& reset();
+};
+
+#endif // _DBSYNC_HPP_
diff --git a/src/common/dbsync/integrationTests/CMakeLists.txt b/src/common/dbsync/integrationTests/CMakeLists.txt
new file mode 100644
index 0000000000..a9dfc84ad8
--- /dev/null
+++ b/src/common/dbsync/integrationTests/CMakeLists.txt
@@ -0,0 +1,17 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(integration_tests)
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googletest/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googlemock/include/)
+
+link_directories(${SRC_FOLDER}/external/googletest/lib/)
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -fprofile-arcs ")
+else()
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -lgcov ")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_subdirectory(fim)
diff --git a/src/common/dbsync/integrationTests/Readme.md b/src/common/dbsync/integrationTests/Readme.md
new file mode 100644
index 0000000000..f3fe812d3d
--- /dev/null
+++ b/src/common/dbsync/integrationTests/Readme.md
@@ -0,0 +1,30 @@
+# Integration Tests
+## Index
+1. [Compile Wazuh](#compile-wazuh)
+2. [Compile and run unit tests for Linux targets](#compile-and-run-unit-tests-for-linux-targets)
+
+## Compile Wazuh
+In order to run unit tests on a specific wazuh target, the project needs to be built with the `DEBUG` and `TEST` options as shown below:
+```
+make deps RESOURCES_URL=file:///path/to/deps/
+make TARGET=server|agent DEBUG=1 TEST=1
+```
+
+## Compile and run unit tests for Linux targets
+In order to run unit tests for dbsync, these need to be built using [CMake](#installing\ cmake) version 3.12 or higher.
+
+Navigate into `wazuh/src/dbsync/` and run the following commands:
+```
+mkdir build
+cd build
+cmake -DEXTERNAL_LIB=~/path/to/wazuh/src/external/ -DCMAKE_BUILD_TYPE=Debug -DUNIT_TEST=ON ..
+cmake --build .
+```
+
+### Running a specific test
+In case you need to run a specific test, navigate into the subdirectory where the test resides and run it as you would any other Linux binary. As an example, if you want to run tests on `string_helper.cpp`
+```
+cd bin
+./string_helper_unit_test
+```
+The output of the test will be written directly into the console.
diff --git a/src/common/dbsync/integrationTests/fim/CMakeLists.txt b/src/common/dbsync/integrationTests/fim/CMakeLists.txt
new file mode 100644
index 0000000000..6dc5e99630
--- /dev/null
+++ b/src/common/dbsync/integrationTests/fim/CMakeLists.txt
@@ -0,0 +1,53 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fim_integration_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+file(GLOB INTERFACE_UNITTEST_SRC
+    "*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+add_executable(fim_integration_test 
+    ${INTERFACE_UNITTEST_SRC} 
+    ${DBSYNC_IMP_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fim_integration_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        cjson
+        sqlite3
+        pthread
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(fim_integration_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        cjson
+        sqlite3
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+add_test(NAME fim_integration_test
+         COMMAND fim_integration_test)
\ No newline at end of file
diff --git a/src/common/dbsync/integrationTests/fim/fimDbDump.h b/src/common/dbsync/integrationTests/fim/fimDbDump.h
new file mode 100644
index 0000000000..f8db70ff52
--- /dev/null
+++ b/src/common/dbsync/integrationTests/fim/fimDbDump.h
@@ -0,0 +1,3827 @@
+#ifndef _FIM_DB_DUMP_H
+#define _FIM_DB_DUMP_H
+constexpr auto FIM_SQL_DB_DUMP
+{
+    R"(
+	PRAGMA foreign_keys=OFF;
+	BEGIN TRANSACTION;
+	CREATE TABLE entry_path (    path TEXT NOT NULL,    inode_id INTEGER,    mode INTEGER,    last_event INTEGER,    entry_type INTEGER,    scanned INTEGER,    options INTEGER,    checksum TEXT NOT NULL,    PRIMARY KEY(path));
+	INSERT INTO entry_path VALUES('/boot/grub2/fonts/unicode.pf2',1,0,1596489273,0,1,131583,'96482cde495f716fcd66a71a601fbb905c13b426');
+	INSERT INTO entry_path VALUES('/boot/grub2/grubenv',2,0,1596489273,0,1,131583,'e041159610c7ec18490345af13f7f49371b56893');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/datehook.mod',3,0,1596489273,0,1,131583,'f83bc87319566e270fcece2fae4910bc18fe7355');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_whirlpool.mod',4,0,1596489273,0,1,131583,'d59ffd58d107b9398ff5a809097f056b903b3c3e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gzio.mod',5,0,1596489273,0,1,131583,'e4a541bdcf17cb5435064881a1616befdc71f871');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/jpeg.mod',6,0,1596489273,0,1,131583,'caf5c83327a87e0761207bff87a5e9502015bea4');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/multiboot2.mod',7,0,1596489273,0,1,131583,'b592335e7c7fc09ac15a988e8abd5fed505cb0f4');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_idea.mod',8,0,1596489273,0,1,131583,'4e3c0581110a01fc8ac4f7e8fb0cb4a52f41a4dd');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/legacy_password_test.mod',9,0,1596489273,0,1,131583,'ae7b2b96051b6ffb120b59665e1d7009f1956b76');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lvm.mod',10,0,1596489273,0,1,131583,'ee9cd89cc6bb462e3150983dd630e3641654b1ba');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mul_test.mod',11,0,1596489273,0,1,131583,'c4c835fbaee6323b3a0f3c4de4dfb2497ef19cb8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/terminfo.mod',12,0,1596489273,0,1,131583,'8386797dfdb49d2d0d25a4941d935153530f24d2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/probe.mod',13,0,1596489273,0,1,131583,'fad91edcaacc3eaffc67cb5fee89f43a7f6a53ae');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/relocator.mod',14,0,1596489273,0,1,131583,'b973ea0095e7245dd2d7969eb4b3f74b36c0b74d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/font.mod',15,0,1596489273,0,1,131583,'82a8bb0bee51108575866e41cd61bd40208100d7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/functional_test.mod',16,0,1596489273,0,1,131583,'6d5afa152f30f49ef2802ecdb1591cebd369c009');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pata.mod',17,0,1596489273,0,1,131583,'738d8f88d414d3967937a8b4e07f1a3c0ebd3882');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/sleep_test.mod',18,0,1596489273,0,1,131583,'8a21e0101c204ea315e629b782b712aef9422be9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/backtrace.mod',19,0,1596489273,0,1,131583,'1e3204cae86fffaf576692353a1dffb1eba9d02f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbserial_usbdebug.mod',20,0,1596489273,0,1,131583,'53ce744eb7e7a5cc01649ddd29c2049ddef8df33');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/http.mod',21,0,1596489273,0,1,131583,'693db1124d21cc328d0cdaab3fe4fee29cca1b4e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bsd.mod',22,0,1596489273,0,1,131583,'005a6665eacff22c9d926dc36f75b41e0125ef00');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mmap.mod',23,0,1596489273,0,1,131583,'957330abc995ee1d24d1cd4b10f10b5741deb73c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbserial_common.mod',24,0,1596489273,0,1,131583,'542de28038b392e2c97654febdb58b983c3818e3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbserial_ftdi.mod',25,0,1596489273,0,1,131583,'bd5b6aeded4d8895126c5f2180db781c2d2bbca5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/vga.mod',26,0,1596489273,0,1,131583,'5b4de5b1613e923bd3bde7a2a5413f868e0333d6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/jfs.mod',27,0,1596489273,0,1,131583,'dd99e101d97d5cdee746c902bde351647b816bb2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/net.mod',28,0,1596489273,0,1,131583,'7145fa0708fcaf601e491c531aa780a3a5e84e78');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/extcmd.mod',29,0,1596489273,0,1,131583,'91c572b94085c9eae1cd0cefcc18e883877757fe');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_seed.mod',30,0,1596489273,0,1,131583,'a433478b72b079e5c42a796697f3ec76ea12105a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/zfscrypt.mod',31,0,1596489273,0,1,131583,'4cb261b18c3606707986aec7a94a0c5a3e05b65c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/keylayouts.mod',32,0,1596489273,0,1,131583,'27a3708c6e1a0ba1c2520739d4b9b31e5dc8b0bd');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/romfs.mod',33,0,1596489273,0,1,131583,'23ee9f8c5b780cb3f0a0f87101ba00fc564436f9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/iso9660.mod',34,0,1596489273,0,1,131583,'e9f7fdb21fb0734dbddc5f56571e04c146464231');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/reiserfs.mod',35,0,1596489273,0,1,131583,'2d8a6335524d3ff25d952ded722c2090248df39c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minicmd.mod',36,0,1596489273,0,1,131583,'0f24876fcaf7f3c210217edec0463000fb251ad5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gptsync.mod',37,0,1596489273,0,1,131583,'2cf2fd19faafaff0f1d6b011ebddffa7da1246d0');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_des.mod',38,0,1596489273,0,1,131583,'180ede02c97fa7bd594853e7a47bd6a7f4b85322');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/memdisk.mod',39,0,1596489273,0,1,131583,'5d1725d27cf0b5f4a5464529884b4a89d436efe3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/acpi.mod',40,0,1596489273,0,1,131583,'2e6e1fb0658245de7341cd91e164cb37daef44a4');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usb.mod',41,0,1596489273,0,1,131583,'688ebe8289e149a2c13a57adfd115039fcdbe08c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_arcfour.mod',42,0,1596489273,0,1,131583,'a224115a9d0d8c4321f120fb9b13b823e20c4349');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/testspeed.mod',43,0,1596489273,0,1,131583,'b52ef149695fc1042bda198ae80b57d6b0d47dbf');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/strtoull_test.mod',44,0,1596489273,0,1,131583,'7568b390feedb171415973353a722e9aa82c1002');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/setjmp.mod',45,0,1596489273,0,1,131583,'e5fbe5dfab0449e83ee38d844e6ccb2eb1c097bb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mpi.mod',46,0,1596489273,0,1,131583,'61f169f7b842cdd7fb048245d70f708678228988');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/biosdisk.mod',47,0,1596489273,0,1,131583,'41b7e58efdb06cd6cb3011f90aadbfea50d78abe');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hfsplus.mod',48,0,1596489273,0,1,131583,'0545958701517fe38f1ce28a20fd59ab55755080');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/terminal.lst',49,0,1596489273,0,1,131583,'945936268236e796e558b9af4c273a80d46b2d26');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/drivemap.mod',50,0,1596489273,0,1,131583,'247997993df93d60d975ec215dcfdca2cb6873c8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video.mod',51,0,1596489273,0,1,131583,'a3462e35afce79d049a84ad4b44275c07d4de50a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_msdos.mod',52,0,1596489273,0,1,131583,'ef515ad99cf8d7b8dbd10348a5da0ba81ffb2811');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/squash4.mod',53,0,1596489273,0,1,131583,'cc8c03f4a2d75bf08649fd9a1563236e9cc8de99');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/at_keyboard.mod',54,0,1596489273,0,1,131583,'07bddf2677b8746bda77bc8166d748fe06c20fbe');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/tftp.mod',55,0,1596489273,0,1,131583,'bd90ff1d5d244213863ad3f819e691b0563652c6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hexdump.mod',56,0,1596489273,0,1,131583,'88679104300dc4dcacbd40ec1b25ac7ecb5196c5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_cast5.mod',57,0,1596489273,0,1,131583,'e9dbadf17078d397dd33b7c551e58fafda77d08a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lspci.mod',58,0,1596489273,0,1,131583,'7050814854b1f4cf202b9121dd8a3997d79d7819');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bufio.mod',59,0,1596489273,0,1,131583,'937b98952853bc3a779c73da95809389c57fdf97');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/eval.mod',60,0,1596489273,0,1,131583,'2040a63a286eeb8bb2c9f5140db8f590d1fff330');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cbfs.mod',61,0,1596489273,0,1,131583,'6c687ec49a56b0c593896836ec8b4d74843b2086');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/odc.mod',62,0,1596489273,0,1,131583,'743792479f36a7c6fab468f757504efb76dde481');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pxe.mod',63,0,1596489273,0,1,131583,'e6a546635989ebdff4b0a8f5b1d980d5fa8d1f0f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/blocklist.mod',64,0,1596489273,0,1,131583,'7fe7b37bb76c46561955de6ee4b70698e40be79b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/vga_text.mod',65,0,1596489273,0,1,131583,'fc077c13f3183ce43f102a131f33d33adb48e623');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/xzio.mod',66,0,1596489273,0,1,131583,'85cd95e89bcb27260beb23b9333c0f23952ab39a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video_fb.mod',67,0,1596489273,0,1,131583,'2b530d799a3c2b1f11b0d5df0cb8ade84e7e19a7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbtest.mod',68,0,1596489273,0,1,131583,'159645aacb69ae81268c16d11a8425e6e8196fe2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/sleep.mod',69,0,1596489273,0,1,131583,'685b83e2c90b8fa58660ec591c470c3bd6d57b3c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video_bochs.mod',70,0,1596489273,0,1,131583,'25cf9406ca1e486e32b5badf22dac8e46e719d72');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mdraid09.mod',71,0,1596489273,0,1,131583,'54ca18e9342eb89d4f3eaf60496866f71ac88743');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/crypto.lst',72,0,1596489273,0,1,131583,'5ce96305f526ef9e1b5c9d550e7311256edf7bd5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cpuid.mod',73,0,1596489273,0,1,131583,'bcb7f7ca500c2e86144c855c2d0ffac45577ff80');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/parttool.mod',74,0,1596489273,0,1,131583,'80492ca687cedd01c89e904687d3f408cd800c20');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/geli.mod',75,0,1596489273,0,1,131583,'66859dd970db0a02c489f69a7b9b53efc70dba8c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pbkdf2.mod',76,0,1596489273,0,1,131583,'991e2463ac1af82987368c48e531b9df97407787');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/raid5rec.mod',77,0,1596489273,0,1,131583,'819834596c1bec8936a26c9efb81cb6cefe68de3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/exfat.mod',78,0,1596489273,0,1,131583,'30e6dfd13917f551071b4b073e51534c3e817e5e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/serial.mod',79,0,1596489273,0,1,131583,'1285a104002ace3cd622b2f2b7c469ce37f1823b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cryptodisk.mod',80,0,1596489273,0,1,131583,'4ae227b407a1cf93411907098bd10f93013b2e95');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/videotest_checksum.mod',81,0,1596489273,0,1,131583,'3b5f086da1ec218d6ce6fc4f880d50f838063ab1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/div.mod',82,0,1596489273,0,1,131583,'376926e469f33f8ce4e8e3d885b69722967607d2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cat.mod',83,0,1596489273,0,1,131583,'6669bd303e0b03c3b00cd5772b74bde1349cfa9e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_amiga.mod',84,0,1596489273,0,1,131583,'9154421c4dc4d848d374b504d7d8ef631b133e3a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_apple.mod',85,0,1596489273,0,1,131583,'89e48d72d450e3bcc6be80e06304f292fc3798d7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_sun.mod',86,0,1596489273,0,1,131583,'3416485dc51424b741d7db8974f19accb4b859d7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/search.mod',87,0,1596489273,0,1,131583,'9f1357cf34cba70baad6121124b82eea01bc4b62');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cbmemc.mod',88,0,1596489273,0,1,131583,'81b205556a1111006420d26f5b3fb7aaee6af7b2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/sendkey.mod',89,0,1596489273,0,1,131583,'3428c330f3260e54157daf779c1ddb49a0ffa93f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/chain.mod',90,0,1596489273,0,1,131583,'6b94ca525f7960faafae111fe8e31d1d1f013dba');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/help.mod',91,0,1596489273,0,1,131583,'823ad1d805d78f64925225c90e24b269e08243f6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lsmmap.mod',92,0,1596489273,0,1,131583,'5a510f12bbd4dff047437353f6383ea16666ad90');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/crypto.mod',93,0,1596489273,0,1,131583,'534beaaa25055fbdc201778d30823a11053f0382');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix2_be.mod',94,0,1596489273,0,1,131583,'644d83019a69db5030afd02475ae4920d663c002');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/testload.mod',95,0,1596489273,0,1,131583,'2508bd9221de3d0afd1f3a2fea885b787e3de995');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ntldr.mod',96,0,1596489273,0,1,131583,'8af2fea087f2a884f570d86e67b8ed3cd852df06');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbms.mod',97,0,1596489273,0,1,131583,'ddca296cee920737209d27f7d860e4b1bd53f9aa');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_camellia.mod',98,0,1596489273,0,1,131583,'ff3a4a27cf9f837060fe333e99a75949f8411cc1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/freedos.mod',99,0,1596489273,0,1,131583,'d86a83cf869ba5d6a6a9e5c726a7a7c76bbd4b6b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/affs.mod',100,0,1596489273,0,1,131583,'4698bca90539a8e02709e45cae309e37c243ebe6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/time.mod',101,0,1596489273,0,1,131583,'2adfd7972634040115bb78785c23b856775f11e2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/password_pbkdf2.mod',102,0,1596489273,0,1,131583,'67e0508f50f8a6f02398486884b0907ce926c28a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/xnu.mod',103,0,1596489273,0,1,131583,'5f3e979a0bb6a25db10ee959aaf17bcb3b486e0c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/elf.mod',104,0,1596489273,0,1,131583,'12d42ebe380d031e661f9e408e4ccc8a2f99ed66');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cmdline_cat_test.mod',105,0,1596489273,0,1,131583,'927fd06b8c023e5ccd976b9da762af3fe06dd6c3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/date.mod',106,0,1596489273,0,1,131583,'a33b05cbcf4d7a586161370e6a332655f33a6bb1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/exfctest.mod',107,0,1596489273,0,1,131583,'13d4aa7e891e9bb4e047ee7c14f978666bae89f9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/msdospart.mod',108,0,1596489273,0,1,131583,'2c37c0d744cbb43efe574f0676e876398974723f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/fs.lst',109,0,1596489273,0,1,131583,'a87140e5b83e950e36d1c4b5f0bd9899606b1f34');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/scsi.mod',110,0,1596489273,0,1,131583,'90a8a77c2311872b3261fd22012ca42bf55a5c5d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ufs1.mod',111,0,1596489273,0,1,131583,'f350da22f899da38bca8063a473f3303efa808f5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/sfs.mod',112,0,1596489273,0,1,131583,'a2c4305a472541f4d3b3d59e883a4e4fa5821a76');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ata.mod',113,0,1596489273,0,1,131583,'ea3139ada78461210f6fdf2d28297982fb55f7df');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/play.mod',114,0,1596489273,0,1,131583,'4df3535b6073da757e1ba36b6baa33c9db8ad295');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/xnu_uuid_test.mod',115,0,1596489273,0,1,131583,'22e30c9aaa02e97a4a4dfb747e14f747d88a2e38');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/zfsinfo.mod',116,0,1596489273,0,1,131583,'895f0ce362a64aece549c8548463385e55fdf8cc');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/tar.mod',117,0,1596489273,0,1,131583,'6bd1e59858330ed0478a90e400403747be04474f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lzopio.mod',118,0,1596489273,0,1,131583,'64e198216feb0ab9b4615452cec86ed356ee3fac');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/core.img',119,0,1596489273,0,1,131583,'d224f6d1ffc8b6fe2eec329bda220b2e5b5ef159');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/png.mod',120,0,1596489273,0,1,131583,'7e09635c9984f96ab5880f2879396cd8f28b1fb0');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_gpt.mod',121,0,1596489273,0,1,131583,'1df3a3b29fffb2e3a2fb101797993d17e50b3f66');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/raid6rec.mod',122,0,1596489273,0,1,131583,'aef0484bc8fb46f77814a507f75e9c1b58f7289a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cbls.mod',123,0,1596489273,0,1,131583,'4ebfa68344b93a04af4e7a5bd2ebf09b36cd5f3b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/afs.mod',124,0,1596489273,0,1,131583,'ee67bb284cb0f8dec661e80f3fb07ec92a8ee852');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mdraid09_be.mod',125,0,1596489273,0,1,131583,'1c0f0db005b38e00f4f77fd49c6d90f9a44d495b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bitmap_scale.mod',126,0,1596489273,0,1,131583,'a9c828fb1625acb55a065a45ecd618220cddcccc');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/shift_test.mod',127,0,1596489273,0,1,131583,'7a16f5235d39808ec93dd05ccebe786a5435cc49');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pbkdf2_test.mod',128,0,1596489273,0,1,131583,'dcfab683311c4f6fbb8c00bbf065fa0927e1df9c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/test.mod',129,0,1596489273,0,1,131583,'5b5422bdd2e1a6ffa57978545f73e3ec78a2ecf1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gfxterm.mod',130,0,1596489273,0,1,131583,'6e27849f7ff4308d364cd61ca92ccf28f9cdb4d7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_tiger.mod',131,0,1596489273,0,1,131583,'44d9e0095fefb705b262f9e61706fbf7f12f2687');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gdb.mod',132,0,1596489273,0,1,131583,'80507a97ba61cbc19165af48507bbec57938ff35');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_blowfish.mod',133,0,1596489273,0,1,131583,'a963e353523866355b90087d7e6e16b378c658d5');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cbtime.mod',134,0,1596489273,0,1,131583,'91cf9cbba0d5e0d312b4496a86eb0f3554a86381');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_rfc2268.mod',135,0,1596489273,0,1,131583,'eca9814f9925ef7e480235200a82d812b92ea654');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_md4.mod',136,0,1596489273,0,1,131583,'7a2bde0f39e0efbc2595ca8289ac61f7539d24f4');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/zfs.mod',137,0,1596489273,0,1,131583,'d2b841007cfae2193ac5c3909cfb769b8a999fb8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ohci.mod',138,0,1596489273,0,1,131583,'e21a0a3d9aaa5f6fb16aee6abeb9ec19013ef7d2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/boot.img',139,0,1596489273,0,1,131583,'168113d412831455443259f1e20f6ed8992c5918');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/xnu_uuid.mod',140,0,1596489273,0,1,131583,'5bd449f11e829c9860e2bbdcf69ec1e2c0d8858b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/true.mod',141,0,1596489273,0,1,131583,'f3a89c31c9b94ae1152ac3b1d49db2fb27b89032');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/spkmodem.mod',142,0,1596489273,0,1,131583,'7e70cb5fe3d325a16b799498951be2338a393f24');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/command.lst',143,0,1596489273,0,1,131583,'83984d5cbccd4c84b27e1aceb1072f1eb27a8a91');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/password.mod',144,0,1596489273,0,1,131583,'d362ebc97c6eab7480065b6688b899d6dafa0cb8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/tga.mod',145,0,1596489273,0,1,131583,'92f653c4accdb5cab8a765e09db8e704bf78cb59');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/trig.mod',146,0,1596489273,0,1,131583,'6b483ca5e2219a903640969540f466d79b077df9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_acorn.mod',147,0,1596489273,0,1,131583,'b7109bba7af39457471a0cbe740bd9cb75422856');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/aout.mod',148,0,1596489273,0,1,131583,'92db8789a6c27f8fff6d6bd7f1913765759befa0');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/xfs.mod',149,0,1596489273,0,1,131583,'334cbfd2d08b936a7a009cb30d21637e99bb1515');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/file.mod',150,0,1596489273,0,1,131583,'6114f4df8414d467e36bbb8b6af7cee14b35f6ca');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gfxterm_background.mod',151,0,1596489273,0,1,131583,'1a55fae4d790f855a2d07ba5be4d01634b62dae6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/nilfs2.mod',152,0,1596489273,0,1,131583,'1af242d623bc003d3e59f84e5603487789122582');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_sha512.mod',153,0,1596489273,0,1,131583,'a60b990479b2287d72b6ac62538a3a0b237ed4d3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cmostest.mod',154,0,1596489273,0,1,131583,'a0ce48a2a8654241bd0528de63a58ed764de5f22');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_rijndael.mod',155,0,1596489273,0,1,131583,'d8c05cc344792f84ff3547e2a6efbf811ef77282');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix3_be.mod',156,0,1596489273,0,1,131583,'2eb15b41d6a56b8f6fd9462d678373cb267c37c3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ls.mod',157,0,1596489273,0,1,131583,'ae677488e6ebce072354468ef9547efbf1d369e7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix2.mod',158,0,1596489273,0,1,131583,'932a7bebcb10073e25db2419d8e160b73c53adee');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gfxterm_menu.mod',159,0,1596489273,0,1,131583,'0131baf7b07bef64dad814dbe43cb8a882bbca49');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_sunpc.mod',160,0,1596489273,0,1,131583,'438ef503ecce87b36c5075a00b4614ee846d0020');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/all_video.mod',161,0,1596489273,0,1,131583,'d45014f8117cd99c6a5cb80f0ab53a04160ca148');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cbtable.mod',162,0,1596489273,0,1,131583,'29c14419ef3da5f97101f0f82795fabbc7a7d49d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/iorw.mod',163,0,1596489273,0,1,131583,'4784056cfe0f968ff85b5785645e48b5418ff4b9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_serpent.mod',164,0,1596489273,0,1,131583,'382e7a80c94a4a2e45aefb4c597e0558f6ce51bc');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/efiemu.mod',165,0,1596489273,0,1,131583,'255219cfaee91b933b06e97e51d641665bb9d75d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ntfscomp.mod',166,0,1596489273,0,1,131583,'0b02586d23eb1a09ce92ca3c18adc8f92c8c9a8a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ext2.mod',167,0,1596489273,0,1,131583,'c07dc5de4ab99df55eb9125a2e44e537e36416fb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hfspluscomp.mod',168,0,1596489273,0,1,131583,'1858c6bc459954754f3fe2099ac399b3c1e92443');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_sha256.mod',169,0,1596489273,0,1,131583,'930147fec7483ec40289d504fee642655f9d334b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/read.mod',170,0,1596489273,0,1,131583,'5feb348591cf66cda7b38ef9276280ff3e9372a1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/truecrypt.mod',171,0,1596489273,0,1,131583,'8d0ceadf51260cb308eb0a8273916bd84e2e6587');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/procfs.mod',172,0,1596489273,0,1,131583,'1891ba9ca4c1fb43cebe677c2f82de9100596031');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_rsa.mod',173,0,1596489273,0,1,131583,'4f8f77b83b0c9240c77b404a775adb77ed0455cf');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/random.mod',174,0,1596489273,0,1,131583,'fbb8267f7c284ee3757e586224a0239558e166bb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/halt.mod',175,0,1596489273,0,1,131583,'b00d7413e231744ec02c332069376bb27e7a1a1b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/videoinfo.mod',176,0,1596489273,0,1,131583,'afe5ed60fd00f0b2a7efa68039fdbf05c9e2da7b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/uhci.mod',177,0,1596489273,0,1,131583,'a3c477ef1abb781a3d70911852c83f2c3d880561');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/macbless.mod',178,0,1596489273,0,1,131583,'fae53d25533518d0bb97c4e27c2a8c4db75946ee');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hello.mod',179,0,1596489273,0,1,131583,'fb30c115a3ec2a9231e5b124831bc306488fdb01');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/diskfilter.mod',180,0,1596489273,0,1,131583,'74b589d51c9eb8142d15eb25248be8c97110740d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video_colors.mod',181,0,1596489273,0,1,131583,'6c50a4e1b3cffaffcff3da71f509a1f00e3dfad9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/div_test.mod',182,0,1596489273,0,1,131583,'dc07bf17c7f6d51c23e1e13d19c7e9be1b55a3ce');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/test_blockarg.mod',183,0,1596489273,0,1,131583,'c8e9f559b3eefbe23bd08aa3af4a1cdff5ddc19c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pci.mod',184,0,1596489273,0,1,131583,'538d6856c21b0f806a1ccd85dea21745c571ee38');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cmosdump.mod',185,0,1596489273,0,1,131583,'b54504245eb8711fa76c8cdee8f8d47f9696f05b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/plan9.mod',186,0,1596489273,0,1,131583,'848ec998483199af5830900d713a2aaf4c7de4ec');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/setjmp_test.mod',187,0,1596489273,0,1,131583,'0fabd8c6ebdd4491affc03ba1bc292c04c4b8bdb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/loopback.mod',188,0,1596489273,0,1,131583,'19e84fd506e2874d49c388e3d79ded36626c023c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video_cirrus.mod',189,0,1596489273,0,1,131583,'b0fb4fad33fa7f95698906127484d490e7354e70');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/newc.mod',190,0,1596489273,0,1,131583,'e324e1fd2a89d6f7cd69194aebe22b9cfda8bcdf');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/blscfg.mod',191,0,1596489273,0,1,131583,'3dd00a8f9ea661c0fa1c4f8d2218696893379baa');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/adler32.mod',192,0,1596489273,0,1,131583,'6b759a2342b6e9466b13879d3f7af2cbb33c130c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/syslinuxcfg.mod',193,0,1596489273,0,1,131583,'681cd7bfe37a8aa0f059530c9b78a2bcb2f4c659');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/verify.mod',194,0,1596489273,0,1,131583,'2897c72aac29cd3c1bcd1b4251b885f2daeee452');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/tr.mod',195,0,1596489273,0,1,131583,'22574da06feff79bb44e73dd96ced0999136c86b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix.mod',196,0,1596489273,0,1,131583,'9e280c060965b2660621fcd5bfbb81748293f9ac');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/search_fs_file.mod',197,0,1596489273,0,1,131583,'8bb622793d06ac7402078f1c01f1e3cf38b91fad');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/progress.mod',198,0,1596489273,0,1,131583,'c570d1fe0e52019174841429610d4375156ab432');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/memrw.mod',199,0,1596489273,0,1,131583,'7c38f94975fcfd8db703f675b3d8cc0364eaa88e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ntfs.mod',200,0,1596489273,0,1,131583,'77942ac5e20f9f3f1aec34a11a5eb4197fe12474');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/udf.mod',201,0,1596489273,0,1,131583,'a50fce397ef8c9866d167b7e32524446298437cf');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ldm.mod',202,0,1596489273,0,1,131583,'2621e5c46caa4f1ba0f8a351b36c47c2eda4558b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/vbe.mod',203,0,1596489273,0,1,131583,'453bce6567267785a4a2edd853dd07e595b95a5f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pcidump.mod',204,0,1596489273,0,1,131583,'31b72e4ed606661432f87ad44653964492087160');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bitmap.mod',205,0,1596489273,0,1,131583,'98c816055b54ed53616380087f52f7ae2e132223');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_dfly.mod',206,0,1596489273,0,1,131583,'81119c8693a9afd5dfaa527b25fa1e2ab8c970f6');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/fshelp.mod',207,0,1596489273,0,1,131583,'ffbc43c73c5f53f5d9bc87504f8bde4f7be8781e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/disk.mod',208,0,1596489273,0,1,131583,'7de9a37168b2c753c410b4d8df25a1b54e516d62');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cpio.mod',209,0,1596489273,0,1,131583,'35d4bcb24213358d5e0b6b0ff09e410e772aa688');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ctz_test.mod',210,0,1596489273,0,1,131583,'3b364554d006b0b5b5dde3c9a1ebc2ccb0d2adf2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/loadenv.mod',211,0,1596489273,0,1,131583,'ac046778ea101df6be4c940e73b65febe9803222');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bswap_test.mod',212,0,1596489273,0,1,131583,'8256df78215dec98006e06042e8208f708ad0424');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/pxechain.mod',213,0,1596489273,0,1,131583,'dbb49eac76e4c72b1ab43b0175df708f6ddb487e');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ehci.mod',214,0,1596489273,0,1,131583,'604a9211dc5429e6eef229b82ee7f5d62eea1510');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/multiboot.mod',215,0,1596489273,0,1,131583,'e69e387d59187098c25f91c543db3597ff76dc67');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_md5.mod',216,0,1596489273,0,1,131583,'e84d46ba1bab44177b63632b2e1fee7641cd2002');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cs5536.mod',217,0,1596489273,0,1,131583,'fe514410d852ecff4e49686b1910f5bf7b20d125');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/search_label.mod',218,0,1596489273,0,1,131583,'dc4910eeba7b1dd05d92b2472d2f8b7de47f2d59');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cmp.mod',219,0,1596489273,0,1,131583,'9452d32fcd0c4e73929abac900089a0ad6a02c7d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lsapm.mod',220,0,1596489273,0,1,131583,'12889db46573c65ec98a86dcc74b616fc8a93c6b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_plan.mod',221,0,1596489273,0,1,131583,'ad56916688c661206bbffb87d02e00749360a096');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/linux.mod',222,0,1596489273,0,1,131583,'5f0a5a22da1ed25afc0e2e97617884b7b1e5a1fe');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hashsum.mod',223,0,1596489273,0,1,131583,'2293cd660e87297030582ce805afc102db7f979f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/dm_nv.mod',224,0,1596489273,0,1,131583,'efc08706f8a2269c6ce7dd246d336d3f2c95aafb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hdparm.mod',225,0,1596489273,0,1,131583,'7a45403c64cbd0b61f31a507722748a274ec0203');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_rmd160.mod',226,0,1596489273,0,1,131583,'6fe7165bf41645abee2225c3f0c9d704e775d6d2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/luks.mod',227,0,1596489273,0,1,131583,'66eaceb2b93fe2e5e79c60545e2392c4b84a0d87');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_crc.mod',228,0,1596489273,0,1,131583,'47cd00868410514969a6eeab91cef0a5a6b53bc3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/boot.mod',229,0,1596489273,0,1,131583,'e752cc35c37c96fc1d98210f3de1c0c22657c0db');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mdraid1x.mod',230,0,1596489273,0,1,131583,'88ed8b647c9d5e5e7e6d7e5378577ffade744204');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/configfile.mod',231,0,1596489273,0,1,131583,'19eec1adaa2bafcc9df2d09312d0d240170bd8c1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usb_keyboard.mod',232,0,1596489273,0,1,131583,'1024e0e895d54350cc2ebe70d5b550d6262eec81');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ufs2.mod',233,0,1596489273,0,1,131583,'7db3adf137026568b21f0f7674e67504803b4d4b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/partmap.lst',234,0,1596489273,0,1,131583,'502654a1720fbf4c67ba16191f0c7ed57f9d235f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/legacycfg.mod',235,0,1596489273,0,1,131583,'ebea00ef2f34f9300c910c2f02fdcbae0e652b32');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/usbserial_pl2303.mod',236,0,1596489273,0,1,131583,'3b6c73a45380de36faf78c9ec0f83a1553e253cb');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/normal.mod',237,0,1596489273,0,1,131583,'077d65f1533b54dc4b21cdd92d65d1c32dd0595d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/macho.mod',238,0,1596489273,0,1,131583,'683ba6ea35463c4919ff06e393ece10b75c3f701');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/crc64.mod',239,0,1596489273,0,1,131583,'6fe6585b5d9115bc0dc7fb02ae9c4d2af745de98');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ahci.mod',240,0,1596489273,0,1,131583,'dd292b9630ac5b1fff8cd72b66a4d7025c85c637');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/datetime.mod',241,0,1596489273,0,1,131583,'45f0717f95dd954c91589ddaf2c8d09d01036970');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gettext.mod',242,0,1596489273,0,1,131583,'5cc97f9c5aeef63eb5782d62c73a613964af2a2f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/parttool.lst',243,0,1596489273,0,1,131583,'b2d37bd4a8545f25cefd00b53cac06c079462fe9');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/video.lst',244,0,1596489273,0,1,131583,'0e321e68779f80979817cc9ac55072512a959151');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/lsacpi.mod',245,0,1596489273,0,1,131583,'42ebc060e901d613bff165ba37d89dd44cf5d9ca');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_dvh.mod',246,0,1596489273,0,1,131583,'ca0f1f9d726710ecdbbda2b1f40225fd40cd965f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_twofish.mod',247,0,1596489273,0,1,131583,'c48898e5e0e897d1462e7f43e685dde64bbab1a1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/archelp.mod',248,0,1596489273,0,1,131583,'af1bd762e24c57ff32a0598e9e52e0f6a309ca61');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cpio_be.mod',249,0,1596489273,0,1,131583,'db90e350fc5f6fc8a1915d62f4c8f3a2e0e21cd8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/keystatus.mod',250,0,1596489273,0,1,131583,'acae9747b47ce90085de043cc0e8cd5587e24f08');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_sha1.mod',251,0,1596489273,0,1,131583,'28adae8b9d3e69ba199c1147a05fca0df17b9c4f');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/cmp_test.mod',252,0,1596489273,0,1,131583,'69b4e920d0cbc7120f2645966cd947088ca3d91b');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/setpci.mod',253,0,1596489273,0,1,131583,'7156ab2b441120a826a8e4789597abf3fa8966c0');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix3.mod',254,0,1596489273,0,1,131583,'36efaa8fb8511c928d0c984eec0687eaea1c3c24');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/ufs1_be.mod',255,0,1596489273,0,1,131583,'bed39445529a0895ce57de59322368730911be97');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/f2fs.mod',256,0,1596489273,0,1,131583,'84c67f5d8d17cb428feb334b4205dd8f32216508');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/fat.mod',257,0,1596489273,0,1,131583,'630d8ed863953fe86de8bb32f43ddaf92c854b15');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/terminal.mod',258,0,1596489273,0,1,131583,'fece73f388d5e20014db570d3b64430e1b8b0265');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/btrfs.mod',259,0,1596489273,0,1,131583,'8826b9fe2ced77ce250780b636b8bddff3b0e3dc');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/mda_text.mod',260,0,1596489273,0,1,131583,'ce0108a5ffd0e33616fa7976f8cd72b3e69ae99a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/moddep.lst',261,0,1596489273,0,1,131583,'6ab777519234e50bbb5a806592e6f64f1eb012f3');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/regexp.mod',262,0,1596489273,0,1,131583,'1d57358a38540d664864e6bde5d098c46dc068c7');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/search_fs_uuid.mod',263,0,1596489273,0,1,131583,'a5e6c719553eebc5b6c9ba546102871681ff865c');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/part_bsd.mod',264,0,1596489273,0,1,131583,'c5d09498c6a3ccd3c60b18269294f39559fc2f62');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/hfs.mod',265,0,1596489273,0,1,131583,'c6fe6d5c9c250cb0ecd9901bd8a44701f6d88044');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/bfs.mod',266,0,1596489273,0,1,131583,'25d070abc2605db8729d8df7066fde8733404f15');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/priority_queue.mod',267,0,1596489273,0,1,131583,'3e8029bc80d0e4c8b13fe502a70702649a05469d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/modinfo.sh',268,0,1596489273,0,1,131583,'60804b3fa165abab2574de4e32ca45708a26419a');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/morse.mod',269,0,1596489273,0,1,131583,'a26d1c7387d978a332df5bbde65cb26f5b4fbcde');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gfxmenu.mod',270,0,1596489273,0,1,131583,'2d8eca42edf6b95f3bade58e2eebc4ec73f69ad8');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/echo.mod',271,0,1596489273,0,1,131583,'1e0c36ea7f777195ad88d1193d01e126c7fa8eea');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/reboot.mod',272,0,1596489273,0,1,131583,'381c91937f93e03b6770e2abce0b448d78ad65d1');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/nativedisk.mod',273,0,1596489273,0,1,131583,'e74a1f988c5a2ff1532049b89142c99d9193761d');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/signature_test.mod',274,0,1596489273,0,1,131583,'8cbdaa9994aea71e71e6fd531ca94e6a86f89d36');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/gcry_dsa.mod',275,0,1596489273,0,1,131583,'815e4f748a1cce07d34ad0ac9ade1b3f65bae8f2');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/videotest.mod',276,0,1596489273,0,1,131583,'85be3a029126926ec54b422c0705a8524b4f4fbd');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/offsetio.mod',277,0,1596489273,0,1,131583,'34386e88d5644ac5b75107dfd323e6c0093ec223');
+	INSERT INTO entry_path VALUES('/boot/grub2/i386-pc/minix_be.mod',278,0,1596489273,0,1,131583,'966e3c3c74dc6cb0d0ca20099f3eeb0fdf2bdc8c');
+	INSERT INTO entry_path VALUES('/boot/grub2/grub.cfg',279,0,1596489273,0,1,131583,'2bdaf620f152f05f8f1bfedaa71fc6ddf08114a1');
+	INSERT INTO entry_path VALUES('/boot/grub2/device.map',280,0,1596489273,0,1,131583,'408a38a707f1469e948f569ea89987068503b2d9');
+	INSERT INTO entry_path VALUES('/boot/.vmlinuz-4.18.0-193.6.3.el8_2.x86_64.hmac',281,0,1596489273,0,1,131583,'0b020357aac71b5de3f3fc05173cd2232a381ffd');
+	INSERT INTO entry_path VALUES('/boot/vmlinuz-0-rescue-11ea666f4c814dcba1f2af00cacde937',282,0,1596489273,0,1,131583,'51b103e419338478e747071095ad58fdd479b61d');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-147.8.1.el8_1.x86_64.img',283,0,1596489274,0,1,131583,'0410e64978531233ad3c33c32d0d0304b9676a72');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-147.8.1.el8_1.x86_64kdump.img',284,0,1596489274,0,1,131583,'05314fc27bc7b6a52c23eac77873ab8cffd4c6ad');
+	INSERT INTO entry_path VALUES('/boot/System.map-4.18.0-147.el8.x86_64',285,0,1596489274,0,1,131583,'340f4c55ee3e94fd96e416f8afa94943e6b1cc30');
+	INSERT INTO entry_path VALUES('/boot/initramfs-0-rescue-11ea666f4c814dcba1f2af00cacde937.img',286,0,1596489274,0,1,131583,'b790f06cc1739701d3adb9e876c11de37015f76f');
+	INSERT INTO entry_path VALUES('/boot/System.map-4.18.0-147.8.1.el8_1.x86_64',287,0,1596489274,0,1,131583,'55a4c4d3f262a2012f262b131ef66efb3a0851ff');
+	INSERT INTO entry_path VALUES('/boot/config-4.18.0-193.6.3.el8_2.x86_64',288,0,1596489274,0,1,131583,'4d2b3b97f67d2994e15d00356c335cda2f048af6');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-193.6.3.el8_2.x86_64.img',289,0,1596489274,0,1,131583,'750b5536ea0b56b0b99c8ae394b7cda0bc864b31');
+	INSERT INTO entry_path VALUES('/boot/.vmlinuz-4.18.0-147.8.1.el8_1.x86_64.hmac',290,0,1596489274,0,1,131583,'f1dcbf820ccc35c081307c81b44e3104b7ac1dbd');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-147.el8.x86_64.img',291,0,1596489274,0,1,131583,'98cb5a91f154c3d27a990b187dc71e032c83afaf');
+	INSERT INTO entry_path VALUES('/boot/.vmlinuz-4.18.0-147.el8.x86_64.hmac',292,0,1596489274,0,1,131583,'c7b2a3bd6308a9a563c3b69606275e8e0d129793');
+	INSERT INTO entry_path VALUES('/boot/vmlinuz-4.18.0-193.6.3.el8_2.x86_64',293,0,1596489274,0,1,131583,'0c04e9c37c7d490e9dc504de8396ce4ca1c03274');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-147.el8.x86_64kdump.img',294,0,1596489274,0,1,131583,'7b3c9ada533312b67a927025fb4f20a2b7e4e93d');
+	INSERT INTO entry_path VALUES('/boot/loader/entries/11ea666f4c814dcba1f2af00cacde937-4.18.0-147.8.1.el8_1.x86_64.conf',295,0,1596489274,0,1,131583,'f026a39370b30cda181433356db7ac82a3f99f32');
+	INSERT INTO entry_path VALUES('/boot/loader/entries/11ea666f4c814dcba1f2af00cacde937-4.18.0-147.el8.x86_64.conf',296,0,1596489274,0,1,131583,'d476dc4116ee3d600207967b55be65af28486851');
+	INSERT INTO entry_path VALUES('/boot/loader/entries/11ea666f4c814dcba1f2af00cacde937-4.18.0-193.6.3.el8_2.x86_64.conf',297,0,1596489274,0,1,131583,'ea4cc218fed4222900d5013f86c241d4c6bdb759');
+	INSERT INTO entry_path VALUES('/boot/loader/entries/11ea666f4c814dcba1f2af00cacde937-0-rescue.conf',298,0,1596489274,0,1,131583,'57ff1a76d3e50c0f252a19165787db5c258e4915');
+	INSERT INTO entry_path VALUES('/boot/vmlinuz-4.18.0-147.el8.x86_64',299,0,1596489275,0,1,131583,'94ad1ed361ed101c1781372e2cef2013b3bf0614');
+	INSERT INTO entry_path VALUES('/boot/initramfs-4.18.0-193.6.3.el8_2.x86_64kdump.img',300,0,1596489275,0,1,131583,'84930d125540fe164d6fbfef9b0176935a19b10b');
+	INSERT INTO entry_path VALUES('/boot/System.map-4.18.0-193.6.3.el8_2.x86_64',301,0,1596489275,0,1,131583,'1ab82e9ecf46bb8d354a0e6366444d57cc0bfbc9');
+	INSERT INTO entry_path VALUES('/boot/config-4.18.0-147.el8.x86_64',302,0,1596489275,0,1,131583,'e20f9587c0303b94d0743f7f2d4208bf1716ba70');
+	INSERT INTO entry_path VALUES('/boot/config-4.18.0-147.8.1.el8_1.x86_64',303,0,1596489275,0,1,131583,'65906fafe4705e9092ae75451bcd581b3ad504ec');
+	INSERT INTO entry_path VALUES('/boot/vmlinuz-4.18.0-147.8.1.el8_1.x86_64',304,0,1596489275,0,1,131583,'f91b14fae6b93ebe5442e14f64f37b8c1fa60761');
+	INSERT INTO entry_path VALUES('/etc/fstab',305,0,1596489275,0,1,131583,'f92dccc9fb1794ac8cfb585c1f2647186fb691ab');
+	INSERT INTO entry_path VALUES('/etc/crypttab',306,0,1596489275,0,1,131583,'4d78a1cc72a94643dbeedd4a88fe63d70a5b2529');
+	INSERT INTO entry_path VALUES('/etc/resolv.conf',307,0,1596639747,0,1,131583,'e8b0f1c53d70bf709b48f760024d0e2d524961e9');
+	INSERT INTO entry_path VALUES('/etc/dnf/modules.d/javapackages-runtime.module',308,0,1596489275,0,1,131583,'c8393d25d5493bbd2511337243f37d4c62b02e96');
+	INSERT INTO entry_path VALUES('/etc/dnf/modules.d/llvm-toolset.module',309,0,1596489275,0,1,131583,'7837d74f1ef094b52b2f1f4bbc6df375652fa748');
+	INSERT INTO entry_path VALUES('/etc/dnf/modules.d/python36.module',310,0,1596489275,0,1,131583,'9ad8efcd8cc842b57034ebd33eeab2a41369f243');
+	INSERT INTO entry_path VALUES('/etc/dnf/modules.d/satellite-5-client.module',311,0,1596489275,0,1,131583,'7618206005bb51b294cf958979c5e70b8cd9b1b8');
+	INSERT INTO entry_path VALUES('/etc/dnf/modules.d/virt.module',312,0,1596489275,0,1,131583,'10b9e7333b51b40672f311c9a1577d904f0bb5f1');
+	INSERT INTO entry_path VALUES('/etc/dnf/vars/contentdir',313,0,1596489275,0,1,131583,'446160794cc044bf0a34820ad1f6b66104b3aa27');
+	INSERT INTO entry_path VALUES('/etc/dnf/vars/infra',314,0,1596489275,0,1,131583,'1d96b95ad834ee9c2d2f7b41d83bfae5ff760626');
+	INSERT INTO entry_path VALUES('/etc/dnf/dnf.conf',315,0,1596489275,0,1,131583,'f06febb201041bff3e36b4cc6d674f19dd0552d6');
+	INSERT INTO entry_path VALUES('/etc/dnf/plugins/copr.conf',316,0,1596489275,0,1,131583,'49132877f0ef7450bb029db5d0bfb09942db1caf');
+	INSERT INTO entry_path VALUES('/etc/dnf/plugins/debuginfo-install.conf',317,0,1596489275,0,1,131583,'651f65864336f2bc28a5f7cf45d57565796fff0b');
+	INSERT INTO entry_path VALUES('/etc/dnf/plugins/spacewalk.conf',318,0,1596489275,0,1,131583,'dbad580436e7b6ad2195cc2f1b31a8fa4d5b7043');
+	INSERT INTO entry_path VALUES('/etc/dnf/plugins/product-id.conf',319,0,1596489275,0,1,131583,'5f27ab7c27a39cef1266390888d97975c835ef1f');
+	INSERT INTO entry_path VALUES('/etc/dnf/plugins/subscription-manager.conf',320,0,1596489275,0,1,131583,'a12e7ff240f2f7d4ea27ce4ccb1f4ce4ad7e3b5b');
+	INSERT INTO entry_path VALUES('/etc/dnf/protected.d/dnf.conf',321,0,1596489275,0,1,131583,'7b24eb7d763596f0ac84dcc0bd9bcf9c2a8179e4');
+	INSERT INTO entry_path VALUES('/etc/dnf/protected.d/systemd.conf',322,0,1596489275,0,1,131583,'7fee610f2e08c0091a6a4e4bc96029036b8ecb00');
+	INSERT INTO entry_path VALUES('/etc/dnf/protected.d/yum.conf',323,0,1596489275,0,1,131583,'edb710d7ca1721068ae0417991c2578c3cabcad0');
+	INSERT INTO entry_path VALUES('/etc/dnf/protected.d/sudo.conf',324,0,1596489275,0,1,131583,'ebf9361064c1cd2e462dabd069c335c38df813ab');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-sil-nuosu.conf',325,0,1596489275,0,1,131583,'9a6a66f9a17367b470313a76f47f4d2841c5cd47');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/31-cantarell.conf',326,0,1596489275,0,1,131583,'8343e8c6c728e899b61c9e50b56d5244da1486d0');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-tai-viet.conf',327,0,1596489275,0,1,131583,'944c3ba9fcf9a273747a7d45875552f1438fe116');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-fallback-backwards.conf',328,0,1596489275,0,1,131583,'b5223bdd486051c71ddaf885acf1adb74608f97f');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-bengali.conf',329,0,1596489275,0,1,131583,'dafb1f27b086c79cd6145fa9b6b0fc0a44468ef5');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/59-liberation-mono.conf',330,0,1596489275,0,1,131583,'5c2133509f84d1f9e33edad5254e65132231f200');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/59-lohit-devanagari.conf',331,0,1596489275,0,1,131583,'5dfe5a246f143e116e27ef76af3f72ce837def33');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/59-liberation-sans.conf',332,0,1596489275,0,1,131583,'cedf052221ce40c405bd5548e3a19ba58152384c');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-smc-meera.conf',333,0,1596489275,0,1,131583,'c8b12197154027f273f94619cc50a10ce2a32c76');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/20-unhint-small-dejavu-sans.conf',334,0,1596489275,0,1,131583,'e2f954b184a9846c3e1c97bb1bb448e29e8d7760');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-sil-padauk.conf',335,0,1596489275,0,1,131583,'575d038338d7aceddad1cff7a0fce7be4112dd51');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/57-dejavu-sans.conf',336,0,1596489275,0,1,131583,'79df74248c5b793fcdf429a2a3e88384d2f4b074');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-1-lohit-devanagari.conf',337,0,1596489275,0,1,131583,'6abb40136016a664a94de50f2b6df18d8c471222');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-google-droid-sans.conf',338,0,1596489275,0,1,131583,'dba951c018dc0811a5470c7136f403e61f3bfba5');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-gujarati.conf',339,0,1596489275,0,1,131583,'0ce276a32366380b76cad503c159b451997548bd');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/10-hinting-slight.conf',340,0,1596489275,0,1,131583,'0be516e3e34c3b6c9f2eca9a981bce0401b1d816');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/30-lohit-gurmukhi.conf',341,0,1596489275,0,1,131583,'b1a19082b2f714fa72d229a2626247fb95e4cfd7');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/10-scale-bitmap-fonts.conf',342,0,1596489275,0,1,131583,'a60c25823b913a237c283b8423ac99efae38d4ab');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-gurmukhi.conf',343,0,1596489275,0,1,131583,'115702466dedce2ebf1d403c51963a03cb7781ca');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/20-unhint-small-vera.conf',344,0,1596489275,0,1,131583,'a3ee268ebe75fe6b5e04a51ca83e08902816c452');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-kannada.conf',345,0,1596489275,0,1,131583,'392333442380873a1b4f80b70117ade218ff2d4b');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/25-unhint-nonlatin.conf',346,0,1596489275,0,1,131583,'a826e7f5ef4db394bb96913f5816f221a5210797');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/30-lohit-odia.conf',347,0,1596489275,0,1,131583,'b37c2b9b521c24245614fb2afe91b060253eb512');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/30-metric-aliases.conf',348,0,1596489275,0,1,131583,'9854ae8cc5e4432b91c360e743ab65adfdc45faa');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-stix.conf',349,0,1596489275,0,1,131583,'f6e7202d0504768e8ce047aa32e2a12cae00c22e');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/40-nonlatin.conf',350,0,1596489275,0,1,131583,'7dbaa5d06c37efa30e04a8f8e948a095ad4f48f1');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/45-generic.conf',351,0,1596489275,0,1,131583,'c37b1e9f15b8c389fd99a12696f3036a7a5a5c36');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/45-latin.conf',352,0,1596489275,0,1,131583,'549e24de350230e1ec3054f154c7a5e9138a1596');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/49-sansserif.conf',353,0,1596489275,0,1,131583,'c3d8b66a6600591002215922bc42356cfabed8dc');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/50-user.conf',354,0,1596489275,0,1,131583,'17f566ce9ce9ca4e8b8c05f6fdc4fe184f044cdc');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/51-local.conf',355,0,1596489275,0,1,131583,'4ef5c21120bd66ec259f794ffd10bc2ca60f0bef');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/60-generic.conf',356,0,1596489275,0,1,131583,'81ec3d44c02d2c02db2ac6710d69ca96cf5b1a0b');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/60-latin.conf',357,0,1596489275,0,1,131583,'ed483a727f7eed57898affb481c7746ac77c745f');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-odia.conf',358,0,1596489275,0,1,131583,'43d773329ed648e13681ad2551549e306a485039');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-fonts-persian.conf',359,0,1596489275,0,1,131583,'647f19a0004ff3604d75f6974717ede17d9b2666');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-nonlatin.conf',360,0,1596489275,0,1,131583,'6adb15885d453a3321f20f98be8ef31502f9fa37');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/69-unifont.conf',361,0,1596489275,0,1,131583,'16431ff085a7fdc505bc3dee257d00f1c21c778a');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/80-delicious.conf',362,0,1596489275,0,1,131583,'d4464a3008ffcb14515fb2e979ebda4dda4445e9');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/90-synthetic.conf',363,0,1596489275,0,1,131583,'6c041ff51e13f060c4b7a18ea92f8749a4391340');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/README',364,0,1596489275,0,1,131583,'7e867bb078948aa8fe2d18832e5485731b429166');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-bookman.conf',365,0,1596489275,0,1,131583,'ff682ba5a2a61331a4899d32b07e45a817fa55e0');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-c059.conf',366,0,1596489275,0,1,131583,'ab81746247faf06c00bdefdf4891e3a88b70ba6d');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-tamil.conf',367,0,1596489275,0,1,131583,'32969aab32926d0544a2f9d8e770e9aa6434566f');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-d050000l.conf',368,0,1596489275,0,1,131583,'9bf73108a02e90da6c492bb587cef076d832ae80');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-gothic.conf',369,0,1596489275,0,1,131583,'0ab1206872f026e8992441461f99a674c48dc5f0');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-telugu.conf',370,0,1596489275,0,1,131583,'249e55e6d3d43aa9fd0ca601eb5b1d531862edae');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-nimbus-mono-ps.conf',371,0,1596489275,0,1,131583,'eedbf866829543309c8be97b2e41785e5edf2655');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-paktype-naskh-basic.conf',372,0,1596489275,0,1,131583,'92e802851dcc95e68822e61272592e14e9b6c295');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-nimbus-roman.conf',373,0,1596489275,0,1,131583,'a1f6cdb2f214a7f403b9e7db6f7eba51d88b639d');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/57-paratype-pt-sans.conf',374,0,1596489275,0,1,131583,'28107e99fae1adcde074144125021d0fe5b328ac');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-nimbus-sans.conf',375,0,1596489275,0,1,131583,'d29146f8190215614766781f38f4bde6aa001021');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-p052.conf',376,0,1596489275,0,1,131583,'67c01fcf7ef2b38bb3924e2a6db52c47df253f1c');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-khmeros-base.conf',377,0,1596489275,0,1,131583,'d6ac65834d002524d3ed1bf0607f0da75d6c719b');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-standard-symbols-ps.conf',378,0,1596489275,0,1,131583,'a0706fb234c455f31df011fd113ef8d0697aa702');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-urw-z003.conf',379,0,1596489275,0,1,131583,'0afc1149a63292cccfe85f8875212dac72689304');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/29-paps.conf',380,0,1596489275,0,1,131583,'60274cfa431a7ad807a4ad836b8067f34ef1048e');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-google-noto-sans-cjk-ttc.conf',381,0,1596489275,0,1,131583,'8594f107cdb86a81962fb9a9749f5cab5359469c');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-lisu.conf',382,0,1596489275,0,1,131583,'38017312b892d8d2b2de4d6635740723b01d870c');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-google-noto-serif-cjk-ttc.conf',383,0,1596489275,0,1,131583,'6609624230ef4efc9de20e2360044e333a6656b1');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-mandaic.conf',384,0,1596489275,0,1,131583,'b7359ff480ec257188779d74d25ea6c6e39cc533');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/57-dejavu-serif.conf',385,0,1596489275,0,1,131583,'050d5061bead29a564b8f3b9e5852f944c574a1e');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-meetei-mayek.conf',386,0,1596489275,0,1,131583,'9671cb5aada07311e776cc81fa3f9c030cd7bd75');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/69-gnu-free-mono.conf',387,0,1596489275,0,1,131583,'940115fe2ee1efcf5a2d0a9270537f838e4a0d73');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-google-noto-sans-sinhala.conf',388,0,1596489275,0,1,131583,'1b775706b56b615299e29b8cefd153f717276fe5');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/69-gnu-free-sans.conf',389,0,1596489275,0,1,131583,'4c81b6e0373cd1df9a612cf1c176a91630a5fb2a');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-tagalog.conf',390,0,1596489275,0,1,131583,'b453f1acc36c1008c60ed8ee4b3d4cd37a2549ca');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/61-julietaula-montserrat.conf',391,0,1596489275,0,1,131583,'a6653e6c30bfa6430e441589d0e1e3ba74b97a1a');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-google-noto-sans-tai-tham.conf',392,0,1596489275,0,1,131583,'634c6631cd5717e471943eafefef360a8654c183');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/69-gnu-free-serif.conf',393,0,1596489275,0,1,131583,'80714c8b71ddd5db5d0abacaae65e8b12a5c14b7');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-jomolhari.conf',394,0,1596489275,0,1,131583,'9028a05be48242030a80a718b831b833ca66261c');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/20-unhint-small-dejavu-sans-mono.conf',395,0,1596489275,0,1,131583,'5a52a72582a1f8834f75f434de13182cae379661');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/66-sil-abyssinica.conf',396,0,1596489275,0,1,131583,'76fd2a8a426d441b1042e09900d8aa0cae01adf8');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/57-dejavu-sans-mono.conf',397,0,1596489275,0,1,131583,'2e1c770cb165b48fa63d0851c38833a4447a818b');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/65-0-lohit-assamese.conf',398,0,1596489275,0,1,131583,'5a73f575cedeb5df0e55e1f3965488e67833e179');
+	INSERT INTO entry_path VALUES('/etc/fonts/conf.d/20-unhint-small-dejavu-serif.conf',399,0,1596489275,0,1,131583,'093a6c722f89ae833ff18a7144bf0f8f288aee97');
+	INSERT INTO entry_path VALUES('/etc/fonts/fonts.conf',400,0,1596489275,0,1,131583,'f3fb8516bb76ce6964a72689ad2b7c6908e5dcae');
+	INSERT INTO entry_path VALUES('/etc/X11/fontpath.d/xorg-x11-fonts-Type1',401,0,1596489275,0,1,131583,'28f0826e88a44e32f66a28498521ddd28073d4e7');
+	INSERT INTO entry_path VALUES('/etc/X11/fontpath.d/liberation-mono-fonts',402,0,1596489275,0,1,131583,'ab7e195d54cdfb7d9ee02a272c5bcd39ea465c13');
+	INSERT INTO entry_path VALUES('/etc/X11/fontpath.d/liberation-sans-fonts',403,0,1596489275,0,1,131583,'0f18757298617339ee09fd34d6ee4106d3e3230f');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinitrc.d/50-systemd-user.sh',404,0,1596489275,0,1,131583,'666c6989d7f683e9947fe0bbdcc01c8436df85b5');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinitrc.d/00-start-message-bus.sh',405,0,1596489275,0,1,131583,'80861cdf15a356cdf27b92ffa6d749c73222e430');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinitrc.d/localuser.sh',406,0,1596489275,0,1,131583,'19d4522452e57957b9f1f2d798d386ec88db3baf');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/Xclients',407,0,1596489275,0,1,131583,'6767e750ee436e6eda21f79b01a1532b7e85bd54');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/Xsession',408,0,1596489275,0,1,131583,'52361d93b882496b34f98f9d54728d8a29178c85');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinitrc',409,0,1596489275,0,1,131583,'4e24c99734bf29205e1e66f71c3c01f893ae008c');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinitrc-common',410,0,1596489275,0,1,131583,'ba9b7c643ef0a234550a1170c9c4e214697b87d3');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinput.d/ibus.conf',411,0,1596489275,0,1,131583,'41d23d13b52af830746799180c815ee95d766a17');
+	INSERT INTO entry_path VALUES('/etc/X11/xinit/xinputrc',412,0,1596489275,0,1,131583,'bde6a74ea5b48918e461bacdb0f691399322ebab');
+	INSERT INTO entry_path VALUES('/etc/X11/xorg.conf.d/00-keyboard.conf',413,0,1596489275,0,1,131583,'75a0c7f8fcd9d3508d72985392aa43cd0462c0b2');
+	INSERT INTO entry_path VALUES('/etc/X11/Xmodmap',414,0,1596489275,0,1,131583,'2c11059cd9f6794f49fa8fee21819ae9ecdc628b');
+	INSERT INTO entry_path VALUES('/etc/X11/Xresources',415,0,1596489275,0,1,131583,'f0828fae9d7e02cf102dc5b91ab742724ddaca7c');
+	INSERT INTO entry_path VALUES('/etc/X11/Xsession.d/60xbrlapi',416,0,1596489275,0,1,131583,'d9793fbb319aa701e63992b6f45317e3ecdb3e0f');
+	INSERT INTO entry_path VALUES('/etc/skel/.bash_logout',417,0,1596489275,0,1,131583,'f13a83d459a2a290e699dd23d5829bdbe97c5921');
+	INSERT INTO entry_path VALUES('/etc/skel/.bash_profile',418,0,1596489275,0,1,131583,'e98b979c3b80b0ec588e68ea1962a5f0b00a498b');
+	INSERT INTO entry_path VALUES('/etc/skel/.bashrc',419,0,1596489275,0,1,131583,'82a3c4b321f10c89f9f8edd9b8d41c500fa6dd50');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/calendars.properties',420,0,1596489275,0,1,131583,'e446df83fdfdaba3e77ee347933ef1aa7bb52b4b');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/logging.properties',421,0,1596489275,0,1,131583,'7eaa9a3dd8a28aca2f7c29de3d2bc3d9a8c20ba2');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/policy/unlimited/US_export_policy.jar',422,0,1596489275,0,1,131583,'e44ca8f83868d7b07b79b9de6547d7381c6490e5');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/policy/unlimited/local_policy.jar',423,0,1596489275,0,1,131583,'953536683dcbae53b2be45ae5b7594a383c71356');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/policy/limited/US_export_policy.jar',424,0,1596489275,0,1,131583,'1607f8e9d99db5de3f1eef645ab2fef9d3aaab0b');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/policy/limited/local_policy.jar',425,0,1596489275,0,1,131583,'6e1beee0d2f4a70aeab037897266b5b930d00b20');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/java.policy',426,0,1596489275,0,1,131583,'d5669b044bc28ae95126c7b9297a25fc79950539');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/java.security',427,0,1596489275,0,1,131583,'576724d1a15519745e7fcbb01416e8e7eae60e2c');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/nss.cfg',428,0,1596489275,0,1,131583,'2b16d64db81e85aeb5a8abaae69aef02afb04b41');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/blacklisted.certs',429,0,1596489275,0,1,131583,'f94d84f4219db7da6fdde316a875e3b66af4282e');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/cacerts',430,0,1596489275,0,1,131583,'1eed0a46bcecf0ee4cac53e418f02f3ad03b8a70');
+	INSERT INTO entry_path VALUES('/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.252.b09-3.el8_2.x86_64/lib/security/nss.fips.cfg',431,0,1596489275,0,1,131583,'71c1c9e294cbf2e2ddf4dcee8487832404ab96ba');
+	INSERT INTO entry_path VALUES('/etc/java/eclipse.conf',432,0,1596489275,0,1,131583,'df85155ae92d482acb9f1863e3cb40b54e142cc7');
+	INSERT INTO entry_path VALUES('/etc/java/font.properties',433,0,1596489275,0,1,131583,'d96356bba5a0e3c6675ff384fa133bda53294d46');
+	INSERT INTO entry_path VALUES('/etc/java/java.conf',434,0,1596489275,0,1,131583,'4d21f54d58a0657567941184df20002ead936f80');
+	INSERT INTO entry_path VALUES('/etc/libreport/events/report_Uploader.conf',435,0,1596489275,0,1,131583,'954b08c7cee2135f1c98b602d5ebe3b24c4a18c4');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/collect_dnf.conf',436,0,1596489275,0,1,131583,'e5272bc1c5609254677529518ed51416c4c7a10c');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/rhtsupport_event.conf',437,0,1596489275,0,1,131583,'70faaea9ae98a275d7678e64ded766b126451ae2');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/uploader_event.conf',438,0,1596489275,0,1,131583,'e3804b8a7b14cb52487b243569af71b48d3c474a');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/bugzilla_anaconda_event.conf',439,0,1596489275,0,1,131583,'d35fd1f3e18d8cbc7449efe1543ecd8ec259b44e');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/emergencyanalysis_event.conf',440,0,1596489275,0,1,131583,'4eeb6787928e56b540a9843af2c5a9ad12b3847b');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/mdadm_event.conf',441,0,1596489275,0,1,131583,'70a76144e1c4e45173d2b3475482b8c3f42abcec');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/abrt_dbus_event.conf',442,0,1596489275,0,1,131583,'781f4da5cc9a134d35ad76a76817c10c67f27d21');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/abrt_event.conf',443,0,1596489275,0,1,131583,'bb00347ba6d4d08b10a3c5ff4f24394176185532');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/smart_event.conf',444,0,1596489275,0,1,131583,'dc99b85d742807dc6e09e53766312d86dfbbb479');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/koops_event.conf',445,0,1596489275,0,1,131583,'931f75661bb6092326ee720cbf27457ce8f3e3e0');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/python3_event.conf',446,0,1596489275,0,1,131583,'b7375439997a806621dc2baadbfbfdbb9458e7bb');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/xorg_event.conf',447,0,1596489275,0,1,131583,'00d991cae03cca70b08788fb55c287ca3a5ac618');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/vmcore_event.conf',448,0,1596489275,0,1,131583,'f9d0db8c58e32a2e9084f4b0c1f3db58428aa07b');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/ccpp_event.conf',449,0,1596489275,0,1,131583,'a52aa1df6951ccdce2b04d14c6b986c1f1fa2fcd');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/gconf_event.conf',450,0,1596489275,0,1,131583,'900b7a400887156c6eb5d55ec3de0f6252085d3d');
+	INSERT INTO entry_path VALUES('/etc/libreport/events.d/vimrc_event.conf',451,0,1596489275,0,1,131583,'95c01fd8ab74551d077749f2694ad19b1f5b45fa');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/rhtsupport.conf',452,0,1596489275,0,1,131583,'b67684ea17094dbced13ee8eab71c9ba80e65e8d');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/upload.conf',453,0,1596489275,0,1,131583,'c5a19ebbdc3c9a0cb8e29f1acb20217d4347c6f6');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/bugzilla_format_anaconda.conf',454,0,1596489275,0,1,131583,'0bd5eb44cabeab62b87896f6bc78bfdafaccd101');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/bugzilla_formatdup_anaconda.conf',455,0,1596489275,0,1,131583,'1ab423b2ac546b11dc511aee610b2060a97c4299');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/ureport.conf',456,0,1596489275,0,1,131583,'a0d2ad8024a5d803bb2dcf905a598c6d11236ce3');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_koops_format.conf',457,0,1596489275,0,1,131583,'24b3fc4d537d6bc876e7108599892a933375a279');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_python3_format.conf',458,0,1596489275,0,1,131583,'a4916cb023ae8b9711243cd68abb4332d2f475e4');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_xorg_format.conf',459,0,1596489275,0,1,131583,'8156656332b67fbe11666983d7b83ece5eceb6c3');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_vmcore_format.conf',460,0,1596489275,0,1,131583,'a6d2e163bac6ab76805cacad78689a8c359cc306');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_ccpp_format.conf',461,0,1596489275,0,1,131583,'f389a831e07eccb785bfb939d50baf9ff9e7b827');
+	INSERT INTO entry_path VALUES('/etc/libreport/plugins/catalog_journal_ccpp_format.conf',462,0,1596489275,0,1,131583,'0c054e221df956940f99c71c2fe138a9ecdb9e75');
+	INSERT INTO entry_path VALUES('/etc/libreport/workflows.d/report_uploader.conf',463,0,1596489275,0,1,131583,'a7f715b6e85bdbf7b39f50bb9bebe09ca1f40d41');
+	INSERT INTO entry_path VALUES('/etc/libreport/workflows.d/anaconda_event.conf',464,0,1596489275,0,1,131583,'1e20206f7404a2c4510d89eb3c82b099c966fd33');
+	INSERT INTO entry_path VALUES('/etc/libreport/workflows.d/report_rhel.conf',465,0,1596489275,0,1,131583,'b907dd307926f994b0d9213740b7228577a702e6');
+	INSERT INTO entry_path VALUES('/etc/libreport/workflows.d/report_rhel_add_data.conf',466,0,1596489275,0,1,131583,'faf325c780e8af1035a62f70af073c065aefcf0c');
+	INSERT INTO entry_path VALUES('/etc/libreport/workflows.d/report_uReport.conf',467,0,1596489275,0,1,131583,'19215c133c73f10c90e56cf1ce16be59e71420c7');
+	INSERT INTO entry_path VALUES('/etc/libreport/forbidden_words.conf',468,0,1596489275,0,1,131583,'c95f7ed111946b234f19ae6282b9c8264b98be51');
+	INSERT INTO entry_path VALUES('/etc/libreport/ignored_words.conf',469,0,1596489275,0,1,131583,'3478f892feda02277085e673a97d4743965e6a59');
+	INSERT INTO entry_path VALUES('/etc/libreport/libreport.conf',470,0,1596489275,0,1,131583,'d0f964aea1453f220ff52fbcab36a5407ab745d7');
+	INSERT INTO entry_path VALUES('/etc/libreport/report_event.conf',471,0,1596489275,0,1,131583,'e6a711fa89a8bd31bf27858d6b60789e467c8199');
+	INSERT INTO entry_path VALUES('/etc/libreport/cert-api.access.redhat.com.pem',472,0,1596489275,0,1,131583,'bc78e7190eafcaf5832a775d1f4875df428113ca');
+	INSERT INTO entry_path VALUES('/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial',473,0,1596489275,0,1,131583,'c342ce88d29558c7e8550af96de15fbb71b2f609');
+	INSERT INTO entry_path VALUES('/etc/pki/rpm-gpg/RPM-GPG-KEY-centostesting',474,0,1596489275,0,1,131583,'b1c7475a5ff9aefc7b076688271bb338076b550b');
+	INSERT INTO entry_path VALUES('/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8',475,0,1596489275,0,1,131583,'a4036c45b3b1d787370c35020cd1fe4da36762a3');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/edk2/README',476,0,1596489275,0,1,131583,'102e2be9b30a6d52daba8d9d9941d4fc3626a7fa');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/edk2/cacerts.bin',477,0,1596489275,0,1,131583,'626514c2aef9c146783db3511491e94305a05645');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/README',478,0,1596489275,0,1,131583,'35340851fc2d3738cb800348034eeb434dc8f562');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/java/README',479,0,1596489275,0,1,131583,'88dcbb2e081b073c5e010a96e6c32810bdb3c0de');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/java/cacerts',480,0,1596489275,0,1,131583,'e6363e6b8ff1369c94006cf15f7f20c09bf24923');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/openssl/README',481,0,1596489275,0,1,131583,'03c6c1355f92e8131d10ca00b9e792f5ed7c5bb0');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',482,0,1596489275,0,1,131583,'b5d6824858f0034d8b562fe33805cb625fdb2766');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/pem/README',483,0,1596489275,0,1,131583,'056ae5360ea43548cf9e4f2aa9ef5358a8dbf43d');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',484,0,1596489275,0,1,131583,'10695b07e7315b5af21cf3b4eb978c33f967a082');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem',485,0,1596489275,0,1,131583,'d2c473a5cf74fd56dbe307223228acc273737e88');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem',486,0,1596489275,0,1,131583,'02456f80a5673251ea86e8be642f78e6098f3965');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/README',487,0,1596489275,0,1,131583,'508ce96b77b2d85021a9c8000082a2ccfbf70fbc');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/ca-legacy.conf',488,0,1596489275,0,1,131583,'2f36d3bd1b07856a35aa3e7114fd06b76cd4d906');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/source/README',489,0,1596489275,0,1,131583,'f6e59ce6990cb8e7b0c22811a12c634dc8dea903');
+	INSERT INTO entry_path VALUES('/etc/pki/ca-trust/source/ca-bundle.legacy.crt',490,0,1596489275,0,1,131583,'9d6f535640e631846d5890243c5f6fb3921e8e69');
+	INSERT INTO entry_path VALUES('/etc/pki/java/cacerts',491,0,1596489275,0,1,131583,'b1a62419faf897b12a93a6dec29fc7a4e4985d42');
+	INSERT INTO entry_path VALUES('/etc/pki/tls/cert.pem',492,0,1596489275,0,1,131583,'ea747eb4684407e4a5cf98e8e4845ffb68128ad8');
+	INSERT INTO entry_path VALUES('/etc/pki/tls/certs/ca-bundle.crt',493,0,1596489275,0,1,131583,'5033e0d379d92ea145036869557fba0e3b226927');
+	INSERT INTO entry_path VALUES('/etc/pki/tls/certs/ca-bundle.trust.crt',494,0,1596489275,0,1,131583,'05f2211e193eb4653c5a648fddc5501b518c559f');
+	INSERT INTO entry_path VALUES('/etc/pki/tls/ct_log_list.cnf',495,0,1596489275,0,1,131583,'e244baf907652b9b981adc29f7a430f401ff887e');
+	INSERT INTO entry_path VALUES('/etc/pki/tls/openssl.cnf',496,0,1596489275,0,1,131583,'c82c02e2ea13cd9cd9b4404ebd3b646d0e1bd246');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/cert8.db',497,0,1596489275,0,1,131583,'cecef1b820ffa95f6214c72c553d3fee61fa3e67');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/cert9.db',498,0,1596489275,0,1,131583,'60cf768cad01e8b419a0c557b0af76ee3ebb1ad3');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/key3.db',499,0,1596489275,0,1,131583,'fd72cc7cc378a8b0ca31f18d7a647003aedcbb89');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/key4.db',500,0,1596489275,0,1,131583,'4fd9e3067dc8ab1e4f217e4076967c5722cb3f86');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/pkcs11.txt',501,0,1596489275,0,1,131583,'d26a0e791ec2e3bc509c7337ea45f8807b9cef06');
+	INSERT INTO entry_path VALUES('/etc/pki/nssdb/secmod.db',502,0,1596489275,0,1,131583,'f1f2f9f6a45769ceba22ff4b7e6f94ce52de34b7');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd/GPG-KEY-Hughski-Limited',503,0,1596489275,0,1,131583,'67ff98978626421fbecedbdd4ff1a9719c12da63');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware',504,0,1596489275,0,1,131583,'47294daa26a7c2c1c0cfc36181915278876e1ed0');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service',505,0,1596489275,0,1,131583,'547fd31347c3fb42dbd7e53583789435dbcdb8b7');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd/LVFS-CA.pem',506,0,1596489275,0,1,131583,'aac9841afa68d32d857d97609055fb843bceee06');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata',507,0,1596489275,0,1,131583,'77b609ad787140f6212191d16a4104ca937d16e8');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service',508,0,1596489275,0,1,131583,'1a0fc020dd37e9fc1a61f4f436f2dce481b73876');
+	INSERT INTO entry_path VALUES('/etc/pki/fwupd-metadata/LVFS-CA.pem',509,0,1596489275,0,1,131583,'7cd624a3cd4c28fb409bff02740f1f1988b707ec');
+	INSERT INTO entry_path VALUES('/etc/rpm/macros.dist',510,0,1596489275,0,1,131583,'770a42568fd0226107c46f7487d5c1d5d7c53f24');
+	INSERT INTO entry_path VALUES('/etc/GREP_COLORS',511,0,1596489275,0,1,131583,'0d5bd085d12cbba1a248bd7c7356eb7a266a38f5');
+	INSERT INTO entry_path VALUES('/etc/rdma/ibacm_opts.cfg',512,0,1596489275,0,1,131583,'bb89415743069af29e5bd25f9ce4c52e441a6ebe');
+	INSERT INTO entry_path VALUES('/etc/rdma/mlx4.conf',513,0,1596489275,0,1,131583,'1c670d04a0b18168fe29abdc3d8fab5004124534');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/infiniband.conf',514,0,1596489275,0,1,131583,'2a42656b2677d24ab41d0cafee9c549cf433998f');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/iwarp.conf',515,0,1596489275,0,1,131583,'9d0bb2b0d04baa79a16a7f2763153c5f18831bd1');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/iwpmd.conf',516,0,1596489275,0,1,131583,'20ecdb062fd2baf8137dc7945b046b2a3daa96f2');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/opa.conf',517,0,1596489275,0,1,131583,'3c007af993edd68b5a64d63e43258626086a78d1');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/rdma.conf',518,0,1596489275,0,1,131583,'8e068d04fec0c10f6b57ccb08abf3b7fc5b321f9');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/roce.conf',519,0,1596489275,0,1,131583,'b4bfcdc95a3baf0512381e902bb1952b24eee33a');
+	INSERT INTO entry_path VALUES('/etc/rdma/modules/srp_daemon.conf',520,0,1596489275,0,1,131583,'52d86b32b670904348326c13a480790eea17fb0c');
+	INSERT INTO entry_path VALUES('/etc/rdma/rdma.conf',521,0,1596489275,0,1,131583,'4828c18992401e3886c07ec059b20c23d59a57e9');
+	INSERT INTO entry_path VALUES('/etc/rdma/sriov-vfs',522,0,1596489275,0,1,131583,'06b0518022ae00e84087b4b76d62800ce8f10db5');
+	INSERT INTO entry_path VALUES('/etc/centos-release',523,0,1596489275,0,1,131583,'acd307ea3a74e42a002d4aab0f7e5d590e858939');
+	INSERT INTO entry_path VALUES('/etc/iproute2/bpf_pinning',524,0,1596489275,0,1,131583,'67d70ae618a5a638c714a5fce0ccb24d57c69c99');
+	INSERT INTO entry_path VALUES('/etc/iproute2/ematch_map',525,0,1596489275,0,1,131583,'30be1a286d2dcb623d83d7f176165d503b0a5af4');
+	INSERT INTO entry_path VALUES('/etc/iproute2/group',526,0,1596489275,0,1,131583,'3ad87b24758fce8621e13bcd4d2857c32f2ebe7f');
+	INSERT INTO entry_path VALUES('/etc/iproute2/nl_protos',527,0,1596489275,0,1,131583,'7ddb1bf2166471592fe4d24690b8426f1421babd');
+	INSERT INTO entry_path VALUES('/etc/iproute2/rt_dsfield',528,0,1596489275,0,1,131583,'d384e1aeec4bd6ca518dabc81ab0586241348dc8');
+	INSERT INTO entry_path VALUES('/etc/iproute2/rt_protos',529,0,1596489275,0,1,131583,'53e76a8562a51b684993e01709a285f2766b83c8');
+	INSERT INTO entry_path VALUES('/etc/iproute2/rt_realms',530,0,1596489275,0,1,131583,'fe0386009f951862e20ed184da4236fac5a6bff7');
+	INSERT INTO entry_path VALUES('/etc/iproute2/rt_scopes',531,0,1596489275,0,1,131583,'48d6a0be237b4c13e4cc7e61daa9947ecf939d2f');
+	INSERT INTO entry_path VALUES('/etc/iproute2/rt_tables',532,0,1596489275,0,1,131583,'45f2abdb1a39cdca1f7cd6ef442f690352d985c7');
+	INSERT INTO entry_path VALUES('/etc/centos-release-upstream',533,0,1596489275,0,1,131583,'f690b6c176cedba845dc04ae5ae8e0baf57967c3');
+	INSERT INTO entry_path VALUES('/etc/gss/mech.d/gssproxy.conf',534,0,1596489275,0,1,131583,'6f93cbe5452ffbe47c85889c6b5baf1ab4470795');
+	INSERT INTO entry_path VALUES('/etc/lvm/lvm.conf',535,0,1596489275,0,1,131583,'281929c591632c96af5006cf5a40f88b74bdd6c3');
+	INSERT INTO entry_path VALUES('/etc/lvm/lvmlocal.conf',536,0,1596489275,0,1,131583,'3e4a212e4a1a267d688e3602d0d48ff1c6dd0532');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/cache-mq.profile',537,0,1596489275,0,1,131583,'c2b47df1446b32c3c7b2393d49c67ed6da693d4c');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/cache-smq.profile',538,0,1596489275,0,1,131583,'6ac5ec36e97ebf6b363817b3b52e5386d60ad699');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/command_profile_template.profile',539,0,1596489275,0,1,131583,'d74ab7ad3ccd0a882f89a67aba0fcb2fb42e5a26');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/lvmdbusd.profile',540,0,1596489275,0,1,131583,'f85dd11b9c49c382c368bcacab68e561cf387f95');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/metadata_profile_template.profile',541,0,1596489275,0,1,131583,'46513cdd23fc8cec056b1e8d4fb028fdffaa5491');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/thin-generic.profile',542,0,1596489275,0,1,131583,'9f9c20f8ac7b01c6f849d8be0ef7e7183624afbf');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/thin-performance.profile',543,0,1596489275,0,1,131583,'7c40d173e6798c7174a2b15fad1050a5108bfbf8');
+	INSERT INTO entry_path VALUES('/etc/lvm/profile/vdo-small.profile',544,0,1596489275,0,1,131583,'f9ba288927cf76577d81ceff9cbad9dc9a8e23c2');
+	INSERT INTO entry_path VALUES('/etc/issue',545,0,1596489275,0,1,131583,'4333f6e1f6c1ef69cce2d612c7bffcc5352fde3a');
+	INSERT INTO entry_path VALUES('/etc/openldap/ldap.conf',546,0,1596489275,0,1,131583,'d608d33bc3372a795a307a9f40ca0886be3767c3');
+	INSERT INTO entry_path VALUES('/etc/issue.net',547,0,1596489275,0,1,131583,'b3b302e5361cd5705b71f61fb4950435a8377b4e');
+	INSERT INTO entry_path VALUES('/etc/prelink.conf.d/grub2.conf',548,0,1596489275,0,1,131583,'bf1863a78b1ef3eecc805227c1fc6d3879ece0ca');
+	INSERT INTO entry_path VALUES('/etc/os-release',549,0,1596489275,0,1,131583,'a037fcee969d9c0f7f9b269829091c7f7d6515e7');
+	INSERT INTO entry_path VALUES('/etc/selinux/semanage.conf',550,0,1596489275,0,1,131583,'7a2740ce15ae0ab275bbe1d33701a292b6e19a2b');
+	INSERT INTO entry_path VALUES('/etc/selinux/config',551,0,1596489275,0,1,131583,'701431525f18959ab0b8a908a91223d7c3fe7a97');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/.policy.sha512',552,0,1596489275,0,1,131583,'14b130c32d48818fcdc0c31bb656fadf25c0f0b8');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/booleans.subs_dist',553,0,1596489275,0,1,131583,'d5320f7b05117b202d9b000f871977a357d496f1');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/customizable_types',554,0,1596489275,0,1,131583,'faa6b476fdf6696957ec2f6cd52873a74beee5c6');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/dbus_contexts',555,0,1596489275,0,1,131583,'b27741f90ca7e6489aca976f7d6991e166d8f4df');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/default_contexts',556,0,1596489275,0,1,131583,'1c71604418ac8f4b4c3159b765e118a6630f4fee');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/default_type',557,0,1596489275,0,1,131583,'a6b71183d9518c01526617fba8d4134fd38893cf');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/failsafe_context',558,0,1596489275,0,1,131583,'916191f741d5ce6942c8a514199dcff918cea027');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts',559,0,1596489275,0,1,131583,'07ebcab83a4b8da0a62bf47acc8ff70c03b523d5');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.homedirs',560,0,1596489275,0,1,131583,'7fbd4aacfc64db54a220cf70ba53631a000087cb');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.local',561,0,1596489275,0,1,131583,'449d71d10a34feace0952ee38e0eb3dfc3e0aca9');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.subs',562,0,1596489275,0,1,131583,'14eb9d09b3c7a9c287e0916e276b711a7364179d');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.subs_dist',563,0,1596489275,0,1,131583,'5954c55a7c5e0cd53d09098872dfbccecf3b8fe9');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/media',564,0,1596489275,0,1,131583,'a45e0f6134a37e9ba47170ef1aca59ac8fbefffc');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.bin',565,0,1596489275,0,1,131583,'9861171cf0a9f7614153568026933ac7cb04275a');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin',566,0,1596489275,0,1,131583,'c185f73c219652cb0c4ed44856bcb17e79c5ccd7');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/initrc_context',567,0,1596489275,0,1,131583,'02ae89cd996a4227fede87aab50bfe92ebe59de0');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/lxc_contexts',568,0,1596489275,0,1,131583,'527bcae216d411f72e26ca71b8bd3177b91a5a7a');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/openssh_contexts',569,0,1596489275,0,1,131583,'6c2747b2c203c7b39fc49bf85de4e92f03b77096');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/removable_context',570,0,1596489275,0,1,131583,'12cc886d9af4ba42d90ac5c888cb49b9d3800ed9');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/securetty_types',571,0,1596489275,0,1,131583,'7bf581870424e8c6aaf89d2de55eed0efc24f26b');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/sepgsql_contexts',572,0,1596489275,0,1,131583,'02b086f54ce28645b69b0c93500d5f9d175a2d0e');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/snapperd_contexts',573,0,1596489275,0,1,131583,'24f519b20d70ce7e0daeb6fce69cc686f625ed21');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/systemd_contexts',574,0,1596489275,0,1,131583,'0383ae5ff536f42a4595ec00a0084f4697f25947');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/userhelper_context',575,0,1596489275,0,1,131583,'95ea91d018886ba329e304de38e1575f6fd8328f');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/guest_u',576,0,1596489275,0,1,131583,'295308743ba5798d9bd8a9bf9470c6f20a820bf8');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/root',577,0,1596489275,0,1,131583,'e17cd684d09a6174c53e7e38639c130ed03c37e3');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/staff_u',578,0,1596489275,0,1,131583,'133266a9350f37bad684d0e85317bc773302a464');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/sysadm_u',579,0,1596489275,0,1,131583,'02e350934abd86a72e83621b612ddb2f0ca2b31a');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/unconfined_u',580,0,1596489275,0,1,131583,'65f02b2083fb2aaeb35188355e5bf12f9b319e2c');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/user_u',581,0,1596489275,0,1,131583,'cb9c6a65c2285f1705cc17e415fbae5b2d8ed067');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/users/xguest_u',582,0,1596489275,0,1,131583,'8c586c2631bd892b5c3646ac65454b4cb698e92d');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/virtual_domain_context',583,0,1596489275,0,1,131583,'3583a472b26a35102d9a762ca42f0bf891d2c0bb');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/virtual_image_context',584,0,1596489275,0,1,131583,'c91a62181d9452ab2781c41f9007450fc03ffa92');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/contexts/x_contexts',585,0,1596489275,0,1,131583,'c2d3a08f7377db85a9a2b5c7931e295990d7e689');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/policy/policy.31',586,0,1596489275,0,1,131583,'12455bba82d25bd027df402bb0f30ed9b0010ed8');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/setrans.conf',587,0,1596489275,0,1,131583,'9403e98209455627e880442a39b8f8646e18cd56');
+	INSERT INTO entry_path VALUES('/etc/selinux/targeted/seusers',588,0,1596489275,0,1,131583,'e568a289e726db9667748bc4a5e291d86147b8ee');
+	INSERT INTO entry_path VALUES('/etc/dhcp/dhclient.d/chrony.sh',589,0,1596489275,0,1,131583,'e29193da6548a02c39ea22f69555aa8438305e87');
+	INSERT INTO entry_path VALUES('/etc/dhcp/dhclient.conf',590,0,1596489275,0,1,131583,'935da380c18e7ca3040794a77d900298e21e6213');
+	INSERT INTO entry_path VALUES('/etc/redhat-release',591,0,1596489275,0,1,131583,'8051f6d92d63c825f285aa1a989c37dc19c9e596');
+	INSERT INTO entry_path VALUES('/etc/xattr.conf',592,0,1596489275,0,1,131583,'7e77ced553b4831899d4fae5c8f47d5d5cbea70e');
+	INSERT INTO entry_path VALUES('/etc/alsa/state-daemon.conf',593,0,1596489275,0,1,131583,'f4503d11041ee910c88313078904ee5418d0c376');
+	INSERT INTO entry_path VALUES('/etc/alsa/alsactl.conf',594,0,1596489275,0,1,131583,'dcd568111381aaca181006ea469297a8f001c4bc');
+	INSERT INTO entry_path VALUES('/etc/alsa/conf.d/50-pulseaudio.conf',595,0,1596489275,0,1,131583,'5c6e1fa48ed6754083cd46360275e02f69c1a7a6');
+	INSERT INTO entry_path VALUES('/etc/alsa/conf.d/99-pulseaudio-default.conf',596,0,1596489275,0,1,131583,'97054f7bd347b0f5f6c752301736ba4153cdd7e1');
+	INSERT INTO entry_path VALUES('/etc/system-release',597,0,1596489275,0,1,131583,'f54b57ace457d1af8294f1cf00e07e018a15bf8c');
+	INSERT INTO entry_path VALUES('/etc/kernel/install.d/20-grubby.install',598,0,1596489275,0,1,131583,'33fdefe54a8a38014ea76ca34f6908809c765add');
+	INSERT INTO entry_path VALUES('/etc/kernel/install.d/90-loaderentry.install',599,0,1596489275,0,1,131583,'b7b362149da83d38ee45086c83999b3d66b201cb');
+	INSERT INTO entry_path VALUES('/etc/kernel/postinst.d/51-dracut-rescue-postinst.sh',600,0,1596489275,0,1,131583,'2d86c5fa1a53113a119880d8b8615ab6ee092318');
+	INSERT INTO entry_path VALUES('/etc/lsm/lsmd.conf',601,0,1596489275,0,1,131583,'4fc4cbccd3a5cce3d386137448046c100e7daeb9');
+	INSERT INTO entry_path VALUES('/etc/lsm/pluginconf.d/sim.conf',602,0,1596489275,0,1,131583,'1a1988650135b8b1fc8a1b34e7ecc1afdd593f0e');
+	INSERT INTO entry_path VALUES('/etc/system-release-cpe',603,0,1596489275,0,1,131583,'731b0db7c19567e7600101c2d93dc46c5a7d6f27');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-AppStream.repo',604,0,1596489275,0,1,131583,'eeb46d0e85f635cd8595afc3447b21686c8fedb3');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Base.repo',605,0,1596489275,0,1,131583,'e24f1dfcba64d3dea78c6840893c77539f44638f');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-CR.repo',606,0,1596489275,0,1,131583,'3c8f423821f62047826eadb840a2a8166d433a38');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Debuginfo.repo',607,0,1596489275,0,1,131583,'9780fa3f9debc183385ee4e5c929f11b97afd47d');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Extras.repo',608,0,1596489275,0,0,131583,'7b75248a90972b5649ebcc901b12cc0f78986ef3');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-HA.repo',609,0,1596489275,0,0,131583,'5c66d89ea09993d21326abcc31d6c7e59ca74c6e');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Media.repo',610,0,1596489275,0,0,131583,'a011ecc49ea4364794b744db07fcf66366ab4fe8');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-PowerTools.repo',611,0,1596489275,0,0,131583,'873bbd522c9ff3c3e13b78f3a6fa090a1cb1bbaa');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Sources.repo',612,0,1596489275,0,0,131583,'02395f2765fe3f0f913554e4798eed9dbba0bf33');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Vault.repo',613,0,1596489275,0,0,131583,'b7d2466d8df8cf037ef2b98f2f286f2bde3276b0');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-centosplus.repo',614,0,1596489275,0,0,131583,'b3673c3d784abb2c4c7b026f7ce360ee99261963');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-fasttrack.repo',615,0,1596489275,0,0,131583,'c60b37bfdd3b17e1d2362b7fb49d1f3876606fa9');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/sublime-text.repo',616,0,1596489275,0,0,131583,'712e2cf4569729e19951758459ef3008cc9be354');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/CentOS-Devel.repo',617,0,1596489275,0,0,131583,'bd481465d04efe10feb72b27daeea8b0d2b0f16b');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/epel-modular.repo',618,0,1596489275,0,0,131583,'2b4103f9a0f4a9a62dae9e527d8f7fb5a3e96664');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/epel-playground.repo',619,0,1596489275,0,0,131583,'bcdb9c003490780c0bc05c6a00f0d8646ca710fb');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/epel-testing-modular.repo',620,0,1596489275,0,0,131583,'43bca36eee62ff2743c659819e9700f24c8f7c03');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/epel-testing.repo',621,0,1596489275,0,0,131583,'17d6585a3a53397974b32cc8718d2f1b5d5c7e2e');
+	INSERT INTO entry_path VALUES('/etc/yum.repos.d/epel.repo',622,0,1596489275,0,0,131583,'016a64d720edd5df2cf6cd843b05d51cffcef196');
+	INSERT INTO entry_path VALUES('/etc/krb5.conf',623,0,1596489275,0,0,131583,'2425647248e464a48010873e0a33ecd60243ca9b');
+	INSERT INTO entry_path VALUES('/etc/aliases',624,0,1596489275,0,0,131583,'3119d478ef429fb4945e22edc7972c20b2febcc0');
+	INSERT INTO entry_path VALUES('/etc/krb5.conf.d/crypto-policies',625,0,1596489275,0,0,131583,'96a1ce65759de23df8cd1ad98403beb9a05b8cfe');
+	INSERT INTO entry_path VALUES('/etc/krb5.conf.d/kcm_default_ccache',626,0,1596489275,0,0,131583,'456684c669642b2b3afb65642e04a42eebfea1ff');
+	INSERT INTO entry_path VALUES('/etc/bashrc',627,0,1596489275,0,0,131583,'98ea9993a6fb305114a61254ce85aa4a7db6dab5');
+	INSERT INTO entry_path VALUES('/etc/netconfig',628,0,1596489275,0,0,131583,'6b630e1bf9176e8423c3ee606bb5a0cd8c318954');
+	INSERT INTO entry_path VALUES('/etc/csh.cshrc',629,0,1596489275,0,0,131583,'1ede6fe710955dcaa3983713de4f3da81dc606f4');
+	INSERT INTO entry_path VALUES('/etc/ssl/certs',630,0,1596489275,0,0,131583,'675854d027042f2cb3ce31a21aa644054847205d');
+	INSERT INTO entry_path VALUES('/etc/cups/cups-browsed.conf',631,0,1596489275,0,0,131583,'1c0af5181e08c60d3b74777a5bbaebc34f877e2d');
+	INSERT INTO entry_path VALUES('/etc/cups/classes.conf',632,0,1596489275,0,0,131583,'1a6da4b5882446ce5ee991a022c38aaf387753da');
+	INSERT INTO entry_path VALUES('/etc/cups/client.conf',633,0,1596489275,0,0,131583,'161c8e0e38f15b6cef4f3d3f3812616bdce1498c');
+	INSERT INTO entry_path VALUES('/etc/cups/cups-files.conf',634,0,1596489275,0,0,131583,'cb28f38c7d6bc2209cb4acdb0d82ae6c8bed1af5');
+	INSERT INTO entry_path VALUES('/etc/cups/cups-files.conf.default',635,0,1596489275,0,0,131583,'28cd9f2e9c8906de0a91ad706d131790e674b250');
+	INSERT INTO entry_path VALUES('/etc/cups/cupsd.conf',636,0,1596489275,0,0,131583,'0d7c7fcd328b13b3463dd551b4a42e4c1ae4ec49');
+	INSERT INTO entry_path VALUES('/etc/cups/cupsd.conf.default',637,0,1596489275,0,0,131583,'d4eb4a91dd459d8b524dbe856b398c23fb1bd05b');
+	INSERT INTO entry_path VALUES('/etc/cups/lpoptions',638,0,1596489275,0,0,131583,'f53d2b591d3084ecd15655d4f80555df91bb61a2');
+	INSERT INTO entry_path VALUES('/etc/cups/printers.conf',639,0,1596489275,0,0,131583,'3fd9a8daae2680cae808f89305301244d4dd3a53');
+	INSERT INTO entry_path VALUES('/etc/cups/snmp.conf',640,0,1596489275,0,0,131583,'acda5da5f6fd9be7b23a8dd1888e7f1d18e6edd6');
+	INSERT INTO entry_path VALUES('/etc/cups/snmp.conf.default',641,0,1596489275,0,0,131583,'3ac9e985d1cad89d1753584581e387cd780cdf47');
+	INSERT INTO entry_path VALUES('/etc/cups/subscriptions.conf',642,0,1596489275,0,0,131583,'dbe571f41efd015fe3d79ea37d3b8c31ac87ce79');
+	INSERT INTO entry_path VALUES('/etc/cups/subscriptions.conf.O',643,0,1596489275,0,0,131583,'5255f06f2e020789ae8c3c867860c5cd17ab6447');
+	INSERT INTO entry_path VALUES('/etc/csh.login',644,0,1596489275,0,0,131583,'6e47dd244af3fc223aed2745d4dfea62bb98fccc');
+	INSERT INTO entry_path VALUES('/etc/nsswitch.conf.bak',645,0,1596489275,0,0,131583,'f959be77a3891fb5ede8b43510026640592ac726');
+	INSERT INTO entry_path VALUES('/etc/environment',646,0,1596489275,0,0,131583,'8e08fde625774ce634d7bc1e1751232afc446768');
+	INSERT INTO entry_path VALUES('/etc/login.defs',647,0,1596489275,0,0,131583,'41b90e4d5ba59963a7062561d9927c188e83fa6e');
+	INSERT INTO entry_path VALUES('/etc/ethertypes',648,0,1596489275,0,0,131583,'1dbd40d698ff01ac7467f42a6229f8934a16e23e');
+	INSERT INTO entry_path VALUES('/etc/.pwd.lock',649,0,1596489275,0,0,131583,'82dd97ca6c36c09ade33f3b62354c40cb2e6c251');
+	INSERT INTO entry_path VALUES('/etc/exports',650,0,1596489275,0,0,131583,'94f936d4be485a868244b14d6ce5336a0413d33e');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/mlx4.conf',651,0,1596489275,0,0,131583,'2f7e2d0655462e70d1a561e852222fdcae0af3bf');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/truescale.conf',652,0,1596489275,0,0,131583,'5c26805f0185cdddc5631f1ef905409de8c36192');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/kvm.conf',653,0,1596489275,0,0,131583,'9327934546bbd295a0949e3d0d63562c53eabfc8');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/vhost.conf',654,0,1596489275,0,0,131583,'2cf184386f2a5fe8040ea809031653befb15783c');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/nvdimm-security.conf',655,0,1596489275,0,0,131583,'d3e76c4fba306963f4ff6d454a93833eec4033af');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/lockd.conf',656,0,1596489275,0,0,131583,'19066f2b1535374ad5b41f7428544e41fde49c39');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/tuned.conf',657,0,1596489275,0,0,131583,'5368195982f3455925eac13b47342aabf0e5c4c7');
+	INSERT INTO entry_path VALUES('/etc/modprobe.d/firewalld-sysctls.conf',658,0,1596489275,0,0,131583,'cbfc2a6c09bd4e290767fdc555e04c659e5fddd1');
+	INSERT INTO entry_path VALUES('/etc/filesystems',659,0,1596489275,0,0,131583,'269317a42d7aea190b321a99d9537cedd8586160');
+	INSERT INTO entry_path VALUES('/etc/depmod.d/dist.conf',660,0,1596489275,0,0,131583,'f5cd23db1c8123b5b6ee18e3c2d6e2692fdd5f4d');
+	INSERT INTO entry_path VALUES('/etc/depmod.d/kvdo.conf',661,0,1596489275,0,0,131583,'88ff39b4d21612c9c5ba2470e33a609cd459b9fb');
+	INSERT INTO entry_path VALUES('/etc/group',662,0,1596489275,0,0,131583,'ada8175a151960dc9e5d8b773ba665801da08c30');
+	INSERT INTO entry_path VALUES('/etc/security/pwquality.conf',663,0,1596489275,0,0,131583,'29ddc977cd09951078103ec2bb07a14e3182fac0');
+	INSERT INTO entry_path VALUES('/etc/security/access.conf',664,0,1596489275,0,0,131583,'464164e387d65ed3d6c38e6a0b83ba5cf338aa86');
+	INSERT INTO entry_path VALUES('/etc/security/chroot.conf',665,0,1596489275,0,0,131583,'63536cfd34939576a670accccea04c281b026108');
+	INSERT INTO entry_path VALUES('/etc/security/console.apps/config-util',666,0,1596489275,0,0,131583,'5aac751439f61578247c07a85313a8df679aa8bd');
+	INSERT INTO entry_path VALUES('/etc/security/console.apps/liveinst',667,0,1596489275,0,0,131583,'2cddd6250d5654a6c4d6282e9a2deea99f37f4f2');
+	INSERT INTO entry_path VALUES('/etc/security/console.apps/subscription-manager',668,0,1596489275,0,0,131583,'47e2a690a7aee92cd3e1549d0a1632c6d86d11bd');
+	INSERT INTO entry_path VALUES('/etc/security/console.handlers',669,0,1596489275,0,0,131583,'2e1558eb35896b4569e7bc189db9d99978553aa6');
+	INSERT INTO entry_path VALUES('/etc/security/console.perms',670,0,1596489275,0,0,131583,'8aab73043e0579adeaef8c82151fb4cffa095dbd');
+	INSERT INTO entry_path VALUES('/etc/security/group.conf',671,0,1596489275,0,0,131583,'1542a50664832c73609c4b3a5ff92f0e71fe87e7');
+	INSERT INTO entry_path VALUES('/etc/security/limits.conf',672,0,1596489275,0,0,131583,'1fae21b68ef5920dfd4aa9473bb2410183317397');
+	INSERT INTO entry_path VALUES('/etc/security/namespace.conf',673,0,1596489275,0,0,131583,'c20dd559eb3037f1af1c2e9287e5b6f2935c479d');
+	INSERT INTO entry_path VALUES('/etc/security/namespace.init',674,0,1596489275,0,0,131583,'b4e55eb136899004fb29b295e40aeb1c88727ced');
+	INSERT INTO entry_path VALUES('/etc/security/opasswd',675,0,1596489275,0,0,131583,'772d6cd39e1ff6fe4a08dc12ef8ea909f1074073');
+	INSERT INTO entry_path VALUES('/etc/security/pam_env.conf',676,0,1596489275,0,0,131583,'fe237a55d77da66b3c2d395aab7aa34161eaee57');
+	INSERT INTO entry_path VALUES('/etc/security/sepermit.conf',677,0,1596489275,0,0,131583,'4e5337a59048f081888b6793cd04d9a3f005c28f');
+	INSERT INTO entry_path VALUES('/etc/security/time.conf',678,0,1596489275,0,0,131583,'85312867fd73b6ed7dd1323b8133d2748e7a9ae1');
+	INSERT INTO entry_path VALUES('/etc/security/faillock.conf',679,0,1596489275,0,0,131583,'9a94deb1e4b0b95eac984aac302a92f9e46f3133');
+	INSERT INTO entry_path VALUES('/etc/gshadow',680,0,1596489275,0,0,131583,'008821b7788ef13e56a68c35bed5497784970237');
+	INSERT INTO entry_path VALUES('/etc/group-',681,0,1596489275,0,0,131583,'327c07e574ebb38765d1b0fd1d46da1cdfc75246');
+	INSERT INTO entry_path VALUES('/etc/host.conf',682,0,1596489275,0,0,131583,'1fb43459ec91efc34328a523dbfd406bb4281259');
+	INSERT INTO entry_path VALUES('/etc/gshadow-',683,0,1596489275,0,0,131583,'e544b8604ae8952f8bdc82c563f545c8abd15c24');
+	INSERT INTO entry_path VALUES('/etc/hosts',684,0,1596489275,0,0,131583,'1cc5a465e6cae0fc2c569c12cd55732d7cce1c87');
+	INSERT INTO entry_path VALUES('/etc/pam.d/vlock',685,0,1596489275,0,0,131583,'e698e0c7e6fb9998a6280b0c2aed3f0a01075dc3');
+	INSERT INTO entry_path VALUES('/etc/pam.d/config-util',686,0,1596489275,0,0,131583,'fd98eea6a258db348518365531308e74b43a9b81');
+	INSERT INTO entry_path VALUES('/etc/pam.d/other',687,0,1596489275,0,0,131583,'2d0998a8748d7bbee1ee3d4dbbd8f37d9abfe212');
+	INSERT INTO entry_path VALUES('/etc/pam.d/login',688,0,1596489275,0,0,131583,'b2e94ca119bbcbd1edb7dafc0e4989ee8a0a3374');
+	INSERT INTO entry_path VALUES('/etc/pam.d/remote',689,0,1596489275,0,0,131583,'53b603d17db6637a02a501ad103b77aa9824d486');
+	INSERT INTO entry_path VALUES('/etc/pam.d/runuser',690,0,1596489275,0,0,131583,'c012b781455643f0f529485e09f9c1b25a68b913');
+	INSERT INTO entry_path VALUES('/etc/pam.d/runuser-l',691,0,1596489275,0,0,131583,'07b8b164b4423dc1e624a60e7cc7259c6e9decda');
+	INSERT INTO entry_path VALUES('/etc/pam.d/su',692,0,1596489275,0,0,131583,'ab85e339bcc568eb462cd294f0ded2fd9d991fbc');
+	INSERT INTO entry_path VALUES('/etc/pam.d/su-l',693,0,1596489275,0,0,131583,'b30a734f1736c56dcc51090e94240935ca7bcc72');
+	INSERT INTO entry_path VALUES('/etc/pam.d/systemd-user',694,0,1596489275,0,0,131583,'1b609b7140bda1a56f6ac457ab35bce2896c5953');
+	INSERT INTO entry_path VALUES('/etc/pam.d/polkit-1',695,0,1596489275,0,0,131583,'8b5844777bfda76f9a4376521a0c82e258e2130b');
+	INSERT INTO entry_path VALUES('/etc/pam.d/crond',696,0,1596489275,0,0,131583,'8d144a731320bfb5bb1b4049c7bf37ac0fe19240');
+	INSERT INTO entry_path VALUES('/etc/pam.d/passwd',697,0,1596489275,0,0,131583,'2cb1dd58fa4d5bbe7e944b0288b3900320f87d17');
+	INSERT INTO entry_path VALUES('/etc/pam.d/xserver',698,0,1596489275,0,0,131583,'09a67381a3edaa57dc210cf07f9e6622fb18dc9f');
+	INSERT INTO entry_path VALUES('/etc/pam.d/cups',699,0,1596489275,0,0,131583,'d23f9a24d4b1278fe6d265b6f96082e91c6b1284');
+	INSERT INTO entry_path VALUES('/etc/pam.d/cockpit',700,0,1596489275,0,0,131583,'480a504d020707730c4b2cc72fe6d86685549a49');
+	INSERT INTO entry_path VALUES('/etc/pam.d/vmtoolsd',701,0,1596489275,0,0,131583,'782ec57c13830009b47d7473ee0666ad427f619f');
+	INSERT INTO entry_path VALUES('/etc/pam.d/sssd-shadowutils',702,0,1596489275,0,0,131583,'f3b688713477663511fd15bb1ea79fbfb1398311');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-autologin',703,0,1596489275,0,0,131583,'2e0728dd033b733b2b3ee29d29df2974c6e841e7');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-fingerprint',704,0,1596489275,0,0,131583,'3ac670eca00997bd983e875cca4e10f20a1dc7df');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-launch-environment',705,0,1596489275,0,0,131583,'615cd4cbe41c607021b8df4308da6cdc732cf431');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-password',706,0,1596489275,0,0,131583,'53957c5815e513859eaf27c46b9738d92fe6651c');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-pin',707,0,1596489275,0,0,131583,'97dc02fe8f68c251624e7fee13305329bea069a9');
+	INSERT INTO entry_path VALUES('/etc/pam.d/gdm-smartcard',708,0,1596489275,0,0,131583,'977d41caed9cb0a8d43b6a66c2ee83067090a014');
+	INSERT INTO entry_path VALUES('/etc/pam.d/liveinst',709,0,1596489275,0,0,131583,'fe60bd62d65a8ee0cac12fa6b86ff939758de359');
+	INSERT INTO entry_path VALUES('/etc/pam.d/sshd',710,0,1596489275,0,0,131583,'0d9da83fe1fc20415d3ef6e760750c7529a0c35c');
+	INSERT INTO entry_path VALUES('/etc/pam.d/chfn',711,0,1596489275,0,0,131583,'c9b616681646dc2cdab1e94124e7c470499c4e9b');
+	INSERT INTO entry_path VALUES('/etc/pam.d/chsh',712,0,1596489275,0,0,131583,'8f7010f056fd87bcf90a64860306cbe5a0d334ee');
+	INSERT INTO entry_path VALUES('/etc/pam.d/atd',713,0,1596489275,0,0,131583,'171a4777727f3da79987840d35dd0c716b46ec69');
+	INSERT INTO entry_path VALUES('/etc/pam.d/ppp',714,0,1596489275,0,0,131583,'82388ac02a4df37aae4f191fa515ed3f604c03fc');
+	INSERT INTO entry_path VALUES('/etc/pam.d/sudo',715,0,1596489275,0,0,131583,'ac843c343e90af40da7d2de954b76e0b336e2d98');
+	INSERT INTO entry_path VALUES('/etc/pam.d/sudo-i',716,0,1596489275,0,0,131583,'61a7ac339d584822d940d0d29ad1fcb6f3911c0d');
+	INSERT INTO entry_path VALUES('/etc/pam.d/system-auth',717,0,1596489275,0,0,131583,'9796b5e2230d94e01ec6946434eaae89b1df14d3');
+	INSERT INTO entry_path VALUES('/etc/pam.d/password-auth',718,0,1596489275,0,0,131583,'f2e204347a3ab4d0c7797f9b71c9450e407a5eef');
+	INSERT INTO entry_path VALUES('/etc/pam.d/fingerprint-auth',719,0,1596489275,0,0,131583,'233de4d7a4e8c0f44253e4d706e36c52a25a94f2');
+	INSERT INTO entry_path VALUES('/etc/pam.d/smartcard-auth',720,0,1596489275,0,0,131583,'9327255e4aaeae335f3a9eea29b00416872327eb');
+	INSERT INTO entry_path VALUES('/etc/pam.d/postlogin',721,0,1596489275,0,0,131583,'c7fdb39dbacaed1a7a6b5834650b822bce13faf5');
+	INSERT INTO entry_path VALUES('/etc/pam.d/subscription-manager',722,0,1596489275,0,0,131583,'f9a2d5315f8c9bd8787e8a94d79b6b77dedb08c4');
+	INSERT INTO entry_path VALUES('/etc/inputrc',723,0,1596489275,0,0,131583,'047af3aa62aabf7d647687a9a3e0f16f674a6e92');
+	INSERT INTO entry_path VALUES('/etc/dracut.conf',724,0,1596489275,0,0,131583,'e83a53567ee183e9cbf48dee7310237459560ddd');
+	INSERT INTO entry_path VALUES('/etc/motd',725,0,1596489275,0,0,131583,'74bf57784a8cb64d485dce2aecf73d50ee015420');
+	INSERT INTO entry_path VALUES('/etc/passwd-',726,0,1596489275,0,0,131583,'5c9b9db582c9bb7434eadce1222c1411163ff363');
+	INSERT INTO entry_path VALUES('/etc/networks',727,0,1596489275,0,0,131583,'60b898b83b2eb0b1712eed21aa08504169f5e9bb');
+	INSERT INTO entry_path VALUES('/etc/shadow-',728,0,1596489275,0,0,131583,'b87ef26ebb808c6c694eb9f7a0027212ae17b9c9');
+	INSERT INTO entry_path VALUES('/etc/passwd',729,0,1596489275,0,0,131583,'7736276ff85ca562627c269e33c36629e48876f4');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/bind.config',730,0,1596489275,0,0,131583,'21502dfcd568c81e466f78733811d502e523d4cf');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/gnutls.config',731,0,1596489275,0,0,131583,'aee40b55c7b1257da5a313cfacc95315c4d2f098');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/java.config',732,0,1596489275,0,0,131583,'610b1d6291d46a708a2f85c4a1612099f7d676c5');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/krb5.config',733,0,1596489275,0,0,131583,'f625dc186eeb41645a6e9980ece7bc613bee4c8b');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/libreswan.config',734,0,1596489275,0,0,131583,'8c4cbae94157b5edd7badc5a0da9447ba6fc3244');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/libssh.config',735,0,1596489275,0,0,131583,'aee93c02dc0331a6a43af6ee8fa7585bb2528d38');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/nss.config',736,0,1596489275,0,0,131583,'140e35121155c65cb996eaae9c55a93ee63981cc');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/opensshserver.config',737,0,1596489275,0,0,131583,'6fcc3f21965857ce50c8bb0fe16b86476f803c40');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/openssh.config',738,0,1596489275,0,0,131583,'38663ec2a699880344ccd6bec4eb79b9da9560ad');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/opensslcnf.config',739,0,1596489275,0,0,131583,'459333c55f8f5481a4802edfb5884c0f4ddcaab1');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/back-ends/openssl.config',740,0,1596489275,0,0,131583,'f8751da8e88cdf68ae318e82c8f5cc549952d4ad');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/config',741,0,1596489275,0,0,131583,'8f6cd33e239f8f8f30399b9668b883621d9fdbe4');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/local.d/nss-p11-kit.config',742,0,1596489275,0,0,131583,'cf8049fb2a0640d1d51eb861a794e6f8f83d0792');
+	INSERT INTO entry_path VALUES('/etc/crypto-policies/state/current',743,0,1596489275,0,0,131583,'d68471474ba3476bda055af893c9a726a1ea507e');
+	INSERT INTO entry_path VALUES('/etc/printcap',744,0,1596489275,0,0,131583,'743ca6e505e979b8c073f66fc9998f26b145b428');
+	INSERT INTO entry_path VALUES('/etc/profile',745,0,1596489275,0,0,131583,'ba948fbef2e7747fac6c2c0f2eae01c72d6872c6');
+	INSERT INTO entry_path VALUES('/etc/profile.d/csh.local',746,0,1596489275,0,0,131583,'ee8881e021369fbf890f2c2fa8128c2bc44d5b9b');
+	INSERT INTO entry_path VALUES('/etc/profile.d/lang.csh',747,0,1596489275,0,0,131583,'048e0ff0d68c756853c4d5d76895bbaeacde1958');
+	INSERT INTO entry_path VALUES('/etc/profile.d/lang.sh',748,0,1596489275,0,0,131583,'8d82993769b42cbddeb2847cbd01572fa9df7794');
+	INSERT INTO entry_path VALUES('/etc/profile.d/sh.local',749,0,1596489275,0,0,131583,'68c6a9545c4019ffa189245cf3206a81e0ad6882');
+	INSERT INTO entry_path VALUES('/etc/profile.d/vte.sh',750,0,1596489275,0,0,131583,'e60fae2f185171237cac8de7720404527e08fe87');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorgrep.csh',751,0,1596489275,0,0,131583,'4ea83f0057732f95de1f43e0513f8c546cdf8a19');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorgrep.sh',752,0,1596489275,0,0,131583,'09eaef5268d250ea3658426b3e78cf01044cdd05');
+	INSERT INTO entry_path VALUES('/etc/profile.d/which2.csh',753,0,1596489275,0,0,131583,'66cf77a1159a2d53bfea2be15a5ab9d8de850d55');
+	INSERT INTO entry_path VALUES('/etc/profile.d/which2.sh',754,0,1596489275,0,0,131583,'b2a381fc8347061f656f7d4f8f7f7a1484bee99b');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorxzgrep.csh',755,0,1596489275,0,0,131583,'f7bb1074fbd4a8ecc00623c40ed7d3b58ba875a3');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorxzgrep.sh',756,0,1596489275,0,0,131583,'f7a5bdd2865c77f2562442fd8ccae20493590bc6');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorls.csh',757,0,1596489275,0,0,131583,'4013322c49a1735540df9ef96f1c7e260183ea7e');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorls.sh',758,0,1596489275,0,0,131583,'90748df1d171022f7c68a766f15c470fb4adc5fb');
+	INSERT INTO entry_path VALUES('/etc/profile.d/less.csh',759,0,1596489275,0,0,131583,'f932c010384d83bb64382d8b00cff542ee481228');
+	INSERT INTO entry_path VALUES('/etc/profile.d/less.sh',760,0,1596489275,0,0,131583,'dae75940f6235dae6e493a8c7b40678bddeb188d');
+	INSERT INTO entry_path VALUES('/etc/profile.d/bash_completion.sh',761,0,1596489275,0,0,131583,'8a65a44bb40d625780eda55244529892c6fa93db');
+	INSERT INTO entry_path VALUES('/etc/profile.d/gawk.csh',762,0,1596489275,0,0,131583,'ecd03bd1d842f1f365b6b622927bd37a9253c51e');
+	INSERT INTO entry_path VALUES('/etc/profile.d/gawk.sh',763,0,1596489275,0,0,131583,'383941dd342454703fc8c92ffc114d396bfd55aa');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorzgrep.csh',764,0,1596489275,0,0,131583,'d03001b0120c15eb6aa3a2ea11f395c01147d193');
+	INSERT INTO entry_path VALUES('/etc/profile.d/colorzgrep.sh',765,0,1596489275,0,0,131583,'a25e68221a6786579e96fc2eb8f7c3d34e968a12');
+	INSERT INTO entry_path VALUES('/etc/profile.d/flatpak.sh',766,0,1596489275,0,0,131583,'fb8483cf8ac73feb2c95899fa2801d3375e04e04');
+	INSERT INTO entry_path VALUES('/etc/profile.d/vim.csh',767,0,1596489275,0,0,131583,'3d1a0dddba18ff025ec7928adce2a4d1ba0af6e8');
+	INSERT INTO entry_path VALUES('/etc/profile.d/vim.sh',768,0,1596489275,0,0,131583,'67445a2c27259861dbae25dd494068522845f9dc');
+	INSERT INTO entry_path VALUES('/etc/profile.d/PackageKit.sh',769,0,1596489275,0,0,131583,'d5d1d7bdd29665b983afc4358da37a49a8255862');
+	INSERT INTO entry_path VALUES('/etc/protocols',770,0,1596489275,0,0,131583,'a3368d471282e00d7a23ad34eb13076fa3c93035');
+	INSERT INTO entry_path VALUES('/etc/rc.local',771,0,1596489275,0,0,131583,'328bcf5c8eb1b425bc8d558a0461eeab779b036a');
+	INSERT INTO entry_path VALUES('/etc/services',772,0,1596489275,0,0,131583,'dbbb345f018223c256feda72f976fc35cce9d27f');
+	INSERT INTO entry_path VALUES('/etc/inittab',773,0,1596489275,0,0,131583,'69fbb9c25da31b834bc0501a76e5f2a350db19b1');
+	INSERT INTO entry_path VALUES('/etc/shadow',774,0,1596489275,0,0,131583,'907012ea849e9bd434fcd5c03adbf685e7e9a33b');
+	INSERT INTO entry_path VALUES('/etc/sysctl.conf',775,0,1596489275,0,0,131583,'78b3d97c56f6efd6ff0aac9924392925ddf14d4f');
+	INSERT INTO entry_path VALUES('/etc/shells',776,0,1596489275,0,0,131583,'fe20263369f49868ec8b4185b66afce8a8125208');
+	INSERT INTO entry_path VALUES('/etc/systemd/coredump.conf',777,0,1596489275,0,0,131583,'2c6c2c47814df760e27bc36dabb4a8db96c265e3');
+	INSERT INTO entry_path VALUES('/etc/systemd/journald.conf',778,0,1596489275,0,0,131583,'c790e785204f7643b2a3813f000265bb69bc7735');
+	INSERT INTO entry_path VALUES('/etc/systemd/logind.conf',779,0,1596489275,0,0,131583,'170d036c3ab3a69b85e31bc62f2080206c857f54');
+	INSERT INTO entry_path VALUES('/etc/systemd/resolved.conf',780,0,1596489275,0,0,131583,'fa526c33046fe36d07123e4e3a9ffff25d2c370e');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/syslog.service',781,0,1596489275,0,0,131583,'46aaf3d1d1c1fb0ffb5bc43ab45f93938901373a');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/remote-fs.target',782,0,1596489275,0,0,131583,'c6070d9aa6749de4bde5e6c0fa8baf50d1ab6f05');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/NetworkManager.service',783,0,1596489275,0,0,131583,'cb1114d03ef9e73b7116724c1645802efed39ef8');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/crond.service',784,0,1596489275,0,0,131583,'39b14e8a5dc816e391a73f27f36de52b9941e08b');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/ksm.service',785,0,1596489275,0,0,131583,'18df3ef9098c20c25f7ea629ee0b463d1995338f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/ksmtuned.service',786,0,1596489275,0,0,131583,'5f4edab1edc2bd42b84abd22f790aa7193d8ab95');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/rpcbind.service',787,0,1596489275,0,0,131583,'7fa00972e8bb877043b8664bd18bef0fb988ce33');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/chronyd.service',788,0,1596489275,0,0,131583,'67b163af5baee6a1533fe92616c5b2a874b2139b');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/libstoragemgmt.service',789,0,1596489275,0,0,131583,'eeaab8683cccf931a60f7a7cbf09409d13a6862f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/auditd.service',790,0,1596489275,0,0,131583,'76b9ad46d78cf6df3249b42dbfa7161a4cb693e3');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/mdmonitor.service',791,0,1596489275,0,0,131583,'03283d9c9e82f50a3889911eaabb9f74c3ac3cd0');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/cups.path',792,0,1596489275,0,0,131583,'dba2575b39ede1a6a5a8e254d1251819a0a2ec75');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/abrtd.service',793,0,1596489275,0,0,131583,'b7433afe71dbf45aa6043c4d7177433fb03182af');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/abrt-oops.service',794,0,1596489275,0,0,131583,'d44a49f05bbfec19c2cd86d9cc4acbaf475da41b');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/dnf-makecache.timer',795,0,1596489275,0,0,131583,'2e2456b8e436d4c853a022bf49b1accbd0460afc');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/abrt-xorg.service',796,0,1596489275,0,0,131583,'250062d232831eee503fe204a773ce758538185e');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/libvirtd.service',797,0,1596489275,0,0,131583,'fdbfaf330a52ae713d9f845db3e3f8392feecd81');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/vmtoolsd.service',798,0,1596489275,0,0,131583,'27cf60845be26d786b52498e6c87a396d67a78a6');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/sssd.service',799,0,1596489275,0,0,131583,'81653d32295a8eb30195566028510a29e469a53a');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/kdump.service',800,0,1596489275,0,0,131583,'929cce49d4c846d6f73fd6c6ec8e7016a587c1b0');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/abrt-vmcore.service',801,0,1596489275,0,0,131583,'bc1c83576e553e8c05eb5071479df2bb7f85ecae');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/rsyslog.service',802,0,1596489275,0,0,131583,'5c88112f9d20799eb0116a054d0c88350f6a3e2f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/nfs-client.target',803,0,1596489275,0,0,131583,'ba20544f806ef40537609bc479014c29d3048e3e');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/abrt-ccpp.service',804,0,1596489275,0,0,131583,'f9f287ae8babac48470485b9bacfd5d25d00aff1');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/tuned.service',805,0,1596489275,0,0,131583,'925375511efa1af41bffec60f7930d3825d06164');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/sshd.service',806,0,1596489275,0,0,131583,'566e71c043a4a319e5a06329afc851c067c21b40');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/vdo.service',807,0,1596489275,0,0,131583,'6d540f1c6895d8456d075121bec824fdd6f6b92e');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/firewalld.service',808,0,1596489275,0,0,131583,'d7e9d865b2e780f275ce2e0904397bfa628efebf');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/ModemManager.service',809,0,1596489275,0,0,131583,'908888c5466d71cc7a2a62fb56c8ba5df4f23dca');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/avahi-daemon.service',810,0,1596489275,0,0,131583,'d14a59593a3a073579ae8c92c9d5fd0569034e58');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/atd.service',811,0,1596489275,0,0,131583,'04fe18f2c657ab4fb8c8c401058d26f3f5ae5468');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/mcelog.service',812,0,1596489275,0,0,131583,'f0de77d02db4c11db7f05dc6b2c6e29dfa1219c8');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/smartd.service',813,0,1596489275,0,0,131583,'cda4389f32d41aff51d54e8c0795ffa7b2227d6c');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/irqbalance.service',814,0,1596489275,0,0,131583,'090c97177a76788ba0cf7fe83da764530b0e749e');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/wazuh-manager.service',815,0,1596489275,0,0,131583,'92b534adaad20ae46f396bd29d61a6ff30fa256c');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/netcf-transaction.service',816,0,1596489275,0,0,131583,'d9ddd3f6e65639bf9cf97531936dfadf8d22fed4');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/multi-user.target.wants/rhsmcertd.service',817,0,1596489275,0,0,131583,'600e302004632ee1a928bc265f4a58759c5a7f21');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/getty.target.wants/getty@tty1.service',818,0,1596489275,0,0,131583,'7f07d5019e16d544a1bc58b2994333ca461f6443');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service',819,0,1596489275,0,0,131583,'bc008c2417d178e840fa1b3ba3a15fb268ffb012');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service',820,0,1596489275,0,0,131583,'d5f94b0204f52e4c09827a030f342ac7768f211a');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/selinux-autorelabel-mark.service',821,0,1596489275,0,0,131583,'fb4d2d3e2ea6085b8d932e081b4d3ddb82d1fa8a');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/multipathd.service',822,0,1596489275,0,0,131583,'3cacd40ffa63c4b83a092024a2b58e8d90684378');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/lvm2-monitor.service',823,0,1596489275,0,0,131583,'feb51cf44a6d374cba2babf1f7c9d81a517ad0f5');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/lvm2-lvmpolld.socket',824,0,1596489275,0,0,131583,'b3468adea93628b176c224c0afc7b823beeb1e06');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/import-state.service',825,0,1596489275,0,0,131583,'72c33d71fa7b10798324fb9f0ad4b781474a2de1');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/loadmodules.service',826,0,1596489275,0,0,131583,'a90acc23db510eebcc34f1332596be56231e1533');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/iscsi.service',827,0,1596489275,0,0,131583,'ec781ac641d8f8f1cff9a3326eaf3161557e39d8');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/rngd.service',828,0,1596489275,0,0,131583,'01d58070327686060a04fc5ddbbb82471e6ad99a');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/nis-domainname.service',829,0,1596489275,0,0,131583,'30bfcca7cdde246517dc7a8b6d37e18065ba522f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sysinit.target.wants/iscsi-onboot.service',830,0,1596489275,0,0,131583,'9de92cde2bd2065c6fb16d2322a635fb32e6da43');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/graphical.target.wants/accounts-daemon.service',831,0,1596489275,0,0,131583,'48788d0f4394f9beeec9bbc07f6f58dd61be1873');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/graphical.target.wants/rtkit-daemon.service',832,0,1596489275,0,0,131583,'0d5c66d50c6565f55a267238033ebdc8cdddfa08');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/graphical.target.wants/udisks2.service',833,0,1596489275,0,0,131583,'ecd9b61904ef5152c6b9407ba88e7ed4c4824aa5');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.bluez.service',834,0,1596489275,0,0,131583,'ce4afa943f3cf8ea0972cdc22a12edaea0023300');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/bluetooth.target.wants/bluetooth.service',835,0,1596489275,0,0,131583,'eeda045cc042378d03fc21e13fb5d5fdb510235f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/multipathd.socket',836,0,1596489275,0,0,131583,'f477c5edbabe36aaee3dcecd9720d55a959e9e58');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/dm-event.socket',837,0,1596489275,0,0,131583,'6da3ad968571df60203929bcad506f0073247235');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/cups.socket',838,0,1596489275,0,0,131583,'fad19028dd74f1485e617158c4b62166ef883ca0');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/iscsiuio.socket',839,0,1596489275,0,0,131583,'ef521aa8270724e25a50c31f979447bd7310b8e3');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/iscsid.socket',840,0,1596489275,0,0,131583,'9c45f8b769ae49946284c42acefe4641dc6efaa7');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/virtlogd.socket',841,0,1596489275,0,0,131583,'637193274803052d3890b7122ca2e1472e7116b2');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/virtlockd.socket',842,0,1596489275,0,0,131583,'d382ab790d0fefdbdaa22f8a2d34538f197c5f21');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/sssd-kcm.socket',843,0,1596489275,0,0,131583,'46bf45bd9d23731aec0e1711c89e9a014411a0a8');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/avahi-daemon.socket',844,0,1596489275,0,0,131583,'8cb716176cfa9f5473660957b5499509497ce6ad');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/sockets.target.wants/rpcbind.socket',845,0,1596489275,0,0,131583,'3905d99ae5311fcc4ba1562094d542e2711dabee');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/timers.target.wants/unbound-anchor.timer',846,0,1596489275,0,0,131583,'161d6ffc0dcfb30aea1324e2b64598289cc7f3e4');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.freedesktop.timedate1.service',847,0,1596489275,0,0,131583,'085c4e64162e68c7bc1d281e3b899a441bdcc872');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/printer.target.wants/cups.service',848,0,1596489275,0,0,131583,'e9679baa99e7173c4b0882baf03e9c4eee29a8ef');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/vmtoolsd.service.requires/vgauthd.service',849,0,1596489275,0,0,131583,'90ed20c30b823a06706565d33922bcd82a38c5cc');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/display-manager.service',850,0,1596489275,0,0,131583,'19473d75686cb35682d72305a1c09a35bfba5997');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/nfs-server.service.requires/nfs-convert.service',851,0,1596489275,0,0,131583,'abdcdba4a86ae4fccc3df0068260201d7ab03f28');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/nfs-mountd.service.requires/nfs-convert.service',852,0,1596489275,0,0,131583,'0224efa2f3dfa13600496ee4679d73d5356294c0');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/nfs-idmapd.service.requires/nfs-convert.service',853,0,1596489275,0,0,131583,'f3b3c87699eaac883825ad8c0ae3c0acdec8b80f');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/nfs-blkmap.service.requires/nfs-convert.service',854,0,1596489275,0,0,131583,'f0482b813d4606009c25f2c055986a5e2e309e22');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/rpc-statd.service.requires/nfs-convert.service',855,0,1596489275,0,0,131583,'a47b369e21b86b2ecb20fe0cdde89789904f7d1c');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/rpc-gssd.service.requires/nfs-convert.service',856,0,1596489275,0,0,131583,'e2908801912641417b89425012aaa70e19fe5f9b');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/rpc-statd-notify.service.requires/nfs-convert.service',857,0,1596489275,0,0,131583,'dee952d50d5bf01ef80d5c2beaea51c187d72189');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/remote-fs.target.wants/nfs-client.target',858,0,1596489275,0,0,131583,'5d7916e0e8bbdbf591fe0234f7971128df71a892');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service',859,0,1596489275,0,0,131583,'410913526f20675f58c94f1e6ea05a7a357e40b1');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.freedesktop.ModemManager1.service',860,0,1596489275,0,0,131583,'5b37601414ce061418e022472b8d43b357502bb6');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.freedesktop.Avahi.service',861,0,1596489275,0,0,131583,'68e68db79ff7723c58d9ec947e0eb7c16476e945');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/basic.target.wants/microcode.service',862,0,1596489275,0,0,131583,'2d1b0dd8a48a1ca9f2dcb6a132efeb429212f9da');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/default.target',863,0,1596489275,0,0,131583,'ad8c963b8eb107ea75ee8abfe8ced580cc581e21');
+	INSERT INTO entry_path VALUES('/etc/systemd/system/dbus-org.freedesktop.resolve1.service',864,0,1596489275,0,0,131583,'32b0c01c1e02e458a0574f7cd83cb9d8dce3f6be');
+	INSERT INTO entry_path VALUES('/etc/systemd/system.conf',865,0,1596489275,0,0,131583,'259ceda5327cba08688b239a9f1c9e832bcdea27');
+	INSERT INTO entry_path VALUES('/etc/systemd/user/default.target.wants/pulseaudio.service',866,0,1596489275,0,0,131583,'f6b926ccb7ceb43184b9d656634b37c149184612');
+	INSERT INTO entry_path VALUES('/etc/systemd/user/sockets.target.wants/pulseaudio.socket',867,0,1596489275,0,0,131583,'c49683270cdc3ec0987baa84dc2423dfe044bb0d');
+	INSERT INTO entry_path VALUES('/etc/systemd/user/dbus-org.bluez.obex.service',868,0,1596489275,0,0,131583,'132048d38af8bf2345422cecdd063bc5d42594e8');
+	INSERT INTO entry_path VALUES('/etc/systemd/user.conf',869,0,1596489275,0,0,131583,'f52386cf1e3c10d271383e6b488dcf4e996cb0de');
+	INSERT INTO entry_path VALUES('/etc/subgid',870,0,1596489275,0,0,131583,'f435a605d6d4abf87b750e4dfe16a24127dc326a');
+	INSERT INTO entry_path VALUES('/etc/sysctl.d/99-sysctl.conf',871,0,1596489275,0,0,131583,'5d921e0a2e15b6a1f6897737b982817618a8cf37');
+	INSERT INTO entry_path VALUES('/etc/subuid',872,0,1596489275,0,0,131583,'ac1e97907e0fe73dafaa6c307e8f2b9697f386bb');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/redefine_filedir',873,0,1596489275,0,0,131583,'fb13101e3c3c4de227b09ba5f27ec6cc60637ebd');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/gluster',874,0,1596489275,0,0,131583,'0f44c99969560d130be3e8418585373a344a8812');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/lldpad',875,0,1596489275,0,0,131583,'3dc754dca916074b9aea05558a99be8743e3db3f');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/lldptool',876,0,1596489275,0,0,131583,'b5adda2f067c7a0c7e4a36ab1734d7efcd744c92');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/authselect-completion.sh',877,0,1596489275,0,0,131583,'0120a0238fa9e548051f7472569316d97f0863c0');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/fcoeadm',878,0,1596489275,0,0,131583,'fd21b9088c137a95868d543ddad9d0b03d9814d6');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/fcoemon',879,0,1596489275,0,0,131583,'a580daaba7a5465faad094508202cbabac827712');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/vdo',880,0,1596489275,0,0,131583,'7c29806c3029c0bb76be8eb8b1905e5d739a71b4');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/vdostats',881,0,1596489275,0,0,131583,'51314f9d339e446e4d11bc35dc9c6a1a2e9768f9');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/itweb-settings.bash',882,0,1596489275,0,0,131583,'e9c5395b83f9cd49a3ba064825294b2717858608');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/javaws.bash',883,0,1596489275,0,0,131583,'0112976f5f5cd2ffccd24273ef82cf04ed5c0524');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/policyeditor.bash',884,0,1596489275,0,0,131583,'8c75f08876f043f7f704ac00d6a5cc7fe9da5a36');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/bpftool',885,0,1596489275,0,0,131583,'62dc6547f5c926871c65f1511a04a7dba5ec9539');
+	INSERT INTO entry_path VALUES('/etc/bash_completion.d/iprconfig',886,0,1596489275,0,0,131583,'958b559985fde4b825bfbbd59c0873ba708e1c23');
+	INSERT INTO entry_path VALUES('/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json',887,0,1596489275,0,0,131583,'671b2c6669971e6710ff1661465a33d39b635741');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/ip6tables-config',888,0,1596489275,0,0,131583,'76d9013d9b8c5094fbdeaf31b1215300bf2d03fc');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/iptables-config',889,0,1596489275,0,0,131583,'63b1efbb900038f4030fdc08b647e7e7097ba505');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/ebtables-config',890,0,1596489275,0,0,131583,'5defe1bd335994a351cb56a3b8ac9afdc4d38529');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/nftables.conf',891,0,1596489275,0,0,131583,'0802e342c1e4529e755ddc49085dccd697a0c9d6');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/trace-cmd.conf',892,0,1596489275,0,0,131583,'2a0eebf1eef03267b80fdeae36089d49847f5ea3');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/network-scripts/ifcfg-ens33',893,0,1596489275,0,0,131583,'62e1cedf274c94375880bff4beb3ba34df2d63bb');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/samba',894,0,1596489275,0,0,131583,'7682394b52e854f00579150a5ab2775fee38859c');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/run-parts',895,0,1596489275,0,0,131583,'75fcbd825679bb192dd1400034f237a9646d28e0');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/crond',896,0,1596489275,0,0,131583,'ab9ef728008ecd1957be997935e8635922518c35');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/ksm',897,0,1596489275,0,0,131583,'e8c7c3ad5f12e2ad11eac60446bbff2c5364bb61');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/rpcbind',898,0,1596489275,0,0,131583,'d2f60326930c2a43aef24e7941de4717711e6a32');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/selinux',899,0,1596489275,0,0,131583,'58383589882c46a54627747fdd603ff35ce6b240');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/cbq/avpkt',900,0,1596489275,0,0,131583,'48175205e66de56e12acf47542211cb0edd91d61');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/cbq/cbq-0000.example',901,0,1596489275,0,0,131583,'163263b0044d926150cd1fcc06f114d98b2eefac');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/chronyd',902,0,1596489275,0,0,131583,'ececf9ea2393eff3fa9e51268cd2c7150468c71a');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/cpupower',903,0,1596489275,0,0,131583,'d2f713e2f556b0140a8cd63d12790384a5f76aa6');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/saslauthd',904,0,1596489275,0,0,131583,'ae4832007a0be85346b8270a80bfc874d285b546');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/raid-check',905,0,1596489275,0,0,131583,'bbcc7c2f50bfb0cbdb8cc127264e7dc12a6f146d');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/wpa_supplicant',906,0,1596489275,0,0,131583,'ba047d19ebb971146e7dff63cee3a9c55e89aa58');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/radvd',907,0,1596489275,0,0,131583,'3bfb043084f574e3d1d6d8689626bf994ff97179');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/grub',908,0,1596489275,0,0,131583,'8d110d5aa4657b95289ce3507631351c0d470bf2');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/rhn/up2date',909,0,1596489275,0,0,131583,'1318dde3d4eaade3e88cb0fc6fb70020d58442be');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/libvirtd',910,0,1596489275,0,0,131583,'3faf140e84a929b70a498f961d80a7ac8d512200');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/virtlockd',911,0,1596489275,0,0,131583,'6aace28c8c8d167fb281432d96690ebad058f617');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/virtlogd',912,0,1596489275,0,0,131583,'a91268218b59e7fa218daca022dc65f4ce496241');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/kdump',913,0,1596489275,0,0,131583,'f21525c3ec31cc074d170592aa706bc2614fc8fa');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/rsyslog',914,0,1596489275,0,0,131583,'907c544b4007c85ae9bb186681b60abe668d2211');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/sshd',915,0,1596489275,0,0,131583,'a3da7136a499e5661defdcae41928396a2e28be1');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/fcoe',916,0,1596489275,0,0,131583,'13caaa8e1fad0fc6a70428ce7ff978ba22a23042');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/firewalld',917,0,1596489275,0,0,131583,'67a8d8fcf4d67ced6370e96d99b0a612eb0ce8f6');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/atd',918,0,1596489275,0,0,131583,'61b84377a69cb5a3a4b7635b00c0ab0ddb96b6ad');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/autofs',919,0,1596489275,0,0,131583,'79ad98edbceaf87ce78fe587d416bef72ab1bfca');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/smartmontools',920,0,1596489275,0,0,131583,'45161fa719c0c31d3e15600ee52bb393d1db8f45');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/qemu-ga',921,0,1596489275,0,0,131583,'832db8dc102ac8f45c479ded7b35af10c61d9b74');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/irqbalance',922,0,1596489275,0,0,131583,'925800abbebc826bc7233479c6f6332413311be4');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/man-db',923,0,1596489275,0,0,131583,'ea5d9a2aea52d95c4ad2bf9c9a381035297e8e9f');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/kernel',924,0,1596489275,0,0,131583,'a75bd2ca0f5163c7bd65fd899f0a2ca71f09cc8b');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/authconfig',925,0,1596489275,0,0,131583,'4877cc102d74fdf50549f9edb899cff6352e8770');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/network',926,0,1596489275,0,0,131583,'df366a278a3af6b1ed81a0604ff531651f3e69cc');
+	INSERT INTO entry_path VALUES('/etc/sysconfig/anaconda',927,0,1596489275,0,0,131583,'1a647ee3a7f9710333cc31fc2a864a66eaf73e51');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/xdg-user-dirs.desktop',928,0,1596489275,0,0,131583,'4d62bc924b66fe9e200c4446d45b02727f5b9b8e');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gsettings-data-convert.desktop',929,0,1596489275,0,0,131583,'ced8307d92ce9ab010f127065fd3297a7f20a352');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/geoclue-demo-agent.desktop',930,0,1596489275,0,0,131583,'339f8eba3957159d39ac4d7675ae059d37257f85');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/at-spi-dbus-bus.desktop',931,0,1596489275,0,0,131583,'1ba36b2b2b5cdfa2dcc5319aeba08a40696d2916');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-keyring-pkcs11.desktop',932,0,1596489275,0,0,131583,'a85562206d8676f0564d82a1dc86ed0264f7f951');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-keyring-secrets.desktop',933,0,1596489275,0,0,131583,'e1d962108ac58ca1a82a98715554dc1adfc1b47d');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-keyring-ssh.desktop',934,0,1596489275,0,0,131583,'b5ce8a8e5255d130a19e6d0c7c4fdff2397c25e4');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/abrt-applet.desktop',935,0,1596489275,0,0,131583,'c2633d9a0f426861f66cfba68c8eba1bf6d86016');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/tracker-extract.desktop',936,0,1596489275,0,0,131583,'3368f3e8b207e77127f7352061190c3c4cc52425');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/tracker-miner-apps.desktop',937,0,1596489275,0,0,131583,'bca4b20d982bf61f4ce57423f462ffd842eb9bd4');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/tracker-miner-fs.desktop',938,0,1596489275,0,0,131583,'35160017558adc1537e76644994faefaf50185a2');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/tracker-store.desktop',939,0,1596489275,0,0,131583,'a58504405f2f1f834ed667b4a44bb3fff4372287');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.A11ySettings.desktop',940,0,1596489275,0,0,131583,'861922644abc4712b899dbc55d4a667f54f24b4d');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-software-service.desktop',941,0,1596489275,0,0,131583,'70535f6da18965a46a2458e2baffb115187d1028');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Account.desktop',942,0,1596489275,0,0,131583,'7f8128b6efda5216ed1d0dbb6cd1893051748874');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/vmware-user.desktop',943,0,1596489275,0,0,131583,'1974b1e9135d98d4b5dccebc3913bd9bd6e925fd');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Clipboard.desktop',944,0,1596489275,0,0,131583,'16142d1b2a04ba5ecfeabf54308159320b42f6a5');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/orca-autostart.desktop',945,0,1596489275,0,0,131583,'8b9d714dc700fea579cde65ea606b023fa7835df');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Color.desktop',946,0,1596489275,0,0,131583,'6e340464601f87cdfa058cb2c437d35351509f9e');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/user-dirs-update-gtk.desktop',947,0,1596489275,0,0,131583,'162da1e53b0f9eecc46c4e7f1e099c08cd4a008c');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Datetime.desktop',948,0,1596489275,0,0,131583,'fd8d43db93c55437dd1b45819f836300eb5568a7');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-initial-setup-first-login.desktop',949,0,1596489275,0,0,131583,'aace589c523488e98e9a6eff6ff0b8060bc03d87');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Housekeeping.desktop',950,0,1596489275,0,0,131583,'e7578546443303ef1bab5f340fd08b2e4d41f282');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/pulseaudio.desktop',951,0,1596489275,0,0,131583,'5849d5c473d5ae71962d5665b5c8cf09f5acc2e4');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Keyboard.desktop',952,0,1596489275,0,0,131583,'f610a513d99e67ecd15c17ff4d3ea4b386281782');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/spice-vdagent.desktop',953,0,1596489275,0,0,131583,'bb4c34589c8d3449d7c6df9f5c58fde5fa30d305');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.MediaKeys.desktop',954,0,1596489275,0,0,131583,'9ed96264feef77612a5111300236ee10cafb54d5');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Mouse.desktop',955,0,1596489275,0,0,131583,'da621bcf7e03dd55fb2c0c0ba00be832a9725f6c');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Power.desktop',956,0,1596489275,0,0,131583,'7b6878037baa8e1af27d7e259ba7c649516ba5e3');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-welcome-tour.desktop',957,0,1596489275,0,0,131583,'efb5e4298b88af1918a398164e83d1f67c7a3ee1');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.PrintNotifications.desktop',958,0,1596489275,0,0,131583,'553923c515426f5b53e63cb81e1e7da6c4463e1a');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Rfkill.desktop',959,0,1596489275,0,0,131583,'cc62aac2697b560e12e8587a52a7c08714122678');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.DiskUtilityNotify.desktop',960,0,1596489275,0,0,131583,'86404cabfc324cf730df25fd8f632a46ca6e3ce2');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.ScreensaverProxy.desktop',961,0,1596489275,0,0,131583,'5ae9f83e8897314fc9cf4f25c5518f89853ac5cc');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Sharing.desktop',962,0,1596489275,0,0,131583,'5f95f1540cbe2c91d570edc561a98d6d012f5f1d');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop',963,0,1596489275,0,0,131583,'7878bb624324d49ae38f1b37105016e5ce8e5e9d');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Sound.desktop',964,0,1596489275,0,0,131583,'40ed4a30c665ea0df7949b4c7946e21ec1ab4ec6');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.Wacom.desktop',965,0,1596489275,0,0,131583,'334473766576ff0c7f82583cab0bd5f5213737b9');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/org.gnome.SettingsDaemon.XSettings.desktop',966,0,1596489275,0,0,131583,'6711490e1b997fc849c595e82ea3b063fe5687cf');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-shell-overrides-migration.desktop',967,0,1596489275,0,0,131583,'d1e136a81966bf812373f0d92ee0aa3a93170e3b');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/liveinst-setup.desktop',968,0,1596489275,0,0,131583,'cf4afad5c74b709a9260e1e666f702b115e13151');
+	INSERT INTO entry_path VALUES('/etc/xdg/autostart/gnome-initial-setup-copy-worker.desktop',969,0,1596489275,0,0,131583,'1993775da0f3dafdca0ad15d763f428083905bbd');
+	INSERT INTO entry_path VALUES('/etc/xdg/menus/applications.menu',970,0,1596489275,0,0,131583,'a2e192df241ccd7e3e26dc154937d2336c612b6c');
+	INSERT INTO entry_path VALUES('/etc/xdg/menus/gnome-applications.menu',971,0,1596489275,0,0,131583,'f4d015db77de2b7eab1e8fe29c3a7ec82bb6a6a1');
+	INSERT INTO entry_path VALUES('/etc/xdg/user-dirs.conf',972,0,1596489275,0,0,131583,'d07d2826c3dd634d1be69d666014eb55d241d586');
+	INSERT INTO entry_path VALUES('/etc/xdg/user-dirs.defaults',973,0,1596489275,0,0,131583,'5c68f9b47cb634361c882c703e7388e472a335bc');
+	INSERT INTO entry_path VALUES('/etc/xdg/systemd/user',974,0,1596489275,0,0,131583,'4ad8b4d858fd913f7ab7e945493d7eacd6385568');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/dnf',975,0,1596489275,0,0,131583,'ccf86b8f5881dbfd5e84d7e997665399e0481595');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/samba',976,0,1596489275,0,0,131583,'83b477d72243b1a11cceec52dd465968f3ebf115');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/chrony',977,0,1596489275,0,0,131583,'86a7e0be22a93ffa5255d568d2dfb4bad4516dd2');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/numad',978,0,1596489275,0,0,131583,'993047c522dbd75ccbac61270d73f4052d52a7f4');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/wpa_supplicant',979,0,1596489275,0,0,131583,'c8c02cfa82ddca9aedc88f3fd00d32f7397ca3b6');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/cups',980,0,1596489275,0,0,131583,'78f8bd89b425e95ef3678c23b075979db3b592c2');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/iscsiuiolog',981,0,1596489275,0,0,131583,'d4c1824cf17cc7eba7243d18de38107c103b6177');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/up2date',982,0,1596489275,0,0,131583,'9893ceee28253aea8ecdad691b058f08e55ed401');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/libvirtd',983,0,1596489275,0,0,131583,'080d074077b7fca09a936d638b930073761b5e03');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/sssd',984,0,1596489275,0,0,131583,'b915735e30d60ce47d9a4d83315466f9c4fd3633');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/bootlog',985,0,1596489275,0,0,131583,'e0a4eda9759f910db3e1b1f70adf5a61b9ebcb78');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/btmp',986,0,1596489275,0,0,131583,'8d57d8c2742236ae205ce5cca951779b7a66ed96');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/wtmp',987,0,1596489275,0,0,131583,'9f8e5b348de8b5827ded685b0575b65614b8a1ff');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/syslog',988,0,1596489275,0,0,131583,'f476afcfb6568cf0bd6d6dd1f096ffab48892f92');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/libvirtd.qemu',989,0,1596489275,0,0,131583,'09c4f1ead5c70a225776308b6cbc016a8b64949b');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/glusterfs',990,0,1596489275,0,0,131583,'d537176a18f013e682741421a01c3f1a9cb2a49e');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/ppp',991,0,1596489275,0,0,131583,'80672010c64bafff438ad258a4da0cb4fb8738b1');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/psacct',992,0,1596489275,0,0,131583,'a69271db135f07375b7b589d96cb572262e0776f');
+	INSERT INTO entry_path VALUES('/etc/logrotate.d/subscription-manager',993,0,1596489275,0,0,131583,'e8908d79d3db9eb699dff92385ba4d64573095c8');
+	INSERT INTO entry_path VALUES('/etc/hp/hplip.conf',994,0,1596489275,0,0,131583,'7b2b49d92a61234f3f0095e28694d9333a68ccd1');
+	INSERT INTO entry_path VALUES('/etc/rhsm/syspurpose/valid_fields.json',995,0,1596489275,0,0,131583,'58b349490529da7a77546107cd004a3a5aeba816');
+	INSERT INTO entry_path VALUES('/etc/rhsm/syspurpose/syspurpose.json',996,0,1596489275,0,0,131583,'f9b3005c75c2b09fe6dc99af240ef1f8d543c4fd');
+	INSERT INTO entry_path VALUES('/etc/rhsm/logging.conf',997,0,1596489275,0,0,131583,'f210ec47344aef2fae0060a37667c7bbdd12d742');
+	INSERT INTO entry_path VALUES('/etc/rhsm/rhsm.conf',998,0,1596489275,0,0,131583,'cc8a43e870a0382747b0abdc46d58b43bbca2d92');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf',999,0,1596489275,0,0,131583,'433739a971871d9829a0d8bbaf1d1b5350828d3a');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf.d/kernel-4.18.0-147.el8.x86_64.conf',1000,0,1596489275,0,0,131583,'0459d61ac56d2df620990c4c003de9d5a717a22d');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf.d/libiscsi-x86_64.conf',1001,0,1596489275,0,0,131583,'ace31ee729c72e0df0767abcceda558dbb6d4072');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf.d/bind-export-x86_64.conf',1002,0,1596489275,0,0,131583,'4123244c5497171db0628ada435cae7fe0f93b88');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf.d/kernel-4.18.0-147.8.1.el8_1.x86_64.conf',1003,0,1596489275,0,0,131583,'da6bfd3d913bc18b865b3d677cf97f341e630526');
+	INSERT INTO entry_path VALUES('/etc/ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf',1004,0,1596489275,0,0,131583,'16a1bff4ee0f05d9b2bccc7891c59a8c72527a91');
+	INSERT INTO entry_path VALUES('/etc/grub.d/00_header',1005,0,1596489275,0,0,131583,'fd0e4dab40db1105d82ca07bf939e063cbd1ac87');
+	INSERT INTO entry_path VALUES('/etc/grub.d/01_menu_auto_hide',1006,0,1596489275,0,0,131583,'7db17c77f2cc147e8eca906d72e1a59edb114ab6');
+	INSERT INTO entry_path VALUES('/etc/grub.d/01_users',1007,0,1596489275,0,0,131583,'b802fa90d4745b24e3877a37e91841ff0fd35d0d');
+	INSERT INTO entry_path VALUES('/etc/grub.d/10_linux',1008,0,1596489275,0,0,131583,'5d3aa698c545a5cbb85c2bccfd8ad7fe8625fab5');
+	INSERT INTO entry_path VALUES('/etc/grub.d/20_linux_xen',1009,0,1596489275,0,0,131583,'1b8d437962edf9cbdb8e5427f14b8b37ce9bd359');
+	INSERT INTO entry_path VALUES('/etc/grub.d/20_ppc_terminfo',1010,0,1596489275,0,0,131583,'0c973ad065166fce8837d6aa50055d34ca598c56');
+	INSERT INTO entry_path VALUES('/etc/grub.d/30_os-prober',1011,0,1596489275,0,0,131583,'c72725c976ecde0e768b92524cff97ae0b1844ae');
+	INSERT INTO entry_path VALUES('/etc/grub.d/30_uefi-firmware',1012,0,1596489275,0,0,131583,'ce0a1f59d757ad636a4db4feac789a512ab05ee9');
+	INSERT INTO entry_path VALUES('/etc/grub.d/40_custom',1013,0,1596489275,0,0,131583,'7da1249a8e428b03979088b8040ce878bafe66c4');
+	INSERT INTO entry_path VALUES('/etc/grub.d/41_custom',1014,0,1596489275,0,0,131583,'3c8a48f55a4f4a88b99fb23c511c2f68233fc23b');
+	INSERT INTO entry_path VALUES('/etc/grub.d/README',1015,0,1596489275,0,0,131583,'8c9acb96018a3a0463bd1016653a3b56aca60c0a');
+	INSERT INTO entry_path VALUES('/etc/grub.d/00_tuned',1016,0,1596489275,0,0,131583,'c084ceba56cd7cd8ae90892ade76477b0ade3a34');
+	INSERT INTO entry_path VALUES('/etc/nsswitch.conf',1017,0,1596489275,0,0,131583,'6f0d480767db9de5fb3fcbdfc3368c7c021d7d71');
+	INSERT INTO entry_path VALUES('/etc/default/useradd',1018,0,1596489275,0,0,131583,'bff5ebf78b9ef8eb2957ca89dd21828429792eb2');
+	INSERT INTO entry_path VALUES('/etc/default/grub',1019,0,1596489275,0,0,131583,'630f3cd426fc64e4adc29ecaff245b996de7a114');
+	INSERT INTO entry_path VALUES('/etc/ssh/moduli',1020,0,1596489275,0,0,131583,'f7aa799a0d117aef32e64ca8db6fd26bc6961177');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_config',1021,0,1596489275,0,0,131583,'3dd5c9ec3a31a27ed89a42c00842c20bf92e8c5a');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_config.d/05-redhat.conf',1022,0,1596489275,0,0,131583,'600835af7313f3a493777da19c355984759e8323');
+	INSERT INTO entry_path VALUES('/etc/ssh/sshd_config',1023,0,1596489275,0,0,131583,'bf2b498ea13d1d3de22dbbe20025f6ff09c5208d');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_ecdsa_key',1024,0,1596489275,0,0,131583,'6a97fb4a3bb804223794c86c3d661a52fc9080a4');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_ecdsa_key.pub',1025,0,1596489275,0,0,131583,'31310c90bf53325bb2662fef31c5923f4b55fa74');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_ed25519_key',1026,0,1596489275,0,0,131583,'d8dae11b4198172642906d3313358f299c75fa51');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_ed25519_key.pub',1027,0,1596489275,0,0,131583,'96cd2f7cec873b479f9b576495559f871c8f1a96');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_rsa_key',1028,0,1596489275,0,0,131583,'8e1b03a9ca74a247b9084e75cb963f6d28741bf5');
+	INSERT INTO entry_path VALUES('/etc/ssh/ssh_host_rsa_key.pub',1029,0,1596489275,0,0,131583,'4d7a915e69459b58b32b372638b614d2c49872e5');
+	INSERT INTO entry_path VALUES('/etc/rpc',1030,0,1596489275,0,0,131583,'b799cd934c830d5ea433cff3ef7f83522c0c0aae');
+	INSERT INTO entry_path VALUES('/etc/ld.so.cache',1031,0,1596489275,0,0,131583,'f1fe7df6cade12e60977e8b2ef9e6723656a8d61');
+	INSERT INTO entry_path VALUES('/etc/gcrypt/random.conf',1032,0,1596489275,0,0,131583,'8a234b6232272ff776bae7a4d847f673db341396');
+	INSERT INTO entry_path VALUES('/etc/vimrc',1033,0,1596489275,0,0,131583,'f8a6830abe7db46db499e4313576e81f034977ff');
+	INSERT INTO entry_path VALUES('/etc/libaudit.conf',1034,0,1596489275,0,0,131583,'122862b95d9905e183bba3461aa6f2d25e6b099e');
+	INSERT INTO entry_path VALUES('/etc/libnl/classid',1035,0,1596489275,0,0,131583,'91685a9145bb909ef32ec0fcf396669072065ae2');
+	INSERT INTO entry_path VALUES('/etc/libnl/pktloc',1036,0,1596489275,0,0,131583,'e0efc68169bb21797756b6fe6020d1d36e2ffb06');
+	INSERT INTO entry_path VALUES('/etc/alternatives/libnssckbi.so.x86_64',1037,0,1596489275,0,0,131583,'0df17eada844dcc516f65e59ae1de12d1192c981');
+	INSERT INTO entry_path VALUES('/etc/alternatives/keytool',1038,0,1596489275,0,0,131583,'a78c0b5c221e4a2c42937a421967b931bfeb671b');
+	INSERT INTO entry_path VALUES('/etc/alternatives/servertool',1039,0,1596489275,0,0,131583,'c05232c68031cc989f66ee2767452e2463782884');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pack200.1.gz',1040,0,1596489275,0,0,131583,'0f49c20ad9ec230f5a253835a66b8fbf3885b0fe');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jre_1.8.0_openjdk',1041,0,1596489275,0,0,131583,'de0eb08840188ab4c302f2cd48ad06f2d611fded');
+	INSERT INTO entry_path VALUES('/etc/alternatives/python',1042,0,1596489275,0,0,131583,'79f16012fe9a66c12c5f43492a098ef00c7ff591');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ld',1043,0,1596489275,0,0,131583,'5f1d5a5bab26fa224f78504a389ccf7302a87457');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lp',1044,0,1596489275,0,0,131583,'587bb5fc3bff39c23c90f9d1b1664680c6823efa');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpstat',1045,0,1596489275,0,0,131583,'2b68cfbfa9c0b7c21463741cff90172db87ca0e1');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpman',1046,0,1596489275,0,0,131583,'78269a1cfb7a66152bd54b2102511263f61eaa45');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lprmman',1047,0,1596489275,0,0,131583,'de3f35d3e75e475ea0b8783e7547c04a75446e02');
+	INSERT INTO entry_path VALUES('/etc/alternatives/tnameserv',1048,0,1596489275,0,0,131583,'0068868f96091b9e529f5c7a5015131b4bf8ed27');
+	INSERT INTO entry_path VALUES('/etc/alternatives/rmid.1.gz',1049,0,1596489275,0,0,131583,'dd44fd91990aec0efe516de6e907d5d3ca1d4838');
+	INSERT INTO entry_path VALUES('/etc/alternatives/mkisofs',1050,0,1596489275,0,0,131583,'a733f287ab42146c4ad1597a8a75a9d55b83624e');
+	INSERT INTO entry_path VALUES('/etc/alternatives/mkisofs-mkisofsman',1051,0,1596489275,0,0,131583,'d4dfd8b83fbe0eed8a2315743351700a42e779cc');
+	INSERT INTO entry_path VALUES('/etc/alternatives/mkisofs-mkhybrid',1052,0,1596489275,0,0,131583,'3ad75cda5276123a39ec7d9c199145322ce57589');
+	INSERT INTO entry_path VALUES('/etc/alternatives/mkisofs-mkhybridman',1053,0,1596489275,0,0,131583,'de8171d788a7d6683320d1c915c68a35d300fbe4');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpcman',1054,0,1596489275,0,0,131583,'20c55ac294b60f5467f1664ce1d76180b40b58ba');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ifdown',1055,0,1596489275,0,0,131583,'906deeaee89c0bed346217c6e01ea6cae1e82b9b');
+	INSERT INTO entry_path VALUES('/etc/alternatives/xinputrc',1056,0,1596489275,0,0,131583,'6d31d0bb87861abd7a93663c7dcb29d42ba56896');
+	INSERT INTO entry_path VALUES('/etc/alternatives/cups_backend_smb',1057,0,1596489275,0,0,131583,'d263598a83b8487a67b1f2b5cf70862a0d111a78');
+	INSERT INTO entry_path VALUES('/etc/alternatives/java',1058,0,1596489275,0,0,131583,'cb784a1024d8e23aae3badf6047fc7a5cb4b03ae');
+	INSERT INTO entry_path VALUES('/etc/alternatives/orbd',1059,0,1596489275,0,0,131583,'e14370aba55a91429da4c23a7ee0ce8e034c0118');
+	INSERT INTO entry_path VALUES('/etc/alternatives/unpack200',1060,0,1596489275,0,0,131583,'5a345f0c5ed9780a89e92d0dd242ebcee4333c70');
+	INSERT INTO entry_path VALUES('/etc/alternatives/servertool.1.gz',1061,0,1596489275,0,0,131583,'16776d05ebe65e405921595b5d6eab437f035d9b');
+	INSERT INTO entry_path VALUES('/etc/alternatives/python3',1062,0,1596489275,0,0,131583,'3cc495c1f32fba444f17ad00a46fb6beb506d8d8');
+	INSERT INTO entry_path VALUES('/etc/alternatives/python3-man',1063,0,1596489275,0,0,131583,'725a90f5015f3b8678f488fd3639a69594554cda');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pip3',1064,0,1596489275,0,0,131583,'02ae5cb41656aa194c0b6c28ef6ee6fed1666f21');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pip-3',1065,0,1596489275,0,0,131583,'ebaf229074d7c8a2544ad6f37eac75ef1e58ab62');
+	INSERT INTO entry_path VALUES('/etc/alternatives/easy_install-3',1066,0,1596489275,0,0,131583,'889447401911c4599f583023dbb8be09b11185f5');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pydoc3',1067,0,1596489275,0,0,131583,'a3421c2fab885ce2e1b1a2d7b3e9070c50001942');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pydoc-3',1068,0,1596489275,0,0,131583,'eb088edad19ffac3023460c27f26ea5c5163f029');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pyvenv-3',1069,0,1596489275,0,0,131583,'536aa6d9c6750bc9c8b30f9a64823320f178cb31');
+	INSERT INTO entry_path VALUES('/etc/alternatives/nmap',1070,0,1596489275,0,0,131583,'552da8edd4f963fd3d61caa10ec4d70c563258fe');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ncman',1071,0,1596489275,0,0,131583,'81d3e1eb996f856438b2eedbe9a9bd8826046590');
+	INSERT INTO entry_path VALUES('/etc/alternatives/javaws.noarch',1072,0,1596489275,0,0,131583,'68140ad6ddd42664d18746ed59bbb463f56ed6a8');
+	INSERT INTO entry_path VALUES('/etc/alternatives/itweb-settings',1073,0,1596489275,0,0,131583,'b427f429702fd0de948e9c5ad24d61d32190e3ab');
+	INSERT INTO entry_path VALUES('/etc/alternatives/policyeditor',1074,0,1596489275,0,0,131583,'655c30b610b0309c986043e9a641e601bacd8d17');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ControlPanel',1075,0,1596489275,0,0,131583,'51df2e9b6563457669fdb900d123d3d525bae885');
+	INSERT INTO entry_path VALUES('/etc/alternatives/javaws.1.gz',1076,0,1596489275,0,0,131583,'f63dc2614c0d5f87880871cfceff91ec1695b214');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ControlPanel.1.gz',1077,0,1596489275,0,0,131583,'b0a4d44964dce0172573f0ec3289b6de2b409dac');
+	INSERT INTO entry_path VALUES('/etc/alternatives/pack200',1078,0,1596489275,0,0,131583,'95beca3a4292e2004c2b0e6d68e7200512cf3c23');
+	INSERT INTO entry_path VALUES('/etc/alternatives/java.1.gz',1079,0,1596489275,0,0,131583,'59cb8cbcbcd0220dc89e5b534ea39a470d1fc1a9');
+	INSERT INTO entry_path VALUES('/etc/alternatives/tnameserv.1.gz',1080,0,1596489275,0,0,131583,'37b9bf4c0a713e5e50f1868320e5ec71f448213c');
+	INSERT INTO entry_path VALUES('/etc/alternatives/unversioned-python-man',1081,0,1596489275,0,0,131583,'de936dad077990ae504d6eda0960bb1e3660e1e5');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print',1082,0,1596489275,0,0,131583,'eadacae57e2b3a7cf975f8dd24e6784c70834bcc');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpq',1083,0,1596489275,0,0,131583,'e39c0257bdf4b122f11dfbf06202dbc4a8cbdd7e');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpc',1084,0,1596489275,0,0,131583,'9ff2d46db40874e2bd4e5cc2e126f80998548795');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpqman',1085,0,1596489275,0,0,131583,'bbdb071070b2a9603c195ee3b13212e7304e2a5f');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lpstatman',1086,0,1596489275,0,0,131583,'699709fa35ff80f798d169d096067e3a11fb5807');
+	INSERT INTO entry_path VALUES('/etc/alternatives/cifs-idmap-plugin',1087,0,1596489275,0,0,131583,'f172883fa66e62affa77b4c4e19996fb40d2c179');
+	INSERT INTO entry_path VALUES('/etc/alternatives/policytool',1088,0,1596489275,0,0,131583,'9d583b78a534b749055705ac94b025f112383f11');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jjs.1.gz',1089,0,1596489275,0,0,131583,'d1654358c54b516449da3c0c3db5d819c1f9bd7d');
+	INSERT INTO entry_path VALUES('/etc/alternatives/policytool.1.gz',1090,0,1596489275,0,0,131583,'5a8388d00a2a21ad8446c72bf9e9a36d9c5952c9');
+	INSERT INTO entry_path VALUES('/etc/alternatives/rmiregistry.1.gz',1091,0,1596489275,0,0,131583,'cdc2861f3bade4ecd4989286b088ae7a27318fe1');
+	INSERT INTO entry_path VALUES('/etc/alternatives/unpack200.1.gz',1092,0,1596489275,0,0,131583,'e475b8b833bab5216f19b61e0cc52cbebf66e236');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jjs',1093,0,1596489275,0,0,131583,'2ccf481a316b1d30e8d21777839e2f2f21df7e24');
+	INSERT INTO entry_path VALUES('/etc/alternatives/rmid',1094,0,1596489275,0,0,131583,'afb7922b805c4993e061b6cb277c309458a68102');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jre',1095,0,1596489275,0,0,131583,'5f39d1117e26b1eb581a8b93a062935250d8faa5');
+	INSERT INTO entry_path VALUES('/etc/alternatives/orbd.1.gz',1096,0,1596489275,0,0,131583,'4b6d71711fedd122ce5db48526be9b4e97455208');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jre_1.8.0',1097,0,1596489275,0,0,131583,'ac8f1e6977b25875bcad4beeb1ce08bc533a991b');
+	INSERT INTO entry_path VALUES('/etc/alternatives/libwbclient.so.0.15-64',1098,0,1596489275,0,0,131583,'b5afb9ae32887b5ca5148ca944089072295e92a2');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-cancel',1099,0,1596489275,0,0,131583,'fe2508d0e879f321e97a3150827a1731d94e5efd');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lprm',1100,0,1596489275,0,0,131583,'7eb712fd1866359e967b693f76d52a84e4cddce6');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-cancelman',1101,0,1596489275,0,0,131583,'95f15baf5d94ebc15e6e9ce3112b8dffd1e95080');
+	INSERT INTO entry_path VALUES('/etc/alternatives/print-lprman',1102,0,1596489275,0,0,131583,'9cbb936688ff5c603b96e491909b1ec2deca10d8');
+	INSERT INTO entry_path VALUES('/etc/alternatives/ifup',1103,0,1596489275,0,0,131583,'837e0872086b41e88262a800820626fad3b6c024');
+	INSERT INTO entry_path VALUES('/etc/alternatives/rmiregistry',1104,0,1596489275,0,0,131583,'86b93243c8a00a7c771be50f2fe7a2c0aebd2347');
+	INSERT INTO entry_path VALUES('/etc/alternatives/keytool.1.gz',1105,0,1596489275,0,0,131583,'18581c8c0369101b169f074206c567eedabed612');
+	INSERT INTO entry_path VALUES('/etc/alternatives/jre_openjdk',1106,0,1596489275,0,0,131583,'0e61290caf5cc70b288ac87a906fad9c323a7129');
+	INSERT INTO entry_path VALUES('/etc/init.d',1107,0,1596489275,0,0,131583,'20ffa34a33c495ba617e9256f02660bb98fa946b');
+	INSERT INTO entry_path VALUES('/etc/rc.d/init.d/README',1108,0,1596489275,0,0,131583,'e83eee483f650f27dd43607570cdebcc0e299ef2');
+	INSERT INTO entry_path VALUES('/etc/rc.d/init.d/functions',1109,0,1596489275,0,0,131583,'65011f6e21c268e1c8f3844b96178281c27ea377');
+	INSERT INTO entry_path VALUES('/etc/rc.d/rc.local',1110,0,1596489275,0,0,131583,'ecd5e52c4ff3018265b12e0d3a9b59f7f4dfd70c');
+	INSERT INTO entry_path VALUES('/etc/machine-id',1111,0,1596489275,0,0,131583,'6bce4443b9ea3f4b1bf33791e3eeae966e226e1a');
+	INSERT INTO entry_path VALUES('/etc/rc0.d',1112,0,1596489275,0,0,131583,'901cecee18fedc03d08cd0e50dad151b9f94f5b5');
+	INSERT INTO entry_path VALUES('/etc/localtime',1113,0,1596489275,0,0,131583,'47a565c089c5048f880142f4367c5b4df6e046ba');
+	INSERT INTO entry_path VALUES('/etc/rc1.d',1114,0,1596489275,0,0,131583,'c148fa62c25948d0ac6cd5525c748652e793b7b5');
+	INSERT INTO entry_path VALUES('/etc/rc2.d',1115,0,1596489275,0,0,131583,'ec661e698ef07e52b9524e9eb25a71b760a60e63');
+	INSERT INTO entry_path VALUES('/etc/udev/rules.d/70-persistent-ipoib.rules',1116,0,1596489275,0,0,131583,'da61ed2749b7068ce631dbe776a2ab2cad4b4e70');
+	INSERT INTO entry_path VALUES('/etc/udev/udev.conf',1117,0,1596489275,0,0,131583,'ec7eef4ae1cad2b41833b01d2b9edefc78be2acb');
+	INSERT INTO entry_path VALUES('/etc/udev/hwdb.bin',1118,0,1596489275,0,0,131583,'0d73ed92ea24351ac659ea01f3b35fdc2350c5c9');
+	INSERT INTO entry_path VALUES('/etc/gdm/Init/Default',1119,0,1596489275,0,0,131583,'e8a7ab1b8f4dbdb3ea342bc8ebd769d5d9969876');
+	INSERT INTO entry_path VALUES('/etc/gdm/PostLogin/Default.sample',1120,0,1596489275,0,0,131583,'38caa1070072dee0a9a9c2afe1b5d9d623c78eab');
+	INSERT INTO entry_path VALUES('/etc/gdm/PostSession/Default',1121,0,1596489275,0,0,131583,'7cd003dd044ac2c41c4969e4428fd8d36191f362');
+	INSERT INTO entry_path VALUES('/etc/gdm/PreSession/Default',1122,0,1596489275,0,0,131583,'3eabb259a0ec8c9b9e96c0bac247266ec13481e8');
+	INSERT INTO entry_path VALUES('/etc/gdm/Xsession',1123,0,1596489275,0,0,131583,'1dcea753b1b17b3ee2c6e76b4d4e98b7ddef473b');
+	INSERT INTO entry_path VALUES('/etc/gdm/custom.conf',1124,0,1596489275,0,0,131583,'55a01b35b09f6c7aac09b2d9389dfda932214f5f');
+	INSERT INTO entry_path VALUES('/etc/rc3.d',1125,0,1596489275,0,0,131583,'c28626ef91fe1601e71fd22ab4aec36dd0ea6a63');
+	INSERT INTO entry_path VALUES('/etc/tcsd.conf',1126,0,1596489275,0,0,131583,'b2a51162bd3950b433556a8bec13df6e791c72f0');
+	INSERT INTO entry_path VALUES('/etc/rc4.d',1127,0,1596489275,0,0,131583,'a6ffbd8c0aed863c8bb35300417a4a05237b51c3');
+	INSERT INTO entry_path VALUES('/etc/asound.conf',1128,0,1596489275,0,0,131583,'2504cef89d2d30d3d0dcf5b5ec4e553c43cf8377');
+	INSERT INTO entry_path VALUES('/etc/rc5.d',1129,0,1596489275,0,0,131583,'ac5e379fce3550fcf1fc31b5f7d19072b1225485');
+	INSERT INTO entry_path VALUES('/etc/pulse/client.conf',1130,0,1596489275,0,0,131583,'e19fb88ba84b0ab71c804e1959e3ee5beaa278ac');
+	INSERT INTO entry_path VALUES('/etc/pulse/daemon.conf',1131,0,1596489275,0,0,131583,'04e15f712e02bd206ffeb0fc2e58fef4994abadc');
+	INSERT INTO entry_path VALUES('/etc/pulse/default.pa',1132,0,1596489275,0,0,131583,'f95c2fb106989e8c750709b0f56e7fd76ce06069');
+	INSERT INTO entry_path VALUES('/etc/pulse/system.pa',1133,0,1596489275,0,0,131583,'5f7bd44b3cbc7ab77ad806f2c677f0bd6f26d1a3');
+	INSERT INTO entry_path VALUES('/etc/rc6.d',1134,0,1596489275,0,0,131583,'3814f3dc33fc9e3155955ee9694d67d1c1108e2c');
+	INSERT INTO entry_path VALUES('/etc/abrt/abrt.conf',1135,0,1596489275,0,0,131583,'f7ead95c35890783c27e91625c95922dfce65842');
+	INSERT INTO entry_path VALUES('/etc/abrt/plugins/xorg.conf',1136,0,1596489275,0,0,131583,'f4bbbe192a8dea9de710e8a9f6cbc9238438c857');
+	INSERT INTO entry_path VALUES('/etc/abrt/plugins/oops.conf',1137,0,1596489275,0,0,131583,'2e3ee73789863ced5a01da5b927c65d8475428f1');
+	INSERT INTO entry_path VALUES('/etc/abrt/plugins/python3.conf',1138,0,1596489275,0,0,131583,'0f61fd757ca7b1ba83266c791189e3cfba884786');
+	INSERT INTO entry_path VALUES('/etc/abrt/plugins/vmcore.conf',1139,0,1596489275,0,0,131583,'dacc10856c7846c3b5b0084187c80ab4a69ff18f');
+	INSERT INTO entry_path VALUES('/etc/abrt/plugins/CCpp.conf',1140,0,1596489275,0,0,131583,'420dd29052a255e733063a8fbeeea51ed96858dd');
+	INSERT INTO entry_path VALUES('/etc/abrt/abrt-action-save-package-data.conf',1141,0,1596489275,0,0,131583,'7d835389b09da200c115665d8a64583f71ddaf03');
+	INSERT INTO entry_path VALUES('/etc/abrt/gpg_keys.conf',1142,0,1596489275,0,0,131583,'f615840ec8a35a5536218ea834f8f8558c5f9dc0');
+	INSERT INTO entry_path VALUES('/etc/yum/pluginconf.d',1143,0,1596489275,0,0,131583,'c4f4986a13f48eb891f8ded64277ff0c03096895');
+	INSERT INTO entry_path VALUES('/etc/yum/protected.d',1144,0,1596489275,0,0,131583,'0483ff1e617ff12937d52345355474aa4068e726');
+	INSERT INTO entry_path VALUES('/etc/yum/vars',1145,0,1596489275,0,0,131583,'1f69b03460e4cc28be31824f411a3157cea6c76d');
+	INSERT INTO entry_path VALUES('/etc/magic',1146,0,1596489275,0,0,131583,'f075326ec20804b0589f8c8e4671421450e1b05f');
+	INSERT INTO entry_path VALUES('/etc/fuse.conf',1147,0,1596489275,0,0,131583,'e7e32b93a5f7fcb3f6ffb9b392a209318795551a');
+	INSERT INTO entry_path VALUES('/etc/fcoe/cfg-ethx',1148,0,1596489275,0,0,131583,'cda83db7af4eaa817f9f740e2bc834240ba65738');
+	INSERT INTO entry_path VALUES('/etc/request-key.conf',1149,0,1596489275,0,0,131583,'f87bd98d51601bf581001aa025d5759b45d92cc0');
+	INSERT INTO entry_path VALUES('/etc/request-key.d/id_resolver.conf',1150,0,1596489275,0,0,131583,'fceee1cb074289c004b80835d41a4dfabcadc1fb');
+	INSERT INTO entry_path VALUES('/etc/request-key.d/cifs.idmap.conf',1151,0,1596489275,0,0,131583,'5753bfd01e961dd8dff323b7d455e0c61caaf616');
+	INSERT INTO entry_path VALUES('/etc/request-key.d/cifs.spnego.conf',1152,0,1596489275,0,0,131583,'ee3aadd6afa2a0ebfcc7e33b18b173664e447674');
+	INSERT INTO entry_path VALUES('/etc/sgml/docbook/xmlcatalog',1153,0,1596489275,0,0,131583,'00b3dabc09758952ebbd91a5c7e6aa7a93c644c7');
+	INSERT INTO entry_path VALUES('/etc/xml/catalog',1154,0,1596489275,0,0,131583,'e8b9990a5a366615e697b8dd5d6db5a30a96862b');
+	INSERT INTO entry_path VALUES('/etc/xml/mallard/catalog',1155,0,1596489275,0,0,131583,'015a9d19c36834b7597d21ac5954552092010821');
+	INSERT INTO entry_path VALUES('/etc/nftables/main.nft',1156,0,1596489275,0,0,131583,'8f59d7da468d0678a1b457726f4653751d154ab6');
+	INSERT INTO entry_path VALUES('/etc/nftables/nat.nft',1157,0,1596489275,0,0,131583,'23bd4501c476dbddac96dd1f77b59f847c65a4c2');
+	INSERT INTO entry_path VALUES('/etc/nftables/osf/pf.os',1158,0,1596489275,0,0,131583,'09e399524f38d43a6cf172551c35aeb75f04753c');
+	INSERT INTO entry_path VALUES('/etc/nftables/router.nft',1159,0,1596489275,0,0,131583,'0d8e707bcde98a1e5aa93291de1f314d59547a57');
+	INSERT INTO entry_path VALUES('/etc/groff/site-tmac/man.local',1160,0,1596489275,0,0,131583,'9a628942630226e7fcb13cb2180c9e77a7c072b2');
+	INSERT INTO entry_path VALUES('/etc/groff/site-tmac/mdoc.local',1161,0,1596489275,0,0,131583,'36b1653b6a9a3880a2c53de737427e577deda58e');
+	INSERT INTO entry_path VALUES('/etc/polkit-1/rules.d/50-default.rules',1162,0,1596489275,0,0,131583,'ee6cc35c9061096ccb81bd3e1833f378069ec025');
+	INSERT INTO entry_path VALUES('/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules',1163,0,1596489275,0,0,131583,'ad37203191761fde217babb367789b2a0325a95e');
+	INSERT INTO entry_path VALUES('/etc/virc',1164,0,1596489275,0,0,131583,'29ba4a6cd1f54109396e9971b1d2fa3974cbab61');
+	INSERT INTO entry_path VALUES('/etc/NetworkManager/NetworkManager.conf',1165,0,1596489275,0,0,131583,'5a82c04ab68bb2f8faaefa831662e3e07169ab52');
+	INSERT INTO entry_path VALUES('/etc/NetworkManager/dispatcher.d/20-chrony',1166,0,1596489275,0,0,131583,'9e387b650f30daf55e1f8529b88e9380bb08beef');
+	INSERT INTO entry_path VALUES('/etc/NetworkManager/dispatcher.d/04-iscsi',1167,0,1596489275,0,0,131583,'5953203d53c9dc2ca8e8a0a9ea1b7d0530b07f6d');
+	INSERT INTO entry_path VALUES('/etc/NetworkManager/dispatcher.d/11-dhclient',1168,0,1596489275,0,0,131583,'052f5e1575cb59c352f1b5016b4dfced33bcecf9');
+	INSERT INTO entry_path VALUES('/etc/DIR_COLORS',1169,0,1596489275,0,0,131583,'acd985b12ac3a56a7d36c37f1c7209b3afbfeffd');
+	INSERT INTO entry_path VALUES('/etc/sasl2/qemu-kvm.conf',1170,0,1596489275,0,0,131583,'942f4eba55d963cd934ef82b3cf52401df82247f');
+	INSERT INTO entry_path VALUES('/etc/sasl2/libvirt.conf',1171,0,1596489275,0,0,131583,'122a5cddb924e524acfff290fb036b2510920160');
+	INSERT INTO entry_path VALUES('/etc/ppp/chap-secrets',1172,0,1596489275,0,0,131583,'6c2b032dc990a47e2064fb225bd4e7d5ecf89bc2');
+	INSERT INTO entry_path VALUES('/etc/ppp/eaptls-client',1173,0,1596489275,0,0,131583,'fc905c5780e3d2c2f54effd710f8f6434f77df58');
+	INSERT INTO entry_path VALUES('/etc/ppp/eaptls-server',1174,0,1596489275,0,0,131583,'586185822a5eb876c80025704676100245068a39');
+	INSERT INTO entry_path VALUES('/etc/ppp/ip-down',1175,0,1596489275,0,0,131583,'8235fc2f66f935fa6cba5505b1482ab0bfe746a4');
+	INSERT INTO entry_path VALUES('/etc/ppp/ip-down.ipv6to4',1176,0,1596489275,0,0,131583,'df847f8e79b2c519e8b893590b7da03414ad4f52');
+	INSERT INTO entry_path VALUES('/etc/ppp/ip-up',1177,0,1596489275,0,0,131583,'c9f6a237a246b5818b774094bd99fc179e7222ea');
+	INSERT INTO entry_path VALUES('/etc/ppp/ip-up.ipv6to4',1178,0,1596489275,0,0,131583,'c07694ff79d0c9e1a48334d5dbda83c167995f25');
+	INSERT INTO entry_path VALUES('/etc/ppp/ipv6-down',1179,0,1596489275,0,0,131583,'e7d74b7aac625e8b6be400d3388ce5dd4d7711b4');
+	INSERT INTO entry_path VALUES('/etc/ppp/ipv6-up',1180,0,1596489275,0,0,131583,'3e9fd329a740e6203011ff0f4d4e6e5099b305ed');
+	INSERT INTO entry_path VALUES('/etc/ppp/options',1181,0,1596489275,0,0,131583,'ad481d869669f1de257371ecb05b71ebc070d226');
+	INSERT INTO entry_path VALUES('/etc/ppp/pap-secrets',1182,0,1596489275,0,0,131583,'7d1501d0950bb0f47486c99390bb6a33b19bd717');
+	INSERT INTO entry_path VALUES('/etc/DIR_COLORS.256color',1183,0,1596489275,0,0,131583,'cdf02bb8eafd8384ece838946d8f994010d855b8');
+	INSERT INTO entry_path VALUES('/etc/papersize',1184,0,1596489275,0,0,131583,'f958a9c4d2cdcde241d965d090f7aa858b3416f2');
+	INSERT INTO entry_path VALUES('/etc/favicon.png',1185,0,1596489275,0,0,131583,'192aa1dcfc018191b98c362a77bc4ea642bd1432');
+	INSERT INTO entry_path VALUES('/etc/DIR_COLORS.lightbgcolor',1186,0,1596489275,0,0,131583,'6b2c63179c9c4feb183f02ff74c50485bd1c353f');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/distro.d/locks/20-authselect',1187,0,1596489275,0,0,131583,'8262bfd27723e9338f264ed3cdca061b6e74d175');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/distro.d/20-authselect',1188,0,1596489275,0,0,131583,'b58254a033985fec98696d3698ee671b493dd6fa');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/ibus.d/00-upstream-settings',1189,0,1596489275,0,0,131583,'cd21907a3208cbe8a362be0b498d99cefc157d82');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/ibus',1190,0,1596489275,0,0,131583,'7f50affd1fd2163d9823ef268e3e19c385f4cc0a');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/site',1191,0,1596489275,0,0,131583,'c6b02e5166eb910a8708e695bb13b5c1cf78b64d');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/local',1192,0,1596489275,0,0,131583,'e5e575a90370f0a1f0fd275ac1d5e1aeb678070a');
+	INSERT INTO entry_path VALUES('/etc/dconf/db/distro',1193,0,1596489275,0,0,131583,'16a19b992567b32efc77586968e2bbd808964971');
+	INSERT INTO entry_path VALUES('/etc/dconf/profile/user',1194,0,1596489275,0,0,131583,'ce5661ff3f181f65229ec8ec9d592b1cca65ab73');
+	INSERT INTO entry_path VALUES('/etc/dconf/profile/ibus',1195,0,1596489275,0,0,131583,'73fe71027c326912c9a3d1d73350adf6ac037714');
+	INSERT INTO entry_path VALUES('/etc/mtools.conf',1196,0,1596489275,0,0,131583,'4d720a72d11752684834299843d68511f932ce43');
+	INSERT INTO entry_path VALUES('/etc/libssh/libssh_client.config',1197,0,1596489275,0,0,131583,'5cc441f47f8500ca1d846efef9142a98dff49fb8');
+	INSERT INTO entry_path VALUES('/etc/libssh/libssh_server.config',1198,0,1596489275,0,0,131583,'a4eb120ec4c8e93cfbed9ee2a975289b4f8c646d');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/session.conf',1199,0,1596489275,0,0,131583,'495051b08bc3c097aa364f769636ceb3e07dfae8');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.conf',1200,0,1596489275,0,0,131583,'7fced93e5e64774f56e56663297e592cb65a92bc');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf',1201,0,1596489275,0,0,131583,'e5a92966a4ef5eea2af935e8346537eaf1de8ca7');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/nm-dispatcher.conf',1202,0,1596489275,0,0,131583,'04a9d1d87c1fa3f3255723f6368b7477a528702a');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/nm-ifcfg-rh.conf',1203,0,1596489275,0,0,131583,'ca624c76b9f1105d5a8f436aa1c34e590ceb1a96');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf',1204,0,1596489275,0,0,131583,'bf46536cc5a6aaccbaf158d7d51df45d43a63f1c');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.gnome.GConf.Defaults.conf',1205,0,1596489275,0,0,131583,'ddf628bb46443cb68a233bc127726fc24328909c');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.Accounts.conf',1206,0,1596489275,0,0,131583,'ec1edf99ae08207c47852202af556023470e4c4a');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/bluetooth.conf',1207,0,1596489275,0,0,131583,'b553bd5829fbb5af1a1c740d14c90eff3261c551');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.UPower.conf',1208,0,1596489275,0,0,131583,'f96d523410bd8aea791534e34927d071c71bb6b1');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf',1209,0,1596489275,0,0,131583,'0c0875015e631204db219fb3101b77c66f429941');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.GeoClue2.conf',1210,0,1596489275,0,0,131583,'c8727b0227a641e6e9f01593a2707fb5359760fd');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf',1211,0,1596489275,0,0,131583,'e043fe0cba797e7d823aada18bfe6b0d95b10ca6');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/pulseaudio-system.conf',1212,0,1596489275,0,0,131583,'548b5a27cacb69daac5b657b0e4cd23b4b39ab0a');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf',1213,0,1596489275,0,0,131583,'40f41b7e3f9d70a73af4d6d6bc1044ac9863b46b');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/net.hadess.SwitcherooControl.conf',1214,0,1596489275,0,0,131583,'9a4b0539dc18a25631e332ba5c623fb4a61659dd');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/teamd.conf',1215,0,1596489275,0,0,131583,'cb8dbd001871122f70cc4458b15e8bfc0d26cc84');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.opensuse.CupsPkHelper.Mechanism.conf',1216,0,1596489275,0,0,131583,'2f4e5b184f5d0c6c7dd72b8bcf91d0ac1bffbdfc');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.selinux.conf',1217,0,1596489275,0,0,131583,'be9be25a6e0e0054ff0108eb587888f50253955f');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/net.hadess.SensorProxy.conf',1218,0,1596489275,0,0,131583,'a29282cc3066006a36967db120b11b52c57cb159');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.SubscriptionManager.conf',1219,0,1596489275,0,0,131583,'efcb7362b4f678ac2cda8a17fa0a5aaf7a1a1838');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.NewPrinterNotification.conf',1220,0,1596489275,0,0,131583,'e9d18e1dd5f1fe510c74e16efea1c9bccac3d2cd');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.PrinterDriversInstaller.conf',1221,0,1596489275,0,0,131583,'6295e8ef4a10064c13567327654cb8322734d7da');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/blivet.conf',1222,0,1596489275,0,0,131583,'0a9d77d3894120b7043fece8b586adecb959e3c0');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf',1223,0,1596489275,0,0,131583,'18c49cc73597e96022228d1acc6342c05759a167');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf',1224,0,1596489275,0,0,131583,'21ee6a7b67cf822186e3c500956f8133503d7ee8');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/wpa_supplicant.conf',1225,0,1596489275,0,0,131583,'492b28ac09ee9f4037095303fe50da1aa0fd139a');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/dnsmasq.conf',1226,0,1596489275,0,0,131583,'3e8dc2f051f74ceb32c523190a0fc711abb767ae');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/oddjob.conf',1227,0,1596489275,0,0,131583,'d13c41fadb0579f85ae6a4832c54d6143900ab61');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/oddjob-mkhomedir.conf',1228,0,1596489275,0,0,131583,'8fd91710f5abc2f4607e974a98a7c837964b5841');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/cups.conf',1229,0,1596489275,0,0,131583,'60116cdb98f3c265b6eae303c4d62fc5069e781f');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.fwupd.conf',1230,0,1596489275,0,0,131583,'e2fb54bf1cc14bdca495193502fc798389bc9c17');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/dbus-abrt.conf',1231,0,1596489275,0,0,131583,'b379994d0ce6a8369a17413f7256c9aad4716f89');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.problems.daemon.conf',1232,0,1596489275,0,0,131583,'0c60e7ad0a27680ef5c1113615abe4b392583ac6');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.realmd.conf',1233,0,1596489275,0,0,131583,'32b7a7e4267fbc71fd3df0c2894e9a0a3f77be86');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf',1234,0,1596489275,0,0,131583,'05367c5689133972a78e345ded3361d35e6bcf5f');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/gdm.conf',1235,0,1596489275,0,0,131583,'1f1a4e713c8a65d50ae344b440a1d2b99105c044');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.tuned.conf',1236,0,1596489275,0,0,131583,'08364246a36799b1579e821ea3717137b0ce9368');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/org.freedesktop.ModemManager1.conf',1237,0,1596489275,0,0,131583,'c6d26a90d6471904912bfd325fd10dfd7b36e4f6');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/avahi-dbus.conf',1238,0,1596489275,0,0,131583,'01f3f651f756e89b5ed4ffdecb00e7da2e1470ca');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.RHSM1.Facts.conf',1239,0,1596489275,0,0,131583,'79ac148383b9999ce30428460a71543924db1430');
+	INSERT INTO entry_path VALUES('/etc/dbus-1/system.d/com.redhat.RHSM1.conf',1240,0,1596489275,0,0,131583,'a2e82aec76f56ed39b0557ab37e05b82be4e3cf7');
+	INSERT INTO entry_path VALUES('/etc/samba/lmhosts',1241,0,1596489275,0,0,131583,'fa33a18903be87a06f394ba3b6fc69eeead5b39b');
+	INSERT INTO entry_path VALUES('/etc/samba/smb.conf',1242,0,1596489275,0,0,131583,'892d00b25184dbf641ecfd3d05f2f3997256314d');
+	INSERT INTO entry_path VALUES('/etc/samba/smb.conf.example',1243,0,1596489275,0,0,131583,'5d9b95af98e7e9c242eee176273a35e61a3e0256');
+	INSERT INTO entry_path VALUES('/etc/sudoers',1244,0,1596489275,0,0,131583,'a153b783e0ffa627f8d36ae3a70907de7be924a9');
+	INSERT INTO entry_path VALUES('/etc/bindresvport.blacklist',1245,0,1596489275,0,0,131583,'6a6dc2058418c2ad13f114a06027d13226216572');
+	INSERT INTO entry_path VALUES('/etc/nanorc',1246,0,1596489275,0,0,131583,'b51d577b439239aa9bbd2a76f9848c122a83f2b3');
+	INSERT INTO entry_path VALUES('/etc/sestatus.conf',1247,0,1596489275,0,0,131583,'789101493d91c852ce328c9dba8a674cf2a87491');
+	INSERT INTO entry_path VALUES('/etc/gconf/2/path',1248,0,1596489275,0,0,131583,'b9d53372752fc2fd257d91f483c340b4e2100fac');
+	INSERT INTO entry_path VALUES('/etc/bluetooth/main.conf',1249,0,1596489275,0,0,131583,'7e0aa0296db655841be5bbec6fc5107c6baac5b7');
+	INSERT INTO entry_path VALUES('/etc/UPower/UPower.conf',1250,0,1596489275,0,0,131583,'ce241c6d271f365ccbcfcca2505bce51ea87f98e');
+	INSERT INTO entry_path VALUES('/etc/geoclue/geoclue.conf',1251,0,1596489275,0,0,131583,'43fbd6475103b9fa80da4a6f571ccea2c428dc8e');
+	INSERT INTO entry_path VALUES('/etc/pbm2ppa.conf',1252,0,1596489275,0,0,131583,'c301b7d0d4727c234f7e335891db557a6e39204a');
+	INSERT INTO entry_path VALUES('/etc/libuser.conf',1253,0,1596489275,0,0,131583,'ea79d4129769a1a66cfe71af0b3e8ffa3b9eee0f');
+	INSERT INTO entry_path VALUES('/etc/libblockdev/conf.d/00-default.cfg',1254,0,1596489275,0,0,131583,'e874c2a16cc767149ea3f631fe95a990d8c759d1');
+	INSERT INTO entry_path VALUES('/etc/PackageKit/PackageKit.conf',1255,0,1596489275,0,0,131583,'cf9991c3fbd3b57a5c16eda4ebf0df26a67550d5');
+	INSERT INTO entry_path VALUES('/etc/PackageKit/Vendor.conf',1256,0,1596489275,0,0,131583,'80af73452b037d819f3a8f6a1c1be2dc994b19b6');
+	INSERT INTO entry_path VALUES('/etc/PackageKit/CommandNotFound.conf',1257,0,1596489275,0,0,131583,'c77ff43ae808fb791ea66a06069acfa783142051');
+	INSERT INTO entry_path VALUES('/etc/cron.daily/logrotate',1258,0,1596489275,0,0,131583,'c6ac4e893bd0a00a3ff0f465196a4a35f72ebf43');
+	INSERT INTO entry_path VALUES('/etc/cron.daily/rhsmd',1259,0,1596489275,0,0,131583,'cd42493ba83d5be6279323bb1534d0be25c42d95');
+	INSERT INTO entry_path VALUES('/etc/cron.hourly/0anacron',1260,0,1596489275,0,0,131583,'8b4903ab05f8d857bcd645886bd211c1447a47f7');
+	INSERT INTO entry_path VALUES('/etc/crontab',1261,0,1596489275,0,0,131583,'d5df0810c2b6b4cb2ed81d2f3c740b5a405e6567');
+	INSERT INTO entry_path VALUES('/etc/cron.d/0hourly',1262,0,1596489275,0,0,131583,'2c537faf78ceadd33af5bcdf43cfc8d48fe0d3b8');
+	INSERT INTO entry_path VALUES('/etc/cron.d/raid-check',1263,0,1596489275,0,0,131583,'282ee20d2590c177fece7a7a63eb3fd1b6455a2f');
+	INSERT INTO entry_path VALUES('/etc/cron.deny',1264,0,1596489275,0,0,131583,'39bb12bcb5cd8f2b277f0a9c5b9e8514b855b459');
+	INSERT INTO entry_path VALUES('/etc/subgid-',1265,0,1596489275,0,0,131583,'cd05d5de2f0a85d71ffb3252d3cb4f4375333376');
+	INSERT INTO entry_path VALUES('/etc/anacrontab',1266,0,1596489275,0,0,131583,'7893bfd727f41fee7ee3b47641f0770e070d45d2');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/bnxt_re.driver',1267,0,1596489275,0,0,131583,'5784a0c602010a1d9ee6e2c8747f48a850f55f99');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/cxgb4.driver',1268,0,1596489275,0,0,131583,'d136d422f19e2238879ae2df7ce195620a57260b');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/hfi1verbs.driver',1269,0,1596489275,0,0,131583,'d70b506a28180c31cc0ef734462d9ad473ce43b4');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/hns.driver',1270,0,1596489275,0,0,131583,'d98dd9cab8015c905d75282f6a6b78838cc01051');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/i40iw.driver',1271,0,1596489275,0,0,131583,'9ba9d0e95e4ac2c28d02eafb3a210d2b33431c4b');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/mlx4.driver',1272,0,1596489275,0,0,131583,'b23168f52babe49114a9234c2ce325bb93de08f7');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/mlx5.driver',1273,0,1596489275,0,0,131583,'3adde589c7fb49a1afd0ac7fd9484e5da2997a06');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/qedr.driver',1274,0,1596489275,0,0,131583,'1f64023f28984246d6b944530baf6a9198c6790a');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/rxe.driver',1275,0,1596489275,0,0,131583,'36a0602aa0475f57e4d30dff3dc6e6ac85a9f909');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/vmw_pvrdma.driver',1276,0,1596489275,0,0,131583,'8a8dc443b955ef6bc7114588e890f879fcaf1345');
+	INSERT INTO entry_path VALUES('/etc/libibverbs.d/siw.driver',1277,0,1596489275,0,0,131583,'a5a30583e16d59fdf7af92b74e9ef0f9a72ae1fd');
+	INSERT INTO entry_path VALUES('/etc/pnm2ppa.conf',1278,0,1596489275,0,0,131583,'9958d147c76cc6caf487d6a58ac9d6d35fc25c48');
+	INSERT INTO entry_path VALUES('/etc/ksmtuned.conf',1279,0,1596489275,0,0,131583,'59b513db008763ff9275306957bc9214f67c18fb');
+	INSERT INTO entry_path VALUES('/etc/qemu-kvm/bridge.conf',1280,0,1596489275,0,0,131583,'8cab05077094b2216043413426b6cfd4b8a2c30e');
+	INSERT INTO entry_path VALUES('/etc/idmapd.conf',1281,0,1596489275,0,0,131583,'46b094fd8e5352114301e7d11d5fac9a727dabff');
+	INSERT INTO entry_path VALUES('/etc/ndctl/keys/keys.readme',1282,0,1596489275,0,0,131583,'2e03290e712304ae1dd12a01a04c9a50bc7dd72d');
+	INSERT INTO entry_path VALUES('/etc/ndctl/monitor.conf',1283,0,1596489275,0,0,131583,'a145259e14f36f70545f68ee1e4e09876548f3e2');
+	INSERT INTO entry_path VALUES('/etc/mailcap',1284,0,1596489275,0,0,131583,'8790e83d71f0b1c01d55d6ce62c0ae8554da5e66');
+	INSERT INTO entry_path VALUES('/etc/trusted-key.key',1285,0,1596489275,0,0,131583,'5539cd6e1646db9cdff3129af07fce34c3a57f22');
+	INSERT INTO entry_path VALUES('/etc/gssproxy/99-nfs-client.conf',1286,0,1596489275,0,0,131583,'5878db2fd98ed9be4a3b026e216251677db3230a');
+	INSERT INTO entry_path VALUES('/etc/gssproxy/gssproxy.conf',1287,0,1596489275,0,0,131583,'4ba8c6f5a88b5d680124bd480c3731808e977936');
+	INSERT INTO entry_path VALUES('/etc/gssproxy/24-nfs-server.conf',1288,0,1596489275,0,0,131583,'84ab4de4901bc4ed168554403f9e120c1437a191');
+	INSERT INTO entry_path VALUES('/etc/unbound/icannbundle.pem',1289,0,1596489275,0,0,131583,'01f126335e6b447a7a7a108fa2e5c1af10d82c1d');
+	INSERT INTO entry_path VALUES('/etc/unbound/root.key',1290,0,1596489275,0,0,131583,'e8d774b12ff11b962e81d3a3f6a114e12c382723');
+	INSERT INTO entry_path VALUES('/etc/chrony.conf',1291,0,1596489275,0,0,131583,'c709e8a280c480bb73758bb3e9fba7a7c4963747');
+	INSERT INTO entry_path VALUES('/etc/chrony.keys',1292,0,1596489275,0,0,131583,'730805ad49e7bc6000982485c26c5678e13d54b9');
+	INSERT INTO entry_path VALUES('/etc/mime.types',1293,0,1596489275,0,0,131583,'fd903c38e5976568d79303e983a19e883d78a29c');
+	INSERT INTO entry_path VALUES('/etc/fprintd.conf',1294,0,1596489275,0,0,131583,'27f7a0295790752b9821d296379d400052f69664');
+	INSERT INTO entry_path VALUES('/etc/brlapi.key',1295,0,1596489275,0,0,131583,'68b0f34440fbf539d2b8bda8f9b5bbbfd3c2bc55');
+	INSERT INTO entry_path VALUES('/etc/brltty/Attributes/invleft_right.atb',1296,0,1596489275,0,0,131583,'829c369d27594408a4064d01760908ca060dbe37');
+	INSERT INTO entry_path VALUES('/etc/brltty/Attributes/left_right.atb',1297,0,1596489275,0,0,131583,'c0f64834fa1ca51ebc249d2cdd9521e79d738f99');
+	INSERT INTO entry_path VALUES('/etc/brltty/Attributes/upper_lower.atb',1298,0,1596489275,0,0,131583,'28fbd4bac25fdde9de2bb3cdd23f5d57a8152988');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/af.ctb',1299,0,1596489275,0,0,131583,'8d9a457632dd4cbf9285523c011cc65ea2e23881');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/am.ctb',1300,0,1596489275,0,0,131583,'320b9cb935defe3cf0dd12f5b11ac56d0f7946e5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/countries.cti',1301,0,1596489275,0,0,131583,'44046fac94292ef1e695221c4c15cb042f1ad710');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/de-basis.ctb',1302,0,1596489275,0,0,131583,'47e1ced1e98aad978c4ca9b8a2b5cee0806b8661');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/de-kurzschrift.ctb',1303,0,1596489275,0,0,131583,'db40884fb2dea7e6d634035029b138823054496d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/de-vollschrift.ctb',1304,0,1596489275,0,0,131583,'12f0770287b30ae2a412255c782ac97e7603a5a9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/en-ueb-g2.ctb',1305,0,1596489275,0,0,131583,'0333fd90cb711f9171530cbf3ed5c09d61c488cb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/en-us-g2.ctb',1306,0,1596489275,0,0,131583,'ec6aac692121772671f1cf9bef8e2f963511a5df');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/es.ctb',1307,0,1596489275,0,0,131583,'cbebb4cd1430369347c71161fcf55439e320d890');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/fr-abrege.ctb',1308,0,1596489275,0,0,131583,'6bc9a343e2e7ee29142359b15c05d71ecdfb105b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/fr-integral.ctb',1309,0,1596489275,0,0,131583,'eab348474d35a603d3e717091cc5c60587b20282');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ha.ctb',1310,0,1596489275,0,0,131583,'eb57db4bc79f173ec75bbf577c043610bf37cb15');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/id.ctb',1311,0,1596489275,0,0,131583,'170b40959590c361a2506f50d585d0466e4e4899');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ipa.ctb',1312,0,1596489275,0,0,131583,'101286be264ebf91844a7e571b657c1162929d93');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ja.ctb',1313,0,1596489275,0,0,131583,'6b5af6f1cc755c302c4d8ae49a5dd92b817b200d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ko-g1.ctb',1314,0,1596489275,0,0,131583,'342aa0a3fa6f0e0f2a10b28b927d217320a8b67c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ko-g2.ctb',1315,0,1596489275,0,0,131583,'ea164182f19d62d3b71e807f35f3421507fb80c2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ko.ctb',1316,0,1596489275,0,0,131583,'8f9d314b5e4fd1cb009f91554d4122d0f390912f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/latex-access.ctb',1317,0,1596489275,0,0,131583,'b937ed60617a5d04ed8933258b3df1ca6943a071');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/letters-latin.cti',1318,0,1596489275,0,0,131583,'58e3b1bf5750f8da53d501bd3ebf6f37c4a1cbf1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/lt.ctb',1319,0,1596489275,0,0,131583,'fda990e58d7813dd651e09ab875cd0aa7680be48');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/mg.ctb',1320,0,1596489275,0,0,131583,'e3734f29513ccd912a24ead0f813024082eede23');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/mun.ctb',1321,0,1596489275,0,0,131583,'242d6eb53a4e7f098d7ca2e8663dc2f9a4c6d2c6');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/nabcc.cti',1322,0,1596489275,0,0,131583,'c69d42b881ec53b40ba55f88c6b7f78bd2803c04');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/nl.ctb',1323,0,1596489275,0,0,131583,'825fa5b6e02bf15f5695efad25b7a99a8f488f4d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/ny.ctb',1324,0,1596489275,0,0,131583,'f1eee20ca0268132da3c50623da7c161b8628282');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/pt.ctb',1325,0,1596489275,0,0,131583,'80aecb101df7a0933347818165b0aeefc7de01f8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/si.ctb',1326,0,1596489275,0,0,131583,'72dc246b8b26ce5784cf57b64c6aa87dd1642c61');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/spaces.cti',1327,0,1596489275,0,0,131583,'6da5c345a8d85cc002d137491c3b148013d9e7b4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/sw.ctb',1328,0,1596489275,0,0,131583,'bf7ddb2a65cf0924c09b75bb176be08192e9f63d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/th.ctb',1329,0,1596489275,0,0,131583,'03aa6dc9f27cd6b6eb4e5132566e1353b91bca86');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/zh-tw-ucb.ctb',1330,0,1596489275,0,0,131583,'e78c86c16efde79f30dd55e6ae0a35fbde864551');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/zh-tw.ctb',1331,0,1596489275,0,0,131583,'582504ba780211e78c005257d0e5405d09645b6b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Contraction/zu.ctb',1332,0,1596489275,0,0,131583,'c04d5ad75052f3554f4619fd0fcb3005014de149');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/abt_basic.kti',1333,0,1596489275,0,0,131583,'00c6780bb0cb0bd50fa169fb3d877c885f5ab2ac');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/abt_extra.kti',1334,0,1596489275,0,0,131583,'da8618474b4dcf00aa244c3771aa3d5e137afd6f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/abt_large.ktb',1335,0,1596489275,0,0,131583,'b18d3c2385884ad894f197dc08039a030ac62474');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/abt_small.ktb',1336,0,1596489275,0,0,131583,'2dc2af3daffcdaa0d2729932c89c1091b6b916e5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc-etouch.kti',1337,0,1596489275,0,0,131583,'0304f7a5c7d49e6b4290406531c1546dc73868e7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc-smartpad.kti',1338,0,1596489275,0,0,131583,'7362dde9e3c003b65e2dfda7a6917771822da327');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc-thumb.kti',1339,0,1596489275,0,0,131583,'1859647e954eacf682b5b7ae40b4c2de4619c80c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc.kti',1340,0,1596489275,0,0,131583,'840c8d0383f2f2a00c64abfff953526be67f4417');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc640.ktb',1341,0,1596489275,0,0,131583,'0cfa139760b364c8f8328a87be1b95b6fe97ddf1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/bc680.ktb',1342,0,1596489275,0,0,131583,'967f7d7719c6d50fdcd810309e314f5f38050484');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/el.ktb',1343,0,1596489275,0,0,131583,'28e6457cf1787b9131f881ce743f97613da554fb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/sat_basic.kti',1344,0,1596489275,0,0,131583,'5b6ce747d4663c9e1986bb702cefd0f54166375a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/sat_extra.kti',1345,0,1596489275,0,0,131583,'467c1b892ca4dfee276f63fb5c679db0a0f723d8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/sat_large.ktb',1346,0,1596489275,0,0,131583,'e0dce92d90256d543ca43fcf280fd09797d9a836');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/sat_small.ktb',1347,0,1596489275,0,0,131583,'d956b659555d4c3f607d64772857668dd30ef039');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/al/voyager.ktb',1348,0,1596489275,0,0,131583,'e95a66881630f3060347e7416cd1e122293d03e7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/at/all.ktb',1349,0,1596489275,0,0,131583,'6d8059e8077d7cd148828fb3400373333db5de83');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ba/all.txt',1350,0,1596489275,0,0,131583,'9d4ac9f79529fe76b1d058038d1fb5fd1809a432');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bd/all.txt',1351,0,1596489275,0,0,131583,'aae9f46f140515c33ae1e59346ca42eb3026f3ea');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bg/all.ktb',1352,0,1596489275,0,0,131583,'d6b1a98920c4d08013c06b41b5be54d95103f3e7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bl/18.txt',1353,0,1596489275,0,0,131583,'a78ac08c989a65fc0f33303dae07ba6c699f1274');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bl/40_m20_m40.txt',1354,0,1596489275,0,0,131583,'ff5f9321dfcb827df8bbe30d11ca337502ce3d4e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/b9b10.kti',1355,0,1596489275,0,0,131583,'d5bd18bb8e34f9c994c269f0204cd231eae0fe58');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/b9b11b10.kti',1356,0,1596489275,0,0,131583,'8a18949fb98df5f5d923356b801813ce71ec186f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/command.kti',1357,0,1596489275,0,0,131583,'4f5c3c448331f19cba210ce36ec49989a3fdd341');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/connect.ktb',1358,0,1596489275,0,0,131583,'177afbee962c0a79b84d2f4cec32accb03b4058e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/conny.ktb',1359,0,1596489275,0,0,131583,'039a3b23e965ff40232095ac1585ed7af0f8d7e6');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/d6.kti',1360,0,1596489275,0,0,131583,'3b1fc4670cf619c7720021f78c986f0f07aefd54');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/default.ktb',1361,0,1596489275,0,0,131583,'9c1e073279e3087f1378cf21df1e7baac27ac82d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/display6.kti',1362,0,1596489275,0,0,131583,'d8347e1186a6fae77220c9837631bb7f66d3863d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/display7.kti',1363,0,1596489275,0,0,131583,'51bbbde5f3e9a5fafca64b5fcb0c14083eab845c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/dm80p.ktb',1364,0,1596489275,0,0,131583,'560b7036aea4c582eb2f55a8e059589d40ac18e1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/front10.kti',1365,0,1596489275,0,0,131583,'d3a4fddbd99432bcedd4e0bec881bbbbf966d7bb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/front6.kti',1366,0,1596489275,0,0,131583,'aa5df201439a08ca77a8783bc7e5d9333e8bc5b7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/horizontal.kti',1367,0,1596489275,0,0,131583,'efe88978cdc40779ffe24773ea3ccff6830d938a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/inka.ktb',1368,0,1596489275,0,0,131583,'1f9f44ca5dcd305c5b72ece6f8ba1918382d8b2b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/keyboard.kti',1369,0,1596489275,0,0,131583,'84f2f5bb1d2dc440fb076b803d4649e32c653fe1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/orbit.ktb',1370,0,1596489275,0,0,131583,'4e330e152bf9990e433b8f38c21efd0f65ce8c30');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/pro.ktb',1371,0,1596489275,0,0,131583,'63b98722a32010dbdf18e8742ae4969d3f2b2f40');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/pronto.ktb',1372,0,1596489275,0,0,131583,'e59a003d14df82f4dec24e06be71762c0ee28130');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/pv.ktb',1373,0,1596489275,0,0,131583,'3f46c16c35b5f749b089d335be98c31433c2b6f4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/rb.ktb',1374,0,1596489275,0,0,131583,'4996dd26efcaf80a04bdddcbf8aa042f9126818d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/routing.kti',1375,0,1596489275,0,0,131583,'2f0e931fa999919515c6576fa61593af411fd49f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/routing6.kti',1376,0,1596489275,0,0,131583,'490724811c0b5853021a78de3e0812e73d568995');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/routing7.kti',1377,0,1596489275,0,0,131583,'a53e597c9d1896dcb1876ce840bd487a08d76923');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/status.kti',1378,0,1596489275,0,0,131583,'b4bbfab10e1afdfee9f15658784690dc86bd3f32');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/sv.ktb',1379,0,1596489275,0,0,131583,'ee92d4b05d2863156d4b518e82b01a0258491a76');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/ultra.ktb',1380,0,1596489275,0,0,131583,'893fa25c9dcd459342d6b5c736792832b8ff5e16');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/v40.ktb',1381,0,1596489275,0,0,131583,'046738c6ab067ec33b0c739d077b99f8d65d5981');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/v80.ktb',1382,0,1596489275,0,0,131583,'60b253d0f6c517f9d04f85a470a152dfee9848bf');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/vertical.kti',1383,0,1596489275,0,0,131583,'829a1593dcea65eb43def85a9123a68b61384ef9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/vk.ktb',1384,0,1596489275,0,0,131583,'4ef1b377971ca5b3da221d85e6d4e72466a95ca0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bm/wheels.kti',1385,0,1596489275,0,0,131583,'a3a6e0c80c161dcde57db7aaec873e1e6943872e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bn/all.ktb',1386,0,1596489275,0,0,131583,'d689fe850cd678aec41625c7bdd8e66dbd32444f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bn/input.kti',1387,0,1596489275,0,0,131583,'74a637be76b274b1c18044ac0953209bd17cfb0d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/bp/all.kti',1388,0,1596489275,0,0,131583,'d928d3e1db8078bdda1db3dcd767ecaa24c5913e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/cb/all.ktb',1389,0,1596489275,0,0,131583,'d9bd424bb2a124667ea27480bd4ad633d03f2e1c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ce/all.ktb',1390,0,1596489275,0,0,131583,'04c31e85757d6e94835fd94b073947f0f915a0d5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ce/novem.ktb',1391,0,1596489275,0,0,131583,'700586955ee3283df64fc206f70b288112f4d4d4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/chords.kti',1392,0,1596489275,0,0,131583,'0b3dede5b75eb2e8c9890ff401d2d6bba9ba0cb1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ec/all.txt',1393,0,1596489275,0,0,131583,'4e022b927f400686287f2b8018d92dcb369b3c7f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ec/spanish.txt',1394,0,1596489275,0,0,131583,'bbed09ebf3c0433cb7aa2faa56b2ca2d41c17a03');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/all.txt',1395,0,1596489275,0,0,131583,'ff3cee5648956cb4a34f93948a9034b8da934b31');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/braille.kti',1396,0,1596489275,0,0,131583,'37980ada45f63f41dec42a1532b49c161665e90c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/clio.ktb',1397,0,1596489275,0,0,131583,'81984c0ef502e5515b3124de3fdfaceccabcb5ef');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/common.kti',1398,0,1596489275,0,0,131583,'5ee94468aafd62e292c43259d90836e3b6d6e65d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/esys_large.ktb',1399,0,1596489275,0,0,131583,'b19580efb08fa7d27024c98f74ccfee9289f75cc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/esys_medium.ktb',1400,0,1596489275,0,0,131583,'67d6ed21a673da8d7d08fb074cc5e4d1d2ede62c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/esys_small.ktb',1401,0,1596489275,0,0,131583,'3e4ae701711e7bb09547303ef8742fa6421f35ef');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/esytime.ktb',1402,0,1596489275,0,0,131583,'27d43c76624c4e12a7f0738ca2322a32bae2cb10');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/iris.ktb',1403,0,1596489275,0,0,131583,'4396c7264eefbcea338f75e0590045cbf74cb2d1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/joysticks.kti',1404,0,1596489275,0,0,131583,'5da5a9f29cadd36e23470779dde194c5d2a30b2d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/routing.kti',1405,0,1596489275,0,0,131583,'6a8cb8e3c7faa14b9c04f01c84f3d4b805f43e9e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/sw12.kti',1406,0,1596489275,0,0,131583,'e6022c4ecc6515048a2dc6115c91d8ed309e5d9c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/sw34.kti',1407,0,1596489275,0,0,131583,'22c3eccc6ff7ea383dda449dd01c21b33399d670');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/eu/sw56.kti',1408,0,1596489275,0,0,131583,'e2a4b88947110a6f8820c9ea505a07d2cc3dfef7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/bumpers.kti',1409,0,1596489275,0,0,131583,'937dd9eb99a6dd590c1a16ab702efdbbf97ea80b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/common.kti',1410,0,1596489275,0,0,131583,'d8579d80627180a8da45a15c2fd6a1ee7e9f3e4a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/focus_basic.ktb',1411,0,1596489275,0,0,131583,'875be0a17f39a2a9a1ab1f5ed0c487371b455d9f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/focus_basic.kti',1412,0,1596489275,0,0,131583,'2a407bcec0931a1741c90787f1f2c5da5a9c715e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/focus_large.ktb',1413,0,1596489275,0,0,131583,'3826c74c675e5089b7895bad2f8f4c22bdd32a10');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/focus_small.ktb',1414,0,1596489275,0,0,131583,'924760cd901d20979b5febe73c267f1c5e0f8933');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/pacmate.ktb',1415,0,1596489275,0,0,131583,'bb3214c4a7949d1cde17f828b99cd561230320fd');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/fs/rockers.kti',1416,0,1596489275,0,0,131583,'b2eb62393246b59c8221cf1dfdcc5356fbb3391d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hd/mbl.ktb',1417,0,1596489275,0,0,131583,'c71fa58b291d99a6c152e309cf90ebea62fe25dc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hd/pfl.ktb',1418,0,1596489275,0,0,131583,'a5925cf700f14a08e7d77c3a967fdead3f04a087');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/beetle.ktb',1419,0,1596489275,0,0,131583,'4e2bd0244044e98aaa0663408fa4bb914528b18f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/braille.kti',1420,0,1596489275,0,0,131583,'8bf10992e86bb5dc8448e0df66d2b84563630fdd');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/common.kti',1421,0,1596489275,0,0,131583,'1cbe091854e23e8ef08c2c1d96becaabfb356819');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/contexts.kti',1422,0,1596489275,0,0,131583,'9aaee7fcdad02f4c7e86c3d7fa82069f9a681d2f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/edge.ktb',1423,0,1596489275,0,0,131583,'38a26a1d07a2ea7ed0b0099cf5de34e4ac8c9a89');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/f14.kti',1424,0,1596489275,0,0,131583,'b12614791893d29a7ce6d626ddf2ba1db81fec3d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/f18.kti',1425,0,1596489275,0,0,131583,'e324bf998d51348c327ebfc3f7152384d27e4089');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/fnkey.kti',1426,0,1596489275,0,0,131583,'8fa523b6adafd8ac79548cdca73db168052dd4dc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/left.kti',1427,0,1596489275,0,0,131583,'87f6afc47d645bb5284408cfaf9fd48c7a1e29e9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/letters.kti',1428,0,1596489275,0,0,131583,'f440984e44a5b887e12f43d9b88a7ab06454c5fe');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/pan.ktb',1429,0,1596489275,0,0,131583,'99436fdcfb3b959746484531ae8453eb5c256dfc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/pan.kti',1430,0,1596489275,0,0,131583,'1f9a756eec6b2995cbda32fb5b9b5c38771dcf39');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/qwerty.ktb',1431,0,1596489275,0,0,131583,'73d94d0fb89459ccbd5e26f77effa41e5aedf42c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/qwerty.kti',1432,0,1596489275,0,0,131583,'225f6c9f43fb09a66af0f7184cc49f3d6c253d66');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/right.kti',1433,0,1596489275,0,0,131583,'4b750ac1b0c13207639d73caab0eff1e4c5a1264');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/scroll.ktb',1434,0,1596489275,0,0,131583,'19635d73783a4957c788afc6f24ba42a2950763e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/scroll.kti',1435,0,1596489275,0,0,131583,'fe146593c72c89e3bc331984f2a2925c47eeb97d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hm/sync.ktb',1436,0,1596489275,0,0,131583,'355d20c4a8c8d006fe15184ef4e48716e6bfcd98');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/ab40.ktb',1437,0,1596489275,0,0,131583,'74638eb70f04f93a8bc63484b6cc58f0b6a1c731');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/alo.ktb',1438,0,1596489275,0,0,131583,'c2941226823142dbe92d7ebfc36f838abce75908');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/as40.ktb',1439,0,1596489275,0,0,131583,'b8a72b83674f22fbc632e1276b0508e0f0a77617');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/bb.ktb',1440,0,1596489275,0,0,131583,'192f1b38a0c3001c281728f29d70ab3764121342');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/bkwm.ktb',1441,0,1596489275,0,0,131583,'bc76f40f5fe1f1024c9a1ea5ba7e3cf869e53fd9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/brln.ktb',1442,0,1596489275,0,0,131583,'924c86e947a39211dd0e873516e31ec615afcc02');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/bs.kti',1443,0,1596489275,0,0,131583,'6bfcf6cb9293ec234ea89f6de1094efe2cb4e5a7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/bs40.ktb',1444,0,1596489275,0,0,131583,'a0ef9e9e87ce6a5c755e0184ca5144a8d8c8ef26');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/bs80.ktb',1445,0,1596489275,0,0,131583,'788de5befc65f285eab33c1f1fad670754c57e91');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/cb40.ktb',1446,0,1596489275,0,0,131583,'80f10276c3dc9b11f64e6d54c2e43142fe295f21');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/dots.kti',1447,0,1596489275,0,0,131583,'edc0bafc963738923fc3536434e0047c3fba42de');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/easy.ktb',1448,0,1596489275,0,0,131583,'1689b1b160e4cc7da60c6b490d245f238342533d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/input.kti',1449,0,1596489275,0,0,131583,'d093857cfadeb384a2ac599cdb119124cc19b131');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/joystick.kti',1450,0,1596489275,0,0,131583,'25781e4536ed843ba9d8a241129f303550f33870');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/keypad.kti',1451,0,1596489275,0,0,131583,'f85a8618ee08dd3f41775ec0b7fbbc31ef84d8f9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/mc88.ktb',1452,0,1596489275,0,0,131583,'ec0921b40231d9f27a41f8ebbc1cc8f7590e0d05');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/mdlr.ktb',1453,0,1596489275,0,0,131583,'9bcac6501aff8453be4b8d9edb22268eba066631');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/me.kti',1454,0,1596489275,0,0,131583,'2f69c47ef3f726c521215aaaeaf936420fc8283f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/me64.ktb',1455,0,1596489275,0,0,131583,'10ea5b30212df36a454af4a1aba9452d82965732');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/me88.ktb',1456,0,1596489275,0,0,131583,'cf9eae6eba0bac67370c94a74842bcc1ba67eadc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/rockers.kti',1457,0,1596489275,0,0,131583,'687758cffdcc213020242d596d48ccc58cd75f50');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ht/wave.ktb',1458,0,1596489275,0,0,131583,'93e00788d7bd5404ff45554cdd7ed5448d2503fb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/B80.ktb',1459,0,1596489275,0,0,131583,'1f4f6f7d10a37640b4d9ab083685323a18756a14');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/BI14.ktb',1460,0,1596489275,0,0,131583,'2ec23e100b48f5c1292d48d62a542f0bb06a411e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/BI32.ktb',1461,0,1596489275,0,0,131583,'41df847606f861b90ca666b140331038d4761e32');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/BI40.ktb',1462,0,1596489275,0,0,131583,'ef7f3c6b9ca0d36738715686ccfebe4a0f02ed94');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/braille.kti',1463,0,1596489275,0,0,131583,'53bed4c4c5037d7e116c62d064a03e3646860418');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/command.kti',1464,0,1596489275,0,0,131583,'fd16ff06e008bbd4d978ceee981159b6bf22858e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/joystick.kti',1465,0,1596489275,0,0,131583,'6bc29f16583f55d6d46208ca332b9ba5954fc3ef');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/thumb.kti',1466,0,1596489275,0,0,131583,'d5ba04a6e4d9c04f13a9e7bd2928e7229bdbee78');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/hw/touch.ktb',1467,0,1596489275,0,0,131583,'35c503c4af971dd42d7aaa8241f77c26c9fc34cc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ic/all.ktb',1468,0,1596489275,0,0,131583,'8058809dfe07b1c633dfe1b1a6c11c4aff7bda1a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ir/all.kti',1469,0,1596489275,0,0,131583,'efc3bf401b9cdbaba8e01c6fddf57218f8728fde');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ir/brl.ktb',1470,0,1596489275,0,0,131583,'037f947f6676d55db906d171fae76c0ffcbcf72d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ir/pc.ktb',1471,0,1596489275,0,0,131583,'c6757dee16cf42cf3b44039ecc4b3c2a0ea42d64');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/lb/all.txt',1472,0,1596489275,0,0,131583,'4a12cb8335453670bdcb41ff23aafb3635dd7a95');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/lt/all.txt',1473,0,1596489275,0,0,131583,'604aab090919d1b9fc987411a2f68ad0573bdc2b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mb/all.txt',1474,0,1596489275,0,0,131583,'899784119e87b5fcb781b74c69a7d3ec82f20e75');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/common.kti',1475,0,1596489275,0,0,131583,'6337893286e65ea9c8b10f9380babe1dc881d62f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/default.ktb',1476,0,1596489275,0,0,131583,'112f0600cdabe1da0c33c7fb02356134736b96f2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/fk.ktb',1477,0,1596489275,0,0,131583,'441cf35912c8dcf83783d49a00dcdee21370b06e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/fk_s.ktb',1478,0,1596489275,0,0,131583,'c7fd870324d7756067f39957788bd2177c69220b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/fkeys.kti',1479,0,1596489275,0,0,131583,'1898ae9f5e33c3a5b5d57b4117c2bf7736231cc8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/kbd.ktb',1480,0,1596489275,0,0,131583,'8ecf5dabe46cadf64a773cc717e04d4b0a537b0f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/keyboard.kti',1481,0,1596489275,0,0,131583,'ee4b6578d5ac742464b4f0a9b3a69be8e2596de2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/md/status.kti',1482,0,1596489275,0,0,131583,'aa23111587deb80fc74d5dd568c221dba7355984');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/menu.kti',1483,0,1596489275,0,0,131583,'358183675b4ad6e4ead3b4cf44819d1de3c38c93');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mm/common.kti',1484,0,1596489275,0,0,131583,'ed1bb1b7ccf7fab54a06e94ab012d6b7c4ee2743');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mm/pocket.ktb',1485,0,1596489275,0,0,131583,'a134b4a8edcfe9152eee990e6ed4b91ad0fffb55');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mm/smart.ktb',1486,0,1596489275,0,0,131583,'9d064b97b2c26e37a522b1c0bf108c0854e50a36');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mn/all.txt',1487,0,1596489275,0,0,131583,'8efc770ae965fca59b8b17c9f0622fbfbb75753b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_3.ktb',1488,0,1596489275,0,0,131583,'d713fcaeb49de1f07fff62332ac37fadc6cdfe68');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_3.kti',1489,0,1596489275,0,0,131583,'e237934440286904672e829af848534dfc39d181');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_3s.ktb',1490,0,1596489275,0,0,131583,'49fab3d30c595edfa24c90f665cdcf31d1b442bd');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_6.ktb',1491,0,1596489275,0,0,131583,'137aa7465d4683304e1881b638ee1079fafedecf');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_6.kti',1492,0,1596489275,0,0,131583,'8fd84ded911b378d9ce1381ae6d01681ebc39544');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd1_6s.ktb',1493,0,1596489275,0,0,131583,'78bcf28c0c1c9d585840e1177bb475c42fcf7682');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/bd2.ktb',1494,0,1596489275,0,0,131583,'51325a97b6d230e362db3eae6afb25a659b3d924');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/mt/status.kti',1495,0,1596489275,0,0,131583,'5dcbd04c6ad415808cbc472e88fbaf75930f55fd');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/np/all.ktb',1496,0,1596489275,0,0,131583,'d61a202a04a098e57e58ef4c2337d3b6b9cd234c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pg/all.ktb',1497,0,1596489275,0,0,131583,'8c44785f24e6f8a05fe96991aad049378fe26acf');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/2d_l.ktb',1498,0,1596489275,0,0,131583,'b405c08766f685ce590ec10a33383f62eef57292');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/2d_s.ktb',1499,0,1596489275,0,0,131583,'d32f7c39954693e0afa5b11c43a1f0f4bdd3549b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/bar.kti',1500,0,1596489275,0,0,131583,'365892bff3b678ed493b55f2606f1a2276dcb26c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/c.ktb',1501,0,1596489275,0,0,131583,'80f44731d032f2a279d44527d294bc17196dd6d5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/c_486.ktb',1502,0,1596489275,0,0,131583,'bb4e599a96efe9eaf3a0741367f0b5d96333b04c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el2d_80s.ktb',1503,0,1596489275,0,0,131583,'73d9cc47171e73f35faba842bdf9c0bae7fbf7e6');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el40c.ktb',1504,0,1596489275,0,0,131583,'e1f34ee1bf094ce707d981ba2cb4874aa7a6c82b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el40s.ktb',1505,0,1596489275,0,0,131583,'b73d15d59a4ebfcad530cb601152b2917101bca4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el60c.ktb',1506,0,1596489275,0,0,131583,'3fd74edf19046397349ed86d7632ebe6aceeb940');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el66s.ktb',1507,0,1596489275,0,0,131583,'37fd7a378089114355534d064573dc3f03130c3c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el70s.ktb',1508,0,1596489275,0,0,131583,'0861a034f7dc68932418c45b2f45b98cb71139e3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el80_ii.ktb',1509,0,1596489275,0,0,131583,'84e1931daec6011f64a4a1e8075179cc3c5b0dfe');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el80c.ktb',1510,0,1596489275,0,0,131583,'bb9326c5c1d556cea6380465cf63888d8020ab95');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el80s.ktb',1511,0,1596489275,0,0,131583,'46f8527adcfd6e9bfe35da9c04e09652897f8bdc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el_2d_40.ktb',1512,0,1596489275,0,0,131583,'376fcbb49a8ea659bdcec0a725b3f9deea7ed857');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el_2d_66.ktb',1513,0,1596489275,0,0,131583,'77016cadc9d2b85285aa17361f18bc7c3a29e62f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el_2d_80.ktb',1514,0,1596489275,0,0,131583,'d7289e993f9f412b8e14819bfb5da2ad720b1e17');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el_40_p.ktb',1515,0,1596489275,0,0,131583,'d19c8ded01118955b7bd37abad139f4c95fe8a10');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/el_80.ktb',1516,0,1596489275,0,0,131583,'a7b709f4bdc463adce345e9f2f3dc80ffbad5a9d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/elb_tr_20.ktb',1517,0,1596489275,0,0,131583,'45f9676a8585276a1fa59acc73fbf38f58f23a87');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/elb_tr_32.ktb',1518,0,1596489275,0,0,131583,'481a7b22a294fe7594728b315f12bad76da3b5d4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/elba_20.ktb',1519,0,1596489275,0,0,131583,'54dbadb5c2c92c7afe4d1f5bf455770a41488e21');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/elba_32.ktb',1520,0,1596489275,0,0,131583,'78fcd216f566d0c88ab6a38f75ccfbd752446e70');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/front13.kti',1521,0,1596489275,0,0,131583,'373e5418c8586aba3cf2ac9e5ff7feb9d6b485d4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/front9.kti',1522,0,1596489275,0,0,131583,'f6b554d089073e580edee61ffd2172233883a7be');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/ib_80.ktb',1523,0,1596489275,0,0,131583,'8520a46bb9039493a17e8b85f32572a82e8d8633');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/keyboard.kti',1524,0,1596489275,0,0,131583,'d4237c9063201e691979755c78a006ee34146c35');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/keys.kti',1525,0,1596489275,0,0,131583,'ca570a8d4a54d70d09b9ece4efae77a82c2636f4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/live.ktb',1526,0,1596489275,0,0,131583,'7c4d354dee7f5faaa1b1dee330c29afbdd8bf65a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/routing.kti',1527,0,1596489275,0,0,131583,'56e395a70714156120beddd8558d18f79e88dba3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status0.kti',1528,0,1596489275,0,0,131583,'576871d70713cb01eaeb76fb9762bedaf94ff1f1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status13.kti',1529,0,1596489275,0,0,131583,'444e022944940264aa776555510c39e8a8454b63');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status2.kti',1530,0,1596489275,0,0,131583,'7db1a7521b823db3a95ae535e71163e5d5eb5833');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status20.kti',1531,0,1596489275,0,0,131583,'4885281b7c575ab30f7a1b5d8f789b1cb2e82bc4');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status22.kti',1532,0,1596489275,0,0,131583,'6fb66f379b20b1e865c4877242c9417e6f77c897');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/status4.kti',1533,0,1596489275,0,0,131583,'ce9a7ec0c8a626baf99c374678dd020b6d9dc5c3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/switches.kti',1534,0,1596489275,0,0,131583,'9a66349282928535264f1082b68e82df6a16714f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/pm/trio.ktb',1535,0,1596489275,0,0,131583,'903a2f62dda44fa9a2d325c33aa460ada0aac2ac');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/sk/bdp.ktb',1536,0,1596489275,0,0,131583,'7677b15f624107fe1a94b0b5c9d7ba6bce5fa1b2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/sk/ntk.ktb',1537,0,1596489275,0,0,131583,'e71e4644d65a7bcde8c42b29c0e3f784d64a5ae0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/tn/all.txt',1538,0,1596489275,0,0,131583,'bc516fcc1298be1e0b10e98f1804a8fd7a4c42fe');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/toggle.kti',1539,0,1596489275,0,0,131583,'9b580935eb2d579e77db80a80342faef15ccab08');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav.kti',1540,0,1596489275,0,0,131583,'0e3f8713e88fa41204268c0fc14b2c94179e9661');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav20.ktb',1541,0,1596489275,0,0,131583,'c7061bd9285c0d93d88d4c2d8a29f1f554ba4865');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav40.ktb',1542,0,1596489275,0,0,131583,'e70f8d982f5cab79fc21d298dd5b8142cb9cf6ba');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav80.ktb',1543,0,1596489275,0,0,131583,'ba7af8a4fe9da9440555f823705985d24177d219');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav_large.kti',1544,0,1596489275,0,0,131583,'ddac58ec47ff876a152736d9c0d6caac78450863');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/nav_small.kti',1545,0,1596489275,0,0,131583,'4d853d1a90e3f9a44fc1fbe718aa96ad9bc42b47');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb.kti',1546,0,1596489275,0,0,131583,'83088e3e4bc10bb78fa566e5315f7382c861bc71');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb40.ktb',1547,0,1596489275,0,0,131583,'419ef39d2877790c30579233ec0c13d688d9fdbf');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb65.ktb',1548,0,1596489275,0,0,131583,'33f0e22822ac49fa365b38850c7aae5d576f76cb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb80.ktb',1549,0,1596489275,0,0,131583,'ee56c088ae4c344563a9b75858a2a9f1fbe09a6a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb_large.kti',1550,0,1596489275,0,0,131583,'0c0131c0aef1d677cf817330db9444a48dba37bc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/pb_small.kti',1551,0,1596489275,0,0,131583,'a748a7248c0a1309b79e256e51435965d73aa01b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/ts/routing.kti',1552,0,1596489275,0,0,131583,'c007abdffa35dd5e0323952d96d69a62a995b0de');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/tt/all.txt',1553,0,1596489275,0,0,131583,'ba2439954b4b1fc8a0df7a354cdaac2336c3dc26');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vd/all.txt',1554,0,1596489275,0,0,131583,'d911d3b00ce211fd533a129eaf6e58b90628d1e3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vo/all.ktb',1555,0,1596489275,0,0,131583,'069fcb696603023cb707767cfdc86c4c6f2e82d9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vo/all.kti',1556,0,1596489275,0,0,131583,'13a2926392d26f40c9ed76fb0a5f8c671fcb0cee');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vo/bp.ktb',1557,0,1596489275,0,0,131583,'73d23205e4ccb56118690316dd3c4ad28d148444');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vr/all.txt',1558,0,1596489275,0,0,131583,'c95915c8a73ce09c011a7d4efdc7cadc7f186be7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/vs/all.txt',1559,0,1596489275,0,0,131583,'b8e9050183d7e8f42f0a6be3688dce04c4934447');
+	INSERT INTO entry_path VALUES('/etc/brltty/Input/xw/all.txt',1560,0,1596489275,0,0,131583,'2ab1f8004dc992f87fe01de34629ddc5bcaa9322');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/braille.ktb',1561,0,1596489275,0,0,131583,'b1c34c66aa5fd21e61f5600662563156b05726c0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/braille.kti',1562,0,1596489275,0,0,131583,'045eec9764f28353e44d6085678f8d0441a5bddc');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/desktop.ktb',1563,0,1596489275,0,0,131583,'452415895d4a4ef9bdbcc62be0329e20fb181be6');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/desktop.kti',1564,0,1596489275,0,0,131583,'fe864748f837300668196deaea6632fcaaba9e52');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/keypad.ktb',1565,0,1596489275,0,0,131583,'0ccbdc0e363f2776d225189190fac564d6bf8cf9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/kp_say.kti',1566,0,1596489275,0,0,131583,'6e5f5c814cf7f9b54d4b32cbc114345e4be44355');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/kp_speak.kti',1567,0,1596489275,0,0,131583,'1f72dc82ef5970f84337810be85ae86672e8115c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/laptop.ktb',1568,0,1596489275,0,0,131583,'b649b6d0948405f8344d7ddd72bf6ebd665d6096');
+	INSERT INTO entry_path VALUES('/etc/brltty/Keyboard/sun_type6.ktb',1569,0,1596489275,0,0,131583,'975951a29feac2d635ca2c819854b88b53ad1193');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/no-generic.ttb',1570,0,1596489275,0,0,131583,'8e498b31ae728ac7482e4dda11d69f75c4750830');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ar.ttb',1571,0,1596489275,0,0,131583,'3881ce039d47e1f23c39fd13d6029e7e73b9012e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/no-oup.ttb',1572,0,1596489275,0,0,131583,'340ea47610e7dc282e702bbba83b6ccb134bd229');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/as.ttb',1573,0,1596489275,0,0,131583,'192a59c2b8e04f9d0849ab52d29eae406fc71144');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/lt.ttb',1574,0,1596489275,0,0,131583,'0b320007b62e829e2acd637cf9e97978d02b28c7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ascii-basic.tti',1575,0,1596489275,0,0,131583,'df8294ed48cba2d26d02872ce803a81eaa4a06ac');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/no.ttb',1576,0,1596489275,0,0,131583,'8044fe26d8f2dee7e81bea3d274ce5f9c6609b39');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/awa.ttb',1577,0,1596489275,0,0,131583,'27e0a53c518dded607daf5770f3438bd1dc68b3d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-alias.tti',1578,0,1596489275,0,0,131583,'ee792d8e08fa690f09ca15ddb927e3e54c67681e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bengali.tti',1579,0,1596489275,0,0,131583,'c418ac4ff7d6526d6db2ff08964b678f47d1742b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-dot6.tti',1580,0,1596489275,0,0,131583,'72a894f26c1e3618c3b02256ac3e865dfb39aaf0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bg.ttb',1581,0,1596489275,0,0,131583,'42bc29163c750b5dba88647ba11e01828bc10787');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-dot8.tti',1582,0,1596489275,0,0,131583,'e45cb5fd97dc3f65b004a9db420e7b2b4022bbf5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bh.ttb',1583,0,1596489275,0,0,131583,'fef78ad2418c87dc5d2cce4c1afc4fb7e453642e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-french.tti',1584,0,1596489275,0,0,131583,'11279ef444b174ea453b0fdc4819fab9eecb3136');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/blocks.tti',1585,0,1596489275,0,0,131583,'63809729b4abc5b20a22c4605eab17d7473b850d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-nemd8.tti',1586,0,1596489275,0,0,131583,'20814a0747eaa8c84d026745de288fa96f5a0750');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bn.ttb',1587,0,1596489275,0,0,131583,'72f03fc791d02cc46921f6210af999b865682726');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/num-nemeth.tti',1588,0,1596489275,0,0,131583,'a91d9b28d174c3a987f6509e785c70836eeeb619');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bo.ttb',1589,0,1596489275,0,0,131583,'88f74e1d5b1963ce2cd1623628d1bef1e5f9ed79');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/nwc.ttb',1590,0,1596489275,0,0,131583,'a6a2d43cd22890ed543e5ac096d6030953090286');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/boxes.tti',1591,0,1596489275,0,0,131583,'ee04fea5ad8aaf1c94af3adbf5004a4412dd3b0c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/or.ttb',1592,0,1596489275,0,0,131583,'85521e55e8adf3b65ef24cba4e20b50f8785374d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/bra.ttb',1593,0,1596489275,0,0,131583,'32e97428f38eb89089ffe90a5e6a176a822ba848');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/oriya.tti',1594,0,1596489275,0,0,131583,'291feebe7ff1678cff4c0a27ae6f7f47628c0e3b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/brf.ttb',1595,0,1596489275,0,0,131583,'a3597dbf291834172179f4b48370fcb154383eba');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/pa.ttb',1596,0,1596489275,0,0,131583,'9c3bfec570a19f0bf00f2d8d0b9edd86ec25ef62');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/common.tti',1597,0,1596489275,0,0,131583,'a0a754a6975ae7282ba1a9661c742cbed87d81e1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/pi.ttb',1598,0,1596489275,0,0,131583,'06bbef7ecf482ce59b99b478aceab8d0b1cb5a37');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/cs.ttb',1599,0,1596489275,0,0,131583,'b0944669d0976b665bebf0d5e45cb375dda691c5');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/kru.ttb',1600,0,1596489275,0,0,131583,'59e41018667e778a4eeece49a590430bfcaabf29');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ctl-latin.tti',1601,0,1596489275,0,0,131583,'95fbdb00871fcb2bcf2ba77ae1a1179aae259fb2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/pl.ttb',1602,0,1596489275,0,0,131583,'c437c422b5f9e44303db2fc210ea67b520af161f');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/cy.ttb',1603,0,1596489275,0,0,131583,'ccd5bcb77bc8de578b11e6d95053afb515cad3e8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/pt.ttb',1604,0,1596489275,0,0,131583,'552ad3d1437f27c8998ff0c27764e01689dabfad');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/da-1252.ttb',1605,0,1596489275,0,0,131583,'2342a231a6d81ef600ce39bcdd3422eb306deb17');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/punc-alternate.tti',1606,0,1596489275,0,0,131583,'6bdf1aa3a5a91e5cf1cb091e4d77ad93fa88ae9e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/da-lt.ttb',1607,0,1596489275,0,0,131583,'d2f13ba18c346a9ff0586c9829e10632ba8f85ed');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/punc-basic.tti',1608,0,1596489275,0,0,131583,'3ab175252d691d6ff42521330d30a889e78b5d64');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/da.ttb',1609,0,1596489275,0,0,131583,'b3d0aa4e949592ae2417045b13fde59522605693');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ml.ttb',1610,0,1596489275,0,0,131583,'17f4bcbcc72deeccf5e9251453f80f5b6a711238');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/de-chess.tti',1611,0,1596489275,0,0,131583,'084e3ff777e7d19a6b2c3ab19e34709dbf2dd2f2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/punc-tibetan.tti',1612,0,1596489275,0,0,131583,'a9eca3b0053306fdeaf0f2f364db6e0596de2a12');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/de.ttb',1613,0,1596489275,0,0,131583,'14afa11d474b42e92bfb954c7c6b118468b382f8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mi.ttb',1614,0,1596489275,0,0,131583,'7be65a6f031609d198ef64588f44a84f40cd84c3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/devanagari.tti',1615,0,1596489275,0,0,131583,'1186c6ef9c70ac0c9d9292fd831082bcc9450b52');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ro.ttb',1616,0,1596489275,0,0,131583,'9b61388e062eeefcd411113714442e383e0a9cd9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/dra.ttb',1617,0,1596489275,0,0,131583,'178428762bd572278b4795003aaf64414e4ad9df');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ru.ttb',1618,0,1596489275,0,0,131583,'47bf8d32ddd8992645b9827d3b33c32a4494460e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/el.ttb',1619,0,1596489275,0,0,131583,'013327ffcc8d81f5455677bebcd878339b93a20d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mni.ttb',1620,0,1596489275,0,0,131583,'6ef52c393450d697a7b039d091d4fed014dc0583');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en-chess.tti',1621,0,1596489275,0,0,131583,'3d4ced2b8c1d060114202f1305c79eb9c3f8e3b1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mr.ttb',1622,0,1596489275,0,0,131583,'ebe45cd77dd5aebf5461375c03624cf12adcec06');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en-na-ascii.tti',1623,0,1596489275,0,0,131583,'f88ee34fc1d84e1d235570136e32cc1210f571a0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mt.ttb',1624,0,1596489275,0,0,131583,'886843e075c37e4b45bddebeefea00e83d5e73e9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en-nabcc.ttb',1625,0,1596489275,0,0,131583,'37ffdbbf4aec7e8564e872b24b01b4b254f8232d');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sa.ttb',1626,0,1596489275,0,0,131583,'8fc82337c627f2bad46b890d9b1d09c610fa9528');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en.ttb',1627,0,1596489275,0,0,131583,'72f593c2b1b6b8c7723f97c1c65771fd2f045247');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sat.ttb',1628,0,1596489275,0,0,131583,'e9141d71b36f02d2a3d630d828b6f1292f066d59');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en_CA.ttb',1629,0,1596489275,0,0,131583,'cb6b2ec77cd8e436bfe65b46c740d0831dc84049');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sd.ttb',1630,0,1596489275,0,0,131583,'9055cd676f098bdf54640e2325507d30b0152feb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en_GB.ttb',1631,0,1596489275,0,0,131583,'95c7bddffba5723774004a11ed68cb2660e6ded2');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sk.ttb',1632,0,1596489275,0,0,131583,'64476b43a0571da18b4b70379e44ebf59d6ca6c7');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/en_US.ttb',1633,0,1596489275,0,0,131583,'4c6b23bde30e53f7303f0e3c56c8e518f8c10d46');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sl.ttb',1634,0,1596489275,0,0,131583,'45b28454b8dbe4763544a325c99d915a38982ff3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/eo.ttb',1635,0,1596489275,0,0,131583,'e4ac3308e271d14eed595fdc963627d81d78ee21');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/spaces.tti',1636,0,1596489275,0,0,131583,'ad7e26b5c53d10d5d14721c9afc1b589bbda6958');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/es.ttb',1637,0,1596489275,0,0,131583,'358835c39df1e843b9345a40f3348972d3f032c0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sv-1989.ttb',1638,0,1596489275,0,0,131583,'7daf85675435089b0195cbbdc9686d737fcdc153');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/et.ttb',1639,0,1596489275,0,0,131583,'82c0e94f0590b69483e4ff66276dd1a9c44ba947');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sv-1996.ttb',1640,0,1596489275,0,0,131583,'21302101bb1b07a848a9d15457f74271a2acf319');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fi.ttb',1641,0,1596489275,0,0,131583,'da2ae51b7d3b4c3502734e609375d3cda80d39c0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sv.ttb',1642,0,1596489275,0,0,131583,'bac8f6d822ac70e7c7ef4393756754378e7e2eab');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr-2007.ttb',1643,0,1596489275,0,0,131583,'e34a4fa20abf1d5f93e1cd64692d5a29edd18083');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mun.ttb',1644,0,1596489275,0,0,131583,'5dad419c3a7448af602658e7f2b2a518a7e9dfc9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr-cbifs.ttb',1645,0,1596489275,0,0,131583,'ccca9e03adbd5bafb12034c6505bec33399c78e8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/sw.ttb',1646,0,1596489275,0,0,131583,'c75334419ffc3b7c4cfff3f6c0c4fba18dec5b00');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr-vs.ttb',1647,0,1596489275,0,0,131583,'fea03c95d032b8f9787ecfa27fe5fa3532071f12');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ta.ttb',1648,0,1596489275,0,0,131583,'089568f5477898cdeea230af234708a07f402d81');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr.ttb',1649,0,1596489275,0,0,131583,'ec521754e6032a7f9f4ed4fae1ed7b9e1ad94226');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/tamil.tti',1650,0,1596489275,0,0,131583,'cd10755cf4107b7f5b45ecdb39c6ed1f7db589ac');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr_CA.ttb',1651,0,1596489275,0,0,131583,'df09ff15b20da4cd289637e15c2b5e1cfc7cb23e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/te.ttb',1652,0,1596489275,0,0,131583,'128de2b4d8804d19f1aa7a275fec47ca628a0f27');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/fr_FR.ttb',1653,0,1596489275,0,0,131583,'ef15e9da1bc4e03dec3fa71e6b01bb08ba22acb8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/telugu.tti',1654,0,1596489275,0,0,131583,'b9775538e13b1e36d75a3b063cafe7f2f951fe78');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ga.ttb',1655,0,1596489275,0,0,131583,'1108ab5cc8893d957b8490d33ca7239317cbee16');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/tr.ttb',1656,0,1596489275,0,0,131583,'89a2d2297894162ef72913ffcbe6f1fc0ba6e432');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/gd.ttb',1657,0,1596489275,0,0,131583,'a76b4f4380f8454ffbffad839ff57538b9abbf66');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/uk.ttb',1658,0,1596489275,0,0,131583,'fc25639687ef46e9d35c80b757ad11b7647388ab');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/gon.ttb',1659,0,1596489275,0,0,131583,'83282e17101e95937d88f126cf10dfeb1b193fca');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/vi.ttb',1660,0,1596489275,0,0,131583,'e1e1aa0347b69809326643c5cdd875393e3d8a82');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/greek.tti',1661,0,1596489275,0,0,131583,'7749971b151d58bf66bab8a540ed0c27910d3740');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/gu.ttb',1662,0,1596489275,0,0,131583,'232f1789e09eada26339c3e7b247062784a247d8');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mwr.ttb',1663,0,1596489275,0,0,131583,'5cd79156148944fcca0ceb92c65e9a13f2442877');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/gujarati.tti',1664,0,1596489275,0,0,131583,'4f91f23ce57514f186a5e7eae4d606e832d69112');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ne.ttb',1665,0,1596489275,0,0,131583,'36a9e885c77af0cd5832d8d6882b81b745e687af');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/gurmukhi.tti',1666,0,1596489275,0,0,131583,'77f7d2a0cb7f352a62a2bf688eaa911918c2e65a');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/he.ttb',1667,0,1596489275,0,0,131583,'ecc677a7ebe33194f09a184439ec95fcc463b8fb');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/hi.ttb',1668,0,1596489275,0,0,131583,'6c22bc5523ac1cf05378775e05323c27d0a65c72');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/hr.ttb',1669,0,1596489275,0,0,131583,'b773859bf8184f735413251ba18ca5867bf343d3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/hu.ttb',1670,0,1596489275,0,0,131583,'47b181c9580291388425b5d2d02e60945a7a9002');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/hy.ttb',1671,0,1596489275,0,0,131583,'2c613da78727a03e3cdd187e80f54fc03af3c3e0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/is.ttb',1672,0,1596489275,0,0,131583,'26aea44230ff7787f2a337e2f2488ea9186fd16c');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/it.ttb',1673,0,1596489275,0,0,131583,'12c9465b77b6a99c5e18e808e8c2e22866f67558');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/kannada.tti',1674,0,1596489275,0,0,131583,'25d29c1a9d0671c19981631104e5c4b6327711e0');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/kha.ttb',1675,0,1596489275,0,0,131583,'9a6316758814065dd8312c51b1f3ce34e49fb5dd');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/kn.ttb',1676,0,1596489275,0,0,131583,'09e46be8eb3b8870c98663a530daf221d3e9148e');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/kok.ttb',1677,0,1596489275,0,0,131583,'7d0e6753797816400ac6619edba4d9b56380deef');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ltr-alias.tti',1678,0,1596489275,0,0,131583,'e32353cf16e06ca2fc06315e042cdb0fd2b92b37');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/new.ttb',1679,0,1596489275,0,0,131583,'bf7913f527f533bbbf03f47a3de618fa15a2f252');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ltr-cyrillic.tti',1680,0,1596489275,0,0,131583,'de025ae909e23da677c67df9138ed581e8bf7f54');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/nl.ttb',1681,0,1596489275,0,0,131583,'acd3910e2575991f801fa036eff1e6a879754fd9');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ltr-dot8.tti',1682,0,1596489275,0,0,131583,'c798d5a1a24702de38a5bc111ae95e8d489b932b');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ltr-latin.tti',1683,0,1596489275,0,0,131583,'310c256eb233cc5bf25ad348a2d5ca2b0b6636e6');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/nl_BE.ttb',1684,0,1596489275,0,0,131583,'f499c499681bb63a9fd24af1ee9b1e741bdb1fa1');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/ltr-tibetan.tti',1685,0,1596489275,0,0,131583,'670f25a4ee7f87300e49c00165cb97592aa42f15');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/lv.ttb',1686,0,1596489275,0,0,131583,'a8cbbd6f48ee15e7d7353b2b48f4f80fd85be6b3');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/nl_NL.ttb',1687,0,1596489275,0,0,131583,'f225d11d5cfaea9d0009d90974a44441af9de165');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/malayalam.tti',1688,0,1596489275,0,0,131583,'f417032cbcb125941e8aa70feb28b8e335bfaf13');
+	INSERT INTO entry_path VALUES('/etc/brltty/Text/mg.ttb',1689,0,1596489275,0,0,131583,'f50d833ebcc186272e7890dd44b056f1ed07a9bd');
+	INSERT INTO entry_path VALUES('/etc/brltty.conf',1690,0,1596489275,0,0,131583,'48766b26ee8530cd39f30ed1e7c6a517a0458e2e');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/espeak-ng.conf',1691,0,1596489275,0,0,131583,'bcf60ce221c41d339a2b49b200e35ce3b7acc7eb');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/cicero.conf',1692,0,1596489275,0,0,131583,'c6bfed9478144db55fe54b762ebca1eaf711ad32');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/dtk-generic.conf',1693,0,1596489275,0,0,131583,'d7cf3f1bd695ba8f80c2e4e6c9c4b66ece296741');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/epos-generic.conf',1694,0,1596489275,0,0,131583,'821cf746f8bfd342f863026b23a26c792267385c');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/ibmtts.conf',1695,0,1596489275,0,0,131583,'ce24d5fd5616c2ced6d205c59e684ba9a2b191d4');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/ivona.conf',1696,0,1596489275,0,0,131583,'155ae02d93ee7e677b7e32044f7da3efae39fa9e');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/llia_phon-generic.conf',1697,0,1596489275,0,0,131583,'a25c81cc8622250ce8d8935bbe30e17dd6d4b4ca');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/pico-generic.conf',1698,0,1596489275,0,0,131583,'ecbd91180660018036c688e16d6c797c30e91463');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/modules/swift-generic.conf',1699,0,1596489275,0,0,131583,'9be4ab496cdba071925145041f50c27ad2604e1a');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/clients/emacs.conf',1700,0,1596489275,0,0,131583,'7608de5962f020a4b133c52b0a2300317820be4b');
+	INSERT INTO entry_path VALUES('/etc/speech-dispatcher/speechd.conf',1701,0,1596489275,0,0,131583,'44f85496e44f57e4b1f96015064f431b4c5790de');
+	INSERT INTO entry_path VALUES('/etc/sane.d/abaton.conf',1702,0,1596489275,0,0,131583,'da9749b1301169f5ad08cde3c0f36ec984a5ba3d');
+	INSERT INTO entry_path VALUES('/etc/sane.d/plustek.conf',1703,0,1596489275,0,0,131583,'00691c7d07110fab1631f4d6544fb990d7815150');
+	INSERT INTO entry_path VALUES('/etc/sane.d/agfafocus.conf',1704,0,1596489275,0,0,131583,'75dc43a7f49b2780f97817ce97b15d8f8b200f78');
+	INSERT INTO entry_path VALUES('/etc/sane.d/apple.conf',1705,0,1596489275,0,0,131583,'af1ef8efda3b257f135a30f4b10538921cb535d8');
+	INSERT INTO entry_path VALUES('/etc/sane.d/artec.conf',1706,0,1596489275,0,0,131583,'c4e8974bc5d809db0cee39666594622046a97fbe');
+	INSERT INTO entry_path VALUES('/etc/sane.d/plustek_pp.conf',1707,0,1596489275,0,0,131583,'ab47e29588584262713060a0aadd477a9f852acc');
+	INSERT INTO entry_path VALUES('/etc/sane.d/artec_eplus48u.conf',1708,0,1596489275,0,0,131583,'0de0924412d69a5e61b3099bc642dfd4b778ebd9');
+	INSERT INTO entry_path VALUES('/etc/sane.d/qcam.conf',1709,0,1596489275,0,0,131583,'7d0ef3e4e0195d29cc056d4dbf4bcc90db731263');
+	INSERT INTO entry_path VALUES('/etc/sane.d/avision.conf',1710,0,1596489275,0,0,131583,'1eda44a6aa22602a028653a3e0da4f91af58cfc4');
+	INSERT INTO entry_path VALUES('/etc/sane.d/bh.conf',1711,0,1596489275,0,0,131583,'0c4196c712e8677b2fedbdd67b12b0acd30eabc1');
+	INSERT INTO entry_path VALUES('/etc/sane.d/canon.conf',1712,0,1596489275,0,0,131583,'a716864b6d4e4b23e1537dbea0b9750dcdef531a');
+	INSERT INTO entry_path VALUES('/etc/sane.d/ricoh.conf',1713,0,1596489275,0,0,131583,'c935b1a50d5630c2ae548e02c4347a172edd09bb');
+	INSERT INTO entry_path VALUES('/etc/sane.d/canon630u.conf',1714,0,1596489275,0,0,131583,'0bd55b4a20d95f74695005dec51a491d84dc2089');
+	INSERT INTO entry_path VALUES('/etc/sane.d/rts8891.conf',1715,0,1596489275,0,0,131583,'cd6ad1ef42f5ecfef98121dbf624056a2cd4f918');
+	INSERT INTO entry_path VALUES('/etc/sane.d/canon_dr.conf',1716,0,1596489275,0,0,131583,'31e4ee58c9d777d46b515058d559934fbcfe3779');
+	INSERT INTO entry_path VALUES('/etc/sane.d/saned.conf',1717,0,1596489275,0,0,131583,'835d8b9efc4b24f2816752112da7a8cdaa13e121');
+	INSERT INTO entry_path VALUES('/etc/sane.d/canon_pp.conf',1718,0,1596489275,0,0,131583,'dc47ca90823013c904bcce6f91ef48cf81f4d367');
+	INSERT INTO entry_path VALUES('/etc/sane.d/s9036.conf',1719,0,1596489275,0,0,131583,'86d8c86a8018e8de49c01727e4befa451c9df151');
+	INSERT INTO entry_path VALUES('/etc/sane.d/cardscan.conf',1720,0,1596489275,0,0,131583,'acdf1f761e3b48dad87f7fac423135fc4bab3b0e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/sceptre.conf',1721,0,1596489275,0,0,131583,'659be3d6915dd0928efc399a8bab5fb94808a63e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/coolscan.conf',1722,0,1596489275,0,0,131583,'99e7fdcc742005be422c6f6b6b519a4060e01309');
+	INSERT INTO entry_path VALUES('/etc/sane.d/sharp.conf',1723,0,1596489275,0,0,131583,'0c8df62aab9c3a57ac8d6f89b2ba856de2194c95');
+	INSERT INTO entry_path VALUES('/etc/sane.d/coolscan2.conf',1724,0,1596489275,0,0,131583,'55f3e5101e771cc6324834c91c873e05baa20034');
+	INSERT INTO entry_path VALUES('/etc/sane.d/sm3840.conf',1725,0,1596489275,0,0,131583,'cf04999a0a8c6072958ad8ed35a1e543bf6c8037');
+	INSERT INTO entry_path VALUES('/etc/sane.d/coolscan3.conf',1726,0,1596489275,0,0,131583,'6242d85042ccb1812995cdc6b9f28dc82e4e9023');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dc210.conf',1727,0,1596489275,0,0,131583,'9d1e9b8305bd33f526b3abd693522e782afece62');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dc240.conf',1728,0,1596489275,0,0,131583,'aaa569d166197b9377590f05e88f6e086dc6e2a4');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dc25.conf',1729,0,1596489275,0,0,131583,'5887411dfae7722ada9bc4f15856a9afcd1630da');
+	INSERT INTO entry_path VALUES('/etc/sane.d/u12.conf',1730,0,1596489275,0,0,131583,'cbd87b93511d5bc413227b6468c8d874ee71945e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dell1600n_net.conf',1731,0,1596489275,0,0,131583,'6d31894687932a128dd9642fbfc19b3ce7b56d97');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dll.conf',1732,0,1596489275,0,0,131583,'2110e35eb1804804d93d4c9df5543b5962d6d6be');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dll.d/hpaio',1733,0,1596489275,0,0,131583,'c6663705ab65491b2f89063b49eeae15b5715b52');
+	INSERT INTO entry_path VALUES('/etc/sane.d/dmc.conf',1734,0,1596489275,0,0,131583,'df64660800d7c225c78efc97a7431323234fdbc6');
+	INSERT INTO entry_path VALUES('/etc/sane.d/umax.conf',1735,0,1596489275,0,0,131583,'903db81a20862813e6c28d10f7e01a0af90d9b51');
+	INSERT INTO entry_path VALUES('/etc/sane.d/epjitsu.conf',1736,0,1596489275,0,0,131583,'f327385c431abc11daeaac7ff0c9e427798a958b');
+	INSERT INTO entry_path VALUES('/etc/sane.d/epson.conf',1737,0,1596489275,0,0,131583,'77c3854ee4c8a898e336e66bab2cea605214e8aa');
+	INSERT INTO entry_path VALUES('/etc/sane.d/epson2.conf',1738,0,1596489275,0,0,131583,'9adacf7c19936ae66ecae56e889e804ba172c3e4');
+	INSERT INTO entry_path VALUES('/etc/sane.d/umax1220u.conf',1739,0,1596489275,0,0,131583,'b738593eaea9455b2ba2c5fb0f3d6462d707add9');
+	INSERT INTO entry_path VALUES('/etc/sane.d/epsonds.conf',1740,0,1596489275,0,0,131583,'cde0ca0213986529e4f2448e0e3b0cad800decbb');
+	INSERT INTO entry_path VALUES('/etc/sane.d/umax_pp.conf',1741,0,1596489275,0,0,131583,'8f743f19376214872de4fbd2029a84e6d54af293');
+	INSERT INTO entry_path VALUES('/etc/sane.d/fujitsu.conf',1742,0,1596489275,0,0,131583,'7bcd153a6527f11e71aa48c44a702fc5ca6fbbb5');
+	INSERT INTO entry_path VALUES('/etc/sane.d/v4l.conf',1743,0,1596489275,0,0,131583,'f7c065ac688d5a65b87ce2b4a8f2a3fdedba93f7');
+	INSERT INTO entry_path VALUES('/etc/sane.d/genesys.conf',1744,0,1596489275,0,0,131583,'394eaa68febd3177e1ed85c8a61737da85ea5a38');
+	INSERT INTO entry_path VALUES('/etc/sane.d/xerox_mfp.conf',1745,0,1596489275,0,0,131583,'2efb165122f8b6c16f854b71190ae4ed3bbb9c58');
+	INSERT INTO entry_path VALUES('/etc/sane.d/gphoto2.conf',1746,0,1596489275,0,0,131583,'b5e89893c50e3e7033aec45ac25e5e817e6e6d55');
+	INSERT INTO entry_path VALUES('/etc/sane.d/gt68xx.conf',1747,0,1596489275,0,0,131583,'d2f9f277bbf4c0d92594cec0f12850a4f553e80f');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hp.conf',1748,0,1596489275,0,0,131583,'d570ca5345e08c5114fbe91205d122e7752f1851');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hp3900.conf',1749,0,1596489275,0,0,131583,'c96989e3c88f7d6190b0ed3d7cfed40d588e4023');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hp4200.conf',1750,0,1596489275,0,0,131583,'ce12aa763281fcee7485330e4317cfcf6e8cc6c9');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hp5400.conf',1751,0,1596489275,0,0,131583,'e3462dd1bc446c3108efaf724996ff22633bc39f');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hpsj5s.conf',1752,0,1596489275,0,0,131583,'7d8c503617500a7b5158d93cd681789ebb8330b3');
+	INSERT INTO entry_path VALUES('/etc/sane.d/hs2p.conf',1753,0,1596489275,0,0,131583,'e59bbda1c9386c95a3227ae86304b64def0d1b5d');
+	INSERT INTO entry_path VALUES('/etc/sane.d/ibm.conf',1754,0,1596489275,0,0,131583,'c0d340cc03b8498ad7619352e368b30511f768ca');
+	INSERT INTO entry_path VALUES('/etc/sane.d/kodak.conf',1755,0,1596489275,0,0,131583,'64a101827f7bb040639420e6efe5519e1c0271ef');
+	INSERT INTO entry_path VALUES('/etc/sane.d/kodakaio.conf',1756,0,1596489275,0,0,131583,'af9cd218b78819d73f6db6d5966f328573d70404');
+	INSERT INTO entry_path VALUES('/etc/sane.d/kvs1025.conf',1757,0,1596489275,0,0,131583,'a0807ed03d0a8fe543cb05de52e2d710368e6dc2');
+	INSERT INTO entry_path VALUES('/etc/sane.d/leo.conf',1758,0,1596489275,0,0,131583,'8d8c71c300e002ba23237915a01cc69b7fed4ee6');
+	INSERT INTO entry_path VALUES('/etc/sane.d/lexmark.conf',1759,0,1596489275,0,0,131583,'7ee154606ab696f010942fe4c332eaadd9f88e32');
+	INSERT INTO entry_path VALUES('/etc/sane.d/ma1509.conf',1760,0,1596489275,0,0,131583,'751b8dceebc5b82ce735a25a0a7c3d72064425a4');
+	INSERT INTO entry_path VALUES('/etc/sane.d/magicolor.conf',1761,0,1596489275,0,0,131583,'50dae18a80561a369f4ef2f9720fa1544ee48e8b');
+	INSERT INTO entry_path VALUES('/etc/sane.d/matsushita.conf',1762,0,1596489275,0,0,131583,'4550fb931de9a499df561b64b4e9776e5b4fa26b');
+	INSERT INTO entry_path VALUES('/etc/sane.d/microtek.conf',1763,0,1596489275,0,0,131583,'0492fa587bf76f817596b80b3819cec69ba9ca9e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/microtek2.conf',1764,0,1596489275,0,0,131583,'8fa4d78566443972f43cdbb0d9724d9a9721f72a');
+	INSERT INTO entry_path VALUES('/etc/sane.d/mustek.conf',1765,0,1596489275,0,0,131583,'e3c8487ca49053c590fe73218b33696ecef432ee');
+	INSERT INTO entry_path VALUES('/etc/sane.d/mustek_pp.conf',1766,0,1596489275,0,0,131583,'ed54320182dcdcf023cfc82ecd8825db5b0cef0c');
+	INSERT INTO entry_path VALUES('/etc/sane.d/mustek_usb.conf',1767,0,1596489275,0,0,131583,'0943a5a81fa3cfb40275666c2e722a0caac90ad6');
+	INSERT INTO entry_path VALUES('/etc/sane.d/nec.conf',1768,0,1596489275,0,0,131583,'750dd0dc2217d479848f20aeecbe529ed7c88b16');
+	INSERT INTO entry_path VALUES('/etc/sane.d/net.conf',1769,0,1596489275,0,0,131583,'71fba43bc9b1ba7456ce5905319a62544a244400');
+	INSERT INTO entry_path VALUES('/etc/sane.d/p5.conf',1770,0,1596489275,0,0,131583,'6416090b4649a41c25d7221d53b262d6cf2dc071');
+	INSERT INTO entry_path VALUES('/etc/sane.d/pie.conf',1771,0,1596489275,0,0,131583,'40aa4b43eaf535dafd78d1e69cb486e5fabe9925');
+	INSERT INTO entry_path VALUES('/etc/sane.d/pieusb.conf',1772,0,1596489275,0,0,131583,'c941c57d181ec2f234b0127127a79bba7ad4da0e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/pixma.conf',1773,0,1596489275,0,0,131583,'01dacd2e92a99410e92f998a941daa24aa9d4e26');
+	INSERT INTO entry_path VALUES('/etc/sane.d/snapscan.conf',1774,0,1596489275,0,0,131583,'cbffa4019f7fafe35f392d539515405421f1f27f');
+	INSERT INTO entry_path VALUES('/etc/sane.d/sp15c.conf',1775,0,1596489275,0,0,131583,'2c2e9974b37658146ce1d5daebf4acc8aad78d0c');
+	INSERT INTO entry_path VALUES('/etc/sane.d/st400.conf',1776,0,1596489275,0,0,131583,'e6df8ba092a9ee191d79bdd6ba6872ffb3698586');
+	INSERT INTO entry_path VALUES('/etc/sane.d/stv680.conf',1777,0,1596489275,0,0,131583,'d32a8e5216949a1f065fc0640b8cc7bbe673bd1a');
+	INSERT INTO entry_path VALUES('/etc/sane.d/tamarack.conf',1778,0,1596489275,0,0,131583,'c0c2db886e3014e6b8dbc49d8e4e41c92d2b5edd');
+	INSERT INTO entry_path VALUES('/etc/sane.d/teco1.conf',1779,0,1596489275,0,0,131583,'be42212d384598b6dfe6227e0c276f6efd307904');
+	INSERT INTO entry_path VALUES('/etc/sane.d/teco2.conf',1780,0,1596489275,0,0,131583,'7c20672672366c64e322408ad4d1885261308d9e');
+	INSERT INTO entry_path VALUES('/etc/sane.d/teco3.conf',1781,0,1596489275,0,0,131583,'5cf500e7179029e5a382800bf83fe958fe5ef9e1');
+	INSERT INTO entry_path VALUES('/etc/sane.d/test.conf',1782,0,1596489275,0,0,131583,'de3fcca92fc572f85cef120a9f967d0a32e134bf');
+	INSERT INTO entry_path VALUES('/etc/pipewire/pipewire.conf',1783,0,1596489275,0,0,131583,'908772546ad80fe2630715cb48376cc14fca7aaa');
+	INSERT INTO entry_path VALUES('/etc/cupshelpers/preferreddrivers.xml',1784,0,1596489275,0,0,131583,'26a040bc9234b92b40d85e342501101bac1a7984');
+	INSERT INTO entry_path VALUES('/etc/audit/audit-stop.rules',1785,0,1596489275,0,0,131583,'7bf4fdd0572c8bbc193b50f9bcd85feb8b03cc46');
+	INSERT INTO entry_path VALUES('/etc/audit/auditd.conf',1786,0,1596489275,0,0,131583,'68ce598e99217d1e1eeb109aeb8a676d0c0f1444');
+	INSERT INTO entry_path VALUES('/etc/audit/plugins.d/af_unix.conf',1787,0,1596489275,0,0,131583,'48bc25aa8289de13e34d5eeb31d868be21beaa30');
+	INSERT INTO entry_path VALUES('/etc/audit/plugins.d/sedispatch.conf',1788,0,1596489275,0,0,131583,'eaadcd52cc9402b071e87dd1249c8dda818509ce');
+	INSERT INTO entry_path VALUES('/etc/audit/rules.d/audit.rules',1789,0,1596489275,0,0,131583,'45990abd38d4799936fec327b49f6fb09e30482f');
+	INSERT INTO entry_path VALUES('/etc/audit/audit.rules',1790,0,1596489275,0,0,131583,'2a9bda4566e2a92d923092cb6771c3e9fcc2863f');
+	INSERT INTO entry_path VALUES('/etc/authselect/user-nsswitch.conf',1791,0,1596489275,0,0,131583,'c3fa3e0c50b4aceda36025ec8961c04bea6072a5');
+	INSERT INTO entry_path VALUES('/etc/authselect/system-auth',1792,0,1596489275,0,0,131583,'e36446d9477454d4340df9fd2b99fd66c8af6d30');
+	INSERT INTO entry_path VALUES('/etc/authselect/password-auth',1793,0,1596489275,0,0,131583,'4df423f5ef1abe23ac100557e9a24e919556ef18');
+	INSERT INTO entry_path VALUES('/etc/authselect/fingerprint-auth',1794,0,1596489275,0,0,131583,'bd1a5bc750b1f1228150af424977bf74c000d3e7');
+	INSERT INTO entry_path VALUES('/etc/authselect/smartcard-auth',1795,0,1596489275,0,0,131583,'cfe0ef97ff818097dc63bba019c16388d7cc9a6f');
+	INSERT INTO entry_path VALUES('/etc/authselect/postlogin',1796,0,1596489275,0,0,131583,'98f69b0610f9af4b8ffa9e9c054ee129334b6c81');
+	INSERT INTO entry_path VALUES('/etc/authselect/nsswitch.conf',1797,0,1596489275,0,0,131583,'a9bf816893c6cd5d6a82b063bed7dc69520ae483');
+	INSERT INTO entry_path VALUES('/etc/authselect/dconf-db',1798,0,1596489275,0,0,131583,'3855dab5f2509b3c0bdb4576c8947c88b279d564');
+	INSERT INTO entry_path VALUES('/etc/authselect/dconf-locks',1799,0,1596489275,0,0,131583,'0d47c74f9662cb14985f6637ce7b6b6983bf3b2b');
+	INSERT INTO entry_path VALUES('/etc/authselect/authselect.conf',1800,0,1596489275,0,0,131583,'e0a494160fda916f1a0063f93b030520715a99db');
+	INSERT INTO entry_path VALUES('/etc/setroubleshoot/setroubleshoot.conf',1801,0,1596489275,0,0,131583,'7ed2f665cea33eaa4879febe465ebc879f26eca2');
+	INSERT INTO entry_path VALUES('/etc/wpa_supplicant/wpa_supplicant.conf',1802,0,1596489275,0,0,131583,'6956556c87ddc92e248e989a4bb344f43ec892d8');
+	INSERT INTO entry_path VALUES('/etc/locale.conf',1803,0,1596489275,0,0,131583,'937da9bfa9fab92033b1a6025b7e6fb7a1065d6b');
+	INSERT INTO entry_path VALUES('/etc/dnsmasq.conf',1804,0,1596489275,0,0,131583,'b08095c60f9b85563752a5da6853591d8adc2852');
+	INSERT INTO entry_path VALUES('/etc/hostname',1805,0,1596489275,0,0,131583,'db666a5572d3c28285380b3e1ae04117c01c4d3d');
+	INSERT INTO entry_path VALUES('/etc/oddjobd.conf',1806,0,1596489275,0,0,131583,'d48cd87e747cabdfb46f78d4fa17c8b0889b8b81');
+	INSERT INTO entry_path VALUES('/etc/oddjobd.conf.d/oddjobd-introspection.conf',1807,0,1596489275,0,0,131583,'cb5a3458a30041c888d324ee2d4d4a3e91af95a2');
+	INSERT INTO entry_path VALUES('/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf',1808,0,1596489275,0,0,131583,'e2ea84f7819726067f877a199780e1930064b8e2');
+	INSERT INTO entry_path VALUES('/etc/radvd.conf',1809,0,1596489275,0,0,131583,'9da5525b9986894d83038dd205e1e2fe003b941c');
+	INSERT INTO entry_path VALUES('/etc/fwupd/daemon.conf',1810,0,1596489275,0,0,131583,'530a4b8eef4221e7f0b2bf458a30cecbb2655cbc');
+	INSERT INTO entry_path VALUES('/etc/fwupd/redfish.conf',1811,0,1596489275,0,0,131583,'475f5be5b9d41fe2f6ca07b7a34055f20a4e56e2');
+	INSERT INTO entry_path VALUES('/etc/fwupd/remotes.d/fwupd.conf',1812,0,1596489275,0,0,131583,'fc3e21e14a190101a48cef5df1b3fb180e58804d');
+	INSERT INTO entry_path VALUES('/etc/fwupd/remotes.d/lvfs-testing.conf',1813,0,1596489275,0,0,131583,'b11da5e6d2205d5fb02512a8cbeb880c5d2472d5');
+	INSERT INTO entry_path VALUES('/etc/fwupd/remotes.d/lvfs.conf',1814,0,1596489275,0,0,131583,'fcc999efa7ecd296009c7d80b20077565dd760ef');
+	INSERT INTO entry_path VALUES('/etc/fwupd/remotes.d/vendor.conf',1815,0,1596489275,0,0,131583,'73d13392d9d9a9f0a1fc0b63012cf49691e4c629');
+	INSERT INTO entry_path VALUES('/etc/fwupd/uefi.conf',1816,0,1596489275,0,0,131583,'f2af92082ffd4f140872b9f5e93a750960e59950');
+	INSERT INTO entry_path VALUES('/etc/vconsole.conf',1817,0,1596489275,0,0,131583,'9c209e2445d6b9f78187418326489a07517103c8');
+	INSERT INTO entry_path VALUES('/etc/dleyna-server-service.conf',1818,0,1596489275,0,0,131583,'9938ebfb1d31af0dcd03c5bcf383f0f5b44f0aeb');
+	INSERT INTO entry_path VALUES('/etc/iscsi/iscsid.conf',1819,0,1596489275,0,0,131583,'97f31e32a9069e393fea38ed48635725b8730fdd');
+	INSERT INTO entry_path VALUES('/etc/iscsi/initiatorname.iscsi',1820,0,1596489275,0,0,131583,'ac3176d75f75b86585a5796d1388f0652bd7a638');
+	INSERT INTO entry_path VALUES('/etc/libvirt/libvirt-admin.conf',1821,0,1596489275,0,0,131583,'4da43368c8c8b116467ba1ce9e4d3315535e551b');
+	INSERT INTO entry_path VALUES('/etc/libvirt/libvirt.conf',1822,0,1596489275,0,0,131583,'d43f21f78f5c087f6c2059d952acc6db190e33c1');
+	INSERT INTO entry_path VALUES('/etc/libvirt/libvirtd.conf',1823,0,1596489275,0,0,131583,'d4faff13a029a69974c7a4f56440aae3c11294a1');
+	INSERT INTO entry_path VALUES('/etc/libvirt/virtlockd.conf',1824,0,1596489275,0,0,131583,'5f8615b6d45ff43b664c61b5d9e9a852a6868d11');
+	INSERT INTO entry_path VALUES('/etc/libvirt/virtlogd.conf',1825,0,1596489275,0,0,131583,'8628bf9380905c1c6796738da6556c1ca16370ac');
+	INSERT INTO entry_path VALUES('/etc/libvirt/qemu/networks/autostart/default.xml',1826,0,1596489275,0,0,131583,'2d3b5bede24a812c207a21d91ecded0c1a016a8f');
+	INSERT INTO entry_path VALUES('/etc/libvirt/qemu/networks/default.xml',1827,0,1596489275,0,0,131583,'11fe873972c17b13e8174ebfd0964d78a5a5db3b');
+	INSERT INTO entry_path VALUES('/etc/libvirt/qemu-lockd.conf',1828,0,1596489275,0,0,131583,'bfc3d3a60a49afd63ae43e8d84a83735c3616c9d');
+	INSERT INTO entry_path VALUES('/etc/libvirt/qemu.conf',1829,0,1596489275,0,0,131583,'9f7e28c5fa0dfe2ab4d0c89118bc2ddb81c86a2d');
+	INSERT INTO entry_path VALUES('/etc/issue.d/cockpit.issue',1830,0,1596489275,0,0,131583,'827bda8b09ca4817af66ef606941b5116a1b9c9e');
+	INSERT INTO entry_path VALUES('/etc/motd.d/cockpit',1831,0,1596489275,0,0,131583,'0d817c7ed9319c8b8c8def49a02fc0a6f54d2679');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/poweroff-vm-default',1832,0,1596489275,0,0,131583,'2103a830d6cbd9abff02c3b8fa5b7a53697ff5ec');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/poweron-vm-default',1833,0,1596489275,0,0,131583,'2dc567960b52ceca4d6e739d5aea76378b2231fd');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/resume-vm-default',1834,0,1596489275,0,0,131583,'051d839f312f0fcb80eace69a5858a3b732a0908');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/scripts/vmware/network',1835,0,1596489275,0,0,131583,'b8ce7e573e38c2c90307c8cd35085205eabca05d');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/statechange.subr',1836,0,1596489275,0,0,131583,'05b797287a75b653d3a7f74cd7fc88bafe19df90');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/suspend-vm-default',1837,0,1596489275,0,0,131583,'22db8e14569bbc8f86b8d7bf24e3dd2d5bc60a77');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/XMLSchema-hasFacetAndProperty.xsd',1838,0,1596489275,0,0,131583,'339882cceee60d499119e104916bce88831bc3b3');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/XMLSchema-instance.xsd',1839,0,1596489275,0,0,131583,'16abe2befbdf8c827407f1bb1d862b796dd1328c');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/XMLSchema.dtd',1840,0,1596489275,0,0,131583,'5383e5392ce1244e82f6b244b6b599ad105063d4');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/XMLSchema.xsd',1841,0,1596489275,0,0,131583,'89f3406720bd34aaaf96466e215206dd79785b65');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/catalog.xml',1842,0,1596489275,0,0,131583,'1b84a2e6ca58d7b2d1a30906a66b88ca0f2100ae');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/datatypes.dtd',1843,0,1596489275,0,0,131583,'d1206860e7a51f9b1b2b50070f988a005cceb6b9');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd',1844,0,1596489275,0,0,131583,'96aee50f4c0a2a0ce277f4a759a0f996f3a555e6');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/xenc-schema.xsd',1845,0,1596489275,0,0,131583,'6c3f657c1216febd750e5529e2df3a77bda202ac');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/xml.xsd',1846,0,1596489275,0,0,131583,'385db4fbb6ce7ab4a0e7749d754a0e787a60e349');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth/schemas/xmldsig-core-schema.xsd',1847,0,1596489275,0,0,131583,'165d7e9304274b5d7fa0c2b302de424b207c51a5');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/vgauth.conf',1848,0,1596489275,0,0,131583,'70f9c98f4f4220761358aa1ebd6be8a5c41a8a8a');
+	INSERT INTO entry_path VALUES('/etc/vmware-tools/tools.conf.example',1849,0,1596489275,0,0,131583,'096febac1a01349507d988ffd0ea71e937eb787c');
+	INSERT INTO entry_path VALUES('/etc/cifs-utils/idmap-plugin',1850,0,1596489275,0,0,131583,'93b5969804ae66866e359c6311c6f98093ce3c19');
+	INSERT INTO entry_path VALUES('/etc/rwtab.d/sssd',1851,0,1596489275,0,0,131583,'af7290465f48364ac84bc52256fe204703478d39');
+	INSERT INTO entry_path VALUES('/etc/rwtab.d/logrotate',1852,0,1596489275,0,0,131583,'fb9f95725138949d42a95d7495602b2490c87aa6');
+	INSERT INTO entry_path VALUES('/etc/mke2fs.conf',1853,0,1596489275,0,0,131583,'831f5c80da2fcd9bf6ae68465147400aa9467e81');
+	INSERT INTO entry_path VALUES('/etc/kdump.conf',1854,0,1596489275,0,0,131583,'8dc0d80fb0b666b8fc26a8f45249c632e2e502aa');
+	INSERT INTO entry_path VALUES('/etc/man_db.conf',1855,0,1596489275,0,0,131583,'20440911d38831f073e0dd4006f1f50478cc425f');
+	INSERT INTO entry_path VALUES('/etc/makedumpfile.conf.sample',1856,0,1596489275,0,0,131583,'01660db51348f896606500721d62bf83fc0c1772');
+	INSERT INTO entry_path VALUES('/etc/udisks2/udisks2.conf',1857,0,1596489275,0,0,131583,'91cafbe2799bff4d15fc5ec2ad5ff76199179c51');
+	INSERT INTO entry_path VALUES('/etc/plymouth/plymouthd.conf',1858,0,1596489275,0,0,131583,'9de627c4ff4f6f19e41eb53cb5b9ce12a13d0ced');
+	INSERT INTO entry_path VALUES('/etc/ossec-init.conf',1859,0,1596489275,0,0,131583,'d7e9a9d3db687dc20541d8c416e00a115b89480d');
+	INSERT INTO entry_path VALUES('/etc/logrotate.conf',1860,0,1596489275,0,0,131583,'c76c8ff6d7e52b4764b99420ad8a0edea6a976b8');
+	INSERT INTO entry_path VALUES('/etc/.updated',1861,0,1596489275,0,0,131583,'4f707f4d0579e26b9b1eda0fcfcd84c7244be7ad');
+	INSERT INTO entry_path VALUES('/etc/rsyslog.conf',1862,0,1596489275,0,0,131583,'b6e7682f5d43537921399847a8dd348ef8150a18');
+	INSERT INTO entry_path VALUES('/etc/gdbinit',1863,0,1596489275,0,0,131583,'9b1c59275fbe37ad0e9e3c4060ab330f9d0c8f90');
+	INSERT INTO entry_path VALUES('/etc/nfs.conf',1864,0,1596489275,0,0,131583,'da3d55f360b9e26937582557bccbc353e36f7578');
+	INSERT INTO entry_path VALUES('/etc/nfsmount.conf',1865,0,1596489275,0,0,131583,'293d5b044da1d2f4b98be4fa6407fb9e185d1e8e');
+	INSERT INTO entry_path VALUES('/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json',1866,0,1596489275,0,0,131583,'7057439ba8cd5996173c561df4973b79f3cb9e25');
+	INSERT INTO entry_path VALUES('/etc/tuned/active_profile',1867,0,1596489275,0,0,131583,'3498743218e330a81f851f856cf8e0f6d04705ee');
+	INSERT INTO entry_path VALUES('/etc/tuned/bootcmdline',1868,0,1596489275,0,0,131583,'0256a2cfc5187225d58a1db857a7e55cc174a27f');
+	INSERT INTO entry_path VALUES('/etc/tuned/profile_mode',1869,0,1596489275,0,0,131583,'55ee4527fde4c111bcbcfd32dfb065cde32e6a61');
+	INSERT INTO entry_path VALUES('/etc/tuned/tuned-main.conf',1870,0,1596489275,0,0,131583,'4df29c60b9ef23f5a760b250f1addb4d61b35852');
+	INSERT INTO entry_path VALUES('/etc/yum.conf',1871,0,1596489275,0,0,131583,'e100589b9f75b293ea2fc718fb39ecedddf1f381');
+	INSERT INTO entry_path VALUES('/etc/grub2.cfg',1872,0,1596489275,0,0,131583,'55a8b844400af6a0667b497f98c4167deab6683d');
+	INSERT INTO entry_path VALUES('/etc/firewalld/firewalld.conf',1873,0,1596489275,0,0,131583,'dfb3bfed1713d97a9bc11fd77a9204709efc9651');
+	INSERT INTO entry_path VALUES('/etc/firewalld/lockdown-whitelist.xml',1874,0,1596489275,0,0,131583,'e83e43895fec2eb37a2a8370dda162b4820d6b66');
+	INSERT INTO entry_path VALUES('/etc/firewalld/zones/public.xml',1875,0,1596489275,0,0,131583,'9fca5a8731750a15c08b6538ed83910596e5b50e');
+	INSERT INTO entry_path VALUES('/etc/firewalld/zones/public.xml.old',1876,0,1596489275,0,0,131583,'fdc3560036d02d6b3401a244a8d6be3fe0e36146');
+	INSERT INTO entry_path VALUES('/etc/wgetrc',1877,0,1596489275,0,0,131583,'a2fbef8f81af27155dcee5e3927ff6243593b91a');
+	INSERT INTO entry_path VALUES('/etc/pinforc',1878,0,1596489275,0,0,131583,'c3c6d33159759b87c865b229df1cf8a3aabfc8e8');
+	INSERT INTO entry_path VALUES('/etc/sos.conf',1879,0,1596489275,0,0,131583,'5cbd6e4721d0aa2c414dacd9a00026855217df03');
+	INSERT INTO entry_path VALUES('/etc/avahi/avahi-daemon.conf',1880,0,1596489275,0,0,131583,'d5659b0d1cf6641d2c375bb797093625d7922a57');
+	INSERT INTO entry_path VALUES('/etc/avahi/etc/localtime',1881,0,1596489275,0,0,131583,'df3597a2789ae5e001bb22e74e41a3b5e75fb42a');
+	INSERT INTO entry_path VALUES('/etc/avahi/hosts',1882,0,1596489275,0,0,131583,'f151cfdba59fbf34ca9249db9990c245aa73a566');
+	INSERT INTO entry_path VALUES('/etc/at.deny',1883,0,1596489275,0,0,131583,'00e5f280bb409defe01844ac44fba191fec2ab2d');
+	INSERT INTO entry_path VALUES('/etc/auto.master',1884,0,1596489275,0,0,131583,'eae6ed390738887940dd5455e9055b9ac0847df6');
+	INSERT INTO entry_path VALUES('/etc/auto.misc',1885,0,1596489275,0,0,131583,'ce01a3d54f1a035f4af684c46adc5e8b7adb9080');
+	INSERT INTO entry_path VALUES('/etc/auto.net',1886,0,1596489275,0,0,131583,'5e61a8da42ed0d2575f236ec253039fec8b829bb');
+	INSERT INTO entry_path VALUES('/etc/auto.smb',1887,0,1596489275,0,0,131583,'4bcbf99f648a786f342a12b53ef0f6e59a193ee6');
+	INSERT INTO entry_path VALUES('/etc/autofs.conf',1888,0,1596489275,0,0,131583,'8b16d02558acc2c3768baf8bd74a7dd0f5fb61a7');
+	INSERT INTO entry_path VALUES('/etc/enscript.cfg',1889,0,1596489275,0,0,131583,'2420890d62a786ef20bf6fb593b4345f19dad659');
+	INSERT INTO entry_path VALUES('/etc/autofs_ldap_auth.conf',1890,0,1596489275,0,0,131583,'53736a6405795c79713f4af54992e6eb540ad56f');
+	INSERT INTO entry_path VALUES('/etc/mcelog/mcelog.conf',1891,0,1596489275,0,0,131583,'6081cf45e412df3d1ea27a81280966ee02a3dc35');
+	INSERT INTO entry_path VALUES('/etc/mcelog/triggers/cache-error-trigger',1892,0,1596489275,0,0,131583,'846ddf51ee42731158121d8dc13418db8ed29635');
+	INSERT INTO entry_path VALUES('/etc/mcelog/triggers/dimm-error-trigger',1893,0,1596489275,0,0,131583,'21f51394c0dc0ee9cbc4b732d6b667149ca1fe98');
+	INSERT INTO entry_path VALUES('/etc/mcelog/triggers/page-error-trigger',1894,0,1596489275,0,0,131583,'75bb472f590905e7aa56f1f6d3773e42ee0fffd1');
+	INSERT INTO entry_path VALUES('/etc/mcelog/triggers/socket-memory-error-trigger',1895,0,1596489275,0,0,131583,'c7451458016372358cb1edb35250ba062955f37c');
+	INSERT INTO entry_path VALUES('/etc/subuid-',1896,0,1596489275,0,0,131583,'378d9c3871d13d3ca595a627bafa6a5fcbba7065');
+	INSERT INTO entry_path VALUES('/etc/updatedb.conf',1897,0,1596489275,0,0,131583,'cc13717d42e975680ca4c99e599b06c85d8f6289');
+	INSERT INTO entry_path VALUES('/etc/smartmontools/smartd.conf',1898,0,1596489275,0,0,131583,'2ac3f70b76033b7c1ea9cb205bbf6661678730c8');
+	INSERT INTO entry_path VALUES('/etc/smartmontools/smartd_warning.sh',1899,0,1596489275,0,0,131583,'5a142ccbd0a8cd8acb40cd461808a5f244d7349f');
+	INSERT INTO entry_path VALUES('/etc/qemu-ga/fsfreeze-hook',1900,0,1596489275,0,0,131583,'ccd3867f638a34e564628636af42d89cfaa61c9e');
+	INSERT INTO entry_path VALUES('/etc/services.rpmnew',1901,0,1596489275,0,0,131583,'12dbfc1d95d639aa987618fc2acdd5b46a595768');
+	INSERT INTO entry_path VALUES('/etc/sudo-ldap.conf',1902,0,1596489275,0,0,131583,'557a4db79c67a96c25ce893187e7afef6ebced73');
+	INSERT INTO entry_path VALUES('/etc/sudo.conf',1903,0,1596489275,0,0,131583,'05cba9b054b9c2a27edf5c1ee6446be97bfc1f31');
+	INSERT INTO entry_path VALUES('/etc/nsswitch.conf.rpmnew',1904,0,1596489275,0,0,131583,'b7760d81ca72a551c76b8eb2b4b30ddcdd0629b5');
+	INSERT INTO entry_path VALUES('/bin',4185,0,1596489884,0,0,131583,'d4d78779b3fc938daf66c2e370fee8b40c394b5a');
+	INSERT INTO entry_path VALUES('/sbin',4186,0,1596489884,0,0,131583,'cdbc22c438201ab272c0bc486dff8654f47cbbbc');
+	CREATE TABLE entry_data (    dev INTEGER,    inode INTEGER,    size INTEGER,    perm TEXT,    attributes TEXT,    uid INTEGER,    gid INTEGER,    user_name TEXT,    group_name TEXT,    hash_md5 TEXT,    hash_sha1 TEXT,    hash_sha256 TEXT,    mtime INTEGER,    PRIMARY KEY(dev, inode));
+	INSERT INTO entry_data VALUES(2049,301,2560080,'rw-r--r--',NULL,0,0,'root','root','03a48cc9eb032c95489a8e31d9327288','dc4ea4b5e2132dc4f0d0328c4e27d443c9eda830','969216e8dfabf75993d6d990a1357211cf84d86b2366c41d0c0ab79a2f702759',1591914514);
+	INSERT INTO entry_data VALUES(2049,314,1024,'rw-------',NULL,0,0,'root','root','01dd45bc1295f596ffcc268bde53efae','012b2b2b4e906b47db267eebb27b800cd168d16f','1aaafccccaf4c79fe1b4820d8e4beb04e03be68bb9db821a2f9eb8517bd6137f',1596036742);
+	INSERT INTO entry_data VALUES(2049,119,2020,'rw-r--r--',NULL,0,0,'root','root','59f343e72863aceaf70a41f44bf9a1a3','477f80c902e94d3d290c029bdfd05e060196bff8','606effe7374f3b4b170a4efd5393e95a30d52d11277f2f4fc417ed1d7456b83d',1591914513);
+	INSERT INTO entry_data VALUES(2049,61,34048,'rw-r--r--',NULL,0,0,'root','root','281e9f03cdb05e4e2db2742f3183e3fc','f59980ac51cabecdfe8de7eabfac86803ee59a5d','253ced42fcbe930fb32b4c16a4365f0d929df6e1d2c9df7433bfaf7f18faeb2f',1591914513);
+	INSERT INTO entry_data VALUES(2049,82,11308,'rw-r--r--',NULL,0,0,'root','root','c7080e6fc1a0c57196013c2cc242c196','811ca8a2a1558ee2d365d3574d95ec77c2bc5c40','1ff1fceec8db72d629afd41c92e411d23291f6d3af0cb9cce4a894011cdc2e91',1591914513);
+	INSERT INTO entry_data VALUES(2049,127,9892,'rw-r--r--',NULL,0,0,'root','root','58697f4998bb8dc704b5187e292d2388','a429a127a635e17f2067b2e180e4e08c759b4ac9','652845879a8cf5242f419f1e343832942e7e1e32f54f84676701c78912ab4106',1591914513);
+	INSERT INTO entry_data VALUES(2049,207,22916,'rw-r--r--',NULL,0,0,'root','root','5268b747577d972ade5c02c621f4a441','35f8ab076be0c68a1cdad42417545f36a88520b2','b51b9caef7540138b08f6993e45fe156707a01ca6c77280fe6fa0b0a4d18f35d',1591914514);
+	INSERT INTO entry_data VALUES(2049,124,4672,'rw-r--r--',NULL,0,0,'root','root','afa70b69d4cb897aef3a0e01e7cfb3d0','727835f5a75fec653488915fdb671c965aa039d0','e7d1fe74955ef6af52dbb654619945fa245b48dabfe2e02d667031f37a760fc0',1591914513);
+	INSERT INTO entry_data VALUES(2049,146,14632,'rw-r--r--',NULL,0,0,'root','root','82a39322093de87079a7fb20a23df3b2','9190fb713d8d171fa3858409ddbb4b0649552c92','08e9c82ffa863028a99d714099ecce779414255e60139e4cdb155102d6091ec6',1591914513);
+	INSERT INTO entry_data VALUES(2049,160,8804,'rw-r--r--',NULL,0,0,'root','root','0dc2a7ec7b69fe8c6982db9c1c0d03f4','dee01437b5d17bc9c68329f969e3a7cceb1cc2f0','aa9be22450d237f6ae2619e2453f240bb1ddf1c7e2e5968a51957ba015a7a5b2',1591914513);
+	INSERT INTO entry_data VALUES(2049,203,2360,'rw-r--r--',NULL,0,0,'root','root','f1e936116bdfb3272d14f51e2132d311','b531c31fca8b034b7ee8626d5a325e0f981b46b1','c3b7c6b445f5b088850068c3b46f0d0b74a431b2b0bb5532568623e65fcff338',1591914514);
+	INSERT INTO entry_data VALUES(2049,179,18948,'rw-r--r--',NULL,0,0,'root','root','c59504768d00e7a7d03fc1e939e18668','eb90580f5f78ee69cae91f04fc7ab9780324ddc4','9b149eb99e1a8a6ed10d063a0a62fdd3c0e35112a23284ae617b0e0a40b0484d',1591914513);
+	INSERT INTO entry_data VALUES(2049,185,3552,'rw-r--r--',NULL,0,0,'root','root','28bbe4fc1f429ba6e0e527ee729db10f','1db83c680cd86d75c9ae6b36964e788ff63acdca','fbb3f73b373584a7ca5d5879fd9834d3a2ac60bda2618d7eb297f174eae8778c',1591914513);
+	INSERT INTO entry_data VALUES(2049,236,20772,'rw-r--r--',NULL,0,0,'root','root','477de4f769de3867c737a8c41565159d','8f3432c94472a0e5c2b7cb357ad3a210ad049493','6d77f9e6bbbc05d38e488230c04569ddfacc520c92a6c7eeb8df06b49914d776',1591914514);
+	INSERT INTO entry_data VALUES(2049,142,20912,'rw-r--r--',NULL,0,0,'root','root','96c704890329bbb877884fdae40faa91','075ce066830748eac5cfa7b30b6fd8e12232df7e','4e7684180fa5e1d36601e431f9a6de58fc2fae1ff7037e059606914e47fdbe69',1591914513);
+	INSERT INTO entry_data VALUES(2049,66,36136,'rw-r--r--',NULL,0,0,'root','root','57fef92bc93f29b82b5bac7fbc301893','f528f33098c88d18750d19307aa49d1040b3d559','2478bf35f19f8e27da6d1b5e3c6761e9fd292a9bd5fc5c7f605a2485cec1e6f6',1591914513);
+	INSERT INTO entry_data VALUES(2049,261,6708,'rw-r--r--',NULL,0,0,'root','root','61093905d769cfbff83188fe57eaf1fb','01805e3606be86ed5befb41acd169f03509ac692','edad2214c0d9a3a61329bb65f88963349ad36f5bcaa8159ad642de75358e829d',1591914514);
+	INSERT INTO entry_data VALUES(2049,153,2712,'rw-r--r--',NULL,0,0,'root','root','1e79572f4b1c96700720ccab1d63af0c','b4f2a80a9723317ef837c43fe72b02e62588c82b','68d4cf591fab2922bdabb84f981bb7cbffc47ccee69b413bab244492b4321696',1591914513);
+	INSERT INTO entry_data VALUES(2049,47,1552,'rw-r--r--',NULL,0,0,'root','root','806b4ba94db21982a155ed2fafdbe559','141bcb202a203fd4e2f50d6e92e881c74c75de3d','32662d9715a41c6e2e3678a53f2a6e7c1191b65a7700e1df3e93a1ccd9682ed7',1591914513);
+	INSERT INTO entry_data VALUES(2049,270,1748,'rw-r--r--',NULL,0,0,'root','root','1934fe136a72b87d6c9f749b2ddbf330','433bcea1e3b33278286cb7bbf31d43405be234f1','804c21321f240ff6e14fde62be2c274c2f5accd0f58c4d5516fd2aa185145cff',1591914514);
+	INSERT INTO entry_data VALUES(2049,112,7952,'rw-r--r--',NULL,0,0,'root','root','bb0cc903f87862d105bf055e8eb43024','28f896a9320e419a797a01cf626000d4b3e8d3a6','ed853483e9deba07f8b3c13e6f048a326d0aeeffa5e1ac9594543006d4d7570d',1591914513);
+	INSERT INTO entry_data VALUES(2049,65,41756,'rw-r--r--',NULL,0,0,'root','root','7d59cc8c7c816cdc7f627fcc7338ff22','71ed41f63f1b9ee16921e2233fb60aa843a1b19e','d5020a61479062ab8e894c827e740cd2f71bee557a9f77700d4dd001956c1df1',1591914513);
+	INSERT INTO entry_data VALUES(2049,194,12004,'rw-r--r--',NULL,0,0,'root','root','48ca2643a66a0d227d9259851d831166','8d3e6f04b95a4d69e366dbdf3de9908ad5de2eb5','4a36964b7b8a8145afcd515f3d618e06b4880f1985ab25333539f0b39134de80',1591914514);
+	INSERT INTO entry_data VALUES(2049,267,2600,'rw-r--r--',NULL,0,0,'root','root','55a289678146c634157260fa062b28a1','a12dc61cef249f6f5c42740377fd88b1cec381c4','6d4d8710876f737c245f3d12fe6aec11ad901179c4e9573faa8fa21400624210',1591914514);
+	INSERT INTO entry_data VALUES(2049,268,2912,'rw-r--r--',NULL,0,0,'root','root','4de009fc5918a6997df71a7f05dc4512','4715f396ef2ac73de540cb71f310c1b1dd23a1ca','4f4aff3fb268ffca872a4944fefd3c73d53de46d21013f9df23ba74905fc5e47',1591914514);
+	INSERT INTO entry_data VALUES(2049,273,6008,'rw-r--r--',NULL,0,0,'root','root','fdb16a14fc876ec8dd283a264adb6fe3','4898159e3a4d0aacea5d9065fa5f55bd18ed0be8','fa9bfbc2cfd1f94db479537716189c7f6387cc288dcb973e6be020b1b2dc7b16',1591914514);
+	INSERT INTO entry_data VALUES(2049,122,9076,'rw-r--r--',NULL,0,0,'root','root','4d81abc0f96360a92b55b0d881b4dc2f','d568129c42beba270e8e2a1ed3ca8a73daed7c7f','6ed20b95ecacf395d693e6b82b5b060d0887e4a01de37b5f64232419f2bbda0d',1591914513);
+	INSERT INTO entry_data VALUES(2049,211,99392,'rw-r--r--',NULL,0,0,'root','root','c67d69b236bf3fbfce8568722f819c3d','0fbd76c740142936d320284c95c523bff499a1b0','a8673b265f84140363881eab7180564bb11f8504b286e4ded75cd1cd56715a07',1591914514);
+	INSERT INTO entry_data VALUES(2049,133,6328,'rw-r--r--',NULL,0,0,'root','root','17cdb3c42562a3224046d60dabcd8264','16c66b4e40bf0b4e50f7de11f6d19d20273ede36','118124b13f9bc25c9ab3823a2c58a61065f6a74e8665c3a96d90f61f6718748d',1591914513);
+	INSERT INTO entry_data VALUES(2049,38,19692,'rw-r--r--',NULL,0,0,'root','root','63eda41c06dc9872e23fb9da242079b7','83fed8db8ba6aea95810c0285cca05bc79ec1cd7','b9bfe2c51c89a1cebeaa99d1e5de32ba67a7ee714171a0ac0db6c35718643724',1591914512);
+	INSERT INTO entry_data VALUES(2049,289,7116,'rw-r--r--',NULL,0,0,'root','root','e4168330f5316b681218f1410dd426b8','09820938182845c66ad28ebb8d309d57ce40e344','bf8805306bd5914d16318bbe3f7533f43c7499a2f6b1962a13de2227baa30f9d',1591914514);
+	INSERT INTO entry_data VALUES(2049,136,6032,'rw-r--r--',NULL,0,0,'root','root','d758ca6ef579771d13a9cc0e8f2f2566','4b706a05531b498937198ae4044348fb42bd2cd1','6f7873092ae5e39c2d831451aad6a85d6b4b4532624683a2f9122c89ed89064a',1591914513);
+	INSERT INTO entry_data VALUES(2049,238,5712,'rw-r--r--',NULL,0,0,'root','root','61034f0ba2801c84a00e010a95d6693d','5ab4fbc3680e53ef49d24574a7791a2a0a6d9993','256de606dbf5cdb75ddf1f1d153d72a8e9bf4735fa3dfd6ec8de7b233d328d23',1591914514);
+	INSERT INTO entry_data VALUES(2049,116,12192,'rw-r--r--',NULL,0,0,'root','root','dc36c3a136af9346320f988b23eb0251','11e1f1c50f5ee8893c482ab7c9595ac3b50f5198','fe0c1533d186388d87b4a0f9ae2ce98f9e0b7ae9174bd27291f5a81fd45c518f',1591914513);
+	INSERT INTO entry_data VALUES(2049,234,12060,'rw-r--r--',NULL,0,0,'root','root','1006aeac14de3b2033c81553168eff49','e5e27a69d5290caf68af563b24b4b76e9e8630f6','6207eabcae878261364cf50fdab99c8376595d34e8bb74a64eccac3ffd4620e6',1591914514);
+	INSERT INTO entry_data VALUES(2049,180,4212,'rw-r--r--',NULL,0,0,'root','root','f8e2981acd04f8632f2a413cc9dce01c','bbb2b1cbe782d25d3eb45a4dd8a883ba1ac63a41','a27add5af83b93dd16c3a526653b2099e26ed4f940a603ba24f55efc4f328062',1591914513);
+	INSERT INTO entry_data VALUES(2049,79,4692,'rw-r--r--',NULL,0,0,'root','root','05e67b0d4590d3e077513cb771add015','415c17c764dccc93cf97e19dcaabbec7103a2ec4','ffa7548c7a646fd9f93a1cd403c879072d57bb093e4978eda94c4b528d04b400',1591914513);
+	INSERT INTO entry_data VALUES(2049,118,24668,'rw-r--r--',NULL,0,0,'root','root','685752521203d44d90555164df1c9d87','150d8479a7543ad1acc54c78c2d1f197933740e6','8529f1af747fc0c32ba77137dd22795749eeaa5a67ab1de446c6c3b13d17aefd',1591914513);
+	INSERT INTO entry_data VALUES(2049,176,2472,'rw-r--r--',NULL,0,0,'root','root','b834f64b0dc9eae968ea21ccc2379b87','0ab4bcebf2374d9e665e1f767b15a205e8c46d4b','50908bfebf41d19bc44abe75c3651b6eee1dcec0ea53a0615a62140e6e611b9a',1591914513);
+	INSERT INTO entry_data VALUES(2049,27,13480,'rw-r--r--',NULL,0,0,'root','root','130cd9f937b338957f4079b783959228','66f40c37ef8502cc329b20ff91f4014d16db623e','9efc5d164bbc0a86bbb9295032bb252d8ad00879b3268a01e1c03be69e78fdac',1591914511);
+	INSERT INTO entry_data VALUES(2049,252,14912,'rw-r--r--',NULL,0,0,'root','root','6b15a3b0fbd232a0bde9db4ea394b537','b9d8087e27787da6606aeba53386fa8786a19991','370c8a28b1bcf61cc67e3255eccf147a3243015ec3891cd3143ef55b424198b2',1591914514);
+	INSERT INTO entry_data VALUES(2049,89,2288,'rw-r--r--',NULL,0,0,'root','root','75914ab73d0f43f09424481893f39e36','e9f59559b5188d39f20d7d60af77cc63f36f7f2e','5f0444b8232e7c8e47a151a09d8cab3b794057d8432ebc97f512af406fa3d291',1591914513);
+	INSERT INTO entry_data VALUES(2049,193,2648,'rw-r--r--',NULL,0,0,'root','root','5b24c74f2d9b688a88fbcd0b76e1ec71','7b64f71dc44f1bcf0f5be039e37ec4a66525ee3c','f26513fbdd54dc2aa9e03341be711d83e5a92caa8c116af3911a479c4f543643',1591914514);
+	INSERT INTO entry_data VALUES(2049,159,2340,'rw-r--r--',NULL,0,0,'root','root','7ab25de71f80a81143e72f2ae47617ad','8d5da4f1891b5f688f743ec8fda6eb0bc4ef40b0','15523e1a33eb96f9f5814cb6f90ed64b2814ac1f2a7d6f74a149d2b876acf7dd',1591914513);
+	INSERT INTO entry_data VALUES(2049,254,708,'rw-r--r--',NULL,0,0,'root','root','aa7d699dd96b908af72e9c4dde667d99','e78f331a518958f916d22157c42242ad758ca9bd','96d6695f91d5b2558ccd726d41cb116236f96a97edb7a367c4393827014c42ef',1591914514);
+	INSERT INTO entry_data VALUES(2049,200,40980,'rw-r--r--',NULL,0,0,'root','root','7307198ab7fc679d9090f12d66b24207','96445e989f92b26f18ab400215259e7ea76e72c2','53a6ce0b1b1a818af9fc2a9010b2d4afac2c495e27cec65f06bd81843e04231b',1591914514);
+	INSERT INTO entry_data VALUES(2049,51,6704,'rw-r--r--',NULL,0,0,'root','root','091bbc66905d0a2a8671a94f485c4a00','9a70c36188e3f7580b71a22e2beeb47c081e36a5','e3ef6787acd48651a18ddb15f9ce44f03c8edb95d7745a812f873367e2e3c14b',1591914513);
+	INSERT INTO entry_data VALUES(2049,105,11040,'rw-r--r--',NULL,0,0,'root','root','087074d8a8510c460229e1b8ed8df063','8aa718d943a7c6b19b3b5d25d7c2fd41d058e623','e86b5555be670ea5de58fbc011fea83f480e194bf5a02be841666eee42ee2664',1591914513);
+	INSERT INTO entry_data VALUES(2049,298,202,'rw-r--r--',NULL,0,0,'root','root','856085d1f37cba1306b52fc4e83e5c99','6c7060768d902648afecbd6009403855f8e65297','9c52240a53b4c310abd3532a41f46ffa229585bc85b1607b8b604e4ce242ade8',1591914514);
+	INSERT INTO entry_data VALUES(2049,36,6344,'rw-r--r--',NULL,0,0,'root','root','02354770e6e355e93a27fe5483b5b8e1','60b5fef713b7099af56c89ec735067ce32110447','811e1e69b8cfdb268877293b607ca761d6989fa016175a46bc30c506961a8733',1591914512);
+	INSERT INTO entry_data VALUES(2049,275,8696,'rw-r--r--',NULL,0,0,'root','root','f63dfeff16de99835380668045004564','1c0b9b2c430636b01ef0a641dc319ed40e6ab752','5aed506157d8a76e6f17be193a07f1ab0166210d6cdd0c52c327e74b0bceaeb4',1591914514);
+	INSERT INTO entry_data VALUES(2049,245,2896,'rw-r--r--',NULL,0,0,'root','root','8c9a49b29fab3c6b00c0735f374b7f39','ef314779804783cc13f9710ce1f1a9de884c9043','7ff78dda2475e304bfc56f3cc6b1db7e2333ebda68a181720cecd2fdbc48fd38',1591914514);
+	INSERT INTO entry_data VALUES(2049,157,10264,'rw-r--r--',NULL,0,0,'root','root','65a04b5658721d339411f010504df3bf','291b96799bd61ede7e77e103b17d38c0d6807f4e','18902fcc191452ee8f9cffc653246c56c64b8fe38cb8f9f5984427960b9262e8',1591914513);
+	INSERT INTO entry_data VALUES(2049,43,5536,'rw-r--r--',NULL,0,0,'root','root','a452fa2917a35fce96e5018d1472c61d','5e49e21990df10d75a11df63ad2e513ec526b2d4','4b8cfb4cfcd8b5c3d4c4734ce8e26398532d1d26274b7abae865303831055952',1591914513);
+	INSERT INTO entry_data VALUES(2049,195,7424,'rw-r--r--',NULL,0,0,'root','root','91a61848380ad5e2441449b4a91f8a15','106588542f8d3c38864732e06e361570ed88b3cf','5457825d6e52e3c185c855d9abbbcdd2b136d633a3178aa8e7101db56d0bfdca',1591914514);
+	INSERT INTO entry_data VALUES(2049,101,3556,'rw-r--r--',NULL,0,0,'root','root','2d0f1991e6565fa85252e0f3b760929e','70830fbf303dce625f572aa72eab00571314b796','e93bdaf956a0d78c934d5cc89225b0baa8fcbb1206a0cc7a660d346a97ca6064',1591914513);
+	INSERT INTO entry_data VALUES(2049,110,20936,'rw-r--r--',NULL,0,0,'root','root','147980d4b6c2e4b200f4361047bb29e8','51a532d550217341025fdc3718d7ab463abd16da','759c6e92974a2f029cca9c413e4b786f1024e415e8d7d9303a6e4b23dd0f41cc',1591914513);
+	INSERT INTO entry_data VALUES(2049,156,5456,'rw-r--r--',NULL,0,0,'root','root','ee9f4bfd14e926af0557d5eba6e6a874','5f72ec7ea78be48f13861563515052abec3ca8a3','1860e09d4377d1e966c3d9c92fd65abcc5f23d3433ea0bccd9076e22002a5a68',1591914513);
+	INSERT INTO entry_data VALUES(2049,70,2836,'rw-r--r--',NULL,0,0,'root','root','845d4084cea6a95b128070a913a9390c','1b89d9f3a7b9a418ff6fe16382318a0af736d8ed','94d19310dadd71aaf858ebd21872b281fc3135e303bff9de96190d02d252c720',1591914513);
+	INSERT INTO entry_data VALUES(2049,56,1736,'rw-r--r--',NULL,0,0,'root','root','7d476c0a29e4b35e6c218d50dabc0737','6d4b958dd2ffb6133bc795141aa332e217a2a176','1dcca4b7a3ee8d476a497c26d06d8206541e4629636b19c5f2558f77c2655189',1591914513);
+	INSERT INTO entry_data VALUES(2049,74,5076,'rw-r--r--',NULL,0,0,'root','root','2c3321e2243ef308cb116d65af05a37c','9c767d8d4a587b93ec45090a80cd35cc0962d04a','d21c70e52adee054da3f92b8c89cf817107e6d9c192b0712830bc1d7567df4a9',1591914513);
+	INSERT INTO entry_data VALUES(2049,225,3500,'rw-r--r--',NULL,0,0,'root','root','c7c40102b6b1b504a5ed3f451bd05fc7','ac32b590d7f5a870a7553914906897a809bc31f0','022f440e6fa396a29c5b876852b52f98c143f3d72bc83f83d1977c2cddd70ff8',1591914514);
+	INSERT INTO entry_data VALUES(2049,201,4924,'rw-r--r--',NULL,0,0,'root','root','2dec4186e702e20b549ae0154478853f','db3723022436981a3c856f4527865d4a780f3bad','dac821ed5b03b0328bd2c78741929c8b103b25a67cedc3535c6a84285e853953',1591914514);
+	INSERT INTO entry_data VALUES(2049,57,2732,'rw-r--r--',NULL,0,0,'root','root','0be7ee4eb740afc08926cfa7a6551c83','eb78c0b570fc92fe4b561254573e2bc5bfc61058','61ff1dbb761e6d8c3c040cd665fff31516708083af88dc888d4b970a382c73be',1591914513);
+	INSERT INTO entry_data VALUES(2049,274,2948,'rw-r--r--',NULL,0,0,'root','root','52128af2ee3c2295164891889d6f1587','43dc8c4eed0b4870d404c139c2d98bfd61cd613c','d99609814fa4982703b4d20f6d875a5878ca9532d1563aad906db2d1d988d733',1591914514);
+	INSERT INTO entry_data VALUES(2049,287,26196,'rw-r--r--',NULL,0,0,'root','root','8b87eb82b520ba54fa70719d1cb4e53c','bc9b2d3b2b344639f15ce8de077b3ceb1081e583','d75dfc86d18b9d3d094bb5c87cd4386008196013b9a6858837fcbc9fc93e0d2b',1591914514);
+	INSERT INTO entry_data VALUES(2049,279,34228,'rw-r--r--',NULL,0,0,'root','root','5c95c97c8d23a44641e386d76c82715d','23585dca6d91872cf96864d936c91876ab55a60c','0946d9f58bd46eb04a4ab96ee090513a27f10af2f6458d0ed5e46d88c44c9592',1591914514);
+	INSERT INTO entry_data VALUES(2049,266,4588,'rw-r--r--',NULL,0,0,'root','root','47a67e4715e724f7d77909961cbdcb0a','89dd65f9219861fbe08828f54aa1af075336592b','2c1ee13a3dbe2a76fb17eb5ca4ae008fa74eb141657e737886fdf269c53fd660',1591914514);
+	INSERT INTO entry_data VALUES(2049,151,2372,'rw-r--r--',NULL,0,0,'root','root','e273c4b0e4420e207d6bd7856dc54bb2','aa1da4f451e2e3cfb0b59d9596b6d97b896197c5','a55f82508cd3e0f3f08c276fe6be59137cc26a39fec6dc5c7a1ad1e38ddd1aca',1591914513);
+	INSERT INTO entry_data VALUES(2049,276,8124,'rw-r--r--',NULL,0,0,'root','root','bf5be9d6861e646ac3287820d8549679','bced8ddb346b1cf3416b684f5dcabde55583c316','902f46572c49a60e6f9db32c54873979be48e60fbac773753cee05e4351464bc',1591914514);
+	INSERT INTO entry_data VALUES(2049,171,2408,'rw-r--r--',NULL,0,0,'root','root','f0b6ad7ce5be3c8412b08d1c78e28dad','1b9f0c882068110ae942de2af81affaa0c83f94b','abd90c56dd5fae54cc69a0fd38fac5ec1c2d242159b6371b7c3931d9d7b1e255',1591914513);
+	INSERT INTO entry_data VALUES(2049,297,936,'rw-r--r--',NULL,0,0,'root','root','6a3f58db454b17a0a339323b3e134a6b','ff00d28114398cf1a052329494d63aceeb8ff29a','1b766f38a94927fe9b7bc1e809f0363e778e14c601e800faea271a2e75d3fc43',1591914514);
+	INSERT INTO entry_data VALUES(2049,104,2016,'rw-r--r--',NULL,0,0,'root','root','8123280da16b60f0b0850ff4fec97d20','8a9b299469a27335736ebfc745c42a3aea53df0b','ad74b71c4240ad99c4e4f1f89803f67b2be61c7bdfc26471d9e9fecdcdb3b936',1591914513);
+	INSERT INTO entry_data VALUES(2049,255,5840,'rw-r--r--',NULL,0,0,'root','root','faac555da5ba1bf9b79118dfe35577aa','4bd55006227670fa0ef7f2b6b662c700597f0eac','1b57e5178667c60811211ccd22ca3e159b11080f66189bfd4dcbf516a6375821',1591914514);
+	INSERT INTO entry_data VALUES(2049,69,7604,'rw-r--r--',NULL,0,0,'root','root','628b12ea71368320536baec53de60d11','a1756ba855b30cc2b9603249452170f795577d19','4058bc095c3a095840cbb58dc65544077a630fc184849b16f6cd044d17c21c83',1591914513);
+	INSERT INTO entry_data VALUES(2049,263,1712,'rw-r--r--',NULL,0,0,'root','root','35f76af9bc3e340536dbe6b8b5311b49','703eaf75ac46641c7e3cb875cab3f81317a347cb','8d9c7f2cc2458659e148d54c16c69f616d9176af013d62d3259f9f9e719d2a56',1591914514);
+	INSERT INTO entry_data VALUES(2049,206,1664,'rw-r--r--',NULL,0,0,'root','root','19ea516f1cc1ce88f14a1d3208d8888d','bfc784e39a5ba239828cfa4bde75d03bcbbf7e39','603a92f93cc0c9590bf8a32bcf905549cc7f5b59b6c166c11370236ddc5773eb',1591914514);
+	INSERT INTO entry_data VALUES(2049,63,7612,'rw-r--r--',NULL,0,0,'root','root','7ef60e13f4a57d85903ebf0e4e238236','83fe7aa709de8ec75b8065cd58c82cbb70acc34f','391edd3292d41dd2ef283fc3b12a54677b8e73dc292d0c35f215d2594dda1909',1591914513);
+	INSERT INTO entry_data VALUES(2049,253,10292,'rw-r--r--',NULL,0,0,'root','root','570c96acb80617a50c5d953f13f295bb','bc2bd64aec4eff4e7042538691949b3b7c99b3e5','25c6d2996b4e934fd69a8e7d02848b84e06fbd2c53ac67ba0d8dd0fbfac9b862',1591914514);
+	INSERT INTO entry_data VALUES(2049,111,13760,'rw-r--r--',NULL,0,0,'root','root','7f0b1bd11e2c0d01aa65d41fe3768c7d','5d09f1bbc7ee6b4ed765dba1250a9fec48f7e834','9121f9c1d046955f7583543a72e9f61e60c895b3fd0e7a79ec6948e74a5c4342',1591914513);
+	INSERT INTO entry_data VALUES(2049,282,2572,'rw-r--r--',NULL,0,0,'root','root','f44b9b14e15fd24bef582368bae892c5','3972820d4a7a0a3c32bc17342e1961a225fd6e5d','c140a6b27c1bd88c475e647502aced79b065ffcecebf1d250880ef677567b1a2',1591914514);
+	INSERT INTO entry_data VALUES(2049,128,1292,'rw-r--r--',NULL,0,0,'root','root','76607153251da8100dd0712664351342','96050f165f8dac8bc88de843b50ab0d568106302','f13772335d78ed62a4cacc80118d70863c76d364061154b3c6b7ef7090d4ba41',1591914513);
+	INSERT INTO entry_data VALUES(2049,72,3592,'rw-r--r--',NULL,0,0,'root','root','7da6cdb0ed8603d199de0dcaa0311950','c87f12c532c1335f54695a56be33209a3f48d8a9','22d8a3a61a42a28ecf32e87f18096eecc3a268fdb2e8a2751142221df4ab7536',1591914513);
+	INSERT INTO entry_data VALUES(2049,233,2232,'rw-r--r--',NULL,0,0,'root','root','df470e584bbabb34b91d72d433c97ac3','cc8dab7b5ceab98b2c4627d5726ff634886e2ee8','e43e9b621ada1bd053e18c87bb6f399809ee8916b949f3a12cd5a00b77ea2964',1591914514);
+	INSERT INTO entry_data VALUES(2049,235,2528,'rw-r--r--',NULL,0,0,'root','root','bcb4a210dd0f9bfb2eee98789316acb6','bc73baf67143ca2c2d7d03c350d713c47c630df1','5094e530a39b5cfd6e89a0815d4359d2e8f1fa0afb03df4405726c5c13a00932',1591914514);
+	INSERT INTO entry_data VALUES(2049,249,2032,'rw-r--r--',NULL,0,0,'root','root','ac1e22a175f6e233888a4d216801bd87','6aa3b9ffde1021ec1a6b1ab2bd2b43e87128bf50','abd4964813dc6a32a10b585fb8c24380cce97277b127ac8e196319c7bb36cd20',1591914514);
+	INSERT INTO entry_data VALUES(2049,242,4364,'rw-r--r--',NULL,0,0,'root','root','d16a25638814bcf67ce979b788d8b586','b9e965471835890dfce0dca8bd55de66653d8f27','3e1632f075b829bdae3a378a3044eb5253350f3b514b608a4256d385c2be3bce',1591914514);
+	INSERT INTO entry_data VALUES(2049,78,3032,'rw-r--r--',NULL,0,0,'root','root','8a0c782c9a19904fe860e2340e56dc4f','77c3547862ac12e3fa517da8945d2e257284fe2a','a674ac9344ed92be4ea5733227b0b5ee8f7fbaa33a01829079e8a984d07650dd',1591914513);
+	INSERT INTO entry_data VALUES(2049,250,8124,'rw-r--r--',NULL,0,0,'root','root','c6b7f555f72d77087ca7264bceb1910a','4f2e01ba2504a7161fbd8ffa635b2f7ba1bb3091','73c35d23f7ed24d22fb89e487f74d10ca2df1dde96ba4ec3bdd90fb50c720837',1591914514);
+	INSERT INTO entry_data VALUES(2049,84,4432,'rw-r--r--',NULL,0,0,'root','root','36ba6a9009a6bd32c5a776d82cb7cde9','c437a6a61901d2d71d86ca8cbd7de52c63228d1f','78a0cf3f04e73c4e607327576f8f77c57d3386b5941bfe40e7011d3b2b817ed5',1591914513);
+	INSERT INTO entry_data VALUES(2049,99,3052,'rw-r--r--',NULL,0,0,'root','root','d33848822a61a0faa77ca4166c8879f7','40cdef2d6f893ebea93618a82e8c47fb308f2909','65155b13de4577b9e888f58112c98191efe6fc4ffdbd4a4e30b36b94ec905452',1591914513);
+	INSERT INTO entry_data VALUES(2049,154,2072,'rw-r--r--',NULL,0,0,'root','root','ad29c9c2a4bc8a3f2d5bb681ebce4104','8ac30a81171073bff84877b683cd25209152e4d4','e98fcdc453a7c33bbba0e2ecffa30337a93a0052e90fb8199ea77a39dc1e7e11',1591914513);
+	INSERT INTO entry_data VALUES(2049,109,6436,'rw-r--r--',NULL,0,0,'root','root','f9c423fa9f3d50a1c232f5e84336e796','eb76fab4c27b1a2c6e2a50116edee3fbdeb36151','e6d28f9bbaf10ef5133615d29c8ed125dd662648c003c77d744627707b666a6f',1591914513);
+	INSERT INTO entry_data VALUES(2049,186,5716,'rw-r--r--',NULL,0,0,'root','root','f5ba69072b718efcf1a247801c86c8a2','bc8576bfde167373274b44aa0555fcce28c307bd','ab460da5a38078b938ce53562d0e9f409ab26352350ec3ca20cf187d8c7885d7',1591914513);
+	INSERT INTO entry_data VALUES(2049,187,3092,'rw-r--r--',NULL,0,0,'root','root','6937dfac9ea790e17fd422c235ed506d','4a479881fc54532c088e33ef056dd088186d13f3','3a8b51b257e9ace31b3d5a5a6851eb736f36f284e3a874e48dd951c231d81677',1591914513);
+	INSERT INTO entry_data VALUES(2049,223,2944,'rw-r--r--',NULL,0,0,'root','root','97a3e4b3937ff435f68cfb63c9f659ff','e37d98413f23d5ee43f25a56ec095210c8404026','386c2f4afb271d91ce946c7bbef1f2b7820fb032cb9fcfef38ea2ae1d480bf5b',1591914514);
+	INSERT INTO entry_data VALUES(2049,262,9852,'rw-r--r--',NULL,0,0,'root','root','a868b464414cb6597c483848fda994ff','570820ba2ef3ab9ad6ea8d7090a6312bf19eb47b','0b83dc566fb4221d5ce1554c13ba70583ac9721c945072a193e0dabf3ed0e125',1591914514);
+	INSERT INTO entry_data VALUES(2049,97,52224,'rw-r--r--',NULL,0,0,'root','root','389c8a4beb6a05e4d1b9d9ab21cdddae','ad8f186eddea1e64f0ea1354642533ec0cf3c94d','4e02af9188cf068bc9d12d0ae6cc33af91aa906327ee1295b7b0ec2fdc98a543',1591914513);
+	INSERT INTO entry_data VALUES(2049,144,3084,'rw-r--r--',NULL,0,0,'root','root','d730cdf309c94983fec7ff9e74ce6ceb','ab654da61b4b7985fe59b11829d70c418dcbe72d','6cbd20ed32694b3edf2bb9fb74588914e6e732223d5570cec69fa40d6afc3467',1591914513);
+	INSERT INTO entry_data VALUES(2049,31,7352,'rw-r--r--',NULL,0,0,'root','root','d749fcaca89b13121f60b4c0602ed9ea','ee100990ae90710d032f969a42b5948fad538170','76f6a2f6ff62a6d08f07d9b9a2db9e75215088c68d88bb763b4a97930811c6f3',1591914511);
+	INSERT INTO entry_data VALUES(2049,197,1844,'rw-r--r--',NULL,0,0,'root','root','0e8af73499e5df158dd021d1464ba661','bb3cec3335264a5ca8317d2c7889d6ca939e78b4','fb4aae2ea083c3bff5a3f5bf88ff572f564b0d3fbbed94c3f1900e299f6c4149',1591914514);
+	INSERT INTO entry_data VALUES(2049,259,3644,'rw-r--r--',NULL,0,0,'root','root','47b6b6dc4753a13e7a0efa03298644fa','8c2823cad2abac17bba7abd5edfede87b950f569','7ebf4f74af0d01f5553d7744d6d2ad1b8eef0ab14da1b6f4f97b6bfba2c6e221',1591914514);
+	INSERT INTO entry_data VALUES(2049,284,36188,'rw-r--r--',NULL,0,0,'root','root','015bd95e5f4f5134e5e3e49e190af5f0','b16968adb0e56b844a8626416b2b7667981125b6','c5fa0b350d35195173168c5e796038db2c69773ae866039dc628e2d7c958b77e',1591914514);
+	INSERT INTO entry_data VALUES(2049,54,5840,'rw-r--r--',NULL,0,0,'root','root','4c07689dc6bd8d872952d9b944556099','441ed1b63c0b3d2a2c6060dfdef31b189d473a9f','6caf2d91a2b4582c3318ea6e9f02fe6fa5cdd3587f7ab3e4fb25e92a8f28b14c',1591914513);
+	INSERT INTO entry_data VALUES(2049,86,3256,'rw-r--r--',NULL,0,0,'root','root','95edc895591371aa6763577a8be20a9c','562ce8a31925cfbe26ff48e75646df7352cf9a90','d992f0cd145897beda07c1f1812808bab8d7a730c0ca593a07b5bd9eaf7f6372',1591914513);
+	INSERT INTO entry_data VALUES(2049,117,2600,'rw-r--r--',NULL,0,0,'root','root','2a04d434afac0a3120531bfdfe0d6a76','3f4f9ef29eaa489628a3f454c372a4ce3d1424e8','888f7813c183c06af903f40a273932480fa3dc10dfa200054e552125ce55d6ff',1591914513);
+	INSERT INTO entry_data VALUES(2049,131,1540,'rw-r--r--',NULL,0,0,'root','root','7ad5af67f4f34c8677075c517e137d71','0c0f81f7259c1a89d946a8acbd14e419bd7c0a96','9d3062953414ad02999c47684236e94821c3b8f50ebb3b1b75d92125150502ea',1591914513);
+	INSERT INTO entry_data VALUES(2049,202,2960,'rw-r--r--',NULL,0,0,'root','root','98e89393cb3ab0feedef272c4b4ba655','eb839ddd9dbf5aa41f334d0d8f08c745f116e6f1','86f7003937d94c6cc01d3e7a770f0bc0e7370c15effb0c1a219ac330f4858896',1591914514);
+	INSERT INTO entry_data VALUES(2049,293,219,'rw-r--r--',NULL,0,0,'root','root','4f72bc2bcabe379b4fe0f7e1bbd03c04','f091655c7ac7314eb0df21931415de47628d621f','32fc7f5de8c0a5dc0b1e7eb609ca31a77eb3475539e1d97a4543dca1b9b26c57',1591914514);
+	INSERT INTO entry_data VALUES(2049,240,6776,'rw-r--r--',NULL,0,0,'root','root','0899342c40744f1151bd3d373e1b1930','c0bc100b01937c883effc6f91e6bce6634ced009','8ff5ca878f24bb5fb03e86cb9de6dd32fd320d67cf12d0d91c9b9dd99195475e',1591914514);
+	INSERT INTO entry_data VALUES(2049,218,7260,'rw-r--r--',NULL,0,0,'root','root','ec4cfcc5d69649724e75d16840810855','da46b87c67d7e843828023e8b3951611b61745f1','673428122b278d2992058df147120345a1963f68e96ad587515377daea11d7ef',1591914514);
+	INSERT INTO entry_data VALUES(2049,264,7172,'rw-r--r--',NULL,0,0,'root','root','df38d83bbb5d7ca336324a0c0228a6fa','1f45a325e73270989a8cd4fbba66eb9d5d78b186','4cbfc3d5a40d6c651113915f6fa67de1e27f388ec8cfffa1a1cd782b21844950',1591914514);
+	INSERT INTO entry_data VALUES(2049,45,7792,'rw-r--r--',NULL,0,0,'root','root','15139b32c839b605ab2c50ca26705562','69d3b97faaff6d000d974fc3c9161732c5c110c2','ea0cb5407e2759fe951e9fcc1d046d0f882dce5b5392dd8e760965ab7d5cc665',1591914513);
+	INSERT INTO entry_data VALUES(2049,170,3328,'rw-r--r--',NULL,0,0,'root','root','32368fee58bf4ebf42d6f1cbe71714f7','6ea5fe302e40ac3137428cfc9d0e4d9d6f90f5a0','8e885d16b5123354efa1c24f5a3864bc7aed0f958efc2731943115cd3c48d124',1591914513);
+	INSERT INTO entry_data VALUES(2049,286,2168,'rw-r--r--',NULL,0,0,'root','root','533c613858017ef63fc4efdb98783a33','dcc76680c346e681d11e3024efbdfee6793cca99','637ddcf848564260504334bce6b388547f14f1f0395f7f974346036f2a853348',1591914514);
+	INSERT INTO entry_data VALUES(2049,290,7412,'rw-r--r--',NULL,0,0,'root','root','36dc70e11515ecf4b6d7a68a7ede5ffc','bd3762b13efc1d2a77f9b3198e05431b319499a0','828233e63344b36ff9a03e5ad6ef1883563d6fe907dfde3f09a190f6c8a869f6',1591914514);
+	INSERT INTO entry_data VALUES(2049,166,4396,'rw-r--r--',NULL,0,0,'root','root','4e6ec7f95eb74d414a949011a648d94b','22f3c9201680196acca79f6752590a553e0a126a','34c1b9257cda8aa4be2af40130f7ab6de945dbe8993fc1b52ad05f56fa5d494f',1591914513);
+	INSERT INTO entry_data VALUES(2049,163,7380,'rw-r--r--',NULL,0,0,'root','root','b87f69d0ba2ad5c716e64f0ef77b30fe','32f3a4985f905955836bc3dfae0c0decbe2457ac','a7ea07f5719b01f9706d033ce1112fccdd628d406f2b907c21ae36536cde0b17',1591914513);
+	INSERT INTO entry_data VALUES(2049,303,30422,'rw-r--r--',NULL,0,0,'root','root','93f3dba1287b5362f96be88b15578578','6684cb02a1fc23bf3ca328b18891546a15612c49','5f5d7a3020c0236db56b0ccfbbc135cc406e2080463d9f5ee8dbb195fc8d7904',1591914514);
+	INSERT INTO entry_data VALUES(2049,172,10408,'rw-r--r--',NULL,0,0,'root','root','b4933937f772a59d85383a0d02cf0dc0','8e8d995426adcf70313890cc04a1dd9f0410bb15','59e5e0fdb28a733d2b2a45b4c2f136ffa30342f6c212a15d4aecdd3799091a3a',1591914513);
+	INSERT INTO entry_data VALUES(2049,243,2628,'rw-r--r--',NULL,0,0,'root','root','13a7460561e46a968e5e58bc0be99f88','baee29c3fb60ea23e072b16624adf44a02529e37','e321b6df0666815209fd85988c25967802512d9402cf89a752e793c0672835e1',1591914514);
+	INSERT INTO entry_data VALUES(2049,208,2932,'rw-r--r--',NULL,0,0,'root','root','f9dba136b325a74ad795d6d09ac1110c','8e22c2b8affe558d76e37b7f5050b899666f248a','491d86bcbab644aa20e260576681bc66ed55f5d9d55f6373f48a69d1d670c13b',1591914514);
+	INSERT INTO entry_data VALUES(2049,76,4104,'rw-r--r--',NULL,0,0,'root','root','a61a14818df5d7a58056de8c19a36b1c','7fb8153cfc1f3ac25459d35ee8086b248ce79744','15146d8c71732faccafc1e4ff386d37388ab65610bd1a733d9828c67d5eda2e1',1591914513);
+	INSERT INTO entry_data VALUES(2049,33,9200,'rw-r--r--',NULL,0,0,'root','root','323c35347cb4aa946e9891b645f8b522','d441c1f806e168ecbc72ee46306d909cf43fd7d2','5c81eb976d99ab4a788eee3fdefeeee314ab99ff27fb4fd88c6a2302430b4772',1591914512);
+	INSERT INTO entry_data VALUES(2049,173,2472,'rw-r--r--',NULL,0,0,'root','root','c47511d0407e22045745cb5edcd66e94','6d4203d50e6e32d0a50d175ddb02e7a4048a4f43','03ef41f156c1bfdd689671819e71d45554a03274c7f6ad5fcbf482a6896e2c46',1591914513);
+	INSERT INTO entry_data VALUES(2049,55,5724,'rw-r--r--',NULL,0,0,'root','root','8a81c3ec50cb0340417ea5cc541ed113','8b61e272a041f29a96364c86a2fb579cfe8c05e2','a03ba9d21edcbe793fc433a09a084ba0994de2b3f2f6d61d7f08467c24be0dd5',1591914513);
+	INSERT INTO entry_data VALUES(2049,147,3308,'rw-r--r--',NULL,0,0,'root','root','92516445a47781ebcf36d6db4e32ee77','c7b4d4c83b620a1058b4cf3c20fa7150a0c182b8','a6df8f7db7db771c69a2ac69c7491ca647ae9e5c18ed0973d7d225ff458bc9ff',1591914513);
+	INSERT INTO entry_data VALUES(2049,265,2392,'rw-r--r--',NULL,0,0,'root','root','0b3d603798719a255d601c2fdc28a557','82e4ddcf3ac424fa072a10a8a08633f8a07e27ec','15752fe5bff9b98f0fa9920fd830a75185ba842523761380fa2bbdd479fe8227',1591914514);
+	INSERT INTO entry_data VALUES(2049,181,7752,'rw-r--r--',NULL,0,0,'root','root','3457239b61fa38dc5e15852ca97b0d8d','1142f09c37aa155ef991c5c1512b853175b13f9e','ad6273b8e89df6b7688180f8d881d11e0cdd56483b243242d37ea8aeda1f04f2',1591914513);
+	INSERT INTO entry_data VALUES(2049,75,12516,'rw-r--r--',NULL,0,0,'root','root','ed6ace0c639216a58bc3247d244bb632','903f0726d8c777efecfd3fab49432f9bbf25f102','b1f6e86d9cf82e04dfa6603514e26a3777fb375015c90d0930e608593fd0a81d',1591914513);
+	INSERT INTO entry_data VALUES(2049,58,15256,'rw-r--r--',NULL,0,0,'root','root','4995de58c2188402d93341affda0a3f8','df0a880e027c3ca3cc13d6ec321d421d1431ae54','860be74c529f53d5709d3d7af6eb8960ebbd3c432148acabf23b4d5502a38942',1591914513);
+	INSERT INTO entry_data VALUES(2049,64,26724,'rw-r--r--',NULL,0,0,'root','root','57c52d03e06f89e5489898bbbac17a60','7729377d4186fe40e718150cafcb088e6ab5be4e','fa17f704ba719ac423b933113f11c3c09f1693d77b473347cf419d9db28a9dd0',1591914513);
+	INSERT INTO entry_data VALUES(2049,93,11908,'rw-r--r--',NULL,0,0,'root','root','47a9925c203cef75110d91c43e77ec96','e1216872a7fd6704052bfada53b4f65b181273d1','bfc6e3ef7940f499a23129f597346ef1dad2a632bf57370a6881a91cdee06392',1591914513);
+	INSERT INTO entry_data VALUES(2049,81,3344,'rw-r--r--',NULL,0,0,'root','root','dde30f8f8e9161b03e82a814b620ef82','fc8f1445513a44f09135fba91a93536165133012','8133cbda0cb057326dd7949c523fa190efd33cdba7c4e25890c3a0b6028931b0',1591914513);
+	INSERT INTO entry_data VALUES(2049,28,3920,'rw-r--r--',NULL,0,0,'root','root','63d0339465de881f2ca9c9cf62e7687f','840d2ca1e668b602e12e5903ae74e92cf7abb75f','f88bad87445f8d768fe80fcdb8fb4e7d83115a53e24b6de769b597d19d703244',1591914511);
+	INSERT INTO entry_data VALUES(2049,125,4336,'rw-r--r--',NULL,0,0,'root','root','ea2dd384c17ceb03cb807cb3620fc925','5495a74e4efabd9f79a0d502fecbd810ad6dd82f','8f4fab608faae15731005a1fb30d139ae8f1b71fea8b57b9986909fa111a4968',1591914513);
+	INSERT INTO entry_data VALUES(2049,288,57820,'rw-r--r--',NULL,0,0,'root','root','2634fd2bc16da70d140cf60cc2736005','f92c7bd4c965b8d69c0113f953a4b6b354711892','b95aed744ce3236baa5a5d42e04e653c493a17f1fc0601c5de733a38aad8ccab',1591914514);
+	INSERT INTO entry_data VALUES(2049,229,14224,'rw-r--r--',NULL,0,0,'root','root','d6dafa318b34fa10072b2c529a42aec3','b252e9a40ae3a472277681696cea5f17f4777df1','322d038968712e926785898e48a5c9ae17b99a8c45ae05d57a38f9d4ff4ebb6d',1591914514);
+	INSERT INTO entry_data VALUES(2049,304,512,'rw-r--r--',NULL,0,0,'root','root','9201847872c0184eca7085a2819546cb','9d8531cc219e8122e3a36a3ae423495bad85b3b3','9663c79ce83646cc98ce1b498c28d40fc234e32688b240d617ead616732f5206',1591914514);
+	INSERT INTO entry_data VALUES(2049,285,2724,'rw-r--r--',NULL,0,0,'root','root','7400ea42998a002c3c718f83991a2fd0','04b2206589df14d54f90712c909893edbcf8cfec','b76bed0f10b964912eabf6353fa78ef5802ea4b14085139387c70bf0db8742ac',1591914514);
+	INSERT INTO entry_data VALUES(2049,212,1448,'rw-r--r--',NULL,0,0,'root','root','3107bafad36da00be6f27fc99f130695','0611603c7d44e6951d639f1f25e89deccbb8f203','53bdd852d4bed0a5e8afc72a6dca59c00d6175827db8af7f176a87cfeb1bb192',1591914514);
+	INSERT INTO entry_data VALUES(2049,155,2512,'rw-r--r--',NULL,0,0,'root','root','033b21cbf5e35b31047d761304174c37','284574b92cbefd01c6b7e4913f782cae77e0f862','65a6a0a19c15c288dce534bd2df039dcd3d2da5cdf9421c0f1db95442c9b1ba0',1591914513);
+	INSERT INTO entry_data VALUES(2049,292,3932,'rw-r--r--',NULL,0,0,'root','root','f37fdf5f3bfbee1e553e417766605988','46dbea9083be34c81a33d74edbf978949e8ad578','efee2bfceeb07ba53811b68152bb569f552e848a784374ee2d2d06832ea0ce8b',1591914514);
+	INSERT INTO entry_data VALUES(2049,257,2224,'rw-r--r--',NULL,0,0,'root','root','d5c899fb82eb1959c106fe7da2e912a7','e846efab7c2f9bda6fc6d24c72468cb3ad4e2735','2dccb2ac84cb19cbb63384a15ae80b7ea4717fe5d5867d0df6a9b4a8a0122e58',1591914514);
+	INSERT INTO entry_data VALUES(2049,196,6440,'rw-r--r--',NULL,0,0,'root','root','6e86fff250fe337626974395ea23fbbe','e7abc0d33eeca5c3911fd7c51d84c399947002ef','e8347423e5c830335cb536c6301669417c150cb834cc8a97fde3dcc2efc17191',1591914514);
+	INSERT INTO entry_data VALUES(2049,210,1872,'rw-r--r--',NULL,0,0,'root','root','c8c985c232bf12a4d8dd4526414e5dee','c09a3f81782c8d2b55b4ce6f2c0849525944d299','a9956f533ec0fd2ad751846034df6965d943757d9ce28b6f39bc7edb1e374060',1591914514);
+	INSERT INTO entry_data VALUES(2049,231,2100,'rw-r--r--',NULL,0,0,'root','root','4e37497e64c578be844d8bc94c43d6ae','d84afd10ab921619fe4f644aaa474c136abdd623','241d6ad506fac2f87eccb9d7cbdeb8653291a389a008bf0be782048e54d4b2dd',1591914514);
+	INSERT INTO entry_data VALUES(2049,39,1248,'rw-r--r--',NULL,0,0,'root','root','fdba5f23c517dd1966359ece7d8fd280','1c3b68ed6ddde6ec1d64503945edee16c3f20ed9','81b8afcb0244000c4e5baf44299c1816e473fcfb0b0eea4d82a1f12b67e21724',1591914512);
+	INSERT INTO entry_data VALUES(2049,283,11076,'rw-r--r--',NULL,0,0,'root','root','a7d71d67fcb8d400c1a3bddb9390ec1b','85e9f87c7445fb85c65a114bcc784944f2fc6d30','b0d551b85f6ae7128b7043a3979f182def14b1cbd83b6f734319aecbf1b3d477',1591914514);
+	INSERT INTO entry_data VALUES(2049,140,21776,'rw-r--r--',NULL,0,0,'root','root','56fb48e0c77e6d62256e979ede0d3a29','bbf524afeb86bf9f106d92177df281d2306edf34','3d8182fa2578b4bf6e8afb93954cdc62a194f6c510040712eb9f4f295db179fd',1591914513);
+	INSERT INTO entry_data VALUES(2049,129,3284,'rw-r--r--',NULL,0,0,'root','root','7b49bcb3fe943b5603d03eb390f61848','ee514539d3ae06a20b46fd4a054270faf3b93e83','4e328b932daeb13a1789cf8ea76170c9efee3af7c61a9d038a738f04ed2bb591',1591914513);
+	INSERT INTO entry_data VALUES(2049,215,9616,'rw-r--r--',NULL,0,0,'root','root','3e2719b0ff925f6460c540ba9e1c897f','48aa6f942e067a662b8412b5ee4113c825d489b5','69491e1c4edf414779ec55303c8f294de46e5fd3e8c5d99e4cf8dc7f8a78845c',1591914514);
+	INSERT INTO entry_data VALUES(2049,52,9416,'rw-r--r--',NULL,0,0,'root','root','6d7cabd554ceb05f2471fd8eeba2172e','7b11e2acabaaa63f3c56ff863a1db552f4e4d5af','0f222774dcd8500c593b6898a41438892c70e1d9f310e1f0749a14acd6d829b0',1591914513);
+	INSERT INTO entry_data VALUES(2049,90,2520,'rw-r--r--',NULL,0,0,'root','root','c30ade12da56beca2856f1d778b8e501','586b334e37743885d14f31ee36ed26aca69a3e65','0afe01a7193bd59af7fe29379a33bd99755490c572b40a3651ba8e4b2510441c',1591914513);
+	INSERT INTO entry_data VALUES(2049,30,22084,'rw-r--r--',NULL,0,0,'root','root','66ce221b550b2c6c1d15d08dd1f47f4b','5106ccdba7848b0822b6e941fe108491416f2d70','f71a835e06a0a9fa2bbd4f96c81e11c9e4b598ceb9e72a20226beff1e544355c',1591914511);
+	INSERT INTO entry_data VALUES(2049,190,5748,'rw-r--r--',NULL,0,0,'root','root','c399f0ed9348bb2a3fcecee270b7f85b','7a704fada0dc44c812917a055609f0037531371d','9e0ae17db4bcdf607b2faf876a6f7817359263a722be4380341d181ed31f2a47',1591914513);
+	INSERT INTO entry_data VALUES(2049,148,4640,'rw-r--r--',NULL,0,0,'root','root','51de83ee95aed10b2fc4d18aa5a10c4e','a3c3f8161cb74689bb663ba6720733b7362d81d6','bd0998f3e96cec7309610895d5fca0853a1ff9739d039951db8d8fd9c99d7c54',1591914513);
+	INSERT INTO entry_data VALUES(2049,184,5488,'rw-r--r--',NULL,0,0,'root','root','efdfd9e870677307e8b30d3adf76b0ae','8cdec3179decee3e1456bbedbd5b8717716d2c8a','3f5ddc67511088bae7cd56510ca20cab1c20af7680f8cfba5c3ee1150c66c3d0',1591914513);
+	INSERT INTO entry_data VALUES(2049,77,5452,'rw-r--r--',NULL,0,0,'root','root','25b1fcdd46d16d7b6b613f31abba82e3','22b49f09c07ddbbd99711443f39ff1cc7a8766b6','c94790877adcd8a5da6d62cd8fc1a01f26ad71d30cd7ce83383ba6303c2512e6',1591914513);
+	INSERT INTO entry_data VALUES(2049,251,2080,'rw-r--r--',NULL,0,0,'root','root','f2e30b7e2573d003fc83040d6358fe6f','a3380d24ab2885c79c1b2e2c2e48f0dc5b219316','59d85802bcd1cd693a19dfce96c05a2bf3b11891c4723fa85685c44a15ce7fea',1591914514);
+	INSERT INTO entry_data VALUES(2049,37,580,'rw-r--r--',NULL,0,0,'root','root','bec1691ff8804ae965f7c086efab019a','f34cd290bf74d9f19e8233eccf6f1b3c5b551b7e','e676b0ef7fda492b2cd057a025893b4674bcd9dce786ef4c4392d5d56433b7e6',1591914512);
+	INSERT INTO entry_data VALUES(2049,80,1336,'rw-r--r--',NULL,0,0,'root','root','feeb32825151fc584088751e3abe2528','c5012e406be95d6f5410a92049d6f9b20956993c','6ada2f09e3daeaad7d3c7e7fe9f1eba50c68dc9c01542c1e3358a70ebed5a69e',1591914513);
+	INSERT INTO entry_data VALUES(2049,107,3544,'rw-r--r--',NULL,0,0,'root','root','7d24afcfef20ca0592e9296bb0797b44','fee02c2358404d4c33c857ad8b059d1e650299cb','b908de40ccd60dda7cf18b0a4a2e2aa4e400627afb741c2e4b297c493e33439f',1591914513);
+	INSERT INTO entry_data VALUES(2049,40,63152,'rw-r--r--',NULL,0,0,'root','root','482d298264c73d14f78c823ac246e7b0','fa6ee196e4233f023adca614ad626830cf491152','50b8a589738437662d1a7beddc5149f4c8aad825d7b0eb2fe17cb81f9ecbd906',1591914512);
+	INSERT INTO entry_data VALUES(2049,50,35264,'rw-r--r--',NULL,0,0,'root','root','83890adfd9467bb8192c4ecfbca3ca16','ea69365792118e2410a84a30e92273dcb9ad6051','362c726eae25746f16daacbb0c2a7b10fd81b595034016c43eaba23215b0c5b6',1591914513);
+	INSERT INTO entry_data VALUES(2049,221,6240,'rw-r--r--',NULL,0,0,'root','root','322d3b10179bf42535932e752d965601','5c9a11a5f14e048b59dec2172e3ab84fc0821e86','d4b94f7426062f913a220264d2044e0ef7271f32399a98a9752f866934655e09',1591914514);
+	INSERT INTO entry_data VALUES(2049,132,8928,'rw-r--r--',NULL,0,0,'root','root','75d43d1a33e344a6160094eec77fd344','8ba22620be147461246e99574a85978b29c92b41','78e1ba72b5692a0546a3a38b8655060acffcd789182f07031c60c3969fa36de2',1591914513);
+	INSERT INTO entry_data VALUES(2049,108,4840,'rw-r--r--',NULL,0,0,'root','root','87acaed4181baa310dde2db34c83b43c','d87b55ddee7d7240b5d2f68517844e22b25d6dd0','f2ccf1666a141f939b0840768b64bf9861a5f0c86a0768ee5a9b892744920989',1591914513);
+	INSERT INTO entry_data VALUES(2049,48,5664,'rw-r--r--',NULL,0,0,'root','root','257f9eeb9d26e108e1894c27c0b70ccd','9f7e309f7f03a287f0a071d373e204c47f9ce76e','145e3d40354724344522474716e4e5acd6f8cbb8d5db4fe39500be11c3427280',1591914513);
+	INSERT INTO entry_data VALUES(2049,226,1744,'rw-r--r--',NULL,0,0,'root','root','10c174959798c8c7be7f2d38e9b5838e','7696e8d1d9f5ce8629263f29562f3cf8e62c9346','eab4f3529aa71d341fd2b62811ab77dfa40ffacb1493ac11354e8a3931baa53a',1591914514);
+	INSERT INTO entry_data VALUES(2049,214,4236,'rw-r--r--',NULL,0,0,'root','root','7cee7747ea6b88fb646e1c58bb245682','a0532d5ef353dfcbb49cdba3ec5e12cfbde2aa93','f6aea9e8a1c19a9cca31a1249f90016ae2516235bd6ce48128de224abdcb5442',1591914514);
+	INSERT INTO entry_data VALUES(2049,189,2828,'rw-r--r--',NULL,0,0,'root','root','77b4d5644f1b5a09d290df843f597eba','57631845434acbab8e06022c94f1a9c75471a069','7ff4e2ed646879c0c6ce32d29181a3aab5f52f14314e1e580bb24a3c0ea519e5',1591914513);
+	INSERT INTO entry_data VALUES(2049,34,2408,'rw-r--r--',NULL,0,0,'root','root','8a37547f1565f7fadba2081111bdda87','df851edb2502a940a3649a555987dddf5b270ab3','ad566e5a955b8a577cbd66a1a042ed4ab36d21322e8cecc9a9dc45c9c5e4059f',1591914512);
+	INSERT INTO entry_data VALUES(2049,220,4768,'rw-r--r--',NULL,0,0,'root','root','9e17d70a0a453cf1caa1217deb4e92b9','de7065c508b53d6b5895bf4eb26a51fe96941a2a','fed98cca4c89d7602940d564a241fb8ff64bcf35db7943a36072eb62cfeaf0b2',1591914514);
+	INSERT INTO entry_data VALUES(2049,83,6148,'rw-r--r--',NULL,0,0,'root','root','632f4e3f714e502ec7c35ec448b5b293','c6aa2dfc3c8a120137a4c89f1466dec11978e2fc','0cbf3f949530a6d7d2e8cb3c93d9700ad15a45fa8679d9a1aaec8be793d12281',1591914513);
+	INSERT INTO entry_data VALUES(2049,280,4724,'rw-r--r--',NULL,0,0,'root','root','1cdfb6fc278c6af52a6402762375ee32','6004be8483d3c766b0dff1a860181422079c654e','89f82a0577e7bffb9bf1e3ebbfe8562e21aa6a4b1704ba7933f3ca7ebeb5d340',1591914514);
+	INSERT INTO entry_data VALUES(2049,228,8664,'rw-r--r--',NULL,0,0,'root','root','8fe46f952a1ceb62e02a7381775b32d3','a00d7458c14cfb55d0b2d41fbef938d066d43cfc','b13c7587880d5040373ba470dd6f6bc556951a16967fc796be1f19b7794b6d6a',1591914514);
+	INSERT INTO entry_data VALUES(2049,165,4244,'rw-r--r--',NULL,0,0,'root','root','e4b4436ac0f99703aa2961d36e4c379f','eea9b746b99e70448191cfc5407a1e6afa6cb80d','2f3e6f1b8de0dd474d69e7dfcc283af98fe6d70e1c98da62c8243ca11f2b2c28',1591914513);
+	INSERT INTO entry_data VALUES(2049,96,1356,'rw-r--r--',NULL,0,0,'root','root','f8b56ada80da88d13eb69d33ebb6e9da','ca1f2b00277e1f90fdb7fc9869c3abc93220296d','9e00466e60ec3c3c795c06c1226c4f5efd205b98bdfb98bacd0811ee1434b43d',1591914513);
+	INSERT INTO entry_data VALUES(2049,126,15728,'rw-r--r--',NULL,0,0,'root','root','913b3faf3df0b94eda7508a108a1c22a','6405e8cdca5a393146e5e1d755fbb88c2a8238dd','d18c00c9993bb0dc3b61a9bc4c50f8c6508cf4c1282a3bd10fc8f333bf37d7b9',1591914513);
+	INSERT INTO entry_data VALUES(2049,278,6272,'rw-r--r--',NULL,0,0,'root','root','f49190895e0af51393716f1f2f829f40','8d3a1a879e1f734660ffaf118e015936b918d18c','223403f4aded39845317cd0a1b59ad2776be64db57ee048cb48367132569ea84',1591914514);
+	INSERT INTO entry_data VALUES(2049,130,7392,'rw-r--r--',NULL,0,0,'root','root','b7ce99f516d3580c0faef9914640534f','975b9bdd0d6d15e9106786caeb0169138f17ea75','deaa8f803597c99b642723c3558bbe0f162b07969025d3753592da99159e83de',1591914513);
+	INSERT INTO entry_data VALUES(2049,183,1548,'rw-r--r--',NULL,0,0,'root','root','45786f421a94681682924628a31c99c8','70a5134a5d51669561b495543ce1dd3c534716b7','4106b63c369595f9d054c8c410502d3d86f1a4bf2d4b77c48b93d3e0cdc814c3',1591914513);
+	INSERT INTO entry_data VALUES(2049,161,1948,'rw-r--r--',NULL,0,0,'root','root','1326df842a77a341a469b2f7a71c4c79','6c72e0f794ea0ccdedb1fde50f4589a6ecb8c31a','6eaf28247f118cbac5effd6cc8832dc54741a54e964176bb5c70526bd09ba16b',1591914513);
+	INSERT INTO entry_data VALUES(2049,88,1584,'rw-r--r--',NULL,0,0,'root','root','a4ee83a24527a0cbe42e87de07ead045','6f1a798ab6a9cce9d2cb4efba71676b367010705','b5c9ed2268b4be4ccf249855792a3d3993d53d785daf43903653506b1b3d8e4b',1591914513);
+	INSERT INTO entry_data VALUES(2049,168,8524,'rw-r--r--',NULL,0,0,'root','root','a380e289909a68825f5d394ce048a6cc','6e857d484d92855f410065d4a6187605e18595b0','a039661f189a99b17d2f7f638206a905ed25a3d070ff64255b9a6e102f5703ad',1591914513);
+	INSERT INTO entry_data VALUES(2049,256,1888,'rw-r--r--',NULL,0,0,'root','root','3ebbaf040a7660f8669ea68b1b826874','d41947ef7472493000bafb9b57f763f0ad354c44','61b7e066aadb72d54ded74bded052fa80c841493df256a4739f93ed7d5e1d827',1591914514);
+	INSERT INTO entry_data VALUES(2049,138,3632,'rw-r--r--',NULL,0,0,'root','root','2641864548459f8ff7658a4778230bcd','441e352d1005669a4a2475f055af60b3277a8eab','1043039899ad492d562968681101426dafa1d3c778f77c01752f495057c4e73a',1591914513);
+	INSERT INTO entry_data VALUES(2049,277,9076,'rw-r--r--',NULL,0,0,'root','root','77d797e5b9d1d91e321aa9aea957e51d','95b438da6c7c8b70a24cc430ce10aa78a5cc6804','e253544dc74c4c6a7d02f9586060a4d5054d250b6f298d5dfa80277486d77b7e',1591914514);
+	INSERT INTO entry_data VALUES(2049,213,3852,'rw-r--r--',NULL,0,0,'root','root','f24faff29642ed82df4e7b791c78245c','39d7bc0a22f9f8da7d00475d60e06465c2f679d8','f2b4d3a61a5de743291bbe75ede53fada42bdc4917a4d9d04c7b2eb89212ea64',1591914514);
+	INSERT INTO entry_data VALUES(2049,59,13504,'rw-r--r--',NULL,0,0,'root','root','a2037e8fbbbcc131cf76f32c503e12c1','7c83b47000b94a96d9a9636277e366bf6769f4e1','f83ea00212ec0351e36cd34eed3fb8a82bb3378e1d261dced7218ac1bf051b0b',1591914513);
+	INSERT INTO entry_data VALUES(2049,29,1648,'rw-r--r--',NULL,0,0,'root','root','91062e7b29c29488cdd3342c1cc9f335','e70a663195d867626f3dd6795d7172297a47f8d1','511a124e3aae5c91fc3f05c33d5cc18f5b290b043c98deb64926864e5ee9e051',1591914511);
+	INSERT INTO entry_data VALUES(2049,162,24144,'rw-r--r--',NULL,0,0,'root','root','7ed936b81666e01037660b3effd6a954','959f526db6ec07a7033e82769fc5b6aacedc5a09','467392004d1ec3039486879b6742a1adc57cba248bce0d0ea81adfd8dcd96810',1591914513);
+	INSERT INTO entry_data VALUES(2049,272,16084,'rw-r--r--',NULL,0,0,'root','root','1ab47ebce393251eb4dd2277193a83a0','a43e0309c3054552d24ca593a1b8380c1efb5e66','86e057b88349ac12144dad4997b2906e3e50d63fbd4820af441b6202f834eff8',1591914514);
+	INSERT INTO entry_data VALUES(2049,199,2824,'rw-r--r--',NULL,0,0,'root','root','37883c5e87c1b6e8c17b1cc28d629864','e295d64734757d946dbbf294d72edf62a36ab157','fd10efc5332dbc649f99818d92928bf7a20c9f4d6f4b48e73b69470a50c9c429',1591914514);
+	INSERT INTO entry_data VALUES(2049,182,5232,'rw-r--r--',NULL,0,0,'root','root','c05f4ed2531030d831ba1a65ca8621f7','e673081643d8b16b877fb888e6dbf491d2137d37','f39be693aea31e8a363469f9bc3cc5553f03db9b74aff6657cdc6118aefd6c65',1591914513);
+	INSERT INTO entry_data VALUES(2049,244,3936,'rw-r--r--',NULL,0,0,'root','root','2d14a6fe7c00ca3b155256212936a783','a4f31eb2373ce60cf3664e00de816a9c92b5fb42','c140fab39bdf266c81f25bbc27f3f3b363d88cdb9a78f0c2d4e2570defcbaf1e',1591914514);
+	INSERT INTO entry_data VALUES(2049,191,2796,'rw-r--r--',NULL,0,0,'root','root','6491f7a804953f61e7e4f3e9c376323f','50caacd41097ed864f9940e865ec880ab0537a1c','2d1d8c3244a4e006b4fc4f555577c9f5960abd533929a52b20fccd80e505d93d',1591914514);
+	INSERT INTO entry_data VALUES(2049,178,3312,'rw-r--r--',NULL,0,0,'root','root','a36e4ff9015b8ef3e91c24449b8bb250','98cba66ccb352eac6db2104f48146146235416fb','8abd28254ba7a73711c98ef0b6564d6fe08301ba1781d2088e9af5d45f1bb660',1591914513);
+	INSERT INTO entry_data VALUES(2049,219,15076,'rw-r--r--',NULL,0,0,'root','root','6be390cb7c9750196cd660e9a5d1afd8','3cfd73c9572a4385be8f86e58c3b3e817f99af31','1c07ce15e46177adca76d265093918f0b333b471f22a7f992f5ef4880468fdb9',1591914514);
+	INSERT INTO entry_data VALUES(2049,216,12376,'rw-r--r--',NULL,0,0,'root','root','8ff8c22c1b733b550a5dec0148fc3cdf','399cea5373ff0beaf1b56920fc9c75738fef63f4','23cdfbc2c670b5808f7042cc1733683fdf94224038f39e64147d79721d5ad87d',1591914514);
+	INSERT INTO entry_data VALUES(2049,139,10592,'rw-r--r--',NULL,0,0,'root','root','bbb582edf817afc39407a99fc48735ec','a51bfe82035eabd381c6bd46b0efeae219534479','3db477ab18eb3bf0cdd5e670658c3dfa9aa918f6715a6de48963aa1fe2ee8c96',1591914513);
+	INSERT INTO entry_data VALUES(2049,271,12968,'rw-r--r--',NULL,0,0,'root','root','173f8f50ecb6c1b7e61de0b95896c6c4','2870c1215524a28c202f6b149422526ad4519a2f','e4eaa5f610d0af9e0f7c344012837ba940c6fc14ad1e37b628007dff6ea54fcf',1591914514);
+	INSERT INTO entry_data VALUES(2049,164,3096,'rw-r--r--',NULL,0,0,'root','root','cc9eb4991aa138ea3de8790f0fc05aa8','80b97d88f73bc94249e2b07ee066a34e0ab53ff3','507a9051deb3c92a76f547627ba1b748cbcd4f9fa40de5901174edda105d9f11',1591914513);
+	INSERT INTO entry_data VALUES(2049,53,3032,'rw-r--r--',NULL,0,0,'root','root','05cc91055a6d5a1823c8e555de8685ca','f681e4892941c8c3b04b0faa4f255611f383fa44','fd75c32841f4158d71895c9e10b6e3851cb82300315fa029b4d461d007f1d2c4',1591914513);
+	INSERT INTO entry_data VALUES(2049,239,2064,'rw-r--r--',NULL,0,0,'root','root','bb1fe5f8a6b8b24cadd6b9ebf22ad0ca','c2b822a1e43f4ef91fbdc2e2495dc8cb7899efc0','df8b0c5002cd91e6b992e65206feeba5b49e069fb1190b33522c5a225195635b',1591914514);
+	INSERT INTO entry_data VALUES(2049,87,4064,'rw-r--r--',NULL,0,0,'root','root','4eaf2a6e94dac001b6d447c1e5a05323','12eabb87985cc6c9328f2fa151ab11c6d486c5e4','6e981ea6983e976ac7a275e97c718d556bc21e343201d804f4c1afa329b7ec15',1591914513);
+	INSERT INTO entry_data VALUES(2049,123,3436,'rw-r--r--',NULL,0,0,'root','root','fcbfad528ee1ddb45040a7a1e5c6dcf9','e7fd287e38821c45cfaa6dca63e43ef310f6b2ee','747a53f6552712f839c42637d1e8986019d55e4188a8a335b6fdb14e94d4c404',1591914513);
+	INSERT INTO entry_data VALUES(2049,100,3500,'rw-r--r--',NULL,0,0,'root','root','8813889cbd6205d5f692dc0c9099806d','9a907bfdb9be62a97ede9039ce8a2bf90fb81b68','4bbda0c5ae89a9833733c23b713c788f102b81df9b742d64a00e0832b0e05d2b',1591914513);
+	INSERT INTO entry_data VALUES(2049,115,2128,'rw-r--r--',NULL,0,0,'root','root','cd83af3ba42cbc0859cc4dd586018083','594c6740b90bc431f6c993512b5bb8aa2a0395a0','9865606e1c4045d70c24754317704025fe759bc42e51af5ccf66270a8b6ff3d9',1591914513);
+	INSERT INTO entry_data VALUES(2049,145,7984,'rw-r--r--',NULL,0,0,'root','root','6d396cce53c43ba48a458f38b53db8b4','a68b19fb6b915f7ca3514f6e97474ca0ac6fbd56','d203193e3d3cc4410e2868244c830f03e7aa1be1c4fd3c22ba2cdcd69e31f428',1591914513);
+	INSERT INTO entry_data VALUES(2049,67,3060,'rw-r--r--',NULL,0,0,'root','root','8cf483b93d0ee245c30487fc3b9db088','93dc0bcc3f25c5d932eb14c98a4a30d791fa6b7a','f551d6dacd0d14f0aba9f22e8d2e5357e3fcc4c26939b12b34b58f3957a3e751',1591914513);
+	INSERT INTO entry_data VALUES(2049,204,3220,'rw-r--r--',NULL,0,0,'root','root','6863ae3b46ffd18cd1def29a357af874','628175fccd113b7555bd4e409d6c5db9c763ace9','1cbc9bc625b92cc29ae4837d3fc1c29439c336e5b46ea3eddbd3880b11f73153',1591914514);
+	INSERT INTO entry_data VALUES(2049,46,20908,'rw-r--r--',NULL,0,0,'root','root','61705036ff21768484bde3f8ef165496','180f807986bbc9bfe0babd659a1d40a2ea5eeab8','c45bef5422163278facba50940063b1f14f69a62793952fed5955f9e6b0f40f6',1591914513);
+	INSERT INTO entry_data VALUES(2049,205,21424,'rw-r--r--',NULL,0,0,'root','root','97be6bc1f1c489972b026d025fd476ac','eb25e09fdb390f857fb69359d00b220d5942e83e','d676a4cdd8ca84be97f3dc2c6db5594815dac9e4c5ab9b95d67ae87338b6c2bd',1591914514);
+	INSERT INTO entry_data VALUES(2049,26,5368,'rw-r--r--',NULL,0,0,'root','root','3990d19057e682c7e5e3ded7101d72e9','ed1c90f194db8d90067104da7a076cd5a229d4e0','cbd16ee3b21a34fbd0873a023b03c44b74674ca3c49f4872e97c79a03db34416',1591914511);
+	INSERT INTO entry_data VALUES(2049,113,5200,'rw-r--r--',NULL,0,0,'root','root','3d0de4e1050113fd41e74f29eac97fe8','89f40d0c15eeb8eb3f5c4c8c036cb442d86f2b2c','d0067096756935a7a6c031d0e7f5f59182e2f6b74270d189663c6ba13b36ae20',1591914513);
+	INSERT INTO entry_data VALUES(2049,248,3836,'rw-r--r--',NULL,0,0,'root','root','f7427483d325508bf2e586dc6c155c66','22deb00bb1f32abde45d0d507679614df861c288','eff28c8611a3146a3d86754d704b6672a446d5d29130394d0e1b5ac199b949eb',1591914514);
+	INSERT INTO entry_data VALUES(2049,92,2432,'rw-r--r--',NULL,0,0,'root','root','a1b7eb4643b307029d920aeeba3bb02e','21b4ee75700ec9ee6ddad4431344bf151b33f78e','4ce1ac44e614a144830e292e5e223a4055cef865ebe1f5db5dc212d774ca3a6c',1591914513);
+	INSERT INTO entry_data VALUES(2049,152,2832,'rw-r--r--',NULL,0,0,'root','root','12b254107c4dadf94bb628a5a18ad44e','993a53456fc18a82b98d67053c48e26f9209d044','221a92b8f8cab06dd8e6e34d11822daa8d8d7c207403ebb9f4eb2ea5fa3e43ff',1591914513);
+	INSERT INTO entry_data VALUES(2049,247,2212,'rw-r--r--',NULL,0,0,'root','root','f26f522e4ade88cb981578da66cfd1c2','3a11ed164de78abfa6a1d9890dda1b57bd48934f','c53fa7d9fcac46ca3a3ca597dfef32125881db27a7d7f1fc6eb122989c62ff1f',1591914514);
+	INSERT INTO entry_data VALUES(2049,143,12208,'rw-r--r--',NULL,0,0,'root','root','50fcb96e7c18a36ee86e5df1b8bad86c','389ab44feade0264a2578ace8a87a524caef654e','8e989e5832c865f52ea3b28514077488c4602b1b420c3a91c126c3a7adbcd651',1591914513);
+	INSERT INTO entry_data VALUES(2049,91,6268,'rw-r--r--',NULL,0,0,'root','root','f3d6c54c5667fbc301bc41e70077b31d','a58aa6827515edac821980b3dbc9eb6097088f4f','ac5bb7c6b90763be251070decb08fbfa8c8c60862a735b3d908f1254f81536f9',1591914513);
+	INSERT INTO entry_data VALUES(2049,85,2372,'rw-r--r--',NULL,0,0,'root','root','4c59207be84a68f49a1dcb3bbec1ac52','ced0e95f6dc180008f0f12170d7710afecbd2864','b85f7b1794d5a7202fab45cdf0deb71effcab0b9895f1fe5c8d94b2ee2f85ed2',1591914513);
+	INSERT INTO entry_data VALUES(2049,95,8028,'rw-r--r--',NULL,0,0,'root','root','9b928990aea79321e7df7d4166061084','1789b9895fafbf5d03e29c23b1f9820e4602d9c3','4e5b4c9c4f91c6b48c461ffe788cb2486cf21312f8fbfe2f21436774d8abe22f',1591914513);
+	INSERT INTO entry_data VALUES(2049,32,13792,'rw-r--r--',NULL,0,0,'root','root','14f40f21ff1aa78d544c000a3702c5f7','19b183574d6abeb7089068358825e3887063e9d4','598fe444f9f7502ea1c863a2bff4962b7aee7374e5930f60c3511c3f5df4ad2b',1591914511);
+	INSERT INTO entry_data VALUES(2049,158,8552,'rw-r--r--',NULL,0,0,'root','root','f682025c896cdd8e0c210139e480a458','67e5ad249948bf19e3ddffac8940767e879a5de6','276778817df940e8222919f0a889560691449708aad16fa29e4dfa50bfd1301d',1591914513);
+	INSERT INTO entry_data VALUES(2049,114,11352,'rw-r--r--',NULL,0,0,'root','root','6a69b8e8d05718ae841a235e90e6372f','0aef631c5ec4881fdb12f0b8d4faa0989307a2fc','622a9ed0645ef26359003cd80ea88460bc86b012b5c6276e99f3131e0efadea6',1591914513);
+	INSERT INTO entry_data VALUES(2049,62,3012,'rw-r--r--',NULL,0,0,'root','root','c3bbdc144018ea6c8ce791c9adb68c03','12a9b682ccf15f2dff906334248c9e7134ca3d28','9f86e9e1b9865f9ceb9cf05ce703445d021431249f9bcbd04ee99a18a99cfdae',1591914513);
+	INSERT INTO entry_data VALUES(2049,175,2448,'rw-r--r--',NULL,0,0,'root','root','f1b54179eac7f7765564f759f8d61741','3253df239eb1f4516792baaf53f73949ed0f56ff','24734f0f4662faca90ce306d47220047526929f1cf842375d362bac7187ad3ea',1591914513);
+	INSERT INTO entry_data VALUES(2049,98,2528,'rw-r--r--',NULL,0,0,'root','root','38376bebcc33e72b24081c77c2ff898f','ee061d192da47a1093c41715508b662d0fce7ee7','c93cf5cb5ba131456a2f56f9c294960bb67b074132fbe4e0ffda75aca5e230c5',1591914513);
+	INSERT INTO entry_data VALUES(2049,260,5312,'rw-r--r--',NULL,0,0,'root','root','0d71e16f41e3fbff5718f2b6d651dbbd','f63865175d3192df1d15e1aad38933b8122f1ef6','bc23b5d69708af7f9d5aae4d5447afa07c78b9f186c0fbaa3f50bcaaa58c5f2f',1591914514);
+	INSERT INTO entry_data VALUES(2049,224,7292,'rw-r--r--',NULL,0,0,'root','root','9ba858727d2b191db7820d7108cc66cd','bc32185f32e96180577a659b58b10911711db82e','e28f7ad3416bd84b75054458fe1525609a01813b04c0d7f4ee25545565cc71c1',1591914514);
+	INSERT INTO entry_data VALUES(2049,294,111,'rw-r--r--',NULL,0,0,'root','root','02b988d7196362ddf27caaecf35c23dc','b5a777a9c9d1d484b9f133987047bca324a9c01e','85a3d5f84d20723a27c1442b861be44fbf58a4525eefe2ccbb2b5f7ceb21e8be',1591914514);
+	INSERT INTO entry_data VALUES(2049,141,34768,'rw-r--r--',NULL,0,0,'root','root','625397210c568104d229b903b3c2cfa5','97202680cd9191cbbec21f7af71acbd96fd582f1','ce1b53fe02e531c3b91e5fc9bd2bbb51b6c001d05ea5c1043226d5fe7a5f34e6',1591914513);
+	INSERT INTO entry_data VALUES(2049,269,3308,'rw-r--r--',NULL,0,0,'root','root','25e8e4221181ecd8d865fff7548d7999','cb936f780649803bf4cc4ae99c63c21b90d1b2be','90252eb19a9e141a875e59b691b2032f40e63a224666e8f62fb41e3aa55b1f7e',1591914514);
+	INSERT INTO entry_data VALUES(2049,217,157732,'rw-r--r--',NULL,0,0,'root','root','b5c3bf99b96102774def9fc1450bec4a','15a0d8ee9b4cc124f7a64ef3fa29d111496f5269','2cd1d8602dd33efdadb92efbe366a85861a5b536d71bf987f79182e48bd94dbf',1591914514);
+	INSERT INTO entry_data VALUES(2049,167,11852,'rw-r--r--',NULL,0,0,'root','root','56bd1b9fa6f0c6164f4e4175a7cdf302','80a6e51cd2f126571bc3c1f8bb029dfe7077915a','c1ddead0b2e3b5f54584aac634cda9327f9a322b620883d36f20f0f1fe185528',1591914513);
+	INSERT INTO entry_data VALUES(2049,106,2136,'rw-r--r--',NULL,0,0,'root','root','fa36599c72a1ccd81936a4279ea3c0b1','8eec8cdc30f2c8503ed20e8a831082a047740297','21957b68eedfe0f2af0edfede15e032be822fe75634e6d7c6b2ebae5cdd55c64',1591914513);
+	INSERT INTO entry_data VALUES(2049,35,21752,'rw-r--r--',NULL,0,0,'root','root','afbccec3a183931425b57e4de9b32e93','15ef85eccf98e360e467d7c3d86ee44f3b59603e','af56acddae5b53a5984d782b7dfa70e7291ea0762ba77488961de5f601998e80',1591914512);
+	INSERT INTO entry_data VALUES(2049,121,2256,'rw-r--r--',NULL,0,0,'root','root','ca5116481ae6b50daa9259eb37e3862e','2b1baa7dcfbbf514a466c1fac3ac0505653b50e8','823df6a6e51f25024f9e905cc3d81bad85781db5c868783514a7024c10711279',1591914513);
+	INSERT INTO entry_data VALUES(2049,71,6188,'rw-r--r--',NULL,0,0,'root','root','aa64e3ec87770b0f8d74c5e968943164','699fc3e628596a40f33c7d5402aeb042db12b18c','8cc8854ec3b21e87b8f72d96473c46a065d648f84ceac6997f2ce37c0df8f71e',1591914513);
+	INSERT INTO entry_data VALUES(2049,295,17,'rw-r--r--',NULL,0,0,'root','root','3190a91d3075032543740d0998971d77','408f07c267ffdb9554b69138616a472fe4207026','6de6036ef0dc8a908e4cc248ef1d8aab87172e722d8c5bad9e137fd43994e0fe',1591914514);
+	INSERT INTO entry_data VALUES(2049,296,33,'rw-r--r--',NULL,0,0,'root','root','2f829a013450ff2e08413abb3c31a5b5','14d5f37bb99895715eba4ab9501b37fa94d98497','e00d826bccbbb732a5d916c54f6c02bf9f15da704467e344330d0cf30230a7bf',1591914514);
+	INSERT INTO entry_data VALUES(2049,150,5980,'rw-r--r--',NULL,0,0,'root','root','3077bfdc196178b697d148c4c35ea9b2','b4cce783cc887bacf34beda3041373fb6822ec59','8b5db9b74c4ab242d4beb202b21d9115a43ebdbedb361aa9a5d0e739dd201b0a',1591914513);
+	INSERT INTO entry_data VALUES(2049,241,1896,'rw-r--r--',NULL,0,0,'root','root','a92c4bf903a18cfa94be9fd182817214','3a564f4e91bf77870b4714ecdcbb1888973f9e65','39fba8efe84333e18b01d408075cd8523fc4f73ff6ce598f0d1a763b7e10cf23',1591914514);
+	INSERT INTO entry_data VALUES(2049,60,53732,'rw-r--r--',NULL,0,0,'root','root','dd0a7e44b28e0478b38de240e9256a18','059ff931393c25c1439ac4762734f1baa5c10f12','7c428d36794dc1b24138c9db186f1575106c3c347c39e92dc1754eb9f3d823a2',1591914513);
+	INSERT INTO entry_data VALUES(2049,41,3852,'rw-r--r--',NULL,0,0,'root','root','919fd6f54762694fe5501c7bc90cbe8e','06999ff24acf7256834a01f9a7b260ce2421f8c8','d0c3549dc87d5adf7231fb77a42e29043c2026bc782e745de4a0ded63c0f12f6',1591914512);
+	INSERT INTO entry_data VALUES(2049,102,3568,'rw-r--r--',NULL,0,0,'root','root','de48282ff74aa39b2130971cafada1d5','528d9b4c5cfff255b01c282127ff238d5cc75086','54fa5fa0fea1a806eacc9bddbd5fab5564edbef96355d7f7cbd5574a8fbe0f35',1591914513);
+	INSERT INTO entry_data VALUES(2049,134,2260,'rw-r--r--',NULL,0,0,'root','root','6ec8cf3ec64b28e31eaa0d5da9fdb2e5','4316474656a71b24559fdf979b9afc77cd38bf42','d69f0e84fb2b0802de1ec0a0ade5d146cdc778c21c4360afba66893e6278f373',1591914513);
+	INSERT INTO entry_data VALUES(2049,44,10220,'rw-r--r--',NULL,0,0,'root','root','9f1d2d8b47e303574f722cb6c10556b3','e334ec73a9a2c1803b8d030ecd3067cc7d24d800','89909ca3cfc996422f7241b8897ea5446b2c596061789c8ea81fabb85583d6e7',1591914513);
+	INSERT INTO entry_data VALUES(2049,94,6216,'rw-r--r--',NULL,0,0,'root','root','05820d04be4bd78a58f52b01809c43bb','a21650efce478d347267f8108f97f774795971e6','00ab8dff8e1b5448d5a08185671fee1ee59f4c60418338902a1da085eba657d4',1591914513);
+	INSERT INTO entry_data VALUES(2049,258,6888,'rw-r--r--',NULL,0,0,'root','root','f47d992c65f3da9186c4ff4ece7e2130','affedadb6e6d2bce2cb4fe4eba7273a4d649159d','fd6170416e8d1724036a3f9c8be7383efde4051624131a9190b935e60c050c50',1591914514);
+	INSERT INTO entry_data VALUES(2049,188,5488,'rw-r--r--',NULL,0,0,'root','root','a5cf32e5da32f4263ecb5fab33b22a68','83eecf1b6e19cd6d11bc93ec76f96d9673591162','7695f4521759558dbffd4f32013052094a5d272f091b0572d305094ae97585fb',1591914513);
+	INSERT INTO entry_data VALUES(2049,222,7644,'rw-r--r--',NULL,0,0,'root','root','0d7d5fefbf7863734913a5b29279e92d','73da35b3b3515c9f0a202bbdcf0c17db604144e2','207150aa4571bfabc9c4e4debdf13a2f2f547832fc536a27fc0fd252805d7a87',1591914514);
+	INSERT INTO entry_data VALUES(2049,135,10456,'rw-r--r--',NULL,0,0,'root','root','b3ebf5a80098d3e8a2bc8f8a14dcd893','512f05fe717c9e5fbf65ff9d2fd60764dd8cfa69','4787f7fa144b526044d887ca8d5e339c8aeca95f6abfb94e2cfecb1b0350a601',1591914513);
+	INSERT INTO entry_data VALUES(2049,137,7908,'rw-r--r--',NULL,0,0,'root','root','cf63f1836ac87d459af8195839715881','1dffbe1b7ed1ff6241d0e85a6efc3a0fb6b99b0b','b958fd8072c2b8b99327e98055ec67de52f2c590ed360b18814ded8863039adc',1591914513);
+	INSERT INTO entry_data VALUES(2049,177,5456,'rw-r--r--',NULL,0,0,'root','root','409d7d7f8c0b4e647068035f0a8eccb9','7bedbe13d580d9a066496a1ec35a090ed5132487','cb5c74e4e111c58666dedb811fbec237adfcf88d061262a050b9cae05e499351',1591914513);
+	INSERT INTO entry_data VALUES(2049,68,32184,'rw-r--r--',NULL,0,0,'root','root','a48b9476c68536cb51f5ba866d1e3e42','3e883beb5fa556796f8de8b7223617e461d0080b','e6db76e7c311675e37e830103c18d32ec46a5c11c99f9b0af841d438690a3ef7',1591914513);
+	INSERT INTO entry_data VALUES(2049,169,2820,'rw-r--r--',NULL,0,0,'root','root','2bc5613c191c2ac33e81ce0dfa5a12f7','768981ef895e4711340966532f7ee6e4430e9503','5e443dcb9c2e2b1a70c234004ab5234b15bf67de7f37c3918f7f642e635218a2',1591914513);
+	INSERT INTO entry_data VALUES(2049,291,5449,'rw-r--r--',NULL,0,0,'root','root','c87acce0e6fbc96ad188d9aa22fc8ca7','a824270e013406ca86333dfceea5d684f01e0020','67b61d3738ca83a0ac3f1eca4f9f187ffb471465d91572678a4ff5d87a2a8993',1591914514);
+	INSERT INTO entry_data VALUES(2049,232,86864,'rw-r--r--',NULL,0,0,'root','root','03626db7bcb369750f4156c4bab2edb0','635439cca99d78a1fe9f4c7e110275b2ef291b9c','abf9e8231f37c0d58b2434f0dfef0932bf8f7271eca86fdb0c86d2132f18e56e',1591914514);
+	INSERT INTO entry_data VALUES(2049,246,3952,'rw-r--r--',NULL,0,0,'root','root','abf92df7c0c647dc5d24d4acbcc291c6','b1effa65663d72d3793763b09dd53bb32a69e04e','102e6506835a1502a34aad9f0965863c9e76692704987772bd6a7150d7f7a263',1591914514);
+	INSERT INTO entry_data VALUES(2049,237,3404,'rw-r--r--',NULL,0,0,'root','root','ced529c2019dc604cbcc0c2c1670dc68','e17990b416bde44deb475e2b1171032a94065d19','65c113d574926067c0ca3dc0475280b79fd55952d9c4cdfaf4ddfb9d0b8ddb35',1591914514);
+	INSERT INTO entry_data VALUES(2049,103,9644,'rw-r--r--',NULL,0,0,'root','root','1e0b031585c06894e8bb331624bb009e','efbe29f1e5cb0e7a903b75add7f8c6c483c47484','c870c752283f7996aa22a84189ca602b675de45e31c19662b50b7d803887d388',1591914513);
+	INSERT INTO entry_data VALUES(2049,49,10140,'rw-r--r--',NULL,0,0,'root','root','c168b2f1e66dfcc449d38b2615d1c257','5db88c236474d4b24bfb2194ac28a2bbb8407aaa','9c2a6f77dcaf6df83b7a9c3c38e55bcda1ff1cfa918f14eb6d35bdecdf288ab5',1591914513);
+	INSERT INTO entry_data VALUES(2049,174,2200,'rw-r--r--',NULL,0,0,'root','root','c74cea7b9b16c78b2341fd3ec0e5e5cd','4c5c87bff8052aad81aa9cc14cb6e2e66c2ca829','f2568c371646252e4e582d4662eab11dd3b2b0069c89f7f48fdf7db615402271',1591914513);
+	INSERT INTO entry_data VALUES(2049,299,2608,'rw-r--r--',NULL,0,0,'root','root','cc57db811963895918288fcaac87b5aa','e2f8457d060dd66ed3b745ef758d668bd48025e8','1446dfc625fdc852225912b97e9cb9b16c0489202bc595b952114c5bfe222803',1591914514);
+	INSERT INTO entry_data VALUES(2049,198,2824,'rw-r--r--',NULL,0,0,'root','root','c2d68e8328613bf6693b2f850fc7c220','c6a79a4c8969b3c221a6f2c11b3218703e9a8a87','efda48fe416d351bdc487f8e532cf53e124fcc42d6d821518a8146bd2c4ed8fc',1591914514);
+	INSERT INTO entry_data VALUES(2049,73,56252,'rw-r--r--',NULL,0,0,'root','root','94bea3a0412aabd07dc1b7df2c70cbc4','949e2d299c63249944ebfd0c5897be0c50015a01','657c378cfa7f83d5871a433c3b7e884e4520ff69b1186a9f4640ad31d409a716',1591914513);
+	INSERT INTO entry_data VALUES(2049,42,2536,'rw-r--r--',NULL,0,0,'root','root','d94ade51d7601d9f3dcf30628a0114fb','9f87eb76fbc32407156a00e5a85460fa425dbe47','40f114a16292e0700c7534a9b3348eecca5206662a1097bdb1b4574f8c156c85',1591914513);
+	INSERT INTO entry_data VALUES(2049,230,1968,'rw-r--r--',NULL,0,0,'root','root','d81221f3965865ad1db663fee3450f3c','ad8d7a7cff04c9b422ab7414655a4a0ff619e6d1','e715a48ffbe82d750a95da036e696fff5e0216247f5e67664b885340a5cd35c2',1591914514);
+	INSERT INTO entry_data VALUES(2049,209,5372,'rw-r--r--',NULL,0,0,'root','root','5448f5a626fa59ddf0a7cc7d7ca8038e','69d8f0428bc5e63ea2e024884e1345436abdb300','590ff5314bf419a129f3a43c3e9c79599184408c517e3a40f754475f7b9fbb94',1591914514);
+	INSERT INTO entry_data VALUES(2049,149,6700,'rw-r--r--',NULL,0,0,'root','root','b0d976afdd5bf137c458beb6f46976fe','4cb88df7a7b6f595569f9f786cd021956ed7c55c','72001df5fbf7a195fd34458e62f87f74237872792c478e1e633ad609508d6129',1591914513);
+	INSERT INTO entry_data VALUES(2049,120,2760,'rw-r--r--',NULL,0,0,'root','root','c5b7f2f6079c125983d3af44be0f1aec','b54b6df4ee6a78ab7b06e0a480208882f6a73633','4ca5fcf66f833725229c06e6efb6054d982ca04fac8afe2bfd4f7749b6bce880',1591914513);
+	INSERT INTO entry_data VALUES(2049,281,4840,'rw-r--r--',NULL,0,0,'root','root','1c7a9eb69dc4c6ca9742926b967df9c3','9b1074bef8bae0f1887c956bb2c4bbddb5b70027','d32854a48f26bc13bf22a0aa389e568dd4e81fb64ba9c0217ee3a7c0d6a64580',1591914514);
+	INSERT INTO entry_data VALUES(2049,227,1780,'rw-r--r--',NULL,0,0,'root','root','122ec03d3781353f85cddfa0f9ddc138','0c8ef4dee446d7dfbfbdb5c5948310abf9a5a460','71b3c693944509dfea3afe055f18a776f7ae467a235313ad747895a4493336ef',1591914514);
+	INSERT INTO entry_data VALUES(2049,192,5492,'rw-r--r--',NULL,0,0,'root','root','66888bec954168c985ccd0d666e2e643','e56fb4200e969ec54246f690737ed9c845f2a6e5','f48d29b805628b154634f4ba65e7354da4b2bff103fbe0dd631577862fe6d889',1591914514);
+	INSERT INTO entry_data VALUES(2049,306,5140,'rw-r--r--',NULL,0,0,'root','root','c9fb8dfc50852c43967e19e21bcf82a9','c27292026ab730817152aca078a0ea94a555ff1c','983a281c5bdd00a44edd267c4dbfdc7d059d4edc9a293a4027da18c493a8daaa',1591914517);
+	INSERT INTO entry_data VALUES(2049,23,64,'rw-r--r--',NULL,0,0,'root','root','307bc3ed39cad2e46e8852d1f96a81e0','5bdcea1652a554f631d99d62120e1454e684f60e','ce43d63318b69c8a407da790076ea11f3518ff07ee1ccfb417aaa5ee09a443b3',1591914511);
+	INSERT INTO entry_data VALUES(2049,317,172,'rw-r--r--',NULL,0,0,'root','root','1dc71134b387e2b684067a9b494e5474','1e95898ea62df1c9f1f0530cb959a4b81545552e','90f607a0a9dca48846f22ad75f090ff7228505dcb75be1b5f4eeef9b3b0a09c0',1591787821);
+	INSERT INTO entry_data VALUES(2049,21,8106744,'rwxr-xr-x',NULL,0,0,'root','root','024de7df0e14d3e4364ef29c86906670','2c3fd79aa482927984f8b850a71a744b82ad5e27','91e58e93a9bf4d05c7b189dca10e791f414a114154714f9b0ee8630aa8776653',1591914381);
+	INSERT INTO entry_data VALUES(2049,302,26090308,'rw-------',NULL,0,0,'root','root','5db80ba0d15e6096fcb118d91e871877','b64b5e22b58427ec3ab2804207152cd0e8ca270a','df1508f95d0de3486c771a5ff53c72725654be54ab7d887e4bb56d8b55744639',1592310545);
+	INSERT INTO entry_data VALUES(2049,313,17761176,'rw-------',NULL,0,0,'root','root','95591f366ab25d4490df424b48446967','fcd01a00681d18a7a64bd6ca0a62dd40453fa1c2','769ae12880e6b9cfe0f91ef434b81393fda28c215013e2bbc153314ba7ad0956',1592310390);
+	INSERT INTO entry_data VALUES(2049,16,3838259,'rw-------',NULL,0,0,'root','root','76a47c4d2e44ba9fdf27994e2cafd24a','4315d89aa7c601fa998b0a6bf1f0e4a9e8ca8e7b','04b7d388a9ff29e7d46dde815a59564e85a2d8bc6f411346890078bfb10601aa',1575496724);
+	INSERT INTO entry_data VALUES(2049,22,71384753,'rw-------',NULL,0,0,'root','root','bc9b9026cfbcbaab6d70e2e0472829cf','6558f286bde5389d5e92fa00bb76e16bf730da39','e2d02d4e1767f07b32031d861a69a637ecc38b1c0f7f15c57ee6e721dfb00334',1591914437);
+	INSERT INTO entry_data VALUES(2049,308,3841765,'rw-------',NULL,0,0,'root','root','3210ec474ae0177907c10d2976bda2e0','d868eca9075ed0c72a304c31408bd6dec86e18cd','fa93207c03510f019c41a52b8ba069cde018541bb5ee7fd6aeae029ae6f6c521',1586440600);
+	INSERT INTO entry_data VALUES(2049,316,187643,'rw-r--r--',NULL,0,0,'root','root','f6d34dc42577285d50b38dfc76071cf6','f9fdef750cd6b43ec966bb769cdb18e7e8eed655','336b07c009a20a7c39d805803fdc804ef36b9152302bccafaf191da9f04ae243',1591787843);
+	INSERT INTO entry_data VALUES(2049,319,26125407,'rw-------',NULL,0,0,'root','root','7c97f8a3f2e4487292af812ee9b602da','629a5f1a3094d60a814424aa49d576a2f6c7889a','fba5ccd925868fe0d4e5208484db01b85c3bac984e1cfd7684c139cef34e461a',1592310528);
+	INSERT INTO entry_data VALUES(2049,310,172,'rw-r--r--',NULL,0,0,'root','root','fbaba53e018ab65c445a2acc19a9633d','b0f356147f4282a33d7ec533f8aa3b37acd45d63','1c3e4c3816a95011d2744adc943de0672f8fcde43f5958f3971a63903fcd8b80',1586440582);
+	INSERT INTO entry_data VALUES(2049,312,26089816,'rw-------',NULL,0,0,'root','root','a1d5f77decc4c72bde99c52c24f4820b','5733f48d9497aa57222dc194f51185b585b2b9d1','f10b010bf08cafc3cef6900fd37b322f31b8527c5c667ca00f0d4a4e73e3e34d',1592310366);
+	INSERT INTO entry_data VALUES(2049,18,166,'rw-r--r--',NULL,0,0,'root','root','861fe9dfbe8955d87d9a267dadd82efc','9947125e1d08324e97719a75f155235b5a18bea0','b425833740fb96e5f4762ead4f5e1c7c951b3b7e86c109c2d5ad75e94d2a053d',1575496704);
+	INSERT INTO entry_data VALUES(2049,307,8913656,'rwxr-xr-x',NULL,0,0,'root','root','3cb5a4661a70c21eaafe2aab7e6b5e24','96242118ab7bcb9f53640903ffb78c4fc6dc7d7e','5a1494eaec137a424a4af01984f6040601bceb22070e36e4822117782475c54b',1591787848);
+	INSERT INTO entry_data VALUES(2049,305,17332690,'rw-------',NULL,0,0,'root','root','bfc9942ab7115b3cc051d598c44b2339','0cd2cf29252ea320fb2ecbdb59c2c67e1ad9cc80','869b332064199e63947fceb4d8a2efc47dce8096151cd009e5bb715c6ba4eab8',1591922713);
+	INSERT INTO entry_data VALUES(2049,311,353,'rw-r--r--',NULL,0,0,'root','root','f4f9e9a7ed56e2427b8194767623dbb3','b135957eb13a70ea0e091debd5cc9418ff2dfc48','91e1ea7e494902808102ed8da9600acd15cc0a3d150a0aafce4568099fbf9831',1591922773);
+	INSERT INTO entry_data VALUES(2049,19,323,'rw-r--r--',NULL,0,0,'root','root','655e6308a1c55663d80121bd3494173c','ce99aa893374050799e39d64df2566539475dc9d','4e14235f7f697b437b7d55b2530888fb3893785392636cf8252d8bda7168520a',1591914437);
+	INSERT INTO entry_data VALUES(2049,318,353,'rw-r--r--',NULL,0,0,'root','root','cb79aeb98bca4ec01170ca4682cebcb8','8833b21cea230c7a59cdd2a4f2bd2309f1709567','3a48d70b4c7170899aeabdcfd909faa348c8688411e3bd14d012a14c9e6a044a',1592310460);
+	INSERT INTO entry_data VALUES(2049,24,395,'rw-r--r--',NULL,0,0,'root','root','8a987afc3ba4290e28234b6e61fecbb9','ebd1cf81205ed1ee4462032ca6c09e03ad6e6a48','6db7104c84a0253735562b3577d74014d3e56e2d51da212928e93dcad9325e2c',1591914437);
+	INSERT INTO entry_data VALUES(2049,15,8106744,'rwxr-xr-x',NULL,0,0,'root','root','024de7df0e14d3e4364ef29c86906670','2c3fd79aa482927984f8b850a71a744b82ad5e27','91e58e93a9bf4d05c7b189dca10e791f414a114154714f9b0ee8630aa8776653',1575496730);
+	INSERT INTO entry_data VALUES(2049,320,17775749,'rw-------',NULL,0,0,'root','root','7ce4cf8863036d12f664055c2b164710','eca65f2a79d46ee33558ce435df783d5c66c7704','1506b42def50279d315e188d43b3c423d43e9c2c21f31d0aaa0d66834034ff7f',1592316110);
+	INSERT INTO entry_data VALUES(2049,315,3910484,'rw-------',NULL,0,0,'root','root','91d5158f2fc59ce055a763dc62a50e05','db22dc1def262ff4b146e5c36c67451e3ed659da','fe8b2665298eab5ad32c06ad1e05e3e528b8683baecadff32ee6b850410e79b9',1591787842);
+	INSERT INTO entry_data VALUES(2049,17,184613,'rw-r--r--',NULL,0,0,'root','root','1c840ca854736d5b198f593bfe6ba59c','d4ee1bd375a7ab7dc552be52ce27ba62434c8273','a6627206c73bfd6d5f7ae8770753ec9526c47efc758c944b82f4f7f87563295c',1575496725);
+	INSERT INTO entry_data VALUES(2049,309,184825,'rw-r--r--',NULL,0,0,'root','root','ea6bf7ba7bc281b199cd7bd0fb7866f3','57cf89f11be2e0a68143512650fd7621fbaada20','f56ba3cfe6853804f93ba4870135f8ac57118a97f65020d4e76af7b60e1ffe83',1586440600);
+	INSERT INTO entry_data VALUES(2049,20,8106744,'rwxr-xr-x',NULL,0,0,'root','root','f193b321de77e6f69685caca42a7edfb','103746689d2882cee0b1ade42955a1c260cf2ed2','b979e456e48751bb3cacf7775d49cdf3203cd66d74189b3df7ee1b883ea13bfb',1586440608);
+	INSERT INTO entry_data VALUES(2051,16777347,615,'rw-r--r--',NULL,0,0,'root','root','de6cdfe8b7ee3daec4c0630ece457ade','86a3225ce8460805be15e937b940123c9a9c2da2','49a33a49f0a4b5944b97f955c222a009a61629d7466704bf672f9fb2d2716988',1591914001);
+	INSERT INTO entry_data VALUES(2051,16777348,0,'rw-------',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914001);
+	INSERT INTO entry_data VALUES(2051,17154866,73,'rw-r--r--',NULL,0,0,'root','root','31f20b21cdf5f427a50e4aa776b84cfb','db21ecacf22aee3e2ccd7f176f364cf21d14e866','78b45e7e36786c38d01057e97d64c666b8606a9473d5aad43d138c16b0ceb71d',1596639746);
+	INSERT INTO entry_data VALUES(2051,50331779,87,'rw-r--r--',NULL,0,0,'root','root','23d986200dafe0561505e5d482ade4d4','a182bc39484dcca444a2a786c24a31303cee188f','46a6ccf9ab42bd66c45b63e06b27b2e034028ee5d7da7b14e745330c8ce3c0f7',1591914015);
+	INSERT INTO entry_data VALUES(2051,50331780,70,'rw-r--r--',NULL,0,0,'root','root','2a4dabe7755cb272827200609c74fd51','3d95007c1b25911332f232396bdab136ddad982d','26f6ee4838c5136569036e6c87e77380610988a93abc14018e3f912d1d7dd9df',1591914015);
+	INSERT INTO entry_data VALUES(2051,50331781,60,'rw-r--r--',NULL,0,0,'root','root','35d0263728666699b059f70d29505b7f','41fd915ce6df674d5ac0cce5f07cdf5b5a1a8957','b4bc0fa28fc0244ec87342b62b0ff79c5682bf6c19d0ac86a8d057bb128bde97',1591914015);
+	INSERT INTO entry_data VALUES(2051,50331782,80,'rw-r--r--',NULL,0,0,'root','root','ab29ebad122d229305f11026112f6ff6','cba0665927e9ee2cb1da32e79294f4c52c69f5f3','d64f78a0e140d0520c433079a9029fda8fc11af68d21b58864db729b6fa623b4',1591914015);
+	INSERT INTO entry_data VALUES(2051,50331783,53,'rw-r--r--',NULL,0,0,'root','root','2ffd3dc14c8b6c04d3469386e9571905','77677a7be94d0ab9939b97b9b93c9e16069b1217','798f96f12ddc80f337a5ff8d3482182ab95dac16712ae37cf12507412f2513c3',1591914015);
+	INSERT INTO entry_data VALUES(2051,50342463,7,'rw-r--r--',NULL,0,0,'root','root','0d12069f957b7ad4c01a0cb91e962ffe','ddd16aa943d19b4d1704555006dc3d657424ac3b','96171c133b33b6db82fe59ca91d45a5dc2803bba19501f00e06d243514da1f76',1591146169);
+	INSERT INTO entry_data VALUES(2051,50345536,6,'rw-r--r--',NULL,0,0,'root','root','72e6225074d4688085433eea256544e8','37a5b5b0f3e67d1661a8e20bb06f934f85f7cd41','394924622dfba63003e3b0eb4bdf696c73c71e55c83c12d5a74e87a31c944779',1591146169);
+	INSERT INTO entry_data VALUES(2051,35459515,108,'rw-r--r--',NULL,0,0,'root','root','cb73abb862c70ea686f6dc32d68abf7c','aeefb5d8201390aee81435c2a048dca74c462bcb','1557f960a39d444375a3a28994eb082fdab2887a16da2b677ba181658f2512b7',1574675696);
+	INSERT INTO entry_data VALUES(2051,51765269,351,'rw-r--r--',NULL,0,0,'root','root','8c1cdd9a5f28c87ade66631fdfd08508','30710c20cb6c3f80776238c017bbe3d35735af79','37e657939cf24783ab4ead7e58718173f4370d25af1e292413afe38c2536b669',1574679892);
+	INSERT INTO entry_data VALUES(2051,51765270,30,'rw-r--r--',NULL,0,0,'root','root','97c680635411a61c060f6a835e72b948','76830a74912549f993519471871cea760e56554b','88a070b6abbd97161cfc34ae51c121ba04b09752b15b2ecb2616d13c3ea58aef',1574679892);
+	INSERT INTO entry_data VALUES(2051,51765288,177,'rw-r--r--',NULL,0,0,'root','root','dd3dc1f8d170e79d06de4c6b371ac7e7','0f316acac012b2672fe65ecad042df31f3d6f42b','5c51f6908f7461030bd688fee7dfd99077807c9f051e363529429c8ea8253cdd',1573704982);
+	INSERT INTO entry_data VALUES(2051,52697011,17,'rw-r--r--',NULL,0,0,'root','root','ba1268312e8c0d42be3187035cfca891','1f709fd426c64c8abe2f943ba165c77127559b86','84c1c0c956a492cadbfd2cec581ef678c190e3e245f0d61665eb0f66b8b34fd6',1591813210);
+	INSERT INTO entry_data VALUES(2051,52697012,213,'rw-r--r--',NULL,0,0,'root','root','97f46e2cecb266b18180aee3fb630492','7e0c1156d1000c86c10ece487502a7a882950c25','13dcb073278bbb06aa78a2a6aaeaa56d82c61166c6e635b6dbbe5f6c22222e34',1592316888);
+	INSERT INTO entry_data VALUES(2051,11217,4,'rw-r--r--',NULL,0,0,'root','root','0235d5a369041e5cb0b9bd4fbd153168','44802b4599dd6b62d00636f397c973d81ae1942a','b6f0d7b9f4d69e86833ec77802d3af8e5ecc5b9820e1fe0d774b7922e1da57fe',1574675696);
+	INSERT INTO entry_data VALUES(2051,1127601,21,'rw-r--r--',NULL,0,0,'root','root','a6137ffec55992b5c8fe1ba2b03c5119','7cecb182f0322c0bda2b5d2807e87f39efead915','5a5aa0a6cdfb432f890351ebd1f62d05f9a04d5aa58f57d0758686afaa8d3617',1589213939);
+	INSERT INTO entry_data VALUES(2051,2166029,4,'rw-r--r--',NULL,0,0,'root','root','023e84808d70a20ab9211394aed061d2','4dd6d88be17377c60d9f36dd58c6b21872662daa','633e249364390d0039a36eae62b88d487e4dc524fe0a5dd166d955ed77a92524',1574675696);
+	INSERT INTO entry_data VALUES(2051,2082166,5,'rw-r--r--',NULL,0,0,'root','root','eb2d505950d2b192bacebba7e4ff8a28','e6954cbbb88891e75caa7405f1eecf4e1b222576','a27ae320c7b23801236352fc8185a281fff4c8181bbb7f358453795b0a39077f',1587696010);
+	INSERT INTO entry_data VALUES(2051,52344858,50,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557810531);
+	INSERT INTO entry_data VALUES(2051,50338181,50,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557787818);
+	INSERT INTO entry_data VALUES(2051,52272036,66,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,50345958,63,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52332517,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800075);
+	INSERT INTO entry_data VALUES(2051,50345965,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587692993);
+	INSERT INTO entry_data VALUES(2051,52332519,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1559226425);
+	INSERT INTO entry_data VALUES(2051,50345971,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587692993);
+	INSERT INTO entry_data VALUES(2051,52330421,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557810651);
+	INSERT INTO entry_data VALUES(2051,50345977,65,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,52344863,51,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557810568);
+	INSERT INTO entry_data VALUES(2051,50345978,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,52332520,59,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1559226425);
+	INSERT INTO entry_data VALUES(2051,50352745,58,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792635);
+	INSERT INTO entry_data VALUES(2051,52332529,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800029);
+	INSERT INTO entry_data VALUES(2051,50970419,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52332531,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800097);
+	INSERT INTO entry_data VALUES(2051,50970420,59,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52332532,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800097);
+	INSERT INTO entry_data VALUES(2051,50970421,58,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52332541,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1559153284);
+	INSERT INTO entry_data VALUES(2051,50970422,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52332543,51,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800218);
+	INSERT INTO entry_data VALUES(2051,50970423,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52344868,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557810978);
+	INSERT INTO entry_data VALUES(2051,50970424,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970425,48,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970426,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970427,50,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970428,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970429,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970430,48,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970431,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,52344832,53,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800218);
+	INSERT INTO entry_data VALUES(2051,50970496,54,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970497,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970498,48,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970499,50,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970500,50,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557583502);
+	INSERT INTO entry_data VALUES(2051,50970501,978,'rw-r--r--',NULL,0,0,'root','root','42d13304ed2e9e5b60b74d6ed29b3729','3884e90f9059ca6a5563f5efd6ae3ced3ab18bd9','f15acc29263815e7e04144a4b125e826a50557cdfb44dfc20cea5dcd869c6ea1',1528977676);
+	INSERT INTO entry_data VALUES(2051,51669431,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,51669433,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52344840,54,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557800217);
+	INSERT INTO entry_data VALUES(2051,51669435,53,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,51669437,51,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52344842,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1558101962);
+	INSERT INTO entry_data VALUES(2051,51669439,59,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52344850,62,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557803256);
+	INSERT INTO entry_data VALUES(2051,51669441,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52344851,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557803216);
+	INSERT INTO entry_data VALUES(2051,51669443,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,51669445,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,52330423,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557795628);
+	INSERT INTO entry_data VALUES(2051,51669447,64,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,51669449,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557812132);
+	INSERT INTO entry_data VALUES(2051,51995432,456,'rw-r--r--',NULL,0,0,'root','root','ac8e47eff3e165f76ca3c62fca483539','ca797bc35372b2c9a4dec70de44290a799720939','fcd8f22887f08923bfdcdaab199c90ee1f74db96601ca474095436beb0ab6cc0',1557803055);
+	INSERT INTO entry_data VALUES(2051,52330429,67,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1573233226);
+	INSERT INTO entry_data VALUES(2051,52266475,62,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52330430,68,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1573233226);
+	INSERT INTO entry_data VALUES(2051,52266479,65,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52332493,53,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,52266483,70,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52330431,54,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1578414442);
+	INSERT INTO entry_data VALUES(2051,52266486,65,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52332481,54,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1578414442);
+	INSERT INTO entry_data VALUES(2051,52266490,65,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52332507,62,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557795669);
+	INSERT INTO entry_data VALUES(2051,52266493,66,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557792828);
+	INSERT INTO entry_data VALUES(2051,52332483,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1578414442);
+	INSERT INTO entry_data VALUES(2051,52332503,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557795539);
+	INSERT INTO entry_data VALUES(2051,52332485,70,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,52344856,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557810728);
+	INSERT INTO entry_data VALUES(2051,52332486,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,52332508,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557799990);
+	INSERT INTO entry_data VALUES(2051,52332492,66,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580878);
+	INSERT INTO entry_data VALUES(2051,34059362,2643,'rw-r--r--',NULL,0,0,'root','root','5e9e9eea1fec8a196560d27b32d765cd','bcb4534969fec001b3de881325b5921eaed836a9','6998a61d8d67912564e7e1c32a367e031b98435b7b5e77be2857c0e10478ad8e',1557583502);
+	INSERT INTO entry_data VALUES(2051,18209124,26,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557814048);
+	INSERT INTO entry_data VALUES(2051,21011924,32,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587692993);
+	INSERT INTO entry_data VALUES(2051,16957324,32,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587692993);
+	INSERT INTO entry_data VALUES(2051,34029900,203,'rwxr-xr-x',NULL,0,0,'root','root','2ee060284ff5e00b38440d71ceefaad2','b3662f6014752df44d42fdbc5b5ad1656a16039a','8de4483a0c44a7719a66c4c86f6d6d3011feb4729b61b82015cd74cbce313cf3',1529665909);
+	INSERT INTO entry_data VALUES(2051,34074738,558,'rwxr-xr-x',NULL,0,0,'root','root','86c9c6dd7cb31e773a1dd3ca058a3c16','4566a9486653f5782496dcaa868a6580da7da1a9','688c7e307e41936e92d9f2798e0d00c14b9d5943ac8c8ba11f6893491c15ed01',1573230730);
+	INSERT INTO entry_data VALUES(2051,34087016,543,'rwxr-xr-x',NULL,0,0,'root','root','b1010d518eae97609af1264e24263549','b2d9841b1400cfa2b66fdb281c61ddf13cc7f4fd','9bc75259c0de4d0f858d4ffb552b5085f17307d16346644a4f007841a3bfebac',1557813538);
+	INSERT INTO entry_data VALUES(2051,17817701,2317,'rwxr-xr-x',NULL,0,0,'root','root','7e6f1af9deed7aae2bbe2b349ad59dd5','cdf7d1d449ef6cf210f80505ed2c84e940bd1d28','b6fb27613ade37a739a747fe0dd458740fc8ceed88e91af2517da3310acf5d25',1557813538);
+	INSERT INTO entry_data VALUES(2051,17817702,3548,'rwxr-xr-x',NULL,0,0,'root','root','0668b57caef28d9056094eb10a14814a','df04b078fe96c3d82e91b947db8e8e7fabe0c4d2','7e2b2949e0f6b7a34f73c6859ad7447df80bb51509b13cb9caef5ea7622afde2',1557813538);
+	INSERT INTO entry_data VALUES(2051,17817703,1486,'rwxr-xr-x',NULL,0,0,'root','root','89a778164222eca8723ca509f64d4494','eecea249cd99c75089719d61407d9638b3f2d7ce','a22a0e0fcdef9afbdcede0cb512a0543bf689aead74c73117a6f2154f4578433',1557813538);
+	INSERT INTO entry_data VALUES(2051,17817704,1870,'rw-r--r--',NULL,0,0,'root','root','39a4c42e85c610542636142117557657','a47b5a6ea1ce581a2a553c795e7b2d80cdfffd78','2e85e210432afd3f6db3c1aee502cf4ee6eef478c9e99fcf38fc66174d7e93b3',1557813538);
+	INSERT INTO entry_data VALUES(2051,34314253,548,'rw-r--r--',NULL,0,0,'root','root','a5d0dedab84c1b4ffd0c8d96440a46fa','4b112dd8c9407814b1df0f82607d0510f632259c','672dd0984cde30533a607d1178f9cd36c2fe441b010645e79f34dab56b574f36',1587692818);
+	INSERT INTO entry_data VALUES(2051,18196959,26,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310203);
+	INSERT INTO entry_data VALUES(2051,52352989,311,'rw-r--r--',NULL,0,0,'root','root','23f00195dd73b9827d6a629c126bdcd5','412ea5d08570b38f32539d8fa1a33ef93c9bb59e','8f07fd15a9aae98c0bc52c79fc7064e3d284855c33c2f57b5b240e30eb479ab3',1591914518);
+	INSERT INTO entry_data VALUES(2051,1392071,547,'rw-r--r--',NULL,0,0,'root','root','aa263364488ba03ab0d6b969cd956541','d4f47f10d65a8a9ee467df0d8feaf62806e47351','44088171eef3b117ebc7a99ecc1aee3ec0bf2d5ef85bc9691908c52779ea3dfc',1557813538);
+	INSERT INTO entry_data VALUES(2051,1392072,493,'rw-r--r--',NULL,0,0,'root','root','c313c2c7aeb0484e1dabec933f9042fd','1058adfb7acfc085934b772594aff79016162e7d','d2980d932a5aea6b48f8c1b57aca2b11693a78d35014ac21c80f0cfba5e0926c',1557813538);
+	INSERT INTO entry_data VALUES(2051,17959814,71,'rw-r--r--',NULL,0,0,'root','root','eede68a4305c2a5d75a688587827811c','cd35b832bca8b899b954bfb350181912bb79b22f','e9a48ec553fa4366a6c59729a8752d44ef3a8dc839cee0bf099c21652cebed37',1558100574);
+	INSERT INTO entry_data VALUES(2051,33721186,18,'rw-r--r--',NULL,0,0,'root','root','6a5bc1cc5f80a48b540bc09d082b5855','66296908ae73bd0b72b71fb15b413e9c7b81c69d','2584c4ba8b0d2a52d94023f420b7e356a1b1a3f2291ad5eba06683d58c48570d',1573230100);
+	INSERT INTO entry_data VALUES(2051,33721196,141,'rw-r--r--',NULL,0,0,'root','root','5fe6b8bf98bb94c55447ae48fb3202d4','3dd5fa8ddb34c23b4c2bac9754004e2a3aa01605','28bc81aadfd6e6639675760dc11dddd4ed1fcbd08f423224a93c09802552b87e',1573230100);
+	INSERT INTO entry_data VALUES(2051,33721197,312,'rw-r--r--',NULL,0,0,'root','root','1b08fd258c46fd9b04651d095429491a','1e76dc368dfca068aa8569a1e4146b762fdffbb4','30a80bfce3d108d6878cf13dfb1f3a1ea15b141dbdc5bc5803f4ab40a2a39f9c',1573230100);
+	INSERT INTO entry_data VALUES(2051,2102132,2479,'rw-r--r--',NULL,0,0,'root','root','fd47532d0c6ae3bec63f2f1ce3336a6b','e969a98067073c789b02168b211277eb393db634','9b72cfad9723c8b33eed3e18bda69be3f50740f8c11456487d3098e288359bfa',1591745577);
+	INSERT INTO entry_data VALUES(2051,4566113,2455,'rw-r--r--',NULL,0,0,'root','root','809c50033f825eff7fc70419aaf30317','89da8094484891f9ec1fa40c6c8b61f94c5869d0','ce1688fe641099954572ea856953035b5188e2ca228705001368250337b9b232',1591745577);
+	INSERT INTO entry_data VALUES(2051,36158739,538,'rw-r--r--',NULL,0,0,'root','root','83fdf844381126271be8d0013c275ae9','df320d5d773300d68ea3beb0b7c0c5fe34fe5722','a4f552bccbbb71cd47cdb698fc2c39d9f4151d319fa957c9c8d9228b765e1281',1388534400);
+	INSERT INTO entry_data VALUES(2051,35459505,556,'rw-r--r--',NULL,0,0,'root','root','29d572561191eaef1c4a1c45e0db1e5f','6b4a666fbd6447b4b84548e9e1b12a1471b0a4a2','4df4d6efd5f179a200cd4a55a5e894ec68cf36cfcb91a90693ef8f345dd7cd42',1388534400);
+	INSERT INTO entry_data VALUES(2051,1571770,538,'rw-r--r--',NULL,0,0,'root','root','83fdf844381126271be8d0013c275ae9','df320d5d773300d68ea3beb0b7c0c5fe34fe5722','a4f552bccbbb71cd47cdb698fc2c39d9f4151d319fa957c9c8d9228b765e1281',1388534400);
+	INSERT INTO entry_data VALUES(2051,4566117,942,'rw-r--r--',NULL,0,0,'root','root','f1df7ef2b4e1202ed35a7afe246b2da3','ba8327b4aaa6899f07204298b551b134dfa3ceaf','db055eaa2ea0f7cd2fa3301963cd9f320cfeba1dc874b70148289a0a7aa12e34',1388534400);
+	INSERT INTO entry_data VALUES(2051,1571769,2567,'rw-r--r--',NULL,0,0,'root','root','fb70580fc6a4b1da1107e311ecd24550','0f5615748a51cda1d38882866d6d330b52681507','c22944481deab4fd7c2b7668fc9aaedf28b2424edd71c1fbd13100fc2a5621e6',1591745577);
+	INSERT INTO entry_data VALUES(2051,4566118,46551,'rw-r--r--',NULL,0,0,'root','root','5532ae412eb03a4d96c6d1280e3be796','6b582907d3876eef0f3d1e8718cd464031634f2a','8fb83baab68ddce43fad08d695e154c0ae0e99f29427d136143e04e9080c15d1',1388534400);
+	INSERT INTO entry_data VALUES(2051,4566119,139,'rw-r--r--',NULL,0,0,'root','root','03c091e20ff2e135939da2274f77edf9','f7b6c99614cc6a4b4f069460ed182929d2405139','23bd7a7b5898c74141925bc02f2c786770f8474768926d4fe4a9354543679702',1591745945);
+	INSERT INTO entry_data VALUES(2051,4566114,1273,'rw-r--r--',NULL,0,0,'root','root','bbebcf13680e71ec2ee562524da02660','c5c005c29a80493f5c31cd7eb629ac1b9c752404','1fbea394e634630894cf72de02df1846f32f3bb2067b3cb596700e4dd923f4b5',1591745577);
+	INSERT INTO entry_data VALUES(2051,4566122,21,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591746201);
+	INSERT INTO entry_data VALUES(2051,4566121,124,'rw-r--r--',NULL,0,0,'root','root','d18cf5c42ad61924f7385b9a2f4ea0b0','b7ba867a93e06e5e71813a84750992f61620f10f','c3926d63a03e08f8a95c42d25b297b03bfa7b8b1b079f0cffd992172aa6ea4a6',1591745945);
+	INSERT INTO entry_data VALUES(2051,1392099,739,'rw-r--r--',NULL,0,0,'root','root','8b8c2251e0880f11ee17539073fe2e47','e37b4b35b8ecc6f9fe07479a5e2f2fad06548d2f','74d842e2f41eb9929da3a126f2075581126d0a00aca3a7aa2071a3981415a8c0',1559251811);
+	INSERT INTO entry_data VALUES(2051,1392100,13475,'rw-r--r--',NULL,0,0,'root','root','19ade5b6466de3dbc3897f90bddc52fb','ecdcbd81d6ea6cad693f4bfa500ae77f8271b16d','097f35caf2f4e5dc99eeccc65fa47f8c7aadab82c7dad15a0f198d1d3bcf316c',1533568146);
+	INSERT INTO entry_data VALUES(2051,1392101,480,'rw-r--r--',NULL,0,0,'root','root','15f418f414e974cbadb4aada9dfffb7c','de0fbe21ff132eb50dd88aef3190e9e82339f9c9','acae7e53019dac467760662152391fede208efefb2c0dd993d204b5f889a0f59',1559251811);
+	INSERT INTO entry_data VALUES(2051,51408204,422,'rw-r--r--',NULL,0,0,'root','root','b0bf42a2c7074b74b1c265bd80bafa79','ffe5e0a0554be659fe481a2a1b04d085d32064f1','25fc64aa56096c736f57d364332900ecccc2119f3c0234df91df9c4ec54c802b',1588805168);
+	INSERT INTO entry_data VALUES(2051,1894089,813,'rw-r--r--',NULL,0,0,'root','root','3ff8807e1bcbac1d2812d6a36d4f0287','d19eba9f751edaf8120bb8b9b722cea99fb4f60f','cc0feca59af66ea18656fc5774b78f586b97864965cf1add75b3f9944678e999',1574675696);
+	INSERT INTO entry_data VALUES(2051,1343833,235,'rw-r--r--',NULL,0,0,'root','root','4c3ce7d0d7feaab7c902392b44496f96','d1ee39b3bd626a1611a1e80406463f226fe513c7','47963d3a35d0c75cd37a2adc4b164f2c36abbec8241e1a05ad898dce5fcaa401',1588805168);
+	INSERT INTO entry_data VALUES(2051,1392089,38,'rw-r--r--',NULL,0,0,'root','root','6b2bc45988783e8ebe92518becda373a','d9b510b26a1c1cb6105fe372c060af767a62a189','10a8ae4578af702977bd0d92c79b3011295494d09f4d7ec11b9cb436419b7775',1588805168);
+	INSERT INTO entry_data VALUES(2051,1472816,655,'rw-r--r--',NULL,0,0,'root','root','9ca04b750a0f89876ee66ea8ddd85334','d462c4c33d40b916db7357a3ef4588da2e9c7b18','2c8ed41a1943e3cb5f5c15c12c35c84bf2fc1ec7a1b95af2e86eded6fb3d70e2',1588805168);
+	INSERT INTO entry_data VALUES(2051,1698891,290,'rw-r--r--',NULL,0,0,'root','root','66c8f3769e74311c09baa63810119be0','24cc3e29c871c833ecd79bba4cdc1048b7972a8d','9687b18a62a3ec8d165b61f097ff9b1aa9cbf21d2904e7b53ee6e379eee234a5',1588805168);
+	INSERT INTO entry_data VALUES(2051,1077606,157,'rw-r--r--',NULL,0,0,'root','root','1b32627f1b632601a78993fd06de972f','bad5175f3c05a9a72d5f1569fc428eb0dd8c1945','3be891aeb2aeb7e9b5b3264b316dd618291290f359f38308c6b6b663e986f692',1587699487);
+	INSERT INTO entry_data VALUES(2051,2032463,592,'rw-r--r--',NULL,0,0,'root','root','802865356395e860d75f0eaefef13e30','49485e161bcbdd0b0bf8105f93756ed008716c48','46e1caa3ec4778d5373787bdd2b65f3f77ce1a9321317ff6d228124712e68473',1574181761);
+	INSERT INTO entry_data VALUES(2051,2032473,5702,'rw-r--r--',NULL,0,0,'root','root','6f901aff2030243e72b15c8807b7941e','26a2474941291fabe303e13e65e92366e8465a6a','443404a583f50aada4d626f3569efd262b828b3d79ea52873869fdd0013a2199',1574181758);
+	INSERT INTO entry_data VALUES(2051,2032474,999,'rw-r--r--',NULL,0,0,'root','root','18b8268de92504e71ee885e97ff41f36','c14c6dadc402bf3a4dafcba9f5ea9b412ccfd5a5','8003fd3bcfa6d8213fee76de875d5a07a8fb769cc3fd68388cbd6a2b8dbcb242',1574181759);
+	INSERT INTO entry_data VALUES(2051,2032494,2009,'rw-r--r--',NULL,0,0,'root','root','991cacf372f334127732896538eb3152','faae202fc69d7a8354c73af2d4c65bed89ac6dab','d37a3d7e6f81eb5d942ee2e731a75522c21e62101ea478243a59b5a5da22b252',1574181759);
+	INSERT INTO entry_data VALUES(2051,2040058,1586,'rw-r--r--',NULL,0,0,'root','root','a0947e81cb348d2dab70989a0418a8ad','10eaff20bc705d8b86e368af337dd56f19b0f32c','add64a9cc569340fa1069baa1205501028614a909e1118ecddda79b28a610354',1574181759);
+	INSERT INTO entry_data VALUES(2051,2040062,1165,'rw-r--r--',NULL,0,0,'root','root','4f1cdad050403a3bca8fd78b8ffebfa1','a866808a313f63714a08dc485ebdaf275eb55311','8f22006d9934ece36f2ff7e9848f59ffdef39768d8d82dfed3029b41e2dfbe80',1574181759);
+	INSERT INTO entry_data VALUES(2051,2087619,2596,'rw-r--r--',NULL,0,0,'root','root','2b1ce85b65b0488c138f5e96cd8bd28a','ee6d1c05cc8b164efbb93c831d513007fbe1cd5c','8f8c18b5efa5218499eb9fd661718db17bd33043d64c263399e27013e6516141',1574181759);
+	INSERT INTO entry_data VALUES(2051,2143984,5704,'rw-r--r--',NULL,0,0,'root','root','c9a47a7fd6dde72d06291b50bd367fec','4756cec600fa266db0201d592e8121309cc32851','b450d49b97a4145d0fbf1c386f39be792bc55bad952b39bc795eedcdd4585cc7',1574181759);
+	INSERT INTO entry_data VALUES(2051,2143985,472,'rw-r--r--',NULL,0,0,'root','root','7a7b7683d2cd35cc47741e11b9227797','8383cb5bbe7498794c096e88080f8bf6fd762cb7','3611bee3b6d5ee7bccd71031909758a96f763aee4b4beb7e549d20b47df6e24a',1574181759);
+	INSERT INTO entry_data VALUES(2051,2143986,1259,'rw-r--r--',NULL,0,0,'root','root','3e7a0e0f4ed2b56e97cfc8de49b63b6a','155cfa97678872744d23e05e911554211d40a26b','28e0c03f1bfc51544057e4f79a71ad27575ce807856ebc50c6bde0fea783c359',1574181759);
+	INSERT INTO entry_data VALUES(2051,17764176,602,'rw-r--r--',NULL,0,0,'root','root','bb8a795496a39cb7f9b763de0fb3c520','aff51171b760f7558150d0d527c99fb7cbc30e6e','9fa368011b7d2862e4d4e55439bd5a69a7d684569e3487b2bfa069942188ebab',1588805168);
+	INSERT INTO entry_data VALUES(2051,17817710,337,'rw-r--r--',NULL,0,0,'root','root','d84dd006e5e2d64b2561e0500ca88575','4d153659fd50193a280d5a0401b61f15794770d1','53e49154f3838168143a71434e48c1c796fc8986799a4e589203b4b03bbd7b00',1588805168);
+	INSERT INTO entry_data VALUES(2051,17847089,2124,'rw-r--r--',NULL,0,0,'root','root','2e3bb66b972c3c27623668b6e632245e','4e001ce96922d555672b4b09402d21a0ff392670','7c841616acb948c530c11e7cfe3839ea5a5c4698ee1026087b2141a2f70a61fa',1588805168);
+	INSERT INTO entry_data VALUES(2051,17847090,2513,'rw-r--r--',NULL,0,0,'root','root','0efe1868e1c766d474bfa35d614ac85f','465331c243bfc82badca840668c138f9a6b36dbb','ea72313d809f80e198f70e49c12ee449ecbca8bb83747dd3e80eb30bb973d16c',1588805168);
+	INSERT INTO entry_data VALUES(2051,17961971,1384,'rw-r--r--',NULL,0,0,'root','root','9a4981217f229adfec9b730b82680241','fcd28f3185562baf9643e89c08586582e8393ca8','f84385bceab3dea243e0f26b7bd9471a960159e1f7c5bfbfaa730645c3d38788',1588805168);
+	INSERT INTO entry_data VALUES(2051,18264378,86,'rw-r--r--',NULL,0,0,'root','root','573ef42204a61985af3e0cf12707a0dc','f1b69af5f5b06f98634a0bcf279e3fe4f450bceb','97be216f5753d850d8d5d2e1dcf7513fce1ae97a9d82290250d3ed93dd02f92e',1574181759);
+	INSERT INTO entry_data VALUES(2051,18272288,143,'rw-r--r--',NULL,0,0,'root','root','728b514b498a4ca1bf160790ef8df58b','478b66f04c619c50b5026b9fede54bd63a4e219d','6e65dec3a08e7eed6a042dc6d3dbee668409ba98abe6e732ba9d29eab3f12e87',1574181759);
+	INSERT INTO entry_data VALUES(2051,18272293,83,'rw-r--r--',NULL,0,0,'root','root','0fae1e940bee6477755462f1fff78f1f','d7eba9a23a9da88deffd618d3bead6228f8a0d22','1ff8fedcf1e9779fc0004b90faa7aa246ac5a42a63a8cadeb31292b86366a2d7',1574181759);
+	INSERT INTO entry_data VALUES(2051,18304649,82,'rw-r--r--',NULL,0,0,'root','root','a5624e61f30a6e3ad0db9e765cffaa7c','edd729c713a7d96c5a14ba9d6aecaff0d4ad339e','94a6ed7542202a763f08ac02f8a232dcd8979f47d417b9278eace0652aaae33d',1574181759);
+	INSERT INTO entry_data VALUES(2051,18396928,108,'rw-r--r--',NULL,0,0,'root','root','b856bd778e59fbe8a92f446866457582','cb3e1ad9ebf781ef2c95a615e1cd915e8ba9bf32','bf3f80954d43374891951dc84ab743d19faf06a642cc6ff6a4b704204d1e4955',1574181759);
+	INSERT INTO entry_data VALUES(2051,18396929,82,'rw-r--r--',NULL,0,0,'root','root','059ec69943b6695b0a4441686bffd3cb','cd2937c867d9005ac0e63cd36e49863f0777d4d7','4195df588ce89e959ffdd005d446c86e023b1cd9b96c4a7f399799853b01d64b',1574181759);
+	INSERT INTO entry_data VALUES(2051,34087024,212,'rw-r--r--',NULL,0,0,'root','root','a45f2183ae47bf7ea32858e8bd4fd8c9','81313153600aca24a20273a085a06120081b7eda','228db1531a578519cbcebf2e8c579a616881b81a114bb6f9bb77ed55a513b7c5',1588805169);
+	INSERT INTO entry_data VALUES(2051,34187894,225,'rw-r--r--',NULL,0,0,'root','root','938477da65e48cc9bc9666f5139d9c70','dc5cd9e29a29cba179a6aada071c0ae17296d1d5','0354580a23cc18f6b7c2e0423eabe11474ee8f4117edcaf6c8c7a91a4a839809',1588805169);
+	INSERT INTO entry_data VALUES(2051,34273056,977,'rw-r--r--',NULL,0,0,'root','root','f43d16705f709b7250d07b688f1d2589','fbc5ff75b7dee55ebcf8a209eb870acb89c9c759','bb73d5c0c85f350560bc05b2e904918abb01a7fc38b2f6770b31d37a43167a1a',1588805169);
+	INSERT INTO entry_data VALUES(2051,34273057,1026,'rw-r--r--',NULL,0,0,'root','root','fa21fd485b344f7693b8902251323441','52bb3acb58448f5997a0094c6a00835cc2495f84','cba4e61a28f44a0edfe8dc1f518c48aa6f64ad685bb3188a0679aac4097219b9',1588805169);
+	INSERT INTO entry_data VALUES(2051,34273058,120,'rw-r--r--',NULL,0,0,'root','root','5a9708ef40bc51a2d94fec70b987134b','6baae490a34c9ebdd45b4b910ac9d22836b918f6','ce2e12292ee841f9affab5b058363229833862803979fd1892219728b3591090',1588805169);
+	INSERT INTO entry_data VALUES(2051,34059388,294,'rw-r--r--',NULL,0,0,'root','root','2e60311cff7057ed02cd08fc9828f231','64126bd2c70d510d2afc1bbbad481e5edd9c9149','c4a38da9611fb753e41749c2d644b494065b04d5949f825845c654038f37d712',1588805170);
+	INSERT INTO entry_data VALUES(2051,34064341,900,'rw-r--r--',NULL,0,0,'root','root','1f66a4bc83e286f1f6eab9cceaa9699e','51a345431763714e9245998c5addb1f3036dd2fa','2cd58a21da64f4581ea11e576a0e97c9c9d98892adac6d6d636d1b9dff27ae6a',1588805170);
+	INSERT INTO entry_data VALUES(2051,34064342,290,'rw-r--r--',NULL,0,0,'root','root','a8a2d67aff17e24961df11e11a383bd6','14e7a07d59bc6edf6766db819420298d03f08372','c20a76179eda56d25e8a7c197fb07c62c20850625a7dab84d8cc3e0a94b7d7a0',1588805167);
+	INSERT INTO entry_data VALUES(2051,34064343,2408,'rw-r--r--',NULL,0,0,'root','root','fa5450f70e7700ea4b15afd6dc4a86d3','45a23b48af4d7b2728912b8a13cbb0c2452b0627','8abc13e069bf177e6c7f5203d4dc180aa09b224cab0db5c840fc29858959b834',1588805167);
+	INSERT INTO entry_data VALUES(2051,34187122,4586,'rw-------',NULL,0,0,'root','root','583771a069be7890ea6312360b9b8dc6','d27826c3796ac3cbf50ef3fc8494bbf33c2ec03a','294c45aa7554b04a6d1e99504fb0368a2de6937fca866f9d741db13bd3644181',1588805168);
+	INSERT INTO entry_data VALUES(2051,16777397,1683,'rw-r--r--',NULL,0,0,'root','root','2fc218c1a38e25bcc16c13e76fc02adb','165f370be82c42611d5a78baf9317ba2ef6bb3c9','146059788b214d7ba0dd70c1cf21111e594c6cfde201da8a9a88fe7101be8a78',1591146221);
+	INSERT INTO entry_data VALUES(2051,20054135,1687,'rw-r--r--',NULL,0,0,'root','root','7f5baa033ffb6d42a06fd734a6a075c9','24ff41ad412c6b4a638111cbc6701ec89dafac1d','c9c03d66017969a4e7cc2378cac520d726d87e1f24422ec28a96065e43ce8c4a',1591146221);
+	INSERT INTO entry_data VALUES(2051,17154876,1627,'rw-r--r--',NULL,0,0,'root','root','6494b13311caf38e11eaa575a83c2c57','2d776ec5051cd8e37d6c29070cf78e649ce59ac1','cd1db21a863185127f2e3b264c97fb1c6c44c316385707999041ea475c110d1c',1576685329);
+	INSERT INTO entry_data VALUES(2051,1086379,566,'rw-r--r--',NULL,0,0,'root','root','b0fcc69ec559512540920136c106c049','751dd2582a3cc4bbb46f9ea1145bd8e3f59c6e6f','757c28eddb0634b74e6482d16324193be27eee41864c1f96c447020dae14b44f',1576091811);
+	INSERT INTO entry_data VALUES(2051,1106654,161250,'r--r--r--',NULL,0,0,'root','root','a2d497e516bff96499571c899b94b61f','830180e079003d5126e7a21be579239fb7c036c7','44d6753d89f34162f1155be9822424e6dd0947545618cbc648e25d2a90f050a3',1591922630);
+	INSERT INTO entry_data VALUES(2051,52664617,560,'rw-r--r--',NULL,0,0,'root','root','f234453a09e4e815fcc1f777c1d123c5','3c68219ad0bbe17c9773c5701ab34ad4d08a01a6','146ff96c60a8ee32bbcf2da59d624d6ecfbab7ef7442529d46d8d63064d8ca58',1576091811);
+	INSERT INTO entry_data VALUES(2051,20054194,726,'rw-r--r--',NULL,0,0,'root','root','b7caadb545403bbf421f80f5ac0ccb1f','6f501ecef2660fe2ad027b83a8165fbfce71ea27','7bb8781320fb3ff84e76c7e7e4a9c3813879c4f1943710a3b0140b31efacfd32',1576091811);
+	INSERT INTO entry_data VALUES(2051,17649567,161905,'r--r--r--',NULL,0,0,'root','root','aa56ab9fa4056aaee85a613c72aaa715','c01dd4f30da5cd8dd440faa3196a5b2f272675fc','5939c02139735a501c48cc4018fd81bccb9070aac99b9eaf9e819e9e47ab242a',1591922630);
+	INSERT INTO entry_data VALUES(2051,34024393,787,'rw-r--r--',NULL,0,0,'root','root','6157e0cd485cc847eea08e651ce672c9','1b007d0cde2d4791df3363c6fa6a22f0263031a4','6c812d1ec8ce5bde2216cc42be33021d6345fbea05c14f50c52191a38c175ea9',1576091811);
+	INSERT INTO entry_data VALUES(2051,34024400,261737,'r--r--r--',NULL,0,0,'root','root','4994f73e2ae2ab307504e28a619f5b07','3730e29b7ee1c7b28b9f2503b09bd00e98ebc0c1','783afbe969507d69974ac554c43615c02a00225602f92770fd67dc5cd0166eb1',1591922630);
+	INSERT INTO entry_data VALUES(2051,50829110,898,'rw-r--r--',NULL,0,0,'root','root','8d1ec9274f7f58fc21fdb92926ee17a0','2e9c850350cb6adc069c023f9a619d08377bdcbd','27362e773c8b6bb065a455a66badb05e2652720bab8ade9ab91f0404cf827dab',1576091811);
+	INSERT INTO entry_data VALUES(2051,50829116,222148,'r--r--r--',NULL,0,0,'root','root','b475cf36adf453881631cf53cadde457','2428a0c59e55b1afbc44be237f728b09f0fb0008','c594b2d8cd9a41518152c0dadeff734c173705a8708ae3561b9f88714f09add6',1591922630);
+	INSERT INTO entry_data VALUES(2051,50829119,173023,'r--r--r--',NULL,0,0,'root','root','9b7d83f057490e4a5990843af8d97d69','a34f6b6938147c9fd87a6362f0d96a4bb70e2c90','001b349d23a023be81084e96547adebfd6045e281e19171b103a049ce3b46eeb',1591922630);
+	INSERT INTO entry_data VALUES(2051,50833408,0,'r--r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591922630);
+	INSERT INTO entry_data VALUES(2051,34023645,166,'rw-r--r--',NULL,0,0,'root','root','2b2f570722f9c5a7f19e8f2a885253c1','4c0ea7b4623886d2246b9b113fafd1670ba42cb1','6c7b9287c41c171c64b358fc7331b8a9ae969fc2d00d997d88bcbf4da0de598a',1576091811);
+	INSERT INTO entry_data VALUES(2051,34024394,980,'rw-r--r--',NULL,0,0,'root','root','962f2b1b8477e4e317fc650e11a50c8e','b28450f457cc833ecf7af7dbe4d6c1feb0ec4208','400b96da374503fa6b6350a867347082d0c90e05ba4d02cc6b51b11229199c4d',1576091811);
+	INSERT INTO entry_data VALUES(2051,1106645,932,'rw-r--r--',NULL,0,0,'root','root','fe5a4775c334dfb9c64c19a6b4407dc9','1b475ca8d961e4afc37af6483ff75322cdf28692','86184318d451bec55d70c84e618cbfe10c8adb7dc893964ce4aaecff99d83433',1576091811);
+	INSERT INTO entry_data VALUES(2051,4566640,59,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591922629);
+	INSERT INTO entry_data VALUES(2051,50829112,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1576091956);
+	INSERT INTO entry_data VALUES(2051,1106647,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1576091956);
+	INSERT INTO entry_data VALUES(2051,17649560,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1576091956);
+	INSERT INTO entry_data VALUES(2051,17649563,55,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1576091956);
+	INSERT INTO entry_data VALUES(2051,1127494,412,'rw-r--r--',NULL,0,0,'root','root','5b561a90362b8eb9127c792c3f5902e0','a2587c4e97408b64274e5e052b74e3754892c13a','f1c1803d13d1d0b755b13b23c28bd4e20e07baf9f2b744c9337ba5866aa0ec3b',1587697252);
+	INSERT INTO entry_data VALUES(2051,1127495,11225,'rw-r--r--',NULL,0,0,'root','root','8e9c837c4cca7345ea69016005fc4163','e5df9d328b9ecdde506a678ce429b4ffab8b6038','af49f6cc959e96df354a9a9442814fcccc6d3e1ed6fa2d4af123d2e2987b66f1',1587697252);
+	INSERT INTO entry_data VALUES(2051,50989729,65536,'rw-r--r--',NULL,0,0,'root','root','a5ae49867124ac75f029a9a33af31bad','d272a7b58364862613d44261c5744f7a336bf177','e45105a21696a26c834cfaa3f664c42426c99546094e22fbe3a5e1dd3fbc1f33',1587694817);
+	INSERT INTO entry_data VALUES(2051,50989730,9216,'rw-r--r--',NULL,0,0,'root','root','7a326ad3c543092441bfe0604ef84cab','4c4fbf904aeab73abd5f631325d952b596df6172','607ea7d84d11f7803b0bf3e3e95afa822d7264a7e88e67efd1049c745bfb091c',1591915789);
+	INSERT INTO entry_data VALUES(2051,50989731,16384,'rw-r--r--',NULL,0,0,'root','root','9315689bbd9f28ceebd47894f99fccbd','7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5','6115cab6d646a05dd6b63e21c488da6bc36975f6e5ad8d6371c30a166c41cddc',1587694817);
+	INSERT INTO entry_data VALUES(2051,50989732,11264,'rw-r--r--',NULL,0,0,'root','root','edf6ae620dd47b75afbb64b80a1aa0ad','7f3f6b76fe4be732291a673b76c2d8df124ef07b','107aa14ee529ca2c5fb73c376e21f29b834c23c672ad0449742dfba80e778e2b',1591915789);
+	INSERT INTO entry_data VALUES(2051,50989733,451,'rw-r--r--',NULL,0,0,'root','root','c1d46e3bffc57abeac3e9416cb85adc2','e769da5e3e5569cf4128ebee8f082493fd9f813e','c56e10dfe5ea38b882421ef0c8c2ad445274c6a4db1dc1a9a6dcdc930d2a9848',1587694813);
+	INSERT INTO entry_data VALUES(2051,50989734,16384,'rw-r--r--',NULL,0,0,'root','root','73bc040a0542bba387e6dd7fb9fd7d23','bd748cf6e1465a1bbe6e751b72ffc0076aff0b50','3790a5404f6b7edb652544eb75bfaa8f1c515f41ef14369248151d7c52cd249e',1587694817);
+	INSERT INTO entry_data VALUES(2051,18250269,1702,'rw-r--r--',NULL,0,0,'root','root','885ac785ffef40dfcc4f8ea765fa07d4','5d3d6fcd861eb1d63e9582797afd7b24e0015490','1e339240bcfc5350f591e001299128b6c69ec4490393b3d32740b2df120b8d9a',1541600262);
+	INSERT INTO entry_data VALUES(2051,18250270,2169,'rw-r--r--',NULL,0,0,'root','root','de0622638572a2f6a6e29fa83f387eea','35310e9fe46db36a6d7b54f90a94cef0035c8002','1fa524d00c7e9a7aa9b1219f4d81aa7cd9a73568ada92323c98773dc2fa089f6',1541600262);
+	INSERT INTO entry_data VALUES(2051,18250271,959,'rw-r--r--',NULL,0,0,'root','root','5abbdc42a8e3d9e60039ab658700ec71','4ea455666ed56f9bf5aba072f85186bd3dd6637e','5e95c0c35c50b3fb287b150199e890bedf6eeec65a39d843e048ca0e5f7a359a',1541600262);
+	INSERT INTO entry_data VALUES(2051,18250272,1679,'rw-r--r--',NULL,0,0,'root','root','d9dff488bd9051268984da014f0be43d','67746dbbbd41b21b6b2bcd34531ca43ccc344fdf','6b46718d04424994c07a2b158680b47c354c019d62cfaeec6745c8753c3b1321',1541600262);
+	INSERT INTO entry_data VALUES(2051,34489826,2169,'rw-r--r--',NULL,0,0,'root','root','2ace8894994764ae32e391bc0c68e398','4d38e535b3e98fc307ab1d40bd7608507d5b1780','20a789b778a835b579fe96c5686f281619d0e1d33321b9df8c61ad2714f72877',1541600262);
+	INSERT INTO entry_data VALUES(2051,34492297,959,'rw-r--r--',NULL,0,0,'root','root','5abbdc42a8e3d9e60039ab658700ec71','4ea455666ed56f9bf5aba072f85186bd3dd6637e','5e95c0c35c50b3fb287b150199e890bedf6eeec65a39d843e048ca0e5f7a359a',1541600262);
+	INSERT INTO entry_data VALUES(2051,34492298,1679,'rw-r--r--',NULL,0,0,'root','root','d9dff488bd9051268984da014f0be43d','67746dbbbd41b21b6b2bcd34531ca43ccc344fdf','6b46718d04424994c07a2b158680b47c354c019d62cfaeec6745c8753c3b1321',1541600262);
+	INSERT INTO entry_data VALUES(2051,33577693,66,'rw-r--r--',NULL,0,0,'root','root','f6ef1a1ab0ef089abdaf2f6ecef3a66a','b5ed4d39c362ef8ad7ea2d6d7bd9c729edd15125','ac1de6c6cd2c05b8411d4ab341e98c64d7699606900f628de5e7834c96c5f818',1591146169);
+	INSERT INTO entry_data VALUES(2051,17167649,94,'rw-r--r--',NULL,0,0,'root','root','6dae2e66d0089d8479b14855d4203497','3e31ab9b1a70f6dbf441b2cb6fe9b6f6f8497c07','e94e50735e137e769b40e230f019d5be755571129e0f7669c4570bb45c5c162e',1557534342);
+	INSERT INTO entry_data VALUES(2051,34176939,7269,'rw-r--r--',NULL,0,0,'root','root','6f3df6aa6263e65829a1cb4c27c71f3c','d302546361b48151a008363fd1db1e18ef2c2961','74266630838b6a7dae29e7f6cc1e08e0d9b8c11e3583fec424f5b1d239199b6c',1587747472);
+	INSERT INTO entry_data VALUES(2051,34176940,1245,'rw-r--r--',NULL,0,0,'root','root','a06176747bd47a53781f1b53e00b8171','7ad316728c538e4d106e62daa55f73e10e3cce6c','d1bc415a178d38b79827490c10a0f9e995bb93c650e75ea9893564ced6169cf6',1587747472);
+	INSERT INTO entry_data VALUES(2051,51436195,299,'rw-r--r--',NULL,0,0,'root','root','1eb28a5ccbebf1de7797b75065324883','310e9cfd131d4229ac77603dc8d7ea70f345e0b1','0507bf37c139ae826758118f6991c3b63d752180ebfedebeaa6c788e6650e792',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436196,74,'rw-r--r--',NULL,0,0,'root','root','001c8d29daa075a0c9560e529a5e14ee','929e3f673eca34a3eefae53c8cd106216c2fffed','d5769b639f5724d4530882dd230ebba17b59977dd7d62b637eb8b6acdd2985e4',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436197,69,'rw-r--r--',NULL,0,0,'root','root','cd1424f775fd71a3fb67cc57a256096c','bae25e0d2754c61bff9373d35f99a637e902b223','3be3c54ed1ce9318bf0e0b4f6ab4b0f906e2dd20231387afab9f1e442449a8ee',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436198,253,'rw-r--r--',NULL,0,0,'root','root','0e038b26ed691ba2138fcf7b3caddd7d','4a7b1525ab73e9a2fdbe540dc7c4425040b7f110','9a7148eff882fb859d9a1d1288b3010b403c9f81d2dd7b6311b105bb7b68fb9d',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436199,413,'rw-r--r--',NULL,0,0,'root','root','9d9b988f24ced2a998b75e8d10a6dc6b','4331634ea4e67d69b4fe24e7ea87261e29aee7c4','195c07ed8654953624409940b29e38fe15e0391f9112c89f7ceb9bdb8bde5367',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436200,99,'rw-r--r--',NULL,0,0,'root','root','c712f44e341157684d7e0d48909fd209','4451036b9fcb484566dd3ef054d7df7ae0265c19','b75b5d2a7b1dcf4393fed163a1df179191bcd3d05a9de85a1c4a37f6c7d8ee5f',1570013858);
+	INSERT INTO entry_data VALUES(2051,51436201,75,'rw-r--r--',NULL,0,0,'root','root','86343b6ea6852b37fe5c4fb03ebb2868','9178c4a4beb42d45fd62c78cf64b44a8865d989e','cf3fc7f7df8ce0c4d70f129837022870d53e4b4a4223d35f23f769297bcc5051',1570013858);
+	INSERT INTO entry_data VALUES(2051,34176941,553,'rw-r--r--',NULL,0,0,'root','root','e72dbb2cccc517116dec00b819d068e0','fe21ddd732b08451f2f5d33b383e9c16f416bd6b','91080d89fb10dbb26a300d10971cdd899d957e859d210bf81a8a91bbc45b153d',1587747472);
+	INSERT INTO entry_data VALUES(2051,34176942,1781,'rw-r--r--',NULL,0,0,'root','root','169118e0e1ebe9c6b0f936a8b0847ac6','214ae6a46b3daddc4b9be8de20ab2c42adfc8a22','c37d4663c61a0bf77a864ffa082ead8d63c730620ab3ebfdf68d3f695e42688e',1587747472);
+	INSERT INTO entry_data VALUES(2051,16828412,38,'rw-r--r--',NULL,0,0,'root','root','09c8628375d8fbac27555418f8f62840','9444ac836064ad70ed2e97a5f0bfcd7a62b2a844','2270da6918b57d65c4fdbe6a7d0ec09eafeb786f3649ffaa98d331640842ea19',1591146169);
+	INSERT INTO entry_data VALUES(2051,34071648,85,'rw-r--r--',NULL,0,0,'root','root','fd070252e6e9996bd04d9d59e4ce21eb','4a42a4c2f078e0a2c3845bc5c0a57c17adc144bb','beb2c6dbeb8c7bcc056a7ebaad1c213bc7204b63f2e7e2d47f0e64f5c8b6ce22',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071649,81,'rw-r--r--',NULL,0,0,'root','root','0e0f36cafc6a9cf76bc704cfd8f96ece','66a78e8a71aef6e6eac5684fbd98c10722168d07','0b1d73102310eedcb0b6a6f1b104c40d9d7a33ab5150c88a4698d0d6ab2b8659',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071650,31,'rw-r--r--',NULL,0,0,'root','root','3aea2c0e0dd75e13a5f8f48f2936915f','96881d20ee9d521b74d4bde6c12d6f1bdb210c96','422704225f2cdc53e6a5387a3a35a4bcfd8eabd40e4bc143dfb82ffb5571acd9',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071651,262,'rw-r--r--',NULL,0,0,'root','root','393e42fa549d0974eb66d576675779c2','c9a8e6c59067f0d6bc5fcc4a6cea0b5bddaf314f','ca77fbc6bfbc56c9b4c4780b7b336da24ceaf3af3b657937e3076aa48c5d460b',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071652,735,'rw-r--r--',NULL,0,0,'root','root','ef115004c1a0a4160efe6b9d445ac004','f6de80fb49a46e4dff9c443a99f3dfe1cdd760c7','5baf6453cd30fa05aa3c3ba134e4f5c214f75fcc0c5a51a0faaa86b3f06a962b',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071653,201,'rw-r--r--',NULL,0,0,'root','root','7b2dc3e981ec34331766ba9d219670aa','a8b5cf52ccb44cf699e3d409bd8c24fc677ddc26','27930b58e402c31974c446c77cd89f79ff6c9ac3632a694490322af13b0e4003',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071654,112,'rw-r--r--',NULL,0,0,'root','root','7137bdf40e8d58c87ac7e3bba503767f','ab64726fcfeb050b86ab31825cb7b2ec6700002d','2f0bfd37d31eb05e75b42908d0eeb61bc3394ba4e5a5f110ed3ae2e5fb9e92af',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071655,92,'rw-r--r--',NULL,0,0,'root','root','6298b8df09e9bda23ea7da49021ca457','71a4c71af485bca57a562b6d0c73fec23a93c11c','a84a4480b5925624c5ac3ff059faf9af42858e7f9224c06270df3f15baacc9c1',1586215010);
+	INSERT INTO entry_data VALUES(2051,34071656,87,'rw-r--r--',NULL,0,0,'root','root','a1313318d6778fe6b8c680248ef5a463','da6ecd3c272b22a495a7498c1da2e68348b8e22b','08c418b8469951cd5c59da91e4b116cd62cb125478dfac12e5f5067d4d07ad3f',1586215010);
+	INSERT INTO entry_data VALUES(2051,16828413,51,'rw-r--r--',NULL,0,0,'root','root','15f898a67f7e7e42833cb731bad25104','552ea2632a86213e645a1f58225cab90814c0c9f','68116d88b20b07eb9ad07d0434bd99f7e542b135537419e211d6302129e049f3',1591146169);
+	INSERT INTO entry_data VALUES(2051,17934249,189,'rw-r--r--',NULL,0,0,'root','root','8d53c198562ff4a53598e263fdbbc4c5','5c40cf33f1f7ce0518294c6c5355360bccf06d34','5161a2f363053663ec3e03e215d3f9b95d97a1fc512d23f198b9f8f01230ae31',1586216332);
+	INSERT INTO entry_data VALUES(2051,51480768,102343,'rw-r--r--',NULL,0,0,'root','root','d7397df01cb93559b92d726d6b0d91e7','b323528cc39cc5fe2473b111fba698bd39a55965','1f45aa02abf54504cf644d9b9652810acd0cfd3c085f288f372cf19ae603a039',1587747213);
+	INSERT INTO entry_data VALUES(2051,51480773,2301,'rw-r--r--',NULL,0,0,'root','root','eeccf159eb1e1af87ca0c141235822b2','7053cdf14e76d16ec5f3eef89bbb4b96ae069b6f','b139318795177f0e2b9f325a67d16879750fd927b1a10dbb137a95e596cabde0',1587747213);
+	INSERT INTO entry_data VALUES(2051,51480772,531,'r--r--r--',NULL,0,0,'root','root','9df1883c03bac9d3041e75745cb5e0ec','aadb0de5d199ecb88b3de9dab1660e02eb40e6e3','d3f840a4d985f67b4d7c98c5ce0639cb775eb93c1810cc17c947c3d924def19a',1581415167);
+	INSERT INTO entry_data VALUES(2051,51480775,339,'r--r--r--',NULL,0,0,'root','root','d27b7f0947c6ac21944c05e6098b9850','39731d354b979b4915f05ffddd23ce111989a99d','e0a300ab3b467c229fe46552ca1e6d3d41eaf198c1d143ff418af27af65af798',1581415167);
+	INSERT INTO entry_data VALUES(2051,51480776,3020,'r--r--r--',NULL,0,0,'root','root','3bab119bec857c31a53725da2d0a9408','8b59245f78cc0d95062d73d5e8bab55e23d729ee','0e9a8757ceab5b853841b022598b0b26c075aadfbc7e8bb9ba6b5ac696944256',1587747213);
+	INSERT INTO entry_data VALUES(2051,51480777,2309,'r--r--r--',NULL,0,0,'root','root','ffa904d375ce53ebb6befe7d65cf391a','db32ce9ab241142386bd74d09f7600c342c10c62','3305ee7b92b0cc05e97147cd653719532686036d83d0631100147bec52fe8ba0',1581415167);
+	INSERT INTO entry_data VALUES(2051,51480778,828,'r--r--r--',NULL,0,0,'root','root','bccbaf503cb8f0adb5b4f841f7c1f735','7e5f6a182c55edc06a5284cbfcd3836ad131c661','122570662c0cd25c346fffd790278051d5519e5100a879dc92b05e452cba601a',1587747213);
+	INSERT INTO entry_data VALUES(2051,51480779,76,'r--r--r--',NULL,0,0,'root','root','f57ede2b5b249024766c51a223e15ed5','47c461a156fa36047993149a76b87ae888fdc4ba','72ce438bf8c5413099187edd317761df1e64b444f76eb6a28df89a0160308fac',1581415167);
+	INSERT INTO entry_data VALUES(2051,51480780,80,'r--r--r--',NULL,0,0,'root','root','f4de81439550553043e04f019a48a827','2ee9d412fd9e704835ca9cc8195f7ce43cae9ddf','bac3bfcde4b7036dd9b2fe31506f12005871552791fccfdb3b94d3b5156ad2b9',1581415167);
+	INSERT INTO entry_data VALUES(2051,51480781,563,'r--r--r--',NULL,0,0,'root','root','da26d10e71e517a6f02ff0d53395e3c9','5dc8dad4683be86ab08258205979f3af31fcd240','6a1511d72c80b4c8cb86f384c0f60ea0d1a4a74936a591b08068332a4cd8b9da',1581415167);
+	INSERT INTO entry_data VALUES(2051,16943873,23,'rw-r--r--',NULL,0,0,'root','root','f078fe086dfc22f64b5dca2e1b95de2c','5c76e3b565c91e21bee303f15c728c71e6b39540','188029a4a5fc320b6157195899bf6d424610d385949a857a811d992602fa48c9',1591146169);
+	INSERT INTO entry_data VALUES(2051,34017336,900,'rw-r--r--',NULL,0,0,'root','root','e7c06c0b5fe8cad7d945c5c9b5c2d767','767578de65b6f21acb7d5299881e9e00b6cad314','3bea281bbd267ed31c02249d9ce4c7659d764c6c36b0f0c81a39e4c810236eb2',1580832045);
+	INSERT INTO entry_data VALUES(2051,16943874,22,'rw-r--r--',NULL,0,0,'root','root','af04594bde4a54fe2c2ef7447d9f969e','95fee903a60d67d0bc0f1c11b909ec0527c2b39d','17657f4ee63966a9c7687e97028b9ca514f6e9bcbefec4b7f4e81ac861eb3483',1591146169);
+	INSERT INTO entry_data VALUES(2051,50809412,220,'rw-r--r--',NULL,0,0,'root','root','321ec6fd36bce09ed68b854270b9136c','aa500fc804df002eb5f9b2aa2403f56cd9bd180c','57e5db885f2f147a5521feee5c64ffb843634f4a805b3c387b5169dfa1e5a5da',1586876036);
+	INSERT INTO entry_data VALUES(2051,16943872,21,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591146169);
+	INSERT INTO entry_data VALUES(2051,33730413,2425,'rw-r--r--',NULL,0,0,'root','root','9bb3b8f7bcfcc8f17201ecd9c935a8d4','02aed933de9e78204e405638f2dd58f3c0772bba','68d403bca3d7bd2e90d00cf44622dc0598817197994812e06367df0c239b1204',1586839102);
+	INSERT INTO entry_data VALUES(2051,34213127,548,'rw-r--r--',NULL,0,0,'root','root','eab350e0c5241d4394c2099bf86e9312','61a40e1faa78b234462d16dffbdb3fb869442406','10f667337a47c3868695b2944b36d340b014e261241e38c5ce63923df38cfa11',1591914171);
+	INSERT INTO entry_data VALUES(2051,34214356,129,'rw-r--r--',NULL,0,0,'root','root','ca7729fc236d4135fda1a756ac105797','b2ff60ba0d44ea3d17879b0e18f1c81e10e8e6c4','8d37548126535cd74f9f3d2f7e9aa21ac39f5b3bc55f28274746a85984da8279',1591813978);
+	INSERT INTO entry_data VALUES(2051,34213129,2367,'rw-r--r--',NULL,0,0,'root','root','54152dcd60db409072cc7e00f0118f68','d6a58a3ce11276a40ddd60dcc037c0fa5fd15bc9','7433cf7d3d6d35d0790bbb0f49bc32986dc13483407d7eca5611cb8b2b0eedd4',1591813978);
+	INSERT INTO entry_data VALUES(2051,51480802,262,'rw-r--r--',NULL,0,0,'root','root','4f3161e07c771b81ac303f21dd424acf','e5d69169db4109dd4fb7eb6feba0398e36e4e614','8d2beb838d537959a01dd6026a545b8209182c1708a604489667af9ccd7e9a8a',1591813978);
+	INSERT INTO entry_data VALUES(2051,51480803,195,'rw-r--r--',NULL,0,0,'root','root','b1c42884fa5bdbde53d64cff469374fd','d44d38f4467cf5614675b0767aef7f9aa44952c5','33115c8ae83b6d571d45099e1758b571209e2808eed26389ffc50c1d5409cb37',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480804,1111,'rw-r--r--',NULL,0,0,'root','root','e750ff6a9c6a37357ac5375fbaf72015','2f58dfbf03ecf812a07c4a47b1d4d808c6f337d3','f380d2bee554ce43f49b1a0ee94e83074a00d49c64149161e45942fedaaeb5ef',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480805,114,'rw-r--r--',NULL,0,0,'root','root','162e92bfb15d2fad4b8d008691064833','24e10b0ceb9f233f25297b2a871108369125e2a0','8583ca57f622a7ef83c25b1234a40fe8ac5e89cba4e75b8f20da4f206c830a48',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480806,29,'rw-r--r--',NULL,0,0,'root','root','940b12538b676287b3c33e68426898ac','e19dc00953303aa0329c0253d99062c7ffb9bcfb','50e3c030d2451b2871ca4084e1cb1da2fc20e1cc0d1ff717d9a86ab8c9224bf8',1591813942);
+	INSERT INTO entry_data VALUES(2051,1479775,396858,'rw-r--r--',NULL,0,0,'root','root','ae119cd0ab4dc800498512699a8dc1a6','b82428ad797d11bf90a54a444a4fbd3c7b0b4481','9d720cbcdb616340112ca6916f65be061c79a77a52ad44b350d0e210b8330469',1592310135);
+	INSERT INTO entry_data VALUES(2051,1479776,13770,'rw-r--r--',NULL,0,0,'root','root','765a2b71895bb5a38425c4f3db2fc8a2','0c432d54c3237be042d0ab9fabcbb88f7af80f48','6c6b89d7c466ed6c214c677ee23f5185c6054fac1960059e89edfd06a21ca345',1592310135);
+	INSERT INTO entry_data VALUES(2051,1527754,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813978);
+	INSERT INTO entry_data VALUES(2051,1527755,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813978);
+	INSERT INTO entry_data VALUES(2051,1529037,565,'rw-r--r--',NULL,0,0,'root','root','b36d4bcfbe789d55bca1e97fd083aae5','642e26c1b56f11f6f72c1135c1a0f863f302905c','482119bf723ad6ae921bf7ff84232e4cfe5f1bb6a23c8e9161b651e023b67871',1591813978);
+	INSERT INTO entry_data VALUES(2051,1527757,139,'rw-r--r--',NULL,0,0,'root','root','3c867677892c0a15dc0b9e9811cc2c49','4241384aa031191cb0596c41973645dd9ea61fca','08062b1ce71faab6f7a21a62b6cb71a88b275e7f36fad087d29fd7e0f121d13d',1591813942);
+	INSERT INTO entry_data VALUES(2051,1539323,559524,'rw-r--r--',NULL,0,0,'root','root','85dc011ee6f31cd3be362680dba7e6dc','5c6cad1bf29273fb9bc4cbd06463830a2caebd5e','5d741683659b9dcdc6094bdfa20cebd76641bb7eced4224edb13762e352d7926',1592310135);
+	INSERT INTO entry_data VALUES(2051,1539324,18938,'rw-r--r--',NULL,0,0,'root','root','2cd92cbcf4238397f0a21c955d85a90d','4ccb273aa52d518884a4fb32f5b915f2a904eda6','36c96cd95c613f3ce27fa9d19600f5ce3b6e0f5f8c60e47c7c315c0612e53d88',1592310135);
+	INSERT INTO entry_data VALUES(2051,51480807,30,'rw-r--r--',NULL,0,0,'root','root','99866a62735a38b2bf839233c1a1689d','6a7a64e05c08246eed857b6f696d57cf770ae790','8564f22331cfac1d241b73064f15e1a5ffae1133f81f6592187d6d9cf673f277',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480808,372,'rw-r--r--',NULL,0,0,'root','root','bb8fd5bd4e017cd31f9a06e2e1110abb','aca41ffec604c79a9e73f10c7f528485915d29d6','38987683b036cfcf99f7656992ee4eb62042bd978c8ff6742826f039c5a40909',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480809,27,'rw-r--r--',NULL,0,0,'root','root','10b72bc068306e02f6f2b008154b259d','296d4bf60f3d27a8e851a8a661dcef1327f05fc1','3740c377103868efd081e872e3f28216ebf17b4535fd4ef3a074333915cff334',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480810,33,'rw-r--r--',NULL,0,0,'root','root','e56a6b14d2bed27405d2066af463df9f','bd689abffabce3b57e52f4808bb6abea08b03c32','e1fa3269417ef83475c62ed5fd9477da3a3f0518b699b35ad6edfb8044ef4f46',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480811,74,'rw-r--r--',NULL,0,0,'root','root','ee2445f940ed1b33e778a921cde8ad9e','6f5135dd841c8f8a00553476e3cdb68942a18736','dd0f14d1f02077d066f0f4b332fa4ed4ba352c560a62a6f628cb82df4de4a345',1591813978);
+	INSERT INTO entry_data VALUES(2051,51480812,1170,'rw-r--r--',NULL,0,0,'root','root','eea86cd9c44d40ad67a5eba484c451cb','382767b9b6575d5e142f0d429991c84c21a7d64a','c4a79bf016230fdb72a4ee61be011c3e63471c1978071f20cff3d78c36bd9854',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480813,53,'rw-r--r--',NULL,0,0,'root','root','ba4ad542f3d3f4defab67b3b0145f533','8bb12245af4cb120648068847adf3306a4a8cd2b','6669d66bfcc2aaa964253460196d90e17244d1ca474a7e46ffb3ce986afc3efe',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480814,57,'rw-r--r--',NULL,0,0,'root','root','ee907d56ba81b1303c4867e8a89a3049','c4ac9d7894ec9bc1f5754c74c5748fb23c3f60d2','b76cc49f30816e6ec08a4bf3f48cab11f3c0c159624e8c3abe52b52f5e6816f0',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480815,33,'rw-r--r--',NULL,0,0,'root','root','75772faeefee7c4b05818e64a39fb9d4','ff792d32d6e76a37b588bebc577257a2726a0118','6a5dac6f77bd507632b1042e967c3374f32e0619365f9f1625439bf28c935582',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929476,342,'rw-r--r--',NULL,0,0,'root','root','abf865a769a9ecde7f3d5cafea6fe40e','d882ca0a8b4193842afb8716a0d332c8ae59241e','5df7577357f8bb35e2332bba3c959db0c2bd22f38f8dc5906e7f42c4581a6456',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929477,724,'rw-r--r--',NULL,0,0,'root','root','7f1a4f5f05f47e635a6748be3c85a78b','5e233fd4054d0b963ff9afe3d9a6944a5027b73c','5dd9dd32c0629125704da29c372e56e17e766dec365585bbcacb9259ebeccbd6',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929478,562,'rw-r--r--',NULL,0,0,'root','root','5344040011eda8ec49685ad828ea0b8b','4028693021c6162f7bb29af6a94083e47f969683','7829739ed9feff4578eee8abcc9cb55a647bd73d189c4cc222999de2d4cddd3b',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929479,589,'rw-r--r--',NULL,0,0,'root','root','404dded66aa6628514d949bef45ec371','8063b58ebd5da510ed38afbde51b4b0d6e8f2fa9','7e88a2ba07eaa2b7130b7ea6ba35f124189a266844ec22baa114d54db17e999f',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929480,612,'rw-r--r--',NULL,0,0,'root','root','e07ee80b50d69f5dddc43c06138c8066','5fc55c31a05a8f1b70270d789202eeb1b99cc20b','03296b3f0d372cc054fde17cd56360fd12a18ff640d41ee907d6c43cd619a2ff',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929481,381,'rw-r--r--',NULL,0,0,'root','root','d6234d380187d35214a49020ba5c3e75','04b1c54511dfcf4c37c007efec445921bb1d8f0a','03a7f6913b7375ccf9dc5a666a08a788a5c3bdc16a8aac9058c4378e2083b525',1591813942);
+	INSERT INTO entry_data VALUES(2051,17929482,400,'rw-r--r--',NULL,0,0,'root','root','9da5e92875b1f116ea5e879e1138fc41','80403b47b9d6657cf0ab3bdfe41665ea82877246','0cb844e8fdb86671c44561a38c2116cc8d743f09460746fa7f53bafafcf82e97',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480816,62,'rw-r--r--',NULL,0,0,'root','root','92345cc8a4236439f6f8dfbd05f9e40e','f41e2de1f6f456172794ef168a9e0c89fd0f7b52','8e7fb0018bd239d06926a009de845619163e8f8111596cfae0157d914ec1c10d',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480817,71,'rw-r--r--',NULL,0,0,'root','root','b21a69d3423d2e085d5195e25922eaa1','0ce9444d98334d8bec859a9f69e3504d80285af7','2d74091c97b82bdc91d50b5ccde9ce59eb6565dc9a63d3bb9a2049ed72843d09',1591813942);
+	INSERT INTO entry_data VALUES(2051,51480818,2920,'rw-r--r--',NULL,0,0,'root','root','9dde3f5e3ddac42b9e99a4613c972b97','f9507fe47c6df8d8a9fb9ff0656cb1397b69fcb1','4762fa117dfad29fd5fbd5e51c562e237f9538204ffd1cc717e77c14e5dd6a28',1591813942);
+	INSERT INTO entry_data VALUES(2051,51213477,8618673,'rw-r--r--',NULL,0,0,'root','root','c635d602e976ba93e7aa5264676b36a7','b567ebf244a939d8215acbdcc7f5ae358ab8c80e','4d6e735cb02195ef63f01e2ea339853cdf4d609f8a80cc426fbafa458b7051bc',1592310135);
+	INSERT INTO entry_data VALUES(2051,34213132,607,'rw-r--r--',NULL,0,0,'root','root','ae70362b6fa2af117bd6e293ce232069','4d5b540f3ec52885519eff66dfcce77c2b20773f','ef53c74ff844d0b66411cecfbb3fe6e301c8a819f78864c126cdf95a15d165fe',1591813978);
+	INSERT INTO entry_data VALUES(2051,34254086,73,'rw-r--r--',NULL,0,0,'root','root','7740af6096412805bf8f173f10171b19','fb84c530eca1b3b2f5b343d6ddede4b391fa2ba5','cedf81a7200afb4054ab296ee3c8468e24118332b6a99f0075e2f8148f5f1d91',1592310135);
+	INSERT INTO entry_data VALUES(2051,1571067,417,'rwxr-xr-x',NULL,0,0,'root','root','437a986c691e21eeb452c4ebfb02f992','03155eac6b5ea3a22ba3256012f84459d605c3ef','7bbe9f0320c68ea4a5a6c810d3ebe2ca030be34e15c85051592a5ae92a429bec',1574177411);
+	INSERT INTO entry_data VALUES(2051,51808097,513,'rw-r--r--',NULL,0,0,'root','root','3350b1bccc90879175df419e2cb2491b','4125a99a723a3309d929471c1c24aa144f1a559f','2fdf1f93579dc1e3cbf9518ece2e3eda50a385dc63b070eb63f5f7b794149410',1587737807);
+	INSERT INTO entry_data VALUES(2051,16828415,14,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591146169);
+	INSERT INTO entry_data VALUES(2051,17167654,642,'rw-r--r--',NULL,0,0,'root','root','d1e7e7add29e247fdcf2a098fe5b37a0','54113a3771fd7b2b8bb63ccf0a899ac9af88f685','c1259ead36165a9477c9e1948500fb1ae58f33140d2c8b9fdf09ae54425d62b6',1481310673);
+	INSERT INTO entry_data VALUES(2051,1579019,54,'rw-r--r--',NULL,0,0,'root','root','1e5dc5424e5e27f9dd9cfc3b42e48ed2','c8ceb7c2c1049df341e90a0f4a455458c55eb701','dac5bcbc40573271783cadadcfa479eb9cb87cc00f185fe667c6169612ad6d77',1591914182);
+	INSERT INTO entry_data VALUES(2051,1579017,203,'rw-r--r--',NULL,0,0,'root','root','929f6ce2e0d106f8d52ca46f86d8a04b','cbf24daf0f11783437932cc163387735ab539b47','d52c17724b9fced7156d02c06890c3ad392e4dbe63a20fafdf7174354d71533e',1586589954);
+	INSERT INTO entry_data VALUES(2051,18276984,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1573230269);
+	INSERT INTO entry_data VALUES(2051,18276985,201,'rw-r--r--',NULL,0,0,'root','root','b7fd8068d12e5e23b65da5dd6b1c76a1','34be433b175130fa04e53996ca20dd9183a5ad89','89d452a26c518fec74ed8b9420d772424bad01051c345ce5c2fd5deb76653234',1573230268);
+	INSERT INTO entry_data VALUES(2051,16943875,14,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591146169);
+	INSERT INTO entry_data VALUES(2051,17154840,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586876036);
+	INSERT INTO entry_data VALUES(2051,17159067,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586876036);
+	INSERT INTO entry_data VALUES(2051,2674355,1566,'rwxr-xr-x',NULL,0,0,'root','root','c6a1bbfc436eb27562f637251d4137f1','f09d1bd2896fcfacdb4e98d5d9302a938f0a1b5f','b05e9f82c5543a1da75fc2817ad43263baf72ca480bd850e20c563f801d133e9',1587698663);
+	INSERT INTO entry_data VALUES(2051,17959809,36,'rw-r--r--',NULL,0,0,'root','root','8193c162e36c48bca537483c899650f4','cfa395f233e55820934f4c4bf2ffb4f11540015a','c61abbdf071ef2c5b9845f443c83ad0fbe37c0ddd3224fabe83889674737a938',1587696850);
+	INSERT INTO entry_data VALUES(2051,34476934,32,'rw-r--r--',NULL,0,0,'root','root','4103af235ca65ec02e21f97a84ca9733','dbcbfee8c267fa8f435f4a999746b4496e4a8fe6','5fb9afbdc9e8c3de706e956a6dbe61e933cf5f2d724bd3fcfbf8fc85466899f7',1587696058);
+	INSERT INTO entry_data VALUES(2051,16943878,23,'rw-r--r--',NULL,0,0,'root','root','2bbad94719eac5d859787ab6e97d1ff1','e8415579a23185cca3bccbff8f9a4b72ccc045b5','54c701dd1ed293e03c931055aceb61b0cb5cd4aa61908b7e42c0d5f4ce8a719f',1591146169);
+	INSERT INTO entry_data VALUES(2051,2078,731,'rw-r--r--',NULL,0,0,'root','root','349e00330684b1b1443904956aa0b241','f945fe1ad48aa9c367d2a131a4f7a659db6c1967','0e3a78178a75c13d71cfc2fafb3072a009733414a90802b2b67ccc7279e050cd',1591146169);
+	INSERT INTO entry_data VALUES(2051,2079,712,'rw-r--r--',NULL,0,0,'root','root','7449031222431c7cbac19313af55aca4','640746d2388b9500b300e2a45878e81e5473aa83','ee7da6f7be6623cc6da7613777def9c9801073d725f686eb4e3812584e3e417d',1591146169);
+	INSERT INTO entry_data VALUES(2051,2080,1043,'rw-r--r--',NULL,0,0,'root','root','6fb23052b64a430692d5ca98bb7d0836','2265eae6e3abb826307ae0b90d5855258e7bd702','4f781d85bd6ee94a6017abcf31751eb178138037769c51c59fdf978976d0c6f6',1591146169);
+	INSERT INTO entry_data VALUES(2051,2081,668,'rw-r--r--',NULL,0,0,'root','root','3c6ac7c1ed1f8f1db2a506ee0b484701','3233cc20293ab5f6d7b95da7956de5ed8655cfe2','fc4f39ea86eb19b225d839fb87e00ef2f739fc3f1bc69bae4ef59041706d72ec',1591146169);
+	INSERT INTO entry_data VALUES(2051,2082,756,'rw-r--r--',NULL,0,0,'root','root','a7f366f5ca5fd545fb1d4fc4177bec1b','83848e679e460bff4a32d73ad7a5cbe83589d5f6','337836cba39c52316fae9f5ba867ad7d7e1ade8134a47ea03b2c408639df0915',1591146169);
+	INSERT INTO entry_data VALUES(2051,2083,738,'rw-r--r--',NULL,0,0,'root','root','f7ef135ab54dd6b7aa722fcb6fe266be','8789af6f7349a7f1da517195917a896da2668013','54b661466dc2496653be171a855f2b4461aade859279c6de7a88cb271be71e69',1591146169);
+	INSERT INTO entry_data VALUES(2051,2084,928,'rw-r--r--',NULL,0,0,'root','root','1b59d3c55898f25f7e2e8993bda94ea6','9dd70255e317d89401afe5f8cf79f4d9c831fcb6','bc8973f360fbca2f501eca1e6bc2578a95f566fcaa6973fbc18e8c1fc0a1df43',1591146169);
+	INSERT INTO entry_data VALUES(2051,2085,736,'rw-r--r--',NULL,0,0,'root','root','fa72216542b88872eb4af7de07b8b528','c35df1f41bfeb1e00fdd8d335c977795763176ca','55b140630a42bd023ff40be2cf0d5fab51f89718f5d4a908ef64bd9b3538b120',1591146169);
+	INSERT INTO entry_data VALUES(2051,2086,1382,'rw-r--r--',NULL,0,0,'root','root','ee21c873034b57083d6ec3185ffbc144','fe24c98e4c6018119413f5f6a9f7661c2d980ebf','786f6399086b63b88366cbea5d8efd2a5316a5c75d787b6d0e88c726b0db59e6',1591146169);
+	INSERT INTO entry_data VALUES(2051,2087,74,'rw-r--r--',NULL,0,0,'root','root','3a5843b14a9f5e8362d745b361787c0b','19c1202985925836681db1c8b17f46d61ebeba33','863945c3ab656685e362bbb9f0843ddd2af74fcb4acadb5f4734381b990ed793',1591146169);
+	INSERT INTO entry_data VALUES(2051,2088,798,'rw-r--r--',NULL,0,0,'root','root','4c31233297febec14ccc49d2cd140e50','1ccfd3bd7f9fd6995c24743e8f425c0d35f4da9b','f4e068d64d48026d29ad38f4d28800daf61e24655c0914d509fb22548e19fbc2',1591146169);
+	INSERT INTO entry_data VALUES(2051,2089,338,'rw-r--r--',NULL,0,0,'root','root','4769fb88f81dce841efe0ea20b582cb1','e34603f0c327f91a7fc3e2f959bc84b0079fecc6','785b6808af71111422b319e36501afde57ee58c6a3473476df2dded7676133fc',1591146169);
+	INSERT INTO entry_data VALUES(2051,3772367,192,'rw-r--r--',NULL,0,0,'root','root','72662d3345395f23096068f03f7e8fcf','d769d5dc4cc1c424c696b1f1d479de3a95ce13d9','b101f8ef7a18f944a9c450a6223750228c8b3da15eddae95bf6ed4391b1f3209',1591916208);
+	INSERT INTO entry_data VALUES(2051,2076,743,'rw-r--r--',NULL,0,0,'root','root','9236cf726d7961ffec71bfde6b723bc7','0f43a46eb0849ad0888686439fbfec77f77c202a','c2568f2cf213079788362f36dfb4988512a91ae608412814e61428161061db88',1591146169);
+	INSERT INTO entry_data VALUES(2051,1392098,1167,'rw-r--r--',NULL,0,0,'root','root','a36f450ae71b30536645205c796417c4','ea55abcc7a4cac9d007d10b0858a10e932f3ee16','ff2abec1d6a4ecb980a50d621206f10e0a7ad2ecdd50feb560574068a09afd37',1576685329);
+	INSERT INTO entry_data VALUES(2051,1392112,1249,'rw-r--r--',NULL,0,0,'root','root','9ad92466d8af5d4f0c3a9674815deab2','4fa0c233f569a72e0b331bfbc0019f4e19770832','b7484be246acec80ff6af98c489dfbdfa88d532489d019cf88a2915e4aed16fe',1576685329);
+	INSERT INTO entry_data VALUES(2051,1392114,1266,'rw-r--r--',NULL,0,0,'root','root','e4073a7644260ee0855b4949ee07c1c8','1480c7579cb4d8ff640c905949740184a7f6aa92','5c619f5942384ede5b68f6952cb10fec295b421ff82e97f3dc691cbdbe057a35',1576685329);
+	INSERT INTO entry_data VALUES(2051,1392116,1203,'rw-r--r--',NULL,0,0,'root','root','65204d769599d7cfa0e980f4594cbcc1','697a13f3dcdc5a6f4f3fb17b63debb3f844c3968','56ce173058ec1549015f5dcfccfc10761943a026f87e834c30526b401ae1df12',1576685329);
+	INSERT INTO entry_data VALUES(2051,1392118,1104,'rw-r--r--',NULL,0,0,'root','root','aec3f0e37163e23d2233c1a619a50cfc','8e04ad7a046ff8f295f8d9ea02cb3664a071799d','3ccd0a0cf1a099cd8d383ff3929ee8e0a99949a194832b4ffde7119abb2df15f',1576685329);
+	INSERT INTO entry_data VALUES(2051,17354425,812,'rw-r--r--',NULL,0,0,'root','root','c523bd80412c3f7aae8cfdcefd9a15d4','deb5d9f2b3d2b3357098b231e67c1ebff44d0a9f','003cd0a16a54e9ff1e852cb08b8d5b0b3df17ac8f8cc382537097d82e35251b2',1587735337);
+	INSERT INTO entry_data VALUES(2051,16943879,1529,'rw-r--r--',NULL,0,0,'root','root','852dab9087d52b29a2aa324791a07c6c','41b96f30cc6b111373281bb4a549d252acff8d61','a4c569569f893bc22fbe696c459f8fba0fe4565022637300b705b54a95c47bce',1586215878);
+	INSERT INTO entry_data VALUES(2051,34020395,42,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587735630);
+	INSERT INTO entry_data VALUES(2051,34633884,494,'rw-r--r--',NULL,0,0,'root','root','949ab98e8574d054df7becca5af59e7c','c7c16d9d205b9e552a3b9dd5da4c4d59b234f0ce','91b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6f',1587700098);
+	INSERT INTO entry_data VALUES(2051,16943882,3019,'rw-r--r--',NULL,0,0,'root','root','7c1e9273dee2deeb971b73e9e0fd4d48','f6fdaa8f3d0462c507a3072fc215289317f07bcf','d925e7ec2fdd6861be5f3a6d5a08a1ff13a10d23ebbb8d26717b1b75ca4f118f',1586215878);
+	INSERT INTO entry_data VALUES(2051,17611847,767,'rw-r--r--',NULL,0,0,'root','root','ca8db53e3af4d735335c2607d21c7195','36852ec5ce61da5aebd8f23ecd2f17434f457367','86ee43cde79ed4afdbcc697d74fe80cb3d9b261feab550f45beeedfba7ff9fbd',1573245337);
+	INSERT INTO entry_data VALUES(2051,16943883,1629,'rw-r--r--',NULL,0,0,'root','root','cd983cb662c7e44e22fb5b91f31ea544','1c2bcab952118b4477236014b833d65c2d44470c','51e9d0f4d05d1ba38da624f4c063808361faf53f3d140f5a331ebf8db029384e',1586215878);
+	INSERT INTO entry_data VALUES(2051,34024396,16,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1576091956);
+	INSERT INTO entry_data VALUES(2051,18234613,26949,'rw-r--r--',NULL,0,0,'root','root','bb75b33ea09680d13452d025f26c6e62','e98b5a71234c36f385c1d0636318a630f3f1ac73','33230136bcc6f3da69e5323911d8500201610762c87e4c58eb4c72b03c7526c9',1587049660);
+	INSERT INTO entry_data VALUES(2051,18229561,0,'rw-------',NULL,0,7,'root','lp','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587697202);
+	INSERT INTO entry_data VALUES(2051,18229562,0,'rw-r--r--',NULL,0,7,'root','lp','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587697202);
+	INSERT INTO entry_data VALUES(2051,18242344,3000,'rw-r-----',NULL,0,7,'root','lp','f8da975c317b42b9aef8b67d3c9775fd','24baaa20f2896eea7a889414098bd343f1026156','4c39f9a1fa9a4941ebfe5c3790802076005ddba000bd121efb086ab585ba3d95',1592310137);
+	INSERT INTO entry_data VALUES(2051,18275436,3000,'rw-r-----',NULL,0,7,'root','lp','f8da975c317b42b9aef8b67d3c9775fd','24baaa20f2896eea7a889414098bd343f1026156','4c39f9a1fa9a4941ebfe5c3790802076005ddba000bd121efb086ab585ba3d95',1587697195);
+	INSERT INTO entry_data VALUES(2051,18229565,6278,'rw-r-----',NULL,0,7,'root','lp','964b508a556426c6ae5a97ffa77c1a6c','daab778ad12546dd0b6407f2c5beda75913a7507','c00b880d56a722fedcedbd032422baa6d0f86daacd9b66f1d3b4bed10da3d1bd',1587697195);
+	INSERT INTO entry_data VALUES(2051,18229564,6278,'rw-r-----',NULL,0,7,'root','lp','964b508a556426c6ae5a97ffa77c1a6c','daab778ad12546dd0b6407f2c5beda75913a7507','c00b880d56a722fedcedbd032422baa6d0f86daacd9b66f1d3b4bed10da3d1bd',1587697195);
+	INSERT INTO entry_data VALUES(2051,18229567,0,'rw-r--r--',NULL,0,7,'root','lp','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587697202);
+	INSERT INTO entry_data VALUES(2051,18229568,0,'rw-------',NULL,0,7,'root','lp','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587697202);
+	INSERT INTO entry_data VALUES(2051,18229569,142,'rw-r--r--',NULL,0,7,'root','lp','47b8f1c3fecdc44e3d1fdee4b9eeb3f5','328d2bcd079f4fa7f9e1fee7cd73c63f4aeb8576','1004acf5cb62b6cbedbf75250aa8a96355bcc5a49969af2095f6ac6e64081465',1587697195);
+	INSERT INTO entry_data VALUES(2051,18229566,142,'rw-r-----',NULL,0,7,'root','lp','47b8f1c3fecdc44e3d1fdee4b9eeb3f5','328d2bcd079f4fa7f9e1fee7cd73c63f4aeb8576','1004acf5cb62b6cbedbf75250aa8a96355bcc5a49969af2095f6ac6e64081465',1587697195);
+	INSERT INTO entry_data VALUES(2051,18210945,110,'rw-r-----',NULL,0,7,'root','lp','ef4ab836ce1c0937527212b51c3e920f','093dd8c386eeb90f6dfab391be23f0a281d9a037','e2d3dae80adb721575770ebfd44adc7926c51b589dfd08a858495a6739ab2a0f',1596481554);
+	INSERT INTO entry_data VALUES(2051,18209128,410,'rw-r-----',NULL,0,7,'root','lp','4da3ca578bfd40efbcf6a526aabaacc3','963eeebe256620f64ff93e309c8408f2f757e5b3','4dddbf90aba8700801789e04ba17508344b0d852273177a0dc18f20c514601ea',1596036920);
+	INSERT INTO entry_data VALUES(2051,16943884,1078,'rw-r--r--',NULL,0,0,'root','root','172c92712f7967c0ec57d8fea60fd3c0','beb623b3f928f58bad07b06f130bc7e60dfb28cf','792cec9fd4aaa93a5a759ad2dbfc2289c561cb39df57b50fbebb4a40b82c23fc',1586215878);
+	INSERT INTO entry_data VALUES(2051,17154856,1498,'rw-r--r--',NULL,0,0,'root','root','3f42301be3bdad8d8f786170cdcc7ded','477a92d769f5a16948dbc66fc7bd899410cff003','2005fea527b6203e9e1f3f8ce5290ffa4df8ebffd50e5b592cb4502d5de2dbd3',1573008188);
+	INSERT INTO entry_data VALUES(2051,16943886,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586215878);
+	INSERT INTO entry_data VALUES(2051,17647373,2027,'rw-r--r--',NULL,0,0,'root','root','871bc72fe80572425a9529c6d39166d1','e7653ff73925910d04bf04287a2ecd36a20883e1','6a0bdce3ba6298a5a7979d80b4a31ea1c68c22cc6736df3b6e1467997f5377c8',1573240864);
+	INSERT INTO entry_data VALUES(2051,16943887,1362,'rw-r--r--',NULL,0,0,'root','root','ee5e7e011cc749f71939d5417fe17d9b','07eb268f4ccd95249f0e5b62e73c546d2d213cba','ed38f9d644befc87eb41a8649c310073240d9a8cd75b2f9c115b5d9d7e5d033c',1536580263);
+	INSERT INTO entry_data VALUES(2051,17611853,0,'rw-------',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914123);
+	INSERT INTO entry_data VALUES(2051,16943888,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1536580263);
+	INSERT INTO entry_data VALUES(2051,1438647,1004,'rw-r--r--',NULL,0,0,'root','root','533498977140d6c0786a8d56b2d70afa','7d04b51b9532669d5fd8f80537421b1d02de82c1','c72ecf38af7291c1fcf00fd65b65530e8db48166d4b41100654013e20017144e',1570013858);
+	INSERT INTO entry_data VALUES(2051,1438648,92,'rw-r--r--',NULL,0,0,'root','root','536793beb03e3a6d17da977fd6fb51df','b211cc6deea455bd8bfbefea147909c6df23803a','028b57e66dfdcbb1dde664b1f885b46c7f2237bec393fc974458650a5d924d28',1587747464);
+	INSERT INTO entry_data VALUES(2051,1449962,358,'rw-r--r--',NULL,0,0,'root','root','2ce61cc3456b05c5bfc0ac737a475bb3','d43399a44d32b05f927419cdb4fdfbd4132705e3','9ab7f0565e6af908350387b83ee95755250ee2e6822af787c1c2e5e9388ddcd5',1590680838);
+	INSERT INTO entry_data VALUES(2051,1449963,111,'rw-r--r--',NULL,0,0,'root','root','9e43871a14971e361cebe4f102829161','18f36cb83e134ad7b856bbf2d28f532b54d733d2','a523b6e2082ab5b913c9541295424ce7f3ff7f8161e6f21c7a8f64d23dd22313',1590680838);
+	INSERT INTO entry_data VALUES(2051,1991558,119,'rw-r--r--',NULL,0,0,'root','root','00db623826861ff5b381ed28bf3a128d','1c60519ef99a4e671b8654004ada49e78241a81c','6787c6ae864420969123813909d9e97399e5ea243009a5f4509db3965fd9b85f',1586216568);
+	INSERT INTO entry_data VALUES(2051,2142331,747,'rw-r--r--',NULL,0,0,'root','root','b1cf2004522433fcc9b5ad7acbb1306d','2102b6863dfedd3140bcdce24263f92d28316868','cc03dea8b034ee5703f67b9086b5651e8528ad74770ac0ff52ab3f011ba838dc',1587699739);
+	INSERT INTO entry_data VALUES(2051,1721897,674,'rw-r--r--',NULL,0,0,'root','root','72688131394bcce818f818e2bae98846','1b8ccbdcaac1956b7c48529efbfb32e76355b1ca','5e8f341f27d6ae3048f41f12c310db5fa3999ec842cb39c5f547deb461a9e308',1576084396);
+	INSERT INTO entry_data VALUES(2051,773564,158,'rw-r--r--',NULL,0,0,'root','root','829340508a72f5f876e131bfe21f1bb0','9530e0dfaab0ced00e0ac617aaaba5086e713f0c','120a02e9b88ba74949224eca7385825e39880f5687f739ade07d94ee22ffe325',1587697347);
+	INSERT INTO entry_data VALUES(2051,16943889,66,'rw-r--r--',NULL,0,0,'root','root','48f4ebe8a6d9662bbcc16e547f20c677','f27be95d40c6cdd69350ca46e1d5a186d7212b9b','ba1ed4fe76cd63c37dbd44a040921db7810c4b63f46ee6635779627a4a36a196',1536580263);
+	INSERT INTO entry_data VALUES(2051,50955417,116,'rw-r--r--',NULL,0,0,'root','root','3a6a059e04b951923f6d83b7ed327e0e','d5a6456f6aba16f8d43d30ea67d81a11a0181dc6','ea02e4313278315e15acc3276a0d87ca5d151faafdb77a6379ca643316ed9f43',1586228812);
+	INSERT INTO entry_data VALUES(2051,50756595,115,'rw-r--r--',NULL,0,0,'root','root','59b6201cc8365634bc7e88c6f704793f','5b18537d5fa5c715f672fff65e788f92273e9740','a68a3d8bbb28216cda9eb6ca35b74ad7547a34a4d2b3fa446fb67079305bc4c7',1584400467);
+	INSERT INTO entry_data VALUES(2051,17597320,1042,'rw-r--r--',NULL,0,0,'root','root','a091b77514876e90b897e045a20cc1a5','92c6ce1441deca32d0c8e576951addd414e1a29d','41edb555b91ffde5e1f44e08a959d8302aa6bba8af7842ee60dfde65c05d4af4',1592310224);
+	INSERT INTO entry_data VALUES(2051,34024434,2151,'rw-r--r--',NULL,0,0,'root','root','1f814b47cc24ab813961e2939d1db23c','8e1dde40834f87a44cd6cbe209c3bbcc45ab9ac0','77976ab8c2b73c5951600cb43526076c28a650677988df1c9a8e981ea9d65c9f',1486734608);
+	INSERT INTO entry_data VALUES(2051,34024439,4564,'rw-r--r--',NULL,0,0,'root','root','dc21d0fd769d655b311d785670e5c6ae','e2a2cfb8bbf2f3ec5b1b65a1cb8aa1d7e1ace604','f68915c4eb637aacbfa01cf26dc469a73f70acb0495efc4b074ecbc626bcb345',1586989713);
+	INSERT INTO entry_data VALUES(2051,34026048,82,'rw-r--r--',NULL,0,0,'root','root','09a026b0ae024cf839f7e8e013e5742a','efac78e86579a5ee2cd275522c55da3ad507f7e7','7fb959ba2053842c5e0d60605a5ed7528fca2727414700cf3783c3f1309d2f30',1586989714);
+	INSERT INTO entry_data VALUES(2051,17844126,24,'rw-r--r--',NULL,0,0,'root','root','1a219a22b79f078abfa0bc3876c98934','744de9e5a2c4f0b7f126a83149fc577ce685049f','bd3f4ee7828affcb3a6a61962ecf5e0ed22363609286ed10495f294beb0baaff',1557590154);
+	INSERT INTO entry_data VALUES(2051,18378784,421,'rw-r--r--',NULL,0,0,'root','root','80b735e9cc833e5809c90532624d6237','04696bec5d827789f2e466852bb8a49f93bfccba','4d9506c9a211e65e57d403da0f050d5584c774bb7c49a44e083ddb371cc1f0f4',1541674499);
+	INSERT INTO entry_data VALUES(2051,18295718,62,'rw-r--r--',NULL,0,0,'root','root','0dcc0460106b6140156f936106958519','525219ea2a085fcc0bd9f12f78ff7f0ae1e0bcc6','8d3b98d42937ff23722bd8869457988dfdf85b3ecac8363b51a26f7c5ba32a87',1591813211);
+	INSERT INTO entry_data VALUES(2051,34026049,624,'rw-r--r--',NULL,0,0,'root','root','3b52317e9d5a4f81639363e2ac5246dd','571d6ee7161f8df30e3707954e3dbee3dd878b68','51d0a7ff736763340d192e07c3ff423f0de85347ab849c3065d18212590e1119',1586989714);
+	INSERT INTO entry_data VALUES(2051,34026050,939,'rw-r--r--',NULL,0,0,'root','root','f795677bdae0359a69d63330a4680057','b8c55210c705509bd225346a1888d9fa93c61492','d1fd01ea23a67467ef8196a118752d1ee5a6f31982af9f5cc810a708a37d0472',1586989714);
+	INSERT INTO entry_data VALUES(2051,34026052,3635,'rw-r--r--',NULL,0,0,'root','root','f1e26e8db6f7abd2d697d7dad3422c36','251da41358d9e88d303e192a0bb216f19c774483','41df4bc646811997d0390c6d37d839d2aef4a9a1a940c44ee1a798a9dc1ac864',1586989716);
+	INSERT INTO entry_data VALUES(2051,34026053,2422,'rw-r--r--',NULL,0,0,'root','root','03e886ce446289e291df588a96ee5c56','ab3650bcfa282b6e363bda173c3bde56bc57e1b1','185b151a665848d8ee518342b9a88a2d64898b0b1a2d01b12be731f75d48943b',1586989717);
+	INSERT INTO entry_data VALUES(2051,34026054,1440,'rw-r--r--',NULL,0,0,'root','root','6424c99a62ddf4b7d3ca713bb06ded89','239860a486a350256bea8d0a1e032a18fbfd1fc1','d0c3045ba5071b8375fde6165d4e4db9b69f49af5d2525cecd2bca1cb7538552',1586989718);
+	INSERT INTO entry_data VALUES(2051,34026055,1016,'rwxr-xr-x',NULL,0,0,'root','root','d9e6a7c85e966427ef23a04ec6c7000f','0bde0dbd7776db602fadf3b7f0676e314b094d5a','2d76094c06f10839c566ef64bde5624c325aeab7991e7f5d776c5310e8f41932',1586989718);
+	INSERT INTO entry_data VALUES(2051,34026056,0,'rw-------',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586989723);
+	INSERT INTO entry_data VALUES(2051,34026057,2972,'rw-r--r--',NULL,0,0,'root','root','ddee4a931170dc21b4e0b9bb28e02a7b','1b7c088fb216a16b6da3149c0f1a86494ec8f282','ff4956721a3f53e56e25ffffde62fe4fa0267e5dd94c3411def12de50322fb8f',1586989715);
+	INSERT INTO entry_data VALUES(2051,34026058,419,'rw-r--r--',NULL,0,0,'root','root','d41c74654734a5c069a37bfc02f0a6d4','0519a9bbe7b0dbd3c58df9b3fbf4cf9724e132ff','885ec2a43042ad88d7f849e5e1cbef4e34e58229764a84a927c0e09cd7d47d70',1586989720);
+	INSERT INTO entry_data VALUES(2051,34026059,2179,'rw-r--r--',NULL,0,0,'root','root','06e05c6079e839c8833ac7c3abfde192','f534f75c1e5be8ef028b9daf90836e531e929579','6802adfc8efc6168f87e98e960fa7d15e516a295fef7a6472ef5359527e886ff',1586989721);
+	INSERT INTO entry_data VALUES(2051,34268724,2232,'rw-r--r--',NULL,0,0,'root','root','b18e9d32842d2c78def830709861b165','1098feff41d66f2498aaa47a0875d2aeee64006b','6209097352db267635e00812bf419e9d1b010850280b4d7a064e106ee70ac4bb',1586989715);
+	INSERT INTO entry_data VALUES(2051,17597321,838,'---------',NULL,0,0,'root','root','91af702d4081d8c866d689f05a724f85','11f96fba78539b7a971a1eab5e304fd801523de1','dabf60ccb43a69ec106175ae6c3e3a0bc68c20941911e8748782e582e1c447ec',1592310224);
+	INSERT INTO entry_data VALUES(2051,18234583,1030,'rw-r--r--',NULL,0,0,'root','root','65f1c61ea86225cd313da6a2df2b001b','77d43fae135f5de87fbddf53fd9c299e201b45f2','daa6365c9ab08b94f745d52f82d44deec283a6024ff87bb53a17c56b0332e46d',1592310190);
+	INSERT INTO entry_data VALUES(2051,16943892,9,'rw-r--r--',NULL,0,0,'root','root','4eb63731c9f5e30903ac4fc07a7fe3d6','b10cafadc043aec4056a948914f011bc39d2ec13','380f5fe21d755923b44203b58ca3c8b9681c485d152bd5d7e3914f67d821d32a',1536580263);
+	INSERT INTO entry_data VALUES(2051,17649571,829,'---------',NULL,0,0,'root','root','52e49aa449bb4837c8190133f26b7c1f','7882274a62b9e7920da6676e158e33281b994160','3bec0e9f5553904b7cdd9e695d8a9729f7be9275d2a906b7a14a1b2a66d6d706',1592310190);
+	INSERT INTO entry_data VALUES(2051,16943893,158,'rw-r--r--',NULL,0,0,'root','root','54fb6627dbaa37721048e4549db3224d','7335999eb54c15c67566186bdfc46f64e0d5a1aa','498f494232085ec83303a2bc6f04bea840c2b210fbbeda31a46a6e5674d4fc0e',1536580263);
+	INSERT INTO entry_data VALUES(2051,50833440,84,'rw-r--r--',NULL,0,0,'root','root','7ddd3d661b917ab94d398a5d88033ed6','78019fce4e04bfb2982519eafde397e42bf4499a','9d9f31573c7a460a72742f73e0ad78143cc7b8775566243257f6e4eb160a5856',1557584724);
+	INSERT INTO entry_data VALUES(2051,50840006,232,'rw-r--r--',NULL,0,0,'root','root','ac222217925c4552d63a8982a1c2937c','3b6d7f0993e886aa70019c9966ac1b7be50a7218','4f10f27a970924ba9f636f2d5fdb4267c3ada93f7b4eee1bc3ad05c33406e76c',1586989723);
+	INSERT INTO entry_data VALUES(2051,50840008,154,'rw-r--r--',NULL,0,0,'root','root','af140f3d3ae7fcf504f103e72256cfef','0105569be974f158b40109314ddefa6f5a7b6620','c5c2a7c1f8dfbefa5df66cd32a7b754266d6375471d43cea06b8bea937d24b40',1586989723);
+	INSERT INTO entry_data VALUES(2051,50840195,715,'rw-r--r--',NULL,0,0,'root','root','24e6c432b51878bb018ef5114e82eae6','eeee40b6839235735ee393376cc308f1fd745182','83a11cc8be700a8e2ef107a15350a3f4f2253d554daf4f90149fbea823953cde',1587731938);
+	INSERT INTO entry_data VALUES(2051,50840196,640,'rw-r--r--',NULL,0,0,'root','root','902312e1ee7461e734d9b2dcc635bc0d','c5c2839be364e27a2aa641e7dae27d8079b3833d','dd90767b2883bfb2bee6c27acc794bcea58bf3436cc2180ccfca0e822b6c0145',1587731938);
+	INSERT INTO entry_data VALUES(2051,50840197,143,'rw-r--r--',NULL,0,0,'root','root','b8b44b045259525e0fae9e38fdb2aeeb','5eee0c00c9193b8cfc26a85605a4a10727844295','2d430cb6628248953568010427d663f3305856f3cb055955c2239bea226c5280',1587731938);
+	INSERT INTO entry_data VALUES(2051,50840198,138,'rw-r--r--',NULL,0,0,'root','root','2106ea05877e8913f34b2c77fa02be45','ba76bbb7fd56968bb1bd438758c0ec3570b36c5e','be9329a8b26e3cfd4af879fe60900f646f8188f3fbe491688f23d4d8b491c5b1',1587731938);
+	INSERT INTO entry_data VALUES(2051,50840199,566,'rw-r--r--',NULL,0,0,'root','root','8db82514e3ad38e04fc202150ba33362','a01f6ecbb2a402f827238d0c18b893e7ce28ed72','6b08d1c3f556df6bf412834710f949e9adb6d6d566e850918e8f6eb18a5da96a',1587731938);
+	INSERT INTO entry_data VALUES(2051,50840200,137,'rw-r--r--',NULL,0,0,'root','root','756fef5687fecc0d986e5951427b0c4f','4847d6a186c2054aac587fe73fff59aaab57f0a7','4d10241676e97e5e8d8935e5c8e8f6cb2f871afb881059715f155909be9ebd77',1587731938);
+	INSERT INTO entry_data VALUES(2051,50877982,248,'rw-r--r--',NULL,0,0,'root','root','7fff582452eb2ac2056ff98c0a1cdc29','a949793436413f97d0be02dd6e97cd6d115f103a','5deae3d161c4dafbe39bdddf019f104b11a15d6576f15dd83f5554f313624fb6',1589213939);
+	INSERT INTO entry_data VALUES(2051,50989738,155,'rw-r--r--',NULL,0,0,'root','root','038eb4e924b8027bfe852e63edb998de','d85610f343af3ade3a38925cbe82c740ed622f13','a4454c54582a86fd4560321b22ffb7639485968438a07d5412fadc102d62cf49',1586408418);
+	INSERT INTO entry_data VALUES(2051,51433435,328,'rw-r--r--',NULL,0,0,'root','root','3e7d81fb6b78b5205dcad27e1763e6ca','2fd2b2dbd6f17551d1517f8909b39a93da4f001e','c24cdbc3b4b9190de2487dce65cf45c651a03f218b975b4ca60990af65228b02',1573231664);
+	INSERT INTO entry_data VALUES(2051,51453540,168,'rw-r--r--',NULL,0,0,'root','root','30403e9c4f0c4ad73ed7ccebd50024ca','f5d02fcba5c94512071591b4fd65b4cdc1f8a18c','0fe34a8fecd71df3dea92e3aeaa8243b136b71e2853263c65fd89969bd2f8425',1586228938);
+	INSERT INTO entry_data VALUES(2051,51469991,163,'rw-r--r--',NULL,0,0,'root','root','3a78b7163c9f27314c0f8d3658f3813c','dec53ae26830183d60fd6ad2efe833a46592d933','fd24e23ab6da064a1c600eb7e174cf268336b4976a607242164bb81e0aa633f9',1587696653);
+	INSERT INTO entry_data VALUES(2051,51708291,146,'r--r--r--',NULL,0,0,'root','root','bb713ba94821433dbf61113eaa532a31','c85cd2de95746ba23d67a3a7898214263e2495a0','206f33c384472282e665daf5811966cc04fc3efb81f3dee8dfa9e671350aa31f',1587697195);
+	INSERT INTO entry_data VALUES(2051,51729664,997,'rw-r--r--',NULL,0,0,'root','root','c3564aa2e146af42d15d431f20ecbcda','2dfd84f20b4a8130531eae66130e1628e70caa2c','d3d3305e6f1e5a7f2f7ec3d1f048a7b0cd694502e621b1099b02c806b5bbeef0',1584036084);
+	INSERT INTO entry_data VALUES(2051,51795580,278,'rw-r--r--',NULL,0,0,'root','root','f85c50b935b0a615704889449cab324f','d897d43f88b9024b40fa7ae591a5de78c1b084c2','2fa34cba5adfa69a809851f589516bca75083d33c70879036d1c0ab27a3388c7',1567325481);
+	INSERT INTO entry_data VALUES(2051,51796840,214,'rw-r--r--',NULL,0,0,'root','root','b6a400894f4644feb716aa6523b9d54f','130cf767a6a3f7ba1109cc49422bff103d94c0c5','6aca7b020cf85fe4df6d8148d6a046a24080e571c7a90c230b71d3caab1e7f97',1587700094);
+	INSERT INTO entry_data VALUES(2051,51905327,622,'rw-r--r--',NULL,0,0,'root','root','f45d1f28d7e558de17680c00c72d51d4','72c0a29a7a44cb7b4182e520751cb6c33003862f','ede89a0aa68cbaf7fb29f5a6cc1063f8c367533cf0dc9cfd0727b76181c65d7d',1533150001);
+	INSERT INTO entry_data VALUES(2051,51905328,561,'rw-r--r--',NULL,0,0,'root','root','b002e36e6fbc0246de8f18070c173e4b','7bdfa84aee37a02f9cb02da3c9152b56f9f85baa','d44904a5727270d2b922e888720977c4d77402c5116f1dc17f4f73b38213689f',1530035946);
+	INSERT INTO entry_data VALUES(2051,50872992,307,'rw-r--r--',NULL,0,0,'root','root','feb3dc66a221fae6cf3a86333843f44b','7b65abc657b73565349946ca2e9834f2276bc337','5c9c828365e144c542e0eb74be3f315995791a0d64f56517ab36b8ccf69cd984',1530035946);
+	INSERT INTO entry_data VALUES(2051,51905330,787,'rw-r--r--',NULL,0,0,'root','root','8c5559db19adf578ca52f94fc7f4199c','274fe98053a6582abd103ee0076a5b69eff55586','552bd7808a4e4f103d2e7b50359d8dbfddc7d5512f1a228353ba72c21f78db08',1530035946);
+	INSERT INTO entry_data VALUES(2051,51905331,800,'rw-r--r--',NULL,0,0,'root','root','a4e3ccec304ada4c6282ff7eaf8de5de','b62fece126dc11daffaa8a1b264b90048e4fce3f','240a7ab7b12e16a7fff34a5b77aca1bb51bf384192c6c859b5ee6fb402869dee',1530035946);
+	INSERT INTO entry_data VALUES(2051,51905332,553,'rw-r--r--',NULL,0,0,'root','root','dd87cbf7f32e459581275e0ac7bc4614','4dff9b37d5b10d57b8aec1530bc9134b6e6a7adb','cc8e41422bb57873ab2070499d4b6926b87cc946a1e5e7af474abd84ff3beb65',1530035946);
+	INSERT INTO entry_data VALUES(2051,51914692,97,'rw-r--r--',NULL,0,0,'root','root','f5be82be51135cf46de5955695f67c0d','e8ab5619510d079170be11f36d87395baac6341b','e9a3ecb7b3c93380225a72f850e77ee52b94fbd7a9cf695e79eb58d9234627e0',1541674499);
+	INSERT INTO entry_data VALUES(2051,51976869,727,'rw-r--r--',NULL,0,0,'root','root','b3f59b8270fc2d992e97bbcce9415dce','e2426263841acf87c318394df863574edf78d954','443b9656478e67d1bff41f28707e5588449b302e50c9a5832e2762ee8fc731ed',1580832092);
+	INSERT INTO entry_data VALUES(2051,52149605,192,'rw-r--r--',NULL,0,0,'root','root','20697b6a640ccd785cb8c96ac8c1ff7c','ac5c3c1ec8dde52a86d2c8a386679728f5503fe0','78735eb88739700bd80f8dfadf177373e0180e838268c42b8cdb87e514cef81d',1587731938);
+	INSERT INTO entry_data VALUES(2051,52149616,192,'rw-r--r--',NULL,0,0,'root','root','20697b6a640ccd785cb8c96ac8c1ff7c','ac5c3c1ec8dde52a86d2c8a386679728f5503fe0','78735eb88739700bd80f8dfadf177373e0180e838268c42b8cdb87e514cef81d',1587731938);
+	INSERT INTO entry_data VALUES(2051,52195452,272,'rw-r--r--',NULL,0,0,'root','root','000d2f30379d2bf8af09f51416e863ec','11822d1ac37d30c9f099f9dca831b139d58bbd0a','33e3d5ae213ba007258f08cb72554efd2457d6d696803b3eece1dbe9582a5017',1557580342);
+	INSERT INTO entry_data VALUES(2051,52201880,144,'rw-r--r--',NULL,0,0,'root','root','f621e5f4c67b70a30f446fa397b9c9be','d02d51331f721043451b6072acf1f9cabe687099','acca24f68821c0a0c9b078b1deef3299f76d530239565db7384519e62e1b6fc5',1582821877);
+	INSERT INTO entry_data VALUES(2051,52187908,154,'rw-r--r--',NULL,0,0,'root','root','0cc140b209ed38e197c924d9ea4c2276','f21aec4084871deacde12030a49ac58cd331992c','c4c4a5cbed390e2a6775111803a7434805cfd43bbfd308b1f3f78eb80f0f9189',1587696011);
+	INSERT INTO entry_data VALUES(2051,52187909,178,'rw-r--r--',NULL,0,0,'root','root','5bb637cb9f055e4d16f88c42e1ac53a5','20d53096a6057ff741e0580501ac64d7f7f4b32a','268616ef041372c9cdc170df1b4deea85cbf67928b17451759bfd24ac689b803',1587696011);
+	INSERT INTO entry_data VALUES(2051,50840012,27,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,50840009,29,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,50840007,32,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,50840011,30,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,50840010,25,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,52697014,97,'rw-r--r--',NULL,0,0,'root','root','f5be82be51135cf46de5955695f67c0d','e8ab5619510d079170be11f36d87395baac6341b','e9a3ecb7b3c93380225a72f850e77ee52b94fbd7a9cf695e79eb58d9234627e0',1591813211);
+	INSERT INTO entry_data VALUES(2051,16943894,942,'rw-r--r--',NULL,0,0,'root','root','18cd1eb1adf5eebaf01962c713047726','9d617d967d95f53d757e148cc69c18b362c78a37','3df12b75483c9019090f18bdf46c47399959eddc2b721cf9b563f4010a89a830',1536580263);
+	INSERT INTO entry_data VALUES(2051,17649592,117,'rw-r--r--',NULL,0,0,'root','root','ba391d392aaa72d5f90d9ae2403b0b0e','9b43154f3d37334e24e289703eafd5809f290966','e157d2c2ca987ece9fb284b2def670904f959dce0ca1f82076dfbf6858516fcb',1587698663);
+	INSERT INTO entry_data VALUES(2051,16943895,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1536580263);
+	INSERT INTO entry_data VALUES(2051,16943890,2753,'rw-r--r--',NULL,0,0,'root','root','62000aface01a9e34d37992660d34e2e','7b9b6310d9ef6288ad2a5cf4fa05d9ae4a49742a','fe6408ade1ee6fe1918ac43ce2178fa11a42c36c9a5bbeb0e741fc9c2394361d',1592310190);
+	INSERT INTO entry_data VALUES(2051,16943896,58,'rw-r--r--',NULL,0,0,'root','root','03f670845fe199955f9a0babecbda9a0','5c3cb9c5e7b7f4a6a1929c35727da7651e6c5bf4','ae89ab2e35076a070ae7cf5b0edf600c3ea6999e15db9b543ef35dfc76d37cb1',1536580263);
+	INSERT INTO entry_data VALUES(2051,17649575,1287,'---------',NULL,0,0,'root','root','624e515f191e708ea243790bd05b6cf0','61cbb10fe47c0faf21b04569d68628de34ff0d54','79430361804539d5e0b81113c1bdd60a0e992755b61a4d645a1dc4029cf5cd4d',1592310190);
+	INSERT INTO entry_data VALUES(2051,17597318,2827,'rw-r--r--',NULL,0,0,'root','root','2c97cdffa130e3bfb3de3a002314fd5a','b1c7dca427aec4b3dc95a1df7bb94df174c5971c','89a7582d640f8815698caa9c3a85de80c2c37404225bc117ba0a412729b73cb7',1592310224);
+	INSERT INTO entry_data VALUES(2051,17655906,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655874,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655877,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655897,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655898,48,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655899,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655900,429,'rw-r--r--',NULL,0,0,'root','root','59d7b6dd7b2f0f6bcc9b1b39726ac7dd','c4a0b6c7927e5429dda06734706ea0cbd8c2c9b8','49a4e75f746eb148d77bb0a1c0018ad5fa23fcff7e833e0f63b2d971528e1404',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655902,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655901,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655903,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,17655905,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310426);
+	INSERT INTO entry_data VALUES(2051,1127510,688,'rw-r--r--',NULL,0,0,'root','root','b8dfc9aa75d1cf76cdffdfa3f8044da7','a233d61f19d0b8568c4963c988a35a4e1f562e4e','f3efd2462de1d6408d2de1d48b4fc0fecc9609254222fccc6cc82cae32303281',1575035870);
+	INSERT INTO entry_data VALUES(2051,34064358,46,'rw-r--r--',NULL,0,0,'root','root','5e42bbe87ce90e64f0a9f5e1261f6458','93bb1b1d1b3b785df78dbfc468e919d3e65bc394','412a816c552839a1fed29fb36e53ac7515876b24150d9001731e385425b66502',1587694813);
+	INSERT INTO entry_data VALUES(2051,34029246,8,'rw-r--r--',NULL,0,0,'root','root','1d678750144b505bab7845dbb47e9e6a','3e0085ee611a9cf4ff7133da0360718b436baaeb','ecae097fb02a733ac98c03d7527fd923d5c9607c6a02feb5f0d388375f3e70dc',1592310426);
+	INSERT INTO entry_data VALUES(2051,16943898,233,'rw-r--r--',NULL,0,0,'root','root','dc208a34b021823564a290720169534e','72ebd61cd29193f572f2f0f4aa8a5a121ae10dd4','f809352567a37d932b014311cf626774b97b63ec06d4f7bdd8a9cfcc34c691d9',1536580263);
+	INSERT INTO entry_data VALUES(2051,16943885,2123,'rw-r--r--',NULL,0,0,'root','root','bd2b1d7b91d7adb74afc1395fceca369','dc98eddcfbd16c3b5af55b53192e3389e1a61ff0','b68fe1cd69c9cd923e5dece44bbb6239f3c6e8f747770f6779093b807ba21e99',1586215878);
+	INSERT INTO entry_data VALUES(2051,33577777,80,'rw-r--r--',NULL,0,0,'root','root','d9c561e5b700242855b1e8a4d0b5053f','13f50b8589668cb1e668ece7d5907fc3a3b88901','07a2a80f1386c89941b3da4cda68790afe19f7425a14e01acdc2fbddb73b5508',1586215878);
+	INSERT INTO entry_data VALUES(2051,33577774,2486,'rw-r--r--',NULL,0,0,'root','root','163a33dce5d02988464095d1815772e2','1de064f099d6824aa85aeb293ce4115f03bbf6a7','ca36c6c6c22c6f2df04529ef468d808c61eba3324189dbb3d56351b288920ac2',1586215878);
+	INSERT INTO entry_data VALUES(2051,34315921,2312,'rw-r--r--',NULL,0,0,'root','root','2354b053db970656c55e084f6a165155','86358a0a6e1cd1993f1235e3aeb38a3b71c66fc1','1315a04361297386158bb7cde1910d4f74d7f57784b4bb87187704a94100edd7',1586215878);
+	INSERT INTO entry_data VALUES(2051,33577780,81,'rw-r--r--',NULL,0,0,'root','root','be43c8d87fdb0cc063c452a9a612dd1e','4008fb3787fe37f16b9530eccfdaa4563c93b920','3c5de252d65ae8c40e54c21be09dc574ca3641d036d7b44174939a7e64863920',1586215878);
+	INSERT INTO entry_data VALUES(2051,33590459,2092,'rw-r--r--',NULL,0,0,'root','root','321d53b66b9e1b359c2061fac21fb935','a8d71004393dc0641a5203be0144dcbe1c5251a6','3557d021ff57057aa721506394a3a1598cfeb4a8ddd32c3aa8740c227ccf4a9f',1557812924);
+	INSERT INTO entry_data VALUES(2051,33729677,196,'rw-r--r--',NULL,0,0,'root','root','a63b2c73bf857ce4db39d9548e55fb35','6da63d9debe9ce564bac9e533288cc14f1d74d04','74d270fe4476fdcba60df7d00c808e11681ac918f335c951cba4f118532a4b8c',1557534342);
+	INSERT INTO entry_data VALUES(2051,33729678,201,'rw-r--r--',NULL,0,0,'root','root','f16cbc6051d62c630fbb61c260974f79','1e39e9c628803da5b6f5a5d9e77fbe3cfefc996a','89008d115c5bbd783b985d8cab18e935978c83e362043ffc981063ffed74e1c7',1557534342);
+	INSERT INTO entry_data VALUES(2051,35473624,120,'rw-r--r--',NULL,0,0,'root','root','58b689d91938f60983551dfb114bfa0a','61ff86612e528816ed3c09f2a1b0284db5f17041','221bba387a72034809035fb1929740eae081cc5b7b17323faf6b8238248b1a48',1586218077);
+	INSERT INTO entry_data VALUES(2051,33729692,333,'rw-r--r--',NULL,0,0,'root','root','a7411316762f9df34924827c03eb438b','2b0087a00fee6c5808f42dbcf771a8dc1b31defa','63692d40ba8d5460f17a5697a13909dbe42cd48293972513275510ac8db3d753',1586218077);
+	INSERT INTO entry_data VALUES(2051,33730400,162,'rw-r--r--',NULL,0,0,'root','root','303b274febdc6686651ae1da64f4ad0a','96528a77660de1de1a2b2aae1966b6160ef1b5f6','67e78cc79449a9eacb0be5bfe833f443508bc5602ce81af1847f20f0be1de25a',1557536413);
+	INSERT INTO entry_data VALUES(2051,33730401,183,'rw-r--r--',NULL,0,0,'root','root','a6a4905d48fa22ebf616bc02d53d1773','ea95aafbca745e35c7db37efd783f9e60139009c','0446ca350ab8205a36deeab4c39413a87ea8b61588fe8385658c1083aad8fa3f',1557536413);
+	INSERT INTO entry_data VALUES(2051,33788999,1741,'rw-r--r--',NULL,0,0,'root','root','3f31961dedb4fa3ee04ca5eb964b4c9b','2cef60a88bf67536e6f5256a61da64052ff4ce97','4160b0617d2bd5f04c492b8563f9571e6142db895ce2d8095952c30fd0f840ec',1591804218);
+	INSERT INTO entry_data VALUES(2051,33789000,1606,'rw-r--r--',NULL,0,0,'root','root','e7abc8af49cfce54d51f3080bcfeb9d6','58a09064e36061fd402bc0a921f80f7a43f4f56b','e11541f9844babdccebb2c5e14dc29eeb17ada3603b0a9632ce67fbe0db1ffa9',1591804218);
+	INSERT INTO entry_data VALUES(2051,33789055,500,'rw-r--r--',NULL,0,0,'root','root','da9690d166771ef7232682af37c3ba5e','a7519eaf44643717ca3ff5620c4057baaf1b747d','c117d4f9360e5a7c926f7662b647e9f1d06129817bba8386e4e8b27a01d1040b',1557583849);
+	INSERT INTO entry_data VALUES(2051,33790307,253,'rw-r--r--',NULL,0,0,'root','root','21d61628da2d55a7daa5a503ba1d159e','d7cb5121015442064baa5458bda795063ccf679a','7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891',1557583849);
+	INSERT INTO entry_data VALUES(2051,33801813,664,'rw-r--r--',NULL,0,0,'root','root','6caf94804f6065c3bb5099a70229efbd','89c8681a950bf2baa3f3924ae9bb966c79405458','2413bda36fb998b070ebb345fc58cb04d8ef22c442de57121d46734048601f0c',1557580524);
+	INSERT INTO entry_data VALUES(2051,33802529,1107,'rw-r--r--',NULL,0,0,'root','root','b3d9e29a36f945b2065b2f88d18dadaa','8885907baec3899ef96764a08bbe053455224b76','9ba2af9853121df6dd5edff9254a2946e39eab8dc6513348fea28f739ee96648',1513274025);
+	INSERT INTO entry_data VALUES(2051,33802530,757,'rw-r--r--',NULL,0,0,'root','root','bfc054c0862d0fad98ca641b951c7061','e69dfc5c1b719471f65c11b88325b80ae7e373e7','70621a3b586d3d523b020e76977633b444a70013ba50e1ea901a3a07a676f15f',1513274025);
+	INSERT INTO entry_data VALUES(2051,34020367,216,'rw-r--r--',NULL,0,0,'root','root','b0e91d7ea35e338ff8518d0a9fd05803','d3e397f3bf4e587535b1494dcbd429392795b6e2','61da8a541c165502ac1258589686fd072a3f08e50838c45616e4d014fa9153ba',1573232472);
+	INSERT INTO entry_data VALUES(2051,34020368,220,'rw-r--r--',NULL,0,0,'root','root','5a8725a28ca92f044c3ebfd85fce1de0','c11812ea09f3f050f3af4dc680a1e9670d7c32da','873ff1677c3430a2d90fa6257ddd5b511cc480cf7098b1cfbb246b5af9044a82',1573232472);
+	INSERT INTO entry_data VALUES(2051,34247978,813,'rw-r--r--',NULL,0,0,'root','root','a436ca989fae0ca12c0225ba94d8640c','e0cf204dad9358cab23b31a3dbadd002be5e8e8a','899f16d9e719013a61e66b95558e7af5d2119b217691ed7afd8a02ed9897d00b',1576164315);
+	INSERT INTO entry_data VALUES(2051,34642552,106,'rw-r--r--',NULL,0,0,'root','root','4287e54bed64a55269f0c3e078a7926b','e4b5a31316e758f32a72e2e6ca0242c7b92f2d18','c7aebeeffcef1d6b6349135141cb08d2277c149d8ac4edcd6c24379b1eac2f61',1573499306);
+	INSERT INTO entry_data VALUES(2051,34642553,248,'rw-r--r--',NULL,0,0,'root','root','747472b157b55d7369b65dd311a68e63','55e991f4fa0ccb11f8dc790db11cd4072ace672b','de2fb132edec41d3d146ca4cccd9521793153f4e18d00ac02ae818bc36f07292',1573499306);
+	INSERT INTO entry_data VALUES(2051,34279774,1336,'rw-r--r--',NULL,0,0,'root','root','e8f314560ab7462d93476f5405b12c60','7eac2496d668b917c7f689affee4401843f52745','b163babb1707c99f66682481bb8ebe2e511754a14705e2a49a347616e73b92b9',1586900184);
+	INSERT INTO entry_data VALUES(2051,16943900,6568,'rw-r--r--',NULL,0,0,'root','root','ed3b33d96ef727f0af65f2e7c40360fd','f72135c1eae65b2eff3217cb656ec1101ddb892e','d0e614d3ac7c6d9f6fe7b6c8ac678f26cca185de66f5dd34b56e634b2398a8cd',1536580263);
+	INSERT INTO entry_data VALUES(2051,17649568,13,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1589213939);
+	INSERT INTO entry_data VALUES(2051,16943901,692361,'rw-r--r--',NULL,0,0,'root','root','f4af4adfb5241fbe9b5a6c9eea104388','d9071beafc1d07eaf5234b0a49fb8e8f0daf0101','4962fb4941ae7f6be6bacdd1049f4764aa76de0ad94b4654e38936b632b8e957',1591971931);
+	INSERT INTO entry_data VALUES(2051,17656743,490,'rw-r--r--',NULL,0,0,'root','root','0002745baa5dd355a51a285bfe5d93fa','386799c03f52526b60930141d9ee95bb73d0cdd2','1065b3ed2e54f8ec03162a2930b5063f1b30b00c16f28f303029a51ca0bd4470',1589213939);
+	INSERT INTO entry_data VALUES(2051,17597319,1307,'---------',NULL,0,0,'root','root','e7995bcb97f95287598f49593d17e70c','8d757a76e22285cf0746d05e30da8f1c693d3d3b','1c733e6c150552fbdbfc27d203716a38c865d5baf0469214c0d1121784fb93bd',1592310224);
+	INSERT INTO entry_data VALUES(2051,17673252,449,'rw-r--r--',NULL,0,0,'root','root','324c073ebf5a4811bf7fd5610f170350','d599534a0fc9ac7757ed53aef73a9e39c90e49a3','51d16ee2e7eef12dd42e924af6b835861e8b79d11921ba0418d7d0aec7a2a93b',1589213939);
+	INSERT INTO entry_data VALUES(2051,16943903,44,'rw-r--r--',NULL,0,0,'root','root','9e0b03919f96a45f9eb5ee09b6266727','23c79830c4c6cdaf90348347e9c982c28708b315','4ec4e8c524a4f10ca5898ccfaa6d29e7e08aff3a681f6bafbb62e7bec91aa154',1536580263);
+	INSERT INTO entry_data VALUES(2051,17673256,615,'rw-r--r--',NULL,0,0,'root','root','2ad769b57d77224f7a460141e3f94258','b4561daf7e6d1206bdbd3b2460f8d06efed6b59b','4032348fa013bb5c24316549716d58619360c0bfbf257c233d767734f3bd6306',1529665909);
+	INSERT INTO entry_data VALUES(2051,17673257,1027,'rw-r--r--',NULL,0,0,'root','root','9edd93f29a4d0ea4cde83c49662a8335','18ab85c7e26fdaddd2f74ec4b0507aade610af8a','5665c17814395153b05370a06c1c6cd5b24060ab58b76883535296bac922f7e1',1529665909);
+	INSERT INTO entry_data VALUES(2051,17673258,1041,'rw-r--r--',NULL,0,0,'root','root','c6bbccedddaaaffe2938e445982d8aa3','f6e2ca1ac04149d296d9e624a4036add25c0e0e5','42ab0ff7f9cadf64f599d12cb73a74a782e0668f604c574eaf35f62d709d5863',1589213890);
+	INSERT INTO entry_data VALUES(2051,17673259,631,'rw-r--r--',NULL,0,0,'root','root','ac49eceda9817cd78f8bf03ec22b1694','f8b088541d75fa7e5f5d1386f4a42ebb5794c75d','eac03bf7ac4bdd7b58650617c3e189a085f700c7c8d656c007e84953e682dd75',1589213890);
+	INSERT INTO entry_data VALUES(2051,34034663,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914129);
+	INSERT INTO entry_data VALUES(2051,1165311,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914129);
+	INSERT INTO entry_data VALUES(2051,1277865,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914139);
+	INSERT INTO entry_data VALUES(2051,1438551,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914157);
+	INSERT INTO entry_data VALUES(2051,1449983,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914158);
+	INSERT INTO entry_data VALUES(2051,1460096,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914158);
+	INSERT INTO entry_data VALUES(2051,1527744,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914171);
+	INSERT INTO entry_data VALUES(2051,1572289,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914180);
+	INSERT INTO entry_data VALUES(2051,1972231,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914205);
+	INSERT INTO entry_data VALUES(2051,1991469,38,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914208);
+	INSERT INTO entry_data VALUES(2051,1996042,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914209);
+	INSERT INTO entry_data VALUES(2051,2017528,33,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914211);
+	INSERT INTO entry_data VALUES(2051,2032485,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914214);
+	INSERT INTO entry_data VALUES(2051,2032498,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914214);
+	INSERT INTO entry_data VALUES(2051,2032499,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914214);
+	INSERT INTO entry_data VALUES(2051,2041602,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914214);
+	INSERT INTO entry_data VALUES(2051,2044888,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914216);
+	INSERT INTO entry_data VALUES(2051,2067255,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914217);
+	INSERT INTO entry_data VALUES(2051,2076599,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914218);
+	INSERT INTO entry_data VALUES(2051,2087497,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914219);
+	INSERT INTO entry_data VALUES(2051,2087623,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914219);
+	INSERT INTO entry_data VALUES(2051,2106266,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914225);
+	INSERT INTO entry_data VALUES(2051,2143968,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,2143991,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914232);
+	INSERT INTO entry_data VALUES(2051,2165118,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914236);
+	INSERT INTO entry_data VALUES(2051,2166035,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914236);
+	INSERT INTO entry_data VALUES(2051,2175989,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,2647633,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914257);
+	INSERT INTO entry_data VALUES(2051,2647764,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914258);
+	INSERT INTO entry_data VALUES(2051,2705326,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,2705341,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,2705354,38,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,2707495,38,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914264);
+	INSERT INTO entry_data VALUES(2051,2707503,42,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914264);
+	INSERT INTO entry_data VALUES(2051,4482367,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591918061);
+	INSERT INTO entry_data VALUES(2051,1460159,49,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310020);
+	INSERT INTO entry_data VALUES(2051,5233535,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310157);
+	INSERT INTO entry_data VALUES(2051,17680162,38,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914129);
+	INSERT INTO entry_data VALUES(2051,34071617,57,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914139);
+	INSERT INTO entry_data VALUES(2051,1277867,58,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914139);
+	INSERT INTO entry_data VALUES(2051,1343815,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914146);
+	INSERT INTO entry_data VALUES(2051,1460104,42,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914158);
+	INSERT INTO entry_data VALUES(2051,1514488,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914171);
+	INSERT INTO entry_data VALUES(2051,1514489,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914171);
+	INSERT INTO entry_data VALUES(2051,1991565,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914208);
+	INSERT INTO entry_data VALUES(2051,1991566,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914208);
+	INSERT INTO entry_data VALUES(2051,2029288,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914213);
+	INSERT INTO entry_data VALUES(2051,2707479,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914264);
+	INSERT INTO entry_data VALUES(2051,2804987,46,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914288);
+	INSERT INTO entry_data VALUES(2051,1343826,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310393);
+	INSERT INTO entry_data VALUES(2051,17779307,47,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914148);
+	INSERT INTO entry_data VALUES(2051,17828067,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914155);
+	INSERT INTO entry_data VALUES(2051,18300740,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914220);
+	INSERT INTO entry_data VALUES(2051,34083614,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914152);
+	INSERT INTO entry_data VALUES(2051,34083616,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914152);
+	INSERT INTO entry_data VALUES(2051,51441733,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914158);
+	INSERT INTO entry_data VALUES(2051,51480769,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914171);
+	INSERT INTO entry_data VALUES(2051,51712647,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914211);
+	INSERT INTO entry_data VALUES(2051,51740218,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914213);
+	INSERT INTO entry_data VALUES(2051,51753346,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914213);
+	INSERT INTO entry_data VALUES(2051,51776938,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914216);
+	INSERT INTO entry_data VALUES(2051,51776939,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914216);
+	INSERT INTO entry_data VALUES(2051,51966962,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914235);
+	INSERT INTO entry_data VALUES(2051,52195434,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,51441783,38,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310113);
+	INSERT INTO entry_data VALUES(2051,1553606,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914177);
+	INSERT INTO entry_data VALUES(2051,34269884,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914180);
+	INSERT INTO entry_data VALUES(2051,18250244,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914211);
+	INSERT INTO entry_data VALUES(2051,51796771,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914217);
+	INSERT INTO entry_data VALUES(2051,34602391,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914229);
+	INSERT INTO entry_data VALUES(2051,18396139,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,34616682,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,51928177,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,2143967,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,18396141,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,34616684,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,51928179,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,2143970,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914231);
+	INSERT INTO entry_data VALUES(2051,34715541,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914257);
+	INSERT INTO entry_data VALUES(2051,34715559,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914258);
+	INSERT INTO entry_data VALUES(2051,34738097,44,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,52195569,41,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914262);
+	INSERT INTO entry_data VALUES(2051,34862687,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914519);
+	INSERT INTO entry_data VALUES(2051,35710462,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1589213939);
+	INSERT INTO entry_data VALUES(2051,17673243,1713,'rw-r--r--',NULL,0,0,'root','root','a05fefe51696920cffa0e082b3d901a3','d9fdce897644bedd7f1601f72e9baafbb47dbe05','690f1d62077c450adc3888e07a757ba7f5f4417bac5a1aa8482349f4c24e3ae0',1589213890);
+	INSERT INTO entry_data VALUES(2051,51415684,40,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914155);
+	INSERT INTO entry_data VALUES(2051,1416382,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914155);
+	INSERT INTO entry_data VALUES(2051,51455923,34,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914160);
+	INSERT INTO entry_data VALUES(2051,17673261,1130,'rw-r--r--',NULL,0,0,'root','root','675370e2d80a4ad957202e68c1b4aaee','fcd7704f0e456f0b811b0e1b3a4ebfd95f90e330','a698d971bc314dff4fae66325e81e1723deb45cf3cd31a4402f1729e69c4a73e',1529665909);
+	INSERT INTO entry_data VALUES(2051,18345363,20,'rw-r--r--',NULL,0,0,'root','root','fcd31cfdcded30268784a7366609a89f','e53204b6fb8cbcfa6871e4c89bf12fd0193c2c5c','f5657275e3cfb2af09d05940138254f42bbe2f459ad72646133df536e4618901',1591914551);
+	INSERT INTO entry_data VALUES(2051,1127604,14,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1589213939);
+	INSERT INTO entry_data VALUES(2051,18345362,20,'rw-r--r--',NULL,0,0,'root','root','fcd31cfdcded30268784a7366609a89f','e53204b6fb8cbcfa6871e4c89bf12fd0193c2c5c','f5657275e3cfb2af09d05940138254f42bbe2f459ad72646133df536e4618901',1591914551);
+	INSERT INTO entry_data VALUES(2051,33801812,1465,'rw-r--r--',NULL,0,0,'root','root','13a362b2aef36688baafa6e623aa9d87','a2717e7424295ce48b4a501309ec135db100a1a5','08fe09c5cc4c4af025771a034b0c2c1655a65402997cb6ef3dfd60ec1e38605b',1557580524);
+	INSERT INTO entry_data VALUES(2051,34213133,11521,'rwxr--r--',NULL,0,0,'root','root','ad48087710d90cf6156c2a93df776047','675eff85123f6fc43bd11ef48dda8b304add700a','7ffe5c38b575e1be379f9492df03bbec78d5f773bad76784d323e681aa5445a7',1553008039);
+	INSERT INTO entry_data VALUES(2051,34476935,1098,'rw-r--r--',NULL,0,0,'root','root','09f9315f6d8382217a221ee94dd100d7','ce9b712c3645994f1d5309a3432d4265afc8fd68','08460af3b2e5de4c64491f7024da3501e57cd0d274fc5dae1466b59db9df832d',1573245596);
+	INSERT INTO entry_data VALUES(2051,34487901,2589,'rw-r--r--',NULL,0,0,'root','root','1d1f2b6b85c6e35c5f3bf0eb3e07e6fa','3bbf6d2a5fdcf909ef9e3f0192e4bab935fd9480','8d269212b10c140518cfb222ec028380e98a1b819b211e89fe459634f9de2943',1573245596);
+	INSERT INTO entry_data VALUES(2051,34508457,6481,'rw-r--r--',NULL,0,0,'root','root','30cef59324948a72f73f10445ef26d3b','0378b1d6fb66f1fc8d9b706541c215641f4e2cee','4adf0c34c4c9d4ee1f0beebf42584065fab3e3bc2b296a52a6fcc9633d58b74d',1560418755);
+	INSERT INTO entry_data VALUES(2051,34279763,2021,'rw-r--r--',NULL,0,0,'root','root','44ce29ace313eabf4b7f518ec625bc04','42061004296f578165496f982cd7f41dc058da0e','a353d34e2a0d2f8f9897d71d58528de03ce39d737150be8d014be645e90ed9b0',1586227475);
+	INSERT INTO entry_data VALUES(2051,34279764,911,'rw-r--r--',NULL,0,0,'root','root','b9e74376b7a9fdd345565390aac69f7e','d7e5868f61cc300f6426fc636501a3ae97dd6ba6','8a275c0a093439e30f7f276e62e9fd42624b751daa4b89e157270fb3c27915a7',1586227475);
+	INSERT INTO entry_data VALUES(2051,34212456,5109,'rw-r--r--',NULL,0,0,'root','root','a3253232905bffb754a603084e8e927d','d5f4d34422179cf3bba0777dcc76651528949835','8e5149e1a8210d96fa5d4fc4203049f61d514b569f4771c70f02e83a8fd91258',1581551022);
+	INSERT INTO entry_data VALUES(2051,34647557,1187,'rw-r--r--',NULL,0,0,'root','root','aed20b4278511fa818db9cdd69354130','b518515a37a164276bcbc09e10076ae54c380777','0b5d68028ee3f67f319d31c95d3868a97f8e3d4fc01fd9d3e4bd21c4c6e81751',1581551022);
+	INSERT INTO entry_data VALUES(2051,34647574,346,'rw-r--r--',NULL,0,0,'root','root','2c38e8a779d50d5d12746a7dd52b98aa','1d6ece28f007d522188829f3a901e48c8632b7eb','4ffc1895c42eafb5c7897c962773a7bf238affc8077344358aac42f4bef58ed4',1569937138);
+	INSERT INTO entry_data VALUES(2051,34647575,1011,'rw-r--r--',NULL,0,0,'root','root','b16a1907776f3317b241c31e0b6e0696','8f74e8fe9f84cb7b68e9e45ac4d2ec526dec3160','fdc306d481ce8636a7f892bd237080b06a0d96c60c975e1d2fa2d4e85f5f1ffa',1569937138);
+	INSERT INTO entry_data VALUES(2051,34647576,332,'rw-r--r--',NULL,0,0,'root','root','2ef509e0fd379d4d199bb8df774fb48d','3fc0847b9ad33fcd55313f4cfcb792fbdd1b77bd','1e5637d40d4d7a4f4834386b3826c848ea5862c950b26d4919643fb8f02e563f',1569937139);
+	INSERT INTO entry_data VALUES(2051,34810989,30375,'rw-r--r--',NULL,0,0,'root','root','0c3c3e320ef3a984f16c047f1e2484d5','7692bcbd429510b61274328f0567eaaeeb36bea0','331d644fd061d0d57093e47eb141cb7b9e1b18e230922c912653ee7d366ed56b',1591788093);
+	INSERT INTO entry_data VALUES(2051,34813457,829,'rw-r--r--',NULL,0,0,'root','root','1215cec8b7cc508972f66f19e46f65b1','03d7a880c71632d606aa519f0c7d44dee6664d36','d7adaa848f305ef544d4c8a3ebf83a655f7e3160444eaaf4d752218c76d87aad',1524690905);
+	INSERT INTO entry_data VALUES(2051,51937081,314,'rw-r--r--',NULL,0,0,'root','root','332a7cffa69102648a83e6819cefe5e3','a3486c43ca6547ec07d99f9246d687fe64c9f865','1c0d9d9190f1f5ceb924cbf458bc5c5c0067e46073836f9a36fbd5b6c8371b67',1576186804);
+	INSERT INTO entry_data VALUES(2051,710963,2134,'rw-------',NULL,0,0,'root','root','e8f111b7f7d311b3049e4ab99af2bd6b','04a8b94700daebe208fbd680968dfaa05f5f2345','2d95f9f9d24e8df7fd5bae3f0bc90c3175faf18502639f192891bec37508f9c8',1587736314);
+	INSERT INTO entry_data VALUES(2051,710964,2116,'rw-------',NULL,0,0,'root','root','45b45ac19782d38673233287ea9b5c98','dc60d011d6333b65b05fb83e13f102d58d687dce','2ce0c1aaf75939989f6972e1c993f43d54f21a67852123381bbebf21757510c9',1587736314);
+	INSERT INTO entry_data VALUES(2051,718049,417,'rw-------',NULL,0,0,'root','root','b28d109e658a41ab454035795b51f567','8c7db9bec27699436b2a143efc0c0704dd426e72','9ed565e6e58aeb3e537ba088c59eb8fff43812203b6c04dd94c4214c639b9ab9',1587736314);
+	INSERT INTO entry_data VALUES(2051,718046,364,'rw-------',NULL,0,0,'root','root','cea7e94cb023c0360b46a55a386b8691','205bb0f4bddf662df3b998ac82da67f93faf5a69','f44f65f65570548ffa188b25fb05a6a82527041986a621d307f59c0e2566a396',1587736237);
+	INSERT INTO entry_data VALUES(2051,892233,211,'rw-r--r--',NULL,0,0,'root','root','db0f8d0c58ce82766ae639333a9f3cbb','97fb950014f572199478d34d76e00e0042e72b98','a39b59dd31f35cb5c925de74aa68b3c031a9efed39d750e264d0915841849079',1573255304);
+	INSERT INTO entry_data VALUES(2051,18345349,310,'rw-r--r--',NULL,0,0,'root','root','f1640b910077281490b2a1e5be315a49','dfc797e41898530b68671bac87c038d0fe9cf4d8','1499b820b2a27ce91a2e77827da89d40928fcaf1ab258ebaf2324b2eaf519610',1591914520);
+	INSERT INTO entry_data VALUES(2051,1313512,428,'rw-r--r--',NULL,0,0,'root','root','6c447748a064d631435dbef0a3dcf32f','936ff703842da421aff49bbfd64f77c0a5ae2b3c','f2d11032015ef917f4af50f3933d432fa744b5f846ab4d980247e329e52d34bc',1587696086);
+	INSERT INTO entry_data VALUES(2051,1438543,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557580631);
+	INSERT INTO entry_data VALUES(2051,1438544,110,'rw-r--r--',NULL,0,0,'root','root','bf644ac15632af6a3788e5de7be13080','8d5d344ff475f0a500870e486c7bbafbea1a23c6','f6e6c5ff94824545c9fee7e87857e49d4c4e966c6b5d8395190be08f7f2d2002',1573231664);
+	INSERT INTO entry_data VALUES(2051,1449965,168,'rw-r--r--',NULL,0,0,'root','root','c0ce121ba97e33ce95e0c91b001da8e3','e9ca76e26261da722c1a15d53720e3af23469b81','b09247099b0f8e349f1f446fba307abc5c10169ab29c67b3dd3aa54f16f5d4a2',1590680837);
+	INSERT INTO entry_data VALUES(2051,1514491,73,'rw-r--r--',NULL,0,0,'root','root','d4c74d1be9f98344af138a15ad3b6f8c','08246ff18d12cee01e5c9391c6ba8f5597cac936','06314bf7c28d155fcd1f72b82eda63528467536452dfcd359d4633588d1056d0',1587696258);
+	INSERT INTO entry_data VALUES(2051,1527749,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914171);
+	INSERT INTO entry_data VALUES(2051,34254736,11,'rw-r--r--',NULL,0,0,'root','root','de08f397138caf0c99bda7e7322b2172','fa269fdd8d59147488014b065ecdf1a87e8edba2','7543500f2e41aff849af5fa42f1eb82a685ddbbb9bc2e7fbf8236ca3313a7ab7',1586215010);
+	INSERT INTO entry_data VALUES(2051,34254737,79,'rw-r--r--',NULL,0,0,'root','root','760fb2971fb9b19e62564169e0bd94f9','58c6b36901f69b9679494424db7434baa4bc0b21','2fb324679183dbeb7750cc44ce0eed882f7bf51896a6d13044ff8a05b1f0e1c2',1586215010);
+	INSERT INTO entry_data VALUES(2051,1571068,46,'rw-r--r--',NULL,0,0,'root','root','590d7bb33f50f6f307b1f7c756a472d1','0c2a47f61841fb1ab40320999fb65f3458543cbc','5a45c4e8b194ca1287be9649b24263e10f93c16c17fd0465d881b78183bf4ac3',1574177491);
+	INSERT INTO entry_data VALUES(2051,1979131,150,'rw-r--r--',NULL,0,0,'root','root','262aebbf4e305c53d22d17b4c23f47e1','3efdc1f9851cf68842d7bf22a6df0ecfeeaffca4','5056f752a9fb3514030df4696c3ac46b2c191905e49485d14ce43790cf6dcb54',1591788087);
+	INSERT INTO entry_data VALUES(2051,1991552,429,'rw-r--r--',NULL,0,0,'root','root','0905be002bd0e4b4eb9265833e55cab2','4e927e548172a313da8b2588a68f91bc8ef915ff','45394f7413e0426d54af7a632a0148ea6d67687c02fcbd750261bba4838b2277',1573230726);
+	INSERT INTO entry_data VALUES(2051,1991607,2915,'rw-r--r--',NULL,0,0,'root','root','637bccdf80fcd5054fa3c8467373ffb6','41e4f52b052899a499ddd940b3a66cc00be327a7','78a8b6301ea32b28c7f1144f9123fb761043f5d37d3aec8a2deab0ebe0d59a81',1587697301);
+	INSERT INTO entry_data VALUES(2051,1996054,258,'rw-r--r--',NULL,0,0,'root','root','f229fb9d5a8410b48c2460077b1e281f','8efb0f73e191f0eaf519950841ffed6fe447d1dd','779400a93cf9da80ead14a35e0cbe394c14b22a1f9a4404037977dab7b320220',1586217217);
+	INSERT INTO entry_data VALUES(2051,2005193,186,'rw-r--r--',NULL,0,0,'root','root','579b464b743f5d4eebd895c92f15c960','9ccb50ae689f74764cb88e6f4d3acf8696d83b5b','ef40bc27d62bd10236cfe597b80e0395c63b6353fba12c913140ab2d1b9a4c60',1586215439);
+	INSERT INTO entry_data VALUES(2051,1539282,15,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586876034);
+	INSERT INTO entry_data VALUES(2051,34501193,1796,'rw-r--r--',NULL,0,0,'root','root','3e823102b2329ee4a447dbd07fbe94ce','5238dac811f636ac6b35858418beb382fc8ece96','1bbaa0f615e704cce2a7d603f4ebf8c3c461d0f6ff6ca245c9cfb251ededb632',1519028309);
+	INSERT INTO entry_data VALUES(2051,2044877,1136,'rw-r--r--',NULL,0,0,'root','root','e8d0642de5ba5dfcbebfa165b7af4404','d16752f0166365b6a9848b657e3c54ab9c6343b2','1fdb290cf29d54dbd95f12dfa546cc6fd7e51f4898222dc590077be50036a68e',1590686158);
+	INSERT INTO entry_data VALUES(2051,2044878,55,'rw-r--r--',NULL,0,0,'root','root','de3684752181bda812f7bf4ef983654c','8534782447bb7cbccfddb803b0587a4c3186fc91','818a97705c7bdd5d318ea0d4794c266d8363848913f4f6649c10a087ca06d77e',1590686158);
+	INSERT INTO entry_data VALUES(2051,2044879,53,'rw-r--r--',NULL,0,0,'root','root','f33a6d6f8f6b5ea9a6991f4b89adab6f','c0d230b4e782b92d33528765da40488f90f22c6e','07c59bdc5c635d0788ce90b7625b3f9ceb14c2075f1e9d4ad705379230ebeecc',1590686158);
+	INSERT INTO entry_data VALUES(2051,2081850,1746,'rw-r--r--',NULL,0,0,'root','root','bc6ef2bc56c4ebc90e5382e9f37b81aa','2006229dd7e49dc25d998fbf397902f1d841d208','b7fc12c35adc95dfd184fc69ba6d3a6b6120a84f02722a2b578e644ba442b543',1587748025);
+	INSERT INTO entry_data VALUES(2051,2106253,196,'rw-r--r--',NULL,0,0,'root','root','2dd909cb96f91060d206c4936dac51ee','1309f659e209a025ca3a0d07ccc8a867768dc7e7','2a8f12865b8084756d8fc3bb49fd6f9217e79e92c68e5195f1d7ed5db2bc6097',1587692798);
+	INSERT INTO entry_data VALUES(2051,1571773,591,'rw-r-----',NULL,0,0,'root','root','5c2e3f8c34a2cf96203260fb1ec8c74a','78d67a5f93aedcf87715141b2de7bd547e388471','46ee32063f83283d50355b61cde088c0ae4129c88f94954ba9ddebc10a69ed6c',1580832092);
+	INSERT INTO entry_data VALUES(2051,2166052,169,'rw-r--r--',NULL,0,0,'root','root','88af39e3347cc9f61703c6045c549c3f','f039cd87d2007461cc81b9c5a1955942ac197c3a','1f8ac4ff2887ff57887d2dccc04749210d70e3330c9d777d803cc29da7b12d14',1586227475);
+	INSERT INTO entry_data VALUES(2051,2647460,73,'rw-r--r--',NULL,0,0,'root','root','fab924f9b334d93153b1d8a11f3fbe17','93fd66ac522a2bb9a80b6351d6e6a6cdd36d62af','4c2256e3454e6763950157cc5ae6f910c549622684081fccf13821a3da08e3b7',1587697347);
+	INSERT INTO entry_data VALUES(2051,2705334,403,'rw-r--r--',NULL,0,0,'root','root','ac1471fe22f63f666dc7d31173f47ea0','984d69936870c6a28f0f504681ea8198ebe1d90c','6d93ffd140d05b26f86f3c24ca0a8ad3e674f5e5dea5b2b31540128eeba3b287',1557580342);
+	INSERT INTO entry_data VALUES(2051,2705340,339,'rw-r--r--',NULL,0,0,'root','root','bd802776991773fd22c5b59590eec1a7','4befb91889dea0116b0b215ab9408f54ee9ed384','d95fc4b88c02dafcd771e35f7422f4f03642687187a17613d3f2b0fb48caaad4',1587698126);
+	INSERT INTO entry_data VALUES(2051,2707482,186,'rw-r--r--',NULL,0,0,'root','root','6633ee643a86ab581247f0f513f36d26','ac504d7e03af0efe377b5ded80040749d263ebbd','f64f561dc2948f58d5121d7df6fce361116f2c7b1e9ed4bd036ec928a179790a',1557589086);
+	INSERT INTO entry_data VALUES(2051,2707496,911,'rw-r--r--',NULL,0,0,'root','root','b52869319c8c2bbe0c87a5454267954c','da3961e8e2b426ecc3a101fcd1a1a8433f61a8fe','6db95bf9b84934a5e46e25a46c40a7780be46466b6fdef1e99c1cd1114eb1024',1590680980);
+	INSERT INTO entry_data VALUES(2051,2707499,903,'rw-r--r--',NULL,0,0,'root','root','afec8571065c7b394116f80ef51f3bb1','ca9ffbe059726928e6c29a960d1731707af0139c','0a865c315a3e2445deb70facd1657741fcfbf871c42f3dcea99aea81e85fdb39',1576253261);
+	INSERT INTO entry_data VALUES(2051,2712647,310,'rw-r--r--',NULL,0,0,'root','root','408dd2974a5677e46aba25a4240a55b6','bce86210c77f6ac1c01bf2aa5f255ca970914c72','5e6010aaf8f2a47923c21ee10dc717232ca94f0c708bcbdbafe2e769179265d5',1557586501);
+	INSERT INTO entry_data VALUES(2051,1062588,185,'rw-r--r--',NULL,0,0,'root','root','86d3b64a3dde6b620f65d8ec8998e283','46d1cf55f2137ab4fcefcfedfb538cabb9dfef6e','0fc6849c6ffe2bc6c3d7a84b25efe95bf79aade0fabb0679eb2168dbb5336d12',1592310169);
+	INSERT INTO entry_data VALUES(2051,3299397,25,'rw-r--r--',NULL,0,0,'root','root','21f242b78d3cdb9540a47190da7c0da1','93659f565acf10472f9f7d3fb6751f297cd2c252','44e8bd2222cb353a01dc1e4a69e39543329af953c586169a3c63accdc183b342',1591914517);
+	INSERT INTO entry_data VALUES(2051,3299398,22,'rw-r--r--',NULL,0,0,'root','root','58bfe26480df2d26e2707741e0f0f08f','0f0c8c7740bac56cf21dadd215609e01b44a0d07','e05448de070c484792c45da30821ba6051b81dd2c8e9719bb4a08a7e2d168a2d',1591914520);
+	INSERT INTO entry_data VALUES(2051,3299400,112,'rw-r--r--',NULL,0,0,'root','root','72e00dff302bb61baf19189f5432a9b3','2b99ff17f35cfb658e39380633ba22d701dfb0e9','38efa2596fc91c09358c0ed4de2629d6ea1409fa5694e42a1d12d169af226c4a',1591914552);
+	INSERT INTO entry_data VALUES(2051,33796913,212,'rw-r--r--',NULL,0,0,'root','root','19075979fa4ac105aa08763bd68e9589','ff1d54faf116ee0b4e9ba7cc3ca537a09e9f3334','ea05f42fe125aaa3fade8ec6b2b3addbd2754dcf4d8b309dc33f6cdf983f24ba',1503298673);
+	INSERT INTO entry_data VALUES(2051,34075273,7741,'rw-r--r--',NULL,0,0,'root','root','824263f44070f29ad7d25fdb144d04ef','69026ba9040a91e30db32fcae35bb743bed0fa4d','6f3fa256ef25f606d2b5bc4cec49116d079ce21e8037d0db3d092a804e2ebf60',1557791309);
+	INSERT INTO entry_data VALUES(2051,34036245,227,'rw-r--r--',NULL,0,0,'root','root','0103d06ba39d32da3e537748b40a97a8','0e7c6537178fdbb5017503fae426f08591fa724b','250ca8799e193f7713a8213a7ad8f121976a046e6b95a278c22dc192de3c1482',1586211108);
+	INSERT INTO entry_data VALUES(2051,34176710,296,'rw-r--r--',NULL,0,0,'root','root','21ebd35f03ac0755eee867e20a15e479','b0a345be95f35ec441a2509ed0d0b2f282ffdef5','047cf5ebc8fca68f7abc02e0f33f62bd59e32e839c31a17d5747610c8fcd85ef',1557788117);
+	INSERT INTO entry_data VALUES(2051,34495604,8313,'rw-r--r--',NULL,0,0,'root','root','8d45f72d7ee5c155b6e5e93fbe779e71','7468a7f6c78557283f0b3b04dcd93eedab373ef7','c1389020a29b7a761cde1e844d842110e99bcce8b6ae2d2d7d14fcef53711caf',1557792432);
+	INSERT INTO entry_data VALUES(2051,34495605,7932,'rw-r--r--',NULL,0,0,'root','root','cac8654c70cf2e1e27235d1cf01c4fe3','6e06cc2da3ad8146d9928aff8bba710e6e4a2fca','0430785db5d2584ae29255f6bbb56e055e3361948a6d5133aae4368ddfec2b97',1557792432);
+	INSERT INTO entry_data VALUES(2051,34495606,6468,'rw-r--r--',NULL,0,0,'root','root','e2ad7651eaa0d4677070fd1b2bb9bdea','13336ff6b2e81a1ced00ff1a68eda3e5e5a447af','5a6fe75ab827bf0a56d1ad41d8d3ed945fd81b4c58da6744d1936e01da90232d',1557792432);
+	INSERT INTO entry_data VALUES(2051,34499454,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1574181767);
+	INSERT INTO entry_data VALUES(2051,34534872,4880,'rw-r--r--',NULL,0,0,'root','root','e0862a8410233a318f231075886f324b','bc2cee2eb715a193284a6d44ad4d77461e313fba','213533a2123d1559a91cac84f31098979763e85e84582412b1138bd4901c9c14',1557889542);
+	INSERT INTO entry_data VALUES(2051,34534873,5234,'rw-r--r--',NULL,0,0,'root','root','974a54129d9e170745cdacf7d2f35729','26160d4003ae4bfa69cb7739b7e88e67dabd4624','75c7a3306fb58e6643889dffd56013dfedced84e3063ce394e5bdb3dbee0a3af',1557889541);
+	INSERT INTO entry_data VALUES(2051,34534874,5954,'rw-r--r--',NULL,0,0,'root','root','89522107b17957803c9713bd856b9ded','b7daa084a23937530d85bd0fcd2103ea44b0ce6f','bede14301ad37cdf4b9d7dc806f0a9b16f7480efd4de2d2ae4b53b3bdf1a1d0c',1557889540);
+	INSERT INTO entry_data VALUES(2051,34536596,5474,'rw-r--r--',NULL,0,0,'root','root','458fdeee041f585a6324992422e68088','caa57a09e1a66322a9467f5331e7ba075d58b89f','72dae76a9db9c9bed48fb38ed2b5de37f6dc2c5d7d0e017a6be8179ac2e744e2',1557812190);
+	INSERT INTO entry_data VALUES(2051,34247995,246,'rw-r--r--',NULL,0,0,'root','root','e5f0ddb4a231e00a8b0fe50f5acf7f20','06ff9fa124ec6e0cd9266b7e386e1b4b6bf6ac0c','435bdd67f680de2d45ff88b472eab005260de19f398b5510e6f87134e9436286',1588207857);
+	INSERT INTO entry_data VALUES(2051,33685221,144,'rw-r--r--',NULL,0,0,'root','root','7fa1049367b09779b9e048cd087ea8c8','bbb0eb3208412f6732a1544107ed5c5d0f38ecab','d523981af7c9df8b8f33db1fe709825f2e71ade29b994d96bac333eb5241fade',1587695192);
+	INSERT INTO entry_data VALUES(2051,34247996,239,'rw-r--r--',NULL,0,0,'root','root','e7c848d9ed80a2045c072cea3837f212','157eae0890785f88d9f8b4e5ec4c2ee5eb77b5f2','ef5fa7954f24bbe2d30ae2f39c15795a12f2db0a0b01c94f7381eee8e8927083',1588207857);
+	INSERT INTO entry_data VALUES(2051,34212461,208,'rw-r--r--',NULL,0,0,'root','root','e7f6b38a1564a9be025b4d6eea6784f9','49fb315fd7d8b6da359eaeed06f60aa12a72742e','3365ac8b571917ce45945d12a62a0fe91d52c2b45c5028d9ce3bfb56b6356a0c',1587697579);
+	INSERT INTO entry_data VALUES(2051,34247997,238,'rw-r--r--',NULL,0,0,'root','root','ee5548bf2d48f581344289ac100d9315','b666479bedb63f93a5fe891168f9392918d06268','9119bb2cd0ac773b76f26b09fffad6b1955a6b5e48bfd94931f474af43d59c5f',1588207857);
+	INSERT INTO entry_data VALUES(2051,34639268,272,'rw-r--r--',NULL,0,0,'root','root','e7854362a688070c5ae51fc5d107787d','35b45830e282078fa13a961164556fac1776b8e3','dc170b4af2a46a9b4c1243842ab393b32946cf1f21501ed8d831aabf26e214d1',1558102064);
+	INSERT INTO entry_data VALUES(2051,34247998,230,'rw-r--r--',NULL,0,0,'root','root','d787750a6b8155cd86339637c40d3190','22ee140de277a7b02d8fb3931641b694f2076ff3','210374b832065ccb483a43203e99fe5c3cb2b96bd0a7d8a1cf9748561c0e891d',1588207857);
+	INSERT INTO entry_data VALUES(2051,34715483,11420,'rw-r--r--',NULL,0,0,'root','root','4d239281b4d26672589bfe2bc62f90fb','685c980fda7260298bc527c13bf01cfd1cd6fe17','3e3d0e866f87e3c3d9e5b5b3568364c351212cced6f6161ac3da76b54a8d2893',1557877094);
+	INSERT INTO entry_data VALUES(2051,34247999,236,'rw-r--r--',NULL,0,0,'root','root','e448f42c954a29742c77e433e583ccf7','1022b5a92bade7939e1b22105cc5f2a94c5037e9','c7646ec85038adb73aff6efbf0f63638ad3c6cd486a8309c832c70e3f20de40c',1588207857);
+	INSERT INTO entry_data VALUES(2051,34619966,2961,'rw-r--r--',NULL,0,0,'root','root','8823e7dbfd6a7254e483c68ff879b98a','3b12ea67f706cfe2b0d0e08bd81bdc6c09e8853c','301b2f9cd5b089c8a31fdd1e635373e818bfb81b68b968c425e8205d83d1c9a0',1558970052);
+	INSERT INTO entry_data VALUES(2051,34298054,244,'rw-r--r--',NULL,0,0,'root','root','2ea24c9ba7b686654f2f8d866f329c4a','01db46bbbe1a593f09b16e68d01d097dca1762fa','20047abb6c3fa774020e8bc9f607bd4cf3b9ff6e408bdde4ca4b3488174d88ee',1588207857);
+	INSERT INTO entry_data VALUES(2051,34715485,4973,'rw-r--r--',NULL,0,0,'root','root','bc4ca8baa860aa3f9e7050010f1b6d8c','251fb8c4df4771244b8cb1e83cff363e6616b8a2','d6ec191d8b37910d466aadb2c33687e3fe8b3fbdc89931ce239c38645400659c',1573251228);
+	INSERT INTO entry_data VALUES(2051,34298055,236,'rw-r--r--',NULL,0,0,'root','root','12cbb7aee26615d0db632e54efe77cb5','12b1cfb30ec6db8f72ae952c9d52953575476a97','bd561813e77f0d0f07111a42a16662cf74a552935dd60d465c9c2131e275ffdb',1588207857);
+	INSERT INTO entry_data VALUES(2051,34738085,191,'rw-r--r--',NULL,0,0,'root','root','01aad1b5600731334531a651ad6ea46b','78b6ee6347bd9dd58f46fbfcc2fcd3a54629a3e5','931234b8b0cb88a105700977e75ca0ce31114af9322da6c3d21557205e92c453',1573486871);
+	INSERT INTO entry_data VALUES(2051,34298056,240,'rw-r--r--',NULL,0,0,'root','root','dc9af7aeee1204a295e1dd5a7f48b144','2cac51669d32e632acfdf77772f212c754fe3c84','7b0dfa0858358abc3fb3a38694842c3b812ceb51bec9399011eadae66c53a942',1588207857);
+	INSERT INTO entry_data VALUES(2051,34298058,230,'rw-r--r--',NULL,0,0,'root','root','b011d578579c0838214f111424b27a75','23e2e8a0a33784fea8c11764d1dad4ff9e457b9a','6e6edac7717030da9babcc91b5a67d161d777d439245704f62de8e69368e4e60',1588207857);
+	INSERT INTO entry_data VALUES(2051,34298059,230,'rw-r--r--',NULL,0,0,'root','root','c9311d7c280844ad886ee665598d5a34','096a61b1d39208f8ac6b59be554c2675a7e20534','d0b1e313412f76f6b0f81ee365a6d15640602171fbb441360004a93ea9fa1def',1588207857);
+	INSERT INTO entry_data VALUES(2051,34619967,162,'rw-r--r--',NULL,0,0,'root','root','1dacb725ade268b00bd697c70de16e2d','672b065e62a50a70cd55f1de960235dcc73715f2','b8470028f5e12a369568f0d68fa35bb4f8cd4d98309d952ce14ac9bec059fbcd',1558970052);
+	INSERT INTO entry_data VALUES(2051,34298060,258,'rw-r--r--',NULL,0,0,'root','root','8a328a67f3503f225d14786b84d453d1','2478fae74ad164f0be50d02dcec9265f17212124','85bdf3348acdcb0fb683585850dc800e5b56875ca2e47900fb346cadd14753ea',1588207857);
+	INSERT INTO entry_data VALUES(2051,34306618,232,'rw-r--r--',NULL,0,0,'root','root','f9123094248c0bcccf9b414b3b37119e','84eed154cab745b162d63984af9b571c1a2871ea','0fb724dc6357199708a19d4cea14514c03a16ea611acdb2de98249a0fe100f1c',1588207857);
+	INSERT INTO entry_data VALUES(2051,34620021,203,'rw-r--r--',NULL,0,0,'root','root','22990c92d7e4cc2fdf10f0094303a772','8de720717bdf8bb554e4657bfff507d6d2c78fc8','161de0722255fc69db2e20b7bc4c61e050012dbe793da9fe128bd0b39159563c',1557887758);
+	INSERT INTO entry_data VALUES(2051,34306619,254,'rw-r--r--',NULL,0,0,'root','root','ed4d5caac7a4b5e6d29beae9f97af849','0b33086c965a5074495479419542c7369ef32df8','7198072e5e5fd66af2e59cc141777f7ded06085f3a4f232b0dd052bc6541263d',1588207857);
+	INSERT INTO entry_data VALUES(2051,34306620,234,'rw-r--r--',NULL,0,0,'root','root','9923012b0024428615475ee6f01934ec','db299956546edf45211884682a02ff79786c1a14','33cd23a7bd614d81c2151365b89b68715cf7b09a43e5e40b58aeea49f6f39d72',1588207857);
+	INSERT INTO entry_data VALUES(2051,34306621,238,'rw-r--r--',NULL,0,0,'root','root','5bb4807b8150cd20abe0c5859c915e9e','37054c803a7ffa7bd9f14b9349459c0e06b0dbbc','482861fd1e1473337d98d71df3ca6f568fc04acc5a9c2e4a53fd5918e56f7af0',1588207857);
+	INSERT INTO entry_data VALUES(2051,34499516,230,'rw-r--r--',NULL,0,0,'root','root','6862e561415a9698d6005e7c3ce47085','2298a5e016da2c51371b752de431a31e78850331','8b7c70877e3528a6b6bef236f9c8e2989e5213fcf36b840b782ea82c3e7512c4',1588207857);
+	INSERT INTO entry_data VALUES(2051,34524534,230,'rw-r--r--',NULL,0,0,'root','root','55d390c58b411be80196e0c255212def','886f67e55a599bf26148890809946af4ef8f1c9f','fdfc39a15c40e3b64bae403ceb1c6f04b373d3c49928ec7a0b57f613b8e13045',1588207857);
+	INSERT INTO entry_data VALUES(2051,34524536,238,'rw-r--r--',NULL,0,0,'root','root','f40b368cd52230df1215be55a37b89e6','429ddfa5244f9a85ec3582dba4fc68b436ceb378','0a16e064b2b040b2bf150d53fd90eb96f9acb99a591705640b000ead5bf0e44b',1588207857);
+	INSERT INTO entry_data VALUES(2051,34371128,141,'rw-r--r--',NULL,0,0,'root','root','4a1a37754f81812ca6dc6eb668030eb3','521ed7f737163ea6bb23bf49307a316a6eaf260b','0490916c090f763e48c84d3cbafaa65b1bdb9d0d215af309f5770c11027b3479',1587699374);
+	INSERT INTO entry_data VALUES(2051,34011812,227,'rw-r--r--',NULL,0,0,'root','root','a6c103f833cdf278b6924b31ff762a78','0c8871107bba5a877bd45b3322da61a9d47b161f','4f22bef9b2f70a0d57cacb414a9587492bdc709b4f698b3bc124efa243b3ebc0',1541674499);
+	INSERT INTO entry_data VALUES(2051,34619965,281,'rw-r--r--',NULL,0,0,'root','root','34f74073a74201f9caf9c33dc4a6a625','570b31cbc6ecd213090a6f28110229f86a12ad47','fbb65e3f646025b14d1a2d7fe7b09f150df9a706bdb10d614e5aaef671269a9e',1558970052);
+	INSERT INTO entry_data VALUES(2051,34251611,10278,'rw-r--r--',NULL,0,0,'root','root','71667a0431aa90389724a60bacec9c80','274158919fb7ed74a6afd7a0c2624021223ecaf3','b4040e05f71b3a1b02924fc44a113741d7e05763ff76dda06f9d51d6f22ea644',1586227663);
+	INSERT INTO entry_data VALUES(2051,33790317,10278,'rw-r--r--',NULL,0,0,'root','root','71667a0431aa90389724a60bacec9c80','274158919fb7ed74a6afd7a0c2624021223ecaf3','b4040e05f71b3a1b02924fc44a113741d7e05763ff76dda06f9d51d6f22ea644',1381856853);
+	INSERT INTO entry_data VALUES(2051,17323942,414,'rw-r--r--',NULL,0,0,'root','root','602a95ec7fe4068512bebb712c41102d','6c46b7f8b80c1af902dd428498153fc33707db04','435ecfed78ebd03efc6257c2aafb211b7136e2e1a9e466d42dfaa7a16acfd4f7',1372261126);
+	INSERT INTO entry_data VALUES(2051,17323943,418,'rw-r--r--',NULL,0,0,'root','root','b8595963fe74aeb65e854ba9da7f1acb','274c2b1fc417f3816432d73239c434dc02ae0b0c','49eb605821e8f5ebd7a1fa5966e56f55adf92ee0bac42b00610aa906d7fdf032',1372261126);
+	INSERT INTO entry_data VALUES(2051,17673263,18,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1589213939);
+	INSERT INTO entry_data VALUES(2051,50345964,212,'rw-r--r--',NULL,0,0,'root','root','7a01cf247c620c86e8af7d8492141847','6b7ead6591e3ad417aac46cae676ce4bb3d33967','32fc5ad9665f8bf30720d1774d16d79762f551c8cc2924ff47f4996e3ca0f458',1574675696);
+	INSERT INTO entry_data VALUES(2051,51232581,155,'rw-r--r--',NULL,0,0,'root','root','b920ae82cb212d7659960891f91816b3','a71db0c295e8c9a1a2ace80a6a1cd30a97d51a82','f604fd7e23b83e87da346e11f8d34e9840f89ec62ebd77814cbd69884125d5b5',1587696086);
+	INSERT INTO entry_data VALUES(2051,51522287,160,'rw-r--r--',NULL,0,0,'root','root','6a3178c4670de7de393d9365e2793740','3e951f2cbc844463a11a6dc3422f45e472c3422b','aee9a5b8addf07ad4a0241cd19ccf06062d884014580a37889f737250e731045',1557483777);
+	INSERT INTO entry_data VALUES(2051,51699534,106,'rw-r--r--',NULL,0,0,'root','root','f44e42a78c67d7beb60d73729631bd65','4ef1f5103ca41ee65e1a80de55dbfce459d51c11','76aa948b850198708d0d5dcc7cf33a2101492896250688ae05f3c5f0cfd18c0b',1433243791);
+	INSERT INTO entry_data VALUES(2051,51699560,100,'rw-r--r--',NULL,0,0,'root','root','d733a9bdf0a1eb9881395a1cbbfdcb5b','acac162a1edf508b6dbfb99742add927f41f2c4c','ede97ccde62ac5fb2ca99c0590139b407bd55342f9d5ca8ed4d40157f0be0c43',1586217217);
+	INSERT INTO entry_data VALUES(2051,51708290,71,'rw-r--r--',NULL,0,0,'root','root','6e12b94567b28b6841c6ce8f2c0b99f1','17a46e4ced283c406675d72c2f936f3eefdb510e','15d8e3cf9a79a78ced5d968e14c64420f8b643baac5b9a06f7d041abebdd9901',1587696170);
+	INSERT INTO entry_data VALUES(2051,51740215,172,'rw-r--r--',NULL,0,0,'root','root','2c613efb2a4204f87d3a5940ee1f6965','0fb9970702f9b85e20234591c85434fd6e2acb93','3a8ce9bc90493d44bc241bc1e3dc8b0a61ee63e4ece88cab5f70fba8c6a1a44e',1572888039);
+	INSERT INTO entry_data VALUES(2051,51758754,32,'rw-r--r--',NULL,0,0,'root','root','dbaa26cb029cff52c5b1959de72d8cdd','47a5a2cef6a622beb67638eeeb8b9e7ec125891a','beb4bfc3c709f0393929a52be7d9fcf9f97d8aeec734b19ae01222b9b75543d4',1519028309);
+	INSERT INTO entry_data VALUES(2051,51776920,165,'rw-r--r--',NULL,0,0,'root','root','07c99d1b26b30055fb4d1fc26652dc94','cad59652ae088e2bec077b8d4fef9e9e1c44bd71','e3195d55350c4048b112c418f13d22252bc1be3f2af351d46f051eccba6b5ba2',1590686158);
+	INSERT INTO entry_data VALUES(2051,51796843,237,'rw-r--r--',NULL,0,0,'root','root','20560e410d77c44eb404fd70dd7becb6','e969278fff3a471998e97c67f52734f93d36a61a','a95890608da8f44f59b5ee4011027392df092f74594e3756d54e69da6311c544',1587700098);
+	INSERT INTO entry_data VALUES(2051,51854400,91,'rw-r--r--',NULL,0,0,'root','root','0f1e42d11052c238718996029ffb809b','03dae30807dec6bd530f14d5a2c4f5a6630cc48c','f8384c13504a01676cedb4aeea4e0ac9c1eec8000a5dedc74e524c25c4c656ec',1586985970);
+	INSERT INTO entry_data VALUES(2051,51854426,130,'rw-r--r--',NULL,0,0,'root','root','faee58f89e7829dd7ece494aac8f0da2','4da628b9862bd0d93e2d66db63cf9896f64cc1e4','74ff2d491021efd84d1efc765032483728cb77d9f8091db2b0bd1c2eb172ee91',1519034768);
+	INSERT INTO entry_data VALUES(2051,51854427,145,'rw-r--r--',NULL,0,0,'root','root','46cd7ecb1810441bd450987a976f5540','93d805505cf27700ee05425271db044f130e126e','81eec3d3e01e4263ffc6aab6aeee74f3b260f1df4c692525312608f7a60db048',1519034785);
+	INSERT INTO entry_data VALUES(2051,51854429,226,'rw-r--r--',NULL,0,0,'root','root','d17fa06e5dbacaf93b87f33b7d73dcd1','6e119e4cd9df22a9e1ef94c0c1c67123d6ba17d3','eeff8bd1158b04d8ae48aacde206b40971ce865f079e00c8d39f89374bcce212',1587692798);
+	INSERT INTO entry_data VALUES(2051,51928182,142,'rw-r--r--',NULL,0,0,'root','root','3e69942456971307a2d7c97e3ac75713','0edf72fdd5e160a0f5fe8295c12bf389d3752640','96e7b68d85415296e8a7416573b5414757078ed7d6be839508f68ec62225f2ee',1590686158);
+	INSERT INTO entry_data VALUES(2051,51415702,758,'rw-r--r--',NULL,0,0,'root','root','e2f0381f1a11f5f34baea43002a45f56','8a29a925402d4872497c735b6bcf74b6ae2a34e5','e764d56be0dafbe7594c3f470df194054b9ed1b22c2f8b8b0664efc0ecdcf039',1553008039);
+	INSERT INTO entry_data VALUES(2051,52201879,136,'rw-r--r--',NULL,0,0,'root','root','0f78e65fa0f06220419afd0fc1ada0ee','82001415e96709f65fba711928cfe63845e93c73','98bf2a8710810e4dcb1e21ecabb36c4cd883fef07c2fbd52800294720afa9bff',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201905,408,'rw-r--r--',NULL,0,0,'root','root','40fa0c22f088349772483cac1a81ec43','c4e4c4aa97a6b76af56260351fdb720f1a9798f1','086c194dc2ac32abb4142b0a4cd1ccd55550ce19908997b040312367537dcc3f',1557588540);
+	INSERT INTO entry_data VALUES(2051,52697013,71,'rw-r--r--',NULL,0,0,'root','root','ca449cb6548c3f120a9dfab925ffbf01','b22d9706e089796d4640638825c794d4a9adeed1','f6741706fb0c10bb14c1cc9dd4ba3d29d25c68d39b8a967b87cbb137228afbb4',1591813210);
+	INSERT INTO entry_data VALUES(2051,33600039,995,'rw-r--r--',NULL,0,0,'root','root','70335aa03122e6d4f07de58f8abf852c','cf05d6dcf5f2a0ef6317853cd0e64c4a2b48e7ab','1e194437fb89b044a826447cf9a1dd4246adb42313ced13d743dc27ccb4b3234',1573237929);
+	INSERT INTO entry_data VALUES(2051,50544375,276,'rw-r--r--',NULL,0,0,'root','root','c5cc5a46096673cd9d5360b633885bd4','e5e146ab85a8fd4eba8eb83d9671b39ff1648d3e','439a31ea3c26b109b6cad6e506b919e0a193a3fe7c8c6d17545a9706d9b38912',1591813210);
+	INSERT INTO entry_data VALUES(2051,51470696,2,'rw-r--r--',NULL,0,0,'root','root','99914b932bd37a50b983c5e7c90ae93b','bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f','44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a',1592316001);
+	INSERT INTO entry_data VALUES(2051,34616667,1662,'rw-r--r--',NULL,0,0,'root','root','131fe186bbd071842bcc79d594c30802','2b6e7d65a28fad4695cb2412fddd55a4d964d8b3','4ed0003574a0f7f5429d408655a2adfaa4aa8972ac691d2343cc701d4fced2f9',1591813210);
+	INSERT INTO entry_data VALUES(2051,34616668,2975,'rw-r--r--',NULL,0,0,'root','root','f08662481d3d3fd58660c0ca5fbda5bc','d6e0d5744ab6ce1a80e5c9d0f04f6165a5fd8a1d','653aa6322198f577101e44d3e9aabda3ef8d6ea2db1023b2d2b7723b0a9df3c5',1591813210);
+	INSERT INTO entry_data VALUES(2051,17154855,28,'rw-r--r--',NULL,0,0,'root','root','cb878ee72257736aafffff720130ca9c','52ab6b95985c3fb925765d081bc9b36a048ec825','239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',1588351745);
+	INSERT INTO entry_data VALUES(2051,50931769,67,'r--r--r--',NULL,0,0,'root','root','9a4f7856c392530ee740c42842054e28','12e5c0b42455ce6ed847628b3aa41a4a3139b0f9','1ca6e7d9f5ff5c0467d35dcb94ddafde91f4a73ff3f871cc6f724509e427da37',1575496711);
+	INSERT INTO entry_data VALUES(2051,51441780,17,'rw-r--r--',NULL,0,0,'root','root','e389eed4775fd4e8e472b6c79f5ad4df','9295fa7e905c5c20e87ce5fb1b866bfed09ef8c0','fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',1588818040);
+	INSERT INTO entry_data VALUES(2051,51729682,26,'rw-r--r--',NULL,0,0,'root','root','fda462cefbb3ca0b84e2b36f993c242f','6d31aac9e86ea194fdb458f0752ff00d49757a8a','efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e',1587736471);
+	INSERT INTO entry_data VALUES(2051,50839994,67,'r--r--r--',NULL,0,0,'root','root','9a4f7856c392530ee740c42842054e28','12e5c0b42455ce6ed847628b3aa41a4a3139b0f9','1ca6e7d9f5ff5c0467d35dcb94ddafde91f4a73ff3f871cc6f724509e427da37',1586440588);
+	INSERT INTO entry_data VALUES(2051,50757362,67,'r--r--r--',NULL,0,0,'root','root','9a4f7856c392530ee740c42842054e28','12e5c0b42455ce6ed847628b3aa41a4a3139b0f9','1ca6e7d9f5ff5c0467d35dcb94ddafde91f4a73ff3f871cc6f724509e427da37',1591787828);
+	INSERT INTO entry_data VALUES(2051,1127554,8958,'rwxr-xr-x',NULL,0,0,'root','root','c5db3c716d4282230ba79b6e74c0cb54','a085037aa00ca91f82ad4066894296d818b27bc8','743941ab18c77a20675c4c0c690319c71f6ba92d1075cae664eafcc2b6bc0d74',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127555,1240,'rwxr-xr-x',NULL,0,0,'root','root','bf56ef0b401a0e529124abeb238ee7e3','875b11f764eb4afafe30189f1e6022855ac009b0','d22dfe22de75c8a2a2d92cdb07afff7879f5a91e143c98891c99448fed157dc5',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127556,232,'rwxr-xr-x',NULL,0,0,'root','root','eabf2f5e3255b31e8f43bef77571e8e5','3e1a566639cb21276720c52a3b39bb68f6126d26','f9905c834aecc9dba0212f48a8e37ea31e62fb2c74eb6861886ac4b5b7f6d5ee',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127557,13434,'rwxr-xr-x',NULL,0,0,'root','root','8fe78a9af882e856a2a9cabedd032f8b','4ebc333d4fc88807c27db75e04ff02de73daba6c','f3fb97e6cd4c4799476a75ce1dac02382e2a80d048f7eb68dde5d3391b02c192',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127558,11696,'rwxr-xr-x',NULL,0,0,'root','root','accda82d8c1a35ebf2a59c5112b8c57a','ab382ab72efe42bae4610e8c8ff250e48b9a427a','8c670820dfd86377181ec50bf1def3560acf9c3bd74296c8c280bd890ce26652',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127559,2559,'rwxr-xr-x',NULL,0,0,'root','root','d179ff0dec9acc442c7fb6125bf6d92c','a2f5d858e2e4ee788f01406e547b5d911ee39ffa','04bbdddbfffae9db98fc15e5ed69068cf2f46f275f7825c8ae9cd6bfae8a3982',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127560,10670,'rwxr-xr-x',NULL,0,0,'root','root','08269c9cb322398b1bdb281d4dd460c1','b2227ba68815ed6d20a70ce82e994ff5a240891e','8e276be8f8615239aa9adaa01b4c0d6593f97ea9b8be86c014a5c9f37ae2a469',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127561,1412,'rwxr-xr-x',NULL,0,0,'root','root','17f567784326731a3d425f9521a62f6d','22934936569161ec98265a0320134c4dbde2a911','177bccaff2181723bb840c4d5dafeee4855d307e8f815859ab7d9e374bf7a859',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127562,214,'rwxr-xr-x',NULL,0,0,'root','root','babe7de352fe18de5a238569cf4b8a11','5d989d09680d4b94fbcf39e66d778dcd11243e7c','894dd8e4ca1bb62e055f674f9390a39c4643ebdd1014702feef000c47e36a003',1586876036);
+	INSERT INTO entry_data VALUES(2051,1127563,216,'rwxr-xr-x',NULL,0,0,'root','root','7bb4eb43ee7cb6d6f52df3dd2bde84e9','6645b8d065764aafd748a191ffb74eb92b8b6938','53b73afdcaf6e591fdec64eb60fa006e70979e32f161998e7d4da1812c304bb6',1586876036);
+	INSERT INTO entry_data VALUES(2051,1113130,483,'rw-r--r--',NULL,0,0,'root','root','be58f42dfe74feb6eeb98c6a843c743f','7330684105b8e3df69f7a7a0af1436610f254f58','cd72738c7dfd3b205e4e91528c0d25169bb3e8e6ebeec11c916662d8d0c3e47c',1586876036);
+	INSERT INTO entry_data VALUES(2051,2044889,1043,'rwxr-xr-x',NULL,0,0,'root','root','35f073c541c8347b6fdf26edade0dd9f','d00d0fc190997896bb18b13309a4649bd832a1ac','d3b2696b4e1dd9e986f85af30afe0e325f7d21d1170000916212cc5a8336a4e9',1576084396);
+	INSERT INTO entry_data VALUES(2051,17647360,29,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,1086399,119,'rw-r--r--',NULL,0,0,'root','root','ebdf46b79f9b414353c9ae8aba4d55cc','6f1f531b22afb49512a303bfb127274372543352','b121fd1b90c1a2fb6081a137dd7b441c7e7fec61bc17ca60db401a952d7b8825',1573240864);
+	INSERT INTO entry_data VALUES(2051,1721904,308,'rw-r--r--',NULL,0,0,'root','root','d2cd6cc055216fccef395ca21f632941','535ffc2fd0e51d090db73980e66cf45cc353f831','319d375331190fa0d06d198d454f9fc70b136cb48e9891919cd386bac2651992',1592310215);
+	INSERT INTO entry_data VALUES(2051,18241966,577388,'rw-r--r--',NULL,0,0,'root','root','6fe064066e7fae1cda47dc6c718217da','7dfe5c06534ee0b2b7dd4c1a9236d40dcb511b04','dd20c204d77670dc8b4943e921b1af6b9102afdb18d5471996eb88b4e616a935',1580832092);
+	INSERT INTO entry_data VALUES(2051,18241969,1716,'rw-r--r--',NULL,0,0,'root','root','69fb4d5bbff2dfb034fd3c289b0250bb','b91b91a89ae8545736275d3978137ddf01dc93eb','03e44ddc71f8383422217d641ee64965b124fbeee7eef534ae0b04974428763d',1580832092);
+	INSERT INTO entry_data VALUES(2051,18241971,831,'rw-r--r--',NULL,0,0,'root','root','e865565e1f7f79f6ca9d964761d2a36f','083aac8e69de5a956d93facb85e015800d7a7011','bc58ac212fd2907c366506b3b6e2b32c710d0cdf0b41e7cedd32629ccb5ea298',1580832092);
+	INSERT INTO entry_data VALUES(2051,18396125,4425,'rw-------',NULL,0,0,'root','root','a30794106b401d77cdebd4281d4769a3','e481dd1572580a07413d01c70c9526f4cdeec082','5235c49f05030bf4a7704bcfbf60ccdd613bdb0fd2caceb8118bd7375619c590',1580832092);
+	INSERT INTO entry_data VALUES(2051,18345370,492,'rw-r-----',NULL,0,982,'root','ssh_keys','ad452f5f7aadfc8e57481b23d72158e1','42318926974200a7354236d160102e2ba36fa632','5233a5b78a4afed6fc8c2f6e86dde547ce467f6874b36f27311adce203cd9f60',1591914570);
+	INSERT INTO entry_data VALUES(2051,18345371,162,'rw-r--r--',NULL,0,0,'root','root','f74e5eb2adc0b88ed1b811cad125f673','f927e8e5de81b9a4b6cd662e58455c030ca6cd1d','b5f133985abe1fd113f616288fdbe8fc7a34769881b84e55d763b83428ceb9c2',1591914570);
+	INSERT INTO entry_data VALUES(2051,18345372,387,'rw-r-----',NULL,0,982,'root','ssh_keys','b844693827ecca18cf9bb3255dedaf88','717dd45f26eba1615f3c5b32ac43907853d5b3df','55471ed0aa91c3a350b8b7bc67eae2c9dd9460860e703b29cafa450b6feb3e8c',1591914570);
+	INSERT INTO entry_data VALUES(2051,18345373,82,'rw-r--r--',NULL,0,0,'root','root','3990babeb1f2b11fc5c2218300de066c','3c969bcc77d09f9b6d6b52a2370ad331381a684a','3a72183cad631ae8ceba7fd138be15cf75cc569c6784ea53b7130f06ec3c20e6',1591914570);
+	INSERT INTO entry_data VALUES(2051,18345380,2578,'rw-r-----',NULL,0,982,'root','ssh_keys','e4b06ec439adab000051c85b68fadcb3','ed0fe7374944e74885069b7f60814b0c989f791f','670d57eb4c42446f206249380f24c32ac320bf887ff14c4c19c8d313e8d9e927',1591914573);
+	INSERT INTO entry_data VALUES(2051,18345381,554,'rw-r--r--',NULL,0,0,'root','root','7a3d96027f8775ae5b9e9a6dec35525b','34b7d6982859c1c6aeaf51523875f69c22231cc0','4750481ee7e5426761d15b847c4461b11144743a2e0f2cfbb6999652a86ad5bd',1591914573);
+	INSERT INTO entry_data VALUES(2051,17154857,1634,'rw-r--r--',NULL,0,0,'root','root','9a193ca4152451fd351ef647e73b96d7','8c68c8283757db3e910865b245077387f9166a08','3b24a975dcde688434258566813a83ce256a4c73efd7a8a9c3998327b0b4de68',1533100247);
+	INSERT INTO entry_data VALUES(2051,17937674,71760,'rw-r--r--',NULL,0,0,'root','root','18df59017a11e01515e0162315001fc9','fc7b8a09fd32674e0d6313a61af55ac281a1c4bc','0cbad92c57c933e33af9b75a583fbf8de7198e4b9e228662bcbfd0736b42c71b',1592316723);
+	INSERT INTO entry_data VALUES(2051,33726019,157,'rw-r--r--',NULL,0,0,'root','root','4072b0e8d70a779e52aac17b1009816b','3ad0fe469b84957c6e9ae21f4fee66ea29233fea','639bd7d4df19f8e810433e7158f2e2c0b8d8034b9276562f255dd13b108403e5',1573239695);
+	INSERT INTO entry_data VALUES(2051,17314588,1982,'rw-r--r--',NULL,0,0,'root','root','237404196df68fb16a384d904e89f181','e5e2d229264f29b51d45029156e8eca9a13fad8a','e6de2b43a7e46635e5c84a8ceee4c8006951a3164635983a0c57b40429608b79',1573499306);
+	INSERT INTO entry_data VALUES(2051,17163570,191,'rw-r-----',NULL,0,0,'root','root','cdc703f9d27f0d980271a9e95d0f18b2','f86b14eb6371b0d99b968dabc1b853b99530cb8a','d48318c90620fde96cb6a8e6eb1eb64663b21200f9d1d053f9e3b4fce24a2543',1572897344);
+	INSERT INTO entry_data VALUES(2051,33726035,1130,'rw-r--r--',NULL,0,0,'root','root','3e07259e58674631830b152e983ca995','7298b03e52d7437adffb0baca2c950678b3d0e4a','812cc071fd86a2746fb3cb18cb69dbbed88c07209545d16eaf8cd3db4c861a33',1586222031);
+	INSERT INTO entry_data VALUES(2051,33726036,1532,'rw-r--r--',NULL,0,0,'root','root','7613dbc41b2dc3258195b6b6abd0f179','33a3c909289ad7c9a4fa11450510da23c26728d3','ac3ef9fac354fdc1e46c13bf090be098f60c783f3b44ba330abcbbf6953f4ee4',1586222031);
+	INSERT INTO entry_data VALUES(2051,17197204,34,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914082);
+	INSERT INTO entry_data VALUES(2051,17729990,76,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729996,79,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730004,80,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730013,59,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17200363,22,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310031);
+	INSERT INTO entry_data VALUES(2051,17765866,15,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310052);
+	INSERT INTO entry_data VALUES(2051,17777348,16,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777351,20,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777354,32,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777357,34,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17729997,78,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730006,77,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17843166,20,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914159);
+	INSERT INTO entry_data VALUES(2051,17843167,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914159);
+	INSERT INTO entry_data VALUES(2051,17843168,20,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914159);
+	INSERT INTO entry_data VALUES(2051,17843169,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914159);
+	INSERT INTO entry_data VALUES(2051,17777359,33,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17727126,22,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310155);
+	INSERT INTO entry_data VALUES(2051,18196960,33,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310203);
+	INSERT INTO entry_data VALUES(2051,17762589,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310217);
+	INSERT INTO entry_data VALUES(2051,17729985,73,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729991,73,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729998,78,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730008,83,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,18229160,18,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229161,34,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229162,15,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229163,16,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229164,25,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229165,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229166,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18229167,19,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914207);
+	INSERT INTO entry_data VALUES(2051,18275403,13,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914215);
+	INSERT INTO entry_data VALUES(2051,18275404,29,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914215);
+	INSERT INTO entry_data VALUES(2051,18445779,21,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,18445780,29,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,18445781,27,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,18445782,29,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,18445783,37,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,18445784,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914239);
+	INSERT INTO entry_data VALUES(2051,17729992,76,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730000,77,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730009,82,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17690879,43,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310031);
+	INSERT INTO entry_data VALUES(2051,17777346,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777349,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777352,18,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777355,33,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777358,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17340426,39,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310217);
+	INSERT INTO entry_data VALUES(2051,17729993,79,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730001,76,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730005,83,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730007,84,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730010,82,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729989,72,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729994,73,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17729999,64,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730003,77,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730012,64,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17163541,45,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310427);
+	INSERT INTO entry_data VALUES(2051,17777347,20,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777350,18,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777353,36,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17777356,33,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310136);
+	INSERT INTO entry_data VALUES(2051,17727125,20,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310155);
+	INSERT INTO entry_data VALUES(2051,17729995,80,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730002,80,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17730011,64,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310297);
+	INSERT INTO entry_data VALUES(2051,17163581,11,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557533960);
+	INSERT INTO entry_data VALUES(2051,1127602,1161,'rw-r--r--',NULL,0,0,'root','root','21795efaa60983ef066b243f5c12cfca','f7d59c077d437ce49d1c213ed7aafc0063b4edcc','fef38973bf1224275f42ecb6f40b2976299112105426ab39dc7579ad7816ec78',1589213891);
+	INSERT INTO entry_data VALUES(2051,1553217,18440,'rw-r--r--',NULL,0,0,'root','root','57bed2e997d412c12dcdb96929f9f1a9','74c931dd5107719934073a9146a219b3f6847d13','2062236f863ea8ff0924ba0aab3ae3dda58288d85396eaf7954da8995885548b',1575977370);
+	INSERT INTO entry_data VALUES(2051,50877983,474,'rw-r--r--',NULL,0,0,'root','root','3fa22b9a0afc2e2a6c3a6007990ed432','a9c0ca9c8f569842bc2adb3644d933257105bf01','beda7ff45cad675e294455dbd5fb6662644d72888310556542a901e93aefed2e',1589213939);
+	INSERT INTO entry_data VALUES(2051,17680156,33,'r--r--r--',NULL,0,0,'root','root','906f6f0c331e07aefd1ca8f364d302ac','e521f63093d94435d0fa9dc68932de0de058814f','5a8e9a163f62f000a8b3264eb807df935deb8c4a3bb76d45bfc578327dfa4100',1591914129);
+	INSERT INTO entry_data VALUES(2051,17777373,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,17154862,52,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591922889);
+	INSERT INTO entry_data VALUES(2051,17164992,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,17164993,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,17841706,628,'rw-r--r--',NULL,0,0,'root','root','0cdea0fa81f0df2a0bc627e78619a89e','e37f6ecf8a5c1572295740d9371978a189468379','99afe66978f6e6a744e959f4b823dec8ad0aa1dc3146b0b3dec8da40e2a6b66a',1570013858);
+	INSERT INTO entry_data VALUES(2051,50904441,215,'rw-r--r--',NULL,0,0,'root','root','37a2a23e4b603deddbe2c84d6c8230ec','aad0275444585bf6d724cbbaaa487139987bea8c','96d43c3414fcdd70cf114c9f1290f2f9240b42b03a077de7e89b4fa2b7d4aa14',1529665909);
+	INSERT INTO entry_data VALUES(2051,50904436,9339625,'r--r--r--',NULL,0,0,'root','root','2780a6a203dc7027221371de33b33df3','2094f60a77121b20b18ea405d04f0000a82a59b7','888b011c96608d90fac8a7178e2d81be9bb37f24482df3974bf2a3aaaa63b4be',1592310549);
+	INSERT INTO entry_data VALUES(2051,34602378,2619,'rwxr-xr-x',NULL,0,0,'root','root','cf4415ad9808ef0096a8b7852ddea7ca','4f11ce180a28f93df6aa8526bff4e833fa8730c3','262e4ac5cf51c27e204ffed26c0c05650c120f0a94e7eae7f3410d201f4126cb',1587696183);
+	INSERT INTO entry_data VALUES(2051,51905326,441,'rwxr-xr-x',NULL,0,0,'root','root','ea12aa729c8c6c09ac7643f0dfba5726','b2a1252047928e244b673de0fdd49039524052bf','2e705b4ae9c0a0f8a906046ff5b4f17a562fe6a4812d859be75fbe9ed675d15b',1447165358);
+	INSERT INTO entry_data VALUES(2051,2129648,18,'rwxr-xr-x',NULL,0,0,'root','root','faa25c6c7940f930d70538c673a39726','cdba55b02314b489d2a99382ae511860f6971df2','a22b39ba67059f012c3964439401939238cbea01b166aa3c1268105039e246d7',1587696183);
+	INSERT INTO entry_data VALUES(2051,18364593,258,'rwxr-xr-x',NULL,0,0,'root','root','230165e8c40035a23a4a053a98d32ea6','02125b6a1a44bb5ad91af05b010404fd778d94ff','4002622b377be03f5fcfbe4289db9b1c79ae6998f8b461f8137a706e3701f914',1587696183);
+	INSERT INTO entry_data VALUES(2051,18364544,21,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587696185);
+	INSERT INTO entry_data VALUES(2051,18364595,226,'rw-r--r--',NULL,0,0,'root','root','0b56e955f20dfe3476227f20513939a6','48bc91cc95576dc19da0911f186ebc2a28b9441a','0f8bef6650785f36b7145547c168918f525544712f0887cc981a934ac771f9d8',1587696183);
+	INSERT INTO entry_data VALUES(2051,17164994,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,16943902,7046,'rw-------',NULL,59,59,'tss','tss','839ba642d4de3d2115db7170bd0b6cba','21f2525bf009265e832e4f447989827ef52dd651','eb009b7d1132ac33411e8f838c7e272606c8dd1d8944bc8b82ee28f9114e82fc',1576255453);
+	INSERT INTO entry_data VALUES(2051,17164995,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,17682322,55,'rw-r--r--',NULL,0,0,'root','root','1c9cf478bb79baae4939470b606609d0','c9c901c214a03433c53a7c86d16c0126f52c3fde','3b7fe1f8fd9bb7e1c80fddd31c592bc5b7b7d39e322ded8303c742b2bc1bec31',1587698085);
+	INSERT INTO entry_data VALUES(2051,17164996,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,50982664,1201,'rw-r--r--',NULL,0,0,'root','root','8b3370534afb418ddd70a890af171609','bbdcbe707c38ff91c7c5db54c6d54d7602fbbcdf','d0d540fb91846959eee355e4a24b21c3282792d2d83102453c0a30e3de2f7b62',1573251224);
+	INSERT INTO entry_data VALUES(2051,51410198,2374,'rw-r--r--',NULL,0,0,'root','root','fead1fb2c0d74be2b92b1661b2b0a988','2745f34d6f6986121718919de5e824f91d570e1f','c8bb517c980cbe57e0a042d1ceb8c71babc1ab033b8d48269d7a26ab34efd6bf',1573251224);
+	INSERT INTO entry_data VALUES(2051,51410199,4771,'rw-r--r--',NULL,0,0,'root','root','7e3194e750f8b1c2f9d915399139b074','54e7bc35732102c7dc636b18e3a6fc80192b0e14','352fa342f8e61dcfaf7deb3d3efcd915509ad789d09a4e1dabfd86895ce5cee0',1573251224);
+	INSERT INTO entry_data VALUES(2051,51410200,2046,'rw-r--r--',NULL,0,0,'root','root','d506a717451b57190db339eec5956fa4','7f2e03904c6b18486b97678ade3b4d3db1689e76','a4e66e0a540847e11f0187fd8e0e0428fd8f4b5ae3f0ff17849c37f12233c504',1573251224);
+	INSERT INTO entry_data VALUES(2051,17164997,10,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591813840);
+	INSERT INTO entry_data VALUES(2051,17719865,2434,'rw-r--r--',NULL,0,0,'root','root','d10acec6d2c5658e6e4a7c4b8d93465d','a3fd6e6c8ea7c8b0a8bea09f6268dcc1e4f7cc0a','53432b47b36fec9ca121900e0303ec4675cf0dbb8be6d68ee0b60c4bc59a3491',1574181758);
+	INSERT INTO entry_data VALUES(2051,34499419,302,'rw-r--r--',NULL,0,0,'root','root','d14b94ad89b43f5afc112055705ebe68','4b20bc54a9f05ad0dd6094ba38a633b2f43341c4','29397c510495576f09f887544ca3a2da2827280068d4895b600fadf689e8b019',1574181759);
+	INSERT INTO entry_data VALUES(2051,34499425,400,'rw-r--r--',NULL,0,0,'root','root','dd7e93106f465467fd47eff7a8d2c666','f1cac11a3b6e3db3b834341d67e6646db6279f38','1bd132de4df67bdb6850ca1b183d8b810ba717e7911ebd9d49fb22c87d649730',1574181758);
+	INSERT INTO entry_data VALUES(2051,34501196,204,'rw-r--r--',NULL,0,0,'root','root','1ecf30990ac5948a8e3bd7b8c1cd944f','f04e21d9f37edd0e8c2ba27d75d498654764398c','7c74b1efa10fe7a8d0b4a6f8ca88b270b3e2ac7ef54965812abd8c03802ce409',1574181758);
+	INSERT INTO entry_data VALUES(2051,34524526,160,'rw-r--r--',NULL,0,0,'root','root','d4484aaf02fa70ff3748920d113de8a1','dedf2ac600c881034db72b5e69c514d9b91cd9a0','24033f10ed4eb6f3ee43a3e12c9af440a212c5e04e42fa602f7bbc38c8636f4d',1574181758);
+	INSERT INTO entry_data VALUES(2051,34616702,3277,'rw-r--r--',NULL,0,0,'root','root','9a25140359f225e51b4afdceb7d8eb8e','19d37c5dc7b1a6cd4727153b7f253323c2d073b1','73a5ba7ad795fb3b89b688bb032c51c73545933d3ad778e6889303b53460042a',1574181758);
+	INSERT INTO entry_data VALUES(2051,18234581,898,'rw-r--r--',NULL,0,0,'root','root','b22748bbd8acd292562d8ce8500321f0','1d744b299e1bf8c90e0fbfdd5477aead62c5b17c','46081ef79e063ef025f9d653ae9ea6923d9e08059f1a8586d1fdc631da341337',1574181758);
+	INSERT INTO entry_data VALUES(2051,18234606,31,'rw-r--r--',NULL,0,0,'root','root','b6fa2f81eab31d579be78e777b4246cf','729195bf6d203c66044a45eaf422ea9bc2a458e4','3cd3c9255a5ebc2738f1ff8735a4600479865457632bc37ec44a0fb84ac2dd1e',1574181758);
+	INSERT INTO entry_data VALUES(2051,52136019,14,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587758264);
+	INSERT INTO entry_data VALUES(2051,51967026,18,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587758264);
+	INSERT INTO entry_data VALUES(2051,51976864,11,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587758264);
+	INSERT INTO entry_data VALUES(2051,17217779,111,'rw-r--r--',NULL,0,0,'root','root','272913026300e7ae9b5e2d51f138e674','12793eea11e30fa4476a9715e0141d766091d563','58219ec4bfe06d84640b4e86341feb3099cb078146c9eee73ec55152819df247',1586218548);
+	INSERT INTO entry_data VALUES(2051,17610756,38,'rw-r--r--',NULL,0,0,'root','root','464a1a320cb1cf48fcbc83e190fd4c31','87482858508c556e4a1c53595852638cac7b3546','e9a67590220197d8c8a29dfeae51cfa37172fdda0a347e13c3f41571a69a4318',1557581513);
+	INSERT INTO entry_data VALUES(2051,51976910,677,'rw-r--r--',NULL,0,0,'root','root','b74b1e2335b267eb86c67f17b4a9f2eb','1e2cdebf19cafe6d33082c66e0188e346af2e0e9','0ebf41f6b15ba0f7d6093990aa148e132a8169512e4602fbf5419d00364b3d11',1586227475);
+	INSERT INTO entry_data VALUES(2051,17227346,1787,'rw-r--r--',NULL,0,0,'root','root','8ad8d7d3deb6e3fbaaf483ed94fb6284','9574527f11b91a76ae2fa05ae5ad6fd0f5f4022a','87f286e86f12eb096e98663649116d375439ea0c689883ce9a3aa3a210b611cc',1557537593);
+	INSERT INTO entry_data VALUES(2051,18396123,354,'rw-r--r--',NULL,0,0,'root','root','9a889e1c78f4913fcfc4d78419d9ad95','e35ddb4c6910eeb19c847ee241049c038c22c4ae','22b3b8bac086ed351013e3a11beecefa8ae6ee9ab7e7cde177a6517466952790',1587699739);
+	INSERT INTO entry_data VALUES(2051,18576029,50,'rw-r--r--',NULL,0,0,'root','root','4c95734a68b45b65a5dc7b108836427b','a7cf48b7ba7e94e8b7ad3d7235b7a1259dcf2a9a','39bd0c7870bd738ef48ff0b1c828a058ce1ebfee1780e74059f3350edfc6dc53',1586229409);
+	INSERT INTO entry_data VALUES(2051,18576030,52,'rw-r--r--',NULL,0,0,'root','root','db5289bad3063aea58e1814380259a28','dbf37431bccf17053c2769ea8f83fdc3b9a9f1a3','86a0c2e5c684bea4e872ce3bfbb58d531cd9ac835063676db0991989d28960ef',1586229409);
+	INSERT INTO entry_data VALUES(2051,634201,236,'rw-r--r--',NULL,0,0,'root','root','bb14fd04645ded2edbbfccf8a75ff7cd','ad6629adc63882584cb77f8ad33d20cc8043f9b6','4ac20909f5e55b0cb0fae87be9ba6ecf5efe358e94a4671c7e3214d93f5c1d18',1557589011);
+	INSERT INTO entry_data VALUES(2051,17230195,2167,'rw-r--r--',NULL,0,0,'root','root','1bfdc1e0ad822d96aea76665a9289729','8ff881333ac2635726be110725e069f9c32ea3b1','c2706624e63494be473dc40dea6de3240ace8c6799f02888adafcad3f627f088',1591914217);
+	INSERT INTO entry_data VALUES(2051,17337603,1051,'rw-r--r--',NULL,0,0,'root','root','b54b09a0a49c2817666a36cfae1848ab','8738bd134332bd0bb3972521646359b2958b63b0','53291adfd48c6c81c2b293059ceac2543c17f8ad3ed055a03b15f1fbc4d8c333',1557800397);
+	INSERT INTO entry_data VALUES(2051,33790296,1704,'rw-------',NULL,0,0,'root','root','61cc948b0c5ca5f686145457e397fb9c','d2e0180cb1b976bdb575a3bcf2493339967e5001','f8780c9c38fc04f314cce402f245316845d7f23a2913b80c44224a826a313872',1587736343);
+	INSERT INTO entry_data VALUES(2051,33790297,743,'rw-------',NULL,0,0,'root','root','24abde9b9a3e798a683c0b09771bde22','0aac128b3a4f7a1bc059c5c468aed1481cbee341','37e5c3f7455e80dd0f8523a430be2d896654c4a76fe80a394038eebc2885b81c',1587736343);
+	INSERT INTO entry_data VALUES(2051,50917335,28884,'rw-------',NULL,0,0,'root','root','c0c61c3c290f6f515068359ce10e6cf4','c8c8bf54f8a1926e8091aa35639b7e026450bb54','2e49e6bd24a07b7691937c5683cfdb15dbb1b7ce7c5a37865ad28d71ea2b6ed5',1575316823);
+	INSERT INTO entry_data VALUES(2051,33790298,407,'rw-------',NULL,0,0,'root','root','12c7a9fbacc31110b88119b5611418e6','70bebf390f94e1462db0e1f56c60dd9440111484','9ac0b57d68489316b617629a949a29e37c80741c392874697bab64161cbfe71b',1587736343);
+	INSERT INTO entry_data VALUES(2051,830027,118,'rw-r--r--',NULL,0,0,'root','root','5deefec4996a4bcd3724e8b6aefc414d','8dac4807de817ffdddaee4df7f7b4eeeb6f4503b','2a9b04b812172d746d686decd7969b44137492e83ac61b99bb5803bad04c79cc',1559058508);
+	INSERT INTO entry_data VALUES(2051,830028,112,'rw-r--r--',NULL,0,0,'root','root','04644d8f393540eef2884dab48646ae9','baac8399c5ad5a1b2cf7dffdb6d8ff2053309605','6babb13bce8cde7849cb356be61f883edaeedc0b8168a028021b3b3f2da0b3cb',1559058508);
+	INSERT INTO entry_data VALUES(2051,50989739,326,'rw-r--r--',NULL,0,0,'root','root','7e85ad72aa5219bc7a80718984e08dd8','83b5f32c7e19d7e0b075c9e017f273ad01bbc8f8','4192b104907809623aa7ca4c58e1527da19710bae6278abe96f88d9f2d6430e9',1504554774);
+	INSERT INTO entry_data VALUES(2051,50989762,974,'rw-r--r--',NULL,0,0,'root','root','828a4b66b4e09a6c645ef7cd1d6eb22f','a5f23e6f7a151fcecbc3b5be190f43752444fa1d','43fb533d3b2c548fd43b4f14b9d1f1a76a33db16d6e88299e1aab21859ec7f7d',1557588287);
+	INSERT INTO entry_data VALUES(2051,17280554,1204,'rw-r--r--',NULL,0,0,'root','root','e767930a89a9f8c14d7f1eb7adb3b7d3','965d3a900d20e4d79a0780acdd69acd24fc56e1d','8a94ac63b055207d9fdac097cb4c590d9c5f8fd6d0b1ecdaed5e122ad1cb7d25',1573499306);
+	INSERT INTO entry_data VALUES(2051,1996089,2187,'rw-r--r--',NULL,0,0,'root','root','e1e55e13320c78b40bed9e86e5801439','881a947a3c195f42a8ce25af29f0efcfd0f310cd','2f32379873312693fad87561aebff2e8a5af78b1b1125f0ab32ae1672e5726e0',1584552270);
+	INSERT INTO entry_data VALUES(2051,34269885,428,'rwxr-xr-x',NULL,0,0,'root','root','8748a663f0b1943ea491858f414a6b26','99bb49bf9e6b5bbaedca5568934c41c1acfc0c46','302511d18a24935e277d8cbccc74ec3f2812c4bf0d01c0f76291f582b4e42266',1557483777);
+	INSERT INTO entry_data VALUES(2051,34173653,100,'rwxr-xr-x',NULL,0,0,'root','root','86db4edc232693a6a09a46cb4fdf6888','ae7d9b3aa6559950a19d08c447195fbb2ec9ad01','7973dbc4f86506289fcf64255475598a9c6e153465c73633589961d96d2621af',1587698476);
+	INSERT INTO entry_data VALUES(2051,34017318,1062,'rwxr-xr-x',NULL,0,0,'root','root','1bb77c99774acefd4810d72567801055','3b171f68c117dccd4ce3a50c50aa6c0c1f1c2c1b','752fff425446e7e9007d663775cfc87a2d63e5ecb9a723350c7481c8c02e0f99',1587737722);
+	INSERT INTO entry_data VALUES(2051,17284976,4536,'rw-r--r--',NULL,0,0,'root','root','2308ed82a23b4c7b3f2505cbc29d2391','a8630aec55d0fbf42df57dd2f7d81006bddc6e6e','072e38a284d7872cc0efc30a546245b724aca2469de9ce870e11d4bc684fdc74',1591804268);
+	INSERT INTO entry_data VALUES(2051,1449964,1795,'rw-r--r--',NULL,0,0,'root','root','4c8f770ec31fd2eb43709736f28ff9c0','b9627f5b45481e6f33151bab403ba21549a97df5','0f41714f6a173749e8bc3dcefeb6d12f837e8a696c3b8d3528b5d452b2f9f431',1524587447);
+	INSERT INTO entry_data VALUES(2051,2044876,1764,'rw-r--r--',NULL,0,0,'root','root','09c4fa846e8e27bfa3ab3325900d63ea','26637be52184558639de82339f8aaea4fc0c307c','84c04725edaa537f63461512f674048e9d68d87a6af4c2173a372d0fb431d946',1590686158);
+	INSERT INTO entry_data VALUES(2051,52201882,78,'rw-------',NULL,0,0,'root','root','d1cb45f1aedb9500ab1c325f887d8f84','861ce252ecb5db84886c0a0465b633bed57ab615','3cba937f859ba788113a85b711c83224ad7209a9f737d4e6636fcd8c625d9fc2',1582821877);
+	INSERT INTO entry_data VALUES(2051,52201883,349,'rw-------',NULL,0,0,'root','root','53f9b4c6a722d1e9f27e835508881f59','38fb06aa95dc037cb7da900f376593a88da6a055','d94dd72c65ea513f421082cb9647fb6108c5cdcdd122591646ff145f6bf21608',1582821877);
+	INSERT INTO entry_data VALUES(2051,52201884,405,'rw-------',NULL,0,0,'root','root','a562fb1e7778ee22f1ca224690656ebd','cd373c0fe92e9ea10d2f56ca534548421c8c922a','969006c56ead5b6b08d58e14a4dcfee4958b6b6d443da0adec38f19648dd6cc1',1582821877);
+	INSERT INTO entry_data VALUES(2051,52195567,386,'rwxr-xr-x',NULL,0,0,'root','root','b657ca9981090cd5e71fc3d9259f2dbe','f7b7f4f07f6e94bdebe38c70c1aeb7f0a1e315fd','55900b8a91172a98f22043095f396d69dc7d403f1df3095005e179884cff5d12',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201885,3214,'rwxr-xr-x',NULL,0,0,'root','root','213c08c571f8de8605091e99fe2c0908','fa26cd6cba041367ee9c1fc3f4e573a11d9038d1','c4f685c132a5fe2732980ae9bc2f6b48fb89ab30296efcb496720b1bb9424bbb',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201886,430,'rwxr-xr-x',NULL,0,0,'root','root','e54c0cad0527eee4dbbdcd44f5bc18e6','2d9d51af46e39cfe0b54cbf47b9e5a3bc8f0495c','4e466f54cbef6c1543a0a1b6d2d519002b71702dacfd8fe1f62b1256a21f9c51',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201887,6426,'rwxr-xr-x',NULL,0,0,'root','root','c731579cb81ebb0a93fd4b6965ef4585','f262ab628099f1a206ba5b36444f15d51018f8d7','dca868bbb6ff3365c4b524062a6303a1c603f6f9a7039904db0e5848ddcc4bf8',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201888,1687,'rwxr-xr-x',NULL,0,0,'root','root','8543a57888938fbb4e3d1b27cf3844f4','f916fc40fe2879c71875254206cd974cb4cea913','b1302a1c745a7165744bb48e69fee00f6a64a3b7a1c351c0990f9a82173d00a3',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201889,3182,'rwxr-xr-x',NULL,0,0,'root','root','914a8349f59d4ee48d3ccbef922e2fc3','1247b5bdf1b06083475c2f34a6a59f14eae3ac6e','867cf3c5f2440479ed337156c0fbf06e20f1dfb45f82ab31d9f207002c680e83',1582821824);
+	INSERT INTO entry_data VALUES(2051,52201891,5,'rw-r--r--',NULL,0,0,'root','root','300f139554327e63b13b44a2e3040ce0','419b5d659501bae14b686b9ea888a10d2052fe41','d8c9f2728aa278ebcd33ccedf3ad309a866870ad5fb93a03526b4b7655c9e911',1582821877);
+	INSERT INTO entry_data VALUES(2051,52201892,77,'rw-------',NULL,0,0,'root','root','e0d80e4e091ba0ca3688784467a8205d','dd8cbc07cafd4e4634fe6a684e9bd3706243aed9','8de2c69d96c7ea261d4dbaa0568e0bfcfcd2df2ae5f0e9e344d22f84d63c67fc',1582821877);
+	INSERT INTO entry_data VALUES(2051,17284977,5214,'rw-r--r--',NULL,0,0,'root','root','e9eead4e40fbb132140d203296ca3222','9a181451bc46db234e8187f2dcd188a6810a2cf9','8c9c27b9174495d8ab52fc23bf7e0a3dcb03717c9f482db8397a332ea1f7f0b1',1591804268);
+	INSERT INTO entry_data VALUES(2051,17313823,68,'rw-r--r--',NULL,0,0,'root','root','805daddc73c4924362f0c07f939b3d3c','dba1245b5fea991e95bd18a506c0148c0d7de4eb','45d4092eaee6f02f2cc68e27fa7bdac6d84af6ed36a01052d195621f8aaccfb9',1557798537);
+	INSERT INTO entry_data VALUES(2051,17715693,56,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1564503935);
+	INSERT INTO entry_data VALUES(2051,17284978,4618,'rw-r--r--',NULL,0,0,'root','root','9be41fe79917ca570b47d43e4aaf5fdc','9bb273079658705ede3f1c0b9d068b900b711c7c','a916630bf30483eea24eae54a6596eb9640f54285065d0dbf56fe0d240153426',1591804268);
+	INSERT INTO entry_data VALUES(2051,3299396,27,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352988,24,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914517);
+	INSERT INTO entry_data VALUES(2051,51695151,1529,'rw-r--r--',NULL,0,0,'root','root','eb2ccb379f1fa206a5c10346ceb03dec','47e97193c614c60d1a7deb08f24cba665fdc8c74','e1411d7ae42aaf7fb369651b9ecdd9964ea79fa6608602afae9d36d61b481f40',1533717237);
+	INSERT INTO entry_data VALUES(2051,34071657,2931,'rw-r--r--',NULL,0,0,'root','root','f37d89e2197f141e5c633184f4ea4c00','d9e15805bbd9f2d1dbec9aa67b53229e37e00615','b6af6b563fb514a226f14fe8c4b6b063e5c85122674e16536170b0e7249d4ce5',1592310501);
+	INSERT INTO entry_data VALUES(2051,34855594,104,'rw-r--r--',NULL,0,0,'root','root','2da3e1395184530703044e5cd073cdfe','af8e9fa912eb3c447a758cb53d54a029a17a40a3','2476c96d5d0610260fe4f6403a3d48bdb4f5e821c767ee1d06bdb21a8ee522fa',1591914325);
+	INSERT INTO entry_data VALUES(2051,34855595,104,'rw-r--r--',NULL,0,0,'root','root','2e92d559e073cb20856e1cab07c63f1a','22573e8822ebd1cf0556ad5ae9173254b8c9d601','addefb24b41bf12bc6ba35ef6cd548a71a9c336851452b13c954047cbb967277',1591914325);
+	INSERT INTO entry_data VALUES(2051,34071658,731,'rw-r--r--',NULL,0,0,'root','root','79aaab0ba50dd517b76f7f2e0ab89428','0646fbbed1c89a754b103ea20ffb48d972034cf3','05cbededfee46fcc00d6365ea5c73cfcab24288950b709292594449783f6b8be',1592310501);
+	INSERT INTO entry_data VALUES(2051,17727130,61,'rw-r--r--',NULL,0,0,'root','root','81f119708c51ee550c611eb8c3ddf66e','4b3285d83987385476498e623c2ee209e9d5680f','c2ddf38d99fa5b11903ee8cdd99bb1159daf25143743a786d693fcdde3448f6b',1557789641);
+	INSERT INTO entry_data VALUES(2051,18360988,28,'rw-r--r--',NULL,0,0,'root','root','0f61b729d3b8cdad8b54d663f38dc652','bf8fb1eebe5f22e32b20a62cf770ed993f8912b0','878076c001c36895c74001982cbc454e4557b469e660d1943f51ce132614a7f3',1533716954);
+	INSERT INTO entry_data VALUES(2051,17300767,2620,'rw-r--r--',NULL,0,0,'root','root','8195cba880913d0e0ae47408f67842cf','efdc817b8da21651cf391b39a63e15fabe6247ad','581bc875fc72a0f2e5aa508488e0ae44b18bfdebad2799c529c3d6e4661029c4',1557586911);
+	INSERT INTO entry_data VALUES(2051,50757364,178,'rw-r--r--',NULL,0,0,'root','root','3c90d8b54ff54c04a2f109cdca65fd97','a6e1ceeafd504e054e7a2a3353075cb074aca524','332db0f675f29a2f1295486489cd5b2d0fb9ead138674e8c890b2e69daa50035',1573234353);
+	INSERT INTO entry_data VALUES(2051,50757365,179,'rw-r--r--',NULL,0,0,'root','root','3b1b7af2b2d6160a46e8885e565c61fe','0911fe4a751bb3f55f4a19d6e2e325a330707ab4','49916aec157e76edd6ede61aa8c942741aa4316a104d0bf001f777e01606bd8b',1573234353);
+	INSERT INTO entry_data VALUES(2051,17610763,838,'rw-r--r--',NULL,0,0,'root','root','cc8ea0872ace9945b8fcfc232c316be2','5c5593f2393d535c2bea7feb3af805be7bc33587','2218b9313dc6d2e07d85751f318124cc5138787358ae1039703321cf6b35602a',1573230886);
+	INSERT INTO entry_data VALUES(2051,17610764,833,'rw-r--r--',NULL,0,0,'root','root','ba0df1208e214a87771671053c29dbe7','506b33756193a1c6c380b2eb840d8eb45c3a4ea1','a6f50dc70ef082a110dcdb164579cd2af221b90226c5e0aca237edcad98a1c26',1573230886);
+	INSERT INTO entry_data VALUES(2051,51821146,638,'rw-r--r--',NULL,0,0,'root','root','0dedb93eacf6345970d527e5d257cd20','db68fa781821cae501d779954e20037fb43b412c','28067ad27702251ba38d9794738cb81e18ce2151d26b3d103a33b4107c2f9877',1586408421);
+	INSERT INTO entry_data VALUES(2051,50662047,465,'rw-r--r--',NULL,0,0,'root','root','5711a76c31a3763750fe2c331741f679','b3a34cb49178391dc68a3cb1118671d7da87a78f','d4ac24338101aef3456e8432415e87bc7fd9e64dd2c65e740ad6305e1caf39f3',1584552269);
+	INSERT INTO entry_data VALUES(2051,50989822,387,'rw-r--r--',NULL,0,0,'root','root','e50b02b9e236bf5cb10c91a8cf667745','a972e115cbf9609609a585144a6259be381949ac','c5d66a89b6c96c1386e63a948ac2216e4c9f6680611b61d2e923bc3c04a5ab85',1584552269);
+	INSERT INTO entry_data VALUES(2051,50789896,9740,'rw-r--r--',NULL,0,0,'root','root','8f852d42a88db904ac397532149cd8ab','2bfcc4d7ca9c5eb2346fe3e62db18a0e398c3567','e035417ff2475f8d16b703d1aae45dad5faafcf1d0ec7bdaad53655e344637e7',1584552269);
+	INSERT INTO entry_data VALUES(2051,51277132,570,'rw-r--r--',NULL,0,0,'root','root','3ea24e15b6c242b23a21df10105b05d6','36c9829436fef45a3d9ecf868fada77e61c096c9','ea4ed02e9aa7ef47f3d748f8060b522d450cc80e21fed75426694b1560dad85e',1557791309);
+	INSERT INTO entry_data VALUES(2051,51433356,917,'rw-r--r--',NULL,0,0,'root','root','06247d62052029ead7d9ec1ef9457f42','506f2f6a927951d24976c8c7589929c1c3b139db','5325a89e7d57cb42e5ac1cb65dc99981c6d3a22da7b21e8e3cbb0da8c021ae6a',1586229015);
+	INSERT INTO entry_data VALUES(2051,51320255,1315,'rw-r--r--',NULL,0,0,'root','root','0082f8d27dd4b79f4ebff501d3314e37','040e24ce8f347c606e6a2fdb6adf57af3db9cd68','7985072a62e0999b52cb89e045311ebb999a45b79890d81d12d42f1c1d30aa1a',1587693389);
+	INSERT INTO entry_data VALUES(2051,51325095,1555,'rw-r--r--',NULL,0,0,'root','root','430f5223b0dcb2b9a1bc60463b842818','4be4db97c593c1a4bcedae473f6c9cde2dc69bac','e657a66bc6b23b51355ca4146aa08168c962eef61e3140ea182073244fdd5875',1557812277);
+	INSERT INTO entry_data VALUES(2051,51325111,711,'rw-r--r--',NULL,0,0,'root','root','652bbc5447d45f60e5b4dfd236912226','086738ff1d9db0fd02f5fbe9035b76115836716d','5d36f87a10c49258e7b726560043d6e69d5659698c44908d604591e094dd2303',1586211106);
+	INSERT INTO entry_data VALUES(2051,51325112,1411,'rw-r--r--',NULL,0,0,'root','root','925cbdc7584b120247d00b3e9a0acb95','bab3d7591691ee5f8c6fa7fb98ed0466afb0cbd2','e038ad22fdcb24e5429ecd378bab2f0902c30d9a734624eafb073c554e86ca24',1586211106);
+	INSERT INTO entry_data VALUES(2051,51410194,1075,'rw-r--r--',NULL,0,0,'root','root','b25a6fdfd2c34e01338ec6f83556a190','e191c149ecdbb2bcdcde2257f74172f236e03e57','369313124f11724765052e3e8248a00e5d55f1485ddfb7645e457771a4559aee',1245183668);
+	INSERT INTO entry_data VALUES(2051,51410197,1084,'rw-r--r--',NULL,0,0,'root','root','3c47ffdd82462606b3cccef9276497a7','1b031b490344777b25d502facd6eed1864da510b','6a8fd2b0868682f017c6cff55d99ede7d01c54d0f6e69143ed3c320e73b2088c',1471956610);
+	INSERT INTO entry_data VALUES(2051,51277236,1331,'rw-r--r--',NULL,0,0,'root','root','fded44ee0c8edb7e65b9649570db3574','11e851ce9e22e9974cbabf021f4d5cd7c7bd2e17','339423556c312205c1ca187f67b01aeb130def06a51d6816a2a72465fd15267d',1586900184);
+	INSERT INTO entry_data VALUES(2051,51433455,929,'rw-r--r--',NULL,0,0,'root','root','a7b0f6e367e694a4043bdbdc30a5cc02','ed9668bf17f5e76189d5d1264cc22d465bba9f45','cf7d67df68d2e5e93012a8c42ae273a41b9cd8f3857e1a2a3bbaa0e8b1532397',1476880004);
+	INSERT INTO entry_data VALUES(2051,51441760,409,'rw-r--r--',NULL,0,0,'root','root','8c7bde3ac780831e2a3d05c6670e3271','924dce1482ea083e70138d3974e7405d25464d18','bb09ec2ddcfaf57e36c87d868abb39ab9f02737850bcc915f66fcfe90e556049',1544345838);
+	INSERT INTO entry_data VALUES(2051,51516993,535,'rw-r--r--',NULL,0,0,'root','root','f7466ca8af066dfbaa8489006e02d28c','6cf26c24ed6ec768f43d144c76e74d4b15fb4b4b','dc69f123c73aa0891a83889d7cb8055906e0218dc4c894199fc285386f45fd68',1558100409);
+	INSERT INTO entry_data VALUES(2051,51453379,535,'rw-r--r--',NULL,0,0,'root','root','f2108fa4b9121d3f3d84b8c21a1ecefd','b1c873a268f1b33c324f5a1f15bb310384f817f0','c61012885a96effafb8769c969f35ec37872ed074064d0995ea76c8e32d71ab9',1587693477);
+	INSERT INTO entry_data VALUES(2051,51551449,2073,'rw-r--r--',NULL,0,0,'root','root','beb81e07b9f2cb45b2212145310ed55f','87dc58d484b83c0ee6f87c7ba49e63b6c5ad22a0','4dd9804f5dcb9736e64b9c9c37cce2db67db2d37cfae353c65875d519407242a',1557795223);
+	INSERT INTO entry_data VALUES(2051,52697010,1390,'rw-r--r--',NULL,0,0,'root','root','47841ab9393fcfe81c87900932bedead','985d87fa01468157dc56ab03587702beba8f33e7','3ca54b2046d1f7f6f9be0cd9758c934a1080eda412dde8b6b6d6fd9f471201ba',1591813210);
+	INSERT INTO entry_data VALUES(2051,51686639,1007,'rw-r--r--',NULL,0,0,'root','root','8df3896101328880517f530c11fff877','bef5c49cf4a8fa7d90cc39723acac8155f2f18e3','117e6080383d13756a0a7a54dcf2e9eef85f426b6ed26f7fc436c584c0195ce9',1557811231);
+	INSERT INTO entry_data VALUES(2051,51686640,1016,'rw-r--r--',NULL,0,0,'root','root','d81013f5bfeece9858706aed938e16bb','1de558ae636d2ef249e48fd34a594ca24567526a','e21ac5fdb30399f0cc99b27d490752c82a7d6bfdea891959533519111c4f0e33',1557811231);
+	INSERT INTO entry_data VALUES(2051,51522281,400,'rw-r--r--',NULL,0,0,'root','root','04f4cc308cbdf25e5fca9f9917946ca0','79e29b38ef38f1d1ac602b9897ebe87a7ebf51c1','b2d0d3ded6f945599e2890ef208993743cf94244d5ea20194260be5f095068b9',1533924137);
+	INSERT INTO entry_data VALUES(2051,51699382,771,'rw-r--r--',NULL,0,0,'root','root','49edd08e5a1c88e56e11d076fb7f68b7','835fe8f862164380a0a686df2898a278afe89d63','5e8475ddfdc8cf232617c9e17273bc133051d4a1a0605ba089a25b6c319f21a3',1587693087);
+	INSERT INTO entry_data VALUES(2051,51699383,2079,'rw-r--r--',NULL,0,0,'root','root','f7db9c763fbb67ac503036f30e1fc55e','6cf82174c3e31117d176e696cc8d285bcc0db256','d4b663605dadf69c7deab87532851962853754ecee5c9e490b77511315d12375',1587693087);
+	INSERT INTO entry_data VALUES(2051,51699557,743,'rw-r--r--',NULL,0,0,'root','root','77a160f09c62981e4576042bb153d00b','d5bc4ce860a528cb28c6c2ed31bd1abf53aac28b','e5a24b54f6db045b68c72b5e555a62db388207b68f0b7137add0117af9f56841',1586217217);
+	INSERT INTO entry_data VALUES(2051,51699572,475,'rw-r--r--',NULL,0,0,'root','root','d5ffbe82978229b3a3b402ed9752a04c','efea4e6972e564b34af947a19c7953d9e1d84875','65b25dc51ba9fd414201ed8146f1d23af6c20c3feff364638f136759648d8a42',1590018930);
+	INSERT INTO entry_data VALUES(2051,51699579,2429,'rw-r--r--',NULL,0,0,'root','root','2002fd6b2ec467a862e6967fc93738b9','7419cf2fb4cf0bdaae9698053ecd97f6c0a01ae1','a5c409ac60b4ec97dd713e986dec730a2fd3ef32577eaf4f3b99284c27b0231f',1557802604);
+	INSERT INTO entry_data VALUES(2051,51706691,1863,'rw-r--r--',NULL,0,0,'root','root','9e84b998e77160bec0c6dfd972e3435f','477ab231b15a61d4bf3aa6c3a7594763cdb42cb8','d2c9c153eb63540340561a508d3c6c397bffdf45f43ba700699644c033db0ab1',1488092559);
+	INSERT INTO entry_data VALUES(2051,51708289,460,'r--r--r--',NULL,0,0,'root','root','d5468770ee5bfc22bc8ab67da1078b30','15df28e9f05b39a37e17e7d7f01d28d41aa0d7e2','e1beffe2226f87cb1196c590ee43fa84a7b018c2236ab1098de1f5cd02788e98',1587697195);
+	INSERT INTO entry_data VALUES(2051,51482005,1043,'rw-r--r--',NULL,0,0,'root','root','68da0ed066cc29f37b8a7531fd29a939','06352dbcbd248bd8d98804e10bb6a20102fbd3d6','cb7019b93443ed9172068f47f3c23841877577d391707c206dcaa65287ca33f3',1541600262);
+	INSERT INTO entry_data VALUES(2051,51753407,957,'rw-r--r--',NULL,0,0,'root','root','9f0370a932092b224cb25f92a9e4d2ae','ee6e20f1dc8ed4c71a57bb94ff30fc8d4f7d86cc','9aea18eed09b3291532f4b1a6017c3419373a39eaffa24e76ac2ee0918bbdb8a',1574181761);
+	INSERT INTO entry_data VALUES(2051,51758531,447,'rw-r--r--',NULL,0,0,'root','root','d024702664d4482f626f5dd8dff74806','3ecc5c70445d669607ef508f784ef94c50d123ab','374077afa041c7aeb2fc7c54242f352c68ae4506f17402cfa608349a5589a318',1574181758);
+	INSERT INTO entry_data VALUES(2051,51532679,404,'rw-r--r--',NULL,0,0,'root','root','9184abb0e531a9c05013b202f2c9c6d9','8eda5999144630ea060f00c75307142c1004277b','a64f63319f93c39e5874b7a93870e1d8fd35348dbc028526c73e7d57fe2f6c93',1587698157);
+	INSERT INTO entry_data VALUES(2051,51650476,971,'rw-r--r--',NULL,0,0,'root','root','1dd60de5281192369006d9a698a50bd7','14b73dc9c4e9c9a5aae66e1f69c018ed1990de4b','7db68294aedbc1891e2aa2db7f761fa95fe77b73e6c4d593ccbaa648baa4acfc',1522741353);
+	INSERT INTO entry_data VALUES(2051,50872991,3883,'rw-r--r--',NULL,0,0,'root','root','04171376f385fd33eade3368b8cd4082','f16ba84e5f0508bc844ca5a12b3b9a8e2316560e','e5ce53f9dd19a1d3a3dd4f221b3b1c3a90448c95cceddc4386ca49a999977a36',1587696173);
+	INSERT INTO entry_data VALUES(2051,51712653,587,'rw-r--r--',NULL,0,0,'root','root','d8820ebfe78ef0a32ad9ccde1f038487','4171d942dc0c89d9c74abfe8f264aa9f75f6428b','0bfcf1225e7b9b915695f97a03303e3acd827b7924fcfd13254522f28fc1db1c',1576084396);
+	INSERT INTO entry_data VALUES(2051,52136026,422,'rw-r--r--',NULL,0,0,'root','root','91eb7792b1dd55d40bc36cff94c96aac','80414de34e0e02502149caa2a3701cf013ae8dcf','459854fdc2369748579e252c2aa6445f018bd4ca7292765df9ef4ba46c29b855',1587697092);
+	INSERT INTO entry_data VALUES(2051,52195390,1142,'rw-r--r--',NULL,0,0,'root','root','8a05005e28390e7706bc2dbcbdb7f66f','b5ecc70a32db1e2c5aea7cc2d73b260dad0d5579','b1e51bf3ff20ab16b8954d8a999f69966dded889d29b75cea25a726b6b9b12dc',1557580549);
+	INSERT INTO entry_data VALUES(2051,52697008,1430,'rw-r--r--',NULL,0,0,'root','root','4438cfda558c3fd03cf435e25a1e3fb2','4bf92eca09d195507ded146c802515c67a0a1830','9bb6e50838639814a369e51818903ec60b06bf455b4b66ba16e20684ea52f1e1',1591813210);
+	INSERT INTO entry_data VALUES(2051,52697009,2534,'rw-r--r--',NULL,0,0,'root','root','739255e5712eac580b28df85b091a36a','6eaa9d7bec71eaf1c0ad9c7e478eb25dabacdfe7','4af89b4667980b1dc2e370306d649e3c97bcd6372d44009d7093061aabc8b785',1591813210);
+	INSERT INTO entry_data VALUES(2051,17746611,20,'rw-r--r--',NULL,0,0,'root','root','0eea71665fb6890c06421fd13aa3f849','c7f9a550b77ece79052aa1a630098b911883abde','081ef9d5367595d16e30b4b4549d9f43537320508b4ce0788963e10e4f808857',1587696086);
+	INSERT INTO entry_data VALUES(2051,17746612,706,'rw-r--r--',NULL,0,0,'root','root','ac65ae74857db694e51f99b10c3ff843','ce182aeb87fcfc66620f7c5ee0308e6a8021f852','30e58aa44c7370ab4edac1b7b896a69fe6a7f6f6d6e3210fc757ae9b9e81a757',1587696086);
+	INSERT INTO entry_data VALUES(2051,18275437,11327,'rw-r--r--',NULL,0,0,'root','root','03c3f48307824c824d2be0e1ce915d6e','b39495cb29658cf4cc116a15acde9a2a075071e2','5064e01653b98f8456fb749c4e24f454287a9266a3d19fb7c2b03c1d2f1a3f7c',1587696086);
+	INSERT INTO entry_data VALUES(2051,19433088,4326,'r--r-----',NULL,0,0,'root','root','6609a6a864941d896b6bab81d15898ca','f1651e8dcb1141c5537cc6fe8fd1056b0cb9c682','acf57efda03cdfe3f4d5af32fe8b820ab66369f369ee937c57797ee8c32f9955',1591915918);
+	INSERT INTO entry_data VALUES(2051,17611846,429,'rw-r--r--',NULL,0,0,'root','root','d059d75700d95b4056c7688855fc1c2b','8ae78076d532ee274b9b7737c4920a2b6c9ddc34','3eef9865b1123a43ebe87fec9d9379ff0735fe85fc9c46480c548fcb0ef2fe10',1573245337);
+	INSERT INTO entry_data VALUES(2051,18644483,9450,'rw-r--r--',NULL,0,0,'root','root','c3f998f6b832432a2066a585d06d2c9b','c1f46afcae4dc0311d7fb0551f40188841e9d7c2','bd86cb55a464f661c0573df848021233443ff3a5738227c1973ff7b411bfedd2',1557587032);
+	INSERT INTO entry_data VALUES(2051,17716138,216,'rw-r--r--',NULL,0,0,'root','root','8f42efd9d1efe717f27267e6a4286453','40eafd4789444f5e6740be309f429b579df02778','7237d8d48517c7788589ba5a78ec41d28da0f0ae2f9cf06f68b2de154c233416',1587693956);
+	INSERT INTO entry_data VALUES(2051,51277134,1448,'rw-r--r--',NULL,0,0,'root','root','4aa1ae9c67f14d6c5d5ea320f134852a','956ee2895e2d3e68d0b84388f09d8b44b515afd6','5a256c96b79dfe9f7961352cd035a4683aba336c3fd3b8efe6e3644d1f69e868',1557791307);
+	INSERT INTO entry_data VALUES(2051,51469956,4419,'rw-r--r--',NULL,0,0,'root','root','05b62252979ae14af0df0e2e28b27391','3085239ae10a74a47008834cf2a2050bb7411442','9b427459a6ff8ed54fe0f4c86833dabf5406aff6d2ffb200528633b1ba7d1433',1587693389);
+	INSERT INTO entry_data VALUES(2051,17814563,2836,'rw-r--r--',NULL,0,0,'root','root','eb556142a81614d894e56f38524a4f62','8e4c49ed4cad5e4ed73e583775526f586c008626','312aa323a2d431b5970c4cbb11aff09b12b422d3b2ec0337e045f9abf575b090',1557812277);
+	INSERT INTO entry_data VALUES(2051,17779287,3379,'rw-r--r--',NULL,0,0,'root','root','ebf4afa1ca37607f96174e63d5e0d8ac','bcbaaa79a0207ab28abbd9871e7ff0cff8c39a0b','4afb50d17d54a3e62e150b5189a3251869d40fa293a71cff30dbea530e2a7183',1586211106);
+	INSERT INTO entry_data VALUES(2051,18643980,1362,'rw-r--r--',NULL,0,0,'root','root','2992b4f15bf5288a382b912c1ab28b38','ca70562789fc9528198aa4307dd883d5b7300de0','966703da36571b207125011407b102c20e8edc0d16ced485152d395a3bcc36b2',1557806788);
+	INSERT INTO entry_data VALUES(2051,17814572,2391,'rw-r--r--',NULL,0,0,'root','root','6bd2bb550f448cb81c6f0cbf806b936f','8b9495d785912d6fd7a757ee8ad7b631886e9d52','bc8aa93ad61547a0ab70d373d7b68bc4b95b017009d1403c194fca6660ab5517',1437678973);
+	INSERT INTO entry_data VALUES(2051,1392109,885,'rw-r--r--',NULL,0,0,'root','root','999c2e5c7f70e9a26d788737a5ded662','079052d9480dbf03ffafb941397f278bc7f80e3a','e46a92159ea487e103feee5b5f82c14faf35466e08c4bec78ea61ae07ab6b849',1530699651);
+	INSERT INTO entry_data VALUES(2051,1418232,706,'rw-r--r--',NULL,0,0,'root','root','71da11578968301072133d233e91cd1e','6fce7e5a37d234f012eec1639e89633d44759212','8407f5c9bbcdbf33f23e97e67710b5794180a8b8c471ecc04829da690cf77fd5',1586900183);
+	INSERT INTO entry_data VALUES(2051,1418233,2015,'rw-r--r--',NULL,0,0,'root','root','45b9a724d9267af820bc54b5d12c5920','8a96f926e557536af930b66ff1f2171e938ecfa0','0aa011f552f333560cdb6aadb26cf5eae744ed9490bae24a64d408aaeb5b0346',1586900183);
+	INSERT INTO entry_data VALUES(2051,2647776,1998,'rw-r--r--',NULL,0,0,'root','root','6719d19ab6f41944cc47859bce4de009','81e5604878936e04246d8e91705bb00801ad39be','069f0c5f5dd9d1613b8c3d5e5a133c6a96788bafebfd50f488c2fe9b2ac38be3',1586900184);
+	INSERT INTO entry_data VALUES(2051,34540477,189,'rwxr-xr-x',NULL,0,0,'root','root','51d8e0f92da9b5c46437bb7c31c961ff','e6ebba94d8b62b1d7d2e4fdacc74a129b24fe208','a2b9806ef76e901d9d19173acc13cbead3ce816d726f2736b34f4381f4d28106',1515067126);
+	INSERT INTO entry_data VALUES(2051,34616665,654,'rwx------',NULL,0,0,'root','root','54400098bcd9287da13f0007df22cee6','0d9404cafd5556a1b3bd7ad9a3c83f94367803b3','a96477689aa1926529d5a1160ccd708ba9113807fae7af4d46d0c937abd97f85',1591813211);
+	INSERT INTO entry_data VALUES(2051,51433443,575,'rwxr-xr-x',NULL,0,0,'root','root','dad41aafed538fc612c040975fc38301','5b7a81eed2c30ee01b6eefdb83b06b5d96fcc4d0','1d0005fe0496baaa54a56ab242a84d5007f5596ec585ea03a0125f708ad8582e',1573231664);
+	INSERT INTO entry_data VALUES(2051,17817963,451,'rw-r--r--',NULL,0,0,'root','root','c39252b11aad842fcb75e05c6a27eef8','09767e814c22a93daba80e274dcbe00e0e7a8b99','59e73f3778332c2270a16544dd1333725bf9d01213119b6d50e05bdd5db31cba',1557580631);
+	INSERT INTO entry_data VALUES(2051,51433434,128,'rw-r--r--',NULL,0,0,'root','root','1638f7fe39f7f52c412e1705a0bc52d1','9cfb68c9669bd0c043766982025e890a42ef2455','ad03f0fdb025e5b5a1c7f83cce837bb3ef8acfc8276efec6a17d39ec5a34756e',1573231664);
+	INSERT INTO entry_data VALUES(2051,51699521,108,'rw-r--r--',NULL,0,0,'root','root','367636170f3ac44df6a117e3cbf7e4ba','dc4d0f265ac6e0152395d743c46381c029d0be96','956a26928fc240bc49ea9c6ddacf775193998a1c10ef00b858f0c7d51bb6f10a',1587697301);
+	INSERT INTO entry_data VALUES(2051,17817964,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1573231664);
+	INSERT INTO entry_data VALUES(2051,16943905,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1536580263);
+	INSERT INTO entry_data VALUES(2051,17817968,541,'rw-r--r--',NULL,0,0,'root','root','8241db83d5edf01c71734e41e383e205','f214de2f59a3c99e831758e76bcd2f39ccc43c57','bb6371d86936214cabbfc5e70d71375a8ab0b71e45e2c34db08e61f94da8efc7',1573231664);
+	INSERT INTO entry_data VALUES(2051,51436209,15,'rw-r--r--',NULL,0,0,'root','root','dfdc62acff60833950aa76845b3dd974','2a943d56b6f907f36a63a4e9ee441630bd2669a9','c7136c1d45c90f78c5e134a7daee681fcf1bd16c43885abb64d4da72813d6801',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436210,13,'rw-r--r--',NULL,0,0,'root','root','813a775ac8e335dc5b8a0f927f7df8ae','c44d956aac316141fdc30aa15bb6d56967345520','64e2ed1ef77866e67a75d5c18434cc4302f9b60b7476ffc0cacbdb08cff1dfcb',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436211,17,'rw-r--r--',NULL,0,0,'root','root','20cd8c1046d62aba32fa4c949a5db80b','de9381d5ec798035c03f9177cfc0a7eed9b0a2a8','d8e7ae34ff4871e802d97492c89dbdd476de03da7eb40cdedb61bd3facf9fa8b',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436212,11,'rw-r--r--',NULL,0,0,'root','root','c505e0f70fb172afd48acc33a733acde','be6dcdece84609a71a4d071b70d4f582dbad46bf','5b259b9bdd5161cf99a5b9fa00de67b9bf26aeac9a29798d0e65f679e9615bfc',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436213,13,'rw-r--r--',NULL,0,0,'root','root','0c578834d36b026c283bab90016e1e03','dc967be5421b610b34a68ba23829e67c3a9054b9','b9f2da2d3d200dc52f985cdd5ba095a4c32f789d4f47966996c4031ac485d1df',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436214,12,'rw-r--r--',NULL,0,0,'root','root','6bfeea2b2666f6ffd09ce5ffa6a94b12','87a645e3931baa24799ab0e85300d4e91708b1a6','2d5e45d321eab72381e06b30ff0df8dee3d950e7baae1d3cdbe3c25f81508094',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436215,12,'rw-r--r--',NULL,0,0,'root','root','3fef613081d2d483e9680be82e18e0fe','435fbfd63391a93e7de8436d4d2514c6f5da5d71','1432d9d75eef15e990ba9bfe03ff607925a664289707971c03881c6ec9b475dc',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436216,12,'rw-r--r--',NULL,0,0,'root','root','181182a2b8a7dd604cdfbbcd1f873e13','e2dbb809b3d0b10f2bad49801b9af3ad763394c9','f6bb7127e88a2d7a2849488e3c7ce21432033179a80c6b664aaa3190dbd57645',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436217,11,'rw-r--r--',NULL,0,0,'root','root','98676a4e0bc992ee80998b8599039434','e8bfded64e3ebed0efd0c37a805105beb145a515','e859b597a231e03a5a71fe6a61017092fadf9d2531bc9fb3ce0fb8b1f1cbd655',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436218,18,'rw-r--r--',NULL,0,0,'root','root','2ae063cb52092f09bbcccc7c6cafad69','7f896ef009a96ca468cb3e788fa38c158790c696','472d479077fe3f5bcb3c4c41ebb3b691345ccf6419f99f5cf3b01cd0b9d65ca9',1587747464);
+	INSERT INTO entry_data VALUES(2051,51436202,11,'rw-r--r--',NULL,0,0,'root','root','4cad034f720e49b931e7e05da889c919','e61b24f5298664f10bcfda1c930113f91dd4d43c','6880fb6aef93692098955b3b93b6bb33e315b199e4d46a5c6618993301b16ada',1587747464);
+	INSERT INTO entry_data VALUES(2051,18643981,6300,'rw-r--r--',NULL,0,0,'root','root','3676ff18df9214fbe9e6f0c1d27c02c7','3cc78c6fc6b0f594ac0d5e093b85fe51df0050ff','723d85ffc5e12c892e42ca613906e0ac6091c44081c868643d12c7738f333d41',1557806793);
+	INSERT INTO entry_data VALUES(2051,17843139,478,'rw-r--r--',NULL,0,0,'root','root','9a1e2cf8bad225de6f7bdd6fa3ef88ba','056d4293ff4892dd9462ce2c487fec91311f99ea','c3f5b4b7de4bddaa9ac39a8c0c9479dda65e2d44ed692dcef90a6fad28d214b0',1590680837);
+	INSERT INTO entry_data VALUES(2051,17843141,13,'rw-r--r--',NULL,0,0,'root','root','f9f6c4e2324482d26e6b3c6d6cecd518','44672ea88562770928a9019933047f3cfe75bc42','13deacdf79d5afb01c48984cc3cd5291341ca5b28d43298e804dc511ce581895',1590680980);
+	INSERT INTO entry_data VALUES(2051,17843174,4849,'rw-r--r--',NULL,0,0,'root','root','fdb959029d9da0a6349245b459957735','3d3f45a3dbae31ceb6e0cdb8859fd04d99034a0a','f4ea7d0f932e6f78928e6715f1e21040e8e66eac02e8507020b75a10e2bd73ff',1587699739);
+	INSERT INTO entry_data VALUES(2051,34476930,36,'rw-r--r--',NULL,0,0,'root','root','214c9369c568e58bfca9f32370448b9a','e000234b31c6b2c43c9c4c42f7b9c7937b466d73','ff69a391465072df28d314f8a059a5f33692773724e2e7e60d1e60abd5906dec',1572284287);
+	INSERT INTO entry_data VALUES(2051,17843191,2022,'rw-r--r--',NULL,0,0,'root','root','ec6138ad4809095bf457ce3f5abbc243','75d52e2909488829dc25e8a815033ae820135229','f30bd694c0654a5626b3508e882a6cefd0440813fd7ac58c6022df21ca077156',1572284287);
+	INSERT INTO entry_data VALUES(2051,16816851,272,'rw-r--r--',NULL,0,0,'root','root','3e38929163fd6bed0375f571d694f32c','090b783b8909ce484ac7201225ad491f9ec8a4c3','9e701bfd119a566cd01950a1fa4049e3d0caf8cad684228ff04afb232aa911b8',1494507602);
+	INSERT INTO entry_data VALUES(2051,17844981,750,'rw-r--r--',NULL,0,0,'root','root','61b661695f4da8ebe35c18c164a1443a','db7c60b18b39702cc02f5e33c30d89eefa876efa','bd07ccf456087836912562263fe491b4c2ab484a02ba59d2a9d23506223e602c',1587736471);
+	INSERT INTO entry_data VALUES(2051,34251637,276,'rw-------',NULL,0,0,'root','root','b4cc264d7f04b480ed85b7dbc34c214a','0fd091d3acd62718b84af64851e25373ae6bb389','712cf6d953944c98dfb2a4ec2d64cb6bc4dead6d53bad05759667d7d7125f834',1586216332);
+	INSERT INTO entry_data VALUES(2051,34251638,11,'rw-------',NULL,0,0,'root','root','87302bfde98edf52e8c92f0002a575ce','ba60013f7f6e0d7f462964f370a216d16edd3ff2','db5af5485c3f7b5c9fc5defc097e905c8c6dedb6b05e6df9bc3ef8844a119611',1586216332);
+	INSERT INTO entry_data VALUES(2051,34616641,152,'rw-------',NULL,0,0,'root','root','215696bfcc2fe3ced2f250945cb45182','df8063fece969e6de2065a892f3d2738e912ae29','1bf3dc8e116852054b032bdda53b48c4ac6ef2611bbce9757becb3b2f39a0887',1587699739);
+	INSERT INTO entry_data VALUES(2051,1534149,13026,'rw-r--r--',NULL,0,0,'root','root','24a426d59b61524623695f1b849f159b','25226420456666f1b104a3b5c014d939eb13b26f','053cbf806a57e7759b8b8ad9cb21d65229b53b4c2b73feece2c62a3aff153b87',1591710959);
+	INSERT INTO entry_data VALUES(2051,1534206,939,'rw-r--r--',NULL,0,0,'root','root','9e7bc2d110f4f14d148ec04c1b6263ec','2710c79f7ba90006f5b6cc4adaf1101c1b4a2bae','e52ee294f481582b7732a58a627cc35e7d6641b3c35ee5c4b5d19b68fd2e3c18',1591711069);
+	INSERT INTO entry_data VALUES(2051,17859327,1085,'rw-r--r--',NULL,0,0,'root','root','740ecd95c964c04370bea43f88657dc5','2bfdf1ec26681f3644cffc11e83e06d5f8a41617','e3625924723687e91803be3deacdeab51cac1c02c30af78ada9d10582fc01bbc',1591965525);
+	INSERT INTO entry_data VALUES(2051,17929473,540,'rw-r-----',NULL,0,989,'root','chrony','96999221eeef476bd49fe97b97503126','ee371db853223931542672caffe82cd385fcf498','14932958d0ef92c5559483fca2f3da37a687cbf06f1bafe776d616b8673abcde',1557483777);
+	INSERT INTO entry_data VALUES(2051,16816852,60352,'rw-r--r--',NULL,0,0,'root','root','fe1c8ca29d393aa92185f612b0252271','99aeef01f6a67ec1f42e9755346d8c77f67d285d','4abf96380a36528f2ba411d028494dc4f985a78e81b3c0897a819fe399fc6184',1494507602);
+	INSERT INTO entry_data VALUES(2051,17959769,20,'rw-r--r--',NULL,0,0,'root','root','8dcabaa2bdaf7bbbe48582b3bb4422e7','0f1d85ba707bd39d43b6933a4d86fb17f7322dad','8fe5484b23983ad777db20c75afc136cd53341b8220b0c425cb4e7a6fde37a01',1586909190);
+	INSERT INTO entry_data VALUES(2051,17959811,33,'rw-r-----',NULL,0,988,'root','brlapi','9f952c74b9ea1c0b24e9ce35966fa652','fc2d7796c19e6c68621b33c72e5fc2ce4b7b1f6b','9a18121332ca23c91534bf53062c4a8abbdd8eb3143dde096fc4e8e66dffc5f3',1591914181);
+	INSERT INTO entry_data VALUES(2051,51526513,1017,'rw-r--r--',NULL,0,0,'root','root','c2788e89fe8cc9f383861d4766174d56','f431823e6ebeec15cf7de6a8bfd09430674848b6','39dc32c010315715c54eb64c0c047e48010b298255d0bf24ac4f80e938c72fd9',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526514,1009,'rw-r--r--',NULL,0,0,'root','root','d4d25e9be0f49720564ac2bfcd6a3d6a','6254abffcb28b5f1ccde84476da23e12a729b6c2','cfe6ad11e2035ec469e5e346648f000ab0d99180bdf4422b0386b412f46e2415',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526515,1010,'rw-r--r--',NULL,0,0,'root','root','2a884f194ae373405507900904bcb4f3','13282f481a3aafb7870b8527edaeda0cea137c3b','fec525fe6e3e4f393f4354df0d92df120a723496bab1a1c364acacbf0bde76b4',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572310,1827,'rw-r--r--',NULL,0,0,'root','root','3566c1c92fa5b176905cee6b07235756','62db242f43680297b357dfbe8a728229a4217146','21ca8bb09e50918830cf856d5580200d843b6980dc32e406fd1f7ef14940c184',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572311,12712,'rw-r--r--',NULL,0,0,'root','root','10de813701d35766e95410a079db6c15','4be71213567a3d3b426a2f23de378521abf392e4','8f18272e48ab20c2ecce1c7779f356c1a4145134b82f26c82abcc49191f117a3',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572312,6520,'rw-r--r--',NULL,0,0,'root','root','33fef87eecdef63ff14a8893d61f524e','98d338d46b3c68d9ed2313dcf525bd9a7b75f641','d61c74c81458f9e1736d2445ba30474d9cc093e523b5c6066c25685e453b124f',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572313,6198,'rw-r--r--',NULL,0,0,'root','root','c8d4e930269880475ef9664d66f5f378','a6b3fc470daa462c6e93194183578b592aa3dc44','f7d1cc3aae766dab84a115a66e281b7fc51c9297b5f47bb1389aca99d27d155d',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572314,54889,'rw-r--r--',NULL,0,0,'root','root','b832bd8cdd7a76b9920144b84df3643e','9adecf9851117d0860e7ca49a1e02dadf198013d','b1120d7eb016b232ee409095ee9c695d18411e1139bce9d17a77f1eb6ef78f90',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572315,3444,'rw-r--r--',NULL,0,0,'root','root','6e7d287bf9ddcb8bb8da73cb302b7573','bcf96f347932abc173df1a701c36f5f6bb53654d','13eb686770c4fd77a8f98037a99ba2e70cfb83773d59663ea68ea4ff7d172b6c',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572316,7257,'rw-r--r--',NULL,0,0,'root','root','c0984a116afe9d47aba7c6789de6203a','ba5686127c71521d7e10783787f9028a8eabb40e','c1786d634955af36ac166a4d9ebbcef3da3d6def3feddbccc108e8e3e99743a7',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572317,42042,'rw-r--r--',NULL,0,0,'root','root','6d83e8916cf7e7c1f12740f13db37036','abd84a222e7bfc75907f85798c84f1f5c235854d','cade19f2fdc84e6af7ea2dac645b8d3770ef3b22632f997e88b463f211619051',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572318,7613,'rw-r--r--',NULL,0,0,'root','root','ea8be527f23170dadfefb5b98a21e797','e55ae6e5c378c46c11d1d94b9617eb325d51b9c3','88f40938442511f3faecd389ea7aaca9334f2e29446f75743396235623f97a77',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572319,49282,'rw-r--r--',NULL,0,0,'root','root','c6b4cac837ac33d305606cbbfa3fff2f','f184714f318ba0b36e7342f2f6af8af780845df4','ab31d0acaccf5c09c6e08629da3513cf68f1ef67fb623ba20a0134c0cbdf9f7c',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572320,3837,'rw-r--r--',NULL,0,0,'root','root','f7a4833b9c64df5ad6fdeb14e4068726','9422f3fed74908436793f7dac8df5365a0ef5edf','7ef31d9db888bdc4325b98d81e4dbd785e44d3abecacbdd2e5890c75e0c6456b',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572321,1354,'rw-r--r--',NULL,0,0,'root','root','506988157989490129dae2bcbbafd6b2','5075ff134edbe06a1e540746f16d99a20ef37ae7','c6a15752d472f21b6082204df1c823f0732a90412e820dfc4c33ee76718c7b4f',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572322,1445,'rw-r--r--',NULL,0,0,'root','root','764c1780b377c43a6c3f988c70b0593a','9dde284f0de668222a5ddd6fb40ba13d70aa8ba7','b7f48b274ba8bc1d94192425ca285ff80b8712626df7c77d655ffe5bca13b496',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572323,16583,'rw-r--r--',NULL,0,0,'root','root','99e46aa1326380e93362dcdeffaa499c','bf28182a3bc0a56234bfef424d1d86435b6fddea','66d68cd1e05c196bbde6c05f17fb2314333d694f092e56e193f27e10e72a752b',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572324,8444,'rw-r--r--',NULL,0,0,'root','root','5b2c8f4758abd3aca51880425efba352','220d8593de4500eb4e10816f1946f9c3ffd37887','6746202c350ef569b669c19168c63027a31d7a50b8deb6903797b6a9bd07b20c',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572325,1170,'rw-r--r--',NULL,0,0,'root','root','0ca80d66a0fda293df63b29c0e274baf','d964394cf4e213ba05f3f5f66ef60fd1dd725ed5','326a9cf66968eafebddd10ce52112b6c271869952880c487452bdbf297ca51c7',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572326,1049,'rw-r--r--',NULL,0,0,'root','root','da3715d5ef8b78988cdfd3e2ac3a3db8','dfdf24ec5d3b42c01477977c2b930e776a5ae8ad','6133e33489985684ecb4e14f59b8f3fef91fda39aa762d6ff06f1664886e8c53',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572327,273309,'rw-r--r--',NULL,0,0,'root','root','e300cc766f8d5ed036cfda99b8c39eb6','7b872cd47045e2b3b173e93686c9d167149450a9','c976d873af7312d6324855370343fef37e1093d97061193003dc29d4fa92667e',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572328,6207,'rwxr-xr-x',NULL,0,0,'root','root','86e6d565efe3b794b171e64f780573fb','dfa57c89923af866bf5d00f50611e74c4fe38041','ba2d13587d5bbc7fd24c7aeb58fad35f834c2f0b9e3a7e5fb1739776635403d7',1558100579);
+	INSERT INTO entry_data VALUES(2051,1572329,2933,'rw-r--r--',NULL,0,0,'root','root','89da7cd4d1c32f56a64330587715417a','dd67f1c0ba29f48f1f854b39b318864b7f3c0292','cf4efd910ef22bfd1e777ca2f7ec1ffad179cacb16ad7d58314d8c2353575ea4',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572330,5999,'rw-r--r--',NULL,0,0,'root','root','c63712cc9a32b8a1c7854c79a1a35295','f89f5d1f6da530b095ee28c5897727fce2f24a42','8d018bd30370a8b3da38a86bd8a04d162bb21f13332b6b976a935720d473e1b0',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572331,1245,'rw-r--r--',NULL,0,0,'root','root','d792cc213a3ac9ce98f5e45d6469337f','37c483b1684553fa3e71f0a9956e1135338f5be2','85ece9cc4d575af8a68186bf396aaa56164f155212c9345fd84c8ff311b5400e',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572332,1270,'rw-r--r--',NULL,0,0,'root','root','cbe946e614415bdd5c1290f649da4621','0d87283ffd6ea770957bcd9b84c7c04f8ac186a0','2b80bcf3e5b9dfe33a7f742eabbe3fe2da3b76d201df4f85da3bc32592e0bc21',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572333,2185,'rw-r--r--',NULL,0,0,'root','root','ab0531fa007bb08316113de3a8fbdfbd','6a3dad28e3decc91df4cde4b1fb22aadcd1f9e80','924b505c23d3b3161c2b04c8684a763bc3f57470223b2275f3ecd70be9f412fa',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572334,1234,'rw-r--r--',NULL,0,0,'root','root','4cc72b89cd497e370b7f1eae69fdaec6','21873052e86d2eb3656e4cba6664ef61a5c34f68','a8841e1f48a61607f1606cc744f998f3e50eb5dfb05db66ba3d4deb1b3d5dc05',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572335,1263,'rw-r--r--',NULL,0,0,'root','root','03180a1b9e1f5b0d87ddf494f11661fd','72e7a2884c7f056cc8520b30ba1faa7a6f3de8be','6f9ef989bead05062096a0306c9055bfcc524a163ef0123aaf0906288c0017bd',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572336,10261,'rw-r--r--',NULL,0,0,'root','root','631c37c4969f17e8a7d2e6e6bba61bbf','1fb66ffb9a7607216450afc40c090a08c88aa0a3','4abe635bcdbee71593ab67a1111708a814b64146e4ba25daff50de7a54966fba',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572337,3686,'rw-r--r--',NULL,0,0,'root','root','df6bffee015de9b2ea4d72013df7ce8a','3bb89ce86908ccea9041cfd7590acd6d82f09156','a133fed7240b3f40cf92eda2cda85905dd8729197ec62783aa0864089d27fe48',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572338,1277,'rw-r--r--',NULL,0,0,'root','root','afdb5973a1fa51cac86502cc4842d623','dc58c04a8f4b652ea0a7a2a9f7b0ea1627971ff1','8ae80dde4630a614148e3b099a44af23d9658154275321b39c0d7cfe4bd79118',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572339,1448,'rw-r--r--',NULL,0,0,'root','root','72ef154100bfa4722a4cfb975219e711','2b40d5896983f4c91309cbe819359c0f5a369c6c','e27f64b03df3a533def7aaff9d084e8d6ef5048cf49606bcd7a9d6ba079d4209',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572340,4506,'rw-r--r--',NULL,0,0,'root','root','b4a128acdf1c4b5dc14e6e60d59a5fd3','3a66395ff9930e83cdab3ee6b1d6bef24df88ae3','b464eedaf021cf107ee8f662d1def02b97142d48369de29db56ebd032cf5647b',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572341,400497,'rw-r--r--',NULL,0,0,'root','root','736e1e5d9557a7d8b1421545190eb6f8','81891810c38dd7074361b1a3d1e98854311864da','eb71ba7ee92b6326882645bae49cde453527735eabb85e5f414f588a4b0947f6',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572342,716121,'rw-r--r--',NULL,0,0,'root','root','e9b9b0b450a8606059207f62cb09e958','ea09aebb62a341a1465dd1698aec19b23561b2ee','e7fdf0c334295029dd49e5b7234dd814b4a4f153e36517d344457e724445bbc5',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572343,1227,'rw-r--r--',NULL,0,0,'root','root','788b4b03aa195c733cea440eaa82a017','02177f7df5a2514e1e6ceed0f0a0eccf2e808627','a67d9a3036d7081cb58af5fc51f807f50a141745acc03e2afa9ec850bf474b66',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272977,2509,'rw-r--r--',NULL,0,0,'root','root','b7b570d522be934ebe7d9d93cc9473c1','c876815ff73e7579c96436b344dcb6aee4786620','0cd71151454e5c856b591d3d4c3dfbed012e5c81b7a900698cc048d68f04f0de',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272978,935,'rw-r--r--',NULL,0,0,'root','root','20517ffc27911a5d07ad4191f56e1803','c9e4da00b123c4acc18dc38d799d805fdde2af59','582b35d5d52e1631bf262bca81e21cc1007574e64ff0032dff599a2f38314a8a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272979,906,'rw-r--r--',NULL,0,0,'root','root','06714cb807f59a60f517a14138cee0c2','a13c3fe2e42e5f46552ab88d9aa3e2fa8b27efee','8dfc9e2c71bfba81ff9de3ddb85062823b40331af917180d5aea75709653130b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272980,867,'rw-r--r--',NULL,0,0,'root','root','20b6074ce74e084041b35265cdcad1cb','b64d8108f21d7ef4b67b6e65394c5ba8d0831e69','fe665ed3cc77e19a73db805f1f524dec879d42eacaae2d9e8e97c415caaeeb6e',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272981,1113,'rw-r--r--',NULL,0,0,'root','root','9952e25c7f2cc95f1ad62f998f2b16ef','0bfaf901b93abd053d408d92783a570f01c3bd9d','43f69bf3c4c36a33a148611eb6a3333f4a3440bad5063a1774ed2bcb15d24d1d',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272982,2807,'rw-r--r--',NULL,0,0,'root','root','1ac6b52abe2a5ed21ec7a21289d48186','707157a1f6126fed49f23966574942443f3a83c7','ccfa2da3b186db62414e8d4156d23ec4ffc89b6f9201e715fa120357ae543c4a',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272983,1143,'rw-r--r--',NULL,0,0,'root','root','2d2982f1150e904d20e8848d44dc29e1','86c3e31cb277adfe0646e9b3576c9b4aa42c5c55','585e80110bd770ee0ab80de9ba945fd3b109e60cd4c7499686b76e6c94810f7c',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272984,3289,'rw-r--r--',NULL,0,0,'root','root','953d79f30e19b071a8160bf152662782','052759f068ba16b016f5f65673c51557b2e7c502','585942bebf7f4a8d80804bea731790baf499edf1a92202081f8ad87de89cc2a9',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272985,1056,'rw-r--r--',NULL,0,0,'root','root','51da7890807418adb83c51461db1ae18','0ced23c2d8cd275b8446ae292c17a21f9e5acb47','ed5447501b2fa064a2f0f3d23c1aea155a4461df252c9bcca6a6c9c89de09949',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272986,1170,'rw-r--r--',NULL,0,0,'root','root','3c8981421cfe144d8f857c7ffb43b16e','f8d79b5c8598f18af623cc157f8321948906f9f7','a5cbf3f37fcc448c4ee7230f4f3bd0d296a8feec23f7893d6a0ebb816405bb83',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272987,836,'rw-r--r--',NULL,0,0,'root','root','e5f72ea9ed817dfa3411d63fc5fa04a0','c07d01728bcbc04e30c04d58a66e73d7f587d0ba','b8769b015828a27ca63dcdb4527d46ee09d560b5007573bc707c6663e9af8ad8',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272988,3522,'rw-r--r--',NULL,0,0,'root','root','2b341c6d9b27c189de3e6ab600100e92','59ff3c5792d622793c47e234616cd6db6e4a67de','8ebe10745c28ecc7cb2f1a1c16f98e67f4444bd35af1a1f0d6fc9779c50e163b',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272989,1058,'rw-r--r--',NULL,0,0,'root','root','56f926997d2f1bdf0b00f3c5c55a9420','a9bb1aed7b9616c982c1b3f525e549f3bda249f2','a35a466b1e3fce9fcb8b86c4bb03405fc6898ad99dd787cd1e238031a4fe33e2',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272990,895,'rw-r--r--',NULL,0,0,'root','root','7f1ecba27f0e0bc42f2c17d328c458aa','937c4fda28bcb7324521a10dd2f3324b00347a30','a50d2c3515c2ea2069ebf61ef6d86c13e493e682c63d0115552dba1d0f6888c3',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272991,856,'rw-r--r--',NULL,0,0,'root','root','43e2664e6f2ca1ad4ce88325ec97ef82','4121ffb605105d62cdb31f66fd305bc34faf7480','2372c728d0b5369adfc88a6186c1dad2578a1d36f4e2164c9eb4e3a7cb3f66cc',1558100573);
+	INSERT INTO entry_data VALUES(2051,34272992,837,'rw-r--r--',NULL,0,0,'root','root','7ae8e3411dbc86cc4f8767a870acc5c6','49e2d191766a37220a831bc33dd31bc969e374fa','8d99628e6c185542d00445a73480e73dce85e002e14329fbb932e85a76907ed6',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526517,2095,'rw-r--r--',NULL,0,0,'root','root','63c1c4154190a3919491cad04a1d6aad','efb6390e66aec72dae69deeed6ab313c74f45bc7','ea35b8ac1a37d25cb78cef9a344713872b17bd9fa3cb1806416e756367c5ac9d',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572345,58,'rw-r--r--',NULL,0,0,'root','root','dba5ceb757d7a4118775f3c1b56d6e13','4ba21cbf51d8a4a939086ee0b9c1d7f041a78b7b','23e423d33c3b8cb0c21e645a4a0107f73455c393de64d9ef481a62b9a3dfee37',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959817,302,'rw-r--r--',NULL,0,0,'root','root','e074a6e5d7c8a990b0c553bdedc85d88','d05b7629c320554b6522218c9e9d29d41198b85a','dce39ce8bd0e9a9f2b4a3f469f66c0e324da218d3885e2b552e6b85edc29d8a8',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272994,3274,'rw-r--r--',NULL,0,0,'root','root','d07d3e6523b3818be9593f759b3d2cf7','556a3a702b1301d0dcd63b922bfe82eaaf7589ce','777dcde8ff83b5dc3779053b1b7a544127888a98b8fc9ea6eb52b67300d4e430',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526519,2728,'rw-r--r--',NULL,0,0,'root','root','e5f939d8e49888d2ac8673e14b118e91','eb8b0f50acabc4b3241e3e1368477dd4635c7a71','09c07ce861e8e7a57bc8aa67c3336ca105bcd4ba6d9f60164f96be52ee465f6f',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526520,3557,'rw-r--r--',NULL,0,0,'root','root','754440c01c84f579cd3a5471206661d3','f4e915f8726bd8d5066408c514e663b47bbde0d0','4db7e001765b79ea490f7f04c32e1bd864adc51e28fe64c73373f343c580d6ee',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572347,940,'rw-r--r--',NULL,0,0,'root','root','ce28ed9c1c760ee2d3d015b02e150c72','41532f4bfe53164214b3d1a4a6e77bd6b1ee7dd7','a327a57bae478c6807cf00175d8e08f954815aa0682b3765457823a18a64bf18',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572348,1352,'rw-r--r--',NULL,0,0,'root','root','4ccb29143ea94f03e8d1b93c40b82c2e','61bc3a0a31eea5322683ab6653685eef5f237d78','f00bd6ceacc80e06f408d417bf0c6bccd762150f31c01277b0f39bf4736196f5',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572349,1302,'rw-r--r--',NULL,0,0,'root','root','6f5aaeec3b7e97c3cdc0765ed639d7fc','bff93fdceac51c255c12eeff147f52a20c0e3c7a','e3c6f3c27889f22eb345f7affd569fe7815d5afb57f277c90871d58d00ef6027',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572350,887,'rw-r--r--',NULL,0,0,'root','root','c70454c6d94eb6122ddd340a92607397','2261eec237e8f2141f8b693081d2aff357f78ed0','98b1abe0a6c8f8635f94500c379f656714f43ca3cf51f72ca1b96d5d11aafd84',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572351,862,'rw-r--r--',NULL,0,0,'root','root','815ace8179286e2d2d2142107deaad6e','c488a2cbb88e2136ea842e0459ee300751e623d9','3d886cd275f4ffba055c8dfbdf9d8ed7008aa4587d1706e101f831daa1e2b29f',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572416,2625,'rw-r--r--',NULL,0,0,'root','root','9c8b5e6ebae190574ef6abb50a7c65bc','835377c5fb5bf0adff6c19bce4eda719d08099ed','d170caee30a007edaf25d501a38d946f4d12359fa452b8855bad18bf16bc053c',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572417,863,'rw-r--r--',NULL,0,0,'root','root','c7356056514dd7983c427be9ba0c1209','e34f4daf2d3ed17526b143b8ca92ae0837463db6','6650115a9aebba13250708dc1ad90739dc859e1be54c8f95c7ad18a4fb6c7a45',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572418,1039,'rw-r--r--',NULL,0,0,'root','root','49df328b918e3aca044a2f8bccf5e0fb','28b7753085d250ba8d03b85914feb74b9f0f8b49','8f828ab49efa5628974991f5514f8921125f0587581234089b54ab8426c2e851',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572419,2209,'rw-r--r--',NULL,0,0,'root','root','8c8299cab8dba72243795eae3f52abff','00ca16ced1c54e3522e48aa29f1e5d8dd4f6ee1a','4962751c30f41560319a8aec794ac9db11c0fc12939f87afa69ffe35e3240a46',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572420,846,'rw-r--r--',NULL,0,0,'root','root','680263ff2f45260b7b1339524101d7a5','28d64f2e6c8973b0c2fecc44e68810d33c58608b','8fd59ddb698707762a770ad440aa53c72693092e411afc7a2d02f66171bc2ff5',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572421,1847,'rw-r--r--',NULL,0,0,'root','root','7a2b20696a1a70bf5c4e4aa13f7d0a1a','8aebe57964661cafaceb5931538546ffb760ebe5','46116c1e725b3e0da9d1440a111504487dc73c875cf7fcc65c7f0044e38b1fb6',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572422,1184,'rw-r--r--',NULL,0,0,'root','root','e52842ba6976b1ae5c075ef695ccd7b7','22fae9d939ff8b95ddc434d480c9b33ce155bac8','c3c719556f817bb8c1900de7b2cfaccef4b29b4a806d8b167f9b76bf4d448105',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572423,1437,'rw-r--r--',NULL,0,0,'root','root','c3d27b29e748212adb6a77aab4d558d5','c44892a0ae436a5cd2767b0a0568c1b4e74f80dd','76c7175b7c0a1fc19081e7bed222f13227ab12fbb08aa0cdcf2a3bd7ed426b02',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572424,1187,'rw-r--r--',NULL,0,0,'root','root','1fde462b556ff1f772bc020f7b624588','d22ee93eafa6045f884884e3e6d54fac3f02e362','a9eac99dd182d0f6d6d411703f1f093b4d5b33e2e55680e43888e4e93d86539c',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572425,3382,'rw-r--r--',NULL,0,0,'root','root','1f53f13b35881aac016a944c9a5c4e8e','b1bf873ee516744e70cb3af31de1d0667da4058d','33175547fdf3160944d8d161b00cb089605c94c36bd6fba82bc2192b4d66c48d',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572426,1508,'rw-r--r--',NULL,0,0,'root','root','0911586c8e6083609eb926507cf1aee3','ec7b531ac04e9ca398608715ff956d59db2de76d','137c46a8392a75a5184d8ffacbf72c710107f173a1382edefc4abe0f90f35254',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572427,883,'rw-r--r--',NULL,0,0,'root','root','539eb13354e8d286293b8d192c8115c6','d0b84f5c59f1b365abbee9872beec1caf799beee','351e956d6c15ac63718d1126c8d206ff9e3ca3185961926d219d267ff590b233',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572428,861,'rw-r--r--',NULL,0,0,'root','root','fffb9b41b0c35400f12d7b3a581608c7','67e2c1a8825924f4383a9fa623184045eec6463c','bfa5ceae4be795b798cc86b23ac22985afdee9cc46843629e2e81ec78b9d72ea',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572429,865,'rw-r--r--',NULL,0,0,'root','root','a46163178daed0336458824bc446e92d','50348c970cb90920ee93ce1be00e4f0bb71e543c','892ea0072fd5202bfe8c03742668c7dc2be64631267e1b0a05355cb42a44e736',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572430,1247,'rw-r--r--',NULL,0,0,'root','root','526520be3c12403faf3d6167cb4dc4b1','294513da5b14eea9274bed44975f8d86d1f5fb0c','aa09cd9114372bdb76156b5178425e6e647b31890da7215943ad287efec1777e',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572431,803,'rw-r--r--',NULL,0,0,'root','root','3c0cc75ff29a308678bc7f54c5a9cca2','97374cb91ceee26a36a1dfee2f9a2b0fb24172cf','22341b11bd87824cbc27ab2c5ce47be30dc6efed7b0fa200b9deab22e5741ad4',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572432,1497,'rw-r--r--',NULL,0,0,'root','root','c100c6edd163dbc4a5ba1577d790b4c3','59745ce2b8ee6057a3f3ea55d8c497681a745a9e','1dbca1eb257f68aaa79198c5245d53fc5a8c7f6b05097d2d6996370c134a3ef9',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572433,1360,'rw-r--r--',NULL,0,0,'root','root','15498653889900af8457e3cac519020f','7d623be8d32178a2c9698716d229c76498975b0e','6f9ca6ecabda822594d27fabdcc696fb7a11c69801ca2d93d4f066fd025b4bc0',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572434,1281,'rw-r--r--',NULL,0,0,'root','root','dbe04136da3e6c96c8b269ef106b368a','c7dd07c5739da0eb5cbe4d9f279993ff67b01fbf','8cfd67c0611965232bbd087767fb8fdec9801cbbd095d10534038f0aa7cf58c4',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572435,863,'rw-r--r--',NULL,0,0,'root','root','71d07e6ad9898bf59c86efc94fad0bbe','c35bb9b39f2a0f37267a6d1f6292a1910aa0162b','13d708af953c9afd0c3ba4e12812465e62bb6639d956e71888d2f1870c5cece4',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572436,864,'rw-r--r--',NULL,0,0,'root','root','be7e87a01b811943c000362297cc35f3','cd00c8d81e38c854d327d04bb9b3bb5767a625b2','965da869f894a33f6d7008948ffc4b33a0659f2f68b369eab52cb926ac8c7395',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572437,844,'rw-r--r--',NULL,0,0,'root','root','65b328ddb66f2aaeeca46a7d07013f19','967780037558ff6662275038874d703ab313253a','5e3e6c2f0a9abe6d56699b31bb0e610ccc79f2fb7554d8425c1408451e2b2cfc',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572438,884,'rw-r--r--',NULL,0,0,'root','root','8cc371cfd813d458214c840cb0a07434','3518fff5fd270d4b1c69a88c8ac261c73694b868','61aabc13943f4fe75c1979da57d5bde0457283d3140d8e4eb1e25720ad21753c',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572439,998,'rw-r--r--',NULL,0,0,'root','root','9f60a9805184a1be56239e22c85c63c3','e1eddf7ed376404c63772442e08f458e945eedd2','20dcdd051560302374c16653fcee155945d8b07a7cdffceb766808258fbc8434',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572440,1337,'rw-r--r--',NULL,0,0,'root','root','32c487937507edbe6ec26530f42263c1','1fa3188d770b0b6a2d384b1ee00a76e1bc0b2418','d9143546fcebe5d5d47e661cd3207374e17ccdf56e5bf1934c0e50abc7b70fa2',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572441,1282,'rw-r--r--',NULL,0,0,'root','root','50e0f3b91933ab254a9f9b9c82151704','ced3e1bfdcfc9d5dbeb8621cfecdcf732f6415a0','7bc6a6e2d61f4de121c8af6dbe5b0334ae7f1ef24a872b81d507ddc88606fa43',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959819,6347,'rw-r--r--',NULL,0,0,'root','root','90ce6497e6e703d2619b4907931aebd3','cfa2e5ed4298adc7c5d17d5753d612304a7cf3ef','ac789b3db1e6003cbc896ab63a26fa3d4f66932d2d731a245572b5b710e49a4a',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959820,935,'rw-r--r--',NULL,0,0,'root','root','79e4331ffc39c7f57de3416682120fcc','631dee96573b22b5f0938fd4631cfb4b3a23c862','ef46037250e739ea0150133c5ee788b679d67dc6408648835f0ee6ba71f5757a',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272996,6934,'rw-r--r--',NULL,0,0,'root','root','2ded35e7edf55ca89e274c3468004c54','68e940ce300ddb66221d37be89c12e1cc5a44c47','8272eccc4c517e662fa69b9a662e803674bc8aeac0ac94da20e6d1cebaac2e49',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526522,2435,'rw-r--r--',NULL,0,0,'root','root','eb64bd0e6df74fe41fc7d421fcece197','0bf66e1453b04cdd8dff1721c2e564635b254410','e0c4b7eec850e8aae81e1c1b6e57407fde73c8a4f2bffc694cf193d2d959b072',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572443,3607,'rw-r--r--',NULL,0,0,'root','root','17951c252effb2f4a1bb8f20e075a4e5','9555819fee627cc49b9548da5b588873e8605efc','e217759b0d6fff4d639e6dee24d801d24fe2ecb391fa86ab05698cfab28d7d3b',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572444,970,'rw-r--r--',NULL,0,0,'root','root','4fc6a8711018c7ba501b45a30974c2ba','52d074f1f359719fcfe4bc0bf3bb8abfb25248ed','ab52d53c0b962964e48ec03867be5db61afe227a16bd37634b2fba7e1c75b620',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959821,3221,'rw-r--r--',NULL,0,0,'root','root','cc874cbf0d3f641d5331b346270e4843','8e364830f293c64ad56fc6a8253d4619008cc83f','06762597b4cf4cd67a1abf4572b12f7be429493ea5266af7ba3f20d4e7129ad7',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959823,863,'rw-r--r--',NULL,0,0,'root','root','557da62b605e5df3449bdda50916ee7c','df60d5ffb88f13cd7bac92d214ccf8e999231b4c','211c8ef0dba60ecda0ffc6661337a61efd1fe19674a170941426e4abc52735c9',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959824,938,'rw-r--r--',NULL,0,0,'root','root','b1b0fe80e08df375bd582d0b465c07d3','90ab561e540de233106fec98774f2ddeccd0a56e','fed7ba2379477a911079e7cb3550ecf65fe18dbe6f973a5cc313108eb7d8e818',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272998,1253,'rw-r--r--',NULL,0,0,'root','root','d0d28bc973a96a5294ca7b7411d6adc4','f6d6f0da9247058cd736bbf2dee43e1336d1f7b9','3f45596e8922334659e8f4f7edad96aa8bc1f3f9dd16f9eb0115c787d535162b',1558100574);
+	INSERT INTO entry_data VALUES(2051,34272999,2295,'rw-r--r--',NULL,0,0,'root','root','56748aadcf80a2f4e1bf5812d666183a','c3173dccefff504d74c907f1674de09b1d11110b','80515d28d0fb454d3010ed8ce79a2c5a4015d1f78aa9e1dab5293c8d8560a1dc',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273000,1979,'rw-r--r--',NULL,0,0,'root','root','124e42cf53615305b6fcdd5bbc38f4ef','1ec6cea0001400a014641ee162c98c7dbaf7e21a','0890369a82e0ca5e184c6803b3f25c0ea0b861d693e03a05654d1b5849669522',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273001,821,'rw-r--r--',NULL,0,0,'root','root','878bbf17cb0f5a42526712669e8f4921','40b2c2dc59a0a4f8d2426674b2fbd55cc6993c41','d6026abb84d0e87000ef33b53760b7bbae4f9b00457e064ca2649da4dde96a4c',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273002,900,'rw-r--r--',NULL,0,0,'root','root','532c5591fbd445dbe996e9203dadb351','06bf91f98b91e81bfa13f8c39820a7d2dfa2c1b6','cc9d86a45d0fd8ce01b89a20010299d6b37c600c7600f2060a9bd0a9930075db',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273003,886,'rw-r--r--',NULL,0,0,'root','root','a16a9ea7fde62596c2398572f1bf0918','0531dbca626061e9a5e42ab5f8de42ce63e7acf5','035603853a1bed88b72a58770444423156dd8f369af7054ae71069587a0f6e8f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273004,869,'rw-r--r--',NULL,0,0,'root','root','8235c00c277a4bc84af95e967d6a9a92','124ce2b99619b2f1ebdbcf7486bb63a9a8bf58d7','0ccfa0c45d839feeb5860a16307be3e2f96b218be95d56d9e27716e5ce0211c4',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273005,4991,'rw-r--r--',NULL,0,0,'root','root','adbe8a4418aad9d675e58ee3c3dac143','0e82832250d93546ab83fc16daaf553fd0db921a','d1144e72c665067384c628d38a02e2be7f9ee7bb6bd39da646fd1b92fdf44ec8',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273006,1960,'rw-r--r--',NULL,0,0,'root','root','b474b5fb3b474ae8d9f82f5f1517df54','5b0cd9878be097ccbad6e6cd987df382ba917df3','496bcba81418008a4bb8cd102c064f53fa613855dff482d0286798d9a62050d6',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273007,2013,'rw-r--r--',NULL,0,0,'root','root','baa0850f2b00cc0ffa86ed3af5fc1ed8','9db325e88e5d1867d5fb88fabe83eca017843752','4769f781433f0f2a58bfe2cf5da9e8815dea8432d6a596aaf92397b3cc4b72c4',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273008,1082,'rw-r--r--',NULL,0,0,'root','root','64c657a679b822486c9fb2cc67ec4efe','6dd5f2690b8c8b45d5f490dd9570dc088896ff6b','9d21624bf5793d19a37292bd22b2d6e87385f5b240abfa1cba924900c184588f',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273009,1336,'rw-r--r--',NULL,0,0,'root','root','4c949456dfa5218a977288132bcb3f19','fa5bfaefcea640206a76c3c2eaa461523ae3b93c','02070a2821828ea5fae3b0b8a83e51329928d975021132b0c8926abea9879388',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273010,861,'rw-r--r--',NULL,0,0,'root','root','aeddb8e968e4023c60d39498a62fb113','b2c9b1951091c7e263a287cf13480ef913680e59','2a602377e269f79a359e6e9c65c078e098ba7930423e1bb237aab39cc9988ffb',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273011,872,'rw-r--r--',NULL,0,0,'root','root','4c5d0595d76cc33a0c2090598ac23053','d49c90a51b713682958f2750a9867413dcbf9046','84e531027e92f264086002be6cc2e5b65fb4d73e2ce00f0ee51453961a8b35f0',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526524,1128,'rw-r--r--',NULL,0,0,'root','root','571c7f8cd9c560229886e66f04c1e245','d72c5b83e430eb254d9c063ef1838b5a2a644483','cebdd14b146c9a7336c4d30a6b450bca7008f76b6a4596acd16c2002f09484ac',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526525,2216,'rw-r--r--',NULL,0,0,'root','root','c3fe78d78d925e35cb18ff3454388f29','b00884bcfb33311ac0e92af42403b3e1d5aa3f8d','a46da048f2f890ce64c063fbb96c810e1ca8bf58da4f41ce4e2531a3765c13aa',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526526,853,'rw-r--r--',NULL,0,0,'root','root','ea59122d493726296ff2110b01410b3a','1a316dc968f49f8cea827a40b1c073cbb9413ff7','f9b615c5ca7e2fde0bc85560256412323405e1f30578b5baaa8a15c75c4b56d2',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526527,1882,'rw-r--r--',NULL,0,0,'root','root','870dd9375e054f30430fdfcdcb419829','0745639bb6b0e22a9a3d669a91b15e2f5cac67a9','aa1feb612b9b2ae50036001473ad62e2c967fb1b2f12c1f4a5df42b7a35de5d3',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526528,882,'rw-r--r--',NULL,0,0,'root','root','ac7f43034725c19606b265d76484f09b','b49c0a4a270f78bbb379089d1901f7619f2bac59','b6d551799d0bf94b4d7aa663f9915cf5bbce7c424c92b761c1cf03374d40af86',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526529,861,'rw-r--r--',NULL,0,0,'root','root','5bf111882f8fcabcbfbc22dd91184ced','675445d66424f6914680dd99c18511e340186962','84d8ebd1563307beaf843a4c8327c03072ef7e603ece61d1a2923a2a41e3cb5a',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526530,1671,'rw-r--r--',NULL,0,0,'root','root','fb4d2ba8eb0a0de718e8f72e95b26730','e5babe9919caa5e452596f5519f66a2ece0a1b47','0eec14347d10525924ad4f729c0e7dd8db1dd84950e16d2355dca63136eb6858',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526531,975,'rw-r--r--',NULL,0,0,'root','root','0ceaa2f247c4e6dbeefe29c9187b0b4e','6f6b24b8e2b6fee40b0db44ca9757790dad453de','57aec22c4790fb80a71ab7bc121a1f43b8ef9facf3831a7f94bc1354095790d5',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572446,2432,'rw-r--r--',NULL,0,0,'root','root','9988ef3be8d2c5dd00a8ba5b4f13afa3','32833a47e8e888ed00c87a573191d6941fae871c','78361a471018585595069aada78bfab5665df97fd4fcf14c735186872885dbca',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572447,2579,'rw-r--r--',NULL,0,0,'root','root','58d5543745ee006b2b768a5a860d189f','c588b6c16e940d8b6cd1507fabcd5f1deef5f592','9b434629760b8f29af14701ebdae4f240e79aded9ab5b1adeb77db37dc345c5f',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959826,877,'rw-r--r--',NULL,0,0,'root','root','1be60f4932b5b97c8aa4d6dd36f3dcbe','1664d56f5d06fb794f040d256777d3d6899104db','c91d83f60379017157f0d34cc82ff25d84e8559ee82ef45f0e2368ad7b1dd33b',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959827,1074,'rw-r--r--',NULL,0,0,'root','root','d5207897cb5ba976fb859d2cbbf21f2e','b7e919f30c720fcd049d60668ac2c82293a6e4f7','9d5086b7fcc2c44659a0a262697e31ad0fa4398982e570efe4958d87cf0b02fc',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959828,803,'rw-r--r--',NULL,0,0,'root','root','3c0cc75ff29a308678bc7f54c5a9cca2','97374cb91ceee26a36a1dfee2f9a2b0fb24172cf','22341b11bd87824cbc27ab2c5ce47be30dc6efed7b0fa200b9deab22e5741ad4',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959829,1186,'rw-r--r--',NULL,0,0,'root','root','0a3abe0249f3b3388f1af96dd9cdedca','88bddf3d8c553a33f3e66d6997a72c85fbbd5a57','5e15c0d6fdd9a8560f758c4dbabc92573469b49cbaa426f1d0a3d8bf2651c32e',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959830,1164,'rw-r--r--',NULL,0,0,'root','root','21c9143c8ecb668e44992e007f8c2763','daf6f9e6869040a47c4fee6f9f2f0b96998e90ae','117884f94a57e3bc6a158ca8162d91ec339a83d298313a3aa42d69ed60ef4bfb',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959831,1151,'rw-r--r--',NULL,0,0,'root','root','6f2885c482c5817d89363079e1ed962c','cfc265b6c3ef3f9db006a43c9960388cfaf0e0cd','720d14f2cff5d2ac475d7918ef2c14b065e61603d69cf6eb9f4f7a92def1d0ed',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959832,1152,'rw-r--r--',NULL,0,0,'root','root','edd95fa5307669dd13fc27acab6f6983','7475734099a5628c47d3a8b300e037ee723373cf','706202b48a363c2a0e45689a6d707bca69b23a058ab9b36d0bc2f4c267f110da',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959833,1952,'rw-r--r--',NULL,0,0,'root','root','dc84767862d891014c991bf092ee670b','d27cb2a65a491246ce42026835a56008026340f5','b7d6330e7175f6f570de44393f0790b98be7eee99cd97d3893137977f42ca659',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959834,1153,'rw-r--r--',NULL,0,0,'root','root','2989738fb9f8f59b60f6f960a8b81abd','d8865425434968ae4ddd313e3b9f7f787f5a8aae','8e3ff6bb8b15a93415687a4eaef84e9f7ea597aa422354ea4ba7661740dc49e1',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959835,2375,'rw-r--r--',NULL,0,0,'root','root','5a77f77041e315c4e8a6a161a1d066a1','06613b4fdb38b40a285587d7c3eca7a7791944f4','3f4e4ef969303fc861f608d169454a0165b59c644f5e8e8c4c8ba9280b98f794',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959836,899,'rw-r--r--',NULL,0,0,'root','root','926d035f257d54f24d94ff7a3e544532','414ec9fe81214a65e5d0b25e8d953b43ec24d840','f94e6fe34bd470f764fe3a81f98a1f10103c8ed6deda8bcfc397d21df91eb5e9',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959837,1161,'rw-r--r--',NULL,0,0,'root','root','a74e021533c245474930ac6b1b9b7626','6e479d1df803f58a22f15638eabb242ac3fa31c9','2090a898247e8f18f528926302f6bede0db0a7782f7b9e610ef6702b85a0f16c',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959838,885,'rw-r--r--',NULL,0,0,'root','root','0ee8b7db2d06aae541a5802d7177e556','6af085d4ba9972f16f0ec565c6a2ff35e2d3d06a','a249f6e979a756455f6442d6ab5f26825821f7fbb55fbf1175132e5cda1be67e',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959839,4079,'rw-r--r--',NULL,0,0,'root','root','493e722d8c62c4404619b736c5bb082b','231f6c036d3463c222576983bff8bd27b6bacfc5','79f457641f523f299499bc2fb25119924e9d72fcd66ee531f4772cb8c04cd8a4',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959840,1170,'rw-r--r--',NULL,0,0,'root','root','da7d4262e3d17d635a17af9fb37c682c','11514b9dfea6c77bb3d3dab537095c67db39f493','abd6c92a6791f344d0e43126dde83f500aaa022b14d339a518d4ed1f61968f67',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959841,903,'rw-r--r--',NULL,0,0,'root','root','2dc615ce66b2cfb6639b84981adb80f2','dcc351d4628fe128c6e8a582405d217b810a599f','6c3103bc256ded21500b7d0e9845873d3673e5cc8f3b5010f3891affd453f2fb',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959842,2124,'rw-r--r--',NULL,0,0,'root','root','f252f966865af2721586efa2a88f085c','d0458d3087ab761fba3f976ebecc18ed6ff55e5c','9a906dba3f72d1c3fb2f872b97ce242b273ddb84724fd90ff3fff4db79168dd3',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959843,908,'rw-r--r--',NULL,0,0,'root','root','3db41736e40459cbf08a5d4710ee12e2','6a7c3da75114a88247c7f849f07e17a70ac2c4a0','940cce0fa20b39f77b75b1c0ed6d3c3fd2f935a4fec44f25dbe9bad46fe7a1f0',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273013,863,'rw-r--r--',NULL,0,0,'root','root','051445a4b1c0b9d636ae41d59c90050c','3d470457d9a00131490ff82ea76483bbc08932ce','259e9b0efe3d0efaf8257d51ceab3cffa1c1a8417bd02921b3319e4b0fde4185',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273014,875,'rw-r--r--',NULL,0,0,'root','root','c9ff0672d05a270ceb8604ae68a997f4','d8906c8813cee5f65f80cc0c600e7de1ea4b8226','e189ef39a0277f6fcb24904973929a5771036f66f342c3a05801354aea9f7575',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273015,860,'rw-r--r--',NULL,0,0,'root','root','b8c2d40670fdc541a73266571935550b','9dab29f7fbebe853ac441f0533ea2b8eeba6bf8a','286554b5c9f018ec47ad7a70b408493d0a7c436495e61934e506fd1a04c02a54',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273016,866,'rw-r--r--',NULL,0,0,'root','root','4c6c91cff2dca6bf4c57986a6757c0b6','935161ff9b59f8e5ff164ffe6642cec505e45481','f8e2ad3e25911119a32cc52aefcf0b557843a9078e0106c82f705800d91ed7e9',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273017,1746,'rw-r--r--',NULL,0,0,'root','root','62279fa50b69926a7ec2eaed10199d15','ace9002919f362273a3047b3b7a035a872508091','7133e12f2bf537abe52289d0d9d76f896d784cc0f260ee238ab7281f0419abad',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273018,823,'rw-r--r--',NULL,0,0,'root','root','2eddb09405d96a4399212065df41edd4','ea109c6604b246694b69dfcfefcba7edee52c5b5','1934c182fe914a2b90a03d60dd977d57f94e2d3e0e6e486723df5808d1b18f8f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273019,1458,'rw-r--r--',NULL,0,0,'root','root','ad2b1d768fb778af1c116f1bf2ca02e6','bcb2a19cf2b6740332d9bc4837b8102d5a6124ae','ed7f2e486f1599ac278a983666dba5c539a2bf0ee9684e349cc545f19d47d7fd',1558100574);
+	INSERT INTO entry_data VALUES(2051,34273020,829,'rw-r--r--',NULL,0,0,'root','root','ff6f6fa7fbf10edde003c655ced7a58d','94a18ce330800af372242f548385e9f3f3d0e71d','7bb8083cf4e7383be96f40992eed38f689b841afc950217385120a367d711041',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273021,848,'rw-r--r--',NULL,0,0,'root','root','cf3e0780f11393b8bdbf951c358f1921','439d570d37237af2edbd8267ba58f64f8792b689','d513a6cb83132cef7870a8b311d0211b1705a43a6951456ca2c516b720918536',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273022,832,'rw-r--r--',NULL,0,0,'root','root','5723d19a678cba0996b197da0eded0da','20e32b58d17c38d5a3feb611a0ffa479594a3664','00ae6041070c1b53f9c40720adbc76f738079ff0d8ca4a181f4cd659ba11c6cf',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273023,1662,'rw-r--r--',NULL,0,0,'root','root','d11a9c5c0e257feb632c141d0c9e05e6','f7dab06c782bb67617d5c70e17d1c06f3851765d','34641ac9d2e35711d403f538c56d15ab8cafefc590e4000b79d0122eaac0d85e',1558100574);
+	INSERT INTO entry_data VALUES(2051,34205374,1212,'rw-r--r--',NULL,0,0,'root','root','37886e34fff1ec7984cca732d541eda9','81f7105a04b63a84eee3d19668e0ef7dfe5b7328','e0299a7d1c1db6c0ee7c279f48eacc7657de6f7f2f21094a1028298088c7ae42',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209408,1150,'rw-r--r--',NULL,0,0,'root','root','c1c8e7ce6377cf5737df3ae1345d3595','0ce98200af414897b9d491d6008b9ebcd285dddd','1244c1864b81ff6144db0b7f3fa8b126cd2720d966804ecabf11baa3ad65dba9',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209409,946,'rw-r--r--',NULL,0,0,'root','root','1bc4f8c2f3167c0ebdefe0cf5dd87fee','a68f3fdaf5b412c45795a9611605a32285ca8105','05b9b1efdd79300c603faa3e8848b66abf74894b58d74c24a2e23cfd33c75a06',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209410,3001,'rw-r--r--',NULL,0,0,'root','root','e48566c55bb70d346842a4e23681089b','a713b755317b6228387733a3e05886b4cff58ad6','a370fe2a5e7831a95b1248a0aa904c0e034139e63b94154dd98ffa69102849b8',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209411,851,'rw-r--r--',NULL,0,0,'root','root','a7e70f774bbf7e4a5ee11ae3aacb38fc','c6153a78e60adab3917bfe8ead6e9cef9dce8d46','7b43cc43f53e5bf80e6ffcbcd2d7d328038bca815de7cd91b09e50764c9a3fd4',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209412,1304,'rw-r--r--',NULL,0,0,'root','root','bb784d261483399426b022b56affa9ec','d0ccfccfc26b9c4d8784af3d32455005f76de508','020f2c695a009def1ac207cc1243fb09708ffb7925c46187c10b221d03ddd493',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209413,1277,'rw-r--r--',NULL,0,0,'root','root','ffaec0e1ce42bd57095ac4160eb6ceb1','22097d428138a0f67e1b5d2c01ccc29f58ffbad8','bb24a2546b265b3134d175a70d4df3ff2bd196710953926ede1319048054bbbc',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209414,834,'rw-r--r--',NULL,0,0,'root','root','4f82ce250412db02f28d963cd2c16537','292d91c046a63c8f4343d4b8fdcdea1fb962afc9','a19e21f59f55629bd470585b4cc92d79e5d5c1c08aec3e86fab9919f0152e844',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209415,853,'rw-r--r--',NULL,0,0,'root','root','af212f7f6bce06f21a053aa441f855e9','ff8695e6883604200129f2554c93a9c2b7b645c5','c69d28e74596e0caba3be5b1f4b6a9ef1ff8c521c0b533c9ae7f57e5740b6d50',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209416,2626,'rw-r--r--',NULL,0,0,'root','root','78e4515631b66615c453fb575e87dc7f','21ca9c96881729ddd3d2c9e5ba99b447b0c9e793','5ad0457b53d0b679a0504fd19d4201deb59e40a1724f63530b10ec25b7ba164b',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209417,1158,'rw-r--r--',NULL,0,0,'root','root','d608dbde91f63791a66dc2f4fadfd45e','e632ac976f68ba0c01374d25af7de8b44fd3d8c1','3cf95973b7c13da5946e25c09ba291f71ea52442588b4e0ea043cb220986aa0a',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526533,852,'rw-r--r--',NULL,0,0,'root','root','48cdd82a559de0d2de8ab426b30cbac7','d1b4923e95aee4e5bd5cc948a5de1f6cf440c369','1fc5de93e70f7e46896123e0ee1fb5cc279e14bcf5d3a32d21e90d26cc74e5b0',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526534,874,'rw-r--r--',NULL,0,0,'root','root','8e413603aa1f70d129190974c3cc4eb8','37f42d8d014d96b138382146a863fd159861a97d','b279d8d49a5fc56d83acdfc27a157907fb436115773baf6d8c752941679457c3',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526535,873,'rw-r--r--',NULL,0,0,'root','root','9647933ce3787b231c9d61fa562d4722','81dda64908d34fa15d0e7106ee40fa5a1257c026','1162d5efd05b4bf6dd394555129171847e4fd1011e0c841b8632b9846ee74088',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526536,873,'rw-r--r--',NULL,0,0,'root','root','c19f0ce354465b821f5da9a5af607926','a85c7d9d3f8188fd010dedfb876c134bac5f4a9b','89e2d588f2d7f3762a304c1026149f9534bb7696654286352bbc57eca99f4299',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526537,1339,'rw-r--r--',NULL,0,0,'root','root','1d6823532d1c66d062a42b1815f05acf','4bb5ee78ecb9ddeffddd0588abb9e47e792514b2','84c619384aa344d7d034bc2a806b497a17ef67ed806c07f126a45c952288aa08',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526538,835,'rw-r--r--',NULL,0,0,'root','root','353a8da2deed1b1e85277daf25a035f1','c77163feb695b4e52e2d82c8d37031336c7f5394','126c66acb6e2b03e0f2dce12eaf3641c982d4ac3d3625d2adba4d849f173581e',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526539,993,'rw-r--r--',NULL,0,0,'root','root','8d7af29fa18711f3be13657b639890c3','ded238c33728df6ed89cb228c0c90dcf01d50e6d','0ce8dabd49b8b442ea6ff0da5ebe19e1239b889e3901db50b5a14687992fc5c4',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526540,1716,'rw-r--r--',NULL,0,0,'root','root','547d80ff7f78d635c8b972137e2e001e','57f74847908d172c8fdbcee0a47c5f15e8063e9c','90f996dfa59669bfb61aae1b4a45c4d11b9bc1fbc63917693b352e9d28069ec0',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526541,854,'rw-r--r--',NULL,0,0,'root','root','b1673bf23a32d0e05d6b5f929608bd66','c961eedc63d230ca3f9eb4e69338331959599a79','903ed3a79df1a4ae4d8172e825567f9c320b7a805201d6224c57abdcfb921262',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572449,1800,'rw-r--r--',NULL,0,0,'root','root','6717d63060095ac205aeaa9d0fd62cc3','c551df7ca10f320e6e546189b71721e5c6d7b59a','4f05961f26a2133267fdab78e7d8009668b392b4812f011a07966d086eea55f6',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959845,1422,'rw-r--r--',NULL,0,0,'root','root','07418134a4b51788640ef803b9dc5c0c','881e9d0e4edadcc25bffab6a06f79ea3e1eb748c','c4cdb2da0e689c808d98b3a5ea4799ae9ca09e4f963ed7d450edd5da20d662f5',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959846,3225,'rw-r--r--',NULL,0,0,'root','root','788c813702838b55e066f460c6550972','acb203d7b7f52fffadec454bc97b6f5bd4e39eba','5de204a9871ee8f5a15df4790d1856bd5d09dce170f7973f337d5af475031075',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959847,1607,'rw-r--r--',NULL,0,0,'root','root','b9facd60b3a06676132ab312d9f9c5c2','70130b7e62def0cf30ee61c6caf589018f2bf00c','cc0e87d1c6469a5bbf8471069c8ae39a31b327543753af12934edd8b95eca092',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209419,63,'rw-r--r--',NULL,0,0,'root','root','bcbf6afd0accc850b10ae4e0192ce4b2','8be11001b965e3e7a41b138b6b30d6e90d6bdd3a','c34059d953678dbb07d12bb1875183cca994cfe26f32b807fe0503821ec06723',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526543,875,'rw-r--r--',NULL,0,0,'root','root','6d492c711f46c422e25e8af3f76da14c','0e762476a0e577c3b123bc42cc6e78dbfc1232f8','ca2f9b3146cbfa27eeb78b272553f47e220d7aaa7003bf6f5b376c4d320b075d',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572451,1605,'rw-r--r--',NULL,0,0,'root','root','772a3004115fe56f26bd6f0c7fd5213a','90caa14e858c72323af7bd77aafe625ffee239cd','aea66e4eefcd0ba996f1fceae7c9fd9701603569e1f5f8293b53b6551eb6b08f',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959849,1191,'rw-r--r--',NULL,0,0,'root','root','0a6392cbed00e75efb5b9019d57bb34d','62a54a0df4f6b360b7bc1577e821e5bb313cd7be','96ebc43411acf2de468b852f0bab02e3d88dacbe1ce2e28cc68845b5f1f60e38',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959850,907,'rw-r--r--',NULL,0,0,'root','root','61dcc7941142c5d6bf4d718d6f15f4a1','7d683d8819edfc25e651018883c674af5f86ab8f','6fbcbcee660fe5121f583d28ac128bc49aa4ada8b6be75f2f4af62e12dacad5b',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959851,855,'rw-r--r--',NULL,0,0,'root','root','0e344ac15de0ab1025d602645b3cdcca','df18569fe3632a50061f6cdaf18057e66154b368','d79986817728b95c72d663256a2530af2340fdac0d7ea8316d543bc0368bfd2e',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959852,891,'rw-r--r--',NULL,0,0,'root','root','31824f0091686c719330a82612d763fc','1412867e15f60342f9e1d544e31030e847f44913','4dfc159e784e3a7922ee42c89494d70e606709dc3a9416b7d56e7eca95e999f8',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959853,1264,'rw-r--r--',NULL,0,0,'root','root','488e0e9f5fcac3ecbb32df4026a7580f','fcc8467370b1ab24ce1069ef202979e55aa62005','e1215c58abfc98a14d603afad950da0994bb75a45c6ef197740ced055327e967',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959854,855,'rw-r--r--',NULL,0,0,'root','root','7ed58c0c18a90346f8bf4885c5ec8251','bb57cdad4eec505bcc6ff653560af39bdfcba4c3','18c66e6beed61a5c72edd96ffdb5ef3600d0399f3079807493f48b6aaeeed513',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959855,953,'rw-r--r--',NULL,0,0,'root','root','6fde5b15ead184748ecc5398e1545b11','85e22fec3511ff9732989aa0053a6aa8ea9e8464','c08e1f2fd3430f474f188a3ecf9c8da934bd48804854f5476a9b7586110e3150',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959856,824,'rw-r--r--',NULL,0,0,'root','root','a44142799ce9b9cce3597841a50a676c','b5a3169d456be50630eda621bf714cf482be00d0','ecf9862e5a238a32e8277b148713a277c2a4272b997e87f83aa207c086cb53fa',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959857,1001,'rw-r--r--',NULL,0,0,'root','root','f52544dddebd1ff168be4bb93102d5b5','d23fe2a790ceb0e2fd35ee6ac5c6c8fd8178e3c2','fbba362977a19f8d3f132b371de6514e14378673b5385049280227e3192ed71d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209421,2323,'rw-r--r--',NULL,0,0,'root','root','81e7e922b40f6468f5a5041f00167099','d2611bb688a3eb207f89cf0e8d2d5ddd6356c43a','2af619d8e5824f439d2000ce6557293cafdf248948e704f5d481d702739e7b0e',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209422,2577,'rw-r--r--',NULL,0,0,'root','root','a46c77128fc8072d9617d08e9e98df43','5e821c153e1f8d74963a3b894b82eb1f3c46fbb3','cdb56d49c8ced72178dcaadecb32a4447d72848c9fac2adc13aad7db96a1a789',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209423,2653,'rw-r--r--',NULL,0,0,'root','root','0200aef090df5ccb6b94d433603fc170','1d9124c36abec5e4e4bcdce92372e6ee98183750','6ada9e14ef10f98b7e3cd8b68f3e2815f73354abc8719ce5401e2d22bfd29200',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526545,2071,'rw-r--r--',NULL,0,0,'root','root','d03d10247abdb76d5cfb3295dc17d314','ffa9944c0f8be8cedbfbf476b0a60ff803739c6a','676880dfd9d4bf349425982f9f20d54406d0192d081148fd829a92c7e7cd964c',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572453,829,'rw-r--r--',NULL,0,0,'root','root','9d432e005f3782b06451b073b7dd5725','39cfa0220c7cc5ec0e57642afa7f50f168b35c9e','2be653a0ca1b71c7a731996f14836f07ba341ef982bdbffbbf0efbb92074717d',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572454,1568,'rw-r--r--',NULL,0,0,'root','root','46f93155b0766f520a2fbc2331385c03','0aedf32ea612a2de935edb7b53e085bb8b7f0ebf','08512359c68f54cd5653c132aa0ca330fcf89ceca98de13975b434b5dfdc917d',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572455,865,'rw-r--r--',NULL,0,0,'root','root','fc50f9c35e6e3c3056af4f37a8229ed5','dfac3bbf47798cc5ce91d17730024514cc637f8b','6dfe23f5a64fb7a08342562ba44e9fad815f43b50b1ca4efad5f6c0b1fbfe08e',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572456,829,'rw-r--r--',NULL,0,0,'root','root','e8ff26df93152161f0eb54fbd6a3eed2','755c1eef09935d62f0fbcc3b1b0f5948394db277','c3e383a9dce1f855ad42f08694994fad14a0f7fcbcd5dc6b243c013d142fb22d',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572457,1604,'rw-r--r--',NULL,0,0,'root','root','529202482e7cdadf75c303042a35752e','40f19682cffc4fd5b12d9e52ff795d121d419aca','5bb9359386aea0dd89c53ebd94e1a22b79fa92d7727c91b8f7236ac041e2aec5',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572458,865,'rw-r--r--',NULL,0,0,'root','root','5f7c32bdb09e56e12e098e6208c87cf3','74db813de0cefb08339ec1a040f6d7dbba147249','d2f9ac3d9d8a23f69ad62e94d34ae80501166a50b87276833eed7f9449f0d36d',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572459,800,'rw-r--r--',NULL,0,0,'root','root','86d0966deb04fe9e2c1cbe51f2ae1a9b','3f03c400e99bd4253b56e36bb08bdf6d724dd7e3','3b9de4b994c842e868f8c74d1fe67ca3f037974e69f9156e18f8c627e2dbc494',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572460,806,'rw-r--r--',NULL,0,0,'root','root','a0a1938a19efd2cb340f3d2d24b9b6d9','b27179754a6d486aad1470ceeedc6d83cdb2c85c','0e1c35c6ded1888213f284bd9a14d428125daaf3520fa923af2fd54cb5e74820',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959859,1181,'rw-r--r--',NULL,0,0,'root','root','8488a1c33d8c16952a88de9fa66ba9b7','9151200a60c184cf6a2c2bb77dc31034bf0960f1','8cf9475ccaa0abd58a49e5af80d8f6f3b783d37c6faa92b90639e152634bf66e',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209425,2387,'rw-r--r--',NULL,0,0,'root','root','61728d3355ae8802278ebc3eadcf9988','1a0d6ae86dd6fddb677ac0b73b1357eeeee2ff61','94ae15cbf1ad39516bfd1b34c494a609d3f1d0161cc8af95da411aed096dbd83',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526547,863,'rw-r--r--',NULL,0,0,'root','root','10141f523e98d39b1596dd196b7c85e9','e4d644167e2405f460cc000b606bbea3cd3dbf99','03f9c9e16bf3e774960261e8ddca54c090bafd2600f0d8a423ddaf8eea5c4543',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526548,864,'rw-r--r--',NULL,0,0,'root','root','554c6f6fabd2c0e52d100fd137ab2cac','92aa749ce11927a0e004f76ae88966a4649003f8','1f2bf9209a32af7a28c94b232c4c242e17e94e309fa962f91b437d63c6675655',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526549,2653,'rw-r--r--',NULL,0,0,'root','root','be4db0e79192f0d32f960b645c49b04c','6791ff517509269451ce646d0d56a9c356405ee1','d2174de647bfeb8c208c1c1ce1c91a2572814d18ea7909acce57c10edd2cc7a9',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526550,860,'rw-r--r--',NULL,0,0,'root','root','629ee2fad7d3190a3a35e96d9a2ef621','e12937afa885fbf94302c37a0695a98113fe7ed6','95a16fe99be7fc69ab99792bab156ed4be1ff37ccaea68ec2ccd2a39bbf13d71',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526551,859,'rw-r--r--',NULL,0,0,'root','root','ea7f43da1323c105e45d6399053cffc4','748d165e9c618005552d8a7482fb7436ca6c0601','9a777ec985237ff812346f4f4eb9667a74235af5bf44211cec1e9299ce8df5e7',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526552,854,'rw-r--r--',NULL,0,0,'root','root','714b7a86a911e86588370f2ca421c4bd','6c9f20a9768a31297c79a3337c130eaf1db34c20','44fefe04aa0c5986601eef9297319836d834a0f96090f03221e984b0b90658b2',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526553,874,'rw-r--r--',NULL,0,0,'root','root','bcd83de9b9630359846d0c0a4925b50a','660a9f61ccc10dee47c78ed7de71b7c40ed74eb8','6a3048ad12e4b9dfe427976e36a3bd416e3762a7487927bcfa3be28757f12f5d',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526554,850,'rw-r--r--',NULL,0,0,'root','root','9ac5199b40cf649f85fc218b03177072','227432f86be9a038472e0b222922abd6813b4498','0f5e199442d21dfdd21dcc97fdfb195e0f457ee88db4bbf7f990b4bddc3722d2',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526555,874,'rw-r--r--',NULL,0,0,'root','root','86334e338c2d7e81f1c11cbb2b8df349','eec6003b9e9b1fbbba2f124f15f8d9b5c6ba3933','f69713d98f3bd3602d9b990d8f0605b4311982376a9c0e8b8726781c98481285',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526556,850,'rw-r--r--',NULL,0,0,'root','root','d1ab610afdb4a39be0d954cb77003a87','faa79b91e91a5d5e0daf04d7aa3c4d46320eb493','dd2bccd41bfda763519fa29fca24755de6a587cf68eadb15094631f8e497b595',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526557,850,'rw-r--r--',NULL,0,0,'root','root','9995958f4a9523d8297b2aa496410555','fe6da00f91d15a18abfa0645659a5a3dc358aa0c','dbf01f45bc6a14d397a17b0c2a107e363c78e6a157a5247c0945447ab0739a16',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526558,852,'rw-r--r--',NULL,0,0,'root','root','9426126b16493299a741a63e253e62b7','bff7470172cded8ddaae970d1cc4ba7900a91567','d02a295c8e920583c38bb645bcbb2f963c007a6adfb7080ef58b405731592756',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526559,874,'rw-r--r--',NULL,0,0,'root','root','2c7b66a25958c8c443a4939c46844925','6482e42f84c0fe657b5e2881be0f23cc03a9e734','1458897bcb91fcb5f570fbdca4ad063df110cbf443c01bd12d4cfb77d63261e4',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526560,850,'rw-r--r--',NULL,0,0,'root','root','71bb924b294235bfe78f9da448a37fcf','84ed8e8cdc8188f1356261121b16d88eaa6c32ef','685fcbc20e6560921832a3779030762641e9f9a091ee632a00daff659579edf5',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526561,875,'rw-r--r--',NULL,0,0,'root','root','362d905219ee5646712de59c3958d10d','2ab02aaa453007f521cc43fbdfc222b66a7cc276','72010fe467ab6f3a72280f549dc523747eb9216e432cd91d9a97f255ba772e8a',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526562,875,'rw-r--r--',NULL,0,0,'root','root','89d7025a780f7941d654502c1e45afff','4dd7e360b91d45ce53fd652c0bc1b6781abcf41c','6273496324bad0323c73a15eb22b95348bcc7a9de5bbc912cb3cf072b771c2e5',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526563,875,'rw-r--r--',NULL,0,0,'root','root','8bdc8b63c785c30f65a770de60e7853d','8ec28f0b65ab683330790afa1453f87a892725da','fe5e9b7c85459823e6effeb2383475a8ffb2a38c12630a071c697734f020a2a7',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526564,891,'rw-r--r--',NULL,0,0,'root','root','6064090cbc094565c90f0a00ee8425d5','121ac291b9fce9e20935dd4bb6280c25ac97e840','1b9403ba66bf0257414eec20698f52cbc579f5126190874d60df0c449f9ad0fd',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526565,871,'rw-r--r--',NULL,0,0,'root','root','ebda949ac08389866c89d0003afa46ee','10fe9845c17056a0882511924ff45c6436bd46fb','175db2bd2ed967cc03601d150f6b0c4480f7cd025764e7a20d11c036273c28f3',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526566,859,'rw-r--r--',NULL,0,0,'root','root','69a6654e5dcd5d51160b19a131dc0ff3','7e9a61130c7abd74f69afaaecb07e4e288cb72f2','484e0b6b72a8ea368752d65fca2b116ee1a27bce6ecb52c0a35c29d5e577b2ac',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526567,859,'rw-r--r--',NULL,0,0,'root','root','ca65c2dfca764a7abeab05931326724e','1c3e85ed6505840ccff8836cc56c42cb25bb2469','af9cba9a9170c7dd503c4a916fd4fb76de9552510d573157a79b755a1f6fd0a8',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526568,893,'rw-r--r--',NULL,0,0,'root','root','2e33d6fcd89628e983639de90fc34505','468011dc7acb59b53ce6b7faa8016993eb1e3a5f','a909d5c1e8f21824fd743a069d4902e3e03a46e33f3f2151ffc57dde99d0020d',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526569,893,'rw-r--r--',NULL,0,0,'root','root','18d9758da411bd4c2fa19ddb327e8bdc','089fc3d1e206a022c4b8918ac89425da849d5521','858e6ce4f02fd430f66c6d409688fb169f4b4fecdd236891114b8106c8d7a0af',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526570,3624,'rw-r--r--',NULL,0,0,'root','root','ddfef7b5b005d9d0c78d4a09de61619c','3bb78c1be43cffa98b7a16b58208b546807e4da1','f35d8843d77de68881433fba2eb602874a268620740cebaec839756aac2f07b0',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526571,1743,'rw-r--r--',NULL,0,0,'root','root','aef82bc67259a3178e04a7a91fc0f7de','4af43acb8fdfb9ebba43e871c3f2236d8dd27ed1','a8c89d91ed764decadb127caf04a730cba8b59ff8145d3b022eec7c61f29b39c',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526572,861,'rw-r--r--',NULL,0,0,'root','root','880f3e7623630644b6296d4bdc8819f2','169025b7beda0c5a4550d8cd4473638be5f365eb','b112d38d02094295f1cc80a5f5d62a426d842ae76952b30882869e145001ca5f',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526573,1230,'rw-r--r--',NULL,0,0,'root','root','f4f94daa399825383b7f7e4dc8a3fc3f','c718156203b90e1784eb1acc2bf37d286fcce75c','7e1048aa89f8e45a26e6119954c7a2f39c51d0494823646624290914f8b2b354',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526574,3662,'rw-r--r--',NULL,0,0,'root','root','497942f424e51b4c5c30febf02b35d90','708c9a59f327026950dcde559b1e75b82f506262','d8b8ef5b185092268d330d037c72f062d10bb196518e3a4431f8aa36259da11a',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526575,894,'rw-r--r--',NULL,0,0,'root','root','8aa3a2f82f5b97710b302f0b88ec9403','c3faba8d78a16792b1a4b845f4a01eab5693289d','c6f879582cc316941c4ef366b09c1e45c50986a8310f0655bc257c6ece3d8a19',1558100573);
+	INSERT INTO entry_data VALUES(2051,51526576,1083,'rw-r--r--',NULL,0,0,'root','root','7c9b656ae93428a1d825be64d72a73e4','b73617face727511fdfeee9adf4281135e70c83d','e491424967627bc49d824a3c19ab1b4822c2694e72c4b76be66d518e11a9775c',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526577,856,'rw-r--r--',NULL,0,0,'root','root','b442bf9d31a7a403a89400d8698c7e87','d520ed4e5719bf16de40a3d8394391ce1aec1e94','cf5a8580b11189044779c8ac7988b8c79224fccead977e9160171563738197ab',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526578,1510,'rw-r--r--',NULL,0,0,'root','root','77993fb912e2011bb5216f6730465af3','7090023d455e9b101c3cdb9b3dad3c805fbe2ab8','ebaab4d9b7cbe6d600af7d1caed1b4881431d716d32eea77786ff81a49191780',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526579,967,'rw-r--r--',NULL,0,0,'root','root','3dffb0d63d6b4fdcd8b7504f97c38751','c29b492c15a611f86eda56dc8c9605bfce2aa748','a0f5430196e4b4700caadd6098d5db6e5b46338242d62fe7dd3778760451bdcd',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526580,1912,'rw-r--r--',NULL,0,0,'root','root','a19b2e63fce39f7859edbf42095941ac','77be92606ff8bbad1384e321f0b6b1b15b12be4a','5a0d9ce917384fc35359058c2e0660590c13af51a1ee67566b797872bb9f8de2',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526581,2026,'rw-r--r--',NULL,0,0,'root','root','7627097082c0e869d647f66efcc7abe6','800a8d766614d674a9cf259c2895ad9d6de36d0d','9ec06bd9dfce87eb10ede3c729831a8bea62e9dd0d2a12f9cefde42be7857db3',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526582,1018,'rw-r--r--',NULL,0,0,'root','root','697cc5cec0241cbd034f2067a9cf245e','a0df355e5f5b0393c94d57b24bb43107db838698','bcc61915084b5aeef7875797fdc5d312b267d6959caec7604b9c780bfcc6ae23',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526583,4881,'rw-r--r--',NULL,0,0,'root','root','94e37a8cc6fb93bc9905285e3200a2ba','4f322b2705b3457b51b269fcd09f5551bf0e087e','cdbf5cc155dad4ddcacf9ae27a715247c9687cbfe193e40014a74af11436a1d7',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526584,870,'rw-r--r--',NULL,0,0,'root','root','5b5f8104e34c8df4556ee7abb9a8cca8','f28d97e7c8c52aef889568d4727deb9da05869c2','f0306f3a22100df5115f0c896db161f2cbf711528fc8d42a89bbfa0148999501',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572462,2889,'rw-r--r--',NULL,0,0,'root','root','3a365b67bfcadc901e0f36e7848b6d06','bf070ee00714205d2ca185598b176cd0eee372b5','de00201648562e453749e096a06825f7bc7096167b2fe8b1a47124d29e860383',1558100573);
+	INSERT INTO entry_data VALUES(2051,1572463,4434,'rw-r--r--',NULL,0,0,'root','root','d70805739d7ababa9ed28047c97b95ef','49e3ee70c7742d8da37a69c876374825576d82a5','2c86c57d9d262c9fbef7eb67a78d67718af6506a4ae4d66fa56b13dbea333630',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959861,1485,'rw-r--r--',NULL,0,0,'root','root','23c0fc87f0a12a893346003cb7b3af10','ee0bdfd1d47be52e49090c2323ad2fe041e80570','59f95f009f084c87d9f0cafffe154603acd0f24f1e21568796231d7e1da73bcb',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959862,921,'rw-r--r--',NULL,0,0,'root','root','bc045bccca6db958aa9037434c19302e','e7de887ed928538ed8dbedcc52cc717c23fe594b','8e684c22ffc28f593812bfbd921f289ae2411d961ac9cfbdaed7b77c5c5e46df',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209427,4308,'rw-r--r--',NULL,0,0,'root','root','c45ad1293c4879c54828ba9db7b739e9','21cfb5fecfcf946ab3c93926460984868cd706e1','ab0adea5e59ec3c2e11de02d580524b584b2ae89c25393802097a44a32e81b1b',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209428,823,'rw-r--r--',NULL,0,0,'root','root','f53d87d5386e6f39cda7f0c8f8c389af','5910ea3fd0197a8ae3fe7acc114c47ec12cecc09','0e28d36bdb5fddfdda5ee4cf9995dd34c72876b5450ae6c6a8090c03fa753182',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209429,823,'rw-r--r--',NULL,0,0,'root','root','5af9a2969c40c147f191e54483d72308','0c697907497cedbf59e4395efd339407dec75361','7a6b29b62170b404692f2c0f16009f0ff5654b3a9cec2c3a29834032f0cb887d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209430,895,'rw-r--r--',NULL,0,0,'root','root','ce8fca3b046c9f88bb5e23d5f140b32e','527879fdfb4ef7a902c23f9097962b50c4ac3378','11f64226cebd9a569799727563dbc1cd4c72a717f9b9beeb196e5f967f60a4d0',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209431,1450,'rw-r--r--',NULL,0,0,'root','root','d90a67b58c9919cad6d8009518a5317e','8141a2fcbeb7e60669a454edcc5169f614df1d05','c89529d09f2478562a020be8bdcc32b5bb6d6a3c2160e3745f5648b94038352a',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209432,1426,'rw-r--r--',NULL,0,0,'root','root','fc3e42f8613146ab0d71b5dd1bd911c4','9db288d48b1dda865a80fc74e9b56b1947a0a399','cdc26ba65cfcc80618bfeac6cb54e4dad408866a814444d91bbdebda9f22cb45',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209433,3025,'rw-r--r--',NULL,0,0,'root','root','36108038a1aff94ac09329cd83044352','75571e69672e4393a0ea9f224d36b4382c273d5d','f9474d31c5d266f24fa5866d1c7ea83afffb0cc2788a19a82497758bdc5fbb45',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209434,898,'rw-r--r--',NULL,0,0,'root','root','d23695171dc99ccab3c74ae946c98cc6','23e79281d03532a1daac8886373be5a0f7306d70','adba3840299348575bdadfce998a4e7e56b349b4bf237fa65b573f52761badef',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209435,898,'rw-r--r--',NULL,0,0,'root','root','689dc6c6b11f6d34760fb521c7002070','cb3ee4c2eb2d30a728c8c55ee6340abc5013a5bc','4d43f8ef1f493fd793b95443b329fbef5ce9f4299e790380ea7cb0784bc9fe47',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209436,898,'rw-r--r--',NULL,0,0,'root','root','fb3c6dd02d6fb2a47f0d9570ff94c7ca','e0a449a31174910b327ad6b9a39c2675dfa84a16','8b115663253eaa08ff781deb460237002b2670d57dccee619213e6489a440428',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209437,1061,'rw-r--r--',NULL,0,0,'root','root','952855ffec054e75752aad61dc053de4','1b612b5df3cf3f3ac188941bd00d4857451085b8','007bddfe5934d8130a4dfb02e654e14e8daf7f9817e5c85351c5ccf360c8f23a',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209438,1368,'rw-r--r--',NULL,0,0,'root','root','d8a5539e1e95bde19b797062e9ecc863','7f377ad284bbaeabacdf6e317c0b85709a3f16c4','a568dd8d09f58c60a4d6d70634e45556aa06e80d9c7aecd48f008b6abde53412',1558100574);
+	INSERT INTO entry_data VALUES(2051,34209439,1664,'rw-r--r--',NULL,0,0,'root','root','a3b25f34df4e13a3bc63848e24081926','2d259044a9de66def7f38016f84208ba84aba6c2','1510c6fb35ad5bd5e410dd19e5ee4443b8d2e30d4a47273419926b3cb50fa43d',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526586,706,'rw-r--r--',NULL,0,0,'root','root','5e400435befcd7065b54dc3a44828144','8e8f75015258a9fcc4d29b23a02ad5b01da0b080','538509b01d97d52659b952109ec0cdea6b12aa6f63ea49fe5acba37c097c41b1',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572465,745,'rw-r--r--',NULL,0,0,'root','root','97f903d0978b084db8263547032842d2','101103ab48a25e50e5c5ce9634c6f1a77e3be4f3','ec4a8ac2357ec96a48fdfa5c757ea5dd0903399ebb5e40ab08e3cf8e3e773282',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959864,812,'rw-r--r--',NULL,0,0,'root','root','e63cc3383c9e0403380da367bc1a24da','fd3e17c6a6ef559650981b443b6c33f89b1f54a0','45bbf2e925029930b2e2ef5833953dfd41b0a6faa54eacd03d39ef508e7ee761',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959865,2670,'rw-r--r--',NULL,0,0,'root','root','bb264cbbe6995d35a2a2a5f27c7edc24','32a969d18345b7ec05e2e2724caccc24be7d5592','de5d192d30bbf2b2381391d39b78470f32510798d9d223c96c6179512b150641',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959866,825,'rw-r--r--',NULL,0,0,'root','root','03cb3b8fc2b959a5c8c402a45c2697b5','9967aca19895968e9c7eb50700c8be31dba7acd8','964b1c2195dcdedfeb7768ac1c33fd237a43ceff8a172f64c803050f16401736',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209441,66,'rw-r--r--',NULL,0,0,'root','root','59085d7eb62b63059e94574177580c0b','9897570af71a07fc1ca30ef4748ffc6b26ba40c6','5b046196137330303547095f614e8108aae228d12bc701c86fcec81406932d95',1558100574);
+	INSERT INTO entry_data VALUES(2051,51526588,377,'rw-r--r--',NULL,0,0,'root','root','b3a6b135923ff370a7882d18ecd8bcbc','70425707dfdb014a959f6d16f3378447d4790797','7456cdf37a46f8d8835ead57a982a1e3133d8487b60e62aeb788566430c6f6a1',1558100574);
+	INSERT INTO entry_data VALUES(2051,1572467,77,'rw-r--r--',NULL,0,0,'root','root','094400101cefde243e209bf3a51a2a0f','fc86d8d97c347d0c6a3ae61a7f93a2964706e799','86187296cb8d76ca99276a7855c0a49694f1abbc0779231c8f6a1c9c004f0cc2',1558100574);
+	INSERT INTO entry_data VALUES(2051,17959868,1686,'rw-r--r--',NULL,0,0,'root','root','c1e7d2f442a87d6117de9b70ab9413c1','d9b54f60d78887d6e4d30536809b0df67426f7ab','765d340fdc6608af86bd5bf7ade3f1b2a0928daaa1592851e2e4c44cb5083b8f',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959869,1441,'rw-r--r--',NULL,0,0,'root','root','80f9a7ef9952327f9b01c4ee80b7bf6b','be26d82ae868d5edf046528d0759965268ef4e88','7b44a0690a5dd709752df2f7db86c564efed916a2f8e39cc15d6e7e899f0a37c',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959870,836,'rw-r--r--',NULL,0,0,'root','root','4dac3991b7604dfbd4b3333c25699e49','76f7cb1f534a353eec9349917888eba4f1d634d5','b44d07ca16a9a5cdea31784e056fa0c2c77eb1d7e97dc269256a7741353a4eef',1558100573);
+	INSERT INTO entry_data VALUES(2051,17959871,2117,'rw-r--r--',NULL,0,0,'root','root','820a198e793afacae0aaa643fb6df710','17b088b5a37a083e0af234a7fa54757512855d01','4db31ee6ed0de7d1b54cef8358cf1e4768d22aab7d2b5d3cfcdc64ee82b0ce57',1558100573);
+	INSERT INTO entry_data VALUES(2051,17960000,3268,'rw-r--r--',NULL,0,0,'root','root','29c1a192ae0ff88b2a819374356d3a4c','369014a75694ccb1707c616bf52d99f39119d2d0','59d40f650284289b0d8a560d864e3308471061c31b20165cbdcde60bf6475f15',1558100573);
+	INSERT INTO entry_data VALUES(2051,17960001,1423,'rw-r--r--',NULL,0,0,'root','root','fc7b1c56af242e2d67a59742dcbe5b38','b8cf017ffbc5b15a893499612144e7b9a3df5abb','548e789c6e1f83a04478e982e9f9f58a67f733548784a69e6aa49f72c1670478',1558100573);
+	INSERT INTO entry_data VALUES(2051,17960002,1628,'rw-r--r--',NULL,0,0,'root','root','b38de4c42d36042cc2a4e8bdb173629c','0b4eabc0c24eda24bd88aac5cc6c4a7eee478302','0f9364c8e9d2cb59670cc1bc9566a043363484503526692177cbe487f62e694f',1558100573);
+	INSERT INTO entry_data VALUES(2051,17960003,3685,'rw-r--r--',NULL,0,0,'root','root','eb1d2a2c235b3549082143f5ab9aefcf','04ab0d183f6b7114865c4441af0859b5f5805bbd','032a244a90e958279a9139da312b97d3715f1905d42c44dd96f97b38be6749f0',1558100573);
+	INSERT INTO entry_data VALUES(2051,17960004,1499,'rw-r--r--',NULL,0,0,'root','root','2aa51378a96114158c33f14a71003251','8e28586dfd27be211ab14552dd48092eb50eb6a8','976f65e0cae51507eac65bd48c0aa6ff3b1d77962ff45ba19aec7d749f889977',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273205,11339,'rw-r--r--',NULL,0,0,'root','root','422d7de522ab12447b168593bff2ff23','9c6087cdf8558168a21698f504ad2297a3b00a1b','59c1630cd479fdbca8bc2ee4654964aedf194fd348ca679857f500140797d510',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209443,9301,'rw-r--r--',NULL,0,0,'root','root','a759fcd0235d3109e702cfe2a03df987','469530056feaf3d976e64eb59c79ea80727d433b','bf4a5bde2b036182b3134203cdb66f93f5002fe46496c32bcc2c031037e81a44',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273206,11293,'rw-r--r--',NULL,0,0,'root','root','f2885aefacf0bcc2f2cd73be477825b3','b27b6046428ae8938d0bec74065c1af8d3e33787','1e66f19fec5e61632a5718f2786654e2701703b38da8831cab238f1c2f93543b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209444,877,'rw-r--r--',NULL,0,0,'root','root','53ffb22563bb29d9b6b01acfda9d66e5','15e1bca00b49b95b2be153fca195e70922d03864','43f059b361d7954dd279987ef4c970d9f7e892c9664048c6d17165a9d9616495',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273184,7874,'rw-r--r--',NULL,0,0,'root','root','3050665e61e085198a448cb00996050e','87475d2009af07dddb399dbdb7952d186c2c6326','63c93abb69a0e7425952581a5053fa19ec486e95c5f4a52ff276b40db2543529',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209445,1004,'rw-r--r--',NULL,0,0,'root','root','3fc662d95ae710a30b2c6c8c44e7094d','d6614dc76b1e72ee78390a02c9f01e7d94992fcd','e19c0de1b2edfc81be3d8b3378a02ebb090bdaa342277fed3d13ba2bd4cf9a46',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273207,833,'rw-r--r--',NULL,0,0,'root','root','a196969595c0cdea350c41766e86dc9a','73325efcda35fb7917b6c28800378d521b2b0434','6e3873240f67135532bc66f1313ef6639e6b8fb58138b51c526bce5d9a6dadea',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209446,878,'rw-r--r--',NULL,0,0,'root','root','7d4db20bd5edd0da0ba65aeadc285730','19e7bb9c17aa88dee912f4ce9313a1e6f5e84351','c3d48000a64a92c3aa172512685289b8c6cb9df749db532f2b16c47a605a02ab',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273208,5099,'rw-r--r--',NULL,0,0,'root','root','d4d370401dea8513a23d51897cdccebf','c6a203e9bac69cb9b137572b50a6781544ba9a31','64ee568d3633440839043828371dfe9f7b29ca77c2abdb2337bc4b4efe9cce6b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209447,4851,'rw-r--r--',NULL,0,0,'root','root','290036f39ba07cdcf44a0b98a5b4f9e4','3f0fcd36cd5ed210512cd6d44c9060376d5363e9','d5578e9fd57960ac21bb1080a86ad3ae1c70463b1fc337639f55b491a56bfb94',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273209,1464,'rw-r--r--',NULL,0,0,'root','root','bc07b1e661c2b2b5bd363ab3a4bfa86e','bee5e2bb88658df5077005031b3a4f3be2e4846e','be5a4bd8c1e6a8472243953b696aae96de1062b4a71e805c1f1dfb1e148a622f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209448,1346,'rw-r--r--',NULL,0,0,'root','root','674181817d3736545acee9215d19a8b8','47743f4d8a30d72fe9142c70fd5c1dacfab9447e','de3c4788438c6c600bb2873a1af3bf8d41a0e599361613c146b0a296c34f0914',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273210,1487,'rw-r--r--',NULL,0,0,'root','root','5b5bdada9eb97e048d6fb6e266f6ca79','5ffd9995e1701fd8b482eef4d98cbcc2a479c10f','20eb8accb5ed816e4f28d3ac24ce582258a5e184edbc3e519088536c493b5580',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209449,878,'rw-r--r--',NULL,0,0,'root','root','a583ccba1e8244a22c1512be6f151e7e','013bc5b82cb1d46ae8264f732c3fd92cf3ee373f','e9561f7ea7edacd458120aaed9bad393f326389b98e5db7b79a834f3da8fb6f5',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273211,1467,'rw-r--r--',NULL,0,0,'root','root','14aecd432e9dd492f8c9668cc724cb32','2319bbdfc14715fae832bd984da2fc626fc90a6b','4639f1ec1966381394ec8161aa504407a274b0827f5e6e73112847d8686357ed',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209450,1163,'rw-r--r--',NULL,0,0,'root','root','37706a63a74b69d81f78f1dd43a20287','f08b05d5c8cd04b96534266cf8db0305f3dd1987','fce711ee5906f67288cd3949b9cfe339536f30a4d5a902de164afc17ee359020',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273212,1532,'rw-r--r--',NULL,0,0,'root','root','3c85cd159bf0ce1947ed14160a710f17','cc49349ef5f71ea6dacbd185ab2a85d7b0fa49df','9a81b00c88ff653c19b55b513e695743ac21a5ef2de0454fb1d8666901ef54ab',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209451,876,'rw-r--r--',NULL,0,0,'root','root','593da79c1852f483005b581984aa9273','2d44707947c68828383b3f861a6f409569b0dde5','2e936364cc1024600352f39a67ed51fe0b0daff4be54def65d2b9e39cd79b027',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273213,1503,'rw-r--r--',NULL,0,0,'root','root','a59b39450d9397be82466959c0b75f4d','3485a08c6fbb4e5719472d4800c366f85b19731d','cac05e0c924c41fe89892499b867378eaf747b3781134696472995b259beee8a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209452,953,'rw-r--r--',NULL,0,0,'root','root','70ac0ad188fda539014bdcbab486c4c2','58d9878d9ba3e9fcd7d6ee07eb6738186c1732e4','689110ba3214e122c5ac47c0424180face1cca8ca2ea0c291c1ba357cdfc27f3',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273214,904,'rw-r--r--',NULL,0,0,'root','root','62a5bb00965b983249fa56d0613556f2','998a5e4471951d384d20c223ebe63a6d00e9ca15','ce325c6a18f7ec04e816c5b44f5de5e01b232751526fadbc46963f81f045e647',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209453,11538,'rw-r--r--',NULL,0,0,'root','root','181559a95667c52335da35d41bb3429d','4444250d99e11efd07d048ec2ce55d547d88dc5f','2c4e86a2fd131e313c2056b348f95debdbd495ef620d7bb37f40f852df3851a2',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273215,872,'rw-r--r--',NULL,0,0,'root','root','db03e1aec96f4b5ea1fd0648e8203a5d','7b1e0d935b6e5fb4fc74015539b557a1e307d539','5a997782f4c7b2c736457dcfa815e90a78242e366deb4bc3ea2f6fec1729e03d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209454,876,'rw-r--r--',NULL,0,0,'root','root','c0ea6a7e6ec63bf6e5228e25d9032d03','943d698d341b3d05a752ef9629e590fb4584a70c','875c8463576100d12dc02a0f2c80000f95d8878f5945fb9546f79559c1add69a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273216,4820,'rw-r--r--',NULL,0,0,'root','root','d78921c74ff88e27145dc8f07f02da9f','69c97ab682c3ba13f92dbf8877c5b93251697eab','431c6f6a86670c70e31e322b9015645b5ddda241c13ef3eadc717644886121a1',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209455,2842,'rw-r--r--',NULL,0,0,'root','root','cea106039e8ddd588783fbdfe7b913de','e4c7f9d81401eb1c6637b8326352eb0d11efe3a1','17db85a6a90f1b4e78fd4eff29ca56eb1b0972edd432431773386faf4ea60303',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273217,877,'rw-r--r--',NULL,0,0,'root','root','66b833017fe5ece230280bb0ee735f13','74b131fe6ea411cd9b84f44f44946a834b2c0fa4','8a3196877c50383d79da50b212a9218f81df36fd066574b006467b833f76dc07',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209456,1138,'rw-r--r--',NULL,0,0,'root','root','3a1be0998710d210bc8c85b8b03cfc56','9179be5542febd82d7a5ca06aabc789e758ff300','4e8b57b1a8b2582d897fbba18a60e25d3a6d842295caf5d644af0e9c28b3958d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273218,876,'rw-r--r--',NULL,0,0,'root','root','d5103de2007d0d64008979ab056886d4','8a16b26a4a25d7e7325250db42faa83e21730616','baceecdb5b57cbd79acaab4898bd5aa8397b9612e2dd1dd148adeb69cde89322',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209457,9520,'rw-r--r--',NULL,0,0,'root','root','2e372d134ad76a1e42e6b5330190ae79','39439e01b74c6c9869bc2d1154b8afb085dcad1b','075079e1e8f217cab5f6b8e4f3b560fa8386355ce1785d78ad36111eacfc871b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273183,878,'rw-r--r--',NULL,0,0,'root','root','a4a45941e47ba0fcf10f3b0cd21ef2f1','e0fed2f03ac5d7d53f72b921c6ca47c4fd8d5bca','ec65e8a1c7c4172ac44a427b787a05179bab0a2d04e47f0c08c7ad7051c81cd3',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209458,2201,'rw-r--r--',NULL,0,0,'root','root','6e139a08ff545f670ed59e938faeee7b','6f49a6ec960e76dd32213ee8e289b9bf9bd8f140','7fd8cb100a9450aefd3346e5ca3ba2c9f60f04d0298fc57f02f67b84dae7c593',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273219,11507,'rw-r--r--',NULL,0,0,'root','root','1955e11d6b658205084ae82b632994e2','500c0de61b35995edcf1cfbc9de27f771c30cf30','52ccad0d2323a0d691a3a2a34ae1d6e9ea68b00386d23dedce8a49eb2c9278f2',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209459,5573,'rw-r--r--',NULL,0,0,'root','root','008ebc2e641b8679c290d9f61c7def14','f93ee590abe7a59c6a1f876248c5292e7267c1d1','daca9b625d7a19bb3043ba1e05f6363fe84fa324b4e8db6ef6fccbfe3cd3ba6a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273220,11112,'rw-r--r--',NULL,0,0,'root','root','1c80fca3ce93fcc503b93040117d7094','952d524023bbb140add333942dce98875b2b0ee0','7568cfc982a348b98224c7a04aa9b5fb70f3b709df17a280e836d5b704c15d5d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209460,12603,'rw-r--r--',NULL,0,0,'root','root','8b642776d47f5abff88e647e0f0f2ab6','3c146a3948ce41d640233dd1df3dfff73ca48652','2cdc6108f0e592f034df992757a1082b2ae6855fc75090bcef8b7c9419df1cda',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273221,2342,'rw-r--r--',NULL,0,0,'root','root','6e90df48cc86584b61490b12ee92df02','5fa254af2a3fb93f34486fe33fcd6722ab89d7e2','e47656faafad8e32dae5e674947b5a422b70ce738244d367c497d99c75ddf168',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209461,11337,'rw-r--r--',NULL,0,0,'root','root','130f278cec7632ed810139beeafb45f5','7a413f54dc3df6db6346c2e9b6beeb60fb5ee679','c949ba3635c55eaf11d9e0013fd06ffd2142d2fad1b957a343ca9353b7979fe0',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273222,1426,'rw-r--r--',NULL,0,0,'root','root','59c5546f5f2c53c6ad0a57ea64e646cc','3e4e88aced972ca807bfc677f1c339c81f9bc41f','38a136b0c088c5163070afbca5cc7134bc69233de5e206336c6545603ba2b122',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209462,11328,'rw-r--r--',NULL,0,0,'root','root','118e1bde92895a88799cf823fb951c9b','d73fb0df065a289f9561df4b3f126e47855c8ad6','e6b8fa1fbf1e323fb626796cc7271cbe67a27fde5459e37d7f67deb0c49c537d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273194,880,'rw-r--r--',NULL,0,0,'root','root','7ebc63f45b463f28dce53df43859ac52','93e573100c79f99fb036b23211079210ae898fe0','97372779fa1ef57029dbd17551f19aec607fc8ba182199f7a820ac95e0738876',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209463,1650,'rw-r--r--',NULL,0,0,'root','root','16c06cf5760667d5eee5aa1174fb5e1e','76a124a1874df2a18fcc0510f0ef304babd7c923','4b2383237593dd0ca02bf79a737dd9762b2162e955441398e7b50cd284b37d16',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273223,1070,'rw-r--r--',NULL,0,0,'root','root','98b8532bbd5bd47f60216a48b0ec6c99','3077453695e98a037c8faf004b03902b8bfa1c03','12b455a0dfadde01a0842da807c45ea8be1a8b3168c8e7caa7a91366f00c1cbe',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209464,11714,'rw-r--r--',NULL,0,0,'root','root','2ba12904ba21fa9ad389fa3e55e550e3','7b9f1f44d632f70b35abde2de6bb7163ab824e08','260f5fad646176dfb8517058b2666b7e678c3c1494871468980b54bc14abffdf',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273193,1239,'rw-r--r--',NULL,0,0,'root','root','16ee47823b558fa2a1e07956921dd1b1','1dc3f8e42f43963b26b1849d5e9f69b6883e7640','840f1de162343d5f4d9d479473aa4545705cced1ae19e5a0d8777555609dbf79',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209465,5898,'rw-r--r--',NULL,0,0,'root','root','8802e34fd6ae2ba9398f0ca47e5c056d','1d253711d017e0387de062156c25bd92a8bfb017','5b2d5ed85b3b0a9812a22fe793845dd8de705e863bae04dab63b0f12cd8a2856',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273224,2192,'rw-r--r--',NULL,0,0,'root','root','944784b306c1ffdfc25cdd213b1ee72c','1830e2b324a1ba60017347bc72aae08c4b7a57c9','55be8c34d6d92794481d6f948f41afa83420188372326f16d452d90510499bbb',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209466,876,'rw-r--r--',NULL,0,0,'root','root','dd5fc6646aaf08e6f1b61dd8449993e3','c15d2ba8781820690a50b8bee6cb12e6005edb3d','55e7f96de21a67121b0bc7e3a22d3b0f225e6009ef1fbbc8a5a64f373bd96697',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273225,2986,'rw-r--r--',NULL,0,0,'root','root','e1d91f028c7139ed18bbac1c80473165','32a14ff4ae4075f504469193639c90a8506dd8b2','38419d578588deaef15d734a26100b8f08aa1a40e2c575c227e7825a36f6ff7b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209467,3826,'rw-r--r--',NULL,0,0,'root','root','ceb8ec9df3b5533b2969dfbbe1fd2b47','f4cf6b54dda2fc8dcc314f07688e0db17e456570','17a40176b2c2b5e848da4805cfee6f2862a8705c55b543ef5b397ada5da02df7',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273195,877,'rw-r--r--',NULL,0,0,'root','root','85d64c2e6c3722fcd1924b2df0ba8151','06cd4e6017d55026d0f7368c48d146c8a8860d5d','9c70532c7223312fbdc43531a48a8631744b46254653478b2fd141402ba6b3f5',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209468,1651,'rw-r--r--',NULL,0,0,'root','root','60c209e886c28b23fff262f9b908504e','f146383d38b80368e24d097de68656970cb49391','103a52c61dbad75edceb49b36deeaa360845ad205e926165f2385aea4d71456f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273196,879,'rw-r--r--',NULL,0,0,'root','root','ee0cf1b82f324a3f3fe3131c99c2aa85','b1897340ff18903d3c304e51c803ede56fc4a5bd','a457a7a3277dc6a345cade25995568638dbd26564b0619a44cea909a5141af2f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209469,2718,'rw-r--r--',NULL,0,0,'root','root','db0bc3c19fa1caf12fe249cd36dac6d9','aa9b82480e56542cc939ca0e76b6e28549dd2605','3eee88bbfeffb5a5ceab66d896b07de8ae655d8b330d401f4110dfaf087dafeb',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273197,2182,'rw-r--r--',NULL,0,0,'root','root','e73da8b3f64402f819f57da9c1a820b5','991dbff6eb133f549eec26987831b2ea432e0f94','961e54e28e364d1bdd060a0ef13adabfc1982c068cf682d2fce5c8b0b1abf5bb',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209470,20723,'rw-r--r--',NULL,0,0,'root','root','14fea96cf54eb7286f93ae589c2103c6','ede963de30d43e471dfd125c5b1c28cb44827388','ed0358c18cf7a4518275a74b36164220d66c19eb52d07e28c28de2d9e6d44276',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273226,880,'rw-r--r--',NULL,0,0,'root','root','7fecbbd6658e818722deb488fa757505','118fca25784099ca6ee2798b156aad1cb9df3d39','03d23573453db8b93ddab90da91f91b279d4ecbab9d1e5765d95a5f35d50a144',1558100573);
+	INSERT INTO entry_data VALUES(2051,34209471,833,'rw-r--r--',NULL,0,0,'root','root','7dfb36e13e6f84f752582a638de9ac0c','9d0c55192193c8494318f53e1a4526d05009943f','5caf8aaa4ee7ca6285baa7572cef784e34638e6420dd7eca575f6b3d74c14baf',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273227,917,'rw-r--r--',NULL,0,0,'root','root','5513b447691a9bc340bae495405c15cd','4bd4f0f5ea12e9589dc550766e327a6538bdde2f','54628131a19338032c24281ea932b8fb85b2b92e5eb7ec3e110773329381bf47',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273152,6699,'rw-r--r--',NULL,0,0,'root','root','ea3a6be7bbccb9054a9510e4a6971efd','3327b34bfd3c9bce67fad172300bc3123e8f1813','052656d841078f72c99deef56b98a7fd242313c64c6ee67b4eb5c0dfa8232300',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273228,878,'rw-r--r--',NULL,0,0,'root','root','e9f780d7bc576eedad74a2d78b35d736','6ea3d08f755aea27c86328b00f8d99b8a0e478a6','74e906898f279c716f67f5ee81680c556707bb18cb723dbcb52f94ebf14469a3',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273153,11456,'rw-r--r--',NULL,0,0,'root','root','255f9277751fe90149a043873fc99974','e32604d308e36b5d0b059bb3d4ff10a0590deeb1','c14191c0ac80c0d7d4b7911200fa0c4e88ea614f1725770aacabb63cfc86fb19',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273229,5462,'rw-r--r--',NULL,0,0,'root','root','d32517e173d2599dd5c71eebbda9f4cb','f674df520934c1ee3e9a70b244ccbd20947beb60','90b4e21e4cf7fc37314e25a4b2ac1e4101a7ec8528969b6b32d3a21f6dbad0d5',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273154,11129,'rw-r--r--',NULL,0,0,'root','root','37cc167cc6f981b4754cfa76145f6914','30f26fcc6290e91a1b5051e56e9c5708bce6c1f9','c76f37230c39b36368c1e1f16bd01de609d5058b2adde1a1c092b4ff10c3e267',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273230,9815,'rw-r--r--',NULL,0,0,'root','root','00d0921cfe78534d2034703a30eb0cd2','e614ded1bc5593165a4f7e6759ae33bda43340c4','272b9a330f0905789f584802dae1ff2cedd7cf32ffa01df31f2bffaf8c7f9689',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273155,2340,'rw-r--r--',NULL,0,0,'root','root','3ceabb210038e55658b4a9c101733a1b','b0bca3022cb316b250b9fa7ca039902ae59553aa','dcf6a6fd79bbee77d45d6fd92e4c7b4344704c70c82c82f4ba399a1c06ee1f1d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273231,1389,'rw-r--r--',NULL,0,0,'root','root','5f777315d347907d0c6af20303fb37bd','5fba2d02a329a7cfefa91c325993b288ffc1f523','210056f544420f4557d810eacef02e3642ef66fb6d55bede4bec3cb16989d1a6',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273156,12623,'rw-r--r--',NULL,0,0,'root','root','8947e28125b3caca889346db74cd28a1','980b5cd195ef19fb5e6d5bf41f1d96effdf268ed','5b8cf59f80f1513ee06aca177d184648a4068a3074207f40ae9dc3c767f4953b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273232,11125,'rw-r--r--',NULL,0,0,'root','root','53d098bc1642eb8007315f0961b09618','8a8dfb7300b1139a2f318053551e1ddd023d8d56','81c611ca2380aee9e78a0ef2584dec8094c20d4e60b112e32ecc97f18c94fc60',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273157,1998,'rw-r--r--',NULL,0,0,'root','root','bc03a071036f7cbf95be14edf60bdb05','a93980a05310cf98deca6fd54849b8461a47fc4f','ce35e4262d3b3938f6248ffd717af83a66510cebf501b5ff89ffc43b80eb6c34',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273233,9141,'rw-r--r--',NULL,0,0,'root','root','df9935ae2321d1b9337dd0e91e949fde','6123a68ae7e5312887217cb283dd36fdc1c485dd','dc06afe00fa4efede5ab0f35ffc4bcba1daa62c6e42f1f898860b45504d402fa',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273158,9385,'rw-r--r--',NULL,0,0,'root','root','2ce69492b5fee0abecfb1c5e564866b3','1b6d13bc18adfb744e649e4556fc3615dd8c30d7','9dc162152057fd03eb17b3386ffb623b3c3fa1cc6c95fdb2ef0036900cae8489',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273234,832,'rw-r--r--',NULL,0,0,'root','root','96ed82e7d6a0473da7a9a5760ce609db','807fd0ffcebf4909c281592af6bb17fa0ecdeedc','d5383610a5a2aabdd9044b3d33ac00bd6fb14b58daec446242a991b31b3eb359',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273159,12463,'rw-r--r--',NULL,0,0,'root','root','09238e563de3f9536332abb5f46c962e','48c90db346bcf4e3a489faf2a8eb94d52183ba69','aef66738c49b5e9a4e8027fda69e69d0ea97df76174e0b24a393bcdaef52606c',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273198,874,'rw-r--r--',NULL,0,0,'root','root','b9886238e47be69d02f6755a16b1ceb5','196eb15b166bb7e26697732b4b5ca89c78b192b3','8421c61b908ad84ad2b9cf6e7f958675bc879647848db30c325efa07cd8924b8',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273160,11198,'rw-r--r--',NULL,0,0,'root','root','746eabd0a470c4efd25990c6c655646f','94926be2390efc913e69da37ab122131415e547a','b9f2b10392a9d764be7a3544b9a3e3466d03b44c50ae4dcce91a320e12523664',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273235,1241,'rw-r--r--',NULL,0,0,'root','root','d90c5484811388f3fe3916b21a8b04d1','4a3e448a4285362f03b90df6c2c40e713db20f23','f13b632113f09cbc96c0e02f56236f2bbcdfdffb875ab28fc03e52f4e861495a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273161,12974,'rw-r--r--',NULL,0,0,'root','root','6c081731a5464ccde75105199b0ef955','c7c21c3a2013bb640b95b2892423d59219b64ff1','2082f2bc1c52f50f04fd7d1c0e8b6eda0c201eb323b58648b655deae8015e02f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273236,872,'rw-r--r--',NULL,0,0,'root','root','9e4539225027aa26dae6d4a3a33fdf7b','7e3057aaa366edecf8b84cf08c925a69173687f6','86ed7a79ff039c50bd524e736de77ec9e75f32635f70c6b43ed7ace5e5995646',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273162,831,'rw-r--r--',NULL,0,0,'root','root','bdc7019e329d9ded526bb2d77a45fc71','2f220e3c082852b115f057f0e8c7bdfdd50173d9','9a5a357009db2919c668e6da0988e895078311e5f6d3ef8b70c1589b02879c7e',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273237,4350,'rw-r--r--',NULL,0,0,'root','root','9418e9db86bf1edf9981cd3994301b2e','463bd7fd40a463ff1ca62b4569e9e1fa50b94377','4ef779cdf40115654ab74b03c34ec6757f4f6da713f6cc62efa215d0aba2a910',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273163,11011,'rw-r--r--',NULL,0,0,'root','root','d15602bb2f43b881f7bc9e2069eeb21e','8a29ecd3f7b5176c3790d811eef643403c95f37d','fa9a6535088351b700178598dc7c2ea81fe7cab51a3a3367c0f44197b741862c',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273238,874,'rw-r--r--',NULL,0,0,'root','root','903dad163d4131df1b80dd86deee73d0','5e3867e36e650ba4db0cffa462c05e59c34a5e5c','4ec0a042f26e95d72302cfa0dc1e45db23a5160dd1dde6f01fd849be3b10c896',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273164,11258,'rw-r--r--',NULL,0,0,'root','root','9cfa1b948aa8d2dd55f5882d24178d38','76a4c20ed48959a8b32d267b0b4fdb339c909725','43008bf68964d5ac4a288b9932fb031f1c2402da15fede4e446aaf1947739110',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273239,5102,'rw-r--r--',NULL,0,0,'root','root','30034af1c6548f7fd5ba52635db071e3','25b03ba327d32a41f345f227d622eeb0af2f6753','3b68c109b3febe31bfee34f63362030daafd227b1a6e71cd9ccae13355d0145a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273165,2114,'rw-r--r--',NULL,0,0,'root','root','166518a0334a61a48e013878f85ef546','8d3e481d8ad347a3c76229c7a51c5c59834d2844','0ed7edcd109ed786dbd6312491c217005551e50455aef6c24f95a7995ee1048b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273240,2854,'rw-r--r--',NULL,0,0,'root','root','227580a0b3a9493810333b828b026efa','bef6f85a3625dfcd4adf7182e5721d454dd008c1','0d17686c7f6896353cad6f2d81bdf81c0e3436f0417f273328c12a9d111e0593',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273166,3414,'rw-r--r--',NULL,0,0,'root','root','556860301d770482a2b2e24a87e79517','7b898cea0a35f1fa15ea9f4a13ec5a124126de38','9a193e3ba7d3fdb8a9c206c90d49d47368321b7d2be47ea1587d93974ca8f55a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273241,2923,'rw-r--r--',NULL,0,0,'root','root','8d5096eb91df4d21c4aaca488fa93df2','8e94368c8e5f822e17f8048fbbb2195e6f9edf87','71626e579ff5d69bfdacfbc85c07b45b95aa77dd887bf09345aaf018a414a997',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273167,896,'rw-r--r--',NULL,0,0,'root','root','9273fd16669d7eacb848a072440f0e60','5a3523534f3e3aa9518ca5cb2ea3c9d646c1ed7b','299d2518eeec89d6c1a5d2f62a574a13a2c8a40b7de3bd87863d1cff07f55bf2',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273242,13857,'rw-r--r--',NULL,0,0,'root','root','26878094030971e684341aa6ffca6fb1','717219922999c5dabcfe697b38342d4ae93ca538','c23e263c7a08c1e1201dab42fc379ef43786f410831b9cb10cc9fba2930c5c90',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273168,22976,'rw-r--r--',NULL,0,0,'root','root','01ec20a554957ed5173e5def3a4e1e4c','1f3bbdc41727526d707849e8bbb28b7d1cec4d89','036e4d2879216a15028d0cb289e41e0de4f81a42b4aeb871752ead44cff088fa',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273169,878,'rw-r--r--',NULL,0,0,'root','root','fda32fba44f559129361b11981d6e4cd','098e1117c60614fb3417c9abd6fbcb8a951c842b','213604689abd0870ed6c8c01f47a93f32aefe21a4e1f21fed763d14389238ec6',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273199,879,'rw-r--r--',NULL,0,0,'root','root','1d1204e6482e2003211ecf57617ed21b','175f8e5db03b721065f4dd55ecbec5c235a35ab8','3ad27c9b5383401cc911f09ca798253ca2efcac0efcd8f3032830f3cfdb6f447',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273170,5273,'rw-r--r--',NULL,0,0,'root','root','a8abe81c2de2b55d7ed66dd33f9bf54d','260a0e40e07df72377de54580c11f30a4236e308','d7a1654efa54502a12f7cb23798a39307e8abc207b78eb564847afc7ab1d6e3a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273200,878,'rw-r--r--',NULL,0,0,'root','root','011969e8fd46c4d02ed4a1391cef8cd4','46970ae83ed339b6417b975ff5535807d95d5086','25ef918d392831b85fa39f9f8d05b0db6d617d43944cd3c670594a17472cc29b',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273171,4914,'rw-r--r--',NULL,0,0,'root','root','48894efdcc2d2a6e1a40e6df8a1e5b28','bd9c0f71e6d69fed94453c6d0838bf6d05dc1615','3f28fe9746a10df88c178a314a70c789b3424e89b7cb2247fd13f24ba1fbf226',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273172,5121,'rw-r--r--',NULL,0,0,'root','root','549370fc9138653563b40d53e1a33df5','62608529fa3c4996cc13b5112fc9c8d7f95cff04','0faf1555250ae200b734aaa966127c2b1ffa299f786492df8ab62d967dfd80a1',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273173,877,'rw-r--r--',NULL,0,0,'root','root','cdc8228b3379bf47e7a76ecb2c8d3767','77dfebd7cdf4a7580f9c215962cce0693449e8f1','c2e2a26284d3cae2ab0ad63f75cc3318a9e0cbb6086b006ffce06a64f75cd14f',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273174,11614,'rw-r--r--',NULL,0,0,'root','root','2ea11c1f62bf4adf1bd38c7ca15df23b','39fac181aca50c07b179bcb6db9b56c2d2108c40','ad82cda7833c65ac27bc40f876ac19fd69cb266d1a25ededa71de9440a99a5d2',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273175,4462,'rw-r--r--',NULL,0,0,'root','root','4a2d6d99ace087868e39f7f6195d7766','85aeb7897717310cad4c12cb5da3283f7188c388','25b24beabb657c7c148fb49af44cedf9c5e254294edc541fe8368a18b5bd5cb0',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273176,6122,'rw-r--r--',NULL,0,0,'root','root','14b454802d709162f70db919a1c67f33','101231ba4bf2d36f57231f7084fbdd6f80f2a4aa','5ad04d8f325bdd3cc4efe12a221449341181e61a8f8e9dde66b2964c25c4c97d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273177,9384,'rw-r--r--',NULL,0,0,'root','root','42b92d23daff3cbe275dd18ff4a356d7','62a504e44588ebf02a7e8b8ce513f03ce0ccb2b8','390eb518278dde628414b1f67d63b01c2cf1d0c1cec5fcca022fd3b2dbf35da6',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273178,11149,'rw-r--r--',NULL,0,0,'root','root','ecec45f9f3671f3209e02a4e061c0d08','6a15484159cf5e900ea94e56195ad57759d5a4f0','0276f3b1931edf3cbd25ddc039accaa2913b558a2bbf0c390cd7006bdfa370f0',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273179,5172,'rw-r--r--',NULL,0,0,'root','root','b17ed087a227faa4edc3fdd0dfeeca38','e2609333f087410029cd5d15677d009bfc1f8367','c0c81e4bd003783079bc45bfa4239d5f378b8bd92a1d02fd60c682821af6b692',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273180,874,'rw-r--r--',NULL,0,0,'root','root','b3b14af96ef1e31aca7d545253b02c7b','783b01f73b9f533766b4a455a12d3f7bff91925a','6ef1e52206cb975800805fbec3374411aaf3c19224eb0ba2f80feb0d1831aee7',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273181,876,'rw-r--r--',NULL,0,0,'root','root','8ab955a13b48946df56b53b0e5ae9826','59351f79558a772ecd2d09fe51efc52d8edfb1c3','c67c4d5fd910c646b23de4bd59a09af95d35ee7ec152cd88b2e2191ce42fd369',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273182,879,'rw-r--r--',NULL,0,0,'root','root','87ec2adb8670d68197789bb30b7d4a82','e6db52acdabe0019068b03aa43a77e030a5c940b','24c589cb5c1910028fa6fa2f60d88078099d4ba3c6c8b888e7e73a2fec4708bd',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273185,58730,'rw-r--r--',NULL,0,0,'root','root','15c3144c2f097d88d587c01838152f74','278d022bea03a740585ed869adc6142fdcc194e1','927165f3c86817396f9f6638db5f90a2a6c5143d1fd9a0c87ce440e2a32c1afd',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273201,898,'rw-r--r--',NULL,0,0,'root','root','391108bed6a5436cccf30ff0f33d248a','ae56ea0a92acac9333454cf5df5b599a93aa91f8','18196ba198e21ba6a35791aa7166690142a111b9044f202eb5d802ad179af5ad',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273186,5909,'rw-r--r--',NULL,0,0,'root','root','7b7e41a41c0ca661652bcd4c024d5955','228bbd0da16f3c10f46c8913821bb722f33c7ad2','cac1510c0fb6a09ef520c6229d0b4729e96136963897df9c8ccd560c7395c68d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273202,828,'rw-r--r--',NULL,0,0,'root','root','63959672f143711cb9f8a5d2842690ac','fab5d03d0c5ce3a06c33697ba38ee4c1e87cbebe','2a090b15815074501ec1f6e9c4b9b1ef804cdcb693f1dd0f3fe8f2efedc05fa5',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273187,3787,'rw-r--r--',NULL,0,0,'root','root','8fe68785cd66a82c4a8ecd0b04c8133e','05733f1fce4ded8d6f78d6df93ca05ac68ce3ccb','4121b1879da998397e5039332c88dacf216792efd3d3faf2fb72a3fa842ffe98',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273188,3728,'rw-r--r--',NULL,0,0,'root','root','72c699d04f0bd6039096fea41ae04cac','ff96096b3ead3f96b7a6c9b18b24d5f781004685','78907157493e2f37785450ed8b24e24018c940391bcbd09e7f74f3f938839574',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273203,10409,'rw-r--r--',NULL,0,0,'root','root','cfef12bb58c64f016602fa80487dc647','9b1ebd53f5cb5e306f35e08effd8468d5902ef62','bec673bf2158e9de6b6cd1a2ec5763c3d0e57562e441769c2c6bf7c9e9657b4a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273189,4845,'rw-r--r--',NULL,0,0,'root','root','6faf3d6542dad9b85de4c696a6d0f916','cbb1733eb37d3fc0c3904ac34b9d21add1236bbd','dc44c098afe6fe0745851d3ee253400613f426fbe45134524d107937b985f38d',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273190,13630,'rw-r--r--',NULL,0,0,'root','root','d349cd3bdf68fa24c61ce56b91d7e318','fe3ddf58d387d8060e36b4414acb1236eb69a977','85e98dd167de1462c1fb1e58521a746e167f7ef6493f356887298e58a4db1094',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273204,9879,'rw-r--r--',NULL,0,0,'root','root','0693468f0eb4103ddf0adad96a532851','71f1ee3fcb0afd7eb7ae90d9a76a6eea5444e5db','26e9e1cb2effc46da2054dd6c1a2521023b1ba13eb5cfce77871c1046732b218',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273191,5316,'rw-r--r--',NULL,0,0,'root','root','4cccf45e43003b97557dc65c63d33d56','ad47e768b8b04f47f6c078684e6c32ce275dcdc3','82791d9886bedbdba31c161dc3dd343150ed444fc4b3bf3ab7c12ae857324b8a',1558100573);
+	INSERT INTO entry_data VALUES(2051,34273192,1242,'rw-r--r--',NULL,0,0,'root','root','16654bb646489c4d359f4d9e5fd8e52a','7ddd68df32d1ecdde4e2ad94e4c02cd69680449f','a56bd4dafdf61686b5fe27ed95b8c143f7a2f70d999060407e97d2b03c45f49d',1558100573);
+	INSERT INTO entry_data VALUES(2051,17859324,25696,'rw-r--r--',NULL,0,0,'root','root','780d821a49ef932cb7a7630e4a92f2a7','3bdb44a0799087c2a1d430c4229cec06ca0e813c','3b84c00c9ee1bb1f7453a189a70805ba95b292ba304089eea18d07f35ecc211b',1558100578);
+	INSERT INTO entry_data VALUES(2051,51539860,1624,'rw-r--r--',NULL,0,0,'root','root','287a668b09722b32e01c8e8f3bbb0dbf','c86611c3c29f50020bfeace23f8d7bbce7ce9b64','72e1422da6ab3a8c6b3c979f3d5c28f42ab39bbf7e27da112afd8698d1f70bc8',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539862,982,'rw-r--r--',NULL,0,0,'root','root','b023c096829fc6f65727e261fbd4627d','c080945b1eaf3bc595e63fe5286f1324b5b99a23','601a2af028a3d737647c7d0adc442e1bb36ae294c65f645b1b3b63aa56d918e8',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539863,3422,'rw-r--r--',NULL,0,0,'root','root','5e3c1164de36daa0aa1a48209402c4f6','89fcf71403a8b75f70b9c94928b10f029175ae2e','f71c5462203686f5663c14f72df9d74bd91e3218b8ee29444a761ad1fa244e3b',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539864,3135,'rw-r--r--',NULL,0,0,'root','root','10e1c73204d433165464223aca882181','8f4269fbcdad51ba3042f085a112c8ebfef7ba0f','ab3f9658aec23eba5593db3b98cefbda6e1b14e8aaa0b8c2397ab71efe96b71f',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539865,7931,'rw-r--r--',NULL,0,0,'root','root','6d3215ed4ba1eeeac28828aa315ca07b','cb9e1a549c0b059b796db6c415c0da4ebb3feedb','cd7dc6e61a58b205eeb01f6c6faea9b4dc2d208372810bc8b6b03c9241273c84',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539866,919,'rw-r--r--',NULL,0,0,'root','root','9e5b8c645badedaa921e7c2a8494c4ac','758b8e82102c16a13d3fd451592370322d09d071','da9c92c9ab1a82688b27a6cadb2835056488608ec3519faae71d47e817fda9bf',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539867,2603,'rw-r--r--',NULL,0,0,'root','root','03017ee31d9b483a63508792b0ecd342','a61653aac552c4926d385262af32bcf0897a62a8','80150e4d47be467a739fa9bb4c5e591087e2da505cfb52d37c54b740b1894b6c',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539868,3306,'rw-r--r--',NULL,0,0,'root','root','ad4904e73d32e7c8cb647a829bd359ca','75f04726bd0b5898cf43d63f2be3e26e5bb5f0b8','964eeafad5492d22c2b386af055a3e698bbf04dfc82b896db20201110ac285ee',1509657784);
+	INSERT INTO entry_data VALUES(2051,51539869,2913,'rw-r--r--',NULL,0,0,'root','root','d994780bb35f2e58f68bb5306adbe032','0a0e8010a66b1e60b2448bb24e1c0bea9476fadb','92de6e12c6a6dda66f96315dd921b1c0282ed2c360a7a54cc9976f0bae580dfd',1509657784);
+	INSERT INTO entry_data VALUES(2051,17965080,116,'rw-r--r--',NULL,0,0,'root','root','1e4a735e3fe42e5f24703200e77c8ce0','d70b4a98bc237c9f250291777f31de796f3288c5','13d7c2fcd85cb16a7524cdfa95d0a57e8c9a0b6698580c578d70b8960012adaf',1493433537);
+	INSERT INTO entry_data VALUES(2051,34276396,10039,'rw-r--r--',NULL,0,0,'root','root','23c4f28e46a9d8f8c812d28dc1ca6fb3','fc41b5ef2454d872b4e42f49b34c7d8c82b6ca97','aedc2d48d079e42957b64e4985fbe6722d0c51b22e082d5d3c0ce122826f88a4',1558102951);
+	INSERT INTO entry_data VALUES(2051,17968884,25,'rw-r--r--',NULL,0,0,'root','root','51591e7ab98851effab49089323cb160','6458e187c792c3e99bc60f66f0572ff1f2caa05c','1e5f74f4737c59e887dfdd7eca67a87bd4922f3092766354267f4b07eef52839',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970731,4142,'rw-r--r--',NULL,0,0,'root','root','f329323c5ed857873510e38233f1afcf','902fec7f98c59c34111cde89155167e6dd4c9618','ad0c9d99c6a392417b13a7e9a61bc4fc34d6bf4aa105ed1d5d9c19c1dc762e62',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968885,14,'rw-r--r--',NULL,0,0,'root','root','f763f1f31d26507986aad58ca02f79f9','1ba459458ff1a11c375689f463189c39d49db454','9b46599a85d951effbd1593c99fa637f9eef68496049075b09287f85a1d28017',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968886,24,'rw-r--r--',NULL,0,0,'root','root','602eda3ecedd81ef751d9241becb9142','d383cfe22a6d76c91414017bc39bc44f44d14ddb','b9ecf70ff2713cc1c36e8d3cd5f0fa7406a6ad10d574454706780740504708ce',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968887,26,'rw-r--r--',NULL,0,0,'root','root','1b87eeb6069e6f5ac7b5f0cc4bf48083','00c0ac5fef3e864140c35adf09dbae4567e469f9','c2468a2e8234fca4343948e59b12b30effdda1b0ec44f35e94e8824774b3312f',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970732,943,'rw-r--r--',NULL,0,0,'root','root','327941a5240e699e3251d74192f4f299','fcb3f5d802ab7e93f424c5e3b14a56a0d0128813','f781fcfd9161f148033a15af21c23613a4297b3afa6ab2cfad5801225f8a86a3',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968888,4140,'rw-r--r--',NULL,0,0,'root','root','3672fe16e6b14a124ad74acd47941be9','5125a4a2bc18dc0f5bc20e122ae4b95d80fbdd2b','0fd2209953a90ed3664810d69274ef1f58b09296b0b428cf3f51e829ce3b6e2a',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970733,391,'rw-r--r--',NULL,0,0,'root','root','7a30e22cd391b7992646723df280f4fe','3648e47344ed893a4bbe22f044dba0bf5a7fd309','9c000bb0ad216fce8adea54dfdc06179aa33e5fe7838a0b96dfe10b1555e295c',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968889,548,'rw-r--r--',NULL,0,0,'root','root','51e9f41665cca34d58ceb8bcf2ed072f','7d1a1535f6bc464f2ac698264d91f0c63408ddb5','bfc6510cc235fdbd10b902aa38dedde925532104f53738fd664dd475739b4727',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968890,29,'rw-r--r--',NULL,0,0,'root','root','ed8e137983ae58a7bf038180b29737bd','44e68e221c64b90aa495edbee3bc92905cf3029f','a6c067e4a867c0043c2fa0b0d4e5808818952596c73d2c6c240f14e6038b46f1',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968891,26,'rw-r--r--',NULL,0,0,'root','root','099d16dab225eaa121f1ba2f3af9f60a','d93058d0eca1ddec7c34eaa3a9c1b7e3005650e9','4c6983ed0c15fbf29b033973e4dfb5996b7968c23eec816d1d392d5e9b40d3c3',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970734,29,'rw-r--r--',NULL,0,0,'root','root','b1891143384a7308ec17d9e6ac836201','553069d87f0aacd36b1a60297161ac87559cfbaa','bf16d3fedcbeeb5bf120af2cf1005af66e38e5c4b988a9eb52dc936a6f1f3b8e',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968892,193,'rw-r--r--',NULL,0,0,'root','root','5fae93df3328f1915e3d26f77a8c3b9d','b0f7dd601228f59a596badfd5cea72b516f7ab1c','5817bf90ed3c4a1a10dc3ba23567f47fa16c1d5345b92a29a7c0eb1767baef46',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970735,183,'rw-r--r--',NULL,0,0,'root','root','3446a737f83b38c3b576d5bf2e5161ec','297286b2a1cbdacfc4476fd9e2160507ae0da894','3e208e7015a55fc7cb6cc84d27d94d408b9731794ee9170a6ee18fb336ad2b4f',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968893,3961,'rw-r--r--',NULL,0,0,'root','root','3ab408dde8126548c34cc6f31bdf0353','50b61c6dcd9911aa7ab823c63ddbaae8ddaa606f','7beabe4214b50ff2ef8fa93a5edc0b8fa6074370ab3420be8cc7562da23c4256',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970737,1052,'rw-r--r--',NULL,0,0,'root','root','f68e0a92c8d4207a7d3f35c36f38ca3d','c68c30db9c4f26d51738d90a5fe05045e21f5750','946344ff488ce0446e0a423adc8b273fe30710b8f83df4545f2c5830cd0a0e9d',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968894,1160,'rw-r--r--',NULL,0,0,'root','root','2ecfac7c883bc980aba880f424abb8ad','0c764ec0b99fe53435cb318c7164bdfa37f49910','c2e06e3d9d011515a46b551167c73124febb9f70e9923f58571ecab20aef10fb',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970736,13,'rw-r--r--',NULL,0,0,'root','root','5eed67a9759c991553fa3055af023a33','d7a4a7a4ffcd9882e6a250d58309b9ace43c0298','c3e262c82f19fb4f9ffc52577ffbfe69e6e1c8ddba6caddededa71698459bb32',1557876513);
+	INSERT INTO entry_data VALUES(2051,17968895,552,'rw-r--r--',NULL,0,0,'root','root','9c5c8998c0b2bf2cb4c3d65572cad11b','df3ba88cc4a324f467ed0a383f5b96e34daf1d6d','12624add82d33e3183e41f7598826556824705e1df498e0e093569782c962f10',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970738,48,'rw-r--r--',NULL,0,0,'root','root','9d7e8954714b47042b849ddbd2530973','9ba49713313932dd8ef1fb2d2dc6984938a2ecbd','6d86c3ccf6a33a103ab37f2a9a31641dd1a3629184126921b8e6ba9e86e9dc91',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970688,34,'rw-r--r--',NULL,0,0,'root','root','b5a49230bc9b80a4358d966255d4697a','f6a8a37a242448bf5a8e4f5bfadf3b2ccdac43a0','1ecc5c341ddd40193f5889bb0b73665362ad9161b390efec06aaf34937415cf2',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970739,1464,'rw-r--r--',NULL,0,0,'root','root','d16cb589cdceb30d4523334063ddf040','44efac162f8af0186543bdf88936949f56f3085a','0f7fba3995875e539a687e420e3165afc3cd262ccb51cfc266d3f4e4d2d5f840',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970689,754,'rw-r--r--',NULL,0,0,'root','root','e9039d4f201acacca70e8964ec22ee70','65318c20eaee956a57202536aa3f1e81f6d3d9bc','63e2528932f09ae784fc6a7c582995b6b7bf0534dea4dc8ae2bfafa6855a98d0',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970740,115,'rw-r--r--',NULL,0,0,'root','root','9b61359cbcc14b9be4d687b80b772bea','3b0f672b7bf885efc7b7cd8d02fe6789245c35b0','5b9cf1b6f1f3019ebd59da41f473f665c5dfdb46118b52e9fd23c2c09e3b4879',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970690,754,'rw-r--r--',NULL,0,0,'root','root','dc124184659f6acfcb2f77d4759adc8c','6d29ed042871f276a7363e4f59734092d07d4434','975a0a0be711f23f8296d6588c6d4ea0e1eb4902b6e76f0127b63643c4457655',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970691,984,'rw-r--r--',NULL,0,0,'root','root','821754802fb212acc9f48c7dd93ddaa1','36daa850c9ed9619607e6e75af2811548f589fc0','bec823270386ad924cbc6626df2b37e810d60a685cf6b1ca5168144c807535be',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970692,984,'rw-r--r--',NULL,0,0,'root','root','821754802fb212acc9f48c7dd93ddaa1','36daa850c9ed9619607e6e75af2811548f589fc0','bec823270386ad924cbc6626df2b37e810d60a685cf6b1ca5168144c807535be',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970693,704,'rw-r--r--',NULL,0,0,'root','root','0659d0dee2b39c585b6ebc682af0dbd9','464732a4ba803bb7fb4cbe97804dba9dfe9462b3','14d0078d7ef3acbf6803261640e1cca267dd2343fbddedb30c7d9056ff590059',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970750,1495,'rw-r--r--',NULL,0,0,'root','root','9ab31cd28e79474973fc02ccf1c06b99','a2c87d0318f3c073baaf1d25e0826eb6f874e422','55dce6cf91b4d640d05016f48085324ed513b789afcd1c64786496813804d95d',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970694,492,'rw-r--r--',NULL,0,0,'root','root','ce26ec480900a2420d14d5f2c43f07eb','b7b016cdf62e1dc84267398e31ab985a7d1dd385','51e8cf3bfb280df4d021e6c26b7508b2b2e157c34c0764a62c11bc9f1753a0d3',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970695,1088,'rw-r--r--',NULL,0,0,'root','root','65d8d37f2dd5a2514399e377d5ca5ec2','6e9defea986ca57b83103a9e13470615de59211c','f402d4fff479b72104305b3f6f44d4fab819dbffa1e0c9dbc538de016bc4451b',1557876513);
+	INSERT INTO entry_data VALUES(2051,34715484,6,'rw-r--r--',NULL,0,0,'root','root','2b1e4c2fa122919e766b40ebf0093c25','7e2cf1e31b8b133977223df1bd98be2cf6d62137','91a762d8f5851ab5962337e227edc044af8d2fd31bddc38b85d3b40ea4d11ee9',1573237930);
+	INSERT INTO entry_data VALUES(2051,17970696,12,'rw-r--r--',NULL,0,0,'root','root','0731b2373c97cc98c5c42dd56e7fb05c','0b0b7ceb79368c94dbe21cd9497585427deafd9e','eeb687129585e718f1c69a346b0c4295ee5f390d2c9ec5d9bfcbd8bf33fd33dc',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970751,3094,'rw-r--r--',NULL,0,0,'root','root','5bcadfd7842926832de6d6e29d23558d','c01ea2ac9ad62530d6414cbbfe95ebdf04a9bc45','0e84634a348d168b60f4ec49432cee34885b624e31e79af947ac979cb3e8ecab',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970697,2736,'rw-r--r--',NULL,0,0,'root','root','1d4b6acbc9b04d5e7c47624a2a23cc3c','95b748c1fe052f671bc5dcac720a51ffbc905278','7ea97736bdb288369433bcd89935883a390a4bd7cdce41af219ff29eed32477f',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970698,793,'rw-r--r--',NULL,0,0,'root','root','318ed78f38b29c99e478cbc7efc8ff14','8800fc391c80846f1c217e51a2cf8a26460aad51','3b3b3a9ad4fd7ed9b1d857194ae30149ec85af124cd1aa848a48d59408494a40',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970699,376,'rw-r--r--',NULL,0,0,'root','root','3214cd5156a91a2634a9f1378c2235ba','9c36c6455c9766ca12d0e6ac9600305f9635e2b6','2eda38631debff06464db492681a1c06e626cc46581954211be5872eb823e4a0',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970752,386,'rw-r--r--',NULL,0,0,'root','root','2d36f1f6c15bbfeaf2049d59dcfefe05','ec02ab8971bf554438e1a8efe73187fba068aff7','04306c7a6d5d160591b00db9619d4946e5444b383c530aa92305d0b3c2c9380b',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970700,271,'rw-r--r--',NULL,0,0,'root','root','38041d1be7beaea89eee8c1463142546','e533b18551c966f934c04300948d2d3ccf50db21','cda674ff9a6769796a0daff0d19860d233653e7be39ff79c7ad5a33fc5bab85a',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970753,1684,'rw-r--r--',NULL,0,0,'root','root','d7cdbfd65fc59cfc71ab5f00a3697aaf','1d5852789923b7fd96c275eb7d7c151a2334206e','a276cd0dc6717a15bf207a8b297d166ad41484305f9332973f596bf87d21ec7a',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970701,3404,'rw-r--r--',NULL,0,0,'root','root','c2e474051bc6f33a4a66ae518a409dc8','b50a00916a70d526cf383889a9206fc09a38cd1e','433ca712ff14c0a7deb1bae111ae8383fa262982ddef4358df37ea90bc26b67b',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970754,204,'rw-r--r--',NULL,0,0,'root','root','c68d472ee915c19d73f255623f4e0223','1312a3283c0bf451cae57da3989512f515850c78','76d8ce9a188958d2f2746d3f193362c17c9166788a0361f5f0ff1e53e358e2bf',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970702,2008,'rw-r--r--',NULL,0,0,'root','root','179dcaf6031785d6ca40792c290484ac','a265243c77ee5b4419b3d4ed7abe77babee9fb62','24a0d7c0966779a2bbd41f69a249f954bf4d460d086c64682a7703be1c48c464',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970755,3917,'rw-r--r--',NULL,0,0,'root','root','6dfd9f0f78dfc3e58c37f7fa9ce3511b','206effd95dcb4be1699f5f76456f62879df55dc4','34a3407e4fac453cf75c3f8bbf1ea392546fffee1e23ee90a4e094e77061ffdc',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970703,1149,'rw-r--r--',NULL,0,0,'root','root','ca55d23d02774d6eea321dcbd4099e5e','911d68bfae96436028f47e68a3b12e8f44490415','113c307ec2d572f320a5160e2f5b9e58d0c80ffaeaf6c55d5268250e1e3f5241',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970704,7792,'rw-r--r--',NULL,0,0,'root','root','2ce783e81ebf3c78c22bda7e19ab8bd8','e820303b2fdca882ce112f41f21bfdcad5a930b0','7c97fadd9865056f7cfdb3b5bb8cbab597322889fccdf21fc689f5662e18f6f8',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970705,497,'rw-r--r--',NULL,0,0,'root','root','5328dfe188ece714bf9fdb7e26dc9d00','6f05a03fbad83c31dcc764760a3913bd358aee6b','6faa77b936544620a70a1684994f0f4034643ab0dfd1f5f86ca9fa6b68fe149b',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970706,396,'rw-r--r--',NULL,0,0,'root','root','9d5532c21c759657347de8b26629cf13','615d8ae3286742300de932d65dbebd1581d6bcb8','04d52897b24b599a7e64bdff287d37b97607d87b1229ee736f33ff6fa164af51',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970707,76,'rw-r--r--',NULL,0,0,'root','root','0656916d9805c3af1f81424354082501','fbcd6087aaa4c49c9aad13b16cc26161b91bac8d','cd305033f6a1d36358505f39e69c1c47f8b84a00840f9092c14abd4d3957d1ed',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970708,238,'rw-r--r--',NULL,0,0,'root','root','25848f289fb76aeb7f78e29ab323dbf8','6b7108e12ad15d6b0f4dbbd35f97f3450e644a8e','3d377c9bf6f42df2d4d84e280fd237a75c9d8ab70ce98780fdb6e267c77d4e92',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970709,22,'rw-r--r--',NULL,0,0,'root','root','0e969889a4509e62ef352a0222d2620e','961b569b066cb73aa9d3a197e5c31b1b62548361','9ea559e59aee33366cf1dd607c0cb3881c9a5b205ab560d9e3773bdbc78571e7',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970710,24,'rw-r--r--',NULL,0,0,'root','root','a7b07bd2a66b8a562ccb64da03bd47da','1db024ef3ffa4315fc8058720e862f483206744f','f69da7619a9c86307cbfe9f75cbad531eb9b200d5d18c57be1f90e1f9e33e00a',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970711,38,'rw-r--r--',NULL,0,0,'root','root','d5eab60adbaf729bb5bf781fc4c5409d','1517b2275c64bb3a1cfaf34c009ed1ee7009cd26','d07a742c53d56e8bf2f9a00d967e0d7fb42b8e3d15f2f6938124300f326c1fda',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970712,367,'rw-r--r--',NULL,0,0,'root','root','63774fc2dd277fbfc54b4a8f7ea4528d','f2d4a07316962f77978b3047ebc002a1d1e15fef','0448533a38825403be79c032bdcbb94c5595f15e74df868eac159482d8e1fa9b',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970713,2599,'rw-r--r--',NULL,0,0,'root','root','d3d856994bf02899a396e4f4568f95b7','5e96894fb4f9c5b9d41b74ade713a4a710c6adc5','8e1d96bbbbe880db211a638bec7fe2c984e767f9e0c73b45971f7be5936ffd92',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970714,39,'rw-r--r--',NULL,0,0,'root','root','1e499dabfb5bbbf7439a06b08f7e2af3','d3ffbcca9d6061615538db52b0ef429e5c7035e5','bc7639de1421924ca421478b8cf95bfca82780286e6e7779369bfecde5da634d',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970715,113,'rw-r--r--',NULL,0,0,'root','root','008b9b3cad3c7073aa5331a453e68cd6','c8bf47a308ef40a1951e0ec2f0338804bd03b964','8c27c9e503ce81717c6653efa3e8aa2fb3b2605e38486f06193fedf12cb6a6a6',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970716,119,'rw-r--r--',NULL,0,0,'root','root','f5d92658f9dc0eb540ddc9d24fe3ffb1','54f218f4af0274b3841bb6c77b8b114f306c1abe','58c393d7b18e5ce592f67e5931316a3ca6db7473067722af48ccd410981d8aaa',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970717,187,'rw-r--r--',NULL,0,0,'root','root','73a9fd7af5924e04054f43e2708f5059','184fe6c6b33de1b66f4ff9822eff37e52a8be3bd','ec366d413420f344c84223e978937b717d9ed528f427e282ded51905c1bd5d6f',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970718,1254,'rw-r--r--',NULL,0,0,'root','root','1e34b81727b36c9269d413cb6d20b2e6','2d122d01e5b5070b6998c7d0c93eac4a8473797f','077c5649ad96bf7b7be305d9ab1ce32b2964102039dec7b45dfa22e4ad1f4fd2',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970719,666,'rw-r--r--',NULL,0,0,'root','root','fe9a8941cd52c7e012724122d67a98e6','79dc8e2e33d00380fc62657863561b4ae27d1053','43494c9d5b10b31640c3facd14278f18a648ee999e33966bd832dcbd620a9080',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970720,268,'rw-r--r--',NULL,0,0,'root','root','940c8db7e01ccaa6f2c5be2ca020ddf1','bcb2e62910467e60370f7a61a3f5b36f49c60934','b33a89104ae8e400d91376f0e1f7afa152916490323e96b594ca5ce18ab8055a',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970721,279,'rw-r--r--',NULL,0,0,'root','root','75cb498c51441db57932a4895f7f0d96','8005daf441012bf06909e0c64b1c331c361751f8','013d6dbf00ebd04310eab2f93c467990f827f1776bc68a8d286a55a351ecea51',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970722,2125,'rw-r--r--',NULL,0,0,'root','root','33284fd785df74d394b9e30a4ec8283e','76b9044cd360387bf0bed66c9c9172fce19270a2','1a12bf100574d5d31933ec1f6b4344d1a07120e9d5bf107dce8e4e6ee578c9d7',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970723,3824,'rw-r--r--',NULL,0,0,'root','root','c9d10da50e4b77dcc73b97f67a81a89a','cdbd2429c41ff751763fc9edd68519e5ab383c75','5757926280393eac9652f16599a745e16ea631801370e012ae1ff5637a04c94f',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970724,809,'rw-r--r--',NULL,0,0,'root','root','f4080c5eacaf30b4ed871a5330960696','7f46e81ae0afd5fd2e62fcc39f0d61747dac1d64','b2c8eb60d721c53636b1e7ca45da5a95bbe68f89f0ef291e8eee0d352a7576cc',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970725,13,'rw-r--r--',NULL,0,0,'root','root','5eed67a9759c991553fa3055af023a33','d7a4a7a4ffcd9882e6a250d58309b9ace43c0298','c3e262c82f19fb4f9ffc52577ffbfe69e6e1c8ddba6caddededa71698459bb32',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970726,573,'rw-r--r--',NULL,0,0,'root','root','9e5860565491b3157e3c6e0af682b7a2','2a7f6ff608bcbaecc979a7545c02cf9f822da29f','410079ca6670a50dc81bc78cca4aa310432a664d78f8c5ce38d7db56d914f1be',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970727,365,'rw-r--r--',NULL,0,0,'root','root','27277daf6f7ed1f21de8c6a59d5b9488','fe6a09b4f1937f382be53e54147c10128f908b46','6024573b4789cf6ee8b5d86b438d78a6bd4a8c5f7ee8007efc8154b52b4e671b',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970728,75,'rw-r--r--',NULL,0,0,'root','root','7bdb319bd61b19389e93ed85a1ed85d1','bc1f009a9ca3bb637d22fa359d1803c20dee1df8','55c694e8184370f0fef306599f9e163da37af075f741c025ecc6a5fb0ea77043',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970729,554,'rw-r--r--',NULL,0,0,'root','root','84d917e22e057ebfc379fd9190631b3e','f72c03b2f23a0995d63c4b480d76c2500944692d','344f41ff252f4d02507e9e140eb0ca669ff5d4cf38ce88c88b72c9913f61fe1d',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970730,985,'rw-r--r--',NULL,0,0,'root','root','0864a392edbfc3baca90a1aaaade771a','ef0ee4f3e0482867ddc7f1639f36927179bc2de0','650307c026d53db1a007247f1d5a3e95e760503fd5b7ea4cbed8d11720e388bd',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970741,2239,'rw-r--r--',NULL,0,0,'root','root','b349efcbcec257f5fca8372f1e47e7e0','8f5535bffb1a037c4d3da2605ec80dcf26deb834','e8a2c7d2bb92d9914b69fa85dc56024921513c003cc73f4e0526f2199cd4cdcb',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970742,10,'rw-r--r--',NULL,0,0,'root','root','74fd71c4ea2c8c58bbaa2cecfee56f7c','79cad31544a33ccca57149c02ab9a2ca753d88c4','0362d13957eac2887543f42877fb88eedff3fb3f1202b6673553a64163c1c609',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970743,2224,'rw-r--r--',NULL,0,0,'root','root','febd1d7966858a4a0352a2fe2c1abfa0','d36e32d4cc6dbb603e2f91c27c3bdf46f9747e7d','a8471b6f8cc175f546518c404c24bb492b7fbee7c172aa52e1af7a6768c5e7a5',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970744,178,'rw-r--r--',NULL,0,0,'root','root','1a5a8d37f0de964bab25b3908fa907d5','80c63cd8728319697bb99876a35b9457ad2ec8f4','49be549fce33b849042b8444daf5e3ed31c0de0ebd4d9db05bc90fe941c45b00',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970745,28,'rw-r--r--',NULL,0,0,'root','root','93b1a500916dcfabd8a1c288029a5502','4917e4adcc6c845556c21b977a192982b89956a4','ec25b18e04e9d71559c1df75985e81269d2034386eb35dfd43873869a4bd1aca',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970746,355,'rw-r--r--',NULL,0,0,'root','root','7976c7a3dd90fe100f30a23a29aaea89','27f59288ceda7d31e3f5a3d01105a1a210df0b74','fd8ab8d3efaa2ec37e867d801035d1cf8877849096b1a204e13ea7882b795f58',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970747,636,'rw-r--r--',NULL,0,0,'root','root','1f873f79332e99cb0cd2b9eba938ac3b','2c8a1935374549122d8ad8e93dfc4a253cc3130b','bed2bd339449ca79dd84729bffec11a95384b6e10738ea5361d30d2d4e52f493',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970748,217,'rw-r--r--',NULL,0,0,'root','root','7b632784a85ec6ead7d26e8fd195dea5','d54bb2fc49cfbb685c9888cb25d411279e86ee5f','94f74fa52735a9ccb91482ef77beea6b90ca9edf5a43eef0da69f89b37481aed',1557876513);
+	INSERT INTO entry_data VALUES(2051,17970749,1807,'rw-r--r--',NULL,0,0,'root','root','eaccee9d3fb610a691705ddf94b9ec11','4cea2add0ca91e4361fcd32c58cc6cfc7a723b72','5fc52d55cc6556ea781eb5e8c0f59b3734a4aa9434044dc41559a9074f1115aa',1557876513);
+	INSERT INTO entry_data VALUES(2051,51302934,875,'rw-r--r--',NULL,0,0,'root','root','5530a7e6bdc6c424b427fa45f970e34e','8a653226e81f6fc60bd7daeb1f7f94a146757c30','57647673734969c5473013ecccc737479b13a3b821cbc8f0b6892e01c7c71cc1',1586215218);
+	INSERT INTO entry_data VALUES(2051,18221727,10135,'rw-r--r--',NULL,0,0,'root','root','d3f2ca85cf30b4b9d0b05b525e07cf6a','b5326acefbe9e33c7fcae2ed0e49f90779157272','bfb5a245ddcd4a733d4ac44ef21b69f97a14dffb79bf3a8c2d6972709208e4d9',1557811231);
+	INSERT INTO entry_data VALUES(2051,34485943,127,'rw-r-----',NULL,0,0,'root','root','45dc8b93a8b644d96197dc87b7b2b392','a5048dc66b2acb12bc77760f1ee9cfbd46a63d23','c90c9e248efa3381f9344c507450cdf21849945f775d7c59291b6ab54dad830c',1587693386);
+	INSERT INTO entry_data VALUES(2051,34485944,856,'rw-r-----',NULL,0,0,'root','root','7bfa16d314ddb8b96a61a7f617b8cca0','e366ae72f49905a76056c8adba4830da1ac1fc42','373e785050e41008cc4bc3508439c2e66c853813694c528554cff5015f0f8a9e',1587693386);
+	INSERT INTO entry_data VALUES(2051,51695184,358,'rw-r-----',NULL,0,0,'root','root','199eaa1e43fa9139f0910bdb64fd219e','31f906a6e55c835d5a14d241d88580fbcf7f7422','b7c3e851e8901bc6b2895a6be8abe38887ea4bf8bcc9bf2699bf940c7974b567',1587693384);
+	INSERT INTO entry_data VALUES(2051,51699381,170,'rw-r--r--',NULL,0,0,'root','root','76cdded78b9e37b833c2c44cc31518c9','b90a3e3e839679ba496356ffce8263065a826829','af1aba7aef639bbd2d495b259f94e728436c796fb3f4803aa73183aecd3791fa',1587693087);
+	INSERT INTO entry_data VALUES(2051,1991468,244,'rw-------',NULL,0,0,'root','root','def45a38095c1c16ea919317b8020a83','17c157514a3d87c906a6c830df30c7ff3966c798','54c2cebdaadfb928f7327cc066218e38743f0ff94d02fe162a7a415e148d23a8',1591914208);
+	INSERT INTO entry_data VALUES(2051,34862711,107,'rw-r-----',NULL,0,0,'root','root','795528bd4c7b4131455c15d5d49991bb','247d8f848796ad5ae35e4bb643bdb452823a2d9f','0944f975965910b2dcd78d74ddd94cadeab1646609fed3731e050aae3e193dc4',1591914570);
+	INSERT INTO entry_data VALUES(2051,51467829,1516,'rw-r--r--',NULL,0,0,'root','root','06ef02c5e08c31ee02a83b40057f5e98','ce8cfbfbc4c35d1e2c734d615665ac044a515f2c','940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5',1591914476);
+	INSERT INTO entry_data VALUES(2051,52352979,1970,'rw-r--r--',NULL,0,0,'root','root','c3a3ab9db4b84a85aad64c7037e58d7e','499aaa349841c3cf20d0c554d39d5c6bc5fb5d0a','a652ab6f06ac9d20e460ede949f052c5a7f6b248c5248b569ddf382eef3ebb8b',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352980,1970,'rw-r--r--',NULL,0,0,'root','root','c3a3ab9db4b84a85aad64c7037e58d7e','499aaa349841c3cf20d0c554d39d5c6bc5fb5d0a','a652ab6f06ac9d20e460ede949f052c5a7f6b248c5248b569ddf382eef3ebb8b',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352981,91,'rw-r--r--',NULL,0,0,'root','root','9da57b6e63fd6b70c32670918372aa10','dd414d721867a440415048dac0f23e5f0faacabe','c979c8565c6fb49ba999d6cfcca6a924e2a0f57e406fdca089176676f0a34af3',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352982,91,'rw-r--r--',NULL,0,0,'root','root','9da57b6e63fd6b70c32670918372aa10','dd414d721867a440415048dac0f23e5f0faacabe','c979c8565c6fb49ba999d6cfcca6a924e2a0f57e406fdca089176676f0a34af3',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352983,397,'rw-r--r--',NULL,0,0,'root','root','7d5a653f3ace8ff48fa70818bfc0e722','063c2b9a925371a3ff8bc6640e9cfe6b41c23cb7','04507b224335783f82876ad63e335c02280f98e2e9b4035a5a3b73133d4b6cc8',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352984,2370,'rw-r--r--',NULL,0,0,'root','root','b9af5dabb774652def2c9a0ceb1bf0ba','d80525c865507f5c4fedb1e9074e4514f6e39a90','8a20240ce8c52c1838a6e48ded81d34754b932338a153f4c48705008ad7e2689',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352985,231,'rw-r--r--',NULL,0,0,'root','root','0d4ff7ccf6b68203e7f8f9beedb21dc7','55a95660c5f0eefc58ea22d46907f121205a667f','a58323791eb5b69763750f0c0b6e84c6aad8a41da4db17dbf4467140819378a0',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352986,260,'rw-r--r--',NULL,0,0,'root','root','39753ca4e41c31ed43bbcbd34c70263c','f7666148d800d5da9bc2535f4ed5f1c25804827d','e08f95b67c10b9cf7e0211af4e786edcfd5313273dcca85283683c5f48bcd650',1591914517);
+	INSERT INTO entry_data VALUES(2051,52352987,6,'rw-r--r--',NULL,0,0,'root','root','463b8ed2294de8e44cd4964ea22cafd6','b4684b9816e2a8d0da4f2c2ed4dc6def217a6377','d2387e70b5a084f4efdcd732bb2710ec28d48db38ecd38510ccab8877e4b7bd7',1591914517);
+	INSERT INTO entry_data VALUES(2051,51699385,5646,'rw-r--r--',NULL,0,0,'root','root','0d26773a504184900454d19c6cee67dc','9ac1642eb74a81fad83dc9f26b9fed088f8662a6','04cc9d766380c83d09af5b2208f13f25e34adf28d9ce9a552fc7538d1fb800df',1587693087);
+	INSERT INTO entry_data VALUES(2051,34487937,67,'rw-------',NULL,0,0,'root','root','a1e6502b1e86242beb0cb5bc9714ab61','0d181aaa0e9f105efb4701750b103841d6776515','28e1a3a05d8033716719a72bd81115294b7b8ec5044f13611fbf7a88f48a9356',1586217217);
+	INSERT INTO entry_data VALUES(2051,18345347,19,'rw-r--r--',NULL,0,0,'root','root','164aba1ef1298affaa58761647f2ceba','bc974529231a2809c4a185aa2a982d4a00b0ad83','6908ed1fdb7829167265e379e83e5f41c84c8ae34be5d85e2369a7648c9dbd2d',1591914518);
+	INSERT INTO entry_data VALUES(2051,16943897,26843,'rw-r--r--',NULL,0,983,'root','dnsmasq','806cb2db0d2dfe17dfcde1fc6536a563','c44cbe2a476900c672d6c044dbae8fbcb29ffed2','d6575b363dd4dd0065ebea48f37597e085c5d5b500d61e3387a9f6b8e562b7e7',1590018930);
+	INSERT INTO entry_data VALUES(2051,18345348,22,'rw-r--r--',NULL,0,0,'root','root','1fa1a102a201e94fd1e6c02255fee21f','cdf7e13e5429f90ab7ef420c202f149f2152a041','4796631793e89e4d6b5b2037536ee5aa85ed7a4168b139ecdaee6a4a55b03468',1591914520);
+	INSERT INTO entry_data VALUES(2051,18229391,4922,'rw-r--r--',NULL,0,0,'root','root','7eca62c7e1679b2ecf5cce3584fe0e4f','08e09edf00dca0bbf3bfd96323cdc43e4eb8192d','263bbda0c8a5e0009fc8a114c7f583a75f6cb20c7df40d45d053063f383a72ed',1557802604);
+	INSERT INTO entry_data VALUES(2051,51699581,1203,'rw-r--r--',NULL,0,0,'root','root','334026d69182a339fe4bdb54f8bb2f3b','4450946373c224ee5c9d58ea923150cedbc6f065','619e292279f79ef544514c6d871c8bf0c38c2474691cc03ee27351f315242e0d',1557802604);
+	INSERT INTO entry_data VALUES(2051,51706692,1299,'rw-r--r--',NULL,0,0,'root','root','6f9831bca6dbc861e070bf43fcf78f14','0c114cfd85ddcf6e47588c19e5722aa094648234','46c10ed90df19d37c5fd2c38cd19d5d04b417b338f99080282460a4848fbe8ee',1488092559);
+	INSERT INTO entry_data VALUES(2051,18234580,433,'rw-r--r--',NULL,0,0,'root','root','dbe655b06a25f3b19ddaf942c071928b','7e58387311f76d1ed11b8ba3014842e0012f6a5b','55846d275371d04a4a2773f20dc8ece5fa623c3512924befebe77f6f9c2d7760',1586215439);
+	INSERT INTO entry_data VALUES(2051,51712640,301,'rw-r--r--',NULL,0,0,'root','root','0cced4351abf3672c4d70d73d031add3','353cda777ae0e325e0832c3dd5d2077c018aab46','d03e775a558139f025146b167995e2a8d14469ba7c3ceb76f94e197384f5b053',1587755146);
+	INSERT INTO entry_data VALUES(2051,51712680,302,'rw-r--r--',NULL,0,0,'root','root','04489225dfb344254ff28fdb22f67026','c1ac99d5e8198002a97967118acf647f7142b47d','5f022dc09329bca3f68a72c6bcb6898ea688657c2ecd3dc5ec0ddb758938e40e',1541600262);
+	INSERT INTO entry_data VALUES(2051,2020931,181,'rw-r--r--',NULL,0,0,'root','root','b3884b515fe5ca56eb67dc1664e04e7a','699e9291439ad6a125044d3be27f02123a9f945f','2c3c0c8231276a9b3a3ac721dca947c9244f355409223157398636e5fde53a71',1587755147);
+	INSERT INTO entry_data VALUES(2051,2020932,327,'rw-r--r--',NULL,0,0,'root','root','15c2fda9d397ab3adadc0043cfde9855','854f3eb666d1e5739ddc7570656a72211192586e','dee7b55737e7fd169e51a83f2c0aeecc342d5c654de6c04ab868a6b743307029',1541600262);
+	INSERT INTO entry_data VALUES(2051,2020933,282,'rw-r--r--',NULL,0,0,'root','root','1afb0460de0852548e761ca2d0534d39','c70fd1a54a36750fb70899a1e8be7688a37feed4','a4d56942cba6582596e38f5ce79e8ff127b363c05534f49b40aad1538ca0607e',1541600262);
+	INSERT INTO entry_data VALUES(2051,2020934,283,'rw-r--r--',NULL,0,0,'root','root','57db8310742ff5119efc88de80bec090','29c2a2a36c98b31d34eafb3fe389ba011a360e1d','e0ed2365ac3d64ce2f3e7b1d148e8ac7a19dc47539b25a1966e442c65ab81483',1587755147);
+	INSERT INTO entry_data VALUES(2051,51712681,372,'rw-r--r--',NULL,0,0,'root','root','35e1a2257dc1cbeda48f1c225be73d30','42f891f85231f11af359d4cffe6a3287bcee008d','b16d92328ae5f039fb7577867ce2dc3cffcf165e8f94f0a06cc347d583067c38',1541600262);
+	INSERT INTO entry_data VALUES(2051,18345346,28,'rw-r--r--',NULL,0,0,'root','root','9548433a3fed333f0ae63ce393009e24','7b86e48defcf3c67c26d764c2679e18382793527','254e4f83b43e101c90b5f71359ad9b822507eab0861622c20287d4864d504925',1591914518);
+	INSERT INTO entry_data VALUES(2051,18234604,1174,'rw-r--r--',NULL,0,0,'root','root','f610551bb1e45b72634e79b9828e4ed2','8f960b31ec587012908fd1f884345e4943c2b679','484a39da56525341aa7171f1eb4ae5db2d1561f18792f1e452e85189915a4de1',1557925109);
+	INSERT INTO entry_data VALUES(2051,34495611,13186,'rw-------',NULL,0,0,'root','root','bc480823ff3a2590e95d30bb213b96a1','2c9110a29e869d620f6cd948a54475bcc9df83f5','79331b75af3b3abf8238651051f8a788ca1d0e1395230ce4713bea6580c8d0a0',1587700485);
+	INSERT INTO entry_data VALUES(2051,34495610,50,'rw-r--r--',NULL,0,0,'root','root','649b51b07caa02e359fe41b0b0b37034','519c181c88794d3512755a72622e6dc42cb6e776','6077a1c3c39c58b0f800fb56dddbf2002877a30f98cad29c2c74c645535da2f5',1591914213);
+	INSERT INTO entry_data VALUES(2051,18275406,450,'rw-r--r--',NULL,0,0,'root','root','7c1bbeb439d79ec32ff7d18cb1364e2f','b7d35ccebf8ce3b774a66e0faa7f0345bb5dfc9d','773f4c2f36c530e600e839ba09db0379faca7b056133da26c14fe36b4f6afa2d',1590686158);
+	INSERT INTO entry_data VALUES(2051,18275407,547,'rw-r--r--',NULL,0,0,'root','root','751c7c32cc3c48bd99a6ce4baf8767d0','c9096920705e8b61b6a33d37f44585ad5dc1cc8a','eec7b10d6930a141b2a2e04872c9c7382ca55011ec32c807f999ea322397f68b',1590686158);
+	INSERT INTO entry_data VALUES(2051,18284359,16529,'rw-r--r--',NULL,0,0,'root','root','873d34f2b231f93b5571a361c2c77d50','2a02db22e9ca58748cd1599ac6afdac1b63cc9ac','af94493a509833f1a634c957485b6a42e6b98fc31d8e1808718c9d7422c349bf',1590686158);
+	INSERT INTO entry_data VALUES(2051,18284360,3202,'rw-r--r--',NULL,0,0,'root','root','432fa7784cc3e3993cbc95c0438bf61c','11d50e987723a543497a6e9c8b004150c4f1fd16','60d97f2d5f251f691d22a90a6fb924709947a5ac9daf942c12ddc9775fcf2d79',1590686158);
+	INSERT INTO entry_data VALUES(2051,18284362,3247,'rw-r--r--',NULL,0,0,'root','root','a84d1b171afdbe9246b8febdd7652c06','60abeb302511e0e7c23252966a147d5daa11597a','a001661d77fd52ac72f3d3fff5e82cb8062e40de1d64d1aaa8a430cc2a16b3ef',1590686158);
+	INSERT INTO entry_data VALUES(2051,51776941,14,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1591914216);
+	INSERT INTO entry_data VALUES(2051,34862692,576,'rw-------',NULL,0,0,'root','root','b6e42194af8b6fed283b2202ed4662ed','d2b75619bc0e5b0e9d7b369c8b0c32655c47fd78','255094e01af213adcd82bbf277f3fcd9378d503ff69d5314b563811a5f2277f0',1591914575);
+	INSERT INTO entry_data VALUES(2051,18396144,2169,'rw-r--r--',NULL,0,0,'root','root','1f8c81f893744cb62272e77d039af02e','b5a104997651517fb0b7f210b971bb99acab3960','3d85007a9badd5d8a367f1cab4b07597a869ad907b0d63fc47903f9dde72b04f',1590686158);
+	INSERT INTO entry_data VALUES(2051,18396145,30294,'rw-r--r--',NULL,0,0,'root','root','c8f38b26905977b92583edfa0ee38069','3457b2b9bc2a239846bb76645be75989ae9b90d2','9ae53794c25a194c26bb0cf82f56e6ab2c04b4f90d9a2c48a289d2c5f29b0861',1590686158);
+	INSERT INTO entry_data VALUES(2051,51795554,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587699914);
+	INSERT INTO entry_data VALUES(2051,2044910,17,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587699914);
+	INSERT INTO entry_data VALUES(2051,2081805,4364,'rwxr-xr-x',NULL,0,0,'root','root','370468e5f19a306e29d39fbf7b72cf08','c37967f401d16fa37736cbe08809d3d66c8f516a','1aae06b3e3db93584b27ddf24ecd58e7a080f33c160f0186ec9b50ab32bc9a92',1587697551);
+	INSERT INTO entry_data VALUES(2051,2081806,4364,'rwxr-xr-x',NULL,0,0,'root','root','370468e5f19a306e29d39fbf7b72cf08','c37967f401d16fa37736cbe08809d3d66c8f516a','1aae06b3e3db93584b27ddf24ecd58e7a080f33c160f0186ec9b50ab32bc9a92',1587697551);
+	INSERT INTO entry_data VALUES(2051,2067202,4364,'rwxr-xr-x',NULL,0,0,'root','root','370468e5f19a306e29d39fbf7b72cf08','c37967f401d16fa37736cbe08809d3d66c8f516a','1aae06b3e3db93584b27ddf24ecd58e7a080f33c160f0186ec9b50ab32bc9a92',1587697551);
+	INSERT INTO entry_data VALUES(2051,34503585,15148,'rwxr-xr-x',NULL,0,0,'root','root','7c883dc469e547173590875efbce5c89','bb1899fe4279afda46c018dd00acb659fe94f848','df715712a819ae56f8dd7b49ccbdaa31ac7068089351892d0b38b46d0530bb1f',1567325481);
+	INSERT INTO entry_data VALUES(2051,2067203,1478,'rwxr-xr-x',NULL,0,0,'root','root','9ebfc4a9aa22fe49491ad4ac47d4d22c','473d0cce84003279a1140ee89a580f53ae2b0673','52214fe78f973980e91b2703e9c7d6a44b8a50b19173bc9e148e609871463615',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067204,4364,'rwxr-xr-x',NULL,0,0,'root','root','370468e5f19a306e29d39fbf7b72cf08','c37967f401d16fa37736cbe08809d3d66c8f516a','1aae06b3e3db93584b27ddf24ecd58e7a080f33c160f0186ec9b50ab32bc9a92',1587697551);
+	INSERT INTO entry_data VALUES(2051,2067209,5783,'rw-r--r--',NULL,0,0,'root','root','9308e8b04cbf7d2748a287ace40878ea','9f83aa1a95984642b2630b864d5ed5666f63d0c1','2106a0c4622d9226cc0ec5cd29f6c6d0a2661dc20146c33a9963209ff45f2476',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067210,1215,'rw-r--r--',NULL,0,0,'root','root','e1059f0307358c02766193e5e24c107b','d35580399a6664205387bfce1c69286b3d983991','21992a2e3e7825a9d6dedd65d74a2ff7c2e3eb537c82e3e32342189428413637',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067211,16072,'rw-r--r--',NULL,0,0,'root','root','86eafc21ca4ab293b7515e453c2b5dfe','832d99139d00b0a3b6d1b43dfc02b374ea81e842','204cb6ad710fc9cbde4395717959074dacb0ca00717357fc5942c977b38c6969',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067212,86435,'rw-r--r--',NULL,0,0,'root','root','54f86ef1a7a41930ba250151f143069b','3377c4eaf7594d11b4dc06a801ddedbc6733a6a9','3ce0ac07bd8baed8a966cb681615339be3e30ace7c8feb544a054fe9a3338291',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067213,473,'rw-r--r--',NULL,0,0,'root','root','de4f8846e6e571af9feddd834b33a9be','a5a3b302c2f4f7fbd01d8a2bfbf7bbcd20516564','b99af90ca7348099c7db9784bc4b469319e7c26788cd5a5b3cfc6c2cf6bae459',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067214,6356,'rw-r--r--',NULL,0,0,'root','root','c61228050bb7c1c28a7f659f86a6e6c9','d6b5802135047a6606b07c4e66c981291460f247','066f22046f66a4d2c7086dd1c91ed29df087dadb37cfc1ca96434e98ec33bbc3',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067215,13160,'rw-r--r--',NULL,0,0,'root','root','612084dbce32687eef288f56569de391','43bf3338279f03fb3e071a0a0406cbd038037eaf','006eb7553843cb7baa9b08da2a9d444346c0e982fb9d9293babe08ede680924b',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067216,5146,'rw-r--r--',NULL,0,0,'root','root','4e7be0e2cae08227fd9ddb261c1e4e93','d74815670dea186c0eaa34d5427e222cb5c94399','bdc32bdbb3e9fc91f9601d7bbfafba256bb50f09b7aeba3c834a2acef400fbb3',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067217,8768,'rw-r--r--',NULL,0,0,'root','root','d4314590e7e7aaf6bcd508be0fd1c614','0c4c61cf1ea83e6441f72da1884361335844f752','2d7607cb989486773963a05f3be9d64d73c8b0c723f9a006fda26b491ebb6ab4',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067218,10144,'rw-r--r--',NULL,0,0,'root','root','dff329f34df298d952d2e800a097c431','769fa5d74844286153dd89135a1b9276e648ffc3','6ea9c033adad468ddc4a75c5efa722988887dae41f97d07914050dfca59773e1',1567325502);
+	INSERT INTO entry_data VALUES(2051,2067207,60,'rw-r--r--',NULL,0,0,'root','root','f69cdba593a31a44773ccb174ba7d90c','43f5951e515e40e5f81c0bd04b924e98b53efabd','30a4e3ba0b735ea038ed89ce654e0a284362e4c2e8dc7c252616eac66732e5da',1587697575);
+	INSERT INTO entry_data VALUES(2051,2067205,8132,'rw-r--r--',NULL,0,0,'root','root','b51a1b7cc18985d38bf16006fcb54d83','a70d091d0ff70a809ae1a70516af30231d6c3bcc','975454833fcd78a879dad06f9dc7dd5c016ee75232622e5d8def0a91358233cf',1567325502);
+	INSERT INTO entry_data VALUES(2051,2076567,35,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1592310217);
+	INSERT INTO entry_data VALUES(2051,18284361,18,'rw-r--r--',NULL,0,0,'root','root','d5977e9951dbf89ba9440b7271f6d502','c8c10c38a350bb94ef4a5921e0a95321a32d534a','110ffac8e7d47ca858a9039411e0586859a7052ef05443e0f80e5ec217e5850c',1587700098);
+	INSERT INTO entry_data VALUES(2051,18333035,24,'rw-r--r--',NULL,0,0,'root','root','21ed70f6bcf44093f561c217513d7182','a9f38cd25cf7a22305e855ab6b54a241948546e3','c8090335b3d2d05f24ab97657b41e6b60b838f05307638decbd0c4e151d51095',1557586446);
+	INSERT INTO entry_data VALUES(2051,17597450,1108,'rw-r--r--',NULL,0,0,'root','root','6f54d75425984eebc0a03b7a45bc6f6f','ebb8b6bc795bffc4433123ca16842e3e01d2a2f3','53cbfdbdd04a1136a2cdd29319a3449c2dbbedefdf780515e1d61a54cc704838',1587694061);
+	INSERT INTO entry_data VALUES(2051,18300722,7916,'rw-r--r--',NULL,0,0,'root','root','bc0c46c812f427162da744e21ce38afd','a8236e17293e3b52872b9d7623829d38abd3fa6c','abfbeae87e381d3b00b767ddd6d6cb80ce962bd2d622e276113dbdb83c573700',1592310179);
+	INSERT INTO entry_data VALUES(2051,18592374,5165,'rw-r--r--',NULL,0,0,'root','root','878d4e006554fb07966e261bd4e8655e','6b4697388d3a58b5a7d35e2cef10f6728805a018','23799919063e8630689a6fe88b44a2e2834e651ef3522f8ec086bc40c4eb81be',1557586659);
+	INSERT INTO entry_data VALUES(2051,17934208,5122,'rw-r--r--',NULL,0,0,'root','root','dc25507ea23f614e5993600fb71b1228','af0547ab5b3e0f9f92c907fe6337d2f6566c4c68','b789d52eeff476170729617551bd35df0a4a5ab22ed80a55cd4356f9b96fab7c',1587748025);
+	INSERT INTO entry_data VALUES(2051,34524569,251,'rw-r--r--',NULL,0,0,'root','root','a84103ddb12c6a515a5ccda87e6f7192','cf8cf6e6b938f33805800747331aea23863e3b9c','b9c2c8bb0c4e84f419bbc4d0d18d934f3cdfb627d61f8c00080b5e6847852fed',1573570646);
+	INSERT INTO entry_data VALUES(2051,2102141,72,'rw-r--r--',NULL,0,0,'root','root','24daf82d39f693f165421e6cddf0a471','3b063bd8cdb99c3928bb63e7b72ac9bbd36bab7d','0033f4915526f0484fa1ef48a75725074b03f5855e6e1d7dfd043f608aac7d95',1586986059);
+	INSERT INTO entry_data VALUES(2051,19981920,121,'rw-r-----',NULL,0,975,'root','wazuh','b1eb5f24da70c99dc89ab729d4cafa73','7603aadc468db6f0a416656bf61745481de2fe5d','ecce3628d09e9fc6d8afbee7fc553baf463acd4ec4686af3bf0772273d3b5811',1591918060);
+	INSERT INTO entry_data VALUES(2051,18333034,438,'rw-r--r--',NULL,0,0,'root','root','4283e38e912049e6bfbdb78f59b54b9d','af68de4e50f46a643fa11d6e2e93cef399197bf5','3650710b79bac4fb10a3fee8fd99e91d51425cae792d1630407570ef86b4ca05',1519034485);
+	INSERT INTO entry_data VALUES(2051,16794491,208,'rw-r--r--',NULL,0,0,'root','root','787c0ce8b96dc083afe7fc1bda5a9f61','9c6cb1691f42805dd2dc6aedc7ca8f7689412300','4cf439950303ed531f78315ddf90c1e61328910ebfcc06035beb9c6b24373331',1591914058);
+	INSERT INTO entry_data VALUES(2051,18333039,3185,'rw-r--r--',NULL,0,0,'root','root','3858c26c366917ff96d337d80f7af14e','56af96750e49dba376d98f75c70ca8d1153b5d91','b7a5e3e9291c8d784e9723de0b39280c3027a22a13f9670158e5a116f4a71ed5',1587692798);
+	INSERT INTO entry_data VALUES(2051,18333024,265,'rw-r--r--',NULL,0,0,'root','root','e4656e7766a3492c8932af654fe88411','5f101b1a6a114aa5286d4de0a8f37c8aac980a15','164d8eab8fcf0c34cbbc2642289f97b49e96b20747a37f42332b7ee8f7f9aefe',1587693790);
+	INSERT INTO entry_data VALUES(2051,17934230,1042,'rw-r--r--',NULL,0,0,'root','root','2275d52abfc48de108d58587c12cb771','d3df313bb22b6d13ee470f027bc74b252a47cfd1','58d76eeca3e5e9f6ef1cce2e650c39f955299d0b2c737966751da2a8833441f9',1587699739);
+	INSERT INTO entry_data VALUES(2051,18353872,3606,'rw-r--r--',NULL,0,0,'root','root','a07d8d8fce03c91ed32b0cd17bd2d547','69d7897e3e008953905101a9359632db73d2a80f','5f7cad4c4b911361404e051ab9e630e9b7bacb097d4ebd687c4e8159e35e3ea7',1587699739);
+	INSERT INTO entry_data VALUES(2051,18400483,314,'rw-r--r--',NULL,0,0,'root','root','332a7cffa69102648a83e6819cefe5e3','a3486c43ca6547ec07d99f9246d687fe64c9f865','1c0d9d9190f1f5ceb924cbf458bc5c5c0067e46073836f9a36fbd5b6c8371b67',1576186804);
+	INSERT INTO entry_data VALUES(2051,34715535,14,'rw-r--r--',NULL,0,0,'root','root','9a561d913bcdb5a659ec2dd035975a8e','633f07e1b5698d04352d5dca735869bf2fe77897','5f1091c0497ab2eda81278ea5258e1d2dffe2c41812a66d8396fdc9626cd48e7',1596036386);
+	INSERT INTO entry_data VALUES(2051,34633891,1111,'rw-r--r--',NULL,0,0,'root','root','03bd172aff0dca2bda0a51998100cd73','5e5ca150d2d647719fe3b66c600194ba0f4d7269','c3c7f45bb2a724dc9b3edd19e2d89d4d7d2e42942610b0d61b9bdc4485eea02d',1576084396);
+	INSERT INTO entry_data VALUES(2051,34633892,5,'rw-r--r--',NULL,0,0,'root','root','451e20aff0f489cd2f7d4d73533aa961','43683f4e92c48be4b00ddd86e011a4f27fcdbeb5','6d1dbb9c582de44ad1dbc0d24eca4d831d8172bef0593680ecd24f6d0ce9def5',1596036386);
+	INSERT INTO entry_data VALUES(2051,34715531,1305,'rw-r--r--',NULL,0,0,'root','root','4ca31570088a29ecccd1f6666944cb20','386e97df61ec98b125980322cf4db76419e0855b','d4ebf0fb484540caf9e8adcbed5a3383e184f0e3c0f165d21743b9a658dfe109',1587698363);
+	INSERT INTO entry_data VALUES(2051,18277013,12,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1587758264);
+	INSERT INTO entry_data VALUES(2051,18434873,22,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1586876036);
+	INSERT INTO entry_data VALUES(2051,18412232,2747,'rw-r--r--',NULL,0,0,'root','root','3d6d52b5f00371ce6775cd02b446ceb4','5b6aefcb92828b99f6fb585ec0325d4732232b49','4b761a2c78c6a3adebef971d5e7e36ff4b763d6f4bc3f7a8654729e3481f8c81',1587697347);
+	INSERT INTO entry_data VALUES(2051,18276990,283,'rw-r--r--',NULL,0,0,'root','root','3ce2a388e9745d4ae76cfda63dc7524f','1a702f0bccabb8c24d92a5321ca5a768d5999eef','1159832d02f6cbc07168297856f890f7ccb9182e16cb8d1895659db236f4cc21',1587697347);
+	INSERT INTO entry_data VALUES(2051,34855596,417,'rw-r--r--',NULL,0,0,'root','root','3bf7c59a03cfa379fb6e7b3c8357f3d9','f1f862505c26f1a0284a35a6c68f047eb26093ea','19a10bf0d864def87118fbe33891ba677c406f35bbbe4d5044eedba8c31c3075',1591971981);
+	INSERT INTO entry_data VALUES(2051,34862686,380,'rw-r--r--',NULL,0,0,'root','root','b28f501d0d7121d37a203595e6c409d1','5406ad88b928a3f8fb16d3a361127653825a7b5e','409523f1ef41bc2542869b38179342f49950c805a497a73b63b2fa255acce43b',1591971714);
+	INSERT INTO entry_data VALUES(2051,18277083,4925,'rw-r--r--',NULL,0,0,'root','root','4b531524aa13c8a54614100b570b3dc7','7902feb66d0bcbe4eb88e1bfacf28befc38bd58b','e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a',1578075431);
+	INSERT INTO entry_data VALUES(2051,18277113,2872,'rw-r--r--',NULL,0,0,'root','root','c5265e95bfafc37a820e4118cc94da13','8a8a9177001a09acf016cf06fb5f25ddc44f9621','d180f4a32a79e251342f216b5097b5c4e46a3113b2e581bbec6bb05825d68147',1557806864);
+	INSERT INTO entry_data VALUES(2051,18345253,138,'rw-r--r--',NULL,0,0,'root','root','5d35541d70c49cb27306ed0ec94472d5','6bcbf569c12041def3a7f37430568050e097762a','1b623eacd3f5e561cfc9a7b05574e465ebc3cc16bd70d3402cea541041376969',1591818370);
+	INSERT INTO entry_data VALUES(2051,34738091,1753,'rw-r--r--',NULL,0,0,'root','root','8d4be860ead4cacc2ba5f77e7fadb11d','048eaf325c577ff4cf6ea923d7a8e25496d98416','f97a040cf49b7475cb21bf5e806797233eb445f1ddf9044ab7ce3079fe61a008',1499681699);
+	INSERT INTO entry_data VALUES(2051,52195433,127,'rw-r--r--',NULL,0,0,'root','root','fe9ad2d5c4c79122a99b4d5ed44fda0e','d7948ef155843e0c7d055bdc3632877b49873864','3c71b358be81e13b1c24e199a119fd001dbcdb90edc7d44c2c7ae175321a0215',1569937469);
+	INSERT INTO entry_data VALUES(2051,34738092,1121,'rw-r--r--',NULL,0,0,'root','root','186990ae1edac95a88dbef6a36a07716','8a246ebd5f0b1b762e55779808ece2a12f2491b6','d16fca08d5054e14ffa9b0cb919263f4f21db379da4058ea745d3ec467f32afd',1499681699);
+	INSERT INTO entry_data VALUES(2051,18589177,1,'rw-r--r--',NULL,0,0,'root','root','68b329da9893e34099c7d8ad5cb9c940','adc83b19e793491b1c6ea0fd8b46cd9f32e592fc','01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b',1557580342);
+	INSERT INTO entry_data VALUES(2051,18589248,1040,'rw-r--r--',NULL,0,0,'root','root','5027a26e8977a1ba5c15686117bda65e','61158b216b839b590954aeb571bc3e314fc045aa','c45ae683d7886f1e233fbe6fdbe9afa85b681683599b379d984d274f7217283b',1587698126);
+	INSERT INTO entry_data VALUES(2051,18589250,524,'rw-r--r--',NULL,0,0,'root','root','791ccf53a09097919390e59d585648fb','c3d0814c8a261cd5eb6e3f410beea7c091a67f30','af68a62f7e0cabb3d9ff640b98ed05992e9b9c2a059d73d008abe09f26efe646',1587698126);
+	INSERT INTO entry_data VALUES(2051,18589251,902,'rwxr-xr-x',NULL,0,0,'root','root','684ab0218eecdc44cb2763de89c484ec','4240ebad8314fbc5bc20a0642d1ac5fdd4075898','6cf43030b25c53f955942ed323a7191cd58c626a3a99d3e766a0ce9f19552f51',1587698126);
+	INSERT INTO entry_data VALUES(2051,18589252,2191,'rwxr-xr-x',NULL,0,0,'root','root','f5219718fdef09f4ff9e22c9791344aa','e66ad882d2803fbafef36c1c1daf5614ec53e529','3e76bd00da1312542bc5fe4fabefb893aded22c029afce14e129ef7cdfebde69',1587698126);
+	INSERT INTO entry_data VALUES(2051,17762581,15146,'rw-r--r--',NULL,0,0,'root','root','82f2bd4eb21459f3295d29b89bdf4fae','df072c49a5e41283c73b3b8491acb5685f9cf586','60b5bf323af014e67281bd52a8c554f3b936508a75e1e4c77389a2b9261ed09c',1587698126);
+	INSERT INTO entry_data VALUES(2051,18632058,4760,'rw-r--r--',NULL,0,0,'root','root','b15a2210142d6148221a6ca48cf71767','f3b42a06371d7281ed8a4a755a3d0820398b9ac5','ec8c39a4884b7b94b15f55596e0f78bce02ff75a25f4e74d405dfd6a98789930',1573235191);
+	INSERT INTO entry_data VALUES(2051,18589254,232,'rw-------',NULL,0,0,'root','root','a22d3adba71785330b99cb33de8dbc7c','f1d376e78786e43341ac26281882fbf2d71e81f3','8302845a2d74fa262f41a806c0ac15075fc01bd20d116aaf003a3f0200ca2755',1587698126);
+	INSERT INTO entry_data VALUES(2051,2705351,1509,'rw-r--r--',NULL,0,0,'root','root','cd08c106709c005bf4ac648750bf151d','68f53bef6f55b3fde55a62404d7f3e27e27b83a2','cb97abe60244407ce8474b5b217c37ca93fd7b2dbb21f7c1760070141f05fe25',1586221665);
+	INSERT INTO entry_data VALUES(2051,18589253,1035,'rwxr-xr-x',NULL,0,0,'root','root','f8600f18411e3ee56019a0cc17db1b9d','d1e823028240f86f9287fa36cc2a16ac767f9a9f','df8d3b365cbddd8918b4bf2ff458c0e12c29e167073cee73cd78a9b2f90b4076',1571698634);
+	INSERT INTO entry_data VALUES(2051,18589258,1213,'rwxr-xr-x',NULL,0,0,'root','root','3487c759925982269aee1607dd53fd99','5a1dbb05c8a262108eed6a861682bf333dc9c4eb','214d074e97c34595ae4c2c381425b071bc23e43906bde813d80e4ddbbf8f3550',1571698634);
+	INSERT INTO entry_data VALUES(2051,18589259,1308,'rwxr-xr-x',NULL,0,0,'root','root','1e8fa151c9dbee6e4b1d900ecfe9d393','c1a03e7a5f206149d459e57f0718c811177ce0ff','150d3f38663ba0e57233f0f1d48ea3f70fe9ce7912407fe8fe780bc12da16e39',1571698634);
+	INSERT INTO entry_data VALUES(2051,18589260,1057,'rwxr-xr-x',NULL,0,0,'root','root','3be15d6f0129678e692dc676c27d7ca7','7c38298bdc1d2630a3711a217371a0ad8dca2dec','8fcf38e4027c41f337ecd497c09e1315e02f1b266e8328225c392bc762066afd',1571698634);
+	INSERT INTO entry_data VALUES(2051,18345361,0,'rw-r--r--',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1536580263);
+	INSERT INTO entry_data VALUES(2051,18434870,587,'rw-r--r--',NULL,0,0,'root','root','bfcda79532aa73956fdad38c2d28b439','027ddf14fd5fb9a1e9e04de5daa9feab9221bb7b','00b4386c4abe7ee6bc60f89b1d2aa76a23939c19c5fb50678de0829d96ae286f',1557586733);
+	INSERT INTO entry_data VALUES(2051,2707480,6774,'rw-r--r--',NULL,0,0,'root','root','94b171bacee23778588dac81ab24c4d5','2907f324efc8826bd15bd241d1753767f33d0299','02a605f77bc57153d3af9b42f121738fbdcb3ae7cdf7ec10045fc91e5ba11c57',1557589688);
+	INSERT INTO entry_data VALUES(2051,2707481,5898,'rwxr-xr-x',NULL,0,0,'root','root','76904f6b1167ba00dfd02e4f24b0a260','192c256590fab6df2723060318d5ec8ae6196c07','12259a3cbdc0a276f9e6776b245075760e770698d31f747dc5f7caa2423690f3',1557589688);
+	INSERT INTO entry_data VALUES(2051,51956777,1176,'rwxr-xr-x',NULL,0,0,'root','root','edd1386b08a2158dc4208ace018d9beb','ebaa59c9e9d7a198d3a86ebf131b3589ae533c02','215dd88b1e6f582c4ed415f69c80e740de6e77e99eaa01ea3957bc844e4e4ff4',1524587447);
+	INSERT INTO entry_data VALUES(2051,16943899,692252,'rw-r--r--',NULL,0,0,'root','root','87691a7a9ac41be0fc7235d49ab9a6d2','2c36cb01508c1050c2f0e82a25e1dff777d58a25','ac7ed9a0608f2ee925d17dfa8154102f56d863e0ab53f39053ff27120ce571ce',1586215878);
+	INSERT INTO entry_data VALUES(2051,18590925,3181,'rw-r-----',NULL,0,0,'root','root','60eac7835f1d36c4ffdcb401a84c3e6c','be492fd5c55fa9900213af968099ffeee30707a5','047ba849dddb852be8244c997a458e6870f9c4b9c2ffafed67a3d30030931eea',1587694981);
+	INSERT INTO entry_data VALUES(2051,18591103,1786,'rw-r-----',NULL,0,0,'root','root','5d796b9d28e62cecda9df8ffbfb2f962','b56ed8b23d88008fed7061aa899d8db28234851b','0444c33410ee449e062fb6aa1ae604e10faf22eb7724b758dbd276c8c8516977',1587694981);
+	INSERT INTO entry_data VALUES(2051,17154852,2197,'rw-r--r--',NULL,0,0,'root','root','83b94adb68c0aca38b1f48856bc2e3b7','1f51be8e95e817c3577ae956ad4d643c5d6f6c94','eaecde680c4130f71a86bdd41e1deb39d5f30d490efa0d237db822caa0df8640',1588351808);
+	INSERT INTO entry_data VALUES(2051,2092,7,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557534786);
+	INSERT INTO entry_data VALUES(2051,146,8,'rwxrwxrwx',NULL,0,0,'root','root','d41d8cd98f00b204e9800998ecf8427e','da39a3ee5e6b4b0d3255bfef95601890afd80709','e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',1557534786);
+	CREATE INDEX path_index ON entry_path (path);
+	CREATE INDEX inode_index ON entry_path (inode_id);
+	CREATE INDEX dev_inode_index ON entry_data (dev, inode);
+	COMMIT;)"
+};
+#endif //_FIM_DB_DUMP_H
diff --git a/src/common/dbsync/integrationTests/fim/fimIntegrationTest.cpp b/src/common/dbsync/integrationTests/fim/fimIntegrationTest.cpp
new file mode 100644
index 0000000000..5cf55ffa46
--- /dev/null
+++ b/src/common/dbsync/integrationTests/fim/fimIntegrationTest.cpp
@@ -0,0 +1,346 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * August 6, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <fstream>
+#include <iostream>
+#include "json.hpp"
+#include "dbsync.h"
+#include "fimIntegrationTest.h"
+#include "fimDbDump.h"
+#include "cjsonSmartDeleter.hpp"
+using ::testing::_;
+
+constexpr auto DATABASE_TEMP {"FIM_TEMP.db"};
+
+class CallbackMock
+{
+    public:
+        CallbackMock() = default;
+        ~CallbackMock() = default;
+        MOCK_METHOD(void, callbackMock, (ReturnTypeCallback result_type, const nlohmann::json&), ());
+};
+
+static void callback(const ReturnTypeCallback type,
+                     const cJSON* json,
+                     void* ctx)
+{
+    CallbackMock* wrapper { reinterpret_cast<CallbackMock*>(ctx)};
+    const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(json) };
+    wrapper->callbackMock(type, nlohmann::json::parse(spJsonBytes.get()));
+}
+
+static void logFunction(const char* msg)
+{
+    if (msg)
+    {
+        std::cout << msg << std::endl;
+    }
+}
+
+DBSyncFimIntegrationTest::DBSyncFimIntegrationTest()
+    : m_dbHandle{ dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, FIM_SQL_DB_DUMP) }
+{
+    dbsync_initialize(&logFunction);
+}
+
+DBSyncFimIntegrationTest::~DBSyncFimIntegrationTest()
+{
+    EXPECT_NO_THROW(dbsync_teardown());
+    std::remove(DATABASE_TEMP);
+}
+
+void DBSyncFimIntegrationTest::SetUp()
+{
+};
+
+void DBSyncFimIntegrationTest::TearDown()
+{
+};
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_PATH)
+{
+    const auto expectedResult
+    {
+        R"({"checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a",
+            "dev":2051,
+            "entry_type":0,
+            "gid":0,
+            "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+            "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+            "inode":18277083,
+            "inode_id":1877,
+            "last_event":1596489275,
+            "mode":0,
+            "mtime":1578075431,
+            "options":131583,
+            "path":"/etc/wgetrc",
+            "perm":"rw-r--r--",
+            "scanned":0,
+            "size":4925,
+            "uid":0,
+            "user_name":"root"}
+            )"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["path, inode_id, mode, last_event, entry_type, scanned, options, checksum, dev, inode, size, perm, attributes, uid, gid, user_name, group_name, hash_md5, hash_sha1, hash_sha256, mtime"],
+           "row_filter":"INNER JOIN entry_data ON path ='/etc/wgetrc' AND entry_data.rowid = entry_path.inode_id",
+           "distinct_opt":false,
+           "order_by_opt":"",
+           "count_opt":100}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_LAST_PATH)
+{
+    const auto expectedResult
+    {
+        R"({"path":"/sbin"})"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["path"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"path DESC",
+           "count_opt":1}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_FIRST_PATH)
+{
+    const auto expectedResult
+    {
+        R"({"path":"/bin"})"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["path"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"path ASC",
+           "count_opt":1}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_ALL_ENTRIES)
+{
+    const auto selectSql
+    {
+        R"({"table":"entry_data",
+           "query":{"column_list":["path,
+                                    inode_id,
+                                    mode,
+                                    last_event,
+                                    entry_type,
+                                    scanned,
+                                    options,
+                                    checksum,
+                                    dev,
+                                    inode,
+                                    size,
+                                    perm,
+                                    attributes,
+                                    uid,
+                                    gid,
+                                    user_name,
+                                    group_name,
+                                    hash_md5,
+                                    hash_sha1,
+                                    hash_sha256,
+                                    mtime"],
+           "row_filter":"INNER JOIN entry_path ON inode_id = entry_data.rowid",
+           "distinct_opt":false,
+           "order_by_opt":"path ASC"}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, _)).Times(1904);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_COUNT_RANGE)
+{
+    const auto expectedResult
+    {
+        "{\"count(*)\":13}"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["count(*) "],
+           "row_filter":"INNER JOIN entry_data ON entry_data.rowid = entry_path.inode_id WHERE path BETWEEN '/etc/yum.conf' and '/etc/yum.repos.d/CentOS-centosplus.repo' ORDER BY path",
+           "distinct_opt":false,
+           "order_by_opt":""}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_PATH_RANGE)
+{
+    const auto expectedResult1
+    {
+        R"({"checksum":"e100589b9f75b293ea2fc718fb39ecedddf1f381",
+            "dev":2051,"entry_type":0,"gid":0,"group_name":"root",
+            "hash_md5":"d41d8cd98f00b204e9800998ecf8427e",
+            "hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
+            "hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+            "inode":18277013,"inode_id":1871,"last_event":1596489275,"mode":0,
+            "mtime":1587758264,"options":131583,"path":"/etc/yum.conf",
+            "perm":"rwxrwxrwx","scanned":0,"size":12,"uid":0,"user_name":"root"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"checksum":"eeb46d0e85f635cd8595afc3447b21686c8fedb3",
+           "dev":2051,"entry_type":0,"gid":0,"group_name":"root",
+           "hash_md5":"349e00330684b1b1443904956aa0b241",
+           "hash_sha1":"f945fe1ad48aa9c367d2a131a4f7a659db6c1967",
+           "hash_sha256":"0e3a78178a75c13d71cfc2fafb3072a009733414a90802b2b67ccc7279e050cd",
+           "inode":2078,"inode_id":604,"last_event":1596489275,"mode":0,
+           "mtime":1591146169,"options":131583,"path":"/etc/yum.repos.d/CentOS-AppStream.repo",
+           "perm":"rw-r--r--","scanned":1,"size":731,"uid":0,"user_name":"root"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"checksum":"e24f1dfcba64d3dea78c6840893c77539f44638f",
+           "dev":2051,"entry_type":0,"gid":0,"group_name":"root",
+           "hash_md5":"7449031222431c7cbac19313af55aca4",
+           "hash_sha1":"640746d2388b9500b300e2a45878e81e5473aa83",
+           "hash_sha256":"ee7da6f7be6623cc6da7613777def9c9801073d725f686eb4e3812584e3e417d",
+           "inode":2079,"inode_id":605,"last_event":1596489275,"mode":0,
+           "mtime":1591146169,"options":131583,"path":"/etc/yum.repos.d/CentOS-Base.repo",
+           "perm":"rw-r--r--","scanned":1,"size":712,"uid":0,"user_name":"root"})"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["path,
+                                    inode_id,
+                                    mode,
+                                    last_event,
+                                    entry_type,
+                                    scanned,
+                                    options,
+                                    checksum,
+                                    dev,
+                                    inode,
+                                    size,
+                                    perm,
+                                    attributes,
+                                    uid,
+                                    gid,
+                                    user_name,
+                                    group_name,
+                                    hash_md5,
+                                    hash_sha1,
+                                    hash_sha256,
+                                    mtime"],
+           "row_filter":"INNER JOIN entry_data ON entry_data.rowid = entry_path.inode_id WHERE path BETWEEN '/etc/yum.conf' and '/etc/yum.repos.d/CentOS-Base.repo' ORDER BY path",
+           "distinct_opt":false,
+           "order_by_opt":""}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult1))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult2))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult3))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_PATHS_INODE)
+{
+    const auto expectedResult
+    {
+        R"({"path":"/etc/yum.repos.d/CentOS-Base.repo"})"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["path"],
+           "row_filter":"INNER JOIN entry_data ON entry_data.rowid=entry_path.inode_id WHERE entry_data.inode=2079 AND entry_data.dev=2051",
+           "distinct_opt":false,
+           "order_by_opt":""}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_PATHS_INODE_COUNT)
+{
+    const auto expectedResult
+    {
+        "{\"count(*)\":1}"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["count(*) "],
+           "row_filter":"INNER JOIN entry_data ON entry_data.rowid=entry_path.inode_id WHERE entry_data.inode=2078 AND entry_data.dev=2051",
+           "distinct_opt":false,
+           "order_by_opt":""}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
+
+TEST_F(DBSyncFimIntegrationTest, FIMDB_STMT_GET_COUNT_PATH)
+{
+    const auto expectedResult
+    {
+        "{\"count(*)\":1906}"
+    };
+    const auto selectSql
+    {
+        R"({"table":"entry_path",
+           "query":{"column_list":["count(*) "],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":""}})"
+    };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelect{ cJSON_Parse(selectSql) };
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(expectedResult))).Times(1);
+    EXPECT_EQ(0, dbsync_select_rows(m_dbHandle, jsSelect.get(), callbackData));
+}
diff --git a/src/common/dbsync/integrationTests/fim/fimIntegrationTest.h b/src/common/dbsync/integrationTests/fim/fimIntegrationTest.h
new file mode 100644
index 0000000000..6d59f7ac24
--- /dev/null
+++ b/src/common/dbsync/integrationTests/fim/fimIntegrationTest.h
@@ -0,0 +1,30 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * August 6, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBYSNC_FIM_INTEGRATION_TEST_H
+#define _DBYSNC_FIM_INTEGRATION_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class DBSyncFimIntegrationTest : public ::testing::Test
+{
+    protected:
+
+        DBSyncFimIntegrationTest();
+        virtual ~DBSyncFimIntegrationTest();
+
+        void SetUp() override;
+        void TearDown() override;
+        const DBSYNC_HANDLE m_dbHandle;
+};
+
+#endif // _DBYSNC_FIM_INTEGRATION_TEST_H
diff --git a/src/common/dbsync/integrationTests/fim/main.cpp b/src/common/dbsync/integrationTests/fim/main.cpp
new file mode 100644
index 0000000000..ab2080e354
--- /dev/null
+++ b/src/common/dbsync/integrationTests/fim/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * August 6, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/Readme.md b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/Readme.md
new file mode 100644
index 0000000000..30bf007544
--- /dev/null
+++ b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/Readme.md
@@ -0,0 +1,14 @@
+# Insertion Update Delete and Select
+This test represents a common use case where the following steps will be followed:
+1) Create the database based on the `sql_statement` option under the `config.json` file.
+2) Insert the `inputSyncRowInsert.json` file's data into the DB.
+3) Update the DB with the `inputSyncRowModified.json` file's data.
+4) Delete some DB data based on the `deleteRows.json` file's data.
+5) Select rows based on `inputSelectRows.json` file's data.
+
+# Execution
+In order to execute this test it would be needed the `dbsync_test_tool` binary and the command line will look like the following one:
+```
+$> ./dbsync_test_tool -c config.json -a inputSyncRowInsert.json,inputSyncRowModified.json,deleteRows.json,inputSelectRows.json -o ./output
+```
+
diff --git a/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/deleteRows.json b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/deleteRows.json
new file mode 100644
index 0000000000..f8f5361dcc
--- /dev/null
+++ b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/deleteRows.json
@@ -0,0 +1,74 @@
+{
+    "action": "dbsync_delete_rows",
+    "body": {
+        "table":"processes",
+        "query": {
+            "data":[
+                {
+                    "pid":4,
+                    "name":"System",
+                    "path":"",
+                    "cmdline":"",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                },
+                {
+                    "pid":6,
+                    "name":"System",
+                    "path":"/usr/lib",
+                    "cmdline":"whoami",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                }],
+            "row_filter_opt":"pid>=4"
+        }
+    }
+}
diff --git a/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSelectRows.json b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSelectRows.json
new file mode 100644
index 0000000000..4109b3572e
--- /dev/null
+++ b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSelectRows.json
@@ -0,0 +1,13 @@
+{
+    "action": "dbsync_select_rows",
+    "body": {
+    	"table":"processes",
+     	"query":{
+     		"column_list":["pid","name","path","cmdline"],
+            "row_filter":"WHERE pid>5",
+            "distinct_opt":false,
+            "order_by_opt":"",
+            "count_opt":100
+        }
+    }
+}
diff --git a/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowInsert.json b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowInsert.json
new file mode 100644
index 0000000000..b14f118717
--- /dev/null
+++ b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowInsert.json
@@ -0,0 +1,136 @@
+{
+"action": "dbsync_sync_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":6,
+                "name":"User",
+                "path":"/usr/lib",
+                "cmdline":"nano",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":7,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowModified.json b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowModified.json
new file mode 100644
index 0000000000..ecc876f59e
--- /dev/null
+++ b/src/common/dbsync/smokeTests/InsertionUpdateDeleteSelect/inputSyncRowModified.json
@@ -0,0 +1,40 @@
+{
+"action": "dbsync_sync_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"User",
+                "path":"",
+                "cmdline":"Guake",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":1,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }  
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/Readme.md b/src/common/dbsync/smokeTests/Readme.md
new file mode 100644
index 0000000000..52174c4b5d
--- /dev/null
+++ b/src/common/dbsync/smokeTests/Readme.md
@@ -0,0 +1,10 @@
+# DBSync Smoke Tests
+## Index
+1. [Purpose](#purpose)
+2. [Folder Structure](#folder-structure)
+
+## Purpose
+The DBSync Smoke Tests have been created to stimulate the entire DBSync library APIsthrough the DBSync Tool. For more information about the DBSync Test Tool go to the [testtool Readme file.](../testtool/README.md)
+
+## Folder Structure
+Each folder represents an use case and it contains the necessary files to validated that specific use case. Moreover, each folder has each own Readme.md explaning the specific case and the expected result.
diff --git a/src/common/dbsync/smokeTests/config.json b/src/common/dbsync/smokeTests/config.json
new file mode 100644
index 0000000000..54ff376547
--- /dev/null
+++ b/src/common/dbsync/smokeTests/config.json
@@ -0,0 +1,7 @@
+{
+    "db_name": "temp.db",
+    "db_type": "1",
+    "host_type": "1",    
+    "persistance": "",
+    "sql_statement":"CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;CREATE TABLE processes_sockets(`socket_id` BIGINT, `pid` BIGINT, PRIMARY KEY (`socket_id`)) WITHOUT ROWID;"
+}
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/snapshotsUpdate/Readme.md b/src/common/dbsync/smokeTests/snapshotsUpdate/Readme.md
new file mode 100644
index 0000000000..7201391a88
--- /dev/null
+++ b/src/common/dbsync/smokeTests/snapshotsUpdate/Readme.md
@@ -0,0 +1,13 @@
+# Txn Operation
+This test represents a case where the following steps will be followed:
+1) Create the database based on the `sql_statement` option under the `config.json` file.
+2) Insert the `insertData.json` file's data into the DB.
+3) Update the DB with the `updateWithSnapshot.json` file's data.
+4) Close the transaction.
+
+# Execution
+In order to execute this test it would be needed the `dbsync_test_tool` binary and the command line will look like the following one:
+```
+$> ./dbsync_test_tool -c config.json -a insertData.json,updateWithSnapshot.json -o ./output
+```
+
diff --git a/src/common/dbsync/smokeTests/snapshotsUpdate/insertData.json b/src/common/dbsync/smokeTests/snapshotsUpdate/insertData.json
new file mode 100644
index 0000000000..71ccf64a50
--- /dev/null
+++ b/src/common/dbsync/smokeTests/snapshotsUpdate/insertData.json
@@ -0,0 +1,200 @@
+{
+"action": "dbsync_insert_data",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":6,
+                "name":"User",
+                "path":"/usr/lib",
+                "cmdline":"nano",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":7,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":8,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":9,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }            
+        ]
+    }
+} 
diff --git a/src/common/dbsync/smokeTests/snapshotsUpdate/updateWithSnapshot.json b/src/common/dbsync/smokeTests/snapshotsUpdate/updateWithSnapshot.json
new file mode 100644
index 0000000000..02df113cbb
--- /dev/null
+++ b/src/common/dbsync/smokeTests/snapshotsUpdate/updateWithSnapshot.json
@@ -0,0 +1,105 @@
+{
+   "action": "dbsync_update_with_snapshot",
+   "body": {
+      "table":"processes",
+      "data":[
+         {
+            "pid":4,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":5,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":6,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         }
+      ]
+   }
+   
+ }
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/triggerActions/Readme.md b/src/common/dbsync/smokeTests/triggerActions/Readme.md
new file mode 100644
index 0000000000..a2bdf5358b
--- /dev/null
+++ b/src/common/dbsync/smokeTests/triggerActions/Readme.md
@@ -0,0 +1,14 @@
+# Trigger actions
+This test represents a trigger action use case where the following steps will be followed:
+1) Create the database based on the `sql_statement` option under the `config.json` file.
+2) Insert the `insertDataProcesses.json` file's data into the DB.
+3) Insert the `insertDataSocket.json` file's data into the DB.
+4) Add relationship in tables based on `addTableRelationship.json` file's data.
+5) Delete data in table processes based on `deleteRows.json`, which should implicitly delete the data in the socket table. 
+
+# Execution
+In order to execute this test it would be needed the `dbsync_test_tool` binary and the command line will look like the following one:
+```
+$> ./dbsync_test_tool -c config.json -a insertDataProcesses.json,insertDataSocket.json,addTableRelationship.json,deleteRows.json -o ./output
+```
+
diff --git a/src/common/dbsync/smokeTests/triggerActions/addTableRelationship.json b/src/common/dbsync/smokeTests/triggerActions/addTableRelationship.json
new file mode 100644
index 0000000000..67d306c2a3
--- /dev/null
+++ b/src/common/dbsync/smokeTests/triggerActions/addTableRelationship.json
@@ -0,0 +1,16 @@
+{
+    "action": "dbsync_add_table_relationship",
+    "body": {  
+        "base_table":"processes",
+        "relationed_tables":
+        [
+            {
+                "table": "processes_sockets",
+                "field_match": 
+                {
+                    "pid": "pid"
+                }
+            }
+        ]
+    }
+}
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/triggerActions/deleteRows.json b/src/common/dbsync/smokeTests/triggerActions/deleteRows.json
new file mode 100644
index 0000000000..0277cd843f
--- /dev/null
+++ b/src/common/dbsync/smokeTests/triggerActions/deleteRows.json
@@ -0,0 +1,13 @@
+{
+    "action": "dbsync_delete_rows",
+        "body": {
+            "table": "processes",
+            "query": {
+                "data":[
+                {
+                    "pid":4
+                }],
+                "where_filter_opt":""
+            }
+        }
+    } 
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/triggerActions/insertDataProcesses.json b/src/common/dbsync/smokeTests/triggerActions/insertDataProcesses.json
new file mode 100644
index 0000000000..ca8b227f62
--- /dev/null
+++ b/src/common/dbsync/smokeTests/triggerActions/insertDataProcesses.json
@@ -0,0 +1,41 @@
+{
+    "action": "dbsync_insert_data",
+        "body": {
+            "table": "processes",
+            "data":[
+                {
+                    "pid":4,
+                    "name":"System",
+                    "path":"",
+                    "cmdline":"",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                 }         
+            ]
+        }
+    } 
+    
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/triggerActions/insertDataSocket.json b/src/common/dbsync/smokeTests/triggerActions/insertDataSocket.json
new file mode 100644
index 0000000000..b6b6607b44
--- /dev/null
+++ b/src/common/dbsync/smokeTests/triggerActions/insertDataSocket.json
@@ -0,0 +1,13 @@
+{
+    "action": "dbsync_insert_data",
+        "body": {
+            "table": "processes_sockets",
+            "data":[
+                {
+                    "pid":4,
+                    "socket_id":1
+                }         
+            ]
+        }
+    } 
+    
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/txnOperation/Readme.md b/src/common/dbsync/smokeTests/txnOperation/Readme.md
new file mode 100644
index 0000000000..6dc6983044
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/Readme.md
@@ -0,0 +1,15 @@
+# Txn Operation
+This test represents a transactional use case where the following steps will be followed:
+1) Create the database based on the `sql_statement` option under the `config.json` file.
+2) Create a transaction.
+3) Insert the `inputSyncRowInsertTxn.json` file's data into the DB.
+4) Get deleted rows. `pksGetDeletedRows.json` and `fullyGetDeletedRows.json` will define the information details.
+5) Update the DB with the `inputSyncRowModifiedTxn.json` file's data.
+6) Close the transaction.
+
+# Execution
+In order to execute this test it would be needed the `dbsync_test_tool` binary and the command line will look like the following one:
+```
+$> ./dbsync_test_tool -c config.json -a txnOperation/createTxn.json,txnOperation/inputSyncRowInsertTxn.json,txnOperation/pksGetDeletedRows.json,txnOperation/inputSyncRowModifiedTxn.json,txnOperation/closeTxn.json -o ./output
+```
+
diff --git a/src/common/dbsync/smokeTests/txnOperation/closeTxn.json b/src/common/dbsync/smokeTests/txnOperation/closeTxn.json
new file mode 100644
index 0000000000..77cb64e300
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/closeTxn.json
@@ -0,0 +1,3 @@
+{
+    "action": "dbsync_close_txn"
+}
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/txnOperation/createTxn.json b/src/common/dbsync/smokeTests/txnOperation/createTxn.json
new file mode 100644
index 0000000000..368c9af083
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/createTxn.json
@@ -0,0 +1,6 @@
+{
+    "action": "dbsync_create_txn",
+    "body": {
+        "tables": ["processes"]
+    }
+}
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/txnOperation/fullyGetDeletedRows.json b/src/common/dbsync/smokeTests/txnOperation/fullyGetDeletedRows.json
new file mode 100644
index 0000000000..f4c979e6dc
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/fullyGetDeletedRows.json
@@ -0,0 +1,3 @@
+{
+    "action": "dbsync_get_deleted_rows"
+}
diff --git a/src/common/dbsync/smokeTests/txnOperation/inputSyncRowInsertTxn.json b/src/common/dbsync/smokeTests/txnOperation/inputSyncRowInsertTxn.json
new file mode 100644
index 0000000000..79030efc64
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/inputSyncRowInsertTxn.json
@@ -0,0 +1,72 @@
+{
+"action": "dbsync_sync_txn_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }       
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/txnOperation/inputSyncRowModifiedTxn.json b/src/common/dbsync/smokeTests/txnOperation/inputSyncRowModifiedTxn.json
new file mode 100644
index 0000000000..3d0c608429
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/inputSyncRowModifiedTxn.json
@@ -0,0 +1,40 @@
+{
+"action": "dbsync_sync_txn_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"User",
+                "path":"",
+                "cmdline":"Guake",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":1,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }  
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/smokeTests/txnOperation/pksGetDeletedRows.json b/src/common/dbsync/smokeTests/txnOperation/pksGetDeletedRows.json
new file mode 100644
index 0000000000..f4c979e6dc
--- /dev/null
+++ b/src/common/dbsync/smokeTests/txnOperation/pksGetDeletedRows.json
@@ -0,0 +1,3 @@
+{
+    "action": "dbsync_get_deleted_rows"
+}
diff --git a/src/common/dbsync/src/dbengine.h b/src/common/dbsync/src/dbengine.h
new file mode 100644
index 0000000000..da4c55fa6e
--- /dev/null
+++ b/src/common/dbsync/src/dbengine.h
@@ -0,0 +1,73 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBENGINE_H
+#define _DBENGINE_H
+
+#include <set>
+#include <string>
+#include <vector>
+#include <functional>
+#include <shared_mutex>
+#include "json.hpp"
+#include "commonDefs.h"
+#include "abstractLocking.hpp"
+
+namespace DbSync
+{
+    using ResultCallback = std::function<void(ReturnTypeCallback, const nlohmann::json&)>;
+
+    class IDbEngine
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IDbEngine() = default;
+            // LCOV_EXCL_STOP
+
+            virtual void bulkInsert(const std::string& table,
+                                    const nlohmann::json& data) = 0;
+
+            virtual void refreshTableData(const nlohmann::json& data,
+                                          const ResultCallback callback,
+                                          std::unique_lock<std::shared_timed_mutex>& lock) = 0;
+
+            virtual void syncTableRowData(const nlohmann::json& jsInput,
+                                          const ResultCallback callback,
+                                          const bool inTransaction,
+                                          Utils::ILocking& mutex) = 0;
+
+            virtual void setMaxRows(const std::string& table,
+                                    const int64_t maxRows) = 0;
+
+            virtual void initializeStatusField(const nlohmann::json& tableNames) = 0;
+
+            virtual void deleteRowsByStatusField(const nlohmann::json& tableNames) = 0;
+
+            virtual void returnRowsMarkedForDelete(const nlohmann::json& tableNames,
+                                                   const DbSync::ResultCallback callback,
+                                                   std::unique_lock<std::shared_timed_mutex>& lock) = 0;
+
+            virtual void selectData(const std::string& table,
+                                    const nlohmann::json& query,
+                                    const ResultCallback& callback,
+                                    std::unique_lock<std::shared_timed_mutex>& lock) = 0;
+
+            virtual void deleteTableRowsData(const std::string& table,
+                                             const nlohmann::json& jsDeletionData) = 0;
+
+            virtual void addTableRelationship(const nlohmann::json& data) = 0;
+
+        protected:
+            IDbEngine() = default;
+    };
+}// namespace DbSync
+
+#endif // _DBENGINE_H
diff --git a/src/common/dbsync/src/dbengine_factory.h b/src/common/dbsync/src/dbengine_factory.h
new file mode 100644
index 0000000000..d6f6817466
--- /dev/null
+++ b/src/common/dbsync/src/dbengine_factory.h
@@ -0,0 +1,45 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBENGINE_FACTORY_H
+#define _DBENGINE_FACTORY_H
+
+#include "db_exception.h"
+#include "sqlite/sqlite_dbengine.h"
+#include "sqlite/sqlite_wrapper_factory.h"
+#include "commonDefs.h"
+#include <iostream>
+
+namespace DbSync
+{
+    class FactoryDbEngine
+    {
+        public:
+            static std::unique_ptr<IDbEngine> create(const DbEngineType              dbType,
+                                                     const std::string&              path,
+                                                     const std::string&              sqlStatement,
+                                                     const DbManagement              dbManagement,
+                                                     const std::vector<std::string>& upgradeStatements)
+            {
+                if (SQLITE3 == dbType)
+                {
+                    return std::make_unique<SQLiteDBEngine>(std::make_shared<SQLiteFactory>(), path, sqlStatement, dbManagement, upgradeStatements);
+                }
+
+                throw dbsync_error
+                {
+                    FACTORY_INSTANTATION
+                };
+            }
+    };
+}// namespace DbSync
+
+#endif // _DBENGINE_FACTORY_H
diff --git a/src/common/dbsync/src/dbsync.cpp b/src/common/dbsync/src/dbsync.cpp
index e69de29bb2..bf83be264f 100644
--- a/src/common/dbsync/src/dbsync.cpp
+++ b/src/common/dbsync/src/dbsync.cpp
@@ -0,0 +1,918 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <map>
+#include <mutex>
+#include "dbsync.h"
+#include "dbsync.hpp"
+#include "dbsync_implementation.h"
+#include "dbsyncPipelineFactory.h"
+#include "cjsonSmartDeleter.hpp"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+using namespace DbSync;
+
+static std::function<void(const std::string&)> gs_logFunction;
+
+static void log_message(const std::string& msg)
+{
+    if (!msg.empty() && gs_logFunction)
+    {
+        gs_logFunction(msg);
+    }
+}
+
+void dbsync_initialize(log_fnc_t log_function)
+{
+    DBSync::initialize([log_function](const std::string & msg)
+    {
+        log_function(msg.c_str());
+    });
+}
+
+DBSYNC_HANDLE dbsync_create_(const HostType     host_type,
+                             const DbEngineType db_type,
+                             const char*        path,
+                             const char*        sql_statement,
+                             const DbManagement db_management,
+                             const char**       upgrade_statements)
+{
+    DBSYNC_HANDLE retVal{ nullptr };
+    std::string errorMessage;
+
+    if (!path || !sql_statement)
+    {
+        errorMessage += "Invalid path or sql_statement.";
+    }
+    else
+    {
+        try
+        {
+            auto upgradeStatements = std::vector<std::string>();
+
+            while (upgrade_statements && *upgrade_statements)
+            {
+                upgradeStatements.emplace_back(*upgrade_statements);
+                upgrade_statements++;
+            }
+
+            retVal = DBSyncImplementation::instance().initialize(host_type, db_type, path, sql_statement, db_management, upgradeStatements);
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+DBSYNC_HANDLE dbsync_create(const HostType     host_type,
+                            const DbEngineType db_type,
+                            const char*        path,
+                            const char*        sql_statement)
+{
+    return dbsync_create_(host_type, db_type, path, sql_statement, DbManagement::VOLATILE, nullptr);
+}
+
+DBSYNC_HANDLE dbsync_create_persistent(const HostType     host_type,
+                                       const DbEngineType db_type,
+                                       const char*        path,
+                                       const char*        sql_statement,
+                                       const char**       upgrade_statements)
+{
+    return dbsync_create_(host_type, db_type, path, sql_statement, DbManagement::PERSISTENT, upgrade_statements);
+}
+
+void dbsync_teardown(void)
+{
+    PipelineFactory::instance().release();
+    DBSyncImplementation::instance().release();
+}
+
+TXN_HANDLE dbsync_create_txn(const DBSYNC_HANDLE handle,
+                             const cJSON*        tables,
+                             const unsigned int  thread_number,
+                             const unsigned int  max_queue_size,
+                             callback_data_t     callback_data)
+{
+    std::string errorMessage;
+    TXN_HANDLE txn{ nullptr };
+
+    if (!handle || !tables || !max_queue_size || !callback_data.callback)
+    {
+        errorMessage += "Invalid parameters.";
+    }
+    else
+    {
+        try
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(result, spJson.get(), callback_data.user_data);
+                }
+            };
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_Print(tables)};
+            txn = PipelineFactory::instance().create(handle, nlohmann::json::parse(spJsonBytes.get()), thread_number, max_queue_size, callbackWrapper);
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return txn;
+}
+
+int dbsync_close_txn(const TXN_HANDLE txn)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!txn)
+    {
+        errorMessage += "Invalid txn.";
+    }
+    else
+    {
+        try
+        {
+            PipelineFactory::instance().destroy(txn);
+            retVal = 0;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+int dbsync_sync_txn_row(const TXN_HANDLE txn,
+                        const cJSON*     js_input)
+{
+    auto retVal { -1 };
+    std::string error_message;
+
+    if (!txn || !js_input)
+    {
+        error_message += "Invalid txn or json.";
+    }
+    else
+    {
+        try
+        {
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_PrintUnformatted(js_input)};
+            PipelineFactory::instance().pipeline(txn)->syncRow(nlohmann::json::parse(spJsonBytes.get()));
+            retVal = 0;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            error_message += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            error_message += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(error_message);
+    return retVal;
+}
+
+int dbsync_add_table_relationship(const DBSYNC_HANDLE handle,
+                                  const cJSON*        js_input)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_input)
+    {
+        errorMessage += "Invalid parameters.";
+    }
+    else
+    {
+        try
+        {
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_Print(js_input)};
+            DBSyncImplementation::instance().addTableRelationship(handle, nlohmann::json::parse(spJsonBytes.get()));
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+    }
+
+    log_message(errorMessage);
+
+    return retVal;
+}
+
+int dbsync_insert_data(const DBSYNC_HANDLE handle,
+                       const cJSON*        js_insert)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_insert)
+    {
+        errorMessage += "Invalid handle or json.";
+    }
+    else
+    {
+        try
+        {
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_Print(js_insert)};
+            DBSyncImplementation::instance().insertBulkData(handle, nlohmann::json::parse(spJsonBytes.get()));
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        catch (const DbSync::max_rows_error& ex)
+        {
+            errorMessage += "DB error, ";
+            errorMessage += ex.what();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+
+    return retVal;
+}
+
+int dbsync_set_table_max_rows(const DBSYNC_HANDLE handle,
+                              const char*         table,
+                              const long long     max_rows)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !table)
+    {
+        errorMessage += "Invalid parameters.";
+    }
+    else
+    {
+        try
+        {
+            DBSyncImplementation::instance().setMaxRows(handle, table, max_rows);
+            retVal = 0;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+
+    return retVal;
+}
+
+int dbsync_sync_row(const DBSYNC_HANDLE handle,
+                    const cJSON*        js_input,
+                    callback_data_t     callback_data)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_input || !callback_data.callback)
+    {
+        errorMessage += "Invalid input parameters.";
+    }
+    else
+    {
+        try
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(result, spJson.get(), callback_data.user_data);
+                }
+            };
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(js_input) };
+            DBSyncImplementation::instance().syncRowData(handle, nlohmann::json::parse(spJsonBytes.get()), callbackWrapper);
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+int dbsync_select_rows(const DBSYNC_HANDLE handle,
+                       const cJSON*        js_data_input,
+                       callback_data_t     callback_data)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_data_input || !callback_data.callback)
+    {
+        errorMessage += "Invalid input parameters.";
+    }
+    else
+    {
+        try
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(result, spJson.get(), callback_data.user_data);
+                }
+            };
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(js_data_input) };
+            DBSyncImplementation::instance().selectData(handle, nlohmann::json::parse(spJsonBytes.get()), callbackWrapper);
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+int dbsync_delete_rows(const DBSYNC_HANDLE handle,
+                       const cJSON*        js_key_values)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_key_values)
+    {
+        errorMessage += "Invalid input parameters.";
+    }
+    else
+    {
+        try
+        {
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(js_key_values) };
+            DBSyncImplementation::instance().deleteRowsData(handle, nlohmann::json::parse(spJsonBytes.get()));
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+int dbsync_get_deleted_rows(const TXN_HANDLE  txn,
+                            callback_data_t   callback_data)
+{
+    auto retVal { -1 };
+    std::string error_message;
+
+    if (!txn || !callback_data.callback)
+    {
+        error_message += "Invalid txn or callback.";
+    }
+    else
+    {
+        try
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(result, spJson.get(), callback_data.user_data);
+                }
+            };
+            PipelineFactory::instance().pipeline(txn)->getDeleted(callbackWrapper);
+            retVal = 0;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            error_message += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            error_message += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(error_message);
+
+    return retVal;
+}
+
+int dbsync_update_with_snapshot(const DBSYNC_HANDLE handle,
+                                const cJSON*        js_snapshot,
+                                cJSON**             js_result)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_snapshot || !js_result)
+    {
+        errorMessage += "Invalid input parameter.";
+    }
+    else
+    {
+        try
+        {
+            nlohmann::json result;
+            const auto callbackWrapper
+            {
+                [&result](ReturnTypeCallback resultType, const nlohmann::json & jsonResult)
+                {
+                    static std::map<ReturnTypeCallback, std::string> s_opMap
+                    {
+                        // LCOV_EXCL_START
+                        { MODIFIED, "modified" },
+                        { DELETED,  "deleted" },
+                        { INSERTED, "inserted" }
+                        // LCOV_EXCL_STOP
+                    };
+                    result[s_opMap.at(resultType)].push_back(jsonResult);
+                }
+            };
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_PrintUnformatted(js_snapshot)};
+            DBSyncImplementation::instance().updateSnapshotData(handle, nlohmann::json::parse(spJsonBytes.get()), callbackWrapper);
+            *js_result = cJSON_Parse(result.dump().c_str());
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        catch (const DbSync::max_rows_error& ex)
+        {
+            errorMessage += "DB error, ";
+            errorMessage += ex.what();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+int dbsync_update_with_snapshot_cb(const DBSYNC_HANDLE handle,
+                                   const cJSON*        js_snapshot,
+                                   callback_data_t     callback_data)
+{
+    auto retVal { -1 };
+    std::string errorMessage;
+
+    if (!handle || !js_snapshot || !callback_data.callback)
+    {
+        errorMessage += "Invalid input parameters.";
+    }
+    else
+    {
+        try
+        {
+            const auto callbackWrapper
+            {
+                [callback_data](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+                {
+                    const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                    callback_data.callback(result, spJson.get(), callback_data.user_data);
+                }
+            };
+            const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_PrintUnformatted(js_snapshot)};
+            DBSyncImplementation::instance().updateSnapshotData(handle, nlohmann::json::parse(spJsonBytes.get()), callbackWrapper);
+            retVal = 0;
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            errorMessage += "json error, id: " + std::to_string(ex.id) + ". " + ex.what();
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            errorMessage += "DB error, id: " + std::to_string(ex.id()) + ". " + ex.what();
+            retVal = ex.id();
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {
+            errorMessage += "Unrecognized error.";
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    log_message(errorMessage);
+    return retVal;
+}
+
+void dbsync_free_result(cJSON** js_data)
+{
+    if (*js_data)
+    {
+        cJSON_Delete(*js_data);
+    }
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+
+void DBSync::initialize(std::function<void(const std::string&)> logFunction)
+{
+    if (!gs_logFunction)
+    {
+        gs_logFunction = logFunction;
+    }
+}
+
+DBSync::DBSync(const HostType                  hostType,
+               const DbEngineType              dbType,
+               const std::string&              path,
+               const std::string&              sqlStatement,
+               const DbManagement              dbManagement,
+               const std::vector<std::string>& upgradeStatements)
+    : m_dbsyncHandle { DBSyncImplementation::instance().initialize(hostType, dbType, path, sqlStatement, dbManagement, upgradeStatements) }
+    , m_shouldBeRemoved{ true }
+{ }
+
+DBSync::DBSync(const DBSYNC_HANDLE dbsyncHandle)
+    : m_dbsyncHandle { dbsyncHandle }
+    , m_shouldBeRemoved{ false }
+{ }
+
+DBSync::~DBSync()
+{
+    if (m_shouldBeRemoved)
+    {
+        DBSyncImplementation::instance().releaseContext(m_dbsyncHandle);
+    }
+}
+
+
+void DBSync::teardown()
+{
+    PipelineFactory::instance().release();
+    DBSyncImplementation::instance().release();
+}
+
+void DBSync::addTableRelationship(const nlohmann::json& jsInput)
+{
+    DBSyncImplementation::instance().addTableRelationship(m_dbsyncHandle, jsInput);
+}
+
+void DBSync::insertData(const nlohmann::json& jsInsert)
+{
+    DBSyncImplementation::instance().insertBulkData(m_dbsyncHandle, jsInsert);
+}
+
+void DBSync::setTableMaxRow(const std::string& table,
+                            const long long    maxRows)
+{
+    DBSyncImplementation::instance().setMaxRows(m_dbsyncHandle, table, maxRows);
+}
+
+void DBSync::syncRow(const nlohmann::json& jsInput,
+                     ResultCallbackData    callbackData)
+{
+    const auto callbackWrapper
+    {
+        [callbackData](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+        {
+            callbackData(result, jsonResult);
+        }
+    };
+    DBSyncImplementation::instance().syncRowData(m_dbsyncHandle, jsInput, callbackWrapper);
+}
+
+void DBSync::selectRows(const nlohmann::json& jsInput,
+                        ResultCallbackData    callbackData)
+{
+    const auto callbackWrapper
+    {
+        [callbackData](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+        {
+            callbackData(result, jsonResult);
+        }
+    };
+    DBSyncImplementation::instance().selectData(m_dbsyncHandle, jsInput, callbackWrapper);
+}
+
+void DBSync::deleteRows(const nlohmann::json& jsInput)
+{
+    DBSyncImplementation::instance().deleteRowsData(m_dbsyncHandle, jsInput);
+}
+
+void DBSync::updateWithSnapshot(const nlohmann::json& jsInput,
+                                nlohmann::json&       jsResult)
+{
+    const auto callbackWrapper
+    {
+        [&jsResult](ReturnTypeCallback resultType, const nlohmann::json & jsonResult)
+        {
+            static std::map<ReturnTypeCallback, std::string> s_opMap
+            {
+                // LCOV_EXCL_START
+                { MODIFIED, "modified" },
+                { DELETED,  "deleted" },
+                { INSERTED, "inserted" }
+                // LCOV_EXCL_STOP
+            };
+            jsResult[s_opMap.at(resultType)].push_back(jsonResult);
+        }
+    };
+    DBSyncImplementation::instance().updateSnapshotData(m_dbsyncHandle, jsInput, callbackWrapper);
+}
+
+void DBSync::updateWithSnapshot(const nlohmann::json&     jsInput,
+                                ResultCallbackData        callbackData)
+{
+    const auto callbackWrapper
+    {
+        [callbackData](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+        {
+            callbackData(result, jsonResult);
+        }
+    };
+    DBSyncImplementation::instance().updateSnapshotData(m_dbsyncHandle, jsInput, callbackWrapper);
+}
+
+
+DBSyncTxn::DBSyncTxn(const DBSYNC_HANDLE   handle,
+                     const nlohmann::json& tables,
+                     const unsigned int    threadNumber,
+                     const unsigned int    maxQueueSize,
+                     ResultCallbackData    callbackData)
+    : m_shouldBeRemoved {true}
+{
+    const auto callbackWrapper
+    {
+        [callbackData](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+        {
+            callbackData(result, jsonResult);
+        }
+    };
+    m_txn = PipelineFactory::instance().create(handle, tables, threadNumber, maxQueueSize, callbackWrapper);
+}
+
+DBSyncTxn::DBSyncTxn(const TXN_HANDLE handle)
+    : m_txn { handle }
+    , m_shouldBeRemoved {false}
+{ }
+
+DBSyncTxn::~DBSyncTxn()
+{
+    if (m_shouldBeRemoved)
+    {
+        try
+        {
+            PipelineFactory::instance().destroy(m_txn);
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            log_message(ex.what());
+        }
+    }
+}
+
+void DBSyncTxn::syncTxnRow(const nlohmann::json& jsInput)
+{
+    PipelineFactory::instance().pipeline(m_txn)->syncRow(jsInput);
+}
+
+void DBSyncTxn::getDeletedRows(ResultCallbackData  callbackData)
+{
+    const auto callbackWrapper
+    {
+        [&callbackData](ReturnTypeCallback result, const nlohmann::json & jsonResult)
+        {
+            callbackData(result, jsonResult);
+        }
+    };
+    PipelineFactory::instance().pipeline(m_txn)->getDeleted(callbackWrapper);
+}
+
+SelectQuery& SelectQuery::columnList(const std::vector<std::string>& fields)
+{
+    m_jsQuery["query"]["column_list"] = fields;
+    return *this;
+}
+
+SelectQuery& SelectQuery::rowFilter(const std::string& filter)
+{
+    m_jsQuery["query"]["row_filter"] = filter;
+    return *this;
+}
+
+SelectQuery& SelectQuery::distinctOpt(const bool distinct)
+{
+    m_jsQuery["query"]["distinct_opt"] = distinct;
+    return *this;
+}
+
+SelectQuery& SelectQuery::orderByOpt(const std::string& orderBy)
+{
+    m_jsQuery["query"]["order_by_opt"] = orderBy;
+    return *this;
+}
+
+SelectQuery& SelectQuery::countOpt(const uint32_t count)
+{
+    m_jsQuery["query"]["count_opt"] = count;
+    return *this;
+}
+
+DeleteQuery& DeleteQuery::data(const nlohmann::json& data)
+{
+    m_jsQuery["query"]["data"].push_back(data);
+    return *this;
+}
+
+DeleteQuery& DeleteQuery::reset()
+{
+    m_jsQuery["query"]["data"].clear();
+    return *this;
+}
+
+DeleteQuery& DeleteQuery::rowFilter(const std::string& filter)
+{
+    m_jsQuery["query"]["where_filter_opt"] = filter;
+    return *this;
+}
+
+InsertQuery& InsertQuery::data(const nlohmann::json& data)
+{
+    m_jsQuery["data"].push_back(data);
+    return *this;
+}
+
+InsertQuery& InsertQuery::reset()
+{
+    m_jsQuery["data"].clear();
+    return *this;
+}
+
+SyncRowQuery& SyncRowQuery::data(const nlohmann::json& data)
+{
+    m_jsQuery["data"].push_back(data);
+    return *this;
+}
+
+SyncRowQuery& SyncRowQuery::ignoreColumn(const std::string& column)
+{
+    m_jsQuery["options"]["ignore"].push_back(column);
+    return *this;
+}
+
+SyncRowQuery& SyncRowQuery::returnOldData()
+{
+    m_jsQuery["options"]["return_old_data"] = true;
+    return *this;
+}
+
+SyncRowQuery& SyncRowQuery::reset()
+{
+    m_jsQuery["data"].clear();
+    return *this;
+}
diff --git a/src/common/dbsync/src/dbsyncPipelineFactory.cpp b/src/common/dbsync/src/dbsyncPipelineFactory.cpp
new file mode 100644
index 0000000000..faecfa5cca
--- /dev/null
+++ b/src/common/dbsync/src/dbsyncPipelineFactory.cpp
@@ -0,0 +1,203 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <utility>
+#include "db_exception.h"
+#include "dbsyncPipelineFactory.h"
+#include "dbsync_implementation.h"
+#include "pipelineNodesImp.h"
+
+namespace DbSync
+{
+    class Pipeline final : public IPipeline
+    {
+        public:
+
+            Pipeline(const DBSYNC_HANDLE handle,
+                     const nlohmann::json& tables,
+                     const unsigned int threadNumber,
+                     const unsigned int maxQueueSize,
+                     const ResultCallback callback)
+                : m_handle{ handle }
+                , m_txnContext{ DBSyncImplementation::instance().createTransaction(handle, tables) }
+                , m_maxQueueSize{ maxQueueSize }
+                , m_callback{ callback }
+                , m_spDispatchNode{ maxQueueSize ? getDispatchNode(threadNumber) : nullptr }
+            {
+                if (!m_callback || !m_handle || !m_txnContext)
+                {
+                    throw dbsync_error
+                    {
+                        INVALID_PARAMETERS
+                    };
+                }
+            }
+            ~Pipeline()
+            {
+                if (m_spDispatchNode)
+                {
+                    try
+                    {
+                        m_spDispatchNode->rundown();
+                    }
+                    catch (...)
+                    {}
+                }
+
+                try
+                {
+                    DBSyncImplementation::instance().closeTransaction(m_handle, m_txnContext);
+                }
+                catch (...)
+                {}
+            }
+            void syncRow(const nlohmann::json& value) override
+            {
+                try
+                {
+                    DBSyncImplementation::instance().syncRowData
+                    (
+                        m_handle,
+                        m_txnContext,
+                        value,
+                        [this](ReturnTypeCallback resType, const nlohmann::json & resValue)
+                    {
+                        this->pushResult(SyncResult{resType, resValue});
+                    }
+                    );
+                }
+                catch (const DbSync::max_rows_error&)
+                {
+                    pushResult(SyncResult{MAX_ROWS, value});
+                }
+                catch (const std::exception& ex)
+                {
+                    SyncResult result;
+                    result.first = DB_ERROR;
+                    result.second = value;
+                    result.second["exception"] = ex.what();
+                    pushResult(result);
+                }
+            }
+            void getDeleted(ResultCallback callback) override
+            {
+                if (m_spDispatchNode)
+                {
+                    m_spDispatchNode->rundown();
+                }
+
+                DBSyncImplementation::instance().getDeleted(m_handle, m_txnContext, callback);
+            }
+        private:
+            using SyncResult = std::pair<ReturnTypeCallback, nlohmann::json>;
+            using DispatchCallbackNode = Utils::ReadNode<SyncResult>;
+
+            std::shared_ptr<DispatchCallbackNode> getDispatchNode(const int threadNumber)
+            {
+                return std::make_shared<DispatchCallbackNode>
+                       (
+                           std::bind(&Pipeline::dispatchResult, this, std::placeholders::_1),
+                           threadNumber ? threadNumber : std::thread::hardware_concurrency()
+                       );
+            }
+
+            void pushResult(const SyncResult& result)
+            {
+                const auto async{ m_spDispatchNode&& m_spDispatchNode->size() < m_maxQueueSize };
+
+                if (async)
+                {
+                    m_spDispatchNode->receive(result);
+                }
+                else
+                {
+                    dispatchResult(result);
+                }
+            }
+
+            void dispatchResult(const SyncResult& result)
+            {
+                const auto& value{ result.second };
+
+                if (!value.empty())
+                {
+                    m_callback(result.first, value);
+                }
+            }
+            const DBSYNC_HANDLE m_handle;
+            const TXN_HANDLE m_txnContext;
+            const unsigned int m_maxQueueSize;
+            const ResultCallback m_callback;
+            const std::shared_ptr<DispatchCallbackNode> m_spDispatchNode;
+    };
+    //----------------------------------------------------------------------------------------
+    PipelineFactory& PipelineFactory::instance() noexcept
+    {
+        static PipelineFactory s_instance;
+        return s_instance;
+    }
+    void PipelineFactory::release() noexcept
+    {
+        std::lock_guard<std::mutex> lock{ m_contextsMutex };
+        m_contexts.clear();
+    }
+    PipelineCtxHandle PipelineFactory::create(const DBSYNC_HANDLE   handle,
+                                              const nlohmann::json& tables,
+                                              const unsigned int    threadNumber,
+                                              const unsigned int    maxQueueSize,
+                                              const ResultCallback  callback)
+    {
+        const auto spContext
+        {
+            std::make_shared<Pipeline>(handle, tables, threadNumber, maxQueueSize, callback)
+        };
+        const auto ret { spContext.get() };
+        std::lock_guard<std::mutex> lock{ m_contextsMutex };
+        m_contexts.emplace(ret, spContext);
+        return ret;
+    }
+    const std::shared_ptr<IPipeline>& PipelineFactory::pipeline(const PipelineCtxHandle handle)
+    {
+        std::lock_guard<std::mutex> lock{ m_contextsMutex };
+        const auto& it
+        {
+            m_contexts.find(handle)
+        };
+
+        if (it == m_contexts.end())
+        {
+            throw dbsync_error
+            {
+                INVALID_HANDLE
+            };
+        }
+
+        return it->second;
+    }
+    void PipelineFactory::destroy(const PipelineCtxHandle handle)
+    {
+        std::lock_guard<std::mutex> lock{ m_contextsMutex };
+        const auto& it
+        {
+            m_contexts.find(handle)
+        };
+
+        if (it == m_contexts.end())
+        {
+            throw dbsync_error
+            {
+                INVALID_HANDLE
+            };
+        }
+
+        m_contexts.erase(it);
+    }
+}// namespace DbSync
diff --git a/src/common/dbsync/src/dbsyncPipelineFactory.h b/src/common/dbsync/src/dbsyncPipelineFactory.h
new file mode 100644
index 0000000000..94827d81fe
--- /dev/null
+++ b/src/common/dbsync/src/dbsyncPipelineFactory.h
@@ -0,0 +1,56 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef PIPE_LINE_FACTORY_H
+#define PIPE_LINE_FACTORY_H
+#include <map>
+#include <mutex>
+#include <memory>
+#include <functional>
+#include "dbengine.h"
+#include "commonDefs.h"
+
+namespace DbSync
+{
+    using TxnContext = void*;
+    using PipelineCtxHandle = void*;
+    struct IPipeline
+    {
+        // LCOV_EXCL_START
+        virtual ~IPipeline() = default;
+        // LCOV_EXCL_STOP
+        virtual void syncRow(const nlohmann::json& syncJson) = 0;
+        virtual void getDeleted(const ResultCallback callback) = 0;
+    };
+
+    class PipelineFactory final
+    {
+        public:
+            static PipelineFactory& instance() noexcept;
+            void release() noexcept;
+            PipelineCtxHandle create(const DBSYNC_HANDLE    handle,
+                                     const nlohmann::json&  tables,
+                                     const unsigned int     threadNumber,
+                                     const unsigned int     maxQueueSize,
+                                     const ResultCallback   callback);
+            const std::shared_ptr<IPipeline>& pipeline(const PipelineCtxHandle handle);
+            void destroy(const PipelineCtxHandle handle);
+        private:
+            PipelineFactory(const PipelineFactory&) = delete;
+            PipelineFactory& operator=(const PipelineFactory&) = delete;
+            PipelineFactory() = default;
+            ~PipelineFactory() = default;
+            std::map<PipelineCtxHandle, std::shared_ptr<IPipeline>> m_contexts;
+            std::mutex m_contextsMutex;
+    };
+
+}// namespace DbSync
+
+#endif //PIPE_LINE_FACTORY_H
diff --git a/src/common/dbsync/src/dbsync_implementation.cpp b/src/common/dbsync/src/dbsync_implementation.cpp
new file mode 100644
index 0000000000..7df8bf5ed9
--- /dev/null
+++ b/src/common/dbsync/src/dbsync_implementation.cpp
@@ -0,0 +1,190 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <iostream>
+#include "abstractLocking.hpp"
+#include "dbsync_implementation.h"
+
+using namespace DbSync;
+
+DBSYNC_HANDLE DBSyncImplementation::initialize(const HostType                  hostType,
+                                               const DbEngineType              dbType,
+                                               const std::string&              path,
+                                               const std::string&              sqlStatement,
+                                               const DbManagement              dbManagement,
+                                               const std::vector<std::string>& upgradeStatements)
+{
+    auto db{ FactoryDbEngine::create(dbType, path, sqlStatement, dbManagement, upgradeStatements) };
+    const auto spDbEngineContext
+    {
+        std::make_shared<DbEngineContext>(db, hostType, dbType)
+    };
+    const DBSYNC_HANDLE handle{ spDbEngineContext.get() };
+    std::lock_guard<std::mutex> lock{m_mutex};
+    m_dbSyncContexts[handle] = spDbEngineContext;
+    return handle;
+}
+
+void DBSyncImplementation::release()
+{
+    std::lock_guard<std::mutex> lock{m_mutex};
+    m_dbSyncContexts.clear();
+}
+
+void DBSyncImplementation::releaseContext(const DBSYNC_HANDLE handle)
+{
+    std::lock_guard<std::mutex> lock{ m_mutex };
+    m_dbSyncContexts.erase(handle);
+}
+
+void DBSyncImplementation::insertBulkData(const DBSYNC_HANDLE   handle,
+                                          const nlohmann::json& json)
+{
+    const auto ctx{ dbEngineContext(handle) };
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->bulkInsert(json.at("table"), json.at("data"));
+}
+
+void DBSyncImplementation::syncRowData(const DBSYNC_HANDLE      handle,
+                                       const nlohmann::json&    json,
+                                       const ResultCallback     callback)
+{
+    const auto ctx{ dbEngineContext(handle) };
+    Utils::ExclusiveLocking lock{ ctx->m_syncMutex };
+
+    ctx->m_dbEngine->syncTableRowData(json,
+                                      callback,
+                                      false,
+                                      lock);
+}
+
+void DBSyncImplementation::syncRowData(const DBSYNC_HANDLE      handle,
+                                       const TXN_HANDLE         txn,
+                                       const nlohmann::json&    json,
+                                       const ResultCallback     callback)
+{
+    const auto& ctx{ dbEngineContext(handle) };
+    const auto& tnxCtx { ctx->transactionContext(txn) };
+
+    if (std::find(tnxCtx->m_tables.begin(), tnxCtx->m_tables.end(), json.at("table")) == tnxCtx->m_tables.end())
+    {
+        throw dbsync_error{INVALID_TABLE};
+    }
+
+    Utils::SharedLocking lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->syncTableRowData(json,
+                                      callback,
+                                      true,
+                                      lock);
+}
+
+void DBSyncImplementation::deleteRowsData(const DBSYNC_HANDLE   handle,
+                                          const nlohmann::json& json)
+{
+    const auto ctx{ dbEngineContext(handle) };
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+
+    ctx->m_dbEngine->deleteTableRowsData(json.at("table"),
+                                         json.at("query"));
+}
+
+void DBSyncImplementation::updateSnapshotData(const DBSYNC_HANDLE   handle,
+                                              const nlohmann::json& json,
+                                              const ResultCallback  callback)
+{
+    const auto ctx{ dbEngineContext(handle) };
+
+    std::unique_lock<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->refreshTableData(json, callback, lock);
+}
+
+std::shared_ptr<DBSyncImplementation::DbEngineContext> DBSyncImplementation::dbEngineContext(const DBSYNC_HANDLE handle)
+{
+    std::lock_guard<std::mutex> lock{m_mutex};
+    const auto it{ m_dbSyncContexts.find(handle) };
+
+    if (it == m_dbSyncContexts.end())
+    {
+        throw dbsync_error { INVALID_HANDLE };
+    }
+
+    return it->second;
+}
+
+void DBSyncImplementation::setMaxRows(const DBSYNC_HANDLE handle,
+                                      const std::string& table,
+                                      const long long maxRows)
+{
+    const auto ctx{ dbEngineContext(handle) };
+
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->setMaxRows(table, maxRows);
+}
+
+TXN_HANDLE DBSyncImplementation::createTransaction(const DBSYNC_HANDLE      handle,
+                                                   const nlohmann::json&    json)
+{
+    const auto& ctx{ dbEngineContext(handle) };
+    const auto& spTransactionContext
+    {
+        std::make_shared<TransactionContext>(json)
+    };
+
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->addTransactionContext(spTransactionContext);
+    ctx->m_dbEngine->initializeStatusField(spTransactionContext->m_tables);
+
+    return spTransactionContext.get();
+}
+
+void DBSyncImplementation::closeTransaction(const DBSYNC_HANDLE handle,
+                                            const TXN_HANDLE txn)
+{
+    const auto& ctx{ dbEngineContext(handle) };
+    const auto& tnxCtx { ctx->transactionContext(txn) };
+
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->deleteRowsByStatusField(tnxCtx->m_tables);
+    ctx->deleteTransactionContext(txn);
+}
+
+void DBSyncImplementation::getDeleted(const DBSYNC_HANDLE   handle,
+                                      const TXN_HANDLE      txnHandle,
+                                      const ResultCallback  callback)
+{
+    const auto& ctx{ dbEngineContext(handle) };
+    const auto& tnxCtx { ctx->transactionContext(txnHandle) };
+
+    std::unique_lock<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->returnRowsMarkedForDelete(tnxCtx->m_tables, callback, lock);
+}
+
+void DBSyncImplementation::selectData(const DBSYNC_HANDLE   handle,
+                                      const nlohmann::json& json,
+                                      const ResultCallback& callback)
+{
+    const auto ctx{ dbEngineContext(handle) };
+
+    std::unique_lock<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->selectData(json.at("table"),
+                                json.at("query"),
+                                callback,
+                                lock);
+}
+
+void DBSyncImplementation::addTableRelationship(const DBSYNC_HANDLE   handle,
+                                                const nlohmann::json& json)
+{
+    const auto ctx{ dbEngineContext(handle) };
+
+    std::lock_guard<std::shared_timed_mutex> lock{ ctx->m_syncMutex };
+    ctx->m_dbEngine->addTableRelationship(json);
+}
diff --git a/src/common/dbsync/src/dbsync_implementation.h b/src/common/dbsync/src/dbsync_implementation.h
new file mode 100644
index 0000000000..0a7a09ac87
--- /dev/null
+++ b/src/common/dbsync/src/dbsync_implementation.h
@@ -0,0 +1,146 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBSYNC_IMPLEMENTATION_H
+#define _DBSYNC_IMPLEMENTATION_H
+
+#include <map>
+#include <memory>
+#include <mutex>
+#include <shared_mutex>
+#include "dbengine_factory.h"
+#include "commonDefs.h"
+#include "json.hpp"
+
+namespace DbSync
+{
+    class DBSyncImplementation final
+    {
+        public:
+            static DBSyncImplementation& instance()
+            {
+                static DBSyncImplementation s_instance;
+                return s_instance;
+            }
+
+            void insertBulkData(const DBSYNC_HANDLE     handle,
+                                const nlohmann::json&   json);
+
+            void syncRowData(const DBSYNC_HANDLE    handle,
+                             const nlohmann::json&  json,
+                             const ResultCallback   callback);
+
+            void syncRowData(const DBSYNC_HANDLE    handle,
+                             const TXN_HANDLE       txnHandle,
+                             const nlohmann::json&  json,
+                             const ResultCallback   callback);
+
+            void deleteRowsData(const DBSYNC_HANDLE     handle,
+                                const nlohmann::json&   json);
+
+            void updateSnapshotData(const DBSYNC_HANDLE     handle,
+                                    const nlohmann::json&   json,
+                                    const ResultCallback    callback);
+
+            DBSYNC_HANDLE initialize(const HostType                  hostType,
+                                     const DbEngineType              dbType,
+                                     const std::string&              path,
+                                     const std::string&              sqlStatement,
+                                     const DbManagement              dbManagement,
+                                     const std::vector<std::string>& upgradeStatements);
+
+            void setMaxRows(const DBSYNC_HANDLE handle,
+                            const std::string& table,
+                            const long long maxRows);
+
+            TXN_HANDLE createTransaction(const DBSYNC_HANDLE    handle,
+                                         const nlohmann::json&  json);
+
+            void closeTransaction(const DBSYNC_HANDLE handle,
+                                  const TXN_HANDLE txnHandle);
+
+            void getDeleted(const DBSYNC_HANDLE   handle,
+                            const TXN_HANDLE      txnHandle,
+                            const ResultCallback  callback);
+
+            void selectData(const DBSYNC_HANDLE    handle,
+                            const nlohmann::json&  json,
+                            const ResultCallback&  callback);
+
+            void addTableRelationship(const DBSYNC_HANDLE   handle,
+                                      const nlohmann::json& json);
+
+            void release();
+
+            void releaseContext(const DBSYNC_HANDLE handle);
+        private:
+
+            struct TransactionContext final
+            {
+                explicit TransactionContext(const nlohmann::json& tables)
+                    : m_tables(std::move(tables))
+                {}
+                nlohmann::json m_tables;
+            };
+            class DbEngineContext final
+            {
+                public:
+                    DbEngineContext(std::unique_ptr<IDbEngine>& dbEngine,
+                                    const HostType hostType,
+                                    const DbEngineType dbType)
+                        : m_dbEngine{std::move(dbEngine)}
+                        , m_hostType{hostType}
+                        , m_dbEngineType{dbType}
+                    {}
+                    const std::unique_ptr<IDbEngine> m_dbEngine;
+                    const HostType m_hostType;
+                    const DbEngineType m_dbEngineType;
+                    const std::shared_ptr<DBSyncImplementation::TransactionContext> transactionContext(const TXN_HANDLE handle)
+                    {
+                        std::lock_guard<std::mutex> lock{m_mutex};
+                        const auto it{ m_transactionContexts.find(handle) };
+
+                        if (m_transactionContexts.end() == it)
+                        {
+                            throw dbsync_error { INVALID_TRANSACTION };
+                        }
+
+                        return it->second;
+                    }
+                    void addTransactionContext(const std::shared_ptr<DbSync::DBSyncImplementation::TransactionContext>& spTransactionContext)
+                    {
+                        std::lock_guard<std::mutex> lock{m_mutex};
+                        m_transactionContexts[spTransactionContext.get()] = spTransactionContext;
+                    }
+                    void deleteTransactionContext(const TXN_HANDLE txnHandle)
+                    {
+                        std::lock_guard<std::mutex> lock{m_mutex};
+                        m_transactionContexts.erase(txnHandle);
+                    }
+
+                    std::shared_timed_mutex m_syncMutex;
+                private:
+                    std::map<TXN_HANDLE, std::shared_ptr<TransactionContext>> m_transactionContexts;
+                    std::mutex m_mutex;
+            };
+
+            std::shared_ptr<DbEngineContext> dbEngineContext(const DBSYNC_HANDLE handle);
+
+            DBSyncImplementation() = default;
+            ~DBSyncImplementation() = default;
+            DBSyncImplementation(const DBSyncImplementation&) = delete;
+            DBSyncImplementation& operator=(const DBSyncImplementation&) = delete;
+            std::map<DBSYNC_HANDLE, std::shared_ptr<DbEngineContext>> m_dbSyncContexts;
+            std::mutex m_mutex;
+    };
+}
+
+#endif // _DBSYNC_IMPLEMENTATION_H
diff --git a/src/common/dbsync/src/sqlite/isqlite_wrapper.h b/src/common/dbsync/src/sqlite/isqlite_wrapper.h
new file mode 100644
index 0000000000..c18f5f486f
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/isqlite_wrapper.h
@@ -0,0 +1,93 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#pragma once
+#include <string>
+#include <sqlite3.h>
+#include <memory>
+#include <math.h>
+#include "db_exception.h"
+
+namespace SQLite
+{
+    const constexpr auto MAX_ROWS_ERROR_STRING {"Too Many Rows."};
+
+    class sqlite_error : public DbSync::dbsync_error
+    {
+        public:
+            explicit sqlite_error(const std::pair<const int, const std::string>& exceptionInfo)
+                : DbSync::dbsync_error
+            {
+                exceptionInfo.first, "sqlite: " + exceptionInfo.second
+            }
+            {}
+    };
+
+    class IConnection
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IConnection() = default;
+            // LCOV_EXCL_STOP
+            virtual void close() = 0;
+            virtual void execute(const std::string& query) = 0;
+            virtual int64_t changes() const = 0;
+            virtual const std::shared_ptr<sqlite3>& db() const = 0;
+    };
+
+    class ITransaction
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~ITransaction() = default;
+            // LCOV_EXCL_STOP
+            virtual void commit() = 0;
+            virtual void rollback() = 0;
+    };
+
+    class IColumn
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IColumn() = default;
+            // LCOV_EXCL_STOP
+            virtual int32_t type() const = 0;
+            virtual std::string name() const = 0;
+            virtual bool hasValue() const = 0;
+            virtual int32_t value(const int32_t&) const = 0;
+            virtual uint64_t value(const uint64_t&) const = 0;
+            virtual int64_t value(const int64_t&) const = 0;
+            virtual std::string value(const std::string&) const = 0;
+            virtual double_t value(const double_t&) const = 0;
+    };
+
+    class IStatement
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IStatement() = default;
+            // LCOV_EXCL_STOP
+            virtual int32_t step() = 0;
+            virtual void bind(const int32_t index, const int32_t value) = 0;
+            virtual void bind(const int32_t index, const uint64_t value) = 0;
+            virtual void bind(const int32_t index, const int64_t value) = 0;
+            virtual void bind(const int32_t index, const std::string& value) = 0;
+            virtual void bind(const int32_t index, const double_t value) = 0;
+            virtual int columnsCount() const = 0;
+
+            virtual std::string expand() = 0;
+
+            virtual std::unique_ptr<IColumn> column(const int32_t index) = 0;
+            virtual void reset() = 0;
+
+    };
+
+}//namespace SQLite
diff --git a/src/common/dbsync/src/sqlite/sqlite_dbengine.cpp b/src/common/dbsync/src/sqlite/sqlite_dbengine.cpp
new file mode 100644
index 0000000000..210882507f
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/sqlite_dbengine.cpp
@@ -0,0 +1,2150 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <fstream>
+#include <thread>
+#include "db_exception.h"
+#include "mapWrapperSafe.h"
+#include "sqlite/isqlite_wrapper.h"
+#include "sqlite_dbengine.h"
+#include "stringHelper.h"
+#include "commonDefs.h"
+
+using namespace std::chrono_literals;
+auto constexpr MAX_TRIES = 5;
+
+SQLiteDBEngine::SQLiteDBEngine(const std::shared_ptr<ISQLiteFactory>& sqliteFactory,
+                               const std::string&                     path,
+                               const std::string&                     tableStmtCreation,
+                               const DbManagement                     dbManagement,
+                               const std::vector<std::string>&        upgradeStatements)
+    : m_sqliteFactory(sqliteFactory)
+{
+    initialize(path, tableStmtCreation, dbManagement, upgradeStatements);
+}
+
+SQLiteDBEngine::~SQLiteDBEngine()
+{
+    std::lock_guard<std::mutex> lock(m_stmtMutex);
+    m_statementsCache.clear();
+
+    if (m_transaction)
+    {
+        m_transaction->commit();
+    }
+}
+
+void SQLiteDBEngine::setMaxRows(const std::string& table,
+                                const int64_t maxRows)
+{
+    if (0 != loadTableData(table))
+    {
+        std::lock_guard<std::mutex> lock(m_maxRowsMutex);
+
+        if (maxRows < 0)
+        {
+            throw dbengine_error { MIN_ROW_LIMIT_BELOW_ZERO };
+        }
+        else if (0 == maxRows)
+        {
+            m_maxRows.erase(table);
+        }
+        else
+        {
+            const auto stmt
+            {
+                getStatement("SELECT COUNT(*) FROM " + table + ";")
+            };
+
+            if (stmt->step() == SQLITE_ROW)
+            {
+                const auto currentRows
+                {
+                    stmt->column(0)->value(int64_t{})
+                };
+
+                m_maxRows[table] = { maxRows, currentRows };
+            }
+            else
+            {
+                throw dbengine_error { SQL_STMT_ERROR };
+            }
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+void SQLiteDBEngine::bulkInsert(const std::string& table,
+                                const nlohmann::json& data)
+{
+    if (0 != loadTableData(table))
+    {
+        const auto& tableFieldsMetaData { m_tableFields[table] };
+
+        for (const auto& element : data)
+        {
+            insertElement(table, tableFieldsMetaData, element);
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+void SQLiteDBEngine::refreshTableData(const nlohmann::json& data,
+                                      const DbSync::ResultCallback callback,
+                                      std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    const std::string table { data.at("table").is_string() ? data.at("table").get_ref<const std::string&>() : "" };
+
+    if (createCopyTempTable(table))
+    {
+        bulkInsert(table + TEMP_TABLE_SUBFIX, data.at("data"));
+
+        if (0 != loadTableData(table))
+        {
+            std::vector<std::string> primaryKeyList;
+
+            if (getPrimaryKeysFromTable(table, primaryKeyList))
+            {
+                if (!removeNotExistsRows(table, primaryKeyList, callback, lock))
+                {
+                    // LCOV_EXCL_START
+                    std::cout << "Error during the delete rows update " << __LINE__ << " - " << __FILE__ << std::endl;
+                    // LCOV_EXCL_STOP
+                }
+
+                if (!changeModifiedRows(table, primaryKeyList, callback, lock))
+                {
+                    // LCOV_EXCL_START
+                    std::cout << "Error during the change of modified rows " << __LINE__ << " - " << __FILE__ << std::endl;
+                    // LCOV_EXCL_STOP
+                }
+
+                if (!insertNewRows(table, primaryKeyList, callback, lock))
+                {
+                    // LCOV_EXCL_START
+                    std::cout << "Error during the insert rows update " << __LINE__ << " - " << __FILE__ << std::endl;
+                    // LCOV_EXCL_STOP
+                }
+            }
+        }
+        // LCOV_EXCL_START
+        else
+        {
+            throw dbengine_error { EMPTY_TABLE_METADATA };
+        }
+
+        // LCOV_EXCL_STOP
+    }
+}
+
+void SQLiteDBEngine::syncTableRowData(const nlohmann::json& jsInput,
+                                      const DbSync::ResultCallback callback,
+                                      const bool inTransaction,
+                                      Utils::ILocking& lock)
+{
+    const auto& table { jsInput.at("table") };
+    const auto& data { jsInput.at("data") };
+
+    auto it { jsInput.find("options") };
+    auto returnOldData { false };
+    nlohmann::json ignoredColumns { };
+
+    if (jsInput.end() != it)
+    {
+        auto itOldData { it->find("return_old_data") };
+
+        if (it->end() != itOldData)
+        {
+            returnOldData = itOldData->is_boolean() ? itOldData.value().get<bool>() : returnOldData;
+        }
+
+        auto itIgnoredFields { it->find("ignore") };
+
+        if (it->end() != itIgnoredFields)
+        {
+            ignoredColumns = itIgnoredFields->is_array() ? itIgnoredFields.value() : ignoredColumns;
+        }
+    }
+
+    static const auto getDataToUpdate
+    {
+        [](const std::vector<std::string>& primaryKeyList,
+           const nlohmann::json & result,
+           const nlohmann::json & dataParam,
+           const bool inTransactionParam)
+        {
+            nlohmann::json ret;
+
+            if (inTransactionParam)
+            {
+                // No changes detected, only update the status field to avoid row deletion during the txn close.
+                if (result.empty())
+                {
+                    std::for_each(primaryKeyList.begin(),
+                                  primaryKeyList.end(),
+                                  [&dataParam, &ret](const std::string & pKey)
+                    {
+                        if (dataParam.find(pKey) != dataParam.end())
+                        {
+                            ret[pKey] = dataParam[pKey];
+                        }
+                    });
+                }
+                else // Changes detected, update the row with the new values.
+                {
+                    ret = result;
+                }
+
+                ret[STATUS_FIELD_NAME] = 1;
+            }
+            else if (!result.empty())
+            {
+                ret = result;
+            }
+
+            return ret;
+        }
+    };
+    std::vector<std::string> primaryKeyList;
+
+    if (0 != loadTableData(table))
+    {
+        if (getPrimaryKeysFromTable(table, primaryKeyList))
+        {
+            for (const auto& entry : data)
+            {
+                nlohmann::json updated;
+                nlohmann::json oldData;
+                const bool diffExist { getRowDiff(primaryKeyList, ignoredColumns, table, entry, updated, oldData) };
+
+                if (diffExist)
+                {
+                    const auto& jsDataToUpdate{getDataToUpdate(primaryKeyList, updated, entry, inTransaction)};
+
+                    if (!jsDataToUpdate.empty())
+                    {
+                        updateSingleRow(table, jsDataToUpdate);
+
+                        if (callback && !updated.empty())
+                        {
+
+                            lock.unlock();
+
+                            if (returnOldData)
+                            {
+                                nlohmann::json diff;
+                                diff["old"] = oldData;
+                                diff["new"] = updated;
+                                callback(MODIFIED, diff);
+                            }
+                            else
+                            {
+                                callback(MODIFIED, updated);
+                            }
+
+                            lock.lock();
+                        }
+                    }
+                }
+                else
+                {
+                    insertElement(table, m_tableFields[table], entry,
+                                  [&]()
+                    {
+                        // LCOV_EXCL_START
+                        if (callback)
+                        {
+                            lock.unlock();
+                            callback(INSERTED, entry);
+                            lock.lock();
+                        }
+
+                        // LCOV_EXCL_STOP
+                    });
+                }
+            }
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+void SQLiteDBEngine::initializeStatusField(const nlohmann::json& tableNames)
+{
+    for (const auto& tableValue : tableNames)
+    {
+        const auto table { tableValue.get<std::string>() };
+
+        if (0 != loadTableData(table))
+        {
+            const auto& fields { m_tableFields[table] };
+            const auto& it { std::find_if(fields.begin(),
+                                          fields.end(),
+                                          [](const ColumnData & column)
+            {
+                return 0 == std::get<Name>(column).compare(STATUS_FIELD_NAME);
+            })};
+
+            if (fields.end() == it)
+            {
+                m_tableFields.erase(table);
+                const auto stmtAdd { getStatement("ALTER TABLE " +
+                                                  table +
+                                                  " ADD COLUMN " +
+                                                  STATUS_FIELD_NAME +
+                                                  " " +
+                                                  STATUS_FIELD_TYPE +
+                                                  " DEFAULT 1;")};
+
+                // LCOV_EXCL_START
+                if (SQLITE_ERROR == stmtAdd->step())
+                {
+                    throw dbengine_error{ STEP_ERROR_UPDATE_STATUS_FIELD };
+                }
+
+                // LCOV_EXCL_STOP
+            }
+
+            const auto& stmtInit { getStatement("UPDATE " +
+                                                table +
+                                                " SET " +
+                                                STATUS_FIELD_NAME +
+                                                "=0;")};
+
+            // LCOV_EXCL_START
+            if (SQLITE_ERROR == stmtInit->step())
+            {
+                throw dbengine_error{ STEP_ERROR_ADD_STATUS_FIELD };
+            }
+
+            // LCOV_EXCL_STOP
+        }
+        else
+        {
+            throw dbengine_error { EMPTY_TABLE_METADATA };
+        }
+    }
+}
+
+void SQLiteDBEngine::deleteRowsByStatusField(const nlohmann::json& tableNames)
+{
+    for (const auto& tableValue : tableNames)
+    {
+        const auto table { tableValue.get<std::string>() };
+
+        if (0 != loadTableData(table))
+        {
+            const auto stmt { getStatement("DELETE FROM " +
+                                           table +
+                                           " WHERE " +
+                                           STATUS_FIELD_NAME +
+                                           "=0;")};
+
+            // LCOV_EXCL_START
+            if (SQLITE_ERROR == stmt->step())
+            {
+                throw dbengine_error{ STEP_ERROR_DELETE_STATUS_FIELD };
+            }
+
+            // LCOV_EXCL_STOP
+
+            updateTableRowCounter(table, m_sqliteConnection->changes() * -1ll);
+        }
+        else
+        {
+            throw dbengine_error { EMPTY_TABLE_METADATA };
+        }
+    }
+}
+
+void SQLiteDBEngine::returnRowsMarkedForDelete(const nlohmann::json& tableNames,
+                                               const DbSync::ResultCallback callback,
+                                               std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    m_transaction->commit();
+    m_transaction = m_sqliteFactory->createTransaction(m_sqliteConnection);
+
+    for (const auto& tableValue : tableNames)
+    {
+        const auto& table { tableValue.get<std::string>() };
+
+        if (0 != loadTableData(table))
+        {
+            auto tableFields { m_tableFields[table] };
+            const auto stmt { getStatement(getSelectAllQuery(table, tableFields)) };
+
+            while (SQLITE_ROW == stmt->step())
+            {
+                Row registerFields;
+                auto index { 0 };
+
+                for (const auto& field : tableFields)
+                {
+                    if (!std::get<TableHeader::TXNStatusField>(field))
+                    {
+                        getTableData(stmt,
+                                     index,
+                                     std::get<TableHeader::Type>(field),
+                                     std::get<TableHeader::Name>(field),
+                                     registerFields);
+                    }
+
+                    ++index;
+                }
+
+                nlohmann::json object {};
+
+                for (const auto& value : registerFields)
+                {
+                    getFieldValueFromTuple(value, object);
+                }
+
+                lock.unlock();
+                callback(ReturnTypeCallback::DELETED, object);
+                lock.lock();
+            }
+        }
+        else
+        {
+            throw dbengine_error { EMPTY_TABLE_METADATA };
+        }
+    }
+}
+
+void SQLiteDBEngine::selectData(const std::string& table,
+                                const nlohmann::json& query,
+                                const DbSync::ResultCallback& callback,
+                                std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    if (0 != loadTableData(table))
+    {
+        const auto& stmt { m_sqliteFactory->createStatement(m_sqliteConnection, buildSelectQuery(table, query)) };
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            nlohmann::json object;
+
+            for (int i = 0; i < stmt->columnsCount(); ++i)
+            {
+                const auto& column{ stmt->column(i) };
+                const auto& name{ column->name() };
+
+                if (column->hasValue() && name != STATUS_FIELD_NAME)
+                {
+                    switch (column->type())
+                    {
+                        case SQLITE_TEXT:
+                            object[name] = column->value(std::string{});
+                            break;
+
+                        case SQLITE_INTEGER:
+                            object[name] = column->value(int64_t{});
+                            break;
+
+                        case SQLITE_FLOAT:
+                            object[name] = column->value(double_t{});
+                            break;
+
+                        // LCOV_EXCL_START
+                        default:
+                            throw dbengine_error{INVALID_COLUMN_TYPE};
+                            // LCOV_EXCL_STOP
+                    }
+                }
+            }
+
+            if (callback && !object.empty())
+            {
+                lock.unlock();
+                callback(SELECTED, object);
+                lock.lock();
+            }
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+void SQLiteDBEngine::deleteTableRowsData(const std::string&    table,
+                                         const nlohmann::json& jsDeletionData)
+{
+    if (0 != loadTableData(table))
+    {
+        const auto& itData{ jsDeletionData.find("data")};
+        const auto& itFilter{ jsDeletionData.find("where_filter_opt")};
+
+        if (itData != jsDeletionData.end() && itData->size() > 0)
+        {
+            // Deletion via primary keys on "data" json field.
+            deleteRowsbyPK(table, itData.value());
+        }
+        else if (itFilter != jsDeletionData.end() && !itFilter->get<std::string>().empty())
+        {
+            // Deletion via condition on "where_filter_opt" json field.
+            m_sqliteConnection->execute("DELETE FROM " + table + " WHERE " + itFilter->get<std::string>());
+            updateTableRowCounter(table, m_sqliteConnection->changes() * -1ll);
+        }
+        else
+        {
+            throw dbengine_error{ INVALID_DELETE_INFO };
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+void SQLiteDBEngine::addTableRelationship(const nlohmann::json& data)
+{
+    const auto baseTable { data.at("base_table").get<std::string>() };
+
+    if (0 != loadTableData(baseTable))
+    {
+        std::vector<std::string> primaryKeys;
+
+        if (getPrimaryKeysFromTable(baseTable, primaryKeys))
+        {
+            m_sqliteConnection->execute(buildDeleteRelationTrigger(data, baseTable));
+            m_sqliteConnection->execute(buildUpdateRelationTrigger(data, baseTable, primaryKeys));
+        }
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+}
+
+///
+/// Private functions section
+///
+
+void SQLiteDBEngine::initialize(const std::string&              path,
+                                const std::string&              tableStmtCreation,
+                                const DbManagement              dbManagement,
+                                const std::vector<std::string>& upgradeStatements)
+{
+    if (path.empty())
+    {
+        throw dbengine_error {EMPTY_DATABASE_PATH};
+    }
+
+    auto currentDbsyncVersion = upgradeStatements.size() + 1;
+
+    auto reCreateDbLambda = [&]()
+    {
+        if (!cleanDB(path))
+        {
+            throw dbengine_error {DELETE_OLD_DB_ERROR};
+        }
+
+        m_sqliteConnection = m_sqliteFactory->createConnection(path);
+        const auto createDBQueryList {Utils::split(tableStmtCreation, ';')};
+        m_sqliteConnection->execute("PRAGMA temp_store = memory;");
+        m_sqliteConnection->execute("PRAGMA journal_mode = truncate;");
+        m_sqliteConnection->execute("PRAGMA synchronous = OFF;");
+        m_sqliteConnection->execute("PRAGMA user_version = " + std::to_string(currentDbsyncVersion) + ";");
+
+        for (const auto& query : createDBQueryList)
+        {
+            const auto stmt {getStatement(query)};
+
+            if (SQLITE_DONE != stmt->step())
+            {
+                throw dbengine_error {STEP_ERROR_CREATE_STMT};
+            }
+        }
+
+        m_transaction = m_sqliteFactory->createTransaction(m_sqliteConnection);
+    };
+
+    size_t dbVersion = 0;
+
+    if (DbManagement::PERSISTENT == dbManagement)
+    {
+        m_sqliteConnection = m_sqliteFactory->createConnection(path);
+        dbVersion = getDbVersion();
+
+        if (0 == dbVersion)
+        {
+            m_sqliteConnection.reset();
+            reCreateDbLambda();
+        }
+
+        else if (dbVersion < currentDbsyncVersion)
+        {
+            for (size_t i = dbVersion - 1; i < upgradeStatements.size(); ++i)
+            {
+                auto transaction = m_sqliteFactory->createTransaction(m_sqliteConnection);
+                const auto stmt {m_sqliteFactory->createStatement(m_sqliteConnection, upgradeStatements[i])};
+
+                if (SQLITE_DONE != stmt->step())
+                {
+                    throw dbengine_error {STEP_ERROR_UPDATE_STMT};
+                }
+
+                transaction->commit();
+                m_sqliteConnection->execute("PRAGMA user_version = " + std::to_string(i + 2) + ";");
+            }
+
+            m_transaction = m_sqliteFactory->createTransaction(m_sqliteConnection);
+        }
+    }
+    else if (DbManagement::VOLATILE == dbManagement)
+    {
+        reCreateDbLambda();
+    }
+}
+
+bool SQLiteDBEngine::cleanDB(const std::string& path)
+{
+    auto ret { true };
+    auto isRemoved {0};
+
+    if (path.compare(":memory") != 0)
+    {
+        if (std::ifstream(path))
+        {
+            isRemoved = std::remove(path.c_str());
+
+            for (uint8_t amountTries = 0; amountTries < MAX_TRIES && isRemoved; amountTries++)
+            {
+                std::this_thread::sleep_for(1s); //< Sleep for 1s
+                std::cerr << "Sleep for 1s and try to delete database again.\n";
+                isRemoved = std::remove(path.c_str());
+            }
+
+            if (isRemoved)
+            {
+                ret = false;
+            }
+        }
+    }
+
+    return ret;
+}
+
+size_t SQLiteDBEngine::getDbVersion()
+{
+    const auto stmt {m_sqliteFactory->createStatement(m_sqliteConnection, "PRAGMA user_version;")};
+
+    size_t version {0};
+
+    if (SQLITE_ROW == stmt->step())
+    {
+        version = stmt->column(0)->value(int32_t {});
+    }
+
+    return version;
+}
+
+void SQLiteDBEngine::insertElement(const std::string& table,
+                                   const TableColumns& tableFieldsMetaData,
+                                   const nlohmann::json& element,
+                                   const std::function<void()> callback)
+{
+    const auto stmt { getStatement(buildInsertDataSqlQuery(table, element)) };
+    int32_t index { 1l };
+
+    for (const auto& field : tableFieldsMetaData)
+    {
+        if (bindJsonData(stmt, field, element, index))
+        {
+            ++index;
+        }
+    }
+
+    updateTableRowCounter(table, 1ll);
+
+    // LCOV_EXCL_START
+    if (SQLITE_ERROR == stmt->step())
+    {
+        updateTableRowCounter(table, -1ll);
+        throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+    }
+
+    // LCOV_EXCL_STOP
+    if (callback)
+    {
+        callback();
+    }
+}
+
+size_t SQLiteDBEngine::loadTableData(const std::string& table)
+{
+    size_t fieldsNumber { 0ull };
+    const auto& tableFields{ m_tableFields[table] };
+
+    if (0 == tableFields.size())
+    {
+        if (loadFieldData(table))
+        {
+            fieldsNumber = m_tableFields[table].size();
+        }
+    }
+    else
+    {
+        fieldsNumber = tableFields.size();
+    }
+
+    return fieldsNumber;
+}
+
+std::string SQLiteDBEngine::buildInsertDataSqlQuery(const std::string& table,
+                                                    const nlohmann::json& data)
+{
+    //
+    // The INSERT statement will be as the following:
+    //  INSERT INTO table (column1, column2, ...) VALUES (valueColumn1, valueColumn2, ...);
+    //
+    std::string sql   {"INSERT INTO " + table + " ("};
+    std::string binds {") VALUES ("};
+
+    const auto tableFields{ m_tableFields[table] };
+
+    if (!tableFields.empty())
+    {
+        for (const auto& field : tableFields)
+        {
+            const auto& fieldName { std::get<TableHeader::Name>(field) };
+
+            if (data.empty() || data.find(fieldName) != data.end())
+            {
+                sql.append(fieldName + ",");
+                binds.append("?,");
+            }
+        }
+
+        // Remove extra "," for both strings
+        binds = binds.substr(0, binds.size() - 1);
+        sql = sql.substr(0, sql.size() - 1);
+        // Finish the statement
+        binds.append(");");
+        // Complete the statement
+        sql.append(binds);
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error { SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+
+    return sql;
+}
+
+bool SQLiteDBEngine::loadFieldData(const std::string& table)
+{
+    const auto ret { !table.empty() };
+    const std::string sql {"PRAGMA table_info(" + table + ");"};
+
+    if (ret)
+    {
+        TableColumns fieldList;
+        auto stmt { m_sqliteFactory->createStatement(m_sqliteConnection, sql) };
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            const auto& fieldName { stmt->column(1)->value(std::string{}) };
+            fieldList.push_back(std::make_tuple(stmt->column(0)->value(int32_t{}),
+                                                fieldName,
+                                                columnTypeName(stmt->column(2)->value(std::string{})),
+                                                0 != stmt->column(5)->value(int32_t{}),
+                                                InternalColumnNames.end() != std::find(InternalColumnNames.begin(),
+                                                                                       InternalColumnNames.end(), fieldName)));
+        }
+
+        m_tableFields.insert(table, fieldList);
+    }
+
+    return ret;
+}
+
+ColumnType SQLiteDBEngine::columnTypeName(const std::string& type)
+{
+    ColumnType retVal { Unknown };
+    const auto& hiddenIt {type.find(" HIDDEN")};
+    const auto& it { hiddenIt == std::string::npos ? ColumnTypeNames.find(type) : ColumnTypeNames.find(type.substr(0, hiddenIt)) };
+
+    if (ColumnTypeNames.end() != it)
+    {
+        retVal = it->second;
+    }
+
+    return retVal;
+}
+
+bool SQLiteDBEngine::bindJsonData(const std::shared_ptr<SQLite::IStatement> stmt,
+                                  const ColumnData& cd,
+                                  const nlohmann::json::value_type& valueType,
+                                  const unsigned int cid)
+{
+    bool retVal { true };
+    const auto type { std::get<TableHeader::Type>(cd) };
+    const auto name { std::get<TableHeader::Name>(cd) };
+    const auto& it  { valueType.find(name) };
+
+    if (valueType.end() != it)
+    {
+        const auto& jsData { *it };
+
+        if (ColumnType::BigInt == type)
+        {
+            int64_t value
+            {
+                jsData.is_number() ? jsData.get<int64_t>() : jsData.is_string()
+                && jsData.get_ref<const std::string&>().size()
+                ? std::stoll(jsData.get_ref<const std::string&>())
+                : 0
+            };
+            stmt->bind(cid, value);
+        }
+        else if (ColumnType::UnsignedBigInt == type)
+        {
+            uint64_t value
+            {
+                jsData.is_number_unsigned() ? jsData.get<uint64_t>() : jsData.is_string()
+                && jsData.get_ref<const std::string&>().size()
+                ? std::stoull(jsData.get_ref<const std::string&>())
+                : 0
+            };
+            stmt->bind(cid, value);
+        }
+        else if (ColumnType::Integer == type)
+        {
+            int32_t value
+            {
+                jsData.is_number() ? jsData.get<int32_t>() : jsData.is_string()
+                && jsData.get_ref<const std::string&>().size()
+                ? std::stoi(jsData.get_ref<const std::string&>())
+                : 0
+            };
+            stmt->bind(cid, value);
+        }
+        else if (ColumnType::Text == type)
+        {
+            std::string value
+            {
+                jsData.is_string() ? jsData.get_ref<const std::string&>() : ""
+            };
+            stmt->bind(cid, value);
+        }
+        else if (ColumnType::Double == type)
+        {
+            double_t value
+            {
+                jsData.is_number_float() ? jsData.get<double>() : jsData.is_string()
+                && jsData.get_ref<const std::string&>().size()
+                ? std::stod(jsData.get_ref<const std::string&>())
+                : .0f
+            };
+            stmt->bind(cid, value);
+        }
+        else
+        {
+            throw dbengine_error { INVALID_COLUMN_TYPE };
+        }
+    }
+    else
+    {
+        retVal = false;
+    }
+
+    return retVal;
+}
+
+bool SQLiteDBEngine::createCopyTempTable(const std::string& table)
+{
+    auto ret { false };
+    std::string queryResult;
+    deleteTempTable(table);
+
+    if (getTableCreateQuery(table, queryResult))
+    {
+        if (Utils::replaceAll(queryResult, "CREATE TABLE " + table, "CREATE TEMP TABLE IF NOT EXISTS " + table + "_TEMP"))
+        {
+            const auto stmt { getStatement(queryResult) };
+            ret = SQLITE_DONE == stmt->step();
+        }
+    }
+
+    return ret;
+}
+
+void SQLiteDBEngine::deleteTempTable(const std::string& table)
+{
+    try
+    {
+        m_sqliteConnection->execute("DELETE FROM " + table + TEMP_TABLE_SUBFIX + ";");
+    }
+    //if the table doesn't exist we don't care.
+    // LCOV_EXCL_START
+    catch (const std::exception& ex)
+    {
+    }
+
+    // LCOV_EXCL_STOP
+}
+
+bool SQLiteDBEngine::getTableCreateQuery(const std::string& table,
+                                         std::string& resultQuery)
+{
+    auto ret { false };
+    const std::string sql { "SELECT sql FROM sqlite_master WHERE type='table' AND name=?;" };
+
+    if (!table.empty())
+    {
+        const auto stmt { getStatement(sql) };
+        stmt->bind(1, table);
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            resultQuery.append(std::move(stmt->column(0)->value(std::string{})));
+            resultQuery.append(";");
+            ret = true;
+        }
+    }
+
+    return ret;
+}
+
+bool SQLiteDBEngine::removeNotExistsRows(const std::string& table,
+                                         const std::vector<std::string>& primaryKeyList,
+                                         const DbSync::ResultCallback callback,
+                                         std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    auto ret { true };
+    std::vector<Row> rowKeysValue;
+
+    if (getPKListLeftOnly(table, table + TEMP_TABLE_SUBFIX, primaryKeyList, rowKeysValue))
+    {
+        if (deleteRows(table, primaryKeyList, rowKeysValue))
+        {
+            for (const auto& row : rowKeysValue)
+            {
+                nlohmann::json object;
+
+                for (const auto& value : row)
+                {
+                    getFieldValueFromTuple(value, object);
+                }
+
+                if (callback)
+                {
+                    lock.unlock();
+                    callback(ReturnTypeCallback::DELETED, object);
+                    lock.lock();
+                }
+            }
+        }
+        else
+        {
+            ret = false;
+        }
+    }
+
+    return ret;
+}
+
+bool SQLiteDBEngine::getPrimaryKeysFromTable(const std::string& table,
+                                             std::vector<std::string>& primaryKeyList)
+{
+    auto retVal { false };
+    const auto tableFields { m_tableFields[table] };
+
+    for (const auto& value : tableFields)
+    {
+        if (std::get<TableHeader::PK>(value) == true)
+        {
+            primaryKeyList.push_back(std::get<TableHeader::Name>(value));
+        }
+
+        retVal = true;
+    }
+
+    return retVal;
+}
+
+void SQLiteDBEngine::getTableData(std::shared_ptr<SQLite::IStatement>const stmt,
+                                  const int32_t index,
+                                  const ColumnType& type,
+                                  const std::string& fieldName,
+                                  Row& row)
+{
+    if (ColumnType::BigInt == type)
+    {
+        row[fieldName] = std::make_tuple(type, std::string(), 0, stmt->column(index)->value(int64_t{}), 0, 0);
+    }
+    else if (ColumnType::UnsignedBigInt == type)
+    {
+        row[fieldName] = std::make_tuple(type, std::string(), 0, 0, stmt->column(index)->value(int64_t{}), 0);
+    }
+    else if (ColumnType::Integer == type)
+    {
+        row[fieldName] = std::make_tuple(type, std::string(), stmt->column(index)->value(int32_t{}), 0, 0, 0);
+    }
+    else if (ColumnType::Text == type)
+    {
+        row[fieldName] = std::make_tuple(type, stmt->column(index)->value(std::string{}), 0, 0, 0, 0);
+    }
+    else if (ColumnType::Double == type)
+    {
+        row[fieldName] = std::make_tuple(type, std::string(), 0, 0, 0, stmt->column(index)->value(double_t{}));
+    }
+    else
+    {
+        throw dbengine_error { INVALID_COLUMN_TYPE };
+    }
+}
+
+bool SQLiteDBEngine::getLeftOnly(const std::string& t1,
+                                 const std::string& t2,
+                                 const std::vector<std::string>& primaryKeyList,
+                                 std::vector<Row>& returnRows)
+{
+    auto ret { false };
+    const std::string query { buildLeftOnlyQuery(t1, t2, primaryKeyList) };
+
+    if (!t1.empty() && !query.empty())
+    {
+        const auto stmt { getStatement(query) };
+        const auto tableFields { m_tableFields[t1] };
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            Row registerFields;
+
+            for (const auto& field : tableFields)
+            {
+                getTableData(stmt,
+                             std::get<TableHeader::CID>(field),
+                             std::get<TableHeader::Type>(field),
+                             std::get<TableHeader::Name>(field),
+                             registerFields);
+            }
+
+            returnRows.push_back(std::move(registerFields));
+        }
+
+        ret = true;
+    }
+
+    return ret;
+}
+
+bool SQLiteDBEngine::getPKListLeftOnly(const std::string& t1,
+                                       const std::string& t2,
+                                       const std::vector<std::string>& primaryKeyList,
+                                       std::vector<Row>& returnRows)
+{
+    auto ret { false };
+    const std::string sql { buildLeftOnlyQuery(t1, t2, primaryKeyList, true) };
+
+    if (!t1.empty() && !sql.empty())
+    {
+        const auto stmt { getStatement(sql) };
+        const auto tableFields { m_tableFields[t1] };
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            Row registerFields;
+
+            for (const auto& pkValue : primaryKeyList)
+            {
+                auto index { 0ull };
+                const auto& it
+                {
+                    std::find_if(tableFields.begin(), tableFields.end(),
+                                 [&pkValue](const ColumnData & columnData)
+                    {
+                        return std::get<TableHeader::Name>(columnData) == pkValue;
+                    })
+                };
+
+                if (tableFields.end() != it)
+                {
+                    getTableData(stmt,
+                                 index,
+                                 std::get<TableHeader::Type>(*it),
+                                 std::get<TableHeader::Name>(*it),
+                                 registerFields);
+                }
+
+                ++index;
+            }
+
+            returnRows.push_back(std::move(registerFields));
+        }
+
+        ret = true;
+    }
+
+    return ret;
+}
+
+std::string SQLiteDBEngine::buildDeleteBulkDataSqlQuery(const std::string& table,
+                                                        const std::vector<std::string>& primaryKeyList)
+{
+    std::string sql{ "DELETE FROM " };
+    sql.append(table);
+    sql.append(" WHERE ");
+
+    if (0 != primaryKeyList.size())
+    {
+        for (const auto& value : primaryKeyList)
+        {
+            sql.append(value);
+            sql.append("=? AND ");
+        }
+
+        sql = sql.substr(0, sql.size() - 5);
+        sql.append(";");
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error { SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return sql;
+}
+
+bool SQLiteDBEngine::deleteRows(const std::string& table,
+                                const std::vector<std::string>& primaryKeyList,
+                                const std::vector<Row>& rowsToRemove)
+{
+    auto ret { false };
+    const auto sql { buildDeleteBulkDataSqlQuery(table, primaryKeyList) };
+
+    if (!sql.empty())
+    {
+        const auto stmt { getStatement(sql) };
+
+        for (const auto& row : rowsToRemove)
+        {
+            auto index {1l};
+
+            for (const auto& value : primaryKeyList)
+            {
+                bindFieldData(stmt, index, row.at(value));
+                ++index;
+            }
+
+            // LCOV_EXCL_START
+            if (SQLITE_ERROR == stmt->step())
+            {
+                throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+            }
+
+            updateTableRowCounter(table, m_sqliteConnection->changes() * -1ll);
+
+            // LCOV_EXCL_STOP
+            stmt->reset();
+        }
+
+        ret = true;
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error { SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return ret;
+}
+
+void SQLiteDBEngine::deleteRowsbyPK(const std::string& table,
+                                    const nlohmann::json& data)
+{
+    std::vector<std::string> primaryKeyList;
+
+    if (getPrimaryKeysFromTable(table, primaryKeyList))
+    {
+        const auto& tableFields { m_tableFields[table] };
+        const auto stmt
+        {
+            getStatement(buildDeleteBulkDataSqlQuery(table, primaryKeyList))
+        };
+
+        for (const auto& jsRow : data)
+        {
+            int32_t index { 1l };
+
+            for (const auto& pkValue : primaryKeyList)
+            {
+                const auto& it
+                {
+                    std::find_if(tableFields.begin(), tableFields.end(),
+                                 [&pkValue](const ColumnData & column)
+                    {
+                        return 0 == std::get<Name>(column).compare(pkValue);
+                    })
+                };
+
+                if (it != tableFields.end())
+                {
+                    if (bindJsonData(stmt, *it, jsRow, index))
+                    {
+                        ++index;
+                    }
+                }
+            }
+
+            // LCOV_EXCL_START
+            if (SQLITE_ERROR == stmt->step())
+            {
+                throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+            }
+
+            updateTableRowCounter(table, m_sqliteConnection->changes() * -1ll);
+
+            // LCOV_EXCL_STOP
+            stmt->reset();
+        }
+    }
+}
+
+void SQLiteDBEngine::bindFieldData(const std::shared_ptr<SQLite::IStatement> stmt,
+                                   const int32_t index,
+                                   const TableField& fieldData)
+{
+    const auto type { std::get<GenericTupleIndex::GenType>(fieldData) };
+
+    if (ColumnType::BigInt == type)
+    {
+        const auto value { std::get<GenericTupleIndex::GenBigInt>(fieldData) };
+        stmt->bind(index, value);
+    }
+    else if (ColumnType::UnsignedBigInt == type)
+    {
+        const auto value { std::get<GenericTupleIndex::GenUnsignedBigInt>(fieldData) };
+        stmt->bind(index, value);
+    }
+    else if (ColumnType::Integer == type)
+    {
+        const auto value { std::get<GenericTupleIndex::GenInteger>(fieldData) };
+        stmt->bind(index, value);
+    }
+    else if (ColumnType::Text == type)
+    {
+        const auto value { std::get<GenericTupleIndex::GenString>(fieldData) };
+        stmt->bind(index, value);
+    }
+    else if (ColumnType::Double == type)
+    {
+        const auto value { std::get<GenericTupleIndex::GenDouble>(fieldData) };
+        stmt->bind(index, value);
+    }
+    else
+    {
+        throw dbengine_error { INVALID_DATA_BIND };
+    }
+}
+
+
+std::string SQLiteDBEngine::buildSelectQuery(const std::string& table,
+                                             const nlohmann::json& jsQuery)
+{
+    const auto& columns{ jsQuery.at("column_list")};
+    const auto& itFilter{ jsQuery.find("row_filter")};
+    /*optional fields*/
+    const auto& itDistinct{ jsQuery.find("distinct_opt") };
+    const auto& itOrderBy{ jsQuery.find("order_by_opt") };
+    const auto& itCount{ jsQuery.find("count_opt") };
+
+    std::string sql{ "SELECT "};
+
+    if (itDistinct != jsQuery.end() && itDistinct->get<bool>())
+    {
+        sql += "DISTINCT ";
+    }
+
+    for (const auto& column : columns)
+    {
+        sql += column.get_ref<const std::string&>();
+        sql += ",";
+    }
+
+    sql = sql.substr(0, sql.size() - 1);
+
+    sql += " FROM " + table;
+
+    if (itFilter != jsQuery.end() && !itFilter->get<std::string>().empty())
+    {
+        sql += " ";
+        sql += itFilter->get<std::string>();
+    }
+
+    if (itOrderBy != jsQuery.end() && !itOrderBy->get<std::string>().empty())
+    {
+        sql += " ORDER BY " + itOrderBy->get<std::string>();
+    }
+
+    if (itCount != jsQuery.end())
+    {
+        const unsigned int limit{*itCount};
+        sql += " LIMIT " + std::to_string(limit);
+    }
+
+    sql += ";";
+    return sql;
+}
+
+std::string SQLiteDBEngine::buildLeftOnlyQuery(const std::string& t1,
+                                               const std::string& t2,
+                                               const std::vector<std::string>& primaryKeyList,
+                                               const bool returnOnlyPKFields)
+{
+    std::string fieldsList;
+    std::string onMatchList;
+    std::string nullFilterList;
+
+    for (const auto& value : primaryKeyList)
+    {
+        if (returnOnlyPKFields)
+        {
+            fieldsList.append("t1." + value + ",");
+        }
+
+        onMatchList.append("t1." + value + "= t2." + value + " AND ");
+        nullFilterList.append("t2." + value + " IS NULL AND ");
+    }
+
+    if (returnOnlyPKFields)
+    {
+        fieldsList = fieldsList.substr(0, fieldsList.size() - 1);
+    }
+    else
+    {
+        fieldsList.append("*");
+    }
+
+    onMatchList = onMatchList.substr(0, onMatchList.size() - 5);
+    nullFilterList = nullFilterList.substr(0, nullFilterList.size() - 5);
+
+    return "SELECT " + fieldsList + " FROM " + t1 + " t1 LEFT JOIN " + t2 + " t2 ON " + onMatchList + " WHERE " + nullFilterList + ";";
+}
+
+bool SQLiteDBEngine::getRowDiff(const std::vector<std::string>& primaryKeyList,
+                                const nlohmann::json& ignoredColumns,
+                                const std::string& table,
+                                const nlohmann::json& data,
+                                nlohmann::json& updatedData,
+                                nlohmann::json& oldData)
+{
+    bool diffExist { false };
+    bool isModified { false };
+    const auto stmt
+    {
+        getStatement(buildSelectMatchingPKsSqlQuery(table, primaryKeyList))
+    };
+
+    const auto& tableFields { m_tableFields[table] };
+    int32_t index { 1l };
+
+    // Always include primary keys
+    for (const auto& pkValue : primaryKeyList)
+    {
+        const auto& it
+        {
+            std::find_if(tableFields.begin(), tableFields.end(),
+                         [&pkValue](const ColumnData & column)
+            {
+                return 0 == std::get<Name>(column).compare(pkValue);
+            })
+        };
+
+        if (it != tableFields.end())
+        {
+            updatedData[pkValue] = data.at(pkValue);
+            oldData[pkValue] = data.at(pkValue);
+            bindJsonData(stmt, *it, data, index);
+            ++index;
+        }
+    }
+
+    diffExist = SQLITE_ROW == stmt->step();
+
+    if (diffExist)
+    {
+        // The row exists, so let's generate the diff
+        Row registryFields;
+
+        for (const auto& field : tableFields)
+        {
+            getTableData(stmt,
+                         std::get<TableHeader::CID>(field),
+                         std::get<TableHeader::Type>(field),
+                         std::get<TableHeader::Name>(field),
+                         registryFields);
+        }
+
+        if (!registryFields.empty())
+        {
+            for (const auto& value : registryFields)
+            {
+                nlohmann::json object;
+                getFieldValueFromTuple(value, object);
+                const auto& it
+                {
+                    data.find(value.first)
+                };
+
+                if (data.end() != it)
+                {
+                    // Only compare if not in ignore set
+                    if (*it != object.at(value.first))
+                    {
+                        // Diff found
+                        isModified = true;
+                        oldData[value.first] = object[value.first];
+                    }
+
+                    updatedData[value.first] = *it;
+                }
+            }
+        }
+    }
+
+    // If the row is not modified, we clear the result to update the status field value only.
+    if (!isModified)
+    {
+        updatedData.clear();
+        oldData.clear();
+    }
+    else
+    {
+        if (!ignoredColumns.empty())
+        {
+            auto haveDiffOnNonIgnored
+            {
+                [&ignoredColumns, primaryKeyList](const nlohmann::json & rowToBeUpdated) -> bool
+                {
+                    bool haveDiff { false };
+
+                    for (const auto& fieldToBeUpdated : rowToBeUpdated.items())
+                    {
+                        if (std::find(ignoredColumns.begin(), ignoredColumns.end(),
+                                      fieldToBeUpdated.key()) == ignoredColumns.end())
+                        {
+                            if (std::find(primaryKeyList.begin(), primaryKeyList.end(),
+                                          fieldToBeUpdated.key()) == primaryKeyList.end())
+                            {
+                                haveDiff = true;
+                                break;
+                            }
+                        }
+                    }
+
+                    return haveDiff;
+                }
+            };
+
+            if (!haveDiffOnNonIgnored(oldData))
+            {
+                updatedData.clear();
+                oldData.clear();
+            }
+        }
+    }
+
+    return diffExist;
+}
+
+bool SQLiteDBEngine::insertNewRows(const std::string& table,
+                                   const std::vector<std::string>& primaryKeyList,
+                                   const DbSync::ResultCallback callback,
+                                   std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    auto ret { true };
+    std::vector<Row> rowValues;
+
+    if (getLeftOnly(table + TEMP_TABLE_SUBFIX, table, primaryKeyList, rowValues))
+    {
+        bulkInsert(table, rowValues);
+
+        for (const auto& row : rowValues)
+        {
+            nlohmann::json object;
+
+            for (const auto& value : row)
+            {
+                getFieldValueFromTuple(value, object);
+            }
+
+            if (callback)
+            {
+                lock.unlock();
+                callback(ReturnTypeCallback::INSERTED, object);
+                lock.lock();
+            }
+        }
+    }
+
+    return ret;
+}
+
+void SQLiteDBEngine::bulkInsert(const std::string& table,
+                                const std::vector<Row>& data)
+{
+    const auto stmt { getStatement(buildInsertDataSqlQuery(table)) };
+
+    for (const auto& row : data)
+    {
+        const auto tableFields { m_tableFields[table] };
+
+        for (const auto& value : tableFields)
+        {
+            auto it { row.find(std::get<TableHeader::Name>(value))};
+
+            if (row.end() != it)
+            {
+                bindFieldData(stmt, std::get<TableHeader::CID>(value) + 1, (*it).second);
+            }
+        }
+
+        updateTableRowCounter(table, 1ll);
+
+        // LCOV_EXCL_START
+        if (SQLITE_ERROR == stmt->step())
+        {
+
+            updateTableRowCounter(table, -1ll);
+            throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+        }
+
+        // LCOV_EXCL_STOP
+        stmt->reset();
+    }
+}
+
+int SQLiteDBEngine::changeModifiedRows(const std::string& table,
+                                       const std::vector<std::string>& primaryKeyList,
+                                       const DbSync::ResultCallback callback,
+                                       std::unique_lock<std::shared_timed_mutex>& lock)
+{
+    auto ret { true };
+    std::vector<Row> rowKeysValue;
+
+    if (getRowsToModify(table, primaryKeyList, rowKeysValue))
+    {
+        if (updateRows(table, primaryKeyList, rowKeysValue))
+        {
+            for (const auto& row : rowKeysValue)
+            {
+                nlohmann::json object;
+
+                for (const auto& value : row)
+                {
+                    getFieldValueFromTuple(value, object);
+                }
+
+                if (callback)
+                {
+                    lock.unlock();
+                    callback(ReturnTypeCallback::MODIFIED, object);
+                    lock.lock();
+                }
+            }
+        }
+        else
+        {
+            ret = false;
+        }
+    }
+
+    return ret;
+}
+
+std::string SQLiteDBEngine::buildUpdatePartialDataSqlQuery(const std::string& table,
+                                                           const nlohmann::json& data,
+                                                           const std::vector<std::string>& primaryKeyList)
+
+{
+    std::string sql{ "UPDATE " + table + " SET "};
+
+    if (0 != primaryKeyList.size())
+    {
+        for (auto it = data.begin(); it != data.end(); ++it)
+        {
+            if (std::find(primaryKeyList.begin(), primaryKeyList.end(), it.key()) == primaryKeyList.end())
+            {
+                sql += it.key() + "=?,";
+            }
+        }
+
+        sql = sql.substr(0, sql.size() - 1); // Remove the last " , "
+        sql.append(" WHERE ");
+
+        for (auto it = data.begin(); it != data.end(); ++it)
+        {
+            if (std::find(primaryKeyList.begin(), primaryKeyList.end(), it.key()) != primaryKeyList.end())
+            {
+                sql += it.key() + "=? AND ";
+            }
+        }
+
+        sql = sql.substr(0, sql.size() - 5); // Remove the last " AND "
+        sql.append(";");
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error{ SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return sql;
+}
+
+std::string SQLiteDBEngine::buildSelectMatchingPKsSqlQuery(const std::string& table,
+                                                           const std::vector<std::string>& primaryKeyList)
+
+{
+    std::string sql{ "SELECT * FROM " };
+    sql.append(table);
+    sql.append(" WHERE ");
+
+    if (0 != primaryKeyList.size())
+    {
+        for (const auto& value : primaryKeyList)
+        {
+            sql.append(value);
+            sql.append("=? AND ");
+        }
+
+        sql = sql.substr(0, sql.size() - 5); // Remove the last " AND "
+        sql.append(";");
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error{ SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return sql;
+}
+
+std::string SQLiteDBEngine::buildUpdateDataSqlQuery(const std::string& table,
+                                                    const std::vector<std::string>& primaryKeyList,
+                                                    const Row& row,
+                                                    const std::pair<const std::string, TableField>& field)
+{
+    std::string sql{ "UPDATE " };
+    sql.append(table);
+    sql.append(" SET ");
+    sql.append(field.first);
+    sql.append("=");
+    getFieldValueFromTuple(field, sql, true);
+    sql.append(" WHERE ");
+
+    if (0 != primaryKeyList.size())
+    {
+        for (const auto& value : primaryKeyList)
+        {
+            const auto it { row.find("PK_" + value) };
+
+            if (it != row.end())
+            {
+                sql.append(value);
+                sql.append("=");
+                getFieldValueFromTuple((*it), sql, true);
+            }
+            else
+            {
+                sql.clear();
+                break;
+            }
+
+            sql.append(" AND ");
+        }
+
+        sql = sql.substr(0, sql.length() - 5);
+
+        if (sql.length() > 0)
+        {
+            sql.append(";");
+        }
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error{ SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return sql;
+}
+
+std::string SQLiteDBEngine::buildModifiedRowsQuery(const std::string& t1,
+                                                   const std::string& t2,
+                                                   const std::vector<std::string>& primaryKeyList)
+{
+    std::string fieldsList;
+    std::string onMatchList;
+
+    for (const auto& value : primaryKeyList)
+    {
+        fieldsList.append("t1." + value + ",");
+        onMatchList.append("t1." + value + "=t2." + value + " AND ");
+    }
+
+    const auto tableFields { m_tableFields[t1] };
+
+    for (const auto& value : tableFields)
+    {
+        const auto fieldName {std::get<TableHeader::Name>(value)};
+        fieldsList.append("CASE WHEN t1.");
+        fieldsList.append(fieldName);
+        fieldsList.append("<>t2.");
+        fieldsList.append(fieldName);
+        fieldsList.append(" THEN t1.");
+        fieldsList.append(fieldName);
+        fieldsList.append(" ELSE NULL END AS DIF_");
+        fieldsList.append(fieldName);
+        fieldsList.append(",");
+    }
+
+    fieldsList  = fieldsList.substr(0, fieldsList.size() - 1);
+    onMatchList = onMatchList.substr(0, onMatchList.size() - 5);
+    std::string ret {"SELECT "};
+    ret.append(fieldsList);
+    ret.append(" FROM (select *,'");
+    ret.append(t1);
+    ret.append("' as val from ");
+    ret.append(t1);
+    ret.append(" UNION ALL select *,'");
+    ret.append(t2);
+    ret.append("' as val from ");
+    ret.append(t2);
+    ret.append(") t1 INNER JOIN ");
+    ret.append(t1);
+    ret.append(" t2 ON ");
+    ret.append(onMatchList);
+    ret.append(" WHERE t1.val = '");
+    ret.append(t2);
+    ret.append("';");
+
+    return ret;
+}
+
+bool SQLiteDBEngine::getRowsToModify(const std::string& table,
+                                     const std::vector<std::string>& primaryKeyList,
+                                     std::vector<Row>& rowKeysValue)
+{
+    auto ret { false };
+    auto sql { buildModifiedRowsQuery(table, table + TEMP_TABLE_SUBFIX, primaryKeyList) };
+
+    if (!sql.empty())
+    {
+        const auto stmt { getStatement(sql) };
+
+        while (SQLITE_ROW == stmt->step())
+        {
+            bool dataModified{false};
+            const auto tableFields { m_tableFields[table] };
+            Row registerFields;
+            int32_t index {0l};
+
+            for (const auto& pkValue : primaryKeyList)
+            {
+                const auto it
+                {
+                    std::find_if(tableFields.begin(), tableFields.end(),
+                                 [&pkValue] (const ColumnData & cd)
+                    {
+                        return std::get<TableHeader::Name>(cd).compare(pkValue) == 0;
+                    })
+                };
+
+                if (tableFields.end() != it)
+                {
+                    getTableData(stmt,
+                                 index,
+                                 std::get<TableHeader::Type>(*it),
+                                 "PK_" + std::get<TableHeader::Name>(*it),
+                                 registerFields);
+                }
+
+                ++index;
+            }
+
+            for (const auto& field : tableFields)
+            {
+                if (registerFields.end() == registerFields.find(std::get<TableHeader::Name>(field)))
+                {
+                    if (stmt->column(index)->hasValue())
+                    {
+                        dataModified = true;
+                        getTableData(stmt, index, std::get<TableHeader::Type>(field),
+                                     std::get<TableHeader::Name>(field), registerFields);
+                    }
+                }
+
+                ++index;
+            }
+
+            if (dataModified)
+            {
+                rowKeysValue.push_back(std::move(registerFields));
+            }
+        }
+
+        ret = true;
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw dbengine_error { SQL_STMT_ERROR };
+    }
+
+    // LCOV_EXCL_STOP
+    return ret;
+}
+
+void SQLiteDBEngine::updateSingleRow(const std::string& table,
+                                     const nlohmann::json& jsData)
+{
+    std::vector<std::string> primaryKeyList;
+
+    if (getPrimaryKeysFromTable(table, primaryKeyList))
+    {
+        const auto& tableFields { m_tableFields[table] };
+        const auto stmt { getStatement(buildUpdatePartialDataSqlQuery(table, jsData, primaryKeyList)) };
+        int32_t index { 1l };
+
+        for (auto it = jsData.begin(); it != jsData.end(); ++it)
+        {
+            if (std::find(primaryKeyList.begin(), primaryKeyList.end(), it.key()) == primaryKeyList.end())
+            {
+                const auto it1{std::find_if(tableFields.begin(), tableFields.end(), [&it](const auto & value)
+                {
+                    return std::get<GenericTupleIndex::GenString>(value) == it.key();
+                })};
+
+                if (it1 == tableFields.end())
+                {
+                    throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+                }
+
+                bindJsonData(stmt, *it1, jsData, index);
+                ++index;
+            }
+        }
+
+        for (auto it = jsData.begin(); it != jsData.end(); ++it)
+        {
+            if (std::find(primaryKeyList.begin(), primaryKeyList.end(), it.key()) != primaryKeyList.end())
+            {
+                const auto it1{std::find_if(tableFields.begin(), tableFields.end(), [&it](const auto & value)
+                {
+                    return std::get<GenericTupleIndex::GenString>(value) == it.key();
+                })};
+
+                if (it1 == tableFields.end())
+                {
+                    throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+                }
+
+                bindJsonData(stmt, *it1, jsData, index);
+                ++index;
+            }
+        }
+
+        // LCOV_EXCL_START
+        if (SQLITE_ERROR == stmt->step())
+        {
+            throw dbengine_error{ BIND_FIELDS_DOES_NOT_MATCH };
+        }
+
+        // LCOV_EXCL_STOP
+        stmt->reset();
+    }
+}
+
+bool SQLiteDBEngine::updateRows(const std::string& table,
+                                const std::vector<std::string>& primaryKeyList,
+                                const std::vector<Row>& rowKeysValue)
+{
+
+    for (const auto& row : rowKeysValue)
+    {
+        for (const auto& field : row)
+        {
+            if (0 != field.first.substr(0, 3).compare("PK_"))
+            {
+                const auto sql
+                {
+                    buildUpdateDataSqlQuery(table,
+                                            primaryKeyList,
+                                            row,
+                                            field)
+                };
+                m_sqliteConnection->execute(sql);
+            }
+        }
+    }
+
+    return true;
+}
+
+void SQLiteDBEngine::getFieldValueFromTuple(const Field& value,
+                                            nlohmann::json& object)
+{
+    const auto rowType { std::get<GenericTupleIndex::GenType>(value.second) };
+
+    if (ColumnType::BigInt == rowType)
+    {
+        object[value.first] = std::get<ColumnType::BigInt>(value.second);
+    }
+    else if (ColumnType::UnsignedBigInt == rowType)
+    {
+        object[value.first] = std::get<ColumnType::UnsignedBigInt>(value.second);
+    }
+    else if (ColumnType::Integer == rowType)
+    {
+        object[value.first] = std::get<ColumnType::Integer>(value.second);
+    }
+    else if (ColumnType::Text == rowType)
+    {
+        object[value.first] = std::get<ColumnType::Text>(value.second);
+    }
+    else if (ColumnType::Double == rowType)
+    {
+        object[value.first] = std::get<ColumnType::Double>(value.second);
+    }
+    else
+    {
+        throw dbengine_error { DATATYPE_NOT_IMPLEMENTED };
+    }
+}
+
+void SQLiteDBEngine::getFieldValueFromTuple(const Field& value,
+                                            std::string& resultValue,
+                                            const bool quotationMarks)
+{
+    const auto rowType { std::get<GenericTupleIndex::GenType>(value.second) };
+
+    if (ColumnType::BigInt == rowType)
+    {
+        resultValue.append(std::to_string(std::get<ColumnType::BigInt>(value.second)));
+    }
+    else if (ColumnType::UnsignedBigInt == rowType)
+    {
+        resultValue.append(std::to_string(std::get<ColumnType::UnsignedBigInt>(value.second)));
+    }
+    else if (ColumnType::Integer == rowType)
+    {
+        resultValue.append(std::to_string(std::get<ColumnType::Integer>(value.second)));
+    }
+    else if (ColumnType::Text == rowType)
+    {
+        if (quotationMarks)
+        {
+            resultValue.append("'" + std::get<ColumnType::Text>(value.second) + "'");
+        }
+        else
+        {
+            resultValue.append(std::get<ColumnType::Text>(value.second));
+        }
+    }
+    else if (ColumnType::Double == rowType)
+    {
+        resultValue.append(std::to_string(std::get<ColumnType::Double>(value.second)));
+    }
+    else
+    {
+        throw dbengine_error { DATATYPE_NOT_IMPLEMENTED };
+    }
+}
+
+std::shared_ptr<SQLite::IStatement>const SQLiteDBEngine::getStatement(const std::string& sql)
+{
+    std::lock_guard<std::mutex> lock(m_stmtMutex);
+    const auto it
+    {
+        std::find_if(m_statementsCache.begin(),
+                     m_statementsCache.end(),
+                     [sql](const std::pair<std::string, std::shared_ptr<SQLite::IStatement>>& pair)
+        {
+            return 0 == pair.first.compare(sql);
+        })
+    };
+
+    if (m_statementsCache.end() != it)
+    {
+        it->second->reset();
+        return it->second;
+    }
+    else
+    {
+        m_statementsCache.emplace_back(sql, m_sqliteFactory->createStatement(m_sqliteConnection, sql));
+
+        if (CACHE_STMT_LIMIT <= m_statementsCache.size())
+        {
+            m_statementsCache.pop_front();
+        }
+
+        return m_statementsCache.back().second;
+    }
+}
+
+std::string SQLiteDBEngine::getSelectAllQuery(const std::string& table,
+                                              const TableColumns& tableFields) const
+{
+    std::string retVal { "SELECT " };
+
+    if (!tableFields.empty() && !table.empty())
+    {
+        for (const auto& field : tableFields)
+        {
+            if (!std::get<TableHeader::TXNStatusField>(field))
+            {
+                retVal.append(std::get<TableHeader::Name>(field));
+                retVal.append(",");
+            }
+
+        }
+
+        retVal = retVal.substr(0, retVal.size() - 1);
+        retVal.append(" FROM ");
+        retVal.append(table);
+        retVal.append(" WHERE ");
+        retVal.append(STATUS_FIELD_NAME);
+        retVal.append("=0;");
+    }
+    else
+    {
+        throw dbengine_error { EMPTY_TABLE_METADATA };
+    }
+
+    return retVal;
+}
+
+std::string SQLiteDBEngine::buildDeleteRelationTrigger(const nlohmann::json& data,
+                                                       const std::string&    baseTable)
+{
+    const constexpr auto DELETE_POSTFIX{"_delete"};
+
+    auto sqlDelete
+    {
+        "CREATE TRIGGER IF NOT EXISTS " + baseTable + DELETE_POSTFIX + " BEFORE DELETE ON " + baseTable
+    };
+
+    sqlDelete.append(" BEGIN ");
+
+    for (const auto& jsonValue : data.at("relationed_tables"))
+    {
+        sqlDelete.append("DELETE FROM " + jsonValue.at("table").get<std::string>() + " WHERE ");
+
+        for (const auto& match : jsonValue.at("field_match").items())
+        {
+            sqlDelete.append(match.key());
+            sqlDelete.append(" = OLD.");
+            sqlDelete.append(match.value().get_ref<const std::string&>());
+            sqlDelete.append(" AND ");
+        }
+
+        sqlDelete = sqlDelete.substr(0, sqlDelete.size() - 5);
+        sqlDelete.append(";");
+    }
+
+    sqlDelete.append("END;");
+    return sqlDelete;
+}
+
+std::string SQLiteDBEngine::buildUpdateRelationTrigger(const nlohmann::json&            data,
+                                                       const std::string&               baseTable,
+                                                       const std::vector<std::string>&  primaryKeys)
+{
+    const constexpr auto UPDATE_POSTFIX{"_update"};
+
+    auto sqlUpdate
+    {
+        "CREATE TRIGGER IF NOT EXISTS " + baseTable + UPDATE_POSTFIX + " BEFORE UPDATE OF "
+    };
+
+    for (const auto& pkName : primaryKeys)
+    {
+        sqlUpdate.append(pkName);
+        sqlUpdate.append(",");
+    }
+
+    sqlUpdate = sqlUpdate.substr(0, sqlUpdate.size() - 1);
+
+    sqlUpdate.append(" ON " + baseTable);
+
+    sqlUpdate.append(" BEGIN ");
+
+    for (const auto& jsonValue : data.at("relationed_tables"))
+    {
+        sqlUpdate.append("UPDATE " + jsonValue.at("table").get<std::string>() + " SET ");
+
+        auto sqlUpdateWhere { std::string(" WHERE ") };
+
+        for (const auto& match : jsonValue.at("field_match").items())
+        {
+            sqlUpdate.append(match.key());
+            sqlUpdate.append(" = NEW.");
+            sqlUpdate.append(match.value().get_ref<const std::string&>());
+            sqlUpdate.append(",");
+
+            sqlUpdateWhere.append(match.key());
+            sqlUpdateWhere.append(" = OLD.");
+            sqlUpdateWhere.append(match.value().get_ref<const std::string&>());
+            sqlUpdateWhere.append(" AND ");
+        }
+
+        sqlUpdate = sqlUpdate.substr(0, sqlUpdate.size() - 1);
+        sqlUpdateWhere = sqlUpdateWhere.substr(0, sqlUpdateWhere.size() - 5);
+        sqlUpdate.append(sqlUpdateWhere);
+        sqlUpdate.append(";");
+    }
+
+    sqlUpdate.append("END;");
+    return sqlUpdate;
+}
+
+void SQLiteDBEngine::updateTableRowCounter(const std::string& table, const long long rowModifyCount)
+{
+    std::lock_guard<std::mutex> lock(m_maxRowsMutex);
+    auto it { m_maxRows.find(table) };
+
+    if (it != m_maxRows.end())
+    {
+        if (it->second.currentRows + rowModifyCount > it->second.maxRows)
+        {
+            throw DbSync::max_rows_error { SQLite::MAX_ROWS_ERROR_STRING };
+        }
+
+        it->second.currentRows += rowModifyCount;
+
+        if (it->second.currentRows < 0)
+        {
+            it->second.currentRows = 0;
+            throw dbengine_error { ERROR_COUNT_MAX_ROWS };
+        }
+    }
+}
diff --git a/src/common/dbsync/src/sqlite/sqlite_dbengine.h b/src/common/dbsync/src/sqlite/sqlite_dbengine.h
new file mode 100644
index 0000000000..c4de7b9e8d
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/sqlite_dbengine.h
@@ -0,0 +1,328 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SQLITE_DBENGINE_H
+#define _SQLITE_DBENGINE_H
+
+#include <tuple>
+#include <iostream>
+#include <mutex>
+#include <queue>
+#include "dbengine.h"
+#include "sqlite_wrapper_factory.h"
+#include "isqlite_wrapper.h"
+#include "mapWrapperSafe.h"
+
+constexpr auto TEMP_TABLE_SUBFIX {"_TEMP"};
+
+constexpr auto STATUS_FIELD_NAME {"db_status_field_dm"};
+constexpr auto STATUS_FIELD_TYPE {"INTEGER"};
+
+constexpr auto CACHE_STMT_LIMIT
+{
+    30ull
+};
+
+const std::vector<std::string> InternalColumnNames =
+{
+    { STATUS_FIELD_NAME }
+};
+
+enum ColumnType
+{
+    Unknown = 0,
+    Text,
+    Integer,
+    BigInt,
+    UnsignedBigInt,
+    Double,
+    Blob,
+};
+
+const std::map<std::string, ColumnType> ColumnTypeNames =
+{
+    { "UNKNOWN", Unknown        },
+    { "TEXT", Text           },
+    { "INTEGER", Integer        },
+    { "BIGINT", BigInt         },
+    { "UNSIGNED BIGINT", UnsignedBigInt },
+    { "DOUBLE", Double         },
+    { "BLOB", Blob           },
+};
+
+enum TableHeader
+{
+    CID = 0,
+    Name,
+    Type,
+    PK,
+    TXNStatusField
+};
+
+enum GenericTupleIndex
+{
+    GenType = 0,
+    GenString,
+    GenInteger,
+    GenBigInt,
+    GenUnsignedBigInt,
+    GenDouble
+};
+
+using ColumnData =
+    std::tuple<int32_t, std::string, ColumnType, bool, bool>;
+
+using TableColumns =
+    std::vector<ColumnData>;
+
+using TableField =
+    std::tuple<int32_t, std::string, int32_t, int64_t, uint64_t, double_t>;
+
+using Row = std::map<std::string, TableField>;
+
+using Field = std::pair<const std::string, TableField>;
+
+enum ResponseType
+{
+    RTJson = 0,
+    RTCallback
+};
+
+class dbengine_error : public DbSync::dbsync_error
+{
+    public:
+        explicit dbengine_error(const std::pair<int, std::string>& exceptionInfo)
+            : DbSync::dbsync_error
+        {
+            exceptionInfo.first, "dbEngine: " + exceptionInfo.second
+        }
+        {}
+};
+
+struct MaxRows final
+{
+    int64_t maxRows;
+    int64_t currentRows;
+};
+
+class SQLiteDBEngine final : public DbSync::IDbEngine
+{
+    public:
+        SQLiteDBEngine(const std::shared_ptr<ISQLiteFactory>& sqliteFactory,
+                       const std::string&                     path,
+                       const std::string&                     tableStmtCreation,
+                       const DbManagement                     dbManagement = DbManagement::VOLATILE,
+                       const std::vector<std::string>&        upgradeStatements = {});
+        ~SQLiteDBEngine();
+
+        void bulkInsert(const std::string& table,
+                        const nlohmann::json& data) override;
+
+        void refreshTableData(const nlohmann::json& data,
+                              const DbSync::ResultCallback callback,
+                              std::unique_lock<std::shared_timed_mutex>& lock) override;
+
+        void syncTableRowData(const nlohmann::json& jsInput,
+                              const DbSync::ResultCallback callback,
+                              const bool inTransaction,
+                              Utils::ILocking& mutex) override;
+
+        void setMaxRows(const std::string& table,
+                        const int64_t maxRows) override;
+
+        void initializeStatusField(const nlohmann::json& tableNames) override;
+
+        void deleteRowsByStatusField(const nlohmann::json& tableNames) override;
+
+        void returnRowsMarkedForDelete(const nlohmann::json& tableNames,
+                                       const DbSync::ResultCallback callback,
+                                       std::unique_lock<std::shared_timed_mutex>& lock) override;
+
+        void selectData(const std::string& table,
+                        const nlohmann::json& query,
+                        const DbSync::ResultCallback& callback,
+                        std::unique_lock<std::shared_timed_mutex>& lock) override;
+
+        void deleteTableRowsData(const std::string& table,
+                                 const nlohmann::json& jsDeletionData) override;
+
+        void addTableRelationship(const nlohmann::json& data) override;
+
+    private:
+        void initialize(const std::string&              path,
+                        const std::string&              tableStmtCreation,
+                        const DbManagement              dbManagement,
+                        const std::vector<std::string>& upgradeStatements);
+
+        bool cleanDB(const std::string& path);
+
+        size_t getDbVersion();
+
+        size_t loadTableData(const std::string& table);
+
+        bool loadFieldData(const std::string& table);
+
+        std::string buildInsertDataSqlQuery(const std::string& table,
+                                            const nlohmann::json& data = {});
+
+        std::string buildDeleteBulkDataSqlQuery(const std::string& table,
+                                                const std::vector<std::string>& primaryKeyList);
+
+        std::string buildSelectQuery(const std::string& table,
+                                     const nlohmann::json& jsQuery);
+
+        ColumnType columnTypeName(const std::string& type);
+
+        bool bindJsonData(const std::shared_ptr<SQLite::IStatement> stmt,
+                          const ColumnData& cd,
+                          const nlohmann::json::value_type& valueType,
+                          const unsigned int cid);
+
+        bool createCopyTempTable(const std::string& table);
+
+        bool getTableCreateQuery(const std::string& table,
+                                 std::string& resultQuery);
+
+        bool getPrimaryKeysFromTable(const std::string& table,
+                                     std::vector<std::string>& primaryKeyList);
+
+        bool removeNotExistsRows(const std::string& table,
+                                 const std::vector<std::string>& primaryKeyList,
+                                 const DbSync::ResultCallback callback,
+                                 std::unique_lock<std::shared_timed_mutex>& lock);
+
+        bool getRowDiff(const std::vector<std::string>& primaryKeyList,
+                        const nlohmann::json& ignoredColumns,
+                        const std::string& table,
+                        const nlohmann::json& data,
+                        nlohmann::json& updatedData,
+                        nlohmann::json& oldData);
+
+        bool insertNewRows(const std::string& table,
+                           const std::vector<std::string>& primaryKeyList,
+                           const DbSync::ResultCallback callback,
+                           std::unique_lock<std::shared_timed_mutex>& lock);
+
+        bool deleteRows(const std::string& table,
+                        const std::vector<std::string>& primaryKeyList,
+                        const std::vector<Row>& rowsToRemove);
+
+        void deleteRows(const std::string& table,
+                        const nlohmann::json& data,
+                        const std::vector<std::string>& primaryKeyList);
+
+        void deleteRowsbyPK(const std::string& table,
+                            const nlohmann::json& data);
+
+        void getTableData(std::shared_ptr<SQLite::IStatement>const stmt,
+                          const int32_t index,
+                          const ColumnType& type,
+                          const std::string& fieldName,
+                          Row& row);
+
+        void bindFieldData(const std::shared_ptr<SQLite::IStatement> stmt,
+                           const int32_t index,
+                           const TableField& fieldData);
+
+        std::string buildLeftOnlyQuery(const std::string& t1,
+                                       const std::string& t2,
+                                       const std::vector<std::string>& primaryKeyList,
+                                       const bool returnOnlyPKFields = false);
+
+        bool getLeftOnly(const std::string& t1,
+                         const std::string& t2,
+                         const std::vector<std::string>& primaryKeyList,
+                         std::vector<Row>& returnRows);
+
+        bool getPKListLeftOnly(const std::string& t1,
+                               const std::string& t2,
+                               const std::vector<std::string>& primaryKeyList,
+                               std::vector<Row>& returnRows);
+
+        void bulkInsert(const std::string& table,
+                        const std::vector<Row>& data);
+
+        void deleteTempTable(const std::string& table);
+
+        std::string buildModifiedRowsQuery(const std::string& t1,
+                                           const std::string& t2,
+                                           const std::vector<std::string>& primaryKeyList);
+
+        int changeModifiedRows(const std::string& table,
+                               const std::vector<std::string>& primaryKeyList,
+                               const DbSync::ResultCallback callback,
+                               std::unique_lock<std::shared_timed_mutex>& lock);
+
+        std::string buildSelectMatchingPKsSqlQuery(const std::string& table,
+                                                   const std::vector<std::string>& primaryKeyList);
+
+        std::string buildUpdateDataSqlQuery(const std::string& table,
+                                            const std::vector<std::string>& primaryKeyList,
+                                            const Row& row,
+                                            const std::pair<const std::string, TableField>& field);
+
+        std::string buildUpdatePartialDataSqlQuery(const std::string& table,
+                                                   const nlohmann::json& data,
+                                                   const std::vector<std::string>& primaryKeyList);
+
+        bool getRowsToModify(const std::string& table,
+                             const std::vector<std::string>& primaryKeyList,
+                             std::vector<Row>& rowKeysValue);
+
+        void updateSingleRow(const std::string& table,
+                             const nlohmann::json& jsData);
+
+        bool updateRows(const std::string& table,
+                        const std::vector<std::string>& primaryKeyList,
+                        const std::vector<Row>& rowKeysValue);
+
+        void getFieldValueFromTuple(const Field& value,
+                                    std::string& resultValue,
+                                    const bool quotationMarks = false);
+
+        void getFieldValueFromTuple(const Field& value,
+                                    nlohmann::json& object);
+
+        SQLiteDBEngine(const SQLiteDBEngine&) = delete;
+
+        SQLiteDBEngine& operator=(const SQLiteDBEngine&) = delete;
+
+        std::shared_ptr<SQLite::IStatement>const getStatement(const std::string& sql);
+
+        std::string getSelectAllQuery(const std::string& table,
+                                      const TableColumns& tableFields) const;
+
+        std::string buildDeleteRelationTrigger(const nlohmann::json& data,
+                                               const std::string&    baseTable);
+
+        std::string buildUpdateRelationTrigger(const nlohmann::json&            data,
+                                               const std::string&               baseTable,
+                                               const std::vector<std::string>&  primaryKeys);
+
+        void updateTableRowCounter(const std::string& table,
+                                   const long long    rowModifyCount);
+
+        void insertElement(const std::string& table,
+                           const TableColumns& tableColumns,
+                           const nlohmann::json& element,
+                           const std::function<void()> callback = {});
+
+        Utils::MapWrapperSafe<std::string, TableColumns> m_tableFields;
+        std::deque<std::pair<std::string, std::shared_ptr<SQLite::IStatement>>> m_statementsCache;
+        const std::shared_ptr<ISQLiteFactory> m_sqliteFactory;
+        std::shared_ptr<SQLite::IConnection> m_sqliteConnection;
+        std::mutex m_stmtMutex;
+        std::unique_ptr<SQLite::ITransaction> m_transaction;
+        std::mutex m_maxRowsMutex;
+        std::map<std::string, MaxRows> m_maxRows;
+};
+
+#endif // _SQLITE_DBENGINE_H
diff --git a/src/common/dbsync/src/sqlite/sqlite_wrapper.cpp b/src/common/dbsync/src/sqlite/sqlite_wrapper.cpp
new file mode 100644
index 0000000000..feabdb1227
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/sqlite_wrapper.cpp
@@ -0,0 +1,319 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sqlite_wrapper.h"
+#include "db_exception.h"
+#include "makeUnique.h"
+#include "customDeleter.hpp"
+#include <iostream>
+#include <chrono>
+#include <sys/stat.h>
+
+constexpr auto DB_DEFAULT_PATH {"temp.db"};
+constexpr auto DB_MEMORY {":memory:"};
+constexpr auto DB_PERMISSIONS
+{
+    0640
+};
+
+using namespace SQLite;
+using ExpandedSQLPtr = std::unique_ptr<char, CustomDeleter<decltype(&sqlite3_free), sqlite3_free>>;
+
+static void checkSqliteResult(const int result,
+                              const std::string& exceptionString)
+{
+    if (SQLITE_OK != result)
+    {
+        throw sqlite_error
+        {
+            std::make_pair(result, exceptionString)
+        };
+    }
+}
+
+static sqlite3* openSQLiteDb(const std::string& path, const int flags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE)
+{
+    sqlite3* pDb{ nullptr };
+    const auto result
+    {
+        sqlite3_open_v2(path.c_str(), &pDb, flags, nullptr)
+    };
+    checkSqliteResult(result, "Unspecified type during initialization of SQLite.");
+    return pDb;
+}
+
+Connection::Connection(const std::string& path)
+    : m_db{ openSQLiteDb(path), [](sqlite3 * p)
+{
+    sqlite3_close_v2(p);
+} }
+{
+#ifndef _WIN32
+
+    if (path.compare(DB_MEMORY) != 0)
+    {
+        const auto result { chmod(path.c_str(), DB_PERMISSIONS) };
+
+        if (result != 0)
+        {
+            throw sqlite_error
+            {
+                std::make_pair(result, "Error changing permissions of SQLite database.")
+            };
+        }
+
+        m_db.reset(openSQLiteDb(path, SQLITE_OPEN_READWRITE), [](sqlite3 * p)
+        {
+            sqlite3_close_v2(p);
+        });
+    }
+
+#endif
+}
+
+void Connection::close()
+{
+    m_db.reset();
+}
+
+const std::shared_ptr<sqlite3>& Connection::db() const
+{
+    return m_db;
+}
+
+Connection::Connection()
+    : Connection(DB_DEFAULT_PATH)
+{}
+
+void Connection::execute(const std::string& query)
+{
+    if (!m_db)
+    {
+        throw sqlite_error
+        {
+            SQLITE_CONNECTION_ERROR
+        };
+    }
+
+    const auto result
+    {
+        sqlite3_exec(m_db.get(), query.c_str(), 0, 0, nullptr)
+    };
+
+    checkSqliteResult(result, query + ". " + sqlite3_errmsg(m_db.get()));
+}
+
+int64_t Connection::changes() const
+{
+    return sqlite3_changes(m_db.get());
+}
+
+Transaction::~Transaction()
+{
+    try
+    {
+        if (!m_rolledBack && !m_commited)
+        {
+            m_connection->execute("ROLLBACK TRANSACTION");
+        }
+    }
+    //dtor should never throw
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+}
+
+Transaction::Transaction(std::shared_ptr<IConnection>& connection)
+    : m_connection{ connection }
+    , m_rolledBack{ false }
+    , m_commited{ false }
+{
+    m_connection->execute("BEGIN TRANSACTION");
+}
+
+void Transaction::commit()
+{
+    if (!m_rolledBack && !m_commited)
+    {
+        m_connection->execute("COMMIT TRANSACTION");
+        m_commited = true;
+    }
+}
+
+void Transaction::rollback()
+{
+    try
+    {
+        if (!m_rolledBack && !m_commited)
+        {
+            m_rolledBack = true;
+            m_connection->execute("ROLLBACK TRANSACTION");
+        }
+    }
+    //rollback can be called in a catch statement to unwind things so it shouldn't throw
+    // LCOV_EXCL_START
+    catch (...)
+    {}
+
+    // LCOV_EXCL_STOP
+}
+
+bool Transaction::isCommited() const
+{
+    return m_commited;
+}
+
+bool Transaction::isRolledBack() const
+{
+    return m_rolledBack;
+}
+
+static sqlite3_stmt* prepareSQLiteStatement(std::shared_ptr<IConnection>& connection,
+                                            const std::string& query)
+{
+    sqlite3_stmt* pStatement{ nullptr };
+    const auto result
+    {
+        sqlite3_prepare_v2(connection->db().get(), query.c_str(), -1, &pStatement, nullptr)
+    };
+    checkSqliteResult(result, sqlite3_errmsg(connection->db().get()));
+    return pStatement;
+}
+
+Statement::Statement(std::shared_ptr<IConnection>& connection,
+                     const std::string& query)
+    : m_connection{ connection }
+    , m_stmt{ prepareSQLiteStatement(m_connection, query), [](sqlite3_stmt * p)
+{
+    sqlite3_finalize(p);
+} }
+, m_bindParametersCount{ sqlite3_bind_parameter_count(m_stmt.get()) }
+, m_bindParametersIndex{ 0 }
+{}
+
+int32_t Statement::step()
+{
+    auto ret { SQLITE_ERROR };
+
+    if (m_bindParametersIndex == m_bindParametersCount)
+    {
+        ret = sqlite3_step(m_stmt.get());
+
+        if (SQLITE_ROW != ret && SQLITE_DONE != ret)
+        {
+            checkSqliteResult(ret, sqlite3_errmsg(m_connection->db().get()));
+        }
+    }
+
+    return ret;
+}
+
+void Statement::reset()
+{
+    sqlite3_reset(m_stmt.get());
+    m_bindParametersIndex = 0;
+}
+
+void Statement::bind(const int32_t index, const int32_t value)
+{
+    const auto result{ sqlite3_bind_int(m_stmt.get(), index, value) };
+    checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+    ++m_bindParametersIndex;
+}
+void Statement::bind(const int32_t index, const uint64_t value)
+{
+    const auto result{ sqlite3_bind_int64(m_stmt.get(), index, value) };
+    checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+    ++m_bindParametersIndex;
+}
+void Statement::bind(const int32_t index, const int64_t value)
+{
+    const auto result{ sqlite3_bind_int64(m_stmt.get(), index, value) };
+    checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+    ++m_bindParametersIndex;
+}
+void Statement::bind(const int32_t index, const std::string& value)
+{
+    const auto result
+    {
+        sqlite3_bind_text(m_stmt.get(),
+                          index,
+                          value.c_str(),
+                          value.length(),
+                          SQLITE_TRANSIENT)
+    };
+    checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+    ++m_bindParametersIndex;
+}
+void Statement::bind(const int32_t index, const double_t value)
+{
+    const auto result{ sqlite3_bind_double(m_stmt.get(), index, value) };
+    checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+    ++m_bindParametersIndex;
+}
+
+// LCOV_EXCL_START
+std::string Statement::expand()
+{
+    return ExpandedSQLPtr(sqlite3_expanded_sql(m_stmt.get())).get();
+}
+// LCOV_EXCL_STOP
+
+std::unique_ptr<IColumn> Statement::column(const int32_t index)
+{
+    return std::make_unique<SQLite::Column>(m_stmt, index);
+}
+
+int Statement::columnsCount() const
+{
+    return sqlite3_column_count(m_stmt.get());
+}
+Column::Column(std::shared_ptr<sqlite3_stmt>& stmt,
+               const int32_t index)
+    : m_stmt{ stmt }
+    , m_index{ index }
+{}
+
+bool Column::hasValue() const
+{
+    return SQLITE_NULL != sqlite3_column_type(m_stmt.get(), m_index);
+}
+int32_t Column::type() const
+{
+    return sqlite3_column_type(m_stmt.get(), m_index);
+}
+std::string Column::name() const
+{
+    return sqlite3_column_name(m_stmt.get(), m_index);
+}
+int32_t Column::value(const int32_t&) const
+{
+    return sqlite3_column_int(m_stmt.get(), m_index);
+}
+uint64_t Column::value(const uint64_t&) const
+{
+    return sqlite3_column_int64(m_stmt.get(), m_index);
+}
+int64_t Column::value(const int64_t&) const
+{
+    return sqlite3_column_int64(m_stmt.get(), m_index);
+}
+double_t Column::value(const double_t&) const
+{
+    return sqlite3_column_double(m_stmt.get(), m_index);
+}
+std::string Column::value(const std::string&) const
+{
+    const auto str { reinterpret_cast<const char*>(sqlite3_column_text(m_stmt.get(), m_index)) };
+    return nullptr != str ? str : "";
+}
diff --git a/src/common/dbsync/src/sqlite/sqlite_wrapper.h b/src/common/dbsync/src/sqlite/sqlite_wrapper.h
new file mode 100644
index 0000000000..c020b97ea5
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/sqlite_wrapper.h
@@ -0,0 +1,102 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SQLITE_WRAPPER_H
+#define _SQLITE_WRAPPER_H
+
+#include "isqlite_wrapper.h"
+#include "sqlite3.h"
+
+#include <string>
+#include <memory>
+namespace SQLite
+{
+    class Connection : public IConnection
+    {
+        public:
+            Connection();
+            ~Connection() = default;
+            explicit Connection(const std::string& path);
+
+            void execute(const std::string& query) override;
+            void close() override;
+            const std::shared_ptr<sqlite3>& db() const override;
+            int64_t changes() const override;
+        private:
+            std::shared_ptr<sqlite3> m_db;
+    };
+
+
+    class Transaction : public ITransaction
+    {
+        public:
+            ~Transaction();
+            explicit Transaction(std::shared_ptr<IConnection>& connection);
+
+            void commit() override;
+            void rollback() override;
+            bool isRolledBack() const;
+            bool isCommited() const;
+        private:
+            std::shared_ptr<IConnection> m_connection;
+            bool m_rolledBack;
+            bool m_commited;
+    };
+
+    class Column : public IColumn
+    {
+        public:
+            ~Column() = default;
+            Column(std::shared_ptr<sqlite3_stmt>& stmt, const int32_t index);
+
+            bool hasValue() const override;
+            int32_t type() const override;
+            std::string name() const override;
+            int32_t value(const int32_t&) const override;
+            uint64_t value(const uint64_t&) const override;
+            int64_t value(const int64_t&) const override;
+            std::string value(const std::string&) const override;
+            double_t value(const double_t&) const override;
+        private:
+            std::shared_ptr<sqlite3_stmt> m_stmt;
+            const int32_t m_index;
+    };
+
+    class Statement : public IStatement
+    {
+        public:
+            ~Statement() = default;
+            Statement(std::shared_ptr<IConnection>& connection,
+                      const std::string& query);
+
+            int32_t step() override;
+            void reset() override;
+
+            void bind(const int32_t index, const int32_t value) override;
+            void bind(const int32_t index, const uint64_t value) override;
+            void bind(const int32_t index, const int64_t value) override;
+            void bind(const int32_t index, const std::string& value) override;
+            void bind(const int32_t index, const double_t value) override;
+            int columnsCount() const override;
+
+            std::string expand() override;
+
+            std::unique_ptr<IColumn> column(const int32_t index) override;
+
+        private:
+            std::shared_ptr<IConnection> m_connection;
+            std::shared_ptr<sqlite3_stmt> m_stmt;
+            const int m_bindParametersCount;
+            int m_bindParametersIndex;
+    };
+}
+
+#endif // _SQLITE_WRAPPER_H
diff --git a/src/common/dbsync/src/sqlite/sqlite_wrapper_factory.h b/src/common/dbsync/src/sqlite/sqlite_wrapper_factory.h
new file mode 100644
index 0000000000..7a1ab215b4
--- /dev/null
+++ b/src/common/dbsync/src/sqlite/sqlite_wrapper_factory.h
@@ -0,0 +1,55 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SQLITE_WRAPPER_FACTORY_H
+#define _SQLITE_WRAPPER_FACTORY_H
+
+#include "sqlite_wrapper.h"
+#include "makeUnique.h"
+class ISQLiteFactory
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~ISQLiteFactory() = default;
+        // LCOV_EXCL_STOP
+        virtual std::shared_ptr<SQLite::IConnection> createConnection(const std::string& path) = 0;
+        virtual std::unique_ptr<SQLite::ITransaction> createTransaction(std::shared_ptr<SQLite::IConnection>& connection) = 0;
+        virtual std::unique_ptr<SQLite::IStatement> createStatement(std::shared_ptr<SQLite::IConnection>& connection,
+                                                                    const std::string& query) = 0;
+};
+
+class SQLiteFactory : public ISQLiteFactory
+{
+    public:
+        SQLiteFactory() = default;
+        // LCOV_EXCL_START
+        ~SQLiteFactory() = default;
+        // LCOV_EXCL_STOP
+        SQLiteFactory(const SQLiteFactory&) = delete;
+        SQLiteFactory& operator=(const SQLiteFactory&) = delete;
+
+        std::shared_ptr<SQLite::IConnection> createConnection(const std::string& path) override
+        {
+            return std::make_shared<SQLite::Connection>(path);
+        }
+        std::unique_ptr<SQLite::ITransaction> createTransaction(std::shared_ptr<SQLite::IConnection>& connection) override
+        {
+            return std::make_unique<SQLite::Transaction>(connection);
+        }
+
+        std::unique_ptr<SQLite::IStatement> createStatement(std::shared_ptr<SQLite::IConnection>& connection,
+                                                            const std::string& query) override
+        {
+            return std::make_unique<SQLite::Statement>(connection, query);
+        }
+};
+
+#endif // _SQLITE_WRAPPER_FACTORY_H
diff --git a/src/common/dbsync/tests/CMakeLists.txt b/src/common/dbsync/tests/CMakeLists.txt
index e69de29bb2..7746c89e74 100644
--- a/src/common/dbsync/tests/CMakeLists.txt
+++ b/src/common/dbsync/tests/CMakeLists.txt
@@ -0,0 +1,21 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(unit_tests)
+
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+include_directories(${CMAKE_SOURCE_DIR}/src/sqlite/)
+include_directories(${SRC_FOLDER}/external/googletest/googletest/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googlemock/include/)
+
+link_directories(${SRC_FOLDER}/external/googletest/lib/)
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -fprofile-arcs ")
+else()
+  string(APPEND CMAKE_EXE_LINKER_FLAGS " -lgcov ")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_subdirectory(sqlite)
+add_subdirectory(interface)
+add_subdirectory(pipelineFactory)
+add_subdirectory(dbengine)
\ No newline at end of file
diff --git a/src/common/dbsync/tests/Readme.md b/src/common/dbsync/tests/Readme.md
new file mode 100644
index 0000000000..e7f6ae3210
--- /dev/null
+++ b/src/common/dbsync/tests/Readme.md
@@ -0,0 +1,30 @@
+# Unit Tests
+## Index
+1. [Compile Wazuh](#compile-wazuh)
+2. [Compile and run unit tests for Linux targets](#compile-and-run-unit-tests-for-linux-targets)
+
+## Compile Wazuh
+In order to run unit tests on a specific wazuh target, the project needs to be built with the `DEBUG` and `TEST` options as shown below:
+```
+make deps RESOURCES_URL=file:///path/to/deps/
+make TARGET=server|agent DEBUG=1 TEST=1
+```
+
+## Compile and run unit tests for Linux targets
+In order to run unit tests for dbsync, these need to be built using [CMake](#installing\ cmake) version 3.12 or higher.
+
+Navigate into `wazuh/src/dbsync/` and run the following commands:
+```
+mkdir build
+cd build
+cmake -DEXTERNAL_LIB=~/path/to/wazuh/src/external/ -DCMAKE_BUILD_TYPE=Debug -DUNIT_TEST=ON ..
+cmake --build .
+```
+
+### Running a specific test
+In case you need to run a specific test, navigate into the subdirectory where the test resides and run it as you would any other Linux binary. As an example, if you want to run tests on `string_helper.cpp`
+```
+cd bin
+./string_helper_unit_test
+```
+The output of the test will be written directly into the console.
diff --git a/src/common/dbsync/tests/dbengine/CMakeLists.txt b/src/common/dbsync/tests/dbengine/CMakeLists.txt
new file mode 100644
index 0000000000..c9337f798c
--- /dev/null
+++ b/src/common/dbsync/tests/dbengine/CMakeLists.txt
@@ -0,0 +1,54 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbengine_unit_test)
+
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-Wall -Wextra -std=c++14 --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+
+file(GLOB DBENGINE_UNITTEST_SRC
+    "*.cpp")
+
+file(GLOB SQLITE_ENGINE_SRC
+    "${CMAKE_SOURCE_DIR}/src/sqlite/sqlite_dbengine.cpp")
+
+add_executable(dbengine_unit_test 
+    ${DBENGINE_UNITTEST_SRC} 
+    ${SQLITE_ENGINE_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(dbengine_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(dbengine_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME dbengine_unit_test
+         COMMAND dbengine_unit_test)
diff --git a/src/common/dbsync/tests/dbengine/dbengine_test.cpp b/src/common/dbsync/tests/dbengine/dbengine_test.cpp
new file mode 100644
index 0000000000..48a22b7824
--- /dev/null
+++ b/src/common/dbsync/tests/dbengine/dbengine_test.cpp
@@ -0,0 +1,859 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <iostream>
+#include <string>
+#include "abstractLocking.hpp"
+#include "dbengine_test.h"
+#include "sqlite_dbengine.h"
+#include "../mocks/sqlitewrapper_mock.h"
+#include "../mocks/sqlitefactory_mock.h"
+
+using ::testing::_;
+using ::testing::Return;
+using ::testing::An;
+using ::testing::ByMove;
+
+static void initNoMetaDataMocks(std::unique_ptr<SQLiteDBEngine>& spEngine)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    EXPECT_CALL(*mockFactory, createConnection(_)).WillOnce(Return(mockConnection));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+}
+
+TEST_F(DBEngineTest, Initialization)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    auto mockStatement { std::make_unique<MockStatement>() };
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockStatement, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory, createStatement(_, _))
+    .WillOnce(Return(ByMove(std::move(mockStatement))));
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    EXPECT_NO_THROW(std::make_unique<SQLiteDBEngine>(
+                        mockFactory,
+                        "1",
+                        "NNN"));
+}
+
+TEST_F(DBEngineTest, InitializationSQLError)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    auto mockStatement { std::make_unique<MockStatement>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockStatement, step())
+    .WillOnce(Return(SQLITE_ERROR));
+    EXPECT_CALL(*mockFactory, createStatement(_, _))
+    .WillOnce(Return(ByMove(std::move(mockStatement))));
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    EXPECT_THROW(std::make_unique<SQLiteDBEngine>(
+                     mockFactory,
+                     "1",
+                     "NNN"), dbengine_error);
+}
+
+TEST_F(DBEngineTest, InitializationEmptyQuery)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    EXPECT_NO_THROW(std::make_unique<SQLiteDBEngine>(
+                        mockFactory,
+                        "1",
+                        ""));
+}
+
+TEST_F(DBEngineTest, InitializationEmptyFileName)
+{
+    EXPECT_THROW(std::make_unique<SQLiteDBEngine>(
+                     nullptr,
+                     "",
+                     "NNN"), dbengine_error);
+}
+
+TEST_F(DBEngineTest, InitializeStatusField)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("PID"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const std::string&>()))
+    .WillOnce(Return("INTEGER"));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockStatement_2, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_1))));
+    EXPECT_CALL(*mockStatement_2, column(1))
+    .WillOnce(Return(ByMove(std::move(mockColumn_2))));
+    EXPECT_CALL(*mockStatement_2, column(2))
+    .WillOnce(Return(ByMove(std::move(mockColumn_3))));
+    EXPECT_CALL(*mockStatement_2, column(5))
+    .WillOnce(Return(ByMove(std::move(mockColumn_4))));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    auto mockStatement_3 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_3,
+                step())
+    .WillOnce(Return(0));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "ALTER TABLE dummy ADD COLUMN db_status_field_dm INTEGER DEFAULT 1;"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_3))));
+
+    auto mockStatement_4 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_4,
+                step())
+    .WillOnce(Return(0));
+
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "UPDATE dummy SET db_status_field_dm=0;"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_4))));
+
+
+    EXPECT_NO_THROW(spEngine->initializeStatusField(std::vector<std::string> {"dummy"}));
+}
+
+TEST_F(DBEngineTest, InitializeStatusFieldNoMetadata)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    EXPECT_THROW(spEngine->initializeStatusField(std::vector<std::string> {"dummy"}), dbengine_error);
+}
+
+TEST_F(DBEngineTest, InitializeStatusFieldPreExistent)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("PID"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const std::string&>()))
+    .WillOnce(Return("INTEGER"));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockColumn_5 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_6 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_6, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_NAME));
+    auto mockColumn_7 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_7, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_TYPE));
+    auto mockColumn_8 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_8, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockStatement_2, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_1))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_5))));
+    EXPECT_CALL(*mockStatement_2, column(1))
+    .WillOnce(Return(ByMove(std::move(mockColumn_2))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_6))));
+    EXPECT_CALL(*mockStatement_2, column(2))
+    .WillOnce(Return(ByMove(std::move(mockColumn_3))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_7))));
+    EXPECT_CALL(*mockStatement_2, column(5))
+    .WillOnce(Return(ByMove(std::move(mockColumn_4))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_8))));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    auto mockStatement_4 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_4,
+                step())
+    .WillOnce(Return(0));
+
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "UPDATE dummy SET db_status_field_dm=0;"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_4))));
+
+    EXPECT_NO_THROW(spEngine->initializeStatusField(std::vector<std::string> {"dummy"}));
+}
+
+TEST_F(DBEngineTest, DeleteRowsByStatusField)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    EXPECT_CALL(*mockConnection, changes()).Times(1)
+    .WillOnce(Return(1));
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("PID"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const std::string&>()))
+    .WillOnce(Return("INTEGER"));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockColumn_5 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_6 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_6, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_NAME));
+    auto mockColumn_7 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_7, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_TYPE));
+    auto mockColumn_8 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_8, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockStatement_2, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_1))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_5))));
+    EXPECT_CALL(*mockStatement_2, column(1))
+    .WillOnce(Return(ByMove(std::move(mockColumn_2))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_6))));
+    EXPECT_CALL(*mockStatement_2, column(2))
+    .WillOnce(Return(ByMove(std::move(mockColumn_3))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_7))));
+    EXPECT_CALL(*mockStatement_2, column(5))
+    .WillOnce(Return(ByMove(std::move(mockColumn_4))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_8))));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    auto mockStatement_3 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_3,
+                step())
+    .WillOnce(Return(0));
+
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "DELETE FROM dummy WHERE db_status_field_dm=0;"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_3))));
+
+    EXPECT_NO_THROW(spEngine->deleteRowsByStatusField(std::vector<std::string> {"dummy"}));
+}
+
+TEST_F(DBEngineTest, DeleteRowsByStatusFieldNoMetadata)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    EXPECT_THROW(spEngine->deleteRowsByStatusField(std::vector<std::string> {"dummy"}), dbengine_error);
+}
+
+TEST_F(DBEngineTest, GetRowsToBeDeletedByStatusFieldNoMetadata)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    auto mockTransaction1 { std::make_unique<MockTransaction>() };
+    auto mockTransaction2 { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockTransaction1, commit()).Times(1);
+    EXPECT_CALL(*mockFactory, createTransaction(_)).Times(2)
+    .WillOnce(Return(ByMove(std::move(mockTransaction1))))
+    .WillOnce(Return(ByMove(std::move(mockTransaction2))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory, createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory, createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    std::shared_timed_mutex mutex;
+    std::unique_lock<std::shared_timed_mutex> lock(mutex);
+    EXPECT_THROW(spEngine->returnRowsMarkedForDelete({"dummy"}, nullptr, lock), dbengine_error);
+}
+
+TEST_F(DBEngineTest, GetRowsToBeDeletedByStatusField)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+
+    // First transaction, during the initialization of the engine.
+    auto mockTransaction1 { std::make_unique<MockTransaction>() };
+    // Second transaction, created after the getDeletedRows call.
+    auto mockTransaction2 { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createConnection(_)).WillOnce(Return(mockConnection));
+    EXPECT_CALL(*mockTransaction1, commit()).Times(1);
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .Times(2)
+    .WillOnce(Return(ByMove(std::move(mockTransaction1))))
+    .WillOnce(Return(ByMove(std::move(mockTransaction2))));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("PID"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const std::string&>()))
+    .WillOnce(Return("INTEGER"));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockColumn_5 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_6 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_6, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_NAME));
+    auto mockColumn_7 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_7, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_TYPE));
+    auto mockColumn_8 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_8, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockStatement_2, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_1))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_5))));
+    EXPECT_CALL(*mockStatement_2, column(1))
+    .WillOnce(Return(ByMove(std::move(mockColumn_2))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_6))));
+    EXPECT_CALL(*mockStatement_2, column(2))
+    .WillOnce(Return(ByMove(std::move(mockColumn_3))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_7))));
+    EXPECT_CALL(*mockStatement_2, column(5))
+    .WillOnce(Return(ByMove(std::move(mockColumn_4))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_8))));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    auto mockStatement_3 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_3,
+                step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+
+    auto mockColumn_9 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_9, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    EXPECT_CALL(*mockStatement_3, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_9))));
+
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "SELECT PID FROM dummy WHERE db_status_field_dm=0;"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_3))));
+
+    std::shared_timed_mutex mutex;
+    std::unique_lock<std::shared_timed_mutex> lock(mutex);
+    EXPECT_NO_THROW(spEngine->returnRowsMarkedForDelete({"dummy"}, [](ReturnTypeCallback, const nlohmann::json&) {}, lock));
+}
+
+TEST_F(DBEngineTest, syncTableRowDataWithoutMetadataShouldThrow)
+{
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    std::shared_timed_mutex mutex;
+    Utils::ExclusiveLocking lock(mutex);
+
+    initNoMetaDataMocks(spEngine);
+    // Due to the no metadata this should throw
+    EXPECT_THROW(spEngine->syncTableRowData({{"table", "dummy"}, {"data", {}}}, nullptr, false, lock), dbengine_error);
+}
+
+TEST_F(DBEngineTest, deleteTableRowsDataWithoutMetadataShouldThrow)
+{
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    initNoMetaDataMocks(spEngine);
+
+    // Due to the no metadata this should throw
+    EXPECT_THROW(spEngine->deleteTableRowsData("dummy", {}), dbengine_error);
+}
+
+TEST_F(DBEngineTest, selectDataWithoutMetadataShouldThrow)
+{
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    initNoMetaDataMocks(spEngine);
+
+    // Due to the no metadata this should throw
+    std::shared_timed_mutex mutex;
+    std::unique_lock<std::shared_timed_mutex> lock(mutex);
+    EXPECT_THROW(spEngine->selectData("dummy", {}, nullptr, lock), dbengine_error);
+}
+
+TEST_F(DBEngineTest, bulkInsertWithoutMetadataShouldThrow)
+{
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    initNoMetaDataMocks(spEngine);
+
+    // Due to the no metadata this should throw
+    EXPECT_THROW(spEngine->bulkInsert("dummy", nullptr), dbengine_error);
+}
+TEST_F(DBEngineTest, AddTableRelationship)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    const auto& relationshipJSON { nlohmann::json::parse(
+                                       R"(
+            {
+                "base_table":"dummy",
+                "relationed_tables":
+                [
+                    {
+                        "table": "dummy_relationed_1",
+                        "field_match":
+                        {
+                            "field_n_1": "field_m_1",
+                            "field_n_2": "field_m_2"
+                        }
+                    },
+                    {
+                        "table": "dummy_relationed_2",
+                        "field_match":
+                        {
+                            "field_n_1": "field_m_1",
+                            "field_n_2": "field_m_2"
+                        }
+                    }
+                ]
+            }
+        )"
+                                   )};
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+    EXPECT_CALL(*mockFactory, createConnection(_)).WillOnce(Return(mockConnection));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step()).WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockColumn_1 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_1, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_2 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_2, value(An<const std::string&>()))
+    .WillOnce(Return("PID"));
+    auto mockColumn_3 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_3, value(An<const std::string&>()))
+    .WillOnce(Return("INTEGER"));
+    auto mockColumn_4 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_4, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockColumn_5 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_5, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_6 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_6, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_NAME));
+    auto mockColumn_7 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_7, value(An<const std::string&>()))
+    .WillOnce(Return(STATUS_FIELD_TYPE));
+    auto mockColumn_8 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_8, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+
+    auto mockColumn_9 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_9, value(An<const int32_t&>()))
+    .WillOnce(Return(0));
+    auto mockColumn_10 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_10, value(An<const std::string&>()))
+    .WillOnce(Return("path"));
+    auto mockColumn_11 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_11, value(An<const std::string&>()))
+    .WillOnce(Return("TEXT"));
+    auto mockColumn_12 { std::make_unique<MockColumn>() };
+    EXPECT_CALL(*mockColumn_12, value(An<const int32_t&>()))
+    .WillOnce(Return(1));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_ROW))
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockStatement_2, column(0))
+    .WillOnce(Return(ByMove(std::move(mockColumn_1))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_5))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_9))));
+    EXPECT_CALL(*mockStatement_2, column(1))
+    .WillOnce(Return(ByMove(std::move(mockColumn_2))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_6))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_10))));
+    EXPECT_CALL(*mockStatement_2, column(2))
+    .WillOnce(Return(ByMove(std::move(mockColumn_3))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_7))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_11))));
+    EXPECT_CALL(*mockStatement_2, column(5))
+    .WillOnce(Return(ByMove(std::move(mockColumn_4))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_8))))
+    .WillOnce(Return(ByMove(std::move(mockColumn_12))));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    EXPECT_CALL(*mockConnection,
+                execute("CREATE TRIGGER IF NOT EXISTS dummy_delete BEFORE DELETE ON dummy BEGIN DELETE FROM dummy_relationed_1 WHERE field_n_1 = OLD.field_m_1 AND field_n_2 = OLD.field_m_2;DELETE FROM dummy_relationed_2 WHERE field_n_1 = OLD.field_m_1 AND field_n_2 = OLD.field_m_2;END;")).Times(
+                    1);
+    EXPECT_CALL(*mockConnection,
+                execute("CREATE TRIGGER IF NOT EXISTS dummy_update BEFORE UPDATE OF PID,path ON dummy BEGIN UPDATE dummy_relationed_1 SET field_n_1 = NEW.field_m_1,field_n_2 = NEW.field_m_2 WHERE field_n_1 = OLD.field_m_1 AND field_n_2 = OLD.field_m_2;UPDATE dummy_relationed_2 SET field_n_1 = NEW.field_m_1,field_n_2 = NEW.field_m_2 WHERE field_n_1 = OLD.field_m_1 AND field_n_2 = OLD.field_m_2;END;")).Times(
+                    1);
+
+    EXPECT_NO_THROW(spEngine->addTableRelationship(relationshipJSON));
+}
+
+TEST_F(DBEngineTest, AddTableRelationshipNoMetadata)
+{
+    const auto& mockFactory { std::make_shared<MockSQLiteFactory>() };
+    const auto& mockConnection { std::make_shared<MockConnection>() };
+    const auto& relationshipJSON { nlohmann::json::parse(
+                                       R"(
+            {
+                "base_table":"dummy",
+                "relationed_tables":
+                [
+                    {
+                        "table": "dummy_relationed_1",
+                        "field_match":
+                        {
+                            "field_n_1": "field_m_1",
+                            "field_n_2": "field_m_2"
+                        }
+                    },
+                    {
+                        "table": "dummy_relationed_2",
+                        "field_match":
+                        {
+                            "field_n_1": "field_m_1",
+                            "field_n_2": "field_m_2"
+                        }
+                    }
+                ]
+            }
+        )"
+                                   )};
+    auto mockTransaction { std::make_unique<MockTransaction>() };
+
+    EXPECT_CALL(*mockFactory, createTransaction(_))
+    .WillOnce(Return(ByMove(std::move(mockTransaction))));
+    EXPECT_CALL(*mockFactory, createConnection(_))
+    .WillOnce(Return(mockConnection));
+
+    auto mockStatement_1 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_1, step())
+    .WillOnce(Return(SQLITE_DONE));
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "NNN"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_1))));
+
+
+    EXPECT_CALL(*mockConnection, execute("PRAGMA temp_store = memory;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA journal_mode = truncate;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA synchronous = OFF;")).Times(1);
+    EXPECT_CALL(*mockConnection, execute("PRAGMA user_version = 1;")).Times(1);
+
+    std::unique_ptr<SQLiteDBEngine> spEngine;
+    EXPECT_NO_THROW(spEngine = std::make_unique<SQLiteDBEngine>(
+                                   mockFactory,
+                                   "1",
+                                   "NNN"));
+
+    auto mockStatement_2 { std::make_unique<MockStatement>() };
+    EXPECT_CALL(*mockStatement_2, step())
+    .WillOnce(Return(SQLITE_DONE));
+
+    EXPECT_CALL(*mockFactory,
+                createStatement(_, "PRAGMA table_info(dummy);"))
+    .WillOnce(Return(ByMove(std::move(mockStatement_2))));
+
+    EXPECT_THROW(spEngine->addTableRelationship(relationshipJSON), dbengine_error);
+}
diff --git a/src/common/dbsync/tests/dbengine/dbengine_test.h b/src/common/dbsync/tests/dbengine/dbengine_test.h
new file mode 100644
index 0000000000..f340c8c74c
--- /dev/null
+++ b/src/common/dbsync/tests/dbengine/dbengine_test.h
@@ -0,0 +1,24 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBENGINE_TEST_H
+#define _DBENGINE_TEST_H
+#include "gtest/gtest.h"
+
+class DBEngineTest : public ::testing::Test
+{
+    protected:
+
+        DBEngineTest() = default;
+        virtual ~DBEngineTest() = default;
+};
+
+#endif //_DBENGINE_TEST_H
\ No newline at end of file
diff --git a/src/common/dbsync/tests/dbengine/main.cpp b/src/common/dbsync/tests/dbengine/main.cpp
new file mode 100644
index 0000000000..d6fc27ef1c
--- /dev/null
+++ b/src/common/dbsync/tests/dbengine/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/dbsync/tests/interface/CMakeLists.txt b/src/common/dbsync/tests/interface/CMakeLists.txt
new file mode 100644
index 0000000000..49f9a2290a
--- /dev/null
+++ b/src/common/dbsync/tests/interface/CMakeLists.txt
@@ -0,0 +1,51 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbsync_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+
+file(GLOB INTERFACE_UNITTEST_SRC
+    "*.cpp"
+    "${CMAKE_SOURCE_DIR}/src/*.cpp"
+    "${CMAKE_SOURCE_DIR}/src/sqlite/*.cpp")
+
+add_executable(dbsync_unit_test 
+    ${INTERFACE_UNITTEST_SRC} )
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(dbsync_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        sqlite3
+        cjson
+        pthread
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(dbsync_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        sqlite3
+        cjson
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME dbsync_unit_test
+         COMMAND dbsync_unit_test)
diff --git a/src/common/dbsync/tests/interface/dbsync_test.cpp b/src/common/dbsync/tests/interface/dbsync_test.cpp
new file mode 100644
index 0000000000..20470c1aeb
--- /dev/null
+++ b/src/common/dbsync/tests/interface/dbsync_test.cpp
@@ -0,0 +1,2437 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <iostream>
+#include "json.hpp"
+#include "dbsync_test.h"
+#include "dbsync.h"
+#include "dbsync.hpp"
+#include "makeUnique.h"
+#include "test_inputs.h"
+#include "cjsonSmartDeleter.hpp"
+
+constexpr auto DATABASE_TEMP {"TEMP.db"};
+constexpr auto DATABASE_MEMORY {":memory:"};
+constexpr auto DATABASE_PERMISSIONS
+{
+    0640u
+};
+
+
+class CallbackMock
+{
+    public:
+        CallbackMock() = default;
+        ~CallbackMock() = default;
+        MOCK_METHOD(void, callbackMock, (ReturnTypeCallback result_type, const nlohmann::json&), ());
+};
+
+static void callback(const ReturnTypeCallback type,
+                     const cJSON* json,
+                     void* ctx)
+{
+    CallbackMock* wrapper { reinterpret_cast<CallbackMock*>(ctx)};
+    const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{ cJSON_PrintUnformatted(json) };
+    wrapper->callbackMock(type, nlohmann::json::parse(spJsonBytes.get()));
+}
+
+static void logFunction(const char* msg)
+{
+    if (msg)
+    {
+        std::cout << msg << std::endl;
+    }
+}
+
+void DBSyncTest::SetUp()
+{
+    dbsync_initialize(&logFunction);
+};
+
+void DBSyncTest::TearDown()
+{
+    EXPECT_NO_THROW(dbsync_teardown());
+    std::remove(DATABASE_TEMP);
+};
+
+TEST_F(DBSyncTest, Initialization)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    // On windows, no change in permissions is expected
+#ifndef _WIN32
+    struct stat stStat {};
+    ASSERT_EQ(0, stat(DATABASE_TEMP, &stStat));
+    ASSERT_NE(0, S_ISREG(stStat.st_mode));
+    EXPECT_EQ(DATABASE_PERMISSIONS, stStat.st_mode & 0777);
+#endif
+}
+
+TEST_F(DBSyncTest, InitializationNullptr)
+{
+    const auto handle_1 { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, nullptr) };
+    ASSERT_EQ(nullptr, handle_1);
+    const auto handle_2 { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, nullptr, "valid") };
+    ASSERT_EQ(nullptr, handle_2);
+}
+
+TEST_F(DBSyncTest, InitializationWithInvalidSqlStmt)
+{
+    const auto sqlWithoutTable{ "CREATE TABLE (`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle_1 { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sqlWithoutTable) };
+    ASSERT_EQ(nullptr, handle_1);
+}
+
+TEST_F(DBSyncTest, InitializationWithWrongDBEngine)
+{
+    const auto sqlWithoutTable{ "CREATE TABLE (`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::UNDEFINED, DATABASE_TEMP, sqlWithoutTable) };
+    ASSERT_EQ(nullptr, handle);
+}
+
+TEST_F(DBSyncTest, createTxn)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables { cJSON_Parse(tables) };
+
+    callback_data_t callbackData { callback, dummyCtx.get() };
+
+    EXPECT_NO_THROW(dummyCtx->txnContext = dbsync_create_txn(handle, jsonTables.get(), 0, 100, callbackData));
+    ASSERT_NE(nullptr, dummyCtx->txnContext);
+}
+
+TEST_F(DBSyncTest, createTxnNullptr)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes""})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables { cJSON_Parse(tables) };
+
+    callback_data_t callbackData { callback, dummyCtx.get() };
+    callback_data_t callbackDataNullptr { callback, nullptr };
+
+    ASSERT_NE(nullptr, handle);
+    ASSERT_EQ(nullptr, dbsync_create_txn(nullptr, jsonTables.get(), 0, 100, callbackData));
+    ASSERT_EQ(nullptr, dbsync_create_txn(handle, nullptr, 0, 100, callbackData));
+    ASSERT_EQ(nullptr, dbsync_create_txn(handle, jsonTables.get(), 0, 100, callbackData));
+    ASSERT_EQ(nullptr, dbsync_create_txn(handle, jsonTables.get(), 0, 0, callbackData));
+    ASSERT_EQ(nullptr, dbsync_create_txn(handle, jsonTables.get(), 0, 100, callbackDataNullptr));
+}
+
+TEST_F(DBSyncTest, syncTxnRowNullptr)
+{
+    const auto insertionSqlStmt1{ R"({"table":"processes","data":[{"pid":7,"name":"Guake"}]})"}; // Insert
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert1{ cJSON_Parse(insertionSqlStmt1) };
+    ASSERT_NE(0, dbsync_sync_txn_row(nullptr, jsInsert1.get()));
+}
+
+TEST_F(DBSyncTest, closeTxnNullptr)
+{
+    ASSERT_NE(0, dbsync_close_txn(nullptr));
+}
+
+TEST_F(DBSyncTest, dbsyncAddTableRelationshipDummy)
+{
+    ASSERT_EQ(-1, dbsync_add_table_relationship(nullptr, nullptr));
+}
+
+TEST_F(DBSyncTest, dbsyncAddTableRelationship)
+{
+    const auto sql { R"(CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;CREATE TABLE processes_sockets(`socket_id` BIGINT, `pid` BIGINT, PRIMARY KEY (`socket_id`)) WITHOUT ROWID;)"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto insertDataProcess { R"(
+        {
+            "table": "processes",
+            "data":[
+                {
+                    "pid":4,
+                    "name":"System",
+                    "path":"",
+                    "cmdline":"",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                 }
+            ]
+        }
+    )"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertProcess{ cJSON_Parse(insertDataProcess) };
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsertProcess.get()));
+
+    const auto insertDataSocket{ R"(
+        {
+        "table": "processes_sockets",
+            "data":[
+                {
+                    "pid":4,
+                    "socket_id":1
+                }
+            ]
+        }
+    )"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertSocket{ cJSON_Parse(insertDataSocket) };
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsertSocket.get()));
+
+    const auto relationshipJson{ R"(
+        {
+            "base_table":"processes",
+            "relationed_tables":
+            [
+                {
+                    "table": "processes_sockets",
+                    "field_match":
+                    {
+                        "pid": "pid"
+                    }
+                }
+            ]
+        })"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRelationship{ cJSON_Parse(relationshipJson) };
+    EXPECT_EQ(0, dbsync_add_table_relationship(handle, jsRelationship.get()));
+
+
+    const auto deleteProcess{ R"(
+        {
+            "table": "processes",
+            "query": {
+                "data":[
+                {
+                    "pid":4
+                }],
+                "where_filter_opt":""
+            }
+        })"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsDeleteProcess{ cJSON_Parse(deleteProcess) };
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsDeleteProcess.get()));
+
+}
+
+TEST_F(DBSyncTest, AddTableRelationshipIncorrectJSON)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto addRelationshipIncorrectJson{ R"(
+    {
+            "base_table":"processes",
+            "relationed_tables":
+            [
+                {
+                    "incorrect": "processes_sockets",
+                    "incorrect":
+                    {
+                        "incorrect": "pid"
+                    }
+                }
+            ]
+        })"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsAddRelationshipIncorrectJson{ cJSON_Parse(addRelationshipIncorrectJson) };
+    EXPECT_NE(0, dbsync_add_table_relationship(handle, jsAddRelationshipIncorrectJson.get()));
+}
+TEST_F(DBSyncTest, InsertData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, InsertDataWithCompoundPKs)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`, `tid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":"100"},
+                                                                 {"pid":5,"name":"User1", "tid":101},
+                                                                 {"pid":6,"name":"User2", "tid":102}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, InsertMoreCompleteData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `threads` INTEGER, `cpu_usage` DOUBLE, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System", "threads":5, "cpu_usage":17.50}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, InsertDataWithWrongColumnType)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `threads` INTEGER, `cpu_usage` DOUBLE, `blob` BLOB, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System", "threads":5, "cpu_usage":17.50, "blob":1}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_NE(0, dbsync_insert_data(handle, jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, InsertDataWithInvalidInput)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto inputNoData{ R"({"table":"processes"})"};
+    const auto inputNoTable{ R"({"data":[{"pid":4,"name":"System", "tid":101}]})"};
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInputNoData{ cJSON_Parse(inputNoData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInputNoTable{ cJSON_Parse(inputNoTable) };
+
+    EXPECT_NE(0, dbsync_insert_data(handle, jsInputNoData.get()));
+    EXPECT_NE(0, dbsync_insert_data(handle, jsInputNoTable.get()));
+}
+
+TEST_F(DBSyncTest, InsertDataNullptr)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    EXPECT_NE(0, dbsync_insert_data(handle, nullptr));
+}
+
+TEST_F(DBSyncTest, InsertDataInvalidHandle)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_NE(0, dbsync_insert_data(reinterpret_cast<void*>(0xffffffff), jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, GetDeletedRowsInvalidInput)
+{
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+    EXPECT_NE(0, dbsync_get_deleted_rows(nullptr, callbackData));
+}
+
+TEST_F(DBSyncTest, GetDeletedRowsOnlyPKs)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `euser` TEXT, PRIMARY KEY (`pid`,`name`)) WITHOUT ROWID;"};
+    const auto table { R"({"table":"processes"})" };
+    auto syncSqlStmt1 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System","euser":"wazuh"})"))
+                        .query();
+    auto syncSqlStmt2 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":7,"name":"Guake","euser":"wazuh"})"))
+                        .query();
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables { cJSON_Parse(table) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSync1 { cJSON_Parse(syncSqlStmt1.dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSync2{ cJSON_Parse(syncSqlStmt2.dump().c_str()) };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4,"euser":"wazuh"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7,"euser":"wazuh"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"euser":"wazuh","name":"System","pid":4})"))).Times(1);
+
+    dummyCtx->handle = dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql);
+    ASSERT_NE(nullptr, dummyCtx->handle);
+
+    EXPECT_EQ(0, dbsync_sync_row(dummyCtx->handle, jsSync1.get(), callbackData));
+
+    EXPECT_NO_THROW(dummyCtx->txnContext = dbsync_create_txn(dummyCtx->handle, jsonTables.get(), 0, 100, callbackData));
+    ASSERT_NE(nullptr, dummyCtx->txnContext);
+
+    EXPECT_EQ(0, dbsync_sync_txn_row(dummyCtx->txnContext, jsSync2.get()));
+
+    EXPECT_EQ(0, dbsync_get_deleted_rows(dummyCtx->txnContext, callbackData));
+}
+
+TEST_F(DBSyncTest, GetDeletedRowsAllAttributes)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `euser` TEXT, PRIMARY KEY (`pid`,`name`)) WITHOUT ROWID;"};
+    const auto table { R"({"table":"processes"})" };
+    auto syncSqlStmt1 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System","euser":"wazuh"})"))
+                        .query();
+    auto syncSqlStmt2 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":7,"name":"Guake","euser":"wazuh"})"))
+                        .query();
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables { cJSON_Parse(table) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSync1 { cJSON_Parse(syncSqlStmt1.dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSync2{ cJSON_Parse(syncSqlStmt2.dump().c_str()) };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4,"euser":"wazuh"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7,"euser":"wazuh"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"name":"System","pid":4,"euser":"wazuh"})"))).Times(1);
+
+    dummyCtx->handle = dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql);
+    ASSERT_NE(nullptr, dummyCtx->handle);
+
+    EXPECT_EQ(0, dbsync_sync_row(dummyCtx->handle, jsSync1.get(), callbackData));
+
+    dummyCtx->txnContext = dbsync_create_txn(dummyCtx->handle, jsonTables.get(), 0, 100, callbackData);
+    ASSERT_NE(nullptr, dummyCtx->handle);
+
+    EXPECT_EQ(0, dbsync_sync_txn_row(dummyCtx->txnContext, jsSync2.get()));
+
+    EXPECT_EQ(0, dbsync_get_deleted_rows(dummyCtx->txnContext, callbackData));
+}
+
+TEST_F(DBSyncTest, UpdateData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    cJSON* jsResponse { nullptr };
+
+    EXPECT_EQ(0, dbsync_update_with_snapshot(handle, jsInsert.get(), &jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, UpdateDataBadInputs)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+    const auto badSqlStmt{ R"("pid":4,"name":"System")"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertWithoutTable{ cJSON_Parse(badSqlStmt) };
+
+    cJSON* jsResponse { nullptr };
+
+    // Failure cases
+    EXPECT_NE(0, dbsync_update_with_snapshot(reinterpret_cast<void*>(0xffffffff), jsInsert.get(), nullptr));
+    EXPECT_NE(0, dbsync_update_with_snapshot(handle, jsInsertWithoutTable.get(), &jsResponse));
+    EXPECT_NE(0, dbsync_update_with_snapshot(nullptr, jsInsertWithoutTable.get(), nullptr));
+    EXPECT_NE(0, dbsync_update_with_snapshot(handle, nullptr, nullptr));
+    EXPECT_NE(0, dbsync_update_with_snapshot(handle, jsInsert.get(), nullptr));
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, UpdateDataCb)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_update_with_snapshot_cb(handle, jsInsert.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, UpdateDataCbBadInputs)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    callback_data_t callbackData { nullptr, nullptr };
+
+    // Failure cases
+    EXPECT_NE(0, dbsync_update_with_snapshot_cb(reinterpret_cast<void*>(0xffffffff), jsInsert.get(), callbackData));
+    EXPECT_NE(0, dbsync_update_with_snapshot_cb(handle, nullptr, callbackData));
+    EXPECT_NE(0, dbsync_update_with_snapshot_cb(handle, jsInsert.get(), callbackData));
+}
+
+
+TEST_F(DBSyncTest, UpdateDataCbEmptyInputs)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({ "incorrect":"incorrect" })"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    // Failure cases
+    EXPECT_NE(0, dbsync_update_with_snapshot_cb(handle, jsInsert.get(), callbackData));
+}
+
+TEST(DBSyncTestInit, InitializeWithNullFnct)
+{
+    dbsync_initialize(nullptr);
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    cJSON* jsResponse { nullptr };
+
+    EXPECT_EQ(0, dbsync_update_with_snapshot(handle, jsInsert.get(), &jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, FreeNullptrResult)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    cJSON* jsResponse { nullptr };
+
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, UpdateDataWithLessFields)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT,`path` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    cJSON* jsResponse { nullptr };
+
+    EXPECT_EQ(0, dbsync_update_with_snapshot(handle, jsInsert.get(), &jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, SetMaxRows)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 100));
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 0));
+}
+
+TEST_F(DBSyncTest, TryToInsertMoreThanMaxRows)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}, {"pid":3,"name":"cmd"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 1));
+    EXPECT_NE(0, dbsync_insert_data(handle, jsInsert.get()));
+
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 0));
+    EXPECT_NE(0, dbsync_insert_data(handle, jsInsert.get()));
+
+    const auto deleteProcess{ R"(
+        {
+            "table": "processes",
+            "query": {
+                "data":[
+                {
+                    "pid":4
+                }],
+                "where_filter_opt":""
+            }
+        })"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsDeleteProcess{ cJSON_Parse(deleteProcess) };
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsDeleteProcess.get()));
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+}
+
+TEST_F(DBSyncTest, TryToUpdateMaxRowsElements)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}, {"pid":3,"name":"cmd"}]})"};
+    const auto updateSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"Cmd"}, {"pid":3,"name":"System"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 2));
+    EXPECT_NE(0, dbsync_set_table_max_rows(handle, "proceses", 2));
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+
+    cJSON* jsResponse { nullptr };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate{ cJSON_Parse(updateSqlStmt) };
+    EXPECT_EQ(0, dbsync_update_with_snapshot(handle, jsUpdate.get(), &jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+}
+
+TEST_F(DBSyncTest, TryToUpdateMoreThanMaxRowsElements)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}, {"pid":3,"name":"cmd"}]})"};
+    const auto updateSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"Cmd"}, {"pid":3,"name":"System"}, {"pid":5,"name":"powershell"}]})"};
+
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 2));
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+
+    cJSON* jsResponse { nullptr };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate{ cJSON_Parse(updateSqlStmt) };
+    EXPECT_NE(0, dbsync_update_with_snapshot(handle, jsUpdate.get(), &jsResponse));
+    EXPECT_EQ(nullptr, jsResponse);
+
+    EXPECT_EQ(0, dbsync_set_table_max_rows(handle, "processes", 10));
+    EXPECT_EQ(0, dbsync_update_with_snapshot(handle, jsUpdate.get(), &jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+    EXPECT_NO_THROW(dbsync_free_result(&jsResponse));
+
+    // Failure cases
+    EXPECT_NE(0, dbsync_set_table_max_rows(nullptr, "processes", 10));
+    EXPECT_NE(0, dbsync_set_table_max_rows(nullptr, "", 10));
+}
+
+TEST_F(DBSyncTest, SetMaxRowsBadData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+    EXPECT_NE(0, dbsync_set_table_max_rows(reinterpret_cast<void*>(0xffffffff), "dummy", 100));
+    EXPECT_NE(0, dbsync_set_table_max_rows(handle, "dummy", 100));
+}
+
+TEST_F(DBSyncTest, syncRowInsertAndModified)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"System", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MODIFIED, nlohmann::json::parse(R"({"name":"System","pid":4,"tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MODIFIED, nlohmann::json::parse(R"({"pid":4,"name":"Systemmm","tid":105})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"Guake"})"))).Times(1);
+
+    const auto insertionSqlStmt1{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                                  {"pid":5,"name":"System", "tid":101},
+                                                                  {"pid":6,"name":"System", "tid":102}]})"}; // Insert
+    const auto updateSqlStmt1{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":101}]})"};    // Update
+    const auto updateSqlStmt2{ R"({"table":"processes","data":[{"pid":4,"name":"Systemmm", "tid":105}]})"};  // Update
+    const auto insertSqlStmt3{ R"({"table":"processes","data":[{"pid":7,"name":"Guake"}]})"};                // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert1{ cJSON_Parse(insertionSqlStmt1) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate1{ cJSON_Parse(updateSqlStmt1) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate2{ cJSON_Parse(updateSqlStmt2) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert2{ cJSON_Parse(insertSqlStmt3) };
+
+    callback_data_t callbackData { callback, &wrapper };
+    callback_data_t callbackEmpty { nullptr, nullptr };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInsert1.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate1.get(), callbackData));  // Expect a modified event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate2.get(), callbackData));  // Expect a modified event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInsert2.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInsert2.get(), callbackData));  // Same as above but EXPECT_CALL Times is 1
+    // Failure cases
+    EXPECT_NE(0, dbsync_sync_row(nullptr, jsInsert2.get(), callbackData));
+    EXPECT_NE(0, dbsync_sync_row(handle, nullptr, callbackData));
+    EXPECT_NE(0, dbsync_sync_row(handle, jsInsert2.get(), callbackEmpty));
+}
+
+TEST_F(DBSyncTest, syncRowInsertAndModifiedWithOldData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System","tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"System","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System","tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MODIFIED, nlohmann::json::parse(R"({"new":{"name":"System","pid":4,"tid":101},"old":{"pid":4,"tid":100}})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MODIFIED, nlohmann::json::parse(R"({"new":{"name":"Systemmm","pid":4,"tid":105},"old":{"name":"System","pid":4,"tid":101}})"))).Times(1);
+
+
+    auto insertionQuery1 = InsertQuery::builder().table("processes")
+                           .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))
+                           .data(nlohmann::json::parse(R"({"pid":5,"name":"System", "tid":101})"))
+                           .data(nlohmann::json::parse(R"({"pid":6,"name":"System", "tid":102})"));
+    auto updateQuery1 = SyncRowQuery::builder().table("processes")
+                        .returnOldData()
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":101})"));
+    auto updateQuery2 = SyncRowQuery::builder().table("processes")
+                        .returnOldData()
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"Systemmm", "tid":105})"));
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert1{ cJSON_Parse(insertionQuery1.query().dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate1{ cJSON_Parse(updateQuery1.query().dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate2{ cJSON_Parse(updateQuery2.query().dump().c_str()) };
+
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInsert1.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate1.get(), callbackData));  // Expect a modified event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate2.get(), callbackData));  // Expect a modified event
+}
+
+TEST_F(DBSyncTest, syncRowIgnoreFields)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+
+    auto insertionQuery = InsertQuery::builder().table("processes")
+                          .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))
+                          .data(nlohmann::json::parse(R"({"pid":5,"name":"System", "tid":101})"))
+                          .data(nlohmann::json::parse(R"({"pid":6,"name":"System", "tid":102})"));
+    auto updateQuery1 = SyncRowQuery::builder().table("processes")
+                        .ignoreColumn("tid")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":101})"));
+    auto updateQuery2 = SyncRowQuery::builder().table("processes")
+                        .ignoreColumn("tid")
+                        .ignoreColumn("name")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"Systemmm", "tid":105})"));
+    auto updateQuery3 = SyncRowQuery::builder().table("processes")
+                        .ignoreColumn("tid")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"SystemIsDown", "tid":106})"));
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert1{ cJSON_Parse(insertionQuery.query().dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate1{ cJSON_Parse(updateQuery1.query().dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate2{ cJSON_Parse(updateQuery2.query().dump().c_str()) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUpdate3{ cJSON_Parse(updateQuery3.query().dump().c_str()) };
+
+
+    CallbackMock wrapper;
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System","tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"System","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System","tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MODIFIED, nlohmann::json::parse(R"({"pid":4, "name":"SystemIsDown", "tid":106})"))).Times(1);
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInsert1.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate1.get(), callbackData));  // Expect an update event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate2.get(), callbackData));  // Expect an update event
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsUpdate3.get(), callbackData));  // Expect an update event
+}
+
+
+
+TEST_F(DBSyncTest, syncRowInvalidData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto inputNoData{ R"({"table":"processes"})"};
+    const auto inputNoTable{ R"({"data":[{"pid":4,"name":"System", "tid":101}]})"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInputNoData{ cJSON_Parse(inputNoData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInputNoTable{ cJSON_Parse(inputNoTable) };
+
+    callback_data_t callbackData { callback, nullptr };
+
+    EXPECT_NE(0, dbsync_sync_row(handle, jsInputNoData.get(), callbackData));
+    EXPECT_NE(0, dbsync_sync_row(handle, jsInputNoTable.get(), callbackData));
+    EXPECT_NE(0, dbsync_sync_row(reinterpret_cast<void*>(0xffffffff), jsInputNoTable.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllNoFilter)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` UNSIGNED BIGINT,`cpu_percentage` DOUBLE, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100, "cpu_percentage":10.7},
+                                                                 {"pid":115,"name":"System2", "tid":101, "cpu_percentage":55.4},
+                                                                 {"pid":120,"name":"System3", "tid":101, "cpu_percentage":22.1},
+                                                                 {"pid":125,"name":"System3", "tid":102, "cpu_percentage":90.3},
+                                                                 {"pid":300,"name":"System5", "tid":102, "cpu_percentage":30.5}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":4,"name":"System1", "tid":100, "cpu_percentage":10.7})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":115,"name":"System2", "tid":101, "cpu_percentage":55.4})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":120,"name":"System3", "tid":101, "cpu_percentage":22.1})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":125,"name":"System3", "tid":102, "cpu_percentage":90.3})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":300,"name":"System5", "tid":102, "cpu_percentage":30.5})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllFilterPid)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"WHERE pid>120",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":125,"name":"System3", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":300,"name":"System5", "tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllFilterPidOr)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"WHERE pid=120 OR pid=300",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":120,"name":"System3", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":300,"name":"System5", "tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllFilterPidBetween)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"WHERE pid BETWEEN 120 AND 300",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":120,"name":"System3", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":125,"name":"System3", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":300,"name":"System5", "tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectCount)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["count(*) AS count"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"count":5})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectInnerJoin)
+{
+    CallbackMock wrapper;
+
+    const auto sql
+    {
+        "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `fid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"
+        "CREATE TABLE files(`inode` BIGINT, `path` TEXT, `size` BIGINT, PRIMARY KEY (`inode`)) WITHOUT ROWID;"
+    };
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["pid,name,fid,path,size"],
+           "row_filter":"INNER JOIN files ON processes.fid=files.inode WHERE pid BETWEEN 100 AND 200",
+           "distinct_opt":false,
+           "order_by_opt":"",
+           "count_opt":100}})"
+    };
+
+    const auto insertPidsSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "fid":100},
+                                                                  {"pid":115,"name":"System2", "fid":101},
+                                                                  {"pid":225,"name":"System3", "fid":102}]})"}; // Insert pids
+    const auto insertFilesSqlStmt{ R"({"table":"files","data":[{"inode":100,"path":"/usr/bin/System1", "size":123456},
+                                                               {"inode":101,"path":"/usr/bin/System2", "size":654321},
+                                                               {"inode":102,"path":"/usr/bin/System3", "size":321654}]})"}; // Insert files
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertPids{ cJSON_Parse(insertPidsSqlStmt) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertFiles{ cJSON_Parse(insertFilesSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":115,"name":"System2", "fid":101, "path":"/usr/bin/System2", "size":654321})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsertPids.get()));
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsertFiles.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllFilterPid1)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"WHERE (pid>120 AND pid<200) ",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":125,"name":"System3", "tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataAllFilterPidTid)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["*"],
+           "row_filter":"WHERE (pid>120 AND tid!=101) ",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":125,"name":"System3", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"pid":300,"name":"System5", "tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataNameOnlyFilterPidTid)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["name"],
+           "row_filter":"WHERE (pid>120 AND tid!=101) ",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System5"})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+
+TEST_F(DBSyncTest, selectRowsDataNameOnly)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["name"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System1"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System2"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3"})"))).Times(2);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System5"})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataNameOnlyFilterPid)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["name"],
+           "row_filter":"WHERE pid<120",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System1"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System2"})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataNameTidOnly)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["name","tid"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System1","tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System2","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3","tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System5","tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+}
+
+TEST_F(DBSyncTest, selectRowsDataNameTidOnlyPid)
+{
+    CallbackMock wrapper;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["name","tid"],
+           "row_filter":"WHERE pid>100",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto selectDataWithoutTable
+    {
+        R"({"query":{"column_list":["name","tid"],
+           "row_filter":"pid>100",
+           "distinct_opt":false,
+           "order_by_opt":"tid",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectData{ cJSON_Parse(selectData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSelectDataWithoutTable{ cJSON_Parse(selectDataWithoutTable) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsert{ cJSON_Parse(insertionSqlStmt) };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System2","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System3","tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System5","tid":102})"))).Times(1);
+
+    callback_data_t callbackData { callback, &wrapper };
+    callback_data_t callbackEmpty { nullptr, nullptr };
+
+    EXPECT_EQ(0, dbsync_insert_data(handle, jsInsert.get()));
+    EXPECT_EQ(0, dbsync_select_rows(handle, jsSelectData.get(), callbackData));
+    // Failure cases
+    EXPECT_NE(0, dbsync_select_rows(reinterpret_cast<void*>(0xffffffff), jsSelectData.get(), callbackData));
+    EXPECT_NE(0, dbsync_select_rows(handle, jsSelectDataWithoutTable.get(), callbackData));
+    EXPECT_NE(0, dbsync_select_rows(nullptr, jsSelectData.get(), callbackData));
+    EXPECT_NE(0, dbsync_select_rows(handle, nullptr, callbackData));
+    EXPECT_NE(0, dbsync_select_rows(handle, jsSelectData.get(), callbackEmpty));
+}
+
+TEST_F(DBSyncTest, deleteSingleAndComposedData)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"System", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"System", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"System", "tid":104})"))).Times(1);
+
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"System", "tid":101},
+                                                            {"pid":6,"name":"System", "tid":102},
+                                                            {"pid":7,"name":"System", "tid":103},
+                                                            {"pid":8,"name":"System", "tid":104}]})"};
+
+    const auto singleRowToDelete
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":4,"name":"System", "tid":101}],
+           "where_filter_opt":""}})"
+    };
+
+    const auto composedRowsToDelete
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":5,"name":"Systemmm", "tid":101},
+                            {"pid":7,"name":"Systemmm", "tid":103},
+                            {"pid":8,"name":"Systemmm", "tid":104}],
+                    "where_filter_opt":""}})"
+    };
+
+    const auto unexistentRowToDelete
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":9,"name":"Systemmm", "tid":101}],
+           "where_filter_opt":""}})"
+    };
+
+    const auto dataWithoutTable
+    {
+        R"({"query":{"data":[{"pid":9,"name":"Systemmm", "tid":101}],
+           "where_filter_opt":""})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSingleDeletion{ cJSON_Parse(singleRowToDelete) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsComposedDeletion{ cJSON_Parse(composedRowsToDelete) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsUnexistentDeletion{ cJSON_Parse(unexistentRowToDelete) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsWithoutTable{ cJSON_Parse(dataWithoutTable) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsSingleDeletion.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsComposedDeletion.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsUnexistentDeletion.get()));
+    // Failure cases
+    EXPECT_NE(0, dbsync_delete_rows(nullptr, jsSingleDeletion.get()));
+    EXPECT_NE(0, dbsync_delete_rows(handle, nullptr));
+    EXPECT_NE(0, dbsync_delete_rows(handle, jsWithoutTable.get()));
+    EXPECT_NE(0, dbsync_delete_rows(reinterpret_cast<void*>(0xffffffff), jsSingleDeletion.get()));
+}
+
+TEST_F(DBSyncTest, deleteSingleDataByCompoundPK)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`, `tid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"System", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"System", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"System", "tid":104})"))).Times(1);
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"System", "tid":101},
+                                                            {"pid":6,"name":"System", "tid":102},
+                                                            {"pid":7,"name":"System", "tid":103},
+                                                            {"pid":8,"name":"System", "tid":104}]})"};
+
+    const auto singleRowToDelete
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":4, "tid":100}],
+           "where_filter_opt":""}})"
+    };
+
+    const auto singleRowWithoutCompleteCompoundPK
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"tid":101}],
+                    "where_filter_opt":""}})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsSingleDeletion{ cJSON_Parse(singleRowToDelete) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsMissingPKPID{ cJSON_Parse(singleRowWithoutCompleteCompoundPK) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsSingleDeletion.get()));
+    EXPECT_NE(0, dbsync_delete_rows(handle, jsMissingPKPID.get()));
+}
+
+TEST_F(DBSyncTest, deleteRowsByFilter)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"User1", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"User2", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"User3", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"User4", "tid":104})"))).Times(1);
+
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"User1", "tid":101},
+                                                            {"pid":6,"name":"User2", "tid":102},
+                                                            {"pid":7,"name":"User3", "tid":103},
+                                                            {"pid":8,"name":"User4", "tid":104}]})"};
+
+    const auto rowDeleteByPIDFilter
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":"pid=5"}})"
+    };
+
+    const auto rowDeleteByTIDFilter
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":"tid>=103"}})"
+    };
+
+    const auto rowDeleteByNameFilter
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":"name LIKE '%User2%'"}})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsrowDeleteByPIDFilter{ cJSON_Parse(rowDeleteByPIDFilter) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsrowDeleteByTIDFilter{ cJSON_Parse(rowDeleteByTIDFilter) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsrowDeleteByNameFilter{ cJSON_Parse(rowDeleteByNameFilter) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsrowDeleteByPIDFilter.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsrowDeleteByTIDFilter.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsrowDeleteByNameFilter.get()));
+}
+
+TEST_F(DBSyncTest, deleteRowsWithDataMorePriorityThanFilter)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"User1", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"User2", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"User3", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"User4", "tid":104})"))).Times(1);
+
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"User1", "tid":101},
+                                                            {"pid":6,"name":"User2", "tid":102},
+                                                            {"pid":7,"name":"User3", "tid":103},
+                                                            {"pid":8,"name":"User4", "tid":104}]})"};
+
+    const auto rowDeletePID4
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":4,"name":"System", "tid":100}],
+           "where_filter_opt":""}})"
+    };
+
+    const auto rowDeletePID6
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":6,"name":"User2", "tid":102}],
+           "where_filter_opt":"tid>=103"}})"
+    };
+
+    const auto rowDeletePID8
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":8,"name":"User4", "tid":104}],
+           "where_filter_opt":"name LIKE '%User2%'"}})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowDeletePID4{ cJSON_Parse(rowDeletePID4) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowDeletePID6{ cJSON_Parse(rowDeletePID6) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowDeletePID8{ cJSON_Parse(rowDeletePID8) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsRowDeletePID4.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsRowDeletePID6.get()));
+    EXPECT_EQ(0, dbsync_delete_rows(handle, jsRowDeletePID8.get()));
+}
+
+TEST_F(DBSyncTest, deleteRowsWithNoDataAndFilterShouldFail)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"User1", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"User2", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"User3", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"User4", "tid":104})"))).Times(1);
+
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"User1", "tid":101},
+                                                            {"pid":6,"name":"User2", "tid":102},
+                                                            {"pid":7,"name":"User3", "tid":103},
+                                                            {"pid":8,"name":"User4", "tid":104}]})"};
+
+    const auto rowEmpty
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":""}})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowEmpty{ cJSON_Parse(rowEmpty) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+    EXPECT_NE(0, dbsync_delete_rows(handle, jsRowEmpty.get()));
+}
+
+TEST_F(DBSyncTest, deleteRowsWithWhereInFilterShouldFail)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ASSERT_NE(nullptr, handle);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System", "tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":5,"name":"User1", "tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"User2", "tid":102})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":7,"name":"User3", "tid":103})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"pid":8,"name":"User4", "tid":104})"))).Times(1);
+
+    const auto initialData{ R"({"table":"processes","data":[{"pid":4,"name":"System", "tid":100},
+                                                            {"pid":5,"name":"User1", "tid":101},
+                                                            {"pid":6,"name":"User2", "tid":102},
+                                                            {"pid":7,"name":"User3", "tid":103},
+                                                            {"pid":8,"name":"User4", "tid":104}]})"};
+
+    const auto rowWithWhere
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":"WHERE name LIKE '%User2%'"}})"
+    };
+
+    const auto rowWithSpace
+    {
+        R"({"table":"processes",
+           "query":{"data":[],
+           "where_filter_opt":" "}})"
+    };
+
+    callback_data_t callbackData { callback, &wrapper };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInitialData{ cJSON_Parse(initialData) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowWithWhere{ cJSON_Parse(rowWithWhere) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsRowWithSpace{ cJSON_Parse(rowWithSpace) };
+
+    EXPECT_EQ(0, dbsync_sync_row(handle, jsInitialData.get(), callbackData));  // Expect an insert event
+    EXPECT_NE(0, dbsync_delete_rows(handle, jsRowWithWhere.get())); // WHERE in 'where_filter_opt' should fail
+    EXPECT_NE(0, dbsync_delete_rows(handle, jsRowWithSpace.get())); // space in 'where_filter_opt' should fail
+}
+
+TEST_F(DBSyncTest, selectCountCPP)
+{
+    CallbackMock wrapper;
+    std::unique_ptr<DBSync> dbSync;
+
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["count(*) AS count"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"",
+           "count_opt":100}})"
+    };
+
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System1", "tid":100},
+                                                                 {"pid":115,"name":"System2", "tid":101},
+                                                                 {"pid":120,"name":"System3", "tid":101},
+                                                                 {"pid":125,"name":"System3", "tid":102},
+                                                                 {"pid":300,"name":"System5", "tid":102}]})"}; // Insert
+
+    const auto rowDeletePID4
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":4}],
+           "where_filter_opt":""}})"
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"count":5})"))).Times(1);
+
+    ResultCallbackData selectCallbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt)));
+    EXPECT_NO_THROW(dbSync->selectRows(nlohmann::json::parse(selectData), selectCallbackData));
+    EXPECT_NO_THROW(dbSync->deleteRows(nlohmann::json::parse(rowDeletePID4)));
+}
+
+TEST_F(DBSyncTest, TryToInsertMoreThanMaxRowsCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt{ R"({"table":"processes","data":[{"pid":4,"name":"System"}, {"pid":3,"name":"cmd"}]})"};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    EXPECT_NO_THROW(dbSync->setTableMaxRow("processes", 1));
+    EXPECT_ANY_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt)));
+
+    EXPECT_NO_THROW(dbSync->setTableMaxRow("processes", 0));
+    EXPECT_ANY_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt)));
+
+    const auto rowDeletePID4
+    {
+        R"({"table":"processes",
+           "query":{"data":[{"pid":4}],
+           "where_filter_opt":""}})"
+    };
+
+    EXPECT_NO_THROW(dbSync->deleteRows(nlohmann::json::parse(rowDeletePID4)));
+    EXPECT_NO_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt)));
+}
+
+TEST_F(DBSyncTest, createTxnCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"name":"System","pid":4})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    const auto insertionSqlStmt1{ R"(
+        {
+            "table":"processes",
+            "data":
+                [
+                    {"pid":4,"name":"System"}
+                ]
+        })"}; // Insert
+
+    EXPECT_NO_THROW(dbSync->syncRow(nlohmann::json::parse(insertionSqlStmt1), callbackData));  // Expect an insert event
+
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 100, callbackData));
+
+    const auto insertionSqlStmt2{ R"({"table":"processes","data":[{"pid":7,"name":"Guake"}]})" }; // Insert
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(nlohmann::json::parse(insertionSqlStmt2)));
+
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+}
+
+
+TEST_F(DBSyncTest, createTxnCPP1)
+{
+    constexpr auto sql
+    {
+        R"(CREATE TABLE processes (
+        pid BIGINT,
+        name TEXT,
+        state TEXT,
+        ppid BIGINT,
+        utime BIGINT,
+        stime BIGINT,
+        cmd TEXT,
+        argvs TEXT,
+        euser TEXT,
+        ruser TEXT,
+        suser TEXT,
+        egroup TEXT,
+        rgroup TEXT,
+        sgroup TEXT,
+        fgroup TEXT,
+        priority BIGINT,
+        nice BIGINT,
+        size BIGINT,
+        vm_size BIGINT,
+        resident BIGINT,
+        share BIGINT,
+        start_time BIGINT,
+        pgrp BIGINT,
+        session BIGINT,
+        nlwp BIGINT,
+        tgid BIGINT,
+        tty BIGINT,
+        processor BIGINT,
+        PRIMARY KEY (pid)) WITHOUT ROWID;)"
+    };
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+    const auto& data1{nlohmann::json::parse(input1)};
+    const auto& data2{nlohmann::json::parse(input2)};
+    const auto& diffData{nlohmann::json::parse(diffResult)};
+    nlohmann::json insertionSqlStmt1;
+    insertionSqlStmt1["table"] = "processes";
+    insertionSqlStmt1["data"] = data1;
+    nlohmann::json insertionSqlStmt2;
+    insertionSqlStmt2["table"] = "processes";
+    insertionSqlStmt2["data"] = data2;
+
+    CallbackMock wrapper;
+
+    for (const auto& entry : data1)
+    {
+        EXPECT_CALL(wrapper, callbackMock(INSERTED, entry)).Times(1);
+    }
+
+    for (const auto& entry : diffData)
+    {
+        EXPECT_CALL(wrapper, callbackMock(MODIFIED, entry)).Times(1);
+    }
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+    EXPECT_NO_THROW(dbSync->syncRow(insertionSqlStmt1, callbackData));  // Expect an insert event
+
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 4096, callbackData));
+
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(insertionSqlStmt2));
+
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+}
+
+
+TEST_F(DBSyncTest, createTxnCPP2)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `time` BIGINT, PRIMARY KEY (`pid`, `time`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4, "time":100100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7,"time":100101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"name":"System","pid":4,"time":100100})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    auto syncSqlStmt1 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "time":100100})"))
+                        .query();
+    auto syncSqlStmt2 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":7,"name":"Guake","time":100101})"))
+                        .query();
+
+    EXPECT_NO_THROW(dbSync->syncRow(syncSqlStmt1, callbackData));
+
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 100, callbackData));
+
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(syncSqlStmt2));
+
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+}
+
+TEST_F(DBSyncTest, createTxnCPP3)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `time` BIGINT, PRIMARY KEY (`pid`, `time`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4, "time":100100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7,"time":100101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"pid":4,"time":100100,"name":"System"})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    auto syncSqlStmt1 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":4,"name":"System", "time":100100})"))
+                        .query();
+    auto syncSqlStmt2 = SyncRowQuery::builder().table("processes")
+                        .data(nlohmann::json::parse(R"({"pid":7,"name":"Guake","time":100101})"))
+                        .query();
+
+    EXPECT_NO_THROW(dbSync->syncRow(syncSqlStmt1, callbackData));
+
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 100, callbackData));
+
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(syncSqlStmt2));
+
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+}
+
+TEST_F(DBSyncTest, teardownCPP)
+{
+    std::unique_ptr<DBSync> dbSync;
+    const auto sql { R"(CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;CREATE TABLE processes_sockets(`socket_id` BIGINT, `pid` BIGINT, PRIMARY KEY (`socket_id`)) WITHOUT ROWID;)"};
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+    ASSERT_NO_THROW(dbSync->teardown());
+}
+
+TEST_F(DBSyncTest, dbsyncAddTableRelationshipCPP)
+{
+    const auto sql { R"(CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;CREATE TABLE processes_sockets(`socket_id` BIGINT, `pid` BIGINT, PRIMARY KEY (`socket_id`)) WITHOUT ROWID;)"};
+    std::unique_ptr<DBSync> dbSync;
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    const auto insertDataProcess{ R"(
+        {
+            "table": "processes",
+            "data":[
+                {
+                    "pid":4,
+                    "name":"System",
+                    "path":"",
+                    "cmdline":"",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                 }
+            ]
+        }
+    )"};
+
+    EXPECT_NO_THROW(dbSync->insertData(nlohmann::json::parse(insertDataProcess)));
+
+    const auto insertDataSocket{ R"(
+        {
+        "table": "processes_sockets",
+            "data":[
+                {
+                    "pid":4,
+                    "socket_id":1
+                }
+            ]
+        }
+    )"};
+
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInsertSocket{ cJSON_Parse(insertDataSocket) };
+    EXPECT_NO_THROW(dbSync->insertData(nlohmann::json::parse(insertDataSocket)));
+
+    const auto relationshipJson { R"(
+        {
+            "base_table":"processes",
+            "relationed_tables":
+            [
+                {
+                    "table": "processes_sockets",
+                    "field_match":
+                    {
+                        "pid": "pid"
+                    }
+                }
+            ]
+        })"};
+
+    EXPECT_NO_THROW(dbSync->addTableRelationship(nlohmann::json::parse(relationshipJson)));
+
+    const auto deleteProcess{ R"(
+        {
+            "table": "processes",
+            "query": {
+                "data":[
+                {
+                    "pid":4
+                }],
+                "where_filter_opt":""
+            }
+        })"};
+
+    EXPECT_NO_THROW(dbSync->deleteRows(nlohmann::json::parse(deleteProcess)));
+
+    const auto insertionSqlStmt1{ R"(
+        {
+            "table":"processes",
+            "data":
+                [
+                    {"pid":4,"name":"System", "tid":100},
+                    {"pid":5,"name":"System", "tid":101},
+                    {"pid":6,"name":"System", "tid":102}
+                ]
+        })"}; // Insert
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4,"tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":5,"tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":6,"tid":102})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->syncRow(nlohmann::json::parse(insertionSqlStmt1), callbackData));  // Expect an insert event
+}
+
+TEST_F(DBSyncTest, UpdateDataCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt1{ R"({"table":"processes","data":[{"pid":4,"name":"System"}]})"};
+    const auto insertionSqlStmt2{ R"({"table":"processes","data":[{"pid":5,"name":"Test"}]})"};
+
+    std::unique_ptr<DBSync> dbSync;
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    nlohmann::json jsResponse;
+
+    EXPECT_NO_THROW(dbSync->updateWithSnapshot(nlohmann::json::parse(insertionSqlStmt1), jsResponse));
+    EXPECT_NE(nullptr, jsResponse);
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Test","pid":5})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"pid":4})"))).Times(1);
+
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->updateWithSnapshot(nlohmann::json::parse(insertionSqlStmt2), callbackData));
+}
+
+TEST_F(DBSyncTest, constructorWithHandle)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    std::unique_ptr<DBSync> dbSync;
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    std::unique_ptr<DBSync> dbSyncHandled;
+    EXPECT_NO_THROW(dbSyncHandled = std::make_unique<DBSync>(dbSync->handle()));
+
+    EXPECT_EQ(dbSync->handle(), dbSyncHandled->handle());
+
+}
+
+TEST_F(DBSyncTest, txnDestructorOwnsHandle)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    ResultCallbackData callback { [](ReturnTypeCallback, const nlohmann::json&) {}};
+    TXN_HANDLE txHandle = nullptr;
+    {
+        // Use the overload that creates TXN_HANDLE from within and as such, has ownership of it.
+        DBSyncTxn tx(handle, nlohmann::json::parse(tables), 1, 100, callback);
+        tx = tx.handle();
+    }
+    EXPECT_NE(dbsync_close_txn(txHandle), 0);
+}
+
+TEST_F(DBSyncTest, txnDestructorDoesNotOwnHandle)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    auto handle { dbsync_create(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql) };
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables { cJSON_Parse(tables) };
+    callback_data_t callbackData { callback, dummyCtx.get() };
+    TXN_HANDLE txHandle = dbsync_create_txn(handle, jsonTables.get(), 1, 100, callbackData);
+    {
+        // Use the overload that only takes a TXN_HANDLE and sets up the destructor to NOT release the handle.
+        DBSyncTxn tx(txHandle);
+        tx = tx.handle();
+    }
+    EXPECT_EQ(dbsync_close_txn(txHandle), 0);
+
+}
+
+
+TEST_F(DBSyncTest, teardown)
+{
+    EXPECT_NO_THROW(DBSync::teardown());
+}
+
+TEST(QueryBuilder, selectInsertDeleteQuery)
+{
+    CallbackMock wrapper;
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+
+    std::unique_ptr<DBSync> dbSync;
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_MEMORY, sql));
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table("processes")
+        .columnList({"pid", "name"})
+        .rowFilter("WHERE pid = 4")
+        .orderByOpt("pid")
+        .distinctOpt(false)
+        .countOpt(1)
+        .build()
+    };
+
+    auto insertQuery
+    {
+        InsertQuery::builder()
+        .table("processes")
+        .data({{"pid", 4}, {"name", "System1"}, {"tid", 100}})
+        .data({{"pid", 5}, {"name", "System2"}})
+        .data({{"pid", 6}, {"tid", 103}})
+        .build()
+    };
+
+    auto deleteQuery
+    {
+        DeleteQuery::builder()
+        .table("processes")
+        .data({{"pid", 6}})
+        .rowFilter("")
+        .build()
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System1","pid":4})"))).Times(4);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"System2","pid":5})"))).Times(1);
+
+    ResultCallbackData selectCallbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->insertData(insertQuery.query()));
+    EXPECT_NO_THROW(dbSync->deleteRows(deleteQuery.query()));
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+    selectQuery.rowFilter("");
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+    deleteQuery.reset();
+    deleteQuery.rowFilter("pid=5");
+    EXPECT_NO_THROW(dbSync->deleteRows(deleteQuery.query()));
+    selectQuery.countOpt(2);
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+    insertQuery.reset();
+    insertQuery.data({{"pid", 5}, {"name", "System2"}});
+    EXPECT_NO_THROW(dbSync->insertData(insertQuery.query()));
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+}
+
+TEST_F(DBSyncTest, TryInvalidValuesOnSetMaxRowsCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    EXPECT_ANY_THROW(dbSync->setTableMaxRow("processes", -100));
+}
+
+TEST_F(DBSyncTest, TryToInsertMoreRowsWithFilledTableCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto insertionSqlStmt1{ R"({"table":"processes","data":[{"pid":4,"name":"System"}, {"pid":3,"name":"cmd"}]})"};
+    const auto insertionSqlStmt2{ R"({"table":"processes","data":[{"pid":5,"name":"htop"}, {"pid":6,"name":"top"}]})"};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    EXPECT_NO_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt1)));
+
+    EXPECT_NO_THROW(dbSync->setTableMaxRow("processes", 2));
+    EXPECT_ANY_THROW(dbSync->insertData(nlohmann::json::parse(insertionSqlStmt2)));
+}
+
+TEST_F(DBSyncTest, createTxnWithMaxRowsCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    const std::unique_ptr<DummyContext> dummyCtx { std::make_unique<DummyContext>()};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(MAX_ROWS, nlohmann::json::parse(R"({"data":[{"name":"Guake","pid":7},{"name":"Guake2","pid":8}],"table":"processes"})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(DELETED, nlohmann::json::parse(R"({"name":"System","pid":4})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    const auto insertionSqlStmt1{ R"(
+        {
+            "table":"processes",
+            "data":
+                [
+                    {"pid":4,"name":"System"}
+                ]
+        })"}; // Insert
+
+    EXPECT_NO_THROW(dbSync->syncRow(nlohmann::json::parse(insertionSqlStmt1), callbackData));  // Expect an insert event
+
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 100, callbackData));
+
+    const auto syncTxnData { R"(
+        {
+            "table":"processes",
+            "data":
+                [
+                    {"pid":7,"name":"Guake"},
+                    {"pid":8,"name":"Guake2"}
+                ]
+        })" }; // Insert
+
+
+    EXPECT_NO_THROW(dbSync->setTableMaxRow("processes", 2));
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(nlohmann::json::parse(syncTxnData)));
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+}
+
+TEST_F(DBSyncTest, createTxnAtomicOperation)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `time` BIGINT, PRIMARY KEY (`pid`, `time`)) WITHOUT ROWID;"};
+    const auto tables { R"({"table": "processes"})" };
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"System","pid":4, "time":100100})"))).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(INSERTED, nlohmann::json::parse(R"({"name":"Guake","pid":7,"time":100101})"))).Times(1);
+
+    ResultCallbackData callbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    const auto insertionSqlStmt1{ R"({"table":"processes","data":[{"pid":4,"name":"System", "time":100100}]})"}; // Insert
+    std::unique_ptr<DBSyncTxn> dbSyncTxn;
+    EXPECT_NO_THROW(dbSyncTxn = std::make_unique<DBSyncTxn>(dbSync->handle(), nlohmann::json::parse(tables), 0, 100, callbackData));
+    EXPECT_NO_THROW(dbSyncTxn->syncTxnRow(nlohmann::json::parse(insertionSqlStmt1)));
+
+    const auto insertionSqlStmt2{ R"({"table":"processes","data":[{"pid":7,"name":"Guake","time":100101}]})" }; // Insert
+    EXPECT_NO_THROW(dbSync->syncRow(nlohmann::json::parse(insertionSqlStmt2), callbackData));  // Expect an insert event
+
+    EXPECT_NO_THROW(dbSyncTxn->getDeletedRows(callbackData));
+
+    dbSyncTxn.reset();
+
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"count":2})"))).Times(1);
+
+    const auto selectData
+    {
+        R"({"table":"processes",
+           "query":{"column_list":["count(*) AS count"],
+           "row_filter":"",
+           "distinct_opt":false,
+           "order_by_opt":"",
+           "count_opt":100}})"
+    };
+
+    EXPECT_NO_THROW(dbSync->selectRows(nlohmann::json::parse(selectData), callbackData));
+}
+
+TEST_F(DBSyncTest, InitializationCPP)
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `time` BIGINT, PRIMARY KEY (`pid`, `time`)) WITHOUT ROWID;"};
+    std::unique_ptr<DBSync> dbSync;
+
+    EXPECT_NO_THROW(dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql));
+
+    // On windows, no change in permissions is expected
+#ifndef _WIN32
+    struct stat stStat {};
+    ASSERT_EQ(0, stat(DATABASE_TEMP, &stStat));
+    ASSERT_NE(0, S_ISREG(stStat.st_mode));
+    EXPECT_EQ(DATABASE_PERMISSIONS, stStat.st_mode & 0777);
+#endif
+}
+
+TEST_F(DBSyncTest, TestVolatileMode)
+{
+    const auto sql{"CREATE TABLE simple_test(`name` TEXT, `value` BIGINT, PRIMARY KEY (`name`));"};
+    std::vector<std::string> updates;
+
+    auto dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::VOLATILE, updates);
+    dbSync->insertData(nlohmann::json::parse(R"({"table":"simple_test","data":[{"name":"test1","value":1}]})"));
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table("simple_test")
+        .columnList({"name", "value"})
+        .rowFilter("WHERE name = 'test1'")
+        .orderByOpt("name")
+        .distinctOpt(false)
+        .countOpt(1)
+        .build()
+    };
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"test1","value":1})"))).Times(1);
+
+    ResultCallbackData selectCallbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+
+    // We expect no data after re-initializing the DB in VOLATILE mode
+    dbSync.reset();
+    dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::VOLATILE, updates);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse("{}"))).Times(0);
+
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+}
+
+TEST_F(DBSyncTest, TestPersistentMode)
+{
+    const auto sql{"CREATE TABLE simple_test(`name` TEXT, `value` BIGINT, PRIMARY KEY (`name`));"};
+    std::vector<std::string> updates;
+
+    auto dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::PERSISTENT, updates);
+    dbSync->insertData(nlohmann::json::parse(R"({"table":"simple_test","data":[{"name":"test1","value":1}]})"));
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table("simple_test")
+        .columnList({"name", "value"})
+        .rowFilter("WHERE name = 'test1'")
+        .orderByOpt("name")
+        .distinctOpt(false)
+        .countOpt(1)
+        .build()
+    };
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"test1","value":1})"))).Times(1);
+
+    ResultCallbackData selectCallbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+
+    // We expect the same data after re-initializing the DB in PERSISTENT mode
+    dbSync.reset();
+    dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::PERSISTENT, updates);
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"test1","value":1})"))).Times(1);
+
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+}
+
+TEST_F(DBSyncTest, TestUpgrade)
+{
+    const auto sql{"CREATE TABLE simple_test(`name` TEXT, `value` BIGINT, PRIMARY KEY (`name`));"};
+    std::vector<std::string> updates;
+
+    auto dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::PERSISTENT, updates);
+
+    // After the re-initialization, we expect the upgrades to run
+    const auto update1{"ALTER TABLE simple_test ADD COLUMN `new_column` TEXT;"};
+    updates.push_back(update1);
+
+    dbSync.reset();
+    dbSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::PERSISTENT, updates);
+
+    dbSync->insertData(nlohmann::json::parse(R"({"table":"simple_test","data":[{"name":"test1","value":1,"new_column":"new_value"}]})"));
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table("simple_test")
+        .columnList({"name", "value", "new_column"})
+        .rowFilter("WHERE name = 'test1'")
+        .orderByOpt("name")
+        .distinctOpt(false)
+        .countOpt(1)
+        .build()
+    };
+
+    CallbackMock wrapper;
+    EXPECT_CALL(wrapper, callbackMock(SELECTED, nlohmann::json::parse(R"({"name":"test1","value":1,"new_column":"new_value"})"))).Times(1);
+
+    ResultCallbackData selectCallbackData
+    {
+        [&wrapper](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            wrapper.callbackMock(type, jsonResult);
+        }
+    };
+
+    EXPECT_NO_THROW(dbSync->selectRows(selectQuery.query(), selectCallbackData));
+}
diff --git a/src/common/dbsync/tests/interface/dbsync_test.h b/src/common/dbsync/tests/interface/dbsync_test.h
new file mode 100644
index 0000000000..92e4146069
--- /dev/null
+++ b/src/common/dbsync/tests/interface/dbsync_test.h
@@ -0,0 +1,36 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBYSNC_TEST_H
+#define _DBYSNC_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+#include "commonDefs.h"
+
+class DBSyncTest : public ::testing::Test
+{
+    protected:
+
+        DBSyncTest() = default;
+        virtual ~DBSyncTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+struct DummyContext
+{
+    DBSYNC_HANDLE handle;
+    TXN_HANDLE    txnContext;
+};
+
+#endif // _DBYSNC_TEST_H
diff --git a/src/common/dbsync/tests/interface/main.cpp b/src/common/dbsync/tests/interface/main.cpp
new file mode 100644
index 0000000000..d6fc27ef1c
--- /dev/null
+++ b/src/common/dbsync/tests/interface/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/dbsync/tests/interface/test_inputs.h b/src/common/dbsync/tests/interface/test_inputs.h
new file mode 100644
index 0000000000..f8d46c5d3b
--- /dev/null
+++ b/src/common/dbsync/tests/interface/test_inputs.h
@@ -0,0 +1,18191 @@
+#ifndef TEST_INPUTS_H
+#define TEST_INPUTS_H
+
+constexpr auto input1
+{
+    R"(
+[
+	{
+		"argvs": "auto noprompt",
+		"cmd": "/sbin/init",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1,
+		"pid": 1,
+		"ppid": 0,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2428,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1,
+		"sgroup": "root",
+		"share": 1424,
+		"size": 42756,
+		"start_time": 39,
+		"state": "S",
+		"stime": 558,
+		"suser": "root",
+		"tgid": 1,
+		"tty": 0,
+		"utime": 786,
+		"vm_size": 171024
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kthreadd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 2,
+		"ppid": 0,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 7,
+		"suser": "root",
+		"tgid": 2,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_gp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 3,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 3,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_par_gp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 4,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 4,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:0H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 6,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 6,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mm_percpu_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 9,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 9,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksoftirqd/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 10,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 688,
+		"suser": "root",
+		"tgid": 10,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_sched",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 11,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 5935,
+		"suser": "root",
+		"tgid": 11,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "migration/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 12,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 166,
+		"suser": "root",
+		"tgid": 12,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "idle_inject/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 13,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 13,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cpuhp/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 14,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 14,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cpuhp/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 15,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 15,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "idle_inject/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 16,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 16,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "migration/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 17,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 166,
+		"suser": "root",
+		"tgid": 17,
+		"tty": 0,
+		"utime": 41,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksoftirqd/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 18,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 645,
+		"suser": "root",
+		"tgid": 18,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:0H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 20,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 20,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kdevtmpfs",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 21,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "S",
+		"stime": 14,
+		"suser": "root",
+		"tgid": 21,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "netns",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 22,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 22,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_tasks_kthre",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 23,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 23,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kauditd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 24,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 24,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "khungtaskd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 27,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 27,
+		"tty": 0,
+		"utime": 33,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "oom_reaper",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 28,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 28,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "writeback",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 29,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 29,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kcompactd0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 30,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 5,
+		"suser": "root",
+		"tgid": 30,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksmd",
+		"nice": 5,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 31,
+		"ppid": 2,
+		"priority": 25,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 31,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "khugepaged",
+		"nice": 19,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 32,
+		"ppid": 2,
+		"priority": 39,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 32,
+		"tty": 0,
+		"utime": 8,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kintegrityd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 78,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 78,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kblockd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 79,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 79,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "blkcg_punt_bio",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 80,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 80,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "tpm_dev_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 82,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 82,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ata_sff",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 83,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 83,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "md",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 84,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 84,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "edac-poller",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 85,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 85,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "devfreq_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 86,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 86,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "watchdogd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 87,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 108,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 87,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kswapd0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 90,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 172,
+		"state": "S",
+		"stime": 1484,
+		"suser": "root",
+		"tgid": 90,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ecryptfs-kthrea",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 91,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 172,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 91,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kthrotld",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 93,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 93,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/24-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 94,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 94,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/25-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 95,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 95,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/26-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 96,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 96,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/27-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 97,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 97,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/28-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 98,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 98,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/29-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 99,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 99,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/30-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 100,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 100,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/31-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 101,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 101,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/32-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 102,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 102,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/33-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 103,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 103,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/34-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 104,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 104,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/35-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 105,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 105,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/36-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 106,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 106,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/37-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 107,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 107,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/38-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 108,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 108,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/39-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 109,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 109,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/40-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 110,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 110,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/41-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 111,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 111,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/42-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 112,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 112,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/43-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 113,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 113,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/44-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 114,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 114,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/45-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 115,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 115,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/46-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 116,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 116,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/47-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 117,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 117,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/48-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 118,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 118,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/49-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 119,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 119,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/50-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 120,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 120,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/51-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 121,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 121,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/52-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 122,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 122,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/53-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 123,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 123,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/54-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 124,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 124,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/55-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 125,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 176,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 125,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "acpi_thermal_pm",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 126,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 176,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 126,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 127,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 127,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 128,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 128,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 129,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 129,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_1",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 130,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 130,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vfio-irqfd-clea",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 132,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 132,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ipv6_addrconf",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 133,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 183,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 133,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kstrp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 143,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 184,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 143,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u257:0-",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 146,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 184,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 146,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "charger_manager",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 159,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 185,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 159,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mpt_poll_0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 203,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 226,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 203,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mpt/0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 204,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 226,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 204,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_2",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 205,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 205,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_2",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 206,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 206,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_3",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 207,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 207,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_3",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 208,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 208,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_4",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 209,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 209,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_4",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 210,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 210,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_5",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 211,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 211,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_5",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 213,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 213,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_6",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 214,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 214,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_6",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 215,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 215,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_7",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 216,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 216,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_7",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 217,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 217,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_8",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 218,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 229,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 218,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_8",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 219,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 229,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 219,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_9",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 221,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 230,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 221,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_9",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 222,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 230,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 222,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_10",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 223,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 231,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 223,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_10",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 224,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 231,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 224,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_11",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 225,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 232,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 225,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_11",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 226,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 232,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 226,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_12",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 227,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 227,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_12",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 228,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 228,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_13",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 229,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 229,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_13",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 230,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 230,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_14",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 231,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 231,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_14",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 232,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 232,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_15",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 233,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 233,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_15",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 234,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 234,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_16",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 235,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 235,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_16",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 236,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 236,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_17",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 237,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 237,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_17",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 238,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 238,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_18",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 239,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 239,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_18",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 240,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 240,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_19",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 241,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 241,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_19",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 242,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 242,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_20",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 243,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 243,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_20",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 244,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 244,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_21",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 245,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 245,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_21",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 246,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 246,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_22",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 247,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 247,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_22",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 248,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 248,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_23",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 249,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 249,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_23",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 250,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 250,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_24",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 251,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 251,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_24",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 252,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 252,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_25",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 253,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 253,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_25",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 254,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 254,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_26",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 255,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 255,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_26",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 256,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 256,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_27",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 257,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 257,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_27",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 258,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 258,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_28",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 259,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 259,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_28",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 260,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 260,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_29",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 261,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 261,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_29",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 262,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 262,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_30",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 263,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 263,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_30",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 264,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 264,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_31",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 265,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 265,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_31",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 266,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 266,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_32",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 294,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 262,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 294,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_32",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 295,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 262,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 295,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:1H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 296,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 265,
+		"state": "I",
+		"stime": 717,
+		"suser": "root",
+		"tgid": 296,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:1H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 317,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 331,
+		"state": "I",
+		"stime": 715,
+		"suser": "root",
+		"tgid": 317,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jbd2/sda1-8",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 319,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 350,
+		"state": "S",
+		"stime": 572,
+		"suser": "root",
+		"tgid": 319,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ext4-rsv-conver",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 320,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 350,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 320,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-journald",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-journal",
+		"nice": -1,
+		"nlwp": 1,
+		"pgrp": 361,
+		"pid": 361,
+		"ppid": 1,
+		"priority": 19,
+		"processor": 1,
+		"resident": 3992,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 361,
+		"sgroup": "root",
+		"share": 3699,
+		"size": 15068,
+		"start_time": 444,
+		"state": "S",
+		"stime": 203,
+		"suser": "root",
+		"tgid": 361,
+		"tty": 0,
+		"utime": 101,
+		"vm_size": 60272
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/16-vmwgfx",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 380,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 457,
+		"state": "S",
+		"stime": 2651,
+		"suser": "root",
+		"tgid": 380,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ttm_swap",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 381,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 457,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 381,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 386,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 461,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 386,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop1",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 390,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 463,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 390,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop3",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 394,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 464,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 394,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop4",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 396,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 464,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 396,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-udevd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-udevd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 401,
+		"pid": 401,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1556,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 401,
+		"sgroup": "root",
+		"share": 752,
+		"size": 6049,
+		"start_time": 466,
+		"state": "S",
+		"stime": 360,
+		"suser": "root",
+		"tgid": 401,
+		"tty": 0,
+		"utime": 164,
+		"vm_size": 24196
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop5",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 405,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 468,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 405,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "/run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid",
+		"cmd": "vmware-vmblock-fuse",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmware-vmblock-",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 411,
+		"pid": 411,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 79,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 411,
+		"sgroup": "root",
+		"share": 14,
+		"size": 56132,
+		"start_time": 471,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 411,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 224528
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop6",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 414,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 472,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 414,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop7",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 415,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 472,
+		"state": "S",
+		"stime": 3,
+		"suser": "root",
+		"tgid": 415,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop8",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 417,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 476,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 417,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop9",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 422,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 480,
+		"state": "S",
+		"stime": 7,
+		"suser": "root",
+		"tgid": 422,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop10",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 423,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 484,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 423,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop11",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 444,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 486,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 444,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop12",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 446,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 490,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 446,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop13",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 447,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 493,
+		"state": "S",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 447,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-timesyncd",
+		"egroup": "systemd-timesync",
+		"euser": "systemd-timesync",
+		"fgroup": "systemd-timesync",
+		"name": "systemd-timesyn",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 469,
+		"pid": 469,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 870,
+		"rgroup": "systemd-timesync",
+		"ruser": "systemd-timesync",
+		"session": 469,
+		"sgroup": "systemd-timesync",
+		"share": 673,
+		"size": 22612,
+		"start_time": 501,
+		"state": "S",
+		"stime": 35,
+		"suser": "systemd-timesync",
+		"tgid": 469,
+		"tty": 0,
+		"utime": 22,
+		"vm_size": 90448
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/VGAuthService",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "VGAuthService",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 488,
+		"pid": 488,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1388,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 488,
+		"sgroup": "root",
+		"share": 1175,
+		"size": 12588,
+		"start_time": 516,
+		"state": "S",
+		"stime": 3,
+		"suser": "root",
+		"tgid": 488,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 50352
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/vmtoolsd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmtoolsd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 490,
+		"pid": 490,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1415,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 490,
+		"sgroup": "root",
+		"share": 1197,
+		"size": 60200,
+		"start_time": 516,
+		"state": "S",
+		"stime": 9998,
+		"suser": "root",
+		"tgid": 490,
+		"tty": 0,
+		"utime": 11359,
+		"vm_size": 240800
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/accountsservice/accounts-daemon",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "accounts-daemon",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 514,
+		"pid": 514,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1720,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 514,
+		"sgroup": "root",
+		"share": 1489,
+		"size": 59657,
+		"start_time": 535,
+		"state": "S",
+		"stime": 141,
+		"suser": "root",
+		"tgid": 514,
+		"tty": 0,
+		"utime": 164,
+		"vm_size": 238628
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/acpid",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "acpid",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 515,
+		"pid": 515,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 180,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 515,
+		"sgroup": "root",
+		"share": 162,
+		"size": 635,
+		"start_time": 536,
+		"state": "S",
+		"stime": 280,
+		"suser": "root",
+		"tgid": 515,
+		"tty": 0,
+		"utime": 75,
+		"vm_size": 2540
+	}, {
+		"argvs": "",
+		"cmd": "avahi-daemon: running [ubuntu.local]",
+		"egroup": "avahi",
+		"euser": "avahi",
+		"fgroup": "avahi",
+		"name": "avahi-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 518,
+		"pid": 518,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 800,
+		"rgroup": "avahi",
+		"ruser": "avahi",
+		"session": 518,
+		"sgroup": "avahi",
+		"share": 712,
+		"size": 2189,
+		"start_time": 537,
+		"state": "S",
+		"stime": 142,
+		"suser": "avahi",
+		"tgid": 518,
+		"tty": 0,
+		"utime": 70,
+		"vm_size": 8756
+	}, {
+		"argvs": "-f",
+		"cmd": "/usr/sbin/cron",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cron",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 520,
+		"pid": 520,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 711,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 520,
+		"sgroup": "root",
+		"share": 641,
+		"size": 2409,
+		"start_time": 537,
+		"state": "S",
+		"stime": 28,
+		"suser": "root",
+		"tgid": 520,
+		"tty": 0,
+		"utime": 10,
+		"vm_size": 9636
+	}, {
+		"argvs": "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "messagebus",
+		"euser": "messagebus",
+		"fgroup": "messagebus",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 522,
+		"pid": 522,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1485,
+		"rgroup": "messagebus",
+		"ruser": "messagebus",
+		"session": 522,
+		"sgroup": "messagebus",
+		"share": 864,
+		"size": 2582,
+		"start_time": 538,
+		"state": "S",
+		"stime": 63,
+		"suser": "messagebus",
+		"tgid": 522,
+		"tty": 0,
+		"utime": 235,
+		"vm_size": 10328
+	}, {
+		"argvs": "--no-daemon",
+		"cmd": "/usr/sbin/NetworkManager",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "NetworkManager",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 525,
+		"pid": 525,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2198,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 525,
+		"sgroup": "root",
+		"share": 1901,
+		"size": 65486,
+		"start_time": 539,
+		"state": "S",
+		"stime": 122,
+		"suser": "root",
+		"tgid": 525,
+		"tty": 0,
+		"utime": 237,
+		"vm_size": 261944
+	}, {
+		"argvs": "--foreground",
+		"cmd": "/usr/sbin/irqbalance",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irqbalance",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 531,
+		"pid": 531,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 911,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 531,
+		"sgroup": "root",
+		"share": 832,
+		"size": 20482,
+		"start_time": 541,
+		"state": "S",
+		"stime": 598,
+		"suser": "root",
+		"tgid": 531,
+		"tty": 0,
+		"utime": 212,
+		"vm_size": 81928
+	}, {
+		"argvs": "/usr/bin/networkd-dispatcher --run-startup-triggers",
+		"cmd": "/usr/bin/python3",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "networkd-dispat",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 534,
+		"pid": 534,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2400,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 534,
+		"sgroup": "root",
+		"share": 2080,
+		"size": 9888,
+		"start_time": 542,
+		"state": "S",
+		"stime": 6,
+		"suser": "root",
+		"tgid": 534,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 39552
+	}, {
+		"argvs": "--no-debug",
+		"cmd": "/usr/lib/policykit-1/polkitd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "polkitd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 535,
+		"pid": 535,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2634,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 535,
+		"sgroup": "root",
+		"share": 1708,
+		"size": 60452,
+		"start_time": 543,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 535,
+		"tty": 0,
+		"utime": 51,
+		"vm_size": 241808
+	}, {
+		"argvs": "-n -iNONE",
+		"cmd": "/usr/sbin/rsyslogd",
+		"egroup": "syslog",
+		"euser": "syslog",
+		"fgroup": "syslog",
+		"name": "rsyslogd",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 537,
+		"pid": 537,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 992,
+		"rgroup": "syslog",
+		"ruser": "syslog",
+		"session": 537,
+		"sgroup": "syslog",
+		"share": 752,
+		"size": 56137,
+		"start_time": 543,
+		"state": "S",
+		"stime": 33,
+		"suser": "syslog",
+		"tgid": 537,
+		"tty": 0,
+		"utime": 15,
+		"vm_size": 224548
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/snapd/snapd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "snapd",
+		"nice": 0,
+		"nlwp": 13,
+		"pgrp": 539,
+		"pid": 539,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 4714,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 539,
+		"sgroup": "root",
+		"share": 1678,
+		"size": 234231,
+		"start_time": 544,
+		"state": "S",
+		"stime": 549,
+		"suser": "root",
+		"tgid": 539,
+		"tty": 0,
+		"utime": 1492,
+		"vm_size": 936924
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/switcheroo-control",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "switcheroo-cont",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 540,
+		"pid": 540,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1490,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 540,
+		"sgroup": "root",
+		"share": 1374,
+		"size": 58935,
+		"start_time": 544,
+		"state": "S",
+		"stime": 5,
+		"suser": "root",
+		"tgid": 540,
+		"tty": 0,
+		"utime": 3,
+		"vm_size": 235740
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-logind",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-logind",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 541,
+		"pid": 541,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1154,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 541,
+		"sgroup": "root",
+		"share": 973,
+		"size": 4308,
+		"start_time": 545,
+		"state": "S",
+		"stime": 267,
+		"suser": "root",
+		"tgid": 541,
+		"tty": 0,
+		"utime": 48,
+		"vm_size": 17232
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/udisks2/udisksd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "udisksd",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 543,
+		"pid": 543,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2207,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 543,
+		"sgroup": "root",
+		"share": 1759,
+		"size": 98275,
+		"start_time": 545,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 543,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 393100
+	}, {
+		"argvs": "-u -s -O /run/wpa_supplicant",
+		"cmd": "/sbin/wpa_supplicant",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "wpa_supplicant",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 546,
+		"pid": 546,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 588,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 546,
+		"sgroup": "root",
+		"share": 445,
+		"size": 3420,
+		"start_time": 546,
+		"state": "S",
+		"stime": 67,
+		"suser": "root",
+		"tgid": 546,
+		"tty": 0,
+		"utime": 28,
+		"vm_size": 13680
+	}, {
+		"argvs": "",
+		"cmd": "avahi-daemon: chroot helper",
+		"egroup": "avahi",
+		"euser": "avahi",
+		"fgroup": "avahi",
+		"name": "avahi-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 518,
+		"pid": 557,
+		"ppid": 518,
+		"priority": 20,
+		"processor": 1,
+		"resident": 81,
+		"rgroup": "avahi",
+		"ruser": "avahi",
+		"session": 518,
+		"sgroup": "avahi",
+		"share": 0,
+		"size": 2142,
+		"start_time": 551,
+		"state": "S",
+		"stime": 0,
+		"suser": "avahi",
+		"tgid": 557,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 8568
+	}, {
+		"argvs": "--filter-policy=strict",
+		"cmd": "/usr/sbin/ModemManager",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ModemManager",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 651,
+		"pid": 651,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1760,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 651,
+		"sgroup": "root",
+		"share": 1440,
+		"size": 78435,
+		"start_time": 597,
+		"state": "S",
+		"stime": 4,
+		"suser": "root",
+		"tgid": 651,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 313740
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u257:1-",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 793,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 728,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 793,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "-1 -4 -v -i -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33",
+		"cmd": "/sbin/dhclient",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dhclient",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 831,
+		"pid": 831,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 923,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 831,
+		"sgroup": "root",
+		"share": 630,
+		"size": 24974,
+		"start_time": 744,
+		"state": "S",
+		"stime": 44,
+		"suser": "root",
+		"tgid": 831,
+		"tty": 0,
+		"utime": 11,
+		"vm_size": 99896
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cryptd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 865,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 767,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 865,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/bluetooth/bluetoothd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bluetoothd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1044,
+		"pid": 1044,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 960,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1044,
+		"sgroup": "root",
+		"share": 861,
+		"size": 2090,
+		"start_time": 864,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1044,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 8360
+	}, {
+		"argvs": "/usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",
+		"cmd": "/usr/bin/python3",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "unattended-upgr",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 1243,
+		"pid": 1243,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2885,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1243,
+		"sgroup": "root",
+		"share": 2331,
+		"size": 29519,
+		"start_time": 899,
+		"state": "S",
+		"stime": 4,
+		"suser": "root",
+		"tgid": 1243,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 118076
+	}, {
+		"argvs": "-f",
+		"cmd": "/usr/bin/whoopsie",
+		"egroup": "whoopsie",
+		"euser": "whoopsie",
+		"fgroup": "whoopsie",
+		"name": "whoopsie",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1245,
+		"pid": 1245,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2288,
+		"rgroup": "whoopsie",
+		"ruser": "whoopsie",
+		"session": 1245,
+		"sgroup": "whoopsie",
+		"share": 2043,
+		"size": 81817,
+		"start_time": 900,
+		"state": "S",
+		"stime": 8,
+		"suser": "whoopsie",
+		"tgid": 1245,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 327268
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/containerd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "containerd",
+		"nice": 0,
+		"nlwp": 11,
+		"pgrp": 1246,
+		"pid": 1246,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1987,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1246,
+		"sgroup": "root",
+		"share": 456,
+		"size": 223969,
+		"start_time": 901,
+		"state": "S",
+		"stime": 17678,
+		"suser": "root",
+		"tgid": 1246,
+		"tty": 0,
+		"utime": 13567,
+		"vm_size": 895876
+	}, {
+		"argvs": "--test",
+		"cmd": "/usr/sbin/kerneloops",
+		"egroup": "adm",
+		"euser": "kernoops",
+		"fgroup": "adm",
+		"name": "kerneloops",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1261,
+		"pid": 1261,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 492,
+		"rgroup": "adm",
+		"ruser": "kernoops",
+		"session": 1261,
+		"sgroup": "adm",
+		"share": 456,
+		"size": 2814,
+		"start_time": 903,
+		"state": "S",
+		"stime": 602,
+		"suser": "kernoops",
+		"tgid": 1261,
+		"tty": 0,
+		"utime": 41,
+		"vm_size": 11256
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/kerneloops",
+		"egroup": "adm",
+		"euser": "kernoops",
+		"fgroup": "adm",
+		"name": "kerneloops",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1267,
+		"pid": 1267,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 113,
+		"rgroup": "adm",
+		"ruser": "kernoops",
+		"session": 1267,
+		"sgroup": "adm",
+		"share": 0,
+		"size": 2814,
+		"start_time": 906,
+		"state": "S",
+		"stime": 607,
+		"suser": "kernoops",
+		"tgid": 1267,
+		"tty": 0,
+		"utime": 36,
+		"vm_size": 11256
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/lightdm",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "lightdm",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1269,
+		"pid": 1269,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1492,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1269,
+		"sgroup": "root",
+		"share": 1413,
+		"size": 76532,
+		"start_time": 906,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 1269,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 306128
+	}, {
+		"argvs": "-o -p -- \\u --noclear tty1 linux",
+		"cmd": "/sbin/agetty",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "agetty",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1271,
+		"pid": 1271,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 426,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1271,
+		"sgroup": "root",
+		"share": 391,
+		"size": 2163,
+		"start_time": 907,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1271,
+		"tty": 1025,
+		"utime": 0,
+		"vm_size": 8652
+	}, {
+		"argvs": "-core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch",
+		"cmd": "/usr/lib/xorg/Xorg",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "Xorg",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 1280,
+		"pid": 1280,
+		"ppid": 1269,
+		"priority": 20,
+		"processor": 0,
+		"resident": 28270,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1280,
+		"sgroup": "root",
+		"share": 16127,
+		"size": 184920,
+		"start_time": 916,
+		"state": "S",
+		"stime": 37378,
+		"suser": "root",
+		"tgid": 1280,
+		"tty": 1031,
+		"utime": 229195,
+		"vm_size": 739680
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/rtkit-daemon",
+		"egroup": "rtkit",
+		"euser": "rtkit",
+		"fgroup": "rtkit",
+		"name": "rtkit-daemon",
+		"nice": 1,
+		"nlwp": 3,
+		"pgrp": 1379,
+		"pid": 1379,
+		"ppid": 1,
+		"priority": 21,
+		"processor": 0,
+		"resident": 681,
+		"rgroup": "rtkit",
+		"ruser": "rtkit",
+		"session": 1379,
+		"sgroup": "rtkit",
+		"share": 617,
+		"size": 38289,
+		"start_time": 1069,
+		"state": "S",
+		"stime": 217,
+		"suser": "rtkit",
+		"tgid": 1379,
+		"tty": 0,
+		"utime": 29,
+		"vm_size": 153156
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "krfcommd",
+		"nice": -10,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 1418,
+		"ppid": 2,
+		"priority": 10,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 1111,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1418,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/upower/upowerd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "upowerd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1525,
+		"pid": 1525,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1545,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1525,
+		"sgroup": "root",
+		"share": 1353,
+		"size": 63029,
+		"start_time": 1165,
+		"state": "S",
+		"stime": 6,
+		"suser": "root",
+		"tgid": 1525,
+		"tty": 0,
+		"utime": 9,
+		"vm_size": 252116
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/colord",
+		"egroup": "colord",
+		"euser": "colord",
+		"fgroup": "colord",
+		"name": "colord",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1569,
+		"pid": 1569,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2255,
+		"rgroup": "colord",
+		"ruser": "colord",
+		"session": 1569,
+		"sgroup": "colord",
+		"share": 1753,
+		"size": 61615,
+		"start_time": 1230,
+		"state": "S",
+		"stime": 5,
+		"suser": "colord",
+		"tgid": 1569,
+		"tty": 0,
+		"utime": 8,
+		"vm_size": 246460
+	}, {
+		"argvs": "--session-child 12 19",
+		"cmd": "lightdm",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "lightdm",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1269,
+		"pid": 1573,
+		"ppid": 1269,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1385,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1269,
+		"sgroup": "root",
+		"share": 1385,
+		"size": 40048,
+		"start_time": 1241,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 1573,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 160192
+	}, {
+		"argvs": "",
+		"cmd": "bpfilter_umh",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "none",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 1748,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 112,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 112,
+		"size": 622,
+		"start_time": 1410,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1748,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 2488
+	}, {
+		"argvs": "--user",
+		"cmd": "/lib/systemd/systemd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "systemd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2005,
+		"pid": 2005,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1625,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2005,
+		"sgroup": "fedegc",
+		"share": 1301,
+		"size": 4807,
+		"start_time": 16718,
+		"state": "S",
+		"stime": 24,
+		"suser": "fedegc",
+		"tgid": 2005,
+		"tty": 0,
+		"utime": 22,
+		"vm_size": 19228
+	}, {
+		"argvs": "",
+		"cmd": "(sd-pam) ",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "(sd-pam) ",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2005,
+		"pid": 2007,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 76,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2005,
+		"sgroup": "fedegc",
+		"share": 0,
+		"size": 42310,
+		"start_time": 16719,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2007,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 169240
+	}, {
+		"argvs": "--daemonize=no --log-target=journal",
+		"cmd": "/usr/bin/pulseaudio",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "pulseaudio",
+		"nice": -11,
+		"nlwp": 4,
+		"pgrp": 2015,
+		"pid": 2015,
+		"ppid": 2005,
+		"priority": 9,
+		"processor": 1,
+		"resident": 3144,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2015,
+		"sgroup": "fedegc",
+		"share": 2594,
+		"size": 614213,
+		"start_time": 16727,
+		"state": "S",
+		"stime": 2188,
+		"suser": "fedegc",
+		"tgid": 2015,
+		"tty": 0,
+		"utime": 550,
+		"vm_size": 2456852
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/tracker-miner-fs",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "tracker-miner-f",
+		"nice": 19,
+		"nlwp": 5,
+		"pgrp": 2017,
+		"pid": 2017,
+		"ppid": 2005,
+		"priority": 39,
+		"processor": 0,
+		"resident": 2226,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2017,
+		"sgroup": "fedegc",
+		"share": 1936,
+		"size": 127976,
+		"start_time": 16728,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 2017,
+		"tty": 0,
+		"utime": 14,
+		"vm_size": 511904
+	}, {
+		"argvs": "--daemonize --login",
+		"cmd": "/usr/bin/gnome-keyring-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-keyring-d",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2019,
+		"pid": 2021,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1140,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2019,
+		"sgroup": "fedegc",
+		"share": 1000,
+		"size": 60043,
+		"start_time": 16730,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 2021,
+		"tty": 0,
+		"utime": 29,
+		"vm_size": 240172
+	}, {
+		"argvs": "--session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2023,
+		"pid": 2023,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1106,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 804,
+		"size": 2122,
+		"start_time": 16731,
+		"state": "S",
+		"stime": 59,
+		"suser": "fedegc",
+		"tgid": 2023,
+		"tty": 0,
+		"utime": 123,
+		"vm_size": 8488
+	}, {
+		"argvs": "--systemd --systemd --session=ubuntu",
+		"cmd": "/usr/libexec/gnome-session-binary",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-b",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2031,
+		"pid": 2031,
+		"ppid": 1573,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2085,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2031,
+		"sgroup": "fedegc",
+		"share": 2047,
+		"size": 47102,
+		"start_time": 16733,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2031,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 188408
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfsd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 2044,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1572,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1396,
+		"size": 59955,
+		"start_time": 16734,
+		"state": "S",
+		"stime": 4,
+		"suser": "fedegc",
+		"tgid": 2044,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 239820
+	}, {
+		"argvs": "/run/user/1000/gvfs -f -o big_writes",
+		"cmd": "/usr/libexec/gvfsd-fuse",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-fuse",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2044,
+		"pid": 2055,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1440,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1410,
+		"size": 94584,
+		"start_time": 16737,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2055,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 378336
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-udisks2-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-udisks2-vo",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2070,
+		"pid": 2070,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1961,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2070,
+		"sgroup": "fedegc",
+		"share": 1670,
+		"size": 78585,
+		"start_time": 16743,
+		"state": "S",
+		"stime": 7,
+		"suser": "fedegc",
+		"tgid": 2070,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 314340
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-gphoto2-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-gphoto2-vo",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2078,
+		"pid": 2078,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1499,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2078,
+		"sgroup": "fedegc",
+		"share": 1416,
+		"size": 59492,
+		"start_time": 16748,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2078,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 237968
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-goa-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-goa-volume",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2082,
+		"pid": 2082,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1357,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2082,
+		"sgroup": "fedegc",
+		"share": 1272,
+		"size": 58966,
+		"start_time": 16750,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2082,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235864
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/goa-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "goa-daemon",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2023,
+		"pid": 2088,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2323,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 2247,
+		"size": 135566,
+		"start_time": 16752,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2088,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 542264
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/goa-identity-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "goa-identity-se",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2101,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1450,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1450,
+		"size": 78687,
+		"start_time": 16760,
+		"state": "S",
+		"stime": 369,
+		"suser": "fedegc",
+		"tgid": 2101,
+		"tty": 0,
+		"utime": 161,
+		"vm_size": 314748
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-afc-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-afc-volume",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2121,
+		"pid": 2121,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1479,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2121,
+		"sgroup": "fedegc",
+		"share": 1375,
+		"size": 79180,
+		"start_time": 16763,
+		"state": "S",
+		"stime": 636,
+		"suser": "fedegc",
+		"tgid": 2121,
+		"tty": 0,
+		"utime": 129,
+		"vm_size": 316720
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-mtp-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-mtp-volume",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2133,
+		"pid": 2133,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1416,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2133,
+		"sgroup": "fedegc",
+		"share": 1324,
+		"size": 58923,
+		"start_time": 16765,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2133,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235692
+	}, {
+		"argvs": "/usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu",
+		"cmd": "/usr/bin/ssh-agent",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ssh-agent",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2186,
+		"pid": 2186,
+		"ppid": 2031,
+		"priority": 20,
+		"processor": 1,
+		"resident": 9,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2186,
+		"sgroup": "ssh",
+		"share": 0,
+		"size": 1508,
+		"start_time": 16780,
+		"state": "S",
+		"stime": 55,
+		"suser": "fedegc",
+		"tgid": 2186,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 6032
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/at-spi-bus-launcher",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "at-spi-bus-laun",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2208,
+		"pid": 2208,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1452,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 1425,
+		"size": 76402,
+		"start_time": 16790,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2208,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 305608
+	}, {
+		"argvs": "--config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2208,
+		"pid": 2213,
+		"ppid": 2208,
+		"priority": 20,
+		"processor": 1,
+		"resident": 837,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 778,
+		"size": 1899,
+		"start_time": 16791,
+		"state": "S",
+		"stime": 33,
+		"suser": "fedegc",
+		"tgid": 2213,
+		"tty": 0,
+		"utime": 67,
+		"vm_size": 7596
+	}, {
+		"argvs": "--monitor",
+		"cmd": "/usr/libexec/gnome-session-ctl",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-c",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 2234,
+		"pid": 2234,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 948,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2234,
+		"sgroup": "fedegc",
+		"share": 948,
+		"size": 22514,
+		"start_time": 16809,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2234,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 90056
+	}, {
+		"argvs": "--systemd-service --session=ubuntu",
+		"cmd": "/usr/libexec/gnome-session-binary",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-b",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2243,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2393,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2113,
+		"size": 102691,
+		"start_time": 16811,
+		"state": "S",
+		"stime": 10,
+		"suser": "fedegc",
+		"tgid": 2243,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 410764
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/gnome-shell",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-shell",
+		"nice": 0,
+		"nlwp": 11,
+		"pgrp": 2259,
+		"pid": 2259,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 45568,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 14597,
+		"size": 1045228,
+		"start_time": 16818,
+		"state": "S",
+		"stime": 35205,
+		"suser": "fedegc",
+		"tgid": 2259,
+		"tty": 0,
+		"utime": 336492,
+		"vm_size": 4180912
+	}, {
+		"argvs": "--panel disable --xim",
+		"cmd": "ibus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-daemon",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2339,
+		"ppid": 2259,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1492,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1492,
+		"size": 77782,
+		"start_time": 16954,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 2339,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 311128
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-memconf",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-memconf",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2343,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1473,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1473,
+		"size": 40674,
+		"start_time": 16959,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2343,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 162696
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-extension-gtk3",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-extension-",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2339,
+		"pid": 2346,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2019,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1927,
+		"size": 68950,
+		"start_time": 16961,
+		"state": "S",
+		"stime": 27,
+		"suser": "fedegc",
+		"tgid": 2346,
+		"tty": 0,
+		"utime": 138,
+		"vm_size": 275800
+	}, {
+		"argvs": "--kill-daemon",
+		"cmd": "/usr/libexec/ibus-x11",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-x11",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2350,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2718,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 2449,
+		"size": 49463,
+		"start_time": 16963,
+		"state": "S",
+		"stime": 24,
+		"suser": "fedegc",
+		"tgid": 2350,
+		"tty": 0,
+		"utime": 68,
+		"vm_size": 197852
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-portal",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-portal",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2353,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1605,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1471,
+		"size": 59124,
+		"start_time": 16965,
+		"state": "S",
+		"stime": 6,
+		"suser": "fedegc",
+		"tgid": 2353,
+		"tty": 0,
+		"utime": 24,
+		"vm_size": 236496
+	}, {
+		"argvs": "--use-gnome-session",
+		"cmd": "/usr/libexec/at-spi2-registryd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "at-spi2-registr",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2208,
+		"pid": 2364,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1741,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 1647,
+		"size": 40726,
+		"start_time": 16972,
+		"state": "S",
+		"stime": 206,
+		"suser": "fedegc",
+		"tgid": 2364,
+		"tty": 0,
+		"utime": 171,
+		"vm_size": 162904
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/xdg-permission-store",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "xdg-permission-",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2374,
+		"pid": 2374,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1029,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2374,
+		"sgroup": "fedegc",
+		"share": 1029,
+		"size": 58897,
+		"start_time": 16991,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2374,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235588
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gnome-shell-calendar-server",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-shell-cal",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2023,
+		"pid": 2378,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1752,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1752,
+		"size": 145437,
+		"start_time": 16992,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 2378,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 581748
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-source-registry",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-sourc",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2389,
+		"pid": 2389,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2584,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2389,
+		"sgroup": "fedegc",
+		"share": 2357,
+		"size": 251280,
+		"start_time": 16998,
+		"state": "S",
+		"stime": 4,
+		"suser": "fedegc",
+		"tgid": 2389,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 1005120
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/dconf-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dconf-service",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2402,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1413,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1251,
+		"size": 39121,
+		"start_time": 17017,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2402,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 156484
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-calendar-factory",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-calen",
+		"nice": 0,
+		"nlwp": 9,
+		"pgrp": 2414,
+		"pid": 2414,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2515,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2414,
+		"sgroup": "fedegc",
+		"share": 2289,
+		"size": 211823,
+		"start_time": 17027,
+		"state": "S",
+		"stime": 6,
+		"suser": "fedegc",
+		"tgid": 2414,
+		"tty": 0,
+		"utime": 13,
+		"vm_size": 847292
+	}, {
+		"argvs": "/usr/share/gnome-shell/org.gnome.Shell.Notifications",
+		"cmd": "/usr/bin/gjs",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gjs",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2023,
+		"pid": 2426,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2857,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 2857,
+		"size": 649630,
+		"start_time": 17044,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 2426,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 2598520
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-addressbook-factory",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-addre",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2441,
+		"pid": 2441,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1917,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2441,
+		"sgroup": "fedegc",
+		"share": 1850,
+		"size": 168400,
+		"start_time": 17054,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2441,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 673600
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-a11y-settings",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-a11y-settin",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2466,
+		"pid": 2466,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1427,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2466,
+		"sgroup": "fedegc",
+		"share": 1369,
+		"size": 77462,
+		"start_time": 17078,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2466,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 309848
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-color",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-color",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2468,
+		"pid": 2468,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2886,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2468,
+		"sgroup": "fedegc",
+		"share": 2525,
+		"size": 142077,
+		"start_time": 17078,
+		"state": "S",
+		"stime": 64,
+		"suser": "fedegc",
+		"tgid": 2468,
+		"tty": 0,
+		"utime": 136,
+		"vm_size": 568308
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-datetime",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-datetime",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2469,
+		"pid": 2469,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2181,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2469,
+		"sgroup": "fedegc",
+		"share": 2122,
+		"size": 93452,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2469,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 373808
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-housekeeping",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-housekeepin",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2470,
+		"pid": 2470,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1595,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2470,
+		"sgroup": "fedegc",
+		"share": 1498,
+		"size": 77997,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 186,
+		"suser": "fedegc",
+		"tgid": 2470,
+		"tty": 0,
+		"utime": 394,
+		"vm_size": 311988
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-keyboard",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-keyboard",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2471,
+		"pid": 2471,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2370,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2471,
+		"sgroup": "fedegc",
+		"share": 2216,
+		"size": 105012,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 21,
+		"suser": "fedegc",
+		"tgid": 2471,
+		"tty": 0,
+		"utime": 67,
+		"vm_size": 420048
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-media-keys",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-media-keys",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2472,
+		"pid": 2472,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 3039,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2472,
+		"sgroup": "fedegc",
+		"share": 2607,
+		"size": 225400,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 47,
+		"suser": "fedegc",
+		"tgid": 2472,
+		"tty": 0,
+		"utime": 108,
+		"vm_size": 901600
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-power",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-power",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2474,
+		"pid": 2474,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2454,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2474,
+		"sgroup": "fedegc",
+		"share": 2240,
+		"size": 105165,
+		"start_time": 17082,
+		"state": "S",
+		"stime": 39,
+		"suser": "fedegc",
+		"tgid": 2474,
+		"tty": 0,
+		"utime": 86,
+		"vm_size": 420660
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-print-notifications",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-print-notif",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2479,
+		"pid": 2479,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1733,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2479,
+		"sgroup": "fedegc",
+		"share": 1602,
+		"size": 62112,
+		"start_time": 17083,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2479,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 248448
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-rfkill",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-rfkill",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2484,
+		"pid": 2484,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1411,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2484,
+		"sgroup": "fedegc",
+		"share": 1326,
+		"size": 114273,
+		"start_time": 17085,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2484,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 457092
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-screensaver-proxy",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-screensaver",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2486,
+		"pid": 2486,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1306,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2486,
+		"sgroup": "fedegc",
+		"share": 1289,
+		"size": 77308,
+		"start_time": 17086,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2486,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 309232
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-engine-simple",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-engine-sim",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2495,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1488,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1488,
+		"size": 40672,
+		"start_time": 17088,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2495,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 162688
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-sharing",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-sharing",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2496,
+		"pid": 2496,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1415,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2496,
+		"sgroup": "fedegc",
+		"share": 1306,
+		"size": 116210,
+		"start_time": 17089,
+		"state": "S",
+		"stime": 9,
+		"suser": "fedegc",
+		"tgid": 2496,
+		"tty": 0,
+		"utime": 34,
+		"vm_size": 464840
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-smartcard",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-smartcard",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2499,
+		"pid": 2499,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1486,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2499,
+		"sgroup": "fedegc",
+		"share": 1431,
+		"size": 78837,
+		"start_time": 17089,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2499,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 315348
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-sound",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-sound",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2504,
+		"pid": 2504,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1726,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2504,
+		"sgroup": "fedegc",
+		"share": 1683,
+		"size": 79885,
+		"start_time": 17091,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2504,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 319540
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-usb-protection",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-usb-protect",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2509,
+		"pid": 2509,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1460,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2509,
+		"sgroup": "fedegc",
+		"share": 1416,
+		"size": 114720,
+		"start_time": 17092,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2509,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 458880
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-wacom",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-wacom",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2514,
+		"pid": 2514,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2345,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2514,
+		"sgroup": "fedegc",
+		"share": 2156,
+		"size": 86333,
+		"start_time": 17093,
+		"state": "S",
+		"stime": 25,
+		"suser": "fedegc",
+		"tgid": 2514,
+		"tty": 0,
+		"utime": 69,
+		"vm_size": 345332
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-wwan",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-wwan",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2531,
+		"pid": 2531,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1413,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2531,
+		"sgroup": "fedegc",
+		"share": 1367,
+		"size": 96976,
+		"start_time": 17100,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2531,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 387904
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-data-server/evolution-alarm-notify",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-alarm",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2243,
+		"pid": 2533,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 3818,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2676,
+		"size": 158764,
+		"start_time": 17101,
+		"state": "S",
+		"stime": 44,
+		"suser": "fedegc",
+		"tgid": 2533,
+		"tty": 0,
+		"utime": 106,
+		"vm_size": 635056
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-xsettings",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-xsettings",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2534,
+		"pid": 2534,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2494,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2534,
+		"sgroup": "fedegc",
+		"share": 2268,
+		"size": 86729,
+		"start_time": 17101,
+		"state": "S",
+		"stime": 26,
+		"suser": "fedegc",
+		"tgid": 2534,
+		"tty": 0,
+		"utime": 107,
+		"vm_size": 346916
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "indicator-messa",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2544,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1551,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 1551,
+		"size": 78345,
+		"start_time": 17110,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2544,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 313380
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-disk-utility-notify",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-disk-utilit",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2243,
+		"pid": 2552,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1534,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 1353,
+		"size": 57948,
+		"start_time": 17114,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2552,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 231792
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-printer",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-printer",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2479,
+		"pid": 2557,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1995,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2479,
+		"sgroup": "fedegc",
+		"share": 1884,
+		"size": 85546,
+		"start_time": 17117,
+		"state": "S",
+		"stime": 7,
+		"suser": "fedegc",
+		"tgid": 2557,
+		"tty": 0,
+		"utime": 13,
+		"vm_size": 342184
+	}, {
+		"argvs": "-n vmusr --blockFd 3",
+		"cmd": "/usr/bin/vmtoolsd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "vmtoolsd",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2560,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 4262,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 3200,
+		"size": 73169,
+		"start_time": 17119,
+		"state": "S",
+		"stime": 7687,
+		"suser": "fedegc",
+		"tgid": 2560,
+		"tty": 0,
+		"utime": 13063,
+		"vm_size": 292676
+	}, {
+		"argvs": "",
+		"cmd": "zeitgeist-datahub",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-datah",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 3202,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2401,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2116,
+		"size": 120440,
+		"start_time": 19095,
+		"state": "S",
+		"stime": 103,
+		"suser": "fedegc",
+		"tgid": 3202,
+		"tty": 0,
+		"utime": 159,
+		"vm_size": 481760
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/zeitgeist-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-daemo",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3221,
+		"pid": 3221,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1861,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3221,
+		"sgroup": "fedegc",
+		"share": 1588,
+		"size": 96747,
+		"start_time": 19130,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 3221,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 386988
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/zeitgeist/zeitgeist-fts",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-fts",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3241,
+		"pid": 3241,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2398,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3241,
+		"sgroup": "fedegc",
+		"share": 1823,
+		"size": 68182,
+		"start_time": 19155,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 3241,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 272728
+	}, {
+		"argvs": "",
+		"cmd": "/opt/sublime_text/sublime_text",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "sublime_text",
+		"nice": 0,
+		"nlwp": 12,
+		"pgrp": 3412,
+		"pid": 3412,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 203653,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3412,
+		"sgroup": "fedegc",
+		"share": 11552,
+		"size": 603697,
+		"start_time": 19792,
+		"state": "S",
+		"stime": 20874,
+		"suser": "fedegc",
+		"tgid": 3412,
+		"tty": 0,
+		"utime": 117777,
+		"vm_size": 2414788
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gnome-terminal-server",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-terminal-",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 3472,
+		"pid": 3472,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 12392,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3472,
+		"sgroup": "fedegc",
+		"share": 4688,
+		"size": 223160,
+		"start_time": 19963,
+		"state": "S",
+		"stime": 5429,
+		"suser": "fedegc",
+		"tgid": 3472,
+		"tty": 0,
+		"utime": 40351,
+		"vm_size": 892640
+	}, {
+		"argvs": "3412 --auto-shell-env",
+		"cmd": "/opt/sublime_text/plugin_host",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "plugin_host",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3412,
+		"pid": 3521,
+		"ppid": 3412,
+		"priority": 20,
+		"processor": 1,
+		"resident": 12663,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3412,
+		"sgroup": "fedegc",
+		"share": 1677,
+		"size": 78786,
+		"start_time": 20081,
+		"state": "S",
+		"stime": 305,
+		"suser": "fedegc",
+		"tgid": 3521,
+		"tty": 0,
+		"utime": 1234,
+		"vm_size": 315144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 3522,
+		"pid": 3522,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1433,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3522,
+		"sgroup": "fedegc",
+		"share": 691,
+		"size": 3102,
+		"start_time": 20082,
+		"state": "S",
+		"stime": 49,
+		"suser": "fedegc",
+		"tgid": 3522,
+		"tty": 34816,
+		"utime": 129,
+		"vm_size": 12408
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfsd-metadata",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-metadata",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3856,
+		"pid": 3856,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1481,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3856,
+		"sgroup": "fedegc",
+		"share": 1336,
+		"size": 40543,
+		"start_time": 23095,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 3856,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 162172
+	}, {
+		"argvs": "",
+		"cmd": "update-notifier",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "update-notifier",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 3859,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 6884,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 4116,
+		"size": 183024,
+		"start_time": 23097,
+		"state": "S",
+		"stime": 189,
+		"suser": "fedegc",
+		"tgid": 3859,
+		"tty": 0,
+		"utime": 357,
+		"vm_size": 732096
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 4976,
+		"pid": 4976,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1114,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 4976,
+		"sgroup": "fedegc",
+		"share": 680,
+		"size": 2794,
+		"start_time": 98074,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 4976,
+		"tty": 34817,
+		"utime": 9,
+		"vm_size": 11176
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 321811,
+		"pid": 321811,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1543,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 321811,
+		"sgroup": "fedegc",
+		"share": 777,
+		"size": 3107,
+		"start_time": 4119998,
+		"state": "S",
+		"stime": 12,
+		"suser": "fedegc",
+		"tgid": 321811,
+		"tty": 34818,
+		"utime": 28,
+		"vm_size": 12428
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/0",
+		"cmd": "/usr/libexec/gvfsd-trash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-trash",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 321881,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1680,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1380,
+		"size": 78459,
+		"start_time": 4128015,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 321881,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 313836
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/1",
+		"cmd": "/usr/libexec/gvfsd-network",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-network",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2044,
+		"pid": 321907,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1814,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1579,
+		"size": 78572,
+		"start_time": 4128043,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 321907,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 314288
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/3",
+		"cmd": "/usr/libexec/gvfsd-dnssd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-dnssd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 321921,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1730,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1490,
+		"size": 78745,
+		"start_time": 4128381,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 321921,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 314980
+	}, {
+		"argvs": "--autolaunch=569b76505dd64fc7a0c6ef023e2f2bcc --binary-syntax --close-stderr",
+		"cmd": "dbus-launch",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dbus-launch",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 323658,
+		"pid": 323663,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 483,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 323658,
+		"sgroup": "root",
+		"share": 372,
+		"size": 1849,
+		"start_time": 4332813,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 323663,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 7396
+	}, {
+		"argvs": "--syslog-only --fork --print-pid 5 --print-address 7 --session",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 323664,
+		"pid": 323664,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 583,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 323664,
+		"sgroup": "root",
+		"share": 480,
+		"size": 1867,
+		"start_time": 4332818,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 323664,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 7468
+	}, {
+		"argvs": "--gapplication-service",
+		"cmd": "/usr/bin/nautilus",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "nautilus",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2023,
+		"pid": 520740,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 13843,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 5545,
+		"size": 333346,
+		"start_time": 9085836,
+		"state": "S",
+		"stime": 112,
+		"suser": "fedegc",
+		"tgid": 520740,
+		"tty": 0,
+		"utime": 695,
+		"vm_size": 1333384
+	}, {
+		"argvs": ".host:/ /mnt/hgfs -o subtype=vmhgfs-fuse,allow_other",
+		"cmd": "/usr/bin/vmhgfs-fuse",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmhgfs-fuse",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 539724,
+		"pid": 539724,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 603,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 539724,
+		"sgroup": "root",
+		"share": 239,
+		"size": 77314,
+		"start_time": 9188529,
+		"state": "S",
+		"stime": 25,
+		"suser": "root",
+		"tgid": 539724,
+		"tty": 0,
+		"utime": 55,
+		"vm_size": 309256
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "xfsalloc",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561037,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043329,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561037,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "xfs_mru_cache",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561041,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043329,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561041,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsIO",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561046,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043518,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561046,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsCommit",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561047,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043518,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561047,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsCommit",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561048,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043519,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561048,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsSync",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561049,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043519,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561049,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "su",
+		"cmd": "sudo",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sudo",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597875,
+		"pid": 597875,
+		"ppid": 4976,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1105,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 911,
+		"size": 3050,
+		"start_time": 10435645,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 597875,
+		"tty": 34817,
+		"utime": 1,
+		"vm_size": 12200
+	}, {
+		"argvs": "",
+		"cmd": "su",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "su",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597875,
+		"pid": 597876,
+		"ppid": 597875,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1067,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 945,
+		"size": 2786,
+		"start_time": 10436242,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 597876,
+		"tty": 34817,
+		"utime": 0,
+		"vm_size": 11144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597877,
+		"pid": 597877,
+		"ppid": 597876,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1090,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 898,
+		"size": 2544,
+		"start_time": 10436245,
+		"state": "S",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 597877,
+		"tty": 34817,
+		"utime": 4,
+		"vm_size": 10176
+	}, {
+		"argvs": "--fwdargv0 /usr/bin/subl /var/ossec/etc/ossec.conf",
+		"cmd": "/opt/sublime_text/sublime_text",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sublime_text",
+		"nice": 0,
+		"nlwp": 9,
+		"pgrp": 634523,
+		"pid": 634523,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 23599,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 634523,
+		"sgroup": "root",
+		"share": 8599,
+		"size": 226040,
+		"start_time": 12111972,
+		"state": "S",
+		"stime": 61,
+		"suser": "root",
+		"tgid": 634523,
+		"tty": 0,
+		"utime": 379,
+		"vm_size": 904160
+	}, {
+		"argvs": "634523 --auto-shell-env",
+		"cmd": "/opt/sublime_text/plugin_host",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "plugin_host",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 634523,
+		"pid": 634536,
+		"ppid": 634523,
+		"priority": 20,
+		"processor": 0,
+		"resident": 6064,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 634523,
+		"sgroup": "root",
+		"share": 2675,
+		"size": 37003,
+		"start_time": 12112031,
+		"state": "S",
+		"stime": 23,
+		"suser": "root",
+		"tgid": 634536,
+		"tty": 0,
+		"utime": 35,
+		"vm_size": 148012
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop14",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 643049,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 13711814,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 643049,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "su",
+		"cmd": "sudo",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sudo",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646484,
+		"pid": 646484,
+		"ppid": 3522,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1158,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 975,
+		"size": 3006,
+		"start_time": 14528172,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 646484,
+		"tty": 34816,
+		"utime": 1,
+		"vm_size": 12024
+	}, {
+		"argvs": "",
+		"cmd": "su",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "su",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646484,
+		"pid": 646485,
+		"ppid": 646484,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1069,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 947,
+		"size": 2786,
+		"start_time": 14528174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 646485,
+		"tty": 34816,
+		"utime": 0,
+		"vm_size": 11144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646488,
+		"pid": 646488,
+		"ppid": 646485,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1072,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 897,
+		"size": 2515,
+		"start_time": 14528176,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 646488,
+		"tty": 34816,
+		"utime": 2,
+		"vm_size": 10060
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/fwupd/fwupd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "fwupd",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 651816,
+		"pid": 651816,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 9750,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 651816,
+		"sgroup": "root",
+		"share": 3612,
+		"size": 99812,
+		"start_time": 14826742,
+		"state": "S",
+		"stime": 23,
+		"suser": "root",
+		"tgid": 651816,
+		"tty": 0,
+		"utime": 36,
+		"vm_size": 399248
+	}, {
+		"argvs": "-l",
+		"cmd": "/usr/sbin/cupsd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cupsd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 652282,
+		"pid": 652282,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1826,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 652282,
+		"sgroup": "root",
+		"share": 1387,
+		"size": 7167,
+		"start_time": 15138465,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 652282,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 28668
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/cups-browsed",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cups-browsed",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 652284,
+		"pid": 652284,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2429,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 652284,
+		"sgroup": "root",
+		"share": 2031,
+		"size": 45166,
+		"start_time": 15138466,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 652284,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 180664
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-resolved",
+		"egroup": "systemd-resolve",
+		"euser": "systemd-resolve",
+		"fgroup": "systemd-resolve",
+		"name": "systemd-resolve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 653225,
+		"pid": 653225,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2758,
+		"rgroup": "systemd-resolve",
+		"ruser": "systemd-resolve",
+		"session": 653225,
+		"sgroup": "systemd-resolve",
+		"share": 1696,
+		"size": 6061,
+		"start_time": 15142983,
+		"state": "S",
+		"stime": 4,
+		"suser": "systemd-resolve",
+		"tgid": 653225,
+		"tty": 0,
+		"utime": 3,
+		"vm_size": 24244
+	}, {
+		"argvs": "/usr/bin/update-manager --no-update --no-focus-on-map",
+		"cmd": "/usr/bin/python3",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "update-manager",
+		"nice": 10,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 653442,
+		"ppid": 2005,
+		"priority": 30,
+		"processor": 1,
+		"resident": 33850,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 20747,
+		"size": 227088,
+		"start_time": 15151522,
+		"state": "S",
+		"stime": 20,
+		"suser": "fedegc",
+		"tgid": 653442,
+		"tty": 0,
+		"utime": 202,
+		"vm_size": 908352
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:1-cgr",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653617,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15172029,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 653617,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:2-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653689,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15216522,
+		"state": "I",
+		"stime": 12,
+		"suser": "root",
+		"tgid": 653689,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:2-rcu",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653714,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15229831,
+		"state": "I",
+		"stime": 37,
+		"suser": "root",
+		"tgid": 653714,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:0-eve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653986,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15268845,
+		"state": "I",
+		"stime": 25,
+		"suser": "root",
+		"tgid": 653986,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:1-eve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654011,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15287287,
+		"state": "I",
+		"stime": 40,
+		"suser": "root",
+		"tgid": 654011,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:3-rcu",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654012,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15287287,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 654012,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:0-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654114,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15288985,
+		"state": "I",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 654114,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:3-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654116,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15288986,
+		"state": "I",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 654116,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}
+])"
+};
+
+constexpr auto input2
+{
+    R"(
+[
+	{
+		"argvs": "auto noprompt",
+		"cmd": "/sbin/init",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1,
+		"pid": 1,
+		"ppid": 0,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2428,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1,
+		"sgroup": "root",
+		"share": 1424,
+		"size": 42756,
+		"start_time": 39,
+		"state": "S",
+		"stime": 558,
+		"suser": "root",
+		"tgid": 1,
+		"tty": 0,
+		"utime": 786,
+		"vm_size": 171024
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kthreadd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 2,
+		"ppid": 0,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 7,
+		"suser": "root",
+		"tgid": 2,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_gp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 3,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 3,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_par_gp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 4,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 4,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:0H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 6,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 6,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mm_percpu_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 9,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 9,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksoftirqd/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 10,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 688,
+		"suser": "root",
+		"tgid": 10,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_sched",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 11,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "I",
+		"stime": 5935,
+		"suser": "root",
+		"tgid": 11,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "migration/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 12,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 166,
+		"suser": "root",
+		"tgid": 12,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "idle_inject/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 13,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 39,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 13,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cpuhp/0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 14,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 14,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cpuhp/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 15,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 15,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "idle_inject/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 16,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 16,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "migration/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 17,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 166,
+		"suser": "root",
+		"tgid": 17,
+		"tty": 0,
+		"utime": 41,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksoftirqd/1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 18,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "S",
+		"stime": 645,
+		"suser": "root",
+		"tgid": 18,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:0H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 20,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 40,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 20,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kdevtmpfs",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 21,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "S",
+		"stime": 14,
+		"suser": "root",
+		"tgid": 21,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "netns",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 22,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 22,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "rcu_tasks_kthre",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 23,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 41,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 23,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kauditd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 24,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 24,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "khungtaskd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 27,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 27,
+		"tty": 0,
+		"utime": 33,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "oom_reaper",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 28,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 28,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "writeback",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 29,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 29,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kcompactd0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 30,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 5,
+		"suser": "root",
+		"tgid": 30,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ksmd",
+		"nice": 5,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 31,
+		"ppid": 2,
+		"priority": 25,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 31,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "khugepaged",
+		"nice": 19,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 32,
+		"ppid": 2,
+		"priority": 39,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 42,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 32,
+		"tty": 0,
+		"utime": 8,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kintegrityd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 78,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 78,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kblockd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 79,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 79,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "blkcg_punt_bio",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 80,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 43,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 80,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "tpm_dev_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 82,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 82,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ata_sff",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 83,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 83,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "md",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 84,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 84,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "edac-poller",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 85,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 85,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "devfreq_wq",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 86,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 104,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 86,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "watchdogd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 87,
+		"ppid": 2,
+		"priority": -100,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 108,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 87,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kswapd0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 90,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 172,
+		"state": "S",
+		"stime": 1484,
+		"suser": "root",
+		"tgid": 90,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ecryptfs-kthrea",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 91,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 172,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 91,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kthrotld",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 93,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 93,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/24-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 94,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 94,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/25-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 95,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 95,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/26-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 96,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 96,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/27-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 97,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 97,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/28-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 98,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 98,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/29-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 99,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 99,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/30-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 100,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 100,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/31-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 101,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 101,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/32-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 102,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 173,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 102,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/33-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 103,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 103,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/34-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 104,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 104,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/35-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 105,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 105,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/36-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 106,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 106,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/37-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 107,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 107,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/38-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 108,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 108,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/39-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 109,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 109,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/40-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 110,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 110,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/41-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 111,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 111,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/42-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 112,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 112,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/43-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 113,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 113,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/44-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 114,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 114,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/45-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 115,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 115,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/46-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 116,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 116,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/47-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 117,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 117,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/48-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 118,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 118,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/49-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 119,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 119,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/50-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 120,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 120,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/51-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 121,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 121,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/52-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 122,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 122,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/53-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 123,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 123,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/54-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 124,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 175,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 124,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/55-pciehp",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 125,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 176,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 125,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "acpi_thermal_pm",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 126,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 176,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 126,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_0",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 127,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 127,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 128,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 128,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_1",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 129,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 129,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_1",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 130,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 130,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vfio-irqfd-clea",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 132,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 181,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 132,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ipv6_addrconf",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 133,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 183,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 133,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kstrp",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 143,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 184,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 143,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u257:0-",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 146,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 184,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 146,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "charger_manager",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 159,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 185,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 159,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mpt_poll_0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 203,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 226,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 203,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "mpt/0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 204,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 226,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 204,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_2",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 205,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 205,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_2",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 206,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 206,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_3",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 207,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 207,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_3",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 208,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 208,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_4",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 209,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 209,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_4",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 210,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 210,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_5",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 211,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 211,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_5",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 213,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 213,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_6",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 214,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 227,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 214,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_6",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 215,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 215,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_7",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 216,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 216,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_7",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 217,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 228,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 217,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_8",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 218,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 229,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 218,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_8",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 219,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 229,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 219,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_9",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 221,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 230,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 221,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_9",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 222,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 230,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 222,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_10",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 223,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 231,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 223,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_10",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 224,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 231,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 224,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_11",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 225,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 232,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 225,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_11",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 226,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 232,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 226,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_12",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 227,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 227,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_12",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 228,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 228,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_13",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 229,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 229,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_13",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 230,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 230,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_14",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 231,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 231,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_14",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 232,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 232,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_15",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 233,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 233,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_15",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 234,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 234,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_16",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 235,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 235,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_16",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 236,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 236,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_17",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 237,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 237,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_17",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 238,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 238,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_18",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 239,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 239,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_18",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 240,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 240,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_19",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 241,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 241,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_19",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 242,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 242,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_20",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 243,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 243,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_20",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 244,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 244,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_21",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 245,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 245,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_21",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 246,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 246,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_22",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 247,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 247,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_22",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 248,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 248,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_23",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 249,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 249,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_23",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 250,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 250,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_24",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 251,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 251,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_24",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 252,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 252,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_25",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 253,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 253,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_25",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 254,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 254,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_26",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 255,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 255,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_26",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 256,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 256,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_27",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 257,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 257,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_27",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 258,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 258,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_28",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 259,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 259,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_28",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 260,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 260,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_29",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 261,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 261,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_29",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 262,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 262,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_30",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 263,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 263,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_30",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 264,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 264,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_31",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 265,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 265,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_31",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 266,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 233,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 266,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_eh_32",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 294,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 262,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 294,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "scsi_tmf_32",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 295,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 262,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 295,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:1H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 296,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 265,
+		"state": "I",
+		"stime": 717,
+		"suser": "root",
+		"tgid": 296,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:1H-kb",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 317,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 331,
+		"state": "I",
+		"stime": 715,
+		"suser": "root",
+		"tgid": 317,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jbd2/sda1-8",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 319,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 350,
+		"state": "S",
+		"stime": 572,
+		"suser": "root",
+		"tgid": 319,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ext4-rsv-conver",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 320,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 350,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 320,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-journald",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-journal",
+		"nice": -1,
+		"nlwp": 1,
+		"pgrp": 361,
+		"pid": 361,
+		"ppid": 1,
+		"priority": 19,
+		"processor": 1,
+		"resident": 3992,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 361,
+		"sgroup": "root",
+		"share": 3699,
+		"size": 15068,
+		"start_time": 444,
+		"state": "S",
+		"stime": 203,
+		"suser": "root",
+		"tgid": 361,
+		"tty": 0,
+		"utime": 101,
+		"vm_size": 60272
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irq/16-vmwgfx",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 380,
+		"ppid": 2,
+		"priority": -51,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 457,
+		"state": "S",
+		"stime": 2652,
+		"suser": "root",
+		"tgid": 380,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ttm_swap",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 381,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 457,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 381,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop0",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 386,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 461,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 386,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop1",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 390,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 463,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 390,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop3",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 394,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 464,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 394,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop4",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 396,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 464,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 396,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-udevd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-udevd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 401,
+		"pid": 401,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1556,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 401,
+		"sgroup": "root",
+		"share": 752,
+		"size": 6049,
+		"start_time": 466,
+		"state": "S",
+		"stime": 360,
+		"suser": "root",
+		"tgid": 401,
+		"tty": 0,
+		"utime": 164,
+		"vm_size": 24196
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop5",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 405,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 468,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 405,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "/run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid",
+		"cmd": "vmware-vmblock-fuse",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmware-vmblock-",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 411,
+		"pid": 411,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 79,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 411,
+		"sgroup": "root",
+		"share": 14,
+		"size": 56132,
+		"start_time": 471,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 411,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 224528
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop6",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 414,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 472,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 414,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop7",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 415,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 472,
+		"state": "S",
+		"stime": 3,
+		"suser": "root",
+		"tgid": 415,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop8",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 417,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 476,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 417,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop9",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 422,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 480,
+		"state": "S",
+		"stime": 7,
+		"suser": "root",
+		"tgid": 422,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop10",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 423,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 484,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 423,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop11",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 444,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 486,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 444,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop12",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 446,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 490,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 446,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop13",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 447,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 493,
+		"state": "S",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 447,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-timesyncd",
+		"egroup": "systemd-timesync",
+		"euser": "systemd-timesync",
+		"fgroup": "systemd-timesync",
+		"name": "systemd-timesyn",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 469,
+		"pid": 469,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 870,
+		"rgroup": "systemd-timesync",
+		"ruser": "systemd-timesync",
+		"session": 469,
+		"sgroup": "systemd-timesync",
+		"share": 673,
+		"size": 22612,
+		"start_time": 501,
+		"state": "S",
+		"stime": 35,
+		"suser": "systemd-timesync",
+		"tgid": 469,
+		"tty": 0,
+		"utime": 22,
+		"vm_size": 90448
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/VGAuthService",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "VGAuthService",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 488,
+		"pid": 488,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1388,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 488,
+		"sgroup": "root",
+		"share": 1175,
+		"size": 12588,
+		"start_time": 516,
+		"state": "S",
+		"stime": 3,
+		"suser": "root",
+		"tgid": 488,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 50352
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/vmtoolsd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmtoolsd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 490,
+		"pid": 490,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1415,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 490,
+		"sgroup": "root",
+		"share": 1197,
+		"size": 60200,
+		"start_time": 516,
+		"state": "S",
+		"stime": 9998,
+		"suser": "root",
+		"tgid": 490,
+		"tty": 0,
+		"utime": 11359,
+		"vm_size": 240800
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/accountsservice/accounts-daemon",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "accounts-daemon",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 514,
+		"pid": 514,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1720,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 514,
+		"sgroup": "root",
+		"share": 1489,
+		"size": 59657,
+		"start_time": 535,
+		"state": "S",
+		"stime": 141,
+		"suser": "root",
+		"tgid": 514,
+		"tty": 0,
+		"utime": 164,
+		"vm_size": 238628
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/acpid",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "acpid",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 515,
+		"pid": 515,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 180,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 515,
+		"sgroup": "root",
+		"share": 162,
+		"size": 635,
+		"start_time": 536,
+		"state": "S",
+		"stime": 280,
+		"suser": "root",
+		"tgid": 515,
+		"tty": 0,
+		"utime": 75,
+		"vm_size": 2540
+	}, {
+		"argvs": "",
+		"cmd": "avahi-daemon: running [ubuntu.local]",
+		"egroup": "avahi",
+		"euser": "avahi",
+		"fgroup": "avahi",
+		"name": "avahi-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 518,
+		"pid": 518,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 800,
+		"rgroup": "avahi",
+		"ruser": "avahi",
+		"session": 518,
+		"sgroup": "avahi",
+		"share": 712,
+		"size": 2189,
+		"start_time": 537,
+		"state": "S",
+		"stime": 142,
+		"suser": "avahi",
+		"tgid": 518,
+		"tty": 0,
+		"utime": 70,
+		"vm_size": 8756
+	}, {
+		"argvs": "-f",
+		"cmd": "/usr/sbin/cron",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cron",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 520,
+		"pid": 520,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 711,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 520,
+		"sgroup": "root",
+		"share": 641,
+		"size": 2409,
+		"start_time": 537,
+		"state": "S",
+		"stime": 28,
+		"suser": "root",
+		"tgid": 520,
+		"tty": 0,
+		"utime": 10,
+		"vm_size": 9636
+	}, {
+		"argvs": "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "messagebus",
+		"euser": "messagebus",
+		"fgroup": "messagebus",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 522,
+		"pid": 522,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1485,
+		"rgroup": "messagebus",
+		"ruser": "messagebus",
+		"session": 522,
+		"sgroup": "messagebus",
+		"share": 864,
+		"size": 2582,
+		"start_time": 538,
+		"state": "S",
+		"stime": 63,
+		"suser": "messagebus",
+		"tgid": 522,
+		"tty": 0,
+		"utime": 235,
+		"vm_size": 10328
+	}, {
+		"argvs": "--no-daemon",
+		"cmd": "/usr/sbin/NetworkManager",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "NetworkManager",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 525,
+		"pid": 525,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2198,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 525,
+		"sgroup": "root",
+		"share": 1901,
+		"size": 65486,
+		"start_time": 539,
+		"state": "S",
+		"stime": 122,
+		"suser": "root",
+		"tgid": 525,
+		"tty": 0,
+		"utime": 237,
+		"vm_size": 261944
+	}, {
+		"argvs": "--foreground",
+		"cmd": "/usr/sbin/irqbalance",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "irqbalance",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 531,
+		"pid": 531,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 911,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 531,
+		"sgroup": "root",
+		"share": 832,
+		"size": 20482,
+		"start_time": 541,
+		"state": "S",
+		"stime": 598,
+		"suser": "root",
+		"tgid": 531,
+		"tty": 0,
+		"utime": 212,
+		"vm_size": 81928
+	}, {
+		"argvs": "/usr/bin/networkd-dispatcher --run-startup-triggers",
+		"cmd": "/usr/bin/python3",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "networkd-dispat",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 534,
+		"pid": 534,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2400,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 534,
+		"sgroup": "root",
+		"share": 2080,
+		"size": 9888,
+		"start_time": 542,
+		"state": "S",
+		"stime": 6,
+		"suser": "root",
+		"tgid": 534,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 39552
+	}, {
+		"argvs": "--no-debug",
+		"cmd": "/usr/lib/policykit-1/polkitd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "polkitd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 535,
+		"pid": 535,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2634,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 535,
+		"sgroup": "root",
+		"share": 1708,
+		"size": 60452,
+		"start_time": 543,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 535,
+		"tty": 0,
+		"utime": 51,
+		"vm_size": 241808
+	}, {
+		"argvs": "-n -iNONE",
+		"cmd": "/usr/sbin/rsyslogd",
+		"egroup": "syslog",
+		"euser": "syslog",
+		"fgroup": "syslog",
+		"name": "rsyslogd",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 537,
+		"pid": 537,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 992,
+		"rgroup": "syslog",
+		"ruser": "syslog",
+		"session": 537,
+		"sgroup": "syslog",
+		"share": 752,
+		"size": 56137,
+		"start_time": 543,
+		"state": "S",
+		"stime": 33,
+		"suser": "syslog",
+		"tgid": 537,
+		"tty": 0,
+		"utime": 15,
+		"vm_size": 224548
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/snapd/snapd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "snapd",
+		"nice": 0,
+		"nlwp": 13,
+		"pgrp": 539,
+		"pid": 539,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 4714,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 539,
+		"sgroup": "root",
+		"share": 1678,
+		"size": 234231,
+		"start_time": 544,
+		"state": "S",
+		"stime": 549,
+		"suser": "root",
+		"tgid": 539,
+		"tty": 0,
+		"utime": 1492,
+		"vm_size": 936924
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/switcheroo-control",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "switcheroo-cont",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 540,
+		"pid": 540,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1490,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 540,
+		"sgroup": "root",
+		"share": 1374,
+		"size": 58935,
+		"start_time": 544,
+		"state": "S",
+		"stime": 5,
+		"suser": "root",
+		"tgid": 540,
+		"tty": 0,
+		"utime": 3,
+		"vm_size": 235740
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-logind",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "systemd-logind",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 541,
+		"pid": 541,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1154,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 541,
+		"sgroup": "root",
+		"share": 973,
+		"size": 4308,
+		"start_time": 545,
+		"state": "S",
+		"stime": 267,
+		"suser": "root",
+		"tgid": 541,
+		"tty": 0,
+		"utime": 48,
+		"vm_size": 17232
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/udisks2/udisksd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "udisksd",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 543,
+		"pid": 543,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2207,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 543,
+		"sgroup": "root",
+		"share": 1759,
+		"size": 98275,
+		"start_time": 545,
+		"state": "S",
+		"stime": 19,
+		"suser": "root",
+		"tgid": 543,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 393100
+	}, {
+		"argvs": "-u -s -O /run/wpa_supplicant",
+		"cmd": "/sbin/wpa_supplicant",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "wpa_supplicant",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 546,
+		"pid": 546,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 588,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 546,
+		"sgroup": "root",
+		"share": 445,
+		"size": 3420,
+		"start_time": 546,
+		"state": "S",
+		"stime": 67,
+		"suser": "root",
+		"tgid": 546,
+		"tty": 0,
+		"utime": 28,
+		"vm_size": 13680
+	}, {
+		"argvs": "",
+		"cmd": "avahi-daemon: chroot helper",
+		"egroup": "avahi",
+		"euser": "avahi",
+		"fgroup": "avahi",
+		"name": "avahi-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 518,
+		"pid": 557,
+		"ppid": 518,
+		"priority": 20,
+		"processor": 1,
+		"resident": 81,
+		"rgroup": "avahi",
+		"ruser": "avahi",
+		"session": 518,
+		"sgroup": "avahi",
+		"share": 0,
+		"size": 2142,
+		"start_time": 551,
+		"state": "S",
+		"stime": 0,
+		"suser": "avahi",
+		"tgid": 557,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 8568
+	}, {
+		"argvs": "--filter-policy=strict",
+		"cmd": "/usr/sbin/ModemManager",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "ModemManager",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 651,
+		"pid": 651,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1760,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 651,
+		"sgroup": "root",
+		"share": 1440,
+		"size": 78435,
+		"start_time": 597,
+		"state": "S",
+		"stime": 4,
+		"suser": "root",
+		"tgid": 651,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 313740
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u257:1-",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 793,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 728,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 793,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "-1 -4 -v -i -pf /run/dhclient.ens33.pid -lf /var/lib/dhcp/dhclient.ens33.leases -I -df /var/lib/dhcp/dhclient6.ens33.leases ens33",
+		"cmd": "/sbin/dhclient",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dhclient",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 831,
+		"pid": 831,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 923,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 831,
+		"sgroup": "root",
+		"share": 630,
+		"size": 24974,
+		"start_time": 744,
+		"state": "S",
+		"stime": 44,
+		"suser": "root",
+		"tgid": 831,
+		"tty": 0,
+		"utime": 11,
+		"vm_size": 99896
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cryptd",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 865,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 767,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 865,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/bluetooth/bluetoothd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bluetoothd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1044,
+		"pid": 1044,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 960,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1044,
+		"sgroup": "root",
+		"share": 861,
+		"size": 2090,
+		"start_time": 864,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1044,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 8360
+	}, {
+		"argvs": "/usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",
+		"cmd": "/usr/bin/python3",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "unattended-upgr",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 1243,
+		"pid": 1243,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2885,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1243,
+		"sgroup": "root",
+		"share": 2331,
+		"size": 29519,
+		"start_time": 899,
+		"state": "S",
+		"stime": 4,
+		"suser": "root",
+		"tgid": 1243,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 118076
+	}, {
+		"argvs": "-f",
+		"cmd": "/usr/bin/whoopsie",
+		"egroup": "whoopsie",
+		"euser": "whoopsie",
+		"fgroup": "whoopsie",
+		"name": "whoopsie",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1245,
+		"pid": 1245,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2288,
+		"rgroup": "whoopsie",
+		"ruser": "whoopsie",
+		"session": 1245,
+		"sgroup": "whoopsie",
+		"share": 2043,
+		"size": 81817,
+		"start_time": 900,
+		"state": "S",
+		"stime": 8,
+		"suser": "whoopsie",
+		"tgid": 1245,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 327268
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/containerd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "containerd",
+		"nice": 0,
+		"nlwp": 11,
+		"pgrp": 1246,
+		"pid": 1246,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1987,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1246,
+		"sgroup": "root",
+		"share": 456,
+		"size": 223969,
+		"start_time": 901,
+		"state": "S",
+		"stime": 17678,
+		"suser": "root",
+		"tgid": 1246,
+		"tty": 0,
+		"utime": 13568,
+		"vm_size": 895876
+	}, {
+		"argvs": "--test",
+		"cmd": "/usr/sbin/kerneloops",
+		"egroup": "adm",
+		"euser": "kernoops",
+		"fgroup": "adm",
+		"name": "kerneloops",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1261,
+		"pid": 1261,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 492,
+		"rgroup": "adm",
+		"ruser": "kernoops",
+		"session": 1261,
+		"sgroup": "adm",
+		"share": 456,
+		"size": 2814,
+		"start_time": 903,
+		"state": "S",
+		"stime": 602,
+		"suser": "kernoops",
+		"tgid": 1261,
+		"tty": 0,
+		"utime": 41,
+		"vm_size": 11256
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/kerneloops",
+		"egroup": "adm",
+		"euser": "kernoops",
+		"fgroup": "adm",
+		"name": "kerneloops",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1267,
+		"pid": 1267,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 113,
+		"rgroup": "adm",
+		"ruser": "kernoops",
+		"session": 1267,
+		"sgroup": "adm",
+		"share": 0,
+		"size": 2814,
+		"start_time": 906,
+		"state": "S",
+		"stime": 607,
+		"suser": "kernoops",
+		"tgid": 1267,
+		"tty": 0,
+		"utime": 36,
+		"vm_size": 11256
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/lightdm",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "lightdm",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1269,
+		"pid": 1269,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1492,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1269,
+		"sgroup": "root",
+		"share": 1413,
+		"size": 76532,
+		"start_time": 906,
+		"state": "S",
+		"stime": 2,
+		"suser": "root",
+		"tgid": 1269,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 306128
+	}, {
+		"argvs": "-o -p -- \\u --noclear tty1 linux",
+		"cmd": "/sbin/agetty",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "agetty",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 1271,
+		"pid": 1271,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 426,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1271,
+		"sgroup": "root",
+		"share": 391,
+		"size": 2163,
+		"start_time": 907,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1271,
+		"tty": 1025,
+		"utime": 0,
+		"vm_size": 8652
+	}, {
+		"argvs": "-core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch",
+		"cmd": "/usr/lib/xorg/Xorg",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "Xorg",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 1280,
+		"pid": 1280,
+		"ppid": 1269,
+		"priority": 20,
+		"processor": 1,
+		"resident": 28270,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1280,
+		"sgroup": "root",
+		"share": 16127,
+		"size": 184920,
+		"start_time": 916,
+		"state": "S",
+		"stime": 37380,
+		"suser": "root",
+		"tgid": 1280,
+		"tty": 1031,
+		"utime": 229205,
+		"vm_size": 739680
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/rtkit-daemon",
+		"egroup": "rtkit",
+		"euser": "rtkit",
+		"fgroup": "rtkit",
+		"name": "rtkit-daemon",
+		"nice": 1,
+		"nlwp": 3,
+		"pgrp": 1379,
+		"pid": 1379,
+		"ppid": 1,
+		"priority": 21,
+		"processor": 0,
+		"resident": 681,
+		"rgroup": "rtkit",
+		"ruser": "rtkit",
+		"session": 1379,
+		"sgroup": "rtkit",
+		"share": 617,
+		"size": 38289,
+		"start_time": 1069,
+		"state": "S",
+		"stime": 217,
+		"suser": "rtkit",
+		"tgid": 1379,
+		"tty": 0,
+		"utime": 29,
+		"vm_size": 153156
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "krfcommd",
+		"nice": -10,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 1418,
+		"ppid": 2,
+		"priority": 10,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 1111,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1418,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/upower/upowerd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "upowerd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1525,
+		"pid": 1525,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1545,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1525,
+		"sgroup": "root",
+		"share": 1353,
+		"size": 63029,
+		"start_time": 1165,
+		"state": "S",
+		"stime": 6,
+		"suser": "root",
+		"tgid": 1525,
+		"tty": 0,
+		"utime": 9,
+		"vm_size": 252116
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/colord",
+		"egroup": "colord",
+		"euser": "colord",
+		"fgroup": "colord",
+		"name": "colord",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1569,
+		"pid": 1569,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2255,
+		"rgroup": "colord",
+		"ruser": "colord",
+		"session": 1569,
+		"sgroup": "colord",
+		"share": 1753,
+		"size": 61615,
+		"start_time": 1230,
+		"state": "S",
+		"stime": 5,
+		"suser": "colord",
+		"tgid": 1569,
+		"tty": 0,
+		"utime": 8,
+		"vm_size": 246460
+	}, {
+		"argvs": "--session-child 12 19",
+		"cmd": "lightdm",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "lightdm",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 1269,
+		"pid": 1573,
+		"ppid": 1269,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1385,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 1269,
+		"sgroup": "root",
+		"share": 1385,
+		"size": 40048,
+		"start_time": 1241,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 1573,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 160192
+	}, {
+		"argvs": "",
+		"cmd": "bpfilter_umh",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "none",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 1748,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 112,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 112,
+		"size": 622,
+		"start_time": 1410,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 1748,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 2488
+	}, {
+		"argvs": "--user",
+		"cmd": "/lib/systemd/systemd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "systemd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2005,
+		"pid": 2005,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1625,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2005,
+		"sgroup": "fedegc",
+		"share": 1301,
+		"size": 4807,
+		"start_time": 16718,
+		"state": "S",
+		"stime": 24,
+		"suser": "fedegc",
+		"tgid": 2005,
+		"tty": 0,
+		"utime": 22,
+		"vm_size": 19228
+	}, {
+		"argvs": "",
+		"cmd": "(sd-pam) ",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "(sd-pam) ",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2005,
+		"pid": 2007,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 76,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2005,
+		"sgroup": "fedegc",
+		"share": 0,
+		"size": 42310,
+		"start_time": 16719,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2007,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 169240
+	}, {
+		"argvs": "--daemonize=no --log-target=journal",
+		"cmd": "/usr/bin/pulseaudio",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "pulseaudio",
+		"nice": -11,
+		"nlwp": 4,
+		"pgrp": 2015,
+		"pid": 2015,
+		"ppid": 2005,
+		"priority": 9,
+		"processor": 1,
+		"resident": 3144,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2015,
+		"sgroup": "fedegc",
+		"share": 2594,
+		"size": 614213,
+		"start_time": 16727,
+		"state": "S",
+		"stime": 2188,
+		"suser": "fedegc",
+		"tgid": 2015,
+		"tty": 0,
+		"utime": 550,
+		"vm_size": 2456852
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/tracker-miner-fs",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "tracker-miner-f",
+		"nice": 19,
+		"nlwp": 5,
+		"pgrp": 2017,
+		"pid": 2017,
+		"ppid": 2005,
+		"priority": 39,
+		"processor": 0,
+		"resident": 2226,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2017,
+		"sgroup": "fedegc",
+		"share": 1936,
+		"size": 127976,
+		"start_time": 16728,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 2017,
+		"tty": 0,
+		"utime": 14,
+		"vm_size": 511904
+	}, {
+		"argvs": "--daemonize --login",
+		"cmd": "/usr/bin/gnome-keyring-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-keyring-d",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2019,
+		"pid": 2021,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1140,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2019,
+		"sgroup": "fedegc",
+		"share": 1000,
+		"size": 60043,
+		"start_time": 16730,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 2021,
+		"tty": 0,
+		"utime": 29,
+		"vm_size": 240172
+	}, {
+		"argvs": "--session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2023,
+		"pid": 2023,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1106,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 804,
+		"size": 2122,
+		"start_time": 16731,
+		"state": "S",
+		"stime": 59,
+		"suser": "fedegc",
+		"tgid": 2023,
+		"tty": 0,
+		"utime": 123,
+		"vm_size": 8488
+	}, {
+		"argvs": "--systemd --systemd --session=ubuntu",
+		"cmd": "/usr/libexec/gnome-session-binary",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-b",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2031,
+		"pid": 2031,
+		"ppid": 1573,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2085,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2031,
+		"sgroup": "fedegc",
+		"share": 2047,
+		"size": 47102,
+		"start_time": 16733,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2031,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 188408
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfsd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 2044,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1572,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1396,
+		"size": 59955,
+		"start_time": 16734,
+		"state": "S",
+		"stime": 4,
+		"suser": "fedegc",
+		"tgid": 2044,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 239820
+	}, {
+		"argvs": "/run/user/1000/gvfs -f -o big_writes",
+		"cmd": "/usr/libexec/gvfsd-fuse",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-fuse",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2044,
+		"pid": 2055,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1440,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1410,
+		"size": 94584,
+		"start_time": 16737,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2055,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 378336
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-udisks2-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-udisks2-vo",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2070,
+		"pid": 2070,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1961,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2070,
+		"sgroup": "fedegc",
+		"share": 1670,
+		"size": 78585,
+		"start_time": 16743,
+		"state": "S",
+		"stime": 7,
+		"suser": "fedegc",
+		"tgid": 2070,
+		"tty": 0,
+		"utime": 7,
+		"vm_size": 314340
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-gphoto2-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-gphoto2-vo",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2078,
+		"pid": 2078,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1499,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2078,
+		"sgroup": "fedegc",
+		"share": 1416,
+		"size": 59492,
+		"start_time": 16748,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2078,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 237968
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-goa-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-goa-volume",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2082,
+		"pid": 2082,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1357,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2082,
+		"sgroup": "fedegc",
+		"share": 1272,
+		"size": 58966,
+		"start_time": 16750,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2082,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235864
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/goa-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "goa-daemon",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2023,
+		"pid": 2088,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2323,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 2247,
+		"size": 135566,
+		"start_time": 16752,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2088,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 542264
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/goa-identity-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "goa-identity-se",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2101,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1450,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1450,
+		"size": 78687,
+		"start_time": 16760,
+		"state": "S",
+		"stime": 369,
+		"suser": "fedegc",
+		"tgid": 2101,
+		"tty": 0,
+		"utime": 161,
+		"vm_size": 314748
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-afc-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-afc-volume",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2121,
+		"pid": 2121,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1479,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2121,
+		"sgroup": "fedegc",
+		"share": 1375,
+		"size": 79180,
+		"start_time": 16763,
+		"state": "S",
+		"stime": 636,
+		"suser": "fedegc",
+		"tgid": 2121,
+		"tty": 0,
+		"utime": 129,
+		"vm_size": 316720
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfs-mtp-volume-monitor",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfs-mtp-volume",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2133,
+		"pid": 2133,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1416,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2133,
+		"sgroup": "fedegc",
+		"share": 1324,
+		"size": 58923,
+		"start_time": 16765,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2133,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235692
+	}, {
+		"argvs": "/usr/bin/im-launch env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu",
+		"cmd": "/usr/bin/ssh-agent",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ssh-agent",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2186,
+		"pid": 2186,
+		"ppid": 2031,
+		"priority": 20,
+		"processor": 1,
+		"resident": 9,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2186,
+		"sgroup": "ssh",
+		"share": 0,
+		"size": 1508,
+		"start_time": 16780,
+		"state": "S",
+		"stime": 55,
+		"suser": "fedegc",
+		"tgid": 2186,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 6032
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/at-spi-bus-launcher",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "at-spi-bus-laun",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2208,
+		"pid": 2208,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1452,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 1425,
+		"size": 76402,
+		"start_time": 16790,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2208,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 305608
+	}, {
+		"argvs": "--config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 2208,
+		"pid": 2213,
+		"ppid": 2208,
+		"priority": 20,
+		"processor": 1,
+		"resident": 837,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 778,
+		"size": 1899,
+		"start_time": 16791,
+		"state": "S",
+		"stime": 33,
+		"suser": "fedegc",
+		"tgid": 2213,
+		"tty": 0,
+		"utime": 67,
+		"vm_size": 7596
+	}, {
+		"argvs": "--monitor",
+		"cmd": "/usr/libexec/gnome-session-ctl",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-c",
+		"nice": 0,
+		"nlwp": 2,
+		"pgrp": 2234,
+		"pid": 2234,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 948,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2234,
+		"sgroup": "fedegc",
+		"share": 948,
+		"size": 22514,
+		"start_time": 16809,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2234,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 90056
+	}, {
+		"argvs": "--systemd-service --session=ubuntu",
+		"cmd": "/usr/libexec/gnome-session-binary",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-session-b",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2243,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2393,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2113,
+		"size": 102691,
+		"start_time": 16811,
+		"state": "S",
+		"stime": 10,
+		"suser": "fedegc",
+		"tgid": 2243,
+		"tty": 0,
+		"utime": 20,
+		"vm_size": 410764
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/gnome-shell",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-shell",
+		"nice": 0,
+		"nlwp": 11,
+		"pgrp": 2259,
+		"pid": 2259,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 45568,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 14597,
+		"size": 1045228,
+		"start_time": 16818,
+		"state": "S",
+		"stime": 35207,
+		"suser": "fedegc",
+		"tgid": 2259,
+		"tty": 0,
+		"utime": 336505,
+		"vm_size": 4180912
+	}, {
+		"argvs": "--panel disable --xim",
+		"cmd": "ibus-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-daemon",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2339,
+		"ppid": 2259,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1492,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1492,
+		"size": 77782,
+		"start_time": 16954,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 2339,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 311128
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-memconf",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-memconf",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2343,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1473,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1473,
+		"size": 40674,
+		"start_time": 16959,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2343,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 162696
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-extension-gtk3",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-extension-",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2339,
+		"pid": 2346,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2019,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1927,
+		"size": 68950,
+		"start_time": 16961,
+		"state": "S",
+		"stime": 27,
+		"suser": "fedegc",
+		"tgid": 2346,
+		"tty": 0,
+		"utime": 138,
+		"vm_size": 275800
+	}, {
+		"argvs": "--kill-daemon",
+		"cmd": "/usr/libexec/ibus-x11",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-x11",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2350,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2718,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 2449,
+		"size": 49463,
+		"start_time": 16963,
+		"state": "S",
+		"stime": 24,
+		"suser": "fedegc",
+		"tgid": 2350,
+		"tty": 0,
+		"utime": 68,
+		"vm_size": 197852
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-portal",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-portal",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2353,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1605,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1471,
+		"size": 59124,
+		"start_time": 16965,
+		"state": "S",
+		"stime": 6,
+		"suser": "fedegc",
+		"tgid": 2353,
+		"tty": 0,
+		"utime": 24,
+		"vm_size": 236496
+	}, {
+		"argvs": "--use-gnome-session",
+		"cmd": "/usr/libexec/at-spi2-registryd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "at-spi2-registr",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2208,
+		"pid": 2364,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1741,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2208,
+		"sgroup": "fedegc",
+		"share": 1647,
+		"size": 40726,
+		"start_time": 16972,
+		"state": "S",
+		"stime": 206,
+		"suser": "fedegc",
+		"tgid": 2364,
+		"tty": 0,
+		"utime": 171,
+		"vm_size": 162904
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/xdg-permission-store",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "xdg-permission-",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2374,
+		"pid": 2374,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1029,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2374,
+		"sgroup": "fedegc",
+		"share": 1029,
+		"size": 58897,
+		"start_time": 16991,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2374,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 235588
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gnome-shell-calendar-server",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-shell-cal",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2023,
+		"pid": 2378,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1752,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1752,
+		"size": 145437,
+		"start_time": 16992,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 2378,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 581748
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-source-registry",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-sourc",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2389,
+		"pid": 2389,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2584,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2389,
+		"sgroup": "fedegc",
+		"share": 2357,
+		"size": 251280,
+		"start_time": 16998,
+		"state": "S",
+		"stime": 4,
+		"suser": "fedegc",
+		"tgid": 2389,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 1005120
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/dconf-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "dconf-service",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2023,
+		"pid": 2402,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1413,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 1251,
+		"size": 39121,
+		"start_time": 17017,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2402,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 156484
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-calendar-factory",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-calen",
+		"nice": 0,
+		"nlwp": 9,
+		"pgrp": 2414,
+		"pid": 2414,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2515,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2414,
+		"sgroup": "fedegc",
+		"share": 2289,
+		"size": 211823,
+		"start_time": 17027,
+		"state": "S",
+		"stime": 6,
+		"suser": "fedegc",
+		"tgid": 2414,
+		"tty": 0,
+		"utime": 13,
+		"vm_size": 847292
+	}, {
+		"argvs": "/usr/share/gnome-shell/org.gnome.Shell.Notifications",
+		"cmd": "/usr/bin/gjs",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gjs",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2023,
+		"pid": 2426,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2857,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 2857,
+		"size": 649630,
+		"start_time": 17044,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 2426,
+		"tty": 0,
+		"utime": 5,
+		"vm_size": 2598520
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-addressbook-factory",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-addre",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2441,
+		"pid": 2441,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1917,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2441,
+		"sgroup": "fedegc",
+		"share": 1850,
+		"size": 168400,
+		"start_time": 17054,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2441,
+		"tty": 0,
+		"utime": 6,
+		"vm_size": 673600
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-a11y-settings",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-a11y-settin",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2466,
+		"pid": 2466,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1427,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2466,
+		"sgroup": "fedegc",
+		"share": 1369,
+		"size": 77462,
+		"start_time": 17078,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2466,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 309848
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-color",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-color",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2468,
+		"pid": 2468,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2886,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2468,
+		"sgroup": "fedegc",
+		"share": 2525,
+		"size": 142077,
+		"start_time": 17078,
+		"state": "S",
+		"stime": 64,
+		"suser": "fedegc",
+		"tgid": 2468,
+		"tty": 0,
+		"utime": 136,
+		"vm_size": 568308
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-datetime",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-datetime",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2469,
+		"pid": 2469,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2181,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2469,
+		"sgroup": "fedegc",
+		"share": 2122,
+		"size": 93452,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2469,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 373808
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-housekeeping",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-housekeepin",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2470,
+		"pid": 2470,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1595,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2470,
+		"sgroup": "fedegc",
+		"share": 1498,
+		"size": 77997,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 186,
+		"suser": "fedegc",
+		"tgid": 2470,
+		"tty": 0,
+		"utime": 394,
+		"vm_size": 311988
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-keyboard",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-keyboard",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2471,
+		"pid": 2471,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2370,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2471,
+		"sgroup": "fedegc",
+		"share": 2216,
+		"size": 105012,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 21,
+		"suser": "fedegc",
+		"tgid": 2471,
+		"tty": 0,
+		"utime": 67,
+		"vm_size": 420048
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-media-keys",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-media-keys",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2472,
+		"pid": 2472,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 3039,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2472,
+		"sgroup": "fedegc",
+		"share": 2607,
+		"size": 225400,
+		"start_time": 17079,
+		"state": "S",
+		"stime": 47,
+		"suser": "fedegc",
+		"tgid": 2472,
+		"tty": 0,
+		"utime": 108,
+		"vm_size": 901600
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-power",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-power",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2474,
+		"pid": 2474,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2454,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2474,
+		"sgroup": "fedegc",
+		"share": 2240,
+		"size": 105165,
+		"start_time": 17082,
+		"state": "S",
+		"stime": 39,
+		"suser": "fedegc",
+		"tgid": 2474,
+		"tty": 0,
+		"utime": 86,
+		"vm_size": 420660
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-print-notifications",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-print-notif",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2479,
+		"pid": 2479,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1733,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2479,
+		"sgroup": "fedegc",
+		"share": 1602,
+		"size": 62112,
+		"start_time": 17083,
+		"state": "S",
+		"stime": 3,
+		"suser": "fedegc",
+		"tgid": 2479,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 248448
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-rfkill",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-rfkill",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2484,
+		"pid": 2484,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1411,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2484,
+		"sgroup": "fedegc",
+		"share": 1326,
+		"size": 114273,
+		"start_time": 17085,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2484,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 457092
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-screensaver-proxy",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-screensaver",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2486,
+		"pid": 2486,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1306,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2486,
+		"sgroup": "fedegc",
+		"share": 1289,
+		"size": 77308,
+		"start_time": 17086,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2486,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 309232
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/ibus-engine-simple",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "ibus-engine-sim",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2339,
+		"pid": 2495,
+		"ppid": 2339,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1488,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2259,
+		"sgroup": "fedegc",
+		"share": 1488,
+		"size": 40672,
+		"start_time": 17088,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2495,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 162688
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-sharing",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-sharing",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2496,
+		"pid": 2496,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1415,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2496,
+		"sgroup": "fedegc",
+		"share": 1306,
+		"size": 116210,
+		"start_time": 17089,
+		"state": "S",
+		"stime": 9,
+		"suser": "fedegc",
+		"tgid": 2496,
+		"tty": 0,
+		"utime": 34,
+		"vm_size": 464840
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-smartcard",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-smartcard",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2499,
+		"pid": 2499,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1486,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2499,
+		"sgroup": "fedegc",
+		"share": 1431,
+		"size": 78837,
+		"start_time": 17089,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2499,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 315348
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-sound",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-sound",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2504,
+		"pid": 2504,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1726,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2504,
+		"sgroup": "fedegc",
+		"share": 1683,
+		"size": 79885,
+		"start_time": 17091,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2504,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 319540
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-usb-protection",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-usb-protect",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2509,
+		"pid": 2509,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1460,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2509,
+		"sgroup": "fedegc",
+		"share": 1416,
+		"size": 114720,
+		"start_time": 17092,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2509,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 458880
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-wacom",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-wacom",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2514,
+		"pid": 2514,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2345,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2514,
+		"sgroup": "fedegc",
+		"share": 2156,
+		"size": 86333,
+		"start_time": 17093,
+		"state": "S",
+		"stime": 25,
+		"suser": "fedegc",
+		"tgid": 2514,
+		"tty": 0,
+		"utime": 69,
+		"vm_size": 345332
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-wwan",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-wwan",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2531,
+		"pid": 2531,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1413,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2531,
+		"sgroup": "fedegc",
+		"share": 1367,
+		"size": 96976,
+		"start_time": 17100,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 2531,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 387904
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/evolution-data-server/evolution-alarm-notify",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "evolution-alarm",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2243,
+		"pid": 2533,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 3818,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2676,
+		"size": 158764,
+		"start_time": 17101,
+		"state": "S",
+		"stime": 44,
+		"suser": "fedegc",
+		"tgid": 2533,
+		"tty": 0,
+		"utime": 106,
+		"vm_size": 635056
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-xsettings",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-xsettings",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2534,
+		"pid": 2534,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2494,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2534,
+		"sgroup": "fedegc",
+		"share": 2268,
+		"size": 86729,
+		"start_time": 17101,
+		"state": "S",
+		"stime": 26,
+		"suser": "fedegc",
+		"tgid": 2534,
+		"tty": 0,
+		"utime": 107,
+		"vm_size": 346916
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/x86_64-linux-gnu/indicator-messages/indicator-messages-service",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "indicator-messa",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2544,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1551,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 1551,
+		"size": 78345,
+		"start_time": 17110,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2544,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 313380
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-disk-utility-notify",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-disk-utilit",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2243,
+		"pid": 2552,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1534,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 1353,
+		"size": 57948,
+		"start_time": 17114,
+		"state": "S",
+		"stime": 1,
+		"suser": "fedegc",
+		"tgid": 2552,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 231792
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gsd-printer",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gsd-printer",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2479,
+		"pid": 2557,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1995,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2479,
+		"sgroup": "fedegc",
+		"share": 1884,
+		"size": 85546,
+		"start_time": 17117,
+		"state": "S",
+		"stime": 7,
+		"suser": "fedegc",
+		"tgid": 2557,
+		"tty": 0,
+		"utime": 13,
+		"vm_size": 342184
+	}, {
+		"argvs": "-n vmusr --blockFd 3",
+		"cmd": "/usr/bin/vmtoolsd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "vmtoolsd",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2243,
+		"pid": 2560,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 4262,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 3200,
+		"size": 73169,
+		"start_time": 17119,
+		"state": "S",
+		"stime": 7687,
+		"suser": "fedegc",
+		"tgid": 2560,
+		"tty": 0,
+		"utime": 13063,
+		"vm_size": 292676
+	}, {
+		"argvs": "",
+		"cmd": "zeitgeist-datahub",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-datah",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 3202,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2401,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 2116,
+		"size": 120440,
+		"start_time": 19095,
+		"state": "S",
+		"stime": 103,
+		"suser": "fedegc",
+		"tgid": 3202,
+		"tty": 0,
+		"utime": 159,
+		"vm_size": 481760
+	}, {
+		"argvs": "",
+		"cmd": "/usr/bin/zeitgeist-daemon",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-daemo",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3221,
+		"pid": 3221,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1861,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3221,
+		"sgroup": "fedegc",
+		"share": 1588,
+		"size": 96747,
+		"start_time": 19130,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 3221,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 386988
+	}, {
+		"argvs": "",
+		"cmd": "/usr/lib/zeitgeist/zeitgeist-fts",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "zeitgeist-fts",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3241,
+		"pid": 3241,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 2398,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3241,
+		"sgroup": "fedegc",
+		"share": 1823,
+		"size": 68182,
+		"start_time": 19155,
+		"state": "S",
+		"stime": 8,
+		"suser": "fedegc",
+		"tgid": 3241,
+		"tty": 0,
+		"utime": 30,
+		"vm_size": 272728
+	}, {
+		"argvs": "",
+		"cmd": "/opt/sublime_text/sublime_text",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "sublime_text",
+		"nice": 0,
+		"nlwp": 12,
+		"pgrp": 3412,
+		"pid": 3412,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 203653,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3412,
+		"sgroup": "fedegc",
+		"share": 11552,
+		"size": 603697,
+		"start_time": 19792,
+		"state": "S",
+		"stime": 20876,
+		"suser": "fedegc",
+		"tgid": 3412,
+		"tty": 0,
+		"utime": 117829,
+		"vm_size": 2414788
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gnome-terminal-server",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gnome-terminal-",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 3472,
+		"pid": 3472,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 12392,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3472,
+		"sgroup": "fedegc",
+		"share": 4688,
+		"size": 223160,
+		"start_time": 19963,
+		"state": "S",
+		"stime": 5431,
+		"suser": "fedegc",
+		"tgid": 3472,
+		"tty": 0,
+		"utime": 40365,
+		"vm_size": 892640
+	}, {
+		"argvs": "3412 --auto-shell-env",
+		"cmd": "/opt/sublime_text/plugin_host",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "plugin_host",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3412,
+		"pid": 3521,
+		"ppid": 3412,
+		"priority": 20,
+		"processor": 1,
+		"resident": 12663,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3412,
+		"sgroup": "fedegc",
+		"share": 1677,
+		"size": 78786,
+		"start_time": 20081,
+		"state": "S",
+		"stime": 305,
+		"suser": "fedegc",
+		"tgid": 3521,
+		"tty": 0,
+		"utime": 1234,
+		"vm_size": 315144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 3522,
+		"pid": 3522,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1433,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3522,
+		"sgroup": "fedegc",
+		"share": 691,
+		"size": 3102,
+		"start_time": 20082,
+		"state": "S",
+		"stime": 49,
+		"suser": "fedegc",
+		"tgid": 3522,
+		"tty": 34816,
+		"utime": 129,
+		"vm_size": 12408
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/gvfsd-metadata",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-metadata",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 3856,
+		"pid": 3856,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1481,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 3856,
+		"sgroup": "fedegc",
+		"share": 1336,
+		"size": 40543,
+		"start_time": 23095,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 3856,
+		"tty": 0,
+		"utime": 1,
+		"vm_size": 162172
+	}, {
+		"argvs": "",
+		"cmd": "update-notifier",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "update-notifier",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 3859,
+		"ppid": 2243,
+		"priority": 20,
+		"processor": 1,
+		"resident": 6884,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 4116,
+		"size": 183024,
+		"start_time": 23097,
+		"state": "S",
+		"stime": 189,
+		"suser": "fedegc",
+		"tgid": 3859,
+		"tty": 0,
+		"utime": 357,
+		"vm_size": 732096
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 4976,
+		"pid": 4976,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1114,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 4976,
+		"sgroup": "fedegc",
+		"share": 680,
+		"size": 2794,
+		"start_time": 98074,
+		"state": "S",
+		"stime": 5,
+		"suser": "fedegc",
+		"tgid": 4976,
+		"tty": 34817,
+		"utime": 9,
+		"vm_size": 11176
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 321811,
+		"pid": 321811,
+		"ppid": 3472,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1543,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 321811,
+		"sgroup": "fedegc",
+		"share": 777,
+		"size": 3107,
+		"start_time": 4119998,
+		"state": "S",
+		"stime": 13,
+		"suser": "fedegc",
+		"tgid": 321811,
+		"tty": 34818,
+		"utime": 28,
+		"vm_size": 12428
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/0",
+		"cmd": "/usr/libexec/gvfsd-trash",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-trash",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 321881,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1680,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1380,
+		"size": 78459,
+		"start_time": 4128015,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 321881,
+		"tty": 0,
+		"utime": 4,
+		"vm_size": 313836
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/1",
+		"cmd": "/usr/libexec/gvfsd-network",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-network",
+		"nice": 0,
+		"nlwp": 4,
+		"pgrp": 2044,
+		"pid": 321907,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1814,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1579,
+		"size": 78572,
+		"start_time": 4128043,
+		"state": "S",
+		"stime": 0,
+		"suser": "fedegc",
+		"tgid": 321907,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 314288
+	}, {
+		"argvs": "--spawner :1.3 /org/gtk/gvfs/exec_spaw/3",
+		"cmd": "/usr/libexec/gvfsd-dnssd",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "gvfsd-dnssd",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 2044,
+		"pid": 321921,
+		"ppid": 2044,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1730,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2044,
+		"sgroup": "fedegc",
+		"share": 1490,
+		"size": 78745,
+		"start_time": 4128381,
+		"state": "S",
+		"stime": 2,
+		"suser": "fedegc",
+		"tgid": 321921,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 314980
+	}, {
+		"argvs": "--autolaunch=569b76505dd64fc7a0c6ef023e2f2bcc --binary-syntax --close-stderr",
+		"cmd": "dbus-launch",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dbus-launch",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 323658,
+		"pid": 323663,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 483,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 323658,
+		"sgroup": "root",
+		"share": 372,
+		"size": 1849,
+		"start_time": 4332813,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 323663,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 7396
+	}, {
+		"argvs": "--syslog-only --fork --print-pid 5 --print-address 7 --session",
+		"cmd": "/usr/bin/dbus-daemon",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "dbus-daemon",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 323664,
+		"pid": 323664,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 583,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 323664,
+		"sgroup": "root",
+		"share": 480,
+		"size": 1867,
+		"start_time": 4332818,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 323664,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 7468
+	}, {
+		"argvs": "--gapplication-service",
+		"cmd": "/usr/bin/nautilus",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "nautilus",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 2023,
+		"pid": 520740,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 0,
+		"resident": 13843,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2023,
+		"sgroup": "fedegc",
+		"share": 5545,
+		"size": 333346,
+		"start_time": 9085836,
+		"state": "S",
+		"stime": 112,
+		"suser": "fedegc",
+		"tgid": 520740,
+		"tty": 0,
+		"utime": 695,
+		"vm_size": 1333384
+	}, {
+		"argvs": ".host:/ /mnt/hgfs -o subtype=vmhgfs-fuse,allow_other",
+		"cmd": "/usr/bin/vmhgfs-fuse",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "vmhgfs-fuse",
+		"nice": 0,
+		"nlwp": 6,
+		"pgrp": 539724,
+		"pid": 539724,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 603,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 539724,
+		"sgroup": "root",
+		"share": 239,
+		"size": 77314,
+		"start_time": 9188529,
+		"state": "S",
+		"stime": 25,
+		"suser": "root",
+		"tgid": 539724,
+		"tty": 0,
+		"utime": 55,
+		"vm_size": 309256
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "xfsalloc",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561037,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043329,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561037,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "xfs_mru_cache",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561041,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043329,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561041,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsIO",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561046,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043518,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561046,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsCommit",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561047,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043518,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561047,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsCommit",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561048,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043519,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561048,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "jfsSync",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 561049,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 10043519,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 561049,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "su",
+		"cmd": "sudo",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sudo",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597875,
+		"pid": 597875,
+		"ppid": 4976,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1105,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 911,
+		"size": 3050,
+		"start_time": 10435645,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 597875,
+		"tty": 34817,
+		"utime": 1,
+		"vm_size": 12200
+	}, {
+		"argvs": "",
+		"cmd": "su",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "su",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597875,
+		"pid": 597876,
+		"ppid": 597875,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1067,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 945,
+		"size": 2786,
+		"start_time": 10436242,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 597876,
+		"tty": 34817,
+		"utime": 0,
+		"vm_size": 11144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 597877,
+		"pid": 597877,
+		"ppid": 597876,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1090,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 4976,
+		"sgroup": "root",
+		"share": 898,
+		"size": 2544,
+		"start_time": 10436245,
+		"state": "S",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 597877,
+		"tty": 34817,
+		"utime": 4,
+		"vm_size": 10176
+	}, {
+		"argvs": "--fwdargv0 /usr/bin/subl /var/ossec/etc/ossec.conf",
+		"cmd": "/opt/sublime_text/sublime_text",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sublime_text",
+		"nice": 0,
+		"nlwp": 9,
+		"pgrp": 634523,
+		"pid": 634523,
+		"ppid": 2005,
+		"priority": 20,
+		"processor": 1,
+		"resident": 23599,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 634523,
+		"sgroup": "root",
+		"share": 8599,
+		"size": 226040,
+		"start_time": 12111972,
+		"state": "S",
+		"stime": 61,
+		"suser": "root",
+		"tgid": 634523,
+		"tty": 0,
+		"utime": 379,
+		"vm_size": 904160
+	}, {
+		"argvs": "634523 --auto-shell-env",
+		"cmd": "/opt/sublime_text/plugin_host",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "plugin_host",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 634523,
+		"pid": 634536,
+		"ppid": 634523,
+		"priority": 20,
+		"processor": 0,
+		"resident": 6064,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 634523,
+		"sgroup": "root",
+		"share": 2675,
+		"size": 37003,
+		"start_time": 12112031,
+		"state": "S",
+		"stime": 23,
+		"suser": "root",
+		"tgid": 634536,
+		"tty": 0,
+		"utime": 35,
+		"vm_size": 148012
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "loop14",
+		"nice": -20,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 643049,
+		"ppid": 2,
+		"priority": 0,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 13711814,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 643049,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "su",
+		"cmd": "sudo",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "sudo",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646484,
+		"pid": 646484,
+		"ppid": 3522,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1158,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 975,
+		"size": 3006,
+		"start_time": 14528172,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 646484,
+		"tty": 34816,
+		"utime": 1,
+		"vm_size": 12024
+	}, {
+		"argvs": "",
+		"cmd": "su",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "su",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646484,
+		"pid": 646485,
+		"ppid": 646484,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1069,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 947,
+		"size": 2786,
+		"start_time": 14528174,
+		"state": "S",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 646485,
+		"tty": 34816,
+		"utime": 0,
+		"vm_size": 11144
+	}, {
+		"argvs": "",
+		"cmd": "bash",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "bash",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 646488,
+		"pid": 646488,
+		"ppid": 646485,
+		"priority": 20,
+		"processor": 1,
+		"resident": 1072,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 3522,
+		"sgroup": "root",
+		"share": 897,
+		"size": 2515,
+		"start_time": 14528176,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 646488,
+		"tty": 34816,
+		"utime": 2,
+		"vm_size": 10060
+	}, {
+		"argvs": "",
+		"cmd": "/usr/libexec/fwupd/fwupd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "fwupd",
+		"nice": 0,
+		"nlwp": 5,
+		"pgrp": 651816,
+		"pid": 651816,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 1,
+		"resident": 9750,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 651816,
+		"sgroup": "root",
+		"share": 3612,
+		"size": 99812,
+		"start_time": 14826742,
+		"state": "S",
+		"stime": 23,
+		"suser": "root",
+		"tgid": 651816,
+		"tty": 0,
+		"utime": 36,
+		"vm_size": 399248
+	}, {
+		"argvs": "-l",
+		"cmd": "/usr/sbin/cupsd",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cupsd",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 652282,
+		"pid": 652282,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 1826,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 652282,
+		"sgroup": "root",
+		"share": 1387,
+		"size": 7167,
+		"start_time": 15138465,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 652282,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 28668
+	}, {
+		"argvs": "",
+		"cmd": "/usr/sbin/cups-browsed",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "cups-browsed",
+		"nice": 0,
+		"nlwp": 3,
+		"pgrp": 652284,
+		"pid": 652284,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2429,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 652284,
+		"sgroup": "root",
+		"share": 2031,
+		"size": 45166,
+		"start_time": 15138466,
+		"state": "S",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 652284,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 180664
+	}, {
+		"argvs": "",
+		"cmd": "/lib/systemd/systemd-resolved",
+		"egroup": "systemd-resolve",
+		"euser": "systemd-resolve",
+		"fgroup": "systemd-resolve",
+		"name": "systemd-resolve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 653225,
+		"pid": 653225,
+		"ppid": 1,
+		"priority": 20,
+		"processor": 0,
+		"resident": 2758,
+		"rgroup": "systemd-resolve",
+		"ruser": "systemd-resolve",
+		"session": 653225,
+		"sgroup": "systemd-resolve",
+		"share": 1696,
+		"size": 6061,
+		"start_time": 15142983,
+		"state": "S",
+		"stime": 4,
+		"suser": "systemd-resolve",
+		"tgid": 653225,
+		"tty": 0,
+		"utime": 3,
+		"vm_size": 24244
+	}, {
+		"argvs": "/usr/bin/update-manager --no-update --no-focus-on-map",
+		"cmd": "/usr/bin/python3",
+		"egroup": "fedegc",
+		"euser": "fedegc",
+		"fgroup": "fedegc",
+		"name": "update-manager",
+		"nice": 10,
+		"nlwp": 5,
+		"pgrp": 2243,
+		"pid": 653442,
+		"ppid": 2005,
+		"priority": 30,
+		"processor": 1,
+		"resident": 33850,
+		"rgroup": "fedegc",
+		"ruser": "fedegc",
+		"session": 2243,
+		"sgroup": "fedegc",
+		"share": 20747,
+		"size": 227088,
+		"start_time": 15151522,
+		"state": "S",
+		"stime": 20,
+		"suser": "fedegc",
+		"tgid": 653442,
+		"tty": 0,
+		"utime": 202,
+		"vm_size": 908352
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:1-cgr",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653617,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15172029,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 653617,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:2-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653689,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15216522,
+		"state": "I",
+		"stime": 12,
+		"suser": "root",
+		"tgid": 653689,
+		"tty": 0,
+		"utime": 2,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:2-rcu",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653714,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15229831,
+		"state": "I",
+		"stime": 37,
+		"suser": "root",
+		"tgid": 653714,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/0:0-eve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 653986,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 0,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15268845,
+		"state": "I",
+		"stime": 25,
+		"suser": "root",
+		"tgid": 653986,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:1-eve",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654011,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15287287,
+		"state": "I",
+		"stime": 41,
+		"suser": "root",
+		"tgid": 654011,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/1:3-rcu",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654012,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15287287,
+		"state": "I",
+		"stime": 0,
+		"suser": "root",
+		"tgid": 654012,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:0-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654114,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15288985,
+		"state": "I",
+		"stime": 8,
+		"suser": "root",
+		"tgid": 654114,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}, {
+		"argvs": "",
+		"cmd": "",
+		"egroup": "root",
+		"euser": "root",
+		"fgroup": "root",
+		"name": "kworker/u256:3-",
+		"nice": 0,
+		"nlwp": 1,
+		"pgrp": 0,
+		"pid": 654116,
+		"ppid": 2,
+		"priority": 20,
+		"processor": 1,
+		"resident": 0,
+		"rgroup": "root",
+		"ruser": "root",
+		"session": 0,
+		"sgroup": "root",
+		"share": 0,
+		"size": 0,
+		"start_time": 15288986,
+		"state": "I",
+		"stime": 1,
+		"suser": "root",
+		"tgid": 654116,
+		"tty": 0,
+		"utime": 0,
+		"vm_size": 0
+	}
+])"
+};
+
+constexpr auto diffResult
+{
+    R"(
+[
+  {
+    "argvs": "",
+    "cmd": "",
+    "egroup": "root",
+    "euser": "root",
+    "fgroup": "root",
+    "name": "irq/16-vmwgfx",
+    "nice": 0,
+    "nlwp": 1,
+    "pgrp": 0,
+    "pid": 380,
+    "ppid": 2,
+    "priority": -51,
+    "processor": 1,
+    "resident": 0,
+    "rgroup": "root",
+    "ruser": "root",
+    "session": 0,
+    "sgroup": "root",
+    "share": 0,
+    "size": 0,
+    "start_time": 457,
+    "state": "S",
+    "stime": 2652,
+    "suser": "root",
+    "tgid": 380,
+    "tty": 0,
+    "utime": 0,
+    "vm_size": 0
+  },
+  {
+    "argvs": "",
+    "cmd": "/usr/bin/containerd",
+    "egroup": "root",
+    "euser": "root",
+    "fgroup": "root",
+    "name": "containerd",
+    "nice": 0,
+    "nlwp": 11,
+    "pgrp": 1246,
+    "pid": 1246,
+    "ppid": 1,
+    "priority": 20,
+    "processor": 1,
+    "resident": 1987,
+    "rgroup": "root",
+    "ruser": "root",
+    "session": 1246,
+    "sgroup": "root",
+    "share": 456,
+    "size": 223969,
+    "start_time": 901,
+    "state": "S",
+    "stime": 17678,
+    "suser": "root",
+    "tgid": 1246,
+    "tty": 0,
+    "utime": 13568,
+    "vm_size": 895876
+  },
+  {
+    "argvs": "-core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch",
+    "cmd": "/usr/lib/xorg/Xorg",
+    "egroup": "root",
+    "euser": "root",
+    "fgroup": "root",
+    "name": "Xorg",
+    "nice": 0,
+    "nlwp": 6,
+    "pgrp": 1280,
+    "pid": 1280,
+    "ppid": 1269,
+    "priority": 20,
+    "processor": 1,
+    "resident": 28270,
+    "rgroup": "root",
+    "ruser": "root",
+    "session": 1280,
+    "sgroup": "root",
+    "share": 16127,
+    "size": 184920,
+    "start_time": 916,
+    "state": "S",
+    "stime": 37380,
+    "suser": "root",
+    "tgid": 1280,
+    "tty": 1031,
+    "utime": 229205,
+    "vm_size": 739680
+  },
+  {
+    "argvs": "",
+    "cmd": "/usr/bin/gnome-shell",
+    "egroup": "fedegc",
+    "euser": "fedegc",
+    "fgroup": "fedegc",
+    "name": "gnome-shell",
+    "nice": 0,
+    "nlwp": 11,
+    "pgrp": 2259,
+    "pid": 2259,
+    "ppid": 2005,
+    "priority": 20,
+    "processor": 0,
+    "resident": 45568,
+    "rgroup": "fedegc",
+    "ruser": "fedegc",
+    "session": 2259,
+    "sgroup": "fedegc",
+    "share": 14597,
+    "size": 1045228,
+    "start_time": 16818,
+    "state": "S",
+    "stime": 35207,
+    "suser": "fedegc",
+    "tgid": 2259,
+    "tty": 0,
+    "utime": 336505,
+    "vm_size": 4180912
+  },
+  {
+    "argvs": "",
+    "cmd": "/opt/sublime_text/sublime_text",
+    "egroup": "fedegc",
+    "euser": "fedegc",
+    "fgroup": "fedegc",
+    "name": "sublime_text",
+    "nice": 0,
+    "nlwp": 12,
+    "pgrp": 3412,
+    "pid": 3412,
+    "ppid": 2005,
+    "priority": 20,
+    "processor": 1,
+    "resident": 203653,
+    "rgroup": "fedegc",
+    "ruser": "fedegc",
+    "session": 3412,
+    "sgroup": "fedegc",
+    "share": 11552,
+    "size": 603697,
+    "start_time": 19792,
+    "state": "S",
+    "stime": 20876,
+    "suser": "fedegc",
+    "tgid": 3412,
+    "tty": 0,
+    "utime": 117829,
+    "vm_size": 2414788
+  },
+  {
+    "argvs": "",
+    "cmd": "/usr/libexec/gnome-terminal-server",
+    "egroup": "fedegc",
+    "euser": "fedegc",
+    "fgroup": "fedegc",
+    "name": "gnome-terminal-",
+    "nice": 0,
+    "nlwp": 5,
+    "pgrp": 3472,
+    "pid": 3472,
+    "ppid": 2005,
+    "priority": 20,
+    "processor": 0,
+    "resident": 12392,
+    "rgroup": "fedegc",
+    "ruser": "fedegc",
+    "session": 3472,
+    "sgroup": "fedegc",
+    "share": 4688,
+    "size": 223160,
+    "start_time": 19963,
+    "state": "S",
+    "stime": 5431,
+    "suser": "fedegc",
+    "tgid": 3472,
+    "tty": 0,
+    "utime": 40365,
+    "vm_size": 892640
+  },
+  {
+    "argvs": "",
+    "cmd": "bash",
+    "egroup": "fedegc",
+    "euser": "fedegc",
+    "fgroup": "fedegc",
+    "name": "bash",
+    "nice": 0,
+    "nlwp": 1,
+    "pgrp": 321811,
+    "pid": 321811,
+    "ppid": 3472,
+    "priority": 20,
+    "processor": 1,
+    "resident": 1543,
+    "rgroup": "fedegc",
+    "ruser": "fedegc",
+    "session": 321811,
+    "sgroup": "fedegc",
+    "share": 777,
+    "size": 3107,
+    "start_time": 4119998,
+    "state": "S",
+    "stime": 13,
+    "suser": "fedegc",
+    "tgid": 321811,
+    "tty": 34818,
+    "utime": 28,
+    "vm_size": 12428
+  },
+  {
+    "argvs": "--gapplication-service",
+    "cmd": "/usr/bin/nautilus",
+    "egroup": "fedegc",
+    "euser": "fedegc",
+    "fgroup": "fedegc",
+    "name": "nautilus",
+    "nice": 0,
+    "nlwp": 6,
+    "pgrp": 2023,
+    "pid": 520740,
+    "ppid": 2005,
+    "priority": 20,
+    "processor": 0,
+    "resident": 13843,
+    "rgroup": "fedegc",
+    "ruser": "fedegc",
+    "session": 2023,
+    "sgroup": "fedegc",
+    "share": 5545,
+    "size": 333346,
+    "start_time": 9085836,
+    "state": "S",
+    "stime": 112,
+    "suser": "fedegc",
+    "tgid": 520740,
+    "tty": 0,
+    "utime": 695,
+    "vm_size": 1333384
+  },
+  {
+    "argvs": "",
+    "cmd": "",
+    "egroup": "root",
+    "euser": "root",
+    "fgroup": "root",
+    "name": "kworker/u256:2-",
+    "nice": 0,
+    "nlwp": 1,
+    "pgrp": 0,
+    "pid": 653689,
+    "ppid": 2,
+    "priority": 20,
+    "processor": 1,
+    "resident": 0,
+    "rgroup": "root",
+    "ruser": "root",
+    "session": 0,
+    "sgroup": "root",
+    "share": 0,
+    "size": 0,
+    "start_time": 15216522,
+    "state": "I",
+    "stime": 12,
+    "suser": "root",
+    "tgid": 653689,
+    "tty": 0,
+    "utime": 2,
+    "vm_size": 0
+  },
+  {
+    "argvs": "",
+    "cmd": "",
+    "egroup": "root",
+    "euser": "root",
+    "fgroup": "root",
+    "name": "kworker/1:1-eve",
+    "nice": 0,
+    "nlwp": 1,
+    "pgrp": 0,
+    "pid": 654011,
+    "ppid": 2,
+    "priority": 20,
+    "processor": 1,
+    "resident": 0,
+    "rgroup": "root",
+    "ruser": "root",
+    "session": 0,
+    "sgroup": "root",
+    "share": 0,
+    "size": 0,
+    "start_time": 15287287,
+    "state": "I",
+    "stime": 41,
+    "suser": "root",
+    "tgid": 654011,
+    "tty": 0,
+    "utime": 0,
+    "vm_size": 0
+  }
+])"
+};
+
+#endif //TEST_INPUTS_H
diff --git a/src/common/dbsync/tests/mocks/sqlitefactory_mock.h b/src/common/dbsync/tests/mocks/sqlitefactory_mock.h
new file mode 100644
index 0000000000..41ed10c701
--- /dev/null
+++ b/src/common/dbsync/tests/mocks/sqlitefactory_mock.h
@@ -0,0 +1,36 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _MOCKSQLITEFACTORY_TEST_H
+#define _MOCKSQLITEFACTORY_TEST_H
+
+#include <gmock/gmock.h>
+#include <string>
+#include "sqlite/sqlite_wrapper_factory.h"
+
+class MockSQLiteFactory : public ISQLiteFactory
+{
+    public:
+        MOCK_METHOD(std::shared_ptr<SQLite::IConnection>,
+                    createConnection,
+                    (const std::string& path),
+                    (override));
+        MOCK_METHOD(std::unique_ptr<SQLite::ITransaction>,
+                    createTransaction,
+                    (std::shared_ptr<SQLite::IConnection>& connection),
+                    (override));
+        MOCK_METHOD(std::unique_ptr<SQLite::IStatement>,
+                    createStatement,
+                    (std::shared_ptr<SQLite::IConnection>& connection,
+                     const std::string& query), (override));
+};
+
+#endif //_MOCKSQLITEFACTORY_TEST_H
\ No newline at end of file
diff --git a/src/common/dbsync/tests/mocks/sqlitewrapper_mock.h b/src/common/dbsync/tests/mocks/sqlitewrapper_mock.h
new file mode 100644
index 0000000000..d258b4a387
--- /dev/null
+++ b/src/common/dbsync/tests/mocks/sqlitewrapper_mock.h
@@ -0,0 +1,143 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _MOCKSQLITEWRAPPER_TEST_H
+#define _MOCKSQLITEWRAPPER_TEST_H
+
+#include <gmock/gmock.h>
+#include <string>
+#include "sqlite/isqlite_wrapper.h"
+
+class MockConnection : public SQLite::IConnection
+{
+    public:
+        MockConnection() = default;
+        virtual ~MockConnection() = default;
+        MOCK_METHOD(void,
+                    close,
+                    (),
+                    (override));
+        MOCK_METHOD(void,
+                    execute,
+                    (const std::string& query),
+                    (override));
+        MOCK_METHOD(int64_t,
+                    changes,
+                    (),
+                    (const override));
+        MOCK_METHOD(const std::shared_ptr<sqlite3>&,
+                    db,
+                    (),
+                    (const override));
+
+};
+
+class MockTransaction : public SQLite::ITransaction
+{
+    public:
+        MOCK_METHOD(void,
+                    commit,
+                    (),
+                    (override));
+        MOCK_METHOD(void,
+                    rollback,
+                    (),
+                    (override));
+};
+
+class MockColumn : public SQLite::IColumn
+{
+    public:
+        MOCK_METHOD(bool,
+                    hasValue,
+                    (),
+                    (const override));
+        MOCK_METHOD(int32_t,
+                    type,
+                    (),
+                    (const override));
+        MOCK_METHOD(std::string,
+                    name,
+                    (),
+                    (const override));
+        MOCK_METHOD(int32_t,
+                    value,
+                    (const int32_t&),
+                    (const override));
+        MOCK_METHOD(uint64_t,
+                    value,
+                    (const uint64_t&),
+                    (const override));
+        MOCK_METHOD(int64_t,
+                    value,
+                    (const int64_t&),
+                    (const override));
+        MOCK_METHOD(std::string,
+                    value,
+                    (const std::string&),
+                    (const override));
+        MOCK_METHOD(double_t,
+                    value,
+                    (const double_t&),
+                    (const override));
+};
+
+class MockStatement : public SQLite::IStatement
+{
+    public:
+        MockStatement() = default;
+        virtual ~MockStatement() = default;
+        MOCK_METHOD(int32_t,
+                    step,
+                    (),
+                    (override));
+        MOCK_METHOD(void,
+                    bind,
+                    (const int32_t index, const int32_t value),
+                    (override));
+        MOCK_METHOD(void,
+                    bind,
+                    (const int32_t index, const uint64_t value),
+                    (override));
+        MOCK_METHOD(void,
+                    bind,
+                    (const int32_t index, const int64_t value),
+                    (override));
+        MOCK_METHOD(void,
+                    bind,
+                    (const int32_t index, const std::string& value),
+                    (override));
+        MOCK_METHOD(void,
+                    bind,
+                    (const int32_t index, const double_t value),
+                    (override));
+
+        MOCK_METHOD(std::string,
+                    expand,
+                    (),
+                    (override));
+
+        MOCK_METHOD(std::unique_ptr<SQLite::IColumn>,
+                    column,
+                    (const int32_t index),
+                    (override));
+
+        MOCK_METHOD(void,
+                    reset,
+                    (),
+                    (override));
+        MOCK_METHOD(int,
+                    columnsCount,
+                    (),
+                    (const override));
+};
+
+#endif //_MOCKSQLITEWRAPPER_TEST_H
diff --git a/src/common/dbsync/tests/pipelineFactory/CMakeLists.txt b/src/common/dbsync/tests/pipelineFactory/CMakeLists.txt
new file mode 100644
index 0000000000..7dc559e83a
--- /dev/null
+++ b/src/common/dbsync/tests/pipelineFactory/CMakeLists.txt
@@ -0,0 +1,59 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbsyncPipelineFactory_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+include_directories(${CMAKE_SOURCE_DIR}/utils/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+
+file(GLOB PIPELINE_FACTORY_UNITTEST_SRC
+    "*.cpp")
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+file(GLOB PIPELINE_FACTORY_SRC
+    "${CMAKE_SOURCE_DIR}/src/*.cpp"
+    "${CMAKE_SOURCE_DIR}/src/sqlite/*.cpp")
+
+add_executable(dbsyncPipelineFactory_unit_test 
+    ${PIPELINE_FACTORY_UNITTEST_SRC}
+    ${PIPELINE_FACTORY_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(dbsyncPipelineFactory_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(dbsyncPipelineFactory_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+
+add_test(NAME dbsyncPipelineFactory_unit_test
+         COMMAND dbsyncPipelineFactory_unit_test)
diff --git a/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.cpp b/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.cpp
new file mode 100644
index 0000000000..654fd3d2a1
--- /dev/null
+++ b/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.cpp
@@ -0,0 +1,289 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <iostream>
+#include "dbsync_implementation.h"
+#include "dbsyncPipelineFactory.h"
+#include "dbsyncPipelineFactory_test.h"
+#include "db_exception.h"
+
+constexpr auto DATABASE_TEMP {"TEMP.db"};
+
+using namespace DbSync;
+
+
+
+void DBSyncPipelineFactoryTest::SetUp()
+{
+    const auto sql{ "CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `tid` BIGINT, PRIMARY KEY (`pid`)) WITHOUT ROWID;"};
+    m_dbHandle = DBSyncImplementation::instance().initialize(HostType::AGENT, DbEngineType::SQLITE3, DATABASE_TEMP, sql, DbManagement::VOLATILE, {});
+};
+
+void DBSyncPipelineFactoryTest::TearDown()
+{
+    m_pipelineFactory.release();
+    DBSyncImplementation::instance().release();
+};
+
+class CallbackWrapper
+{
+    public:
+        CallbackWrapper() = default;
+        ~CallbackWrapper() = default;
+        MOCK_METHOD(void, callback, (ReturnTypeCallback result_type, const nlohmann::json&), ());
+};
+
+TEST_F(DBSyncPipelineFactoryTest, CreatePipelineOk)
+{
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 1000 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+        [](ReturnTypeCallback, const nlohmann::json&) {})
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    ASSERT_NE(nullptr, m_pipelineFactory.pipeline(pipeHandle));
+}
+
+TEST_F(DBSyncPipelineFactoryTest, CreatePipelineInvalidHandle)
+{
+    const DBSYNC_HANDLE handle{ nullptr };
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const unsigned int threadNumber{ 1 };
+    const unsigned int maxQueueSize{ 1000 };
+    EXPECT_THROW(m_pipelineFactory.create(handle, json["tables"], threadNumber, maxQueueSize,
+    [](ReturnTypeCallback, const nlohmann::json&) {}), DbSync::dbsync_error);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, CreatePipelineInvalidTxnContext)
+{
+    const auto& json{ nlohmann::json::parse(R"({"tables": [""]})") };
+    const unsigned int threadNumber{ 1 };
+    const unsigned int maxQueueSize{ 1000 };
+    EXPECT_THROW
+    (
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+    [](ReturnTypeCallback, const nlohmann::json&) {}),
+    DbSync::dbsync_error
+    );
+}
+
+TEST_F(DBSyncPipelineFactoryTest, CreatePipelineInvalidCallback)
+{
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const unsigned int threadNumber{ 1 };
+    const unsigned int maxQueueSize{ 1000 };
+    EXPECT_THROW(m_pipelineFactory.create(m_dbHandle, json["tables"], threadNumber, maxQueueSize, nullptr), DbSync::dbsync_error);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, GetPipelineInvalidTxnContext)
+{
+    EXPECT_THROW
+    (
+        m_pipelineFactory.pipeline(nullptr),
+        DbSync::dbsync_error
+    );
+}
+
+TEST_F(DBSyncPipelineFactoryTest, PipelineSyncRowInvalidData)
+{
+    CallbackWrapper wrapper;
+    const auto& jsonInputNoTable{ R"({"data":[{"name":"System","pid":4,"tid":100}],"exception":"[json.exception.out_of_range.403] key 'table' not found"})"};
+    const auto& jsonInputNoData{ R"({"exception":"[json.exception.out_of_range.403] key 'data' not found","table":"processes"})"};
+    const auto resultFnc
+    {
+        [&wrapper](ReturnTypeCallback resultType, const nlohmann::json & result)
+        {
+            wrapper.callback(resultType, result);
+        }
+    };
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 1000 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+                                 resultFnc)
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    EXPECT_CALL(wrapper, callback(DB_ERROR, nlohmann::json::parse(jsonInputNoTable))).Times(1);
+    EXPECT_CALL(wrapper, callback(DB_ERROR, nlohmann::json::parse(jsonInputNoData))).Times(1);
+    const auto pipeline{ m_pipelineFactory.pipeline(pipeHandle) };
+    pipeline->syncRow(nlohmann::json::parse(jsonInputNoTable));
+    pipeline->syncRow(nlohmann::json::parse(jsonInputNoData));
+    pipeline->getDeleted(nullptr);
+    m_pipelineFactory.destroy(pipeHandle);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, PipelineSyncRow)
+{
+    CallbackWrapper wrapper;
+    const auto& jsonInput{ R"({"table":"processes","data":[{"pid":4, "tid":100, "name":"System"}]})"};
+    const auto& jsonInput1{ R"({"table":"processes","data":[{"pid":4, "tid":101, "name":"System1"}]})"};
+    const auto& jsonInput2{ R"({"table":"processes","data":[{"pid":4, "tid":102}]})"};
+    const auto resultFnc
+    {
+        [&wrapper](ReturnTypeCallback resultType, const nlohmann::json & result)
+        {
+            wrapper.callback(resultType, result);
+        }
+    };
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 1000 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+                                 resultFnc)
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    const auto pipeline{ m_pipelineFactory.pipeline(pipeHandle) };
+    EXPECT_CALL(wrapper, callback(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System","tid":100})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(MODIFIED, nlohmann::json::parse(R"({"pid":4,"name":"System1","tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(MODIFIED, nlohmann::json::parse(R"({"pid":4,"tid":102})"))).Times(1);
+    pipeline->syncRow(nlohmann::json::parse(jsonInput));
+    pipeline->syncRow(nlohmann::json::parse(jsonInput));
+    pipeline->syncRow(nlohmann::json::parse(jsonInput1));
+    pipeline->syncRow(nlohmann::json::parse(jsonInput1));
+    pipeline->syncRow(nlohmann::json::parse(jsonInput2));
+    pipeline->syncRow(nlohmann::json::parse(jsonInput2));
+    pipeline->getDeleted(nullptr);
+    m_pipelineFactory.destroy(pipeHandle);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, PipelineSyncRowMaxQueueSize)
+{
+    CallbackWrapper wrapper;
+    const auto& jsonInput{ R"({"table":"processes","data":[{"pid":4, "tid":100, "name":"System"}]})"};
+    const auto resultFnc
+    {
+        [&wrapper](ReturnTypeCallback resultType, const nlohmann::json & result)
+        {
+            wrapper.callback(resultType, result);
+        }
+    };
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 0 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+                                 resultFnc)
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    const auto pipeline{ m_pipelineFactory.pipeline(pipeHandle) };
+    EXPECT_CALL(wrapper, callback(INSERTED, nlohmann::json::parse(R"({"pid":4,"name":"System","tid":100})"))).Times(1);
+    pipeline->syncRow(nlohmann::json::parse(jsonInput));
+    pipeline->getDeleted(nullptr);
+    m_pipelineFactory.destroy(pipeHandle);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, PipelineSyncRowAndGetDeleted)
+{
+    CallbackWrapper wrapper;
+    const auto& jsonInputNoTxn{ R"({"table":"processes","data":[{"pid":4, "tid":100, "name":"System"},{"pid":5, "tid":101, "name":"System1"},{"pid":7, "tid":101, "name":"System7"}]})"};
+    const auto& jsonInputTxn1{ R"({"table":"processes","data":[{"pid":4, "tid":101, "name":"System"}]})"};
+    const auto& jsonInputTxn2{ R"({"table":"processes","data":[{"pid":6, "tid":105, "name":"System2"}]})"};
+    const auto resultFnc
+    {
+        [&wrapper](ReturnTypeCallback resultType, const nlohmann::json & result)
+        {
+            wrapper.callback(resultType, result);
+        }
+    };
+    EXPECT_CALL(wrapper, callback(MODIFIED, nlohmann::json::parse(R"({"name":"System","pid":4,"tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System2","tid":105})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(DELETED, nlohmann::json::parse(R"({"name":"System1","pid":5,"tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(DELETED, nlohmann::json::parse(R"({"name":"System7","pid":7,"tid":101})"))).Times(1);
+    DBSyncImplementation::instance().syncRowData(m_dbHandle, nlohmann::json::parse(jsonInputNoTxn), nullptr);
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 1000 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+                                 resultFnc)
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    const auto pipeline{ m_pipelineFactory.pipeline(pipeHandle) };
+    pipeline->syncRow(nlohmann::json::parse(jsonInputTxn1));
+    pipeline->syncRow(nlohmann::json::parse(jsonInputTxn2));
+    pipeline->getDeleted(resultFnc);
+    m_pipelineFactory.destroy(pipeHandle);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, PipelineSyncRowAndGetDeletedSameData)
+{
+    CallbackWrapper wrapper;
+    const auto& jsonInputNoTxn{ R"({"table":"processes","data":[{"pid":4, "tid":100, "name":"System"},{"pid":5, "tid":101, "name":"System1"},{"pid":7, "tid":101, "name":"System7"}]})"};
+    const auto& jsonInputTxn1{ R"({"table":"processes","data":[{"pid":4, "tid":101, "name":"System"}]})"};
+    const auto& jsonInputTxn2{ R"({"table":"processes","data":[{"pid":5, "tid":101, "name":"System1"}]})"};
+    const auto& jsonInputTxn3{ R"({"table":"processes","data":[{"pid":6, "tid":105, "name":"System2"}]})"};
+    const auto resultFnc
+    {
+        [&wrapper](ReturnTypeCallback resultType, const nlohmann::json & result)
+        {
+            wrapper.callback(resultType, result);
+        }
+    };
+    EXPECT_CALL(wrapper, callback(MODIFIED, nlohmann::json::parse(R"({"name":"System","pid":4,"tid":101})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(INSERTED, nlohmann::json::parse(R"({"pid":6,"name":"System2","tid":105})"))).Times(1);
+    EXPECT_CALL(wrapper, callback(DELETED, nlohmann::json::parse(R"({"name":"System7","pid":7,"tid":101})"))).Times(1);
+    DBSyncImplementation::instance().syncRowData(m_dbHandle, nlohmann::json::parse(jsonInputNoTxn), nullptr);
+    const auto& json{ nlohmann::json::parse(R"({"tables": ["processes"]})") };
+    const int threadNumber{ 1 };
+    const int maxQueueSize{ 1000 };
+    const auto pipeHandle
+    {
+        m_pipelineFactory.create(m_dbHandle,
+                                 json["tables"],
+                                 threadNumber,
+                                 maxQueueSize,
+                                 resultFnc)
+    };
+    ASSERT_NE(nullptr, pipeHandle);
+    const auto pipeline{ m_pipelineFactory.pipeline(pipeHandle) };
+    pipeline->syncRow(nlohmann::json::parse(jsonInputTxn1));
+    pipeline->syncRow(nlohmann::json::parse(jsonInputTxn2));
+    pipeline->syncRow(nlohmann::json::parse(jsonInputTxn3));
+    pipeline->getDeleted(resultFnc);
+    m_pipelineFactory.destroy(pipeHandle);
+}
+
+TEST_F(DBSyncPipelineFactoryTest, DestroyInvalidPipeline)
+{
+    EXPECT_THROW
+    (
+        m_pipelineFactory.destroy(nullptr),
+        DbSync::dbsync_error
+    );
+}
diff --git a/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.h b/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.h
new file mode 100644
index 0000000000..8e2f4706e4
--- /dev/null
+++ b/src/common/dbsync/tests/pipelineFactory/dbsyncPipelineFactory_test.h
@@ -0,0 +1,31 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef DBSYNC_PIPELINE_FACTORY_TESTS_H
+#define DBSYNC_PIPELINE_FACTORY_TESTS_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class DBSyncPipelineFactoryTest : public ::testing::Test
+{
+    protected:
+
+        DBSyncPipelineFactoryTest()
+            : m_pipelineFactory{DbSync::PipelineFactory::instance()}
+            , m_dbHandle{ nullptr }
+        {}
+        virtual ~DBSyncPipelineFactoryTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+        DbSync::PipelineFactory& m_pipelineFactory;
+        DBSYNC_HANDLE m_dbHandle;
+};
+#endif //DBSYNC_PIPELINE_FACTORY_TESTS_H
\ No newline at end of file
diff --git a/src/common/dbsync/tests/pipelineFactory/main.cpp b/src/common/dbsync/tests/pipelineFactory/main.cpp
new file mode 100644
index 0000000000..d6fc27ef1c
--- /dev/null
+++ b/src/common/dbsync/tests/pipelineFactory/main.cpp
@@ -0,0 +1,18 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 16, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/dbsync/tests/sqlite/CMakeLists.txt b/src/common/dbsync/tests/sqlite/CMakeLists.txt
new file mode 100644
index 0000000000..d0811739cb
--- /dev/null
+++ b/src/common/dbsync/tests/sqlite/CMakeLists.txt
@@ -0,0 +1,51 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sqlite_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${CMAKE_SOURCE_DIR}/src/sqlite/)
+file(GLOB SQLITE_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SQLITE_SRC
+    "${CMAKE_SOURCE_DIR}/src/sqlite/sqlite_wrapper.cpp")
+
+add_executable(sqlite_unit_test
+    ${SQLITE_UNIT_TEST_SRC}
+    ${SQLITE_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(sqlite_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(sqlite_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME sqlite_unit_test
+         COMMAND sqlite_unit_test)
diff --git a/src/common/dbsync/tests/sqlite/main.cpp b/src/common/dbsync/tests/sqlite/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/dbsync/tests/sqlite/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/dbsync/tests/sqlite/sqlite_test.cpp b/src/common/dbsync/tests/sqlite/sqlite_test.cpp
new file mode 100644
index 0000000000..776bae6898
--- /dev/null
+++ b/src/common/dbsync/tests/sqlite/sqlite_test.cpp
@@ -0,0 +1,278 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 20, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sqlite_test.h"
+#include "sqlite_wrapper.h"
+#include "db_exception.h"
+
+constexpr auto TEMP_TEST_DB_PATH {"temp_test.db"};
+constexpr auto TEMP_DB_PATH {"temp.db"};
+
+void SQLiteTest::SetUp() {};
+
+void SQLiteTest::TearDown()
+{
+    std::remove(TEMP_TEST_DB_PATH);
+    std::remove(TEMP_DB_PATH);
+};
+using ::testing::_;
+using ::testing::Return;
+using namespace SQLite;
+using namespace DbSync;
+
+class ConnectionWrapper: public IConnection
+{
+    public:
+        ConnectionWrapper() = default;
+        ~ConnectionWrapper() = default;
+        MOCK_METHOD(void, execute, (const std::string&), (override));
+        MOCK_METHOD(void, close, (), (override));
+        MOCK_METHOD(int64_t, changes, (), (const override));
+        MOCK_METHOD((const std::shared_ptr<sqlite3>&), db, (), (const override));
+};
+
+
+TEST_F(SQLiteTest, ConnectionCtor)
+{
+    Connection connectionDefault;
+    EXPECT_NE(nullptr, connectionDefault.db().get());
+    Connection connectionPath{TEMP_TEST_DB_PATH};
+    EXPECT_NE(nullptr, connectionPath.db().get());
+}
+
+TEST_F(SQLiteTest, ConnectionClose)
+{
+    Connection connectionDefault;
+    connectionDefault.close();
+    EXPECT_EQ(nullptr, connectionDefault.db().get());
+    EXPECT_THROW(connectionDefault.execute("BEGIN TRANSACTION"), sqlite_error);
+}
+
+TEST_F(SQLiteTest, ConnectionExecute)
+{
+    Connection connectionDefault;
+    EXPECT_NO_THROW(connectionDefault.execute("BEGIN TRANSACTION"));
+    EXPECT_THROW(connectionDefault.execute("WRONG STATEMENT"), sqlite_error);
+    EXPECT_NO_THROW(connectionDefault.execute("ROLLBACK TRANSACTION"));
+}
+TEST_F(SQLiteTest, TransactionCtorDtorSuccess)
+{
+    ConnectionWrapper* pConnection{ new ConnectionWrapper };
+    std::shared_ptr<IConnection> spConnection{ pConnection };
+    EXPECT_CALL(*pConnection, execute("BEGIN TRANSACTION"));
+    EXPECT_CALL(*pConnection, execute("ROLLBACK TRANSACTION"));
+    Transaction transaction{spConnection};
+    EXPECT_FALSE(transaction.isCommited());
+    EXPECT_FALSE(transaction.isRolledBack());
+}
+
+TEST_F(SQLiteTest, TransactionCommitSuccess)
+{
+    ConnectionWrapper* pConnection{ new ConnectionWrapper };
+    std::shared_ptr<IConnection> spConnection{ pConnection };
+    EXPECT_CALL(*pConnection, execute("BEGIN TRANSACTION"));
+    EXPECT_CALL(*pConnection, execute("COMMIT TRANSACTION")).Times(1);
+    EXPECT_CALL(*pConnection, execute("ROLLBACK TRANSACTION")).Times(0);
+    Transaction transaction{spConnection};
+    EXPECT_NO_THROW(transaction.commit());
+    EXPECT_TRUE(transaction.isCommited());
+    EXPECT_FALSE(transaction.isRolledBack());
+}
+
+TEST_F(SQLiteTest, TransactionCommitCantRollBack)
+{
+    ConnectionWrapper* pConnection{ new ConnectionWrapper };
+    std::shared_ptr<IConnection> spConnection{ pConnection };
+    EXPECT_CALL(*pConnection, execute("BEGIN TRANSACTION"));
+    EXPECT_CALL(*pConnection, execute("COMMIT TRANSACTION")).Times(1);
+    EXPECT_CALL(*pConnection, execute("ROLLBACK TRANSACTION")).Times(0);
+    Transaction transaction{spConnection};
+    EXPECT_NO_THROW(transaction.commit());
+    EXPECT_NO_THROW(transaction.rollback());
+    EXPECT_TRUE(transaction.isCommited());
+    EXPECT_FALSE(transaction.isRolledBack());
+}
+
+TEST_F(SQLiteTest, TransactionRollBack)
+{
+    ConnectionWrapper* pConnection{ new ConnectionWrapper };
+    std::shared_ptr<IConnection> spConnection{ pConnection };
+    EXPECT_CALL(*pConnection, execute("BEGIN TRANSACTION"));
+    EXPECT_CALL(*pConnection, execute("ROLLBACK TRANSACTION")).Times(1);
+    Transaction transaction{spConnection};
+    EXPECT_NO_THROW(transaction.rollback());
+    EXPECT_TRUE(transaction.isRolledBack());
+    EXPECT_FALSE(transaction.isCommited());
+}
+
+TEST_F(SQLiteTest, TransactionCantCommitAfterRollBack)
+{
+    ConnectionWrapper* pConnection{ new ConnectionWrapper };
+    std::shared_ptr<IConnection> spConnection{ pConnection };
+    EXPECT_CALL(*pConnection, execute("BEGIN TRANSACTION"));
+    EXPECT_CALL(*pConnection, execute("ROLLBACK TRANSACTION")).Times(1);
+    Transaction transaction{spConnection};
+    EXPECT_NO_THROW(transaction.rollback());
+    EXPECT_NO_THROW(transaction.commit());
+    EXPECT_TRUE(transaction.isRolledBack());
+    EXPECT_FALSE(transaction.isCommited());
+}
+
+TEST_F(SQLiteTest, StatementCtorSuccess)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    Statement stmt{spConnection, "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT);"};
+}
+
+TEST_F(SQLiteTest, StatementCtorFailure)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    EXPECT_THROW(Statement stmt(spConnection, "WRONG STATEMENT"), sqlite_error);
+}
+
+TEST_F(SQLiteTest, StatementStep)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    Statement stmt{spConnection, "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT);"};
+    EXPECT_TRUE(stmt.step());
+    stmt.reset();
+    EXPECT_THROW(stmt.step(), sqlite_error);
+}
+
+TEST_F(SQLiteTest, StatementBindInt)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    Statement createStmt
+    {
+        spConnection,
+        "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT, Colum3 BIGINT, Colum4 BIGINT, Colum5 FLOAT);"
+    };
+    EXPECT_NO_THROW(createStmt.step());
+    Statement insertStmt
+    {
+        spConnection,
+        R"(INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (?,?,?,?,?);)"
+    };
+    EXPECT_NO_THROW(insertStmt.bind(1, 1));
+    EXPECT_NO_THROW(insertStmt.bind(2, "1"));
+    EXPECT_NO_THROW(insertStmt.bind(3, int64_t{1l}));
+    EXPECT_NO_THROW(insertStmt.bind(4, uint64_t{1lu}));
+    EXPECT_NO_THROW(insertStmt.bind(5, double_t{1.0}));
+    EXPECT_TRUE(insertStmt.step());
+    insertStmt.reset();
+    EXPECT_NO_THROW(insertStmt.bind(1, 2));
+    EXPECT_NO_THROW(insertStmt.bind(2, "2"));
+    EXPECT_NO_THROW(insertStmt.bind(3, int64_t{2l}));
+    EXPECT_NO_THROW(insertStmt.bind(4, uint64_t{2lu}));
+    EXPECT_NO_THROW(insertStmt.bind(5, double_t{2.0}));
+    EXPECT_TRUE(insertStmt.step());
+}
+
+
+TEST_F(SQLiteTest, ColumnCtor)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    Statement createStmt
+    {
+        spConnection,
+        "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT, Colum3 BIGINT, Colum4 BIGINT, Colum5 FLOAT);"
+    };
+    EXPECT_TRUE(createStmt.step());
+    Statement insertStmt
+    {
+        spConnection, R"(INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (?,?,?,?,?);)"
+    };
+    auto spColumn{ insertStmt.column(1) };
+    EXPECT_FALSE(spColumn->hasValue());
+}
+
+
+TEST_F(SQLiteTest, ColumnValue)
+{
+    std::shared_ptr<IConnection> spConnection{ new Connection };
+    Statement createStmt
+    {
+        spConnection,
+        R"(CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT, Colum3 BIGINT, Colum4 BIGINT, Colum5 FLOAT);)"
+    };
+    EXPECT_TRUE(createStmt.step());
+    Statement insertStmt
+    {
+        spConnection, R"(INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5)  VALUES (1,"some text",2,3,4.0);)"
+    };
+    EXPECT_TRUE(insertStmt.step());
+    Statement selectStmt
+    {
+        spConnection, R"(SELECT * FROM test_table;)"
+    };
+    EXPECT_TRUE(selectStmt.step());
+    auto spColumn1{ selectStmt.column(0) };
+    EXPECT_TRUE(spColumn1->hasValue());
+    EXPECT_EQ(1, spColumn1->value(int32_t{}));
+    EXPECT_EQ(SQLITE_INTEGER, spColumn1->type());
+
+    auto spColumn2{ selectStmt.column(1) };
+    EXPECT_TRUE(spColumn2->hasValue());
+    EXPECT_EQ("some text", spColumn2->value(std::string{}));
+    EXPECT_EQ(SQLITE3_TEXT, spColumn2->type());
+
+    auto spColumn3{ selectStmt.column(2) };
+    EXPECT_TRUE(spColumn3->hasValue());
+    EXPECT_EQ(2l, spColumn3->value(int64_t{}));
+    EXPECT_EQ(SQLITE_INTEGER, spColumn3->type());
+
+    auto spColumn4{ selectStmt.column(3) };
+    EXPECT_TRUE(spColumn4->hasValue());
+    EXPECT_EQ(3lu, spColumn4->value(uint64_t{}));
+    EXPECT_EQ(SQLITE_INTEGER, spColumn4->type());
+
+    auto spColumn5{ selectStmt.column(4) };
+    EXPECT_TRUE(spColumn5->hasValue());
+    EXPECT_DOUBLE_EQ(4.0, spColumn5->value(double_t{}));
+    EXPECT_EQ(SQLITE_FLOAT, spColumn5->type());
+}
+
+TEST_F(SQLiteTest, StatementExpand)
+{
+    std::shared_ptr<IConnection> spConnection = std::make_shared<Connection>();
+    Statement createStmt
+    {
+        spConnection,
+        "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT, Colum3 BIGINT, Colum4 BIGINT, Colum5 FLOAT);"
+    };
+    createStmt.step();
+    Statement selectStmt
+    {
+        spConnection,
+        R"(INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (?,?,?,?,?);)"
+    };
+    const auto expectedStringStmt{ selectStmt.expand() };
+    EXPECT_EQ(expectedStringStmt, "INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (NULL,NULL,NULL,NULL,NULL);");
+}
+
+TEST_F(SQLiteTest, StatementExpandBind)
+{
+    std::shared_ptr<IConnection> spConnection = std::make_shared<Connection>();
+    Statement createStmt
+    {
+        spConnection,
+        "CREATE TABLE test_table (Colum1 INTEGER, Colum2 TEXT, Colum3 BIGINT, Colum4 BIGINT, Colum5 FLOAT);"
+    };
+    createStmt.step();
+    Statement insertStmt
+    {
+        spConnection,
+        R"(INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (?,?,?,?,?);)"
+    };
+    insertStmt.bind(2, "bar");
+    insertStmt.bind(3, 1000);
+    const auto expectedStringStmt{ insertStmt.expand() };
+    EXPECT_EQ(expectedStringStmt, "INSERT INTO test_table (Colum1, Colum2, Colum3, Colum4, Colum5) VALUES (NULL,'bar',1000,NULL,NULL);");
+}
diff --git a/src/common/dbsync/tests/sqlite/sqlite_test.h b/src/common/dbsync/tests/sqlite/sqlite_test.h
new file mode 100644
index 0000000000..fb4c75bfbb
--- /dev/null
+++ b/src/common/dbsync/tests/sqlite/sqlite_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 20, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SQLITE_TEST_H
+#define _SQLITE_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SQLiteTest : public ::testing::Test
+{
+
+    protected:
+
+        SQLiteTest() = default;
+        virtual ~SQLiteTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SQLITE_TEST_H
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/CMakeLists.txt b/src/common/dbsync/testtool/CMakeLists.txt
new file mode 100644
index 0000000000..952decf282
--- /dev/null
+++ b/src/common/dbsync/testtool/CMakeLists.txt
@@ -0,0 +1,38 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(dbsync_test_tool)
+
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${CMAKE_SOURCE_DIR}/utils/)
+include_directories(${CMAKE_SOURCE_DIR}/testtool/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-g -Wall -Wextra -std=c++14 -pthread")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+add_executable(dbsync_test_tool
+               ${CMAKE_SOURCE_DIR}/testtool/main.cpp )
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+	target_link_libraries(dbsync_test_tool
+	    dbsync
+	    -static-libstdc++
+	)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+	target_link_libraries(dbsync_test_tool
+	    dbsync
+	    pthread)
+else()
+	target_link_libraries(dbsync_test_tool
+	    dbsync
+	    pthread
+	    dl
+	)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
diff --git a/src/common/dbsync/testtool/Readme.md b/src/common/dbsync/testtool/Readme.md
new file mode 100644
index 0000000000..752d05283a
--- /dev/null
+++ b/src/common/dbsync/testtool/Readme.md
@@ -0,0 +1,46 @@
+# DBSync Testing Tool
+## Index
+1. [Purpose](#purpose)
+2. [Architecture Diagram](#architecture-diagram)
+3. [Compile Wazuh](#compile-wazuh)
+4. [How to use the tool](#how-to-use-the-tool)
+
+## Purpose
+The DBSync Testing Tool was created to test and validate the dbsync module. This tool works as a black box where an user will be able execute it with different arguments and analyze the output data as desired.
+
+## Architecture Diagram
+
+![alt text](../images/dbsyncTestToolArchDiagram.png)
+
+## Compile Wazuh
+In order to run unit tests on a specific wazuh target, the project needs to be built either in release or debug mode.
+```
+make TARGET=server|agent <DEBUG=1>
+```
+
+## How to use the tool
+In order to run the `dbsync_test_tool` utility the following steps need to be accomplished:
+1) Create a config json file with the following structure:
+```
+{
+    "db_name": "db_name",
+    "db_type": "1",
+    "host_type": "<0|1>",
+    "persistance": "",
+    "sql_statement":"sql"
+}
+```
+Where:
+  - db_name: Database name to be used.
+  - db_type: Database type to be used. Only SQLITE3 is currently supported.
+  - host_type: Agent or Manager.
+  - persistance: Database type of persistance being used.
+  - sql_statement: Database sql structure to be created. This structure will be associated with the other files needed to use the tool.
+
+2) Create the needed amount of json files representing the different actions information. These ones need to follow the sql_statement structure created in the step 1.
+3) Define an output folder where all resulting data will be located.
+4) Once all the above steps are accomplished the tool will be used like this:
+```
+./dbsync_test_tool -c config.json -a input1.json,input2.json,input3.json -o ./output
+```
+5) Considering the example above all diff snapshots will be located in ./output folder in the following format: action_1.json, action_2.json ... action_n.json where 'n' will be the number of json files passed as part of the argument "-a".
diff --git a/src/common/dbsync/testtool/action.h b/src/common/dbsync/testtool/action.h
new file mode 100644
index 0000000000..b09721b757
--- /dev/null
+++ b/src/common/dbsync/testtool/action.h
@@ -0,0 +1,832 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 21, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _ACTION_H
+#define _ACTION_H
+#include <json.hpp>
+#include <mutex>
+#include "dbsync.h"
+#include "makeUnique.h"
+#include "cjsonSmartDeleter.hpp"
+
+namespace TestDeleters
+{
+    struct ResultDeleter final
+    {
+        void operator()(cJSON* json)
+        {
+            dbsync_free_result(&json);
+        }
+    };
+};
+
+struct IAction
+{
+    virtual void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) = 0;
+
+    virtual ~IAction() = default;
+};
+
+struct InsertDataAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value.at("body").dump().c_str())
+        };
+
+        const auto retVal
+        {
+            dbsync_insert_data(ctx->handle,
+                               jsInput.get())
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_insert_data", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct UpdateWithSnapshotAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> currentSnapshotPtr
+        {
+            cJSON_Parse(value["body"].dump().c_str())
+        };
+        cJSON* snapshotLambda{ nullptr };
+
+        if (0 == dbsync_update_with_snapshot(ctx->handle, currentSnapshotPtr.get(), &snapshotLambda))
+        {
+            // Create and flush snapshot diff data in files like: snapshot_<#idx>.json
+            const std::unique_ptr<cJSON, TestDeleters::ResultDeleter> snapshotLambdaPtr(snapshotLambda);
+
+            std::stringstream oFileName;
+            oFileName << "action_" << ctx->currentId << ".json";
+            const std::string outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+            std::ofstream outputFile{ outputFileName };
+            const std::unique_ptr<char, CJsonSmartFree> snapshotDiff{ cJSON_Print(snapshotLambdaPtr.get()) };
+            outputFile << snapshotDiff.get() << std::endl;
+        }
+    }
+};
+
+static void dummyCallback(ReturnTypeCallback, const cJSON*, void*)
+{
+
+}
+
+static void txnCallback(ReturnTypeCallback type, const cJSON* json, void* user_data)
+{
+    if (user_data && json)
+    {
+        static std::mutex s_mutex;
+        std::lock_guard<std::mutex> lock{ s_mutex };
+        TestContext* ctx{ reinterpret_cast<TestContext*>(user_data) };
+        std::stringstream oFileName;
+        oFileName << "txn_" << reinterpret_cast<size_t>(ctx->txnContext) << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+        const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_PrintUnformatted(json)};
+        const auto newJson{nlohmann::json::parse(spJsonBytes.get())};
+        nlohmann::json jsonResult;
+        jsonResult.push_back(newJson);
+        jsonResult.push_back({{"result", type}});
+
+        std::ofstream outputFile{ outputFileName, std::ofstream::app};
+        outputFile << jsonResult.dump() << std::endl;
+    }
+}
+
+struct CreateTransactionAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsonTables
+        {
+            cJSON_Parse(value["body"]["tables"].dump().c_str())
+        };
+
+        callback_data_t callbackData { txnCallback, ctx.get() };
+
+        ctx->txnContext = dbsync_create_txn(ctx->handle,
+                                            jsonTables.get(),
+                                            0,
+                                            100,
+                                            callbackData);
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"txn_context", nullptr != ctx->txnContext } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct CloseTransactionAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& /*value*/) override
+    {
+
+
+        const auto retVal { dbsync_close_txn(ctx->txnContext)} ;
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"txn_context", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SetMaxRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const auto table{value["body"]["table"].get<std::string>()};
+        const auto maxRows{value["body"]["max_rows"].get<unsigned int>()};
+        const auto retVal
+        {
+            dbsync_set_table_max_rows(ctx->handle,
+                                      table.c_str(),
+                                      maxRows)
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_set_table_max_rows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct GetCallbackLogger final
+{
+    explicit GetCallbackLogger(const std::string& fileName)
+        : m_fileName(fileName)
+    {};
+    std::string m_fileName;
+    std::mutex m_mutex;
+
+};
+
+static void getCallbackCtx(ReturnTypeCallback /*type*/,
+                           const cJSON* json,
+                           void* user_data)
+{
+    GetCallbackLogger* loggerContext { reinterpret_cast<GetCallbackLogger*>(user_data) };
+
+    std::lock_guard<std::mutex> lock(loggerContext->m_mutex);
+    std::ifstream inputFile{ loggerContext->m_fileName };
+    nlohmann::json jsonResult {};
+
+    if (inputFile.peek() != std::ifstream::traits_type::eof())
+    {
+        jsonResult = nlohmann::json::parse(inputFile);
+    }
+
+    const std::unique_ptr<char, CJsonSmartFree> spJsonBytes{cJSON_PrintUnformatted(json)};
+    const auto& newJson { nlohmann::json::parse(spJsonBytes.get()) };
+    jsonResult.push_back(newJson);
+
+    std::ofstream outputFile{ loggerContext->m_fileName };
+    outputFile << jsonResult.dump() << std::endl;
+};
+
+
+struct GetDeletedRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& /*value*/) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto& outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+        const auto& outputFileNameCallback{ ctx->outputPath + "/" + "callback." + oFileName.str() };
+
+        const auto& loggerContext { std::make_unique<GetCallbackLogger>(outputFileNameCallback) };
+        callback_data_t callbackData { getCallbackCtx, loggerContext.get() } ;
+
+        const auto retVal
+        {
+            dbsync_get_deleted_rows(ctx->txnContext,
+                                    callbackData)
+        };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json& jsonResult { {"dbsync_get_deleted_rows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SyncRowAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value["body"].dump().c_str())
+        };
+
+        callback_data_t callbackData { dummyCallback, nullptr };
+
+        const auto retVal
+        {
+            dbsync_sync_row(ctx->handle,
+                            jsInput.get(),
+                            callbackData)
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_sync_row", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SyncTxnRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value["body"].dump().c_str())
+        };
+
+        const auto retVal
+        {
+            dbsync_sync_txn_row(ctx->txnContext,
+                                jsInput.get())
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_sync_txn_row", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct DeleteRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value.at("body").dump().c_str())
+        };
+
+        const auto retVal
+        {
+            dbsync_delete_rows(ctx->handle,
+                               jsInput.get())
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_delete_rows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SelectRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value.at("body").dump().c_str())
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+        const auto& outputFileNameCallback{ ctx->outputPath + "/" + "callback." + oFileName.str() };
+
+        const auto& loggerContext { std::make_unique<GetCallbackLogger>(outputFileNameCallback) };
+        callback_data_t callbackData { getCallbackCtx, loggerContext.get() } ;
+
+        const auto retVal
+        {
+            dbsync_select_rows(ctx->handle,
+                               jsInput.get(),
+                               callbackData)
+        };
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_select_rows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct AddTableRelationship final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+        {
+            cJSON_Parse(value.at("body").dump().c_str())
+        };
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        const auto retVal
+        {
+            dbsync_add_table_relationship(ctx->handle,
+                                          jsInput.get())
+        };
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"dbsync_add_table_relationship", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct InsertDataCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        int retVal{ 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->insertData(value.at("body"));
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"insertData", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct UpdateWithSnapshotActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        int retVal{ 0 };
+        nlohmann::json snapshotLambda { };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->updateWithSnapshot(value.at("body"), snapshotLambda);
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        snapshotLambda.push_back({"updateWithSnapshot", retVal });
+
+        std::ofstream outputFile{ outputFileName };
+        outputFile << snapshotLambda.dump() << std::endl;
+    }
+};
+
+struct CreateTransactionActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        int retVal{ 0 };
+
+        auto txnCallback = [&ctx](ReturnTypeCallback type, const nlohmann::json & json)
+        {
+            static std::mutex s_mutex;
+            std::lock_guard<std::mutex> lock{ s_mutex };
+
+            std::stringstream oFileName;
+            oFileName << "txn_" << reinterpret_cast<size_t>(ctx->txnContext) << ".json";
+            const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+            nlohmann::json jsonResult { };
+            jsonResult.push_back(json);
+            jsonResult.push_back({{"result", type}});
+
+            std::ofstream outputFile{ outputFileName, std::ofstream::app};
+            outputFile << jsonResult.dump() << std::endl;
+        };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            std::unique_ptr<DBSyncTxn> dbSyncTxn
+            {
+                std::make_unique<DBSyncTxn>(dbSync->handle(),
+                                            value.at("body").at("tables"),
+                                            0,
+                                            100,
+                                            txnCallback)
+            };
+
+            ctx->txnContext = dbSyncTxn->handle();
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"createTransaction", nullptr != ctx->txnContext&& 0 == retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SetMaxRowsActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        const auto table{value.at("body").at("table").get<std::string>()};
+        const auto maxRows{value.at("body").at("max_rows").get<unsigned int>()};
+
+        int retVal{ 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->setTableMaxRow(table, maxRows);
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"SetMaxRowsAction", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct AddTableRelationshipCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        int retVal{ 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->addTableRelationship(value.at("body"));
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"addTableRelationship", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct GetDeletedRowsActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& /*value*/) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto& outputFileNameCallback{ ctx->outputPath + "/" + "callback." + oFileName.str() };
+        const auto& loggerContext { std::make_unique<GetCallbackLogger>(outputFileNameCallback) };
+
+        auto callbackDelete
+        {
+            [&loggerContext](ReturnTypeCallback /*result_type*/, const nlohmann::json & json)
+            {
+                std::lock_guard<std::mutex> lock(loggerContext->m_mutex);
+
+                std::ifstream inputFile{ loggerContext->m_fileName };
+
+                nlohmann::json jsonResult {};
+
+                if (inputFile.peek() != std::ifstream::traits_type::eof())
+                {
+                    jsonResult = nlohmann::json::parse(inputFile);
+                }
+
+                jsonResult.push_back(json);
+
+                std::ofstream outputFile{ loggerContext->m_fileName };
+                outputFile << jsonResult.dump() << std::endl;
+            }
+        };
+
+        int retVal { 0 };
+
+        try
+        {
+            std::unique_ptr<DBSyncTxn> dbSyncTxn { std::make_unique<DBSyncTxn>(ctx->txnContext) };
+            dbSyncTxn->getDeletedRows(callbackDelete);
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        const auto& outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json& jsonResult { {"getDeletedRows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SyncRowActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto& outputFileNameCallback{ ctx->outputPath + "/" + "callback." + oFileName.str() };
+        const auto& loggerContext { std::make_unique<GetCallbackLogger>(outputFileNameCallback) };
+
+        auto callbackSync
+        {
+            [&loggerContext](ReturnTypeCallback /*result_type*/, const nlohmann::json & json)
+            {
+                std::lock_guard<std::mutex> lock(loggerContext->m_mutex);
+                std::ifstream inputFile{ loggerContext->m_fileName };
+
+                nlohmann::json jsonResult {};
+
+                if (inputFile.peek() != std::ifstream::traits_type::eof())
+                {
+                    jsonResult = nlohmann::json::parse(inputFile);
+                }
+
+                jsonResult.push_back(json);
+
+                std::ofstream outputFile{ loggerContext->m_fileName };
+                outputFile << jsonResult.dump() << std::endl;
+            }
+        };
+
+        int retVal { 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->syncRow(value.at("body"), callbackSync);
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"syncRow", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SyncTxnRowsActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        int retVal { 0 };
+
+        try
+        {
+            std::unique_ptr<DBSyncTxn> dbSyncTxn { std::make_unique<DBSyncTxn>(ctx->txnContext) };
+            dbSyncTxn->syncTxnRow(value.at("body"));
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"syncTxnRow", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct DeleteRowsActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        int retVal { 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->deleteRows(value.at("body"));
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = { {"deleteRows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SelectRowsActionCPP final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx,
+                 const nlohmann::json& value) override
+    {
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto& outputFileNameCallback{ ctx->outputPath + "/" + "callback." + oFileName.str() };
+        const auto& loggerContext { std::make_unique<GetCallbackLogger>(outputFileNameCallback) };
+
+        auto callbackSelect
+        {
+            [&loggerContext](ReturnTypeCallback /*result_type*/, const nlohmann::json & json)
+            {
+                std::lock_guard<std::mutex> lock(loggerContext->m_mutex);
+                std::ifstream inputFile{ loggerContext->m_fileName };
+
+                nlohmann::json jsonResult {};
+
+                if (inputFile.peek() != std::ifstream::traits_type::eof())
+                {
+                    jsonResult = nlohmann::json::parse(inputFile);
+                }
+
+                jsonResult.push_back(json);
+
+                std::ofstream outputFile{ loggerContext->m_fileName };
+                outputFile << jsonResult.dump() << std::endl;
+            }
+        };
+
+        int retVal { 0 };
+
+        try
+        {
+            std::unique_ptr<DBSync> dbSync { std::make_unique<DBSync>(ctx->handle) };
+            dbSync->selectRows(value.at("body"), callbackSelect);
+        }
+        catch (const nlohmann::detail::exception& ex)
+        {
+            retVal = ex.id;
+        }
+        catch (const DbSync::dbsync_error& ex)
+        {
+            retVal = ex.id();
+        }
+        catch (...)
+        {
+            retVal = -1;
+        }
+
+        std::ofstream outputFile{ ctx->outputPath + "/" + oFileName.str() };
+        const nlohmann::json jsonResult = { {"selectRows", retVal } };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+
+#endif //_ACTION_H
diff --git a/src/common/dbsync/testtool/cmdArgsHelper.h b/src/common/dbsync/testtool/cmdArgsHelper.h
new file mode 100644
index 0000000000..46a3128f2c
--- /dev/null
+++ b/src/common/dbsync/testtool/cmdArgsHelper.h
@@ -0,0 +1,100 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 02, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CMD_LINE_ARGS_HELPER_H_
+#define _CMD_LINE_ARGS_HELPER_H_
+
+#include <string>
+#include <sstream>
+#include <vector>
+#include <iostream>
+
+class CmdLineArgs
+{
+    public:
+        CmdLineArgs(const int argc, const char* argv[])
+            : m_configFile{ paramValueOf(argc, argv, "-c") }
+            , m_outputFolder{ paramValueOf(argc, argv, "-o") }
+            , m_actions{ splitActions(paramValueOf(argc, argv, "-a")) }
+        {}
+
+        const std::string& configFile() const
+        {
+            return m_configFile;
+        }
+
+        const std::vector<std::string>& actions() const
+        {
+            return m_actions;
+        }
+
+        const std::string& outputFolder() const
+        {
+            return m_outputFolder;
+        }
+
+        static void showHelp()
+        {
+            std::cout << "\nUsage: dbsync_test_tool <option(s)> SOURCES \n"
+                      << "Options:\n"
+                      << "\t-h \t\t\tShow this help message\n"
+                      << "\t-c JSON_CONFIG_FILE\tSpecifies the json config file to initialize the database.\n"
+                      << "\t-a ACTION_LIST\t\tSpecifies the list of actions to exercise the database.\n"
+                      << "\t-o OUTPUT_FOLDER\tSpecifies the output folder path where the results will be generated.\n"
+                      << "\nExample:"
+                      << "\n\t./dbsync_test_tool -c config.json -a input1.json,input2.json,input3.json -o ./output\n"
+                      << std::endl;
+        }
+
+    private:
+
+        static std::string paramValueOf(const int argc,
+                                        const char* argv[],
+                                        const std::string& switchValue)
+        {
+            for (int i = 1; i < argc; ++i)
+            {
+                const std::string currentValue{ argv[i] };
+
+                if (currentValue == switchValue && i + 1 < argc)
+                {
+                    // Switch found
+                    return argv[i + 1];
+                }
+            }
+
+            throw std::runtime_error
+            {
+                "Switch value: " + switchValue + " not found."
+            };
+        }
+
+        static std::vector<std::string> splitActions(const std::string& values)
+        {
+            std::vector<std::string> actionsValues;
+            std::stringstream ss{ values };
+
+            while (ss.good())
+            {
+                std::string substr;
+                getline(ss, substr, ','); // Getting each string between ',' character
+                actionsValues.push_back(std::move(substr));
+            }
+
+            return actionsValues;
+        }
+
+        const std::string m_configFile;
+        const std::string m_outputFolder;
+        const std::vector<std::string> m_actions;
+};
+
+#endif // _CMD_LINE_ARGS_HELPER_H_
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/factoryAction.h b/src/common/dbsync/testtool/factoryAction.h
new file mode 100644
index 0000000000..c5ab4191f8
--- /dev/null
+++ b/src/common/dbsync/testtool/factoryAction.h
@@ -0,0 +1,115 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 21, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FACTORY_ACTION_H
+#define _FACTORY_ACTION_H
+#include <iostream>
+#include <memory>
+
+class FactoryAction
+{
+    public:
+        static std::unique_ptr<IAction> create(const std::string& actionCode)
+        {
+            if (0 == actionCode.compare("dbsync_insert_data"))
+            {
+                return std::make_unique<InsertDataAction>();
+            }
+
+            if (0 == actionCode.compare("dbsync_update_with_snapshot"))
+            {
+                return std::make_unique<UpdateWithSnapshotAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_create_txn"))
+            {
+                return std::make_unique<CreateTransactionAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_close_txn"))
+            {
+                return std::make_unique<CloseTransactionAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_set_table_max_rows"))
+            {
+                return std::make_unique<SetMaxRowsAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_get_deleted_rows"))
+            {
+                return std::make_unique<GetDeletedRowsAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_sync_row"))
+            {
+                return std::make_unique<SyncRowAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_sync_txn_row"))
+            {
+                return std::make_unique<SyncTxnRowsAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_delete_rows"))
+            {
+                return std::make_unique<DeleteRowsAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_select_rows"))
+            {
+                return std::make_unique<SelectRowsAction>();
+            }
+            else if (0 == actionCode.compare("dbsync_add_table_relationship"))
+            {
+                return std::make_unique<AddTableRelationship>();
+            }
+            // C++ Interface
+            else if (0 == actionCode.compare("insertData"))
+            {
+                return std::make_unique<InsertDataCPP>();
+            }
+            else if (0 == actionCode.compare("updateWithSnapshot"))
+            {
+                return std::make_unique<UpdateWithSnapshotActionCPP>();
+            }
+            else if (0 == actionCode.compare("createTxn"))
+            {
+                return std::make_unique<CreateTransactionActionCPP>();
+            }
+            else if (0 == actionCode.compare("setTableMaxRows"))
+            {
+                return std::make_unique<SetMaxRowsActionCPP>();
+            }
+            else if (0 == actionCode.compare("addTableRelationship"))
+            {
+                return std::make_unique<AddTableRelationshipCPP>();
+            }
+            else if (0 == actionCode.compare("getDeletedRows"))
+            {
+                return std::make_unique<GetDeletedRowsActionCPP>();
+            }
+            else if (0 == actionCode.compare("syncRow"))
+            {
+                return std::make_unique<SyncRowActionCPP>();
+            }
+            else if (0 == actionCode.compare("syncTxnRow"))
+            {
+                return std::make_unique<SyncTxnRowsActionCPP>();
+            }
+            else if (0 == actionCode.compare("deleteRows"))
+            {
+                return std::make_unique<DeleteRowsActionCPP>();
+            }
+            else if (0 == actionCode.compare("selectRows"))
+            {
+                return std::make_unique<SelectRowsActionCPP>();
+            }
+            else
+            {
+                throw std::runtime_error { "Invalid action: " + actionCode };
+            }
+        }
+};
+
+#endif //_FACTORY_ACTION_H
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/closeTxn.json b/src/common/dbsync/testtool/input/closeTxn.json
new file mode 100644
index 0000000000..77cb64e300
--- /dev/null
+++ b/src/common/dbsync/testtool/input/closeTxn.json
@@ -0,0 +1,3 @@
+{
+    "action": "dbsync_close_txn"
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/config.json b/src/common/dbsync/testtool/input/config.json
new file mode 100644
index 0000000000..71b020384e
--- /dev/null
+++ b/src/common/dbsync/testtool/input/config.json
@@ -0,0 +1,7 @@
+{
+    "db_name": "temp.db",
+    "db_type": "1",
+    "host_type": "1",    
+    "persistance": "",
+    "sql_statement":"CREATE TABLE processes(`pid` BIGINT, `name` TEXT, `path` TEXT, `cmdline` TEXT, `state` TEXT, `cwd` TEXT, `root` TEXT, `uid` BIGINT, `gid` BIGINT, `euid` BIGINT, `egid` BIGINT, `suid` BIGINT, `sgid` BIGINT, `on_disk` INTEGER, `wired_size` BIGINT, `resident_size` BIGINT, `total_size` BIGINT, `user_time` BIGINT, `system_time` BIGINT, `disk_bytes_read` BIGINT, `disk_bytes_written` BIGINT, `start_time` BIGINT, `parent` BIGINT, `pgroup` BIGINT, `threads` INTEGER, `nice` INTEGER, `is_elevated_token` INTEGER, `elapsed_time` BIGINT, `handle_count` BIGINT, `percent_processor_time` BIGINT, `upid` BIGINT HIDDEN, `uppid` BIGINT HIDDEN, `cpu_type` INTEGER HIDDEN, `cpu_subtype` INTEGER HIDDEN, `phys_footprint` BIGINT HIDDEN, PRIMARY KEY (`pid`)) WITHOUT ROWID;"
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/config_template.json b/src/common/dbsync/testtool/input/config_template.json
new file mode 100644
index 0000000000..224bc5197f
--- /dev/null
+++ b/src/common/dbsync/testtool/input/config_template.json
@@ -0,0 +1,7 @@
+{
+    "db_name": "<db_name>",
+    "db_type": "<0|1>",
+    "host_type": "<0|1>",
+    "persistance": "",
+    "sql_statement":"<sql>"
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/createTxn.json b/src/common/dbsync/testtool/input/createTxn.json
new file mode 100644
index 0000000000..368c9af083
--- /dev/null
+++ b/src/common/dbsync/testtool/input/createTxn.json
@@ -0,0 +1,6 @@
+{
+    "action": "dbsync_create_txn",
+    "body": {
+        "tables": ["processes"]
+    }
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/deleteRows.json b/src/common/dbsync/testtool/input/deleteRows.json
new file mode 100644
index 0000000000..f8f5361dcc
--- /dev/null
+++ b/src/common/dbsync/testtool/input/deleteRows.json
@@ -0,0 +1,74 @@
+{
+    "action": "dbsync_delete_rows",
+    "body": {
+        "table":"processes",
+        "query": {
+            "data":[
+                {
+                    "pid":4,
+                    "name":"System",
+                    "path":"",
+                    "cmdline":"",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                },
+                {
+                    "pid":6,
+                    "name":"System",
+                    "path":"/usr/lib",
+                    "cmdline":"whoami",
+                    "state":"",
+                    "cwd":"",
+                    "root":"",
+                    "uid":-1,
+                    "gid":-1,
+                    "euid":-1,
+                    "egid":-1,
+                    "suid":-1,
+                    "sgid":-1,
+                    "on_disk":-1,
+                    "wired_size":-1,
+                    "resident_size":-1,
+                    "total_size":-1,
+                    "user_time":-1,
+                    "system_time":-1,
+                    "disk_bytes_read":-1,
+                    "disk_bytes_written":-1,
+                    "start_time":-1,
+                    "parent":0,
+                    "pgroup":-1,
+                    "threads":164,
+                    "nice":-1,
+                    "is_elevated_token":false,
+                    "elapsed_time":-1,
+                    "handle_count":-1,
+                    "percent_processor_time":-1
+                }],
+            "row_filter_opt":"pid>=4"
+        }
+    }
+}
diff --git a/src/common/dbsync/testtool/input/getDeletedRowsOnlyPKs.json b/src/common/dbsync/testtool/input/getDeletedRowsOnlyPKs.json
new file mode 100644
index 0000000000..f4c979e6dc
--- /dev/null
+++ b/src/common/dbsync/testtool/input/getDeletedRowsOnlyPKs.json
@@ -0,0 +1,3 @@
+{
+    "action": "dbsync_get_deleted_rows"
+}
diff --git a/src/common/dbsync/testtool/input/input2.json b/src/common/dbsync/testtool/input/input2.json
new file mode 100644
index 0000000000..9fcb621395
--- /dev/null
+++ b/src/common/dbsync/testtool/input/input2.json
@@ -0,0 +1,73 @@
+{
+   "action": "dbsync_update_with_snapshot",
+   "body": {
+      "table":"processes",
+      "data":[
+         {
+            "pid":4,
+            "name":"User",
+            "path":"",
+            "cmdline":"cmd.exe",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":5,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         }
+      ]
+   }
+   
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/input3.json b/src/common/dbsync/testtool/input/input3.json
new file mode 100644
index 0000000000..841ac56b33
--- /dev/null
+++ b/src/common/dbsync/testtool/input/input3.json
@@ -0,0 +1,105 @@
+{   
+   "action": "dbsync_update_with_snapshot",
+   "body": {
+      "table":"processes",
+      "data":[
+         {
+            "pid":5,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":6,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":7,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         }
+      ]
+   }
+   
+ }
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/input6.json b/src/common/dbsync/testtool/input/input6.json
new file mode 100644
index 0000000000..7e3f9642e0
--- /dev/null
+++ b/src/common/dbsync/testtool/input/input6.json
@@ -0,0 +1,7 @@
+{
+    "action": "dbsync_set_table_max_rows",
+    "body": {
+        "table": "processes",
+        "max_rows":100
+    }
+}
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/inputSelectRows.json b/src/common/dbsync/testtool/input/inputSelectRows.json
new file mode 100644
index 0000000000..5ab1121911
--- /dev/null
+++ b/src/common/dbsync/testtool/input/inputSelectRows.json
@@ -0,0 +1,13 @@
+{
+    "action": "dbsync_select_rows",
+    "body": {
+        "table":"processes",
+        "query":{
+            "column_list":["pid,name,threads"],
+            "row_filter":"WHERE pid>=5",
+            "distinct_opt":false,
+            "order_by_opt":"threads",
+            "count_opt":100
+        }
+    }
+}
diff --git a/src/common/dbsync/testtool/input/inputSyncRowInsert.json b/src/common/dbsync/testtool/input/inputSyncRowInsert.json
new file mode 100644
index 0000000000..b14f118717
--- /dev/null
+++ b/src/common/dbsync/testtool/input/inputSyncRowInsert.json
@@ -0,0 +1,136 @@
+{
+"action": "dbsync_sync_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":6,
+                "name":"User",
+                "path":"/usr/lib",
+                "cmdline":"nano",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":7,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/inputSyncRowInsertTxn.json b/src/common/dbsync/testtool/input/inputSyncRowInsertTxn.json
new file mode 100644
index 0000000000..79030efc64
--- /dev/null
+++ b/src/common/dbsync/testtool/input/inputSyncRowInsertTxn.json
@@ -0,0 +1,72 @@
+{
+"action": "dbsync_sync_txn_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }       
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/inputSyncRowModified.json b/src/common/dbsync/testtool/input/inputSyncRowModified.json
new file mode 100644
index 0000000000..ecc876f59e
--- /dev/null
+++ b/src/common/dbsync/testtool/input/inputSyncRowModified.json
@@ -0,0 +1,40 @@
+{
+"action": "dbsync_sync_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"User",
+                "path":"",
+                "cmdline":"Guake",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":1,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }  
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/inputSyncRowModifiedTxn.json b/src/common/dbsync/testtool/input/inputSyncRowModifiedTxn.json
new file mode 100644
index 0000000000..3d0c608429
--- /dev/null
+++ b/src/common/dbsync/testtool/input/inputSyncRowModifiedTxn.json
@@ -0,0 +1,40 @@
+{
+"action": "dbsync_sync_txn_row",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"User",
+                "path":"",
+                "cmdline":"Guake",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":1,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }  
+        ]
+    }
+} 
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/input/insertData.json b/src/common/dbsync/testtool/input/insertData.json
new file mode 100644
index 0000000000..71ccf64a50
--- /dev/null
+++ b/src/common/dbsync/testtool/input/insertData.json
@@ -0,0 +1,200 @@
+{
+"action": "dbsync_insert_data",
+    "body": {
+        "table": "processes",
+        "data":[
+            {
+                "pid":4,
+                "name":"System",
+                "path":"",
+                "cmdline":"",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":5,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"whoami",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":6,
+                "name":"User",
+                "path":"/usr/lib",
+                "cmdline":"nano",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":7,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":8,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             },
+             {
+                "pid":9,
+                "name":"System",
+                "path":"/usr/lib",
+                "cmdline":"git",
+                "state":"",
+                "cwd":"",
+                "root":"",
+                "uid":-1,
+                "gid":-1,
+                "euid":-1,
+                "egid":-1,
+                "suid":-1,
+                "sgid":-1,
+                "on_disk":-1,
+                "wired_size":-1,
+                "resident_size":-1,
+                "total_size":-1,
+                "user_time":-1,
+                "system_time":-1,
+                "disk_bytes_read":-1,
+                "disk_bytes_written":-1,
+                "start_time":-1,
+                "parent":0,
+                "pgroup":-1,
+                "threads":164,
+                "nice":-1,
+                "is_elevated_token":false,
+                "elapsed_time":-1,
+                "handle_count":-1,
+                "percent_processor_time":-1
+             }            
+        ]
+    }
+} 
diff --git a/src/common/dbsync/testtool/input/updateWithSnapshot.json b/src/common/dbsync/testtool/input/updateWithSnapshot.json
new file mode 100644
index 0000000000..02df113cbb
--- /dev/null
+++ b/src/common/dbsync/testtool/input/updateWithSnapshot.json
@@ -0,0 +1,105 @@
+{
+   "action": "dbsync_update_with_snapshot",
+   "body": {
+      "table":"processes",
+      "data":[
+         {
+            "pid":4,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":5,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         },
+         {
+            "pid":6,
+            "name":"System",
+            "path":"",
+            "cmdline":"",
+            "state":"",
+            "cwd":"",
+            "root":"",
+            "uid":-1,
+            "gid":-1,
+            "euid":-1,
+            "egid":-1,
+            "suid":-1,
+            "sgid":-1,
+            "on_disk":-1,
+            "wired_size":-1,
+            "resident_size":-1,
+            "total_size":-1,
+            "user_time":-1,
+            "system_time":-1,
+            "disk_bytes_read":-1,
+            "disk_bytes_written":-1,
+            "start_time":-1,
+            "parent":0,
+            "pgroup":-1,
+            "threads":164,
+            "nice":-1,
+            "is_elevated_token":false,
+            "elapsed_time":-1,
+            "handle_count":-1,
+            "percent_processor_time":-1
+         }
+      ]
+   }
+   
+ }
\ No newline at end of file
diff --git a/src/common/dbsync/testtool/main.cpp b/src/common/dbsync/testtool/main.cpp
new file mode 100644
index 0000000000..d5481595f6
--- /dev/null
+++ b/src/common/dbsync/testtool/main.cpp
@@ -0,0 +1,99 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 02, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <fstream>
+#include <stdio.h>
+#include <memory>
+#include <json.hpp>
+#include "makeUnique.h"
+#include "dbsync.h"
+#include "cmdArgsHelper.h"
+#include "testContext.h"
+#include "action.h"
+#include "factoryAction.h"
+
+static void loggerFunction(const char* msg)
+{
+    std::cout << "Msg: " << msg << std::endl;
+}
+
+int main(int argc, const char* argv[])
+{
+    try
+    {
+        CmdLineArgs cmdLineArgs(argc, argv);
+
+        const auto actions { cmdLineArgs.actions() };
+
+        // dbsync configuration data
+        std::ifstream configFile{ cmdLineArgs.configFile() };
+        const auto& jsonConfigFile { nlohmann::json::parse(configFile) };
+        const std::string dbName{ jsonConfigFile.at("db_name").get_ref<const std::string&>() };
+        const std::string dbType{ jsonConfigFile.at("db_type").get_ref<const std::string&>() };
+        const std::string hostType{ jsonConfigFile.at("host_type").get_ref<const std::string&>() };
+        const std::string persistance{ jsonConfigFile.at("persistance").get_ref<const std::string&>() };
+        const std::string sqlStmt{ jsonConfigFile.at("sql_statement").get_ref<const std::string&>() };
+
+        dbsync_initialize(loggerFunction);
+
+        DBSYNC_HANDLE handle {0};
+
+        if (persistance.compare("1") == 0)
+        {
+            handle = dbsync_create_persistent((hostType.compare("0") == 0) ? HostType::MANAGER : HostType::AGENT,
+                                              (dbType.compare("1") == 0) ? DbEngineType::SQLITE3 : DbEngineType::UNDEFINED,
+                                              dbName.c_str(),
+                                              sqlStmt.c_str(),
+                                              nullptr);
+
+        }
+        else
+        {
+            handle = dbsync_create((hostType.compare("0") == 0) ? HostType::MANAGER : HostType::AGENT,
+                                   (dbType.compare("1") == 0) ? DbEngineType::SQLITE3 : DbEngineType::UNDEFINED,
+                                   dbName.c_str(),
+                                   sqlStmt.c_str());
+        }
+
+        if (0 != handle)
+        {
+            std::unique_ptr<TestContext> testContext { std::make_unique<TestContext>()};
+            testContext->handle = handle;
+            testContext->outputPath = cmdLineArgs.outputFolder();
+
+            // Let's take the input json list and apply the changes to the db
+            for (size_t idx = 0; idx < actions.size(); ++idx)
+            {
+                testContext->currentId = idx;
+                const std::string inputFile{ actions[idx] };
+                std::ifstream actionsIdxFile{ inputFile };
+                std::cout << "Processing file: " << inputFile << std::endl;
+                const auto& jsonAction { nlohmann::json::parse(actionsIdxFile) };
+                auto action { FactoryAction::create(jsonAction["action"].get<std::string>()) };
+                action->execute(testContext, jsonAction);
+            }
+
+            dbsync_teardown();
+            std::cout << "Resulting files are located in the " << cmdLineArgs.outputFolder() << " folder" << std::endl;
+        }
+        else
+        {
+            std::cout << std::endl << "Something went wrong configuring the database. Please, check the config file data" << std::endl;
+        }
+    }
+    catch (const std::exception& ex)
+    {
+        std::cerr << ex.what() << std::endl;
+        CmdLineArgs::showHelp();
+    }
+
+    return 0;
+}
diff --git a/src/common/dbsync/testtool/testContext.h b/src/common/dbsync/testtool/testContext.h
new file mode 100644
index 0000000000..a7abb59f38
--- /dev/null
+++ b/src/common/dbsync/testtool/testContext.h
@@ -0,0 +1,24 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 21, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _TEST_CONTEXT_H
+#define _TEST_CONTEXT_H
+#include "dbsync.h"
+#include "dbsync.hpp"
+
+struct TestContext
+{
+    DBSYNC_HANDLE handle;
+    TXN_HANDLE txnContext;
+    size_t currentId;
+    std::string outputPath;
+};
+
+#endif //_TEST_CONTEXT_H
\ No newline at end of file
diff --git a/src/modules/github/tests/CMakeLists.txt b/src/common/debug_op/CMakeLists.txt
similarity index 100%
rename from src/modules/github/tests/CMakeLists.txt
rename to src/common/debug_op/CMakeLists.txt
diff --git a/src/common/debug_op/include/debug_op.h b/src/common/debug_op/include/debug_op.h
new file mode 100644
index 0000000000..a948700b2c
--- /dev/null
+++ b/src/common/debug_op/include/debug_op.h
@@ -0,0 +1,131 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions to generate debug/information/error/warning/critical reports
+ *
+ * We have two debug levels (1 and 2), a verbose mode and functions to catch warnings, errors, and critical situations
+ *
+ * To see these messages, use the "-d","-v" options (or "-d" twice to see debug2)
+ * The merror is printed by default when an important error occurs
+ */
+
+#ifndef DEBUG_H
+#define DEBUG_H
+
+#ifndef __GNUC__
+#define __attribute__(x)
+#endif
+
+#include <stdarg.h>
+#include <cJSON.h>
+/* For internal logs */
+#ifndef LOGFILE
+#ifndef WIN32
+#define LOGFILE   "logs/ossec.log"
+#define LOGJSONFILE "logs/ossec.json"
+#define _PRINTF_FORMAT printf
+#else
+#define LOGFILE "ossec.log"
+#define LOGJSONFILE "ossec.json"
+#define _PRINTF_FORMAT __MINGW_PRINTF_FORMAT
+#endif
+#endif
+
+#define mdebug1(msg, ...) _mdebug1(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define plain_mdebug1(msg, ...) _plain_mdebug1(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mtdebug1(tag, msg, ...) _mtdebug1(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mdebug2(msg, ...) _mdebug2(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mtdebug2(tag, msg, ...) _mtdebug2(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define merror(msg, ...) _merror(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define plain_merror(msg, ...) _plain_merror(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mterror(tag, msg, ...) _mterror(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mwarn(msg, ...) _mwarn(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define plain_mwarn(msg, ...) _plain_mwarn(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mtwarn(tag, msg, ...) _mtwarn(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define minfo(msg, ...) _minfo(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define plain_minfo(msg, ...) _plain_minfo(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mtinfo(tag, msg, ...) _mtinfo(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mferror(msg, ...) _mferror(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mtferror(tag, msg, ...) _mtferror(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define merror_exit(msg, ...) _merror_exit(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define plain_merror_exit(msg, ...) _plain_merror_exit(__FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mterror_exit(tag, msg, ...) _mterror_exit(tag, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mlerror_exit(level, msg, ...) _mlerror_exit(level, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+
+void _mdebug1(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _plain_mdebug1(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mtdebug1(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _mdebug2(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mtdebug2(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _merror(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _plain_merror(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mterror(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _mverror(const char * file, int line, const char * func, const char *msg, va_list args)  __attribute__((nonnull));
+void _mwarn(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _plain_mwarn(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mtwarn(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _mvwarn(const char * file, int line, const char * func, const char *msg, va_list args)  __attribute__((nonnull));
+void _minfo(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _plain_minfo(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mtinfo(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _mvinfo(const char * file, int line, const char * func, const char *msg, va_list args)  __attribute__((nonnull));
+void print_out(const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 1, 2))) __attribute__((nonnull));
+void _mferror(const char * file, int line, const char * func, const char *msg, ... ) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull));
+void _mtferror(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull));
+void _merror_exit(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull)) __attribute__ ((noreturn));
+void _plain_merror_exit(const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 4, 5))) __attribute__((nonnull)) __attribute__ ((noreturn));
+void _mterror_exit(const char *tag, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull)) __attribute__ ((noreturn));
+void _mlerror_exit(const int level, const char * file, int line, const char * func, const char *msg, ...) __attribute__((format(_PRINTF_FORMAT, 5, 6))) __attribute__((nonnull)) __attribute__ ((noreturn));
+
+/**
+ * @brief Logging module initializer
+ */
+void w_logging_init();
+
+/* Function to read the logging format configuration */
+void os_logging_config();
+cJSON *getLoggingConfig(void);
+
+#ifdef WIN32
+char * win_strerror(unsigned long error);
+#endif
+
+/* Use these three functions to set when you
+ * enter in debug, chroot or daemon mode
+ */
+void nowDebug(void);
+int isDebug(void);
+
+void nowChroot(void);
+void nowDaemon(void);
+
+int isChroot(void);
+
+/* Debug analysisd */
+#ifdef DEBUGAD
+#define DEBUG_MSG(x,y,z) minfo(x,y,z)
+#else
+#define DEBUG_MSG(x,y,z)
+#endif /* end debug analysisd */
+
+/**
+ * @brief Wrapper for the tagged log functions.
+ *
+ * @param level Log level.
+ * @param tag Tag representing the module sending the log.
+ * @param file File name.
+ * @param line Line number.
+ * @param func Function name.
+ * @param msg Message to send into the log.
+ * @param args Variable arguments list.
+ */
+void mtLoggingFunctionsWrapper(int level, const char* tag, const char* file, int line, const char* func, const char* msg, va_list args);
+
+#endif /* DEBUG_H */
diff --git a/src/common/debug_op/src/debug_op.c b/src/common/debug_op/src/debug_op.c
new file mode 100644
index 0000000000..e549b09ef7
--- /dev/null
+++ b/src/common/debug_op/src/debug_op.c
@@ -0,0 +1,725 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "headers/shared.h"
+#include <external/cJSON/cJSON.h>
+
+#ifdef WIN32
+#define localtime_r(x, y) localtime_s(y, x)
+#endif
+
+static int dbg_flag = 0;
+static int chroot_flag = 0;
+static int daemon_flag = 0;
+static int pid;
+
+static struct{
+  unsigned int log_plain:1;
+  unsigned int log_json:1;
+  unsigned int initialized:1;
+  unsigned int mutex_initialized:1;
+} flags;
+
+static pthread_mutex_t logging_mutex;
+
+static void _log_function(int level, const char *tag, const char * file, int line, const char * func, const char *msg, bool plain_only, va_list args) __attribute__((format(printf, 5, 0))) __attribute__((nonnull));
+
+// Wrapper for the real _log_function
+static void _log(int level, const char *tag, const char * file, int line, const char * func, const char *msg, va_list args) __attribute__((format(printf, 5, 0))) __attribute__((nonnull));
+static void _log(int level, const char *tag, const char * file, int line, const char * func, const char *msg, va_list args) {
+    _log_function(level, tag, file, line, func, msg, false, args);
+}
+
+
+#ifdef WIN32
+void WinSetError();
+#endif
+
+static void print_stderr_msg(char* timestamp, const char *tag, const char * file, int line, const char * func, const char* level, const char *msg, bool use_va_list, va_list args2) {
+    (void)fprintf(stderr, "%s ", timestamp);
+
+    if (dbg_flag > 0) {
+        (void)fprintf(stderr, "%s[%d] %s:%d at %s(): ", tag, pid, file, line, func);
+    } else {
+        (void)fprintf(stderr, "%s: ", tag);
+    }
+
+    (void)fprintf(stderr, "%s: ", level);
+    if (use_va_list) {
+        (void)vfprintf(stderr, msg, args2);
+    } else {
+        (void)fprintf(stderr, "%s", msg);
+    }
+#ifdef WIN32
+    (void)fprintf(stderr, "\r\n");
+#else
+    (void)fprintf(stderr, "\n");
+#endif
+}
+
+static void _log_function(int level, const char *tag, const char * file, int line, const char * func, const char *msg, bool plain_only, va_list args)
+{
+    va_list args2; /* For the stderr print */
+    va_list args3; /* For the JSON output */
+    FILE *fp;
+    char jsonstr[OS_MAXSTR];
+    char *output;
+    char logfile[PATH_MAX + 1];
+    char * filename;
+    char *timestamp = w_get_timestamp(time(NULL));
+
+    const char *strlevel[5]={
+      "DEBUG",
+      "INFO",
+      "WARNING",
+      "ERROR",
+      "CRITICAL",
+    };
+    const char *strleveljson[5]={
+      "debug",
+      "info",
+      "warning",
+      "error",
+      "critical"
+    };
+
+    /* Duplicate args */
+    va_copy(args2, args);
+    va_copy(args3, args);
+
+    if (!flags.initialized) {
+        /* If not initialized and plain_only is true, we avoid reading the
+           the ossec.conf file due to the call to many shared libraries (XML read, etc.).
+           The module will be initialized later. */
+        if(plain_only) {
+            flags.log_plain = 1;
+            flags.log_json = 0;
+            if(!flags.mutex_initialized) {
+                flags.mutex_initialized = 1;
+                int error_code = pthread_mutex_init(&logging_mutex, NULL);
+                if (error_code != 0 && daemon_flag == 0) {
+                    char err_msg[OS_SIZE_128] = {0};
+                    snprintf(err_msg, OS_SIZE_128, "Failed to initialize logging mutex (%d).", error_code);
+                    print_stderr_msg(timestamp, __local_name, __FILE__, __LINE__, __func__, strlevel[LOGLEVEL_ERROR],
+                                     err_msg, false, args);
+                }
+            }
+        } else {
+            w_logging_init();
+            mdebug1("Logging module auto-initialized");
+        }
+    }
+
+    if (filename = strrchr(file, '/'), filename) {
+        file = filename + 1;
+    }
+
+    /* The plain_only flag allows to bypass the JSON output even when it's enabled to
+       avoid the call to external libraries like cJSON. */
+    if (!plain_only && flags.log_json) {
+
+#ifndef WIN32
+        int oldmask;
+
+        strncpy(logfile, LOGJSONFILE, sizeof(logfile) - 1);
+        logfile[sizeof(logfile) - 1] = '\0';
+
+        if (!IsFile(logfile)) {
+            fp = wfopen(logfile, "a");
+        } else {
+            oldmask = umask(0006);
+            fp = wfopen(logfile, "w");
+            umask(oldmask);
+
+            // Make sure that the group is ossec
+
+            if (fp && getuid() == 0) {
+                gid_t group;
+
+                if (group = Privsep_GetGroup(GROUPGLOBAL), group != (gid_t)-1) {
+                    if (chown(logfile, 0, group)) {
+                        // Don't log anything
+                    }
+                }
+            }
+        }
+#else
+        strncpy(logfile, LOGJSONFILE, sizeof(logfile) - 1);
+        logfile[sizeof(logfile) - 1] = '\0';
+        fp = wfopen(logfile, "a");
+#endif
+
+        if (fp) {
+            cJSON *json_log = cJSON_CreateObject();
+
+            vsnprintf(jsonstr, OS_MAXSTR, msg, args3);
+
+            cJSON_AddStringToObject(json_log, "timestamp", timestamp);
+            cJSON_AddStringToObject(json_log, "tag", tag);
+
+            if (dbg_flag > 0) {
+                cJSON_AddNumberToObject(json_log, "pid", pid);
+                cJSON_AddStringToObject(json_log, "file", file);
+                cJSON_AddNumberToObject(json_log, "line", line);
+                cJSON_AddStringToObject(json_log, "routine", func);
+            }
+
+            cJSON_AddStringToObject(json_log, "level", strleveljson[level]);
+            cJSON_AddStringToObject(json_log, "description", jsonstr);
+
+            output = cJSON_PrintUnformatted(json_log);
+
+            w_mutex_lock(&logging_mutex);
+            (void)fprintf(fp, "%s", output);
+            (void)fprintf(fp, "\n");
+            fflush(fp);
+            w_mutex_unlock(&logging_mutex);
+
+            cJSON_Delete(json_log);
+            free(output);
+            fclose(fp);
+        }
+    }
+
+    if (flags.log_plain) {
+      /* If under chroot, log directly to /logs/ossec.log */
+
+#ifndef WIN32
+        int oldmask;
+
+        strncpy(logfile, LOGFILE, sizeof(logfile) - 1);
+        logfile[sizeof(logfile) - 1] = '\0';
+
+        if (!IsFile(logfile)) {
+            fp = wfopen(logfile, "a");
+        } else {
+            oldmask = umask(0006);
+            fp = wfopen(logfile, "w");
+            umask(oldmask);
+
+            // Make sure that the group is ossec
+
+            if (fp && getuid() == 0) {
+                gid_t group;
+
+                if (group = Privsep_GetGroup(GROUPGLOBAL), group != (gid_t)-1) {
+                    if (chown(logfile, 0, group)) {
+                        // Don't log anything
+                    }
+                }
+            }
+        }
+#else
+        strncpy(logfile, LOGFILE, sizeof(logfile) - 1);
+        logfile[sizeof(logfile) - 1] = '\0';
+        fp = wfopen(logfile, "a");
+#endif
+
+        /* Maybe log to syslog if the log file is not available */
+        if (fp) {
+            // Not using w_ variant to avoid calling this same method again.
+            int error_code = pthread_mutex_lock(&logging_mutex);
+            if (error_code != 0 && daemon_flag == 0) {
+                char err_msg[OS_SIZE_128] = {0};
+                snprintf(err_msg, OS_SIZE_128, "Failed to lock logging mutex (%d).", error_code);
+                print_stderr_msg(timestamp, __local_name, __FILE__, __LINE__, __func__, strlevel[LOGLEVEL_ERROR],
+                                 err_msg, false, args);
+            }
+            (void)fprintf(fp, "%s ", timestamp);
+
+            if (dbg_flag > 0) {
+                (void)fprintf(fp, "%s[%d] %s:%d at %s(): ", tag, pid, file, line, func);
+            } else {
+                (void)fprintf(fp, "%s: ", tag);
+            }
+
+            (void)fprintf(fp, "%s: ", strlevel[level]);
+            (void)vfprintf(fp, msg, args);
+            (void)fprintf(fp, "\n");
+            fflush(fp);
+            // Not using w_ variant to avoid calling this same method again.
+            error_code = pthread_mutex_unlock(&logging_mutex);
+            if (error_code != 0 && daemon_flag == 0) {
+                char err_msg[OS_SIZE_128] = {0};
+                snprintf(err_msg, OS_SIZE_128, "Failed to unlock logging mutex (%d).", error_code);
+                print_stderr_msg(timestamp, __local_name, __FILE__, __LINE__, __func__, strlevel[LOGLEVEL_ERROR],
+                                 err_msg, false, args);
+            }
+
+            fclose(fp);
+        }
+    }
+
+    /* Only if not in daemon mode */
+    if (daemon_flag == 0) {
+        print_stderr_msg(timestamp, tag, file, line, func, strlevel[level], msg, true, args2);
+    }
+
+    free(timestamp);
+    /* args must be ended here */
+    va_end(args2);
+    va_end(args3);
+}
+
+void w_logging_init(){
+    flags.initialized = 1;
+    if(!flags.mutex_initialized) {
+        flags.mutex_initialized = 1;
+        w_mutex_init(&logging_mutex, NULL);
+    }
+    os_logging_config();
+}
+
+void os_logging_config(){
+  OS_XML xml;
+  const char * xmlf[] = {"ossec_config", "logging", "log_format", NULL};
+  char * logformat;
+  char ** parts = NULL;
+  int i;
+
+  pid = (int)getpid();
+
+  if (OS_ReadXML(OSSECCONF, &xml) < 0){
+    flags.log_plain = 1;
+    flags.log_json = 0;
+    OS_ClearXML(&xml);
+    mlerror_exit(LOGLEVEL_ERROR, XML_ERROR, OSSECCONF, xml.err, xml.err_line);
+  }
+
+  logformat = OS_GetOneContentforElement(&xml, xmlf);
+
+  if (!logformat || logformat[0] == '\0'){
+
+    flags.log_plain = 1;
+    flags.log_json = 0;
+
+    free(logformat);
+    OS_ClearXML(&xml);
+    mdebug1(XML_NO_ELEM, "log_format");
+
+  }else{
+
+    parts = OS_StrBreak(',', logformat, 2);
+    char * part;
+    if (parts){
+      for (i=0; parts[i]; i++){
+        part = w_strtrim(parts[i]);
+        if (!strcmp(part, "plain")){
+          flags.log_plain = 1;
+        }else if(!strcmp(part, "json")){
+          flags.log_json = 1;
+        }else{
+          flags.log_plain = 1;
+          flags.log_json = 0;
+          mlerror_exit(LOGLEVEL_ERROR, XML_VALUEERR, "log_format", part);
+        }
+      }
+      for (i=0; parts[i]; i++){
+        free(parts[i]);
+      }
+      free(parts);
+    }
+
+    free(logformat);
+    OS_ClearXML(&xml);
+  }
+}
+
+cJSON *getLoggingConfig(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *logg = cJSON_CreateObject();
+
+    if (flags.log_plain) cJSON_AddStringToObject(logg,"plain","yes"); else cJSON_AddStringToObject(logg,"plain","no");
+    if (flags.log_json) cJSON_AddStringToObject(logg,"json","yes"); else cJSON_AddStringToObject(logg,"json","no");
+
+    cJSON_AddItemToObject(root,"logging",logg);
+
+    return root;
+}
+
+void _mdebug1(const char * file, int line, const char * func, const char *msg, ...)
+{
+    if (dbg_flag >= 1) {
+        va_list args;
+        int level = LOGLEVEL_DEBUG;
+        const char *tag = __local_name;
+        va_start(args, msg);
+        _log(level, tag, file, line, func, msg, args);
+        va_end(args);
+    }
+}
+
+void _plain_mdebug1(const char * file, int line, const char * func, const char *msg, ...)
+{
+    if (dbg_flag >= 1) {
+        va_list args;
+        int level = LOGLEVEL_DEBUG;
+        const char *tag = __local_name;
+        va_start(args, msg);
+        _log_function(level, tag, file, line, func, msg, true, args);
+        va_end(args);
+    }
+}
+
+void _mtdebug1(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    if (dbg_flag >= 1) {
+        va_list args;
+        int level = LOGLEVEL_DEBUG;
+        va_start(args, msg);
+        _log(level, tag, file, line, func, msg, args);
+        va_end(args);
+    }
+}
+
+void _mdebug2(const char * file, int line, const char * func, const char *msg, ...)
+{
+    if (dbg_flag >= 2) {
+        va_list args;
+        int level = LOGLEVEL_DEBUG;
+        const char *tag = __local_name;
+        va_start(args, msg);
+        _log(level, tag, file, line, func, msg, args);
+        va_end(args);
+    }
+}
+
+void _mtdebug2(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    if (dbg_flag >= 2) {
+        va_list args;
+        int level = LOGLEVEL_DEBUG;
+        va_start(args, msg);
+        _log(level, tag, file, line, func, msg, args);
+        va_end(args);
+    }
+}
+
+void _merror(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_ERROR;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _plain_merror(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_ERROR;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log_function(level, tag, file, line, func, msg, true, args);
+    va_end(args);
+}
+
+void _mterror(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_ERROR;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _mverror(const char * file, int line, const char * func, const char *msg, va_list args)
+{
+    int level = LOGLEVEL_ERROR;
+    const char *tag = __local_name;
+    _log(level, tag, file, line, func, msg, args);
+}
+
+void _mwarn(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_WARNING;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _plain_mwarn(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_WARNING;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log_function(level, tag, file, line, func, msg, true, args);
+    va_end(args);
+}
+
+void _mtwarn(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_WARNING;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _mvwarn(const char * file, int line, const char * func, const char *msg, va_list args)
+{
+    int level = LOGLEVEL_WARNING;
+    const char *tag = __local_name;
+    _log(level, tag, file, line, func, msg, args);
+}
+
+void _minfo(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_INFO;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _plain_minfo(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_INFO;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log_function(level, tag, file, line, func, msg, true, args);
+    va_end(args);
+}
+
+void _mtinfo(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_INFO;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+}
+
+void _mvinfo(const char * file, int line, const char * func, const char *msg, va_list args)
+{
+    int level = LOGLEVEL_INFO;
+    const char *tag = __local_name;
+    _log(level, tag, file, line, func, msg, args);
+}
+
+/* Only logs to a file */
+void _mferror(const char * file, int line, const char * func, const char *msg, ...)
+{
+    int level = LOGLEVEL_ERROR;
+    const char *tag = __local_name;
+    int dbg_tmp;
+    va_list args;
+    va_start(args, msg);
+
+    /* We set daemon flag to 1, so nothing is printed to the terminal */
+    dbg_tmp = daemon_flag;
+    daemon_flag = 1;
+    _log(level, tag, file, line, func, msg, args);
+
+    daemon_flag = dbg_tmp;
+
+    va_end(args);
+}
+
+/* Only logs to a file */
+void _mtferror(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    int level = LOGLEVEL_ERROR;
+    int dbg_tmp;
+    va_list args;
+    va_start(args, msg);
+
+    /* We set daemon flag to 1, so nothing is printed to the terminal */
+    dbg_tmp = daemon_flag;
+    daemon_flag = 1;
+    _log(level, tag, file, line, func, msg, args);
+
+    daemon_flag = dbg_tmp;
+
+    va_end(args);
+}
+
+void _merror_exit(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_CRITICAL;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+
+#ifdef WIN32
+    /* If not MA */
+#ifndef MA
+    WinSetError();
+#endif
+#endif
+
+    exit(1);
+}
+
+void _plain_merror_exit(const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_CRITICAL;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log_function(level, tag, file, line, func, msg, true, args);
+    va_end(args);
+
+#ifdef WIN32
+    /* If not MA */
+#ifndef MA
+    WinSetError();
+#endif
+#endif
+
+    exit(1);
+}
+
+void _mterror_exit(const char *tag, const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    int level = LOGLEVEL_CRITICAL;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+
+#ifdef WIN32
+    /* If not MA */
+#ifndef MA
+    WinSetError();
+#endif
+#endif
+
+    exit(1);
+}
+
+void _mlerror_exit(const int level, const char * file, int line, const char * func, const char *msg, ...)
+{
+    va_list args;
+    const char *tag = __local_name;
+
+    va_start(args, msg);
+    _log(level, tag, file, line, func, msg, args);
+    va_end(args);
+
+#ifdef WIN32
+    /* If not MA */
+#ifndef MA
+    WinSetError();
+#endif
+#endif
+
+    exit(1);
+}
+
+void nowChroot()
+{
+    chroot_flag = 1;
+}
+
+void nowDaemon()
+{
+    daemon_flag = 1;
+}
+
+void print_out(const char *msg, ...)
+{
+    va_list args;
+    va_start(args, msg);
+
+    /* Print to stderr */
+    (void)vfprintf(stderr, msg, args);
+
+#ifdef WIN32
+    (void)fprintf(stderr, "\r\n");
+#else
+    (void)fprintf(stderr, "\n");
+#endif
+
+    va_end(args);
+}
+
+void nowDebug()
+{
+    dbg_flag++;
+}
+
+int isDebug(void)
+{
+    return dbg_flag;
+}
+
+int isChroot()
+{
+    return (chroot_flag);
+}
+
+#ifdef WIN32
+char * win_strerror(unsigned long error) {
+    static TCHAR messageBuffer[4096];
+    LPSTR end;
+
+    FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, error, 0, messageBuffer, sizeof(messageBuffer) / sizeof(TCHAR), NULL);
+
+    if (end = strchr(messageBuffer, '\r'), end) {
+        *end = '\0';
+    }
+
+    return messageBuffer;
+}
+#endif
+
+void mtLoggingFunctionsWrapper(int level, const char* tag, const char* file, int line, const char* func, const char* msg, va_list args) {
+    switch(level) {
+        case(LOGLEVEL_DEBUG):
+            if (dbg_flag >= 1) {
+                _log(level, tag, file, line, func, msg, args);
+            }
+            break;
+        case(LOGLEVEL_DEBUG_VERBOSE):
+            if (dbg_flag >= 2) {
+                _log(LOGLEVEL_DEBUG, tag, file, line, func, msg, args);
+            }
+            break;
+        case(LOGLEVEL_INFO):
+        case(LOGLEVEL_WARNING):
+        case(LOGLEVEL_ERROR):
+            _log(level, tag, file, line, func, msg, args);
+            break;
+        case(LOGLEVEL_CRITICAL):
+            _log(level, tag, file, line, func, msg, args);
+#ifdef WIN32
+            /* If not MA */
+#ifndef MA
+            WinSetError();
+#endif
+#endif
+            exit(1);
+            break;
+        default:
+            break;
+    }
+}
diff --git a/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.c b/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.c
new file mode 100644
index 0000000000..ba7494bed9
--- /dev/null
+++ b/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.c
@@ -0,0 +1,226 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "debug_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <stdio.h>
+
+int __wrap_isChroot() {
+    return mock();
+}
+
+void __wrap__mdebug1(__attribute__((unused)) const char * file,
+                     __attribute__((unused)) int line,
+                     __attribute__((unused)) const char * func,
+                     const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mdebug2(__attribute__((unused)) const char * file,
+                     __attribute__((unused)) int line,
+                     __attribute__((unused)) const char * func,
+                     const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__merror(__attribute__((unused)) const char * file,
+                    __attribute__((unused)) int line,
+                    __attribute__((unused)) const char * func,
+                    const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__merror_exit(__attribute__((unused)) const char * file,
+                         __attribute__((unused)) int line,
+                         __attribute__((unused)) const char * func,
+                         const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+    mock_assert(0, "merror_exit called", file, line);
+}
+
+void __wrap__mferror(__attribute__((unused)) const char * file,
+                    __attribute__((unused)) int line,
+                    __attribute__((unused)) const char * func,
+                    const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__minfo(__attribute__((unused)) const char * file,
+                   __attribute__((unused)) int line,
+                   __attribute__((unused)) const char * func,
+                   const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mtdebug1(const char *tag,
+                      __attribute__((unused)) const char * file,
+                      __attribute__((unused)) int line,
+                      __attribute__((unused)) const char * func,
+                      const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mtdebug2(const char *tag,
+                      __attribute__((unused)) const char * file,
+                      __attribute__((unused)) int line,
+                      __attribute__((unused)) const char * func,
+                      const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mterror(const char *tag,
+                     __attribute__((unused)) const char * file,
+                     __attribute__((unused)) int line,
+                     __attribute__((unused)) const char * func,
+                     const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mterror_exit(const char *tag,
+                          __attribute__((unused)) const char * file,
+                          __attribute__((unused)) int line,
+                          __attribute__((unused)) const char * func,
+                          const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mtinfo(const char *tag,
+                    __attribute__((unused)) const char * file,
+                    __attribute__((unused)) int line,
+                    __attribute__((unused)) const char * func,
+                    const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mtwarn(const char *tag,
+                    __attribute__((unused)) const char * file,
+                    __attribute__((unused)) int line,
+                    __attribute__((unused)) const char * func,
+                    const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void __wrap__mwarn(__attribute__((unused)) const char * file,
+                   __attribute__((unused)) int line,
+                   __attribute__((unused)) const char * func,
+                   const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+char * __wrap_win_strerror(__attribute__((unused)) unsigned long error) {
+    return mock_type(char*);
+}
+
diff --git a/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.h b/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.h
new file mode 100644
index 0000000000..aed66bcdd8
--- /dev/null
+++ b/src/common/debug_op/tests/unit/wrappers/debug_op_wrappers.h
@@ -0,0 +1,91 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef DEBUG_OP_WRAPPERS_H
+#define DEBUG_OP_WRAPPERS_H
+
+#include "../headers/defs.h"
+
+int __wrap_isChroot();
+
+void __wrap__mdebug1(const char * file,
+                     int line,
+                     const char * func,
+                     const char *msg, ...);
+
+void __wrap__mdebug2(const char * file,
+                     int line,
+                     const char * func,
+                     const char *msg, ...);
+
+void __wrap__merror(const char * file,
+                    int line,
+                    const char * func,
+                    const char *msg, ...);
+
+void __wrap__merror_exit(const char * file,
+                         int line,
+                         const char * func,
+                         const char *msg, ...);
+
+void __wrap__mferror(const char * file,
+                    int line,
+                    const char * func,
+                    const char *msg, ...);
+
+void __wrap__minfo(const char * file,
+                  int line,
+                  const char * func,
+                  const char *msg, ...);
+
+void __wrap__mtdebug1(const char *tag,
+                      const char * file,
+                      int line,
+                      const char * func,
+                      const char *msg, ...);
+
+void __wrap__mtdebug2(const char *tag,
+                      const char * file,
+                      int line,
+                      const char * func,
+                      const char *msg, ...);
+
+void __wrap__mterror(const char *tag,
+                      const char * file,
+                      int line,
+                      const char * func,
+                      const char *msg, ...);
+
+void __wrap__mterror_exit(const char *tag,
+                          const char * file,
+                          int line,
+                          const char * func,
+                          const char *msg, ...);
+
+void __wrap__mtinfo(const char *tag,
+                          const char * file,
+                          int line,
+                          const char * func,
+                          const char *msg, ...);
+
+void __wrap__mtwarn(const char *tag,
+                          const char * file,
+                          int line,
+                          const char * func,
+                          const char *msg, ...);
+
+void __wrap__mwarn(const char * file,
+                   int line,
+                   const char * func,
+                   const char *msg, ...);
+
+char * __wrap_win_strerror(unsigned long error);
+
+#endif
diff --git a/src/modules/logcollector/tests/CMakeLists.txt b/src/common/dll_load_notify/CMakeLists.txt
similarity index 100%
rename from src/modules/logcollector/tests/CMakeLists.txt
rename to src/common/dll_load_notify/CMakeLists.txt
diff --git a/src/common/dll_load_notify/include/dll_load_notify.h b/src/common/dll_load_notify/include/dll_load_notify.h
new file mode 100644
index 0000000000..8aa0a644f8
--- /dev/null
+++ b/src/common/dll_load_notify/include/dll_load_notify.h
@@ -0,0 +1,73 @@
+/*
+ * Dll load notification helper.
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 16, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DLL_LOAD_NOTIFY_H
+#define _DLL_LOAD_NOTIFY_H
+
+#ifdef WIN32
+#include "cryptography.h"
+#include <winternl.h>
+#include <windows.h>
+#include <psapi.h>
+
+enum LDR_DLL_NOTIFICATION_REASON
+{
+	LDR_DLL_NOTIFICATION_REASON_LOADED = 1,
+	LDR_DLL_NOTIFICATION_REASON_UNLOADED = 2,
+};
+
+typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
+	ULONG flags;                      //Reserved.
+	PCUNICODE_STRING full_dll_name;   //The full path name of the DLL module.
+	PCUNICODE_STRING base_dll_name;   //The base file name of the DLL module.
+	PVOID dll_base;                   //A pointer to the base address for the DLL in memory.
+	ULONG size_of_image;              //The size of the DLL image, in bytes.
+} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
+
+typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
+	ULONG flags;                      //Reserved.
+	PCUNICODE_STRING full_dll_name;   //The full path name of the DLL module.
+	PCUNICODE_STRING base_dll_name;   //The base file name of the DLL module.
+	PVOID dll_base;                   //A pointer to the base address for the DLL in memory.
+	ULONG size_of_image;              //The size of the DLL image, in bytes.
+} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA {
+	LDR_DLL_LOADED_NOTIFICATION_DATA loaded;
+	LDR_DLL_UNLOADED_NOTIFICATION_DATA unloaded;
+} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
+
+
+typedef VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(
+	_In_     ULONG                       notification_reason,
+	_In_     PLDR_DLL_NOTIFICATION_DATA  notification_data,
+	_In_opt_ PVOID                       context
+);
+
+
+typedef NTSTATUS (NTAPI *_LdrRegisterDllNotification)(
+	_In_     ULONG                          flags,
+	_In_     PLDR_DLL_NOTIFICATION_FUNCTION notification_function,
+	_In_opt_ PVOID                          context,
+	_Out_    PVOID                          *cookie
+);
+
+typedef NTSTATUS (NTAPI *_LdrUnregisterDllNotification)(
+	_In_ PVOID Cookie
+);
+
+/**
+ * @brief Enable and verify the DLL load notifications.
+ */
+void enable_dll_verification();
+
+#endif // WIN32
+#endif // _DLL_LOAD_NOTIFY_H
diff --git a/src/common/dll_load_notify/src/dll_load_notify.c b/src/common/dll_load_notify/src/dll_load_notify.c
new file mode 100644
index 0000000000..3d69e9fbff
--- /dev/null
+++ b/src/common/dll_load_notify/src/dll_load_notify.c
@@ -0,0 +1,163 @@
+/*
+ * Dll load notification helper.
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 16, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/**************************************************************************************
+    WARNING: all the logging functions of this file must use the plain_ variant
+    to avoid calling any external library that could be loaded during the signature
+    verification.
+
+    Also, all os_ functions that contain merror_exit were avoided for the same reason.
+**************************************************************************************/
+
+#include "shared.h"
+#include "dll_load_notify.h"
+
+#ifdef WIN32
+#include <versionhelpers.h>
+
+_LdrRegisterDllNotification LdrRegisterDllNotification = NULL;
+_LdrUnregisterDllNotification LdrUnregisterDllNotifcation = NULL;
+PVOID cookie_dll_notification = NULL;
+
+/**
+ *@brief Verify all the DLLs that are already loaded
+ */
+static void loaded_modules_verification()
+{
+#if IMAGE_TRUST_CHECKS != 0
+    HMODULE handle_module[OS_SIZE_1024];
+    HANDLE handle_process = GetCurrentProcess();
+    DWORD handle_bytes_needed = 0;
+
+    if (EnumProcessModules(handle_process,
+                           handle_module,
+                           sizeof(handle_module), &handle_bytes_needed)) {
+
+        for (size_t i = 0; i < (handle_bytes_needed / sizeof(HMODULE)); i++) {
+            wchar_t module_name[MAX_PATH];
+
+            // Get the full path to the module's file.
+            if (GetModuleFileNameExW(handle_process,
+                                     handle_module[i],
+                                     module_name,
+                                     sizeof(module_name) / sizeof(wchar_t))) {
+                // Check if the images loaded are signed.
+                if (verify_hash_and_pe_signature(module_name) != OS_SUCCESS) {
+                    const char* ERROR_MESSAGE = "The file '%S' is not signed or its signature is invalid.";
+#if IMAGE_TRUST_CHECKS == 2
+                    plain_merror_exit(ERROR_MESSAGE, module_name);
+#else
+                    plain_mwarn(ERROR_MESSAGE, module_name);
+#endif // IMAGE_TRUST_CHECKS == 2
+                } else {
+                    plain_mdebug1("The file '%S' is signed and its signature is valid.", module_name);
+                }
+            }
+        }
+    } else {
+        const char* ERROR_MESSAGE = "The mechanism of signature validation for loaded modules at startup failed because"
+                                    " the modules of the process couldn't be enumerated. Error: %lu";
+#if IMAGE_TRUST_CHECKS == 2
+        plain_merror_exit(ERROR_MESSAGE, GetLastError());
+#else
+        plain_mwarn(ERROR_MESSAGE, GetLastError());
+#endif // IMAGE_TRUST_CHECKS == 2
+
+    }
+#endif // IMAGE_TRUST_CHECKS != 0
+}
+
+/**
+ * @brief Callback function for DLL load notifications
+ * @param reason Reason for the notification.
+ * @param notification_data Data for the notification.
+ * @param context Context for the notification.
+ */
+void CALLBACK dll_notification(ULONG reason,
+                               PLDR_DLL_NOTIFICATION_DATA notification_data,
+                               __attribute__((unused)) PVOID context)
+{
+    const char* ERROR_MESSAGE = "The file '%S' is not signed or its signature is invalid.";
+    //Check for the reason
+    switch(reason)
+    {
+    case LDR_DLL_NOTIFICATION_REASON_LOADED:
+#if IMAGE_TRUST_CHECKS != 0
+        if (verify_hash_and_pe_signature(notification_data->loaded.full_dll_name->Buffer) != OS_SUCCESS) {
+#if IMAGE_TRUST_CHECKS == 2
+            plain_merror_exit(ERROR_MESSAGE, notification_data->loaded.full_dll_name->Buffer);
+#else
+            plain_mwarn(ERROR_MESSAGE, notification_data->loaded.full_dll_name->Buffer);
+#endif // IMAGE_TRUST_CHECKS == 2
+        } else {
+            plain_mdebug1("The file '%S' is signed and its signature is valid.",
+                    notification_data->loaded.full_dll_name->Buffer);
+        }
+#endif // IMAGE_TRUST_CHECKS != 0
+        break;
+    case LDR_DLL_NOTIFICATION_REASON_UNLOADED:
+        plain_mdebug1("Unloaded: '%S'", notification_data->unloaded.full_dll_name->Buffer);
+        break;
+    }
+}
+
+/**
+ * @brief Register for DLL load notifications and verify all the DLLs that are already loaded
+ */
+void enable_dll_verification()
+{
+#if IMAGE_TRUST_CHECKS != 0
+    // Check if all loaded DLLs are signed.
+    if (ERROR_SUCCESS != check_ca_available()) {
+        const char* ERROR_MESSAGE = "The dynamic signature validation is not available because the CA name('"
+                                    CA_NAME
+                                    "') is not available.";
+#if IMAGE_TRUST_CHECKS == 2
+        plain_merror_exit(ERROR_MESSAGE);
+#else
+        plain_mwarn(ERROR_MESSAGE);
+#endif
+    } else {
+        loaded_modules_verification();
+
+        // Register for DLL load notifications.
+        HMODULE handle_ntdll = GetModuleHandle("ntdll.dll");
+        if (handle_ntdll) {
+            LdrRegisterDllNotification = (_LdrRegisterDllNotification)GetProcAddress(handle_ntdll,
+                                                                                    "LdrRegisterDllNotification");
+            // If the function is available, the feature is available.
+            if (LdrRegisterDllNotification)
+            {
+                LdrRegisterDllNotification(0, &dll_notification, NULL, &cookie_dll_notification);
+            } else {
+                const char* ERROR_MESSAGE = "The dynamic signature validation is not available for this system. Error"
+                                            " %lu: %s";
+#if IMAGE_TRUST_CHECKS == 2
+                plain_merror_exit(ERROR_MESSAGE, GetLastError(), win_strerror(GetLastError()));
+#else
+                plain_mwarn(ERROR_MESSAGE, GetLastError(), win_strerror(GetLastError()));
+#endif // IMAGE_TRUST_CHECKS == 2
+            }
+        } else {
+            const char* ERROR_MESSAGE = "The mechanism of dynamic signature validation for loaded modules wasn't "
+                                        "initiated because it wasn't possible to get the handle of 'ntdll.dll'. "
+                                        "Error %lu: %s";
+#if IMAGE_TRUST_CHECKS == 2
+            plain_merror_exit(ERROR_MESSAGE, GetLastError(), win_strerror(GetLastError()));
+#else
+            plain_mwarn(ERROR_MESSAGE, GetLastError(), win_strerror(GetLastError()));
+#endif // IMAGE_TRUST_CHECKS == 2
+        }
+    }
+#endif // IMAGE_TRUST_CHECKS != 0
+}
+
+#endif // WIN32
diff --git a/src/common/encodingHelper/CMakeLists.txt b/src/common/encodingHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/encodingHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/encodingHelper/include/encodingWindowsHelper.h b/src/common/encodingHelper/include/encodingWindowsHelper.h
new file mode 100644
index 0000000000..ecfd82888c
--- /dev/null
+++ b/src/common/encodingHelper/include/encodingWindowsHelper.h
@@ -0,0 +1,82 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 16, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+
+#ifdef WIN32
+
+#ifndef _ENCODING_WINDOWS_HELPER_H
+#define _ENCODING_WINDOWS_HELPER_H
+
+#include <winsock2.h>
+#include <windows.h>
+#include <string>
+#include <memory>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+#pragma GCC diagnostic ignored "-Wreturn-type"
+#pragma GCC diagnostic ignored "-Wcast-function-type"
+
+namespace Utils
+{
+    class EncodingWindowsHelper final
+    {
+        public:
+            static std::string wstringToStringUTF8(const std::wstring& inputArgument)
+            {
+                std::string retVal;
+
+                if (!inputArgument.empty())
+                {
+                    const auto inputArgumentSize{static_cast<int>(inputArgument.size())};
+                    const auto sizeNeeded {WideCharToMultiByte(CP_UTF8, 0, inputArgument.data(), inputArgumentSize, nullptr, 0, nullptr, nullptr)};
+                    const auto buffer{std::make_unique<char[]>(sizeNeeded)};
+
+                    if (WideCharToMultiByte(CP_UTF8, 0, inputArgument.data(), inputArgumentSize, buffer.get(), sizeNeeded, nullptr, nullptr) > 0)
+                    {
+                        retVal.assign(buffer.get(), sizeNeeded);
+                    }
+                }
+
+                return retVal;
+            }
+
+            static std::wstring stringToWStringAnsi(const std::string& inputArgument)
+            {
+                std::wstring retVal;
+
+                if (!inputArgument.empty())
+                {
+                    const auto inputArgumentSize{static_cast<int>(inputArgument.size())};
+                    const auto sizeNeeded {MultiByteToWideChar(CP_ACP, 0, inputArgument.data(), inputArgumentSize, nullptr, 0)};
+                    const auto buffer{std::make_unique<wchar_t[]>(sizeNeeded)};
+
+                    if (MultiByteToWideChar(CP_ACP, 0, inputArgument.data(), inputArgumentSize, buffer.get(), sizeNeeded) > 0)
+                    {
+                        retVal.assign(buffer.get(), sizeNeeded);
+                    }
+                }
+
+                return retVal;
+            }
+
+            static std::string stringAnsiToStringUTF8(const std::string& inputArgument)
+            {
+                return wstringToStringUTF8(stringToWStringAnsi(inputArgument));
+            }
+    };
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _ENCODING_WINDOWS_HELPER_H
+
+#endif //WIN32
diff --git a/src/common/encodingHelper/tests/CMakeLists.txt b/src/common/encodingHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..eb649d8e92
--- /dev/null
+++ b/src/common/encodingHelper/tests/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC
+    "encodingWindows_test.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/encodingHelper/tests/encodingWindows_test.cpp b/src/common/encodingHelper/tests/encodingWindows_test.cpp
new file mode 100644
index 0000000000..48331e22a4
--- /dev/null
+++ b/src/common/encodingHelper/tests/encodingWindows_test.cpp
@@ -0,0 +1,45 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 17, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef WIN32
+#include "encodingWindows_test.h"
+#include "encodingWindowsHelper.h"
+#include "json.hpp"
+
+void EncodingWindowsHelperTest::SetUp() {};
+
+void EncodingWindowsHelperTest::TearDown() {};
+
+TEST_F(EncodingWindowsHelperTest, NoExceptConversion)
+{
+    nlohmann::json test;
+    std::wstring wideString = L"Eines de correcció del Microsoft Office 2016: català";
+    std::string multibyteString;
+    multibyteString.assign(wideString.begin(), wideString.end());
+    test["correct"] = Utils::EncodingWindowsHelper::stringAnsiToStringUTF8(multibyteString);
+    EXPECT_NO_THROW(test.dump());
+}
+
+TEST_F(EncodingWindowsHelperTest, ExceptWithoutConversion)
+{
+    nlohmann::json test;
+    std::wstring wideString = L"Eines de correcció del Microsoft Office 2016: català";
+    std::string multibyteString;
+    multibyteString.assign(wideString.begin(), wideString.end());
+    test["incorrect"] = multibyteString;
+    EXPECT_ANY_THROW(test.dump());
+}
+
+TEST_F(EncodingWindowsHelperTest, ReturnValueEmptyConversion)
+{
+    EXPECT_EQ(Utils::EncodingWindowsHelper::stringAnsiToStringUTF8(""), "");
+}
+
+#endif
\ No newline at end of file
diff --git a/src/common/encodingHelper/tests/encodingWindows_test.h b/src/common/encodingHelper/tests/encodingWindows_test.h
new file mode 100644
index 0000000000..0d8d8f2893
--- /dev/null
+++ b/src/common/encodingHelper/tests/encodingWindows_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * February 17, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef ENCODING_WINDOWS_HELPER_TEST_H
+#define ENCODING_WINDOWS_HELPER_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class EncodingWindowsHelperTest : public ::testing::Test
+{
+    protected:
+
+        EncodingWindowsHelperTest() = default;
+        virtual ~EncodingWindowsHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //ENCODING_WINDOWS_HELPER_TEST_H
\ No newline at end of file
diff --git a/src/common/encodingHelper/tests/main.cpp b/src/common/encodingHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/encodingHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/error_messages/CMakeLists.txt b/src/common/error_messages/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/error_messages/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/error_messages/include/debug_messages.h b/src/common/error_messages/include/debug_messages.h
new file mode 100644
index 0000000000..83d4f48810
--- /dev/null
+++ b/src/common/error_messages/include/debug_messages.h
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 17, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef DEBUG_MESSAGES_H
+#define DEBUG_MESSAGES_H
+
+/* File integrity monitoring debug messages */
+#define FIM_DIFF_SKIPPED                    "(6200): Diff execution skipped for containing insecure characters."
+#define FIM_SCHED_BATCH                     "(6201): Setting SCHED_BATCH returned: '%d'"
+#define FIM_LOCAL_DIFF_DELETE               "(6202): Deleting backup '%s'. Not monitored anymore."
+#define FIM_FILE_IGNORE_RESTRICT            "(6203): Ignoring entry '%s' due to restriction '%s'"
+#define FIM_IGNORE_ENTRY                    "(6204): Ignoring path '%s' due to pattern '%s'"
+#define FIM_IGNORE_SREGEX                   "(6205): Ignoring path '%s' due to sregex '%s'"
+#define FIM_TAG_ADDED                       "(6206): Adding tag '%s' to directory '%s'"
+#define FIM_READING_REGISTRY                "(6207): Attempt to read: '%s%s'"
+#define FIM_CLIENT_CONFIGURATION            "(6208): Reading Client Configuration [%s]"
+#define FIM_LOCALDIFF_DELETE                "(6209): Deleting '%s' from local hash table."
+#define FIM_CANNOT_ACCESS_FILE              "(6210): Cannot access '%s': it was removed during scan."
+#define FIM_SCANNING_FILE                   "(6211): File '%s'"
+#define FIM_SIMBOLIC_LINK_DISABLE           "(6212): Follow symbolic links disabled."
+#define FIM_CHECK_LINK_REALPATH             "(6213): Cannot get the real path of the link '%s'"
+#define FIM_HASH_ADD_FAIL                   "(6214): Not enough memory to add inode to db: '%s' (%s) "
+#define FIM_HASH_UPDATE                     "(6215): Updating path '%s' in inode hash table: '%s' (%s) "
+#define FIM_SCANNING_IRREGFILE              "(6216): IRREG File: '%s'"
+#define FIM_MAX_RECURSION_LEVEL             "(6217): Maximum level of recursion reached. Depth:%d recursion_level:%d '%s'"
+#define FIM_SYMBOLIC_LINK_DISCARDED         "(6218): Discarding symbolic link '%s' is already added in the configuration."
+#define FIM_SYMBOLIC_LINK_ADD               "(6219): Directory added to FIM configuration by link '%s'"
+
+#define FIM_FREQUENCY_DIRECTORY             "(6221): Directory loaded from syscheck db: '%s'"
+#define FIM_STAT_FAILED                     "(6222): Stat() function failed on: '%s' due to [(%d)-(%s)]"
+#define FIM_SKIP_NFS                        "(6223): FIM skip_nfs=%d, '%s'::is_nfs=%d"
+#define FIM_REALTIME_HASH_DUP               "(6224): Entry '%s' already exists in the RT hash table."
+#define FIM_REALTIME_MONITORING             "(6225): The '%s' directory starts to be monitored in real-time mode."
+#define FIM_REALTIME_NEWPATH                "(6226): Scanning new file '%s' with options for directory '%s'"
+#define FIM_REALTIME_NEWDIRECTORY           "(6227): Directory added for real time monitoring: '%s'"
+#define FIM_REALTIME_DISCARD_EVENT          "(6228): Real-time event with same checksum for file: '%s'. Ignoring it."
+#define FIM_WHODATA_HANDLE_UPDATE           "(6229): The handler ('%s') will be updated."
+#define FIM_WHODATA_NEWDIRECTORY            "(6230): Monitoring with Audit: '%s'"
+#define FIM_WHODATA_SCAN                    "(6231): The '%s' directory has been scanned after detecting event of new files."
+#define FIM_WHODATA_SCAN_ABORTED            "(6232): Scanning of the '%s' directory is aborted because something has gone wrong."
+#define FIM_WHODATA_CHECKTHREAD             "(6233): Checking thread set to '%d' seconds."
+#define FIM_LINK_ALREADY_ADDED              "(6234): Directory '%s' already monitored, ignoring link."
+#define FIM_WHODATA_FULLQUEUE               "(6235): Real-time Whodata events queue for Windows is full. Removing the first '%d'"
+#define FIM_WHODATA_EVENT_DELETED           "(6236): '%d' events have been deleted from the whodata list."
+#define FIM_WHODATA_EVENTQUEUE_VALUES       "(6237): Whodata event queue values for Windows -> max_size:'%d' | max_remove:'%d' | alert_threshold:'%d'",
+#define FIM_WHODATA_IGNORE                  "(6238): The file '%s' has been marked as ignored. It will be discarded."
+#define FIM_WHODATA_NOT_ACTIVE              "(6239): '%s' is discarded because its monitoring is not activated."
+#define FIM_WHODATA_CANCELED                "(6240): The monitoring of '%s' in whodata mode has been canceled. Added to the ignore list."
+#define FIM_WHODATA_DIRECTORY_SCANNED       "(6241): The '%s' directory has been scanned. It does not need to be scanned again."
+#define FIM_WHODATA_NEW_FILES               "(6242): New files have been detected in the '%s' directory after the last scan."
+#define FIM_WHODATA_DIRECTORY_DISCARDED     "(6243): The '%s' directory has been discarded because it is not being monitored in whodata mode."
+#define FIM_WHODATA_CHECK_NEW_FILES         "(6244): New files have been detected in the '%s' directory and will be scanned."
+#define FIM_WHODATA_NO_NEW_FILES            "(6245): The '%s' directory has not been scanned because no new files have been detected. Mask: '%x'"
+#define FIM_WHODATA_INVALID_UID             "(6246): Invalid identifier for user '%s'"
+#define FIM_AUDIT_EVENT                     "(6247): audit_event: uid=%s, auid=%s, euid=%s, gid=%s, pid=%i, ppid=%i, inode=%s, path=%s, pname=%s",
+#define FIM_AUDIT_EVENT1                    "(6248): audit_event_1/2: uid=%s, auid=%s, euid=%s, gid=%s, pid=%i, ppid=%i, inode=%s, path=%s, pname=%s",
+#define FIM_AUDIT_EVENT2                    "(6249): audit_event_2/2: uid=%s, auid=%s, euid=%s, gid=%s, pid=%i, ppid=%i, inode=%s, path=%s, pname=%s",
+#define FIM_AUDIT_DELETE_RULE               "(6250): Deleting Audit rules."
+#define FIM_AUDIT_MATCH_KEY                 "(6251): Match audit_key: '%s'"
+#define FIM_HEALTHCHECK_CREATE              "(6252): Whodata health-check: Detected file creation event (%s)"
+#define FIM_HEALTHCHECK_DELETE              "(6253): Whodata health-check: Detected file deletion event (%s)"
+#define FIM_HEALTHCHECK_UNRECOGNIZED_EVENT  "(6254): Whodata health-check: Unrecognized event (%s)"
+#define FIM_HEALTHCHECK_THREAD_ACTIVE       "(6255): Whodata health-check: Reading thread active."
+#define FIM_HEALTHCHECK_THREAD_FINISHED     "(6256): Whodata health-check: Reading thread finished."
+#define FIM_HEALTHCHECK_CREATE_ERROR        "(6257): Whodata health-check: Failed to receive creation event."
+#define FIM_UNABLE_TO_READ_TEMP_FILE        "(6258): Detected error or EOF before processing all entries."
+#define FIM_REG_IGNORE_SREGEX               "(6259): Ignoring '%s' '%s %s' due to sregex '%s'"
+#define FIM_REG_IGNORE_ENTRY                "(6260): Ignoring '%s' '%s %s' due to '%s'"
+#define FIM_HEALTHCHECK_SUCCESS             "(6261): Whodata health-check: Success."
+#define FIM_HEALTHCHECK_CHECK_RULE          "(6262): Couldn't delete audit health check rule."
+#define FIM_SACL_CHECK_CONFIGURE            "(6263): Setting up SACL for '%s'"
+#define FIM_REACHED_MAX_FPS                 "(6264): Maximum number of files read per second reached, sleeping."
+#define FIM_SACL_RESTORED                   "(6265): The SACL of '%s' has been restored correctly."
+#define FIM_SACL_CONFIGURE                  "(6266): The SACL of '%s' will be configured."
+#define FIM_SACL_NOT_FOUND                  "(6267): No SACL found on target. A new one will be created."
+#define FIM_ELEVATE_PRIVILEGE               "(6268): The '%s' privilege has been added."
+#define FIM_REDUCE_PRIVILEGE                "(6269): The '%s' privilege has been removed."
+#define FIM_AUDIT_NEWRULE                   "(6270): Added audit rule for monitoring directory: '%s'"
+#define FIM_AUDIT_RULEDUP                   "(6271): Audit rule for monitoring directory '%s' already added."
+#define FIM_INOTIFY_ADD_WATCH               "(6272): Unable to add inotify watch to real time monitoring: '%s'. '%d' '%d':'%s'"
+#define FIM_AUDIT_NOCONF                    "(6273): Cannot apply Audit config."
+#define FIM_AUDIT_NORULES                   "(6274): No rules added. Audit events reader thread will not start."
+#define FIM_AUDIT_RELOADING_RULES           "(6275): Reloading Audit rules."
+#define FIM_AUDIT_RELOADED_RULES            "(6276): Audit rules reloaded. Rules loaded: %i"
+#define FIM_AUDIT_THREAD_STOPED             "(6277): Audit thread finished."
+#define FIM_AUDIT_HEALTHCHECK_RULE          "(6278): Couldn't add audit health check rule."
+#define FIM_AUDIT_HEALTHCHECK_START         "(6279): Whodata health-check: Starting."
+#define FIM_AUDIT_HEALTHCHECK_FILE          "(6280): Couldn't create audit health check file."
+#define FIM_SYSCOM_ARGUMENTS                "(6281): SYSCOM %s needs arguments."
+#define FIM_SYSCOM_UNRECOGNIZED_COMMAND     "(6282): SYSCOM Unrecognized command '%s'"
+#define FIM_SYSCOM_FAIL_GETCONFIG           "(6283): At SYSCOM getconfig: Could not get '%s' section."
+#define FIM_SYSCOM_REQUEST_READY            "(6284): Local requests thread ready."
+#define FIM_SYSCOM_EMPTY_MESSAGE            "(6285): Empty message from local client."
+#define FIM_SYSCOM_THREAD_FINISED           "(6286): Local server thread finished."
+#define FIM_CONFIGURATION_FILE              "(6287): Reading configuration file: '%s'"
+#define FIM_SCAL_NOREFRESH                  "(6288): Could not refresh the SACL of '%s'. Its event will not be reported."
+#define FIM_DISCARD_RECYCLEBIN              "(6289): File '%s' is in the recycle bin. It will be discarded."
+#define FIM_REALTIME_ADD                    "(6290): Unable to add directory to real time monitoring: '%s'"
+#define FIM_WHODATA_REPLACELINK             "(6291): Replacing the symbolic link: '%s' -> '%s'"
+#define FIM_WHODATA_FILENOEXIST             "(6292): The '%s' file does not exist, but this will be notified when the corresponding event is received."
+#define FIM_LINKCHECK_TIME                  "(6293): Configured symbolic links will be checked every %d seconds."
+#define FIM_LINKCHECK_CHANGE                "(6294): Configured symbolic links will be checked every %d seconds."
+#define FIM_LINKCHECK_NOCHANGE              "(6295): The symbolic link of '%s' has not changed."
+#define FIM_LINKCHECK_FINALIZE              "(6296): Links check finalized."
+#define FIM_LINKCHECK_FILE                  "(6297): File '%s' was inside the unlinked directory '%s'. It will be notified."
+#define FIM_WHODATA_REMOVE_FOLDEREVENT      "(6298): Removed folder event received for '%s'"
+#define FIM_WHODATA_UNCONTROLLED_EVENT      "(6299): Uncontrolled whodata event on '%s'"
+#define FIM_WHODATA_DIRECTORY_REMOVED       "(6300): Directory '%s' has been moved or removed."
+#define FIM_WHODATA_UNCONTROLLED_REMOVE     "(6301): Uncontrolled removed folder event."
+#define FIM_WHODATA_IGNORE_EVENT            "(6302): Ignoring removing event for '%s' directory."
+#define FIM_WHODATA_DEVICE_LETTER           "(6303): Device '%s' associated with the mounting point '%s'"
+#define FIM_WHODATA_DEVICE_PATH             "(6304): Find device '%s' in path '%s'"
+#define FIM_WHODATA_DEVICE_REPLACE          "(6305): Replacing '%s' to '%s'"
+#define FIM_WHODATA_PATH_NOPROCCESED        "(6306): The path could not be processed in Whodata mode. Error: %u"
+#define FIM_CONVERT_PATH                    "(6307): Convert '%s' to '%s' to process the FIM events."
+#define FIM_WHODATA_FOLDER_REMOVED          "(6308): File '%s' was inside the removed directory '%s'. It will be notified."
+#define FIM_WHODATA_IGNORE_FILEEVENT        "(6309): Ignoring remove event for file '%s' because it has already been reported."
+#define FIM_CHECKSUM_MSG                    "(6310): Sending msg to the server: %s"
+#define FIM_PATH_EXEED_MAX                  "(6311): The path exceeds maximum permitted (%d): '%s'"
+#define FIM_DBSYNC_NO_ARGUMENT              "(6312): Data synchronization command '%s' with no argument."
+#define FIM_DBSYNC_UNKNOWN_CMD              "(6313): Unknown data synchronization command: '%s'"
+#define FIM_DBSYNC_INVALID_ARGUMENT         "(6314): Invalid data synchronization argument: '%s'"
+#define FIM_DBSYNC_DEC_ID                   "(6315): Setting global ID back to lower message ID (%ld)"
+#define FIM_DBSYNC_DROP_MESSAGE             "(6316): Dropping message with id (%ld) greater than global id (%ld)"
+#define FIM_DBSYNC_SEND                     "(6317): Sending integrity control message: %s"
+#define FIM_MONITORING_FILES_COUNT          "(6318): Number of indexed files %s scanning: %u"
+#define FIM_CONFIGURATION_NOTFOUND          "(6319): No configuration found for (%s):'%s'"
+#define FIM_PROCESS_PRIORITY                "(6320): Setting process priority to: '%d'"
+#define FIM_SEND                            "(6321): Sending FIM event: %s"
+#define FIM_AUDIT_ALREADY_ADDED             "(6322): Already added audit rule for monitoring directory: '%s'"
+#define FIM_REALTIME_DIRECTORYCHANGES       "(6323): Unable to set 'ReadDirectoryChangesW' for directory: '%s'"
+#define FIM_HASHES_FAIL                     "(6324): Couldn't generate hashes for '%s'"
+#define FIM_EXTRACT_PERM_FAIL               "(6325): It was not possible to extract the permissions of '%s'. Error: %d"
+#define FIM_RBTREE_DUPLICATE_INSERT         "(6326): Couldn't insert entry, duplicate path: '%s'"
+#define FIM_HASH_INSERT_INODE_HASH          "(6327): Unable to add inode to db: '%s' => '%s'"
+#define FIM_RBTREE_REPLACE                  "(6328): Unable to update file to db, key not found: '%s'"
+#define FIM_REGISTRY_EVENT_FAIL             "(6329): Unable to save registry key: '%s'"
+#define FIM_RUNNING_SCAN                    "(6330): The scan has been running during: %.3f sec (%.3f clock sec)"
+#define FIM_GET_ATTRIBUTES                  "(6331): Couldn't get attributes for file: '%s'"
+#define FIM_WARN_REALTIME_UNSUPPORTED       "(6332): Realtime monitoring request on unsupported system."
+#define FIM_WARN_WHODATA_UNSUPPORTED        "(6333): Whodata monitoring request on unsupported system."
+#define FIM_AUDIT_INVALID_AUID              "(6334): Audit: Invalid 'auid' value read. Check Audit configuration (PAM)."
+#define FIM_ENTRIES_INFO                    "(6335): Fim file entries count: '%d'"
+#define FIM_INODES_INFO                     "(6336): Fim inode entries: '%d', path count: '%d'"
+#define FIM_WHODATA_INVALID_UNKNOWN_UID     "(6337): The user ID could not be extracted from the event."
+#define FIM_EMPTY_DIRECTORIES_CONFIG        "(6338): Empty directories tag found in the configuration."
+
+#define FIM_DELETE_DB_TRY                   "(6340): Failed to delete FIM database '%s'- %dº try."
+#define FIM_DELETE_DB                       "(6341): Failed to delete FIM database '%s'."
+#define FIM_FILE_LIMIT_VALUE                "(6342): Maximum number of files to be monitored: '%u'"
+#define FIM_LIMIT_UNLIMITED                 "(6343): No limit set to maximum number of %s entries to be monitored"
+#define FIM_INOTIFY_WATCH_DELETED           "(6344): Inotify watch deleted for '%s'"
+#define FIM_NUM_WATCHES                     "(6345): Folders monitored with real-time engine: %u"
+#define FIM_REALTIME_CALLBACK               "(6346): Realtime watch deleted for '%s'"
+#define FIM_DIR_RECURSION_LEVEL             "(6347): Directory '%s' is already on the max recursion_level (%d), it will not be scanned."
+#define FIM_DIFF_FOLDER_SIZE                "(6348): Size of '%s' folder: %.5f KB."
+#define FIM_BIG_FILE_REPORT_CHANGES         "(6349): File '%s' is too big for configured maximum size to perform diff operation."
+#define FIM_DISK_QUOTA_LIMIT_REACHED        "(6350): The %s of the file size '%s' exceeds the disk_quota. Operation discarded."
+#define FIM_DIFF_IDENTICAL_MD5_FILES        "(6351): The files are identical, don't compute differences"
+#define FIM_DIFF_COMMAND_OUTPUT_EQUAL       "(6352): Command diff/fc output 0, files are the same"
+#define FIM_EMPTY_REGISTRY_CONFIG           "(6353): Empty windows_registry tag found in the configuration."
+#define FIM_REGISTRY_ENTRIES_INFO           "(6354): Fim registry entries count: '%d'"
+#define FIM_DIFF_FOLDER_NOT_EXIST           "(6355): Can't remove folder '%s', it does not exist."
+#define FIM_DIFF_FILE_SIZE_LIMIT            "(6356): Maximum file size limit to generate diff information configured to '%d KB' for '%s'."
+#define FIM_DISK_QUOTA_LIMIT                "(6357): Maximum disk quota size limit configured to '%d KB'."
+#define FIM_DIFF_FOLDER_DELETED             "(6358): Folder '%s' has been deleted."
+#define GLOB_NO_MATCH                       "(6359): No matches found for the glob pattern: '%s'"
+#define FIM_DB_FAIL_TO_GET_SCANNED_FILE     "(6360): Failed to get scanned value of '%s' - %s"
+#define FIM_WILDCARDS_UPDATE_START          "(6361): Starting configuration wildcards update."
+#define FIM_WILDCARDS_REMOVE_DIRECTORY      "(6362): Removing entry '%s' due to it has not been expanded by the wildcards"
+#define FIM_WILDCARDS_UPDATE_FINALIZE       "(6363): Configuration wildcards update finalize."
+#define FIM_REALTIME_MAXNUM_WATCHES         "(6364): Unable to add directory to real time monitoring: '%s' - Maximum size permitted."
+#define FIM_ADDED_RULE_TO_FILE              "(6365): Added directory '%s' to audit rules file."
+#define FIM_WHODATA_STATE_CHECKER           "(6366): Starting check of Windows Audit Policies and SACLs."
+#define FIM_WHODATA_POLICY_OPENED           "(6367): Audit policy opened successfully. Audit mode enabled."
+#define FIM_WHODATA_OBJECT_ACCESS           "(6368): Detected Audit Object Access category, checking subcategories. GUID: %s"
+#define FIM_WHODATA_SUCCESS_POLICY          "(6369): Found Audit %s subcategory configured to success. GUID: %s"
+#define FIM_REGISTRY_LIMIT_VALUE            "(6370): Maximum number of registry values to be monitored: '%u'"
+#define FIM_REGISTRY_VALUES_ENTRIES_INFO    "(6371): Fim registry values entries count: '%d'"
+#define FIM_WILDCARDS_REGISTERS_START       "(6372): Starting configuration for Windows registry wildcards."
+#define FIM_WILDCARDS_ADD_REGISTER          "(6373): Expanding entry '%s' to '%s' to monitor FIM events."
+#define FIM_WILDCARDS_REGISTERS_FINALIZE    "(6374): Wildcard configuration successfully completed."
+#define FIM_REG_VAL_INVALID_TYPE            "(6375): Invalid registry value type for report_changes. Registry key: '%s'. Registry value: '%s'."
+
+/* Modules messages */
+#define WM_UPGRADE_RESULT_AGENT_INFO         "(8151): Agent Information obtained: '%s'"
+#define WM_UPGRADE_MODULE_DISABLED           "(8152): Module Agent Upgrade disabled. Exiting..."
+#define WM_UPGRADE_MODULE_STARTED            "(8153): Module Agent Upgrade started."
+#define WM_UPGRADE_MODULE_FINISHED           "(8154): Module Agent Upgrade finished."
+#define WM_UPGRADE_INCOMMING_MESSAGE         "(8155): Incomming message: '%s'"
+#define WM_UPGRADE_RESPONSE_MESSAGE          "(8156): Response message: '%s'"
+#define WM_UPGRADE_TASK_SEND_MESSAGE         "(8157): Sending message to task_manager module: '%s'"
+#define WM_UPGRADE_TASK_RECEIVE_MESSAGE      "(8158): Receiving message from task_manager module: '%s'"
+#define WM_UPGRADE_EMPTY_MESSAGE             "(8159): Empty message from local client."
+#define WM_UPGRADE_NO_AGENTS_TO_UPGRADE      "(8160): There are no valid agents to upgrade."
+#define WM_UPGRADE_DOWNLOADING_WPK           "(8161): Downloading WPK file from: '%s'"
+#define WM_UPGRADE_SENDING_WPK_TO_AGENT      "(8162): Sending WPK to agent: '%.3d'"
+#define WM_UPGRADE_ACK_MESSAGE               "(8163): Sending upgrade ACK event: '%s'"
+#define WM_UPGRADE_ACK_RECEIVED              "(8164): Received upgrade notification from agent '%d'. Error code: '%d', message: '%s'"
+#define WM_UPGRADE_REQUEST_SEND_MESSAGE      "(8165): Sending message to agent: '%s'"
+#define WM_UPGRADE_REQUEST_RECEIVE_MESSAGE   "(8166): Receiving message from agent: '%s'"
+#define WM_UPGRADE_UPGRADE_FILE_AGENT        "(8167): Upgrade result file has been successfully erased from the agent."
+#define WM_UPGRADE_TASK_SEND_CLUSTER_MESSAGE "(8168): Sending sendsync message to task manager in master node: '%s'"
+#define WM_UPGRADE_DIFF_PACKAGE_NO_FORCE     "(8169): Agent '%d' with platform '%s' won't be upgraded using package '%s' without the force option. Ignoring..."
+#define WM_UPGRADE_DIFF_PACKAGE_FORCE        "(8170): Agent '%d' with platform '%s' will be upgraded using package '%s'"
+#define WM_UPGRADE_UNSUPPORTED_UPGRADE       "(8171): Agent '%d' with unsupported platform '%s' won't be upgraded without a default package."
+#define WM_UPGRADE_UNSUPPORTED_DEFAULT       "(8172): Agent '%d' with unsupported platform '%s' will be upgraded with package '%s'"
+
+#define MOD_TASK_START                      "(8200): Module Task Manager started."
+#define MOD_TASK_FINISH                     "(8201): Module Task Manager finished."
+#define MOD_TASK_DISABLED                   "(8202): Module disabled. Exiting..."
+#define MOD_TASK_EMPTY_MESSAGE              "(8203): Empty message from local client."
+#define MOD_TASK_INCOMMING_MESSAGE          "(8204): Incomming message: '%s'"
+#define MOD_TASK_RESPONSE_MESSAGE           "(8205): Response to message: '%s'"
+#define MOD_TASK_DISABLED_WORKER            "(8207): Module Task Manager only runs on Master nodes in cluster configuration."
+#define MOD_TASK_TASKS_DB_ERROR_IN_QUERY    "(8208): Tasks DB Error reported in the result of the query, message: '%s'"
+#define MOD_TASK_TASKS_DB_ERROR_EXECUTE     "(8209): Tasks DB Cannot execute SQL query: err database '%s/%s.db'"
+
+/* Generic messages */
+#define SUCCESSFULLY_RECONNECTED_SOCKET     "(8300): Successfully reconnected to '%s'"
+
+/* Logcollector */
+
+#define LOGCOLLECTOR_FILE_NOT_EXIST           "(9000): File '%s' no longer exists."
+#define LOGCOLLECTOR_SOCKET_TARGET            "(9001): Socket target for '%s' -> %s"
+
+#define LOGCOLLECTOR_JOURNAL_LOG_NOT_SYSLOG   "(9002): Failed to get the required fields, discarted log with timestamp '%" PRIu64 "'"
+#define LOGCOLLECTOR_JOURNAL_LOG_FIELD_ERROR  "(9003): Failed to get data field '%s' from entry with timestamp '%" PRIu64 "'. Error: %s"
+#define LOGCOLLECTOR_JOURNAL_LOG_CHECK_FILTER "(9004): Checking filters for timestamp '%s'"
+#define LOGCOLLECTOR_JOURNAL_LOG_NOT_OWNER    "(9005): Skipping is not the owner of the journal log."
+#define LOGCOLLECTOR_JOURNAL_LOG_NO_NEW       "(9006): No new entries in the journal."
+#define LOGCOLLECTOR_JOURNAL_LOG_TRUNCATED    "(9007): Message size > maximum allowed, The message will be truncated."
+#define LOGCOLLECTOR_JOURNAL_LOG_READING      "(9008): Reading from journal: '%s'."
+#define LOGCOLLECTOR_JOURNAL_LOG_SET_LAST     "(9009): Setting last read timestamp to '%" PRIu64 "'"
+
+/* Analysisd */
+
+#define MESSAGE_TOO_LONG                    "(9200): Long message, cannot be processed."
+#define UNABLE_TO_SEND_INFORMATION_TO_WDB   "(9201): Unable to send dbsync information to Wazuh DB."
+
+#endif /* DEBUG_MESSAGES_H */
diff --git a/src/common/error_messages/include/error_messages.h b/src/common/error_messages/include/error_messages.h
new file mode 100644
index 0000000000..f65f4131dd
--- /dev/null
+++ b/src/common/error_messages/include/error_messages.h
@@ -0,0 +1,605 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef ERROR_MESSAGES_H
+#define ERROR_MESSAGES_H
+
+/***  Error messages - English ***/
+
+/* SYSTEM ERRORS */
+#define FORK_ERROR    "(1101): Could not fork due to [(%d)-(%s)]."
+#define MEM_ERROR     "(1102): Could not acquire memory due to [(%d)-(%s)]."
+#define FOPEN_ERROR   "(1103): Could not open file '%s' due to [(%d)-(%s)]."
+#define SIZE_ERROR    "(1104): Maximum string size reached for: %s."
+#define NULL_ERROR    "(1105): Attempted to use null string."
+#define FORMAT_ERROR  "(1106): String not correctly formatted."
+#define MKDIR_ERROR   "(1107): Could not create directory '%s' due to [(%d)-(%s)]."
+#define HOME_ERROR    "(1108): Unable to find Wazuh install directory. Export it to WAZUH_HOME environment variable."
+#define THREAD_ERROR  "(1109): Unable to create new pthread."
+#define FWRITE_ERROR  "(1110): Could not write file '%s' due to [(%d)-(%s)]."
+#define WAITPID_ERROR "(1111): Error during waitpid()-call due to [(%d)-(%s)]."
+#define SETSID_ERROR  "(1112): Error during setsid()-call due to [(%d)-(%s)]."
+#define MUTEX_ERROR   "(1113): Unable to set pthread mutex."
+#define SELECT_ERROR  "(1114): Error during select()-call due to [(%d)-(%s)]."
+#define FREAD_ERROR   "(1115): Could not read from file '%s' due to [(%d)-(%s)]."
+#define FSEEK_ERROR   "(1116): Could not set position in file '%s' due to [(%d)-(%s)]."
+#define FILE_ERROR    "(1117): Error handling file '%s'."
+#define FSTAT_ERROR   "(1118): Could not retrieve information of file '%s' due to [(%d)-(%s)]."
+#define FGETS_ERROR   "(1119): Invalid line on file '%s': %s."
+#define GLOB_ERROR    "(1121): Glob error. Invalid pattern: '%s'."
+#define GLOB_NFOUND   "(1122): No file found by pattern: '%s'."
+#define UNLINK_ERROR  "(1123): Unable to delete file: '%s' due to [(%d)-(%s)]."
+#define RENAME_ERROR  "(1124): Could not rename file '%s' to '%s' due to [(%d)-(%s)]."
+#define OPEN_ERROR    "(1126): Unable to open file '%s' due to [(%d)-(%s)]."
+#define CHMOD_ERROR   "(1127): Could not chmod object '%s' due to [(%d)-(%s)]."
+#define MKSTEMP_ERROR "(1128): Could not create temporary file '%s' due to [(%d)-(%s)]."
+#define DELETE_ERROR  "(1129): Could not unlink file '%s' due to [(%d)-(%s)]."
+#define SETGID_ERROR  "(1130): Unable to switch to group '%s' due to [(%d)-(%s)]."
+#define SETUID_ERROR  "(1131): Unable to switch to user '%s' due to [(%d)-(%s)]."
+#define CHROOT_ERROR  "(1132): Unable to chroot to directory '%s' due to [(%d)-(%s)]."
+#define CHDIR_ERROR   "(1133): Unable to chdir to directory '%s' due to [(%d)-(%s)]."
+#define LINK_ERROR    "(1134): Unable to link from '%s' to '%s' due to [(%d)-(%s)]."
+#define CHOWN_ERROR   "(1135): Could not chown object '%s' due to [(%d)-(%s)]."
+#define EPOLL_ERROR   "(1136): Could not handle epoll descriptor."
+#define LOST_ERROR   "(1137): Lost connection with manager. Setting lock."
+#define KQUEUE_ERROR   "(1138): Could not handle kqueue descriptor."
+#define FTELL_ERROR     "(1139): Could not get position from file '%s' due to [(%d)-(%s)]."
+#define FCLOSE_ERROR  "(1140): Could not close file '%s' due to [(%d)-(%s)]."
+#define GLOB_ERROR_WIN "(1141): Glob error. Invalid pattern: '%s' or no files found."
+#define NICE_ERROR      "(1142): Cannot set process priority: %s (%d)."
+#define RMDIR_ERROR     "(1143): Unable to delete folder '%s' due to [(%d)-(%s)]."
+#define ATEXIT_ERROR    "(1144): Unable to set exit function"
+
+/* COMMON ERRORS */
+#define CONN_ERROR      "(1201): No remote connection configured."
+#define CONFIG_ERROR    "(1202): Configuration error at '%s'."
+#define USER_ERROR      "(1203): Invalid user '%s' or group '%s' given: %s (%d)"
+#define CONNTYPE_ERROR  "(1204): Invalid connection type: '%s'."
+#define PORT_ERROR      "(1205): Invalid port number: '%d'."
+#define BIND_ERROR      "(1206): Unable to Bind port '%d' due to [(%d)-(%s)]"
+#define RCONFIG_ERROR   "(1207): %s remote configuration in '%s' is corrupted."
+#define ENROLL_CONN_ERROR "(1208): Unable to connect to enrollment service at '[%s]:%d'"
+#define ENROLL_CONNECTED  "(1209): Connected to enrollment service at '[%s]:%d'"
+#define QUEUE_ERROR     "(1210): Queue '%s' not accessible: '%s'"
+#define QUEUE_FATAL     "(1211): Unable to access queue: '%s'. Giving up."
+#define PID_ERROR       "(1212): Unable to create PID file."
+#define DENYIP_WARN     "(1213): Message from '%s' not allowed. Cannot find the ID of the agent."
+#define MSG_ERROR       "(1214): Problem receiving message from '%s'."
+#define CLIENT_ERROR    "(1215): No client configured. Exiting."
+#define CONNS_ERROR     "(1216): Unable to connect to '[%s]:%d/%s': '%s'."
+#define SEC_ERROR       "(1217): Error creating encrypted message."
+#define SEND_ERROR      "(1218): Unable to send message to '%s': %s"
+#define RULESLOAD_ERROR "(1219): Unable to access the rules directory."
+#define RULES_ERROR     "(1220): Error loading the rules: '%s'."
+#define LISTS_ERROR     "(1221): Error loading the list: '%s'."
+#define IMSG_ERROR      "(1222): Invalid msg: %s"
+#define QUEUE_SEND      "(1224): Error sending message to queue."
+#define SIGNAL_RECV     "(1225): SIGNAL [(%d)-(%s)] Received. Exit Cleaning..."
+#define XML_ERROR       "(1226): Error reading XML file '%s': %s (line %d)."
+#define XML_ERROR_VAR   "(1227): Error applying XML variables '%s': %s."
+#define XML_NO_ELEM     "(1228): Element '%s' without any option."
+#define XML_INVALID     "(1229): Invalid element '%s' on the '%s' config."
+#define XML_INVELEM     "(1230): Invalid element in the configuration: '%s'."
+#define XML_ELEMNULL    "(1231): Invalid NULL element in the configuration."
+#define XML_READ_ERROR  "(1232): Error reading XML. Unknown cause."
+#define XML_INVATTR     "(1233): Invalid attribute '%s' in the configuration: '%s'."
+#define XML_VALUENULL   "(1234): Invalid NULL content for element: %s."
+#define XML_VALUEERR    "(1235): Invalid value for element '%s': %s."
+#define XML_MAXREACHED  "(1236): Maximum number of elements reached for: %s."
+#define INVALID_IP      "(1237): Invalid ip address: '%s'."
+#define INVALID_ELEMENT "(1238): Invalid value for element '%s': %s"
+#define NO_CONFIG       "(1239): Configuration file not found: '%s'."
+#define INVALID_TIME    "(1240): Invalid time format: '%s'."
+#define INVALID_DAY     "(1241): Invalid day format: '%s'."
+#define ACCEPT_ERROR    "(1242): Couldn't accept TCP connections: %s (%d)"
+#define RECV_ERROR      "(1243): Couldn't receive message from peer: %s (%d)"
+#define DUP_SECURE      "(1244): Can't add more than one secure connection."
+#define SEND_DISCON     "(1245): Sending message to disconnected agent '%s'."
+#define SHARED_ERROR    "(1246): Unable to send file '%s' to agent ID '%s'."
+#define TCP_NOT_SUPPORT "(1247): TCP not supported for this operating system."
+#define TCP_EPIPE       "(1248): Unable to send message. Connection has been closed by remote server."
+#define CONN_REF        "(1249): Unable to send message. Connection with remote server refused."
+#define ACCESS_ERROR    "(1250): Error trying to execute \"%s\": %s (%d)."
+#define MUTEX_INIT      "(1330) Cannot initialize mutex: %s (%d)."
+#define MUTEX_DESTROY   "(1331) Cannot destroy mutex: %s (%d)."
+#define MUTEX_LOCK      "(1332) Cannot lock mutex: %s (%d)."
+#define MUTEX_UNLOCK    "(1333) Cannot unlock mutex: %s (%d)."
+#define RWLOCK_INIT     "(1334) Cannot initialize rwlock: %s (%d)."
+#define RWLOCK_DESTROY  "(1335) Cannot destroy rwlock: %s (%d)."
+#define RWLOCK_LOCK_RD  "(1336) Cannot lock rwlock for reading: %s (%d)."
+#define RWLOCK_LOCK_WR  "(1337) Cannot lock rwlock for writing: %s (%d)."
+#define RWLOCK_UNLOCK   "(1338) Cannot unlock rwlock: %s (%d)."
+
+/* Mail errors */
+#define CHLDWAIT_ERROR  "(1261): Waiting for child process. (status: %d)."
+#define TOOMANY_WAIT_ERROR "(1262): Too many errors waiting for child process(es)."
+#define SNDMAIL_ERROR   "(1263): Error Sending email to %s (smtp server)"
+#define XML_INV_GRAN_MAIL "(1264): Invalid 'email_alerts' config (missing parameters)."
+#define INVALID_SMTP    "(1265): Invalid SMTP Server: %s"
+
+/* rootcheck */
+#define INVALID_RKCL_NAME  "(1251): Invalid rk configuration name: '%s'."
+#define INVALID_RKCL_VALUE "(1252): Invalid rk configuration value: '%s'."
+#define INVALID_ROOTDIR    "(1253): Invalid rootdir (unable to retrieve)."
+#define INVALID_RKCL_VAR   "(1254): Invalid rk variable: '%s'."
+#define MAX_RK_MSG        "(1255): Maximum number of global files reached: %d"
+
+/* syscheck */
+#define SK_SHUTDOWN     "(1756): Shutdown received. Releasing resources."
+#define SK_INV_REG      "(1757): Invalid syscheck registry entry: '%s'."
+#define SK_REG_OPEN     "(1758): Unable to open registry key: '%s'."
+
+/* analysisd */
+#define FTS_LIST_ERROR          "(1260): Error initiating FTS list"
+#define CRAFTED_IP              "(1271): Invalid IP Address '%s'. Possible logging attack."
+#define CRAFTED_USER            "(1272): Invalid username '%s'. Possible logging attack."
+#define INVALID_CAT             "(1273): Invalid category '%s' chosen."
+#define INVALID_CONFIG          "(1274): Invalid configuration. Element '%s': %s."
+#define INVALID_HOSTNAME        "(1275): Invalid hostname in syslog message: '%s'."
+#define INVALID_GEOIP_DB        "(1276): Cannot open GeoIP database: '%s'."
+#define FIM_INVALID_MESSAGE     "(1277): Invalid syscheck message received."
+#define UNABLE_TO_RECONNECT     "(1278): Unable to reconnect to '%s': %s (%d)."
+#define INVALID_RULE_ELEMENT    "(1279): Invalid rule element."
+#define INVALID_PREFIX          "(1283): Incorrect prefix message, message type: %s."
+#define INVALID_OPERATION       "(1284): Incorrect/unknown operation, type: %s."
+#define INVALID_RESPONSE        "(1285): Response with unexpected content."
+#define A_QUERY_ERROR           "(1286): Wazuh-db query error, check wdb logs."
+#define INVALID_TYPE            "(1287): Incorrect/unknown type value %s."
+#define WDBC_QUERY_EX_ERROR     "(1288): Wazuh-db query execution error."
+
+/* logcollector */
+#define SYSTEM_ERROR     "(1600): Internal error. Exiting.."
+#define LOGCOLLECTOR_MACOS_LOG_IREGEX_ERROR         "(1601): Invalid internal macOS log regex."
+#define LOGCOLLECTOR_MACOS_LOG_ERROR_AFTER_EXEC     "(1602): Execution error '%s'"
+#define LOGCOLLECTOR_MACOS_LOG_SHOW_INFO            "(1603): Monitoring macOS old logs with: %s."
+#define LOGCOLLECTOR_MACOS_LOG_STREAM_INFO          "(1604): Monitoring macOS logs with: %s."
+#define LOGCOLLECTOR_MACOS_LOG_SHOW_EXEC_ERROR      "(1605): Error while trying to execute `log show` as follows: %s."
+#define LOGCOLLECTOR_MACOS_LOG_STREAM_EXEC_ERROR    "(1606): Error while trying to execute `log stream` as follows: %s."
+#define LOGCOLLECTOR_MACOS_LOG_CHILD_EXITED         "(1607): macOS 'log %s' process exited, pid: %d, exit value: %d."
+
+#define LOGCOLLECTOR_JOURNAL_LOG_DISABLING          "(1608): Failed to connect to the journal, disabling journal log."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_SEEK          "(1609): Failed to move to the end of the journal, disabling journal log: %s."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_NEXT          "(1610): Failed to get the next entry, disabling journal log: %s."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_GET           "(1611): Failed to get the message from the journal"
+
+
+/* remoted */
+#define NO_REM_CONN     "(1750): No remote connection configured. Exiting."
+#define NO_CLIENT_KEYS  "(1751): File client.keys not found or empty."
+
+#define REMOTED_NET_PROTOCOL_NOT_SET  "(1752): Network protocol is not set."
+
+/* Active Response */
+#define AR_CMD_MISS     "(1280): Missing command options. " \
+                        "You must specify a 'name' and 'executable'."
+#define AR_MISS         "(1281): Missing options in the active response " \
+                        "configuration. "
+#define ARQ_ERROR       "(1301): Unable to connect to active response queue."
+#define AR_INV_LOC      "(1302): Invalid active response location: '%s'."
+#define AR_INV_CMD      "(1303): Invalid command '%s' in the active response."
+#define AR_DEF_AGENT    "(1304): No agent defined for response."
+#define AR_NO_TIMEOUT   "(1305): Timeout not allowed for command: '%s'."
+
+#define EXECD_INV_MSG   "(1310): Invalid active response (execd) message '%s'."
+#define EXEC_INV_NAME   "(1311): Invalid command name '%s' provided."
+#define EXEC_CMDERROR   "(1312): Error executing '%s': %s"
+#define EXEC_INV_CONF   "(1313): Invalid active response config: '%s'."
+#define EXEC_DISABLED   "(1350): Active response disabled."
+#define EXEC_SHUTDOWN   "(1314): Shutdown received. Deleting responses."
+#define EXEC_INV_JSON   "(1315): Invalid JSON message: '%s'"
+#define EXEC_INV_CMD    "(1316): Invalid AR command: '%s'"
+#define EXEC_CMD_FAIL   "(1317): Could not launch command %s (%d)"
+#define EXEC_BAD_NAME   "(1318): Command name truncated %s"
+
+#define AR_NOAGENT_ERROR                "(1320): Agent '%s' not found."
+#define EXEC_QUEUE_CONNECTION_ERROR     "(1321): Error communicating with queue '%s'."
+#define EXEC_QUEUE_BUSY                 "(1322): Socket busy."
+
+/* List operations */
+#define LIST_ERROR      "(1290): Unable to create a new list (calloc)."
+#define LIST_ADD_ERROR  "(1291): Error adding nodes to list."
+#define LIST_SIZE_ERROR "(1292): Error setting error size."
+#define LIST_FREE_ERROR "(1293): Error setting data free pointer."
+
+/* Hash operation */
+#define HASH_ERROR      "(1295): Unable to create a new hash (calloc)."
+#define HCREATE_ERROR   "(1296): Unable to create a '%s' hash table"
+#define HSETSIZE_ERROR  "(1297): Unable to set size of '%s' hash table"
+#define HADD_ERROR      "(1298): Failure to add '%s' to '%s' hash table"
+#define HUPDATE_ERROR   "(1299): Failure to update '%s' to '%s' hash table"
+
+/* Log collector messages */
+#define MISS_LOG_FORMAT "(1901): Missing 'log_format' element."
+#define MISS_FILE       "(1902): Missing 'location' element."
+#define INV_EVTLOG      "(1903): Invalid event log: '%s'."
+#define NSTD_EVTLOG     "(1907): Non-standard event log set: '%s'."
+#define LOGC_FILE_ERROR "(1904): File not available, ignoring it: '%s'."
+#define NO_FILE         "(1905): No file configured to monitor."
+#define PARSE_ERROR     "(1906): Error parsing file: '%s'."
+#define READING_FILE    "(1950): Analyzing file: '%s'."
+#define READING_EVTLOG  "(1951): Analyzing event log: '%s'."
+#define VAR_LOG_MON     "(1952): Monitoring variable log file: '%s'."
+#define INV_MULTILOG    "(1953): Invalid DJB multilog file: '%s'."
+#define MISS_SOCK_NAME  "(1954): Missing field 'name' for socket."
+#define MISS_SOCK_LOC   "(1955): Missing field 'location' for socket."
+#define REM_ERROR       "(1956): Error removing '%s' file."
+#define NEW_GLOB_FILE   "(1957): New file that matches the '%s' pattern: '%s'."
+#define DUP_FILE        "(1958): Log file '%s' is duplicated."
+#define FORGET_FILE     "(1959): File '%s' no longer exists."
+#ifndef WIN32
+#define FILE_LIMIT      "(1960): File limit has been reached (%d). Please reduce the number of files or increase \"logcollector.max_files\"."
+#else
+#define FILE_LIMIT      "(1960): File limit has been reached (%d)."
+#endif
+#define CURRENT_FILES   "(1961): Files being monitored: %i/%i."
+#define OPEN_ATTEMPT    "(1962): Unable to open file '%s'. Remaining attempts: %d"
+#define OPEN_UNABLE     "(1963): Unable to open file '%s'."
+#define NON_TEXT_FILE   "(1964): File '%s' is not ASCII or UTF-8 encoded."
+#define EXCLUDE_FILE    "(1965): File excluded: '%s'."
+#define DUP_FILE_INODE  "(1966): Inode for file '%s' already found. Skipping it."
+#define LOCALFILE_REGEX "(1967): Syntax error on multiline_regex: '%s'"
+#define MISS_MULT_REGEX "(1968): Missing 'multiline_regex' element."
+#define FAIL_SHA1_GEN   "(1969): Failure to generate the SHA1 hash from file '%s'"
+#define DUP_MACOS       "(1970): Can't add more than one 'macos' block."
+#define FP_TO_FD_ERROR  "(1971): The file descriptor couldn't be obtained from the file pointer of the Log Stream pipe: %s (%d)."
+#define GET_FLAGS_ERROR "(1972): The flags couldn't be obtained from the file descriptor: %s (%d)."
+#define SET_FLAGS_ERROR "(1973): The flags couldn't be set in the file descriptor: %s (%d)."
+#define WPOPENV_ERROR   "(1974): An error ocurred while calling wpopenv(): %s (%d)."
+#define LF_LOG_REGEX    "(1975): Syntax error on regex %s: '%s'"
+#define LF_MATCH_REGEX  "(1976): Ignoring the log line '%s' due to %s config: '%s'"
+
+/* Encryption/auth errors */
+#define INVALID_KEY     "(1401): Error reading authentication key: '%s'."
+#define NO_AUTHFILE     "(1402): Authentication key file '%s' not found."
+#define ENCFORMAT_ERROR "(1403): Incorrectly formatted message from agent '%s' (host '%s')."
+#define ENCKEY_ERROR    "(1404): Authentication error. Wrong key or corrupt payload. Message received from agent '%s' at '%s'."
+#define ENCSIZE_ERROR   "(1405): Message size not valid: '%64s'."
+#define ENCSUM_ERROR    "(1406): Checksum mismatch. Message received from agent '%s' at '%s'."
+#define ENCTIME_ERROR   "(1407): Duplicated counter for '%s'."
+#define ENC_IP_ERROR    "(1408): Invalid ID %s for the source ip: '%s' (name '%s')."
+#define ENCFILE_CHANGED "(1409): Authentication file changed. Updating."
+#define ENC_READ        "(1410): Reading authentication keys file."
+
+/* Regex errors */
+#define REGEX_COMPILE   "(1450): Syntax error on regex: '%s': %d."
+#define REGEX_SUBS      "(1451): Missing sub_strings on regex: '%s'."
+#define REGEX_SYNTAX    "(1452): Syntax error on regex: '%s'"
+
+/* Decoders */
+#define PPLUGIN_INV     "(2101): Parent decoder name invalid: '%s'."
+#define PDUP_INV        "(2102): Duplicated decoder with prematch: '%s'."
+#define PDUPFTS_INV     "(2103): Duplicated decoder with fts set: '%s'."
+#define DUP_INV         "(2104): Invalid duplicated decoder: '%s'."
+#define DEC_PLUGIN_ERR  "(2105): Error loading decoder options."
+#define DECODER_ERROR   "(2106): Error adding decoder plugin."
+#define DEC_REGEX_ERROR "(2107): Decoder configuration error: '%s'."
+#define DECODE_NOPRE    "(2108): No 'prematch' found in decoder: '%s'."
+#define DUP_REGEX       "(2109): Duplicated offsets for same regex: '%s'."
+#define INV_DECOPTION   "(2110): Invalid decoder argument for %s: '%s'."
+#define DECODE_ADD      "(2111): Additional data to plugin decoder: '%s'."
+
+#define INV_OFFSET      "(2120): Invalid offset value: '%s'"
+#define INV_ATTR        "(2121): Invalid decoder attribute: '%s'"
+#define INV_VAL         "(2122): Invalid value for attribute: '%s'"
+#define INV_VAL_ATTR    "(2123): Invalid value '%s' for attribute: '%s'"
+
+/* os_zlib */
+#define COMPRESS_ERR    "(2201): Error compressing string: '%s'."
+#define UNCOMPRESS_ERR  "(2202): Error uncompressing string."
+
+/* read defines */
+#define DEF_NOT_FOUND   "(2301): Definition not found for: '%s.%s'."
+#define INV_DEF         "(2302): Invalid definition for %s.%s: '%s'."
+
+/* Agent errors */
+#define AG_WAIT_SERVER  "(4101): Waiting for server reply (not started). Tried: '%s'. Ensure that the manager version is '%s' or higher."
+#define AG_CONNECTED    "(4102): Connected to the server ([%s]:%d/%s)."
+#define AG_USINGIP      "(4103): Server IP address already set. Trying that before the hostname."
+#define AG_INV_HOST     "(4104): Invalid hostname: '%s'."
+#define AG_INV_IP       "(4105): No valid server IP found."
+#define EVTLOG_OPEN     "(4106): Unable to open event log: '%s'."
+#define EVTLOG_GETLAST  "(4107): Unable to query last event log from: '%s'."
+#define EVTLOG_DUP      "(4108): Duplicated event log entry: '%s'."
+#define AG_NOKEYS_EXIT  "(4109): Unable to start without auth keys. Exiting."
+#define AG_INV_MNGIP    "(4112): Invalid server address found: '%s'"
+#define AG_ENROLL_FAIL  "(4113): Auto Enrollment configuration failed."
+#define AG_INV_INT      "(4114): All server addresses are IPv6 link-local and no interface to any <server> block has been configured."
+
+/* Rules reading errors */
+#define RL_INV_ROOT     "(5101): Invalid root element: '%s'."
+#define RL_INV_RULE     "(5102): Invalid rule element: '%s'."
+#define RL_INV_ENTRY    "(5103): Invalid rule on '%s'. Missing id/level."
+#define RL_EMPTY_ATTR   "(5104): Rule attribute '%s' empty."
+#define RL_INV_ATTR     "(5105): Invalid rule attributes inside file: '%s'."
+#define RL_NO_OPT       "(5106): Rule '%d' without any options. "\
+                        "It may lead to false positives. Exiting. "
+#define RL_REGEX_SYNTAX "(5107): Syntax error on tag '%s' in rule %d"
+
+/* Syslog output */
+#define XML_INV_CSYSLOG    "(5301): Invalid client-syslog configuration."
+#define ERROR_SENDING_MSG  "(5302): Error sending message to '%s'."
+
+/* Integrator daemon */
+#define XML_INV_INTEGRATOR "(5310): Invalid integratord configuration."
+
+/* Agentless */
+#define XML_INV_AGENTLESS   "(7101): Invalid agentless configuration."
+#define XML_INV_MISSFREQ    "(7102): Frequency not set for the periodic option."
+#define XML_INV_MISSOPTS    "(7103): Missing agentless options."
+
+/* Database messages */
+#define DBINIT_ERROR          "(5201): Error initializing database handler."
+#define DBCONN_ERROR          "(5202): Error connecting to database '%s'(%s): ERROR: %s."
+#define DBQUERY_ERROR         "(5203): Error executing query '%s'. Error: '%s'."
+#define DB_GENERROR           "(5204): Database error. Unable to run query."
+#define DB_MISS_CONFIG        "(5205): Missing database configuration. "\
+                              "It requires host, user, pass and database."
+#define DB_CONFIGERR          "(5206): Database configuration error."
+#define DB_COMPILED           "(5207): Wazuh not compiled with support for '%s'."
+#define DB_MAINERROR          "(5208): Multiple database errors. Exiting."
+#define DB_CLOSING            "(5209): Closing connection to database."
+#define DB_ATTEMPT            "(5210): Attempting to reconnect to database."
+#define DB_SQL_ERROR          "(5211): SQL error: '%s'"
+#define DB_TRANSACTION_ERROR  "(5212): Cannot begin transaction."
+#define DB_CACHE_ERROR        "(5213): Cannot cache statement."
+#define DB_CACHE_NULL_STMT    "(5214): Null statement on internal cache."
+#define DB_AGENT_SQL_ERROR    "(5215): DB(%s) SQL Error: '%s'."
+#define DB_INVALID_DELTA_MSG  "(5216): DB(%s) Could not bind delta field '%s' from '%s' scan."
+#define DB_DELTA_PARSING_ERR  "(5217): Could not parse syscollector delta information as JSON."
+
+/* File integrity monitoring error messages*/
+#define FIM_ERROR_WHODATA_SUM_MAX                   "(6603): The whodata sum for '%s' file could not be included in the alert as it is too large."
+#define FIM_ERROR_CHECK_THREAD                      "(6605): Could not create the Whodata check thread."
+#define FIM_ERROR_SELECT                            "(6606): Select failed (for real time file integrity monitoring)."
+#define FIM_ERROR_INOTIFY_INITIALIZE                "(6607): Unable to initialize inotify."
+#define FIM_ERROR_NFS_INOTIFY                       "(6608): '%s' NFS Directories do not support iNotify."
+#define FIM_ERROR_GENDIFF_COMMAND                   "(6609): Unable to run diff command '%s'"
+#define FIM_ERROR_REALTIME_WAITSINGLE_OBJECT        "(6610): WaitForSingleObjectEx failed (for real time file integrity monitoring)."
+#define FIM_ERROR_REALTIME_ADDDIR_FAILED            "(6611): 'realtime_adddir' failed, the directory '%s' couldn't be added to real time mode."
+#define FIM_ERROR_REALTIME_READ_BUFFER              "(6612): Unable to read from real time buffer."
+#define FIM_ERROR_REALTIME_WINDOWS_CALLBACK         "(6613): Real time Windows callback process: '%s' (%lx)."
+#define FIM_ERROR_REALTIME_WINDOWS_CALLBACK_EMPTY   "(6614): Real time call back called, but hash is empty."
+
+#define FIM_ERROR_AUDIT_MODE                        "(6617): Unable to get audit mode: %s (%d)."
+#define FIM_ERROR_REALTIME_INITIALIZE               "(6618): Unable to initialize real time file monitoring."
+#define FIM_ERROR_WHODATA_ADD_DIRECTORY             "(6619): Unable to add directory to whodata real time monitoring: '%s'. It will be monitored in Realtime"
+#define FIM_ERROR_WHODATA_AUDIT_SUPPORT             "(6620): Audit support not built. Whodata is not available."
+#define FIM_ERROR_WHODATA_EVENTCHANNEL              "(6621): Event Channel subscription could not be made. Whodata scan is disabled."
+#define FIM_ERROR_WHODATA_RESTORE_POLICIES          "(6622): There is no backup of audit policies. Policies will not be restored."
+#define FIM_ERROR_WHODATA_UNINITIALIZED             "(6623): Trying to monitor '%s' in who-data mode, but who-data is not initialized."
+
+#define FIM_ERROR_WHODATA_NOTFIND_DIRPOS            "(6625): The '%s' file does not have an associated directory."
+#define FIM_ERROR_WHODATA_HANDLER_REMOVE            "(6626): The handler '%s' could not be removed from the whodata hash table."
+#define FIM_ERROR_WHODATA_HANDLER_EVENT             "(6627): Could not get the time of the event whose handler is '%llu'."
+#define FIM_ERROR_WHODATA_EVENTID                   "(6628): Invalid EventID. The whodata cannot be extracted."
+
+#define FIM_ERROR_WHODATA_EVENTADD_DUP              "(6630): The event could not be added to the '%s' hash table because it is duplicated. Target: '%s'."
+#define FIM_ERROR_WHODATA_EVENTADD                  "(6631): The event could not be added to the '%s' hash table. Target: '%s'."
+#define FIM_ERROR_WHODATA_GET_SID                   "(6632): Could not obtain the sid of Everyone. Error '%lu'."
+#define FIM_ERROR_WHODATA_GET_ACE                   "(6633): Could not extract the ACE information. Error: '%lu'."
+#define FIM_ERROR_WHODATA_TOKENPRIVILEGES           "(6634): AdjustTokenPrivileges() failed. Error: '%lu'"
+#define FIM_ERROR_WHODATA_AUDITPOL                  "(6635): Auditpol backup error: '%s'."
+#define FIM_ERROR_WHODATA_SOCKET_CONNECT            "(6636): Cannot connect to socket '%s'."
+#define FIM_ERROR_WHODATA_READ_RULE                 "(6637): Could not read audit loaded rules."
+#define FIM_ERROR_WHODATA_ADD_RULE                  "(6638): Error adding audit rule for directory (%i): '%s'."
+#define FIM_ERROR_WHODATA_CHECK_RULE                "(6639): Error checking Audit rules list."
+#define FIM_ERROR_WHODATA_MAXNUM_WATCHES            "(6640): Unable to monitor who-data for directory: '%s' - Maximum size permitted (%d)."
+#define FIM_ERROR_WHODATA_COMPILE_REGEX             "(6641): Cannot compile '%s' regular expression."
+#define FIM_ERROR_WHODATA_HEALTHCHECK_START         "(6642): Audit health check couldn't be completed correctly."
+
+#define FIM_ERROR_WHODATA_CONTEXT                   "(6645): Error creating the whodata context. Error %lu."
+#define FIM_ERROR_SACL_ACE_DELETE                   "(6646): DeleteAce() failed restoring the SACLs. Error '%ld'"
+#define FIM_ERROR_SACL_FIND_PRIVILEGE               "(6647): Could not find the '%s' privilege. Error: %lu"
+#define FIM_ERROR_SACL_OPENPROCESSTOKEN             "(6648): OpenProcessToken() failed. Error '%lu'."
+#define FIM_ERROR_SACL_SET_PRIVILEGE                "(6649): Fail to set privileges. Error: '%ld'."
+#define FIM_ERROR_SACL_GETSECURITYINFO              "(6650): GetNamedSecurityInfo() failed. Error '%ld'"
+#define FIM_ERROR_SACL_GETSIZE                      "(6651): The size of the '%s' SACL could not be obtained."
+#define FIM_ERROR_SACL_NOMEMORY                     "(6652): No memory could be reserved for the new SACL of '%s'."
+#define FIM_ERROR_SACL_CREATE                       "(6653): The new SACL for '%s' could not be created."
+#define FIM_ERROR_SACL_ACE_GET                      "(6654): The ACE number %i for '%s' could not be obtained."
+#define FIM_ERROR_SACL_ACE_CPY                      "(6655): The ACE number %i of '%s' could not be copied to the new ACL."
+#define FIM_ERROR_SACL_ACE_NOMEMORY                 "(6656): No memory could be reserved for the new ACE of '%s'."
+#define FIM_ERROR_SACL_ACE_ADD                      "(6657): The new ACE could not be added to '%s'."
+#define FIM_ERROR_SACL_SETSECURITYINFO              "(6658): SetNamedSecurityInfo() failed. Error: '%lu'."
+#define FIM_ERROR_SACL_ELEVATE_PRIVILEGE            "(6659): The privilege could not be activated. Error: '%ld'."
+#define FIM_ERROR_WPOL_BACKUP_FILE_REMOVE           "(6660): '%s' could not be removed: '%s' (%d)."
+#define FIM_ERROR_WPOL_BACKUP_FILE_OPEN             "(6661): '%s' could not be opened: '%s' (%d)."
+#define FIM_ERROR_LIBMAGIC_START                    "(6662): Can't init libmagic: '%s'"
+#define FIM_ERROR_LIBMAGIC_LOAD                     "(6663): Can't load magic file: '%s'"
+#define FIM_ERROR_LIBMAGIC_BUFFER                   "(6664): magic_buffer: '%s'"
+#define FIM_ERROR_GENDIFF_OPEN                      "(6665): Unable to generate diff alert (fopen)'%s'."
+#define FIM_ERROR_GENDIFF_READ                      "(6666): Unable to generate diff alert (fread)."
+#define FIM_ERROR_GENDIFF_SECONDLINE_MISSING        "(6667): Unable to find second line of alert string."
+#define FIM_ERROR_GENDIFF_WRITING_DATA              "(6668): Unable to write data on file '%s'"
+#define FIM_ERROR_GENDIFF_INVALID_PATH              "(6669): Invalid path name: '%s'"
+#define FIM_ERROR_GENDIFF_CREATE_SNAPSHOT           "(6670): Unable to create snapshot for '%s'"
+#define FIM_ERROR_GENDIFF_OPEN_FILE                 "(6671): Unable to open file for writing '%s'"
+#define FIM_ERROR_SYSCOM_BIND_SOCKET                "(6672): Unable to bind to socket '%s': (%d) '%s'."
+#define FIM_ERROR_SYSCOM_ACCEPT                     "(6673): In accept(): '%s'"
+#define FIM_ERROR_SYSCOM_RECV                       "(6674): In OS_RecvSecureTCP(): '%s'"
+#define FIM_ERROR_SYSCOM_RECV_TOOLONG               "(6675): In OS_RecvSecureTCP(): response size is bigger than expected"
+#define FIM_ERROR_SYSCOM_RECV_MAXLEN                "(6676): The received message exceeds maximum permitted > '%i'"
+#define FIM_NO_OPTIONS                              "(6677): No option provided for directories: '%s', ignoring it."
+#define FIM_DIRECTORY_NOPROVIDED                    "(6678): No directory provided for syscheck to monitor."
+#define FIM_INVALID_ATTRIBUTE                       "(6679): Invalid attribute '%s' for '%s' option."
+#define FIM_INVALID_OPTION                          "(6680): Invalid option '%s' for attribute '%s'"
+
+#define FIM_ERROR_WHODATA_WIN_ARCH                  "(6682): Error reading 'Architecture' from Windows registry. (Error %u)"
+#define FIM_ERROR_WHODATA_WIN_SIDERROR              "(6683): Could not obtain the sid of Everyone. Error '%lu'."
+#define FIM_ERROR_WHODATA_OPEN_TOKEN                "(6684): OpenProcessToken() failed. Error '%lu'."
+#define FIM_ERROR_WHODATA_ACTIVATE_PRIV             "(6685): The privilege could not be activated. Error: '%ld'."
+#define FIM_ERROR_WHODATA_GETNAMEDSECURITY          "(6686): GetNamedSecurityInfo() failed. Error '%ld'"
+#define FIM_ERROR_WHODATA_SACL_SIZE                 "(6687): The size of the '%s' SACL could not be obtained."
+#define FIM_ERROR_WHODATA_SACL_MEMORY               "(6688): No memory could be reserved for the new SACL of '%s'."
+#define FIM_ERROR_WHODATA_SACL_NOCREATE             "(6689): The new SACL for '%s' could not be created. Error: '%ld'."
+#define FIM_ERROR_WHODATA_ACE_MEMORY                "(6690): No memory could be reserved for the new ACE of '%s'. Error: '%ld'."
+#define FIM_ERROR_WHODATA_COPY_SID                  "(6691): Could not copy the everyone SID for '%s'. Error: '%d-%ld'."
+#define FIM_ERROR_WHODATA_ACE_NOOBTAIN              "(6692): The ACE number %i for '%s' could not be obtained."
+#define FIM_ERROR_WHODATA_ACE_NUMBER                "(6693): The ACE number %i of '%s' could not be copied to the new ACL."
+#define FIM_ERROR_WHODATA_ACE_NOADDED               "(6694): The new ACE could not be added to '%s'. Error: '%ld'."
+#define FIM_ERROR_WHODATA_SETNAMEDSECURITY          "(6695): SetNamedSecurityInfo() failed. Error: '%lu'"
+#define FIM_CRITICAL_ERROR_OUT_MEM                  "(6697): Out of memory. Exiting."
+#define FIM_CRITICAL_DATA_CREATE                    "(6698): Creating Data Structure: %s. Exiting."
+#define FIM_CRITICAL_ERROR_SELECT                   "(6699): At '%s': select(): %s. Exiting."
+#define FIM_ERROR_INOTIFY_ADD_MAX_REACHED           "(6700): Unable to add inotify watch to real time monitoring: '%s'. '%d' '%d': The maximum limit of inotify watches has been reached."
+#define FIM_UNKNOWN_ATTRIBUTE                       "(6701): Unknown attribute '%s' for directory option."
+
+#define FIM_ERROR_WHODATA_INIT                      "(6710): Failed to start the Whodata engine. Directories/files will be monitored in Realtime mode"
+#define FIM_ERROR_GET_ABSOLUTE_PATH                 "(6711): Cannot get absolute path of '%s': %s (%d)"
+#define FIM_DIFF_DELETE_DIFF_FOLDER_ERROR           "(6713): Cannot remove diff folder for file: '%s'"
+#ifdef WIN32
+#define FIM_DIFF_COMMAND_OUTPUT_ERROR               "(6714): Command fc output an error"
+#else
+#define FIM_DIFF_COMMAND_OUTPUT_ERROR               "(6714): Command diff output an error"
+#endif
+#define FIM_WARN_OPEN_HANDLE_FILE                   "(6716): Could not open handle for '%s'. Error code: %lu"
+#define FIM_WARN_GET_FILETIME                       "(6717): Could not get the filetime of the file '%s'. Error code: %lu."
+#ifndef WIN32
+#define FIM_ERROR_EXPAND_ENV_VAR                    "(6718): Could not expand the environment variable %s."
+#else
+#define FIM_ERROR_EXPAND_ENV_VAR                    "(6718): Could not expand the environment variable %s (%ld)."
+#endif
+#define FIM_ERROR_TRANSACTION                       "(6719): Could not start DBSync transaction (%s)"
+#define FIM_ERROR_PATH_TOO_LONG                     "(6720): The path '%s%s' is too long. The maximum length is %d characters."
+
+#define FIM_AUDITPOL_ATTEMPT_FAIL                   "(6955): Auditpol command failed, attempt number: %d"
+#define FIM_AUDITPOL_FINAL_FAIL                     "(6956): After %d attempts the Auditpol command could not be executed successfully."
+
+/* Wazuh Logtest error messsages */
+#define LOGTEST_ERROR_BIND_SOCK                     "(7300): Unable to bind to socket '%s'. Errno: (%d) %s"
+#define LOGTEST_ERROR_ACCEPT_CONN                   "(7301): Failure to accept connection. Errno: %s"
+#define LOGTEST_ERROR_RECV_MSG_ERRNO                "(7302): Failure to receive message: Errno: %s"
+#define LOGTEST_ERROR_INIT_HASH                     "(7303): Failure to initialize all_sessions hash"
+#define LOGTEST_ERROR_INV_CONF                      "(7304): Invalid wazuh-logtest configuration"
+#define LOGTEST_ERROR_SIZE_HASH                     "(7305): Failure to resize all_sessions hash"
+#define LOGTEST_ERROR_COMMAND_NOT_ALLOWED           "(7306): Unable to process command"
+#define LOGTEST_ERROR_JSON_PARSE_POS                "(7307): Error parsing JSON in position %i, ... %s ..."
+#define LOGTEST_ERROR_JSON_REQUIRED_SFIELD          "(7308): '%s' JSON field is required and must be a string"
+#define LOGTEST_ERROR_TOKEN_INVALID                 "(7309): '%s' is not a valid token"
+#define LOGTEST_ERROR_RESPONSE                      "(7310): Failure to sending response to client [%i] %s."
+#define LOGTEST_ERROR_INITIALIZE_SESSION            "(7311): Failure to initializing session"
+#define LOGTEST_ERROR_PROCESS_EVENT                 "(7312): Failed to process the event"
+#define LOGTEST_ERROR_FIELD_NOT_FOUND               "(7313): '%s' JSON field not found"
+#define LOGTEST_ERROR_RECV_MSG_EMPTY_TO             "(7314): Failure to receive message: empty or reception timeout"
+#define LOGTEST_ERROR_RECV_MSG_OVERSIZE             "(7315): Failure to receive message: size is bigger than expected"
+#define LOGTEST_ERROR_TOKEN_INVALID_TYPE            "(7316): Failure to remove session. token JSON field must be a string"
+#define LOGTEST_ERROR_FIELD_NOT_VALID               "(7317): '%s' JSON field value is not valid"
+#define LOGTEST_ERROR_REMOVE_SESSION                "(7318): Failure to remove session '%s'"
+#define XML_ERROR_EMPTY_OR_
+
+/* Modules messages */
+#define WM_UPGRADE_JSON_PARSE_ERROR                 "(8101): Cannot parse JSON: '%s'"
+#define WM_UPGRADE_UNDEFINED_ACTION_ERRROR          "(8102): No action defined for command: '%s'"
+#define WM_UPGRADE_COMMAND_PARSE_ERROR              "(8103): Error parsing command: '%s'"
+#define WM_UPGRADE_UNREACHEABLE_TASK_MANAGER        "(8104): Cannot connect to '%s'. Could not reach task manager module."
+#define WM_UPGRADE_INVALID_TASK_MAN_JSON            "(8105): Response from task manager does not have a valid JSON format."
+#define WM_UPGRADE_TASK_EMPTY_MESSAGE               "(8106): Empty message from task manager module."
+#define WM_UPGRADE_REQUIRED_PARAMETERS              "(8107): Required parameters in message are missing."
+#define WM_UPGRADE_BIND_SOCK_ERROR                  "(8108): Unable to bind to socket '%s': '%s'"
+#define WM_UPGRADE_SELECT_ERROR                     "(8109): Error in select(): '%s'. Exiting..."
+#define WM_UPGRADE_ACCEPT_ERROR                     "(8110): Error in accept(): '%s'"
+#define WM_UPGRADE_RECV_ERROR                       "(8111): Error in recv(): '%s'"
+#define WM_UPGRADE_SOCKTERR_ERROR                   "(8112): Response size is bigger than expected."
+#define WM_UPGRADE_QUEUE_FD                         "(8113): Could not open default queue to send upgrade notification."
+#define WM_UPGRADE_UNREACHEABLE_REQUEST             "(8114): Cannot connect to '%s'. Could not reach agent."
+#define WM_UPGRADE_EMPTY_AGENT_RESPONSE             "(8115): Response from agent is empty."
+#define WM_UPGRADE_AGENT_RESPONSE_MESSAGE_ERROR     "(8116): Error response from agent: '%s'"
+#define WM_UPGRADE_AGENT_RESPONSE_UNKNOWN_ERROR     "(8117): Unknown error from agent."
+#define WM_UPGRADE_AGENT_RESPONSE_SHA1_ERROR        "(8118): The SHA1 of the file doesn't match in the agent."
+#define WM_UPGRADE_TASK_UPDATE_ERROR                "(8119): There has been an error updating task state. Error code: '%d', message: '%s'"
+#define WM_UPGRADE_RESULT_FILE_ERROR                "(8120): Agent was unable to erase upgrade_result file. Reason: '%s'"
+#define WM_UPGRADE_AGENT_RESPONSE_SCRIPT_ERROR      "(8121): Script execution failed in the agent."
+#define WM_UPGRADE_UPGRADE_QUEUE_FULL               "(8122): Upgrade queue is full. Agent '%d' won't be upgraded."
+#define WM_UPGRADE_TASK_MANANAGER_ERROR             "(8123): There has been an error executing the request in the tasks manager."
+#define WM_UPGRADE_FILE_OPENED                      "(8124): At %s: File '%s' was opened. Closing."
+#define WM_UPGRADE_UNSUPPORTED_MODE                 "(8125): At %s: Unsupported mode."
+#define WM_UPGRADE_INVALID_FILE_NAME                "(8126): At %s: Invalid file name."
+#define WM_UPGRADE_FILE_NOT_OPENED_AUTO             "(8127): At %s: File not opened. Agent might have been auto-restarted during upgrade."
+#define WM_UPGRADE_DIFFERENT_FILE                   "(8128): At %s: The target file doesn't match the opened file '%s'"
+#define WM_UPGRADE_CANNOT_WRITE                     "(8129): At %s: Cannot write on '%s'"
+#define WM_UPGRADE_FILE_NOT_OPENED                  "(8130): At %s: No file is opened."
+#define WM_UPGRADE_GERENIC_ERROR                    "(8131): At %s: '%s'"
+#define WM_UPGRADE_GENERATING_SHA1_ERROR            "(8132): At %s: Error generating SHA1."
+#define WM_UPGRADE_UNMERGING_FILE_ERROR             "(8133): At %s: Error unmerging file: '%s'"
+#define WM_UPGRADE_CHMOD_ERROR                      "(8134): At %s: Could not chmod '%s'"
+#define WM_UPGRADE_COMMAND_ERROR                    "(8135): At %s: Error executing command [%s]"
+#define WM_UPGRADE_ERASE_FILE_ERROR                 "(8136): At %s: Could not erase file '%s'"
+#define WM_UPGRADE_TOO_LONG_TEMP_FILE               "(8137): At %s: Too long temp file."
+#define WM_UPGRADE_COMPRESSED_FILE_ERROR            "(8138): At %s: Could not create temporary compressed file."
+#define WM_UPGRADE_UNSIGN_FILE_ERROR                "(8139): At %s: Could not unsign package file '%s'"
+#define WM_UPGRADE_FILE_OPEN_ERROR                  "(8140): At %s: Unable to open '%s'"
+#define WM_UPGRADE_CANNOT_READ                      "(8141): At %s: Unable to read '%s'"
+
+#define MOD_TASK_CHECK_DB_ERROR                     "(8250): DB integrity is invalid. Exiting..."
+#define MOD_TASK_CREATE_SOCK_ERROR                  "(8251): Queue '%s' not accessible: '%s'. Exiting..."
+#define MOD_TASK_SELECT_ERROR                       "(8252): Error in select(): '%s'. Exiting..."
+#define MOD_TASK_ACCEPT_ERROR                       "(8253): Error in accept(): '%s'"
+#define MOD_TASK_RECV_ERROR                         "(8254): Error in recv(): '%s'"
+#define MOD_TASK_SOCKTERR_ERROR                     "(8255): Response size is bigger than expected."
+#define MOD_TASK_LENGTH_ERROR                       "(8256): Received message > '%i'"
+#define MOD_TASK_PARSE_JSON_ERROR                   "(8257): Error parsing JSON event: '%s'"
+#define MOD_TASK_UNDEFINED_ACTION_ERRROR            "(8258): No action defined for command provided."
+#define MOD_TASK_PARSE_KEY_ERROR                    "(8259): Invalid message. '%s' not found."
+#define MOD_TASK_INVALID_ELEMENT_ERROR              "(8260): Invalid element in array."
+#define MOD_TASK_DB_ERROR                           "(8261): Database error."
+
+/* Sysinfo */
+#define SYSINFO_DYNAMIC_INIT_ERROR                  "(9000): Error loading sysinfo module."
+
+/* Verbose messages */
+#define STARTUP_MSG "Started (pid: %d)."
+#define PRIVSEP_MSG "Chrooted to directory: %s, using user: %s"
+#define MSG_SOCKET_SIZE "(unix_domain) Maximum send buffer set to: '%d'."
+
+#define NO_SYSLOG       "(1501): IP or network must be present in syslog" \
+                        " access list (allowed-ips). Syslog server disabled."
+#define CONN_TO     "Connected to '%s' (%s queue)"
+#define MAIL_DIS    "E-Mail notification disabled. Clean Exit."
+#define WAZUH_HOMEDIR "Wazuh home directory: %s"
+
+/* Debug Messages */
+#define FOUND_USER  "Found user/group ..."
+#define ASINIT      "Active response initialized ..."
+#define READ_CONFIG "Read configuration ..."
+
+/* Wait operations */
+#define WAITING_MSG     "Process locked due to agent is offline. Waiting for connection..."
+#define WAITING_FREE    "Agent is now online. Process unlocked, continuing..."
+#define SERVER_UNAV     "Server unavailable. Setting lock."
+#define SERVER_UP       "Server responded. Releasing lock."
+#define LOCK_RES        "Agent auto-restart locked for %d seconds."
+
+/* Buffer alerts */
+#define DISABLED_BUFFER "Agent buffer disabled."
+#define WARN_BUFFER     "Agent buffer at %d %%."
+#define FULL_BUFFER     "Agent buffer is full: Events may be lost."
+#define FLOODED_BUFFER  "Agent buffer is flooded: Producing too many events."
+#define NORMAL_BUFFER   "Agent buffer is under %d %%. Working properly again."
+#define TOLERANCE_TIME  "Tolerance time set to Zero, defined flooding condition when buffer is full."
+
+/* OSSEC alert messages */
+#define OS_MG_STARTED   "ossec: Manager started."
+#define OS_AG_STARTED   "ossec: Agent started: '%s->%s'."
+#define OS_AG_STOPPED   "ossec: Agent stopped: '%s->%s'."
+#define OS_AG_DISCON    "ossec: Agent disconnected: '%s'."
+#define OS_AG_REMOVED   "ossec: Agent removed: '%s'."
+
+#define OS_NORMAL_BUFFER  "wazuh: Agent buffer: 'normal'."
+#define OS_WARN_BUFFER  "wazuh: Agent buffer: '%d%%'."
+#define OS_FULL_BUFFER  "wazuh: Agent buffer: 'full'."
+#define OS_FLOOD_BUFFER "wazuh: Agent buffer: 'flooded'."
+
+/* WIN32 errors */
+#define CONF_ERROR      "Could not read (%s) (Make sure config exists and executable is running with Administrative privileges)."
+#define GMF_ERROR       "Could not run GetModuleFileName."
+#define GMF_BUFF_ERROR  "Could not get path because it is too long and was shrunk by (%d) characters with a max of (%d)."
+#define GMF_UNKN_ERROR  "Could not run GetModuleFileName which returned (%ld)."
+
+#endif /* ERROR_MESSAGES_H */
diff --git a/src/common/error_messages/include/information_messages.h b/src/common/error_messages/include/information_messages.h
new file mode 100644
index 0000000000..2fe0ce047a
--- /dev/null
+++ b/src/common/error_messages/include/information_messages.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2015
+ * January 17
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef INFO_MESSAGES_H
+#define INFO_MESSAGES_H
+
+/* File integrity monitoring info messages*/
+#define FIM_DAEMON_STARTED                  "(6000): Starting daemon..."
+#define FIM_DISABLED                        "(6001): File integrity monitoring disabled."
+#define FIM_MONITORING_REGISTRY             "(6002): Monitoring registry entry: '%s%s', with options '%s'"
+#define FIM_MONITORING_DIRECTORY            "(6003): Monitoring path: '%s', with options '%s'."
+#define FIM_MONITORING_LDIRECTORY           "(6003): Monitoring path: '%s' (%s), with options '%s'."
+#define FIM_NO_DIFF                         "(6004): No diff for file: '%s'"
+#define FIM_WAITING_QUEUE                   "(6005): Cannot connect to queue '%s' (%d)'%s'. Waiting %d seconds to reconnect."
+#define FIM_PRINT_IGNORE_ENTRY              "(6206): Ignore '%s' entry '%s'"
+#define FIM_PRINT_IGNORE_SREGEX             "(6207): Ignore '%s' sregex '%s'"
+#define FIM_FREQUENCY_STARTED               "(6008): File integrity monitoring scan started."
+#define FIM_FREQUENCY_ENDED                 "(6009): File integrity monitoring scan ended."
+#define FIM_FREQUENCY_TIME                  "(6010): File integrity monitoring scan frequency: %d seconds"
+#define FIM_REALTIME_STARTING               "(6011): Initializing real time file monitoring engine."
+#define FIM_REALTIME_STARTED                "(6012): Real-time file integrity monitoring started."
+#define FIM_REALTIME_PAUSED                 "(6013): Real-time file integrity monitoring paused."
+#define FIM_REALTIME_RESUMED                "(6014): Real-time file integrity monitoring resumed."
+#define FIM_REALTIME_INCOMPATIBLE           "(6015): Real-time Whodata mode is not compatible with this version of Windows."
+#define FIM_REALTIME_MONITORING_DIRECTORY   "(6016): Directory set for real time monitoring: '%s'."
+
+#define FIM_WHODATA_STARTING                "(6018): Initializing file integrity monitoring real-time Whodata engine."
+#define FIM_WHODATA_STARTED                 "(6019): File integrity monitoring real-time Whodata engine started."
+#define FIM_WHODATA_READDED                 "(6020): '%s' has been re-added. It will be monitored in real-time Whodata mode."
+#define FIM_WHODATA_SACL_CHANGED            "(6021): The SACL of '%s' has been modified and it is not valid for the real-time Whodata mode. Whodata will not be available for this file."
+#define FIM_WHODATA_DELETE                  "(6022): '%s' has been deleted. It will not be monitored in real-time Whodata mode."
+#define FIM_AUDIT_NOSOCKET                  "(6023): No socket found at '%s'. Restarting Auditd service."
+#define FIM_AUDIT_SOCKET                    "(6024): Generating Auditd socket configuration file: '%s'"
+#define FIM_AUDIT_RESTARTING                "(6025): Audit plugin configuration (%s) was modified. Restarting Auditd service."
+#define FIM_AUDIT_HEALTHCHECK_DISABLE       "(6026): Audit health check is disabled. Real-time Whodata could not work correctly."
+#define FIM_AUDIT_REMOVE_RULE               "(6027): Monitored directory '%s' was removed: Audit rule removed."
+
+#define FIM_AUDIT_RECONNECT                 "(6029): Audit: reconnecting... (%i)"
+#define FIM_AUDIT_CONNECT                   "(6030): Audit: connected."
+#define FIM_WINREGISTRY_START               "(6031): Registry integrity monitoring scan started"
+#define FIM_WINREGISTRY_ENDED               "(6032): Registry integrity monitoring scan ended"
+#define FIM_LINKCHECK_START                 "(6033): Starting symbolic link updater. Interval '%d'."
+#define FIM_LINKCHECK_CHANGED               "(6034): Updating symbolic link '%s': from '%s' to '%s'."
+#define FIM_WHODATA_VOLUMES                 "(6035): Analyzing Windows volumes"
+
+#define FIM_DB_NORMAL_ALERT_FILE            "(6036): The file database status returns to normal."
+#define FIM_DB_NORMAL_ALERT_REG             "(6037): The registry database status returns to normal."
+#define FIM_DB_80_PERCENTAGE_ALERT_FILE     "(6038): File database is 80%% full."
+#define FIM_DB_80_PERCENTAGE_ALERT_REG      "(6039): Registry database is 80%% full."
+#define FIM_DB_90_PERCENTAGE_ALERT_FILE     "(6040): File database is 90%% full."
+#define FIM_DB_90_PERCENTAGE_ALERT_REG      "(6041): Registry database is 90%% full."
+
+#define FIM_FILE_SIZE_LIMIT_DISABLED        "(6042): File size limit disabled."
+#define FIM_DISK_QUOTA_LIMIT_DISABLED       "(6043): Disk quota limit disabled."
+#define FIM_NO_DIFF_REGISTRY                "(6044): Option nodiff enabled for %s '%s'."
+#define FIM_AUDIT_CREATED_RULE_FILE         "(6045): Created audit rules file, due to audit immutable mode rules will be loaded in the next reboot."
+#define FIM_AUDIT_QUEUE_SIZE                "(6046): Internal audit queue size set to '%d'."
+
+/* wazuh-logtest information messages */
+#define LOGTEST_INITIALIZED                 "(7200): Logtest started"
+#define LOGTEST_DISABLED                    "(7201): Logtest disabled"
+#define LOGTEST_INFO_TOKEN_SESSION          "(7202): Session initialized with token '%s'"
+#define LOGTEST_INFO_LOG_EMPTY              "(7203): Empty log for check alert level"
+#define LOGTEST_INFO_LOG_NOALERT            "(7204): Output without rule"
+#define LOGTEST_INFO_LOG_NOLEVEL            "(7205): Rule without alert level"
+#define LOGTEST_INFO_SESSION_REMOVE         "(7206): The session '%s' was closed successfully"
+
+/* Logcollector info messages */
+#define LOGCOLLECTOR_INVALID_HANDLE_VALUE   "(9200): File '%s' can not be handled."
+#define LOGCOLLECTOR_ONLY_MACOS             "(9201): 'macos' log format is only supported on macOS."
+#define LOGCOLLECTOR_JOURNALD_ONLY_LINUX    "(9202): 'Journald' log format is only available on Linux."
+#define LOGCOLLECTOR_JOURNALD_MONITORING    "(9203): Monitoring journal entries."
+
+
+#endif /* INFO_MESSAGES_H */
diff --git a/src/common/error_messages/include/warning_messages.h b/src/common/error_messages/include/warning_messages.h
new file mode 100644
index 0000000000..056024a8ed
--- /dev/null
+++ b/src/common/error_messages/include/warning_messages.h
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2015
+ * January 17
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WARN_MESSAGES_H
+#define WARN_MESSAGES_H
+
+/* Active Response */
+#define AR_SERVER_AGENT "(1306): Invalid agent ID. Use location=server to run AR on the manager."
+
+/* File integrity monitoring warning messages*/
+#define FIM_WARN_ACCESS                         "(6900): Accessing  '%s': [(%d) - (%s)]"
+#define FIM_WARN_DELETE                         "(6901): Could not delete from filesystem '%s'"
+#define FIM_WARN_DELETE_HASH_TABLE              "(6902): Could not delete from hash table '%s'"
+#define FIM_WARN_SYMLINKS_UNSUPPORTED           "(6903) Links are not supported: '%s'"
+#define FIM_WARN_STAT_BROKEN_LINK               "(6904): Error in stat() function: %s. This may be caused by a broken symbolic link (%s)."
+#define FIM_WARN_ALLOW_PREFILTER                "(6905): Ignoring prefilter option '%s'. Enable <%s> to use it."
+#define FIM_WARN_REALTIME_OVERFLOW              "(6906): Real time process: no data. Probably buffer overflow."
+#define FIM_WARN_REALTIME_OPENFAIL              "(6907): '%s' does not exist. Monitoring discarded."
+#define FIM_WARN_REALTIME_DISABLED              "(6908): Ignoring flag for real time monitoring on directory: '%s'."
+#define FIM_WARN_AUDIT_SOCKET_NOEXIST           "(6909): Audit socket (%s) does not exist. You need to restart Auditd. Who-data will be disabled."
+#define FIM_WARN_AUDIT_CONFIGURATION_MODIFIED   "(6910): Audit plugin configuration was modified. You need to restart Auditd. Who-data will be disabled."
+#define FIM_WARN_AUDIT_RULES_MODIFIED           "(6911): Detected Audit rules manipulation: Audit rules removed."
+#define FIM_WARN_AUDIT_CONNECTION_CLOSED        "(6912): Audit: connection closed."
+#define FIM_WARN_AUDIT_THREAD_NOSTARTED         "(6913): Who-data engine could not start. Switching who-data to real-time."
+#define FIM_WARN_GENDIFF_SNAPSHOT               "(6914): Cannot create a snapshot of file '%s'"
+#define FIM_WARN_WHODATA_AUTOCONF               "(6915): Audit policies could not be auto-configured due to the Windows version. Check if they are correct for whodata mode."
+#define FIM_WARN_WHODATA_LOCALPOLICIES          "(6916): Local audit policies could not be configured."
+#define FIM_WARN_WHODATA_EVENT_OVERFLOW         "(6917): Real-time Whodata events queue for Windows has more than %d elements."
+#define FIM_WARN_NFS_INOTIFY                    "(6918): '%s' NFS Directories do not support iNotify."
+#define FIM_INV_REG                             "(6919): Invalid syscheck registry entry: '%s' arch: '%s'."
+#define FIM_REG_OPEN                            "(6920): Unable to open registry key: '%s' arch: '%s'."
+#define FIM_WARN_FILE_REALTIME                  "(6921): Unable to configure real-time option for file: '%s'"
+#define FIM_PATH_NOT_OPEN                       "(6922): Cannot open '%s': %s"
+
+#define FIM_AUDIT_NORUNNING                     "(6923): Who-data engine cannot start because Auditd is not running."
+#define FIM_INVALID_OPTION_SKIP                 "(6924): Invalid option '%s' for attribute '%s'. The paths '%s' will not be monitored."
+#define FIM_WARN_WHODATA_ADD_RULE               "(6925): Unable to add audit rule for '%s'"
+#define FIM_DB_FULL_ALERT_FILE                  "(6926): File database is 100%% full."
+#define FIM_DB_FULL_ALERT_REG                   "(6927): Registry database is 100%% full."
+#define FIM_WARN_WHODATA_GETID                  "(6928): Couldn't get event ID from Audit message. Line: '%s'."
+#define FIM_WARN_WHODATA_EVENT_TOOLONG          "(6929): Caching Audit message: event too long. Event with ID: '%s' will be discarded."
+#define FIM_WARN_MAX_DIR_REACH                  "(6930): Maximum number of directories to be monitored in the same tag reached (%d) Excess are discarded: '%s'"
+#define FIM_WARN_MAX_REG_REACH                  "(6931): Maximum number of registries to be monitored in the same tag reached (%d) Excess are discarded: '%s'"
+#define FIM_WHODATA_PARAMETER                   "(6932): Invalid parameter type (%ld) for '%s'."
+#define FIM_WHODATA_RENDER_EVENT                "(6933): Error rendering the event. Error %lu."
+#define FIM_WHODATA_RENDER_PARAM                "(6934): Invalid number of rendered parameters."
+#define FIM_DB_TEMPORARY_FILE_POSITION          "(6935): Unable to reposition temporary file to beginning. Error[%d]: '%s'"
+#define FIM_REG_VAL_WRONG_TYPE                  "(6936): Wrong registry value type processed for report_changes."
+#define FIM_INVALID_REG_OPTION_SKIP             "(6937): Invalid option '%s' for attribute '%s'. The registry '%s' not be monitored."
+#define FIM_REGISTRY_EVENT_NULL_ENTRY           "(6938): Invalid null registry event."
+#define FIM_REGISTRY_EVENT_NULL_ENTRY_KEY       "(6939): Invalid registry event with a null key was detected."
+#define FIM_REGISTRY_EVENT_WRONG_ENTRY_TYPE     "(6940): Invalid registry event with a type different than registry was detected."
+#define FIM_REGISTRY_EVENT_WRONG_SAVED_TYPE     "(6941): Invalid registry event with a saved type different than registry was detected."
+#define FIM_REGISTRY_UNSCANNED_KEYS_FAIL        "(6942): Failed to get unscanned registry keys."
+#define FIM_REGISTRY_UNSCANNED_VALUE_FAIL       "(6943): Failed to get unscanned registry values."
+#define FIM_REGISTRY_FAIL_TO_INSERT_VALUE       "(6944): Failed to insert value '%s %s\\%s'"
+#define FIM_REGISTRY_FAIL_TO_GET_KEY_ID         "(6945): Unable to get id for registry key '%s %s'"
+#define FIM_AUDIT_DISABLED                      "(6946): Audit is disabled."
+#define FIM_WARN_FORMAT_PATH                    "(6947): Error formatting path: '%s'"
+#define FIM_DATABASE_NODES_COUNT_FAIL           "(6948): Unable to get the number of entries in database."
+#define FIM_CJSON_ERROR_CREATE_ITEM             "(6949): Cannot create a cJSON item"
+#define FIM_REGISTRY_ACC_SID                    "(6950): Error in LookupAccountSid getting %s. (%ld): %s"
+#define FIM_WHODATA_ERROR_CHECKING_POL          "(6951): Unable to check the necessary policies for whodata: %s (%lu)."
+#define FIM_WHODATA_POLICY_CHANGE_CHECKER       "(6952): Audit policy change detected. Switching directories to realtime."
+#define FIM_WHODATA_POLICY_CHANGE_CHANNEL       "(6953): Event 4719 received due to changes in audit policy. Switching directories to realtime."
+#define FIM_EMPTY_CHANGED_ATTRIBUTES            "(6954): Entry '%s' does not have any modified fields. No event will be generated."
+#define FIM_INVALID_FILE_NAME                   "(6955): Ignoring file '%s' due to unsupported name (non-UTF8)."
+#define FIM_FULL_AUDIT_QUEUE                    "(6956): Internal audit queue is full. Some events may be lost. Next scheduled scan will recover lost data."
+
+/* Monitord warning messages */
+#define ROTATE_LOG_LONG_PATH                    "(7500): The path of the rotated log is too long."
+#define ROTATE_JSON_LONG_PATH                   "(7501): The path of the rotated json is too long."
+#define COMPRESSED_LOG_LONG_PATH                "(7502): The path of the compressed log is too long."
+#define COMPRESSED_JSON_LONG_PATH               "(7503): The path of the compressed json is too long."
+
+/* Wazuh-logtest warning messages*/
+#define LOGTEST_INV_NUM_THREADS                 "(7000): Number of logtest threads too high. Only creates %d threads"
+#define LOGTEST_INV_NUM_USERS                   "(7001): Number of maximum users connected in logtest too high. Only allows %d users"
+#define LOGTEST_INV_NUM_TIMEOUT                 "(7002): Number of maximum user timeouts in logtest too high. Only allows %ds maximum timeouts"
+#define LOGTEST_WARN_TOKEN_EXPIRED              "(7003): '%s' token expires"
+#define LOGTEST_WARN_SESSION_NOT_FOUND          "(7004): No session found for token '%s'"
+#define LOGTEST_WARN_FIELD_NOT_OBJECT_IGNORE    "(7005): '%s' field must be a JSON object. The parameter will be ignored"
+#define LOGTEST_WARN_FIELD_NOT_BOOLEAN_IGNORE   "(7006): '%s' field must be a boolean. The parameter will be ignored"
+
+
+/* Ruleset reading warnings */
+#define ANALYSISD_INV_VALUE_RULE                "(7600): Invalid value '%s' for attribute '%s' in rule %d."
+#define ANALYSISD_INV_VALUE_DEFAULT             "(7601): Invalid value for attribute '%s' in '%s' option " \
+                                                        "(decoder `%s`). Default value will be used."
+#define ANALYSISD_INV_OPT_VALUE_DEFAULT         "(7602): Invalid value '%s' in '%s' option " \
+                                                        "(decoder `%s`). Default value will be used."
+#define ANALYSISD_DEC_DEPRECATED_OPT_VALUE      "(7603): Deprecated value '%s' in '%s' option " \
+                                                        "(decoder `%s`). Default value will be used."
+#define ANALYSISD_IGNORE_RULE                   "(7604): Rule '%d' will be ignored."
+#define ANALYSISD_INV_OVERWRITE                 "(7605): It is not possible to overwrite '%s' value " \
+                                                        "in rule '%d'. The original value is retained."
+#define ANALYSISD_INV_SIG_ID                    "(7607): Invalid '%s'. Signature ID must be an integer. " \
+                                                        "Rule '%d' will be ignored."
+#define ANALYSISD_LEVEL_NOT_FOUND               "(7608): Level ID '%d' was not found. Invalid 'if_level'. " \
+                                                        "Rule '%d' will be ignored."
+#define ANALYSISD_INV_IF_LEVEL                  "(7609): Invalid 'if_level' value: '%s'. Rule '%d' will be ignored."
+#define ANALYSISD_GROUP_NOT_FOUND               "(7610): Group '%s' was not found. Invalid 'if_group'. " \
+                                                        "Rule '%d' will be ignored."
+#define ANALYSISD_CATEGORY_NOT_FOUND            "(7611): Category was not found. Invalid 'category'. " \
+                                                        "Rule '%d' will be ignored."
+#define ANALYSISD_DUPLICATED_SIG_ID             "(7612): Rule ID '%d' is duplicated. Only the first occurrence will be "\
+                                                        "considered."
+#define ANALYSISD_OVERWRITE_MISSING_RULE        "(7613): Rule ID '%d' does not exist but 'overwrite' is set to 'yes'. "\
+                                                        "Still, the rule will be loaded."
+#define ANALYSISD_NULL_RULE                     "(7614): Rule pointer is NULL. Skipping."
+#define ANALYSISD_INV_IF_MATCHED_SID            "(7615): Invalid 'if_matched_sid' value: '%s'. Rule '%d' will be ignored."
+#define ANALYSISD_LIST_NOT_LOADED               "(7616): List '%s' could not be loaded. Rule '%d' will be ignored."
+#define ANALYSISD_SIG_ID_NOT_FOUND              "(7617): Signature ID '%d' was not found and will be ignored "\
+                                                        "in the 'if_sid' option of rule '%d'."
+#define ANALYSISD_INVALID_IF_SID                "(7618): Invalid 'if_sid' value: '%s'. Rule '%d' will be ignored."
+#define ANALYSISD_EMPTY_SID                     "(7619): Empty 'if_sid' value. Rule '%d' will be ignored."
+#define ANALYSISD_SIG_ID_NOT_FOUND_MID          "(7620): Signature ID '%d' was not found. Invalid 'if_matched_sid'."\
+                                                         "Rule '%d' will be ignored."
+
+/* Logcollector */
+#define LOGCOLLECTOR_INV_VALUE_DEFAULT          "(8000): Invalid value '%s' for attribute '%s' in '%s' option. " \
+                                                "Default value will be used."
+#define LOGCOLLECTOR_MULTILINE_SUPPORT          "(8001): log_format '%s' does not support multiline_regex option." \
+                                                " Will be ignored."
+#define LOGCOLLECTOR_MULTILINE_AGE_TIMEOUT      "(8002): 'age' cannot be less than 'timeout' in multiline_regex option."\
+                                                " 'age' will be ignored."
+#define LOGCOLLECTOR_INV_VALUE_IGNORE           "(8003): Invalid value '%s' for attribute '%s' in '%s' option. " \
+                                                "Attribute will be ignored."
+#define LOGCOLLECTOR_OPTION_IGNORED             "(8004): log_format '%s' does not support '%s' option." \
+                                                " Option will be ignored."
+#define LOGCOLLECTOR_INV_MACOS                  "(8005): Invalid location value '%s' when using 'macos' as " \
+                                                "'log_format'. Default value will be used."
+#define LOGCOLLECTOR_MISSING_LOCATION_MACOS     "(8006): Missing 'location' element when using 'macos' as " \
+                                                "'log_format'. Default value will be used."
+#define LOGCOLLECTOR_DEFAULT_REGEX_TYPE         "(8007): Invalid type in '%s' regex '%s', setting by default PCRE2 regex."
+
+#define LOGCOLLECTOR_JOURNAL_LOG_LIB_FAIL_LOAD      "(8008): Failed to load '%s': '%s'."
+#define LOGCOLLECTOR_JOURNAL_LOG_LIB_FAIL_OWN       "(8009): The library '%s' is not owned by the root user."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_OPEN          "(8010): Failed open journal log: '%s'."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_READ_TS       "(8011): Failed to read timestamp from journal log: '%s'. Using current time."
+#define LOGCOLLECTOR_JOURNAL_LOG_FUTURE_TS          "(8012): The timestamp '%" PRIu64 "' is in the future or invalid. Using the most recent entry."
+#define LOGCOLLECTOR_JOURNAL_LOG_FAIL_READ_OLD_TS   "(8013): Failed to read oldest timestamp from journal log: '%s'."
+#define LOGCOLLECTOR_JOURNAL_LOG_CHANGE_TS          "(8014): The timestamp '%" PRIu64 "' is older than the oldest available in journal. Using the oldest entry."
+
+#define LOGCOLLECTOR_JOURNAL_CONFG_FAIL_FILTER      "(8015): Cannot add filter, the block will be ignored."
+#define LOGCOLLECTOR_JOURNAL_CONFG_MISSING_LOC      "(8016): Missing 'location' element when using '%s' as 'log_format'. Default value will be used."
+#define LOGCOLLECTOR_JOURNAL_CONFG_INVALID_LOC      "(8017): Invalid location value '%s' when using '%s' as 'log_format'. Default value will be used."
+#define LOGCOLLECTOR_JOURNAL_CONFG_NOT_JOURNAL_FILTER "(8018): log_format '%s' does not support filter option. Will be ignored."
+#define LOGCOLLECTOR_JOURNAL_CONFG_EMPTY_FILTER_FIELD "(8019): The field for the journal filter cannot be empty."
+#define LOGCOLLECTOR_JOURNAL_CONFG_EMPTY_FILTER_EXPR  "(8020): The expression for the journal filter cannot be empty."
+#define LOGCOLLECTOR_JOURNAL_CONFG_FILTER_EXP_FAIL    "(8021): Error compiling the PCRE2 expression '%s' for field '%s' in journal filter."
+#define LOGCOLLECTOR_JOURNAL_CONFG_DISABLE_FILTER    "(8022): The filters of the journald log will be disabled in the merge, because one of the configuration does not have filters."
+
+/* Remoted */
+#define REMOTED_NET_PROTOCOL_ERROR              "(9000): Error getting protocol. Default value (%s) will be used."
+#define REMOTED_INV_VALUE_IGNORE                "(9001): Ignored invalid value '%s' for '%s'."
+#define REMOTED_NET_PROTOCOL_ONLY_SECURE        "(9002): Only secure connection supports TCP and UDP at the same time."\
+                                                " Default value (%s) will be used."
+#define REMOTED_INV_VALUE_DEFAULT               "(9004): Invalid value '%s' in '%s' option. " \
+                                                "Default value will be used."
+#endif /* WARN_MESSAGES_H */
diff --git a/src/modules/ms_graph/tests/CMakeLists.txt b/src/common/exec_op/CMakeLists.txt
similarity index 100%
rename from src/modules/ms_graph/tests/CMakeLists.txt
rename to src/common/exec_op/CMakeLists.txt
diff --git a/src/common/exec_op/include/exec_op.h b/src/common/exec_op/include/exec_op.h
new file mode 100644
index 0000000000..09a866c710
--- /dev/null
+++ b/src/common/exec_op/include/exec_op.h
@@ -0,0 +1,43 @@
+/*
+ * Subprocess execution library
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 1, 2018
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef EXEC_OP_H
+#define EXEC_OP_H
+
+#define W_BIND_STDOUT   001
+#define W_BIND_STDERR   002
+#define W_CHECK_WRITE   004
+#define W_BIND_STDIN    020
+
+#ifdef WIN32
+#define WEXITSTATUS(x) x
+#endif
+
+typedef struct wfd_t {
+    FILE * file_in;
+    FILE * file_out;
+#ifdef WIN32
+    PROCESS_INFORMATION pinfo;
+#else
+    pid_t pid;
+#endif
+} wfd_t;
+
+// Open a stream from a process without shell (execvp form)
+wfd_t * wpopenv(const char * path, char * const * argv, int flags);
+
+// Open a stream from a process without shell (execlp form)
+wfd_t * wpopenl(const char * path, int flags, ...);
+
+// Close stream and return exit status
+int wpclose(wfd_t * wfd);
+
+#endif // EXEC_OP_H
diff --git a/src/common/exec_op/src/exec_op.c b/src/common/exec_op/src/exec_op.c
new file mode 100644
index 0000000000..0cada856d4
--- /dev/null
+++ b/src/common/exec_op/src/exec_op.c
@@ -0,0 +1,363 @@
+/*
+ * Subprocess execution library
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 1, 2018
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+
+// Open a stream from a process without shell (execvp form)
+wfd_t * wpopenv(const char * path, char * const * argv, int flags) {
+    wfd_t * wfd;
+    FILE * fp_in = NULL;
+    FILE * fp_out = NULL;
+
+#ifdef WIN32
+    int fd;
+    LPTSTR lpCommandLine = NULL;
+    HANDLE hPipeIn[2] = { INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE };
+    HANDLE hPipeOut[2] = { INVALID_HANDLE_VALUE, INVALID_HANDLE_VALUE };
+    STARTUPINFO sinfo = { .cb = sizeof(STARTUPINFO), .dwFlags = STARTF_USESTDHANDLES };
+    PROCESS_INFORMATION pinfo = { 0 };
+
+    // Create pipes
+
+    if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+        if (!CreatePipe(&hPipeOut[0], &hPipeOut[1], NULL, 0)) {
+            merror("CreatePipe(): %ld", GetLastError());
+            return NULL;
+        }
+
+        if (!SetHandleInformation(hPipeOut[1], HANDLE_FLAG_INHERIT, 1)) {
+            merror("SetHandleInformation(): %ld", GetLastError());
+            CloseHandle(hPipeOut[0]);
+            CloseHandle(hPipeOut[1]);
+            return NULL;
+        }
+
+        if (fd = _open_osfhandle((int)hPipeOut[0], 0), fd < 0) {
+            merror("_open_osfhandle(): %ld", GetLastError());
+            CloseHandle(hPipeOut[0]);
+            CloseHandle(hPipeOut[1]);
+            return NULL;
+        }
+
+        if (fp_out = _fdopen(fd, "r"), !fp_out) {
+            merror("_fdopen(): %ld", GetLastError());
+            _close(fd);
+            CloseHandle(hPipeOut[1]);
+            return NULL;
+        }
+
+        sinfo.hStdOutput = flags & W_BIND_STDOUT ? hPipeOut[1] : NULL;
+        sinfo.hStdError = flags & W_BIND_STDERR ? hPipeOut[1] : NULL;
+    }
+
+    if (flags & W_BIND_STDIN) {
+        if (!CreatePipe(&hPipeIn[0], &hPipeIn[1], NULL, 0)) {
+            merror("CreatePipe(): %ld", GetLastError());
+
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                CloseHandle(hPipeOut[1]);
+            }
+
+            return NULL;
+        }
+
+        if (!SetHandleInformation(hPipeIn[0], HANDLE_FLAG_INHERIT, 1)) {
+            merror("SetHandleInformation(): %ld", GetLastError());
+            CloseHandle(hPipeIn[0]);
+            CloseHandle(hPipeIn[1]);
+
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                CloseHandle(hPipeOut[1]);
+            }
+
+            return NULL;
+        }
+
+        if (fd = _open_osfhandle((int)hPipeIn[1], 0), fd < 0) {
+            merror("_open_osfhandle(): %ld", GetLastError());
+            CloseHandle(hPipeIn[0]);
+            CloseHandle(hPipeIn[1]);
+
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                CloseHandle(hPipeOut[1]);
+            }
+
+            return NULL;
+        }
+
+        if (fp_in = _fdopen(fd, "w"), !fp_in) {
+            merror("_fdopen(): %ld", GetLastError());
+            _close(fd);
+            CloseHandle(hPipeIn[0]);
+
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                CloseHandle(hPipeOut[1]);
+            }
+
+            return NULL;
+        }
+
+        sinfo.hStdInput = hPipeIn[0];
+    }
+
+    // Format command string
+
+    if (argv[0]) {
+        unsigned i;
+        size_t zarg;
+        size_t zcommand = strlen(argv[0]) + 3;
+        os_malloc(zcommand, lpCommandLine);
+        snprintf(lpCommandLine, zcommand, "\"%s\"", argv[0]);
+
+        for (i = 1; argv[i]; ++i) {
+            zarg = strlen(argv[i]) + 1;
+            os_realloc(lpCommandLine, zcommand + zarg, lpCommandLine);
+            snprintf(lpCommandLine + zcommand - 1, zarg + 1, " %s", argv[i]);
+            zcommand += zarg;
+        }
+
+        mdebug2("path = '%s', command = '%s'", path, lpCommandLine);
+    }
+
+    if (!CreateProcess(NULL, lpCommandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo)) {
+        mdebug1("CreateProcess(): %ld", GetLastError());
+
+        if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+            fclose(fp_out);
+            CloseHandle(hPipeOut[1]);
+        }
+
+        if (flags & W_BIND_STDIN) {
+            fclose(fp_in);
+            CloseHandle(hPipeIn[0]);
+        }
+
+        if (lpCommandLine) {
+            free(lpCommandLine);
+        }
+
+        return NULL;
+    }
+
+    free(lpCommandLine);
+    os_calloc(1, sizeof(wfd_t), wfd);
+
+    if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+        CloseHandle(hPipeOut[1]);
+        wfd->file_out = fp_out;
+    }
+
+    if (flags & W_BIND_STDIN) {
+        CloseHandle(hPipeIn[0]);
+        wfd->file_in = fp_in;
+    }
+
+    wfd->pinfo = pinfo;
+    return wfd;
+
+#else
+
+    pid_t pid;
+    int pipe_in[2] = { -1, -1 };
+    int pipe_out[2] = { -1, -1 };
+
+    if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+        if (pipe(pipe_out) < 0) {
+            return NULL;
+        }
+
+        fp_out = fdopen(pipe_out[0], "r");
+
+        if (fp_out == NULL) {
+            close(pipe_out[0]);
+            close(pipe_out[1]);
+            return NULL;
+        }
+    }
+
+    if (flags & W_BIND_STDIN) {
+        if (pipe(pipe_in) < 0) {
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                close(pipe_out[1]);
+            }
+
+            return NULL;
+        }
+
+        fp_in = fdopen(pipe_in[1], "w");
+        if (fp_in == NULL) {
+            close(pipe_in[0]);
+            close(pipe_in[1]);
+
+            if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+                fclose(fp_out);
+                close(pipe_out[1]);
+            }
+
+            return NULL;
+        }
+    }
+
+    os_calloc(1, sizeof(wfd_t), wfd);
+    wfd->file_in = fp_in;
+    wfd->file_out = fp_out;
+
+    switch (pid = fork(), pid) {
+    case -1:
+        // Error
+        break;
+
+    case 0:
+        // Child code
+
+        if (flags & W_CHECK_WRITE && !access(path, W_OK)) {
+            merror("At wpopenv(): file '%s' has write permissions.", path);
+            _exit(127);
+        }
+
+        int fd_null = open("/dev/null", O_RDWR, 0);
+
+        if (fd_null < 0) {
+            merror_exit(FOPEN_ERROR, "/dev/null", errno, strerror(errno));
+        }
+
+        if (flags & W_BIND_STDOUT) {
+            dup2(pipe_out[1], STDOUT_FILENO);
+        } else {
+            dup2(fd_null, STDOUT_FILENO);
+        }
+
+        if (flags & W_BIND_STDERR) {
+            dup2(pipe_out[1], STDERR_FILENO);
+        } else {
+            dup2(fd_null, STDERR_FILENO);
+        }
+
+        if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+            close(pipe_out[0]); // Used by parent process.
+            close(pipe_out[1]); // Already duplicated.
+        }
+
+        if (flags & W_BIND_STDIN) {
+            dup2(pipe_in[0], STDIN_FILENO);
+            close(pipe_in[0]);  // Already duplicated.
+            close(pipe_in[1]);  // Used by parent process.
+        } else {
+            dup2(fd_null, STDIN_FILENO);
+        }
+
+        close(fd_null);
+        setsid();
+        execvp(path, argv);
+        _exit(127);
+
+    default:
+        // Parent code
+
+        if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+            close(pipe_out[1]);
+        }
+
+        if (flags & W_BIND_STDIN) {
+            close(pipe_in[0]);
+        }
+
+        wfd->pid = pid;
+        return wfd;
+    }
+
+    // Error
+
+    if (flags & (W_BIND_STDOUT | W_BIND_STDERR)) {
+        fclose(fp_out);
+        close(pipe_out[1]);
+    }
+
+    if (flags & W_BIND_STDIN) {
+        fclose(fp_in);
+        close(pipe_in[0]);
+    }
+
+    free(wfd);
+    return NULL;
+#endif // WIN32
+}
+
+// Open a stream from a process without shell (execlp form)
+wfd_t * wpopenl(const char * path, int flags, ...) {
+    int argi;
+    char * arg;
+    char ** argv;
+    va_list args;
+    wfd_t * wfd;
+
+    os_malloc(sizeof(char *), argv);
+    va_start(args, flags);
+
+    for (argi = 0; arg = va_arg(args, char *), arg; ++argi) {
+        argv[argi] = strdup(arg);
+        os_realloc(argv, (argi + 2) * sizeof(char *), argv);
+    }
+
+    va_end(args);
+    argv[argi] = NULL;
+    wfd = wpopenv(path, argv, flags);
+
+    while (argi > 0) {
+        free(argv[--argi]);
+    }
+
+    free(argv);
+    return wfd;
+}
+
+// Close stream and return exit status
+int wpclose(wfd_t * wfd) {
+    int wstatus;
+
+    if (wfd->file_in) {
+        fclose(wfd->file_in);
+    }
+
+    if (wfd->file_out) {
+        fclose(wfd->file_out);
+    }
+
+#ifdef WIN32
+    DWORD exitcode;
+
+    switch (WaitForSingleObject(wfd->pinfo.hProcess, INFINITE)) {
+    case WAIT_OBJECT_0:
+        GetExitCodeProcess(wfd->pinfo.hProcess, &exitcode);
+        wstatus = exitcode;
+        break;
+    default:
+        merror("WaitForSingleObject(): %ld", GetLastError());
+        wstatus = -1;
+    }
+
+    CloseHandle(wfd->pinfo.hProcess);
+    CloseHandle(wfd->pinfo.hThread);
+    free(wfd);
+    return wstatus;
+#else
+    pid_t pid;
+
+    while (pid = waitpid(wfd->pid, &wstatus, 0), pid == -1 && errno == EINTR);
+    free(wfd);
+    return pid == -1 ? -1 : wstatus;
+#endif
+}
diff --git a/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.c b/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.c
new file mode 100644
index 0000000000..cad1ffcb6b
--- /dev/null
+++ b/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.c
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "exec_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+extern void write_date_storage();
+
+int __wrap_wpclose(__attribute__((unused)) wfd_t * wfd) {
+    return mock();
+}
+
+wfd_t *__wrap_wpopenl(__attribute__((unused)) const char * path, __attribute__((unused)) int flags, ...) {
+    return mock_type(wfd_t *);
+}
+
+wfd_t *__wrap_wpopenv(__attribute__((unused)) const char * path,
+                      __attribute__((unused)) char * const * argv,
+                      __attribute__((unused)) int flags) {
+    return mock_type(wfd_t *);
+}
diff --git a/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.h b/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.h
new file mode 100644
index 0000000000..6cad279695
--- /dev/null
+++ b/src/common/exec_op/tests/unit/wrappers/exec_op_wrappers.h
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef EXEC_OP_WRAPPERS_H
+#define EXEC_OP_WRAPPERS_H
+
+#ifdef WIN32
+#include <processthreadsapi.h>
+#endif
+#include <stdio.h>
+#include <sys/types.h>
+#include "../headers/exec_op.h"
+
+int __wrap_wpclose(wfd_t * wfd);
+
+wfd_t *__wrap_wpopenl(const char * path, int flags, ...);
+
+wfd_t *__wrap_wpopenv(const char * path, char * const * argv, int flags);
+
+#endif
diff --git a/src/modules/office365/tests/CMakeLists.txt b/src/common/expression/CMakeLists.txt
similarity index 100%
rename from src/modules/office365/tests/CMakeLists.txt
rename to src/common/expression/CMakeLists.txt
diff --git a/src/common/expression/include/expression.h b/src/common/expression/include/expression.h
new file mode 100644
index 0000000000..12b69b2772
--- /dev/null
+++ b/src/common/expression/include/expression.h
@@ -0,0 +1,143 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef EXPRESSION_H_
+#define EXPRESSION_H_
+#define PCRE2_CODE_UNIT_WIDTH 8
+
+#include "../external/libpcre2/include/pcre2.h"
+#include "../os_regex/os_regex.h"
+#include "os_ip.h"
+
+#define OSMATCH_STR  "osmatch"
+#define OSREGEX_STR  "osregex"
+#define PCRE2_STR    "pcre2"
+#define STRING_STR   "string"
+
+/**
+ * @brief Determine the types of expression allowed
+ */
+typedef enum {
+    EXP_TYPE_INVALID = -1,
+    EXP_TYPE_OSREGEX,
+    EXP_TYPE_OSMATCH,
+    EXP_TYPE_STRING,
+    EXP_TYPE_OSIP_ARRAY,
+    EXP_TYPE_PCRE2,
+} w_exp_type_t;
+
+/**
+ * @brief Store information regarding to PCRE2 regex.
+ * Only for internal use in expression.c
+ */
+typedef struct {
+   pcre2_code * code;
+   char * raw_pattern;
+} w_pcre2_code_t;
+
+/**
+ * @brief Represent the expressions used in rules and decoders.
+ *
+ * It can be OSRegex, OSMatch, string or array of os_ip.
+ */
+typedef struct {
+    w_exp_type_t exp_type;  ///< Determine the type of expression
+
+    union {                 ///< The expression which analysisd works
+        OSRegex * regex;
+        OSMatch * match;
+        char * string;
+        os_ip ** ips;
+        w_pcre2_code_t * pcre2;
+    };
+
+    bool negate;            ///< Determine if the expression is afirmative or negative
+} w_expression_t;
+
+
+/**
+ * @brief Allocate zero-initialized memory for a w_expression_t variable
+ * @param var variable to initialize
+ * @param type type of expression.
+ */
+void w_calloc_expression_t(w_expression_t ** var, w_exp_type_t type);
+
+/**
+ * @brief Frees memory for a w_expression_t variable
+ * @param var variable to free
+ */
+void w_free_expression_t(w_expression_t ** var);
+
+/**
+ * @brief Call the free function w_free_expression_t with expression type reference
+ * @param var variable to free
+ */
+void w_free_expression(w_expression_t * var);
+
+/**
+ * @brief add ip to os_ip array
+ * @param ips array which save ip
+ * @param ip ip to save
+ * @return true on success, otherwise false
+ */
+bool w_expression_add_osip(w_expression_t ** var, char * ip);
+
+/**
+ * @brief Compile an expression
+ * @param expression Expression to compile
+ * @param pattern Regular expression pattern
+ * @param flags Compilation flags (dependent on expression type)
+ * @return false on error. True otherwise
+ */
+bool w_expression_compile(w_expression_t * expression, const char * pattern, int flags);
+
+/**
+ * @brief Test match a compiled pattern to string
+ * @param expression expression with compiled pattern
+ * @param str_test string to test
+ * @param regex_match Structure to manage pattern matches. NULL is accepted
+ * @param end_match if match, returns end of matched (Only PCRE2 & OSRegex). NULL is accepted
+ * @return true if match. false otherwise
+ */
+bool w_expression_match(w_expression_t * expression, const char * str_test, const char ** end_match,
+                        regex_matching * regex_match);
+
+/**
+ * @brief Frees regex_matching object
+ * @param expression expression with compiled pattern
+  * @param regex_match Structure to manage pattern matches.
+ */
+void w_free_expression_match(w_expression_t * expression, regex_matching **reg);
+
+/**
+ * @brief Fill a match_data with PCRE2 result
+ * @param captured_groups number of matches of PCRE2 execute
+ * @param str_test string to test
+ * @param match_data PCRE2 block data
+ * @param regex_match to fill
+ */
+void w_expression_PCRE2_fill_regex_match(int captured_groups, const char * str_test, pcre2_match_data * match_data,
+                                         regex_matching * regex_match);
+
+/**
+ * @brief Get regex pattern of the expression
+ * @param expression expression with compiled pattern
+ * @return Returns raw regex pattern
+ */
+const char * w_expression_get_regex_pattern(w_expression_t * expression);
+
+/**
+ * @brief Get regex type of the expression (string format)
+ * @param expression expression with compiled pattern
+ * @return Returns type of the expression
+ */
+const char * w_expression_get_regex_type(w_expression_t * expression);
+
+#endif
diff --git a/src/common/expression/src/expression.c b/src/common/expression/src/expression.c
new file mode 100644
index 0000000000..363f317688
--- /dev/null
+++ b/src/common/expression/src/expression.c
@@ -0,0 +1,362 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "expression.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#include "unit_tests/wrappers/externals/pcre2/pcre2_wrappers.h"
+#else
+#define w_pcre2_match_data_create_from_pattern pcre2_match_data_create_from_pattern
+#define w_pcre2_match                          pcre2_match
+#define w_pcre2_match_data_free                pcre2_match_data_free
+#define w_pcre2_get_ovector_pointer            pcre2_get_ovector_pointer
+#endif
+
+void w_calloc_expression_t(w_expression_t ** var, w_exp_type_t type) {
+
+    os_calloc(1, sizeof(w_expression_t), *var);
+    (*var)->exp_type = type;
+
+    switch (type) {
+
+        case EXP_TYPE_OSMATCH:
+            os_calloc(1, sizeof(OSMatch), (*var)->match);
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            os_calloc(1, sizeof(OSRegex), (*var)->regex);
+            break;
+
+        case EXP_TYPE_PCRE2:
+            os_calloc(1, sizeof(w_pcre2_code_t), (*var)->pcre2);
+            break;
+
+        default:
+            break;
+    }
+}
+
+void w_free_expression_t(w_expression_t ** var) {
+
+    if (var == NULL || *var == NULL) {
+        return;
+    }
+
+    switch ((*var)->exp_type) {
+
+        case EXP_TYPE_OSMATCH:
+            OSMatch_FreePattern((*var)->match);
+            os_free((*var)->match);
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            OSRegex_FreePattern((*var)->regex);
+            os_free((*var)->regex);
+            break;
+
+        case EXP_TYPE_PCRE2:
+            pcre2_code_free((*var)->pcre2->code);
+            os_free((*var)->pcre2->raw_pattern);
+            os_free((*var)->pcre2);
+            break;
+
+        case EXP_TYPE_STRING:
+            os_free((*var)->string);
+            break;
+
+        case EXP_TYPE_OSIP_ARRAY:
+
+            if ((*var)->ips == NULL) {
+                break;
+            }
+
+            for (int i = 0; (*var)->ips[i]; i++) {
+                w_free_os_ip((*var)->ips[i]);
+            }
+            os_free((*var)->ips);
+            break;
+
+        default:
+            break;
+    }
+    os_free(*var);
+}
+
+void w_free_expression(w_expression_t * var) {
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_match(w_expression_t * expression, regex_matching **reg){
+    if (expression == NULL) {
+        return;
+    }
+
+    switch (expression->exp_type) {
+         case EXP_TYPE_OSMATCH:
+            OSRegex_free_regex_matching(*reg);
+            os_free(*reg);
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            OSRegex_free_regex_matching(*reg);
+            os_free(*reg);
+            break;
+
+        case EXP_TYPE_PCRE2:
+            OSRegex_free_regex_matching(*reg);
+            os_free(*reg);
+            break;
+
+        case EXP_TYPE_STRING:
+            break;
+
+        case EXP_TYPE_OSIP_ARRAY:
+            break;
+
+        default:
+            break;
+    }
+}
+
+bool w_expression_add_osip(w_expression_t ** var, char * ip) {
+
+    unsigned int ip_s = 0;
+
+    if ((*var) == NULL) {
+        w_calloc_expression_t(var, EXP_TYPE_OSIP_ARRAY);
+    }
+
+    while ((*var)->ips && (*var)->ips[ip_s]) {
+        ip_s++;
+    }
+
+    os_realloc((*var)->ips, (ip_s + 2) * sizeof(os_ip *), (*var)->ips);
+    os_calloc(1, sizeof(os_ip), (*var)->ips[ip_s]);
+    (*var)->ips[ip_s + 1] = NULL;
+
+    if (!OS_IsValidIP(ip, (*var)->ips[ip_s])) {
+        w_free_expression_t(var);
+        return false;
+    }
+
+    return true;
+}
+
+bool w_expression_compile(w_expression_t * expression, const char * pattern, int flags) {
+
+    bool retval = true;
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+
+    switch (expression->exp_type) {
+
+        case EXP_TYPE_OSMATCH:
+            if (!OSMatch_Compile(pattern, expression->match, flags)) {
+                retval = false;
+            }
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            if (!OSRegex_Compile(pattern, expression->regex, flags)) {
+                retval = false;
+            }
+            break;
+
+        case EXP_TYPE_PCRE2:
+            expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+            os_strdup(pattern, expression->pcre2->raw_pattern);
+
+            if (!expression->pcre2->code) {
+                retval = false;
+            }
+
+            break;
+
+        case EXP_TYPE_STRING:
+            os_strdup(pattern, expression->string);
+            break;
+
+        default:
+            break;
+    }
+
+    return retval;
+}
+
+bool w_expression_match(w_expression_t * expression, const char * str_test, const char ** end_match,
+                        regex_matching * regex_match) {
+
+    bool retval = false;
+    const char * ret_match = NULL;
+
+    regex_matching status_match = { .sub_strings = NULL };
+    pcre2_match_data * match_data = NULL;
+    PCRE2_SIZE * ovector = NULL;
+    int captured_groups = 0;
+
+    if (expression == NULL || str_test == NULL) {
+        return retval;
+    }
+
+    switch (expression->exp_type) {
+
+        case EXP_TYPE_OSMATCH:
+            retval = (OSMatch_Execute(str_test, strlen(str_test), expression->match)) ? true : false;
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            if (regex_match == NULL) {
+                regex_match = &status_match;
+            }
+
+            if (ret_match = OSRegex_Execute_ex(str_test, expression->regex, regex_match), ret_match) {
+                retval = true;
+            }
+
+            if (status_match.sub_strings != NULL) {
+                OSRegex_free_regex_matching(&status_match);
+            }
+            break;
+
+        case EXP_TYPE_PCRE2:
+
+            if (match_data = w_pcre2_match_data_create_from_pattern(expression->pcre2->code, NULL), !match_data) {
+                break;
+            }
+            captured_groups = w_pcre2_match(expression->pcre2->code, (PCRE2_SPTR) str_test,
+                                          strlen(str_test), 0, 0, match_data, NULL);
+
+            /* successful match */
+            if (captured_groups > 0) {
+                retval = true;
+                ovector = w_pcre2_get_ovector_pointer(match_data);
+                ret_match = str_test + ovector[1] - 1;
+
+                if (regex_match) {
+                    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+                }
+            }
+            w_pcre2_match_data_free(match_data);
+            break;
+
+        case EXP_TYPE_STRING:
+            retval = (strcmp(expression->string, str_test) != 0) ? false : true;
+            break;
+
+        case EXP_TYPE_OSIP_ARRAY:
+            retval = OS_IPFoundList(str_test, expression->ips) ? true: false;
+            break;
+
+        default:
+            break;
+    }
+
+    if (end_match && ret_match) {
+        *end_match = ret_match;
+    }
+
+    return retval;
+}
+
+void w_expression_PCRE2_fill_regex_match(int captured_groups, const char * str_test, pcre2_match_data * match_data,
+                                         regex_matching * regex_match) {
+
+    PCRE2_SIZE * ovector;
+    char *** sub_strings;
+    regex_dynamic_size * str_sizes;
+
+    /* Check if captured at least one group besides matching */
+    if (captured_groups < 2 || !str_test || !match_data || !regex_match) {
+        return;
+    }
+
+    sub_strings = &regex_match->sub_strings;
+    str_sizes = &regex_match->d_size;
+
+    w_FreeArray(*sub_strings);
+    os_realloc(*sub_strings, sizeof(char *) * captured_groups, *sub_strings);
+    memset((void *) *sub_strings, 0, sizeof(char *) * captured_groups);
+    str_sizes->sub_strings_size = sizeof(char *) * captured_groups;
+
+    ovector = w_pcre2_get_ovector_pointer(match_data);
+    for (int i = 1; i < captured_groups; i++) {
+        size_t substring_length = ovector[2 * i + 1] - ovector[2 * i];
+        regex_match->sub_strings[i - 1] = w_strndup(str_test + ovector[2 * i], substring_length);
+    }
+    regex_match->sub_strings[captured_groups - 1] = NULL;
+}
+
+const char * w_expression_get_regex_pattern(w_expression_t * expression) {
+
+    const char * retval = NULL;
+
+    if (!expression) {
+        return retval;
+    }
+
+    switch (expression->exp_type) {
+
+        case EXP_TYPE_OSREGEX:
+            retval = expression->regex->raw;
+            break;
+
+        case EXP_TYPE_OSMATCH:
+            retval = expression->match->raw;
+            break;
+
+        case EXP_TYPE_PCRE2:
+            retval = expression->pcre2->raw_pattern;
+            break;
+
+        case EXP_TYPE_STRING:
+            retval = expression->string;
+            break;
+
+        default:
+            break;
+    }
+
+    return retval;
+}
+
+const char * w_expression_get_regex_type(w_expression_t * expression) {
+
+    const char * retval = NULL;
+
+    if (!expression) {
+        return retval;
+    }
+
+    switch (expression->exp_type) {
+
+        case EXP_TYPE_OSMATCH:
+            retval = OSMATCH_STR;
+            break;
+
+        case EXP_TYPE_OSREGEX:
+            retval = OSREGEX_STR;
+            break;
+
+        case EXP_TYPE_PCRE2:
+            retval = PCRE2_STR;
+            break;
+
+        case EXP_TYPE_STRING:
+            retval = STRING_STR;
+            break;
+
+        default:
+            break;
+    }
+
+    return retval;
+}
diff --git a/src/common/expression/tests/unit/tests/CMakeLists.txt b/src/common/expression/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..f53377d531
--- /dev/null
+++ b/src/common/expression/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_expression")
+set(EXPRESSION_BASE_FLAGS "-Wl,--wrap,OS_IsValidIP -Wl,--wrap,OSMatch_Execute -Wl,--wrap,OSRegex_Compile \
+                           -Wl,--wrap,OSRegex_Execute -Wl,--wrap,OSRegex_Execute_ex -Wl,--wrap,OSMatch_Compile")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${EXPRESSION_BASE_FLAGS} -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${EXPRESSION_BASE_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/expression/tests/unit/tests/test_expression.c b/src/common/expression/tests/unit/tests/test_expression.c
new file mode 100644
index 0000000000..14a73ecb00
--- /dev/null
+++ b/src/common/expression/tests/unit/tests/test_expression.c
@@ -0,0 +1,1176 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <setjmp.h>
+#include <stdio.h>
+#include <cmocka.h>
+
+#include "shared.h"
+#include "expression.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/os_regex/os_regex_wrappers.h"
+#include "../wrappers/externals/pcre2/pcre2_wrappers.h"
+
+
+void w_calloc_expression_t(w_expression_t ** var, w_exp_type_t type);
+bool w_expression_add_osip(w_expression_t ** var, char * ip);
+void w_free_expression_t(w_expression_t ** var);
+bool w_expression_match(w_expression_t * expression, const char * str_test, const char ** end_match,
+                        regex_matching * regex_match);
+void w_expression_PCRE2_fill_regex_match(int captured_groups, const char * str_test, pcre2_match_data * match_data,
+                                         regex_matching * regex_match);
+const char * w_expression_get_regex_pattern(w_expression_t * expression);
+
+
+/* setup/teardown */
+    
+/* tests */
+
+// w_calloc_expression_t
+
+void w_calloc_expression_t_match(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_calloc_expression_t(&var, EXP_TYPE_OSMATCH);
+
+    assert_non_null(var);
+    assert_non_null(var->match);
+    assert_int_equal(var->exp_type, EXP_TYPE_OSMATCH);
+
+    os_free(var->match);
+    os_free(var);
+}
+
+void w_calloc_expression_t_regex(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_calloc_expression_t(&var, EXP_TYPE_OSREGEX);
+
+    assert_non_null(var);
+    assert_non_null(var->regex);
+    assert_int_equal(var->exp_type, EXP_TYPE_OSREGEX);
+
+    os_free(var->regex);
+    os_free(var);
+}
+
+void w_calloc_expression_t_string(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_calloc_expression_t(&var, EXP_TYPE_STRING);
+
+    assert_non_null(var);
+    assert_int_equal(var->exp_type, EXP_TYPE_STRING);
+
+    os_free(var);
+}
+
+void w_calloc_expression_t_osip(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_calloc_expression_t(&var, EXP_TYPE_OSIP_ARRAY);
+
+    assert_non_null(var);
+    assert_int_equal(var->exp_type, EXP_TYPE_OSIP_ARRAY);
+
+    os_free(var);
+}
+
+void w_calloc_expression_t_pcre2(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_calloc_expression_t(&var, EXP_TYPE_PCRE2);
+
+    assert_non_null(var);
+    assert_int_equal(var->exp_type, EXP_TYPE_PCRE2);
+
+    os_free(var->pcre2);
+    os_free(var);
+}
+
+// w_expression_add_osip
+
+void w_expression_add_osip_empty_ok(void ** state)
+{
+    w_expression_t * list_ips = NULL;
+    bool retval;
+
+    expect_any(__wrap_OS_IsValidIP, ip_address);
+    expect_not_value(__wrap_OS_IsValidIP, final_ip, NULL);
+    will_return(__wrap_OS_IsValidIP, 1);
+
+    retval = w_expression_add_osip(&list_ips, NULL);
+
+    assert_true(retval);
+    assert_int_equal(list_ips->exp_type, EXP_TYPE_OSIP_ARRAY);
+    assert_null(list_ips->ips[1]);
+    assert_non_null(list_ips->ips[0]);
+
+    os_free(list_ips->ips[0]);
+    os_free(list_ips->ips) os_free(list_ips);
+}
+
+void w_expression_add_osip_empty_fail(void ** state)
+{
+    w_expression_t * list_ips = NULL;
+    bool retval;
+
+    expect_any(__wrap_OS_IsValidIP, ip_address);
+    expect_not_value(__wrap_OS_IsValidIP, final_ip, NULL);
+    will_return(__wrap_OS_IsValidIP, 0);
+
+    retval = w_expression_add_osip(&list_ips, NULL);
+
+    assert_false(retval);
+    assert_null(list_ips);
+}
+
+void w_expression_add_osip_non_empty_ok(void ** state)
+{
+    w_expression_t * list_ips = NULL;
+    bool retval;
+
+    os_calloc(1, sizeof(w_expression_t), list_ips);
+    list_ips->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(2, sizeof(os_ip *), list_ips->ips);
+    os_calloc(1, sizeof(os_ip), list_ips->ips[0]);
+
+    expect_any(__wrap_OS_IsValidIP, ip_address);
+    expect_not_value(__wrap_OS_IsValidIP, final_ip, NULL);
+    will_return(__wrap_OS_IsValidIP, 1);
+
+    retval = w_expression_add_osip(&list_ips, NULL);
+
+    assert_true(retval);
+
+    assert_int_equal(list_ips->exp_type, EXP_TYPE_OSIP_ARRAY);
+    assert_null(list_ips->ips[2]);
+    assert_non_null(list_ips->ips[1]);
+    assert_non_null(list_ips->ips[0]);
+
+    os_free(list_ips->ips[1]);
+    os_free(list_ips->ips[0]);
+    os_free(list_ips->ips) os_free(list_ips);
+}
+
+void w_expression_add_osip_non_empty_fail(void ** state)
+{
+    w_expression_t * list_ips = NULL;
+    bool retval;
+
+    os_calloc(1, sizeof(w_expression_t), list_ips);
+    list_ips->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(2, sizeof(os_ip *), list_ips->ips);
+    os_calloc(1, sizeof(os_ip), list_ips->ips[0]);
+
+    expect_any(__wrap_OS_IsValidIP, ip_address);
+    expect_not_value(__wrap_OS_IsValidIP, final_ip, NULL);
+    will_return(__wrap_OS_IsValidIP, 0);
+
+    retval = w_expression_add_osip(&list_ips, NULL);
+
+    assert_false(retval);
+    assert_null(list_ips);
+}
+
+//w_free_expression_t
+
+void w_free_expression_t_NULL(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_osmatch(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_OSMATCH;
+
+    os_calloc(1, sizeof(OSMatch), var->match);
+    os_strdup("test", var->match->raw);
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_osregex(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_OSREGEX;
+
+    os_calloc(1, sizeof(OSRegex), var->regex);
+    os_strdup("test", var->regex->raw);
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_string(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_STRING;
+
+    os_strdup("test", var->string);
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_exp_type_osip_array_NULL(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    var->ips = NULL;
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_exp_type_osip_array(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(2, sizeof(os_ip *), var->ips);
+    os_calloc(1, sizeof(os_ip), var->ips[0]);
+    os_strdup("test", var->ips[0]->ip);
+
+    w_free_expression_t(&var);
+}
+
+void w_free_expression_t_exp_type_pcre2(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = EXP_TYPE_PCRE2;
+    os_calloc(1, sizeof(w_pcre2_code_t), var->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    var->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+    w_free_expression_t(&var);
+
+    os_free(pattern);
+}
+
+void w_free_expression_t_default(void ** state)
+{
+    w_expression_t * var = NULL;
+
+    os_calloc(1, sizeof(w_expression_t), var);
+    var->exp_type = 55;
+
+    w_free_expression_t(&var);
+}
+
+// w_expression_compile
+
+void w_expression_compile_osregex_fail(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSREGEX;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    expect_string(__wrap_OSRegex_Compile, pattern,"test");
+    will_return(__wrap_OSRegex_Compile, 0);
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_false(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+void w_expression_compile_osregex(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSREGEX;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    expect_string(__wrap_OSRegex_Compile, pattern,"test");
+    will_return(__wrap_OSRegex_Compile, 1);
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+void w_expression_compile_osmatch_fail(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSMATCH;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    expect_string(__wrap_OSMatch_Compile, pattern,"test");
+    will_return(__wrap_OSMatch_Compile, 0);
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_false(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+void w_expression_compile_osmatch(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSMATCH;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    expect_string(__wrap_OSMatch_Compile, pattern,"test");
+    will_return(__wrap_OSMatch_Compile, 1);
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+void w_expression_compile_pcre2(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression->pcre2->code);
+    os_free(expression->pcre2->raw_pattern);
+    os_free(expression->pcre2);
+    os_free(expression);
+}
+
+void w_expression_compile_string(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_STRING;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression->string);
+    os_free(expression);
+}
+
+void w_expression_compile_osip_array(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+void w_expression_compile_default(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = 55;
+
+    char * pattern = NULL;
+    os_strdup("test", pattern);
+
+    int flags = 0;
+
+    bool ret = w_expression_compile(expression, pattern, flags);
+    assert_true(ret);
+
+    os_free(pattern);
+    os_free(expression);
+}
+
+// w_expression_match
+
+void w_expression_match_NULL(void ** state)
+{
+    w_expression_t * expression = NULL;
+    char * str_test = NULL;
+
+    const char* end_match = "test_end_match";
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+}
+
+void w_expression_match_osmatch(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSMATCH;
+
+    const char* end_match = "test_end_match";
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    expect_string(__wrap_OSMatch_Execute, str,"test");
+    will_return(__wrap_OSMatch_Execute, 1);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_true(ret);
+
+    os_free(str_test);
+    os_free(expression);
+}
+
+void w_expression_match_osregex(void ** state)
+{
+    test_mode = 1;
+
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSREGEX;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+
+    const char* end_match = "test_end_match";
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    expect_string(__wrap_OSRegex_Execute_ex, str,"test");
+    will_return(__wrap_OSRegex_Execute_ex, "test_osregex");
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_true(ret);
+
+    os_free(str_test);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+void w_expression_match_pcre2_match_data_NULL(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    const char* end_match = "test_end_match";
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, NULL);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+
+    os_free(str_test);
+    os_free(pattern);
+    w_free_expression_t(&expression);
+}
+
+void w_expression_match_pcre2_match_no_captured_groups(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    const char* end_match = "test_end_match";
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 0);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+
+    os_free(str_test);
+    os_free(pattern);
+    w_free_expression_t(&expression);
+}
+
+void w_expression_match_pcre2_match_captured_groups(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    const char* end_match = "test_end_match";
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    char * aux[2];
+    aux[0] = str_test;
+    aux[1] = str_test+1;
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 1);
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_true(ret);
+
+    os_free(str_test);
+    os_free(pattern);
+    w_free_expression_t(&expression);
+}
+
+void w_expression_match_pcre2_match_regex_matching(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    const char* end_match = "test_end_match";
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    char * aux[2]   ;
+    aux[0] = str_test;
+    aux[1] = str_test+1;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 1);
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, regex_match);
+    assert_true(ret);
+
+    os_free(str_test);
+    os_free(pattern);
+    os_free(regex_match);
+    w_free_expression_t(&expression);
+}
+
+void w_expression_match_string(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_STRING;
+
+    os_calloc(1, sizeof(char), expression->string);
+
+    const char* end_match = "test_end_match";
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+
+    os_free(str_test);
+    os_free(expression->string);
+    os_free(expression);
+}
+
+void w_expression_match_osip_array(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(1, sizeof(os_ip*), expression->ips);
+
+    const char* end_match = "test_end_match";
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+
+    os_free(str_test);
+    os_free(expression->ips);
+    os_free(expression);
+}
+
+/*
+        case EXP_TYPE_STRING:
+            retval = (strcmp(expression->string, str_test) != 0) ? false : true;
+            break;
+
+        case EXP_TYPE_OSIP_ARRAY:
+            retval = OS_IPFoundList(str_test, expression->ips) ? true: false;
+            break;
+*/
+
+void w_expression_match_default(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = 55;
+
+    const char* end_match = "test_end_match";
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    bool ret = w_expression_match(expression, str_test, &end_match, NULL);
+    assert_false(ret);
+
+    os_free(str_test);
+    os_free(expression);
+}
+
+void w_expression_match_end_match_NULL(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    os_calloc(1, sizeof(w_pcre2_code_t), expression->pcre2);
+
+    int errornumber = 0;
+    PCRE2_SIZE erroroffset = 0;
+    char* pattern = NULL;
+    os_strdup("test", pattern);
+
+    expression->pcre2->code = pcre2_compile((PCRE2_SPTR) pattern, PCRE2_ZERO_TERMINATED,
+                                               0, &errornumber, &erroroffset, NULL);
+
+    char * str_test = NULL;
+    os_strdup("test", str_test);
+
+    char * aux[2];
+    aux[0] = str_test;
+    aux[1] = str_test+1;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 1);
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    bool ret = w_expression_match(expression, str_test, NULL, regex_match);
+    assert_true(ret);
+
+    os_free(str_test);
+    os_free(pattern);
+    os_free(regex_match);
+    w_free_expression_t(&expression);
+}
+
+// w_expression_PCRE2_fill_regex_match
+
+void w_expression_PCRE2_fill_regex_match_no_capture_groups(void ** state)
+{
+    int captured_groups = 0;
+
+    const char * str_test = "test";
+
+    pcre2_match_data * match_data = (pcre2_match_data*)1;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+
+    os_free(regex_match);
+}
+
+void w_expression_PCRE2_fill_regex_match_str_test_NULL(void ** state)
+{
+    int captured_groups = 2;
+
+    const char * str_test = NULL;
+
+    pcre2_match_data * match_data = (pcre2_match_data*)1;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+
+    os_free(regex_match);
+}
+
+void w_expression_PCRE2_fill_regex_match_match_data_NULL(void ** state)
+{
+    int captured_groups = 2;
+
+    const char * str_test = "test";
+
+    pcre2_match_data * match_data = NULL;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+
+    os_free(regex_match);
+}
+
+void w_expression_PCRE2_fill_regex_match_regex_match_NULL(void ** state)
+{
+    int captured_groups = 2;
+
+    const char * str_test = "test";
+
+    pcre2_match_data * match_data = (pcre2_match_data*)1;
+
+    regex_matching * regex_match = NULL;
+
+    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+
+    os_free(regex_match);
+}
+
+void w_expression_PCRE2_fill_regex_match_done(void ** state)
+{
+    int captured_groups = 2;
+
+    const char * str_test = "test";
+
+    pcre2_match_data * match_data = (pcre2_match_data*)1;
+
+    regex_matching * regex_match;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    char * str_aux = NULL;
+    os_strdup("test_regex_match", str_aux);
+
+    char * aux[4];
+    aux[0] = (char*)0;
+    aux[1] = (char*)1;
+    aux[2] = (char*)2;
+    aux[3] = (char*)3;
+
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    w_expression_PCRE2_fill_regex_match(captured_groups, str_test, match_data, regex_match);
+
+    os_free(str_aux);
+    os_free(regex_match->sub_strings[0]);
+    os_free(regex_match->sub_strings);
+    os_free(regex_match);
+}
+
+// w_expression_get_regex_pattern
+
+void w_expression_get_regex_pattern_expression_NULL(void ** state)
+{
+    w_expression_t * expression = NULL;
+
+    w_expression_get_regex_pattern(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_osregex(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSREGEX;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_string_equal(ret, "test");
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_osmatch(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSMATCH;
+
+    os_calloc(1, sizeof(OSMatch), expression->match);
+    os_strdup("test", expression->match->raw);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_string_equal(ret, "test");
+
+    os_free(expression->match->raw);
+    os_free(expression->match);
+    os_free(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_pcre2(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    os_calloc(1, sizeof(OSMatch), expression->pcre2);
+    os_strdup("test", expression->pcre2->raw_pattern);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_string_equal(ret, "test");
+
+    os_free(expression->pcre2->raw_pattern);
+    os_free(expression->pcre2);
+    os_free(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_string(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_STRING;
+
+    os_strdup("test", expression->string);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_string_equal("test", ret);
+
+    os_free(expression->string);
+    os_free(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_osip_array(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_null(ret);
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+void w_expression_get_regex_pattern_exp_type_default(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = 55;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_pattern(expression);
+    assert_null(ret);
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+// w_expression_get_regex_type
+
+void w_expression_get_regex_type_expression_NULL(void ** state)
+{
+    w_expression_t * expression = NULL;
+
+    w_expression_get_regex_type(expression);
+}
+
+void w_expression_get_regex_type_exp_type_osregex(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSREGEX;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_string_equal(ret, "osregex");
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+void w_expression_get_regex_type_exp_type_osmatch(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSMATCH;
+
+    os_calloc(1, sizeof(OSMatch), expression->match);
+    os_strdup("test", expression->match->raw);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_string_equal(ret, "osmatch");
+
+    os_free(expression->match->raw);
+    os_free(expression->match);
+    os_free(expression);
+}
+
+void w_expression_get_regex_type_exp_type_pcre2(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_PCRE2;
+
+    os_calloc(1, sizeof(OSMatch), expression->pcre2);
+    os_strdup("test", expression->pcre2->raw_pattern);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_string_equal(ret, "pcre2");
+
+    os_free(expression->pcre2->raw_pattern);
+    os_free(expression->pcre2);
+    os_free(expression);
+}
+
+void w_expression_get_regex_type_exp_type_string(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_STRING;
+
+    os_strdup("test", expression->string);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_string_equal("string", ret);
+
+    os_free(expression->string);
+    os_free(expression);
+}
+
+void w_expression_get_regex_type_exp_type_osip_array(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = EXP_TYPE_OSIP_ARRAY;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_null(ret);
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+void w_expression_get_regex_type_exp_type_default(void ** state)
+{
+    w_expression_t * expression = NULL;
+    os_calloc(1, sizeof(w_expression_t), expression);
+    expression->exp_type = 55;
+
+    os_calloc(1, sizeof(OSRegex), expression->regex);
+    os_strdup("test", expression->regex->raw);
+
+    const char* ret = w_expression_get_regex_type(expression);
+    assert_null(ret);
+
+    os_free(expression->regex->raw);
+    os_free(expression->regex);
+    os_free(expression);
+}
+
+int main(void)
+{
+    const struct CMUnitTest tests[] = {
+
+        // Test w_calloc_expression_t
+        cmocka_unit_test(w_calloc_expression_t_match),
+        cmocka_unit_test(w_calloc_expression_t_regex),
+        cmocka_unit_test(w_calloc_expression_t_string),
+        cmocka_unit_test(w_calloc_expression_t_osip),
+        cmocka_unit_test(w_calloc_expression_t_pcre2),
+
+        // Tests w_add_ip_to_array
+        cmocka_unit_test(w_expression_add_osip_empty_ok),
+        cmocka_unit_test(w_expression_add_osip_empty_fail),
+        cmocka_unit_test(w_expression_add_osip_non_empty_ok),
+        cmocka_unit_test(w_expression_add_osip_non_empty_fail),
+
+        //Test w_free_expression_t
+        cmocka_unit_test(w_free_expression_t_NULL),
+        cmocka_unit_test(w_free_expression_t_osmatch),
+        cmocka_unit_test(w_free_expression_t_osregex),
+        cmocka_unit_test(w_free_expression_t_string),
+        cmocka_unit_test(w_free_expression_t_exp_type_osip_array_NULL),
+        cmocka_unit_test(w_free_expression_t_exp_type_osip_array),
+        cmocka_unit_test(w_free_expression_t_exp_type_pcre2),
+        cmocka_unit_test(w_free_expression_t_default),
+
+        //Test w_expression_compile
+        cmocka_unit_test(w_expression_compile_osregex_fail),
+        cmocka_unit_test(w_expression_compile_osregex),
+        cmocka_unit_test(w_expression_compile_osmatch_fail),
+        cmocka_unit_test(w_expression_compile_osmatch),
+        cmocka_unit_test(w_expression_compile_pcre2),
+        cmocka_unit_test(w_expression_compile_string),
+        cmocka_unit_test(w_expression_compile_osip_array),
+        cmocka_unit_test(w_expression_compile_default),
+
+        //Test w_expression_match
+        cmocka_unit_test(w_expression_match_NULL),
+        cmocka_unit_test(w_expression_match_osmatch),
+        cmocka_unit_test(w_expression_match_osregex),
+        cmocka_unit_test(w_expression_match_pcre2_match_data_NULL),
+        cmocka_unit_test(w_expression_match_pcre2_match_no_captured_groups),
+        cmocka_unit_test(w_expression_match_pcre2_match_captured_groups),
+        cmocka_unit_test(w_expression_match_pcre2_match_regex_matching),
+        cmocka_unit_test(w_expression_match_string),
+        cmocka_unit_test(w_expression_match_osip_array),
+        cmocka_unit_test(w_expression_match_default),
+        cmocka_unit_test(w_expression_match_end_match_NULL),
+
+        //Test w_expression_PCRE2_fill_regex_match
+        cmocka_unit_test(w_expression_PCRE2_fill_regex_match_no_capture_groups),
+        cmocka_unit_test(w_expression_PCRE2_fill_regex_match_str_test_NULL),
+        cmocka_unit_test(w_expression_PCRE2_fill_regex_match_match_data_NULL),
+        cmocka_unit_test(w_expression_PCRE2_fill_regex_match_regex_match_NULL),
+        cmocka_unit_test(w_expression_PCRE2_fill_regex_match_done),
+
+        //Test w_expression_PCRE2_fill_regex_match
+        cmocka_unit_test(w_expression_get_regex_pattern_expression_NULL),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_osregex),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_osmatch),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_pcre2),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_string),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_osip_array),
+        cmocka_unit_test(w_expression_get_regex_pattern_exp_type_default),
+
+        //Test w_expression_get_regex_type
+        cmocka_unit_test(w_expression_get_regex_type_expression_NULL),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_osregex),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_osmatch),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_pcre2),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_string),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_osip_array),
+        cmocka_unit_test(w_expression_get_regex_type_exp_type_default)
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/expression/tests/unit/wrappers/expression_wrappers.c b/src/common/expression/tests/unit/wrappers/expression_wrappers.c
new file mode 100644
index 0000000000..6ffdacb5d1
--- /dev/null
+++ b/src/common/expression/tests/unit/wrappers/expression_wrappers.c
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "expression_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+bool __wrap_w_expression_match(__attribute__((unused))w_expression_t * expression, __attribute__((unused))const char * str_test,
+                               __attribute__((unused))const char ** end_match, regex_matching * regex_match) {
+    int ret = mock();
+
+    if(ret < 0) {
+        if (ret == -3) {
+            regex_match->d_size.prts_str_alloc_size = 0;
+            ret = 1;
+        } else {
+            ret *= (-1);
+
+            regex_match->d_size.prts_str_alloc_size = ret *sizeof(char *);
+            os_calloc(1, sizeof(char *) * (ret + 1), regex_match->sub_strings);
+
+            regex_match->sub_strings[0] = w_strndup((char*)mock(), 128);
+
+            if (ret > 1) {
+                regex_match->sub_strings[1] = w_strndup((char*)mock(), 128);
+                regex_match->sub_strings[2] = NULL;
+            } else {
+                regex_match->sub_strings[1] = NULL;
+            }
+        }
+    }
+    return ret;
+}
+
+void __wrap_w_calloc_expression_t(__attribute__((unused))w_expression_t ** var, w_exp_type_t type) {
+    check_expected(type);
+    return;
+}
+
+void __wrap_w_free_expression_t(__attribute__((unused))w_expression_t ** var) {
+    return;
+}
+
+bool __wrap_w_expression_compile(__attribute__((unused))w_expression_t * expression, __attribute__((unused))char * pattern,
+                          __attribute__((unused))int flags) {
+    return mock_type(bool);
+}
\ No newline at end of file
diff --git a/src/common/expression/tests/unit/wrappers/expression_wrappers.h b/src/common/expression/tests/unit/wrappers/expression_wrappers.h
new file mode 100644
index 0000000000..cdbc94e2b1
--- /dev/null
+++ b/src/common/expression/tests/unit/wrappers/expression_wrappers.h
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef EXPRESSION_WRAPPERS_H
+#define EXPRESSION_WRAPPERS_H
+
+#include <stdbool.h>
+#include "../headers/shared.h"
+#include "../headers/expression.h"
+
+bool __wrap_w_expression_match(__attribute__((unused))w_expression_t * expression, __attribute__((unused))const char * str_test,
+                               __attribute__((unused))const char ** end_match, regex_matching * regex_match);
+
+void __wrap_w_calloc_expression_t(__attribute__((unused))w_expression_t ** var, w_exp_type_t type);
+
+void __wrap_w_free_expression_t(__attribute__((unused))w_expression_t ** var);
+
+bool __wrap_w_expression_compile(__attribute__((unused))w_expression_t * expression, __attribute__((unused))char * pattern,
+                          __attribute__((unused))int flags);
+
+#endif
diff --git a/src/common/fileHelper/CMakeLists.txt b/src/common/fileHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/fileHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/fileHelper/include/fileIO.hpp b/src/common/fileHelper/include/fileIO.hpp
new file mode 100644
index 0000000000..221de46e36
--- /dev/null
+++ b/src/common/fileHelper/include/fileIO.hpp
@@ -0,0 +1,48 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FILEIO_HPP
+#define _FILEIO_HPP
+
+#include <filesystem>
+#include <fstream>
+#include <functional>
+
+/**
+ * Class to read file contents
+ */
+class FileIO
+{
+    public:
+        static void readLineByLine(
+            const std::filesystem::path& filePath,
+            const std::function<bool(const std::string&)>& callback)
+        {
+            std::ifstream file(filePath);
+
+            if (!file.is_open())
+            {
+                throw std::runtime_error("Could not open file");
+            }
+
+            std::string line;
+
+            while (std::getline(file, line))
+            {
+                if (!callback(line))
+                {
+                    break;
+                }
+            }
+        }
+};
+
+#endif  // _FILEIO_HPP
diff --git a/src/common/fileHelper/include/fileSystem.hpp b/src/common/fileHelper/include/fileSystem.hpp
new file mode 100644
index 0000000000..08850d8671
--- /dev/null
+++ b/src/common/fileHelper/include/fileSystem.hpp
@@ -0,0 +1,68 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FILESYSTEM_HELPER_HPP
+#define _FILESYSTEM_HELPER_HPP
+
+#include <filesystem>
+
+/**
+ * @brief Helper class to manage filesystem operations
+ */
+template <typename TDirectoryIterator = std::filesystem::directory_iterator>
+class RealFileSystemT
+{
+    public:
+        /**
+         * @brief Check if a path exists
+         * @param path Path to check
+         * @return True if the path exists, false otherwise
+         */
+
+        static bool exists(const std::filesystem::path& path)
+        {
+            return std::filesystem::exists(path);
+        }
+
+        /**
+         * @brief Return the iterator to the first element of a directory
+         * @param path Path to check
+         * @return The iterator to the first element of a directory
+         */
+        static TDirectoryIterator directory_iterator(const std::filesystem::path& path)
+        {
+            return TDirectoryIterator(path);
+        }
+
+        /**
+         * @brief Is regular file
+         * @param path Path to check
+         * @return True if the path is a regular file, false otherwise
+         */
+        static bool is_regular_file(const std::filesystem::path& path)
+        {
+            return std::filesystem::is_regular_file(path);
+        }
+
+        /**
+         * @brief Is directory
+         * @param path Path to check
+         * @return True if the path is a directory, false otherwise
+         */
+        static bool is_directory(const std::filesystem::path& path)
+        {
+            return std::filesystem::is_directory(path);
+        }
+};
+
+using RealFileSystem = RealFileSystemT<>;
+
+#endif // _FILESYSTEM_HELPER_HPP
diff --git a/src/common/fileHelper/include/filesystemHelper.h b/src/common/fileHelper/include/filesystemHelper.h
new file mode 100644
index 0000000000..932bc19780
--- /dev/null
+++ b/src/common/fileHelper/include/filesystemHelper.h
@@ -0,0 +1,120 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 23, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FILESYSTEM_HELPER_H
+#define _FILESYSTEM_HELPER_H
+
+#include <string>
+#include <iostream>
+#include <fstream>
+#include <cstdio>
+#include <memory>
+#include <sstream>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <vector>
+#include <dirent.h>
+#include <algorithm>
+#include <array>
+#include "stringHelper.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    static bool existsDir(const std::string& path)
+    {
+        struct stat info {};
+        return !stat(path.c_str(), &info) && (info.st_mode & S_IFDIR);
+    }
+    static bool existsRegular(const std::string& path)
+    {
+        struct stat info {};
+        return !stat(path.c_str(), &info) && (info.st_mode & S_IFREG);
+    }
+#ifndef WIN32
+    static bool existsSocket(const std::string& path)
+    {
+        struct stat info {};
+        return !stat(path.c_str(), &info) && ((info.st_mode & S_IFMT) == S_IFSOCK);
+    }
+#endif
+    struct DirSmartDeleter
+    {
+        void operator()(DIR* dir)
+        {
+            closedir(dir);
+        }
+    };
+
+    static std::vector<std::string> enumerateDir(const std::string& path)
+    {
+        std::vector<std::string> ret;
+        std::unique_ptr<DIR, DirSmartDeleter> spDir{opendir(path.c_str())};
+
+        if (spDir)
+        {
+            auto entry{readdir(spDir.get())};
+
+            while (entry)
+            {
+                ret.push_back(entry->d_name);
+                entry = readdir(spDir.get());
+            }
+        }
+
+        return ret;
+    }
+
+    static std::string getFileContent(const std::string& filePath)
+    {
+        std::stringstream content;
+        std::ifstream file { filePath, std::ios_base::in };
+
+        if (file.is_open())
+        {
+            content << file.rdbuf();
+        }
+
+        return content.str();
+    }
+
+    static std::vector<char> getBinaryContent(const std::string& filePath)
+    {
+        auto size { 0 };
+        std::unique_ptr<char[]> spBuffer;
+        std::ifstream file { filePath, std::ios_base::binary };
+
+        if (file.is_open())
+        {
+            // Get pointer to associated buffer object
+            auto buffer { file.rdbuf() };
+
+            if (nullptr != buffer)
+            {
+                // Get file size using buffer's members
+                size = buffer->pubseekoff(0, file.end, file.in);
+                buffer->pubseekpos(0, file.in);
+                // Allocate memory to contain file data
+                spBuffer = std::make_unique<char[]>(size);
+                // Get file data
+                buffer->sgetn(spBuffer.get(), size);
+            }
+        }
+
+        return std::vector<char> {spBuffer.get(), spBuffer.get() + size};
+    }
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _FILESYSTEM_HELPER_H
diff --git a/src/common/fileHelper/include/stdFileSystemHelper.hpp b/src/common/fileHelper/include/stdFileSystemHelper.hpp
new file mode 100644
index 0000000000..6155eb3573
--- /dev/null
+++ b/src/common/fileHelper/include/stdFileSystemHelper.hpp
@@ -0,0 +1,112 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 23, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _STD_FILESYSTEM_HELPER_HPP
+#define _STD_FILESYSTEM_HELPER_HPP
+
+#include "globHelper.h"
+#include <array>
+#include <deque>
+#include <filesystem>
+#include <string>
+
+namespace Utils
+{
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+    static void expandAbsolutePath(const std::string& path, std::deque<std::string>& output)
+    {
+        // Find the first * or ? from path.
+        std::array<char, 2> wildcards { '*', '?' };
+        size_t wildcardPos = std::string::npos;
+
+        for (const auto& wildcard : wildcards)
+        {
+            // Find the first wildcard.
+            const auto pos = path.find_first_of(wildcard);
+
+            // If the wildcard is found and it is before the current wildcard, then update the wildcard position.
+            if (pos != std::string::npos && (wildcardPos == std::string::npos || pos < wildcardPos))
+            {
+                wildcardPos = pos;
+            }
+        }
+
+        if (wildcardPos != std::string::npos)
+        {
+            const auto parentDirectoryPos { path.find_last_of(std::filesystem::path::preferred_separator, wildcardPos) };
+
+            // The parent directory is the part of the path before the first wildcard.
+            // If the wildcard is the first character, then the parent directory is the root directory.
+            const auto nextDirectoryPos { wildcardPos == 0 ? 0 : path.find_first_of(std::filesystem::path::preferred_separator, wildcardPos) };
+
+            if (parentDirectoryPos == std::string::npos)
+            {
+                throw std::runtime_error { "Invalid path: " + path };
+            }
+
+            // The base directory is the part of the path before the first wildcard.
+            // If there is no wildcard, then the base directory is the whole path.
+            // If the wildcard is the first character, then the base directory is the root directory.
+            std::string baseDir;
+
+            if (wildcardPos == 0)
+            {
+                baseDir = "";
+            }
+            else
+            {
+                baseDir = path.substr(0, parentDirectoryPos);
+            }
+
+            // The pattern is the part of the path after the first wildcard.
+            // If the wildcard is the last character, then the pattern is the rest of the string.
+            // If the wildcard is the first character, then the pattern is the rest of the string, minus the next '\'.
+            // If there is no next '\', then the pattern is the rest of the string.
+            const auto pattern
+            {
+                path.substr(parentDirectoryPos == 0 ? 0 : parentDirectoryPos + 1,
+                            nextDirectoryPos == std::string::npos ?
+                            std::string::npos :
+                            nextDirectoryPos - (parentDirectoryPos == 0 ? 0 : parentDirectoryPos + 1))
+            };
+
+            if (std::filesystem::exists(baseDir))
+            {
+                for (const auto& entry : std::filesystem::directory_iterator(baseDir))
+                {
+                    const auto entryName { entry.path().filename().string()};
+
+                    if (patternMatch(entryName, pattern))
+                    {
+                        std::string nextPath;
+                        nextPath += baseDir;
+                        nextPath += std::filesystem::path::preferred_separator;
+                        nextPath += entryName;
+                        nextPath += nextDirectoryPos == std::string::npos ? "" :
+                                    path.substr(nextDirectoryPos);
+
+                        expandAbsolutePath(nextPath, output);
+                    }
+                }
+            }
+        }
+        else
+        {
+            output.push_back(path);
+        }
+    }
+#pragma GCC diagnostic pop
+};
+
+
+#endif // _STD_FILESYSTEM_HELPER_HPP
diff --git a/src/common/fileHelper/tests/CMakeLists.txt b/src/common/fileHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..d863070331
--- /dev/null
+++ b/src/common/fileHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "filesystemHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/fileHelper/tests/filesystemHelper_test.cpp b/src/common/fileHelper/tests/filesystemHelper_test.cpp
new file mode 100644
index 0000000000..115b9f69c4
--- /dev/null
+++ b/src/common/fileHelper/tests/filesystemHelper_test.cpp
@@ -0,0 +1,64 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 23, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "filesystemHelper_test.h"
+
+void FilesystemUtilsTest::SetUp() {};
+
+void FilesystemUtilsTest::TearDown() {};
+#ifdef WIN32
+TEST_F(FilesystemUtilsTest, FilesystemExistsDir)
+{
+    EXPECT_TRUE(Utils::existsDir(R"(C:\)"));
+}
+
+TEST_F(FilesystemUtilsTest, FilesystemEnumerateDir)
+{
+    const auto items {Utils::enumerateDir(R"(C:\)")};
+    EXPECT_FALSE(items.empty());
+}
+
+#else
+TEST_F(FilesystemUtilsTest, FilesystemExistsDir)
+{
+    EXPECT_TRUE(Utils::existsDir(R"(/usr)"));
+}
+
+TEST_F(FilesystemUtilsTest, FilesystemExistsRegular)
+{
+    // Check correct input, for macos and linux.
+    EXPECT_TRUE(Utils::existsRegular(R"(/etc/services)"));
+
+    // Check wrong input
+    EXPECT_FALSE(Utils::existsRegular(R"(/etc)"));
+}
+
+TEST_F(FilesystemUtilsTest, FilesystemEnumerateDir)
+{
+    const auto items {Utils::enumerateDir(R"(/usr)")};
+    EXPECT_FALSE(items.empty());
+}
+
+TEST_F(FilesystemUtilsTest, getFileContent)
+{
+    const auto& inputFile{"/etc/services"};
+    const auto content {Utils::getFileContent(inputFile)};
+    EXPECT_FALSE(content.empty());
+}
+
+TEST_F(FilesystemUtilsTest, getFileBinaryContent)
+{
+    const auto binContent {Utils::getBinaryContent("/usr/bin/gcc")};
+    EXPECT_FALSE(binContent.empty());
+}
+
+
+#endif
diff --git a/src/common/fileHelper/tests/filesystemHelper_test.h b/src/common/fileHelper/tests/filesystemHelper_test.h
new file mode 100644
index 0000000000..85995d969c
--- /dev/null
+++ b/src/common/fileHelper/tests/filesystemHelper_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 23, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef FILESYSTEM_HELPER_TESTS_H
+#define FILESYSTEM_HELPER_TESTS_H
+#include "gtest/gtest.h"
+#include "filesystemHelper.h"
+#include <thread>
+
+class FilesystemUtilsTest : public ::testing::Test
+{
+    protected:
+
+        FilesystemUtilsTest() = default;
+        virtual ~FilesystemUtilsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //FILESYSTEM_HELPER_TESTS_H
diff --git a/src/common/fileHelper/tests/main.cpp b/src/common/fileHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/fileHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/fileHelper/tests/stdFileSystemHelper_test.cpp b/src/common/fileHelper/tests/stdFileSystemHelper_test.cpp
new file mode 100644
index 0000000000..545c4185f8
--- /dev/null
+++ b/src/common/fileHelper/tests/stdFileSystemHelper_test.cpp
@@ -0,0 +1,126 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 23, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "stdFileSystemHelper_test.hpp"
+
+void StdFileSystemHelperTest::SetUp() {};
+
+void StdFileSystemHelperTest::TearDown() {};
+
+TEST_F(StdFileSystemHelperTest, FilesystemExpandSimpleWildcard)
+{
+    constexpr auto PATH_MATCH_SIZE { 2u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_1, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_5) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_6) == 1);
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+
+TEST_F(StdFileSystemHelperTest, FilesystemExpandWildcard)
+{
+    constexpr auto PATH_MATCH_SIZE { 4u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_2, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_1) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_2) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_3) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_4) == 1);
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+
+TEST_F(StdFileSystemHelperTest, FilesystemExpandWildcardWithPrefix)
+{
+    constexpr auto PATH_MATCH_SIZE { 4u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_3, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_1) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_2) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_3) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_4) == 1);
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+
+TEST_F(StdFileSystemHelperTest, FilesystemExpandWildcardWithSuffix)
+{
+    constexpr auto PATH_MATCH_SIZE { 2u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_4, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_1) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_3) == 1);
+
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+TEST_F(StdFileSystemHelperTest, FilesystemExpandWildcardWithQuestionMark)
+{
+    constexpr auto PATH_MATCH_SIZE { 2u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_5, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_1) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_3) == 1);
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+
+TEST_F(StdFileSystemHelperTest, FilesystemExpandWildcardWithQuestionMark2)
+{
+    constexpr auto PATH_MATCH_SIZE { 2u };
+    std::deque<std::string> output;
+    std::unordered_map<std::string, uint32_t> outputMap;
+    Utils::expandAbsolutePath(PATH_TO_EXPAND_6, output);
+
+    for (const auto& item : output)
+    {
+        outputMap[item]++;
+    }
+
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_1) == 1);
+    EXPECT_TRUE(outputMap.at(EXPAND_PATH_3) == 1);
+    EXPECT_EQ(output.size(), PATH_MATCH_SIZE);
+}
+
diff --git a/src/common/fileHelper/tests/stdFileSystemHelper_test.hpp b/src/common/fileHelper/tests/stdFileSystemHelper_test.hpp
new file mode 100644
index 0000000000..8ce8160fc0
--- /dev/null
+++ b/src/common/fileHelper/tests/stdFileSystemHelper_test.hpp
@@ -0,0 +1,185 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 23, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _STD_FILESYSTEM_HELPER_TESTS_HPP
+#define _STD_FILESYSTEM_HELPER_TESTS_HPP
+
+#include "gtest/gtest.h"
+#include "stdFileSystemHelper.hpp"
+#include <filesystem>
+#include <fstream>
+#include <thread>
+#include <unordered_map>
+
+constexpr auto FS_MS_WAIT_TIME
+{
+    50ull
+};
+
+#ifndef _WIN32
+constexpr auto EXPAND_PATH_1 { "/tmp/wazuh_test/prefix_1_data/prefix1_1" };
+constexpr auto EXPAND_PATH_2 { "/tmp/wazuh_test/prefix_1_data/prefix1_2" };
+constexpr auto EXPAND_PATH_3 { "/tmp/wazuh_test/prefix_2_data/prefix2_1" };
+constexpr auto EXPAND_PATH_4 { "/tmp/wazuh_test/prefix_2_data/prefix2_2" };
+constexpr auto EXPAND_PATH_5 { "/tmp/wazuh_test/dummy" };
+constexpr auto EXPAND_PATH_6 { "/tmp/wazuh_test/dummy.txt" };
+constexpr auto PATH_TO_EXPAND_1 { "/tmp/wazuh_test/dum*" };
+constexpr auto PATH_TO_EXPAND_2 { "/tmp/wazuh_test/prefix_*_data/*" };
+constexpr auto PATH_TO_EXPAND_3 { "/tmp/wazuh_test/prefix_*_data/prefix*" };
+constexpr auto PATH_TO_EXPAND_4 { "/tmp/wazuh_test/prefix_*_data/*_1" };
+constexpr auto PATH_TO_EXPAND_5 { "/tmp/wazuh_test/prefix_?_data/*_1" };
+constexpr auto PATH_TO_EXPAND_6 { "/tmp/wazuh_test/prefix_*_data/prefix?*1" };
+constexpr auto TMP_PATH { "/tmp" };
+constexpr auto ROOT_PATH { "/tmp/wazuh_test" };
+constexpr auto ROOT_PATH_1 { "/tmp/wazuh_test/prefix_1_data" };
+constexpr auto ROOT_PATH_2 { "/tmp/wazuh_test/prefix_2_data" };
+constexpr auto ROOT_PATH_DUMMY { "/tmp/wazuh_test/dummy" };
+constexpr auto DUMMY_FILE { "/tmp/wazuh_test/dummy.txt" };
+#else
+constexpr auto EXPAND_PATH_1 { "C:\\tmp\\wazuh_test\\prefix_1_data\\prefix1_1" };
+constexpr auto EXPAND_PATH_2 { "C:\\tmp\\wazuh_test\\prefix_1_data\\prefix1_2" };
+constexpr auto EXPAND_PATH_3 { "C:\\tmp\\wazuh_test\\prefix_2_data\\prefix2_1" };
+constexpr auto EXPAND_PATH_4 { "C:\\tmp\\wazuh_test\\prefix_2_data\\prefix2_2" };
+constexpr auto EXPAND_PATH_5 { "C:\\tmp\\wazuh_test\\dummy" };
+constexpr auto EXPAND_PATH_6 { "C:\\tmp\\wazuh_test\\dummy.txt" };
+constexpr auto PATH_TO_EXPAND_1 { "C:\\tmp\\wazuh_test\\dum*" };
+constexpr auto PATH_TO_EXPAND_2 { "C:\\tmp\\wazuh_test\\prefix_*_data\\*" };
+constexpr auto PATH_TO_EXPAND_3 { "C:\\tmp\\wazuh_test\\prefix_*_data\\prefix*" };
+constexpr auto PATH_TO_EXPAND_4 { "C:\\tmp\\wazuh_test\\prefix_*_data\\*_1" };
+constexpr auto PATH_TO_EXPAND_5 { "C:\\tmp\\wazuh_test\\prefix_?_data\\*_1" };
+constexpr auto PATH_TO_EXPAND_6 { "C:\\tmp\\wazuh_test\\prefix_*_data\\prefix?*1" };
+constexpr auto TMP_PATH { "C:\\tmp" };
+constexpr auto ROOT_PATH { "C:\\tmp\\wazuh_test" };
+constexpr auto ROOT_PATH_1 { "C:\\tmp\\wazuh_test\\prefix_1_data" };
+constexpr auto ROOT_PATH_2 { "C:\\tmp\\wazuh_test\\prefix_2_data" };
+constexpr auto ROOT_PATH_DUMMY { "C:\\tmp\\wazuh_test\\dummy" };
+constexpr auto DUMMY_FILE { "C:\\tmp\\wazuh_test\\dummy.txt" };
+#endif
+
+constexpr auto ITERATION_LIMIT
+{
+    10u
+};
+
+class StdFileSystemHelperTest : public ::testing::Test
+{
+    protected:
+
+        StdFileSystemHelperTest() = default;
+        virtual ~StdFileSystemHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+
+        static void TearDownTestSuite()
+        {
+            std::filesystem::remove_all(ROOT_PATH);
+            auto iteration { 0u };
+
+            while (std::filesystem::exists(ROOT_PATH))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to remove " << ROOT_PATH;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+        }
+
+        static void SetUpTestSuite()
+        {
+            auto iteration { 0u };
+            std::filesystem::remove_all(ROOT_PATH);
+
+            while (std::filesystem::exists(ROOT_PATH))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to remove " << ROOT_PATH;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+
+            std::filesystem::create_directory(TMP_PATH);
+
+            iteration = 0u;
+
+            while (!std::filesystem::exists(TMP_PATH))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to create " << TMP_PATH;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+
+            std::filesystem::create_directory(ROOT_PATH);
+
+            iteration = 0u;
+
+            while (!std::filesystem::exists(ROOT_PATH))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to create " << ROOT_PATH;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+
+            std::filesystem::create_directory(ROOT_PATH_1);
+            std::filesystem::create_directory(ROOT_PATH_2);
+            std::filesystem::create_directory(ROOT_PATH_DUMMY);
+
+            iteration = 0u;
+
+            while (!std::filesystem::exists(ROOT_PATH_1) ||
+                    !std::filesystem::exists(ROOT_PATH_2) ||
+                    !std::filesystem::exists(ROOT_PATH_DUMMY))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to create " << ROOT_PATH_1 << " or " << ROOT_PATH_2 << " or " << ROOT_PATH_DUMMY;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+
+            // Create dummy file
+            std::ofstream dummyFile(DUMMY_FILE);
+            dummyFile << "dummy";
+            dummyFile.close();
+
+            std::filesystem::create_directory(EXPAND_PATH_1);
+            std::filesystem::create_directory(EXPAND_PATH_2);
+            std::filesystem::create_directory(EXPAND_PATH_3);
+            std::filesystem::create_directory(EXPAND_PATH_4);
+
+            iteration = 0u;
+
+            while (!std::filesystem::exists(EXPAND_PATH_1) ||
+                    !std::filesystem::exists(EXPAND_PATH_2) ||
+                    !std::filesystem::exists(EXPAND_PATH_3) ||
+                    !std::filesystem::exists(EXPAND_PATH_4))
+            {
+                if (iteration++ > ITERATION_LIMIT)
+                {
+                    FAIL() << "Unable to create " << EXPAND_PATH_1 << " or " << EXPAND_PATH_2 << " or " << EXPAND_PATH_3 << " or " << EXPAND_PATH_4;
+                }
+
+                std::this_thread::sleep_for(std::chrono::milliseconds(FS_MS_WAIT_TIME));
+            }
+        }
+};
+#endif //_STD_FILESYSTEM_HELPER_TESTS_HPP
diff --git a/src/modules/rootcheck/tests/CMakeLists.txt b/src/common/file_op/CMakeLists.txt
similarity index 100%
rename from src/modules/rootcheck/tests/CMakeLists.txt
rename to src/common/file_op/CMakeLists.txt
diff --git a/src/common/file_op/include/file_op.h b/src/common/file_op/include/file_op.h
new file mode 100644
index 0000000000..eefd0f66c9
--- /dev/null
+++ b/src/common/file_op/include/file_op.h
@@ -0,0 +1,652 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions to handle operation with files */
+
+#ifndef FILE_OP_H
+#define FILE_OP_H
+
+#include <stdint.h>
+#include <time.h>
+#include <stdbool.h>
+#include <sys/stat.h>
+#include <cJSON.h>
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+#ifdef __MACH__
+#include <libproc.h>
+#endif
+
+#define OS_PIDFILE  "var/run"
+#define UCS2_LE 1
+#define UCS2_BE 2
+
+#ifdef WIN32
+#define PATH_SEP '\\'
+typedef uint64_t wino_t;
+extern int isVista;
+#else
+#define PATH_SEP '/'
+typedef ino_t wino_t;
+#endif
+
+typedef struct File {
+    char *name;
+    FILE *fp;
+} File;
+
+/**
+ * @brief Set the program name. Must be done before *anything* else.
+ *
+ * @param name Program name.
+ */
+void OS_SetName(const char *name) __attribute__((nonnull));
+
+
+/**
+ * @brief Get the information of the operating system version in JSON format.
+ *
+ * @return Pointer to JSON object.
+ */
+cJSON* getunameJSON();
+
+
+/**
+ * @brief Get the time of the last modification of the specified file.
+ *
+ * @param file File name.
+ * @return Time of last modification or -1 on error.
+ */
+time_t File_DateofChange(const char *file) __attribute__((nonnull));
+
+
+/**
+ * @brief Get the inode number of the specified file.
+ *
+ * @param file File name.
+ * @return File inode or 0 on error.
+ */
+ino_t File_Inode(const char *file) __attribute__((nonnull));
+
+
+/**
+ * @brief Get the inode number of the specified file pointer.
+ *
+ * @param fp File pointer.
+ * @return File inode or -1 on error.
+ */
+wino_t get_fp_inode(FILE * fp);
+
+
+#ifdef WIN32
+/**
+ * @brief Get the file information of the specified file pointer.
+ *
+ * @param fp File pointer.
+ * @param fileInfo Pointer to file information.
+ * @return 0 in case of error, not 0 in success.
+ */
+int get_fp_file_information(FILE * fp, LPBY_HANDLE_FILE_INFORMATION fileInfo);
+#endif
+
+
+/**
+ * @brief Get the size of the specified file.
+ *
+ * @param path File name.
+ * @return File size or -1 on error.
+ */
+off_t FileSize(const char * path);
+
+
+/**
+ * @brief Get the size of a folder.
+ *
+ * @param path Folder path
+ *
+ * @return Size of folder in bytes
+ */
+float DirSize(const char *path);
+
+
+/**
+ * @brief Get the size of the specified file pointer.
+ *
+ * @param fp File pointer.
+ * @return File size or -1 on error.
+ */
+long get_fp_size(FILE * fp);
+
+
+/**
+ * @brief Check if the specified file is a directory or a symbolic link to a directory.
+ *
+ * @param file File path.
+ * @return 0 if it is a directory, -1 otherwise.
+ */
+int IsDir(const char *file) __attribute__((nonnull));
+
+
+/**
+ * @brief Check if the specified file is a regular file or a symbolic link to a regular file.
+ *
+ * @param file File path.
+ * @return 0 if it is a regular file, -1 otherwise.
+ */
+int IsFile(const char *file) __attribute__((nonnull));
+
+
+/**
+ * @brief Check if the specified file is a socket.
+ *
+ * @param file File path.
+ * @return 0 if it is a socket, -1 otherwise.
+ */
+int IsSocket(const char * file) __attribute__((nonnull));
+
+
+/**
+ * @brief Get the type of the specified file.
+ *
+ * @param dir File path.
+ * @return 1 if it is a file, 2 if it is a directory, 0 otherwise.
+ */
+int check_path_type(const char *dir) __attribute__((nonnull));
+
+
+#ifndef WIN32
+/**
+ * @brief Check if the specified file is a link.
+ *
+ * @param file File path.
+ * @return 0 if it is a link, -1 otherwise.
+ */
+int IsLink(const char * file) __attribute__((nonnull));
+#endif
+
+
+/**
+ * @brief Get random data from `/dev/urandom`.
+ *
+ * @return Pointer to random data array.
+ */
+char *GetRandomNoise();
+
+
+/**
+ * @brief Creates a PID file for the specified service name.
+ *
+ * @param name Service name.
+ * @param pid Service PID.
+ * @return 0 if the file was created, -1 on error.
+ */
+int CreatePID(const char *name, int pid) __attribute__((nonnull));
+
+
+/**
+ * @brief Deletes the PID file for the specified service name.
+ *
+ * @param name Service name.
+ * @return 0 if the file was deleted, -1 on error.
+ */
+int DeletePID(const char *name) __attribute__((nonnull));
+
+
+/**
+ * @brief Deletes the service state file.
+ *        The state file is defined by the __local_name value.
+ *
+ */
+void DeleteState();
+
+
+/**
+ * @brief Merge files recursively into one single file.
+ *
+ * @param finalfp Handler of the file.
+ * @param files Files to be merged.
+ * @param path_offset Offset for recursion.
+ * @return 1 if the merged file was created, 0 on error.
+ */
+int MergeAppendFile(FILE *finalfp, const char *files, int path_offset) __attribute__((nonnull(1, 2)));
+
+
+/**
+ * @brief Unmerge file.
+ *
+ * @param finalpath Path of the merged file.
+ * @param optdir Path of the folder to unmerge the files. If not specified, the files will be unmerged in the current working directory.
+ * @param mode Indicates if the merged file must be readed as a binary file  or not. Use `#OS_TEXT`, `#OS_BINARY`.
+ * @return 1 if the file was unmerged, 0 on error.
+ */
+int UnmergeFiles(const char *finalpath, const char *optdir, int mode, char ***unmerged_files) __attribute__((nonnull(1)));
+
+
+/**
+ * @brief Check if the merged file is valid.
+ *
+ * @param finalpath Path of the merged file.
+ * @param mode Indicates if the merged file must be readed as a binary file  or not. Use `#OS_TEXT`, `#OS_BINARY`.
+ * @return 1 if the merged file is valid, 0 if not.
+ */
+int TestUnmergeFiles(const char *finalpath, int mode) __attribute__((nonnull(1)));
+
+
+/**
+ * @brief Daemonize a process.
+ *
+ */
+void goDaemon(void);
+
+
+/**
+ * @brief Daemonize a process without closing stdin/stdout/stderr.
+ *
+ */
+void goDaemonLight(void);
+
+
+/**
+ * @brief Get the OS information.
+ *
+ * @return OS uname.
+ */
+const char *getuname(void);
+
+
+/**
+ * @brief Get the basename of a path.
+ *
+ * @bug There is a bug in the `basename()` function.
+ *      In the glibc implementation, the POSIX versions of these functions
+ *      modify the path argument, and segfault when called with a static
+ *      string such as "/usr/".
+ * @return Pointer to the path basename.
+ */
+char *basename_ex(char *path) __attribute__((nonnull));
+
+
+/**
+ * @brief Rename file or directory.
+ *
+ * @param source Path of the file/folder to be renamed.
+ * @param destination Path of the renamed file/folder.
+ * @return 0 on success and -1 on error.
+ */
+int rename_ex(const char *source, const char *destination) __attribute__((nonnull));
+
+
+/**
+ * @brief Create temporary file.
+ *
+ * @param tmp_path Temporary file path.
+ * @return 0 on success and -1 on error.
+ */
+int mkstemp_ex(char *tmp_path) __attribute__((nonnull));
+
+
+/**
+ * @brief Create temporary file.
+ *
+ * @param [out] file Pointer to File object.
+ * @param [in] source Source path.
+ * @param [in] copy Copy file.
+ * @return 0 on success and -1 on error.
+ */
+int TempFile(File *file, const char *source, int copy);
+
+
+/**
+ * @brief Move file.
+ *
+ * @param src Source path.
+ * @param dst Destination path.
+ * @return 0 on success and -1 on error.
+ */
+int OS_MoveFile(const char *src, const char *dst);
+
+
+/**
+ * @brief Copy file.
+ *
+ * @param src Source path.
+ * @param dst Destination path.
+ * @param mode Mode: `a` to append, `w` to write.
+ * @param message Write message to the destination file.
+ * @param silent Do not show errors.
+ * @return 0 on success and -1 on error.
+ */
+int w_copy_file(const char *src, const char *dst, char mode, char * message, int silent);
+
+
+/**
+ * @brief Delete directory recursively.
+ *
+ * @param path Path of the folder to be removed.
+ * @return 0 on success. On error, -1 is returned, and errno is set appropriately.
+ */
+int rmdir_ex(const char *path);
+
+
+/**
+ * @brief Delete directory content.
+ *
+ * @param name Path of the folder.
+ * @return 0 on success. On error, -1 is returned, and errno is set appropriately.
+ */
+int cldir_ex(const char *name);
+
+
+/**
+ * @brief Delete directory content with exception list.
+ *
+ * @param name Path of the folder.
+ * @param ignore Array of files to be ignored. This array must be NULL terminated.
+ * @return 0 on success. On error, -1 is returned, and errno is set appropriately.
+ */
+int cldir_ex_ignore(const char * name, const char ** ignore);
+
+
+/**
+ * @brief Create directory recursively.
+ *
+ * @param path Path of the folder.
+ * @return 0 on success, -1 on error.
+ */
+int mkdir_ex(const char * path);
+
+
+/**
+ * @brief Check the path for preventing directory transversal attacks.
+ *
+ * @param path Path to be checked.
+ * @return 0 if the path is safe, 1 otherwise.
+ */
+int w_ref_parent_folder(const char * path);
+
+
+/**
+ * @brief Read directory and return an array of contained files and folders, sorted alphabetically.
+ *
+ * @param name Path of the directory.
+ * @return Array of filenames.
+ */
+char ** wreaddir(const char * name);
+
+
+/**
+ * @brief Open file normally in Linux, allow read/write/delete in Windows.
+ *
+ * @param pathname Path of the file.
+ * @param mode Open mode.
+ * @return File pointer.
+ */
+FILE * wfopen(const char * pathname, const char * mode);
+
+
+/**
+ * @brief Compress a file in GZIP.
+ *
+ * @param filesrc Source file.
+ * @param filedst Compressed file path.
+ * @return 0 on success, -1 on error.
+ */
+int w_compress_gzfile(const char *filesrc, const char *filedst);
+
+
+/**
+ * @brief Uncompress GZIP file.
+ *
+ * @param gzfilesrc GZIP file path.
+ * @param gzfiledst Uncompressed file pah.
+ * @return 0 on success, -1 on error.
+ */
+int w_uncompress_gzfile(const char *gzfilesrc, const char *gzfiledst);
+
+
+/**
+ * @brief Check if a file is ASSCI or UTF8.
+ *
+ * @param file File to be checked.
+ * @param max_lines Max line to be processed.
+ * @param max_chars_utf8 Max number of UTF8 characters to be processed.
+ * @return 0 if the file is ASSCI or UTF8, 1 if not.
+ */
+int is_ascii_utf8(const char * file, unsigned int max_lines, unsigned int max_chars_utf8);
+
+
+/**
+ * @brief Check if a file is USC2.
+ *
+ * @param file File to be checked.
+ * @return 0 if the file is USC2, 1 if not.
+ */
+int is_usc2(const char * file);
+
+
+/**
+ * @brief Checks if the specified file is binary.
+ *
+ * @param f_name File to be checked.
+ * @return 0 if the file is binary, 1 if not.
+ */
+int checkBinaryFile(const char *f_name);
+
+
+/**
+ * @brief Returns the current file position of the given stream.
+ *        This is a wrapper for `ftell()` in UNIX and `_ftelli64()` in Windows.
+ *
+ * @param x File pointer.
+ * @return File position.
+ */
+int64_t w_ftell (FILE *x);
+
+/**
+ * @brief Set the current file position of the given stream.
+*        This is a wrapper for `fseek()` in UNIX and `_fseeki64()` in Windows.
+ * @param x File pointer.
+ * @param pos File position.
+ * @param mode Position used as reference for the offset: SEEK_SET, SEEK_CURRENT, SEEK_END
+ * @return  If successful, the function returns zero. Otherwise, it returns -1.
+ */
+int w_fseek(FILE *x, int64_t pos, int mode);
+
+/**
+ * @brief Prevent children processes from inheriting a file pointer.
+ *
+ * @param File pointer.
+ */
+void w_file_cloexec(FILE * fp);
+
+
+/**
+ * @brief Prevent children processes from inheriting a file descriptor.
+ *
+ * @param File descriptor.
+ */
+void w_descriptor_cloexec(int fd);
+
+
+#ifdef WIN32
+/**
+ * @brief Check if the Windows version is Vista or newer. (Windows)
+ *
+ * @return 1 if version is 6.0 or newer, 0 otherwise.
+ */
+int checkVista();
+
+
+/**
+ * @brief Get the creation date object. (Windows)
+ *
+ * @param [in] dir Path of the file/folder.
+ * @param [out] utc Pointer to SYSTEMTIME object.
+ * @return 0 on success, 1 on error.
+ */
+int get_creation_date(char *dir, SYSTEMTIME *utc);
+
+
+/**
+ * @brief Get the modification date object. (Windows)
+ *
+ * @param file Path of the file.
+ * @return time_t date of modification format.
+ */
+time_t get_UTC_modification_time(const char *file);
+
+
+/**
+ * @brief Move to the directory where this executable lives in. (Windows)
+ *
+ */
+void w_ch_exec_dir();
+
+
+/**
+ * @brief Get the size of a file. (Windows)
+ *
+ * @param file Path of the file.
+ * @return File size or -1 on error.
+ */
+DWORD FileSizeWin(const char * file);
+
+/**
+ * @brief Open a file
+ *
+ * This mode of opening the file allows reading \r\n instead of \n.
+ *
+ * @param file pathfile to open
+ * @param[out] lpFileInformation  pointer to a BY_HANDLE_FILE_INFORMATION structure that receives the file information
+ * @return file descriptor on success, otherwise null.
+ */
+FILE * w_fopen_r(const char *file, const char * mode, BY_HANDLE_FILE_INFORMATION * lpFileInformation);
+
+/**
+ * @brief Expands wildcards for Windows (using FindFirstFile and FindNexFile)
+ *
+ * @param path Path containing the wildcards to expand.
+ * @return char** Vector with the expanded paths.
+ */
+char **expand_win32_wildcards(const char *path);
+
+#endif // Windows
+
+/**
+ * @brief Add a trailing separator to a path string
+ *
+ * The trailing separator ('/' on UNIX, '\ ' on Windows) is only added if the source string does not end with such character.
+ *
+ * @param dest Destination string.
+ * @param src Source path string.
+ * @param n Size of the destination string.
+ * @return int number of bytes written in the string. If is greater or equal than n, the string remained truncated.
+ */
+int trail_path_separator(char * dest, const char * src, size_t n);
+
+
+/**
+ * @brief Check if a path is absolute
+ *
+ * A path on UNIX is absolute if it starts with /.
+ *
+ * A path on Windows is absolute if it starts with X:\ , being X any alphabetic character.
+ *
+ * @param path Input path.
+ * @return true if the path is absolute.
+ * @return false if the path is relative.
+ */
+bool isabspath(const char * path);
+
+
+/**
+ * @brief Unify path separators (slashes) for Windows paths
+ *
+ * Let all path separators be backslashes.
+ *
+ * @param path A string containing a path.
+ */
+void win_path_backslash(char * path);
+
+
+/**
+ * @brief Get an absolute path
+ *
+ * @param path Input path (absolute or relative).
+ * @param buffer Destination string.
+ * @param size Size of buffer.
+ * @return Pointer to buffer on success, or NULL on error.
+ */
+char * abspath(const char * path, char * buffer, size_t size);
+
+
+/**
+ * @brief Get the content of a given file
+ *
+ * @param path File location
+ * @param max_size Maximum allowed file size
+ * @return The content of the file
+ * @retval NULL The file doesn't exist or its size exceeds the maximum allowed
+ */
+char * w_get_file_content(const char * path, unsigned long max_size);
+
+
+/**
+ * @brief Get the pointer to a given file
+ *
+ * @param path File location
+ * @return The pointer to the file
+ * @retval NULL The file doesn't exist
+ */
+FILE * w_get_file_pointer(const char * path);
+
+/**
+ * @brief Check if a file is gzip compressed
+ *
+ * @param path File location
+ * @retval 0 The file is not gzip compressed
+ * @retval 1 The file is gzip compressed
+ */
+int w_is_compressed_gz_file(const char * path);
+
+/**
+ * @brief Check if a file is bzip2 compressed
+ *
+ * @param path File location
+ * @retval 0 The file is not bzip2 compressed
+ * @retval 1 The file is bzip2 compressed
+ */
+int w_is_compressed_bz2_file(const char * path);
+
+#ifndef CLIENT
+/**
+ * @brief Check if a file from a path is compressed in bunzip2 or gzip and uncompressed it
+ *
+ * @param path File location
+ * @retval -1 The file cannot be uncompressed
+ * @retval 0 The file has been uncompressed (.gz or .bz2)
+ */
+int w_uncompress_bz2_gz_file(const char * path, const char * dest);
+#endif /* CLIENT */
+
+/**
+ * @brief Get the Wazuh installation directory
+ *
+ * It is obtained from the /proc directory, argv[0], or the env variable WAZUH_HOME
+ *
+ * @param arg ARGV0 - Program name
+ * @return Pointer to the Wazuh installation path on success
+ */
+char *w_homedir(char *arg);
+#endif /* FILE_OP_H */
diff --git a/src/common/file_op/src/file_op.c b/src/common/file_op/src/file_op.c
new file mode 100644
index 0000000000..4a7cd9714d
--- /dev/null
+++ b/src/common/file_op/src/file_op.c
@@ -0,0 +1,3507 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions to handle operation with files
+ */
+
+#include "shared.h"
+#include "version_op.h"
+
+#include "../external/zlib/zlib.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#include "unit_tests/wrappers/windows/libc/stdio_wrappers.h"
+#include "unit_tests/wrappers/windows/fileapi_wrappers.h"
+#include "unit_tests/wrappers/windows/handleapi_wrappers.h"
+#endif
+#endif
+
+#ifndef WIN32
+#include <regex.h>
+#else
+#include <aclapi.h>
+#endif
+
+/* Vista product information */
+#ifdef WIN32
+
+#ifndef PRODUCT_UNLICENSED
+#define PRODUCT_UNLICENSED 0xABCDABCD
+#endif
+#ifndef PRODUCT_UNLICENSED_C
+#define PRODUCT_UNLICENSED_C "Product Unlicensed "
+#endif
+
+#ifndef PRODUCT_BUSINESS
+#define PRODUCT_BUSINESS 0x00000006
+#endif
+#ifndef PRODUCT_BUSINESS_C
+#define PRODUCT_BUSINESS_C "Business Edition "
+#endif
+
+#ifndef PRODUCT_BUSINESS_N
+#define PRODUCT_BUSINESS_N 0x00000010
+#endif
+#ifndef PRODUCT_BUSINESS_N_C
+#define PRODUCT_BUSINESS_N_C "Business Edition "
+#endif
+
+#ifndef PRODUCT_CLUSTER_SERVER
+#define PRODUCT_CLUSTER_SERVER 0x00000012
+#endif
+#ifndef PRODUCT_CLUSTER_SERVER_C
+#define PRODUCT_CLUSTER_SERVER_C "Cluster Server Edition "
+#endif
+
+#ifndef PRODUCT_CLUSTER_SERVER_V
+#define PRODUCT_CLUSTER_SERVER_V 0x00000040
+#endif
+#ifndef PRODUCT_CLUSTER_SERVER_V_C
+#define PRODUCT_CLUSTER_SERVER_V_C "Server Hyper Core V "
+#endif
+
+#ifndef PRODUCT_DATACENTER_SERVER
+#define PRODUCT_DATACENTER_SERVER 0x00000008
+#endif
+#ifndef PRODUCT_DATACENTER_SERVER_C
+#define PRODUCT_DATACENTER_SERVER_C "Datacenter Edition (full) "
+#endif
+
+#ifndef PRODUCT_DATACENTER_SERVER_CORE
+#define PRODUCT_DATACENTER_SERVER_CORE 0x0000000C
+#endif
+#ifndef PRODUCT_DATACENTER_SERVER_CORE_C
+#define PRODUCT_DATACENTER_SERVER_CORE_C "Datacenter Edition (core) "
+#endif
+
+#ifndef PRODUCT_DATACENTER_SERVER_CORE_V
+#define PRODUCT_DATACENTER_SERVER_CORE_V 0x00000027
+#endif
+#ifndef PRODUCT_DATACENTER_SERVER_CORE_V_C
+#define PRODUCT_DATACENTER_SERVER_CORE_V_C "Datacenter Edition (core) "
+#endif
+
+#ifndef PRODUCT_DATACENTER_SERVER_V
+#define PRODUCT_DATACENTER_SERVER_V 0x00000025
+#endif
+#ifndef PRODUCT_DATACENTER_SERVER_V_C
+#define PRODUCT_DATACENTER_SERVER_V_C "Datacenter Edition (full) "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE
+#define PRODUCT_ENTERPRISE 0x00000004
+#endif
+#ifndef PRODUCT_ENTERPRISE_C
+#define PRODUCT_ENTERPRISE_C "Enterprise Edition "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_N
+#define PRODUCT_ENTERPRISE_N 0x0000001B
+#endif
+#ifndef PRODUCT_ENTERPRISE_N_C
+#define PRODUCT_ENTERPRISE_N_C "Enterprise Edition "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_SERVER
+#define PRODUCT_ENTERPRISE_SERVER 0x0000000A
+#endif
+#ifndef PRODUCT_ENTERPRISE_SERVER_C
+#define PRODUCT_ENTERPRISE_SERVER_C "Enterprise Edition (full) "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_SERVER_CORE
+#define PRODUCT_ENTERPRISE_SERVER_CORE 0x0000000E
+#endif
+#ifndef PRODUCT_ENTERPRISE_SERVER_CORE_C
+#define PRODUCT_ENTERPRISE_SERVER_CORE_C "Enterprise Edition (core) "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_SERVER_CORE_V
+#define PRODUCT_ENTERPRISE_SERVER_CORE_V 0x00000029
+#endif
+#ifndef PRODUCT_ENTERPRISE_SERVER_CORE_V_C
+#define PRODUCT_ENTERPRISE_SERVER_CORE_V_C "Enterprise Edition (core) "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_SERVER_IA64
+#define PRODUCT_ENTERPRISE_SERVER_IA64 0x0000000F
+#endif
+#ifndef PRODUCT_ENTERPRISE_SERVER_IA64_C
+#define PRODUCT_ENTERPRISE_SERVER_IA64_C "Enterprise Edition for Itanium-based Systems "
+#endif
+
+#ifndef PRODUCT_ENTERPRISE_SERVER_V
+#define PRODUCT_ENTERPRISE_SERVER_V 0x00000026
+#endif
+#ifndef PRODUCT_ENTERPRISE_SERVER_V_C
+#define PRODUCT_ENTERPRISE_SERVER_V_C "Enterprise Edition (full) "
+#endif
+
+#ifndef PRODUCT_HOME_BASIC
+#define PRODUCT_HOME_BASIC 0x00000002
+#endif
+#ifndef PRODUCT_HOME_BASIC_C
+#define PRODUCT_HOME_BASIC_C "Home Basic Edition "
+#endif
+
+#ifndef PRODUCT_HOME_BASIC_N
+#define PRODUCT_HOME_BASIC_N 0x00000005
+#endif
+#ifndef PRODUCT_HOME_BASIC_N_C
+#define PRODUCT_HOME_BASIC_N_C "Home Basic Edition "
+#endif
+
+#ifndef PRODUCT_HOME_PREMIUM
+#define PRODUCT_HOME_PREMIUM 0x00000003
+#endif
+#ifndef PRODUCT_HOME_PREMIUM_C
+#define PRODUCT_HOME_PREMIUM_C "Home Premium Edition "
+#endif
+
+#ifndef PRODUCT_HOME_PREMIUM_N
+#define PRODUCT_HOME_PREMIUM_N 0x0000001A
+#endif
+#ifndef PRODUCT_HOME_PREMIUM_N_C
+#define PRODUCT_HOME_PREMIUM_N_C "Home Premium Edition "
+#endif
+
+#ifndef PRODUCT_HOME_SERVER
+#define PRODUCT_HOME_SERVER 0x00000013
+#endif
+#ifndef PRODUCT_HOME_SERVER_C
+#define PRODUCT_HOME_SERVER_C "Home Server Edition "
+#endif
+
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT
+#define PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT 0x0000001E
+#endif
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT_C
+#define PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT_C "Essential Business Server Management Server "
+#endif
+
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING
+#define PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING 0x00000020
+#endif
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING_C
+#define PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING_C "Essential Business Server Messaging Server "
+#endif
+
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY
+#define PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY 0x0000001F
+#endif
+#ifndef PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY_C
+#define PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY_C "Essential Business Server Security Server "
+#endif
+
+#ifndef PRODUCT_SERVER_FOR_SMALLBUSINESS
+#define PRODUCT_SERVER_FOR_SMALLBUSINESS 0x00000018
+#endif
+#ifndef PRODUCT_SERVER_FOR_SMALLBUSINESS_C
+#define PRODUCT_SERVER_FOR_SMALLBUSINESS_C "Small Business Edition "
+#endif
+
+#ifndef PRODUCT_SMALLBUSINESS_SERVER
+#define PRODUCT_SMALLBUSINESS_SERVER 0x00000009
+#endif
+#ifndef PRODUCT_SMALLBUSINESS_SERVER_C
+#define PRODUCT_SMALLBUSINESS_SERVER_C "Small Business Server "
+#endif
+
+#ifndef PRODUCT_SMALLBUSINESS_SERVER_PREMIUM
+#define PRODUCT_SMALLBUSINESS_SERVER_PREMIUM 0x00000019
+#endif
+#ifndef PRODUCT_SMALLBUSINESS_SERVER_PREMIUM_C
+#define PRODUCT_SMALLBUSINESS_SERVER_PREMIUM_C "Small Business Server Premium Edition "
+#endif
+
+#ifndef PRODUCT_STANDARD_SERVER
+#define PRODUCT_STANDARD_SERVER 0x00000007
+#endif
+#ifndef PRODUCT_STANDARD_SERVER_C
+#define PRODUCT_STANDARD_SERVER_C "Standard Edition "
+#endif
+
+#ifndef PRODUCT_STANDARD_SERVER_CORE
+#define PRODUCT_STANDARD_SERVER_CORE 0x0000000D
+#endif
+#ifndef PRODUCT_STANDARD_SERVER_CORE_C
+#define PRODUCT_STANDARD_SERVER_CORE_C "Standard Edition (core) "
+#endif
+
+#ifndef PRODUCT_STANDARD_SERVER_CORE_V
+#define PRODUCT_STANDARD_SERVER_CORE_V 0x00000028
+#endif
+#ifndef PRODUCT_STANDARD_SERVER_CORE_V_C
+#define PRODUCT_STANDARD_SERVER_CORE_V_C "Standard Edition "
+#endif
+
+#ifndef PRODUCT_STANDARD_SERVER_V
+#define PRODUCT_STANDARD_SERVER_V 0x00000024
+#endif
+#ifndef PRODUCT_STANDARD_SERVER_V_C
+#define PRODUCT_STANDARD_SERVER_V_C "Standard Edition "
+#endif
+
+#ifndef PRODUCT_STARTER
+#define PRODUCT_STARTER 0x0000000B
+#endif
+#ifndef PRODUCT_STARTER_C
+#define PRODUCT_STARTER_C "Starter Edition "
+#endif
+
+#ifndef PRODUCT_STORAGE_ENTERPRISE_SERVER
+#define PRODUCT_STORAGE_ENTERPRISE_SERVER 0x00000017
+#endif
+#ifndef PRODUCT_STORAGE_ENTERPRISE_SERVER_C
+#define PRODUCT_STORAGE_ENTERPRISE_SERVER_C "Storage Server Enterprise Edition "
+#endif
+
+#ifndef PRODUCT_STORAGE_EXPRESS_SERVER
+#define PRODUCT_STORAGE_EXPRESS_SERVER 0x00000014
+#endif
+#ifndef PRODUCT_STORAGE_EXPRESS_SERVER_C
+#define PRODUCT_STORAGE_EXPRESS_SERVER_C "Storage Server Express Edition "
+#endif
+
+#ifndef PRODUCT_STORAGE_STANDARD_SERVER
+#define PRODUCT_STORAGE_STANDARD_SERVER 0x00000015
+#endif
+#ifndef PRODUCT_STORAGE_STANDARD_SERVER_C
+#define PRODUCT_STORAGE_STANDARD_SERVER_C "Storage Server Standard Edition "
+#endif
+
+#ifndef PRODUCT_STORAGE_WORKGROUP_SERVER
+#define PRODUCT_STORAGE_WORKGROUP_SERVER 0x00000016
+#endif
+#ifndef PRODUCT_STORAGE_WORKGROUP_SERVER_C
+#define PRODUCT_STORAGE_WORKGROUP_SERVER_C "Storage Server Workgroup Edition "
+#endif
+
+#ifndef PRODUCT_ULTIMATE
+#define PRODUCT_ULTIMATE 0x00000001
+#endif
+#ifndef PRODUCT_ULTIMATE_C
+#define PRODUCT_ULTIMATE_C "Ultimate Edition "
+#endif
+
+#ifndef PRODUCT_ULTIMATE_N
+#define PRODUCT_ULTIMATE_N 0x0000001C
+#endif
+#ifndef PRODUCT_ULTIMATE_N_C
+#define PRODUCT_ULTIMATE_N_C "Ultimate Edition "
+#endif
+
+#ifndef PRODUCT_WEB_SERVER
+#define PRODUCT_WEB_SERVER 0x00000011
+#endif
+#ifndef PRODUCT_WEB_SERVER_C
+#define PRODUCT_WEB_SERVER_C "Web Server Edition "
+#endif
+
+#ifndef PRODUCT_WEB_SERVER_CORE
+#define PRODUCT_WEB_SERVER_CORE 0x0000001D
+#endif
+#ifndef PRODUCT_WEB_SERVER_CORE_C
+#define PRODUCT_WEB_SERVER_CORE_C "Web Server Edition "
+#endif
+
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_ADDL
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_ADDL 0x0000003C
+#endif
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_ADDL_C
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_ADDL_C "Essential Server Solution Additional "
+#endif
+
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_ADDLSVC
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_ADDLSVC 0x0000003E
+#endif
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_ADDLSVC_C
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_ADDLSVC_C "Essential Server Solution Additional SVC "
+#endif
+
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_MGMT
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_MGMT 0x0000003B
+#endif
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_MGMT_C
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_MGMT_C "Essential Server Solution Management "
+#endif
+
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_MGMTSVC
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_MGMTSVC 0x0000003D
+#endif
+#ifndef PRODUCT_ESSENTIALBUSINESS_SERVER_MGMTSVC_C
+#define PRODUCT_ESSENTIALBUSINESS_SERVER_MGMTSVC_C "Essential Server Solution Management SVC "
+#endif
+
+#ifndef PRODUCT_HOME_PREMIUM_SERVER
+#define PRODUCT_HOME_PREMIUM_SERVER 0x00000022
+#endif
+#ifndef PRODUCT_HOME_PREMIUM_SERVER_C
+#define PRODUCT_HOME_PREMIUM_SERVER_C "Home Server 2011 "
+#endif
+
+#ifndef PRODUCT_HYPERV
+#define PRODUCT_HYPERV 0x0000002A
+#endif
+#ifndef PRODUCT_HYPERV_C
+#define PRODUCT_HYPERV_C "Hyper-V Server "
+#endif
+
+#ifndef PRODUCT_MULTIPOINT_PREMIUM_SERVER
+#define PRODUCT_MULTIPOINT_PREMIUM_SERVER 0x0000004D
+#endif
+#ifndef PRODUCT_MULTIPOINT_PREMIUM_SERVER_C
+#define PRODUCT_MULTIPOINT_PREMIUM_SERVER_C "MultiPoint Server Premium (full installation) "
+#endif
+
+#ifndef PRODUCT_MULTIPOINT_STANDARD_SERVER
+#define PRODUCT_MULTIPOINT_STANDARD_SERVER 0x0000004C
+#endif
+#ifndef PRODUCT_MULTIPOINT_STANDARD_SERVER_C
+#define PRODUCT_MULTIPOINT_STANDARD_SERVER_C "MultiPoint Server Standard (full installation) "
+#endif
+
+#ifndef PRODUCT_STANDARD_SERVER_SOLUTIONS
+#define PRODUCT_STANDARD_SERVER_SOLUTIONS 0x00000034
+#endif
+#ifndef PRODUCT_STANDARD_SERVER_SOLUTIONS_C
+#define PRODUCT_STANDARD_SERVER_SOLUTIONS_C "Server Solutions Premium "
+#endif
+
+#ifndef PRODUCT_STORAGE_WORKGROUP_SERVER_CORE
+#define PRODUCT_STORAGE_WORKGROUP_SERVER_CORE 0x0000002D
+#endif
+#ifndef PRODUCT_STORAGE_WORKGROUP_SERVER_CORE_C
+#define PRODUCT_STORAGE_WORKGROUP_SERVER_CORE_C "Storage Server Workgroup (core installation) "
+#endif
+
+#ifndef FIRST_BUILD_WINDOWS_11
+#define FIRST_BUILD_WINDOWS_11 22000
+#endif
+
+#define mkstemp(x) 0
+#define mkdir(x, y) mkdir(x)
+#endif /* WIN32 */
+
+#ifdef WIN32
+int isVista;
+#endif
+
+const char *__local_name = "unset";
+
+/* Set the name of the starting program */
+void OS_SetName(const char *name)
+{
+    __local_name = name;
+    return;
+}
+
+
+time_t File_DateofChange(const char *file)
+{
+    struct stat file_status;
+
+    if (stat(file, &file_status) < 0) {
+        return (-1);
+    }
+
+    return (file_status.st_mtime);
+}
+
+
+ino_t File_Inode(const char *file)
+{
+    struct stat buffer;
+    return stat(file, &buffer) ? 0 : buffer.st_ino;
+}
+
+
+int IsDir(const char *file)
+{
+    struct stat file_status;
+    if (stat(file, &file_status) < 0) {
+        return (-1);
+    }
+    if (S_ISDIR(file_status.st_mode)) {
+        return (0);
+    }
+    return (-1);
+}
+
+
+int check_path_type(const char *dir)
+{
+    DIR *dp;
+    int retval;
+
+    if (dp = opendir(dir), dp) {
+        retval = 2;
+        closedir(dp);
+    } else if (errno == ENOTDIR){
+        retval = 1;
+    } else {
+        retval = 0;
+    }
+    return retval;
+}
+
+
+int IsFile(const char *file) {
+    struct stat buf;
+    return (!stat(file, &buf) && S_ISREG(buf.st_mode)) ? 0 : -1;
+}
+
+#ifndef WIN32
+
+int IsSocket(const char * file) {
+    struct stat buf;
+    return (!stat(file, &buf) && S_ISSOCK(buf.st_mode)) ? 0 : -1;
+}
+
+
+int IsLink(const char * file) {
+    struct stat buf;
+    return (!lstat(file, &buf) && S_ISLNK(buf.st_mode)) ? 0 : -1;
+}
+
+#endif // WIN32
+
+
+off_t FileSize(const char * path) {
+    struct stat buf;
+    return stat(path, &buf) ? -1 : buf.st_size;
+}
+
+
+#ifndef WIN32
+
+float DirSize(const char *path) {
+    struct dirent *dir;
+    struct stat buf;
+    DIR *directory;
+    float folder_size = 0.0;
+    float file_size = 0.0;
+    char *entry;
+
+    if (directory = opendir(path), directory == NULL) {
+        mdebug2("Couldn't open directory '%s'.", path);
+        return -1;
+    }
+
+    while ((dir = readdir(directory)) != NULL) {
+        // Ignore . and ..
+        if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0) {
+            continue;
+        }
+
+        os_malloc(strlen(path) + strlen(dir->d_name) + 2, entry);
+        snprintf(entry, strlen(path) + 2 + strlen(dir->d_name), "%s/%s", path, dir->d_name);
+
+        if (stat(entry, &buf) == -1) {
+            os_free(entry);
+            closedir(directory);
+            return 0;
+        }
+
+        // Recursion if the path points to a directory
+        switch (buf.st_mode & S_IFMT) {
+        case S_IFDIR:
+            folder_size += DirSize(entry);
+            break;
+
+        case S_IFREG:
+            if (file_size = FileSize(entry), file_size != -1) {
+                folder_size += file_size;
+            }
+
+            break;
+
+        default:
+            break;
+        }
+
+        os_free(entry);
+    }
+
+    closedir(directory);
+
+    return folder_size;
+}
+
+int CreatePID(const char *name, int pid)
+{
+    char file[256];
+    FILE *fp;
+
+    snprintf(file, 255, "%s/%s-%d.pid", OS_PIDFILE, name, pid);
+
+    fp = wfopen(file, "a");
+    if (!fp) {
+        return (-1);
+    }
+
+    fprintf(fp, "%d\n", pid);
+    if (chmod(file, 0640) != 0) {
+        merror(CHMOD_ERROR, file, errno, strerror(errno));
+        fclose(fp);
+        return (-1);
+    }
+
+    if (fclose(fp)) {
+        merror("Could not write PID file '%s': %s (%d)", file, strerror(errno), errno);
+        return -1;
+    }
+
+    return (0);
+}
+
+
+char *GetRandomNoise()
+{
+    FILE *fp;
+    char buf[2048 + 1];
+    size_t n;
+
+    /* Reading urandom */
+    fp = wfopen("/dev/urandom", "r");
+    if(!fp)
+    {
+        return(NULL);
+    }
+
+    n = fread(buf, 1, 2048, fp);
+    fclose(fp);
+
+    if (n == 2048) {
+        buf[2048] = '\0';
+        return(strdup(buf));
+    } else {
+        return NULL;
+    }
+}
+
+int DeletePID(const char *name)
+{
+    char file[256] = {'\0'};
+
+    snprintf(file, 255, "%s/%s-%d.pid", OS_PIDFILE, name, (int)getpid());
+
+    if (File_DateofChange(file) < 0) {
+        return (-1);
+    }
+
+    if (unlink(file)) {
+        mferror(DELETE_ERROR, file, errno, strerror(errno));
+        return (-1);
+    }
+
+    return (0);
+}
+#endif
+
+void DeleteState() {
+    char path[PATH_MAX + 1];
+
+    if (strcmp(__local_name, "unset")) {
+#ifdef WIN32
+        snprintf(path, sizeof(path), "%s.state", __local_name);
+#else
+        snprintf(path, sizeof(path), OS_PIDFILE "/%s.state", __local_name);
+#endif
+        unlink(path);
+    } else {
+        merror("At DeleteState(): __local_name is unset.");
+    }
+}
+
+
+int UnmergeFiles(const char *finalpath, const char *optdir, int mode, char ***unmerged_files)
+{
+    int ret = 1;
+    int state_ok;
+    int file_count = 0;
+    size_t i = 0, n = 0, files_size = 0;
+    char *files;
+    char * copy;
+    char final_name[2048 + 1];
+    char buf[2048 + 1];
+    char *file_name;
+    FILE *fp;
+    FILE *finalfp;
+
+    finalfp = wfopen(finalpath, mode == OS_BINARY ? "rb" : "r");
+    if (!finalfp) {
+        merror("Unable to read merged file: '%s' due to [(%d)-(%s)].", finalpath, errno, strerror(errno));
+        return (0);
+    }
+
+    /* Finds index of the last element on the list */
+    if (unmerged_files != NULL) {
+        for(file_count = 0; *(*unmerged_files + file_count); file_count++);
+    }
+
+    while (1) {
+        /* Read header portion */
+        if (fgets(buf, sizeof(buf) - 1, finalfp) == NULL) {
+            break;
+        }
+
+        /* Initiator */
+        if (buf[0] != '!') {
+            continue;
+        }
+
+        /* Get file size and name */
+        files_size = (size_t) atol(buf + 1);
+
+        files = strchr(buf, '\n');
+        if (files) {
+            *files = '\0';
+        }
+
+        files = strchr(buf, ' ');
+        if (!files) {
+            ret = 0;
+            continue;
+        }
+        files++;
+        state_ok = 1;
+
+        if (optdir) {
+            snprintf(final_name, 2048, "%s/%s", optdir, files);
+
+            // Check that final_name is inside optdir
+
+            if (w_ref_parent_folder(final_name)) {
+                merror("Unmerging '%s': unable to unmerge '%s' (it contains '..')", finalpath, final_name);
+                state_ok = 0;
+            }
+        } else {
+            strncpy(final_name, files, 2048);
+            final_name[2048] = '\0';
+        }
+
+        // Create directory
+
+        copy = strdup(final_name);
+
+        if (mkdir_ex(dirname(copy))) {
+            merror("Unmerging '%s': couldn't create directory '%s'", finalpath, files);
+            state_ok = 0;
+        }
+
+        free(copy);
+
+        /* Create temporary file */
+        char tmp_file[strlen(final_name) + 7];
+        snprintf(tmp_file, sizeof(tmp_file), "%sXXXXXX", final_name);
+
+        if (mkstemp_ex(tmp_file) == -1) {
+            merror("Unmerging '%s': could not create temporary file for '%s'", finalpath, files);
+            state_ok = 0;
+        }
+
+        /* Open filename */
+
+        if (state_ok) {
+            if (fp = wfopen(tmp_file, mode == OS_BINARY ? "wb" : "w"), !fp) {
+                ret = 0;
+                merror("Unable to unmerge file '%s' due to [(%d)-(%s)].", tmp_file, errno, strerror(errno));
+            }
+        } else {
+            fp = NULL;
+            ret = 0;
+        }
+
+        if (files_size < sizeof(buf) - 1) {
+            i = files_size;
+            files_size = 0;
+        } else {
+            i = sizeof(buf) - 1;
+            files_size -= sizeof(buf) - 1;
+        }
+
+        while ((n = fread(buf, 1, i, finalfp)) > 0) {
+            buf[n] = '\0';
+
+            if (fp) {
+                fwrite(buf, n, 1, fp);
+            }
+
+            if (files_size == 0) {
+                break;
+            } else {
+                if (files_size < sizeof(buf) - 1) {
+                    i = files_size;
+                    files_size = 0;
+                } else {
+                    i = sizeof(buf) - 1;
+                    files_size -= sizeof(buf) - 1;
+                }
+            }
+        }
+
+        if (fp) {
+            fclose(fp);
+        }
+
+        /* Mv to original name */
+        if (rename_ex(tmp_file, final_name) != 0) {
+            unlink(tmp_file);
+            ret = 0;
+            break;
+        }
+
+        if (unmerged_files != NULL) {
+            /* Removes path from file name */
+            file_name = strrchr(final_name, '/');
+            if (file_name) {
+                file_name++;
+            }
+            else {
+                file_name = final_name;
+            }
+
+            /* Appends file name to unmerged files list */
+            os_realloc(*unmerged_files, (file_count + 2) * sizeof(char *), *unmerged_files);
+            os_strdup(file_name, *(*unmerged_files + file_count));
+            file_count++;
+        }
+    }
+
+    if (unmerged_files != NULL) {
+        *(*unmerged_files + file_count) = NULL;
+    }
+
+    fclose(finalfp);
+    return (ret);
+}
+
+
+int TestUnmergeFiles(const char *finalpath, int mode)
+{
+    int ret = 1;
+    size_t i = 0, n = 0, files_size = 0, read_bytes = 0,data_size = 0;
+    char *files;
+    char buf[2048 + 1];
+    FILE *finalfp;
+
+    finalfp = wfopen(finalpath, mode == OS_BINARY ? "rb" : "r");
+    if (!finalfp) {
+        merror("Unable to read merged file: '%s'.", finalpath);
+        return (0);
+    }
+
+    while (1) {
+        /* Read header portion */
+        if (fgets(buf, sizeof(buf) - 1, finalfp) == NULL) {
+            break;
+        }
+
+        /* Initiator */
+        switch(buf[0]) {
+            case '#':
+                continue;
+            case '!':
+                goto parse;
+            default:
+                ret = 0;
+                goto end;
+        }
+
+parse:
+        /* Get file size and name */
+        files_size = (size_t) atol(buf + 1);
+        data_size = files_size;
+
+        files = strchr(buf, '\n');
+        if (files) {
+            *files = '\0';
+        }
+
+        files = strchr(buf, ' ');
+        if (!files) {
+            ret = 0;
+            continue;
+        }
+        files++;
+
+        /* Check for file name */
+        if(*files == '\0') {
+            ret = 0;
+            goto end;
+        }
+
+        if (files_size < sizeof(buf) - 1) {
+            i = files_size;
+            files_size = 0;
+        } else {
+            i = sizeof(buf) - 1;
+            files_size -= sizeof(buf) - 1;
+        }
+
+        read_bytes = 0;
+        while ((n = fread(buf, 1, i, finalfp)) > 0) {
+            buf[n] = '\0';
+            read_bytes += n;
+
+            if (files_size == 0) {
+                break;
+            } else {
+                if (files_size < sizeof(buf) - 1) {
+                    i = files_size;
+                    files_size = 0;
+                } else {
+                    i = sizeof(buf) - 1;
+                    files_size -= sizeof(buf) - 1;
+                }
+            }
+        }
+
+        if(read_bytes != data_size){
+            ret = 0;
+            goto end;
+        }
+
+    }
+end:
+    fclose(finalfp);
+    return (ret);
+}
+
+
+int MergeAppendFile(FILE *finalfp, const char *files, int path_offset)
+{
+    size_t n = 0;
+    long files_size = 0;
+    long files_final_size = 0;
+    char buf[2048 + 1];
+    FILE *fp = NULL;
+
+    if (path_offset < 0) {
+        char filename[PATH_MAX];
+        char * basedir;
+
+        // Create default basedir
+
+        strncpy(filename, files, sizeof(filename));
+        filename[sizeof(filename) - 1] = '\0';
+        basedir = dirname(filename);
+        path_offset = strlen(basedir);
+
+        if (basedir[path_offset - 1] != '/') {
+            path_offset++;
+        }
+    }
+
+    if (fp = wfopen(files, "r"), fp == NULL) {
+        merror("Unable to open file: '%s' due to [(%d)-(%s)].", files, errno, strerror(errno));
+        return (0);
+    }
+
+    if (fseek(fp, 0, SEEK_END) != 0) {
+        merror("Unable to set EOF offset in file: '%s', due to [(%d)-(%s)].", files, errno, strerror(errno));
+        fclose(fp);
+        return (0);
+    }
+
+    files_size = ftell(fp);
+    if (files_size == 0) {
+        mwarn("File '%s' is empty.", files);
+    }
+
+    fprintf(finalfp, "!%ld %s\n", files_size, files + path_offset);
+
+    if (fseek(fp, 0, SEEK_SET) != 0) {
+        merror("Unable to set the offset in file: '%s', due to [(%d)-(%s)].", files, errno, strerror(errno));
+        fclose(fp);
+        return (0);
+    }
+
+    while ((n = fread(buf, 1, sizeof(buf) - 1, fp)) > 0) {
+        buf[n] = '\0';
+        fwrite(buf, n, 1, finalfp);
+    }
+
+    files_final_size = ftell(fp);
+
+    fclose(fp);
+
+    if (files_size != files_final_size) {
+        merror("File '%s' was modified after getting its size.", files);
+        return (0);
+    }
+
+    return (1);
+}
+
+
+int checkBinaryFile(const char *f_name) {
+    FILE *fp;
+    char str[OS_MAXSTR + 1];
+    fpos_t fp_pos;
+    int64_t offset;
+    int64_t rbytes;
+
+    str[OS_MAXSTR] = '\0';
+
+    fp = wfopen(f_name, "r");
+
+     if (!fp) {
+        merror("Unable to open file '%s' due to [(%d)-(%s)].", f_name, errno, strerror(errno));
+        return 1;
+    }
+
+    /* Get initial file location */
+    fgetpos(fp, &fp_pos);
+
+    for (offset = w_ftell(fp); fgets(str, OS_MAXSTR + 1, fp) != NULL; offset += rbytes) {
+        rbytes = w_ftell(fp) - offset;
+
+        /* Flow control */
+        if (rbytes <= 0 || (rbytes > OS_MAXSTR + 1)) {
+            fclose(fp);
+            return 1;
+        }
+
+        /* Get the last occurrence of \n */
+        if (str[rbytes - 1] == '\n') {
+            str[rbytes - 1] = '\0';
+
+            if ((long)strlen(str) != rbytes - 1)
+            {
+                mdebug2("Line contains some zero-bytes (valid=" FTELL_TT "/ total=" FTELL_TT ").", FTELL_INT64 strlen(str), FTELL_INT64 rbytes - 1);
+                fclose(fp);
+                return 1;
+            }
+        }
+    }
+    fclose(fp);
+    return 0;
+}
+
+
+#ifndef WIN32
+/* Get basename of path */
+char *basename_ex(char *path)
+{
+    return (basename(path));
+}
+
+/* Rename file or directory */
+int rename_ex(const char *source, const char *destination)
+{
+    if (rename(source, destination)) {
+        mferror(RENAME_ERROR, source, destination, errno, strerror(errno));
+
+        return (-1);
+    }
+
+    return (0);
+}
+
+/* Create a temporary file */
+int mkstemp_ex(char *tmp_path)
+{
+    int fd;
+    mode_t old_mask = umask(0177);
+
+    fd = mkstemp(tmp_path);
+    umask(old_mask);
+
+    if (fd == -1) {
+        mferror(MKSTEMP_ERROR, tmp_path, errno, strerror(errno));
+
+        return (-1);
+    }
+
+    /* mkstemp() only implicitly does this in POSIX 2008 */
+    if (fchmod(fd, 0600) == -1) {
+        close(fd);
+
+        mferror(CHMOD_ERROR, tmp_path, errno, strerror(errno));
+
+        if (unlink(tmp_path)) {
+            mferror(DELETE_ERROR, tmp_path, errno, strerror(errno));
+        }
+
+        return (-1);
+    }
+
+    close(fd);
+    return (0);
+}
+
+
+/* Get uname. Memory must be freed after use */
+const char *getuname()
+{
+    struct utsname uts_buf;
+    static char muname[512] = "";
+    os_info *read_version;
+
+    if (!muname[0]){
+        if (read_version = get_unix_version(), read_version){
+            snprintf(muname, 512, "%s |%s |%s |%s |%s [%s|%s: %s] - %s %s",
+                    read_version->sysname,
+                    read_version->nodename,
+                    read_version->release,
+                    read_version->version,
+                    read_version->machine,
+                    read_version->os_name,
+                    read_version->os_platform,
+                    read_version->os_version,
+                    __ossec_name, __ossec_version);
+
+            free_osinfo(read_version);
+        }
+        else if (uname(&uts_buf) >= 0) {
+            snprintf(muname, 512, "%s %s %s %s %s - %s %s",
+                     uts_buf.sysname,
+                     uts_buf.nodename,
+                     uts_buf.release,
+                     uts_buf.version,
+                     uts_buf.machine,
+                     __ossec_name, __ossec_version);
+        } else {
+            snprintf(muname, 512, "No system info available - %s %s",
+                     __ossec_name, __ossec_version);
+        }
+    }
+
+    return muname;
+}
+
+
+/* Daemonize a process without closing stdin/stdout/stderr */
+void goDaemonLight()
+{
+    pid_t pid;
+
+    pid = fork();
+
+    if (pid < 0) {
+        merror(FORK_ERROR, errno, strerror(errno));
+        return;
+    } else if (pid) {
+        exit(0);
+    }
+
+    /* Become session leader */
+    if (setsid() < 0) {
+        merror(SETSID_ERROR, errno, strerror(errno));
+        return;
+    }
+
+    /* Fork again */
+    pid = fork();
+    if (pid < 0) {
+        merror(FORK_ERROR, errno, strerror(errno));
+        return;
+    } else if (pid) {
+        exit(0);
+    }
+
+    dup2(1, 2);
+
+    nowDaemon();
+}
+
+/* Daemonize a process */
+void goDaemon()
+{
+    int fd;
+    pid_t pid;
+
+    pid = fork();
+    if (pid < 0) {
+        merror(FORK_ERROR, errno, strerror(errno));
+        return;
+    } else if (pid) {
+        exit(0);
+    }
+
+    /* Become session leader */
+    if (setsid() < 0) {
+        merror(SETSID_ERROR, errno, strerror(errno));
+        return;
+    }
+
+    /* Fork again */
+    pid = fork();
+    if (pid < 0) {
+        merror(FORK_ERROR, errno, strerror(errno));
+        return;
+    } else if (pid) {
+        exit(0);
+    }
+
+    /* Dup stdin, stdout and stderr to /dev/null */
+    if ((fd = open("/dev/null", O_RDWR)) >= 0) {
+        dup2(fd, 0);
+        dup2(fd, 1);
+        dup2(fd, 2);
+
+        close(fd);
+    }
+
+    nowDaemon();
+}
+
+#else /* WIN32 */
+
+int checkVista()
+{
+    /* Check if the system is Vista (must be called during the startup) */
+    isVista = 0;
+
+    OSVERSIONINFOEX osvi = { .dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX) };
+    BOOL bOsVersionInfoEx;
+
+    if (bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi), !bOsVersionInfoEx) {
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+        if (!GetVersionEx((OSVERSIONINFO *)&osvi)) {
+            merror("Cannot get Windows version number.");
+            return -1;
+        }
+    }
+
+    if (osvi.dwMajorVersion >= 6) {
+        isVista = 1;
+    }
+
+    return (isVista);
+}
+
+
+int get_creation_date(char *dir, SYSTEMTIME *utc) {
+    HANDLE hdle;
+    FILETIME creation_date;
+    int retval = 1;
+
+    if (hdle = CreateFile(dir, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS, NULL), hdle == INVALID_HANDLE_VALUE) {
+        return retval;
+    }
+
+    if (!GetFileTime(hdle, &creation_date, NULL, NULL)) {
+        goto end;
+    }
+
+    FileTimeToSystemTime(&creation_date, utc);
+    retval = 0;
+end:
+    CloseHandle(hdle);
+    return retval;
+}
+
+
+time_t get_UTC_modification_time(const char *file){
+    HANDLE hdle;
+    FILETIME modification_date;
+    if (hdle = CreateFile(file, GENERIC_READ, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL), \
+        hdle == INVALID_HANDLE_VALUE) {
+        mferror(FIM_WARN_OPEN_HANDLE_FILE, file, GetLastError());
+        return 0;
+    }
+
+    if (!GetFileTime(hdle, NULL, NULL, &modification_date)) {
+        CloseHandle(hdle);
+        mferror(FIM_WARN_GET_FILETIME, file, GetLastError());
+        return 0;
+    }
+
+    CloseHandle(hdle);
+
+    return (time_t) get_windows_file_time_epoch(modification_date);
+}
+
+
+char *basename_ex(char *path)
+{
+    return (PathFindFileNameA(path));
+}
+
+
+int rename_ex(const char *source, const char *destination)
+{
+    BOOL file_created = FALSE;
+    DWORD dwFileAttributes = GetFileAttributes(destination);
+
+    if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) {
+        // If the destination file does not exist, create it.
+
+        const DWORD dwDesiredAccess = GENERIC_WRITE;
+        const DWORD dwShareMode = FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE;
+        const DWORD dwCreationDisposition = CREATE_ALWAYS;
+        const DWORD dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL;
+
+        HANDLE hFile = CreateFile(destination, dwDesiredAccess, dwShareMode, NULL, dwCreationDisposition, dwFlagsAndAttributes, NULL);
+
+        if (hFile == INVALID_HANDLE_VALUE) {
+            mferror("Could not create file (%s) which returned (%lu)", destination, GetLastError());
+            return -1;
+        }
+
+        CloseHandle(hFile);
+        file_created = TRUE;
+    }
+
+    if (!ReplaceFile(destination, source, NULL, 0, NULL, NULL)) {
+        mferror("Could not move (%s) to (%s) which returned (%lu)", source, destination, GetLastError());
+
+        if (file_created) {
+            // Delete the destination file as it's been created by this function.
+            DeleteFile(destination);
+        }
+
+        return (-1);
+    }
+
+    return (0);
+}
+
+
+int mkstemp_ex(char *tmp_path)
+{
+    DWORD dwResult;
+    int result;
+    int status = -1;
+
+    HANDLE h = NULL;
+    PACL pACL = NULL;
+    PSECURITY_DESCRIPTOR pSD = NULL;
+    EXPLICIT_ACCESS ea[2];
+    SECURITY_ATTRIBUTES sa;
+
+    PSID pAdminGroupSID = NULL;
+    PSID pSystemGroupSID = NULL;
+    SID_IDENTIFIER_AUTHORITY SIDAuthNT = {SECURITY_NT_AUTHORITY};
+
+
+    if (result = _mktemp_s(tmp_path, strlen(tmp_path) + 1), result) {
+        mferror("Could not create temporary file (%s) which returned %d [(%d)-(%s)].", tmp_path, result, errno, strerror(errno));
+        return (-1);
+    }
+
+    /* Create SID for the BUILTIN\Administrators group */
+    result = AllocateAndInitializeSid(
+                 &SIDAuthNT,
+                 2,
+                 SECURITY_BUILTIN_DOMAIN_RID,
+                 DOMAIN_ALIAS_RID_ADMINS,
+                 0, 0, 0, 0, 0, 0,
+                 &pAdminGroupSID
+             );
+
+    if (!result) {
+        mferror("Could not create BUILTIN\\Administrators group SID which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Create SID for the SYSTEM group */
+    result = AllocateAndInitializeSid(
+                 &SIDAuthNT,
+                 1,
+                 SECURITY_LOCAL_SYSTEM_RID,
+                 0, 0, 0, 0, 0, 0, 0,
+                 &pSystemGroupSID
+             );
+
+    if (!result) {
+        mferror("Could not create SYSTEM group SID which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Initialize an EXPLICIT_ACCESS structure for an ACE */
+    ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
+
+    /* Add Administrators group */
+    ea[0].grfAccessPermissions = GENERIC_ALL;
+    ea[0].grfAccessMode = SET_ACCESS;
+    ea[0].grfInheritance = NO_INHERITANCE;
+    ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+    ea[0].Trustee.ptstrName = (LPTSTR)pAdminGroupSID;
+
+    /* Add SYSTEM group */
+    ea[1].grfAccessPermissions = GENERIC_ALL;
+    ea[1].grfAccessMode = SET_ACCESS;
+    ea[1].grfInheritance = NO_INHERITANCE;
+    ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+    ea[1].Trustee.ptstrName = (LPTSTR)pSystemGroupSID;
+
+    /* Set entries in ACL */
+    dwResult = SetEntriesInAcl(2, ea, NULL, &pACL);
+
+    if (dwResult != ERROR_SUCCESS) {
+        mferror("Could not set ACL entries which returned (%lu)", dwResult);
+
+        goto cleanup;
+    }
+
+    /* Initialize security descriptor */
+    pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(
+              LPTR,
+              SECURITY_DESCRIPTOR_MIN_LENGTH
+          );
+
+    if (pSD == NULL) {
+        mferror("Could not initialize SECURITY_DESCRIPTOR because of a LocalAlloc() failure which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {
+        mferror("Could not initialize SECURITY_DESCRIPTOR because of an InitializeSecurityDescriptor() failure which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Set owner */
+    if (!SetSecurityDescriptorOwner(pSD, NULL, FALSE)) {
+        mferror("Could not set owner which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Set group owner */
+    if (!SetSecurityDescriptorGroup(pSD, NULL, FALSE)) {
+        mferror("Could not set group owner which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Add ACL to security descriptor */
+    if (!SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE)) {
+        mferror("Could not set SECURITY_DESCRIPTOR DACL which returned (%lu)", GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Initialize security attributes structure */
+    sa.nLength = sizeof (SECURITY_ATTRIBUTES);
+    sa.lpSecurityDescriptor = pSD;
+    sa.bInheritHandle = FALSE;
+
+    h = CreateFileA(
+            tmp_path,
+            GENERIC_WRITE,
+            0,
+            &sa,
+            CREATE_NEW,
+            FILE_ATTRIBUTE_NORMAL,
+            NULL
+        );
+
+    if (h == INVALID_HANDLE_VALUE) {
+        mferror("Could not create temporary file (%s) which returned (%lu)", tmp_path, GetLastError());
+
+        goto cleanup;
+    }
+
+    if (!CloseHandle(h)) {
+        mferror("Could not close file handle to (%s) which returned (%lu)", tmp_path, GetLastError());
+
+        goto cleanup;
+    }
+
+    /* Success */
+    status = 0;
+
+cleanup:
+    if (pAdminGroupSID) {
+        FreeSid(pAdminGroupSID);
+    }
+
+    if (pSystemGroupSID) {
+        FreeSid(pSystemGroupSID);
+    }
+
+    if (pACL) {
+        LocalFree(pACL);
+    }
+
+    if (pSD) {
+        LocalFree(pSD);
+    }
+
+    return (status);
+}
+
+
+const char *getuname()
+{
+    int ret_size = OS_SIZE_1024 - 2;
+    static char ret[OS_SIZE_1024 + 1] = "";
+    char os_v[128 + 1];
+    int add_infoEx = 1;
+
+    typedef void (WINAPI * PGNSI)(LPSYSTEM_INFO);
+    typedef BOOL (WINAPI * PGPI)(DWORD, DWORD, DWORD, DWORD, PDWORD);
+
+    /* See http://msdn.microsoft.com/en-us/library/windows/desktop/ms724429%28v=vs.85%29.aspx */
+    OSVERSIONINFOEX osvi;
+    SYSTEM_INFO si = {0};
+    PGNSI pGNSI;
+    PGPI pGPI;
+    BOOL bOsVersionInfoEx;
+    DWORD dwType;
+
+    ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+
+    if (!(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi))) {
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+        if (!GetVersionEx((OSVERSIONINFO *)&osvi)) {
+            return (NULL);
+        }
+    }
+
+    if (ret[0] != '\0') {
+        return ret;
+    }
+
+    switch (osvi.dwPlatformId) {
+        /* Test for the Windows NT product family */
+        case VER_PLATFORM_WIN32_NT:
+            if (osvi.dwMajorVersion == 6 && (osvi.dwMinorVersion == 0 || osvi.dwMinorVersion == 1) ) {
+                if (osvi.dwMinorVersion == 0) {
+                    if (osvi.wProductType == VER_NT_WORKSTATION ) {
+                        strncat(ret, "Microsoft Windows Vista ", ret_size - 1);
+                    } else {
+                        strncat(ret, "Microsoft Windows Server 2008 ", ret_size - 1);
+                    }
+                } else if (osvi.dwMinorVersion == 1) {
+                    if (osvi.wProductType == VER_NT_WORKSTATION ) {
+                        strncat(ret, "Microsoft Windows 7 ", ret_size - 1);
+                    } else {
+                        strncat(ret, "Microsoft Windows Server 2008 R2 ", ret_size - 1);
+                    }
+                }
+
+                ret_size -= strlen(ret) + 1;
+
+
+                /* Get product version */
+                pGPI = (PGPI) GetProcAddress(
+                              GetModuleHandle(TEXT("kernel32.dll")),
+                              "GetProductInfo");
+
+                if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0)
+                    pGPI( 6, 0, 0, 0, &dwType);
+                else
+                    pGPI( 6, 1, 0, 0, &dwType);
+
+                switch (dwType) {
+                    case PRODUCT_UNLICENSED:
+                        strncat(ret, PRODUCT_UNLICENSED_C, ret_size - 1);
+                        break;
+                    case PRODUCT_BUSINESS:
+                        strncat(ret, PRODUCT_BUSINESS_C, ret_size - 1);
+                        break;
+                    case PRODUCT_BUSINESS_N:
+                        strncat(ret, PRODUCT_BUSINESS_N_C, ret_size - 1);
+                        break;
+                    case PRODUCT_CLUSTER_SERVER:
+                        strncat(ret, PRODUCT_CLUSTER_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_DATACENTER_SERVER:
+                        strncat(ret, PRODUCT_DATACENTER_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_DATACENTER_SERVER_CORE:
+                        strncat(ret, PRODUCT_DATACENTER_SERVER_CORE_C, ret_size - 1);
+                        break;
+                    case PRODUCT_DATACENTER_SERVER_CORE_V:
+                        strncat(ret, PRODUCT_DATACENTER_SERVER_CORE_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_DATACENTER_SERVER_V:
+                        strncat(ret, PRODUCT_DATACENTER_SERVER_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE:
+                        strncat(ret, PRODUCT_ENTERPRISE_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_N:
+                        strncat(ret, PRODUCT_ENTERPRISE_N_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_SERVER:
+                        strncat(ret, PRODUCT_ENTERPRISE_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_SERVER_CORE:
+                        strncat(ret, PRODUCT_ENTERPRISE_SERVER_CORE_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_SERVER_CORE_V:
+                        strncat(ret, PRODUCT_ENTERPRISE_SERVER_CORE_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_SERVER_IA64:
+                        strncat(ret, PRODUCT_ENTERPRISE_SERVER_IA64_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ENTERPRISE_SERVER_V:
+                        strncat(ret, PRODUCT_ENTERPRISE_SERVER_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_HOME_BASIC:
+                        strncat(ret, PRODUCT_HOME_BASIC_C, ret_size - 1);
+                        break;
+                    case PRODUCT_HOME_BASIC_N:
+                        strncat(ret, PRODUCT_HOME_BASIC_N_C, ret_size - 1);
+                        break;
+                    case PRODUCT_HOME_PREMIUM:
+                        strncat(ret, PRODUCT_HOME_PREMIUM_C, ret_size - 1);
+                        break;
+                    case PRODUCT_HOME_PREMIUM_N:
+                        strncat(ret, PRODUCT_HOME_PREMIUM_N_C, ret_size - 1);
+                        break;
+                    case PRODUCT_HOME_SERVER:
+                        strncat(ret, PRODUCT_HOME_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT:
+                        strncat(ret, PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT_C, ret_size - 1);
+                        break;
+                    case PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING:
+                        strncat(ret, PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING_C, ret_size - 1);
+                        break;
+                    case PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY:
+                        strncat(ret, PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY_C, ret_size - 1);
+                        break;
+                    case PRODUCT_SERVER_FOR_SMALLBUSINESS:
+                        strncat(ret, PRODUCT_SERVER_FOR_SMALLBUSINESS_C, ret_size - 1);
+                        break;
+                    case PRODUCT_SMALLBUSINESS_SERVER:
+                        strncat(ret, PRODUCT_SMALLBUSINESS_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_SMALLBUSINESS_SERVER_PREMIUM:
+                        strncat(ret, PRODUCT_SMALLBUSINESS_SERVER_PREMIUM_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STANDARD_SERVER:
+                        strncat(ret, PRODUCT_STANDARD_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STANDARD_SERVER_CORE:
+                        strncat(ret, PRODUCT_STANDARD_SERVER_CORE_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STANDARD_SERVER_CORE_V:
+                        strncat(ret, PRODUCT_STANDARD_SERVER_CORE_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STANDARD_SERVER_V:
+                        strncat(ret, PRODUCT_STANDARD_SERVER_V_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STARTER:
+                        strncat(ret, PRODUCT_STARTER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STORAGE_ENTERPRISE_SERVER:
+                        strncat(ret, PRODUCT_STORAGE_ENTERPRISE_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STORAGE_EXPRESS_SERVER:
+                        strncat(ret, PRODUCT_STORAGE_EXPRESS_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STORAGE_STANDARD_SERVER:
+                        strncat(ret, PRODUCT_STORAGE_STANDARD_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_STORAGE_WORKGROUP_SERVER:
+                        strncat(ret, PRODUCT_STORAGE_WORKGROUP_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ULTIMATE:
+                        strncat(ret, PRODUCT_ULTIMATE_C, ret_size - 1);
+                        break;
+                    case PRODUCT_ULTIMATE_N:
+                        strncat(ret, PRODUCT_ULTIMATE_N_C, ret_size - 1);
+                        break;
+                    case PRODUCT_WEB_SERVER:
+                        strncat(ret, PRODUCT_WEB_SERVER_C, ret_size - 1);
+                        break;
+                    case PRODUCT_WEB_SERVER_CORE:
+                        strncat(ret, PRODUCT_WEB_SERVER_CORE_C, ret_size - 1);
+                        break;
+
+                }
+                ret_size -= strlen(ret) + 1;
+            } else if (osvi.dwMajorVersion == 6 && (osvi.dwMinorVersion == 2 || osvi.dwMinorVersion == 3)) {
+                // Read Windows Version from registry
+                DWORD dwRet;
+                HKEY RegistryKey;
+                const DWORD size = 1024;
+                TCHAR value[size];
+                DWORD dwCount = size;
+                add_infoEx = 0;
+
+                if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), 0, KEY_READ | KEY_WOW64_64KEY , &RegistryKey) != ERROR_SUCCESS) {
+                    merror("Error opening Windows registry.");
+                }
+
+                dwRet = RegQueryValueEx(RegistryKey, TEXT("ProductName"), NULL, NULL, (LPBYTE)value, &dwCount);
+                if (dwRet != ERROR_SUCCESS) {
+                    merror("Error reading Windows registry. (Error %u)",(unsigned int)dwRet);
+                    strncat(ret, "Microsoft Windows undefined version", ret_size - 1);
+                }
+                else {
+                    RegCloseKey(RegistryKey);
+                    strncat(ret, "Microsoft ", ret_size - 1);
+                    strncat(ret, value, ret_size - 1);
+                }
+                ret_size -= strlen(ret) + 1;
+            } else if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2) {
+                pGNSI = (PGNSI)(LPSYSTEM_INFO)GetProcAddress(
+                            GetModuleHandle("kernel32.dll"),
+                            "GetNativeSystemInfo");
+                if (NULL != pGNSI) {
+                    pGNSI(&si);
+                } else {
+                    mwarn("It was not possible to retrieve GetNativeSystemInfo from kernek32.dll");
+                }
+
+                if ( GetSystemMetrics(89) )
+                    strncat(ret, "Microsoft Windows Server 2003 R2 ",
+                            ret_size - 1);
+                else if (osvi.wProductType == VER_NT_WORKSTATION &&
+                         si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) {
+                    strncat(ret,
+                            "Microsoft Windows XP Professional x64 Edition ",
+                            ret_size - 1 );
+                } else {
+                    strncat(ret, "Microsoft Windows Server 2003, ", ret_size - 1);
+                }
+
+                ret_size -= strlen(ret) + 1;
+            } else if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1) {
+                strncat(ret, "Microsoft Windows XP ", ret_size - 1);
+
+                ret_size -= strlen(ret) + 1;
+            } else if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0) {
+                strncat(ret, "Microsoft Windows 2000 ", ret_size - 1);
+
+                ret_size -= strlen(ret) + 1;
+            } else if (osvi.dwMajorVersion <= 4) {
+                strncat(ret, "Microsoft Windows NT ", ret_size - 1);
+
+                ret_size -= strlen(ret) + 1;
+            } else {
+                strncat(ret, "Microsoft Windows Unknown ", ret_size - 1);
+
+                ret_size -= strlen(ret) + 1;
+            }
+
+            /* Test for specific product on Windows NT 4.0 SP6 and later */
+            if (add_infoEx){
+                if (bOsVersionInfoEx) {
+                    /* Test for the workstation type */
+                    if (osvi.wProductType == VER_NT_WORKSTATION &&
+                            si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64) {
+                        if ( osvi.dwMajorVersion == 4 ) {
+                            strncat(ret, "Workstation 4.0 ", ret_size - 1);
+                        } else if ( osvi.wSuiteMask & VER_SUITE_PERSONAL ) {
+                            strncat(ret, "Home Edition ", ret_size - 1);
+                        } else {
+                            strncat(ret, "Professional ", ret_size - 1);
+                        }
+
+                        /* Fix size */
+                        ret_size -= strlen(ret) + 1;
+                    }
+
+                    /* Test for the server type */
+                    else if ( osvi.wProductType == VER_NT_SERVER ||
+                              osvi.wProductType == VER_NT_DOMAIN_CONTROLLER ) {
+                        if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2) {
+                            if (si.wProcessorArchitecture ==
+                                    PROCESSOR_ARCHITECTURE_IA64 ) {
+                                if ( osvi.wSuiteMask & VER_SUITE_DATACENTER )
+                                    strncat(ret,
+                                            "Datacenter Edition for Itanium-based Systems ",
+                                            ret_size - 1);
+                                else if ( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
+                                    strncat(ret,
+                                            "Enterprise Edition for Itanium-based Systems ",
+                                            ret_size - 1);
+
+                                ret_size -= strlen(ret) + 1;
+                            } else if ( si.wProcessorArchitecture ==
+                                        PROCESSOR_ARCHITECTURE_AMD64 ) {
+                                if ( osvi.wSuiteMask & VER_SUITE_DATACENTER )
+                                    strncat(ret, "Datacenter x64 Edition ",
+                                            ret_size - 1 );
+                                else if ( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
+                                    strncat(ret, "Enterprise x64 Edition ",
+                                            ret_size - 1 );
+                                else
+                                    strncat(ret, "Standard x64 Edition ",
+                                            ret_size - 1 );
+
+                                ret_size -= strlen(ret) + 1;
+                            } else {
+                                if ( osvi.wSuiteMask & VER_SUITE_DATACENTER )
+                                    strncat(ret, "Datacenter Edition ",
+                                            ret_size - 1 );
+                                else if ( osvi.wSuiteMask & VER_SUITE_ENTERPRISE ) {
+                                    strncat(ret, "Enterprise Edition ", ret_size - 1);
+                                } else if ( osvi.wSuiteMask == VER_SUITE_BLADE ) {
+                                    strncat(ret, "Web Edition ", ret_size - 1 );
+                                } else {
+                                    strncat(ret, "Standard Edition ", ret_size - 1);
+                                }
+
+                                ret_size -= strlen(ret) + 1;
+                            }
+                        } else if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0) {
+                            if ( osvi.wSuiteMask & VER_SUITE_DATACENTER ) {
+                                strncat(ret, "Datacenter Server ", ret_size - 1);
+                            } else if ( osvi.wSuiteMask & VER_SUITE_ENTERPRISE ) {
+                                strncat(ret, "Advanced Server ", ret_size - 1 );
+                            } else {
+                                strncat(ret, "Server ", ret_size - 1);
+                            }
+
+                            ret_size -= strlen(ret) + 1;
+                        } else if (osvi.dwMajorVersion <= 4) { /* Windows NT 4.0 */
+                            if ( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
+                                strncat(ret, "Server 4.0, Enterprise Edition ",
+                                        ret_size - 1 );
+                            else {
+                                strncat(ret, "Server 4.0 ", ret_size - 1);
+                            }
+
+                            ret_size -= strlen(ret) + 1;
+                        }
+                    }
+                }
+                /* Test for specific product on Windows NT 4.0 SP5 and earlier */
+                else {
+                    HKEY hKey;
+                    char szProductType[81];
+                    DWORD dwBufLen = 80;
+                    LONG lRet;
+
+                    lRet = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
+                                         "SYSTEM\\CurrentControlSet\\Control\\ProductOptions",
+                                         0, KEY_QUERY_VALUE, &hKey );
+                    if (lRet == ERROR_SUCCESS) {
+                        char __wv[32];
+
+                        lRet = RegQueryValueEx( hKey, "ProductType", NULL, NULL,
+                                                (LPBYTE) szProductType, &dwBufLen);
+                        RegCloseKey( hKey );
+
+                        if ((lRet == ERROR_SUCCESS) && (dwBufLen < 80) ) {
+                            if (lstrcmpi( "WINNT", szProductType) == 0 ) {
+                                strncat(ret, "Workstation ", ret_size - 1);
+                            } else if (lstrcmpi( "LANMANNT", szProductType) == 0 ) {
+                                strncat(ret, "Server ", ret_size - 1);
+                            } else if (lstrcmpi( "SERVERNT", szProductType) == 0 ) {
+                                strncat(ret, "Advanced Server " , ret_size - 1);
+                            }
+
+                            ret_size -= strlen(ret) + 1;
+
+                            memset(__wv, '\0', 32);
+                            snprintf(__wv, 31,
+                                     "%d.%d ",
+                                     (int)osvi.dwMajorVersion,
+                                     (int)osvi.dwMinorVersion);
+
+                            strncat(ret, __wv, ret_size - 1);
+                            ret_size -= strlen(__wv) + 1;
+                        }
+                    }
+                }
+            }
+            /* Display service pack (if any) and build number */
+            if ( osvi.dwMajorVersion == 4 &&
+                    lstrcmpi( osvi.szCSDVersion, "Service Pack 6" ) == 0 ) {
+                HKEY hKey;
+                LONG lRet;
+                char __wp[64];
+
+                memset(__wp, '\0', 64);
+                /* Test for SP6 versus SP6a */
+                lRet = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
+                                     "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix\\Q246009",
+                                     0, KEY_QUERY_VALUE, &hKey );
+                if ( lRet == ERROR_SUCCESS )
+                    snprintf(__wp, 63, "Service Pack 6a [Ver: %i.%i.%d]",
+                             (int)osvi.dwMajorVersion,
+                             (int)osvi.dwMinorVersion,
+                             (int)osvi.dwBuildNumber & 0xFFFF );
+                else { /* Windows NT 4.0 prior to SP6a */
+                    snprintf(__wp, 63, "%s [Ver: %i.%i.%d]",
+                             osvi.szCSDVersion,
+                             (int)osvi.dwMajorVersion,
+                             (int)osvi.dwMinorVersion,
+                             (int)osvi.dwBuildNumber & 0xFFFF );
+                }
+
+                strncat(ret, __wp, ret_size - 1);
+                ret_size -= strlen(__wp) + 1;
+                RegCloseKey( hKey );
+            } else if (osvi.dwMajorVersion == 6 && (osvi.dwMinorVersion == 2 || osvi.dwMinorVersion == 3)) {
+                // Read Windows Version number from registry
+                char __wp[64];
+                memset(__wp, '\0', 64);
+                DWORD dwRet;
+                HKEY RegistryKey;
+                const DWORD size = 30;
+                TCHAR winver[size];
+                TCHAR wincomp[size];
+                DWORD winMajor = 0;
+                DWORD winMinor = 0;
+                DWORD buildRevision = 0;
+                DWORD dwCount = size;
+                unsigned long type=REG_DWORD;
+
+                if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), 0, KEY_READ | KEY_WOW64_64KEY, &RegistryKey) != ERROR_SUCCESS) {
+                    merror("Error opening Windows registry.");
+                }
+
+                // Windows 10
+                dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentMajorVersionNumber"), NULL, &type, (LPBYTE)&winMajor, &dwCount);
+                if (dwRet == ERROR_SUCCESS) {
+                    dwCount = size;
+                    dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentMinorVersionNumber"), NULL, &type, (LPBYTE)&winMinor, &dwCount);
+                    if (dwRet != ERROR_SUCCESS) {
+                        merror("Error reading 'CurrentMinorVersionNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                    }
+                    else {
+                        dwCount = size;
+                        dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentBuildNumber"), NULL, NULL, (LPBYTE)wincomp, &dwCount);
+                        if (dwRet != ERROR_SUCCESS) {
+                            merror("Error reading 'CurrentBuildNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                            snprintf(__wp, 63, " [Ver: %d.%d]", (unsigned int)winMajor, (unsigned int)winMinor);
+                        }
+                        else {
+                            dwCount = size;
+                            dwRet = RegQueryValueEx(RegistryKey, TEXT("UBR"), NULL, &type, (LPBYTE)&buildRevision, &dwCount);
+                            if (dwRet != ERROR_SUCCESS) {
+                                snprintf(__wp,  sizeof(__wp), " [Ver: %d.%d.%s]", (unsigned int)winMajor, (unsigned int)winMinor, wincomp);
+                            }
+                            else {
+                                snprintf(__wp,  sizeof(__wp), " [Ver: %d.%d.%s.%lu]", (unsigned int)winMajor, (unsigned int)winMinor, wincomp, buildRevision);
+                            }
+
+                            char *endptr = NULL, *osVersion = NULL;
+                            const int buildNumber = (int) strtol(wincomp, &endptr, 10);
+
+                            if ('\0' == *endptr && buildNumber >= FIRST_BUILD_WINDOWS_11) {
+                                if (osVersion = strstr(ret, "Microsoft Windows 10"), osVersion != NULL) {
+                                    memcpy(osVersion, "Microsoft Windows 11", strlen("Microsoft Windows 11"));
+                                }
+                            }
+                        }
+                    }
+                    RegCloseKey(RegistryKey);
+                }
+                // Windows 6.2 or 6.3
+                else {
+                    dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentVersion"), NULL, NULL, (LPBYTE)winver, &dwCount);
+                    if (dwRet != ERROR_SUCCESS) {
+                        merror("Error reading 'Current Version' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                        snprintf(__wp, 63, " [Ver: 6.2]");
+                    }
+                    else {
+                        dwCount = size;
+                        dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentBuildNumber"), NULL, NULL, (LPBYTE)wincomp, &dwCount);
+                        if (dwRet != ERROR_SUCCESS) {
+                            merror("Error reading 'CurrentBuildNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                            snprintf(__wp, 63, " [Ver: 6.2]");
+                        }
+                        else {
+                            dwCount = size;
+                            dwRet = RegQueryValueEx(RegistryKey, TEXT("UBR"), NULL, &type, (LPBYTE)&buildRevision, &dwCount);
+                            if (dwRet != ERROR_SUCCESS) {
+                                snprintf(__wp, sizeof(__wp), " [Ver: %s.%s]", winver,wincomp);
+                            }
+                            else {
+                                snprintf(__wp, sizeof(__wp), " [Ver: %s.%s.%lu]", winver, wincomp, buildRevision);
+                            }
+                        }
+                    }
+                    RegCloseKey(RegistryKey);
+                }
+
+                strncat(ret, __wp, ret_size - 1);
+                ret_size -= strlen(ret) + 1;
+            } else {
+                char __wp[64];
+
+                memset(__wp, '\0', 64);
+
+                snprintf(__wp, 63, "%s [Ver: %i.%i.%d]",
+                         osvi.szCSDVersion,
+                         (int)osvi.dwMajorVersion,
+                         (int)osvi.dwMinorVersion,
+                         (int)osvi.dwBuildNumber & 0xFFFF );
+
+                strncat(ret, __wp, ret_size - 1);
+                ret_size -= strlen(__wp) + 1;
+            }
+            break;
+
+        /* Test for Windows Me/98/95 */
+        case VER_PLATFORM_WIN32_WINDOWS:
+            if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0) {
+                strncat(ret, "Microsoft Windows 95 ", ret_size - 1);
+                ret_size -= strlen(ret) + 1;
+            }
+
+            if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 10) {
+                strncat(ret, "Microsoft Windows 98 ", ret_size - 1);
+                ret_size -= strlen(ret) + 1;
+            }
+
+            if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 90) {
+                strncat(ret, "Microsoft Windows Millennium Edition",
+                        ret_size - 1);
+
+                ret_size -= strlen(ret) + 1;
+            }
+            break;
+
+        case VER_PLATFORM_WIN32s:
+            strncat(ret, "Microsoft Win32s", ret_size - 1);
+            ret_size -= strlen(ret) + 1;
+            break;
+    }
+
+    /* Add OSSEC-HIDS version */
+    snprintf(os_v, 128, " - %s %s", __ossec_name, __ossec_version);
+    strncat(ret, os_v, ret_size - 1);
+
+    return (ret);
+}
+
+
+void w_ch_exec_dir() {
+    TCHAR path[2048] = { 0 };
+    DWORD last_error;
+    int ret;
+
+    /* Get full path to the directory this executable lives in */
+    ret = GetModuleFileName(NULL, path, sizeof(path));
+
+    /* Check for errors */
+    if (!ret) {
+        print_out(GMF_ERROR);
+
+        /* Get last error */
+        last_error = GetLastError();
+
+        /* Look for errors */
+        switch (last_error) {
+        case ERROR_INSUFFICIENT_BUFFER:
+            print_out(GMF_BUFF_ERROR, ret, sizeof(path));
+            break;
+        default:
+            print_out(GMF_UNKN_ERROR, last_error);
+        }
+
+        exit(EXIT_FAILURE);
+    }
+
+    /* Remove file name from path */
+    PathRemoveFileSpec(path);
+
+    /* Move to correct directory */
+    if (chdir(path)) {
+        print_out(CHDIR_ERROR, path, errno, strerror(errno));
+        exit(EXIT_FAILURE);
+    }
+}
+
+FILE * w_fopen_r(const char *file, const char * mode, BY_HANDLE_FILE_INFORMATION * lpFileInformation) {
+
+    FILE *fp = NULL;
+    int fd;
+    HANDLE h;
+
+    h = CreateFile(file, GENERIC_READ, FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE,
+                   NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (h == INVALID_HANDLE_VALUE) {
+        return NULL;
+    }
+
+    if (lpFileInformation != NULL) {
+        memset(lpFileInformation, 0, sizeof(BY_HANDLE_FILE_INFORMATION));
+    }
+
+    if (GetFileInformationByHandle(h, lpFileInformation) == 0) {
+        merror(FILE_ERROR, file);
+    }
+
+    if (fd = _open_osfhandle((intptr_t)h, 0), fd == -1) {
+        merror(FOPEN_ERROR, file, errno, strerror(errno));
+        CloseHandle(h);
+        return NULL;
+    }
+
+    if (fp = _fdopen(fd, mode), fp == NULL) {
+        merror(FOPEN_ERROR, file, errno, strerror(errno));
+        CloseHandle(h);
+        return NULL;
+    }
+
+    return fp;
+}
+
+char **expand_win32_wildcards(const char *path) {
+    WIN32_FIND_DATA FindFileData;
+    HANDLE hFind;
+    char **pending_expand = NULL;
+    char **expanded_paths = NULL;
+    char *pattern = NULL;
+    char *next_glob = NULL;
+    char *parent_path = NULL;
+    int pending_expand_index = 0;
+    int expanded_index = 0;
+    size_t glob_pos = 0;
+
+    os_calloc(2, sizeof(char *), pending_expand);
+    os_strdup(path, pending_expand[0]);
+    // Loop until there is not any directory to expand.
+    while(true) {
+        pattern = pending_expand[0];
+
+        if (pattern == NULL) {
+            break;
+        }
+
+        glob_pos = strcspn(pattern, "*?");
+        if (glob_pos == strlen(pattern)) {
+            // If there are no more patterns, exit
+            expanded_paths = pending_expand;
+            break;
+        }
+
+        os_calloc(2, sizeof(char *), expanded_paths);
+
+        for (pending_expand_index = 0; pattern != NULL; pattern = pending_expand[++pending_expand_index]) {
+            glob_pos = strcspn(pattern, "*?");
+            next_glob = strchr(pattern + glob_pos, PATH_SEP);
+
+            // Find the next regex to be appended in case there is an expanded folder.
+            if (next_glob != NULL) {
+                *next_glob = '\0';
+                next_glob++;
+            }
+            os_strdup(pattern, parent_path);
+            char *look_back = strrchr(parent_path, PATH_SEP);
+
+            if (look_back) {
+                *look_back = '\0';
+            }
+
+            hFind = FindFirstFile(pattern, &FindFileData);
+            if (hFind == INVALID_HANDLE_VALUE) {
+                long unsigned errcode = GetLastError();
+                if (errcode == 2) {
+                    mdebug2("No file that matches %s.", pattern);
+                } else if (errcode == 3) {
+                    mdebug2("No folder that matches %s.", pattern);
+                } else {
+                    mdebug2("FindFirstFile failed (%lu) - '%s'\n", errcode, pattern);
+                }
+
+                os_free(pattern);
+                os_free(parent_path);
+                next_glob = NULL;
+                continue;
+            }
+            do {
+                if (strcmp(FindFileData.cFileName, ".") == 0 || strcmp(FindFileData.cFileName, "..") == 0) {
+                    continue;
+                }
+
+                if ((FindFileData.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT)) {
+                    continue;
+                }
+
+                if ((FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == 0 && next_glob != NULL) {
+                    continue;
+                }
+
+                os_strdup(parent_path, expanded_paths[expanded_index]);
+                wm_strcat(&expanded_paths[expanded_index], FindFileData.cFileName, PATH_SEP);
+
+                if (next_glob != NULL) {
+                    wm_strcat(&expanded_paths[expanded_index], next_glob, PATH_SEP);
+                }
+
+                os_realloc(expanded_paths, (expanded_index + 2) * sizeof(char *), expanded_paths);
+                expanded_index++;
+                expanded_paths[expanded_index] = NULL;
+
+            } while(FindNextFile(hFind, &FindFileData));
+
+            FindClose(hFind);
+            // Now, free the memory, as the path that needed to be expanded is no longer needed and it's expansion is
+            // saved in expanded_paths vector.
+            os_free(pattern);
+            os_free(parent_path);
+            next_glob = NULL;
+        }
+
+        expanded_index = 0;
+        os_free(pending_expand);
+        pending_expand = expanded_paths;
+    }
+
+    return expanded_paths;
+}
+
+#endif /* WIN32 */
+
+
+int rmdir_ex(const char *name) {
+    if (rmdir(name) == 0) {
+        return 0;
+    }
+
+    switch (errno) {
+    case ENOTDIR:   // Not a directory
+
+#ifdef WIN32
+    case EINVAL:    // Not a directory
+#endif
+        return unlink(name);
+
+#if EEXIST != ENOTEMPTY
+    case EEXIST:
+#endif
+    case ENOTEMPTY: // Directory not empty
+        // Erase content and try to erase again
+        return cldir_ex(name) || rmdir(name) ? -1 : 0;
+
+    default:
+        return -1;
+    }
+}
+
+
+int cldir_ex(const char *name) {
+    return cldir_ex_ignore(name, NULL);
+}
+
+
+int cldir_ex_ignore(const char * name, const char ** ignore) {
+    DIR *dir;
+    struct dirent *dirent = NULL;
+    char path[PATH_MAX + 1];
+
+    // Erase content
+
+    dir = opendir(name);
+
+    if (!dir) {
+        return -1;
+    }
+
+    while (dirent = readdir(dir), dirent) {
+        // Skip "." and ".."
+        if ((dirent->d_name[0] == '.' && (dirent->d_name[1] == '\0' || (dirent->d_name[1] == '.' && dirent->d_name[2] == '\0'))) || w_str_in_array(dirent->d_name, ignore)) {
+            continue;
+        }
+
+        if (snprintf(path, PATH_MAX + 1, "%s/%s", name, dirent->d_name) > PATH_MAX) {
+            closedir(dir);
+            return -1;
+        }
+
+        if (rmdir_ex(path) < 0) {
+            closedir(dir);
+            return -1;
+        }
+    }
+
+    return closedir(dir);
+}
+
+
+int TempFile(File *file, const char *source, int copy) {
+    FILE *fp_src;
+    int fd;
+    char template[OS_FLSIZE + 1];
+    mode_t old_mask;
+
+    snprintf(template, OS_FLSIZE, "%s.XXXXXX", source);
+    old_mask = umask(0177);
+
+    fd = mkstemp(template);
+    umask(old_mask);
+
+    if (fd < 0) {
+        return -1;
+    }
+
+    fp_src = wfopen(source,"r");
+
+#ifndef WIN32
+    struct stat buf;
+
+    if (stat(source, &buf) == 0) {
+        if (fchmod(fd, buf.st_mode) < 0) {
+            if (fp_src) {
+                fclose(fp_src);
+            }
+            close(fd);
+            unlink(template);
+            return -1;
+        }
+    } else {
+        mdebug1(FSTAT_ERROR, source, errno, strerror(errno));
+    }
+
+#endif
+
+    if (file->fp = fdopen(fd, "w"), !file->fp) {
+        if (fp_src) {
+            fclose(fp_src);
+        }
+        close(fd);
+        unlink(template);
+        return -1;
+    }
+
+    if (copy) {
+        size_t count_r;
+        size_t count_w;
+        char buffer[4096];
+
+        if (fp_src) {
+            while (!feof(fp_src)) {
+                count_r = fread(buffer, 1, 4096, fp_src);
+
+                if (ferror(fp_src)) {
+                    fclose(fp_src);
+                    fclose(file->fp);
+                    unlink(template);
+                    return -1;
+                }
+
+                count_w = fwrite(buffer, 1, count_r, file->fp);
+
+                if (count_w != count_r || ferror(file->fp)) {
+                    fclose(fp_src);
+                    fclose(file->fp);
+                    unlink(template);
+                    return -1;
+                }
+            }
+        }
+    }
+
+    if (fp_src) {
+        fclose(fp_src);
+    }
+
+    file->name = strdup(template);
+    return 0;
+}
+
+
+int OS_MoveFile(const char *src, const char *dst) {
+    FILE *fp_src;
+    FILE *fp_dst;
+    size_t count_r;
+    size_t count_w;
+    char buffer[4096];
+    int status = 0;
+
+    if (rename(src, dst) == 0) {
+        return 0;
+    }
+
+    mdebug1("Couldn't rename %s: %s", dst, strerror(errno));
+
+    fp_src = wfopen(src, "r");
+
+    if (!fp_src) {
+        merror("Couldn't open file '%s'", src);
+        return -1;
+    }
+
+    fp_dst = wfopen(dst, "w");
+
+    if (!fp_dst) {
+        merror("Couldn't open file '%s'", dst);
+        fclose(fp_src);
+        unlink(src);
+        return -1;
+    }
+
+    while (!feof(fp_src)) {
+        count_r = fread(buffer, 1, 4096, fp_src);
+
+        if (ferror(fp_src)) {
+            merror("Couldn't read file '%s'", src);
+            status = -1;
+            break;
+        }
+
+        count_w = fwrite(buffer, 1, count_r, fp_dst);
+
+        if (count_w != count_r || ferror(fp_dst)) {
+            merror("Couldn't write file '%s'", dst);
+            status = -1;
+            break;
+        }
+    }
+
+    fclose(fp_src);
+    fclose(fp_dst);
+    return status ? status : unlink(src);
+}
+
+
+int w_copy_file(const char *src, const char *dst, char mode, char * message, int silent) {
+    FILE *fp_src;
+    FILE *fp_dst;
+    size_t count_r;
+    size_t count_w;
+    char buffer[4096];
+    int status = 0;
+
+    fp_src = wfopen(src, "r");
+
+    if (!fp_src) {
+        if(!silent) {
+            merror("At w_copy_file(): Couldn't open file '%s'", src);
+        }
+        return -1;
+    }
+
+    /* Append to file */
+    if (mode == 'a') {
+        fp_dst = wfopen(dst, "a");
+    }
+    else {
+        fp_dst = wfopen(dst, "w");
+    }
+
+
+    if (!fp_dst) {
+        if (!silent) {
+            merror("At w_copy_file(): Couldn't open file '%s'", dst);
+        }
+        fclose(fp_src);
+        return -1;
+    }
+
+    /* Write message to the destination file */
+    if (message) {
+        count_r = strlen(message);
+        count_w = fwrite(message, 1, count_r, fp_dst);
+
+        if (count_w != count_r || ferror(fp_dst)) {
+            if (!silent) {
+                merror("Couldn't write file '%s'", dst);
+            }
+            status = -1;
+            fclose(fp_src);
+            fclose(fp_dst);
+            return status;
+        }
+    }
+
+    while (!feof(fp_src)) {
+        count_r = fread(buffer, 1, 4096, fp_src);
+
+        if (ferror(fp_src)) {
+            if (!silent) {
+                merror("Couldn't read file '%s'", src);
+            }
+            status = -1;
+            break;
+        }
+
+        count_w = fwrite(buffer, 1, count_r, fp_dst);
+
+        if (count_w != count_r || ferror(fp_dst)) {
+            if (!silent) {
+                merror("Couldn't write file '%s'", dst);
+            }
+            status = -1;
+            break;
+        }
+    }
+
+    fclose(fp_src);
+    fclose(fp_dst);
+    return status;
+}
+
+
+int mkdir_ex(const char * path) {
+    char sep;
+    char * temp = strdup(path);
+    char * psep;
+    char * next;
+
+#ifndef WIN32
+    for (next = temp; psep = strchr(next, '/'), psep; next = psep + 1) {
+#else
+    for (next = temp; psep = strchr(next, '/'), psep || (psep = strchr(next, '\\'), psep); next = psep + 1) {
+#endif
+
+        sep = *psep;
+        *psep = '\0';
+
+        if (*temp && mkdir(temp, 0770) < 0) {
+            switch (errno) {
+            case EEXIST:
+                if (IsDir(temp) < 0) {
+                    merror("Couldn't make dir '%s': not a directory.", temp);
+                    free(temp);
+                    return -1;
+                }
+
+                break;
+
+            case EISDIR:
+                break;
+
+            default:
+                merror("Couldn't make dir '%s': %s", temp, strerror(errno));
+                free(temp);
+                return -1;
+            }
+        }
+
+        *psep = sep;
+    }
+
+    free(temp);
+
+    if (mkdir(path, 0770) < 0) {
+        switch (errno) {
+        case EEXIST:
+            if (IsDir(path) < 0) {
+                merror("Couldn't make dir '%s': not a directory.", path);
+                return -1;
+            }
+
+            break;
+
+        case EISDIR:
+            break;
+
+        default:
+            merror("Couldn't make dir '%s': %s", path, strerror(errno));
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+
+int w_ref_parent_folder(const char * path) {
+    const char * str;
+    char * ptr;
+
+    switch (path[0]) {
+    case '\0':
+        return 0;
+
+    case '.':
+        switch (path[1]) {
+        case '\0':
+            return 0;
+
+        case '.':
+            switch (path[2]) {
+            case '\0':
+                return 1;
+
+            case '/':
+#ifdef WIN32
+            case '\\':
+#endif
+                return 1;
+            }
+        }
+    }
+
+#ifdef WIN32
+    for (str = path; ptr = strstr(str, "/.."), ptr || (ptr = strstr(str, "\\.."), ptr); str = ptr + 3) {
+        if (ptr[3] == '\0' || ptr[3] == '/' || ptr[3] == '\\') {
+#else
+    for (str = path; ptr = strstr(str, "/.."), ptr; str = ptr + 3) {
+        if (ptr[3] == '\0' || ptr[3] == '/') {
+#endif
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+
+cJSON* getunameJSON()
+{
+    os_info *read_info;
+    cJSON* root = cJSON_CreateObject();
+
+#ifndef WIN32
+    if (read_info = get_unix_version(), read_info) {
+#else
+    if (read_info = get_win_version(), read_info) {
+#endif
+        if (read_info->os_name && (strcmp(read_info->os_name, "unknown") != 0)){
+            cJSON_AddStringToObject(root, "os_name", read_info->os_name);
+        }
+        if (read_info->os_major){
+            cJSON_AddStringToObject(root, "os_major", read_info->os_major);
+        }
+        if (read_info->os_minor){
+            cJSON_AddStringToObject(root, "os_minor", read_info->os_minor);
+        }
+        if (read_info->os_patch){
+            cJSON_AddStringToObject(root, "os_patch", read_info->os_patch);
+        }
+        if (read_info->os_build){
+            cJSON_AddStringToObject(root, "os_build", read_info->os_build);
+        }
+        if (read_info->os_version && (strcmp(read_info->os_version, "unknown") != 0)){
+            cJSON_AddStringToObject(root, "os_version", read_info->os_version);
+        }
+        if (read_info->os_codename){
+            cJSON_AddStringToObject(root, "os_codename", read_info->os_codename);
+        }
+        if (read_info->os_platform){
+            cJSON_AddStringToObject(root, "os_platform", read_info->os_platform);
+        }
+        if (read_info->sysname){
+            cJSON_AddStringToObject(root, "sysname", read_info->sysname);
+        }
+        if (read_info->nodename && (strcmp(read_info->nodename, "unknown") != 0)){
+            cJSON_AddStringToObject(root, "hostname", read_info->nodename);
+        }
+        if (read_info->release){
+            cJSON_AddStringToObject(root, "release", read_info->release);
+        }
+        if (read_info->version){
+            cJSON_AddStringToObject(root, "version", read_info->version);
+        }
+        if (read_info->machine && (strcmp(read_info->machine, "unknown") != 0)){
+            cJSON_AddStringToObject(root, "architecture", read_info->machine);
+        }
+        if (read_info->os_release){
+            cJSON_AddStringToObject(root, "os_release", read_info->os_release);
+        }
+        if (read_info->os_display_version){
+            cJSON_AddStringToObject(root, "os_display_version", read_info->os_display_version);
+        }
+
+        free_osinfo(read_info);
+        return root;
+    }
+    else
+        return NULL;
+}
+
+
+wino_t get_fp_inode(FILE * fp) {
+#ifdef WIN32
+    int fd;
+    HANDLE h;
+    BY_HANDLE_FILE_INFORMATION fileInfo;
+
+    if (fd = _fileno(fp), fd < 0) {
+        return -1;
+    }
+
+    if (h = (HANDLE)_get_osfhandle(fd), h == INVALID_HANDLE_VALUE) {
+        return -1;
+    }
+
+    return GetFileInformationByHandle(h, &fileInfo) ? (wino_t)fileInfo.nFileIndexHigh << 32 | fileInfo.nFileIndexLow : (wino_t)-1;
+
+#else
+
+    struct stat buf;
+    int fd;
+    return fd = fileno(fp), fd < 0 ? (wino_t)-1 : fstat(fd, &buf) ? (wino_t)-1 : buf.st_ino;
+#endif
+}
+
+
+#ifdef WIN32
+int get_fp_file_information(FILE * fp, LPBY_HANDLE_FILE_INFORMATION fileInfo) {
+    int fd;
+    HANDLE h;
+
+    if (fd = _fileno(fp), fd < 0) {
+        return 0;
+    }
+
+    if (h = (HANDLE)_get_osfhandle(fd), h == INVALID_HANDLE_VALUE) {
+        return 0;
+    }
+
+    return GetFileInformationByHandle(h, fileInfo);
+}
+#endif
+
+
+long get_fp_size(FILE * fp) {
+    long offset;
+    long size;
+
+    // Get initial position
+
+    if (offset = ftell(fp), offset < 0) {
+        return -1;
+    }
+
+    // Move to end
+
+    if (fseek(fp, 0, SEEK_END) != 0) {
+        return -1;
+    }
+
+    // Get ending position
+
+    if (size = ftell(fp), size < 0) {
+        return -1;
+    }
+
+    // Restore original offset
+
+    if (fseek(fp, offset, SEEK_SET) != 0) {
+        return -1;
+    }
+
+    return size;
+}
+
+static int qsort_strcmp(const void *s1, const void *s2) {
+    return strcmp(*(const char **)s1, *(const char **)s2);
+}
+
+
+char ** wreaddir(const char * name) {
+    DIR * dir;
+    struct dirent * dirent = NULL;
+    char ** files;
+    unsigned int i = 0;
+
+    if (dir = opendir(name), !dir) {
+        return NULL;
+    }
+
+    os_malloc(sizeof(char *), files);
+
+    while (dirent = readdir(dir), dirent) {
+        // Skip "." and ".."
+        if (dirent->d_name[0] == '.' && (dirent->d_name[1] == '\0' || (dirent->d_name[1] == '.' && dirent->d_name[2] == '\0'))) {
+            continue;
+        }
+
+        os_realloc(files, (i + 2) * sizeof(char *), files);
+        if(!files){
+           merror_exit(MEM_ERROR, errno, strerror(errno));
+        }
+        files[i++] = strdup(dirent->d_name);
+    }
+
+    files[i] = NULL;
+    qsort(files, i, sizeof(char *), qsort_strcmp);
+    closedir(dir);
+    return files;
+}
+
+
+FILE * wfopen(const char * pathname, const char * mode) {
+#ifdef WIN32
+    HANDLE hFile;
+    DWORD dwDesiredAccess = 0;
+    const DWORD dwShareMode = FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE;
+    DWORD dwCreationDisposition = 0;
+    const DWORD dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL;
+    int flags = _O_TEXT;
+    int fd;
+    FILE * fp;
+    int i;
+
+    if (pathname && strchr("\\/", pathname[0]) && strchr("\\/?\"<>|", pathname[1])) {
+        errno = EINVAL;
+        return NULL;
+    }
+
+    for (i = 0; mode[i]; ++i) {
+        switch (mode[i]) {
+        case '+':
+            dwDesiredAccess |= GENERIC_WRITE | GENERIC_READ;
+            flags &= ~_O_RDONLY;
+            break;
+        case 'a':
+            dwDesiredAccess = GENERIC_WRITE;
+            dwCreationDisposition = OPEN_ALWAYS;
+            flags = _O_APPEND;
+            break;
+        case 'b':
+            flags &= ~_O_TEXT;
+            break;
+        case 'r':
+            dwDesiredAccess = GENERIC_READ;
+            dwCreationDisposition = OPEN_EXISTING;
+            flags |= _O_RDONLY;
+            break;
+        case 't':
+            flags |= _O_TEXT;
+            break;
+        case 'w':
+            dwDesiredAccess = GENERIC_WRITE;
+            dwCreationDisposition = CREATE_ALWAYS;
+        }
+    }
+
+    if (!(dwDesiredAccess && dwCreationDisposition)) {
+        errno = EINVAL;
+        return NULL;
+    }
+
+    hFile = CreateFile(pathname, dwDesiredAccess, dwShareMode, NULL, dwCreationDisposition, dwFlagsAndAttributes, NULL);
+
+    if (hFile == INVALID_HANDLE_VALUE) {
+        errno = GetLastError();
+        return NULL;
+    }
+
+    if (fd = _open_osfhandle((intptr_t)hFile, flags), fd < 0) {
+        errno = GetLastError();
+        CloseHandle(hFile);
+        return NULL;
+    }
+
+    if (fp = _fdopen(fd, mode), fp == NULL) {
+        errno = GetLastError();
+        CloseHandle(hFile);
+        return NULL;
+    }
+
+    return fp;
+
+#else
+    return fopen(pathname, mode);
+#endif
+}
+
+
+int w_compress_gzfile(const char *filesrc, const char *filedst) {
+    FILE *fd;
+    gzFile gz_fd;
+    char *buf;
+    int len;
+    int err;
+
+    /* Set umask */
+    umask(0027);
+
+    /* Read file */
+    fd = wfopen(filesrc, "rb");
+    if (!fd) {
+        merror("in w_compress_gzfile(): fopen error %s (%d):'%s'",
+                filesrc,
+                errno,
+                strerror(errno));
+        return -1;
+    }
+
+    /* Open compressed file */
+    gz_fd = gzopen(filedst, "w");
+    if (!gz_fd) {
+        fclose(fd);
+        merror("in w_compress_gzfile(): gzopen error %s (%d):'%s'",
+                filedst,
+                errno,
+                strerror(errno));
+        return -1;
+    }
+
+    os_calloc(OS_SIZE_8192 + 1, sizeof(char), buf);
+    for (;;) {
+        len = fread(buf, 1, OS_SIZE_8192, fd);
+        if (len <= 0) {
+            break;
+        }
+
+        if (gzwrite(gz_fd, buf, (unsigned)len) != len) {
+            merror("in w_compress_gzfile(): Compression error: %s",
+                    gzerror(gz_fd, &err));
+            fclose(fd);
+            gzclose(gz_fd);
+            os_free(buf);
+            return -1;
+        }
+    }
+
+    fclose(fd);
+    gzclose(gz_fd);
+    os_free(buf);
+    return 0;
+}
+
+
+int w_uncompress_gzfile(const char *gzfilesrc, const char *gzfiledst) {
+    FILE *fd;
+    gzFile gz_fd;
+    char *buf;
+    int len;
+    int err;
+    struct stat statbuf;
+
+#ifdef WIN32
+    /* Win32 does not have lstat */
+    if (stat(gzfilesrc, &statbuf) < 0)
+#else
+    if (lstat(gzfilesrc, &statbuf) < 0)
+#endif
+    {
+        return -1;
+    }
+    /* Set umask */
+    umask(0027);
+
+    /* Read file */
+    fd = wfopen(gzfiledst, "wb");
+    if (!fd) {
+        merror("in w_uncompress_gzfile(): fopen error %s (%d):'%s'",
+                gzfiledst,
+                errno,
+                strerror(errno));
+        return -1;
+    }
+
+    /* Open compressed file */
+    gz_fd = gzopen(gzfilesrc, "rb");
+    if (!gz_fd) {
+        merror("in w_uncompress_gzfile(): gzopen error %s (%d):'%s'",
+                gzfilesrc,
+                errno,
+                strerror(errno));
+        fclose(fd);
+        return -1;
+    }
+
+    os_calloc(OS_SIZE_8192, sizeof(char), buf);
+    do {
+        len = gzread(gz_fd, buf, OS_SIZE_8192);
+
+        if (len > 0) {
+            fwrite(buf, 1, len, fd);
+            buf[0] = '\0';
+        }
+    } while (len == OS_SIZE_8192);
+
+    if (!gzeof(gz_fd)) {
+        const char * gzerr = gzerror(gz_fd, &err);
+        if (err) {
+            merror("in w_uncompress_gzfile(): gzread error: '%s'", gzerr);
+            fclose(fd);
+            gzclose(gz_fd);
+            os_free(buf);
+            return -1;
+        }
+    }
+
+    os_free(buf);
+    fclose(fd);
+    gzclose(gz_fd);
+
+    return 0;
+}
+
+
+int is_ascii_utf8(const char * file, unsigned int max_lines_ascii, unsigned int max_chars_utf8) {
+    int is_ascii = 1;
+    int retval = 0;
+    char *buffer = NULL;
+    unsigned int lines_read_ascii = 0;
+    unsigned int chars_read_utf8 = 0;
+    fpos_t begin;
+    FILE *fp;
+
+    fp = wfopen(file, "r");
+
+    if (!fp) {
+        mdebug1(OPEN_UNABLE, file);
+        retval = 1;
+        goto end;
+    }
+
+    fgetpos(fp, &begin);
+
+    os_calloc(OS_MAXSTR + 1, sizeof(char), buffer);
+
+    /* ASCII */
+    while (fgets(buffer, OS_MAXSTR, fp)) {
+        int i;
+        unsigned char *c = (unsigned char *)buffer;
+
+        if (lines_read_ascii >= max_lines_ascii) {
+            break;
+        }
+
+        lines_read_ascii++;
+
+        for (i = 0; i < OS_MAXSTR; i++) {
+            if( c[i] >= 0x80 ) {
+                is_ascii = 0;
+                break;
+            }
+        }
+
+        if (!is_ascii) {
+            break;
+        }
+    }
+
+    if (is_ascii) {
+        goto end;
+    }
+
+    /* UTF-8 */
+    fsetpos(fp, &begin);
+    unsigned char b[4] = {0};
+    size_t nbytes = 0;
+
+    while (nbytes = fread(b, sizeof(char), 4, fp), nbytes) {
+
+        if (chars_read_utf8 >= max_chars_utf8) {
+            break;
+        }
+
+        chars_read_utf8++;
+
+        /* Check for UTF-8 BOM */
+        if (b[0] == 0xEF && b[1] == 0xBB && b[2] == 0xBF) {
+            if (fseek(fp, -1, SEEK_CUR) != 0) {
+                merror(FSEEK_ERROR, file, errno, strerror(errno));
+            }
+            goto next;
+        }
+
+        /* Valid ASCII */
+        if (b[0] == 0x09 || b[0] == 0x0A || b[0] == 0x0D || (0x20 <= b[0] && b[0] <= 0x7E)) {
+            if (fseek(fp, -nbytes + 1, SEEK_CUR) != 0) {
+                merror(FSEEK_ERROR, file, errno, strerror(errno));
+            }
+            goto next;
+        }
+
+        /* Two bytes UTF-8 */
+        if (b[0] >= 0xC2 && b[0] <= 0xDF) {
+            if (b[1] >= 0x80 && b[1] <= 0xBF) {
+                if (fseek(fp, -2, SEEK_CUR) != 0) {
+                    merror(FSEEK_ERROR, file, errno, strerror(errno));
+                }
+                goto next;
+            }
+        }
+
+        /* Exclude overlongs */
+        if ( b[0] == 0xE0 ) {
+            if ( b[1] >= 0xA0 && b[1] <= 0xBF) {
+                if ( b[2] >= 0x80 && b[2] <= 0xBF ) {
+                    if (fseek(fp, -1, SEEK_CUR) != 0 ) {
+                        merror(FSEEK_ERROR, file, errno, strerror(errno));
+                    }
+                    goto next;
+                }
+            }
+        }
+
+        /* Three bytes UTF-8 */
+        if ((b[0] >= 0xE1 && b[0] <= 0xEC) || b[0] == 0xEE || b[0] == 0xEF) {
+            if (b[1] >= 0x80 && b[1] <= 0xBF) {
+                if (b[2] >= 0x80 && b[2] <= 0xBF) {
+                    if (fseek(fp, -1, SEEK_CUR) != 0 ) {
+                        merror(FSEEK_ERROR, file, errno, strerror(errno));
+                    }
+                    goto next;
+                }
+            }
+        }
+
+        /* Exclude surrogates */
+        if (b[0] == 0xED) {
+            if ( b[1] >= 0x80 && b[1] <= 0x9F) {
+                if ( b[2] >= 0x80 && b[2] <= 0xBF) {
+                    if (fseek(fp, -1, SEEK_CUR) != 0 ) {
+                        merror(FSEEK_ERROR, file, errno, strerror(errno));
+                    }
+                    goto next;
+                }
+            }
+        }
+
+        /* Four bytes UTF-8 plane 1-3 */
+        if (b[0] == 0xF0) {
+            if (b[1] >= 0x90 && b[1] <= 0xBF) {
+                if (b[2] >= 0x80 && b[2] <= 0xBF) {
+                    if (b[3] >= 0x80 && b[3] <= 0xBF) {
+                        goto next;
+                    }
+                }
+            }
+        }
+
+        /* Four bytes UTF-8 plane 4-15*/
+        if (b[0] >= 0xF1 && b[0] <= 0xF3) {
+            if (b[1] >= 0x80 && b[1] <= 0xBF) {
+                if (b[2] >= 0x80 && b[2] <= 0xBF) {
+                    if (b[3] >= 0x80 && b[3] <= 0xBF) {
+                        goto next;
+                    }
+                }
+            }
+        }
+
+        /* Four bytes UTF-8 plane 16 */
+        if (b[0] == 0xF4) {
+            if (b[1] >= 0x80 && b[1] <= 0x8F) {
+                if (b[2] >= 0x80 && b[2] <= 0xBF) {
+                    if (b[3] >= 0x80 && b[3] <= 0xBF) {
+                        goto next;
+                    }
+                }
+            }
+        }
+
+        retval = 1;
+        goto end;
+
+next:
+        memset(b, 0, 4);
+        continue;
+    }
+
+end:
+    if (fp) {
+        fclose(fp);
+    }
+    os_free(buffer);
+
+    return retval;
+}
+
+
+int is_usc2(const char * file) {
+    int retval = 0;
+    FILE *fp;
+
+    fp = wfopen(file, "r");
+
+    if (!fp) {
+        mdebug1(OPEN_UNABLE, file);
+        retval = 1;
+        goto end;
+    }
+
+    /* UCS-2 */
+    unsigned char b[2] = {0};
+    size_t nbytes = 0;
+
+    while (nbytes = fread(b, sizeof(char), 2, fp), nbytes) {
+
+        /* Check for UCS-2 LE BOM */
+        if (b[0] == 0xFF && b[1] == 0xFE) {
+            retval = UCS2_LE;
+            goto end;
+        }
+
+        /* Check for UCS-2 BE BOM */
+        if (b[0] == 0xFE && b[1] == 0xFF) {
+            retval = UCS2_BE;
+            goto end;
+        }
+
+        retval = 0;
+        goto end;
+    }
+
+end:
+    if (fp) {
+        fclose(fp);
+    }
+
+    return retval;
+}
+
+#ifdef WIN32
+DWORD FileSizeWin(const char * file) {
+    HANDLE h1;
+    BY_HANDLE_FILE_INFORMATION lpFileInfo;
+
+    h1 = CreateFile(file, GENERIC_READ,
+                    FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
+                    NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (h1 == INVALID_HANDLE_VALUE) {
+        merror(FILE_ERROR, file);
+    } else if (GetFileInformationByHandle(h1, &lpFileInfo) == 0) {
+        CloseHandle(h1);
+        merror(FILE_ERROR, file);
+    } else {
+        CloseHandle(h1);
+        return lpFileInfo.nFileSizeHigh + lpFileInfo.nFileSizeLow;
+    }
+
+    return -1;
+}
+
+float DirSize(const char *path) {
+    WIN32_FIND_DATA fdFile;
+    HANDLE hFind = NULL;
+    float folder_size = 0.0;
+    float file_size = 0.0;
+
+    char sPath[2048];
+
+    // Specify a file mask. *.* = We want everything!
+    sprintf(sPath, "%s\\*.*", path);
+
+    if ((hFind = FindFirstFile(sPath, &fdFile)) == INVALID_HANDLE_VALUE) {
+        merror(FILE_ERROR, path);
+        return 0;
+    }
+
+    do {
+        if (strcmp(fdFile.cFileName, ".") != 0 && strcmp(fdFile.cFileName, "..") != 0) {
+            // Build up our file path using the passed in
+            //  [path] and the file/foldername we just found:
+            sprintf(sPath, "%s\\%s", path, fdFile.cFileName);
+
+            if (fdFile.dwFileAttributes &FILE_ATTRIBUTE_DIRECTORY) {
+                folder_size += DirSize(sPath);
+            }
+            else {
+                if (file_size = FileSizeWin(sPath), file_size != -1) {
+                    folder_size += file_size;
+                }
+            }
+        }
+    } while (FindNextFile(hFind, &fdFile));
+
+    FindClose(hFind);
+
+    return folder_size;
+}
+
+#endif
+
+
+int64_t w_ftell(FILE *x) {
+
+#ifndef WIN32
+    int64_t z = ftell(x);
+#else
+    int64_t z = ftello64(x);
+#endif
+
+    if (z < 0)  {
+        merror("Ftell function failed due to [(%d)-(%s)]", errno, strerror(errno));
+        return -1;
+    } else {
+        return z;
+    }
+}
+
+int w_fseek(FILE *x, int64_t pos, int mode) {
+
+#ifndef WIN32
+    int64_t z = fseek(x, pos, mode);
+#else
+    int64_t z = fseeko64(x, pos, mode);
+#endif
+    if (z < 0)  {
+        mwarn("Fseek function failed due to [(%d)-(%s)]", errno, strerror(errno));
+        return -1;
+    } else {
+        return z;
+    }
+}
+
+/* Prevent children processes from inheriting a file pointer */
+void w_file_cloexec(__attribute__((unused)) FILE * fp) {
+#ifndef WIN32
+    w_descriptor_cloexec(fileno(fp));
+#endif
+}
+
+/* Prevent children processes from inheriting a file descriptor */
+void w_descriptor_cloexec(__attribute__((unused)) int fd){
+#ifndef WIN32
+    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
+        mwarn("Cannot set close-on-exec flag to the descriptor: %s (%d)", strerror(errno), errno);
+    }
+#endif
+}
+
+// Add a trailing separator to a path string
+int trail_path_separator(char * dest, const char * src, size_t n) {
+    const char STR_SEPARATOR[] = { PATH_SEP, '\0' };
+    if (strlen(src) == 0) return 0;
+    return snprintf(dest, n, "%s%s", src, src[strlen(src) - 1] == PATH_SEP ? "" : STR_SEPARATOR);
+}
+
+// Check if a path is absolute
+bool isabspath(const char * path) {
+#ifdef WIN32
+    return strlen(path) >= 3 && isalpha(path[0]) && path[1] == ':' && (path[2] == '\\' || path[2] == '/');
+#else
+    return path[0] == '/';
+#endif
+}
+
+// Unify path separators (slashes) for Windows paths
+
+void win_path_backslash(char * path) {
+    for (char * c = strchr(path, '/'); c != NULL; c = strchr(c + 1, '/')) {
+        *c = '\\';
+    }
+}
+
+// Get an absolute path
+char * abspath(const char * path, char * buffer, size_t size) {
+    // If the path is already absolute, copy and return
+    if (isabspath(path)) {
+        strncpy(buffer, path, size);
+        buffer[size - 1] = '\0';
+#ifdef WIN32
+        buffer[0] = tolower(buffer[0]);
+#endif
+        return buffer;
+    }
+
+    char cwd[PATH_MAX];
+
+    if (getcwd(cwd, sizeof(cwd)) == NULL) {
+        return NULL;
+    }
+
+#ifdef WIN32
+    size_t len;
+
+    switch (path[0]) {
+    case '/':
+    case '\\':
+        // Starts with \: current drive's root
+        if (snprintf(buffer, size, "%c:%s", cwd[0], path) >= (int)size) {
+            return NULL;
+        }
+
+        break;
+
+    default:
+        // Remove root's backslash: "C:\" must be "C:"
+        len = strlen(cwd);
+        cwd[len - 1] = cwd[len - 1] == '\\' ? '\0' : cwd[len - 1];
+
+        if (snprintf(buffer, size, "%s\\%s", cwd, path) >= (int)size) {
+            return NULL;
+        }
+    }
+
+    win_path_backslash(buffer);
+#else
+    if (snprintf(buffer, size, "%s/%s", strcmp(cwd, "/") == 0 ? "" : cwd, path) >= (int)size) {
+        return NULL;
+    }
+#endif
+
+    return buffer;
+}
+
+/* Return the content of a file from a given path */
+char * w_get_file_content(const char * path, unsigned long max_size) {
+    FILE * fp = NULL;
+    char * buffer = NULL;
+    long size;
+    size_t read;
+
+    // Check if path is NULL
+    if (path == NULL) {
+        mdebug1("Cannot open NULL path");
+        goto end;
+    }
+
+    // Load file
+    if (fp = wfopen(path, "r"), !fp) {
+        mdebug1(FOPEN_ERROR, path, errno, strerror(errno));
+        goto end;
+    }
+
+    // Get file size
+    if (size = get_fp_size(fp), size < 0) {
+        mdebug1(FSEEK_ERROR, path, errno, strerror(errno));
+        goto end;
+    }
+
+    // Check file size limit
+    if ((unsigned long)size > max_size) {
+        mdebug1("Cannot load file '%s': it exceeds %ld MiB", path, (max_size / (1024 * 1024)));
+        goto end;
+    }
+
+    // Allocate memory
+    os_malloc(size + 1, buffer);
+
+    // Get file content
+    if (read = fread(buffer, 1, size, fp), read != (size_t)size && !feof(fp)) {
+        mdebug1(FREAD_ERROR, path, errno, strerror(errno));
+        os_free(buffer);
+        goto end;
+    }
+
+    buffer[size] = '\0';
+
+end:
+    if (fp) {
+        fclose(fp);
+    }
+
+    return buffer;
+}
+
+/* Return the pointer to a file from a given path */
+FILE * w_get_file_pointer(const char * path) {
+    FILE * fp = NULL;
+
+    // Check if path is NULL
+    if (path == NULL) {
+        mdebug1("Cannot open NULL path");
+        return NULL;
+    }
+
+    // Load file
+    if (fp = wfopen(path, "r"), !fp) {
+        mdebug1(FOPEN_ERROR, path, errno, strerror(errno));
+        return NULL;
+    }
+
+    return fp;
+}
+
+/* Check if a file is gzip compressed. */
+int w_is_compressed_gz_file(const char * path) {
+    unsigned char buf[2];
+    int retval = 0;
+    FILE *fp;
+
+    fp = wfopen(path, "rb");
+
+    /* Magic number: 1f 8b */
+    if (fp && fread(buf, 1, 2, fp) == 2) {
+        if (buf[0] == 0x1f && buf[1] == 0x8b) {
+            retval = 1;
+        }
+    }
+
+    if (fp) {
+        fclose(fp);
+    }
+
+    return retval;
+}
+
+/* Check if a file is bzip2 compressed. */
+int w_is_compressed_bz2_file(const char * path) {
+    unsigned char buf[3];
+    int retval = 0;
+    FILE *fp;
+
+    fp = wfopen(path, "rb");
+
+    /* Magic number: 42 5a 68 */
+    if (fp && fread(buf, 1, 3, fp) == 3) {
+        if (buf[0] == 0x42 && buf[1] == 0x5a && buf[2] == 0x68) {
+            retval = 1;
+        }
+    }
+
+    if (fp) {
+        fclose(fp);
+    }
+
+    return retval;
+}
+
+#ifndef CLIENT
+
+int w_uncompress_bz2_gz_file(const char * path, const char * dest) {
+    int result = 1;
+
+    if (w_is_compressed_bz2_file(path)) {
+        result = bzip2_uncompress(path, dest);
+    }
+
+    if (w_is_compressed_gz_file(path)) {
+        result = w_uncompress_gzfile(path, dest);
+    }
+
+    if (!result) {
+        mdebug1("The file '%s' was successfully uncompressed into '%s'", path, dest);
+    }
+
+    return result;
+}
+#endif
+
+#ifndef WIN32
+/**
+ * @brief Get the Wazuh installation directory
+ *
+ * It is obtained from the /proc directory, argv[0], or the env variable WAZUH_HOME
+ *
+ * @param arg ARGV0 - Program name
+ * @return Pointer to the Wazuh installation path on success
+ */
+char *w_homedir(char *arg) {
+    char *buff = NULL;
+    struct stat buff_stat;
+    char * delim = "/bin";
+    os_calloc(PATH_MAX, sizeof(char), buff);
+#ifdef __MACH__
+    pid_t pid = getpid();
+    if (proc_pidpath(pid, buff, PATH_MAX) > 0) {
+        buff = w_strtok_r_str_delim(delim, &buff);
+    }
+#else
+    if (realpath("/proc/self/exe", buff) != NULL) {
+        dirname(buff);
+        buff = w_strtok_r_str_delim(delim, &buff);
+    }
+    else if (realpath("/proc/curproc/file", buff) != NULL) {
+        dirname(buff);
+        buff = w_strtok_r_str_delim(delim, &buff);
+    }
+    else if (realpath("/proc/self/path/a.out", buff) != NULL) {
+        dirname(buff);
+        buff = w_strtok_r_str_delim(delim, &buff);
+    }
+#endif
+    else if (realpath(arg, buff) != NULL) {
+        dirname(buff);
+        buff = w_strtok_r_str_delim(delim, &buff);
+    } else {
+        // The path was not found so read WAZUH_HOME env var
+        char * home_env = NULL;
+        if (home_env = getenv(WAZUH_HOME_ENV), home_env) {
+            snprintf(buff, PATH_MAX, "%s", home_env);
+        }
+    }
+
+    if ((stat(buff, &buff_stat) < 0) || !S_ISDIR(buff_stat.st_mode)) {
+        os_free(buff);
+        merror_exit(HOME_ERROR);
+    }
+
+    return buff;
+}
+#endif
diff --git a/src/common/file_op/tests/unit/tests/CMakeLists.txt b/src/common/file_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..7da936daa5
--- /dev/null
+++ b/src/common/file_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,62 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_file_op")
+if(NOT ${TARGET} STREQUAL "winagent")
+    set(FILE_OP_BASE_FLAGS "-Wl,--wrap,stat,--wrap,chmod,--wrap,getpid,--wrap,wfopen \
+                            -Wl,--wrap,unlink,--wrap,fopen,--wrap,fflush,--wrap,fclose \
+                            -Wl,--wrap,fread,--wrap,ftell,--wrap,fseek,--wrap,fwrite,--wrap,remove \
+                            -Wl,--wrap,fprintf,--wrap,fgets,--wrap,File_DateofChange \
+                            -Wl,--wrap,bzip2_uncompress,--wrap,lstat,--wrap,popen \
+                            -Wl,--wrap,gzopen,--wrap,gzread,--wrap,gzclose,--wrap,fgetc \
+                            -Wl,--wrap,gzeof,--wrap,gzerror,--wrap,gzwrite,--wrap,fgetpos \
+                            -Wl,--wrap,realpath,--wrap,getenv,--wrap,atexit ${DEBUG_OP_WRAPPERS} \
+                            -Wl,--wrap,merror,--wrap,fseek")
+    list(APPEND shared_tests_flags "${FILE_OP_BASE_FLAGS}")
+else()
+    list(APPEND shared_tests_flags "-Wl,--wrap,get_windows_file_time_epoch,--wrap,mdebug2 \
+                                    -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                    -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                    -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown ${DEBUG_OP_WRAPPERS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/file_op/tests/unit/tests/test_file_op.c b/src/common/file_op/tests/unit/tests/test_file_op.c
new file mode 100644
index 0000000000..847a108a1a
--- /dev/null
+++ b/src/common/file_op/tests/unit/tests/test_file_op.c
@@ -0,0 +1,1169 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "../headers/defs.h"
+#include "../headers/file_op.h"
+#include "../error_messages/error_messages.h"
+#include "../wrappers/common.h"
+#include "../wrappers/libc/stdlib_wrappers.h"
+#include "../wrappers/posix/stat_wrappers.h"
+#include "../wrappers/posix/unistd_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/externals/zlib/zlib_wrappers.h"
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+
+#define N_PATHS 5
+
+static void expect_find_first_file(const char *file_path, const char *name, DWORD attrs, HANDLE handle) {
+    expect_string(wrap_FindFirstFile, lpFileName, file_path);
+    will_return(wrap_FindFirstFile, name);
+    if (name != NULL) {
+        will_return(wrap_FindFirstFile, attrs);
+    }
+
+    will_return(wrap_FindFirstFile, handle);
+}
+
+static void expect_find_next_file(HANDLE handle, const char *name, DWORD attrs, BOOL ret) {
+    expect_value(wrap_FindNextFile, hFindFile, handle);
+    will_return(wrap_FindNextFile, name);
+    if (name != NULL) {
+        will_return(wrap_FindNextFile, attrs);
+    }
+    will_return(wrap_FindNextFile, ret);
+}
+
+static int teardown_win32_wildcards(void **state) {
+    char **vector = *state;
+
+    for (int i = 0; vector[i]; i++) {
+        free(vector[i]);
+    }
+    free(vector);
+    return 0;
+}
+#else
+
+extern char * __real_getenv(const char *name);
+char * __wrap_getenv(const char *name) {
+    if (!test_mode) {
+        return __real_getenv(name);
+    }
+    check_expected(name);
+    return mock_type(char *);
+}
+
+void test_CreatePID_success(void **state)
+{
+    (void) state;
+    int ret;
+    char* content = NULL;
+
+    *state = content;
+
+    expect_string(__wrap_fopen, path, "var/run/test-2345.pid");
+    expect_string(__wrap_fopen, mode, "a");
+    will_return(__wrap_fopen, 1);
+
+    expect_value(__wrap_fprintf, __stream, 1);
+    expect_string(__wrap_fprintf, formatted_msg, "2345\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap_chmod, path, "var/run/test-2345.pid");
+    will_return(__wrap_chmod, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = CreatePID("test", 2345);
+    assert_int_equal(0, ret);
+}
+
+void test_CreatePID_failure_chmod(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_string(__wrap_fopen, path, "var/run/test-2345.pid");
+    expect_string(__wrap_fopen, mode, "a");
+    will_return(__wrap_fopen, 1);
+
+    expect_value(__wrap_fprintf, __stream, 1);
+    expect_string(__wrap_fprintf, formatted_msg, "2345\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap_chmod, path, "var/run/test-2345.pid");
+    will_return(__wrap_chmod, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1127): Could not chmod object 'var/run/test-2345.pid' due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = CreatePID("test", 2345);
+    assert_int_equal(-1, ret);
+}
+
+void test_CreatePID_failure_fopen(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_string(__wrap_fopen, path, "var/run/test-2345.pid");
+    expect_string(__wrap_fopen, mode, "a");
+    will_return(__wrap_fopen, NULL);
+
+    ret = CreatePID("test", 2345);
+    assert_int_equal(-1, ret);
+}
+
+void test_DeletePID_success(void **state)
+{
+    (void) state;
+    int ret = 0;
+
+    struct stat stat_delete = { .st_mode = 0 };
+
+    expect_string(__wrap_unlink, file, "var/run/test-2345.pid");
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap_stat, __file, "var/run/test-2345.pid");
+    will_return(__wrap_stat, &stat_delete);
+    will_return(__wrap_stat, 0);
+
+    ret = DeletePID("test");
+    assert_int_equal(0, ret);
+}
+
+void test_DeletePID_failure(void **state)
+{
+    (void) state;
+    int ret = 0;
+    struct stat stat_delete = { .st_mode = 0 };
+
+    expect_string(__wrap_unlink, file, "var/run/test-2345.pid");
+    will_return(__wrap_unlink, 1);
+
+    expect_string(__wrap_stat, __file, "var/run/test-2345.pid");
+    will_return(__wrap_stat, &stat_delete);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap__mferror, formatted_msg, "(1129): Could not unlink file 'var/run/test-2345.pid' due to [(0)-(Success)].");
+
+    ret = DeletePID("test");
+    assert_int_equal(-1, ret);
+}
+
+// w_is_compressed_gz_file
+
+void test_w_is_compressed_gz_file_uncompressed(void **state) {
+
+    char * path = "/test/file.gz";
+    int ret = 0;
+
+    expect_string(__wrap_fopen, path, "/test/file.gz");
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    will_return(__wrap_fread, "fake");
+    will_return(__wrap_fread, 2);
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = w_is_compressed_gz_file(path);
+    assert_int_equal(ret, 0);
+}
+
+// w_is_compressed_bz2_file
+
+void test_w_is_compressed_bz2_file_compressed(void **state) {
+
+    char * path = "/test/file.bz2";
+    int ret = 0;
+
+    expect_string(__wrap_fopen, path, "/test/file.bz2");
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    // BZh is 0x42 0x5a 0x68
+    will_return(__wrap_fread, "BZh");
+    will_return(__wrap_fread, 3);
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = w_is_compressed_bz2_file(path);
+    assert_int_equal(ret, 1);
+}
+
+void test_w_is_compressed_bz2_file_uncompressed(void **state) {
+
+    char * path = "/test/file.bz2";
+    int ret = 0;
+
+    expect_string(__wrap_fopen, path, "/test/file.bz2");
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    will_return(__wrap_fread, "fake");
+    will_return(__wrap_fread, 3);
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = w_is_compressed_bz2_file(path);
+    assert_int_equal(ret, 0);
+}
+
+// w_uncompress_bz2_gz_file
+
+#ifdef TEST_SERVER
+
+void test_w_uncompress_bz2_gz_file_bz2(void **state) {
+
+    char * path = "/test/file.bz2";
+    char * dest = "/test/file";
+    int ret;
+
+    expect_string(__wrap_fopen, path, "/test/file.bz2");
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    will_return(__wrap_fread, "BZh");
+    will_return(__wrap_fread, 3);
+
+    expect_string(__wrap_bzip2_uncompress, filebz2, "/test/file.bz2");
+    expect_string(__wrap_bzip2_uncompress, file, "/test/file");
+    will_return(__wrap_bzip2_uncompress, 0);
+
+    expect_string(__wrap_fopen, path, "/test/file.bz2");
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "The file '/test/file.bz2' was successfully uncompressed into '/test/file'");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    ret = w_uncompress_bz2_gz_file(path, dest);
+    assert_int_equal(ret, 0);
+}
+
+void test_MergeAppendFile_open_fail(void **state) {
+
+    FILE * finalfp = (FILE *)5;
+    char * file = "test.txt";
+    int path_offset = -1;
+    int ret;
+
+    expect_string(__wrap_fopen, path, file);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "Unable to open file: 'test.txt' due to [(0)-(Success)].");
+
+    ret = MergeAppendFile(finalfp, file, path_offset);
+    assert_int_equal(ret, 0);
+}
+
+void test_MergeAppendFile_fseek_fail(void **state) {
+
+    FILE * finalfp = (FILE *)5;
+    char * file = "test.txt";
+    int path_offset = -1;
+    int ret;
+
+    expect_string(__wrap_fopen, path, file);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 6);
+
+    will_return(__wrap_fseek, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "Unable to set EOF offset in file: 'test.txt', due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 6);
+    will_return(__wrap_fclose, 1);
+
+    ret = MergeAppendFile(finalfp, file, path_offset);
+    assert_int_equal(ret, 0);
+}
+
+void test_MergeAppendFile_fseek2_fail(void **state) {
+
+    FILE * finalfp = (FILE *)5;
+    char * file = "/test/shared/default/test.txt";
+    int path_offset = -1;
+    int ret;
+
+    expect_string(__wrap_fopen, path, file);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 6);
+
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_ftell, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "File '/test/shared/default/test.txt' is empty.");
+
+    expect_value(__wrap_fprintf, __stream, finalfp);
+    expect_string(__wrap_fprintf, formatted_msg, "!0 test.txt\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_fseek, -2);
+
+    expect_string(__wrap__merror, formatted_msg, "Unable to set the offset in file: '/test/shared/default/test.txt', due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 6);
+    will_return(__wrap_fclose, 1);
+
+    ret = MergeAppendFile(finalfp, file, path_offset);
+    assert_int_equal(ret, 0);
+}
+
+void test_MergeAppendFile_diff_ftell(void **state) {
+
+    FILE * finalfp = (FILE *)5;
+    char * file = "/test/shared/default/test.txt";
+    int path_offset = 0;
+    int ret;
+
+    expect_string(__wrap_fopen, path, file);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 6);
+
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_ftell, 25);
+
+    expect_value(__wrap_fprintf, __stream, finalfp);
+    expect_string(__wrap_fprintf, formatted_msg, "!25 /test/shared/default/test.txt\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_fread, "test.txt");
+    will_return(__wrap_fread, 1);
+
+    will_return(__wrap_fwrite, 0);
+
+    will_return(__wrap_fread, "test.txt");
+    will_return(__wrap_fread, 0);
+
+    will_return(__wrap_ftell, 33);
+
+    expect_value(__wrap_fclose, _File, 6);
+    will_return(__wrap_fclose, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "File '/test/shared/default/test.txt' was modified after getting its size.");
+
+    ret = MergeAppendFile(finalfp, file, path_offset);
+    assert_int_equal(ret, 0);
+}
+
+void test_MergeAppendFile_success(void **state) {
+
+    FILE * finalfp = (FILE *)5;
+    char * file = "/test/shared/default/test.txt";
+    int path_offset = 0;
+    int ret;
+
+    expect_string(__wrap_fopen, path, file);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 6);
+
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_ftell, 25);
+
+    expect_value(__wrap_fprintf, __stream, finalfp);
+    expect_string(__wrap_fprintf, formatted_msg, "!25 /test/shared/default/test.txt\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_fread, "test.txt");
+    will_return(__wrap_fread, 1);
+
+    will_return(__wrap_fwrite, 0);
+
+    will_return(__wrap_fread, "test.txt");
+    will_return(__wrap_fread, 0);
+
+    will_return(__wrap_ftell, 25);
+
+    expect_value(__wrap_fclose, _File, 6);
+    will_return(__wrap_fclose, 1);
+
+    ret = MergeAppendFile(finalfp, file, path_offset);
+    assert_int_equal(ret, 1);
+}
+
+#endif
+
+// w_compress_gzfile
+
+void test_w_compress_gzfile_wfopen_fail(void **state){
+
+    int ret;
+    char *srcfile = "testfilesrc";
+    char *dstfile = "testfiledst.gz";
+
+    expect_string(__wrap_fopen, path, srcfile);
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "in w_compress_gzfile(): fopen error testfilesrc (0):'Success'");
+
+    ret = w_compress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_compress_gzfile_gzopen_fail(void **state){
+
+    int ret;
+    char *srcfile = "testfilesrc";
+    char *dstfile = "testfiledst.gz";
+
+    expect_string(__wrap_fopen, path, srcfile);
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, dstfile);
+    expect_string(__wrap_gzopen, mode, "w");
+    will_return(__wrap_gzopen, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "in w_compress_gzfile(): gzopen error testfiledst.gz (0):'Success'");
+
+    ret = w_compress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_compress_gzfile_write_error(void **state){
+
+    int ret;
+    char *srcfile = "testfilesrc";
+    char *dstfile = "testfiledst.gz";
+
+    expect_string(__wrap_fopen, path, srcfile);
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, dstfile);
+    expect_string(__wrap_gzopen, mode, "w");
+    will_return(__wrap_gzopen, 2);
+
+    will_return(__wrap_fread, "teststring");
+    will_return(__wrap_fread, 10);
+
+    expect_value(__wrap_gzwrite, file, 2);
+    expect_string(__wrap_gzwrite, buf, "teststring");
+    expect_value(__wrap_gzwrite, len, 10);
+    will_return(__wrap_gzwrite, Z_ERRNO);
+
+    expect_value(__wrap_gzerror, file, 2);
+    will_return(__wrap_gzerror, Z_ERRNO);
+    will_return(__wrap_gzerror, "Test error");
+    expect_string(__wrap__merror, formatted_msg, "in w_compress_gzfile(): Compression error: Test error");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+    expect_value(__wrap_gzclose, file, 2);
+    will_return(__wrap_gzclose, 1);
+
+    ret = w_compress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_compress_gzfile_success(void **state){
+
+    int ret;
+    char *srcfile = "testfilesrc";
+    char *dstfile = "testfiledst.gz";
+
+    expect_string(__wrap_fopen, path, srcfile);
+    expect_string(__wrap_fopen, mode, "rb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, dstfile);
+    expect_string(__wrap_gzopen, mode, "w");
+    will_return(__wrap_gzopen, 2);
+
+    will_return(__wrap_fread, "teststring");
+    will_return(__wrap_fread, 10);
+
+    expect_value(__wrap_gzwrite, file, 2);
+    expect_string(__wrap_gzwrite, buf, "teststring");
+    expect_value(__wrap_gzwrite, len, 10);
+    will_return(__wrap_gzwrite, 10);
+
+    will_return(__wrap_fread, "");
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+    expect_value(__wrap_gzclose, file, 2);
+    will_return(__wrap_gzclose, 1);
+
+    ret = w_compress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, 0);
+}
+
+// w_uncompress_gzfile
+
+void test_w_uncompress_gzfile_lstat_fail(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, -1);
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_uncompress_gzfile_fopen_fail(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_fopen, path, dstfile);
+    expect_string(__wrap_fopen, mode, "wb");
+    will_return(__wrap_fopen, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "in w_uncompress_gzfile(): fopen error testfiledst (0):'Success'");
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_uncompress_gzfile_gzopen_fail(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_fopen, path, dstfile);
+    expect_string(__wrap_fopen, mode, "wb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, srcfile);
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "in w_uncompress_gzfile(): gzopen error testfile.gz (0):'Success'");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_uncompress_gzfile_first_read_fail(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_fopen, path, dstfile);
+    expect_string(__wrap_fopen, mode, "wb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, srcfile);
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 2);
+
+    expect_value(__wrap_gzread, gz_fd, 2);
+    will_return(__wrap_gzread, strlen("failstring"));
+    will_return(__wrap_gzread, "failstring");
+
+    will_return(__wrap_fwrite, 0);
+
+    expect_value(__wrap_gzeof, file, 2);
+    will_return(__wrap_gzeof, 0);
+
+    expect_value(__wrap_gzerror, file, 2);
+    will_return(__wrap_gzerror, Z_BUF_ERROR);
+    will_return(__wrap_gzerror, "Test error");
+
+    expect_string(__wrap__merror, formatted_msg, "in w_uncompress_gzfile(): gzread error: 'Test error'");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+    expect_value(__wrap_gzclose, file, 2);
+    will_return(__wrap_gzclose, 1);
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_uncompress_gzfile_first_read_success(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    char buffer[OS_SIZE_8192] = {"teststring"};
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_fopen, path, dstfile);
+    expect_string(__wrap_fopen, mode, "wb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, srcfile);
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 2);
+
+    expect_value(__wrap_gzread, gz_fd, 2);
+    will_return(__wrap_gzread, OS_SIZE_8192);
+    will_return(__wrap_gzread, buffer);
+
+    will_return(__wrap_fwrite, OS_SIZE_8192);
+
+    expect_value(__wrap_gzread, gz_fd, 2);
+    will_return(__wrap_gzread, strlen(buffer));
+    will_return(__wrap_gzread, buffer);
+
+    will_return(__wrap_fwrite, 0);
+
+    expect_value(__wrap_gzeof, file, 2);
+    will_return(__wrap_gzeof, 0);
+
+    expect_value(__wrap_gzerror, file, 2);
+    will_return(__wrap_gzerror, Z_BUF_ERROR);
+    will_return(__wrap_gzerror, "Test error");
+
+    expect_string(__wrap__merror, formatted_msg, "in w_uncompress_gzfile(): gzread error: 'Test error'");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+    expect_value(__wrap_gzclose, file, 2);
+    will_return(__wrap_gzclose, 1);
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, -1);
+}
+
+void test_w_uncompress_gzfile_success(void **state) {
+    int ret;
+    struct stat buf = { .st_mode = S_IFREG };
+    char *srcfile = "testfile.gz";
+    char *dstfile = "testfiledst";
+
+    expect_string(__wrap_lstat, filename, srcfile);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_fopen, path, dstfile);
+    expect_string(__wrap_fopen, mode, "wb");
+    will_return(__wrap_fopen, 1);
+
+    expect_string(__wrap_gzopen, path, srcfile);
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 2);
+
+    expect_value(__wrap_gzread, gz_fd, 2);
+    will_return(__wrap_gzread, 10);
+    will_return(__wrap_gzread, "teststring");
+
+    will_return(__wrap_fwrite, 10);
+
+    expect_value(__wrap_gzeof, file, 2);
+    will_return(__wrap_gzeof, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+    expect_value(__wrap_gzclose, file, 2);
+    will_return(__wrap_gzclose, 1);
+
+    ret = w_uncompress_gzfile(srcfile, dstfile);
+    assert_int_equal(ret, 0);
+}
+
+// w_homedir
+
+void test_w_homedir_first_attempt(void **state)
+{
+    char *argv0 = "/usr/share/wazuh/bin/test";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+    char *val = NULL;
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, argv0);
+
+    expect_string(__wrap_stat, __file, "/usr/share/wazuh");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    val = w_homedir(argv0);
+    assert_string_equal(val, "/usr/share/wazuh");
+    free(val);
+}
+
+void test_w_homedir_second_attempt(void **state)
+{
+    char *argv0 = "/usr/share/wazuh/bin/test";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+    char *val = NULL;
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_realpath, path, "/proc/curproc/file");
+    will_return(__wrap_realpath, argv0);
+
+    expect_string(__wrap_stat, __file, "/usr/share/wazuh");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    val = w_homedir(argv0);
+    assert_string_equal(val, "/usr/share/wazuh");
+    free(val);
+}
+
+void test_w_homedir_third_attempt(void **state)
+{
+    char *argv0 = "/usr/share/wazuh/bin/test";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+    char *val = NULL;
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_realpath, path, "/proc/curproc/file");
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_realpath, path, "/proc/self/path/a.out");
+    will_return(__wrap_realpath, argv0);
+
+    expect_string(__wrap_stat, __file, "/usr/share/wazuh");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    val = w_homedir(argv0);
+    assert_string_equal(val, "/usr/share/wazuh");
+    free(val);
+}
+
+void test_w_homedir_check_argv0(void **state)
+{
+    char *argv0 = "/usr/share/wazuh/bin/test";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+    char *val = NULL;
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, NULL);
+    expect_string(__wrap_realpath, path, "/proc/curproc/file");
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_realpath, path, "/proc/self/path/a.out");
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_realpath, path, argv0);
+    will_return(__wrap_realpath, argv0);
+
+    expect_string(__wrap_stat, __file, "/usr/share/wazuh");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    val = w_homedir(argv0);
+    assert_string_equal(val, "/usr/share/wazuh");
+    free(val);
+}
+
+void test_w_homedir_env_var(void **state)
+{
+    char *val = NULL;
+    char *argv0 = "bin/test";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, NULL);
+    expect_string(__wrap_realpath, path, "/proc/curproc/file");
+    will_return(__wrap_realpath, NULL);
+    expect_string(__wrap_realpath, path, "/proc/self/path/a.out");
+    will_return(__wrap_realpath, NULL);
+    expect_string(__wrap_realpath, path, argv0);
+    will_return(__wrap_realpath, NULL);
+
+    expect_string(__wrap_getenv, name, WAZUH_HOME_ENV);
+    will_return(__wrap_getenv, "/home/wazuh");
+
+    expect_string(__wrap_stat, __file, "/home/wazuh");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    val = w_homedir(argv0);
+    assert_string_equal(val, "/home/wazuh");
+    free(val);
+}
+
+void test_w_homedir_stat_fail(void **state)
+{
+    char *argv0 = "/fake/dir/bin";
+    struct stat stat_buf = { .st_mode = 0040000 }; // S_IFDIR
+
+    expect_string(__wrap_realpath, path, "/proc/self/exe");
+    will_return(__wrap_realpath, argv0);
+
+    expect_string(__wrap_stat, __file, "/fake/dir");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, -1);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1108): Unable to find Wazuh install directory. Export it to WAZUH_HOME environment variable.");
+
+    expect_assert_failure(w_homedir(argv0));
+}
+#endif
+
+void test_get_file_content(void **state)
+{
+    int max_size = 300;
+    char * content;
+    const char * expected = "test string";
+    const char * file_name = "test_file.txt";
+
+    expect_string(__wrap_fopen, path, file_name);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 1);
+
+    will_return(__wrap_ftell, 0);
+    will_return(__wrap_fseek, 0);
+    will_return(__wrap_ftell, 11); // Content size
+    will_return(__wrap_fseek, 0);
+
+    will_return(__wrap_fread, expected);
+    will_return(__wrap_fread, strlen(expected));
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    content = w_get_file_content(file_name, max_size);
+
+    assert_string_equal(content, expected);
+
+    free(content);
+}
+
+void test_get_file_pointer_NULL(void **state)
+{
+    const char * path = NULL;
+    
+    expect_string(__wrap__mdebug1, formatted_msg, "Cannot open NULL path");
+
+    FILE * fp = w_get_file_pointer(path);
+
+    assert_int_equal(NULL, fp);
+}
+
+void test_get_file_pointer_invalid(void **state)
+{
+    const char * file_name = "test_file.txt";
+    expect_string(__wrap_fopen, path, file_name);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 0);
+    expect_string(__wrap__mdebug1, formatted_msg, "(1103): Could not open file 'test_file.txt' due to [(0)-(Success)].");
+
+    FILE * fp = w_get_file_pointer(file_name);
+
+    assert_int_equal(NULL, fp);
+}
+
+void test_get_file_pointer_success(void **state)
+{
+    const char * file_name = "test_file.txt";
+    expect_string(__wrap_fopen, path, file_name);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, 1);
+
+    FILE * fp = w_get_file_pointer(file_name);
+
+    assert_int_equal(fp, fp);
+}
+
+#ifdef TEST_WINAGENT
+void test_get_UTC_modification_time_success(void **state) {
+    HANDLE hdle = (HANDLE)1234;
+    FILETIME modification_date;
+    modification_date.dwLowDateTime = (DWORD)1234;
+    modification_date.dwHighDateTime = (DWORD)4321;
+
+    expect_string(wrap_CreateFile, lpFileName, "C:\\a\\path");
+    will_return(wrap_CreateFile, hdle);
+
+    expect_value(wrap_GetFileTime, hFile, hdle);
+    will_return(wrap_GetFileTime, &modification_date);
+    will_return(wrap_GetFileTime, 1);
+
+    expect_value(wrap_CloseHandle, hObject, hdle);
+    will_return(wrap_CloseHandle, 0);
+
+    expect_value(__wrap_get_windows_file_time_epoch, ftime.dwLowDateTime, modification_date.dwLowDateTime);
+    expect_value(__wrap_get_windows_file_time_epoch, ftime.dwHighDateTime, modification_date.dwHighDateTime);
+    will_return(__wrap_get_windows_file_time_epoch, 123456);
+
+    time_t ret = get_UTC_modification_time("C:\\a\\path");
+    assert_int_equal(ret, 123456);
+}
+
+void test_get_UTC_modification_time_fail_get_handle(void **state) {
+    char buffer[OS_SIZE_128];
+    char *path = "C:\\a\\path";
+
+    expect_string(wrap_CreateFile, lpFileName, path);
+    will_return(wrap_CreateFile, INVALID_HANDLE_VALUE);
+
+    snprintf(buffer, OS_SIZE_128, FIM_WARN_OPEN_HANDLE_FILE, path, 2);
+    expect_string(__wrap__mferror, formatted_msg, buffer);
+
+    time_t ret = get_UTC_modification_time(path);
+    assert_int_equal(ret, 0);
+}
+
+void test_get_UTC_modification_time_fail_get_filetime(void **state) {
+    char buffer[OS_SIZE_128];
+    char *path = "C:\\a\\path";
+
+    HANDLE hdle = (HANDLE)1234;
+    FILETIME modification_date;
+    modification_date.dwLowDateTime = (DWORD)1234;
+    modification_date.dwHighDateTime = (DWORD)4321;
+
+    expect_string(wrap_CreateFile, lpFileName, path);
+    will_return(wrap_CreateFile, (HANDLE)1234);
+
+    expect_value(wrap_GetFileTime, hFile, (HANDLE)1234);
+    will_return(wrap_GetFileTime, &modification_date);
+    will_return(wrap_GetFileTime, 0);
+
+    snprintf(buffer, OS_SIZE_128, FIM_WARN_GET_FILETIME, path, 2);
+    expect_string(__wrap__mferror, formatted_msg, buffer);
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)1234);
+    will_return(wrap_CloseHandle, 0);
+
+    time_t ret = get_UTC_modification_time(path);
+    assert_int_equal(ret, 0);
+}
+
+void test_expand_win32_wildcards_no_wildcards(void **state) {
+    char *path = "C:\\path\\without\\wildcards";
+    char **result;
+
+    result = expand_win32_wildcards(path);
+
+    *state = result;
+    assert_string_equal(path, result[0]);
+    assert_null(result[1]);
+}
+
+void test_expand_win32_wildcards_invalid_handle(void **state) {
+    char *path = "C:\\wildcards*";
+    char **result;
+    expect_find_first_file(path, NULL, (DWORD) 0,  INVALID_HANDLE_VALUE);
+    expect_any(__wrap__mdebug2, formatted_msg);
+    result = expand_win32_wildcards(path);
+    *state = result;
+
+    assert_null(result[0]);
+}
+
+void test_expand_win32_wildcards_back_link(void **state) {
+    char *path = "C:\\.*";
+    char **result;
+
+    expect_find_first_file(path, ".", (DWORD) 0, (HANDLE) 1);
+    expect_find_next_file((HANDLE) 1, "..", (DWORD) 0, (BOOL) 1);
+    expect_find_next_file((HANDLE) 1, NULL, (DWORD) 0, (BOOL) 0);
+
+    result = expand_win32_wildcards(path);
+    *state = result;
+
+    assert_null(result[0]);
+}
+
+void test_expand_win32_wildcards_directories(void **state) {
+    char *path = "C:\\test*";
+    char **result;
+    char vectors[N_PATHS][MAX_PATH] = { '\0' };
+    char buffer[OS_SIZE_128] = {0};
+
+    snprintf(vectors[0], OS_SIZE_128, "testdir_%d", 0);
+    expect_find_first_file(path, vectors[0], FILE_ATTRIBUTE_DIRECTORY, (HANDLE) 1);
+
+    for (int i = 1; i < N_PATHS; i++) {
+        snprintf(vectors[i], OS_SIZE_128, "testdir_%d", i);
+        expect_find_next_file((HANDLE) 1, vectors[i], FILE_ATTRIBUTE_DIRECTORY, (BOOL) 1);
+    }
+
+    expect_find_next_file((HANDLE) 1, NULL, (DWORD) 0, (BOOL) 0);
+
+    result = expand_win32_wildcards(path);
+    *state = result;
+    int i;
+    for (i = 0; result[i]; i++) {
+        snprintf(buffer, OS_SIZE_128, "%s%s", "C:\\", vectors[i]);
+        assert_string_equal(buffer, result[i]);
+    }
+    assert_int_equal(N_PATHS, i);
+}
+
+void test_expand_win32_wildcards_directories_reparse_point(void **state) {
+    char *path = "C:\\reparse*";
+    char **result;
+    char vectors[N_PATHS][MAX_PATH] = { '\0' };
+
+    snprintf(vectors[0], OS_SIZE_128, "reparse_%d", 0);
+    expect_find_first_file(path, vectors[0], FILE_ATTRIBUTE_REPARSE_POINT, (HANDLE) 1);
+
+    for (int i = 1; i < 5; i++) {
+        snprintf(vectors[i], OS_SIZE_128, "reparse_%d", i);
+        expect_find_next_file((HANDLE) 1, vectors[i], FILE_ATTRIBUTE_REPARSE_POINT, (BOOL) 1);
+    }
+
+    expect_find_next_file((HANDLE) 1, NULL, (DWORD) 0, (BOOL) 0);
+
+    result = expand_win32_wildcards(path);
+    *state = result;
+
+    assert_null(result[0]);
+}
+
+void test_expand_win32_wildcards_file_with_next_glob(void **state) {
+    char *path = "C:\\ignored_*\\test?";
+    char **result;
+    char vectors[N_PATHS][MAX_PATH] = { '\0' };
+    char buffer[OS_SIZE_128] = {0};
+
+    // Begining to expand the first wildcard
+    // files that matches the first wildcard must be ignored
+    expect_find_first_file("C:\\ignored_*", "ignored_file", FILE_ATTRIBUTE_NORMAL, (HANDLE) 1);
+
+    expect_find_next_file((HANDLE) 1, "test_folder", FILE_ATTRIBUTE_DIRECTORY, (BOOL) 1);
+    // Ending to expand the first wildcard
+    expect_find_next_file((HANDLE) 1, NULL, 0, (BOOL) 0);
+
+    // Beggining to expand the second wildcard
+    snprintf(vectors[0], OS_SIZE_128, "test_%d", 0);
+    expect_find_first_file("C:\\test_folder\\test?", vectors[0], FILE_ATTRIBUTE_NORMAL, (HANDLE) 1);
+
+    for (int i = 1; i < N_PATHS; i++) {
+        snprintf(vectors[i], OS_SIZE_128, "test_%d", i);
+        expect_find_next_file((HANDLE) 1, vectors[i], FILE_ATTRIBUTE_DIRECTORY, (BOOL) 1);
+    }
+    // Ending to expand the second wildcard
+    expect_find_next_file((HANDLE) 1, NULL, 0, (BOOL) 0);
+
+    result = expand_win32_wildcards(path);
+    *state = result;
+    for (int i = 0; result[i]; i++) {
+        snprintf(buffer, OS_SIZE_128, "C:\\test_folder\\%s", vectors[i]);
+        assert_string_equal(buffer, result[i]);
+    }
+}
+
+#endif
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+#ifndef TEST_WINAGENT
+        cmocka_unit_test(test_CreatePID_success),
+        cmocka_unit_test(test_CreatePID_failure_chmod),
+        cmocka_unit_test(test_CreatePID_failure_fopen),
+        cmocka_unit_test(test_DeletePID_success),
+        cmocka_unit_test(test_DeletePID_failure),
+        cmocka_unit_test(test_w_is_compressed_gz_file_uncompressed),
+        cmocka_unit_test(test_w_is_compressed_bz2_file_compressed),
+        cmocka_unit_test(test_w_is_compressed_bz2_file_uncompressed),
+#ifdef TEST_SERVER
+        cmocka_unit_test(test_w_uncompress_bz2_gz_file_bz2),
+        // MergeAppendFile
+        cmocka_unit_test(test_MergeAppendFile_open_fail),
+        cmocka_unit_test(test_MergeAppendFile_fseek_fail),
+        cmocka_unit_test(test_MergeAppendFile_fseek2_fail),
+        cmocka_unit_test(test_MergeAppendFile_diff_ftell),
+        cmocka_unit_test(test_MergeAppendFile_success),
+#endif
+        // w_compress_gzfile
+        cmocka_unit_test(test_w_compress_gzfile_wfopen_fail),
+        cmocka_unit_test(test_w_compress_gzfile_gzopen_fail),
+        cmocka_unit_test(test_w_compress_gzfile_write_error),
+        cmocka_unit_test(test_w_compress_gzfile_success),
+        // w_uncompress_gzfile
+        cmocka_unit_test(test_w_uncompress_gzfile_lstat_fail),
+        cmocka_unit_test(test_w_uncompress_gzfile_fopen_fail),
+        cmocka_unit_test(test_w_uncompress_gzfile_gzopen_fail),
+        cmocka_unit_test(test_w_uncompress_gzfile_first_read_fail),
+        cmocka_unit_test(test_w_uncompress_gzfile_first_read_success),
+        cmocka_unit_test(test_w_uncompress_gzfile_success),
+        // w_homedir
+        cmocka_unit_test(test_w_homedir_first_attempt),
+        cmocka_unit_test(test_w_homedir_second_attempt),
+        cmocka_unit_test(test_w_homedir_third_attempt),
+        cmocka_unit_test(test_w_homedir_check_argv0),
+        cmocka_unit_test(test_w_homedir_env_var),
+        cmocka_unit_test(test_w_homedir_stat_fail),
+        // w_get_file_pointer
+        cmocka_unit_test(test_get_file_pointer_NULL),
+        cmocka_unit_test(test_get_file_pointer_invalid),
+        cmocka_unit_test(test_get_file_pointer_success),
+#else
+        cmocka_unit_test(test_get_UTC_modification_time_success),
+        cmocka_unit_test(test_get_UTC_modification_time_fail_get_handle),
+        cmocka_unit_test(test_get_UTC_modification_time_fail_get_filetime),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_no_wildcards, teardown_win32_wildcards),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_invalid_handle, teardown_win32_wildcards),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_back_link, teardown_win32_wildcards),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_directories, teardown_win32_wildcards),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_directories_reparse_point, teardown_win32_wildcards),
+        cmocka_unit_test_teardown(test_expand_win32_wildcards_file_with_next_glob, teardown_win32_wildcards)
+
+#endif
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/file_op/tests/unit/wrappers/file_op_wrappers.c b/src/common/file_op/tests/unit/wrappers/file_op_wrappers.c
new file mode 100644
index 0000000000..55b153bbb6
--- /dev/null
+++ b/src/common/file_op/tests/unit/wrappers/file_op_wrappers.c
@@ -0,0 +1,275 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "file_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <errno.h>
+#include "file_op.h"
+#include "../../common.h"
+
+int __wrap_abspath(const char *path, char *buffer, size_t size) {
+    check_expected(path);
+
+    strncpy(buffer, path, size);
+    buffer[size - 1] = '\0';
+
+    return mock();
+}
+
+void expect_abspath(const char *path, int ret) {
+    expect_string(__wrap_abspath, path, path);
+    will_return(__wrap_abspath, ret);
+}
+
+int __wrap_check_path_type(const char *dir) {
+    check_expected(dir);
+
+    return mock();
+}
+
+int __wrap_File_DateofChange(const char * file) {
+    check_expected_ptr(file);
+    return mock();
+}
+
+int __wrap_IsDir(const char *file) {
+    check_expected(file);
+    return mock();
+}
+
+int __wrap_IsFile(const char *file) {
+    check_expected(file);
+
+    return mock();
+}
+
+int __wrap_IsLink(const char * file) {
+    check_expected(file);
+    return mock();
+}
+
+int __wrap_IsSocket(const char * sock) {
+    check_expected(sock);
+    return mock();
+}
+
+int __wrap_rmdir_ex(const char *name) {
+    int ret = mock();
+
+    if(ret == -1) {
+        errno = ENOTEMPTY;
+    } else {
+        errno = 0;
+    }
+
+    check_expected(name);
+    return ret;
+}
+
+void expect_rmdir_ex_call(const char *dir, int ret) {
+    expect_string(__wrap_rmdir_ex, name, dir);
+    will_return(__wrap_rmdir_ex, ret);
+}
+
+int __wrap_w_compress_gzfile(const char *filesrc, const char *filedst) {
+    check_expected(filesrc);
+    check_expected(filedst);
+    return mock();
+}
+
+int __wrap_w_uncompress_gzfile(const char *gzfilesrc, const char *gzfiledst) {
+    check_expected(gzfilesrc);
+    check_expected(gzfiledst);
+    return mock();
+}
+
+void expect_w_uncompress_gzfile(const char * gzfilesrc, const char * gzfiledst, FILE *ret) {
+    expect_string(__wrap_w_uncompress_gzfile, gzfilesrc, gzfilesrc);
+    expect_string(__wrap_w_uncompress_gzfile, gzfiledst, gzfiledst);
+    will_return(__wrap_w_uncompress_gzfile, ret);
+}
+
+FILE *__real_wfopen(const char * path, const char * mode);
+FILE *__wrap_wfopen(const char * path, const char * mode) {
+    if(test_mode) {
+        check_expected(path);
+        check_expected(mode);
+        return mock_type(FILE *);
+    } else {
+        return __real_wfopen(path, mode);
+    }
+}
+
+void expect_wfopen(const char * path, const char * mode, FILE *ret) {
+    expect_string(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, mode);
+    will_return(__wrap_wfopen, ret);
+}
+
+char ** __wrap_wreaddir(const char * name) {
+    check_expected(name);
+    return mock_type(char**);
+}
+
+void expect_wreaddir_call(const char *dir, char **files) {
+    expect_string(__wrap_wreaddir, name, dir);
+    will_return(__wrap_wreaddir, files);
+}
+
+#ifndef WIN32
+off_t __wrap_FileSize(const char * path) {
+    check_expected(path);
+    return mock();
+}
+#else
+DWORD __wrap_FileSizeWin(const char * file) {
+    check_expected(file);
+    return mock();
+}
+#endif
+
+void expect_FileSize(const char *path, int ret) {
+#ifndef WIN32
+    expect_string(__wrap_FileSize, path, path);
+    will_return(__wrap_FileSize, ret);
+#else
+    expect_string(__wrap_FileSizeWin, file, path);
+    will_return(__wrap_FileSizeWin, ret);
+#endif
+}
+
+int __wrap_rename_ex(const char *source, const char *destination) {
+    check_expected(source);
+    check_expected(destination);
+
+    return mock();
+}
+
+void expect_rename_ex(const char *source, const char *destination, int ret) {
+    expect_string(__wrap_rename_ex, source, source);
+    expect_string(__wrap_rename_ex, destination, destination);
+    will_return(__wrap_rename_ex, ret);
+}
+
+int __wrap_mkstemp_ex(char *tmp_path) {
+    check_expected(tmp_path);
+    return mock();
+}
+
+void expect_mkstemp_ex(char *tmp_path, int ret) {
+    expect_string(__wrap_mkstemp_ex, tmp_path, tmp_path);
+    will_return(__wrap_mkstemp_ex, ret);
+}
+
+float __wrap_DirSize(const char *path) {
+    check_expected(path);
+
+    return mock();
+}
+
+int __wrap_mkdir_ex(const char *path) {
+    check_expected(path);
+    return mock();
+}
+
+void expect_mkdir_ex(const char *path, int ret) {
+    expect_string(__wrap_mkdir_ex, path, path);
+    will_return(__wrap_mkdir_ex, ret);
+}
+
+int __wrap_w_ref_parent_folder(const char * path) {
+    check_expected(path);
+
+    return mock();
+}
+
+int __wrap_cldir_ex(__attribute__((unused)) const char *name) {
+    return mock();
+}
+
+int __wrap_cldir_ex_ignore(const char *name, __attribute__((unused)) const char ** ignore) {
+    check_expected(name);
+    return mock();
+}
+
+int __wrap_UnmergeFiles(const char *finalpath, const char *optdir, int mode) {
+    check_expected(finalpath);
+    check_expected(optdir);
+    check_expected(mode);
+    return mock();
+}
+
+#ifdef WIN32
+long long __wrap_get_UTC_modification_time(const char *file_path) {
+    check_expected(file_path);
+    return mock();
+}
+#endif
+
+int64_t __wrap_w_ftell (FILE *x) {
+    check_expected(x);
+    return mock_type(int64_t);
+}
+
+int __wrap_w_fseek(FILE *x, int64_t pos, __attribute__((unused)) int mode) {
+    check_expected(x);
+    check_expected(pos);
+    return mock_type(int);
+}
+
+int __wrap_MergeAppendFile(FILE *finalfp, __attribute__((unused)) const char *files, int path_offset) {
+    check_expected(finalfp);
+    check_expected(path_offset);
+    return mock_type(int);
+}
+
+int __wrap_OS_MoveFile(const char *src, const char *dst) {
+    check_expected(src);
+    check_expected(dst);
+    return mock_type(int);
+}
+
+int __wrap_TestUnmergeFiles(const char *finalpath, __attribute__((unused)) int mode) {
+    check_expected(finalpath);
+    return mock_type(int);
+}
+
+int __wrap_checkBinaryFile(const char *f_name) {
+    check_expected(f_name);
+    return mock_type(int);
+}
+
+int __wrap_w_copy_file(const char *src, const char *dst, char mode, __attribute__((unused)) char * message, int silent) {
+    check_expected(src);
+    check_expected(dst);
+    check_expected(mode);
+    check_expected(silent);
+    return mock_type(int);
+}
+
+char *__wrap_GetRandomNoise() {
+    return mock_ptr_type(char*);
+}
+
+const char *__wrap_getuname() {
+    return mock_ptr_type(char*);
+}
+
+char * __wrap_w_get_file_content(__attribute__ ((__unused__)) const char * path,
+                                 __attribute__ ((__unused__)) int max_size) {
+    return mock_type(char *);
+}
+
+void expect_w_get_file_content(const char *buffer) {
+    will_return(__wrap_w_get_file_content, buffer);
+}
diff --git a/src/common/file_op/tests/unit/wrappers/file_op_wrappers.h b/src/common/file_op/tests/unit/wrappers/file_op_wrappers.h
new file mode 100644
index 0000000000..68f2da4133
--- /dev/null
+++ b/src/common/file_op/tests/unit/wrappers/file_op_wrappers.h
@@ -0,0 +1,106 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef FILE_OP_WRAPPERS_H
+#define FILE_OP_WRAPPERS_H
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+#ifdef WIN32
+#include <stdint.h>
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+int __wrap_abspath(const char *path, char *buffer, size_t size);
+void expect_abspath(const char *path, int ret);
+
+int __wrap_check_path_type(const char *dir);
+
+int __wrap_File_DateofChange(const char * file);
+
+int __wrap_IsDir(const char *file);
+
+int __wrap_IsFile(const char *file);
+
+int __wrap_IsLink(const char * file);
+
+int __wrap_IsSocket(const char * sock);
+
+int __wrap_rmdir_ex(const char *name);
+
+void expect_rmdir_ex_call(const char *dir, int ret);
+
+int __wrap_w_compress_gzfile(const char *filesrc, const char *filedst);
+
+int __wrap_w_uncompress_gzfile(const char *gzfilesrc, const char *gzfiledst);
+void expect_w_uncompress_gzfile(const char * gzfilesrc, const char * gzfiledst, FILE *ret);
+
+FILE *__wrap_wfopen(const char * __filename, const char * __modes);
+void expect_wfopen(const char * __filename, const char * __modes, FILE *ret);
+
+char ** __wrap_wreaddir(const char * name);
+
+void expect_wreaddir_call(const char *dir, char **files);
+
+#ifndef WIN32
+off_t __wrap_FileSize(const char * path);
+#else
+DWORD __wrap_FileSizeWin(const char * file);
+#endif
+void expect_FileSize(const char *path, int ret);
+
+int __wrap_rename_ex(const char *source, const char *destination);
+void expect_rename_ex(const char *source, const char *destination, int ret);
+
+int __wrap_mkstemp_ex(char *tmp_path);
+void expect_mkstemp_ex(char *tmp_path, int ret);
+
+float __wrap_DirSize(const char *path);
+
+int __wrap_mkdir_ex(const char *path);
+void expect_mkdir_ex(const char *path, int ret);
+
+int __wrap_w_ref_parent_folder(const char * path);
+
+int __wrap_cldir_ex(const char *name);
+
+int __wrap_cldir_ex_ignore(const char *name, const char ** ignore);
+
+int __wrap_UnmergeFiles(const char *finalpath, const char *optdir, int mode);
+
+#ifdef WIN32
+long long __wrap_get_UTC_modification_time(const char *file_path);
+#endif
+
+char *__wrap_GetRandomNoise();
+
+const char *__wrap_getuname();
+
+#endif
+int64_t __wrap_w_ftell (FILE *x);
+
+int __wrap_w_fseek(FILE *x, int64_t pos, int mode);
+
+int __wrap_MergeAppendFile(FILE *finalfp, const char *files, int path_offset);
+
+int __wrap_OS_MoveFile(const char *src, const char *dst);
+
+int __wrap_TestUnmergeFiles(const char *finalpath, int mode);
+
+int __wrap_checkBinaryFile(const char *f_name);
+
+int __wrap_w_copy_file(const char *src, const char *dst, char mode, __attribute__((unused)) char * message, int silent);
+
+char * __wrap_w_get_file_content(__attribute__ ((__unused__)) const char * path, __attribute__ ((__unused__)) int max_size);
+void expect_w_get_file_content(const char *buffer);
diff --git a/src/modules/sca/tests/CMakeLists.txt b/src/common/fs_op/CMakeLists.txt
similarity index 100%
rename from src/modules/sca/tests/CMakeLists.txt
rename to src/common/fs_op/CMakeLists.txt
diff --git a/src/common/fs_op/include/fs_op.h b/src/common/fs_op/include/fs_op.h
new file mode 100755
index 0000000000..65e9000680
--- /dev/null
+++ b/src/common/fs_op/include/fs_op.h
@@ -0,0 +1,54 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2014 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * License details at the LICENSE file included with OSSEC or
+ * online at: https://www.gnu.org/licenses/gpl.html
+ */
+
+/* Common API for dealing with file system information */
+
+#ifndef OS_FS
+#define OS_FS
+
+#ifndef WIN32
+
+#ifdef Linux
+#include <sys/vfs.h>
+#endif
+
+#ifdef FreeBSD
+#include <sys/param.h>
+#include <sys/mount.h>
+#endif
+#endif
+
+struct file_system_type {
+    const char *name;
+    long f_type;
+    int flag;
+};
+
+typedef struct fs_set {
+    unsigned nfs:1;
+    unsigned dev:1;
+    unsigned sys:1;
+    unsigned proc:1;
+} fs_set;
+
+extern const struct file_system_type network_file_systems[];
+extern const struct file_system_type skip_file_systems[];
+
+short IsNFS(const char *file)  __attribute__((nonnull));
+short skipFS(const char *file)  __attribute__((nonnull));
+
+bool HasFilesystem(const char * path, fs_set set);
+
+#endif /* OS_FS */
+
+/* EOF */
diff --git a/src/common/fs_op/src/fs_op.c b/src/common/fs_op/src/fs_op.c
new file mode 100755
index 0000000000..eb7f920af3
--- /dev/null
+++ b/src/common/fs_op/src/fs_op.c
@@ -0,0 +1,166 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2014 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+/* Functions to retrieve information about the filesystem
+ */
+
+
+#include "shared.h"
+#ifndef ARGV0
+#define ARGV0 "fs_op"
+#endif
+
+#ifdef __linux__
+#define DEVFS       0x00001373
+#define NFS         0x00006969
+#define PROCFS      0x00009fa0
+#define TMPFS       0x01021994
+#define AUFS        0x61756673
+#define SYSFS       0x62656572
+#define OVERLAYFS   0x794c7630
+#define BTRFS       0x9123683E
+#define CIFS        0xFF534D42
+#define V9FS        0x01021997
+#define ST_NODEV    4
+#elif defined(__FreeBSD__)
+#define NFS         0x3a
+#define DEV         0x71
+#define CIFS        // ToDo
+#elif defined(__MACH__)
+#define NFS         0x2
+#define DEV         0x13
+#define CIFS        0x1c
+#endif
+
+const struct file_system_type network_file_systems[] = {
+#ifdef __linux__
+    {.name="NFS",  .f_type=NFS, .flag=1},
+    {.name="CIFS", .f_type=CIFS, .flag=1},
+#endif
+    /*  The last entry must be name=NULL */
+    {.name=NULL, .f_type=0, .flag=0}
+};
+
+/* List of filesystem to skip the link count test */
+const struct file_system_type skip_file_systems[] = {
+#ifdef __linux__
+    {.name="BTRFS", .f_type=BTRFS, .flag=1},
+    {.name="AUFS", .f_type=AUFS, .flag=1},
+    {.name="OVERLAYFS", .f_type=OVERLAYFS, .flag=1},
+    {.name="V9FS", .f_type=V9FS, .flag=1},
+
+#endif
+    /*  The last entry must be name=NULL */
+    {.name=NULL, .f_type=0, .flag=0}
+};
+
+short IsNFS(const char *dir_name)
+{
+#if defined(Linux)
+    struct statfs stfs;
+
+    /* ignore NFS (0x6969) or CIFS (0xFF534D42) mounts */
+    if ( ! statfs(dir_name, &stfs) )
+    {
+        int i;
+        for ( i=0; network_file_systems[i].name != NULL; i++ ) {
+            if(network_file_systems[i].f_type == stfs.f_type ) {
+                return network_file_systems[i].flag;
+            }
+        }
+        return(0);
+    }
+    else
+    {
+        /* If the file exists, throw an error and retreat! If the file does not exist, there
+	 * is no reason to spam the log with these errors. */
+	if(errno != ENOENT) {
+            merror("statfs('%s') produced error: %s", dir_name, strerror(errno));
+	}
+        return(-1);
+    }
+#else
+    mdebug2("Attempted to check NFS status for '%s', but we don't know how on this OS.", dir_name);
+#endif
+    return(0);
+}
+
+short skipFS(const char *dir_name)
+{
+#if defined(Linux)
+    struct statfs stfs;
+
+    if ( ! statfs(dir_name, &stfs) )
+    {
+        int i;
+        for ( i=0; skip_file_systems[i].name != NULL; i++ ) {
+            if(skip_file_systems[i].f_type == stfs.f_type ) {
+                mdebug1("Skipping dir (FS %s): %s ", skip_file_systems[i].name, dir_name);
+                return skip_file_systems[i].flag;
+            }
+        }
+        return(0);
+    }
+    else
+    {
+        /* If the file exists, throw an error and retreat! If the file does not exist, there
+         * is no reason to spam the log with these errors. */
+        if(errno != ENOENT) {
+            merror("statfs('%s') produced error: %s", dir_name, strerror(errno));
+        }
+        return(-1);
+    }
+#else
+    mdebug2("Attempted to check FS status for '%s', but we don't know how on this OS.", dir_name);
+#endif
+    return(0);
+}
+
+bool HasFilesystem(__attribute__((unused))const char * path, __attribute__((unused))fs_set set) {
+#ifdef __linux__
+    struct statfs stfs;
+
+    if (statfs(path, &stfs) == -1) {
+        mdebug2("statfs(%s): %s", path, strerror(errno));
+        return false;
+    }
+
+    switch (stfs.f_type) {
+    case DEVFS:
+        // Linux 2.6.17 and earlier
+        return set.dev;
+    case NFS:
+         return set.nfs;
+    case PROCFS:
+        return set.proc;
+    case TMPFS:
+#ifdef _STATFS_F_FLAGS
+        // In modern Linux, /dev is TMPFS and ~ST_NODEV
+        return set.dev && (stfs.f_flags & ST_NODEV) == 0;
+#else
+        return set.dev;
+#endif
+    case SYSFS:
+        return set.sys;
+    case CIFS:
+        return set.nfs;
+    }
+
+#else
+    (void)path;
+    (void)set;
+#endif
+
+    return false;
+}
+
+
+/* EOF */
diff --git a/src/common/fs_op/tests/unit/tests/CMakeLists.txt b/src/common/fs_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..14ccaa9f02
--- /dev/null
+++ b/src/common/fs_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,46 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_fs_op")
+list(APPEND shared_tests_flags " ")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/fs_op/tests/unit/tests/test_fs_op.c b/src/common/fs_op/tests/unit/tests/test_fs_op.c
new file mode 100644
index 0000000000..5c7f7b38be
--- /dev/null
+++ b/src/common/fs_op/tests/unit/tests/test_fs_op.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+
+// Tests
+
+static int compare(const struct file_system_type * statfs) {
+    for (int i = 0; network_file_systems[i].name; i++) {
+        if (network_file_systems[i].f_type == statfs->f_type) {
+            return 1;
+        }
+    }
+
+    for (int i = 0; skip_file_systems[i].name; i++) {
+        if (skip_file_systems[i].f_type == statfs->f_type) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+void test_fs_magic(void **state)
+{
+    struct file_system_type statfs = {.f_type = 0x6969};
+    assert_int_equal(compare(&statfs), 1);
+
+    statfs.f_type = 0xFF534D42;
+    assert_int_equal(compare(&statfs), 1);
+
+    statfs.f_type = 0x9123683E;
+    assert_int_equal(compare(&statfs), 1);
+
+    statfs.f_type = 0x61756673;
+    assert_int_equal(compare(&statfs), 1);
+
+    statfs.f_type = 0x794c7630;
+    assert_int_equal(compare(&statfs), 1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+            cmocka_unit_test(test_fs_magic),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.c b/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.c
new file mode 100644
index 0000000000..0ebccdd917
--- /dev/null
+++ b/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.c
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "fs_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+bool __wrap_HasFilesystem(__attribute__((unused))const char * path, __attribute__((unused))fs_set set) {
+    check_expected(path);
+
+    return mock();
+}
diff --git a/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.h b/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.h
new file mode 100644
index 0000000000..c349537822
--- /dev/null
+++ b/src/common/fs_op/tests/unit/wrappers/fs_op_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef FS_OP_WRAPPERS_H
+#define FS_OP_WRAPPERS_H
+
+#include <stdbool.h>
+#include <fs_op.h>
+
+bool __wrap_HasFilesystem(const char * path, fs_set set);
+
+#endif
diff --git a/src/common/globHelper/CMakeLists.txt b/src/common/globHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/globHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/globHelper/include/globHelper.h b/src/common/globHelper/include/globHelper.h
new file mode 100644
index 0000000000..246a8fe711
--- /dev/null
+++ b/src/common/globHelper/include/globHelper.h
@@ -0,0 +1,92 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Agoust 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _GLOB_HELPER_H
+#define _GLOB_HELPER_H
+
+#include <string>
+
+namespace Utils
+{
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+    static bool patternMatch(const std::string& entryName, const std::string& pattern)
+    {
+        auto match { true };
+        // Match the glob pattern without regex
+        auto patternPos { 0u };
+
+        for (auto i { 0u }; i < entryName.size(); ++i)
+        {
+            if (patternPos < pattern.size())
+            {
+                // 'x' matches 'x'
+                if (entryName.at(i) == pattern.at(patternPos))
+                {
+                    ++patternPos;
+                }
+                // '*' matches any number of characters
+                else if (pattern.at(patternPos) == '*')
+                {
+                    // '*' matches zero characters
+                    if (patternPos + 1 < pattern.size() && pattern.at(patternPos + 1) == entryName.at(i))
+                    {
+                        ++patternPos;
+                        --i;
+                    }
+                    // '*' matches one or more characters
+                    else if (patternPos + 1 == pattern.size())
+                    {
+                        break;
+                    }
+                }
+                // '?' matches any single character
+                else if (pattern.at(patternPos) == '?')
+                {
+                    ++patternPos;
+                }
+                // No match
+                else
+                {
+                    match = false;
+                    break;
+                }
+            }
+            else
+            {
+                match = false;
+                break;
+            }
+        }
+
+        // if the pattern is not fully matched, check if the remaining characters are '*'
+        // and if so, the match is successful.
+        while (match && patternPos < pattern.size())
+        {
+            // '*' matches zero characters
+            if (pattern.at(patternPos) == '*')
+            {
+                ++patternPos;
+            }
+            // No match
+            else
+            {
+                match = false;
+            }
+        }
+
+        return match;
+    }
+#pragma GCC diagnostic pop
+}
+
+#endif // _GLOB_HELPER_H
diff --git a/src/common/globHelper/tests/CMakeLists.txt b/src/common/globHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..bc570c41ea
--- /dev/null
+++ b/src/common/globHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "globHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/globHelper/tests/globHelper_test.cpp b/src/common/globHelper/tests/globHelper_test.cpp
new file mode 100644
index 0000000000..6702c6a5d6
--- /dev/null
+++ b/src/common/globHelper/tests/globHelper_test.cpp
@@ -0,0 +1,118 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Agoust 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "globHelper_test.h"
+#include "globHelper.h"
+#include <sstream>
+
+void GlobHelperTest::SetUp() {};
+
+void GlobHelperTest::TearDown() {};
+
+TEST_F(GlobHelperTest, patternMatchSimple)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "test"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcard)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "te*t"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtEnd)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "te*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtStart)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "*st"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtStartAndEnd)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "*st*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtStartAndEndAndMiddle)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "*s*t*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtStartAndEndAndMiddleAndNoMatch)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "*s*t"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSimpleWithWildcardAtStartAndEndAndMiddleAndNoMatch2)
+{
+    EXPECT_FALSE(Utils::patternMatch("test", "s*t*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithWildcard2Characters)
+{
+    EXPECT_TRUE(Utils::patternMatch("test", "t*t"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithInvalidPostfix)
+{
+    EXPECT_FALSE(Utils::patternMatch("12", "*t"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithInvalidPostfix2)
+{
+    EXPECT_FALSE(Utils::patternMatch("12", "*t*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithInvalidPrefix)
+{
+    EXPECT_FALSE(Utils::patternMatch("12", "t*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithInvalidPrefix2)
+{
+    EXPECT_FALSE(Utils::patternMatch("13", "*t*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithDimension)
+{
+    EXPECT_FALSE(Utils::patternMatch("13", "131111111111111111"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithDimension2)
+{
+    EXPECT_FALSE(Utils::patternMatch("111111111111111111", "11"));
+}
+
+TEST_F(GlobHelperTest, patternMatchWithDimension3)
+{
+    EXPECT_FALSE(Utils::patternMatch("11", "111111111111111111"));
+}
+
+TEST_F(GlobHelperTest, patternMatchAll)
+{
+    EXPECT_TRUE(Utils::patternMatch("abcdef", "*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSingleCharacter)
+{
+    EXPECT_TRUE(Utils::patternMatch("abcdef", "a?c*"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSingleCharacter2)
+{
+    EXPECT_FALSE(Utils::patternMatch("abcdef", "a?c"));
+}
+
+TEST_F(GlobHelperTest, patternMatchSingleCharacter3)
+{
+    EXPECT_TRUE(Utils::patternMatch("abcd", "a?c?"));
+}
diff --git a/src/common/globHelper/tests/globHelper_test.h b/src/common/globHelper/tests/globHelper_test.h
new file mode 100644
index 0000000000..278c9c3ed6
--- /dev/null
+++ b/src/common/globHelper/tests/globHelper_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Agoust 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _GLOB_HELPER_TEST_H
+#define _GLOB_HELPER_TEST_H
+#include "gtest/gtest.h"
+
+class GlobHelperTest : public ::testing::Test
+{
+    protected:
+
+        GlobHelperTest() = default;
+        virtual ~GlobHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif // _GLOB_HELPER_TEST_H
diff --git a/src/common/globHelper/tests/main.cpp b/src/common/globHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/globHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/hashHelper/CMakeLists.txt b/src/common/hashHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/hashHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/hashHelper/include/hashHelper.h b/src/common/hashHelper/include/hashHelper.h
new file mode 100644
index 0000000000..c210be9b75
--- /dev/null
+++ b/src/common/hashHelper/include/hashHelper.h
@@ -0,0 +1,164 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Sep 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _HASH_HELPER_H
+#define _HASH_HELPER_H
+
+#include <memory>
+#include <vector>
+#include <stdexcept>
+#include "openssl/evp.h"
+#include <fstream>
+#include <array>
+#include <string>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    enum class HashType
+    {
+        Sha1,
+        Sha256,
+    };
+    class HashData final
+    {
+        public:
+            HashData(const HashType hashType = HashType::Sha1)
+                : m_spCtx{createContext()}
+            {
+                initializeContext(hashType, m_spCtx);
+            }
+            // LCOV_EXCL_START
+            ~HashData() = default;
+            // LCOV_EXCL_STOP
+            void update(const void* data, const size_t size)
+            {
+                const auto ret
+                {
+                    EVP_DigestUpdate(m_spCtx.get(), data, size)
+                };
+
+                // LCOV_EXCL_START
+                if (!ret)
+                {
+                    throw std::runtime_error
+                    {
+                        "Error getting digest final."
+                    };
+                }
+
+                // LCOV_EXCL_STOP
+            }
+            std::vector<unsigned char> hash()
+            {
+                unsigned char digest[EVP_MAX_MD_SIZE] {0};
+                unsigned int digestSize{0};
+                const auto ret
+                {
+                    EVP_DigestFinal_ex(m_spCtx.get(), digest, &digestSize)
+                };
+
+                // LCOV_EXCL_START
+                if (!ret)
+                {
+                    throw std::runtime_error
+                    {
+                        "Error getting digest final."
+                    };
+                }
+
+                // LCOV_EXCL_STOP
+                return {digest, digest + digestSize};
+            }
+        private:
+            struct EvpContextDeleter final
+            {
+                void operator()(EVP_MD_CTX* ctx)
+                {
+                    EVP_MD_CTX_destroy(ctx);
+                }
+            };
+
+            static EVP_MD_CTX* createContext()
+            {
+                auto ctx{ EVP_MD_CTX_create() };
+
+                // LCOV_EXCL_START
+                if (!ctx)
+                {
+                    throw std::runtime_error
+                    {
+                        "Error creating EVP_MD_CTX."
+                    };
+                }
+
+                // LCOV_EXCL_STOP
+                return ctx;
+            }
+            static void initializeContext(const HashType hashType, std::unique_ptr<EVP_MD_CTX, EvpContextDeleter>& spCtx)
+            {
+                auto ret{0};
+
+                switch (hashType)
+                {
+                    case HashType::Sha1:
+                        ret = EVP_DigestInit(spCtx.get(), EVP_sha1());
+                        break;
+
+                    case HashType::Sha256:
+                        ret = EVP_DigestInit(spCtx.get(), EVP_sha256());
+                        break;
+                }
+
+                if (!ret)
+                {
+                    throw std::runtime_error
+                    {
+                        "Error initializing EVP_MD_CTX."
+                    };
+                }
+            }
+            std::unique_ptr<EVP_MD_CTX, EvpContextDeleter> m_spCtx;
+    };
+
+    /**
+     * @brief Function to calculate the hash of a file.
+     *
+     * @param filepath Path to the file.
+     * @return std::vector<unsigned char> Digest vector.
+     */
+    static std::vector<unsigned char> hashFile(const std::string& filepath)
+    {
+        std::ifstream inputFile(filepath, std::fstream::in);
+        if (inputFile.good())
+        {
+            constexpr int BUFFER_SIZE {4096};
+            std::array<char, BUFFER_SIZE> buffer {};
+
+            HashData hash;
+            while (inputFile.read(buffer.data(), buffer.size()))
+            {
+                hash.update(buffer.data(), inputFile.gcount());
+            }
+            hash.update(buffer.data(), inputFile.gcount());
+
+            return hash.hash();
+        }
+
+        throw std::runtime_error {"Unable to open '" + filepath + "' for hashing."};
+    };
+} // namespace Utils
+
+#pragma GCC diagnostic pop
+
+#endif // _HASH_HELPER_H
diff --git a/src/common/hashHelper/tests/CMakeLists.txt b/src/common/hashHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..edfc42b521
--- /dev/null
+++ b/src/common/hashHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "hashHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/hashHelper/tests/hashHelper_test.cpp b/src/common/hashHelper/tests/hashHelper_test.cpp
new file mode 100644
index 0000000000..51be579a81
--- /dev/null
+++ b/src/common/hashHelper/tests/hashHelper_test.cpp
@@ -0,0 +1,112 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Sep 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "hashHelper_test.h"
+#include "hashHelper.h"
+#include <filesystem>
+
+void HashHelperTest::SetUp() {};
+
+void HashHelperTest::TearDown() {};
+
+using ::testing::_;
+using ::testing::Return;
+using namespace Utils;
+
+// Path where the test files reside.
+const std::filesystem::path INPUT_FILES_DIR {std::filesystem::current_path() / "input_files"};
+
+// Test file used for hashing.
+const std::filesystem::path TEST_FILE {INPUT_FILES_DIR / "test_file.xyz"};
+
+TEST_F(HashHelperTest, UnsupportedHashType)
+{
+    EXPECT_THROW(HashData hash{static_cast<HashType>(15)}, std::runtime_error);
+}
+
+TEST_F(HashHelperTest, HashHelperHashBufferSha1)
+{
+    const unsigned char expected[] {0x2d, 0x53, 0x3b, 0x9d, 0x9f, 0x0f, 0x06, 0xef, 0x4e, 0x3c, 0x23, 0xfd, 0x49, 0x6c, 0xfe, 0xb2, 0x78, 0x0e, 0xda, 0x7f};
+    const std::string data{"HASH"};
+    HashData hash;
+    hash.update(data.c_str(), data.size());
+    const auto result{ hash.hash() };
+    EXPECT_EQ(sizeof(expected), result.size());
+    EXPECT_TRUE(!memcmp(expected, result.data(), result.size()));
+}
+
+TEST_F(HashHelperTest, HashHelperHashIterativeSha1)
+{
+    const unsigned char expected[] {0x2d, 0x53, 0x3b, 0x9d, 0x9f, 0x0f, 0x06, 0xef, 0x4e, 0x3c, 0x23, 0xfd, 0x49, 0x6c, 0xfe, 0xb2, 0x78, 0x0e, 0xda, 0x7f};
+    const std::string data{"HASH"};
+    HashData hash;
+
+    for (const auto& value : data)
+    {
+        hash.update(&value, sizeof(value));
+    }
+
+    const auto result{ hash.hash() };
+    EXPECT_EQ(sizeof(expected), result.size());
+    EXPECT_TRUE(!memcmp(expected, result.data(), result.size()));
+}
+
+TEST_F(HashHelperTest, HashHelperHashBufferSha256)
+{
+    const unsigned char expected[] {0xc1, 0xfb, 0x44, 0xc7, 0x26, 0x28, 0xea, 0xe4, 0x91, 0x32, 0x06, 0x2f, 0xe5, 0x10, 0x9f, 0x65,
+                                    0x0b, 0x6a, 0x7a, 0xb9, 0x03, 0x33, 0x6e, 0x7f, 0xcd, 0x2e, 0xf8, 0xf5, 0xeb, 0xa0, 0x41, 0x51
+                                   };
+    const std::string data{"HASH"};
+    HashData hash{HashType::Sha256};
+    hash.update(data.c_str(), data.size());
+    const auto result{ hash.hash() };
+    EXPECT_EQ(sizeof(expected), result.size());
+    EXPECT_TRUE(!memcmp(expected, result.data(), result.size()));
+}
+
+TEST_F(HashHelperTest, HashHelperHashIterativeSha256)
+{
+    const unsigned char expected[] {0xc1, 0xfb, 0x44, 0xc7, 0x26, 0x28, 0xea, 0xe4, 0x91, 0x32, 0x06, 0x2f, 0xe5, 0x10, 0x9f, 0x65,
+                                    0x0b, 0x6a, 0x7a, 0xb9, 0x03, 0x33, 0x6e, 0x7f, 0xcd, 0x2e, 0xf8, 0xf5, 0xeb, 0xa0, 0x41, 0x51
+                                   };
+    const std::string data{"HASH"};
+    HashData hash{HashType::Sha256};
+
+    for (const auto& value : data)
+    {
+        hash.update(&value, sizeof(value));
+    }
+
+    const auto result{ hash.hash() };
+    EXPECT_EQ(sizeof(expected), result.size());
+    EXPECT_TRUE(!memcmp(expected, result.data(), result.size()));
+}
+
+/**
+ * @brief Test the hashing of a file.
+ *
+ */
+TEST_F(HashHelperTest, HashFile)
+{
+    const std::vector<unsigned char> expectedHash { 0x2e, 0x95, 0xd7, 0x58, 0x2c, 0x53, 0x58, 0x3f, 0xa8, 0xaf,
+                                                    0xb5, 0x4e, 0x0f, 0xe7, 0xa2, 0x59, 0x7c, 0x92, 0xcb, 0xba};
+
+    EXPECT_EQ(Utils::hashFile(TEST_FILE), expectedHash);
+}
+
+/**
+ * @brief Test the hashing of an inexistant file.
+ *
+ */
+TEST_F(HashHelperTest, HashFileInexistantFile)
+{
+    EXPECT_THROW(Utils::hashFile(INPUT_FILES_DIR / "inexistant_file.xml"), std::runtime_error);
+}
diff --git a/src/common/hashHelper/tests/hashHelper_test.h b/src/common/hashHelper/tests/hashHelper_test.h
new file mode 100644
index 0000000000..fe2b2da3a5
--- /dev/null
+++ b/src/common/hashHelper/tests/hashHelper_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Sep 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef HASH_HELPER_TESTS_H
+#define HASH_HELPER_TESTS_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class HashHelperTest : public ::testing::Test
+{
+    protected:
+
+        HashHelperTest() = default;
+        virtual ~HashHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //HASH_HELPER_TESTS_H
\ No newline at end of file
diff --git a/src/common/hashHelper/tests/input_files/test_file.xyz b/src/common/hashHelper/tests/input_files/test_file.xyz
new file mode 100644
index 0000000000..3995316735
Binary files /dev/null and b/src/common/hashHelper/tests/input_files/test_file.xyz differ
diff --git a/src/common/hashHelper/tests/main.cpp b/src/common/hashHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/hashHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/modules/upgrade/tests/CMakeLists.txt b/src/common/hash_op/CMakeLists.txt
similarity index 100%
rename from src/modules/upgrade/tests/CMakeLists.txt
rename to src/common/hash_op/CMakeLists.txt
diff --git a/src/common/hash_op/include/hash_op.h b/src/common/hash_op/include/hash_op.h
new file mode 100644
index 0000000000..5faf49810f
--- /dev/null
+++ b/src/common/hash_op/include/hash_op.h
@@ -0,0 +1,106 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Common API for dealing with hash operations */
+
+#ifndef OS_HASHOP
+#define OS_HASHOP
+#include <pthread.h>
+
+/* Node structure */
+typedef struct _OSHashNode {
+    struct _OSHashNode *next;
+    struct _OSHashNode *prev;
+
+    char *key;
+    void *data;
+} OSHashNode;
+
+typedef struct _OSHash {
+    unsigned int rows;
+    unsigned int initial_seed;
+    unsigned int constant;
+    pthread_rwlock_t mutex;
+    unsigned int elements;
+
+    void (*free_data_function)(void *data);
+    OSHashNode **table;
+} OSHash;
+
+typedef enum _OSHash_results_codes {
+    OSHASH_ERROR = 0,
+    OSHASH_DUPLICATE,
+    OSHASH_SUCCESS,
+} OSHash_results_codes;
+
+/* Prototypes */
+
+/* Create and initialize hash */
+OSHash *OSHash_Create(void);
+
+/* Free the memory used by the hash */
+int OSHash_SetFreeDataPointer(OSHash *self, void (free_data_function)(void *)) __attribute__((nonnull));
+void *OSHash_Free(OSHash *self) __attribute__((nonnull));
+
+/* Returns 0 on error
+ * Returns 1 on duplicated key (not added)
+ * Returns 2 on success
+ * Key must not be NULL
+ */
+int OSHash_Add(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Numeric_Add_ex(OSHash *hash, int key, void *data) __attribute__((nonnull(1, 3)));
+int OSHash_Add_ex(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Add_ins(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Update(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Update_ex(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Set(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSHash_Set_ex(OSHash *hash, const char *key, void *data) __attribute__((nonnull(1, 2)));
+void *OSHash_Delete(OSHash *self, const char *key) __attribute__((nonnull));
+void *OSHash_Numeric_Delete_ex(OSHash *self, int key) __attribute__((nonnull(1)));
+void *OSHash_Delete_ex(OSHash *self, const char *key) __attribute__((nonnull));
+void *OSHash_Delete_ins(OSHash *self, const char *key) __attribute__((nonnull));
+
+/* Returns NULL on error (key not found)
+ * Returns the key otherwise
+ * Key must not be NULL
+ */
+void *OSHash_Get(const OSHash *self, const char *key) __attribute__((nonnull));
+void *OSHash_Numeric_Get_ex(const OSHash *self, int key) __attribute__((nonnull(1)));
+void *OSHash_Get_ex(const OSHash *self, const char *key) __attribute__((nonnull));
+void *OSHash_Get_ex_dup(const OSHash *self, const char *key, void*(*duplicator)(void*)) __attribute__((nonnull));
+void *OSHash_Get_ins(const OSHash *self, const char *key) __attribute__((nonnull));
+
+unsigned int OSHash_Get_Elem_ex(OSHash *self) __attribute__((nonnull));
+
+int OSHash_setSize(OSHash *self, unsigned int new_size) __attribute__((nonnull));
+int OSHash_setSize_ex(OSHash *self, unsigned int new_size) __attribute__((nonnull));
+
+OSHash *OSHash_Duplicate(const OSHash *hash) __attribute__((nonnull));
+OSHash *OSHash_Duplicate_ex(const OSHash *hash) __attribute__((nonnull));
+
+OSHashNode *OSHash_Begin(const OSHash *self, unsigned int *i);
+OSHashNode *OSHash_Begin_ex(const OSHash *self, unsigned int *i);
+
+OSHashNode *OSHash_Next(const OSHash *self, unsigned int *i, OSHashNode *current);
+void *OSHash_Clean(OSHash *self, void (*cleaner)(void*));
+
+/*
+ * Safe iteration of the hash Table
+ * Mode: 0 (read it), 1 (write it), 2 (write it with delay)
+*/
+void OSHash_It(const OSHash *hash, void *data, void (*iterating_function)(OSHashNode **row, OSHashNode **node, void *data));
+void OSHash_It_ex(const OSHash *hash, char mode, void *data, void (*iterating_function)(OSHashNode **row, OSHashNode **node, void *data));
+
+/*
+ * Returns the index of the key.
+*/
+unsigned int OSHash_GetIndex(OSHash *self, const char *key);
+
+#endif /* OS_HASHOP */
diff --git a/src/common/hash_op/src/hash_op.c b/src/common/hash_op/src/hash_op.c
new file mode 100644
index 0000000000..690a3850c2
--- /dev/null
+++ b/src/common/hash_op/src/hash_op.c
@@ -0,0 +1,716 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Common API for dealing with hashes/maps */
+
+#include "shared.h"
+
+static unsigned int _os_genhash(const OSHash *self, const char *key) __attribute__((nonnull));
+
+int _OSHash_Add(OSHash *self, const char *key, void *data, int update);
+
+
+/* Create hash
+ * Returns NULL on error
+ */
+OSHash *OSHash_Create()
+{
+    unsigned int i = 0;
+    OSHash *self;
+
+    /* Allocate memory for the hash */
+    self = (OSHash *) calloc(1, sizeof(OSHash));
+    if (!self) {
+        return (NULL);
+    }
+
+    /* Set default row size */
+    self->rows = os_getprime(32);
+    if (self->rows == 0) {
+        free(self);
+        return (NULL);
+    }
+
+    /* Create hashing table */
+    self->table = (OSHashNode **)calloc(self->rows + 1, sizeof(OSHashNode *));
+    if (!self->table) {
+        free(self);
+        return (NULL);
+    }
+
+    /* Zero our tables */
+    for (i = 0; i <= self->rows; i++) {
+        self->table[i] = NULL;
+    }
+
+    /* Get seed */
+    srandom((unsigned int)time(0));
+    self->initial_seed = os_getprime((unsigned)os_random() % self->rows);
+    self->constant = os_getprime((unsigned)os_random() % self->rows);
+    w_rwlock_init(&self->mutex, NULL);
+    return (self);
+}
+
+/* Set the pointer to the function to free the memory data */
+int OSHash_SetFreeDataPointer(OSHash *self, void (free_data_function)(void *))
+{
+    self->free_data_function = free_data_function;
+    return (1);
+}
+
+/* Free the memory used by the hash */
+void *OSHash_Free(OSHash *self)
+{
+    unsigned int i = 0;
+    OSHashNode *curr_node;
+    OSHashNode *next_node;
+
+    /* Free each entry */
+    while (i <= self->rows) {
+        curr_node = self->table[i];
+        next_node = curr_node;
+        while (next_node) {
+            next_node = next_node->next;
+            if (curr_node->key) free(curr_node->key);
+            /* Take care of the data as well (if a function has been defined) */
+            if (curr_node->data && self->free_data_function) self->free_data_function(curr_node->data);
+            free(curr_node);
+            curr_node = next_node;
+        }
+        i++;
+    }
+
+    /* Free the hash table */
+    free(self->table);
+    pthread_rwlock_destroy(&self->mutex);
+    free(self);
+    return (NULL);
+}
+
+/* Generates hash for key */
+static unsigned int _os_genhash(const OSHash *self, const char *key)
+{
+    unsigned int hash_key = self->initial_seed;
+
+    /* What we have here is a simple polynomial hash.
+     * x0 * a^k-1 .. xk * a^k-k +1
+     */
+    while (*key) {
+        hash_key *= self->constant;
+        hash_key += (unsigned int) * key;
+        key++;
+    }
+
+    return (hash_key);
+}
+
+/* Set new size for hash
+ * Returns 0 on error (out of memory)
+ */
+int OSHash_setSize(OSHash *self, unsigned int new_size)
+{
+    unsigned int i = 0, orig_size = self->rows;
+    OSHashNode **tmpTable = NULL;
+
+    /* We can't decrease the size */
+    if (new_size <= self->rows) {
+        return (1);
+    }
+
+    /* Get next prime */
+    self->rows = os_getprime(new_size);
+    if (self->rows == 0) {
+        return (0);
+    }
+
+    /* Resize hash table */
+    /* If a call to realloc() fails, the pointer passed to it will remain unchanged */
+    tmpTable = (OSHashNode **) realloc(self->table, (self->rows + 1) * sizeof(OSHashNode *));
+    if (!tmpTable) return (0);
+
+    /* If a call to realloc() succeeds, the pointer passed to it would have been freed */
+    self->table = tmpTable;
+
+    /* Check if previous tables had allocated data */
+    OSHashNode *curr_node, *next_node;
+    for(i = 0; i < orig_size; i++) {
+        curr_node = self->table[i];
+        next_node = curr_node;
+        while(next_node) {
+            next_node = next_node->next;
+            if (curr_node->key) free(curr_node->key);
+            /* Take care of the data as well (if a function has been defined) */
+            if (curr_node->data && self->free_data_function) self->free_data_function(curr_node->data);
+            free(curr_node);
+            curr_node = next_node;
+        }
+    }
+
+    /* Zero our tables */
+    for (i = 0; i <= self->rows; i++) {
+        self->table[i] = NULL;
+    }
+
+    /* New seed */
+    self->initial_seed = os_getprime(456 % self->rows);
+    self->constant = os_getprime(789 % self->rows);
+
+    return (1);
+}
+
+int OSHash_setSize_ex(OSHash *self, unsigned int new_size)
+{
+    int result;
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_setSize(self,new_size);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+    return result;
+}
+
+
+/** int OSHash_Update(OSHash *self, char *key, void *data)
+ * Returns 0 on error (not found).
+ * Returns 1 on success. Data updated
+ * Key must not be NULL.
+ */
+int OSHash_Update(OSHash *self, const char *key, void *data)
+{
+    unsigned int hash_key;
+    unsigned int index;
+    OSHashNode *curr_node;
+
+    /* Generate hash of the message */
+    hash_key = _os_genhash(self, key);
+
+    /* Get array index */
+    index = hash_key % self->rows;
+
+    /* Check for duplicated entries in the index */
+    curr_node = self->table[index];
+    while (curr_node) {
+        /* Checking for duplicated key -- not adding */
+        if (strcmp(curr_node->key, key) == 0) {
+            if (curr_node->data && self->free_data_function) {
+                self->free_data_function(curr_node->data);
+            }
+            curr_node->data = data;
+            return (1);
+        }
+        curr_node = curr_node->next;
+    }
+    return (0);
+}
+
+/** int OSHash_Update_ex(OSHash *self, char *key, void *data)
+ * Returns 0 on error (not found).
+ * Returns 1 on success. Data updated
+ * Key must not be NULL.
+ */
+int OSHash_Update_ex(OSHash *self, const char *key, void *data)
+{
+    int result;
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Update(self,key,data);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+/** int OSHash_Add(OSHash *self, char *key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (not added)
+ * Returns 2 on success
+ * Key must not be NULL.
+ */
+int OSHash_Add(OSHash *self, const char *key, void *data) {
+    return _OSHash_Add(self, key, data, 0);
+}
+
+/** int OSHash_Set(OSHash *self, char *key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (updated)
+ * Returns 2 on success (added)
+ * Key must not be NULL.
+ */
+int OSHash_Set(OSHash *self, const char *key, void *data) {
+    return _OSHash_Add(self, key, data, 1);
+}
+
+int _OSHash_Add(OSHash *self, const char *key, void *data, int update)
+{
+    unsigned int hash_key;
+    unsigned int index;
+    OSHashNode *curr_node;
+    OSHashNode *new_node;
+
+    /* Generate hash of the message */
+    hash_key = _os_genhash(self, key);
+
+    /* Get array index */
+    index = hash_key % self->rows;
+
+    /* Check for duplicated entries in the index */
+    curr_node = self->table[index];
+    while (curr_node) {
+        /* Checking for duplicated key */
+        if (strcmp(curr_node->key, key) == 0) {
+            if (update) {
+                 curr_node->data = data;
+            }
+            return (1);
+        }
+        curr_node = curr_node->next;
+    }
+
+    /* Create new node */
+    new_node = (OSHashNode *) calloc(1, sizeof(OSHashNode));
+    if (!new_node) {
+        mdebug1("hash_op: calloc() failed!");
+        return (0);
+    }
+    new_node->next = NULL;
+    new_node->prev = NULL;
+    new_node->data = data;
+    new_node->key = strdup(key);
+    if ( new_node->key == NULL ) {
+        free(new_node);
+        mdebug1("hash_op: strdup() failed!");
+        return (0);
+    }
+
+    /* Add to table */
+    if (!self->table[index]) {
+        self->table[index] = new_node;
+    }
+    /* If there is duplicated, add to the beginning */
+    else {
+        new_node->next = self->table[index];
+        self->table[index]->prev = new_node;
+        self->table[index] = new_node;
+    }
+
+    self->elements = self->elements + 1;
+
+    return (2);
+}
+
+/** int OSHash_Numeric_Add_ex(OSHash *self, int key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (not added)
+ * Returns 2 on success
+ * Key must not be NULL.
+ */
+int OSHash_Numeric_Add_ex(OSHash *self, int key, void *data)
+{
+    char string_key[12];
+    int result;
+
+    snprintf(string_key, 12, "%d", key);
+    result = OSHash_Add_ex(self, string_key, data);
+
+    return result;
+}
+
+/** int OSHash_Add_ex(OSHash *self, char *key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (not added)
+ * Returns 2 on success
+ * Key must not be NULL.
+ */
+int OSHash_Add_ex(OSHash *self, const char *key, void *data)
+{
+    int result;
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Add(self,key,data);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+/** int OSHash_Set_ex(OSHash *self, char *key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (updated)
+ * Returns 2 on success (added)
+ * Key must not be NULL.
+ */
+int OSHash_Set_ex(OSHash *self, const char *key, void *data)
+{
+    int result;
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Set(self,key,data);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+/** int OSHash_Add_ins(OSHash *self, char *key, void *data)
+ * Returns 0 on error.
+ * Returns 1 on duplicated key (not added)
+ * Returns 2 on success
+ * Key must not be NULL.
+ */
+int OSHash_Add_ins(OSHash *self, const char *key, void *data)
+{
+    int result;
+    char *key_cpy = strdup(key);
+    str_lowercase(key_cpy);
+    result = OSHash_Add_ex(self,key_cpy,data);
+    free(key_cpy);
+    return result;
+}
+
+/** void *OSHash_Get(OSHash *self, char *key)
+ * Returns NULL on error (key not found).
+ * Returns the key otherwise.
+ * Key must not be NULL.
+ */
+void *OSHash_Get(const OSHash *self, const char *key)
+{
+    unsigned int hash_key;
+    unsigned int index;
+    const OSHashNode *curr_node;
+
+    /* Generate hash of the message */
+    hash_key = _os_genhash(self, key);
+
+    /* Get array index */
+    index = hash_key % self->rows;
+
+    /* Get entry */
+    curr_node = self->table[index];
+
+    while (curr_node != NULL) {
+        /* Skip null pointers */
+        if (curr_node->key != NULL) {
+            /* We may have collisions, so double check with strcmp */
+            if (strcmp(curr_node->key, key) == 0) {
+                return (curr_node->data);
+            }
+        }
+        curr_node = curr_node->next;
+    }
+
+    return (NULL);
+}
+
+/** void *OSHash_Numeric_Get_ex(OSHash *self, int key)
+ * Returns NULL on error (key not found).
+ * Returns the key otherwise.
+ * Key must not be NULL.
+ */
+void *OSHash_Numeric_Get_ex(const OSHash *self, int key)
+{
+    char string_key[12];
+    void *result;
+
+    snprintf(string_key, 12, "%d", key);
+    result = OSHash_Get_ex(self, string_key);
+
+    return result;
+}
+
+/** void *OSHash_Get_ex(OSHash *self, char *key)
+ * Returns NULL on error (key not found).
+ * Returns the key otherwise.
+ * Key must not be NULL.
+ */
+void *OSHash_Get_ex(const OSHash *self, const char *key)
+{
+    void *result;
+    w_rwlock_rdlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Get(self,key);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+/** void *OSHash_Get_ex_dup(OSHash *self, char *key, void(*duplicator)(void*))
+ * Returns NULL on error (key not found).
+ * Returns a copy of the data otherwise. Must be freed by the caller.
+ * Key must not be NULL.
+ */
+void *OSHash_Get_ex_dup(const OSHash *self, const char *key, void*(*duplicator)(void*))
+{
+    void *result;
+    w_rwlock_rdlock((pthread_rwlock_t *)&self->mutex);
+    result = duplicator(OSHash_Get(self, key));
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+/** void *OSHash_Get_ins(OSHash *self, char *key)
+ * Returns NULL on error (key not found).
+ * Returns the key otherwise.
+ * Key must not be NULL.
+ */
+void *OSHash_Get_ins(const OSHash *self, const char *key)
+{
+    void *result;
+    char *key_cpy = strdup(key);
+    str_lowercase(key_cpy);
+    result = OSHash_Get_ex(self,key_cpy);
+    free(key_cpy);
+    return result;
+}
+
+/* Return the number of elements in the hash table */
+unsigned int OSHash_Get_Elem_ex(OSHash *self) {
+    unsigned int ret;
+    w_rwlock_rdlock((pthread_rwlock_t *)&self->mutex);
+    ret = self->elements;
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return ret;
+}
+
+/* Return a pointer to a hash node if found, that hash node is removed from the table */
+void *OSHash_Delete(OSHash *self, const char *key)
+{
+    OSHashNode *curr_node;
+    OSHashNode *prev_node = NULL;
+    unsigned int hash_key;
+    unsigned int index;
+    void *data;
+
+    /* Generate hash of the message */
+    hash_key = _os_genhash(self, key);
+
+    /* Get array index */
+    index = hash_key % self->rows;
+
+    curr_node = self->table[index];
+    while ( curr_node != NULL ) {
+        if (strcmp(curr_node->key, key) == 0) {
+            if ( prev_node == NULL ) {
+                self->table[index] = curr_node->next;
+            } else {
+                prev_node->next = curr_node->next;
+            }
+            if (curr_node->next) {
+                curr_node->next->prev = prev_node;
+            }
+            free(curr_node->key);
+            data = curr_node->data;
+            free(curr_node);
+            self->elements = self->elements - 1;
+            return data;
+        }
+        prev_node = curr_node;
+        curr_node = curr_node->next;
+    }
+
+    return NULL;
+}
+
+void *OSHash_Numeric_Delete_ex(OSHash *self, int key)
+{
+    char string_key[12];
+    void *result;
+
+    snprintf(string_key, 12, "%d", key);
+    result = OSHash_Delete_ex(self, string_key);
+
+    return result;
+}
+
+/* Return a pointer to a hash node if found, that hash node is removed from the table */
+void *OSHash_Delete_ex(OSHash *self, const char *key)
+{
+    void *result;
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Delete(self,key);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+void *OSHash_Delete_ins(OSHash *self, const char *key)
+{
+    void *result;
+    char *key_cpy = strdup(key);
+    str_lowercase(key_cpy);
+    result = OSHash_Delete_ex(self,key_cpy);
+    free(key_cpy);
+    return result;
+}
+
+OSHash *OSHash_Duplicate(const OSHash *hash) {
+    OSHash *self;
+    unsigned int i;
+    OSHashNode *curr_node;
+    OSHashNode **next_addr;
+
+    os_calloc(1, sizeof(OSHash), self);
+    self->rows = hash->rows;
+    self->initial_seed = hash->initial_seed;
+    self->constant = hash->constant;
+    self->free_data_function = hash->free_data_function;
+
+    os_calloc(self->rows + 1, sizeof(OSHashNode*), self->table);
+    w_rwlock_init(&self->mutex, NULL);
+
+    for (i = 0; i <= self->rows; i++) {
+        next_addr = &self->table[i];
+
+        for (curr_node = hash->table[i]; curr_node; curr_node = curr_node->next) {
+            os_calloc(1, sizeof(OSHashNode), *next_addr);
+            (*next_addr)->key = strdup(curr_node->key);
+            (*next_addr)->data = curr_node->data;
+            next_addr = &(*next_addr)->next;
+        }
+    }
+
+    return self;
+}
+
+OSHash *OSHash_Duplicate_ex(const OSHash *hash) {
+
+    OSHash *result;
+
+    w_rwlock_rdlock((pthread_rwlock_t *)&hash->mutex);
+    result = OSHash_Duplicate(hash);
+    w_rwlock_unlock((pthread_rwlock_t *)&hash->mutex);
+
+    return result;
+}
+
+
+OSHashNode *OSHash_Begin(const OSHash *self, unsigned int *i){
+
+    OSHashNode *curr_node;
+    *i = 0;
+
+    if (self) {
+        while (*i <= self->rows) {
+            curr_node = self->table[*i];
+            if (curr_node && curr_node->key) {
+                return curr_node;
+            }
+            (*i)++;
+        }
+    }
+
+    return NULL;
+}
+
+OSHashNode *OSHash_Begin_ex(const OSHash *self, unsigned int *i){
+
+    OSHashNode *result;
+    w_rwlock_wrlock((pthread_rwlock_t *)&self->mutex);
+    result = OSHash_Begin(self, i);
+    w_rwlock_unlock((pthread_rwlock_t *)&self->mutex);
+
+    return result;
+}
+
+OSHashNode *OSHash_Next(const OSHash *self, unsigned int *i, OSHashNode *current){
+
+    if(current && current->next){
+        return current->next;
+    }
+
+    (*i)++;
+
+    while (*i <= self->rows) {
+        current = self->table[*i];
+        if (current && current->key) {
+            return current;
+        }
+        (*i)++;
+    }
+
+    return NULL;
+}
+
+void *OSHash_Clean(OSHash *self, void (*cleaner)(void*)){
+    unsigned int i;
+    OSHashNode *curr_node;
+    OSHashNode *next_node;
+
+    curr_node = OSHash_Begin(self, &i);
+    if(curr_node){
+        do {
+            next_node = OSHash_Next(self, &i, curr_node);
+            if(curr_node->key){
+                free(curr_node->key);
+            }
+            if(curr_node->data){
+                cleaner(curr_node->data);
+            }
+            free(curr_node);
+            curr_node = next_node;
+        } while (curr_node);
+    }
+
+    /* Free the hash table */
+    free(self->table);
+    pthread_rwlock_destroy(&self->mutex);
+    free(self);
+    return NULL;
+}
+
+void OSHash_It(const OSHash *hash, void *data, void (*iterating_function)(OSHashNode **row, OSHashNode **node, void *data)) {
+    unsigned int i;
+    OSHashNode *node_it;
+
+    for (i = 0; i < hash->rows; i++) {
+        node_it = hash->table[i];
+        while (node_it && node_it->key) {
+            OSHashNode *node_cpy = node_it;
+
+            iterating_function(&hash->table[i], &node_it, data);
+
+            // To avoid infinite loops
+            if (node_cpy == node_it) {
+                node_it = node_it->next;
+            }
+        }
+    }
+}
+
+void OSHash_It_ex(const OSHash *hash, char mode, void *data, void (*iterating_function)(OSHashNode **row, OSHashNode **node, void *data)) {
+    switch (mode) {
+        case 0:
+            w_rwlock_rdlock((pthread_rwlock_t *)&hash->mutex);
+        break;
+        case 1:
+            w_rwlock_wrlock((pthread_rwlock_t *)&hash->mutex);
+        break;
+        case 2:
+            w_rwlock_wrlock((pthread_rwlock_t *)&hash->mutex);
+            sleep(1);
+        break;
+        default:
+            return;
+    }
+    OSHash_It(hash, data, iterating_function);
+    w_rwlock_unlock((pthread_rwlock_t *)&hash->mutex);
+}
+
+
+/*
+ * Returns the index of the key.
+ * Key must not be NULL.
+ */
+unsigned int OSHash_GetIndex(OSHash *self, const char *key)
+{
+    unsigned int hash_key;
+    unsigned int index;
+
+    /* Generate hash of the message */
+    hash_key = _os_genhash(self, key);
+
+    /* Get array index */
+    index = hash_key % self->rows;
+
+    return index;
+}
diff --git a/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.c b/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.c
new file mode 100644
index 0000000000..13ff74b10e
--- /dev/null
+++ b/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.c
@@ -0,0 +1,236 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "hash_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../common.h"
+
+
+OSHash *mock_hashmap = NULL;
+
+OSHash *__real_OSHash_Create();
+
+int setup_hashmap(__attribute__((unused)) void **state) {
+    mock_hashmap = __real_OSHash_Create();
+
+    if (mock_hashmap == NULL) {
+        return -1;
+    }
+
+    return 0;
+}
+
+int teardown_hashmap(__attribute__((unused)) void **state) {
+    if (mock_hashmap) {
+        OSHash_Free(mock_hashmap);
+        mock_hashmap = NULL;
+    }
+
+    return 0;
+}
+
+int __real_OSHash_Add(OSHash *self, const char *key, void *data);
+int __wrap_OSHash_Add(__attribute__((unused)) OSHash *self, const char *key, void *data) {
+    int retval;
+
+    if (key) check_expected(key);
+
+    retval = mock();
+
+    if (mock_hashmap != NULL && retval != 0) {
+        __real_OSHash_Add(mock_hashmap, key, data);
+    }
+
+    return retval;
+}
+
+int __real_OSHash_Add_ex(OSHash *self, const char *key, void *data);
+int __wrap_OSHash_Add_ex(__attribute__((unused)) OSHash *self, const char *key, void *data) {
+    int retval;
+
+    if (test_mode){
+        check_expected(self);
+        check_expected(key);
+        if (OSHash_Add_ex_check_data) {
+            check_expected(data);
+        }
+        retval =  mock();
+
+        if (mock_hashmap != NULL && retval != 0) {
+            __real_OSHash_Add(mock_hashmap, key, data);
+        }
+
+        return retval;
+    }
+    return __real_OSHash_Add_ex(self, key, data);
+}
+
+void *__wrap_OSHash_Begin(const OSHash *self, __attribute__((unused)) unsigned int *i) {
+    check_expected_ptr(self);
+
+    return mock_type(OSHashNode*);
+}
+
+void * __real_OSHash_Begin_ex(const OSHash *self, unsigned int *i);
+void * __wrap_OSHash_Begin_ex(const OSHash *self, __attribute__((unused)) unsigned int *i) {
+    OSHashNode* retval;
+
+    if (test_mode){
+        check_expected(self);
+        retval = mock_type(OSHashNode*);
+
+        if (mock_hashmap != NULL) {
+            __real_OSHash_Begin(mock_hashmap, i);
+        }
+
+        return retval;
+    }
+    return __real_OSHash_Begin_ex(self, i);
+}
+
+void *__real_OSHash_Clean(OSHash *self, void (*cleaner)(void*));
+void *__wrap_OSHash_Clean(__attribute__((unused)) OSHash *self,
+                          __attribute__((unused)) void (*cleaner)(void*)) {
+    if (test_mode == 0) {
+        return __real_OSHash_Clean(self, cleaner);
+    }
+
+    return mock_type(void *);
+}
+
+OSHash *__wrap_OSHash_Create() {
+    if (test_mode == 0) {
+        return __real_OSHash_Create();
+    }
+
+    function_called();
+
+    return mock_type(OSHash *);
+}
+
+void *__real_OSHash_Delete_ex(OSHash *self, const char *key);
+void *__wrap_OSHash_Delete_ex(OSHash *self, const char *key) {
+    void *retval = NULL;
+    if (test_mode == 0) {
+        return __real_OSHash_Delete_ex(self, key);
+    }
+
+    check_expected(self);
+    check_expected(key);
+    retval = mock_type(void *);
+    if (mock_hashmap != NULL) {
+        void *aux = __real_OSHash_Delete(mock_hashmap, key);
+        if (aux != NULL && mock_hashmap->free_data_function) {
+            mock_hashmap->free_data_function(aux);
+        }
+    }
+
+    return retval;
+}
+
+void *__wrap_OSHash_Delete(OSHash *self, const char *key) {
+    if (test_mode){
+        check_expected(self);
+        check_expected(key);
+        return mock_type(void*);
+    }
+    return __real_OSHash_Delete_ex(self, key);
+}
+
+void *__real_OSHash_Get(const OSHash *self, const char *key);
+void *__wrap_OSHash_Get(const OSHash *self, const char *key) {
+    if (test_mode){
+        check_expected(self);
+        check_expected(key);
+        return mock_type(void*);
+    }
+    return __real_OSHash_Get(self, key);
+}
+
+void *__wrap_OSHash_Get_ex(const OSHash *self, const char *key) {
+    check_expected(self);
+    check_expected(key);
+
+    return mock_type(void*);
+}
+
+void *__wrap_OSHash_Get_ex_dup(const OSHash *self, const char *key, __attribute__((unused)) void*(*duplicator)(void*)) {
+    check_expected(self);
+    check_expected(key);
+    return mock_type(void*);
+}
+
+void *__wrap_OSHash_Numeric_Get_ex(const OSHash *self, int key) {
+    check_expected(self);
+    check_expected(key);
+
+    return mock_type(void*);
+}
+
+void *__wrap_OSHash_Next(const OSHash *self,
+                         __attribute__((unused)) unsigned int *i,
+                         __attribute__((unused)) OSHashNode *current) {
+    check_expected_ptr(self);
+    return mock_type(OSHashNode*);
+}
+
+int __wrap_OSHash_SetFreeDataPointer(__attribute__((unused)) OSHash *self, void (free_data_function)(void *)) {
+    function_called();
+
+    if (mock_hashmap != NULL && free_data_function != NULL) {
+        __real_OSHash_SetFreeDataPointer(mock_hashmap, free_data_function);
+    }
+
+    return mock();
+}
+
+int __wrap_OSHash_setSize(__attribute__((unused)) OSHash *self,
+                          __attribute__((unused)) unsigned int new_size) {
+    return mock();
+}
+
+int __real_OSHash_Update(OSHash *self, const char *key, void *data);
+int __wrap_OSHash_Update(__attribute__((unused)) OSHash *self,
+                            __attribute__((unused)) const char *key,
+                            __attribute__((unused)) void *data) {
+    int retval = mock();
+
+    if (mock_hashmap != NULL && retval != 0) {
+        __real_OSHash_Update(mock_hashmap, key, data);
+    }
+
+    return retval;
+}
+
+int __wrap_OSHash_Update_ex(__attribute__((unused)) OSHash *self,
+                            __attribute__((unused)) const char *key,
+                            __attribute__((unused)) void *data) {
+    int retval = mock();
+
+    if (mock_hashmap != NULL && retval != 0) {
+        __real_OSHash_Update(mock_hashmap, key, data);
+    }
+
+    return retval;
+}
+
+int __wrap_OSHash_Get_Elem_ex(OSHash *self) {
+    check_expected_ptr(self);
+    return mock();
+}
+
+int __wrap_OSHash_Set(OSHash *self, const char *key, void *data) {
+    check_expected_ptr(self);
+    check_expected_ptr(key);
+    check_expected_ptr(data);
+    return mock();
+}
diff --git a/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.h b/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.h
new file mode 100644
index 0000000000..d4b6ca483c
--- /dev/null
+++ b/src/common/hash_op/tests/unit/wrappers/hash_op_wrappers.h
@@ -0,0 +1,72 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef HASH_OP_WRAPPERS_H
+#define HASH_OP_WRAPPERS_H
+
+#include "hash_op.h"
+
+extern OSHash *mock_hashmap;
+
+int setup_hashmap(void **state);
+int teardown_hashmap(void **state);
+
+int __wrap_OSHash_Add(OSHash *self, const char *key, void *data);
+int __real_OSHash_Add(OSHash *hash, const char *key, void *data);
+
+int __real_OSHash_Add_ex(OSHash *self, const char *key, void *data);
+int __wrap_OSHash_Add_ex(__attribute__((unused)) OSHash *self, const char *key, void *data);
+
+void *__real_OSHash_Begin(const OSHash *self, unsigned int *i);
+void *__wrap_OSHash_Begin(const OSHash *self, unsigned int *i);
+
+void *__real_OSHash_Begin_ex(const OSHash *self, unsigned int *i);
+void *__wrap_OSHash_Begin_ex(const OSHash *self, __attribute__((unused)) unsigned int *i);
+
+void *__real_OSHash_Clean(OSHash *self, void (*cleaner)(void*));
+void *__wrap_OSHash_Clean(OSHash *self, void (*cleaner)(void*));
+
+OSHash *__wrap_OSHash_Create();
+OSHash * __real_OSHash_Create();
+
+void *__wrap_OSHash_Delete_ex(OSHash *self, const char *key);
+
+void *__real_OSHash_Delete(OSHash *self, const char *key);
+void *__wrap_OSHash_Delete(OSHash *self, const char *key);
+
+void *__wrap_OSHash_Get(const OSHash *self, const char *key);
+void *__real_OSHash_Get(const OSHash *self, const char *key);
+
+void *__real_OSHash_Get_ex(const OSHash *self, const char *key);
+void *__wrap_OSHash_Get_ex(const OSHash *self, const char *key);
+
+void *__wrap_OSHash_Get_ex_dup(const OSHash *self, const char *key, void*(*duplicator)(void*));
+
+void *__real_OSHash_Numeric_Get_ex(const OSHash *self, int key);
+void *__wrap_OSHash_Numeric_Get_ex(const OSHash *self, int key);
+
+void *__wrap_OSHash_Next(const OSHash *self, unsigned int *i, OSHashNode *current);
+
+int __real_OSHash_SetFreeDataPointer(OSHash *self, void (free_data_function)(void *));
+int __wrap_OSHash_SetFreeDataPointer(OSHash *self, void (free_data_function)(void *));
+
+int __wrap_OSHash_setSize(OSHash *self, unsigned int new_size);
+
+int __wrap_OSHash_Update_ex(OSHash *self, const char *key, void *data);
+
+int __wrap_OSHash_Update(OSHash *self, const char *key, void *data);
+
+extern int OSHash_Add_ex_check_data;
+
+int __wrap_OSHash_Get_Elem_ex(OSHash *self);
+
+int __wrap_OSHash_Set(OSHash *self, const char *key, void *data);
+
+#endif
diff --git a/src/common/jsonHelper/CMakeLists.txt b/src/common/jsonHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/jsonHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/jsonHelper/include/jsonIO.hpp b/src/common/jsonHelper/include/jsonIO.hpp
new file mode 100644
index 0000000000..7c73c35600
--- /dev/null
+++ b/src/common/jsonHelper/include/jsonIO.hpp
@@ -0,0 +1,68 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _JSONIO_HPP
+#define _JSONIO_HPP
+
+#include <filesystem>
+#include <fstream>
+
+/**
+ * Class to read and write json files
+ */
+template <typename T>
+class JsonIO
+{
+    public:
+
+        /**
+         * Read a json file
+         * @param filePath Path to the json file
+         * @return Json object
+         */
+        static T readJson(const std::filesystem::path& filePath)
+        {
+            std::ifstream file(filePath);
+
+            if (!file.is_open())
+            {
+                throw std::runtime_error("Could not open file");
+            }
+
+            T json;
+            file >> json;
+            return json;
+        }
+
+        /**
+         * Write a json file
+         * @param filePath Path to the json file
+         * @param json Json object
+         */
+        static void writeJson(const std::filesystem::path& filePath, const T& json)
+        {
+            std::ofstream file(filePath);
+
+            if (!file.is_open())
+            {
+                throw std::runtime_error("Could not open file");
+            }
+
+            file << json;
+
+            if (!file.good())
+            {
+                throw std::runtime_error("Could not write file");
+            }
+        }
+};
+
+#endif
diff --git a/src/common/data_provider/src/data_provider.cpp b/src/common/json_op/CMakeLists.txt
similarity index 100%
rename from src/common/data_provider/src/data_provider.cpp
rename to src/common/json_op/CMakeLists.txt
diff --git a/src/common/json_op/include/json_op.h b/src/common/json_op/include/json_op.h
new file mode 100644
index 0000000000..f6269f82b6
--- /dev/null
+++ b/src/common/json_op/include/json_op.h
@@ -0,0 +1,58 @@
+/*
+ * JSON support library
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 11, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef JSON_OP_H
+#define JSON_OP_H
+
+#define JSON_MAX_FSIZE 2147483648
+
+#include <cJSON.h>
+
+/**
+ * @brief It temporarily saves in memory the content of the file located in path.
+ * It also allows requesting and verifying that the JSON has a null termination
+ * and recovers the pointer to the last parsed byte.
+ *
+ * @param path  location of the file to be read.
+ * @param retry if set to 1, allows the operation to be retried if json parsing fails. It also removes C/C++ type comments.
+ * If it is set to 0, it does not perform the retry.
+ * @return cJSON*
+ */
+cJSON * json_fread(const char * path, char retry);
+
+/**
+ * @brief Represent a cJSON entity in plain text for storage in the file located at path.
+ *
+ * @param path location of the file to be write.
+ * @param item json entity to be represented in text.
+ * @return int stores the result of the write operation. If it returns -1 it indicates that the operation was not carried out correctly.
+ * If it returns 0, it indicates that the operation was successful.
+ */
+int json_fwrite(const char * path, const cJSON * item);
+
+/**
+ * @brief Clear C/C++ style comments from a JSON string.
+ *
+ * @param json json to which comment stripping is applied.
+ */
+void json_strip(char * json);
+
+// Check if a JSON object is tagged
+#define json_tagged_obj(x) (x && x->string)
+
+/**
+ * Parses agents array and returns an array of agent ids
+ * @param agents array of agents
+ * @return pointer to array of agent ids
+ * */
+int* json_parse_agents(const cJSON* agents);
+
+#endif
diff --git a/src/common/json_op/src/json_op.c b/src/common/json_op/src/json_op.c
new file mode 100644
index 0000000000..6175f51eb5
--- /dev/null
+++ b/src/common/json_op/src/json_op.c
@@ -0,0 +1,146 @@
+/*
+ * JSON support library
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 11, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+
+cJSON * json_fread(const char * path, char retry) {
+    cJSON * item = NULL;
+    char * buffer = NULL;
+    const char *jsonErrPtr;
+
+    if (buffer = w_get_file_content(path, JSON_MAX_FSIZE), !buffer) {
+        mdebug1("Cannot get the content of the file: %s", path);
+        return NULL;
+    }
+
+    if (item = cJSON_ParseWithOpts(buffer, &jsonErrPtr, 0), !item) {
+        if (retry) {
+            mdebug1("Couldn't parse JSON file '%s'. Trying to clear comments.", path);
+            json_strip(buffer);
+
+            if (item = cJSON_ParseWithOpts(buffer, &jsonErrPtr, 0), !item) {
+                mdebug1("Couldn't parse JSON file '%s'.", path);
+            }
+        }
+    }
+
+    free(buffer);
+    return item;
+}
+
+int json_fwrite(const char * path, const cJSON * item) {
+    FILE * fp = NULL;
+    char * buffer;
+    size_t size;
+    int retval = -1;
+
+    if (buffer = cJSON_PrintUnformatted(item), !buffer) {
+        mdebug1("Internal error dumping JSON into file '%s'", path);
+        return -1;
+    }
+
+    size = strlen(buffer);
+
+    if (fp = wfopen(path, "w"), !fp) {
+        mdebug1(FOPEN_ERROR, path, errno, strerror(errno));
+        goto end;
+    }
+
+    if (fwrite(buffer, 1, size, fp) != size) {
+        mdebug1("Couldn't write JSON into '%s': %s (%d)", path, strerror(errno), errno);
+        goto end;
+    }
+
+    retval = 0;
+
+end:
+    free(buffer);
+
+    if (fp) {
+        fclose(fp);
+    }
+
+    return retval;
+}
+
+void json_strip(char * json) {
+    char * line;
+    char * cursor;
+    char * next;
+
+    for (line = json; line; line = next) {
+        if (next = strchr(line, '\n'), next) {
+            *next = '\0';
+        }
+
+        // Skip whitespaces
+        cursor = line + strspn(line, " \t");
+
+        if (!strncmp(cursor, "//", 2)) {
+            if (next) {
+                // If there are more lines, copy all of them
+                *next = '\n';
+                memmove(cursor, next, strlen(next) + 1);
+                next = cursor + 1;
+            } else {
+                // Otherwise end string here
+                *cursor = '\0';
+                break;
+            }
+        } else if (!strncmp(cursor, "/*", 2)) {
+            if (next) {
+                *next = '\n';
+            }
+
+            if (next = strstr(cursor + 2, "*/"), next) {
+                memmove(cursor, next + 2, strlen(next + 2) + 1);
+                next = cursor;
+            } else {
+                // This is a syntax error - unterminated comment
+                break;
+            }
+        } else if (next) {
+            // Restore newline and move forward
+            *next++ = '\n';
+        }
+    }
+
+}
+
+int* json_parse_agents(const cJSON* agents) {
+    int *agent_ids = NULL;
+    int agents_size = 0;
+    int agent_index = 0;
+    int error_flag = 0;
+
+    agents_size = cJSON_GetArraySize(agents);
+
+    os_calloc(agents_size + 1, sizeof(int), agent_ids);
+    agent_ids[agent_index] = OS_INVALID;
+
+    while(!error_flag && (agent_index < agents_size)) {
+        cJSON *agent = cJSON_GetArrayItem(agents, agent_index);
+        if (agent->type == cJSON_Number) {
+            agent_ids[agent_index] = agent->valueint;
+            agent_ids[agent_index + 1] = OS_INVALID;
+        } else {
+            error_flag = 1;
+        }
+        agent_index++;
+    }
+
+    if (error_flag) {
+        os_free(agent_ids);
+        return NULL;
+    }
+
+    return agent_ids;
+}
diff --git a/src/common/json_op/tests/unit/tests/CMakeLists.txt b/src/common/json_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..8a2d83b6f4
--- /dev/null
+++ b/src/common/json_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+if(NOT ${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_names "test_json_op")
+list(APPEND shared_tests_flags "-Wl,--wrap,w_get_file_content -Wl,--wrap,cJSON_ParseWithOpts \
+                                -Wl,--wrap,cJSON_PrintUnformatted -Wl,--wrap,fopen \
+                                -Wl,--wrap,fwrite -Wl,--wrap,fclose -Wl,--wrap,wfopen \
+                                -Wl,--wrap,fflush -Wl,--wrap,fgets \
+                                -Wl,--wrap,fgetpos -Wl,--wrap,fgetc \
+                                -Wl,--wrap,fread -Wl,--wrap,remove \
+                                -Wl,--wrap,fseek -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/json_op/tests/unit/tests/test_json_op.c b/src/common/json_op/tests/unit/tests/test_json_op.c
new file mode 100644
index 0000000000..51bee73581
--- /dev/null
+++ b/src/common/json_op/tests/unit/tests/test_json_op.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+
+#include "../../headers/json_op.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/common.h"
+#include "../../headers/shared.h"
+
+#define PATH_EXAMPLE "/home/test"
+#define BUFFER_EXAMPLE "//This is a comment"
+
+static int teardown(void **state) {
+    if (state[0]) {
+        int *ids = (int*)state[0];
+        os_free(ids);
+    }
+    return 0;
+}
+
+static void test_json_fread_buffer_null(void **state) {
+    (void) state;
+    const char * DEBUG_MESSAGE_FREAD_BUFFER_NULL = "Cannot get the content of the file: /home/test";
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    expect_w_get_file_content(NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FREAD_BUFFER_NULL);
+
+    assert_ptr_equal(json_fread(path, 1), NULL);
+
+    os_free(path);
+}
+
+static void test_json_fread_no_retry(void **state) {
+    (void) state;
+    char * buffer;
+    os_strdup(BUFFER_EXAMPLE, buffer);
+    expect_w_get_file_content(buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    will_return(__wrap_cJSON_ParseWithOpts, (cJSON*)1);
+    will_return(__wrap_cJSON_ParseWithOpts, (cJSON*)1);
+
+    assert_ptr_equal(json_fread(path, 0), 0X1);
+
+    os_free(path);
+}
+
+static void test_json_fread_with_retry(void **state) {
+    (void) state;
+    const char * DEBUG_MESSAGE_FREAD_TRYING_CLEAR_COMMENTS = "Couldn't parse JSON file '/home/test'. Trying to clear comments.";
+    const char * DEBUG_MESSAGE_FREAD_COULD_NOT_PARSE_JSON = "Couldn't parse JSON file '/home/test'.";
+    char * buffer;
+    os_strdup(BUFFER_EXAMPLE, buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    expect_w_get_file_content(buffer);
+    will_return(__wrap_cJSON_ParseWithOpts, NULL);
+    will_return(__wrap_cJSON_ParseWithOpts, NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FREAD_TRYING_CLEAR_COMMENTS);
+    will_return(__wrap_cJSON_ParseWithOpts, NULL);
+    will_return(__wrap_cJSON_ParseWithOpts, NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FREAD_COULD_NOT_PARSE_JSON);
+
+    assert_ptr_equal(json_fread(path, 1), NULL);
+
+    os_free(path);
+}
+
+static void test_json_fread_successfully(void **state) {
+    (void) state;
+    char * buffer;
+    os_strdup(BUFFER_EXAMPLE, buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    expect_w_get_file_content(buffer);
+    will_return(__wrap_cJSON_ParseWithOpts, (cJSON*)8);
+    will_return(__wrap_cJSON_ParseWithOpts, (cJSON*)8);
+
+    assert_ptr_equal(json_fread(path, 0), 0X8);
+
+    os_free(path);
+}
+
+static void test_json_fwrite_buffer_null(void **state) {
+    (void) state;
+    test_mode = 1;
+    const char * DEBUG_MESSAGE_FWRITE_DUMPING_JSON = "Internal error dumping JSON into file '/home/test'";
+    cJSON * item = NULL;
+    FILE *fp = NULL;
+    char *buffer = NULL;
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    will_return(__wrap_cJSON_PrintUnformatted, buffer);
+    expect_string(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FWRITE_DUMPING_JSON);
+
+    assert_int_equal(json_fwrite(path, item), -1);
+
+    test_mode = 0;
+    os_free(path);
+}
+
+static void test_json_fwrite_fail_open(void **state) {
+    (void) state;
+    test_mode = 1;
+    const char * JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR = "//This is a comment \n{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    const char * DEBUG_MESSAGE_FWRITE_COULD_NOT_OPEN_FILE = "(1103): Could not open file '/home/test' due to";
+    cJSON * item = NULL;
+    FILE *fp = NULL;
+    char * buffer;
+    os_strdup(JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR, buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    will_return(__wrap_cJSON_PrintUnformatted, buffer);
+    expect_wfopen(path, "w", fp);
+    expect_memory(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FWRITE_COULD_NOT_OPEN_FILE, strlen(DEBUG_MESSAGE_FWRITE_COULD_NOT_OPEN_FILE));
+
+    assert_int_equal(json_fwrite(path, item), -1);
+
+    test_mode = 0;
+    os_free(path);
+}
+
+static void test_json_fwrite_fail_write(void **state) {
+    (void) state;
+    test_mode = 1;
+    const char * DEBUG_MESSAGE_FWRITE_COULD_NOT_WRITE = "Couldn't write JSON into '/home/test'";
+    cJSON * item = NULL;
+    FILE *fp = (FILE*)1;
+    char * buffer;
+    os_strdup(BUFFER_EXAMPLE, buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    will_return(__wrap_cJSON_PrintUnformatted, buffer);
+    test_mode = 0;
+    expect_wfopen(path, "w", fp);
+    test_mode = 1;
+    will_return(__wrap_fwrite, strlen(buffer)-1);
+    expect_memory(__wrap__mdebug1, formatted_msg, DEBUG_MESSAGE_FWRITE_COULD_NOT_WRITE, strlen(DEBUG_MESSAGE_FWRITE_COULD_NOT_WRITE));
+    expect_fclose(fp, 1);
+
+    assert_int_equal(json_fwrite(path, item), -1);
+
+    test_mode = 0;
+    os_free(path);
+}
+
+static void test_json_fwrite_successfully(void **state) {
+    (void) state;
+    const char * JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR = "//This is a comment \n{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    cJSON * item = (cJSON*)2;
+    FILE *fp = (FILE*)2;
+    char * buffer;
+    os_strdup(JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR, buffer);
+    char * path;
+    os_strdup(PATH_EXAMPLE, path);
+
+    will_return(__wrap_cJSON_PrintUnformatted, buffer);
+    test_mode = 0;
+    expect_wfopen(path, "w", fp);
+    will_return(__wrap_fwrite, strlen(buffer));
+    test_mode = 1;
+    expect_fclose(fp, 1);
+    assert_int_equal(json_fwrite(path, item), 0);
+
+    test_mode = 0;
+    os_free(path);
+}
+
+static void test_json_strip_delete_comment_single_bar(void **state) {
+    (void) state;
+    const char * JSON_EXAMPLE_WITH_COMMENT_SINGLE_BAR = "/*This is a comment*/{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    const char * EXPECTED_JSON_EXAMPLE_WITH_COMMENT_SINGLE_BAR = "{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    char * buffer;
+    os_strdup(JSON_EXAMPLE_WITH_COMMENT_SINGLE_BAR, buffer);
+
+    json_strip(buffer);
+
+    assert_string_equal(buffer, EXPECTED_JSON_EXAMPLE_WITH_COMMENT_SINGLE_BAR);
+
+    os_free(buffer);
+}
+
+static void test_json_strip_delete_comment_double_bar(void **state) {
+    (void) state;
+    const char * EXPECTED_JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR = "\n{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    const char * JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR = "//This is a comment \n{\"fruit\":[{\"lemon\":200},{\"banana\":100}]}";
+    char * buffer;
+    os_strdup(JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR, buffer);
+
+    json_strip(buffer);
+
+    assert_string_equal(buffer, EXPECTED_JSON_EXAMPLE_WITH_COMMENT_DOBLE_BAR);
+
+    os_free(buffer);
+}
+
+static void test_json_strip_file_without_json_content(void **state) {
+    (void) state;
+    const char * FILE_WITHOUT_JSON_CONTENT = "/*this is a comment*/ \0";
+    const char * STRING_EMPTY = " ";
+    char * buffer;
+    os_strdup(FILE_WITHOUT_JSON_CONTENT, buffer);
+
+    json_strip(buffer);
+
+    assert_string_equal(buffer, STRING_EMPTY);
+
+    os_free(buffer);
+}
+
+void test_json_parse_agents_success(void **state)
+{
+    cJSON *agents = cJSON_CreateArray();
+    cJSON *agent1 = cJSON_CreateNumber(15);
+    cJSON *agent2 = cJSON_CreateNumber(23);
+    cJSON *agent3 = cJSON_CreateNumber(8);
+    cJSON_AddItemToArray(agents, agent1);
+    cJSON_AddItemToArray(agents, agent2);
+    cJSON_AddItemToArray(agents, agent3);
+
+    int* agent_ids = json_parse_agents(agents);
+
+    cJSON_Delete(agents);
+
+    state[0] = (void*)agent_ids;
+    state[1] = NULL;
+
+    assert_non_null(agent_ids);
+    assert_int_equal(agent_ids[0], 15);
+    assert_int_equal(agent_ids[1], 23);
+    assert_int_equal(agent_ids[2], 8);
+    assert_int_equal(agent_ids[3], -1);
+}
+
+void test_json_parse_agents_type_error(void **state)
+{
+    cJSON *agents = cJSON_CreateArray();
+    cJSON *agent1 = cJSON_CreateNumber(15);
+    cJSON *agent2 = cJSON_CreateString("23");
+    cJSON *agent3 = cJSON_CreateNumber(8);
+    cJSON_AddItemToArray(agents, agent1);
+    cJSON_AddItemToArray(agents, agent2);
+    cJSON_AddItemToArray(agents, agent3);
+
+    int* agent_ids = json_parse_agents(agents);
+
+    cJSON_Delete(agents);
+
+    state[1] = NULL;
+
+    assert_null(agent_ids);
+}
+
+void test_json_parse_agents_empty(void **state)
+{
+    cJSON *agents = cJSON_CreateArray();
+
+    int* agent_ids = json_parse_agents(agents);
+
+    cJSON_Delete(agents);
+
+    state[0] = (void*)agent_ids;
+    state[1] = NULL;
+
+    assert_non_null(agent_ids);
+    assert_int_equal(agent_ids[0], -1);
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_json_fread_buffer_null),
+        cmocka_unit_test(test_json_fread_no_retry),
+        cmocka_unit_test(test_json_fread_with_retry),
+        cmocka_unit_test(test_json_fread_successfully),
+        cmocka_unit_test(test_json_fwrite_buffer_null),
+        cmocka_unit_test(test_json_fwrite_fail_open),
+        cmocka_unit_test(test_json_fwrite_fail_write),
+        cmocka_unit_test(test_json_fwrite_successfully),
+        cmocka_unit_test(test_json_strip_delete_comment_double_bar),
+        cmocka_unit_test(test_json_strip_delete_comment_single_bar),
+        cmocka_unit_test(test_json_strip_file_without_json_content),
+        // json_parse_agents
+        cmocka_unit_test_teardown(test_json_parse_agents_success, teardown),
+        cmocka_unit_test_teardown(test_json_parse_agents_type_error, teardown),
+        cmocka_unit_test_teardown(test_json_parse_agents_empty, teardown)
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/json_op/tests/unit/wrappers/json_op_wrappers.c b/src/common/json_op/tests/unit/wrappers/json_op_wrappers.c
new file mode 100644
index 0000000000..aa43bd6dd3
--- /dev/null
+++ b/src/common/json_op/tests/unit/wrappers/json_op_wrappers.c
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "json_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+cJSON * __wrap_json_fread(const char * path, __attribute__((unused)) char retry) {
+    if (path) check_expected(path);
+    return mock_type(cJSON *);
+}
+
+int __wrap_json_fwrite(const char * path, const cJSON * item) {
+    check_expected(path);
+    check_expected(item);
+    return mock_type(int);
+}
+
+int* __wrap_json_parse_agents(__attribute__((unused))const cJSON* agents) {
+    return mock_ptr_type(int*);
+}
diff --git a/src/common/json_op/tests/unit/wrappers/json_op_wrappers.h b/src/common/json_op/tests/unit/wrappers/json_op_wrappers.h
new file mode 100644
index 0000000000..798543e1cc
--- /dev/null
+++ b/src/common/json_op/tests/unit/wrappers/json_op_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef JSON_OP_WRAPPERS_H
+#define JSON_OP_WRAPPERS_H
+
+#include "../../../../headers/shared.h"
+
+cJSON * __wrap_json_fread(const char * path, char retry);
+int __wrap_json_fwrite(const char * path, const cJSON * item);
+
+int* __wrap_json_parse_agents(const cJSON* agents);
+
+int* __wrap_json_parse_agents(const cJSON* agents);
+
+#endif
diff --git a/src/common/linuxHelper/CMakeLists.txt b/src/common/linuxHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/linuxHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/linuxHelper/include/linuxInfoHelper.h b/src/common/linuxHelper/include/linuxInfoHelper.h
new file mode 100644
index 0000000000..1a3cf379f2
--- /dev/null
+++ b/src/common/linuxHelper/include/linuxInfoHelper.h
@@ -0,0 +1,78 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 10, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef LINUXINFO_HELPER_H
+#define LINUXINFO_HELPER_H
+
+#include "filesystemHelper.h"
+#include <vector>
+#include <cstdint>
+#include <string>
+#include <unistd.h>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    /**
+     * @brief Get system boot time in seconds since epoch
+     *
+     * @return uint64_t system boot time in seconds since epoch
+     */
+    static uint64_t getBootTime(void)
+    {
+        static uint64_t btime;
+
+        try
+        {
+            if (0UL == btime)
+            {
+                const std::string key {"btime "};
+                const auto file { Utils::getFileContent("/proc/stat") };
+
+                btime = std::stoull(file.substr(file.find(key) + key.length()));
+            }
+        }
+        // LCOV_EXCL_START
+        catch (...)
+        {}
+
+        // LCOV_EXCL_STOP
+
+        return btime;
+    }
+
+    /**
+     * @brief Get the number of clock ticks per second
+     *
+     * @return uint64_t number of clock ticks per second
+     */
+    static uint64_t getClockTick(void)
+    {
+        static uint64_t tick { static_cast<uint64_t>(sysconf(_SC_CLK_TCK)) };
+
+        return tick;
+    }
+
+    /**
+     * @brief Convert a boot-relative time in ticks to seconds since epoch
+     *
+     * @param startTime boot-relative time in ticks
+     * @return uint64_t seconds since epoch
+     */
+    static uint64_t timeTick2unixTime(const uint64_t startTime)
+    {
+        return (startTime / getClockTick()) + getBootTime();
+    }
+}
+
+#endif // LINUXINFO_HELPER_H
diff --git a/src/common/linuxHelper/tests/CMakeLists.txt b/src/common/linuxHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..11ee487c77
--- /dev/null
+++ b/src/common/linuxHelper/tests/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC
+    "linuxInfoHelper_test.cpp"
+)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/linuxHelper/tests/linuxInfoHelper_test.cpp b/src/common/linuxHelper/tests/linuxInfoHelper_test.cpp
new file mode 100644
index 0000000000..c74d007696
--- /dev/null
+++ b/src/common/linuxHelper/tests/linuxInfoHelper_test.cpp
@@ -0,0 +1,40 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 10, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "linuxInfoHelper_test.h"
+#include "linuxInfoHelper.h"
+#include "cmdHelper.h"
+
+
+void LinuxInfoHelperTest::SetUp() {};
+
+void LinuxInfoHelperTest::TearDown() {};
+
+TEST_F(LinuxInfoHelperTest, getBootTime)
+{
+    const auto btimeNumFromFunc{Utils::getBootTime()};
+
+    const auto btimeStr{Utils::exec("grep 'btime' /proc/stat | awk '{print $2}'")};
+    const auto btimeNumFromProc{std::stoull(btimeStr)};
+
+    EXPECT_FALSE(btimeNumFromFunc != btimeNumFromProc);
+}
+
+TEST_F(LinuxInfoHelperTest, timeTick2unixTime)
+{
+    const auto startTimeStr{Utils::exec("awk '{print $22}' /proc/1/stat")};
+    const auto startTimeNum{std::stoul(startTimeStr)};
+    const auto startTimeUnixFunc{Utils::timeTick2unixTime(startTimeNum)};
+
+    const auto startTimeUnixCmd{std::stoul(Utils::exec("date -d \"`ps -o lstart -p 1|tail -n 1`\" +%s"))};
+
+    EXPECT_FALSE(startTimeUnixFunc != startTimeUnixCmd);
+}
diff --git a/src/common/linuxHelper/tests/linuxInfoHelper_test.h b/src/common/linuxHelper/tests/linuxInfoHelper_test.h
new file mode 100644
index 0000000000..32b6c902a9
--- /dev/null
+++ b/src/common/linuxHelper/tests/linuxInfoHelper_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 10, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef LINUXINFO_HELPER_TESTS_H
+#define LINUXINFO_HELPER_TESTS_H
+#include "gtest/gtest.h"
+
+class LinuxInfoHelperTest : public ::testing::Test
+{
+    protected:
+
+        LinuxInfoHelperTest() = default;
+        virtual ~LinuxInfoHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif // LINUXINFO_HELPER_TESTS_H
diff --git a/src/common/linuxHelper/tests/main.cpp b/src/common/linuxHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/linuxHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/modules/active_response/include/active_response.h b/src/common/list_op/CMakeLists.txt
similarity index 100%
rename from src/modules/active_response/include/active_response.h
rename to src/common/list_op/CMakeLists.txt
diff --git a/src/common/list_op/include/list_op.h b/src/common/list_op/include/list_op.h
new file mode 100644
index 0000000000..2933591892
--- /dev/null
+++ b/src/common/list_op/include/list_op.h
@@ -0,0 +1,113 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Common list API */
+
+#ifndef OS_LIST
+#define OS_LIST
+
+#define OSList_foreach(node_it, list)                                                  \
+    for (node_it = (list != NULL) ? OSList_GetFirstNode(list) : NULL; node_it != NULL; \
+         node_it = OSList_GetNext(list, node_it))
+
+typedef struct _OSListNode {
+    struct _OSListNode *next;
+    struct _OSListNode *prev;
+    void *data;
+} OSListNode;
+
+typedef struct _OSList {
+    OSListNode *first_node;
+    OSListNode *last_node;
+    OSListNode *cur_node;
+
+    int currently_size;
+    int max_size;
+    volatile int count;
+    volatile int pending_remove;
+
+    void (*free_data_function)(void *data);
+    pthread_rwlock_t wr_mutex;
+    pthread_mutex_t mutex;
+} OSList;
+
+OSList *OSList_Create(void);
+
+/**
+ * @brief Frees all resources associated with a list.
+ *
+ * @param list List to be destroyed.
+*/
+void OSList_Destroy(OSList *);
+
+int OSList_SetMaxSize(OSList *list, int max_size);
+int OSList_SetFreeDataPointer(OSList *list, void (free_data_function)(void *));
+
+OSListNode *OSList_GetFirstNode(OSList *) __attribute__((nonnull));
+OSListNode *OSList_GetLastNode(OSList *) __attribute__((nonnull));
+OSListNode *OSList_GetLastNode_group(OSList *) __attribute__((nonnull));
+OSListNode *OSList_GetPrevNode(OSList *) __attribute__((nonnull));
+OSListNode *OSList_GetNextNode(OSList *) __attribute__((nonnull));
+OSListNode *OSList_GetCurrentlyNode(OSList *list) __attribute__((nonnull));
+
+void OSList_DeleteCurrentlyNode(OSList *list) __attribute__((nonnull));
+void OSList_DeleteThisNode(OSList *list, OSListNode *thisnode) __attribute__((nonnull(1)));
+void OSList_DeleteOldestNode(OSList *list) __attribute__((nonnull));
+
+void *OSList_AddData(OSList *list, void *data) __attribute__((nonnull(1)));
+
+/**
+ * @brief Clears all the nodes from a list and frees the referenced data
+ *
+ * @param list List to delete
+ */
+void OSList_CleanNodes(OSList *list);
+
+/**
+ * @brief Clears all the nodes from a list without freeing the referenced data
+ *
+ * @param list List to delete nodes
+ */
+void OSList_CleanOnlyNodes(OSList *list);
+
+/**
+ * @brief Get the next node to a given node
+ *
+ * @param list List where to get the node from
+ * @param node Node reference to get next
+ */
+OSListNode *OSList_GetNext(OSList *list, OSListNode *node);
+
+/**
+ * @brief Insert data in the place of a given node
+ *
+ * @param list List where to get the node from
+ * @param node Node reference to insert new node with data
+ * @param data Data to be insert
+ */
+int OSList_InsertData(OSList *list, OSListNode *node, void *data);
+
+/**
+ * @brief Get the pointer to data from the node placed in index position
+ *
+ * @param list List where to get the node from
+ * @param index Index that indicate the position of the node required
+ */
+void *OSList_GetDataFromIndex(OSList *list, int index);
+
+/**
+ * @brief Insert data at the beggining of a list
+ *
+ * @param list List where the node will be inserted into
+ * @param data Data to be inserted
+ */
+int OSList_PushData(OSList *list, void *data);
+
+#endif /* OS_LIST */
diff --git a/src/common/list_op/src/list_op.c b/src/common/list_op/src/list_op.c
new file mode 100644
index 0000000000..4e916eb49b
--- /dev/null
+++ b/src/common/list_op/src/list_op.c
@@ -0,0 +1,530 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Common API for dealing with lists */
+
+#include "shared.h"
+
+/* Create the list
+ * Returns NULL on error
+ */
+OSList *OSList_Create()
+{
+    OSList *my_list;
+
+    my_list = (OSList *) calloc(1, sizeof(OSList));
+    if (!my_list) {
+        return (NULL);
+    }
+
+    my_list->first_node = NULL;
+    my_list->last_node = NULL;
+    my_list->cur_node = NULL;
+    my_list->currently_size = 0;
+    my_list->max_size = 0;
+    my_list->count = 0;
+    my_list->pending_remove = 0;
+    my_list->free_data_function = NULL;
+    w_rwlock_init(&my_list->wr_mutex, NULL);
+    w_mutex_init(&my_list->mutex, NULL);
+
+    return (my_list);
+}
+
+void OSList_Destroy(OSList *list) {
+    if (!list) {
+        return;
+    }
+
+    OSList_CleanNodes(list);
+
+    w_rwlock_destroy(&list->wr_mutex);
+    w_mutex_destroy(&list->mutex);
+    free(list);
+
+    return;
+}
+
+/* Set the maximum number of elements in the list
+ * Returns 0 on error or 1 on success
+ */
+int OSList_SetMaxSize(OSList *list, int max_size)
+{
+    if (!list) {
+        return (0);
+    }
+
+    /* Minimum size is 1 */
+    if (max_size <= 1) {
+        return (0);
+    }
+
+    list->max_size = max_size;
+
+    return (1);
+}
+
+/* Set the pointer to the function to free the memory data */
+int OSList_SetFreeDataPointer(OSList *list, void (free_data_function)(void *))
+{
+    if (!list) {
+        return (0);
+    }
+
+    list->free_data_function = free_data_function;
+    return (1);
+}
+
+/* Get first node from list
+ * Returns null on invalid list
+ */
+OSListNode *OSList_GetFirstNode(OSList *list)
+{
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    list->cur_node = list->first_node;
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+    return (list->first_node);
+}
+
+/* Get last node from list
+ * Returns null on invalid list
+ */
+OSListNode *OSList_GetLastNode(OSList *list)
+{
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    list->cur_node = list->last_node;
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+    return (list->last_node);
+}
+
+/* Get last node from list
+ * Returns null on invalid list
+ */
+OSListNode *OSList_GetLastNode_group(OSList *list)
+{
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    list->cur_node = list->last_node;
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+    return (list->last_node);
+}
+
+/* Get next node from list
+ * Returns null on invalid list or at the end of the list
+ */
+OSListNode *OSList_GetNextNode(OSList *list)
+{
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    if (list->cur_node == NULL) {
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return (NULL);
+    }
+
+    list->cur_node = list->cur_node->next;
+
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+    return (list->cur_node);
+}
+
+/* Get the prev node from the list
+ * Returns NULL at the beginning
+ */
+OSListNode *OSList_GetPrevNode(OSList *list)
+{
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    if (list->cur_node == NULL) {
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return (NULL);
+    }
+
+    list->cur_node = list->cur_node->prev;
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+    return (list->cur_node);
+}
+
+/* Get the currently node
+ * Returns null when no currently node is available
+ */
+OSListNode *OSList_GetCurrentlyNode(OSList *list)
+{
+    return (list->cur_node);
+}
+
+/* Delete first node from list */
+void OSList_DeleteOldestNode(OSList *list)
+{
+    OSListNode *next;
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+    if (list->first_node) {
+        next = list->first_node->next;
+        if (next) {
+            next->prev = NULL;
+        } else {
+            list->last_node = next;
+        }
+
+        free(list->first_node);
+        list->first_node = next;
+    } else {
+        merror("No Oldest node to delete");
+    }
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return;
+}
+
+/* Delete this node from list
+ * Pointer goes to the next node available
+ */
+void OSList_DeleteThisNode(OSList *list, OSListNode *thisnode)
+{
+    OSListNode *prev;
+    OSListNode *next;
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+    if (thisnode == NULL) {
+        w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return;
+    }
+
+    prev = thisnode->prev;
+    next = thisnode->next;
+
+    /* Setting the previous node of the next one
+     * and the next node of the previous one.. :)
+     */
+    if (prev && next) {
+        prev->next = next;
+        next->prev = prev;
+    } else if (prev) {
+        prev->next = NULL;
+        list->last_node = prev;
+    } else if (next) {
+        next->prev = NULL;
+        list->first_node = next;
+    } else {
+        list->last_node = NULL;
+        list->first_node = NULL;
+    }
+
+    /* Free the node memory */
+    free(thisnode);
+
+    /* Set the currently node to the next one */
+    list->cur_node = next;
+
+    list->currently_size--;
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+}
+
+/* Delete current node from list
+ * Pointer goes to the next node available
+ */
+void OSList_DeleteCurrentlyNode(OSList *list)
+{
+    OSListNode *prev;
+    OSListNode *next;
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+    if (list->cur_node == NULL) {
+        w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return;
+    }
+
+    prev = list->cur_node->prev;
+    next = list->cur_node->next;
+
+    /* Setting the previous node of the next one
+     * and the next node of the previous one.. :)
+     */
+    if (prev && next) {
+        prev->next = next;
+        next->prev = prev;
+    } else if (prev) {
+        prev->next = NULL;
+        list->last_node = prev;
+    } else if (next) {
+        next->prev = NULL;
+        list->first_node = next;
+    } else {
+        list->last_node = NULL;
+        list->first_node = NULL;
+    }
+
+    /* Free the node memory */
+    free(list->cur_node);
+
+    /* Set the current node to the next one */
+    list->cur_node = next;
+
+    list->currently_size--;
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+}
+
+/* Add data to the list
+ * Returns 1 on success and 0 on failure
+ */
+void *OSList_AddData(OSList *list, void *data)
+{
+    OSListNode *newnode;
+    OSListNode *ret;
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    /* Allocate memory for new node */
+    newnode = (OSListNode *) calloc(1, sizeof(OSListNode));
+    if (!newnode) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return NULL;
+    }
+
+    newnode->prev = list->last_node;
+    newnode->next = NULL;
+    newnode->data = data;
+
+    /* If we don't have a first node, assign it */
+    if (!list->first_node) {
+        list->first_node = newnode;
+    }
+
+    /* If we have a last node, set the next to new node */
+    if (list->last_node) {
+        list->last_node->next = newnode;
+    }
+
+    /* newnode becomes last node */
+    list->last_node = newnode;
+
+    /* Increment list size */
+    list->currently_size++;
+
+    /* Ff currently_size higher than the maximum size, remove the
+     * oldest node (first one)
+     */
+    if (list->max_size) {
+        if (list->currently_size > list->max_size && list->first_node->next) {
+            /* Remove first node */
+            newnode = list->first_node->next;
+
+            newnode->prev = NULL;
+
+            /* Clear any internal memory using the pointer */
+            if (list->free_data_function) {
+                list->free_data_function(list->first_node->data);
+            }
+
+            /* Clear the memory */
+            free(list->first_node);
+
+            /* First node become the ex first->next */
+            list->first_node = newnode;
+
+            /* Reduce list size */
+            list->currently_size--;
+        }
+    }
+    ret = list->last_node;
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return ret;
+}
+
+void OSList_CleanNodes(OSList *list) {
+    if (list == NULL) {
+        return;
+    }
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    OSListNode *aux_node = NULL;
+
+    while(list->first_node != NULL) {
+        aux_node = list->first_node;
+        list->first_node = aux_node->next;
+        if (list->free_data_function != NULL) {
+            list->free_data_function(aux_node->data);
+        }
+        free(aux_node);
+    }
+
+    list->last_node = NULL;
+    list->cur_node = NULL;
+    list->first_node = NULL;
+
+    list->currently_size = 0;
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+}
+
+void OSList_CleanOnlyNodes(OSList *list) {
+    if (list == NULL) {
+        return;
+    }
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    OSListNode *aux_node = NULL;
+
+    while(list->first_node != NULL) {
+        aux_node = list->first_node;
+        list->first_node = aux_node->next;
+        os_free(aux_node);
+    }
+
+    list->last_node = NULL;
+    list->cur_node = NULL;
+    list->first_node = NULL;
+
+    list->currently_size = 0;
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+}
+
+OSListNode *OSList_GetNext(OSList *list, OSListNode *node) {
+    OSListNode *next;
+
+    w_rwlock_rdlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+    if (node == NULL) {
+        w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+        w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+        return (NULL);
+    }
+
+    next = node->next;
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return (next);
+}
+
+void *OSList_GetDataFromIndex(OSList *list, int index) {
+    int count = 0;
+    OSListNode *current;
+
+    w_rwlock_rdlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    current = list->first_node;
+
+    while (current != NULL) {
+        if (count == index) {
+            w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+            w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+            return (current->data);
+        }
+        count++;
+        current = current->next;
+    }
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return NULL;
+}
+
+/* Add data to the list
+ * Returns 0 on success and 1 on failure
+ */
+static int _OSList_InsertData(OSList *list, OSListNode *node, void *data) {
+    OSListNode *newnode;
+
+    /* Allocate memory for new node */
+    newnode = (OSListNode *) calloc(1, sizeof(OSListNode));
+    if (newnode == NULL) {
+        // LCOV_EXCL_START
+        merror(MEM_ERROR, errno, strerror(errno));
+        return 1;
+        // LCOV_EXCL_STOP
+    }
+
+    newnode->data = data;
+
+    /* If we don't have a first node, assign it */
+    if (!list->first_node) {
+        list->first_node = newnode;
+        list->last_node = newnode;
+        newnode->prev = NULL;
+        newnode->next = NULL;
+    } else if (node == NULL) {
+        newnode->prev = list->last_node;
+        newnode->prev->next = newnode;
+        newnode->next = NULL;
+        list->last_node = newnode;
+    } else {
+        if (node->prev == NULL) {
+            newnode->prev = NULL;
+            list->first_node = newnode;
+        } else {
+            node->prev->next = newnode;
+            newnode->prev = node->prev;
+        }
+        newnode->next = node;
+        node->prev = newnode;
+    }
+
+    /* Increment list size */
+    list->currently_size++;
+
+    return 0;
+}
+
+int OSList_InsertData(OSList *list, OSListNode *node, void *data) {
+    int retval;
+
+    assert(list != NULL);
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    retval = _OSList_InsertData(list, node, data);
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return retval;
+}
+
+/**
+ * Add data to the begging of the list
+ */
+int OSList_PushData(OSList *list, void *data) {
+    int retval;
+
+    assert(list != NULL);
+
+    w_rwlock_wrlock((pthread_rwlock_t *)&list->wr_mutex);
+    w_mutex_lock((pthread_mutex_t *)&list->mutex);
+
+    retval = _OSList_InsertData(list, list->first_node, data);
+
+    w_mutex_unlock((pthread_mutex_t *)&list->mutex);
+    w_rwlock_unlock((pthread_rwlock_t *)&list->wr_mutex);
+
+    return retval;
+}
diff --git a/src/common/list_op/tests/unit/tests/CMakeLists.txt b/src/common/list_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..b133b02f8c
--- /dev/null
+++ b/src/common/list_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,55 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_list_op")
+set(LIST_OP_BASE_FLAGS "-Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,pthread_mutex_lock \
+                        -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap,pthread_rwlock_unlock \
+                        -Wl,--wrap,pthread_rwlock_wrlock ${DEBUG_OP_WRAPPERS}")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${LIST_OP_BASE_FLAGS} -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${LIST_OP_BASE_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/list_op/tests/unit/tests/test_list_op.c b/src/common/list_op/tests/unit/tests/test_list_op.c
new file mode 100644
index 0000000000..00ebee3dd6
--- /dev/null
+++ b/src/common/list_op/tests/unit/tests/test_list_op.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../syscheckd/include/syscheck.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../headers/shared.h"
+
+syscheck_config config;
+
+static int setup_syscheck_dir_links(void **state) {
+
+    config.directories = OSList_Create();
+    if (config.directories == NULL) {
+        return (1);
+    }
+
+    return 0;
+}
+
+static int teardown_syscheck_dir_links(void **state) {
+
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if (config.directories) {
+        OSList_foreach(node_it, config.directories) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(config.directories);
+        config.directories = NULL;
+    }
+
+    return 0;
+}
+
+void free_data_function(void* data){
+    free(data);
+}
+
+void test_OSList_GetNext_null_return(void **state) {
+
+    OSList *list;
+    OSListNode *node = NULL;
+    OSListNode *node_returned;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    node_returned = OSList_GetNext(list, node);
+
+    assert_null(node_returned);
+
+}
+
+void test_OSList_GetNext_node_return(void **state) {
+
+    OSList *list = config.directories;
+    OSListNode *node;
+    OSListNode *node_returned;
+
+    list->first_node = (OSListNode*) malloc(sizeof(OSListNode));
+    list->first_node->next = (OSListNode*) malloc(sizeof(OSListNode));
+    list->first_node->next->next = NULL;
+    node = list->first_node;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+
+    node_returned = OSList_GetNext(list, node);
+
+    assert_non_null(node_returned);
+
+    OSList_CleanNodes(list);
+
+}
+
+void test_OSList_GetDataFromIndex_null_return(void **state) {
+
+    OSList *list = config.directories;
+    int data_index = 0;
+    void* data_return;
+
+    list->first_node = NULL;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    data_return = OSList_GetDataFromIndex(list, data_index);
+
+    assert_null(data_return);
+
+}
+
+void test_OSList_GetDataFromIndex_data_return(void **state) {
+
+    OSList *list = config.directories;
+    int data_index = 0;
+    void* data_return;
+    char* data = malloc(sizeof(char)*5);
+
+    strncpy (data, "data", 5);
+    list->first_node = (OSListNode*) malloc(sizeof(OSListNode));
+    list->first_node->next = NULL;
+    list->first_node->data = data;
+    list->free_data_function = free_data_function;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+
+    data_return = OSList_GetDataFromIndex(list, data_index);
+
+    assert_ptr_equal(data_return, list->first_node->data);
+
+    OSList_CleanNodes(list);
+    list->free_data_function = NULL;
+}
+
+void test_OSList_InsertData_insert_at_first_position(void **state) {
+
+    OSList *list = config.directories;
+    OSListNode *node = NULL;
+    void *data = NULL;
+    int return_code;
+    int success_code = 0;
+    int list_size_after_insertion = 1;
+
+    list->first_node = NULL;
+    list->last_node = NULL;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    return_code = OSList_InsertData(list, node, data);
+
+    assert_int_equal(return_code, success_code);
+    assert_non_null(list->first_node);
+    assert_non_null(list->last_node);
+    assert_int_equal(list->currently_size,list_size_after_insertion);
+
+    OSList_CleanNodes(list);
+
+}
+
+void test_OSList_InsertData_insert_at_last_position(void **state) {
+
+    OSList *list = config.directories;
+    OSListNode *node = NULL;
+    char *data = malloc(sizeof(char)*5);
+    int return_code;
+    int success_code = 0;
+    int list_size_after_insertion = 1;
+
+    strncpy (data, "data", 5);
+    list->first_node = (OSListNode*) malloc(sizeof(OSListNode));
+    list->first_node->next = (OSListNode*) malloc(sizeof(OSListNode));
+    list->last_node = list->first_node->next;
+    list->last_node->prev = list->first_node;
+    list->last_node->next = NULL;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    return_code = OSList_InsertData(list, node, data);
+
+    assert_int_equal(return_code, success_code);
+    assert_ptr_equal(list->last_node->data, data);
+    assert_int_equal(list->currently_size,list_size_after_insertion);
+
+    OSList_CleanNodes(list);
+    free(data);
+}
+
+void test_OSList_InsertData_insert_at_first_position_before_node(void **state) {
+
+    OSList *list = config.directories;
+    OSListNode *node;
+    char *data = malloc(sizeof(char)*5);
+    int return_code;
+    int success_code = 0;
+    int list_size_after_insertion = 1;
+
+    strncpy (data, "data", 5);
+    list->first_node = (OSListNode*) malloc(sizeof(OSListNode));
+    list->last_node = list->first_node;
+    list->first_node->prev = NULL;
+    list->first_node->next = NULL;
+    list->last_node->next = NULL;
+    node = list->first_node;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    return_code = OSList_InsertData(list, node, &data);
+
+    assert_int_equal(return_code, success_code);
+    assert_ptr_equal(list->first_node->next, node);
+    assert_int_equal(list->currently_size,list_size_after_insertion);
+
+    OSList_CleanNodes(list);
+    free(data);
+}
+
+void test_OSList_InsertData_insert_at_n_position_before_node(void **state) {
+
+    OSList *list = config.directories;
+    OSListNode *node;
+    char *data = malloc(sizeof(char)*5);
+    int return_code;
+    int success_code = 0;
+    int list_size_after_insertion = 1;
+
+    strncpy (data, "data", 5);
+    list->first_node = (OSListNode*) malloc(sizeof(OSListNode));
+    list->first_node->next = (OSListNode*) malloc(sizeof(OSListNode));
+    list->last_node = list->first_node->next;
+    list->last_node->next = NULL;
+    list->last_node->prev = list->first_node;
+    node = list->last_node;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    return_code = OSList_InsertData(list, node, &data);
+
+    assert_int_equal(return_code, success_code);
+    assert_ptr_equal(list->first_node->next, node->prev);
+    assert_int_equal(list->currently_size,list_size_after_insertion);
+
+    OSList_CleanNodes(list);
+    free(data);
+
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_OSList_GetNext_null_return),
+        cmocka_unit_test(test_OSList_GetNext_node_return),
+        cmocka_unit_test(test_OSList_GetDataFromIndex_null_return),
+        cmocka_unit_test(test_OSList_GetDataFromIndex_data_return),
+        cmocka_unit_test(test_OSList_InsertData_insert_at_first_position),
+        cmocka_unit_test(test_OSList_InsertData_insert_at_last_position),
+        cmocka_unit_test(test_OSList_InsertData_insert_at_first_position_before_node),
+        cmocka_unit_test(test_OSList_InsertData_insert_at_n_position_before_node)
+    };
+
+    return cmocka_run_group_tests(tests, setup_syscheck_dir_links, teardown_syscheck_dir_links);
+}
diff --git a/src/common/list_op/tests/unit/wrappers/list_op_wrappers.c b/src/common/list_op/tests/unit/wrappers/list_op_wrappers.c
new file mode 100644
index 0000000000..4194719d96
--- /dev/null
+++ b/src/common/list_op/tests/unit/wrappers/list_op_wrappers.c
@@ -0,0 +1,43 @@
+/* Copyright (C) 2023, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "list_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void *__wrap_OSList_AddData(__attribute__((unused))OSList *list, __attribute__((unused))void *data) {
+
+    bool must_free = mock();
+    if (must_free) {
+        os_free(data);
+    }
+    return mock_type(void *);
+}
+
+void __wrap_OSList_DeleteThisNode(__attribute__((unused))OSList *list, __attribute__((unused))OSListNode *thisnode) {
+    function_called();
+    return;
+}
+
+OSListNode *__wrap_OSList_GetFirstNode(__attribute__((unused))OSList *list) {
+    return mock_type(OSListNode *);
+}
+
+extern void __real_OSList_Destroy(__attribute__((unused))OSList *list);
+void __wrap_OSList_Destroy(__attribute__((unused))OSList *list) {
+    if (test_mode) {
+        function_called();
+    }
+    else {
+        __real_OSList_Destroy(list);
+    }
+    return;
+}
diff --git a/src/common/list_op/tests/unit/wrappers/list_op_wrappers.h b/src/common/list_op/tests/unit/wrappers/list_op_wrappers.h
new file mode 100644
index 0000000000..f738938a5f
--- /dev/null
+++ b/src/common/list_op/tests/unit/wrappers/list_op_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2023, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef LIST_OP_WRAPPERS_H
+#define LIST_OP_WRAPPERS_H
+
+#include "shared.h"
+
+void *__wrap_OSList_AddData(__attribute__((unused))OSList *list, __attribute__((unused))void *data);
+
+void __wrap_OSList_DeleteThisNode(__attribute__((unused))OSList *list, __attribute__((unused))OSListNode *thisnode);
+
+OSListNode *__wrap_OSList_GetFirstNode(__attribute__((unused))OSList *list);
+
+void __wrap_OSList_Destroy(__attribute__((unused))OSList *list);
+
+#endif // LIST_OP_WRAPPERS_H
diff --git a/src/modules/active_response/src/active_response.c b/src/common/logging_helper/CMakeLists.txt
similarity index 100%
rename from src/modules/active_response/src/active_response.c
rename to src/common/logging_helper/CMakeLists.txt
diff --git a/src/common/logging_helper/include/logging_helper.h b/src/common/logging_helper/include/logging_helper.h
new file mode 100644
index 0000000000..2f1b9e7d5e
--- /dev/null
+++ b/src/common/logging_helper/include/logging_helper.h
@@ -0,0 +1,49 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015-2021, Wazuh Inc.
+ * Oct 6, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _LOGGINGHELPER_H
+#define _LOGGINGHELPER_H
+
+typedef enum modules_log_level_t
+{
+    LOG_DEBUG,
+    LOG_INFO,
+    LOG_WARNING,
+    LOG_ERROR,
+    LOG_ERROR_EXIT,
+    LOG_DEBUG_VERBOSE
+} modules_log_level_t;
+
+/**
+ * @brief Global function to send a log message
+ *
+ * @param level Represent the log mode: ERROR, ERROR_EXIT, INFO, WARNING, DEBUG and DEBUG_VERBOSE
+ * @param log Message to send into the log
+ * @param tag Tag representing the module sending the log
+ */
+void taggedLogFunction(modules_log_level_t level, const char* log, const char* tag);
+
+/**
+ * @brief Global function to send a log message
+ *
+ * @param level Represent the log mode: ERROR, ERROR_EXIT, INFO, WARNING, DEBUG and DEBUG_VERBOSE
+ * @param log Message to send into the log
+ */
+void loggingFunction(modules_log_level_t level, const char* log);
+
+/**
+ * @brief Global function to send a error log message
+ *
+ * @param log Message to send into the log as error
+ */
+void loggingErrorFunction(const char* log);
+
+#endif //_LOGGINGHELPER_H
diff --git a/src/common/logging_helper/src/logging_helper.c b/src/common/logging_helper/src/logging_helper.c
new file mode 100644
index 0000000000..de97a805b7
--- /dev/null
+++ b/src/common/logging_helper/src/logging_helper.c
@@ -0,0 +1,69 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015-2021, Wazuh Inc.
+ * Oct 6, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "logging_helper.h"
+#include "debug_op.h"
+
+void loggingErrorFunction(const char * log) {
+    if (log) {
+        merror("%s", log);
+    }
+}
+
+void taggedLogFunction(modules_log_level_t level, const char* log, const char* tag) {
+
+    switch(level) {
+        case LOG_ERROR:
+            mterror(tag, "%s", log);
+            break;
+        case LOG_ERROR_EXIT:
+            mterror_exit(tag, "%s", log);
+            break;
+        case LOG_INFO:
+            mtinfo(tag, "%s", log);
+            break;
+        case LOG_WARNING:
+            mtwarn(tag, "%s", log);
+            break;
+        case LOG_DEBUG:
+            mtdebug1(tag, "%s", log);
+            break;
+        case LOG_DEBUG_VERBOSE:
+            mtdebug2(tag, "%s", log);
+            break;
+        default:;
+    }
+}
+
+void loggingFunction(modules_log_level_t level, const char* log) {
+
+    switch(level) {
+        case LOG_ERROR:
+            merror("%s", log);
+            break;
+        case LOG_ERROR_EXIT:
+            merror_exit("%s", log);
+            break;
+        case LOG_INFO:
+            minfo("%s", log);
+            break;
+        case LOG_WARNING:
+            mwarn("%s", log);
+            break;
+        case LOG_DEBUG:
+            mdebug1("%s", log);
+            break;
+        case LOG_DEBUG_VERBOSE:
+            mdebug2("%s", log);
+            break;
+        default:;
+    }
+}
diff --git a/src/common/mapWrapper/CMakeLists.txt b/src/common/mapWrapper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/mapWrapper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/mapWrapper/include/mapWrapperSafe.h b/src/common/mapWrapper/include/mapWrapperSafe.h
new file mode 100644
index 0000000000..5d2fe609d8
--- /dev/null
+++ b/src/common/mapWrapper/include/mapWrapperSafe.h
@@ -0,0 +1,50 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 18, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _MAP_WRAPPER_SAFE_H_
+#define _MAP_WRAPPER_SAFE_H_
+
+#include <map>
+#include <mutex>
+
+namespace Utils
+{
+    template<typename Key, typename Value>
+    class MapWrapperSafe final
+    {
+            std::map<Key, Value> m_map;
+            std::mutex m_mutex;
+        public:
+            // LCOV_EXCL_START
+            MapWrapperSafe() = default;
+            // LCOV_EXCL_STOP
+            void insert(const Key& key, const Value& value)
+            {
+                std::lock_guard<std::mutex> lock(m_mutex);
+                m_map.emplace(key, value);
+            }
+
+            Value operator[](const Key& key)
+            {
+                std::lock_guard<std::mutex> lock(m_mutex);
+                const auto it { m_map.find(key) };
+                return m_map.end() != it ? it->second : Value();
+            }
+
+            void erase(const Key& key)
+            {
+                std::lock_guard<std::mutex> lock(m_mutex);
+                m_map.erase(key);
+            }
+    };
+};
+
+
+#endif //_MAP_WRAPPER_SAFE_H_
\ No newline at end of file
diff --git a/src/common/mapWrapper/tests/CMakeLists.txt b/src/common/mapWrapper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..d488e3171d
--- /dev/null
+++ b/src/common/mapWrapper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "mapWrapperSafe_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/mapWrapper/tests/main.cpp b/src/common/mapWrapper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/mapWrapper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/mapWrapper/tests/mapWrapperSafe_test.cpp b/src/common/mapWrapper/tests/mapWrapperSafe_test.cpp
new file mode 100644
index 0000000000..a5608f6819
--- /dev/null
+++ b/src/common/mapWrapper/tests/mapWrapperSafe_test.cpp
@@ -0,0 +1,36 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Sep 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <thread>
+#include <chrono>
+#include "mapWrapperSafe_test.h"
+#include "mapWrapperSafe.h"
+
+
+void MapWrapperSafeTest::SetUp() {};
+
+void MapWrapperSafeTest::TearDown() {};
+
+TEST_F(MapWrapperSafeTest, insertTest)
+{
+    Utils::MapWrapperSafe<int, int> mapSafe;
+    mapSafe.insert(1, 2);
+    EXPECT_EQ(2, mapSafe[1]);
+}
+
+TEST_F(MapWrapperSafeTest, eraseTest)
+{
+    Utils::MapWrapperSafe<int, int> mapSafe;
+    mapSafe.insert(1, 2);
+    EXPECT_NO_THROW(mapSafe.erase(1));
+    EXPECT_EQ(0, mapSafe[1]);
+}
+
diff --git a/src/common/mapWrapper/tests/mapWrapperSafe_test.h b/src/common/mapWrapper/tests/mapWrapperSafe_test.h
new file mode 100644
index 0000000000..4d4ec37359
--- /dev/null
+++ b/src/common/mapWrapper/tests/mapWrapperSafe_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * Sep 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef MAP_WRAPPER_SAFE_TESTS_H
+#define MAP_WRAPPER_SAFE_TESTS_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class MapWrapperSafeTest : public ::testing::Test
+{
+    protected:
+
+        MapWrapperSafeTest() = default;
+        virtual ~MapWrapperSafeTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //MAP_WRAPPER_SAFE_TESTS_H
\ No newline at end of file
diff --git a/src/modules/aws/include/aws.h b/src/common/math_op/CMakeLists.txt
similarity index 100%
rename from src/modules/aws/include/aws.h
rename to src/common/math_op/CMakeLists.txt
diff --git a/src/common/math_op/include/math_op.h b/src/common/math_op/include/math_op.h
new file mode 100644
index 0000000000..b96fc8d7ab
--- /dev/null
+++ b/src/common/math_op/include/math_op.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef H_MATHOP_OS
+#define H_MATHOP_OS
+
+/**
+ * @brief Get the first available prime after the provided value.
+ *
+ * @param val Provided value.
+ * @return Returns the first available prime or 0 on error.
+ */
+unsigned int os_getprime(unsigned int val);
+
+#endif
diff --git a/src/common/math_op/src/math_op.c b/src/common/math_op/src/math_op.c
new file mode 100644
index 0000000000..3982b69abe
--- /dev/null
+++ b/src/common/math_op/src/math_op.c
@@ -0,0 +1,45 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+*/
+
+#include "shared.h"
+
+
+unsigned int os_getprime(unsigned int val)
+{
+    unsigned int i;
+    unsigned int max_i;
+
+    /* Value can't be even */
+    if ((val % 2) == 0) {
+        val++;
+    }
+
+    do {
+        /* We just need to check odd numbers up until half
+         * the size of the provided value
+         */
+        i = 3;
+        max_i = val / 2;
+        while (i <= max_i) {
+            /* Not prime */
+            if ((val % i) == 0) {
+                break;
+            }
+            i += 2;
+        }
+
+        /* Prime */
+        if (i >= max_i) {
+            return (val);
+        }
+    } while (val += 2);
+
+    return (0);
+}
diff --git a/src/modules/aws/scripts/aws.py b/src/common/mem_op/CMakeLists.txt
similarity index 100%
rename from src/modules/aws/scripts/aws.py
rename to src/common/mem_op/CMakeLists.txt
diff --git a/src/common/mem_op/include/mem_op.h b/src/common/mem_op/include/mem_op.h
new file mode 100644
index 0000000000..07d87b526e
--- /dev/null
+++ b/src/common/mem_op/include/mem_op.h
@@ -0,0 +1,30 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef MEM_H
+#define MEM_H
+
+#include <stdlib.h>
+
+#ifdef WIN32
+#define win_alloc(x) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (x))
+#define win_free(x) HeapFree(GetProcessHeap(), 0, (x))
+#endif
+
+#define w_FreeArray(x) if (x) {char **x_it = x; for (; *x_it; (x_it)++) {os_free(*x_it);}}
+#define w_FreeDoubleArray(y) if (y) {char ***y_it = y; for (; *y_it; (y_it)++) {w_FreeArray(*y_it); os_free(*y_it);}}
+void **os_AddPtArray(void *pt, void **array);
+char **os_AddStrArray(const char *str, char **array);
+void   os_FreeArray(char *ch1, char **ch2);
+int    os_IsStrOnArray(const char *str, char **array);
+char  *os_LoadString(char *at, const char *str) __attribute__((nonnull(2)));
+void  *memset_secure(void *v, int c, size_t n) __attribute__((nonnull));
+
+#endif /* MEM_H */
diff --git a/src/common/mem_op/src/mem_op.c b/src/common/mem_op/src/mem_op.c
new file mode 100644
index 0000000000..2802cabc36
--- /dev/null
+++ b/src/common/mem_op/src/mem_op.c
@@ -0,0 +1,132 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "mem_op.h"
+#include "shared.h"
+
+/* Add pointer to array */
+void **os_AddPtArray(void *pt, void **array)
+{
+    size_t i = 0;
+    void **ret = NULL;
+
+    if (array) {
+        while (array[i]) {
+            i++;
+        }
+    }
+
+    os_realloc(array, (i + 2)*sizeof(void *), ret);
+    ret[i] = pt;
+    ret[i + 1] = NULL;
+
+    return (ret);
+}
+
+/* Add a string to an array */
+char **os_AddStrArray(const char *str, char **array)
+{
+    size_t i = 0;
+    char **ret = NULL;
+    if (array) {
+        while (array[i]) {
+            i++;
+        }
+    }
+
+    os_realloc(array, (i + 2)*sizeof(char *), ret);
+    os_strdup(str, ret[i]);
+    ret[i + 1] = NULL;
+
+    return (ret);
+}
+
+/* Check if String is on array (Must be NULL terminated) */
+int os_IsStrOnArray(const char *str, char **array)
+{
+    if (!str || !array) {
+        return (0);
+    }
+
+    while (*array) {
+        if (strcmp(*array, str) == 0) {
+            return (1);
+        }
+        array++;
+    }
+    return (0);
+}
+
+/* Clear the memory of one char and one char** */
+void os_FreeArray(char *ch1, char **ch2)
+{
+    /* Clean char * */
+    if (ch1) {
+        free(ch1);
+        ch1 = NULL;
+    }
+
+    /* Clean chat ** */
+    if (ch2) {
+        char **nch2 = ch2;
+        w_FreeArray(ch2);
+        free(nch2);
+        nch2 = NULL;
+    }
+
+    return;
+}
+
+/* Allocate memory at "*at" and copy *str to it
+ * If *at already exist, realloc the memory and strcat str on it
+ * It will return the new string on success or NULL on memory error
+ */
+char *os_LoadString(char *at, const char *str)
+{
+    if (at == NULL) {
+        at = strdup(str);
+        if (!at) {
+            merror(MEM_ERROR, errno, strerror(errno));
+        }
+        return (at);
+    } else { /* at is not null. Need to reallocate its memory and copy str to it */
+        char *newat;
+        size_t strsize = strlen(str);
+        size_t finalsize = strsize + strlen(at) + 1;
+
+        newat = (char *) realloc(at, finalsize * sizeof(char));
+        if (newat == NULL) {
+            free(at);
+            merror(MEM_ERROR, errno, strerror(errno));
+            return (NULL);
+        }
+        at = newat;
+
+        strcat(at, str);
+        return (at);
+    }
+
+    return (NULL);
+}
+
+/* Clear memory regardless of compiler optimizations
+ * v = memory to clear
+ * c = character to set
+ * n = memory size to clear
+ */
+void *memset_secure(void *v, int c, size_t n)
+{
+    volatile unsigned char *p = (volatile unsigned char *)v;
+    while (n--) {
+        *p++ = (unsigned char) c;
+    }
+
+    return v;
+}
diff --git a/src/common/networkHelper/CMakeLists.txt b/src/common/networkHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/networkHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/networkHelper/include/networkHelper.h b/src/common/networkHelper/include/networkHelper.h
new file mode 100644
index 0000000000..9ca12b124f
--- /dev/null
+++ b/src/common/networkHelper/include/networkHelper.h
@@ -0,0 +1,86 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_HELPER_H
+#define _NETWORK_HELPER_H
+
+#include <string>
+#include <arpa/inet.h>
+#include <memory>
+#include <netdb.h>
+#include "makeUnique.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    class NetworkHelper final
+    {
+        public:
+            static std::string getNetworkTypeStringCode(const int value, const std::map<std::pair<int, int>, std::string>& interfaceTypeData)
+            {
+                std::string retVal;
+
+                const auto it
+                {
+                    std::find_if(interfaceTypeData.begin(), interfaceTypeData.end(),
+                                 [value](const std::pair<std::pair<int, int>, std::string>& paramValue)
+                    {
+                        return paramValue.first.first >= value && paramValue.first.second <= value;
+                    })
+                };
+
+                if (interfaceTypeData.end() != it)
+                {
+                    retVal = it->second;
+                }
+
+                return retVal;
+            }
+
+            template <class T>
+            static std::string IAddressToBinary(const int family, const T address)
+            {
+                std::string retVal;
+                const auto broadcastAddrPlain { std::make_unique<char[]>(NI_MAXHOST) };
+
+                if (inet_ntop(family, address, broadcastAddrPlain.get(), NI_MAXHOST))
+                {
+                    retVal = broadcastAddrPlain.get();
+                }
+
+                return retVal;
+            }
+
+            static std::string getBroadcast(const std::string& ipAddress, const std::string& netmask)
+            {
+                struct in_addr host;
+                struct in_addr mask;
+                struct in_addr broadcast;
+
+                std::string broadcastAddr;
+
+                if (inet_pton(AF_INET, ipAddress.c_str(), &host) == 1 && inet_pton(AF_INET, netmask.c_str(), &mask) == 1)
+                {
+
+                    broadcast.s_addr = host.s_addr | ~mask.s_addr;
+                    broadcastAddr = IAddressToBinary(AF_INET, &broadcast);
+                }
+
+                return broadcastAddr;
+            }
+    };
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _NETWORK_HELPER_H
\ No newline at end of file
diff --git a/src/common/networkHelper/include/networkUnixHelper.h b/src/common/networkHelper/include/networkUnixHelper.h
new file mode 100644
index 0000000000..58e6c1180b
--- /dev/null
+++ b/src/common/networkHelper/include/networkUnixHelper.h
@@ -0,0 +1,74 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 24, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _NETWORK_UNIX_HELPER_H
+#define _NETWORK_UNIX_HELPER_H
+
+#include <ifaddrs.h>
+#include <string>
+#include <map>
+#include <memory>
+#include <system_error>
+#include <net/if.h>
+#include "stringHelper.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    struct IfAddressSmartDeleter
+    {
+        void operator()(ifaddrs* address)
+        {
+            freeifaddrs(address);
+        }
+    };
+
+    class NetworkUnixHelper final
+    {
+        public:
+            static void getNetworks(std::unique_ptr<ifaddrs, IfAddressSmartDeleter>& interfacesAddress, std::map<std::string, std::vector<ifaddrs*>>& networkInterfaces)
+            {
+                struct ifaddrs* ifaddr
+                {
+                    nullptr
+                };
+                const auto ret{getifaddrs(&ifaddr)};
+
+                if (ret != -1)
+                {
+                    interfacesAddress.reset(ifaddr);
+
+                    for (auto ifa = ifaddr; ifa; ifa = ifa->ifa_next)
+                    {
+                        if (!(ifa->ifa_flags & IFF_LOOPBACK) && ifa->ifa_name)
+                        {
+                            networkInterfaces[substrOnFirstOccurrence(ifa->ifa_name, ":")].push_back(ifa);
+                        }
+                    }
+                }
+                else
+                {
+                    throw std::system_error
+                    {
+                        ret,
+                        std::system_category(),
+                        "Error reading networks"
+                    };
+                }
+            }
+    };
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _NETWORK_UNIX_HELPER_H
diff --git a/src/modules/aws/src/aws.c b/src/common/os_crypto/CMakeLists.txt
similarity index 100%
rename from src/modules/aws/src/aws.c
rename to src/common/os_crypto/CMakeLists.txt
diff --git a/src/common/os_crypto/include/md5_op.h b/src/common/os_crypto/include/md5_op.h
new file mode 100644
index 0000000000..a102c66996
--- /dev/null
+++ b/src/common/os_crypto/include/md5_op.h
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* OS_crypto/md5 Library
+ * APIs for many crypto operations
+ */
+
+#ifndef MD5_OP_H
+#define MD5_OP_H
+
+#include <sys/types.h>
+
+typedef char os_md5[33];
+
+int OS_MD5_File(const char *fname, os_md5 output, int mode) __attribute((nonnull));
+int OS_MD5_Str(const char *str, ssize_t length, os_md5 output) __attribute((nonnull));
+
+#endif /* MD5_OP_H */
diff --git a/src/common/os_crypto/include/md5_sha1_op.h b/src/common/os_crypto/include/md5_sha1_op.h
new file mode 100644
index 0000000000..369e828751
--- /dev/null
+++ b/src/common/os_crypto/include/md5_sha1_op.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef MD5SHA1_OP_H
+#define MD5SHA1_OP_H
+
+#include "../md5/md5_op.h"
+#include "../sha1/sha1_op.h"
+
+int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5output, os_sha1 sha1output, int mode) __attribute((nonnull(1, 3, 4)));
+
+#endif /* MD5SHA1_OP_H */
diff --git a/src/common/os_crypto/include/md5_sha1_sha256_op.h b/src/common/os_crypto/include/md5_sha1_sha256_op.h
new file mode 100644
index 0000000000..ad9c58f0c0
--- /dev/null
+++ b/src/common/os_crypto/include/md5_sha1_sha256_op.h
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+*/
+
+#ifndef MD5SHA1SHA256_OP_H
+#define MD5SHA1SHA256_OP_H
+
+#include "../md5/md5_op.h"
+#include "../sha1/sha1_op.h"
+#include "../sha256/sha256_op.h"
+
+
+int OS_MD5_SHA1_SHA256_File(const char *fname,
+                            char **prefilter_cmd,
+                            os_md5 md5output,
+                            os_sha1 sha1output,
+                            os_sha256 sha256output,
+                            int mode,
+                            size_t max_size) __attribute((nonnull(1, 3, 4)));
+
+#endif /* MD5SHA1SHA256_OP_H */
diff --git a/src/common/os_crypto/include/sha1_op.h b/src/common/os_crypto/include/sha1_op.h
new file mode 100644
index 0000000000..3623314739
--- /dev/null
+++ b/src/common/os_crypto/include/sha1_op.h
@@ -0,0 +1,93 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SHA1_OP_H
+#define SHA1_OP_H
+
+#include <sys/types.h>
+#include <openssl/sha.h>
+#ifdef WIN32
+#include <winsock2.h>
+#include <windef.h>
+#endif
+#include <openssl/evp.h>
+
+#define OS_SHA1_HEXDIGEST_SIZE (SHA_DIGEST_LENGTH * 2) // Sha1 digest len (20) * 2 (hex chars per byte)
+
+typedef char os_sha1[OS_SHA1_HEXDIGEST_SIZE + 1];
+
+int OS_SHA1_File(const char *fname, os_sha1 output, int mode) __attribute((nonnull));
+int OS_SHA1_Str(const char *str, ssize_t length, os_sha1 output) __attribute((nonnull));
+int OS_SHA1_Str2(const char *str, ssize_t length, os_sha1 output) __attribute((nonnull));
+
+/**
+ * @brief Get the SHA-1 digest from a list of strings.
+ *
+ * @param output[out] Output string.
+ * @param ...   [in] List of strings to calculate the SHA-1.
+ */
+int OS_SHA1_strings(os_sha1 output, ...);
+
+/**
+ * @brief Get the hexadecimal result of a SHA-1 digest
+ *
+ * @param digest[in] Binary SHA-1 digest.
+ * @param output[out] Output string.
+ */
+void OS_SHA1_Hexdigest(const unsigned char * digest, os_sha1 output);
+
+/**
+ * @brief Calculates the SHA1 of a file until N byte and save the context
+ * The context is not created, it is only reset, so the function that calls this function must previously do the creation of the context.
+ * Saved context must be freed after use.
+ *
+ * @param fname[in] File name to calculate SHA1.
+ * @param c[out] EVP_MD_CTX context.
+ * @param output[out] Output string.
+ * @param nbytes[in] Number of bytes to read.
+ * @return 0 on success.
+ * @return -1 when failure opening file.
+ * @retval -2 When fp does not correspond to the `fname` file.
+ * @retval -3 When context is NULL.
+ */
+int OS_SHA1_File_Nbytes(const char *fname, EVP_MD_CTX **c, os_sha1 output, int mode, int64_t nbytes);
+
+/**
+ * @brief If fp corresponds to fname then calculates the SHA1 of the `fname` file until N byte and save the context.
+ * The context is not created, it is only reset, so the function that calls this function must previously do the creation of the context.
+ * Saved context must be freed after use.
+ *
+ * @param[in] fname File name to calculate SHA1.
+ * @param[out] c EVP_MD_CTX context.
+ * @param[out] output Output string.
+ * @param[in] nbytes Number of bytes to read.
+ * @param[in] fd_check File serial number, Is checked against `fname`
+ * @retval 0 on success
+ * @retval -1 when failure opening file.
+ * @retval -2 When fp does not correspond to the `fname` file.
+ * @retval -3 When context is NULL.
+ */
+#ifndef WIN32
+int OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      ino_t fd_check);
+#else
+int OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      DWORD fd_check);
+#endif
+/**
+ * @brief update the context and calculates the SHA1, the context can not be null.
+ *
+ * @param c[out] EVP_MD_CTX context.
+ * @param output[out] Output string.
+ * @param buf[in] String to update the SHA1 context
+ */
+void OS_SHA1_Stream(EVP_MD_CTX *c, os_sha1 output, char * buf);
+
+#endif /* SHA1_OP_H */
diff --git a/src/common/os_crypto/include/sha256_op.h b/src/common/os_crypto/include/sha256_op.h
new file mode 100644
index 0000000000..d73669803d
--- /dev/null
+++ b/src/common/os_crypto/include/sha256_op.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Contributed by Arshad Khan (@arshad01)
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef SHA256_OP_H
+#define SHA256_OP_H
+
+#include <sys/types.h>
+
+typedef char os_sha256[65];
+
+/**
+ * @brief Calculates the SHA256 of a file.
+ *
+ * @param [in] fname Name of the file to calculate the hash.
+ * @param [out] output Buffer where the hash will be written. Must be at least sizeof(os_sha256).
+ * @param [in] mode Mode for opening the file. OS_BINARY or OS_TEXT.
+ * @return 0 o success.
+ */
+int OS_SHA256_File(const char *fname, os_sha256 output, int mode) __attribute((nonnull));
+
+/**
+ * @brief Calculates the SHA256 of a string.
+ *
+ * @param [in] str String to calculate the SHA256.
+ * @param [out] output Buffer where the hash will be written. Must be at least sizeof(os_sha256).
+ * @return 0 o success.
+ */
+void OS_SHA256_String(const char *str, os_sha256 output);
+
+/**
+ * @brief Calculates the SHA256 of a string and chop the output in a specific size.
+ *
+ * @param [in] str String to calculate the SHA256.
+ * @param [out] output Buffer where the hash will be written. Must be at least size+1 length.
+ * @param [in] size Size to chop the calculated hash.
+ * @return 0 o success.
+ */
+void OS_SHA256_String_sized(const char *str, char* output, size_t size);
+
+#endif /* SHA256_OP_H */
diff --git a/src/common/os_crypto/include/signature.h b/src/common/os_crypto/include/signature.h
new file mode 100644
index 0000000000..9992329121
--- /dev/null
+++ b/src/common/os_crypto/include/signature.h
@@ -0,0 +1,12 @@
+/* RSA-PKCS1-SHA256 signature
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 3, 2017.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+// Unsign a WPK256 file, using a key path array. Returns 0 on success or -1 on error.
+int w_wpk_unsign(const char * source, const char * target, const char ** ca_store);
diff --git a/src/common/os_crypto/src/md5_op.c b/src/common/os_crypto/src/md5_op.c
new file mode 100644
index 0000000000..98a48ec021
--- /dev/null
+++ b/src/common/os_crypto/src/md5_op.c
@@ -0,0 +1,83 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* OS_crypto/md5 Library
+ * APIs for many crypto operations
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/evp.h>
+
+#include "md5_op.h"
+#include "headers/defs.h"
+#include "headers/file_op.h"
+
+int OS_MD5_File(const char *fname, os_md5 output, int mode)
+{
+    FILE *fp;
+    EVP_MD_CTX *mdctx;
+    unsigned char buf[1024];
+    unsigned char digest[EVP_MAX_MD_SIZE];
+    size_t n;
+
+    memset(output, 0, sizeof(os_md5));
+
+    fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r");
+    if (!fp) {
+        return (-1);
+    }
+
+    mdctx = EVP_MD_CTX_new();
+    if (!mdctx) {
+        fclose(fp);
+        return (-1);
+    }
+
+    EVP_DigestInit(mdctx, EVP_md5());
+    while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
+        EVP_DigestUpdate(mdctx, buf, n);
+    }
+
+    EVP_DigestFinal(mdctx, digest, NULL);
+
+    for (n = 0; n < 16; n++) {
+        snprintf(output + n * 2, 3, "%02x", digest[n]);
+    }
+
+    EVP_MD_CTX_free(mdctx);
+    fclose(fp);
+
+    return (0);
+}
+
+int OS_MD5_Str(const char *str, ssize_t length, os_md5 output)
+{
+    EVP_MD_CTX *mdctx;
+    unsigned char digest[EVP_MAX_MD_SIZE];
+    size_t n;
+
+    mdctx = EVP_MD_CTX_new();
+    if (!mdctx) {
+        return (-1);
+    }
+
+    EVP_DigestInit(mdctx, EVP_md5());
+    EVP_DigestUpdate(mdctx, str, length < 0 ? (size_t)strlen(str) : (size_t)length);
+    EVP_DigestFinal(mdctx, digest, NULL);
+
+    for (n = 0; n < 16; n++) {
+        snprintf(output + n * 2, 3, "%02x", digest[n]);
+    }
+
+    EVP_MD_CTX_free(mdctx);
+
+    return (0);
+}
diff --git a/src/common/os_crypto/src/md5_sha1_op.c b/src/common/os_crypto/src/md5_sha1_op.c
new file mode 100644
index 0000000000..ca7d8c0ed5
--- /dev/null
+++ b/src/common/os_crypto/src/md5_sha1_op.c
@@ -0,0 +1,110 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "file_op.h"
+#include "md5_sha1_op.h"
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include "headers/defs.h"
+
+int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5output, os_sha1 sha1output, int mode)
+{
+    size_t n;
+    FILE *fp;
+    unsigned char buf[2048 + 2];
+    unsigned char sha1_digest[SHA_DIGEST_LENGTH];
+    unsigned char md5_digest[16];
+
+    /* Clear the memory */
+    md5output[0] = '\0';
+    sha1output[0] = '\0';
+    buf[2048 + 1] = '\0';
+
+    /* Use prefilter_cmd if set */
+    if (prefilter_cmd == NULL) {
+        fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r");
+        if (!fp) {
+            return (-1);
+        }
+    } else {
+        char cmd[OS_MAXSTR];
+        size_t target_length = strlen(prefilter_cmd) + 1 + strlen(fname);
+        int res = snprintf(cmd, sizeof(cmd), "%s %s", prefilter_cmd, fname);
+        if (res < 0 || (unsigned int)res != target_length) {
+            return (-1);
+        }
+        fp = popen(cmd, "r");
+        if (!fp) {
+            return (-1);
+        }
+    }
+
+    /* Initialize both hashes */
+    EVP_MD_CTX *md5_ctx = EVP_MD_CTX_new();
+    if (!md5_ctx) {
+        if (prefilter_cmd == NULL) {
+            fclose(fp);
+        } else {
+            pclose(fp);
+        }
+        return (-1);
+    }
+
+    EVP_MD_CTX *sha1_ctx = EVP_MD_CTX_new();
+    if (!sha1_ctx) {
+        EVP_MD_CTX_free(md5_ctx);
+        if (prefilter_cmd == NULL) {
+           fclose(fp);
+        } else {
+           pclose(fp);
+        }
+        return (-1);
+    }
+
+    EVP_DigestInit(md5_ctx, EVP_md5());
+    EVP_DigestInit(sha1_ctx, EVP_sha1());
+
+    /* Update for each one */
+    while ((n = fread(buf, 1, 2048, fp)) > 0) {
+        buf[n] = '\0';
+        EVP_DigestUpdate(md5_ctx, buf, n);
+        EVP_DigestUpdate(sha1_ctx, buf, n);
+    }
+
+    EVP_DigestFinal(md5_ctx, md5_digest, NULL);
+    EVP_DigestFinal(sha1_ctx, sha1_digest, NULL);
+
+    /* Set output for MD5 */
+    for (n = 0; n < 16; n++) {
+        snprintf(md5output, 3, "%02x", md5_digest[n]);
+        md5output += 2;
+    }
+
+    /* Set output for SHA-1 */
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(sha1output, 3, "%02x", sha1_digest[n]);
+        sha1output += 2;
+    }
+
+    EVP_MD_CTX_free(md5_ctx);
+    EVP_MD_CTX_free(sha1_ctx);
+
+    /* Close it */
+    if (prefilter_cmd == NULL) {
+        fclose(fp);
+    } else {
+        pclose(fp);
+    }
+
+    return (0);
+}
diff --git a/src/common/os_crypto/src/md5_sha1_sha256_op.c b/src/common/os_crypto/src/md5_sha1_sha256_op.c
new file mode 100644
index 0000000000..e44d4be15e
--- /dev/null
+++ b/src/common/os_crypto/src/md5_sha1_sha256_op.c
@@ -0,0 +1,144 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+*/
+
+#include <shared.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "md5_sha1_sha256_op.h"
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include "headers/defs.h"
+
+
+int OS_MD5_SHA1_SHA256_File(const char *fname,
+                            char **prefilter_cmd,
+                            os_md5 md5output,
+                            os_sha1 sha1output,
+                            os_sha256 sha256output,
+                            int mode,
+                            size_t max_size)
+{
+    size_t n, read = 0;
+    FILE *fp;
+    wfd_t *wfd;
+    unsigned char buf[OS_BUFFER_SIZE + 2];
+    unsigned char sha1_digest[SHA_DIGEST_LENGTH];
+    unsigned char md5_digest[16];
+    unsigned char sha256_digest[SHA256_DIGEST_LENGTH];
+
+    EVP_MD_CTX *sha1_ctx = NULL;
+    EVP_MD_CTX *md5_ctx = NULL;
+    EVP_MD_CTX *sha256_ctx = NULL;
+
+    /* Clear the memory */
+    md5output[0] = '\0';
+    sha1output[0] = '\0';
+    sha256output[0] = '\0';
+    buf[OS_BUFFER_SIZE + 1] = '\0';
+
+    /* Use prefilter_cmd if set */
+    if (prefilter_cmd == NULL) {
+        fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r");
+        if (!fp) {
+            return (-1);
+        }
+    } else {
+        char **command = NULL;
+        int cnt = 0;
+        while(prefilter_cmd[cnt] != NULL) {
+            cnt++;
+        }
+        os_calloc(cnt + 2, sizeof(char *), command);
+        for (cnt = 0; prefilter_cmd[cnt]; cnt++) {
+            os_strdup(prefilter_cmd[cnt], command[cnt]);
+        }
+
+        os_strdup(fname, command[cnt]);
+
+        wfd = wpopenv(*command, command, W_BIND_STDOUT);
+        free_strarray(command);
+
+        if (wfd == NULL) {
+            return -1;
+        }
+
+        fp = wfd->file_out;
+    }
+
+    /* Initialize all hashes */
+    sha1_ctx = EVP_MD_CTX_new();
+    md5_ctx = EVP_MD_CTX_new();
+    sha256_ctx = EVP_MD_CTX_new();
+    EVP_DigestInit(sha1_ctx, EVP_sha1());
+    EVP_DigestInit(md5_ctx, EVP_md5());
+    EVP_DigestInit(sha256_ctx, EVP_sha256());
+
+    /* Update for each one */
+    while ((n = fread(buf, 1, OS_BUFFER_SIZE, fp)) > 0) {
+
+        if (max_size > 0) {
+            read = read + n;
+            if (read >= max_size) {     // Maximum filesize error
+                mwarn("'%s' filesize is larger than the maximum allowed (%d MB). File skipped.", fname, (int)max_size/1048576); // max_size is in bytes
+                if (prefilter_cmd == NULL) {
+                    fclose(fp);
+                } else {
+                    wpclose(wfd);
+                }
+                EVP_MD_CTX_free(sha1_ctx);
+                EVP_MD_CTX_free(md5_ctx);
+                EVP_MD_CTX_free(sha256_ctx);
+                return (-1);
+            }
+        }
+
+        buf[n] = '\0';
+
+        EVP_DigestUpdate(sha1_ctx, buf, n);
+        EVP_DigestUpdate(md5_ctx, buf, n);
+        EVP_DigestUpdate(sha256_ctx, buf, n);
+    }
+
+    EVP_DigestFinal(sha1_ctx, sha1_digest, NULL);
+    EVP_DigestFinal(md5_ctx, md5_digest, NULL);
+    EVP_DigestFinal(sha256_ctx, sha256_digest, NULL);
+
+    EVP_MD_CTX_free(sha1_ctx);
+    EVP_MD_CTX_free(md5_ctx);
+    EVP_MD_CTX_free(sha256_ctx);
+
+    /* Set output for MD5 */
+    for (n = 0; n < 16; n++) {
+        snprintf(md5output, 3, "%02x", md5_digest[n]);
+        md5output += 2;
+    }
+
+    /* Set output for SHA-1 */
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(sha1output, 3, "%02x", sha1_digest[n]);
+        sha1output += 2;
+    }
+
+    /* Set output for SHA-256 */
+    for (n = 0; n < SHA256_DIGEST_LENGTH; n++) {
+        snprintf(sha256output, 3, "%02x", sha256_digest[n]);
+        sha256output += 2;
+    }
+
+    /* Close it */
+    if (prefilter_cmd == NULL) {
+        fclose(fp);
+    } else {
+        wpclose(wfd);
+    }
+
+    return (0);
+}
diff --git a/src/common/os_crypto/src/sha1_op.c b/src/common/os_crypto/src/sha1_op.c
new file mode 100644
index 0000000000..d977aef069
--- /dev/null
+++ b/src/common/os_crypto/src/sha1_op.c
@@ -0,0 +1,241 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "sha1_op.h"
+#include "headers/defs.h"
+#include "shared.h"
+
+/* OpenSSL SHA-1
+ * Only use if OpenSSL is not available
+#ifndef LIBOPENSSL_ENABLED
+#include "sha.h"
+#include "sha_locl.h"
+#else
+#include <openssl/sha.h>
+#endif
+*/
+
+int OS_SHA1_File(const char *fname, os_sha1 output, int mode) {
+    EVP_MD_CTX *sha1_ctx = EVP_MD_CTX_new();
+    FILE *fp;
+    unsigned char buf[2048 + 2];
+    unsigned char md[SHA_DIGEST_LENGTH];
+    size_t n;
+
+    memset(output, 0, sizeof(os_sha1));
+    buf[2049] = '\0';
+
+    fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r");
+    if (!fp) {
+        EVP_MD_CTX_free(sha1_ctx);
+        return (-1);
+    }
+
+    EVP_DigestInit(sha1_ctx, EVP_sha1());
+    while ((n = fread(buf, 1, 2048, fp)) > 0) {
+        buf[n] = '\0';
+        EVP_DigestUpdate(sha1_ctx, buf, n);
+    }
+
+    EVP_DigestFinal(sha1_ctx, md, NULL);
+
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    fclose(fp);
+    EVP_MD_CTX_free(sha1_ctx);
+
+    return (0);
+}
+
+int OS_SHA1_Str(const char *str, ssize_t length, os_sha1 output) {
+    unsigned char md[SHA_DIGEST_LENGTH];
+    size_t n;
+
+    EVP_MD_CTX *sha1_ctx = EVP_MD_CTX_new();
+    EVP_DigestInit(sha1_ctx, EVP_sha1());
+    EVP_DigestUpdate(sha1_ctx, (const unsigned char *)str, length < 0 ? (unsigned)strlen(str) : (unsigned)length);
+    EVP_DigestFinal(sha1_ctx, md, NULL);
+
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    EVP_MD_CTX_free(sha1_ctx);
+
+    return (0);
+}
+
+int OS_SHA1_Str2(const char *str, ssize_t length, os_sha1 output) {
+    unsigned char temp[SHA_DIGEST_LENGTH];
+    size_t n;
+
+    memset(temp, 0x0, SHA_DIGEST_LENGTH);
+    SHA1((unsigned char *)str, length, temp);
+
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", temp[n]);
+        output += 2;
+    }
+
+    return (0);
+}
+
+int OS_SHA1_strings(os_sha1 output, ...) {
+    unsigned char md[SHA_DIGEST_LENGTH];
+    size_t n;
+    EVP_MD_CTX *sha1_ctx = EVP_MD_CTX_new();
+    EVP_DigestInit(sha1_ctx, EVP_sha1());
+
+    va_list parameters;
+    char* parameter = NULL;
+    va_start(parameters, output);
+    while (parameter = va_arg(parameters, char*), parameter) {
+        EVP_DigestUpdate(sha1_ctx, parameter, strlen(parameter));
+    }
+    va_end(parameters);
+    EVP_DigestFinal(sha1_ctx, md, NULL);
+
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    EVP_MD_CTX_free(sha1_ctx);
+
+    return (0);
+}
+
+// Get the hexadecimal result of a SHA-1 digest
+void OS_SHA1_Hexdigest(const unsigned char * digest, os_sha1 output) {
+    size_t n;
+
+    for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", digest[n]);
+        output += 2;
+    }
+}
+
+int OS_SHA1_File_Nbytes(const char *fname, EVP_MD_CTX **c, os_sha1 output, int mode, int64_t nbytes) {
+    return OS_SHA1_File_Nbytes_with_fp_check(fname, c, output, mode, nbytes, 0);
+}
+
+#ifndef WIN32
+int OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      ino_t fd_check) {
+#else
+int OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      DWORD fd_check) {
+#endif
+
+    FILE *fp = NULL;
+    char buf[OS_MAXSTR];
+    int64_t n;
+    unsigned char md[SHA_DIGEST_LENGTH];
+
+    if (c == NULL || *c == NULL) {
+        mdebug1("Context for file '%s' can not be NULL.", fname);
+        return -3;
+    }
+
+    memset(output, 0, sizeof(os_sha1));
+    buf[OS_MAXSTR - 1] = '\0';
+
+    EVP_DigestInit(*c, EVP_sha1());
+
+    /* It's important to read \r\n instead of \n to generate the correct hash */
+#ifdef WIN32
+    BY_HANDLE_FILE_INFORMATION lpFileInformation;
+    DWORD open_fd = 0;
+    if (fp = w_fopen_r(fname, mode == OS_BINARY ? "rb" : "r", &lpFileInformation), fp == NULL) {
+        return -1;
+    } else {
+        open_fd = lpFileInformation.nFileIndexLow + lpFileInformation.nFileIndexHigh;
+    }
+#else
+    if (fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r"), fp == NULL) {
+        return -1;
+    }
+#endif
+
+    /* Check if it is the same file */
+    if (fd_check != 0) {
+#ifndef WIN32
+
+        struct stat tmp_stat;
+
+        if ((fstat(fileno(fp), &tmp_stat)) == -1) {
+            merror(FSTAT_ERROR, fname, errno, strerror(errno));
+        } else if (fd_check != tmp_stat.st_ino) {
+            mdebug1("The inode does not belong to file '%s'. The hash of the file will be ignored.", fname);
+            fclose(fp);
+            return -2;
+        }
+
+#else
+        if (open_fd != 0 && fd_check != open_fd) {
+            mdebug1("The inode does not belong to file '%s'. The hash of the file will be ignored.", fname);
+            fclose(fp);
+            return -2;
+        }
+
+#endif
+    }
+
+    for (int64_t bytes_count = 0; bytes_count < nbytes; bytes_count+=2048) {
+        if(bytes_count+2048 < nbytes) {
+            n = fread(buf, 1, 2048, fp);
+        } else {
+            n = fread(buf, 1, nbytes-bytes_count, fp);
+        }
+
+        buf[n] = '\0';
+        EVP_DigestUpdate(*c, buf, n);
+    }
+
+    EVP_MD_CTX *aux = EVP_MD_CTX_new();
+    EVP_MD_CTX_copy(aux, *c);
+
+    EVP_DigestFinal(aux, md, NULL);
+
+    OS_SHA1_Hexdigest(md, output);
+
+    EVP_MD_CTX_free(aux);
+
+    fclose(fp);
+
+    return (0);
+}
+
+void OS_SHA1_Stream(EVP_MD_CTX *c, os_sha1 output, char * buf) {
+    if(buf) {
+        size_t n = strlen(buf);
+
+        EVP_DigestUpdate(c, buf, n);
+    }
+
+    if(output) {
+        memset(output, 0, sizeof(os_sha1));
+        unsigned char md[SHA_DIGEST_LENGTH];
+        EVP_MD_CTX *aux = EVP_MD_CTX_new();
+        EVP_MD_CTX_copy(aux, c);
+
+        EVP_DigestFinal(aux, md, NULL);
+        OS_SHA1_Hexdigest(md, output);
+        EVP_MD_CTX_free(aux);
+    }
+
+}
diff --git a/src/common/os_crypto/src/sha256_op.c b/src/common/os_crypto/src/sha256_op.c
new file mode 100644
index 0000000000..b7dcbf4e3b
--- /dev/null
+++ b/src/common/os_crypto/src/sha256_op.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Contributed by Arshad Khan (@arshad01)
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "file_op.h"
+#include "sha256_op.h"
+#include "headers/defs.h"
+
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+
+int OS_SHA256_File(const char *fname, os_sha256 output, int mode)
+{
+    FILE *fp;
+    unsigned char buf[2048 + 2];
+    unsigned char md[SHA256_DIGEST_LENGTH];
+    size_t n;
+
+    memset(output, 0, sizeof(os_sha256));
+    buf[2049] = '\0';
+
+    fp = wfopen(fname, mode == OS_BINARY ? "rb" : "r");
+    if (!fp) {
+        return (-1);
+    }
+
+    EVP_MD_CTX *sha256_ctx = EVP_MD_CTX_new();
+
+    if (!sha256_ctx) {
+        fclose(fp);
+        return (-1);
+    }
+
+    EVP_DigestInit(sha256_ctx, EVP_sha256());
+
+    while ((n = fread(buf, 1, 2048, fp)) > 0) {
+        buf[n] = '\0';
+        EVP_DigestUpdate(sha256_ctx, buf, n);
+    }
+
+    EVP_DigestFinal(sha256_ctx, md, NULL);
+
+    for (n = 0; n < SHA256_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    EVP_MD_CTX_free(sha256_ctx);
+
+    fclose(fp);
+
+    return (0);
+}
+
+void OS_SHA256_String(const char *str, os_sha256 output)
+{
+    unsigned char md[SHA256_DIGEST_LENGTH];
+    size_t n;
+
+    EVP_MD_CTX *sha256_ctx = EVP_MD_CTX_new();
+
+    EVP_DigestInit(sha256_ctx, EVP_sha256());
+    EVP_DigestUpdate(sha256_ctx, str, strlen(str));
+    EVP_DigestFinal(sha256_ctx, md, NULL);
+
+    for (n = 0; n < SHA256_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    EVP_MD_CTX_free(sha256_ctx);
+}
+
+void OS_SHA256_String_sized(const char *str, char* output, size_t size)
+{
+    unsigned char md[SHA256_DIGEST_LENGTH];
+    size_t n;
+
+    EVP_MD_CTX *sha256_ctx = EVP_MD_CTX_new();
+
+    EVP_DigestInit(sha256_ctx, EVP_sha256());
+    EVP_DigestUpdate(sha256_ctx, str, strlen(str));
+    EVP_DigestFinal(sha256_ctx, md, NULL);
+
+    for (n = 0; n < size/2 && n < SHA256_DIGEST_LENGTH; n++) {
+        snprintf(output, 3, "%02x", md[n]);
+        output += 2;
+    }
+
+    EVP_MD_CTX_free(sha256_ctx);
+}
diff --git a/src/common/os_crypto/src/signature.c b/src/common/os_crypto/src/signature.c
new file mode 100644
index 0000000000..dcda3e755b
--- /dev/null
+++ b/src/common/os_crypto/src/signature.c
@@ -0,0 +1,337 @@
+/* RSA-PKCS1-SHA256 signature
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 28, 2017.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <headers/shared.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+#define SIGNLEN 2048 / 8
+#define BUFLEN 4096
+static const char MAGIC[] = "WPK256";
+
+static X509 * w_wpk_cert(FILE * fp);
+static int wpk_verify_cert(X509 * cert, const char ** ca_store);
+
+// Unsign a WPK256 file, using a key path array. Returns 0 on success or -1 on error.
+int w_wpk_unsign(const char * source, const char * target, const char ** ca_store) {
+    X509 * cert = NULL;
+    EVP_PKEY * pkey = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
+    EVP_MD_CTX *hash = NULL;
+    FILE * filein = NULL;
+    FILE * fileout = NULL;
+    unsigned char signature[SIGNLEN];
+    unsigned char digest[SHA256_DIGEST_LENGTH];
+    unsigned char buffer[BUFLEN];
+    int retval = -1;
+    long offset;
+    ssize_t length;
+
+    // Read signed file
+
+    if (filein = wfopen(source, "rb"), !filein) {
+        merror("opening input file: %s", strerror(errno));
+        goto cleanup;
+    }
+
+    // Check magic number
+
+    if (length = fread(buffer, 1, sizeof(MAGIC), filein), length < (ssize_t)sizeof(MAGIC)) {
+        merror("Invalid input file (reading magic number).");
+        goto cleanup;
+    }
+
+    if (memcmp(buffer, MAGIC, sizeof(MAGIC))) {
+        merror("Invalid input file (bad magic number).");
+        goto cleanup;
+    }
+
+    // Get certificate
+
+    if (cert = w_wpk_cert(filein), !cert) {
+        merror("Couldn't extract certificate at file '%s'.", source);
+        goto cleanup;
+    }
+
+    // Validate certificate
+
+    if (ca_store) {
+        if (wpk_verify_cert(cert, ca_store) < 0) {
+            merror("Error verifying WPK certificate.");
+            goto cleanup;
+        }
+    } else {
+        mwarn("No root CA defined to verify file '%s'.", source);
+    }
+
+    // Read signature
+
+    if (length = fread(signature, 1, SIGNLEN, filein), length < SIGNLEN) {
+        merror("Invalid input file (reading signature).");
+        goto cleanup;
+    }
+
+    // Hash of file content
+
+    if (offset = ftell(filein), offset < 0) {
+        merror(FTELL_ERROR, source, errno, strerror(errno));
+        goto cleanup;
+    }
+
+    if (hash = EVP_MD_CTX_new(), !hash) {
+        merror("Couldn't create hash context.");
+        goto cleanup;
+    }
+
+    if (1 != EVP_DigestInit(hash, EVP_sha256())) {
+        merror("Couldn't initialize hash context.");
+        goto cleanup;
+    }
+
+    while (length = fread(buffer, 1, BUFLEN, filein), length > 0) {
+        if (1 != EVP_DigestUpdate(hash, buffer, length)) {
+            merror("Couldn't update hash.");
+            goto cleanup;
+        }
+    }
+
+    if (length < 0) {
+        merror("Invalid input file (reading content).");
+        goto cleanup;
+    }
+
+    if (1 != EVP_DigestFinal(hash, digest, NULL)) {
+        merror("Couldn't finalize hash.");
+        goto cleanup;
+    }
+
+    // Verify signature (PKCS1)
+
+    if (pkey = X509_get0_pubkey(cert), !pkey) {
+        merror("Couldn't get public key from certificate.");
+        goto cleanup;
+    }
+
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
+        merror("Public key is not RSA.");
+        goto cleanup;
+    }
+
+    if (ctx = EVP_PKEY_CTX_new(pkey, NULL), !ctx) {
+        merror("Couldn't create public key context.");
+        goto cleanup;
+    }
+
+    if (EVP_PKEY_verify_init(ctx) <= 0) {
+        merror("Failed to initialize public key context.");
+        goto cleanup;
+    }
+
+    if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) {
+        merror("Failed to set signature digest type.");
+        goto cleanup;
+    }
+
+    if (1 != EVP_PKEY_verify(ctx, signature, SIGNLEN, digest, SHA256_DIGEST_LENGTH)) {
+        merror("Failed to verify signature.");
+        goto cleanup;
+    }
+
+    // Extract file
+
+    if (fileout = wfopen(target, "wb"), !fileout) {
+        merror("Opening output file: %s", strerror(errno));
+        goto cleanup;
+    }
+
+    if (fseek(filein, offset, SEEK_SET) < 0) {
+        merror(FSEEK_ERROR, source, errno, strerror(errno));
+        goto cleanup;
+    }
+
+    while (length = fread(buffer, 1, BUFLEN, filein), length > 0) {
+        if (fwrite(buffer, 1, length, fileout) != (size_t)length) {
+            merror("writing output file.");
+            goto cleanup;
+        }
+    }
+
+    if (length < 0) {
+        merror("Invalid input file (writing output).");
+        goto cleanup;
+    }
+
+    retval = 0;
+
+cleanup:
+
+    if (filein) {
+        fclose(filein);
+    }
+
+    if (fileout) {
+        fclose(fileout);
+    }
+
+    if (hash) {
+        EVP_MD_CTX_free(hash);
+    }
+
+    if (ctx) {
+        EVP_PKEY_CTX_free(ctx);
+    }
+
+    if (cert) {
+        X509_free(cert);
+    }
+
+    return retval;
+}
+
+// Extract certificate in PEM format from opened WPK file
+
+X509 * w_wpk_cert(FILE * fp) {
+    X509 * cert;
+    BIO * bio;
+    char * buffer = NULL;
+    size_t i = 0;
+    size_t size = 1024;
+
+    os_calloc(1, size * sizeof(char), buffer);
+
+    // Read until null character
+
+    while (1) {
+        if (!fread(buffer + i, sizeof(char), 1, fp)) {
+            // Write anything but \0
+            buffer[i] = '-';
+            break;
+        }
+
+        if (!buffer[i] || feof(fp)) {
+            break;
+        }
+
+        i++;
+
+        if (i == size) {
+            os_realloc(buffer, (size *= 2) * sizeof(char), buffer);
+        }
+    }
+
+    if (buffer[i]) {
+        merror("Couldn't get certificate from WPK file.");
+        free(buffer);
+        return NULL;
+    }
+
+    bio = BIO_new_mem_buf(buffer, (int)i);
+
+    if (cert = PEM_read_bio_X509(bio, NULL, NULL, NULL), !cert) {
+        merror("Invalid certificate in WPK file.");
+        BIO_free_all(bio);
+        free(buffer);
+        return NULL;
+    }
+
+    BIO_free_all(bio);
+    free(buffer);
+    return cert;
+}
+
+int wpk_verify_cert(X509 * cert, const char ** ca_store) {
+    X509_STORE * store = NULL;
+    X509_STORE_CTX * store_ctx = NULL;
+    struct stat statbuf;
+    unsigned long err;
+    int result = -1;
+    int i;
+
+    OpenSSL_add_all_algorithms();
+
+    store_ctx = X509_STORE_CTX_new();
+
+    for (i = 0; ca_store[i]; i++) {
+
+        // If empty string, ignore
+
+        if (ca_store[i][0] == '\0') {
+            continue;
+        }
+
+        if (store = X509_STORE_new(), !store) {
+            merror("Couldn't create new store.");
+            return -1;
+        }
+
+        int r;
+
+        if (stat(ca_store[i], &statbuf) < 0) {
+            merror(FSTAT_ERROR, ca_store[i], errno, strerror(errno));
+            continue;
+        }
+
+        switch (statbuf.st_mode & S_IFMT) {
+        case S_IFDIR:
+            r = X509_STORE_load_locations(store, NULL, ca_store[i]);
+            break;
+
+        case S_IFREG:
+            r = X509_STORE_load_locations(store, ca_store[i], NULL);
+            break;
+
+        default:
+            merror("Loading CA '%s': it's neither file nor directory.", ca_store[i]);
+            continue;
+        }
+
+        if (r < 0) {
+            merror("Couldn't add CA '%s'", ca_store[i]);
+            X509_STORE_free(store);
+            continue;
+        }
+
+        X509_STORE_CTX_init(store_ctx, store, cert, NULL);
+
+        r = X509_verify_cert(store_ctx);
+
+        if (r == -1) {
+            ERR_load_crypto_strings();
+
+            while (err = ERR_get_error(), err) {
+                mdebug1("At wpk_verify_cert(): %s (%lu)", ERR_reason_error_string(err), err);
+            }
+
+        } else if (r == 0) {
+            ERR_load_crypto_strings();
+
+            err = X509_STORE_CTX_get_error(store_ctx);
+            mdebug1("Certificate couldn't be verified by CA '%s': %s (%lu)", ca_store[i], X509_verify_cert_error_string(err), err);
+
+        } else if (r == 1) {
+
+            result = 0;
+
+        } else {
+            mdebug1("At wpk_verify_cert(): unexpected result.");
+        }
+
+        X509_STORE_CTX_cleanup(store_ctx);
+        X509_STORE_free(store);
+
+        if (result == 0)
+            break;
+    }
+
+    X509_STORE_CTX_free(store_ctx);
+
+    return result;
+}
diff --git a/src/common/os_crypto/tests/unit/tests/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..dee7acd14f
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,21 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+if(${TARGET} STREQUAL "server")
+    add_subdirectory(aes)
+    add_subdirectory(hmac)
+    add_subdirectory(shared)
+    add_subdirectory(sha1)
+    add_subdirectory(blowfish)
+    add_subdirectory(md5)
+    add_subdirectory(md5_sha1)
+    add_subdirectory(md5_sha1_sha256)
+    add_subdirectory(sha256)
+    add_subdirectory(sha512)
+endif()
diff --git a/src/common/os_crypto/tests/unit/tests/md5/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/md5/CMakeLists.txt
new file mode 100644
index 0000000000..6cd34dd05b
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5/CMakeLists.txt
@@ -0,0 +1,40 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+list(APPEND md5_tests_names "test_md5_op")
+list(APPEND md5_tests_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fread \
+                             -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fprintf \
+                             -Wl,--wrap,fgets -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,wfopen -Wl,--wrap,popen")
+
+# Compiling tests
+list(LENGTH md5_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET md5_tests_names ${counter} test_name)
+    list(GET md5_tests_flags ${counter} test_flags)
+    add_executable(${test_name} ${test_name}.c)
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/os_crypto/tests/unit/tests/md5/test_md5_op.c b/src/common/os_crypto/tests/unit/tests/md5/test_md5_op.c
new file mode 100644
index 0000000000..be1cb83729
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5/test_md5_op.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <cmocka.h>
+
+#include "../../os_crypto/md5/md5_op.h"
+#include "../../wrappers/common.h"
+#include "../headers/shared.h"
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+
+// Tests
+
+void test_md5_string(void **state) {
+    const char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    os_md5 buffer;
+
+    assert_int_equal(OS_MD5_Str(string, -1, buffer), 0);
+
+    assert_string_equal(buffer, string_md5);
+}
+
+void test_md5_file(void **state) {
+    const char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+
+    char path[] = "path/to/file";
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fread, string);
+    will_return(__wrap_fread, strlen(string));
+
+    will_return(__wrap_fread, "");
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    os_md5 buffer;
+    assert_int_equal(OS_MD5_File(path, buffer, OS_TEXT), 0);
+
+    assert_string_equal(buffer, string_md5);
+}
+
+void test_md5_file_fail(void **state) {
+    char path[] = "path/to/non-existing/file";
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    os_md5 buffer;
+    assert_int_equal(OS_MD5_File(path, buffer, OS_TEXT), -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_md5_string),
+        cmocka_unit_test_setup_teardown(test_md5_file, setup_group, teardown_group),
+        cmocka_unit_test_setup_teardown(test_md5_file_fail, setup_group, teardown_group)
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/os_crypto/tests/unit/tests/md5_sha1/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/md5_sha1/CMakeLists.txt
new file mode 100644
index 0000000000..ca953290b2
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5_sha1/CMakeLists.txt
@@ -0,0 +1,40 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+list(APPEND md5_sha1_tests_names "test_md5_sha1_op")
+list(APPEND md5_sha1_tests_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fread \
+                                  -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,popen \
+                                  -Wl,--wrap,fgets -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,snprintf")
+
+# Compiling tests
+list(LENGTH md5_sha1_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET md5_sha1_tests_names ${counter} test_name)
+    list(GET md5_sha1_tests_flags ${counter} test_flags)
+    add_executable(${test_name} ${test_name}.c)
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/os_crypto/tests/unit/tests/md5_sha1/test_md5_sha1_op.c b/src/common/os_crypto/tests/unit/tests/md5_sha1/test_md5_sha1_op.c
new file mode 100644
index 0000000000..f021e20be6
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5_sha1/test_md5_sha1_op.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../headers/shared.h"
+#include "../../os_crypto/md5_sha1/md5_sha1_op.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+// Tests
+
+void test_md5_sha1_file(void **state)
+{
+    const char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+
+    /* create tmp file */
+    char file_name[256];
+    strncpy(file_name, "/tmp/tmp_file-XXXXXX", 256);
+    int fd = mkstemp(file_name);
+
+    write(fd, string, strlen(string));
+    close(fd);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+
+    assert_int_equal(OS_MD5_SHA1_File(file_name, NULL, md5buffer, sha1buffer, OS_TEXT), 0);
+
+    assert_string_equal(md5buffer, string_md5);
+    assert_string_equal(sha1buffer, string_sha1);
+}
+
+void test_md5_sha1_cmd_file(void **state)
+{
+    const char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+
+    /* create tmp file */
+    char file_name[256];
+    strncpy(file_name, "/tmp/tmp_file-XXXXXX", 256);
+    int fd = mkstemp(file_name);
+
+    write(fd, string, strlen(string));
+    close(fd);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+
+    assert_int_equal(OS_MD5_SHA1_File(file_name, "cat ", md5buffer, sha1buffer, OS_TEXT), 0);
+
+    assert_string_equal(md5buffer, string_md5);
+    assert_string_equal(sha1buffer, string_sha1);
+}
+
+void test_md5_sha1_cmd_file_fail(void **state)
+{
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+
+    assert_int_equal(OS_MD5_SHA1_File("not_existing_file", NULL, md5buffer, sha1buffer, OS_TEXT), -1);
+}
+
+void test_md5_sha1_cmd_file_snprintf_fail(void **state)
+{
+    const char *string = "teststring";
+
+    /* create tmp file */
+    char file_name[256];
+    strncpy(file_name, "/tmp/tmp_file-XXXXXX", 256);
+    int fd = mkstemp(file_name);
+
+    write(fd, string, strlen(string));
+    close(fd);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+
+    expect_value(__wrap_snprintf, __maxlen, OS_MAXSTR);
+    expect_string(__wrap_snprintf, __format, "%s %s");
+
+    will_return(__wrap_snprintf, -1);
+
+    assert_int_equal(OS_MD5_SHA1_File(file_name, "cat ", md5buffer, sha1buffer, OS_TEXT), -1);
+}
+
+void test_md5_sha1_cmd_file_popen_fail(void **state)
+{
+    const char *string = "teststring";
+
+    /* create tmp file */
+    char file_name[256];
+    strncpy(file_name, "/tmp/tmp_file-XXXXXX", 256);
+    int fd = mkstemp(file_name);
+
+    write(fd, string, strlen(string));
+    close(fd);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+
+    expect_value(__wrap_snprintf, __maxlen, OS_MAXSTR);
+    expect_string(__wrap_snprintf, __format, "%s %s");
+
+    will_return(__wrap_snprintf, 25);
+
+    expect_popen("", "r", NULL);
+
+    assert_int_equal(OS_MD5_SHA1_File(file_name, "cat ", md5buffer, sha1buffer, OS_TEXT), -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+            cmocka_unit_test(test_md5_sha1_file),
+            cmocka_unit_test(test_md5_sha1_cmd_file),
+            cmocka_unit_test(test_md5_sha1_cmd_file_fail),
+            cmocka_unit_test_setup_teardown(test_md5_sha1_cmd_file_snprintf_fail, setup_group, teardown_group),
+            cmocka_unit_test_setup_teardown(test_md5_sha1_cmd_file_popen_fail, setup_group, teardown_group),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/CMakeLists.txt
new file mode 100644
index 0000000000..d1071d3d0f
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/CMakeLists.txt
@@ -0,0 +1,39 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+list(APPEND md5_sha1_tests_names "test_md5_sha1_sha256_op")
+list(APPEND md5_sha1_tests_flags "-Wl,--wrap,_mwarn -Wl,--wrap,wpopenv,--wrap,wpclose,--wrap,fread,--wrap,fclose,--wrap,fflush,--wrap,fgets,--wrap,fgetpos \
+                                  -Wl,--wrap,fseek,--wrap,fwrite,--wrap,remove,--wrap,fgetc,--wrap,fopen,--wrap,wfopen -Wl,--wrap,popen")
+
+# Compiling tests
+list(LENGTH md5_sha1_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET md5_sha1_tests_names ${counter} test_name)
+    list(GET md5_sha1_tests_flags ${counter} test_flags)
+    add_executable(${test_name} ${test_name}.c)
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/test_md5_sha1_sha256_op.c b/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/test_md5_sha1_sha256_op.c
new file mode 100644
index 0000000000..78c4e43651
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/md5_sha1_sha256/test_md5_sha1_sha256_op.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../headers/shared.h"
+#include "../os_crypto/md5_sha1/md5_sha1_op.h"
+#include "../os_crypto/md5_sha1_sha256/md5_sha1_sha256_op.h"
+
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+#include "../../wrappers/wazuh/shared/file_op_wrappers.h"
+
+static int setup_group(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+// Tests
+
+void test_md5_sha1_sha256_file(void **state)
+{
+    char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    const char *string_sha256 = "3c8727e019a42b444667a587b6001251becadabbb36bfed8087a92c18882d111";
+
+    /* create tmp file */
+    char file_name[256] = "/tmp/tmp_file-XXXXXX";
+
+    FILE * fp = 0x1;
+    expect_wfopen(file_name, "r", fp);
+    expect_fread(string, strlen(string));
+    expect_fread(string, 0);
+    expect_fclose(fp, 0);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File(file_name, NULL, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 20), 0);
+
+    assert_string_equal(md5buffer, string_md5);
+    assert_string_equal(sha1buffer, string_sha1);
+}
+
+void test_md5_sha1_sha256_cmd_file(void **state)
+{
+    char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    const char *string_sha256 = "3c8727e019a42b444667a587b6001251becadabbb36bfed8087a92c18882d111";
+
+    char file_name[256] = "/tmp/tmp_file-XXXXXX";
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+    char *command [] = {"cat", NULL};
+
+    wfd_t wfd = { NULL, NULL, 0 };
+    will_return(__wrap_wpopenv, &wfd);
+    expect_fread(string, strlen(string));
+    expect_fread(string, 0);
+    will_return(__wrap_wpclose, 0);
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File(file_name, command, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 20), 0);
+
+    assert_string_equal(md5buffer, string_md5);
+    assert_string_equal(sha1buffer, string_sha1);
+    assert_string_equal(sha1buffer, string_sha1);
+
+}
+
+void test_md5_sha1_sha256_cmd_file_fail(void **state)
+{
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+
+    char *command [] = {"cat", NULL};
+
+    will_return(__wrap_wpopenv, NULL);
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File("file_name", command, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 20), -1);
+}
+
+void test_md5_sha1_sha256_file_fail(void **state)
+{
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+
+    expect_wfopen("file_name", "r", NULL);
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File("file_name", NULL, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 20), -1);
+}
+
+void test_md5_sha1_sha256_cmd_file_max_size_fail(void **state)
+{
+    char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    const char *string_sha256 = "3c8727e019a42b444667a587b6001251becadabbb36bfed8087a92c18882d111";
+
+    /* create tmp file */
+    char file_name[256] = "/tmp/tmp_file-XXXXXX";
+
+    FILE * fp = 0x1;
+    expect_fread(string, strlen(string));
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+
+    char *command [] = {"cat", NULL};
+
+    wfd_t wfd = { NULL, NULL, 0 };
+    will_return(__wrap_wpopenv, &wfd);
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mwarn, formatted_msg, "'/tmp/tmp_file-XXXXXX' filesize is larger than the maximum allowed (0 MB). File skipped.");
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File(file_name, command, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 1), -1);
+}
+
+void test_md5_sha1_sha256_file_max_size_fail(void **state)
+{
+    char *string = "teststring";
+    const char *string_md5 = "d67c5cbf5b01c9f91932e3b8def5e5f8";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    const char *string_sha256 = "3c8727e019a42b444667a587b6001251becadabbb36bfed8087a92c18882d111";
+
+    /* create tmp file */
+    char file_name[256] = "/tmp/tmp_file-XXXXXX";
+
+    FILE * fp = 0x1;
+    expect_wfopen(file_name, "r", fp);
+    expect_fread(string, strlen(string));
+    expect_fclose(fp, 0);
+
+    os_md5 md5buffer;
+    os_sha1 sha1buffer;
+    os_sha256 sha256buffer;
+
+    expect_string(__wrap__mwarn, formatted_msg, "'/tmp/tmp_file-XXXXXX' filesize is larger than the maximum allowed (0 MB). File skipped.");
+
+    assert_int_equal(OS_MD5_SHA1_SHA256_File(file_name, NULL, md5buffer, sha1buffer, sha256buffer, OS_TEXT, 1), -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_md5_sha1_sha256_file),
+        cmocka_unit_test(test_md5_sha1_sha256_cmd_file),
+        cmocka_unit_test(test_md5_sha1_sha256_cmd_file_fail),
+        cmocka_unit_test(test_md5_sha1_sha256_file_fail),
+        cmocka_unit_test(test_md5_sha1_sha256_cmd_file_max_size_fail),
+        cmocka_unit_test(test_md5_sha1_sha256_file_max_size_fail),
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/os_crypto/tests/unit/tests/sha1/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/sha1/CMakeLists.txt
new file mode 100644
index 0000000000..332f1f3127
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/sha1/CMakeLists.txt
@@ -0,0 +1,40 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+list(APPEND os_crypto_sha1_tests_names "test_sha1_op")
+list(APPEND os_crypto_sha1_tests_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fread \
+                                        -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fprintf \
+                                        -Wl,--wrap,fgets -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,wfopen -Wl,--wrap,popen")
+
+# Compiling tests
+list(LENGTH os_crypto_sha1_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET os_crypto_sha1_tests_names ${counter} test_name)
+    list(GET os_crypto_sha1_tests_flags ${counter} test_flags)
+    add_executable(${test_name} ${test_name}.c)
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/os_crypto/tests/unit/tests/sha1/test_sha1_op.c b/src/common/os_crypto/tests/unit/tests/sha1/test_sha1_op.c
new file mode 100644
index 0000000000..317a6b0461
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/sha1/test_sha1_op.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../headers/shared.h"
+#include "../../os_crypto/sha1/sha1_op.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+#include "../../wrappers/common.h"
+
+int OS_SHA1_File_Nbytes(const char *fname, EVP_MD_CTX **c, os_sha1 output, int mode, int64_t nbytes);
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* test */
+
+/* OS_SHA1_File_Nbytes */
+
+void OS_SHA1_File_Nbytes_context_null (void **state)
+{
+    const char *path = "/home/test_file";
+    EVP_MD_CTX *context = NULL;
+    os_sha1 output;
+    ssize_t nbytes = 4096;
+
+    int mode = OS_BINARY;
+
+    assert_int_equal(OS_SHA1_File_Nbytes(path, &context, output, mode, nbytes), -3);
+}
+
+void OS_SHA1_File_Nbytes_unable_open_file (void **state)
+{
+    const char *path = "/home/test_file";
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+    ssize_t nbytes = 4096;
+
+    int mode = OS_BINARY;
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "rb");
+    will_return(__wrap_wfopen, NULL);
+
+    assert_int_equal(OS_SHA1_File_Nbytes(path, &context, output, mode, nbytes), -1);
+
+    EVP_MD_CTX_free(context);
+}
+
+void OS_SHA1_File_Nbytes_ok (void **state)
+{
+    const char *path = "/home/test_file";
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+    ssize_t nbytes = 4000;
+
+    int mode = OS_BINARY;
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "rb");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 0);
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    assert_int_equal(OS_SHA1_File_Nbytes(path, &context, output, mode, nbytes), 0);
+
+    EVP_MD_CTX_free(context);
+}
+
+void OS_SHA1_File_Nbytes_num_bytes_exceded (void **state)
+{
+    const char *path = "/home/test_file";
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+    ssize_t nbytes = 6;
+
+    int mode = OS_BINARY;
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "rb");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    assert_int_equal(OS_SHA1_File_Nbytes(path, &context, output, mode, nbytes), 0);
+
+    EVP_MD_CTX_free(context);
+}
+
+/* OS_SHA1_Stream */
+
+void OS_SHA1_Stream_ok (void **state)
+{
+    char *buf = "hello";
+    os_sha1 output;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+
+    EVP_DigestInit(context, EVP_sha1());
+
+    OS_SHA1_Stream(context, output, buf);
+
+    EVP_MD_CTX_free(context);
+}
+
+void OS_SHA1_Stream_buf_null (void **state)
+{
+    char *buf = NULL;
+    os_sha1 output;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+
+    EVP_DigestInit(context, EVP_sha1());
+
+    OS_SHA1_Stream(context, output, buf);
+    EVP_MD_CTX_free(context);
+}
+
+void test_sha1_string(void **state)
+{
+    const char *string = "teststring";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    os_sha1 buffer;
+
+    assert_int_equal(OS_SHA1_Str(string, strlen(string), buffer), 0);
+
+    assert_string_equal(buffer, string_sha1);
+}
+
+void test_sha1_string2(void **state)
+{
+    const char *string = "teststring";
+    const char *string_sha1 = "b8473b86d4c2072ca9b08bd28e373e8253e865c4";
+    os_sha1 buffer;
+
+    assert_int_equal(OS_SHA1_Str2(string, strlen(string), buffer), 0);
+
+    assert_string_equal(buffer, string_sha1);
+}
+
+void test_sha1_file(void **state)
+{
+    const char *string = "teststring";
+    const char *string_sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709";
+    os_sha1 buffer;
+
+    char file_name[256];
+    strncpy(file_name, "/tmp/tmp_file-XXXXXX", 256);
+
+    expect_string(__wrap_wfopen, path, file_name);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fread, string);
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    assert_int_equal(OS_SHA1_File(file_name, buffer, OS_TEXT), 0);
+
+    assert_string_equal(buffer, string_sha1);
+}
+
+void test_sha1_file_fail(void **state)
+{
+    os_sha1 buffer;
+
+    char file_name[256];
+    strncpy(file_name, "not_existing_file", 256);
+
+    expect_string(__wrap_wfopen, path, file_name);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    assert_int_equal(OS_SHA1_File(file_name, buffer, OS_TEXT), -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // Tests OS_SHA1_File_Nbytes
+        cmocka_unit_test(OS_SHA1_File_Nbytes_context_null),
+        cmocka_unit_test(OS_SHA1_File_Nbytes_unable_open_file),
+        cmocka_unit_test(OS_SHA1_File_Nbytes_ok),
+        cmocka_unit_test(OS_SHA1_File_Nbytes_num_bytes_exceded),
+        // Tests OS_SHA1_Stream
+        cmocka_unit_test(OS_SHA1_Stream_ok),
+        cmocka_unit_test(OS_SHA1_Stream_buf_null),
+        // Tests OS_SHA1_File
+        cmocka_unit_test(test_sha1_string),
+        cmocka_unit_test(test_sha1_string2),
+        cmocka_unit_test(test_sha1_file),
+        cmocka_unit_test(test_sha1_file_fail),
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/os_crypto/tests/unit/tests/sha256/CMakeLists.txt b/src/common/os_crypto/tests/unit/tests/sha256/CMakeLists.txt
new file mode 100644
index 0000000000..defab9fb22
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/sha256/CMakeLists.txt
@@ -0,0 +1,40 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+cmake_minimum_required(VERSION 3.10)
+
+list(APPEND sha256_tests_names "test_sha256_op")
+list(APPEND sha256_tests_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fread \
+                                -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fprintf \
+                                -Wl,--wrap,fgets -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,wfopen -Wl,--wrap,popen")
+
+# Compiling tests
+list(LENGTH sha256_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET sha256_tests_names ${counter} test_name)
+    list(GET sha256_tests_flags ${counter} test_flags)
+    add_executable(${test_name} ${test_name}.c)
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/os_crypto/tests/unit/tests/sha256/test_sha256_op.c b/src/common/os_crypto/tests/unit/tests/sha256/test_sha256_op.c
new file mode 100644
index 0000000000..284dd37fc0
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/tests/sha256/test_sha256_op.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <cmocka.h>
+
+#include "../../os_crypto/sha256/sha256_op.h"
+#include "../../wrappers/common.h"
+#include "../headers/shared.h"
+
+/* setups/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+// Tests
+
+void test_sha256_string() {
+    const char *string = "teststring";
+    const char *string_sha256 = "3c8727e019a42b444667a587b6001251becadabbb36bfed8087a92c18882d111";
+    os_sha256 buffer;
+
+    OS_SHA256_String(string, buffer);
+
+    assert_string_equal(buffer, string_sha256);
+}
+
+void test_sha256_string_sized() {
+    const char *string = "teststring";
+    const char *string_sha256_chopped = "3c8727e019";
+    int chopped_size = 10;
+    os_sha256 buffer;
+
+    OS_SHA256_String_sized(string, buffer, chopped_size);
+
+    assert_string_equal(buffer, string_sha256_chopped);
+}
+
+void test_sha256_file() {
+    const char *string = "teststring";
+    const char *string_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+    char path[] = "path/to/file";
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fread, string);
+    will_return(__wrap_fread, 0);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    os_sha256 buffer;
+    assert_int_equal(OS_SHA256_File(path, buffer, OS_TEXT), 0);
+
+    assert_string_equal(buffer, string_sha256);
+}
+
+void test_sha256_file_fail() {
+    char path[] = "path/to/non-existing/file";
+
+    expect_value(__wrap_wfopen, path, path);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    os_sha256 buffer;
+    assert_int_equal(OS_SHA256_File(path, buffer, OS_TEXT), -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_sha256_string),
+        cmocka_unit_test(test_sha256_string_sized),
+        cmocka_unit_test_setup_teardown(test_sha256_file, setup_group, teardown_group),
+        cmocka_unit_test_setup_teardown(test_sha256_file_fail, setup_group, teardown_group),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.c b/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.c
new file mode 100644
index 0000000000..fa04c51b6f
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.c
@@ -0,0 +1,73 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "md5_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_OS_MD5_File(const char *fname, os_md5 output, int mode) {
+    check_expected(fname);
+    check_expected(mode);
+
+    char *md5 = mock_type(char *);
+    strncpy(output, md5, sizeof(os_md5));
+
+    return mock();
+}
+
+int __wrap_OS_MD5_Str(const char *str, ssize_t length, os_md5 output) {
+    check_expected(str);
+    check_expected(length);
+
+    char *md5 = mock_type(char *);
+    strncpy(output, md5, sizeof(os_md5));
+
+    return mock();
+}
+
+void expect_OS_MD5_File_call(const char *fname, os_md5 output, int mode, int ret) {
+    expect_string(__wrap_OS_MD5_File, fname, fname);
+    expect_value(__wrap_OS_MD5_File, mode, mode);
+    will_return(__wrap_OS_MD5_File, output);
+    will_return(__wrap_OS_MD5_File, ret);
+}
+
+int __wrap_OS_MD5_SHA1_SHA256_File(const char *fname, const char **prefilter_cmd, os_md5 md5output, os_sha1 sha1output,
+                                   os_sha256 sha256output, int mode, size_t max_size) {
+    check_expected(fname);
+    check_expected_ptr(prefilter_cmd);
+    check_expected(md5output);
+    check_expected(sha1output);
+    check_expected(sha256output);
+    check_expected(mode);
+    check_expected(max_size);
+
+    return mock();
+}
+
+void expect_OS_MD5_SHA1_SHA256_File_call(char *file,
+                                         char **prefilter_cmd,
+                                         char *md5,
+                                         char *sha1,
+                                         char *sha256,
+                                         int mode,
+                                         int max_size,
+                                         int ret) {
+
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, fname, file);
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, prefilter_cmd, prefilter_cmd);
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, md5output, md5);
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha1output, sha1);
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha256output, sha256);
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, mode, mode);
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, max_size, max_size);
+    will_return(__wrap_OS_MD5_SHA1_SHA256_File, ret);
+}
diff --git a/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.h b/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.h
new file mode 100644
index 0000000000..b69326cd4d
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/md5_op_wrappers.h
@@ -0,0 +1,39 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef MD5_OP_WRAPPERS_H
+#define MD5_OP_WRAPPERS_H
+
+#include <string.h>
+#include <sys/types.h>
+
+typedef char os_md5[33];
+typedef char os_sha1[41];
+typedef char os_sha256[65];
+
+int __wrap_OS_MD5_File(const char *fname, os_md5 output, int mode);
+int __wrap_OS_MD5_Str(const char *str, ssize_t length, os_md5 output);
+void expect_OS_MD5_File_call(const char *fname, os_md5 output, int mode, int ret);
+
+int __wrap_OS_MD5_SHA1_SHA256_File(const char *fname, const char **prefilter_cmd, os_md5 md5output, os_sha1 sha1output,
+                                   os_sha256 sha256output, int mode, size_t max_size);
+
+/**
+ * @brief This function loads the expect and will return of the function OS_MD5_SHA1_SHA256_File
+ */
+void expect_OS_MD5_SHA1_SHA256_File_call(char *file,
+                                         char **prefilter_cmd,
+                                         char *md5,
+                                         char *sha1,
+                                         char *sha256,
+                                         int mode,
+                                         int max_size,
+                                         int ret);
+#endif
diff --git a/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.c b/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.c
new file mode 100644
index 0000000000..47d43213de
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.c
@@ -0,0 +1,75 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sha1_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_OS_SHA1_File(const char *fname, os_sha1 output, int mode) {
+    check_expected(fname);
+    check_expected(mode);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+    return mock();
+}
+
+int __wrap_OS_SHA1_File_Nbytes(const char *fname, __attribute__((unused))EVP_MD_CTX **c, os_sha1 output, int mode, ssize_t nbytes) {
+    check_expected(fname);
+    check_expected(mode);
+    check_expected(nbytes);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+    return mock();
+}
+
+void __wrap_OS_SHA1_Stream(__attribute__((unused))EVP_MD_CTX *c, os_sha1 output, char * buf) {
+    check_expected(buf);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+}
+
+#ifndef WIN32
+int __wrap_OS_SHA1_File_Nbytes_with_fp_check(const char * fname, __attribute__((unused))EVP_MD_CTX ** c, os_sha1 output,
+                                      int mode, int64_t nbytes, ino_t fd_check) {
+    check_expected(fname);
+    check_expected(mode);
+    check_expected(nbytes);
+    check_expected(fd_check);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+    return mock();
+}
+#else
+int __wrap_OS_SHA1_File_Nbytes_with_fp_check(const char * fname, __attribute__((unused))EVP_MD_CTX ** c, os_sha1 output,
+                                      int mode, int64_t nbytes, DWORD fd_check) {
+    check_expected(fname);
+    check_expected(mode);
+    check_expected(nbytes);
+    check_expected(fd_check);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+    return mock();
+}
+#endif
+
+int __wrap_OS_SHA1_Str(const char *str, ssize_t length, os_sha1 output) {
+    check_expected(str);
+    check_expected(length);
+
+    snprintf(output, 41, "%s", mock_type(char *));
+
+    return 0;
+}
diff --git a/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.h b/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.h
new file mode 100644
index 0000000000..27ce1eb530
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/sha1_op_wrappers.h
@@ -0,0 +1,33 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SHA1_OP_WRAPPERS_H
+#define SHA1_OP_WRAPPERS_H
+
+#include "../../../../headers/shared.h"
+#include <string.h>
+#include <sys/types.h>
+
+typedef char os_sha1[41];
+
+int __wrap_OS_SHA1_File(const char *fname, os_sha1 output, int mode);
+int __wrap_OS_SHA1_File_Nbytes(const char *fname, EVP_MD_CTX **c, os_sha1 output, int mode, ssize_t nbytes);
+void __wrap_OS_SHA1_Stream(EVP_MD_CTX *c, os_sha1 output, char * buf);
+#ifndef WIN32
+int __wrap_OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      ino_t fd_check);
+#else
+int __wrap_OS_SHA1_File_Nbytes_with_fp_check(const char * fname, EVP_MD_CTX ** c, os_sha1 output, int mode, int64_t nbytes,
+                                      DWORD fd_check);
+#endif
+
+int __wrap_OS_SHA1_Str(const char *str, ssize_t length, os_sha1 output);
+
+#endif
diff --git a/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.c b/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.c
new file mode 100644
index 0000000000..5223f9108f
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.c
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sha256_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_OS_SHA256_String(const char *str, os_sha256 output) {
+    check_expected(str);
+
+    snprintf(output, 65, "%s", mock_type(char *));
+
+    return 0;
+}
diff --git a/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.h b/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.h
new file mode 100644
index 0000000000..96b7dbe9e4
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/sha256_op_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SHA256_OP_WRAPPERS_H
+#define SHA256_OP_WRAPPERS_H
+
+#include "../../../../headers/shared.h"
+#include <string.h>
+#include <sys/types.h>
+
+typedef char os_sha256[65];
+
+int __wrap_OS_SHA256_String(const char *str, os_sha256 output);
+
+#endif
diff --git a/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.c b/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.c
new file mode 100644
index 0000000000..097c63e53d
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.c
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "signature_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_w_wpk_unsign(const char * source,  __attribute__((unused)) const char * target,  __attribute__((unused)) const char ** ca_store) {
+    check_expected(source);
+    return mock();
+}
diff --git a/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.h b/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.h
new file mode 100644
index 0000000000..738eb952cc
--- /dev/null
+++ b/src/common/os_crypto/tests/unit/wrappers/signature_wrappers.h
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SIGNATURE_WRAPPERS_H
+#define SIGNATURE_WRAPPERS_H
+
+#include "headers/shared.h"
+#include <string.h>
+
+int __wrap_w_wpk_unsign(const char * source, const char * target, const char ** ca_store);
+
+
+#endif
diff --git a/src/modules/azure/include/azure.h b/src/common/os_utils/CMakeLists.txt
similarity index 100%
rename from src/modules/azure/include/azure.h
rename to src/common/os_utils/CMakeLists.txt
diff --git a/src/common/os_utils/include/os_utils.h b/src/common/os_utils/include/os_utils.h
new file mode 100644
index 0000000000..4c0d682d1c
--- /dev/null
+++ b/src/common/os_utils/include/os_utils.h
@@ -0,0 +1,38 @@
+/*
+ * OS processes
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 25, 2019
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef OS_UTILS_OP_H
+#define OS_UTILS_OP_H
+
+#ifdef WIN32
+#include <tlhelp32.h>
+#endif
+/* Process struct */
+typedef struct W_Proc_Info {
+    char *p_name;
+    char *p_path;
+} W_Proc_Info;
+
+
+char *w_os_get_runps(const char *ps, int mpid);
+/* Get list of Unix processes */
+OSList *w_os_get_process_list();
+/* Check if a file exists */
+int w_is_file(const char * const file);
+/* Delete the process list */
+int w_del_plist(OSList *p_list);
+
+#ifdef WIN32
+/* Executes Wow64DisableWow64FsRedirection if the OS version supports it */
+void SafeWow64DisableWow64FsRedirection(PVOID *oldValue);
+#endif
+
+#endif /* OS_UTILS_OP_H */
diff --git a/src/common/os_utils/src/os_utils.c b/src/common/os_utils/src/os_utils.c
new file mode 100644
index 0000000000..123c0fea92
--- /dev/null
+++ b/src/common/os_utils/src/os_utils.c
@@ -0,0 +1,341 @@
+/*
+ * Shared functions for Rootcheck events decoding
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+#include "os_utils.h"
+
+#ifdef WIN32
+#include <tlhelp32.h>
+#include <psapi.h>
+#include <windows.h>
+#endif
+
+#ifndef WIN32
+
+char *w_os_get_runps(const char *ps, int mpid)
+{
+    char *tmp_str, *nbuf;
+    char buf[OS_SIZE_2048 + 1];
+    char command[OS_SIZE_1024 + 1];
+    FILE *fp;
+
+    buf[0] = '\0';
+    command[0] = '\0';
+    command[OS_SIZE_1024] = '\0';
+
+    snprintf(command, OS_SIZE_1024, "%s -p %d 2> /dev/null", ps, mpid);
+    fp = popen(command, "r");
+    if (fp) {
+        while (fgets(buf, OS_SIZE_2048, fp) != NULL) {
+            tmp_str = strchr(buf, ':');
+            if (!tmp_str) {
+                continue;
+            }
+
+            nbuf = tmp_str++;
+
+            tmp_str = strchr(nbuf, ' ');
+            if (!tmp_str) {
+                continue;
+            }
+            tmp_str++;
+
+            /* Remove whitespaces */
+            while (*tmp_str == ' ') {
+                tmp_str++;
+            }
+
+            nbuf = tmp_str;
+
+            tmp_str = strchr(nbuf, '\n');
+            if (tmp_str) {
+                *tmp_str = '\0';
+            }
+
+            pclose(fp);
+            return (strdup(nbuf));
+        }
+
+        pclose(fp);
+    }
+
+    return (NULL);
+}
+
+/* Get list of Unix processes */
+OSList *w_os_get_process_list()
+{
+    int i = 1;
+    pid_t max_pid = MAX_PID;
+    OSList *p_list = NULL;
+    char ps[OS_SIZE_1024 + 1];
+
+    /* Check where ps is */
+    memset(ps, '\0', OS_SIZE_1024 + 1);
+    strncpy(ps, "/bin/ps", OS_SIZE_1024);
+    if (!w_is_file(ps)) {
+        strncpy(ps, "/usr/bin/ps", OS_SIZE_1024);
+        if (!w_is_file(ps)) {
+            mterror(ARGV0, "'ps' not found.");
+            return (NULL);
+        }
+    }
+
+    /* Create process list */
+    p_list = OSList_Create();
+    if (!p_list) {
+        mterror(ARGV0, LIST_ERROR);
+        return (NULL);
+    }
+
+    for (i = 1; i <= max_pid; i++) {
+        /* Check if the pid is present */
+        if ((!((getsid(i) == -1) && (errno == ESRCH))) &&
+                (!((getpgid(i) == -1) && (errno == ESRCH)))) {
+            W_Proc_Info *p_info;
+            char *p_name;
+
+            p_name = w_os_get_runps(ps, (int)i);
+            if (!p_name) {
+                continue;
+            }
+
+            os_calloc(1, sizeof(W_Proc_Info), p_info);
+            p_info->p_path = p_name;
+            p_info->p_name = NULL;
+            OSList_AddData(p_list, p_info);
+        }
+    }
+
+    return (p_list);
+}
+
+#endif
+/* Check if a file exists */
+int w_is_file(const char * const file) {
+    FILE *fp = wfopen(file, "r");
+    int is_exist = 0;
+    if (fp != NULL) {
+        is_exist = 1;
+        fclose(fp);
+    }
+    return is_exist;
+}
+
+/* Delete the process list */
+int w_del_plist(OSList *p_list)
+{
+    OSListNode *l_node;
+    OSListNode *p_node = NULL;
+
+    if (p_list == NULL) {
+        return (0);
+    }
+
+    l_node = OSList_GetFirstNode(p_list);
+    while (l_node) {
+        W_Proc_Info *pinfo;
+
+        pinfo = (W_Proc_Info *)l_node->data;
+
+        if (pinfo->p_name) {
+            free(pinfo->p_name);
+        }
+
+        if (pinfo->p_path) {
+            free(pinfo->p_path);
+        }
+
+        free(l_node->data);
+
+        if (p_node) {
+            free(p_node);
+            p_node = NULL;
+        }
+        p_node = l_node;
+
+        l_node = OSList_GetNextNode(p_list);
+    }
+
+    if (p_node) {
+        free(p_node);
+        p_node = NULL;
+    }
+
+    pthread_mutex_destroy(&(p_list->mutex));
+    pthread_rwlock_destroy(&(p_list->wr_mutex));
+
+    free(p_list);
+
+    return (1);
+}
+
+#ifdef WIN32
+
+/* Set Debug privilege
+ * See: "How to obtain a handle to any process with SeDebugPrivilege"
+ * http://support.microsoft.com/kb/131065/en-us
+ */
+int w_os_win32_setdebugpriv(HANDLE h, int en)
+{
+    TOKEN_PRIVILEGES tp;
+    TOKEN_PRIVILEGES tpPrevious;
+    LUID luid;
+    DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
+
+    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
+        return (0);
+    }
+
+    tp.PrivilegeCount = 1;
+    tp.Privileges[0].Luid = luid;
+    tp.Privileges[0].Attributes = 0;
+
+    AdjustTokenPrivileges(h, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
+                          &tpPrevious, &cbPrevious);
+
+    if (GetLastError() != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    tpPrevious.PrivilegeCount = 1;
+    tpPrevious.Privileges[0].Luid = luid;
+
+    /* If en is set to true, we enable the privilege */
+    if (en) {
+        tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
+    } else {
+        tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
+                                                tpPrevious.Privileges[0].Attributes);
+    }
+
+    AdjustTokenPrivileges(h, FALSE, &tpPrevious, cbPrevious, NULL, NULL);
+    if (GetLastError() != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    return (1);
+}
+
+/* Get list of win32 processes */
+OSList *w_os_get_process_list()
+{
+    OSList *p_list = NULL;
+    HANDLE hsnap;
+    HANDLE hpriv;
+    PROCESSENTRY32 p_entry;
+    p_entry.dwSize = sizeof(PROCESSENTRY32);
+
+    /* Get token to enable Debug privilege */
+    if (!OpenThreadToken(GetCurrentThread(),
+                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hpriv)) {
+        if (GetLastError() == ERROR_NO_TOKEN) {
+            if (!ImpersonateSelf(SecurityImpersonation)) {
+                mterror(ARGV0, "os_get_win32_process_list -> ImpersonateSelf");
+                return (NULL);
+            }
+
+            if (!OpenThreadToken(GetCurrentThread(),
+                                 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
+                                 FALSE, &hpriv)) {
+                mterror(ARGV0, "os_get_win32_process_list -> OpenThread");
+                return (NULL) ;
+            }
+        } else {
+            mterror(ARGV0, "os_get_win32_process_list -> OpenThread");
+            return (NULL);
+        }
+    }
+
+    /* Enable debug privilege */
+    if (!w_os_win32_setdebugpriv(hpriv, 1)) {
+        mterror(ARGV0, "w_os_win32_setdebugpriv");
+        CloseHandle(hpriv);
+        return (NULL);
+    }
+
+    /* Make a snapshot of every process */
+    hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (hsnap == INVALID_HANDLE_VALUE) {
+        mterror(ARGV0, "CreateToolhelp32Snapshot");
+        return (NULL);
+    }
+
+    /* Get first and second processes -- system entries */
+    if (!Process32First(hsnap, &p_entry) && !Process32Next(hsnap, &p_entry )) {
+        mterror(ARGV0, "Process32First");
+        CloseHandle(hsnap);
+        return (NULL);
+    }
+
+    /* Create process list */
+    p_list = OSList_Create();
+    if (!p_list) {
+        CloseHandle(hsnap);
+        mterror(ARGV0, LIST_ERROR);
+        return (0);
+    }
+
+    /* Get each process name and path */
+    while (Process32Next( hsnap, &p_entry)) {
+        char *p_name;
+        char *p_path;
+        W_Proc_Info *p_info;
+
+        /* Set process name */
+        os_strdup(p_entry.szExeFile, p_name);
+
+        /* Get additional information from modules */
+        HANDLE hmod = INVALID_HANDLE_VALUE;
+        MODULEENTRY32 m_entry;
+        m_entry.dwSize = sizeof(MODULEENTRY32);
+
+        /* Snapshot of the process */
+        hmod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, p_entry.th32ProcessID);
+
+        if (hmod == INVALID_HANDLE_VALUE) {
+            os_strdup(p_name, p_path);
+        } else if (!Module32First(hmod, &m_entry)) {
+            /* Get executable path (first entry in the module list) */
+            CloseHandle(hmod);
+            os_strdup(p_name, p_path);
+        } else {
+            os_strdup(m_entry.szExePath, p_path);
+            CloseHandle(hmod);
+        }
+
+        os_calloc(1, sizeof(W_Proc_Info), p_info);
+        p_info->p_name = p_name;
+        p_info->p_path = p_path;
+        OSList_AddData(p_list, p_info);
+    }
+
+    /* Remove debug privileges */
+    w_os_win32_setdebugpriv(hpriv, 0);
+
+    CloseHandle(hsnap);
+    return (p_list);
+}
+
+typedef BOOL (WINAPI *LPFN_WOW64DISABLEWOW64FSREDIRECTION)(PVOID *OldValue);
+
+void SafeWow64DisableWow64FsRedirection(PVOID *oldValue) {
+    LPFN_WOW64DISABLEWOW64FSREDIRECTION Wow64DisableWow64FsRedirection = NULL;
+    HMODULE kernel32 = GetModuleHandle(TEXT("kernel32.dll"));
+    if (kernel32) {
+        Wow64DisableWow64FsRedirection = (LPFN_WOW64DISABLEWOW64FSREDIRECTION)GetProcAddress(kernel32, "Wow64DisableWow64FsRedirection");
+    }
+    if (Wow64DisableWow64FsRedirection) {
+        // The Wow64DisableWow64FsRedirection function is supported
+        Wow64DisableWow64FsRedirection(oldValue);
+    }
+}
+
+#endif
diff --git a/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.c b/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.c
new file mode 100644
index 0000000000..d982fdaa21
--- /dev/null
+++ b/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.c
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "os_utils_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_w_is_file(const char * const file) {
+    check_expected(file);
+    return mock();
+}
diff --git a/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.h b/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.h
new file mode 100644
index 0000000000..19fc049229
--- /dev/null
+++ b/src/common/os_utils/tests/unit/wrappers/os_utils_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef OS_UTILS_WRAPPERS_H
+#define OS_UTILS_WRAPPERS_H
+
+int __wrap_w_is_file(const char * const file);
+
+#endif
diff --git a/src/common/pipelineHelper/CMakeLists.txt b/src/common/pipelineHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/pipelineHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/pipelineHelper/include/pipelineNodesImp.h b/src/common/pipelineHelper/include/pipelineNodesImp.h
new file mode 100644
index 0000000000..36f9b6a3f8
--- /dev/null
+++ b/src/common/pipelineHelper/include/pipelineNodesImp.h
@@ -0,0 +1,89 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef PIPELINE_NODES_IMP_H
+#define PIPELINE_NODES_IMP_H
+#include <functional>
+#include "threadDispatcher.h"
+#include "pipelinePattern.h"
+
+namespace Utils
+{
+    template
+    <
+        typename Input,
+        typename Functor = std::function<void(const Input&)>,
+        template <class, class> class Dispatcher = SyncDispatcher
+        >
+    class ReadNode : public Dispatcher<Input, Functor>
+    {
+        public:
+            ReadNode(Functor functor)
+                : DispatcherType{ functor }
+            {}
+            ReadNode(Functor functor,
+                     const unsigned int numberOfThreads)
+                : DispatcherType{ functor, numberOfThreads, UNLIMITED_QUEUE_SIZE }
+            {}
+            // LCOV_EXCL_START
+            ~ReadNode() = default;
+            // LCOV_EXCL_STOP
+            void receive(const Input& data)
+            {
+                DispatcherType::push(data);
+            }
+        private:
+            using DispatcherType = Dispatcher<Input, Functor>;
+            using ReadNodeType = ReadNode<Input, Functor, Dispatcher>;
+    };
+
+    template
+    <
+        typename Input,
+        typename Output,
+        typename Reader,
+        typename Functor = std::function<Output(const Input&)>,
+        template <class, class> class Dispatcher = SyncDispatcher
+        >
+    class ReadWriteNode : public Utils::IPipelineWriter<Output, Reader>
+        , public Dispatcher<Input, std::function<void(const Input&)>>
+    {
+        public:
+            ReadWriteNode(Functor functor)
+                : DispatcherType{ std::bind(&RWNodeType::doTheWork, this, std::placeholders::_1) }
+                , m_functor{functor}
+            {}
+            ReadWriteNode(Functor functor,
+                          const unsigned int numberOfThreads)
+                : DispatcherType{ std::bind(&RWNodeType::doTheWork, this, std::placeholders::_1), numberOfThreads, UNLIMITED_QUEUE_SIZE }
+                , m_functor{functor}
+            {}
+            // LCOV_EXCL_START
+            ~ReadWriteNode() = default;
+            // LCOV_EXCL_STOP
+            void receive(const Input& data)
+            {
+                DispatcherType::push(data);
+            }
+        private:
+            using DispatcherType = Dispatcher<Input, std::function<void(const Input&)>>;
+            using RWNodeType = ReadWriteNode<Input, Output, Reader, Functor, Dispatcher>;
+            using WriterType = Utils::IPipelineWriter<Output, Reader>;
+
+            void doTheWork(const Input& data)
+            {
+                WriterType::send(m_functor(data));
+            }
+            Functor m_functor;
+    };
+}// namespace Utils
+
+#endif //PIPELINE_NODES_IMP_H
diff --git a/src/common/pipelineHelper/include/pipelinePattern.h b/src/common/pipelineHelper/include/pipelinePattern.h
new file mode 100644
index 0000000000..820555736b
--- /dev/null
+++ b/src/common/pipelineHelper/include/pipelinePattern.h
@@ -0,0 +1,98 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef PIPELINE_PATTERN_H
+#define PIPELINE_PATTERN_H
+#include <memory>
+#include <vector>
+#include <functional>
+#include "threadDispatcher.h"
+
+namespace Utils
+{
+    // /**
+    //  * @brief Pipeline Reader policy class minimun interface
+    //  * @details Receives messages from a Pipeline Writer class
+    //  *
+    //  * @tparam Type Message type to be received from a writer.
+    //  */
+    // template<typename Type>
+    // class PipeLineReader
+    // {
+    // public:
+    //  /**
+    //   * @brief Receives a message from a writer to be processed.
+    //   *
+    //   * @param data Message data
+    //   */
+    //  void receive(const Type& data);
+    // };
+
+    /**
+     * @brief Pipeline Writer interface
+     * @details Base class for Write nodes in the pipeline.
+     *
+     * @tparam T Message type to be sent to readers in the pipeline.
+     * @tparam Reader Type of the readers that will be chained with the writer.
+     */
+    template<typename T, typename Reader>
+    class IPipelineWriter
+    {
+        protected:
+            /**
+             * @brief Sends a message to all the chained readers in the pipeline.
+             *
+             * @param data Message data to be sent to readers.
+             */
+            void send(const T& data)
+            {
+                for (const auto& reader : m_readers)
+                {
+                    reader->receive(data);
+                }
+            }
+        public:
+            // LCOV_EXCL_START
+            virtual ~IPipelineWriter() = default;
+            // LCOV_EXCL_STOP
+            /**
+             * @brief Adds a reader to the chain.
+             *
+             * @param reader shared_ptr to the reader to be added.
+             */
+            void addReader(std::shared_ptr<Reader>& reader)
+            {
+                m_readers.push_back(reader);
+            }
+        private:
+            std::vector<std::shared_ptr<Reader>> m_readers;
+    };
+
+    /**
+     * @brief Helper function to connect nodes in the pipeline.
+     * @details Write class should accept Reader class. Compile time checked.
+     *
+     * @tparam Writer Writer class. Should expose an addReader method.
+     * @tparam Reader Reader class.
+     * @param writer Writer instance.
+     * @param reader Reader instance.
+     */
+    template<typename Writer, typename Reader>
+    void connect(std::shared_ptr<Writer> writer, std::shared_ptr<Reader> reader)
+    {
+        if (writer && reader)
+        {
+            writer->addReader(reader);
+        }
+    }
+}//namespace Utils
+
+#endif //PIPELINE_PATTERN_H
\ No newline at end of file
diff --git a/src/common/pipelineHelper/tests/CMakeLists.txt b/src/common/pipelineHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..89ca78eb3d
--- /dev/null
+++ b/src/common/pipelineHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "pipelineNodes_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/pipelineHelper/tests/main.cpp b/src/common/pipelineHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/pipelineHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/pipelineHelper/tests/pipelineNodes_test.cpp b/src/common/pipelineHelper/tests/pipelineNodes_test.cpp
new file mode 100644
index 0000000000..a3de94f101
--- /dev/null
+++ b/src/common/pipelineHelper/tests/pipelineNodes_test.cpp
@@ -0,0 +1,190 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "pipelineNodes_test.h"
+#include "pipelineNodesImp.h"
+
+void PipelineNodesTest::SetUp() {};
+
+void PipelineNodesTest::TearDown() {};
+
+class FunctorWrapper
+{
+    public:
+        FunctorWrapper() = default;
+        ~FunctorWrapper() = default;
+        MOCK_METHOD(void, Operator, (const int), ());
+        void operator()(const int value)
+        {
+            Operator(value);
+        }
+        void receive(const int& value)
+        {
+            Operator(value);
+        }
+};
+
+template<typename R, typename RW>
+static void ReadWriteNodeBehaviour(FunctorWrapper& functor, std::shared_ptr<R>& spReadNode, std::shared_ptr<RW>& spReadWriteNode);
+
+template<typename T>
+static void ReadNodeBehaviour(FunctorWrapper& functor, T& rNode);
+
+using ReadIntNodeSync = Utils::ReadNode<int, std::reference_wrapper<FunctorWrapper>, Utils::SyncDispatcher>;
+using ReadWriteNodeSync = Utils::ReadWriteNode<std::string, int, ReadIntNodeSync>;
+
+using ReadIntNodeAsync = Utils::ReadNode<int, std::reference_wrapper<FunctorWrapper>, Utils::AsyncDispatcher>;
+using ReadWriteNodeAsync = Utils::ReadWriteNode<std::string, int, ReadIntNodeAsync>;
+
+TEST_F(PipelineNodesTest, ReadNodeAsync)
+{
+    FunctorWrapper functor;
+    ReadIntNodeAsync rNode{ std::ref(functor) };
+
+    ReadNodeBehaviour(functor, rNode);
+}
+
+TEST_F(PipelineNodesTest, ReadNodeAsyncMultiThread)
+{
+    FunctorWrapper functor;
+    const unsigned int s_numberOfThreads{ 2 };
+    ReadIntNodeAsync rNode{ std::ref(functor), s_numberOfThreads };
+
+    ReadNodeBehaviour(functor, rNode);
+
+    EXPECT_EQ(s_numberOfThreads, rNode.numberOfThreads());
+}
+
+TEST_F(PipelineNodesTest, ReadNodeSync)
+{
+    FunctorWrapper functor;
+    ReadIntNodeSync rNode{ std::ref(functor) };
+
+    ReadNodeBehaviour(functor, rNode);
+}
+
+TEST_F(PipelineNodesTest, ReadNodeSyncMultiThread)
+{
+    FunctorWrapper functor;
+    const unsigned int s_numberOfThreads{ 2 };
+    ReadIntNodeSync rNode{ std::ref(functor), s_numberOfThreads };
+
+    ReadNodeBehaviour(functor, rNode);
+
+    EXPECT_EQ(0u, rNode.numberOfThreads());
+}
+
+TEST_F(PipelineNodesTest, ReadWriteNodeAsync)
+{
+    FunctorWrapper functor;
+    auto spReadNode
+    {
+        std::make_shared<ReadIntNodeAsync>(std::ref(functor))
+    };
+    auto spReadWriteNode
+    {
+        std::make_shared<ReadWriteNodeAsync>([](const std::string & value)
+        {
+            return std::stoi(value);
+        })
+    };
+
+    ReadWriteNodeBehaviour(functor, spReadNode, spReadWriteNode);
+}
+
+TEST_F(PipelineNodesTest, ReadWriteNodeSync)
+{
+    FunctorWrapper functor;
+    auto spReadNode
+    {
+        std::make_shared<ReadIntNodeSync>(std::ref(functor))
+    };
+    auto spReadWriteNode
+    {
+        std::make_shared<ReadWriteNodeSync>([](const std::string & value)
+        {
+            return std::stoi(value);
+        })
+    };
+
+    ReadWriteNodeBehaviour(functor, spReadNode, spReadWriteNode);
+}
+
+TEST_F(PipelineNodesTest, ConnectInvalidPtrs1)
+{
+    std::shared_ptr<Utils::ReadNode<int>> spReadNode;
+    std::shared_ptr<Utils::ReadWriteNode<int, int, Utils::ReadNode<int>>> spReadWriteNode;
+    EXPECT_NO_THROW(Utils::connect(spReadWriteNode, spReadNode));
+}
+
+TEST_F(PipelineNodesTest, ConnectInvalidPtrs2)
+{
+    const auto spReadNode
+    {
+        std::make_shared<Utils::ReadNode<int>>([](const int&) {})
+    };
+    std::shared_ptr<Utils::ReadWriteNode<int, int, Utils::ReadNode<int>>> spReadWriteNode;
+    EXPECT_NO_THROW(Utils::connect(spReadWriteNode, spReadNode));
+}
+
+TEST_F(PipelineNodesTest, ConnectInvalidPtrs3)
+{
+    std::shared_ptr<Utils::ReadNode<int>> spReadNode;
+    const auto spReadWriteNode
+    {
+        std::make_shared<Utils::ReadWriteNode<int, int, Utils::ReadNode<int>>>([](const int&)
+        {
+            return 0;
+        })
+    };
+    EXPECT_NO_THROW(Utils::connect(spReadWriteNode, spReadNode));
+}
+
+template<typename T>
+static void ReadNodeBehaviour(FunctorWrapper& functor, T& rNode)
+{
+    for (int i = 0; i < 10; ++i)
+    {
+        EXPECT_CALL(functor, Operator(i));
+    }
+
+    for (int i = 0; i < 10; ++i)
+    {
+        rNode.receive(i);
+    }
+
+    rNode.rundown();
+    EXPECT_TRUE(rNode.cancelled());
+    EXPECT_EQ(0ul, rNode.size());
+}
+
+template<typename R, typename RW>
+static void ReadWriteNodeBehaviour(FunctorWrapper& functor, std::shared_ptr<R>& spReadNode, std::shared_ptr<RW>& spReadWriteNode)
+{
+    Utils::connect(spReadWriteNode, spReadNode);
+
+    for (int i = 0; i < 10; ++i)
+    {
+        EXPECT_CALL(functor, Operator(i));
+    }
+
+    for (int i = 0; i < 10; ++i)
+    {
+        spReadWriteNode->receive(std::to_string(i));
+    }
+
+    spReadWriteNode->rundown();
+    EXPECT_EQ(0ul, spReadWriteNode->size());
+    EXPECT_TRUE(spReadWriteNode->cancelled());
+    spReadNode->rundown();
+    EXPECT_EQ(0ul, spReadNode->size());
+    EXPECT_TRUE(spReadNode->cancelled());
+}
\ No newline at end of file
diff --git a/src/common/pipelineHelper/tests/pipelineNodes_test.h b/src/common/pipelineHelper/tests/pipelineNodes_test.h
new file mode 100644
index 0000000000..95f5cf8f29
--- /dev/null
+++ b/src/common/pipelineHelper/tests/pipelineNodes_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef PIPELINE_NODE_TESTS_H
+#define PIPELINE_NODE_TESTS_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class PipelineNodesTest : public ::testing::Test
+{
+    protected:
+
+        PipelineNodesTest() = default;
+        virtual ~PipelineNodesTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //PIPELINE_NODE_TESTS_H
\ No newline at end of file
diff --git a/src/modules/azure/scripts/azure.py b/src/common/privsep_op/CMakeLists.txt
similarity index 100%
rename from src/modules/azure/scripts/azure.py
rename to src/common/privsep_op/CMakeLists.txt
diff --git a/src/common/privsep_op/include/privsep_op.h b/src/common/privsep_op/include/privsep_op.h
new file mode 100644
index 0000000000..57af0d7774
--- /dev/null
+++ b/src/common/privsep_op/include/privsep_op.h
@@ -0,0 +1,108 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions for privilege separation */
+
+#ifndef PRIV_H
+#define PRIV_H
+
+#include "shared.h"
+
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+#define w_ctime(x,y,z) ctime_r(x,y,z)
+#else
+#define w_ctime(x,y,z) ctime_r(x,y)
+#endif
+
+/**
+ * @brief Find a user by name
+ *
+ * This is a wrapper of getpwnam_r().
+ *
+ * @param name Name of the user.
+ * @param pwd Destination password structure.
+ * @param buf Context buffer.
+ * @param buflen Length of buffer.
+ * @return Pointer to pwd, on success.
+ * @retval NULL on failure.
+ * @post errno is set on failure.
+ */
+struct passwd *w_getpwnam(const char *name, struct passwd *pwd, char *buf, size_t buflen);
+
+/**
+ * @brief Find a user by UID
+ *
+ * This is a wrapper of getpwid_r().
+ *
+ * @param name Name of the user.
+ * @param pwd Destination password structure.
+ * @param buf Context buffer.
+ * @param buflen Length of buffer.
+ * @return Pointer to pwd, on success.
+ * @retval NULL on failure.
+ * @post errno is set on failure.
+ */
+struct passwd *w_getpwuid(uid_t  uid, struct  passwd  *pwd, char *buf, int  buflen);
+
+/**
+ * @brief Find a group by name
+ *
+ * This is a wrapper of getgrnam_r().
+ *
+ * @param name Name of the group.
+ * @param grp Destination group structure.
+ * @param buf Context buffer.
+ * @param buflen Length of buffer.
+ * @return Pointer to grp, on success.
+ * @retval NULL on failure.
+ * @post errno is set on failure.
+ */
+struct group  *w_getgrnam(const char *name, struct group *grp, char *buf, int buflen);
+
+/**
+ * @brief Find a group by GID
+ *
+ * This is a wrapper of getgrid_r().
+ *
+ * @param name Name of the group.
+ * @param grp Destination group structure.
+ * @param buf Context buffer.
+ * @param buflen Length of buffer.
+ * @return Pointer to grp, on success.
+ * @retval NULL on failure.
+ * @post errno is set on failure.
+ */
+struct group *w_getgrgid(gid_t gid, struct group *grp,  char *buf, int buflen);
+
+/**
+ * @brief Find a UID by user name
+ * @param name Name of the user.
+ * @return UID of the user, if found.
+ * @retval -1 user not found.
+ */
+uid_t Privsep_GetUser(const char *name) __attribute__((nonnull));
+
+/**
+ * @brief Find a GID by group name
+ * @param name Name of the group.
+ * @return GID of the group, if found.
+ * @retval -1 group not found.
+ */
+gid_t Privsep_GetGroup(const char *name) __attribute__((nonnull));
+
+int Privsep_SetUser(uid_t uid);
+
+int Privsep_SetGroup(gid_t gid);
+
+int Privsep_Chroot(const char *path) __attribute__((nonnull));
+
+#endif /* PRIV_H */
diff --git a/src/common/privsep_op/src/privsep_op.c b/src/common/privsep_op/src/privsep_op.c
new file mode 100644
index 0000000000..e7e0391565
--- /dev/null
+++ b/src/common/privsep_op/src/privsep_op.c
@@ -0,0 +1,185 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions for privilege separation */
+
+#ifndef WIN32
+
+#include <stdio.h>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "privsep_op.h"
+#include "headers/os_err.h"
+
+struct passwd *w_getpwnam(const char *name, struct passwd *pwd, char *buf, size_t buflen) {
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+    return getpwnam_r(name, pwd, buf, buflen);
+#else
+    struct passwd *result = NULL;
+    int retval = getpwnam_r(name, pwd, buf, buflen, &result);
+
+    if (result == NULL) {
+        errno = retval;
+    }
+
+    return result;
+#endif
+}
+
+struct passwd *w_getpwuid(uid_t uid, struct  passwd  *pwd, char *buf, int  buflen) {
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+    return getpwuid_r(uid, pwd, buf, buflen);
+#else
+    struct passwd *result = NULL;
+    int retval = getpwuid_r(uid, pwd, buf, buflen, &result);
+
+    if (result == NULL) {
+        errno = retval;
+    }
+
+    return result;
+#endif
+}
+
+struct group *w_getgrnam(const  char  *name,  struct group *grp, char *buf, int buflen) {
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+    return getgrnam_r(name, grp, buf, buflen);
+#else
+    struct group *result = NULL;
+    int retval = getgrnam_r(name, grp, buf, buflen, &result);
+
+    if (result == NULL) {
+        errno = retval;
+    }
+
+    return result;
+#endif
+}
+
+struct group *w_getgrgid(gid_t gid, struct group *grp,  char *buf, int buflen) {
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+    return getgrgid_r(gid, grp, buf, buflen);
+#else
+    struct group *result = NULL;
+    int retval = getgrgid_r(gid, grp, buf, buflen, &result);
+
+    if (result == NULL) {
+        errno = retval;
+    }
+
+    return result;
+#endif
+}
+
+uid_t Privsep_GetUser(const char *name)
+{
+    long int len =  sysconf(_SC_GETPW_R_SIZE_MAX);
+    len = len > 0 ? len : 1024;
+    struct passwd pw = { .pw_name = NULL };
+    char *buffer = NULL;
+    struct passwd *result = NULL;
+    uid_t pw_uid;
+
+    do {
+        os_realloc(buffer, len, buffer);
+        result = w_getpwnam(name, &pw, buffer, len);
+    } while (result == NULL && errno == ERANGE && (len *= 2) <= OS_MAXSTR);
+
+    pw_uid = result ? result->pw_uid : (uid_t)OS_INVALID;
+    os_free(buffer);
+
+    return pw_uid;
+}
+
+gid_t Privsep_GetGroup(const char *name)
+{
+    struct group grp = { .gr_name = NULL };
+    long int len = sysconf(_SC_GETGR_R_SIZE_MAX);
+    len = len > 0 ? len : 1024;
+    struct group *result = NULL;
+    char *buffer = NULL;
+    gid_t gr_gid;
+
+
+    do {
+        os_realloc(buffer, len, buffer);
+        result = w_getgrnam(name, &grp, buffer, len);
+    } while (result == NULL && errno == ERANGE && (len *= 2) <= OS_MAXSTR);
+
+    gr_gid = result ? result->gr_gid : (uid_t)OS_INVALID;
+    os_free(buffer);
+
+    return gr_gid;
+}
+
+int Privsep_SetUser(uid_t uid)
+{
+    if (setuid(uid) < 0) {
+        return (OS_INVALID);
+    }
+
+#ifndef HPUX
+    if (seteuid(uid) < 0) {
+        return (OS_INVALID);
+    }
+#endif
+
+    return (OS_SUCCESS);
+}
+
+int Privsep_SetGroup(gid_t gid)
+{
+    if (setgroups(1, &gid) == -1) {
+        return (OS_INVALID);
+    }
+
+#ifndef HPUX
+    if (setegid(gid) < 0) {
+        return (OS_INVALID);
+    }
+#endif
+
+    if (setgid(gid) < 0) {
+        return (OS_INVALID);
+    }
+
+    return (OS_SUCCESS);
+}
+
+int Privsep_Chroot(const char *path)
+{
+    if (chdir(path) < 0) {
+        return (OS_INVALID);
+    }
+
+    if (chroot(path) < 0) {
+        return (OS_INVALID);
+    }
+
+    if (chdir("/") < 0) {
+        return (OS_INVALID);
+    }
+
+    nowChroot();
+    return (OS_SUCCESS);
+}
+
+#endif /* !WIN32 */
diff --git a/src/common/privsep_op/tests/unit/tests/CMakeLists.txt b/src/common/privsep_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..d633aa3a52
--- /dev/null
+++ b/src/common/privsep_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,46 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_privsep_op")
+list(APPEND shared_tests_flags "-Wl,--wrap=sysconf,--wrap=getpwnam_r,--wrap=getgrnam_r,--wrap=getpid")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/privsep_op/tests/unit/tests/test_privsep_op.c b/src/common/privsep_op/tests/unit/tests/test_privsep_op.c
new file mode 100644
index 0000000000..9dc0494489
--- /dev/null
+++ b/src/common/privsep_op/tests/unit/tests/test_privsep_op.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <pwd.h>
+#include <grp.h>
+
+#include "../wrappers/posix/grp_wrappers.h"
+#include "../wrappers/posix/pwd_wrappers.h"
+#include "../headers/privsep_op.h"
+
+static void test_GetUser_success(void ** state) {
+    will_return(__wrap_sysconf, 1024);
+    uid_t uid = Privsep_GetUser("wazuh");
+    assert_int_equal(uid, 1000);
+}
+
+static void test_GetUser_success_extend(void ** state) {
+    will_return(__wrap_sysconf, 512);
+    uid_t uid = Privsep_GetUser("wazuh");
+    assert_int_equal(uid, 1000);
+}
+
+static void test_GetUser_failure(void ** state) {
+    will_return(__wrap_sysconf, 1024);
+    uid_t uid = Privsep_GetUser("other");
+    assert_int_equal(uid, (uid_t)-1);
+}
+
+static void test_GetGroup_success(void ** state) {
+    will_return(__wrap_sysconf, 1024);
+    uid_t uid = Privsep_GetGroup("wazuh");
+    assert_int_equal(uid, 1000);
+}
+
+static void test_GetGroup_success_extend(void ** state) {
+    will_return(__wrap_sysconf, 512);
+    uid_t uid = Privsep_GetGroup("wazuh");
+    assert_int_equal(uid, 1000);
+}
+
+static void test_GetGroup_failure(void ** state) {
+    will_return(__wrap_sysconf, 1024);
+    uid_t uid = Privsep_GetGroup("other");
+    assert_int_equal(uid, (uid_t)-1);
+}
+
+int main() {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_GetUser_success),
+        cmocka_unit_test(test_GetUser_success_extend),
+        cmocka_unit_test(test_GetUser_failure),
+        cmocka_unit_test(test_GetGroup_success),
+        cmocka_unit_test(test_GetGroup_success_extend),
+        cmocka_unit_test(test_GetGroup_failure),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.c b/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.c
new file mode 100644
index 0000000000..b6365274ea
--- /dev/null
+++ b/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.c
@@ -0,0 +1,53 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "privsep_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <string.h>
+
+#ifndef WIN32
+struct group *__wrap_w_getgrgid(gid_t gid, struct group *grp, char *buf, int buflen) {
+    struct group *mock_grp;
+    char *mock_buf;
+    check_expected(gid);
+
+    mock_grp = mock_type(struct group *);
+
+    if (mock_grp && grp) {
+        memcpy(grp, mock_grp, sizeof(char **) + 2 * sizeof(char *) + sizeof(gid_t));
+    }
+
+    mock_buf = mock_type(char *);
+    if (mock_buf && buf) {
+        strncpy(buf, mock_buf, buflen);
+    }
+
+    if (mock()) {
+        return grp;
+    } else {
+        return NULL;
+    }
+}
+#endif
+
+int __wrap_Privsep_GetUser(const char *name) {
+    check_expected(name);
+
+    return mock();
+}
+
+int __wrap_Privsep_GetGroup(const char *name) {
+    check_expected(name);
+
+    return mock();
+}
diff --git a/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.h b/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.h
new file mode 100644
index 0000000000..e3ea50f177
--- /dev/null
+++ b/src/common/privsep_op/tests/unit/wrappers/privsep_op_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PRIVSEP_OP_WRAPPERS_H
+#define PRIVSEP_OP_WRAPPERS_H
+
+#ifndef WIN32
+#include <pwd.h>
+
+struct group *__wrap_w_getgrgid(gid_t gid, struct group *grp,  char *buf, int buflen);
+#endif
+
+int __wrap_Privsep_GetUser(const char *name);
+
+int __wrap_Privsep_GetGroup(const char *name);
+
+#endif
diff --git a/src/modules/azure/src/azure.c b/src/common/pthreads_op/CMakeLists.txt
similarity index 100%
rename from src/modules/azure/src/azure.c
rename to src/common/pthreads_op/CMakeLists.txt
diff --git a/src/common/pthreads_op/include/pthreads_op.h b/src/common/pthreads_op/include/pthreads_op.h
new file mode 100644
index 0000000000..58598afd17
--- /dev/null
+++ b/src/common/pthreads_op/include/pthreads_op.h
@@ -0,0 +1,42 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef PTHREADS_OP_H
+#define PTHREADS_OP_H
+
+#ifndef WIN32
+#define w_create_thread(x, y) if (!CreateThread((void * (*) (void *))x, y)) merror_exit(THREAD_ERROR);
+#else
+#define w_create_thread(x, y, z, a, b, c) ({HANDLE hd; if (!(hd = CreateThread(x,y,z,a,b,c))) merror_exit(THREAD_ERROR); hd;})
+#endif
+#define w_mutex_init(x, y) { int error = pthread_mutex_init(x, y); if (error) merror_exit("At pthread_mutex_init(): %s", strerror(error)); }
+#define w_mutex_lock(x) { int error = pthread_mutex_lock(x); if (error) merror_exit("At pthread_mutex_lock(): %s", strerror(error)); }
+#define w_mutex_unlock(x) { int error = pthread_mutex_unlock(x); if (error) merror_exit("At pthread_mutex_unlock(): %s", strerror(error)); }
+#define w_mutex_destroy(x) { int error = pthread_mutex_destroy(x); if (error) merror_exit("At pthread_mutex_destroy(): %s", strerror(error)); }
+#define w_cond_init(x, y) { int error = pthread_cond_init(x, y); if (error) merror_exit("At pthread_cond_init(): %s", strerror(error)); }
+#define w_cond_wait(x, y) { int error = pthread_cond_wait(x, y); if (error) merror_exit("At pthread_cond_wait(): %s", strerror(error)); }
+#define w_cond_signal(x) { int error = pthread_cond_signal(x); if (error) merror_exit("At pthread_cond_signal(): %s", strerror(error)); }
+#define w_cond_broadcast(x) { int error = pthread_cond_broadcast(x); if (error) merror_exit("At pthread_cond_broadcast(): %s", strerror(error)); }
+#define w_cond_destroy(x) { int error = pthread_cond_destroy(x); if (error) merror_exit("At pthread_cond_destroy(): %s", strerror(error)); }
+#define w_rwlock_init(x, y) { int error = pthread_rwlock_init(x, y); if (error) merror_exit("At pthread_rwlock_init(): %s", strerror(error)); }
+#define w_rwlock_rdlock(x) { int error = pthread_rwlock_rdlock(x); if (error) merror_exit("At pthread_rwlock_rdlock(): %s", strerror(error)); }
+#define w_rwlock_wrlock(x) { int error = pthread_rwlock_wrlock(x); if (error) merror_exit("At pthread_rwlock_wrlock(): %s", strerror(error)); }
+#define w_rwlock_unlock(x) { int error = pthread_rwlock_unlock(x); if (error) merror_exit("At pthread_rwlock_unlock(): %s", strerror(error)); }
+#define w_rwlock_destroy(x) { int error = pthread_rwlock_destroy(x); if (error) merror_exit("At pthread_rwlock_destroy(" #x "): %s", strerror(error)); }
+#define w_mutexattr_init(x) { int error = pthread_mutexattr_init(x); if (error) merror_exit("At pthread_mutexattr_init(): %s", strerror(error)); }
+#define w_mutexattr_settype(x, y) { int error = pthread_mutexattr_settype(x, y); if (error) merror_exit("At pthread_mutexattr_settype(): %s", strerror(error)); }
+#define w_mutexattr_destroy(x) { int error = pthread_mutexattr_destroy(x); if (error) merror_exit("At pthread_mutexattr_destroy(): %s", strerror(error)); }
+
+#ifndef WIN32
+int CreateThread(void * (*function_pointer)(void *), void * data) __attribute__((nonnull(1)));
+int CreateThreadJoinable(pthread_t *lthread, void * (*function_pointer)(void *), void *data);
+#endif
+
+#endif
diff --git a/src/common/pthreads_op/src/pthreads_op.c b/src/common/pthreads_op/src/pthreads_op.c
new file mode 100644
index 0000000000..3d379e47a6
--- /dev/null
+++ b/src/common/pthreads_op/src/pthreads_op.c
@@ -0,0 +1,74 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+#include "shared.h"
+#include <pthread.h>
+#include <sys/resource.h>
+
+/* Create a new thread and give the argument passed to the function
+ * Returns 0 on success or -1 on error
+ */
+
+int CreateThreadJoinable(pthread_t *lthread, void * (*function_pointer)(void *), void *data)
+{
+    pthread_attr_t attr;
+    size_t read_size = 0;
+    size_t stacksize = 0;
+    int ret = 0;
+
+    if (pthread_attr_init(&attr)) {
+        merror(THREAD_ERROR " Cannot initialize attributes.");
+        return -1;
+    }
+
+    read_size = 1024 * (size_t)getDefine_Int("wazuh", "thread_stack_size", 2048, 65536);
+
+    /* Set the maximum stack limit to new threads */
+    if (pthread_attr_setstacksize(&attr, read_size)) {
+        merror(THREAD_ERROR " Cannot set stack size to %d KB.", (int)read_size);
+        return -1;
+    }
+
+    if (pthread_attr_getstacksize(&attr, &stacksize)) {
+        merror(THREAD_ERROR " Cannot confirm stack size setting.");
+        return -1;
+    }
+
+    mdebug2("Thread stack size set to: %d KiB", (int)stacksize / 1024);
+
+    ret = pthread_create(lthread, &attr, function_pointer, (void *)data);
+    if (ret != 0) {
+        merror(THREAD_ERROR " %s (%d)", strerror(ret), ret);
+        return -1;
+    }
+
+    pthread_attr_destroy(&attr);
+
+    return (0);
+}
+
+int CreateThread(void * (*function_pointer)(void *), void *data)
+{
+    pthread_t lthread;
+
+    if (CreateThreadJoinable(&lthread, function_pointer, data) < 0) {
+        return 0;
+    }
+
+    if (pthread_detach(lthread) != 0) {
+        merror(THREAD_ERROR " Cannot detach thread.");
+        return 0;
+    }
+
+    return 1;
+}
+
+#endif /* !WIN32 */
diff --git a/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.c b/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.c
new file mode 100644
index 0000000000..2634572188
--- /dev/null
+++ b/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.c
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "pthreads_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_CreateThread(__attribute__((unused)) void * (*function_pointer)(void *),
+                        __attribute__((unused))  void *data) {
+    return 1;
+}
diff --git a/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.h b/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.h
new file mode 100644
index 0000000000..1ea97bb6aa
--- /dev/null
+++ b/src/common/pthreads_op/tests/unit/wrappers/pthreads_op_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PTHREADS_OP_WRAPPERS_H
+#define PTHREADS_OP_WRAPPERS_H
+
+int __wrap_CreateThread(void * (*function_pointer)(void *), void *data);
+
+#endif
diff --git a/src/modules/docker/include/docker.h b/src/common/queue_op/CMakeLists.txt
similarity index 100%
rename from src/modules/docker/include/docker.h
rename to src/common/queue_op/CMakeLists.txt
diff --git a/src/common/queue_op/include/queue_op.h b/src/common/queue_op/include/queue_op.h
new file mode 100644
index 0000000000..c0c5ce93b5
--- /dev/null
+++ b/src/common/queue_op/include/queue_op.h
@@ -0,0 +1,126 @@
+/*
+ * Queue (abstract data type)
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 2, 2017
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/**
+ * Library that creates a circular buffer where items
+ * are pushed and poped following the FIFO (First In, First Out)
+ * principle.
+ * */
+#ifndef QUEUE_OP_H
+#define QUEUE_OP_H
+
+#include <pthread.h>
+
+/**
+ * queue main structure 
+ * */
+typedef struct w_queue_s {
+    void ** data; ///> Pointer to the circular buffer
+    size_t begin; ///> Stores the index of the next empty space
+    size_t end;   ///> Stores the index of the next element
+    size_t size;  ///> Size of the queue
+    pthread_mutex_t mutex; ///> mutex for mutual exclusion
+    pthread_cond_t available; ///> condition variable when queue is empty
+    pthread_cond_t available_not_empty; ///> Condition variable when queue is full
+    unsigned int elements; ///> counts the number of elements stored in the queue
+} w_queue_t;
+
+/**
+ * @brief Initializes a new queue structure
+ * 
+ * @param n size of the circular queue (fits n - 1 elements)
+ * @return initialize queue structure
+ * */
+w_queue_t * queue_init(size_t n);
+
+/**
+ * @brief Frees an existent queue
+ * 
+ * @param queue 
+ * */
+void queue_free(w_queue_t * queue);
+
+/**
+ * @brief Evaluates whether the queue is full or not
+ * 
+ * @param queue
+ * @return 1 if true, 0 if false
+ * */
+int queue_full(const w_queue_t * queue);
+
+/**
+ * @brief Evaluates whether the queue is empty or not
+ * 
+ * @param queue
+ * @return 1 if true, 0 if false
+ * */
+int queue_empty(const w_queue_t * queue);
+
+/** 
+ * @brief Tries to insert an element into the queue
+ * 
+ * @param queue the queue
+ * @param data data to be inserted
+ * @return -1 if queue is full
+ *          0 on success
+ * */
+int queue_push(w_queue_t * queue, void * data);
+
+/** 
+ * @brief Same as queue_push but with mutual exclusion 
+ * for multithreaded applications
+ * 
+ * @param queue the queue
+ * @param data data to be inserted
+ * @return -1 if queue is full
+ *          0 on success
+ * */
+int queue_push_ex(w_queue_t * queue, void * data);
+
+/** 
+ * @brief Same as queue_push_ex but if queue is full will
+ * wait until there is space for the element (THREAD BLOCK)
+ * 
+ * @param queue the queue
+ * @param data data to be inserted
+ * @return 0 always
+ * */
+int queue_push_ex_block(w_queue_t * queue, void * data);
+
+/**
+ * @brief Retrieves next item in the queue
+ * 
+ * @param queue the queue
+ * @return element if queue has a next
+ *         NULL if queue is empty
+ * */
+void * queue_pop(w_queue_t * queue);
+
+/**
+ * @brief Same as queue_pop but with mutual exclusion 
+ * for multithreaded applications. If queue is empty THREAD WILL BLOCK
+ * 
+ * @param queue the queue
+ * @return next element in the queue
+ * */
+void * queue_pop_ex(w_queue_t * queue);
+
+/**
+ * @brief Same as queue_pop_ex but with a configured timeout for the
+ * wait. If queue is empty THREAD WILL BLOCK
+ * 
+ * @param queue the queue
+ * @param abstime timeout specification
+ * @return next element in the queue
+ * */
+void * queue_pop_ex_timedwait(w_queue_t * queue, const struct timespec * abstime);
+
+#endif // QUEUE_OP_H
diff --git a/src/common/queue_op/src/queue_op.c b/src/common/queue_op/src/queue_op.c
new file mode 100644
index 0000000000..a6ad67f7a8
--- /dev/null
+++ b/src/common/queue_op/src/queue_op.c
@@ -0,0 +1,130 @@
+/*
+ * Queue (abstract data type)
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 2, 2017
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+
+w_queue_t * queue_init(size_t size) {
+    w_queue_t * queue;
+    os_calloc(1, sizeof(w_queue_t), queue);
+    os_malloc(size * sizeof(void *), queue->data);
+    queue->size = size;
+    queue->elements = 0;
+    w_mutex_init(&queue->mutex, NULL);
+    w_cond_init(&queue->available, NULL);
+    w_cond_init(&queue->available_not_empty, NULL);
+    return queue;
+}
+
+void queue_free(w_queue_t * queue) {
+    if (queue) {
+        free(queue->data);
+        w_mutex_destroy(&queue->mutex);
+        w_cond_destroy(&queue->available);
+        w_cond_destroy(&queue->available_not_empty);
+        free(queue);
+    }
+}
+
+int queue_full(const w_queue_t * queue) {
+    return (queue->begin + 1) % queue->size == queue->end;
+}
+
+int queue_empty(const w_queue_t * queue) {
+    return queue->begin == queue->end;
+}
+
+int queue_push(w_queue_t * queue, void * data) {
+    if (queue_full(queue)) {
+        return -1;
+    } else {
+        queue->data[queue->begin] = data;
+        queue->begin = (queue->begin + 1) % queue->size;
+        queue->elements++;
+        return 0;
+    }
+}
+
+int queue_push_ex(w_queue_t * queue, void * data) {
+    int result;
+
+    w_mutex_lock(&queue->mutex);
+
+    if (result = queue_push(queue, data), result == 0) {
+        w_cond_signal(&queue->available);
+    }
+
+    w_mutex_unlock(&queue->mutex);
+    return result;
+}
+
+int queue_push_ex_block(w_queue_t * queue, void * data) {
+    int result;
+
+    w_mutex_lock(&queue->mutex);
+
+    while (result = queue_full(queue), result) {
+        w_cond_wait(&queue->available_not_empty, &queue->mutex);
+    }
+
+    result = queue_push(queue,data);
+
+    w_cond_signal(&queue->available_not_empty);
+    w_cond_signal(&queue->available);
+    w_mutex_unlock(&queue->mutex);
+
+    return result;
+}
+
+void * queue_pop(w_queue_t * queue) {
+    void * data;
+
+    if (queue_empty(queue)) {
+        return NULL;
+    } else {
+        data = queue->data[queue->end];
+        queue->end = (queue->end + 1) % queue->size;
+        queue->elements--;
+        return data;
+    }
+}
+
+void * queue_pop_ex(w_queue_t * queue) {
+    void * data;
+
+    w_mutex_lock(&queue->mutex);
+
+    while (data = queue_pop(queue), !data) {
+        w_cond_wait(&queue->available, &queue->mutex);
+    }
+
+    w_cond_signal(&queue->available_not_empty);
+    w_mutex_unlock(&queue->mutex);
+
+    return data;
+}
+
+void * queue_pop_ex_timedwait(w_queue_t * queue, const struct timespec * abstime) {
+    void * data;
+
+    w_mutex_lock(&queue->mutex);
+
+    while (data = queue_pop(queue), !data) {
+        if (pthread_cond_timedwait(&queue->available, &queue->mutex, abstime) != 0) {
+            w_mutex_unlock(&queue->mutex);
+            return NULL;
+        }
+    }
+
+    w_cond_signal(&queue->available_not_empty);
+    w_mutex_unlock(&queue->mutex);
+
+    return data;
+}
diff --git a/src/common/queue_op/tests/unit/tests/CMakeLists.txt b/src/common/queue_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..5b91ffb5f8
--- /dev/null
+++ b/src/common/queue_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,54 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_queue_op")
+set(QUEUE_OP_BASE_FLAGS "-Wl,--wrap=pthread_mutex_lock,--wrap=pthread_mutex_unlock,--wrap=pthread_cond_wait \
+                         -Wl,--wrap=pthread_cond_signal,--wrap=pthread_cond_timedwait")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${QUEUE_OP_BASE_FLAGS} -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${QUEUE_OP_BASE_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/queue_op/tests/unit/tests/test_queue_op.c b/src/common/queue_op/tests/unit/tests/test_queue_op.c
new file mode 100644
index 0000000000..d1241c5763
--- /dev/null
+++ b/src/common/queue_op/tests/unit/tests/test_queue_op.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "shared.h"
+
+static const int QUEUE_SIZE = 5;
+static void (*callback_ptr)(void) = NULL;
+static w_queue_t *queue_ptr = NULL; // Local ptr to queue
+/****************SETUP/TEARDOWN******************/
+int setup_queue(void **state) {
+    w_queue_t *queue = queue_init(QUEUE_SIZE);
+    *state = queue;
+    queue_ptr = queue;
+    return 0;
+}
+
+int teardown_queue(void **state) {
+    w_queue_t *queue = *state;
+    queue_free(queue);
+    callback_ptr = NULL;
+    queue_ptr = NULL;
+    return 0;
+}
+
+//Unlocks blocked queue
+void callback_queue_pop_ex() {
+    queue_pop_ex(queue_ptr);
+}
+
+void callback_queue_push_ex() {
+    int *ptr = malloc(sizeof(int));
+    *ptr = 0;
+    queue_push_ex(queue_ptr, ptr);
+}
+/*****************WRAPS********************/
+int __wrap_pthread_mutex_lock(pthread_mutex_t *mutex) {
+    check_expected_ptr(mutex);
+    return 0;
+}
+
+int __wrap_pthread_mutex_unlock(pthread_mutex_t *mutex) {
+    check_expected_ptr(mutex);
+    return 0;
+}
+
+int __wrap_pthread_cond_wait(pthread_cond_t *cond,pthread_mutex_t *mutex) {
+    check_expected_ptr(cond);
+    check_expected_ptr(mutex);
+    // callback function to avoid infinite loops when testing
+    if (callback_ptr)
+        callback_ptr();
+    return 0;
+}
+
+int __wrap_pthread_cond_timedwait(pthread_cond_t *cond,pthread_mutex_t *mutex, const struct timespec * abstime) {
+    check_expected_ptr(cond);
+    check_expected_ptr(mutex);
+    check_expected_ptr(abstime);
+    // callback function to avoid infinite loops when testing
+    if (callback_ptr)
+        callback_ptr();
+    return mock_type(int);
+}
+
+int __wrap_pthread_cond_signal(pthread_cond_t *cond) {
+    check_expected_ptr(cond);
+    return 0;
+}
+
+/****************TESTS***************************/
+void test_queue_full(void **state){
+    w_queue_t *queue = *state;
+    for (int i=0; i < QUEUE_SIZE - 1; i++){
+        assert_int_equal(queue_full(queue), 0);
+        queue->begin++;
+    }
+    assert_int_equal(queue_full(queue), 1);
+}
+
+void test_queue_empty(void **state){
+    w_queue_t *queue = *state;
+    assert_int_equal(queue_empty(queue), 1);
+    queue->begin++;
+    assert_int_equal(queue_empty(queue), 0);
+    queue->begin--;
+    assert_int_equal(queue_empty(queue), 1);
+}
+
+void test_queue_push(void **state) {
+    w_queue_t *queue = *state;
+    int i;
+    int *ptr = NULL;
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        // Should fit QUEUE_SIZE - 1 elements
+        assert_int_equal(queue_push(queue, ptr), 0);
+    }
+    // Should now be full
+    assert_int_equal(queue_push(queue, ptr), -1);
+    // Validate elements are in queue
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue->data[i];
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+}
+
+void test_queue_push_ex(void **state) {
+    w_queue_t *queue = *state;
+    int i;
+    int *ptr = NULL;
+    expect_value_count(__wrap_pthread_mutex_lock, mutex,  &queue->mutex, QUEUE_SIZE);
+    expect_value_count(__wrap_pthread_cond_signal, cond, &queue->available, QUEUE_SIZE - 1);
+    expect_value_count(__wrap_pthread_mutex_unlock, mutex, &queue->mutex, QUEUE_SIZE);
+
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        // Should fit QUEUE_SIZE - 1 elements
+        assert_int_equal(queue_push_ex(queue, ptr), 0);
+    }
+    // Should now be full
+    assert_int_equal(queue_push_ex(queue, ptr), -1);
+    // Validate elements are in queue
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue->data[i];
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+}
+
+void test_queue_push_ex_block(void **state) {
+    w_queue_t *queue = *state;
+    int i;
+    int *ptr = NULL;
+    expect_value_count(__wrap_pthread_mutex_lock, mutex,  &queue->mutex, QUEUE_SIZE + 1);
+    expect_value_count(__wrap_pthread_mutex_unlock, mutex, &queue->mutex, QUEUE_SIZE + 1);
+
+    // Set callback and wait
+    expect_value(__wrap_pthread_cond_wait, cond, &queue->available_not_empty);
+    expect_value(__wrap_pthread_cond_wait, mutex, &queue->mutex);
+    callback_ptr = callback_queue_pop_ex;
+
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        // Should fit QUEUE_SIZE - 1 elements
+        expect_value(__wrap_pthread_cond_signal, cond, &queue->available_not_empty);
+        expect_value(__wrap_pthread_cond_signal, cond, &queue->available);
+        assert_int_equal(queue_push_ex_block(queue, ptr), 0);
+    }
+    // Should now be full
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available_not_empty);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available_not_empty);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available);
+    assert_int_equal(queue_push_ex_block(queue, ptr), 0);
+    // Validate elements are in queue
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue->data[i];
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+}
+
+void test_queue_pop(void **state) {
+    w_queue_t *queue = *state;
+    int i;
+    int *ptr = NULL;
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        queue_push(queue, ptr);
+    }
+    // Pop items from full queue
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue_pop(queue);
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+    // Should be empty now
+    ptr = queue_pop(queue);
+    assert_ptr_equal(ptr, NULL);
+    os_free(ptr);
+}
+
+void test_queue_pop_ex(void **state) {
+    w_queue_t *queue = *state;
+    int i;
+    int *ptr = NULL;
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        queue_push(queue, ptr);
+    }
+    // Pop items from full queue
+    expect_value_count(__wrap_pthread_mutex_lock, mutex,  &queue->mutex, QUEUE_SIZE + 1);
+    expect_value_count(__wrap_pthread_mutex_unlock, mutex, &queue->mutex, QUEUE_SIZE + 1);
+    expect_value_count(__wrap_pthread_cond_signal, cond, &queue->available_not_empty, QUEUE_SIZE - 1);
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue_pop_ex(queue);
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+    // Should be empty now until some push event
+    expect_value(__wrap_pthread_cond_wait, mutex, &queue->mutex);
+    expect_value(__wrap_pthread_cond_wait, cond, &queue->available);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available_not_empty);
+    callback_ptr = callback_queue_push_ex;
+    ptr = queue_pop_ex(queue);
+    assert_ptr_not_equal(ptr, NULL);
+    os_free(ptr);
+}
+
+void test_queue_pop_ex_timedwait_timeout(void **state) {
+    w_queue_t *queue = *state;
+    struct timespec abstime;
+    int i;
+    int *ptr = NULL;
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        queue_push(queue, ptr);
+    }
+    // Pop items from full queue
+    expect_value_count(__wrap_pthread_mutex_lock, mutex,  &queue->mutex, QUEUE_SIZE);
+    expect_value_count(__wrap_pthread_mutex_unlock, mutex, &queue->mutex, QUEUE_SIZE);
+    expect_value_count(__wrap_pthread_cond_signal, cond, &queue->available_not_empty, QUEUE_SIZE - 1);
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue_pop_ex_timedwait(queue, &abstime);
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+    // Should be empty now until some push event
+    expect_value(__wrap_pthread_cond_timedwait, mutex, &queue->mutex);
+    expect_value(__wrap_pthread_cond_timedwait, cond, &queue->available);
+    expect_value(__wrap_pthread_cond_timedwait, abstime, &abstime);
+    will_return(__wrap_pthread_cond_timedwait, ETIMEDOUT);
+    ptr = queue_pop_ex_timedwait(queue, &abstime);
+    assert_ptr_equal(ptr, NULL);
+}
+
+void test_queue_pop_ex_timedwait_no_timeout(void **state) {
+    w_queue_t *queue = *state;
+    struct timespec abstime;
+    int i;
+    int *ptr = NULL;
+    for (i=0; i < QUEUE_SIZE - 1; i++){
+        ptr = malloc(sizeof(int));
+        *ptr = i;
+        queue_push(queue, ptr);
+    }
+    // Pop items from full queue
+    expect_value_count(__wrap_pthread_mutex_lock, mutex,  &queue->mutex, QUEUE_SIZE + 1);
+    expect_value_count(__wrap_pthread_mutex_unlock, mutex, &queue->mutex, QUEUE_SIZE + 1);
+    expect_value_count(__wrap_pthread_cond_signal, cond, &queue->available_not_empty, QUEUE_SIZE - 1);
+    for(i=0; i < QUEUE_SIZE - 1; i++) {
+        ptr = queue_pop_ex_timedwait(queue, &abstime);
+        assert_int_equal(*ptr, i);
+        os_free(ptr);
+    }
+    // Should be empty now until some push event
+    expect_value(__wrap_pthread_cond_timedwait, mutex, &queue->mutex);
+    expect_value(__wrap_pthread_cond_timedwait, cond, &queue->available);
+    expect_value(__wrap_pthread_cond_timedwait, abstime, &abstime);
+    will_return(__wrap_pthread_cond_timedwait, 0);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available);
+    expect_value(__wrap_pthread_cond_signal, cond, &queue->available_not_empty);
+    callback_ptr = callback_queue_push_ex;
+    ptr = queue_pop_ex_timedwait(queue, &abstime);
+    assert_ptr_not_equal(ptr, NULL);
+    os_free(ptr);
+}
+/************************************************/
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_queue_full, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_empty, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_push, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_push_ex, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_push_ex_block, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_pop, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_pop_ex, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_pop_ex_timedwait_timeout, setup_queue, teardown_queue),
+        cmocka_unit_test_setup_teardown(test_queue_pop_ex_timedwait_no_timeout, setup_queue, teardown_queue),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.c b/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.c
new file mode 100644
index 0000000000..94481ff71f
--- /dev/null
+++ b/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.c
@@ -0,0 +1,67 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "queue_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_queue_push_ex(w_queue_t * queue, void * data) {
+    int retval = mock();
+
+    check_expected_ptr(queue);
+    check_expected(data);
+
+    if (retval != -1) {
+        queue->data[queue->begin] = data;
+        queue->begin = (queue->begin + 1) % queue->size;
+        queue->elements++;
+    }
+
+    return retval;
+}
+
+int __wrap_queue_full(const w_queue_t * queue) {
+    check_expected_ptr(queue);
+
+    return mock();
+}
+
+void * __wrap_queue_pop_ex(w_queue_t * queue) {
+    void * data = NULL;
+
+    int retval = mock();
+
+    check_expected_ptr(queue);
+
+    if (retval != -1) {
+        data = queue->data[queue->end];
+        queue->end = (queue->end + 1) % queue->size;
+        queue->elements--;
+    }
+
+    return data;
+}
+
+void * __wrap_queue_pop_ex_timedwait(w_queue_t * queue, __attribute__((unused)) const struct timespec * abstime) {
+    void * data = NULL;
+
+    int retval = mock();
+
+    check_expected_ptr(queue);
+
+    if (retval != -1) {
+        data = queue->data[queue->end];
+        queue->end = (queue->end + 1) % queue->size;
+        queue->elements--;
+    }
+
+    return data;
+}
diff --git a/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.h b/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.h
new file mode 100644
index 0000000000..99ee7d59ef
--- /dev/null
+++ b/src/common/queue_op/tests/unit/wrappers/queue_op_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef QUEUE_OP_WRAPPERS_H
+#define QUEUE_OP_WRAPPERS_H
+
+#include "headers/queue_op.h"
+
+int __wrap_queue_push_ex(w_queue_t * queue, void * data);
+
+int __wrap_queue_full(const w_queue_t * queue);
+
+void * __wrap_queue_pop_ex(w_queue_t * queue);
+
+void * __wrap_queue_pop_ex_timedwait(w_queue_t * queue, const struct timespec * abstime);
+
+#endif
diff --git a/src/modules/docker/scripts/docker.py b/src/common/randombytes/CMakeLists.txt
similarity index 100%
rename from src/modules/docker/scripts/docker.py
rename to src/common/randombytes/CMakeLists.txt
diff --git a/src/common/randombytes/include/randombytes.h b/src/common/randombytes/include/randombytes.h
new file mode 100644
index 0000000000..704ff0a0f1
--- /dev/null
+++ b/src/common/randombytes/include/randombytes.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Contributed by Jeremy Rossi (@jrossi)
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef RANDOMBYTES_H
+#define RANDOMBYTES_H
+
+void randombytes(void *ptr, size_t length);
+void srandom_init(void);
+int os_random(void);
+
+#endif /* RANDOMBYTES_H */
diff --git a/src/common/randombytes/src/randombytes.c b/src/common/randombytes/src/randombytes.c
new file mode 100644
index 0000000000..e40de3c3e8
--- /dev/null
+++ b/src/common/randombytes/src/randombytes.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Contributed by Jeremy Rossi (@jrossi)
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WIN32
+#include <sys/stat.h>
+#include <fcntl.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "shared.h"
+
+
+void randombytes(void *ptr, size_t length)
+{
+    char failed = 0;
+
+#ifdef WIN32
+    static HCRYPTPROV prov = 0;
+
+    if (prov == 0) {
+        if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, 0)) {
+            if (GetLastError() == (DWORD)NTE_BAD_KEYSET) {
+                mdebug1("No default container was found. Attempting to create default container.");
+
+                if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
+                    merror("CryptAcquireContext Flag: NewKeySet (1): (%lx)", GetLastError());
+                    failed = 1;
+                }
+            }else if(GetLastError() == (DWORD)NTE_KEYSET_ENTRY_BAD){
+                mwarn("The agent's RSA key container for the random generator is corrupt. Resetting container...");
+
+                if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_DELETEKEYSET)){
+                    merror("CryptAcquireContext Flag: DeleteKeySet: (%lx)", GetLastError());
+                    failed = 1;
+                }
+                if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
+                    merror("CryptAcquireContext Flag: NewKeySet (2): (%lx)", GetLastError());
+                    failed = 1;
+                }
+            } else {
+                merror("CryptAcquireContext no Flag: (%lx)", GetLastError());
+                failed = 1;
+            }
+        }
+    }
+    if (!failed && !CryptGenRandom(prov, length, ptr)) {
+        failed = 1;
+    }
+#else
+    static int fh = -1;
+    ssize_t ret;
+
+    if (fh < 0 && (fh = open("/dev/urandom", O_RDONLY | O_CLOEXEC), fh < 0 && (fh = open("/dev/random", O_RDONLY | O_CLOEXEC), fh < 0))) {
+        failed = 1;
+    } else {
+        ret = read(fh, ptr, length);
+
+        if (ret < 0 || (size_t)ret != length) {
+            failed = 1;
+        }
+    }
+
+#endif
+
+    if (failed) {
+        merror_exit("randombytes failed for all possible methods for accessing random data");
+    }
+}
+
+void srandom_init(void)
+{
+    unsigned int seed;
+    randombytes(&seed, sizeof seed);
+    srandom(seed);
+}
+
+int os_random(void) {
+	int myrandom;
+	randombytes(&myrandom, sizeof(myrandom));
+	return myrandom % RAND_MAX;
+}
diff --git a/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.c b/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.c
new file mode 100644
index 0000000000..dea0c278fb
--- /dev/null
+++ b/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.c
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "randombytes_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_os_random() {
+    return mock();
+}
diff --git a/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.h b/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.h
new file mode 100644
index 0000000000..5f6313e208
--- /dev/null
+++ b/src/common/randombytes/tests/unit/wrappers/randombytes_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef RANDOM_WRAPPERS_H
+#define RANDOM_WRAPPERS_H
+
+int __wrap_os_random();
+
+#endif
diff --git a/src/modules/docker/src/docker.c b/src/common/rbtree_op/CMakeLists.txt
similarity index 100%
rename from src/modules/docker/src/docker.c
rename to src/common/rbtree_op/CMakeLists.txt
diff --git a/src/common/rbtree_op/include/rbtree_op.h b/src/common/rbtree_op/include/rbtree_op.h
new file mode 100644
index 0000000000..026f95d77e
--- /dev/null
+++ b/src/common/rbtree_op/include/rbtree_op.h
@@ -0,0 +1,200 @@
+/**
+ * @file rbtree_op.h
+ * @brief RB tree data structure declaration
+ * @date 2019-08-21
+ *
+ * @copyright Copyright (C) 2015 Wazuh, Inc.
+ */
+
+/*
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef RBTREE_H
+#define RBTREE_H
+
+/// Possible colors of a red-black tree
+typedef enum rb_color { RB_RED, RB_BLACK } rb_color;
+
+/// Red-black tree node
+typedef struct rb_node {
+    char * key;                 ///< Node key
+    void * value;               ///< Pointer to value
+    rb_color color;             ///< Node color
+    struct rb_node * parent;    ///< Pointer to parent node
+    struct rb_node * left;      ///< Pointer to left child
+    struct rb_node * right;     ///< Pointer to right child
+} rb_node;
+
+/**
+ * @brief Red-black tree abstract data type
+ *
+ * A red-black tree is a self-balanced binary search tree.
+ *
+ * It supports O(log n) insertion, deletion and search.
+ */
+typedef struct rb_tree {
+    rb_node * root;             ///< Pointer to root node
+    void (*dispose)(void *);    ///< Pointer to function to dispose an element
+} rb_tree;
+
+/**
+ * @brief Create a red-black tree
+ *
+ * @return Pointer to an empty tree.
+ */
+
+rb_tree * rbtree_init();
+
+/**
+ * @brief Free a red-black tree
+ *
+ * If tree is NULL, no operation is performed.
+ *
+ * @post The tree is destroyed, including keys and values.
+ * @param tree Pointer to a red-black tree.
+ */
+
+void rbtree_destroy(rb_tree * tree);
+
+/**
+ * @brief Set free function to dispose elements
+ *
+ * rbtree_destroy and rbtree_delete will call this function for each element
+ * that they take out from the tree.
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param dispose Pointer to function to dispose an element.
+ */
+
+void rbtree_set_dispose(rb_tree * tree, void (*dispose)(void *));
+
+/**
+ * @brief Insert a key-value in the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param key Data key, used for ordering.
+ * @param value Data value.
+ * @return Pointer to the inserted node, on success.
+ * @retval NULL Key already exists in the tree.
+ */
+
+rb_node * rbtree_insert(rb_tree * tree, const char * key, void * value);
+
+/**
+ * @brief Update the value of an existing key
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param key Data key.
+ * @param value Data value.
+ * @post The old value is disposed if a dispose function was defined.
+ * @return Pointer to value, on success.
+ * @retval NULL Key not found.
+ */
+
+void * rbtree_replace(rb_tree * tree, const char * key, void * value);
+
+/**
+ * @brief Retrieve a value from the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param key Data key (search criteria).
+ * @return Pointer to data value, if found.
+ * @retval NULL Key not found.
+ */
+
+void * rbtree_get(const rb_tree * tree, const char * key);
+
+/**
+ * @brief Remove a value from the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param key Data key.
+ * @retval 1 The element was found and deleted.
+ * @retval 0 Key not in the tree.
+ */
+
+int rbtree_delete(rb_tree * tree, const char * key);
+
+/**
+ * @brief Get the minimum key in the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @return Minimum key in the tree.
+ * @retval NULL The tree is empty.
+ */
+
+const char * rbtree_minimum(const rb_tree * tree);
+
+/**
+ * @brief Get the maximum key in the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @return Maximum key in the tree.
+ * @retval NULL The tree is empty.
+ */
+
+const char * rbtree_maximum(const rb_tree * tree);
+
+/**
+ * @brief Get all the keys in the tree
+ *
+ * Retrieve all the keys, ordered alphabetically (inorder traversal).
+ *
+ * @param tree
+ * @return Null-terminated array of keys.
+ */
+
+char ** rbtree_keys(const rb_tree * tree);
+
+/**
+ * @brief Get all the keys from the tree within a range
+ *
+ * Retrieve all the keys in the closed range [min, max], ordered alphabetically
+ * (inorder traversal).
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param min Minimum key.
+ * @param max Maximum key.
+ * @return Null-terminated array of keys.
+ */
+
+char ** rbtree_range(const rb_tree * tree, const char * min, const char * max);
+
+/**
+ * @brief Get the black depth of a tree
+ *
+ * The black depth of a red-black tree is the number of black nodes from the
+ * root to any leaf, including null leafs (that are black).
+ *
+ * This function is test-oriented.
+ *
+ * @param tree Pointer to a red-black tree.
+ * @return Number of black nodes from the root.
+ * @retval -1 The tree is unbalanced. This would mean a bug.
+ */
+
+int rbtree_black_depth(const rb_tree * tree);
+
+/**
+ * @brief Get the size of the tree
+ *
+ * @param tree Pointer to a red-black tree.
+ * @return unsigned Number of elements in the tree.
+ */
+
+unsigned rbtree_size(const rb_tree * tree);
+
+/**
+ * @brief Check whether the tree is empty.
+ *
+ * @param tree Pointer to a red-black tree.
+ * @retval 1 The tree is empty.
+ * @retval 0 The tree is not empty.
+ */
+int rbtree_empty(const rb_tree * tree);
+
+#endif
diff --git a/src/common/rbtree_op/src/rbtree_op.c b/src/common/rbtree_op/src/rbtree_op.c
new file mode 100644
index 0000000000..d1a2d91722
--- /dev/null
+++ b/src/common/rbtree_op/src/rbtree_op.c
@@ -0,0 +1,685 @@
+/**
+ * @file rbtree_op.c
+ * @brief RB tree data structure definition
+ * @date 2019-08-21
+ *
+ * @copyright Copyright (C) 2015 Wazuh, Inc.
+ */
+
+/*
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+
+#ifdef WAZUH_UNIT_TESTING
+/* Replace assert with mock_assert */
+extern void mock_assert(const int result, const char* const expression,
+                        const char * const file, const int line);
+#undef assert
+#define assert(expression) \
+    mock_assert((int)(expression), #expression, __FILE__, __LINE__);
+#endif
+
+void customAssert(bool expression);
+void customAssert(bool expression) {
+    if (expression == FALSE) {
+        exit(1);
+    }
+}
+
+/* Private functions **********************************************************/
+
+#define grandparent parent->parent
+
+/**
+ * @brief Create and initialize a red-black tree node
+ *
+ * @param key Data key. It will be duplicated.
+ * @param value Data value.
+ * @return Pointer to a newly created node.
+ */
+
+static rb_node * rb_init(const char * key, void * value) {
+    rb_node * node;
+    os_calloc(1, sizeof(rb_node), node);
+    os_strdup(key, node->key);
+    node->value = value;
+    node->color = RB_RED;
+    return node;
+}
+
+/**
+ * @brief Free a red-black subtree
+ * @param node Pointer to a red-black tree node.
+ * @param dispose Pointer to function to dispose an element.
+ * @post If dispose is not NULL, the value is freed.
+ */
+
+static void rb_destroy(rb_node * node, void (*dispose)(void *)) {
+    if (node->left != NULL) {
+        rb_destroy(node->left, dispose);
+    }
+
+    if (node->right != NULL) {
+        rb_destroy(node->right, dispose);
+    }
+
+    free(node->key);
+
+    if (node->value != NULL && dispose != NULL) {
+        dispose(node->value);
+    }
+
+    free(node);
+}
+
+/**
+ * @brief Find a node from a subtree
+ *
+ * @param node Pointer to a red-black tree node.
+ * @param key Data key (search criteria).
+ * @return Pointer to the node storing the key, if found.
+ * @retval NULL Key not found.
+ */
+
+rb_node * rb_get(rb_node * node, const char * key) {
+    while (node != NULL) {
+        int cmp = strcmp(key, node->key);
+
+        if (cmp == 0) {
+            break;
+        }
+
+        node = cmp < 0 ? node->left : node->right;
+    }
+
+    return node;
+}
+
+/**
+ * @brief Get the node with the minimum key from a subtree
+ *
+ * Return the leftmost node of the subtree.
+ *
+ * @param node Pointer to a red-black tree node.
+ * @return Pointer to the node storing the minimum key.
+ */
+
+static rb_node * rb_min(rb_node * node) {
+    rb_node * t;
+    for (t = node; t->left != NULL; t = t->left);
+    return t;
+}
+
+/**
+ * @brief Get the node with the maximum key from a subtree
+ *
+ * Return the rightmost node of the subtree.
+ *
+ * @param node Pointer to a red-black tree node.
+ * @return Pointer to the node storing the maximum key.
+ */
+
+static rb_node * rb_max(rb_node * node) {
+    rb_node * t;
+    for (t = node; t->right != NULL; t = t->right);
+    return t;
+}
+
+/**
+ * @brief Get the uncle of a node
+ *
+ * @param node Pointer to a red-black tree node.
+ * @return Pointer to the sibling of node's parent.
+ */
+
+static rb_node * rb_uncle(rb_node * node) {
+    rb_node * gp;
+    return (node->parent && (gp = node->grandparent)) ? (node->parent == gp->left) ? gp->right : gp->left : NULL;
+}
+
+/**
+ * @brief Rotate a subtree to left
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param node Pointer to the pivot node.
+ */
+
+static void rb_rotate_left(rb_tree * tree, rb_node * node) {
+    rb_node * t = node->right;
+
+    if (node->parent == NULL) {
+        tree->root = t;
+    } else {
+        if (node == node->parent->left) {
+            node->parent->left = t;
+        } else {
+            node->parent->right = t;
+        }
+    }
+
+    if (t->left != NULL) {
+        t->left->parent = node;
+    }
+
+    node->right = t->left;
+    t->left = node;
+    t->parent = node->parent;
+    node->parent = t;
+}
+
+/**
+ * @brief Rotate a subtree to right
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param node Pointer to the pivot node.
+ */
+
+static void rb_rotate_right(rb_tree * tree, rb_node * node) {
+    rb_node * t = node->left;
+
+    if (node->parent == NULL) {
+        tree->root = t;
+    } else {
+        if (node == node->parent->left) {
+            node->parent->left = t;
+        } else {
+            node->parent->right = t;
+        }
+    }
+
+    if (t->right != NULL) {
+        t->right->parent = node;
+    }
+
+    node->left = t->right;
+    t->right = node;
+    t->parent = node->parent;
+    node->parent = t;
+}
+
+/**
+ * @brief Balance a tree after an insertion
+ *
+ * @param tree Pointer to a red-black tree.
+ * @param node Pointer to the node that was inserted.
+ */
+
+static void rb_balance_insert(rb_tree * tree, rb_node * node) {
+    while (node->parent && node->parent->color == RB_RED) {
+        rb_node * uncle = rb_uncle(node);
+
+        if (uncle != NULL && uncle->color == RB_RED) {
+            node->parent->color = RB_BLACK;
+            uncle->color = RB_BLACK;
+            node->grandparent->color = RB_RED;
+
+            node = node->grandparent;
+        } else {
+            if (node->parent == node->grandparent->left) {
+                if (node == node->parent->right) {
+                    node = node->parent;
+                    rb_rotate_left(tree, node);
+                }
+
+                node->parent->color = RB_BLACK;
+                node->grandparent->color = RB_RED;
+
+                rb_rotate_right(tree, node->grandparent);
+            } else {
+                if (node == node->parent->left) {
+                    node = node->parent;
+                    rb_rotate_right(tree, node);
+                }
+
+                node->parent->color = RB_BLACK;
+                node->grandparent->color = RB_RED;
+
+                rb_rotate_left(tree, node->grandparent);
+            }
+        }
+    }
+
+    tree->root->color = RB_BLACK;
+}
+
+/**
+ * @brief Balance a tree after a deletion
+ *
+ * @param tree Pointer to the red-black tree.
+ * @param node Pointer to the node that was deleted.
+ * @param parent Pointer to the parent of node.
+ */
+
+static void rb_balance_delete(rb_tree * tree, rb_node * node, rb_node * parent) {
+    while (parent != NULL && (node == NULL || node->color == RB_BLACK)) {
+        if (node == parent->left) {
+            rb_node * sibling = parent->right;
+
+            customAssert(sibling != NULL);
+
+            if (sibling->color == RB_RED) {
+                // Case 1: sibling is red
+
+                sibling->color = RB_BLACK;
+                parent->color = RB_RED;
+                rb_rotate_left(tree, parent);
+                sibling = parent->right;
+            }
+
+            if (sibling->color == RB_BLACK && (sibling->left == NULL || sibling->left->color == RB_BLACK) && (sibling->right == NULL || sibling->right->color == RB_BLACK)) {
+                // Case 2: sibling is black and both nephews are black
+
+                sibling->color = RB_RED;
+                node = parent;
+                parent = parent->parent;
+
+            } else {
+                if (sibling->right == NULL || sibling->right->color == RB_BLACK) {
+                    // Case 3: Sibling is black, left nephew is red and right nephew is black
+
+                    sibling->left->color = RB_BLACK;
+                    sibling->color = RB_RED;
+                    rb_rotate_right(tree, sibling);
+                    sibling = parent->right;
+                }
+
+                customAssert(sibling->right != NULL);
+                // Case 4: Sibling is black, right nephew is red
+
+                sibling->color = parent->color;
+                parent->color = RB_BLACK;
+                sibling->right->color = RB_BLACK;
+                rb_rotate_left(tree, parent);
+
+                break;
+            }
+        } else {
+            rb_node * sibling = parent->left;
+
+            assert(sibling != NULL);
+
+            if (sibling->color == RB_RED) {
+                // Case 1b: sibling is red
+
+                sibling->color = RB_BLACK;
+                parent->color = RB_RED;
+                rb_rotate_right(tree, parent);
+                sibling = parent->left;
+            }
+
+            if (sibling->color == RB_BLACK && (sibling->left == NULL || sibling->left->color == RB_BLACK) && (sibling->right == NULL || sibling->right->color == RB_BLACK)) {
+                // Case 2b: sibling is black and both nephews are black
+
+                sibling->color = RB_RED;
+                node = parent;
+                parent = parent->parent;
+            } else {
+                if (sibling->left == NULL || sibling->left->color == RB_BLACK) {
+                    // Case 3b: Sibling is black, left nephew is red and right nephew is black
+
+                    sibling->right->color = RB_BLACK;
+                    sibling->color = RB_RED;
+                    rb_rotate_left(tree, sibling);
+                    sibling = parent->left;
+                }
+
+                customAssert(sibling->left != NULL);
+                // Case 4b: Sibling is black, right nephew is red
+
+                sibling->color = parent->color;
+                parent->color = RB_BLACK;
+                sibling->left->color = RB_BLACK;
+                rb_rotate_right(tree, parent);
+
+                break;
+            }
+        }
+    }
+
+    if (node != NULL) {
+        node->color = RB_BLACK;
+    }
+}
+
+/**
+ * @brief Get all the keys in a subtree
+ *
+ * @param node Pointer to a red-black tree node.
+ * @param array Pointer to the target string array.
+ * @param size[in,out] Pointer to the current size of the array.
+ * @pre array is expected to be size cells long.
+ * @post array is reallocated to size+2 cells long.
+ * @post array is no longer valid after calling this function.
+ * @return Newly allocated null-terminated array of keys.
+ */
+
+static char ** rb_keys(rb_node * node, char ** array, unsigned * size) {
+    if (node->left != NULL) {
+        array = rb_keys(node->left, array, size);
+    }
+
+    os_realloc(array, sizeof(char *) * (*size + 2), array);
+    os_strdup(node->key, array[(*size)++]);
+
+    if (node->right != NULL) {
+        array = rb_keys(node->right, array, size);
+    }
+
+    return array;
+}
+
+/**
+ * @brief Get all the keys from the subtree within a range
+ *
+ * @param node Pointer to a red-black tree node.
+ * @param min Minimum key.
+ * @param max Maximum key.
+ * @param array Pointer to the target string array.
+ * @param size[in,out] Pointer to the current size of the array.
+ * @pre array is expected to be size cells long.
+ * @post array is reallocated to size+2 cells long.
+ * @post array is no longer valid after calling this function.
+ * @return Newly allocated null-terminated array of keys.
+ */
+
+static char ** rb_range(rb_node * node, const char * min, const char * max, char ** array, unsigned * size) {
+    int cmp_min = strcmp(node->key, min);
+    int cmp_max = strcmp(node->key, max);
+
+    if (node->left != NULL && cmp_min > 0) {
+        // node > min
+        array = rb_range(node->left, min, max, array, size);
+    }
+
+    if (cmp_min >= 0 && cmp_max <= 0) {
+        // min <= node <= max
+        os_realloc(array, sizeof(char *) * (*size + 2), array);
+        os_strdup(node->key, array[(*size)++]);
+    }
+
+    if (node->right != NULL && cmp_max < 0) {
+        // node < min
+        array = rb_range(node->right, min, max, array, size);
+    }
+
+    return array;
+}
+
+/**
+ * @brief Get the black depth of a red-black subtree
+ *
+ * The black depth of a node is the number of black nodes from it to any leaf,
+ * including null leafs (that are black) and excluding the node itself.
+ *
+ * This function is test-oriented: it checks that all possible paths from the
+ * root to every leaf matches, and returns the length of this path.
+ *
+ * @param node Pointer to a red-black tree node.
+ * @return Number of black nodes from this node.
+ * @retval -1 The subtree is unbalanced. This would mean a bug.
+ */
+
+static int rb_black_depth(rb_node * node) {
+    if (node == NULL) {
+        return 1;
+    }
+
+    int d_left = rb_black_depth(node->left);
+    int d_right = rb_black_depth(node->right);
+
+    if (d_left != d_right) {
+        return -1;
+    }
+
+    return d_left + (node->color == RB_BLACK);
+}
+
+/**
+ * @brief Get the size of a subtree
+ *
+ * This function is recursive: 1 + rb_size(left subtree) + rb_size(right subtree).
+ *
+ * @param node Pointer to a red-black tree node.
+ * @return Number of nodes in the subtree.
+ */
+
+unsigned rb_size(rb_node * node) {
+    return (node->left ? rb_size(node->left) : 0) + 1 + (node->right ? rb_size(node->right) : 0);
+}
+
+/* Public functions ***********************************************************/
+
+// Create a red-black tree
+
+rb_tree * rbtree_init() {
+    rb_tree * tree;
+    os_calloc(1, sizeof(rb_tree), tree);
+    return tree;
+}
+
+// Free a red-black tree
+
+void rbtree_destroy(rb_tree * tree) {
+    if (tree == NULL) {
+        return;
+    }
+
+    if (tree->root != NULL) {
+        rb_destroy(tree->root, tree->dispose);
+    }
+
+    free(tree);
+}
+
+// Set free function to dispose elements
+
+void rbtree_set_dispose(rb_tree * tree, void (*dispose)(void *)) {
+    tree->dispose = dispose;
+}
+
+// Insert a key-value in the tree
+
+rb_node *rbtree_insert(rb_tree *tree, const char *key, void *value) {
+    assert(tree != NULL);
+    assert(key != NULL);
+
+    rb_node * node = rb_init(key, value);
+    rb_node * parent = NULL;
+    int cmp;
+
+    for (rb_node * t = tree->root; t != NULL; t = cmp < 0 ? t->left : t->right) {
+        parent = t;
+        cmp = strcmp(key, t->key);
+
+        if (cmp == 0) {
+            // Duplicate key. Do not dispose value.
+            rb_destroy(node, NULL);
+            return NULL;
+        }
+    }
+
+    if (parent == NULL) {
+        tree->root = node;
+    } else if (cmp < 0) {
+        parent->left = node;
+    } else {
+        parent->right = node;
+    }
+
+    node->parent = parent;
+    rb_balance_insert(tree, node);
+
+    return node;
+}
+
+// Update the value of an existing key
+
+void * rbtree_replace(rb_tree * tree, const char * key, void * value) {
+    assert(tree != NULL);
+    assert(key != NULL);
+
+    rb_node * node = rb_get(tree->root, key);
+
+    if (node == NULL) {
+        return NULL;
+    }
+
+    if (node->value && tree->dispose) {
+        tree->dispose(node->value);
+    }
+
+    node->value = value;
+
+    return value;
+}
+
+// Retrieve a value from the tree
+
+void * rbtree_get(const rb_tree * tree, const char * key) {
+    assert(tree != NULL);
+    assert(key != NULL);
+
+    rb_node * node = rb_get(tree->root, key);
+    return node ? node->value : NULL;
+}
+
+// Remove a value from the tree
+
+int rbtree_delete(rb_tree * tree, const char * key) {
+    assert(tree != NULL);
+    assert(key != NULL);
+
+    rb_node * node = rb_get(tree->root, key);
+
+    if (node == NULL) {
+        return 0;
+    }
+
+    // Succesor: node that will be actually deleted
+    rb_node * s = (node->left != NULL && node->right != NULL) ? rb_min(node->right) : node;
+    rb_node * t = (s->left != NULL) ? s->left : s->right;
+
+    if (s->parent == NULL) {
+        tree->root = t;
+    } else if (s == s->parent->left) {
+        s->parent->left = t;
+    } else {
+        s->parent->right = t;
+    }
+
+    if (t != NULL) {
+        t->parent = s->parent;
+    }
+
+    free(node->key);
+
+    if (node->value && tree->dispose) {
+        tree->dispose(node->value);
+    }
+
+    if (node != s) {
+        // Copy successor into node
+
+        node->key = s->key;
+        node->value = s->value;
+    }
+
+    if (s->color == RB_BLACK) {
+        rb_balance_delete(tree, t, s->parent);
+    }
+
+    free(s);
+    return 1;
+}
+
+// Get the minimum key in the tree
+
+const char * rbtree_minimum(const rb_tree * tree) {
+    assert(tree != NULL);
+    return tree->root ? rb_min(tree->root)->key : NULL;
+}
+
+// Get the maximum key in the tree
+
+const char * rbtree_maximum(const rb_tree * tree) {
+    assert(tree != NULL);
+    return tree->root ? rb_max(tree->root)->key : NULL;
+}
+
+// Get all the keys in the tree
+
+char ** rbtree_keys(const rb_tree * tree) {
+    assert(tree != NULL);
+
+    unsigned size = 0;
+    char ** array;
+
+    os_malloc(sizeof(char *), array);
+
+    if (tree->root != NULL) {
+        array = rb_keys(tree->root, array, &size);
+    }
+
+    array[size] = NULL;
+    return array;
+}
+
+// Get all the keys from the tree within a range
+
+char ** rbtree_range(const rb_tree * tree, const char * min, const char * max) {
+    assert(tree != NULL);
+    assert(min != NULL);
+    assert(max != NULL);
+
+    unsigned size = 0;
+    char ** array;
+
+    os_malloc(sizeof(char *), array);
+
+    if (tree->root != NULL) {
+        array = rb_range(tree->root, min, max, array, &size);
+    }
+
+    array[size] = NULL;
+    return array;
+}
+
+// Get the black depth of a tree
+
+int rbtree_black_depth(const rb_tree * tree) {
+    assert(tree != NULL);
+
+    if (tree->root == NULL) {
+        return 0;
+    }
+
+    if (tree->root->color == RB_RED) {
+        return -1;
+    }
+
+    int d_left = rb_black_depth(tree->root->left);
+    int d_right = rb_black_depth(tree->root->right);
+
+    return (d_left == -1 || d_right == -1 || d_left != d_right) ? -1 : d_left;
+}
+
+// Get the size of the tree
+
+unsigned rbtree_size(const rb_tree * tree) {
+    assert(tree != NULL);
+
+    return tree->root ? rb_size(tree->root) : 0;
+}
+
+// Check whether the tree is empty
+
+int rbtree_empty(const rb_tree * tree) {
+    assert(tree != NULL);
+
+    return tree->root == NULL;
+}
diff --git a/src/common/rbtree_op/tests/unit/tests/CMakeLists.txt b/src/common/rbtree_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..538ffc0b10
--- /dev/null
+++ b/src/common/rbtree_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,50 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_rbtree_op")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "-Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck ${DEBUG_OP_WRAPPERS}")
+else()
+list(APPEND shared_tests_flags " ")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/rbtree_op/tests/unit/tests/test_rbtree_op.c b/src/common/rbtree_op/tests/unit/tests/test_rbtree_op.c
new file mode 100644
index 0000000000..2d966cd3ec
--- /dev/null
+++ b/src/common/rbtree_op/tests/unit/tests/test_rbtree_op.c
@@ -0,0 +1,690 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "../headers/rbtree_op.h"
+
+/* setup/teardowns */
+
+static int create_rbtree(void **state)
+{
+    rb_tree *tree = rbtree_init();
+    *state = tree;
+    return 0;
+}
+
+static int create_rbtree_with_dispose(void **state)
+{
+    rb_tree *tree = rbtree_init();
+
+    rbtree_set_dispose(tree, free);
+
+    *state = tree;
+    return 0;
+}
+
+static int delete_rbtree(void **state)
+{
+    rb_tree *tree = *state;
+    rbtree_destroy(tree);
+    return 0;
+}
+
+/* tests */
+
+void test_rbtree_insert_success(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("testing");
+    rb_node *ret;
+
+    ret = rbtree_insert(tree, "test", value);
+
+    assert_non_null(tree->root);
+    assert_non_null(ret);
+    assert_ptr_equal(ret->value, value);
+    assert_string_equal(tree->root->key, "test");
+    assert_ptr_equal(tree->root->value, value);
+}
+
+void test_rbtree_insert_failure(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("testing");
+    rb_node *ret;
+
+    rbtree_insert(tree, "test", value);
+    ret = rbtree_insert(tree, "test", value);
+
+    assert_null(ret);
+}
+
+void test_rbtree_insert_null_tree(void **state)
+{
+    (void) state;
+    char *value = strdup("testing");
+
+    expect_assert_failure(rbtree_insert(NULL, "test", value));
+
+    free(value);
+}
+
+void test_rbtree_insert_null_key(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("testing");
+
+    expect_assert_failure(rbtree_insert(tree, NULL, value));
+
+    free(value);
+}
+
+void test_rbtree_insert_null_value(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = NULL;
+    rb_node *ret;
+
+    ret = rbtree_insert(tree, "test", NULL);
+
+    assert_non_null(ret);
+    assert_non_null(tree->root);
+    assert_string_equal(tree->root->key, "test");
+    assert_ptr_equal(tree->root->value, value);
+}
+
+void test_rbtree_replace_success(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+    char *value_replaced = strdup("replaced");
+    char *ret;
+
+    rbtree_insert(tree, "test", value_testing);
+    ret = rbtree_replace(tree, "test", value_replaced);
+
+    assert_ptr_equal(ret, value_replaced);
+    assert_string_equal(tree->root->key, "test");
+    assert_ptr_equal(tree->root->value, value_replaced);
+}
+
+
+void test_rbtree_replace_failure(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+    char *ret;
+
+    rbtree_insert(tree, "test", value_testing);
+    ret = rbtree_replace(tree, "invalid", value_testing);
+
+    assert_null(ret);
+    assert_string_equal(tree->root->key, "test");
+    assert_ptr_equal(tree->root->value, value_testing);
+}
+
+void test_rbtree_replace_null_tree(void **state)
+{
+    (void) state;
+    char *value_testing = strdup("testing");
+
+    expect_assert_failure(rbtree_replace(NULL, "invalid", value_testing));
+
+    free(value_testing);
+}
+
+void test_rbtree_replace_null_key(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+
+    expect_assert_failure(rbtree_replace(tree, NULL, value_testing));
+
+    free(value_testing);
+}
+
+void test_rbtree_replace_null_value(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+    char *ret;
+
+    rbtree_insert(tree, "test", value_testing);
+    ret = rbtree_replace(tree, "test", NULL);
+
+    assert_null(ret);
+    assert_string_equal(tree->root->key, "test");
+    assert_null(tree->root->value);
+}
+
+void test_rbtree_get_success(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+    rb_node *ret;
+
+    rbtree_insert(tree, "test", value_testing);
+
+    ret = rbtree_get(tree, "test");
+
+    assert_ptr_equal(ret, value_testing);
+}
+
+void test_rbtree_get_failure(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_testing = strdup("testing");
+    rb_node *ret;
+
+    rbtree_insert(tree, "test", value_testing);
+    ret = rbtree_get(tree, "invalid");
+
+    assert_null(ret);
+}
+
+void test_rbtree_get_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_get(NULL, "invalid"));
+}
+
+void test_rbtree_get_null_key(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+
+    expect_assert_failure(rbtree_get(tree, NULL));
+}
+
+
+void test_rbtree_delete_success(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value_1 = strdup("value_1");
+    char *value_2 = strdup("value_2");
+    char *value_3 = strdup("value_3");
+
+    rbtree_insert(tree, "test_1", value_1);
+    rbtree_insert(tree, "test_2", value_2);
+    rbtree_insert(tree, "test_3", value_3);
+
+    assert_int_equal(rbtree_delete(tree, "test_1"), 1);
+    assert_null(rbtree_get(tree, "test_1"));
+    assert_int_equal(rbtree_delete(tree, "test_2"), 1);
+    assert_null(rbtree_get(tree, "test_2"));
+    assert_int_equal(rbtree_delete(tree, "test_3"), 1);
+    assert_null(rbtree_get(tree, "test_3"));
+}
+
+void test_rbtree_delete_failure(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+
+    rbtree_insert(tree, "test", value);
+
+    assert_int_equal(rbtree_delete(tree, "invalid"), 0);
+}
+
+void test_rbtree_delete_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_delete(NULL, "invalid"));
+}
+
+void test_rbtree_delete_null_key(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+
+    expect_assert_failure(rbtree_delete(tree, NULL));
+}
+
+void test_rbtree_minimum(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    const char *ret;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "-key", value);
+    rbtree_insert(tree, "9key", value);
+    rbtree_insert(tree, "Z_key", value);
+
+    ret = rbtree_minimum(tree);
+    free(value);
+    assert_string_equal(ret, "-key");
+}
+
+void test_rbtree_minimum_empty_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    const char *ret;
+
+    ret = rbtree_minimum(tree);
+    assert_null(ret);
+}
+
+void test_rbtree_minimum_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_minimum(NULL));
+}
+
+void test_rbtree_maximum(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    const char *ret;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "-key", value);
+    rbtree_insert(tree, "9key", value);
+    rbtree_insert(tree, "Z_key", value);
+
+    ret = rbtree_maximum(tree);
+    free(value);
+    assert_string_equal(ret, "a_key");
+}
+
+void test_rbtree_maximum_empty_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    const char *ret;
+
+    ret = rbtree_maximum(tree);
+    assert_null(ret);
+}
+
+void test_rbtree_maximum_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_maximum(NULL));
+}
+
+void test_rbtree_keys(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    char ** ret = NULL;
+    char expected_ret[32];
+    int i;
+
+    rbtree_insert(tree, "key1", value);
+    rbtree_insert(tree, "key2", value);
+    rbtree_insert(tree, "key3", value);
+    rbtree_insert(tree, "key4", value);
+
+    ret = rbtree_keys(tree);
+    free(value);
+
+    for(i = 0; ret[i]; i++) {
+        assert_non_null(ret[i]);
+
+        snprintf(expected_ret, 32, "key%d", (i + 1));
+        assert_string_equal(ret[i], expected_ret);
+
+        free(ret[i]);
+    }
+
+    free(ret[i]);
+    free(ret);
+
+    assert_int_equal(i, 4);
+}
+
+void test_rbtree_keys_empty_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char ** ret = NULL;
+
+    ret = rbtree_keys(tree);
+
+    assert_null(*ret);
+    assert_non_null(ret);
+
+    free(ret);
+}
+
+void test_rbtree_keys_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_keys(NULL));
+}
+
+void test_rbtree_range(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    char expected_ret[32];
+    char ** ret = NULL;
+    int i;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+    rbtree_insert(tree, "c_key", value);
+    rbtree_insert(tree, "d_key", value);
+    rbtree_insert(tree, "e_key", value);
+
+    ret = rbtree_range(tree, "b_key", "d_key");
+    free(value);
+
+    for(i = 0; ret[i]; i++) {
+        assert_non_null(ret[i]);
+
+        snprintf(expected_ret, 32, "%c_key", (i + 'b'));
+        assert_string_equal(ret[i], expected_ret);
+
+        free(ret[i]);
+    }
+
+    assert_int_equal(i, 3);
+
+    free(ret[i]);
+    free(ret);
+}
+
+void test_rbtree_range_empty_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char ** ret = NULL;
+
+    ret = rbtree_range(tree, "b_key", "d_key");
+
+    assert_non_null(ret);
+    assert_null(*ret);
+    free(ret);
+}
+
+void test_rbtree_range_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_range(NULL, "b_key", "d_key"));
+}
+
+void test_rbtree_range_min_not_in_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    char expected_ret[32];
+    char ** ret = NULL;
+    int i;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+    rbtree_insert(tree, "c_key", value);
+    rbtree_insert(tree, "d_key", value);
+    rbtree_insert(tree, "e_key", value);
+
+    ret = rbtree_range(tree, "__key", "d_key");
+    free(value);
+
+    for(i = 0; ret[i]; i++) {
+        assert_non_null(ret[i]);
+
+        snprintf(expected_ret, 32, "%c_key", (i + 'a'));
+        assert_string_equal(ret[i], expected_ret);
+
+        free(ret[i]);
+    }
+
+    assert_int_equal(i, 4);
+
+    free(ret[i]);
+    free(ret);
+}
+
+void test_rbtree_range_null_min(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+
+    expect_assert_failure(rbtree_range(tree, NULL, "d_key"));
+}
+
+void test_rbtree_range_max_not_in_tree(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    char expected_ret[32];
+    char ** ret = NULL;
+    int i;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+    rbtree_insert(tree, "c_key", value);
+    rbtree_insert(tree, "d_key", value);
+    rbtree_insert(tree, "e_key", value);
+
+    ret = rbtree_range(tree, "b_key", "z_key");
+    free(value);
+
+    for(i = 0; ret[i]; i++) {
+        assert_non_null(ret[i]);
+
+        snprintf(expected_ret, 32, "%c_key", (i + 'b'));
+        assert_string_equal(ret[i], expected_ret);
+
+        free(ret[i]);
+    }
+
+    assert_int_equal(i, 4);
+
+    free(ret[i]);
+    free(ret);
+}
+
+void test_rbtree_range_null_max(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+
+    expect_assert_failure(rbtree_range(tree, "b_key", NULL));
+}
+
+void test_rbtree_black_depth_success(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    int ret;
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+
+    ret = rbtree_black_depth(tree);
+    free(value);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_rbtree_black_depth_failure(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    int ret;
+
+    ret = rbtree_black_depth(tree);
+    assert_int_equal(ret, 0);
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+    tree->root->color = RB_RED;
+
+    ret = rbtree_black_depth(tree);
+    free(value);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_rbtree_black_depth_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_black_depth(NULL));
+}
+
+void test_rbtree_size(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    int ret;
+
+    ret = rbtree_size(tree);
+    assert_int_equal(ret, 0);
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+    rbtree_insert(tree, "c_key", value);
+    rbtree_insert(tree, "d_key", value);
+    rbtree_insert(tree, "e_key", value);
+
+    ret = rbtree_size(tree);
+    free(value);
+
+    assert_int_equal(ret, 5);
+}
+
+void test_rbtree_size_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_size(NULL));
+}
+
+void test_rbtree_empty(void **state)
+{
+    (void) state;
+    rb_tree *tree = *state;
+    char *value = strdup("value");
+    int ret;
+
+    ret = rbtree_empty(tree);
+    assert_int_equal(ret, 1);
+
+    rbtree_insert(tree, "a_key", value);
+    rbtree_insert(tree, "b_key", value);
+
+    ret = rbtree_empty(tree);
+    free(value);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_rbtree_empty_null_tree(void **state)
+{
+    (void) state;
+
+    expect_assert_failure(rbtree_empty(NULL));
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        /* rbtree_insert tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_insert_success, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_insert_failure, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_insert_null_tree, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_insert_null_key, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_insert_null_value, create_rbtree_with_dispose, delete_rbtree),
+
+        /* rbtree_replace tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_replace_success, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_replace_failure, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_replace_null_tree, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_replace_null_key, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_replace_null_value, create_rbtree_with_dispose, delete_rbtree),
+
+        /* rbtree_get tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_get_success, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_get_failure, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_get_null_tree, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_get_null_key, create_rbtree_with_dispose, delete_rbtree),
+
+        /* rbtree_delete tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_delete_success, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_delete_failure, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_delete_null_tree, create_rbtree_with_dispose, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_delete_null_key, create_rbtree_with_dispose, delete_rbtree),
+
+        /* rbtree_minimum tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_minimum, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_minimum_empty_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_minimum_null_tree, create_rbtree, delete_rbtree),
+
+        /* rbtree_minimum tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_maximum, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_maximum_empty_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_maximum_null_tree, create_rbtree, delete_rbtree),
+
+        /* rbtree_keys tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_keys, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_keys_empty_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_keys_null_tree, create_rbtree, delete_rbtree),
+
+        /* rbtree_range tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_range, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_range_null_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_range_min_not_in_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_range_null_min, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_range_max_not_in_tree, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_range_null_max, create_rbtree, delete_rbtree),
+
+        /* rbtree_depth tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_black_depth_success, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_black_depth_failure, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_black_depth_null_tree, create_rbtree, delete_rbtree),
+
+        /* rbtree_size tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_size, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_size_null_tree, create_rbtree, delete_rbtree),
+
+        /* rbtree_empty tests */
+        cmocka_unit_test_setup_teardown(test_rbtree_empty, create_rbtree, delete_rbtree),
+        cmocka_unit_test_setup_teardown(test_rbtree_empty_null_tree, create_rbtree, delete_rbtree),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.c b/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.c
new file mode 100644
index 0000000000..481b161bcf
--- /dev/null
+++ b/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.c
@@ -0,0 +1,30 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "rbtree_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void * __wrap_rbtree_insert(__attribute__((unused)) rb_tree * tree,
+                            __attribute__((unused)) const char * key,
+                            __attribute__((unused)) void * value) {
+    return NULL;
+}
+
+char **__wrap_rbtree_keys(__attribute__((unused)) const rb_tree *tree) {
+    return mock_type(char **);
+}
+
+void *__wrap_rbtree_get(const rb_tree *tree, const char * key) {
+    check_expected(tree);
+    check_expected(key);
+    return mock_type(void*);
+}
diff --git a/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.h b/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.h
new file mode 100644
index 0000000000..adc7b67a39
--- /dev/null
+++ b/src/common/rbtree_op/tests/unit/wrappers/rbtree_op_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef RBTREE_OP_WRAPPERS_H
+#define RBTREE_OP_WRAPPERS_H
+
+#include <rbtree_op.h>
+
+void * __wrap_rbtree_insert(rb_tree * tree, const char * key, void * value);
+
+char **__wrap_rbtree_keys(const rb_tree *tree);
+
+void *__wrap_rbtree_get(const rb_tree *tree, const char * key);
+
+#endif
diff --git a/src/modules/fim/include/fim.h b/src/common/read_alert/CMakeLists.txt
similarity index 100%
rename from src/modules/fim/include/fim.h
rename to src/common/read_alert/CMakeLists.txt
diff --git a/src/common/read_alert/include/read_alert.h b/src/common/read_alert/include/read_alert.h
new file mode 100644
index 0000000000..ece55c2f3a
--- /dev/null
+++ b/src/common/read_alert/include/read_alert.h
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef CRALERT_H
+#define CRALERT_H
+
+#define CRALERT_MAIL_SET    0x001
+#define CRALERT_EXEC_SET    0x002
+#define CRALERT_READ_ALL    0x004
+#define CRALERT_READ_FAILED 0x008
+#define CRALERT_FP_SET      0x010
+
+/* File queue */
+typedef struct _alert_data {
+    unsigned int rule;
+    unsigned int level;
+    char *alertid;
+    char *date;
+    char *location;
+    char *comment;
+    char *group;
+    char *srcip;
+    int srcport;
+    char *dstip;
+    int dstport;
+    char *user;
+    char *filename;
+    char *old_md5;
+    char *new_md5;
+    char *old_sha1;
+    char *new_sha1;
+    char *old_sha256;
+    char *new_sha256;
+    char **log;
+    char *srcgeoip;
+    char *dstgeoip;
+    /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+    char *file_size;
+    char *owner_chg;
+    char *group_chg;
+    char *perm_chg;
+    /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+} alert_data;
+
+alert_data *GetAlertData(int flag, FILE *fp) __attribute__((nonnull));
+void        FreeAlertData(alert_data *al_data) __attribute__((nonnull));
+
+#endif /* CRALERT_H */
diff --git a/src/common/read_alert/src/read_alert.c b/src/common/read_alert/src/read_alert.c
new file mode 100644
index 0000000000..4a6e070737
--- /dev/null
+++ b/src/common/read_alert/src/read_alert.c
@@ -0,0 +1,352 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* File monitoring functions */
+
+#include "shared.h"
+#include "read-alert.h"
+
+/* ** Alert xyz: email active-response ** */
+
+#define ALERT_BEGIN     "** Alert"
+#define ALERT_BEGIN_SZ  8
+#define RULE_BEGIN      "Rule: "
+#define RULE_BEGIN_SZ   6
+#define SRCIP_BEGIN     "Src IP: "
+#define SRCIP_BEGIN_SZ  8
+
+#ifdef LIBGEOIP_ENABLED
+#define GEOIP_BEGIN_SRC     "Src Location: "
+#define GEOIP_BEGIN_SRC_SZ  14
+#define GEOIP_BEGIN_DST     "Dst Location: "
+#define GEOIP_BEGIN_DST_SZ  14
+#endif /* LIBGEOIP_ENABLED */
+
+#define SRCPORT_BEGIN     "Src Port: "
+#define SRCPORT_BEGIN_SZ  10
+#define DSTIP_BEGIN     "Dst IP: "
+#define DSTIP_BEGIN_SZ  8
+#define DSTPORT_BEGIN     "Dst Port: "
+#define DSTPORT_BEGIN_SZ  10
+#define USER_BEGIN      "User: "
+#define USER_BEGIN_SZ   6
+#define ALERT_MAIL      "mail"
+#define ALERT_MAIL_SZ   4
+#define OLDMD5_BEGIN      "Old md5sum was: "
+#define OLDMD5_BEGIN_SZ   16
+#define NEWMD5_BEGIN      "New md5sum is : "
+#define NEWMD5_BEGIN_SZ   16
+#define OLDSHA1_BEGIN     "Old sha1sum was: "
+#define OLDSHA1_BEGIN_SZ  17
+#define NEWSHA1_BEGIN     "New sha1sum is : "
+#define NEWSHA1_BEGIN_SZ  17
+#define OLDSHA256_BEGIN     "Old sha256sum was: "
+#define OLDSHA256_BEGIN_SZ  19
+#define NEWSHA256_BEGIN     "New sha256sum is : "
+#define NEWSHA256_BEGIN_SZ  19
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+#define SIZE_BEGIN        "Size changed from "
+#define SIZE_BEGIN_SZ     18
+#define OWNER_BEGIN        "Ownership was "
+#define OWNER_BEGIN_SZ     14
+#define GROUP_BEGIN        "Group ownership was "
+#define GROUP_BEGIN_SZ     20
+#define PERM_BEGIN        "Permissions changed from "
+#define PERM_BEGIN_SZ     25
+
+#define LOG_LIMIT      100
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+
+
+void FreeAlertData(alert_data *al_data) {
+    char **p;
+    os_free(al_data->alertid);
+    os_free(al_data->date);
+    os_free(al_data->location);
+    os_free(al_data->comment);
+    os_free(al_data->group);
+    os_free(al_data->srcip);
+    os_free(al_data->dstip);
+    os_free(al_data->user);
+    os_free(al_data->filename);
+    os_free(al_data->old_md5);
+    os_free(al_data->new_md5);
+    os_free(al_data->old_sha1);
+    os_free(al_data->new_sha1);
+    os_free(al_data->old_sha256);
+    os_free(al_data->new_sha256);
+    os_free(al_data->file_size);
+    os_free(al_data->owner_chg);
+    os_free(al_data->group_chg);
+    os_free(al_data->perm_chg);
+
+/* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+    if (al_data->log) {
+        p = al_data->log;
+
+        while (*(p)) {
+            os_free(*(p));
+            p++;
+        }
+        os_free(al_data->log);
+    }
+#ifdef LIBGEOIP_ENABLED
+
+    os_free(al_data->srcgeoip);
+    os_free(al_data->dstgeoip);
+
+#endif
+    // al_data can't be NULL
+    free(al_data);
+    al_data = NULL;
+}
+
+/* Return alert data for the file specified */
+alert_data *GetAlertData(int flag, FILE *fp) {
+
+    alert_data *al_data;
+    os_calloc(1, sizeof(alert_data), al_data);
+
+    int _r = 0, issyscheck = 0;
+    size_t log_size = 0;
+    char *p;
+    char str[OS_MAXSTR + 1];
+    str[OS_MAXSTR] = '\0';
+
+    while (fgets(str, OS_MAXSTR, fp) != NULL) {
+        /* End of alert */
+        if (strncmp(ALERT_BEGIN, str, ALERT_BEGIN_SZ) == 0) {
+            char *m;
+            size_t z = 0;
+            /* End of the alert. */
+            if (_r == 2) {
+                if (fseek(fp, -strlen(str), SEEK_CUR) != -1) {
+                    return (al_data);
+                } else {
+                    goto l_error;
+                }
+            }
+
+            p = str + ALERT_BEGIN_SZ + 1;
+
+            m = strstr(p, ":");
+            if (!m) {
+                continue;
+            }
+
+            z = strlen(p) - strlen(m);
+            os_realloc(al_data->alertid, (z + 1) * sizeof(char), al_data->alertid);
+            strncpy(al_data->alertid, p, z);
+            al_data->alertid[z] = '\0';
+
+            /* Search for email flag */
+            p = strchr(p, ' ');
+            if (!p) {
+                continue;
+            }
+
+            p++;
+
+            /* Check for the flags */
+            if ((flag & CRALERT_MAIL_SET) &&
+                    (strncmp(ALERT_MAIL, p, ALERT_MAIL_SZ) != 0)) {
+                continue;
+            }
+
+            p = strchr(p, '-');
+            if (p) {
+                p++;
+                /* Skip leading spaces */
+                while (*p == ' ') {
+                        p++;
+                }
+                os_free(al_data->group);
+                os_strdup(p, al_data->group);
+
+                /* Clean newline from group */
+                os_clearnl(al_data->group, p);
+                if (al_data->group != NULL && strstr(al_data->group, "syscheck") != NULL) {
+                    issyscheck = 1;
+                }
+            }
+
+            /* Search for active-response flag */
+            _r = 1;
+            continue;
+        }
+
+        if (_r < 1) {
+            continue;
+        }
+
+        /*** Extract information from the event ***/
+
+        /* r1 means: 2006 Apr 13 16:15:17 /var/log/auth.log */
+        if (_r == 1) {
+            /* Clear newline */
+            os_clearnl(str, p);
+
+            p = strchr(str, ':');
+            if (p) {
+                p = strchr(p, ' ');
+                if (p) {
+                    *p = '\0';
+                    p++;
+                } else {
+                    /* If p is null it is because strchr failed */
+                    merror("date or location not NULL");
+                    goto l_error;
+                }
+            }
+
+            /* If not, str is date and p is the location */
+            if (al_data->date || al_data->location || !p) {
+                merror("date or location not NULL or p is NULL");
+                goto l_error;
+            }
+
+            os_strdup(str, al_data->date);
+            os_strdup(p, al_data->location);
+            _r = 2;
+            log_size = 0;
+            continue;
+        } else if (_r == 2) {
+            /* Rule begin */
+            if (strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + RULE_BEGIN_SZ;
+                al_data->rule = atoi(p);
+
+                p = strchr(p, ' ');
+                if (p) {
+                    p++;
+                    p = strchr(p, ' ');
+                    if (p) {
+                        p++;
+                    }
+                }
+
+                if (!p) {
+                    goto l_error;
+                }
+
+                al_data->level = atoi(p);
+
+                /* Get the comment */
+                p = strchr(p, '\'');
+                if (!p) {
+                    goto l_error;
+                }
+
+                p++;
+                os_free(al_data->comment);
+                os_strdup(p, al_data->comment);
+
+                /* Must have the closing \' */
+                p = strrchr(al_data->comment, '\'');
+                if (p) {
+                    *p = '\0';
+                } else {
+                    goto l_error;
+                }
+            }
+
+            /* srcip */
+            else if (strncmp(SRCIP_BEGIN, str, SRCIP_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + SRCIP_BEGIN_SZ;
+                os_free(al_data->srcip);
+                os_strdup(p,al_data->srcip);
+            }
+#ifdef LIBGEOIP_ENABLED
+            /* GeoIP Source Location */
+            else if (strncmp(GEOIP_BEGIN_SRC, str, GEOIP_BEGIN_SRC_SZ) == 0) {
+                os_clearnl(str, p);
+                p = str + GEOIP_BEGIN_SRC_SZ;
+                os_free(al_data->srcgeoip);
+                os_strdup(p, al_data->srcgeoip);
+            }
+#endif
+            /* srcport */
+            else if (strncmp(SRCPORT_BEGIN, str, SRCPORT_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + SRCPORT_BEGIN_SZ;
+                al_data->srcport = atoi(p);
+            }
+            /* dstip */
+            else if (strncmp(DSTIP_BEGIN, str, DSTIP_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + DSTIP_BEGIN_SZ;
+                os_free(al_data->dstip);
+                os_strdup(p, al_data->dstip);
+            }
+#ifdef LIBGEOIP_ENABLED
+            /* GeoIP Destination Location */
+            else if (strncmp(GEOIP_BEGIN_DST, str, GEOIP_BEGIN_DST_SZ) == 0) {
+                os_clearnl(str, p);
+                p = str + GEOIP_BEGIN_DST_SZ;
+                os_free(al_data->dstgeoip);
+                os_strdup(p, al_data->dstgeoip);
+            }
+#endif
+            /* dstport */
+            else if (strncmp(DSTPORT_BEGIN, str, DSTPORT_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + DSTPORT_BEGIN_SZ;
+                al_data->dstport = atoi(p);
+            }
+            /* username */
+            else if (strncmp(USER_BEGIN, str, USER_BEGIN_SZ) == 0) {
+                os_clearnl(str, p);
+
+                p = str + USER_BEGIN_SZ;
+                os_free(al_data->user);
+                os_strdup(p, al_data->user);
+            }
+
+         /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+            /* It is a log message */
+            else if (log_size < LOG_LIMIT) {
+                os_clearnl(str, p);
+                if (issyscheck == 1) {
+                    if (strncmp(str, "Integrity checksum changed for: '", 33) == 0) {
+                        al_data->filename = strdup(str + 33);
+                        if (al_data->filename) {
+                            al_data->filename[strlen(al_data->filename) - 1] = '\0';
+                        }
+                    }
+                    issyscheck = 0;
+                }
+
+                os_realloc(al_data->log, (log_size + 2) * sizeof(char *), al_data->log);
+                os_strdup(str, al_data->log[log_size]);
+                log_size++;
+                al_data->log[log_size] = NULL;
+            }
+        }
+    }
+
+    // We reached the end of the alert and the information is saved.
+    if (feof(fp) && *str == '\0' && _r == 2) {
+        return al_data;
+    }
+
+l_error:
+    /* Free the memory */
+    FreeAlertData(al_data);
+    /* We need to clean end of file before returning */
+    clearerr(fp);
+    return (NULL);
+}
diff --git a/src/modules/fim/src/fim.c b/src/common/regex_op/CMakeLists.txt
similarity index 100%
rename from src/modules/fim/src/fim.c
rename to src/common/regex_op/CMakeLists.txt
diff --git a/src/common/regex_op/include/regex_op.h b/src/common/regex_op/include/regex_op.h
new file mode 100644
index 0000000000..f8aa375736
--- /dev/null
+++ b/src/common/regex_op/include/regex_op.h
@@ -0,0 +1,46 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef OS_REGEX_OP_H
+#define OS_REGEX_OP_H
+
+#ifndef WIN32
+#include <regex.h>
+#include "../external/sqlite/sqlite3.h"
+
+/**
+ * @brief Compare a string with a regular expression.
+ *
+ * @param str String to check.
+ * @param regex Regex to match.
+ * @return Returns 1 if matches, 0 if not.
+ */
+int OS_PRegex(const char *str, const char *regex);
+
+
+/**
+ * @brief Compare a string with a expression.
+ *
+ * @details This function extends the POSIX function regexec().
+ *          In this function the pattern is self compiled.
+ *
+ * @param pattern Regex to match.
+ * @param string String to check.
+ * @param nmatch The maximum number of matches to record in pmatch.
+ * @param pmatch Array of regmatch_t objects where the function can record the matches.
+ * @return Returns 1 on success or 0 on error.
+ */
+int w_regexec(const char * pattern, const char * string, size_t nmatch, regmatch_t * pmatch);
+
+// Callback to use POSIX regex with the SQLite engine
+void w_sql_regex(sqlite3_context *context, int argc, sqlite3_value **argv);
+
+#endif
+#endif
diff --git a/src/common/regex_op/src/regex_op.c b/src/common/regex_op/src/regex_op.c
new file mode 100644
index 0000000000..5eafa60a57
--- /dev/null
+++ b/src/common/regex_op/src/regex_op.c
@@ -0,0 +1,94 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+
+#include "shared.h"
+
+
+int OS_PRegex(const char *str, const char *regex)
+{
+    regex_t preg;
+
+    if (!str || !regex) {
+        return (0);
+    }
+
+    if (regcomp(&preg, regex, REG_EXTENDED | REG_NOSUB) != 0) {
+        merror("Posix Regex compile error (%s).", regex);
+        return (0);
+    }
+
+    if (regexec(&preg, str, 0, NULL, 0) != 0) {
+        /* Didn't match */
+        regfree(&preg);
+        return (0);
+    }
+
+    regfree(&preg);
+    return (1);
+}
+
+
+int w_regexec(const char * pattern, const char * string, size_t nmatch, regmatch_t * pmatch) {
+    regex_t regex;
+    int result;
+
+    if (!(pattern && string)) {
+        return 0;
+    }
+
+    if (regcomp(&regex, pattern, REG_EXTENDED)) {
+        merror("Couldn't compile regular expression '%s'", pattern);
+        return 0;
+    }
+
+    result = regexec(&regex, string, nmatch, pmatch, 0);
+    regfree(&regex);
+    return !result;
+}
+
+void w_sql_regex(sqlite3_context *context, int argc, sqlite3_value **argv) {
+    char *pattern;
+    char *to_match;
+    regex_t regex;
+    char *error_msg;
+
+    if (argc != 2) {
+        sqlite3_result_error(context, "regexp(): invalid arguments.\n", -1);
+        return;
+    }
+
+    pattern = (char*)sqlite3_value_text(argv[0]);
+    to_match = (char*)sqlite3_value_text(argv[1]);
+
+    if (!pattern || !to_match) {
+        if (pattern == to_match) {
+            sqlite3_result_int(context, 1);
+        } else {
+            sqlite3_result_int(context, 0);
+        }
+
+        return;
+    }
+
+    if (regcomp(&regex, pattern, REG_EXTENDED | REG_NOSUB)) {
+        os_calloc(OS_SIZE_1024, sizeof(char), error_msg);
+        snprintf(error_msg, OS_SIZE_1024, "regexp(): could not compile '%s'.\n", pattern);
+        sqlite3_result_error(context, error_msg, -1);
+        free(error_msg);
+        return;
+    }
+
+    sqlite3_result_int(context, !regexec(&regex, to_match , 0, NULL, 0));
+    regfree(&regex);
+}
+
+#endif /* !WIN32 */
diff --git a/src/common/registryHelper/CMakeLists.txt b/src/common/registryHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/registryHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/registryHelper/include/registryHelper.h b/src/common/registryHelper/include/registryHelper.h
new file mode 100644
index 0000000000..191cab2a35
--- /dev/null
+++ b/src/common/registryHelper/include/registryHelper.h
@@ -0,0 +1,439 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WIN32
+
+#ifndef _REGISTRY_HELPER_H
+#define _REGISTRY_HELPER_H
+
+#include <string>
+#include <winsock2.h>
+#include <windows.h>
+#include <winreg.h>
+#include <cstdio>
+#include <memory>
+#include "encodingWindowsHelper.h"
+#include "windowsHelper.h"
+#include "stringHelper.h"
+#include "globHelper.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    class Registry final
+    {
+        public:
+            Registry(const HKEY key, const std::string& subKey = "", const REGSAM access = KEY_READ)
+                : m_registryKey{openRegistry(key, subKey, access)}
+            {}
+            ~Registry()
+            {
+                close();
+            }
+
+            void close()
+            {
+                if (m_registryKey)
+                {
+                    RegCloseKey(m_registryKey);
+                    m_registryKey = nullptr;
+                }
+            }
+
+            DWORD dword(const std::string& valueName) const
+            {
+                DWORD ret{};
+                DWORD size{sizeof(DWORD)};
+                const auto result
+                {
+                    RegQueryValueEx(m_registryKey, valueName.c_str(), nullptr, nullptr, reinterpret_cast<LPBYTE>(&ret), &size)
+                };
+
+                if (result != ERROR_SUCCESS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error reading DWORD value of: " + valueName
+                    };
+                }
+
+                return ret;
+            }
+
+            bool dword(const std::string& valueName, DWORD& value) const
+            {
+                DWORD size{sizeof(DWORD)};
+                const auto result
+                {
+                    RegQueryValueEx(m_registryKey, valueName.c_str(), nullptr, nullptr, reinterpret_cast<LPBYTE>(&value), &size)
+                };
+                return result == ERROR_SUCCESS;
+            }
+
+            std::vector<std::string> enumerate() const
+            {
+                std::vector<std::string> ret;
+                constexpr auto MAX_KEY_NAME_SIZE{255};//https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
+                char buff[MAX_KEY_NAME_SIZE] {};
+                DWORD size{MAX_KEY_NAME_SIZE};
+                DWORD index{0};
+                auto result{RegEnumKeyEx(m_registryKey, index, buff, &size, nullptr, nullptr, nullptr, nullptr)};
+
+                while (result == ERROR_SUCCESS)
+                {
+                    ret.push_back(buff);
+                    size = MAX_KEY_NAME_SIZE;
+                    ++index;
+                    result = RegEnumKeyEx(m_registryKey, index, buff, &size, nullptr, nullptr, nullptr, nullptr);
+                }
+
+                if (result != ERROR_NO_MORE_ITEMS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error enumerating registry."
+                    };
+                }
+
+                return ret;
+            }
+
+            std::vector<std::string> enumerateValueKey() const
+            {
+                std::vector<std::string> ret;
+                constexpr auto MAX_KEY_NAME_VALUE {32767}; // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
+                char buffer[MAX_KEY_NAME_VALUE];
+                DWORD size {MAX_KEY_NAME_VALUE};
+                DWORD index {0};
+
+                auto result {RegEnumValue(m_registryKey, index, buffer, &size, nullptr,  nullptr, nullptr, nullptr)};
+
+                while (ERROR_SUCCESS == result)
+                {
+                    ret.push_back(buffer);
+                    size = MAX_KEY_NAME_VALUE;
+                    index++;
+                    result = RegEnumValue(m_registryKey, index, buffer, &size, nullptr,  nullptr, nullptr, nullptr);
+                }
+
+                if (ERROR_NO_MORE_ITEMS != result)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error enumerating Values in registry."
+                    };
+                }
+
+                return ret;
+            }
+
+            void enumerate(const std::function<void(const std::string&)>& callback) const
+            {
+                std::vector<std::string> ret;
+                constexpr auto MAX_KEY_NAME_SIZE{255};//https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
+                char buff[MAX_KEY_NAME_SIZE] {};
+                DWORD size{MAX_KEY_NAME_SIZE};
+                DWORD index{0};
+                auto result{RegEnumKeyEx(m_registryKey, index, buff, &size, nullptr, nullptr, nullptr, nullptr)};
+
+                while (result == ERROR_SUCCESS)
+                {
+                    callback(buff);
+                    size = MAX_KEY_NAME_SIZE;
+                    ++index;
+                    result = RegEnumKeyEx(m_registryKey, index, buff, &size, nullptr, nullptr, nullptr, nullptr);
+                }
+
+                if (result != ERROR_NO_MORE_ITEMS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error enumerating registry."
+                    };
+                }
+            }
+
+            bool enumerate(std::vector<std::string>& values) const
+            {
+                bool ret{true};
+
+                try
+                {
+                    values = this->enumerate();
+                }
+                catch (...)
+                {
+                    ret = false;
+                }
+
+                return ret;
+            }
+
+            bool enumerateValueKey(std::vector<std::string>& values) const
+            {
+                auto ret{true};
+
+                try
+                {
+                    values = this->enumerateValueKey();
+                }
+                catch (...)
+                {
+                    ret = false;
+                }
+
+                return ret;
+            }
+
+            std::string keyModificationDate() const
+            {
+                std::string ret;
+                FILETIME lastModificationTime { };
+                const auto result
+                {
+                    RegQueryInfoKey(m_registryKey, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, &lastModificationTime)
+                };
+
+                if (ERROR_SUCCESS == result)
+                {
+                    ULARGE_INTEGER time { };
+
+                    time.LowPart = lastModificationTime.dwLowDateTime;
+                    time.HighPart = lastModificationTime.dwHighDateTime;
+
+                    // Use structure values to build 18-digit LDAP/FILETIME number
+                    ret = Utils::buildTimestamp(time.QuadPart);
+                }
+
+                return ret;
+            }
+
+            std::string string(const std::string& valueName) const
+            {
+                DWORD size{0};
+                auto result
+                {
+                    RegQueryValueEx(m_registryKey, valueName.c_str(), nullptr, nullptr, nullptr, &size)
+                };
+
+                if (result != ERROR_SUCCESS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error reading the size of: " + valueName
+                    };
+                }
+
+                const auto spBuff{std::make_unique<BYTE[]>(size)};
+
+                if (!spBuff)
+                {
+                    throw std::runtime_error
+                    {
+                        "Error allocating memory to read String value of: " + valueName
+                    };
+                }
+
+                result = RegQueryValueEx(m_registryKey, valueName.c_str(), nullptr, nullptr, spBuff.get(), &size);
+
+                if (result != ERROR_SUCCESS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error reading String value of: " + valueName
+                    };
+                }
+
+                return std::string{reinterpret_cast<const char*>(spBuff.get())};
+            }
+
+
+            bool qword(const std::string& valueName, ULONGLONG& value) const
+            {
+                ULONGLONG valueRegistry;
+                DWORD size {sizeof(ULONGLONG)};
+                DWORD type;
+                auto ret {false};
+
+                const auto result { RegQueryValueEx(m_registryKey, valueName.c_str(), nullptr, &type, reinterpret_cast<LPBYTE>(&valueRegistry), &size) };
+
+                if (ERROR_SUCCESS != result)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error reading the value of: " + valueName
+                    };
+                }
+
+                if (REG_QWORD == type)
+                {
+                    value = valueRegistry;
+                    ret = true;
+                }
+
+                return ret;
+            }
+
+            bool string(const std::string& valueName, std::string& value) const
+            {
+                bool ret{true};
+
+                try
+                {
+                    value = EncodingWindowsHelper::stringAnsiToStringUTF8(this->string(valueName));
+                }
+                catch (...)
+                {
+                    ret = false;
+                }
+
+                return ret;
+            }
+
+        private:
+            static HKEY openRegistry(const HKEY key, const std::string& subKey, const REGSAM access)
+            {
+                HKEY ret{nullptr};
+                const auto result
+                {
+                    RegOpenKeyEx(key, subKey.c_str(), 0, access, &ret)
+                };
+
+                if (result != ERROR_SUCCESS)
+                {
+                    throw std::system_error
+                    {
+                        result,
+                        std::system_category(),
+                        "Error opening registry: " + subKey
+                    };
+                }
+
+                return ret;
+            }
+            HKEY m_registryKey;
+    };
+
+
+    static void expandRegistryPath(const HKEY key,
+                                   const std::string& subKey,
+                                   std::vector<std::string>& registryKeys)
+    {
+        // Find the first * or ? from path.
+        const std::array<char, 2> wildcards { '*', '?' };
+        size_t wildcardPos = std::string::npos;
+
+        for (const auto& wildcard : wildcards)
+        {
+            // Find the first wildcard.
+            const auto pos = subKey.find_first_of(wildcard);
+
+            // If the wildcard is found and it is before the current wildcard, then update the wildcard position.
+            if (std::string::npos != pos && (std::string::npos == wildcardPos || pos < wildcardPos))
+            {
+                wildcardPos = pos;
+            }
+        }
+
+        if (std::string::npos != wildcardPos)
+        {
+            // The next directory is the part of the path after the first wildcard.
+            const auto nextDirectoryPos { subKey.find_first_of('\\', wildcardPos) };
+
+            // The parent directory is the part of the path before the first wildcard.
+            // If the wildcard is the first character, then the parent directory is the root directory.
+            const auto parentDirectoryPos { 0 == wildcardPos ? 0 : subKey.find_last_of('\\', wildcardPos) };
+
+            // If the parent directory is not found, then the path is invalid.
+            if (std::string::npos == parentDirectoryPos)
+            {
+                throw std::runtime_error { "Invalid path: " + subKey };
+            }
+
+            // The base directory is the part of the path before the first wildcard.
+            // If there is no wildcard, then the base directory is the whole path.
+            // If the wildcard is the first character, then the base directory is the root directory.
+            std::string baseDir;
+
+            if (0 == wildcardPos)
+            {
+                baseDir = "";
+            }
+            else
+            {
+                baseDir = subKey.substr(0, parentDirectoryPos);
+            }
+
+            // The pattern is the part of the path after the first wildcard.
+            // If the wildcard is the last character, then the pattern is the rest of the string.
+            // If the wildcard is the first character, then the pattern is the rest of the string, minus the next '\'.
+            // If there is no next '\', then the pattern is the rest of the string.
+            const auto pattern
+            {
+                subKey.substr(0 == parentDirectoryPos ? 0 : parentDirectoryPos + 1,
+                              std::string::npos == nextDirectoryPos ?
+                              std::string::npos : nextDirectoryPos - (0 == parentDirectoryPos ? 0 :
+                                                                      parentDirectoryPos + 1))
+            };
+
+            try
+            {
+                // Enumerate the registry keys and expand the path.
+                for (const auto& entry : Utils::Registry{key, baseDir, KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_WOW64_64KEY }.enumerate())
+                {
+                    // If the base directory is empty, then the entry name is the entry.
+                    // Otherwise, the entry name is the base directory, followed by a '\', followed by the entry.
+                    const auto entryName { baseDir.empty() ? entry : R"(\)" + entry };
+
+                    // If the entry name matches the pattern, then expand the path.
+                    if (Utils::patternMatch(entryName, pattern))
+                    {
+                        // If the next directory position is npos, then there is no next directory.
+                        // Otherwise, the next directory is the part of the path after the next '\'.
+                        Utils::expandRegistryPath(key, baseDir +
+                                                  entryName +
+                                                  (std::string::npos ==  nextDirectoryPos ? "" :
+                                                   subKey.substr(nextDirectoryPos)),
+                                                  registryKeys);
+                    }
+                }
+            }
+            catch (const std::exception& e)
+            { }
+        }
+        else
+        {
+            registryKeys.push_back(subKey);
+        }
+    }
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _REGISTRY_HELPER_H
+
+#endif //WIN32
diff --git a/src/common/registryHelper/tests/CMakeLists.txt b/src/common/registryHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..8a9094d462
--- /dev/null
+++ b/src/common/registryHelper/tests/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC
+    "registryHelper_test.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/registryHelper/tests/main.cpp b/src/common/registryHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/registryHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/registryHelper/tests/registryHelper_test.cpp b/src/common/registryHelper/tests/registryHelper_test.cpp
new file mode 100644
index 0000000000..51a4422b74
--- /dev/null
+++ b/src/common/registryHelper/tests/registryHelper_test.cpp
@@ -0,0 +1,114 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef WIN32
+#include "registryHelper_test.h"
+#include "registryHelper.h"
+
+constexpr auto CENTRAL_PROCESSOR_REGISTRY {"HARDWARE\\DESCRIPTION\\System\\CentralProcessor"};
+constexpr auto CENTRAL_PROCESSOR_REGISTRY_0 {"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"};
+
+void RegistryUtilsTest::SetUp() {};
+
+void RegistryUtilsTest::TearDown() {};
+
+TEST_F(RegistryUtilsTest, RegistryString)
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY_0);
+    const auto result{reg.string("ProcessorNameString")};
+    EXPECT_FALSE(result.empty());
+}
+
+TEST_F(RegistryUtilsTest, RegistryStringNoThrow)
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY_0);
+    std::string value;
+    const auto result{reg.string("SomeWrongValue", value)};
+    EXPECT_TRUE(value.empty());
+    EXPECT_FALSE(result);
+}
+
+TEST_F(RegistryUtilsTest, RegistryDWORD)
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY_0);
+    const auto result{reg.dword("~MHz")};
+    EXPECT_NE(0u, result);
+}
+
+TEST_F(RegistryUtilsTest, RegistryDWORDNoThrow)
+{
+    DWORD value{0};
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY_0);
+    const auto result{reg.dword("SomeWrongValue", value)};
+    EXPECT_FALSE(result);
+}
+
+TEST_F(RegistryUtilsTest, RegistryQWORD)
+{
+    HKEY handler;
+    const LPCTSTR subkey { TEXT("WazuhTest") };
+    LPCTSTR value { TEXT("Test") };
+    ULONGLONG data { 0xF00000000000000 };
+    ULONGLONG valueRead { 0 };
+
+    auto result { RegCreateKeyEx(HKEY_CURRENT_USER, subkey, 0, nullptr, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr, &handler, nullptr) };
+    EXPECT_EQ(ERROR_SUCCESS, result);
+
+    result = RegSetValueEx(handler, value, 0, REG_QWORD, reinterpret_cast<LPBYTE>(&data), sizeof(ULONGLONG));
+    EXPECT_EQ(ERROR_SUCCESS, result);
+
+    Utils::Registry reg(HKEY_CURRENT_USER, subkey);
+    result = reg.qword(value, valueRead);
+    EXPECT_TRUE(result);
+    EXPECT_EQ(data, valueRead);
+
+    RegDeleteKeyEx(HKEY_CURRENT_USER, subkey, KEY_WOW64_64KEY, 0);
+    RegCloseKey(handler);
+}
+
+TEST_F(RegistryUtilsTest, RegistryQWORDNoThrow)
+{
+    HKEY handler;
+    const LPCTSTR subkey { TEXT("WazuhTest") };
+    LPCTSTR value { TEXT("Test") };
+    DWORD data { 1 };
+    ULONGLONG valueRead { 0 };
+
+    auto result { RegCreateKeyEx(HKEY_CURRENT_USER, subkey, 0, nullptr, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr, &handler, nullptr) };
+    EXPECT_EQ(ERROR_SUCCESS, result);
+
+    result = RegSetValueEx(handler, value, 0, REG_DWORD, reinterpret_cast<LPBYTE>(&data), sizeof(ULONGLONG));
+    EXPECT_EQ(ERROR_SUCCESS, result);
+
+    Utils::Registry reg(HKEY_CURRENT_USER, subkey);
+    result = reg.qword(value, valueRead);
+    EXPECT_FALSE(result);
+    EXPECT_EQ(0u, valueRead);
+
+    RegDeleteKeyEx(HKEY_CURRENT_USER, subkey, KEY_WOW64_64KEY, 0);
+    RegCloseKey(handler);
+}
+
+TEST_F(RegistryUtilsTest, RegistryEnumerate)
+{
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY, KEY_ENUMERATE_SUB_KEYS | KEY_READ);
+    const auto result{reg.enumerate()};
+    EXPECT_NE(0u, result.size());
+}
+
+TEST_F(RegistryUtilsTest, RegistryEnumerateNoThrow)
+{
+    std::vector<std::string> values;
+    Utils::Registry reg(HKEY_LOCAL_MACHINE, CENTRAL_PROCESSOR_REGISTRY_0, KEY_ENUMERATE_SUB_KEYS | KEY_READ);
+    reg.enumerate(values);
+    EXPECT_EQ(0u, values.size());
+}
+
+#endif
diff --git a/src/common/registryHelper/tests/registryHelper_test.h b/src/common/registryHelper/tests/registryHelper_test.h
new file mode 100644
index 0000000000..4f90af0191
--- /dev/null
+++ b/src/common/registryHelper/tests/registryHelper_test.h
@@ -0,0 +1,25 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef REGISTRY_HELPER_TESTS_H
+#define REGISTRY_HELPER_TESTS_H
+#include "gtest/gtest.h"
+
+class RegistryUtilsTest : public ::testing::Test
+{
+    protected:
+
+        RegistryUtilsTest() = default;
+        virtual ~RegistryUtilsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //REGISTRY_HELPER_TESTS_H
diff --git a/src/modules/gcp/include/gcp.h b/src/common/rwlock_op/CMakeLists.txt
similarity index 100%
rename from src/modules/gcp/include/gcp.h
rename to src/common/rwlock_op/CMakeLists.txt
diff --git a/src/common/rwlock_op/include/rwlock_op.h b/src/common/rwlock_op/include/rwlock_op.h
new file mode 100644
index 0000000000..b4ae418d1d
--- /dev/null
+++ b/src/common/rwlock_op/include/rwlock_op.h
@@ -0,0 +1,74 @@
+/**
+ * @file rwlock_op.h
+ * @brief Read-write lock library declaration
+ * @date 2022-09-02
+ *
+ * @copyright Copyright (C) 2015 Wazuh, Inc.
+ */
+
+/*
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef RWLOCK_OP_H
+#define RWLOCK_OP_H
+
+#include <pthread.h>
+
+#define RWLOCK_LOCK_READ(rwlock, stmt) rwlock_lock_read(rwlock); stmt; rwlock_unlock(rwlock);
+#define RWLOCK_LOCK_WRITE(rwlock, stmt) rwlock_lock_write(rwlock); stmt; rwlock_unlock(rwlock);
+
+/**
+ * @brief Read-write lock
+ *
+ * This structure provides a read-write lock with FIFO queueing.
+ */
+typedef struct {
+    pthread_mutex_t mutex;
+    pthread_rwlock_t rwlock;
+} rwlock_t;
+
+/**
+ * @brief Initialize a read_write lock.
+ *
+ * @param rwlock Pointer to a rwlock_t structure.
+ * @post Dies with critical error if the lock is initialized twice.
+ */
+void rwlock_init(rwlock_t * rwlock);
+
+/**
+ * @brief Lock a read-write lock for reading.
+ *
+ * @param rwlock Pointer to a rwlock_t structure.
+ * @post Dies with critical error if a deadlock is detected.
+ */
+void rwlock_lock_read(rwlock_t * rwlock);
+
+/**
+ * @brief Lock a read-write lock for writing.
+ *
+ * @param rwlock Pointer to a rwlock_t structure.
+ * @post Dies with critical error if a deadlock is detected.
+ */
+void rwlock_lock_write(rwlock_t * rwlock);
+
+/**
+ * @brief Unlock a read-write lock.
+ *
+ * @param rwlock Pointer to a rwlock_t structure.
+ * @post Dies with critical error if the current thread does not lock this lock.
+ */
+void rwlock_unlock(rwlock_t * rwlock);
+
+/**
+ * @brief Free a read-write lock.
+ *
+ * @param rwlock Pointer to a rwlock_t structure.
+ * @post Dies with critical error if the lock is currently locked.
+ */
+void rwlock_destroy(rwlock_t * rwlock);
+
+#endif
diff --git a/src/common/rwlock_op/src/rwlock_op.c b/src/common/rwlock_op/src/rwlock_op.c
new file mode 100644
index 0000000000..840ad4cce2
--- /dev/null
+++ b/src/common/rwlock_op/src/rwlock_op.c
@@ -0,0 +1,91 @@
+/**
+ * @file rwlock_op.c
+ * @brief Read-write lock library definition
+ * @date 2022-09-02
+ *
+ * @copyright Copyright (C) 2015 Wazuh, Inc.
+ */
+
+/*
+ * This program is a free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+
+// Initialize a read_write lock.
+
+void rwlock_init(rwlock_t * rwlock) {
+    errno = pthread_mutex_init(&rwlock->mutex, NULL);
+    if (errno != 0) {
+        merror_exit(MUTEX_INIT, strerror(errno), errno);
+    }
+
+    errno = pthread_rwlock_init(&rwlock->rwlock, NULL);
+    if (errno != 0) {
+        merror_exit(RWLOCK_INIT, strerror(errno), errno);
+    }
+}
+
+// Lock a read-write lock for reading.
+
+void rwlock_lock_read(rwlock_t * rwlock) {
+    errno = pthread_mutex_lock(&rwlock->mutex);
+    if (errno != 0) {
+        merror_exit(MUTEX_LOCK, strerror(errno), errno);
+    }
+
+    errno = pthread_rwlock_rdlock(&rwlock->rwlock);
+    if (errno != 0) {
+        merror_exit(RWLOCK_LOCK_RD, strerror(errno), errno);
+    }
+
+    errno = pthread_mutex_unlock(&rwlock->mutex);
+    if (errno != 0) {
+        merror_exit(MUTEX_UNLOCK, strerror(errno), errno);
+    }
+}
+
+// Lock a read-write lock for writing.
+
+void rwlock_lock_write(rwlock_t * rwlock) {
+    errno = pthread_mutex_lock(&rwlock->mutex);
+    if (errno != 0) {
+        merror_exit(MUTEX_LOCK, strerror(errno), errno);
+    }
+
+    errno = pthread_rwlock_wrlock(&rwlock->rwlock);
+    if (errno != 0) {
+        merror_exit(RWLOCK_LOCK_WR, strerror(errno), errno);
+    }
+
+    errno = pthread_mutex_unlock(&rwlock->mutex);
+    if (errno != 0) {
+        merror_exit(MUTEX_UNLOCK, strerror(errno), errno);
+    }
+}
+
+// Unlock a read-write lock.
+
+void rwlock_unlock(rwlock_t * rwlock) {
+    errno = pthread_rwlock_unlock(&rwlock->rwlock);
+    if (errno != 0) {
+        merror_exit(RWLOCK_UNLOCK, strerror(errno), errno);
+    }
+}
+
+// Free a read-write lock.
+
+void rwlock_destroy(rwlock_t * rwlock) {
+    errno = pthread_mutex_destroy(&rwlock->mutex);
+    if (errno != 0) {
+        merror_exit(MUTEX_DESTROY, strerror(errno), errno);
+    }
+
+    errno = pthread_rwlock_destroy(&rwlock->rwlock);
+    if (errno != 0) {
+        merror_exit(RWLOCK_DESTROY, strerror(errno), errno);
+    }
+}
diff --git a/src/common/rwlock_op/tests/unit/tests/CMakeLists.txt b/src/common/rwlock_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..022d075c7b
--- /dev/null
+++ b/src/common/rwlock_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,46 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_rwlock_op")
+list(APPEND shared_tests_flags "${DEBUG_OP_WRAPPERS}")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/rwlock_op/tests/unit/tests/test_rwlock_op.c b/src/common/rwlock_op/tests/unit/tests/test_rwlock_op.c
new file mode 100644
index 0000000000..dc4a3f4d82
--- /dev/null
+++ b/src/common/rwlock_op/tests/unit/tests/test_rwlock_op.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "../headers/shared.h"
+
+#define BUFFER_LEN 64
+#define N_READERS 4
+#define READ_CYCLES 10000
+#define WRITE_CYCLES 1000
+
+typedef struct {
+    rwlock_t * rwlock;
+    char buffer[BUFFER_LEN];
+} thread_args_t;
+
+int test_rwlock_setup(void ** state) {
+    *state = malloc(sizeof(rwlock_t));
+    return 0;
+}
+
+int test_rwlock_teardown(void ** state) {
+    free(*state);
+    return 0;
+}
+
+static void * reader(thread_args_t * thread_args) {
+    char target[BUFFER_LEN];
+
+    for (int i = 0; i < READ_CYCLES; i++) {
+        RWLOCK_LOCK_READ(thread_args->rwlock, {
+            memcpy(target, thread_args->buffer, BUFFER_LEN);
+            sched_yield();
+        })
+    }
+
+    return NULL;
+}
+
+static void * writer(thread_args_t * thread_args) {
+    int i = 0;
+
+    for (int i = 0; i < WRITE_CYCLES; i++) {
+        RWLOCK_LOCK_WRITE(thread_args->rwlock, {
+            snprintf(thread_args->buffer, BUFFER_LEN, "%d", i);
+        })
+
+        sched_yield();
+    }
+
+    return NULL;
+}
+
+void test_rwlock_threads(void ** state) {
+    pthread_t thread_writer;
+    pthread_t thread_readers[N_READERS];
+    thread_args_t thread_args = {
+        .rwlock = *(rwlock_t **)state
+    };
+
+    rwlock_init(thread_args.rwlock);
+
+    for (int i = 0; i < N_READERS; i++) {
+        errno = pthread_create(&thread_readers[i], NULL, (void * (*)(void *))reader, (void *)&thread_args);
+        assert_int_equal(errno, 0);
+    }
+
+    errno = pthread_create(&thread_writer, NULL, (void * (*)(void *))writer, (void *)&thread_args);
+    assert_int_equal(errno, 0);
+
+    if (errno != 0) {
+        perror("pthread_start(writer)");
+        abort();
+    }
+
+    errno = pthread_join(thread_writer, NULL);
+    assert_int_equal(errno, 0);
+
+    for (int i = 0; i < N_READERS; i++) {
+        errno = pthread_join(thread_readers[i], NULL);
+        assert_int_equal(errno, 0);
+    }
+
+    rwlock_destroy(thread_args.rwlock);
+}
+
+int main() {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_rwlock_threads, test_rwlock_setup, test_rwlock_teardown),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.c b/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.c
new file mode 100644
index 0000000000..fcfe7b1cae
--- /dev/null
+++ b/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.c
@@ -0,0 +1,30 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "rwlock_op_wrappers.h"
+
+void __wrap_rwlock_lock_read(rwlock_t * rwlock) {
+    (void)rwlock;
+    function_called();
+}
+
+void __wrap_rwlock_lock_write(rwlock_t * rwlock) {
+    (void)rwlock;
+    function_called();
+}
+
+void __wrap_rwlock_unlock(rwlock_t * rwlock) {
+    (void)rwlock;
+    function_called();
+}
diff --git a/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.h b/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.h
new file mode 100644
index 0000000000..11578fb9cc
--- /dev/null
+++ b/src/common/rwlock_op/tests/unit/wrappers/rwlock_op_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef RWLOCK_OP_WRAPPERS_H
+#define RWLOCK_OP_WRAPPERS_H
+
+#include <rwlock_op.h>
+
+void __wrap_rwlock_lock_read(rwlock_t * rwlock);
+void __wrap_rwlock_lock_write(rwlock_t * rwlock);
+void __wrap_rwlock_unlock(rwlock_t * rwlock);
+
+#endif
diff --git a/src/modules/gcp/scripts/gcp.py b/src/common/schedule_scan/CMakeLists.txt
similarity index 100%
rename from src/modules/gcp/scripts/gcp.py
rename to src/common/schedule_scan/CMakeLists.txt
diff --git a/src/common/schedule_scan/include/schedule_scan.h b/src/common/schedule_scan/include/schedule_scan.h
new file mode 100644
index 0000000000..69ac3b78c5
--- /dev/null
+++ b/src/common/schedule_scan/include/schedule_scan.h
@@ -0,0 +1,110 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+
+/**
+ * Shared API to treat scheduled events
+ */
+#ifndef SCHED_SCAN_H
+#define SCHED_SCAN_H
+
+typedef struct _sched_scan_config {
+    int scan_day;           /* Day of the month [1..31]                   */
+    int scan_wday;          /* Day of the week [0..6]                     */
+    char* scan_time;        /* Time of day [hh:mm]                        */
+    unsigned int interval;  /* Interval betweeen events in seconds        */
+    bool month_interval;    /* Flag to determine if interval is in months */
+    time_t next_scheduled_scan_time;/* Absolute time next scheduled event will occur */
+    time_t time_start;      /* Do not write, used by the modules          */
+    int daylight;
+} sched_scan_config;
+
+/**
+ * Receives pointer to sched_scan_config structure returns
+ * absolute time for next event
+ * */
+#define sched_get_next_scan_time(x) x.next_scheduled_scan_time
+
+void sched_scan_init(sched_scan_config *scan_config);
+void sched_scan_free(sched_scan_config *scan_config);
+
+/**
+ * @brief Reads an array of xml nodes and overrides scheduling configuration
+ *
+ * Expected xml nodes:
+ * ´´´
+ * <day></day>
+ * <wday></wday>
+ * <time></time>
+ * <interval></interval>
+ * ´´´
+ * */
+int sched_scan_read(sched_scan_config *scan_config, xml_node **nodes, const char *MODULE_NAME);
+
+/**
+ * @brief Calculates time until the next scheduled time according based on scheduling configuration
+ *
+ * @param config Scheduling configuration
+ * Available options are:
+ * 1. Specific day of a month
+ * 2. Specific day of a week
+ * 3. Every day at a certain time
+ * 4. Set up a scan between intervals
+ * @param MODULE_TAG String to identify module
+ * @param run_on_start forces first time run
+ * @return time until next scan in seconds
+ *   stores in config->next_scheduled_scan_time the absolute time where next event
+ *   should occur
+ * */
+time_t sched_scan_get_time_until_next_scan(sched_scan_config *config, const char *MODULE_TAG, const int run_on_start);
+
+/**
+ * @brief Function to check the change of daylight to add or subtract an hour
+ *
+ * @param config schedule scan configuration struct
+ * @param next_scan_time next scan time to check the daylight
+ * @param test option to test the function and it has to be true
+ */
+void check_daylight(sched_scan_config *config, time_t * next_scan_time, bool test);
+
+/**
+ * @brief Get time in seconds to the specified hour in hh:mm
+ *
+ * @param hourtime of the day hh:mm format
+ * @param num_weeks number of days interval
+ * @param first_time if it the next time we need to obtain or we respect the interval number of days
+ * @return amount of time in seconds
+*/
+unsigned long int get_time_to_hour(const char * hour, const unsigned int num_days, bool first_time);
+
+/**
+ * @brief Get time to reach a particular day of the week and hour
+ *
+ * @param wday day of the weak
+ * @param hour time of the day hh:mm format
+ * @param num_weeks number of weeks interval
+ * @param first_time if it the next day we need to obtain or we respect the interval number of days
+ * @return amount of time in seconds
+ * */
+unsigned long int get_time_to_day(int wday, const char * hour, const unsigned int num_weeks, bool first_time);
+
+/**
+ * @brief Get time to reach a particular day of the month and hour
+ *
+ * @param month_day day of the month
+ * @param hour time of the day hh:mm format
+ * @param num_of_months in case we want to check every certain number of months
+ * @return amount of time in seconds
+ * */
+unsigned long int get_time_to_month_day(int month_day, const char* hour, int num_of_months);
+
+void sched_scan_dump(const sched_scan_config* scan_config, cJSON *cjson_object);
+int is_sched_tag(const char* tag);
+#endif /* SCHED_SCAN_H */
diff --git a/src/common/schedule_scan/src/schedule_scan.c b/src/common/schedule_scan/src/schedule_scan.c
new file mode 100644
index 0000000000..5e01868b39
--- /dev/null
+++ b/src/common/schedule_scan/src/schedule_scan.c
@@ -0,0 +1,397 @@
+#include "shared.h"
+#include "wazuh_modules/wmodules.h"
+
+
+static const char *XML_INTERVAL = "interval";
+static const char *XML_SCAN_DAY = "day";
+static const char *XML_WEEK_DAY = "wday";
+static const char *XML_TIME = "time";
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static for unit testing
+#define static
+#endif
+
+static int _sched_scan_validate_parameters(sched_scan_config *scan_config);
+static time_t _get_next_time(const sched_scan_config *config, const char *MODULE_TAG,  const int run_on_start);
+
+/**
+ * Check if the input tag is used for scheduling
+ * */
+int is_sched_tag(const char* tag){
+    return !strcmp(tag, XML_INTERVAL) || !strcmp(tag, XML_SCAN_DAY) || !strcmp(tag, XML_WEEK_DAY) || !strcmp(tag, XML_TIME);
+}
+
+/**
+ * Initializes sched_scan_config structure with
+ * default values
+ * */
+void sched_scan_init(sched_scan_config *scan_config){
+    scan_config->scan_wday = -1;
+    scan_config->scan_day = 0;
+    scan_config->scan_time = NULL;
+    scan_config->interval = WM_DEF_INTERVAL;
+    scan_config->month_interval = false;
+    scan_config->time_start = 0;
+    scan_config->next_scheduled_scan_time = 0;
+    scan_config->daylight = -1;
+}
+
+/**
+ * Frees sched_scan_config internal variables
+ * */
+void sched_scan_free(sched_scan_config *scan_config){
+    os_free(scan_config->scan_time);
+}
+
+int sched_scan_read(sched_scan_config *scan_config, xml_node **nodes, const char *MODULE_NAME) {
+    unsigned i;
+    for (i = 0; nodes[i]; i++) {
+        if (!strcmp(nodes[i]->element, XML_SCAN_DAY)) { // <day></day>
+            if (!OS_StrIsNum(nodes[i]->content)) {
+                merror(XML_VALUEERR, nodes[i]->element, nodes[i]->content);
+                return (OS_INVALID);
+            } else {
+                scan_config->scan_day = atoi(nodes[i]->content);
+                if (scan_config->scan_day < 1 || scan_config->scan_day > 31) {
+                    merror(XML_VALUEERR, nodes[i]->element, nodes[i]->content);
+                    return (OS_INVALID);
+                }
+            }
+        } else if (!strcmp(nodes[i]->element, XML_WEEK_DAY)) { // <wday></wday>
+            scan_config->scan_wday = w_validate_wday(nodes[i]->content);
+            if (scan_config->scan_wday < 0 || scan_config->scan_wday > 6) {
+                merror(XML_VALUEERR, nodes[i]->element, nodes[i]->content);
+                return OS_INVALID;
+            }
+        } else if (!strcmp(nodes[i]->element, XML_TIME)) {  // <time></time>
+            scan_config->scan_time = w_validate_time(nodes[i]->content);
+            if (!scan_config->scan_time) {
+                merror(XML_VALUEERR, nodes[i]->element, nodes[i]->content);
+                return (OS_INVALID);
+            }
+        } else if (!strcmp(nodes[i]->element, XML_INTERVAL)) { //<interval></interval>
+            char *endptr;
+            scan_config->interval = strtoul(nodes[i]->content, &endptr, 0);
+
+            if (scan_config->interval <= 0 || scan_config->interval >= UINT_MAX) {
+                merror("Invalid interval value at module '%s'", MODULE_NAME);
+                return OS_INVALID;
+            }
+
+            switch (*endptr) {
+                case 'M':
+                    scan_config->month_interval = true;
+                    // interval will be considered as a month when this option is active
+                    break;
+                case 'w':
+                    scan_config->interval *= 604800;
+                    break;
+                case 'd':
+                    scan_config->interval *= 86400;
+                    break;
+                case 'h':
+                    scan_config->interval *= 3600;
+                    break;
+                case 'm':
+                    scan_config->interval *= 60;
+                    break;
+                case 's':
+                case '\0':
+                    break;
+                default:
+                    merror("Invalid interval value at module '%s'", MODULE_NAME);
+                    return OS_INVALID;
+            }
+        }
+    }
+
+    return _sched_scan_validate_parameters(scan_config);
+}
+
+time_t sched_scan_get_time_until_next_scan(sched_scan_config *config, const char *MODULE_TAG,  const int run_on_start) {
+    time_t next_scan_time;
+
+    time_t next_time = _get_next_time(config, MODULE_TAG, run_on_start);
+    next_scan_time = time(NULL) + next_time;
+    check_daylight(config, &next_scan_time, false);
+    config->next_scheduled_scan_time = next_scan_time;
+    return next_time;
+}
+
+static time_t _get_next_time(const sched_scan_config *config, const char *MODULE_TAG,  const int run_on_start) {
+    if (run_on_start && !config->next_scheduled_scan_time) {
+        // If scan on start then initial waiting time is 0
+        return 0;
+    }
+
+    if (config->scan_day) {
+        // Option 1: Day of the month
+        return (time_t) get_time_to_month_day(config->scan_day,  config->scan_time, config->interval);
+    } else if (config->scan_wday >= 0) {
+        unsigned int num_weeks = config->interval / 604800;
+        // Option 2: Day of the week
+        return (time_t) get_time_to_day(config->scan_wday, config->scan_time, num_weeks, config->next_scheduled_scan_time ? FALSE : TRUE);
+    } else if (config->scan_time) {
+        unsigned int num_days = config->interval / 86400;
+        // Option 3: Time of the day [hh:mm]
+        return (time_t) get_time_to_hour(config->scan_time, num_days, config->next_scheduled_scan_time ? FALSE : TRUE);
+    } else if (config->interval) {
+        // Option 4: Interval of time
+        const time_t last_run_time = time(NULL) - config->next_scheduled_scan_time;
+
+        if ((time_t)config->interval >= last_run_time) {
+            return  (time_t)config->interval - last_run_time;
+        } else if(!config->next_scheduled_scan_time) {
+            // First time defined by run_on_start
+            if(run_on_start) {
+                return 0;
+            } else {
+                return (time_t)config->interval;
+            }
+        } else {
+            mtwarn(MODULE_TAG, "Interval overtaken.");
+            return 0;
+        }
+    } else {
+        merror_exit("Invalid Scheduling option for module %s. Exiting.", MODULE_TAG);
+    }
+    return 0;
+}
+
+
+static int _sched_scan_validate_parameters(sched_scan_config *scan_config) {
+    // Validate scheduled scan parameters and interval value
+    if (scan_config->scan_day && (scan_config->scan_wday >= 0)) {
+        merror("Options 'day' and 'wday' are not compatible.");
+        return OS_INVALID;
+    } else if (scan_config->scan_day) {
+        if (!scan_config->month_interval) {
+            mwarn("Interval must be a multiple of one month. New interval value: 1M");
+            scan_config->interval = 1; // 1 month
+            scan_config->month_interval = true;
+        }
+        if (!scan_config->scan_time)
+            scan_config->scan_time = strdup("00:00");
+    } else if (scan_config->scan_wday >= 0) {
+        if (w_validate_interval(scan_config->interval, 1) != 0) {
+            scan_config->interval = 604800;  // 1 week
+            mwarn("Interval must be a multiple of one week. New interval value: 1w");
+        }
+        if (scan_config->interval == 0)
+            scan_config->interval = 604800;
+        if (!scan_config->scan_time)
+            scan_config->scan_time = strdup("00:00");
+    } else if (scan_config->scan_time) {
+        if (w_validate_interval(scan_config->interval, 0) != 0) {
+            scan_config->interval = WM_DEF_INTERVAL;  // 1 day
+            mwarn("Interval must be a multiple of one day. New interval value: 1d");
+        }
+    } else if (scan_config->month_interval) {
+        mwarn("Interval value is in months. Setting scan day to first day of the month.");
+        scan_config->scan_day = 1;
+        scan_config->scan_time = strdup("00:00");
+    }
+
+    return 0;
+}
+
+void sched_scan_dump(const sched_scan_config* scan_config, cJSON *cjson_object){
+    if (scan_config->interval) cJSON_AddNumberToObject(cjson_object, "interval", scan_config->interval);
+    if (scan_config->scan_day) cJSON_AddNumberToObject(cjson_object, "day", scan_config->scan_day);
+    switch (scan_config->scan_wday) {
+        case 0:
+            cJSON_AddStringToObject(cjson_object, "wday", "sunday");
+            break;
+        case 1:
+            cJSON_AddStringToObject(cjson_object, "wday", "monday");
+            break;
+        case 2:
+            cJSON_AddStringToObject(cjson_object, "wday", "tuesday");
+            break;
+        case 3:
+            cJSON_AddStringToObject(cjson_object, "wday", "wednesday");
+            break;
+        case 4:
+            cJSON_AddStringToObject(cjson_object, "wday", "thursday");
+            break;
+        case 5:
+            cJSON_AddStringToObject(cjson_object, "wday", "friday");
+            break;
+        case 6:
+            cJSON_AddStringToObject(cjson_object, "wday", "saturday");
+            break;
+        default:
+            break;
+    }
+    if (scan_config->scan_time) cJSON_AddStringToObject(cjson_object, "time", scan_config->scan_time);
+
+}
+
+// Function to check the change of daylight to add or subtract an hour
+void check_daylight(sched_scan_config *config, time_t * next_scan_time, bool test) {
+    struct tm tm_future;
+    int future_daylight;
+
+    localtime_r(next_scan_time, &tm_future);
+
+    if (test) {
+        future_daylight = 1;
+    } else {
+        future_daylight = tm_future.tm_isdst;
+    }
+    if (config->daylight != -1) {
+        *next_scan_time += 3600*(config->daylight - future_daylight);
+    }
+    config->daylight = future_daylight;
+}
+
+// Get time in seconds to the specified hour in hh:mm
+unsigned long int get_time_to_hour(const char * hour, const unsigned int num_days, bool first_time) {
+    time_t curr_time;
+    time_t target_time;
+    struct tm tm_result = { .tm_sec = 0 };
+    double diff;
+    int i;
+
+    char ** parts = OS_StrBreak(':', hour, 2);
+
+    // Get current time
+    curr_time = time(NULL);
+    localtime_r(&curr_time, &tm_result);
+
+    struct tm t_target = tm_result;
+
+    // Look for the particular hour
+    t_target.tm_hour = atoi(parts[0]);
+    t_target.tm_min = atoi(parts[1]);
+    t_target.tm_sec = 0;
+
+    // Calculate difference between hours
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+
+    if (diff <= 0) {
+        if (first_time) {
+            t_target.tm_mday += 1;
+        } else {
+            t_target.tm_mday += num_days;
+        }
+    }
+
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+
+    for (i=0; parts[i]; i++)
+        free(parts[i]);
+
+    free(parts);
+    return (unsigned long int)diff;
+}
+
+// Get time to reach a particular day of the week and hour
+unsigned long int get_time_to_day(int wday, const char * hour, const unsigned int num_weeks, bool first_time) {
+
+    time_t curr_time;
+    time_t target_time;
+    struct tm tm_result = { .tm_sec = 0 };
+    double diff;
+    int i, ret;
+
+    // Get exact hour and minute to go to
+    char ** parts = OS_StrBreak(':', hour, 2);
+
+    // Get current time
+    curr_time = time(NULL);
+    localtime_r(&curr_time, &tm_result);
+
+    struct tm t_target = tm_result;
+
+    // Look for the particular hour
+    t_target.tm_hour = atoi(parts[0]);
+    t_target.tm_min = atoi(parts[1]);
+    t_target.tm_sec = 0;
+
+    // Calculate difference between hours
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+
+    if (wday == tm_result.tm_wday) {    // We are in the desired day
+
+        if (diff <= 0) {
+            t_target.tm_mday += first_time ? 7 : num_weeks*7;   // Seconds of a week
+        }
+
+    } else if (wday > tm_result.tm_wday) {  // We are looking for a future day
+
+        while (wday > tm_result.tm_wday) {
+            t_target.tm_mday += 1;
+            tm_result.tm_wday++;
+        }
+
+    } else if (wday < tm_result.tm_wday) { // We have past the desired day
+
+        ret = 7 - (tm_result.tm_wday - wday);
+        for (i = 0; i < ret; i++) {
+            t_target.tm_mday += 1;
+        }
+    }
+
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+
+    free(parts[0]);
+    free(parts[1]);
+    free(parts);
+
+    return (unsigned long int)diff;
+
+}
+
+unsigned long int get_time_to_month_day(int month_day, const char* hour, int num_of_months) {
+    assert(num_of_months > 0);
+
+    time_t curr_time;
+    time_t target_time;
+    double diff;
+    struct tm tm_result = { .tm_sec = 0 };
+
+    // Get current time
+    curr_time = time(NULL);
+    localtime_r(&curr_time, &tm_result);
+
+    struct tm t_target = tm_result;
+    // Get exact hour and minute to go to
+    char ** parts = OS_StrBreak(':', hour, 2);
+    // Look for the target day an hour
+    t_target.tm_mday = month_day;
+    t_target.tm_hour = atoi(parts[0]);
+    t_target.tm_min = atoi(parts[1]);
+    t_target.tm_sec = 0;
+
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+    if ( (tm_result.tm_mday < month_day) || ((tm_result.tm_mday == month_day) && diff > 0) ) {
+        num_of_months = 0;
+    }
+
+    if (num_of_months >= 12) {
+        t_target.tm_year += (num_of_months / 12);
+        num_of_months = (num_of_months % 12);
+    }
+
+    if(t_target.tm_mon + num_of_months > 11) {
+        // We should increment a year
+        t_target.tm_mon = (t_target.tm_mon + num_of_months) % 12;
+        t_target.tm_year++;
+    } else {
+        t_target.tm_mon+= num_of_months;
+    }
+    target_time = mktime(&t_target);
+    diff = difftime(target_time, curr_time);
+    free(parts[0]);
+    free(parts[1]);
+    free(parts);
+
+    return (unsigned long int) diff;
+}
diff --git a/src/common/schedule_scan/tests/unit/tests/CMakeLists.txt b/src/common/schedule_scan/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..155d3a21c1
--- /dev/null
+++ b/src/common/schedule_scan/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,48 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_schedule_scan")
+list(APPEND shared_tests_flags "-Wl,--wrap=OS_StrIsNum,--wrap=_merror,--wrap=w_time_delay,--wrap=time,--wrap=_mwarn \
+                                -Wl,--wrap=OSRegex_Compile -Wl,--wrap=OSRegex_Execute -Wl,--wrap,OSMatch_Execute \
+                                -Wl,--wrap,OSRegex_Execute_ex")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/schedule_scan/tests/unit/tests/test_schedule_scan.c b/src/common/schedule_scan/tests/unit/tests/test_schedule_scan.c
new file mode 100644
index 0000000000..f1864a3607
--- /dev/null
+++ b/src/common/schedule_scan/tests/unit/tests/test_schedule_scan.c
@@ -0,0 +1,754 @@
+/**
+ * Unitary test for methods
+ * described in 'headers/schedule_scan.h' and
+ * 'shared/schedule_scan.c' files
+* */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../wazuh_modules/wmodules.h"
+
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/time_op_wrappers.h"
+#include "../wrappers/wazuh/os_regex/os_regex_wrappers.h"
+
+
+extern time_t _get_next_time(const sched_scan_config *config, const char *MODULE_TAG,  const int run_on_start);
+extern int _sched_scan_validate_parameters(sched_scan_config *scan_config);
+extern time_t __real_time(time_t *_time);
+
+typedef struct test_structure {
+    xml_node **nodes;
+    sched_scan_config *scan_config;
+} test_structure;
+
+/*********************************/
+/*       WRAPS                   */
+/*********************************/
+
+time_t __wrap_time(time_t *_time){
+    if(!current_time){
+        current_time = __real_time(NULL);
+    }
+    return current_time;
+}
+
+/*********************************/
+/*       SETUP-TEARDOWN          */
+/*********************************/
+static int test_scan_read_setup(void **state) {
+    test_structure *test;
+    test = calloc(1, sizeof(test_structure));
+    xml_node **nodes;
+    nodes = calloc(2, sizeof(xml_node*));
+    nodes[0] = calloc(1, sizeof(xml_node));
+    test->nodes = nodes;
+    test->scan_config = calloc(1, sizeof(sched_scan_config));
+    *state = test;
+    return 0;
+}
+
+static int test_scan_read_teardown(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    free(test->nodes[0]->element);
+    free(test->nodes[0]->content);
+    free(test->nodes[0]);
+    free(test->nodes);
+    if(test->scan_config->scan_time)
+        free(test->scan_config->scan_time);
+    free(test->scan_config);
+    free(test);
+    return 0;
+}
+
+static int test_sched_scan_validate_setup(void **state) {
+    sched_scan_config *scan_config;
+    scan_config = calloc(1, sizeof(sched_scan_config));
+    sched_scan_init(scan_config);
+    *state = scan_config;
+    return 0;
+}
+
+static int test_sched_scan_validate_teardown(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    sched_scan_free(scan_config);
+    free(scan_config);
+    return 0;
+}
+
+static int test_get_time_setup(void **state) {
+    current_time = 1591189200;
+    return 0;
+}
+
+static int test_get_time_teardown(void **state) {
+    current_time = 0;
+    return 0;
+}
+
+static int setup_group(void **state) {
+    current_time = 0;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    current_time = 0;
+    return 0;
+}
+/*********************************/
+/*       TESTS                   */
+/*********************************/
+void test_tag_successfull(void **state) {
+    assert_int_equal(is_sched_tag("interval"), 1);
+    assert_int_equal(is_sched_tag("day"), 1);
+    assert_int_equal(is_sched_tag("wday"), 1);
+    assert_int_equal(is_sched_tag("time"), 1);
+}
+
+void test_tag_failure(void **state) {
+    assert_int_equal(is_sched_tag("foo"), 0);
+    assert_int_equal(is_sched_tag("bar"), 0);
+    assert_int_equal(is_sched_tag("parrot"), 0);
+    assert_int_equal(is_sched_tag("fake_tag"), 0);
+}
+
+void test_sched_scan_init(void **state){
+    sched_scan_config scan_config;
+    sched_scan_init(&scan_config);
+    assert_int_equal(scan_config.scan_wday, -1);
+    assert_int_equal(scan_config.scan_day, 0);
+    assert(scan_config.scan_time == NULL);
+    assert_int_equal(scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(scan_config.month_interval,false);
+    assert_int_equal(scan_config.time_start, 0);
+    assert_int_equal(scan_config.next_scheduled_scan_time, 0);
+}
+
+void test_sched_scan_read_correct_day(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("day");
+    nodes[0]->content = strdup("15");
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M" );
+    expect_string(__wrap_OS_StrIsNum, str,  "15");
+    will_return(__wrap_OS_StrIsNum, 1);
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->scan_day, 15);
+}
+
+void test_sched_scan_read_wrong_day(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("day");
+    nodes[0]->content = strdup("123");
+    expect_string(__wrap_OS_StrIsNum, str,  "123");
+    will_return(__wrap_OS_StrIsNum, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1235): Invalid value for element 'day': 123.");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_read_not_number(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("day");
+    nodes[0]->content = strdup("abc");
+    expect_string(__wrap_OS_StrIsNum, str,  "abc");
+    will_return(__wrap_OS_StrIsNum, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1235): Invalid value for element 'day': abc.");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_read_correct_wday(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w" );
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("wday");
+    nodes[0]->content = strdup("Monday");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->scan_wday, 1);
+}
+
+void test_sched_scan_read_wrong_wday(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("wday");
+    nodes[0]->content = strdup("UnexistentDay");
+    expect_string(__wrap__merror, formatted_msg, "(1241): Invalid day format: 'UnexistentDay'.");
+    expect_string(__wrap__merror, formatted_msg, "(1235): Invalid value for element 'wday': UnexistentDay.");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_read_correct_time(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("time");
+    nodes[0]->content = strdup("12:30");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_string_equal(test->scan_config->scan_time, nodes[0]->content);
+}
+
+void test_sched_scan_read_wrong_time(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("time");
+    nodes[0]->content = strdup("aa:40");
+    expect_string(__wrap__merror, formatted_msg, "(1240): Invalid time format: 'aa:40'.");
+    expect_string(__wrap__merror, formatted_msg, "(1235): Invalid value for element 'time': aa:40.");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_read_correct_interval_month(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval value is in months. Setting scan day to first day of the month." );
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("2M");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 2);
+    assert_int_equal(test->scan_config->month_interval, true);
+}
+
+void test_sched_scan_read_correct_interval_week(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("5w");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 5*604800);
+    assert_int_equal(test->scan_config->month_interval, false);
+}
+
+void test_sched_scan_read_correct_interval_day(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("2d");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 2*86400);
+    assert_int_equal(test->scan_config->month_interval, false);
+}
+
+void test_sched_scan_read_correct_interval_hour(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("1h");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 3600);
+    assert_int_equal(test->scan_config->month_interval, false);
+}
+
+void test_sched_scan_read_correct_interval_minute(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("25m");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 25*60);
+    assert_int_equal(test->scan_config->month_interval, false);
+}
+
+void test_sched_scan_read_correct_interval_second(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("100s");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, 0);
+    assert_int_equal(test->scan_config->interval, 100);
+    assert_int_equal(test->scan_config->month_interval, false);
+}
+
+void test_sched_scan_read_wrong_interval(void **state) {
+    test_structure *test = ( test_structure *) *state;
+    sched_scan_init(test->scan_config);
+    xml_node **nodes = test->nodes;
+    nodes[0]->element = strdup("interval");
+    nodes[0]->content = strdup("three seconds");
+    expect_string(__wrap__merror, formatted_msg, "Invalid interval value at module 'TEST_MODULE'");
+    int ret = sched_scan_read(test->scan_config, nodes, "TEST_MODULE");
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_validate_incompatible_wday(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->scan_day = 1;
+    scan_config->scan_wday = 1;
+    expect_string(__wrap__merror, formatted_msg, "Options 'day' and 'wday' are not compatible.");
+    int ret = _sched_scan_validate_parameters(scan_config);
+    assert_int_equal(ret, -1);
+}
+
+void test_sched_scan_validate_day_not_month_interval(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    scan_config->scan_day = 1;
+    scan_config->month_interval = false;
+    scan_config->scan_time = NULL;
+    int ret = _sched_scan_validate_parameters(scan_config);
+    assert_int_equal(scan_config->month_interval, true);
+    assert_int_equal(scan_config->interval, 1);
+    assert_string_equal(scan_config->scan_time, "00:00");
+    assert_int_equal(ret, 0);
+}
+
+void test_sched_scan_validate_wday_not_week_interval(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    scan_config->scan_wday = 2;
+    scan_config->interval = 7;
+    scan_config->scan_time = NULL;
+    int ret = _sched_scan_validate_parameters(scan_config);
+    assert_int_equal(scan_config->scan_wday, 2);
+    assert_int_equal(scan_config->interval, 604800);
+    assert_string_equal(scan_config->scan_time, "00:00");
+    assert_int_equal(ret, 0);
+}
+
+void test_sched_scan_validate_time_not_day_interval(void **state){
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one day. New interval value: 1d");
+    scan_config->scan_time = strdup("00:00");
+    scan_config->interval = 30;
+    int ret = _sched_scan_validate_parameters(scan_config);
+    assert_int_equal(scan_config->interval, WM_DEF_INTERVAL);
+    assert_string_equal(scan_config->scan_time, "00:00");
+    assert_int_equal(ret, 0);
+}
+
+void test_get_next_time_day_configuration(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->scan_day = 1;
+    scan_config->month_interval = true;
+    scan_config->interval = 2; //Each 2 months
+    scan_config->scan_time = strdup("00:00");
+    time_t ret = _get_next_time(scan_config, "TEST_MODULE", 0);
+    assert_int_equal((int)ret, get_time_to_month_day(1, "00:00", 2));
+}
+
+
+void test_get_next_time_wday_configuration(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->scan_wday = 2;
+    scan_config->scan_time = strdup("00:00");
+    time_t ret = _get_next_time(scan_config, "TEST_MODULE", 0);
+    assert_int_equal((int) ret, get_time_to_day(2, "00:00", 1, true));
+}
+
+void test_get_next_time_daytime_configuration(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->scan_time = strdup("05:00");
+    time_t ret = _get_next_time(scan_config, "TEST_MODULE", 0);
+    assert_int_equal((int) ret, get_time_to_hour("05:00", 1, true));
+}
+
+void test_get_next_time_interval_configuration(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->interval = 3600;
+    time_t ret = _get_next_time(scan_config, "TEST_MODULE", 0);
+    assert_int_equal((int) ret, 3600);
+    scan_config->next_scheduled_scan_time = time(NULL); // Update last scan time
+    ret = _get_next_time(scan_config, "TEST_MODULE", 0);
+    assert_int_equal((int) ret, 3600);
+}
+
+void test_sched_scan_dump_day(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    cJSON * object = cJSON_CreateObject();
+    char * object_str = NULL;
+
+    scan_config->scan_day = 3;
+    scan_config->scan_time = "08:00";
+    scan_config->interval = WM_DEF_INTERVAL;
+    sched_scan_dump(scan_config, object);
+    object_str = cJSON_PrintUnformatted(object);
+
+    assert_string_equal(object_str, "{\"interval\":86400,\"day\":3,\"time\":\"08:00\"}");
+
+    cJSON_Delete(object);
+    os_free(object_str);
+    os_free(scan_config);
+}
+
+void test_sched_scan_dump_wday(void **state) {
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    char * object_str = NULL;
+    cJSON * wday;
+    int i;
+
+    char * week_days[] = {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"};
+
+    for (i = 0; i < 7; i++) {
+        cJSON * object = cJSON_CreateObject();
+        scan_config->scan_wday = i;
+        sched_scan_dump(scan_config, object);
+        wday = cJSON_GetObjectItem(object, "wday");
+        assert_string_equal(week_days[i], wday->valuestring);
+        cJSON_Delete(object);
+    }
+
+    os_free(scan_config);
+}
+
+void test_check_daylight_first_time(void **state) {
+    (void) state;
+    time_t next_scan_time = 0;
+    time_t next_scan_time_initial = next_scan_time;
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->daylight = -1;
+
+    check_daylight(scan_config, &next_scan_time, false);
+    assert_int_equal(next_scan_time, next_scan_time_initial + 0);
+}
+
+void test_check_daylight_same_daylight_zero(void **state) {
+    (void) state;
+    time_t next_scan_time = 0;
+    time_t next_scan_time_initial = next_scan_time;
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->daylight = 0;
+
+    check_daylight(scan_config, &next_scan_time, false);
+    assert_int_equal(next_scan_time, next_scan_time_initial + 0);
+}
+
+void test_check_daylight_same_daylight_one(void **state) {
+    (void) state;
+    time_t next_scan_time = 0;
+    time_t next_scan_time_initial = next_scan_time;
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->daylight = 1;
+
+    check_daylight(scan_config, &next_scan_time, true);
+    assert_int_equal(next_scan_time, next_scan_time_initial + 0);
+}
+
+void test_check_daylight_different_daylight_one_zero(void **state) {
+    (void) state;
+    time_t next_scan_time = 0;
+    time_t next_scan_time_initial = next_scan_time;
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->daylight = 1;
+
+    check_daylight(scan_config, &next_scan_time, false);
+    assert_int_equal(next_scan_time, next_scan_time_initial + 3600);
+}
+
+void test_check_daylight_different_daylight_zero_one(void **state) {
+    (void) state;
+    time_t next_scan_time = 0;
+    time_t next_scan_time_initial = next_scan_time;
+    sched_scan_config *scan_config = (sched_scan_config *)  *state;
+    scan_config->daylight = 0;
+
+    check_daylight(scan_config, &next_scan_time, true);
+    assert_int_equal(next_scan_time, next_scan_time_initial - 3600);
+}
+
+void test_get_time_to_hour_no_negative_diff(void **state) {
+    /* Date: Mon 2020/06/03 15:00:00 */
+    char hour[6];
+    const unsigned int num_days = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    diff_test = get_time_to_hour(hour, num_days, first_time);
+
+    assert_int_equal(diff_test, 60);
+}
+
+void test_get_time_to_hour_first_time(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    char hour[6];
+    const unsigned int num_days = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    diff_test = get_time_to_hour(hour, num_days, first_time);
+
+    assert_int_equal(diff_test, 3600*24-60);
+}
+
+void test_get_time_to_hour_num_days(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    char hour[6];
+    const unsigned int num_days = 3;
+    bool first_time = false;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    diff_test = get_time_to_hour(hour, num_days, first_time);
+
+    assert_int_equal(diff_test, num_days*3600*24-60);
+}
+
+void test_get_time_to_day_same_wday_positive_diff(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int wday;
+    char hour[6];
+    const unsigned int num_weeks = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    wday = current_tm.tm_wday;
+    diff_test = get_time_to_day(wday, hour, num_weeks, first_time);
+
+    assert_int_equal(diff_test, 60);
+}
+
+void test_get_time_to_day_same_wday_negative_diff_first_time(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int wday;
+    char hour[6];
+    const unsigned int num_weeks = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    wday = current_tm.tm_wday;
+    diff_test = get_time_to_day(wday, hour, num_weeks, first_time);
+
+    assert_int_equal(diff_test, 3600*24*7-60);
+}
+
+void test_get_time_to_day_same_wday_negative_diff_num_weeks(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int wday;
+    char hour[6];
+    const unsigned int num_weeks = 3;
+    bool first_time = false;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    wday = current_tm.tm_wday;
+    diff_test = get_time_to_day(wday, hour, num_weeks, first_time);
+
+    assert_int_equal(diff_test, num_weeks*3600*24*7-60);
+}
+
+void test_get_time_to_day_different_before_wday(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int wday;
+    char hour[6];
+    const unsigned int num_weeks = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    wday = current_tm.tm_wday + 2;
+    diff_test = get_time_to_day(wday, hour, num_weeks, first_time);
+
+    assert_int_equal(diff_test, 60+3600*24*(wday-current_tm.tm_wday));
+}
+
+void test_get_time_to_day_different_after_wday(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int wday;
+    char hour[6];
+    const unsigned int num_weeks = 1;
+    bool first_time = true;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    wday = current_tm.tm_wday - 2;
+    diff_test = get_time_to_day(wday, hour, num_weeks, first_time);
+
+    assert_int_equal(diff_test, 60+3600*24*(7-(current_tm.tm_wday-wday)));
+}
+
+void test_get_time_to_month_day_same_month_day_positive_diff(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int mday;
+    char hour[6];
+    const unsigned int num_months = 1;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    mday = current_tm.tm_mday;
+    diff_test = get_time_to_month_day(mday, hour, num_months);
+
+    assert_int_equal(diff_test, 60);
+}
+
+void test_get_time_to_month_day_same_month(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int mday;
+    char hour[6];
+    const unsigned int num_months = 1;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time + 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    mday = current_tm.tm_mday + 1;
+    diff_test = get_time_to_month_day(mday, hour, num_months);
+
+    assert_int_equal(diff_test, 3600*24+60);
+}
+
+void test_get_time_to_month_day_high_num_months(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int mday;
+    char hour[6];
+    const unsigned int num_months = 13;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    mday = current_tm.tm_mday;
+    diff_test = get_time_to_month_day(mday, hour, num_months);
+
+    assert_int_equal(diff_test, 3600*24*395-60);
+}
+
+void test_get_time_to_month_day_num_months(void **state) {
+    /* Date: Wed 2020/06/03 15:00:00 */
+    int mday;
+    char hour[6];
+    const unsigned int num_months = 8;
+    unsigned long diff_test;
+    time_t diff_time;
+    struct tm current_tm;
+
+    diff_time = current_time - 60;
+    localtime_r(&diff_time, &current_tm);
+    sprintf(hour, "%2d:%2d", current_tm.tm_hour, current_tm.tm_min);
+    mday = current_tm.tm_mday;
+    diff_test = get_time_to_month_day(mday, hour, num_months);
+
+    assert_int_equal(diff_test, 3600*24*245-60);
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_tag_successfull),
+        cmocka_unit_test(test_tag_failure),
+        cmocka_unit_test(test_sched_scan_init),
+        /* sched_scan_read function tests */
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_day, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_wrong_day, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_not_number, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_wday, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_wrong_wday, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_time, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_wrong_time, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_month, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_week, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_day, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_hour, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_minute, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_correct_interval_second, test_scan_read_setup, test_scan_read_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_read_wrong_interval, test_scan_read_setup, test_scan_read_teardown),
+        /* _sched_scan_validate_parameters function tests */
+        cmocka_unit_test_setup_teardown(test_sched_scan_validate_incompatible_wday, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_validate_day_not_month_interval, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_validate_wday_not_week_interval, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_sched_scan_validate_time_not_day_interval, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        /* _get_next_time function tests */
+        cmocka_unit_test_setup_teardown(test_get_next_time_day_configuration, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_get_next_time_wday_configuration, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_get_next_time_daytime_configuration, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_get_next_time_interval_configuration, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        /* sched_scan_dump function tests */
+        cmocka_unit_test_setup(test_sched_scan_dump_day, test_sched_scan_validate_setup),
+        cmocka_unit_test_setup(test_sched_scan_dump_wday, test_sched_scan_validate_setup),
+        /* check_daylight function tests */
+        cmocka_unit_test_setup_teardown(test_check_daylight_first_time, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_check_daylight_same_daylight_zero, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_check_daylight_same_daylight_one, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_check_daylight_different_daylight_one_zero, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        cmocka_unit_test_setup_teardown(test_check_daylight_different_daylight_zero_one, test_sched_scan_validate_setup, test_sched_scan_validate_teardown),
+        /* get_time_to_hour function tests */
+        cmocka_unit_test_setup_teardown(test_get_time_to_hour_no_negative_diff, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_hour_first_time, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_hour_num_days, test_get_time_setup, test_get_time_teardown),
+        /* get_time_to_day function tests */
+        cmocka_unit_test_setup_teardown(test_get_time_to_day_same_wday_positive_diff, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_day_same_wday_negative_diff_first_time, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_day_same_wday_negative_diff_num_weeks, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_day_different_before_wday, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_day_different_after_wday, test_get_time_setup, test_get_time_teardown),
+        /* get_time_to_month_day function tests */
+        cmocka_unit_test_setup_teardown(test_get_time_to_month_day_same_month_day_positive_diff, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_month_day_same_month, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_month_day_high_num_months, test_get_time_setup, test_get_time_teardown),
+        cmocka_unit_test_setup_teardown(test_get_time_to_month_day_num_months, test_get_time_setup, test_get_time_teardown)
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.c b/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.c
new file mode 100644
index 0000000000..13ac4d8393
--- /dev/null
+++ b/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.c
@@ -0,0 +1,40 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "schedule_scan_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+void __wrap_sched_scan_dump(const sched_scan_config* scan_config,
+                            cJSON *cjson_object) {
+    check_expected_ptr(scan_config);
+    check_expected_ptr(cjson_object);
+}
+
+time_t __wrap_sched_scan_get_time_until_next_scan(sched_scan_config *config,
+                                                  const char *MODULE_TAG,
+                                                  const int run_on_start) {
+    check_expected_ptr(config);
+    check_expected(MODULE_TAG);
+    check_expected(run_on_start);
+
+    return mock_type(time_t);
+}
+
+int __wrap_sched_scan_read(__attribute__((unused)) sched_scan_config *scan_config,
+                           xml_node **nodes,
+                           const char *MODULE_NAME) {
+    check_expected_ptr(nodes);
+    check_expected(MODULE_NAME);
+
+    return mock();
+}
diff --git a/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.h b/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.h
new file mode 100644
index 0000000000..0419499685
--- /dev/null
+++ b/src/common/schedule_scan/tests/unit/wrappers/schedule_scan_wrappers.h
@@ -0,0 +1,28 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SCHEDULE_SCAN_WRAPPERS_H
+#define SCHEDULE_SCAN_WRAPPERS_H
+
+#include <time.h>
+#include "shared.h"
+
+void __wrap_sched_scan_dump(const sched_scan_config* scan_config,
+                            cJSON *cjson_object);
+
+time_t __wrap_sched_scan_get_time_until_next_scan(sched_scan_config *config,
+                                                  const char *MODULE_TAG,
+                                                  const int run_on_start);
+
+int __wrap_sched_scan_read(sched_scan_config *scan_config,
+                           xml_node **nodes,
+                           const char *MODULE_NAME);
+
+#endif
diff --git a/src/modules/gcp/src/gcp.c b/src/common/sig_op/CMakeLists.txt
similarity index 100%
rename from src/modules/gcp/src/gcp.c
rename to src/common/sig_op/CMakeLists.txt
diff --git a/src/common/sig_op/include/sig_op.h b/src/common/sig_op/include/sig_op.h
new file mode 100644
index 0000000000..a7a3b6cb8d
--- /dev/null
+++ b/src/common/sig_op/include/sig_op.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions to handle signal manipulation */
+
+#ifndef SIG_H
+#define SIG_H
+
+void HandleSIG(int sig) __attribute__((noreturn));
+void HandleSIGPIPE(int sig);
+void HandleExit();
+
+/* Start signal manipulation */
+void StartSIG(const char *process_name) __attribute__((nonnull));
+
+/* Start signal manipulation -- function as an argument */
+void StartSIG2(const char *process_name, void (*func)(int)) __attribute__((nonnull));
+
+#endif /* SIG_H */
diff --git a/src/common/sig_op/src/sig_op.c b/src/common/sig_op/src/sig_op.c
new file mode 100644
index 0000000000..da26bdda40
--- /dev/null
+++ b/src/common/sig_op/src/sig_op.c
@@ -0,0 +1,89 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Functions to handle signal manipulation */
+
+#ifndef WIN32
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+
+#include "shared.h"
+#include "sig_op.h"
+#include "file_op.h"
+#include "debug_op.h"
+#include "error_messages/error_messages.h"
+#include "error_messages/debug_messages.h"
+
+static const char *pidfile = NULL;
+
+/* To avoid hp-ux requirement of strsignal */
+#ifdef __hpux
+char* strsignal(int sig)
+{
+    static char str[12];
+    sprintf(str, "%d", sig);
+    return str;
+}
+#endif
+
+void HandleExit() {
+    DeletePID(pidfile);
+
+    if (strcmp(__local_name, "unset")) {
+        DeleteState();
+    }
+}
+
+void HandleSIG(int sig)
+{
+    minfo(SIGNAL_RECV, sig, strsignal(sig));
+
+    exit(1);
+}
+
+
+/* To avoid client-server communication problems */
+void HandleSIGPIPE(__attribute__((unused)) int sig)
+{
+    return;
+}
+
+void StartSIG(const char *process_name)
+{
+    pidfile = process_name;
+
+    signal(SIGHUP, SIG_IGN);
+    signal(SIGINT, HandleSIG);
+    signal(SIGQUIT, HandleSIG);
+    signal(SIGTERM, HandleSIG);
+    signal(SIGALRM, HandleSIG);
+    signal(SIGPIPE, HandleSIGPIPE);
+
+    atexit(HandleExit);
+}
+
+void StartSIG2(const char *process_name, void (*func)(int))
+{
+    pidfile = process_name;
+
+    signal(SIGHUP, SIG_IGN);
+    signal(SIGINT, func);
+    signal(SIGQUIT, func);
+    signal(SIGTERM, func);
+    signal(SIGALRM, func);
+    signal(SIGPIPE, HandleSIGPIPE);
+
+    atexit(HandleExit);
+}
+
+#endif /* !WIN32 */
diff --git a/src/common/sqliteWrapper/CMakeLists.txt b/src/common/sqliteWrapper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/sqliteWrapper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/sqliteWrapper/include/sqliteWrapperTemp.h b/src/common/sqliteWrapper/include/sqliteWrapperTemp.h
new file mode 100644
index 0000000000..280df56af9
--- /dev/null
+++ b/src/common/sqliteWrapper/include/sqliteWrapperTemp.h
@@ -0,0 +1,524 @@
+/*
+ * Wazuh DBSYNC
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 26, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SQLITE_WRAPPER_TEMP_H
+#define _SQLITE_WRAPPER_TEMP_H
+
+#include "sqlite3.h"
+#include <string>
+#include <memory>
+#include "makeUnique.h"
+#include "customDeleter.hpp"
+#include <iostream>
+#include <chrono>
+#include <sys/stat.h>
+#include <math.h>
+#include <stdexcept>
+
+using DBSyncExceptionType = const std::pair<int, std::string>;
+
+DBSyncExceptionType FACTORY_INSTANTATION           { std::make_pair(1, "Unspecified type during factory instantiation")         };
+DBSyncExceptionType INVALID_HANDLE                 { std::make_pair(2, "Invalid handle value.")                                 };
+DBSyncExceptionType INVALID_TRANSACTION            { std::make_pair(3, "Invalid transaction value.")                            };
+DBSyncExceptionType SQLITE_CONNECTION_ERROR        { std::make_pair(4, "No connection available for executions.")               };
+DBSyncExceptionType EMPTY_DATABASE_PATH            { std::make_pair(5, "Empty database store path.")                            };
+DBSyncExceptionType EMPTY_TABLE_METADATA           { std::make_pair(6, "Empty table metadata.")                                 };
+DBSyncExceptionType INVALID_PARAMETERS             { std::make_pair(7, "Invalid parameters.")                                   };
+DBSyncExceptionType DATATYPE_NOT_IMPLEMENTED       { std::make_pair(8, "Datatype not implemented.")                             };
+DBSyncExceptionType SQL_STMT_ERROR                 { std::make_pair(9, "Invalid SQL statement.")                                };
+DBSyncExceptionType INVALID_PK_DATA                { std::make_pair(10, "Primary key not found.")                               };
+DBSyncExceptionType INVALID_COLUMN_TYPE            { std::make_pair(11, "Invalid column field type.")                           };
+DBSyncExceptionType INVALID_DATA_BIND              { std::make_pair(12, "Invalid data to bind.")                                };
+DBSyncExceptionType INVALID_TABLE                  { std::make_pair(13, "Invalid table.")                                       };
+DBSyncExceptionType INVALID_DELETE_INFO            { std::make_pair(14, "Invalid information provided for deletion.")           };
+DBSyncExceptionType BIND_FIELDS_DOES_NOT_MATCH     { std::make_pair(15, "Invalid information provided for statement creation.") };
+DBSyncExceptionType STEP_ERROR_CREATE_STMT         { std::make_pair(16, "Error creating table.")                                };
+DBSyncExceptionType STEP_ERROR_ADD_STATUS_FIELD    { std::make_pair(17, "Error adding status field.")                           };
+DBSyncExceptionType STEP_ERROR_UPDATE_STATUS_FIELD { std::make_pair(18, "Error updating status field.")                         };
+DBSyncExceptionType STEP_ERROR_DELETE_STATUS_FIELD { std::make_pair(19, "Error deleting status field.")                         };
+DBSyncExceptionType DELETE_OLD_DB_ERROR            { std::make_pair(20, "Error deleting old db.")                               };
+DBSyncExceptionType MIN_ROW_LIMIT_BELOW_ZERO       { std::make_pair(21, "Invalid row limit, values below 0 not allowed.")       };
+DBSyncExceptionType ERROR_COUNT_MAX_ROWS           { std::make_pair(22, "Count is less than 0.")                                };
+
+namespace DbSync
+{
+    /**
+     *   This class should be used by concrete types to report errors.
+    */
+    class dbsync_error : public std::exception
+    {
+        public:
+            __attribute__((__returns_nonnull__))
+            const char* what() const noexcept override
+            {
+                return m_error.what();
+            }
+
+            int id() const noexcept
+            {
+                return m_id;
+            }
+
+            dbsync_error(const int id,
+                         const std::string& whatArg)
+                : m_id{ id }
+                , m_error{ whatArg }
+            {}
+
+            explicit dbsync_error(const std::pair<int, std::string>& exceptionInfo)
+                : m_id{ exceptionInfo.first }
+                , m_error{ exceptionInfo.second }
+            {}
+
+        private:
+            /// an exception object as storage for error messages
+            const int m_id;
+            std::runtime_error m_error;
+    };
+
+    /**
+     *   This class should be used by concrete types to report errors.
+    */
+    class max_rows_error : public std::exception
+    {
+        public:
+            __attribute__((__returns_nonnull__))
+            const char* what() const noexcept override
+            {
+                return m_error.what();
+            }
+
+            explicit max_rows_error(const std::string& whatArg)
+                : m_error{ whatArg }
+            {}
+
+        private:
+            /// an exception object as storage for error messages
+            std::runtime_error m_error;
+    };
+}
+
+constexpr auto DB_DEFAULT_PATH {"temp.db"};
+constexpr auto DB_MEMORY {":memory:"};
+constexpr auto DB_PERMISSIONS
+{
+    0640
+};
+
+
+namespace SQLite
+{
+    const constexpr auto MAX_ROWS_ERROR_STRING {"Too Many Rows."};
+
+    class sqlite_error : public DbSync::dbsync_error
+    {
+        public:
+            explicit sqlite_error(const std::pair<const int, const std::string>& exceptionInfo)
+                : DbSync::dbsync_error
+            {
+                exceptionInfo.first, "sqlite: " + exceptionInfo.second
+            }
+            {}
+    };
+
+    class IConnection
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IConnection() = default;
+            // LCOV_EXCL_STOP
+            virtual void close() = 0;
+            virtual void execute(const std::string& query) = 0;
+            virtual int64_t changes() const = 0;
+            virtual const std::shared_ptr<sqlite3>& db() const = 0;
+    };
+
+    class ITransaction
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~ITransaction() = default;
+            // LCOV_EXCL_STOP
+            virtual void commit() = 0;
+            virtual void rollback() = 0;
+    };
+
+    class IColumn
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IColumn() = default;
+            // LCOV_EXCL_STOP
+            virtual int32_t type() const = 0;
+            virtual std::string name() const = 0;
+            virtual bool hasValue() const = 0;
+            virtual int32_t value(const int32_t&) const = 0;
+            virtual uint64_t value(const uint64_t&) const = 0;
+            virtual int64_t value(const int64_t&) const = 0;
+            virtual std::string value(const std::string&) const = 0;
+            virtual double_t value(const double_t&) const = 0;
+    };
+
+    class IStatement
+    {
+        public:
+            // LCOV_EXCL_START
+            virtual ~IStatement() = default;
+            // LCOV_EXCL_STOP
+            virtual int32_t step() = 0;
+            virtual void bind(const int32_t index, const int32_t value) = 0;
+            virtual void bind(const int32_t index, const uint64_t value) = 0;
+            virtual void bind(const int32_t index, const int64_t value) = 0;
+            virtual void bind(const int32_t index, const std::string& value) = 0;
+            virtual void bind(const int32_t index, const double_t value) = 0;
+            virtual int columnsCount() const = 0;
+
+            virtual std::string expand() = 0;
+
+            virtual std::unique_ptr<IColumn> column(const int32_t index) = 0;
+            virtual void reset() = 0;
+
+    };
+
+}//namespace SQLite
+
+using namespace SQLite;
+using ExpandedSQLPtr = std::unique_ptr<char, CustomDeleter<decltype(&sqlite3_free), sqlite3_free>>;
+
+static void checkSqliteResult(const int result,
+                              const std::string& exceptionString)
+{
+    if (SQLITE_OK != result)
+    {
+        throw sqlite_error
+        {
+            std::make_pair(result, exceptionString)
+        };
+    }
+}
+
+static sqlite3* openSQLiteDb(const std::string& path, const int flags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE)
+{
+    sqlite3* pDb{ nullptr };
+    const auto result
+    {
+        sqlite3_open_v2(path.c_str(), &pDb, flags, nullptr)
+    };
+    checkSqliteResult(result, "Unspecified type during initialization of SQLite.");
+    return pDb;
+}
+
+static sqlite3_stmt* prepareSQLiteStatement(std::shared_ptr<IConnection>& connection,
+                                            const std::string& query)
+{
+    sqlite3_stmt* pStatement{ nullptr };
+    const auto result
+    {
+        sqlite3_prepare_v2(connection->db().get(), query.c_str(), -1, &pStatement, nullptr)
+    };
+    checkSqliteResult(result, sqlite3_errmsg(connection->db().get()));
+    return pStatement;
+}
+
+namespace SQLite
+{
+    class Connection : public IConnection
+    {
+        public:
+            ~Connection() = default;
+
+            explicit Connection(const std::string& path)
+                : m_db{ openSQLiteDb(path), [](sqlite3 * p)
+            {
+                sqlite3_close_v2(p);
+            } }
+            {
+#ifndef _WIN32
+
+                if (path.compare(DB_MEMORY) != 0)
+                {
+                    const auto result { chmod(path.c_str(), DB_PERMISSIONS) };
+
+                    if (result != 0)
+                    {
+                        throw sqlite_error
+                        {
+                            std::make_pair(result, "Error changing permissions of SQLite database.")
+                        };
+                    }
+
+                    m_db.reset(openSQLiteDb(path, SQLITE_OPEN_READWRITE), [](sqlite3 * p)
+                    {
+                        sqlite3_close_v2(p);
+                    });
+                }
+
+#endif
+            }
+
+            void close()
+            {
+                m_db.reset();
+            }
+
+            const std::shared_ptr<sqlite3>& db() const
+            {
+                return m_db;
+            }
+
+            Connection()
+                : Connection(DB_DEFAULT_PATH)
+            {}
+
+            void execute(const std::string& query)
+            {
+                if (!m_db)
+                {
+                    throw sqlite_error
+                    {
+                        SQLITE_CONNECTION_ERROR
+                    };
+                }
+
+                const auto result
+                {
+                    sqlite3_exec(m_db.get(), query.c_str(), 0, 0, nullptr)
+                };
+
+                checkSqliteResult(result, query + ". " + sqlite3_errmsg(m_db.get()));
+            }
+
+            int64_t changes() const
+            {
+                return sqlite3_changes(m_db.get());
+            }
+        private:
+            std::shared_ptr<sqlite3> m_db;
+    };
+
+    class Transaction : public ITransaction
+    {
+        public:
+            ~Transaction()
+            {
+                try
+                {
+                    if (!m_rolledBack && !m_commited)
+                    {
+                        m_connection->execute("ROLLBACK TRANSACTION");
+                    }
+                }
+                //dtor should never throw
+                // LCOV_EXCL_START
+                catch (...)
+                {}
+
+                // LCOV_EXCL_STOP
+            }
+
+            explicit Transaction(std::shared_ptr<IConnection>& connection)
+                : m_connection{ connection }
+                , m_rolledBack{ false }
+                , m_commited{ false }
+            {
+                m_connection->execute("BEGIN TRANSACTION");
+            }
+
+            void commit()
+            {
+                if (!m_rolledBack && !m_commited)
+                {
+                    m_connection->execute("COMMIT TRANSACTION");
+                    m_commited = true;
+                }
+            }
+
+            void rollback()
+            {
+                try
+                {
+                    if (!m_rolledBack && !m_commited)
+                    {
+                        m_rolledBack = true;
+                        m_connection->execute("ROLLBACK TRANSACTION");
+                    }
+                }
+                //rollback can be called in a catch statement to unwind things so it shouldn't throw
+                // LCOV_EXCL_START
+                catch (...)
+                {}
+
+                // LCOV_EXCL_STOP
+            }
+
+            bool isCommited() const
+            {
+                return m_commited;
+            }
+
+            bool isRolledBack() const
+            {
+                return m_rolledBack;
+            }
+        private:
+            std::shared_ptr<IConnection> m_connection;
+            bool m_rolledBack;
+            bool m_commited;
+    };
+
+    class Column : public IColumn
+    {
+        public:
+            ~Column() = default;
+            Column(std::shared_ptr<sqlite3_stmt>& stmt,
+                   const int32_t index)
+                : m_stmt{ stmt }
+                , m_index{ index }
+            {}
+            bool hasValue() const
+            {
+                return SQLITE_NULL != sqlite3_column_type(m_stmt.get(), m_index);
+            }
+            int32_t type() const
+            {
+                return sqlite3_column_type(m_stmt.get(), m_index);
+            }
+            std::string name() const
+            {
+                return sqlite3_column_name(m_stmt.get(), m_index);
+            }
+            int32_t value(const int32_t&) const
+            {
+                return sqlite3_column_int(m_stmt.get(), m_index);
+            }
+            uint64_t value(const uint64_t&) const
+            {
+                return sqlite3_column_int64(m_stmt.get(), m_index);
+            }
+            int64_t value(const int64_t&) const
+            {
+                return sqlite3_column_int64(m_stmt.get(), m_index);
+            }
+            double_t value(const double_t&) const
+            {
+                return sqlite3_column_double(m_stmt.get(), m_index);
+            }
+            std::string value(const std::string&) const
+            {
+                const auto str { reinterpret_cast<const char*>(sqlite3_column_text(m_stmt.get(), m_index)) };
+                return nullptr != str ? str : "";
+            }
+        private:
+            std::shared_ptr<sqlite3_stmt> m_stmt;
+            const int32_t m_index;
+    };
+
+    class Statement : public IStatement
+    {
+        public:
+            ~Statement() = default;
+            Statement(std::shared_ptr<IConnection>& connection,
+                      const std::string& query)
+                : m_connection{ connection }
+                , m_stmt{ prepareSQLiteStatement(m_connection, query), [](sqlite3_stmt * p)
+            {
+                sqlite3_finalize(p);
+            } }
+            , m_bindParametersCount{ sqlite3_bind_parameter_count(m_stmt.get()) }
+            , m_bindParametersIndex{ 0 }
+            {}
+
+            int32_t step()
+            {
+                auto ret { SQLITE_ERROR };
+
+                if (m_bindParametersIndex == m_bindParametersCount)
+                {
+                    ret = sqlite3_step(m_stmt.get());
+
+                    if (SQLITE_ROW != ret && SQLITE_DONE != ret)
+                    {
+                        checkSqliteResult(ret, sqlite3_errmsg(m_connection->db().get()));
+                    }
+                }
+
+                return ret;
+            }
+
+            void reset()
+            {
+                sqlite3_reset(m_stmt.get());
+                m_bindParametersIndex = 0;
+            }
+
+            void bind(const int32_t index, const int32_t value)
+            {
+                const auto result{ sqlite3_bind_int(m_stmt.get(), index, value) };
+                checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+                ++m_bindParametersIndex;
+            }
+            void bind(const int32_t index, const uint64_t value)
+            {
+                const auto result{ sqlite3_bind_int64(m_stmt.get(), index, value) };
+                checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+                ++m_bindParametersIndex;
+            }
+            void bind(const int32_t index, const int64_t value)
+            {
+                const auto result{ sqlite3_bind_int64(m_stmt.get(), index, value) };
+                checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+                ++m_bindParametersIndex;
+            }
+            void bind(const int32_t index, const std::string& value)
+            {
+                const auto result
+                {
+                    sqlite3_bind_text(m_stmt.get(),
+                                      index,
+                                      value.c_str(),
+                                      value.length(),
+                                      SQLITE_TRANSIENT)
+                };
+                checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+                ++m_bindParametersIndex;
+            }
+            void bind(const int32_t index, const double_t value)
+            {
+                const auto result{ sqlite3_bind_double(m_stmt.get(), index, value) };
+                checkSqliteResult(result, sqlite3_errmsg(m_connection->db().get()));
+                ++m_bindParametersIndex;
+            }
+
+            // LCOV_EXCL_START
+            std::string expand()
+            {
+                return ExpandedSQLPtr(sqlite3_expanded_sql(m_stmt.get())).get();
+            }
+            // LCOV_EXCL_STOP
+
+            std::unique_ptr<IColumn> column(const int32_t index)
+            {
+                return std::make_unique<SQLite::Column>(m_stmt, index);
+            }
+
+            int columnsCount() const
+            {
+                return sqlite3_column_count(m_stmt.get());
+            }
+        private:
+            std::shared_ptr<IConnection> m_connection;
+            std::shared_ptr<sqlite3_stmt> m_stmt;
+            const int m_bindParametersCount;
+            int m_bindParametersIndex;
+    };
+}
+
+#endif // _SQLITE_WRAPPER_TEMP_H
diff --git a/src/modules/github/include/github.h b/src/common/store_op/CMakeLists.txt
similarity index 100%
rename from src/modules/github/include/github.h
rename to src/common/store_op/CMakeLists.txt
diff --git a/src/common/store_op/include/store_op.h b/src/common/store_op/include/store_op.h
new file mode 100644
index 0000000000..e990e27577
--- /dev/null
+++ b/src/common/store_op/include/store_op.h
@@ -0,0 +1,52 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Common list API */
+
+#ifndef OS_STORE
+#define OS_STORE
+
+/* Store node */
+typedef struct _OSStoreNode {
+    struct _OSStoreNode *next;
+    struct _OSStoreNode *prev;
+    void *data;
+    char *key;
+    size_t key_size;
+} OSStoreNode;
+
+/* Store list */
+typedef struct _OSStore {
+    OSStoreNode *first_node;
+    OSStoreNode *last_node;
+    OSStoreNode *cur_node;
+
+    int currently_size;
+    int max_size;
+
+    void (*free_data_function)(void *data);
+} OSStore;
+
+OSStore *OSStore_Create(void);
+OSStore *OSStore_Free(OSStore *list) __attribute__((nonnull));
+
+int OSStore_Put(OSStore *list, const char *key, void *data) __attribute__((nonnull(1, 2)));
+int OSStore_Check(OSStore *list, const char *key) __attribute__((nonnull));
+int OSStore_NCheck(OSStore *list, const char *key) __attribute__((nonnull));
+int OSStore_NCaseCheck(OSStore *list, const char *key) __attribute__((nonnull));
+int OSStore_GetPosition(OSStore *list, const char *key) __attribute__((nonnull));
+void *OSStore_Get(OSStore *list, const char *key) __attribute__((nonnull));
+OSStoreNode *OSStore_GetFirstNode(OSStore *list) __attribute__((nonnull));
+int OSStore_Sort(OSStore *list, void *(sort_data_function)(void *d1, void *d2)) __attribute__((nonnull));
+
+int OSStore_SetMaxSize(OSStore *list, int max_size);
+int OSStore_SetFreeDataPointer(OSStore *list, void (free_data_function)(void *));
+
+#endif /* OS_STORE */
diff --git a/src/common/store_op/src/store_op.c b/src/common/store_op/src/store_op.c
new file mode 100644
index 0000000000..aa7d2e2c17
--- /dev/null
+++ b/src/common/store_op/src/store_op.c
@@ -0,0 +1,384 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Common API for dealing with ordered lists
+ * Provides a fast search on average (n/2)
+ */
+
+#include "shared.h"
+
+
+/* Create the list storage
+ * Returns NULL on error
+ */
+OSStore *OSStore_Create()
+{
+    OSStore *my_list;
+
+    my_list = (OSStore *) calloc(1, sizeof(OSStore));
+    if (!my_list) {
+        return (NULL);
+    }
+
+    my_list->first_node = NULL;
+    my_list->last_node = NULL;
+    my_list->cur_node = NULL;
+    my_list->currently_size = 0;
+    my_list->max_size = 0;
+    my_list->free_data_function = NULL;
+
+    return (my_list);
+}
+
+/* Delete the list storage
+ * Returns NULL on error
+ */
+OSStore *OSStore_Free(OSStore *list)
+{
+    OSStoreNode *delnode;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if (list->cur_node->key) {
+            free(list->cur_node->key);
+            list->cur_node->key = NULL;
+        }
+        if (list->cur_node->data) {
+            free(list->cur_node->data);
+            list->cur_node->data = NULL;
+        }
+
+        /* Delete each node */
+        delnode = list->cur_node;
+        list->cur_node = list->cur_node->next;
+        free(delnode);
+    }
+
+    list->first_node = NULL;
+    list->last_node = NULL;
+
+    free(list);
+    list = NULL;
+
+    return (list);
+}
+
+/* Set the maximum number of elements in the storage
+ * Returns 0 on error or 1 on success
+ */
+int OSStore_SetMaxSize(OSStore *list, int max_size)
+{
+    if (!list) {
+        return (0);
+    }
+
+    /* Minimum size is 1 */
+    if (max_size <= 1) {
+        return (0);
+    }
+
+    list->max_size = max_size;
+
+    return (1);
+}
+
+/* Set the pointer to the function to free the memory data */
+int OSStore_SetFreeDataPointer(OSStore *list, void (free_data_function)(void *))
+{
+    if (!list) {
+        return (0);
+    }
+
+    list->free_data_function = free_data_function;
+    return (1);
+}
+
+/* Sort the storage by size */
+int OSStore_Sort(OSStore *list, void *(sort_data_function)(void *d1, void *d2))
+{
+    OSStoreNode *newnode = NULL;
+    OSStoreNode *movenode = NULL;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        movenode = list->cur_node->prev;
+
+        /* Check for all the previous entries, using sort */
+        while (movenode) {
+
+            if (sort_data_function(list->cur_node->data, movenode->data)) {
+                movenode = movenode->prev;
+            }
+
+            /* This node should stay where it is */
+            else if (movenode == list->cur_node->prev) {
+                break;
+            }
+
+            /* Replace the nodes */
+            else {
+                newnode = list->cur_node;
+
+                if (list->cur_node->prev) {
+                    list->cur_node->prev->next = list->cur_node->next;
+                }
+
+                if (list->cur_node->next) {
+                    list->cur_node->next->prev = list->cur_node->prev;
+                } else {
+                    list->last_node = list->cur_node->prev;
+                }
+
+                list->cur_node = list->cur_node->prev;
+
+                newnode->next = movenode->next;
+                newnode->prev = movenode;
+
+                if (movenode->next) {
+                    movenode->next->prev = newnode;
+                }
+
+                movenode->next = newnode;
+
+                break;
+            }
+        }
+
+        /* If movenode is not set, put the current node in first */
+        if (!movenode && (list->cur_node != list->first_node)) {
+            newnode = list->cur_node;
+
+            if (list->cur_node->prev) {
+                list->cur_node->prev->next = list->cur_node->next;
+            }
+
+            if (list->cur_node->next) {
+                list->cur_node->next->prev = list->cur_node->prev;
+            } else {
+                list->last_node = list->cur_node->prev;
+            }
+
+            if ((list->cur_node = list->cur_node->prev) == NULL) {
+                return (1);
+            }
+
+            newnode->prev = NULL;
+            newnode->next = list->first_node;
+            list->first_node->prev = newnode;
+
+            list->first_node = newnode;
+        }
+
+        list->cur_node = list->cur_node->next;
+    }
+
+    return (1);
+}
+
+/* Get key position from storage
+ * Returns 0 if not present or the key if available
+ * (position may change after each PUT)
+ */
+int OSStore_GetPosition(OSStore *list, const char *key)
+{
+    int chk_rc, pos = 1;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if ((chk_rc = strcmp(list->cur_node->key, key)) >= 0) {
+            /* Found */
+            if (chk_rc == 0) {
+                return (pos);
+            }
+
+            /* Not found */
+            return (0);
+        }
+
+        list->cur_node = list->cur_node->next;
+        pos++;
+    }
+    return (0);
+}
+
+/* Get first node from storage
+ * Returns NULL if not present
+ */
+OSStoreNode *OSStore_GetFirstNode(OSStore *list)
+{
+    return (list->first_node);
+}
+
+/* Get data from storage
+ * Returns NULL if not present
+ */
+void *OSStore_Get(OSStore *list, const char *key)
+{
+    int chk_rc;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if ((chk_rc = strcmp(list->cur_node->key, key)) >= 0) {
+            /* Found */
+            if (chk_rc == 0) {
+                return (list->cur_node->data);
+            }
+
+            /* Not found */
+            return (NULL);
+        }
+
+        list->cur_node = list->cur_node->next;
+    }
+    return (NULL);
+}
+
+/* Check if key is present on storage
+ * Returns 0 if not present
+ */
+int OSStore_Check(OSStore *list, const char *key)
+{
+    int chk_rc;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if ((chk_rc = strcmp(list->cur_node->key, key)) >= 0) {
+            /* Found */
+            if (chk_rc == 0) {
+                return (1);
+            }
+
+            /* Not found */
+            return (0);
+        }
+
+        list->cur_node = list->cur_node->next;
+    }
+    return (0);
+}
+
+/* Check if key is present on storage (using strncmp)
+ * Returns 0 if not present
+ */
+int OSStore_NCheck(OSStore *list, const char *key)
+{
+    int chk_rc;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if ((chk_rc = strncmp(list->cur_node->key, key,
+                              list->cur_node->key_size)) >= 0) {
+            /* Found */
+            if (chk_rc == 0) {
+                return (1);
+            }
+
+            /* Not found */
+            return (0);
+        }
+
+        list->cur_node = list->cur_node->next;
+    }
+    return (0);
+}
+
+/* Check if key is present on storage (case insensitive)
+ * Returns 0 if not present
+ */
+int OSStore_NCaseCheck(OSStore *list, const char *key)
+{
+    int chk_rc;
+    list->cur_node = list->first_node;
+
+    while (list->cur_node) {
+        if (chk_rc = strncasecmp(list->cur_node->key, key,
+                                 list->cur_node->key_size), chk_rc == 0) {
+            return (1);
+        }
+
+        list->cur_node = list->cur_node->next;
+    }
+    return (0);
+}
+
+/* Add data to the list
+ * Returns 1 on success and 0 on failure
+ */
+int OSStore_Put(OSStore *list, const char *key, void *data)
+{
+    int chk_rc;
+    OSStoreNode *newnode;
+
+    /* Allocate memory for new node */
+    newnode = (OSStoreNode *) calloc(1, sizeof(OSStoreNode));
+    if (!newnode) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        return (0);
+    }
+
+    newnode->prev = NULL;
+    newnode->next = NULL;
+    newnode->data = data;
+    newnode->key = strdup(key);
+    if (!newnode->key) {
+        free(newnode);
+        merror(MEM_ERROR, errno, strerror(errno));
+        return (0);
+    }
+    newnode->key_size = strlen(key);
+
+    /* If we don't have first node, assign it */
+    if (!list->first_node) {
+        list->first_node = newnode;
+        list->last_node = newnode;
+    }
+
+    /* Store the data in order */
+    else {
+        list->cur_node = list->first_node;
+        while (list->cur_node) {
+            if ((chk_rc = strcmp(list->cur_node->key, key)) >= 0) {
+                /* Duplicate entry */
+                if (chk_rc == 0) {
+                    free(newnode->key);
+                    free(newnode);
+                    return (1);
+                }
+
+                /* If there is no prev node, this is the first node */
+                if (list->cur_node->prev) {
+                    list->cur_node->prev->next = newnode;
+                } else {
+                    list->first_node = newnode;
+                }
+
+                newnode->prev = list->cur_node->prev;
+
+                list->cur_node->prev = newnode;
+                newnode->next = list->cur_node;
+                break;
+            }
+
+            list->cur_node = list->cur_node->next;
+        }
+
+        /* New node is the higher key */
+        if (!newnode->next) {
+            list->last_node->next = newnode;
+            newnode->prev = list->last_node;
+            list->last_node = newnode;
+        }
+    }
+
+    /* Increment list size */
+    list->currently_size++;
+
+    return (1);
+}
diff --git a/src/common/stringHelper/CMakeLists.txt b/src/common/stringHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/stringHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/stringHelper/include/stringHelper.h b/src/common/stringHelper/include/stringHelper.h
new file mode 100644
index 0000000000..28dfb807a9
--- /dev/null
+++ b/src/common/stringHelper/include/stringHelper.h
@@ -0,0 +1,463 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 11, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _STRING_HELPER_H
+#define _STRING_HELPER_H
+
+#include <algorithm>
+#include <iomanip>
+#include <memory>
+#include <regex>
+#include <sstream>
+#include <string>
+#include <vector>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+// Time values for conversion
+#define W_WEEK_SECONDS   604800
+#define W_DAY_SECONDS    86400
+#define W_HOUR_SECONDS   3600
+#define W_MINUTE_SECONDS 60
+
+namespace Utils
+{
+    static void ISO8859ToUTF8(std::string& data)
+    {
+        // Convert from ISO-8859-1 to UTF-8
+        std::string strOut;
+        // 0xc0 is 11000000 in binary, used to mask the first 2 bits of the character of a 2-byte sequence
+        constexpr auto UTF8_2BYTE_SEQ {0xc0};
+        // 6 is the number of bits to shift the character to the right
+        constexpr auto UTF8_2BYTE_SEQ_VALUE_LEN {6};
+        // 0x80 is 10000000 in binary, is the first code point of a 2-byte sequence
+        constexpr auto UTF8_2BYTE_FIRST_CODE_VALUE {0x80};
+        // 0x3f is 00111111 in binary, used to mask the last 6 bits of the character of a 2-byte sequence
+        constexpr auto UTF8_2BYTE_MASK {0x3f};
+
+        for (auto it = data.begin(); it != data.end(); ++it)
+        {
+            const uint8_t ch = *it;
+
+            // ASCII character
+            if (ch < UTF8_2BYTE_FIRST_CODE_VALUE)
+            {
+                strOut.push_back(ch);
+            }
+            // Extended ASCII
+            else
+            {
+                // 2-byte sequence
+                // 110xxxxx
+                strOut.push_back(UTF8_2BYTE_SEQ | ch >> UTF8_2BYTE_SEQ_VALUE_LEN);
+                // 10xxxxxx
+                strOut.push_back(UTF8_2BYTE_FIRST_CODE_VALUE | (ch & UTF8_2BYTE_MASK));
+            }
+        }
+
+        data = strOut;
+    }
+
+    static bool replaceAll(std::string& data, const std::string& toSearch, const std::string& toReplace)
+    {
+        auto pos {data.find(toSearch)};
+        const auto ret {std::string::npos != pos};
+
+        while (std::string::npos != pos)
+        {
+            data.replace(pos, toSearch.size(), toReplace);
+            pos = data.find(toSearch, pos);
+        }
+
+        return ret;
+    }
+
+    static bool replaceFirst(std::string& data, const std::string& toSearch, const std::string& toReplace)
+    {
+        auto pos {data.find(toSearch)};
+        auto ret {false};
+
+        if (std::string::npos != pos)
+        {
+            data.replace(pos, toSearch.size(), toReplace);
+            ret = true;
+        }
+
+        return ret;
+    }
+
+    static std::string leftTrim(const std::string& str, const std::string& args = " ")
+    {
+        const auto pos {str.find_first_not_of(args)};
+
+        if (pos != std::string::npos)
+        {
+            return str.substr(pos);
+        }
+        else
+        {
+            return "";
+        }
+
+        return str;
+    }
+
+    static std::string rightTrim(const std::string& str, const std::string& args = " ")
+    {
+        const auto pos {str.find_last_not_of(args)};
+
+        if (pos != std::string::npos)
+        {
+            return str.substr(0, pos + 1);
+        }
+        else
+        {
+            return "";
+        }
+
+        return str;
+    }
+
+    static std::string trim(const std::string& str, const std::string& args = " ")
+    {
+        return leftTrim(rightTrim(str, args), args);
+    }
+
+    static std::vector<std::string> split(const std::string& str, const char delimiter)
+    {
+        std::vector<std::string> tokens;
+        std::string token;
+        std::istringstream tokenStream {str};
+
+        while (std::getline(tokenStream, token, delimiter))
+        {
+            tokens.push_back(token);
+        }
+
+        return tokens;
+    }
+
+    static std::string splitIndex(const std::string& str, const char delimiter, const size_t index)
+    {
+        std::string retVal;
+        const auto& splitResult {split(str, delimiter)};
+
+        if (index < splitResult.size())
+        {
+            retVal = splitResult.at(index);
+        }
+        else
+        {
+            throw std::runtime_error("Invalid index to get values.");
+        }
+
+        return retVal;
+    }
+
+    static std::vector<std::string> splitNullTerminatedStrings(const char* buffer)
+    {
+        constexpr auto NULL_TERMINATED_DELIMITER {'\0'};
+        std::vector<std::string> ret;
+
+        while (buffer[0] != NULL_TERMINATED_DELIMITER)
+        {
+            const std::string token(buffer);
+
+            if (!token.empty())
+            {
+                ret.push_back(token);
+            }
+
+            buffer += token.size() + 1;
+        }
+
+        return ret;
+    }
+
+    static void
+    splitMapKeyValue(const std::string& str, const char delimiter, std::map<std::string, std::string>& mapResult)
+    {
+        constexpr auto NEWLINE_DELIMITER {'\n'};
+        std::string line;
+        std::vector<std::string> lineKeyValue;
+        std::istringstream strStream {str};
+
+        mapResult.clear();
+
+        while (std::getline(strStream, line, NEWLINE_DELIMITER))
+        {
+            size_t delimiterPos = line.find_first_of(delimiter);
+
+            if (delimiterPos == std::string::npos)
+            {
+                continue;
+            }
+
+            mapResult.insert(std::pair<std::string, std::string>(trim(line.substr(0, delimiterPos), " \"\t"),
+                                                                 trim(line.substr(delimiterPos + 1), " \"\t")));
+        }
+    }
+
+    static std::string asciiToHex(const std::vector<unsigned char>& asciiData)
+    {
+        std::string ret;
+        std::stringstream ss;
+
+        for (const auto& val : asciiData)
+        {
+            ss << std::hex << std::setfill('0') << std::setw(2) << static_cast<unsigned int>(val);
+        }
+
+        if (ss.good())
+        {
+            ret = ss.str();
+        }
+        // LCOV_EXCL_START
+        else
+        {
+            const auto size {asciiData.size() * 2};
+            const auto buffer {std::make_unique<char[]>(size + 1)};
+            char* output {buffer.get()};
+
+            for (const auto& value : asciiData)
+            {
+                snprintf(output, 3, "%02x", value);
+                output += 2;
+            }
+
+            ret = std::string {buffer.get(), size};
+        }
+
+        // LCOV_EXCL_STOP
+        return ret;
+    }
+
+    static std::string toUpperCase(const std::string& str)
+    {
+        std::string temp {str};
+        std::transform(std::begin(temp),
+                       std::end(temp),
+                       std::begin(temp),
+                       [](std::string::value_type character) { return std::toupper(character); });
+        return temp;
+    }
+
+    static std::string toLowerCase(const std::string& str)
+    {
+        std::string temp {str};
+        std::transform(std::begin(temp),
+                       std::end(temp),
+                       std::begin(temp),
+                       [](std::string::value_type character) { return std::tolower(character); });
+        return temp;
+    }
+
+    static bool haveUpperCaseCharacters(const std::string& str)
+    {
+        return std::any_of(
+            std::begin(str), std::end(str), [](std::string::value_type character) { return std::isupper(character); });
+    }
+
+    static std::string toSentenceCase(const std::string& str)
+    {
+        std::string temp;
+        if (!str.empty())
+        {
+            temp = toLowerCase(str);
+            *temp.begin() = static_cast<char>(std::toupper(*str.begin()));
+        }
+        return temp;
+    }
+
+    static bool startsWith(const std::string& str, const std::string& start)
+    {
+        if (!str.empty() && str.length() >= start.length())
+        {
+            return str.compare(0, start.length(), start) == 0;
+        }
+
+        return false;
+    }
+
+    static bool endsWith(const std::string& str, const std::string& ending)
+    {
+        if (!str.empty() && str.length() >= ending.length())
+        {
+            const auto endLength {ending.length()};
+            const auto token {str.substr(str.length() - endLength, endLength)};
+            return token == ending;
+        }
+
+        return false;
+    }
+
+    static std::string substrOnFirstOccurrence(const std::string& str, const std::string& args = " ")
+    {
+        const auto pos {str.find(args)};
+
+        if (pos != std::string::npos)
+        {
+            return str.substr(0, pos);
+        }
+
+        return str;
+    }
+
+    static std::pair<std::string, std::string>
+    splitKeyValueNonEscapedDelimiter(const std::string& str, const char delimiter, const char escapeChar)
+    {
+        std::pair<std::string, std::string> retVal {std::make_pair(str, "")};
+        const auto findText {std::string {escapeChar} + std::string {delimiter}};
+        auto found {str.find_first_of(findText)};
+        constexpr auto DELIMITER_ESCAPE_LENGTH {2};
+
+        while (std::string::npos != found)
+        {
+            if (str.at(found) == delimiter)
+            {
+                retVal = std::make_pair(str.substr(0, found), str.substr(found + 1));
+                break;
+            }
+
+            found = str.find_first_of(findText, found + DELIMITER_ESCAPE_LENGTH);
+        }
+
+        return retVal;
+    }
+
+    static bool findRegexInString(const std::string& in,
+                                  std::string& match,
+                                  const std::regex& pattern,
+                                  const size_t matchIndex = 0,
+                                  const std::string& start = "")
+    {
+        bool ret {false};
+
+        if (start.empty() || startsWith(in, start))
+        {
+            std::smatch sm;
+            ret = std::regex_search(in, sm, pattern);
+
+            if (ret && sm.size() >= matchIndex)
+            {
+                match = sm[matchIndex];
+            }
+        }
+
+        return ret;
+    }
+
+    /**
+     * @brief Checks that the string is alphanumeric and contains all of the special characters passed as argument.
+     *
+     * @param str Original string.
+     * @param specialCharacters Special characters string.
+     * @return true
+     * @return false
+     */
+    static bool isAlphaNumericWithSpecialCharacters(const std::string& str, const std::string& specialCharacters)
+    {
+        return str.compare("") != 0 ? std::all_of(std::begin(str),
+                                                  std::end(str),
+                                                  [&specialCharacters](const auto& character) {
+                                                      return std::isalnum(character) ||
+                                                             specialCharacters.find(character) != std::string::npos;
+                                                  })
+                                    : false;
+    }
+
+    static bool isNumber(const std::string& str)
+    {
+        std::string::const_iterator it = str.begin();
+
+        while (it != str.end() && std::isdigit(*it)) ++it;
+
+        return !str.empty() && it == str.end();
+    }
+
+    static bool parseStrToBool(const std::string& str)
+    {
+        if (str.compare("yes") == 0)
+        {
+            return true;
+        }
+        else if (str.compare("no") == 0)
+        {
+            return false;
+        }
+        else
+        {
+            throw std::runtime_error("Invalid input.");
+        }
+    }
+
+    static long parseStrToTime(const std::string& str)
+    {
+        std::size_t pos;
+        try
+        {
+            auto seconds {std::stol(str, &pos)};
+
+            if (seconds < 0)
+            {
+                return -1;
+            }
+
+            if (isNumber(str))
+            {
+                return seconds;
+            }
+
+            switch (str.at(pos))
+            {
+                case '\0': break;
+                case 'w': seconds *= W_WEEK_SECONDS; break;
+                case 'd': seconds *= W_DAY_SECONDS; break;
+                case 'h': seconds *= W_HOUR_SECONDS; break;
+                case 'm': seconds *= W_MINUTE_SECONDS; break;
+                case 's': break;
+                default: return -1;
+            }
+
+            return seconds;
+        }
+        catch (const std::invalid_argument& e)
+        {
+            return -1;
+        }
+    }
+    /**
+     * @brief Add size padding to a string.
+     *
+     * @param str Original string.
+     * @param padCharacter Character to use for padding.
+     * @param minSize Minimum size of the string.
+     * @return std::string Padded string.
+     */
+    static std::string padString(const std::string& str, const char padCharacter, const int64_t minSize)
+    {
+        std::string out;
+        const auto strLength = minSize - static_cast<int64_t>(str.length());
+
+        for (auto i = 0ll; i < strLength; ++i)
+        {
+            out += padCharacter;
+        }
+        out += str;
+        return out;
+    }
+
+} // namespace Utils
+
+#pragma GCC diagnostic pop
+
+#endif // _STRING_HELPER_H
diff --git a/src/common/stringHelper/tests/CMakeLists.txt b/src/common/stringHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..fa11bdbe98
--- /dev/null
+++ b/src/common/stringHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "stringHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/stringHelper/tests/main.cpp b/src/common/stringHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/stringHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/stringHelper/tests/stringHelper_test.cpp b/src/common/stringHelper/tests/stringHelper_test.cpp
new file mode 100644
index 0000000000..8132d1270d
--- /dev/null
+++ b/src/common/stringHelper/tests/stringHelper_test.cpp
@@ -0,0 +1,591 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "stringHelper_test.h"
+#include "stringHelper.h"
+#include <sstream>
+
+void StringUtilsTest::SetUp() {};
+
+void StringUtilsTest::TearDown() {};
+
+TEST_F(StringUtilsTest, CheckReplacement)
+{
+    std::string string_base {"hello_world"};
+    const auto retVal {Utils::replaceAll(string_base, "hello_", "bye_")};
+    EXPECT_EQ(string_base, "bye_world");
+    EXPECT_TRUE(retVal);
+}
+
+TEST_F(StringUtilsTest, CheckNotReplacement)
+{
+    std::string string_base {"hello_world"};
+    const auto retVal {Utils::replaceAll(string_base, "nothing_", "bye_")};
+    EXPECT_EQ(string_base, "hello_world");
+    EXPECT_FALSE(retVal);
+}
+
+TEST_F(StringUtilsTest, SplitEmptyString)
+{
+    auto splitTextVector {Utils::split("", '.')};
+    EXPECT_EQ(0ull, splitTextVector.size());
+}
+
+TEST_F(StringUtilsTest, SplitDelimiterNoCoincidence)
+{
+    const auto splitTextVector {Utils::split("hello_world", '.')};
+    EXPECT_EQ(1ull, splitTextVector.size());
+}
+
+TEST_F(StringUtilsTest, SplitDelimiterCoincidence)
+{
+    const auto splitTextVector {Utils::split("hello.world", '.')};
+    EXPECT_EQ(2ull, splitTextVector.size());
+    EXPECT_EQ(splitTextVector[0], "hello");
+    EXPECT_EQ(splitTextVector[1], "world");
+}
+
+TEST_F(StringUtilsTest, SplitIndex)
+{
+    const auto splitTextVector {Utils::splitIndex("hello.world", '.', 0)};
+    EXPECT_EQ(5ull, splitTextVector.size());
+    EXPECT_EQ(splitTextVector, "hello");
+}
+
+TEST_F(StringUtilsTest, SplitIndexRuntimeError)
+{
+    EXPECT_THROW(Utils::splitIndex("hello.world", '.', 2), std::runtime_error);
+}
+
+TEST_F(StringUtilsTest, AsciiToHexString)
+{
+    const std::vector<unsigned char> data {0x2d, 0x53, 0x3b, 0x9d, 0x9f, 0x0f, 0x06, 0xef, 0x4e, 0x3c,
+                                           0x23, 0xfd, 0x49, 0x6c, 0xfe, 0xb2, 0x78, 0x0e, 0xda, 0x7f};
+    const std::string expected {"2d533b9d9f0f06ef4e3c23fd496cfeb2780eda7f"};
+    const auto result {Utils::asciiToHex(data)};
+    EXPECT_EQ(expected, result);
+}
+
+TEST_F(StringUtilsTest, CheckFirstReplacement)
+{
+    std::string string_base {"bye_bye"};
+    const auto retVal {Utils::replaceFirst(string_base, "bye", "hello")};
+    EXPECT_EQ(string_base, "hello_bye");
+    EXPECT_TRUE(retVal);
+}
+
+TEST_F(StringUtilsTest, CheckNotFirstReplacement)
+{
+    std::string string_base {"hello_world"};
+    const auto retVal {Utils::replaceFirst(string_base, "nothing_", "bye_")};
+    EXPECT_EQ(string_base, "hello_world");
+    EXPECT_FALSE(retVal);
+}
+
+TEST_F(StringUtilsTest, RightTrim)
+{
+    EXPECT_EQ("Hello", Utils::rightTrim("Hello"));
+    EXPECT_EQ("Hello", Utils::rightTrim("Hello "));
+    EXPECT_EQ("Hello", Utils::rightTrim("Hello  "));
+    EXPECT_EQ("Hello", Utils::rightTrim("Hello            "));
+    EXPECT_EQ(" Hello", Utils::rightTrim(" Hello"));
+    EXPECT_EQ("\tHello", Utils::rightTrim("\tHello\t", "\t"));
+    EXPECT_EQ(" \t\nHello", Utils::rightTrim(" \t\nHello \t\n ", "\t\n "));
+    EXPECT_EQ(" \t\nHello \t\n", Utils::rightTrim(" \t\nHello \t\n "));
+    EXPECT_EQ("", Utils::rightTrim(""));
+    EXPECT_EQ("", Utils::rightTrim(" "));
+    EXPECT_EQ("", Utils::rightTrim("           "));
+}
+
+TEST_F(StringUtilsTest, LeftTrim)
+{
+    EXPECT_EQ("Hello", Utils::leftTrim("Hello"));
+    EXPECT_EQ("Hello", Utils::leftTrim(" Hello"));
+    EXPECT_EQ("Hello", Utils::leftTrim(" Hello"));
+    EXPECT_EQ("Hello", Utils::leftTrim("          Hello"));
+    EXPECT_EQ("Hello\t ", Utils::leftTrim(" \tHello\t ", " \t"));
+    EXPECT_EQ("Hello\t\n ", Utils::leftTrim(" \t\nHello\t\n ", " \t\n"));
+    EXPECT_EQ("\t\nHello\t\n ", Utils::leftTrim(" \t\nHello\t\n "));
+    EXPECT_EQ("", Utils::leftTrim(""));
+    EXPECT_EQ("", Utils::leftTrim(" "));
+    EXPECT_EQ("", Utils::leftTrim("           "));
+}
+
+TEST_F(StringUtilsTest, Trim)
+{
+    EXPECT_EQ("Hello", Utils::trim("Hello"));
+    EXPECT_EQ("Hello", Utils::trim(" Hello "));
+    EXPECT_EQ("Hello", Utils::trim(" Hello "));
+    EXPECT_EQ("Hello", Utils::trim("          Hello      "));
+    EXPECT_EQ("Hello", Utils::trim(" \tHello\t ", " \t"));
+    EXPECT_EQ("Hello", Utils::trim(" \t\nHello\t\n ", " \t\n"));
+    EXPECT_EQ("", Utils::trim(" "));
+    EXPECT_EQ("", Utils::trim("   "));
+}
+
+TEST_F(StringUtilsTest, ToUpperCase)
+{
+    EXPECT_EQ("", Utils::toUpperCase(""));
+    EXPECT_EQ("HELLO WORLD", Utils::toUpperCase("HeLlO WoRlD"));
+    EXPECT_EQ("123", Utils::toUpperCase("123"));
+}
+
+TEST_F(StringUtilsTest, ToLowerCase)
+{
+    EXPECT_EQ("", Utils::toLowerCase(""));
+    EXPECT_EQ("hello world", Utils::toLowerCase("HeLlO WoRlD"));
+    EXPECT_EQ("123", Utils::toLowerCase("123"));
+}
+
+TEST_F(StringUtilsTest, ToSentenceCase)
+{
+    EXPECT_EQ("", Utils::toSentenceCase(""));
+    EXPECT_EQ("H", Utils::toSentenceCase("h"));
+    EXPECT_EQ("Hello", Utils::toSentenceCase("hello"));
+    EXPECT_EQ("Hello", Utils::toSentenceCase("HELLO"));
+    EXPECT_EQ("Hello world", Utils::toSentenceCase("HeLlO WoRlD"));
+    EXPECT_EQ("123", Utils::toSentenceCase("123"));
+}
+
+TEST_F(StringUtilsTest, StartsWith)
+{
+    const std::string start {"Package_"};
+    const std::string item1 {"Package_6_for_KB4565554~31bf3856ad364e35~amd64~~18362.957.1.3"};
+    const std::string item2 {"Package_5_for_KB4569073~31bf3856ad364e35~amd64~~18362.1012.1.1"};
+    const std::string item3 {"Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~~10.0.18362.815"};
+    const std::string item4 {"Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package_31bf3856ad364e35~"
+                             "amd64~~10.0.18362.1139.mum"};
+    EXPECT_TRUE(Utils::startsWith(start, start));
+    EXPECT_TRUE(Utils::startsWith(item1, start));
+    EXPECT_TRUE(Utils::startsWith(item2, start));
+    EXPECT_FALSE(Utils::startsWith("", start));
+    EXPECT_FALSE(Utils::startsWith(item3, start));
+    EXPECT_FALSE(Utils::startsWith(item4, start));
+}
+
+TEST_F(StringUtilsTest, EndsWith)
+{
+    const std::string end {"_package"};
+    const std::string item1 {"KB4565554~31bf3856ad364e35~amd64~~18362.957.1.3_package"};
+    const std::string item2 {"KB4569073~31bf3856ad364e35~amd64~~18362.1012.1.1_package"};
+    const std::string item3 {"Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~~10.0.18362.815"};
+    const std::string item4 {"Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package_31bf3856ad364e35~"
+                             "amd64~~10.0.18362.1139.mum"};
+    EXPECT_TRUE(Utils::endsWith(end, end));
+    EXPECT_TRUE(Utils::endsWith(item1, end));
+    EXPECT_TRUE(Utils::endsWith(item2, end));
+    EXPECT_FALSE(Utils::endsWith("", end));
+    EXPECT_FALSE(Utils::endsWith(item3, end));
+    EXPECT_FALSE(Utils::endsWith(item4, end));
+}
+
+TEST_F(StringUtilsTest, SplitDelimiterNullTerminated)
+{
+    const char buffer[] {'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '\0'};
+    const auto tokens {Utils::splitNullTerminatedStrings(buffer)};
+    EXPECT_EQ(2ull, tokens.size());
+    EXPECT_EQ(tokens[0], "hello");
+    EXPECT_EQ(tokens[1], "world");
+}
+
+TEST_F(StringUtilsTest, SplitMapKeyValue)
+{
+    std::string buffer("PRETTY_NAME=\"Ubuntu 22.04.1 LTS\"\n\
+NAME=\"Ubuntu\"\n\
+VERSION_ID=\"22.04\"\n\
+VERSION=\"22.04.1 LTS (Jammy Jellyfish)\"\n\
+VERSION_CODENAME=jammy\n\
+ID=ubuntu\n\
+ID_LIKE=debian\n\
+HOME_URL=\"https://www.ubuntu.com/\"\n\
+SUPPORT_URL=\"https://help.ubuntu.com/\"\n\
+BUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\n\
+PRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\n\
+UBUNTU_CODENAME=jammy\n");
+    std::map<std::string, std::string> mapResult;
+    Utils::splitMapKeyValue(buffer, '=', mapResult);
+    std::map<std::string, std::string>::iterator itMapResult;
+    EXPECT_NE(itMapResult = mapResult.find("PRETTY_NAME"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "PRETTY_NAME");
+    EXPECT_EQ(itMapResult->second, "Ubuntu 22.04.1 LTS");
+    EXPECT_NE(itMapResult = mapResult.find("NAME"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "NAME");
+    EXPECT_EQ(itMapResult->second, "Ubuntu");
+    EXPECT_NE(itMapResult = mapResult.find("VERSION_ID"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "VERSION_ID");
+    EXPECT_EQ(itMapResult->second, "22.04");
+    EXPECT_NE(itMapResult = mapResult.find("VERSION"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "VERSION");
+    EXPECT_EQ(itMapResult->second, "22.04.1 LTS (Jammy Jellyfish)");
+    EXPECT_NE(itMapResult = mapResult.find("VERSION_CODENAME"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "VERSION_CODENAME");
+    EXPECT_EQ(itMapResult->second, "jammy");
+    EXPECT_NE(itMapResult = mapResult.find("ID"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "ID");
+    EXPECT_EQ(itMapResult->second, "ubuntu");
+    EXPECT_NE(itMapResult = mapResult.find("ID_LIKE"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "ID_LIKE");
+    EXPECT_EQ(itMapResult->second, "debian");
+    EXPECT_NE(itMapResult = mapResult.find("HOME_URL"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "HOME_URL");
+    EXPECT_EQ(itMapResult->second, "https://www.ubuntu.com/");
+    EXPECT_NE(itMapResult = mapResult.find("SUPPORT_URL"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "SUPPORT_URL");
+    EXPECT_EQ(itMapResult->second, "https://help.ubuntu.com/");
+    EXPECT_NE(itMapResult = mapResult.find("BUG_REPORT_URL"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "BUG_REPORT_URL");
+    EXPECT_EQ(itMapResult->second, "https://bugs.launchpad.net/ubuntu/");
+    EXPECT_NE(itMapResult = mapResult.find("PRIVACY_POLICY_URL"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "PRIVACY_POLICY_URL");
+    EXPECT_EQ(itMapResult->second, "https://www.ubuntu.com/legal/terms-and-policies/privacy-policy");
+    EXPECT_NE(itMapResult = mapResult.find("UBUNTU_CODENAME"), mapResult.end());
+    EXPECT_EQ(itMapResult->first, "UBUNTU_CODENAME");
+    EXPECT_EQ(itMapResult->second, "jammy");
+}
+
+TEST_F(StringUtilsTest, CheckMultiReplacement)
+{
+    std::string string_base {"hello         world"};
+    const auto retVal {Utils::replaceAll(string_base, "  ", " ")};
+    EXPECT_EQ(string_base, "hello world");
+    EXPECT_TRUE(retVal);
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrect)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("hello         world", "         "), "hello");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrectEmpty)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("", " "), "");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceNoOccurrences)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("hello         world", "bye"), "hello         world");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrectEndText)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("hello         world", "world"), "hello         ");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrectFirstText)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("hello         world", "hello"), "");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrectEscapeCharacter)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("hello\nworld", "\n"), "hello");
+}
+
+TEST_F(StringUtilsTest, substrOnFirstOccurrenceCorrectEscapeCharacterEmptyResult)
+{
+    EXPECT_EQ(Utils::substrOnFirstOccurrence("\n", "\n"), "");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedSimple)
+{
+    std::string stringBase {"hello:world"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "hello");
+    EXPECT_EQ(retVal.second, "world");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedSimpleEnd)
+{
+    std::string stringBase {"hello:"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "hello");
+    EXPECT_EQ(retVal.second, "");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedSimpleDoubleDelimiterEnd)
+{
+    std::string stringBase {"hello:world:"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "hello");
+    EXPECT_EQ(retVal.second, "world:");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedSimpleDoubleEnd)
+{
+    std::string stringBase {"hello::"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "hello");
+    EXPECT_EQ(retVal.second, ":");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedSimpleEmptyDoubleEnd)
+{
+    std::string stringBase {"::"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "");
+    EXPECT_EQ(retVal.second, ":");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedComplex)
+{
+    std::string stringBase {"he\\:llo:world"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "he\\:llo");
+    EXPECT_EQ(retVal.second, "world");
+}
+
+TEST_F(StringUtilsTest, splitKeyValueNonEscapedComplexEnd)
+{
+    std::string stringBase {"he\\:llo:"};
+    const auto retVal {Utils::splitKeyValueNonEscapedDelimiter(stringBase, ':', '\\')};
+    EXPECT_EQ(retVal.first, "he\\:llo");
+    EXPECT_EQ(retVal.second, "");
+}
+
+TEST_F(StringUtilsTest, findRegexInStringNotStartWith)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"PREFIX Some random content"};
+    const auto regex {std::regex(R"(PREFIX Some random content)")};
+    EXPECT_FALSE(Utils::findRegexInString(valueToCheck, matchedValue, regex, 0, "OTHERPREFIX"));
+    EXPECT_TRUE(matchedValue.empty());
+}
+
+TEST_F(StringUtilsTest, findRegexInStringStartWith)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"PREFIX Some random content"};
+    const auto regex {std::regex(R"(PREFIX Some random content)")};
+    EXPECT_TRUE(Utils::findRegexInString(valueToCheck, matchedValue, regex, 0, "PREFIX"));
+    EXPECT_EQ(matchedValue, valueToCheck);
+}
+
+TEST_F(StringUtilsTest, findRegexInStringMatchingRegexWithoutGroup)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"This string should not be extracted"};
+    const auto regex {std::regex(R"(^This string should not be extracted$)")};
+    EXPECT_TRUE(Utils::findRegexInString(valueToCheck, matchedValue, regex));
+    EXPECT_EQ(matchedValue, valueToCheck);
+}
+
+TEST_F(StringUtilsTest, findRegexInStringNoExtractingFirstGroup)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"This string should be extracted"};
+    const auto regex {std::regex(R"(^This (\S+) should be (\S+)$)")};
+    EXPECT_TRUE(Utils::findRegexInString(valueToCheck, matchedValue, regex));
+    EXPECT_EQ(matchedValue, valueToCheck);
+}
+
+TEST_F(StringUtilsTest, findRegexInStringExtractingFirstGroup)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"This string should be extracted"};
+    const auto regex {std::regex(R"(^This (\S+) should be (\S+)$)")};
+    EXPECT_TRUE(Utils::findRegexInString(valueToCheck, matchedValue, regex, 1));
+    EXPECT_EQ(matchedValue, "string");
+}
+
+TEST_F(StringUtilsTest, findRegexInStringExtractingSecondGroup)
+{
+    std::string matchedValue;
+    const auto valueToCheck {"This string should be extracted"};
+    const auto regex {std::regex(R"(^This (\S+) should be (\S+)$)")};
+    EXPECT_TRUE(Utils::findRegexInString(valueToCheck, matchedValue, regex, 2));
+    EXPECT_EQ(matchedValue, "extracted");
+}
+
+TEST_F(StringUtilsTest, convertToUTF8NoChanges)
+{
+    std::string noUnicodeString {"This is a test"};
+    Utils::ISO8859ToUTF8(noUnicodeString);
+    EXPECT_EQ("This is a test", noUnicodeString);
+}
+
+TEST_F(StringUtilsTest, rawUnicodeToUTF8)
+{
+    std::stringstream fileContent;
+    // Set buffer in ISO8859-1
+    fileContent << R"(CLASSES=none)"
+                   R"(BASEDIR=/opt/csw)"
+                   R"(INSTDATE=Jan 09 2023 14:35)"
+                   R"(PKGSAV=/var/sadm/pkg/CSWschilybase/save)"
+                   R"(PKGINST=CSWschilybase)"
+                   R"(PSTAMP=joerg@unstable9x-20130619141117)"
+                   R"(EMAIL=joerg@opencsw.org)"
+                   R"(HOTLINE=http://www.opencsw.org/bugtrack/)"
+                   R"(VENDOR=http://cdrecord.berlios.de/old/private/  packaged for CSW by J)"
+                << "\xF6"
+                << R"(rg Schilling)"
+                   R"(CATEGORY=application)"
+                   R"(NAME=schilybase - A collection of common files from J. Schilling)"
+                   R"(PKG=CSWschilybase)"
+                   R"(VERSION=1.01,REV=2013.06.19)"
+                   R"(ARCH=i386)"
+                   R"(OAMBASE=/usr/sadm/sysadm)"
+                   R"(PATH=/sbin:/usr/sbin:/usr/bin:/usr/sadm/install/bin)"
+                   R"(TZ=localtime)"
+                   R"(LANG=C)"
+                   R"(LC_ALL=)"
+                   R"(LC_MONETARY=)"
+                   R"(LC_MESSAGES=)"
+                   R"(LC_COLLATE=)"
+                   R"(LC_TIME=)"
+                   R"(LC_NUMERIC=)"
+                   R"(LC_CTYPE=)";
+
+    std::string content;
+
+    while (fileContent.good())
+    {
+        std::string line;
+        std::getline(fileContent, line);
+        // Convert 'line' to UTF-8
+        Utils::ISO8859ToUTF8(line);
+
+        content += line;
+    }
+
+    EXPECT_EQ("CLASSES=none"
+              "BASEDIR=/opt/csw"
+              "INSTDATE=Jan 09 2023 14:35"
+              "PKGSAV=/var/sadm/pkg/CSWschilybase/save"
+              "PKGINST=CSWschilybase"
+              "PSTAMP=joerg@unstable9x-20130619141117"
+              "EMAIL=joerg@opencsw.org"
+              "HOTLINE=http://www.opencsw.org/bugtrack/VENDOR=http://cdrecord.berlios.de/old/private/  packaged for CSW"
+              " by J\xC3\xB6rg Schilling"
+              "CATEGORY=applicationNAME=schilybase - A collection of common files from J. SchillingPKG=CSWschilybase"
+              "VERSION=1.01,REV=2013.06.19"
+              "ARCH=i386"
+              "OAMBASE=/usr/sadm/sysadm"
+              "PATH=/sbin:/usr/sbin:/usr/bin:/usr/sadm/install/bin"
+              "TZ=localtime"
+              "LANG=C"
+              "LC_ALL="
+              "LC_MONETARY="
+              "LC_MESSAGES="
+              "LC_COLLATE="
+              "LC_TIME="
+              "LC_NUMERIC="
+              "LC_CTYPE=",
+              content);
+}
+
+TEST_F(StringUtilsTest, stringIsNumberFalse1)
+{
+    EXPECT_FALSE(Utils::isNumber("random_string"));
+}
+
+TEST_F(StringUtilsTest, stringIsNumberFalse2)
+{
+    EXPECT_FALSE(Utils::isNumber("r4nd0m_57r1n9"));
+}
+
+TEST_F(StringUtilsTest, stringIsNumberFalse3)
+{
+    EXPECT_FALSE(Utils::isNumber(""));
+}
+
+TEST_F(StringUtilsTest, stringIsNumberTrue)
+{
+    EXPECT_TRUE(Utils::isNumber("12345"));
+}
+
+TEST_F(StringUtilsTest, parseStrToBoolYes)
+{
+    EXPECT_TRUE(Utils::parseStrToBool("yes"));
+}
+
+TEST_F(StringUtilsTest, parseStrToBoolNo)
+{
+    EXPECT_FALSE(Utils::parseStrToBool("no"));
+}
+
+TEST_F(StringUtilsTest, parseStrToBoolSarasa)
+{
+    EXPECT_THROW(Utils::parseStrToBool("Sarasa"), std::runtime_error);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeEmpty)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1"), 1);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneSec)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1s"), 1);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneMin)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1m"), 60);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneHour)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1h"), 3600);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneDay)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1d"), 86400);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneWeek)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1w"), 604800);
+}
+
+TEST_F(StringUtilsTest, parseStrToTimeOneSarasa)
+{
+    EXPECT_EQ(Utils::parseStrToTime("1invalid"), -1);
+}
+
+/*
+ * isAlphaNumericWithSpecialCharacters() tests
+ */
+
+/**
+ * @brief Validates the string is alphanumeric and contains all of the special characters passed as argument.
+ *
+ */
+TEST_F(StringUtilsTest, IsAlphaNumericWithSpecialCharacters)
+{
+    const std::string stringBase1 {"random_string"};
+    const std::string stringBase2 {"r4nd0mS7r1n6"};
+    const std::string stringBase3 {"random-_-string"};
+    const std::string stringBase4 {"random*string"};
+    const std::string stringBase5;
+    EXPECT_TRUE(Utils::isAlphaNumericWithSpecialCharacters(stringBase1, "_"));
+    EXPECT_TRUE(Utils::isAlphaNumericWithSpecialCharacters(stringBase1, "__"));
+    EXPECT_TRUE(Utils::isAlphaNumericWithSpecialCharacters(stringBase2, ""));
+    EXPECT_TRUE(Utils::isAlphaNumericWithSpecialCharacters(stringBase3, "-_"));
+    EXPECT_TRUE(Utils::isAlphaNumericWithSpecialCharacters(stringBase4, "*"));
+    EXPECT_FALSE(Utils::isAlphaNumericWithSpecialCharacters(stringBase5, "-_*"));
+}
+
+TEST_F(StringUtilsTest, padString)
+{
+    EXPECT_EQ(Utils::padString("test", '0', 10), "000000test");
+    EXPECT_EQ(Utils::padString("test", '0', 2), "test");
+    EXPECT_EQ(Utils::padString("test", '0', 4), "test");
+    EXPECT_EQ(Utils::padString("", '0', 4), "0000");
+}
+
+TEST_F(StringUtilsTest, haveUpperCaseCharacters)
+{
+    EXPECT_TRUE(Utils::haveUpperCaseCharacters("Test"));
+    EXPECT_FALSE(Utils::haveUpperCaseCharacters("test"));
+    EXPECT_FALSE(Utils::haveUpperCaseCharacters(""));
+}
+
diff --git a/src/common/stringHelper/tests/stringHelper_test.h b/src/common/stringHelper/tests/stringHelper_test.h
new file mode 100644
index 0000000000..44c5ae6086
--- /dev/null
+++ b/src/common/stringHelper/tests/stringHelper_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef STRING_HELPER_TESTS_H
+#define STRING_HELPER_TESTS_H
+#include "gtest/gtest.h"
+
+class StringUtilsTest : public ::testing::Test
+{
+    protected:
+
+        StringUtilsTest() = default;
+        virtual ~StringUtilsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //STRING_HELPER_TESTS_H
\ No newline at end of file
diff --git a/src/modules/github/src/github.c b/src/common/string_op/CMakeLists.txt
similarity index 100%
rename from src/modules/github/src/github.c
rename to src/common/string_op/CMakeLists.txt
diff --git a/src/common/string_op/include/string_op.h b/src/common/string_op/include/string_op.h
new file mode 100644
index 0000000000..51c142ac38
--- /dev/null
+++ b/src/common/string_op/include/string_op.h
@@ -0,0 +1,406 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef H_STRINGOP_OS
+#define H_STRINGOP_OS
+
+#include <cJSON.h>
+#include <stdbool.h>
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+
+#ifndef WC_ERR_INVALID_CHARS
+#define WC_ERR_INVALID_CHARS 0x80
+#endif
+
+/* converts a Windows format string to char* */
+char *convert_windows_string(LPCWSTR string);
+#endif
+
+// Time values for conversion
+#define W_WEEK_SECONDS      604800
+#define W_DAY_SECONDS       86400
+#define W_HOUR_SECONDS      3600
+#define W_MINUTE_SECONDS    60
+
+// Time units
+#define W_WEEKS_L   "week(s)"
+#define W_WEEKS_S   "w"
+#define W_DAYS_L    "day(s)"
+#define W_DAYS_S    "d"
+#define W_HOURS_L   "hour(s)"
+#define W_HOURS_S   "h"
+#define W_MINUTES_L "minute(s)"
+#define W_MINUTES_S "m"
+#define W_SECONDS_L "second(s)"
+#define W_SECONDS_S "s"
+
+// Convert string to lowercase
+#define str_lowercase(str_lc) { char *x = str_lc; while (*x != '\0') { *x = tolower(*x); x++; } }
+
+// Convert string to uppercase
+#define str_uppercase(str_lc) { char *x = str_lc; while (*x != '\0') { *x = toupper(*x); x++; } }
+
+// Convert double to string
+#define w_double_str(x) ({char *do_str; os_calloc(20, sizeof(char),do_str); snprintf(do_str, 19, "%f", x); do_str;})
+
+// Convert long to string
+#define w_long_str(x) ({char *do_str; os_calloc(32, sizeof(char),do_str); snprintf(do_str, 31, "%ld", x); do_str;})
+
+// Replace a character in a string
+#define wchr_replace(x, y, z) { char *x_it; for (x_it = x; *x_it != '\0'; x_it++) if (*x_it == y) *x_it = z; }
+
+// Count the words of a string
+#define w_word_counter(x) ({ int w_count = 0; char *w_it = x; \
+    while (*w_it) { if (*w_it != ' ') { w_count++; while (*w_it != ' ' && *w_it != '\0') w_it++; continue;} w_it++;} w_count;})
+
+// Check if a string is a number. It does not work with signs (+/-)
+#define w_str_is_number(str) ({char *x = str; for (; *x != '\0'; x++) if (!isdigit(*x)) { x = NULL; break;} x;})
+
+/* Trim the CR and/or LF from the last positions of a string */
+void os_trimcrlf(char *str);
+
+/* Similiar to Perl's substr() function */
+int os_substr(char *dest, const char *src, size_t position, ssize_t length) __attribute__((nonnull(1)));
+
+/* Remove a character from a string */
+char *os_strip_char(const char *source, char remove) __attribute__((nonnull));
+
+/* Escape a list of characters with a backslash */
+char *os_shell_escape(const char *src);
+
+/* Count the number of repetitions of needle at haystack */
+size_t os_strcnt(const char *haystack, char needle);
+
+// Trim whitespaces from string
+char * w_strtrim(char * string);
+
+// Add a dynamic field with object nesting
+void W_JSON_AddField(cJSON *root, const char *key, const char *value);
+
+// Converts a CSV list into JSON style string array ("a,s,d" -> ["a","s","d"])
+void csv_list_to_json_str_array(char * const csv_list, char **buffer);
+
+// Searches haystack for needle. Returns 1 if needle is found in haystack.
+int w_str_in_array(const char * needle, const char ** haystack);
+
+/* Filter escape characters */
+char* filter_special_chars(const char *string);
+
+// Replace substrings
+char * wstr_replace(const char * string, const char * search, const char * replace);
+
+// Locate first occurrence of non escaped character in string
+char * wstr_chr(const char * str, char character);
+
+/**
+ * @brief Locate first occurrence of non escaped character in string.
+ *
+ * @param str A valid pointer to a string where look for a non escaped character.
+ * @param character The non escaped character.
+ * @param escape The character used to escape.
+ * @return The position of the non escaped character, or NULL if fail.
+ */
+char * wstr_chr_escape(const char * str, char character, char escape);
+
+/**
+ * @brief Escape a specific character from a character string.
+ *
+ * @param dststr A valid pointer to a char buffer where escaped string will be stored.
+ * @param dst_size The dststr size to control buffer overflow.
+ * @param str A valid pointer to a string to escape.
+ * @param escape The character used to escape.
+ * @param match The value to escape.
+ * @return The size of the dststr if success, or OS_INVALID if fail.
+ */
+ssize_t wstr_escape(char *dststr, size_t dst_size, const char *str, char escape, char match);
+
+/**
+ * @brief Unescape a specific character from a character string.
+ *
+ * @param dststr A valid pointer to a char buffer where unescaped string will be stored.
+ * @param dst_size The dststr size to control buffer overflow.
+ * @param str A valid pointer to a string to unescape.
+ * @param escape The character used to unescape.
+ * @return The size of the dststr if success, or OS_INVALID if fail.
+ */
+ssize_t wstr_unescape(char *dststr, size_t dst_size, const char *str, char escape);
+
+// Free string array
+void free_strarray(char ** array);
+
+// Get the size of a string array
+size_t strarray_size(char ** array);
+
+// Delete last occurrence of duplicated string
+char * wstr_delete_repeated_groups(const char * string);
+
+/* Concatenate strings with optional separator
+ *
+ * str1 must be a valid pointer to NULL or a string at heap
+ * Returns 0 if success, or -1 if fail.
+ */
+int wm_strcat(char **str1, const char *str2, char sep);
+
+// Check if str ends in str_end
+int wstr_end(char *str, const char *str_end);
+
+/* Split a string within splitted_str
+ *  - delim: Words delimiter
+ *  - occurrences: Words by division
+ *  - replace_delim: (Optional) Replace the delimiter with a new one
+*/
+
+void wstr_split(char *str, char *delim, char *replace_delim, int occurrences, char ***splitted_str);
+
+// Check if the specified string is already in the array
+int w_is_str_in_array(char *const *ar, const char *str);
+
+// Remove zeros from the end of the decimal number
+void w_remove_zero_dec(char *str_number);
+
+/* Similar to strtok_r but checks for full delim appearances */
+char *w_strtok_r_str_delim(const char *delim, char **remaining_str);
+
+// Returns the characters number of the string source if, only if, source is included completely in str, 0 in other case.
+int w_compare_str(const char * source, const char * str);
+const char * find_string_in_array(char * const string_array[], size_t array_len, const char * const str, const size_t str_len);
+
+char *decode_hex_buffer_2_ascii_buffer(const char * const encoded_buffer, const size_t buffer_size);
+
+/**
+ * @brief Parse boolean string
+ *
+ * @param string Input string.
+ * @pre string is not null.
+ * @retval 1 True.
+ * @retval 0 False.
+ * @retval -1 Cannot parse string.
+ */
+int w_parse_bool(const char * string);
+
+/**
+ * @brief Parse positive time string into seconds
+ *
+ * Format: ^[0-9]+(s|m|h|d|w)?
+ *
+ * s: seconds
+ * m: minutes
+ * h: hours
+ * d: days
+ * w: weeks
+ *
+ * Any character after the first byte is ignored.
+ *
+ * @param string Input string.
+ * @pre string is not null.
+ * @return Time represented in seconds.
+ * @retval -1 Cannot parse string, or value is negative.
+ */
+long w_parse_time(const char * string);
+
+/**
+ * @brief Parse positive size string into bytes
+ *
+ * Format: ^[0-9]+(b|B|k|K|m|M|g|G)?
+ *
+ * b/B: bytes
+ * k/K: kilobytes
+ * m/M: megabytes
+ * g/G: gigabytes
+ *
+ * Any character after the first byte is ignored.
+ *
+ * @param string Input string.
+ * @pre string is not null.
+ * @return Size represented in bytes.
+ * @retval -1 Cannot parse string, or value is negative.
+ */
+ssize_t w_parse_size(const char * string);
+
+/**
+ * @brief Convert seconds into the greater valid time unit (s|m|h|d|w).
+ * The conversion will always round down the output.
+ *
+ * s: seconds
+ * m: minutes
+ * h: hours
+ * d: days
+ * w: weeks
+ *
+ * @param seconds Positive amount of seconds.
+ * @param long_format Format of the output.
+ *                    TRUE: long format ("second(s)").
+ *                    FALSE: short format ("s")
+ * @return String with the time unit.
+ * @retval "invalid" if the input is negative. A time unit if the input is valid.
+ */
+char* w_seconds_to_time_unit(long seconds, bool long_format);
+
+/**
+ * @brief Convert seconds into the greater time value.
+ *  * The conversion will always round down the output.
+ *
+ * @param seconds Positive amount of seconds.
+ * @return Value of the seconds converted to the greater time unit.
+ * @retval - if the input is negative. A time value if the input is valid.
+ */
+long w_seconds_to_time_value(long seconds);
+
+/*
+ * @brief Length of the initial segment of s which consists entirely of non-escaped bytes different from reject
+ *
+ * @param s String.
+ * @param reject String delimiter.
+ * @return size_t Number of bytes in s that are not reject.
+ */
+size_t strcspn_escaped(const char * s, char reject);
+
+/**
+ * @brief Escape JSON reserved characters
+ *
+ * Add an escape to the following bytes: \b \t \n \f \r " \
+ *
+ * @param string Input string
+ * @return Pointer to a new string containg an escaped copy of "string"
+ */
+char * wstr_escape_json(const char * string);
+
+/**
+ * @brief Unescape JSON reserved characters
+ *
+ * Unescape sets '\b', '\t', '\n', '\f', '\r', '\"' and '\\'.
+ * Bypass any other escape attempt.
+ *
+ * @param string Input string
+ * @return Pointer to a new string containg an unescaped copy of "string"
+ */
+char * wstr_unescape_json(const char * string);
+
+/**
+ * @brief Lowercase a string
+ *
+ * @param string Input string
+ * @return Pointer to a new string containing a lowercased copy of "string"
+ */
+char * w_tolower_str(const char *string);
+
+/* b64 function prototypes */
+char *decode_base64(const char *src);
+char *encode_base64(int size, const char *src);
+
+/**
+ * @brief Verify the string is not truncated after executing snprintf
+ *
+ * @param str Pointer to a buffer where the resulting string is stored.
+ * @param size Maximum number of bytes to be used in the buffer.
+ * @param format String that contains a format string that follows the same specifications as format in printf.
+ * @param ... Depending on the format string, the function may expect a sequence of additional arguments.
+ * @return int The number of characters that would have been written if size had been sufficiently large.
+ */
+int os_snprintf(char *str, size_t size, const char *format, ...);
+
+/**
+ * @brief Remove a substring from a string.
+ *
+ * @param str Original string.
+ * @param sub Substring to remove from the string.
+ * @return char* String after removing the substring.
+ */
+char * w_remove_substr(char *str, const char *sub);
+
+/**
+ * @brief Returns a copy of the first n characters of str.
+ *
+ * If str is longer than n, only n characters are copied (a terminating character ('\0') is added).
+ * if n is zero an empty string is returned.
+ * @param str String to copy.
+ * @param n Maximum number of characters to copy.
+ * @return char* New string copy of str[:n] or NULL if str is null
+ */
+char * w_strndup(const char *str, size_t n);
+
+/**
+ * @brief Split a string into an array of strings separated by given delimiters.
+ * @param string_to_split String to split.
+ * @param delim String with the delimiters used to split.
+ * @param max_array_size Maximum number of strings returned in the array, if it is 0 no limit will be applied.
+ * @return char** Returns an array of string.
+ */
+char ** w_string_split(const char *string_to_split, const char *delim, int max_array_size);
+
+/**
+ * @brief Append two strings
+ *
+ * This function produces a string with length #a + n, and joins the content
+ * of a and the first n bytes of b.
+ * Semantics are like: a += b[:n].
+ *
+ * @param a First string.
+ * @param b Second string.
+ * @param n Length of the left-substring in b that will be copied.
+ * @return Pointer to a zero-ended string that contains the concatenation of a + b.
+ * @pre a may be NULL. In that case, this function returns strdup(b).
+ * @pre b must contain at less n valid bytes.
+ * @post String a is freed and it's not valid after calling this function.
+ */
+char* w_strcat(char *a, const char *b, size_t n);
+
+/**
+ * @brief Append a string into the n-th position of a string array
+ *
+ * Extends the size of the array to (n + 1) pointers, sets array[n] to string,
+ * and terminates the array with NULL.
+ *
+ * @param array Pointer to the source string array, that will be extended.
+ * @param string Pointer to the string that will be inserted into the array.
+ * @param n Position of the current tail of the array (null pointer).
+ * @return A pointer to a string array.
+ * @pre array has n valid positions before calling this function.
+ * @post array holds the same pointer that this function received, i.e. strings are not duplicated.
+ * @post The pointer to array is no longer valid as it's resized.
+ */
+char** w_strarray_append(char **array, char *string, int n);
+
+/**
+ * @brief Tokenize string separated by spaces, respecting double-quotes
+ *
+ * Splits words in a string separated by spaces into an array.
+ * Parts within double-quotes are not splitted.
+ * The backslash character escapes spaces, double-quotes and backslashes.
+ *
+ * @param string Pointer to the source string.
+ * @return Pointer to a NULL-terminated string array.
+ * @post The structure returned must be freed with free_strarray().
+ */
+char** w_strtok(const char *string);
+
+/**
+ * @brief Concatenate a NULL-terminated string list into a single string
+ *
+ * @param list String list to concatenate
+ * @param sep Optional separator. Set to 0 if unused.
+ * @return Allocated string with list concatenation.
+ */
+char* w_strcat_list(char ** list, char sep);
+
+/**
+ * @brief Convert a given string to hexadecimal and store it in a buffer
+ * @param src_buf Input buffer containing the string to be converted
+ * @param src_size Input buffer size
+ * @param dst_buf Output buffer where to store the converted string
+ * @param dst_size Output buffer size
+ * @return OS_SUCCESS on success, OS_INVALID on failure
+ */
+int print_hex_string(const char *src_buf, unsigned int src_size, char *dst_buf, unsigned int dst_size);
+
+#endif
diff --git a/src/common/string_op/src/string_op.c b/src/common/string_op/src/string_op.c
new file mode 100644
index 0000000000..584620f131
--- /dev/null
+++ b/src/common/string_op/src/string_op.c
@@ -0,0 +1,1233 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "string.h"
+#include "../os_regex/os_regex.h"
+#include "string_op.h"
+
+#ifdef WIN32
+#ifdef EVENTCHANNEL_SUPPORT
+#define _WIN32_WINNT 0x0600
+#endif
+#endif
+
+/* Trim CR and/or LF from the last positions of a string */
+void os_trimcrlf(char *str)
+{
+    if (str == NULL) {
+        return;
+    }
+
+    if (*str == '\0') {
+        return;
+    }
+
+    size_t len = strlen(str);
+    len--;
+
+    while (str[len] == '\n' || str[len] == '\r') {
+        str[len] = '\0';
+
+        if (len == 0) {
+            break;
+        }
+
+        len--;
+    }
+}
+
+/* Remove offending char (e.g., double quotes) from source */
+char *os_strip_char(const char *source, char remove)
+{
+    char *clean;
+    const char *iterator = source;
+    size_t length = 0;
+    int i;
+
+    /* Figure out how much memory to allocate */
+    for ( ; *iterator; iterator++ ) {
+        if ( *iterator != remove ) {
+            length++;
+        }
+    }
+
+    /* Allocate the memory */
+    if ( (clean = (char *) malloc( length + 1 )) == NULL ) {
+        // Return NULL
+        return NULL;
+    }
+    memset(clean, '\0', length + 1);
+
+    /* Remove the characters */
+    iterator = source;
+    for ( i = 0; *iterator; iterator++ ) {
+        if ( *iterator != remove ) {
+            clean[i] = *iterator;
+            i++;
+        }
+    }
+
+    return clean;
+}
+
+/* Do a substring */
+int os_substr(char *dest, const char *src, size_t position, ssize_t length)
+{
+    dest[0] = '\0';
+
+    if ( length <= 0  ) {
+        /* Unsupported negative length string */
+        return -3;
+    }
+    if ( src == NULL ) {
+        return -2;
+    }
+    if ( position >= strlen(src) ) {
+        return -1;
+    }
+
+    strncat(dest, (src + position), (size_t) length);
+
+    return 0;
+}
+
+/* Escape a set of characters */
+char *os_shell_escape(const char *src)
+{
+    /* Maximum Length of the String is 2 times the current length */
+    char shell_escapes[22] = { '\\', '"', '\'', '\t', ';', '`', '>', '<', '|', '#',
+                             '*', '[', ']', '{', '}', '&', '$', '!', ':', '(', ')'
+                           };
+
+    char *escaped_string;
+    size_t length = 0;
+    int i = 0;
+
+    if (src == NULL) {
+        return NULL;
+    }
+
+    /* Determine how long the string will be */
+    const char *iterator = src;
+    for (; *iterator; iterator++) {
+        if (strchr(shell_escapes, *iterator)) {
+            if ((*iterator == '\\') && *(iterator+1) && strchr(shell_escapes, *(iterator+1))) {
+                // avoid scape because it's already scaped
+                iterator++;
+            }
+            length++;
+        }
+        length++;
+    }
+    /* Allocate memory */
+    if ((escaped_string = (char *) calloc(1, length + 1 )) == NULL) {
+        return NULL;
+    }
+
+    /* Escape the escapable characters */
+    iterator = src;
+    for (i = 0; *iterator; iterator++) {
+        if (strchr(shell_escapes, *iterator)) {
+            if ((*iterator == '\\') && *(iterator+1) && strchr(shell_escapes, *(iterator+1))) {
+                // avoid scape because it's already scaped
+                escaped_string[i] = *iterator;
+                i++;
+                iterator++;
+            } else {
+                escaped_string[i] = '\\';
+                i++;
+            }
+        }
+        escaped_string[i] = *iterator;
+        i++;
+    }
+
+    return escaped_string;
+}
+
+/* Count the number of repetitions of needle at haystack */
+size_t os_strcnt(const char *haystack, char needle) {
+    size_t count = 0;
+    char *ptr;
+
+    for (ptr = strchr(haystack, needle); ptr; ptr = strchr(ptr + 1, needle))
+        count++;
+
+    return count;
+}
+
+// Trim whitespaces from string
+
+char * w_strtrim(char * string) {
+    char *c;
+    char *d;
+
+    if(string != NULL) {
+        string = &string[strspn(string, " ")];
+        for (c = string + strcspn(string, " "); *(d = c + strspn(c, " ")); c = d + strcspn(d, " "));
+        *c = '\0';
+    }
+    return string;
+}
+
+// Add a dynamic field with object nesting
+void W_JSON_AddField(cJSON *root, const char *key, const char *value) {
+
+    cJSON *object;
+    char *current;
+    char *nest = strchr(key, '.');
+    size_t length;
+
+    if (nest) {
+        length = nest - key;
+        os_malloc(length + 1, current);
+        strncpy(current, key, length);
+        current[length] = '\0';
+
+        if (object = cJSON_GetObjectItem(root, current), object) {
+            if (cJSON_IsObject(object)) {
+                W_JSON_AddField(object, nest + 1, value);
+            }
+        } else {
+            cJSON_AddItemToObject(root, current, object = cJSON_CreateObject());
+            W_JSON_AddField(object, nest + 1, value);
+        }
+
+        free(current);
+    } else if (!cJSON_GetObjectItem(root, key)) {
+        const char *jsonErrPtr;
+        cJSON * value_json = NULL;
+
+        if (*value == '[' &&
+           (value_json = cJSON_ParseWithOpts(value, &jsonErrPtr, 0), value_json) &&
+           (*jsonErrPtr == '\0')) {
+            cJSON_AddItemToObject(root, key, value_json);
+        } else {
+            if (value_json) {
+                cJSON_Delete(value_json);
+            }
+            cJSON_AddStringToObject(root, key, value);
+        }
+    }
+}
+
+void csv_list_to_json_str_array(char * const csv_list, char **buffer)
+{
+    cJSON *array = cJSON_CreateArray();
+    char *remaining_str = NULL;
+    char *element = strtok_r(csv_list, ",", &remaining_str);
+
+    while (element) {
+        cJSON *obj = cJSON_CreateString(element);
+        cJSON_AddItemToArray(array, obj);
+        element = strtok_r(NULL, ",", &remaining_str);
+    }
+    *buffer = cJSON_Print(array);
+    cJSON_Delete(array);
+}
+
+// Searches haystack for needle. Returns 1 if needle is found in haystack.
+int w_str_in_array(const char * needle, const char ** haystack) {
+    int i;
+
+    if (!(needle && haystack)) {
+        return 0;
+    }
+
+    for (i = 0; haystack[i]; i++) {
+        if (strcmp(needle, haystack[i]) == 0) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+/* Filter escape characters */
+
+char* filter_special_chars(const char *string) {
+    int i, j = 0;
+    int n = strlen(string);
+    char *filtered = malloc(n + 1);
+
+    if (!filtered)
+        return NULL;
+
+    for (i = 0; i <= n; i++)
+        filtered[j++] = (string[i] == '\\') ? string[++i] : string[i];
+
+    return filtered;
+}
+
+// Replace substrings
+
+char * wstr_replace(const char * string, const char * search, const char * replace) {
+    char * result;
+    const char * scur;
+    const char * snext;
+    size_t wi = 0;
+    size_t zcur;
+
+    if (!(string && search && replace)) {
+        return NULL;
+    }
+
+    const size_t ZSEARCH = strlen(search);
+    const size_t ZREPLACE = strlen(replace);
+
+    os_malloc(sizeof(char), result);
+
+    for (scur = string; snext = strstr(scur, search), snext; scur = snext + ZSEARCH) {
+        zcur = snext - scur;
+        os_realloc(result, wi + zcur + ZREPLACE + 1, result);
+        memcpy(result + wi, scur, zcur);
+        wi += zcur;
+        memcpy(result + wi, replace, ZREPLACE);
+        wi += ZREPLACE;
+    }
+
+    // Copy last chunk
+
+    zcur = strlen(scur);
+    os_realloc(result, wi + zcur + 1, result);
+    memcpy(result + wi, scur, zcur);
+    wi += zcur;
+
+    result[wi] = '\0';
+    return result;
+}
+
+// Locate first occurrence of non '\\' escaped character in string
+
+char * wstr_chr(const char * str, char character) {
+
+    return wstr_chr_escape(str, character, '\\');
+}
+
+// Locate first occurrence of non escaped character in string
+
+char * wstr_chr_escape(const char * str, char character, char escape) {
+    bool escaped = false;
+
+    for (;*str != '\0'; str++) {
+        if (!escaped) {
+            if (*str == character) {
+                return (char *)str;
+            }
+            if (*str == escape) {
+                escaped = true;
+            }
+        } else {
+            escaped = false;
+        }
+    }
+    return NULL;
+}
+
+// Escape a specific character from a character string
+
+ssize_t wstr_escape(char *dststr, size_t dst_size, const char *str, char escape, char match) {
+
+    if (str == NULL || dststr == NULL) {
+        return OS_INVALID;
+    }
+
+    size_t i = 0;   // Read position
+    size_t j = 0;   // Write position
+    size_t z;       // Span length
+
+    char charset[3] = {escape, match, '\0'};
+
+    do {
+        z = strcspn(str + i, charset);
+
+        if (str[i + z] == '\0' || (j + z) >= (dst_size - 2)) {
+            z = (z + j <= dst_size - 1) ? z : (dst_size - j - 1);
+            // End of str
+            strncpy(dststr + j, str + i, z);
+        } else {
+            // Reserved character
+            strncpy(dststr + j, str + i, z);
+            dststr[j + z] = escape;
+            if (str[i + z] == escape) {
+                dststr[j + z + 1] = escape;
+            } else {
+                dststr[j + z + 1] = match;
+            }
+            z++;
+            j++;
+        }
+
+        j += z;
+        i += z;
+    } while (str[i] != '\0' && j < (dst_size - 2));
+
+    dststr[j] = '\0';
+    return j;
+}
+
+// Unescape a specific character from a character string
+
+ssize_t wstr_unescape(char *dststr, size_t dst_size, const char *str, char escape) {
+
+    if (str == NULL || dststr == NULL) {
+        return OS_INVALID;
+    }
+
+    size_t i = 0;   // Read position
+    size_t j = 0;   // Write position
+    size_t z;       // Span length
+
+    char charset[2] = {escape, '\0'};
+
+    do {
+        z = strcspn(str + i, charset);
+        z = (z + j <= dst_size - 1) ? z : (dst_size - j - 1);
+
+        strncpy(dststr + j, str + i, z);
+        j += z;
+        i += z;
+
+        if (str[i] != '\0' && j < (dst_size - 1)) {
+
+            if (str[i + 1] == escape) {
+                dststr[j++] = str[i++];
+            }
+            else if (str[i + 1] == '\0') {
+                dststr[j++] = str[i];
+            }
+            i++;
+        }
+
+    } while (str[i] != '\0' && j < (dst_size - 1));
+
+    dststr[j] = '\0';
+    return j;
+}
+
+#ifdef WIN32
+
+char *convert_windows_string(LPCWSTR string)
+{
+    char *dest = NULL;
+    size_t size = 0;
+    int result = 0;
+
+    if (string == NULL) {
+        return (NULL);
+    }
+
+    /* Determine size required */
+    size = WideCharToMultiByte(CP_UTF8,
+                               WC_ERR_INVALID_CHARS,
+                               string,
+                               -1,
+                               NULL,
+                               0,
+                               NULL,
+                               NULL);
+
+    if (size == 0) {
+        mferror(
+            "Could not WideCharToMultiByte() when determining size which returned (%lu)",
+            GetLastError());
+        return (NULL);
+    }
+
+    if ((dest = calloc(size, sizeof(char))) == NULL) {
+        mferror(
+            "Could not calloc() memory for WideCharToMultiByte() which returned [(%d)-(%s)]",
+            errno,
+            strerror(errno)
+        );
+        return (NULL);
+    }
+
+    result = WideCharToMultiByte(CP_UTF8,
+                                 WC_ERR_INVALID_CHARS,
+                                 string,
+                                 -1,
+                                 dest,
+                                 size,
+                                 NULL,
+                                 NULL);
+
+    if (result == 0) {
+        mferror(
+            "Could not WideCharToMultiByte() which returned (%lu)",
+            GetLastError());
+        free(dest);
+        return (NULL);
+    }
+
+    return (dest);
+}
+
+#endif
+
+// Free string array
+void free_strarray(char ** array) {
+    int i;
+
+    if (array) {
+        for (i = 0; array[i]; ++i) {
+            free(array[i]);
+        }
+
+        free(array);
+    }
+}
+
+// Get the size of a string array
+size_t strarray_size(char ** array) {
+    size_t size = 0;
+
+    if (array) {
+        while (array[size]) {
+            size++;
+        }
+    }
+    return size;
+}
+
+char * wstr_delete_repeated_groups(const char * string){
+    char **aux;
+    char *result = NULL;
+    int i, k;
+
+    aux = OS_StrBreak(MULTIGROUP_SEPARATOR, string, MAX_GROUPS_PER_MULTIGROUP);
+
+    for (i=0; aux[i] != NULL; i++) {
+        for (k=0; k < i; k++){
+            if (!strcmp(aux[k], aux[i])) {
+                break;
+            }
+        }
+
+        // If no duplicate found, append
+        if (k == i) {
+            wm_strcat(&result, aux[i], MULTIGROUP_SEPARATOR);
+        }
+    }
+
+    free_strarray(aux);
+    return result;
+}
+
+
+// Concatenate strings with optional separator
+
+int wm_strcat(char **str1, const char *str2, char sep) {
+    size_t len1;
+    size_t len2;
+
+    if (str2) {
+        len2 = strlen(str2);
+
+        if (*str1) {
+            len1 = strlen(*str1);
+            os_realloc(*str1, len1 + len2 + (sep ? 2 : 1), *str1);
+
+            if (sep)
+                memcpy(*str1 + (len1++), &sep, 1);
+        } else {
+            len1 = 0;
+            os_malloc(len2 + 1, *str1);
+        }
+
+        memcpy(*str1 + len1, str2, len2 + 1);
+        return 0;
+    } else
+        return -1;
+}
+
+int wstr_end(char *str, const char *str_end) {
+    size_t str_len = strlen(str);
+    size_t str_end_len = strlen(str_end);
+    return str_end_len <= str_len && !strcmp(str + str_len - str_end_len, str_end);
+}
+
+void wstr_split(char *str, char *delim, char *replace_delim, int occurrences, char ***splitted_str) {
+    char *new_delim = replace_delim ? replace_delim : delim;
+    size_t new_delim_size = strlen(replace_delim ? replace_delim : delim);
+    int count = 0;
+    int splitted_count;
+    char *str_cpy, *str_cpy_ref;
+    char *str_it;
+    char **acc_strs;
+    char *saveptr;
+
+    if (occurrences < 1) {
+        return;
+    }
+
+    os_strdup(str, str_cpy);
+    str_cpy_ref = str_cpy;
+    str_it = strtok_r(str_cpy, delim, &saveptr);
+
+    os_calloc(occurrences, sizeof(char *), acc_strs);
+
+    for (splitted_count = 0; *splitted_str && (*splitted_str)[splitted_count]; splitted_count++);
+
+    for (; str_it && *str_it; count++) {
+        os_strdup(str_it, acc_strs[count]);
+
+        if (count == occurrences - 1) {
+            // Add a new term
+            size_t term_size;
+            char *new_term_it;
+
+            for (count = term_size = 0; count < occurrences; count++) {
+                term_size += strlen(acc_strs[count]);
+            }
+
+            term_size += (occurrences - 1) * new_delim_size + 1;
+
+            os_realloc(*splitted_str, (splitted_count + 2) * sizeof(char *), *splitted_str);
+            os_calloc(term_size, sizeof(char), (*splitted_str)[splitted_count]);
+            (*splitted_str)[splitted_count + 1] = NULL;
+
+            for (count = 0, new_term_it = (*splitted_str)[splitted_count]; count < occurrences; count++) {
+                if (count) {
+                    strncpy(new_term_it, new_delim, term_size);
+                    term_size -= new_delim_size;
+                    new_term_it += new_delim_size;
+                }
+                strncpy(new_term_it, acc_strs[count], term_size);
+                term_size -= strlen(acc_strs[count]);
+                new_term_it += strlen(acc_strs[count]);
+                os_free(acc_strs[count]);
+            }
+
+            splitted_count++;
+            count = -1;
+        }
+        str_it = strtok_r(NULL, delim, &saveptr);
+    }
+
+    // Remove residual terms (they are discarded)
+    for (count = 0; acc_strs[count]; count++) {
+        free(acc_strs[count]);
+    }
+    free(acc_strs);
+    free(str_cpy_ref);
+}
+
+/* Check if the specified string is already in the array */
+int w_is_str_in_array(char *const *ar, const char *str)
+{
+    while (*ar) {
+        if (strcmp(*ar, str) == 0) {
+            return (1);
+        }
+        ar++;
+    }
+    return (0);
+}
+
+// Remove zeros from the end of the decimal number
+void w_remove_zero_dec(char *str_number) {
+    char *base;
+    char *number_end;
+
+    if (base = strchr(str_number, '.'), base) {
+        for (number_end = base; *number_end; number_end++);
+        for (--number_end; base != number_end && *number_end == '0'; number_end--) {
+            *number_end = '\0';
+        }
+    }
+}
+
+/* Similar to strtok_r but checks for full delim appearances */
+char *w_strtok_r_str_delim(const char *delim, char **remaining_str)
+{
+    if (!*remaining_str) {
+        return NULL;
+    }
+
+    if (!delim || *delim == '\0') {
+        char *str = *remaining_str;
+        *remaining_str = NULL;
+        return str;
+    }
+
+    char *delim_found = NULL;
+    size_t delim_len = strlen(delim);
+
+    while ((delim_found = strstr(*remaining_str, delim))) {
+        if (*remaining_str == delim_found) {
+            *remaining_str += delim_len;
+            continue;
+        }
+        break;
+    }
+
+    if (**remaining_str == '\0') {
+        return NULL;
+    }
+
+    char *token = *remaining_str;
+
+    if((delim_found = strstr(*remaining_str, delim))) {
+        *delim_found = '\0';
+        *remaining_str = delim_found + delim_len;
+    } else {
+        *remaining_str = NULL;
+    }
+
+    return token;
+}
+
+
+// Returns the characters number of the string source if, only if, source is included completely in str, 0 in other case.
+int w_compare_str(const char * source, const char * str) {
+    int matching = 0;
+    size_t source_lenght;
+
+    if (!(source && str)) {
+        return -1;
+    }
+
+    source_lenght = strlen(source);
+    if (source_lenght > strlen(str)) {
+        return -2;
+    }
+
+    // Match if result is 0
+    matching = strncmp(source, str, source_lenght);
+
+    return matching == 0 ? source_lenght : 0;
+}
+
+const char * find_string_in_array(char * const string_array[], size_t array_len, const char * const str, const size_t str_len)
+{
+    if (!string_array || !str){
+        return NULL;
+    }
+
+    size_t i;
+    for (i = 0; i < array_len; ++i) {
+        if (strncmp(str, string_array[i], str_len) == 0) {
+            return string_array[i];
+        }
+    }
+
+    return NULL;
+}
+
+// Parse boolean string
+
+int w_parse_bool(const char * string) {
+    return (strcmp(string, "yes") == 0) ? 1 : (strcmp(string, "no") == 0) ? 0 : -1;
+}
+
+// Parse positive time string into seconds
+
+long w_parse_time(const char * string) {
+    char * end;
+    long seconds = strtol(string, &end, 10);
+
+    if (seconds < 0 || (seconds == LONG_MAX && errno == ERANGE)) {
+        return -1;
+    }
+
+    switch (*end) {
+    case '\0':
+        break;
+    case 'w':
+        seconds *= W_WEEK_SECONDS;
+        break;
+    case 'd':
+        seconds *= W_DAY_SECONDS;
+        break;
+    case 'h':
+        seconds *= W_HOUR_SECONDS;
+        break;
+    case 'm':
+        seconds *= W_MINUTE_SECONDS;
+        break;
+    case 's':
+        break;
+    default:
+        return -1;
+    }
+
+    return seconds >= 0 ? seconds : -1;
+}
+
+// Parse positive size string into bytes
+
+ssize_t w_parse_size(const char * string) {
+    char c;
+    ssize_t size;
+
+    switch (sscanf(string, "%zd%c", &size, &c)) {
+    case 1:
+        break;
+
+    case 2:
+        switch (c) {
+        case 'G':
+        case 'g':
+            size *= 1073741824;
+            break;
+        case 'M':
+        case 'm':
+            size *= 1048576;
+            break;
+        case 'K':
+        case 'k':
+            size *= 1024;
+            break;
+        case 'B':
+        case 'b':
+            break;
+        default:
+            return -1;
+        }
+
+        break;
+
+    default:
+        return -1;
+    }
+
+    return size >= 0 ? size : -1;
+}
+
+// Get time unit from seconds
+
+char*  w_seconds_to_time_unit(long seconds, bool long_format) {
+
+    if (seconds < 0) {
+        return "invalid";
+    }
+    else if (seconds >= W_WEEK_SECONDS) {
+        return long_format ? W_WEEKS_L : W_WEEKS_S ;
+    }
+    else if (seconds >= W_DAY_SECONDS) {
+        return long_format ? W_DAYS_L : W_DAYS_S ;
+    }
+    else if (seconds >= W_HOUR_SECONDS) {
+        return long_format ? W_HOURS_L : W_HOURS_S ;
+    }
+    else if (seconds >= W_MINUTE_SECONDS) {
+       return long_format ? W_MINUTES_L : W_MINUTES_S ;
+    }
+    else {
+       return long_format ? W_SECONDS_L : W_SECONDS_S ;
+    }
+}
+
+// Get time value from seconds
+
+long w_seconds_to_time_value(long seconds) {
+
+    if(seconds < 0) {
+        return -1;
+    }
+    else if (seconds >= W_WEEK_SECONDS) {
+        return seconds/W_WEEK_SECONDS;
+    }
+    else if (seconds >= W_DAY_SECONDS) {
+        return seconds/W_DAY_SECONDS;
+    }
+    else if (seconds >= W_HOUR_SECONDS) {
+        return seconds/W_HOUR_SECONDS;
+    }
+    else if (seconds >= W_MINUTE_SECONDS) {
+        return seconds/W_MINUTE_SECONDS;
+    }
+    else {
+        return seconds;
+    }
+}
+
+char* decode_hex_buffer_2_ascii_buffer(const char * const encoded_buffer, const size_t buffer_size)
+{
+    if (!encoded_buffer) {
+        return NULL;
+    }
+
+    /* each ASCII character has 2 digits in its HEX form, hence its length must be even */
+    if (buffer_size % 2 != 0) {
+        return NULL;
+    }
+
+    const size_t decoded_len = buffer_size / 2;
+    char *decoded_buffer;
+    os_calloc(decoded_len + 1, sizeof(char), decoded_buffer);
+
+    size_t i;
+    for(i = 0; i < decoded_len; ++i) {
+        if (1 != sscanf(encoded_buffer + 2 * i, "%2hhx", decoded_buffer + i)) {
+            os_free(decoded_buffer);
+            return NULL;
+        }
+    }
+
+    return decoded_buffer;
+}
+
+// Length of the initial segment of s which consists entirely of non-escaped bytes different from reject
+
+size_t strcspn_escaped(const char * s, char reject) {
+    char charset[3] = { '\\', reject };
+
+    size_t len = strlen(s);
+    size_t spn_len = 0;
+
+    do {
+        spn_len += strcspn(s + spn_len, charset);
+
+        if (s[spn_len] == '\\') {
+            spn_len += 2;
+        } else {
+            return spn_len;
+        }
+    } while (spn_len < len);
+
+    return len;
+}
+
+// Escape JSON reserved characters
+
+char * wstr_escape_json(const char * string) {
+    const char escape_map[] = {
+        ['\b'] = 'b',
+        ['\t'] = 't',
+        ['\n'] = 'n',
+        ['\f'] = 'f',
+        ['\r'] = 'r',
+        ['\"'] = '\"',
+        ['\\'] = '\\'
+    };
+
+    size_t i = 0;   // Read position
+    size_t j = 0;   // Write position
+    size_t z;       // Span length
+
+    char * output;
+    os_malloc(1, output);
+
+    do {
+        z = strcspn(string + i, "\b\t\n\f\r\"\\");
+
+        if (string[i + z] == '\0') {
+            // End of string
+            os_realloc(output, j + z + 1, output);
+            strncpy(output + j, string + i, z);
+        } else {
+            // Reserved character
+            os_realloc(output, j + z + 3, output);
+            strncpy(output + j, string + i, z);
+            output[j + z] = '\\';
+            output[j + z + 1] = escape_map[(int)string[i + z]];
+            z++;
+            j++;
+        }
+
+        j += z;
+        i += z;
+    } while (string[i] != '\0');
+
+    output[j] = '\0';
+    return output;
+}
+
+// Unescape JSON reserved characters
+
+char * wstr_unescape_json(const char * string) {
+    const char UNESCAPE_MAP[] = {
+        ['b'] = '\b',
+        ['t'] = '\t',
+        ['n'] = '\n',
+        ['f'] = '\f',
+        ['r'] = '\r',
+        ['\"'] = '\"',
+        ['\\'] = '\\'
+    };
+
+    size_t i = 0;   // Read position
+    size_t j = 0;   // Write position
+    size_t z;       // Span length
+
+    char * output;
+    os_malloc(1, output);
+
+    do {
+        z = strcspn(string + i, "\\");
+
+        // Extend output and copy
+        os_realloc(output, j + z + 3, output);
+        strncpy(output + j, string + i, z);
+
+        i += z;
+        j += z;
+
+        if (string[i] != '\0') {
+            // Peek byte following '\'
+            switch (string[++i]) {
+            case '\0':
+                // End of string
+                output[j++] = '\\';
+                break;
+
+            case 'b':
+            case 't':
+            case 'n':
+            case 'f':
+            case 'r':
+            case '\"':
+            case '\\':
+                // Escaped character
+                output[j++] = UNESCAPE_MAP[(int)string[i++]];
+                break;
+
+            default:
+                // Bad escape
+                output[j++] = '\\';
+                output[j++] = string[i++];
+            }
+        }
+    } while (string[i] != '\0');
+
+    output[j] = '\0';
+    return output;
+}
+
+// Lowercase a string
+
+char * w_tolower_str(const char *string) {
+    char *tolower_str;
+    int count;
+
+    if (!string) {
+        return NULL;
+    }
+
+    os_malloc(1, tolower_str);
+
+    for(count = 0; string[count]; count++) {
+        os_realloc(tolower_str, count + 2, tolower_str);
+        tolower_str[count] = tolower(string[count]);
+    }
+
+    tolower_str[count] = '\0';
+
+    return tolower_str;
+}
+
+// Verify the string is not truncated after executing snprintf
+
+int os_snprintf(char *str, size_t size, const char *format, ...) {
+    size_t ret;
+    va_list args;
+
+    va_start(args, format);
+    ret = vsnprintf(str, size, format, args);
+    if (ret >= size) {
+        mwarn("String may be truncated because it is too long.");
+    }
+    va_end(args);
+
+    return ret;
+}
+
+// Remove a substring from a string
+
+char * w_remove_substr(char *str, const char *sub) {
+    char *p, *q, *r;
+
+    if (!str || !sub) {
+        return NULL;
+    }
+
+    if ((q = r = strstr(str, sub)) != NULL) {
+        size_t len = strlen(sub);
+        while ((r = strstr(p = r + len, sub)) != NULL) {
+            while (p < r)
+                *q++ = *p++;
+        }
+        while ((*q++ = *p++) != '\0')
+            continue;
+    }
+    return str;
+}
+
+char * w_strndup(const char * str, size_t n) {
+
+    char * str_cpy = NULL;
+    size_t str_len;
+
+    if (str == NULL) {
+        return str_cpy;
+    }
+
+    if (str_len = strlen(str), str_len > n) {
+        str_len = n;
+    }
+
+    os_malloc(str_len + 1, str_cpy);
+    if (str_len > 0) {
+        memcpy(str_cpy, str, str_len);
+    }
+
+    str_cpy[str_len] = '\0';
+
+    return str_cpy;
+}
+
+char ** w_string_split(const char *string_to_split, const char *delim, int max_array_size) {
+    char **paths = NULL;
+    char *state;
+    char *token;
+    int i = 0;
+    char *aux;
+
+    os_calloc(1, sizeof(char *), paths);
+
+    if (!string_to_split || !delim) {
+        return paths;
+    }
+    os_strdup(string_to_split, aux);
+
+    for(token = strtok_r(aux, delim, &state); token; token = strtok_r(NULL, delim, &state)){
+        os_realloc(paths, (i + 2) * sizeof(char *), paths);
+        os_strdup(token, paths[i]);
+        paths[i + 1] = NULL;
+        i++;
+        if (max_array_size && i >= max_array_size) break;
+    }
+    os_free(aux);
+
+    return paths;
+}
+
+// Append two strings
+
+char* w_strcat(char *a, const char *b, size_t n) {
+    if (a == NULL) {
+        return w_strndup(b, n);
+    }
+
+    size_t a_len = strlen(a);
+    size_t output_len = a_len + n;
+
+    os_realloc(a, output_len + 1, a);
+
+    memcpy(a + a_len, b, n);
+    a[output_len] = '\0';
+
+    return a;
+}
+
+// Append a string into the n-th position of a string array
+
+char** w_strarray_append(char **array, char *string, int n) {
+    os_realloc(array, sizeof(char *) * (n + 2), array);
+    array[n] = string;
+    array[n + 1] = NULL;
+
+    return array;
+}
+
+// Tokenize string separated by spaces, respecting double-quotes
+
+char** w_strtok(const char *string) {
+    bool quoting = false;
+    int output_n = 0;
+    char *accum = NULL;
+    char **output;
+
+    os_calloc(1, sizeof(char*), output);
+
+    const char *i;
+    const char *j;
+
+    for (i = string; (j = strpbrk(i, " \"\\")) != NULL; i = j + 1) {
+        switch (*j) {
+        case ' ':
+            if (quoting) {
+                accum = w_strcat(accum, i, j - i + 1);
+            } else {
+                if (j > i) {
+                    accum = w_strcat(accum, i, j - i);
+                }
+
+                if (accum != NULL) {
+                    output = w_strarray_append(output, accum, output_n++);
+                    accum = NULL;
+                }
+            }
+
+            break;
+
+        case '\"':
+            if (j > i || quoting) {
+                accum = w_strcat(accum, i, j - i);
+            }
+
+            quoting = !quoting;
+            break;
+
+        case '\\':
+            if (j > i) {
+                accum = w_strcat(accum, i, j - i);
+            }
+
+            if (j[1] != '\0') {
+                accum = w_strcat(accum, ++j, 1);
+            }
+        }
+    }
+
+    if (*i != '\0') {
+        accum = w_strcat(accum, i, strlen(i));
+    }
+
+    if (accum != NULL) {
+        output = w_strarray_append(output, accum, output_n);
+    }
+
+    return output;
+}
+
+char* w_strcat_list(char ** list, char sep_char) {
+
+    char * concatenation = NULL;
+    char sep[] = {sep_char, '\0'};
+
+    if (list != NULL) {
+        char ** FIRST_ELEMENT = list;
+        while (*list != NULL) {
+            if (list != FIRST_ELEMENT) {
+                concatenation = w_strcat(concatenation, sep, 1);
+            }
+            concatenation = w_strcat(concatenation, *list, w_strlen(*list));
+            list++;
+        }
+    }
+
+    return concatenation;
+}
+
+int print_hex_string(const char *src_buf, unsigned int src_size, char *dst_buf, unsigned int dst_size) {
+    if (src_buf && dst_buf) {
+        unsigned int i = 0;
+        for (; (i < (dst_size-1)/2) && (i < src_size); ++i) {
+            sprintf(dst_buf+2*i, "%.2x", src_buf[i]);
+        }
+        dst_buf[i * 2] = '\0';
+        return OS_SUCCESS;
+    }
+    return OS_INVALID;
+}
diff --git a/src/common/string_op/tests/unit/tests/CMakeLists.txt b/src/common/string_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..1fdfc0568e
--- /dev/null
+++ b/src/common/string_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,53 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_string_op")
+set(STRING_OP_BASE_FLAGS "${DEBUG_OP_WRAPPERS} -Wl,--wrap,syscom_dispatch")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${STRING_OP_BASE_FLAGS} -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${STRING_OP_BASE_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/string_op/tests/unit/tests/test_string_op.c b/src/common/string_op/tests/unit/tests/test_string_op.c
new file mode 100644
index 0000000000..f5bc9e5f75
--- /dev/null
+++ b/src/common/string_op/tests/unit/tests/test_string_op.c
@@ -0,0 +1,1207 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../headers/shared.h"
+
+char * w_tolower_str(const char *string);
+
+/* setup/teardown */
+
+int teardown_free_paths(void **state) {
+    char **paths = *state;
+    free_strarray(paths);
+
+    return 0;
+}
+
+/* tests */
+
+/* w_tolower_str */
+void test_w_tolower_str_NULL(void **state)
+{
+    char * string = NULL;
+
+    char* ret = w_tolower_str(string);
+    assert_null(ret);
+
+}
+
+void test_w_tolower_str_empty(void **state)
+{
+    char * string = "";
+
+    char* ret = w_tolower_str(string);
+    assert_string_equal(ret, "");
+
+    os_free(ret);
+
+}
+
+void test_w_tolower_str_caps(void **state)
+{
+    char * string = "TEST";
+
+    char* ret = w_tolower_str(string);
+    assert_string_equal(ret, "test");
+
+    os_free(ret);
+
+}
+
+void test_os_snprintf_short(void **state)
+{
+    int ret;
+    size_t size = 10;
+    char str[size + 1];
+
+    ret = os_snprintf(str, size, "%s%3d", "agent", 1);
+    assert_int_equal(ret, 8);
+}
+
+void test_os_snprintf_long(void **state)
+{
+    int ret;
+    size_t size = 5;
+    char str[size + 1];
+
+    expect_string(__wrap__mwarn, formatted_msg,"String may be truncated because it is too long.");
+    ret = os_snprintf(str, size, "%s%3d", "agent", 1);
+    assert_int_equal(ret, 8);
+}
+
+void test_os_snprintf_more_parameters(void **state)
+{
+    int ret;
+    size_t size = 100;
+    char str[size + 1];
+
+    ret = os_snprintf(str, size, "%s%3d:%s%s", "agent", 1, "sent ", "message");
+    assert_int_equal(ret, 21);
+}
+
+/* w_remove_substr */
+
+void test_w_remove_substr_null_sub(void **state)
+{
+    int i;
+    char * ret;
+    char * sub = NULL;
+    char * str = "This is a test";
+
+    ret = w_remove_substr(str, sub);
+    assert_null(ret);
+}
+
+void test_w_remove_substr_success(void **state)
+{
+    int i;
+    char * ret;
+    char * strings[] = {
+        "remove thisThis is the principal string.",
+        "This is the principal string.remove this",
+        "This isremove this the principal string."
+    };
+    int size_array = sizeof(strings) / sizeof(strings[0]);
+    char * substr = "remove this";
+    char * string;
+    char * str_cpy;
+
+    for (i = 0; i < size_array; i++) {
+        w_strdup(strings[i], string);
+        str_cpy = string;
+        ret = w_remove_substr(str_cpy, substr);
+        assert_string_equal(ret, "This is the principal string.");
+        os_free(str_cpy);
+    }
+}
+
+// Tests W_JSON_AddField
+
+void test_W_JSON_AddField_nest_object(void **state)
+{
+    cJSON * root = cJSON_CreateObject();
+    cJSON_AddObjectToObject(root, "test");
+    const char * key = "test.files";
+    const char * value = "[\"file1\",\"file2\",\"file3\"]";
+    char * output = NULL;
+
+    W_JSON_AddField(root, key, value);
+    output = cJSON_PrintUnformatted(root);
+    assert_string_equal(output, "{\"test\":{\"files\":[\"file1\",\"file2\",\"file3\"]}}");
+
+    os_free(output);
+    cJSON_Delete(root);
+}
+
+void test_W_JSON_AddField_nest_no_object(void **state)
+{
+    cJSON * root = cJSON_CreateObject();
+    const char * key = "test.files";
+    const char * value = "[\"file1\",\"file2\",\"file3\"]";
+    char * output = NULL;
+
+    W_JSON_AddField(root, key, value);
+    output = cJSON_PrintUnformatted(root);
+    assert_string_equal(output, "{\"test\":{\"files\":[\"file1\",\"file2\",\"file3\"]}}");
+
+    os_free(output);
+    cJSON_Delete(root);
+}
+
+void test_W_JSON_AddField_JSON_valid(void **state)
+{
+    cJSON * root = cJSON_CreateObject();
+    const char * key = "files";
+    const char * value = "[\"file1\",\"file2\",\"file3\"]";
+    char * output = NULL;
+
+    W_JSON_AddField(root, key, value);
+    output = cJSON_PrintUnformatted(root);
+    assert_string_equal(output, "{\"files\":[\"file1\",\"file2\",\"file3\"]}");
+
+    os_free(output);
+    cJSON_Delete(root);
+}
+
+void test_W_JSON_AddField_JSON_invalid(void **state)
+{
+    cJSON * root = cJSON_CreateObject();
+    const char * key = "files";
+    const char * value = "[\"file1\",\"file2\"],\"file3\"]";
+    char * output = NULL;
+
+    W_JSON_AddField(root, key, value);
+    output = cJSON_PrintUnformatted(root);
+    assert_string_equal(output, "{\"files\":\"[\\\"file1\\\",\\\"file2\\\"],\\\"file3\\\"]\"}");
+
+    os_free(output);
+    cJSON_Delete(root);
+}
+
+void test_W_JSON_AddField_string_time(void **state)
+{
+    cJSON * root = cJSON_CreateObject();
+    const char * key = "time";
+    const char * value = "[28/Oct/2020:10:22:11 +0000]";
+    char * output = NULL;
+
+    W_JSON_AddField(root, key, value);
+    output = cJSON_PrintUnformatted(root);
+    assert_string_equal(output, "{\"time\":\"[28/Oct/2020:10:22:11 +0000]\"}");
+
+    os_free(output);
+    cJSON_Delete(root);
+}
+/* w_strndup */
+void test_w_strndup_null_str(void ** state)
+{
+    const char * str = NULL;
+    assert_null(w_strndup(NULL, 5));
+}
+
+void test_w_strndup_str_less_than_n(void ** state)
+{
+    const char * str = "Test";
+    const char * expected_str = "Test";
+    char * retval;
+
+    retval = w_strndup(str, strlen(str)+10);
+    assert_string_equal(retval, expected_str);
+    assert_int_equal(strlen(retval), strlen(expected_str));
+    os_free(retval);
+}
+
+void test_w_strndup_str_greater_than_n(void ** state) {
+    const char * str = "Test Test Test Test";
+    const char * expected_str = "Test Test ";
+    char * retval;
+
+    retval = w_strndup(str, 10);
+    assert_string_equal(retval, expected_str);
+    assert_int_equal(strlen(retval), 10);
+    os_free(retval);
+}
+
+void test_w_strndup_str_equal_to_n(void ** state) {
+    const char * str = "Test Test Test Test";
+    const char * expected_str = "Test Test Test Test";
+    char * retval;
+
+    retval = w_strndup(str, strlen(expected_str));
+    assert_string_equal(retval, expected_str);
+    assert_int_equal(strlen(retval), strlen(expected_str));
+    os_free(retval);
+}
+
+
+void test_w_strndup_str_zero_n(void ** state) {
+    const char * str = "Test Test Test Test";
+    const char * expected_str = "Test Test Test Test";
+    char * retval;
+
+    retval = w_strndup(str, 0);
+    assert_string_equal(retval, "");
+    assert_int_equal(strlen(retval), 0);
+    os_free(retval);
+}
+
+void test_w_strcat_null_input(void ** state) {
+    const char * B = "Hello World";
+    char * a = w_strcat(NULL, B, strlen(B));
+
+    assert_string_equal(a, B);
+
+    free(a);
+}
+
+void test_w_strcat_string_input(void ** state) {
+    char * a = strdup("Hello");
+    const char * B = "World";
+    a = w_strcat(a, B, strlen(B));
+
+    assert_string_equal(a, "HelloWorld");
+
+    free(a);
+}
+
+void test_w_strarray_append(void ** state) {
+    char ** array = NULL;
+    char *a, *b;
+    int n = 0;
+
+    os_strdup("Hello", a);
+    os_strdup("World", b);
+
+    array = w_strarray_append(array, a, n++);
+    array = w_strarray_append(array, b, n++);
+
+    assert_ptr_equal(array[0], a);
+    assert_ptr_equal(array[1], b);
+    assert_null(array[2]);
+
+    free_strarray(array);
+}
+
+void test_w_strtok_empty(void ** state) {
+    char ** array = w_strtok("");
+    assert_null(array[0]);
+    free_strarray(array);
+}
+
+void test_w_strtok_nospaces(void ** state) {
+    char ** array = w_strtok("Hello");
+    assert_string_equal(array[0], "Hello");
+    assert_null(array[1]);
+    free_strarray(array);
+}
+
+void test_w_strtok_string(void ** state) {
+    char ** array = w_strtok("BB\"B BBB BBE\" \"\" F \"\\\"G\\\"\" \"BB\"B BB\\\\E\\ GGF D B");
+    assert_string_equal(array[0], "BBB BBB BBE");
+    assert_string_equal(array[1], "");
+    assert_string_equal(array[2], "F");
+    assert_string_equal(array[3], "\"G\"");
+    assert_string_equal(array[4], "BBB");
+    assert_string_equal(array[5], "BB\\E GGF");
+    assert_string_equal(array[6], "D");
+    assert_string_equal(array[7], "B");
+    assert_null(array[8]);
+    free_strarray(array);
+}
+
+void test_w_string_split_str_null(void ** state) {
+    const char *str = NULL;
+    char **paths = NULL;
+    const char *delim = ",";
+
+    paths = w_string_split(str, delim, 0);
+    *state = paths;
+    assert_null(paths[0]);
+}
+
+void test_w_string_split_delim_null(void ** state) {
+    const char *str = "test1,test2,test3";
+    char **paths = NULL;
+    const char *delim = NULL;
+
+    paths = w_string_split(str, delim, 0);
+    *state = paths;
+    assert_null(paths[0]);
+}
+
+void test_w_string_split_normal(void ** state) {
+    const char *str = "test1,test2,test3";
+    char *expected_str[] = {"test1","test2","test3"};
+    char **paths = NULL;
+    const char *delim = ",";
+
+    paths = w_string_split(str, delim, 0);
+    *state = paths;
+
+    assert_non_null(paths[0]);
+    for (int i = 0; paths[i]; i++){
+        assert_string_equal(paths[i], expected_str[i]);
+    }
+}
+
+void test_w_string_split_max_array_size(void ** state) {
+    const char *str = "test1,test2,test3,outofarray";
+    char *expected_str[] = {"test1","test2","test3"};
+    char **paths = NULL;
+    const char *delim = ",";
+
+    paths = w_string_split(str, delim, 3);
+    *state = paths;
+
+    assert_non_null(paths[0]);
+    for (int i = 0; paths[i]; i++){
+        assert_string_equal(paths[i], expected_str[i]);
+    }
+}
+
+
+void test_strnspn_escaped(void ** state)
+{
+    assert_int_equal(strcspn_escaped("ABC\\D ", ' '), 5);
+    assert_int_equal(strcspn_escaped("ABC\\ D", ' '), 6);
+    assert_int_equal(strcspn_escaped("ABCD\\", ' '), 5);
+    assert_int_equal(strcspn_escaped("ABCDE \\ ", ' '), 5);
+    assert_int_equal(strcspn_escaped("ABCDE\\\\ F", ' '), 7);
+    assert_int_equal(strcspn_escaped("ABCDE\\\\", ' '), 7);
+    assert_int_equal(strcspn_escaped("ABC\\ D E", ' '), 6);
+    assert_int_equal(strcspn_escaped("ABCDE", ' '), 5);
+}
+
+void test_json_escape(void ** state)
+{
+    const char * INPUTS[] = { "\b\tHello \n\f\r \"World\".\\", "Hello\b\t \n\f\r \"World\"\\.", NULL };
+    const char * EXPECTED_OUTPUTS[] = { "\\b\\tHello \\n\\f\\r \\\"World\\\".\\\\", "Hello\\b\\t \\n\\f\\r \\\"World\\\"\\\\.", NULL };
+    int i;
+
+    for (i = 0; INPUTS[i] != NULL; i++) {
+        char * output = wstr_escape_json(INPUTS[i]);
+        assert_string_equal(output, EXPECTED_OUTPUTS[i]);
+        free(output);
+    }
+}
+
+void test_json_unescape(void ** state)
+{
+    const char * INPUTS[] = { "\\b\\tHello \\n\\f\\r \\\"World\\\".\\\\", "Hello\\b\\t \\n\\f\\r \\\"World\\\"\\\\.", "Hello \\World", "Hello World\\", NULL };
+    const char * EXPECTED_OUTPUTS[] = { "\b\tHello \n\f\r \"World\".\\", "Hello\b\t \n\f\r \"World\"\\.", "Hello \\World", "Hello World\\", NULL };
+    int i;
+
+    for (i = 0; INPUTS[i] != NULL; i++) {
+        char * output = wstr_unescape_json(INPUTS[i]);
+        assert_string_equal(output, EXPECTED_OUTPUTS[i]);
+        free(output);
+    }
+}
+
+/* Test for wstr_replace */
+
+void test_wstr_replace_valid(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo /var";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_wstr_replace_double_$(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo $/var";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $$file", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_wstr_replace_surround_$(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo $/var$";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $$file$", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_wstr_replace_multiples_variable(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo /var /var";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file $file", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_wstr_replace_multiples_variables_surround_$(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo /var$ $/var$";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file$ $$file$", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_wstr_replace_different_variables(void **state)
+{
+    const char * INPUTS[] = {"$file","$home",NULL};
+    const char * replace[] = {"/var","/home"};
+    const char EXPECTED_OUTPUT[] = "echo /var /home";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file $home", subject);
+
+    for (int i = 0; INPUTS[i] != NULL; i++) {
+        ret = wstr_replace(subject, INPUTS[i], replace[i]);
+        os_free(subject);
+        subject = ret;
+    }
+    assert_string_equal(subject, EXPECTED_OUTPUT);
+    os_free(subject);
+}
+
+void test_wstr_replace_different_variables_surround_$(void **state)
+{
+    const char * INPUTS[] = {"$file","$home",NULL};
+    const char * replace[] = {"/var","/home"};
+    const char EXPECTED_OUTPUT[] = "echo $/var$ /home$";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $$file$ $home$", subject);
+
+    for (int i = 0; INPUTS[i] != NULL; i++) {
+        ret = wstr_replace(subject, INPUTS[i], replace[i]);
+        os_free(subject);
+        subject = ret;
+    }
+    assert_string_equal(subject, EXPECTED_OUTPUT);
+    os_free(subject);
+}
+
+void test_wstr_replace_different_variables_$(void **state)
+{
+    const char * INPUTS[] = {"$file","$home","$$",NULL};
+    const char * replace[] = {"/var","/home","/etc"};
+    const char EXPECTED_OUTPUT[] = "echo $/var /home/etc /etc";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $$file $home$$ $$", subject);
+
+    for (int i = 0; INPUTS[i] != NULL; i++) {
+        ret = wstr_replace(subject, INPUTS[i], replace[i]);
+        os_free(subject);
+        subject = ret;
+    }
+    assert_string_equal(subject, EXPECTED_OUTPUT);
+    os_free(subject);
+}
+
+void test_wstr_replace_different_variables_empty(void **state)
+{
+    const char * INPUTS[] = {"$file","$home","$empty",NULL};
+    const char * replace[] = {"/var","/home",""};
+    const char EXPECTED_OUTPUT[] = "echo /var /home ";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file $home $empty", subject);
+
+    for (int i = 0; INPUTS[i] != NULL; i++) {
+        ret = wstr_replace(subject, INPUTS[i], replace[i]);
+        os_free(subject);
+        subject = ret;
+    }
+    assert_string_equal(subject, EXPECTED_OUTPUT);
+    os_free(subject);
+}
+
+void test_wstr_replace_contained_variables(void **state)
+{
+    const char * INPUTS[] = {"$file_new","$file",NULL};
+    const char * replace[] = {"/var","/home",""};
+    const char EXPECTED_OUTPUT[] = "echo /var";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $file_new", subject);
+
+    for (int i = 0; INPUTS[i] != NULL; i++) {
+        ret = wstr_replace(subject, INPUTS[i], replace[i]);
+        os_free(subject);
+        subject = ret;
+    }
+    assert_string_equal(subject, EXPECTED_OUTPUT);
+    os_free(subject);
+}
+
+void test_wstr_replace_not_found(void **state)
+{
+    const char * search = "$file";
+    const char * replace = "/var";
+    const char EXPECTED_OUTPUT[] = "echo $fake";
+    char * subject = NULL;
+    char * ret = NULL;
+
+    os_strdup("echo $fake", subject);
+    ret = wstr_replace(subject, search, replace);
+    assert_string_equal(ret, EXPECTED_OUTPUT);
+    os_free(ret);
+    os_free(subject);
+}
+
+void test_w_strcat_list_null_list(void ** state) {
+
+    char ** list = NULL;
+    char * retstr;
+
+    retstr = w_strcat_list(list, ' ');
+
+    assert_null(retstr);
+}
+
+void test_w_strcat_list_empty_list(void ** state) {
+
+    char ** list = {NULL};
+    char * retstr;
+
+    retstr = w_strcat_list(list, ' ');
+
+    assert_null(retstr);
+}
+
+void test_w_strcat_list_one_element_list(void ** state) {
+
+    char * list[] = {"TestString", NULL};
+    char * retstr;
+
+    retstr = w_strcat_list(list, ' ');
+
+    assert_non_null(retstr);
+    assert_string_equal(retstr, "TestString");
+
+    os_free(retstr);
+}
+
+void test_w_strcat_list_large_list(void ** state) {
+
+    char * list[] = {"A", "large", "test", "string", "to", "be", "concatenated", "in", "this", "function", NULL};
+    char * retstr;
+
+    retstr = w_strcat_list(list, ' ');
+
+    assert_non_null(retstr);
+    assert_string_equal(retstr, "A large test string to be concatenated in this function");
+
+    os_free(retstr);
+}
+
+// Test os_shell_escape
+
+void test_os_shell_escape_already_escaped(void ** state) {
+
+    const char *src = "\\'";  // to scape: \'
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\\'");  // espected: \'
+
+    os_free(ret);
+}
+
+void test_os_shell_escape_not_escaped(void ** state) {
+
+    const char *src = "\'";  // to escape: '
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\\\'");  // espected: \'
+
+    os_free(ret);
+}
+
+void test_os_shell_escape_border(void ** state) {
+
+    const char *src = "$ border case `";  // to scape: $ border case `
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\\$ border case \\`");  // espected: \$ border case \`
+
+    os_free(ret);
+}
+
+void test_os_shell_escape_all(void ** state) {
+
+    const char *src = "\" \' \t ; ` > < | # * [ ] { } & $ ! : ( )";
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\\\" \\\' \\\t \\; \\` \\> \\< \\| \\# \\* \\[ \\] \\{ \\} \\& \\$ \\! \\: \\( \\)");
+
+    os_free(ret);
+}
+
+void test_os_shell_avoid_escape_all(void ** state) {
+
+    const char *src = "\\\" \\\' \\\t \\; \\` \\> \\< \\| \\# \\* \\[ \\] \\{ \\} \\& \\$ \\! \\: \\( \\)";
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\\\" \\\' \\\t \\; \\` \\> \\< \\| \\# \\* \\[ \\] \\{ \\} \\& \\$ \\! \\: \\( \\)");
+
+    os_free(ret);
+}
+
+void test_os_shell_escape_backslash(void ** state) {
+
+    const char *src = "\a \t \\a \\t";
+
+    char * ret = os_shell_escape(src);
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "\a \\\t \\\\a \\\\t");
+
+    os_free(ret);
+}
+
+void test_os_shell_double_escape(void ** state) {
+
+    const char *src = "\" \' \t ; ` > < | # * [ ] { } & $ ! : ( )";
+
+    char * ret1 = os_shell_escape(src);
+
+    assert_non_null(ret1);
+
+    char * ret2 = os_shell_escape(ret1);
+
+    assert_non_null(ret2);
+    assert_string_equal(ret1, ret2);
+
+    os_free(ret1);
+    os_free(ret2);
+}
+
+void test_strarray_size_null(void ** state) {
+    assert_int_equal(strarray_size(0), 0);
+}
+
+void test_strarray_size_zero(void ** state) {
+    char *str_array[] = {0};
+    assert_int_equal(strarray_size(str_array), 0);
+}
+
+void test_strarray_size(void ** state) {
+    char *str_array[] = {"one", "two", "three", "four", "five", 0};
+    assert_int_equal(strarray_size(str_array), 5);
+}
+
+void test_wstr_escape_dststr_null(void ** state) {
+
+    ssize_t ret = wstr_escape(NULL, 0, "test string without colons", '\\', ':');
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_wstr_escape_str_null(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), NULL, '\\', ':');
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_wstr_escape_not_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "test string without colons", '\\', ':');
+    assert_string_equal(dststr, "test string without colons");
+    assert_int_equal(ret, 26);
+}
+
+void test_wstr_escape_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "test string with one : colons", '\\', ':');
+    assert_string_equal(dststr, "test string with one \\: colons");
+    assert_int_equal(ret, 30);
+}
+
+void test_wstr_escape_corner_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), ":::test string with multi : colons:::", '|', ':');
+    assert_string_equal(dststr, "|:|:|:test string with multi |: colons|:|:|:");
+    assert_int_equal(ret, 44);
+}
+
+void test_wstr_escape_backslash_and_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "\\ \\ \\\\ \\: \\", '\\', ':');
+    assert_string_equal(dststr, "\\\\ \\\\ \\\\\\\\ \\\\\\: \\\\");
+    assert_int_equal(ret, 18);
+}
+
+void test_wstr_escape_at_sign_and_asterisk(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "@ @@ * # * @@ @", '*', '@');
+    assert_string_equal(dststr, "*@ *@*@ ** # ** *@*@ *@");
+    assert_int_equal(ret, 23);
+}
+
+void test_wstr_escape_buff_overflow(void ** state) {
+
+    char dststr[10];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "1 2 3 4 5 6 7", '*', '@');
+    assert_string_equal(dststr, "1 2 3 4 5");
+    assert_int_equal(ret, 9);
+}
+
+void test_wstr_escape_buff_overflow_escape_same_size(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "123456789", '\\', ':');
+    assert_string_equal(dststr, "12345678");
+    assert_int_equal(ret, 8);
+}
+
+
+void test_wstr_escape_buff_overflow_escape_same_size_colons(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "12345678:", '\\', ':');
+    assert_string_equal(dststr, "12345678");
+    assert_int_equal(ret, 8);
+}
+
+void test_wstr_escape_buff_overflow_escape_same_size_before_last_colons(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "1234567:9", '\\', ':');
+    assert_string_equal(dststr, "1234567");
+    assert_int_equal(ret, 7);
+}
+
+void test_wstr_escape_buff_overflow_escape_same_size_last_before_last_colons(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "1234567::", '\\', ':');
+    assert_string_equal(dststr, "1234567");
+    assert_int_equal(ret, 7);
+}
+
+void test_wstr_escape_buff_overflow_escape_same_size_multi_colons(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "123456:::", '\\', ':');
+    assert_string_equal(dststr, "123456\\:");
+    assert_int_equal(ret, 8);
+}
+
+void test_wstr_escape_buff_overflow_escape(void ** state) {
+
+    char dststr[10];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "1 : 3 : 5 6 7", '\\', ':');
+    assert_string_equal(dststr, "1 \\: 3 \\:");
+    assert_int_equal(ret, 9);
+}
+
+void test_wstr_escape_one_scape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_escape(dststr, sizeof(dststr), "\\", '\\', ':');
+    assert_string_equal(dststr, "\\\\");
+    assert_int_equal(ret, 2);
+}
+
+void test_wstr_unescape_dststr_null(void ** state) {
+
+    ssize_t ret = wstr_unescape(NULL, 0, "test string without colons", '\\');
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_wstr_unescape_str_null(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), NULL, '\\');
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_wstr_unescape_not_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "test string without colons", '\\');
+    assert_string_equal(dststr, "test string without colons");
+    assert_int_equal(ret, 26);
+}
+
+void test_wstr_unescape_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "test string with one \\: colons", '\\');
+    assert_string_equal(dststr, "test string with one : colons");
+    assert_int_equal(ret, 29);
+}
+
+void test_wstr_unescape_corner_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "|:|:|:test string with multi |: colons|:|:|:", '|');
+    assert_string_equal(dststr, ":::test string with multi : colons:::");
+    assert_int_equal(ret, 37);
+}
+
+void test_wstr_unescape_backslash_and_colons_escape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "\\\\ \\\\ \\\\\\\\ \\\\\\: \\\\", '\\');
+    assert_string_equal(dststr, "\\ \\ \\\\ \\: \\");
+    assert_int_equal(ret, 11);
+}
+
+void test_wstr_unescape_at_sign_and_asterisk(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "*@ *@*@ ** # ** *@*@ *@", '*');
+    assert_string_equal(dststr, "@ @@ * # * @@ @");
+    assert_int_equal(ret, 15);
+}
+
+void test_wstr_unescape_buff_overflow(void ** state) {
+
+    char dststr[10];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "1 2 3 4 5 6 7", '*');
+    assert_string_equal(dststr, "1 2 3 4 5");
+    assert_int_equal(ret, 9);
+}
+
+void test_wstr_unescape_buff_overflow_same_size(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "1234567*9", '*');
+    assert_string_equal(dststr, "12345679");
+    assert_int_equal(ret, 8);
+}
+
+void test_wstr_unescape_buff_overflow_same_size_last_escape(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "12345678*", '*');
+    assert_string_equal(dststr, "12345678");
+    assert_int_equal(ret, 8);
+}
+
+void test_wstr_unescape_buff_overflow_same_size_last_escape_asterisk(void ** state) {
+
+    char dststr[9];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "1234567**", '*');
+    assert_string_equal(dststr, "1234567*");
+    assert_int_equal(ret, 8);
+}
+
+void test_wstr_unescape_buff_overflow_escape(void ** state) {
+
+    char dststr[10];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "1 \\: 3 \\: 5 6 7", '\\');
+    assert_string_equal(dststr, "1 : 3 : 5");
+    assert_int_equal(ret, 9);
+}
+
+void test_wstr_unescape_one_scape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "\\", '\\');
+    assert_string_equal(dststr, "\\");
+    assert_int_equal(ret, 1);
+}
+
+void test_wstr_unescape_end_scape(void ** state) {
+
+    char dststr[OS_BUFFER_SIZE];
+
+    ssize_t ret = wstr_unescape(dststr, sizeof(dststr), "test \\a b\\", '\\');
+    assert_string_equal(dststr, "test a b\\");
+    assert_int_equal(ret, 9);
+}
+
+void test_wstr_chr_str_eof(void ** state) {
+
+    char * ret = wstr_chr_escape("\0", ':', '\\');
+    assert_null(ret);
+}
+
+void test_wstr_chr_str_without_character(void ** state) {
+
+    char str[OS_BUFFER_SIZE] = "test string without colons";
+    char * ret = wstr_chr_escape(str, ':', '\\');
+    assert_null(ret);
+}
+
+void test_wstr_chr_str_without_escaped_colons(void ** state) {
+
+    char str[OS_BUFFER_SIZE] = "test string with : escaped colons";
+    char * ret = wstr_chr_escape(str, ':', '\\');
+    assert_non_null(ret);
+    assert_ptr_equal(ret, str+17);
+    assert_int_equal(*ret, str[17]);
+}
+
+void test_wstr_chr_str_with_escaped_colons(void ** state) {
+
+    char str[OS_BUFFER_SIZE] = "test string with \\: escaped : colons";
+    char * ret = wstr_chr_escape(str, ':', '\\');
+    assert_non_null(ret);
+    assert_ptr_equal(ret, str+28);
+    assert_int_equal(*ret, str[28]);
+}
+
+void test_print_hex_string_ok(void ** state) {
+    char *str = "pj01W-923rjwqdoOS=ADJFj3209das.;a12['2.z";
+    char hex[OS_SIZE_2048 + 1] = {0};
+    int ret = print_hex_string(str, 40, hex, sizeof(hex));
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(hex, "706a3031572d393233726a7771646f4f533d41444a466a333230396461732e3b6131325b27322e7a");
+}
+
+void test_print_hex_string_partial_ok(void ** state) {
+    char *str = "pj01W-923rjwqdoOS=ADJFj3209das.;a12['2.z";
+    char hex[OS_SIZE_2048 + 1] = {0};
+    int ret = print_hex_string(str, 20, hex, sizeof(hex));
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(hex, "706a3031572d393233726a7771646f4f533d4144");
+}
+
+void test_print_hex_string_equal_dest_ok(void ** state) {
+    char *str = "pj01W-923rjwqdoOS=ADJFj3209das.;a12['2.z";
+    char hex[80 + 1] = {0};
+    int ret = print_hex_string(str, 40, hex, sizeof(hex));
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(hex, "706a3031572d393233726a7771646f4f533d41444a466a333230396461732e3b6131325b27322e7a");
+}
+
+void test_print_hex_string_miss_last_dest_ok(void ** state) {
+    char *str = "pj01W-923rjwqdoOS=ADJFj3209das.;a12['2.z";
+    char hex[80] = {0};
+    int ret = print_hex_string(str, 40, hex, sizeof(hex));
+    assert_int_equal(ret, OS_SUCCESS);
+    assert_string_equal(hex, "706a3031572d393233726a7771646f4f533d41444a466a333230396461732e3b6131325b27322e");
+}
+
+void test_print_hex_string_null_src_err(void ** state) {
+    char *str = NULL;
+    char hex[OS_SIZE_2048 + 1] = {0};
+    int ret = print_hex_string(str, 40, hex, sizeof(hex));
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_print_hex_string_null_dst_err(void ** state) {
+    char *str = "pj01W-923rjwqdoOS=ADJFj3209das.;a12['2.z";
+    char *hex = NULL;
+    int ret = print_hex_string(str, 40, hex, sizeof(hex));
+    assert_int_equal(ret, OS_INVALID);
+}
+
+/* Tests */
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        //Tests w_tolower_str
+        cmocka_unit_test(test_w_tolower_str_NULL),
+        cmocka_unit_test(test_w_tolower_str_empty),
+        cmocka_unit_test(test_w_tolower_str_caps),
+        // Tests os_snprintf
+        cmocka_unit_test(test_os_snprintf_short),
+        cmocka_unit_test(test_os_snprintf_long),
+        cmocka_unit_test(test_os_snprintf_more_parameters),
+        // Tests w_remove_substr
+        cmocka_unit_test(test_w_remove_substr_null_sub),
+        cmocka_unit_test(test_w_remove_substr_success),
+        // Tests W_JSON_AddField
+        cmocka_unit_test(test_W_JSON_AddField_nest_object),
+        cmocka_unit_test(test_W_JSON_AddField_nest_no_object),
+        cmocka_unit_test(test_W_JSON_AddField_JSON_valid),
+        cmocka_unit_test(test_W_JSON_AddField_JSON_invalid),
+        cmocka_unit_test(test_W_JSON_AddField_string_time),
+        // Tests w_strndup
+        cmocka_unit_test(test_w_strndup_null_str),
+        cmocka_unit_test(test_w_strndup_str_less_than_n),
+        cmocka_unit_test(test_w_strndup_str_greater_than_n),
+        cmocka_unit_test(test_w_strndup_str_equal_to_n),
+        cmocka_unit_test(test_w_strndup_str_zero_n),
+        // Tests w_strcat
+        cmocka_unit_test(test_w_strcat_null_input),
+        cmocka_unit_test(test_w_strcat_string_input),
+        // Tests w_strarray_append
+        cmocka_unit_test(test_w_strarray_append),
+        // Tests w_strtok
+        cmocka_unit_test(test_w_strtok_empty),
+        cmocka_unit_test(test_w_strtok_nospaces),
+        cmocka_unit_test(test_w_strtok_string),
+        // Tests w_string_split
+        cmocka_unit_test_teardown(test_w_string_split_str_null, teardown_free_paths),
+        cmocka_unit_test_teardown(test_w_string_split_delim_null, teardown_free_paths),
+        cmocka_unit_test_teardown(test_w_string_split_normal, teardown_free_paths),
+        cmocka_unit_test_teardown(test_w_string_split_max_array_size, teardown_free_paths),
+        // Tests escape/unescape
+        cmocka_unit_test(test_strnspn_escaped),
+        cmocka_unit_test(test_json_escape),
+        cmocka_unit_test(test_json_unescape),
+        // Tests wstr_replace
+        cmocka_unit_test(test_wstr_replace_valid),
+        cmocka_unit_test(test_wstr_replace_double_$),
+        cmocka_unit_test(test_wstr_replace_surround_$),
+        cmocka_unit_test(test_wstr_replace_multiples_variable),
+        cmocka_unit_test(test_wstr_replace_different_variables_surround_$),
+        cmocka_unit_test(test_wstr_replace_different_variables_$),
+        cmocka_unit_test(test_wstr_replace_different_variables_empty),
+        cmocka_unit_test(test_wstr_replace_different_variables),
+        cmocka_unit_test(test_wstr_replace_multiples_variables_surround_$),
+        cmocka_unit_test(test_wstr_replace_contained_variables),
+        cmocka_unit_test(test_wstr_replace_not_found),
+        // Tests w_strcat_list
+        cmocka_unit_test(test_w_strcat_list_null_list),
+        cmocka_unit_test(test_w_strcat_list_empty_list),
+        cmocka_unit_test(test_w_strcat_list_one_element_list),
+        cmocka_unit_test(test_w_strcat_list_large_list),
+        // Test os_shell_escape
+        cmocka_unit_test(test_os_shell_escape_already_escaped),
+        cmocka_unit_test(test_os_shell_escape_not_escaped),
+        cmocka_unit_test(test_os_shell_escape_border),
+        cmocka_unit_test(test_os_shell_escape_all),
+        cmocka_unit_test(test_os_shell_avoid_escape_all),
+        cmocka_unit_test(test_os_shell_escape_backslash),
+        cmocka_unit_test(test_os_shell_double_escape),
+        // Test strarray_size
+        cmocka_unit_test(test_strarray_size_null),
+        cmocka_unit_test(test_strarray_size_zero),
+        cmocka_unit_test(test_strarray_size),
+        // Test wstr_escape
+        cmocka_unit_test(test_wstr_escape_dststr_null),
+        cmocka_unit_test(test_wstr_escape_str_null),
+        cmocka_unit_test(test_wstr_escape_not_escape),
+        cmocka_unit_test(test_wstr_escape_colons_escape),
+        cmocka_unit_test(test_wstr_escape_corner_colons_escape),
+        cmocka_unit_test(test_wstr_escape_backslash_and_colons_escape),
+        cmocka_unit_test(test_wstr_escape_at_sign_and_asterisk),
+        cmocka_unit_test(test_wstr_escape_buff_overflow),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape_same_size),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape_same_size_colons),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape_same_size_before_last_colons),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape_same_size_last_before_last_colons),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape_same_size_multi_colons),
+        cmocka_unit_test(test_wstr_escape_buff_overflow_escape),
+        cmocka_unit_test(test_wstr_escape_one_scape),
+        // Test wstr_unescape
+        cmocka_unit_test(test_wstr_unescape_dststr_null),
+        cmocka_unit_test(test_wstr_unescape_str_null),
+        cmocka_unit_test(test_wstr_unescape_not_escape),
+        cmocka_unit_test(test_wstr_unescape_colons_escape),
+        cmocka_unit_test(test_wstr_unescape_corner_colons_escape),
+        cmocka_unit_test(test_wstr_unescape_backslash_and_colons_escape),
+        cmocka_unit_test(test_wstr_unescape_at_sign_and_asterisk),
+        cmocka_unit_test(test_wstr_unescape_buff_overflow),
+        cmocka_unit_test(test_wstr_unescape_buff_overflow_same_size),
+        cmocka_unit_test(test_wstr_unescape_buff_overflow_same_size_last_escape),
+        cmocka_unit_test(test_wstr_unescape_buff_overflow_same_size_last_escape_asterisk),
+        cmocka_unit_test(test_wstr_unescape_buff_overflow_escape),
+        cmocka_unit_test(test_wstr_unescape_one_scape),
+        cmocka_unit_test(test_wstr_unescape_end_scape),
+        // Test wstr_chr
+        cmocka_unit_test(test_wstr_chr_str_eof),
+        cmocka_unit_test(test_wstr_chr_str_without_character),
+        cmocka_unit_test(test_wstr_chr_str_without_escaped_colons),
+        cmocka_unit_test(test_wstr_chr_str_with_escaped_colons),
+        // Test print_hex_string
+        cmocka_unit_test(test_print_hex_string_ok),
+        cmocka_unit_test(test_print_hex_string_partial_ok),
+        cmocka_unit_test(test_print_hex_string_equal_dest_ok),
+        cmocka_unit_test(test_print_hex_string_miss_last_dest_ok),
+        cmocka_unit_test(test_print_hex_string_null_src_err),
+        cmocka_unit_test(test_print_hex_string_null_dst_err),
+
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/string_op/tests/unit/wrappers/string_op_wrappers.c b/src/common/string_op/tests/unit/wrappers/string_op_wrappers.c
new file mode 100644
index 0000000000..afb3840cc3
--- /dev/null
+++ b/src/common/string_op/tests/unit/wrappers/string_op_wrappers.c
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "string_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#ifdef WIN32
+char *__wrap_convert_windows_string(LPCWSTR string) {
+    check_expected(string);
+    return mock_type(char*);
+}
+#endif
+
+int __wrap_wstr_end(char *str, const char *str_end) {
+    if (str) {
+        check_expected(str);
+    }
+
+    if (str_end) {
+        check_expected(str_end);
+    }
+
+    return mock();
+}
+
+char *__wrap_wstr_escape_json(__attribute__ ((__unused__)) const char * string) {
+    return mock_type(char *);
+}
+
+char *__wrap_wstr_replace(const char * string, const char * search, const char * replace) {
+    check_expected(string);
+    check_expected(search);
+    check_expected(replace);
+
+    return mock_type(char*);
+}
+
+void __real_wstr_split(char *str, char *delim, char *replace_delim, int occurrences, char ***splitted_str);
+void __wrap_wstr_split(char *str, char *delim, char *replace_delim, int occurrences, char ***splitted_str) {
+    if(mock()) {
+        __real_wstr_split(str, delim, replace_delim, occurrences, splitted_str);
+    }
+    else {
+        *splitted_str = NULL;
+    }
+}
diff --git a/src/common/string_op/tests/unit/wrappers/string_op_wrappers.h b/src/common/string_op/tests/unit/wrappers/string_op_wrappers.h
new file mode 100644
index 0000000000..2a38469943
--- /dev/null
+++ b/src/common/string_op/tests/unit/wrappers/string_op_wrappers.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STRING_OP_WRAPPERS_h
+#define STRING_OP_WRAPPERS_h
+
+#include <string.h>
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+
+char *__wrap_convert_windows_string(LPCWSTR string);
+#endif
+
+int __wrap_wstr_end(char *str, const char *str_end);
+
+char *__wrap_wstr_escape_json(const char * string);
+
+char *__wrap_wstr_replace(const char * string, const char * search, const char * replace);
+
+void __wrap_wstr_split(char *str, char *delim, char *replace_delim, int occurrences, char ***splitted_str);
+
+#endif
diff --git a/src/modules/inventory/include/inventory.hpp b/src/common/sym_load/CMakeLists.txt
similarity index 100%
rename from src/modules/inventory/include/inventory.hpp
rename to src/common/sym_load/CMakeLists.txt
diff --git a/src/common/sym_load/include/sym_load.h b/src/common/sym_load/include/sym_load.h
new file mode 100644
index 0000000000..ac532206ec
--- /dev/null
+++ b/src/common/sym_load/include/sym_load.h
@@ -0,0 +1,35 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef H_SYMLOAD_OS
+#define H_SYMLOAD_OS
+
+#ifndef WIN32
+#include <dlfcn.h>
+#else
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+void* so_get_module_handle_on_path(const char *path, const char *so);
+void* so_get_module_handle(const char *so);
+/**
+ * @brief Check if a module/library is already loaded. Must call a corresponding so_free_library()
+ * if not used in WIN32. If RTLD_NOLOAD isn't found in the system,
+ * the behavior is the same than so_get_module_handle().
+ *
+ * @param so The name of the module/library to check.
+ * @return void* A handle to module if it is already loaded, NULL otherwise.
+ */
+void* so_check_module_loaded(const char *so);
+void* so_get_function_sym(void *handle, const char *function_name);
+int so_free_library(void *handle);
+
+#endif //H_SYMLOAD_OS
diff --git a/src/common/sym_load/src/sym_load.c b/src/common/sym_load/src/sym_load.c
new file mode 100644
index 0000000000..7484b21cf4
--- /dev/null
+++ b/src/common/sym_load/src/sym_load.c
@@ -0,0 +1,88 @@
+#include <stdio.h>
+#include "sym_load.h"
+
+#ifndef WIN32
+#ifdef RTLD_NOLOAD
+#define W_RTLD_NOLOAD RTLD_NOLOAD
+#else
+#define W_RTLD_NOLOAD 0x0
+#endif // RTLD_NOLOAD
+#endif // WIN32
+
+void* so_get_module_handle_on_path(const char *path, const char *so){
+#ifdef WIN32
+    char file_name[MAX_PATH] = { 0 };
+    snprintf(file_name, MAX_PATH-1, "%s%s.dll", path, so);
+    return LoadLibrary(file_name);
+#else
+    char file_name[4096] = { 0 };
+#if defined(__MACH__)
+    snprintf(file_name, 4096-1, "%slib%s.dylib", path, so);
+#else
+    snprintf(file_name, 4096-1, "%slib%s.so", path, so);
+#endif
+    return dlopen(file_name, RTLD_LAZY);
+#endif
+}
+
+void* so_get_module_handle(const char *so){
+#ifdef WIN32
+    char file_name[MAX_PATH] = { 0 };
+    snprintf(file_name, MAX_PATH-1, "%s.dll", so);
+
+    HMODULE handle = NULL;
+    char full_path[MAX_PATH] = { 0 };
+
+    // Get full path to the module's file.
+    // If the function succeeds, the return value is the length of the string that is copied to the buffer,
+    // in characters, not including the terminating null character.
+    // If the function fails, the return value is NULL.
+
+    if (GetFullPathName(file_name, MAX_PATH, full_path, NULL)) {
+        handle = LoadLibrary(full_path);
+    }
+
+    return handle;
+#else
+    char file_name[4096] = { 0 };
+#if defined(__MACH__)
+    snprintf(file_name, 4096-1, "lib%s.dylib", so);
+#else
+    snprintf(file_name, 4096-1, "lib%s.so", so);
+#endif
+    return dlopen(file_name, RTLD_LAZY);
+#endif
+}
+
+void* so_check_module_loaded(const char *so){
+#ifdef WIN32
+    char file_name[MAX_PATH] = { 0 };
+    snprintf(file_name, MAX_PATH-1, "%s.dll", so);
+    return GetModuleHandle(file_name);
+#else
+    char file_name[4096] = { 0 };
+#if defined(__MACH__)
+    snprintf(file_name, 4096-1, "lib%s.dylib", so);
+#else
+    snprintf(file_name, 4096-1, "lib%s.so", so);
+#endif
+    return dlopen(file_name, W_RTLD_NOLOAD | RTLD_LAZY);
+#endif
+}
+
+void* so_get_function_sym(void *handle, const char *function_name){
+#ifndef WIN32
+    return dlsym(handle, function_name);
+#else
+    return (void *)(intptr_t)GetProcAddress((HINSTANCE)handle, function_name);
+#endif
+}
+
+
+int so_free_library(void *handle){
+#ifndef WIN32
+    return dlclose(handle);
+#else
+    return FreeLibrary((HINSTANCE)handle);
+#endif
+}
diff --git a/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.c b/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.c
new file mode 100644
index 0000000000..3eb0cf0d66
--- /dev/null
+++ b/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.c
@@ -0,0 +1,59 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sym_load_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <errno.h>
+#include "../../common.h"
+
+void* __wrap_so_get_module_handle_on_path(const char *path, const char *so) {
+    if (test_mode) {
+        check_expected(path);
+        check_expected(so);
+        void *ret = mock_type(void*);
+
+        return ret;
+
+    }
+    return so_get_module_handle_on_path(path, so);
+}
+
+void* __wrap_so_get_module_handle(const char *so) {
+    if (test_mode) {
+        check_expected(so);
+        void *ret = mock_type(void*);
+
+        return ret;
+
+    }
+    return so_get_module_handle(so);
+}
+
+void* __wrap_so_get_function_sym(void *handle, const char *function_name) {
+    if (test_mode) {
+        check_expected(handle);
+        check_expected(function_name);
+        void *ret = mock_type(void*);
+
+        return ret;
+
+    }
+    return so_get_function_sym(handle, function_name);
+}
+
+int __wrap_so_free_library(void *handle) {
+    if (test_mode) {
+        check_expected(handle);
+        return mock();
+    }
+    return so_free_library(handle);
+}
diff --git a/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.h b/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.h
new file mode 100644
index 0000000000..a44231ef01
--- /dev/null
+++ b/src/common/sym_load/tests/unit/wrappers/sym_load_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYM_LOAD_WRAPPERS_H
+#define SYM_LOAD_WRAPPERS_H
+#include "sym_load.h"
+
+void* __wrap_so_get_module_handle_on_path(const char *path, const char *so);
+
+void* __wrap_so_get_module_handle(const char *so);
+
+void* __wrap_so_get_function_sym(void *handle, const char *function_name);
+
+int __wrap_so_free_library(void *handle);
+
+#endif
diff --git a/src/modules/inventory/src/inventory.cpp b/src/common/syscheck_op/CMakeLists.txt
similarity index 100%
rename from src/modules/inventory/src/inventory.cpp
rename to src/common/syscheck_op/CMakeLists.txt
diff --git a/src/common/syscheck_op/include/syscheck_op.h b/src/common/syscheck_op/include/syscheck_op.h
new file mode 100644
index 0000000000..6c9a0609b7
--- /dev/null
+++ b/src/common/syscheck_op/include/syscheck_op.h
@@ -0,0 +1,545 @@
+/*
+ * Shared functions for Syscheck events decoding
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef SYSCHECK_OP_H
+#define SYSCHECK_OP_H
+
+extern const char *SYSCHECK_EVENT_STRINGS[];
+
+#ifndef WIN32
+
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+
+// Windows file attributes
+#define FILE_ATTRIBUTE_READONLY                 0x00000001
+#define FILE_ATTRIBUTE_HIDDEN                   0x00000002
+#define FILE_ATTRIBUTE_SYSTEM                   0x00000004
+#define FILE_ATTRIBUTE_DIRECTORY                0x00000010
+#define FILE_ATTRIBUTE_ARCHIVE                  0x00000020
+#define FILE_ATTRIBUTE_DEVICE                   0x00000040
+#define FILE_ATTRIBUTE_NORMAL                   0x00000080
+#define FILE_ATTRIBUTE_TEMPORARY                0x00000100
+#define FILE_ATTRIBUTE_SPARSE_FILE              0x00000200
+#define FILE_ATTRIBUTE_REPARSE_POINT            0x00000400
+#define FILE_ATTRIBUTE_COMPRESSED               0x00000800
+#define FILE_ATTRIBUTE_OFFLINE                  0x00001000
+#define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED      0x00002000
+#define FILE_ATTRIBUTE_ENCRYPTED                0x00004000
+#define FILE_ATTRIBUTE_VIRTUAL                  0x00010000
+
+// Permissions
+// Generic rights
+#define GENERIC_READ                            0x80000000
+#define GENERIC_WRITE                           0x40000000
+#define GENERIC_EXECUTE                         0x20000000
+#define GENERIC_ALL                             0x10000000
+// Standard rights
+#define DELETE                                  0x00010000
+#define READ_CONTROL                            0x00020000
+#define WRITE_DAC                               0x00040000
+#define WRITE_OWNER                             0x00080000
+#define SYNCHRONIZE                             0x00100000
+
+// Specific rights
+#define FILE_READ_DATA                          0x00000001
+#define FILE_WRITE_DATA                         0x00000002
+#define FILE_APPEND_DATA                        0x00000004
+#define FILE_READ_EA                            0x00000008
+#define FILE_WRITE_EA                           0x00000010
+#define FILE_EXECUTE                            0x00000020
+#define FILE_READ_ATTRIBUTES                    0x00000080
+#define FILE_WRITE_ATTRIBUTES                   0x00000100
+
+#else
+
+#include "shared.h"
+#include "aclapi.h"
+#include <sddl.h>
+#include <winreg.h>
+
+#define BUFFER_LEN 1024
+
+//Windows registers
+#define STR_HKEY_CLASSES_ROOT                   "HKEY_CLASSES_ROOT"
+#define STR_HKEY_CURRENT_CONFIG                 "HKEY_CURRENT_CONFIG"
+#define STR_HKEY_CURRENT_USER                   "HKEY_CURRENT_USER"
+#define STR_HKEY_LOCAL_MACHINE                  "HKEY_LOCAL_MACHINE"
+#define STR_HKEY_PERFORMANCE_DATA               "HKEY_PERFORMANCE_DATA"
+#define STR_HKEY_USERS                          "HKEY_USERS"
+#define check_wildcard(x)                       strchr(x,'*') || strchr(x,'?')
+
+/* Fields for paths */
+typedef struct _reg_path_struct {
+    char* path;
+    int has_wildcard;
+    int checked;
+} reg_path_struct;
+
+#endif
+
+#include "../syscheckd/include/syscheck.h"
+#include "../analysisd/eventinfo.h"
+#include "../os_net/os_net.h"
+
+#define FILE_ATTRIBUTE_INTEGRITY_STREAM         0x00008000
+#define FILE_ATTRIBUTE_NO_SCRUB_DATA            0x00020000
+#define FILE_ATTRIBUTE_RECALL_ON_OPEN           0x00040000
+#define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS    0x00400000
+
+#define MAX_WIN_PERM_SIZE OS_SIZE_20480
+
+/* Fields for rules */
+typedef enum fim_fields {
+    FIM_FILE,
+    FIM_HARD_LINKS,
+    FIM_MODE,
+    FIM_SIZE,
+    FIM_SIZE_BEFORE,
+    FIM_PERM,
+    FIM_PERM_BEFORE,
+    FIM_UID,
+    FIM_UID_BEFORE,
+    FIM_GID,
+    FIM_GID_BEFORE,
+    FIM_MD5,
+    FIM_MD5_BEFORE,
+    FIM_SHA1,
+    FIM_SHA1_BEFORE,
+    FIM_UNAME,
+    FIM_UNAME_BEFORE,
+    FIM_GNAME,
+    FIM_GNAME_BEFORE,
+    FIM_MTIME,
+    FIM_MTIME_BEFORE,
+    FIM_INODE,
+    FIM_INODE_BEFORE,
+    FIM_SHA256,
+    FIM_SHA256_BEFORE,
+    FIM_DIFF,
+    FIM_ATTRS,
+    FIM_ATTRS_BEFORE,
+    FIM_CHFIELDS,
+    FIM_USER_ID,
+    FIM_USER_NAME,
+    FIM_GROUP_ID,
+    FIM_GROUP_NAME,
+    FIM_PROC_NAME,
+    FIM_PROC_PNAME,
+    FIM_AUDIT_CWD,
+    FIM_AUDIT_PCWD,
+    FIM_AUDIT_ID,
+    FIM_AUDIT_NAME,
+    FIM_EFFECTIVE_UID,
+    FIM_EFFECTIVE_NAME,
+    FIM_PPID,
+    FIM_PROC_ID,
+    FIM_TAG,
+    FIM_SYM_PATH,
+    FIM_REGISTRY_ARCH,
+    FIM_REGISTRY_VALUE_NAME,
+    FIM_REGISTRY_VALUE_TYPE,
+    FIM_REGISTRY_HASH,
+    FIM_ENTRY_TYPE,
+    FIM_EVENT_TYPE,
+    FIM_NFIELDS
+} fim_fields;
+
+typedef struct __sdb {
+    char comment[OS_MAXSTR + 1];
+    char size[OS_FLSIZE + 1];
+    char perm[OS_FLSIZE + 1];
+    char owner[OS_FLSIZE + 1];
+    char gowner[OS_FLSIZE + 1];
+    char md5[OS_FLSIZE + 1];
+    char sha1[OS_FLSIZE + 1];
+    char sha256[OS_FLSIZE + 1];
+    char mtime[OS_FLSIZE + 1];
+    char inode[OS_FLSIZE + 1];
+    char attrs[OS_SIZE_1024 + 1];
+    char sym_path[OS_FLSIZE + 1];
+
+    // Whodata fields
+    char user_id[OS_FLSIZE + 1];
+    char user_name[OS_FLSIZE + 1];
+    char group_id[OS_FLSIZE + 1];
+    char group_name[OS_FLSIZE + 1];
+    char process_name[OS_FLSIZE + 1];
+    char audit_uid[OS_FLSIZE + 1];
+    char audit_name[OS_FLSIZE + 1];
+    char effective_uid[OS_FLSIZE + 1];
+    char effective_name[OS_FLSIZE + 1];
+    char ppid[OS_FLSIZE + 1];
+    char process_id[OS_FLSIZE + 1];
+
+    int db_err;
+    int socket;
+} _sdb; /* syscheck db information */
+
+typedef struct sk_sum_wdata {
+    char *user_id;
+    char *user_name;
+    char *group_id;
+    char *group_name;
+    char *process_name;
+    char *cwd;
+    char *audit_uid;
+    char *audit_name;
+    char *effective_uid;
+    char *effective_name;
+    char *parent_name;
+    char *parent_cwd;
+    char *ppid;
+    char *process_id;
+} sk_sum_wdata;
+
+/* File sum structure */
+typedef struct sk_sum_t {
+    char *size;
+    int perm;
+    char *win_perm;
+    char *uid;
+    char *gid;
+    char *md5;
+    char *sha1;
+    char *sha256;
+    char *attributes;
+    char *uname;
+    char *gname;
+    long mtime;
+    long inode;
+    char *tag;
+    char *symbolic_path;
+    sk_sum_wdata wdata;
+    int changes;
+    char silent;
+    long date_alert;
+} sk_sum_t;
+
+/**
+ * @brief Parse c_sum string
+ *
+ * @param [out] sum
+ * @param [in] c_sum
+ * @param [in] w_sum
+ * @return 0 if success, 1 when c_sum denotes a deleted file, -1 on failure
+ */
+int sk_decode_sum(sk_sum_t *sum, char *c_sum, char *w_sum);
+
+/**
+ * @brief Parse fields changes and date_alert only provide for wazuh_db
+ *
+ * @param [out] sum
+ * @param [in] c_sum
+ * @return 0 if success, -1 on failure
+ */
+int sk_decode_extradata(sk_sum_t *sum, char *c_sum);
+
+/**
+ * @brief Fill an event with specific data
+ *
+ * @param [out] lf Event to be filled
+ * @param [in] f_name File name for the event
+ * @param [in] sum File sum used to fill the event
+ */
+void sk_fill_event(Eventinfo *lf, const char *f_name, const sk_sum_t *sum);
+
+/**
+ * @brief Fills a buffer with a specific file sum
+ *
+ * @param [in] sum File sum used to fill the buffer
+ * @param [out] output The output buffer to be written
+ * @param [in] size Size in bytes to be written into output
+ * @return 0 on success, -1 on failure
+ */
+int sk_build_sum(const sk_sum_t *sum, char *output, size_t size);
+
+/**
+ * @brief Delete from path to parent all empty folders
+ *
+ * @param path The path from which to delete
+ * @return 0 on success, -1 on failure
+ */
+int remove_empty_folders(const char *path);
+
+/**
+ * @brief Frees from memory a sk_sum_t structure
+ *
+ * @param [out] sum The sk_sum_t object to be freed
+ */
+void sk_sum_clean(sk_sum_t *sum);
+
+/**
+ * @brief Change in Windows paths all slashes for backslashes for compatibility
+ *
+ * @param [out] path The path of the file to be normalized
+ */
+void normalize_path(char *path);
+
+/**
+ * @brief Escape characteres '!', ':', ' ' from incomming string
+ *
+ * @param field Syscheck checksum string
+ * @return A string with escaped characters
+ */
+char *escape_syscheck_field(char *field);
+#ifndef CLIENT
+char *unescape_syscheck_field(char *sum);
+#endif
+
+#ifndef WIN32
+
+/**
+ * @brief Retrieves the user name from a user ID in UNIX
+ *
+ * @param uid The user ID
+ * @return The user name on success, NULL on failure
+ */
+char *get_user(int uid);
+
+/**
+ * @brief Retrieves the group name from a group ID in UNIX
+ *
+ * @param gid The group ID
+ * @return The group name on success, an empty string on failure
+ */
+char *get_group(int gid);
+
+
+#else
+
+/**
+ * @brief Retrieves the user name of the owner of a registry in Windows.
+ * Also sets the ID associated to that user.
+ *
+ * @post *sid is always allocated and must be freed after usage.
+ *
+ * @param path Registry path to check the owner of.
+ * @param sid The user ID associated to the user.
+ * @param hndl Handle for the registry to check the owner of.
+ *
+ * @return The user name on success, an empty string on failure.
+ */
+char *get_registry_user(const char *path, char **sid, HANDLE hndl);
+
+/**
+ * @brief Retrieves the user name of the owner of a file in Windows.
+ * Also sets the ID associated to that user.
+ *
+ * @post *sid is always allocated and must be freed after usage.
+ *
+ * @param path File path to check the owner of.
+ * @param sid The user ID associated to the user.
+ *
+ * @return The user name on success, an empty string on failure.
+ */
+char *get_file_user(const char *path, char **sid);
+
+/**
+ * @brief Retrieves the user name of the owner of a file or registry in Windows.
+ * Also sets the ID associated to that user.
+ *
+ * @post *sid is always allocated and must be freed after usage.
+ *
+ * @param path File or registry path to check the owner of.
+ * @param sid The user ID associated to the user.
+ * @param hndl Handle of the file or registry to check the owner of.
+ * @param object_type Type of the object to check the owner of (SE_FILE_OBJECT or SE_REGISTRY_KEY).
+ *
+ * @return The user name on success, an empty string on failure.
+ */
+char *get_user(const char *path, char **sid, HANDLE hndl, SE_OBJECT_TYPE object_type);
+
+/**
+ * @brief Check if a directory exists
+ *
+ * @param path Path of the directory to check
+ * @return The FILE_ATTRIBUTE_DIRECTORY bit mask on success, 0 on failure
+ */
+unsigned int w_directory_exists(const char *path);
+
+/**
+ * @brief Retrieves the attributes of a specific file (Windows)
+ *
+ * @param file_path The path of the file to check the attributes of
+ * @return The bit mask of the file attributes on success, 0 on failure
+ */
+unsigned int w_get_file_attrs(const char *file_path);
+
+/**
+ * @brief Retrieves the permissions of a specific file (Windows)
+ *
+ * @param [in] file_path The path of the file from which to check permissions
+ * @param [out] output_acl A cJSON pointer to an object holding the ACL of the file.
+ * @retval 0 on success.
+ * @retval -1 if the cJSON object could not be initialized.
+ * @retval An error code retrieved from `GetLastError` otherwise.
+ */
+int w_get_file_permissions(const char *file_path, cJSON **output_acl);
+
+/**
+ * @brief Retrieves the group name from a group ID in windows
+ *
+ * @return The group name on success, an empty string on failure
+ */
+char *get_group(__attribute__((unused)) int gid);
+
+/**
+ * @brief Retrieves the group name and gid of a registry key.
+ * Also sets the group ID associated to that group.
+ *
+ * @param sid The user ID associated to the group.
+ * @param hndl Handle for the registry to check the group of.
+ *
+ * @return The user name on success, NULL on failure.
+*/
+char *get_registry_group(char **sid, HANDLE hndl);
+
+/**
+ * @brief Retrieves the permissions of a registry key.
+ *
+ * @param [in] hndl Handle for the registry key to check the permissions of.
+ * @param [out] output_acl A cJSON pointer to an object holding the ACL of the file.
+ * @retval 0 on success.
+ * @retval -1 if the cJSON object could not be initialized.
+ * @retval An error code retrieved from `GetLastError` otherwise.
+*/
+DWORD get_registry_permissions(HKEY hndl, cJSON **output_acl);
+
+/**
+ * @brief Get last modification time from registry key.
+ *
+ * @param hndl Handle for the registry key to check the permissions of.
+ *
+ * @return Last modification time of registry key in POSIX format.
+*/
+unsigned int get_registry_mtime(HKEY hndl);
+
+/**
+ * @brief Retrieves the account information (name and domain) from SID
+ *
+ * @param [in] sid SID from which retrieve the information
+ * @param [out] account_name Buffer in which the account name is written
+ * @param [out] account_domain Buffer in which the account domain is written
+ * @return 0 on success, error code on failure
+ */
+int w_get_account_info(SID *sid, char **account_name, char **account_domain);
+
+/**
+ * @brief Checks if at least one structure exists whose path has a wildcard  (Windows)
+ *
+ * @param [in] array_struct Arrangement of structures.
+ * @retval 1 on success.
+ * @retval 0 if there is not more wildcards.
+ */
+int w_is_still_a_wildcard(reg_path_struct **array_struct);
+
+/**
+ * @brief Returns the HKEY corresponding to the root key name  (Windows)
+ *
+ * @param [in] str_rootkey String that represents the root key.
+ * @retval HKEY on success.
+ * @retval NULL if there is not match.
+ */
+HKEY w_switch_root_key(char* str_rootkey);
+
+/**
+ * @brief Return all keys based on a root key and subkey  (Windows)
+ *
+ * @param [in] root_key HKEY that represents the root key.
+ * @param [in] str_subkey String that represents the main subkey, this could be NULL.
+ * @retval A non empty array of string on success.
+ */
+char** w_list_all_keys(HKEY root_key, char* str_subkey);
+
+/**
+ * @brief Generate all valid paths that contains a * or ? (Windows)
+ *
+ * @param [in] array_struct Array of all possible paths.
+ * @param [out] array_struct Array of paths with tag checked in 1 and has_wildcard in 0.
+ */
+void w_expand_by_wildcard(reg_path_struct **array_struct, char wildcard_chr);
+
+
+/**
+ * @brief Extract the subkey from path (Windows)
+ *
+ * @param [in] key String path that contains the key and subkey.
+ * @return Allocated subkey or NULL if there is not one.
+ */
+char* get_subkey(char* key);
+
+/**
+ * @brief Return all possible paths based in a entry  (Windows)
+ *
+ * @param [in] entry Raw entry read from config file.
+ * @param [out] paths Array of paths expanded with tag checked in 1 and has_wildcard in 0.
+ */
+void expand_wildcard_registers(char* entry, char** paths);
+
+#endif
+
+/**
+ * @brief Converts a bit mask into a human readable format
+ *
+ * @param [out] str Buffer to be written
+ * @param [in] attrs Bit mask to be converted
+ */
+void decode_win_attributes(char *str, unsigned int attrs);
+
+/**
+ * @brief Decodes a permission string and converts it to a human readable format
+ *
+ * @param [in] raw_perm A raw string with the permissions
+ * @return A string in human readable format with the Windows permission
+ */
+char *decode_win_permissions(char *raw_perm);
+
+/**
+ * @brief Compares 2 Windows ACLs in JSON format
+ *
+ * @param [in] acl1 A cJSON object holding a Windows ACL
+ * @param [in] acl2 A cJSON object holding a Windows ACL
+ * @return `true` if ACLs are equal to each other, `false` otherwise
+ */
+bool compare_win_permissions(const cJSON * const acl1, const cJSON * const acl2);
+
+/**
+ * @brief Decodes a permission string and converts it to a human readable format
+ *
+ * @param [out] acl_json A cJSON with the permissions to decode
+ */
+void decode_win_acl_json(cJSON *acl_json);
+
+/**
+ * @brief Transforms a bit mask of attributes into a human readable cJSON
+ *
+ * @param attributes A string with the Windows attributes
+ * @return A cJSON with the attributes
+ */
+cJSON *attrs_to_json(const char *attributes);
+
+/**
+ * @brief Transforms a string of permissions into a human readable cJSON
+ *
+ * @param permissions Permissions string
+ * @return A cJSON with the permissions
+ */
+cJSON *win_perm_to_json(char *permissions);
+
+/**
+ * @brief Send a one-way message to Syscheck
+ *
+ * @param message Payload.
+ */
+void ag_send_syscheck(char * message);
+
+#endif /* SYSCHECK_OP_H */
diff --git a/src/common/syscheck_op/src/syscheck_op.c b/src/common/syscheck_op/src/syscheck_op.c
new file mode 100644
index 0000000000..4c34472e5d
--- /dev/null
+++ b/src/common/syscheck_op/src/syscheck_op.c
@@ -0,0 +1,1987 @@
+/*
+ * Shared functions for Syscheck events decoding
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "syscheck_op.h"
+
+const char *SYSCHECK_EVENT_STRINGS[] = {
+    [FIM_ADDED] = "added",
+    [FIM_MODIFIED] = "modified",
+    [FIM_READDED] = "readded",
+    [FIM_DELETED] = "deleted"
+};
+
+#ifdef WAZUH_UNIT_TESTING
+/* Replace assert with mock_assert */
+extern void mock_assert(const int result, const char* const expression,
+                        const char * const file, const int line);
+#undef assert
+#define assert(expression) \
+    mock_assert((int)(expression), #expression, __FILE__, __LINE__);
+
+#ifdef WIN32
+#include "unit_tests/wrappers/windows/aclapi_wrappers.h"
+#include "unit_tests/wrappers/windows/errhandlingapi_wrappers.h"
+#include "unit_tests/wrappers/windows/fileapi_wrappers.h"
+#include "unit_tests/wrappers/windows/handleapi_wrappers.h"
+#include "unit_tests/wrappers/windows/sddl_wrappers.h"
+#include "unit_tests/wrappers/windows/securitybaseapi_wrappers.h"
+#include "unit_tests/wrappers/windows/winbase_wrappers.h"
+#include "unit_tests/wrappers/windows/winreg_wrappers.h"
+
+#endif
+#endif
+
+#ifdef WIN32
+/**
+ * @brief Retrieves the permissions of a specific file (Windows)
+ *
+ * @param [out] ace_json cJSON with the mask to process
+ * @param [in] mask Mask with the permissions
+ * @param [in] ace_type string "allowed" or "denied" depends on ace type
+ */
+static void make_mask_readable (cJSON *ace_json, int mask, char *ace_type);
+#endif
+
+char *escape_syscheck_field(char *field) {
+    char *esc_it;
+
+    field = wstr_replace(field, "!", "\\!");
+    esc_it = wstr_replace(field, ":", "\\:");
+    free(field);
+    field = wstr_replace(esc_it, " ", "\\ ");
+    free(esc_it);
+
+    return field;
+}
+
+void normalize_path(char * path) {
+    assert(path != NULL);
+
+    char *ptname = path;
+
+    if(ptname[1] == ':' && ((ptname[0] >= 'A' && ptname[0] <= 'Z') || (ptname[0] >= 'a' && ptname[0] <= 'z'))) {
+        /* Change forward slashes to backslashes on entry */
+        ptname = strchr(ptname, '/');
+        while (ptname) {
+            *ptname = '\\';
+            ptname++;
+
+            ptname = strchr(ptname, '/');
+        }
+    }
+}
+
+int remove_empty_folders(const char *path) {
+    assert(path != NULL);
+
+    char DIFF_PATH[PATH_MAX] = DIFF_DIR;
+    const char *c;
+    char parent[PATH_MAX] = "\0";
+    char ** subdir;
+    int retval = 0;
+
+    // Get parent
+    c = strrchr(path, PATH_SEP);
+    if (c) {
+        memcpy(parent, path, c - path);
+        parent[c - path] = '\0';
+        // Don't delete above /diff
+        if (strcmp(DIFF_PATH, parent) != 0) {
+            subdir = wreaddir(parent);
+            if (!(subdir && *subdir)) {
+                // Remove empty folder
+                mdebug1("Removing empty directory '%s'.", parent);
+                if (rmdir_ex(parent) != 0) {
+                    mwarn("Empty directory '%s' couldn't be deleted. ('%s')", parent, strerror(errno));
+                    retval = -1;
+                } else {
+                    // Get parent and remove it if it's empty
+                    retval = remove_empty_folders(parent);
+                }
+            }
+
+            free_strarray(subdir);
+        }
+    }
+
+    return retval;
+}
+
+#ifndef WIN32
+#ifndef CLIENT
+int sk_decode_sum(sk_sum_t *sum, char *c_sum, char *w_sum) {
+    assert(sum != NULL);
+    assert(c_sum != NULL);
+
+    char *c_perm;
+    char *c_mtime;
+    char *c_inode;
+    char *attrs;
+    int retval = 0;
+    char * uname;
+
+    if (c_sum[0] == '-' && c_sum[1] == '1') {
+        retval = 1;
+    } else {
+        sum->size = c_sum;
+
+        if (!(c_perm = strchr(c_sum, ':')))
+            return -1;
+
+        *(c_perm++) = '\0';
+
+        if (!(sum->uid = wstr_chr(c_perm, ':')))
+            return -1;
+
+        *(sum->uid++) = '\0';
+
+        if (*c_perm == '|') {
+            // Windows permissions
+            char *unsc_perm = unescape_syscheck_field(c_perm);
+
+            // We need to transform them to the new format
+            // before processing
+            sum->win_perm = decode_win_permissions(unsc_perm);
+            free(unsc_perm);
+        } else if (*c_perm == ':') {
+        } else if (isdigit(*c_perm)) {
+            sum->perm = atoi(c_perm);
+        } else {
+            os_strdup(c_perm, sum->win_perm);
+        }
+
+        if (!(sum->gid = strchr(sum->uid, ':')))
+            return -1;
+
+        *(sum->gid++) = '\0';
+
+        if (!(sum->md5 = strchr(sum->gid, ':')))
+            return -1;
+
+        *(sum->md5++) = '\0';
+
+        if (!(sum->sha1 = strchr(sum->md5, ':')))
+            return -1;
+
+        *(sum->sha1++) = '\0';
+
+        // New fields: user name, group name, modification time and inode
+
+        if ((uname = strchr(sum->sha1, ':'))) {
+            *(uname++) = '\0';
+
+            if (!(sum->gname = strchr(uname, ':')))
+                return -1;
+
+            *(sum->gname++) = '\0';
+
+            sum->uname = os_strip_char(uname, '\\');
+
+            if (!(c_mtime = strchr(sum->gname, ':')))
+                return -1;
+
+            *(c_mtime++) = '\0';
+
+            if (!(c_inode = strchr(c_mtime, ':')))
+                return -1;
+
+            *(c_inode++) = '\0';
+
+            sum->sha256 = NULL;
+
+            if ((sum->sha256 = strchr(c_inode, ':'))) {
+                *(sum->sha256++) = '\0';
+
+                if (sum->sha256) {
+                    if (attrs = strchr(sum->sha256, ':'), attrs) {
+                        *(attrs++) = '\0';
+                        if (isdigit(*attrs)) {
+                            int attributes = strtoul(attrs, NULL, 10);
+                            os_calloc(OS_SIZE_256 + 1, sizeof(char), sum->attributes);
+                            decode_win_attributes(sum->attributes, attributes);
+                        } else {
+                            os_strdup(attrs, sum->attributes);
+                        }
+                    }
+                }
+
+                sum->mtime = atol(c_mtime);
+                sum->inode = atol(c_inode);
+            }
+        }
+    }
+
+    // Get extra data
+    if (w_sum) {
+        char * user_name;
+        char * process_name;
+        char * symbolic_path;
+
+        sum->wdata.user_id = w_sum;
+
+        if ((user_name = wstr_chr(w_sum, ':'))) {
+            *(user_name++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.group_id = wstr_chr(user_name, ':'))) {
+            *(sum->wdata.group_id++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.group_name = wstr_chr(sum->wdata.group_id, ':'))) {
+            *(sum->wdata.group_name++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((process_name = wstr_chr(sum->wdata.group_name, ':'))) {
+            *(process_name++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.audit_uid = wstr_chr(process_name, ':'))) {
+            *(sum->wdata.audit_uid++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.audit_name = wstr_chr(sum->wdata.audit_uid, ':'))) {
+            *(sum->wdata.audit_name++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.effective_uid = wstr_chr(sum->wdata.audit_name, ':'))) {
+            *(sum->wdata.effective_uid++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.effective_name = wstr_chr(sum->wdata.effective_uid, ':'))) {
+            *(sum->wdata.effective_name++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.ppid = wstr_chr(sum->wdata.effective_name, ':'))) {
+            *(sum->wdata.ppid++) = '\0';
+        } else {
+            return -1;
+        }
+
+        if ((sum->wdata.process_id = wstr_chr(sum->wdata.ppid, ':'))) {
+            *(sum->wdata.process_id++) = '\0';
+        } else {
+            return -1;
+        }
+
+        /* Look for a defined tag */
+        if (sum->tag = wstr_chr(sum->wdata.process_id, ':'), sum->tag) {
+            *(sum->tag++) = '\0';
+        } else {
+            sum->tag = NULL;
+        }
+
+        /* Look for a symbolic path */
+        if (sum->tag && (symbolic_path = wstr_chr(sum->tag, ':'))) {
+            *(symbolic_path++) = '\0';
+        } else {
+            symbolic_path = NULL;
+        }
+
+        /* Look if it is a silent event */
+        if (symbolic_path && (c_inode = wstr_chr(symbolic_path, ':'))) {
+            *(c_inode++) = '\0';
+            if (*c_inode == '+') {
+                sum->silent = 1;
+            }
+        }
+
+
+        sum->symbolic_path = unescape_syscheck_field(symbolic_path);
+        sum->wdata.user_name = unescape_syscheck_field(user_name);
+        sum->wdata.process_name = unescape_syscheck_field(process_name);
+        if (*sum->wdata.ppid == '-') {
+            sum->wdata.ppid = NULL;
+        }
+    }
+
+    return retval;
+}
+
+int sk_decode_extradata(sk_sum_t *sum, char *c_sum) {
+    char *changes;
+    char *date_alert;
+    char *sym_path;
+
+    assert(sum != NULL);
+    assert(c_sum != NULL);
+
+    if (changes = strchr(c_sum, '!'), !changes) {
+        return 0;
+    }
+    *changes++ = '\0';
+
+    if (date_alert = strchr(changes, ':'), !date_alert) {
+        return 0;
+    }
+    *(date_alert++) = '\0';
+
+    if (sym_path = strchr(date_alert, ':'), sym_path) {
+        *(sym_path++) = '\0';
+        sum->symbolic_path = unescape_syscheck_field(sym_path);
+    }
+
+    sum->changes = atoi(changes);
+    sum->date_alert = atol(date_alert);
+
+    return 1;
+}
+
+void sk_fill_event(Eventinfo *lf, const char *f_name, const sk_sum_t *sum) {
+    assert(lf != NULL);
+    assert(f_name != NULL);
+    assert(sum != NULL);
+
+    os_strdup(f_name, lf->fields[FIM_FILE].value);
+
+    if (sum->size) {
+        os_strdup(sum->size, lf->fields[FIM_SIZE].value);
+    }
+
+    if (sum->perm) {
+        os_calloc(7, sizeof(char), lf->fields[FIM_PERM].value);
+        snprintf(lf->fields[FIM_PERM].value, 7, "%06o", sum->perm);
+    } else if (sum->win_perm && *sum->win_perm != '\0') {
+        os_strdup(sum->win_perm, lf->fields[FIM_PERM].value);
+    }
+
+    if (sum->uid) {
+        os_strdup(sum->uid, lf->fields[FIM_UID].value);
+    }
+
+    if (sum->gid) {
+        os_strdup(sum->gid, lf->fields[FIM_GID].value);
+    }
+
+    if (sum->md5) {
+        os_strdup(sum->md5, lf->fields[FIM_MD5].value);
+    }
+
+    if (sum->sha1) {
+        os_strdup(sum->sha1, lf->fields[FIM_SHA1].value);
+    }
+
+    if (sum->uname) {
+        os_strdup(sum->uname, lf->fields[FIM_UNAME].value);
+    }
+
+    if (sum->gname) {
+        os_strdup(sum->gname, lf->fields[FIM_GNAME].value);
+    }
+
+    if (sum->mtime) {
+        lf->fields[FIM_MTIME].value = w_long_str(sum->mtime);
+    }
+
+    if (sum->inode) {
+        lf->fields[FIM_INODE].value = w_long_str(sum->inode);
+    }
+
+    if(sum->sha256) {
+        os_strdup(sum->sha256, lf->fields[FIM_SHA256].value);
+    }
+
+    if(sum->attributes) {
+        os_strdup(sum->attributes, lf->fields[FIM_ATTRS].value);
+    }
+
+    if(sum->wdata.user_id) {
+        os_strdup(sum->wdata.user_id, lf->fields[FIM_USER_ID].value);
+    }
+
+    if(sum->wdata.user_name) {
+        os_strdup(sum->wdata.user_name, lf->fields[FIM_USER_NAME].value);
+    }
+
+    if(sum->wdata.group_id) {
+        os_strdup(sum->wdata.group_id, lf->fields[FIM_GROUP_ID].value);
+    }
+
+    if(sum->wdata.group_name) {
+        os_strdup(sum->wdata.group_name, lf->fields[FIM_GROUP_NAME].value);
+    }
+
+    if(sum->wdata.process_name) {
+        os_strdup(sum->wdata.process_name, lf->fields[FIM_PROC_NAME].value);
+    }
+
+    if(sum->wdata.parent_name) {
+        os_strdup(sum->wdata.parent_name, lf->fields[FIM_PROC_PNAME].value);
+    }
+
+    if(sum->wdata.cwd) {
+        os_strdup(sum->wdata.cwd, lf->fields[FIM_AUDIT_CWD].value);
+    }
+
+    if(sum->wdata.parent_cwd) {
+        os_strdup(sum->wdata.parent_cwd, lf->fields[FIM_AUDIT_PCWD].value);
+    }
+
+    if(sum->wdata.audit_uid) {
+        os_strdup(sum->wdata.audit_uid, lf->fields[FIM_AUDIT_ID].value);
+    }
+
+    if(sum->wdata.audit_name) {
+        os_strdup(sum->wdata.audit_name, lf->fields[FIM_AUDIT_NAME].value);
+    }
+
+    if(sum->wdata.effective_uid) {
+        os_strdup(sum->wdata.effective_uid, lf->fields[FIM_EFFECTIVE_UID].value);
+    }
+
+    if(sum->wdata.effective_name) {
+        os_strdup(sum->wdata.effective_name, lf->fields[FIM_EFFECTIVE_NAME].value);
+    }
+
+    if(sum->wdata.ppid) {
+        os_strdup(sum->wdata.ppid, lf->fields[FIM_PPID].value);
+    }
+
+    if(sum->wdata.process_id) {
+        os_strdup(sum->wdata.process_id, lf->fields[FIM_PROC_ID].value);
+    }
+
+    if(sum->tag) {
+        os_strdup(sum->tag, lf->fields[FIM_TAG].value);
+    }
+
+    if(sum->symbolic_path) {
+        os_strdup(sum->symbolic_path, lf->fields[FIM_SYM_PATH].value);
+    }
+}
+
+int sk_build_sum(const sk_sum_t * sum, char * output, size_t size) {
+    int r;
+    char s_perm[16];
+    char s_mtime[16];
+    char s_inode[16];
+    char *username;
+
+    assert(sum != NULL);
+    assert(output != NULL);
+
+    if(sum->perm) {
+        snprintf(s_perm, sizeof(s_perm), "%d", sum->perm);
+    } else {
+        *s_perm = '\0';
+    }
+    snprintf(s_mtime, sizeof(s_mtime), "%ld", sum->mtime);
+    snprintf(s_inode, sizeof(s_inode), "%ld", sum->inode);
+
+    username = wstr_replace((const char*)sum->uname, " ", "\\ ");
+
+    // This string will be sent to Analysisd, who will parse it
+    // If it is a Windows event, we need to escape the permissions
+    char *win_perm = NULL;
+    if (sum->win_perm) {
+        win_perm = wstr_replace(sum->win_perm, ":", "\\:");
+    }
+
+    // size:permision:uid:gid:md5:sha1:uname:gname:mtime:inode:sha256:attrs!changes:date_alert
+    // ^^^^^^^^^^^^^^^^^^^^^^^^^^^checksum^^^^^^^^^^^^^^^^^^^^^^^^^^^!^^^^extradata^^^^^
+    r = snprintf(output, size, "%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s!%d:%ld",
+            sum->size,
+            (!win_perm) ? s_perm : win_perm,
+            sum->uid,
+            sum->gid,
+            sum->md5,
+            sum->sha1,
+            sum->uname ? username : "",
+            sum->gname ? sum->gname : "",
+            sum->mtime ? s_mtime : "",
+            sum->inode ? s_inode : "",
+            sum->sha256 ? sum->sha256 : "",
+            sum->attributes ? sum->attributes : "",
+            sum->changes,
+            sum->date_alert
+    );
+
+    free(win_perm);
+    free(username);
+    return r < (int)size ? 0 : -1;
+}
+
+void sk_sum_clean(sk_sum_t * sum) {
+    assert(sum != NULL);
+
+    os_free(sum->symbolic_path);
+    os_free(sum->attributes);
+    os_free(sum->wdata.user_name);
+    os_free(sum->wdata.process_name);
+    os_free(sum->wdata.parent_cwd);
+    os_free(sum->wdata.cwd);
+    os_free(sum->wdata.parent_name);
+    os_free(sum->uname);
+    os_free(sum->win_perm);
+}
+
+#endif /* #ifndef CLIENT */
+
+char *unescape_syscheck_field(char *sum) {
+    char *esc_it;
+
+    if (sum && *sum != '\0') {
+        // The parameter string is not released
+        sum = wstr_replace(sum, "\\ ", " ");
+        esc_it = wstr_replace(sum, "\\!", "!");
+        free(sum);
+        sum = wstr_replace(esc_it, "\\:", ":");
+        os_free(esc_it);
+        return sum;
+    }
+    return NULL;
+}
+
+char *get_user(int uid) {
+    struct passwd pwd;
+    struct passwd *result;
+    char *buf;
+    char *user_name = NULL;
+    int bufsize;
+    int errno;
+
+    bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+    if (bufsize == -1) {
+        bufsize = 16384;
+    }
+
+    os_calloc(bufsize, sizeof(char), buf);
+
+#if defined(SUN_MAJOR_VERSION) && defined(SUN_MINOR_VERSION)  && \
+    (SUN_MAJOR_VERSION < 11) || \
+    ((SUN_MAJOR_VERSION == 11) && (SUN_MINOR_VERSION < 4))
+    result = getpwuid_r(uid, &pwd, buf, bufsize);
+#else
+    errno = getpwuid_r(uid, &pwd, buf, bufsize, &result);
+#endif
+    if (result == NULL) {
+        if (errno == 0) {
+            mdebug2("User with uid '%d' not found.\n", uid);
+        }
+        else {
+            mdebug2("Failed getting user_name (%d): '%s'\n", errno, strerror(errno));
+        }
+    } else {
+        os_strdup(pwd.pw_name, user_name);
+    }
+
+    os_free(buf);
+
+    return user_name;
+}
+
+char *get_group(int gid) {
+    struct group grp;
+    struct group *result;
+    char *group_name = NULL;
+    char *buf;
+    int bufsize;
+
+    bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
+    if (bufsize == -1) {
+        bufsize = 16384;
+    }
+
+    os_calloc(bufsize, sizeof(char), buf);
+
+    result = w_getgrgid(gid, &grp, buf, bufsize);
+
+    if (result == NULL) {
+        if (errno == 0) {
+            mdebug2("Group with gid '%d' not found.\n", gid);
+        } else {
+            mdebug2("Failed getting group_name (%d): '%s'\n", errno, strerror(errno));
+        }
+    } else {
+        os_strdup(grp.gr_name, group_name);
+    }
+
+    os_free(buf);
+
+    return group_name;
+}
+
+/* Send a one-way message to Syscheck */
+void ag_send_syscheck(char * message) {
+    int sock = OS_ConnectUnixDomain(SYS_LOCAL_SOCK, SOCK_STREAM, OS_MAXSTR);
+
+    if (sock < 0) {
+        mwarn("dbsync: cannot connect to syscheck: %s (%d)", strerror(errno), errno);
+        return;
+    }
+
+    if (OS_SendSecureTCP(sock, strlen(message), message) < 0) {
+        mwarn("Cannot send message to syscheck: %s (%d)", strerror(errno), errno);
+    }
+
+    close(sock);
+}
+
+#else /* #ifndef WIN32 */
+
+// LCOV_EXCL_START
+char *get_registry_user(const char *path, char **sid, HANDLE hndl) {
+    return get_user(path, sid, hndl, SE_REGISTRY_KEY);
+}
+// LCOV_EXCL_STOP
+
+char *get_file_user(const char *path, char **sid) {
+    HANDLE hFile;
+    char *result;
+
+    // Get the handle of the file object.
+    hFile = CreateFile(TEXT(path),
+                       GENERIC_READ,
+                       FILE_SHARE_READ | FILE_SHARE_WRITE,
+                       NULL,
+                       OPEN_EXISTING,
+                       FILE_ATTRIBUTE_NORMAL,
+                       NULL);
+
+    // Check GetLastError for CreateFile error code.
+    if (hFile == INVALID_HANDLE_VALUE) {
+        DWORD dwErrorCode = GetLastError();
+        LPSTR messageBuffer = NULL;
+        LPSTR end;
+
+        FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+                      NULL, dwErrorCode, 0, (LPTSTR) &messageBuffer, 0, NULL);
+
+        if (end = strchr(messageBuffer, '\r'), end) {
+            *end = '\0';
+        }
+
+        switch (dwErrorCode) {
+        case ERROR_ACCESS_DENIED:     // 5
+        case ERROR_SHARING_VIOLATION: // 32
+            mdebug1("At get_user(%s): CreateFile(): %s (%lu)", path, messageBuffer, dwErrorCode);
+            break;
+        default:
+            mwarn("At get_user(%s): CreateFile(): %s (%lu)", path, messageBuffer, dwErrorCode);
+        }
+
+        LocalFree(messageBuffer);
+    }
+
+    result = get_user(path, sid, hFile, SE_FILE_OBJECT);
+
+    CloseHandle(hFile);
+
+    return result;
+}
+
+char *get_user(const char *path, char **sid, HANDLE hndl, SE_OBJECT_TYPE object_type) {
+    DWORD dwRtnCode = 0;
+    PSID pSidOwner = NULL;
+    BOOL bRtnBool = TRUE;
+    char AcctName[BUFFER_LEN];
+    char DomainName[BUFFER_LEN];
+    DWORD dwAcctName = BUFFER_LEN;
+    DWORD dwDomainName = BUFFER_LEN;
+    SID_NAME_USE eUse = SidTypeUnknown;
+    PSECURITY_DESCRIPTOR pSD = NULL;
+    LPSTR local_sid;
+    char *result;
+
+    if (hndl == INVALID_HANDLE_VALUE) {
+        os_strdup("", *sid);
+        *AcctName = '\0';
+        goto end;
+    }
+
+    // Get the owner SID of the file or registry
+    dwRtnCode = GetSecurityInfo(hndl,                       // Object handle
+                                object_type,                // Object type (file or registry)
+                                OWNER_SECURITY_INFORMATION, // Security information bit flags
+                                &pSidOwner,                 // Owner SID
+                                NULL,                       // Group SID
+                                NULL,                       // DACL
+                                NULL,                       // SACL
+                                &pSD);                      // Security descriptor
+
+    if (!ConvertSidToStringSid(pSidOwner, &local_sid)) {
+        os_strdup("", *sid);
+        mdebug1("The user's SID could not be extracted.");
+    } else {
+        os_strdup(local_sid, *sid);
+        LocalFree(local_sid);
+    }
+
+    if (dwRtnCode != ERROR_SUCCESS) {
+        mdebug1("GetSecurityInfo error code = (%lu), '%s'", dwRtnCode, win_strerror(dwRtnCode));
+        *AcctName = '\0';
+        goto end;
+    }
+
+    // Second call to LookupAccountSid to get the account name.
+    bRtnBool = LookupAccountSid(NULL,                   // Name of local or remote computer
+                                pSidOwner,              // Security identifier
+                                AcctName,               // Account name buffer
+                                (LPDWORD)&dwAcctName,   // Size of account name buffer
+                                DomainName,             // Domain name
+                                (LPDWORD)&dwDomainName, // Size of domain name buffer
+                                &eUse);                 // SID type
+
+    // Check GetLastError for LookupAccountSid error condition.
+    if (bRtnBool == FALSE) {
+        DWORD dwErrorCode = 0;
+
+        dwErrorCode = GetLastError();
+
+        if (dwErrorCode == ERROR_NONE_MAPPED) {
+            mdebug1("Account owner not found for '%s'", path);
+        }
+        else {
+            LPSTR messageBuffer = NULL;
+            LPSTR end;
+
+            FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+                          NULL, dwErrorCode, 0, (LPTSTR) &messageBuffer, 0, NULL);
+            if (end = strchr(messageBuffer, '\r'), end) {
+                *end = '\0';
+            }
+
+            mwarn(FIM_REGISTRY_ACC_SID, "user", dwErrorCode, messageBuffer);
+            LocalFree(messageBuffer);
+        }
+
+        *AcctName = '\0';
+    }
+
+end:
+    if (pSD) {
+        LocalFree(pSD);
+    }
+
+    result = wstr_replace(AcctName, " ", "\\ ");
+
+    return result;
+}
+
+
+/**
+ * @brief Retrieves the permissions of a specific file (Windows)
+ *
+ * @param [out] acl_json cJSON to write the permissions
+ * @param [in] sid The user ID associated to the user
+ * @param [in] account_name The account name associated to the sid
+ * @param [in] ace_type int with 0 if "allowed" ace, 1 if "denied" ace
+ * @param [in] mask Mask with the permissions
+ */
+static void add_ace_to_json(cJSON *acl_json, char *sid, char *account_name, const char *ace_type, int mask) {
+    cJSON *ace_json = NULL;
+    cJSON *mask_json = NULL;
+
+    ace_json = cJSON_GetObjectItem(acl_json, sid);
+    if (ace_json == NULL) {
+        ace_json = cJSON_CreateObject();
+        if (ace_json == NULL) {
+            mwarn(FIM_CJSON_ERROR_CREATE_ITEM);
+            return;
+        }
+        cJSON_AddStringToObject(ace_json, "name", account_name);
+        cJSON_AddItemToObject(acl_json, sid, ace_json);
+    }
+
+    mask_json = cJSON_GetObjectItem(ace_json, ace_type);
+    if (mask_json == NULL) {
+        cJSON_AddNumberToObject(ace_json, ace_type, mask);
+        return;
+    }
+
+    cJSON_SetNumberValue(mask_json, (mask_json->valueint | mask));
+
+    return;
+}
+
+
+/**
+ * @brief Retrieves the permissions of a specific file (Windows)
+ *
+ * @param [in] ace ACE structure
+ * @param [out] acl_json cJSON to write the permissions
+ * @return 0 on success, the error code on failure, -2 if ACE could not be obtained
+ */
+static int process_ace_info(void *ace, cJSON *acl_json) {
+    SID *sid;
+    char *sid_str = NULL;
+    char *account_name = NULL;
+    char *domain_name = NULL;
+    int mask;
+    int ace_type;
+    int error;
+
+    if (((ACCESS_ALLOWED_ACE *)ace)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
+        ACCESS_ALLOWED_ACE *allowed_ace = (ACCESS_ALLOWED_ACE *)ace;
+        sid = (SID *)&allowed_ace->SidStart;
+        mask = allowed_ace->Mask;
+        ace_type = 0;
+    } else if (((ACCESS_DENIED_ACE *)ace)->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
+        ACCESS_DENIED_ACE *denied_ace = (ACCESS_DENIED_ACE *)ace;
+        sid = (SID *)&denied_ace->SidStart;
+        mask = denied_ace->Mask;
+        ace_type = 1;
+    } else {
+        mdebug2("Invalid ACE type.");
+        return 1;
+    }
+
+    if (!IsValidSid(sid)) {
+        mdebug2("Invalid SID found in ACE.");
+        return 1;
+    }
+
+    if (error = w_get_account_info(sid, &account_name, &domain_name), error) {
+        mdebug2("No information could be extracted from the account linked to the SID. Error: %d.", error);
+    }
+
+    if (!ConvertSidToStringSid(sid, &sid_str)) {
+        mdebug2("Could not extract the SID.");
+        os_free(account_name);
+        os_free(domain_name);
+        return 1;
+    }
+
+    add_ace_to_json(acl_json, sid_str, account_name, ace_type ? "denied" : "allowed", mask);
+
+    LocalFree(sid_str);
+    os_free(account_name);
+    os_free(domain_name);
+
+    return 0;
+}
+
+/**
+ * @brief Translates an ACL permissions to JSON.
+ *
+ * @param [in] pSecurityDescriptor A security descriptor to be translated.
+ * @param [out] acl_json A pointer to a cJSON object where information will be stored.
+ * @retval 0 on success.
+ * @retval -1 if the cJSON object could not be initialized.
+ * @retval -2 if no DACL is retrieved.
+ * @retval An error code retrieved from `GetLastError` otherwise.
+ */
+static int get_win_permissions(PSECURITY_DESCRIPTOR pSecurityDescriptor, cJSON **output_acl) {
+    ACL_SIZE_INFORMATION aclsizeinfo;
+    ACCESS_ALLOWED_ACE *pAce = NULL;
+    PACL pDacl = NULL;
+    BOOL fDaclPresent = FALSE;
+    BOOL fDaclDefaulted = TRUE;
+    BOOL bRtnBool = TRUE;
+    DWORD dwErrorCode = 0;
+    DWORD cAce;
+    cJSON *acl_json = cJSON_CreateObject();
+
+    if (acl_json == NULL) {
+        mwarn(FIM_CJSON_ERROR_CREATE_ITEM);
+        return -1;
+    }
+
+    // Retrieve a pointer to the DACL in the security descriptor.
+    bRtnBool = GetSecurityDescriptorDacl(pSecurityDescriptor,   // Structure that contains the DACL
+                                         &fDaclPresent,         // Indicates the presence of a DACL
+                                         &pDacl,                // Pointer to ACL
+                                         &fDaclDefaulted);      // Flag set to the value of the SE_DACL_DEFAULTED flag
+
+    if (bRtnBool == FALSE) {
+        dwErrorCode = GetLastError();
+        mdebug2("GetSecurityDescriptorDacl failed. GetLastError returned: %ld", dwErrorCode);
+
+        cJSON_Delete(acl_json);
+        return dwErrorCode;
+    }
+
+    // Check whether no DACL or a NULL DACL was retrieved from the security descriptor buffer.
+    if (fDaclPresent == FALSE || pDacl == NULL) {
+        mdebug2("No DACL was found (all access is denied), or a NULL DACL (unrestricted access) was found.");
+
+        cJSON_Delete(acl_json);
+        return -2;
+    }
+
+    // Retrieve the ACL_SIZE_INFORMATION structure to find the number of ACEs in the DACL.
+    bRtnBool = GetAclInformation(pDacl,                 // Pointer to an ACL
+                                 &aclsizeinfo,          // Pointer to a buffer to receive the requested information
+                                 sizeof(aclsizeinfo),   // The size, in bytes, of the buffer
+                                 AclSizeInformation);   // Fill the buffer with an ACL_SIZE_INFORMATION structure
+
+    if (bRtnBool == FALSE) {
+        dwErrorCode = GetLastError();
+        mdebug2("GetAclInformation failed. GetLastError returned: %ld", dwErrorCode);
+
+        cJSON_Delete(acl_json);
+        return dwErrorCode;
+    }
+
+    // Loop through the ACEs to get the information.
+    for (cAce = 0; cAce < aclsizeinfo.AceCount; cAce++) {
+        // Get ACE info
+        if (GetAce(pDacl, cAce, (LPVOID*)&pAce) == FALSE) {
+            mdebug2("GetAce failed. GetLastError returned: %ld", GetLastError());
+            continue;
+        }
+        if (process_ace_info(pAce, acl_json)) {
+            mdebug1("ACE number %lu could not be processed.", cAce);
+        }
+    }
+
+    *output_acl = acl_json;
+
+    return 0;
+}
+
+
+int w_get_file_permissions(const char *file_path, cJSON **output_acl) {
+    int retval = 0;
+    SECURITY_DESCRIPTOR *s_desc = NULL;
+    unsigned long size = 0;
+
+    if (!GetFileSecurity(file_path, DACL_SECURITY_INFORMATION, 0, 0, &size)) {
+        retval = GetLastError();
+
+        // We must have this error at this point
+        if (retval != ERROR_INSUFFICIENT_BUFFER) {
+            goto end;
+        }
+    }
+
+    os_calloc(size, 1, s_desc);
+
+    if (!GetFileSecurity(file_path, DACL_SECURITY_INFORMATION, s_desc, size, &size)) {
+        retval = GetLastError();
+        goto end;
+    }
+
+    retval = get_win_permissions(s_desc, output_acl);
+
+    if (retval != 0) {
+        goto end;
+    }
+
+end:
+    free(s_desc);
+    return retval;
+}
+
+int w_get_account_info(SID *sid, char **account_name, char **account_domain) {
+    SID_NAME_USE snu;
+    unsigned long a_name_size = 0;
+    unsigned long a_domain_size = 0;
+    int error;
+
+    if (error = LookupAccountSid(0, sid, NULL, &a_name_size, NULL, &a_domain_size, &snu), !error) {
+        // We must have this error at this point
+        if (error = GetLastError(), error != ERROR_INSUFFICIENT_BUFFER) {
+            return GetLastError();
+        }
+    }
+
+    os_calloc(a_name_size, sizeof(char), *account_name);
+    os_calloc(a_domain_size, sizeof(char), *account_domain);
+
+    if (error = LookupAccountSid(0, sid, *account_name, &a_name_size, *account_domain, &a_domain_size, &snu), !error) {
+        return GetLastError();
+    }
+
+    return 0;
+}
+
+unsigned int w_directory_exists(const char *path){
+    if (path != NULL){
+        unsigned int attrs = w_get_file_attrs(path);
+        return attrs & FILE_ATTRIBUTE_DIRECTORY;
+    }
+
+    return 0;
+}
+
+unsigned int w_get_file_attrs(const char *file_path) {
+    unsigned int attrs;
+
+    if (attrs = GetFileAttributesA(file_path), attrs == INVALID_FILE_ATTRIBUTES) {
+        attrs = 0;
+        mdebug2("The attributes for '%s' could not be obtained. Error '%ld'.", file_path, GetLastError());
+    }
+
+    return attrs;
+}
+
+char *get_group(__attribute__((unused)) int gid) {
+    char *result;
+
+    os_strdup("", result);
+    return result;
+}
+
+char *get_registry_group(char **sid, HANDLE hndl) {
+    DWORD dwRtnCode = 0;
+    PSID pSidGroup = NULL;
+    BOOL bRtnBool = TRUE;
+    char GrpName[BUFFER_LEN];
+    char DomainName[BUFFER_LEN];
+    DWORD dwGrpName = BUFFER_LEN;
+    DWORD dwDomainName = BUFFER_LEN;
+    SID_NAME_USE eUse = SidTypeUnknown;
+    PSECURITY_DESCRIPTOR pSD = NULL;
+    char *result;
+    LPSTR local_sid;
+
+    // Get the group SID of the file or registry
+    dwRtnCode = GetSecurityInfo(hndl,                       // Object handle
+                                SE_REGISTRY_KEY,            // Object type (file or registry)
+                                GROUP_SECURITY_INFORMATION, // Security information bit flags
+                                NULL,                       // Owner SID
+                                &pSidGroup,                 // Group SID
+                                NULL,                       // DACL
+                                NULL,                       // SACL
+                                &pSD);                      // Security descriptor
+
+    if (!ConvertSidToStringSid(pSidGroup, &local_sid)) {
+        os_strdup("", *sid);
+        mdebug1("The user's SID could not be extracted.");
+    } else {
+        os_strdup(local_sid, *sid);
+        LocalFree(local_sid);
+    }
+
+    if (dwRtnCode != ERROR_SUCCESS) {
+        mdebug1("GetSecurityInfo error code = (%lu), '%s'", dwRtnCode, win_strerror(dwRtnCode));
+        *GrpName = '\0';
+        goto end;
+    }
+
+    // Second call to LookupAccountSid to get the account name.
+    bRtnBool = LookupAccountSid(NULL,                   // Name of local or remote computer
+                                pSidGroup,              // Security identifier
+                                GrpName,                // Group name buffer
+                                (LPDWORD)&dwGrpName,    // Size of group name buffer
+                                DomainName,             // Domain name
+                                (LPDWORD)&dwDomainName, // Size of domain name buffer
+                                &eUse);                 // SID type
+
+    if (strncmp(GrpName, "None", 4) == 0) {
+        *GrpName = '\0';
+    }
+
+    // Check GetLastError for LookupAccountSid error condition.
+    if (bRtnBool == FALSE) {
+        DWORD dwErrorCode = 0;
+
+        dwErrorCode = GetLastError();
+        if (dwErrorCode == ERROR_NONE_MAPPED) {
+            mdebug1("Group not found for registry key");
+        }
+        else {
+            LPSTR messageBuffer = NULL;
+            LPSTR end;
+
+            FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+                          NULL, dwErrorCode, 0, (LPTSTR) &messageBuffer, 0, NULL);
+            if (end = strchr(messageBuffer, '\r'), end) {
+                *end = '\0';
+            }
+
+            mwarn(FIM_REGISTRY_ACC_SID, "group", dwErrorCode, messageBuffer);
+            LocalFree(messageBuffer);
+        }
+
+        *GrpName = '\0';
+    }
+
+end:
+    if (pSD) {
+        LocalFree(pSD);
+    }
+
+    result = wstr_replace(GrpName, " ", "\\ ");
+
+    return result;
+}
+
+DWORD get_registry_permissions(HKEY hndl, cJSON **output_acl) {
+    PSECURITY_DESCRIPTOR pSecurityDescriptor;
+    DWORD dwRtnCode = 0;
+    DWORD lpcbSecurityDescriptor = 0;
+
+    dwRtnCode = RegGetKeySecurity(hndl, DACL_SECURITY_INFORMATION, NULL, &lpcbSecurityDescriptor);
+
+    if (dwRtnCode != ERROR_INSUFFICIENT_BUFFER) {
+        return dwRtnCode;
+    }
+
+    os_calloc(lpcbSecurityDescriptor, 1, pSecurityDescriptor);
+
+    // Get the security information.
+    dwRtnCode = RegGetKeySecurity(hndl,                         // Handle to an open key
+                                  DACL_SECURITY_INFORMATION,    // Request DACL security information
+                                  pSecurityDescriptor,          // Pointer that receives the DACL information
+                                  &lpcbSecurityDescriptor);     // Pointer that specifies the size, in bytes
+
+    if (dwRtnCode != ERROR_SUCCESS) {
+        os_free(pSecurityDescriptor);
+        return dwRtnCode;
+    }
+
+    dwRtnCode = get_win_permissions(pSecurityDescriptor, output_acl);
+
+    if (dwRtnCode != 0) {
+        os_free(pSecurityDescriptor);
+        return dwRtnCode;
+    }
+
+    os_free(pSecurityDescriptor);
+
+    return ERROR_SUCCESS;
+}
+
+unsigned int get_registry_mtime(HKEY hndl) {
+    FILETIME lpftLastWriteTime;
+    DWORD dwRtnCode = 0;
+
+    dwRtnCode = RegQueryInfoKeyA(hndl, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, &lpftLastWriteTime);
+
+    if (dwRtnCode != ERROR_SUCCESS) {
+        mwarn("Couldn't get modification time for registry key.");
+        return 0;
+    }
+
+    return get_windows_file_time_epoch(lpftLastWriteTime);
+}
+
+/* Send a one-way message to Syscheck */
+void ag_send_syscheck(char * message) {
+    char * response = NULL;
+    syscom_dispatch(message, &response);
+    free(response);
+}
+
+HKEY w_switch_root_key(char* str_rootkey) {
+    if (!strcmp(str_rootkey, STR_HKEY_CLASSES_ROOT)) {
+        return HKEY_CLASSES_ROOT;
+    }
+    else if (!strcmp(str_rootkey, STR_HKEY_CURRENT_CONFIG)) {
+        return HKEY_CURRENT_CONFIG;
+    }
+    else if (!strcmp(str_rootkey, STR_HKEY_CURRENT_USER)) {
+        return HKEY_CURRENT_USER;
+    }
+    else if (!strcmp(str_rootkey, STR_HKEY_LOCAL_MACHINE)) {
+        return HKEY_LOCAL_MACHINE;
+    }
+    else if (!strcmp(str_rootkey, STR_HKEY_USERS)) {
+        return HKEY_USERS;
+    }
+    else {
+        mdebug1("Invalid value of root Handle to Registry Key.");
+        return NULL;
+    }
+}
+
+void expand_wildcard_registers(char* entry, char** paths) {
+    reg_path_struct** aux_vector;
+    reg_path_struct** current_position;
+    os_calloc(OS_SIZE_8192, sizeof(reg_path_struct*), aux_vector);
+
+    reg_path_struct* first_e;
+    os_calloc(1, sizeof(reg_path_struct), first_e);
+
+    first_e->path           = strdup(entry);
+    first_e->has_wildcard   = check_wildcard(entry);
+    first_e->checked        = 0;
+    *aux_vector             = first_e;
+    current_position        = aux_vector; //Save the current pointer for future iteration
+
+    // ----- Begin expansion path section -----
+    // New algorithm form proposal
+
+    while (w_is_still_a_wildcard(current_position)) {
+        char* pos_qk = strchr((*current_position)->path, '?');
+        char* pos_sr = strchr((*current_position)->path, '*');
+        if (pos_qk != NULL && pos_sr != NULL) {
+            if (pos_qk < pos_sr) {
+                w_expand_by_wildcard(current_position, '?');
+            } else {
+                w_expand_by_wildcard(current_position, '*');
+            }
+        } else if (pos_sr != NULL) {
+            w_expand_by_wildcard(current_position, '*');
+        } else if (pos_qk != NULL) {
+            w_expand_by_wildcard(current_position, '?');
+        }
+        current_position++;
+    }
+
+    // ----- End expansion path section -----
+
+    current_position = aux_vector;
+    while (*current_position != NULL) {
+        if (!(*current_position)->has_wildcard && (*current_position)->checked) {
+            os_strdup((*current_position)->path, *paths);
+            os_free((*current_position)->path);
+            os_free(*current_position);
+            paths++;
+        } else {
+            os_free((*current_position)->path);
+            os_free(*current_position);
+        }
+        current_position++;
+    }
+
+    //Release memory before leaves function
+    os_free(*current_position);
+    os_free(aux_vector);
+}
+
+char* get_subkey(char* key) {
+    char* remaining_key = NULL;
+    char* subkey        = NULL;
+
+    os_strdup(strchr(key, '\\') + 1, remaining_key);
+    os_calloc(OS_SIZE_128, sizeof(char), subkey);
+
+    char* aux_token;
+
+    aux_token = strtok(remaining_key, "\\");
+    while (aux_token !=NULL && !(strchr(aux_token, '?') || strchr(aux_token, '*'))) {
+        strcat(subkey, aux_token);
+        aux_token = strtok(NULL, "\\");
+        strcat(subkey, "\\");
+    }
+    int path_len = strlen(subkey) - 1;
+    os_free(remaining_key);
+    if (path_len > 0) {
+        if (subkey[path_len] == '\\') {
+            subkey[path_len] = '\0';
+        }
+        return subkey;
+    } else {
+        os_free(subkey);
+        return strdup("");
+    }
+}
+
+int w_is_still_a_wildcard(reg_path_struct **array_struct) {
+    while (*array_struct) {
+        if ((*array_struct)->has_wildcard && !(*array_struct)->checked) {
+            return 1;
+        }
+        array_struct++;
+    }
+    return 0;
+}
+
+char** w_list_all_keys(HKEY root_key, char* str_subkey) {
+    HKEY keyhandle;
+    char** key_list = NULL;
+    if (RegOpenKeyEx(root_key, str_subkey, 0, KEY_READ | KEY_WOW64_64KEY, &keyhandle) == ERROR_SUCCESS) {
+        TCHAR    achKey[OS_SIZE_256];
+        DWORD    cbName;
+        TCHAR    achClass[OS_SIZE_256] = TEXT("");
+        DWORD    cchClassName = OS_SIZE_256;
+        DWORD    cSubKeys = 0;
+        DWORD    cbMaxSubKey;
+        DWORD    cchMaxClass;
+        DWORD    cValues;
+        DWORD    cchMaxValue;
+        DWORD    cbMaxValueData;
+        DWORD    cbSecurityDescriptor;
+        FILETIME ftLastWriteTime;
+
+        DWORD i, retCode;
+
+        // Get the class name and the value count.
+        retCode = RegQueryInfoKey(
+            keyhandle,               // key handle
+            achClass,                // buffer for class name
+            &cchClassName,           // size of class string
+            NULL,                    // reserved
+            &cSubKeys,               // number of subkeys
+            &cbMaxSubKey,            // longest subkey size
+            &cchMaxClass,            // longest class string
+            &cValues,                // number of values for this key
+            &cchMaxValue,            // longest value name
+            &cbMaxValueData,         // longest value data
+            &cbSecurityDescriptor,   // security descriptor
+            &ftLastWriteTime);       // last write time
+
+        if (retCode == ERROR_SUCCESS) {
+            if (cSubKeys) {
+            os_calloc(cSubKeys + 1, sizeof(char*), key_list);
+            for (i = 0; i < cSubKeys; i++) {
+                cbName = OS_SIZE_256;
+                retCode = RegEnumKeyEx(keyhandle, i,
+                    achKey,
+                    &cbName,
+                    NULL,
+                    NULL,
+                    NULL,
+                    &ftLastWriteTime);
+                if (retCode == ERROR_SUCCESS) {
+                    os_strdup(achKey, *(key_list + i));
+                    }
+                }
+                *(key_list + i) = NULL;
+            }
+        }
+    }
+    RegCloseKey(keyhandle);
+    return key_list;
+}
+
+void w_expand_by_wildcard(reg_path_struct **array_struct, char wildcard_chr) {
+    // ----- Begin setup variables section -----
+    char* wildcard_str          = NULL;
+    os_calloc(2, sizeof(char), wildcard_str);
+    wildcard_str[0]             = wildcard_chr;
+    wildcard_str[1]             = '\0';
+
+    char** first_position       = NULL;
+
+    char* matcher               = NULL; //Only used when wildcard is ?.
+
+    //Create a copy of the path to be able to modify it.
+    char* aux_path              = NULL;
+    os_strdup((*array_struct)->path, aux_path);
+
+    //Take the first part of the wildcard, splitting by wildcard. Clean any chars after a slash bar.
+    char* first_part            = strtok(aux_path, wildcard_str);
+    for (int letter = strlen(first_part) - 1; letter >= 0; letter--) {
+        if (first_part[letter] != '\\') {
+            first_part[letter] = '\0';
+        }
+        else {
+            break;
+        }
+    }
+
+    if (wildcard_chr == '?') {
+        //Usar strtok_r
+        char* temp          = NULL;
+        char* aux_matcher   = NULL;
+        os_strdup((*array_struct)->path, temp);
+
+        //Search through all tokens until you find the one that has the wildcard
+        aux_matcher = strtok(temp, "\\");
+        while (!strchr(aux_matcher, '?')) {
+            aux_matcher = strtok(NULL, "\\");
+        }
+        os_strdup(aux_matcher,matcher);
+        os_free(temp);
+    }
+
+    //Take the remainder part of the path.
+    char* second_part       = NULL;
+    if ((*array_struct)->path != NULL) {
+        second_part         = strchr(strchr((*array_struct)->path, wildcard_chr), '\\');
+    }
+
+    //Duplicate key part
+    char* temp = NULL;
+    os_strdup(first_part,temp);
+
+    char* str_root_key          = NULL;
+    //Obtain the subkey. If it's empty, it's a NULL value.
+    char* subkey                = get_subkey((*array_struct)->path);
+
+    os_strdup(strtok(temp, "\\"), str_root_key);
+    os_free(temp);
+
+    HKEY root_key               = w_switch_root_key(str_root_key);
+
+    // ----- End setup variables section -----
+
+    (*array_struct)->checked    = 1; //Mark path as checked.
+
+    //Get first empty position of the vector.
+    int first_empty             = 0;
+    while (array_struct[first_empty] != NULL) {
+        first_empty++;
+    }
+    //----------------------------------------
+
+    //There is two possibles branches to take depending of the wildcard.
+    if (wildcard_chr=='?') {
+        if (root_key != NULL && matcher != NULL) {
+            //Get all keys from Windows API.
+            char** query_keys = w_list_all_keys(root_key, subkey);
+            first_position = query_keys;
+            if (query_keys) {
+                //Itarate over string vector.
+                while (*query_keys != NULL) {
+                    //Use Windows API and check wildcar coincidences.
+                    if (PathMatchSpecA(*query_keys, matcher)) {
+                        // ----- Begin final path variable section -----
+
+                        char* full_path = NULL;
+                        os_calloc(OS_SIZE_256, sizeof(char), full_path);
+
+                        //Copy first part.
+                        strcpy(full_path, first_part);
+
+                        //Add key result.
+                        strcat(full_path, *query_keys);
+
+                        //Copy second part.
+                        second_part != NULL ? strcat(full_path, second_part) : strcat(full_path,"\0");
+
+                        // ----- End final path variable section -----
+
+                        //Create new struct and add it to vector.
+                        reg_path_struct* new_struct = NULL;
+                        os_calloc(1, sizeof(reg_path_struct), new_struct);
+
+                        int path_length             = strlen(full_path);
+                        if(full_path[path_length - 1] == '\\'){
+                            full_path[path_length - 1] = '\0';
+                        }
+
+                        new_struct->path            = full_path;
+                        new_struct->has_wildcard    = (check_wildcard(full_path)) && !(check_wildcard(*query_keys)) ? 1 : 0;
+                        new_struct->checked         = 1 & !new_struct->has_wildcard;
+                        array_struct[first_empty]   = new_struct;
+
+                        //Increment pointers.
+                        first_empty++;
+                    }
+                    //Increment pointers.
+                    query_keys++;
+                    }
+                }
+            //Release memory before leaves function.
+            os_free(matcher);
+        }
+    } else {
+        if (root_key != NULL) {
+            //Get all keys from Windows API.
+            char** query_keys = w_list_all_keys(root_key, subkey);
+            first_position    = query_keys;
+            if (query_keys) {
+                //Itarate over string vector.
+                while (*query_keys != NULL) {
+
+                    // ----- Begin final path variable section -----
+
+                    char* full_path = NULL;
+                    os_calloc(OS_SIZE_256, sizeof(char), full_path);
+
+                    //Copy first part.
+                    strcpy(full_path, first_part);
+
+                    //Add key result.
+                    strcat(full_path, *query_keys);
+
+                    //Copy second part.
+                    second_part != NULL ? strcat(full_path, second_part) : strcat(full_path, "\0");
+
+                    // ----- End final path variable section -----
+
+                    //Create new struct and add it to vector.
+                    reg_path_struct* new_struct = NULL;
+                    os_calloc(1, sizeof(reg_path_struct), new_struct);
+
+                    int path_length             = strlen(full_path);
+                    if(full_path[path_length - 1] == '\\') {
+                        full_path[path_length - 1] = '\0';
+                    }
+
+                    new_struct->path            = full_path;
+                    new_struct->has_wildcard    = (check_wildcard(full_path)) && !(check_wildcard(*query_keys)) ? 1 : 0;
+                    new_struct->checked         = 1 & !new_struct->has_wildcard;
+                    array_struct[first_empty]   = new_struct;
+
+                    //Increment pointers.
+                    first_empty++;
+                    query_keys++;
+                }
+            }
+        }
+    }
+
+    //Release memory after leaves function. Common variables
+    os_free(wildcard_str);
+    os_free(aux_path);
+    os_free(str_root_key);
+    os_free(subkey);
+    free_strarray(first_position);
+    os_free(matcher);
+}
+
+#endif /* # else (ifndef WIN32) */
+
+void decode_win_attributes(char *str, unsigned int attrs) {
+    size_t size;
+
+    size = snprintf(str, OS_SIZE_256, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+                    attrs & FILE_ATTRIBUTE_ARCHIVE ? "ARCHIVE, " : "",
+                    attrs & FILE_ATTRIBUTE_COMPRESSED ? "COMPRESSED, " : "",
+                    attrs & FILE_ATTRIBUTE_DEVICE ? "DEVICE, " : "",
+                    attrs & FILE_ATTRIBUTE_DIRECTORY ? "DIRECTORY, " : "",
+                    attrs & FILE_ATTRIBUTE_ENCRYPTED ? "ENCRYPTED, " : "",
+                    attrs & FILE_ATTRIBUTE_HIDDEN ? "HIDDEN, " : "",
+                    attrs & FILE_ATTRIBUTE_INTEGRITY_STREAM ? "INTEGRITY_STREAM, " : "",
+                    attrs & FILE_ATTRIBUTE_NORMAL ? "NORMAL, " : "",
+                    attrs & FILE_ATTRIBUTE_NOT_CONTENT_INDEXED ? "NOT_CONTENT_INDEXED, " : "",
+                    attrs & FILE_ATTRIBUTE_NO_SCRUB_DATA ? "NO_SCRUB_DATA, " : "",
+                    attrs & FILE_ATTRIBUTE_OFFLINE ? "OFFLINE, " : "",
+                    attrs & FILE_ATTRIBUTE_READONLY ? "READONLY, " : "",
+                    attrs & FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS ? "RECALL_ON_DATA_ACCESS, " : "",
+                    attrs & FILE_ATTRIBUTE_RECALL_ON_OPEN ? "RECALL_ON_OPEN, " : "",
+                    attrs & FILE_ATTRIBUTE_REPARSE_POINT ? "REPARSE_POINT, " : "",
+                    attrs & FILE_ATTRIBUTE_SPARSE_FILE ? "SPARSE_FILE, " : "",
+                    attrs & FILE_ATTRIBUTE_SYSTEM ? "SYSTEM, " : "",
+                    attrs & FILE_ATTRIBUTE_TEMPORARY ? "TEMPORARY, " : "",
+                    attrs & FILE_ATTRIBUTE_VIRTUAL ? "VIRTUAL, " : "");
+    if (size > 2) {
+        str[size - 2] = '\0';
+    }
+}
+
+void make_mask_readable (cJSON *ace_json, int mask, char *ace_type) {
+    int i;
+    int perm_bits[] = {
+        GENERIC_READ,
+        GENERIC_WRITE,
+        GENERIC_EXECUTE,
+        GENERIC_ALL,
+        DELETE,
+        READ_CONTROL,
+        WRITE_DAC,
+        WRITE_OWNER,
+        SYNCHRONIZE,
+        FILE_READ_DATA,
+        FILE_WRITE_DATA,
+        FILE_APPEND_DATA,
+        FILE_READ_EA,
+        FILE_WRITE_EA,
+        FILE_EXECUTE,
+        FILE_READ_ATTRIBUTES,
+        FILE_WRITE_ATTRIBUTES,
+        0
+    };
+
+    static const char * const perm_strings[] = {
+        "generic_read",
+        "generic_write",
+        "generic_execute",
+        "generic_all",
+        "delete",
+        "read_control",
+        "write_dac",
+        "write_owner",
+        "synchronize",
+        "read_data",
+        "write_data",
+        "append_data",
+        "read_ea",
+        "write_ea",
+        "execute",
+        "read_attributes",
+        "write_attributes",
+        NULL
+    };
+
+    cJSON *perm_array = cJSON_CreateArray();
+    if (perm_array == NULL) {
+        mwarn(FIM_CJSON_ERROR_CREATE_ITEM);
+        return;
+    }
+
+    for (i = 0; perm_bits[i]; i++) {
+        if (mask & perm_bits[i]) {
+            cJSON_AddItemToArray(perm_array, cJSON_CreateString(perm_strings[i]));
+        }
+    }
+
+    cJSON_ReplaceItemInObject(ace_json, ace_type, perm_array);
+}
+
+void decode_win_acl_json (cJSON *acl_json) {
+    cJSON *json_object = NULL;
+    cJSON *allowed_item = NULL;
+    cJSON *denied_item = NULL;
+
+    assert(acl_json != NULL);
+
+    cJSON_ArrayForEach(json_object, acl_json) {
+        allowed_item = cJSON_GetObjectItem(json_object, "allowed");
+        if (allowed_item) {
+            make_mask_readable(json_object, allowed_item->valueint, "allowed");
+        }
+        denied_item = cJSON_GetObjectItem(json_object, "denied");
+        if (denied_item) {
+            make_mask_readable(json_object, denied_item->valueint, "denied");
+        }
+    }
+}
+
+char *decode_win_permissions(char *raw_perm) {
+    int written = 0;
+    int size = 0;
+    char *base_it = NULL;
+    char *account_name = NULL;
+    char a_type;
+    char *decoded_perm;
+    long mask;
+
+    if (*raw_perm != '|') {
+        // It is trying to convert to the new format
+        // a permissions that have already been transformed
+        os_strdup("", decoded_perm);
+        return decoded_perm;
+    }
+
+    os_calloc(MAX_WIN_PERM_SIZE, sizeof(char), decoded_perm);
+
+    int perm_size = MAX_WIN_PERM_SIZE;
+    char *decoded_it = decoded_perm;
+    char *perm_it = raw_perm;
+
+    while (perm_it = strchr(perm_it, '|'), perm_it) {
+        // Get the account/group name
+        base_it = ++perm_it;
+        if (perm_it = strchr(perm_it, ','), !perm_it) {
+            goto error;
+        }
+        *perm_it = '\0';
+        os_strdup(base_it, account_name);
+        *perm_it = ',';
+
+        // Get the access type
+        base_it = ++perm_it;
+        if (perm_it = strchr(perm_it, ','), !perm_it) {
+            goto error;
+        }
+        a_type = *base_it;
+
+        // Get the access mask
+        base_it = ++perm_it;
+        if (perm_it = strchr(perm_it, '|'), perm_it) {
+            *perm_it = '\0';
+            mask = strtol(base_it, NULL, 10);
+            *perm_it = '|';
+        } else {
+            // End of the msg
+            mask = strtol(base_it, NULL, 10);
+        }
+
+        size = snprintf(NULL, 0, "%s (%s): %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", account_name,
+                        a_type == '0' ? "allowed" : "denied", mask & GENERIC_READ ? "generic_read|" : "",
+                        mask & GENERIC_WRITE ? "generic_write|" : "", mask & GENERIC_EXECUTE ? "generic_execute|" : "",
+                        mask & GENERIC_ALL ? "generic_all|" : "", mask & DELETE ? "delete|" : "",
+                        mask & READ_CONTROL ? "read_control|" : "", mask & WRITE_DAC ? "write_dac|" : "",
+                        mask & WRITE_OWNER ? "write_owner|" : "", mask & SYNCHRONIZE ? "synchronize|" : "",
+                        mask & FILE_READ_DATA ? "read_data|" : "", mask & FILE_WRITE_DATA ? "write_data|" : "",
+                        mask & FILE_APPEND_DATA ? "append_data|" : "", mask & FILE_READ_EA ? "read_ea|" : "",
+                        mask & FILE_WRITE_EA ? "write_ea|" : "", mask & FILE_EXECUTE ? "execute|" : "",
+                        mask & FILE_READ_ATTRIBUTES ? "read_attributes|" : "",
+                        mask & FILE_WRITE_ATTRIBUTES ? "write_attributes|" : "");
+
+        if (size > perm_size) {
+            os_free(account_name);
+
+            if (perm_it != NULL) {
+                continue;
+            }
+            break;
+        }
+
+        size = snprintf(decoded_it, perm_size, "%s (%s): %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+                        account_name,
+                        a_type == '0' ? "allowed" : "denied",
+                        mask & GENERIC_READ ? "generic_read|" : "",
+                        mask & GENERIC_WRITE ? "generic_write|" : "",
+                        mask & GENERIC_EXECUTE ? "generic_execute|" : "",
+                        mask & GENERIC_ALL ? "generic_all|" : "",
+                        mask & DELETE ? "delete|" : "",
+                        mask & READ_CONTROL ? "read_control|" : "",
+                        mask & WRITE_DAC ? "write_dac|" : "",
+                        mask & WRITE_OWNER ? "write_owner|" : "",
+                        mask & SYNCHRONIZE ? "synchronize|" : "",
+                        mask & FILE_READ_DATA ? "read_data|" : "",
+                        mask & FILE_WRITE_DATA ? "write_data|" : "",
+                        mask & FILE_APPEND_DATA ? "append_data|" : "",
+                        mask & FILE_READ_EA ? "read_ea|" : "",
+                        mask & FILE_WRITE_EA ? "write_ea|" : "",
+                        mask & FILE_EXECUTE ? "execute|" : "",
+                        mask & FILE_READ_ATTRIBUTES ? "read_attributes|" : "",
+                        mask & FILE_WRITE_ATTRIBUTES ? "write_attributes|" : ""
+                    );
+
+        if (size + 1 < perm_size) {
+            strncpy(decoded_it + (size++) - 1, ", ", 3);
+        }
+
+        written += size;
+        decoded_it += size;
+        perm_size -= size;
+
+        os_free(account_name);
+        if (!perm_it) {
+            break;
+        }
+    }
+
+    if (decoded_it && size > 1) {
+        *(decoded_it - 2) = '\0';
+        // Adjusts the final size
+        os_realloc(decoded_perm, written * sizeof(char), decoded_perm);
+    }
+
+    return decoded_perm;
+error:
+    free(decoded_perm);
+    free(account_name);
+    mdebug1("The file permissions could not be decoded: '%s'.", raw_perm);
+    return NULL;
+}
+
+static bool compare_win_aces(const cJSON * const ace1, const cJSON * const ace2) {
+    cJSON *ace1_helper, *ace2_helper;
+
+    assert(ace1 != NULL && ace2 != NULL);
+
+    ace1_helper = cJSON_GetObjectItem(ace1, "allowed");
+    ace2_helper = cJSON_GetObjectItem(ace2, "allowed");
+
+    if (ace1_helper == NULL) {
+        if (ace2_helper != NULL) {
+            return false;
+        }
+        // Both ace helpers are NULL, we consider them to be equal
+    } else if (ace2_helper == NULL) {
+        return false;
+    } else if (cJSON_Compare(ace1_helper, ace2_helper, true) == false) {
+        return false;
+    }
+
+    ace1_helper = cJSON_GetObjectItem(ace1, "denied");
+    ace2_helper = cJSON_GetObjectItem(ace2, "denied");
+
+    if (ace1_helper == NULL) {
+        if (ace2_helper != NULL) {
+            return false;
+        }
+        // Both ace helpers are NULL, we consider them to be equal
+    } else if (ace2_helper == NULL) {
+        return false;
+    } else if (cJSON_Compare(ace1_helper, ace2_helper, true) == false) {
+        return false;
+    }
+
+    return true;
+}
+
+bool compare_win_permissions(const cJSON * const acl1, const cJSON * const acl2) {
+    cJSON *ace1;
+    cJSON *ace2;
+
+    if (acl1 == NULL) {
+        return acl2 == NULL;
+    }
+
+    if (acl2 == NULL) {
+        return false;
+    }
+
+    if (cJSON_GetArraySize(acl1) != cJSON_GetArraySize(acl2)) {
+        return false;
+    }
+
+    cJSON_ArrayForEach(ace1, acl1) {
+        ace2 = cJSON_GetObjectItem(acl2, ace1->string);
+
+        if (ace2 == NULL) {
+            return false;
+        }
+
+        if (compare_win_aces(ace1, ace2) == false) {
+            return false;
+        }
+    }
+
+    // If we get here, both ACLs are identical
+    return true;
+}
+
+cJSON *attrs_to_json(const char *attributes) {
+    cJSON *attrs_array;
+
+    assert(attributes != NULL);
+
+    if (attrs_array = cJSON_CreateArray(), !attrs_array) {
+        return NULL;
+    }
+
+    char *attrs_cpy;
+    os_strdup(attributes, attrs_cpy);
+    char *attr = attrs_cpy;
+
+    while (attr) {
+        char *sep = strchr(attr, ',');
+        if (sep) {
+            *(sep++) = '\0';
+        }
+        while (*attr == ' ') attr++;
+        cJSON_AddItemToArray(attrs_array, cJSON_CreateString(attr));
+        attr = sep;
+    }
+
+    free(attrs_cpy);
+    return attrs_array;
+}
+
+cJSON *win_perm_to_json(char *perms) {
+    cJSON *perms_json;
+
+    assert(perms != NULL);
+
+    if (perms_json = cJSON_CreateArray(), !perms_json) {
+        return NULL;
+    }
+
+    char *perms_cpy;
+    os_strdup(perms, perms_cpy);
+    char *perms_it = perms_cpy;
+
+    while (perms_it && *perms_it) {
+        char *perm_node = perms_it;
+        perms_it = strchr(perms_it, ',');
+        if (perms_it) {
+            *(perms_it++) = '\0';
+        }
+
+        while (*perm_node == ' ') perm_node++;
+
+        // Get the username
+        char *username = perm_node;
+        perm_node = strchr(perm_node, '(');
+        if (!perm_node) {
+            mdebug1("Uncontrolled condition when parsing the username from '%s'. Skipping permission.", username);
+            continue;
+        }
+        *(perm_node++) = '\0';
+        {
+            size_t u_size = strlen(username);
+            if (u_size > 0 && username[u_size - 1] == ' ') {
+                username[u_size - 1] = '\0';
+            }
+        }
+
+        // Get the permission type
+        char *perm_type = perm_node;
+        perm_node = strchr(perm_node, ')');
+        if (!perm_node) {
+            mdebug1("Uncontrolled condition when parsing the permission type from '%s'. Skipping permission.", perm_type);
+            continue;
+        }
+        *(perm_node++) = '\0';
+
+        // Remove the colon separator
+        if (*perm_node == ':') {
+            perm_node++;
+        }
+
+        while (*perm_node == ' ') perm_node++;
+
+        // Get the permissions
+        char *permissions = perm_node;
+        perm_node = strchr(perm_node, ',');
+        if (perm_node) {
+            *(perm_node++) = '\0'; //LCOV_EXCL_LINE
+        }
+
+        const char *tag_name = "name";
+        cJSON *json_it;
+        cJSON *user_obj = NULL;
+        char next_it = 0;
+        for (json_it = perms_json->child; json_it; json_it = json_it->next) {
+            cJSON *obj;
+            if (obj = cJSON_GetObjectItem(json_it, tag_name), !obj || !obj->valuestring) {
+                continue; //LCOV_EXCL_LINE
+            }
+            if (!strcmp(obj->valuestring, username)) {
+                user_obj = json_it;
+                if (obj = cJSON_GetObjectItem(json_it, perm_type), obj) {
+                    mdebug1("ACL [%s] fragmented. All permissions may not be displayed.", perms);
+                    next_it = 1;
+                }
+                break;
+            }
+        }
+        if (next_it) {
+            continue;
+        }
+
+        if (!user_obj) {
+            if (user_obj = cJSON_CreateObject(), !user_obj) {
+                goto error;
+            }
+            cJSON_AddStringToObject(user_obj, tag_name, username);
+            cJSON_AddItemToArray(perms_json, user_obj);
+        }
+
+        cJSON *specific_perms;
+        if (specific_perms = cJSON_CreateArray(), !specific_perms) {
+            goto error;
+        }
+
+        if (*permissions == '\0') {
+            // Empty ACE
+            cJSON_AddItemToObject(user_obj, perm_type, specific_perms);
+            continue;
+        }
+
+        char **perms_array = NULL;
+        wstr_split(permissions, "|", NULL, 1, &perms_array);
+        if (!perms_array) {
+            cJSON_Delete(specific_perms);
+            goto error;
+        }
+
+        int i;
+        for (i = 0; perms_array[i]; i++) {
+            str_uppercase(perms_array[i]);
+            cJSON_AddItemToArray(specific_perms, cJSON_CreateString(perms_array[i]));
+        }
+        cJSON_AddItemToObject(user_obj, perm_type, specific_perms);
+
+        w_FreeArray(perms_array);
+        free(perms_array);
+    }
+
+    free(perms_cpy);
+    if(cJSON_GetArraySize(perms_json) == 0)
+    {
+        cJSON_Delete(perms_json);
+        return NULL;
+    }
+
+    return perms_json;
+error:
+    mdebug1("Uncontrolled condition when parsing a Windows permission from '%s'.", perms);
+    cJSON_Delete(perms_json);
+    free(perms_cpy);
+    return NULL;
+}
diff --git a/src/common/syscheck_op/tests/unit/tests/CMakeLists.txt b/src/common/syscheck_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..f62b904015
--- /dev/null
+++ b/src/common/syscheck_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,56 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_syscheck_op")
+set(SYSCHECK_OP_BASE_FLAGS "-Wl,--wrap,rmdir_ex -Wl,--wrap,wreaddir -Wl,--wrap,getpwuid_r -Wl,--wrap,w_getgrgid \
+                            -Wl,--wrap,wstr_split -Wl,--wrap,OS_ConnectUnixDomain -Wl,--wrap,OS_SendSecureTCP \
+                            -Wl,--wrap,sysconf -Wl,--wrap,win_strerror -Wl,--wrap,wfopen ${DEBUG_OP_WRAPPERS}")
+if(${TARGET} STREQUAL "winagent")
+    # cJSON_CreateArray@0 instead of cJSON_CreateArray since linker will be looking for cdecl forma
+    # More info at: (https://devblogs.microsoft.com/oldnewthing/20040108-00/?p=41163)
+    list(APPEND shared_tests_flags "${SYSCHECK_OP_BASE_FLAGS} -Wl,--wrap=syscom_dispatch -Wl,--wrap=is_fim_shutdown \
+                                    -Wl,--wrap,cJSON_CreateArray@0 -Wl,--wrap,cJSON_CreateObject@0 -Wl,--wrap=Start_win32_Syscheck")
+else()
+    list(APPEND shared_tests_flags "${SYSCHECK_OP_BASE_FLAGS} -Wl,--wrap=cJSON_CreateArray,--wrap=cJSON_CreateObject -Wl,--wrap,getpid")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/syscheck_op/tests/unit/tests/test_syscheck_op.c b/src/common/syscheck_op/tests/unit/tests/test_syscheck_op.c
new file mode 100644
index 0000000000..e89223df4e
--- /dev/null
+++ b/src/common/syscheck_op/tests/unit/tests/test_syscheck_op.c
@@ -0,0 +1,4872 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../headers/syscheck_op.h"
+#include "../analysisd/eventinfo.h"
+
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/posix/grp_wrappers.h"
+#include "../wrappers/posix/pwd_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/string_op_wrappers.h"
+#include "../wrappers/wazuh/os_net/os_net_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/shared/privsep_op_wrappers.h"
+#include "../wrappers/common.h"
+
+#ifdef TEST_WINAGENT
+#include "../wrappers/wazuh/syscheckd/syscom_wrappers.h"
+#include "../wrappers/windows/sddl_wrappers.h"
+#include "../wrappers/windows/winreg_wrappers.h"
+#include "../wrappers/windows/aclapi_wrappers.h"
+#include "../wrappers/windows/winbase_wrappers.h"
+#include "../wrappers/windows/fileapi_wrappers.h"
+#include "../wrappers/windows/handleapi_wrappers.h"
+#include "../wrappers/windows/errhandlingapi_wrappers.h"
+#include "../wrappers/windows/securitybaseapi_wrappers.h"
+#else
+#include "../wrappers/posix/unistd_wrappers.h"
+#endif
+
+/* Auxiliar structs */
+
+typedef struct __sk_decode_data_s {
+    sk_sum_t sum;
+    char *c_sum;
+    char *w_sum;
+}sk_decode_data_t;
+
+typedef struct __sk_fill_event_s {
+    sk_sum_t *sum;
+    Eventinfo *lf;
+    char *f_name;
+}sk_fill_event_t;
+
+typedef struct __sk_build_sum_s {
+    sk_sum_t sum;
+    char *output;
+}sk_build_sum_t;
+
+typedef struct __unescape_syscheck_field_data_s {
+    char *input;
+    char *output;
+}unescape_syscheck_field_data_t;
+
+typedef struct __registry_group_information {
+    char *name;
+    char *id;
+} registry_group_information_t;
+
+#ifdef TEST_WINAGENT
+#define BASE_WIN_ALLOWED_ACE "[" \
+    "\"delete\"," \
+    "\"read_control\"," \
+    "\"write_dac\"," \
+    "\"write_owner\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"write_data\"," \
+    "\"append_data\"," \
+    "\"read_ea\"," \
+    "\"write_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"," \
+    "\"write_attributes\"" \
+"]"
+
+#define BASE_WIN_DENIED_ACE "[" \
+    "\"read_control\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"read_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"" \
+"]"
+
+#define BASE_WIN_ACE "{" \
+    "\"name\": \"Users\"," \
+    "\"allowed\": " BASE_WIN_ALLOWED_ACE "," \
+    "\"denied\": " BASE_WIN_DENIED_ACE \
+"}"
+
+#define BASE_WIN_SID "S-1-5-32-636"
+
+static cJSON *create_win_permissions_object() {
+    static const char * const BASE_WIN_PERMS = "{\"" BASE_WIN_SID "\": " BASE_WIN_ACE "}";
+    return cJSON_Parse(BASE_WIN_PERMS);
+}
+#endif
+
+/* setup/teardown */
+
+static int teardown_string(void **state) {
+    free(*state);
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+
+static int setup_string_array(void **state) {
+    char **array = calloc(10, sizeof(char*));
+
+    if(array == NULL)
+        return -1;
+
+    *state = array;
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_string_array(void **state) {
+    char **array = *state;
+
+    free_strarray(array);
+    test_mode = 0;
+
+    return 0;
+}
+
+static int setup_get_registry_group(void **state) {
+    registry_group_information_t *group_information = (registry_group_information_t *)
+                                                        calloc(1, sizeof(registry_group_information_t));
+
+    if (group_information == NULL) {
+        return -1;
+    }
+
+    group_information->name = (char *)calloc(OS_SIZE_6144 + 1, sizeof(char));
+    group_information->id = (char *)calloc(OS_SIZE_6144 + 1, sizeof(char));
+
+    if (group_information->name == NULL || group_information->id == NULL) {
+        return -1;
+    }
+
+    *state = group_information;
+
+    return 0;
+}
+
+static int teardown_get_registry_group(void **state) {
+    registry_group_information_t *group_information = *state;
+
+    free(group_information->name);
+    free(group_information->id);
+    free(group_information);
+
+    return 0;
+}
+
+#endif
+
+#if defined(TEST_SERVER)
+
+static int setup_sk_decode(void **state) {
+    sk_decode_data_t *data = calloc(1, sizeof(sk_decode_data_t));
+
+    if(!data) {
+        return -1;
+    }
+
+    *state = data;
+    return 0;
+}
+
+static int teardown_sk_decode(void **state) {
+    sk_decode_data_t *data = *state;
+
+    if(data) {
+        sk_sum_clean(&data->sum);
+
+        if(data->c_sum)
+            free(data->c_sum);
+
+        if(data->w_sum)
+            free(data->w_sum);
+
+        free(data);
+    }
+    return 0;
+}
+
+static int setup_sk_fill_event(void **state) {
+    sk_fill_event_t* data = calloc(1, sizeof(sk_fill_event_t));
+
+    if(!data) {
+        return -1;
+    }
+
+    if(data->lf = calloc(1, sizeof(Eventinfo)), data->lf == NULL) {
+        return -1;
+    }
+
+    if(data->lf->fields = calloc(FIM_NFIELDS, sizeof(DynamicField)), !data->lf->fields)
+        return -1;
+
+    data->lf->nfields = FIM_NFIELDS;
+
+    if(data->sum = calloc(1, sizeof(sk_sum_t)), data->sum == NULL) {
+        return -1;
+    }
+
+    *state = data;
+    return 0;
+}
+
+static int teardown_sk_fill_event(void **state) {
+    sk_fill_event_t* data = *state;
+
+    if(data){
+        free(data->f_name);
+
+        free(data->sum);
+        // sk_sum_clean(&data->sum);
+        Free_Eventinfo(data->lf);
+        free(data);
+    }
+    return 0;
+}
+
+static int setup_sk_build_sum(void **state) {
+    sk_build_sum_t* data = calloc(1, sizeof(sk_build_sum_t));
+
+    if(!data) {
+        return -1;
+    }
+
+    if(data->output = calloc(OS_MAXSTR, sizeof(char)), !data->output)
+        return -1;
+
+    *state = data;
+    return 0;
+}
+
+static int teardown_sk_build_sum(void **state) {
+    sk_build_sum_t* data = *state;
+
+    if(data){
+        free(data->output);
+        // sk_sum_clean(&data->sum);
+
+        free(data);
+    }
+    return 0;
+}
+
+#endif
+
+#ifndef TEST_WINAGENT
+
+static int setup_unescape_syscheck_field(void **state) {
+    *state = calloc(1, sizeof(unescape_syscheck_field_data_t));
+
+    if(!*state) {
+        return -1;
+    }
+    return 0;
+}
+
+static int teardown_unescape_syscheck_field(void **state) {
+    unescape_syscheck_field_data_t *data = *state;
+
+    if(data) {
+        free(data->input);
+        free(data->output);
+        free(data);
+    }
+    return 0;
+}
+
+#endif
+
+static int teardown_cjson(void **state) {
+    cJSON *array = *state;
+
+    cJSON_Delete(array);
+
+    return 0;
+}
+
+/* Tests */
+
+/* escape_syscheck_field tests */
+static void test_escape_syscheck_field_escape_all(void **state) {
+    char *input = "This is: a test string!!";
+    char *output = NULL;
+
+    output = escape_syscheck_field(input);
+
+    *state = output;
+
+    assert_string_equal(output, "This\\ is\\:\\ a\\ test\\ string\\!\\!");
+}
+
+static void test_escape_syscheck_field_null_input(void **state) {
+    char *output;
+
+    output = (char*)0xFFFF;
+    output = escape_syscheck_field(NULL);
+
+    assert_null(output);
+}
+
+/* normalize_path tests */
+static void test_normalize_path_success(void **state) {
+    char *test_string = strdup("C:\\Regular/windows/path\\");
+    *state = test_string;
+
+    normalize_path(test_string);
+
+    assert_string_equal(test_string, "C:\\Regular\\windows\\path\\");
+}
+
+static void test_normalize_path_linux_dir(void **state) {
+    char *test_string = strdup("unchanged/path");
+
+    if(test_string != NULL) {
+        *state = test_string;
+    } else {
+        fail();
+    }
+
+    normalize_path(test_string);
+
+    assert_string_equal(test_string, "unchanged/path");
+}
+
+static void test_normalize_path_null_input(void **state) {
+    char *test_string = NULL;
+
+    expect_assert_failure(normalize_path(test_string));
+}
+
+/* remove_empty_folders tests */
+static void test_remove_empty_folders_success(void **state) {
+#ifndef TEST_WINAGENT
+    char *input = "queue/diff/local/test-dir/";
+    char *first_subdir = "queue/diff/local/test-dir";
+    char *second_subdir = "queue/diff/local";
+#else
+    char *input = "queue/diff\\local\\test-dir\\";
+    char *first_subdir = "queue/diff\\local\\test-dir";
+    char *second_subdir = "queue/diff\\local";
+#endif
+    int ret = -1;
+    char message[OS_SIZE_1024];
+    char **mock_directory_content;
+
+    if(mock_directory_content = calloc(2, sizeof(char*)), !mock_directory_content)
+        fail();
+
+    mock_directory_content[0] = strdup("some-file.tmp");
+    mock_directory_content[1] = NULL;
+
+    expect_wreaddir_call(first_subdir, NULL);
+
+    snprintf(message, OS_SIZE_1024, "Removing empty directory '%s'.", first_subdir);
+    expect_string(__wrap__mdebug1, formatted_msg, message);
+
+    expect_rmdir_ex_call(first_subdir, 0);
+
+    expect_wreaddir_call(second_subdir, mock_directory_content);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_remove_empty_folders_recursive_success(void **state) {
+#ifndef TEST_WINAGENT
+    char *input = "queue/diff/local/dir1/dir2/";
+    static const char *parent_dirs[] = {
+        "queue/diff/local/dir1/dir2",
+        "queue/diff/local/dir1",
+        "queue/diff/local"
+    };
+#else
+    char *input = "queue/diff\\local\\dir1\\dir2\\";
+    static const char *parent_dirs[] = {
+        "queue/diff\\local\\dir1\\dir2",
+        "queue/diff\\local\\dir1",
+        "queue/diff\\local"
+    };
+#endif
+    char messages[3][OS_SIZE_1024];
+    int ret = -1;
+    char **mock_directory_content;
+
+    if(mock_directory_content = calloc(2, sizeof(char*)), !mock_directory_content)
+        fail();
+
+    mock_directory_content[0] = strdup("some-file.tmp");
+    mock_directory_content[1] = NULL;
+
+    snprintf(messages[0], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[0]);
+    snprintf(messages[1], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[1]);
+
+    // Remove dir2
+    expect_wreaddir_call(parent_dirs[0], NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, messages[0]);
+
+    expect_rmdir_ex_call(parent_dirs[0], 0);
+
+    // Remove dir1
+    expect_wreaddir_call(parent_dirs[1], NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, messages[1]);
+
+    expect_rmdir_ex_call(parent_dirs[1], 0);
+
+    expect_wreaddir_call(parent_dirs[2], mock_directory_content);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_remove_empty_folders_null_input(void **state) {
+    expect_assert_failure(remove_empty_folders(NULL));
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_remove_empty_folders_relative_path(void **state) {
+#ifndef TEST_WINAGENT
+    char *input = "./local/test-dir/";
+    const static char *parent_dirs[] = {"./local/test-dir", "./local", "."};
+#else
+    char *input = ".\\local\\test-dir\\";
+    const static char *parent_dirs[] = {".\\local\\test-dir", ".\\local", "."};
+#endif
+    char messages[3][OS_SIZE_1024];
+    int ret = -1;
+
+    snprintf(messages[0], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[0]);
+    snprintf(messages[1], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[1]);
+    snprintf(messages[2], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[2]);
+
+    expect_wreaddir_call(parent_dirs[0], NULL);
+    expect_wreaddir_call(parent_dirs[1], NULL);
+    expect_wreaddir_call(parent_dirs[2], NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, messages[0]);
+    expect_string(__wrap__mdebug1, formatted_msg, messages[1]);
+    expect_string(__wrap__mdebug1, formatted_msg, messages[2]);
+
+    expect_rmdir_ex_call(parent_dirs[0], 0);
+    expect_rmdir_ex_call(parent_dirs[1], 0);
+    expect_rmdir_ex_call(parent_dirs[2], 0);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, 0);
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_remove_empty_folders_absolute_path(void **state) {
+    int ret = -1;
+#ifndef TEST_WINAGENT
+    char *input = "/home/user1/";
+    static const char *parent_dirs[] = {
+        "/home/user1",
+        "/home",
+        ""
+    };
+#else
+    char *input = "c:\\home\\user1\\";
+    static const char *parent_dirs[] = {
+        "c:\\home\\user1",
+        "c:\\home",
+        "c:"
+    };
+#endif
+    char messages[3][OS_SIZE_1024];
+
+    snprintf(messages[0], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[0]);
+    snprintf(messages[1], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[1]);
+    snprintf(messages[2], OS_SIZE_1024, "Removing empty directory '%s'.", parent_dirs[2]);
+
+    expect_wreaddir_call(parent_dirs[0], NULL);
+    expect_wreaddir_call(parent_dirs[1], NULL);
+    expect_wreaddir_call(parent_dirs[2], NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, messages[0]);
+    expect_string(__wrap__mdebug1, formatted_msg, messages[1]);
+    expect_string(__wrap__mdebug1, formatted_msg, messages[2]);
+
+    expect_rmdir_ex_call(parent_dirs[0], 0);
+    expect_rmdir_ex_call(parent_dirs[1], 0);
+    expect_rmdir_ex_call(parent_dirs[2], 0);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_remove_empty_folders_non_empty_dir(void **state) {
+#ifndef TEST_WINAGENT
+    char *input = "queue/diff/local/test-dir/";
+    static const char *parent_dir = "queue/diff/local/test-dir";
+#else
+    char *input = "queue/diff\\local\\c\\test-dir\\";
+    static const char *parent_dir = "queue/diff\\local\\c\\test-dir";
+#endif
+    int ret = -1;
+    char **subdir;
+
+    if(subdir = calloc(2, sizeof(char*)), !subdir)
+        fail();
+
+    subdir[0] = strdup("some-file.tmp");
+    subdir[1] = NULL;
+
+    expect_wreaddir_call(parent_dir, subdir);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_remove_empty_folders_error_removing_dir(void **state) {
+#ifndef TEST_WINAGENT
+    char *input = "queue/diff/local/test-dir/";
+    static const char *parent_dir = "queue/diff/local/test-dir";
+#else
+    char *input = "queue/diff\\local\\test-dir\\";
+    static const char *parent_dir = "queue/diff\\local\\test-dir";
+#endif
+    int ret = -1;
+    char remove_dir_message[OS_SIZE_1024];
+    char dir_not_deleted_message[OS_SIZE_1024];
+
+    expect_wreaddir_call(parent_dir, NULL);
+
+    snprintf(remove_dir_message, OS_SIZE_1024, "Removing empty directory '%s'.", parent_dir);
+    expect_string(__wrap__mdebug1, formatted_msg, remove_dir_message);
+
+    expect_rmdir_ex_call(parent_dir, -1);
+
+    snprintf(dir_not_deleted_message, OS_SIZE_1024,
+        "Empty directory '%s' couldn't be deleted. ('Directory not empty')", parent_dir);
+    expect_string(__wrap__mwarn, formatted_msg, dir_not_deleted_message);
+
+    ret = remove_empty_folders(input);
+
+    assert_int_equal(ret, -1);
+}
+
+#if defined(TEST_SERVER)
+/* sk_decode_sum tests */
+static void test_sk_decode_sum_no_decode(void **state) {
+    sk_decode_data_t *data = *state;
+
+    int ret = sk_decode_sum(&data->sum, "-1", NULL);
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_sk_decode_sum_deleted_file(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("-1");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_sk_decode_sum_no_perm(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_ptr_equal(data->sum.size, data->c_sum);
+}
+
+static void test_sk_decode_sum_missing_separator(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, data->c_sum);
+}
+
+static void test_sk_decode_sum_no_uid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size::");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+}
+
+static void test_sk_decode_sum_no_gid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+}
+
+static void test_sk_decode_sum_no_md5(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+}
+
+static void test_sk_decode_sum_no_sha1(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+}
+
+static void test_sk_decode_sum_no_new_fields(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_sk_decode_sum_win_perm_string(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:win_perm:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_string_equal(data->sum.win_perm, "win_perm");
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+}
+
+static void test_sk_decode_sum_win_perm_encoded(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:|account,0,4:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_string_equal(data->sum.win_perm, "account (allowed): append_data");
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_sk_decode_sum_no_gname(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_sk_decode_sum_no_uname(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        ":gname");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+}
+
+static void test_sk_decode_sum_no_mtime(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+}
+
+static void test_sk_decode_sum_no_inode(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+}
+
+static void test_sk_decode_sum_no_sha256(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+    assert_null(data->sum.sha256);
+}
+
+static void test_sk_decode_sum_empty_sha256(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456::");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+    assert_string_equal(data->sum.sha256, "");
+    assert_int_equal(data->sum.mtime, 2345);
+    assert_int_equal(data->sum.inode, 3456);
+}
+
+static void test_sk_decode_sum_no_attributes(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456:"
+                        "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+    assert_string_equal(data->sum.sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    assert_int_equal(data->sum.mtime, 2345);
+    assert_int_equal(data->sum.inode, 3456);
+}
+
+static void test_sk_decode_sum_non_numeric_attributes(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456:"
+                        "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40:"
+                        "attributes");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+    assert_string_equal(data->sum.sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    assert_int_equal(data->sum.mtime, 2345);
+    assert_int_equal(data->sum.inode, 3456);
+    assert_string_equal(data->sum.attributes, "attributes");
+}
+
+static void test_sk_decode_sum_win_encoded_attributes(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456:"
+                        "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40:"
+                        "1");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, NULL);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.gname, "gname");
+    assert_string_equal(data->sum.uname, "uname");
+    assert_string_equal(data->sum.sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    assert_int_equal(data->sum.mtime, 2345);
+    assert_int_equal(data->sum.inode, 3456);
+    assert_string_equal(data->sum.attributes, "READONLY");
+}
+
+static void test_sk_decode_sum_extra_data_empty(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_sk_decode_sum_extra_data_no_user_name(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+}
+
+static void test_sk_decode_sum_extra_data_no_group_id(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+}
+
+static void test_sk_decode_sum_extra_data_no_group_name(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+}
+
+static void test_sk_decode_sum_extra_data_no_process_name(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+}
+
+static void test_sk_decode_sum_extra_data_no_audit_uid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+}
+
+static void test_sk_decode_sum_extra_data_no_audit_name(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+}
+
+static void test_sk_decode_sum_extra_data_no_effective_uid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+}
+
+static void test_sk_decode_sum_extra_data_no_effective_name(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+}
+
+static void test_sk_decode_sum_extra_data_no_ppid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+}
+
+static void test_sk_decode_sum_extra_data_no_process_id(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:ppid");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_null(data->sum.wdata.user_name);
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_null(data->sum.wdata.process_name);
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+}
+
+static void test_sk_decode_sum_extra_data_no_tag(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:ppid:process_id");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_null(data->sum.tag);
+    assert_null(data->sum.symbolic_path);
+}
+
+static void test_sk_decode_sum_extra_data_no_symbolic_path(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "ppid:process_id:tag");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_string_equal(data->sum.tag, "tag");
+    assert_null(data->sum.symbolic_path);
+}
+
+static void test_sk_decode_sum_extra_data_no_inode(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "ppid:process_id:tag:symbolic_path");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_string_equal(data->sum.tag, "tag");
+    assert_string_equal(data->sum.symbolic_path, "symbolic_path");
+}
+
+static void test_sk_decode_sum_extra_data_all_fields(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "ppid:process_id:tag:symbolic_path:-");
+
+    data->sum.silent = 0;
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_string_equal(data->sum.tag, "tag");
+    assert_string_equal(data->sum.symbolic_path, "symbolic_path");
+    assert_int_equal(data->sum.silent, 0);
+}
+
+static void test_sk_decode_sum_extra_data_all_fields_silent(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "ppid:process_id:tag:symbolic_path:+");
+
+    data->sum.silent = 0;
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_string_equal(data->sum.wdata.ppid, "ppid");
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_string_equal(data->sum.tag, "tag");
+    assert_string_equal(data->sum.symbolic_path, "symbolic_path");
+    assert_int_equal(data->sum.silent, 1);
+}
+
+static void test_sk_decode_sum_extra_data_null_ppid(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 123456789;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "-:process_id:tag:symbolic_path:+");
+
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->sum.size, "size");
+    assert_int_equal(data->sum.perm, 1234);
+    assert_string_equal(data->sum.uid, "uid");
+    assert_string_equal(data->sum.gid, "gid");
+    assert_string_equal(data->sum.md5, "3691689a513ace7e508297b583d7050d");
+    assert_string_equal(data->sum.sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    assert_string_equal(data->sum.wdata.user_id, "user_id");
+    assert_string_equal(data->sum.wdata.user_name, "user_name");
+    assert_string_equal(data->sum.wdata.group_id, "group_id");
+    assert_string_equal(data->sum.wdata.group_name, "group_name");
+    assert_string_equal(data->sum.wdata.process_name, "process_name");
+    assert_string_equal(data->sum.wdata.audit_uid, "audit_uid");
+    assert_string_equal(data->sum.wdata.audit_name, "audit_name");
+    assert_string_equal(data->sum.wdata.effective_uid, "effective_uid");
+    assert_string_equal(data->sum.wdata.effective_name, "effective_name");
+    assert_null(data->sum.wdata.ppid);
+    assert_string_equal(data->sum.wdata.process_id, "process_id");
+    assert_string_equal(data->sum.tag, "tag");
+    assert_string_equal(data->sum.symbolic_path, "symbolic_path");
+    assert_int_equal(data->sum.silent, 1);
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_sk_decode_sum_extra_data_null_sum(void **state) {
+    sk_decode_data_t *data = *state;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    expect_assert_failure(sk_decode_sum(NULL, data->c_sum, NULL));
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_sk_decode_sum_extra_data_null_c_sum(void **state) {
+    sk_decode_data_t *data = *state;
+
+    expect_assert_failure(sk_decode_sum(&data->sum, NULL, NULL));
+}
+
+/* sk_decode_extradata tests */
+static void test_sk_decode_extradata_null_sum(void **state) {
+    sk_decode_data_t *data = *state;
+    data->c_sum = strdup("some string");
+
+    expect_assert_failure(sk_decode_extradata(NULL, data->c_sum));
+}
+
+static void test_sk_decode_extradata_null_c_sum(void **state) {
+    sk_decode_data_t *data = *state;
+
+    expect_assert_failure(sk_decode_extradata(&data->sum, NULL));
+}
+
+static void test_sk_decode_extradata_no_changes(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 12345;
+
+    data->c_sum = strdup("some string");
+
+    ret = sk_decode_extradata(&data->sum, data->c_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->c_sum, "some string");
+}
+
+static void test_sk_decode_extradata_no_date_alert(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 12345;
+
+    data->c_sum = strdup("some string!15");
+
+    ret = sk_decode_extradata(&data->sum, data->c_sum);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->c_sum, "some string");
+    assert_string_equal(data->c_sum + 12, "15");
+}
+
+static void test_sk_decode_extradata_no_sym_path(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 12345;
+
+    data->c_sum = strdup("some string!15:20");
+
+    data->sum.symbolic_path = NULL;
+
+    ret = sk_decode_extradata(&data->sum, data->c_sum);
+
+    assert_int_equal(ret, 1);
+    assert_string_equal(data->c_sum, "some string");
+    assert_string_equal(data->c_sum + 12, "15");
+    assert_string_equal(data->c_sum + 15, "20");
+    assert_int_equal(data->sum.changes, 15);
+    assert_int_equal(data->sum.date_alert, 20);
+    assert_null(data->sum.symbolic_path);
+}
+
+static void test_sk_decode_extradata_all_fields(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret = 12345;
+
+    data->c_sum = strdup("some string!15:20:a symbolic path");
+
+    data->sum.symbolic_path = NULL;
+
+    ret = sk_decode_extradata(&data->sum, data->c_sum);
+
+    assert_int_equal(ret, 1);
+    assert_string_equal(data->c_sum, "some string");
+    assert_string_equal(data->c_sum + 12, "15");
+    assert_string_equal(data->c_sum + 15, "20");
+    assert_int_equal(data->sum.changes, 15);
+    assert_int_equal(data->sum.date_alert, 20);
+    assert_string_equal(data->sum.symbolic_path, "a symbolic path");
+}
+
+/* sk_fill_event tests */
+static void test_sk_fill_event_full_event(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->f_name = strdup("f_name");
+
+    data->sum->size = "size";
+    data->sum->perm = 123456; // 361100 in octal
+    data->sum->uid = "uid";
+    data->sum->gid = "gid";
+    data->sum->md5 = "md5";
+    data->sum->sha1 = "sha1";
+    data->sum->uname = "uname";
+    data->sum->gname = "gname";
+    data->sum->mtime = 2345678;
+    data->sum->inode = 3456789;
+    data->sum->sha256 = "sha256";
+    data->sum->attributes = "attributes";
+    data->sum->wdata.user_id = "user_id";
+    data->sum->wdata.user_name = "user_name";
+    data->sum->wdata.group_id = "group_id";
+    data->sum->wdata.group_name = "group_name";
+    data->sum->wdata.process_name = "process_name";
+    data->sum->wdata.audit_uid = "audit_uid";
+    data->sum->wdata.audit_name = "audit_name";
+    data->sum->wdata.effective_uid = "effective_uid";
+    data->sum->wdata.effective_name = "effective_name";
+    data->sum->wdata.ppid = "ppid";
+    data->sum->wdata.process_id = "process_id";
+    data->sum->tag = "tag";
+    data->sum->symbolic_path = "symbolic_path";
+
+    sk_fill_event(data->lf, data->f_name, data->sum);
+
+    assert_string_equal(data->lf->fields[FIM_FILE].value, "f_name");
+    assert_string_equal(data->lf->fields[FIM_FILE].value, "f_name");
+    assert_string_equal(data->lf->fields[FIM_SIZE].value, "size");
+    assert_string_equal(data->lf->fields[FIM_PERM].value, "361100");
+    assert_string_equal(data->lf->fields[FIM_UID].value, "uid");
+    assert_string_equal(data->lf->fields[FIM_GID].value, "gid");
+    assert_string_equal(data->lf->fields[FIM_MD5].value, "md5");
+    assert_string_equal(data->lf->fields[FIM_SHA1].value, "sha1");
+    assert_string_equal(data->lf->fields[FIM_UNAME].value, "uname");
+    assert_string_equal(data->lf->fields[FIM_GNAME].value, "gname");
+    assert_string_equal(data->lf->fields[FIM_MTIME].value, "2345678");
+    assert_string_equal(data->lf->fields[FIM_INODE].value, "3456789");
+    assert_string_equal(data->lf->fields[FIM_SHA256].value, "sha256");
+    assert_string_equal(data->lf->fields[FIM_ATTRS].value, "attributes");
+    assert_string_equal(data->lf->fields[FIM_USER_ID].value, "user_id");
+    assert_string_equal(data->lf->fields[FIM_USER_NAME].value, "user_name");
+    assert_string_equal(data->lf->fields[FIM_GROUP_ID].value, "group_id");
+    assert_string_equal(data->lf->fields[FIM_GROUP_NAME].value, "group_name");
+    assert_string_equal(data->lf->fields[FIM_PROC_NAME].value, "process_name");
+    assert_string_equal(data->lf->fields[FIM_AUDIT_ID].value, "audit_uid");
+    assert_string_equal(data->lf->fields[FIM_AUDIT_NAME].value, "audit_name");
+    assert_string_equal(data->lf->fields[FIM_EFFECTIVE_UID].value, "effective_uid");
+    assert_string_equal(data->lf->fields[FIM_EFFECTIVE_NAME].value, "effective_name");
+    assert_string_equal(data->lf->fields[FIM_PPID].value, "ppid");
+    assert_string_equal(data->lf->fields[FIM_PROC_ID].value, "process_id");
+
+    assert_string_equal(data->lf->fields[FIM_TAG].value, "tag");
+
+    assert_string_equal(data->lf->fields[FIM_SYM_PATH].value, "symbolic_path");
+}
+
+static void test_sk_fill_event_empty_event(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->f_name = strdup("f_name");
+
+    sk_fill_event(data->lf, data->f_name, data->sum);
+
+    assert_string_equal(data->lf->fields[FIM_FILE].value, "f_name");
+    assert_null(data->lf->fields[FIM_SIZE].value);
+    assert_null(data->lf->fields[FIM_PERM].value);
+    assert_null(data->lf->fields[FIM_UID].value);
+    assert_null(data->lf->fields[FIM_GID].value);
+    assert_null(data->lf->fields[FIM_MD5].value);
+    assert_null(data->lf->fields[FIM_SHA1].value);
+    assert_null(data->lf->fields[FIM_UNAME].value);
+    assert_null(data->lf->fields[FIM_GNAME].value);
+    assert_null(data->lf->fields[FIM_MTIME].value);
+    assert_null(data->lf->fields[FIM_INODE].value);
+    assert_null(data->lf->fields[FIM_SHA256].value);
+    assert_null(data->lf->fields[FIM_ATTRS].value);
+    assert_null(data->lf->fields[FIM_USER_ID].value);
+    assert_null(data->lf->fields[FIM_USER_NAME].value);
+    assert_null(data->lf->fields[FIM_GROUP_ID].value);
+    assert_null(data->lf->fields[FIM_GROUP_NAME].value);
+    assert_null(data->lf->fields[FIM_PROC_NAME].value);
+    assert_null(data->lf->fields[FIM_AUDIT_ID].value);
+    assert_null(data->lf->fields[FIM_AUDIT_NAME].value);
+    assert_null(data->lf->fields[FIM_EFFECTIVE_UID].value);
+    assert_null(data->lf->fields[FIM_EFFECTIVE_NAME].value);
+    assert_null(data->lf->fields[FIM_PPID].value);
+    assert_null(data->lf->fields[FIM_PROC_ID].value);
+
+    assert_null(data->lf->fields[FIM_TAG].value);
+
+    assert_null(data->lf->fields[FIM_SYM_PATH].value);
+}
+
+static void test_sk_fill_event_win_perm(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->f_name = strdup("f_name");
+
+    data->sum->win_perm = "win_perm";
+
+    sk_fill_event(data->lf, data->f_name, data->sum);
+
+    assert_string_equal(data->lf->fields[FIM_FILE].value, "f_name");
+    assert_null(data->lf->fields[FIM_SIZE].value);
+    assert_string_equal(data->lf->fields[FIM_PERM].value, "win_perm");
+    assert_null(data->lf->fields[FIM_UID].value);
+    assert_null(data->lf->fields[FIM_GID].value);
+    assert_null(data->lf->fields[FIM_MD5].value);
+    assert_null(data->lf->fields[FIM_SHA1].value);
+    assert_null(data->lf->fields[FIM_UNAME].value);
+    assert_null(data->lf->fields[FIM_GNAME].value);
+    assert_null(data->lf->fields[FIM_MTIME].value);
+    assert_null(data->lf->fields[FIM_INODE].value);
+    assert_null(data->lf->fields[FIM_SHA256].value);
+    assert_null(data->lf->fields[FIM_ATTRS].value);
+    assert_null(data->lf->fields[FIM_USER_ID].value);
+    assert_null(data->lf->fields[FIM_USER_NAME].value);
+    assert_null(data->lf->fields[FIM_GROUP_ID].value);
+    assert_null(data->lf->fields[FIM_GROUP_NAME].value);
+    assert_null(data->lf->fields[FIM_PROC_NAME].value);
+    assert_null(data->lf->fields[FIM_AUDIT_ID].value);
+    assert_null(data->lf->fields[FIM_AUDIT_NAME].value);
+    assert_null(data->lf->fields[FIM_EFFECTIVE_UID].value);
+    assert_null(data->lf->fields[FIM_EFFECTIVE_NAME].value);
+    assert_null(data->lf->fields[FIM_PPID].value);
+    assert_null(data->lf->fields[FIM_PROC_ID].value);
+
+    assert_null(data->lf->fields[FIM_TAG].value);
+
+    assert_null(data->lf->fields[FIM_SYM_PATH].value);
+}
+
+static void test_sk_fill_event_null_eventinfo(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->f_name = strdup("f_name");
+
+    data->sum->win_perm = "win_perm";
+
+    expect_assert_failure(sk_fill_event(NULL, data->f_name, data->sum));
+}
+
+static void test_sk_fill_event_null_f_name(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->sum->win_perm = "win_perm";
+
+    expect_assert_failure(sk_fill_event(data->lf, NULL, data->sum));
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_sk_fill_event_null_sum(void **state) {
+    sk_fill_event_t *data = *state;
+
+    data->f_name = strdup("f_name");
+
+    expect_assert_failure(sk_fill_event(data->lf, data->f_name, NULL));
+}
+
+/* sk_build_sum tests */
+static void test_sk_build_sum_full_message(void **state) {
+    sk_build_sum_t *data = *state;
+    int ret;
+
+    data->sum.size = "size";
+    data->sum.perm = 123456;
+    data->sum.win_perm = NULL;
+    data->sum.uid = "uid";
+    data->sum.gid = "gid";
+    data->sum.md5 = "md5";
+    data->sum.sha1 = "sha1";
+    data->sum.uname = "username";
+    data->sum.gname = "gname";
+    data->sum.mtime = 234567;
+    data->sum.inode = 345678;
+    data->sum.sha256 = "sha256";
+    data->sum.attributes = "attributes";
+    data->sum.changes = 456789;
+    data->sum.date_alert = 567890;
+
+    ret = sk_build_sum(&data->sum, data->output, OS_MAXSTR);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->output,
+                        "size:123456:uid:gid:md5:sha1:username:gname:234567:345678:sha256:attributes!456789:567890");
+}
+
+static void test_sk_build_sum_skip_fields_message(void **state) {
+    sk_build_sum_t *data = *state;
+    int ret;
+
+    data->sum.size = "size";
+    data->sum.perm = 0;
+    data->sum.win_perm = NULL;
+    data->sum.uid = "uid";
+    data->sum.gid = "gid";
+    data->sum.md5 = "md5";
+    data->sum.sha1 = "sha1";
+    data->sum.uname = NULL;
+    data->sum.gname = NULL;
+    data->sum.mtime = 0;
+    data->sum.inode = 0;
+    data->sum.sha256 = NULL;
+    data->sum.attributes = NULL;
+    data->sum.changes = 0;
+    data->sum.date_alert = 0;
+
+    ret = sk_build_sum(&data->sum, data->output, OS_MAXSTR);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->output, "size::uid:gid:md5:sha1::::::!0:0");
+}
+
+static void test_sk_build_sum_win_perm(void **state) {
+    sk_build_sum_t *data = *state;
+    int ret;
+
+    data->sum.size = "size";
+    data->sum.perm = 0;
+    data->sum.win_perm = "win_perm";
+    data->sum.uid = "uid";
+    data->sum.gid = "gid";
+    data->sum.md5 = "md5";
+    data->sum.sha1 = "sha1";
+    data->sum.uname = NULL;
+    data->sum.gname = NULL;
+    data->sum.mtime = 0;
+    data->sum.inode = 0;
+    data->sum.sha256 = NULL;
+    data->sum.attributes = NULL;
+    data->sum.changes = 0;
+    data->sum.date_alert = 0;
+
+    ret = sk_build_sum(&data->sum, data->output, OS_MAXSTR);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(data->output, "size:win_perm:uid:gid:md5:sha1::::::!0:0");
+}
+
+static void test_sk_build_sum_insufficient_buffer_size(void **state) {
+    sk_build_sum_t *data = *state;
+    int ret;
+
+    data->sum.size = "size";
+    data->sum.perm = 0;
+    data->sum.win_perm = "win_perm";
+    data->sum.uid = "uid";
+    data->sum.gid = "gid";
+    data->sum.md5 = "md5";
+    data->sum.sha1 = "sha1";
+    data->sum.uname = NULL;
+    data->sum.gname = NULL;
+    data->sum.mtime = 0;
+    data->sum.inode = 0;
+    data->sum.sha256 = NULL;
+    data->sum.attributes = NULL;
+    data->sum.changes = 0;
+    data->sum.date_alert = 0;
+
+    ret = sk_build_sum(&data->sum, data->output, 10);
+
+    assert_int_equal(ret, -1);
+    assert_string_equal(data->output, "size:win_");
+}
+
+static void test_sk_build_sum_null_sum(void **state) {
+    sk_build_sum_t *data = *state;
+
+    expect_assert_failure(sk_build_sum(NULL, data->output, OS_MAXSTR));
+}
+
+static void test_sk_build_sum_null_output(void **state) {
+    sk_build_sum_t *data = *state;
+
+    expect_assert_failure(sk_build_sum(&data->sum, NULL, OS_MAXSTR));
+}
+
+/* sk_sum_clean tests */
+static void test_sk_sum_clean_full_message(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456:"
+                        "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40:"
+                        "1");
+    data->w_sum = strdup("user_id:user_name:group_id:group_name:process_name:"
+                        "audit_uid:audit_name:effective_uid:effective_name:"
+                        "ppid:process_id:tag:symbolic_path:-");
+
+    // Fill sum with as many info as possible
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+    assert_int_equal(ret, 0);
+
+    // And free it
+    sk_sum_clean(&data->sum);
+
+    assert_null(data->sum.symbolic_path);
+    assert_null(data->sum.attributes);
+    assert_null(data->sum.wdata.user_name);
+    assert_null(data->sum.wdata.process_name);
+    assert_null(data->sum.uname);
+    assert_null(data->sum.win_perm);
+}
+
+static void test_sk_sum_clean_shortest_valid_message(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret;
+
+    data->c_sum = strdup("size:1234:uid:gid:"
+                        "3691689a513ace7e508297b583d7050d:"
+                        "07f05add1049244e7e71ad0f54f24d8094cd8f8b:"
+                        "uname:gname:2345:3456");
+
+    // Fill sum with as many info as possible
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+    assert_int_equal(ret, 0);
+
+    // And free it
+    sk_sum_clean(&data->sum);
+
+    assert_null(data->sum.symbolic_path);
+    assert_null(data->sum.attributes);
+    assert_null(data->sum.wdata.user_name);
+    assert_null(data->sum.wdata.process_name);
+    assert_null(data->sum.uname);
+    assert_null(data->sum.win_perm);
+}
+
+static void test_sk_sum_clean_invalid_message(void **state) {
+    sk_decode_data_t *data = *state;
+    int ret;
+
+    data->c_sum = strdup("This is not a valid syscheck message");
+
+    // Fill sum with as many info as possible
+    ret = sk_decode_sum(&data->sum, data->c_sum, data->w_sum);
+    assert_int_equal(ret, -1);
+
+    // And free it
+    sk_sum_clean(&data->sum);
+
+    assert_null(data->sum.symbolic_path);
+    assert_null(data->sum.attributes);
+    assert_null(data->sum.wdata.user_name);
+    assert_null(data->sum.wdata.process_name);
+    assert_null(data->sum.uname);
+    assert_null(data->sum.win_perm);
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_sk_sum_clean_null_sum(void **state) {
+    expect_assert_failure(sk_sum_clean(NULL));
+}
+#endif
+#ifndef TEST_WINAGENT
+/* unescape_syscheck_field tests */
+static void test_unescape_syscheck_field_escaped_chars(void **state) {
+    unescape_syscheck_field_data_t *data = *state;
+
+    data->input = strdup("Hi\\!! This\\ is\\ a string with\\: escaped chars:");
+
+    data->output = unescape_syscheck_field(data->input);
+
+    assert_string_equal(data->output, "Hi!! This is a string with: escaped chars:");
+}
+
+static void test_unescape_syscheck_field_no_escaped_chars(void **state) {
+    unescape_syscheck_field_data_t *data = *state;
+
+    data->input = strdup("Hi!! This is a string without: escaped chars:");
+
+    data->output = unescape_syscheck_field(data->input);
+
+    assert_string_equal(data->output, "Hi!! This is a string without: escaped chars:");
+}
+
+static void test_unescape_syscheck_null_input(void **state) {
+    unescape_syscheck_field_data_t *data = *state;
+
+    data->input = NULL;
+
+    data->output = unescape_syscheck_field(data->input);
+
+    assert_null(data->output);
+}
+
+static void test_unescape_syscheck_empty_string(void **state) {
+    unescape_syscheck_field_data_t *data = *state;
+
+    data->input = strdup("");
+
+    data->output = unescape_syscheck_field(data->input);
+
+    assert_null(data->output);
+}
+
+/* get_user tests */
+static void test_get_user_success(void **state) {
+    char *user;
+
+    will_return(__wrap_sysconf, 16384);
+
+    will_return(__wrap_getpwuid_r, "user_name");
+    will_return(__wrap_getpwuid_r, 1);
+#ifndef SOLARIS
+    will_return(__wrap_getpwuid_r, 0);
+#endif
+
+    user = get_user(1);
+
+    *state = user;
+
+    assert_string_equal(user, "user_name");
+}
+
+static void test_get_user_uid_not_found(void **state) {
+    char *user;
+
+    will_return(__wrap_sysconf, -1);
+
+    will_return(__wrap_getpwuid_r, "user_name");
+    will_return(__wrap_getpwuid_r, NULL);
+#ifndef SOLARIS
+    will_return(__wrap_getpwuid_r, 0);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "User with uid '1' not found.\n");
+
+    user = get_user(1);
+
+    *state = user;
+
+    assert_null(user);
+}
+
+static void test_get_user_error(void **state) {
+    char *user;
+
+    will_return(__wrap_sysconf, 16384);
+
+    will_return(__wrap_getpwuid_r, "user_name");
+    will_return(__wrap_getpwuid_r, NULL);
+#ifndef SOLARIS
+    will_return(__wrap_getpwuid_r, ENOENT);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Failed getting user_name (2): 'No such file or directory'\n");
+
+    user = get_user(1);
+
+    *state = user;
+
+    assert_null(user);
+}
+#endif
+
+#if defined(TEST_WINAGENT)
+struct group {
+    const char *gr_name;
+};
+#endif
+
+/* get_group tests */
+#ifndef TEST_WINAGENT
+static void test_get_group_success(void **state) {
+    struct group group = { .gr_name = "group" };
+    char *output;
+
+    will_return(__wrap_sysconf, -1);
+
+    expect_value(__wrap_w_getgrgid, gid, 1000);
+    will_return(__wrap_w_getgrgid, &group);
+    will_return(__wrap_w_getgrgid, NULL); // We don't care about member buffers
+    will_return(__wrap_w_getgrgid, 1); // Success
+
+    output = get_group(1000);
+
+    assert_string_equal(output, group.gr_name);
+
+    free(output);
+}
+
+static void test_get_group_no_group(void **state) {
+    const char *output;
+
+    errno = 0;
+
+    will_return(__wrap_sysconf, 8);
+
+    expect_value(__wrap_w_getgrgid, gid, 1000);
+    will_return(__wrap_w_getgrgid, NULL);
+    will_return(__wrap_w_getgrgid, NULL); // We don't care about member buffers
+    will_return(__wrap_w_getgrgid, 0); // Fail
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Group with gid '1000' not found.\n");
+
+    output = get_group(1000);
+
+    assert_null(output);
+}
+#else
+static void test_get_group(void **state) {
+    assert_string_equal(get_group(0), "");
+}
+#endif
+
+/* ag_send_syscheck tests */
+/* ag_send_syscheck does not modify inputs or return anything, so there are no asserts */
+/* validation of this function is done through the wrapped functions. */
+#ifndef TEST_WINAGENT
+static void test_ag_send_syscheck_success(void **state) {
+    char *input = "This is a mock message, it wont be sent anywhere";
+
+    expect_string(__wrap_OS_ConnectUnixDomain, path, SYS_LOCAL_SOCK);
+    expect_value(__wrap_OS_ConnectUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_ConnectUnixDomain, max_msg_size, OS_MAXSTR);
+
+    will_return(__wrap_OS_ConnectUnixDomain, 1234);
+
+    expect_value(__wrap_OS_SendSecureTCP, sock, 1234);
+    expect_value(__wrap_OS_SendSecureTCP, size, 48);
+    expect_string(__wrap_OS_SendSecureTCP, msg, input);
+
+    will_return(__wrap_OS_SendSecureTCP, 48);
+
+    ag_send_syscheck(input);
+}
+
+static void test_ag_send_syscheck_unable_to_connect(void **state) {
+    char *input = "This is a mock message, it wont be sent anywhere";
+
+    expect_string(__wrap_OS_ConnectUnixDomain, path, SYS_LOCAL_SOCK);
+    expect_value(__wrap_OS_ConnectUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_ConnectUnixDomain, max_msg_size, OS_MAXSTR);
+
+    will_return(__wrap_OS_ConnectUnixDomain, OS_SOCKTERR);
+
+    errno = EADDRNOTAVAIL;
+
+    expect_string(__wrap__mwarn, formatted_msg, "dbsync: cannot connect to syscheck: Cannot assign requested address (99)");
+
+    ag_send_syscheck(input);
+
+    errno = 0;
+}
+static void test_ag_send_syscheck_error_sending_message(void **state) {
+    char *input = "This is a mock message, it wont be sent anywhere";
+
+    expect_string(__wrap_OS_ConnectUnixDomain, path, SYS_LOCAL_SOCK);
+    expect_value(__wrap_OS_ConnectUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_ConnectUnixDomain, max_msg_size, OS_MAXSTR);
+
+    will_return(__wrap_OS_ConnectUnixDomain, 1234);
+
+    expect_value(__wrap_OS_SendSecureTCP, sock, 1234);
+    expect_value(__wrap_OS_SendSecureTCP, size, 48);
+    expect_string(__wrap_OS_SendSecureTCP, msg, input);
+
+    will_return(__wrap_OS_SendSecureTCP, OS_SOCKTERR);
+
+    errno = EWOULDBLOCK;
+
+    expect_string(__wrap__mwarn, formatted_msg, "Cannot send message to syscheck: Resource temporarily unavailable (11)");
+
+    ag_send_syscheck(input);
+
+    errno = 0;
+}
+#else
+static void test_ag_send_syscheck(void **state) {
+    char *response = strdup("A mock reponse message");
+
+    expect_string(__wrap_syscom_dispatch, command, "command");
+    will_return(__wrap_syscom_dispatch, response);
+    will_return(__wrap_syscom_dispatch, 23);
+
+    ag_send_syscheck("command");
+}
+#endif
+
+/* decode_win_attributes tests */
+static void test_decode_win_attributes_all_attributes(void **state) {
+    char str[OS_SIZE_256];
+    unsigned int attrs = 0;
+
+    attrs |= FILE_ATTRIBUTE_ARCHIVE     |
+             FILE_ATTRIBUTE_COMPRESSED  |
+             FILE_ATTRIBUTE_DEVICE      |
+             FILE_ATTRIBUTE_DIRECTORY   |
+             FILE_ATTRIBUTE_ENCRYPTED   |
+             FILE_ATTRIBUTE_HIDDEN      |
+             FILE_ATTRIBUTE_NORMAL      |
+             FILE_ATTRIBUTE_OFFLINE     |
+             FILE_ATTRIBUTE_READONLY    |
+             FILE_ATTRIBUTE_SPARSE_FILE |
+             FILE_ATTRIBUTE_SYSTEM      |
+             FILE_ATTRIBUTE_TEMPORARY   |
+             FILE_ATTRIBUTE_VIRTUAL     |
+             FILE_ATTRIBUTE_NO_SCRUB_DATA |
+             FILE_ATTRIBUTE_REPARSE_POINT |
+             FILE_ATTRIBUTE_RECALL_ON_OPEN |
+             FILE_ATTRIBUTE_INTEGRITY_STREAM |
+             FILE_ATTRIBUTE_NOT_CONTENT_INDEXED |
+             FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS;
+
+    decode_win_attributes(str, attrs);
+
+    assert_string_equal(str, "ARCHIVE, COMPRESSED, DEVICE, DIRECTORY, ENCRYPTED, "
+                             "HIDDEN, INTEGRITY_STREAM, NORMAL, NOT_CONTENT_INDEXED, "
+                             "NO_SCRUB_DATA, OFFLINE, READONLY, RECALL_ON_DATA_ACCESS, "
+                             "RECALL_ON_OPEN, REPARSE_POINT, SPARSE_FILE, SYSTEM, TEMPORARY, "
+                             "VIRTUAL");
+}
+
+static void test_decode_win_attributes_no_attributes(void **state) {
+    char str[OS_SIZE_256];
+    unsigned int attrs = 0;
+
+    decode_win_attributes(str, attrs);
+
+    assert_string_equal(str, "");
+}
+
+static void test_decode_win_attributes_some_attributes(void **state) {
+    char str[OS_SIZE_256];
+    unsigned int attrs = 0;
+
+    attrs |= FILE_ATTRIBUTE_ARCHIVE     |
+             FILE_ATTRIBUTE_DEVICE      |
+             FILE_ATTRIBUTE_ENCRYPTED   |
+             FILE_ATTRIBUTE_NORMAL      |
+             FILE_ATTRIBUTE_READONLY    |
+             FILE_ATTRIBUTE_SPARSE_FILE |
+             FILE_ATTRIBUTE_TEMPORARY   |
+             FILE_ATTRIBUTE_NO_SCRUB_DATA |
+             FILE_ATTRIBUTE_RECALL_ON_OPEN;
+
+    decode_win_attributes(str, attrs);
+
+    assert_string_equal(str, "ARCHIVE, DEVICE, ENCRYPTED, NORMAL, NO_SCRUB_DATA, "
+                             "READONLY, RECALL_ON_OPEN, SPARSE_FILE, TEMPORARY");
+}
+
+/* decode_win_acl_json */
+void assert_ace_full_perms(const cJSON * const ace) {
+    int i;
+    const char *it;
+    cJSON *element;
+    static const char * const perm_strings[] = {
+        "generic_read",
+        "generic_write",
+        "generic_execute",
+        "generic_all",
+        "delete",
+        "read_control",
+        "write_dac",
+        "write_owner",
+        "synchronize",
+        "read_data",
+        "write_data",
+        "append_data",
+        "read_ea",
+        "write_ea",
+        "execute",
+        "read_attributes",
+        "write_attributes",
+        NULL
+    };
+
+    assert_non_null(ace);
+    assert_true(cJSON_IsArray(ace));
+
+    for (i = 0, it = perm_strings[0]; it; it = perm_strings[++i]) {
+        int fail = 1;
+        cJSON_ArrayForEach(element, ace) {
+            if (strcmp(cJSON_GetStringValue(element), it) == 0) {
+                fail = 0;
+                break;
+            }
+        }
+
+        if (fail) {
+            fail_msg("%s not found", it);
+        }
+    }
+}
+
+#define set_full_perms(x)                                                                                   \
+    x |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL | DELETE | READ_CONTROL | WRITE_DAC | \
+         WRITE_OWNER | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA |   \
+         FILE_WRITE_EA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES
+
+static void test_decode_win_acl_json_null_json(void **state) {
+    expect_assert_failure(decode_win_acl_json(NULL));
+}
+
+static void test_decode_win_acl_fail_creating_object(void **state) {
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = __real_cJSON_CreateObject();
+    cJSON *element;
+
+    if (acl == NULL || ace == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    cJSON_AddItemToObject(acl, "S-1-5-32-636", ace);
+
+    cJSON_AddItemToObject(ace, "allowed", cJSON_CreateNumber(full_perms));
+
+    will_return(__wrap_cJSON_CreateArray, NULL);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_CJSON_ERROR_CREATE_ITEM);
+
+    decode_win_acl_json(acl);
+
+    ace = cJSON_GetObjectItem(acl, "S-1-5-32-636");
+    assert_non_null(ace);
+
+    cJSON *denied = cJSON_GetObjectItem(ace, "denied");
+    assert_null(denied);
+
+    cJSON *allowed = cJSON_GetObjectItem(ace, "allowed");
+    assert_non_null(allowed);
+    assert_int_equal(full_perms, allowed->valueint);
+}
+
+static void test_decode_win_acl_json_allowed_ace_only(void **state) {
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = __real_cJSON_CreateObject();
+    cJSON *element;
+
+    if (acl == NULL || ace == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    cJSON_AddItemToObject(acl, "S-1-5-32-636", ace);
+
+    cJSON_AddItemToObject(ace, "allowed", cJSON_CreateNumber(full_perms));
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    decode_win_acl_json(acl);
+
+    ace = cJSON_GetObjectItem(acl, "S-1-5-32-636");
+    assert_non_null(ace);
+
+    cJSON *denied = cJSON_GetObjectItem(ace, "denied");
+    assert_null(denied);
+
+    cJSON *allowed = cJSON_GetObjectItem(ace, "allowed");
+    assert_ace_full_perms(allowed);
+}
+
+static void test_decode_win_acl_json_denied_ace_only(void **state) {
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = __real_cJSON_CreateObject();
+    cJSON *element;
+
+    if (acl == NULL || ace == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    cJSON_AddItemToObject(acl, "S-1-5-32-636", ace);
+
+    cJSON_AddItemToObject(ace, "denied", cJSON_CreateNumber(full_perms));
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    decode_win_acl_json(acl);
+
+    ace = cJSON_GetObjectItem(acl, "S-1-5-32-636");
+    assert_non_null(ace);
+
+    cJSON *allowed = cJSON_GetObjectItem(ace, "allowed");
+    assert_null(allowed);
+
+    cJSON *denied = cJSON_GetObjectItem(ace, "denied");
+    assert_ace_full_perms(denied);
+}
+
+static void test_decode_win_acl_json_both_ace_types(void **state) {
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = __real_cJSON_CreateObject();
+    cJSON *element;
+
+    if (acl == NULL || ace == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    cJSON_AddItemToObject(acl, "S-1-5-32-636", ace);
+
+    cJSON_AddItemToObject(ace, "name", cJSON_CreateString("username"));
+    cJSON_AddItemToObject(ace, "denied", cJSON_CreateNumber(full_perms));
+    cJSON_AddItemToObject(ace, "allowed", cJSON_CreateNumber(full_perms));
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    decode_win_acl_json(acl);
+
+    ace = cJSON_GetObjectItem(acl, "S-1-5-32-636");
+    assert_non_null(ace);
+
+    cJSON *allowed = cJSON_GetObjectItem(ace, "allowed");
+    assert_ace_full_perms(allowed);
+
+    cJSON *denied = cJSON_GetObjectItem(ace, "denied");
+    assert_ace_full_perms(denied);
+
+    // User name must be untouched, same as other unused fields
+    cJSON *name = cJSON_GetObjectItem(ace, "name");
+    assert_non_null(name);
+    assert_string_equal("username", cJSON_GetStringValue(name));
+}
+
+static void test_decode_win_acl_json_empty_acl(void **state) {
+    cJSON *acl = __real_cJSON_CreateObject();
+    *state = acl;
+
+    if (acl == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    decode_win_acl_json(acl);
+
+    assert_int_equal(0, cJSON_GetArraySize(acl));
+}
+
+static void test_decode_win_acl_json_empty_ace(void **state) {
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = __real_cJSON_CreateObject();
+    cJSON *element;
+
+    if (acl == NULL || ace == NULL) {
+        fail_msg("Failed to create cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    cJSON_AddItemToObject(acl, "S-1-5-32-636", ace);
+
+    decode_win_acl_json(acl);
+
+    ace = cJSON_GetObjectItem(acl, "S-1-5-32-636");
+    assert_non_null(ace);
+    assert_int_equal(0, cJSON_GetArraySize(ace));
+}
+
+static void test_decode_win_acl_json_multiple_aces(void **state) {
+    const char * const SIDS[] = {
+        [0] = "S-1-5-32-636",
+        [1] = "S-1-5-32-363",
+        [2] = "S-1-5-32-444",
+        [3] = NULL
+    };
+    const char * const USERNAMES[] = {
+        [0] = "username",
+        [1] = "someone",
+        [2] = "anon",
+        [3] = NULL
+    };
+    int full_perms = 0, i = 0;
+    const char * it;
+    cJSON *acl = __real_cJSON_CreateObject();
+    cJSON *ace = NULL;
+    cJSON *element;
+
+    if (acl == NULL) {
+        fail_msg("Failed to create ACL cJSON object");
+    }
+
+    *state = acl;
+    set_full_perms(full_perms);
+
+    for (i = 0, it = SIDS[0]; it; it = SIDS[++i]) {
+        ace = __real_cJSON_CreateObject();
+        if (ace == NULL) {
+            fail_msg("Failed to create ACE cJSON object");
+        }
+
+        cJSON_AddItemToObject(acl, it, ace);
+
+        cJSON_AddItemToObject(ace, "name", cJSON_CreateString(USERNAMES[i]));
+        cJSON_AddItemToObject(ace, "denied", cJSON_CreateNumber(full_perms));
+        cJSON_AddItemToObject(ace, "allowed", cJSON_CreateNumber(full_perms));
+
+        will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+        will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    }
+
+    decode_win_acl_json(acl);
+
+    for (i = 0, it = SIDS[0]; it; it = SIDS[++i]) {
+        ace = cJSON_GetObjectItem(acl, it);
+        assert_non_null(ace);
+
+        cJSON *allowed = cJSON_GetObjectItem(ace, "allowed");
+        assert_ace_full_perms(allowed);
+
+        cJSON *denied = cJSON_GetObjectItem(ace, "denied");
+        assert_ace_full_perms(denied);
+
+        // User name must be untouched, same as other unused fields
+        cJSON *name = cJSON_GetObjectItem(ace, "name");
+        assert_non_null(name);
+        assert_string_equal(USERNAMES[i], cJSON_GetStringValue(name));
+    }
+}
+
+
+/* decode_win_permissions tests */
+static void test_decode_win_permissions_success_all_permissions(void **state) {
+    char raw_perm[OS_SIZE_1024] = { '\0' };
+    char *output;
+
+    snprintf(raw_perm, OS_MAXSTR, "|account,0,%ld",
+             (long int)(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL | DELETE | READ_CONTROL |
+                             WRITE_DAC | WRITE_OWNER | SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA |
+                             FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | FILE_EXECUTE | FILE_READ_ATTRIBUTES |
+                             FILE_WRITE_ATTRIBUTES));
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_string_equal(output,
+                        "account (allowed): generic_read|generic_write|generic_execute|"
+                        "generic_all|delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|"
+                        "append_data|read_ea|write_ea|execute|read_attributes|write_attributes");
+}
+
+static void test_decode_win_permissions_success_no_permissions(void **state) {
+    char raw_perm[OS_SIZE_1024] = { '\0' };
+    char *output;
+
+    snprintf(raw_perm, OS_MAXSTR,  "|account,0,%ld", (long int)0);
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_string_equal(output, "account (allowed):");
+}
+
+static void test_decode_win_permissions_success_some_permissions(void **state) {
+    char raw_perm[OS_SIZE_1024] = { '\0' };
+    char *output;
+
+    snprintf(raw_perm, OS_MAXSTR, "|account,0,%ld",
+             (long int)(GENERIC_READ | GENERIC_EXECUTE | DELETE | WRITE_DAC | SYNCHRONIZE | FILE_WRITE_DATA |
+                        FILE_READ_EA | FILE_EXECUTE | FILE_WRITE_ATTRIBUTES));
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_string_equal(output, "account (allowed): generic_read|generic_execute|"
+                                "delete|write_dac|synchronize|write_data|read_ea|execute|write_attributes");
+}
+
+static void test_decode_win_permissions_success_multiple_accounts(void **state) {
+    char raw_perm[OS_SIZE_1024] = { '\0' };
+    char *output;
+
+    snprintf(raw_perm, OS_MAXSTR, "|first,0,%ld|second,1,%ld", (long int)(GENERIC_READ), (long int)(GENERIC_EXECUTE));
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_string_equal(output, "first (allowed): generic_read, second (denied): generic_execute");
+}
+
+static void test_decode_win_permissions_fail_no_account_name(void **state) {
+    char *raw_perm = "|this wont pass";
+    char *output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "The file permissions could not be decoded: '|this wont pass'.");
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_null(output);
+}
+
+static void test_decode_win_permissions_fail_no_access_type(void **state) {
+    char raw_perm[OS_SIZE_1024] = { "|account,this wont pass" };
+    char *output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "The file permissions could not be decoded: '|account,this wont pass'.");
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_null(output);
+}
+
+static void test_decode_win_permissions_fail_wrong_format(void **state) {
+    char raw_perm[OS_SIZE_1024] = { "this is not the proper format" };
+    char *output;
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_string_equal("", output);
+}
+
+static void test_decode_win_permissions_overrun_inner_buffer(void **state) {
+    char raw_perm[OS_MAXSTR] = { '\0' };
+    int size = 0;
+    char *output;
+
+    while (size < MAX_WIN_PERM_SIZE) {
+        size += snprintf(raw_perm + size, OS_MAXSTR,  "|account%d,0,%ld", size, (long int)(GENERIC_READ));
+    }
+
+    output = decode_win_permissions(raw_perm);
+
+    *state = output;
+
+    assert_true(strlen(output) < MAX_WIN_PERM_SIZE);
+}
+
+/* compare_win_permissions */
+#define BASE_WIN_ALLOWED_ACE "[" \
+    "\"delete\"," \
+    "\"read_control\"," \
+    "\"write_dac\"," \
+    "\"write_owner\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"write_data\"," \
+    "\"append_data\"," \
+    "\"read_ea\"," \
+    "\"write_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"," \
+    "\"write_attributes\"" \
+"]"
+
+#define BASE_WIN_DENIED_ACE "[" \
+    "\"read_control\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"read_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"" \
+"]"
+
+#define BASE_WIN_ACE "{" \
+    "\"name\": \"Users\"," \
+    "\"allowed\": " BASE_WIN_ALLOWED_ACE "," \
+    "\"denied\": " BASE_WIN_DENIED_ACE \
+"}"
+
+static const char * const BASE_WIN_PERMS = "{\"S-1-5-32-636\": " BASE_WIN_ACE "}";
+
+static void test_compare_win_permissions_equal_acls(void **state) {
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_true(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_null_acl1(void **state) {
+    cJSON *acl1 = NULL;
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_null_acl2(void **state) {
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = NULL;
+
+    assert_non_null(acl1);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+}
+
+static void test_compare_win_permissions_both_acls_null(void **state) {
+    cJSON *acl1 = NULL;
+    cJSON *acl2 = NULL;
+
+    assert_true(compare_win_permissions(acl1, acl2));
+}
+
+static void test_compare_win_permissions_acl1_larger_than_acl2(void **state) {
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    cJSON_AddItemToObject(acl1, "S-1-5-18", __real_cJSON_CreateObject());
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_acl2_larger_than_acl1(void **state) {
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    cJSON_AddItemToObject(acl2, "S-1-5-18", __real_cJSON_CreateObject());
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_different_entries(void **state) {
+    const char * const ACL2 = "{ \"S-1-5-18\":" BASE_WIN_ACE "}";
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(ACL2);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_allowed_ace(void **state) {
+    const char *const NO_ALLOWED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"denied\": " BASE_WIN_DENIED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(NO_ALLOWED_ACE);
+    cJSON *acl2 = cJSON_Parse(NO_ALLOWED_ACE);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_true(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_allowed_ace1(void **state) {
+    const char *const NO_ALLOWED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"denied\": " BASE_WIN_DENIED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(NO_ALLOWED_ACE);
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_allowed_ace2(void **state) {
+    const char *const NO_ALLOWED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"denied\": " BASE_WIN_DENIED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(NO_ALLOWED_ACE);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_denied_ace(void **state) {
+    const char *const NO_DENIED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"allowed\": " BASE_WIN_ALLOWED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(NO_DENIED_ACE);
+    cJSON *acl2 = cJSON_Parse(NO_DENIED_ACE);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_true(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_denied_ace1(void **state) {
+    const char *const NO_DENIED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"allowed\": " BASE_WIN_ALLOWED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(NO_DENIED_ACE);
+    cJSON *acl2 = cJSON_Parse(BASE_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_no_denied_ace2(void **state) {
+    const char *const NO_DENIED_ACE = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"allowed\": " BASE_WIN_ALLOWED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(NO_DENIED_ACE);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_different_allowed_ace(void **state) {
+    const char *const CUSTOM_WIN_PERMS = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"allowed\": [\"read_control\"],"
+                                       "\"denied\": " BASE_WIN_DENIED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(CUSTOM_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+static void test_compare_win_permissions_different_denied_ace(void **state) {
+    const char *const CUSTOM_WIN_PERMS = "{\"S-1-5-32-636\": {"
+                                       "\"name\": \"Users\","
+                                       "\"denied\": [\"read_control\"],"
+                                       "\"allowed\": " BASE_WIN_ALLOWED_ACE "}}";
+    cJSON *acl1 = cJSON_Parse(BASE_WIN_PERMS);
+    cJSON *acl2 = cJSON_Parse(CUSTOM_WIN_PERMS);
+
+    assert_non_null(acl1);
+    assert_non_null(acl2);
+
+    assert_false(compare_win_permissions(acl1, acl2));
+
+    cJSON_Delete(acl1);
+    cJSON_Delete(acl2);
+}
+
+/* attrs_to_json tests */
+static void test_attrs_to_json_single_attribute(void **state) {
+    char *input = "attribute";
+    cJSON *output;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    output = attrs_to_json(input);
+
+    *state = output;
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(output, 0));
+    assert_string_equal(string, "attribute");
+}
+
+static void test_attrs_to_json_multiple_attributes(void **state) {
+    char *input = "attr1, attr2, attr3";
+    cJSON *output;
+    char *attr1, *attr2, *attr3;
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    output = attrs_to_json(input);
+
+    *state = output;
+
+    attr1 = cJSON_GetStringValue(cJSON_GetArrayItem(output, 0));
+    attr2 = cJSON_GetStringValue(cJSON_GetArrayItem(output, 1));
+    attr3 = cJSON_GetStringValue(cJSON_GetArrayItem(output, 2));
+
+    assert_string_equal(attr1, "attr1");
+    assert_string_equal(attr2, "attr2");
+    assert_string_equal(attr3, "attr3");
+}
+
+static void test_attrs_to_json_unable_to_create_json_array(void **state)  {
+    char *input = "attr1, attr2, attr3";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateArray, NULL);
+
+    output = attrs_to_json(input);
+
+    *state = output;
+
+    assert_null(output);
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_attrs_to_json_null_attributes(void **state)  {
+    expect_assert_failure(attrs_to_json(NULL));
+}
+
+/* win_perm_to_json tests*/
+static void test_win_perm_to_json_all_permissions(void **state) {
+    char *input = "account (allowed): generic_read|generic_write|generic_execute|"
+        "generic_all|delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|"
+        "append_data|read_ea|write_ea|execute|read_attributes|write_attributes";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 1);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "account");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 17);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "GENERIC_ALL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "READ_CONTROL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 6));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 7));
+    assert_string_equal(string, "WRITE_OWNER");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 8));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 9));
+    assert_string_equal(string, "READ_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 10));
+    assert_string_equal(string, "WRITE_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 11));
+    assert_string_equal(string, "APPEND_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 12));
+    assert_string_equal(string, "READ_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 13));
+    assert_string_equal(string, "WRITE_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 14));
+    assert_string_equal(string, "EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 15));
+    assert_string_equal(string, "READ_ATTRIBUTES");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 16));
+    assert_string_equal(string, "WRITE_ATTRIBUTES");
+}
+
+static void test_win_perm_to_json_some_permissions(void **state) {
+    char *input = "account (allowed): generic_read|generic_execute|delete|"
+        "write_dac|synchronize|write_data|read_ea|execute|write_attributes";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 1);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "account");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 9);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "WRITE_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 6));
+    assert_string_equal(string, "READ_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 7));
+    assert_string_equal(string, "EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 8));
+    assert_string_equal(string, "WRITE_ATTRIBUTES");
+}
+
+static void test_win_perm_to_json_no_permissions(void **state) {
+    char *input = "account (allowed)";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_non_null(output);
+
+    const cJSON *ace = cJSON_GetArrayItem(output, 0);
+    assert_string_equal(cJSON_GetStringValue(cJSON_GetObjectItem(ace, "name")), "account");
+    assert_int_equal(cJSON_GetArraySize(cJSON_GetObjectItem(ace, "allowed")), 0);
+}
+
+static void test_win_perm_to_json_empty_permissions(void **state) {
+    char *input = "account (allowed):,";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_non_null(output);
+
+    const cJSON *ace = cJSON_GetArrayItem(output, 0);
+    assert_string_equal(cJSON_GetStringValue(cJSON_GetObjectItem(ace, "name")), "account");
+    assert_int_equal(cJSON_GetArraySize(cJSON_GetObjectItem(ace, "allowed")), 0);
+}
+
+static void test_win_perm_to_json_allowed_denied_permissions(void **state) {
+    char *input = "account (denied): generic_read|generic_write|generic_execute|"
+        "generic_all|delete|read_control|write_dac|write_owner, account (allowed): synchronize|read_data|write_data|"
+        "append_data|read_ea|write_ea|execute|read_attributes|write_attributes";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 1);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "account");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 8);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "GENERIC_ALL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "READ_CONTROL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 6));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 7));
+    assert_string_equal(string, "WRITE_OWNER");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 9);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "APPEND_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "READ_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "WRITE_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 6));
+    assert_string_equal(string, "EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 7));
+    assert_string_equal(string, "READ_ATTRIBUTES");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 8));
+    assert_string_equal(string, "WRITE_ATTRIBUTES");
+}
+
+static void test_win_perm_to_json_multiple_accounts(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,"
+        " first (denied): generic_all|delete|read_control|write_dac|write_owner,"
+        " second (allowed): synchronize|read_data|write_data,"
+        " third (denied): append_data|read_ea|write_ea|execute|read_attributes|write_attributes";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 3);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "first");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 5);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_ALL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "READ_CONTROL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "WRITE_OWNER");
+
+    user = cJSON_GetArrayItem(output, 1);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "second");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_DATA");
+
+    user = cJSON_GetArrayItem(output, 2);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "third");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 6);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "APPEND_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "READ_ATTRIBUTES");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "WRITE_ATTRIBUTES");
+}
+
+static void test_win_perm_to_json_malformed_permission_1(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,"
+        " first (denied): generic_all|delete|read_control|write_dac|write_owner,"
+        " second (allowed): synchronize|read_data|write_data,"
+        " third (denied): append_data|read_ea|write_ea|execute|read_attributes|write_attributes,"
+        " fourth ";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing the username from 'fourth '. Skipping permission.");
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 3);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "first");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 5);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_ALL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "READ_CONTROL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "WRITE_OWNER");
+
+    user = cJSON_GetArrayItem(output, 1);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "second");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_DATA");
+
+    user = cJSON_GetArrayItem(output, 2);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "third");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 6);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "APPEND_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_EA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "EXECUTE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "READ_ATTRIBUTES");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 5));
+    assert_string_equal(string, "WRITE_ATTRIBUTES");
+
+}
+
+static void test_win_perm_to_json_malformed_permission_2(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,"
+        " first (denied): generic_all|delete|read_control|write_dac|write_owner,"
+        " second (allowed): synchronize|read_data|write_data,"
+        " third (error,"
+        " fourth (denied): append_data|read_ea|write_ea|execute|read_attributes|write_attributes";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing the permission type from 'error'. Skipping permission.");
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 3);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "first");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+
+    permissions_array = cJSON_GetObjectItem(user, "denied");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 5);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_ALL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "DELETE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "READ_CONTROL");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 3));
+    assert_string_equal(string, "WRITE_DAC");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 4));
+    assert_string_equal(string, "WRITE_OWNER");
+
+    user = cJSON_GetArrayItem(output, 1);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "second");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "SYNCHRONIZE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "READ_DATA");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "WRITE_DATA");
+}
+
+static void test_win_perm_to_json_fragmented_acl(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,"
+        " first (allowed): generic_all|delete|read_control|write_dac|write_owner,";
+    cJSON *output;
+    cJSON *user, *permissions_array;
+    char *string;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 1);  // use real wstr_split
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "ACL [first (allowed): generic_read|generic_write|generic_execute, "
+        "first (allowed): generic_all|delete|read_control|write_dac|write_owner,] fragmented. All permissions may not be displayed.");
+
+    output = win_perm_to_json(input);
+
+    *state = output;
+
+    assert_int_equal(cJSON_GetArraySize(output), 1);
+
+    user = cJSON_GetArrayItem(output, 0);
+
+    string = cJSON_GetStringValue(cJSON_GetObjectItem(user, "name"));
+    assert_string_equal(string, "first");
+
+    permissions_array = cJSON_GetObjectItem(user, "allowed");
+    assert_int_equal(cJSON_GetArraySize(permissions_array), 3);
+
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 0));
+    assert_string_equal(string, "GENERIC_READ");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 1));
+    assert_string_equal(string, "GENERIC_WRITE");
+    string = cJSON_GetStringValue(cJSON_GetArrayItem(permissions_array, 2));
+    assert_string_equal(string, "GENERIC_EXECUTE");
+}
+
+// TODO: Validate this condition is required to be tested
+static void test_win_perm_to_json_null_input(void **state) {
+    expect_assert_failure(win_perm_to_json(NULL));
+}
+
+static void test_win_perm_to_json_unable_to_create_main_array(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateArray, NULL);
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+
+static void test_win_perm_to_json_unable_to_create_sub_array(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing a Windows permission from 'first (allowed): generic_read|generic_write|generic_execute,'.");
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+
+static void test_win_perm_to_json_unable_to_create_user_object(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateObject, NULL);
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing a Windows permission from 'first (allowed): generic_read|generic_write|generic_execute,'.");
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+
+static void test_win_perm_to_json_incorrect_permission_format(void **state) {
+    char *input = "This format is incorrect";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing the username from 'This format is incorrect'. Skipping permission.");
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+static void test_win_perm_to_json_incorrect_permission_format_2(void **state) {
+    char *input = "This format is incorrect (too";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing the permission type from 'too'. Skipping permission.");
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+
+static void test_win_perm_to_json_error_splitting_permissions(void **state) {
+    char *input = "first (allowed): generic_read|generic_write|generic_execute,";
+    cJSON *output;
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+    will_return(__wrap_cJSON_CreateArray, __real_cJSON_CreateArray());
+
+    will_return_always(__wrap_wstr_split, 0);  // fail to split string
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "Uncontrolled condition when parsing a Windows permission from 'first (allowed): generic_read|generic_write|generic_execute,'.");
+
+    output = win_perm_to_json(input);
+
+    assert_null(output);
+}
+
+#ifdef TEST_WINAGENT
+
+static void test_get_file_user_CreateFile_error_access_denied(void **state) {
+    char **array = *state;
+
+    expect_CreateFile_call("C:\\a\\path", INVALID_HANDLE_VALUE);
+
+    expect_GetLastError_call(ERROR_ACCESS_DENIED);
+
+    expect_FormatMessage_call("An error message");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "At get_user(C:\\a\\path): CreateFile(): An error message (5)");
+
+    expect_CloseHandle_call(INVALID_HANDLE_VALUE, 1);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+}
+
+static void test_get_file_user_CreateFile_error_sharing_violation(void **state) {
+    char **array = *state;
+
+    expect_CreateFile_call("C:\\a\\path", INVALID_HANDLE_VALUE);
+
+    expect_GetLastError_call(ERROR_SHARING_VIOLATION);
+
+    expect_FormatMessage_call("An error message");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "At get_user(C:\\a\\path): CreateFile(): An error message (32)");
+
+    expect_CloseHandle_call(INVALID_HANDLE_VALUE, 1);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+}
+
+static void test_get_file_user_CreateFile_error_generic(void **state) {
+    char **array = *state;
+
+    expect_CreateFile_call("C:\\a\\path", INVALID_HANDLE_VALUE);
+
+    expect_GetLastError_call(127);
+
+    expect_FormatMessage_call("An error message");
+
+    expect_string(__wrap__mwarn, formatted_msg, "At get_user(C:\\a\\path): CreateFile(): An error message (127)");
+
+    expect_CloseHandle_call(INVALID_HANDLE_VALUE, 1);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+}
+
+static void test_get_file_user_GetSecurityInfo_error(void **state) {
+    char **array = *state;
+    char error_msg[OS_SIZE_1024];
+
+    expect_CreateFile_call("C:\\a\\path", (HANDLE)1234);
+
+    expect_CloseHandle_call((HANDLE)1234, 1);
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"", ERROR_ACCESS_DENIED);
+
+    expect_ConvertSidToStringSid_call("", FALSE);
+
+    will_return(__wrap_win_strerror,"Access denied.");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "The user's SID could not be extracted.");
+
+    snprintf(error_msg,
+             OS_SIZE_1024,
+             "GetSecurityInfo error code = (%lu), 'Access denied.'",
+             ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug1, formatted_msg, error_msg);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+}
+
+static void test_get_file_user_LookupAccountSid_error(void **state) {
+    char **array = *state;
+
+    expect_CreateFile_call("C:\\a\\path", (HANDLE)1234);
+
+    expect_CloseHandle_call((HANDLE)1234, 1);
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("sid", TRUE);
+
+    expect_LookupAccountSid_call("", "domainname", FALSE);
+    expect_GetLastError_call(ERROR_ACCESS_DENIED);
+    expect_FormatMessage_call("Access is denied.");
+    expect_string(__wrap__mwarn, formatted_msg, "(6950): Error in LookupAccountSid getting user. (5): Access is denied.");
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+    assert_string_equal(array[1], "sid");
+}
+
+static void test_get_file_user_LookupAccountSid_error_none_mapped(void **state) {
+    char **array = *state;
+    char error_msg[OS_SIZE_1024];
+
+    expect_CreateFile_call("C:\\a\\path", (HANDLE)1234);
+
+    expect_CloseHandle_call((HANDLE)1234, 1);
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("sid", TRUE);
+
+    expect_LookupAccountSid_call("", "domainname", FALSE);
+    expect_GetLastError_call(ERROR_NONE_MAPPED);
+
+    snprintf(error_msg,
+             OS_SIZE_1024,
+             "Account owner not found for '%s'",
+             "C:\\a\\path");
+
+    expect_string(__wrap__mdebug1, formatted_msg, error_msg);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "");
+    assert_string_equal(array[1], "sid");
+}
+
+static void test_get_file_user_success(void **state) {
+    char **array = *state;
+
+    expect_CreateFile_call("C:\\a\\path", (HANDLE)1234);
+
+    expect_CloseHandle_call((HANDLE)1234, 1);
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("sid", TRUE);
+
+    expect_LookupAccountSid_call("accountName", "domainname", TRUE);
+
+    array[0] = get_file_user("C:\\a\\path", &array[1]);
+
+    assert_string_equal(array[0], "accountName");
+    assert_string_equal(array[1], "sid");
+}
+
+void test_w_get_account_info_LookupAccountSid_error_insufficient_buffer(void **state) {
+    char **array = *state;
+    int ret;
+    SID input;
+
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Name size
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Domain size
+    will_return(wrap_LookupAccountSid, 0);
+
+    will_return(wrap_GetLastError, ERROR_INVALID_NAME);
+    will_return(wrap_GetLastError, ERROR_INVALID_NAME);
+
+    ret = w_get_account_info(&input, &array[0], &array[1]);
+
+    assert_int_equal(ret, ERROR_INVALID_NAME);
+}
+
+void test_w_get_account_info_LookupAccountSid_error_second_call(void **state) {
+    char **array = *state;
+    int ret;
+    SID input;
+
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Name size
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Domain size
+    will_return(wrap_LookupAccountSid, 0);
+
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+
+    will_return(wrap_LookupAccountSid, "accountName");
+    will_return(wrap_LookupAccountSid, "domainName");
+    will_return(wrap_LookupAccountSid, 0);
+
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+
+    ret = w_get_account_info(&input, &array[0], &array[1]);
+
+    assert_int_equal(ret, ERROR_INSUFFICIENT_BUFFER);
+}
+
+void test_w_get_account_info_success(void **state) {
+    char **array = *state;
+    int ret;
+    SID input;
+
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Name size
+    will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Domain size
+    will_return(wrap_LookupAccountSid, 1);
+
+    will_return(wrap_LookupAccountSid, "accountName");
+    will_return(wrap_LookupAccountSid, "domainName");
+    will_return(wrap_LookupAccountSid, 1);
+
+    ret = w_get_account_info(&input, &array[0], &array[1]);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(array[0], "accountName");
+    assert_string_equal(array[1], "domainName");
+}
+
+void test_w_get_file_permissions_GetFileSecurity_error_on_size(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, 0);
+    will_return(wrap_GetFileSecurity, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_GetFileSecurity_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, NULL);
+    will_return(wrap_GetFileSecurity, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_create_cjson_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, NULL);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_CJSON_ERROR_CREATE_ITEM);
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, -1);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_GetSecurityDescriptorDacl_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, FALSE);
+    will_return(wrap_GetSecurityDescriptorDacl, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "GetSecurityDescriptorDacl failed. GetLastError returned: 5");
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_no_dacl(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, FALSE);
+    will_return(wrap_GetSecurityDescriptorDacl, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "No DACL was found (all access is denied), or a NULL DACL (unrestricted access) was found.");
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, -2);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_GetAclInformation_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, TRUE);
+    will_return(wrap_GetSecurityDescriptorDacl, (PACL)123456);
+    will_return(wrap_GetSecurityDescriptorDacl, 1);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "GetAclInformation failed. GetLastError returned: 5");
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_w_get_file_permissions_GetAce_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+    ACL_SIZE_INFORMATION acl_size = { .AceCount = 1 };
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, TRUE);
+    will_return(wrap_GetSecurityDescriptorDacl, (PACL)123456);
+    will_return(wrap_GetSecurityDescriptorDacl, 1);
+
+    will_return(wrap_GetAclInformation, &acl_size);
+    will_return(wrap_GetAclInformation, 1);
+
+    will_return(wrap_GetAce, NULL);
+    will_return(wrap_GetAce, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+    expect_string(__wrap__mdebug2, formatted_msg, "GetAce failed. GetLastError returned: 5");
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, 0);
+    assert_non_null(permissions);
+    cJSON_Delete(permissions);
+}
+
+void test_w_get_file_permissions_success(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+    ACL_SIZE_INFORMATION acl_size = {
+        .AceCount = 1,
+    };
+    ACCESS_ALLOWED_ACE ace = {
+        .Header.AceType = ACCESS_ALLOWED_ACE_TYPE,
+    };
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, TRUE);
+    will_return(wrap_GetSecurityDescriptorDacl, (PACL)123456);
+    will_return(wrap_GetSecurityDescriptorDacl, 1);
+
+    will_return(wrap_GetAclInformation, &acl_size);
+    will_return(wrap_GetAclInformation, 1);
+
+    will_return(wrap_GetAce, &ace);
+    will_return(wrap_GetAce, 1);
+
+    // Inside process_ace_info
+    {
+        will_return(wrap_IsValidSid, 1);
+
+        // Inside w_get_account_info
+        will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Name size
+        will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Domain size
+        will_return(wrap_LookupAccountSid, 1);
+
+        will_return(wrap_LookupAccountSid, "accountName");
+        will_return(wrap_LookupAccountSid, "domainName");
+        will_return(wrap_LookupAccountSid, 1);
+
+        expect_ConvertSidToStringSid_call(BASE_WIN_SID, TRUE);
+    }
+
+    // Inside add_ace_to_json
+    {
+        will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    }
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, 0);
+    assert_non_null(permissions);
+
+    cJSON *ace_json = cJSON_GetObjectItem(permissions, BASE_WIN_SID);
+    assert_non_null(ace_json);
+    assert_string_equal(cJSON_GetStringValue(cJSON_GetObjectItem(ace_json, "name")), "accountName");
+    assert_int_equal(cJSON_GetObjectItem(ace_json, "allowed")->valueint, 0);
+    assert_null(cJSON_GetObjectItem(ace_json, "denied"));
+
+    cJSON_Delete(permissions);
+}
+
+void test_w_get_file_permissions_process_ace_info_error(void **state) {
+    cJSON *permissions = NULL;
+    int ret;
+    SECURITY_DESCRIPTOR sec_desc;
+    ACL_SIZE_INFORMATION acl_size = {
+        .AceCount = 1,
+    };
+    ACCESS_ALLOWED_ACE ace = {
+        .Header.AceType = SYSTEM_AUDIT_ACE_TYPE,
+    };
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, OS_SIZE_1024);
+    will_return(wrap_GetFileSecurity, 1);
+
+    expect_string(wrap_GetFileSecurity, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileSecurity, &sec_desc);
+    will_return(wrap_GetFileSecurity, 1);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    will_return(wrap_GetSecurityDescriptorDacl, TRUE);
+    will_return(wrap_GetSecurityDescriptorDacl, (PACL)123456);
+    will_return(wrap_GetSecurityDescriptorDacl, 1);
+
+    will_return(wrap_GetAclInformation, &acl_size);
+    will_return(wrap_GetAclInformation, 1);
+
+    will_return(wrap_GetAce, &ace);
+    will_return(wrap_GetAce, 1);
+
+    // Inside process_ace_info
+    expect_string(__wrap__mdebug2, formatted_msg, "Invalid ACE type.");
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "ACE number 0 could not be processed.");
+
+    ret = w_get_file_permissions("C:\\a\\path", &permissions);
+
+    assert_int_equal(ret, 0);
+    assert_non_null(permissions);
+}
+
+void test_w_get_file_attrs_error(void **state) {
+    int ret;
+
+    expect_string(wrap_GetFileAttributesA, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileAttributesA, INVALID_FILE_ATTRIBUTES);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "The attributes for 'C:\\a\\path' could not be obtained. Error '5'.");
+
+    ret = w_get_file_attrs("C:\\a\\path");
+
+    assert_int_equal(ret, 0);
+}
+
+void test_w_get_file_attrs_success(void **state) {
+    int ret;
+
+    expect_string(wrap_GetFileAttributesA, lpFileName, "C:\\a\\path");
+    will_return(wrap_GetFileAttributesA, 123456);
+
+    ret = w_get_file_attrs("C:\\a\\path");
+
+    assert_int_equal(ret, 123456);
+}
+
+void test_w_directory_exists_null_path(void **state) {
+    unsigned int ret;
+
+    ret = w_directory_exists(NULL);
+
+    assert_null(ret);
+}
+
+void test_w_directory_exists_error_getting_attrs(void **state) {
+    unsigned int ret;
+
+    // Inside w_get_file_attrs
+    {
+        expect_string(wrap_GetFileAttributesA, lpFileName, "C:\\a\\path");
+        will_return(wrap_GetFileAttributesA, INVALID_FILE_ATTRIBUTES);
+
+        will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+        expect_string(__wrap__mdebug2, formatted_msg,
+            "The attributes for 'C:\\a\\path' could not be obtained. Error '5'.");
+    }
+
+    ret = w_directory_exists("C:\\a\\path");
+
+    assert_null(ret);
+}
+
+void test_w_directory_exists_path_is_not_dir(void **state) {
+    unsigned int ret;
+
+    // Inside w_get_file_attrs
+    {
+        expect_string(wrap_GetFileAttributesA, lpFileName, "C:\\a\\path");
+        will_return(wrap_GetFileAttributesA, FILE_ATTRIBUTE_NORMAL);
+    }
+
+    ret = w_directory_exists("C:\\a\\path");
+
+    assert_null(ret);
+}
+
+void test_w_directory_exists_path_is_dir(void **state) {
+    unsigned int ret;
+
+    // Inside w_get_file_attrs
+    {
+        expect_string(wrap_GetFileAttributesA, lpFileName, "C:\\a\\path");
+        will_return(wrap_GetFileAttributesA, FILE_ATTRIBUTE_DIRECTORY);
+    }
+
+    ret = w_directory_exists("C:\\a\\path");
+
+    assert_non_null(ret);
+}
+
+void test_get_registry_group_GetSecurityInfo_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    registry_group_information_t *group_information = *state;
+    char *group = group_information->name;
+    char *group_id = group_information->id;
+    char error_msg[OS_SIZE_1024];
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"", ERROR_ACCESS_DENIED);
+    expect_ConvertSidToStringSid_call("", TRUE);
+    will_return(__wrap_win_strerror, "Access denied.");
+
+    snprintf(error_msg,
+             OS_SIZE_1024,
+             "GetSecurityInfo error code = (%lu), 'Access denied.'",
+             ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug1, formatted_msg, error_msg);
+
+    group = get_registry_group(&group_id, hndl);
+
+    assert_string_equal(group, "");
+    assert_string_equal(group_id, "");
+}
+
+void test_get_registry_group_ConvertSidToStringSid_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    registry_group_information_t *group_information = *state;
+    char *group = group_information->name;
+    char *group_id = group_information->id;
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"groupid", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("dummy", FALSE);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "The user's SID could not be extracted.");
+
+    expect_LookupAccountSid_call("groupname", "domainname", TRUE);
+
+    group = get_registry_group(&group_id, hndl);
+
+    assert_string_equal(group, "groupname");
+    assert_string_equal(group_id, "");
+}
+
+void test_get_registry_group_LookupAccountSid_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    registry_group_information_t *group_information = *state;
+    char *group = group_information->name;
+    char *group_id = group_information->id;
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"groupid", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("groupid", TRUE);
+
+    expect_LookupAccountSid_call("", "domainname", FALSE);
+    expect_GetLastError_call(ERROR_ACCESS_DENIED);
+    expect_FormatMessage_call("Access is denied.");
+    expect_string(__wrap__mwarn, formatted_msg, "(6950): Error in LookupAccountSid getting group. (5): Access is denied.");
+
+    group = get_registry_group(&group_id, hndl);
+
+    assert_string_equal(group, "");
+    assert_string_equal(group_id, "groupid");
+}
+
+void test_get_registry_group_LookupAccountSid_not_found(void **state) {
+    HKEY hndl = (HKEY)123456;
+    registry_group_information_t *group_information = *state;
+    char *group = group_information->name;
+    char *group_id = group_information->id;
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"groupid", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("groupid", TRUE);
+
+    expect_LookupAccountSid_call("", "domainname", FALSE);
+    expect_GetLastError_call(ERROR_NONE_MAPPED);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Group not found for registry key");
+
+    group = get_registry_group(&group_id, hndl);
+
+    assert_string_equal(group, "");
+    assert_string_equal(group_id, "groupid");
+}
+
+void test_get_registry_group_success(void **state) {
+    HKEY hndl = (HKEY)123456;
+    registry_group_information_t *group_information = *state;
+    char *group = group_information->name;
+    char *group_id = group_information->id;
+
+    expect_GetSecurityInfo_call(NULL, (PSID)"groupid", ERROR_SUCCESS);
+
+    expect_ConvertSidToStringSid_call("groupid", TRUE);
+
+    expect_LookupAccountSid_call("groupname", "domainname", TRUE);
+
+    group = get_registry_group(&group_id, hndl);
+
+    assert_string_equal(group, "groupname");
+    assert_string_equal(group_id, "groupid");
+}
+
+void test_get_registry_permissions_RegGetKeySecurity_insufficient_buffer(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_ACCESS_DENIED);
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_get_registry_permissions_RegGetKeySecurity_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_ACCESS_DENIED);
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_ACCESS_DENIED);
+    assert_null(permissions);
+}
+
+void test_get_registry_permissions_GetSecurityDescriptorDacl_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_SUCCESS);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    expect_GetSecurityDescriptorDacl_call(TRUE, (PACL*)0, FALSE);
+
+    expect_GetLastError_call(ERROR_SUCCESS);
+    expect_string(__wrap__mdebug2, formatted_msg, "GetSecurityDescriptorDacl failed. GetLastError returned: 0");
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_SUCCESS);
+    assert_null(permissions);
+}
+
+void test_get_registry_permissions_GetSecurityDescriptorDacl_no_DACL(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+    char error_msg[OS_SIZE_1024];
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_SUCCESS);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    expect_GetSecurityDescriptorDacl_call(TRUE, (PACL*)0, TRUE);
+
+    snprintf(error_msg,
+             OS_SIZE_1024,
+             "%s",
+             "No DACL was found (all access is denied), or a NULL DACL (unrestricted access) was found.");
+
+    expect_string(__wrap__mdebug2, formatted_msg, error_msg);
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_not_equal(retval, ERROR_SUCCESS);
+    assert_null(permissions);
+}
+
+void test_get_registry_permissions_GetAclInformation_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_SUCCESS);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    expect_GetSecurityDescriptorDacl_call(TRUE, (PACL*)4321, TRUE);
+
+    expect_GetAclInformation_call(NULL, FALSE);
+
+    expect_GetLastError_call(ERROR_SUCCESS);
+    expect_string(__wrap__mdebug2, formatted_msg, "GetAclInformation failed. GetLastError returned: 0");
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_SUCCESS);
+    assert_null(permissions);
+}
+
+void test_get_registry_permissions_GetAce_fails(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+    ACL_SIZE_INFORMATION acl_size = { .AceCount = 1 };
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_SUCCESS);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    expect_GetSecurityDescriptorDacl_call(TRUE, (PACL*)4321, TRUE);
+
+    expect_GetAclInformation_call(&acl_size, TRUE);
+
+    expect_GetAce_call(NULL, FALSE);
+
+    expect_GetLastError_call(ERROR_SUCCESS);
+    expect_string(__wrap__mdebug2, formatted_msg, "GetAce failed. GetLastError returned: 0");
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_SUCCESS);
+    assert_non_null(permissions);
+}
+
+void test_get_registry_permissions_success(void **state) {
+    HKEY hndl = (HKEY)123456;
+    unsigned int retval = 0;
+    cJSON *permissions = NULL;
+    ACL_SIZE_INFORMATION acl_size = { .AceCount = 1 };
+    ACCESS_ALLOWED_ACE ace = {
+        .Header.AceType = ACCESS_ALLOWED_ACE_TYPE,
+    };
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_INSUFFICIENT_BUFFER);
+
+    expect_RegGetKeySecurity_call((LPDWORD)120, ERROR_SUCCESS);
+
+    will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+
+    expect_GetSecurityDescriptorDacl_call(TRUE, (PACL*)4321, TRUE);
+
+    expect_GetAclInformation_call(&acl_size, TRUE);
+
+    expect_GetAce_call((LPVOID*)&ace, TRUE);
+
+    // Inside process_ace_info
+    {
+        will_return(wrap_IsValidSid, 1);
+
+        // Inside w_get_account_info
+        will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Name size
+        will_return(wrap_LookupAccountSid, OS_SIZE_1024);   // Domain size
+        will_return(wrap_LookupAccountSid, 1);
+
+        will_return(wrap_LookupAccountSid, "accountName");
+        will_return(wrap_LookupAccountSid, "domainName");
+        will_return(wrap_LookupAccountSid, 1);
+
+        expect_ConvertSidToStringSid_call(BASE_WIN_SID, TRUE);
+
+        will_return(__wrap_cJSON_CreateObject, __real_cJSON_CreateObject());
+    }
+
+    retval = get_registry_permissions(hndl, &permissions);
+
+    assert_int_equal(retval, ERROR_SUCCESS);
+    assert_non_null(permissions);
+
+    cJSON *ace_json = cJSON_GetObjectItem(permissions, BASE_WIN_SID);
+    assert_non_null(ace_json);
+    assert_string_equal(cJSON_GetStringValue(cJSON_GetObjectItem(ace_json, "name")), "accountName");
+    assert_int_equal(cJSON_GetObjectItem(ace_json, "allowed")->valueint, 0);
+    assert_null(cJSON_GetObjectItem(ace_json, "denied"));
+
+    cJSON_Delete(permissions);
+}
+
+void test_get_registry_mtime_RegQueryInfoKeyA_fails(void **state) {
+    FILETIME last_write_time;
+    unsigned int retval = 0;
+    HKEY hndl = (HKEY)123456;
+
+    expect_RegQueryInfoKeyA_call(&last_write_time, ERROR_MORE_DATA);
+
+    expect_string(__wrap__mwarn, formatted_msg, "Couldn't get modification time for registry key.");
+
+    retval = get_registry_mtime(hndl);
+
+    assert_int_equal(retval, 0);
+}
+
+void test_get_registry_mtime_success(void **state) {
+    FILETIME last_write_time;
+    unsigned int retval = 0;
+    HKEY hndl = (HKEY)123456;
+
+    expect_RegQueryInfoKeyA_call(&last_write_time, ERROR_SUCCESS);
+
+    retval = get_registry_mtime(hndl);
+
+    assert_int_not_equal(retval, 0);
+}
+
+void test_get_subkey(void **state)
+{
+    char* test_vector_path[4] = {
+        "HKEY_SOMETHING\\*\\A",
+        "HKEY_SOMETHING\\A\\B\\*",
+        "HKEY_SOMETHING\\A?",
+        "HKEY_SOMETHING\\A\\B\\C?"
+    };
+
+    char* expected_subkey[4] = {
+        "",
+        "A\\B",
+        "",
+        "A\\B"
+    };
+
+    for (int scenario = 0; scenario < 4; scenario++) {
+        char* result_function = get_subkey(test_vector_path[scenario]);
+        assert_string_equal(result_function, expected_subkey[scenario]);
+    }
+}
+
+void test_w_is_still_a_wildcard(void **state) {
+    int ret;
+    reg_path_struct** test_reg;
+    int has_wildcard_vec[4] = {0, 1, 1, 0};
+    int checked_vec[4] = {0, 1, 0, 1};
+    int expected_result[4] = {0, 0, 1, 0};
+
+    test_reg    = (reg_path_struct**)calloc(2, sizeof(reg_path_struct*));
+    test_reg[0] = (reg_path_struct*)calloc(1, sizeof(reg_path_struct));
+    test_reg[1] = NULL;
+
+    for(int scenario = 0; scenario < 4; scenario++) {
+        test_reg[0]->has_wildcard = has_wildcard_vec[scenario];
+        test_reg[0]->checked = checked_vec[scenario];
+        ret = w_is_still_a_wildcard(test_reg);
+        assert_int_equal(expected_result[scenario], ret);
+    }
+
+    os_free(test_reg[0]);
+    os_free(test_reg);
+}
+
+void test_w_list_all_keys_subkey_notnull(void** state) {
+    HKEY root_key = HKEY_LOCAL_MACHINE;
+    HKEY keyhandle;
+    FILETIME last_write_time = { 0, 1000 };
+
+    char* subkey = "HARDWARE";
+    char* result[4] = {
+        "ACPI",
+        "DESCRIPTION",
+        "DEVICEMAP",
+        "RESOURCEMAP"
+    };
+
+    expect_RegOpenKeyEx_call(root_key, subkey, 0, KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(4, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("ACPI", 5, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("DESCRIPTION", 12, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("DEVICEMAP", 10, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("RESOURCEMAP", 12, ERROR_SUCCESS);
+
+    char** query_result = w_list_all_keys(root_key, subkey);
+
+    for (int idx = 0; idx < 4; idx++) {
+        assert_string_equal(query_result[idx], result[idx]);
+        os_free(query_result[idx]);
+    }
+}
+
+void test_w_list_all_keys_subkey_null(void** state) {
+    HKEY root_key = HKEY_LOCAL_MACHINE;
+    HKEY keyhandle;
+    FILETIME last_write_time = { 0, 1000 };
+
+    char* subkey = "";
+    char* result[6] = {
+        "BCD00000000",
+        "HARDWARE",
+        "SAM",
+        "SECURITY",
+        "SOFTWARE",
+        "SYSTEM",
+    };
+
+    expect_RegOpenKeyEx_call(root_key, subkey, 0, KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(6, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("BCD00000000", 12, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("HARDWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SAM", 4, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SECURITY", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SOFTWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SYSTEM", 7, ERROR_SUCCESS);
+
+    char** query_result = w_list_all_keys(root_key, subkey);
+
+    for (int idx = 0; idx < 6; idx++) {
+        assert_string_equal(query_result[idx], result[idx]);
+        os_free(query_result[idx]);
+    }
+}
+
+void test_w_switch_root_key(void** state) {
+    char* root_key_valid_lm = "HKEY_LOCAL_MACHINE";
+    char* root_key_valid_cr = "HKEY_CLASSES_ROOT";
+    char* root_key_valid_cc = "HKEY_CURRENT_CONFIG";
+    char* root_key_valid_us = "HKEY_USERS";
+    char* root_key_valid_cu = "HKEY_CURRENT_USER";
+
+    char* root_key_invalid  = "HKEY_SOMETHING";
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    HKEY ret;
+
+    ret = w_switch_root_key(root_key_valid_lm);
+    assert_int_equal(ret, HKEY_LOCAL_MACHINE);
+
+    ret = w_switch_root_key(root_key_valid_cr);
+    assert_int_equal(ret, HKEY_CLASSES_ROOT);
+
+    ret = w_switch_root_key(root_key_valid_cc);
+    assert_int_equal(ret, HKEY_CURRENT_CONFIG);
+
+    ret = w_switch_root_key(root_key_valid_us);
+    assert_int_equal(ret, HKEY_USERS);
+
+    ret = w_switch_root_key(root_key_valid_cu);
+    assert_int_equal(ret, HKEY_CURRENT_USER);
+
+    ret = w_switch_root_key(root_key_invalid);
+    assert_null(ret);
+}
+
+void test_expand_wildcard_registers_star_only(void **state){
+    char* entry     = "HKEY_LOCAL_MACHINE\\*";
+    char** paths    = NULL;
+    os_calloc(OS_SIZE_1024, sizeof(char*), paths);
+    char* subkey    = "";
+    HKEY root_key   = HKEY_LOCAL_MACHINE;
+
+    char* result[6] = {
+        "HKEY_LOCAL_MACHINE\\BCD00000000",
+        "HKEY_LOCAL_MACHINE\\HARDWARE",
+        "HKEY_LOCAL_MACHINE\\SAM",
+        "HKEY_LOCAL_MACHINE\\SECURITY",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE",
+        "HKEY_LOCAL_MACHINE\\SYSTEM",
+    };
+
+    HKEY keyhandle;
+    FILETIME last_write_time = { 0, 1000 };
+
+    expect_RegOpenKeyEx_call(root_key, subkey, 0, KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(6, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("BCD00000000", 12, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("HARDWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SAM", 4, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SECURITY", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SOFTWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SYSTEM", 7, ERROR_SUCCESS);
+
+    expand_wildcard_registers(entry, paths);
+
+    int i = 0;
+    while(*paths != NULL){
+        assert_string_equal(*paths, result[i]);
+        os_free(*paths);
+        paths++;
+        i++;
+    }
+}
+
+void test_expand_wildcard_registers_invalid_path(void **state){
+    char* entry     = "HKEY_LOCAL_MACHINE\\????";
+    char** paths    = NULL;
+    os_calloc(OS_SIZE_1024, sizeof(char*), paths);
+    char* subkey    = "";
+    HKEY root_key   = HKEY_LOCAL_MACHINE;
+
+    FILETIME last_write_time = { 0, 1000 };
+
+    expect_RegOpenKeyEx_call(root_key, subkey, 0, KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(6, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("BCD00000000", 12, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("HARDWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SAM", 4, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SECURITY", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SOFTWARE", 9, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("SYSTEM", 7, ERROR_SUCCESS);
+
+    expand_wildcard_registers(entry, paths);
+
+    assert_null(*paths);
+    os_free(paths);
+
+}
+
+#endif
+
+
+int main(int argc, char *argv[]) {
+    const struct CMUnitTest tests[] = {
+        /* escape_syscheck_field tests */
+        cmocka_unit_test_teardown(test_escape_syscheck_field_escape_all, teardown_string),
+        cmocka_unit_test_teardown(test_escape_syscheck_field_null_input, teardown_string),
+
+        /* normalize_path tests */
+        cmocka_unit_test_teardown(test_normalize_path_success, teardown_string),
+        cmocka_unit_test_teardown(test_normalize_path_linux_dir, teardown_string),
+        cmocka_unit_test(test_normalize_path_null_input),
+
+        /* remove_empty_folders tests */
+        cmocka_unit_test(test_remove_empty_folders_success),
+        cmocka_unit_test(test_remove_empty_folders_recursive_success),
+        cmocka_unit_test(test_remove_empty_folders_null_input),
+        cmocka_unit_test(test_remove_empty_folders_relative_path),
+        cmocka_unit_test(test_remove_empty_folders_absolute_path),
+        cmocka_unit_test(test_remove_empty_folders_non_empty_dir),
+        cmocka_unit_test(test_remove_empty_folders_error_removing_dir),
+
+#if defined(TEST_SERVER)
+        /* sk_decode_sum tests */
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_decode, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_deleted_file, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_perm, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_missing_separator, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_uid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_gid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_md5, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_sha1, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_new_fields, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_win_perm_string, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_win_perm_encoded, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_gname, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_uname, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_mtime, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_inode, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_sha256, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_empty_sha256, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_no_attributes, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_non_numeric_attributes, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_win_encoded_attributes, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_empty, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_user_name, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_group_id, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_group_name, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_process_name, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_audit_uid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_audit_name, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_effective_uid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_effective_name, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_ppid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_process_id, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_tag, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_symbolic_path, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_no_inode, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_all_fields, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_all_fields_silent, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_null_ppid, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_null_sum, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_sum_extra_data_null_c_sum, setup_sk_decode, teardown_sk_decode),
+
+        /* sk_decode_extradata tests */
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_null_sum, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_null_c_sum, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_no_changes, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_no_date_alert, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_no_sym_path, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_decode_extradata_all_fields, setup_sk_decode, teardown_sk_decode),
+
+        /* sk_fill_event tests */
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_full_event, setup_sk_fill_event, teardown_sk_fill_event),
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_empty_event, setup_sk_fill_event, teardown_sk_fill_event),
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_win_perm, setup_sk_fill_event, teardown_sk_fill_event),
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_null_eventinfo, setup_sk_fill_event, teardown_sk_fill_event),
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_null_f_name, setup_sk_fill_event, teardown_sk_fill_event),
+        cmocka_unit_test_setup_teardown(test_sk_fill_event_null_sum, setup_sk_fill_event, teardown_sk_fill_event),
+
+        /* sk_build_sum tests */
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_full_message, setup_sk_build_sum, teardown_sk_build_sum),
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_skip_fields_message, setup_sk_build_sum, teardown_sk_build_sum),
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_win_perm, setup_sk_build_sum, teardown_sk_build_sum),
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_insufficient_buffer_size, setup_sk_build_sum, teardown_sk_build_sum),
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_null_sum, setup_sk_build_sum, teardown_sk_build_sum),
+        cmocka_unit_test_setup_teardown(test_sk_build_sum_null_output, setup_sk_build_sum, teardown_sk_build_sum),
+
+        /* sk_sum_clean tests */
+        cmocka_unit_test_setup_teardown(test_sk_sum_clean_full_message, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_sum_clean_shortest_valid_message, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_sum_clean_invalid_message, setup_sk_decode, teardown_sk_decode),
+        cmocka_unit_test_setup_teardown(test_sk_sum_clean_null_sum, setup_sk_decode, teardown_sk_decode),
+#endif
+#ifndef TEST_WINAGENT
+        /* unescape_syscheck_field tests */
+        cmocka_unit_test_setup_teardown(test_unescape_syscheck_field_escaped_chars, setup_unescape_syscheck_field, teardown_unescape_syscheck_field),
+        cmocka_unit_test_setup_teardown(test_unescape_syscheck_field_no_escaped_chars, setup_unescape_syscheck_field, teardown_unescape_syscheck_field),
+        cmocka_unit_test_setup_teardown(test_unescape_syscheck_null_input, setup_unescape_syscheck_field, teardown_unescape_syscheck_field),
+        cmocka_unit_test_setup_teardown(test_unescape_syscheck_empty_string, setup_unescape_syscheck_field, teardown_unescape_syscheck_field),
+
+        /* get_user tests */
+        cmocka_unit_test_teardown(test_get_user_success, teardown_string),
+        cmocka_unit_test_teardown(test_get_user_uid_not_found, teardown_string),
+        cmocka_unit_test_teardown(test_get_user_error, teardown_string),
+
+        /* get_group tests */
+        cmocka_unit_test(test_get_group_success),
+        cmocka_unit_test(test_get_group_no_group),
+
+        /* ag_send_syscheck tests */
+        cmocka_unit_test(test_ag_send_syscheck_success),
+        cmocka_unit_test(test_ag_send_syscheck_unable_to_connect),
+        cmocka_unit_test(test_ag_send_syscheck_error_sending_message),
+#else
+        cmocka_unit_test(test_get_group),
+        cmocka_unit_test(test_ag_send_syscheck),
+#endif
+
+        /* decode_win_attributes tests */
+        cmocka_unit_test(test_decode_win_attributes_all_attributes),
+        cmocka_unit_test(test_decode_win_attributes_no_attributes),
+        cmocka_unit_test(test_decode_win_attributes_some_attributes),
+
+        /* decode_win_acl_json */
+        cmocka_unit_test(test_decode_win_acl_json_null_json),
+        cmocka_unit_test_teardown(test_decode_win_acl_fail_creating_object, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_allowed_ace_only, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_denied_ace_only, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_both_ace_types, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_empty_acl, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_empty_ace, teardown_cjson),
+        cmocka_unit_test_teardown(test_decode_win_acl_json_multiple_aces, teardown_cjson),
+
+        /* decode_win_permissions tests */
+        cmocka_unit_test_teardown(test_decode_win_permissions_success_all_permissions, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_success_no_permissions, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_success_some_permissions, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_success_multiple_accounts, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_fail_no_account_name, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_fail_no_access_type, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_fail_wrong_format, teardown_string),
+        cmocka_unit_test_teardown(test_decode_win_permissions_overrun_inner_buffer, teardown_string),
+
+        /* compare_win_permissions */
+        cmocka_unit_test(test_compare_win_permissions_equal_acls),
+        cmocka_unit_test(test_compare_win_permissions_null_acl1),
+        cmocka_unit_test(test_compare_win_permissions_null_acl2),
+        cmocka_unit_test(test_compare_win_permissions_both_acls_null),
+        cmocka_unit_test(test_compare_win_permissions_acl1_larger_than_acl2),
+        cmocka_unit_test(test_compare_win_permissions_acl2_larger_than_acl1),
+        cmocka_unit_test(test_compare_win_permissions_different_entries),
+        cmocka_unit_test(test_compare_win_permissions_no_allowed_ace),
+        cmocka_unit_test(test_compare_win_permissions_no_allowed_ace1),
+        cmocka_unit_test(test_compare_win_permissions_no_allowed_ace2),
+        cmocka_unit_test(test_compare_win_permissions_no_denied_ace),
+        cmocka_unit_test(test_compare_win_permissions_no_denied_ace1),
+        cmocka_unit_test(test_compare_win_permissions_no_denied_ace2),
+        cmocka_unit_test(test_compare_win_permissions_different_allowed_ace),
+        cmocka_unit_test(test_compare_win_permissions_different_denied_ace),
+
+        /* attrs_to_json tests */
+        cmocka_unit_test_teardown(test_attrs_to_json_single_attribute, teardown_cjson),
+        cmocka_unit_test_teardown(test_attrs_to_json_multiple_attributes, teardown_cjson),
+        cmocka_unit_test_teardown(test_attrs_to_json_unable_to_create_json_array, teardown_cjson),
+        cmocka_unit_test_teardown(test_attrs_to_json_null_attributes, teardown_cjson),
+
+        /* win_perm_to_json tests*/
+        cmocka_unit_test_teardown(test_win_perm_to_json_all_permissions, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_some_permissions, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_no_permissions, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_empty_permissions, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_allowed_denied_permissions, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_multiple_accounts, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_malformed_permission_1, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_malformed_permission_2, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_fragmented_acl, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_null_input, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_unable_to_create_main_array, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_unable_to_create_sub_array, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_unable_to_create_user_object, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_incorrect_permission_format, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_incorrect_permission_format_2, teardown_cjson),
+        cmocka_unit_test_teardown(test_win_perm_to_json_error_splitting_permissions, teardown_cjson),
+
+#ifdef TEST_WINAGENT
+        /* get_file_user tests */
+        cmocka_unit_test_setup_teardown(test_get_file_user_CreateFile_error_access_denied, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_CreateFile_error_sharing_violation, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_CreateFile_error_generic, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_GetSecurityInfo_error, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_LookupAccountSid_error, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_LookupAccountSid_error_none_mapped, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_get_file_user_success, setup_string_array, teardown_string_array),
+
+        /* w_get_account_info tests */
+        cmocka_unit_test_setup_teardown(test_w_get_account_info_LookupAccountSid_error_insufficient_buffer, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_w_get_account_info_LookupAccountSid_error_second_call, setup_string_array, teardown_string_array),
+        cmocka_unit_test_setup_teardown(test_w_get_account_info_success, setup_string_array, teardown_string_array),
+
+        /* w_get_file_permissions tests */
+        cmocka_unit_test(test_w_get_file_permissions_GetFileSecurity_error_on_size),
+        cmocka_unit_test(test_w_get_file_permissions_GetFileSecurity_error),
+        cmocka_unit_test(test_w_get_file_permissions_create_cjson_error),
+        cmocka_unit_test(test_w_get_file_permissions_GetSecurityDescriptorDacl_error),
+        cmocka_unit_test(test_w_get_file_permissions_no_dacl),
+        cmocka_unit_test(test_w_get_file_permissions_GetAclInformation_error),
+        cmocka_unit_test(test_w_get_file_permissions_GetAce_error),
+        cmocka_unit_test(test_w_get_file_permissions_success),
+        cmocka_unit_test(test_w_get_file_permissions_process_ace_info_error),
+
+        /* w_get_file_attrs tests */
+        cmocka_unit_test(test_w_get_file_attrs_error),
+        cmocka_unit_test(test_w_get_file_attrs_success),
+
+        /* w_directory_exists tests */
+        cmocka_unit_test(test_w_directory_exists_null_path),
+        cmocka_unit_test(test_w_directory_exists_error_getting_attrs),
+        cmocka_unit_test(test_w_directory_exists_path_is_not_dir),
+        cmocka_unit_test(test_w_directory_exists_path_is_dir),
+
+        /* get_registry_group tests */
+        cmocka_unit_test_setup_teardown(test_get_registry_group_GetSecurityInfo_fails, setup_get_registry_group, teardown_get_registry_group),
+        cmocka_unit_test_setup_teardown(test_get_registry_group_ConvertSidToStringSid_fails, setup_get_registry_group, teardown_get_registry_group),
+        cmocka_unit_test_setup_teardown(test_get_registry_group_LookupAccountSid_fails, setup_get_registry_group, teardown_get_registry_group),
+        cmocka_unit_test_setup_teardown(test_get_registry_group_LookupAccountSid_not_found, setup_get_registry_group, teardown_get_registry_group),
+        cmocka_unit_test_setup_teardown(test_get_registry_group_success, setup_get_registry_group, teardown_get_registry_group),
+
+
+        /* get_registry_permissions tests */
+        cmocka_unit_test(test_get_registry_permissions_RegGetKeySecurity_insufficient_buffer),
+        cmocka_unit_test(test_get_registry_permissions_RegGetKeySecurity_fails),
+        cmocka_unit_test(test_get_registry_permissions_GetSecurityDescriptorDacl_fails),
+        cmocka_unit_test(test_get_registry_permissions_GetSecurityDescriptorDacl_no_DACL),
+        cmocka_unit_test(test_get_registry_permissions_GetAclInformation_fails),
+        cmocka_unit_test(test_get_registry_permissions_GetAce_fails),
+        cmocka_unit_test(test_get_registry_permissions_success),
+
+        /* get_registry_mtime tests */
+        cmocka_unit_test(test_get_registry_mtime_RegQueryInfoKeyA_fails),
+        cmocka_unit_test(test_get_registry_mtime_success),
+
+        /* expand_wildcard_register */
+        cmocka_unit_test(test_get_subkey),
+        cmocka_unit_test(test_w_is_still_a_wildcard),
+        cmocka_unit_test(test_w_list_all_keys_subkey_notnull),
+        cmocka_unit_test(test_w_list_all_keys_subkey_null),
+        cmocka_unit_test(test_w_switch_root_key),
+        cmocka_unit_test(test_expand_wildcard_registers_star_only),
+        cmocka_unit_test(test_expand_wildcard_registers_invalid_path),
+#endif
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.c b/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.c
new file mode 100644
index 0000000000..635f395c40
--- /dev/null
+++ b/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.c
@@ -0,0 +1,129 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "syscheck_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include "shared.h"
+
+char *__wrap_decode_win_permissions(char *raw_perm) {
+    check_expected(raw_perm);
+    return mock_type(char*);
+}
+
+void __wrap_decode_win_acl_json(cJSON *perms) {
+    check_expected(perms);
+    return;
+}
+
+int __wrap_delete_target_file(const char *path) {
+    check_expected(path);
+    return mock();
+}
+
+char *__wrap_get_group(int gid) {
+    check_expected(gid);
+    return mock_type(char*);
+}
+
+#ifndef WIN32
+char *__wrap_get_user(int uid) {
+    check_expected(uid);
+
+    return mock_type(char*);
+}
+#else
+char *__wrap_get_user(const char *path, char **sid) {
+    check_expected(path);
+    *sid = mock_type(char*);
+
+    return mock_type(char*);
+}
+
+char *__wrap_get_file_user(const char *path, char **sid) {
+    check_expected(path);
+    *sid = mock_type(char *);
+
+    return mock_type(char *);
+}
+
+#endif
+
+unsigned int __wrap_w_directory_exists(const char *path) {
+    check_expected(path);
+    return mock();
+}
+
+unsigned int __wrap_w_get_file_attrs(const char *file_path) {
+    check_expected(file_path);
+    return mock();
+}
+
+int __wrap_w_get_file_permissions(const char *file_path, cJSON **output_acl) {
+    check_expected(file_path);
+
+    assert_non_null(output_acl);
+
+    *output_acl = mock_type(cJSON *);
+
+    return mock();
+}
+
+int __wrap_remove_empty_folders(const char *folder) {
+    check_expected(folder);
+    return mock();
+}
+
+void expect_get_group(int gid, char *ret) {
+    expect_value(__wrap_get_group, gid, gid);
+    will_return(__wrap_get_group, ret);
+}
+
+#ifdef WIN32
+void expect_get_user(const char *path, char **sid, char *user) {
+    expect_string(__wrap_get_user, path, path);
+    will_return(__wrap_get_user, sid);
+    will_return(__wrap_get_user, user);
+}
+
+void expect_get_file_user(const char *path, char *sid, char *user) {
+    expect_string(__wrap_get_file_user, path, path);
+    will_return(__wrap_get_file_user, sid);
+    will_return(__wrap_get_file_user, user);
+}
+
+void expect_w_get_file_permissions(const char *file_path, cJSON *perms, int ret) {
+    expect_string(__wrap_w_get_file_permissions, file_path, file_path);
+    will_return(__wrap_w_get_file_permissions, perms);
+    will_return(__wrap_w_get_file_permissions, ret);
+}
+
+DWORD __wrap_get_registry_permissions(__attribute__((unused)) HKEY hndl, cJSON **output_acl) {
+    assert_non_null(output_acl);
+
+    *output_acl = mock_type(cJSON *);
+
+    return mock();
+}
+
+void expect_get_registry_permissions(cJSON *permissions, DWORD retval) {
+    will_return(__wrap_get_registry_permissions, permissions);
+    will_return(__wrap_get_registry_permissions, retval);
+}
+
+#else
+
+void expect_get_user(int uid, char *ret) {
+    expect_value(__wrap_get_user, uid, uid);
+    will_return(__wrap_get_user, ret);
+}
+#endif
diff --git a/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.h b/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.h
new file mode 100644
index 0000000000..21c0238b32
--- /dev/null
+++ b/src/common/syscheck_op/tests/unit/wrappers/syscheck_op_wrappers.h
@@ -0,0 +1,83 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSCHECK_OP_WRAPPERS_H
+#define SYSCHECK_OP_WRAPPERS_H
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+#endif // WIN32
+
+#include <cJSON.h>
+
+char *__wrap_decode_win_permissions(char *raw_perm);
+
+void __wrap_decode_win_acl_json(cJSON *perms);
+
+int __wrap_delete_target_file(const char *path);
+
+char *__wrap_get_group(int gid);
+
+#ifndef WIN32
+char *__wrap_get_user(int uid);
+#else
+char *__wrap_get_user(const char *path, char **sid);
+
+char *__wrap_get_file_user(const char *path, char **sid);
+#endif
+
+unsigned int __wrap_w_directory_exists(const char *path);
+
+unsigned int __wrap_w_get_file_attrs(const char *file_path);
+
+int __wrap_w_get_file_permissions(const char *file_path, cJSON **output_acl);
+
+int __wrap_remove_empty_folders(const char *folder);
+
+#ifdef WIN32
+/**
+ * @brief This function loads the expect and will return of the function get_user
+ */
+void expect_get_user(const char *path, char **sid, char *user);
+
+/**
+ * @brief This function loads the expect and will return of the function get_user
+ */
+void expect_get_file_user(const char *path, char *sid, char *user);
+
+/**
+ * @brief This function loads the expect and will return of the function w_get_file_permissions
+ */
+void expect_w_get_file_permissions(const char *file_path, cJSON *perms, int ret);
+
+/**
+ * @brief Mock calls to get_registry_permissions
+ */
+DWORD __wrap_get_registry_permissions(__attribute__((unused)) HKEY hndl, cJSON **output_acl);
+
+/**
+ * @brief This function loads the expect and will return of the function get_registry_permissions
+ */
+void expect_get_registry_permissions(cJSON *permissions, DWORD retval);
+
+#else
+/**
+ * @brief This function loads the expect and will return of the function get_user
+ */
+void expect_get_user(int uid, char *ret);
+#endif /*WIN32*/
+
+/**
+ * @brief This function loads the expect and will return of the function get_group
+ */
+void expect_get_group(int gid, char *ret);
+
+#endif /*SYSCHECK_OP_WRAPPERS_H*/
diff --git a/src/modules/ms_graph/include/ms_graph.h b/src/common/sysinfo_utils/CMakeLists.txt
similarity index 100%
rename from src/modules/ms_graph/include/ms_graph.h
rename to src/common/sysinfo_utils/CMakeLists.txt
diff --git a/src/common/sysinfo_utils/include/sysinfo_utils.h b/src/common/sysinfo_utils/include/sysinfo_utils.h
new file mode 100644
index 0000000000..d00a43cb38
--- /dev/null
+++ b/src/common/sysinfo_utils/include/sysinfo_utils.h
@@ -0,0 +1,77 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYSINFO_UTILS_H_
+#define SYSINFO_UTILS_H_
+
+#include "../data_provider/include/sysInfo.h"
+#include "shared.h"
+
+/**
+ * @brief Store helpers to execute stateless requests to SysInfo
+ *
+ */
+typedef struct {
+    void * module;                        ///< Opaque reference to sysinfo library
+    sysinfo_processes_func processes;     ///< `sysinfo_processes` helper
+    sysinfo_free_result_func free_result; ///< `sysinfo_free_result` helper
+    sysinfo_os_func os;                   ///< `sysinfo_os_func` helper
+} w_sysinfo_helpers_t;
+
+/**
+ * @brief Initialize Sysinfo library and helpers
+ *
+ * @param sysinfo struct to store helpers references
+ * @return true on success. false otherwise
+ */
+bool w_sysinfo_init(w_sysinfo_helpers_t * sysinfo);
+
+/**
+ * @brief Release Sysinfo library and helpers resources
+ *
+ * @param sysinfo struct that store helpers references
+ * @return true on success. false otherwise
+ */
+bool w_sysinfo_deinit(w_sysinfo_helpers_t * sysinfo);
+
+/**
+ * @brief Get all processes information
+ *
+ * @param sysinfo sysinfo helpers reference
+ * @return cJSON* list of cJSON objects containing all processes information. NULL otherwise
+ */
+cJSON * w_sysinfo_get_processes(w_sysinfo_helpers_t * sysinfo);
+
+/**
+ * @brief Get OS information
+ *
+ * @param sysinfo sysinfo helpers reference
+ * @return cJSON* cJSON object containing OS information. NULL otherwise
+ */
+cJSON * w_sysinfo_get_os(w_sysinfo_helpers_t * sysinfo);
+
+/**
+ * @brief Get array of child processes
+ *
+ * @param sysinfo sysinfo helpers to be used
+ * @param parent_pid parent process pid
+ * @param max_count max count of processes to find. Zero to find all you can
+ * @return pid_t* zero-terminated array of child processes. NULL if no children were found
+ */
+pid_t * w_get_process_childs(w_sysinfo_helpers_t * sysinfo, pid_t parent_pid, unsigned int max_count);
+
+/**
+ * @brief Get OS codename
+ *
+ * @param sysinfo sysinfo helpers to be used
+ * @return char* Allocated string with OS codename. NULL otherwise
+ */
+char * w_get_os_codename(w_sysinfo_helpers_t * sysinfo);
+
+#endif
diff --git a/src/common/sysinfo_utils/src/sysinfo_utils.c b/src/common/sysinfo_utils/src/sysinfo_utils.c
new file mode 100644
index 0000000000..690d0e459b
--- /dev/null
+++ b/src/common/sysinfo_utils/src/sysinfo_utils.c
@@ -0,0 +1,116 @@
+/*
+ * Shared functions for Rootcheck events decoding
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "sysinfo_utils.h"
+#include "sym_load.h"
+
+bool w_sysinfo_init(w_sysinfo_helpers_t * sysinfo) {
+
+    bool result = false;
+    if (sysinfo != NULL) {
+        sysinfo->module = so_get_module_handle("sysinfo");
+        if (sysinfo->module != NULL) {
+            sysinfo->processes = so_get_function_sym(sysinfo->module, "sysinfo_processes");
+            sysinfo->os = so_get_function_sym(sysinfo->module, "sysinfo_os");
+            sysinfo->free_result = so_get_function_sym(sysinfo->module, "sysinfo_free_result");
+            if (sysinfo->processes != NULL && sysinfo->os != NULL && sysinfo->free_result != NULL) {
+                result = true;
+            } else {
+                w_sysinfo_deinit(sysinfo);
+            }
+        }
+    }
+
+    return result;
+}
+
+bool w_sysinfo_deinit(w_sysinfo_helpers_t * sysinfo) {
+
+    bool result = false;
+    if (sysinfo != NULL) {
+        so_free_library(sysinfo->module);
+        sysinfo->module = NULL;
+        sysinfo->processes = NULL;
+        sysinfo->free_result = NULL;
+        sysinfo->os = NULL;
+        return true;
+    }
+    return result;
+}
+
+cJSON * w_sysinfo_get_processes(w_sysinfo_helpers_t * sysinfo) {
+
+    cJSON * processes = NULL;
+
+    if (sysinfo != NULL && sysinfo->processes != NULL) {
+        sysinfo->processes(&processes);
+    }
+    return processes;
+}
+
+cJSON * w_sysinfo_get_os(w_sysinfo_helpers_t * sysinfo) {
+
+    cJSON * os_info = NULL;
+
+    if (sysinfo != NULL && sysinfo->os != NULL) {
+        sysinfo->os(&os_info);
+    }
+    return os_info;
+}
+
+pid_t * w_get_process_childs(w_sysinfo_helpers_t * sysinfo, pid_t parent_pid, unsigned int max_count) {
+
+    const unsigned int CHILDS_CHUNKS = 5;
+    unsigned int childs_count = 0;
+    cJSON * processes = NULL;
+    cJSON * process = NULL;
+    char * process_pid_str = NULL;
+    pid_t * childs_list = NULL;
+    pid_t process_pid = 0;
+    processes = w_sysinfo_get_processes(sysinfo);
+    if (processes != NULL) {
+        cJSON_ArrayForEach(process, processes) {
+            cJSON * ppid_object = cJSON_GetObjectItem(process, "ppid");
+            if (cJSON_IsNumber(ppid_object) && (pid_t) ppid_object->valuedouble == parent_pid) {
+                process_pid_str = cJSON_GetStringValue(cJSON_GetObjectItem(process, "pid"));
+                if (process_pid_str != NULL) {
+                    if (process_pid = (pid_t) strtol(process_pid_str, NULL, 10), process_pid > 0) {
+                        if (childs_count % CHILDS_CHUNKS == 0) {
+                            os_realloc(childs_list, sizeof(pid_t) * (childs_count + CHILDS_CHUNKS + 1), childs_list);
+                            memset(childs_list + childs_count, 0, sizeof(pid_t) * (CHILDS_CHUNKS + 1));
+                        }
+                        childs_list[childs_count++] = process_pid;
+                        if (max_count > 0 && childs_count == max_count) {
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        sysinfo->free_result(&processes);
+    }
+
+    return childs_list;
+}
+
+char * w_get_os_codename(w_sysinfo_helpers_t * sysinfo) {
+
+    char * codename = NULL;
+    cJSON * os_info = NULL;
+
+    os_info = w_sysinfo_get_os(sysinfo);
+
+    if (os_info != NULL) {
+        w_strdup(cJSON_GetStringValue(cJSON_GetObjectItem(os_info, "os_codename")), codename);
+        sysinfo->free_result(&os_info);
+    }
+
+    return codename;
+}
diff --git a/src/common/sysinfo_utils/tests/unit/tests/CMakeLists.txt b/src/common/sysinfo_utils/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..6b2a5d5ea7
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,62 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_sysinfo_utils")
+
+if(${TARGET} STREQUAL "winagent")
+    # cJSON_CreateArray@0 instead of cJSON_CreateArray since linker will be looking for cdecl forma
+    # More info at: (https://devblogs.microsoft.com/oldnewthing/20040108-00/?p=41163)
+    list(APPEND shared_tests_flags "-Wl,--wrap,so_free_library -Wl,--wrap,so_get_function_sym \
+                                -Wl,--wrap,so_get_module_handle -Wl,--wrap,so_get_module_handle_on_path \
+                                -Wl,--wrap,sysinfo_os -Wl,--wrap,sysinfo_processes -Wl,--wrap,sysinfo_free_result \
+                                -Wl,--wrap,cJSON_GetObjectItem@8 -Wl,--wrap,cJSON_GetStringValue@4 \
+                                -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+    list(APPEND shared_tests_flags "-Wl,--wrap,so_free_library -Wl,--wrap,so_get_function_sym \
+                                -Wl,--wrap,so_get_module_handle -Wl,--wrap,so_get_module_handle_on_path \
+                                -Wl,--wrap,sysinfo_os -Wl,--wrap,sysinfo_processes -Wl,--wrap,sysinfo_free_result \
+                                -Wl,--wrap,cJSON_GetObjectItem -Wl,--wrap,cJSON_GetStringValue")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/sysinfo_utils/tests/unit/tests/test_sysinfo_utils.c b/src/common/sysinfo_utils/tests/unit/tests/test_sysinfo_utils.c
new file mode 100644
index 0000000000..eb22fe95f5
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/tests/test_sysinfo_utils.c
@@ -0,0 +1,939 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/wazuh/shared/sym_load_wrappers.h"
+#include "../../headers/shared.h"
+#include "../../headers/sysinfo_utils.h"
+#include "../wrappers/common.h"
+#include "../../data_provider/include/sysInfo.h"
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* wraps */
+
+/* w_sysinfo_deinit */
+
+void test_w_sysinfo_deinit_NULL(void ** state) {
+
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    bool ret = w_sysinfo_deinit(sysinfo);
+
+    assert_false(ret);
+    assert_null(sysinfo);
+}
+
+void test_w_sysinfo_deinit_OK(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.module = NULL;
+
+    expect_value(__wrap_so_free_library, handle, sysinfo.module);
+    will_return(__wrap_so_free_library, true);
+
+    bool ret = w_sysinfo_deinit(&sysinfo);
+
+    assert_true(ret);
+    assert_null(sysinfo.module);
+    assert_null(sysinfo.processes);
+    assert_null(sysinfo.os);
+    assert_null(sysinfo.free_result);
+}
+
+/* w_sysinfo_init */
+
+void test_w_sysinfo_init_sysinfo_NULL(void ** state) {
+
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    bool ret = w_sysinfo_init(sysinfo);
+
+    assert_false(ret);
+    assert_null(sysinfo);
+}
+
+void test_w_sysinfo_init_sysinfo_module_NULL(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+
+    expect_string(__wrap_so_get_module_handle, so, "sysinfo");
+    will_return(__wrap_so_get_module_handle, NULL);
+
+    bool ret = w_sysinfo_init(&sysinfo);
+
+    assert_false(ret);
+}
+
+void test_w_sysinfo_init_sysinfo_processes_NULL(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+
+    expect_string(__wrap_so_get_module_handle, so, "sysinfo");
+    will_return(__wrap_so_get_module_handle, 123);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_processes");
+    will_return(__wrap_so_get_function_sym, NULL);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_os");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_free_result");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_free_library, handle, 123);
+    will_return(__wrap_so_free_library, true);
+
+    bool ret = w_sysinfo_init(&sysinfo);
+
+    assert_null(sysinfo.module);
+    assert_null(sysinfo.processes);
+    assert_null(sysinfo.os);
+    assert_null(sysinfo.free_result);
+    assert_false(ret);
+}
+
+void test_w_sysinfo_init_sysinfo_os_NULL(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+
+    expect_string(__wrap_so_get_module_handle, so, "sysinfo");
+    will_return(__wrap_so_get_module_handle, 123);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_processes");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_os");
+    will_return(__wrap_so_get_function_sym, NULL);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_free_result");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_free_library, handle, 123);
+    will_return(__wrap_so_free_library, true);
+
+    bool ret = w_sysinfo_init(&sysinfo);
+
+    assert_null(sysinfo.module);
+    assert_null(sysinfo.processes);
+    assert_null(sysinfo.os);
+    assert_null(sysinfo.free_result);
+    assert_false(ret);
+}
+
+void test_w_sysinfo_init_sysinfo_free_result_NULL(void ** state) {
+    w_sysinfo_helpers_t sysinfo;
+
+    expect_string(__wrap_so_get_module_handle, so, "sysinfo");
+    will_return(__wrap_so_get_module_handle, 123);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_processes");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_os");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_free_result");
+    will_return(__wrap_so_get_function_sym, NULL);
+    expect_value(__wrap_so_free_library, handle, 123);
+    will_return(__wrap_so_free_library, true);
+
+    bool ret = w_sysinfo_init(&sysinfo);
+
+    assert_null(sysinfo.module);
+    assert_null(sysinfo.processes);
+    assert_null(sysinfo.os);
+    assert_null(sysinfo.free_result);
+    assert_false(ret);
+}
+
+void test_w_sysinfo_init_sysinfo_OK(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+
+    expect_string(__wrap_so_get_module_handle, so, "sysinfo");
+    will_return(__wrap_so_get_module_handle, 123);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_processes");
+    will_return(__wrap_so_get_function_sym, 1);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_os");
+    will_return(__wrap_so_get_function_sym, 2);
+    expect_value(__wrap_so_get_function_sym, handle, 123);
+    expect_string(__wrap_so_get_function_sym, function_name, "sysinfo_free_result");
+    will_return(__wrap_so_get_function_sym, 3);
+
+    bool ret = w_sysinfo_init(&sysinfo);
+
+    assert_ptr_equal(sysinfo.module, 123);
+    assert_ptr_equal(sysinfo.processes, 1);
+    assert_ptr_equal(sysinfo.os, 2);
+    assert_ptr_equal(sysinfo.free_result, 3);
+    assert_true(ret);
+}
+
+/* w_sysinfo_get_processes */
+
+void test_w_sysinfo_get_processes_sysinfo_NULL(void ** state) {
+
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    cJSON * ret = w_sysinfo_get_processes(sysinfo);
+
+    assert_null(ret);
+}
+
+void test_w_sysinfo_get_processes_processes_NULL(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = NULL;
+
+    cJSON * ret = w_sysinfo_get_processes(&sysinfo);
+
+    assert_null(ret);
+}
+
+void test_w_sysinfo_get_processes_OK(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+
+    will_return(__wrap_sysinfo_processes, 123);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    cJSON * ret = w_sysinfo_get_processes(&sysinfo);
+
+    assert_ptr_equal(ret, 123);
+}
+
+/* w_sysinfo_get_os */
+
+void test_w_sysinfo_get_os_sysinfo_NULL(void ** state) {
+
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    cJSON * ret = w_sysinfo_get_os(sysinfo);
+
+    assert_null(ret);
+}
+
+void test_w_sysinfo_get_os_os_NULL(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.os = NULL;
+
+    cJSON * ret = w_sysinfo_get_os(&sysinfo);
+
+    assert_null(ret);
+}
+
+void test_w_sysinfo_get_os_OK(void ** state) {
+
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.os = &sysinfo_os;
+
+    will_return(__wrap_sysinfo_os, 123);
+    will_return(__wrap_sysinfo_os, 0);
+
+    cJSON * ret = w_sysinfo_get_os(&sysinfo);
+
+    assert_ptr_equal(ret, 123);
+}
+
+/* w_get_process_childs */
+
+void test_w_get_process_childs_sysinfo_NULL(void ** state) {
+
+    //test_w_sysinfo_get_processes_sysinfo_NULL
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    pid_t * ret = w_get_process_childs(sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+}
+
+void test_w_get_process_childs_sysinfo_processes_NULL(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_NULL
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = NULL;
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+}
+
+void test_w_get_process_childs_empty_processes_list(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_free(processes);
+
+}
+
+void test_w_get_process_childs_ppid_object_not_found(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":\"4122\"," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(processes);
+
+}
+
+void test_w_get_process_childs_ppid_not_valid_object_type(void ** state) {
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":\"4122\"," \
+                        "\"ppid\":\"test\",\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, "test");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(processes);
+
+}
+
+void test_w_get_process_childs_ppid_dont_match(void ** state) {
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":\"4122\"," \
+                        "\"ppid\":1,\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->valuedouble = 1;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(processes);
+
+}
+
+void test_w_get_process_childs_pid_object_not_found(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(processes);
+
+}
+
+void test_w_get_process_childs_pid_not_a_number(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":\"test\",\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, "test");
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(processes);
+
+}
+
+void test_w_get_process_childs_new_childs_chunk(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    cJSON * pid_child = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child);
+    pid_child->type = 8;
+    pid_child->valuedouble = 100;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child);
+
+    will_return(__wrap_cJSON_GetStringValue, "100");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_int_equal(*ret, 100);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(pid_child);
+    cJSON_Delete(processes);
+    os_free(ret);
+
+}
+
+void test_w_get_process_childs_already_allocated_childs_chunk(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":200,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    cJSON * pid_child_1 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_1);
+    pid_child_1->type = 8;
+    pid_child_1->valuedouble = 100;
+
+    cJSON * pid_child_2 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_2);
+    pid_child_2->type = 8;
+    pid_child_2->valuedouble = 200;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_1);
+
+    will_return(__wrap_cJSON_GetStringValue, "100");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "200");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_int_equal(*ret, 100);
+    assert_int_equal(*(ret+1), 200);
+    assert_int_equal(*(ret+2), 0);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(pid_child_1);
+    cJSON_Delete(pid_child_2);
+    cJSON_Delete(processes);
+    os_free(ret);
+
+}
+
+void test_w_get_process_childs_no_childs_found(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":200,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_null(ret);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(processes);
+    os_free(ret);
+
+}
+
+void test_w_get_process_childs_more_childs_than_allowed(void ** state) {
+        //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":200,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":300,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":400,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":500,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":600,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":700,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":800,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":900,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":1000,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":1100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 0;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    cJSON * pid_child_1 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_1);
+    pid_child_1->type = 8;
+    pid_child_1->valuedouble = 100;
+
+    cJSON * pid_child_2 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_2);
+    pid_child_2->type = 8;
+    pid_child_2->valuedouble = 200;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_1);
+
+    will_return(__wrap_cJSON_GetStringValue, "100");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "200");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "300");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "400");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "500");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "600");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "700");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "800");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "900");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "1000");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "1100");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_int_equal(*ret, 100);
+    assert_int_equal(*(ret+1), 200);
+    assert_int_equal(*(ret+2), 300);
+    assert_int_equal(*(ret+3), 400);
+    assert_int_equal(*(ret+4), 500);
+    assert_int_equal(*(ret+5), 600);
+    assert_int_equal(*(ret+6), 700);
+    assert_int_equal(*(ret+7), 800);
+    assert_int_equal(*(ret+8), 900);
+    assert_int_equal(*(ret+9), 1000);
+    assert_int_equal(*(ret+10), 1100);
+    assert_int_equal(*(ret+11), 0);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(pid_child_1);
+    cJSON_Delete(pid_child_2);
+    cJSON_Delete(processes);
+    os_free(ret);
+
+}
+
+void test_w_get_process_childs_max_count(void ** state) {
+
+    //test_w_sysinfo_get_processes_processes_OK
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.processes = &sysinfo_processes;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    cJSON * processes = cJSON_Parse("[{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":100,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":200,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}," \
+                        "{\"euser\":\"root\",\"name\":\"sleep\",\"nice\":0,\"pid\":300,\"ppid\":10," \
+                        "\"priority\":31,\"rgroup\":\"wheel\",\"ruser\":\"root\",\"state\":\"R\",\"vm_size\":2432788}]");
+
+    pid_t parent_pid = 10;
+
+    unsigned int max_count = 2;
+
+    cJSON * ppid_object = NULL;
+    os_calloc(1, sizeof(cJSON), ppid_object);
+    ppid_object->type = 8;
+    ppid_object->valuedouble = 10;
+
+    cJSON * pid_child_1 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_1);
+    pid_child_1->type = 8;
+    pid_child_1->valuedouble = 100;
+
+    cJSON * pid_child_2 = NULL;
+    os_calloc(1, sizeof(cJSON), pid_child_2);
+    pid_child_2->type = 8;
+    pid_child_2->valuedouble = 200;
+
+    will_return(__wrap_sysinfo_processes, processes);
+    will_return(__wrap_sysinfo_processes, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_1);
+
+    will_return(__wrap_cJSON_GetStringValue, "100");
+
+    will_return(__wrap_cJSON_GetObjectItem, ppid_object);
+
+    will_return(__wrap_cJSON_GetObjectItem, pid_child_2);
+
+    will_return(__wrap_cJSON_GetStringValue, "200");
+
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    pid_t * ret = w_get_process_childs(&sysinfo, parent_pid, max_count);
+
+    assert_int_equal(*ret, 100);
+    assert_int_equal(*(ret+1), 200);
+    assert_int_equal(*(ret+2), 0);
+
+    cJSON_Delete(ppid_object);
+    cJSON_Delete(pid_child_1);
+    cJSON_Delete(pid_child_2);
+    cJSON_Delete(processes);
+    os_free(ret);
+
+}
+
+/* w_get_os_codename */
+
+void test_w_get_os_codename_sysinfo_error(void ** state) {
+
+    w_sysinfo_helpers_t * sysinfo = NULL;
+
+    char * ret = w_get_os_codename(sysinfo);
+
+    assert_ptr_equal(ret, NULL);
+}
+
+void test_w_get_os_codename_no_codename_object(void ** state) {
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.os = &sysinfo_os;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    will_return(__wrap_sysinfo_os, 123);
+    will_return(__wrap_sysinfo_os, 0);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    char * ret = w_get_os_codename(&sysinfo);
+
+    assert_ptr_equal(ret, NULL);
+    os_free(ret);
+}
+
+void test_w_get_os_codename_OK(void ** state) {
+    w_sysinfo_helpers_t sysinfo;
+    sysinfo.os = &sysinfo_os;
+    sysinfo.free_result = &sysinfo_free_result;
+
+    will_return(__wrap_sysinfo_os, 123);
+    will_return(__wrap_sysinfo_os, 0);
+    will_return(__wrap_cJSON_GetObjectItem, 123);
+    will_return(__wrap_cJSON_GetStringValue, "test");
+    will_return(__wrap_sysinfo_free_result, NULL);
+
+    char * ret = w_get_os_codename(&sysinfo);
+
+    assert_string_equal(ret, "test");
+    os_free(ret);
+}
+
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        // Tees w_sysinfo_deinit
+        cmocka_unit_test(test_w_sysinfo_deinit_NULL),
+        cmocka_unit_test(test_w_sysinfo_deinit_OK),
+        // Tees w_sysinfo_init
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_NULL),
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_module_NULL),
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_processes_NULL),
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_os_NULL),
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_free_result_NULL),
+        cmocka_unit_test(test_w_sysinfo_init_sysinfo_OK),
+        // Test w_sysinfo_get_processes
+        cmocka_unit_test(test_w_sysinfo_get_processes_sysinfo_NULL),
+        cmocka_unit_test(test_w_sysinfo_get_processes_processes_NULL),
+        cmocka_unit_test(test_w_sysinfo_get_processes_OK),
+        // Test w_sysinfo_get_os
+        cmocka_unit_test(test_w_sysinfo_get_os_sysinfo_NULL),
+        cmocka_unit_test(test_w_sysinfo_get_os_os_NULL),
+        cmocka_unit_test(test_w_sysinfo_get_os_OK),
+        // Test w_get_process_childs
+        cmocka_unit_test(test_w_get_process_childs_sysinfo_NULL),
+        cmocka_unit_test(test_w_get_process_childs_sysinfo_processes_NULL),
+        cmocka_unit_test(test_w_get_process_childs_empty_processes_list),
+        cmocka_unit_test(test_w_get_process_childs_ppid_object_not_found),
+        cmocka_unit_test(test_w_get_process_childs_ppid_not_valid_object_type),
+        cmocka_unit_test(test_w_get_process_childs_ppid_dont_match),
+        cmocka_unit_test(test_w_get_process_childs_pid_object_not_found),
+        cmocka_unit_test(test_w_get_process_childs_pid_not_a_number),
+        cmocka_unit_test(test_w_get_process_childs_new_childs_chunk),
+        cmocka_unit_test(test_w_get_process_childs_already_allocated_childs_chunk),
+        cmocka_unit_test(test_w_get_process_childs_no_childs_found),
+        cmocka_unit_test(test_w_get_process_childs_more_childs_than_allowed),
+        cmocka_unit_test(test_w_get_process_childs_max_count),
+        // Test w_get_os_codename
+        cmocka_unit_test(test_w_get_os_codename_sysinfo_error),
+        cmocka_unit_test(test_w_get_os_codename_no_codename_object),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.c b/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.c
new file mode 100644
index 0000000000..bbe476c22e
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.c
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sysInfo_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_sysinfo_hardware(cJSON ** js_result) {
+    *js_result = mock_ptr_type(cJSON *);
+    int ret = mock_type(int);
+    return ret;
+}
+
+int __wrap_sysinfo_packages(cJSON ** js_result) {
+
+    *js_result = mock_ptr_type(cJSON *);
+    return mock_type(int);
+}
+
+int __wrap_sysinfo_os(cJSON ** js_result) {
+
+    *js_result = mock_ptr_type(cJSON *);
+    return mock_type(int);
+}
+
+int __wrap_sysinfo_processes(cJSON ** js_result) {
+
+    *js_result = mock_ptr_type(cJSON *);
+    return mock_type(int);
+}
+
+int __wrap_sysinfo_networks(cJSON ** js_result) {
+
+    *js_result = mock_ptr_type(cJSON *);
+    return mock_type(int);
+}
+
+int __wrap_sysinfo_ports(cJSON ** js_result) {
+
+    *js_result = mock_ptr_type(cJSON *);
+    return mock_type(int);
+}
+
+void __wrap_sysinfo_free_result( __attribute__((unused)) cJSON ** js_data) {
+
+    js_data = mock_ptr_type(cJSON **);
+}
diff --git a/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.h b/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.h
new file mode 100644
index 0000000000..38708fdec7
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/wrappers/sysInfo_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSINFO_WRAPPERS_H
+#define SYSINFO_WRAPPERS_H
+
+#include "cJSON.h"
+
+int __wrap_sysinfo_hardware(cJSON** js_result);
+int __wrap_sysinfo_packages(cJSON** js_result);
+int __wrap_sysinfo_os(cJSON** js_result);
+int __wrap_sysinfo_processes(cJSON** js_result);
+int __wrap_sysinfo_networks(cJSON** js_result);
+int __wrap_sysinfo_ports(cJSON** js_result);
+void __wrap_sysinfo_free_result(cJSON** js_data);
+
+#endif
\ No newline at end of file
diff --git a/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.c b/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.c
new file mode 100644
index 0000000000..b98a92c599
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.c
@@ -0,0 +1,66 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sysinfo_utils_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <errno.h>
+#include "../../common.h"
+
+bool __wrap_w_sysinfo_init(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo) {
+    if (test_mode) {
+        bool ret = mock_type(bool);
+        return ret;
+    }
+    return w_sysinfo_init(sysinfo);
+}
+
+bool __wrap_w_sysinfo_deinit(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo) {
+    if (test_mode) {
+        bool ret = mock_type(bool);
+        return ret;
+    }
+    return w_sysinfo_deinit(sysinfo);
+}
+
+cJSON * __wrap_w_sysinfo_get_processes(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo) {
+    if (test_mode) {
+        cJSON * ret = mock_type(cJSON *);
+        return ret;
+    }
+    return w_sysinfo_get_processes(sysinfo);
+}
+
+cJSON * __wrap_w_sysinfo_get_os(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo) {
+    if (test_mode) {
+        cJSON * ret = mock_type(cJSON *);
+        return ret;
+    }
+    return w_sysinfo_get_os(sysinfo);
+}
+
+pid_t * __wrap_w_get_process_childs(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo,
+                                    __attribute__((__unused__)) pid_t parent_pid,
+                                    __attribute__((__unused__)) unsigned int max_count) {
+    if (test_mode) {
+        pid_t * ret = mock_type(pid_t *);
+        return ret;
+    }
+    return w_get_process_childs(sysinfo, parent_pid, max_count);
+}
+
+char * __wrap_w_get_os_codename(__attribute__((__unused__)) w_sysinfo_helpers_t * sysinfo) {
+    if (test_mode) {
+        char * ret = mock_type(char *);
+        return ret;
+    }
+    return w_get_os_codename(sysinfo);
+}
diff --git a/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.h b/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.h
new file mode 100644
index 0000000000..f965810ea6
--- /dev/null
+++ b/src/common/sysinfo_utils/tests/unit/wrappers/sysinfo_utils_wrappers.h
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYSINFO_UTILS_WRAPPERS_H
+#define SYSINFO_UTILS_WRAPPERS_H
+
+#include "sysinfo_utils.h"
+
+bool __wrap_w_sysinfo_init(w_sysinfo_helpers_t * sysinfo);
+
+bool __wrap_w_sysinfo_deinit(w_sysinfo_helpers_t * sysinfo);
+
+cJSON * __wrap_w_sysinfo_get_processes(w_sysinfo_helpers_t * sysinfo);
+
+cJSON * __wrap_w_sysinfo_get_os(w_sysinfo_helpers_t * sysinfo);
+
+pid_t * __wrap_w_get_process_childs(w_sysinfo_helpers_t * sysinfo, pid_t parent_pid, unsigned int max_count);
+
+char * __wrap_w_get_os_codename(w_sysinfo_helpers_t * sysinfo);
+
+#endif
diff --git a/src/common/threadDispatcher/CMakeLists.txt b/src/common/threadDispatcher/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/threadDispatcher/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/threadDispatcher/include/threadDispatcher.h b/src/common/threadDispatcher/include/threadDispatcher.h
new file mode 100644
index 0000000000..b214e4a8a6
--- /dev/null
+++ b/src/common/threadDispatcher/include/threadDispatcher.h
@@ -0,0 +1,234 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef THREAD_DISPATCHER_H
+#define THREAD_DISPATCHER_H
+#include <vector>
+#include <thread>
+#include <atomic>
+#include <future>
+#include <functional>
+#include <iostream>
+#include "threadSafeQueue.h"
+#include "promiseFactory.h"
+#include "commonDefs.h"
+
+namespace Utils
+{
+    // *
+    //  * @brief Minimal Dispatcher interface
+    //  * @details Handle dispatching of messages of type Type
+    //  * to be processed by calling Functor.
+    //  *
+    //  * @tparam Type Messages types.
+    //  * @tparam Functor Entity that processes the messages.
+
+    // template <typename Type, typename Functor>
+    // class DispatcherInterface
+    // {
+    // public:
+    //  /**
+    //   * @brief Ctor
+    //   *
+    //   * @param functor Callable entity.
+    //   * @param int Maximun number of threads to be used by the dispatcher.
+    //   */
+    //  DispatcherInterface(Functor functor, const unsigned int numberOfThreads);
+    //  *
+    //   * @brief Pushes a message to be processed by the functor.
+    //   * @details The implementation decides whether the processing is sync or async.
+    //   *
+    //   * @param data Message value.
+
+    //  void push(const Type& data);
+    //  /**
+    //   * @brief Rundowns the pending messages until reaches 0.
+    //   * @details It should be a blocking call.
+    //   */
+    //  void rundown();
+    //  /**
+    //   * @brief Cancels the dispatching.
+    //   */
+    //  void cancel();
+    // };
+
+    template
+    <
+        typename Type,
+        typename Functor
+        >
+    class AsyncDispatcher
+    {
+        public:
+            AsyncDispatcher(Functor functor, const unsigned int numberOfThreads = std::thread::hardware_concurrency(), const size_t maxQueueSize = UNLIMITED_QUEUE_SIZE)
+                : m_functor{ functor }
+                , m_running{ true }
+                , m_numberOfThreads{ numberOfThreads ? numberOfThreads : 1 }
+                , m_maxQueueSize { maxQueueSize }
+            {
+                m_threads.reserve(m_numberOfThreads);
+
+                for (unsigned int i = 0; i < m_numberOfThreads; ++i)
+                {
+                    m_threads.push_back(std::thread{ &AsyncDispatcher<Type, Functor>::dispatch, this });
+                }
+            }
+            AsyncDispatcher& operator=(const AsyncDispatcher&) = delete;
+            AsyncDispatcher(AsyncDispatcher& other) = delete;
+            ~AsyncDispatcher()
+            {
+                cancel();
+            }
+
+            void push(const Type& value)
+            {
+                if (m_running)
+                {
+                    if (UNLIMITED_QUEUE_SIZE == m_maxQueueSize || m_queue.size() < m_maxQueueSize)
+                    {
+                        m_queue.push
+                        (
+                            [value, this]()
+                        {
+                            this->m_functor(value);
+                        }
+                        );
+                    }
+                }
+            }
+
+            void rundown()
+            {
+                if (m_running)
+                {
+                    auto promise { PromiseFactory<PROMISE_TYPE>::getPromiseObject() };
+                    m_queue.push
+                    (
+                        [&promise]()
+                    {
+                        promise->set_value();
+                    }
+                    );
+                    promise->wait();
+                    cancel();
+                }
+            }
+            void cancel()
+            {
+                m_running = false;
+                m_queue.cancel();
+                joinThreads();
+            }
+
+            bool cancelled() const
+            {
+                return !m_running;
+            }
+            unsigned int numberOfThreads() const
+            {
+                return m_numberOfThreads;
+            }
+            size_t size() const
+            {
+                return m_queue.size();
+            }
+
+        private:
+            void dispatch()
+            {
+                try
+                {
+                    while (m_running)
+                    {
+                        std::function<void()> fnc;
+
+                        if (m_queue.pop(fnc))
+                        {
+                            fnc();
+                        }
+                    }
+                }
+                catch (const std::exception& ex)
+                {
+                    std::cerr << "Dispatch handler error, " << ex.what() << std::endl;
+                }
+            }
+            void joinThreads()
+            {
+                for (auto& thread : m_threads)
+                {
+                    if (thread.joinable())
+                    {
+                        thread.join();
+                    }
+                }
+            }
+
+            Functor m_functor;
+            SafeQueue<std::function<void()>> m_queue;
+            std::vector<std::thread> m_threads;
+            std::atomic_bool m_running;
+            const unsigned int m_numberOfThreads;
+            const size_t m_maxQueueSize;
+    };
+
+    template <typename Input, typename Functor>
+    class SyncDispatcher
+    {
+        public:
+            SyncDispatcher(Functor functor,
+                           const unsigned int /*numberOfThreads = std::thread::hardware_concurrency()*/,
+                           const size_t /*maxQueueSize = UNLIMITED_QUEUE_SIZE*/)
+                : m_functor{functor}
+                , m_running{true}
+            {
+            }
+
+            SyncDispatcher(Functor functor)
+                : m_functor{functor}
+                , m_running{true}
+            {
+            }
+
+            void push(const Input& data)
+            {
+                if (m_running)
+                {
+                    m_functor(data);
+                }
+            }
+            size_t size() const
+            {
+                return 0;
+            }
+            void rundown()
+            {
+                cancel();
+            }
+            void cancel()
+            {
+                m_running = false;
+            }
+            bool cancelled() const
+            {
+                return !m_running;
+            }
+            unsigned int numberOfThreads() const
+            {
+                return 0;
+            }
+            ~SyncDispatcher() = default;
+        private:
+            Functor m_functor;
+            bool m_running;
+    };
+}//namespace Utils
+#endif //THREAD_DISPATCHER_H
diff --git a/src/common/threadDispatcher/include/threadSafeQueue.h b/src/common/threadDispatcher/include/threadSafeQueue.h
new file mode 100644
index 0000000000..4d354d8622
--- /dev/null
+++ b/src/common/threadDispatcher/include/threadSafeQueue.h
@@ -0,0 +1,178 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef THREAD_SAFE_QUEUE_H
+#define THREAD_SAFE_QUEUE_H
+#include <atomic>
+#include <condition_variable>
+#include <iostream>
+#include <memory>
+#include <mutex>
+#include <queue>
+#include <thread>
+
+namespace Utils
+{
+
+    template<typename T, typename U, typename Tq = std::queue<T>>
+    class TSafeQueue
+    {
+    public:
+        TSafeQueue()
+            : m_canceled {false}
+        {
+        }
+        TSafeQueue& operator=(const TSafeQueue&) = delete;
+        TSafeQueue(TSafeQueue& other)
+            : TSafeQueue {}
+        {
+            std::lock_guard<std::mutex> lock {other.m_mutex};
+            m_queue = other.m_queue;
+        }
+        explicit TSafeQueue(Tq&& queue)
+            : m_queue {std::move(queue)}
+            , m_canceled {false}
+        {
+        }
+        ~TSafeQueue()
+        {
+            cancel();
+        }
+
+        void push(const T& value)
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+
+            if (!m_canceled)
+            {
+                m_queue.push(value);
+                m_cv.notify_one();
+            }
+        }
+
+        bool pop(U& value, const bool wait = true)
+        {
+            std::unique_lock<std::mutex> lock {m_mutex};
+
+            if (wait)
+            {
+                m_cv.wait(lock, [this]() { return !m_queue.empty() || m_canceled; });
+            }
+
+            const bool ret {!m_canceled && !m_queue.empty()};
+
+            if (ret)
+            {
+                value = std::move(m_queue.front());
+                m_queue.pop();
+            }
+
+            return ret;
+        }
+
+        std::shared_ptr<U> pop(const bool wait = true)
+        {
+            std::unique_lock<std::mutex> lock {m_mutex};
+
+            if (wait)
+            {
+                m_cv.wait(lock, [this]() { return !m_queue.empty() || m_canceled; });
+            }
+
+            const bool ret {!m_canceled && !m_queue.empty()};
+
+            if (ret)
+            {
+                const auto spData {std::make_shared<U>(m_queue.front())};
+                m_queue.pop();
+                return spData;
+            }
+
+            return nullptr;
+        }
+
+        std::queue<U> getBulk(const uint64_t elementsQuantity,
+                              const std::chrono::seconds& timeout = std::chrono::seconds(5))
+        {
+            std::unique_lock<std::mutex> lock {m_mutex};
+            std::queue<U> bulkQueue;
+
+            // If we have less elements than requested, wait for more elements to be pushed.
+            // coverity[missing_lock]
+            if (m_queue.size() < elementsQuantity)
+            {
+                m_cv.wait_for(lock,
+                              timeout,
+                              [this, elementsQuantity]()
+                              {
+                                  // coverity[missing_lock]
+                                  return m_canceled.load() || m_queue.size() >= elementsQuantity;
+                              });
+            }
+
+            // If the queue is not canceled, get the elements.
+            if (!m_canceled)
+            {
+                for (auto i = 0; i < elementsQuantity && i < m_queue.size(); ++i)
+                {
+                    bulkQueue.push(std::move(m_queue.at(i)));
+                }
+            }
+
+            return bulkQueue;
+        }
+
+        void popBulk(const uint64_t elementsQuantity)
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+            for (auto i = 0; i < elementsQuantity && !m_queue.empty(); ++i)
+            {
+                m_queue.pop();
+            }
+        }
+
+        bool empty() const
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+            return m_queue.empty();
+        }
+
+        size_t size() const
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+            return m_queue.size();
+        }
+
+        void cancel()
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+            m_canceled = true;
+            m_cv.notify_all();
+        }
+
+        bool cancelled() const
+        {
+            std::lock_guard<std::mutex> lock {m_mutex};
+            return m_canceled;
+        }
+
+    private:
+        mutable std::mutex m_mutex;
+        std::condition_variable m_cv;
+        std::atomic<bool> m_canceled {};
+        Tq m_queue;
+    };
+
+    template<typename T, typename Tq = std::queue<T>>
+    using SafeQueue = TSafeQueue<T, T, Tq>;
+} // namespace Utils
+
+#endif // THREAD_SAFE_QUEUE_H
diff --git a/src/common/threadDispatcher/tests/CMakeLists.txt b/src/common/threadDispatcher/tests/CMakeLists.txt
new file mode 100644
index 0000000000..34b6da0c3d
--- /dev/null
+++ b/src/common/threadDispatcher/tests/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "threadDispatcher_test.cpp"
+    "threadSafeQueue_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/threadDispatcher/tests/main.cpp b/src/common/threadDispatcher/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/threadDispatcher/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/threadDispatcher/tests/threadDispatcher_test.cpp b/src/common/threadDispatcher/tests/threadDispatcher_test.cpp
new file mode 100644
index 0000000000..d106193ff9
--- /dev/null
+++ b/src/common/threadDispatcher/tests/threadDispatcher_test.cpp
@@ -0,0 +1,123 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <thread>
+#include <chrono>
+#include "threadDispatcher_test.h"
+#include "threadDispatcher.h"
+
+void ThreadDispatcherTest::SetUp() {};
+
+void ThreadDispatcherTest::TearDown() {};
+
+using ::testing::_;
+using namespace Utils;
+
+// LCOV_EXCL_START
+class FunctorWrapper
+{
+    public:
+        FunctorWrapper() {}
+        ~FunctorWrapper() {}
+        MOCK_METHOD(void, Operator, (const int), ());
+        void operator()(const int value)
+        {
+            Operator(value);
+        }
+};
+// LCOV_EXCL_STOP
+
+TEST_F(ThreadDispatcherTest, AsyncDispatcherPushAndRundown)
+{
+    FunctorWrapper functor;
+    AsyncDispatcher<int, std::reference_wrapper<FunctorWrapper>> dispatcher
+    {
+        std::ref(functor)
+    };
+    EXPECT_EQ(std::thread::hardware_concurrency(), dispatcher.numberOfThreads());
+
+    for (int i = 0; i < 10; ++i)
+    {
+        EXPECT_CALL(functor, Operator(i));
+    }
+
+    for (int i = 0; i < 10; ++i)
+    {
+        dispatcher.push(i);
+    }
+
+    dispatcher.rundown();
+    EXPECT_TRUE(dispatcher.cancelled());
+    EXPECT_EQ(0ul, dispatcher.size());
+}
+
+TEST_F(ThreadDispatcherTest, AsyncDispatcherCancel)
+{
+    FunctorWrapper functor;
+    AsyncDispatcher<int, std::reference_wrapper<FunctorWrapper>> dispatcher
+    {
+        std::ref(functor)
+    };
+    EXPECT_EQ(std::thread::hardware_concurrency(), dispatcher.numberOfThreads());
+    dispatcher.cancel();
+
+    for (int i = 0; i < 10; ++i)
+    {
+        EXPECT_CALL(functor, Operator(i)).Times(0);
+        dispatcher.push(i);
+    }
+
+    EXPECT_TRUE(dispatcher.cancelled());
+    dispatcher.rundown();
+    EXPECT_EQ(0ul, dispatcher.size());
+}
+
+TEST_F(ThreadDispatcherTest, AsyncDispatcherQueue)
+{
+    constexpr auto NUMBER_OF_THREADS { 1ul };
+    constexpr auto MAX_QUEUE_SIZE { 5ull };
+    constexpr auto NUMBER_OF_ITEMS { 1000 };
+    std::mutex mutex;
+    std::unique_lock<std::mutex> lock(mutex);
+    std::condition_variable condition;
+    std::atomic<bool> firstCall { true };
+
+    AsyncDispatcher<int, std::function<void(int)>> dispatcher
+    {
+        [&mutex, &condition, &firstCall](int)
+        {
+            std::unique_lock<std::mutex> lock(mutex);
+            condition.notify_one();
+
+            if (firstCall)
+            {
+                firstCall = false;
+                condition.wait(lock);
+            }
+        }
+        , NUMBER_OF_THREADS
+        , MAX_QUEUE_SIZE
+    };
+
+    dispatcher.push(0);
+    condition.wait(lock);
+
+    for (int i = 0; i < NUMBER_OF_ITEMS - 1; ++i)
+    {
+        dispatcher.push(0);
+    }
+
+    EXPECT_EQ(MAX_QUEUE_SIZE, dispatcher.size());
+    condition.notify_one();
+    lock.unlock();
+    dispatcher.rundown();
+}
+
diff --git a/src/common/threadDispatcher/tests/threadDispatcher_test.h b/src/common/threadDispatcher/tests/threadDispatcher_test.h
new file mode 100644
index 0000000000..ae4ee170a7
--- /dev/null
+++ b/src/common/threadDispatcher/tests/threadDispatcher_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef THREAD_DISPATCHER_TESTS_H
+#define THREAD_DISPATCHER_TESTS_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class ThreadDispatcherTest : public ::testing::Test
+{
+    protected:
+
+        ThreadDispatcherTest() = default;
+        virtual ~ThreadDispatcherTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //THREAD_DISPATCHER_TESTS_H
\ No newline at end of file
diff --git a/src/common/threadDispatcher/tests/threadSafeQueue_test.cpp b/src/common/threadDispatcher/tests/threadSafeQueue_test.cpp
new file mode 100644
index 0000000000..fbe8f57643
--- /dev/null
+++ b/src/common/threadDispatcher/tests/threadSafeQueue_test.cpp
@@ -0,0 +1,118 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <thread>
+#include "threadSafeQueue_test.h"
+#include "threadSafeQueue.h"
+
+void ThreadSafeQueueTest::SetUp() {};
+
+void ThreadSafeQueueTest::TearDown() {};
+
+using namespace Utils;
+TEST_F(ThreadSafeQueueTest, Ctor)
+{
+    SafeQueue<int> queue;
+    int ret_val{};
+    EXPECT_TRUE(queue.empty());
+    EXPECT_FALSE(queue.cancelled());
+    EXPECT_FALSE(queue.pop(ret_val, false));//non wait pop;
+    auto spValue{queue.pop(false)};
+    EXPECT_FALSE(spValue);
+}
+
+TEST_F(ThreadSafeQueueTest, NonBlockingPop)
+{
+    SafeQueue<int> queue;
+    queue.push(0);
+    int ret_val{};
+    EXPECT_TRUE(queue.pop(ret_val, false));//non wait pop;
+    EXPECT_EQ(0, ret_val);//non wait pop;
+    EXPECT_FALSE(queue.pop(ret_val, false));//non wait pop;
+    queue.push(1);
+    auto spValue{queue.pop(false)};
+    EXPECT_TRUE(spValue);
+    EXPECT_EQ(1, *spValue);
+    spValue = queue.pop(false);
+    EXPECT_FALSE(spValue);
+}
+
+TEST_F(ThreadSafeQueueTest, BlockingPopByRef)
+{
+    SafeQueue<int> queue;
+    std::thread t1
+    {
+        [&queue]()
+        {
+            int ret_val{};
+            EXPECT_TRUE(queue.pop(ret_val));
+            EXPECT_EQ(0, ret_val);
+        }
+    };
+    queue.push(0);
+    t1.join();
+}
+
+TEST_F(ThreadSafeQueueTest, BlockingPopBySmartPtr)
+{
+    SafeQueue<int> queue;
+    std::thread t1
+    {
+        [&queue]()
+        {
+            auto ret_val{queue.pop()};
+            EXPECT_TRUE(ret_val);
+            EXPECT_EQ(0, *ret_val);
+        }
+    };
+    queue.push(0);
+    t1.join();
+}
+
+TEST_F(ThreadSafeQueueTest, Cancel)
+{
+    SafeQueue<int> queue;
+    queue.push(0);
+    queue.push(1);
+    queue.push(2);
+    int ret_val{};
+    EXPECT_TRUE(queue.pop(ret_val, false));//non wait pop;
+    queue.cancel();
+    EXPECT_FALSE(queue.pop(ret_val, false));//non wait pop;
+    EXPECT_FALSE(queue.pop(ret_val));//wait pop;
+    EXPECT_TRUE(queue.cancelled());
+}
+
+TEST_F(ThreadSafeQueueTest, CancelBlockingPop)
+{
+    SafeQueue<int> queue;
+    std::thread t1
+    {
+        [&queue]()
+        {
+            auto ret_val{queue.pop()};
+            EXPECT_FALSE(ret_val);
+            EXPECT_TRUE(queue.cancelled());
+        }
+    };
+    std::thread t2
+    {
+        [&queue]()
+        {
+            int ret_val{};
+            EXPECT_FALSE(queue.pop(ret_val));
+            EXPECT_TRUE(queue.cancelled());
+        }
+    };
+    queue.cancel();
+    t1.join();
+    t2.join();
+}
\ No newline at end of file
diff --git a/src/common/threadDispatcher/tests/threadSafeQueue_test.h b/src/common/threadDispatcher/tests/threadSafeQueue_test.h
new file mode 100644
index 0000000000..58ee8db315
--- /dev/null
+++ b/src/common/threadDispatcher/tests/threadSafeQueue_test.h
@@ -0,0 +1,26 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef THREAD_SAFE_QUEUE_TESTS_H
+#define THREAD_SAFE_QUEUE_TESTS_H
+#include "gtest/gtest.h"
+
+class ThreadSafeQueueTest : public ::testing::Test
+{
+    protected:
+
+        ThreadSafeQueueTest() = default;
+        virtual ~ThreadSafeQueueTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+#endif //THREAD_SAFE_QUEUE_TESTS_H
\ No newline at end of file
diff --git a/src/common/timeHelper/CMakeLists.txt b/src/common/timeHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/timeHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/timeHelper/include/timeHelper.h b/src/common/timeHelper/include/timeHelper.h
new file mode 100644
index 0000000000..5e2433ab99
--- /dev/null
+++ b/src/common/timeHelper/include/timeHelper.h
@@ -0,0 +1,162 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _TIME_HELPER_H
+#define _TIME_HELPER_H
+
+#include "stringHelper.h"
+#include <chrono>
+#include <ctime>
+#include <iomanip>
+#include <sstream>
+#include <string>
+
+namespace Utils
+{
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+    static std::string getTimestamp(const std::time_t& time, const bool utc = true)
+    {
+        std::stringstream ss;
+        // gmtime: result expressed as a UTC time
+        tm* localTime {utc ? gmtime(&time) : localtime(&time)};
+        // Final timestamp: "YYYY/MM/DD hh:mm:ss"
+        // Date
+        ss << std::setfill('0') << std::setw(4) << std::to_string(localTime->tm_year + 1900);
+        ss << "/";
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_mon + 1);
+        ss << "/";
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_mday);
+        // Time
+        ss << " ";
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_hour);
+        ss << ":";
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_min);
+        ss << ":";
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_sec);
+        return ss.str();
+    }
+    static std::string getCurrentTimestamp()
+    {
+        return getTimestamp(std::time(nullptr));
+    }
+
+    /**
+     * @brief Get a compact timestamp.
+     *
+     * @param time Time to convert.
+     * @param utc If true, the time will be expressed as a UTC time.
+     * @return std::string Compact timestamp. Format: "YYYYMMDDhhmmss".
+     */
+    static std::string getCompactTimestamp(const std::time_t& time, const bool utc = true)
+    {
+        std::stringstream ss;
+        // gmtime: result expressed as a UTC time
+        tm const* localTime {utc ? gmtime(&time) : localtime(&time)};
+        // Date
+        ss << std::setfill('0') << std::setw(4) << std::to_string(localTime->tm_year + 1900);
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_mon + 1);
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_mday);
+        // Time
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_hour);
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_min);
+        ss << std::setfill('0') << std::setw(2) << std::to_string(localTime->tm_sec);
+        return ss.str();
+    }
+
+    static std::string getCurrentISO8601()
+    {
+        // Get local time in UTC
+        auto now = std::chrono::system_clock::now();
+        auto itt = std::chrono::system_clock::to_time_t(now);
+
+        std::ostringstream ss;
+        ss << std::put_time(gmtime(&itt), "%FT%T");
+
+        // Get milliseconds from the current time
+        auto milliseconds =
+            std::chrono::duration_cast<std::chrono::milliseconds>(now.time_since_epoch()).count() % 1000;
+
+        // ISO 8601
+        ss << '.' << std::setfill('0') << std::setw(3) << milliseconds << 'Z';
+
+        return ss.str();
+    }
+
+    static std::string timestampToISO8601(const std::string& timestamp)
+    {
+        std::tm tm {};
+        std::istringstream ss(timestamp);
+        ss >> std::get_time(&tm, "%Y/%m/%d %H:%M:%S");
+        if (ss.fail())
+        {
+            return "";
+        }
+        std::time_t time = std::mktime(&tm);
+
+        auto itt = std::chrono::system_clock::from_time_t(time);
+
+        std::ostringstream output;
+        output << std::put_time(gmtime(&time), "%FT%T");
+
+        // Get milliseconds from the current time
+        auto milliseconds =
+            std::chrono::duration_cast<std::chrono::milliseconds>(itt.time_since_epoch()).count() % 1000;
+
+        // ISO 8601
+        output << '.' << std::setfill('0') << std::setw(3) << milliseconds << 'Z';
+
+        return output.str();
+    }
+
+    static std::string rawTimestampToISO8601(const std::string& timestamp)
+    {
+        if (timestamp.empty() || !Utils::isNumber(timestamp))
+        {
+            return "";
+        }
+
+        std::time_t time = std::stoi(timestamp);
+        auto itt = std::chrono::system_clock::from_time_t(time);
+
+        std::ostringstream output;
+        output << std::put_time(gmtime(&time), "%FT%T");
+
+        // Get milliseconds from the current time
+        auto milliseconds =
+            std::chrono::duration_cast<std::chrono::milliseconds>(itt.time_since_epoch()).count() % 1000;
+
+        // ISO 8601
+        output << '.' << std::setfill('0') << std::setw(3) << milliseconds << 'Z';
+
+        return output.str();
+    }
+
+    static std::chrono::seconds secondsSinceEpoch()
+    {
+        return std::chrono::duration_cast<std::chrono::seconds>(std::chrono::system_clock::now().time_since_epoch());
+    }
+
+    /**
+     * @brief Get seconds from epoch, since 1970-01-01 00:00:00 UTC.
+     * @return seconds from epoch.
+     */
+    static int64_t getSecondsFromEpoch()
+    {
+        return std::chrono::duration_cast<std::chrono::seconds>(std::chrono::system_clock::now().time_since_epoch())
+            .count();
+    };
+
+#pragma GCC diagnostic pop
+} // namespace Utils
+
+#endif // _TIME_HELPER_H
diff --git a/src/common/timeHelper/tests/CMakeLists.txt b/src/common/timeHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..4d4b204aee
--- /dev/null
+++ b/src/common/timeHelper/tests/CMakeLists.txt
@@ -0,0 +1,84 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "timeHelper_test.cpp"
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/timeHelper/tests/main.cpp b/src/common/timeHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/timeHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/timeHelper/tests/timeHelper_test.cpp b/src/common/timeHelper/tests/timeHelper_test.cpp
new file mode 100644
index 0000000000..aa6f871cdc
--- /dev/null
+++ b/src/common/timeHelper/tests/timeHelper_test.cpp
@@ -0,0 +1,88 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "timeHelper_test.h"
+#include "timeHelper.h"
+#include <regex>
+
+void TimeUtilsTest::SetUp() {};
+
+void TimeUtilsTest::TearDown() {};
+
+TEST_F(TimeUtilsTest, CheckTimestamp)
+{
+    const auto currentTimestamp {Utils::getCurrentTimestamp()};
+    const auto timestamp {Utils::getTimestamp(std::time(nullptr))};
+    EXPECT_FALSE(currentTimestamp.empty());
+    EXPECT_FALSE(timestamp.empty());
+}
+
+TEST_F(TimeUtilsTest, CheckTimestampValidFormat)
+{
+    constexpr auto DATE_FORMAT_REGEX_STR {
+        "[0-9]{4}/([0-9]|1[0-2]){2}/(([0-9]|1[0-2]){2}) (([0-9]|1[0-2]){2}):(([0-9]|1[0-2]){2}):(([0-9]|1[0-2]){2})"};
+    const auto currentTimestamp {Utils::getCurrentTimestamp()};
+    const auto timestamp {Utils::getTimestamp(std::time(nullptr))};
+    EXPECT_TRUE(std::regex_match(currentTimestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+    EXPECT_TRUE(std::regex_match(timestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+}
+
+TEST_F(TimeUtilsTest, CheckTimestampInvalidFormat)
+{
+    constexpr auto DATE_FORMAT_REGEX_STR {
+        "[0-9]{4}/([1-9]|1[0-2])/([1-9]|[1-2][0-9]|3[0-1])(2[0-3]|1[0-9]|[0-9]):([0-9]|[1-5][0-9]):([1-5][0-9]|[0-9])"};
+    const auto currentTimestamp {Utils::getCurrentTimestamp()};
+    const auto timestamp {Utils::getTimestamp(std::time(nullptr))};
+    EXPECT_FALSE(std::regex_match(currentTimestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+    EXPECT_FALSE(std::regex_match(timestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+}
+
+TEST_F(TimeUtilsTest, CheckCompactTimestampValidFormat)
+{
+    constexpr auto DATE_FORMAT_REGEX_STR {
+        "[0-9]{4}/([0-9]|1[0-2]){2}/(([0-9]|1[0-2]){2}) (([0-9]|1[0-2]){2}):(([0-9]|1[0-2]){2}):(([0-9]|1[0-2]){2})"};
+    constexpr auto COMPACT_FORMAT_REGEX_STR {
+        "[0-9]{4}([0-9]|1[0-2]){2}(([0-9]|1[0-2]){2})(([0-9]|1[0-2]){2})(([0-9]|1[0-2]){2})(([0-9]|1[0-2]){2})"};
+    const auto currentTimestamp {Utils::getCurrentTimestamp()};
+    const auto timestamp {Utils::getCompactTimestamp(std::time(nullptr))};
+    EXPECT_TRUE(std::regex_match(currentTimestamp, std::regex(DATE_FORMAT_REGEX_STR))) << timestamp;
+    EXPECT_TRUE(std::regex_match(timestamp, std::regex(COMPACT_FORMAT_REGEX_STR)));
+}
+
+TEST_F(TimeUtilsTest, CheckCompactTimestampInvalidFormat)
+{
+    constexpr auto DATE_FORMAT_REGEX_STR {
+        "[0-9]{4}/([1-9]|1[0-2])/([1-9]|[1-2][0-9]|3[0-1])(2[0-3]|1[0-9]|[0-9]):([0-9]|[1-5][0-9]):([1-5][0-9]|[0-9])"};
+    const auto currentTimestamp {Utils::getCurrentTimestamp()};
+    const auto timestamp {Utils::getCompactTimestamp(std::time(nullptr))};
+    EXPECT_FALSE(std::regex_match(currentTimestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+    EXPECT_FALSE(std::regex_match(timestamp, std::regex(DATE_FORMAT_REGEX_STR)));
+}
+
+TEST_F(TimeUtilsTest, TimestampToISO8601)
+{
+    // Get timestamp in local time
+    const auto timestamp {Utils::getTimestamp(std::time(nullptr), false)};
+    // Get current ISO8601 timestamp in UTC
+    const auto currentISO8601 {Utils::getCurrentISO8601()};
+    // replace milliseconds to 000Z to align with timestamp format
+    const auto currentISO8601ZeroMs {currentISO8601.substr(0, currentISO8601.size() - 4) + "000Z"};
+
+    EXPECT_EQ(currentISO8601ZeroMs, Utils::timestampToISO8601(timestamp));
+    EXPECT_EQ("", Utils::timestampToISO8601("21:00:00"));
+}
+
+TEST_F(TimeUtilsTest, RawTimestampToISO8601)
+{
+    EXPECT_EQ("2020-11-13T01:54:25.000Z", Utils::rawTimestampToISO8601("1605232465"));
+    EXPECT_EQ("", Utils::rawTimestampToISO8601(""));
+    EXPECT_EQ("", Utils::rawTimestampToISO8601("abcdefg"));
+}
diff --git a/src/common/timeHelper/tests/timeHelper_test.h b/src/common/timeHelper/tests/timeHelper_test.h
new file mode 100644
index 0000000000..88402c2565
--- /dev/null
+++ b/src/common/timeHelper/tests/timeHelper_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 28, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef TIME_HELPER_TESTS_H
+#define TIME_HELPER_TESTS_H
+
+#include <gtest/gtest.h>
+
+class TimeUtilsTest : public ::testing::Test
+{
+    protected:
+
+        TimeUtilsTest() = default;
+        virtual ~TimeUtilsTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif // TIME_HELPER_TESTS_H
diff --git a/src/modules/ms_graph/src/ms_graph.c b/src/common/time_op/CMakeLists.txt
similarity index 100%
rename from src/modules/ms_graph/src/ms_graph.c
rename to src/common/time_op/CMakeLists.txt
diff --git a/src/common/time_op/include/time_op.h b/src/common/time_op/include/time_op.h
new file mode 100644
index 0000000000..35fa3bcc28
--- /dev/null
+++ b/src/common/time_op/include/time_op.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/**
+ * @file time_op.h
+ * @brief Time operations header file
+ * @date October 4, 2017
+ */
+
+#ifndef TIME_OP_H
+#define TIME_OP_H
+
+#include <time.h>
+
+/**
+ * @brief Get the current calendar time
+ *
+ * @param ts Pointer to a timespec structure
+ */
+
+#define TIME_LENGTH     OS_SIZE_128
+
+void gettime(struct timespec *ts);
+
+/**
+ * @brief Compute time substraction "a - b"
+ *
+ * @param a Minuend
+ * @param b Subtrahend
+ */
+void time_sub(struct timespec * a, const struct timespec * b);
+
+/**
+ * @brief Get the time difference
+ *
+ * @param a Timestamp before
+ * @param b Timestamp after
+ * @return Time elapsed between a and b (in seconds)
+ */
+double time_diff(const struct timespec * a, const struct timespec * b);
+
+char *w_get_timestamp(const time_t time);
+
+/**
+ * @brief Takes sleeps of 1 second until the input time is reached
+ *
+ * @param time time until which the thread will sleep
+ * */
+void w_sleep_until(time_t abs_time);
+
+/**
+* @brief Sleep function for Windows and Unix (milliseconds)
+*
+* @param ms sleep time in miliseconds
+*/
+void w_time_delay(unsigned long int ms);
+
+#ifdef WIN32
+
+/**
+ * @brief Get the epoch time
+ *
+ * @return Number of seconds since the epoch
+ */
+long long int get_windows_time_epoch();
+
+/**
+ * @brief Get the epoch time from a FILETIME object
+ *
+ * @param ft
+ * @return Number of seconds since the epoch
+ */
+long long int get_windows_file_time_epoch(FILETIME ft);
+
+#endif
+
+/**
+ * @brief Function to check if a year is a leap year or not.
+ *
+ * @param year Year to check.
+ * @return Boolean indicating whether the year is leap.
+ */
+bool is_leap_year(int year);
+
+#endif // TIME_OP_H
diff --git a/src/common/time_op/src/time_op.c b/src/common/time_op/src/time_op.c
new file mode 100644
index 0000000000..2f12fc264f
--- /dev/null
+++ b/src/common/time_op/src/time_op.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/**
+ * @file time_op.c
+ * @brief Time operations
+ * @date October 4, 2017
+ */
+
+#include "shared.h"
+
+#ifndef WIN32
+
+#ifdef __MACH__
+#include <mach/clock.h>
+#include <mach/mach.h>
+#endif
+
+// Get the current calendar time
+
+void gettime(struct timespec *ts) {
+#ifdef __MACH__
+    clock_serv_t cclock;
+    mach_timespec_t mts;
+    host_get_clock_service(mach_host_self(), CALENDAR_CLOCK, &cclock);
+    clock_get_time(cclock, &mts);
+    mach_port_deallocate(mach_task_self(), cclock);
+    ts->tv_sec = mts.tv_sec;
+    ts->tv_nsec = mts.tv_nsec;
+#else
+    clock_gettime(CLOCK_REALTIME, ts);
+#endif
+}
+
+#else
+
+#include <windows.h>
+#define EPOCH_DIFFERENCE 11644473600LL
+
+// Get the epoch time
+
+long long int get_windows_time_epoch() {
+    FILETIME ft = {0};
+
+    GetSystemTimeAsFileTime(&ft);
+    return get_windows_file_time_epoch(ft);
+}
+
+// Get the epoch time from a FILETIME object
+
+long long int get_windows_file_time_epoch(FILETIME ft) {
+    LARGE_INTEGER li = {0};
+
+    li.LowPart = ft.dwLowDateTime;
+    li.HighPart = ft.dwHighDateTime;
+
+    /* Current machine EPOCH time */
+    long long int file_time_epoch = (li.QuadPart / 10000000) - EPOCH_DIFFERENCE;
+    return file_time_epoch;
+}
+
+void gettime(struct timespec * ts) {
+    FILETIME ft;
+    GetSystemTimeAsFileTime(&ft);
+
+    LARGE_INTEGER li = {.LowPart = ft.dwLowDateTime, .HighPart = ft.dwHighDateTime};
+
+    // Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+    ts->tv_sec = li.QuadPart / 10000000 - EPOCH_DIFFERENCE;
+    ts->tv_nsec = (li.QuadPart % 10000000) * 100;
+}
+
+#endif
+
+char *w_get_timestamp(time_t time) {
+    struct tm localtm;
+    char *timestamp;
+
+    localtime_r(&time, &localtm);
+
+    os_calloc(TIME_LENGTH, sizeof(char), timestamp);
+
+    snprintf(timestamp, TIME_LENGTH, "%d/%02d/%02d %02d:%02d:%02d",
+            localtm.tm_year + 1900, localtm.tm_mon + 1,
+            localtm.tm_mday, localtm.tm_hour, localtm.tm_min, localtm.tm_sec);
+
+    return timestamp;
+}
+
+
+void w_sleep_until(const time_t abs_time) {
+    while( time(NULL) < abs_time ) {
+        w_time_delay(1000);
+    }
+}
+
+void w_time_delay(unsigned long int ms) {
+#ifdef WIN32
+    Sleep(ms);
+#else
+    struct timeval timeout = { ms / 1000, (ms % 1000) * 1000};
+    select(0, NULL, NULL, NULL, &timeout);
+#endif
+}
+
+// Compute time substraction "a - b"
+
+void time_sub(struct timespec * a, const struct timespec * b) {
+    a->tv_sec -= b->tv_sec;
+    a->tv_nsec -= b->tv_nsec;
+
+    if (a->tv_nsec < 0) {
+        a->tv_nsec += 1000000000;
+        a->tv_sec--;
+    }
+}
+
+// Get the time elapsed between a and b (in seconds)
+
+double time_diff(const struct timespec * a, const struct timespec * b) {
+    return b->tv_sec - a->tv_sec + (b->tv_nsec - a->tv_nsec) / 1e9;
+}
+
+// Function to check if a year is a leap year or not.
+
+bool is_leap_year(int year) {
+    bool result = false;
+
+    if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) {
+        result = true;
+    }
+
+    return result;
+}
diff --git a/src/common/time_op/tests/unit/tests/CMakeLists.txt b/src/common/time_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..86a8ff419f
--- /dev/null
+++ b/src/common/time_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,50 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_time_op")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "-Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck ${DEBUG_OP_WRAPPERS}")
+else()
+list(APPEND shared_tests_flags " ")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/time_op/tests/unit/tests/test_time_op.c b/src/common/time_op/tests/unit/tests/test_time_op.c
new file mode 100644
index 0000000000..0b9a110745
--- /dev/null
+++ b/src/common/time_op/tests/unit/tests/test_time_op.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+
+#include "../headers/shared.h"
+
+
+/* tests */
+
+void test_is_leap_year_two(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 2;
+    ret = is_leap_year(year);
+
+    assert_false(ret);
+}
+
+void test_is_leap_year_four(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 4;
+    ret = is_leap_year(year);
+
+    assert_true(ret);
+}
+
+void test_is_leap_year_one_hundred(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 100;
+    ret = is_leap_year(year);
+
+    assert_false(ret);
+}
+
+void test_is_leap_year_two_hundred(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 200;
+    ret = is_leap_year(year);
+
+    assert_false(ret);
+}
+
+void test_is_leap_year_three_hundred(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 300;
+    ret = is_leap_year(year);
+
+    assert_false(ret);
+}
+
+void test_is_leap_year_four_hundred(void **state)
+{
+    (void) state;
+    bool ret;
+    int year = 400;
+    ret = is_leap_year(year);
+
+    assert_true(ret);
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_is_leap_year_two),
+        cmocka_unit_test(test_is_leap_year_four),
+        cmocka_unit_test(test_is_leap_year_one_hundred),
+        cmocka_unit_test(test_is_leap_year_two_hundred),
+        cmocka_unit_test(test_is_leap_year_three_hundred),
+        cmocka_unit_test(test_is_leap_year_four_hundred)
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/time_op/tests/unit/wrappers/time_op_wrappers.c b/src/common/time_op/tests/unit/wrappers/time_op_wrappers.c
new file mode 100644
index 0000000000..ea0d503d47
--- /dev/null
+++ b/src/common/time_op/tests/unit/wrappers/time_op_wrappers.c
@@ -0,0 +1,50 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifdef WIN32
+#include <windows.h>
+#endif
+#include "time_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+time_t current_time = 0;
+
+void __wrap_w_sleep_until(const time_t new_time){
+    current_time = new_time;
+}
+
+void __wrap_w_time_delay(unsigned long int msec){
+    current_time += (msec/1000);
+}
+
+char* __wrap_w_get_timestamp(time_t time) {
+    check_expected(time);
+
+    return mock_type(char*);
+}
+
+void __wrap_gettime(struct timespec *ts) {
+    ts->tv_sec = mock_type(time_t);
+}
+
+double __wrap_time_diff(__attribute__((unused)) const struct timespec * a, __attribute__((unused)) const struct timespec * b) {
+    return mock_type(double);
+}
+
+#ifdef WIN32
+long long __wrap_get_windows_file_time_epoch(FILETIME ftime) {
+    check_expected(ftime.dwLowDateTime);
+    check_expected(ftime.dwHighDateTime);
+
+    return mock_type(long long);
+}
+#endif
diff --git a/src/common/time_op/tests/unit/wrappers/time_op_wrappers.h b/src/common/time_op/tests/unit/wrappers/time_op_wrappers.h
new file mode 100644
index 0000000000..fd627f1645
--- /dev/null
+++ b/src/common/time_op/tests/unit/wrappers/time_op_wrappers.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef TIME_OP_WRAPPERS_H
+#define TIME_OP_WRAPPERS_H
+
+#include <time.h>
+
+void __wrap_w_sleep_until(const time_t new_time);
+
+void __wrap_w_time_delay(unsigned long int msec);
+
+char* __wrap_w_get_timestamp(time_t time);
+
+double __wrap_time_diff(__attribute__((unused)) const struct timespec * a, __attribute__((unused)) const struct timespec * b);
+
+extern time_t current_time;
+
+#ifdef WIN32
+long long int __wrap_get_windows_file_time_epoch(FILETIME ft);
+#endif
+void __wrap_gettime(struct timespec *ts);
+
+#endif
diff --git a/src/modules/office365/include/office365.h b/src/common/url/CMakeLists.txt
similarity index 100%
rename from src/modules/office365/include/office365.h
rename to src/common/url/CMakeLists.txt
diff --git a/src/common/url/include/url.h b/src/common/url/include/url.h
new file mode 100644
index 0000000000..0f36259c11
--- /dev/null
+++ b/src/common/url/include/url.h
@@ -0,0 +1,67 @@
+/*
+ * URL download support library
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 3, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef URL_GET_H_
+#define URL_GET_H_
+
+#include "../external/curl/include/curl/curl.h"
+
+#define WURL_WRITE_FILE_ERROR "Cannot open file '%s'"
+#define WURL_DOWNLOAD_FILE_ERROR "Cannot download file '%s' from URL: '%s'"
+#define WURL_TIMEOUT_ERROR  "Timeout reached when downloading file '%s' from URL: '%s'"
+
+#define WURL_GET_METHOD "GET"
+#define WURL_POST_METHOD "POST"
+
+typedef struct curl_response {
+    char *header;               /* Response header */
+    char *body;                 /* Response body */
+    long status_code;           /* Response code (200, 404, 500...) */
+    bool max_size_reached;      /* Response incomplete, limit buffer reached */
+} curl_response;
+
+int wurl_get(const char * url, const char * dest, const char * header, const char *data, const long timeout);
+int w_download_status(int status,const char *url,const char *dest);
+// Request download
+int wurl_request(const char * url, const char * dest, const char *header, const char *data, const long timeout);
+int wurl_request_gz(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256);
+
+/**
+ * @brief Make a HTTP GET request
+ * @param url URL to request
+ * @param max_size Max response size allowed
+ * @param timeout Maximum time allowed for the request
+ * @return Request response (body)
+ */
+char * wurl_http_get(const char * url, size_t max_size, const long timeout);
+
+/**
+ * @brief Make a HTTP request
+ * @param method HTTP method
+ * @param headers Request headers
+ * @param url URL to request
+ * @param payload Request body
+ * @param max_size Max response size allowed
+ * @param timeout Maximum time allowed for the request
+ * @return Request response (status_code, headers and body)
+ */
+curl_response *wurl_http_request(char *method, char **headers, const char *url, const char *payload, size_t max_size, const long timeout);
+
+void wurl_free_response(curl_response* response);
+#ifndef CLIENT
+int wurl_request_bz2(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256);
+int wurl_request_uncompress_bz2_gz(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256);
+#endif
+
+/* Check download module availability */
+int wurl_check_connection();
+
+#endif /* CUSTOM_OUTPUT_SEARCH_H_ */
diff --git a/src/common/url/src/url.c b/src/common/url/src/url.c
new file mode 100644
index 0000000000..dc9d05d33f
--- /dev/null
+++ b/src/common/url/src/url.c
@@ -0,0 +1,552 @@
+/*
+ * URL download support library
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 3, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+#include "os_crypto/sha256/sha256_op.h"
+#include <os_net/os_net.h>
+
+#ifdef WAZUH_UNIT_TESTING
+    #ifdef WIN32
+        #include "unit_tests/wrappers/windows/url_wrappers.h"
+    #else
+        #include "unit_tests/wrappers/wazuh/shared/url_wrappers.h"
+    #endif
+#endif
+
+struct MemoryStruct {
+  char *memory;
+  size_t size;
+  size_t max_response_size;
+  bool max_size_error;
+};
+
+static size_t WriteMemoryCallback(void *contents, size_t size, size_t nmemb, void *userp)
+{
+  size_t realsize = size * nmemb;
+  struct MemoryStruct *mem = (struct MemoryStruct *)userp;
+
+  if ((mem->size + realsize) > mem->max_response_size) {
+    mwarn("Response buffer size limit reached.");
+    mem->max_size_error = true;
+    return 0;
+  }
+
+  char *ptr = realloc(mem->memory, mem->size + realsize + 1);
+  if (ptr == NULL) {
+    return 0;
+  }
+
+  mem->memory = ptr;
+  memcpy(&(mem->memory[mem->size]), contents, realsize);
+  mem->size += realsize;
+  mem->memory[mem->size] = 0;
+
+  return realsize;
+}
+
+#ifndef WIN32
+/*
+ * These values ​​were taken from how libcurl looks for the paths at compilation time,
+ * here it is modified to be able to support the precompiled deps.
+ *
+ * https://github.com/curl/curl/blob/5930cb1c465ef5f0de6f1b91a843bb6f0bed1f23/acinclude.m4#L2182
+ */
+const char* certs_list[] = {
+    "/etc/ssl/certs/ca-certificates.crt",       // Debian systems
+    "/etc/pki/tls/certs/ca-bundle.crt",         // Redhat and Mandriva
+    "/usr/share/ssl/certs/ca-bundle.crt",       // RedHat
+    "/usr/local/share/certs/ca-root-nss.crt",   // FreeBSD
+    "/etc/ssl/cert.pem",                        // OpenBSD, FreeBSD, MacOS
+    NULL
+};
+
+char const * find_cert_list() {
+    char const * ret_val = NULL;
+
+    for (size_t i = 0; NULL != certs_list[i]; ++i) {
+        if (-1 != FileSize(certs_list[i])) {
+            ret_val = certs_list[i];
+            break;
+        }
+    }
+
+    return ret_val;
+}
+
+int wurl_get(const char * url, const char * dest, const char * header, const char *data, const long timeout) {
+    CURL *curl;
+    FILE *fp;
+    CURLcode res;
+    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_NO_ATEXIT, NULL);
+    curl = curl_easy_init();
+    char errbuf[CURL_ERROR_SIZE];
+    int old_mask;
+
+    if (curl) {
+        char const *cert = find_cert_list();
+
+        old_mask = umask(0006);
+        fp = wfopen(dest, "wb");
+        umask(old_mask);
+        if (!fp) {
+            mdebug1(FOPEN_ERROR, dest, errno, strerror(errno));
+            curl_easy_cleanup(curl);
+            return OS_FILERR;
+        }
+
+        res = curl_easy_setopt(curl, CURLOPT_URL, url);
+        res += curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL);
+        res += curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
+
+        if (header) {
+            struct curl_slist *c_header = curl_slist_append(NULL, header);
+            res += curl_easy_setopt(curl, CURLOPT_HTTPHEADER, c_header);
+        }
+
+        if (data) {
+            res += curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
+        }
+
+        if (timeout) {
+            res += curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
+        }
+
+        // Enable SSL check if url is HTTPS
+        if (!strncmp(url, "https", 5)) {
+            if (NULL != cert) {
+                res += curl_easy_setopt(curl, CURLOPT_CAINFO, cert);
+            }
+        }
+
+        res += curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
+        res += curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+
+        if (res != 0) {
+            mdebug1("Parameter setup error at CURL");
+            curl_easy_cleanup(curl);
+            fclose(fp);
+            unlink(dest);
+            return OS_CONNERR;
+        }
+
+        res = curl_easy_perform(curl);
+
+        switch(res) {
+        case CURLE_OK:
+            break;
+        case CURLE_OPERATION_TIMEDOUT:
+            mdebug1("CURL ERROR: %s", errbuf);
+            curl_easy_cleanup(curl);
+            fclose(fp);
+            unlink(dest);
+            return OS_TIMEOUT;
+        default:
+            mdebug1("CURL ERROR: %s",errbuf);
+            curl_easy_cleanup(curl);
+            fclose(fp);
+            unlink(dest);
+            return OS_CONNERR;
+        }
+
+        curl_easy_cleanup(curl);
+        fclose(fp);
+    }
+
+    return 0;
+}
+
+int w_download_status(int status,const char *url,const char *dest) {
+
+    switch(status) {
+        case OS_FILERR:
+            mwarn(WURL_WRITE_FILE_ERROR,dest);
+            break;
+        case OS_CONNERR:
+            mwarn(WURL_DOWNLOAD_FILE_ERROR, dest, url);
+            break;
+    }
+
+    return status;
+}
+
+// Request download
+int wurl_request(const char * url, const char * dest, const char *header, const char *data, const long timeout) {
+    const char * COMMAND = "download";
+    char response[64];
+    char * _url;
+    char * srequest;
+    size_t zrequest;
+    ssize_t zrecv;
+    int sock;
+    int retval = -1;
+    char *parsed_dest;
+    char *parsed_header = NULL;
+    char *parsed_data = NULL;
+
+    if (!url) {
+        return -1;
+    }
+
+    // Escape whitespaces
+
+    _url = wstr_replace(url, " ", "%20");
+
+    // Escape delimiter
+
+    parsed_dest = wstr_replace(dest, "|", "\\|");
+    if (header) {
+        parsed_header = wstr_replace(header, "|", "\\|");
+    }
+    if (data) {
+        parsed_data = wstr_replace(data, "|", "\\|");
+    }
+
+    // Build request
+
+    zrequest = strlen(_url) + strlen(parsed_dest) + strlen(COMMAND) +
+               (parsed_header ? strlen(parsed_header) : 0) +
+               (parsed_data ? strlen(parsed_data) : 0) + sizeof(long) + 7;
+    os_calloc(1, zrequest, srequest);
+    snprintf(srequest, zrequest, "%s %s|%s|%s|%s|%ld|", COMMAND, _url, parsed_dest, parsed_header ? parsed_header : "", parsed_data ? parsed_data : "", timeout ? timeout : 0);
+    os_free(parsed_dest);
+    os_free(parsed_header);
+    os_free(parsed_data);
+
+    // Connect to downlod module
+
+    if (sock = OS_ConnectUnixDomain(WM_DOWNLOAD_SOCK, SOCK_STREAM, OS_MAXSTR), sock < 0) {
+        mwarn("Couldn't connect to download module socket '%s'", WM_DOWNLOAD_SOCK);
+        goto end;
+    }
+
+    // Send request
+
+    if (send(sock, srequest, zrequest - 1, 0) != (ssize_t)(zrequest - 1)) {
+        merror("Couldn't send request to download module.");
+        goto end;
+    }
+
+    // Receive response
+
+    switch (zrecv = recv(sock, response, sizeof(response) - 1, 0), zrecv) {
+    case -1:
+        merror("Couldn't receive URL response from download module.");
+        goto end;
+
+    case 0:
+        merror("Couldn't receive URL response from download module (closed unexpectedly).");
+        goto end;
+
+    default:
+        response[zrecv] = '\0';
+
+        // Parse responses
+
+        if (!strcmp(response, "ok")) {
+            retval = 0;
+        } else if (!strcmp(response, "err connecting to url")) {
+            retval = OS_CONNERR;
+        } else if (!strcmp(response, "err writing file")) {
+            retval = OS_FILERR;
+        } else if (!strcmp(response, "err timeout")) {
+            retval = OS_TIMEOUT;
+        } else {
+            mdebug1("Couldn't download from '%s': %s", _url, response);
+        }
+    }
+
+end:
+    free(_url);
+    free(srequest);
+
+    if (sock >= 0) {
+        close(sock);
+    }
+
+    return retval;
+}
+
+// Request a uncompressed download (.gz)
+int wurl_request_gz(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256) {
+    char compressed_file[OS_SIZE_6144 + 1];
+    int retval = OS_INVALID;
+
+    snprintf(compressed_file, OS_SIZE_6144, "tmp/req-%u", os_random());
+
+    if (wurl_request(url, compressed_file, header, data, timeout)) {
+        return retval;
+
+    } else {
+        os_sha256 filehash = {0};
+        if (sha256 && !OS_SHA256_File(compressed_file, filehash, 'r') && strcmp(sha256, filehash)) {
+            merror("Invalid file integrity for '%s'", compressed_file);
+
+        } else if (w_uncompress_gzfile(compressed_file, dest)) {
+            merror("Could not uncompress the file downloaded from '%s'", url);
+
+        } else {
+            retval = 0;
+        }
+    }
+
+    if (remove(compressed_file) < 0) {
+        mdebug1("Could not remove '%s'. Error: %d.", compressed_file, errno);
+    }
+
+    return retval;
+}
+
+/* Check download module availability */
+int wurl_check_connection() {
+    int sock = OS_ConnectUnixDomain(WM_DOWNLOAD_SOCK, SOCK_STREAM, OS_MAXSTR);
+
+    if (sock < 0) {
+        return -1;
+    } else {
+        close(sock);
+        return 0;
+    }
+}
+
+char * wurl_http_get(const char * url, size_t max_size, const long timeout) {
+    CURL *curl;
+    CURLcode res;
+    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_NO_ATEXIT, NULL);
+    curl = curl_easy_init();
+    char errbuf[CURL_ERROR_SIZE];
+
+    struct MemoryStruct chunk;
+
+    chunk.memory = malloc(1);  /* will be grown as needed by the realloc above */
+    chunk.size = 0;    /* no data at this point */
+    chunk.max_response_size = max_size;
+    chunk.max_size_error = false;
+
+    if (curl) {
+        char const *cert = find_cert_list();
+
+        res = curl_easy_setopt(curl, CURLOPT_URL, url);
+        res += curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
+        res += curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&chunk);
+
+        // Enable SSL check if url is HTTPS
+        if (!strncmp(url, "https", 5)) {
+            if (NULL != cert) {
+                res += curl_easy_setopt(curl, CURLOPT_CAINFO, cert);
+            }
+        }
+
+        res += curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
+        res += curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+
+        if (timeout) {
+            res += curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
+        }
+
+        if (res != 0) {
+            mdebug1("Parameter setup error at CURL");
+            curl_easy_cleanup(curl);
+            free(chunk.memory);
+            return NULL;
+        }
+
+        res = curl_easy_perform(curl);
+
+        if (res) {
+            mdebug1("CURL ERROR %s",errbuf);
+            curl_easy_cleanup(curl);
+            free(chunk.memory);
+            return NULL;
+        }
+        curl_easy_cleanup(curl);
+    }
+
+    return chunk.memory;
+}
+
+#endif
+#ifndef CLIENT
+
+// Request a download of a bzip2 file and uncompress it.
+int wurl_request_bz2(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256) {
+    char compressed_file[OS_SIZE_6144 + 1];
+    int retval = OS_INVALID;
+
+    snprintf(compressed_file, OS_SIZE_6144, "tmp/req-%u", os_random());
+
+    if (wurl_request(url, compressed_file, header, data, timeout)) {
+        return retval;
+
+    } else {
+        os_sha256 filehash = {0};
+        if (sha256 && !OS_SHA256_File(compressed_file, filehash, 'r') && strcmp(sha256, filehash)) {
+            merror("Invalid file integrity for '%s'", compressed_file);
+
+        } else if (bzip2_uncompress(compressed_file, dest)) {
+            merror("Could not uncompress the file downloaded from '%s'", url);
+
+        } else {
+            retval = 0;
+        }
+    }
+
+    if (remove(compressed_file) < 0) {
+        mdebug1("Could not remove '%s'. Error: %d.", compressed_file, errno);
+    }
+
+    return retval;
+}
+
+// Check the compression type of the file and try to download and uncompress it.
+int wurl_request_uncompress_bz2_gz(const char * url, const char * dest, const char * header, const char * data, const long timeout, char *sha256) {
+    int res_url_request;
+    int compress = 0;
+
+    if (wstr_end((char *)url, ".gz")) {
+        compress = 1;
+        res_url_request = wurl_request_gz(url, dest, header, data, timeout, sha256);
+    } else if (wstr_end((char *)url, ".bz2")) {
+        compress = 1;
+        res_url_request = wurl_request_bz2(url, dest, header, data, timeout, sha256);
+    } else {
+        res_url_request = wurl_request(url, dest, header, data, timeout);
+    }
+
+    if (compress == 1 && !res_url_request) {
+        mdebug1("File from URL '%s' was successfully uncompressed into '%s'", url, dest);
+    }
+
+    return res_url_request;
+}
+#endif
+
+curl_response* wurl_http_request(char *method, char **headers, const char* url, const char *payload, size_t max_size, const long timeout) {
+    curl_response *response;
+    struct curl_slist* headers_list = NULL;
+    struct curl_slist* headers_tmp = NULL;
+    CURLcode res;
+    struct MemoryStruct req;
+    struct MemoryStruct req_header;
+
+    if (!url) {
+        mdebug1("url not defined");
+        return NULL;
+    }
+
+    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_NO_ATEXIT, NULL);
+    CURL* curl = curl_easy_init();
+
+    if (!curl) {
+        mdebug1("curl initialization failure");
+        return NULL;
+    }
+
+    res = curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, method);
+
+#ifndef WIN32
+    char const *cert = find_cert_list();
+
+    // Enable SSL check if url is HTTPS
+    if (!strncmp(url, "https", 5)) {
+        if (NULL != cert) {
+            res += curl_easy_setopt(curl, CURLOPT_CAINFO, cert);
+        }
+    }
+#endif
+
+    headers_list = curl_slist_append(headers_list, "User-Agent: curl/7.58.0");
+
+    if (headers_list == NULL) {
+        curl_easy_cleanup(curl);
+        mdebug1("curl append header failure");
+        return NULL;
+    }
+
+    // Append custom headers
+    char** ptr = headers;
+    for (char* header = *ptr; header; header=*++ptr) {
+        headers_tmp = curl_slist_append(headers_list, header);
+
+        if (headers_tmp == NULL) {
+            curl_slist_free_all(headers_list);
+            curl_easy_cleanup(curl);
+            mdebug1("curl append custom header failure");
+            return NULL;
+        }
+
+        headers_list = headers_tmp;
+    }
+
+    req.memory = malloc(1);  /* will be grown as needed by the realloc above */
+    req.size = 0;    /* no data at this point */
+    req.max_response_size = max_size;
+    req.max_size_error = false;
+
+    req_header.memory = malloc(1);  /* will be grown as needed by the realloc above */
+    req_header.size = 0;    /* no data at this point */
+    req_header.max_response_size = max_size;
+    req_header.max_size_error = false;
+
+    res += curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
+    res += curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&req);
+    res += curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers_list);
+    res += curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, WriteMemoryCallback);
+    res += curl_easy_setopt(curl, CURLOPT_HEADERDATA, (void *)&req_header);
+    res += curl_easy_setopt(curl, CURLOPT_URL, (void *)url);
+
+    if (payload) {
+        res += curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (void *)payload);
+    }
+
+    if (timeout) {
+        res += curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
+    }
+
+    if (res != CURLE_OK) {
+        mdebug1("Parameter setup error at CURL");
+        curl_slist_free_all(headers_list);
+        curl_easy_cleanup(curl);
+        os_free(req.memory);
+        os_free(req_header.memory);
+        return NULL;
+    }
+
+    res = curl_easy_perform(curl);
+
+    if (res != CURLE_OK && !(req.max_size_error || req_header.max_size_error)) {
+        mdebug1("curl_easy_perform() failed: %s", curl_easy_strerror(res));
+        curl_slist_free_all(headers_list);
+        curl_easy_cleanup(curl);
+        os_free(req.memory);
+        os_free(req_header.memory);
+        return NULL;
+    }
+
+    os_calloc(1, sizeof(curl_response), response);
+    curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &response->status_code);
+    response->header = req_header.memory;
+    response->body = req.memory;
+
+    if (req.max_size_error || req_header.max_size_error) {
+        response->max_size_reached = true;
+    }
+
+    curl_slist_free_all(headers_list);
+    curl_easy_cleanup(curl);
+
+    return response;
+}
+
+void wurl_free_response(curl_response* response) {
+    os_free(response->header);
+    os_free(response->body);
+    os_free(response);
+}
diff --git a/src/common/url/tests/unit/tests/CMakeLists.txt b/src/common/url/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..1a4feb310e
--- /dev/null
+++ b/src/common/url/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,49 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_url")
+list(APPEND shared_tests_flags "-Wl,--wrap,curl_slist_free_all -Wl,--wrap,curl_easy_cleanup \
+                                -Wl,--wrap,curl_easy_init -Wl,--wrap,curl_easy_setopt -Wl,--wrap,wfopen \
+                                -Wl,--wrap,curl_slist_append -Wl,--wrap,curl_easy_perform \
+                                -Wl,--wrap,curl_easy_getinfo -Wl,--wrap,FileSize ${DEBUG_OP_WRAPPERS}")
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/url/tests/unit/tests/test_url.c b/src/common/url/tests/unit/tests/test_url.c
new file mode 100644
index 0000000000..96dbbd7773
--- /dev/null
+++ b/src/common/url/tests/unit/tests/test_url.c
@@ -0,0 +1,741 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "../headers/shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+
+/* setup/teardown */
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* tests */
+// Test wurl_http_request
+void test_wurl_http_request_url_null(void **state)
+{
+    curl_response *response = NULL;
+    char **headers = NULL;
+    char *url = NULL;
+    size_t max_size = 1;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "url not defined");
+
+    response = wurl_http_request(NULL, headers, url, NULL, max_size, 0);
+    assert_null(response);
+}
+
+void test_wurl_http_request_init_failure(void **state)
+{
+    curl_response *response = NULL;
+    CURL* curl = NULL;
+    char **headers = NULL;
+    char *url = "http://test.com";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl initialization failure");
+
+    response = wurl_http_request(NULL, headers, url, NULL, max_size, 0);
+    assert_null(response);
+}
+
+void test_wurl_http_request_headers_list_null(void **state)
+{
+    curl_response *response = NULL;
+    CURL *curl = (CURL *) 1;
+    char **headers = NULL;
+    char *url = "https://test.com";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CAINFO);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl append header failure");
+
+    response = wurl_http_request(NULL, headers, url, NULL, max_size, 0);
+    assert_null(response);
+}
+
+void test_wurl_http_request_headers_tmp_null(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *pheaders = "headers";
+    char *url = "http://test.com";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_string(wrap_curl_slist_append, data, "headers");
+        expect_value(wrap_curl_slist_append, list, headers);
+        will_return(wrap_curl_slist_append, NULL);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_string(__wrap_curl_slist_append, data, "headers");
+        expect_value(__wrap_curl_slist_append, list, headers);
+        will_return(__wrap_curl_slist_append, NULL);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl append custom header failure");
+
+    response = wurl_http_request(NULL, &pheaders, url, NULL, max_size, 0);
+
+    assert_null(response);
+}
+
+void test_wurl_http_request_curl_easy_perform_fail_with_headers(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *url = "http://test.com";
+    size_t max_size = 1;
+
+    char auth_header[OS_SIZE_8192];
+    snprintf(auth_header, OS_SIZE_8192 -1, "Content-Type: application/x-www-form-urlencoded");
+    char **pheaders = NULL;
+    os_calloc(2, sizeof(char*), pheaders);
+    pheaders[0] = auth_header;
+    pheaders[1] = NULL;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_string(wrap_curl_slist_append, data, "Content-Type: application/x-www-form-urlencoded");
+        expect_value(wrap_curl_slist_append, list, headers);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_perform, curl, curl);
+        will_return(wrap_curl_easy_perform, (CURLcode) 9);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_string(__wrap_curl_slist_append, data, "Content-Type: application/x-www-form-urlencoded");
+        expect_value(__wrap_curl_slist_append, list, headers);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_perform, curl, curl);
+        will_return(__wrap_curl_easy_perform, (CURLcode) 9);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl_easy_perform() failed: Access denied to remote resource");
+
+    response = wurl_http_request(NULL, pheaders, url, NULL, max_size, 0);
+    os_free(pheaders);
+    assert_null(response);
+}
+
+void test_wurl_http_request_curl_easy_perform_fail_with_payload(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *pheaders = NULL;
+    char *url = "http://test.com";
+    const char *payload = "payload test";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_perform, curl, curl);
+        will_return(wrap_curl_easy_perform, (CURLcode) 9);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_perform, curl, curl);
+        will_return(__wrap_curl_easy_perform, (CURLcode) 9);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl_easy_perform() failed: Access denied to remote resource");
+
+    response = wurl_http_request(NULL, &pheaders, url, payload, max_size, 0);
+    assert_null(response);
+}
+
+void test_wurl_http_request_curl_easy_perform_fail_timeout(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *pheaders = NULL;
+    char *url = "http://test.com";
+    const char *payload = "payload test";
+    size_t max_size = 1;
+    long timeout = 1L;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_TIMEOUT);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_perform, curl, curl);
+        will_return(wrap_curl_easy_perform, (CURLcode) 28);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_TIMEOUT);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_perform, curl, curl);
+        will_return(__wrap_curl_easy_perform, (CURLcode) 28);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "curl_easy_perform() failed: Timeout was reached");
+
+    response = wurl_http_request(NULL, &pheaders, url, payload, max_size, 1);
+    assert_null(response);
+}
+
+void test_wurl_http_request_curl_easy_setopt_fail(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *pheaders = NULL;
+    char *url = "http://test.com";
+    const char *payload = "payload test";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, (CURLcode) 49);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, (CURLcode) 49);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Parameter setup error at CURL");
+
+    response = wurl_http_request(NULL, &pheaders, url, payload, max_size, 0);
+    assert_null(response);
+}
+
+void test_wurl_http_request_success(void **state)
+{
+    curl_response *response = NULL;
+    struct curl_slist* headers = (struct curl_slist*) 1;
+    CURL *curl = (CURL *) 1;
+    char *pheaders = NULL;
+    char *url = "http://test.com";
+    const char *payload = "payload test";
+    size_t max_size = 1;
+
+    #ifdef TEST_WINAGENT
+        will_return(wrap_curl_easy_init, curl);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(wrap_curl_slist_append, list, NULL);
+        will_return(wrap_curl_slist_append, headers);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(wrap_curl_easy_setopt, curl, curl);
+        will_return(wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(wrap_curl_easy_perform, curl, curl);
+        will_return(wrap_curl_easy_perform, CURLE_OK);
+
+        expect_value(wrap_curl_easy_getinfo, curl, curl);
+        expect_value(wrap_curl_easy_getinfo, option, CURLINFO_RESPONSE_CODE);
+        will_return(wrap_curl_easy_getinfo, CURLE_OK);
+
+        expect_value(wrap_curl_slist_free_all, list, headers);
+        expect_value(wrap_curl_easy_cleanup, curl, curl);
+
+    #else
+        will_return(__wrap_curl_easy_init, curl);
+
+        expect_FileSize("/etc/ssl/certs/ca-certificates.crt", 1);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_CUSTOMREQUEST);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_string(__wrap_curl_slist_append, data, "User-Agent: curl/7.58.0");
+        expect_value(__wrap_curl_slist_append, list, NULL);
+        will_return(__wrap_curl_slist_append, headers);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_WRITEDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HTTPHEADER);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERFUNCTION);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_HEADERDATA);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_URL);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_setopt, option, CURLOPT_POSTFIELDS);
+        expect_value(__wrap_curl_easy_setopt, curl, curl);
+        will_return(__wrap_curl_easy_setopt, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_perform, curl, curl);
+        will_return(__wrap_curl_easy_perform, CURLE_OK);
+
+        expect_value(__wrap_curl_easy_getinfo, curl, curl);
+        expect_value(__wrap_curl_easy_getinfo, option, CURLINFO_RESPONSE_CODE);
+        will_return(__wrap_curl_easy_getinfo, CURLE_OK);
+
+        expect_value(__wrap_curl_slist_free_all, list, headers);
+        expect_value(__wrap_curl_easy_cleanup, curl, curl);
+    #endif
+
+    response = wurl_http_request(NULL, &pheaders, url, payload, max_size, 0);
+    assert_non_null(response);
+    os_free(response->header);
+    os_free(response->body);
+    os_free(response);
+}
+
+int main(void)
+{
+    const struct CMUnitTest tests[] = {
+        // Tests wurl_http_request
+        cmocka_unit_test(test_wurl_http_request_url_null),
+        cmocka_unit_test(test_wurl_http_request_init_failure),
+        cmocka_unit_test(test_wurl_http_request_headers_list_null),
+        cmocka_unit_test(test_wurl_http_request_headers_tmp_null),
+        cmocka_unit_test(test_wurl_http_request_curl_easy_perform_fail_with_headers),
+        cmocka_unit_test(test_wurl_http_request_curl_easy_perform_fail_with_payload),
+        cmocka_unit_test(test_wurl_http_request_curl_easy_perform_fail_timeout),
+        cmocka_unit_test(test_wurl_http_request_curl_easy_setopt_fail),
+        cmocka_unit_test(test_wurl_http_request_success),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/common/url/tests/unit/wrappers/url_wrappers.c b/src/common/url/tests/unit/wrappers/url_wrappers.c
new file mode 100644
index 0000000000..3a6be7dddf
--- /dev/null
+++ b/src/common/url/tests/unit/wrappers/url_wrappers.c
@@ -0,0 +1,116 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "url_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../common.h"
+
+int __wrap_wurl_request(const char * url,
+                        const char * dest,
+                        const char *header,
+                        const char *data,
+                        const long timeout) {
+    if (url) {
+        check_expected(url);
+    }
+
+    if (dest) {
+        check_expected(dest);
+    }
+
+    if (header) {
+        check_expected(header);
+    }
+
+    if (data) {
+        check_expected(data);
+    }
+
+    if (timeout) {
+        check_expected(timeout);
+    }
+
+    return mock();
+}
+
+char* __wrap_wurl_http_get(const char * url, __attribute__((unused)) size_t max_size, long timeout) {
+    check_expected(url);
+
+    check_expected(timeout);
+
+    return mock_type(char *);
+}
+
+curl_response* __wrap_wurl_http_request(char *method, char **headers, const char* url, const char *payload, size_t max_size, long timeout) {
+    check_expected(method);
+
+    char** ptr = headers;
+    for (char* header = *ptr; header; header=*++ptr) {
+        check_expected(header);
+    }
+
+    check_expected(url);
+
+    if (payload) {
+        check_expected(payload);
+    }
+
+    check_expected(max_size);
+
+    check_expected(timeout);
+
+    return mock_type(curl_response*);
+}
+
+CURL* __wrap_curl_easy_init() {
+    return mock_type(CURL *);
+}
+
+void __wrap_curl_easy_cleanup(CURL *curl) {
+    check_expected_ptr(curl);
+}
+
+CURLcode __wrap_curl_easy_setopt(CURL *curl, CURLoption option, __attribute__ ((__unused__)) void *parameter) {
+    check_expected(option);
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
+
+struct curl_slist* __wrap_curl_slist_append(struct curl_slist *list, const char *data) {
+    check_expected(data);
+    check_expected_ptr(list);
+
+    return mock_type(struct curl_slist *);
+}
+
+CURLcode __wrap_curl_easy_perform(CURL *curl) {
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
+
+void __wrap_curl_slist_free_all(struct curl_slist *list) {
+    check_expected_ptr(list);
+}
+
+CURLcode __wrap_curl_easy_getinfo(CURL *curl, CURLoption option, __attribute__ ((__unused__)) void *parameter) {
+
+    check_expected(option);
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
+
+void __wrap_wurl_free_response(curl_response* response) {
+    check_expected_ptr(response);
+}
diff --git a/src/common/url/tests/unit/wrappers/url_wrappers.h b/src/common/url/tests/unit/wrappers/url_wrappers.h
new file mode 100644
index 0000000000..ad95ea9d0b
--- /dev/null
+++ b/src/common/url/tests/unit/wrappers/url_wrappers.h
@@ -0,0 +1,39 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef URL_WRAPPERS_H
+#define URL_WRAPPERS_H
+
+#include "../../../../headers/shared.h"
+#include "../../../../headers/url.h"
+
+int __wrap_wurl_request(const char * url, const char * dest, const char *header, const char *data, const long timeout);
+
+char* __wrap_wurl_http_get(const char * url, size_t max_size, long timeout);
+
+curl_response* __wrap_wurl_http_request(char *method, char **headers, const char* url, const char *payload, size_t max_size, long timeout);
+
+CURL* __wrap_curl_easy_init();
+
+void __wrap_curl_easy_cleanup(CURL* curl);
+
+CURLcode __wrap_curl_easy_setopt(CURL *curl, CURLoption option, void *parameter);
+
+struct curl_slist* __wrap_curl_slist_append(struct curl_slist *list, const char *string);
+
+CURLcode __wrap_curl_easy_perform(CURL *curl);
+
+void __wrap_curl_slist_free_all(struct curl_slist *list);
+
+CURLcode __wrap_curl_easy_getinfo(CURL *curl, CURLoption option, void *parameter);
+
+void __wrap_wurl_free_response(curl_response* response);
+
+#endif
diff --git a/src/modules/office365/src/office365.c b/src/common/utf8_op/CMakeLists.txt
similarity index 100%
rename from src/modules/office365/src/office365.c
rename to src/common/utf8_op/CMakeLists.txt
diff --git a/src/common/utf8_op/include/utf8_op.h b/src/common/utf8_op/include/utf8_op.h
new file mode 100644
index 0000000000..e8ac49f5a1
--- /dev/null
+++ b/src/common/utf8_op/include/utf8_op.h
@@ -0,0 +1,38 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * June 19, 2019
+ */
+
+
+/**
+ * @brief Return whether a string is UTF-8.
+ *
+ * @param string File path
+ * @return True if the file is UTF-8, false if not.
+ */
+bool w_utf8_valid(const char * string);
+
+
+/**
+ * @brief Get the pointer to the first character that does not match UTF-8, or the last byte (0).
+ *
+ * @param string String to be checked.
+ * @return Pointer to character.
+ */
+const char * w_utf8_drop(const char * string);
+
+
+/**
+ * @brief Filter string to remove or replace invalid characters.
+ *
+ * @param string String to be filtered.
+ * @param replacement Set to 0 for remove invalid characters or set to 1 to replace them.
+ * @return Return a new string with valid UTF-8 characters only.
+ */
+char * w_utf8_filter(const char * string, bool replacement);
diff --git a/src/common/utf8_op/src/utf8_op.c b/src/common/utf8_op/src/utf8_op.c
new file mode 100644
index 0000000000..ece6baffdd
--- /dev/null
+++ b/src/common/utf8_op/src/utf8_op.c
@@ -0,0 +1,116 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * June 19, 2019
+ * https://en.wikipedia.org/wiki/UTF-8
+ */
+
+#include <shared.h>
+
+#define REPLACEMENT_INC 4096
+
+/* Single byte: 0xxxxxxx */
+#define valid_1(x) (x[0] & 0x80) == 0
+
+/* Two bytes: 110xxxxx 10xxxxxx */
+/* Starting bytes 0xC0 and 0xC1 are forbidden (overlong) */
+#define valid_2(x) (x[0] & 0xE0) == 0xC0 && (x[0] & 0x1E) != 0 && (x[1] & 0xC0) == 0x80
+
+/* Three bytes: 1110xxxx 10xxxxxx 10xxxxxx */
+/* 0xE0 could start overlong encodings */
+/* 0xED (range U+D800–U+DFFF) is reserved for UTF-16 surrogate halves */
+#define valid_3(x) (x[0] & 0xF0) == 0xE0 && x[0] != (char)0xE0 && x[0] != (char)0xED && (x[1] & 0xC0) == 0x80 && (x[2] & 0xC0) == 0x80
+
+/* Four bytes: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+/* 0xF0 could start overlong encodings */
+/* Starting bytes 111101xx are forbidden (Unicode limit) */
+#define valid_4(x) (x[0] & 0xF8) == 0xF0 && x[0] != (char)0xF0 && (x[0] & 0x04) == 0 && (x[1] & 0xC0) == 0x80 && (x[2] & 0xC0) == 0x80 && (x[3] & 0xC0) == 0x80
+
+/* Return whether a string is UTF-8 */
+bool w_utf8_valid(const char * string) {
+    assert(string != NULL);
+    return *(w_utf8_drop(string)) == '\0';
+}
+
+/* Return pointer to the first character that does not match UTF-8, or the last byte (0) */
+const char * w_utf8_drop(const char * string) {
+    assert(string != NULL);
+
+    while (*string) {
+        if (valid_1(string)) {
+            string++;
+        } else if (valid_2(string)) {
+            string += 2;
+        } else if (valid_3(string)) {
+            string += 3;
+        } else if (valid_4(string)) {
+            string += 4;
+        } else {
+            return string;
+        }
+    }
+
+    return string;
+}
+
+/* Return a new string with valid UTF-8 characters only */
+char * w_utf8_filter(const char * string, bool replacement) {
+    assert(string != NULL);
+
+    const char * valid = w_utf8_drop(string);
+
+    if (*valid == '\0') {
+        char * copy;
+        os_strdup(string, copy);
+        return copy;
+    }
+
+    size_t size = strlen(string) + 1;
+    char * copy;
+    size_t i = valid - string;
+    size_t repl = 0;
+
+    os_malloc(size, copy);
+    memcpy(copy, string, i);
+
+    while (*valid) {
+        if (valid_1(valid)) {
+            copy[i++] = *valid++;
+        } else if (valid_2(valid)) {
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+        } else if (valid_3(valid)) {
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+        } else if (valid_4(valid)) {
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+            copy[i++] = *valid++;
+        } else {
+            if (replacement) {
+                if (repl < 3) {
+                    size += REPLACEMENT_INC;
+                    os_realloc(copy, size, copy);
+                    repl += REPLACEMENT_INC;
+                }
+
+                copy[i++] = 0xEF;
+                copy[i++] = 0xBF;
+                copy[i++] = 0xBD;
+                repl -= 3;
+            }
+
+            valid++;
+        }
+    }
+
+    copy[i] = '\0';
+    return copy;
+}
diff --git a/src/common/utf8_op/tests/unit/tests/CMakeLists.txt b/src/common/utf8_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..ffe573ab70
--- /dev/null
+++ b/src/common/utf8_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,52 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_utf8_op")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "-Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags " ")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/utf8_op/tests/unit/tests/test_utf8_op.c b/src/common/utf8_op/tests/unit/tests/test_utf8_op.c
new file mode 100644
index 0000000000..a6440be1d1
--- /dev/null
+++ b/src/common/utf8_op/tests/unit/tests/test_utf8_op.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+
+// Tests
+
+void test_utf8_random_replace(void **state)
+{
+    size_t i;
+    const size_t LENGTH = 4096;
+    char buffer[LENGTH];
+
+    randombytes(buffer, LENGTH - 1);
+
+    /* Avoid zeroes */
+
+    for (i = 0; i < LENGTH - 1; i++) {
+        buffer[i] = buffer[i] ? buffer[i] : '0';
+    }
+
+    buffer[LENGTH - 1] = '\0';
+
+    char * copy = w_utf8_filter(buffer, true);
+    int r = w_utf8_valid(copy);
+    free(copy);
+}
+
+void test_utf8_random_not_replace(void **state)
+{
+    size_t i;
+    const size_t LENGTH = 4096;
+    char buffer[LENGTH];
+
+    randombytes(buffer, LENGTH - 1);
+
+    /* Avoid zeroes */
+
+    for (i = 0; i < LENGTH - 1; i++) {
+        buffer[i] = buffer[i] ? buffer[i] : '0';
+    }
+
+    buffer[LENGTH - 1] = '\0';
+
+    char * copy = w_utf8_filter(buffer, false);
+    int r = w_utf8_valid(copy);
+    free(copy);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+            cmocka_unit_test(test_utf8_random_replace),
+            cmocka_unit_test(test_utf8_random_not_replace),
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/utils/abstractLocking.hpp b/src/common/utils/abstractLocking.hpp
new file mode 100644
index 0000000000..dd925bcf6c
--- /dev/null
+++ b/src/common/utils/abstractLocking.hpp
@@ -0,0 +1,68 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 18, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _ABSTRACT_LOCKING_HPP
+#define _ABSTRACT_LOCKING_HPP
+
+#include <mutex>
+#include <shared_mutex>
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    class ILocking
+    {
+        public:
+            virtual ~ILocking() = default;
+            virtual void lock() = 0;
+            virtual void unlock() = 0;
+    };
+
+    class SharedLocking final : public ILocking
+    {
+            std::shared_lock<std::shared_timed_mutex> m_lock;
+        public:
+            explicit SharedLocking(std::shared_timed_mutex& mutex)
+                : m_lock(std::shared_lock<std::shared_timed_mutex>(mutex)) {};
+
+            virtual ~SharedLocking() = default;
+            virtual void lock() override
+            {
+                m_lock.lock();
+            }
+            virtual void unlock() override
+            {
+                m_lock.unlock();
+            }
+    };
+
+    class ExclusiveLocking final : public ILocking
+    {
+            std::unique_lock<std::shared_timed_mutex> m_lock;
+        public:
+            explicit ExclusiveLocking(std::shared_timed_mutex& mutex)
+                : m_lock(std::unique_lock<std::shared_timed_mutex>(mutex)) {};
+
+            virtual ~ExclusiveLocking() = default;
+            virtual void lock() override
+            {
+                m_lock.lock();
+            }
+            virtual void unlock() override
+            {
+                m_lock.unlock();
+            }
+    };
+};
+
+#endif /* _ABSTRACT_LOCKING_HPP */
diff --git a/src/common/utils/abstractWait.h b/src/common/utils/abstractWait.h
new file mode 100644
index 0000000000..4e21680532
--- /dev/null
+++ b/src/common/utils/abstractWait.h
@@ -0,0 +1,71 @@
+/*
+ * Utils abstract wait
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _ABSTRACT_WAIT_HPP
+#define _ABSTRACT_WAIT_HPP
+
+#include <future>
+#include <thread>
+
+class IWait
+{
+    public:
+        virtual ~IWait() = default;
+        virtual void set_value() = 0;
+        virtual void wait() = 0;
+};
+
+class PromiseWaiting final : public IWait
+{
+        std::promise<void> m_promise;
+
+    public:
+        explicit PromiseWaiting() {};
+
+        virtual ~PromiseWaiting() = default;
+
+        virtual void set_value() override
+        {
+            m_promise.set_value();
+        }
+
+        virtual void wait() override
+        {
+            m_promise.get_future().wait();
+        }
+};
+
+
+class BusyWaiting final : public IWait
+{
+        std::atomic<bool> end;
+
+    public:
+        explicit BusyWaiting() : end {false} {};
+
+        virtual ~BusyWaiting() = default;
+
+        virtual void set_value() override
+        {
+            end = true;
+        }
+
+        virtual void wait() override
+        {
+            while (!end.load())
+            {
+                std::this_thread::sleep_for(std::chrono::seconds{1});
+            }
+        }
+};
+
+
+#endif // _ABSTRACT_WAIT_HPP
diff --git a/src/common/utils/builder.hpp b/src/common/utils/builder.hpp
new file mode 100644
index 0000000000..55c4369b53
--- /dev/null
+++ b/src/common/utils/builder.hpp
@@ -0,0 +1,56 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015-2021, Wazuh Inc.
+ * January 19, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _BUILDER_PATTERN_HPP
+#define _BUILDER_PATTERN_HPP
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+
+namespace Utils
+{
+    /**
+     * @brief This class provides a simple interface to construct an object using a Builder pattern.
+     *
+     * @tparam T Type of the object to be built.
+     * @tparam Ts Arguments.
+     */
+    template <typename T, class... Ts>
+    class Builder
+    {
+        public:
+            /**
+             * @brief This method is used to build an object.
+             *
+             * @param args Arguments.
+             * @return T Object built.
+             */
+            static T builder(Ts... args)
+            {
+                return T(args...); // Default constructor
+            }
+
+            /**
+             * @brief This method returns a reference to the object.
+             * @return T Reference to the object.
+             */
+            T & build()
+            {
+                return static_cast<T&>(*this); // Return reference to self
+            }
+    };
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _BUILDER_PATTERN_HPP
+
+
diff --git a/src/common/utils/cjsonSmartDeleter.hpp b/src/common/utils/cjsonSmartDeleter.hpp
new file mode 100644
index 0000000000..423c9e2096
--- /dev/null
+++ b/src/common/utils/cjsonSmartDeleter.hpp
@@ -0,0 +1,21 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 27, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CJSON_SMART_DELETER_HPP
+#define _CJSON_SMART_DELETER_HPP
+
+#include "customDeleter.hpp"
+#include "cJSON.h"
+
+struct CJsonSmartFree final : CustomDeleter<decltype(&cJSON_free), cJSON_free> {};
+struct CJsonSmartDeleter final : CustomDeleter<decltype(&cJSON_Delete), cJSON_Delete> {};
+
+#endif // _CJSON_SMART_DELETER_HPP
diff --git a/src/common/utils/customDeleter.hpp b/src/common/utils/customDeleter.hpp
new file mode 100644
index 0000000000..e55fd9796e
--- /dev/null
+++ b/src/common/utils/customDeleter.hpp
@@ -0,0 +1,25 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 27, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CUSTOM_DELETER_HPP
+#define _CUSTOM_DELETER_HPP
+
+template <typename F, F func>
+struct CustomDeleter
+{
+    template <typename T>
+    constexpr void operator()(T* arg) const
+    {
+        func(arg);
+    }
+};
+
+#endif // _CUSTOM_DELETER_HPP
diff --git a/src/common/utils/defer.hpp b/src/common/utils/defer.hpp
new file mode 100644
index 0000000000..11368301e8
--- /dev/null
+++ b/src/common/utils/defer.hpp
@@ -0,0 +1,73 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 16, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DEFER_H_
+#define _DEFER_H_
+
+#define DEFER(...) auto CONCAT(__defer_auto_defer__, __COUNTER__) = deferFunc(__VA_ARGS__)
+#define DEFER_STATIC(...) static auto CONCAT(__defer_auto_defer__, __COUNTER__) = deferFunc(__VA_ARGS__)
+
+#define CONCAT(x, y)      CONCAT_IMPL(x, y)
+#define CONCAT_IMPL(x, y) x##y
+
+/**
+ * @brief A Defer object calls a function object in its destructor
+ *
+ * This is a templated class that can store any type of function object. When the
+ * Defer object is destroyed (i.e., when it goes out of scope), its destructor
+ * calls the stored function object. This is useful for performing cleanup
+ * operations or releasing resources at the end of a scope.
+ *
+ * @tparam F The type of the function object to be stored
+ */
+template<typename F>
+class Defer final
+{
+    public:
+        /**
+         * @brief Constructor that stores a function object
+         * @param f The function object to be stored
+         */
+        explicit Defer(F f)
+            : m_f(f)
+        {
+        }
+
+        /**
+         * @brief Destructor that calls the stored function object
+         */
+        ~Defer()
+        {
+            m_f();
+        }
+
+    private:
+        F m_f; ///< The stored function object
+};
+
+/**
+ * @brief Create a Defer object that stores a function object
+ *
+ * This is a templated function that creates a Defer object and stores a given
+ * function object in it. It is intended to be used in conjunction with a lambda
+ * function to provide a simple implementation of a defer statement.
+ *
+ * @tparam F The type of the function object to be stored
+ * @param f The function object to be stored
+ * @return A Defer object that stores the given function object
+ */
+template<typename F>
+Defer<F> deferFunc(F f)
+{
+    return Defer<F>(f);
+}
+
+#endif // _DEFER_H_
diff --git a/src/common/utils/defs.h b/src/common/utils/defs.h
new file mode 100644
index 0000000000..3239e3a708
--- /dev/null
+++ b/src/common/utils/defs.h
@@ -0,0 +1,430 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009-2012 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Global Definitions */
+
+#ifndef OS_HEADERS
+#define OS_HEADERS
+
+#define TRUE            1
+#define FALSE           0
+
+#define READ    1
+#define WRITE   2
+
+#define OS_BINARY  0
+#define OS_TEXT    1
+
+/* Size limit control */
+#define OS_SIZE_1048576 1048576
+#define OS_SIZE_65536   65536
+#define OS_SIZE_61440   61440
+#define OS_SIZE_32768   32768
+#define OS_SIZE_20480   20480
+#define OS_SIZE_8192    8192
+#define OS_SIZE_6144    6144
+#define OS_SIZE_4096    4096
+#define OS_SIZE_2048    2048
+#define OS_SIZE_1024    1024
+#define OS_SIZE_512     512
+#define OS_SIZE_256     256
+#define OS_SIZE_128     128
+#define OS_SIZE_64      64
+#define OS_SIZE_32      32
+#define OS_SIZE_16      16
+
+/* Level of log messages */
+#define LOGLEVEL_DEBUG_VERBOSE 5
+#define LOGLEVEL_CRITICAL 4
+#define LOGLEVEL_ERROR 3
+#define LOGLEVEL_WARNING 2
+#define LOGLEVEL_INFO 1
+#define LOGLEVEL_DEBUG 0
+
+#define OS_MAXSTR       OS_SIZE_65536               /* Size for logs, sockets, etc      */
+#define OS_BUFFER_SIZE  OS_SIZE_2048                /* Size of general buffers          */
+#define OS_FLSIZE       OS_SIZE_256                 /* Maximum file size                */
+#define OS_HEADER_SIZE  OS_SIZE_128                 /* Maximum header size              */
+#define OS_LOG_HEADER   OS_SIZE_256                 /* Maximum log header size          */
+#define OS_SK_HEADER    OS_SIZE_6144                /* Maximum syscheck header size     */
+#define IPSIZE          INET6_ADDRSTRLEN            /* IP Address size                  */
+#define AUTH_POOL       1000                        /* Max number of connections        */
+#define BACKLOG         128                         /* Socket input queue length        */
+#define MAX_EVENTS      1024                        /* Max number of epoll events       */
+#define EPOLL_MILLIS    -1                          /* Epoll wait time                  */
+#define MAX_TAG_COUNTER 256                         /* Max retrying counter             */
+#define SOCK_RECV_TIME0 300                         /* Socket receiving timeout (s)     */
+#define MIN_ORDER_SIZE  32                          /* Minimum size of orders array     */
+#define KEEPALIVE_SIZE  700                         /* Random keepalive string size     */
+#define MAX_DYN_STR     4194304                     /* Max message size received 4MiB   */
+#define DATE_LENGTH     64                          /* Format date time %D %T           */
+#define OS_MAX_LOG_SIZE OS_MAXSTR - OS_LOG_HEADER   /* Maximum log size with a header protection */
+
+/* Some global names */
+#define __ossec_name    "Wazuh"
+#define __ossec_version "v5.0.0"
+#define __author        "Wazuh Inc."
+#define __contact       "info@wazuh.com"
+#define __site          "http://www.wazuh.com"
+#define __license       "\
+This program is free software; you can redistribute it and/or modify\n\
+it under the terms of the GNU General Public License (version 2) as \n\
+published by the Free Software Foundation. For more details, go to \n\
+https://www.gnu.org/licenses/gpl.html\n"
+
+/* Maximum allowed PID */
+#ifdef SOLARIS
+#define MAX_PID 29999
+#else
+#define MAX_PID 32768
+#endif
+
+/* First ID assigned by authd */
+#ifndef AUTHD_FIRST_ID
+#define AUTHD_FIRST_ID  1024
+#endif
+
+/* Notify the manager */
+#define NOTIFY_TIME     10      // ... every 10 seconds
+#define RECONNECT_TIME  60      // Time to reconnect
+
+/* User Configuration */
+#ifndef USER
+#define USER            "wazuh"
+#endif
+
+#ifndef ROOTUSER
+#define ROOTUSER        "root"
+#endif
+
+#ifndef GROUPGLOBAL
+#define GROUPGLOBAL     "wazuh"
+#endif
+
+// Standard super user UID and GID
+#define ROOT_UID (0)
+
+#define ROOT_GID (0)
+
+// Wazuh home environment variable
+#define WAZUH_HOME_ENV  "WAZUH_HOME"
+
+/* Default queue */
+#define DEFAULTQUEUE    "queue/sockets/queue"
+
+// Authd local socket
+#define AUTH_LOCAL_SOCK "queue/sockets/auth"
+
+// Key request socket
+#define KEY_REQUEST_SOCK "queue/sockets/krequest"
+
+// Local requests socket
+#define COM_LOCAL_SOCK  "queue/sockets/com"
+#define LC_LOCAL_SOCK  "queue/sockets/logcollector"
+#define SYS_LOCAL_SOCK  "queue/sockets/syscheck"
+#define WM_LOCAL_SOCK  "queue/sockets/wmodules"
+#define REMOTE_LOCAL_SOCK  "queue/sockets/remote"
+#define ANLSYS_LOCAL_SOCK  "queue/sockets/analysis"
+#define MAIL_LOCAL_SOCK "queue/sockets/mail"
+#define LESSD_LOCAL_SOCK "queue/sockets/agentless"
+#define INTG_LOCAL_SOCK "queue/sockets/integrator"
+#define CSYS_LOCAL_SOCK  "queue/sockets/csyslog"
+#define MON_LOCAL_SOCK  "queue/sockets/monitor"
+#define CLUSTER_SOCK "queue/cluster/c-internal.sock"
+#define CONTROL_SOCK "queue/sockets/control"
+#define LOGTEST_SOCK "queue/sockets/logtest"
+#define AGENT_UPGRADE_SOCK "queue/sockets/upgrade"
+
+// Tasks socket
+#define TASK_QUEUE "queue/tasks/task"
+
+// Attempts to check sockets availability
+#define SOCK_ATTEMPTS   10
+
+// Database socket
+#define WDB_LOCAL_SOCK "queue/db/wdb"
+
+#define WM_DOWNLOAD_SOCK "queue/sockets/download"
+
+// Tasks socket
+#define WM_UPGRADE_SOCK "queue/tasks/upgrade"
+
+#define WM_TASK_MODULE_SOCK "queue/tasks/task"
+
+/* Active Response files */
+#define DEFAULTAR_FILE  "ar.conf"
+#define AR_BINDIR       "active-response/bin"
+#ifndef WIN32
+#define DEFAULTAR       "etc/shared/" DEFAULTAR_FILE
+#define AGENTCONFIG     "etc/shared/agent.conf"
+#define DEF_CA_STORE    "etc/wpk_root.pem"
+#else
+#define DEFAULTAR       "shared/" DEFAULTAR_FILE
+#define AGENTCONFIG     "shared/agent.conf"
+#define DEF_CA_STORE    "wpk_root.pem"
+#endif
+
+/* Exec queue */
+#define EXECQUEUE       "queue/alerts/execq"
+
+/* Security configuration assessment module queue */
+#define CFGAQUEUE       "queue/alerts/cfgaq"
+
+/* Security configuration assessment remoted queue */
+#define CFGARQUEUE       "queue/alerts/cfgarq"
+
+/* Active Response queue */
+#define ARQUEUE         "queue/alerts/ar"
+
+/* Decoder file */
+#define XML_LDECODER    "etc/decoders/local_decoder.xml"
+
+/* Agent groups location */
+#define GROUPS_DIR    "queue/agent-groups"
+
+/* Default group name */
+#define DEFAULT_GROUP "default"
+
+/* Syscollector normalization configs */
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#define SYSCOLLECTOR_NORM_CONFIG_DISK_PATH    ".\\norm_config.json"
+#else
+#define SYSCOLLECTOR_NORM_CONFIG_DISK_PATH    "./norm_config.json"
+#endif // WIN32
+#else
+#define SYSCOLLECTOR_NORM_CONFIG_DISK_PATH "queue/syscollector/norm_config.json"
+#endif // WAZUH_UNIT_TESTING
+
+#if defined(__MACH__)
+#define SYSCOLLECTOR_NORM_TYPE "macos"
+#elif defined(WIN32)
+#define SYSCOLLECTOR_NORM_TYPE "windows"
+#else
+#define SYSCOLLECTOR_NORM_TYPE "linux"
+#endif // __MACH__
+
+
+/* Syscollector db directory */
+#ifndef WAZUH_UNIT_TESTING
+#define SYSCOLLECTOR_DB_DISK_PATH "queue/syscollector/db/local.db"
+#else
+#ifndef WIN32
+#define SYSCOLLECTOR_DB_DISK_PATH    "./local.db"
+#else
+#define SYSCOLLECTOR_DB_DISK_PATH    ".\\local.db"
+#endif // WIN32
+#endif // WAZUH_UNIT_TESTING
+
+/* Wazuh Database */
+#define WDB_DIR                "var/db"
+#define WDB2_DIR               "queue/db"
+#define WDB_GLOB_NAME          "global"
+#define WDB_MITRE_NAME         "mitre"
+#define WDB_PROF_NAME          ".template.db"
+#define WDB_PROF_PATH          WDB2_DIR "/" WDB_PROF_NAME
+#define WDB_TASK_DIR           "queue/tasks"
+#define WDB_TASK_NAME          "tasks"
+#define WDB_BACKUP_FOLDER      "backup/db"
+#define WDB_GLOB_BACKUP_NAME   WDB_GLOB_NAME".db-backup"
+
+/* Diff queue */
+#define DIFF_DIR        "queue/diff"
+#define DIFF_NEW_FILE   "new-entry"
+#define DIFF_LAST_FILE  "last-entry"
+#define DIFF_GZ_FILE    "last-entry.gz"
+#define DIFF_TEST_HOST  "__test"
+
+/* Syscheck data */
+#define SYSCHECK        "syscheck"
+#define SYSCHECK_REG    "syscheck-registry"
+
+/* Rule path */
+#define RULEPATH        "rules"
+
+/* Wait file */
+#ifndef WIN32
+#define WAIT_FILE       "queue/sockets/.wait"
+#else
+#define WAIT_FILE       ".wait"
+#endif
+
+/* Agent information file */
+#ifndef WIN32
+#define AGENT_INFO_FILE "queue/sockets/.agent_info"
+#else
+#define AGENT_INFO_FILE ".agent_info"
+#endif
+
+/* Agentless directories */
+#define AGENTLESSDIR        "agentless"
+#define AGENTLESS_ENTRYDIR  "queue/agentless"
+
+/* Integration directory. */
+#define INTEGRATORDIR "integrations"
+
+
+/* Internal definitions files */
+#ifndef WIN32
+#define OSSEC_DEFINES   "etc/internal_options.conf"
+#define OSSEC_LDEFINES   "etc/local_internal_options.conf"
+#else
+#define OSSEC_DEFINES   "internal_options.conf"
+#define OSSEC_LDEFINES   "local_internal_options.conf"
+#endif
+
+/* Log directories */
+#define EVENTS            "logs/archives"
+#define EVENTS_DAILY      "logs/archives/archives.log"
+#define ALERTS            "logs/alerts"
+#define ALERTS_DAILY      "logs/alerts/alerts.log"
+#define ALERTSJSON_DAILY  "logs/alerts/alerts.json"
+#define FWLOGS            "logs/firewall"
+#define FWLOGS_DAILY      "logs/firewall/firewall.log"
+#define EVENTSJSON_DAILY  "logs/archives/archives.json"
+
+/* Stats directories */
+#define STATWQUEUE  "stats/weekly-average"
+#define STATQUEUE   "stats/hourly-average"
+#define STATSAVED   "stats/totals"
+
+/* Authentication keys file */
+#ifndef WIN32
+#define KEYS_FILE       "etc/client.keys"
+#define AUTHD_PASS      "etc/authd.pass"
+#else
+#define KEYS_FILE       "client.keys"
+#define AUTHD_PASS      "authd.pass"
+#endif
+
+/* Timestamp file */
+#define TIMESTAMP_FILE  "queue/agents-timestamp"
+
+/* Shared config directory */
+#ifndef WIN32
+#define SHAREDCFG_DIR   "etc/shared"
+#else
+#define SHAREDCFG_DIR   "shared"
+#endif
+
+/* Multi-groups directory */
+#define MULTIGROUPS_DIR   "var/multigroups"
+#define MAX_GROUP_NAME 255
+#define MULTIGROUP_SEPARATOR ','
+#define MAX_GROUPS_PER_MULTIGROUP 128
+
+// Incoming directory
+#ifndef WIN32
+#define INCOMING_DIR   "var/incoming"
+#else
+#define INCOMING_DIR   "incoming"
+#endif
+
+// Upgrade directory
+#ifndef WIN32
+#define UPGRADE_DIR   "var/upgrade"
+#else
+#define UPGRADE_DIR   "upgrade"
+#endif
+
+// Download directory
+#define DOWNLOAD_DIR  "var/download"
+
+/* Built-in defines */
+
+#ifndef WIN32
+#define OSSECCONF       "etc/ossec.conf"
+#else
+#define OSSECCONF       "ossec.conf"
+#endif
+
+#define SHAREDCFG_FILE      SHAREDCFG_DIR "/merged.mg"
+#define SHAREDCFG_FILENAME  "merged.mg"
+
+#define MAX_QUEUED_EVENTS_PATH "/proc/sys/fs/inotify/max_queued_events"
+
+#define TMP_DIR "tmp"
+
+/* Windows COMSPEC */
+#define COMSPEC "C:\\Windows\\System32\\cmd.exe"
+
+/* Default ports */
+#ifndef DEFAULT_SECURE
+#define DEFAULT_SECURE 1514 /* Default encrypted */
+#endif
+
+#ifndef DEFAULT_SYSLOG
+#define DEFAULT_SYSLOG 514 /* Default syslog port - udp */
+#endif
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+/* XML global elements */
+#ifndef xml_global
+#define xml_global "global"
+#endif
+
+#ifndef xml_alerts
+#define xml_alerts "alerts"
+#endif
+
+#ifndef xml_rules
+#define xml_rules "rules"
+#endif
+
+#ifndef xml_localfile
+#define xml_localfile "localfile"
+#endif
+
+#ifndef xml_remote
+#define xml_remote "remote"
+#endif
+
+#ifndef xml_client
+#define xml_client "client"
+#endif
+
+#ifndef xml_execd
+#define xml_execd "execd"
+#endif
+
+#ifndef xml_syscheck
+#define xml_syscheck "syscheck"
+#endif
+
+#ifndef xml_rootcheck
+#define xml_rootcheck "rootcheck"
+#endif
+
+#ifndef xml_command
+#define xml_command  "command"
+#endif
+
+#ifndef xml_ar
+#define xml_ar      "active-response"
+#endif
+
+#define CLOCK_LENGTH 256
+
+#define SECURITY_CONFIGURATION_ASSESSMENT_DIR       "ruleset/sca"
+
+#define SECURITY_CONFIGURATION_ASSESSMENT_DIR_WIN   "ruleset\\sca"
+
+#ifdef WIN32
+#define FTELL_TT "%lld"
+#define FTELL_INT64 (int64_t)
+#else
+#define FTELL_TT "%ld"
+#define FTELL_INT64 (long)
+#endif
+
+#endif /* OS_HEADERS */
diff --git a/src/common/utils/makeUnique.h b/src/common/utils/makeUnique.h
new file mode 100644
index 0000000000..c585f27778
--- /dev/null
+++ b/src/common/utils/makeUnique.h
@@ -0,0 +1,61 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 14, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Taken from isocpp.org/files/papers/N3656.txt
+ * Stephan T. Lavavej <stl@microsoft.com>
+ */
+#ifndef _MAKE_UNIQUE_H
+#define _MAKE_UNIQUE_H
+
+#if __cplusplus < 201402L
+#include <cstddef>
+#include <memory>
+#include <type_traits>
+#include <utility>
+
+namespace std
+{
+    template<class T> struct _Unique_if
+    {
+        typedef unique_ptr<T> _Single_object;
+    };
+
+    template<class T> struct _Unique_if<T[]>
+    {
+        typedef unique_ptr<T[]> _Unknown_bound;
+    };
+
+    template<class T, size_t N> struct _Unique_if<T[N]>
+    {
+        typedef void _Known_bound;
+    };
+
+    template<class T, class... Args>
+    typename _Unique_if<T>::_Single_object
+    make_unique(Args&& ... args)
+    {
+        return unique_ptr<T>(new T(std::forward<Args>(args)...));
+    }
+
+    template<class T>
+    typename _Unique_if<T>::_Unknown_bound
+    make_unique(size_t n)
+    {
+        typedef typename remove_extent<T>::type U;
+        return unique_ptr<T>(new U[n]());
+    }
+
+    template<class T, class... Args>
+    typename _Unique_if<T>::_Known_bound
+    make_unique(Args&& ...) = delete;
+}
+#endif
+#endif //_MAKE_UNIQUE_H
\ No newline at end of file
diff --git a/src/common/utils/osPrimitivesImplMac.h b/src/common/utils/osPrimitivesImplMac.h
new file mode 100644
index 0000000000..344593597b
--- /dev/null
+++ b/src/common/utils/osPrimitivesImplMac.h
@@ -0,0 +1,106 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _OSPRIMITIVES_IMPL_MAC_H
+#define _OSPRIMITIVES_IMPL_MAC_H
+
+#include "osPrimitivesInterfaceMac.h"
+
+class OsPrimitivesMac : public IOsPrimitivesMac
+{
+    public:
+        OsPrimitivesMac() = default;
+        // LCOV_EXCL_START
+        virtual ~OsPrimitivesMac() = default;
+        // LCOV_EXCL_STOP
+
+        int sysctl(int* name, u_int namelen, void* oldp, size_t* oldlenp, void* newp, size_t newlen) const
+        {
+            return ::sysctl(name, namelen, oldp, oldlenp, newp, newlen);
+        }
+
+        int sysctlbyname(const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen) const
+        {
+            return ::sysctlbyname(name, oldp, oldlenp, newp, newlen);
+        }
+
+        CFMutableDictionaryRef IOServiceMatching(const char* name) const
+        {
+            return ::IOServiceMatching(name);
+        }
+
+        kern_return_t IOServiceGetMatchingServices(mach_port_t mainPort, CFDictionaryRef matching, io_iterator_t* existing) const
+        {
+            return ::IOServiceGetMatchingServices(mainPort, matching, existing);
+        }
+
+        io_object_t IOIteratorNext(io_iterator_t iterator) const
+        {
+            return ::IOIteratorNext(iterator);
+        }
+
+        kern_return_t IORegistryEntryGetName(io_registry_entry_t entry, io_name_t name) const
+        {
+            return ::IORegistryEntryGetName(entry, name);
+        }
+
+        kern_return_t IORegistryEntryCreateCFProperties(io_registry_entry_t entry, CFMutableDictionaryRef* properties, CFAllocatorRef allocator, IOOptionBits options) const
+        {
+            return ::IORegistryEntryCreateCFProperties(entry, properties, allocator, options);
+        }
+
+        kern_return_t IOObjectRelease(io_object_t object) const
+        {
+            return ::IOObjectRelease(object);
+        }
+
+        CFStringRef CFStringCreateWithCString(CFAllocatorRef alloc, const char* cStr, CFStringEncoding encoding) const
+        {
+            return ::CFStringCreateWithCString(alloc, cStr, encoding);
+        }
+
+        const void* CFDictionaryGetValue(CFDictionaryRef theDict, const void* key) const
+        {
+            return ::CFDictionaryGetValue(theDict, key);
+        }
+
+        CFTypeID CFGetTypeID(CFTypeRef cf) const
+        {
+            return ::CFGetTypeID(cf);
+        }
+
+        CFTypeID CFDataGetTypeID(void) const
+        {
+            return ::CFDataGetTypeID();
+        }
+
+        CFIndex CFDataGetLength(CFDataRef theData) const
+        {
+            return ::CFDataGetLength(theData);
+        }
+
+        void CFDataGetBytes(CFDataRef theData, CFRange range, UInt8* buffer) const
+        {
+            return ::CFDataGetBytes(theData, range, buffer);
+        }
+
+        CFRange CFRangeMake(CFIndex loc, CFIndex len) const
+        {
+            return ::CFRangeMake(loc, len);
+        }
+
+        void CFRelease(CFTypeRef cf) const
+        {
+            ::CFRelease(cf);
+        }
+};
+
+#endif // _OSPRIMITIVES_IMPL_MAC_H
diff --git a/src/common/utils/osPrimitivesInterfaceMac.h b/src/common/utils/osPrimitivesInterfaceMac.h
new file mode 100644
index 0000000000..d971e5a9af
--- /dev/null
+++ b/src/common/utils/osPrimitivesInterfaceMac.h
@@ -0,0 +1,45 @@
+/*
+ * Wazuh SYSINFO
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 11, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _OSPRIMITIVES_INTERFACE_MAC_H
+#define _OSPRIMITIVES_INTERFACE_MAC_H
+
+#include "IOKit/IOKitLib.h"
+#include "CoreFoundation/CFBase.h"
+
+class IOsPrimitivesMac
+{
+    public:
+        // LCOV_EXCL_START
+        virtual ~IOsPrimitivesMac() = default;
+        // LCOV_EXCL_STOP
+
+        virtual int sysctl(int* name, u_int namelen, void* oldp, size_t* oldlenp, void* newp, size_t newlen) const = 0;
+        virtual int sysctlbyname(const char* name, void* oldp, size_t* oldlenp, void* newp, size_t newlen) const = 0;
+
+        virtual CFMutableDictionaryRef IOServiceMatching(const char* name) const = 0;
+        virtual kern_return_t IOServiceGetMatchingServices(mach_port_t mainPort, CFDictionaryRef matching, io_iterator_t* existing) const = 0;
+        virtual io_object_t IOIteratorNext(io_iterator_t iterator) const = 0;
+        virtual kern_return_t IORegistryEntryGetName(io_registry_entry_t entry, io_name_t name) const = 0;
+        virtual kern_return_t IORegistryEntryCreateCFProperties(io_registry_entry_t entry, CFMutableDictionaryRef* properties, CFAllocatorRef allocator, IOOptionBits options) const = 0;
+        virtual kern_return_t IOObjectRelease(io_object_t object) const = 0;
+
+        virtual CFStringRef CFStringCreateWithCString(CFAllocatorRef alloc, const char* cStr, CFStringEncoding encoding) const = 0;
+        virtual const void* CFDictionaryGetValue(CFDictionaryRef theDict, const void* key) const = 0;
+        virtual CFTypeID CFGetTypeID(CFTypeRef cf) const = 0;
+        virtual CFTypeID CFDataGetTypeID(void) const = 0;
+        virtual CFIndex CFDataGetLength(CFDataRef theData) const = 0;
+        virtual void CFDataGetBytes(CFDataRef theData, CFRange range, UInt8* buffer) const = 0;
+        virtual CFRange CFRangeMake(CFIndex loc, CFIndex len) const = 0;
+        virtual void CFRelease(CFTypeRef cf) const = 0;
+};
+
+#endif // _OSPRIMITIVES_INTERFACE_MAC_H
diff --git a/src/common/utils/os_err.h b/src/common/utils/os_err.h
new file mode 100644
index 0000000000..e0bdaa3d24
--- /dev/null
+++ b/src/common/utils/os_err.h
@@ -0,0 +1,36 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Basic error codes */
+
+#ifndef OS_ERR
+#define OS_ERR
+
+#define OS_SUCCESS      0   /* Success                  */
+#define OS_INVALID      -1  /* Invalid entry            */
+#define OS_NOTFOUND     -2  /* Entry not found          */
+#define OS_FILERR       -3  /* Error in the file        */
+#define OS_SIZELIM      -4  /* Size limit problem       */
+#define OS_CFGERR       -5  /* Configuration error      */
+#define OS_SOCKTERR     -6  /* Socket error             */
+#define OS_MISVALUE     -7  /* There are values missing */
+#define OS_CONNERR      -8  /* Connection failed        */
+#define OS_UNDEF        -9  /* Uknown error             */
+#define OS_MEMERR       -10 /* Memory Error             */
+#define OS_SOCKBUSY     -11 /* Socket busy -- try again */
+#define OS_MAXLEN       -12 /* Max length               */
+#define OS_TIMEOUT      -13 /* Timeout error            */
+
+#define OS_ENDFILE      -20 /* End of file              */
+#define OS_FINISH       -21 /* Finished this task       */
+
+typedef int w_err_t;
+
+#endif /* OS_ERR */
diff --git a/src/common/utils/os_ip.h b/src/common/utils/os_ip.h
new file mode 100644
index 0000000000..7aec7950e4
--- /dev/null
+++ b/src/common/utils/os_ip.h
@@ -0,0 +1,37 @@
+#ifndef SHARED_OS_IP_H
+#define SHARED_OS_IP_H
+
+#define w_free_os_ip(x)                                                                                                \
+    if (x) {                                                                                                           \
+        if (x->is_ipv6) {                                                                                              \
+            os_free(x->ipv6)                                                                                           \
+        } else {                                                                                                       \
+            os_free(x->ipv4)                                                                                           \
+        };                                                                                                             \
+        os_free(x->ip);                                                                                                \
+        os_free(x)                                                                                                     \
+    }
+
+/* IPv4 structure */
+typedef struct _os_ipv4 {
+    unsigned int ip_address;
+    unsigned int netmask;
+} os_ipv4;
+
+/* IPv6 structure */
+typedef struct _os_ipv6 {
+    uint8_t ip_address[16];
+    uint8_t netmask[16];
+} os_ipv6;
+
+/* IP structure */
+typedef struct _os_ip {
+    char * ip;
+    union {
+        os_ipv4 * ipv4;
+        os_ipv6 * ipv6;
+    };
+    bool is_ipv6;
+} os_ip;
+
+#endif /* SHARED_OS_IP_H */
diff --git a/src/common/utils/promiseFactory.h b/src/common/utils/promiseFactory.h
new file mode 100644
index 0000000000..2544f5ea7a
--- /dev/null
+++ b/src/common/utils/promiseFactory.h
@@ -0,0 +1,42 @@
+/*
+ * Promise factory
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 4, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "abstractWait.h"
+
+#ifndef _PROMISE_FACTORY_HPP
+#define _PROMISE_FACTORY_HPP
+
+enum PromiseType
+{
+    NORMAL,
+    SLEEP
+};
+
+template<PromiseType osType>
+class PromiseFactory final
+{
+public:
+    static std::shared_ptr<IWait> getPromiseObject()
+    {
+        return std::make_shared<PromiseWaiting>();
+    }
+};
+
+template<>
+class PromiseFactory<PromiseType::SLEEP> final
+{
+public:
+    static std::shared_ptr<IWait> getPromiseObject()
+    {
+        return std::make_shared<BusyWaiting>();
+    }
+};
+
+#endif // _PROMISE_FACTORY_HPP
diff --git a/src/common/utils/shared.h b/src/common/utils/shared.h
new file mode 100644
index 0000000000..54fe42fe2a
--- /dev/null
+++ b/src/common/utils/shared.h
@@ -0,0 +1,234 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/*
+ *  The stack smashing protector defeats some BoF via: gcc -fstack-protector
+ *  Reference: http://gcc.gnu.org/onlinedocs/gcc-4.1.2/cpp.pdf
+ */
+
+#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 1) && (__GNUC_PATCHLEVEL__ >= 2)) || \
+                          ((__GNUC__ == 4) && (__GNUC_MINOR__ >= 2)) || \
+                           (__GNUC__ >= 5))
+
+/* Heuristically enable the stack protector on sensitive functions */
+#define __SSP__ 1
+
+/* FORTIFY_SOURCE is RedHat / Fedora specific */
+#define FORTIFY_SOURCE
+#endif
+
+#ifndef SHARED_H
+#define SHARED_H
+
+#ifndef LARGEFILE64_SOURCE
+#define LARGEFILE64_SOURCE
+#endif /* LARGEFILE64_SOURCE */
+
+#ifndef FILE_OFFSET_BITS
+#define FILE_OFFSET_BITS 64
+#endif /* FILE_OFFSET_BITS */
+
+/* Global headers */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/param.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <assert.h>
+
+#ifndef WIN32
+#include <sys/wait.h>
+#include <sys/resource.h>
+
+// Only Linux and FreeBSD need mount.h */
+#if defined(Linux) || defined(FreeBSD)
+#include <sys/mount.h>
+#endif
+
+/* HPUX does not have select.h */
+#ifndef HPUX
+#include <sys/select.h>
+#endif
+
+#include <sys/utsname.h>
+#endif /* WIN32 */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <ctype.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <pthread.h>
+
+/* The mingw32 builder used by travis.ci can't find glob.h
+ * Yet glob must work on actual win32.
+ */
+#ifndef __MINGW32__
+#include <glob.h>
+#endif
+
+#ifndef WIN32
+#include <netdb.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#else
+#include <winsock2.h>
+#include <windows.h>
+#include <io.h>
+#include <ws2tcpip.h>
+#include <shlwapi.h>
+#include <direct.h>
+#endif
+
+#ifdef __cplusplus
+#include <atomic>
+#define _Atomic(T) std::atomic<T>
+#else
+#ifdef hpux
+// TODO: remove this line after upgrading GCC on HP-UX
+#define _Atomic(T) T
+#endif
+#endif
+
+#include <time.h>
+#include <errno.h>
+#include <libgen.h>
+
+#ifndef LARGEFILE64_SOURCE
+#define LARGEFILE64_SOURCE
+#endif /* LARGEFILE64_SOURCE */
+
+#ifndef FILE_OFFSET_BITS
+#define FILE_OFFSET_BITS 64
+#endif /* FILE_OFFSET_BITS */
+
+/* Global portability code */
+
+#ifdef SOLARIS
+#include <limits.h>
+typedef uint32_t u_int32_t;
+typedef uint16_t u_int16_t;
+typedef uint8_t u_int8_t;
+
+#ifndef va_copy
+#define va_copy __va_copy
+#endif
+
+#endif /* SOLARIS */
+
+#if defined(HPUX) || defined(DOpenBSD)
+#include <limits.h>
+typedef uint64_t u_int64_t;
+typedef int int32_t;
+typedef uint32_t u_int32_t;
+typedef uint16_t u_int16_t;
+typedef uint8_t u_int8_t;
+
+#define MSG_DONTWAIT 0
+#endif
+
+#ifdef Darwin
+typedef int sock2len_t;
+#endif
+
+#ifndef WIN32
+#define CloseSocket(x) close(x)
+#endif
+
+#ifdef WIN32
+typedef int uid_t;
+typedef int gid_t;
+typedef int socklen_t;
+#define sleep(x) Sleep((x) * 1000)
+#define srandom(x) srand(x)
+#define lstat(x,y) stat(x,y)
+#define CloseSocket(x) closesocket(x)
+void WinSetError();
+typedef uint32_t u_int32_t;
+typedef uint16_t u_int16_t;
+typedef uint8_t u_int8_t;
+
+#define MSG_DONTWAIT    0
+
+#ifndef PROCESSOR_ARCHITECTURE_AMD64
+#define PROCESSOR_ARCHITECTURE_AMD64 9
+#endif
+#endif /* WIN32 */
+
+#ifdef AIX
+#define MSG_DONTWAIT MSG_NONBLOCK
+#endif
+
+#if defined(__GNUC__) && __GNUC__ >= 7
+#define WFALLTHROUGH __attribute__ ((fallthrough))
+#else
+#define WFALLTHROUGH ((void) 0)
+#endif
+
+/* Common structure for socket forwarding in Analysisd and logcollector */
+typedef struct _socket_forwarder {
+    char   *name;
+    char   *location;
+    int    mode;
+    char   *prefix;
+    int    socket;
+    time_t last_attempt;
+} socket_forwarder;
+
+
+extern const char *__local_name;
+/*** Global prototypes ***/
+/*** These functions will exit on error. No need to check return code ***/
+
+/* for calloc: x = calloc(4,sizeof(char)) -> os_calloc(4,sizeof(char),x) */
+#define os_calloc(x,y,z) ((z = (__typeof__(z)) calloc(x,y)))?(void)1:merror_exit(MEM_ERROR, errno, strerror(errno))
+
+#define os_strdup(x,y) ((y = strdup(x)))?(void)1:merror_exit(MEM_ERROR, errno, strerror(errno))
+
+#define os_malloc(x,y) ((y = (__typeof__(y)) malloc(x)))?(void)1:merror_exit(MEM_ERROR, errno, strerror(errno))
+
+#define os_free(x) if(x){free(x);x=NULL;}
+
+#define os_realloc(x,y,z) ((z = (__typeof__(z))realloc(x,y)))?(void)1:merror_exit(MEM_ERROR, errno, strerror(errno))
+
+#define os_clearnl(x,p) if((p = strrchr(x, '\n')))*p = '\0';
+
+#define w_fclose(x) if (x) { fclose(x); x=NULL; }
+
+#define w_strdup(x,y) ({ int retstr = 0; if (x) { os_strdup(x, y);} else retstr = 1; retstr;})
+
+#define sqlite_strdup(x,y) ({ if (x) { os_strdup(x, y); } else (void)0; })
+
+#define w_strlen(x) ({ size_t ret = 0; if (x) ret = strlen(x); ret;})
+
+// Calculate the number of elements within an array.
+// Only static arrays allowed.
+#define array_size(array) (sizeof(array)/sizeof(array[0]))
+
+#ifdef CLIENT
+#define isAgent 1
+#else
+#define isAgent 0
+#endif
+
+#ifndef WAZUH_UNIT_TESTING
+#define FOREVER() 1
+#endif
+
+#endif /* SHARED_H */
diff --git a/src/common/utils/singleton.hpp b/src/common/utils/singleton.hpp
new file mode 100644
index 0000000000..7e5fae0838
--- /dev/null
+++ b/src/common/utils/singleton.hpp
@@ -0,0 +1,31 @@
+/*
+ * Wazuh Utils - Singleton template
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 20, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _SINGLETON_HPP
+#define _SINGLETON_HPP
+
+template<typename T>
+class Singleton
+{
+    public:
+        static T& instance()
+        {
+            static T s_instance;
+            return s_instance;
+        }
+    protected:
+        Singleton() = default;
+        virtual ~Singleton() = default;
+        Singleton(const Singleton&) = delete;
+        Singleton& operator=(const Singleton&) = delete;
+};
+
+#endif // _SINGLETON_HPP
diff --git a/src/common/utils/tests/unit/wrappers/common.c b/src/common/utils/tests/unit/wrappers/common.c
new file mode 100644
index 0000000000..d2afef24ad
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/common.c
@@ -0,0 +1,33 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <time.h>
+#include <stdio.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include "headers/defs.h"
+
+time_t time_mock_value;
+int test_mode = 0;
+int activate_full_db = 0;
+
+int FOREVER() {
+    return 1;
+}
+
+int __wrap_FOREVER() {
+    return mock();
+}
+
+time_t wrap_time (__attribute__ ((__unused__)) time_t *t) {
+    return time_mock_value;
+}
diff --git a/src/common/utils/tests/unit/wrappers/common.h b/src/common/utils/tests/unit/wrappers/common.h
new file mode 100644
index 0000000000..7f5f2885bd
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/common.h
@@ -0,0 +1,38 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef COMMON_H
+#define COMMON_H
+
+#include <time.h>
+#include <stdio.h>
+
+extern int test_mode;
+extern int activate_full_db;
+
+int FOREVER();
+
+int __wrap_FOREVER();
+
+time_t wrap_time (time_t *t);
+
+#ifdef WIN32
+extern time_t time_mock_value;
+
+#define time(x) wrap_time(x)
+#endif
+
+#ifndef __MACH__
+#ifndef expect_any_always
+#define expect_any_always(function, parameter) expect_any_count(function, parameter, -1)
+#endif
+#endif
+
+#endif /* COMMON_H */
diff --git a/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.c
new file mode 100644
index 0000000000..ed096ca307
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.c
@@ -0,0 +1,92 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#ifndef __MACH__
+#include "libaudit_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_audit_add_rule_data() {
+    return mock();
+}
+
+int __wrap_audit_add_watch_dir(int type,
+                               __attribute__((unused)) struct audit_rule_data **rulep,
+                               const char *path) {
+    check_expected(type);
+    check_expected(path);
+
+    return mock();
+}
+
+int __wrap_audit_close() {
+    return mock();
+}
+
+int __wrap_audit_delete_rule_data() {
+    return mock();
+}
+
+char *__wrap_audit_errno_to_name() {
+    return mock_type(char *);
+}
+
+int __wrap_audit_get_reply(int fd,
+                           struct audit_reply *rep,
+                           reply_t block,
+                           __attribute__((unused)) int peek) {
+    check_expected(fd);
+    check_expected(block);
+
+    struct audit_reply *reply = mock_type(struct audit_reply *);
+    if (reply) {
+        *rep = *reply;
+    }
+
+    return mock();
+}
+
+int __wrap_audit_open() {
+    return mock();
+}
+
+int __wrap_audit_rule_fieldpair_data(__attribute__((unused)) struct audit_rule_data **rulep,
+                                     const char *pair,
+                                     int flags) {
+    check_expected(pair);
+    check_expected(flags);
+
+    return mock();
+}
+
+int __wrap_audit_send(int fd,
+                      int type,
+                      const void *data,
+                      __attribute__((unused)) unsigned int size) {
+    check_expected(fd);
+    check_expected(type);
+    check_expected(data);
+
+    return mock();
+}
+
+int __wrap_audit_update_watch_perms(__attribute__((unused)) struct audit_rule_data *rule,
+                                    int perms) {
+    check_expected(perms);
+
+    return mock();
+}
+
+int __wrap_audit_request_status(__attribute__((unused)) int fd) {
+    return mock();
+}
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.h
new file mode 100644
index 0000000000..a9b29fa2d9
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/audit/libaudit_wrappers.h
@@ -0,0 +1,50 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef LIBAUDIT_WRAPPERS_H
+#define LIBAUDIT_WRAPPERS_H
+
+#include <libaudit.h>
+
+int __wrap_audit_add_rule_data();
+
+int __wrap_audit_add_watch_dir(int type,
+                               struct audit_rule_data **rulep,
+                               const char *path);
+
+int __wrap_audit_close();
+
+int __wrap_audit_delete_rule_data();
+
+char *__wrap_audit_errno_to_name();
+
+int __wrap_audit_get_reply(int fd,
+                           struct audit_reply *rep,
+                           reply_t block,
+                           int peek);
+
+int __wrap_audit_open();
+
+int __wrap_audit_rule_fieldpair_data(struct audit_rule_data **rulep,
+                                     const char *pair,
+                                     int flags);
+
+int __wrap_audit_send(int fd,
+                      int type,
+                      const void *data,
+                      unsigned int size);
+
+int __wrap_audit_update_watch_perms(struct audit_rule_data *rule,
+                                    int perms);
+
+
+int __wrap_audit_request_status(int fd);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.c
new file mode 100644
index 0000000000..144138444d
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.c
@@ -0,0 +1,85 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "bzlib_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+
+
+int __wrap_BZ2_bzRead(int* bzerror,
+                      BZFILE* f,
+                      void* buf,
+                      int len) {
+    check_expected_ptr(f);
+    *bzerror = mock();
+    int n = mock();
+    if(n <= len) {
+        memcpy(buf, mock_type(void*), n);
+    }
+    return n;
+}
+
+void __wrap_BZ2_bzReadClose(__attribute__ ((__unused__)) int* bzerror,
+                            BZFILE* f) {
+    check_expected_ptr(f);
+}
+
+BZFILE* __wrap_BZ2_bzReadOpen(int* bzerror,
+                              FILE* f,
+                              __attribute__ ((__unused__)) int small,
+                              __attribute__ ((__unused__)) int verbosity,
+                              __attribute__ ((__unused__)) void* unused,
+                              __attribute__ ((__unused__)) int nUnused) {
+    check_expected_ptr(f);
+    *bzerror = mock();
+
+    return mock_type(BZFILE*);
+}
+
+void __wrap_BZ2_bzWrite(int* bzerror,
+                       BZFILE* f,
+                       void* buf,
+                       int len) {
+    check_expected_ptr(f);
+    check_expected(buf);
+    check_expected(len);
+    *bzerror = mock();
+}
+
+void __wrap_BZ2_bzWriteClose(__attribute__ ((__unused__)) int* bzerror,
+                               BZFILE* f,
+                               __attribute__ ((__unused__)) int abandon,
+                               __attribute__ ((__unused__)) unsigned int* nbytes_in,
+                               __attribute__ ((__unused__)) unsigned int* nbytes_out) {
+    check_expected_ptr(f);
+}
+
+BZFILE* __wrap_BZ2_bzWriteOpen(int* bzerror,
+                               FILE* f,
+                               __attribute__ ((__unused__)) int blockSize100k,
+                               __attribute__ ((__unused__)) int verbosity,
+                               __attribute__ ((__unused__)) int workFactor) {
+    check_expected_ptr(f);
+    *bzerror = mock();
+
+    return mock_type(BZFILE*);
+}
+
+#ifndef TEST_WINAGENT
+int __wrap_bzip2_uncompress(const char *filebz2,
+                            const char *file) {
+
+    check_expected_ptr(filebz2);
+    check_expected_ptr(file);
+    return mock();
+}
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.h
new file mode 100644
index 0000000000..4925a38d5b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/bzip2/bzlib_wrappers.h
@@ -0,0 +1,53 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef BZLIB_WRAPPERS_H
+#define BZLIB_WRAPPERS_H
+
+#include "bzlib.h"
+
+int __wrap_BZ2_bzRead(int* bzerror,
+                      BZFILE* f,
+                      void* buf,
+                      int len);
+
+void __wrap_BZ2_bzReadClose(int* bzerror,
+                            BZFILE* f);
+
+BZFILE* __wrap_BZ2_bzReadOpen(int* bzerror,
+                          FILE* f,
+                          int small,
+                          int verbosity,
+                          void* unused,
+                          int nUnused);
+
+void __wrap_BZ2_bzWrite(int* bzerror,
+                       BZFILE* f,
+                       void* buf,
+                       int len);
+
+void __wrap_BZ2_bzWriteClose(int* bzerror,
+                               BZFILE* f,
+                               int abandon,
+                               unsigned int* nbytes_in,
+                               unsigned int* nbytes_out);
+
+BZFILE* __wrap_BZ2_bzWriteOpen(int* bzerror,
+                               FILE* f,
+                               int blockSize100k,
+                               int verbosity,
+                               int workFactor);
+
+#ifndef TEST_WINAGENT
+int __wrap_bzip2_uncompress(const char *filebz2,
+                            const char *file);
+#endif
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.c
new file mode 100644
index 0000000000..1ae4739440
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.c
@@ -0,0 +1,151 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "cJSON_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+cJSON_bool __wrap_cJSON_AddItemToArray(__attribute__ ((__unused__)) cJSON *array,
+                                 __attribute__ ((__unused__)) cJSON *item) {
+    function_called();
+    return mock_type(cJSON_bool);
+}
+
+cJSON_bool __wrap_cJSON_AddItemToObject(__attribute__ ((__unused__)) cJSON *object,
+                                  __attribute__ ((__unused__)) const char *string,
+                                  __attribute__ ((__unused__)) cJSON *item) {
+    function_called();
+    return mock_type(cJSON_bool);
+}
+
+cJSON* __wrap_cJSON_AddStringToObject(__attribute__ ((__unused__)) cJSON * const object,
+                                      const char * const name,
+                                      const char * const string) {
+    if (name) check_expected(name);
+    if (string) check_expected(string);
+    return mock_type(cJSON *);
+}
+
+cJSON* __wrap_cJSON_AddArrayToObject(__attribute__ ((__unused__)) cJSON * const object,
+                              const char * const name) {
+    if (name) check_expected(name);
+    return mock_type(cJSON *);
+}
+
+cJSON* __wrap_cJSON_AddNumberToObject(__attribute__ ((__unused__)) cJSON * const object,
+                                      const char * const name,
+                                      const double number) {
+    if (name) check_expected(name);
+    check_expected(number);
+    return mock_type(cJSON *);
+}
+
+cJSON* __wrap_cJSON_AddFalseToObject(__attribute__ ((__unused__)) cJSON * const object, const char * const name) {
+    if (name) check_expected(name);
+    return mock_type(cJSON *);
+}
+
+cJSON* __wrap_cJSON_AddObjectToObject(cJSON * const object, const char * const name) {
+    if (name) check_expected(name);
+    check_expected(object);
+    return mock_type(cJSON *);
+}
+
+#ifdef WIN32
+cJSON * __stdcall __wrap_cJSON_CreateArray(void) {
+    return mock_type(cJSON *);
+}
+
+cJSON * __stdcall __wrap_cJSON_CreateObject(void) {
+    return mock_type(cJSON *);
+}
+#else
+cJSON * __wrap_cJSON_CreateArray(void) {
+    return mock_type(cJSON *);
+}
+
+cJSON * __wrap_cJSON_CreateObject(void) {
+    return mock_type(cJSON *);
+}
+#endif
+
+cJSON * __wrap_cJSON_CreateNumber(double num) {
+    check_expected(num);
+    return mock_type(cJSON *);
+}
+
+cJSON * __wrap_cJSON_CreateString(const char *string) {
+    check_expected(string);
+    return mock_type(cJSON *);
+}
+
+void __wrap_cJSON_Delete(__attribute__ ((__unused__)) cJSON *item) {
+    function_called();
+    return;
+}
+
+cJSON * WSTD_CALL __wrap_cJSON_GetObjectItem(__attribute__ ((__unused__)) const cJSON * const object,
+                                   __attribute__ ((__unused__)) const char * const string) {
+    return mock_type(cJSON *);
+}
+
+char* WSTD_CALL __wrap_cJSON_GetStringValue(__attribute__ ((__unused__)) cJSON * item) {
+    return mock_type(char*);
+}
+
+cJSON_bool __wrap_cJSON_IsNumber(__attribute__ ((__unused__)) cJSON * item) {
+    return mock_type(cJSON_bool);
+}
+
+cJSON_bool __wrap_cJSON_IsString(__attribute__ ((__unused__)) const cJSON * const item) {
+    return mock_type(cJSON_bool);
+}
+
+cJSON_bool __wrap_cJSON_IsObject(__attribute__ ((__unused__)) cJSON * item) {
+    return mock_type(cJSON_bool);
+}
+
+cJSON * __wrap_cJSON_Parse(__attribute__ ((__unused__)) const char *value) {
+    return mock_type(cJSON *);
+}
+
+cJSON * __wrap_cJSON_ParseWithOpts(__attribute__ ((__unused__)) const char *value,
+                                   const char **return_parse_end,
+                                   __attribute__ ((__unused__)) cJSON_bool require_null_terminated) {
+    *return_parse_end = mock_type(char *);
+    return mock_type(cJSON *);
+}
+
+char * __wrap_cJSON_PrintUnformatted(__attribute__ ((__unused__)) const cJSON *item) {
+    return mock_type(char *);
+}
+
+char * __wrap_cJSON_Print(__attribute__ ((__unused__)) const cJSON *item) {
+    return mock_type(char *);
+}
+
+int __wrap_cJSON_GetArraySize(__attribute__ ((__unused__))  const cJSON *array) {
+    return mock();
+}
+
+cJSON * __wrap_cJSON_GetArrayItem(__attribute__ ((__unused__)) const cJSON *array, __attribute__ ((__unused__)) int index) {
+    return mock_type(cJSON*);
+}
+
+cJSON* __wrap_cJSON_Duplicate(__attribute__ ((__unused__)) const cJSON *item, __attribute__ ((__unused__)) int recurse) {
+    return mock_type(cJSON*);
+}
+
+cJSON* __wrap_cJSON_AddBoolToObject(__attribute__ ((__unused__)) cJSON * const object,
+                                    __attribute__ ((__unused__))const char * const name,
+                                    __attribute__ ((__unused__))const cJSON_bool boolean) {
+    return mock_type(cJSON *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.h
new file mode 100644
index 0000000000..4f40d3c7bb
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/cJSON/cJSON_wrappers.h
@@ -0,0 +1,108 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef CJSON_WRAPPERS_H
+#define CJSON_WRAPPERS_H
+
+#include <cJSON.h>
+#include <stdbool.h>
+
+#ifdef WIN32
+#define WSTD_CALL __stdcall
+#else
+#define WSTD_CALL
+#endif
+
+cJSON_bool __wrap_cJSON_AddItemToArray(cJSON *array, cJSON *item);
+
+extern cJSON_bool __real_cJSON_AddItemToArray(cJSON *array, cJSON *item);
+
+cJSON_bool __wrap_cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item);
+
+extern cJSON_bool __real_cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item);
+
+cJSON *__wrap_cJSON_AddStringToObject(cJSON *const object, const char *const name, const char *const string);
+
+cJSON *__wrap_cJSON_AddObjectToObject(cJSON *const object, const char *const name);
+
+cJSON* __wrap_cJSON_AddFalseToObject(__attribute__ ((__unused__)) cJSON * const object, const char * const name);
+
+extern cJSON *__real_cJSON_AddStringToObject(cJSON *const object, const char *const name, const char *const string);
+
+cJSON *__wrap_cJSON_AddArrayToObject(cJSON *const object, const char *const name);
+
+extern cJSON *__real_cJSON_AddArrayToObject(cJSON *const object, const char *const name);
+
+cJSON *__wrap_cJSON_AddNumberToObject(cJSON *const object, const char *const name, const double number);
+
+extern cJSON *__real_cJSON_AddNumberToObject(cJSON *const object, const char *const name, const double number);
+
+#ifdef WIN32
+extern cJSON *__stdcall __real_cJSON_CreateArray(void);
+
+cJSON *__stdcall __wrap_cJSON_CreateArray(void);
+
+extern cJSON *__stdcall __real_cJSON_CreateObject(void);
+
+cJSON *__stdcall __wrap_cJSON_CreateObject(void);
+#else
+extern cJSON *__real_cJSON_CreateArray(void);
+
+cJSON *__wrap_cJSON_CreateArray(void);
+
+extern cJSON *__real_cJSON_CreateObject(void);
+
+cJSON *__wrap_cJSON_CreateObject(void);
+#endif
+
+cJSON *__wrap_cJSON_CreateNumber(double num);
+
+extern cJSON *__real_cJSON_CreateNumber(double num);
+
+cJSON *__wrap_cJSON_CreateString(const char *string);
+
+extern cJSON *__real_cJSON_CreateString(const char *string);
+
+void __wrap_cJSON_Delete(cJSON *item);
+
+extern void __real_cJSON_Delete(cJSON *item);
+
+cJSON *WSTD_CALL __wrap_cJSON_GetObjectItem(const cJSON *const object, const char *const string);
+
+extern cJSON *__real_cJSON_GetObjectItem(const cJSON *const object, const char *const string);
+
+char *WSTD_CALL __wrap_cJSON_GetStringValue(cJSON *item);
+
+cJSON_bool __wrap_cJSON_IsNumber(cJSON *item);
+
+cJSON_bool __wrap_cJSON_IsObject(cJSON *item);
+
+cJSON *__wrap_cJSON_Parse(const char *value);
+
+cJSON *__wrap_cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated);
+
+extern cJSON *__real_cJSON_Parse(const char *value);
+
+extern char *__real_cJSON_PrintUnformatted(cJSON *item);
+
+char *__wrap_cJSON_PrintUnformatted(const cJSON *item);
+
+char *__wrap_cJSON_Print(const cJSON *item);
+
+int __wrap_cJSON_GetArraySize(const cJSON *array);
+
+cJSON *__wrap_cJSON_GetArrayItem(const cJSON *array, int index);
+
+extern cJSON *__real_cJSON_GetArrayItem(const cJSON *array, int index);
+
+cJSON *__wrap_cJSON_Duplicate(const cJSON *item, int recurse);
+
+cJSON *__wrap_cJSON_AddBoolToObject(cJSON *const object, const char *const name, const cJSON_bool boolean);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.c
new file mode 100644
index 0000000000..a107240b53
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.c
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "bio_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+BIO *__wrap_BIO_new_socket(__attribute__((unused)) int sock,
+                           __attribute__((unused)) int close_flag) {
+    return NULL;
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.h
new file mode 100644
index 0000000000..6f9ae972f6
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/bio_wrappers.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef BIO_WRAPPERS_H
+#define BIO_WRAPPERS_H
+
+#include <openssl/ssl.h>
+
+BIO *__wrap_BIO_new_socket(int sock, int close_flag);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.c
new file mode 100644
index 0000000000..0afafe3543
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.c
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "digest_wrappers.h"
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../common.h"
+#include <openssl/evp.h>
+
+extern int __real_EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *data, size_t count);
+int __wrap_EVP_DigestUpdate(EVP_MD_CTX *ctx,
+                            const void *data,
+                            size_t count) {
+   if (test_mode) {
+      check_expected(data);
+      check_expected(count);
+      return mock();
+   }
+   else {
+     return __real_EVP_DigestUpdate(ctx, data, count);
+   }
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.h
new file mode 100644
index 0000000000..29d3ed81a3
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/digest_wrappers.h
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef DIGEST_WRAPPERS_H
+#define DIGEST_WRAPPERS_H
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+#endif
+#include <stddef.h>
+#include <openssl/evp.h>
+
+int __wrap_EVP_DigestUpdate(EVP_MD_CTX *ctx,
+                            const void *data,
+                            size_t count);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.c
new file mode 100644
index 0000000000..607034f332
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.c
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include "evp_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+EVP_PKEY *__wrap_EVP_PKEY_new(void) {
+    if (mock()) {
+        return __real_EVP_PKEY_new();
+    }
+
+    return mock_type(EVP_PKEY *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.h
new file mode 100644
index 0000000000..e37d6140dc
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/evp_wrappers.h
@@ -0,0 +1,14 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include <openssl/evp.h>
+
+EVP_PKEY * __wrap_EVP_PKEY_new(void);
+extern EVP_PKEY * __real_EVP_PKEY_new(void);
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.c
new file mode 100644
index 0000000000..785d9d8c77
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.c
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "init_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_OPENSSL_init_crypto(__attribute__((unused)) uint64_t opts,
+                               __attribute__((unused)) const OPENSSL_INIT_SETTINGS *settings) {
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.h
new file mode 100644
index 0000000000..612014a2f5
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/init_wrappers.h
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef INIT_WRAPPERS_H
+#define INIT_WRAPPERS_H
+
+#include <stdint.h>
+#include <openssl/crypto.h>
+
+int __wrap_OPENSSL_init_crypto(uint64_t opts,
+                               const OPENSSL_INIT_SETTINGS *settings);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.c
new file mode 100644
index 0000000000..c0d04e2cb9
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.c
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "pem_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_PEM_write_PrivateKey(FILE *out,
+                                const EVP_PKEY *x,
+                                const EVP_CIPHER *enc,
+                                const unsigned char *kstr,
+                                int klen,
+                                pem_password_cb *cb,
+                                void *u) {
+    return mock_type(int);
+
+}
+
+int __wrap_PEM_write_X509(FILE *out, const X509 *x) {
+    return mock_type(int);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.h
new file mode 100644
index 0000000000..d558860517
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/pem_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <stdio.h>
+
+int __wrap_PEM_write_PrivateKey(FILE *out,
+                                const EVP_PKEY *x,
+                                const EVP_CIPHER *enc,
+                                const unsigned char *kstr,
+                                int klen,
+                                pem_password_cb *cb,
+                                void *u);
+
+int __wrap_PEM_write_X509(FILE *out, const X509 *x);
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.c
new file mode 100644
index 0000000000..a21a522626
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.c
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "rsa_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
+    return mock_type(int);
+}
+
+RSA *__wrap_RSA_new(void) {
+    if (mock()) {
+        return __real_RSA_new();
+    }
+
+    return mock_type(RSA *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.h
new file mode 100644
index 0000000000..529a5e7375
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/rsa_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include <openssl/rsa.h>
+
+int __wrap_RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
+
+/**
+ * @brief Wrapper for RSA_new.
+ * If the first mock is not null, the wrapper will return a real call to RSA_new, otherwise, it will return a mock RSA *
+ *
+ * @return RSA* Real structure in case the first mock is not null, a mock otherwise.
+ */
+RSA * __wrap_RSA_new(void);
+
+extern RSA *__real_RSA_new(void);
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.c
new file mode 100644
index 0000000000..3164944a6b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.c
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "ssl_init_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_OPENSSL_init_ssl(__attribute__((unused)) uint64_t opts,
+                            __attribute__((unused)) const OPENSSL_INIT_SETTINGS * settings) {
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.h
new file mode 100644
index 0000000000..2e02b6da91
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_init_wrappers.h
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SSL_INIT_WRAPPERS_H
+#define SSL_INIT_WRAPPERS_H
+
+#include <stdint.h>
+#include <openssl/crypto.h>
+
+int __wrap_OPENSSL_init_ssl(uint64_t opts,
+                            const OPENSSL_INIT_SETTINGS * settings);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.c
new file mode 100644
index 0000000000..a9aac99b3e
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.c
@@ -0,0 +1,50 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "ssl_lib_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_SSL_read(SSL *ssl, void *buf, int num) {
+    check_expected(ssl);
+    check_expected_ptr(buf);
+    check_expected(num);
+
+    snprintf(buf, num, "%s",mock_ptr_type(char*));
+
+    return mock_type(int);
+}
+
+int __wrap_SSL_connect(__attribute__((unused)) SSL *s) {
+    return mock_type(int);
+}
+
+int __wrap_SSL_get_error(__attribute__((unused)) const SSL *s, int i) {
+    check_expected(i);
+    return mock_type(int);
+}
+
+int __wrap_SSL_write(SSL *ssl, const void *buf, __attribute__((unused)) int num) {
+    check_expected(ssl);
+    check_expected(buf);
+    return mock_type(int);
+}
+
+SSL *__wrap_SSL_new(SSL_CTX *ctx) {
+    check_expected(ctx);
+    return mock_ptr_type(SSL *);
+}
+
+void __wrap_SSL_set_bio(__attribute__((unused)) SSL *s,
+                        __attribute__((unused)) BIO *rbio,
+                        __attribute__((unused)) BIO *wbio) {
+    return;
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.h
new file mode 100644
index 0000000000..873d894aa6
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/ssl_lib_wrappers.h
@@ -0,0 +1,28 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SSL_LIB_WRAPPERS_H
+#define SSL_LIB_WRAPPERS_H
+
+#include <openssl/ssl.h>
+
+int __wrap_SSL_read(SSL *ssl, void *buf, int num);
+
+int __wrap_SSL_connect(SSL *s);
+
+int __wrap_SSL_get_error(const SSL *s, int i);
+
+int __wrap_SSL_write(SSL *ssl, const void *buf, int num);
+
+SSL *__wrap_SSL_new(SSL_CTX *ctx);
+
+void __wrap_SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.c b/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.c
new file mode 100644
index 0000000000..54aabd872b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.c
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include "x509_wrapppers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) {
+    return mock_type(int);
+}
+
+X509 *__wrap_X509_new(void) {
+    if (mock()) {
+        return __real_X509_new();
+    }
+    return mock_type(X509 *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.h b/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.h
new file mode 100644
index 0000000000..fc52acb66e
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/openssl/x509_wrapppers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#include <openssl/x509.h>
+
+int __wrap_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+
+X509 *__wrap_X509_new(void);
+extern X509 *__real_X509_new(void);
diff --git a/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.c
new file mode 100644
index 0000000000..53b2a5cfc7
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.c
@@ -0,0 +1,66 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "pcre2_wrappers.h"
+
+static bool g_enable_pcre2 = false;
+
+void w_test_pcre2_wrappers(bool enable)
+{
+    g_enable_pcre2 = !enable;
+}
+
+pcre2_match_data_8* wrap_pcre2_match_data_create_from_pattern(pcre2_code_8* code, void* aux)
+{
+
+    if (g_enable_pcre2)
+    {
+        // Print macro
+        return pcre2_match_data_create_from_pattern(code, aux);
+    }
+    return mock_type(pcre2_match_data_8*);
+}
+
+int wrap_pcre2_match(pcre2_code_8* code_match_data,
+                     const PCRE2_UCHAR8* str_test,
+                     size_t strlen,
+                     int a,
+                     int b,
+                     pcre2_match_data_8* match_data,
+                     void* aux)
+{
+    if (g_enable_pcre2)
+    {
+        return pcre2_match(code_match_data, str_test, strlen, a, b, match_data, aux);
+    }
+    return mock();
+}
+
+void wrap_pcre2_match_data_free(pcre2_match_data_8* match_data)
+{
+    if (g_enable_pcre2)
+    {
+        pcre2_match_data_free(match_data);
+    }
+    return;
+}
+
+size_t* wrap_pcre2_get_ovector_pointer(pcre2_match_data_8* match_data)
+{
+    if (g_enable_pcre2)
+    {
+        return pcre2_get_ovector_pointer(match_data);
+    }
+    return mock_type(size_t*);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.h
new file mode 100644
index 0000000000..4881f0fa2c
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/pcre2/pcre2_wrappers.h
@@ -0,0 +1,41 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PCRE2_WRAPPERS_H
+#define PCRE2_WRAPPERS_H
+
+#define PCRE2_CODE_UNIT_WIDTH 8
+
+#include "shared.h"
+#include "expression.h"
+
+#define w_pcre2_match_data_create_from_pattern wrap_pcre2_match_data_create_from_pattern
+#define w_pcre2_match wrap_pcre2_match
+#define w_pcre2_match_data_free wrap_pcre2_match_data_free
+#define w_pcre2_get_ovector_pointer wrap_pcre2_get_ovector_pointer
+
+pcre2_match_data_8 * wrap_pcre2_match_data_create_from_pattern(pcre2_code_8 * code, void* aux);
+
+int wrap_pcre2_match(pcre2_code_8 * code_match_data, const PCRE2_UCHAR8 * str_test, 
+                size_t strlen, int a, int b, pcre2_match_data_8 * match_data, void * aux);
+
+void wrap_pcre2_match_data_free(pcre2_match_data_8 * match_data);
+
+size_t* wrap_pcre2_get_ovector_pointer(pcre2_match_data_8 * match_data);
+
+/**
+ * @brief Disable or enable the PCRE2 wrappers
+ * 
+ * The wrappers are enabled by default.
+ * @param enable If true, the wrappers are disabled. If false, the wrappers are enabled.
+ */
+void w_test_pcre2_wrappers(bool enable);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.c
new file mode 100644
index 0000000000..8c937a1031
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.c
@@ -0,0 +1,36 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "readproc_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+void __wrap_closeproc(PROCTAB* PT) {
+    check_expected(PT);
+}
+
+void __wrap_freeproc(proc_t* p) {
+    check_expected(p);
+}
+
+PROCTAB* __wrap_openproc(int flags, ...) {
+    check_expected(flags);
+    return mock_type(PROCTAB*);
+}
+
+proc_t* __wrap_readproc(PROCTAB *restrict const PT,
+                        proc_t *restrict p) {
+    check_expected(PT);
+    check_expected(p);
+
+    return mock_type(proc_t*);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.h
new file mode 100644
index 0000000000..56fa98ecdd
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/procpc/readproc_wrappers.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef READPROC_WRAPPERS_H
+#define READPROC_WRAPPERS_H
+
+#include "../external/procps/readproc.h"
+
+void __wrap_closeproc(PROCTAB* PT);
+
+
+void __wrap_freeproc(proc_t* p);
+
+PROCTAB* __wrap_openproc(int flags, ...);
+
+proc_t* __wrap_readproc(PROCTAB *restrict const PT,
+                        proc_t *restrict p);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.c
new file mode 100644
index 0000000000..94f4f740a6
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.c
@@ -0,0 +1,224 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sqlite3_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../common.h"
+
+
+int __wrap_sqlite3_bind_int(__attribute__((unused)) sqlite3_stmt *stmt,
+                            int index,
+                            int value) {
+    check_expected(index);
+    check_expected(value);
+
+    return mock();
+}
+
+void expect_sqlite3_bind_int_call(int idx, int val, int ret) {
+    expect_value(__wrap_sqlite3_bind_int, index, idx);
+    expect_value(__wrap_sqlite3_bind_int, value, val);
+    will_return(__wrap_sqlite3_bind_int, ret);
+}
+
+int __wrap_sqlite3_bind_int64(__attribute__((unused)) sqlite3_stmt *stmt,
+                              int index,
+                              sqlite3_int64 value) {
+    check_expected(index);
+    check_expected(value);
+
+    return mock();
+}
+
+int __wrap_sqlite3_bind_double(__attribute__((unused)) sqlite3_stmt *pStmt, int index, double value) {
+    check_expected(index);
+    check_expected(value);
+
+    return mock();
+}
+
+int __wrap_sqlite3_bind_null(__attribute__((unused)) sqlite3_stmt *pStmt, int index) {
+    check_expected(index);
+
+    return mock();
+}
+
+void expect_sqlite3_bind_int64_call(int idx, double val, int ret) {
+    expect_value(__wrap_sqlite3_bind_int64, index, idx);
+    expect_value(__wrap_sqlite3_bind_int64, value, val);
+    will_return(__wrap_sqlite3_bind_int64, ret);
+}
+
+int __wrap_sqlite3_bind_text(__attribute__((unused)) sqlite3_stmt* pStmt,
+                             int pos,
+                             const char* buffer,
+                             __attribute__((unused)) int length,
+                             __attribute__((unused)) void *mem_callback) {
+    check_expected(pos);
+    if (buffer) check_expected(buffer);
+
+    return mock();
+}
+
+void expect_sqlite3_bind_text_call(int position, const char *buf, int ret) {
+    expect_value(__wrap_sqlite3_bind_text, pos, position);
+
+    if (buf) {
+        expect_string(__wrap_sqlite3_bind_text, buffer, buf);
+    }
+
+    will_return(__wrap_sqlite3_bind_text, ret);
+}
+
+int __wrap_sqlite3_bind_parameter_index(__attribute__((unused)) sqlite3_stmt * stmt,
+                                        const char *zName) {
+    check_expected(zName);
+
+    return mock();
+}
+
+int __wrap_sqlite3_clear_bindings(__attribute__((unused)) sqlite3_stmt* pStmt) {
+    return mock();
+}
+
+int __wrap_sqlite3_close_v2() {
+    return mock();
+}
+
+double __wrap_sqlite3_column_double(__attribute__((unused)) sqlite3_stmt *pStmt,
+                                    int iCol) {
+    check_expected(iCol);
+    return mock_type(double);
+}
+
+int __wrap_sqlite3_column_int(__attribute__((unused)) sqlite3_stmt *pStmt,
+                              int iCol) {
+    check_expected(iCol);
+    return mock();
+}
+
+sqlite3_int64 __wrap_sqlite3_column_int64(__attribute__((unused)) sqlite3_stmt* stmt,
+                                          int iCol) {
+    check_expected(iCol);
+    return mock();
+}
+
+const unsigned char *__wrap_sqlite3_column_text(__attribute__((unused)) sqlite3_stmt *pStmt,
+                                                int iCol) {
+    check_expected(iCol);
+    return mock_type(const unsigned char*);
+
+}
+
+int __wrap_sqlite3_extended_errcode(__attribute__((unused)) sqlite3* db) {
+    return mock();
+}
+
+const char *__wrap_sqlite3_errmsg(__attribute__((unused)) sqlite3* db) {
+    return mock_ptr_type(const char *);
+}
+
+int __wrap_sqlite3_exec(__attribute__((unused)) sqlite3* db,                                /* An open database */
+                        const char *sql,                                                    /* SQL to be evaluated */
+                        __attribute__((unused)) int (*callback)(void*,int,char**,char**),   /* Callback function */
+                        __attribute__((unused)) void *arg,                                  /* 1st argument to callback */
+                        char **errmsg) {                                                    /* Error msg written here */
+    check_expected(sql);
+    *errmsg = mock_ptr_type(char *);
+    return mock();
+}
+
+int __wrap_sqlite3_finalize(__attribute__((unused)) sqlite3_stmt *pStmt) {
+    return mock();
+}
+
+void __wrap_sqlite3_free(__attribute__((unused)) void* ptr) {
+    return;
+}
+
+int __wrap_sqlite3_last_insert_rowid(__attribute__((unused)) sqlite3* db){
+    return mock();
+}
+
+int __wrap_sqlite3_open_v2(const char *filename,                           /* Database filename (UTF-8) */
+                           sqlite3 **ppDb,                                 /* OUT: SQLite db handle */
+                           int flags,                                      /* Flags */
+                           __attribute__((unused)) const char *zVfs) {     /* Name of VFS module to use */
+    check_expected(filename);
+    check_expected(flags);
+    *ppDb = mock_type(sqlite3 *);
+    return mock();
+}
+
+int __wrap_sqlite3_prepare_v2(__attribute__((unused)) sqlite3 *db,            /* Database handle */
+                              __attribute__((unused)) const char *zSql,       /* SQL statement, UTF-8 encoded */
+                              __attribute__((unused)) int nByte,              /* Maximum length of zSql in bytes. */
+                              sqlite3_stmt **ppStmt,                          /* OUT: Statement handle */
+                              const char **pzTail){                           /* OUT: Pointer to unused portion of zSql */
+
+    *ppStmt = mock_type(sqlite3_stmt *);
+    if(pzTail){
+        *pzTail = 0;
+    }
+    return mock();
+}
+
+int __wrap_sqlite3_reset(__attribute__((unused)) sqlite3_stmt *pStmt) {
+    return mock();
+}
+
+extern int __real_sqlite3_step(__attribute__((unused)) sqlite3_stmt * stmt);
+int __wrap_sqlite3_step(__attribute__((unused)) sqlite3_stmt * stmt){
+    if (mock())
+        return __real_sqlite3_step(stmt);
+    else
+        return mock();
+}
+
+void expect_sqlite3_step_call(int ret) {
+    will_return(__wrap_sqlite3_step, 0);    // This will_return prevents from calling the real function
+    will_return(__wrap_sqlite3_step, ret);
+}
+
+void expect_sqlite3_step_count(int ret, int count) {
+    for (int i = count; i; i--) {
+        expect_sqlite3_step_call(ret);
+    }
+}
+
+int __wrap_sqlite3_column_count(__attribute__((unused)) sqlite3_stmt *stmt) {
+    return mock();
+}
+
+int __wrap_sqlite3_column_type(__attribute__((unused)) sqlite3_stmt *pStmt,
+                               int i){
+    check_expected(i);
+    return mock();
+}
+
+const char* __wrap_sqlite3_column_name(__attribute__((unused)) sqlite3_stmt *pStmt,
+                                       int N){
+    check_expected(N);
+    return mock_ptr_type(char *);
+}
+
+int __wrap_sqlite3_changes(__attribute__((unused)) sqlite3 * db){
+    return mock();
+}
+
+int __wrap_sqlite3_get_autocommit(__attribute__((unused)) sqlite3 * db) {
+    return mock();
+}
+
+const char*  __wrap_sqlite3_sql(__attribute__((unused)) sqlite3_stmt *pStmt){
+    return mock_ptr_type(char*);
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.h
new file mode 100644
index 0000000000..4e0b795f13
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/sqlite/sqlite3_wrappers.h
@@ -0,0 +1,107 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SQLITE3_WRAPPERS_H
+#define SQLITE3_WRAPPERS_H
+
+#include "../external/sqlite/sqlite3.h"
+
+int __wrap_sqlite3_bind_int(sqlite3_stmt *stmt,
+                            int index,
+                            int value);
+
+void expect_sqlite3_bind_int_call(int idx, int val, int ret);
+
+int __wrap_sqlite3_bind_int64(sqlite3_stmt *stmt,
+                              int index,
+                              sqlite3_int64 value);
+
+int __wrap_sqlite3_bind_double(sqlite3_stmt *pStmt, int index, double value);
+
+int __wrap_sqlite3_bind_null(sqlite3_stmt *pStmt, int index);
+
+void expect_sqlite3_bind_int64_call(int idx, double val, int ret);
+
+int __wrap_sqlite3_bind_text(sqlite3_stmt* pStmt,
+                             int pos,
+                             const char* buffer,
+                             int length,
+                             void *mem_callback);
+
+void expect_sqlite3_bind_text_call(int position, const char *buf, int ret);
+
+int __wrap_sqlite3_bind_parameter_index(__attribute__((unused)) sqlite3_stmt * stmt,
+                                        const char *zName);
+
+int __wrap_sqlite3_bind_double(__attribute__((unused)) sqlite3_stmt* stmt,
+                               int index,
+                               double value);
+
+int __wrap_sqlite3_clear_bindings(sqlite3_stmt* pStmt);
+
+int __wrap_sqlite3_close_v2();
+
+double __wrap_sqlite3_column_double(sqlite3_stmt *pStmt,
+                                    int iCol);
+
+int __wrap_sqlite3_column_int(sqlite3_stmt *pStmt,
+                              int iCol);
+
+sqlite3_int64 __wrap_sqlite3_column_int64(sqlite3_stmt* stmt,
+                                          int iCol);
+
+const unsigned char *__wrap_sqlite3_column_text(sqlite3_stmt *pStmt,
+                                                int iCol);
+
+const char *__wrap_sqlite3_errmsg(sqlite3* db);
+
+int __wrap_sqlite3_extended_errcode(__attribute__((unused)) sqlite3* db);
+
+int __wrap_sqlite3_exec(sqlite3* db,                                 /* An open database */
+                        const char *sql,                             /* SQL to be evaluated */
+                        int (*callback)(void*,int,char**,char**),    /* Callback function */
+                        void *arg,                                   /* 1st argument to callback */
+                        char **errmsg);                              /* Error msg written here */
+
+int __wrap_sqlite3_finalize(sqlite3_stmt *pStmt);
+
+void __wrap_sqlite3_free(void* ptr);
+
+int __wrap_sqlite3_last_insert_rowid(sqlite3* db);
+
+int __wrap_sqlite3_open_v2(const char *filename,   /* Database filename (UTF-8) */
+                           sqlite3 **ppDb,         /* OUT: SQLite db handle */
+                           int flags,              /* Flags */
+                           const char *zVfs);      /* Name of VFS module to use */
+
+int __wrap_sqlite3_prepare_v2(sqlite3 *db,            /* Database handle */
+                              const char *zSql,       /* SQL statement, UTF-8 encoded */
+                              int nByte,              /* Maximum length of zSql in bytes. */
+                              sqlite3_stmt **ppStmt,  /* OUT: Statement handle */
+                              const char **pzTail);    /* OUT: Pointer to unused portion of zSql */
+
+int __wrap_sqlite3_reset(sqlite3_stmt *pStmt);
+
+int __wrap_sqlite3_step(sqlite3_stmt * stmt);
+
+void expect_sqlite3_step_call(int ret);
+void expect_sqlite3_step_count(int ret, int count);
+
+int __wrap_sqlite3_column_count(sqlite3_stmt *pStmt);
+
+int __wrap_sqlite3_column_type(sqlite3_stmt *pStmt, int i);
+
+const char* __wrap_sqlite3_column_name(sqlite3_stmt *pStmt, int N);
+
+int __wrap_sqlite3_get_autocommit(__attribute__((unused)) sqlite3 * db);
+
+const char* __wrap_sqlite3_sql(sqlite3_stmt *pStmt);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.c b/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.c
new file mode 100644
index 0000000000..09cbb18138
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.c
@@ -0,0 +1,62 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "zlib_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+
+
+int __wrap_gzread(gzFile gz_fd,
+                  void* buf,
+                  int len) {
+    check_expected_ptr(gz_fd);
+    int n = mock();
+    if(n <= len && (n > 0)) {
+        memcpy(buf, mock_type(void*), n);
+    }
+    return n;
+}
+
+gzFile __wrap_gzopen(const char * path,
+                     const char * mode) {
+    check_expected(path);
+    check_expected(mode);
+
+    return mock_type(gzFile);
+}
+
+int __wrap_gzclose(gzFile file) {
+    check_expected_ptr(file);
+    return mock();
+}
+
+int __wrap_gzeof(gzFile file) {
+    check_expected_ptr(file);
+    return mock();
+}
+
+const char * __wrap_gzerror(gzFile file,
+                            int *errnum) {
+    check_expected_ptr(file);
+    *errnum = mock();
+    return mock_type(char*);
+}
+
+int __wrap_gzwrite(gzFile file,
+                   voidpc buf,
+                   unsigned int len) {
+    check_expected_ptr(file);
+    check_expected(buf);
+    check_expected(len);
+    return mock();
+
+}
diff --git a/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.h b/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.h
new file mode 100644
index 0000000000..20d0c866f7
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/externals/zlib/zlib_wrappers.h
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef ZLIB_WRAPPERS_H
+#define ZLIB_WRAPPERS_H
+
+#include "../../../../external/zlib/zlib.h"
+
+int __wrap_gzread(gzFile gz_fd,
+                  void* buf,
+                  int len);
+
+gzFile __wrap_gzopen(const char * file,
+                     const char * mode);
+
+int __wrap_gzclose(gzFile file);
+
+int __wrap_gzeof(gzFile file);
+
+const char * __wrap_gzerror(gzFile file,
+                            __attribute__((unused)) int *errnum);
+
+int __wrap_gzwrite(gzFile file,
+                   voidpc buf,
+                   unsigned int len);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.c b/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.c
new file mode 100644
index 0000000000..9eda2da1f7
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.c
@@ -0,0 +1,259 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include "headers/defs.h"
+#include "../common.h"
+
+fpos_t * test_position = NULL;
+
+extern int __real_fclose(FILE *_File);
+int __wrap_fclose(FILE *_File) {
+    if(test_mode) {
+        check_expected(_File);
+        return mock();
+    } else {
+        return __real_fclose(_File);
+    }
+}
+void expect_fclose(FILE *_File, int ret) {
+    expect_value(__wrap_fclose, _File, _File);
+    will_return(__wrap_fclose, ret);
+}
+
+extern int __real_fflush(FILE *__stream);
+int __wrap_fflush(FILE *__stream) {
+    if (test_mode) {
+        return 0;
+    }
+    return __real_fflush(__stream);
+}
+
+extern char * __real_fgets (char * __s, int __n, FILE * __stream);
+char * __wrap_fgets (char * __s, int __n, FILE * __stream) {
+    if (test_mode) {
+        char *buffer = mock_type(char*);
+        check_expected(__stream);
+        if(buffer) {
+            size_t buff_len = strlen(buffer);
+            if (buff_len + 1 < (size_t) __n) {
+                strncpy(__s, buffer, buff_len + 1);
+            } else {
+                strncpy(__s, buffer, __n - 1);
+                __s[ __n - 1] = '\0';
+            }
+            return __s;
+        }
+        return NULL;
+    } else {
+        return __real_fgets(__s, __n, __stream);
+    }
+}
+
+extern int __real_fgetpos(FILE *__restrict __stream, fpos_t * __pos);
+int __wrap_fgetpos (FILE *__restrict __stream, fpos_t * __pos) {
+    if(test_mode) {
+        check_expected(__stream);
+        memcpy(__pos, test_position, sizeof(fpos_t));
+        return mock();
+    } else {
+        return __real_fgetpos(__stream, __pos);
+    }
+}
+
+extern FILE* __real_fopen(const char* path, const char* mode);
+FILE* __wrap_fopen(const char* path, const char* mode) {
+    if(test_mode) {
+        check_expected_ptr(path);
+        check_expected(mode);
+        return mock_ptr_type(FILE*);
+    } else {
+        return __real_fopen(path, mode);
+    }
+}
+void expect_fopen(const char* path, const char* mode, FILE *fp) {
+    expect_string(__wrap_fopen, path, path);
+    expect_string(__wrap_fopen, mode, mode);
+    will_return(__wrap_fopen, fp);
+}
+
+int __wrap_fprintf(FILE *__stream, const char *__format, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+    int ret;
+
+    va_start(args, __format);
+    if (test_mode) {
+        vsnprintf(formatted_msg, OS_MAXSTR, __format, args);
+
+        check_expected(__stream);
+        check_expected(formatted_msg);
+
+        ret = mock();
+    } else {
+        ret = vfprintf(__stream, __format, args);
+    }
+    va_end(args);
+
+    return ret;
+}
+
+void expect_fprintf(FILE *__stream, const char *formatted_msg, int ret) {
+#ifndef WIN32
+    expect_value(__wrap_fprintf, __stream, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, formatted_msg);
+    will_return(__wrap_fprintf, ret);
+#else
+    expect_value(wrap_fprintf, __stream, __stream);
+    expect_string(wrap_fprintf, formatted_msg, formatted_msg);
+    will_return(wrap_fprintf, ret);
+#endif
+}
+
+int __wrap_snprintf(char *__s, size_t __maxlen, const char *__format, ...) {
+    if (test_mode) {
+        check_expected_ptr(__maxlen);
+        check_expected_ptr(__format);
+        memset(__s, 0, __maxlen);
+
+        return mock_type(int);
+    } else {
+        va_list args;
+        va_start(args, __format);
+
+        int val = vsnprintf(__s, __maxlen, __format, args);
+
+        va_end(args);
+
+        return val;
+    }
+}
+
+extern size_t __real_fread(void *ptr, size_t size, size_t n, FILE *stream);
+size_t __wrap_fread(void *ptr, size_t size, size_t n, FILE *stream) {
+    if (test_mode) {
+        strncpy((char *) ptr, mock_type(char *), n);
+        size_t ret = mock();
+        if (ret > n){
+            return n;
+        } else {
+            return ret;
+        }
+    }
+    return __real_fread(ptr, size, n, stream);
+}
+
+void expect_fread(char *file, size_t ret) {
+    will_return(__wrap_fread, file);
+    will_return(__wrap_fread, ret);
+}
+
+long int __wrap_ftell(__attribute__ ((__unused__)) FILE *stream) {
+    return mock();
+}
+
+extern int __real_fseek(FILE *stream, long offset, int whence);
+int __wrap_fseek(FILE *stream, long offset, int whence) {
+    if (test_mode) {
+        return mock();
+    }
+    return __real_fseek(stream, offset, whence);
+}
+
+extern size_t __real_fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
+size_t __wrap_fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream) {
+    if (test_mode) {
+        return mock_type(size_t);
+    }
+    return __real_fwrite(ptr, size, nmemb, stream);
+}
+
+extern int __real_remove(const char *filename);
+int __wrap_remove(const char *filename) {
+    if(test_mode){
+        check_expected(filename);
+        return mock();
+    }
+    return __real_remove(filename);
+}
+
+int __wrap_rename(const char *__old, const char *__new) {
+    check_expected(__old);
+    check_expected(__new);
+    return mock();
+}
+
+void __wrap_clearerr (FILE *__stream) {
+    function_called();
+    check_expected(__stream);
+    return;
+}
+
+int __wrap_fileno (FILE *__stream) {
+    check_expected(__stream);
+    return mock();
+}
+
+extern int __real_fgetc(FILE * stream);
+int __wrap_fgetc(FILE * stream) {
+    if(test_mode) {
+        return mock_type(int);
+    } else {
+        return __real_fgetc(stream);
+    }
+}
+
+int __wrap__fseeki64(__attribute__ ((__unused__)) FILE *stream, \
+                     __attribute__ ((__unused__)) long offset, __attribute__ ((__unused__)) int whence) {
+     return mock();
+}
+
+extern FILE *__real_popen(const char *command, const char *type);
+FILE *__wrap_popen(const char *command, const char *type) {
+    if(!test_mode){
+        return __real_popen(command, type);
+    }
+    check_expected(command);
+    check_expected(type);
+    return mock_ptr_type(FILE*);
+}
+
+void expect_popen(const char *command, const char *type, FILE *ret) {
+  expect_string(__wrap_popen, command, command);
+  expect_string(__wrap_popen, type, type);
+  will_return(__wrap_popen, ret);
+}
+
+int __wrap_pclose(FILE *stream) {
+    check_expected(stream);
+    return mock();
+}
+
+int __wrap_fputc(char character, FILE *stream) {
+    check_expected(character);
+    check_expected(stream);
+    return mock();
+}
+
+FILE *__wrap_open_memstream(char **__bufloc, size_t *__sizeloc) {
+    *__bufloc = mock_type(char *);
+    *__sizeloc = mock_type(size_t);
+    return mock_ptr_type(FILE*);
+}
+
+ssize_t __wrap_getline(char ** lineptr, size_t * n, FILE * stream) {
+    *lineptr = mock_ptr_type(char *);
+    *n = strlen(*lineptr);
+    return *n;
+}
diff --git a/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.h b/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.h
new file mode 100644
index 0000000000..b3d6186abc
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/stdio_wrappers.h
@@ -0,0 +1,69 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STDIO_WRAPPERS_H
+#define STDIO_WRAPPERS_H
+
+#include <stdio.h>
+
+extern fpos_t * test_position;
+
+int __wrap_fclose(FILE *_File);
+void expect_fclose(FILE *_File, int ret);
+
+int __wrap_fflush(FILE *__stream);
+
+char * __wrap_fgets (char * __s, int __n, FILE * __stream);
+
+FILE* __wrap_fopen(const char* path, const char* mode);
+void expect_fopen(const char* path, const char* mode, FILE *fp);
+
+int __wrap_fprintf (FILE *__stream, const char *__format, ...);
+void expect_fprintf(FILE *__stream, const char *formatted_msg, int ret);
+
+int __wrap_snprintf(char *__s, size_t __maxlen, const char *__format, ...);
+
+size_t __wrap_fread(void *ptr, size_t size, size_t n, FILE *stream);
+void expect_fread(char *file, int ret);
+
+long int __wrap_ftell(FILE *__stream);
+
+int __wrap_fseek(FILE *stream, long offset, int whence);
+
+size_t __wrap_fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
+
+int __wrap_remove(const char *filename);
+
+int __wrap_rename(const char *__old, const char *__new);
+
+size_t __wrap_strlen(const char *s);
+
+int __wrap_fgetpos (FILE *__restrict __stream, fpos_t * __pos);
+
+void __wrap_clearerr (FILE *__stream);
+
+int __wrap_fileno (FILE *__stream);
+
+int __wrap_fgetc(FILE * stream);
+
+int __wrap__fseeki64(FILE *stream, long offset, int whence);
+
+FILE *__wrap_popen(const char *command, const char *type);
+void expect_popen(const char *command, const char *type, FILE *ret);
+
+int __wrap_pclose(FILE *stream);
+
+int __wrap_fputc(char character, FILE *stream);
+
+FILE *__wrap_open_memstream(char **__bufloc, size_t *__sizeloc);
+
+ssize_t __wrap_getline(char ** lineptr, size_t * n, FILE * stream);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.c b/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.c
new file mode 100644
index 0000000000..122f57d3eb
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.c
@@ -0,0 +1,52 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "stdlib_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <limits.h>
+#include "../common.h"
+
+
+extern int __real_atexit(void (*callback)(void));
+int __wrap_atexit(void (*callback)(void)) {
+    if(test_mode)
+        return 0;
+    else
+        return __real_atexit(callback);
+}
+
+char *__wrap_realpath(const char *path, char *resolved_path) {
+    check_expected(path);
+    if (resolved_path != NULL) {
+        char *aux = mock_type(char *);
+        if (aux == NULL) {
+            return NULL;
+        }
+        snprintf(resolved_path, PATH_MAX, "%s", aux);
+        return resolved_path;
+    }
+
+    return mock_type(char *);
+}
+
+int __wrap_system(__attribute__((unused))const char *__command) {
+    return mock();
+}
+
+void expect_system(int ret) {
+    will_return(__wrap_system, ret);
+}
+
+int __wrap_mkstemp(__attribute__((unused)) char *template) {
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.h b/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.h
new file mode 100644
index 0000000000..72253f2d6f
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/stdlib_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STDLIB_WRAPPERS_H
+#define STDLIB_WRAPPERS_H
+
+int __wrap_atexit(void (*callback)(void));
+
+char *__wrap_realpath(const char *path, char *resolved_path);
+
+int __wrap_system(const char *__command);
+void expect_system(int ret);
+
+int __wrap_mkstemp(char *template);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/libc/string_wrappers.c b/src/common/utils/tests/unit/wrappers/libc/string_wrappers.c
new file mode 100644
index 0000000000..1a5aebabf3
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/string_wrappers.c
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "string_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+char *__wrap_strerror(__attribute__((unused)) int __errnum) {
+    return mock_type(char*);
+}
+
+size_t __wrap_strlen(const char *s) {
+    check_expected(s);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/libc/string_wrappers.h b/src/common/utils/tests/unit/wrappers/libc/string_wrappers.h
new file mode 100644
index 0000000000..3ca98eb2c0
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/string_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STRING_WRAPPERS_H
+#define STRING_WRAPPERS_H
+
+#include <string.h>
+
+char *__wrap_strerror (int __errnum);
+
+size_t __wrap_strlen(const char *s);
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/libc/time_wrappers.c b/src/common/utils/tests/unit/wrappers/libc/time_wrappers.c
new file mode 100644
index 0000000000..0fc3f7e7dc
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/time_wrappers.c
@@ -0,0 +1,21 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "time_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+
+size_t __wrap_strftime(char * s, size_t max, __attribute__((unused)) const char * format,
+                       __attribute__((unused)) const struct tm * tm) {
+    strncpy(s, mock_type(char *), max);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/libc/time_wrappers.h b/src/common/utils/tests/unit/wrappers/libc/time_wrappers.h
new file mode 100644
index 0000000000..ec9ed7dc5b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/libc/time_wrappers.h
@@ -0,0 +1,17 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef TIME_WRAPPERS_H
+#define TIME_WRAPPERS_H
+
+#include <time.h>
+
+size_t __wrap_strftime(char *s, size_t max, const char *format, const struct tm *tm);
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.c b/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.c
new file mode 100644
index 0000000000..d5c6f86153
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dlfcn_wrappers.h"
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+extern int test_mode;
+
+extern void * __real_dlsym(void * handle, const char * symbol);
+void * __wrap_dlsym(void * handle, const char * symbol) {
+    if (test_mode) {
+        check_expected_ptr(handle);
+        check_expected_ptr(symbol);
+        return mock_ptr_type(void *);
+    } else {
+        return __real_dlsym(handle, symbol);
+    }
+}
+
+// Mock dlerror function
+extern char * __real_dlerror(void);
+char * __wrap_dlerror(void) {
+    if (test_mode) {
+        return mock_ptr_type(char *);
+    } else {
+        return __real_dlerror();
+    }
+}
+
+// Mock dlopen function
+extern void * __real_dlopen(const char * filename, int flags);
+void * __wrap_dlopen(const char * filename, int flags) {
+    if (test_mode) {
+        check_expected_ptr(filename);
+        check_expected(flags);
+        return mock_ptr_type(void *);
+    } else {
+        return __real_dlopen(filename, flags);
+    }
+}
+
+// Mock dlclose function
+extern int __real_dlclose(void * handle);
+int __wrap_dlclose(void * handle) {
+    if (test_mode) {
+        check_expected_ptr(handle);
+        return mock();
+    } else {
+        return __real_dlclose(handle);
+    }
+}
diff --git a/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.h b/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.h
new file mode 100644
index 0000000000..7edd2794af
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/dlfcn_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef DLFCN_WRAPPERS_H
+#define DLFCN_WRAPPERS_H
+
+#include <dlfcn.h>
+
+void * __wrap_dlopen(const char *filename, int flag);
+
+int __wrap_dlclose(void *handle);
+
+void * __wrap_dlsym(void *handle, const char *symbol);
+
+char * __wrap_dlerror(void);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.c b/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.c
new file mode 100644
index 0000000000..ba344f101f
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.c
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "inotify_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_inotify_add_watch(__attribute__((unused)) int fd,
+                             __attribute__((unused)) const char *pathname,
+                             __attribute__((unused)) uint32_t mask) {
+    return mock();
+}
+
+int __wrap_inotify_init() {
+    return mock();
+}
+
+int __wrap_inotify_rm_watch() {
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.h b/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.h
new file mode 100644
index 0000000000..d32a64d05c
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/inotify_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef INOTIFY_WRAPPERS_H
+#define INOTIFY_WRAPPERS_H
+
+#include <stdint.h>
+
+int __wrap_inotify_add_watch(int fd,
+                             const char *pathname,
+                             uint32_t mask);
+
+int __wrap_inotify_init();
+
+int __wrap_inotify_rm_watch();
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.c b/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.c
new file mode 100644
index 0000000000..f2bbd91448
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.c
@@ -0,0 +1,129 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "socket_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <stdlib.h>
+#include "../common.h"
+
+#define BUFFERSIZE 1024
+#define SENDSTRING "Hello World!\n"
+
+int __wrap_socket(__attribute__((unused))int __domain, __attribute__((unused))int __type, __attribute__((unused))int __protocol) {
+    return mock();
+}
+
+int __wrap_bind(__attribute__((unused))int __fd, __attribute__((unused))__CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len) {
+    return mock();
+}
+
+int __wrap_setsockopt(__attribute__((unused))int __fd, __attribute__((unused))int __level, __attribute__((unused))int __optname, __attribute__((unused))const void *__optval, __attribute__((unused))socklen_t __optlen) {
+    return mock();
+}
+
+int __wrap_getsockopt(__attribute__((unused))int __fd, __attribute__((unused))int __level, __attribute__((unused))int __optname, __attribute__((unused))void *__restrict __optval, __attribute__((unused))socklen_t *__restrict __optlen) {
+
+    int number = 100000;
+    void *len = &number;
+    memcpy((int*)__optval, (int*)len, sizeof(int));
+
+    return mock();
+}
+
+int __wrap_listen(__attribute__((unused))int __fd, __attribute__((unused))int __n) {
+    return mock();
+}
+
+int __wrap_connect(__attribute__((unused))int __fd, __attribute__((unused))__CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len) {
+    return mock();
+}
+
+int __wrap_accept(__attribute__((unused))int __fd, struct sockaddr * __addr, __attribute__((unused))socklen_t *__restrict __addr_len) {
+    __addr->sa_family = mock();
+    return mock();
+}
+
+ssize_t __wrap_send(__attribute__((unused))int __fd, __attribute__((unused))const void *__buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags) {
+    return mock();
+}
+
+ssize_t __wrap_sendto(__attribute__((unused)) int __fd, __attribute__((unused)) const void *__buf, __attribute__((unused)) size_t __n, __attribute__((unused)) int __flags,
+                      __attribute__((unused)) __CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len){
+    return mock();
+}
+
+ssize_t __wrap_recv(__attribute__((unused))int __fd, __attribute__((unused))void *__buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags) {
+
+    if(__fd == -1) {
+        return mock();
+    }
+
+    if(__fd == 3 || __fd == 4 || (__fd == 5 && __n == 13)) {
+        char text[BUFFERSIZE];
+        strcpy(text, SENDSTRING);
+        void *buffer = &text;
+        memcpy((char*)__buf, (char*)buffer, sizeof(SENDSTRING));
+    } else if(__fd == 5 && __n != 13) {
+        u_int32_t number = 13;
+        void *buffer = &number;
+        memcpy((u_int32_t*)__buf, (u_int32_t*)buffer, sizeof(u_int32_t));
+    } else if(__fd == 7) {
+        char text[BUFFERSIZE];
+        strcpy(text, "err --------");
+        void *buffertext = &text;
+        // Set the payload buffer size to simulate the cluster message format
+        size_t payload_size = 9;
+        *(uint32_t *)(__buf+4) = wnet_order_big(payload_size);
+        memcpy((char*)__buf+8, (char*)buffertext, 12);
+    }
+
+    return mock();
+}
+
+ssize_t __wrap_recvfrom(__attribute__((unused))int __fd, __attribute__((unused))void *__restrict __buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags, __attribute__((unused))__SOCKADDR_ARG __addr, __attribute__((unused))socklen_t *__restrict __addr_len) {
+
+    if(__fd != -1) {
+        char text[BUFFERSIZE];
+        strcpy(text, SENDSTRING);
+        void *buffer = &text;
+        memcpy((char*)__buf, (char*)buffer, sizeof(SENDSTRING));
+    }
+
+    return mock();
+}
+
+extern int __real_fcntl(__attribute__((unused))int __fd, __attribute__((unused))int __cmd, __attribute__((unused))unsigned long);
+int __wrap_fcntl(int __fd, int __cmd, ...) {
+
+    va_list ap;
+    va_start(ap, __cmd);
+    unsigned long arg = va_arg(ap, unsigned long);
+    va_end(ap);
+
+    if(!test_mode) {
+        return __real_fcntl(__fd, __cmd, arg);
+    }
+    return mock();
+}
+
+int __wrap_getaddrinfo(const char *node, __attribute__((unused))const char *service, __attribute__((unused))const struct addrinfo *hints, struct addrinfo **res) {
+    struct addrinfo* addr;
+    check_expected(node);
+
+    addr = mock_type(struct addrinfo*);
+    if (addr != NULL) {
+        *res = calloc(1, sizeof(struct addrinfo));
+        memcpy(*res, addr, sizeof(struct addrinfo));
+    }
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.h b/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.h
new file mode 100644
index 0000000000..2e6c41923c
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/socket_wrappers.h
@@ -0,0 +1,44 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SOCKET_WRAPPERS_H
+#define SOCKET_WRAPPERS_H
+
+#include <sys/socket.h>
+#include <netdb.h>
+
+int __wrap_socket(__attribute__((unused))int __domain,__attribute__((unused))int __type,__attribute__((unused))int __protocol);
+
+int __wrap_bind(__attribute__((unused))int __fd, __attribute__((unused))__CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len);
+
+int __wrap_setsockopt(__attribute__((unused))int __fd, __attribute__((unused))int __level, __attribute__((unused))int __optname, __attribute__((unused))const void *__optval, __attribute__((unused))socklen_t __optlen);
+
+int __wrap_getsockopt(__attribute__((unused))int __fd, __attribute__((unused))int __level, __attribute__((unused))int __optname, __attribute__((unused))void *__restrict __optval, __attribute__((unused))socklen_t *__restrict __optlen);
+
+int __wrap_listen(__attribute__((unused))int __fd, __attribute__((unused))int __n);
+
+int __wrap_connect(__attribute__((unused))int __fd, __attribute__((unused))__CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len);
+
+int __wrap_accept(__attribute__((unused))int __fd, struct sockaddr * __addr, __attribute__((unused))socklen_t *__restrict __addr_len);
+
+ssize_t __wrap_send(__attribute__((unused))int __fd, __attribute__((unused))const void *__buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags);
+
+ssize_t __wrap_sendto(__attribute__((unused))int __fd, __attribute__((unused))const void *__buf, __attribute__((unused))size_t __n, __attribute__((unused)) int __flags,
+                      __attribute__((unused)) __CONST_SOCKADDR_ARG __addr, __attribute__((unused))socklen_t __len);
+
+ssize_t __wrap_recv(__attribute__((unused))int __fd, __attribute__((unused))void *__buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags);
+
+ssize_t __wrap_recvfrom(__attribute__((unused))int __fd, __attribute__((unused))void *__restrict __buf, __attribute__((unused))size_t __n, __attribute__((unused))int __flags, __attribute__((unused))__SOCKADDR_ARG __addr, __attribute__((unused))socklen_t *__restrict __addr_len);
+
+int __wrap_fcntl(__attribute__((unused))int __fd, __attribute__((unused))int __cmd, ...);
+
+int __wrap_getaddrinfo(const char *node, __attribute__((unused))const char *service, __attribute__((unused))const struct addrinfo *hints, struct addrinfo **res);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.c b/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.c
new file mode 100644
index 0000000000..1ebbb98d35
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.c
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "wait_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <stdio.h>
+
+pid_t __wrap_waitpid(pid_t __pid, int * wstatus, int __options) {
+
+    check_expected(__pid);
+    check_expected(__options);
+    *wstatus = mock_type(int);
+    return mock_type(pid_t);
+}
diff --git a/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.h b/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.h
new file mode 100644
index 0000000000..4e7f3743b2
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/linux/wait_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef WAIT_WRAPPERS_H
+#define WAIT_WRAPPERS_H
+
+#include <sys/types.h>
+#include <sys/wait.h>
+
+pid_t __wrap_waitpid(pid_t __pid, int * wstatus, int __options);
+
+#endif // WAIT_WRAPPERS_H
diff --git a/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.c b/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.c
new file mode 100644
index 0000000000..507fcaf5bd
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include "headers/defs.h"
+#include "../../common.h"
+
+char * wrap_fgets (char * __s, int __n, FILE * __stream) {
+    if (test_mode) {
+        char *buffer = mock_type(char*);
+        check_expected(__stream);
+        if(buffer) {
+            strncpy(__s, buffer, __n);
+            return __s;
+        }
+        return NULL;
+    } else {
+        return fgets(__s, __n, __stream);
+    }
+}
+
+int wrap_fprintf (FILE *__stream, const char *__format, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+    int ret;
+    va_start(args, __format);
+
+    if (test_mode) {
+        vsnprintf(formatted_msg, OS_MAXSTR, __format, args);
+        check_expected(__stream);
+        check_expected(formatted_msg);
+        ret = mock();
+    }
+    else {
+        ret = vfprintf(__stream, __format, args);
+    }
+
+    va_end(args);
+    return ret;
+}
+
+int wrap_snprintf (char * s, size_t n, const char *__format, ...) {
+    va_list args;
+    int ret;
+    va_start(args, __format);
+
+    if (test_mode) {
+        vsnprintf(s, n, __format, args);
+        check_expected(s);
+        ret = mock();
+    }
+    else {
+        ret = snprintf(s, n, __format, args);
+    }
+
+    va_end(args);
+    return ret;
+}
+
+int wrap_fstat (int __fd, struct stat *__buf) {
+    if (test_mode) {
+        int ret = 0;
+        __buf->st_size = mock_type(int);
+        ret = mock_type(int);
+        if (ret < 0) {
+            errno = ESRCH;
+        }
+
+        return ret;
+    }
+
+    return fstat(__fd, __buf);
+}
+
+int wrap_fileno (FILE *fp) {
+    if (test_mode) {
+        return mock_type(int);
+    }
+    return fileno(fp);
+}
+
+int wrap_fclose (FILE *fp) {
+    if (test_mode) {
+        int ret = 0;
+        check_expected(fp);
+        ret = mock_type(int);
+        if (ret < 0) {
+            errno = ESRCH;
+        }
+
+        return ret;
+    }
+    return fclose(fp);
+}
+
+int wrap_fwrite(char *src, int n, size_t size, FILE *fp) {
+    if (test_mode) {
+        check_expected(src);
+        return mock();
+    }
+    return fwrite(src, n, size, fp);
+}
+
+int wrap_fseek(FILE *fp, int seek,  int flag) {
+    if (test_mode) {
+        check_expected(fp);
+        return 1;
+    }
+    return fseek(fp, seek, flag);
+}
+
+void * wrap_mmap (void *start, size_t length, int prot, int flags, int fd, off_t offset) {
+    if (test_mode) {
+        check_expected(fd);
+        void *ret = mock_type(void*);
+        if (ret == MAP_FAILED) {
+            errno = ESRCH;
+        }
+
+        return ret;
+        
+    }
+    return mmap(start, length, prot, flags, fd, offset);
+}
+
+int wrap_munmap (void *mem, size_t size) {
+    if (test_mode) {
+        check_expected(mem);
+        return 1;
+    }
+    return munmap(mem, size);
+}
+
+FILE * wrap_tmpfile () {
+    if (test_mode) {
+        FILE* ret = mock_type(FILE*);
+        if (ret == NULL) {
+            errno = ESRCH;
+        }
+
+        return ret;
+    }
+    return tmpfile();
+}
+
+FILE * wrap_fopen (const char* path, const char* mode) {
+    if(test_mode) {
+        check_expected_ptr(path);
+        check_expected(mode);
+        FILE* ret = mock_ptr_type(FILE*);
+        if (ret == NULL) {
+            errno = ESRCH;
+        }
+
+        return ret;
+    } else {
+        return fopen(path, mode);
+    }
+}
diff --git a/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.h b/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.h
new file mode 100644
index 0000000000..c75b019fa6
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libc/stdio_wrappers.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef STDIO_WRAPPERS_MACOS_H
+#define STDIO_WRAPPERS_MACOS_H
+
+#undef fprintf
+#define fprintf wrap_fprintf
+#undef snprintf
+#define snprintf wrap_snprintf
+#undef fstat
+#define fstat wrap_fstat
+#undef fileno
+#define fileno wrap_fileno
+#undef fclose
+#define fclose wrap_fclose
+#undef fwrite
+#define fwrite wrap_fwrite
+#undef fseek
+#define fseek wrap_fseek
+#undef fgets
+#define fgets wrap_fgets
+#undef mmap
+#define mmap wrap_mmap
+#undef munmap
+#define munmap wrap_munmap
+#undef tmpfile
+#define tmpfile wrap_tmpfile
+#undef fopen
+#define fopen wrap_fopen
+
+
+char * wrap_fgets(char * __s, int __n, FILE * __stream);
+int wrap_fprintf(FILE *__stream, const char *__format, ...);
+int wrap_snprintf(char * s, size_t n, const char *__format, ...);
+int wrap_fstat (int __fd, struct stat *__buf);
+int wrap_fileno(FILE *fp);
+int wrap_fclose(FILE *fp);
+int wrap_fwrite(char *src, int n, size_t size, FILE *fp);
+int wrap_fseek(FILE *fp, int seek,  int flag);
+void * wrap_mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
+int wrap_munmap (void *mem, size_t size);
+FILE * wrap_tmpfile();
+FILE * wrap_fopen (const char* path, const char* mode);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.c b/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.c
new file mode 100644
index 0000000000..9e2cea2a46
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "external/libplist/include/plist/plist.h"
+#include "../common.h"
+#include "../headers/shared.h"
+
+void wrap_plist_from_bin (char * bin, size_t size, plist_t *node) {
+    if (test_mode) {
+        check_expected(bin);
+        *node = mock_type(plist_t);
+        return;
+    }
+    
+    plist_from_bin(bin, size, node);
+}
+
+void wrap_plist_to_xml (plist_t *node, char ** xml, uint32_t *size) {
+    if (test_mode) {
+        check_expected(node);
+        char *tmp = mock_type(char*);
+        w_strdup(tmp, *xml);
+        *size = mock_type(uint32_t);
+        return;
+    }
+    
+    plist_to_xml(node, xml, size);
+}
+
+void wrap_plist_free(plist_t node) {
+    if (test_mode) {
+        check_expected(node);
+        return;
+    }
+    
+    plist_free(node);
+}
\ No newline at end of file
diff --git a/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.h b/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.h
new file mode 100644
index 0000000000..42964e7458
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libplist_wrappers.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef STDIO_WRAPPERS_LIBPLIST_H
+#define STDIO_WRAPPERS_LIBPLIST_H
+
+#include "external/libplist/include/plist/plist.h"
+
+#undef plist_from_bin
+#define plist_from_bin wrap_plist_from_bin
+#undef plist_to_xml
+#define plist_to_xml wrap_plist_to_xml
+#undef plist_free
+#define plist_free wrap_plist_free
+
+void wrap_plist_from_bin (char * bin, size_t size, plist_t *node);
+void wrap_plist_to_xml (plist_t *node, char ** xml, uint32_t *size);
+void wrap_plist_free(plist_t node);
+
+#endif
\ No newline at end of file
diff --git a/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.c b/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.c
new file mode 100644
index 0000000000..e3e538beaa
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../common.h"
+#include "headers/defs.h"
+
+void wrap_mterror(const char *tag, const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void wrap_mtwarn(const char *tag, const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void wrap_mtdebug1(const char *tag, const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+void wrap_mtdebug2(const char *tag, const char *msg, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+
+    check_expected(tag);
+
+    va_start(args, msg);
+    vsnprintf(formatted_msg, OS_MAXSTR, msg, args);
+    va_end(args);
+
+    check_expected(formatted_msg);
+}
+
+int wrap_wm_sendmsg(__attribute__((unused)) int usec,
+                    __attribute__((unused)) int queue,
+                    __attribute__((unused)) const char *message,
+                    __attribute__((unused)) const char *locmsg,
+                    __attribute__((unused)) char loc) {
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.h b/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.h
new file mode 100644
index 0000000000..b018b7b6ee
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/libwazuh_wrappers.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef STDIO_WRAPPERS_LIBWAZUH_H
+#define STDIO_WRAPPERS_LIBWAZUH_H
+
+
+#undef mterror
+#define mterror wrap_mterror
+#undef mtwarn
+#define mtwarn wrap_mtwarn
+#undef mtdebug1
+#define mtdebug1 wrap_mtdebug1
+#undef mtdebug2
+#define mtdebug2 wrap_mtdebug2
+#undef wm_sendmsg
+#define wm_sendmsg wrap_wm_sendmsg
+
+void wrap_mterror(const char *tag, const char *msg, ...);
+void wrap_mtwarn(const char *tag, const char *msg, ...);
+void wrap_mtdebug1(const char *tag, const char *msg, ...);
+void wrap_mtdebug2(const char *tag, const char *msg, ...);
+int wrap_wm_sendmsg(int usec,
+                    int queue,
+                    const char *message,
+                    const char *locmsg,
+                    char loc);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.c b/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.c
new file mode 100644
index 0000000000..e15b286312
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dirent_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <errno.h>
+#include "../../common.h"
+
+int wrap_closedir(__attribute__((unused)) DIR *dirp) {
+    if (test_mode) {
+        check_expected(dirp);
+        return mock_type(int);
+    }
+    return closedir(dirp);
+}
+
+DIR * wrap_opendir(const char *filename) {
+    if(test_mode) {
+        check_expected_ptr(filename);
+        DIR* ret = mock_ptr_type(DIR*);
+        if (ret == NULL) {
+            errno = ESRCH;
+        }
+
+        return ret; 
+    } else {
+        return opendir(filename);
+    }
+}
+
+struct dirent * wrap_readdir(DIR *dirp) {
+    if (test_mode) {
+        return mock_type(struct dirent *);
+    }
+    return readdir(dirp);
+}
diff --git a/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.h b/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.h
new file mode 100644
index 0000000000..3f551b5921
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/macos/posix/dirent_wrappers.h
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef DIRENT_WRAPPERS_MACOS_H
+#define DIRENT_WRAPPERS_MACOS_H
+
+#include <dirent.h>
+
+#undef closedir
+#define closedir wrap_closedir
+#undef opendir
+#define opendir wrap_opendir
+#undef readdir
+#define readdir wrap_readdir
+
+int wrap_closedir(__attribute__((unused)) DIR *dirp);
+
+DIR * wrap_opendir(const char *filename);
+
+struct dirent * wrap_readdir(DIR *dirp);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.c
new file mode 100644
index 0000000000..c54a25a5d5
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.c
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "dirent_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_closedir(__attribute__((unused)) DIR *dirp) {
+    return 1;
+}
+
+int __wrap_opendir() {
+    return mock();
+}
+
+struct dirent * __wrap_readdir() {
+    return mock_type(struct dirent *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.h
new file mode 100644
index 0000000000..7f8057d291
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/dirent_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef DIRENT_WRAPPERS_H
+#define DIRENT_WRAPPERS_H
+
+#include <dirent.h>
+
+int __wrap_closedir(DIR *dirp);
+
+int __wrap_opendir();
+
+struct dirent * __wrap_readdir();
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.c
new file mode 100644
index 0000000000..0ae6f509d9
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.c
@@ -0,0 +1,36 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "grp_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+
+#ifndef WIN32
+struct group *__wrap_getgrgid(__attribute__((unused)) gid_t gid) {
+    return mock_ptr_type(struct group*);
+}
+
+int __wrap_getgrnam_r(const char *name, struct group *grp,__attribute__((unused)) char *buf, size_t buflen, struct group **result) {
+    *result = NULL;
+
+    if (buflen < 1024) {
+        return ERANGE;
+    }
+
+    if (strcmp(name, "wazuh") == 0) {
+        grp->gr_gid = 1000;
+        *result = grp;
+    }
+
+    return 0;
+}
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.h
new file mode 100644
index 0000000000..32bc78de9b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/grp_wrappers.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef GRP_WRAPPERS_H
+#define GRP_WRAPPERS_H
+
+#ifndef WIN32
+#include <stddef.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <errno.h>
+
+
+struct group *__wrap_getgrgid(gid_t gid);
+
+int __wrap_getgrnam_r(const char *name, struct group *grp, char *buf, size_t buflen, struct group **result);
+
+#endif
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.c
new file mode 100644
index 0000000000..fe1a27a30d
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.c
@@ -0,0 +1,59 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "pthread_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void (*pthread_callback_ptr)(void) = NULL;
+
+int __wrap_pthread_mutex_lock(__attribute__((unused)) pthread_mutex_t *x) {
+    function_called();
+    return 0;
+}
+
+int __wrap_pthread_mutex_unlock(__attribute__((unused)) pthread_mutex_t *x) {
+    function_called();
+    return 0;
+}
+
+int __wrap_pthread_rwlock_rdlock(__attribute__((unused)) pthread_rwlock_t *rwlock) {
+    function_called();
+    return 0;
+}
+
+int __wrap_pthread_rwlock_wrlock(__attribute__((unused)) pthread_rwlock_t *rwlock) {
+    function_called();
+    return 0;
+}
+
+int __wrap_pthread_rwlock_unlock(__attribute__((unused)) pthread_rwlock_t *rwlock) {
+    function_called();
+    return 0;
+}
+
+int __wrap_pthread_exit() {
+    return mock();
+}
+
+int __wrap_pthread_cond_wait(pthread_cond_t *cond,pthread_mutex_t *mutex) {
+    check_expected_ptr(cond);
+    check_expected_ptr(mutex);
+    // callback function to avoid infinite loops when testing
+    if (pthread_callback_ptr)
+        pthread_callback_ptr();
+    return 0;
+}
+
+int __wrap_pthread_cond_signal(pthread_cond_t *cond) {
+    check_expected_ptr(cond);
+    return 0;
+}
diff --git a/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.h
new file mode 100644
index 0000000000..cc53411aa0
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/pthread_wrappers.h
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PTHREAD_WRAPPERS_H
+#define PTHREAD_WRAPPERS_H
+
+#include <pthread.h>
+
+int __wrap_pthread_mutex_lock(pthread_mutex_t *x);
+
+int __wrap_pthread_mutex_unlock(pthread_mutex_t *x);
+
+int __wrap_pthread_rwlock_rdlock(pthread_rwlock_t *rwlock);
+
+int __wrap_pthread_rwlock_wrlock(pthread_rwlock_t *rwlock);
+
+int __wrap_pthread_rwlock_unlock(pthread_rwlock_t *rwlock);
+
+int __wrap_pthread_exit();
+
+int __wrap_pthread_cond_wait(pthread_cond_t *cond, pthread_mutex_t *mutex);
+
+int __wrap_pthread_cond_signal(pthread_cond_t *cond);
+
+extern void (*pthread_callback_ptr)(void);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.c
new file mode 100644
index 0000000000..16e77e12c9
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.c
@@ -0,0 +1,59 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "pwd_wrappers.h"
+
+#ifndef WIN32
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <errno.h>
+#include <string.h>
+
+
+int __wrap_getpwnam_r(const char *name,
+                      struct passwd *pwd,
+                      __attribute__((unused))  char *buf,
+                      size_t buflen,
+                      struct passwd **result) {
+    *result = NULL;
+
+    if (buflen < 1024) {
+        return ERANGE;
+    }
+
+    if (strcmp(name, "wazuh") == 0) {
+        pwd->pw_uid = 1000;
+        *result = pwd;
+    }
+
+    return 0;
+}
+// Test solaris version of this wrapper.
+#ifdef SOLARIS
+struct passwd **__wrap_getpwuid_r(__attribute__((unused)) uid_t uid,
+                                  struct passwd *pwd,
+                                  __attribute__((unused)) char *buf,
+                                  __attribute__((unused)) size_t buflen) {
+        pwd->pw_name = mock_type(char*);
+        return mock_type(struct passwd*);
+}
+#else
+int __wrap_getpwuid_r(__attribute__((unused)) uid_t uid,
+                      struct passwd *pwd,
+                      __attribute__((unused)) char *buf,
+                      __attribute__((unused)) size_t buflen,
+                      struct passwd **result) {
+    pwd->pw_name = mock_type(char*);
+    *result = mock_type(struct passwd*);
+    return mock();
+}
+#endif
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.h
new file mode 100644
index 0000000000..65f55399f4
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/pwd_wrappers.h
@@ -0,0 +1,38 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PWD_WRAPPERS_H
+#define PWD_WRAPPERS_H
+
+#ifndef WIN32
+#include <stddef.h>
+#include <pwd.h>
+
+int __wrap_getpwnam_r(const char *name,
+                      struct passwd *pwd,
+                      char *buf,
+                      size_t buflen,
+                      struct passwd **result);
+
+#ifdef SOLARIS
+struct passwd **__wrap_getpwuid_r(uid_t uid,
+                                  struct passwd *pwd,
+                                  char *buf,
+                                  size_t buflen);
+#else
+int __wrap_getpwuid_r(uid_t uid,
+                      struct passwd *pwd,
+                      char *buf,
+                      size_t buflen,
+                      struct passwd **result);
+#endif
+
+#endif
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/select_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/select_wrappers.c
new file mode 100644
index 0000000000..2261743027
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/select_wrappers.c
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+
+#include "select_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+int __wrap_select(__attribute__((unused)) int nfds,
+                  __attribute__((unused)) fd_set *restrict readfds,
+                  __attribute__((unused)) fd_set *restrict writefds,
+                  __attribute__((unused)) fd_set *restrict errorfds,
+                  __attribute__((unused)) struct timeval *restrict timeout) {
+    return mock();
+}
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/select_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/select_wrappers.h
new file mode 100644
index 0000000000..8dda51bf80
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/select_wrappers.h
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SELECT_WRAPPERS_H
+#define SELECT_WRAPPERS_H
+#ifndef WIN32
+
+#include <sys/select.h>
+
+int __wrap_select(int nfds,
+                  fd_set *restrict readfds,
+                  fd_set *restrict writefds,
+                  fd_set *restrict errorfds,
+                  struct timeval *restrict timeout);
+
+#endif
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.c
new file mode 100644
index 0000000000..0a4a13525f
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.c
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "signal_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <stdio.h>
+
+int __wrap_kill(pid_t pid, int sig){
+    
+    check_expected(sig);
+    check_expected(pid);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.h
new file mode 100644
index 0000000000..356cbe4f45
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/signal_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SIGNAL_WRAPPERS_H
+#define SIGNAL_WRAPPERS_H
+
+#include <signal.h>
+#include <sys/types.h>
+
+int __wrap_kill(pid_t pid, int sig);
+
+#endif // SIGNAL_WRAPPERS_H
diff --git a/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.c
new file mode 100644
index 0000000000..ea441a1345
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.c
@@ -0,0 +1,106 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "stat_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../common.h"
+
+#include <string.h>
+
+
+int __wrap_chmod(const char *path) {
+    check_expected_ptr(path);
+    return mock();
+}
+
+int __wrap_fchmod(int fd, mode_t mode) {
+    check_expected(fd);
+    check_expected(mode);
+    return mock();
+}
+
+int __wrap_chown(const char *__file, int __owner, int __group) {
+    check_expected(__file);
+    check_expected(__owner);
+    check_expected(__group);
+
+    return mock();
+}
+
+int __wrap_lstat(const char *filename, struct stat *buf) {
+    struct stat * mock_buf;
+    check_expected(filename);
+
+    mock_buf = mock_type(struct stat *);
+    if (mock_buf != NULL) {
+        memcpy(buf, mock_buf, sizeof(struct stat));
+    }
+    return mock();
+}
+
+int __wrap_fstat(int __fd, struct stat *__buf) {
+    check_expected(__fd);
+    __buf->st_mode = mock();
+    __buf->st_size = mock();
+    return mock();
+}
+
+#ifdef WIN32
+int __wrap_mkdir(const char *__path) {
+    check_expected(__path);
+    return mock();
+}
+#elif defined(__MACH__)
+int __wrap_mkdir(const char *__path, mode_t __mode) {
+    check_expected(__path);
+    check_expected(__mode);
+    return mock();
+}
+#else
+int __wrap_mkdir(const char *__path, __mode_t __mode) {
+    check_expected(__path);
+    check_expected(__mode);
+    return mock();
+}
+#endif
+
+#ifdef WIN32
+void expect_mkdir(const char *__path, int ret) {
+#elif defined(__MACH__)
+void expect_mkdir(const char *__path, mode_t __mode, int ret) {
+    expect_value(__wrap_mkdir, __mode, __mode);
+#else
+void expect_mkdir(const char *__path, __mode_t __mode, int ret) {
+    expect_value(__wrap_mkdir, __mode, __mode);
+#endif
+    expect_string(__wrap_mkdir, __path, __path);
+    will_return(__wrap_mkdir, ret);
+}
+
+extern int __real_stat(const char * __file, struct stat * __buf);
+int __wrap_stat(const char * __file, struct stat * __buf) {
+    struct stat * mock_buf;
+    if (test_mode) {
+        check_expected(__file);
+        mock_buf = mock_type(struct stat *);
+        if (mock_buf != NULL) {
+            memcpy(__buf, mock_buf, sizeof(struct stat));
+        }
+        return mock_type(int);
+    }
+    return __real_stat(__file, __buf);
+}
+
+mode_t __wrap_umask(mode_t mode) {
+    check_expected(mode);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.h
new file mode 100644
index 0000000000..a9b396349f
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/stat_wrappers.h
@@ -0,0 +1,45 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STAT_WRAPPERS_H
+#define STAT_WRAPPERS_H
+
+#include <sys/stat.h>
+
+int __wrap_chmod(const char *path);
+int __wrap_fchmod(int fd, mode_t mode);
+
+int __wrap_chown(const char *__file, int __owner, int __group);
+
+int __wrap_lstat(const char *filename, struct stat *buf);
+
+int __wrap_fstat (int __fd, struct stat *__buf);
+
+#ifdef WIN32
+int __wrap_mkdir(const char *__path);
+#elif defined(__MACH__)
+int __wrap_mkdir(const char *__path, mode_t __mode);
+#else
+int __wrap_mkdir(const char *__path, __mode_t __mode);
+#endif
+
+#ifdef WIN32
+void expect_mkdir(const char *__path, int ret);
+#elif defined(__MACH__)
+void expect_mkdir(const char *__path, mode_t __mode, int ret);
+#else
+void expect_mkdir(const char *__path, __mode_t __mode, int ret);
+#endif
+
+int __wrap_stat(const char * __file, struct stat * __buf);
+
+mode_t __wrap_umask(mode_t mode);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/time_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/time_wrappers.c
new file mode 100644
index 0000000000..1ae78892ad
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/time_wrappers.c
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "time_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+
+time_t __wrap_time(__attribute__ ((unused)) time_t *t) {
+    return mock_type(time_t);
+}
+
+char *__wrap_ctime_r(const time_t *timep, char *buf) {
+    check_expected(timep);
+
+    strncpy(buf, mock_type(const char *), 26);
+
+    return buf;
+}
+
+void __wrap_gettimeofday(struct timeval *__restrict __tv, __attribute__((unused)) void *__restrict __tz) {
+        struct timeval *mocked_time = mock_ptr_type(struct timeval *);
+        if (mocked_time && __tv) {
+            *__tv = *mocked_time;
+        }
+}
diff --git a/src/common/utils/tests/unit/wrappers/posix/time_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/time_wrappers.h
new file mode 100644
index 0000000000..8eba99db00
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/time_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef TIME_WRAPPERS_H
+#define TIME_WRAPPERS_H
+
+#include <time.h>
+#include <sys/time.h>
+
+time_t __wrap_time(time_t *t);
+char *__wrap_ctime_r(const time_t *timep, char *buf);
+
+void __wrap_gettimeofday(__attribute__((unused))struct timeval *__restrict __tv, __attribute__((unused)) void *__restrict __tz);
+
+#endif // TIME_WRAPPERS_H
diff --git a/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.c b/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.c
new file mode 100644
index 0000000000..31109074e3
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.c
@@ -0,0 +1,104 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "unistd_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <string.h>
+#include <stdio.h>
+#include "../common.h"
+
+int __wrap_unlink(const char *file) {
+    check_expected_ptr(file);
+    return mock();
+}
+
+#ifdef WIN32
+int wrap__unlink(const char *file) {
+    check_expected_ptr(file);
+    return mock();
+}
+#endif
+
+int __wrap_close(__attribute__ ((__unused__)) int fd) {
+    return 1;
+}
+
+extern int __real_getpid();
+int __wrap_getpid() {
+    if (test_mode) {
+        return 2345;
+    }
+    return __real_getpid();
+}
+
+#ifndef WIN32
+void __wrap_sleep(unsigned int seconds) {
+    check_expected(seconds);
+    return;
+}
+
+int __wrap_usleep(__attribute__((unused)) useconds_t usec) {
+    function_called();
+    return 0;
+}
+#endif
+
+int __wrap_sysconf(__attribute__((unused)) int name) {
+    return mock();
+}
+
+ssize_t __wrap_read(__attribute__((unused)) int fildes,
+                    void *buf,
+                    size_t nbyte) {
+    char * buffer = mock_type(char *);
+    size_t n = mock_type(size_t);
+    if(buffer) {
+        if (nbyte > n){
+            memcpy(buf, buffer, n);
+            return n;
+        } else {
+            memcpy(buf, buffer, nbyte);
+            return nbyte;
+        }
+    }
+    errno = EFAULT;
+    return -1;
+}
+
+int __wrap_gethostname(char *name, int len) {
+    snprintf(name, len, "%s",mock_type(char*));
+    return mock_type(int);
+}
+
+int __wrap_readlink(__attribute__((unused)) void **state) {
+    return mock();
+}
+
+int __wrap_symlink(const char *path1, const char *path2) {
+    check_expected(path1);
+    check_expected(path2);
+    return mock();
+}
+
+int __wrap_access (const char *__name, int __type) {
+    check_expected(__name);
+    check_expected(__type);
+    return mock();
+}
+
+#ifdef WIN32
+int __wrap__access (const char *__name, int __type) {
+    check_expected(__name);
+    check_expected(__type);
+    return mock();
+}
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.h b/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.h
new file mode 100644
index 0000000000..52686e7da7
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/posix/unistd_wrappers.h
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef UNISTD_WRAPPERS_H
+#define UNISTD_WRAPPERS_H
+
+#include <unistd.h>
+#include <errno.h>
+
+#undef _unlink
+#define _unlink wrap__unlink
+
+int __wrap_unlink(const char *file);
+#ifdef WIN32
+int wrap__unlink(const char *file);
+#endif
+
+#ifndef WIN32
+int __wrap_close(int fd) __attribute__((weak));
+#else
+int __wrap_close(int fd);
+#endif
+
+extern int __real_getpid();
+int __wrap_getpid();
+
+#ifndef WIN32
+void __wrap_sleep(unsigned int seconds);
+#endif
+
+int __wrap_sysconf(int name);
+
+int __wrap_usleep(useconds_t usec);
+
+ssize_t __wrap_read(int fildes, void *buf, size_t nbyte);
+
+int __wrap_gethostname(char *name, int len);
+
+int __wrap_readlink(void **state);
+
+int __wrap_symlink(const char *path1, const char *path2);
+
+int __wrap_access (const char *__name, int __type);
+#ifdef WIN32
+int __wrap__access (const char *__name, int __type);
+#endif
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/shared.cmake b/src/common/utils/tests/unit/wrappers/shared.cmake
new file mode 100644
index 0000000000..91397c3b13
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/shared.cmake
@@ -0,0 +1,32 @@
+set(HASH_OP_WRAPPERS "-Wl,--wrap,OSHash_Add \
+                      -Wl,--wrap,OSHash_Add_ex \
+                      -Wl,--wrap,OSHash_Begin \
+                      -Wl,--wrap,OSHash_Begin_ex \
+                      -Wl,--wrap,OSHash_Clean \
+                      -Wl,--wrap,OSHash_Create \
+                      -Wl,--wrap,OSHash_Delete_ex \
+                      -Wl,--wrap,OSHash_Delete \
+                      -Wl,--wrap,OSHash_Get \
+                      -Wl,--wrap,OSHash_Get_ex \
+                      -Wl,--wrap,OSHash_Get_ex_dup \
+                      -Wl,--wrap,OSHash_Next \
+                      -Wl,--wrap,OSHash_SetFreeDataPointer \
+                      -Wl,--wrap,OSHash_setSize \
+                      -Wl,--wrap,OSHash_Update_ex \
+                      -Wl,--wrap,OSHash_Update \
+                      -Wl,--wrap,OSHash_Get_Elem_ex")
+
+
+set(DEBUG_OP_WRAPPERS "-Wl,--wrap,_mdebug1 \
+                       -Wl,--wrap,_mdebug2 \
+                       -Wl,--wrap,_merror \
+                       -Wl,--wrap,_merror_exit \
+                       -Wl,--wrap,_mferror \
+                       -Wl,--wrap,_minfo \
+                       -Wl,--wrap,_mtdebug1 \
+                       -Wl,--wrap,_mtdebug2 \
+                       -Wl,--wrap,_mterror \
+                       -Wl,--wrap,_mterror_exit \
+                       -Wl,--wrap,_mtinfo \
+                       -Wl,--wrap,_mtwarn \
+                       -Wl,--wrap,_mwarn")
diff --git a/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.c
new file mode 100644
index 0000000000..9a87643b16
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.c
@@ -0,0 +1,72 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "aclapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+DWORD wrap_GetSecurityInfo(__UNUSED_PARAM(HANDLE handle),
+                           __UNUSED_PARAM(SE_OBJECT_TYPE ObjectType),
+                           __UNUSED_PARAM(SECURITY_INFORMATION SecurityInfo),
+                           PSID *ppsidOwner,
+                           PSID *ppsidGroup,
+                           __UNUSED_PARAM(PACL *ppDacl),
+                           __UNUSED_PARAM(PACL *ppSacl),
+                           __UNUSED_PARAM(PSECURITY_DESCRIPTOR *ppSecurityDescriptor)) {
+    if (ppsidOwner) {
+        *ppsidOwner = mock_type(PSID);
+    }
+
+    if (ppsidGroup) {
+        *ppsidGroup = mock_type(PSID);
+    }
+
+    return mock();
+}
+
+void expect_GetSecurityInfo_call(PSID ppsidOwner, PSID pSidGroup, DWORD ret_value) {
+    if (ppsidOwner) will_return(wrap_GetSecurityInfo, ppsidOwner);
+    if (pSidGroup) will_return(wrap_GetSecurityInfo, pSidGroup);
+    will_return(wrap_GetSecurityInfo, ret_value);
+}
+
+DWORD wrap_GetNamedSecurityInfo(LPCSTR pObjectName,
+                                SE_OBJECT_TYPE ObjectType,
+                                SECURITY_INFORMATION SecurityInfo,
+                                __UNUSED_PARAM(PSID *ppsidOwner),
+                                __UNUSED_PARAM(PSID *ppsidGroup),
+                                __UNUSED_PARAM(PACL *ppDacl),
+                                PACL *ppSacl,
+                                PSECURITY_DESCRIPTOR *ppSecurityDescriptor) {
+    check_expected(pObjectName);
+    check_expected(ObjectType);
+    check_expected(SecurityInfo);
+    *ppSacl = mock_type(PACL);
+    *ppSecurityDescriptor = mock_type(PSECURITY_DESCRIPTOR);
+    return mock();
+}
+
+DWORD wrap_SetNamedSecurityInfo(LPSTR pObjectName,
+                                SE_OBJECT_TYPE ObjectType,
+                                SECURITY_INFORMATION SecurityInfo,
+                                PSID psidOwner,
+                                PSID psidGroup,
+                                PACL pDacl,
+                                PACL pSacl) {
+    check_expected(pObjectName);
+    check_expected(ObjectType);
+    check_expected(SecurityInfo);
+    check_expected(psidOwner);
+    check_expected(psidGroup);
+    check_expected(pDacl);
+    check_expected(pSacl);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.h
new file mode 100644
index 0000000000..70bcdb535d
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/aclapi_wrappers.h
@@ -0,0 +1,51 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef ACLAPI_WRAPPERS_H
+#define ACLAPI_WRAPPERS_H
+
+#include <windows.h>
+#include <accctrl.h>
+
+#undef GetNamedSecurityInfo
+#define GetNamedSecurityInfo wrap_GetNamedSecurityInfo
+#undef SetNamedSecurityInfo
+#define SetNamedSecurityInfo wrap_SetNamedSecurityInfo
+#define GetSecurityInfo wrap_GetSecurityInfo
+
+DWORD wrap_GetSecurityInfo(HANDLE handle,
+                           SE_OBJECT_TYPE ObjectType,
+                           SECURITY_INFORMATION SecurityInfo,
+                           PSID *ppsidOwner,
+                           PSID *ppsidGroup,
+                           PACL *ppDacl,
+                           PACL *ppSacl,
+                           PSECURITY_DESCRIPTOR *ppSecurityDescriptor);
+
+void expect_GetSecurityInfo_call(PSID ppsidOwner, PSID pSidGroup, DWORD ret_value);
+
+DWORD wrap_GetNamedSecurityInfo(LPCSTR pObjectName,
+                                SE_OBJECT_TYPE ObjectType,
+                                SECURITY_INFORMATION SecurityInfo,
+                                PSID *ppsidOwner,
+                                PSID *ppsidGroup,
+                                PACL *ppDacl,
+                                PACL *ppSacl,
+                                PSECURITY_DESCRIPTOR *ppSecurityDescriptor);
+
+DWORD wrap_SetNamedSecurityInfo(LPSTR pObjectName,
+                                SE_OBJECT_TYPE ObjectType,
+                                SECURITY_INFORMATION SecurityInfo,
+                                PSID psidOwner,
+                                PSID psidGroup,
+                                PACL pDacl,
+                                PACL pSacl);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.c
new file mode 100644
index 0000000000..63662be8d5
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.c
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "errhandlingapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+DWORD wrap_GetLastError(VOID) {
+    return mock();
+}
+
+void expect_GetLastError_call(int error_code) {
+    will_return(wrap_GetLastError, error_code);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.h
new file mode 100644
index 0000000000..b89ecf070a
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/errhandlingapi_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef ERRHANDLINGAPI_WRAPPERS_H
+#define ERRHANDLINGAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#undef GetLastError
+#define GetLastError wrap_GetLastError
+
+DWORD wrap_GetLastError(VOID);
+
+void expect_GetLastError_call(int error_code);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.c
new file mode 100644
index 0000000000..fa4f560984
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.c
@@ -0,0 +1,137 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "fileapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include "../common.h"
+
+HANDLE wrap_CreateFile(LPCSTR lpFileName,
+                       DWORD dwDesiredAccess,
+                       DWORD dwShareMode,
+                       LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+                       DWORD dwCreationDisposition,
+                       DWORD dwFlagsAndAttributes,
+                       HANDLE hTemplateFile) {
+    if (test_mode) {
+        check_expected(lpFileName);
+        return mock_type(HANDLE);
+    } else {
+        return CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
+    }
+}
+
+void expect_CreateFile_call(const char *filename, HANDLE ret) {
+    expect_string(wrap_CreateFile, lpFileName, filename);
+    will_return(wrap_CreateFile, (HANDLE)ret);
+}
+
+DWORD wrap_GetFileAttributesA(LPCSTR lpFileName) {
+    check_expected(lpFileName);
+    return mock();
+}
+
+WINBOOL wrap_GetVolumePathNamesForVolumeNameW(LPCWSTR lpszVolumeName,
+                                              LPWCH lpszVolumePathNames,
+                                              DWORD cchBufferLength,
+                                              PDWORD lpcchReturnLength) {
+    DWORD buffer_size;
+    check_expected(lpszVolumeName);
+    buffer_size = mock();
+
+    if(lpszVolumePathNames && buffer_size <= cchBufferLength) {
+        memcpy(lpszVolumePathNames, mock_type(LPWCH), cchBufferLength);
+    }
+
+    *lpcchReturnLength = buffer_size;
+    return mock();
+}
+
+HANDLE wrap_FindFirstVolumeW(LPWSTR lpszVolumeName,
+                             DWORD cchBufferLength) {
+    wcsncpy(lpszVolumeName, mock_type(wchar_t*), cchBufferLength);
+    return mock_type(HANDLE);
+}
+
+WINBOOL wrap_FindVolumeClose (HANDLE hFindVolume) {
+    check_expected(hFindVolume);
+    return mock();
+}
+
+DWORD wrap_QueryDosDeviceW(LPCWSTR lpDeviceName,
+                           LPWSTR lpTargetPath,
+                           DWORD ucchMax) {
+    DWORD len = mock();
+    check_expected(lpDeviceName);
+
+    if(len <= ucchMax)
+        memcpy(lpTargetPath, mock_type(LPWSTR), len);
+
+    return mock();
+}
+
+WINBOOL wrap_FindNextVolumeW(HANDLE hFindVolume,
+                             LPWSTR lpszVolumeName,
+                             DWORD cchBufferLength) {
+    check_expected(hFindVolume);
+    wcsncpy(lpszVolumeName, mock_type(LPWSTR), cchBufferLength);
+    return mock();
+}
+
+BOOL wrap_GetFileTime(HANDLE     hFile,
+                      LPFILETIME lpCreationTime,
+                      LPFILETIME lpLastAccessTime,
+                      LPFILETIME lpLastWriteTime) {
+    LPFILETIME lpft;
+
+    check_expected(hFile);
+    if (lpCreationTime){
+        lpft = mock_type(LPFILETIME);
+        lpCreationTime->dwLowDateTime = lpft->dwLowDateTime;
+        lpCreationTime->dwHighDateTime = lpft->dwHighDateTime;
+    }
+    if (lpLastAccessTime){
+        lpft = mock_type(LPFILETIME);
+        lpLastAccessTime->dwLowDateTime = lpft->dwLowDateTime;
+        lpLastAccessTime->dwHighDateTime = lpft->dwHighDateTime;
+    }
+    if (lpLastWriteTime){
+        lpft = mock_type(LPFILETIME);
+        lpLastWriteTime->dwLowDateTime = lpft->dwLowDateTime;
+        lpLastWriteTime->dwHighDateTime = lpft->dwHighDateTime;
+    }
+    return mock_type(BOOL);
+}
+
+HANDLE wrap_FindFirstFile(LPCSTR lpFileName,  LPWIN32_FIND_DATA lpFindFileData) {
+    char *file_name;
+    check_expected(lpFileName);
+
+    file_name = mock_type(char *);
+    if (file_name != NULL) {
+        strcpy(lpFindFileData->cFileName, file_name);
+        lpFindFileData->dwFileAttributes = mock_type(DWORD);
+    }
+
+    return mock_type(HANDLE);
+}
+
+BOOL wrap_FindNextFile(HANDLE hFindFile, LPWIN32_FIND_DATA lpFindFileData) {
+    char *file_name;
+    check_expected(hFindFile);
+    file_name = mock_type(char *);
+    if (file_name != NULL) {
+        strcpy(lpFindFileData->cFileName, file_name);
+        lpFindFileData->dwFileAttributes = mock_type(DWORD);
+    }
+    return mock_type(BOOL);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.h
new file mode 100644
index 0000000000..902bbb534d
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/fileapi_wrappers.h
@@ -0,0 +1,70 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef FILEAPI_WRAPPERS_H
+#define FILEAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#define FindFirstVolumeW wrap_FindFirstVolumeW
+#define GetVolumePathNamesForVolumeNameW wrap_GetVolumePathNamesForVolumeNameW
+#define FindVolumeClose wrap_FindVolumeClose
+#define QueryDosDeviceW wrap_QueryDosDeviceW
+#define FindNextVolumeW wrap_FindNextVolumeW
+#undef  CreateFile
+#define CreateFile      wrap_CreateFile
+#undef  GetFileTime
+#define GetFileTime      wrap_GetFileTime
+#define GetFileAttributesA wrap_GetFileAttributesA
+#undef FindFirstFile
+#define FindFirstFile wrap_FindFirstFile
+#undef FindNextFile
+#define FindNextFile wrap_FindNextFile
+
+HANDLE wrap_CreateFile(LPCSTR lpFileName,
+                       DWORD dwDesiredAccess,
+                       DWORD dwShareMode,
+                       LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+                       DWORD dwCreationDisposition,
+                       DWORD dwFlagsAndAttributes,
+                       HANDLE hTemplateFile);
+
+void expect_CreateFile_call(const char *filename, HANDLE ret);
+
+DWORD wrap_GetFileAttributesA(LPCSTR lpFileName);
+
+WINBOOL wrap_GetVolumePathNamesForVolumeNameW(LPCWSTR lpszVolumeName,
+                                              LPWCH lpszVolumePathNames,
+                                              DWORD cchBufferLength,
+                                              PDWORD lpcchReturnLength);
+
+HANDLE wrap_FindFirstVolumeW(LPWSTR lpszVolumeName,
+                             DWORD cchBufferLength);
+
+WINBOOL wrap_FindVolumeClose(HANDLE hFindVolume);
+
+DWORD wrap_QueryDosDeviceW(LPCWSTR lpDeviceName,
+                           LPWSTR lpTargetPath,
+                           DWORD ucchMax);
+
+WINBOOL wrap_FindNextVolumeW(HANDLE hFindVolume,
+                             LPWSTR lpszVolumeName,
+                             DWORD cchBufferLength);
+
+BOOL wrap_GetFileTime(HANDLE     hFile,
+                      LPFILETIME lpCreationTime,
+                      LPFILETIME lpLastAccessTime,
+                      LPFILETIME lpLastWriteTime);
+
+HANDLE wrap_FindFirstFile(LPCSTR lpFileName,  LPWIN32_FIND_DATAA lpFindFileData);
+
+BOOL wrap_FindNextFile(HANDLE hFindFile, LPWIN32_FIND_DATAA lpFindFileData);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.c
new file mode 100644
index 0000000000..f3241d0d9a
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.c
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "handleapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+WINBOOL wrap_CloseHandle(HANDLE hObject) {
+    check_expected(hObject);
+    return mock();
+}
+
+void expect_CloseHandle_call(HANDLE object, int ret) {
+    expect_value(wrap_CloseHandle, hObject, object);
+    will_return(wrap_CloseHandle, ret);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.h
new file mode 100644
index 0000000000..8e1c28d295
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/handleapi_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef HANDLEAPI_WRAPPERS_H
+#define HANDLEAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#undef CloseHandle
+#define CloseHandle wrap_CloseHandle
+
+WINBOOL wrap_CloseHandle (HANDLE hObject);
+
+void expect_CloseHandle_call(HANDLE object, int ret);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.c
new file mode 100644
index 0000000000..45e537c75c
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "heapapi_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+LPVOID wrap_win_alloc(SIZE_T size) {
+    check_expected(size);
+    return mock_type(LPVOID);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.h
new file mode 100644
index 0000000000..3f2b949600
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/heapapi_wrappers.h
@@ -0,0 +1,20 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef HEAPAPI_WRAPPERS_H
+#define HEAPAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#undef win_alloc
+#define win_alloc wrap_win_alloc
+
+LPVOID wrap_win_alloc(SIZE_T size);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/io_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/io_wrappers.c
new file mode 100644
index 0000000000..185dc28caf
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/io_wrappers.c
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "io_wrappers.h"
+
+char * wrap_mktemp_s(__attribute__((unused)) const char *path, __attribute__((unused)) ssize_t length) {
+    return mock_type(char*);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/io_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/io_wrappers.h
new file mode 100644
index 0000000000..c6265d7106
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/io_wrappers.h
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef IO_WIN_WRAPPERS_H
+#define IO_WIN_WRAPPERS_H
+
+#include <io.h>
+
+#undef _mktemp_s
+#define _mktemp_s  wrap_mktemp_s
+
+char * wrap_mktemp_s(const char *path, ssize_t length);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.c
new file mode 100644
index 0000000000..d55c169660
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.c
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include "kernel32_wrappers.h"
+
+DWORD wrap_WaitForSingleObject(HANDLE hMutex, long value) {
+    check_expected(hMutex);
+    check_expected(value);
+    return mock();
+}
+
+bool wrap_ReleaseMutex(HANDLE hMutex) {
+    check_expected(hMutex);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.h
new file mode 100644
index 0000000000..d8d6bb3c29
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/libc/kernel32_wrappers.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef KERNEL32_WRAPPERS_WINDOWS_H
+#define KERNEL32_WRAPPERS_WINDOWS_H
+
+#include <stdbool.h>
+#include <windows.h>
+
+DWORD wrap_WaitForSingleObject(HANDLE hMutex, long value);
+
+bool wrap_ReleaseMutex(HANDLE hMutex);
+
+#undef WaitForSingleObject
+#define WaitForSingleObject wrap_WaitForSingleObject
+#undef ReleaseMutex
+#define ReleaseMutex wrap_ReleaseMutex
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.c
new file mode 100644
index 0000000000..9912b03c55
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.c
@@ -0,0 +1,56 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include "headers/defs.h"
+#include "../../common.h"
+
+
+char * wrap_fgets(char * __s, int __n, FILE * __stream) {
+    if (test_mode) {
+        char *buffer = mock_type(char*);
+        check_expected(__stream);
+
+        if (buffer) {
+            strncpy(__s, buffer, __n);
+            return __s;
+        }
+
+        return 0;
+    }
+    else {
+        return fgets(__s, __n, __stream);
+    }
+}
+
+
+int wrap_fprintf (FILE *__stream, const char *__format, ...) {
+    char formatted_msg[OS_MAXSTR];
+    va_list args;
+    int ret;
+    va_start(args, __format);
+
+    if (test_mode) {
+        vsnprintf(formatted_msg, OS_MAXSTR, __format, args);
+        check_expected(__stream);
+        check_expected(formatted_msg);
+        ret = mock();
+    }
+    else {
+        ret = vfprintf(__stream, __format, args);
+    }
+
+    va_end(args);
+    return ret;
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.h
new file mode 100644
index 0000000000..9fd3a92dec
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/libc/stdio_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef STDIO_WRAPPERS_WINDOWS_H
+#define STDIO_WRAPPERS_WINDOWS_H
+
+#include <stdio.h>
+
+char * wrap_fgets(char * __s, int __n, FILE * __stream);
+
+int wrap_fprintf(FILE *__stream, const char *__format, ...);
+
+#define fprintf wrap_fprintf
+#define fgets wrap_fgets
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.c
new file mode 100644
index 0000000000..d7c94642ef
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.c
@@ -0,0 +1,59 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "ntsecapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+NTSTATUS wrap_LsaOpenPolicy(__UNUSED_PARAM(PLSA_UNICODE_STRING    SystemName),
+                            __UNUSED_PARAM(PLSA_OBJECT_ATTRIBUTES ObjectAttributes),
+                            __UNUSED_PARAM(ACCESS_MASK            DesiredAccess),
+                            __UNUSED_PARAM(PLSA_HANDLE            PolicyHandle)) {
+    return mock();
+}
+
+NTSTATUS wrap_LsaQueryInformationPolicy(__UNUSED_PARAM(LSA_HANDLE               PolicyHandle),
+                                        __UNUSED_PARAM(POLICY_INFORMATION_CLASS InformationClass),
+                                        PVOID                                   *Buffer) {
+    *Buffer = mock_type(PPOLICY_AUDIT_EVENTS_INFO);
+    return mock();
+}
+
+BOOLEAN wrap_AuditLookupCategoryGuidFromCategoryId(__UNUSED_PARAM(POLICY_AUDIT_EVENT_TYPE AuditCategoryId),
+                                                   GUID                    *pAuditCategoryGuid) {
+    GUID *guid = mock_type(GUID *);
+    *pAuditCategoryGuid = *guid;
+    return mock();
+}
+
+BOOLEAN wrap_AuditEnumerateSubCategories(__UNUSED_PARAM(const GUID *pAuditCategoryGuid),
+                                         __UNUSED_PARAM(BOOLEAN    bRetrieveAllSubCategories),
+                                         __UNUSED_PARAM(GUID       **ppAuditSubCategoriesArray),
+                                         PULONG                    pdwCountReturned) {
+    *pdwCountReturned = mock_type(ULONG);
+    return mock();
+}
+
+BOOLEAN wrap_AuditQuerySystemPolicy(__UNUSED_PARAM(const GUID                *pSubCategoryGuids),
+                                    __UNUSED_PARAM(ULONG                     dwPolicyCount),
+                                    PAUDIT_POLICY_INFORMATION                *ppAuditPolicy) {
+    *ppAuditPolicy = mock_type(AUDIT_POLICY_INFORMATION *);
+    return mock();
+}
+
+NTSTATUS wrap_LsaFreeMemory(__UNUSED_PARAM(PVOID Buffer)) {
+    return 0;
+}
+
+NTSTATUS wrap_LsaClose(__UNUSED_PARAM(LSA_HANDLE ObjectHandle)) {
+    return 0;
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.h
new file mode 100644
index 0000000000..3f171c6e5a
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/ntsecapi_wrappers.h
@@ -0,0 +1,58 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef NTSECAPI_WRAPPERS_H
+#define NTSECAPI_WRAPPERS_H
+
+#include <windows.h>
+#include <ntsecapi.h>
+
+#undef LsaOpenPolicy
+#define LsaOpenPolicy wrap_LsaOpenPolicy
+#undef LsaQueryInformationPolicy
+#define LsaQueryInformationPolicy wrap_LsaQueryInformationPolicy
+#undef AuditLookupCategoryGuidFromCategoryId
+#define AuditLookupCategoryGuidFromCategoryId wrap_AuditLookupCategoryGuidFromCategoryId
+#undef AuditEnumerateSubCategories
+#define AuditEnumerateSubCategories wrap_AuditEnumerateSubCategories
+#undef AuditQuerySystemPolicy
+#define AuditQuerySystemPolicy wrap_AuditQuerySystemPolicy
+#undef LsaFreeMemory
+#define LsaFreeMemory wrap_LsaFreeMemory
+#undef LsaClose
+#define LsaClose wrap_LsaClose
+
+NTSTATUS wrap_LsaOpenPolicy(PLSA_UNICODE_STRING    SystemName,
+                            PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
+                            ACCESS_MASK            DesiredAccess,
+                            PLSA_HANDLE            PolicyHandle);
+
+NTSTATUS wrap_LsaQueryInformationPolicy(LSA_HANDLE                PolicyHandle,
+                                        POLICY_INFORMATION_CLASS  InformationClass,
+                                        PVOID                     *Buffer);
+
+BOOLEAN wrap_AuditLookupCategoryGuidFromCategoryId(POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
+                                                   GUID                    *pAuditCategoryGuid);
+
+BOOLEAN wrap_AuditEnumerateSubCategories(const GUID *pAuditCategoryGuid,
+                                         BOOLEAN    bRetrieveAllSubCategories,
+                                         GUID       **ppAuditSubCategoriesArray,
+                                         PULONG     pdwCountReturned);
+
+BOOLEAN wrap_AuditQuerySystemPolicy(const GUID                *pSubCategoryGuids,
+                                    ULONG                     dwPolicyCount,
+                                    PAUDIT_POLICY_INFORMATION *ppAuditPolicy);
+
+NTSTATUS wrap_LsaFreeMemory(PVOID Buffer);
+
+NTSTATUS wrap_LsaClose(LSA_HANDLE ObjectHandle);
+
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.c
new file mode 100644
index 0000000000..294cd61a18
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.c
@@ -0,0 +1,71 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "processthreadsapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+WINBOOL wrap_SetThreadPriority(HANDLE hThread, int nPriority) {
+    check_expected(hThread);
+    check_expected(nPriority);
+    return mock();
+}
+
+HANDLE wrap_GetCurrentThread(VOID) {
+    return mock_type(HANDLE);
+}
+
+HANDLE wrap_GetCurrentProcess(VOID) {
+    return mock_type(HANDLE);
+}
+
+HANDLE wrap_CreateThread(__UNUSED_PARAM(LPSECURITY_ATTRIBUTES lpThreadAttributes),
+                         __UNUSED_PARAM(SIZE_T dwStackSize),
+                         __UNUSED_PARAM(LPTHREAD_START_ROUTINE lpStartAddress),
+                         __UNUSED_PARAM(PVOID lpParameter),
+                         __UNUSED_PARAM(DWORD dwCreationFlags),
+                         __UNUSED_PARAM(LPDWORD lpThreadId)) {
+    return mock_type(HANDLE);
+}
+
+BOOL wrap_OpenProcessToken(__UNUSED_PARAM (HANDLE  ProcessHandle),
+                           DWORD DesiredAccess,
+                           PHANDLE TokenHandle) {
+    check_expected(DesiredAccess);
+    *TokenHandle = mock_type(HANDLE);
+    return mock();
+}
+
+BOOL wrap_TerminateProcess(__UNUSED_PARAM(HANDLE hProcess),
+                           __UNUSED_PARAM(UINT uExitCode)) {
+    function_called();
+    return mock();
+}
+
+void expect_SetThreadPriority_call(HANDLE handle, int priority, int ret) {
+    expect_value(wrap_SetThreadPriority, hThread, handle);
+    expect_value(wrap_SetThreadPriority, nPriority, priority);
+    will_return(wrap_SetThreadPriority, ret);
+}
+
+BOOL wrap_CreateProcessW(__UNUSED_PARAM(LPCWSTR               lpApplicationName),
+                         LPWSTR                lpCommandLine,
+                         __UNUSED_PARAM(LPSECURITY_ATTRIBUTES lpProcessAttributes),
+                         __UNUSED_PARAM(LPSECURITY_ATTRIBUTES lpThreadAttributes),
+                         __UNUSED_PARAM(BOOL                  bInheritHandles),
+                         __UNUSED_PARAM(DWORD                 dwCreationFlags),
+                         __UNUSED_PARAM(LPVOID                lpEnvironment),
+                         __UNUSED_PARAM(LPCWSTR               lpCurrentDirectory),
+                         __UNUSED_PARAM(LPSTARTUPINFOW        lpStartupInfo),
+                         __UNUSED_PARAM(LPPROCESS_INFORMATION lpProcessInformation)) {
+    check_expected(lpCommandLine);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.h
new file mode 100644
index 0000000000..62de5bcd55
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/processthreadsapi_wrappers.h
@@ -0,0 +1,61 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef PROCESSTHREADSAPI_WRAPPERS_H
+#define PROCESSTHREADSAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#undef OpenProcessToken
+#define OpenProcessToken    wrap_OpenProcessToken
+#define GetCurrentProcess   wrap_GetCurrentProcess
+#define SetThreadPriority   wrap_SetThreadPriority
+#define GetCurrentThread    wrap_GetCurrentThread
+#define CreateThread        wrap_CreateThread
+#define CreateProcessW      wrap_CreateProcessW
+#undef TerminateProcess
+#define TerminateProcess    wrap_TerminateProcess
+
+WINBOOL wrap_SetThreadPriority(HANDLE hThread, int nPriority);
+
+HANDLE wrap_GetCurrentThread(VOID);
+
+HANDLE wrap_GetCurrentProcess(VOID);
+
+HANDLE wrap_CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,
+                         SIZE_T dwStackSize,
+                         LPTHREAD_START_ROUTINE lpStartAddress,
+                         PVOID lpParameter,
+                         DWORD dwCreationFlags,
+                         LPDWORD lpThreadId);
+
+BOOL wrap_OpenProcessToken(HANDLE ProcessHandle,
+                           DWORD DesiredAccess,
+                           PHANDLE TokenHandle);
+
+BOOL wrap_TerminateProcess(__UNUSED_PARAM(HANDLE hProcess),
+                           __UNUSED_PARAM(UINT uExitCode));
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of SetThreadPriority
+ */
+void expect_SetThreadPriority_call(HANDLE handle, int priority, int ret);
+
+BOOL wrap_CreateProcessW(LPCWSTR               lpApplicationName,
+                         LPWSTR                lpCommandLine,
+                         LPSECURITY_ATTRIBUTES lpProcessAttributes,
+                         LPSECURITY_ATTRIBUTES lpThreadAttributes,
+                         BOOL                  bInheritHandles,
+                         DWORD                 dwCreationFlags,
+                         LPVOID                lpEnvironment,
+                         LPCWSTR               lpCurrentDirectory,
+                         LPSTARTUPINFOW        lpStartupInfo,
+                         LPPROCESS_INFORMATION lpProcessInformation);
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.c
new file mode 100644
index 0000000000..cb180ef352
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.c
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "sddl_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+WINBOOL wrap_ConvertSidToStringSid(__UNUSED_PARAM(PSID Sid),
+                                   LPSTR *StringSid) {
+    *StringSid = mock_type(LPSTR);
+    return mock();
+}
+
+void expect_ConvertSidToStringSid_call(LPSTR StringSid, int ret_value) {
+    will_return(wrap_ConvertSidToStringSid, StringSid);
+    will_return(wrap_ConvertSidToStringSid, ret_value);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.h
new file mode 100644
index 0000000000..4cb7a3e2c7
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/sddl_wrappers.h
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SDDL_WRAPPERS_H
+#define SDDL_WRAPPERS_H
+
+#include <windows.h>
+
+#undef  ConvertSidToStringSid
+#define ConvertSidToStringSid wrap_ConvertSidToStringSid
+
+WINBOOL wrap_ConvertSidToStringSid(PSID Sid, LPSTR *StringSid);
+
+void expect_ConvertSidToStringSid_call(LPSTR StringSid, int ret_value);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.c
new file mode 100644
index 0000000000..640d65c846
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.c
@@ -0,0 +1,128 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "securitybaseapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+WINBOOL wrap_IsValidSid(__UNUSED_PARAM(PSID pSid)) {
+    return mock();
+}
+
+WINBOOL wrap_GetSecurityDescriptorDacl(__UNUSED_PARAM(PSECURITY_DESCRIPTOR pSecurityDescriptor),
+                                       LPBOOL lpbDaclPresent,
+                                       PACL *pDacl,
+                                       __UNUSED_PARAM(LPBOOL lpbDaclDefaulted)) {
+    *lpbDaclPresent = mock();
+
+    if(*lpbDaclPresent == TRUE)
+        *pDacl = mock_type(PACL);
+
+    return mock();
+}
+
+void expect_GetSecurityDescriptorDacl_call(int fDaclPresent, PACL *pDacl, int ret_value) {
+    will_return(wrap_GetSecurityDescriptorDacl, fDaclPresent);
+    will_return(wrap_GetSecurityDescriptorDacl, pDacl);
+    will_return(wrap_GetSecurityDescriptorDacl, ret_value);
+}
+
+WINBOOL wrap_GetAclInformation(__UNUSED_PARAM(PACL pAcl),
+                               LPVOID pAclInformation,
+                               DWORD nAclInformationLength,
+                               __UNUSED_PARAM(ACL_INFORMATION_CLASS dwAclInformationClass)) {
+    LPVOID acl_information = mock_type(LPVOID);
+
+    if(acl_information != NULL)
+        memcpy(pAclInformation, acl_information, nAclInformationLength);
+
+    return mock();
+}
+
+void expect_GetAclInformation_call(LPVOID pAclInformation, int ret_value) {
+    will_return(wrap_GetAclInformation, pAclInformation);
+    will_return(wrap_GetAclInformation, ret_value);
+}
+
+WINBOOL wrap_GetAce(__UNUSED_PARAM(PACL pAcl),
+                    __UNUSED_PARAM(DWORD dwAceIndex),
+                    LPVOID *pAce) {
+    *pAce = mock_type(LPVOID);
+    return mock();
+}
+
+void expect_GetAce_call(LPVOID *pAce, int ret_value) {
+    will_return(wrap_GetAce, pAce);
+    will_return(wrap_GetAce, ret_value);
+}
+
+WINBOOL wrap_AdjustTokenPrivileges(HANDLE TokenHandle,
+                                   WINBOOL DisableAllPrivileges,
+                                   __UNUSED_PARAM(PTOKEN_PRIVILEGES NewState),
+                                   __UNUSED_PARAM(DWORD BufferLength),
+                                   __UNUSED_PARAM(PTOKEN_PRIVILEGES PreviousState),
+                                   __UNUSED_PARAM(PDWORD ReturnLength)) {
+    check_expected(TokenHandle);
+    check_expected(DisableAllPrivileges);
+    return mock();
+}
+
+WINBOOL wrap_AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
+                                      BYTE nSubAuthorityCount,
+                                      __UNUSED_PARAM(DWORD nSubAuthority0),
+                                      __UNUSED_PARAM(DWORD nSubAuthority1),
+                                      __UNUSED_PARAM(DWORD nSubAuthority2),
+                                      __UNUSED_PARAM(DWORD nSubAuthority3),
+                                      __UNUSED_PARAM(DWORD nSubAuthority4),
+                                      __UNUSED_PARAM(DWORD nSubAuthority5),
+                                      __UNUSED_PARAM(DWORD nSubAuthority6),
+                                      __UNUSED_PARAM(DWORD nSubAuthority7),
+                                      __UNUSED_PARAM(PSID *pSid)) {
+    check_expected(pIdentifierAuthority);
+    check_expected(nSubAuthorityCount);
+    return mock();
+}
+
+WINBOOL wrap_InitializeAcl(PACL pAcl,
+                           DWORD nAclLength,
+                           DWORD dwAclRevision) {
+    check_expected(pAcl);
+    check_expected(nAclLength);
+    check_expected(dwAclRevision);
+    return mock();
+}
+
+WINBOOL wrap_CopySid(__UNUSED_PARAM(DWORD nDestinationSidLength),
+                     __UNUSED_PARAM(PSID pDestinationSid),
+                     __UNUSED_PARAM(PSID pSourceSid)) {
+    return mock();
+}
+
+WINBOOL wrap_AddAce(PACL pAcl,
+                    __UNUSED_PARAM(DWORD dwAceRevision),
+                    __UNUSED_PARAM(DWORD dwStartingAceIndex),
+                    __UNUSED_PARAM(LPVOID pAceList),
+                    __UNUSED_PARAM(DWORD nAceListLength)) {
+    check_expected(pAcl);
+    return mock();
+}
+
+WINBOOL wrap_EqualSid(__UNUSED_PARAM(PSID pSid1),
+                      __UNUSED_PARAM(PSID pSid2)) {
+    return mock();
+}
+
+BOOL wrap_DeleteAce(PACL  pAcl,
+                    DWORD dwAceIndex){
+    check_expected(pAcl);
+    check_expected(dwAceIndex);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.h
new file mode 100644
index 0000000000..acf88925aa
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/securitybaseapi_wrappers.h
@@ -0,0 +1,89 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SECURITYBASEAPI_WRAPPERS_H
+#define SECURITYBASEAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#define AdjustTokenPrivileges wrap_AdjustTokenPrivileges
+#define AllocateAndInitializeSid wrap_AllocateAndInitializeSid
+#define GetAclInformation wrap_GetAclInformation
+#define InitializeAcl wrap_InitializeAcl
+#define CopySid wrap_CopySid
+#define GetAce wrap_GetAce
+#define AddAce wrap_AddAce
+#define EqualSid wrap_EqualSid
+#define DeleteAce wrap_DeleteAce
+#define IsValidSid wrap_IsValidSid
+#define GetSecurityDescriptorDacl wrap_GetSecurityDescriptorDacl
+
+WINBOOL wrap_IsValidSid(PSID pSid);
+
+WINBOOL wrap_GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                       LPBOOL lpbDaclPresent,
+                                       PACL *pDacl,
+                                       LPBOOL lpbDaclDefaulted);
+
+void expect_GetSecurityDescriptorDacl_call(int fDaclPresent, PACL *pDacl, int ret_value);
+
+WINBOOL wrap_GetAclInformation(PACL pAcl,
+                               LPVOID pAclInformation,
+                               DWORD nAclInformationLength,
+                               ACL_INFORMATION_CLASS dwAclInformationClass);
+
+void expect_GetAclInformation_call(LPVOID pAclInformation, int ret_value);
+
+WINBOOL wrap_GetAce(PACL pAcl,
+                    DWORD dwAceIndex,
+                    LPVOID *pAce);
+
+void expect_GetAce_call(LPVOID *pAce, int ret_value);
+
+WINBOOL wrap_AdjustTokenPrivileges(HANDLE TokenHandle,
+                                   WINBOOL DisableAllPrivileges,
+                                   PTOKEN_PRIVILEGES NewState,
+                                   DWORD BufferLength,
+                                   PTOKEN_PRIVILEGES PreviousState,
+                                   PDWORD ReturnLength);
+
+WINBOOL wrap_AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
+                                      BYTE nSubAuthorityCount,
+                                      DWORD nSubAuthority0,
+                                      DWORD nSubAuthority1,
+                                      DWORD nSubAuthority2,
+                                      DWORD nSubAuthority3,
+                                      DWORD nSubAuthority4,
+                                      DWORD nSubAuthority5,
+                                      DWORD nSubAuthority6,
+                                      DWORD nSubAuthority7,
+                                      PSID *pSid);
+
+WINBOOL wrap_InitializeAcl(PACL pAcl,
+                           DWORD nAclLength,
+                           DWORD dwAclRevision);
+
+WINBOOL wrap_CopySid(DWORD nDestinationSidLength,
+                     PSID pDestinationSid,
+                     PSID pSourceSid);
+
+WINBOOL wrap_AddAce(PACL pAcl,
+                    DWORD dwAceRevision,
+                    DWORD dwStartingAceIndex,
+                    LPVOID pAceList,
+                    DWORD nAceListLength);
+
+WINBOOL wrap_EqualSid(PSID pSid1,
+                      PSID pSid2);
+
+BOOL wrap_DeleteAce(PACL  pAcl,
+                    DWORD dwAceIndex);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.c
new file mode 100644
index 0000000000..43db9e7fb4
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "stringapiset_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int wrap_WideCharToMultiByte(__UNUSED_PARAM(UINT CodePage),
+                             __UNUSED_PARAM(DWORD dwFlags),
+                             LPCWCH lpWideCharStr,
+                             int cchWideChar,
+                             LPSTR lpMultiByteStr,
+                             int cbMultiByte,
+                             __UNUSED_PARAM(LPCCH lpDefaultChar),
+                             __UNUSED_PARAM(LPBOOL lpUsedDefaultChar)) {
+    check_expected(lpWideCharStr);
+    check_expected(cchWideChar);
+
+    if(lpMultiByteStr)
+        strncpy(lpMultiByteStr, mock_type(char*), cbMultiByte);
+
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.h
new file mode 100644
index 0000000000..4bf9fe776a
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/stringapiset_wrappers.h
@@ -0,0 +1,27 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef STRINGAPISET_WRAPPERS_H
+#define STRINGAPISET_WRAPPERS_H
+
+#include <windows.h>
+
+#define WideCharToMultiByte wrap_WideCharToMultiByte
+
+int wrap_WideCharToMultiByte(UINT CodePage,
+                             DWORD dwFlags,
+                             LPCWCH lpWideCharStr,
+                             int cchWideChar,
+                             LPSTR lpMultiByteStr,
+                             int cbMultiByte,
+                             LPCCH lpDefaultChar,
+                             LPBOOL lpUsedDefaultChar);
+
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.c
new file mode 100644
index 0000000000..2c84e50c67
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.c
@@ -0,0 +1,36 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "synchapi_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+VOID wrap_Sleep(DWORD dwMilliseconds) {
+    check_expected(dwMilliseconds);
+}
+
+HANDLE wrap_CreateEvent(LPSECURITY_ATTRIBUTES lpEventAttributes,
+                        WINBOOL bManualReset,
+                        WINBOOL bInitialState,
+                        LPCSTR lpName) {
+    check_expected(lpEventAttributes);
+    check_expected(bManualReset);
+    check_expected(bInitialState);
+    check_expected(lpName);
+    return mock_type(HANDLE);
+}
+
+DWORD wrap_WaitForSingleObjectEx(HANDLE hHandle, DWORD dwMilliseconds, BOOL bAlertable) {
+    check_expected(hHandle);
+    check_expected(dwMilliseconds);
+    check_expected(bAlertable);
+    return mock_type(DWORD);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.h
new file mode 100644
index 0000000000..d9738d5e8a
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/synchapi_wrappers.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYNCHAPI_WRAPPERS_H
+#define SYNCHAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#define Sleep wrap_Sleep
+#undef CreateEvent
+#define CreateEvent wrap_CreateEvent
+#undef WaitForSingleObjectEx
+#define WaitForSingleObjectEx wrap_WaitForSingleObjectEx
+
+VOID wrap_Sleep(DWORD dwMilliseconds);
+
+HANDLE wrap_CreateEvent(LPSECURITY_ATTRIBUTES lpEventAttributes,
+                        WINBOOL bManualReset,
+                        WINBOOL bInitialState,
+                        LPCSTR lpName);
+
+DWORD wrap_WaitForSingleObjectEx(HANDLE hHandle, DWORD dwMilliseconds, BOOL bAlertable);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.c
new file mode 100644
index 0000000000..e325c68049
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.c
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysinfoapi_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+VOID wrap_GetSystemTime(LPSYSTEMTIME lpSystemTime) {
+  memcpy(lpSystemTime, mock_type(LPSYSTEMTIME), sizeof(SYSTEMTIME));
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.h
new file mode 100644
index 0000000000..c16e0b7d78
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/sysinfoapi_wrappers.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef SYSINFOAPI_WRAPPERS_H
+#define SYSINFOAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#define GetSystemTime wrap_GetSystemTime
+
+VOID wrap_GetSystemTime(LPSYSTEMTIME lpSystemTime);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.c
new file mode 100644
index 0000000000..390d3522c8
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "system_calls_wrappers.h"
+
+char * wrap_getenv(const char *name) {
+    check_expected(name);
+    return mock_type(char *);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.h
new file mode 100644
index 0000000000..007a56704e
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/system_calls_wrappers.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYSTEM_CALLS_WRAPPERS_H
+#define SYSTEM_CALLS_WRAPPERS_H
+
+//#undef _mktemp_s
+//#define _mktemp_s  wrap_mktemp_s
+
+char * wrap_getenv(const char *name);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.c
new file mode 100644
index 0000000000..5a10adacec
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "timezoneapi_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+WINBOOL wrap_FileTimeToSystemTime(CONST FILETIME *lpFileTime,
+                                  LPSYSTEMTIME lpSystemTime) {
+    check_expected(lpFileTime);
+    memcpy(lpSystemTime, mock_type(LPSYSTEMTIME), sizeof(SYSTEMTIME));
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.h
new file mode 100644
index 0000000000..dc4e74f5a4
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/timezoneapi_wrappers.h
@@ -0,0 +1,22 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef TIMEZONEAPI_WRAPPERS_H
+#define TIMEZONEAPI_WRAPPERS_H
+
+#include <windows.h>
+
+#define FileTimeToSystemTime wrap_FileTimeToSystemTime
+
+WINBOOL wrap_FileTimeToSystemTime(CONST FILETIME *lpFileTime,
+                                  LPSYSTEMTIME lpSystemTime);
+
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/url_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/url_wrappers.c
new file mode 100644
index 0000000000..8df82a3353
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/url_wrappers.c
@@ -0,0 +1,110 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "url_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+CURL* wrap_curl_easy_init() {
+    return mock_type(CURL *);
+}
+
+void wrap_curl_easy_cleanup(CURL *curl) {
+    check_expected_ptr(curl);
+}
+
+CURLcode wrap_curl_easy_setopt(CURL *curl, CURLoption option, __attribute__ ((__unused__)) void *parameter) {
+    check_expected(option);
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
+
+struct curl_slist* wrap_curl_slist_append(struct curl_slist *list, const char *data) {
+    check_expected(data);
+    check_expected_ptr(list);
+
+    return mock_type(struct curl_slist *);
+}
+
+int wrap_wurl_request(const char * url,
+                        const char * dest,
+                        const char *header,
+                        const char *data,
+                        const long timeout) {
+    if (url) {
+        check_expected(url);
+    }
+
+    if (dest) {
+        check_expected(dest);
+    }
+
+    if (header) {
+        check_expected(header);
+    }
+
+    if (data) {
+        check_expected(data);
+    }
+
+    if (timeout) {
+        check_expected(timeout);
+    }
+
+    return mock();
+}
+
+char* wrap_wurl_http_get(const char * url, __attribute__((unused)) size_t max_size, long timeout) {
+    check_expected(url);
+
+    check_expected(timeout);
+
+    return mock_type(char *);
+}
+
+curl_response* wrap_wurl_http_request(char *method, char **headers, const char* url, const char *payload, size_t max_size, long timeout) {
+    check_expected(method);
+
+    char** ptr = headers;
+    for (char* header = *ptr; header; header=*++ptr) {
+        check_expected(header);
+    }
+
+    check_expected(url);
+
+    if (payload) {
+        check_expected(payload);
+    }
+
+    check_expected(max_size);
+
+    check_expected(timeout);
+
+    return mock_type(curl_response*);
+}
+
+CURLcode wrap_curl_easy_perform(CURL *curl) {
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
+
+void wrap_curl_slist_free_all(struct curl_slist *list) {
+    check_expected_ptr(list);
+}
+
+CURLcode wrap_curl_easy_getinfo(CURL *curl, CURLoption option, __attribute__ ((__unused__)) void *parameter) {
+    check_expected(option);
+    check_expected_ptr(curl);
+
+    return mock_type(CURLcode);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/url_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/url_wrappers.h
new file mode 100644
index 0000000000..0427f6f4bf
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/url_wrappers.h
@@ -0,0 +1,45 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#ifndef URL_WRAPPERS_H
+#define URL_WRAPPERS_H
+
+#include <stdbool.h>
+#include "headers/url.h"
+
+#define curl_easy_init wrap_curl_easy_init
+#define curl_easy_cleanup wrap_curl_easy_cleanup
+#undef curl_easy_setopt
+#define curl_easy_setopt wrap_curl_easy_setopt
+#define curl_slist_append wrap_curl_slist_append
+#define curl_easy_perform wrap_curl_easy_perform
+#define curl_slist_free_all wrap_curl_slist_free_all
+#undef curl_easy_getinfo
+#define curl_easy_getinfo wrap_curl_easy_getinfo
+
+CURL* wrap_curl_easy_init();
+
+void wrap_curl_easy_cleanup(CURL* curl);
+
+CURLcode wrap_curl_easy_setopt(CURL *curl, CURLoption option, void *parameter);
+
+struct curl_slist* wrap_curl_slist_append(struct curl_slist *list, const char *string);
+
+CURLcode wrap_curl_easy_perform(CURL *curl);
+
+void wrap_curl_slist_free_all(struct curl_slist *list);
+
+int wrap_wurl_request(const char * url, const char * dest, const char *header, const char *data, const long timeout);
+
+char* wrap_wurl_http_get(const char * url, size_t max_size, long timeout);
+
+curl_response* wrap_wurl_http_request(char *method, char **headers, const char* url, const char *payload, size_t max_size, long timeout);
+
+CURLcode wrap_curl_easy_getinfo(CURL *curl, CURLoption option, void *parameter);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.c
new file mode 100644
index 0000000000..b7303d2eea
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.c
@@ -0,0 +1,108 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "winbase_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <tchar.h>
+
+DWORD wrap_FormatMessage(DWORD dwFlags,
+                         __UNUSED_PARAM(LPCVOID lpSource),
+                         __UNUSED_PARAM(DWORD dwMessageId),
+                         __UNUSED_PARAM(DWORD dwLanguageId),
+                         LPTSTR lpBuffer,
+                         DWORD nSize,
+                         __UNUSED_PARAM(va_list *Arguments)) {
+
+    if (dwFlags & FORMAT_MESSAGE_ALLOCATE_BUFFER) {
+        *((LPTSTR*)lpBuffer) = mock_type(char*);
+    }
+    else {
+        char *mockMessage = mock_type(char*);
+        _stprintf_s(lpBuffer, nSize, _T("%hs"), mockMessage);
+    }
+    return 0;
+}
+
+void expect_FormatMessage_call(char *buffer) {
+    will_return(wrap_FormatMessage, buffer);
+}
+
+HLOCAL wrap_LocalFree(__UNUSED_PARAM(HLOCAL hMem)) {
+    return NULL;
+}
+
+WINBOOL wrap_LookupAccountSid(__UNUSED_PARAM(LPCSTR lpSystemName),
+                              __UNUSED_PARAM(PSID Sid),
+                              LPSTR Name,
+                              LPDWORD cchName,
+                              LPSTR ReferencedDomainName,
+                              LPDWORD cchReferencedDomainName,
+                              __UNUSED_PARAM(PSID_NAME_USE peUse)) {
+    if (Name != NULL) {
+        strncpy(Name, mock_type(char*), *cchName);
+    } else {
+        *cchName = mock();
+    }
+
+    if (ReferencedDomainName != NULL) {
+        strncpy(ReferencedDomainName, mock_type(char*), *cchReferencedDomainName);
+    } else {
+        *cchReferencedDomainName = mock();
+    }
+
+    return mock();
+}
+
+void expect_LookupAccountSid_call(char *name, char *DomainName, int ret_value) {
+    will_return(wrap_LookupAccountSid, name);
+    will_return(wrap_LookupAccountSid, DomainName);
+    will_return(wrap_LookupAccountSid, ret_value);
+}
+
+WINBOOL wrap_GetFileSecurity(LPCSTR lpFileName,
+                             __UNUSED_PARAM(SECURITY_INFORMATION RequestedInformation),
+                             PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                             DWORD nLength,
+                             LPDWORD lpnLengthNeeded) {
+    check_expected(lpFileName);
+
+    if(!nLength) {
+        *lpnLengthNeeded = mock();
+    } else {
+        PSECURITY_DESCRIPTOR sec_desc = mock_type(PSECURITY_DESCRIPTOR);
+
+        if(sec_desc) {
+            memcpy(pSecurityDescriptor, sec_desc, nLength);
+        }
+    }
+
+    return mock();
+}
+
+WINBOOL wrap_ReadDirectoryChangesW(__UNUSED_PARAM(HANDLE hDirectory),
+                                   __UNUSED_PARAM(LPVOID lpBuffer),
+                                   __UNUSED_PARAM(DWORD nBufferLength),
+                                   __UNUSED_PARAM(WINBOOL bWatchSubtree),
+                                   __UNUSED_PARAM(DWORD dwNotifyFilter),
+                                   __UNUSED_PARAM(LPDWORD lpBytesReturned),
+                                   __UNUSED_PARAM(LPOVERLAPPED lpOverlapped),
+                                   __UNUSED_PARAM(LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)) {
+    return mock();
+}
+
+BOOL wrap_LookupPrivilegeValue(__UNUSED_PARAM(LPCSTR lpSystemName),
+                               LPCSTR lpName,
+                               __UNUSED_PARAM(PLUID  lpLuid)) {
+    check_expected(lpName);
+    lpLuid = mock_type(PLUID);
+    return mock();
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.h
new file mode 100644
index 0000000000..3284e16f1b
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winbase_wrappers.h
@@ -0,0 +1,67 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef WINBASE_WRAPPERS_H
+#define WINBASE_WRAPPERS_H
+
+#include <windows.h>
+
+#undef  LookupPrivilegeValue
+#define LookupPrivilegeValue wrap_LookupPrivilegeValue
+#define LocalFree wrap_LocalFree
+#undef  FormatMessage
+#define FormatMessage wrap_FormatMessage
+#undef  LookupAccountSid
+#define LookupAccountSid wrap_LookupAccountSid
+#undef  GetFileSecurity
+#define GetFileSecurity wrap_GetFileSecurity
+#define ReadDirectoryChangesW wrap_ReadDirectoryChangesW
+
+DWORD wrap_FormatMessage(DWORD dwFlags,
+                         LPCVOID lpSource,
+                         DWORD dwMessageId,
+                         DWORD dwLanguageId,
+                         LPTSTR lpBuffer,
+                         DWORD nSize,
+                         va_list *Arguments);
+
+void expect_FormatMessage_call(char *buffer);
+
+HLOCAL wrap_LocalFree(HLOCAL hMem);
+
+WINBOOL wrap_GetFileSecurity(LPCSTR lpFileName,
+                             SECURITY_INFORMATION RequestedInformation,
+                             PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                             DWORD nLength, LPDWORD lpnLengthNeeded);
+
+WINBOOL wrap_LookupAccountSid(LPCSTR lpSystemName,
+                              PSID Sid,
+                              LPSTR Name,
+                              LPDWORD cchName,
+                              LPSTR ReferencedDomainName,
+                              LPDWORD cchReferencedDomainName,
+                              PSID_NAME_USE peUse);
+
+void expect_LookupAccountSid_call(char *name, char *DomainName, int ret_value);
+
+WINBOOL wrap_ReadDirectoryChangesW(HANDLE hDirectory,
+                                   LPVOID lpBuffer,
+                                   DWORD nBufferLength,
+                                   WINBOOL bWatchSubtree,
+                                   DWORD dwNotifyFilter,
+                                   LPDWORD lpBytesReturned,
+                                   LPOVERLAPPED lpOverlapped,
+                                   LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);
+
+BOOL wrap_LookupPrivilegeValue(LPCSTR lpSystemName,
+                               LPCSTR lpName,
+                               PLUID  lpLuid);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.c
new file mode 100644
index 0000000000..d5d3be7139
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "winevt_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <tchar.h>
+
+BOOL wrap_EvtRender(EVT_HANDLE Context,
+                    EVT_HANDLE Fragment,
+                    DWORD      Flags,
+                    DWORD      BufferSize,
+                    PVOID      Buffer,
+                    PDWORD     BufferUsed,
+                    PDWORD     PropertyCount) {
+  check_expected_ptr(Context);
+  check_expected_ptr(Fragment);
+  check_expected(Flags);
+  check_expected(BufferSize);
+  PEVT_VARIANT output = mock_ptr_type(PEVT_VARIANT);
+  *BufferUsed = mock_type(int);
+  *PropertyCount = mock_type(int);
+  if (output && Buffer && *BufferUsed <= BufferSize) {
+    memcpy(Buffer, output, *BufferUsed);
+  }
+  return mock();
+}
+
+EVT_HANDLE wrap_EvtCreateRenderContext(DWORD   ValuePathsCount,
+                                       LPCWSTR *ValuePaths,
+                                       DWORD   Flags) {
+    check_expected(ValuePathsCount),
+    check_expected_ptr(ValuePaths);
+    check_expected(Flags);
+    return mock_type(EVT_HANDLE);
+}
+
+EVT_HANDLE wrap_EvtSubscribe(EVT_HANDLE             Session,
+                             HANDLE                 SignalEvent,
+                             LPCWSTR                ChannelPath,
+                             LPCWSTR                Query,
+                             EVT_HANDLE             Bookmark,
+                             PVOID                  Context,
+                             EVT_SUBSCRIBE_CALLBACK Callback,
+                             DWORD                  Flags) {
+    check_expected_ptr(Session);
+    check_expected(SignalEvent);
+    check_expected(ChannelPath);
+    check_expected(Query);
+    check_expected(Bookmark);
+    check_expected(Context);
+    check_expected_ptr(Callback);
+    check_expected(Flags);
+    return mock_type(EVT_HANDLE);
+}
+
+BOOL wrap_EvtClose(__UNUSED_PARAM(EVT_HANDLE object)) {
+    return mock_type(BOOL);
+}
+
+EVT_HANDLE wrap_EvtOpenPublisherMetadata(EVT_HANDLE Session,
+                                         LPCWSTR    PublisherId,
+                                         LPCWSTR    LogFilePath,
+                                         LCID       Locale,
+                                         DWORD      Flags) {
+  check_expected_ptr(Session);
+  check_expected(PublisherId);
+  check_expected(LogFilePath);
+  check_expected(Locale);
+  check_expected(Flags);
+  return mock_type(EVT_HANDLE);
+}
+
+BOOL wrap_EvtFormatMessage(__UNUSED_PARAM(EVT_HANDLE   PublisherMetadata),
+                           __UNUSED_PARAM(EVT_HANDLE   Event),
+                           __UNUSED_PARAM(DWORD        MessageId),
+                           __UNUSED_PARAM(DWORD        ValueCount),
+                           __UNUSED_PARAM(PEVT_VARIANT Values),
+                           __UNUSED_PARAM(DWORD        Flags),
+                           DWORD        BufferSize,
+                           LPWSTR       Buffer,
+                           PDWORD       BufferUsed) {
+
+  if(BufferSize) {
+    char *mockMessage = mock_type(char*);
+    _stprintf_s(Buffer, BufferSize, _T("%hs"), mockMessage);
+    *BufferUsed = BufferSize;
+  }
+  else {
+    *BufferUsed = mock_type(int);
+  }
+  return mock_type(BOOL);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.h
new file mode 100644
index 0000000000..52281c0079
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winevt_wrappers.h
@@ -0,0 +1,68 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WINEVT_WRAPPERS_H
+#define WINEVT_WRAPPERS_H
+
+#include <windows.h>
+#include <winevt.h>
+
+#undef EvtRender
+#define EvtRender wrap_EvtRender
+#undef EvtCreateRenderContext
+#define EvtCreateRenderContext wrap_EvtCreateRenderContext
+#undef EvtSubscribe
+#define EvtSubscribe wrap_EvtSubscribe
+#undef EvtClose
+#define EvtClose wrap_EvtClose
+#undef EvtOpenPublisherMetadata
+#define EvtOpenPublisherMetadata wrap_EvtOpenPublisherMetadata
+#undef EvtFormatMessage
+#define EvtFormatMessage wrap_EvtFormatMessage
+
+BOOL wrap_EvtRender(EVT_HANDLE Context,
+                    EVT_HANDLE Fragment,
+                    DWORD      Flags,
+                    DWORD      BufferSize,
+                    PVOID      Buffer,
+                    PDWORD     BufferUsed,
+                    PDWORD     PropertyCount);
+
+EVT_HANDLE wrap_EvtCreateRenderContext(DWORD   ValuePathsCount,
+                                       LPCWSTR *ValuePaths,
+                                       DWORD   Flags);
+
+EVT_HANDLE wrap_EvtSubscribe(EVT_HANDLE             Session,
+                             HANDLE                 SignalEvent,
+                             LPCWSTR                ChannelPath,
+                             LPCWSTR                Query,
+                             EVT_HANDLE             Bookmark,
+                             PVOID                  Context,
+                             EVT_SUBSCRIBE_CALLBACK Callback,
+                             DWORD                  Flags);
+
+BOOL wrap_EvtClose(EVT_HANDLE object);
+
+EVT_HANDLE wrap_EvtOpenPublisherMetadata(EVT_HANDLE Session,
+                                         LPCWSTR    PublisherId,
+                                         LPCWSTR    LogFilePath,
+                                         LCID       Locale,
+                                         DWORD      Flags);
+
+BOOL wrap_EvtFormatMessage(EVT_HANDLE   PublisherMetadata,
+                           EVT_HANDLE   Event,
+                           DWORD        MessageId,
+                           DWORD        ValueCount,
+                           PEVT_VARIANT Values,
+                           DWORD        Flags,
+                           DWORD        BufferSize,
+                           LPWSTR       Buffer,
+                           PDWORD       BufferUsed);
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.c
new file mode 100644
index 0000000000..f4d6dd12be
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "winreg_wrappers.h"
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+LONG wrap_RegQueryInfoKey(__UNUSED_PARAM(HKEY hKey),
+                          __UNUSED_PARAM(LPSTR lpClass),
+                          __UNUSED_PARAM(LPDWORD lpcchClass),
+                          __UNUSED_PARAM(LPDWORD lpReserved),
+                          LPDWORD lpcSubKeys,
+                          __UNUSED_PARAM(LPDWORD lpcbMaxSubKeyLen),
+                          __UNUSED_PARAM(LPDWORD lpcbMaxClassLen),
+                          LPDWORD lpcValues,
+                          LPDWORD lpcbMaxValueNameLen,
+                          LPDWORD lpcbMaxValueLen,
+                          __UNUSED_PARAM(LPDWORD lpcbSecurityDescriptor),
+                          PFILETIME lpftLastWriteTime) {
+    if (lpcSubKeys) *lpcSubKeys = mock_type(CHAR);
+    if (lpcValues) *lpcValues = mock_type(DWORD);
+    PFILETIME mock_file_time;
+    *lpcbMaxValueNameLen = mock();
+    *lpcbMaxValueLen = mock();
+    mock_file_time = mock_type(PFILETIME);
+    lpftLastWriteTime->dwLowDateTime = mock_file_time->dwLowDateTime;
+    lpftLastWriteTime->dwHighDateTime = mock_file_time->dwHighDateTime;
+    return mock();
+}
+
+void expect_RegQueryInfoKey_call(DWORD sub_keys, DWORD values, PFILETIME last_write_time, LONG return_value) {
+    will_return(wrap_RegQueryInfoKey, sub_keys);
+    will_return(wrap_RegQueryInfoKey, values);
+    will_return(wrap_RegQueryInfoKey, 256);
+    will_return(wrap_RegQueryInfoKey, 256);
+    will_return(wrap_RegQueryInfoKey, last_write_time);
+    will_return(wrap_RegQueryInfoKey, return_value);
+}
+
+LONG wrap_RegQueryInfoKeyA(__UNUSED_PARAM(HKEY hKey),
+                          __UNUSED_PARAM(LPSTR lpClass),
+                          __UNUSED_PARAM(LPDWORD lpcchClass),
+                          __UNUSED_PARAM(LPDWORD lpReserved),
+                          __UNUSED_PARAM(LPDWORD lpcSubKeys),
+                          __UNUSED_PARAM(LPDWORD lpcbMaxSubKeyLen),
+                          __UNUSED_PARAM(LPDWORD lpcbMaxClassLen),
+                          __UNUSED_PARAM(LPDWORD lpcValues),
+                          __UNUSED_PARAM(LPDWORD lpcbMaxValueNameLen),
+                          __UNUSED_PARAM(LPDWORD lpcbMaxValueLen),
+                          __UNUSED_PARAM(LPDWORD lpcbSecurityDescriptor),
+                          PFILETIME lpftLastWriteTime) {
+    PFILETIME mock_file_time;
+    mock_file_time = mock_type(PFILETIME);
+    lpftLastWriteTime->dwLowDateTime = mock_file_time->dwLowDateTime;
+    lpftLastWriteTime->dwHighDateTime = mock_file_time->dwHighDateTime;
+    return mock();
+}
+
+void expect_RegQueryInfoKeyA_call(PFILETIME last_write_time, LONG return_value) {
+    will_return(wrap_RegQueryInfoKeyA, last_write_time);
+    will_return(wrap_RegQueryInfoKeyA, return_value);
+}
+
+LONG wrap_RegEnumKeyEx(__UNUSED_PARAM(HKEY hKey),
+                       __UNUSED_PARAM(DWORD dwIndex),
+                       LPSTR lpName,
+                       LPDWORD lpcchName,
+                       __UNUSED_PARAM(LPDWORD lpReserved),
+                       __UNUSED_PARAM(LPSTR lpClass),
+                       __UNUSED_PARAM(LPDWORD lpcchClass),
+                       __UNUSED_PARAM(PFILETIME lpftLastWriteTime)) {
+    strcpy(lpName, mock_ptr_type(char *));
+    *lpcchName = mock_type(long);
+    return mock();
+}
+
+void expect_RegEnumKeyEx_call(LPSTR name, DWORD name_length, LONG return_value) {
+    will_return(wrap_RegEnumKeyEx, name);
+    will_return(wrap_RegEnumKeyEx, name_length);
+    will_return(wrap_RegEnumKeyEx, return_value);
+}
+
+LONG wrap_RegOpenKeyEx(HKEY hKey,
+                       LPCSTR lpSubKey,
+                       DWORD ulOptions,
+                       REGSAM samDesired,
+                       PHKEY phkResult) {
+    PHKEY key;
+    check_expected(hKey);
+    check_expected(lpSubKey);
+    check_expected(ulOptions);
+    check_expected(samDesired);
+    if(key = mock_type(PHKEY), key) {
+        memcpy(phkResult, key, sizeof(HKEY));
+    }
+    return mock();
+}
+
+void expect_RegOpenKeyEx_call(HKEY hKey, LPCSTR sub_key, DWORD options, REGSAM sam, PHKEY result, LONG return_value) {
+    expect_value(wrap_RegOpenKeyEx, hKey, hKey);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey, sub_key);
+    expect_value(wrap_RegOpenKeyEx, ulOptions, options);
+    expect_value(wrap_RegOpenKeyEx, samDesired, sam);
+    will_return(wrap_RegOpenKeyEx, result);
+    will_return(wrap_RegOpenKeyEx, return_value);
+}
+
+LONG wrap_RegEnumValue(__UNUSED_PARAM(HKEY hKey),
+                       __UNUSED_PARAM(DWORD dwIndex),
+                       LPSTR lpValueName,
+                       LPDWORD lpcchValueName,
+                       __UNUSED_PARAM(LPDWORD lpReserved),
+                       LPDWORD lpType,
+                       LPBYTE lpData,
+                       LPDWORD lpcbData) {
+    strcpy(lpValueName, mock_ptr_type(char *));
+    *lpcchValueName = mock_type(long);
+    *lpType = mock_type(long);
+    *lpcbData = mock_type(long);
+    const void *data = mock_ptr_type(void *);
+    memcpy(lpData, data, sizeof(char) * (*lpcbData));
+    return mock();
+}
+
+void expect_RegEnumValue_call(LPSTR value_name, DWORD type, LPBYTE data, DWORD data_length, LONG return_value) {
+    will_return(wrap_RegEnumValue, value_name);
+    will_return(wrap_RegEnumValue, strlen(value_name));
+    will_return(wrap_RegEnumValue, type);
+    will_return(wrap_RegEnumValue, data_length);
+    will_return(wrap_RegEnumValue, data);
+    will_return(wrap_RegEnumValue, return_value);
+}
+
+LONG wrap_RegCloseKey(__UNUSED_PARAM(HKEY hKey)) {
+    return 0;
+}
+
+LONG wrap_RegQueryValueEx(__UNUSED_PARAM(HKEY hKey),
+                          LPCSTR lpValueName,
+                          LPDWORD lpReserved,
+                          LPDWORD lpType,
+                          LPBYTE lpData,
+                          LPDWORD lpcbData) {
+    LPBYTE data;
+    check_expected(lpValueName);
+    check_expected(lpReserved);
+    check_expected(lpType);
+    if(data = mock_type(LPBYTE), data) {
+        memcpy(lpData, data, *lpcbData);
+    }
+    return mock();
+}
+
+WINBOOL wrap_RegGetKeySecurity(__UNUSED_PARAM(HKEY hKey),
+                               __UNUSED_PARAM(SECURITY_INFORMATION SecurityInformation),
+                               __UNUSED_PARAM(PSECURITY_DESCRIPTOR pSecurityDescriptor),
+                               LPDWORD lpcbSecurityDescriptor) {
+    *lpcbSecurityDescriptor = mock();
+    return mock();
+}
+
+void expect_RegGetKeySecurity_call(LPDWORD lpcbSecurityDescriptor, int ret_value) {
+    will_return(wrap_RegGetKeySecurity, lpcbSecurityDescriptor);
+    will_return(wrap_RegGetKeySecurity, ret_value);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.h
new file mode 100644
index 0000000000..f4de68c515
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winreg_wrappers.h
@@ -0,0 +1,108 @@
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WINREG_WRAPPERS_H
+#define WINREG_WRAPPERS_H
+
+#include <windows.h>
+
+#undef RegQueryInfoKey
+#define RegQueryInfoKey wrap_RegQueryInfoKey
+#undef RegQueryInfoKeyA
+#define RegQueryInfoKeyA wrap_RegQueryInfoKeyA
+#undef RegEnumKeyEx
+#define RegEnumKeyEx wrap_RegEnumKeyEx
+#undef RegOpenKeyEx
+#define RegOpenKeyEx wrap_RegOpenKeyEx
+#undef RegEnumValue
+#define RegEnumValue wrap_RegEnumValue
+#undef RegCloseKey
+#define RegCloseKey wrap_RegCloseKey
+#undef RegQueryValueEx
+#define RegQueryValueEx wrap_RegQueryValueEx
+#undef RegGetKeySecurity
+#define RegGetKeySecurity wrap_RegGetKeySecurity
+
+LONG wrap_RegQueryInfoKey(HKEY hKey,
+                          LPSTR lpClass,
+                          LPDWORD lpcchClass,
+                          LPDWORD lpReserved,
+                          LPDWORD lpcSubKeys,
+                          LPDWORD lpcbMaxSubKeyLen,
+                          LPDWORD lpcbMaxClassLen,
+                          LPDWORD lpcValues,
+                          LPDWORD lpcbMaxValueNameLen,
+                          LPDWORD lpcbMaxValueLen,
+                          LPDWORD lpcbSecurityDescriptor,
+                          PFILETIME lpftLastWriteTime);
+
+void expect_RegQueryInfoKey_call(DWORD sub_keys, DWORD values, PFILETIME last_write_time, LONG return_value);
+
+LONG wrap_RegQueryInfoKeyA(HKEY hKey,
+                          LPSTR lpClass,
+                          LPDWORD lpcchClass,
+                          LPDWORD lpReserved,
+                          LPDWORD lpcSubKeys,
+                          LPDWORD lpcbMaxSubKeyLen,
+                          LPDWORD lpcbMaxClassLen,
+                          LPDWORD lpcValues,
+                          LPDWORD lpcbMaxValueNameLen,
+                          LPDWORD lpcbMaxValueLen,
+                          LPDWORD lpcbSecurityDescriptor,
+                          PFILETIME lpftLastWriteTime);
+
+void expect_RegQueryInfoKeyA_call(PFILETIME last_write_time, LONG return_value);
+
+LONG wrap_RegEnumKeyEx(HKEY hKey,
+                       DWORD dwIndex,
+                       LPSTR lpName,
+                       LPDWORD lpcchName,
+                       LPDWORD lpReserved,
+                       LPSTR lpClass,
+                       LPDWORD lpcchClass,
+                       PFILETIME lpftLastWriteTime);
+
+void expect_RegEnumKeyEx_call(LPSTR name, DWORD name_length, LONG return_value);
+
+LONG wrap_RegOpenKeyEx(HKEY hKey,
+                       LPCSTR lpSubKey,
+                       DWORD ulOptions,
+                       REGSAM samDesired,
+                       PHKEY phkResult);
+
+void expect_RegOpenKeyEx_call(HKEY hKey, LPCSTR sub_key, DWORD options, REGSAM sam, PHKEY result, LONG return_value);
+
+LONG wrap_RegQueryValueEx(HKEY hKey,
+                          LPCSTR lpValueName,
+                          LPDWORD lpReserved,
+                          LPDWORD lpType,
+                          LPBYTE lpData,
+                          LPDWORD lpcbData);
+
+LONG wrap_RegEnumValue(HKEY hKey,
+                       DWORD dwIndex,
+                       LPSTR lpValueName,
+                       LPDWORD lpcchValueName,
+                       LPDWORD lpReserved,
+                       LPDWORD lpType,
+                       LPBYTE lpData,LPDWORD lpcbData);
+
+void expect_RegEnumValue_call(LPSTR value_name, DWORD type, LPBYTE data, DWORD data_length, LONG return_value);
+
+LONG wrap_RegCloseKey(HKEY hKey);
+
+WINBOOL wrap_RegGetKeySecurity(__UNUSED_PARAM(HKEY hKey),
+                               __UNUSED_PARAM(SECURITY_INFORMATION SecurityInformation),
+                               __UNUSED_PARAM(PSECURITY_DESCRIPTOR pSecurityDescriptor),
+                               LPDWORD lpcbSecurityDescriptor);
+
+void expect_RegGetKeySecurity_call(LPDWORD lpcbSecurityDescriptor, int ret_value);
+
+#endif
diff --git a/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.c b/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.c
new file mode 100644
index 0000000000..3f205cb0a8
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.c
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+int wrap_gethostname(char *name, int len) {
+    snprintf(name, len, "%s", mock_type(char *));
+    return mock_type(int);
+}
diff --git a/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.h b/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.h
new file mode 100644
index 0000000000..475a69d782
--- /dev/null
+++ b/src/common/utils/tests/unit/wrappers/windows/winsock_wrappers.h
@@ -0,0 +1,19 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef WINSOCK_WRAPPERS_H
+#define WINSOCK_WRAPPERS_H
+
+#include <winsock.h>
+#define gethostname wrap_gethostname
+
+int wrap_gethostname(char *name, int len);
+
+#endif
diff --git a/src/common/utils/uniqueFD.hpp b/src/common/utils/uniqueFD.hpp
new file mode 100644
index 0000000000..839b6d4e9c
--- /dev/null
+++ b/src/common/utils/uniqueFD.hpp
@@ -0,0 +1,94 @@
+/*
+ * Wazuh Utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 25, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef UNIQUE_FD_H
+#define UNIQUE_FD_H
+
+#include <unistd.h>
+
+namespace Utils
+{
+
+    /*
+    * This class is intended to handle a file descriptor similar to a unique pointer in C++.
+    */
+    class UniqueFD
+    {
+        public:
+            explicit UniqueFD(const int fd) : m_fd(fd) { }
+            ~UniqueFD()
+            {
+                clear();
+            }
+
+            UniqueFD(const UniqueFD&) = delete;
+            UniqueFD& operator=(const UniqueFD&) = delete;
+            UniqueFD(UniqueFD&& other) : m_fd(other.m_fd)
+            {
+                other.m_fd = -1;
+            }
+
+            /**
+             * @brief Assign a new file descriptor and close the file descriptor you have assigned.
+             *
+             * @param other New file descriptor associated.
+             *
+             * @return Returns the reference to the object with new file descriptor.
+             */
+            UniqueFD& operator=(UniqueFD&& other)
+            {
+                reset(other.release());
+                return *this;
+            }
+
+            int release()
+            {
+                int fd = m_fd;
+                m_fd = -1;
+                return fd;
+            }
+
+            /**
+             * @brief Gets file descriptor associated of the object.
+             *
+             * @return Returns the associated file descriptor.
+             */
+            int get() const
+            {
+                return m_fd;
+            }
+
+            /**
+             * @brief Clean the file descriptor associated to the class. First, close
+             *  the associated file descriptor if it has one.
+             *
+             * @param fd File descriptor that is associated with class
+             */
+            void reset(const int fd)
+            {
+                if (-1 != m_fd)
+                {
+                    close(m_fd);
+                }
+
+                m_fd = fd;
+            }
+
+            void clear()
+            {
+                reset(-1);
+            }
+        private:
+            int m_fd;
+    };
+}
+
+#endif /* UNIQUE_FD_H */
diff --git a/src/modules/sca/include/sca.h b/src/common/validate_op/CMakeLists.txt
similarity index 100%
rename from src/modules/sca/include/sca.h
rename to src/common/validate_op/CMakeLists.txt
diff --git a/src/common/validate_op/include/validate_op.h b/src/common/validate_op/include/validate_op.h
new file mode 100644
index 0000000000..22e8f0801d
--- /dev/null
+++ b/src/common/validate_op/include/validate_op.h
@@ -0,0 +1,191 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef VALIDATE_H
+#define VALIDATE_H
+
+
+/* Run-time definitions */
+int getDefine_Int(const char *high_name, const char *low_name, int min, int max) __attribute__((nonnull));
+
+
+/**
+ * @brief Check if IP_address is present at that_ip
+ *
+ * @param ip_address IP address.
+ * @param that_ip Struct os_ip to check.
+ * @return Returns 1 on success or 0 on failure.
+ */
+int OS_IPFound(const char *ip_address, const os_ip *that_ip) __attribute__((nonnull));
+
+
+/**
+ * @brief Check if IP_address is present at that_ip
+ *
+ * @param ip_address IP address.
+ * @param list_of_ips List of os_ip struct to check.
+ * @return Returns 1 on success or 0 on failure.
+ */
+int OS_IPFoundList(const char *ip_address, os_ip **list_of_ips);// __attribute__((nonnull));
+
+
+/**
+ * @brief Validate if an IP address is in the right format
+ *
+ * @param ip_address [in] IP address.
+ * @param final_ip [out] Struct os_ip with the given IP address.
+ * @return Returns 0 if doesn't match or 1 if it does (or 2 if it has a CIDR).
+ */
+int OS_IsValidIP(const char *ip_address, os_ip *final_ip);
+
+
+/**
+ * @brief Check if an IPv4 address is embedded in an IPv6 address and resolve it.
+ *
+ * @param ip_address IPv6 address to be analized, if it contains an IPv4, it will be modified with it.
+ * @param size Size of the address buffer.
+ * @return Returns 0 if doesn't match or 1 if it does.
+ */
+int OS_GetIPv4FromIPv6(char *ip_address, size_t size);
+
+
+/**
+ * @brief Expand IPv6 to its full representation.
+ *
+ * @param ip_address IPv6 address to be expanded, it will be modified with its full representation.
+ * @param size Size of the address buffer.
+ * @return Returns 0 on success or -1 on failure.
+ */
+int OS_ExpandIPv6(char *ip_address, size_t size);
+
+
+/**
+ * @brief Validate if a time is in an acceptable format.
+ *
+ * Acceptable formats:
+ *      hh:mm - hh:mm (24 hour format)
+ *      !hh:mm - hh:mm (24 hour format)
+ *      hh - hh (24 hour format)
+ *      hh:mm am - hh:mm pm (12 hour format)
+ *      hh am - hh pm (12 hour format)
+ *
+ * @param time_str Time to be validated.
+ * @return Returns 0 if doesn't match or a valid string in success.
+ */
+char *OS_IsValidTime(const char *time_str);
+
+
+/**
+ * @brief Validate if a time is in an acceptable format, but only accepts a unique time, not a range.
+ *
+ * @param time_str Time to be validated.
+ * @return Returns 0 if doesn't match or a valid string in success.
+ */
+char *OS_IsValidUniqueTime(const char *time_str) __attribute__((nonnull));
+
+
+/**
+ * @brief Validate if a time is in on a specied time interval.
+ *        Must be a valid string, called after OS_IsValidTime().
+ * @param time_str Time to be validated.
+ * @param ossec_time Time interval.
+ * @return Returns 1 on success or 0 on failure.
+ */
+int OS_IsonTime(const char *time_str, const char *ossec_time) __attribute__((nonnull));
+
+
+/**
+ * @brief Checks if time is the same or has passed a specified one.
+ *        Must be a valid string, called after OS_IsValidTime().
+ * @param time_str Time to be validated.
+ * @param ossec_time Time interval.
+ * @return Returns 1 on success or 0 on failure.
+ */
+int OS_IsAfterTime(const char *time_str, const char *ossec_time) __attribute__((nonnull));
+
+
+/**
+ * @brief Checks if time is the same or has passed a specified one.
+ *    Acceptable formats:
+ *      weekdays, weekends, monday, tuesday, thursday,..
+ *      monday,tuesday
+ *      mon,tue wed
+ * @param day_str Day to be validated.
+ * @return Returns 0 if doesn't match or a valid string in success.
+ */
+char *OS_IsValidDay(const char *day_str);
+
+
+/**
+ * @brief Check if the specified week day is in the range.
+ *
+ * @param week_day Day of the week.
+ * @param ossec_day Interval.
+ * @return Returns 1 on success or 0 on failure.
+ */
+int OS_IsonDay(int week_day, const char *ossec_day) __attribute__((nonnull));
+
+
+/**
+ * @brief Convert a CIDR into string: aaa.bbb.ccc.ddd[/ee]
+ *
+ * @param ip [in] IP to be converted.
+ * @param string [out] Allocated string to store the IP.
+ * @param size [in] Size of the allocated string.
+ * @return Returns 0 on success or -1 on failure.
+ */
+int OS_CIDRtoStr(const os_ip * ip, char * string, size_t size);
+
+
+/**
+ * @brief Validate the day of the week set and retrieve its corresponding integer value.
+ *
+ * @param day_str Day of the week.
+ * @return Return day of the week. If not found, -1 is returned.
+ */
+int w_validate_wday(const char * day_str);
+
+
+/**
+ * @brief Validate a given time.
+ *        Acceptable format: hh:mm (24 hour format)
+ *
+ * @param time_str Time to be validated.
+ * @return Returns NULL on error or a valid string in success.
+ */
+char * w_validate_time(const char * time_str);
+
+
+/**
+ * @brief Validate if the specified interval is multiple of weeks or days.
+ *
+ * @param interval Interval to be validated.
+ * @param force Set to 0 to check if it is multiple of days or 1 for weeks.
+ * @return Returns 0 if the interval is multiple, -1 otherwise.
+ */
+int w_validate_interval(int interval, int force);
+
+
+/**
+ * @brief Convert to bytes
+ *
+ * @param content string to validate
+ * @return number of bytes on success, otherwise -1
+ */
+long long w_validate_bytes(const char *content);
+
+
+/* Macros */
+
+/* Check if the IP is a single host, not a network with a netmask */
+#define isSingleHost(x) ((x->is_ipv6) ? false : (x->ipv4->netmask == 0xFFFFFFFF))
+
+
+#endif /* VALIDATE_H */
diff --git a/src/common/validate_op/src/validate_op.c b/src/common/validate_op/src/validate_op.c
new file mode 100644
index 0000000000..88b3b65af7
--- /dev/null
+++ b/src/common/validate_op/src/validate_op.c
@@ -0,0 +1,1163 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "validate_op.h"
+#include "expression.h"
+#include "../os_net/os_net.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#define static
+
+#undef OSSEC_DEFINES
+#define OSSEC_DEFINES   "./internal_options.conf"
+
+#undef OSSEC_LDEFINES
+#define OSSEC_LDEFINES   "./local_internal_options.conf"
+#endif
+
+#define DEFAULT_IPV6_PREFIX  128
+#define DEFAULT_IPV4_NETMASK 32
+
+
+static char *_read_file(const char *high_name, const char *low_name, const char *defines_file) __attribute__((nonnull(3)));
+static void _init_masks(void);
+static const char *__gethour(const char *str, char *ossec_hour, const size_t ossec_hour_len) __attribute__((nonnull));
+
+/**
+ * @brief Convert the netmask from an integer value, valid from 0 to 128.
+ *
+ * @param[in] netnumb Integer value of the netmask.
+ * @param[out] nmask6 structure to complete value of the netmask.
+ * @return Returns 0 on success or -1 on failure.
+ */
+static int convertNetmask(int netnumb, struct in6_addr *nmask6);
+
+/**
+ * @brief Get CIDR from IPv6 netmask.
+ *
+ * @param[in] netmask IPV6 netmask.
+ * @return CIDR representation of IPv6 netmask.
+ */
+static int getCIDRipv6(uint8_t *netmask);
+
+/* Global variables */
+static int _mask_inited = 0;
+static unsigned int _netmasks[33];
+
+
+/*
+* ipv4 alone; or ipv4 + CIDR; or ipv4 + netmask
+*             example:  "10.10.10.10" or "10.10.10.10/32" or "10.10.10.10/255.255.255.255"
+*
+* ipv6 format: uncompress and compress IPv6 supported, with or without prefix
+*             example: "2001:db8:abcd:0012:0000:0000:0000:0000" or "11AA::11AA" or "::11AA:11AA:11AA:11AA/64"
+*/
+
+#define IPV4_ADDRESS "(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\x5c.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
+#define IPV6_PREFIX "12[0-8]|1[0-1][0-9]|[0-9]?[0-9]"
+
+#define IPV4_MASK_IPV6 "^::[fF]{4}:("IPV4_ADDRESS"(?:\x2F(?:(?:3[0-2]|[1-2]?[0-9])|"IPV4_ADDRESS"))?)$"
+
+static  char *ip_address_regex[] = {
+// IPv4
+"^(?:::[fF]{4}:)?("IPV4_ADDRESS")(?:\x2F((?:3[0-2]|[1-2]?[0-9])|"IPV4_ADDRESS"))?$",
+// IPv6
+"^((?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,6}(?::[0-9a-fA-F]{1,4}){1})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1}(?::[0-9a-fA-F]{1,4}){1,6})(?:\x2F("IPV6_PREFIX"))?$",
+"^((?:[0-9a-fA-F]{1,4}:){1,7}:)(?:\x2F("IPV6_PREFIX"))?$",
+"^(:(?::[0-9a-fA-F]{1,4}){1,7})(?:\x2F("IPV6_PREFIX"))?$",
+"^(::)$",
+NULL,
+};
+
+/* Read the file and return a string the matches the following
+ * format: high_name.low_name.
+ * If return is not null, value must be freed
+ */
+static char *_read_file(const char *high_name, const char *low_name, const char *defines_file)
+{
+    FILE *fp;
+    char buf[OS_SIZE_1024 + 1];
+    char *buf_pt;
+    char *tmp_buffer;
+    char *ret;
+    int i;
+
+    fp = wfopen(defines_file, "r");
+    if (!fp) {
+        if (strcmp(defines_file, OSSEC_LDEFINES) != 0) {
+            merror(FOPEN_ERROR, defines_file, errno, strerror(errno));
+        }
+        return (NULL);
+    }
+    w_file_cloexec(fp);
+
+    /* Invalid call */
+    if (!high_name || !low_name) {
+        merror(NULL_ERROR);
+        fclose(fp);
+        return (NULL);
+    }
+
+    /* Read it */
+    buf[OS_SIZE_1024] = '\0';
+    while (fgets(buf, OS_SIZE_1024 , fp) != NULL) {
+        /* Commented or blank lines */
+        if (buf[0] == '#' || buf[0] == ' ' || buf[0] == '\n') {
+            continue;
+        }
+
+        /* Messages not formatted correctly */
+        buf_pt = strchr(buf, '.');
+        if (!buf_pt) {
+            merror(FGETS_ERROR, defines_file, buf);
+            continue;
+        }
+
+        /* Check for the high name */
+        *buf_pt = '\0';
+        buf_pt++;
+        if (strcmp(buf, high_name) != 0) {
+            continue;
+        }
+
+        tmp_buffer = buf_pt;
+
+        /* Get the equal */
+        buf_pt = strchr(buf_pt, '=');
+        if (!buf_pt) {
+            merror(FGETS_ERROR, defines_file, buf);
+            continue;
+        }
+
+        /* Prepare buf_pt to access the value for this option */
+        *buf_pt = '\0';
+        buf_pt++;
+
+        /* Remove possible whitespaces between the low name and the equal sign */
+        i = (strlen(tmp_buffer) - 1);
+        while(tmp_buffer[i] == ' ')
+        {
+            tmp_buffer[i] = '\0';
+            i--;
+        }
+
+        /* Check for the low name */
+        if (strcmp(tmp_buffer, low_name) != 0) {
+            continue;
+        }
+
+        /* Ignore possible whitespaces between the equal sign and the value for this option */
+        while(*buf_pt == ' ') buf_pt++;
+
+        /* Remove newlines or anything that will cause errors */
+        tmp_buffer = strrchr(buf_pt, '\n');
+        if (tmp_buffer) {
+            *tmp_buffer = '\0';
+        }
+        tmp_buffer = strrchr(buf_pt, '\r');
+        if (tmp_buffer) {
+            *tmp_buffer = '\0';
+        }
+
+        os_strdup(buf_pt, ret);
+        fclose(fp);
+        return (ret);
+    }
+
+    fclose(fp);
+    return (NULL);
+}
+
+/* Convert to netmasks from CIDR number */
+static int convertNetmask(int netnumb, struct in6_addr *nmask6)
+{
+    if (netnumb < 0 || netnumb > 128) {
+        return -1;
+    }
+
+    uint32_t aux = 0;
+    uint32_t index = 0;
+    uint8_t variable_size = 8;
+
+    for (int i = 0; i < 16; i++) {
+#ifndef WIN32
+        nmask6->s6_addr[i] = 0;
+#else
+        nmask6->u.Byte[i] = 0;
+#endif
+        index = ((netnumb > variable_size) ? variable_size : netnumb);
+        netnumb -= index;
+
+        for (uint8_t a = 0; a < index; a++) {
+            aux = variable_size - a -1;
+#ifndef WIN32
+            nmask6->s6_addr[i] += UINT8_C(1) << aux;
+#else
+            nmask6->u.Byte[i] += UINT8_C(1) << aux;
+#endif
+        }
+    }
+    return 0;
+}
+
+/* Initialize netmasks -- taken from snort util.c */
+static void _init_masks()
+{
+    _mask_inited = 1;
+    _netmasks[0] = 0x0;
+    _netmasks[1] = 0x80000000;
+    _netmasks[2] = 0xC0000000;
+    _netmasks[3] = 0xE0000000;
+    _netmasks[4] = 0xF0000000;
+    _netmasks[5] = 0xF8000000;
+    _netmasks[6] = 0xFC000000;
+    _netmasks[7] = 0xFE000000;
+    _netmasks[8] = 0xFF000000;
+    _netmasks[9] = 0xFF800000;
+    _netmasks[10] = 0xFFC00000;
+    _netmasks[11] = 0xFFE00000;
+    _netmasks[12] = 0xFFF00000;
+    _netmasks[13] = 0xFFF80000;
+    _netmasks[14] = 0xFFFC0000;
+    _netmasks[15] = 0xFFFE0000;
+    _netmasks[16] = 0xFFFF0000;
+    _netmasks[17] = 0xFFFF8000;
+    _netmasks[18] = 0xFFFFC000;
+    _netmasks[19] = 0xFFFFE000;
+    _netmasks[20] = 0xFFFFF000;
+    _netmasks[21] = 0xFFFFF800;
+    _netmasks[22] = 0xFFFFFC00;
+    _netmasks[23] = 0xFFFFFE00;
+    _netmasks[24] = 0xFFFFFF00;
+    _netmasks[25] = 0xFFFFFF80;
+    _netmasks[26] = 0xFFFFFFC0;
+    _netmasks[27] = 0xFFFFFFE0;
+    _netmasks[28] = 0xFFFFFFF0;
+    _netmasks[29] = 0xFFFFFFF8;
+    _netmasks[30] = 0xFFFFFFFC;
+    _netmasks[31] = 0xFFFFFFFE;
+    _netmasks[32] = 0xFFFFFFFF;
+}
+
+/* Get an integer definition. This function always return on
+ * success or exits on error.
+ */
+int getDefine_Int(const char *high_name, const char *low_name, int min, int max)
+{
+    int ret;
+    char *value;
+    char *pt;
+
+    /* Try to read from the local define file */
+    value = _read_file(high_name, low_name, OSSEC_LDEFINES);
+    if (!value) {
+        value = _read_file(high_name, low_name, OSSEC_DEFINES);
+        if (!value) {
+            merror_exit(DEF_NOT_FOUND, high_name, low_name);
+        }
+    }
+
+    pt = value;
+    while (*pt != '\0') {
+        if (!isdigit((int)*pt)) {
+            merror_exit(INV_DEF, high_name, low_name, value);
+        }
+        pt++;
+    }
+
+    ret = atoi(value);
+    if ((ret < min) || (ret > max)) {
+        merror_exit(INV_DEF, high_name, low_name, value);
+    }
+
+    /* Clear memory */
+    free(value);
+
+    return (ret);
+}
+
+/* Check if IP_address is present at that_IP
+ * Returns 1 on success or 0 on failure
+ */
+int OS_IPFound(const char *ip_address, const os_ip *that_ip)
+{
+    int _true = 1;
+    bool is_ipv6 = false;
+    struct in_addr net;
+    struct in6_addr net6;
+
+    /* Extract IP address */
+    if (OS_SUCCESS == get_ipv4_numeric(ip_address, &net)) {
+        is_ipv6 = false;
+    } else if (OS_SUCCESS == get_ipv6_numeric(ip_address, &net6)) {
+        is_ipv6 = true;
+    } else {
+        return (!_true);
+    }
+
+    /* If negate is set */
+    if (that_ip->ip[0] == '!') {
+        _true = 0;
+    }
+
+    /* Check if IP is in thatip & netmask */
+    if (is_ipv6) {
+        for(unsigned int i = 0; i < 16; i++) {
+#ifndef WIN32
+            if ((net6.s6_addr[i] & that_ip->ipv6->netmask[i]) != that_ip->ipv6->ip_address[i]) {
+#else
+            if ((net6.u.Byte[i] & that_ip->ipv6->netmask[i]) != that_ip->ipv6->ip_address[i]) {
+#endif
+                break;
+            } else if (i >= (15)) {
+                return (_true);
+            }
+        }
+    } else {
+        if ((net.s_addr & that_ip->ipv4->netmask) == that_ip->ipv4->ip_address) {
+            return (_true);
+        }
+    }
+
+    /* Didn't match */
+    return (!_true);
+}
+
+/* Check if IP_address is present in the "list_of_ips".
+ * Returns 1 on success or 0 on failure
+ * The list MUST be NULL terminated
+ */
+int OS_IPFoundList(const char *ip_address, os_ip **list_of_ips)
+{
+    int _true = 1;
+    bool is_ipv6 = false;
+    struct in_addr net;
+    struct in6_addr net6;
+
+    /* Extract IP address */
+    if (OS_SUCCESS == get_ipv4_numeric(ip_address, &net)) {
+        is_ipv6 = false;
+    } else if (OS_SUCCESS == get_ipv6_numeric(ip_address, &net6)) {
+        is_ipv6 = true;
+    } else {
+        return (!_true);
+    }
+
+    while (*list_of_ips) {
+        os_ip *l_ip = *list_of_ips;
+
+        if (l_ip->ip[0] == '!') {
+            _true = 0;
+        }
+
+        /* Check if IP is in thatip & netmask */
+        if (is_ipv6) {
+            for(unsigned int i = 0; i < 16; i++) {
+#ifndef WIN32
+                if ((net6.s6_addr[i] & l_ip->ipv6->netmask[i]) != l_ip->ipv6->ip_address[i]) {
+#else
+                if ((net6.u.Byte[i] & l_ip->ipv6->netmask[i]) != l_ip->ipv6->ip_address[i]) {
+#endif
+                    break;
+                } else if (i >= (15)) {
+                    return (_true);
+                }
+            }
+        } else {
+            if ((net.s_addr & l_ip->ipv4->netmask) == l_ip->ipv4->ip_address) {
+                return (_true);
+            }
+        }
+
+        list_of_ips++;
+    }
+
+    return (!_true);
+}
+
+/* Validate if an IP address is in the right format
+ * Returns 0 if doesn't match or 1 if it is an IP or 2 an IP with CIDR.
+ * WARNING: On success this function may modify the value of ip_address
+ */
+int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
+{
+    unsigned int ret = 0;
+
+    /* Can't be null */
+    if (!ip_address) {
+        return (0);
+    }
+
+    if (*ip_address == '!') {
+        ip_address++;
+    }
+
+    /* Assign the IP address */
+    if (final_ip) {
+        memset(final_ip, 0, sizeof(os_ip));
+        os_calloc(IPSIZE + 1, sizeof(char), final_ip->ip);
+        strncpy(final_ip->ip, ip_address, IPSIZE);
+        OS_GetIPv4FromIPv6(final_ip->ip, IPSIZE);
+    }
+
+    if (strcmp(ip_address, "any") != 0) {
+
+        w_expression_t * exp;
+        unsigned int i = 0;
+
+        regex_matching * regex_match = NULL;
+        os_calloc(1, sizeof(regex_matching), regex_match);
+
+        while (ip_address_regex[i] != NULL) {
+
+            w_calloc_expression_t(&exp, EXP_TYPE_PCRE2);
+            if (w_expression_compile(exp, ip_address_regex[i], 0) &&
+                 w_expression_match(exp, ip_address, NULL, regex_match)) {
+
+                /* number of regex captures */
+                int sub_strings_num = 0;
+                if (regex_match->sub_strings) {
+                    for (sub_strings_num = 0; regex_match->sub_strings[sub_strings_num] != NULL; sub_strings_num++);
+                }
+
+                ret = sub_strings_num == 2 ? 2 : 1;
+
+                if (final_ip) {
+                    /* Regex 0 (i = 0) match IPv4, superior regex match IPv6 */
+                    if (i > 0) {
+                        /* IPv6 */
+                        os_calloc(1, sizeof(os_ipv6), final_ip->ipv6);
+                        final_ip->is_ipv6 = TRUE;
+
+                        /* At this point regex can capture 1 or 2 strings, first is the ip and second the prefix */
+                        if (sub_strings_num > 0) {
+                            /* IP Address captured */
+                            struct in6_addr net6;
+                            struct in6_addr nmask6;
+                            memset(&net6, 0, sizeof(net6));
+                            memset(&nmask6, 0, sizeof(nmask6));
+
+                            if (OS_INVALID == get_ipv6_numeric(regex_match->sub_strings[0], &net6)) {
+                                ret = 0;
+                                break;
+                            }
+
+                            if (sub_strings_num == 2) {
+                                /* prefix */
+                                int cidr = atoi(regex_match->sub_strings[1]);
+                                if ((strlen(regex_match->sub_strings[1]) > 3) ||
+                                      convertNetmask(cidr, &nmask6)) {
+                                    ret = 0;
+                                    break;
+                                }
+                            } else if (convertNetmask(DEFAULT_IPV6_PREFIX, &nmask6)) {
+                                ret = 0;
+                                break;
+                            }
+#ifndef WIN32
+                            for(unsigned int i = 0; i < 16; i++) {
+                                final_ip->ipv6->ip_address[i] = net6.s6_addr[i] & nmask6.s6_addr[i];
+                            }
+                            memcpy(final_ip->ipv6->netmask, nmask6.s6_addr, sizeof(final_ip->ipv6->netmask));
+#else
+                            for(unsigned int i = 0; i < 16; i++) {
+                                final_ip->ipv6->ip_address[i] = net6.u.Byte[i] & nmask6.u.Byte[i];
+                            }
+                            memcpy(final_ip->ipv6->netmask, nmask6.u.Byte, sizeof(final_ip->ipv6->netmask));
+#endif
+                            OS_ExpandIPv6(final_ip->ip, IPSIZE);
+
+                        } else {
+                            ret = 0;
+                            break;
+                        }
+                    } else {
+                        /* IPv4 */
+                        os_calloc(1, sizeof(os_ipv4), final_ip->ipv4);
+                        final_ip->is_ipv6 = FALSE;
+
+                        /* At this point regex can capture 1 or 2 strings, ip and CIDR or netmask */
+                        if (sub_strings_num > 0) {
+                            /* IP Address captured */
+                            struct in_addr net;
+                            struct in_addr nmask;
+                            memset(&net, 0, sizeof(net));
+                            memset(&nmask, 0, sizeof(nmask));
+
+                            if (OS_INVALID == get_ipv4_numeric(regex_match->sub_strings[0], &net)) {
+                                if (strcmp("0.0.0.0", regex_match->sub_strings[0]) == 0) {
+                                    net.s_addr = 0;
+                                } else {
+                                    ret = 0;
+                                    break;
+                                }
+                            }
+
+                            if (sub_strings_num == 2) {
+                                /* CIDR or Netmask */
+                                if (strlen(regex_match->sub_strings[1]) <= 2) {
+                                    int cidr = atoi(regex_match->sub_strings[1]);
+                                    if (!_mask_inited) {
+                                        _init_masks();
+                                    }
+                                    nmask.s_addr = htonl(_netmasks[cidr]);
+                                } else if (OS_INVALID == get_ipv4_numeric(regex_match->sub_strings[1], &nmask)) {
+                                    ret = 0;
+                                    break;
+                                }
+                            } else {
+                                if (!_mask_inited) {
+                                    _init_masks();
+                                }
+                                nmask.s_addr = htonl(_netmasks[DEFAULT_IPV4_NETMASK]);
+                            }
+
+                            final_ip->ipv4->ip_address = net.s_addr & nmask.s_addr;
+                            final_ip->ipv4->netmask = nmask.s_addr;
+
+                        } else {
+                            ret = 0;
+                            break;
+                        }
+                    }
+                }
+                break;
+            }
+            w_free_expression_t(&exp);
+            i++;
+        }
+
+        OSRegex_free_regex_matching(regex_match);
+        os_free(regex_match)
+        w_free_expression_t(&exp);
+    }
+    else {
+        /* any case */
+        if (final_ip) {
+            os_calloc(1, sizeof(os_ipv6), final_ip->ipv6);
+            memset(final_ip->ipv6->ip_address, 0, sizeof(final_ip->ipv6->ip_address));
+            memset(final_ip->ipv6->netmask, 0, sizeof(final_ip->ipv6->netmask));
+        }
+        ret = 2;
+    }
+
+    return ret;
+}
+
+/* Extract embedded IPv4 from IPv6 */
+int OS_GetIPv4FromIPv6(char *ip_address, size_t size)
+{
+    w_expression_t * exp;
+    int ret = 0;
+
+    regex_matching * regex_match = NULL;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    w_calloc_expression_t(&exp, EXP_TYPE_PCRE2);
+    if (w_expression_compile(exp, IPV4_MASK_IPV6, 0) &&
+         w_expression_match(exp, ip_address, NULL, regex_match)) {
+
+        /* number of regex captures */
+        if (regex_match->sub_strings && regex_match->sub_strings[0]) {
+            strncpy(ip_address, regex_match->sub_strings[0], size);
+            ret = 1;
+        }
+    }
+
+    OSRegex_free_regex_matching(regex_match);
+    os_free(regex_match)
+    w_free_expression_t(&exp);
+    return ret;
+}
+
+/* Expand IPv6 address */
+int OS_ExpandIPv6(char *ip_address, size_t size)
+{
+    struct in6_addr net6;
+    char aux_ip[IPSIZE + 1] = {0};
+    char *save_ptr = NULL;
+
+    memset(&net6, 0, sizeof(net6));
+    strncpy(aux_ip, ip_address, IPSIZE);
+
+    if (OS_INVALID == get_ipv6_numeric(strtok_r(aux_ip, "/", &save_ptr), &net6)) {
+        return OS_INVALID;
+    }
+
+    uint8_t aux[16];
+    for(unsigned int i = 0; i < 16; i++) {
+#ifndef WIN32
+        aux[i] = net6.s6_addr[i];
+#else
+        aux[i] = net6.u.Byte[i];
+#endif
+    }
+
+    /* In case of ip_address has CIDR */
+    int cidr = 0;
+    char *cidr_str = strtok_r(NULL, "/", &save_ptr);
+    if (cidr_str) {
+        cidr = atoi(cidr_str);
+        if (cidr < 0 || cidr > DEFAULT_IPV6_PREFIX) {
+            return OS_INVALID;
+        }
+    }
+
+    if (cidr) {
+        snprintf(ip_address, size, "%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X/%u",
+            (int)aux[0], (int)aux[1], (int)aux[2], (int)aux[3],
+            (int)aux[4], (int)aux[5], (int)aux[6], (int)aux[7],
+            (int)aux[8], (int)aux[9], (int)aux[10], (int)aux[11],
+            (int)aux[12], (int)aux[13], (int)aux[14], (int)aux[15], cidr);
+    } else {
+        snprintf(ip_address, size, "%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X",
+            (int)aux[0], (int)aux[1], (int)aux[2], (int)aux[3],
+            (int)aux[4], (int)aux[5], (int)aux[6], (int)aux[7],
+            (int)aux[8], (int)aux[9], (int)aux[10], (int)aux[11],
+            (int)aux[12], (int)aux[13], (int)aux[14], (int)aux[15]);
+    }
+
+    return OS_SUCCESS;
+}
+
+/* Must be a valid string, called after OS_IsValidTime
+ * Returns 1 on success or 0 on failure
+ */
+int OS_IsonTime(const char *time_str, const char *ossec_time)
+{
+    int _true = 1;
+
+    if (*ossec_time == '!') {
+        _true = 0;
+    }
+    ossec_time++;
+
+    /* Comparing against min/max value */
+    if ((strncmp(time_str, ossec_time, 5) >= 0) &&
+            (strncmp(time_str, ossec_time + 5, 5) <= 0)) {
+        return (_true);
+    }
+
+    return (!_true);
+}
+
+/* Validate if a time is in an acceptable format for OSSEC.
+ * Returns 0 if doesn't match or a valid string for OSSEC usage in success.
+ * ** On success this function may modify the value of date
+ * Acceptable formats:
+ *      hh:mm - hh:mm (24 hour format)
+ *      !hh:mm -hh:mm (24 hour format)
+ *      hh - hh (24 hour format)
+ *      hh:mm am - hh:mm pm (12 hour format)
+ *      hh am - hh pm (12 hour format)
+ */
+#define RM_WHITE(x)while(*x == ' ')x++;
+
+static const char *__gethour(const char *str, char *ossec_hour, const size_t ossec_hour_len)
+{
+    int _size = 0;
+    int chour = 0;
+    int cmin = 0;
+
+    /* Invalid time format */
+    if (!isdigit((int)*str)) {
+        merror(INVALID_TIME, str);
+    }
+
+    /* Hour */
+    chour = atoi(str);
+
+    /* Get a valid hour */
+    if (chour < 0 || chour >= 24) {
+        merror(INVALID_TIME, str);
+        return (NULL);
+    }
+
+    /* Go after the hour */
+    while (isdigit((int)*str)) {
+        _size++;
+        str++;
+    }
+
+    /* Invalid hour */
+    if (_size > 2) {
+        merror(INVALID_TIME, str);
+        return (NULL);
+    }
+
+    /* Get minute */
+    if (*str == ':') {
+        str++;
+        if ((!isdigit((int)*str) ||
+                !isdigit((int) * (str + 1))) && isdigit((int) * (str + 2))) {
+            merror(INVALID_TIME, str);
+            return (NULL);
+        }
+
+        cmin = atoi(str);
+        str += 2;
+    }
+
+    /* Remove spaces */
+    RM_WHITE(str);
+
+    if ((*str == 'a') || (*str == 'A')) {
+        str++;
+        if ((*str == 'm') || (*str == 'M')) {
+            if (chour == 12) chour = 0;
+            const int bytes_written = snprintf(ossec_hour, ossec_hour_len, "%02d:%02d", chour, cmin);
+
+            if (bytes_written < 0 || (size_t)bytes_written >= ossec_hour_len) {
+                return (NULL);
+            }
+
+            str++;
+            return (str);
+        }
+    } else if ((*str == 'p') || (*str == 'P')) {
+        str++;
+        if ((*str == 'm') || (*str == 'M')) {
+            if (chour == 12) chour = 0;
+            chour += 12;
+
+            /* New hour must be valid */
+            if (chour < 0 || chour >= 24) {
+                merror(INVALID_TIME, str);
+                return (NULL);
+            }
+
+            const int bytes_written = snprintf(ossec_hour, ossec_hour_len, "%02d:%02d", chour, cmin);
+
+            if (bytes_written < 0 || (size_t)bytes_written >= ossec_hour_len) {
+                return (NULL);
+            }
+
+            str++;
+            return (str);
+        }
+
+    } else {
+        const int bytes_written = snprintf(ossec_hour, ossec_hour_len, "%02d:%02d", chour, cmin);
+
+        if (bytes_written < 0 || (size_t)bytes_written >= ossec_hour_len) {
+            return (NULL);
+        }
+
+        return (str);
+    }
+
+    /* Here is error */
+    merror(INVALID_TIME, str);
+    return (NULL);
+}
+
+char *OS_IsValidTime(const char *time_str)
+{
+    char *ret;
+    char first_hour[7];
+    char second_hour[7];
+    int ng = 0;
+
+    /* Must be not null */
+    if (!time_str) {
+        return (NULL);
+    }
+
+    /* Clear memory */
+    memset(first_hour, '\0', 7);
+    memset(second_hour, '\0', 7);
+
+    /* Remove spaces */
+    RM_WHITE(time_str);
+
+    /* Check for negative */
+    if (*time_str == '!') {
+        ng = 1;
+        time_str++;
+
+        /* We may have spaces after the '!' */
+        RM_WHITE(time_str);
+    }
+
+    /* Get first hour */
+    time_str = __gethour(time_str, first_hour, sizeof(first_hour));
+
+    if (!time_str) {
+        return (NULL);
+    }
+
+    /* Remove spaces */
+    RM_WHITE(time_str);
+
+    if (*time_str != '-') {
+        return (NULL);
+    }
+
+    time_str++;
+
+    /* Remove spaces */
+    RM_WHITE(time_str);
+
+    /* Get second hour */
+    time_str = __gethour(time_str, second_hour, sizeof(second_hour));
+    if (!time_str) {
+        return (NULL);
+    }
+
+    RM_WHITE(time_str);
+    if (*time_str != '\0') {
+        return (NULL);
+    }
+
+    os_calloc(16, sizeof(char), ret);
+
+    /* Fix dump hours */
+    if (strcmp(first_hour, second_hour) > 0) {
+        snprintf(ret, 16, "!%s%s", second_hour, first_hour);
+        return (ret);
+    }
+
+    /* For the normal times */
+    snprintf(ret, 16, "%c%s%s", ng == 0 ? '.' : '!', first_hour, second_hour);
+
+    return (ret);
+}
+
+/* Check if the current time is the same or has passed the specified one */
+int OS_IsAfterTime(const char *time_str, const char *ossec_time)
+{
+    /* Unique times can't have a ! */
+    if (*ossec_time == '!') {
+        return (0);
+    }
+
+    ossec_time++;
+
+    /* Compare against min/max value */
+    if (strncmp(time_str, ossec_time, 5) >= 0) {
+        return (1);
+    }
+
+    return (0);
+}
+
+/* Create a unique time, not a range. Must be used with OS_IsAfterTime. */
+char *OS_IsValidUniqueTime(const char *time_str)
+{
+    char mytime[128 + 1];
+
+    if (*time_str == '!') {
+        return (NULL);
+    }
+
+    memset(mytime, '\0', 128 + 1);
+    snprintf(mytime, 128, "%s-%s", time_str, time_str);
+
+    return (OS_IsValidTime(mytime));
+}
+
+/* Check if the specified week day is in the range */
+int OS_IsonDay(int week_day, const char *ossec_day)
+{
+    int _true = 1;
+
+    /* Negative */
+    if (ossec_day[7] == '!') {
+        _true = 0;
+    }
+
+    if (week_day < 0 || week_day > 7) {
+        return (0);
+    }
+
+    /* It is on the right day */
+    if (ossec_day[week_day] == 1) {
+        return (_true);
+    }
+
+    return (!_true);
+}
+
+/* Validate if a day is in an acceptable format for OSSEC
+ * Returns 0 if doesn't match or a valid string for OSSEC usage in success.
+ * WARNING: On success this function may modify the value of date
+ * Acceptable formats:
+ *  weekdays, weekends, monday, tuesday, thursday,..
+ *  monday,tuesday
+ *  mon,tue wed
+ */
+#define RM_SEP(x)while((*x == ' ') || (*x == ','))x++;
+
+#define IS_SEP(x) (*x == ' ' || *x == ',')
+
+char *OS_IsValidDay(const char *day_str)
+{
+    int i = 0, ng = 0;
+    char *ret;
+    char day_ret[9] = {0, 0, 0, 0, 0, 0, 0, 0, 0};
+    const char *(days[]) = {
+        "sunday", "sun", "monday", "mon", "tuesday", "tue",
+        "wednesday", "wed", "thursday", "thu", "friday",
+        "fri", "saturday", "sat", "weekdays", "weekends", NULL
+    };
+    int days_int[] = {0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 8};
+
+    /* Must be a valid string */
+    if (!day_str) {
+        return (NULL);
+    }
+
+    RM_WHITE(day_str);
+
+    /* Check for negatives */
+    if (*day_str == '!') {
+        ng = 1;
+        RM_WHITE(day_str);
+    }
+
+    while (*day_str != '\0') {
+        i = 0;
+        while (days[i]) {
+            if (strncasecmp(day_str, days[i], strlen(days[i])) == 0) {
+                /* Weekdays */
+                if (days_int[i] == 7) {
+                    day_ret[1] = 1;
+                    day_ret[2] = 1;
+                    day_ret[3] = 1;
+                    day_ret[4] = 1;
+                    day_ret[5] = 1;
+                }
+                /* Weekends */
+                else if (days_int[i] == 8) {
+                    day_ret[0] = 1;
+                    day_ret[6] = 1;
+                } else {
+                    day_ret[days_int[i]] = 1;
+                }
+                break;
+            }
+            i++;
+        }
+
+        if (!days[i]) {
+            return (NULL);
+        }
+
+        day_str += strlen(days[i]);
+
+        if (IS_SEP(day_str)) {
+            RM_SEP(day_str);
+            continue;
+        } else if (*day_str == '\0') {
+            break;
+        } else {
+            return (NULL);
+        }
+    }
+
+    /* Assign values */
+    os_calloc(9, sizeof(char), ret);
+    if (ng == 1) {
+        /* Set negative */
+        ret[7] = '!';
+    }
+
+    ng = 0;
+    for (i = 0; i <= 6; i++) {
+        /* Check if some is checked */
+        if (day_ret[i] == 1) {
+            ng = 1;
+        }
+        ret[i] = day_ret[i];
+    }
+
+    /* At least one day must be checked */
+    if (ng == 0) {
+        free(ret);
+        return (NULL);
+    }
+
+    return (ret);
+}
+
+// Convert a CIDR into string: aaa.bbb.ccc.ddd[/ee]
+int OS_CIDRtoStr(const os_ip * ip, char * string, size_t size) {
+    int imask = 0;
+    bool is_ipv6 = false;
+    uint32_t hmask;
+
+    if (strchr(ip->ip, ':') != NULL) {
+        is_ipv6 = true;
+        imask = getCIDRipv6(ip->ipv6->netmask);
+    }
+
+    if (is_ipv6 && imask < 128) {
+        return ((snprintf(string, size, "%s/%u", ip->ip, imask) < (int)size) - 1);
+
+    } else if (!is_ipv6 && (ip->ipv4->netmask != 0xFFFFFFFF) && strcmp(ip->ip, "any")) {
+        if (_mask_inited) {
+            _init_masks();
+        }
+
+        hmask = ntohl(ip->ipv4->netmask);
+        for (imask = 0; imask < 32 && _netmasks[imask] != hmask; imask++);
+        return (imask < 32) ? ((snprintf(string, size, "%s/%u", ip->ip, imask) < (int)size) - 1) : -1;
+
+    } else {
+        strncpy(string, ip->ip, size - 1);
+        string[size - 1] = '\0';
+        return 0;
+    }
+}
+
+// Get CIDR from IPv6 netmask
+static int getCIDRipv6(uint8_t *netmask) {
+    int imask = 0;
+    uint8_t aux = 0;
+    for (uint8_t i = 0; i < 16; i++) {
+        aux = netmask[i];
+        for (uint8_t a = 0; a < 8 && aux > 0; a++) {
+            if (0x01 & aux) {
+                imask++;
+            }
+            aux = aux >> UINT8_C(1);
+        }
+    }
+    return imask;
+}
+
+/* Validate the day of the week set and retrieve its corresponding integer value.
+   If not found, -1 is returned.
+*/
+
+int w_validate_wday(const char * day_str) {
+
+    int i = 0;
+
+    const char *(days[]) = {
+        "sunday", "sun", "monday", "mon", "tuesday", "tue",
+        "wednesday", "wed", "thursday", "thu", "friday",
+        "fri", "saturday", "sat", NULL
+    };
+
+    int days_int[] = {0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6};
+
+    /* Must be a valid string */
+    if (!day_str) {
+        return -1;
+    }
+
+    // Remove spaces
+    RM_WHITE(day_str);
+
+    while((days[i] != NULL)) {
+        if (strncasecmp(day_str, days[i], strlen(days[i])) == 0) {
+            return days_int[i];
+        }
+        i++;
+    }
+
+    merror(INVALID_DAY, day_str);
+    return -1;
+
+}
+
+// Acceptable format: hh:mm (24 hour format)
+char * w_validate_time(const char * time_str) {
+
+    int hour = -1;
+    int min = -1;
+    char * ret_time = NULL;
+
+    if (!time_str) {
+        return NULL;
+    }
+
+    /* Remove spaces */
+    RM_WHITE(time_str);
+
+    if (!strchr(time_str, ':')) {
+        merror(INVALID_TIME, time_str);
+        return NULL;
+    }
+
+    if (sscanf(time_str, "%d:%d", &hour, &min) < 0) {
+        merror(INVALID_TIME, time_str);
+        return NULL;
+    } else {
+        if ((hour < 0 || hour >= 24) || (min < 0 || min >= 60)) {
+            merror(INVALID_TIME, time_str);
+            return NULL;
+        }
+    }
+
+    os_calloc(12, sizeof(char), ret_time);
+    snprintf(ret_time, 12, "%02d:%02d", hour, min);
+
+    return ret_time;
+
+}
+
+// Validate if the specified interval is multiple of weeks or days
+int w_validate_interval(int interval, int force) {
+
+    int ret = -1;
+
+    switch(force) {
+        case 0:     // Force to be a multiple of a day
+            ret = interval % 86400;
+            break;
+        case 1:     // Force to be a multiple of a week
+            ret = interval % 604800;
+            break;
+        default:
+            merror("At validate_interval(): internal error.");
+    }
+
+    return ret;
+}
+
+long long w_validate_bytes(const char *content) {
+
+    long long converted_value = 0;
+    char * end;
+    long read_value = strtol(content, &end, 10);
+
+    if (read_value < 0 || read_value == LONG_MAX || content == end) {
+        return -1;
+    }
+
+    switch (*end) {
+        case 'K':
+        case 'k':
+            converted_value = read_value * 1024LL;
+            break;
+        case 'M':
+        case 'm':
+            converted_value = read_value * (1024 * 1024LL);
+            break;
+        case 'G':
+        case 'g':
+            converted_value = read_value * (1024 * 1024 * 1024LL);
+            break;
+        default:
+            converted_value = read_value;
+            break;
+    }
+
+    return converted_value;
+}
diff --git a/src/common/validate_op/tests/unit/tests/CMakeLists.txt b/src/common/validate_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..3f4a9918cf
--- /dev/null
+++ b/src/common/validate_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,55 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_validate_op")
+set(VALIDATE_OP_FLAGS "-Wl,--wrap,w_expression_match -Wl,--wrap,w_calloc_expression_t \
+                       -Wl,--wrap,w_expression_compile -Wl,--wrap,w_free_expression_t \
+                       -Wl,--wrap,get_ipv4_numeric -Wl,--wrap,get_ipv6_numeric")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${VALIDATE_OP_FLAGS} -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown ${DEBUG_OP_WRAPPERS}")
+else()
+list(APPEND shared_tests_flags "${VALIDATE_OP_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/validate_op/tests/unit/tests/test_validate_op.c b/src/common/validate_op/tests/unit/tests/test_validate_op.c
new file mode 100644
index 0000000000..4799b0a9df
--- /dev/null
+++ b/src/common/validate_op/tests/unit/tests/test_validate_op.c
@@ -0,0 +1,1372 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "../../headers/shared.h"
+#include "../../headers/validate_op.h"
+#include "../wrappers/wazuh/shared/expression_wrappers.h"
+#include "../wrappers/wazuh/os_net/os_net_wrappers.h"
+#include "../../shared/validate_op.c"
+
+/* tests */
+
+#define TEST_MOCKED
+
+void w_validate_bytes_non_number (void **state)
+{
+    const char * value = "hello";
+    long long expected_value = -1;
+
+    long long ret = w_validate_bytes(value);
+    assert_memory_equal(&ret, &expected_value, sizeof(long long));
+}
+
+void w_validate_bytes_bytes (void **state)
+{
+    const char * value = "1024B";
+    long long expected_value = 1024;
+
+    long long ret = w_validate_bytes(value);
+    assert_memory_equal(&ret, &expected_value, sizeof(long long));
+}
+
+void w_validate_bytes_kilobytes (void **state)
+{
+    const char * value = "1024KB";
+    long long expected_value = 1024*1024;
+
+    long long ret = w_validate_bytes(value);
+    assert_memory_equal(&ret, &expected_value, sizeof(long long));
+}
+
+void w_validate_bytes_megabytes (void **state)
+{
+    const char * value = "1024MB";
+    long long expected_value = 1024*1024*1024;
+
+    long long ret = w_validate_bytes(value);
+    assert_memory_equal(&ret, &expected_value, sizeof(long long));
+}
+
+void w_validate_bytes_gigabytes (void **state)
+{
+    const char * value = "1024GB";
+    long long expected_value = 1024 * ((long long) 1024*1024*1024);
+
+    long long ret = w_validate_bytes(value);
+    assert_memory_equal(&ret, &expected_value, sizeof(long long));
+}
+
+void OS_IsValidIP_null(void **state)
+{
+    int ret = OS_IsValidIP(NULL, NULL);
+    assert_int_equal(ret, 0);
+}
+
+void OS_IsValidIP_any(void **state)
+{
+    int ret = OS_IsValidIP("any", NULL);
+    assert_int_equal(ret, 2);
+}
+
+void OS_IsValidIP_any_struct(void **state)
+{
+    int ret = 0;
+    os_ip *ret_ip;
+
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    ret = OS_IsValidIP("any", ret_ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_not_valid_ip(void **state)
+{
+    unsigned int i = 0;
+    while (ip_address_regex[i] != NULL) {
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, false);
+        i++;
+    }
+
+    int ret = OS_IsValidIP("12.0", NULL);
+    assert_int_equal(ret, 0);
+}
+
+void OS_IsValidIP_valid_multi_ipv4(void **state)
+{
+    const char * ip_to_test[] = {
+        "1.1.1.1",
+        "255.255.255.255",
+        "100.100.100.100",
+        "10.10.10.10",
+        "111.111.111.111",
+        "222.222.222.222",
+        "127.0.0.1",
+        NULL,
+    };
+
+    int ret = 0;
+    os_ip *ret_ip;
+
+    for (int i = 0; ip_to_test[i] != NULL; i++) {
+
+        os_calloc(1, sizeof(os_ip), ret_ip);
+
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, true);
+
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, -1);
+        will_return(__wrap_w_expression_match, ip_to_test);
+
+        will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+
+        ret = OS_IsValidIP(ip_to_test[i], ret_ip);
+        assert_string_equal(ip_to_test[i], ret_ip->ip);
+        assert_int_equal(ret, 1);
+        assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+        w_free_os_ip(ret_ip);
+    }
+}
+
+void OS_IsValidIP_not_valid_multi_ipv4(void **state)
+{
+    const char * ip_to_test[] = {
+        // more or less than 4 octets
+        "111",
+        "01.01",
+        "01.01.01",
+        "10.10.10.10.10",
+        "222.222.222.222.222",
+        // octet limit exceeded (more than 255)
+        "333.333.334.334",
+        "256.1.01.001",
+        "1.1.1.256",
+        "327.0.0.1",
+        "4000.00.0.1",
+        // ip with index limit exceeded (more than 32)
+        "10.10.10.10/",
+        "10.10.10.10/33",
+        "10.10.10.10/99",
+        "10.10.10.10/123",
+        "10.10.10.10/12345",
+        // ip with extra 0
+        "01.01.01.01",
+        "001.001.001.001",
+        "000.00.0.1",
+        // ip with invalid netmask
+        "1.1.1.10/36.255.255",
+        "1.1.1.1/36.1.1.256",
+        "1.1.1.300/36.1.1.255",
+        NULL,
+    };
+
+    int ret = 0;
+    os_ip *ret_ip;
+
+    for (int i = 0; ip_to_test[i] != NULL; i++) {
+
+        os_calloc(1, sizeof(os_ip), ret_ip);
+
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, true);
+
+        unsigned int a = 0;
+        while (ip_address_regex[a] != NULL) {
+            expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+            will_return(__wrap_w_expression_compile, true);
+            will_return(__wrap_w_expression_match, false);
+            a++;
+        }
+
+        ret = OS_IsValidIP(ip_to_test[i], ret_ip);
+        assert_string_equal(ip_to_test[i], ret_ip->ip);
+        assert_int_equal(ret, 0);
+
+        w_free_os_ip(ret_ip);
+    }
+}
+
+void OS_IsValidIP_valid_ipv4_CIDR(void **state)
+{
+    char ip_to_test[] = {"192.168.10.12/32"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "192.168.10.12");
+    will_return(__wrap_w_expression_match, "32");
+
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_string_equal(ip_to_test, ret_ip->ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_fail(void **state)
+{
+    char ip_to_test[] = {"192.168.10.12/32"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "192.168.10.12");
+    will_return(__wrap_w_expression_match, "32");
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_zero_fail(void **state)
+{
+    char ip_to_test[] = {"0.0.0.0/32"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "0.0.0");
+    will_return(__wrap_w_expression_match, "32");
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_zero_pass(void **state)
+{
+    char ip_to_test[] = {"0.0.0.0/32"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "0.0.0.0");
+    will_return(__wrap_w_expression_match, "32");
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 2);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_netmask(void **state)
+{
+    char ip_to_test[] = {"32.32.32.32/255.255.255.255"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "32.32.32.32");
+    will_return(__wrap_w_expression_match, "255.255.255.255");
+
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_string_equal(ip_to_test, ret_ip->ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_0_netmask(void **state)
+{
+    char ip_to_test[] = {"0.0.0.0/255.255.255.255"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "0.0.0.0");
+    will_return(__wrap_w_expression_match, "255.255.255.255");
+
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_string_equal(ip_to_test, ret_ip->ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_netmask_0(void **state)
+{
+    char ip_to_test[] = {"16.16.16.16/255.255.255.0"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "16.16.16.16");
+    will_return(__wrap_w_expression_match, "255.255.255.0");
+
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_string_equal(ip_to_test, ret_ip->ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, FALSE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_netmask_fail(void **state)
+{
+    char ip_to_test[] = {"32.32.32.32/255.255.255.255"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "32.32.32.32");
+    will_return(__wrap_w_expression_match, "255.255.255.255");
+
+    will_return(__wrap_get_ipv4_numeric, OS_SUCCESS);
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_sub_string_0(void **state)
+{
+    char ip_to_test[] = {"32.32.32.32/255.255.255.255"};
+
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "32.32.32.32");
+    will_return(__wrap_w_expression_match, "255.255.255.255");
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0xFFFFFFFF);
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0xFFFFFFFF);
+
+    int ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 2);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv4_netmask_0_NULL_struct(void **state)
+{
+    char ip_to_test[] = {"16.16.16.16/255.255.255.0"};
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "16.16.16.16");
+    will_return(__wrap_w_expression_match, "255.255.255.0");
+
+    int ret = OS_IsValidIP(ip_to_test, NULL);
+    assert_int_equal(ret, 2);
+}
+
+void OS_IsValidIP_valid_multi_ipv6(void **state)
+{
+    const char * ip_to_test[] = {
+        "2001:db8:abcd:0012:0000:0000:0000:0000",
+        "2001:db8:abcd:0012:ffff:ffff:ffff:ffff",
+        "fe80::ceaf:9ff2:b33c:1ca7",
+        "11AA:11AA:11AA:11AA:11AA:11AA:11AA:11AA",
+        "11AA::11AA:11AA:11AA:11AA:11AA:11AA",
+        "11AA::11AA:11AA:11AA:11AA:11AA",
+        "11AA::11AA:11AA:11AA:11AA",
+        "11AA::11AA:11AA:11AA",
+        "11AA::11AA:11AA",
+        "11AA::11AA",
+        "11AA:11AA:11AA:11AA:11AA:11AA::11AA",
+        "11AA:11AA:11AA:11AA:11AA::11AA",
+        "11AA:11AA:11AA:11AA::11AA",
+        "11AA:11AA:11AA::11AA",
+        "11AA:11AA::11AA",
+        "11AA::11AA",
+        "11AA::11AA:11AA:11AA:11AA:11AA:11AA",
+        "11AA:11AA::11AA:11AA:11AA:11AA:11AA",
+        "11AA:11AA:11AA::11AA:11AA:11AA:11AA",
+        "11AA:11AA:11AA:11AA::11AA:11AA:11AA",
+        "11AA:11AA:11AA:11AA:11AA::11AA:11AA",
+        "11AA:11AA:11AA:11AA:11AA:11AA::11AA",
+        "11AA:11AA:11AA:11AA:11AA:11AA:11AA::",
+        "11AA:11AA:11AA:11AA:11AA:11AA::",
+        "11AA:11AA:11AA:11AA:11AA::",
+        "11AA:11AA:11AA:11AA::",
+        "11AA:11AA:11AA::",
+        "11AA:11AA::",
+        "11AA::",
+        "::11AA:11AA:11AA:11AA:11AA:11AA:11AA",
+        "::11AA:11AA:11AA:11AA:11AA:11AA",
+        "::11AA:11AA:11AA:11AA:11AA",
+        "::11AA:11AA:11AA:11AA",
+        "::11AA:11AA:11AA",
+        "::11AA:11AA",
+        "::11AA",
+        "::",
+        "::ffff:10.2.3.1",
+        NULL,
+    };
+
+    int ret = 0;
+    os_ip *ret_ip;
+
+    for (int i = 0; ip_to_test[i] != NULL; i++) {
+
+        os_calloc(1, sizeof(os_ip), ret_ip);
+
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, true);
+
+        /* First call to __wrap_w_expression_match fail */
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, false);
+
+        /* Second call to __wrap_w_expression_match pass */
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, -1);
+        will_return(__wrap_w_expression_match, ip_to_test);
+
+        will_return(__wrap_get_ipv6_numeric, OS_SUCCESS);
+        will_return(__wrap_get_ipv6_numeric, OS_SUCCESS);
+
+        ret = OS_IsValidIP(ip_to_test[i], ret_ip);
+        //assert_string_equal(ip_to_test[i], ret_ip->ip);
+        assert_int_equal(ret, 1);
+        assert_int_equal(ret_ip->is_ipv6, TRUE);
+        assert_non_null(ret_ip->ipv6->ip_address);
+
+        w_free_os_ip(ret_ip);
+    }
+}
+
+void OS_IsValidIP_not_valid_multi_ipv6(void **state)
+{
+
+    const char * ip_to_test[] = {
+        "::11AA:11AA:11AA:11AA:11AA::11AA",
+        "::11AA:11AA:11AA:11AA:11AA:11AA:",
+        "::11AA:11AA::11AA:11AA:11AA:",
+        "::11AA:11AA:11AA:11AA:::",
+        "::11AA::11AA:11AA::11AA:11AA:11AA::11AA",
+        "11AA:11AA:11AA:11AA:11AA:11AA:11AA:11AA:11AA",
+        "GGAA:11AA:11AA:11AA:11AA:11AA:11AA:11AA",
+        NULL,
+    };
+
+    int ret = 0;
+    os_ip *ret_ip;
+
+    for (int i = 0; ip_to_test[i] != NULL; i++) {
+
+        os_calloc(1, sizeof(os_ip), ret_ip);
+
+        expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+        will_return(__wrap_w_expression_compile, true);
+        will_return(__wrap_w_expression_match, true);
+
+        int a = 0;
+        while (ip_address_regex[a] != NULL) {
+            expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+            will_return(__wrap_w_expression_compile, true);
+            will_return(__wrap_w_expression_match, false);
+            a++;
+        }
+
+        ret = OS_IsValidIP(ip_to_test[i], ret_ip);
+        assert_string_equal(ip_to_test[i], ret_ip->ip);
+        assert_int_equal(ret, 0);
+
+        w_free_os_ip(ret_ip);
+    }
+}
+
+void OS_IsValidIP_valid_ipv6_prefix(void **state)
+{
+    char ip_to_test[] = {"2001:db8:abcd:0012:0000:0000:0000:0000/60"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    /* First call to __wrap_w_expression_match fail */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    /* Second call to __wrap_w_expression_match pass */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "2001:db8:abcd:0012:0000:0000:0000:0000");
+    will_return(__wrap_w_expression_match, "60");
+
+    will_return(__wrap_get_ipv6_numeric, OS_SUCCESS);
+    will_return(__wrap_get_ipv6_numeric, OS_SUCCESS);
+
+    ret = OS_IsValidIP(ip_to_test, ret_ip);
+    //assert_string_equal(ip_to_test, ret_ip->ip);
+    assert_int_equal(ret, 2);
+    assert_int_equal(ret_ip->is_ipv6, TRUE);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv6_prefix_NULL_struct(void **state)
+{
+    char ip_to_test[] = {"2001:db8:abcd:0012:0000:0000:0000:0000/64"};
+
+    /* First call to __wrap_w_expression_match fail */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    /* Second call to __wrap_w_expression_match pass */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "2001:db8:abcd:0012:0000:0000:0000:0000");
+    will_return(__wrap_w_expression_match, "64");
+
+    int ret = OS_IsValidIP(ip_to_test, NULL);
+    assert_int_equal(ret, 2);
+}
+
+void OS_IsValidIP_valid_ipv6_numeric_fail(void **state)
+{
+    char ip_to_test[] = {"2001:db8:abcd:0012:0000:0000:0000:0000"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    /* First call to __wrap_w_expression_match fail */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    /* Second call to __wrap_w_expression_match pass */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "2001:db8:abcd:0012:0000:0000:0000:0000");
+
+    will_return(__wrap_get_ipv6_numeric, OS_INVALID);
+
+    ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv6_converNetmask_fail(void **state)
+{
+    char ip_to_test[] = {"2001:db8:abcd:0012:0000:0000:0000:0000/64"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    /* First call to __wrap_w_expression_match fail */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    /* Second call to __wrap_w_expression_match pass */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "2001:db8:abcd:0012:0000:0000:0000:0000");
+    will_return(__wrap_w_expression_match, "644");
+
+    will_return(__wrap_get_ipv6_numeric, OS_SUCCESS);
+
+    ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IsValidIP_valid_ipv6_sub_string_0(void **state)
+{
+    char ip_to_test[] = {"2001:db8:abcd:0012:0000:0000:0000:0000/64"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    /* First call to __wrap_w_expression_match fail */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    /* Second call to __wrap_w_expression_match pass */
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -2);
+    will_return(__wrap_w_expression_match, "2001:db8:abcd:0012:0000:0000:0000:0000");
+    will_return(__wrap_w_expression_match, "64");
+
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0xFFFFFFFF);
+
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0xFFFFFFFF);
+
+    ret = OS_IsValidIP(ip_to_test, ret_ip);
+    assert_int_equal(ret, 2);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFound_not_valid_ip(void **state)
+{
+    char ip_to_test[] = {"2001::db8:abcd::0012/64"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, OS_INVALID);
+
+    ret = OS_IPFound(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFound_valid_ipv4(void **state)
+{
+    char ip_to_test[] = {"255.255.255.255"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+    os_strdup("255.255.255.255", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->ipv4->ip_address = 0xFFFFFFFF;
+    ret_ip->ipv4->netmask = 0xFFFFFFFF;
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0xFFFFFFFF);
+
+    ret = OS_IPFound(ip_to_test, ret_ip);
+    assert_int_equal(ret, 1);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFound_valid_ipv4_negated(void **state)
+{
+    char ip_to_test[] = {"16.16.16.16"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+    os_strdup("!16.16.16.16", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->ipv4->ip_address = 0x10101010;
+    ret_ip->ipv4->netmask = 0xFFFFFFFF;
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0x10101010);
+
+    ret = OS_IPFound(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFound_valid_ipv6(void **state)
+{
+    char ip_to_test[] = {"1010:1010:1010:1010:1010:1010:1010:1010"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+    os_strdup("1010:1010:1010:1010:1010:1010:1010:1010", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    unsigned int a = 0;
+    for(a = 0; a < 16; a++) {
+        ret_ip->ipv6->ip_address[a] = 0x10;
+    }
+    for(a = 0; a < 16; a++) {
+        ret_ip->ipv6->netmask[a] = 0xFF;
+    }
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0x10);
+
+    ret = OS_IPFound(ip_to_test, ret_ip);
+    assert_int_equal(ret, 1);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFound_valid_ipv6_fail(void **state)
+{
+    char ip_to_test[] = {"1010:1010:1010:1010:1010:1010:1010:1010"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+    os_strdup("1010:1010:1010:1010:1010:1010:1010:1010", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    unsigned int a = 0;
+    for(a = 0; a < 16; a++) {
+        ret_ip->ipv6->ip_address[a] = 0x10;
+    }
+    for(a = 0; a < 16; a++) {
+        ret_ip->ipv6->netmask[a] = 0xFF;
+    }
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0x00);
+
+    ret = OS_IPFound(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFoundList_fail(void **state)
+{
+    char ip_to_test[] = {"1010:1010:1010:1010:1010:1010:1010:1010"};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, OS_INVALID);
+
+    ret = OS_IPFoundList(ip_to_test, &ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_IPFoundList_valid_ipv4(void **state)
+{
+    char ip_to_test[] = {"16.16.16.32"};
+
+    int ret = 0;
+    os_ip **ret_ip;
+    os_calloc(3, sizeof(os_ip *), ret_ip);
+    os_calloc(1, sizeof(os_ip), ret_ip[0]);
+    os_calloc(1, sizeof(os_ip), ret_ip[1]);
+
+    os_strdup("16.16.16.16", (*ret_ip[0]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[0]).ipv4);
+
+    (*ret_ip[0]).ipv4->ip_address = 0x10101010;
+    (*ret_ip[0]).ipv4->netmask = 0xFFFFFFFF;
+
+    os_strdup("16.16.16.32", (*ret_ip[1]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[1]).ipv4);
+
+    (*ret_ip[1]).ipv4->ip_address = 0x10101020;
+    (*ret_ip[1]).ipv4->netmask = 0xFFFFFFFF;
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0x10101020);
+
+    ret = OS_IPFoundList(ip_to_test, ret_ip);
+    assert_int_equal(ret, 1);
+
+    w_free_os_ip(ret_ip[0]);
+    w_free_os_ip(ret_ip[1]);
+    free(ret_ip);
+}
+
+void OS_IPFoundList_valid_ipv4_negated(void **state)
+{
+    char ip_to_test[] = {"!16.16.16.16"};
+
+    int ret = 0;
+    os_ip **ret_ip;
+    os_calloc(2, sizeof(os_ip *), ret_ip);
+    os_calloc(1, sizeof(os_ip), ret_ip[0]);
+
+    os_strdup("!16.16.16.16", (*ret_ip[0]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[0]).ipv4);
+
+    (*ret_ip[0]).ipv4->ip_address = 0x10101010;
+    (*ret_ip[0]).ipv4->netmask = 0xFFFFFFFF;
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0x10101010);
+
+    ret = OS_IPFoundList(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip[0]);
+    w_free_os_ip(ret_ip[1]);
+    free(ret_ip);
+}
+
+void OS_IPFoundList_valid_ipv4_not_found(void **state)
+{
+    char ip_to_test[] = {"16.16.16.32"};
+
+    int ret = 0;
+    os_ip **ret_ip;
+    os_calloc(4, sizeof(os_ip *), ret_ip);
+    os_calloc(1, sizeof(os_ip), ret_ip[0]);
+    os_calloc(1, sizeof(os_ip), ret_ip[1]);
+    os_calloc(1, sizeof(os_ip), ret_ip[2]);
+
+    os_strdup("16.16.16.16", (*ret_ip[0]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[0]).ipv4);
+
+    (*ret_ip[0]).ipv4->ip_address = 0x10101010;
+    (*ret_ip[0]).ipv4->netmask = 0xFFFFFFFF;
+
+    os_strdup("16.16.16.32", (*ret_ip[1]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[1]).ipv4);
+
+    (*ret_ip[1]).ipv4->ip_address = 0x10101020;
+    (*ret_ip[1]).ipv4->netmask = 0xFFFFFFFF;
+
+    os_strdup("16.16.32.32", (*ret_ip[2]).ip);
+    os_calloc(1, sizeof(os_ipv4), (*ret_ip[2]).ipv4);
+
+    (*ret_ip[2]).ipv4->ip_address = 0x10102020;
+    (*ret_ip[2]).ipv4->netmask = 0xFFFFFFFF;
+
+    will_return(__wrap_get_ipv4_numeric, 1);
+    will_return(__wrap_get_ipv4_numeric, 0x10202020);
+
+    ret = OS_IPFoundList(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip[0]);
+    w_free_os_ip(ret_ip[1]);
+    w_free_os_ip(ret_ip[2]);
+    free(ret_ip);
+}
+
+void OS_IPFoundList_valid_ipv6_fail(void **state)
+{
+    char ip_to_test[] = {"1010:1010:1010:1010:1010:1010:1010:1010"};
+
+    int ret = 0;
+    os_ip **ret_ip;
+    os_calloc(3, sizeof(os_ip *), ret_ip);
+    os_calloc(1, sizeof(os_ip), ret_ip[0]);
+    os_calloc(1, sizeof(os_ip), ret_ip[1]);
+
+    for(unsigned int i = 0; i < 2; i++) {
+        os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", (*ret_ip[i]).ip);
+        os_calloc(1, sizeof(os_ipv6), (*ret_ip[i]).ipv6);
+
+        unsigned int a = 0;
+        for(a = 0; a < 16; a++) {
+            (*ret_ip[i]).ipv6->ip_address[a] = 0x10;
+        }
+        for(a = 0; a < 16; a++) {
+            (*ret_ip[i]).ipv6->netmask[a] = 0xFF;
+        }
+    }
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0x00);
+
+    ret = OS_IPFoundList(ip_to_test, ret_ip);
+    assert_int_equal(ret, 0);
+
+    w_free_os_ip(ret_ip[0]);
+    w_free_os_ip(ret_ip[1]);
+    free(ret_ip);
+}
+
+void OS_IPFoundList_valid_ipv6(void **state)
+{
+    char ip_to_test[] = {"1010:1010:1010:1010:1010:1010:1010:1010"};
+
+    int ret = 0;
+    os_ip **ret_ip;
+    os_calloc(3, sizeof(os_ip *), ret_ip);
+    os_calloc(1, sizeof(os_ip), ret_ip[0]);
+    os_calloc(1, sizeof(os_ip), ret_ip[1]);
+
+    for(unsigned int i = 0; i < 2; i++) {
+        os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", (*ret_ip[i]).ip);
+        os_calloc(1, sizeof(os_ipv6), (*ret_ip[i]).ipv6);
+
+        unsigned int a = 0;
+        for(a = 0; a < 16; a++) {
+            (*ret_ip[i]).ipv6->ip_address[a] = 0x20;
+        }
+        for(a = 0; a < 16; a++) {
+            (*ret_ip[i]).ipv6->netmask[a] = 0xFF;
+        }
+    }
+
+    will_return(__wrap_get_ipv4_numeric, OS_INVALID);
+    will_return(__wrap_get_ipv6_numeric, 1);
+    will_return(__wrap_get_ipv6_numeric, 0x20);
+
+    ret = OS_IPFoundList(ip_to_test, ret_ip);
+    assert_int_equal(ret, 1);
+
+    w_free_os_ip(ret_ip[0]);
+    w_free_os_ip(ret_ip[1]);
+    free(ret_ip);
+}
+
+void OS_CIDRtoStr_any(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("any", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->is_ipv6 = false;
+    ret_ip->ipv4->ip_address = 0x0;
+    ret_ip->ipv4->netmask = 0x0;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "any");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv4(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("16.16.16.16", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->is_ipv6 = false;
+    ret_ip->ipv4->ip_address = 0x10101010;
+    ret_ip->ipv4->netmask = 0xFFFFFFFF;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "16.16.16.16");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv6CIDR_64(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    ret_ip->is_ipv6 = true;
+    for (unsigned int a = 0; a < 8; a++) {
+        ret_ip->ipv6->netmask[a] = 0xFF;
+    }
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "0101:0101:0101:0101:0101:0101:0101:0101/64");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv6CIDR_127(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    ret_ip->is_ipv6 = true;
+    for (unsigned int a = 0; a < 15; a++) {
+        ret_ip->ipv6->netmask[a] = 0xFF;
+    }
+    ret_ip->ipv6->netmask[15] = 0xFE;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "0101:0101:0101:0101:0101:0101:0101:0101/127");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv6CIDR_128(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    ret_ip->is_ipv6 = true;
+    for (unsigned int a = 0; a < 16; a++) {
+        ret_ip->ipv6->netmask[a] = 0xFF;
+    }
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "0101:0101:0101:0101:0101:0101:0101:0101");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv6(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("0101:0101:0101:0101:0101:0101:0101:0101", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv6), ret_ip->ipv6);
+
+    ret_ip->is_ipv6 = true;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "0101:0101:0101:0101:0101:0101:0101:0101/0");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv4_CIDR_24(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("16.16.16.16", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->is_ipv6 = false;
+    ret_ip->ipv4->ip_address = 0x10101010;
+    /* FFFFFF = 24 bits */
+    ret_ip->ipv4->netmask = 0xFFFFFF;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "16.16.16.16/24");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_CIDRtoStr_valid_ipv4_CIDR_0(void **state)
+{
+    char ip_to_test[IPSIZE] = {0};
+
+    int ret = 0;
+    os_ip *ret_ip;
+    os_calloc(1, sizeof(os_ip), ret_ip);
+
+    os_strdup("32.32.32.32", ret_ip->ip);
+    os_calloc(1, sizeof(os_ipv4), ret_ip->ipv4);
+
+    ret_ip->is_ipv6 = false;
+    ret_ip->ipv4->ip_address = 0x20202020;
+    /* Zero bits */
+    ret_ip->ipv4->netmask = 0x0;
+
+    ret = OS_CIDRtoStr(ret_ip, ip_to_test, IPSIZE);
+    assert_int_equal(ret, 0);
+    assert_string_equal(ip_to_test, "32.32.32.32/0");
+
+    w_free_os_ip(ret_ip);
+}
+
+void OS_GetIPv4FromIPv6_success(void **state) {
+
+    char address[IPSIZE + 1] = {0};
+    strncpy(address, "::ffff:10.2.2.3", IPSIZE);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "10.2.2.3");
+
+    int ret = OS_GetIPv4FromIPv6(address, IPSIZE);
+
+    assert_string_equal("10.2.2.3", address);
+    assert_int_equal(ret, 1);
+}
+
+void OS_GetIPv4FromIPv6_netmask_success(void **state) {
+
+    char address[IPSIZE + 1] = {0};
+    strncpy(address, "::ffff:10.2.2.3/255.255.255.255", IPSIZE);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "10.2.2.3/255.255.255.255");
+
+    int ret = OS_GetIPv4FromIPv6(address, IPSIZE);
+
+    assert_string_equal("10.2.2.3/255.255.255.255", address);
+    assert_int_equal(ret, 1);
+}
+
+void OS_GetIPv4FromIPv6_compile_fail(void **state) {
+
+    char address[IPSIZE + 1] = {0};
+    strncpy(address, "10.2.2.4", IPSIZE);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, false);
+
+    int ret = OS_GetIPv4FromIPv6(address, IPSIZE);
+
+    assert_string_equal("10.2.2.4", address);
+    assert_int_equal(ret, 0);
+}
+
+void OS_GetIPv4FromIPv6_match_fail(void **state) {
+
+    char address[IPSIZE + 1] = {0};
+    strncpy(address, "10.2.2.5/64", IPSIZE);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    int ret = OS_GetIPv4FromIPv6(address, IPSIZE);
+
+    assert_string_equal("10.2.2.5/64", address);
+    assert_int_equal(ret, 0);
+}
+
+void OS_GetIPv4FromIPv6_empty_group(void **state) {
+
+    char address[IPSIZE + 1] = {0};
+    strncpy(address, "::ffff:10.2.2.3/255.255.255.255", IPSIZE);
+
+    expect_value(__wrap_w_calloc_expression_t, type, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, NULL);
+
+    int ret = OS_GetIPv4FromIPv6(address, IPSIZE);
+
+    assert_string_equal("::ffff:10.2.2.3/255.255.255.255", address);
+    assert_int_equal(ret, 0);
+}
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        // Tests w_validate_bytes
+        cmocka_unit_test(w_validate_bytes_non_number),
+        cmocka_unit_test(w_validate_bytes_bytes),
+        cmocka_unit_test(w_validate_bytes_kilobytes),
+        cmocka_unit_test(w_validate_bytes_megabytes),
+        cmocka_unit_test(w_validate_bytes_gigabytes),
+        // Test OS_IsValidIP
+        cmocka_unit_test(OS_IsValidIP_null),
+        cmocka_unit_test(OS_IsValidIP_any),
+        cmocka_unit_test(OS_IsValidIP_any_struct),
+        cmocka_unit_test(OS_IsValidIP_not_valid_ip),
+        cmocka_unit_test(OS_IsValidIP_valid_multi_ipv4),
+        cmocka_unit_test(OS_IsValidIP_not_valid_multi_ipv4),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_CIDR),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_fail),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_zero_fail),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_zero_pass),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_netmask),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_0_netmask),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_netmask_0),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_netmask_fail),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_sub_string_0),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv4_netmask_0_NULL_struct),
+        cmocka_unit_test(OS_IsValidIP_valid_multi_ipv6),
+        cmocka_unit_test(OS_IsValidIP_not_valid_multi_ipv6),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv6_prefix),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv6_prefix_NULL_struct),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv6_numeric_fail),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv6_converNetmask_fail),
+        cmocka_unit_test(OS_IsValidIP_valid_ipv6_sub_string_0),
+        // Test OS_IPFound
+        cmocka_unit_test(OS_IPFound_not_valid_ip),
+        cmocka_unit_test(OS_IPFound_valid_ipv4),
+        cmocka_unit_test(OS_IPFound_valid_ipv4_negated),
+        cmocka_unit_test(OS_IPFound_valid_ipv6),
+        cmocka_unit_test(OS_IPFound_valid_ipv6_fail),
+        // Test OS_IPFoundList
+        cmocka_unit_test(OS_IPFoundList_fail),
+        cmocka_unit_test(OS_IPFoundList_valid_ipv4),
+        cmocka_unit_test(OS_IPFoundList_valid_ipv4_negated),
+        cmocka_unit_test(OS_IPFoundList_valid_ipv4_not_found),
+        cmocka_unit_test(OS_IPFoundList_valid_ipv6_fail),
+        cmocka_unit_test(OS_IPFoundList_valid_ipv6),
+        // Test OS_CIDRtoStr
+        cmocka_unit_test(OS_CIDRtoStr_any),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv4),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv6),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv6CIDR_64),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv6CIDR_127),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv6CIDR_128),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv4_CIDR_24),
+        cmocka_unit_test(OS_CIDRtoStr_valid_ipv4_CIDR_0),
+        // Test OS_GetIPv4FromIPv6
+        cmocka_unit_test(OS_GetIPv4FromIPv6_success),
+        cmocka_unit_test(OS_GetIPv4FromIPv6_netmask_success),
+        cmocka_unit_test(OS_GetIPv4FromIPv6_compile_fail),
+        cmocka_unit_test(OS_GetIPv4FromIPv6_match_fail),
+        cmocka_unit_test(OS_GetIPv4FromIPv6_empty_group),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.c b/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.c
new file mode 100644
index 0000000000..fe91f28685
--- /dev/null
+++ b/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.c
@@ -0,0 +1,77 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "validate_op_wrappers.h"
+
+int __wrap_getDefine_Int(__attribute__((unused)) const char *high_name,
+                         __attribute__((unused)) const char *low_name,
+                         __attribute__((unused)) int min,
+                         __attribute__((unused)) int max) {
+    // For SCA
+    if (!strcmp(low_name, "request_db_interval")) {
+        return 5;
+    }
+
+    // For SCA
+    if (!strcmp(low_name, "commands_timeout")) {
+        return 300;
+    }
+
+    return mock();
+}
+
+int __wrap_OS_IsValidIP(const char *ip_address, os_ip *final_ip) {
+    check_expected(ip_address);
+    check_expected(final_ip);
+
+    int ret = mock();
+    if(ret < 0){
+        ret *= (-1);
+        os_strdup(ip_address, final_ip->ip);
+        if (ret == 2) {
+            os_calloc(1, sizeof(os_ipv4), final_ip->ipv4);
+            ret = 1;
+        }
+    }
+
+    return ret;
+}
+
+int __wrap_OS_GetIPv4FromIPv6(char *ip_address, size_t size) {
+    check_expected(ip_address);
+    check_expected(size);
+    return mock();
+}
+
+int __wrap_OS_ExpandIPv6(char *ip_address, size_t size) {
+    check_expected(ip_address);
+    check_expected(size);
+    return mock();
+}
+
+int __wrap_OS_IPFoundList(const char *ip_address, __attribute__((unused)) os_ip **list_of_ips) {
+    check_expected(ip_address);
+    return mock();
+}
+
+int __wrap_OS_CIDRtoStr(const os_ip *ip, char *string, size_t size) {
+    check_expected(ip);
+    check_expected(size);
+
+    char *str = mock_type(char *);
+    if (str != NULL) {
+        snprintf(string, size, "%s", str);
+    }
+
+    return mock();
+}
diff --git a/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.h b/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.h
new file mode 100644
index 0000000000..c80430e901
--- /dev/null
+++ b/src/common/validate_op/tests/unit/wrappers/validate_op_wrappers.h
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef VALIDATE_OP_WRAPPERS_H
+#define VALIDATE_OP_WRAPPERS_H
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../headers/shared.h"
+#include "../headers/validate_op.h"
+
+int __wrap_getDefine_Int(const char *high_name, const char *low_name, int min, int max);
+
+int __wrap_OS_IsValidIP(const char *ip_address, os_ip *final_ip);
+
+int __wrap_OS_GetIPv4FromIPv6(char *ip_address, size_t size);
+
+int __wrap_OS_ExpandIPv6(char *ip_address, size_t size);
+
+int __wrap_OS_IPFoundList(const char *ip_address, os_ip **list_of_ips);
+
+int __wrap_OS_CIDRtoStr(const os_ip *ip, char *string, size_t size);
+
+#endif
diff --git a/src/modules/sca/src/sca.c b/src/common/vector_op/CMakeLists.txt
similarity index 100%
rename from src/modules/sca/src/sca.c
rename to src/common/vector_op/CMakeLists.txt
diff --git a/src/common/vector_op/include/vector_op.h b/src/common/vector_op/include/vector_op.h
new file mode 100644
index 0000000000..7cd471c14f
--- /dev/null
+++ b/src/common/vector_op/include/vector_op.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 19, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef VECTOR_OP_H
+#define VECTOR_OP_H
+
+typedef struct {
+    /** @brief Pointer to the char* vector. */
+    char **vector;
+    /** @brief Number of elements in the vector. */
+    int used;
+    /** @brief Size of the allocated vector. */
+    int size;
+} W_Vector;
+
+
+/**
+ * @brief Initialize a char* vector with the specified size.
+ *
+ * @param initialSize Vector size.
+ * @return Pointer to the W_Vector initialized.
+ */
+W_Vector *W_Vector_init(int initialSize);
+
+
+/**
+ * @brief Adds a new element to the end of the vector.
+ *
+ * @param v Pointer to the W_Vector initialized.
+ * @param element Element to be added.
+ */
+void W_Vector_insert(W_Vector *v, const char *element);
+
+
+/**
+ * @brief Gets the content from the specified position.
+ *
+ * @param v Pointer to the W_Vector.
+ * @param position Position to be read.
+ * @return Content of the specified postion.
+ */
+const char *W_Vector_get(W_Vector *v, int position);
+
+
+/**
+ * @brief Gets the number of elements in the vector.
+ *
+ * @param v Pointer to the W_Vector.
+ * @return Number of elements.
+ */
+int W_Vector_length(W_Vector *v);
+
+
+/**
+ * @brief Deallocates the memory allocated by the vector.
+ *
+ * @param v Pointer to the W_Vector.
+ */
+void W_Vector_free(W_Vector *v);
+
+
+/**
+ * @brief Adds a new element if it is not present in the vector.
+ *
+ * @param v Pointer to the W_Vector initialized.
+ * @param element Element to be added.
+ * @return Returns 1 if the element is duplicated, 0 otherwise.
+ */
+int W_Vector_insert_unique(W_Vector *v, const char *element);
+
+#endif /* VECTOR_OP_H */
diff --git a/src/common/vector_op/src/vector_op.c b/src/common/vector_op/src/vector_op.c
new file mode 100644
index 0000000000..e71e021155
--- /dev/null
+++ b/src/common/vector_op/src/vector_op.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 19, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+
+
+W_Vector *W_Vector_init(int initialSize) {
+
+    W_Vector *v;
+    os_malloc(sizeof(W_Vector), v);
+    v->vector = (char **)malloc(initialSize * sizeof(char *));
+    v->used = 0;
+    v->size = initialSize;
+    return v;
+}
+
+
+void W_Vector_insert(W_Vector *v, const char *element) {
+
+    if (v) {
+        if (v->used == v->size) {
+            v->size *= 2;
+            v->vector = (char **)realloc(v->vector, v->size * sizeof(char *));
+            if(!v->vector){
+                merror_exit(MEM_ERROR, errno, strerror(errno));
+            }
+        }
+        v->vector[v->used++] = strdup(element);
+    }
+}
+
+
+const char *W_Vector_get(W_Vector *v, int position) {
+
+    if (v && position < v->used) {
+        return v->vector[position];
+    } else {
+        return NULL;
+    }
+}
+
+
+int W_Vector_length(W_Vector *v) {
+    if (v) {
+        return v->used;
+    } else {
+        return 0;
+    }
+}
+
+
+void W_Vector_free(W_Vector *v) {
+    int i;
+
+    if (v) {
+        for (i=0; i < v->used; i++) {
+            os_free(v->vector[i]);
+        }
+        os_free (v->vector);
+        os_free (v);
+    }
+}
+
+
+int W_Vector_insert_unique(W_Vector *v, const char *element) {
+    int i;
+    int found = 0;
+
+    if (v) {
+        for (i=0; i < v->used; i++) {
+            if (strcmp(element, v->vector[i]) == 0) {
+                found = 1;
+                break;
+            }
+        }
+
+        if (!found) {
+            W_Vector_insert(v, element);
+        }
+    }
+
+    return found;
+}
diff --git a/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.c b/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.c
new file mode 100644
index 0000000000..c0a5a147b2
--- /dev/null
+++ b/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.c
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "vector_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_W_Vector_insert_unique(W_Vector *v, const char *element) {
+    check_expected_ptr(v);
+    check_expected(element);
+
+    return mock();
+}
+
+int __wrap_W_Vector_length(__attribute__((unused)) W_Vector *v) {
+    return mock();
+}
diff --git a/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.h b/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.h
new file mode 100644
index 0000000000..b99680dbe1
--- /dev/null
+++ b/src/common/vector_op/tests/unit/wrappers/vector_op_wrappers.h
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef VECTOR_OP_WRAPPERS_H
+#define VECTOR_OP_WRAPPERS_H
+
+#include "vector_op.h"
+
+int __wrap_W_Vector_insert_unique(W_Vector *v, const char *element);
+
+int __wrap_W_Vector_length(W_Vector *v);
+
+#endif
diff --git a/src/modules/upgrade/include/upgrade.h b/src/common/version_op/CMakeLists.txt
similarity index 100%
rename from src/modules/upgrade/include/upgrade.h
rename to src/common/version_op/CMakeLists.txt
diff --git a/src/common/version_op/include/version_op.h b/src/common/version_op/include/version_op.h
new file mode 100644
index 0000000000..cdda5c6c94
--- /dev/null
+++ b/src/common/version_op/include/version_op.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef VERSION_H
+#define VERSION_H
+
+
+#define MAC_SYSVERSION "/System/Library/CoreServices/SystemVersion.plist"
+#define MAC_SERVERVERSION "/System/Library/CoreServices/ServerVersion.plist"
+
+/**
+ * @struct os_info
+ * @brief Stores information about the operating system version.
+ */
+typedef struct os_info {
+    char *os_name;      ///< Operating system name.
+    char *os_major;     ///< OS version number (major).
+    char *os_minor;     ///< OS version number (minor).
+    char *os_patch;     ///< OS version number (patch).
+    char *os_build;     ///< OS version number (build).
+    char *os_version;   ///< OS version (major.minor[.build])
+    char *os_codename;  ///< OS version codename.
+    char *os_platform;  ///< OS version ID.
+    char *sysname;      ///< Operating system name (UNIX).
+    char *nodename;     ///< Name within "some implementation-defined network" (UNIX).
+    char *release;      ///< Operating system release (UNIX).
+    char *version;      ///< Operating system version (UNIX).
+    char *machine;      ///< Hardware identifier (UNIX).
+    char *os_release;   ///< OS release.
+    char *os_display_version;   ///< OS display version (Windows).
+} os_info;
+
+
+/**
+ * @brief Get the macOS release name corresponding to a version number.
+ *
+ * @param version Version number.
+ * @return Reselase name.
+ */
+const char *OSX_ReleaseName(int version);
+
+
+/**
+ * @brief Get the Windows version information.
+ *
+ * @return Pointer to allocated os_info struct.
+ */
+os_info *get_win_version();
+
+
+/**
+ * @brief Get the version information. (UNIX based systems).
+ *
+ * @return Pointer to allocated os_info struct.
+ */
+os_info *get_unix_version();
+
+
+/**
+ * @brief Deallocates the memory used by the os_info struct.
+ *
+ * @param osinfo Pointer to allocated os_info struct.
+ */
+void free_osinfo(os_info * osinfo);
+
+
+/**
+ * @brief Get number of processors
+ *
+ * @return Number of processors and 1 on error.
+ */
+int get_nproc();
+
+/**
+ * Compare two versions with format v4.0.0
+ * @param version1 char * with the string version
+ * @param version2 char * with the string version
+ * @param compare_patch bool to compare or not patch version
+ * @return return_code
+ * @retval 0 equals
+ * @retval 1 version1 > version2
+ * @retval -1 version1 < version2
+ * */
+int compare_wazuh_versions(const char *version1, const char *version2, bool compare_patch);
+
+#endif /* VERSION_H */
diff --git a/src/common/version_op/src/version_op.c b/src/common/version_op/src/version_op.c
new file mode 100644
index 0000000000..7bb4558b7d
--- /dev/null
+++ b/src/common/version_op/src/version_op.c
@@ -0,0 +1,1116 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+#include "version_op.h"
+
+#ifdef __linux__
+#include <sched.h>
+#elif defined(__MACH__) || defined(__FreeBSD__) || defined(__OpenBSD__)
+#include <sys/sysctl.h>
+#endif
+
+#ifdef WIN32
+
+char *get_release_from_build(char *os_build);
+
+os_info *get_win_version()
+{
+    os_info *info;
+    unsigned int i;
+    char temp[1024];
+    DWORD dwRet;
+    HKEY RegistryKey;
+    char * subkey;
+    const DWORD vsize = 1024;
+    TCHAR value[vsize];
+    DWORD dwCount = vsize;
+    char version[64] = "";
+    const DWORD size = 30;
+    unsigned long type = REG_DWORD;
+
+    size_t ver_length = 60;
+    size_t v_length = 20;
+
+    os_calloc(1,sizeof(os_info),info);
+    os_calloc(vsize, sizeof(char), subkey);
+
+    typedef void (WINAPI * PGNSI)(LPSYSTEM_INFO);
+
+    OSVERSIONINFOEX osvi;
+    BOOL bOsVersionInfoEx;
+
+    SYSTEM_INFO si = {0};
+    PGNSI pGNSI;
+
+    ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+
+    if (bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi), !bOsVersionInfoEx) {
+        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+        if (!GetVersionEx((OSVERSIONINFO *)&osvi)) {
+            free(info);
+            free(subkey);
+            return (NULL);
+        }
+    }
+
+    // Release version
+    snprintf(version, 63, "%i.%i", (int)osvi.dwMajorVersion, (int)osvi.dwMinorVersion);
+    info->version = strdup(version);
+
+    if (osvi.dwMajorVersion == 6) {
+
+        // Read Windows Version from registry
+
+        snprintf(subkey, vsize - 1, "%s", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion");
+
+        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+            merror(SK_REG_OPEN, subkey);
+            info->os_name = strdup("Microsoft Windows undefined version");
+        }
+        else {
+            dwRet = RegQueryValueEx(RegistryKey, TEXT("ProductName"), NULL, NULL, (LPBYTE)value, &dwCount);
+            if (dwRet != ERROR_SUCCESS) {
+                merror("Error reading 'ProductName' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                info->os_name = strdup("Microsoft Windows undefined version");
+            }
+            else {
+                memset(temp, '\0', sizeof(temp));
+                strcpy(temp, "Microsoft ");
+                strncat(temp, value, 1022);
+                info->os_name = strdup(temp);
+            }
+
+            RegCloseKey(RegistryKey);
+        }
+
+        // Read Windows Version number from registry
+        char vn_temp[64];
+        memset(vn_temp, '\0', 64);
+        TCHAR winver[size];
+        TCHAR wincomp[size];
+        DWORD winMajor = 0;
+        DWORD winMinor = 0;
+        dwCount = size;
+
+        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+            merror(SK_REG_OPEN, subkey);
+        }
+
+        // Windows 10
+        dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentMajorVersionNumber"), NULL, &type, (LPBYTE)&winMajor, &dwCount);
+        if (dwRet == ERROR_SUCCESS) {
+            dwCount = size;
+            dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentMinorVersionNumber"), NULL, &type, (LPBYTE)&winMinor, &dwCount);
+            if (dwRet != ERROR_SUCCESS) {
+                merror("Error reading 'CurrentMinorVersionNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+            }
+            else {
+                snprintf(vn_temp, 63, "%d", (unsigned int)winMajor);
+                info->os_major = strdup(vn_temp);
+                snprintf(vn_temp, 63, "%d", (unsigned int)winMinor);
+                info->os_minor = strdup(vn_temp);
+                dwCount = size;
+                dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentBuildNumber"), NULL, NULL, (LPBYTE)wincomp, &dwCount);
+                if (dwRet != ERROR_SUCCESS) {
+                    merror("Error reading 'CurrentBuildNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                }
+                else {
+                    snprintf(vn_temp, 63, "%s", wincomp);
+                    info->os_build = strdup(vn_temp);
+                }
+            }
+
+            dwCount = vsize;
+            dwRet = RegQueryValueEx(RegistryKey, TEXT("ReleaseId"), NULL, NULL, (LPBYTE)value, &dwCount);
+            if (dwRet != ERROR_SUCCESS) {
+                mdebug1("Could not read the 'ReleaseId' key from Windows registry. (Error %u)",(unsigned int)dwRet);
+                info->os_release = get_release_from_build(info->os_build);
+            }
+            else {
+                info->os_release = strdup(value);
+            }
+
+            RegCloseKey(RegistryKey);
+        }
+        // Windows 6.2 or 6.3
+        else {
+            dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentVersion"), NULL, NULL, (LPBYTE)winver, &dwCount);
+            if (dwRet != ERROR_SUCCESS) {
+                merror("Error reading 'Current Version' from Windows registry. (Error %u)",(unsigned int)dwRet);
+            }
+            else {
+                char ** parts = OS_StrBreak('.', winver, 2);
+                info->os_major = strdup(parts[0]);
+                info->os_minor = strdup(parts[1]);
+                for (i = 0; parts[i]; i++){
+                    free(parts[i]);
+                }
+                free(parts);
+                dwCount = size;
+                dwRet = RegQueryValueEx(RegistryKey, TEXT("CurrentBuildNumber"), NULL, NULL, (LPBYTE)wincomp, &dwCount);
+                if (dwRet != ERROR_SUCCESS) {
+                    merror("Error reading 'CurrentBuildNumber' from Windows registry. (Error %u)",(unsigned int)dwRet);
+                }
+                else {
+                    snprintf(vn_temp, 63, "%s", wincomp);
+                    info->os_build = strdup(vn_temp);
+                }
+                RegCloseKey(RegistryKey);
+            }
+        }
+
+        snprintf(version, 63, "%s.%s.%s", info->os_major, info->os_minor, info->os_build);
+        info->os_version = strdup(version);
+    }
+    else {
+        if (osvi.dwMajorVersion == 5) {
+            if (osvi.dwMinorVersion == 0) {
+                info->os_name = strdup("Microsoft Windows 2000");
+            }
+            else if (osvi.dwMinorVersion == 1) {
+                info->os_name = strdup("Microsoft Windows XP");
+            }
+            else if (osvi.dwMinorVersion == 2) {
+                pGNSI = (PGNSI)(LPSYSTEM_INFO)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetNativeSystemInfo");
+                if (NULL != pGNSI) {
+                    pGNSI(&si);
+                } else {
+                    mwarn("It was not possible to retrieve GetNativeSystemInfo from kernek32.dll");
+                }
+                if (osvi.wProductType == VER_NT_WORKSTATION && si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) {
+                    info->os_name = strdup("Microsoft Windows XP Professional x64 Edition");
+                }
+                else {
+                    if ( GetSystemMetrics(89) != 0 ) {
+                        info->os_name = strdup("Microsoft Windows Server 2003 R2");
+                    }
+                    else {
+                        info->os_name = strdup("Microsoft Windows Server 2003");
+                    }
+                }
+            }
+        } else if (osvi.dwMajorVersion == 4) {
+            switch (osvi.dwPlatformId) {
+                case VER_PLATFORM_WIN32_NT:
+                    info->os_name = strdup("Microsoft Windows NT");
+                    break;
+
+                case VER_PLATFORM_WIN32_WINDOWS:
+                    if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0) {
+                        info->os_name = strdup("Microsoft Windows 95");
+                    }
+                    if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 10) {
+                        info->os_name = strdup("Microsoft Windows 98");
+                    }
+                    if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 90) {
+                        info->os_name = strdup("Microsoft Windows ME");
+                    }
+                    break;
+            }
+        }
+        else {
+            info->os_name = strdup("Microsoft Windows");
+        }
+
+        os_calloc(ver_length + 1, sizeof(char), info->os_version);
+        os_calloc(v_length + 1, sizeof(char), info->os_major);
+        os_calloc(v_length + 1, sizeof(char), info->os_minor);
+        os_calloc(v_length + 1, sizeof(char), info->os_build);
+
+        snprintf(info->os_major, v_length, "%i",(int)osvi.dwMajorVersion);
+        snprintf(info->os_minor, v_length, "%i",(int)osvi.dwMinorVersion);
+        snprintf(info->os_build, v_length, "%d",(int)osvi.dwBuildNumber & 0xFFFF);
+        snprintf(info->os_version, ver_length, "%i.%i.%d",
+                 (int)osvi.dwMajorVersion,
+                 (int)osvi.dwMinorVersion,
+                 (int)osvi.dwBuildNumber & 0xFFFF );
+
+    }
+
+    // Read Service Pack
+    if(!info->os_release) {
+        DWORD service_pack = 0;
+        dwCount = sizeof(DWORD);
+        snprintf(subkey, vsize - 1, "%s", "SYSTEM\\CurrentControlSet\\Control\\Windows");
+
+        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+            merror(SK_REG_OPEN, subkey);
+        }
+        else {
+            dwRet = RegQueryValueEx(RegistryKey, TEXT("CSDVersion"), NULL, &type, (LPBYTE)&service_pack, &dwCount);
+            if (dwRet != ERROR_SUCCESS) {
+                merror("Error reading 'CSDVersion' from Windows registry. (Error %u)",(unsigned int)dwRet);
+            }
+            else {
+                switch(service_pack) {
+                case 256:
+                    info->os_release = strdup("sp1");
+                    break;
+                case 512:
+                    info->os_release = strdup("sp2");
+                    break;
+                case 768:
+                    info->os_release = strdup("sp3");
+                    break;
+                case 1024:
+                    info->os_release = strdup("sp4");
+                    break;
+                case 1280:
+                    info->os_release = strdup("sp5");
+                    break;
+                case 1536:
+                    info->os_release = strdup("sp6");
+                    break;
+                default:
+                    mdebug2("The value of CSDVersion is not a recognizable service pack.: %lu.", service_pack);
+                }
+            }
+            RegCloseKey(RegistryKey);
+        }
+    }
+
+    // Read Architecture
+
+    snprintf(subkey, vsize - 1, "%s", "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+
+    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+        merror(SK_REG_OPEN, subkey);
+    } else {
+        char arch[64] = "";
+        dwCount = sizeof(arch);
+        dwRet = RegQueryValueEx(RegistryKey, TEXT("PROCESSOR_ARCHITECTURE"), NULL, NULL, (LPBYTE)&arch, &dwCount);
+
+        if (dwRet != ERROR_SUCCESS) {
+            merror("Error reading 'Architecture' from Windows registry. (Error %u)",(unsigned int)dwRet);
+        } else {
+            if (!strncmp(arch, "AMD64", 5) || !strncmp(arch, "IA64", 4) || !strncmp(arch, "ARM64", 5)) {
+                info->machine = strdup("x86_64");
+            } else if (!strncmp(arch, "x86", 3)) {
+                info->machine = strdup("i686");
+            }
+        }
+        RegCloseKey(RegistryKey);
+    }
+
+    if (!info->machine) {
+        info->machine = strdup("unknown");
+    }
+
+    // Read Hostname
+
+    snprintf(subkey, vsize - 1, "%s", "System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName");
+    char nodename[1024] = "";
+    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+        merror(SK_REG_OPEN, subkey);
+    } else {
+        dwCount = size;
+        dwRet = RegQueryValueEx(RegistryKey, TEXT("ComputerName"), NULL, NULL, (LPBYTE)&nodename, &dwCount);
+
+        if (dwRet != ERROR_SUCCESS) {
+            merror("Error reading 'hostname' from Windows registry. (Error %u)",(unsigned int)dwRet);
+        } else {
+            info->nodename = strdup(nodename);
+        }
+        RegCloseKey(RegistryKey);
+    }
+
+    if (!info->nodename) {
+        info->nodename = strdup("unknown");
+    }
+
+    free(subkey);
+
+    return info;
+}
+
+char *get_release_from_build(char *os_build) {
+    char *retval = NULL;
+
+    if (os_build) {
+        if (!strcmp(os_build, "10240")) {
+            os_strdup("1507", retval);
+        } else if (!strcmp(os_build, "10586")) {
+            os_strdup("1511", retval);
+        } else if (!strcmp(os_build, "14393")) {
+            os_strdup("1607", retval);
+        } else if (!strcmp(os_build, "15063")) {
+            os_strdup("1709", retval);
+        } else if (!strcmp(os_build, "17134")) {
+            os_strdup("1803", retval);
+        } else if (!strcmp(os_build, "17763")) {
+            os_strdup("1809", retval);
+        } else if (!strcmp(os_build, "18362")) {
+            os_strdup("1903", retval);
+        } else if (!strcmp(os_build, "18363")) {
+            os_strdup("1909", retval);
+        } else {
+            mdebug1("The release associated with the %s build is not recognized.", os_build);
+        }
+    }
+
+    return retval;
+}
+
+#else
+
+const char *OSX_ReleaseName(int version) {
+    const char *R_NAMES[] = {
+    /* 10 */ "Snow Leopard",
+    /* 11 */ "Lion",
+    /* 12 */ "Mountain Lion",
+    /* 13 */ "Mavericks",
+    /* 14 */ "Yosemite",
+    /* 15 */ "El Capitan",
+    /* 16 */ "Sierra",
+    /* 17 */ "High Sierra",
+    /* 18 */ "Mojave",
+    /* 19 */ "Catalina",
+    /* 20 */ "Big Sur",
+    /* 21 */ "Monterey",
+    /* 22 */ "Ventura",
+    /* 23 */ "Sonoma",
+    };
+
+    version -= 10;
+
+    if (version >= 0 && (unsigned)version < sizeof(R_NAMES) / sizeof(char *)) {
+        return R_NAMES[version];
+    } else {
+        return "Unknown";
+    }
+}
+
+
+os_info *get_unix_version()
+{
+    FILE *os_release, *cmd_output, *version_release, *cmd_output_ver;
+    char buff[OS_SIZE_256];
+    char *tag, *end;
+    char *name = NULL;
+    char *id = NULL;
+    char *version = NULL;
+    char *version_id = NULL;
+    char *codename = NULL;
+    char *save_ptr = NULL;
+    regmatch_t match[2];
+    int match_size;
+    struct utsname uts_buf;
+    os_info *info;
+
+    os_calloc(1,sizeof(os_info),info);
+
+    // Try to open /etc/os-release
+    os_release = wfopen("/etc/os-release", "r");
+    // Try to open /usr/lib/os-release
+    if (!os_release) os_release = wfopen("/usr/lib/os-release", "r");
+
+    if (os_release) {
+        while (fgets(buff, sizeof(buff)- 1, os_release)) {
+            tag = strtok_r(buff, "=", &save_ptr);
+            if (tag) {
+                if (strcmp (tag,"NAME") == 0) {
+                    if (!name) {
+                        name = strtok_r(NULL, "\n", &save_ptr);
+                        if (name[0] == '\"' && (end = strchr(++name, '\"'), end)) {
+                            *end = '\0';
+                        }
+                        info->os_name = strdup(name);
+                    }
+                } else if (strcmp (tag,"VERSION") == 0) {
+                    if (!version) {
+                        if (version_id) {
+                            os_free(info->os_version);
+                        }
+                        version = strtok_r(NULL, "\n", &save_ptr);
+                        if (version[0] == '\"' && (end = strchr(++version, '\"'), end)) {
+                            *end = '\0';
+                        }
+                        info->os_version = strdup(version);
+                    }
+                } else if (strcmp (tag,"VERSION_ID") == 0) {
+                    if (!version && !version_id) {
+                        version_id = strtok_r(NULL, "\n", &save_ptr);
+                        if (version_id[0] == '\"' && (end = strchr(++version_id, '\"'), end)) {
+                            *end = '\0';
+                        }
+                        info->os_version = strdup(version_id);
+                    }
+                } else if (strcmp (tag,"ID") == 0) {
+                    if (!id) {
+                        id = strtok_r(NULL, " \n", &save_ptr);
+                        if (id[0] == '\"' && (end = strchr(++id, '\"'), end)) {
+                            *end = '\0';
+                        }
+                        info->os_platform = strdup(id);
+                    }
+                }
+            }
+        }
+        fclose(os_release);
+
+        // If the OS is CentOS, try to get the version from the 'centos-release' file.
+        // If the OS is Arch Linux, openSUSE Tumbleweed set os_version as empty string.
+        if (info->os_platform) {
+            if (strcmp(info->os_platform, "centos") == 0) {
+                regex_t regexCompiled;
+                regmatch_t match[2];
+                int match_size;
+                if (version_release = wfopen("/etc/centos-release","r"), version_release){
+                    os_free(info->os_version);
+                    static const char *pattern = "([0-9][0-9]*\\.?[0-9]*)\\.*";
+                    if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                        merror_exit("Cannot compile regular expression.");
+                    }
+                    while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                        if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                            match_size = match[1].rm_eo - match[1].rm_so;
+                            os_malloc(match_size + 1, info->os_version);
+                            snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                            break;
+                        }
+                    }
+                    regfree(&regexCompiled);
+                    fclose(version_release);
+                }
+            } else if (strcmp(info->os_platform, "opensuse-tumbleweed") == 0 ||
+                          strcmp(info->os_platform, "arch") == 0) {
+                os_free(info->os_version);
+                os_strdup("", info->os_version);
+            }
+        }
+    }
+
+    if (!info->os_name || (!info->os_version && !info->os_build) || !info->os_platform) {
+        os_free(info->os_name);
+        os_free(info->os_version);
+        os_free(info->os_platform);
+        os_free(info->os_build);
+        regex_t regexCompiled;
+        regmatch_t match[4];
+        int match_size;
+
+        // CentOS
+        if (version_release = wfopen("/etc/centos-release","r"), version_release){
+            info->os_name = strdup("CentOS Linux");
+            info->os_platform = strdup("centos");
+            static const char *pattern = "([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Can not compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Fedora
+        } else if (version_release = wfopen("/etc/fedora-release","r"), version_release){
+            info->os_name = strdup("Fedora");
+            info->os_platform = strdup("fedora");
+            static const char *pattern = " ([0-9][0-9]*) ";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Can not compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf(info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // RedHat
+        } else if (version_release = wfopen("/etc/redhat-release","r"), version_release){
+            static const char *pattern = "([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Can not compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if (strstr(buff, "CentOS")){
+                        info->os_name = strdup("CentOS Linux");
+                        info->os_platform = strdup("centos");
+                } else if (strstr(buff, "Fedora")){
+                        info->os_name = strdup("Fedora");
+                        info->os_platform = strdup("fedora");
+                } else {
+                    if (strstr(buff, "Server")){
+                        info->os_name = strdup("Red Hat Enterprise Linux Server");
+                    } else {
+                        info->os_name = strdup("Red Hat Enterprise Linux");
+                    }
+                    info->os_platform = strdup("rhel");
+                }
+
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Arch
+        } else if (version_release = wfopen("/etc/arch-release","r"), version_release){
+            info->os_name = strdup("Arch Linux");
+            info->os_platform = strdup("arch");
+            static const char *pattern = "([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            if (info->os_version == NULL) {
+                os_strdup("", info->os_version);
+            }
+
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Gentoo
+        } else if (version_release = wfopen("/etc/gentoo-release","r"), version_release){
+            info->os_name = strdup("Gentoo");
+            info->os_platform = strdup("gentoo");
+            static const char *pattern = " ([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // SuSE
+        } else if (version_release = wfopen("/etc/SuSE-release","r"), version_release){
+            info->os_name = strdup("SuSE Linux");
+            info->os_platform = strdup("suse");
+            static const char *pattern = ".*VERSION = ([0-9][0-9]*)";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Ubuntu
+        } else if (version_release = wfopen("/etc/lsb-release","r"), version_release){
+            info->os_name = strdup("Ubuntu");
+            info->os_platform = strdup("ubuntu");
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                tag = strtok_r(buff, "=", &save_ptr);
+                if (tag && strcmp(tag,"DISTRIB_RELEASE") == 0){
+                    info->os_version = strdup(strtok_r(NULL, "\n", &save_ptr));
+                    break;
+                }
+            }
+            fclose(version_release);
+        // Debian
+        } else if (version_release = wfopen("/etc/debian_version","r"), version_release){
+            info->os_name = strdup("Debian GNU/Linux");
+            info->os_platform = strdup("debian");
+            static const char *pattern = "([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Slackware
+        } else if (version_release = wfopen("/etc/slackware-version","r"), version_release){
+            info->os_name = strdup("Slackware");
+            info->os_platform = strdup("slackware");
+            static const char *pattern = " ([0-9][0-9]*\\.?[0-9]*)\\.*";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 2, match, 0) == 0){
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        // Alpine
+        } else if (version_release = wfopen("/etc/alpine-release","r"), version_release){
+            info->os_name = strdup("Alpine Linux");
+            info->os_platform = strdup("alpine");
+            static const char *pattern = "([0-9]+\\.)?([0-9]+\\.)?([0-9]+)";
+            if (regcomp(&regexCompiled, pattern, REG_EXTENDED)) {
+                merror_exit("Cannot compile regular expression.");
+            }
+            while (fgets(buff, sizeof(buff) - 1, version_release)) {
+                if(regexec(&regexCompiled, buff, 4, match, 0) == 0){
+                    match_size = match[0].rm_eo - match[0].rm_so;
+                    os_malloc(match_size + 1, info->os_version);
+                    snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[0].rm_so);
+                    break;
+                }
+            }
+            regfree(&regexCompiled);
+            fclose(version_release);
+        } else {
+            char *uname_path = NULL;
+
+            if (get_binary_path("uname", &uname_path) < 0) {
+                mdebug1("Binary '%s' not found in default paths, the full path will not be used.", uname_path);
+            }
+
+            if (cmd_output = popen(uname_path, "r"), cmd_output) {
+                char full_cmd[OS_MAXSTR] = {0};
+
+                if (fgets(buff,sizeof(buff) - 1, cmd_output) == NULL) {
+                    mdebug1("Cannot read from command output (uname).");
+                // MacOSX
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr),"Darwin") == 0) {
+                    char *cmd_path = NULL;
+                    info->os_platform = strdup("darwin");
+
+                    if (get_binary_path("system_profiler", &cmd_path) < 0) {
+                        mdebug1("Binary '%s' not found in default paths, the full path will not be used.", cmd_path);
+                    }
+
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", cmd_path, "SPSoftwareDataType");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        while (fgets(buff, sizeof(buff), cmd_output_ver) != NULL) {
+                            char *key = strtok_r(buff, ":", &save_ptr);
+                            if (key) {
+                                const char *expected_key = "System Version";
+                                char *trimmed_key = w_strtrim(key);
+                                if (NULL != trimmed_key && strncmp(trimmed_key, expected_key, strlen(expected_key)) == 0) {
+                                    char *value = strtok_r(NULL, " ", &save_ptr);
+                                    if (value) {
+                                        w_strdup(value, info->os_name);
+                                    } else {
+                                        mdebug1("Cannot parse System Version value (system_profiler SPSoftwareDataType).");
+                                    }
+                                }
+                                if(info->os_name) {
+                                    break;
+                                }
+                            }
+                        }
+                        if (NULL == info->os_name) {
+                            mdebug1("Cannot read from command output (system_profiler SPSoftwareDataType).");
+                        }
+                        pclose(cmd_output_ver);
+                    }
+
+                    os_free(cmd_path);
+                    if (get_binary_path("sw_vers", &cmd_path) < 0) {
+                        mdebug1("Binary '%s' not found in default paths, the full path will not be used.", cmd_path);
+                    }
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", cmd_path, "-productVersion");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (sw_vers -productVersion).");
+                        } else {
+                            w_strdup(strtok_r(buff, "\n", &save_ptr), info->os_version);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", cmd_path, "-buildVersion");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (sw_vers -buildVersion).");
+                        } else {
+                            w_strdup(strtok_r(buff, "\n", &save_ptr), info->os_build);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", uname_path, "-r");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (uname -r).");
+                        } else if (w_regexec("([0-9][0-9]*\\.?[0-9]*)\\.*", buff, 2, match)){
+                            match_size = match[1].rm_eo - match[1].rm_so;
+                            char *kern = NULL;
+                            os_malloc(match_size + 1, kern);
+                            snprintf(kern, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                            w_strdup(OSX_ReleaseName(atoi(kern)), info->os_codename);
+                            free(kern);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+                    os_free(cmd_path);
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr),"SunOS") == 0){ // Sun OS
+                    info->os_name = strdup("SunOS");
+                    info->os_platform = strdup("sunos");
+
+                    if (os_release = wfopen("/etc/release", "r"), os_release) {
+                        if (fgets(buff, sizeof(buff) - 1, os_release) == NULL) {
+                            merror("Cannot read from /etc/release.");
+                            fclose(os_release);
+                            pclose(cmd_output);
+                            os_free(uname_path);
+                            goto free_os_info;
+                        } else {
+                            char *base;
+                            char tag[]  = "Solaris";
+                            char *found = strstr(buff, tag);
+                            if (found) {
+                                for (found += strlen(tag); *found != '\0' && *found == ' '; found++);
+                                for (base = found; *found != '\0' && *found != ' '; found++);
+                                *found = '\0';
+                                os_strdup(base, info->os_version);
+                                fclose(os_release);
+                            } else {
+                                merror("Cannot get the Solaris version.");
+                                fclose(os_release);
+                                pclose(cmd_output);
+                                os_free(uname_path);
+                                goto free_os_info;
+                            }
+                        }
+                    } else {
+                        pclose(cmd_output);
+                        os_free(uname_path);
+                        goto free_os_info;
+                    }
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr),"HP-UX") == 0){ // HP-UX
+                    info->os_name = strdup("HP-UX");
+                    info->os_platform = strdup("hp-ux");
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", uname_path, "-r");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (uname -r).");
+                        } else if (w_regexec("B\\.([0-9][0-9]*\\.[0-9]*)", buff, 2, match)){
+                            match_size = match[1].rm_eo - match[1].rm_so;
+                            os_malloc(match_size + 1, info->os_version);
+                            snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr),"OpenBSD") == 0 ||
+                        strcmp(strtok_r(buff, "\n", &save_ptr),"NetBSD")  == 0 ||
+                        strcmp(strtok_r(buff, "\n", &save_ptr),"FreeBSD") == 0 ){ // BSD
+                    info->os_name = strdup("BSD");
+                    info->os_platform = strdup("bsd");
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", uname_path, "-r");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (uname -r).");
+                        } else if (w_regexec("([0-9][0-9]*\\.?[0-9]*)\\.*", buff, 2, match)){
+                            match_size = match[1].rm_eo - match[1].rm_so;
+                            os_malloc(match_size + 1, info->os_version);
+                            snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr),"ZscalerOS") == 0) {
+                    info->os_name = strdup("BSD");
+                    info->os_platform = strdup("bsd");
+
+                    memset(full_cmd, '\0', OS_MAXSTR);
+                    snprintf(full_cmd, sizeof(full_cmd), "%s %s", uname_path, "-r");
+                    if (cmd_output_ver = popen(full_cmd, "r"), cmd_output_ver) {
+                        if(fgets(buff, sizeof(buff) - 1, cmd_output_ver) == NULL){
+                            mdebug1("Cannot read from command output (uname -r).");
+                        } else if (w_regexec("([0-9]+-\\S*).*", buff, 2, match)){
+                            match_size = match[1].rm_eo - match[1].rm_so;
+                            os_malloc(match_size + 1, info->os_version);
+                            snprintf (info->os_version, match_size +1, "%.*s", match_size, buff + match[1].rm_so);
+                        }
+                        pclose(cmd_output_ver);
+                    }
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr), "AIX") == 0) { // AIX
+                    char *cmd_path = NULL;
+
+                    os_strdup("AIX", info->os_name);
+                    os_strdup("aix", info->os_platform);
+
+                    if (get_binary_path("oslevel", &cmd_path) < 0) {
+                        mdebug1("Binary '%s' not found in default paths, the full path will not be used.", cmd_path);
+                    }
+
+                    if (cmd_output_ver = popen(cmd_path, "r"), cmd_output_ver) {
+                        if (fgets(buff, sizeof(buff) - 1, cmd_output_ver)) {
+                            int buff_len = strlen(buff);
+                            if (buff_len > 0) {
+                                buff[buff_len - 1] = '\0';
+                                os_strdup(buff, info->os_version);
+                            }
+                        } else {
+                            mdebug1("Cannot read from command output (oslevel).");
+                        }
+                        pclose(cmd_output_ver);
+                    }
+                    os_free(cmd_path);
+                } else if (strcmp(strtok_r(buff, "\n", &save_ptr), "Linux") == 0) { // Linux undefined
+                    info->os_name = strdup("Linux");
+                    info->os_platform = strdup("linux");
+                }
+                pclose(cmd_output);
+            }
+            os_free(uname_path);
+        }
+    }
+
+    if (uname(&uts_buf) >= 0) {
+        os_strdup(uts_buf.sysname, info->sysname);
+        os_strdup(uts_buf.nodename, info->nodename);
+        os_strdup(uts_buf.release, info->release);
+        os_strdup(uts_buf.version, info->version);
+        os_strdup(uts_buf.machine, info->machine);
+    } else {
+        goto free_os_info;
+    }
+
+    if (info->os_version) { // Parsing version
+        if (strcmp(info->os_version, "") != 0) {
+            // os_major.os_minor (os_codename)
+            os_strdup(info->os_version, version);
+            if (codename = strstr(version, " ("), codename){
+                *codename = '\0';
+                codename += 2;
+                *(codename + strlen(codename) - 1) = '\0';
+                info->os_codename = strdup(codename);
+            }
+            free(version);
+            // Get os_major
+            if (w_regexec("^([0-9]+)\\.*", info->os_version, 2, match)) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, info->os_major);
+                snprintf(info->os_major, match_size + 1, "%.*s", match_size, info->os_version + match[1].rm_so);
+            }
+            // Get os_minor
+            if (w_regexec("^[0-9]+\\.([0-9]+)\\.*", info->os_version, 2, match)) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, info->os_minor);
+                snprintf(info->os_minor, match_size + 1, "%.*s", match_size, info->os_version + match[1].rm_so);
+            }
+            // Get os_patch
+            if (w_regexec("^[0-9]+\\.[0-9]+\\.([0-9]+)*", info->os_version, 2, match)) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, info->os_patch);
+                snprintf(info->os_patch, match_size + 1, "%.*s", match_size, info->os_version + match[1].rm_so);
+            }
+            // Get OSX codename
+            if (info->os_platform && strcmp(info->os_platform,"darwin") == 0) {
+                if (info->os_codename) {
+                    char * tmp_os_version;
+                    size_t len = 4;
+                    len += strlen(info->os_version);
+                    len += strlen(info->os_codename);
+                    os_malloc(len, tmp_os_version);
+                    snprintf(tmp_os_version, len, "%s (%s)", info->os_version, info->os_codename);
+                    free(info->os_version);
+                    info->os_version = tmp_os_version;
+                }
+            }
+        }
+    } else {
+        // Empty version
+        os_strdup("0.0", info->os_version);
+    }
+
+    return info;
+free_os_info:
+    free_osinfo(info);
+    return NULL;
+}
+
+#endif /* WIN32 */
+
+
+void free_osinfo(os_info * osinfo) {
+    if (osinfo) {
+        free(osinfo->os_name);
+        free(osinfo->os_major);
+        free(osinfo->os_minor);
+        free(osinfo->os_patch);
+        free(osinfo->os_build);
+        free(osinfo->os_version);
+        free(osinfo->os_codename);
+        free(osinfo->os_platform);
+        free(osinfo->sysname);
+        free(osinfo->nodename);
+        free(osinfo->release);
+        free(osinfo->version);
+        free(osinfo->machine);
+        free(osinfo);
+    }
+}
+
+
+int get_nproc() {
+#ifdef __linux__
+    #ifdef CPU_COUNT
+    cpu_set_t set;
+    CPU_ZERO(&set);
+
+    if (sched_getaffinity(getpid(), sizeof(set), &set) < 0) {
+        mwarn("sched_getaffinity(): %s (%d).", strerror(errno), errno);
+        return 1;
+    }
+
+    return CPU_COUNT(&set);
+    #else
+    FILE *fp;
+    char string[OS_MAXSTR];
+    int cpu_cores = 0;
+
+    if (!(fp = wfopen("/proc/cpuinfo", "r"))) {
+        mwarn("Unable to read cpuinfo file");
+    } else {
+        while (fgets(string, OS_MAXSTR, fp) != NULL){
+            if (!strncmp(string, "processor", 9)){
+                cpu_cores++;
+            }
+        }
+        fclose(fp);
+    }
+
+    if(!cpu_cores)
+        cpu_cores = 1;
+
+    return cpu_cores;
+    #endif
+#elif defined(__MACH__) || defined(__FreeBSD__) || defined(__OpenBSD__)
+    unsigned int cpu_cores;
+    int mib[] = { CTL_HW, HW_NCPU };
+    size_t len = sizeof(cpu_cores);
+
+    if (!sysctl(mib, 2, &cpu_cores, &len, NULL, 0)) {
+        return cpu_cores;
+    } else {
+        mwarn("sysctl failed getting CPU cores: %s (%d)", strerror(errno), errno);
+        return 1;
+    }
+#else
+    mwarn("get_nproc(): Unimplemented.");
+    return 1;
+#endif
+}
+
+int compare_wazuh_versions(const char *version1, const char *version2, bool compare_patch) {
+    char ver1[10];
+    char ver2[10];
+    char *tmp_v1 = NULL;
+    char *tmp_v2 = NULL;
+    char *token = NULL;
+    int patch1 = 0;
+    int major1 = 0;
+    int minor1 = 0;
+    int patch2 = 0;
+    int major2 = 0;
+    int minor2 = 0;
+    int result = 0;
+
+    if (version1) {
+        strncpy(ver1, version1, 9);
+
+        if (tmp_v1 = strchr(ver1, 'v'), tmp_v1) {
+            tmp_v1++;
+        } else {
+            tmp_v1 = ver1;
+        }
+
+        if (token = strtok(tmp_v1, "."), token) {
+            major1 = atoi(token);
+
+            if (token = strtok(NULL, "."), token) {
+                minor1 = atoi(token);
+
+                if (token = strtok(NULL, "."), token) {
+                    patch1 = atoi(token);
+                }
+            }
+        }
+    }
+
+    if (version2) {
+        strncpy(ver2, version2, 9);
+
+        if (tmp_v2 = strchr(ver2, 'v'), tmp_v2) {
+            tmp_v2++;
+        } else {
+            tmp_v2 = ver2;
+        }
+
+        if (token = strtok(tmp_v2, "."), token) {
+            major2 = atoi(token);
+
+            if (token = strtok(NULL, "."), token) {
+                minor2 = atoi(token);
+
+                if (token = strtok(NULL, "."), token) {
+                    patch2 = atoi(token);
+                }
+            }
+        }
+    }
+
+    if (major1 > major2) {
+        result = 1;
+    } else if (major1 < major2){
+        result = -1;
+    } else {
+        if(minor1 > minor2) {
+            result = 1;
+        } else if (minor1 < minor2) {
+            result = -1;
+        } else if (compare_patch) {
+            if (patch1 > patch2) {
+                result = 1;
+            } else if (patch1 < patch2) {
+                result = -1;
+            } else {
+                result = 0;
+            }
+        } else {
+            result = 0;
+        }
+    }
+
+    return result;
+}
diff --git a/src/common/version_op/tests/unit/tests/CMakeLists.txt b/src/common/version_op/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..7f866c52f0
--- /dev/null
+++ b/src/common/version_op/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,56 @@
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Tests list and flags
+list(APPEND shared_tests_names "test_version_op")
+set(VERSION_OP_BASE_FLAGS "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fread -Wl,--wrap,wfopen \
+                           -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fprintf -Wl,--wrap,fgets \
+                           -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,popen -Wl,--wrap,pclose \
+                           -Wl,--wrap,get_binary_path")
+if(${TARGET} STREQUAL "winagent")
+list(APPEND shared_tests_flags "${VERSION_OP_BASE_FLAGS} -Wl,--wrap,syscom_dispatch -Wl,--wrap,Start_win32_Syscheck \
+                                -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+list(APPEND shared_tests_flags "${VERSION_OP_BASE_FLAGS}")
+endif()
+
+# Compiling tests
+list(LENGTH shared_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET shared_tests_names ${counter} test_name)
+    list(GET shared_tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            ANALYSISD_O
+            ${TEST_DEPS}
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/version_op/tests/unit/tests/test_version_op.c b/src/common/version_op/tests/unit/tests/test_version_op.c
new file mode 100644
index 0000000000..32d6342c4e
--- /dev/null
+++ b/src/common/version_op/tests/unit/tests/test_version_op.c
@@ -0,0 +1,2362 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/wazuh/shared/binaries_op_wrappers.h"
+#include "../headers/version_op.h"
+
+/* setup/teardowns */
+static int setup_group(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* tests */
+
+#ifdef __linux__
+static int delete_os_info(void **state)
+{
+    os_info *data = *state;
+    free_osinfo(data);
+    return 0;
+}
+
+// Linux Only
+void test_get_unix_version_Ubuntu1904(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"Ubuntu\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION=\"19.04 (Disco Dingo)\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=ubuntu");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "EOF");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Ubuntu");
+    assert_string_equal(ret->os_major, "19");
+    assert_string_equal(ret->os_minor, "04");
+    assert_string_equal(ret->os_version, "19.04 (Disco Dingo)");
+    assert_string_equal(ret->os_codename, "Disco Dingo");
+    assert_string_equal(ret->os_platform, "ubuntu");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_centos(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"CentOS Linux\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION=\"7 (Core)\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=centos");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "EOF");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    // Open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "CentOS Linux release 7.5.1804 (Core)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "CentOS Linux");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "5");
+    assert_string_equal(ret->os_version, "7.5");
+    assert_string_equal(ret->os_platform, "centos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_archlinux_distro_based(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"Manjaro Linux\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=manjaro");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    // Attempt to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Attempt to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Attempt to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Arch Linux");
+    assert_string_equal(ret->os_version, "");
+    assert_string_equal(ret->os_platform, "arch");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_archlinux_no_version_id(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"Arch Linux\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=arch");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Arch Linux");
+    assert_string_equal(ret->os_version, "");
+    assert_string_equal(ret->os_platform, "arch");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_archlinux(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"Arch Linux\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION_ID=\"TEMPLATE_VERSION_ID\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=arch");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Arch Linux");
+    assert_string_equal(ret->os_version, "");
+    assert_string_equal(ret->os_platform, "arch");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_opensuse_tumbleweed_no_version_id(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"openSUSE Tumbleweed\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=opensuse-tumbleweed");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "openSUSE Tumbleweed");
+    assert_string_equal(ret->os_version, "");
+    assert_string_equal(ret->os_platform, "opensuse-tumbleweed");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_opensuse_tumbleweed(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"openSUSE Tumbleweed\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION_ID=\"20230619\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=opensuse-tumbleweed");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "openSUSE Tumbleweed");
+    assert_string_equal(ret->os_version, "");
+    assert_string_equal(ret->os_platform, "opensuse-tumbleweed");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_alpine(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "NAME=\"Alpine Linux\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ID=alpine");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION_ID=3.17.1");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "PRETTY_NAME=\"Alpine Linux v3.17\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "HOME_URL=\"https://alpinelinux.org/\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "BUG_REPORT_URL=\"https://gitlab.alpinelinux.org/alpine/aports/-/issues\"");
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Alpine Linux");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_minor, "17");
+    assert_string_equal(ret->os_patch, "1");
+    assert_string_equal(ret->os_version, "3.17.1");
+    assert_string_equal(ret->os_platform, "alpine");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_centos(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "CentOS Linux release 6.2.1604 (Core)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "CentOS Linux");
+    assert_string_equal(ret->os_major, "6");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "6.2");
+    assert_string_equal(ret->os_platform, "centos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_fedora(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Fedora release 7 (Moonshine)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Fedora");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_version, "7");
+    assert_string_equal(ret->os_platform, "fedora");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_redhat_centos(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "CentOS Linux Server release 7.2 (Maipo)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "CentOS Linux");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "7.2");
+    assert_string_equal(ret->os_platform, "centos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_redhat_fedora(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Fedora Linux Server release 7.2 (Maipo)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Fedora");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "7.2");
+    assert_string_equal(ret->os_platform, "fedora");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_redhat_rhel(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Red Hat Enterprise Linux release 7.2 (Maipo)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Red Hat Enterprise Linux");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "7.2");
+    assert_string_equal(ret->os_platform, "rhel");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_redhat_rhel_server(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Red Hat Enterprise Linux Server release 7.2 (Maipo)");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Red Hat Enterprise Linux Server");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "7.2");
+    assert_string_equal(ret->os_platform, "rhel");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_ubuntu(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "DISTRIB_RELEASE=20.04");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Ubuntu");
+    assert_string_equal(ret->os_major, "20");
+    assert_string_equal(ret->os_minor, "04");
+    assert_string_equal(ret->os_version, "20.04");
+    assert_string_equal(ret->os_platform, "ubuntu");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_gentoo(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Gentoo Base System version 1.6.12");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Gentoo");
+    assert_string_equal(ret->os_major, "1");
+    assert_string_equal(ret->os_minor, "6");
+    assert_string_equal(ret->os_version, "1.6");
+    assert_string_equal(ret->os_platform, "gentoo");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_suse(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "VERSION = 3.5");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "SuSE Linux");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_version, "3");
+    assert_string_equal(ret->os_platform, "suse");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_arch(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "3.5.14");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Arch Linux");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_minor, "5");
+    assert_string_equal(ret->os_version, "3.5");
+    assert_string_equal(ret->os_platform, "arch");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_debian(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "3.5.14");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Debian GNU/Linux");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_minor, "5");
+    assert_string_equal(ret->os_version, "3.5");
+    assert_string_equal(ret->os_platform, "debian");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_slackware(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Slackware 14.2");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Slackware");
+    assert_string_equal(ret->os_major, "14");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "14.2");
+    assert_string_equal(ret->os_platform, "slackware");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_alpine(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "3.17.1");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "Alpine Linux");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_minor, "17");
+    assert_string_equal(ret->os_patch, "1");
+    assert_string_equal(ret->os_version, "3.17.1");
+    assert_string_equal(ret->os_platform, "alpine");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_uname_darwin(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Darwin\n");
+
+    // system_profiler SPSoftwareDataType
+    char *system_profiler_path = NULL;
+    os_strdup("/path/to/system_profiler", system_profiler_path);
+    expect_string(__wrap_get_binary_path, command, "system_profiler");
+    will_return(__wrap_get_binary_path, system_profiler_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/system_profiler SPSoftwareDataType");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Software:\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "System Software Overview:\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "    System Version: macOS 10.12 (16A323)\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // sw_vers -productVersion
+    char *sw_vers_path = NULL;
+    os_strdup("/path/to/sw_vers", sw_vers_path);
+    expect_string(__wrap_get_binary_path, command, "sw_vers");
+    will_return(__wrap_get_binary_path, sw_vers_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/sw_vers -productVersion");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10.2\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // sw_vers -buildVersion
+    expect_string(__wrap_popen, command, "/path/to/sw_vers -buildVersion");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // uname -r
+    expect_string(__wrap_popen, command, "/path/to/uname -r");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "macos\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "macOS");
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "10.2");
+    assert_string_equal(ret->os_platform, "darwin");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_uname_darwin_no_key(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Darwin\n");
+
+    // system_profiler SPSoftwareDataType
+    char *cmd_path = NULL;
+    os_strdup("/path/to/system_profiler", cmd_path);
+    expect_string(__wrap_get_binary_path, command, "system_profiler");
+    will_return(__wrap_get_binary_path, cmd_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/system_profiler SPSoftwareDataType");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Software:\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "System Software Overview:\n");
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, NULL);
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // sw_vers -productVersion
+    char *sw_vers_path = NULL;
+    os_strdup("/path/to/sw_vers", sw_vers_path);
+    expect_string(__wrap_get_binary_path, command, "sw_vers");
+    will_return(__wrap_get_binary_path, sw_vers_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/sw_vers -productVersion");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10.2\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // sw_vers -buildVersion
+    expect_string(__wrap_popen, command, "/path/to/sw_vers -buildVersion");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    // uname -r
+    expect_string(__wrap_popen, command, "/path/to/uname -r");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "macos\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_null(ret->os_name);
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_minor, "2");
+    assert_string_equal(ret->os_version, "10.2");
+    assert_string_equal(ret->os_platform, "darwin");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_uname_sunos(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "SunOS\n");
+
+    // Open /etc/release
+    expect_string(__wrap_wfopen, path, "/etc/release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Oracle Solaris 11.1 SPARC");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "SunOS");
+    assert_string_equal(ret->os_major, "11");
+    assert_string_equal(ret->os_minor, "1");
+    assert_string_equal(ret->os_version, "11.1");
+    assert_string_equal(ret->os_platform, "sunos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+// Scenario two: The content of /etc/release is Solaris 10 x/y ...
+void test_get_unix_version_fail_os_release_uname_sunos_10_scenario_one(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "SunOS\n");
+
+    // Open /etc/release
+    expect_string(__wrap_wfopen, path, "/etc/release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Solaris 10 1/13");
+
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "SunOS");
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_version, "10");
+    assert_string_equal(ret->os_platform, "sunos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+// Scenario two: The content of /etc/release is Oracle Solaris 10 x/y ...
+void test_get_unix_version_fail_os_release_uname_sunos_10_scenario_two(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "SunOS\n");
+
+    // Open /etc/release
+    expect_string(__wrap_wfopen, path, "/etc/release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "Oracle Solaris 10 1/13");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "SunOS");
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_version, "10");
+    assert_string_equal(ret->os_platform, "sunos");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_uname_hp_ux(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "HP-UX\n");
+
+    // uname - r
+    expect_string(__wrap_popen, command, "/path/to/uname -r");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "B.3.5");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "HP-UX");
+    assert_string_equal(ret->os_major, "3");
+    assert_string_equal(ret->os_minor, "5");
+    assert_string_equal(ret->os_version, "3.5");
+    assert_string_equal(ret->os_platform, "hp-ux");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_fail_os_release_uname_bsd(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "OpenBSD\n");
+
+    // uname - r
+    expect_string(__wrap_popen, command, "/path/to/uname -r");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10.3.5");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "BSD");
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_minor, "3");
+    assert_string_equal(ret->os_version, "10.3");
+    assert_string_equal(ret->os_platform, "bsd");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_get_unix_version_zscaler(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "ZscalerOS\n");
+
+    // uname - r
+    expect_string(__wrap_popen, command, "/path/to/uname -r");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "10-R");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "BSD");
+    assert_string_equal(ret->os_major, "10");
+    assert_string_equal(ret->os_version, "10-R");
+    assert_string_equal(ret->os_platform, "bsd");
+}
+
+void test_get_unix_version_fail_os_release_uname_aix(void **state)
+{
+    (void) state;
+    os_info *ret;
+
+    // Fail to open /etc/os-release
+    expect_string(__wrap_wfopen, path, "/etc/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /usr/lib/os-release
+    expect_string(__wrap_wfopen, path, "/usr/lib/os-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/centos-release
+    expect_string(__wrap_wfopen, path, "/etc/centos-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/fedora-release
+    expect_string(__wrap_wfopen, path, "/etc/fedora-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/redhat-release
+    expect_string(__wrap_wfopen, path, "/etc/redhat-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/arch-release
+    expect_string(__wrap_wfopen, path, "/etc/arch-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/gentoo-release
+    expect_string(__wrap_wfopen, path, "/etc/gentoo-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/SuSE-release
+    expect_string(__wrap_wfopen, path, "/etc/SuSE-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/lsb-release
+    expect_string(__wrap_wfopen, path, "/etc/lsb-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/debian_version
+    expect_string(__wrap_wfopen, path, "/etc/debian_version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/slackware-version
+    expect_string(__wrap_wfopen, path, "/etc/slackware-version");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // Fail to open /etc/alpine-release
+    expect_string(__wrap_wfopen, path, "/etc/alpine-release");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, 0);
+
+    // uname
+    char *uname_path = NULL;
+    os_strdup("/path/to/uname", uname_path);
+    expect_string(__wrap_get_binary_path, command, "uname");
+    will_return(__wrap_get_binary_path, uname_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/uname");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "AIX\n");
+
+    // oslevel
+    char *oslevel_path = NULL;
+    os_strdup("/path/to/oslevel", oslevel_path);
+    expect_string(__wrap_get_binary_path, command, "oslevel");
+    will_return(__wrap_get_binary_path, oslevel_path);
+    will_return(__wrap_get_binary_path, 0);
+
+    expect_string(__wrap_popen, command, "/path/to/oslevel");
+    expect_string(__wrap_popen, type, "r");
+    will_return(__wrap_popen, 1);
+
+    expect_value(__wrap_fgets, __stream, 1);
+    will_return(__wrap_fgets, "7.1\n");
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+
+    expect_value(__wrap_pclose, stream, 1);
+    will_return(__wrap_pclose, 1);
+
+    ret = get_unix_version();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret->os_name, "AIX");
+    assert_string_equal(ret->os_major, "7");
+    assert_string_equal(ret->os_minor, "1");
+    assert_string_equal(ret->os_version, "7.1");
+    assert_string_equal(ret->os_platform, "aix");
+    assert_string_equal(ret->sysname, "Linux");
+}
+
+void test_OSX_ReleaseName(void **state) {
+    (void)state;
+
+    assert_string_equal(OSX_ReleaseName(9), "Unknown");
+    assert_string_equal(OSX_ReleaseName(10), "Snow Leopard");
+    assert_string_equal(OSX_ReleaseName(11), "Lion");
+    assert_string_equal(OSX_ReleaseName(12), "Mountain Lion");
+    assert_string_equal(OSX_ReleaseName(13), "Mavericks");
+    assert_string_equal(OSX_ReleaseName(14), "Yosemite");
+    assert_string_equal(OSX_ReleaseName(15), "El Capitan");
+    assert_string_equal(OSX_ReleaseName(16), "Sierra");
+    assert_string_equal(OSX_ReleaseName(17), "High Sierra");
+    assert_string_equal(OSX_ReleaseName(18), "Mojave");
+    assert_string_equal(OSX_ReleaseName(19), "Catalina");
+    assert_string_equal(OSX_ReleaseName(20), "Big Sur");
+    assert_string_equal(OSX_ReleaseName(21), "Monterey");
+    assert_string_equal(OSX_ReleaseName(22), "Ventura");
+    assert_string_equal(OSX_ReleaseName(23), "Sonoma");
+    assert_string_equal(OSX_ReleaseName(24), "Unknown");
+}
+
+#endif
+
+void test_compare_wazuh_versions_equal_patch(void **state)
+{
+    (void) state;
+    char *v1 = "v4.0.0";
+    char *v2 = "v4.0.0";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_compare_wazuh_versions_equal_minor(void **state)
+{
+    (void) state;
+    char *v1 = "3.13";
+    char *v2 = "3.13";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_compare_wazuh_versions_equal_major(void **state)
+{
+    (void) state;
+    char *v1 = "4";
+    char *v2 = "v4";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_compare_wazuh_versions_greater_patch(void **state)
+{
+    (void) state;
+    char *v1 = "4.0.1";
+    char *v2 = "v4.0.0";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_compare_wazuh_versions_greater_patch_no_patch(void **state)
+{
+    (void) state;
+    char *v1 = "4.0.1";
+    char *v2 = "v4.0.0";
+
+    int ret = compare_wazuh_versions(v1, v2, false);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_compare_wazuh_versions_greater_minor(void **state)
+{
+    (void) state;
+    char *v1 = "2.15";
+    char *v2 = "2";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_compare_wazuh_versions_greater_major(void **state)
+{
+    (void) state;
+    char *v1 = "v5";
+    char *v2 = "4.9";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_compare_wazuh_versions_lower_patch(void **state)
+{
+    (void) state;
+    char *v1 = "v4.0.1";
+    char *v2 = "v4.0.3";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_compare_wazuh_versions_lower_minor(void **state)
+{
+    (void) state;
+    char *v1 = "2.15.1";
+    char *v2 = "2.18";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_compare_wazuh_versions_lower_major(void **state)
+{
+    (void) state;
+    char *v1 = "v5";
+    char *v2 = "v6.1";
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_compare_wazuh_versions_null(void **state)
+{
+    (void) state;
+    char *v1 = NULL;
+    char *v2 = NULL;
+
+    int ret = compare_wazuh_versions(v1, v2, true);
+
+    assert_int_equal(ret, 0);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+#ifdef __linux__
+            cmocka_unit_test_teardown(test_get_unix_version_Ubuntu1904, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_centos, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_archlinux_distro_based, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_archlinux_no_version_id, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_archlinux, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_opensuse_tumbleweed_no_version_id, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_opensuse_tumbleweed, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_alpine, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_centos, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_fedora, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_redhat_centos, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_redhat_fedora, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_redhat_rhel, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_redhat_rhel_server, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_ubuntu, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_gentoo, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_suse, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_arch, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_debian, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_slackware, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_alpine, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_darwin, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_darwin_no_key, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_sunos, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_sunos_10_scenario_one, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_sunos_10_scenario_two, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_hp_ux, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_bsd, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_zscaler, delete_os_info),
+            cmocka_unit_test_teardown(test_get_unix_version_fail_os_release_uname_aix, delete_os_info),
+            cmocka_unit_test(test_OSX_ReleaseName),
+#endif
+            // compare_wazuh_versions
+            cmocka_unit_test(test_compare_wazuh_versions_equal_patch),
+            cmocka_unit_test(test_compare_wazuh_versions_equal_minor),
+            cmocka_unit_test(test_compare_wazuh_versions_equal_major),
+            cmocka_unit_test(test_compare_wazuh_versions_greater_patch),
+            cmocka_unit_test(test_compare_wazuh_versions_greater_patch_no_patch),
+            cmocka_unit_test(test_compare_wazuh_versions_greater_minor),
+            cmocka_unit_test(test_compare_wazuh_versions_greater_major),
+            cmocka_unit_test(test_compare_wazuh_versions_lower_patch),
+            cmocka_unit_test(test_compare_wazuh_versions_lower_minor),
+            cmocka_unit_test(test_compare_wazuh_versions_lower_major),
+            cmocka_unit_test(test_compare_wazuh_versions_null)
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/common/version_op/tests/unit/wrappers/version_op_wrappers.c b/src/common/version_op/tests/unit/wrappers/version_op_wrappers.c
new file mode 100644
index 0000000000..530a379071
--- /dev/null
+++ b/src/common/version_op/tests/unit/wrappers/version_op_wrappers.c
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "version_op_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_compare_wazuh_versions(const char *version1, const char *version2, bool compare_patch) {
+    check_expected(version1);
+    check_expected(version2);
+    check_expected(compare_patch);
+
+    return mock();
+}
diff --git a/src/common/version_op/tests/unit/wrappers/version_op_wrappers.h b/src/common/version_op/tests/unit/wrappers/version_op_wrappers.h
new file mode 100644
index 0000000000..37106a6909
--- /dev/null
+++ b/src/common/version_op/tests/unit/wrappers/version_op_wrappers.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef VERSION_OP_WRAPPERS_H
+#define VERSION_OP_WRAPPERS_H
+
+#include <stdbool.h>
+
+int __wrap_compare_wazuh_versions(const char *version1, const char *version2, bool compare_patch);
+
+#endif
diff --git a/src/common/windowsHelper/CMakeLists.txt b/src/common/windowsHelper/CMakeLists.txt
new file mode 100644
index 0000000000..fd8f24c852
--- /dev/null
+++ b/src/common/windowsHelper/CMakeLists.txt
@@ -0,0 +1,5 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+if(UNIT_TEST)
+    add_subdirectory(tests)
+endif()
diff --git a/src/common/windowsHelper/include/windowsHelper.h b/src/common/windowsHelper/include/windowsHelper.h
new file mode 100644
index 0000000000..8a709667f3
--- /dev/null
+++ b/src/common/windowsHelper/include/windowsHelper.h
@@ -0,0 +1,690 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 1, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WIN32
+
+#ifndef _NETWORK_WINDOWS_HELPER_H
+#define _NETWORK_WINDOWS_HELPER_H
+
+#include <map>
+#include <memory>
+#include <vector>
+#include <array>
+#include <system_error>
+#include <winsock2.h>
+#include <windows.h>
+#include <time.h>
+#include <ws2tcpip.h>
+#include <iphlpapi.h>
+#include <versionhelpers.h>
+#include "mem_op.h"
+#include "stringHelper.h"
+#include "encodingWindowsHelper.h"
+#include "timeHelper.h"
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-function"
+#pragma GCC diagnostic ignored "-Wreturn-type"
+#pragma GCC diagnostic ignored "-Wcast-function-type"
+
+constexpr auto WORKING_ADAPTERS_INFO_BUFFER_SIZE
+{
+    15000
+};
+constexpr auto MAX_ADAPTERS_INFO_TRIES
+{
+    3
+};
+
+constexpr auto WINDOWS_UNIX_EPOCH_DIFF_SECONDS
+{
+    11644473600ULL
+};
+
+constexpr int BASEBOARD_INFORMATION_TYPE
+{
+    2
+};
+
+typedef struct RawSMBIOSData
+{
+    BYTE    Used20CallingMethod;
+    BYTE    SMBIOSMajorVersion;
+    BYTE    SMBIOSMinorVersion;
+    BYTE    DmiRevision;
+    DWORD   Length;
+    BYTE    SMBIOSTableData[];
+} RawSMBIOSData, *PRawSMBIOSData;
+
+typedef struct SMBIOSStructureHeader
+{
+    BYTE Type;
+    BYTE FormattedAreaLength;
+    WORD Handle;
+} SMBIOSStructureHeader;
+
+typedef struct SMBIOSBaseboardInfoStructure
+{
+    BYTE Type;
+    BYTE FormattedAreaLength;
+    WORD Handle;
+    BYTE Manufacturer;
+    BYTE Product;
+    BYTE Version;
+    BYTE SerialNumber;
+} SMBIOSBaseboardInfoStructure;
+constexpr auto REFERENCE_YEAR
+{
+    1900
+};
+
+//140512 represents 14:05:12.
+constexpr auto HOURMINSEC_VALUE_SIZE
+{
+    6
+};
+
+constexpr auto INSTALLDATE_REGISTRY_VALUE_SIZE
+{
+    8
+};
+
+
+namespace Utils
+{
+    struct IPAddressSmartDeleter
+    {
+        void operator()(IP_ADAPTER_INFO* address)
+        {
+            win_free(address);
+            address = nullptr;
+        }
+        void operator()(IP_ADAPTER_ADDRESSES* address)
+        {
+            win_free(address);
+            address = nullptr;
+        }
+    };
+
+    typedef UINT (WINAPI* GetSystemFirmwareTable_t)(DWORD, DWORD, PVOID, DWORD);
+    static GetSystemFirmwareTable_t getSystemFirmwareTableFunctionAddress()
+    {
+        GetSystemFirmwareTable_t ret{nullptr};
+        auto hKernel32 { GetModuleHandle(TEXT("kernel32.dll")) };
+
+        if (hKernel32)
+        {
+            ret = reinterpret_cast<GetSystemFirmwareTable_t>(GetProcAddress(hKernel32, "GetSystemFirmwareTable"));
+        }
+
+        return ret;
+    }
+
+    typedef NETIOAPI_API (WINAPI* ConvertLengthToIpv4Mask_t)(ULONG, PULONG);
+    static ConvertLengthToIpv4Mask_t getConvertLengthToIpv4MaskFunctionAddress()
+    {
+        ConvertLengthToIpv4Mask_t ret{nullptr};
+        auto hIphlpapi { GetModuleHandle(TEXT("Iphlpapi.dll")) };
+
+        if (hIphlpapi)
+        {
+            ret = reinterpret_cast<ConvertLengthToIpv4Mask_t>(GetProcAddress(hIphlpapi, "ConvertLengthToIpv4Mask"));
+        }
+
+        return ret;
+    }
+
+    typedef NETIOAPI_API (WINAPI* GetIfEntry2_t)(PMIB_IF_ROW2);
+    static GetIfEntry2_t getIfEntry2FunctionAddress()
+    {
+        GetIfEntry2_t ret{nullptr};
+        auto hIphlpapi { GetModuleHandle(TEXT("Iphlpapi.dll")) };
+
+        if (hIphlpapi)
+        {
+            ret = reinterpret_cast<GetIfEntry2_t>(GetProcAddress(hIphlpapi, "GetIfEntry2"));
+        }
+
+        return ret;
+    }
+
+    typedef INT (WINAPI* inet_pton_t)(INT, PCSTR, PVOID);
+    static inet_pton_t getInetPtonFunctionAddress()
+    {
+        inet_pton_t ret{nullptr};
+        auto hWs232 { GetModuleHandle(TEXT("ws2_32.dll")) };
+
+        if (hWs232)
+        {
+            ret = reinterpret_cast<inet_pton_t>(GetProcAddress(hWs232, "inet_pton"));
+        }
+
+        return ret;
+    }
+
+    typedef PCSTR (WINAPI* inet_ntop_t)(INT, PVOID, PSTR, size_t);
+    static inet_ntop_t getInetNtopFunctionAddress()
+    {
+        inet_ntop_t ret{nullptr};
+        auto hWs232 { GetModuleHandle(TEXT("ws2_32.dll")) };
+
+        if (hWs232)
+        {
+            ret = reinterpret_cast<inet_ntop_t>(GetProcAddress(hWs232, "inet_ntop"));
+        }
+
+        return ret;
+    }
+
+    static bool isVistaOrLater()
+    {
+        static const bool ret
+        {
+            IsWindowsVistaOrGreater()
+        };
+        return ret;
+    }
+
+    // https://en.wikipedia.org/wiki/ISO_8601#Calendar_dates
+    // https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations
+    static std::string normalizeTimestamp(const std::string& dateISO8601CalendarDateFormat, const std::string& dateISO8601CombinedFormat)
+    {
+        std::string normalizedTimestamp;
+
+        if (dateISO8601CalendarDateFormat.size() != INSTALLDATE_REGISTRY_VALUE_SIZE)
+        {
+            throw std::runtime_error("Invalid dateISO8601CalendarDateFormat size.");
+        }
+
+        if (!isNumber(dateISO8601CalendarDateFormat))
+        {
+            throw std::runtime_error("Invalid dateISO8601CalendarDateFormat format.");
+        }
+
+        const auto pos = dateISO8601CombinedFormat.find(' ');
+
+        if (pos != std::string::npos)
+        {
+            // Substracts "YYYY/MM/DD" from "YYYY/MM/DD hh:mm:ss" string.
+            auto dateTrimmed = dateISO8601CombinedFormat.substr(0, pos);
+            // Substracts "hh:mm:ss" from "YYYY/MM/DD hh:mm:ss" string.
+            auto timeTrimmed = dateISO8601CombinedFormat.substr(pos + 1);
+
+            // Converts "YYYY/MM/DD" string to "YYYYMMDD".
+            Utils::replaceAll(dateTrimmed, "/", "");
+            // Converts "hh:mm:ss" string to "hhmmss".
+            Utils::replaceAll(timeTrimmed, ":", "");
+
+            if (dateTrimmed.size() == INSTALLDATE_REGISTRY_VALUE_SIZE
+                    || timeTrimmed.size() == HOURMINSEC_VALUE_SIZE)
+            {
+                if (dateTrimmed.compare(dateISO8601CalendarDateFormat) == 0)
+                {
+                    normalizedTimestamp = dateISO8601CombinedFormat;
+                }
+                else
+                {
+                    tm local_time_s {};
+
+                    // Parsing YYYYMMDD date format string.
+                    local_time_s.tm_year = std::stoi(dateISO8601CalendarDateFormat.substr(0, 4)) - REFERENCE_YEAR;
+                    local_time_s.tm_mon = std::stoi(dateISO8601CalendarDateFormat.substr(4, 2)) - 1;
+                    local_time_s.tm_mday = std::stoi(dateISO8601CalendarDateFormat.substr(6, 2));
+                    local_time_s.tm_hour = 0;
+                    local_time_s.tm_min = 0;
+                    local_time_s.tm_sec = 0;
+                    time_t local_time = mktime(&local_time_s);
+
+                    normalizedTimestamp = Utils::getTimestamp(local_time, false);
+                }
+            }
+            else
+            {
+                throw std::runtime_error("Invalid dateISO8601CombinedFormat format.");
+            }
+        }
+        else
+        {
+            throw std::runtime_error("Invalid dateISO8601CombinedFormat date/time separator.");
+        }
+
+        return normalizedTimestamp;
+    }
+
+    /* Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.6.0.pdf */
+    static std::string getSerialNumberFromSmbios(const BYTE* rawData, const DWORD rawDataSize)
+    {
+        std::string serialNumber;
+        DWORD offset{0};
+
+        if (nullptr != rawData)
+        {
+            std::unique_ptr<BYTE[]> tmpBuffer { std::make_unique<BYTE[]>(rawDataSize + 1) };
+            memcpy(tmpBuffer.get(), rawData, rawDataSize);
+
+            while (offset < rawDataSize && serialNumber.empty())
+            {
+                if (offset + sizeof(SMBIOSStructureHeader) >= rawDataSize)
+                {
+                    break;
+                }
+
+                SMBIOSStructureHeader header{};
+                memcpy(&header, tmpBuffer.get() + offset, sizeof(SMBIOSStructureHeader));
+
+                if (offset + header.FormattedAreaLength >= rawDataSize || offset + sizeof(SMBIOSBaseboardInfoStructure) >= rawDataSize)
+                {
+                    break;
+                }
+
+                if (BASEBOARD_INFORMATION_TYPE == header.Type)
+                {
+                    SMBIOSBaseboardInfoStructure info{};
+                    memcpy(&info, tmpBuffer.get() + offset, sizeof(SMBIOSBaseboardInfoStructure));
+                    offset += info.FormattedAreaLength;
+
+                    for (BYTE i = 1; i < info.SerialNumber; ++i)
+                    {
+                        const char* tmp{reinterpret_cast<const char*>(tmpBuffer.get() + offset)};
+
+                        if (offset < rawDataSize)
+                        {
+                            const auto len{ nullptr != tmp ? strlen(tmp) : 0 };
+                            offset += len + sizeof(char);
+                        }
+                    }
+
+                    if (offset < rawDataSize)
+                    {
+                        serialNumber = reinterpret_cast<const char*>(tmpBuffer.get() + offset);
+                    }
+                }
+                else
+                {
+                    offset += header.FormattedAreaLength;
+
+                    // Search for the end of the unformatted structure (\0\0)
+                    while (offset + 1 < rawDataSize)
+                    {
+                        if (!(*(tmpBuffer.get() + offset)) && !(*(tmpBuffer.get() + offset + 1)))
+                        {
+                            offset += 2;
+                            break;
+                        }
+
+                        offset++;
+                    }
+                }
+            }
+        }
+
+        return serialNumber;
+    }
+
+    static std::string buildTimestamp(const ULONGLONG time)
+    {
+        // Format of value is 18-digit LDAP/FILETIME timestamps.
+        // 18-digit LDAP/FILETIME timestamps -> Epoch/Unix time
+        // (value/10000000ULL) - 11644473600ULL
+        const time_t epochTime { static_cast<long int> ((time / 10000000ULL) - WINDOWS_UNIX_EPOCH_DIFF_SECONDS) };
+        char formatString[20] = {0};
+
+        tm utc_time;
+        gmtime_s(&utc_time, &epochTime);
+
+        std::strftime(formatString, sizeof(formatString), "%Y/%m/%d %H:%M:%S", &utc_time);
+        return formatString;
+    }
+
+    class NetworkWindowsHelper final
+    {
+            static DWORD getAdapterAddresses(PIP_ADAPTER_ADDRESSES& ipAdapterAddresses)
+            {
+                // Set the flags to pass to GetAdaptersAddresses()
+                // When the GAA_FLAG_INCLUDE_PREFIX flag is set, IP address prefixes are returned for both IPv6 and IPv4 addresses.
+                const auto adapterAddressesFlags
+                {
+                    isVistaOrLater() ? (GAA_FLAG_INCLUDE_PREFIX | GAA_FLAG_INCLUDE_GATEWAYS)
+                    : 0
+                };
+
+                ULONG bufferLen { WORKING_ADAPTERS_INFO_BUFFER_SIZE };
+                DWORD dwRetVal  { 0 };
+                auto attempts   { 0 };
+                bool adapterAddressesFound { false };
+
+                do
+                {
+                    ipAdapterAddresses = reinterpret_cast<IP_ADAPTER_ADDRESSES*>(win_alloc(bufferLen));
+
+                    if (!ipAdapterAddresses)
+                    {
+                        throw std::system_error
+                        {
+                            static_cast<int>(GetLastError()),
+                            std::system_category(),
+                            "Unable to allocate memory for PIP_ADAPTER_ADDRESSES struct."
+                        };
+                    }
+
+                    // Two calls of GetAdaptersAddresses are needed. One for getting the size needed (bufferLen variable),
+                    // and the second one for getting the actual data we want.
+                    dwRetVal = GetAdaptersAddresses(AF_UNSPEC, adapterAddressesFlags, nullptr, ipAdapterAddresses, &bufferLen);
+
+                    if (ERROR_BUFFER_OVERFLOW == dwRetVal)
+                    {
+                        win_free(ipAdapterAddresses);
+                        ipAdapterAddresses = nullptr;
+                    }
+                    else
+                    {
+                        adapterAddressesFound = true;
+                    }
+
+                    ++attempts;
+                }
+                while (!adapterAddressesFound && attempts < MAX_ADAPTERS_INFO_TRIES);
+
+                return dwRetVal;
+            }
+
+            static DWORD getAdapterInfoXP(PIP_ADAPTER_INFO& ipAdapterInfo)
+            {
+                // Windows XP additional IPv4 interfaces data
+
+                ULONG bufferLen { WORKING_ADAPTERS_INFO_BUFFER_SIZE };
+                DWORD dwRetVal  { 0 };
+                auto attempts   { 0 };
+                bool adapterInfoFound { false };
+
+                while (!adapterInfoFound && attempts < MAX_ADAPTERS_INFO_TRIES)
+                {
+                    ipAdapterInfo = reinterpret_cast<IP_ADAPTER_INFO*>(win_alloc(bufferLen));
+
+                    if (!ipAdapterInfo)
+                    {
+                        throw std::system_error
+                        {
+                            static_cast<int>(GetLastError()),
+                            std::system_category(),
+                            "Unable to allocate memory for IP_ADAPTER_INFO struct."
+                        };
+                    }
+
+                    dwRetVal = GetAdaptersInfo(ipAdapterInfo, &bufferLen);
+
+                    if (ERROR_BUFFER_OVERFLOW == dwRetVal)
+                    {
+                        win_free(ipAdapterInfo);
+                        ipAdapterInfo = nullptr;
+                    }
+                    else
+                    {
+                        adapterInfoFound = true;
+                    }
+
+                    ++attempts;
+                }
+
+                return dwRetVal;
+            }
+
+        public:
+
+            enum NetworkFamilyTypes
+            {
+                UNDEF,
+                IPV4,
+                IPV6,
+                COMMON_DATA
+            };
+
+            static std::string getAdapterNameStr(const std::wstring& adapterName)
+            {
+                return Utils::EncodingWindowsHelper::wstringToStringUTF8(adapterName);
+            }
+
+            static void getAdapters(std::unique_ptr<IP_ADAPTER_ADDRESSES, IPAddressSmartDeleter>& interfacesAddress)
+            {
+                PIP_ADAPTER_ADDRESSES ipAdapterAddresses { nullptr };
+                const DWORD dwRetVal { getAdapterAddresses(ipAdapterAddresses) };
+
+                if (NO_ERROR == dwRetVal)
+                {
+                    interfacesAddress.reset(ipAdapterAddresses);
+                }
+                else
+                {
+                    throw std::system_error
+                    {
+                        static_cast<int>(dwRetVal),
+                        std::system_category(),
+                        "Error reading network adapter addresses"
+                    };
+                }
+            }
+
+            static void getAdapterInfo(std::unique_ptr<IP_ADAPTER_INFO, IPAddressSmartDeleter>& adapterInfo)
+            {
+                PIP_ADAPTER_INFO ipAdapterInfo { nullptr };
+                const DWORD dwRetVal { getAdapterInfoXP(ipAdapterInfo) };
+
+                if (NO_ERROR == dwRetVal)
+                {
+                    adapterInfo.reset(ipAdapterInfo);
+                }
+                else
+                {
+                    throw std::system_error
+                    {
+                        static_cast<int>(dwRetVal),
+                        std::system_category(),
+                        "Error reading network adapter info"
+                    };
+                }
+            }
+
+            static std::string IAddressToString(const int family, in_addr address)
+            {
+                std::string retVal;
+                auto plainAddress { std::make_unique<char[]>(NI_MAXHOST) };
+
+                if (isVistaOrLater())
+                {
+                    static auto pfnInetNtop { getInetNtopFunctionAddress() };
+
+                    if (pfnInetNtop)
+                    {
+                        if (pfnInetNtop(family, &address, plainAddress.get(), NI_MAXHOST))
+                        {
+                            retVal = plainAddress.get();
+                        }
+                    }
+                }
+                else
+                {
+                    // Windows XP
+                    plainAddress.reset(inet_ntoa(address));
+
+                    if (plainAddress)
+                    {
+                        retVal = plainAddress.get();
+                    }
+                }
+
+                return retVal;
+            }
+
+            static std::string IAddressToString(const int family, in6_addr address)
+            {
+                std::string retVal;
+                auto plainAddress { std::make_unique<char[]>(NI_MAXHOST) };
+
+                if (isVistaOrLater())
+                {
+                    static auto pfnInetNtop { getInetNtopFunctionAddress() };
+
+                    if (pfnInetNtop)
+                    {
+                        if (pfnInetNtop(family, &address, plainAddress.get(), NI_MAXHOST))
+                        {
+                            retVal = plainAddress.get();
+                        }
+                    }
+                }
+
+                // IPv6 in Windows XP is not supported
+                return retVal;
+            }
+
+            static std::string broadcastAddress(const std::string& ipAddress, const std::string& netmask)
+            {
+                struct in_addr host {};
+                struct in_addr mask {};
+                struct in_addr broadcast {};
+
+                std::string broadcastAddr;
+
+                static auto pfnInetPton { getInetPtonFunctionAddress() };
+
+                if (pfnInetPton)
+                {
+                    if (pfnInetPton(AF_INET, ipAddress.c_str(), &host) == 1 && pfnInetPton(AF_INET, netmask.c_str(), &mask) == 1)
+                    {
+                        broadcast.s_addr = host.s_addr | ~mask.s_addr;
+                        broadcastAddr = IAddressToString(AF_INET, broadcast);
+                    }
+                }
+
+                return broadcastAddr;
+            }
+
+            static std::string getIpV6Address(const uint8_t* addrParam)
+            {
+                std::string retVal;
+
+                if (addrParam)
+                {
+                    constexpr auto IPV6_BUFFER_ADDRESS_SIZE { 16 };
+                    std::array<char, IPV6_BUFFER_ADDRESS_SIZE> buffer;
+                    memcpy(buffer.data(), addrParam, IPV6_BUFFER_ADDRESS_SIZE);
+
+                    std::array<char, IPV6_BUFFER_ADDRESS_SIZE> addrComparator;
+                    addrComparator.fill(0);
+
+                    if (std::equal(buffer.begin(), buffer.end(), addrComparator.begin()))
+                    {
+                        retVal = "::";
+                    }
+                    else
+                    {
+                        addrComparator.at(IPV6_BUFFER_ADDRESS_SIZE - 1) = 0x1;
+
+                        if (std::equal(buffer.begin(), buffer.end(), addrComparator.begin()))
+                        {
+                            retVal = "::1";
+                        }
+                        else
+                        {
+                            std::stringstream ss;
+                            bool separator { false };
+                            ss << std::hex << std::setfill('0');
+
+                            for (const auto& value : buffer)
+                            {
+                                ss << std::setw(2) << (static_cast<unsigned>(value) & 0xFF);
+
+                                if (separator)
+                                {
+                                    ss << ":";
+                                }
+
+                                separator = !separator;
+                            }
+
+                            retVal = ss.str();
+                            Utils::replaceAll(retVal, "0000", "");
+                            Utils::replaceAll(retVal, ":::", "::");
+                            retVal = retVal.substr(0, retVal.size() - 1);
+                        }
+                    }
+                }
+
+                return retVal;
+            }
+
+            static std::string ipv6Netmask(const uint8_t maskLength)
+            {
+                static const auto MAX_BITS_LENGTH { 128 };
+                std::string netmask;
+
+                if (maskLength < MAX_BITS_LENGTH)
+                {
+                    // For a unicast IPv6 address, any value greater than 128 is an illegal value
+
+                    // Each chunks of addresses has four letters "f" following by a ":"
+                    // If "maskLength" is not multiple of 4, we need to fill the current
+                    // "chunk" depending of the amount of letters needed. That's why
+                    // the need of the following map.
+                    static std::map<int, std::string> NET_MASK_FILLER_CHARS_MAP =
+                    {
+                        { 1, "8"},
+                        { 2, "c"},
+                        { 3, "e"}
+                    };
+                    static const int BITS_PER_CHUNK     { 4 };
+                    static const int NETMASK_TOTAL_BITS { 32 };
+
+                    netmask = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"; // 128 bits address
+                    const int value          { maskLength / BITS_PER_CHUNK };
+                    const int remainingValue { maskLength % BITS_PER_CHUNK };
+                    const int totalSum       { value + remainingValue };
+                    const int refillData     { totalSum % BITS_PER_CHUNK };
+                    const int separators     { value / BITS_PER_CHUNK };
+                    const int remainingSeparators     { value % BITS_PER_CHUNK };
+                    const int finalNumberOfSeparators { remainingSeparators == 0 ? separators - 1 : separators };
+
+                    // Add the needed ":" separators
+                    netmask = netmask.substr(0, value + finalNumberOfSeparators);
+
+                    if (remainingValue)
+                    {
+                        // If the maskLength is not multiple of 4, let's refill with the corresponding
+                        // character
+                        const auto it { NET_MASK_FILLER_CHARS_MAP.find(remainingValue) };
+
+                        if (NET_MASK_FILLER_CHARS_MAP.end() != it)
+                        {
+                            netmask += it->second;
+                        }
+                    }
+                    else
+                    {
+                        netmask += std::string(refillData, '0'); // Refill data with 0's if applies
+                    }
+
+                    if (totalSum < (NETMASK_TOTAL_BITS - BITS_PER_CHUNK))
+                    {
+                        // Append "::" to fill the complete 128 bits address (IPv6 representation)
+                        netmask += "::";
+                    }
+                }
+
+                return netmask;
+            }
+    };
+}
+
+#pragma GCC diagnostic pop
+
+#endif // _NETWORK_WINDOWS_HELPER_H
+
+#endif //WIN32
diff --git a/src/common/windowsHelper/tests/CMakeLists.txt b/src/common/windowsHelper/tests/CMakeLists.txt
new file mode 100644
index 0000000000..e4b45fece4
--- /dev/null
+++ b/src/common/windowsHelper/tests/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(utils_unit_test)
+
+file(GLOB UTIL_CXX_UNITTEST_WINDOWS_SRC
+    "windowsHelper_test.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_COMMON_SRC
+    "main.cpp"
+)
+
+file(GLOB UTIL_CXX_UNITTEST_LINUX_SRC)
+
+file(COPY input_files DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
+
+link_directories(${SRC_FOLDER}/external/googletest/lib)
+link_directories(${SRC_FOLDER}/external/libarchive/.libs/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_executable(utils_unit_test
+      ${UTIL_CXX_UNITTEST_COMMON_SRC}
+      ${UTIL_CXX_UNITTEST_WINDOWS_SRC}
+      ${UTIL_CXX_UNITTEST_CPP17_SRC}
+    )
+    add_definitions(-DWIN32=1
+                    -D_WIN32_WINNT=0x600)
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        pthread
+        crypto
+        ssl
+        -static-libgcc -static-libstdc++
+        ws2_32
+        crypt32
+    )
+else()
+
+    if (APPLE)
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    else()
+      add_executable(utils_unit_test
+        ${UTIL_CXX_UNITTEST_COMMON_SRC}
+        ${UTIL_CXX_UNITTEST_LINUX_SRC}
+        ${UTIL_CXX_UNITTEST_CPP17_SRC}
+      )
+    endif(APPLE)
+
+    target_link_libraries(utils_unit_test
+        debug gtestd
+        debug gmockd
+        optimized gtest
+        optimized gmock
+        rocksdb
+        crypto
+        dl
+        pthread
+        rt
+        lzma
+        z
+        minizip
+        archive
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  target_link_libraries(utils_unit_test -fprofile-arcs)
+else()
+  target_link_libraries(utils_unit_test gcov)
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+add_test(NAME utils_unit_test
+         COMMAND utils_unit_test)
diff --git a/src/common/windowsHelper/tests/main.cpp b/src/common/windowsHelper/tests/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/common/windowsHelper/tests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/common/windowsHelper/tests/windowsHelper_test.cpp b/src/common/windowsHelper/tests/windowsHelper_test.cpp
new file mode 100644
index 0000000000..8d7718e463
--- /dev/null
+++ b/src/common/windowsHelper/tests/windowsHelper_test.cpp
@@ -0,0 +1,241 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 10, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef WIN32
+#include "windowsHelper_test.h"
+#include "windowsHelper.h"
+
+void WindowsHelperTest::SetUp() {};
+
+void WindowsHelperTest::TearDown() {};
+
+TEST_F(WindowsHelperTest, ipv6NetMask_64)
+{
+    const int addressPrefixLength { 64 };
+    const std::string expectedNetMask { "ffff:ffff:ffff:ffff::" };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_EQ(expectedNetMask, netMask);
+}
+
+TEST_F(WindowsHelperTest, ipv6NetMask_127)
+{
+    const int addressPrefixLength { 127 };
+    const std::string expectedNetMask { "ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe" };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_EQ(expectedNetMask, netMask);
+}
+
+TEST_F(WindowsHelperTest, ipv6NetMask_55)
+{
+    const int addressPrefixLength { 55 };
+    const std::string expectedNetMask { "ffff:ffff:ffff:fe::" };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_EQ(expectedNetMask, netMask);
+}
+
+TEST_F(WindowsHelperTest, ipv6NetMask_77)
+{
+    const int addressPrefixLength { 77 };
+    const std::string expectedNetMask { "ffff:ffff:ffff:ffff:fff8::" };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_EQ(expectedNetMask, netMask);
+}
+
+TEST_F(WindowsHelperTest, ipv6NetMask_72)
+{
+    const int addressPrefixLength { 72 };
+    const std::string expectedNetMask { "ffff:ffff:ffff:ffff:ff00::" };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_EQ(expectedNetMask, netMask);
+}
+
+TEST_F(WindowsHelperTest, ipv6NetMask_INVALID)
+{
+    const int addressPrefixLength { 130 };
+    std::string netMask { Utils::NetworkWindowsHelper::ipv6Netmask(addressPrefixLength) };
+    EXPECT_TRUE(netMask.empty());
+}
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSWithNullData_TEST)
+{
+    constexpr auto SERIAL_NUMBER_DATA { "" };
+    std::string serialNumber;
+
+    serialNumber = Utils::getSerialNumberFromSmbios(nullptr, 0);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSRealData_TEST)
+{
+    std::vector<unsigned char> rawData {0xda, 0xfb, 0x00, 0xda, 0xb2, 0x00, 0x37, 0x4f, 0x1e, 0x36, 0x00, 0x05, 0x00, 0x05, 0x00, 0x03, 0x00, 0x06, 0x00,
+                                        0x06, 0x00, 0x05, 0x00, 0x0f, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x00, 0x02, 0x00, 0x12, 0x00, 0x12, 0x00, 0x04, 0x00, 0x22, 0x00,
+                                        0x22, 0x00, 0x01, 0x00, 0x23, 0x00, 0x23, 0x00, 0x00, 0x00, 0x28, 0x00, 0x28, 0x00, 0x00, 0x00, 0x29, 0x00, 0x29, 0x00, 0x01, 0x00, 0x2a, 0x00,
+                                        0x2a, 0x00, 0x02, 0x00, 0x2b, 0x00, 0x2b, 0x00, 0xff, 0xff, 0x2c, 0x00, 0x2c, 0x00, 0xff, 0xff, 0x2d, 0x00, 0x2d, 0x00, 0x02, 0x00, 0x2e, 0x00,
+                                        0x2e, 0x00, 0x00, 0x00, 0x42, 0x00, 0x42, 0x00, 0x01, 0x00, 0x43, 0x00, 0x43, 0x00, 0x00, 0x00, 0x55, 0x00, 0x55, 0x00, 0x00, 0x00, 0x5c, 0x00,
+                                        0x5c, 0x00, 0x01, 0x00, 0x5d, 0x00, 0x5d, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x05, 0x00, 0x6e, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x90, 0x00,
+                                        0x90, 0x00, 0x01, 0x00, 0x91, 0x00, 0x91, 0x00, 0x00, 0x00, 0x92, 0x00, 0x92, 0x00, 0x02, 0x00, 0x93, 0x00, 0x93, 0x00, 0x01, 0x00, 0x94, 0x00,
+                                        0x94, 0x00, 0x00, 0x00, 0x97, 0x00, 0x97, 0x00, 0x01, 0x00, 0x98, 0x00, 0x98, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x9b, 0x00, 0x01, 0x00, 0x9d, 0x00,
+                                        0x9d, 0x00, 0x01, 0x00, 0x9e, 0x00, 0x9e, 0x00, 0x00, 0x00, 0x9f, 0x00, 0x9f, 0x00, 0x00, 0x00, 0xa0, 0x00, 0xa0, 0x00, 0x01, 0x00, 0xa1, 0x00,
+                                        0xa1, 0x00, 0x00, 0x00, 0xa2, 0x00, 0xa2, 0x00, 0x02, 0x00, 0xa3, 0x00, 0xa3, 0x00, 0x01, 0x00, 0xd1, 0x00, 0xd1, 0x00, 0x01, 0x00, 0xd2, 0x00,
+                                        0xd2, 0x00, 0x00, 0x00, 0xed, 0x00, 0xed, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xda, 0xfb, 0x01, 0xda, 0xb2, 0x00,
+                                        0x37, 0x4f, 0x1e, 0x36, 0x00, 0xf0, 0x00, 0xf0, 0x00, 0x01, 0x00, 0xf5, 0x00, 0xf5, 0x00, 0x04, 0x00, 0xf6, 0x00, 0xf6, 0x00, 0x00, 0x00, 0x09,
+                                        0x01, 0x09, 0x01, 0x00, 0x00, 0x17, 0x01, 0x17, 0x01, 0x00, 0x00, 0x18, 0x01, 0x18, 0x01, 0x01, 0x00, 0x19, 0x01, 0x19, 0x01, 0x00, 0x00, 0x1a,
+                                        0x01, 0x1a, 0x01, 0x01, 0x00, 0x1b, 0x01, 0x1b, 0x01, 0x00, 0x00, 0x1c, 0x01, 0x1c, 0x01, 0x01, 0x00, 0x1d, 0x01, 0x1d, 0x01, 0x00, 0x00, 0x1e,
+                                        0x01, 0x1e, 0x01, 0x01, 0x00, 0x2b, 0x01, 0x2b, 0x01, 0x01, 0x00, 0x2c, 0x01, 0x2c, 0x01, 0x00, 0x00, 0x2d, 0x01, 0x2d, 0x01, 0x01, 0x00, 0x2e,
+                                        0x01, 0x2e, 0x01, 0x00, 0x00, 0x35, 0x01, 0x35, 0x01, 0xff, 0x00, 0x37, 0x01, 0x37, 0x01, 0x00, 0x00, 0x38, 0x01, 0x38, 0x01, 0x01, 0x00, 0x39,
+                                        0x01, 0x39, 0x01, 0x02, 0x00, 0x40, 0x01, 0x40, 0x01, 0x00, 0x00, 0x41, 0x01, 0x41, 0x01, 0x01, 0x00, 0x44, 0x01, 0x44, 0x01, 0x00, 0x00, 0x45,
+                                        0x01, 0x45, 0x01, 0x01, 0x00, 0x46, 0x01, 0x46, 0x01, 0x00, 0x00, 0x47, 0x01, 0x47, 0x01, 0x01, 0x00, 0x4a, 0x01, 0x4a, 0x01, 0x00, 0x00, 0x4b,
+                                        0x01, 0x4b, 0x01, 0x01, 0x00, 0x4e, 0x01, 0x4e, 0x01, 0x00, 0x00, 0x4f, 0x01, 0x4f, 0x01, 0x01, 0x00, 0x54, 0x01, 0x54, 0x01, 0x00, 0x00, 0x55,
+                                        0x01, 0x55, 0x01, 0x01, 0x00, 0x68, 0x01, 0x68, 0x01, 0x00, 0x00, 0x69, 0x01, 0x69, 0x01, 0x01, 0x00, 0x75, 0x01, 0x75, 0x01, 0x02, 0x00, 0x76,
+                                        0x01, 0x76, 0x01, 0x01, 0x00, 0x9b, 0x01, 0x9b, 0x01, 0x00, 0x00, 0x9c, 0x01, 0x9c, 0x01, 0x01, 0x00, 0xd2, 0x01, 0xd2, 0x01, 0x00, 0x00, 0xff,
+                                        0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xda, 0xfb, 0x02, 0xda, 0xb2, 0x00, 0x37, 0x4f, 0x1e, 0x36, 0x00, 0xd3, 0x01, 0xd3, 0x01, 0x01, 0x00,
+                                        0xd4, 0x01, 0xd4, 0x01, 0x00, 0x00, 0xd5, 0x01, 0xd5, 0x01, 0x01, 0x00, 0xe8, 0x01, 0xe8, 0x01, 0x00, 0x00, 0xe9, 0x01, 0xe9, 0x01, 0x01, 0x00,
+                                        0x02, 0x02, 0x02, 0x02, 0x00, 0x00, 0x03, 0x02, 0x03, 0x02, 0x01, 0x00, 0x04, 0x02, 0x04, 0x02, 0x00, 0x00, 0x05, 0x02, 0x05, 0x02, 0x01, 0x00,
+                                        0x2d, 0x02, 0x2d, 0x02, 0x01, 0x00, 0x2e, 0x02, 0x2e, 0x02, 0x00, 0x00, 0x32, 0x02, 0x32, 0x02, 0x02, 0x00, 0x33, 0x02, 0x33, 0x02, 0x01, 0x00,
+                                        0x4a, 0x02, 0x4a, 0x02, 0x01, 0x00, 0x4b, 0x02, 0x4b, 0x02, 0x01, 0x00, 0x4c, 0x02, 0x4c, 0x02, 0x00, 0x00, 0x5b, 0x02, 0x5b, 0x02, 0x00, 0x00,
+                                        0x5c, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x64, 0x02, 0x64, 0x02, 0x01, 0x00, 0x65, 0x02, 0x65, 0x02, 0x00, 0x00, 0x66, 0x02, 0x66, 0x02, 0x01, 0x00,
+                                        0x67, 0x02, 0x67, 0x02, 0x00, 0x00, 0x68, 0x02, 0x68, 0x02, 0x01, 0x00, 0x69, 0x02, 0x69, 0x02, 0x00, 0x00, 0x6c, 0x02, 0x6c, 0x02, 0x01, 0x00,
+                                        0x6d, 0x02, 0x6d, 0x02, 0x00, 0x00, 0x6e, 0x02, 0x6e, 0x02, 0x00, 0x00, 0xa3, 0x02, 0xa3, 0x02, 0x01, 0x00, 0xa4, 0x02, 0xa4, 0x02, 0x00, 0x00,
+                                        0xa7, 0x02, 0xa7, 0x02, 0x01, 0x00, 0xa8, 0x02, 0xa8, 0x02, 0x00, 0x00, 0xbd, 0x02, 0xbd, 0x02, 0x01, 0x00, 0xbe, 0x02, 0xbe, 0x02, 0x00, 0x00,
+                                        0xcd, 0x02, 0xcd, 0x02, 0x01, 0x00, 0xd8, 0x02, 0xd8, 0x02, 0xff, 0xff, 0xd9, 0x02, 0xd9, 0x02, 0xff, 0xff, 0xda, 0x02, 0xda, 0x02, 0xff, 0xff,
+                                        0xdb, 0x02, 0xdb, 0x02, 0xff, 0xff, 0xdc, 0x02, 0xdc, 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xda, 0xfb, 0x03, 0xda,
+                                        0xb2, 0x00, 0x37, 0x4f, 0x1e, 0x36, 0x00, 0xdd, 0x02, 0xdd, 0x02, 0xff, 0xff, 0xde, 0x02, 0xde, 0x02, 0xff, 0xff, 0xdf, 0x02, 0xdf, 0x02, 0xff,
+                                        0xff, 0xe3, 0x02, 0xe3, 0x02, 0x01, 0x00, 0xe4, 0x02, 0xe4, 0x02, 0x00, 0x00, 0xe5, 0x02, 0xe5, 0x02, 0x01, 0x00, 0xfd, 0x02, 0xfd, 0x02, 0x01,
+                                        0x00, 0xfe, 0x02, 0xfe, 0x02, 0x00, 0x00, 0x0f, 0x03, 0x0f, 0x03, 0x02, 0x00, 0x12, 0x03, 0x12, 0x03, 0x03, 0x00, 0x13, 0x03, 0x13, 0x03, 0x01,
+                                        0x00, 0x14, 0x03, 0x14, 0x03, 0x00, 0x00, 0x15, 0x03, 0x15, 0x03, 0x01, 0x00, 0x16, 0x03, 0x16, 0x03, 0x00, 0x00, 0x17, 0x03, 0x17, 0x03, 0x01,
+                                        0x00, 0x18, 0x03, 0x18, 0x03, 0x00, 0x00, 0x19, 0x03, 0x19, 0x03, 0x01, 0x00, 0x1a, 0x03, 0x1a, 0x03, 0x00, 0x00, 0x1b, 0x03, 0x1b, 0x03, 0x01,
+                                        0x00, 0x1c, 0x03, 0x1c, 0x03, 0x00, 0x00, 0x1d, 0x03, 0x1d, 0x03, 0x01, 0x00, 0x1e, 0x03, 0x1e, 0x03, 0x00, 0x00, 0x1f, 0x03, 0x1f, 0x03, 0x01,
+                                        0x00, 0x20, 0x03, 0x20, 0x03, 0x00, 0x00, 0x25, 0x03, 0x25, 0x03, 0x01, 0x00, 0x26, 0x03, 0x26, 0x03, 0x01, 0x00, 0x4f, 0x03, 0x4f, 0x03, 0x01,
+                                        0x00, 0x50, 0x03, 0x50, 0x03, 0x00, 0x00, 0x57, 0x03, 0x57, 0x03, 0x00, 0x00, 0x58, 0x03, 0x58, 0x03, 0x01, 0x00, 0x61, 0x03, 0x61, 0x03, 0x01,
+                                        0x00, 0x62, 0x03, 0x62, 0x03, 0x00, 0x00, 0x69, 0x03, 0x69, 0x03, 0x00, 0x00, 0x6a, 0x03, 0x6a, 0x03, 0x01, 0x00, 0x6b, 0x03, 0x6b, 0x03, 0x02,
+                                        0x00, 0x83, 0x03, 0x83, 0x03, 0x07, 0x00, 0x3e, 0x40, 0x3e, 0x40, 0x00, 0x00, 0x3f, 0x40, 0x3f, 0x40, 0x01, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00,
+                                        0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xda, 0x4d, 0x04, 0xda, 0xb2, 0x00, 0x37, 0x4f, 0x1e, 0x36, 0x00, 0x02, 0x80, 0x02, 0x80,
+                                        0x02, 0x00, 0x03, 0x80, 0x03, 0x80, 0x03, 0x00, 0x0c, 0x80, 0x0c, 0x80, 0x00, 0x00, 0x0d, 0x80, 0x0d, 0x80, 0x00, 0x00, 0x00, 0xa0, 0x00, 0xa0,
+                                        0x01, 0x00, 0x04, 0xa0, 0x04, 0xa0, 0x01, 0x00, 0x00, 0xf0, 0x00, 0xf0, 0x55, 0x00, 0x02, 0xf0, 0x02, 0xf0, 0x03, 0x00, 0x05, 0xf0, 0x05, 0xf0,
+                                        0x7f, 0x00, 0x06, 0xf0, 0x06, 0xf0, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x01, 0x02, 0x00, 0xf0,
+                                        0x03, 0xbf, 0x80, 0x9a, 0x8b, 0x3f, 0x01, 0x00, 0x17, 0x00, 0x03, 0x0f, 0x04, 0x06, 0xff, 0xff, 0x44, 0x65, 0x6c, 0x6c, 0x20, 0x49, 0x6e, 0x63,
+                                        0x2e, 0x00, 0x41, 0x30, 0x31, 0x00, 0x30, 0x38, 0x2f, 0x31, 0x33, 0x2f, 0x32, 0x30, 0x31, 0x33, 0x00, 0x00, 0x01, 0x1b, 0x01, 0x00, 0x01, 0x02,
+                                        0x03, 0x04, 0x44, 0x45, 0x4c, 0x4c, 0x59, 0x00, 0x10, 0x44, 0x80, 0x38, 0xb6, 0xc0, 0x4f, 0x35, 0x59, 0x31, 0x06, 0x05, 0x06, 0x44, 0x65, 0x6c,
+                                        0x6c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x00, 0x50, 0x6f, 0x77, 0x65, 0x72, 0x45, 0x64, 0x67, 0x65, 0x20, 0x54, 0x32, 0x30, 0x00, 0x30, 0x31, 0x00,
+                                        0x36, 0x59, 0x44, 0x38, 0x35, 0x59, 0x31, 0x00, 0x50, 0x6f, 0x77, 0x65, 0x72, 0x45, 0x64, 0x67, 0x65, 0x20, 0x54, 0x32, 0x30, 0x00, 0x20, 0x00,
+                                        0x00, 0x02, 0x0f, 0x02, 0x00, 0x01, 0x02, 0x03, 0x04, 0x00, 0x09, 0x00, 0x03, 0x00, 0x0a, 0x00, 0x44, 0x65, 0x6c, 0x6c, 0x20, 0x49, 0x6e, 0x63,
+                                        0x2e, 0x00, 0x30, 0x56, 0x44, 0x35, 0x48, 0x59, 0x00, 0x41, 0x30, 0x30, 0x00, 0x2f, 0x36, 0x59, 0x44, 0x38, 0x35, 0x59, 0x31, 0x2f, 0x43, 0x4e,
+                                        0x37, 0x32, 0x32, 0x30, 0x30, 0x33, 0x39, 0x33, 0x30, 0x30, 0x33, 0x39, 0x2f, 0x00, 0x20, 0x00, 0x20, 0x00, 0x00};
+
+    const auto size { rawData.size() };
+    constexpr auto SERIAL_NUMBER_DATA { "/6YD85Y1/CN722003930039/" };
+    std::string serialNumber;
+
+    const auto smbios { reinterpret_cast<PRawSMBIOSData>(rawData.data()) };
+    serialNumber = Utils::getSerialNumberFromSmbios(smbios->SMBIOSTableData, size);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSCorruptedData1_TEST)
+{
+    const std::vector<unsigned char> rawData {0x0, 0x0, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0xff, 0x27, 0xc7};
+    const auto size { rawData.size() };
+    constexpr auto SERIAL_NUMBER_DATA { "" };
+    std::string serialNumber;
+
+    serialNumber = Utils::getSerialNumberFromSmbios(rawData.data(), size);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSCorruptedData2_TEST)
+{
+    const std::vector<unsigned char> rawData {0x2, 0x0, 0xff, 0xff, 0xff, 0xff, 0x0, 0x5, 0xa};
+    const auto size { rawData.size() };
+    constexpr auto SERIAL_NUMBER_DATA { "" };
+    std::string serialNumber;
+
+    serialNumber = Utils::getSerialNumberFromSmbios(rawData.data(), size);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSTablesNoEndDoubleNull_TEST)
+{
+    const std::vector<unsigned char> rawData {0xda, 0xfb, 0x00, 0xda, 0xb2, 0x00, 0x37, 0x4f, 0x1e, 0x36, 0x00, 0x05, 0x00, 0x05, 0x00, 0x03, 0x00, 0x06, 0x00,
+                                              0x06, 0x00, 0x05, 0x00, 0x0f, 0x00, 0x0f, 0x00, 0x11, 0x00, 0x11, 0x00, 0x02, 0x00, 0x12, 0x00, 0x12, 0x00, 0x04, 0x00, 0x22};
+    const auto size { rawData.size() };
+    constexpr auto SERIAL_NUMBER_DATA { "" };
+    std::string serialNumber;
+
+    serialNumber = Utils::getSerialNumberFromSmbios(rawData.data(), size);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+TEST_F(WindowsHelperTest, getSerialNumberFromSMBIOSTables2NoEndDoubleNull_TEST)
+{
+    const std::vector<unsigned char> rawData {0x2, 0x8, 0xff, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x0, 0x6, 0x0, 0x7, 0x0, 'S', 'e', 'r', 'i', 'a', 'l', ' ', 't', 'e', 's', 't'};
+    const auto size { rawData.size() };
+    constexpr auto SERIAL_NUMBER_DATA { "Serial test" };
+    std::string serialNumber;
+
+    serialNumber = Utils::getSerialNumberFromSmbios(rawData.data(), size);
+    EXPECT_EQ(SERIAL_NUMBER_DATA, serialNumber);
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampShortRegistryInstallDateValue)
+{
+    std::string RegistryInstallDateValue = "202202";
+    std::string RegistryModificationDateValue = "2022/02/15 14:04:50";
+
+    EXPECT_ANY_THROW(Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue));
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampLongRegistryInstallDateValue)
+{
+    std::string RegistryInstallDateValue = "2022021516";
+    std::string RegistryModificationDateValue = "2022/02/15 14:04:50";
+
+    EXPECT_ANY_THROW(Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue));
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampUnknownRegistryInstallDateValue)
+{
+    std::string RegistryInstallDateValue;
+    std::string RegistryModificationDateValue = "2022/02/15 14:04:50";
+
+    EXPECT_ANY_THROW(Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue));
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampNotEqual)
+{
+    std::string RegistryInstallDateValue = "20220214";
+    std::string RegistryModificationDateValue = "2022/02/15 14:04:50";
+    std::string expected = "2022/02/14 00:00:00";
+
+    std::string result = Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue);
+
+    EXPECT_EQ(expected, result);
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampEqual)
+{
+    std::string RegistryInstallDateValue = "20220215";
+    std::string RegistryModificationDateValue = "2022/02/15 14:04:50";
+    std::string expected = "2022/02/15 14:04:50";
+
+    std::string result = Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue);
+
+    EXPECT_EQ(expected, result);
+}
+
+TEST_F(WindowsHelperTest, normalizeTimestampWrongRegistryInstallDateValue)
+{
+    std::string RegistryInstallDateValue = "a0220215";
+    std::string RegistryModificationDateValue = "2022/02/15 23:59:59";
+
+    EXPECT_ANY_THROW(Utils::normalizeTimestamp(RegistryInstallDateValue, RegistryModificationDateValue));
+}
+
+#endif
diff --git a/src/common/windowsHelper/tests/windowsHelper_test.h b/src/common/windowsHelper/tests/windowsHelper_test.h
new file mode 100644
index 0000000000..146ae8a0cc
--- /dev/null
+++ b/src/common/windowsHelper/tests/windowsHelper_test.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh shared modules utils
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 10, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WINDOWS_HELPER_TEST_H
+#define WINDOWS_HELPER_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class WindowsHelperTest : public ::testing::Test
+{
+    protected:
+
+        WindowsHelperTest() = default;
+        virtual ~WindowsHelperTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //WINDOWS_HELPER_TEST_H
\ No newline at end of file
diff --git a/src/modules/upgrade/src/upgrade.c b/src/common/wm_exec/CMakeLists.txt
similarity index 100%
rename from src/modules/upgrade/src/upgrade.c
rename to src/common/wm_exec/CMakeLists.txt
diff --git a/src/common/wm_exec/src/wm_exec.c b/src/common/wm_exec/src/wm_exec.c
new file mode 100644
index 0000000000..cc454acb9e
--- /dev/null
+++ b/src/common/wm_exec/src/wm_exec.c
@@ -0,0 +1,757 @@
+/*
+ * Wazuh Module Manager
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 25, 2016.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove STATIC qualifier from tests
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+#ifdef __MACH__
+#include <mach/clock.h>
+#include <mach/mach.h>
+#endif
+
+#if defined(WAZUH_UNIT_TESTING) && defined(WIN32)
+#include "../../unit_tests/wrappers/windows/processthreadsapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/handleapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/libc/kernel32_wrappers.h"
+#endif
+
+static pthread_mutex_t wm_children_mutex;   // Mutex for child process pool
+
+// Data structure to share with the reader thread
+
+typedef struct ThreadInfo {
+#ifdef WIN32
+    CHAR * output;
+    HANDLE pipe;
+#else
+    pthread_mutex_t mutex;
+    pthread_cond_t finished;
+    int pipe;
+    char * output;
+#endif
+} ThreadInfo;
+
+STATIC OSList * wm_children_list = NULL;    // Child process list
+
+// Clean node data
+static void wm_children_node_clean(pid_t *p_sid) {
+    os_free(p_sid);
+}
+
+// Initialize children pool
+
+void wm_children_pool_init() {
+    w_mutex_init(&wm_children_mutex, NULL);
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, (void (*)(void *))wm_children_node_clean);
+}
+
+#ifdef WIN32
+
+// Windows version -------------------------------------------------------------
+
+static DWORD WINAPI Reader(LPVOID args);    // Reading thread's start point
+
+// Execute command with timeout of secs
+
+int wm_exec(char *command, char **output, int *status, int secs, const char * add_path) {
+    HANDLE hThread = NULL;
+    DWORD dwCreationFlags;
+    STARTUPINFO sinfo = { 0 };
+    PROCESS_INFORMATION pinfo = { 0 };
+    ThreadInfo tinfo = { 0 };
+    int retval = 0;
+    int winerror = 0;
+
+    // Add environment variable if exists
+
+    if (add_path != NULL) {
+
+        char * new_path;
+        os_calloc(OS_SIZE_6144, sizeof(char), new_path);
+        char * env_path = getenv("PATH");
+
+        if (!env_path) {
+            snprintf(new_path, OS_SIZE_6144 - 1, "PATH=%s", add_path);
+        } else if (strlen(env_path) >= OS_SIZE_6144) {
+            merror("at wm_exec(): PATH environment variable too large.");
+            retval = -1;
+        } else {
+            snprintf(new_path, OS_SIZE_6144 - 1, "PATH=%s;%s", add_path, env_path);
+        }
+
+        // Using '_putenv' instead of '_putenv_s' for compatibility with Windows XP.
+        if (_putenv(new_path) < 0) {
+            merror("at wm_exec(): Unable to set new 'PATH' environment variable (%s).", strerror(errno));
+            retval = -1;
+        }
+
+        char * new_env = getenv("PATH");
+        if (new_env != NULL) {
+            mdebug1("New 'PATH' environment variable set: '%s'", new_env);
+        }
+        os_free(new_path);
+    }
+
+    sinfo.cb = sizeof(STARTUPINFO);
+
+    if (output) {
+        sinfo.dwFlags = STARTF_USESTDHANDLES;
+
+        // Create stdout pipe and make it inheritable
+
+        if (!CreatePipe(&tinfo.pipe, &sinfo.hStdOutput, NULL, 0)) {
+            winerror = GetLastError();
+            merror("at wm_exec(): CreatePipe(%d): %s", winerror, win_strerror(winerror));
+            return -1;
+        }
+
+        sinfo.hStdError = sinfo.hStdOutput;
+
+        if (!SetHandleInformation(sinfo.hStdOutput, HANDLE_FLAG_INHERIT, 1)) {
+            winerror = GetLastError();
+            merror("at wm_exec(): SetHandleInformation(%d): %s", winerror, win_strerror(winerror));
+            return -1;
+        }
+    }
+
+    // Create child process and close inherited pipes
+
+    dwCreationFlags = wm_task_nice < -10 ? HIGH_PRIORITY_CLASS :
+                      wm_task_nice < 0 ? ABOVE_NORMAL_PRIORITY_CLASS :
+                      wm_task_nice == 0 ? NORMAL_PRIORITY_CLASS :
+                      wm_task_nice < 10 ? BELOW_NORMAL_PRIORITY_CLASS :
+                      IDLE_PRIORITY_CLASS;
+
+    size_t size = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, command, -1, NULL, 0);
+    wchar_t *wcommand;
+    os_calloc(size, sizeof(wchar_t), wcommand);
+
+    MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, command, -1, wcommand, size);
+    mdebug2("UTF-8 command: %ls", wcommand);
+
+    if (!CreateProcessW(NULL, wcommand, NULL, NULL, TRUE, dwCreationFlags, NULL, NULL, &sinfo, &pinfo)) {
+        winerror = GetLastError();
+        merror("at wm_exec(): CreateProcess(%d): %s", winerror, win_strerror(winerror));
+        os_free(wcommand);
+        return -1;
+    }
+
+    os_free(wcommand);
+
+    if (output) {
+        CloseHandle(sinfo.hStdOutput);
+
+        // Create reading thread
+
+        hThread = w_create_thread(NULL, 0, Reader, &tinfo, 0, NULL);
+    }
+
+    switch (WaitForSingleObject(pinfo.hProcess, secs ? (unsigned)(secs * 1000) : INFINITE)) {
+    case 0:
+        if (status) {
+            DWORD exitcode;
+            GetExitCodeProcess(pinfo.hProcess, &exitcode);
+            *status = exitcode;
+        }
+
+        break;
+
+    case WAIT_TIMEOUT:
+        TerminateProcess(pinfo.hProcess, 1);
+        retval = WM_ERROR_TIMEOUT;
+        break;
+
+    default:
+        winerror = GetLastError();
+        merror("at wm_exec(): WaitForSingleObject(%d): %s", winerror, win_strerror(winerror));
+        TerminateProcess(pinfo.hProcess, 1);
+        retval = -1;
+    }
+
+    if (output) {
+        // Output
+
+        if (WaitForSingleObject(hThread, 1000) == WAIT_TIMEOUT) {
+            TerminateThread(hThread, 1);
+            WaitForSingleObject(hThread, INFINITE);
+        }
+
+        if (retval >= 0) {
+            *output = tinfo.output ? tinfo.output : strdup("");
+        } else {
+            free(tinfo.output);
+        }
+
+        CloseHandle(hThread);
+        CloseHandle(tinfo.pipe);
+    }
+
+    // Cleanup
+
+    CloseHandle(pinfo.hProcess);
+    CloseHandle(pinfo.hThread);
+
+    return retval;
+}
+
+// Reading thread's start point
+
+DWORD WINAPI Reader(LPVOID args) {
+    ThreadInfo * tinfo = (ThreadInfo *)args;
+    CHAR buffer[WM_BUFFER_MAX + 1];
+    DWORD length = 0;
+    DWORD nbytes;
+
+    while (ReadFile(tinfo->pipe, buffer, 1024, &nbytes, NULL), nbytes > 0) {
+        int nextsize = length + nbytes;
+
+        if (nextsize <= WM_STRING_MAX) {
+            tinfo->output = (char*)realloc(tinfo->output, nextsize + 1);
+            memcpy(tinfo->output + length, buffer, nbytes);
+            length = nextsize;
+            tinfo->output[length] = '\0';
+        } else {
+            mwarn("String limit reached.");
+            break;
+        }
+    }
+
+    return 0;
+}
+
+// Add process to pool
+
+void wm_append_handle(HANDLE hProcess) {
+    HANDLE * p_hProcess = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    if (wm_children_list != NULL) {
+        os_calloc(1, sizeof(HANDLE), p_hProcess);
+        *p_hProcess = hProcess;
+
+        void * retval = OSList_AddData(wm_children_list, (void *)p_hProcess);
+
+        if (retval == NULL) {
+            merror("Child process handle %p could not be registered in the children list.", hProcess);
+            os_free(p_hProcess);
+        }
+    }
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+// Remove process from pool
+
+void wm_remove_handle(HANDLE hProcess) {
+    OSListNode * node_it = NULL;
+    HANDLE * p_hProcess = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    if (wm_children_list != NULL) {
+        OSList_foreach(node_it, wm_children_list) {
+            p_hProcess = (HANDLE *)node_it->data;
+            if (p_hProcess && *p_hProcess == hProcess) {
+                OSList_DeleteThisNode(wm_children_list, node_it);
+                os_free(p_hProcess);
+                w_mutex_unlock(&wm_children_mutex);
+                return;
+            }
+        }
+        mwarn("Child process handle %p could not be removed because it was not found in the children list.", hProcess);
+    }
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+// Terminate every child process group. Doesn't wait for them!
+
+void wm_kill_children() {
+    // This function may be called from a signal handler
+
+    HANDLE * p_hProcess = NULL;
+    OSListNode * node_it = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    OSList_foreach(node_it, wm_children_list) {
+        if (node_it->data) {
+            p_hProcess = (HANDLE *)node_it->data;
+            TerminateProcess(*p_hProcess, ERROR_PROC_NOT_FOUND);
+        }
+    }
+
+    // Release dynamic children's list
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+#else
+
+// Unix version ----------------------------------------------------------------
+
+#include <unistd.h>
+
+#ifndef _GNU_SOURCE
+extern char ** environ;
+#endif
+
+static void* reader(void *args);   // Reading thread's start point
+
+// Execute command with timeout of secs
+
+int wm_exec(char *command, char **output, int *exitcode, int secs, const char * add_path)
+{
+    char ** argv;
+    pid_t pid;
+    int pipe_fd[2];
+    ThreadInfo tinfo = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, NULL };
+    pthread_t thread;
+    struct timespec timeout = { 0, 0 };
+    int retval = -1;
+    int status;
+
+    if (exitcode) {
+        *exitcode = 0;
+    }
+
+    // Create pipe for child's stdout
+
+    if (output) {
+        if (pipe(pipe_fd) < 0) {
+            merror("At wm_exec(): pipe(): %s", strerror(errno));
+            return -1;
+        }
+        w_descriptor_cloexec(pipe_fd[0]);
+    }
+
+    // Fork
+
+    switch (pid = fork()) {
+    case -1:
+
+        // Error
+
+        merror("Cannot run a subprocess: %s (%d)", strerror(errno), errno);
+
+        if (output) {
+            close(pipe_fd[0]);
+            close(pipe_fd[1]);
+        }
+
+        return -1;
+
+    case 0:
+
+        // Child
+
+        // Add environment variable if exists
+
+        if (add_path != NULL) {
+
+            char * new_path = NULL;
+            os_calloc(OS_SIZE_6144, sizeof(char), new_path);
+            char *env_path = getenv("PATH");
+
+            if (!env_path) {
+                snprintf(new_path, OS_SIZE_6144 - 1, "%s", add_path);
+            } else if (strlen(env_path) >= OS_SIZE_6144) {
+                merror("at wm_exec(): PATH environment variable too large.");
+            } else {
+                const int bytes_written = snprintf(new_path, OS_SIZE_6144, "%s:%s", add_path, env_path);
+
+                if (bytes_written >= OS_SIZE_6144) {
+                    merror("at wm_exec(): New environment variable too large.");
+                }
+                else if (bytes_written < 0) {
+                    merror("at wm_exec(): New environment variable error: %d (%s).", errno, strerror(errno));
+                }
+            }
+
+            if (setenv("PATH", new_path, 1) < 0) {
+                merror("at wm_exec(): Unable to set new 'PATH' environment variable (%s).", strerror(errno));
+            }
+
+            char * new_env = getenv("PATH");
+            if (new_env != NULL) {
+                mdebug1("New 'PATH' environment variable set: '%s'", new_env);
+            }
+            os_free(new_path);
+        }
+
+        argv = w_strtok(command);
+
+        int fd = open("/dev/null", O_RDWR, 0);
+
+        if (fd < 0) {
+            merror_exit(FOPEN_ERROR, "/dev/null", errno, strerror(errno));
+        }
+
+        dup2(fd, STDIN_FILENO);
+
+        if (output) {
+            close(pipe_fd[0]);
+            dup2(pipe_fd[1], STDOUT_FILENO);
+            dup2(pipe_fd[1], STDERR_FILENO);
+            close(pipe_fd[1]);
+        } else {
+            dup2(fd, STDOUT_FILENO);
+            dup2(fd, STDERR_FILENO);
+        }
+
+        close(fd);
+
+        setsid();
+        if (nice(wm_task_nice)) {}
+        execvp(argv[0], argv);
+        _exit(EXECVE_ERROR);
+
+        break;
+
+    default:
+
+        // Parent
+
+        wm_append_sid(pid);
+
+        if (output) {
+            close(pipe_fd[1]);
+            tinfo.pipe = pipe_fd[0];
+
+            // Launch thread
+
+            w_mutex_lock(&tinfo.mutex);
+
+            if (pthread_create(&thread, NULL, reader, &tinfo)) {
+                merror("Couldn't create reading thread.");
+                w_mutex_unlock(&tinfo.mutex);
+
+                if (output) {
+                    close(pipe_fd[0]);
+                    close(pipe_fd[1]);
+                }
+
+                return -1;
+            }
+
+            gettime(&timeout);
+            timeout.tv_sec += secs;
+
+            // Wait for reading termination
+
+            switch (secs ? pthread_cond_timedwait(&tinfo.finished, &tinfo.mutex, &timeout) : pthread_cond_wait(&tinfo.finished, &tinfo.mutex)) {
+            case 0:
+                retval = 0;
+                break;
+
+            case ETIMEDOUT:
+                retval = WM_ERROR_TIMEOUT;
+                kill(-pid, SIGTERM);
+                break;
+
+            default:
+                kill(-pid, SIGTERM);
+            }
+            // Wait for thread
+
+            w_mutex_unlock(&tinfo.mutex);
+            pthread_join(thread, NULL);
+
+            // Cleanup
+
+            w_mutex_destroy(&tinfo.mutex);
+            w_cond_destroy(&tinfo.finished);
+
+            // Wait for child process
+
+            switch (waitpid(pid, &status, 0)) {
+            case -1:
+                merror("waitpid()");
+                retval = -1;
+                break;
+
+            default:
+                if (WEXITSTATUS(status) == EXECVE_ERROR) {
+                    mdebug1("Invalid command: '%s': (%d) %s", command, errno, strerror(errno));
+                    retval = -1;
+                }
+
+                if (exitcode)
+                    *exitcode = WEXITSTATUS(status);
+            }
+
+        } else if (secs) {
+            // Kill and timeout
+            sleep(1);
+            secs--;
+            do {
+                if (waitpid(pid,&status,WNOHANG) == 0) { // Command yet not finished
+                    retval = -1;
+                    switch (kill(pid, 0)) {
+                    case -1:
+                        switch(errno) {
+                        case ESRCH:
+                            merror("At wm_exec(): No such process. Couldn't wait PID %d: (%d) %s.", pid, errno, strerror(errno));
+                            retval = -2;
+                            break;
+
+                        default:
+                            merror("At wm_exec(): Couldn't wait PID %d: (%d) %s.", pid, errno, strerror(errno));
+                            retval = -3;
+                        }
+                        break;
+
+                    default:
+                        if (secs > 0) {
+                            sleep(1);
+                            secs--;
+                        } else if (!secs) {
+                            secs--;
+                            continue;
+                        }
+                    }
+
+                    if (retval == -2 || retval == -3) {
+                        break;
+                    }
+
+                } else { // Command finished
+                    if (WEXITSTATUS(status) == EXECVE_ERROR) {
+                        mdebug1("Invalid command: '%s': (%d) %s", command, errno, strerror(errno));
+                        retval = -1;
+                    } else {
+                        retval = 0;
+                    }
+
+                    if (exitcode) {
+                        *exitcode = WEXITSTATUS(status);
+                    }
+
+                    break;
+                }
+            } while(secs >= 0);
+
+            if(retval != 0) {
+                kill(pid,SIGTERM);
+                retval = WM_ERROR_TIMEOUT;
+
+                // Wait for child process
+
+                switch (waitpid(pid, &status, 0)) {
+                case -1:
+                    merror("waitpid(): %s (%d)", strerror(errno), errno);
+                    retval = -1;
+                    break;
+
+                default:
+                    if (WEXITSTATUS(status) == EXECVE_ERROR) {
+                        mdebug1("Invalid command: '%s': (%d) %s", command, errno, strerror(errno));
+                        retval = -1;
+                    }
+
+                    if (exitcode)
+                        *exitcode = WEXITSTATUS(status);
+                }
+            }
+        } else {
+            switch (waitpid(pid, &status, 0)) {
+            case -1:
+                merror("waitpid()");
+                retval = -1;
+                break;
+
+            default:
+                if (WEXITSTATUS(status) == EXECVE_ERROR) {
+                    mdebug1("Invalid command: '%s': (%d) %s", command, errno, strerror(errno));
+                    retval = -1;
+                } else {
+                    retval = 0;
+                }
+
+                if (exitcode) {
+                    *exitcode = WEXITSTATUS(status);
+                }
+            }
+        }
+
+        wm_remove_sid(pid);
+
+        if (output) {
+            // Setup output
+
+            if (retval >= 0) {
+                *output = tinfo.output ? tinfo.output : strdup("");
+            } else {
+                free(tinfo.output);
+            }
+        }
+    }
+
+    return retval;
+}
+
+// Reading thread's start point
+
+void* reader(void *args) {
+    ThreadInfo * tinfo = (ThreadInfo *)args;
+    char buffer[WM_BUFFER_MAX + 1];
+    int length = 0;
+    int nbytes;
+
+    while ((nbytes = read(tinfo->pipe, buffer, WM_BUFFER_MAX)) > 0) {
+        int nextsize = length + nbytes;
+
+        if (nextsize <= WM_STRING_MAX) {
+            tinfo->output = (char*)realloc(tinfo->output, nextsize + 1);
+            memcpy(tinfo->output + length, buffer, nbytes);
+            length = nextsize;
+        } else {
+            mwarn("String limit reached.");
+            break;
+        }
+    }
+
+    if (tinfo->output) {
+        tinfo->output[length] = '\0';
+    }
+
+    w_mutex_lock(&tinfo->mutex);
+    w_cond_signal(&tinfo->finished);
+    w_mutex_unlock(&tinfo->mutex);
+
+    close(tinfo->pipe);
+    return NULL;
+}
+
+// Add process group to pool
+
+void wm_append_sid(pid_t sid) {
+    pid_t * p_sid = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    if (wm_children_list != NULL) {
+        os_calloc(1, sizeof(pid_t), p_sid);
+        *p_sid = sid;
+
+        void * retval = OSList_AddData(wm_children_list, (void *)p_sid);
+
+        if (retval == NULL) {
+            merror("Child process ID %d could not be registered in the children list.", sid);
+            os_free(p_sid);
+        }
+    }
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+// Remove process group from pool
+
+void wm_remove_sid(pid_t sid) {
+
+    OSListNode * node_it = NULL;
+    pid_t * p_sid = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    if (wm_children_list != NULL) {
+        OSList_foreach(node_it, wm_children_list) {
+            p_sid = (pid_t *)node_it->data;
+            if (p_sid && *p_sid == sid) {
+                OSList_DeleteThisNode(wm_children_list, node_it);
+                os_free(p_sid);
+                w_mutex_unlock(&wm_children_mutex);
+                return;
+            }
+        }
+        mwarn("Child process ID %d could not be removed because it was not found in the children list.", sid);
+    }
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+// Terminate every child process group. Doesn't wait for them!
+
+void wm_kill_children() {
+    // This function may be called from a signal handler
+
+    int timeout;
+    pid_t sid;
+    pid_t * p_sid = NULL;
+    OSListNode * node_it = NULL;
+
+    w_mutex_lock(&wm_children_mutex);
+    OSList_foreach(node_it, wm_children_list) {
+        p_sid = (pid_t *)node_it->data;
+        if (p_sid) {
+            sid = *p_sid;
+            if (wm_kill_timeout) {
+                timeout = wm_kill_timeout;
+
+                // Fork a process to kill the child
+
+                switch (fork()) {
+                case -1:
+                    merror("wm_kill_children(): Couldn't fork: (%d) %s.", errno, strerror(errno));
+                    break;
+
+                case 0: // Child
+
+                    kill(-sid, SIGTERM);
+
+                    do {
+                        sleep(1);
+
+                        // Poll process, waitpid() does not work here
+
+                        switch (kill(-sid, 0)) {
+                        case -1:
+                            switch (errno) {
+                            case ESRCH:
+                                exit(EXIT_SUCCESS);
+
+                            default:
+                                merror("wm_kill_children(): Couldn't wait PID %d: (%d) %s.", sid, errno, strerror(errno));
+                                exit(EXIT_FAILURE);
+                            }
+
+                        default:
+                            timeout--;
+                        }
+                    } while (timeout);
+
+                    // If time is gone, kill process
+
+                    mdebug1("Killing process group %d", sid);
+
+                    kill(-sid, SIGKILL);
+                    exit(EXIT_SUCCESS);
+
+                default: // Parent
+                    break;
+
+                }
+            } else {
+                // Kill immediately
+                kill(-sid, SIGKILL);
+            }
+        }
+    }
+
+    // Release dynamic children's list
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+
+    w_mutex_unlock(&wm_children_mutex);
+}
+
+#endif // WIN32
diff --git a/src/common/wm_exec/tests/unit/tests/CMakeLists.txt b/src/common/wm_exec/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..6e315eaf44
--- /dev/null
+++ b/src/common/wm_exec/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,75 @@
+# Copyright (C) 2023, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Generate wazuh modules library
+file(GLOB wm_exec ../../../wazuh_modules/wm_exec.o)
+
+add_library(WM_EXEC_O STATIC ${wm_exec})
+
+set_source_files_properties(
+  ${wm_exec}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+)
+
+set_target_properties(
+  WM_EXEC_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+)
+
+target_link_libraries(WM_EXEC_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_exec")
+list(APPEND WM_EXEC_BASE_FLAGS "-Wl,--wrap,OSList_AddData -Wl,--wrap,OSList_DeleteThisNode \
+                                -Wl,--wrap,OSList_GetFirstNode -Wl,--wrap,OSList_Destroy ${DEBUG_OP_WRAPPERS}")
+
+if(${TARGET} STREQUAL "winagent")
+    list(APPEND tests_flags "${WM_EXEC_BASE_FLAGS} -Wl,--wrap,fim_db_init -Wl,--wrap=syscom_dispatch \
+                               -Wl,--wrap=fim_db_teardown -Wl,--wrap=Start_win32_Syscheck -Wl,--wrap=is_fim_shutdown")
+else()
+    list(APPEND tests_flags "${WM_EXEC_BASE_FLAGS} -Wl,--wrap,fork -Wl,--wrap,kill -Wl,--wrap,exit -Wl,--wrap,sleep")
+endif()
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        WM_EXEC_O
+        ${TEST_DEPS}
+    )
+
+    if(${TARGET} STREQUAL "winagent")
+        target_link_libraries(${test_name} fimdb)
+    endif(${TARGET} STREQUAL "winagent")
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+          ${test_name}
+          ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/common/wm_exec/tests/unit/tests/test_wm_exec.c b/src/common/wm_exec/tests/unit/tests/test_wm_exec.c
new file mode 100644
index 0000000000..b4593be2a0
--- /dev/null
+++ b/src/common/wm_exec/tests/unit/tests/test_wm_exec.c
@@ -0,0 +1,459 @@
+/*
+ * Copyright (C) 2023, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+
+#include "../../wrappers/wazuh/shared/list_op_wrappers.h"
+#include "../../wrappers/posix/signal_wrappers.h"
+
+#define COMMAND u8"Powershell -c \"@{ winCounter = (Get-Counter '\\mémoire\\mégaoctets disponibles').CounterSamples[0] } | ConvertTo-Json -compress\""
+#define COMMAND2 u8"Powershell -c \"@{ winCounter = (Get-Counter '\\processeur(_total)\\% temps processeur').CounterSamples[0] } | ConvertTo-Json -compress\""
+
+
+extern OSList * wm_children_list;
+
+int __wrap_sleep (unsigned int __seconds) {
+    return mock();
+}
+
+pid_t __wrap_fork(void) {
+    return mock_type(pid_t);
+}
+
+void __wrap_exit(__attribute__((unused))int code) {
+    function_called();
+    return;
+}
+
+static int setup_modules(void ** state) {
+    *state = NULL;
+    // wm_kill_timeout to default value
+    wm_kill_timeout = 0;
+    wm_children_pool_init();
+    // Release list for custom usage
+    OSList_Destroy(wm_children_list);
+    test_mode = true;
+    wm_children_list = NULL;
+    return 0;
+}
+
+static int teardown_modules(void ** state) {
+    // wm_kill_timeout to default value
+    wm_kill_timeout = 0;
+    test_mode = false;
+    return 0;
+}
+
+static void test_wm_exec_accented_command(void ** state) {
+#ifdef WIN32
+    size_t size = mbstowcs(NULL, COMMAND, 0);
+    wchar_t *wcommand = calloc(size, sizeof(wchar_t));
+    mbstowcs(wcommand, COMMAND, size);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+    expect_string(wrap_CreateProcessW, lpCommandLine, wcommand);
+    will_return(wrap_CreateProcessW, TRUE);
+    expect_any(wrap_WaitForSingleObject, hMutex);
+    expect_any(wrap_WaitForSingleObject, value);
+    will_return(wrap_WaitForSingleObject, 0);
+    expect_any(wrap_CloseHandle, hObject);
+    will_return(wrap_CloseHandle, FALSE);
+    expect_any(wrap_CloseHandle, hObject);
+    will_return(wrap_CloseHandle, FALSE);
+    assert_int_equal(0, wm_exec(COMMAND, NULL, NULL, 0, NULL));
+
+    free(wcommand);
+#else
+    printf("not implemented yet!\n");
+#endif
+}
+
+static void test_wm_exec_not_accented_command(void ** state) {
+#ifdef WIN32
+    size_t size = mbstowcs(NULL, COMMAND2, 0);
+    wchar_t *wcommand = calloc(size, sizeof(wchar_t));
+    mbstowcs(wcommand, COMMAND2, size);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+    expect_string(wrap_CreateProcessW, lpCommandLine, wcommand);
+    will_return(wrap_CreateProcessW, TRUE);
+    expect_any(wrap_WaitForSingleObject, hMutex);
+    expect_any(wrap_WaitForSingleObject, value);
+    will_return(wrap_WaitForSingleObject, 0);
+    expect_any(wrap_CloseHandle, hObject);
+    will_return(wrap_CloseHandle, FALSE);
+    expect_any(wrap_CloseHandle, hObject);
+    will_return(wrap_CloseHandle, FALSE);
+    assert_int_equal(0, wm_exec(COMMAND2, NULL, NULL, 0, NULL));
+
+    free(wcommand);
+#else
+    printf("not implemented yet!\n");
+#endif
+}
+
+#ifndef TEST_WINAGENT
+static void test_wm_append_sid_null_list(void ** state) {
+    pid_t sid = 1234;
+    wm_children_list = NULL; // NULL List
+
+    wm_append_sid(sid);
+}
+
+static void test_wm_append_sid_fail(void ** state) {
+    pid_t sid = 1234;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    will_return(__wrap_OSList_AddData, false);
+    will_return(__wrap_OSList_AddData, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "Child process ID 1234 could not be registered in the children list.");
+
+    wm_append_sid(sid);
+}
+
+static void test_wm_append_sid_success(void ** state) {
+    pid_t sid = 1234;
+    OSListNode * node;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    will_return(__wrap_OSList_AddData, true);
+    will_return(__wrap_OSList_AddData, (void *)1);
+
+    wm_append_sid(sid);
+}
+
+static void test_wm_remove_sid_null_list(void ** state) {
+    pid_t sid = 1234;
+    wm_children_list = NULL; // NULL List
+
+    wm_remove_sid(sid);
+}
+
+static void test_wm_remove_sid_not_found(void ** state) {
+    pid_t sid = 1234;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    will_return(__wrap_OSList_GetFirstNode, NULL);
+
+    expect_string(__wrap__mwarn, formatted_msg,
+                 "Child process ID 1234 could not be removed because it was "
+                 "not found in the children list.");
+
+    wm_remove_sid(sid);
+}
+
+static void test_wm_remove_sid_success(void ** state) {
+    pid_t sid = 1234;
+    pid_t * p_sid = NULL;
+    OSListNode * node = NULL;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    os_calloc(1, sizeof(pid_t), p_sid);
+    *p_sid = sid;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_sid;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+    expect_function_call(__wrap_OSList_DeleteThisNode);
+
+    wm_remove_sid(sid);
+
+    os_free(node);
+}
+
+static void test_wm_kill_children_fork_failed(void ** state) {
+    pid_t sid = 1234;
+    pid_t * p_sid = NULL;
+    OSListNode * node = NULL;
+
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, free);
+
+    os_calloc(1, sizeof(pid_t), p_sid);
+    *p_sid = sid;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_sid;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+
+    pid_t pidError = -1;
+    will_return(__wrap_fork, pidError);
+    errno = 13;
+
+    wm_kill_timeout = 1;
+
+    expect_string(__wrap__merror, formatted_msg, "wm_kill_children(): Couldn't fork: (13) Permission denied.");
+
+    test_mode = false;
+
+    wm_kill_children(sid);
+
+    os_free(p_sid);
+    os_free(node);
+
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+}
+
+static void test_wm_kill_children_timeout_kill_child(void ** state) {
+    pid_t sid = 1234;
+    pid_t * p_sid = NULL;
+    OSListNode * node = NULL;
+
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, free);
+
+    wm_kill_timeout = 1;
+
+    os_calloc(1, sizeof(pid_t), p_sid);
+    *p_sid = sid;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_sid;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+
+    pid_t pidOk = 0;
+    will_return(__wrap_fork, pidOk);
+
+    expect_value(__wrap_kill,pid,sid*(-1));
+    expect_value(__wrap_kill,sig,SIGTERM);
+    will_return(__wrap_kill,0);
+
+    will_return(__wrap_sleep, OS_SUCCESS);
+
+    expect_value(__wrap_kill,pid,sid*(-1));
+    expect_value(__wrap_kill,sig,0);
+    will_return(__wrap_kill,-1);
+
+    errno = 3;
+
+    expect_function_call(__wrap_exit);
+
+    expect_string(__wrap__merror, formatted_msg, "wm_kill_children(): Couldn't wait PID 1234: (3) No such process.");
+
+    expect_function_call(__wrap_exit);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Killing process group 1234");
+
+    expect_value(__wrap_kill,pid,sid*(-1));
+    expect_value(__wrap_kill,sig,SIGKILL);
+    will_return(__wrap_kill,0);
+
+    expect_function_call(__wrap_exit);
+
+    test_mode = false;
+
+    wm_kill_children(sid);
+
+    os_free(p_sid);
+    os_free(node);
+
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+}
+
+static void test_wm_kill_children_parent(void ** state) {
+    pid_t sid = 1234;
+    pid_t * p_sid = NULL;
+    OSListNode * node = NULL;
+
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, free);
+
+    os_calloc(1, sizeof(pid_t), p_sid);
+    *p_sid = sid;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_sid;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+
+    expect_value(__wrap_kill,pid,sid*(-1));
+    expect_value(__wrap_kill,sig,SIGKILL);
+    will_return(__wrap_kill,0);
+
+    test_mode = false;
+
+    wm_kill_children(sid);
+
+    os_free(p_sid);
+    os_free(node);
+
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+}
+
+#else
+static void test_wm_append_handle_null_list(void ** state) {
+    HANDLE hProcess = (HANDLE)0x00112233;
+    wm_children_list = NULL; // NULL List
+
+    wm_append_handle(hProcess);
+}
+
+static void test_wm_append_handle_fail(void ** state) {
+    HANDLE hProcess = (HANDLE)0x00112233;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+
+    will_return(__wrap_OSList_AddData, false);
+    will_return(__wrap_OSList_AddData, NULL);
+
+    expect_string(__wrap__merror, formatted_msg,
+                 "Child process handle 00112233 could not be registered in the "
+                 "children list.");
+
+    wm_append_handle(hProcess);
+}
+
+static void test_wm_append_handle_success(void ** state) {
+    HANDLE hProcess = (HANDLE)0x00112233;
+    OSListNode * node;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    will_return(__wrap_OSList_AddData, true);
+    will_return(__wrap_OSList_AddData, node);
+
+    wm_append_handle(hProcess);
+}
+
+static void test_wm_remove_handle_null_list(void ** state) {
+    HANDLE hProccess = (HANDLE)0x00112233;
+    wm_children_list = NULL; // NULL List
+
+    wm_remove_handle(hProccess);
+}
+
+static void test_wm_remove_handle_not_found(void ** state) {
+    HANDLE hProcces = (HANDLE)0x00112233;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    will_return(__wrap_OSList_GetFirstNode, NULL);
+
+    expect_string(__wrap__mwarn, formatted_msg, 
+                 "Child process handle 00112233 could not be removed because "
+                 "it was not found in the children list.");
+
+    wm_remove_handle(hProcces);
+}
+
+static void test_wm_remove_handle_success(void ** state) {
+    HANDLE hProcess = (HANDLE)0x00112233;
+    HANDLE * p_hProcess = NULL;
+    OSListNode * node = NULL;
+    wm_children_list = (OSList *)1; // NON-NULL List
+
+    os_calloc(1, sizeof(HANDLE), p_hProcess);
+    *p_hProcess = hProcess;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_hProcess;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+    expect_function_call(__wrap_OSList_DeleteThisNode);
+
+    wm_remove_handle(hProcess);
+
+    os_free(node);
+}
+
+static void test_wm_kill_children_with_empty_list(void ** state) {
+    wm_children_list = NULL; // NULL List
+
+    test_mode = false;
+
+    wm_kill_children();
+}
+
+static void test_wm_kill_children_with_empty_node(void ** state) {
+    OSListNode * node = NULL;
+
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, free);
+
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = NULL;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+
+    test_mode = false;
+
+    wm_kill_children();
+
+    os_free(node);
+
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+}
+
+static void test_wm_kill_children_with_success(void ** state) {
+    HANDLE hProcess = (HANDLE)10;
+    HANDLE * p_hProcess = NULL;
+    OSListNode * node = NULL;
+
+    wm_children_list = OSList_Create();
+    OSList_SetFreeDataPointer(wm_children_list, free);
+
+    os_calloc(1, sizeof(HANDLE), p_hProcess);
+    *p_hProcess = hProcess;
+    node = (OSListNode *) calloc(1, sizeof(OSListNode));
+    node->data = p_hProcess;
+
+    will_return(__wrap_OSList_GetFirstNode, node);
+
+    expect_function_call(wrap_TerminateProcess);
+    will_return(wrap_TerminateProcess, true);
+
+    test_mode = false;
+
+    wm_kill_children();
+
+    os_free(p_hProcess);
+    os_free(node);
+
+    OSList_Destroy(wm_children_list);
+    wm_children_list = NULL;
+}
+
+#endif
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_wm_exec_accented_command),
+        cmocka_unit_test(test_wm_exec_not_accented_command),
+#ifndef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_wm_append_sid_null_list, NULL, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_append_sid_fail, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_append_sid_success, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_remove_sid_null_list, NULL, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_remove_sid_not_found, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_remove_sid_success, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_fork_failed, setup_modules, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_timeout_kill_child, setup_modules, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_parent, setup_modules, NULL)
+#else
+        cmocka_unit_test_setup_teardown(test_wm_append_handle_null_list, NULL, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_append_handle_fail, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_append_handle_success, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_remove_handle_null_list, NULL, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_remove_handle_not_found, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_remove_handle_success, setup_modules, teardown_modules),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_with_empty_list, setup_modules, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_with_empty_node, setup_modules, NULL),
+        cmocka_unit_test_setup_teardown(test_wm_kill_children_with_success, setup_modules, NULL)
+#endif
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.c b/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.c
new file mode 100644
index 0000000000..5ef90cde58
--- /dev/null
+++ b/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.c
@@ -0,0 +1,44 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "headers/shared.h"
+#include "wm_exec_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_wm_exec(char *command, char **output, int *exitcode, int secs, const char * add_path) {
+    check_expected(command);
+    check_expected(secs);
+    check_expected(add_path);
+
+    if (output) {
+        char *out = mock_type(char *);
+        if (out) {
+            os_strdup(out, *output);
+        }
+    }
+
+    *exitcode = mock_type(int);
+
+    return mock();
+}
+
+void expect_wm_exec(char *command, int sec, const char * add_path, char *output_command, int exitcode, int return_code) {
+    expect_string(__wrap_wm_exec, command, command);
+    expect_value(__wrap_wm_exec, secs, sec);
+    expect_value(__wrap_wm_exec, add_path, add_path);
+    if (output_command != NULL) {
+	    will_return(__wrap_wm_exec, output_command);
+    }
+    will_return(__wrap_wm_exec, exitcode);
+    will_return(__wrap_wm_exec, return_code);
+}
+
diff --git a/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.h b/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.h
new file mode 100644
index 0000000000..0e09c36b9b
--- /dev/null
+++ b/src/common/wm_exec/tests/unit/wrappers/wm_exec_wrappers.h
@@ -0,0 +1,17 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef WM_EXEC_WRAPPERS_H
+#define WM_EXEC_WRAPPERS_H
+
+int __wrap_wm_exec(char *command, char **output, int *exitcode, int secs, const char * add_path);
+void expect_wm_exec(char *command, int sec, const char * add_path, char *output_command, int exitcode, int return_code);
+
+#endif
diff --git a/src/common/yaml2json/CMakeLists.txt b/src/common/yaml2json/CMakeLists.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/common/yaml2json/include/yaml2json.h b/src/common/yaml2json/include/yaml2json.h
new file mode 100644
index 0000000000..e06ae534c9
--- /dev/null
+++ b/src/common/yaml2json/include/yaml2json.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * August 4, 2018
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef YAML2JSON_H
+#define YAML2JSON_H
+
+#include "../external/libyaml/include/yaml.h"
+#include <cJSON.h>
+
+int yaml_parse_stdin(yaml_document_t * document);
+int yaml_parse_file(const char * path, yaml_document_t * document);
+cJSON * yaml2json(yaml_document_t * document, int quoted_float_as_string );
+
+#endif
diff --git a/src/common/yaml2json/src/yaml2json.c b/src/common/yaml2json/src/yaml2json.c
new file mode 100644
index 0000000000..06d45e8585
--- /dev/null
+++ b/src/common/yaml2json/src/yaml2json.c
@@ -0,0 +1,132 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * August 4, 2018
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include "shared.h"
+
+static cJSON * yaml2json_node(yaml_document_t * document, yaml_node_t * node, int quoted_float_as_string);
+
+int yaml_parse_stdin(yaml_document_t * document) {
+    yaml_parser_t parser;
+    int error = -1;
+
+    yaml_parser_initialize(&parser);
+    yaml_parser_set_input_file(&parser, stdin);
+
+    if (yaml_parser_load(&parser, document)) {
+        error = 0;
+    } else {
+        mwarn("Failed to load YAML document at line %u", (unsigned int)parser.problem_mark.line);
+    }
+
+    yaml_parser_delete(&parser);
+
+    return error;
+}
+
+int yaml_parse_file(const char * path, yaml_document_t * document) {
+    yaml_parser_t parser;
+    FILE * finput;
+    int error = -1;
+
+    if (finput = wfopen(path, "rb"), finput) {
+        yaml_parser_initialize(&parser);
+        yaml_parser_set_input_file(&parser, finput);
+
+        if (yaml_parser_load(&parser, document)) {
+            error = 0;
+        } else {
+            mwarn("Failed to load YAML document in %s:%u", path, (unsigned int)parser.problem_mark.line);
+            yaml_document_delete(document);
+        }
+
+        yaml_parser_delete(&parser);
+        fclose(finput);
+    } else {
+        mwarn("Cannot open file '%s': %s (%d)", path, strerror(errno), errno);
+    }
+
+    return error;
+}
+
+cJSON * yaml2json(yaml_document_t * document, int single_quote_float_as_string) {
+    yaml_node_t * node;
+
+    if (node = yaml_document_get_root_node(document), !node) {
+        mwarn("No document defined.");
+        return NULL;
+    }
+
+    return yaml2json_node(document, node, single_quote_float_as_string);
+}
+
+cJSON * yaml2json_node(yaml_document_t * document, yaml_node_t * node,int quoted_float_as_string) {
+    yaml_node_t * key;
+    yaml_node_t * value;
+    yaml_node_item_t * item_i;
+    yaml_node_pair_t * pair_i;
+    double number;
+    char * scalar;
+    char * end;
+    cJSON * object;
+
+    switch (node->type) {
+    case YAML_NO_NODE:
+        object = cJSON_CreateObject();
+        break;
+
+    case YAML_SCALAR_NODE:
+        scalar = (char *)node->data.scalar.value;
+        number = strtod(scalar, &end);
+
+        if(quoted_float_as_string && (node->data.scalar.style == YAML_SINGLE_QUOTED_SCALAR_STYLE || node->data.scalar.style == YAML_DOUBLE_QUOTED_SCALAR_STYLE)) {
+            object = cJSON_CreateString(scalar);
+        } else {
+            object = (end == scalar || *end) ? cJSON_CreateString(scalar) : cJSON_CreateNumber(number);
+        }
+
+        break;
+
+    case YAML_SEQUENCE_NODE:
+        object = cJSON_CreateArray();
+
+        for (item_i = node->data.sequence.items.start; item_i < node->data.sequence.items.top; ++item_i) {
+            cJSON_AddItemToArray(object, yaml2json_node(document, yaml_document_get_node(document, *item_i),quoted_float_as_string));
+        }
+
+        break;
+
+    case YAML_MAPPING_NODE:
+        object = cJSON_CreateObject();
+
+        for (pair_i = node->data.mapping.pairs.start; pair_i < node->data.mapping.pairs.top; ++pair_i) {
+            key = yaml_document_get_node(document, pair_i->key);
+            value = yaml_document_get_node(document, pair_i->value);
+
+            if (key->type != YAML_SCALAR_NODE) {
+                mwarn("Mapping key is not scalar (line %u).", (unsigned int)key->start_mark.line);
+                continue;
+            }
+
+            cJSON_AddItemToObject(object, (char *)key->data.scalar.value, yaml2json_node(document, value,quoted_float_as_string));
+        }
+
+        break;
+
+    default:
+        mwarn("Unknown node type (line %u).", (unsigned int)node->start_mark.line);
+        object = NULL;
+    }
+
+    return object;
+}
diff --git a/src/modules/active_response/include/active_responses.h b/src/modules/active_response/include/active_responses.h
new file mode 100644
index 0000000000..c6a7166c57
--- /dev/null
+++ b/src/modules/active_response/include/active_responses.h
@@ -0,0 +1,158 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "shared.h"
+
+#ifndef WIN32
+#define LOG_FILE "logs/active-responses.log"
+#else
+#define LOG_FILE "active-response\\active-responses.log"
+#endif
+
+#define COMMANDSIZE_4096 4096
+
+#define VERSION 1
+#define AR_MODULE_NAME "active-response"
+#define CHECK_KEYS_ENTRY "check_keys"
+
+/**
+ * Enumeration of the available commands
+ * */
+typedef enum _ar_command_list {
+    ADD_COMMAND = 0,
+    DELETE_COMMAND,
+    CONTINUE_COMMAND,
+    ABORT_COMMAND
+} ar_command_list;
+
+/**
+ * Write the incomming message in active-responses log file.
+ * @param ar_name Name of active response
+ * @param msg Incomming message to write
+ * */
+void write_debug_file(const char *ar_name, const char *msg);
+
+/**
+ * @brief Set wazuh home directory and check message from stdin
+ * @param argv Arguments of the script
+ * @param message JSON message from stdin
+ * @return Command from message
+ */
+int setup_and_check_message(char **argv, cJSON **message);
+
+/**
+ * @brief Send message with keys and check message from stdin
+ * @param argv Arguments of the script
+ * @param keys Keys to be sent
+ * @return Command from message
+ */
+int send_keys_and_check_message(char **argv, char **keys);
+
+/**
+ * Get the json structure from input
+ * Caller must call cJSON_Delete() to release the object
+ * @param input Input to validate
+ * @return JSON input or NULL on Invalid
+ * */
+cJSON* get_json_from_input(const char *input);
+
+/**
+ * Get command from input
+ * @param input Input
+ * @return char * with the command or NULL on fail
+ * */
+const char* get_command_from_json(const cJSON *input);
+
+/**
+ * Get alert from input
+ * @param input Input
+ * @return JSON alert or NULL on Invalid.
+ * */
+const cJSON* get_alert_from_json(const cJSON *input);
+
+/**
+ * Get srcip from input
+ * @param input Input
+ * @return char * with the srcip or NULL on fail
+ * */
+const char* get_srcip_from_json(const cJSON *input);
+
+/**
+ * Get username from input
+ * @param input Input
+ * @return char * with the username or NULL on fail
+ * */
+const char* get_username_from_json(const cJSON *input);
+
+/**
+ * Get extra_args from input
+ * @param input Input
+ * @return char * with the extra_args or NULL on fail
+ * */
+char* get_extra_args_from_json(const cJSON *input);
+
+/**
+ * Get keys from input
+ * @param input Input
+ * @return char * with the keys or NULL on fail
+ * */
+char* get_keys_from_json(const cJSON *input);
+
+/**
+ * @brief This function splits a string using a delimiter
+ * @param output_buf buffer output
+ * @param delimiter  delimiter used to split the string
+ * @param strBefore  buffer to store split string before delimiter
+ * @param strAfter   buffer to store split string after delimiter
+*/
+void splitStrFromCharDelimiter(const char * output_buf, const char delimiter, char * strBefore, char * strAfter);
+
+/**
+ * @brief It looks for a string that matches pattern 1, if it finds it, it looks again for pattern 2, there should be spaces in the middle between the patterns.
+ * @param output_buf buffer where search
+ * @param str_pattern_1 pattern to match
+ * @param str_pattern_2 pattern to match
+ * @return 1 or 0
+ * @example output_buf -> "... Status:    Disabled ..."
+ *          isEnabledFromPattern(output_buf, "Status: ", "Enabled")
+ *            if it matches pattern 1 look for pattern 2 and if found, it returns 1
+ *          isEnabledFromPattern(output_buf, "Status: ", NULL)
+ *            find only by "Status"
+*/
+int isEnabledFromPattern(const char * output_buf, const char * str_pattern_1, const char * str_pattern_2);
+
+#ifndef WIN32
+
+/**
+ * Write process pid to lock simultaneous executions of the script
+ * @param lock_path Path of the folder to lock
+ * @param lock_pid_path Path of the file to lock
+ * @param log_path Messages log file
+ * @param proc_name Name of the proces to lock/unlock
+ * @return OS_SUCCESS or OS_INVALID
+ * */
+int lock(const char *lock_path, const char *lock_pid_path, const char *log_path, const char *proc_name);
+
+/**
+ * Remove lock
+ * @param lock_path Path of the folder to lock
+ * @param log_path Messages log file
+ * */
+void unlock(const char *lock_path, const char *log_path);
+
+/**
+ * Check ip version from a string
+ * @param ip Ip to check version
+ * @retval 4 If ip is ipv4
+ * @retval 6 If ip is ipv6
+ * @retval OS_INVALID on Invalid IP or error
+ * */
+int get_ip_version(const char *ip);
+
+#endif
diff --git a/src/modules/active_response/include/execd.h b/src/modules/active_response/include/execd.h
new file mode 100644
index 0000000000..b2fb7679e6
--- /dev/null
+++ b/src/modules/active_response/include/execd.h
@@ -0,0 +1,91 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef EXECD_H
+#define EXECD_H
+
+#ifndef ARGV0
+#define ARGV0 "wazuh-execd"
+#endif
+
+/* Arguments for the commands */
+#define ADD_ENTRY       "add"
+#define DELETE_ENTRY    "delete"
+#define CONTINUE_ENTRY  "continue"
+#define ABORT_ENTRY     "abort"
+
+/* Maximum number of active responses active */
+#define MAX_AR      64
+
+/* Maximum number of command arguments */
+#define MAX_ARGS    32
+
+/* Execd select timeout -- in seconds */
+#define EXECD_TIMEOUT   1
+
+extern int repeated_offenders_timeout[];
+extern time_t pending_upg;
+extern int is_disabled;
+extern int req_timeout;
+extern int max_restart_lock;
+
+/** Function prototypes **/
+
+int ReadExecConfig(void);
+cJSON *getARConfig(void);
+cJSON *getExecdInternalOptions(void);
+cJSON *getClusterConfig(void);
+char *GetCommandbyName(const char *name, int *timeout) __attribute__((nonnull));
+void ExecCmd(char *const *cmd) __attribute__((nonnull));
+void ExecCmd_Win32(char *cmd);
+int ExecdConfig(const char *cfgfile) __attribute__((nonnull));
+
+#ifdef WIN32
+int WinExecdStart(void);
+void ExecdRun(char *exec_msg);
+void ExecdTimeoutRun();
+void ExecdShutdown();
+#else
+#ifdef WAZUH_UNIT_TESTING
+void ExecdStart(int q);
+#else
+void ExecdStart(int q) __attribute__((noreturn));
+#endif
+void ExecdRun(char *exec_msg, int *childcount);
+void ExecdTimeoutRun(int *childcount);
+void ExecdShutdown(int sig) __attribute__((noreturn));
+#endif
+
+size_t wcom_unmerge(const char *file_path, char **output);
+size_t wcom_uncompress(const char * source, const char * target, char ** output);
+size_t wcom_restart(char **output);
+size_t wcom_dispatch(char *command, char **output);
+size_t lock_restart(int timeout);
+size_t wcom_getconfig(const char * section, char ** output);
+size_t wcom_check_manager_config(char **output);
+
+#ifndef WIN32
+// Com request thread dispatcher
+void * wcom_main(void * arg);
+#endif
+
+/* Timeout data structure */
+typedef struct _timeout_data {
+    time_t time_of_addition;
+    int time_to_block;
+    char **command;
+    char *parameters;
+    char *rkey;
+} timeout_data;
+
+void FreeTimeoutEntry(timeout_data *timeout_entry);
+void FreeTimeoutList();
+
+#endif /* EXECD_H */
diff --git a/src/modules/active_response/scripts/restart.sh b/src/modules/active_response/scripts/restart.sh
index e69de29bb2..87aba9d40f 100644
--- a/src/modules/active_response/scripts/restart.sh
+++ b/src/modules/active_response/scripts/restart.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Restarts Wazuh.
+# Copyright (C) 2015, Wazuh Inc.
+
+
+PARAM_TYPE=$1
+
+help()
+{
+    echo "Usage: $0 [manager|agent]"
+}
+
+# Usage
+if [ "$1" = "-h" ]; then
+    help
+    exit 0;
+fi
+
+# Checking user arguments
+if [ "x$PARAM_TYPE" = "xmanager" ]; then
+    TYPE="manager"
+elif [ "x$PARAM_TYPE" = "xagent" ]; then
+    TYPE="agent"
+else
+    help
+    exit 1;
+fi
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../../
+PWD=`pwd`
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/logs/active-responses.log
+
+# Rules and decoders test
+if [ "$TYPE" = "manager" ]; then
+    if !(${PWD}/bin/wazuh-logtest-legacy -t > /dev/null 2>&1); then
+        exit 1;
+    fi
+fi
+
+${PWD}/bin/wazuh-control restart
+
+exit $?;
diff --git a/src/modules/active_response/src/active_responses.c b/src/modules/active_response/src/active_responses.c
new file mode 100644
index 0000000000..177307b997
--- /dev/null
+++ b/src/modules/active_response/src/active_responses.c
@@ -0,0 +1,651 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+
+/**
+ * Build JSON message with keys to be sent to execd
+ * @param ar_name Name of active response
+ * @param keys Array of keys
+ * @return char * with the JSON message in string format
+ */
+static char* build_json_keys_message(const char *ar_name, char **keys);
+
+/**
+ * Get srcip from win eventdata
+ * @param data Input
+ * @return cJSON * with the ipAddress or NULL on fail
+ * */
+static cJSON* get_srcip_from_win_eventdata(const cJSON *data);
+
+
+void write_debug_file(const char *ar_name, const char *msg) {
+    char *timestamp = w_get_timestamp(time(NULL));
+
+    FILE *ar_log_file = wfopen(LOG_FILE, "a");
+
+    if (ar_log_file) {
+        fprintf(ar_log_file, "%s %s: %s\n", timestamp, ar_name, msg);
+        fclose(ar_log_file);
+    }
+
+    os_free(timestamp);
+}
+
+int setup_and_check_message(char **argv, cJSON **message) {
+    int ret = OS_INVALID;
+    char input[OS_MAXSTR];
+    cJSON *input_json = NULL;
+
+#ifndef WIN32
+    char *home_path = w_homedir(argv[0]);
+
+    /* Trim absolute path to get Wazuh's installation directory */
+    home_path = w_strtok_r_str_delim("/active-response", &home_path);
+
+    /* Change working directory */
+    if (chdir(home_path) == -1) {
+        merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
+    }
+    os_free(home_path);
+#endif
+
+    write_debug_file(argv[0], "Starting");
+
+    memset(input, '\0', OS_MAXSTR);
+    if (fgets(input, OS_MAXSTR, stdin) == NULL) {
+        write_debug_file(argv[0], "Cannot read input from stdin");
+        return OS_INVALID;
+    }
+
+    write_debug_file(argv[0], input);
+
+    input_json = get_json_from_input(input);
+    if (!input_json) {
+        write_debug_file(argv[0], "Invalid input format");
+        return OS_INVALID;
+    }
+
+    const char *action = get_command_from_json(input_json);
+    if (!action) {
+        write_debug_file(argv[0], "Cannot read 'command' from json");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("add", action)) {
+        ret = ADD_COMMAND;
+    } else if (!strcmp("delete", action)) {
+        ret = DELETE_COMMAND;
+    } else {
+        write_debug_file(argv[0], "Invalid value of 'command'");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (message) {
+        *message = input_json;
+    }
+
+    return ret;
+}
+
+int send_keys_and_check_message(char **argv, char **keys) {
+    int ret = OS_INVALID;
+    char *keys_msg;
+    char input[OS_MAXSTR];
+    cJSON *input_json = NULL;
+
+    // Build and send message with keys
+    keys_msg = build_json_keys_message(basename_ex(argv[0]), keys);
+
+    write_debug_file(argv[0], keys_msg);
+
+    fprintf(stdout, "%s\n", keys_msg);
+    fflush(stdout);
+
+    os_free(keys_msg);
+
+    // Read the response of previous message
+    memset(input, '\0', OS_MAXSTR);
+    if (fgets(input, OS_MAXSTR, stdin) == NULL) {
+        write_debug_file(argv[0], "Cannot read input from stdin");
+        return OS_INVALID;
+    }
+
+    write_debug_file(argv[0], input);
+
+    input_json = get_json_from_input(input);
+    if (!input_json) {
+        write_debug_file(argv[0], "Invalid input format");
+        return OS_INVALID;
+    }
+
+    const char *action = get_command_from_json(input_json);
+    if (!action) {
+        write_debug_file(argv[0], "Cannot read 'command' from json");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("continue", action)) {
+        ret = CONTINUE_COMMAND;
+    } else if (!strcmp("abort", action)) {
+        ret = ABORT_COMMAND;
+    } else {
+        ret = OS_INVALID;
+        write_debug_file(argv[0], "Invalid value of 'command'");
+    }
+
+    cJSON_Delete(input_json);
+
+    return ret;
+}
+
+cJSON* get_json_from_input(const char *input) {
+    cJSON *input_json = NULL;
+    cJSON *version_json = NULL;
+    cJSON *origin_json = NULL;
+    cJSON *command_json = NULL;
+    cJSON *parameters_json = NULL;
+    const char *json_err;
+
+    // Parsing input
+    if (input_json = cJSON_ParseWithOpts(input, &json_err, 0), !input_json) {
+        return NULL;
+    }
+
+    // Detect version
+    version_json = cJSON_GetObjectItem(input_json, "version");
+    if (!cJSON_IsNumber(version_json)) {
+        cJSON_Delete(input_json);
+        return NULL;
+    }
+
+    // Detect origin
+    origin_json = cJSON_GetObjectItem(input_json, "origin");
+    if (!cJSON_IsObject(origin_json)) {
+        cJSON_Delete(input_json);
+        return NULL;
+    }
+
+    // Detect command
+    command_json = cJSON_GetObjectItem(input_json, "command");
+    if (!cJSON_IsString(command_json)) {
+        cJSON_Delete(input_json);
+        return NULL;
+    }
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input_json, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        cJSON_Delete(input_json);
+        return NULL;
+    }
+
+    return input_json;
+}
+
+const char* get_command_from_json(const cJSON *input) {
+    cJSON *command_json = NULL;
+
+    // Detect command
+    command_json = cJSON_GetObjectItem(input, "command");
+    if (cJSON_IsString(command_json)) {
+        return command_json->valuestring;
+    }
+
+    return NULL;
+}
+
+const cJSON* get_alert_from_json(const cJSON *input) {
+    cJSON *parameters_json = NULL;
+    cJSON *alert_json = NULL;
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        return NULL;
+    }
+
+    // Detect alert
+    alert_json = cJSON_GetObjectItem(parameters_json, "alert");
+    if (!cJSON_IsObject(alert_json)) {
+        return NULL;
+    }
+
+    return alert_json;
+}
+
+const char* get_srcip_from_json(const cJSON *input) {
+    cJSON *parameters_json = NULL;
+    cJSON *alert_json = NULL;
+    cJSON *data_json = NULL;
+    cJSON *srcip_json = NULL;
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        return NULL;
+    }
+
+    // Detect alert
+    alert_json = cJSON_GetObjectItem(parameters_json, "alert");
+    if (!cJSON_IsObject(alert_json)) {
+        return NULL;
+    }
+
+    // Detect data
+    data_json = cJSON_GetObjectItem(alert_json, "data");
+    if (!cJSON_IsObject(data_json)) {
+        return NULL;
+    }
+
+    // Detect srcip from win.eventdata
+    srcip_json = get_srcip_from_win_eventdata(data_json);
+    if (cJSON_IsString(srcip_json)) {
+        return srcip_json->valuestring;
+    }
+    // Detect srcip from data
+    srcip_json = cJSON_GetObjectItem(data_json, "srcip");
+    if (cJSON_IsString(srcip_json)) {
+        return srcip_json->valuestring;
+    }
+
+    return NULL;
+}
+
+static cJSON* get_srcip_from_win_eventdata(const cJSON *data) {
+    cJSON *win_json = NULL;
+    cJSON *eventdata_json = NULL;
+    cJSON *ipAddress_json = NULL;
+
+    // Detect win
+    win_json = cJSON_GetObjectItem(data, "win");
+    if (!cJSON_IsObject(win_json)) {
+        return NULL;
+    }
+
+    // Detect eventdata
+    eventdata_json = cJSON_GetObjectItem(win_json, "eventdata");
+    if (!cJSON_IsObject(eventdata_json)) {
+        return NULL;
+    }
+
+    // Detect ipAddress
+    ipAddress_json = cJSON_GetObjectItem(eventdata_json, "ipAddress");
+    if (cJSON_IsString(ipAddress_json)) {
+        return ipAddress_json;
+    }
+
+    // Detect destinationIp
+    ipAddress_json = cJSON_GetObjectItem(eventdata_json, "destinationIp");
+    if (cJSON_IsString(ipAddress_json)) {
+        return ipAddress_json;
+    }
+
+    return NULL;
+}
+
+const char* get_username_from_json(const cJSON *input) {
+    cJSON *parameters_json = NULL;
+    cJSON *alert_json = NULL;
+    cJSON *data_json = NULL;
+    cJSON *username_json = NULL;
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        return NULL;
+    }
+
+    // Detect alert
+    alert_json = cJSON_GetObjectItem(parameters_json, "alert");
+    if (!cJSON_IsObject(alert_json)) {
+        return NULL;
+    }
+
+    // Detect data
+    data_json = cJSON_GetObjectItem(alert_json, "data");
+    if (!cJSON_IsObject(data_json)) {
+        return NULL;
+    }
+
+    // Detect username
+    username_json = cJSON_GetObjectItem(data_json, "dstuser");
+    if (cJSON_IsString(username_json)) {
+        return username_json->valuestring;
+    }
+
+    return NULL;
+}
+
+char* get_extra_args_from_json(const cJSON *input) {
+    cJSON *parameters_json = NULL;
+    cJSON *extra_args_json = NULL;
+    char args[COMMANDSIZE_4096];
+    char *extra_args = NULL;
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        return NULL;
+    }
+
+    // Detect extra_args
+    extra_args_json = cJSON_GetObjectItem(parameters_json, "extra_args");
+    if (!cJSON_IsArray(extra_args_json)) {
+        return NULL;
+    }
+
+    memset(args, '\0', COMMANDSIZE_4096);
+    for (int i = 0; i < cJSON_GetArraySize(extra_args_json); i++) {
+        cJSON *subitem = cJSON_GetArrayItem(extra_args_json, i);
+        if (cJSON_IsString(subitem)) {
+            if (strlen(args) + strlen(subitem->valuestring) + 2 > COMMANDSIZE_4096) {
+                break;
+            }
+            if (args[0] != '\0') {
+                strcat(args, " ");
+            }
+            strcat(args, subitem->valuestring);
+        }
+    }
+
+    if (args[0] != '\0') {
+        os_strdup(args, extra_args);
+    }
+
+    return extra_args;
+}
+
+char* get_keys_from_json(const cJSON *input) {
+    cJSON *parameters_json = NULL;
+    cJSON *keys_json = NULL;
+    char args[COMMANDSIZE_4096];
+    char *keys = NULL;
+
+    // Detect parameters
+    parameters_json = cJSON_GetObjectItem(input, "parameters");
+    if (!cJSON_IsObject(parameters_json)) {
+        return NULL;
+    }
+
+    // Detect keys
+    keys_json = cJSON_GetObjectItem(parameters_json, "keys");
+    if (!cJSON_IsArray(keys_json)) {
+        return NULL;
+    }
+
+    memset(args, '\0', COMMANDSIZE_4096);
+    for (int i = 0; i < cJSON_GetArraySize(keys_json); i++) {
+        cJSON *subitem = cJSON_GetArrayItem(keys_json, i);
+        if (cJSON_IsString(subitem)) {
+            if (strlen(args) + strlen(subitem->valuestring) + 2 > COMMANDSIZE_4096) {
+                break;
+            }
+            strcat(args, "-");
+            strcat(args, subitem->valuestring);
+        }
+    }
+
+    if (args[0] != '\0') {
+        os_strdup(args, keys);
+    }
+
+    return keys;
+}
+
+static char* build_json_keys_message(const char *ar_name, char **keys) {
+    cJSON *_object = NULL;
+    cJSON *_array = NULL;
+    char *msg = NULL;
+    int keys_size;
+
+    cJSON *message = cJSON_CreateObject();
+
+    cJSON_AddNumberToObject(message, "version", VERSION);
+
+    _object = cJSON_CreateObject();
+    cJSON_AddItemToObject(message, "origin", _object);
+
+    cJSON_AddStringToObject(_object, "name", ar_name ? ar_name : "");
+    cJSON_AddStringToObject(_object, "module", AR_MODULE_NAME);
+
+    cJSON_AddStringToObject(message, "command", CHECK_KEYS_ENTRY);
+
+    _object = cJSON_CreateObject();
+    cJSON_AddItemToObject(message, "parameters", _object);
+
+    _array = cJSON_CreateArray();
+    cJSON_AddItemToObject(_object, "keys", _array);
+
+    for (keys_size = 0; (keys != NULL) && (keys[keys_size] != NULL); keys_size++) {
+        cJSON_AddItemToArray(_array, cJSON_CreateString(keys[keys_size]));
+    }
+
+    msg = cJSON_PrintUnformatted(message);
+
+    cJSON_Delete(message);
+
+    return msg;
+}
+
+void splitStrFromCharDelimiter(const char * output_buf, const char delimiter, char * strBefore, char * strAfter){
+    const char *pos = NULL;
+
+    if (output_buf != NULL) {
+        pos = strchr(output_buf, delimiter);
+
+        if (pos != NULL) {
+            if (strBefore != NULL) {
+                strncpy(strBefore, output_buf, pos - output_buf);
+            }
+            if (strAfter != NULL) {
+                strncpy(strAfter, pos + 1, strlen(pos));
+            }
+        }
+    }
+}
+
+int isEnabledFromPattern(const char * output_buf, const char * str_pattern_1, const char * str_pattern_2) {
+    int retVal = 0;
+    const char *pos = NULL;
+
+    if (str_pattern_1 != NULL) {
+        pos = strstr(output_buf, str_pattern_1);
+    }
+
+    if (pos != NULL) {
+        char state[OS_MAXSTR];
+        char buffer[OS_MAXSTR];
+
+        if (str_pattern_2 != NULL) {
+            snprintf(buffer, OS_MAXSTR -1, "%%*s %%%lds", strlen(str_pattern_2));
+            if (sscanf(pos, buffer /*"%*s %7s"*/, state) == 1) {
+                if (strcmp(state, str_pattern_2) == 0) {
+                    retVal = 1;
+                } else {
+                    retVal = 0;
+                }
+            }
+        } else {
+            retVal = 1;
+        }
+    }
+
+    return retVal;
+}
+
+#ifndef WIN32
+
+int lock(const char *lock_path, const char *lock_pid_path, const char *log_path, const char *proc_name) {
+    char log_msg[OS_MAXSTR];
+    int i=0;
+    int max_iteration = 50;
+    int saved_pid = -1;
+    int read;
+
+    // Providing a lock.
+    while (true) {
+        FILE *pid_file;
+        int current_pid = -1;
+
+        if (mkdir(lock_path, S_IRWXG) == 0) {
+            // Lock acquired (setting the pid)
+            pid_t pid = getpid();
+            if (pid_file = wfopen(lock_pid_path, "w"), !pid_file) {
+                write_debug_file(log_path, "Cannot write pid file");
+                return OS_INVALID;
+            } else {
+                fprintf(pid_file, "%d", (int)pid);
+                fclose(pid_file);
+                return OS_SUCCESS;
+            }
+        }
+
+        // Getting currently/saved PID locking the file
+        if (pid_file = wfopen(lock_pid_path, "r"), !pid_file) {
+            write_debug_file(log_path, "Cannot read pid file");
+        } else {
+            read = fscanf(pid_file, "%d", &current_pid);
+            fclose(pid_file);
+
+            if (read == 1) {
+                if (saved_pid == -1) {
+                    saved_pid = current_pid;
+                }
+
+                if (current_pid == saved_pid) {
+                    i++;
+                }
+
+            } else {
+                write_debug_file(log_path, "Cannot read pid file");
+            }
+        }
+
+        sleep(i);
+
+        i++;
+
+        // So i increments 2 by 2 if the pid does not change.
+        // If the pid keeps changing, we will increments one
+        // by one and fail after MAX_ITERACTION
+        if (i >= max_iteration) {
+            bool kill = false;
+            char *pgrep_path = NULL;
+
+            if (get_binary_path("pgrep", &pgrep_path) < 0) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", pgrep_path);
+                write_debug_file(log_path, log_msg);
+            }
+            char *command_ex_1[4] = { pgrep_path, "-f", (char *)proc_name, NULL };
+
+            wfd_t *wfd = wpopenv(*command_ex_1, command_ex_1, W_BIND_STDOUT);
+            if (!wfd) {
+                write_debug_file(log_path, "Unable to run pgrep");
+            } else {
+                char output_buf[OS_MAXSTR];
+                while (fgets(output_buf, OS_MAXSTR, wfd->file_out)) {
+                    int pid = atoi(output_buf);
+                    if (pid == current_pid) {
+                        char pid_str[10];
+                        char *kill_path = NULL;
+                        memset(pid_str, '\0', 10);
+                        snprintf(pid_str, 9, "%d", pid);
+
+                        if (get_binary_path("kill", &kill_path) < 0) {
+                            memset(log_msg, '\0', OS_MAXSTR);
+                            snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", kill_path);
+                            write_debug_file(log_path, log_msg);
+                        }
+                        char *command_ex_2[4] = { kill_path, "-9", pid_str, NULL };
+
+                        wfd_t *wfd2 = wpopenv(*command_ex_2, command_ex_2, W_BIND_STDOUT);
+                        if (!wfd2) {
+                            write_debug_file(log_path, "Unable to run kill");
+                        } else {
+                            wpclose(wfd2);
+                            memset(log_msg, '\0', OS_MAXSTR);
+                            snprintf(log_msg, OS_MAXSTR -1, "Killed process %d holding lock.", pid);
+                            write_debug_file(log_path, log_msg);
+                            kill = true;
+                            unlock(lock_path, log_path);
+                            i = 0;
+                            saved_pid = -1;
+                        }
+                        os_free(kill_path);
+                        break;
+                    }
+                }
+                wpclose(wfd);
+            }
+
+            os_free(pgrep_path);
+
+            if (!kill) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to kill process %d holding lock.", current_pid);
+                write_debug_file(log_path, log_msg);
+
+                // Unlocking
+                unlock(lock_path, log_path);
+
+                // Try take lock again
+                if (mkdir(lock_path, S_IRWXG) == 0) {
+                    // Lock acquired (setting the pid)
+                    pid_t pid = getpid();
+                    pid_file = wfopen(lock_pid_path, "w");
+                    fprintf(pid_file, "%d", (int)pid);
+                    fclose(pid_file);
+
+                    return OS_SUCCESS;
+                }
+
+                return OS_INVALID;
+            }
+        }
+    }
+
+}
+
+void unlock(const char *lock_path, const char *log_path) {
+    if (rmdir_ex(lock_path) < 0) {
+        write_debug_file(log_path, "Unable to remove lock folder");
+    }
+}
+
+int get_ip_version(const char *ip) {
+    struct addrinfo hint, *res = NULL;
+    int ret;
+
+    memset(&hint, '\0', sizeof hint);
+
+    hint.ai_family = AF_UNSPEC;
+    hint.ai_flags = AI_NUMERICHOST;
+
+    ret = getaddrinfo(ip, NULL, &hint, &res);
+    if (ret) {
+        freeaddrinfo(res);
+        return OS_INVALID;
+    }
+    if (res->ai_family == AF_INET) {
+        freeaddrinfo(res);
+        return 4;
+    } else if (res->ai_family == AF_INET6) {
+        freeaddrinfo(res);
+        return 6;
+    }
+
+    freeaddrinfo(res);
+    return OS_INVALID;
+}
+#endif
diff --git a/src/modules/active_response/src/binaries/default_firewall_drop.c b/src/modules/active_response/src/binaries/default_firewall_drop.c
new file mode 100644
index 0000000000..80f2dab2f8
--- /dev/null
+++ b/src/modules/active_response/src/binaries/default_firewall_drop.c
@@ -0,0 +1,333 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "../active_responses.h"
+
+#define LOCK_PATH "active-response/bin/fw-drop"
+#define LOCK_FILE "active-response/bin/fw-drop/pid"
+#define IP4TABLES "iptables"
+#define IP6TABLES "ip6tables"
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char iptables_tmp[COMMANDSIZE_4096 - 5] = "";
+    char log_msg[OS_MAXSTR];
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+    struct utsname uname_buffer;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    int ip_version = get_ip_version(srcip);
+    if (ip_version == 4) {
+        strcpy(iptables_tmp, IP4TABLES);
+    } else if (ip_version == 6) {
+        strcpy(iptables_tmp, IP6TABLES);
+    } else {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Unable to run active response (invalid IP: '%s').", srcip);
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (uname(&uname_buffer) < 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("Linux", uname_buffer.sysname)) {
+        char lock_path[COMMANDSIZE_4096];
+        char lock_pid_path[COMMANDSIZE_4096];
+        char *iptables = NULL;
+        wfd_t *wfd = NULL;
+
+        // Checking if iptables is present
+        if (get_binary_path(iptables_tmp, &iptables) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "The iptables file '%s' is not accessible: %s (%d)", iptables, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(iptables);
+            return OS_SUCCESS;
+        }
+
+        char arg[3] = {0};
+        if (action == ADD_COMMAND) {
+            strcpy(arg, "-I");
+        } else {
+            strcpy(arg, "-D");
+        }
+
+        memset(lock_path, '\0', COMMANDSIZE_4096);
+        memset(lock_pid_path, '\0', COMMANDSIZE_4096);
+        snprintf(lock_path, COMMANDSIZE_4096 - 1, "%s", LOCK_PATH);
+        snprintf(lock_pid_path, COMMANDSIZE_4096 - 1, "%s", LOCK_FILE);
+
+        // Taking lock
+        if (lock(lock_path, lock_pid_path, argv[0], basename(argv[0])) == OS_INVALID) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to take lock. End.");
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(iptables);
+            return OS_INVALID;
+        }
+
+        int count = 0;
+        bool flag = true;
+        while (flag) {
+            char *exec_cmd1[8] = { iptables, arg, "INPUT", "-s", (char *)srcip, "-j", "DROP", NULL };
+
+            wfd = wpopenv(iptables, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                count++;
+                if (count > 4) {
+                    flag = false;
+                    write_debug_file(argv[0], "Unable to run iptables");
+                } else {
+                    sleep(count);
+                }
+            } else {
+                flag = false;
+                wpclose(wfd);
+            }
+        }
+
+        count = 0;
+        flag = true;
+        while (flag) {
+            char *exec_cmd2[8] = { iptables, arg, "FORWARD", "-s", (char *)srcip, "-j", "DROP", NULL };
+
+            wfd = wpopenv(iptables, exec_cmd2, W_BIND_STDERR);
+            if (!wfd) {
+                count++;
+                if (count > 4) {
+                    flag = false;
+                    write_debug_file(argv[0], "Unable to run iptables");
+                } else {
+                    sleep(count);
+                }
+            } else {
+                flag = false;
+                wpclose(wfd);
+            }
+        }
+        unlock(lock_path, argv[0]);
+        os_free(iptables);
+
+    } else if (!strcmp("FreeBSD", uname_buffer.sysname) || !strcmp("SunOS", uname_buffer.sysname) || !strcmp("NetBSD", uname_buffer.sysname)) {
+        char arg1[COMMANDSIZE_4096];
+        char arg2[COMMANDSIZE_4096];
+        char ipfarg[COMMANDSIZE_4096];
+        char *ipfilter_path = NULL;
+        wfd_t *wfd = NULL;
+
+        // Checking if ipfilter is present
+        if (get_binary_path("ipf", &ipfilter_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The ipfilter file '%s' is not accessible: %s (%d)", ipfilter_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(ipfilter_path);
+            return OS_SUCCESS;
+        }
+
+        memset(arg1, '\0', COMMANDSIZE_4096);
+        memset(arg2, '\0', COMMANDSIZE_4096);
+        memset(ipfarg, '\0', COMMANDSIZE_4096);
+
+        snprintf(arg1, COMMANDSIZE_4096 -1, "block out quick from any to %s", srcip);
+        snprintf(arg2, COMMANDSIZE_4096 -1, "block in quick from %s to any", srcip);
+        if (action == ADD_COMMAND) {
+            snprintf(ipfarg, COMMANDSIZE_4096 -1,"-f");
+        } else {
+            snprintf(ipfarg, COMMANDSIZE_4096 -1,"-rf");
+        }
+
+        char *exec_cmd1[4] = { ipfilter_path, ipfarg, "-", NULL };
+
+        wfd = wpopenv(ipfilter_path, exec_cmd1, W_BIND_STDIN);
+        if (!wfd) {
+            write_debug_file(argv[0], "Unable to run ipf");
+        } else {
+            fprintf(wfd->file_in, "%s\n", arg1);
+            fflush(wfd->file_in);
+            wpclose(wfd);
+        }
+
+        wfd = wpopenv(ipfilter_path, exec_cmd1, W_BIND_STDIN);
+        if (!wfd) {
+            write_debug_file(argv[0], "Unable to run ipf");
+        } else {
+            fprintf(wfd->file_in, "%s\n", arg2);
+            fflush(wfd->file_in);
+            wpclose(wfd);
+        }
+        os_free(ipfilter_path);
+
+    } else if (!strcmp("AIX", uname_buffer.sysname)) {
+        char *genfilt_path = NULL;
+        char *lsfilt_path = NULL;
+        char *mkfilt_path = NULL;
+        char *rmfilt_path = NULL;
+        wfd_t *wfd = NULL;
+
+        // Checking if genfilt is present
+        if (get_binary_path("genfilt", &genfilt_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The genfilt file '%s' is not accessible: %s (%d)", genfilt_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(genfilt_path);
+            return OS_SUCCESS;
+        }
+
+        // Checking if lsfilt is present
+        if (get_binary_path("lsfilt", &lsfilt_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The lsfilt file '%s' is not accessible: %s (%d)", lsfilt_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(genfilt_path);
+            os_free(lsfilt_path);
+            return OS_SUCCESS;
+        }
+
+        // Checking if mkfilt is present
+        if (get_binary_path("mkfilt", &mkfilt_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The mkfilt file '%s' is not accessible: %s (%d)", mkfilt_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(genfilt_path);
+            os_free(lsfilt_path);
+            os_free(mkfilt_path);
+            return OS_SUCCESS;
+        }
+
+        // Checking if rmfilt is present
+        if (get_binary_path("rmfilt", &rmfilt_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The rmfilt file '%s' is not accessible: %s (%d)", rmfilt_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(genfilt_path);
+            os_free(lsfilt_path);
+            os_free(mkfilt_path);
+            os_free(rmfilt_path);
+            return OS_SUCCESS;
+        }
+
+        if (action == ADD_COMMAND) {
+            char *exec_cmd1[18] = { genfilt_path, "-v", "4", "-a", "D", "-s", (char *)srcip, "-m", "255.255.255.255", "-d", "0.0.0.0", "-M", "0.0.0.0", "-w", "B", "-D", "\"Access Denied by WAZUH\"", NULL };
+
+            wfd = wpopenv(genfilt_path, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run genfilt");
+            } else {
+                wpclose(wfd);
+            }
+        } else {
+            char *exec_cmd1[5] = { lsfilt_path, "-v", "4", "-O", NULL };
+
+            wfd = wpopenv(lsfilt_path, exec_cmd1, W_BIND_STDOUT);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run lsfilt");
+            } else {
+                char output_buf[OS_MAXSTR];
+                while (fgets(output_buf, OS_MAXSTR, wfd->file_out)) {
+                    if (strstr(output_buf, srcip) != NULL) {
+                        // Removing a specific rule
+                        char *rule_str = strtok(output_buf, "|");
+                        char *exec_cmd2[6] = { rmfilt_path, "-v", "4", "-n", rule_str, NULL };
+
+                        wfd_t *wfd2 = wpopenv(rmfilt_path, exec_cmd2, W_BIND_STDERR);
+                        if (!wfd2) {
+                            write_debug_file(argv[0], "Unable to run rmfilt");
+                        } else {
+                            wpclose(wfd2);
+                        }
+                    }
+                }
+                wpclose(wfd);
+            }
+        }
+
+        // Deactivate and activate the filter rules
+        char *exec_cmd3[5] = { mkfilt_path, "-v", "4", "-d", NULL };
+
+        wfd = wpopenv(mkfilt_path, exec_cmd3, W_BIND_STDERR);
+        if (!wfd) {
+            write_debug_file(argv[0], "Unable to run mkfilt");
+        } else {
+            wpclose(wfd);
+        }
+
+        char *exec_cmd4[5] = { mkfilt_path, "-v", "4", "-u", NULL };
+
+        wfd = wpopenv(mkfilt_path, exec_cmd4, W_BIND_STDERR);
+        if (!wfd) {
+            write_debug_file(argv[0], "Unable to run mkfilt");
+        } else {
+            wpclose(wfd);
+        }
+
+        os_free(genfilt_path);
+        os_free(lsfilt_path);
+        os_free(mkfilt_path);
+        os_free(rmfilt_path);
+
+    } else {
+        write_debug_file(argv[0], "Invalid system");
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/disable_account.c b/src/modules/active_response/src/binaries/disable_account.c
new file mode 100644
index 0000000000..1e0148f59f
--- /dev/null
+++ b/src/modules/active_response/src/binaries/disable_account.c
@@ -0,0 +1,134 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char args[COMMANDSIZE_4096];
+    char *cmd_path = NULL;
+    char log_msg[OS_MAXSTR];
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+    struct utsname uname_buffer;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Detect username
+    const char *user = get_username_from_json(input_json);
+    if (!user) {
+        write_debug_file(argv[0], "Cannot read 'dstuser' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(user, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    if (!strcmp("root", user)) {
+        write_debug_file(argv[0], "Invalid username");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (uname(&uname_buffer) < 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("Linux", uname_buffer.sysname) || !strcmp("SunOS", uname_buffer.sysname)) {
+        // Checking if passwd is present
+        if (get_binary_path("passwd", &cmd_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The passwd file '%s' is not accessible: %s (%d)", cmd_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(cmd_path);
+            return OS_SUCCESS;
+        }
+
+        memset(args, '\0', COMMANDSIZE_4096);
+        if (action == ADD_COMMAND) {
+            snprintf(args, COMMANDSIZE_4096 -1, "-l");
+        } else {
+            snprintf(args, COMMANDSIZE_4096 -1, "-u");
+        }
+
+    } else if (!strcmp("AIX", uname_buffer.sysname)) {
+        // Checking if chuser is present
+        if (get_binary_path("chuser", &cmd_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The chuser file '%s' is not accessible: %s (%d)", cmd_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(cmd_path);
+            return OS_SUCCESS;
+        }
+
+        // Disabling an account
+        memset(args, '\0', COMMANDSIZE_4096);
+        if (action == ADD_COMMAND) {
+            snprintf(args, COMMANDSIZE_4096 -1, "account_locked=true");
+        } else {
+            snprintf(args, COMMANDSIZE_4096 -1, "account_locked=false");
+        }
+
+    } else {
+        write_debug_file(argv[0], "Invalid system");
+        cJSON_Delete(input_json);
+        return OS_SUCCESS;
+    }
+
+    // Execute the command
+    char *exec_cmd1[4] = { cmd_path, args, (char *)user, NULL };
+
+    wfd_t *wfd = wpopenv(cmd_path, exec_cmd1, W_BIND_STDERR);
+    if (!wfd) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Error executing '%s': %s", cmd_path, strerror(errno));
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(cmd_path);
+        return OS_INVALID;
+    }
+    wpclose(wfd);
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+    os_free(cmd_path);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/firewalld_drop.c b/src/modules/active_response/src/binaries/firewalld_drop.c
new file mode 100644
index 0000000000..4d2b2893b2
--- /dev/null
+++ b/src/modules/active_response/src/binaries/firewalld_drop.c
@@ -0,0 +1,156 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+
+#define LOCK_PATH "active-response/bin/fw-drop"
+#define LOCK_FILE "active-response/bin/fw-drop/pid"
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char rule[COMMANDSIZE_4096];
+    char log_msg[OS_MAXSTR];
+    char lock_path[COMMANDSIZE_4096];
+    char lock_pid_path[COMMANDSIZE_4096];
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+    struct utsname uname_buffer;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    int ip_version = get_ip_version(srcip);
+    memset(rule, '\0', COMMANDSIZE_4096);
+    if (ip_version == 4) {
+        snprintf(rule, COMMANDSIZE_4096 -1, "rule family=ipv4 source address=%s drop", srcip);
+    } else if (ip_version == 6) {
+        snprintf(rule, COMMANDSIZE_4096 -1, "rule family=ipv6 source address=%s drop", srcip);
+    } else {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Unable to run active response (invalid IP: '%s').", srcip);
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (uname(&uname_buffer) != 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("Linux", uname_buffer.sysname)) {
+        char arg1[COMMANDSIZE_4096] = {0};
+        char *fw_cmd_path = NULL;
+
+        if (action == ADD_COMMAND) {
+            strcpy(arg1, "--add-rich-rule");
+        } else {
+            strcpy(arg1, "--remove-rich-rule");
+        }
+
+        // Checking if firewall-cmd is present
+        if (get_binary_path("firewall-cmd", &fw_cmd_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "The firewall-cmd file '%s' is not accessible: %s (%d)", fw_cmd_path, strerror(errno), errno);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(fw_cmd_path);
+            return OS_INVALID;
+        }
+
+        memset(lock_path, '\0', COMMANDSIZE_4096);
+        memset(lock_pid_path, '\0', COMMANDSIZE_4096);
+        snprintf(lock_path, COMMANDSIZE_4096 - 1, "%s", LOCK_PATH);
+        snprintf(lock_pid_path, COMMANDSIZE_4096 - 1, "%s", LOCK_FILE);
+
+        // Taking lock
+        if (lock(lock_path, lock_pid_path, argv[0], basename(argv[0])) == OS_INVALID) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to take lock. End.");
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(fw_cmd_path);
+            return OS_INVALID;
+        }
+
+        int count = 0;
+        bool flag = true;
+        while (flag) {
+            char *exec_cmd1[4] = { fw_cmd_path, arg1, rule, NULL };
+
+            wfd_t *wfd = wpopenv(fw_cmd_path, exec_cmd1, W_BIND_STDERR);
+            if (wfd) {
+                int wp_closefd = wpclose(wfd);
+                if ( WIFEXITED(wp_closefd) ) {
+                    int wstatus = WEXITSTATUS(wp_closefd);
+                    if (wstatus == 0) {
+                        flag = false;
+                    }
+                }
+            }
+            if (flag) {
+                count++;
+                if (count > 4) {
+                    flag = false;
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR -1, "Unable to run firewall-cmd, action: '%s', rule: '%s'", arg1, rule);
+                    write_debug_file(argv[0], log_msg);
+                } else {
+                    sleep(count);
+                }
+            }
+        }
+        unlock(lock_path, argv[0]);
+        os_free(fw_cmd_path);
+    } else {
+        write_debug_file(argv[0], "Invalid system");
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/host_deny.c b/src/modules/active_response/src/binaries/host_deny.c
new file mode 100644
index 0000000000..d492791b7e
--- /dev/null
+++ b/src/modules/active_response/src/binaries/host_deny.c
@@ -0,0 +1,224 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+
+#define LOCK_PATH "active-response/bin/host-deny-lock"
+#define LOCK_FILE "active-response/bin/host-deny-lock/pid"
+#define DEFAULT_HOSTS_DENY_PATH "/etc/hosts.deny"
+#define FREEBSD_HOSTS_DENY_PATH "/etc/hosts.allow"
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char hosts_deny_rule[COMMANDSIZE_4096];
+    char hosts_deny_path[COMMANDSIZE_4096];
+    char log_msg[OS_MAXSTR];
+    char lock_path[COMMANDSIZE_4096];
+    char lock_pid_path[COMMANDSIZE_4096];
+    char output_buf[OS_MAXSTR - 25];
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+    struct utsname uname_buffer;
+    FILE *host_deny_fp = NULL;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    if (get_ip_version(srcip) == OS_INVALID) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Unable to run active response (invalid IP: '%s')", srcip);
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (uname(&uname_buffer) != 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    memset(hosts_deny_rule, '\0', COMMANDSIZE_4096);
+    memset(hosts_deny_path, '\0', COMMANDSIZE_4096);
+    if (!strcmp("FreeBSD", uname_buffer.sysname)) {
+        snprintf(hosts_deny_rule, COMMANDSIZE_4096 -1, "ALL : %s : deny", srcip);
+        strcpy(hosts_deny_path, FREEBSD_HOSTS_DENY_PATH);
+    } else {
+        snprintf(hosts_deny_rule, COMMANDSIZE_4096 -1, "ALL:%s", srcip);
+        strcpy(hosts_deny_path, DEFAULT_HOSTS_DENY_PATH);
+    }
+
+    memset(lock_path, '\0', COMMANDSIZE_4096);
+    memset(lock_pid_path, '\0', COMMANDSIZE_4096);
+    snprintf(lock_path, COMMANDSIZE_4096 - 1, "%s", LOCK_PATH);
+    snprintf(lock_pid_path, COMMANDSIZE_4096 - 1, "%s", LOCK_FILE);
+
+    if (action == ADD_COMMAND) {
+        // Taking lock
+        if (lock(lock_path, lock_pid_path, argv[0], basename(argv[0])) == OS_INVALID) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to take lock. End.");
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            return OS_INVALID;
+        }
+
+        host_deny_fp = wfopen(hosts_deny_path, "r");
+        if (!host_deny_fp) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Could not open file '%s'", hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            unlock(lock_path, argv[0]);
+            return OS_INVALID;
+        }
+
+        // Looking for duplication
+        memset(output_buf, '\0', OS_MAXSTR - 25);
+        while (fgets(output_buf, OS_MAXSTR - 25, host_deny_fp)) {
+            if (strstr(output_buf, srcip) != NULL) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "IP %s already exists on '%s'", srcip, hosts_deny_path);
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                fclose(host_deny_fp);
+                unlock(lock_path, argv[0]);
+                return OS_INVALID;
+            }
+        }
+        fclose(host_deny_fp);
+
+        // Open again to append rule
+        host_deny_fp = wfopen(hosts_deny_path, "a");
+        if (!host_deny_fp) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Could not open file '%s'", hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            unlock(lock_path, argv[0]);
+            return OS_INVALID;
+        }
+
+        if (fprintf(host_deny_fp, "%s\n", hosts_deny_rule) <= 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to write rule '%s' on '%s'", hosts_deny_rule, hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+        }
+        fclose(host_deny_fp);
+
+        unlock(lock_path, argv[0]);
+
+    } else {
+        FILE *temp_host_deny_fp = NULL;
+        char temp_hosts_deny_path[COMMANDSIZE_4096];
+
+        memset(temp_hosts_deny_path, '\0', COMMANDSIZE_4096);
+        snprintf(temp_hosts_deny_path, COMMANDSIZE_4096 - 1, "%s", "active-response/bin/temp-hosts-deny");
+
+        // Taking lock
+        if (lock(lock_path, lock_pid_path, argv[0], basename(argv[0])) == OS_INVALID) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to take lock. End.");
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            return OS_INVALID;
+        }
+
+        bool write_fail = false;
+
+        host_deny_fp = wfopen(hosts_deny_path, "r");
+        if (!host_deny_fp) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Could not open file '%s'", hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            unlock(lock_path, argv[0]);
+            return OS_INVALID;
+        }
+
+        // Create the temporary file
+        temp_host_deny_fp = wfopen(temp_hosts_deny_path, "w");
+        if (!temp_host_deny_fp) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Could not open file '%s'", temp_hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            fclose(host_deny_fp);
+            unlock(lock_path, argv[0]);
+            return OS_INVALID;
+        }
+
+        memset(output_buf, '\0', OS_MAXSTR - 25);
+        while (fgets(output_buf, OS_MAXSTR - 25, host_deny_fp)) {
+            if (strstr(output_buf, srcip) == NULL) {
+                if (fwrite(output_buf, 1, strlen(output_buf), temp_host_deny_fp) != strlen(output_buf)) {
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR -1, "Unable to write line '%s'", output_buf);
+                    write_debug_file(argv[0], log_msg);
+                    write_fail = true;
+                    break;
+                }
+            }
+            memset(output_buf, '\0', OS_MAXSTR - 25);
+        }
+
+        fclose(host_deny_fp);
+        fclose(temp_host_deny_fp);
+
+        if (write_fail || rename(temp_hosts_deny_path, hosts_deny_path) != 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to write file '%s'", hosts_deny_path);
+            write_debug_file(argv[0], log_msg);
+        }
+
+        unlink(temp_hosts_deny_path);
+        unlock(lock_path, argv[0]);
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/netsh.c b/src/modules/active_response/src/binaries/netsh.c
new file mode 100644
index 0000000000..4c0d4fa995
--- /dev/null
+++ b/src/modules/active_response/src/binaries/netsh.c
@@ -0,0 +1,326 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WIN32
+
+#include "active_responses.h"
+#include "dll_load_notify.h"
+
+#define RULE_NAME "WAZUH ACTIVE RESPONSE BLOCKED IP"
+
+#define PATH_FIREWALL_PROFILES_REG_DEFAULT "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
+#define FIREWALL_DATA_INITIALIZE { false, false, FIREWALL_DOMAIN }
+#define FIREWALL_PROFILES_MAX (3)   /*!< Maximum number of profiles*/
+
+/**
+ * @brief enumeration of the available profiles
+ */
+typedef enum {
+    FIREWALL_DOMAIN = 0,
+    FIREWALL_PRIVATE,
+    FIREWALL_PUBLIC,
+    FIREWALL_DEFAULT
+} firewallProfile_t;
+
+/**
+ * @brief firewall data struct
+ */
+typedef struct {
+    bool isThereProfile;
+    bool isEnabled;
+    firewallProfile_t profile;
+} firewallData_t;
+
+/**
+ * @brief Get all firewall profiles status
+ * @param argv Name of logging file
+ * @return int
+ */
+static int getAllProfilesStatus(const char *argv);
+
+/**
+ * @brief Get name of the profile if it exists
+ * @param output_buf buffer output
+ * @param firewallData pointer to firewall data
+*/
+static void getFirewallProfile(const char * output_buf, firewallData_t *firewallData);
+
+/**
+ * @brief Get status of the profile
+ * @param output_buf buffer output
+ * @param firewallData pointer to firewall data
+*/
+static void getStatusFirewallProfile(const char * output_buf, firewallData_t *firewallData);
+
+int main (int argc, char **argv) {
+    // This must be always the first instruction
+    enable_dll_verification();
+
+    (void)argc;
+    char log_msg[OS_MAXSTR];
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    char name[OS_MAXSTR -1];
+    char description[OS_MAXSTR -1];
+    char remoteip[OS_MAXSTR -1];
+    wfd_t *wfd = NULL;
+    char *netsh_path = NULL;
+
+    snprintf(name, OS_MAXSTR -1, "name=\"%s\"", RULE_NAME);
+    snprintf(remoteip, OS_MAXSTR -1, "remoteip=%s/32", srcip);
+
+    // Checking if netsh.exe is present
+    if (get_binary_path("netsh.exe", &netsh_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", netsh_path);
+        write_debug_file(argv[0], log_msg);
+    }
+
+    char *exec_args_add[11] = { netsh_path, "advfirewall", "firewall", "add", "rule", name, "interface=any", "dir=in", "action=block", remoteip, NULL };
+    char *exec_args_delete[8] = { netsh_path, "advfirewall", "firewall", "delete", "rule", name, remoteip, NULL };
+
+    if ((action == ADD_COMMAND)) {
+        if (getAllProfilesStatus(argv[0]) == OS_INVALID) {
+            cJSON_Delete(input_json);
+            os_free(netsh_path);
+            return OS_INVALID;
+        }
+    }
+
+    if (1 == checkVista()) {
+        wfd = wpopenv(netsh_path, (action == ADD_COMMAND) ? exec_args_add : exec_args_delete, W_BIND_STDERR);
+        if (!wfd) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: '%s', rule: '%s'", (action == ADD_COMMAND) ? "ADD" : "DELETE", RULE_NAME);
+            write_debug_file(argv[0], log_msg);
+        } else {
+            wpclose(wfd);
+        }
+    } else {
+        snprintf(description, OS_MAXSTR -1, "description=\"%s\"", RULE_NAME);
+        snprintf(remoteip, OS_MAXSTR -1, "srcaddr=\"%s\"", srcip);
+
+        char *exec_args_delete[12] = { netsh_path, "ipsec", "static", "delete", "filter", "filterlist=\"wazuh_filter\"", "srcmask=\"255.255.255.255\"", remoteip, "dstaddr=Me", "protocol=\"any\"", "mirrored=yes", NULL };
+        char *exec_args_filter[12] = { netsh_path, "ipsec", "static", "add", "filter", "filterlist=\"wazuh_filter\"", "srcmask=\"255.255.255.255\"", remoteip, "dstaddr=Me", "protocol=\"any\"", "mirrored=yes", NULL };
+        char *exec_args_faction[8] = { netsh_path, "ipsec", "static", "add", "filteraction", "name=\"wazuh_action\"", "action=block", NULL };
+        char *exec_args_policy[9]  = { netsh_path, "ipsec", "static", "add", "policy", "name=\"wazuh_policy\"", "assign=yes", description, NULL };
+        char *exec_args_rule[10]   = { netsh_path, "ipsec", "static", "add", "rule", "name=wazuh_rule", "policy=wazuh_policy", "filterlist=wazuh_filter", "filteraction=wazuh_action", NULL };
+
+        if (action == ADD_COMMAND) {
+            wfd = wpopenv(netsh_path, exec_args_filter, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: 'ADD', 'wazuh_filter'");
+                write_debug_file(argv[0], log_msg);
+            } else {
+                wpclose(wfd);
+            }
+
+            wfd = wpopenv(netsh_path, exec_args_faction, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: 'ADD', 'wazuh_action'");
+                write_debug_file(argv[0], log_msg);
+            } else {
+                wpclose(wfd);
+            }
+
+            wfd = wpopenv(netsh_path, exec_args_policy, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: 'ADD', 'wazuh_policy'");
+                write_debug_file(argv[0], log_msg);
+            } else {
+                wpclose(wfd);
+            }
+
+            wfd = wpopenv(netsh_path, exec_args_rule, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: 'ADD', 'wazuh_rule'");
+                write_debug_file(argv[0], log_msg);
+            } else {
+                wpclose(wfd);
+            }
+        } else {
+            wfd = wpopenv(netsh_path, exec_args_delete, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run netsh, action: 'DELETE', rule: 'wazuh_rule'");
+                write_debug_file(argv[0], log_msg);
+            } else {
+                wpclose(wfd);
+            }
+        }
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+    os_free(netsh_path);
+
+    return OS_SUCCESS;
+}
+
+static int getAllProfilesStatus(const char *argv) {
+    char pathFirewallProfilesReg[256] = {0};
+    char *firewallProfilesReg[FIREWALL_PROFILES_MAX] = { "DomainProfile", "StandardProfile", "PublicProfile" };
+    bool globalfirewallStatus = true;
+    char aux_buf[OS_MAXSTR] = {0}, aux_buf2[OS_MAXSTR] = {0}, msgLengths[FIREWALL_PROFILES_MAX] = {0,0,0};
+    int countActiveProfile = 0, nextPositionComma = 0, numCommas = 0;
+    char output_buf[OS_MAXSTR];
+    char log_msg[OS_MAXSTR];
+    const char *firewallProfileStr[FIREWALL_PROFILES_MAX + 1] = { "FIREWALL_DOMAIN", "FIREWALL_PRIVATE", "FIREWALL_PUBLIC", "FIREWALL_DEFAULT" };
+    firewallData_t firewallData = FIREWALL_DATA_INITIALIZE;
+    wfd_t *wfd = NULL;
+    char *reg_path = NULL;
+
+
+    // Checking if reg.exe is present
+    if (get_binary_path("reg.exe", &reg_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", reg_path);
+        write_debug_file(argv, log_msg);
+    }
+
+    char *exec_args_show_profile[6] = { reg_path, "query", pathFirewallProfilesReg, "/v", "EnableFirewall", NULL };
+    memset(aux_buf2, '\0', OS_MAXSTR);
+    memset(log_msg, '\0', OS_MAXSTR);
+    strcpy(log_msg, "{\"message\":\"Active response may not have an effect\",\"firewall\":{");
+
+    for (int i = 0; i < FIREWALL_PROFILES_MAX; i++) {
+        memset(pathFirewallProfilesReg, 0, sizeof(pathFirewallProfilesReg));
+        strcpy(pathFirewallProfilesReg, PATH_FIREWALL_PROFILES_REG_DEFAULT);
+        strcat(pathFirewallProfilesReg, firewallProfilesReg[i]);
+
+        wfd = wpopenv(reg_path, exec_args_show_profile, W_BIND_STDOUT);
+
+        if (!wfd) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Error executing '%s' : %s", reg_path, strerror(errno));
+            write_debug_file(argv, log_msg);
+            os_free(reg_path);
+            return OS_INVALID;
+        } else {
+            while (fgets(output_buf, OS_MAXSTR -1, wfd->file_out)) {
+                if (firewallData.isThereProfile == false) {
+                    getFirewallProfile(output_buf, &firewallData);
+                } else {
+                    countActiveProfile++;
+                    getStatusFirewallProfile(output_buf, &firewallData);
+                    char msg_buf[OS_MAXSTR] = {0};
+                    strncpy(msg_buf, "\"profile%d\":\"%s\",\"status%d\":\"%s\" ", OS_MAXSTR -1);
+                    globalfirewallStatus &= firewallData.isEnabled;
+                    memset(aux_buf, '\0', OS_MAXSTR);
+                    snprintf(aux_buf, OS_MAXSTR -1, msg_buf, i + 1,
+                        firewallProfileStr[firewallData.profile], i + 1,
+                        firewallData.isEnabled == true ? "active" : "inactive"
+                    );
+                    msgLengths[i] = strlen(aux_buf);
+                    strcat(aux_buf2, aux_buf);
+                    firewallData.isThereProfile = false;
+                }
+            }
+            wpclose(wfd);
+        }
+    }
+
+    for (int i = 0; i < FIREWALL_PROFILES_MAX - 1; i++) {
+        nextPositionComma += msgLengths[i];
+        if(nextPositionComma > 0 && (numCommas < countActiveProfile - 1)){
+            aux_buf2[nextPositionComma -1] = ',';
+            numCommas++;
+        }
+    }
+
+    if (false == globalfirewallStatus) {
+        strcat(log_msg, aux_buf2);
+        memset(aux_buf, '\0', OS_MAXSTR);
+        snprintf(aux_buf, OS_MAXSTR -1, "},\"status\":\"inactive\",\"script\":\"netsh\"}");
+        strcat(log_msg, aux_buf);
+        write_debug_file(argv, log_msg);
+    }
+    os_free(reg_path);
+    return OS_SUCCESS;
+}
+
+static void getFirewallProfile(const char * output_buf, firewallData_t *firewallData) {
+    if (output_buf != NULL) {
+        const char* ptr = NULL;
+
+        if ((ptr = strstr(output_buf, "FirewallPolicy")) != NULL) {
+           char after[OS_MAXSTR];
+           splitStrFromCharDelimiter(ptr, '\\', NULL, after);
+
+            if (after != NULL) {
+                if (strstr(after, "DomainProfile") != NULL) {
+                    firewallData->profile = FIREWALL_DOMAIN;
+                    firewallData->isThereProfile = true;
+                } else if (strstr(after, "PublicProfile") != NULL) {
+                    firewallData->profile = FIREWALL_PUBLIC;
+                    firewallData->isThereProfile = true;
+                } else if (strstr(after, "StandardProfile") != NULL) {
+                    firewallData->profile = FIREWALL_PRIVATE;
+                    firewallData->isThereProfile = true;
+                } else {
+                    firewallData->isThereProfile = false;
+                }
+            }
+        }
+    }
+}
+
+static void getStatusFirewallProfile(const char * output_buf, firewallData_t *firewallData) {
+    if (firewallData->isThereProfile == true && isEnabledFromPattern(output_buf, "REG_DWORD", "0x1")) {
+        firewallData->isEnabled = true;
+    } else {
+        firewallData->isEnabled = false;
+    }
+}
+
+#endif
diff --git a/src/modules/active_response/src/binaries/npf.c b/src/modules/active_response/src/binaries/npf.c
new file mode 100644
index 0000000000..14013a6299
--- /dev/null
+++ b/src/modules/active_response/src/binaries/npf.c
@@ -0,0 +1,177 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "../active_responses.h"
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char output_buf[OS_MAXSTR];
+    char log_msg[OS_MAXSTR];
+    int action = OS_INVALID;
+    char *npfctl_path = NULL;
+    cJSON *input_json = NULL;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    // Checking if npfctl is present
+    if (get_binary_path("npfctl", &npfctl_path) < 0) {
+        write_debug_file(argv[0], "The NPFCTL is not accessible");
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+
+    char *exec_cmd1[3] = { npfctl_path, "show", NULL };
+
+    wfd_t *wfd = wpopenv(npfctl_path, exec_cmd1, W_BIND_STDOUT);
+    if (!wfd) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", npfctl_path, strerror(errno));
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+
+    int flag = false;
+    while (fgets(output_buf, OS_MAXSTR, wfd->file_out)) {
+        const char *pos = strstr(output_buf, "filtering:");
+
+        if (pos != NULL) {
+            char state[15];
+
+            if (pos && sscanf(pos, "%*s %9s", state) == 1) {
+                if (strcmp(state, "active") != 0) {
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR -1, "The filter property is inactive");
+                    write_debug_file(argv[0], log_msg);
+                    cJSON_Delete(input_json);
+                    wpclose(wfd);
+                    os_free(npfctl_path);
+                    return OS_INVALID;
+                }
+                flag = true;
+                break;
+            } else {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Key word not found");
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                wpclose(wfd);
+                os_free(npfctl_path);
+                return OS_INVALID;
+            }
+        }
+    }
+    wpclose(wfd);
+
+    if (flag == false) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Unable to find 'filtering'");
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+
+    wfd = wpopenv(npfctl_path, exec_cmd1, W_BIND_STDOUT);
+    if (!wfd) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", npfctl_path, strerror(errno));
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+
+    flag = false;
+    while (fgets(output_buf, OS_MAXSTR, wfd->file_out)) {
+        const char *pos = strstr(output_buf, "table <wazuh_blacklist>");
+
+        if (pos != NULL) {
+            flag = true;
+            break;
+        }
+    }
+    wpclose(wfd);
+
+    if (flag == false) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Unable to find 'table <wazuh_blacklist>'");
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+
+    char *exec_cmd2[6] = { NULL, NULL, NULL, NULL, NULL, NULL };
+
+    if (action == ADD_COMMAND) {
+        const char *arg3[6] = { npfctl_path, "table", "wazuh_blacklist", "add", srcip, NULL };
+        memcpy(exec_cmd2, arg3, sizeof(exec_cmd2));
+    } else {
+        const char *arg3[6] = { npfctl_path, "table", "wazuh_blacklist", "del", srcip, NULL };
+        memcpy(exec_cmd2, arg3, sizeof(exec_cmd2));
+    }
+
+    // Executing it
+    wfd = wpopenv(npfctl_path, exec_cmd2, W_BIND_STDOUT);
+    if (!wfd) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", npfctl_path, strerror(errno));
+        write_debug_file(argv[0], log_msg);
+        cJSON_Delete(input_json);
+        os_free(npfctl_path);
+        return OS_INVALID;
+    }
+    wpclose(wfd);
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+    os_free(npfctl_path);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/pf.c b/src/modules/active_response/src/binaries/pf.c
new file mode 100644
index 0000000000..cfcade39a4
--- /dev/null
+++ b/src/modules/active_response/src/binaries/pf.c
@@ -0,0 +1,281 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "../active_responses.h"
+
+#define DEVPF       ("/dev/pf")
+#define PFCTL_RULES ("/etc/pf.conf")
+#define PFCTL_TABLE ("wazuh_fwtable")
+
+/**
+ * @brief check if firewall is configured
+ * @param log_prog_name name of the program to be written to the logs
+ * @param path path to firewall configuration file
+ * @param table name of firewall table
+ * @return 0 if configured, -1 otherwise
+*/
+static int checking_if_its_configured(const char *log_prog_name, const char *path, const char *table);
+
+/**
+ * @brief write to file path
+ * @param path path to file
+ * @param cmd command or text to write inside file
+ * @return 1 if successful, 0 otherwise
+*/
+static int write_cmd_to_file(const char *path, const char *cmd);
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char log_msg[OS_MAXSTR];
+    char output_buf[OS_MAXSTR];
+    int isEnabledFirewall = 0;
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+    struct utsname uname_buffer;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+    if (uname(&uname_buffer) < 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("OpenBSD", uname_buffer.sysname) || !strcmp("FreeBSD", uname_buffer.sysname) || !strcmp("Darwin", uname_buffer.sysname)) {
+        wfd_t *wfd = NULL;
+        char *pfctl_path = NULL;
+
+        // Checking if pfctl is present
+        if (get_binary_path("pfctl", &pfctl_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The pfctl file '%s' is not accessible", pfctl_path);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(pfctl_path);
+            return OS_SUCCESS;
+        }
+
+        char *exec_cmd1[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+        char *exec_cmd2[4] = { NULL, NULL, NULL, NULL };
+        char *exec_cmd3[4] = { pfctl_path, "-s", "info", NULL };
+        char *exec_cmd4[4] = { pfctl_path, "-f", PFCTL_RULES, NULL };
+
+        // Checking if we have pf config file
+        if (access(PFCTL_RULES, F_OK) == 0) {
+            if (action == ADD_COMMAND) {
+                const char *arg1[7] = { pfctl_path, "-t", PFCTL_TABLE, "-T", "add", srcip, NULL };
+                memcpy(exec_cmd1, arg1, sizeof(exec_cmd1));
+
+                const char *arg2[4] = { pfctl_path, "-k", srcip, NULL };
+                memcpy(exec_cmd2, arg2, sizeof(exec_cmd2));
+            } else {
+                const char *arg1[7] = { pfctl_path, "-t", PFCTL_TABLE, "-T", "delete", srcip, NULL };
+                memcpy(exec_cmd1, arg1, sizeof(exec_cmd1));
+            }
+
+            // Checking if pf is running
+            if (access(DEVPF, F_OK) < 0) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR - 1, "The file '%s' is not accessible", DEVPF);
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                os_free(pfctl_path);
+                return OS_SUCCESS;
+            } else {
+                // Checking if wazuh table is configured in pf.conf
+                if (checking_if_its_configured(argv[0], PFCTL_RULES, PFCTL_TABLE) != 0) {
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR - 1, "Table '%s' does not exist", PFCTL_TABLE);
+                    write_debug_file(argv[0], log_msg);
+
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR - 1, "table <%s> persist #%s\nblock in quick from <%s> to any\nblock out quick from any to <%s>", PFCTL_TABLE, PFCTL_TABLE, PFCTL_TABLE, PFCTL_TABLE);
+
+                    if (0 == write_cmd_to_file(PFCTL_RULES, log_msg)) {
+                        memset(log_msg, '\0', OS_MAXSTR);
+                        snprintf(log_msg, OS_MAXSTR - 1, "Error opening file '%s' : %s", PFCTL_RULES, strerror(errno));
+                        write_debug_file(argv[0], log_msg);
+                        cJSON_Delete(input_json);
+                        os_free(pfctl_path);
+                        return OS_INVALID;
+                    }
+
+                    if (exec_cmd4[0] != NULL) {
+                        wfd = wpopenv(pfctl_path, exec_cmd4, W_BIND_STDOUT);
+                        if (!wfd) {
+                            memset(log_msg, '\0', OS_MAXSTR);
+                            snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", pfctl_path, strerror(errno));
+                            write_debug_file(argv[0], log_msg);
+                            cJSON_Delete(input_json);
+                            os_free(pfctl_path);
+                            return OS_INVALID;
+                        }
+                        wpclose(wfd);
+                    }
+                }
+            }
+        } else {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR - 1, "The pf rules file '%s' does not exist", PFCTL_RULES);
+            write_debug_file(argv[0], log_msg);
+            cJSON_Delete(input_json);
+            os_free(pfctl_path);
+            return OS_SUCCESS;
+        }
+
+        // Executing it
+
+        if (exec_cmd3[0] != NULL && action == ADD_COMMAND) {
+            wfd = wpopenv(pfctl_path, exec_cmd3, W_BIND_STDOUT);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", pfctl_path, strerror(errno));
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                os_free(pfctl_path);
+                return OS_INVALID;
+            }
+            else {
+                while (fgets(output_buf, OS_MAXSTR -1, wfd->file_out) && 0  == isEnabledFirewall) {
+                    isEnabledFirewall = isEnabledFromPattern(output_buf, "Status: ", "Enabled");
+                }
+
+                if (0 == isEnabledFirewall) {
+                    memset(log_msg, '\0', OS_MAXSTR);
+                    snprintf(log_msg, OS_MAXSTR -1, "{\"message\":\"Active response may not have an effect\",\"profile\":\"default\",\"status\":\"inactive\",\"script\":\"pf\"}");
+                    write_debug_file(argv[0], log_msg);
+                }
+            }
+            wpclose(wfd);
+        }
+
+        if (exec_cmd1[0] != NULL) {
+            wfd = wpopenv(pfctl_path, exec_cmd1, W_BIND_STDOUT);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", pfctl_path, strerror(errno));
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                os_free(pfctl_path);
+                return OS_INVALID;
+            }
+            wpclose(wfd);
+        }
+
+        if (exec_cmd2[0] != NULL) {
+            wfd = wpopenv(pfctl_path, exec_cmd2, W_BIND_STDOUT);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR - 1, "Error executing '%s' : %s", pfctl_path, strerror(errno));
+                write_debug_file(argv[0], log_msg);
+                cJSON_Delete(input_json);
+                os_free(pfctl_path);
+                return OS_INVALID;
+            }
+            wpclose(wfd);
+        }
+        os_free(pfctl_path);
+
+    } else {
+        write_debug_file(argv[0], "Invalid system");
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(input_json);
+
+    return OS_SUCCESS;
+}
+
+static int checking_if_its_configured(const char *log_prog_name, const char *path, const char *table) {
+    char command[COMMANDSIZE_4096];
+    char output_buf[OS_MAXSTR];
+    char *cat_path = NULL;
+    char *grep_path = NULL;
+    char log_msg[OS_MAXSTR];
+
+    if (get_binary_path("cat", &cat_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR - 1, "Binary '%s' not found in default paths, the full path will not be used.", cat_path);
+        write_debug_file(log_prog_name, log_msg);
+    }
+    if (get_binary_path("grep", &grep_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR - 1, "Binary '%s' not found in default paths, the full path will not be used.", grep_path);
+        write_debug_file(log_prog_name, log_msg);
+    }
+
+    snprintf(command, COMMANDSIZE_4096 -1, "%s %s | %s %s", cat_path, path, grep_path, table);
+    FILE *fp = popen(command, "r");
+
+    if (fp) {
+        while (fgets(output_buf, OS_MAXSTR, fp) != NULL) {
+            pclose(fp);
+            os_free(cat_path);
+            os_free(grep_path);
+            return OS_SUCCESS;
+        }
+        pclose(fp);
+        os_free(cat_path);
+        os_free(grep_path);
+        return OS_INVALID;
+    }
+    os_free(cat_path);
+    os_free(grep_path);
+    return OS_INVALID;
+}
+
+static int write_cmd_to_file(const char *path, const char *cmd) {
+    int retVal = 0;
+    if (path != NULL && cmd != NULL) {
+        FILE *fp = wfopen(path, "a+");
+        if (fp != NULL) {
+            fprintf(fp, "%s\n", cmd);
+            retVal = 1;
+            fclose(fp);
+        }
+    }
+    return retVal;
+}
diff --git a/src/modules/active_response/src/binaries/restart_wazuh.c b/src/modules/active_response/src/binaries/restart_wazuh.c
new file mode 100644
index 0000000000..fe1be297dd
--- /dev/null
+++ b/src/modules/active_response/src/binaries/restart_wazuh.c
@@ -0,0 +1,55 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+#include "dll_load_notify.h"
+
+int main (int argc, char **argv) {
+#ifdef WIN32
+    // This must be always the first instruction
+    enable_dll_verification();
+#endif
+
+    (void)argc;
+    int action = OS_INVALID;
+
+    action = setup_and_check_message(argv, NULL);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+#ifndef WIN32
+    char log_msg[OS_MAXSTR];
+    char *exec_cmd[3] = { "bin/wazuh-control", "restart", NULL };
+
+    wfd_t *wfd = wpopenv(*exec_cmd, exec_cmd, W_BIND_STDERR);
+    if (!wfd) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Error executing '%s': %s", *exec_cmd, strerror(errno));
+        write_debug_file(argv[0], log_msg);
+        return OS_INVALID;
+    }
+
+    while (waitpid(-1, NULL, 0) > 0);
+
+    wpclose(wfd);
+#else
+    char cmd[OS_MAXSTR + 1];
+
+    snprintf(cmd, OS_MAXSTR, "%%WINDIR%%\\system32\\net.exe stop Wazuh");
+    system(cmd);
+
+    snprintf(cmd, OS_MAXSTR, "%%WINDIR%%\\system32\\net.exe start Wazuh");
+    system(cmd);
+#endif
+
+    write_debug_file(argv[0], "Ended");
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/route_null.c b/src/modules/active_response/src/binaries/route_null.c
new file mode 100644
index 0000000000..17c1cc884f
--- /dev/null
+++ b/src/modules/active_response/src/binaries/route_null.c
@@ -0,0 +1,195 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+#include "dll_load_notify.h"
+
+int main (int argc, char **argv) {
+#ifdef WIN32
+    // This must be always the first instruction
+    enable_dll_verification();
+#endif
+
+    (void)argc;
+    int action = OS_INVALID;
+    cJSON *input_json = NULL;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get srcip
+    const char *srcip = get_srcip_from_json(input_json);
+    if (!srcip) {
+        write_debug_file(argv[0], "Cannot read 'srcip' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    if (action == ADD_COMMAND) {
+        char **keys = NULL;
+        int action2 = OS_INVALID;
+
+        os_calloc(2, sizeof(char *), keys);
+        os_strdup(srcip, keys[0]);
+        keys[1] = NULL;
+
+        action2 = send_keys_and_check_message(argv, keys);
+
+        os_free(keys);
+
+        // If necessary, abort execution
+        if (action2 != CONTINUE_COMMAND) {
+            cJSON_Delete(input_json);
+
+            if (action2 == ABORT_COMMAND) {
+                write_debug_file(argv[0], "Aborted");
+                return OS_SUCCESS;
+            } else {
+                return OS_INVALID;
+            }
+        }
+    }
+
+#ifndef WIN32
+    struct utsname uname_buffer;
+    wfd_t *wfd = NULL;
+    char *route_path = NULL;
+    char log_msg[OS_MAXSTR];
+
+    if (get_binary_path("route", &route_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", route_path);
+        write_debug_file(argv[0], log_msg);
+    }
+
+    if (uname(&uname_buffer) < 0) {
+        write_debug_file(argv[0], "Cannot get system name");
+        cJSON_Delete(input_json);
+        os_free(route_path);
+        return OS_INVALID;
+    }
+
+    if (!strcmp("Linux", uname_buffer.sysname)) {
+        if (action == ADD_COMMAND) {
+            char *exec_cmd1[5] = { route_path, "add", (char *)srcip, "reject", NULL };
+
+            wfd = wpopenv(route_path, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run route");
+            } else {
+                wpclose(wfd);
+            }
+        } else {
+            char *exec_cmd1[5] = { route_path, "del", (char *)srcip, "reject", NULL };
+
+            wfd = wpopenv(route_path, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run route");
+            } else {
+                wpclose(wfd);
+            }
+        }
+    } else if (!strcmp("FreeBSD", uname_buffer.sysname)) {
+        if (action == ADD_COMMAND) {
+            char *exec_cmd1[7] = { route_path, "-q", "add", (char *)srcip, "127.0.0.1", "-blackhole", NULL };
+
+            wfd = wpopenv(route_path, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run route");
+            } else {
+                wpclose(wfd);
+            }
+        } else {
+            char *exec_cmd1[7] = { route_path, "-q", "delete", (char *)srcip, "127.0.0.1", "-blackhole", NULL };
+
+            wfd = wpopenv(route_path, exec_cmd1, W_BIND_STDERR);
+            if (!wfd) {
+                write_debug_file(argv[0], "Unable to run route");
+            } else {
+                wpclose(wfd);
+            }
+        }
+    } else {
+        write_debug_file(argv[0], "Invalid system");
+    }
+    os_free(route_path);
+#else
+    char log_msg[OS_MAXSTR];
+    char *route_path = NULL;
+
+    if (get_binary_path("route.exe", &route_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", route_path);
+        write_debug_file(argv[0], log_msg);
+    }
+
+    if (action == ADD_COMMAND) {
+        const char *regex = ".*Default Gateway.*[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*";
+        const char *tmp_file = "default-gateway.txt";
+        char gateway[IPSIZE + 1] = {0};
+
+        char cmd[OS_MAXSTR + 1];
+        snprintf(cmd, OS_MAXSTR, "%%WINDIR%%\\system32\\ipconfig.exe | %%WINDIR%%\\system32\\findstr.exe /R /C:\"%s\" > %s", regex, tmp_file);
+        system(cmd);
+
+        FILE *fp = wfopen(tmp_file, "r");
+        if(fp != NULL) {
+            char output_buf[OS_MAXSTR];
+            while (fgets(output_buf, OS_MAXSTR, fp)) {
+                char *ptr = strchr(output_buf, ':');
+                if (ptr != NULL) {
+                    snprintf(gateway, sizeof(gateway), "%s", ptr + 2);
+                }
+            }
+            fclose(fp);
+        }
+        remove(tmp_file);
+
+        if (gateway[0]) {
+            char *exec_args_add[8] = { route_path, "-p", "ADD", (char *)srcip, "MASK", "255.255.255.255", gateway, NULL };
+
+            wfd_t *wfd = wpopenv(route_path, exec_args_add, W_BIND_STDERR);
+            if (!wfd) {
+                memset(log_msg, '\0', OS_MAXSTR);
+                snprintf(log_msg, OS_MAXSTR -1, "Unable to run %s, action: 'ADD'", route_path);
+                write_debug_file(argv[0], log_msg);
+            }
+            else {
+                wpclose(wfd);
+            }
+        } else {
+            write_debug_file(argv[0], "Couldn't get default gateway");
+            cJSON_Delete(input_json);
+            os_free(route_path);
+            return OS_INVALID;
+        }
+    } else {
+        char *exec_args_delete[4] = { route_path, "DELETE", (char *)srcip, NULL };
+
+        wfd_t *wfd = wpopenv(route_path, exec_args_delete, W_BIND_STDERR);
+        if (!wfd) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Unable to run %s, action: 'DELETE'", route_path);
+            write_debug_file(argv[0], log_msg);
+        }
+        else {
+            wpclose(wfd);
+        }
+    }
+    os_free(route_path);
+#endif
+
+    write_debug_file(argv[0], "Ended");
+
+	cJSON_Delete(input_json);
+
+    return OS_SUCCESS;
+}
diff --git a/src/modules/active_response/src/binaries/wazuh_slack.c b/src/modules/active_response/src/binaries/wazuh_slack.c
new file mode 100644
index 0000000000..4336d1778f
--- /dev/null
+++ b/src/modules/active_response/src/binaries/wazuh_slack.c
@@ -0,0 +1,272 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "active_responses.h"
+
+
+/**
+ * Get json with the data to share on slack from an alert. Example:
+ * {
+ *  "attachments":  [{
+ *          "color":    "warning",
+ *          "pretext":  "WAZUH Alert",
+ *          "title":    "N/A",
+ *          "text": "Jan 28 02:13:23 ubuntu-bionic kernel: [39622.230464] VBoxClient[26081]: ...
+ *          "fields":   [{
+ *                  "title":    "Agentless Host",
+ *                  "value":    "ubuntu-bionic"
+ *              }, {
+ *                  "title":    "Location",
+ *                  "value":    "/var/log/syslog"
+ *              }, {
+ *                  "title":    "Rule ID",
+ *                  "value":    "1010 (level 5)"
+ *              }],
+ *          "ts":   "1611800004.741250"
+ *      }]
+ * }
+ *
+ * @param alert Alert to extract info
+ * @return JSON object
+ * */
+static cJSON *format_output(const cJSON *alert);
+
+int main (int argc, char **argv) {
+    (void)argc;
+    char *site_url = NULL;
+    char *output_str = NULL;
+    char *cmd_path = NULL;
+    char log_msg[OS_MAXSTR];
+    int action = OS_INVALID;
+    int return_value = OS_INVALID;
+    cJSON *input_json = NULL;
+    cJSON *output_json = NULL;
+
+    action = setup_and_check_message(argv, &input_json);
+    if ((action != ADD_COMMAND) && (action != DELETE_COMMAND)) {
+        return OS_INVALID;
+    }
+
+    // Get alert
+    const cJSON *alert_json = get_alert_from_json(input_json);
+    if (!alert_json) {
+        write_debug_file(argv[0], "Cannot read 'alert' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    // Get extra_args
+    site_url = get_extra_args_from_json(input_json);
+    if (!site_url) {
+        write_debug_file(argv[0], "Cannot read 'extra_args' from data");
+        cJSON_Delete(input_json);
+        return OS_INVALID;
+    }
+
+    output_json = format_output(alert_json);
+    output_str = cJSON_PrintUnformatted(output_json);
+
+    // Execute the command
+
+    // Try with curl
+    bool success_command = false;
+    if (get_binary_path("curl", &cmd_path) < 0) {
+        memset(log_msg, '\0', OS_MAXSTR);
+        snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", cmd_path);
+        write_debug_file(argv[0], log_msg);
+    }
+    char *exec_cmd1[9] = { cmd_path, "-H", "Accept: application/json", "-H", "Content-Type: application/json", "-d", output_str, site_url, NULL };
+
+    wfd_t *wfd = wpopenv(cmd_path, exec_cmd1, W_BIND_STDOUT | W_BIND_STDERR);
+    if (wfd) {
+        char buffer[4096];
+        while (fgets(buffer, sizeof(buffer), wfd->file_out));
+        int wp_closefd = wpclose(wfd);
+        if ( WIFEXITED(wp_closefd) ) {
+            int wstatus = WEXITSTATUS(wp_closefd);
+            if (wstatus == 0) {
+                success_command = true;
+                return_value = OS_SUCCESS;
+            }
+        }
+    }
+
+    if (!success_command) {
+        write_debug_file(argv[0], "Unable to run curl, trying with wget...");
+
+        // Try with wget
+        os_free(cmd_path);
+        if (get_binary_path("wget", &cmd_path) < 0) {
+            memset(log_msg, '\0', OS_MAXSTR);
+            snprintf(log_msg, OS_MAXSTR -1, "Binary '%s' not found in default paths, the full path will not be used.", cmd_path);
+            write_debug_file(argv[0], log_msg);
+        }
+        char *exec_cmd2[6] = { cmd_path, "--keep-session-cookies", "--post-data", output_str, site_url, NULL };
+
+        wfd = wpopenv(cmd_path, exec_cmd2, W_BIND_STDOUT | W_BIND_STDERR);
+        if (wfd) {
+            char buffer[4096];
+            while (fgets(buffer, sizeof(buffer), wfd->file_out));
+            int wp_closefd = wpclose(wfd);
+            if ( WIFEXITED(wp_closefd) ) {
+                int wstatus = WEXITSTATUS(wp_closefd);
+                if (wstatus == 0) {
+                    success_command = true;
+                    return_value = OS_SUCCESS;
+                }
+            }
+        }
+    }
+
+    if (!success_command) {
+        write_debug_file(argv[0], "Unable to run wget");
+        return_value = OS_INVALID;
+    }
+
+    write_debug_file(argv[0], "Ended");
+
+    cJSON_Delete(output_json);
+    cJSON_Delete(input_json);
+    os_free(output_str);
+    os_free(site_url);
+    os_free(cmd_path);
+
+    return return_value;
+}
+
+static cJSON *format_output(const cJSON *alert) {
+    cJSON *rule_json = NULL;
+    cJSON *agent_json = NULL;
+    cJSON *agentless_json = NULL;
+    cJSON *location_json = NULL;
+    cJSON *full_log_json = NULL;
+    cJSON *rule_description_json = NULL;
+    cJSON *alert_id_json = NULL;
+    cJSON *root_out = NULL;
+    cJSON *root_list = NULL;
+    cJSON *fields_list = NULL;
+    cJSON *item_objects = NULL;
+    cJSON *item_agent = NULL;
+    cJSON *item_agentless = NULL;
+    cJSON *item_location = NULL;
+    cJSON *item_rule = NULL;
+    char temp_line[OS_MAXSTR];
+    int level = -1;
+
+    root_out = cJSON_CreateObject();
+    root_list = cJSON_CreateArray();
+    fields_list = cJSON_CreateArray();
+    item_objects = cJSON_CreateObject();
+
+    // Detect agent
+    agent_json = cJSON_GetObjectItem(alert, "agent");
+    if (agent_json && (agent_json->type == cJSON_Object)) {
+        cJSON *agent_id_json = NULL;
+        cJSON *agent_name_json = NULL;
+
+        item_agent = cJSON_CreateObject();
+
+        // Detect Agent ID
+        agent_id_json = cJSON_GetObjectItem(agent_json, "id");
+
+        // Detect Agent name
+        agent_name_json = cJSON_GetObjectItem(agent_json, "name");
+
+        memset(temp_line, '\0', OS_MAXSTR);
+        snprintf(temp_line, OS_MAXSTR -1, "(%s) - %s",
+                                        agent_id_json != NULL ? agent_id_json->valuestring : "N/A",
+                                        agent_name_json != NULL ? agent_name_json->valuestring : "N/A"
+                                        );
+
+        cJSON_AddStringToObject(item_agent, "title", "Agent");
+        cJSON_AddStringToObject(item_agent, "value", temp_line);
+        cJSON_AddItemToArray(fields_list, item_agent);
+    }
+
+    // Detect agentless
+    agentless_json = cJSON_GetObjectItem(alert, "agentless");
+    if (agentless_json && (agentless_json->type == cJSON_Object)) {
+        cJSON *agentless_host_json = NULL;
+        item_agentless = cJSON_CreateObject();
+
+        // Detect Agentless host
+        agentless_host_json = cJSON_GetObjectItem(agentless_json, "host");
+
+        cJSON_AddStringToObject(item_agentless, "title", "Agentless Host");
+        cJSON_AddStringToObject(item_agentless, "value", agentless_host_json != NULL ? agentless_host_json->valuestring : "N/A");
+        cJSON_AddItemToArray(fields_list, item_agentless);
+    }
+
+    // Detect location
+    location_json = cJSON_GetObjectItem(alert, "location");
+    item_location = cJSON_CreateObject();
+    cJSON_AddStringToObject(item_location, "title", "Location");
+    cJSON_AddStringToObject(item_location, "value", location_json != NULL ? location_json->valuestring : "N/A");
+    cJSON_AddItemToArray(fields_list, item_location);
+
+    // Detect Rule
+    rule_json = cJSON_GetObjectItem(alert, "rule");
+    if (rule_json && (rule_json->type == cJSON_Object)) {
+        cJSON *rule_id_json = NULL;
+        cJSON *rule_level_json = NULL;
+        char str_level[10];
+
+        // Detect Rule ID
+        rule_id_json = cJSON_GetObjectItem(rule_json, "id");
+
+        // Detect Rule Level
+        memset(str_level, '\0', 10);
+        rule_level_json = cJSON_GetObjectItem(rule_json, "level");
+        if (rule_level_json && (rule_level_json->type == cJSON_Number)) {
+            snprintf(str_level, 9, "%d", rule_level_json->valueint);
+            level = rule_level_json->valueint;
+        } else {
+            snprintf(str_level, 9, "N/A");
+        }
+
+        // Detect Rule Description
+        rule_description_json = cJSON_GetObjectItem(rule_json, "description");
+
+        memset(temp_line, '\0', OS_MAXSTR);
+        snprintf(temp_line, OS_MAXSTR -1, "%s (level %s)",
+                                        rule_id_json != NULL ? rule_id_json->valuestring : "N/A",
+                                        str_level
+                                        );
+
+        item_rule = cJSON_CreateObject();
+        cJSON_AddStringToObject(item_rule, "title", "Rule ID");
+        cJSON_AddStringToObject(item_rule, "value", temp_line);
+        cJSON_AddItemToArray(fields_list, item_rule);
+    }
+
+    if (level <= 4) {
+        cJSON_AddStringToObject(item_objects, "color", "good");
+    } else if (level >= 5 && level <= 7) {
+        cJSON_AddStringToObject(item_objects, "color", "warning");
+    } else {
+        cJSON_AddStringToObject(item_objects, "color", "danger");
+    }
+
+    cJSON_AddStringToObject(item_objects, "pretext", "WAZUH Alert");
+    cJSON_AddStringToObject(item_objects, "title", rule_description_json != NULL ? rule_description_json->valuestring : "N/A");
+
+    // Detect full log
+    full_log_json = cJSON_GetObjectItem(alert, "full_log");
+    cJSON_AddStringToObject(item_objects, "text", full_log_json != NULL ? full_log_json->valuestring : "");
+
+    cJSON_AddItemToObject(item_objects, "fields", fields_list);
+
+    alert_id_json = cJSON_GetObjectItem(alert, "id");
+    cJSON_AddStringToObject(item_objects, "ts", alert_id_json != NULL ? alert_id_json->valuestring : "");
+
+    cJSON_AddItemToArray(root_list, item_objects);
+    cJSON_AddItemToObject(root_out, "attachments", root_list);
+
+    return root_out;
+}
diff --git a/src/modules/active_response/src/config.c b/src/modules/active_response/src/config.c
new file mode 100644
index 0000000000..81cda866b7
--- /dev/null
+++ b/src/modules/active_response/src/config.c
@@ -0,0 +1,276 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#include "shared.h"
+#include "execd.h"
+#include "wazuh_modules/wmodules.h"
+#include "client-agent/agentd.h"
+#include "logcollector/logcollector.h"
+#include "rootcheck/rootcheck.h"
+#include "os_net/os_net.h"
+
+int is_disabled;
+
+/* Read the config file */
+int ExecdConfig(const char *cfgfile)
+{
+    is_disabled = 0;
+
+    const char *(xmlf[]) = {"ossec_config", "active-response", "disabled", NULL};
+    char *disable_entry;
+    char *repeated_t = NULL;
+    char **repeated_a;
+    int i = 0;
+
+    OS_XML xml;
+
+    /* Read XML file */
+    if (OS_ReadXML(cfgfile, &xml) < 0)
+    {
+        merror_exit(XML_ERROR, cfgfile, xml.err, xml.err_line);
+    }
+
+    /* We do not validate the xml in here. It is done by other processes. */
+    disable_entry = OS_GetOneContentforElement(&xml, xmlf);
+    if (disable_entry)
+    {
+        if (strcmp(disable_entry, "yes") == 0)
+        {
+            is_disabled = 1;
+        }
+        else if (strcmp(disable_entry, "no") == 0)
+        {
+            is_disabled = 0;
+        }
+        else
+        {
+            merror(XML_VALUEERR, "disabled", disable_entry);
+            free(disable_entry);
+            return (-1);
+        }
+
+        free(disable_entry);
+    }
+
+    XML_NODE node;
+    node = OS_GetElementsbyNode(&xml, NULL);
+
+    XML_NODE child = NULL;
+    while (node && node[i])
+    {
+        child = OS_GetElementsbyNode(&xml, node[i]);
+        int j = 0;
+
+        while (child && child[j]){
+
+            if (strcmp(child[j]->element, "active-response") == 0){
+                XML_NODE child_attr = NULL;
+                child_attr = OS_GetElementsbyNode(&xml, child[j]);
+                int p = 0;
+
+                while (child_attr && child_attr[p])
+                {
+                    if (!strcmp(child_attr[p]->element, "repeated_offenders"))
+                    {
+                        os_strdup(child_attr[p]->content, repeated_t);
+                        OS_ClearNode(child_attr);
+                        goto next;
+                    }
+                    p++;
+                }
+
+                OS_ClearNode(child_attr);
+
+            }
+            j++;
+        }
+
+        i++;
+        OS_ClearNode(child);
+        child = NULL;
+    }
+
+next:
+    OS_ClearNode(child);
+    OS_ClearNode(node);
+
+    //repeated_t = OS_GetOneContentforElement(&xml, blocks);
+    if (repeated_t)
+    {
+        int i = 0;
+        int j = 0;
+        repeated_a = OS_StrBreak(',', repeated_t, 5);
+        if (!repeated_a)
+        {
+            merror(XML_VALUEERR, "repeated_offenders", repeated_t);
+            free(repeated_t);
+            return (-1);
+        }
+
+        while (repeated_a[i] != NULL)
+        {
+            char *tmpt = repeated_a[i];
+            while (*tmpt != '\0')
+            {
+                if (*tmpt == ' ' || *tmpt == '\t')
+                {
+                    tmpt++;
+                }
+                else
+                {
+                    break;
+                }
+            }
+
+            if (*tmpt == '\0')
+            {
+                i++;
+                continue;
+            }
+
+            repeated_offenders_timeout[j] = atoi(tmpt);
+            minfo("Adding offenders timeout: %d (for #%d)",
+                repeated_offenders_timeout[j], j + 1);
+            j++;
+            repeated_offenders_timeout[j] = 0;
+            if (j >= 6)
+            {
+                break;
+            }
+            i++;
+        }
+
+        free(repeated_t);
+
+        for (i = 0; repeated_a[i]; i++)
+        {
+            free(repeated_a[i]);
+        }
+
+        free(repeated_a);
+    }
+
+    OS_ClearXML(&xml);
+
+    return (is_disabled);
+}
+
+cJSON *getARConfig(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *ar = cJSON_CreateObject();
+    unsigned int i;
+
+    if (is_disabled) cJSON_AddStringToObject(ar,"disabled","yes"); else cJSON_AddStringToObject(ar,"disabled","no");
+    if (*repeated_offenders_timeout) {
+        cJSON *rot = cJSON_CreateArray();
+        for (i=0;repeated_offenders_timeout[i];i++) {
+            cJSON_AddItemToArray(rot,cJSON_CreateNumber(repeated_offenders_timeout[i]));
+        }
+        cJSON_AddItemToObject(ar,"repeated_offenders",rot);
+    }
+
+    cJSON_AddItemToObject(root,"active-response",ar);
+
+    return root;
+}
+
+
+cJSON *getExecdInternalOptions(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *internals = cJSON_CreateObject();
+    cJSON *execd = cJSON_CreateObject();
+
+    cJSON_AddNumberToObject(execd,"request_timeout",req_timeout);
+    cJSON_AddNumberToObject(execd,"max_restart_lock",max_restart_lock);
+
+    cJSON_AddItemToObject(internals,"execd",execd);
+    cJSON_AddItemToObject(root,"internal",internals);
+
+    return root;
+}
+
+
+cJSON *getClusterConfig(void) {
+
+#ifndef WIN32
+    char req[] = "get_config";
+    char *buffer = NULL;
+    int sock = -1;
+    char sockname[PATH_MAX + 1];
+    ssize_t length;
+
+    cJSON *cluster_config_cJSON;
+
+    strcpy(sockname, CLUSTER_SOCK);
+
+    if (sock = external_socket_connect(sockname, WAZUH_IPC_TIMEOUT), sock < 0) {
+        switch (errno) {
+        case ECONNREFUSED:
+            merror("At getClusterConfig(): Could not connect to socket '%s': %s (%d).", sockname, strerror(errno), errno);
+            break;
+
+        default:
+            merror("At getClusterConfig(): Could not connect to socket '%s': %s (%d).", sockname, strerror(errno), errno);
+        }
+        return NULL;
+    }
+
+    if (OS_SendSecureTCPCluster(sock, req, "", 0) != 0) {
+        merror("send(): %s", strerror(errno));
+        close(sock);
+        return NULL;
+    }
+
+    os_calloc(OS_MAXSTR,sizeof(char),buffer);
+
+    switch (length = OS_RecvSecureClusterTCP(sock, buffer, OS_MAXSTR), length) {
+    case -2:
+        merror("Cluster error detected");
+        free(buffer);
+        close(sock);
+        return NULL;
+
+    case -1:
+        merror("At wcom_main(): OS_RecvSecureClusterTCP(): %s", strerror(errno));
+        free(buffer);
+        close(sock);
+        return NULL;
+
+    case 0:
+        mdebug1("Empty message from local client.");
+        free(buffer);
+        close(sock);
+        return NULL;
+
+    case OS_MAXLEN:
+        merror("Received message > %i", OS_MAXSTR);
+        free(buffer);
+        close(sock);
+        return NULL;
+
+    default:
+        close(sock);
+    }
+
+    const char *jsonErrPtr;
+    cluster_config_cJSON = cJSON_ParseWithOpts(buffer, &jsonErrPtr, 0);
+    if (!cluster_config_cJSON) {
+        mdebug1("Error parsing JSON event. %s", buffer);
+        free(buffer);
+        return NULL;
+    }
+
+    free(buffer);
+    return cluster_config_cJSON;
+#else
+    return NULL;
+#endif
+}
diff --git a/src/modules/active_response/src/exec.c b/src/modules/active_response/src/exec.c
new file mode 100644
index 0000000000..e6f088e466
--- /dev/null
+++ b/src/modules/active_response/src/exec.c
@@ -0,0 +1,241 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "os_regex/os_regex.h"
+#include "execd.h"
+
+static char exec_names[MAX_AR + 1][OS_FLSIZE + 1];
+static char exec_cmd[MAX_AR + 1][OS_FLSIZE + 1];
+static int  exec_timeout[MAX_AR + 1];
+static int  exec_size = 0;
+static int  f_time_reading = 1;
+
+
+/* Read the shared exec config
+ * Returns 1 on success or 0 on failure
+ * Format of the file is 'name - command - timeout'
+ */
+int ReadExecConfig()
+{
+    int i = 0, j = 0, dup_entry = 0;
+    FILE *fp;
+    FILE *process_file;
+    char buffer[OS_MAXSTR + 1];
+
+    /* Clean up */
+    for (i = 0; i <= exec_size + 1; i++) {
+        memset(exec_names[i], '\0', OS_FLSIZE + 1);
+        memset(exec_cmd[i], '\0', OS_FLSIZE + 1);
+        exec_timeout[i] = 0;
+    }
+    exec_size = 0;
+
+    /* Open file */
+    fp = wfopen(DEFAULTAR, "r");
+    if (!fp) {
+        merror(FOPEN_ERROR, DEFAULTAR, errno, strerror(errno));
+        return (0);
+    }
+
+    /* Read config */
+    while (fgets(buffer, OS_MAXSTR, fp) != NULL) {
+        char *str_pt;
+        char *tmp_str;
+
+        str_pt = buffer;
+
+        // The command name must not start with '!'
+
+        if (buffer[0] == '!') {
+            merror(EXEC_INV_CONF, DEFAULTAR);
+            continue;
+        }
+
+        /* Clean up the buffer */
+        tmp_str = strstr(buffer, " - ");
+        if (!tmp_str) {
+            merror(EXEC_INV_CONF, DEFAULTAR);
+            continue;
+        }
+        *tmp_str = '\0';
+        tmp_str += 3;
+
+        /* Set the name */
+        const int bytes_written = snprintf(exec_names[exec_size], sizeof(exec_names[exec_size]), "%s", str_pt);
+
+        if (bytes_written < 0) {
+            merror(EXEC_BAD_NAME " Error %d (%s).", exec_names[exec_size], errno, strerror(errno));
+        } else if ((size_t)bytes_written >= sizeof(exec_names[exec_size])) {
+            merror(EXEC_BAD_NAME, exec_names[exec_size]);
+        }
+
+        str_pt = tmp_str;
+
+        /* Search for ' ' and - */
+        tmp_str = strstr(tmp_str, " - ");
+        if (!tmp_str) {
+            merror(EXEC_INV_CONF, DEFAULTAR);
+            continue;
+        }
+        *tmp_str = '\0';
+        tmp_str += 3;
+
+        // Directory traversal test
+
+        if (w_ref_parent_folder(str_pt)) {
+            merror("Active response command '%s' vulnerable to directory traversal attack. Ignoring.", str_pt);
+            exec_cmd[exec_size][0] = '\0';
+        } else {
+            /* Write the full command path */
+            snprintf(exec_cmd[exec_size], OS_FLSIZE,
+                     "%s/%s",
+                     AR_BINDIR,
+                     str_pt);
+            process_file = wfopen(exec_cmd[exec_size], "r");
+            if (!process_file) {
+                if (f_time_reading) {
+                    minfo("Active response command not present: '%s'. "
+                            "Not using it on this system.",
+                            exec_cmd[exec_size]);
+                }
+
+                exec_cmd[exec_size][0] = '\0';
+            } else {
+                fclose(process_file);
+            }
+        }
+
+        str_pt = tmp_str;
+        tmp_str = strchr(tmp_str, '\n');
+        if (tmp_str) {
+            *tmp_str = '\0';
+        }
+
+        /* Get the exec timeout */
+        exec_timeout[exec_size] = atoi(str_pt);
+
+        /* Check if name is duplicated */
+        dup_entry = 0;
+        for (j = 0; j < exec_size; j++) {
+            if (strcmp(exec_names[j], exec_names[exec_size]) == 0) {
+                if (exec_cmd[j][0] == '\0') {
+                    snprintf(exec_cmd[j], sizeof(exec_cmd[j]), "%s", exec_cmd[exec_size]);
+                    dup_entry = 1;
+                    break;
+                } else if (exec_cmd[exec_size][0] == '\0') {
+                    dup_entry = 1;
+                }
+            }
+        }
+
+        if (dup_entry) {
+            exec_cmd[exec_size][0] = '\0';
+            exec_names[exec_size][0] = '\0';
+            exec_timeout[exec_size] = 0;
+        } else {
+            exec_size++;
+        }
+    }
+
+    fclose(fp);
+    f_time_reading = 0;
+
+    return (1);
+}
+
+/* Returns a pointer to the command name (full path)
+ * Returns NULL if name cannot be found
+ * If timeout is not NULL, write the timeout for that
+ * command to it
+ */
+char *GetCommandbyName(const char *name, int *timeout)
+{
+    int i = 0;
+
+    // Filter custom commands
+
+    if (name[0] == '!') {
+        if (w_ref_parent_folder(name + 1)) {
+            mwarn("Active response command '%s' vulnerable to directory traversal attack. Ignoring.", name + 1);
+            return NULL;
+        }
+
+        static char command[OS_FLSIZE];
+
+        if (snprintf(command, sizeof(command), "%s/%s", AR_BINDIR, name + 1) >= (int)sizeof(command)) {
+            mwarn("Cannot execute command '%32s...': path too long.", name + 1);
+            return NULL;
+        }
+
+        *timeout = 0;
+        return command;
+    }
+
+    for (; i < exec_size; i++) {
+        if (strcmp(name, exec_names[i]) == 0) {
+            *timeout = exec_timeout[i];
+            return (exec_cmd[i]);
+        }
+    }
+
+    return (NULL);
+}
+
+#ifndef WIN32
+
+/* Execute command given. Must be a argv** NULL terminated.
+ * Prints error to log message in case of problems
+ */
+void ExecCmd(char *const *cmd)
+{
+    pid_t pid;
+
+    /* Fork and leave it running */
+    pid = fork();
+    if (pid == 0) {
+        if (execv(*cmd, cmd) < 0) {
+            merror(EXEC_CMDERROR, *cmd, strerror(errno));
+            exit(1);
+        }
+
+        exit(0);
+    }
+
+    return;
+}
+
+#else
+
+void ExecCmd_Win32(char *cmd)
+{
+    STARTUPINFO si;
+    PROCESS_INFORMATION pi;
+
+    ZeroMemory( &si, sizeof(si) );
+    si.cb = sizeof(si);
+    ZeroMemory( &pi, sizeof(pi) );
+
+    if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL,
+                       &si, &pi)) {
+        merror("Unable to create active response process. ");
+        return;
+    }
+
+    /* Wait until process exits */
+    WaitForSingleObject(pi.hProcess, INFINITE );
+
+    /* Close process and thread */
+    CloseHandle( pi.hProcess );
+    CloseHandle( pi.hThread );
+
+    return;
+}
+#endif
diff --git a/src/modules/active_response/src/execd.c b/src/modules/active_response/src/execd.c
new file mode 100644
index 0000000000..6e07023b02
--- /dev/null
+++ b/src/modules/active_response/src/execd.c
@@ -0,0 +1,558 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "list_op.h"
+#include "os_regex/os_regex.h"
+#include "os_net/os_net.h"
+#include "wazuh_modules/wmodules.h"
+#include "../external/cJSON/cJSON.h"
+#include "execd.h"
+#include "active-response/active_responses.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+int repeated_offenders_timeout[] = {0, 0, 0, 0, 0, 0, 0};
+time_t pending_upg = 0;
+
+STATIC OSList *timeout_list;
+STATIC OSListNode *timeout_node;
+STATIC OSHash *repeated_hash;
+
+#ifdef WIN32
+#ifdef WAZUH_UNIT_TESTING
+    #include "unit_tests/wrappers/windows/libc/stdio_wrappers.h"
+#endif
+extern w_queue_t * winexec_queue;
+DWORD WINAPI win_exec_main(void * args);
+#endif
+
+
+/* Free the timeout entry
+ * Must be called after popping it from the timeout list
+ */
+void FreeTimeoutEntry(timeout_data *timeout_entry)
+{
+    char **tmp_str;
+
+    if (!timeout_entry) {
+        return;
+    }
+
+    tmp_str = timeout_entry->command;
+
+    /* Clear the command arguments */
+    if (tmp_str) {
+        while (*tmp_str) {
+            os_free(*tmp_str);
+            *tmp_str = NULL;
+            tmp_str++;
+        }
+        os_free(timeout_entry->command);
+    }
+
+    os_free(timeout_entry->parameters);
+
+    os_free(timeout_entry->rkey);
+
+    os_free(timeout_entry);
+}
+
+/* Free the timeout list
+ */
+void FreeTimeoutList() {
+    timeout_node = OSList_GetFirstNode(timeout_list);
+    while (timeout_node) {
+        FreeTimeoutEntry((timeout_data *)timeout_node->data);
+        OSList_DeleteCurrentlyNode(timeout_list);
+        timeout_node = OSList_GetCurrentlyNode(timeout_list);
+    }
+    os_free(timeout_list);
+}
+
+#ifdef WIN32
+void ExecdShutdown()
+#else
+void ExecdShutdown(int sig)
+#endif
+{
+    /* Remove pending active responses */
+    minfo(EXEC_SHUTDOWN);
+
+    timeout_node = timeout_list ? OSList_GetFirstNode(timeout_list) : NULL;
+    while (timeout_node) {
+        timeout_data *list_entry;
+
+        list_entry = (timeout_data *)timeout_node->data;
+
+        mdebug2("Delete pending AR: '%s' '%s'", list_entry->command[0], list_entry->parameters);
+
+        wfd_t *wfd = wpopenv(list_entry->command[0], list_entry->command, W_BIND_STDIN);
+        if (wfd) {
+            /* Send alert to AR script */
+            fprintf(wfd->file_in, "%s\n", list_entry->parameters);
+            fflush(wfd->file_in);
+            wpclose(wfd);
+        } else {
+            merror(EXEC_CMD_FAIL, strerror(errno), errno);
+        }
+
+        /* Delete current node - already sets the pointer to next */
+        OSList_DeleteCurrentlyNode(timeout_list);
+        timeout_node = OSList_GetCurrentlyNode(timeout_list);
+
+        /* Clear the memory */
+        FreeTimeoutEntry(list_entry);
+    }
+
+#ifndef WIN32
+    HandleSIG(sig);
+#endif
+}
+
+#ifdef WIN32
+void ExecdTimeoutRun()
+#else
+void ExecdTimeoutRun(int *childcount)
+#endif
+{
+    time_t curr_time = time(NULL);
+
+    /* Check if there is any timed out command to execute */
+    timeout_node = OSList_GetFirstNode(timeout_list);
+    while (timeout_node) {
+        timeout_data *list_entry;
+
+        list_entry = (timeout_data *)timeout_node->data;
+
+        /* Timed out */
+        if ((curr_time - list_entry->time_of_addition) > list_entry->time_to_block) {
+
+            mdebug1("Executing command '%s %s' after a timeout of '%ds'",
+                list_entry->command[0],
+                list_entry->parameters ? list_entry->parameters : "",
+                list_entry->time_to_block
+            );
+
+            wfd_t *wfd = wpopenv(list_entry->command[0], list_entry->command, W_BIND_STDIN);
+            if (wfd) {
+                /* Send alert to AR script */
+                fprintf(wfd->file_in, "%s\n", list_entry->parameters);
+                fflush(wfd->file_in);
+                wpclose(wfd);
+            } else {
+                merror(EXEC_CMD_FAIL, strerror(errno), errno);
+            }
+
+            /* Delete currently node - already sets the pointer to next */
+            OSList_DeleteCurrentlyNode(timeout_list);
+            timeout_node = OSList_GetCurrentlyNode(timeout_list);
+
+            /* Clear the memory */
+            FreeTimeoutEntry(list_entry);
+
+#ifndef WIN32
+            (*childcount)++;
+#endif
+        } else {
+            timeout_node = OSList_GetNextNode(timeout_list);
+        }
+    }
+}
+
+#ifdef WIN32
+void ExecdRun(char *exec_msg)
+#else
+void ExecdRun(char *exec_msg, int *childcount)
+#endif
+{
+    time_t curr_time;
+
+    int timeout_value;
+    int added_before = 0;
+
+    cJSON *json_root = NULL;
+    char *name = NULL;
+    char *cmd[2] = { NULL, NULL };
+    char *cmd_parameters = NULL;
+
+    timeout_data *timeout_entry;
+
+    /* Current time */
+    curr_time = time(0);
+
+    /* Parse message */
+    if (json_root = cJSON_Parse(exec_msg), !json_root) {
+        merror(EXEC_INV_JSON, exec_msg);
+        return;
+    }
+
+    /* Get application name */
+    cJSON *json_command = cJSON_GetObjectItem(json_root, "command");
+    if (json_command && (json_command->type == cJSON_String)) {
+        name = json_command->valuestring;
+    } else {
+        merror(EXEC_INV_CMD, exec_msg);
+        cJSON_Delete(json_root);
+        return;
+    }
+
+#ifndef WIN32
+    if (!strcmp(name, "restart-wazuh")) {
+        char *cmd_api[MAX_ARGS] = {0};
+
+        cJSON_Delete(json_root);
+
+        os_strdup("active-response/bin/restart.sh", cmd_api[0]);
+
+    #ifdef CLIENT
+        os_strdup("agent", cmd_api[1]);
+    #else
+        os_strdup("manager", cmd_api[1]);
+    #endif
+
+        ExecCmd(cmd_api);
+        return;
+    }
+#endif
+
+    /* Get command to execute */
+    cmd[0] = GetCommandbyName(name, &timeout_value);
+    if (!cmd[0]) {
+        ReadExecConfig();
+        cmd[0] = GetCommandbyName(name, &timeout_value);
+        if (!cmd[0]) {
+            merror(EXEC_INV_NAME, name);
+            cJSON_Delete(json_root);
+            return;
+        }
+    }
+    if (cmd[0][0] == '\0') {
+        cJSON_Delete(json_root);
+        return;
+    }
+
+    /* Command parameters */
+    cJSON_ReplaceItemInObject(json_root, "command", cJSON_CreateString(ADD_ENTRY));
+    cJSON *json_origin = cJSON_GetObjectItem(json_root, "origin");
+    cJSON_ReplaceItemInObject(json_origin, "module", cJSON_CreateString(ARGV0));
+    cJSON *json_parameters = cJSON_GetObjectItem(json_root, "parameters");
+    cJSON_AddItemToObject(json_parameters, "program", cJSON_CreateString(cmd[0]));
+    cmd_parameters = cJSON_PrintUnformatted(json_root);
+
+    /* Execute command */
+    mdebug1("Executing command '%s %s'", cmd[0], cmd_parameters ? cmd_parameters : "");
+
+    wfd_t *wfd = wpopenv(cmd[0], cmd, W_BIND_STDIN | W_BIND_STDOUT);
+    if (wfd) {
+        char response[OS_SIZE_8192];
+        char rkey[OS_SIZE_4096];
+        cJSON *keys_json = NULL;
+
+        /* Send alert to AR script */
+        fprintf(wfd->file_in, "%s\n", cmd_parameters);
+        fflush(wfd->file_in);
+
+        /* Receive alert keys from AR script to check timeout list */
+        if (fgets(response, sizeof(response), wfd->file_out) == NULL) {
+            mdebug1("Active response won't be added to timeout list. "
+                    "Message not received with alert keys from script '%s'", cmd[0]);
+            wpclose(wfd);
+            os_free(cmd_parameters);
+            cJSON_Delete(json_root);
+            return;
+        }
+
+        /* Set rkey initially with the name of the AR */
+        memset(rkey, '\0', OS_SIZE_4096);
+        snprintf(rkey, OS_SIZE_4096 - 1, "%s", basename_ex(cmd[0]));
+
+        keys_json = get_json_from_input(response);
+        if (keys_json != NULL) {
+            const char *action = get_command_from_json(keys_json);
+            if ((action != NULL) && (strcmp(CHECK_KEYS_ENTRY, action) == 0)) {
+                char *keys = get_keys_from_json(keys_json);
+                if (keys != NULL) {
+                    /* Append to rkey the alert keys that the AR script will use */
+                    strcat(rkey, keys);
+                    os_free(keys);
+                }
+            }
+            cJSON_Delete(keys_json);
+        }
+
+        added_before = 0;
+
+        /* We don't need to add to the list if the timeout_value == 0 */
+        if (timeout_value) {
+            if (repeated_hash != NULL) {
+                char *ntimes = NULL;
+
+                if ((ntimes = (char *) OSHash_Get(repeated_hash, rkey))) {
+                    int ntimes_int = 0;
+                    int i2 = 0;
+                    int new_timeout = 0;
+
+                    ntimes_int = atoi(ntimes);
+                    while (repeated_offenders_timeout[i2] != 0) {
+                        i2++;
+                    }
+                    if (ntimes_int >= i2) {
+                        new_timeout = repeated_offenders_timeout[i2 - 1] * 60;
+                    } else {
+                        os_free(ntimes);       /* In hash_op.c, data belongs to caller */
+                        os_calloc(16, sizeof(char), ntimes);
+                        new_timeout = repeated_offenders_timeout[ntimes_int] * 60;
+                        ntimes_int++;
+                        snprintf(ntimes, 16, "%d", ntimes_int);
+                        if (OSHash_Update(repeated_hash, rkey, ntimes) != 1) {
+                            os_free(ntimes);
+                            merror("At ExecdRun: OSHash_Update() failed");
+                        }
+                    }
+                    mdebug1("Repeated offender. Setting timeout to '%ds'", new_timeout);
+                    timeout_value = new_timeout;
+                } else {
+                    /* Add to the repeated offenders list */
+                    char *tmp_zero;
+                    os_strdup("0", tmp_zero);
+                    if (OSHash_Add(repeated_hash, rkey, tmp_zero) != 2) {
+                        os_free(tmp_zero);
+                        merror("At ExecdRun: OSHash_Add() failed");
+                    }
+                }
+            }
+
+            /* Check if this command was already executed */
+            timeout_node = OSList_GetFirstNode(timeout_list);
+            while (timeout_node) {
+                timeout_data *list_entry;
+
+                list_entry = (timeout_data *)timeout_node->data;
+                if (strcmp(list_entry->rkey, rkey) == 0) {
+                    /* Means we executed this command before and we don't need to add it again */
+                    added_before = 1;
+
+                    /* Update the timeout */
+                    mdebug1("Command already received, updating time of addition to now.");
+                    list_entry->time_of_addition = curr_time;
+                    list_entry->time_to_block = timeout_value;
+                    break;
+                }
+
+                /* Continue with the next entry in timeout list */
+                timeout_node = OSList_GetNextNode(timeout_list);
+            }
+
+            /* If it wasn't added before, do it now */
+            if (!added_before) {
+                /* Timeout parameters */
+                cJSON_ReplaceItemInObject(json_root, "command", cJSON_CreateString(DELETE_ENTRY));
+
+                /* Create the timeout entry */
+                os_calloc(1, sizeof(timeout_data), timeout_entry);
+                os_calloc(2, sizeof(char *), timeout_entry->command);
+                os_strdup(cmd[0], timeout_entry->command[0]);
+                timeout_entry->command[1] = NULL;
+                timeout_entry->parameters = cJSON_PrintUnformatted(json_root);
+                os_strdup(rkey, timeout_entry->rkey);
+                timeout_entry->time_of_addition = curr_time;
+                timeout_entry->time_to_block = timeout_value;
+
+                /* Add command to the timeout list */
+                mdebug1("Adding command '%s %s' to the timeout list, with a timeout of '%ds'.",
+                    timeout_entry->command[0],
+                    timeout_entry->parameters,
+                    timeout_entry->time_to_block
+                );
+
+                if (!OSList_AddData(timeout_list, timeout_entry)) {
+                    merror(LIST_ADD_ERROR);
+                    FreeTimeoutEntry(timeout_entry);
+                }
+            }
+        }
+
+        /* If it wasn't added before, continue execution */
+        if (!added_before) {
+            /* Continue command */
+            cJSON_ReplaceItemInObject(json_root, "command", cJSON_CreateString(CONTINUE_ENTRY));
+        } else {
+            /* Abort command */
+            cJSON_ReplaceItemInObject(json_root, "command", cJSON_CreateString(ABORT_ENTRY));
+        }
+
+        os_free(cmd_parameters);
+        cmd_parameters = cJSON_PrintUnformatted(json_root);
+
+        /* Send continue/abort message to AR script */
+        fprintf(wfd->file_in, "%s\n", cmd_parameters);
+        fflush(wfd->file_in);
+
+        wpclose(wfd);
+
+#ifndef WIN32
+        (*childcount)++;
+#endif
+    } else {
+        merror(EXEC_CMD_FAIL, strerror(errno), errno);
+    }
+
+    os_free(cmd_parameters);
+    cJSON_Delete(json_root);
+}
+
+#ifndef WIN32
+
+void ExecdStart(int q)
+{
+    int childcount = 0;
+
+    char buffer[OS_MAXSTR + 1];
+
+    /* Select */
+    fd_set fdset;
+    struct timeval socket_timeout;
+
+    /* Clear the buffer */
+    memset(buffer, '\0', OS_MAXSTR + 1);
+
+#ifndef WAZUH_UNIT_TESTING
+    /* Create list for timeout */
+    timeout_list = OSList_Create();
+    if (!timeout_list) {
+        merror_exit(LIST_ERROR);
+    }
+#endif
+
+    if (repeated_offenders_timeout[0] != 0) {
+        repeated_hash = OSHash_Create();
+    } else {
+        repeated_hash = NULL;
+    }
+
+    /* Main loop */
+    while (1) {
+        /* Clean up any children */
+        while (childcount) {
+            int wp;
+            wp = waitpid((pid_t) - 1, NULL, WNOHANG);
+            if (wp < 0 && errno != ECHILD) {
+                merror(WAITPID_ERROR, errno, strerror(errno));
+                break;
+            }
+            /* if = 0, we still need to wait for the child process */
+            else if (wp == 0) {
+                break;
+            }
+            /* Child completed if wp > 0 */
+            else {
+                childcount--;
+            }
+        }
+
+        ExecdTimeoutRun(&childcount);
+
+        /* Set timeout to EXECD_TIMEOUT */
+        socket_timeout.tv_sec = EXECD_TIMEOUT;
+        socket_timeout.tv_usec = 0;
+
+        /* Set FD values */
+        FD_ZERO(&fdset);
+        FD_SET(q, &fdset);
+
+        /* Add timeout */
+        if (select(q + 1, &fdset, NULL, NULL, &socket_timeout) == 0) {
+            /* Timeout */
+            continue;
+        }
+
+        /* Check for error */
+        if (!FD_ISSET(q, &fdset)) {
+            merror(SELECT_ERROR, errno, strerror(errno));
+            continue;
+        }
+
+        /* Receive the message */
+        if (OS_RecvUnix(q, OS_MAXSTR, buffer) == 0) {
+            merror(QUEUE_ERROR, EXECQUEUE, strerror(errno));
+            continue;
+        }
+
+        mdebug2("Received message: '%s'", buffer);
+
+        ExecdRun(buffer, &childcount);
+
+    #ifdef WAZUH_UNIT_TESTING
+        break;
+    #endif
+    }
+}
+
+#else
+
+int WinExecdStart()
+{
+    int c;
+    char *cfg = OSSECCONF;
+    winexec_queue = queue_init(OS_SIZE_128);
+
+    /* Read config */
+    if ((c = ExecdConfig(cfg)) < 0) {
+        mlerror_exit(LOGLEVEL_ERROR, CONFIG_ERROR, cfg);
+    }
+
+    /* Active response disabled */
+    if (c == 1) {
+        minfo(EXEC_DISABLED);
+        return (0);
+    }
+
+    /* Create list for timeout */
+    timeout_list = OSList_Create();
+    if (!timeout_list) {
+        merror_exit(LIST_ERROR);
+    }
+
+    if (repeated_offenders_timeout[0] != 0) {
+        repeated_hash = OSHash_Create();
+    } else {
+        repeated_hash = NULL;
+    }
+
+    /* Delete pending AR at succesfull exit */
+    atexit(ExecdShutdown);
+
+    /* Start up message */
+    minfo(STARTUP_MSG, getpid());
+
+    w_create_thread(NULL, 0, win_exec_main,
+                    winexec_queue, 0, NULL);
+
+    return (1);
+}
+
+// Create a thread to run windows AR simultaneous
+DWORD WINAPI win_exec_main(__attribute__((unused)) void * args) {
+    while(1) {
+        char* exec_msg = queue_pop_ex(winexec_queue);
+        if (exec_msg) {
+            ExecdRun(exec_msg);
+            os_free(exec_msg);
+        }
+    }
+}
+
+#endif
diff --git a/src/modules/active_response/src/main.c b/src/modules/active_response/src/main.c
new file mode 100644
index 0000000000..239bff5bc7
--- /dev/null
+++ b/src/modules/active_response/src/main.c
@@ -0,0 +1,177 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* agent daemon */
+
+#include "shared.h"
+#include "execd.h"
+
+
+/* Prototypes */
+static void help_execd(char * home_path) __attribute__((noreturn));
+
+
+/* Print help statement */
+static void help_execd(char * home_path)
+{
+    print_header();
+    print_out("  %s: -[Vhdtf] [-g group] [-c config]", ARGV0);
+    print_out("    -V          Version and license message");
+    print_out("    -h          This help message");
+    print_out("    -d          Execute in debug mode. This parameter");
+    print_out("                can be specified multiple times");
+    print_out("                to increase the debug level.");
+    print_out("    -t          Test configuration");
+    print_out("    -f          Run in foreground");
+    print_out("    -g <group>  Group to run as (default: %s)", GROUPGLOBAL);
+    print_out("    -c <config> Configuration file to use (default: %s)", OSSECCONF);
+    print_out(" ");
+    os_free(home_path);
+    exit(1);
+}
+
+
+#ifdef WAZUH_UNIT_TESTING
+__attribute((weak))
+#endif
+int main(int argc, char **argv)
+{
+    int c;
+    int test_config = 0, run_foreground = 0;
+    gid_t gid;
+    int m_queue = 0;
+    int debug_level = 0;
+    pthread_t wcom_thread;
+
+    /* Set the name */
+    OS_SetName(ARGV0);
+
+    // Define current working directory
+    char * home_path = w_homedir(argv[0]);
+    if (chdir(home_path) == -1) {
+        merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
+    }
+
+    const char *group = GROUPGLOBAL;
+    const char *cfg = OSSECCONF;
+
+
+    while ((c = getopt(argc, argv, "Vtdhfg:c:")) != -1) {
+        switch (c) {
+            case 'V':
+                print_version();
+                break;
+            case 'h':
+                help_execd(home_path);
+                break;
+            case 'd':
+                debug_level = 1;
+                nowDebug();
+                break;
+            case 'f':
+                run_foreground = 1;
+                break;
+            case 'g':
+                if (!optarg) {
+                    merror_exit("-g needs an argument.");
+                }
+                group = optarg;
+                break;
+            case 'c':
+                if (!optarg) {
+                    merror_exit("-c needs an argument.");
+                }
+                cfg = optarg;
+                break;
+            case 't':
+                test_config = 1;
+                break;
+            default:
+                help_execd(home_path);
+                break;
+        }
+    }
+
+    if (debug_level == 0) {
+        /* Get debug level */
+        debug_level = getDefine_Int("execd", "debug", 0, 2);
+        while (debug_level != 0) {
+            nowDebug();
+            debug_level--;
+        }
+    }
+
+    mdebug1(WAZUH_HOMEDIR, home_path);
+    os_free(home_path);
+
+    /* Check if the group given is valid */
+    gid = Privsep_GetGroup(group);
+    if (gid == (gid_t) - 1) {
+        merror_exit(USER_ERROR, "", group, strerror(errno), errno);
+    }
+
+    /* Privilege separation */
+    if (Privsep_SetGroup(gid) < 0) {
+        merror_exit(SETGID_ERROR, group, errno, strerror(errno));
+    }
+
+    /* Read config */
+    if ((c = ExecdConfig(cfg)) < 0) {
+        mlerror_exit(LOGLEVEL_ERROR, CONFIG_ERROR, cfg);
+    }
+
+    /* Exit if test_config */
+    if (test_config) {
+        exit(0);
+    }
+
+    /* Signal manipulation */
+    StartSIG2(ARGV0, ExecdShutdown);
+
+    if (!run_foreground) {
+        /* Going daemon */
+        nowDaemon();
+        goDaemon();
+    }
+
+    /* Active response disabled */
+    if (c == 1) {
+        minfo(EXEC_DISABLED);
+    }
+
+    /* Create the PID file */
+    if (CreatePID(ARGV0, getpid()) < 0) {
+        merror_exit(PID_ERROR);
+    }
+
+    // Start com request thread
+    if (CreateThreadJoinable(&wcom_thread, wcom_main, NULL) < 0) {
+        exit(EXIT_FAILURE);
+    }
+
+    /* Start up message */
+    minfo(STARTUP_MSG, (int)getpid());
+
+    /* If AR is disabled, do not continue */
+    if (c == 1) {
+        pthread_join(wcom_thread, NULL);
+        exit(EXIT_SUCCESS);
+    }
+
+    /* Start exec queue */
+    if ((m_queue = StartMQ(EXECQUEUE, READ, 0)) < 0) {
+        merror_exit(QUEUE_ERROR, EXECQUEUE, strerror(errno));
+    }
+
+    /* The real daemon Now */
+    ExecdStart(m_queue);
+
+    exit(0);
+}
diff --git a/src/modules/active_response/src/wcom.c b/src/modules/active_response/src/wcom.c
new file mode 100644
index 0000000000..fa1b6f875b
--- /dev/null
+++ b/src/modules/active_response/src/wcom.c
@@ -0,0 +1,491 @@
+/* Remote request listener
+ * Copyright (C) 2015, Wazuh Inc.
+ * Jun 07, 2017.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+#include <pthread.h>
+#include "os_net/os_net.h"
+#include "execd.h"
+#include "os_crypto/sha1/sha1_op.h"
+#include "os_crypto/signature/signature.h"
+#include "wazuh_modules/wmodules.h"
+#include "external/zlib/zlib.h"
+#include "client-agent/agentd.h"
+#include "logcollector/logcollector.h"
+#include "rootcheck/rootcheck.h"
+
+static int _jailfile(char finalpath[PATH_MAX + 1], const char * basedir, const char * filename);
+int req_timeout;
+int max_restart_lock;
+
+size_t wcom_dispatch(char *command, char ** output) {
+    char *rcv_comm = command;
+    char *rcv_args = NULL;
+    char * source;
+    char * target;
+
+    if ((rcv_args = strchr(rcv_comm, ' '))) {
+        *rcv_args = '\0';
+        rcv_args++;
+    }
+
+    if (strcmp(rcv_comm, "unmerge") == 0) {
+        if (!rcv_args) {
+            mdebug1("WCOM unmerge needs arguments.");
+            os_strdup("err WCOM unmerge needs arguments", *output);
+            return strlen(*output);
+        }
+        // unmerge [file_path]
+        return wcom_unmerge(rcv_args, output);
+
+    } else if (strcmp(rcv_comm, "uncompress") == 0) {
+        if (!rcv_args) {
+            mdebug1("WCOM uncompress needs arguments.");
+            os_strdup("err WCOM uncompress needs arguments", *output);
+            return strlen(*output);
+        }
+        // uncompress [file_path]
+        source = rcv_args;
+
+        if (target = strchr(rcv_args, ' '), target) {
+            *(target++) = '\0';
+            return wcom_uncompress(source, target, output);
+        } else {
+            mdebug1("Bad WCOM uncompress message.");
+            os_strdup("err Too few commands", *output);
+            return strlen(*output);
+        }
+
+    } else if (strcmp(rcv_comm, "restart") == 0 || strcmp(rcv_comm, "restart-wazuh") == 0) {
+        return wcom_restart(output);
+    } else if (strcmp(rcv_comm, "lock_restart") == 0) {
+        max_restart_lock = 0;
+        int timeout = -2;
+
+        if (!max_restart_lock) {
+            max_restart_lock = getDefine_Int("execd", "max_restart_lock", 0, 3600);
+        }
+
+        if (rcv_args) {
+            timeout = atoi(rcv_args);
+        }
+
+        if (timeout < -1) {
+            os_strdup("err Invalid timeout", *output);
+        } else {
+            os_strdup("ok ", *output);
+            if (timeout == -1 || timeout > max_restart_lock) {
+                if (timeout > max_restart_lock) {
+                    mwarn("Timeout exceeds the maximum allowed.");
+                }
+                timeout = max_restart_lock;
+            }
+        }
+        lock_restart(timeout);
+
+        return strlen(*output);
+
+    } else if (strcmp(rcv_comm, "getconfig") == 0) {
+        // getconfig section
+        if (!rcv_args) {
+            mdebug1("WCOM getconfig needs arguments.");
+            os_strdup("err WCOM getconfig needs arguments", *output);
+            return strlen(*output);
+        }
+        return wcom_getconfig(rcv_args, output);
+
+    } else if (strcmp(rcv_comm, "check-manager-configuration") == 0) {
+        return wcom_check_manager_config(output);
+
+    } else {
+        mdebug1("WCOM Unrecognized command '%s'.", rcv_comm);
+        os_strdup("err Unrecognized command", *output);
+        return strlen(*output);
+    }
+}
+
+size_t wcom_unmerge(const char *file_path, char ** output) {
+    char final_path[PATH_MAX + 1];
+
+    if (_jailfile(final_path, INCOMING_DIR, file_path) < 0) {
+        merror("At WCOM unmerge: Invalid file name");
+        os_strdup("err Invalid file name", *output);
+        return strlen(*output);
+    }
+
+    if (UnmergeFiles(final_path, INCOMING_DIR, OS_BINARY, NULL) == 0) {
+        merror("At WCOM unmerge: Error unmerging file '%s.'", final_path);
+        os_strdup("err Cannot unmerge file", *output);
+        return strlen(*output);
+    } else {
+        os_strdup("ok ", *output);
+        return strlen(*output);
+    }
+}
+
+size_t wcom_uncompress(const char * source, const char * target, char ** output) {
+    char final_source[PATH_MAX + 1];
+    char final_target[PATH_MAX + 1];
+    char buffer[4096];
+    gzFile fsource;
+    FILE *ftarget;
+    int length;
+
+    if (_jailfile(final_source, INCOMING_DIR, source) < 0) {
+        merror("At WCOM uncompress: Invalid file name");
+        os_strdup("err Invalid file name", *output);
+        return strlen(*output);
+    }
+
+    if (_jailfile(final_target, INCOMING_DIR, target) < 0) {
+        merror("At WCOM uncompress: Invalid file name");
+        os_strdup("err Invalid file name", *output);
+        return strlen(*output);
+    }
+
+    if (fsource = gzopen(final_source, "rb"), !fsource) {
+        merror("At WCOM uncompress: Unable to open '%s'", final_source);
+        os_strdup("err Unable to open source", *output);
+        return strlen(*output);
+    }
+
+    if (ftarget = wfopen(final_target, "wb"), !ftarget) {
+        gzclose(fsource);
+        merror("At WCOM uncompress: Unable to open '%s'", final_target);
+        os_strdup("err Unable to open target", *output);
+        return strlen(*output);
+    }
+
+    while (length = gzread(fsource, buffer, 4096), length > 0) {
+        if ((int)fwrite(buffer, 1, length, ftarget) != length) {
+            gzclose(fsource);
+            fclose(ftarget);
+            merror("At WCOM uncompress: Unable to write '%s'", final_target);
+            os_strdup("err Unable to write target", *output);
+            return strlen(*output);
+        }
+    }
+
+    if (length < 0) {
+        merror("At WCOM uncompress: Unable to read '%s'", final_source);
+        os_strdup("err Unable to read source", *output);
+    } else {
+        unlink(final_source);
+        os_strdup("ok ", *output);
+    }
+
+    gzclose(fsource);
+    fclose(ftarget);
+    return strlen(*output);
+}
+
+size_t wcom_restart(char ** output) {
+    time_t lock = pending_upg - time(NULL);
+    if (lock <= 0) {
+#ifndef WIN32
+        char *exec_cmd[3] = {NULL};
+
+        if (access("active-response/bin/restart.sh", F_OK) == 0) {
+            exec_cmd[0] = "active-response/bin/restart.sh";
+#ifdef CLIENT
+            exec_cmd[1] = "agent";
+#else
+            exec_cmd[1] = "manager";
+#endif
+        } else {
+            exec_cmd[0] = "bin/wazuh-control";
+            exec_cmd[1] = "restart";
+        }
+
+        switch (fork()) {
+            case -1:
+                merror("At WCOM restart: Cannot fork");
+                os_strdup("err Cannot fork", *output);
+            break;
+            case 0:
+                if (execv(exec_cmd[0], exec_cmd) < 0) {
+                    merror(EXEC_CMDERROR, *exec_cmd, strerror(errno));
+                    _exit(1);
+                }
+            break;
+            default:
+                os_strdup("ok ", *output);
+            break;
+        }
+#else
+        static char command[OS_FLSIZE];
+        snprintf(command, sizeof(command), "%s/%s", AR_BINDIR, "restart-wazuh.exe");
+        char *cmd[2] = { command, NULL };
+        char *cmd_parameters = "{\"version\":1,\"origin\":{\"name\":\"\",\"module\":\"wazuh-execd\"},\"command\":\"add\",\"parameters\":{\"extra_args\":[],\"alert\":{},\"program\":\"restart-wazuh.exe\"}}";
+        wfd_t *wfd = wpopenv(cmd[0], cmd, W_BIND_STDIN);
+        if (wfd) {
+            /* Send alert to AR script */
+            fprintf(wfd->file_in, "%s\n", cmd_parameters);
+            fflush(wfd->file_in);
+            wpclose(wfd);
+        } else {
+            merror("At WCOM restart: Cannot execute restart process");
+            os_strdup("err Cannot execute restart process", *output);
+        }
+#endif
+    } else {
+        minfo(LOCK_RES, (int)lock);
+    }
+
+    if (!*output) os_strdup("ok ", *output);
+    return strlen(*output);
+}
+
+
+size_t wcom_getconfig(const char * section, char ** output) {
+
+    cJSON *cfg;
+    char *json_str;
+
+    if (strcmp(section, "active-response") == 0) {
+        if (cfg = getARConfig(), cfg) {
+            os_strdup("ok ", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "logging") == 0) {
+        if (cfg = getLoggingConfig(), cfg) {
+            os_strdup("ok ", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "internal") == 0) {
+        if (cfg = getExecdInternalOptions(), cfg) {
+            os_strdup("ok ", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "cluster") == 0) {
+#ifndef WIN32
+        /* Check socket connection with cluster first */
+        int sock = -1;
+        char sockname[PATH_MAX + 1] = {0};
+
+        strcpy(sockname, CLUSTER_SOCK);
+
+        if (sock = OS_ConnectUnixDomain(sockname, SOCK_STREAM, OS_MAXSTR), sock < 0) {
+            os_strdup("err Unable to connect with socket. The component might be disabled", *output);
+            return strlen(*output);
+        }
+        else {
+            close(sock);
+
+            if (cfg = getClusterConfig(), cfg) {
+                os_strdup("ok ", *output);
+                json_str = cJSON_PrintUnformatted(cfg);
+                wm_strcat(output, json_str, ' ');
+                free(json_str);
+                cJSON_Delete(cfg);
+                return strlen(*output);
+            } else {
+                goto error;
+            }
+        }
+#endif
+    }else {
+        goto error;
+    }
+error:
+    mdebug1("At WCOM getconfig: Could not get '%s' section", section);
+    os_strdup("err Could not get requested section", *output);
+    return strlen(*output);
+}
+
+size_t wcom_check_manager_config(char **output) {
+    static const char *daemons[] = {"bin/wazuh-authd", "bin/wazuh-remoted",
+                                    "bin/wazuh-execd", "bin/wazuh-analysisd", "bin/wazuh-logcollector",
+                                    "bin/wazuh-integratord", "bin/wazuh-syscheckd", "bin/wazuh-maild",
+                                    "bin/wazuh-modulesd", "bin/wazuh-clusterd", "bin/wazuh-agentlessd",
+                                    "bin/wazuh-integratord", "bin/wazuh-dbd", "bin/wazuh-csyslogd", NULL
+                                    };
+
+    int response_retval = 0;
+    int i;
+    char command_in[PATH_MAX] = {0};
+    char *response_string = NULL;
+    char *command_out = NULL;
+    cJSON *response = cJSON_CreateObject();
+
+    OS_XML xml_check;
+    const char *cfg = OSSECCONF;
+
+    if (OS_ReadXML(cfg, &xml_check) < 0) {
+        snprintf(response_string, 0, "Error reading %s file", cfg);
+        response_retval = EXECVE_ERROR;
+    } else {
+        OS_ClearXML(&xml_check);
+
+        for (i = 0; daemons[i]; i++) {
+            response_retval = 0;
+            snprintf(command_in, PATH_MAX, "%s -t", daemons[i]);
+            // Exec a command with a timeout of 2000 seconds.
+            if (wm_exec(command_in, &command_out, &response_retval, 2000, NULL) < 0) {
+                if (response_retval == EXECVE_ERROR) {
+                    mwarn("Path is invalid or file has insufficient permissions. %s", command_in);
+                } else {
+                    mwarn("Error executing [%s]", command_in);
+                }
+
+                os_free(response_string);
+                size_t size = snprintf(NULL, 0, "Error executing %s - (%d)", command_in, response_retval);
+                os_calloc(size + 1, sizeof(char), response_string);
+                snprintf(response_string, size, "Error executing %s - (%d)", command_in, response_retval);
+                break;
+            }
+
+            if (command_out && *command_out) {
+                // Remove last newline
+                size_t lastchar = strlen(command_out) - 1;
+                command_out[lastchar] = command_out[lastchar] == '\n' ? '\0' : command_out[lastchar];
+
+                wm_strcat(&response_string, command_out, ' ');
+            }
+
+            os_free(command_out);
+
+            if(response_retval) {
+                break;
+            }
+        }
+    }
+
+    cJSON_AddNumberToObject(response, "error", response_retval);
+
+    if (response_retval) {
+        char error_msg[OS_SIZE_4096 - 27] = {0};
+        snprintf(error_msg, OS_SIZE_4096 - 27, "%s", response_string);
+        cJSON_AddStringToObject(response, "message", error_msg);
+    } else {
+        cJSON_AddStringToObject(response, "message", "ok");
+    }
+
+    os_free(response_string);
+
+    *output = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+
+    return strlen(*output);
+}
+
+#ifndef WIN32
+void * wcom_main(__attribute__((unused)) void * arg) {
+    int sock;
+    int peer;
+    char *buffer = NULL;
+    char *response = NULL;
+    ssize_t length;
+    fd_set fdset;
+
+    mdebug1("Local requests thread ready");
+
+    if (sock = OS_BindUnixDomain(COM_LOCAL_SOCK, SOCK_STREAM, OS_MAXSTR), sock < 0) {
+        merror("Unable to bind to socket '%s': (%d) %s.", COM_LOCAL_SOCK, errno, strerror(errno));
+        return NULL;
+    }
+
+    while (1) {
+
+        // Wait for socket
+        FD_ZERO(&fdset);
+        FD_SET(sock, &fdset);
+
+        switch (select(sock + 1, &fdset, NULL, NULL, NULL)) {
+        case -1:
+            if (errno != EINTR) {
+                merror_exit("At wcom_main(): select(): %s", strerror(errno));
+            }
+
+            continue;
+
+        case 0:
+            continue;
+        }
+
+        if (peer = accept(sock, NULL, NULL), peer < 0) {
+            if (errno != EINTR) {
+                merror("At wcom_main(): accept(): %s", strerror(errno));
+            }
+
+            continue;
+        }
+
+        os_calloc(OS_MAXSTR, sizeof(char), buffer);
+        switch (length = OS_RecvSecureTCP(peer, buffer,OS_MAXSTR), length) {
+        case OS_SOCKTERR:
+            merror("At wcom_main(): OS_RecvSecureTCP(): response size is bigger than expected");
+            break;
+
+        case -1:
+            merror("At wcom_main(): OS_RecvSecureTCP(): %s", strerror(errno));
+            break;
+
+        case 0:
+            mdebug1("Empty message from local client.");
+            close(peer);
+            break;
+
+        case OS_MAXLEN:
+            merror("Received message > %i", MAX_DYN_STR);
+            close(peer);
+            break;
+
+        default:
+            length = wcom_dispatch(buffer, &response);
+            OS_SendSecureTCP(peer, length, response);
+            os_free(response);
+            close(peer);
+        }
+        os_free(buffer);
+    }
+
+    mdebug1("Local server thread finished.");
+
+    close(sock);
+    return NULL;
+}
+
+#endif
+
+int _jailfile(char finalpath[PATH_MAX + 1], const char * basedir, const char * filename) {
+
+    if (w_ref_parent_folder(filename)) {
+        return -1;
+    }
+
+#ifndef WIN32
+    return snprintf(finalpath, PATH_MAX + 1, "%s/%s", basedir, filename) > PATH_MAX ? -1 : 0;
+#else
+    return snprintf(finalpath, PATH_MAX + 1, "%s\\%s", basedir, filename) > PATH_MAX ? -1 : 0;
+#endif
+}
+
+size_t lock_restart(int timeout) {
+    pending_upg = time(NULL) + (time_t) timeout;
+    return 0;
+}
diff --git a/src/modules/active_response/tests/integration/conftest.py b/src/modules/active_response/tests/integration/conftest.py
new file mode 100644
index 0000000000..d29cfdace6
--- /dev/null
+++ b/src/modules/active_response/tests/integration/conftest.py
@@ -0,0 +1,350 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+import subprocess
+import pytest
+from typing import List
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.configurations import AR_CONF
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.agentd.patterns import AGENTD_CONNECTED_TO_SERVER
+from wazuh_testing.modules.execd.patterns import EXECD_RECEIVED_MESSAGE
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.tools.simulators.authd_simulator import AuthdSimulator
+from wazuh_testing.tools.simulators.remoted_simulator import RemotedSimulator
+from wazuh_testing.utils import configuration, file, services
+from wazuh_testing.utils.callbacks import generate_callback
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            file.truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            file.truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            services.control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                services.control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        services.control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            services.control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def configure_ar_conf(request: pytest.FixtureRequest) -> None:
+    """
+    Fixture for configuring the ar.conf file.
+
+    This fixture checks if the `ar_conf` variable is defined in the module and reads its
+    value. It then backs up the original state of the `ar.conf` file, writes the new
+    configuration, specified in `ar_conf`, and restores the original state after the test.
+
+    Args:
+        request (pytest.FixtureRequest): The request object representing the fixture.
+
+    Raises:
+        AttributeError: If the `ar_conf` variable is not defined in the module.
+    """
+    if not hasattr(request.module, 'ar_conf'):
+        raise AttributeError('The var `ar_conf` is not defined in module.')
+
+    ar_config = getattr(request.module, 'ar_conf')
+
+    if file.exists_and_is_file(AR_CONF):
+        backup = file.read_file_lines(AR_CONF)
+    else:
+        backup = None
+
+    file.write_file(AR_CONF, ar_config)
+
+    yield
+
+    if backup:
+        file.write_file(AR_CONF, backup)
+    else:
+        file.remove_file(AR_CONF)
+
+
+@pytest.fixture()
+def send_execd_message(test_metadata: dict, remoted_simulator: RemotedSimulator) -> None:
+    """
+    Fixture for sending an execd message and monitoring its execution.
+
+    This fixture validates the input, instantiates a `RemotedSimulator` and a `FileMonitor`,
+    starts the simulator and waits for the agent to connect to it. It then sends the input
+    message to the simulator and waits for the execd to start processing the message. After
+    the test, the simulator is shut down.
+
+    Args:
+        test_metadata (dict): Metadata containing the test input.
+
+    Raises:
+        AttributeError: If the `input` key is missing in the `test_metadata`.
+    """
+    if test_metadata.get('input') is None:
+        raise AttributeError('No `input` key in `test_metadata`.')
+
+    monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    monitor.start(callback=generate_callback(AGENTD_CONNECTED_TO_SERVER))
+    remoted_simulator.send_custom_message(test_metadata['input'])
+    monitor.start(callback=generate_callback(EXECD_RECEIVED_MESSAGE))
+
+
+@pytest.fixture()
+def remoted_simulator() -> RemotedSimulator:
+    """
+    Fixture for an RemotedSimulator instance.
+
+    This fixture creates an instance of the RemotedSimulator and starts it.
+    The simulator is yielded to the test function, allowing to interact
+    with it. After the test function finishes, the simulator is shut down.
+
+    Returns:
+        RemotedSimulator: An instance of the RemotedSimulator.
+
+    """
+    remoted = RemotedSimulator()
+    remoted.start()
+
+    yield remoted
+
+    remoted.shutdown()
+
+
+@pytest.fixture()
+def authd_simulator() -> AuthdSimulator:
+    """
+    Fixture for an AuthdSimulator instance.
+
+    This fixture creates an instance of the AuthdSimulator and starts it.
+    The simulator is yielded to the test function, allowing to interact
+    with it. After the test function finishes, the simulator is shut down.
+
+    Returns:
+        AuthdSimulator: An instance of the AuthdSimulator.
+
+    """
+    authd = AuthdSimulator()
+    authd.start()
+
+    yield authd
+
+    authd.shutdown()
diff --git a/src/modules/active_response/tests/integration/pytest.ini b/src/modules/active_response/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/active_response/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/__init__.py b/src/modules/active_response/tests/integration/test_run_active_response/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/data/configuration_templates/config_run_active_response.yaml b/src/modules/active_response/tests/integration/test_run_active_response/data/configuration_templates/config_run_active_response.yaml
new file mode 100644
index 0000000000..764e69fca4
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/data/configuration_templates/config_run_active_response.yaml
@@ -0,0 +1,23 @@
+- sections:
+    - section: client
+      elements:
+        - notify_time:
+            value: 10
+        - time-reconnect:
+            value: 60
+        - auto_restart:
+            value: "yes"
+        - crypto_method:
+            value: "aes"
+        - server:
+            elements:
+                - address:
+                    value: 127.0.0.1
+                - port:
+                    value: 1514
+                - protocol:
+                    value: tcp
+    - section: active-response
+      elements:
+        - disabled:
+            value: "no"
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_firewall_drop.yaml b/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_firewall_drop.yaml
new file mode 100644
index 0000000000..8a5db0482a
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_firewall_drop.yaml
@@ -0,0 +1,33 @@
+- name: Command execution succeed
+  description: Checks the firewall-drop5 command succeed
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"version":1,"origin":{"name":"","module":"wazuh-analysisd"},"command":"firewall-drop5",
+            "parameters":{"extra_args":[],"alert":{"rule":{"level":5,"description":"Test.","id":5715},
+            "data":{"dstuser":"Test.","srcip":"3.3.3.3"}}}}'
+
+- name: Command execution fail - missing 'srcip'
+  description: Checks the firewall-drop command does not succeed because the 'srcip' is not sent.
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"version":1,"origin":{"name":"","module":"wazuh-analysisd"},"command":"firewall-drop5",
+            "parameters":{"extra_args":[],"alert":{"rule":{"level":5,"description":"Test.","id":5715},
+            "data":{"dstuser":"Test."}}}}'
+    expected_error: .*Cannot read 'srcip' from data
+
+- name: Command execution fail - invalid format no version
+  description: Checks the firewall-drop command does not succeed because the input is invalid.
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"origin":{"name":"","module":"wazuh-analysisd"},"command":"firewall-drop5",
+            "parameters":{"extra_args":[],"alert":{"rule":{"level":5,"description":"Test.","id":5715},
+            "data":{"dstuser":"Test."}}}}'
+    expected_error: .*Invalid input format
+
+- name: Command execution fail - invalid format no parameters
+  description: Checks the firewall-drop command does not succeed because the 'srcip' is not sent.
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"version":1,"origin":{"name":"","module":"wazuh-analysisd"},"command":"firewall-drop5",
+            "data":{"dstuser":"Test.","srcip":"3.3.3.3"}}}}'
+    expected_error: .*Invalid input format
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_restart.yaml b/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_restart.yaml
new file mode 100644
index 0000000000..ea26153cc9
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/data/test_cases/cases_execd_restart.yaml
@@ -0,0 +1,14 @@
+- name: Command execution succeed
+  description: Checks the firewall-drop5 command succeed
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"version":1,"origin":{"name":"","module":"wazuh-analysisd"},"command":"restart-wazuh0",
+            "parameters":{"extra_args":[],"alert":{"rule":{"level":5,"description":"Test.","id":554}}}}'
+
+- name: Command execution succeed
+  description: Checks the firewall-drop5 command succeed
+  configuration_parameters:
+  metadata:
+    input: '#!-execd {"origin":{"name":"","module":"wazuh-analysisd"},"command":"restart-wazuh0",
+            "parameters":{"extra_args":[],"alert":{"rule":{"level":5,"description":"Test.","id":554}}}}'
+    expected_error: .*Invalid input format
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/test_firewall_drop.py b/src/modules/active_response/tests/integration/test_run_active_response/test_firewall_drop.py
new file mode 100644
index 0000000000..644a40ed60
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/test_firewall_drop.py
@@ -0,0 +1,143 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: Active responses execute a script in response to the triggering of specific alerts based
+       on the alert level or rule group. These tests will check if the 'active responses',
+       which are executed by the 'wazuh-execd' daemon via scripts, run correctly.
+
+components:
+    - execd
+
+suite: execd
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-execd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH, ACTIVE_RESPONSE_LOG_PATH
+from wazuh_testing.modules.execd.active_response import patterns as ar_patterns
+from wazuh_testing.modules.execd import patterns as execd_paterns
+from wazuh_testing.modules.execd.configuration import EXECD_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+
+# Set pytest marks.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=1)]
+
+# Cases metadata and its ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_execd_firewall_drop.yaml')
+config_path = Path(CONFIGS_PATH, 'config_run_active_response.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test internal options and configurations.
+local_internal_options = {EXECD_DEBUG: '2'}
+daemons_handler_configuration = {'all_daemons': True}
+ar_conf = 'firewall-drop5 - firewall-drop - 5'
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata',  zip(test_configuration, test_metadata), ids=cases_ids)
+def test_execd_firewall_drop(test_configuration, test_metadata, configure_local_internal_options, truncate_monitored_files,
+                             set_wazuh_configuration, configure_ar_conf, remoted_simulator, authd_simulator,
+                             daemons_handler, send_execd_message):
+    '''
+    description: Check if 'firewall-drop' command of 'active response' is executed correctly.
+                 For this purpose, a simulated agent is used and the 'active response'
+                 is sent to it. This response includes an IP address that must be added
+                 and removed from 'iptables', the Linux firewall.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_metadata:
+            type: dict
+            brief: Test case metadata.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - configure_ar_conf:
+            type: fixture
+            brief: Set the Active Response configuration.
+        - remoted_simulator:
+            type: fixture
+            brief: Starts an RemotedSimulator instance for the test function.
+        - authd_simulator:
+            type: fixture
+            brief: Starts an AuthdSimulator instance for the test function.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - send_execd_message:
+            type: fixture
+            brief: Send an execd message to the agent using RemotedSimulator.
+
+    assertions:
+        - Check the expected error is raised when it supposed to fail.
+        - Check execd is executed correctly.
+        - Check the firewall-drop program is used.
+        - Check the firewall rule is added and deleted with correct scrip.
+    input_description:
+        - The `cases_execd_firewall_drop.yaml` file provides the test cases.
+    '''
+    ar_monitor = FileMonitor(ACTIVE_RESPONSE_LOG_PATH)
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    if error_message := test_metadata.get('expected_error'):
+        callback = generate_callback(error_message)
+        ar_monitor.start(callback=callback)
+        assert ar_monitor.callback_result, 'AR `firewall-drop` did not fail.'
+        return
+
+    wazuh_log_monitor.start(callback=generate_callback(execd_paterns.EXECD_EXECUTING_COMMAND))
+    assert wazuh_log_monitor.callback_result, 'Execd `executing` command log not raised.'
+
+    ar_monitor.start(callback=generate_callback(ar_patterns.ACTIVE_RESPONSE_FIREWALL_DROP))
+    assert ar_monitor.callback_result, 'AR `firewall-drop` program not used.'
+
+    ar_monitor.start(callback=generate_callback(ar_patterns.ACTIVE_RESPONSE_ADD_COMMAND))
+    assert ar_monitor.callback_result, 'AR `add` command not executed.'
+    assert '"srcip":"3.3.3.3"' in ar_monitor.callback_result, 'AR `srcip` value is not correct.'
+
+    ar_monitor.start(callback=generate_callback(ar_patterns.ACTIVE_RESPONSE_DELETE_COMMAND))
+    assert ar_monitor.callback_result, 'AR `delete` command not executed.'
diff --git a/src/modules/active_response/tests/integration/test_run_active_response/test_restart_wazuh.py b/src/modules/active_response/tests/integration/test_run_active_response/test_restart_wazuh.py
new file mode 100644
index 0000000000..5830a566a6
--- /dev/null
+++ b/src/modules/active_response/tests/integration/test_run_active_response/test_restart_wazuh.py
@@ -0,0 +1,142 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: Active responses execute a script in response to the triggering of specific alerts based
+       on the alert level or rule group. These tests will check if the 'active responses',
+       which are executed by the 'wazuh-execd' daemon via scripts, run correctly.
+
+components:
+    - execd
+
+suite: execd
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-execd
+
+os_platform:
+    - linux
+    - Windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 11
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import ACTIVE_RESPONSE_LOG_PATH, WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.execd.active_response.patterns import ACTIVE_RESPONSE_RESTART_WAZUH
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.execd.configuration import EXECD_DEBUG
+from wazuh_testing.modules.execd.patterns import EXECD_SHUTDOWN_RECEIVED
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+
+# Set pytest marks.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Cases metadata and its ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_execd_restart.yaml')
+config_path = Path(CONFIGS_PATH, 'config_run_active_response.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test internal options and configurations.
+local_internal_options = {AGENTD_WINDOWS_DEBUG if sys.platform == WINDOWS else EXECD_DEBUG: '2'}
+daemons_handler_configuration = {'all_daemons': True}
+ar_conf = 'restart-wazuh0 - restart-wazuh - 0\nrestart-wazuh0 - restart-wazuh.exe - 0'
+
+
+# Test Function.
+@pytest.mark.parametrize('test_configuration, test_metadata',  zip(test_configuration, test_metadata), ids=cases_ids)
+def test_execd_restart(test_configuration, test_metadata, configure_local_internal_options, truncate_monitored_files,
+                       set_wazuh_configuration, configure_ar_conf, remoted_simulator, authd_simulator,
+                       daemons_handler, send_execd_message):
+    '''
+    description: Check if 'restart-wazuh' command of 'active response' is executed correctly.
+                 For this purpose, a simulated server is used, from which the active response is sent.
+                 This response includes the order to restart the Wazuh agent, which must restart after
+                 receiving this response.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_metadata:
+            type: dict
+            brief: Test case metadata.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - configure_ar_conf:
+            type: fixture
+            brief: Set the Active Response configuration.
+        - remoted_simulator:
+            type: fixture
+            brief: Starts an RemotedSimulator instance for the test function.
+        - authd_simulator:
+            type: fixture
+            brief: Starts an AuthdSimulator instance for the test function.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - send_execd_message:
+            type: fixture
+            brief: Send an execd message to the agent using RemotedSimulator.
+
+    assertions:
+        - Check the expected error is raised when it supposed to fail.
+        - Check the execd shutdown log is raised.
+        - Check the restart-wazuh program is used.
+    input_description:
+        - The `cases_execd_restart.yaml` file provides the test cases.
+    '''
+    ar_monitor = FileMonitor(ACTIVE_RESPONSE_LOG_PATH)
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    if error_message := test_metadata.get('expected_error'):
+        callback = generate_callback(error_message)
+        ar_monitor.start(callback=callback)
+        assert ar_monitor.callback_result, 'AR `wazuh-restart` did not fail.'
+        return
+
+    wazuh_log_monitor.start(callback=generate_callback(EXECD_SHUTDOWN_RECEIVED))
+    assert wazuh_log_monitor.callback_result, 'Execd `shutdown` log not raised.'
+
+    ar_monitor.start(callback=generate_callback(ACTIVE_RESPONSE_RESTART_WAZUH))
+    assert ar_monitor.callback_result, 'AR `restart-wazuh` program not used.'
diff --git a/src/modules/active_response/tests/unit/tests/CMakeLists.txt b/src/modules/active_response/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..46795cf724
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,83 @@
+# Generate execd library
+file(GLOB execd_files
+    ${SRC_FOLDER}/os_execd/*.o
+    ${SRC_FOLDER}/active-response/*.o)
+
+add_library(EXECD_O STATIC ${execd_files})
+
+set_source_files_properties(
+    ${execd_files}
+    PROPERTIES
+    EXTERNAL_OBJECT true
+    GENERATED true
+)
+
+set_target_properties(
+    EXECD_O
+    PROPERTIES
+    LINKER_LANGUAGE C
+)
+
+target_link_libraries(EXECD_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Generate Execd tests
+if(${TARGET} STREQUAL "winagent")
+    list(APPEND execd_names "test_win_execd")
+    list(APPEND execd_flags "-Wl,--wrap,ReadExecConfig -Wl,--wrap,GetCommandbyName -Wl,--wrap,wpopenv -Wl,--wrap,wpclose -Wl,--wrap,fwrite \
+                             -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fread -Wl,--wrap,fseek \
+                             -Wl,--wrap,remove -Wl,--wrap,fgetpos -Wl,--wrap=fgetc -Wl,--wrap,fwrite -Wl,--wrap,wfopen \
+                             -Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck -Wl,--wrap=is_fim_shutdown \
+                             -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown \
+                             -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND execd_names "test_get_command_by_name")
+    list(APPEND execd_flags "-Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck -Wl,--wrap=is_fim_shutdown \
+                             -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown \
+                             ${DEBUG_OP_WRAPPERS}")
+else()
+    list(APPEND execd_names "test_execd")
+    list(APPEND execd_flags "-Wl,--wrap,time -Wl,--wrap,select -Wl,--wrap,OS_RecvUnix -Wl,--wrap,wfopen \
+                             -Wl,--wrap,ReadExecConfig -Wl,--wrap,GetCommandbyName -Wl,--wrap,wpopenv -Wl,--wrap,wpclose -Wl,--wrap,fwrite \
+                             -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fread -Wl,--wrap,fseek \
+                             -Wl,--wrap,remove -Wl,--wrap,fgetpos -Wl,--wrap=fgetc -Wl,--wrap,fwrite \
+                             -Wl,--wrap,fprintf -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND execd_names "test_get_command_by_name")
+    list(APPEND execd_flags "${DEBUG_OP_WRAPPERS}")
+endif()
+
+list(LENGTH execd_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET execd_names ${counter} execd_test_name)
+    list(GET execd_flags ${counter} execd_test_flags)
+
+    add_executable(${execd_test_name} ${execd_test_name}.c)
+
+    target_link_libraries(
+        ${execd_test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        EXECD_O
+        ${TEST_DEPS}
+    )
+
+    if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${execd_test_name} fimdb)
+    endif(${TARGET} STREQUAL "winagent")
+
+    if(NOT execd_test_flags STREQUAL " ")
+        target_link_libraries(
+            ${execd_test_name}
+            ${execd_test_flags}
+        )
+    endif()
+    add_test(NAME ${execd_test_name} COMMAND ${execd_test_name})
+endforeach()
diff --git a/src/modules/active_response/tests/unit/tests/binaries/CMakeLists.txt b/src/modules/active_response/tests/unit/tests/binaries/CMakeLists.txt
new file mode 100644
index 0000000000..4778843f3c
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/binaries/CMakeLists.txt
@@ -0,0 +1,50 @@
+# Generate active-response library
+file(GLOB active-response_files
+    ${SRC_FOLDER}/active-response/*.o)
+
+add_library(ACTIVE-RESPONSE_O STATIC ${active-response_files})
+
+set_source_files_properties(
+    ${active-response_files}
+    PROPERTIES
+    EXTERNAL_OBJECT true
+    GENERATED true
+)
+
+set_target_properties(
+    ACTIVE-RESPONSE_O
+    PROPERTIES
+    LINKER_LANGUAGE C
+)
+
+target_link_libraries(ACTIVE-RESPONSE_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+# Generate active-response tests
+if(NOT ${TARGET} STREQUAL "winagent")
+    list(APPEND active-response_names "test_active_response")
+    list(APPEND active-response_flags "-Wl,--wrap,getaddrinfo -Wl,--wrap,fcntl")
+endif()
+
+list(LENGTH active-response_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET active-response_names ${counter} active-response_test_name)
+    list(GET active-response_flags ${counter} active-response_test_flags)
+
+    add_executable(${active-response_test_name} ${active-response_test_name}.c)
+
+    target_link_libraries(
+        ${active-response_test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        ACTIVE-RESPONSE_O
+        ${TEST_DEPS}
+    )
+    if(NOT active-response_test_flags STREQUAL " ")
+        target_link_libraries(
+            ${active-response_test_name}
+            ${active-response_test_flags}
+        )
+    endif()
+    add_test(NAME ${active-response_test_name} COMMAND ${active-response_test_name})
+endforeach()
\ No newline at end of file
diff --git a/src/modules/active_response/tests/unit/tests/binaries/test_active_response.c b/src/modules/active_response/tests/unit/tests/binaries/test_active_response.c
new file mode 100644
index 0000000000..062d27da43
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/binaries/test_active_response.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <setjmp.h>
+#include <stdio.h>
+#include <cmocka.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../../headers/shared.h"
+#include "../../active-response/active_responses.h"
+
+#include "../wrappers/common.h"
+
+// Structs
+typedef struct test_struct {
+    struct addrinfo *addr;
+} test_struct_t;
+
+// Setup / Teardown
+
+static int test_setup(void **state) {
+    test_struct_t *init_data = NULL;
+
+    os_calloc(1,sizeof(test_struct_t),init_data);
+    os_calloc(1, sizeof(struct addrinfo), init_data->addr);
+    os_calloc(1, sizeof(struct sockaddr), init_data->addr->ai_addr);
+
+    *state = init_data;
+
+    test_mode = 1;
+
+    return OS_SUCCESS;
+}
+
+static int test_teardown(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    os_free(data->addr->ai_addr);
+    os_free(data->addr);
+    os_free(data);
+
+    test_mode = 0;
+
+    return OS_SUCCESS;
+}
+
+// Tests
+void test_get_ip_version_success_ipv4(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *dummy_ipaddr = "";
+
+    data->addr->ai_family = AF_INET;
+
+    expect_string(__wrap_getaddrinfo, node, dummy_ipaddr);
+    will_return(__wrap_getaddrinfo, data->addr);
+    will_return(__wrap_getaddrinfo, 0);     //0 means success
+
+    int ret = get_ip_version(dummy_ipaddr);
+
+    assert_int_equal(ret, 4);
+}
+
+void test_get_ip_version_success_ipv6(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *dummy_ipaddr = "";
+
+    data->addr->ai_family = AF_INET6;
+
+    expect_string(__wrap_getaddrinfo, node, dummy_ipaddr);
+    will_return(__wrap_getaddrinfo, data->addr);
+    will_return(__wrap_getaddrinfo, 0);     //0 means success
+
+    int ret = get_ip_version(dummy_ipaddr);
+
+    assert_int_equal(ret, 6);
+}
+
+void test_get_ip_version_no_success(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *dummy_ipaddr = "";
+
+    data->addr->ai_family = AF_INET6;
+
+    expect_string(__wrap_getaddrinfo, node, dummy_ipaddr);
+    will_return(__wrap_getaddrinfo, data->addr);
+    will_return(__wrap_getaddrinfo, 1);
+
+    int ret = get_ip_version(dummy_ipaddr);
+
+    assert_int_equal(ret, -1);    //OS_INVALID
+}
+
+void test_get_ip_version_success_invalid_ip(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *dummy_ipaddr = "";
+
+    data->addr->ai_family = -1;         //invalid family
+
+    expect_string(__wrap_getaddrinfo, node, dummy_ipaddr);
+    will_return(__wrap_getaddrinfo, data->addr);
+    will_return(__wrap_getaddrinfo, 0);     //0 means success
+
+    int ret = get_ip_version(dummy_ipaddr);
+
+    assert_int_equal(ret, -1);    //OS_INVALID
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_get_ip_version_success_ipv4, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_ip_version_success_ipv6, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_ip_version_no_success, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_ip_version_success_invalid_ip, test_setup, test_teardown),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/active_response/tests/unit/tests/test_execd.c b/src/modules/active_response/tests/unit/tests/test_execd.c
new file mode 100644
index 0000000000..31b7d45e4a
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/test_execd.c
@@ -0,0 +1,1144 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "shared.h"
+#include "list_op.h"
+#include "../os_regex/os_regex.h"
+#include "../os_net/os_net.h"
+#include "../wazuh_modules/wmodules.h"
+#include "../external/cJSON/cJSON.h"
+#include "../os_execd/execd.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/posix/select_wrappers.h"
+#include "../wrappers/wazuh/os_execd/exec_wrappers.h"
+#include "../wrappers/wazuh/os_net/os_net_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/exec_op_wrappers.h"
+
+extern int test_mode;
+extern OSList *timeout_list;
+
+void ExecdStart(int q);
+
+/* Setup/Teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+static int test_setup_file(void **state) {
+    wfd_t* wfd = NULL;
+    os_calloc(1, sizeof(wfd_t), wfd);
+    wfd->file_in = (FILE *)1;
+    wfd->file_out = (FILE *)2;
+    timeout_list = OSList_Create();
+    *state = wfd;
+    return 0;
+}
+
+static int test_setup_file_timeout(void **state) {
+    wfd_t* wfd = NULL;
+    os_calloc(1, sizeof(wfd_t), wfd);
+    wfd->file_in = (FILE *)1;
+    wfd->file_out = (FILE *)2;
+    timeout_list = OSList_Create();
+    timeout_data *timeout_entry;
+    os_calloc(1, sizeof(timeout_data), timeout_entry);
+    os_calloc(2, sizeof(char *), timeout_entry->command);
+    os_strdup("restart-wazuh10", timeout_entry->command[0]);
+    timeout_entry->command[1] = NULL;
+    os_strdup("restart-wazuh-10.0.0.1-root", timeout_entry->rkey);
+    timeout_entry->time_of_addition = 123456789;
+    timeout_entry->time_to_block = 10;
+    OSList_AddData(timeout_list, timeout_entry);
+    *state = wfd;
+    return 0;
+}
+
+static int test_teardown_file(void **state) {
+    wfd_t* wfd = *state;
+    os_free(wfd);
+    FreeTimeoutList();
+    return 0;
+}
+
+/* Tests */
+
+static void test_ExecdStart_ok(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh0\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.1\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"continue\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_timeout_not_repeated(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh10\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 10;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh10\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh10");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.2\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"continue\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Adding command 'restart-wazuh {"
+                                                                                    "\"version\":\"1\","
+                                                                                    "\"origin\":{"
+                                                                                        "\"name\":\"node01\","
+                                                                                        "\"module\":\"wazuh-execd\""
+                                                                                    "},"
+                                                                                    "\"command\":\"delete\","
+                                                                                    "\"parameters\":{"
+                                                                                        "\"extra_args\":[],"
+                                                                                        "\"alert\":{"
+                                                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                            "\"rule\":{"
+                                                                                                "\"level\":5,"
+                                                                                                "\"description\":\"File added to the system.\","
+                                                                                                "\"id\":\"554\""
+                                                                                            "},"
+                                                                                            "\"id\":\"1609860180.513333\","
+                                                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                            "\"syscheck\":{"
+                                                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                "\"mode\":\"realtime\","
+                                                                                                "\"event\":\"added\""
+                                                                                            "},"
+                                                                                            "\"location\":\"syscheck\""
+                                                                                        "},"
+                                                                                        "\"program\":\"restart-wazuh\""
+                                                                                    "}"
+                                                                                "}' to the timeout list, with a timeout of '10s'.");
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_timeout_repeated(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh10\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 10;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh10\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh10");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.1\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"abort\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Command already received, updating time of addition to now.");
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_wpopenv_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh0\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1317): Could not launch command Success (0)");
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_fgets_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh0\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fprintf, __stream, wfd->file_in);
+    expect_string(__wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_value(__wrap_fgets, __stream, wfd->file_out);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Active response won't be added to timeout list. Message not received with alert keys from script 'restart-wazuh'");
+
+    will_return(__wrap_wpclose, 0);
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_get_command_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{"
+                                                                        "\"version\":\"1\","
+                                                                        "\"origin\":{"
+                                                                            "\"name\":\"node01\","
+                                                                            "\"module\":\"wazuh-analysisd\""
+                                                                        "},"
+                                                                        "\"command\":\"restart-wazuh0\","
+                                                                        "\"parameters\":{"
+                                                                            "\"extra_args\":[],"
+                                                                            "\"alert\":{"
+                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                "\"rule\":{"
+                                                                                    "\"level\":5,"
+                                                                                    "\"description\":\"File added to the system.\","
+                                                                                    "\"id\":\"554\""
+                                                                                "},"
+                                                                                "\"id\":\"1609860180.513333\","
+                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                "\"syscheck\":{"
+                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                    "\"mode\":\"realtime\","
+                                                                                    "\"event\":\"added\""
+                                                                                "},"
+                                                                                "\"location\":\"syscheck\""
+                                                                            "}"
+                                                                        "}"
+                                                                    "}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, NULL);
+
+    will_return(__wrap_ReadExecConfig, 0);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1311): Invalid command name 'restart-wazuh0' provided.");
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_get_name_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{}";
+    char *message2 = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: '{}'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap__merror, formatted_msg, "(1316): Invalid AR command: '{}'");
+
+    ExecdStart(queue);
+}
+
+static void test_ExecdStart_json_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "unknown";
+    char *message2 = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    will_return(__wrap_time, now);
+
+    will_return(__wrap_select, 1);
+
+    expect_value(__wrap_OS_RecvUnix, socket, queue);
+    expect_value(__wrap_OS_RecvUnix, sizet, OS_MAXSTR);
+    will_return(__wrap_OS_RecvUnix, message);
+    will_return(__wrap_OS_RecvUnix, strlen(message));
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Received message: 'unknown'");
+
+    will_return(__wrap_time, now);
+
+    expect_string(__wrap__merror, formatted_msg, "(1315): Invalid JSON message: 'unknown'");
+
+    ExecdStart(queue);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_ExecdStart_ok, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_timeout_not_repeated, test_setup_file_timeout, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_timeout_repeated, test_setup_file_timeout, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_wpopenv_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_fgets_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_get_command_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_get_name_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_ExecdStart_json_err, test_setup_file, test_teardown_file),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/active_response/tests/unit/tests/test_get_command_by_name.c b/src/modules/active_response/tests/unit/tests/test_get_command_by_name.c
new file mode 100644
index 0000000000..d41f96be74
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/test_get_command_by_name.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "shared.h"
+#include "../../os_execd/execd.h"
+
+static void test_custom_command(void **state) {
+    (void)state;
+
+    int timeout = 100;
+    char * r = GetCommandbyName("!custom.sh", &timeout);
+
+    assert_int_equal(timeout, 0);
+    assert_string_equal(r, AR_BINDIR "/custom.sh");
+}
+
+static void test_path_traversal(void **state) {
+    (void)state;
+    int timeout = 100;
+
+    expect_string(__wrap__mwarn, formatted_msg, "Active response command '../custom.sh' vulnerable to directory traversal attack. Ignoring.");
+
+    char * r = GetCommandbyName("!../custom.sh", &timeout);
+    assert_null(r);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_custom_command),
+        cmocka_unit_test(test_path_traversal),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/active_response/tests/unit/tests/test_win_execd.c b/src/modules/active_response/tests/unit/tests/test_win_execd.c
new file mode 100644
index 0000000000..846faf0d92
--- /dev/null
+++ b/src/modules/active_response/tests/unit/tests/test_win_execd.c
@@ -0,0 +1,825 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "shared.h"
+#include "list_op.h"
+#include "../os_regex/os_regex.h"
+#include "../os_net/os_net.h"
+#include "../os_execd/execd.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/wazuh/os_execd/exec_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/exec_op_wrappers.h"
+#include "../wrappers/windows/libc/stdio_wrappers.h"
+
+extern int test_mode;
+extern OSList *timeout_list;
+
+/* Setup/Teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+static int test_setup_file(void **state) {
+    wfd_t* wfd = NULL;
+    os_calloc(1, sizeof(wfd_t), wfd);
+    wfd->file_in = (FILE *)1;
+    wfd->file_out = (FILE *)2;
+    timeout_list = OSList_Create();
+    *state = wfd;
+    return 0;
+}
+
+static int test_setup_file_timeout(void **state) {
+    wfd_t* wfd = NULL;
+    os_calloc(1, sizeof(wfd_t), wfd);
+    wfd->file_in = (FILE *)1;
+    wfd->file_out = (FILE *)2;
+    timeout_list = OSList_Create();
+    timeout_data *timeout_entry;
+    os_calloc(1, sizeof(timeout_data), timeout_entry);
+    os_calloc(2, sizeof(char *), timeout_entry->command);
+    os_strdup("restart-wazuh10", timeout_entry->command[0]);
+    timeout_entry->command[1] = NULL;
+    os_strdup("restart-wazuh-10.0.0.1-root", timeout_entry->rkey);
+    timeout_entry->time_of_addition = 123456789;
+    timeout_entry->time_to_block = 10;
+    OSList_AddData(timeout_list, timeout_entry);
+    *state = wfd;
+    return 0;
+}
+
+static int test_teardown_file(void **state) {
+    wfd_t* wfd = *state;
+    os_free(wfd);
+    FreeTimeoutList();
+    return 0;
+}
+
+/* Tests */
+
+static void test_WinExecdRun_ok(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, wfd->file_out);
+    will_return(wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.1\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"continue\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_timeout_not_repeated(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh10\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 10;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh10");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, wfd->file_out);
+    will_return(wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.2\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"continue\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Adding command 'restart-wazuh {"
+                                                                                    "\"version\":\"1\","
+                                                                                    "\"origin\":{"
+                                                                                        "\"name\":\"node01\","
+                                                                                        "\"module\":\"wazuh-execd\""
+                                                                                    "},"
+                                                                                    "\"command\":\"delete\","
+                                                                                    "\"parameters\":{"
+                                                                                        "\"extra_args\":[],"
+                                                                                        "\"alert\":{"
+                                                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                            "\"rule\":{"
+                                                                                                "\"level\":5,"
+                                                                                                "\"description\":\"File added to the system.\","
+                                                                                                "\"id\":\"554\""
+                                                                                            "},"
+                                                                                            "\"id\":\"1609860180.513333\","
+                                                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                            "\"syscheck\":{"
+                                                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                "\"mode\":\"realtime\","
+                                                                                                "\"event\":\"added\""
+                                                                                            "},"
+                                                                                            "\"location\":\"syscheck\""
+                                                                                        "},"
+                                                                                        "\"program\":\"restart-wazuh\""
+                                                                                    "}"
+                                                                                "}' to the timeout list, with a timeout of '10s'.");
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_timeout_repeated(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh10\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 10;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh10");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, wfd->file_out);
+    will_return(wrap_fgets, "{"
+                                  "\"version\":1,"
+                                  "\"origin\":{"
+                                      "\"name\":\"restart-wazuh\","
+                                      "\"module\":\"active-response\""
+                                  "},"
+                                  "\"command\":\"check_keys\","
+                                  "\"parameters\":{"
+                                      "\"keys\":[\"10.0.0.1\", \"root\"]"
+                                  "}"
+                              "}\n");
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"abort\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Command already received, updating time of addition to now.");
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_wpopenv_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1317): Could not launch command Success (0)");
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_fgets_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, "restart-wazuh");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Executing command 'restart-wazuh {"
+                                                                                        "\"version\":\"1\","
+                                                                                        "\"origin\":{"
+                                                                                            "\"name\":\"node01\","
+                                                                                            "\"module\":\"wazuh-execd\""
+                                                                                        "},"
+                                                                                        "\"command\":\"add\","
+                                                                                        "\"parameters\":{"
+                                                                                            "\"extra_args\":[],"
+                                                                                            "\"alert\":{"
+                                                                                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                                                                "\"rule\":{"
+                                                                                                    "\"level\":5,"
+                                                                                                    "\"description\":\"File added to the system.\","
+                                                                                                    "\"id\":\"554\""
+                                                                                                "},"
+                                                                                                "\"id\":\"1609860180.513333\","
+                                                                                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                                                                "\"syscheck\":{"
+                                                                                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                                                    "\"mode\":\"realtime\","
+                                                                                                    "\"event\":\"added\""
+                                                                                                "},"
+                                                                                                "\"location\":\"syscheck\""
+                                                                                            "},"
+                                                                                            "\"program\":\"restart-wazuh\""
+                                                                                        "}"
+                                                                                    "}'");
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(wrap_fprintf, __stream, wfd->file_in);
+    expect_string(wrap_fprintf, formatted_msg, "{"
+                                                    "\"version\":\"1\","
+                                                    "\"origin\":{"
+                                                        "\"name\":\"node01\","
+                                                        "\"module\":\"wazuh-execd\""
+                                                    "},"
+                                                    "\"command\":\"add\","
+                                                    "\"parameters\":{"
+                                                        "\"extra_args\":[],"
+                                                        "\"alert\":{"
+                                                            "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                                            "\"rule\":{"
+                                                                "\"level\":5,"
+                                                                "\"description\":\"File added to the system.\","
+                                                                "\"id\":\"554\""
+                                                            "},"
+                                                            "\"id\":\"1609860180.513333\","
+                                                            "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                                            "\"syscheck\":{"
+                                                                "\"path\":\"/home/vagrant/file/n41.txt\","
+                                                                "\"mode\":\"realtime\","
+                                                                "\"event\":\"added\""
+                                                            "},"
+                                                            "\"location\":\"syscheck\""
+                                                        "},"
+                                                        "\"program\":\"restart-wazuh\""
+                                                    "}"
+                                                "}\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, wfd->file_out);
+    will_return(wrap_fgets, NULL);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Active response won't be added to timeout list. Message not received with alert keys from script 'restart-wazuh'");
+
+    will_return(__wrap_wpclose, 0);
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_get_command_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{"
+                        "\"version\":\"1\","
+                        "\"origin\":{"
+                            "\"name\":\"node01\","
+                            "\"module\":\"wazuh-analysisd\""
+                        "},"
+                        "\"command\":\"restart-wazuh0\","
+                        "\"parameters\":{"
+                            "\"extra_args\":[],"
+                            "\"alert\":{"
+                                "\"timestamp\":\"2021-01-05T15:23:00.547+0000\","
+                                "\"rule\":{"
+                                    "\"level\":5,"
+                                    "\"description\":\"File added to the system.\","
+                                    "\"id\":\"554\""
+                                "},"
+                                "\"id\":\"1609860180.513333\","
+                                "\"full_log\":\"File '/home/vagrant/file/n41.txt' added\\nMode: realtime\\n\","
+                                "\"syscheck\":{"
+                                    "\"path\":\"/home/vagrant/file/n41.txt\","
+                                    "\"mode\":\"realtime\","
+                                    "\"event\":\"added\""
+                                "},"
+                                "\"location\":\"syscheck\""
+                            "}"
+                        "}"
+                    "}";
+    int timeout = 0;
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, NULL);
+
+    will_return(__wrap_ReadExecConfig, 0);
+
+    expect_string(__wrap_GetCommandbyName, name, "restart-wazuh0");
+    will_return(__wrap_GetCommandbyName, timeout);
+    will_return(__wrap_GetCommandbyName, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1311): Invalid command name 'restart-wazuh0' provided.");
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_get_name_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "{}";
+    int timeout = 0;
+
+    expect_string(__wrap__merror, formatted_msg, "(1316): Invalid AR command: '{}'");
+
+    ExecdRun(message);
+}
+
+static void test_WinExecdRun_json_err(void **state) {
+    wfd_t * wfd = *state;
+    int queue = 1;
+    int now = 123456789;
+    char *message = "unknown";
+    int timeout = 0;
+
+    expect_string(__wrap__merror, formatted_msg, "(1315): Invalid JSON message: 'unknown'");
+
+    ExecdRun(message);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_ok, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_timeout_not_repeated, test_setup_file_timeout, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_timeout_repeated, test_setup_file_timeout, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_wpopenv_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_fgets_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_get_command_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_get_name_err, test_setup_file, test_teardown_file),
+        cmocka_unit_test_setup_teardown(test_WinExecdRun_json_err, test_setup_file, test_teardown_file),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/active_response/tests/unit/wrappers/exec_wrappers.c b/src/modules/active_response/tests/unit/wrappers/exec_wrappers.c
new file mode 100644
index 0000000000..58dabb6a52
--- /dev/null
+++ b/src/modules/active_response/tests/unit/wrappers/exec_wrappers.c
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "exec_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../common.h"
+
+int __wrap_ReadExecConfig() {
+    return mock();
+}
+
+char *__wrap_GetCommandbyName(const char *name, int *timeout) {
+    check_expected(name);
+
+    *timeout = mock();
+
+    return mock_type(char *);
+}
diff --git a/src/modules/active_response/tests/unit/wrappers/exec_wrappers.h b/src/modules/active_response/tests/unit/wrappers/exec_wrappers.h
new file mode 100644
index 0000000000..59b2bffebe
--- /dev/null
+++ b/src/modules/active_response/tests/unit/wrappers/exec_wrappers.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef OS_EXEC_WRAPPERS_H
+#define OS_EXEC_WRAPPERS_H
+
+int __wrap_ReadExecConfig();
+
+char *__wrap_GetCommandbyName(const char *name, int *timeout);
+
+#endif
diff --git a/src/modules/aws/include/wm_aws.h b/src/modules/aws/include/wm_aws.h
new file mode 100644
index 0000000000..d149539f7b
--- /dev/null
+++ b/src/modules/aws/include/wm_aws.h
@@ -0,0 +1,98 @@
+/*
+ * Wazuh Module for AWS S3 integration
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 08, 2018.
+ *
+ * Updated by Jeremy Phillips <jeremy@uranusbytes.com>
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_AWS_H
+#define WM_AWS_H
+
+#define WM_AWS_LOGTAG ARGV0 ":aws-s3"
+#define WM_AWS_DEFAULT_INTERVAL 5
+#define WM_AWS_SCRIPT_PATH "wodles/aws/aws-s3"
+
+typedef struct wm_aws_state_t {
+    time_t next_time;               // Absolute time for next scan
+} wm_aws_state_t;
+
+typedef struct wm_aws_bucket {
+    char *bucket;                       // S3 bucket
+    char *aws_profile;                  // AWS credentials profile
+    char *iam_role_arn;                 // IAM role
+    char *iam_role_duration;            // IAM role session duration
+    char *aws_organization_id;          // AWS organization ID
+    char *aws_account_id;               // AWS account ID(s)
+    char *aws_account_alias;            // AWS account alias
+    char *trail_prefix;                 // Trail prefix
+    char *trail_suffix;                 // Trail suffix
+    char *only_logs_after;              // Date (YYYY-MMM-DD) to only parse logs after
+    char *regions;                      // CSV of regions to parse
+    char *type;                         // String defining bucket type.
+    char *discard_field;                // Name of the event's field to apply the discard_regex on
+    char *discard_regex;                // REGEX to determine if an event should be skipped
+    char *sts_endpoint;                 // URL for the VPC endpoint to use to obtain the STS token
+    char *service_endpoint;             // URL for the endpoint to use to obtain the logs
+    unsigned int remove_from_bucket:1;  // Remove the logs from the bucket
+    struct wm_aws_bucket *next;     // Pointer to next
+} wm_aws_bucket;
+
+
+typedef struct wm_aws_service {
+    char *type;                         // String defining service type.
+    char *aws_profile;                  // AWS credentials profile
+    char *iam_role_arn;                 // IAM role
+    char *iam_role_duration;            // IAM role session duration
+    char *aws_account_id;               // AWS account ID(s)
+    char *aws_account_alias;            // AWS account alias
+    char *only_logs_after;              // Date (YYYY-MMM-DD) to only parse logs after
+    char *regions;                      // CSV of regions to parse
+    char *aws_log_groups;               // CSV of log groups to parse
+    char *discard_field;                // Name of the event's field to apply the discard_regex on
+    char *discard_regex;                // REGEX to determine if an event should be skipped
+    unsigned int remove_log_streams:1;  // Remove the log stream from the log group
+    char *sts_endpoint;                 // URL for the VPC endpoint to use to obtain the STS token
+    char *service_endpoint;             // URL for the endpoint to use to obtain the logs
+    struct wm_aws_service *next;        // Pointer to next
+} wm_aws_service;
+
+typedef struct wm_aws_subscriber {
+    char *type;                            // String defining subscriber type.
+    char *aws_profile;                     // AWS credentials profile
+    char *sqs_name;                        // String defining SQS name
+    char *external_id;                     // AWS external ID
+    char *iam_role_arn;                    // IAM role
+    char *iam_role_duration;               // IAM role session duration
+    char *discard_field;                   // Name of the event's field to apply the discard_regex on
+    char *discard_regex;                   // REGEX to determine if an event should be skipped
+    char *sts_endpoint;                    // URL for the VPC endpoint to use to obtain the STS token
+    char *service_endpoint;                // URL for the endpoint to use to obtain the logs
+    struct wm_aws_subscriber *next;        // Pointer to next
+} wm_aws_subscriber;
+
+typedef struct wm_aws {
+    sched_scan_config scan_config;
+    char *bucket;                       // DEPRECATE
+    int queue_fd;
+    unsigned int enabled:1;
+    unsigned int run_on_start:1;
+    unsigned int remove_from_bucket:1;  // DEPRECATE
+    unsigned int skip_on_error:1;
+    wm_aws_state_t state;
+    wm_aws_bucket *buckets;      // buckets (linked list)
+    wm_aws_service *services;      // services (linked list)
+    wm_aws_subscriber *subscribers;
+} wm_aws;
+
+extern const wm_context WM_AWS_CONTEXT;   // Context
+
+// Parse XML
+int wm_aws_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+#endif // WM_AWS_H
diff --git a/src/modules/aws/scripts/__init__.py b/src/modules/aws/scripts/__init__.py
new file mode 100644
index 0000000000..ea0d8aeea6
--- /dev/null
+++ b/src/modules/aws/scripts/__init__.py
@@ -0,0 +1,3 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
diff --git a/src/modules/aws/scripts/aws_s3.py b/src/modules/aws/scripts/aws_s3.py
new file mode 100755
index 0000000000..aa0c562718
--- /dev/null
+++ b/src/modules/aws/scripts/aws_s3.py
@@ -0,0 +1,202 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+#
+#
+# Error Codes:
+#   1 - Unknown
+#   2 - SIGINT
+#   3 - Invalid credentials to access AWS service
+#   4 - boto3 module missing
+#   5 - Unexpected error accessing SQLite DB
+#   6 - Unable to create SQLite DB
+#   7 - Unexpected error querying/working with objects in S3
+#   8 - Failed to decompress file
+#   9 - Failed to parse file
+#   10 - pyarrow module missing
+#   11 - Unable to connect to Wazuh
+#   12 - Invalid type of bucket
+#   13 - Unexpected error sending message to Wazuh
+#   14 - Empty bucket
+#   15 - Invalid endpoint URL
+#   16 - Throttling error
+#   17 - Invalid key format
+#   18 - Invalid prefix
+#   19 - The server datetime and datetime of the AWS environment differ
+#   20 - Unable to find SQS
+#   21 - Failed fetch/delete from SQS
+#   22 - Invalid region
+#   23 - Profile not found
+
+import signal
+import sys
+
+
+import aws_tools
+import buckets_s3
+import services
+import subscribers
+
+
+def main(argv):
+    # Parse arguments
+    options = aws_tools.get_script_arguments()
+
+    if int(options.debug) > 0:
+        aws_tools.debug_level = int(options.debug)
+        aws_tools.debug('+++ Debug mode on - Level: {debug}'.format(debug=options.debug), 1)
+
+    try:
+        if options.logBucket:
+            if options.type.lower() == 'cloudtrail':
+                bucket_type = buckets_s3.cloudtrail.AWSCloudTrailBucket
+            elif options.type.lower() == 'vpcflow':
+                bucket_type = buckets_s3.vpcflow.AWSVPCFlowBucket
+            elif options.type.lower() == 'config':
+                bucket_type = buckets_s3.config.AWSConfigBucket
+            elif options.type.lower() == 'custom':
+                bucket_type = buckets_s3.aws_bucket.AWSCustomBucket
+            elif options.type.lower() == 'guardduty':
+                bucket_type = buckets_s3.guardduty.AWSGuardDutyBucket
+            elif options.type.lower() == 'cisco_umbrella':
+                bucket_type = buckets_s3.umbrella.CiscoUmbrella
+            elif options.type.lower() == 'waf':
+                bucket_type = buckets_s3.waf.AWSWAFBucket
+            elif options.type.lower() == 'alb':
+                bucket_type = buckets_s3.load_balancers.AWSALBBucket
+            elif options.type.lower() == 'clb':
+                bucket_type = buckets_s3.load_balancers.AWSCLBBucket
+            elif options.type.lower() == 'nlb':
+                bucket_type = buckets_s3.load_balancers.AWSNLBBucket
+            elif options.type.lower() == 'server_access':
+                bucket_type = buckets_s3.server_access.AWSServerAccess
+            else:
+                raise Exception("Invalid type of bucket")
+            bucket = bucket_type(reparse=options.reparse,
+                                 profile=options.aws_profile,
+                                 iam_role_arn=options.iam_role_arn,
+                                 bucket=options.logBucket,
+                                 only_logs_after=options.only_logs_after,
+                                 skip_on_error=options.skip_on_error,
+                                 account_alias=options.aws_account_alias,
+                                 prefix=options.trail_prefix,
+                                 suffix=options.trail_suffix,
+                                 delete_file=options.deleteFile,
+                                 aws_organization_id=options.aws_organization_id,
+                                 region=options.regions[0] if options.regions else None,
+                                 discard_field=options.discard_field,
+                                 discard_regex=options.discard_regex,
+                                 sts_endpoint=options.sts_endpoint,
+                                 service_endpoint=options.service_endpoint,
+                                 iam_role_duration=options.iam_role_duration
+                                 )
+            # check if bucket is empty or credentials are wrong
+            bucket.check_bucket()
+            bucket.iter_bucket(options.aws_account_id, options.regions)
+        elif options.service:
+            if options.service.lower() == 'inspector':
+                service_type = services.inspector.AWSInspector
+            elif options.service.lower() == 'cloudwatchlogs':
+                service_type = services.cloudwatchlogs.AWSCloudWatchLogs
+            else:
+                raise Exception("Invalid type of service")
+
+            if not options.regions:
+                aws_config = aws_tools.get_aws_config_params()
+
+                profile = options.aws_profile or "default"
+
+                if aws_config.has_option(profile, "region"):
+                    options.regions.append(aws_config.get(profile, "region"))
+                else:
+                    if service_type == services.inspector.AWSInspector:
+                        aws_tools.debug(
+                            "+++ Warning: No regions were specified, trying to get events from supported regions", 1
+                        )
+                        options.regions = services.inspector.SUPPORTED_REGIONS
+                    else:
+                        aws_tools.debug(
+                            "+++ Warning: No regions were specified, trying to get events from all regions", 1
+                        )
+                        options.regions = aws_tools.ALL_REGIONS
+
+            for region in options.regions:
+                try:
+                    service_type.check_region(region)
+                except ValueError as exc:
+                    aws_tools.debug(f"+++ ERROR: {exc}", 1)
+                    exit(22)
+
+                aws_tools.debug('+++ Getting alerts from "{}" region.'.format(region), 1)
+
+                service = service_type(reparse=options.reparse,
+                                       profile=options.aws_profile,
+                                       iam_role_arn=options.iam_role_arn,
+                                       only_logs_after=options.only_logs_after,
+                                       account_alias=options.aws_account_alias,
+                                       region=region,
+                                       aws_log_groups=options.aws_log_groups,
+                                       remove_log_streams=options.deleteLogStreams,
+                                       discard_field=options.discard_field,
+                                       discard_regex=options.discard_regex,
+                                       sts_endpoint=options.sts_endpoint,
+                                       service_endpoint=options.service_endpoint,
+                                       iam_role_duration=options.iam_role_duration
+                                       )
+                service.get_alerts()
+        elif options.subscriber:
+            if options.subscriber.lower() == "security_lake":
+                if options.aws_profile:
+                    aws_tools.error(
+                        "The AWS Security Lake integration does not make use of the Profile authentication "
+                        f"method. Check the available ones for it in "
+                        f"{aws_tools.SECURITY_LAKE_IAM_ROLE_AUTHENTICATION_URL}")
+                    sys.exit(3)
+                aws_tools.arg_validate_security_lake_auth_params(options.external_id,
+                                                                 options.queue,
+                                                                 options.iam_role_arn)
+                bucket_handler = subscribers.s3_log_handler.AWSSLSubscriberBucket
+                message_processor = subscribers.sqs_message_processor.AWSSSecLakeMessageProcessor
+            elif options.subscriber.lower() == "buckets":
+                bucket_handler = subscribers.s3_log_handler.AWSSubscriberBucket
+                message_processor = subscribers.sqs_message_processor.AWSS3MessageProcessor
+            elif options.subscriber.lower() == "security_hub":
+                bucket_handler = subscribers.s3_log_handler.AWSSecurityHubSubscriberBucket
+                message_processor = subscribers.sqs_message_processor.AWSS3MessageProcessor
+            else:
+                raise Exception("Invalid type of subscriber")
+            subscriber_queue = subscribers.sqs_queue.AWSSQSQueue(
+                external_id=options.external_id,
+                iam_role_arn=options.iam_role_arn,
+                iam_role_duration=options.iam_role_duration,
+                profile=options.aws_profile,
+                sts_endpoint=options.sts_endpoint,
+                service_endpoint=options.service_endpoint,
+                name=options.queue,
+                skip_on_error=options.skip_on_error,
+                discard_field=options.discard_field,
+                discard_regex=options.discard_regex,
+                bucket_handler=bucket_handler,
+                message_processor=message_processor)
+            subscriber_queue.sync_events()
+    except Exception as err:
+        aws_tools.debug("+++ Error: {}".format(err), 2)
+        if aws_tools.debug_level > 0:
+            raise
+        aws_tools.error(str(err))
+        sys.exit(12)
+
+
+if __name__ == '__main__':
+    try:
+        aws_tools.debug('Args: {args}'.format(args=str(sys.argv)), 2)
+        signal.signal(signal.SIGINT, aws_tools.handler)
+        main(sys.argv[1:])
+        sys.exit(0)
+    except Exception as e:
+        aws_tools.error("Unknown error: {}".format(e))
+        if aws_tools.debug_level > 0:
+            raise
+        sys.exit(1)
diff --git a/src/modules/aws/scripts/aws_tools.py b/src/modules/aws/scripts/aws_tools.py
new file mode 100644
index 0000000000..800c71cd68
--- /dev/null
+++ b/src/modules/aws/scripts/aws_tools.py
@@ -0,0 +1,419 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""This module contains generic functions for this wodle."""
+
+import argparse
+import configparser
+from os import path
+from datetime import datetime
+from typing import Optional
+import sys
+import re
+
+DEFAULT_AWS_CONFIG_PATH = path.join(path.expanduser('~'), '.aws', 'config')
+SECURITY_LAKE_IAM_ROLE_AUTHENTICATION_URL = 'https://documentation.wazuh.com/current/cloud-security/amazon/services/' \
+                                        'supported-services/security-lake.html#configuring-an-iam-role'
+
+ALL_REGIONS = (
+    'af-south-1', 'ap-east-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-south-1', 'ap-south-2',
+    'ap-southeast-1', 'ap-southeast-2', 'ap-southeast-3', 'ap-southeast-4', 'ca-central-1', 'eu-central-1',
+    'eu-central-2', 'eu-north-1', 'eu-south-1', 'eu-south-2', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'il-central-1',
+    'me-central-1', 'me-south-1', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2'
+)
+
+RETRY_ATTEMPTS_KEY: str = "max_attempts"
+RETRY_MODE_CONFIG_KEY: str = "retry_mode"
+RETRY_MODE_BOTO_KEY: str = "mode"
+WAZUH_DEFAULT_RETRY_CONFIGURATION = {RETRY_ATTEMPTS_KEY: 10, RETRY_MODE_BOTO_KEY: 'standard'}
+
+# Enable/disable debug mode
+debug_level = 0
+
+
+def set_profile_dict_config(boto_config: dict, profile: str, profile_config: dict):
+    """Create a botocore.config.Config object with the specified profile_config.
+
+    This function reads the profile configuration from the provided profile_config object and extracts the necessary
+    parameters to create a botocore.config.Config object.
+    It handles the signature version, s3, proxies, and proxies_config settings found in the .aws/config file.
+    If a setting is not found, a default value is used based on the boto3 documentation and config is
+    set into the boto_config.
+
+    Parameters
+    ----------
+    boto_config: dict
+        The config dictionary where the Boto Config will be set.
+
+    profile : str
+        The AWS profile name to use for the configuration.
+
+    profile_config : dict
+        The user config dict containing the profile configuration.
+    """
+    profile = remove_prefix(profile, 'profile ')
+
+    # Set s3 config
+    if 's3' in str(profile_config):
+        s3_config = {
+            "max_concurrent_requests": int(profile_config.get('s3.max_concurrent_requests', 10)),
+            "max_queue_size": int(profile_config.get('s3.max_queue_size', 10)),
+            "multipart_threshold": profile_config.get('s3.multipart_threshold', '8MB'),
+            "multipart_chunksize": profile_config.get('s3.multipart_chunksize', '8MB'),
+            "max_bandwidth": profile_config.get('s3.max_bandwidth'),
+            "use_accelerate_endpoint": (
+                True if profile_config.get('s3.use_accelerate_endpoint') == 'true' else False
+            ),
+            "addressing_style": profile_config.get('s3.addressing_style', 'auto'),
+        }
+        boto_config['config'].s3 = s3_config
+
+    # Set Proxies configuration
+    if 'proxy' in str(profile_config):
+        proxy_config = {
+            "host": profile_config.get('proxy.host'),
+            "port": int(profile_config.get('proxy.port')),
+            "username": profile_config.get('proxy.username'),
+            "password": profile_config.get('proxy.password'),
+        }
+        boto_config['config'].proxies = proxy_config
+
+        proxies_config = {
+            "ca_bundle": profile_config.get('proxy.ca_bundle'),
+            "client_cert": profile_config.get('proxy.client_cert'),
+            "use_forwarding_for_https": (
+                True if profile_config.get('proxy.use_forwarding_for_https') == 'true' else False
+            )
+        }
+        boto_config['config'].proxies_config = proxies_config
+    
+    # Checks for retries config in profile config and sets it if not found to avoid throttling exception
+    if RETRY_ATTEMPTS_KEY in profile_config or RETRY_MODE_CONFIG_KEY in profile_config:
+        retries = {
+            RETRY_ATTEMPTS_KEY: int(profile_config.get(RETRY_ATTEMPTS_KEY, 10)),
+            RETRY_MODE_BOTO_KEY: profile_config.get(RETRY_MODE_CONFIG_KEY, 'standard')
+        }
+        debug(f"Retries parameters found in user profile. Using profile '{profile}' retries configuration", 2)
+        boto_config['config'].retries = retries
+
+    else:
+        debug(
+            "No retries configuration found in profile config. Generating default configuration for retries: mode: "
+            f"{boto_config['config'].retries['mode']} - max_attempts: {boto_config['config'].retries['max_attempts']}",
+            2)
+
+    # Set signature version
+    boto_config['config'].signature_version = profile_config.get('signature_version', 's3v4')
+
+
+def remove_prefix(text: str, prefix: str) -> str:
+    """Removes the prefix from the text if it exists. Otherwise, it returns the text unchanged.
+
+    Parameters
+    ----------
+    text : str
+        Text to remove the prefix from.
+    prefix : str
+        Prefix to be removed.
+
+    Returns
+    -------
+    str
+        Text without the prefix.
+    """
+    return text[len(prefix):] if text.startswith(prefix) else text
+
+
+def handler(signal, frame):
+    print("ERROR: SIGINT received.")
+    sys.exit(2)
+
+
+def debug(msg, msg_level):
+    if debug_level >= msg_level:
+        print('DEBUG: {debug_msg}'.format(debug_msg=msg))
+
+
+def error(msg):
+    print('ERROR: {error_msg}'.format(error_msg=msg))
+
+
+def info(msg):
+    print('INFO: {msg}'.format(msg=msg))
+
+
+def arg_valid_date(arg_string):
+    try:
+        parsed_date = datetime.strptime(arg_string, "%Y-%b-%d")
+        # Return str created from date in YYYYMMDD format
+        return parsed_date.strftime('%Y%m%d')
+    except ValueError:
+        raise argparse.ArgumentTypeError("Argument not a valid date in format YYYY-MMM-DD: '{0}'.".format(arg_string))
+
+
+def arg_valid_key(arg_string, append_slash=True):
+    CHARACTERS_TO_AVOID = "\\{}^%`[]'\"<>~#|"
+    XML_CONSTRAINTS = ["&apos;", "&quot;", "&amp;", "&lt;", "&gt;", "&#13;", "&#10;"]
+
+    # Validate against the naming guidelines https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
+    if any([char in arg_string for char in list(CHARACTERS_TO_AVOID) + XML_CONSTRAINTS]):
+        raise argparse.ArgumentTypeError(
+            f"'{arg_string}' has an invalid character."
+            f" Avoid to use '{CHARACTERS_TO_AVOID}' or '{''.join(XML_CONSTRAINTS)}'."
+        )
+
+    if append_slash and arg_string and arg_string[-1] != '/':
+        return '{arg_string}/'.format(arg_string=arg_string)
+    return arg_string
+
+
+def aws_logs_groups_valid_key(arg_string):
+    return arg_valid_key(arg_string, append_slash=False)
+
+
+def arg_valid_accountid(arg_string):
+    if arg_string is None:
+        return []
+    account_ids = arg_string.split(',')
+    for account in account_ids:
+        if not account.strip().isdigit() or len(account) != 12:
+            raise argparse.ArgumentTypeError(
+                "Not valid AWS account ID (numeric digits only): '{0}'.".format(arg_string))
+
+    return account_ids
+
+
+def arg_valid_regions(arg_string):
+    if not arg_string:
+        return []
+    final_regions = []
+    regions = arg_string.split(',')
+    for arg_region in regions:
+        if not re.match(r'^([a-z]{2}(-gov)?)-([a-z]+)-\d$', arg_region):
+            raise argparse.ArgumentTypeError(
+                f"WARNING: The region '{arg_region}' has not a valid format.'"
+            )
+        if arg_region.strip():
+            final_regions.append(arg_region.strip())
+    final_regions = list(set(final_regions))
+    final_regions.sort()
+    return final_regions
+
+
+def arg_valid_iam_role_duration(arg_string):
+    """Checks if the role session duration specified is a valid parameter.
+
+    Parameters
+    ----------
+    arg_string: str or None
+        The desired session duration in seconds.
+
+    Returns
+    -------
+    num_seconds: None or int
+        The returned value will be None if no duration was specified or if it was an invalid value; elsewhere,
+        it will return the number of seconds that the session will last.
+
+    Raises
+    ------
+    argparse.ArgumentTypeError
+        If the number provided is not in the expected range.
+    """
+    # Session duration must be between 15m and 12h
+    if arg_string is None:
+        return None
+
+    # Validate if the argument is a number
+    if not arg_string.isdigit():
+        raise argparse.ArgumentTypeError("Invalid session duration specified. Value must be a valid number.")
+
+    # Convert to integer and check range
+    num_seconds = int(arg_string)
+    if not (900 <= num_seconds <= 43200):
+        raise argparse.ArgumentTypeError("Invalid session duration specified. Value must be between 900 and 43200.")
+
+    return num_seconds
+
+
+def arg_valid_bucket_name(arg: str) -> str:
+    """Validate the bucket name against the S3 naming rules.
+    https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+
+    Parameters
+    ----------
+    arg : str
+        Argument to validate.
+
+    Returns
+    -------
+    str
+        The bucket name if match with the rules.
+
+    Raises
+    ------
+    argparse.ArgumentTypeError
+        If the bucket name is not valid.
+    """
+    if not re.match(r'(?!(^xn--|.+-s3alias$|.+--ol-s3$))^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$', arg):
+        raise argparse.ArgumentTypeError(f"'{arg}' isn't a valid bucket name.")
+    return arg
+
+
+def args_valid_iam_role_arn(iam_role_arn):
+    """Checks if the IAM role ARN specified is a valid parameter.
+
+    Parameters
+    ----------
+    iam_role_arn : str
+        The IAM role ARN to validate.
+
+    Raises
+    ------
+    argparse.ArgumentTypeError
+        If the ARN provided is not in the expected format.
+    """
+    pattern = r'^arn:(?P<Partition>[^:\n]*):(?P<Service>[^:\n]*):(?P<Region>[^:\n]*):(?P<AccountID>[^:\n]*):(?P<Ignore>(?P<ResourceType>[^:\/\n]*)[:\/])?(?P<Resource>.*)$'
+
+    if not re.match(pattern, iam_role_arn):
+        raise argparse.ArgumentTypeError("Invalid ARN Role specified. Value must be a valid ARN Role.")
+
+    return iam_role_arn
+
+
+def args_valid_sqs_name(sqs_name):
+    """Checks if the SQS name specified is a valid parameter.
+
+    Parameters
+    ----------
+    sqs_name : str
+        The SQS name to validate.
+
+    Raises
+    ------
+    argparse.ArgumentTypeError
+        If the SQS name provided is not in the expected format.
+    """
+    pattern = r'^[a-zA-Z0-9-_]{1,80}$'
+
+    if not re.match(pattern, sqs_name):
+        raise argparse.ArgumentTypeError("Invalid SQS Name specified. Value must be up to 80 characters and the valid "
+                                         "values are alphanumeric characters, hyphens (-), and underscores (_)")
+
+    return sqs_name
+
+
+def arg_validate_security_lake_auth_params(external_id: Optional[str], name: Optional[str], iam_role_arn: Optional[str]):
+    """
+    Validate the Securit Lake authentication arguments.
+
+    Parameters
+    ----------
+    external_id : Optional[str]
+        The name of the External ID to use.
+    name: Optional[str]
+        Name of the SQS Queue.
+    iam_role_arn : Optional[str]
+        IAM Role.
+    """
+
+    if iam_role_arn is None:
+        error('Used a subscriber but no --iam_role_arn provided.')
+        sys.exit(21)
+    if name is None:
+        error('Used a subscriber but no --queue provided.')
+        sys.exit(21)
+    if external_id is None:
+        error('Used a subscriber but no --external_id provided.')
+        sys.exit(21)
+
+
+def get_aws_config_params() -> configparser.RawConfigParser:
+    """Read and retrieve parameters from aws config file.
+
+    Returns
+    -------
+    configparser.RawConfigParser
+        The parsed configuration.
+    """
+    config = configparser.RawConfigParser()
+    config.read(DEFAULT_AWS_CONFIG_PATH)
+
+    return config
+
+
+def get_script_arguments():
+    parser = argparse.ArgumentParser(usage="usage: %(prog)s [options]",
+                                     description="Wazuh wodle for monitoring AWS",
+                                     formatter_class=argparse.RawTextHelpFormatter)
+    # only one must be present (bucket or service)
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument('-b', '--bucket', dest='logBucket', help='Specify the S3 bucket containing AWS logs',
+                       action='store', type=arg_valid_bucket_name)
+    group.add_argument('-sr', '--service', dest='service', help='Specify the name of the service',
+                       action='store')
+    group.add_argument('-sb', '--subscriber', dest='subscriber', help='Specify the type of the subscriber',
+                       action='store')
+    parser.add_argument('-q', '--queue', dest='queue', help='Specify the name of the SQS',
+                        type=args_valid_sqs_name, action='store')
+    parser.add_argument('-O', '--aws_organization_id', dest='aws_organization_id',
+                        help='AWS organization ID for logs', required=False)
+    parser.add_argument('-c', '--aws_account_id', dest='aws_account_id',
+                        help='AWS Account ID for logs', required=False,
+                        type=arg_valid_accountid)
+    parser.add_argument('-d', '--debug', action='store', dest='debug', default=0, help='Enable debug')
+    # Beware, once you delete history it's gone.
+    parser.add_argument('-R', '--remove', action='store_true', dest='deleteFile',
+                        help='Remove processed files from the AWS S3 bucket', default=False)
+    parser.add_argument('-p', '--aws_profile', dest='aws_profile', help='The name of credential profile to use',
+                        default=None)
+    parser.add_argument('-x', '--external_id', dest='external_id', help='The name of the External ID to use',
+                        default=None)
+    parser.add_argument('-i', '--iam_role_arn', dest='iam_role_arn',
+                        help='ARN of IAM role to assume for access to S3 bucket',
+                        type=args_valid_iam_role_arn,
+                        default=None)
+    parser.add_argument('-n', '--aws_account_alias', dest='aws_account_alias',
+                        help='AWS Account ID Alias', default='')
+    parser.add_argument('-l', '--trail_prefix', dest='trail_prefix',
+                        help='Log prefix for S3 key',
+                        default='', type=arg_valid_key)
+    parser.add_argument('-L', '--trail_suffix', dest='trail_suffix',
+                        help='Log suffix for S3 key',
+                        default='', type=arg_valid_key)
+    parser.add_argument('-s', '--only_logs_after', dest='only_logs_after',
+                        help='Only parse logs after this date - format YYYY-MMM-DD',
+                        default=None, type=arg_valid_date)
+    parser.add_argument('-r', '--regions', dest='regions', help='Comma delimited list of AWS regions to parse logs',
+                        default='', type=arg_valid_regions)
+    parser.add_argument('-e', '--skip_on_error', action='store_true', dest='skip_on_error',
+                        help='If fail to parse a file, error out instead of skipping the file', default=False)
+    parser.add_argument('-o', '--reparse', action='store_true', dest='reparse',
+                        help='Parse the log file, even if its been parsed before', default=False)
+    parser.add_argument('-t', '--type', dest='type', type=str, help='Bucket type.', default='cloudtrail')
+    parser.add_argument('-g', '--aws_log_groups', dest='aws_log_groups', help='Name of the log group to be parsed',
+                        default='', type=aws_logs_groups_valid_key)
+    parser.add_argument('-P', '--remove-log-streams', action='store_true', dest='deleteLogStreams',
+                        help='Remove processed log streams from the log group', default=False)
+    parser.add_argument('-df', '--discard-field', type=str, dest='discard_field', default=None,
+                        help='The name of the event field where the discard_regex should be applied to determine if '
+                             'an event should be skipped.', )
+    parser.add_argument('-dr', '--discard-regex', type=str, dest='discard_regex', default=None,
+                        help='REGEX value to be applied to determine whether an event should be skipped.', )
+    parser.add_argument('-st', '--sts_endpoint', type=str, dest='sts_endpoint', default=None,
+                        help='URL for the VPC endpoint to use to obtain the STS token.')
+    parser.add_argument('-se', '--service_endpoint', type=str, dest='service_endpoint', default=None,
+                        help='URL for the endpoint to use to obtain the logs.')
+    parser.add_argument('-rd', '--iam_role_duration', type=arg_valid_iam_role_duration, dest='iam_role_duration',
+                        default=None,
+                        help='The duration, in seconds, of the role session. Value can range from 900s to the max'
+                             ' session duration set for the role.')
+    parsed_args = parser.parse_args()
+
+    if parsed_args.iam_role_duration is not None and parsed_args.iam_role_arn is None:
+        raise argparse.ArgumentTypeError('Used --iam_role_duration argument but no --iam_role_arn provided.')
+
+    return parsed_args
diff --git a/src/modules/aws/scripts/buckets_s3/__init__.py b/src/modules/aws/scripts/buckets_s3/__init__.py
new file mode 100644
index 0000000000..904c03390a
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/__init__.py
@@ -0,0 +1,25 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+from buckets_s3 import aws_bucket
+from buckets_s3 import cloudtrail
+from buckets_s3 import config
+from buckets_s3 import guardduty
+from buckets_s3 import load_balancers
+from buckets_s3 import server_access
+from buckets_s3 import umbrella
+from buckets_s3 import vpcflow
+from buckets_s3 import waf
+
+__all__ = [
+    "aws_bucket",
+    "cloudtrail",
+    "config",
+    "guardduty",
+    "load_balancers",
+    "server_access",
+    "umbrella",
+    "vpcflow",
+    "waf"
+]
diff --git a/src/modules/aws/scripts/buckets_s3/aws_bucket.py b/src/modules/aws/scripts/buckets_s3/aws_bucket.py
new file mode 100644
index 0000000000..d3d0c7743e
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/aws_bucket.py
@@ -0,0 +1,942 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import copy
+import sys
+import botocore
+import json
+import csv
+import zipfile
+import re
+from os import path
+from typing import Iterator
+
+from datetime import datetime
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import wazuh_integration
+import aws_tools
+
+MAX_RECORD_RETENTION = 500
+PATH_DATE_FORMAT = "%Y/%m/%d"
+DB_DATE_FORMAT = "%Y%m%d"
+DEFAULT_DATABASE_NAME = "s3_cloudtrail"
+
+RETRY_CONFIGURATION_URL = 'https://documentation.wazuh.com/current/amazon/services/prerequisites/' \
+                          'considerations.html#Connection-configuration-for-retries'
+
+INVALID_CREDENTIALS_ERROR_CODE = "SignatureDoesNotMatch"
+INVALID_REQUEST_TIME_ERROR_CODE = "RequestTimeTooSkewed"
+THROTTLING_EXCEPTION_ERROR_CODE = "ThrottlingException"
+
+UNKNOWN_ERROR_MESSAGE = "Unexpected error: '{error}'."
+INVALID_CREDENTIALS_ERROR_MESSAGE = "Invalid credentials to access S3 Bucket"
+INVALID_REQUEST_TIME_ERROR_MESSAGE = "The server datetime and datetime of the AWS environment differ"
+THROTTLING_EXCEPTION_ERROR_MESSAGE = "The '{name}' request was denied due to request throttling. " \
+                                     "If the problem persists check the following link to learn how to use " \
+                                     f"the Retry configuration to avoid it: '{RETRY_CONFIGURATION_URL}'"
+
+AWS_BUCKET_MSG_TEMPLATE = {'integration': 'aws',
+                           'aws': {'log_info': {'aws_account_alias': '', 'log_file': '', 's3bucket': ''}}}
+
+
+class AWSBucket(wazuh_integration.WazuhAWSDatabase):
+    """
+    Represents a bucket with events on the inside.
+
+    This is an abstract class.
+
+    Parameters
+    ----------
+    reparse : bool
+        Whether to parse already parsed logs or not.
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    bucket : str
+        Bucket name to extract logs from.
+    only_logs_after : str
+        Date after which obtain logs.
+    skip_on_error : bool
+        Whether to continue processing logs or stop when an error takes place.
+    account_alias: str
+        Alias of the AWS account where the bucket is.
+    prefix : str
+        Prefix to filter files in bucket.
+    suffix : str
+        Suffix to filter files in bucket.
+    delete_file : bool
+        Whether to delete an already processed file from a bucket or not.
+    aws_organization_id : str
+        The AWS organization ID.
+    discard_field : str
+        Name of the event field to apply the regex value on.
+    discard_regex : str
+        REGEX value to determine whether an event should be skipped.
+
+    Attributes
+    ----------
+    date_format : str
+        The format that the service uses to store the date in the bucket's path.
+    """
+    empty_bucket_message_template = "+++ No logs to process in bucket: {aws_account_id}/{aws_region}"
+
+    def __init__(self, db_table_name, bucket, reparse, profile, iam_role_arn,
+                 only_logs_after, skip_on_error, account_alias, prefix, suffix, delete_file, aws_organization_id,
+                 region, discard_field, discard_regex, sts_endpoint, service_endpoint, iam_role_duration=None):
+        # common SQL queries
+        self.sql_already_processed = """
+            SELECT
+              count(*)
+            FROM
+              {table_name}
+            WHERE
+              bucket_path=:bucket_path AND
+              aws_account_id=:aws_account_id AND
+              aws_region=:aws_region AND
+              log_key=:log_name;"""
+
+        self.sql_mark_complete = """
+            INSERT INTO {table_name} (
+                bucket_path,
+                aws_account_id,
+                aws_region,
+                log_key,
+                processed_date,
+                created_date) VALUES (
+                :bucket_path,
+                :aws_account_id,
+                :aws_region,
+                :log_key,
+                DATETIME('now'),
+                :created_date);"""
+
+        self.sql_create_table = """
+            CREATE TABLE {table_name} (
+                bucket_path 'text' NOT NULL,
+                aws_account_id 'text' NOT NULL,
+                aws_region 'text' NOT NULL,
+                log_key 'text' NOT NULL,
+                processed_date 'text' NOT NULL,
+                created_date 'integer' NOT NULL,
+                PRIMARY KEY (bucket_path, aws_account_id, aws_region, log_key));"""
+
+        self.sql_find_last_key_processed = """
+            SELECT
+                log_key
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region = :aws_region AND
+                log_key LIKE :prefix
+            ORDER BY
+                log_key DESC
+            LIMIT 1;"""
+
+        self.sql_find_first_key_processed = """
+            SELECT
+                log_key
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region = :aws_region
+            ORDER BY
+                log_key ASC
+            LIMIT 1;"""
+
+        self.sql_db_maintenance = """
+            DELETE FROM {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region AND
+                log_key <= (SELECT log_key
+                    FROM
+                        {table_name}
+                    WHERE
+                        bucket_path=:bucket_path AND
+                        aws_account_id=:aws_account_id AND
+                        aws_region=:aws_region
+                    ORDER BY
+                        log_key DESC
+                    LIMIT 1
+                    OFFSET :retain_db_records);"""
+
+        self.sql_count_region = """
+            SELECT
+                count(*)
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region;"""
+
+        # DB name
+        self.db_name = DEFAULT_DATABASE_NAME
+        # Table name
+        self.db_table_name = db_table_name
+
+        wazuh_integration.WazuhAWSDatabase.__init__(self,
+                                                    db_name=self.db_name,
+                                                    service_name='s3',
+                                                    profile=profile,
+                                                    iam_role_arn=iam_role_arn,
+                                                    region=region,
+                                                    discard_field=discard_field,
+                                                    discard_regex=discard_regex,
+                                                    sts_endpoint=sts_endpoint,
+                                                    service_endpoint=service_endpoint,
+                                                    iam_role_duration=iam_role_duration,
+                                                    skip_on_error=skip_on_error)
+        self.retain_db_records = MAX_RECORD_RETENTION
+        self.reparse = reparse
+        self.only_logs_after = datetime.strptime(only_logs_after, DB_DATE_FORMAT) if only_logs_after else None
+        self.account_alias = account_alias
+        self.prefix = prefix
+        self.suffix = suffix
+        self.delete_file = delete_file
+        self.bucket = bucket
+        self.bucket_path = f"{self.bucket}/{self.prefix}"
+        self.aws_organization_id = aws_organization_id
+        self.date_format = "%Y/%m/%d"
+        self.date_regex = re.compile(r'(\d{4}/\d{2}/\d{2})')
+        self.prefix_regex = re.compile(r"^\d{12}$")
+        self.check_prefix = False
+
+    def _same_prefix(self, match_start: int or None, aws_account_id: str, aws_region: str) -> bool:
+        """
+        Check if the prefix of a file key is the same as the one expected.
+
+        Parameters
+        ----------
+        match_start : int or None
+            The position of the string with the file key where it started matching with a date format.
+        aws_account_id : str
+            The account ID of the AWS account.
+        aws_region : str
+            The region where the bucket is located.
+
+        Returns
+        -------
+        bool
+            True if the prefix is the same, False otherwise.
+        """
+        return isinstance(match_start, int) and match_start == len(self.get_full_prefix(aws_account_id, aws_region))
+
+    def already_processed(self, downloaded_file, aws_account_id, aws_region, **kwargs):
+        cursor = self.db_cursor.execute(self.sql_already_processed.format(table_name=self.db_table_name), {
+            'bucket_path': self.bucket_path,
+            'aws_account_id': aws_account_id,
+            'aws_region': aws_region,
+            'log_name': downloaded_file})
+        return cursor.fetchone()[0] > 0
+
+    def get_creation_date(self, log_key):
+        raise NotImplementedError
+
+    def mark_complete(self, aws_account_id, aws_region, log_file, **kwargs):
+        if not self.reparse:
+            try:
+                self.db_cursor.execute(self.sql_mark_complete.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_account_id': aws_account_id,
+                    'aws_region': aws_region,
+                    'log_key': log_file['Key'],
+                    'created_date': self.get_creation_date(log_file)})
+            except Exception as e:
+                aws_tools.debug("+++ Error marking log {} as completed: {}".format(log_file['Key'], e), 2)
+
+    def db_count_region(self, aws_account_id, aws_region):
+        """Counts the number of rows in DB for a region
+        :param aws_account_id: AWS account ID
+        :type aws_account_id: str
+        :param aws_region: AWS region
+        :param aws_region: str
+        :rtype: int
+        """
+        query_count_region = self.db_cursor.execute(
+            self.sql_count_region.format(table_name=self.db_table_name), {'bucket_path': self.bucket_path,
+                                                                          'aws_account_id': aws_account_id,
+                                                                          'aws_region': aws_region,
+                                                                          'retain_db_records': self.retain_db_records})
+        return query_count_region.fetchone()[0]
+
+    def db_maintenance(self, aws_account_id=None, aws_region=None):
+        aws_tools.debug("+++ DB Maintenance", 1)
+        try:
+            if self.db_count_region(aws_account_id, aws_region) > self.retain_db_records:
+                self.db_cursor.execute(self.sql_db_maintenance.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_account_id': aws_account_id,
+                    'aws_region': aws_region,
+                    'retain_db_records': self.retain_db_records})
+        except Exception as e:
+            aws_tools.error(f"Failed to execute DB cleanup - AWS Account ID: {aws_account_id}  Region: {aws_region}: {e}")
+
+    def marker_custom_date(self, aws_region: str, aws_account_id: str, date: datetime) -> str:
+        """
+        Return an AWS bucket marker using a custom date.
+
+        Parameters
+        ----------
+        aws_region : str
+            The region.
+        aws_account_id : str
+            The account ID.
+        date : datetime
+            The date that must be used to create the filter.
+
+        Returns
+        -------
+        str
+            The required marker.
+        """
+        return f'{self.get_full_prefix(aws_account_id, aws_region)}{date.strftime(self.date_format)}'
+
+    def marker_only_logs_after(self, aws_region, aws_account_id):
+        return '{init}{only_logs_after}'.format(
+            init=self.get_full_prefix(aws_account_id, aws_region),
+            only_logs_after=self.only_logs_after.strftime(self.date_format)
+        )
+
+    def get_alert_msg(self, aws_account_id, log_key, event, error_msg=""):
+        def remove_none_fields(event):
+            for key, value in list(event.items()):
+                if isinstance(value, dict):
+                    remove_none_fields(event[key])
+                elif value is None:
+                    del event[key]
+
+        # error_msg will only have a value when event is None and vice versa
+        msg = copy.deepcopy(AWS_BUCKET_MSG_TEMPLATE)
+        msg['aws']['log_info'].update({
+            'aws_account_alias': self.account_alias,
+            'log_file': log_key,
+            's3bucket': self.bucket
+        })
+        if event:
+            remove_none_fields(event)
+            msg['aws'].update(event)
+        elif error_msg:
+            msg['error_msg'] = error_msg
+        return msg
+
+    def get_full_prefix(self, account_id, account_region):
+        raise NotImplementedError
+
+    def get_base_prefix(self):
+        raise NotImplementedError
+
+    def get_service_prefix(self, account_id):
+        raise NotImplementedError
+
+    def find_account_ids(self):
+        try:
+            prefixes = self.client.list_objects_v2(Bucket=self.bucket, Prefix=self.get_base_prefix(),
+                                                   Delimiter='/')['CommonPrefixes']
+            accounts = []
+            for p in prefixes:
+                account_id = p['Prefix'].split('/')[-2]
+                if self.prefix_regex.match(account_id):
+                    accounts.append(account_id)
+            return accounts
+        except botocore.exceptions.ClientError as err:
+            if err.response['Error']['Code'] == THROTTLING_EXCEPTION_ERROR_CODE:
+                aws_tools.debug(f'ERROR: {THROTTLING_EXCEPTION_ERROR_MESSAGE.format(name="find_account_ids")}.', 2)
+                sys.exit(16)
+            else:
+                aws_tools.debug(f'ERROR: The "find_account_ids" request failed: {err}', 1)
+                sys.exit(1)
+
+        except KeyError:
+            aws_tools.error(f"No logs found in '{self.get_base_prefix()}'. Check the provided prefix and the location of "
+                  f"the logs for the bucket type '{aws_tools.get_script_arguments().type.lower()}'")
+            sys.exit(18)
+
+    def find_regions(self, account_id):
+        try:
+            regions = self.client.list_objects_v2(Bucket=self.bucket,
+                                                  Prefix=self.get_service_prefix(account_id=account_id),
+                                                  Delimiter='/')
+
+            if 'CommonPrefixes' in regions:
+                return [common_prefix['Prefix'].split('/')[-2] for common_prefix in regions['CommonPrefixes']]
+            else:
+                aws_tools.debug(f"+++ No regions found for AWS Account {account_id}", 1)
+                return []
+        except botocore.exceptions.ClientError as err:
+            if err.response['Error']['Code'] == THROTTLING_EXCEPTION_ERROR_CODE:
+                aws_tools.debug(f'ERROR: {THROTTLING_EXCEPTION_ERROR_MESSAGE.format(name="find_regions")}. ', 2)
+                sys.exit(16)
+            else:
+                aws_tools.debug(f'ERROR: The "find_account_ids" request failed: {err}', 1)
+                sys.exit(1)
+
+    def build_s3_filter_args(self, aws_account_id, aws_region, iterating=False, custom_delimiter='', **kwargs):
+        filter_marker = ''
+        last_key = None
+        if self.reparse:
+            if self.only_logs_after:
+                filter_marker = self.marker_only_logs_after(aws_region, aws_account_id)
+            else:
+                filter_marker = self.marker_custom_date(aws_region, aws_account_id, self.default_date)
+        else:
+            query_last_key = self.db_cursor.execute(
+                self.sql_find_last_key_processed.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_region': aws_region,
+                    'prefix': f'{self.prefix}%',
+                    'aws_account_id': aws_account_id,
+                    **kwargs
+                })
+            try:
+                filter_marker = query_last_key.fetchone()[0]
+            except (TypeError, IndexError):
+                # if DB is empty for a region
+                filter_marker = self.marker_only_logs_after(aws_region, aws_account_id) if self.only_logs_after \
+                    else self.marker_custom_date(aws_region, aws_account_id, self.default_date)
+
+        filter_args = {
+            'Bucket': self.bucket,
+            'MaxKeys': 1000,
+            'Prefix': self.get_full_prefix(aws_account_id, aws_region)
+        }
+
+        # if nextContinuationToken is not used for processing logs in a bucket
+        if not iterating:
+            filter_args['StartAfter'] = filter_marker
+            if self.only_logs_after:
+                only_logs_marker = self.marker_only_logs_after(aws_region, aws_account_id)
+                filter_args['StartAfter'] = only_logs_marker if only_logs_marker > filter_marker else filter_marker
+
+            if custom_delimiter:
+                prefix_len = len(filter_args['Prefix'])
+                filter_args['StartAfter'] = filter_args['StartAfter'][:prefix_len] + \
+                                            filter_args['StartAfter'][prefix_len:].replace('/', custom_delimiter)
+            aws_tools.debug(f"+++ Marker: {filter_args['StartAfter']}", 2)
+
+        return filter_args
+
+    def reformat_msg(self, event):
+        aws_tools.debug('++ Reformat message', 3)
+
+        def single_element_list_to_dictionary(my_event):
+            for name, value in list(my_event.items()):
+                if isinstance(value, list) and len(value) == 1:
+                    my_event[name] = value[0]
+                elif isinstance(value, dict):
+                    single_element_list_to_dictionary(my_event[name])
+
+        # turn some list fields into dictionaries
+        single_element_list_to_dictionary(event)
+
+        # In order to support both old and new index pattern, change data.aws.sourceIPAddress fieldname
+        # and parse that one with type ip
+        # Only add this field if the sourceIPAddress is an IP and not a DNS.
+        if 'sourceIPAddress' in event['aws'] and re.match(r'\d+\.\d+.\d+.\d+', event['aws']['sourceIPAddress']):
+            event['aws']['source_ip_address'] = event['aws']['sourceIPAddress']
+
+        if 'tags' in event['aws'] and not isinstance(event['aws']['tags'], dict):
+            event['aws']['tags'] = {'value': event['aws']['tags']}
+
+        return event
+
+    def load_information_from_file(self, log_key):
+        """
+        AWS logs are stored in different formats depending on the service:
+        * A JSON with a unique field "Records" which is an array of jsons. The filename has .json extension.
+        (Cloudtrail)
+        * Multiple JSONs stored in the same line and with no separation. The filename has no extension.
+        (GuardDuty, IAM, Macie, Inspector)
+        * TSV format. The filename has no extension. Has multiple lines. (VPC)
+        :param log_key: name of the log file
+        :return: list of events in json format.
+        """
+        raise NotImplementedError
+
+    def get_log_file(self, aws_account_id, log_key):
+        def exception_handler(error_txt, error_code):
+            if self.skip_on_error:
+                aws_tools.debug("++ {}; skipping...".format(error_txt), 1)
+                try:
+                    error_msg = self.get_alert_msg(aws_account_id,
+                                                   log_key,
+                                                   None,
+                                                   error_txt)
+                    self.send_msg(error_msg)
+                except:
+                    aws_tools.debug("++ Failed to send message to Wazuh", 1)
+            else:
+                aws_tools.error(error_txt)
+                sys.exit(error_code)
+
+        try:
+            return self.load_information_from_file(log_key=log_key)
+        except (TypeError, IOError, zipfile.BadZipfile, zipfile.LargeZipFile) as e:
+            exception_handler("Failed to decompress file {}: {}".format(log_key, repr(e)), 8)
+        except (ValueError, csv.Error) as e:
+            exception_handler("Failed to parse file {}: {}".format(log_key, repr(e)), 9)
+        except Exception as e:
+            exception_handler("Unknown error reading/parsing file {}: {}".format(log_key, repr(e)), 1)
+
+    def iter_bucket(self, account_id, regions):
+        self.init_db(self.sql_create_table.format(table_name=self.db_table_name))
+        self.iter_regions_and_accounts(account_id, regions)
+        self.db_connector.commit()
+        self.db_cursor.execute(self.sql_db_optimize)
+        self.db_connector.close()
+
+    def iter_regions_and_accounts(self, account_id, regions):
+        if not account_id:
+            # No accounts provided, so find which exist in s3 bucket
+            account_id = self.find_account_ids()
+        for aws_account_id in account_id:
+            # No regions provided, so find which exist for this AWS account
+            if not regions:
+                regions = self.find_regions(aws_account_id)
+                if not regions:
+                    continue
+            for aws_region in regions:
+                aws_tools.debug("+++ Working on {} - {}".format(aws_account_id, aws_region), 1)
+                self.iter_files_in_bucket(aws_account_id, aws_region)
+                self.db_maintenance(aws_account_id=aws_account_id, aws_region=aws_region)
+
+    def send_event(self, event):
+        # Change dynamic fields to strings; truncate values as needed
+        event_msg = self.reformat_msg(event)
+        # Send the message
+        self.send_msg(event_msg)
+
+    def iter_events(self, event_list, log_key, aws_account_id):
+
+        if event_list is not None:
+            for event in event_list:
+                if self.event_should_be_skipped(event):
+                    aws_tools.debug(
+                        f'+++ The "{self.discard_regex.pattern}" regex found a match in the "{self.discard_field}" '
+                        f'field. The event will be skipped.', 2)
+                    continue
+                else:
+                    aws_tools.debug(
+                        f'+++ The "{self.discard_regex.pattern}" regex did not find a match in the '
+                        f'"{self.discard_field}" field. The event will be processed.', 3)
+                # Parse out all the values of 'None'
+                event_msg = self.get_alert_msg(aws_account_id, log_key, event)
+
+                self.send_event(event_msg)
+
+    def _print_no_logs_to_process_message(self, bucket, aws_account_id, aws_region, **kwargs):
+
+        if aws_account_id is not None and aws_region is not None:
+            message_args = {
+                'aws_account_id': aws_account_id, 'aws_region': aws_region, **kwargs
+            }
+        else:
+            message_args = {'bucket': bucket}
+        aws_tools.debug(self.empty_bucket_message_template.format(**message_args), 1)
+
+    def _filter_bucket_files(self, bucket_files: list, **kwargs) -> Iterator[dict]:
+        """Apply filters over a list of bucket files.
+        Parameters
+        ----------
+        bucket_files : list
+            Bucket files to filter.
+        Yields
+        ------
+        Iterator[str]
+            A bucket file that matches the filters.
+        """
+        for bucket_file in bucket_files:
+            if not bucket_file['Key']:
+                continue
+
+            if bucket_file['Key'][-1] == '/':
+                # The file is a folder
+                continue
+
+            yield bucket_file
+
+    def iter_files_in_bucket(self, aws_account_id=None, aws_region=None, **kwargs):
+        if aws_account_id is None:
+            aws_account_id = self.aws_account_id
+        try:
+            bucket_files = self.client.list_objects_v2(
+                **self.build_s3_filter_args(aws_account_id, aws_region, **kwargs)
+            )
+            if self.reparse:
+                aws_tools.debug('++ Reparse mode enabled', 2)
+
+            while True:
+                if 'Contents' not in bucket_files:
+                    self._print_no_logs_to_process_message(self.bucket, aws_account_id, aws_region, **kwargs)
+                    return
+
+                processed_logs = 0
+
+                for bucket_file in self._filter_bucket_files(bucket_files['Contents'], **kwargs):
+
+                    if self.check_prefix:
+                        date_match = self.date_regex.search(bucket_file['Key'])
+                        match_start = date_match.span()[0] if date_match else None
+
+                        if not self._same_prefix(match_start, aws_account_id, aws_region):
+                            aws_tools.debug(f"++ Skipping file with another prefix: {bucket_file['Key']}", 3)
+                            continue
+
+                    if self.already_processed(bucket_file['Key'], aws_account_id, aws_region, **kwargs):
+                        if self.reparse:
+                            aws_tools.debug(f"++ File previously processed, but reparse flag set: {bucket_file['Key']}",
+                                            1)
+                        else:
+                            aws_tools.debug(f"++ Skipping previously processed file: {bucket_file['Key']}", 1)
+                            continue
+
+                    aws_tools.debug(f"++ Found new log: {bucket_file['Key']}", 2)
+                    # Get the log file from S3 and decompress it
+                    log_json = self.get_log_file(aws_account_id, bucket_file['Key'])
+                    self.iter_events(log_json, bucket_file['Key'], aws_account_id)
+                    # Remove file from S3 Bucket
+                    if self.delete_file:
+                        aws_tools.debug(f"+++ Remove file from S3 Bucket:{bucket_file['Key']}", 2)
+                        self.client.delete_object(Bucket=self.bucket, Key=bucket_file['Key'])
+                    self.mark_complete(aws_account_id, aws_region, bucket_file, **kwargs)
+                    processed_logs += 1
+
+                # This is a workaround in order to work with custom buckets that don't have
+                # base prefix to search the logs
+                if processed_logs == 0:
+                    self._print_no_logs_to_process_message(self.bucket, aws_account_id, aws_region, **kwargs)
+
+                if bucket_files['IsTruncated']:
+                    new_s3_args = self.build_s3_filter_args(aws_account_id, aws_region, True, **kwargs)
+                    new_s3_args['ContinuationToken'] = bucket_files['NextContinuationToken']
+                    bucket_files = self.client.list_objects_v2(**new_s3_args)
+                else:
+                    break
+        except botocore.exceptions.ClientError as error:
+            error_code = error.response.get("Error", {}).get("Code")
+
+            if error_code == THROTTLING_EXCEPTION_ERROR_CODE:
+                error_message = f"{THROTTLING_EXCEPTION_ERROR_MESSAGE.format(name='iter_files_in_bucket')}: {error}"
+                exit_number = 16
+            else:
+                error_message = f'ERROR: The "iter_files_in_bucket" request failed: {error}'
+                exit_number = 1
+            aws_tools.error(f"{error_message}")
+            exit(exit_number)
+
+        except Exception as err:
+            if hasattr(err, 'message'):
+                aws_tools.debug(f"+++ Unexpected error: {err.message}", 2)
+            else:
+                aws_tools.debug(f"+++ Unexpected error: {err}", 2)
+            aws_tools.error(f"Unexpected error querying/working with objects in S3: {err}")
+            sys.exit(7)
+
+    def check_bucket(self):
+        """Check if the bucket is empty or the credentials are wrong."""
+        try:
+            # If folders are not among the first 1000 results, pagination is needed.
+            paginator = self.client.get_paginator("list_objects_v2")
+            for page in paginator.paginate(Bucket=self.bucket, Prefix=self.prefix, Delimiter='/'):
+                if 'CommonPrefixes' in page:
+                    break
+            else:
+                aws_tools.error("No files were found in '{0}'. No logs will be processed.".format(self.bucket_path))
+                exit(14)
+
+        except botocore.exceptions.ClientError as error:
+            error_code = error.response.get("Error", {}).get("Code")
+
+            if error_code == THROTTLING_EXCEPTION_ERROR_CODE:
+                error_message = f"{THROTTLING_EXCEPTION_ERROR_MESSAGE.format(name='check_bucket')}: {error}"
+                exit_number = 16
+            elif error_code == INVALID_CREDENTIALS_ERROR_CODE:
+                error_message = INVALID_CREDENTIALS_ERROR_MESSAGE
+                exit_number = 3
+            elif error_code == INVALID_REQUEST_TIME_ERROR_CODE:
+                error_message = INVALID_REQUEST_TIME_ERROR_MESSAGE
+                exit_number = 19
+            else:
+                error_message = UNKNOWN_ERROR_MESSAGE.format(error=error)
+                exit_number = 1
+
+            aws_tools.error(f"{error_message}")
+            exit(exit_number)
+        except botocore.exceptions.EndpointConnectionError as e:
+            aws_tools.error(f"{str(e)}")
+            exit(15)
+
+
+class AWSLogsBucket(AWSBucket):
+    """
+    Abstract class for logs generated from services such as CloudTrail or Config
+    """
+
+    def __init__(self, **kwargs):
+        AWSBucket.__init__(self, **kwargs)
+        # If not empty, both self.prefix and self.suffix always have a trailing '/'
+        self.bucket_path = f"{self.bucket}/{self.prefix}{self.suffix}"
+        self.service = None
+
+    def get_base_prefix(self):
+        base_path = '{}AWSLogs/{}'.format(self.prefix, self.suffix)
+        if self.aws_organization_id:
+            base_path = '{base_prefix}{aws_organization_id}/'.format(
+                base_prefix=base_path,
+                aws_organization_id=self.aws_organization_id)
+
+        return base_path
+
+    def get_service_prefix(self, account_id):
+        return '{base_prefix}{aws_account_id}/{aws_service}/'.format(
+            base_prefix=self.get_base_prefix(),
+            aws_account_id=account_id,
+            aws_service=self.service)
+
+    def get_full_prefix(self, account_id, account_region):
+        return '{service_prefix}{aws_region}/'.format(
+            service_prefix=self.get_service_prefix(account_id),
+            aws_region=account_region)
+
+    def get_creation_date(self, log_file):
+        # An example of cloudtrail filename would be
+        # AWSLogs/11111111/CloudTrail/ap-northeast-1/2018/08/10/
+        # 111111_CloudTrail_ap-northeast-1_20180810T0115Z_DgrtLuV9YQvGGdN6.json.gz
+        # the following line extracts this part -> 20180810
+        return int(path.basename(log_file['Key']).split('_')[-2].split('T')[0])
+
+    def get_alert_msg(self, aws_account_id, log_key, event, error_msg=""):
+        alert_msg = AWSBucket.get_alert_msg(self, aws_account_id, log_key, event, error_msg)
+        alert_msg['aws']['aws_account_id'] = aws_account_id
+        return alert_msg
+
+    def load_information_from_file(self, log_key):
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            json_file = json.load(f)
+            return None if self.field_to_load not in json_file else [dict(x, source=self.service.lower()) for x in
+                                                                     json_file[self.field_to_load]]
+
+
+class AWSCustomBucket(AWSBucket):
+    empty_bucket_message_template = "+++ No logs to process in bucket: {bucket}"
+
+    def __init__(self, db_table_name=None, **kwargs):
+        # only special services have a different DB table
+        AWSBucket.__init__(self, db_table_name=db_table_name if db_table_name else 'custom', **kwargs)
+        self.retain_db_records = MAX_RECORD_RETENTION
+        # get STS client
+        profile = kwargs.get('profile', None)
+        self.sts_client = self.get_sts_client(profile=profile)
+        # get account ID
+        self.aws_account_id = self.sts_client.get_caller_identity().get('Account')
+        self.macie_location_pattern = re.compile(r'"lat":(-?0+\d+\.\d+),"lon":(-?0+\d+\.\d+)')
+        self.check_prefix = True
+        # SQL queries for custom buckets
+        self.sql_already_processed = """
+            SELECT
+                count(*)
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                log_key=:log_key;"""
+
+        self.sql_mark_complete = """
+            INSERT INTO {table_name} (
+                bucket_path,
+                aws_account_id,
+                log_key,
+                processed_date,
+                created_date)
+            VALUES (
+                :bucket_path,
+                :aws_account_id,
+                :log_key,
+                DATETIME('now'),
+                :created_date);"""
+
+        self.sql_create_table = """
+            CREATE TABLE {table_name} (
+                bucket_path 'text' NOT NULL,
+                aws_account_id 'text' NOT NULL,
+                log_key 'text' NOT NULL,
+                processed_date 'text' NOT NULL,
+                created_date 'integer' NOT NULL,
+                PRIMARY KEY (bucket_path, aws_account_id, log_key));"""
+
+        self.sql_find_last_key_processed = """
+            SELECT
+                log_key
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                log_key LIKE :prefix
+            ORDER BY
+                log_key DESC
+            LIMIT 1;"""
+
+        self.sql_db_maintenance = """
+            DELETE FROM {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                log_key <=
+                (SELECT log_key
+                    FROM
+                        {table_name}
+                    WHERE
+                        bucket_path=:bucket_path AND
+                        aws_account_id=:aws_account_id
+                    ORDER BY
+                        log_key DESC
+                    LIMIT 1
+                    OFFSET :retain_db_records);"""
+
+        self.sql_count_custom = """
+            SELECT
+                count(*)
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id;"""
+
+    def load_information_from_file(self, log_key):
+        def json_event_generator(data):
+            while data:
+                try:
+                    json_data, json_index = decoder.raw_decode(data)
+                except ValueError as err:
+                    # Handle undefined values for lat and lon fields in Macie logs
+                    match = self.macie_location_pattern.search(data)
+                    if not match or not match.group(1) or not match.group(2):
+                        raise err
+                    lat = float(match.group(1))
+                    lon = float(match.group(2))
+                    new_pattern = f'"lat":{lat},"lon":{lon}'
+                    data = re.sub(self.macie_location_pattern, new_pattern, data)
+                    json_data, json_index = decoder.raw_decode(data)
+                data = data[json_index:]
+                yield json_data
+
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            if f.read(1) == '{':
+                decoder = json.JSONDecoder()
+                return [dict(event['detail'], source=event['source'].replace('aws.', '')) for event in
+                        json_event_generator('{' + f.read()) if 'detail' in event]
+            else:
+                fieldnames = (
+                    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport", "protocol",
+                    "packets", "bytes", "start", "end", "action", "log_status")
+                tsv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=' ')
+                return [dict(x, source='vpc') for x in tsv_file]
+
+    def get_creation_date(self, log_file):
+        # The Amazon S3 object name follows the pattern
+        # DeliveryStreamName-DeliveryStreamVersion-YYYY-MM-DD-HH-MM-SS-RandomString
+        name_regex = re.match(r".*(\d\d\d\d[\/\-]\d\d[\/\-]\d\d).*", log_file['Key'])
+        if name_regex is None:
+            return int(log_file['LastModified'].strftime('%Y%m%d'))
+        else:
+            return int(name_regex.group(1).replace('/', '').replace('-', ''))
+
+    def get_full_prefix(self, account_id, account_region):
+        return self.prefix
+
+    def reformat_msg(self, event):
+
+        def list_paths_from_dict(d, discard_levels=None, glue=".", path=None):
+            path = [] if path is None else path
+            if not isinstance(d, dict):
+                path.extend(d if isinstance(d, list) else [str(d)])
+                return [glue.join(path[:discard_levels if discard_levels is None else -discard_levels])]
+            return [item for k, v in d.items() for item in list_paths_from_dict(v,
+                                                                                path=path + [k],
+                                                                                discard_levels=discard_levels,
+                                                                                glue=glue)]
+
+        AWSBucket.reformat_msg(self, event)
+        if event['aws']['source'] == 'macie' and 'trigger' in event['aws']:
+            del event['aws']['trigger']
+
+        if 'service' in event['aws'] and 'additionalInfo' in event['aws']['service'] and \
+                'unusual' in event['aws']['service']['additionalInfo'] and \
+                not isinstance(event['aws']['service']['additionalInfo']['unusual'], dict):
+            event['aws']['service']['additionalInfo']['unusual'] = {
+                'value': event['aws']['service']['additionalInfo']['unusual']}
+
+        if event['aws']['source'] == 'macie':
+            for field in ('Bucket', 'DLP risk', 'IP', 'Location', 'Object',
+                          'Owner', 'Themes', 'Timestamps', 'recipientAccountId'):
+                try:
+                    if isinstance(event['aws']['summary'][field], dict):
+                        event['aws']['summary'][field] = list_paths_from_dict(event['aws']['summary'][field],
+                                                                              discard_levels=1,
+                                                                              path=[])
+                except KeyError:
+                    pass
+
+            try:
+                for event_name in event['aws']['summary']['Events']:
+                    for event_field in event['aws']['summary']['Events'][event_name]:
+                        event['aws']['summary']['Events'][event_name][event_field] = list_paths_from_dict(
+                            event['aws']['summary']['Events'][event_name][event_field],
+                            discard_levels=0 if event_field == 'count' else 1,
+                            path=[])
+            except KeyError:
+                pass
+
+        return event
+
+    def iter_regions_and_accounts(self, account_id, regions):
+        # Only <self.retain_db_records> logs for each region are stored in DB. Using self.bucket as region name
+        # would prevent to lose lots of logs from different buckets.
+        # no iterations for accounts_id or regions on custom buckets
+        self.iter_files_in_bucket()
+        self.db_maintenance()
+
+    def already_processed(self, downloaded_file, aws_account_id, aws_region, **kwargs):
+        cursor = self.db_cursor.execute(self.sql_already_processed.format(table_name=self.db_table_name), {
+            'bucket_path': self.bucket_path,
+            'aws_account_id': self.aws_account_id,
+            'log_key': downloaded_file})
+        return cursor.fetchone()[0] > 0
+
+    def mark_complete(self, aws_account_id, aws_region, log_file, **kwargs):
+        AWSBucket.mark_complete(self, aws_account_id or self.aws_account_id, aws_region, log_file)
+
+    def db_count_custom(self, aws_account_id=None):
+        """Counts the number of rows in DB for a region
+        :param aws_account_id: AWS account ID
+        :type aws_account_id: str
+        :rtype: int
+        """
+        query_count_custom = self.db_cursor.execute(
+            self.sql_count_custom.format(table_name=self.db_table_name), {
+                'bucket_path': self.bucket_path,
+                'aws_account_id': aws_account_id if aws_account_id else self.aws_account_id,
+                'retain_db_records': self.retain_db_records})
+
+        return query_count_custom.fetchone()[0]
+
+    def db_maintenance(self, aws_account_id=None, **kwargs):
+        aws_tools.debug("+++ DB Maintenance", 1)
+        try:
+            if self.db_count_custom(aws_account_id) > self.retain_db_records:
+                self.db_cursor.execute(self.sql_db_maintenance.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_account_id': aws_account_id if aws_account_id else self.aws_account_id,
+                    'retain_db_records': self.retain_db_records})
+        except Exception as e:
+            aws_tools.error(f"ERROR: Failed to execute DB cleanup - Path: {self.bucket_path}: {e}")
diff --git a/src/modules/aws/scripts/buckets_s3/cloudtrail.py b/src/modules/aws/scripts/buckets_s3/cloudtrail.py
new file mode 100644
index 0000000000..85c8345113
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/cloudtrail.py
@@ -0,0 +1,44 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+sys.path.append(os.path.dirname(os.path.realpath(__file__)))
+import aws_bucket
+
+DYNAMIC_FIELDS = ['additionalEventData', 'responseElements', 'requestParameters']
+
+
+class AWSCloudTrailBucket(aws_bucket.AWSLogsBucket):
+    """
+    Represents a bucket with AWS CloudTrail logs
+    """
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'cloudtrail'
+        aws_bucket.AWSLogsBucket.__init__(self, **kwargs)
+        self.service = 'CloudTrail'
+        self.field_to_load = 'Records'
+
+    def reformat_msg(self, event):
+        aws_bucket.AWSBucket.reformat_msg(self, event)
+        # Some fields in CloudTrail are dynamic in nature, which causes problems for ES mapping
+        # ES mapping expects for a dictionary, if the field is any other type (list or string)
+        # turn it into a dictionary
+        for field_to_cast in DYNAMIC_FIELDS:
+            if field_to_cast in event['aws'] and not isinstance(event['aws'][field_to_cast], dict):
+                event['aws'][field_to_cast] = {'string': str(event['aws'][field_to_cast])}
+
+        if 'requestParameters' in event['aws']:
+            request_parameters = event['aws']['requestParameters']
+            if 'disableApiTermination' in request_parameters:
+                disable_api_termination = request_parameters['disableApiTermination']
+                if isinstance(disable_api_termination, bool):
+                    request_parameters['disableApiTermination'] = {'value': disable_api_termination}
+                elif isinstance(disable_api_termination, dict):
+                    pass
+                else:
+                    print("WARNING: Could not reformat event {0}".format(event))
+
+        return event
diff --git a/src/modules/aws/scripts/buckets_s3/config.py b/src/modules/aws/scripts/buckets_s3/config.py
new file mode 100644
index 0000000000..50231b5679
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/config.py
@@ -0,0 +1,204 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+import re
+from os import path
+from datetime import datetime
+from time import mktime
+
+import aws_bucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSConfigBucket(aws_bucket.AWSLogsBucket):
+    """
+    Represents a bucket with AWS Config logs
+    """
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'config'
+        aws_bucket.AWSLogsBucket.__init__(self, **kwargs)
+        self.service = 'Config'
+        self.field_to_load = 'configurationItems'
+        # SQL queries for AWS Config
+        self.sql_find_last_key_processed_of_day = """
+            SELECT
+                log_key
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region = :aws_region AND
+                created_date = :created_date
+            ORDER BY
+                log_key DESC
+            LIMIT 1;"""
+        self._leading_zero_regex = re.compile(r'/(0)(?P<num>\d)')
+        self._extract_date_regex = re.compile(r'\d{4}/\d{1,2}/\d{1,2}')
+
+    def _format_created_date(self, date: str) -> str:
+        """
+        Return a date with the format used by the created_date field of the database.
+
+        Parameters
+        ----------
+        date : str
+            Date in the "%Y/%m/%d" format.
+
+        Returns
+        -------
+        str
+            Date with the format used by the database.
+        """
+        return datetime.strftime(datetime.strptime(date, self.date_format), aws_bucket.DB_DATE_FORMAT)
+
+    def _remove_padding_zeros_from_marker(self, marker: str) -> str:
+        """Remove the leading zeros from the month and day of a given marker.
+
+        For example, 'AWSLogs/123456789012/Config/us-east-1/2020/01/06' would become
+        'AWSLogs/123456789012/Config/us-east-1/2020/1/6'.
+
+        Parameters
+        ----------
+        marker : str
+            The marker which may include a date with leading zeros as part of the month and the day.
+
+        Returns
+        -------
+        str
+            Marker without padding zeros in the date.
+        """
+        try:
+            date = self._extract_date_regex.search(marker).group(0)
+            # We can't call re.sub directly on the marker because the AWS account ID could start with a 0 too
+            parsed_date = re.sub(self._leading_zero_regex, r'/\g<num>', date)
+            return marker.replace(date, parsed_date)
+        except AttributeError:
+            aws_tools.error(f"There was an error while trying to extract a date from the marker '{marker}'")
+            sys.exit(16)
+
+    def marker_only_logs_after(self, aws_region: str, aws_account_id: str) -> str:
+        """Return a marker using the only_logs_after date to pass it as a filter to the list_objects_v2 method.
+
+        This method removes the leading zeroes for the month and the day to comply with the config buckets folder
+        structure.
+
+        Parameters
+        ----------
+        aws_region : str
+            Region where the bucket is located.
+        aws_account_id : str
+            Account ID that's being used to access the bucket.
+
+        Returns
+        -------
+        str
+            Marker generated using the only_logs_after value.
+        """
+        return self._remove_padding_zeros_from_marker(aws_bucket.AWSBucket.marker_only_logs_after(self, aws_region,
+                                                                                                  aws_account_id))
+
+    def marker_custom_date(self, aws_region: str, aws_account_id: str, date: datetime) -> str:
+        """Return a marker using the specified date to pass it as a filter to the list_objects_v2 method.
+
+        This method removes the leading zeroes for the month and the day to comply with the config buckets folder
+        structure.
+
+        Parameters
+        ----------
+        aws_region : str
+            Region where the bucket is located.
+        aws_account_id : str
+            Account ID that's being used to access the bucket.
+        date : datetime
+            Date that will be used to generate the marker.
+
+        Returns
+        -------
+        str
+            Marker generated using the specified date.
+        """
+        return self._remove_padding_zeros_from_marker(
+            aws_bucket.AWSBucket.marker_custom_date(self, aws_region, aws_account_id, date))
+
+    def reformat_msg(self, event):
+        aws_bucket.AWSBucket.reformat_msg(self, event)
+        if 'configuration' in event['aws']:
+            configuration = event['aws']['configuration']
+
+            # Remove unnecessary fields to avoid performance issues
+            for key in configuration:
+                if type(configuration[key]) is dict and "Content" in configuration[key]:
+                    content_list = list(configuration[key]["Content"].keys())
+                    configuration[key]["Content"] = content_list
+
+            if 'securityGroups' in configuration:
+                security_groups = configuration['securityGroups']
+                if isinstance(security_groups, str):
+                    configuration['securityGroups'] = {'groupId': [security_groups]}
+                elif isinstance(security_groups, list):
+                    group_ids = [sec_group['groupId'] for sec_group in security_groups if 'groupId' in sec_group]
+                    group_names = [sec_group['groupName'] for sec_group in security_groups if 'groupName' in sec_group]
+                    configuration['securityGroups'] = {}
+                    if len(group_ids) > 0:
+                        configuration['securityGroups']['groupId'] = group_ids
+                    if len(group_names) > 0:
+                        configuration['securityGroups']['groupName'] = group_names
+                elif isinstance(configuration['securityGroups'], dict):
+                    configuration['securityGroups'] = {key: [value] for key, value in security_groups.items()}
+                else:
+                    print("WARNING: Could not reformat event {0}".format(event))
+
+            if 'availabilityZones' in configuration:
+                availability_zones = configuration['availabilityZones']
+                if isinstance(availability_zones, str):
+                    configuration['availabilityZones'] = {'zoneName': [availability_zones]}
+                elif isinstance(availability_zones, list):
+                    subnet_ids = [zone['subnetId'] for zone in availability_zones if 'subnetId' in zone]
+                    zone_names = [zone['zoneName'] for zone in availability_zones if 'zoneName' in zone]
+                    configuration['availabilityZones'] = {}
+                    if len(subnet_ids) > 0:
+                        configuration['availabilityZones']['subnetId'] = subnet_ids
+                    if len(zone_names) > 0:
+                        configuration['availabilityZones']['zoneName'] = zone_names
+                elif isinstance(configuration['availabilityZones'], dict):
+                    configuration['availabilityZones'] = {key: [value] for key, value in availability_zones.items()}
+                else:
+                    print("WARNING: Could not reformat event {0}".format(event))
+
+            if 'state' in configuration:
+                state = configuration['state']
+                if isinstance(state, str):
+                    configuration['state'] = {'name': state}
+                elif isinstance(state, dict):
+                    pass
+                else:
+                    print("WARNING: Could not reformat event {0}".format(event))
+
+            if 'createdTime' in configuration:
+                created_time = configuration['createdTime']
+                if isinstance(created_time, float) or isinstance(created_time, int):
+                    configuration['createdTime'] = float(created_time)
+                else:
+                    try:
+                        date_string = str(created_time)
+                        configuration['createdTime'] = mktime(datetime.strptime(date_string,
+                                                                                "%Y-%m-%dT%H:%M:%S.%fZ").timetuple())
+                    except Exception:
+                        print("WARNING: Could not reformat event {0}".format(event))
+
+            if 'iamInstanceProfile' in configuration:
+                iam_profile = configuration['iamInstanceProfile']
+                if isinstance(iam_profile, str):
+                    configuration['iamInstanceProfile'] = {'name': iam_profile}
+                elif isinstance(iam_profile, dict):
+                    pass
+                else:
+                    print("WARNING: Could not reformat event {0}".format(event))
+
+        return event
diff --git a/src/modules/aws/scripts/buckets_s3/guardduty.py b/src/modules/aws/scripts/buckets_s3/guardduty.py
new file mode 100644
index 0000000000..746b3714d2
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/guardduty.py
@@ -0,0 +1,99 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+from os import path
+import json
+from aws_bucket import AWSBucket, AWSCustomBucket, AWSLogsBucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+GUARDDUTY_URL = 'https://documentation.wazuh.com/current/amazon/services/supported-services/guardduty.html'
+GUARDDUTY_DEPRECATED_MESSAGE = 'The functionality to process GuardDuty logs stored in S3 via Kinesis was deprecated ' \
+                               'in {release}. Consider configuring GuardDuty to store its findings directly in an S3 ' \
+                               'bucket instead. Check {url} for more information.'
+
+
+class AWSGuardDutyBucket(AWSCustomBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'guardduty'
+        AWSCustomBucket.__init__(self, **kwargs)
+
+        self.service = 'GuardDuty'
+        if self.check_guardduty_type():
+            self.type = "GuardDutyNative"
+            self.empty_bucket_message_template = AWSBucket.empty_bucket_message_template
+        else:
+            self.type = "GuardDutyKinesis"
+
+    def check_guardduty_type(self):
+        try:
+            return \
+                    'CommonPrefixes' in self.client.list_objects_v2(Bucket=self.bucket, Prefix=f'{self.prefix}AWSLogs',
+                                                                    Delimiter='/', MaxKeys=1)
+        except Exception as err:
+            if hasattr(err, 'message'):
+                aws_tools.debug(f"+++ Unexpected error: {err.message}", 2)
+            else:
+                aws_tools.debug(f"+++ Unexpected error: {err}", 2)
+            aws_tools.error(f"Unexpected error querying/working with objects in S3: {err}")
+            sys.exit(7)
+
+    def get_service_prefix(self, account_id):
+        return AWSLogsBucket.get_service_prefix(self, account_id)
+
+    def get_full_prefix(self, account_id, account_region):
+        if self.type == "GuardDutyNative":
+            return AWSLogsBucket.get_full_prefix(self, account_id, account_region)
+        else:
+            return self.prefix
+
+    def get_base_prefix(self):
+        if self.type == "GuardDutyNative":
+            return AWSLogsBucket.get_base_prefix(self)
+        else:
+            return self.prefix
+
+    def iter_regions_and_accounts(self, account_id, regions):
+        if self.type == "GuardDutyNative":
+            AWSBucket.iter_regions_and_accounts(self, account_id, regions)
+        else:
+            print(GUARDDUTY_DEPRECATED_MESSAGE.format(release="4.5", url=GUARDDUTY_URL))
+            self.check_prefix = True
+            AWSCustomBucket.iter_regions_and_accounts(self, account_id, regions)
+
+    def send_event(self, event):
+        # Send the message (splitted if it is necessary)
+        for msg in self.reformat_msg(event):
+            self.send_msg(msg)
+
+    def reformat_msg(self, event):
+        aws_tools.debug('++ Reformat message', 3)
+        if event['aws']['source'] == 'guardduty' and 'service' in event['aws'] and \
+                'action' in event['aws']['service'] and \
+                'portProbeAction' in event['aws']['service']['action'] and \
+                'portProbeDetails' in event['aws']['service']['action']['portProbeAction'] and \
+                len(event['aws']['service']['action']['portProbeAction']['portProbeDetails']) > 1:
+
+            port_probe_details = event['aws']['service']['action']['portProbeAction']['portProbeDetails']
+            for detail in port_probe_details:
+                event['aws']['service']['action']['portProbeAction']['portProbeDetails'] = detail
+                yield event
+        else:
+            AWSBucket.reformat_msg(self, event)
+            yield event
+
+    def load_information_from_file(self, log_key):
+        if log_key.endswith('.jsonl.gz'):
+            with self.decompress_file(self.bucket, log_key=log_key) as f:
+                json_list = list(f)
+                result = []
+                for json_item in json_list:
+                    x = json.loads(json_item)
+                    result.append(dict(x, source=x['service']['serviceName']))
+                return result
+        else:
+            return AWSCustomBucket.load_information_from_file(self, log_key)
diff --git a/src/modules/aws/scripts/buckets_s3/load_balancers.py b/src/modules/aws/scripts/buckets_s3/load_balancers.py
new file mode 100644
index 0000000000..ed50172b22
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/load_balancers.py
@@ -0,0 +1,126 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+import csv
+from os import path
+from aws_bucket import AWSBucket, AWSCustomBucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSLBBucket(AWSCustomBucket):
+    """Class that has common methods unique to the load balancers."""
+
+    empty_bucket_message_template = AWSBucket.empty_bucket_message_template
+
+    def __init__(self, *args, **kwargs):
+        self.service = 'elasticloadbalancing'
+        AWSCustomBucket.__init__(self, *args, **kwargs)
+
+    def get_base_prefix(self):
+        return f'{self.prefix}AWSLogs/{self.suffix}'
+
+    def get_service_prefix(self, account_id):
+        return f'{self.get_base_prefix()}{account_id}/{self.service}/'
+
+    def iter_regions_and_accounts(self, account_id, regions):
+        AWSBucket.iter_regions_and_accounts(self, account_id, regions)
+
+    def get_full_prefix(self, account_id, account_region):
+        return f'{self.get_service_prefix(account_id)}{account_region}/'
+
+    def mark_complete(self, aws_account_id, aws_region, log_file):
+        AWSBucket.mark_complete(self, aws_account_id, aws_region, log_file)
+
+
+class AWSALBBucket(AWSLBBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'alb'
+        AWSLBBucket.__init__(self, **kwargs)
+
+    def load_information_from_file(self, log_key):
+        """Load data from a ALB access log file."""
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            fieldnames = (
+                "type", "time", "elb", "client_port", "target_port", "request_processing_time",
+                "target_processing_time", "response_processing_time", "elb_status_code", "target_status_code",
+                "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher", "ssl_protocol",
+                "target_group_arn", "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
+                "request_creation_time", "action_executed", "redirect_url", "error_reason", "target_port_list",
+                "target_status_code_list", "classification", "classification_reason")
+            tsv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=' ')
+            tsv_file = [dict(x, source='alb') for x in tsv_file]
+
+            fields_to_process_map = {
+                "client_port": "client_ip",
+                "target_port": "target_ip",
+                "target_port_list": "target_ip_list"
+            }
+
+            for log_entry in tsv_file:
+                for field_to_process, ip_field in fields_to_process_map.items():
+                    try:
+                        port, ip = "", ""
+                        for item in [i.split(":") for i in log_entry[field_to_process].split()]:
+                            ip += f"{item[0]} "
+                            port += f"{item[1]} "
+                        log_entry[field_to_process], log_entry[ip_field] = port.strip(), ip.strip()
+                    except (ValueError, IndexError):
+                        aws_tools.debug(f"Unable to process correctly ABL log entry, for field {field_to_process}.",
+                                        msg_level=1)
+                        aws_tools.debug(f"Log Entry: {log_entry}", msg_level=2)
+
+            return tsv_file
+
+
+class AWSCLBBucket(AWSLBBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'clb'
+        AWSLBBucket.__init__(self, **kwargs)
+
+    def load_information_from_file(self, log_key):
+        """Load data from a CLB access log file."""
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            fieldnames = (
+                "time", "elb", "client_port", "backend_port", "request_processing_time", "backend_processing_time",
+                "response_processing_time", "elb_status_code", "backend_status_code", "received_bytes", "sent_bytes",
+                "request", "user_agent", "ssl_cipher", "ssl_protocol")
+            tsv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=' ')
+
+            return [dict(x, source='clb') for x in tsv_file]
+
+
+class AWSNLBBucket(AWSLBBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'nlb'
+        AWSLBBucket.__init__(self, **kwargs)
+
+    def load_information_from_file(self, log_key):
+        """Load data from a NLB access log file."""
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            fieldnames = (
+                "type", "version", "time", "elb", "listener", "client_port", "destination_port", "connection_time",
+                "tls_handshake_time", "received_bytes", "sent_bytes", "incoming_tls_alert", "chosen_cert_arn",
+                "chosen_cert_serial", "tls_cipher", "tls_protocol_version", "tls_named_group", "domain_name",
+                "alpn_fe_protocol", "alpn_client_preference_list")
+            tsv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=' ')
+
+            tsv_file = [dict(x, source='nlb') for x in tsv_file]
+
+            # Split ip_addr:port field into ip_addr and port fields
+            for log_entry in tsv_file:
+                try:
+                    log_entry['client_ip'], log_entry['client_port'] = log_entry['client_port'].split(':')
+                    log_entry['destination_ip'], log_entry['destination_port'] = \
+                        log_entry['destination_port'].split(':')
+                except ValueError:
+                    log_entry['client_ip'] = log_entry['client_port']
+                    log_entry['destination_ip'] = log_entry['destination_port']
+
+            return tsv_file
diff --git a/src/modules/aws/scripts/buckets_s3/server_access.py b/src/modules/aws/scripts/buckets_s3/server_access.py
new file mode 100644
index 0000000000..4360a91b3c
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/server_access.py
@@ -0,0 +1,200 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+from os import path
+import botocore
+import re
+
+from aws_bucket import INVALID_CREDENTIALS_ERROR_CODE, INVALID_CREDENTIALS_ERROR_MESSAGE
+from aws_bucket import INVALID_REQUEST_TIME_ERROR_CODE, INVALID_REQUEST_TIME_ERROR_MESSAGE
+from aws_bucket import THROTTLING_EXCEPTION_ERROR_CODE, THROTTLING_EXCEPTION_ERROR_MESSAGE
+from aws_bucket import UNKNOWN_ERROR_MESSAGE
+from aws_bucket import AWSCustomBucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSServerAccess(AWSCustomBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 's3_server_access'
+        AWSCustomBucket.__init__(self, **kwargs)
+        self.date_regex = re.compile(r'(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})')
+        self.date_format = '%Y-%m-%d'
+
+    def iter_files_in_bucket(self, aws_account_id: str = None, aws_region: str = None):
+        if aws_account_id is None:
+            aws_account_id = self.aws_account_id
+        try:
+            bucket_files = self.client.list_objects_v2(**self.build_s3_filter_args(aws_account_id, aws_region,
+                                                                                   custom_delimiter='-'))
+            while True:
+                if 'Contents' not in bucket_files:
+                    self._print_no_logs_to_process_message(self.bucket, aws_account_id, aws_region)
+                    return
+
+                processed_logs = 0
+
+                for bucket_file in bucket_files['Contents']:
+                    if not bucket_file['Key']:
+                        continue
+
+                    if bucket_file['Key'][-1] == '/':
+                        # The file is a folder
+                        continue
+
+                    try:
+                        date_match = self.date_regex.search(bucket_file['Key'])
+                        match_start = date_match.span()[0] if date_match else None
+                    except TypeError:
+                        if self.skip_on_error:
+                            aws_tools.debug(
+                                f"+++ WARNING: The format of the {bucket_file['Key']} filename is not valid, "
+                                "skipping it.", 1)
+                            continue
+                        else:
+                            aws_tools.error(f"The filename of {bucket_file['Key']} doesn't have the valid format.")
+                            sys.exit(17)
+
+                    if not self._same_prefix(match_start, aws_account_id, aws_region):
+                        aws_tools.debug(f"++ Skipping file with another prefix: {bucket_file['Key']}", 3)
+                        continue
+
+                    if self.already_processed(bucket_file['Key'], aws_account_id, aws_region):
+                        if self.reparse:
+                            aws_tools.debug(f"++ File previously processed, but reparse flag set: {bucket_file['Key']}",
+                                            1)
+                        else:
+                            aws_tools.debug(f"++ Skipping previously processed file: {bucket_file['Key']}", 2)
+                            continue
+
+                    aws_tools.debug(f"++ Found new log: {bucket_file['Key']}", 2)
+                    # Get the log file from S3 and decompress it
+                    log_json = self.get_log_file(aws_account_id, bucket_file['Key'])
+                    self.iter_events(log_json, bucket_file['Key'], aws_account_id)
+                    # Remove file from S3 Bucket
+                    if self.delete_file:
+                        aws_tools.debug(f"+++ Remove file from S3 Bucket:{bucket_file['Key']}", 2)
+                        self.client.delete_object(Bucket=self.bucket, Key=bucket_file['Key'])
+                    self.mark_complete(aws_account_id, aws_region, bucket_file)
+                    processed_logs += 1
+
+                if processed_logs == 0:
+                    self._print_no_logs_to_process_message(self.bucket, aws_account_id, aws_region)
+
+                if bucket_files['IsTruncated']:
+                    new_s3_args = self.build_s3_filter_args(aws_account_id, aws_region, True)
+                    new_s3_args['ContinuationToken'] = bucket_files['NextContinuationToken']
+                    bucket_files = self.client.list_objects_v2(**new_s3_args)
+                else:
+                    break
+
+        except Exception as err:
+            if hasattr(err, 'message'):
+                aws_tools.debug(f"+++ Unexpected error: {err.message}", 2)
+            else:
+                aws_tools.debug(f"+++ Unexpected error: {err}", 2)
+            aws_tools.error(f"Unexpected error querying/working with objects in S3: {err}")
+            sys.exit(7)
+
+    def marker_only_logs_after(self, aws_region: str, aws_account_id: str) -> str:
+        """
+        Return a marker to filter AWS log files using the `only_logs_after` value.
+
+        Parameters
+        ----------
+        aws_region : str
+            The region where the bucket is located.
+        aws_account_id : str
+            The account ID of the AWS account.
+
+        Returns
+        -------
+        str
+            The filter, with the file's prefix and date.
+        """
+        return self.get_full_prefix(aws_account_id, aws_region) + self.only_logs_after.strftime(self.date_format)
+
+    def check_bucket(self):
+        """Check if the bucket is empty or the credentials are wrong."""
+
+        try:
+            bucket_objects = self.client.list_objects_v2(Bucket=self.bucket, Prefix=self.prefix, Delimiter='/')
+            if not 'CommonPrefixes' in bucket_objects and not 'Contents' in bucket_objects:
+                aws_tools.error("No files were found in '{0}'. No logs will be processed.".format(self.bucket_path))
+                exit(14)
+        except botocore.exceptions.ClientError as error:
+            error_code = error.response.get("Error", {}).get("Code")
+
+            if error_code == THROTTLING_EXCEPTION_ERROR_CODE:
+                error_message = f"{THROTTLING_EXCEPTION_ERROR_MESSAGE.format(name='check_bucket')}: {error}"
+                exit_number = 16
+            elif error_code == INVALID_CREDENTIALS_ERROR_CODE:
+                error_message = INVALID_CREDENTIALS_ERROR_MESSAGE
+                exit_number = 3
+            elif error_code == INVALID_REQUEST_TIME_ERROR_CODE:
+                error_message = INVALID_REQUEST_TIME_ERROR_MESSAGE
+                exit_number = 19
+            else:
+                error_message = UNKNOWN_ERROR_MESSAGE.format(error=error)
+                exit_number = 1
+
+            aws_tools.error(error_message)
+            exit(exit_number)
+
+    def load_information_from_file(self, log_key):
+        """Load data from a S3 access log file."""
+
+        def parse_line(line_):
+            def merge_values(delimiter='"', remove=False):
+                next_ = next(it, None)
+                while next_:
+                    value_list[-1] = f'{value_list[-1]} {next_}'
+                    try:
+                        if next_[-1] == delimiter:
+                            if remove:
+                                value_list[-1] = value_list[-1][1:-1]
+                            break
+                    except TypeError:
+                        pass
+                    next_ = next(it, None)
+
+            value_list = list()
+            it = iter(line_.split(" "))
+            value = next(it, None)
+            while value:
+                value_list.append(value)
+                # Check if the current value should be combined with the next ones
+                try:
+                    if value[0] == "[" and value[-1] != "]":
+                        merge_values(delimiter=']', remove=True)
+                    elif value[0] == '"' and value[-1] != '"':
+                        merge_values(remove=True)
+                    elif value[0] == "'" and value[-1] != "'":
+                        merge_values(remove=True)
+                    elif (value[0] == '"' and value[-1] == '"') or (value[0] == "'" and value[-1] == "'"):
+                        value_list[-1] = value_list[-1][1:-1]
+                except TypeError:
+                    pass
+                value = next(it, None)
+            try:
+                value_list[-1] = value_list[-1].replace("\n", "")
+            except TypeError:
+                pass
+            return value_list
+
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            fieldnames = (
+                "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id", "operation", "key",
+                "request_uri", "http_status", "error_code", "bytes_sent", "object_sent", "total_time",
+                "turn_around_time", "referer", "user_agent", "version_id", "host_id", "signature_version",
+                "cipher_suite", "authentication_type", "host_header", "tls_version")
+            result = list()
+            for line in f:
+                json_list = dict(zip(fieldnames, parse_line(line)))
+                json_list["source"] = 's3_server_access'
+                result.append(json_list)
+            return result
diff --git a/src/modules/aws/scripts/buckets_s3/umbrella.py b/src/modules/aws/scripts/buckets_s3/umbrella.py
new file mode 100644
index 0000000000..5d8475cc11
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/umbrella.py
@@ -0,0 +1,60 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import csv
+import sys
+from os import path
+from aws_bucket import AWSCustomBucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class CiscoUmbrella(AWSCustomBucket):
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'cisco_umbrella'
+        AWSCustomBucket.__init__(self, **kwargs)
+        self.check_prefix = False
+        self.date_format = '%Y-%m-%d'
+
+    def load_information_from_file(self, log_key):
+        """Load data from a Cisco Umbrella log file."""
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            if 'dnslogs' in self.prefix:
+                fieldnames = ('timestamp', 'most_granular_identity',
+                              'identities', 'internal_ip', 'external_ip',
+                              'action', 'query_type', 'response_code', 'domain',  # noqa: E501
+                              'categories', 'most_granular_identity_type',
+                              'identity_types', 'blocked_categories'
+                              )
+            elif 'proxylogs' in self.prefix:
+                fieldnames = ('timestamp', 'identities', 'internal_ip',
+                              'external_ip', 'destination_ip', 'content_type',
+                              'verdict', 'url', 'referer', 'user_agent',
+                              'status_code', 'requested_size', 'response_size',
+                              'response_body_size', 'sha', 'categories',
+                              'av_detections', 'puas', 'amp_disposition',
+                              'amp_malware_name', 'amp_score', 'identity_type',
+                              'blocked_categories'
+                              )
+            elif 'iplogs' in self.prefix:
+                fieldnames = ('timestamp', 'identity', 'source_ip',
+                              'source_port', 'destination_ip',
+                              'destination_port', 'categories'
+                              )
+            else:
+                aws_tools.error("Only 'dnslogs', 'proxylogs' or 'iplogs' are allowed for Cisco Umbrella")
+                exit(12)
+            csv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=',')
+
+            # remove None values in csv_file
+            return [dict({k: v for k, v in row.items() if v is not None},
+                         source='cisco_umbrella') for row in csv_file]
+
+    def marker_only_logs_after(self, aws_region, aws_account_id):
+        return '{init}{only_logs_after}'.format(
+            init=self.get_full_prefix(aws_account_id, aws_region),
+            only_logs_after=self.only_logs_after.strftime(self.date_format)
+        )
diff --git a/src/modules/aws/scripts/buckets_s3/vpcflow.py b/src/modules/aws/scripts/buckets_s3/vpcflow.py
new file mode 100644
index 0000000000..843b785af0
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/vpcflow.py
@@ -0,0 +1,274 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import csv
+import sys
+from os import path
+from typing import Iterator
+from aws_bucket import AWSLogsBucket
+try:
+    import boto3
+except ImportError:
+    print('ERROR: boto3 module is required.')
+    sys.exit(4)
+
+import operator
+from datetime import datetime
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSVPCFlowBucket(AWSLogsBucket):
+    """
+    Represents a bucket with AWS VPC logs
+    """
+
+    empty_bucket_message_template = (
+        "+++ No logs to process for {flow_log_id} flow log ID in bucket: {aws_account_id}/{aws_region}"
+    )
+    empty_bucket_message_template_without_log_id = "+++ No logs to process in bucket: {aws_account_id}/{aws_region}"
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'vpcflow'
+        AWSLogsBucket.__init__(self, **kwargs)
+        self.service = 'vpcflowlogs'
+        self.profile_name = kwargs['profile']
+        # SQL queries for VPC must be after constructor call
+        self.sql_already_processed = """
+            SELECT
+                count(*)
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region AND
+                flow_log_id=:flow_log_id AND
+                log_key=:log_key;"""
+
+        self.sql_mark_complete = """
+            INSERT INTO {table_name} (
+                bucket_path,
+                aws_account_id,
+                aws_region,
+                flow_log_id,
+                log_key,
+                processed_date,
+                created_date)
+            VALUES (
+                :bucket_path,
+                :aws_account_id,
+                :aws_region,
+                :flow_log_id,
+                :log_key,
+                DATETIME('now'),
+                :created_date);"""
+
+        self.sql_create_table = """
+            CREATE TABLE {table_name} (
+                bucket_path 'text' NOT NULL,
+                aws_account_id 'text' NOT NULL,
+                aws_region 'text' NOT NULL,
+                flow_log_id 'text' NOT NULL,
+                log_key 'text' NOT NULL,
+                processed_date 'text' NOT NULL,
+                created_date 'integer' NOT NULL,
+                PRIMARY KEY (bucket_path, aws_account_id, aws_region, flow_log_id, log_key));"""
+
+        self.sql_find_last_key_processed = """
+            SELECT
+                log_key
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region = :aws_region AND
+                flow_log_id = :flow_log_id AND
+                log_key LIKE :prefix
+            ORDER BY
+                log_key DESC
+            LIMIT 1;"""
+
+        self.sql_db_maintenance = """
+            DELETE FROM {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region AND
+                flow_log_id=:flow_log_id AND
+                log_key <= (SELECT log_key
+                    FROM
+                        {table_name}
+                    WHERE
+                        bucket_path=:bucket_path AND
+                        aws_account_id=:aws_account_id AND
+                        aws_region=:aws_region AND
+                        flow_log_id=:flow_log_id
+                    ORDER BY
+                        log_key DESC
+                    LIMIT 1
+                    OFFSET :retain_db_records);"""
+
+        self.sql_count_region = """
+            SELECT
+                count(*)
+            FROM
+                {table_name}
+            WHERE
+                bucket_path=:bucket_path AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region AND
+                flow_log_id=:flow_log_id;"""
+
+    def load_information_from_file(self, log_key):
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            fieldnames = (
+                "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport", "protocol",
+                "packets", "bytes", "start", "end", "action", "log_status")
+            unix_fields = ('start', 'end')
+            result = []
+
+            tsv_file = csv.DictReader(f, fieldnames=fieldnames, delimiter=' ')
+
+            # Transform UNIX timestamp to ISO8601
+            for row in tsv_file:
+                for key, value in row.items():
+                    if key in unix_fields and value not in unix_fields:
+                        row[key] = datetime.utcfromtimestamp(int(value)).strftime('%Y-%m-%dT%H:%M:%SZ')
+
+                result.append(dict(row, source='vpc'))
+
+            return result
+
+    def get_ec2_client(self, region, profile_name=None):
+        conn_args = {}
+        conn_args['region_name'] = region
+
+        if profile_name is not None:
+            conn_args['profile_name'] = profile_name
+
+        boto_session = boto3.Session(**conn_args)
+
+        if region not in aws_tools.ALL_REGIONS:
+            raise ValueError(f"Invalid region '{region}'")
+
+        try:
+            ec2_client = boto_session.client(service_name='ec2', **self.connection_config)
+        except Exception as e:
+            aws_tools.error("Error getting EC2 client: {}".format(e))
+            sys.exit(3)
+
+        return ec2_client
+
+    def get_flow_logs_ids(self, region, account_id, profile_name=None):
+        try:
+            ec2_client = self.get_ec2_client(region, profile_name=profile_name)
+            return list(map(operator.itemgetter('FlowLogId'), ec2_client.describe_flow_logs()['FlowLogs']))
+        except ValueError:
+            aws_tools.debug(
+                self.empty_bucket_message_template_without_log_id.format(aws_account_id=account_id, aws_region=region),
+                msg_level=1
+            )
+            aws_tools.debug(
+                f"+++ WARNING: Check the provided region: '{region}'. It's an invalid one.", msg_level=1
+            )
+            return []
+
+    def already_processed(self, downloaded_file, aws_account_id, aws_region, flow_log_id):
+        cursor = self.db_cursor.execute(self.sql_already_processed.format(table_name=self.db_table_name), {
+            'bucket_path': self.bucket_path,
+            'aws_account_id': aws_account_id,
+            'aws_region': aws_region,
+            'flow_log_id': flow_log_id,
+            'log_key': downloaded_file})
+        return cursor.fetchone()[0] > 0
+
+    def iter_regions_and_accounts(self, account_id, regions):
+        if not account_id:
+            # No accounts provided, so find which exist in s3 bucket
+            account_id = self.find_account_ids()
+        for aws_account_id in account_id:
+            # No regions provided, so find which exist for this AWS account
+            if not regions:
+                regions = self.find_regions(aws_account_id)
+                if regions == []:
+                    continue
+            for aws_region in regions:
+                aws_tools.debug("+++ Working on {} - {}".format(aws_account_id, aws_region), 1)
+                # get flow log ids for the current region
+                flow_logs_ids = self.get_flow_logs_ids(
+                    aws_region, aws_account_id, profile_name=self.profile_name
+                )
+                # for each flow log id
+                for flow_log_id in flow_logs_ids:
+                    self.iter_files_in_bucket(aws_account_id, aws_region, flow_log_id=flow_log_id)
+                    self.db_maintenance(aws_account_id, aws_region, flow_log_id)
+
+    def db_count_region(self, aws_account_id, aws_region, flow_log_id):
+        """Counts the number of rows in DB for a region
+        :param aws_account_id: AWS account ID
+        :type aws_account_id: str
+        :param aws_region: AWS region
+        :type aws_region: str
+        :param flow_log_id: Flow log ID
+        :type flow_log_id: str
+        :rtype: int
+        """
+        query_count_region = self.db_cursor.execute(
+            self.sql_count_region.format(table_name=self.db_table_name), {
+                'bucket_path': self.bucket_path,
+                'aws_account_id': aws_account_id,
+                'aws_region': aws_region,
+                'flow_log_id': flow_log_id,
+                'retain_db_records': self.retain_db_records})
+        return query_count_region.fetchone()[0]
+
+    def db_maintenance(self, aws_account_id=None, aws_region=None, flow_log_id=None):
+        aws_tools.debug("+++ DB Maintenance", 1)
+        try:
+            if self.db_count_region(aws_account_id, aws_region, flow_log_id) > self.retain_db_records:
+                self.db_cursor.execute(self.sql_db_maintenance.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_account_id': aws_account_id,
+                    'aws_region': aws_region,
+                    'flow_log_id': flow_log_id,
+                    'retain_db_records': self.retain_db_records})
+        except Exception as e:
+            aws_tools.error(f"Failed to execute DB cleanup - AWS Account ID: {aws_account_id}  Region: {aws_region}: {e}")
+
+    def _filter_bucket_files(self, bucket_files: list, **kwargs) -> Iterator[dict]:
+        """Filter bucket files that contain the flow_log_id in the filename.
+        Parameters
+        ----------
+        bucket_files : list
+            Bucket files to filter.
+        Yields
+        ------
+        Iterator[str]
+            A bucket file that matches the filter.
+        """
+        flow_log_id = kwargs["flow_log_id"]
+        for bucket_file in super()._filter_bucket_files(bucket_files, **kwargs):
+            if flow_log_id in bucket_file["Key"]:
+                yield bucket_file
+
+    def mark_complete(self, aws_account_id, aws_region, log_file, flow_log_id):
+        if self.reparse:
+            if self.already_processed(log_file['Key'], aws_account_id, aws_region, flow_log_id):
+                aws_tools.debug(
+                    '+++ File already marked complete, but reparse flag set: {log_key}'.format(log_key=log_file['Key']),
+                    2)
+        else:
+            try:
+                self.db_cursor.execute(self.sql_mark_complete.format(table_name=self.db_table_name), {
+                    'bucket_path': self.bucket_path,
+                    'aws_account_id': aws_account_id,
+                    'aws_region': aws_region,
+                    'flow_log_id': flow_log_id,
+                    'log_key': log_file['Key'],
+                    'created_date': self.get_creation_date(log_file)})
+            except Exception as e:
+                aws_tools.debug("+++ Error marking log {} as completed: {}".format(log_file['Key'], e), 2)
diff --git a/src/modules/aws/scripts/buckets_s3/waf.py b/src/modules/aws/scripts/buckets_s3/waf.py
new file mode 100644
index 0000000000..cd73106be2
--- /dev/null
+++ b/src/modules/aws/scripts/buckets_s3/waf.py
@@ -0,0 +1,62 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import json
+import sys
+from os import path
+from aws_bucket import AWSCustomBucket
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSWAFBucket(AWSCustomBucket):
+    standard_http_headers = ['a-im', 'accept', 'accept-charset', 'accept-encoding', 'accept-language',
+                             'access-control-request-method', 'access-control-request-headers', 'authorization',
+                             'cache-control', 'connection', 'content-encoding', 'content-length', 'content-type',
+                             'cookie', 'date', 'expect', 'forwarded', 'from', 'host', 'http2-settings', 'if-match',
+                             'if-modified-since', 'if-none-match', 'if-range', 'if-unmodified-since', 'max-forwards',
+                             'origin', 'pragma', 'prefer', 'proxy-authorization', 'range', 'referer', 'te', 'trailer',
+                             'transfer-encoding', 'user-agent', 'upgrade', 'via', 'warning', 'x-requested-with',
+                             'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto']
+
+    def __init__(self, **kwargs):
+        kwargs['db_table_name'] = 'waf'
+        AWSCustomBucket.__init__(self, **kwargs)
+
+    def load_information_from_file(self, log_key):
+        """Load data from a WAF log file."""
+
+        def json_event_generator(data):
+            while data:
+                json_data, json_index = decoder.raw_decode(data)
+                data = data[json_index:]
+                yield json_data
+
+        content = []
+        decoder = json.JSONDecoder()
+        with self.decompress_file(self.bucket, log_key=log_key) as f:
+            for line in f.readlines():
+                try:
+                    for event in json_event_generator(line.rstrip()):
+                        event['source'] = 'waf'
+                        try:
+                            headers = {}
+                            for element in event['httpRequest']['headers']:
+                                name = element["name"]
+                                if name.lower() in self.standard_http_headers:
+                                    headers[name] = element["value"]
+                            event['httpRequest']['headers'] = headers
+                        except (KeyError, TypeError):
+                            aws_tools.error(f"The {log_key} file doesn't have the expected structure.")
+                            if not self.skip_on_error:
+                                sys.exit(9)
+                        content.append(event)
+
+                except json.JSONDecodeError:
+                    aws_tools.error("Events from {} file could not be loaded.".format(log_key.split('/')[-1]))
+                    if not self.skip_on_error:
+                        sys.exit(9)
+
+        return json.loads(json.dumps(content))
diff --git a/src/modules/aws/scripts/pytest.ini b/src/modules/aws/scripts/pytest.ini
new file mode 100644
index 0000000000..40880458c7
--- /dev/null
+++ b/src/modules/aws/scripts/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+asyncio_mode=auto
diff --git a/src/modules/aws/scripts/requirements.txt b/src/modules/aws/scripts/requirements.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/aws/scripts/services/__init__.py b/src/modules/aws/scripts/services/__init__.py
new file mode 100644
index 0000000000..ffa55177d6
--- /dev/null
+++ b/src/modules/aws/scripts/services/__init__.py
@@ -0,0 +1,13 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+from services import aws_service
+from services import cloudwatchlogs
+from services import inspector
+
+__all__ = [
+  "aws_service",
+  "cloudwatchlogs",
+  "inspector"
+]
diff --git a/src/modules/aws/scripts/services/aws_service.py b/src/modules/aws/scripts/services/aws_service.py
new file mode 100644
index 0000000000..9b7cb00bfd
--- /dev/null
+++ b/src/modules/aws/scripts/services/aws_service.py
@@ -0,0 +1,165 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import copy
+import sys
+from os import path
+from datetime import datetime
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import wazuh_integration
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+DEFAULT_DATABASE_NAME = "aws_services"
+DEFAULT_TABLENAME = "aws_services"
+
+AWS_SERVICE_MSG_TEMPLATE = {'integration': 'aws', 'aws': ''}
+
+
+class AWSService(wazuh_integration.WazuhAWSDatabase):
+    """
+    Represents a service which provides events.
+
+    This is an abstract class.
+
+    Parameters
+    ----------
+    reparse : bool
+        Whether to parse already parsed logs or not.
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    service_name : str
+        Service name to extract logs from.
+    only_logs_after : str
+        Date after which obtain logs.
+    account_alias: str
+        AWS account alias.
+    region : str
+        Region name.
+    db_table_name : str
+        The name of the table to be created for the given bucket or service.
+    discard_field : str
+        Name of the event field to apply the regex value on.
+    discard_regex : str
+        REGEX value to determine whether an event should be skipped.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+    """
+
+    def __init__(self, reparse: bool, access_key: str, secret_key: str, profile: str, iam_role_arn: str,
+                 service_name: str, only_logs_after: str, account_alias: str, region: str, db_table_name: str = DEFAULT_TABLENAME,
+                 discard_field: str = None, discard_regex: str = None, sts_endpoint: str = None,
+                 service_endpoint: str = None,
+                 iam_role_duration: str = None, **kwargs):
+        # DB name
+        self.db_name = 'aws_services'
+        # Table name
+        self.db_table_name = db_table_name
+
+        wazuh_integration.WazuhAWSDatabase.__init__(self, db_name=self.db_name, service_name=service_name,
+                                                    profile=profile,
+                                                    iam_role_arn=iam_role_arn, region=region,
+                                                    discard_field=discard_field, discard_regex=discard_regex,
+                                                    sts_endpoint=sts_endpoint, service_endpoint=service_endpoint,
+                                                    iam_role_duration=iam_role_duration)
+        self.reparse = reparse
+        self.region = region
+        self.service_name = service_name
+        # get sts client (necessary for getting account ID)
+        self.sts_client = self.get_sts_client(profile)
+        # get account ID
+        self.account_id = self.sts_client.get_caller_identity().get('Account')
+        self.only_logs_after = only_logs_after
+        self.account_alias = account_alias
+
+        # SQL queries for services
+        self.sql_create_table = """
+            CREATE TABLE {table_name} (
+                    service_name 'text' NOT NULL,
+                    aws_account_id 'text' NOT NULL,
+                    aws_region 'text' NOT NULL,
+                    scan_date 'text' NOT NULL,
+                    PRIMARY KEY (service_name, aws_account_id, aws_region, scan_date));"""
+
+        self.sql_insert_value = """
+            INSERT INTO {table_name} (
+                service_name,
+                aws_account_id,
+                aws_region,
+                scan_date)
+            VALUES (
+                :service_name,
+                :aws_account_id,
+                :aws_region,
+                :scan_date);"""
+
+        self.sql_find_last_scan = """
+            SELECT
+                scan_date
+            FROM
+                {table_name}
+            WHERE
+                service_name=:service_name AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region
+            ORDER BY
+                scan_date DESC
+            LIMIT 1;"""
+
+        self.sql_db_maintenance = """
+            DELETE FROM {table_name}
+            WHERE
+                service_name=:service_name AND
+                aws_account_id=:aws_account_id AND
+                aws_region=:aws_region AND
+                rowid NOT IN (SELECT ROWID
+                    FROM
+                        {table_name}
+                    WHERE
+                        service_name=:service_name AND
+                        aws_account_id=:aws_account_id AND
+                        aws_region=:aws_region
+                    ORDER BY
+                        scan_date DESC
+                    LIMIT :retain_db_records);"""
+
+    @staticmethod
+    def check_region(region: str) -> None:
+        """
+        Check if the region is valid.
+
+        Parameters
+        ----------
+        region : str
+            AWS region.
+        """
+        if region not in aws_tools.ALL_REGIONS:
+            raise ValueError(f"Invalid region '{region}'")
+
+    def get_last_log_date(self):
+        date = self.only_logs_after if self.only_logs_after is not None else self.default_date.strftime('%Y%m%d')
+        return f'{date[0:4]}-{date[4:6]}-{date[6:8]} 00:00:00.0'
+
+    def format_message(self, msg):
+        # rename service field to source
+        if 'service' in msg:
+            msg['source'] = msg['service'].lower()
+            del msg['service']
+        # cast createdAt
+        if 'createdAt' in msg:
+            msg['createdAt'] = datetime.strftime(msg['createdAt'], '%Y-%m-%dT%H:%M:%SZ')
+        # cast updatedAt
+        if 'updatedAt' in msg:
+            msg['updatedAt'] = datetime.strftime(msg['updatedAt'], '%Y-%m-%dT%H:%M:%SZ')
+        formatted_msg = copy.deepcopy(AWS_SERVICE_MSG_TEMPLATE)
+        formatted_msg['aws'] = msg
+        return formatted_msg
diff --git a/src/modules/aws/scripts/services/cloudwatchlogs.py b/src/modules/aws/scripts/services/cloudwatchlogs.py
new file mode 100644
index 0000000000..3c6b83905a
--- /dev/null
+++ b/src/modules/aws/scripts/services/cloudwatchlogs.py
@@ -0,0 +1,534 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import json
+import re
+import sqlite3
+import sys
+
+import botocore
+from datetime import datetime
+from datetime import timezone
+from os import path
+
+sys.path.append(path.dirname(path.realpath(__file__)))
+import aws_service
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSCloudWatchLogs(aws_service.AWSService):
+    """
+    Class for getting AWS Cloudwatch logs
+
+    Attributes
+    ----------
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    only_logs_after : str
+        Date after which obtain logs.
+    account_alias: str
+        AWS account alias.
+    region : str
+        Region where the logs are located.
+    aws_log_groups : str
+        String containing a list of log group names separated by a comma.
+    remove_log_streams : bool
+        Indicate if log streams should be removed after being fetched.
+    db_table_name : str
+        Name of the table to be created on aws_service.db.
+    only_logs_after_millis : int
+        only_logs_after expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+    reparse : bool
+        Whether to parse already parsed logs or not.
+    log_group_list : list of str
+        List of each log group to be parsed.
+    sql_cloudwatch_create_table : str
+        Query for the creation of the table.
+    sql_cloudwatch_insert : str
+        Query to insert the token for a given log stream.
+    sql_cloudwatch_update : str
+        Query for updating the token, start_time and end_time values.
+    sql_cloudwatch_select : str
+        Query to obtain the token, start_time and end_time values.
+    sql_cloudwatch_select_logstreams : str
+        Query to get all logstreams in the DB.
+    sql_cloudwatch_purge : str
+        Query to delete a row from the DB.
+    """
+
+    def __init__(self, reparse, access_key, secret_key, profile,
+                 iam_role_arn, only_logs_after, account_alias, region, aws_log_groups,
+                 remove_log_streams, discard_field=None, discard_regex=None, sts_endpoint=None, service_endpoint=None,
+                 iam_role_duration=None, **kwargs):
+
+        self.sql_cloudwatch_create_table = """
+            CREATE TABLE {table_name} (
+                    aws_region 'text' NOT NULL,
+                    aws_log_group 'text' NOT NULL,
+                    aws_log_stream 'text' NOT NULL,
+                    next_token 'text',
+                    start_time 'integer',
+                    end_time 'integer',
+                    PRIMARY KEY (aws_region, aws_log_group, aws_log_stream));"""
+
+        self.sql_cloudwatch_insert = """
+            INSERT INTO {table_name} (
+                aws_region,
+                aws_log_group,
+                aws_log_stream,
+                next_token,
+                start_time,
+                end_time)
+            VALUES
+                (:aws_region,
+                :aws_log_group,
+                :aws_log_stream,
+                :next_token,
+                :start_time,
+                :end_time);"""
+
+        self.sql_cloudwatch_update = """
+            UPDATE
+                {table_name}
+            SET
+                next_token=:next_token,
+                start_time=:start_time,
+                end_time=:end_time
+            WHERE
+                aws_region=:aws_region AND
+                aws_log_group=:aws_log_group AND
+                aws_log_stream=:aws_log_stream;"""
+
+        self.sql_cloudwatch_select = """
+            SELECT
+                next_token,
+                start_time,
+                end_time
+            FROM
+                {table_name}
+            WHERE
+                aws_region=:aws_region AND
+                aws_log_group=:aws_log_group AND
+                aws_log_stream=:aws_log_stream"""
+        self.sql_cloudwatch_select_logstreams = """
+            SELECT
+                aws_log_stream
+            FROM
+                {table_name}
+            WHERE
+                aws_region=:aws_region AND
+                aws_log_group=:aws_log_group
+            ORDER BY
+                aws_log_stream;"""
+        self.sql_cloudwatch_purge = """
+            DELETE FROM {table_name}
+            WHERE
+                aws_region=:aws_region AND
+                aws_log_group=:aws_log_group AND
+                aws_log_stream=:aws_log_stream;"""
+
+        aws_service.AWSService.__init__(self, db_table_name='cloudwatch_logs', service_name='cloudwatchlogs',
+                                        reparse=reparse, access_key=access_key, secret_key=secret_key,
+                                        profile=profile, iam_role_arn=iam_role_arn, only_logs_after=only_logs_after,
+                                        account_alias=account_alias, region=region, discard_field=discard_field,
+                                        discard_regex=discard_regex, iam_role_duration=iam_role_duration,
+                                        sts_endpoint=sts_endpoint, service_endpoint=service_endpoint)
+        self.log_group_list = [group for group in aws_log_groups.split(",") if group != ""] if aws_log_groups else []
+        self.remove_log_streams = remove_log_streams
+        self.only_logs_after_millis = int(datetime.strptime(only_logs_after, '%Y%m%d').replace(
+            tzinfo=timezone.utc).timestamp() * 1000) if only_logs_after else None
+        self.default_date_millis = int(self.default_date.timestamp() * 1000)
+        aws_tools.debug("only logs: {}".format(self.only_logs_after_millis), 1)
+
+    def get_alerts(self):
+        """Iterate over all the log streams for each log group provided by the user in the given region to get their
+        logs and send them to analysisd, which will raise alerts if applicable.
+
+        It will avoid getting duplicate events by using the token, start_time and end_time variables stored in the DB.
+        Logs with a timestamp lesser that start_time and greater than end_time will be fetched using the
+        `get_alerts_within_range` function.
+
+        The log streams will be removed after fetching them if `remove_log_streams` value is True.
+
+        The database will be purged to remove unnecessary records at the end of each log group iteration.
+        """
+        self.init_db(self.sql_cloudwatch_create_table.format(table_name=self.db_table_name))
+
+        if self.reparse:
+            aws_tools.debug('Reparse mode ON', 1)
+
+        try:
+            for log_group in self.log_group_list:
+                for log_stream in self.get_log_streams(log_group=log_group):
+                    aws_tools.debug(
+                        'Getting data from DB for log stream "{}" in log group "{}"'.format(log_stream, log_group), 1)
+                    db_values = self.get_data_from_db(log_group=log_group, log_stream=log_stream)
+                    aws_tools.debug('Token: "{}", start_time: "{}", '
+                                    'end_time: "{}"'.format(db_values['token'] if db_values else None,
+                                                            db_values['start_time'] if db_values else None,
+                                                            db_values['end_time'] if db_values else None), 2)
+                    result_before = None
+                    start_time = self.only_logs_after_millis if self.only_logs_after_millis else \
+                        self.default_date_millis
+                    end_time = None
+                    token = None
+
+                    if db_values:
+                        if self.reparse:
+                            result_before = self.get_alerts_within_range(log_group=log_group, log_stream=log_stream,
+                                                                         token=None, start_time=start_time,
+                                                                         end_time=None)
+
+                        elif db_values['start_time'] and db_values['start_time'] > start_time:
+                            result_before = self.get_alerts_within_range(log_group=log_group, log_stream=log_stream,
+                                                                         token=None, start_time=start_time,
+                                                                         end_time=db_values['start_time'])
+
+                        if db_values['end_time']:
+                            if not self.only_logs_after_millis or db_values['end_time'] > self.only_logs_after_millis:
+                                start_time = db_values['end_time'] + 1
+                                token = db_values['token']
+
+                    result_after = self.get_alerts_within_range(log_group=log_group, log_stream=log_stream, token=token,
+                                                                start_time=start_time, end_time=end_time)
+
+                    db_values = self.update_values(values=db_values, result_before=result_before,
+                                                   result_after=result_after)
+
+                    self.save_data_db(log_group=log_group, log_stream=log_stream, values=db_values)
+
+                    if self.remove_log_streams:
+                        self.remove_aws_log_stream(log_group=log_group, log_stream=log_stream)
+
+                self.purge_db(log_group=log_group)
+        finally:
+            aws_tools.debug("committing changes and closing the DB", 1)
+            self.close_db()
+
+    def remove_aws_log_stream(self, log_group, log_stream):
+        """Remove a log stream from a log group in AWS Cloudwatch Logs.
+
+        Parameters
+        ----------
+        log_group : str
+            Name of the group where the log stream is stored
+        log_stream : str
+            Name of the log stream to be removed
+        """
+        try:
+            aws_tools.debug('Removing log stream "{}" from log group "{}"'.format(log_group, log_stream), 1)
+            self.client.delete_log_stream(logGroupName=log_group, logStreamName=log_stream)
+        except botocore.exceptions.ClientError as err:
+            aws_tools.error(f'The "remove_aws_log_stream" request failed: {err}')
+            sys.exit(16)
+        except Exception:
+            aws_tools.debug('ERROR: Error trying to remove "{}" log stream from "{}" log group.'.format(log_stream, log_group),
+                            0)
+
+    def get_alerts_within_range(self, log_group, log_stream, token, start_time, end_time):
+        """Get all the logs from a log stream with a timestamp between the range of the provided start and end times and
+        send them to Analysisd.
+
+        It will fetch every log from the given log stream using boto3 `get_log_events` until it returns an empty
+        response.
+
+        Parameters
+        ----------
+        log_group : str
+            Name of the log group where the log stream is stored
+        log_stream : str
+            Name of the log stream to get its logs
+        token : str or None
+            Token to the next set of logs. Obtained from a previous call and stored in DB.
+        start_time : int
+            The start of the time range, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+            Logs with a timestamp equal to this time or later will be fetched.
+        end_time : int or None
+            The end of the time range, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+            Events with a timestamp equal to or later than this time won't be fetched.
+
+        Returns
+        -------
+        A dict containing the Token for the next set of logs, the timestamp of the first fetched log and the timestamp
+        of the latest one.
+        """
+        sent_events = 0
+        response = None
+        min_start_time = start_time
+        max_end_time = end_time if end_time is not None else start_time
+
+        parameters = {'logGroupName': log_group,
+                      'logStreamName': log_stream,
+                      'nextToken': token,
+                      'startTime': start_time,
+                      'endTime': end_time,
+                      'startFromHead': True}
+
+        # Request event logs until CloudWatch returns an empty list for the log stream
+        while response is None or response['events'] != list():
+            aws_tools.debug(
+                'Getting CloudWatch logs from log stream "{}" in log group "{}" using token "{}", start_time '
+                '"{}" and end_time "{}"'.format(log_stream, log_group, token, start_time, end_time), 1)
+
+            # Try to get CloudWatch Log events until the request succeeds or the allowed number of attempts is reached
+            try:
+                response = self.client.get_log_events(
+                    **{param: value for param, value in parameters.items() if value is not None})
+
+            except botocore.exceptions.EndpointConnectionError:
+                aws_tools.debug(f'WARNING: The "get_log_events" request was denied because the endpoint URL was not '
+                                f'available. Attempting again.', 1)
+                continue  # Needed to make the get_log_events request again
+            except botocore.exceptions.ClientError as err:
+                aws_tools.error(f'The "get_log_events" request failed: {err}')
+                sys.exit(16)
+
+            # Update token
+            token = response['nextForwardToken']
+            parameters['nextToken'] = token
+
+            # Send events to Analysisd
+            if response['events']:
+                aws_tools.debug('+++ Sending events to Analysisd...', 1)
+                for event in response['events']:
+                    event_msg = event['message']
+                    try:
+                        json_event = json.loads(event_msg)
+                        if self.event_should_be_skipped(json_event):
+                            aws_tools.debug(
+                                f'+++ The "{self.discard_regex.pattern}" regex found a match in the "{self.discard_field}" '
+                                f'field. The event will be skipped.', 2)
+                            continue
+                        else:
+                            aws_tools.debug(
+                                f'+++ The "{self.discard_regex.pattern}" regex did not find a match in the '
+                                f'"{self.discard_field}" field. The event will be processed.', 3)
+                    except ValueError:
+                        # event_msg is not a JSON object, check if discard_regex.pattern matches the given string
+                        aws_tools.debug(f"+++ Retrieved log event is not a JSON object.", 3)
+                        if re.match(self.discard_regex, event_msg):
+                            aws_tools.debug(
+                                f'+++ The "{self.discard_regex.pattern}" regex found a match. The event will be skipped.',
+                                2)
+                            continue
+                        else:
+                            print(f'WARNING: The "{self.discard_regex.pattern}" regex did not find a match. '
+                                  f'The event will be processed.')
+                    aws_tools.debug('The message is "{}"'.format(event_msg), 2)
+                    aws_tools.debug('The message\'s timestamp is {}'.format(event["timestamp"]), 3)
+                    self.send_msg(event_msg, dump_json=False)
+                    sent_events += 1
+
+                    if min_start_time is None:
+                        min_start_time = event['timestamp']
+                    elif event['timestamp'] < min_start_time:
+                        min_start_time = event['timestamp']
+
+                    if max_end_time is None:
+                        max_end_time = event['timestamp']
+                    elif event['timestamp'] > max_end_time:
+                        max_end_time = event['timestamp']
+
+            if sent_events:
+                aws_tools.debug(f"+++ Sent {sent_events} events to Analysisd", 1)
+                sent_events = 0
+            else:
+                aws_tools.debug(f'+++ There are no new events in the "{log_group}" group', 1)
+
+        return {'token': token, 'start_time': min_start_time, 'end_time': max_end_time}
+
+    def get_data_from_db(self, log_group, log_stream):
+        """Get the token, start time and end time of a log stream stored in DB.
+
+        Parameters
+        ----------
+        log_group : str
+            Name of the log group
+        log_stream : str
+            Name of the log stream
+
+        Returns
+        -------
+        A dict containing the token, start_time and end_time of the log stream. None if no data were found in the DB.
+        """
+        self.db_cursor.execute(self.sql_cloudwatch_select.format(table_name=self.db_table_name), {
+            'aws_region': self.region,
+            'aws_log_group': log_group,
+            'aws_log_stream': log_stream})
+        query_result = self.db_cursor.fetchone()
+        if query_result:
+            return {'token': None if query_result[0] == "None" else query_result[0],
+                    'start_time': None if query_result[1] == "None" else query_result[1],
+                    'end_time': None if query_result[2] == "None" else query_result[2]}
+
+    def update_values(self, values, result_after, result_before):
+        """Update the values for token, start_time and end_time using the results of previous 'get_alerts_within_range'
+        executions.
+
+        Parameters
+        ----------
+        values : dict
+            A dict containing the token, start_time and end_time values to be updated.
+        result_after : dict
+            A dict containing the resulting token, start_time and end_time values of a 'get_alerts_within_range'
+            execution.
+        result_before : dict
+            A dict containing the resulting token, start_time and end_time values of a 'get_alerts_within_range'
+            execution.
+
+        Returns
+        -------
+        A dict containing the last token, minimal start_time and maximum end_value of the provided parameters.
+        """
+        min_start_time = result_before['start_time'] if result_before else None
+        max_end_time = result_before['end_time'] if result_before else None
+
+        if result_after is not None:
+            if min_start_time is None:
+                min_start_time = result_after['start_time']
+            # It's necessary to ensure that we're not comparing None with int
+            elif result_after['start_time'] is not None:
+                min_start_time = result_after['start_time'] if result_after[
+                                                                   'start_time'] < min_start_time else min_start_time
+
+            if max_end_time is None:
+                max_end_time = result_after['end_time']
+            elif result_after['end_time'] is not None:
+                max_end_time = result_after['end_time'] if result_after['end_time'] > max_end_time else max_end_time
+
+        token = result_before['token'] if result_before is not None else None
+        token = result_after['token'] if result_after is not None else token
+
+        if values is None:
+            return {'token': token, 'start_time': min_start_time, 'end_time': max_end_time}
+        else:
+            result = {'token': token}
+
+            if values['start_time'] is not None:
+                result['start_time'] = min_start_time if min_start_time is not None and min_start_time < values[
+                    'start_time'] else values['start_time']
+            else:
+                result['start_time'] = max_end_time
+
+            if values['end_time'] is not None:
+                result['end_time'] = max_end_time if max_end_time is not None and max_end_time > values['end_time'] \
+                    else values['end_time']
+            else:
+                result['end_time'] = max_end_time
+            return result
+
+    def save_data_db(self, log_group, log_stream, values):
+        """Insert the token, start_time and end_time values into the DB. If the values already exist they will be
+        updated instead.
+
+        Parameters
+        ----------
+        log_group : str
+            Name of the log group
+        log_stream : str
+            Name of the log stream
+        values : dict
+            Dict containing the token, start_time and end_time.
+        """
+        aws_tools.debug('Saving data for log group "{}" and log stream "{}".'.format(log_group, log_stream), 1)
+        aws_tools.debug('The saved values are "{}"'.format(values), 2)
+        try:
+            self.db_cursor.execute(self.sql_cloudwatch_insert.format(table_name=self.db_table_name), {
+                'aws_region': self.region,
+                'aws_log_group': log_group,
+                'aws_log_stream': log_stream,
+                'next_token': values['token'],
+                'start_time': values['start_time'],
+                'end_time': values['end_time']})
+        except sqlite3.IntegrityError:
+            aws_tools.debug("Some data already exists on DB for that key. Updating their values...", 2)
+            self.db_cursor.execute(self.sql_cloudwatch_update.format(table_name=self.db_table_name), {
+                'aws_region': self.region,
+                'aws_log_group': log_group,
+                'aws_log_stream': log_stream,
+                'next_token': values['token'],
+                'start_time': values['start_time'],
+                'end_time': values['end_time']})
+
+    def get_log_streams(self, log_group):
+        """Get the list of log streams stored in the specified log group.
+
+        Parameters
+        ----------
+        log_group : str
+            Name of the log group to get its log streams
+
+        Returns
+        -------
+        A list with the name of each log stream for the given log group.
+        """
+
+        result_list = list()
+        aws_tools.debug('Getting log streams for "{}" log group'.format(log_group), 1)
+
+        try:
+            # Get all log streams using the token of the previous call to describe_log_streams
+            response = self.client.describe_log_streams(logGroupName=log_group)
+            log_streams = response['logStreams']
+            token = response.get('nextToken')
+            while token:
+                response = self.client.describe_log_streams(logGroupName=log_group, nextToken=token)
+                log_streams.extend(response['logStreams'])
+                token = response.get('nextToken')
+
+            for log_stream in log_streams:
+                aws_tools.debug('Found "{}" log stream in {}'.format(log_stream['logStreamName'], log_group), 2)
+                result_list.append(log_stream['logStreamName'])
+
+            if result_list == list():
+                aws_tools.debug('No log streams were found for log group "{}"'.format(log_group), 1)
+
+        except botocore.exceptions.EndpointConnectionError as e:
+            aws_tools.error(f'{str(e)}')
+        except botocore.exceptions.ClientError as err:
+            aws_tools.error(f'The "get_log_streams" request failed: {err}')
+            sys.exit(16)
+        except Exception:
+            aws_tools.debug(
+                '++++ The specified "{}" log group does not exist or insufficient privileges to access it.'.format(
+                    log_group), 0)
+
+        return result_list
+
+    def purge_db(self, log_group):
+        """Remove from AWS_Service.db any record for log streams that no longer exist on AWS CloudWatch Logs.
+
+        Parameters
+        ----------
+        log group : str
+            Name of the log group to check its log streams
+        """
+        aws_tools.debug('Purging the BD', 1)
+        # Get the list of log streams from DB
+        self.db_cursor.execute(self.sql_cloudwatch_select_logstreams.format(table_name=self.db_table_name), {
+            'aws_region': self.region,
+            'aws_log_group': log_group})
+        query_result = self.db_cursor.fetchall()
+        log_streams_sql = set()
+        for log_stream in query_result:
+            log_streams_sql.add(log_stream[0])
+
+        # Get the list of log streams from AWS
+        log_streams_aws = set(self.get_log_streams(log_group))
+
+        # Check the difference and remove if applicable
+        log_streams_to_purge = log_streams_sql - log_streams_aws
+        if log_streams_to_purge != set():
+            aws_tools.debug(
+                'Data for the following log streams will be removed from {}: "{}"'.format(self.db_table_name,
+                                                                                          log_streams_to_purge), 2)
+        for log_stream in log_streams_to_purge:
+            self.db_cursor.execute(self.sql_cloudwatch_purge.format(table_name=self.db_table_name), {
+                'aws_region': self.region,
+                'aws_log_group': log_group,
+                'aws_log_stream': log_stream})
diff --git a/src/modules/aws/scripts/services/inspector.py b/src/modules/aws/scripts/services/inspector.py
new file mode 100644
index 0000000000..80e5ef84ca
--- /dev/null
+++ b/src/modules/aws/scripts/services/inspector.py
@@ -0,0 +1,154 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+from os import path
+from datetime import datetime
+
+sys.path.append(path.dirname(path.realpath(__file__)))
+import aws_service
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+SUPPORTED_REGIONS = (
+    'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-2', 'eu-central-1', 'eu-north-1', 'eu-west-1',
+    'eu-west-2', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2'
+)
+
+
+class AWSInspector(aws_service.AWSService):
+    """
+    Class for getting AWS Inspector logs
+
+    Parameters
+    ----------
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role that will be assumed to use the service.
+    only_logs_after : str
+        Date after which obtain logs.
+    region : str
+        AWS region that will be used to fetch the events.
+
+    Attributes
+    ----------
+    sent_events : int
+        The number of events collected and sent to analysisd.
+    """
+
+    def __init__(self, reparse, access_key, secret_key, profile,
+                 iam_role_arn, only_logs_after, account_alias, region, aws_log_groups=None,
+                 remove_log_streams=None, discard_field=None, discard_regex=None,
+                 sts_endpoint=None, service_endpoint=None, iam_role_duration=None, **kwargs):
+
+        aws_service.AWSService.__init__(self, db_table_name=aws_service.DEFAULT_TABLENAME, service_name='inspector',
+                                        reparse=reparse, access_key=access_key, secret_key=secret_key,
+                                        profile=profile, iam_role_arn=iam_role_arn, only_logs_after=only_logs_after,
+                                        account_alias=account_alias, region=region, aws_log_groups=aws_log_groups,
+                                        remove_log_streams=remove_log_streams, discard_field=discard_field,
+                                        discard_regex=discard_regex, sts_endpoint=sts_endpoint,
+                                        service_endpoint=service_endpoint, iam_role_duration=iam_role_duration)
+
+        # max DB records for region
+        self.retain_db_records = 5
+        self.sent_events = 0
+
+    def send_describe_findings(self, arn_list: list):
+        """
+        Collect and send to analysisd the requested findings.
+
+        Parameters
+        ----------
+        arn_list : list[str]
+            The ARN of the findings that should be requested to AWS and sent to analysisd.
+        """
+        if len(arn_list) != 0:
+            response = self.client.describe_findings(findingArns=arn_list)['findings']
+            aws_tools.debug(f"+++ Processing {len(response)} events", 3)
+            for elem in response:
+                if self.event_should_be_skipped(elem):
+                    aws_tools.debug(f'+++ The "{self.discard_regex.pattern}" regex found a match in the '
+                                    f'"{self.discard_field}" field. The event will be skipped.', 2)
+                    continue
+                self.send_msg(self.format_message(elem))
+                self.sent_events += 1
+
+    def get_alerts(self):
+        self.init_db(self.sql_create_table.format(table_name=self.db_table_name))
+        try:
+            initial_date = self.get_last_log_date()
+            # reparse logs if this parameter exists
+            if self.reparse:
+                last_scan = initial_date
+            else:
+                self.db_cursor.execute(self.sql_find_last_scan.format(table_name=self.db_table_name), {
+                    'service_name': self.service_name,
+                    'aws_account_id': self.account_id,
+                    'aws_region': self.region})
+                last_scan = self.db_cursor.fetchone()[0]
+        except TypeError as e:
+            # write initial date if DB is empty
+            self.db_cursor.execute(self.sql_insert_value.format(table_name=self.db_table_name), {
+                'service_name': self.service_name,
+                'aws_account_id': self.account_id,
+                'aws_region': self.region,
+                'scan_date': initial_date})
+            last_scan = initial_date
+
+        date_last_scan = datetime.strptime(last_scan, '%Y-%m-%d %H:%M:%S.%f')
+        date_scan = date_last_scan
+        if self.only_logs_after:
+            date_only_logs = datetime.strptime(self.only_logs_after, "%Y%m%d")
+            date_scan = date_only_logs if date_only_logs > date_last_scan else date_last_scan
+
+        # get current time (UTC)
+        date_current = datetime.utcnow()
+        # describe_findings only retrieves 100 results per call
+        response = self.client.list_findings(maxResults=100, filter={'creationTimeRange':
+                                                                         {'beginDate': date_scan,
+                                                                          'endDate': date_current}})
+        aws_tools.debug(f"+++ Listing findings starting from {date_scan}", 2)
+        self.send_describe_findings(response['findingArns'])
+        # Iterate if there are more elements
+        while 'nextToken' in response:
+            response = self.client.list_findings(maxResults=100, nextToken=response['nextToken'],
+                                                 filter={'creationTimeRange': {'beginDate': date_scan,
+                                                                               'endDate': date_current}})
+            self.send_describe_findings(response['findingArns'])
+
+        if self.sent_events:
+            aws_tools.debug(f"+++ {self.sent_events} events collected and processed in {self.region}", 1)
+        else:
+            aws_tools.debug(f'+++ There are no new events in the "{self.region}" region', 1)
+
+        # insert last scan in DB
+        self.db_cursor.execute(self.sql_insert_value.format(table_name=self.db_table_name), {
+            'service_name': self.service_name,
+            'aws_account_id': self.account_id,
+            'aws_region': self.region,
+            'scan_date': date_current})
+        # DB maintenance
+        self.db_cursor.execute(self.sql_db_maintenance.format(table_name=self.db_table_name), {
+            'service_name': self.service_name,
+            'aws_account_id': self.account_id,
+            'aws_region': self.region,
+            'retain_db_records': self.retain_db_records})
+        # close connection with DB
+        self.close_db()
+
+    @staticmethod
+    def check_region(region: str) -> None:
+        """
+        Check if the region is supported.
+
+        Parameters
+        ----------
+        region : str
+            AWS region.
+        """
+        if region not in SUPPORTED_REGIONS:
+            raise ValueError(f"Unsupported region '{region}'")
diff --git a/src/modules/aws/scripts/subscribers/__init__.py b/src/modules/aws/scripts/subscribers/__init__.py
new file mode 100644
index 0000000000..4cbc6fbbe2
--- /dev/null
+++ b/src/modules/aws/scripts/subscribers/__init__.py
@@ -0,0 +1,14 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+
+from subscribers import sqs_queue
+from subscribers import s3_log_handler
+from subscribers import sqs_message_processor
+
+__all__ = [
+    "s3_log_handler",
+    "sqs_message_processor",
+    "sqs_queue"
+]
diff --git a/src/modules/aws/scripts/subscribers/s3_log_handler.py b/src/modules/aws/scripts/subscribers/s3_log_handler.py
new file mode 100644
index 0000000000..b7e2636361
--- /dev/null
+++ b/src/modules/aws/scripts/subscribers/s3_log_handler.py
@@ -0,0 +1,393 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import csv
+import io
+import json
+import re
+import sys
+
+from os import path
+from typing import List
+from urllib.parse import unquote
+
+try:
+    import pyarrow.parquet as pq
+except ImportError:
+    print('ERROR: pyarrow module is required.')
+    sys.exit(10)
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import wazuh_integration
+
+
+class AWSS3LogHandler:
+    def obtain_logs(self, bucket: str, log_path: str) -> list:
+        """Fetch a file from a bucket and obtain a list of events from it.
+
+        Parameters
+        ----------
+        bucket : str
+            Bucket to get the file from.
+        log_path : str
+            Relative path of the file inside the bucket.
+
+        Returns
+        -------
+        list[dict]
+            List of extracted events to send to Wazuh.
+        """
+        raise NotImplementedError
+
+    def process_file(self, message_body: dict) -> None:
+        """Parse an SQS message body, obtain the events associated, and send them to Analysisd.
+
+        Parameters
+        ----------
+        message_body : dict
+            An SQS message received from the queue.
+        """
+        raise NotImplementedError
+
+
+class AWSSubscriberBucket(wazuh_integration.WazuhIntegration, AWSS3LogHandler):
+    """Class for processing events from AWS S3 buckets.
+
+    Attributes
+    ----------
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    """
+    def __init__(self, service_endpoint: str = None, sts_endpoint: str = None, profile: str = None, **kwargs):
+        wazuh_integration.WazuhIntegration.__init__(self,
+                                                    profile=profile,
+                                                    service_name='s3',
+                                                    service_endpoint=service_endpoint,
+                                                    sts_endpoint=sts_endpoint,
+                                                    **kwargs)
+
+    @staticmethod
+    def _process_jsonl(file: io.TextIOWrapper) -> List[dict]:
+        """Process JSON objects present in a JSONL file.
+
+        Parameters
+        ----------
+        file : io.TextIOWrapper
+            File object.
+        Returns
+        -------
+        list[dict]
+            List of events from the file.
+        """
+        json_list = list(file)
+        result = []
+        for json_item in json_list:
+            x = json.loads(json_item)
+            result.append(dict(x))
+        return result
+
+    @staticmethod
+    def _json_event_generator(data: str):
+        """Obtain events from string of JSON objects.
+
+        Parameters
+        ----------
+        data : str
+            String of JSON data.
+        Yields
+        -------
+        dict
+            Extracted JSON event.
+        """
+        decoder = json.JSONDecoder()
+        while data:
+            json_data, json_index = decoder.raw_decode(data)
+            data = data[json_index:]
+            yield json_data
+
+    @staticmethod
+    def _remove_none_fields(event: dict):
+        """Remove None fields from events.
+
+        Parameters
+        ----------
+        event : dict
+            Event to send to Analysisd.
+        """
+        for key, value in list(event.items()):
+            if isinstance(value, dict):
+                AWSSubscriberBucket._remove_none_fields(event[key])
+            elif value is None:
+                del event[key]
+
+    @staticmethod
+    def is_csv(file: io.TextIOWrapper) -> bool:
+        """Determine if the given file is a CSV according to its headers.
+
+        Parameters
+        ----------
+        file : io.TextIOWrapper
+            File object.
+
+        Returns
+        -------
+        bool
+            Whether a file contains csv data or not.
+        """
+        # Read the first line (header row) from the file
+        header_row = file.readline().strip()
+        file.seek(0)
+        # Define the regex pattern for invalid CSV header characters
+        not_header_pattern = re.compile(r'.*\d+.*')
+        # Check if the header row matches the regex pattern
+        return not bool(not_header_pattern.match(header_row))
+
+    def obtain_logs(self, bucket: str, log_path: str) -> List[dict]:
+        """Fetch a file from a bucket and obtain a list of events from it.
+
+        Parameters
+        ----------
+        bucket : str
+            Bucket to get the file from.
+        log_path : str
+            Relative path of the file inside the bucket.
+
+        Returns
+        -------
+        list[dict]
+            List of extracted events to send to Wazuh.
+        """
+
+        with self.decompress_file(bucket, log_key=log_path) as f:
+            try:
+                if log_path.endswith('.jsonl.gz'):
+                    return self._process_jsonl(file=f)
+
+                return [dict(event.get('detail', event), source="custom")
+                        for event in self._json_event_generator(f.read())]
+
+            except (json.JSONDecodeError, AttributeError):
+                aws_tools.debug("+++ Log file does not contain JSON objects. Trying with other formats.", 2)
+                f.seek(0)
+                if self.is_csv(f):
+                    aws_tools.debug("+++ Log file is CSV formatted.", 2)
+                    dialect = csv.Sniffer().sniff(f.read(1024))
+                    f.seek(0)
+                    reader = csv.DictReader(f, dialect=dialect)
+                    return [dict({k: v for k, v in row.items() if v is not None},
+                                 source='custom') for row in reader]
+                else:
+                    aws_tools.debug("+++ Data in the file does not seem to be CSV. Trying with plain text.", 2)
+                    try:
+                        return [dict(full_log=event, source="custom") for event in f.read().splitlines()]
+                    except OSError:
+                        aws_tools.error(f"Data in the file does not seem to be plain text either.")
+                        sys.exit(9)
+
+    def process_file(self, message_body: dict) -> None:
+        """Parse an SQS message, obtain the events associated, and send them to Analysisd.
+
+        Parameters
+        ----------
+        message_body : dict
+            An SQS message received from the queue.
+        """
+
+        log_path = unquote(message_body['log_path'])
+        bucket_path = message_body['bucket_path']
+
+        msg = {
+            'integration': 'aws',
+            'aws': {
+                'log_info': {
+                    'log_file': log_path,
+                    's3bucket': bucket_path
+                }
+            }
+        }
+        formatted_logs = self.obtain_logs(bucket=bucket_path, log_path=log_path)
+        for log in formatted_logs:
+            self._remove_none_fields(log)
+            if 'full_log' in log:
+                # The processed logs origin is a plain text log file
+                if re.match(self.discard_regex, log['full_log']):
+                    aws_tools.debug(f'+++ The "{self.discard_regex.pattern}" regex found a match. '
+                                    f'The event will be skipped.', 2)
+                else:
+                    print(f'WARNING: The "{self.discard_regex.pattern}" regex did not find a match. '
+                          f'The event will be processed.')
+                    continue
+            elif self.event_should_be_skipped(log):
+                aws_tools.debug(f'+++ The "{self.discard_regex.pattern}" regex found a match '
+                                f'in the "{self.discard_field}" '
+                      f'field. The event will be skipped.', 2)
+                continue
+            else:
+                aws_tools.debug(
+                                f'+++ The "{self.discard_regex.pattern}" regex did not find a match in the '
+                                f'"{self.discard_field}" field. The event will be processed.', 3)
+
+            msg['aws'].update(log)
+            self.send_msg(msg)
+
+
+class AWSSLSubscriberBucket(wazuh_integration.WazuhIntegration, AWSS3LogHandler):
+    """Class for processing AWS Security Lake events from S3.
+
+    Attributes
+    ----------
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    """
+
+    def __init__(self, service_endpoint: str = None, sts_endpoint: str = None, profile: str = None, **kwargs):
+        wazuh_integration.WazuhIntegration.__init__(self,
+                                                    profile=profile,
+                                                    service_name='s3',
+                                                    service_endpoint=service_endpoint,
+                                                    sts_endpoint=sts_endpoint,
+                                                    **kwargs)
+
+    def obtain_logs(self, bucket: str, log_path: str) -> list:
+        """Fetch a parquet file from a bucket and obtain a list of the events it contains.
+
+        Parameters
+        ----------
+        bucket : str
+            Bucket to get the file from.
+        log_path : str
+            Relative path of the file inside the bucket.
+
+        Returns
+        -------
+        events : list
+            Events contained inside the parquet file.
+        """
+        aws_tools.debug(f'Processing file {log_path} in {bucket}', 2)
+        events = []
+        try:
+            raw_parquet = io.BytesIO(self.client.get_object(Bucket=bucket, Key=log_path)['Body'].read())
+        except Exception as e:
+            aws_tools.debug(f'Could not get the parquet file {log_path} in {bucket}: {e}', 1)
+            sys.exit(21)
+        pfile = pq.ParquetFile(raw_parquet)
+        for i in pfile.iter_batches():
+            for j in i.to_pylist():
+                events.append(json.dumps(j))
+        aws_tools.debug(f'Found {len(events)} events in file {log_path}', 2)
+        return events
+
+    def process_file(self, message_body: dict) -> None:
+        """Parse an SQS message, obtain the events associated, and send them to Analysisd.
+
+        Parameters
+        ----------
+        message_body : dict
+            An SQS message received from the queue.
+        """
+        events_in_file = self.obtain_logs(bucket=message_body['bucket_path'],
+                                          log_path=message_body['log_path'])
+        for event in events_in_file:
+            self.send_msg(event, dump_json=False)
+        aws_tools.debug(f'{len(events_in_file)} events sent to Analysisd', 2)
+
+
+class AWSSecurityHubSubscriberBucket(AWSSubscriberBucket):
+    """Class for processing events from AWS S3 buckets containing Security Hub related logs."""
+
+    @staticmethod
+    def _add_event_type_fields(details: dict, event: dict):
+        """Add the corresponding fields into the event if the details contain them.
+
+        Parameters
+        ----------
+        details : dict
+            Source dictionary containing the events from the log file.
+        event : dict
+            Destination dictionary to be added to the event sent to Wazuh.
+        """
+        fields = ['findings', 'actionName', 'actionDescription', 'actionDescription', 'insightName', 'insightArn',
+                  'resultType', 'insightResults']
+
+        def _action(source: dict, dest: dict, field_name: str) -> None:
+            if field_name == 'findings':
+                dest.setdefault('finding', source[field_name][0])
+            else:
+                dest.setdefault(field_name, source[field_name])
+
+        for key in fields:
+            if key in details:
+                _action(details, event, key)
+
+    def obtain_logs(self, bucket: str, log_path: str) -> List[dict]:
+        """Fetch a file from a bucket and obtain a list of events from it.
+
+        Parameters
+        ----------
+        bucket : str
+            Bucket to get the file from.
+        log_path : str
+            Relative path of the file inside the bucket.
+
+        Returns
+        -------
+        List[dict]
+            List of extracted events to send to Wazuh.
+        """
+        with self.decompress_file(bucket, log_key=log_path) as f:
+            try:
+                extracted_events = []
+                for event in self._json_event_generator(f.read()):
+                    event_detail = event['detail']
+                    base_event = dict(source="securityhub", detail_type=event["detail-type"])
+                    self._add_event_type_fields(event_detail, base_event)
+                    extracted_events.append(base_event)
+
+                return extracted_events
+
+            except (json.JSONDecodeError, AttributeError):
+                aws_tools.error(f"Data in the file does not contain JSON objects.")
+                sys.exit(9)
+
+    def process_file(self, message_body: dict) -> None:
+        """Parse an SQS message, obtain the events associated, and send them to Analysisd.
+
+        Parameters
+        ----------
+        message_body : dict
+            An SQS message received from the queue.
+        """
+        log_path = message_body['log_path']
+        bucket_path = message_body['bucket_path']
+
+        formatted_logs = self.obtain_logs(bucket=bucket_path, log_path=log_path)
+        for log in formatted_logs:
+            msg = {
+                'integration': 'aws',
+                'aws': {
+                    'log_info': {
+                        'log_file': log_path,
+                        's3bucket': bucket_path
+                    }
+                }
+            }
+            self._remove_none_fields(log)
+            if self.event_should_be_skipped(log):
+                aws_tools.debug(f'+++ The "{self.discard_regex.pattern}" regex found a match '
+                                f'in the "{self.discard_field}" field. The event will be skipped.', 2)
+                continue
+            else:
+                aws_tools.debug(
+                    f'+++ The "{self.discard_regex.pattern}" regex did not find a match in the '
+                    f'"{self.discard_field}" field. The event will be processed.', 3)
+
+            msg['aws'].update(log)
+            self.send_msg(msg)
diff --git a/src/modules/aws/scripts/subscribers/sqs_message_processor.py b/src/modules/aws/scripts/subscribers/sqs_message_processor.py
new file mode 100644
index 0000000000..e85b12d181
--- /dev/null
+++ b/src/modules/aws/scripts/subscribers/sqs_message_processor.py
@@ -0,0 +1,52 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import json
+import sys
+from os import path
+from typing import List
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSQueueMessageProcessor:
+    """Class in charge of processing the messages retrieved from an AWS SQS queue."""
+
+    def extract_message_info(self, sqs_messages: List[dict]) -> List[dict]:
+        messages = []
+        for mesg in sqs_messages:
+            body = mesg['Body']
+            msg_handle = mesg["ReceiptHandle"]
+            message = json.loads(body)
+
+            aws_tools.debug(f'The message is: {message}', 2)
+
+            message_information = self.parse_message(message)
+            messages.append({**message_information, "handle": msg_handle})
+        return messages
+
+    def parse_message(self, message: dict) -> dict:
+        raise NotImplementedError
+
+
+class AWSS3MessageProcessor(AWSQueueMessageProcessor):
+    def parse_message(self, message: dict) -> dict:
+        try:
+            log_path = message["Records"][0]["s3"]["object"]["key"]
+            bucket_path = message["Records"][0]["s3"]["bucket"]["name"]
+
+            return {"route": {"log_path": log_path, "bucket_path": bucket_path}}
+        except KeyError:
+            return {'raw_message': message}
+
+
+class AWSSSecLakeMessageProcessor(AWSQueueMessageProcessor):
+    def parse_message(self, message: dict) -> dict:
+        try:
+            log_path = message["detail"]["object"]["key"]
+            bucket_path = message["detail"]["bucket"]["name"]
+            return {"route": {"log_path": log_path, "bucket_path": bucket_path}}
+        except KeyError:
+            return {'raw_message': message}
diff --git a/src/modules/aws/scripts/subscribers/sqs_queue.py b/src/modules/aws/scripts/subscribers/sqs_queue.py
new file mode 100644
index 0000000000..135dd4090f
--- /dev/null
+++ b/src/modules/aws/scripts/subscribers/sqs_queue.py
@@ -0,0 +1,143 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import botocore
+import sys
+from os import path
+
+sys.path.append(path.join(path.dirname(path.realpath(__file__)), '..', 'subscribers'))
+import s3_log_handler
+import sqs_message_processor
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import wazuh_integration
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import aws_tools
+
+
+class AWSSQSQueue(wazuh_integration.WazuhIntegration):
+    """Class for getting AWS SQS Queue notifications.
+
+    Attributes
+    ----------
+    name: str
+        Name of the SQS Queue.
+    iam_role_arn : str
+        IAM Role.
+    external_id : str
+        The name of the External ID to use.
+    sts_endpoint : str
+        URL for the VPC endpoint to use to obtain the STS token.
+    service_endpoint : str
+        URL for the endpoint to use to obtain the logs.
+    message_processor: AWSQueueMessageProcessor
+        Class to process received notifications.
+    """
+
+    def __init__(self, name: str, iam_role_arn: str, message_processor: sqs_message_processor.AWSQueueMessageProcessor,
+                 bucket_handler: s3_log_handler.AWSS3LogHandler,
+                 profile: str = None, iam_role_duration: int = None, external_id: str = None,
+                 sts_endpoint=None, service_endpoint=None, skip_on_error=False,
+                 **kwargs):
+        self.sqs_name = name
+        wazuh_integration.WazuhIntegration.__init__(self,
+                                                    iam_role_arn=iam_role_arn,
+                                                    profile=profile, external_id=external_id, service_name='sqs',
+                                                    sts_endpoint=sts_endpoint, skip_on_error=skip_on_error,
+                                                    iam_role_duration=iam_role_duration,
+                                                    **kwargs)
+        self.sts_client = self.get_sts_client(None, None, profile)
+        self.account_id = self.sts_client.get_caller_identity().get('Account')
+        self.sqs_url = self._get_sqs_url()
+        self.iam_role_arn = iam_role_arn
+        self.iam_role_duration = iam_role_duration
+        self.bucket_handler = bucket_handler(external_id=external_id,
+                                             iam_role_arn=self.iam_role_arn,
+                                             iam_role_duration=self.iam_role_duration,
+                                             service_endpoint=service_endpoint,
+                                             sts_endpoint=sts_endpoint,
+                                             skip_on_error=skip_on_error,
+                                             profile=profile,
+                                             **kwargs)
+        self.message_processor = message_processor()
+
+    def _get_sqs_url(self) -> str:
+        """Get the URL of the AWS SQS queue.
+
+        Returns
+        -------
+        url : str
+            The URL of the AWS SQS queue
+        """
+        try:
+            url = self.client.get_queue_url(QueueName=self.sqs_name,
+                                            QueueOwnerAWSAccountId=self.account_id)['QueueUrl']
+            aws_tools.debug(f'The SQS queue is: {url}', 2)
+            return url
+        except botocore.exceptions.ClientError:
+            aws_tools.error('Queue does not exist, verify the given name')
+            sys.exit(20)
+
+    def delete_message(self, message: dict) -> None:
+        """Delete message from the SQS queue.
+
+        Parameters
+        ----------
+        message : dict
+            An SQS message recieved from the queue
+        """
+        try:
+            self.client.delete_message(QueueUrl=self.sqs_url, ReceiptHandle=message["handle"])
+            aws_tools.debug(f'Message deleted from queue: {self.sqs_name}', 2)
+        except Exception as e:
+            aws_tools.debug(f'ERROR: Error deleting message from SQS: {e}', 1)
+            sys.exit(21)
+
+    def fetch_messages(self) -> dict:
+        """Retrieves one or more messages (up to 10), from the specified queue.
+
+        Returns
+        -------
+        dict
+            A dictionary with a list of messages from the SQS queue.
+        """
+        try:
+            aws_tools.debug(f'Retrieving messages from: {self.sqs_name}', 2)
+            return self.client.receive_message(QueueUrl=self.sqs_url, AttributeNames=['All'],
+                                               MaxNumberOfMessages=10, MessageAttributeNames=['All'],
+                                               WaitTimeSeconds=20)
+        except Exception as e:
+            aws_tools.debug(f'ERROR: Error receiving message from SQS: {e}', 1)
+            sys.exit(21)
+
+    def get_messages(self) -> list:
+        """Retrieve parsed messages from the SQS queue.
+
+        Returns
+        -------
+        messages : list
+            Parsed messages from the SQS queue.
+        """
+        sqs_raw_messages = self.fetch_messages()
+        aws_tools.debug(f'The raw message is: {sqs_raw_messages}', 3)
+        sqs_messages = sqs_raw_messages.get('Messages', [])
+
+        return self.message_processor.extract_message_info(sqs_messages)
+
+    def sync_events(self) -> None:
+        """Get messages from the SQS queue, parse their events, send them to AnalysisD, and delete them from the queue.
+        """
+        messages = self.get_messages()
+        while messages:
+            for message in messages:
+                try:
+                    self.bucket_handler.process_file(message["route"])
+                except KeyError:
+                    message_without_handle = {k: v for k, v in message.items() if k != 'handle'}
+                    aws_tools.debug(f"Processed message {message_without_handle} does not contain the expected format, "
+                                    f"omitting message.", 2)
+                    continue
+                self.delete_message(message)
+            messages = self.get_messages()
diff --git a/src/modules/aws/scripts/tests/__init__.py b/src/modules/aws/scripts/tests/__init__.py
new file mode 100644
index 0000000000..ea0d8aeea6
--- /dev/null
+++ b/src/modules/aws/scripts/tests/__init__.py
@@ -0,0 +1,3 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
diff --git a/src/modules/aws/scripts/tests/aws_utils.py b/src/modules/aws/scripts/tests/aws_utils.py
new file mode 100644
index 0000000000..5043b66afa
--- /dev/null
+++ b/src/modules/aws/scripts/tests/aws_utils.py
@@ -0,0 +1,433 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+import copy
+from unittest.mock import patch
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'services'))
+import aws_service
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'subscribers'))
+import sqs_queue
+import s3_log_handler
+
+TEST_TABLE_NAME = "cloudtrail"
+TEST_SERVICE_NAME = "s3"
+TEST_AWS_PROFILE = "test_aws_profile"
+TEST_IAM_ROLE_ARN = "arn:aws:iam::123455678912:role/Role"
+TEST_IAM_ROLE_DURATION = '3600'
+TEST_ACCOUNT_ID = "123456789123"
+TEST_ACCOUNT_ALIAS = "test_account_alias"
+TEST_ORGANIZATION_ID = "test_organization_id"
+TEST_TOKEN = 'test_token'
+TEST_CREATION_DATE = "2022-01-01"
+TEST_BUCKET = "test-bucket"
+TEST_SERVICE = "test-service"
+TEST_SQS_NAME = "test-sqs"
+TEST_PREFIX = "test_prefix"
+TEST_SUFFIX = "test_suffix"
+TEST_REGION = "us-east-1"
+TEST_DISCARD_FIELD = "test_field"
+TEST_DISCARD_REGEX = "test_regex"
+TEST_ONLY_LOGS_AFTER = "20220101"
+TEST_ONLY_LOGS_AFTER_WITH_FORMAT = "2022-01-01 00:00:00.0"
+TEST_LOG_KEY = "123456789_CloudTrail-us-east-1_20190401T00015Z_aaaa.json.gz"
+TEST_FULL_PREFIX = "base/account_id/service/region/"
+TEST_EXTERNAL_ID = "external-id-Sec-Lake"
+
+TEST_SERVICE_ENDPOINT = 'test_service_endpoint'
+TEST_STS_ENDPOINT = "test_sts_endpoint"
+
+TEST_LOG_FULL_PATH_CLOUDTRAIL_1 = 'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_' \
+                                  '20190401T0030Z_aaaa.json.gz'
+TEST_LOG_FULL_PATH_CLOUDTRAIL_2 = 'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_' \
+                                  '20190401T00015Z_aaaa.json.gz'
+TEST_LOG_FULL_PATH_CUSTOM_1 = 'custom/2019/04/15/07/firehose_custom-1-2019-04-15-09-16-03.zip'
+TEST_LOG_FULL_PATH_CUSTOM_2 = 'custom/2019/04/15/07/firehose_custom-1-2019-04-15-13-19-03.zip'
+TEST_LOG_FULL_PATH_CONFIG_1 = 'AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_' \
+                              'ConfigHistory_20190415T020500Z.json.gz'
+
+LIST_OBJECT_V2 = {'CommonPrefixes': [{'Prefix': f'AWSLogs/{TEST_REGION}/'},
+                                     {'Prefix': f'AWSLogs/prefix/{TEST_REGION}/'}]}
+
+LIST_OBJECT_V2_NO_PREFIXES = {'Contents': [{
+    'Key': '',
+    'OtherKey': 'value'}],
+    'IsTruncated': False
+}
+
+LIST_OBJECT_V2_TRUNCATED = copy.deepcopy(LIST_OBJECT_V2_NO_PREFIXES)
+LIST_OBJECT_V2_TRUNCATED.update({'IsTruncated': True, 'NextContinuationToken': 'Token'})
+
+WAZUH_VERSION = "4.5.0"
+
+TEST_WAZUH_PATH = "/var/ossec"
+TEST_DATABASE = "test"
+TEST_MESSAGE = "test_message"
+QUEUE_PATH = 'queue/sockets/queue'
+WODLE_PATH = 'wodles/aws'
+
+SQL_COUNT_ROWS = """SELECT count(*) FROM {table_name};"""
+
+data_path = os.path.join(os.path.dirname(__file__), 'data')
+
+# Error codes
+UNKNOWN_ERROR_CODE = 1
+INVALID_CREDENTIALS_ERROR_CODE = 3
+METADATA_ERROR_CODE = 5
+UNABLE_TO_CREATE_DB = 6
+UNEXPECTED_ERROR_WORKING_WITH_S3 = 7
+DECOMPRESS_FILE_ERROR_CODE = 8
+PARSE_FILE_ERROR_CODE = 9
+UNABLE_TO_CONNECT_SOCKET_ERROR_CODE = 11
+INVALID_TYPE_ERROR_CODE = 12
+SENDING_MESSAGE_SOCKET_ERROR_CODE = 13
+EMPTY_BUCKET_ERROR_CODE = 14
+INVALID_ENDPOINT_ERROR_CODE = 15
+THROTTLING_ERROR_CODE = 16
+INVALID_KEY_FORMAT_ERROR_CODE = 17
+INVALID_PREFIX_ERROR_CODE = 18
+INVALID_REQUEST_TIME_ERROR_CODE = 19
+UNABLE_TO_FETCH_DELETE_FROM_QUEUE = 21
+INVALID_REGION_ERROR_CODE = 22
+
+
+def get_wazuh_integration_parameters(service_name: str = TEST_SERVICE_NAME, profile: str = TEST_AWS_PROFILE,
+                                     iam_role_arn: str = None, region: str = None, discard_field: str = None,
+                                     discard_regex: str = None, sts_endpoint: str = None, service_endpoint: str = None,
+                                     iam_role_duration: str = None, external_id: str = None,
+                                     skip_on_error: bool = False):
+    """Return a dict containing every parameter supported by WazuhIntegration. Used to simulate different ossec.conf
+    configurations.
+
+    Parameters
+    ----------
+    service_name : str
+        Name of the service.
+    profile : str
+        AWS profile name.
+    iam_role_arn : str
+        IAM Role ARN value.
+    region : str
+        Region name.
+    discard_field : list of str
+        List of field names to be discarded.
+    discard_regex : str
+        Regex to be applied to the fields to determine if they should be discarded.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+    external_id: str
+        AWS external ID for IAM Role assumption when using Security Lake.
+    skip_on_error : bool
+        Whether to continue processing logs or stop when an error takes place.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'service_name': service_name, 'profile': profile, 'iam_role_arn': iam_role_arn,
+            'region': region, 'discard_field': discard_field, 'discard_regex': discard_regex,
+            'sts_endpoint': sts_endpoint, 'service_endpoint': service_endpoint, 'iam_role_duration': iam_role_duration,
+            'external_id': external_id, 'skip_on_error': skip_on_error}
+
+
+def get_wazuh_aws_database_parameters(service_name: str = TEST_SERVICE_NAME, profile: str = TEST_AWS_PROFILE,
+                                      db_name: str = TEST_DATABASE,
+                                      iam_role_arn: str = None, region: str = None, discard_field: str = None,
+                                      discard_regex: str = None, sts_endpoint: str = None, service_endpoint: str = None,
+                                      iam_role_duration: str = None, external_id: str = None):
+    """Return a dict containing every parameter supported by WazuhAWSDatabase.
+
+    Parameters
+    ----------
+    service_name : str
+        Name of the service.
+    profile : str
+        AWS profile name.
+    db_name : str
+        Database name.
+    iam_role_arn : str
+        IAM Role ARN value.
+    region : str
+        Region name.
+    discard_field : list of str
+        List of field names to be discarded.
+    discard_regex : str
+        Regex to be applied to the fields to determine if they should be discarded.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+    external_id: str
+        AWS external ID for IAM Role assumption when using Security Lake.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'service_name': service_name, 'profile': profile, 'db_name': db_name, 'iam_role_arn': iam_role_arn,
+            'region': region, 'discard_field': discard_field, 'discard_regex': discard_regex,
+            'sts_endpoint': sts_endpoint, 'service_endpoint': service_endpoint, 'iam_role_duration': iam_role_duration,
+            'external_id': external_id}
+
+
+def get_aws_bucket_parameters(db_table_name: str = TEST_TABLE_NAME, bucket: str = TEST_BUCKET, reparse: bool = False,
+                              profile: str = TEST_AWS_PROFILE,
+                              iam_role_arn: str = None, only_logs_after: str = None, skip_on_error: bool = False,
+                              account_alias: str = None, prefix: str = "", suffix: str = "", delete_file: bool = False,
+                              aws_organization_id: str = None, region: str = None, discard_field: str = None,
+                              discard_regex: str = None, sts_endpoint: str = None, service_endpoint: str = None,
+                              iam_role_duration: str = None):
+    """Return a dict containing every parameter supported by AWSBucket. Used to simulate different ossec.conf
+    configurations.
+
+    Parameters
+    ----------
+    db_table_name : str
+        The name of the table to be created for the given bucket or service.
+    bucket : str
+        Name of the bucket.
+    reparse : bool
+        Whether to parse already parsed logs or not.
+    profile : str
+        AWS profile name.
+    iam_role_arn : str
+        IAM Role ARN value.
+    only_logs_after : str
+        Date after which obtain logs.
+    skip_on_error : bool
+        Whether to continue processing logs or stop when an error takes place.
+    account_alias: str
+        Alias of the AWS account where the bucket is.
+    prefix : str
+        Prefix to filter files in bucket.
+    suffix : str
+        Suffix to filter files in bucket.
+    delete_file : bool
+        Whether to delete an already processed file from a bucket or not.
+    aws_organization_id : str
+        The AWS organization ID.
+    region : str
+        Region name.
+    discard_field : list of str
+        List of field names to be discarded.
+    discard_regex : str
+        Regex to be applied to the fields to determine if they should be discarded.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'db_table_name': db_table_name, 'bucket': bucket, 'reparse': reparse, 'profile': profile,
+            'iam_role_arn': iam_role_arn,
+            'only_logs_after': only_logs_after, 'skip_on_error': skip_on_error, 'account_alias': account_alias,
+            'prefix': prefix, 'suffix': suffix, 'delete_file': delete_file, 'aws_organization_id': aws_organization_id,
+            'region': region, 'discard_field': discard_field, 'discard_regex': discard_regex,
+            'sts_endpoint': sts_endpoint, 'service_endpoint': service_endpoint, 'iam_role_duration': iam_role_duration}
+
+
+def get_aws_service_parameters(db_table_name: str = TEST_TABLE_NAME, service_name: str = 'cloudwatchlogs',
+                               reparse: bool = False,
+                               profile: str = TEST_AWS_PROFILE, iam_role_arn: str = None,
+                               only_logs_after: str = None, account_alias: str = None, region: str = None, aws_log_groups: str = None,
+                               remove_log_streams: bool = None, discard_field: str = None,
+                               discard_regex: str = None, sts_endpoint: str = None, service_endpoint: str = None,
+                               iam_role_duration: str = None):
+    """Return a dict containing every parameter supported by AWSService. Used to simulate different ossec.conf
+    configurations.
+
+    Parameters
+    ----------
+    reparse : bool
+        Whether to parse already parsed logs or not.
+    profile : str
+        AWS profile.
+    iam_role_arn : str
+        IAM Role.
+    service_name : str
+        Service name to extract logs from.
+    only_logs_after : str
+        Date after which obtain logs.
+    account_alias: str
+        AWS account alias.
+    region : str
+        Region name.
+    aws_log_groups : str
+        String containing a list of log group names separated by a comma.
+    remove_log_streams: str
+        Indicate if log streams should be removed after being fetched.
+    db_table_name : str
+        The name of the table to be created for the given bucket or service.
+    discard_field : str
+        Name of the event field to apply the regex value on.
+    discard_regex : str
+        REGEX value to determine whether an event should be skipped.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'db_table_name': db_table_name, 'service_name': service_name, 'reparse': reparse, 'access_key': access_key,
+            'secret_key': secret_key, 'profile': profile, 'iam_role_arn': iam_role_arn,
+            'only_logs_after': only_logs_after, 'account_alias': account_alias, 'region': region, 'aws_log_groups': aws_log_groups,
+            'remove_log_streams': remove_log_streams, 'discard_field': discard_field,
+            'discard_regex': discard_regex, 'sts_endpoint': sts_endpoint,
+            'service_endpoint': service_endpoint, 'iam_role_duration': iam_role_duration}
+
+
+def get_aws_sqs_queue_parameters(name: str = TEST_SQS_NAME, external_id: str = TEST_EXTERNAL_ID,
+                                 iam_role_arn: str = TEST_IAM_ROLE_ARN, iam_role_duration: str = None,
+                                 sts_endpoint: str = None, service_endpoint: str = None):
+    """Return a dict containing every parameter supported by AWSSQSQueue. Used to simulate different ossec.conf
+    configurations.
+
+    Parameters
+    ----------
+    name: str
+        Name of the SQS Queue.
+    external_id : str
+        The name of the External ID to use.
+    iam_role_arn : str
+        IAM Role.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'name': name, 'external_id': external_id, 'iam_role_arn': iam_role_arn,
+            'sts_endpoint': sts_endpoint, 'service_endpoint': service_endpoint, 'iam_role_duration': iam_role_duration}
+
+
+def get_aws_s3_log_handler_parameters(iam_role_arn: str = None, iam_role_duration: str = None,
+                                      service_endpoint: str = None, sts_endpoint: str = None):
+    """Return a dict containing every parameter supported by AWSSLSubscriberBucket.
+    Used to simulate different ossec.conf configurations.
+
+    Parameters
+    ----------
+    iam_role_arn : str
+        IAM Role.
+    iam_role_duration : str
+        The desired duration of the session that is going to be assumed.
+    sts_endpoint : str
+        STS endpoint URL.
+    service_endpoint : str
+        Service endpoint URL.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their default values.
+    """
+    return {'iam_role_arn': iam_role_arn, 'iam_role_duration': iam_role_duration,
+            'sts_endpoint': sts_endpoint, 'service_endpoint': service_endpoint}
+
+
+def get_mocked_wazuh_integration(**kwargs):
+    with patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.sqlite3.connect'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return wazuh_integration.WazuhIntegration(**get_wazuh_integration_parameters(**kwargs))
+
+
+def get_mocked_wazuh_aws_database(**kwargs):
+    with patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version'), \
+            patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.sqlite3.connect'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return wazuh_integration.WazuhAWSDatabase(**get_wazuh_aws_database_parameters(**kwargs))
+
+
+def get_mocked_aws_bucket(**kwargs):
+    with patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version'), \
+            patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.sqlite3.connect'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return aws_bucket.AWSBucket(**get_aws_bucket_parameters(**kwargs))
+
+
+def get_mocked_bucket(class_=aws_bucket.AWSBucket, **kwargs):
+    with patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version'), \
+            patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.sqlite3.connect'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return class_(**get_aws_bucket_parameters(**kwargs))
+
+
+def get_mocked_service(class_=aws_service.AWSService, **kwargs):
+    with patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version'), \
+            patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.sqlite3.connect'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return class_(**get_aws_service_parameters(**kwargs))
+
+
+def get_mocked_aws_sqs_queue(**kwargs):
+    with patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION), \
+            patch('s3_log_handler.AWSS3LogHandler.__init__') as mocked_handler, \
+            patch('sqs_message_processor.AWSQueueMessageProcessor.__init__') as mocked_processor:
+        return sqs_queue.AWSSQSQueue(message_processor=mocked_processor, bucket_handler=mocked_handler,
+                                     **get_aws_sqs_queue_parameters(**kwargs))
+
+
+def get_mocked_aws_sl_subscriber_bucket(**kwargs):
+    with patch('wazuh_integration.WazuhIntegration.get_client'), \
+            patch('wazuh_integration.utils.find_wazuh_path', return_value=TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=WAZUH_VERSION):
+        return s3_log_handler.AWSSLSubscriberBucket(**get_aws_s3_log_handler_parameters(**kwargs))
+
+
+def database_execute_script(connector, sql_file):
+    with open(os.path.join(data_path, sql_file)) as f:
+        connector.cursor().executescript(f.read())
+    connector.commit()
+
+
+def database_execute_query(connector, query, query_params={}):
+    row = connector.execute(query, query_params).fetchone()
+    return row[0] if row and len(row) == 1 else row
diff --git a/src/modules/aws/scripts/tests/conftest.py b/src/modules/aws/scripts/tests/conftest.py
new file mode 100644
index 0000000000..28c4396832
--- /dev/null
+++ b/src/modules/aws/scripts/tests/conftest.py
@@ -0,0 +1,21 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import sqlite3
+
+@pytest.fixture()
+def custom_database():
+    """Create a custom database in memory without cache."""
+    memory_db = sqlite3.connect(':memory:')
+    yield memory_db
+
+    # List tables
+    table_list = memory_db.execute(
+        "SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%';").fetchall()
+
+    # Drop tables
+    for table in [table[0] for table in table_list]:
+        memory_db.execute(f"DROP TABLE {table};")
+    memory_db.close()
diff --git a/src/modules/aws/scripts/tests/data/log_files/AWSSecurityLake/test_file.parquet b/src/modules/aws/scripts/tests/data/log_files/AWSSecurityLake/test_file.parquet
new file mode 100644
index 0000000000..5346c77a6d
Binary files /dev/null and b/src/modules/aws/scripts/tests/data/log_files/AWSSecurityLake/test_file.parquet differ
diff --git a/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf
new file mode 100644
index 0000000000..e487c9de64
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf
@@ -0,0 +1,4 @@
+{"timestamp":1592357192516,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global\/webacl\/hello-world\/5933d6d9-9dde-js82-od8w-9ck28nv9","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"TestRule","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"httpRequest":{"clientIp":"3.3.3.3","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"foo","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}{"timestamp":1592361810888,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global\/webacl\/hello-world\/5933d6d9-9dde-js82-od8w-9ck28nv9","terminatingRuleId":"RG-Reference","terminatingRuleType":"GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"HEADER","matchedData":["<","frameset"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global\/rulegroup\/hello-world\/c05lb698-1f11-4m41-aef4-99a506d53f4b","terminatingRule":{"ruleId":"RuleA-XSS","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[{"ruleId":"RuleB-SQLi","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"3.3.3.3","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"xssfoo","value":"<frameset onload=alert(1)>"},{"name":"bar","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional\/webacl\/test\/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP\/1.1","httpMethod":"POST","requestId":"null"},"labels":[{"name":"value"}]}
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional\/webacl\/STMTest\/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional\/webacl\/STMTest\/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional\/webacl\/STMTest\/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional\/webacl\/STMTest\/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"1.1.1.1","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl\/7.61.1"},{"name":"Accept","value":"*\/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"\/foo","args":"","httpVersion":"HTTP\/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
\ No newline at end of file
diff --git a/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_invalid_json b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_invalid_json
new file mode 100644
index 0000000000..d11582d46f
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_invalid_json
@@ -0,0 +1 @@
+{"invalid json",
\ No newline at end of file
diff --git a/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_wrong_structure b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_wrong_structure
new file mode 100644
index 0000000000..d03f830ecb
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/log_files/WAF/aws_waf_wrong_structure
@@ -0,0 +1 @@
+{"timestamp":1592357192516}
diff --git a/src/modules/aws/scripts/tests/data/schema_cloudtrail_test.sql b/src/modules/aws/scripts/tests/data/schema_cloudtrail_test.sql
new file mode 100644
index 0000000000..10fb378ca9
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_cloudtrail_test.sql
@@ -0,0 +1,128 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 1, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'cloudtrail' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, aws_region, log_key));
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0030Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0000Z_aaab.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0000Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0005Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0020Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0010Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T0025Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'cloudtrail' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'AWSLogs/123456789/CloudTrail/us-east-1/2019/04/01/123456789_CloudTrail-us-east-1_20190401T00015Z_aaaa.json.gz',
+    DATETIME('now'),
+    '');
diff --git a/src/modules/aws/scripts/tests/data/schema_cloudwatchlogs_test.sql b/src/modules/aws/scripts/tests/data/schema_cloudwatchlogs_test.sql
new file mode 100644
index 0000000000..6fc4db4955
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_cloudwatchlogs_test.sql
@@ -0,0 +1,31 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'cloudwatch_logs' (
+    aws_region 'text' NOT NULL,
+    aws_log_group 'text' NOT NULL,
+    aws_log_stream 'text' NOT NULL,
+    next_token 'text',
+    start_time 'integer',
+    end_time 'integer',
+    PRIMARY KEY (aws_region, aws_log_group, aws_log_stream));
+
+INSERT INTO 'cloudwatch_logs' (
+    aws_region,
+    aws_log_group,
+    aws_log_stream,
+    next_token,
+    start_time,
+    end_time) VALUES (
+    'us-east-1',
+    'test_log_group',
+    'test_stream',
+    'f/12345678123456781234567812345678123456781234567812345678/s',
+    1640996200000,
+    1659355591835
+    );
diff --git a/src/modules/aws/scripts/tests/data/schema_config_test.sql b/src/modules/aws/scripts/tests/data/schema_config_test.sql
new file mode 100644
index 0000000000..a40dbf0f5c
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_config_test.sql
@@ -0,0 +1,128 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'config' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, aws_region, log_key));
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020505Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020515Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020510Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020520Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020525Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020530Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020500Z.json.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'config' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'config/AWSLogs/123456789/Config/us-east-1/2019/4/15/ConfigHistory/123456789_Config_us-east-1_ConfigHistory_20190415T020535Z.json.gz',
+    DATETIME('now'),
+    '20230101');
diff --git a/src/modules/aws/scripts/tests/data/schema_custom_test.sql b/src/modules/aws/scripts/tests/data/schema_custom_test.sql
new file mode 100644
index 0000000000..c148bed869
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_custom_test.sql
@@ -0,0 +1,111 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'custom' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, log_key));
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-09-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-10-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-11-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-13-19-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-12-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-13-17-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-08-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'custom' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'custom/2019/04/15/07/firehose_custom-1-2019-04-15-13-18-03.zip',
+    DATETIME('now'),
+    '');
diff --git a/src/modules/aws/scripts/tests/data/schema_empty_table.sql b/src/modules/aws/scripts/tests/data/schema_empty_table.sql
new file mode 100644
index 0000000000..169c282fd4
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_empty_table.sql
@@ -0,0 +1,9 @@
+
+CREATE TABLE 'cloudtrail' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, aws_region, log_key));
diff --git a/src/modules/aws/scripts/tests/data/schema_empty_vpc_table.sql b/src/modules/aws/scripts/tests/data/schema_empty_vpc_table.sql
new file mode 100644
index 0000000000..2360c53a41
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_empty_vpc_table.sql
@@ -0,0 +1,10 @@
+
+CREATE TABLE 'vpcflow' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    flow_log_id 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, aws_region, flow_log_id, log_key));
diff --git a/src/modules/aws/scripts/tests/data/schema_guardduty_test.sql b/src/modules/aws/scripts/tests/data/schema_guardduty_test.sql
new file mode 100644
index 0000000000..5bdb2e8368
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_guardduty_test.sql
@@ -0,0 +1,111 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'guardduty' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, log_key));
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-08-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-09-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-10-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-11-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-12-16-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-13-17-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-13-18-03.zip',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'guardduty' (
+    bucket_path,
+    aws_account_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'guardduty/2019/04/15/07/firehose_guardduty-1-2019-04-15-13-19-03.zip',
+    DATETIME('now'),
+    '');
diff --git a/src/modules/aws/scripts/tests/data/schema_metadata_deprecated_tables_test.sql b/src/modules/aws/scripts/tests/data/schema_metadata_deprecated_tables_test.sql
new file mode 100644
index 0000000000..78bb5d5480
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_metadata_deprecated_tables_test.sql
@@ -0,0 +1,14 @@
+CREATE TABLE 'metadata' (
+    key 'text' NOT NULL,
+    value 'text' NOT NULL,
+    PRIMARY KEY (key, value));
+
+CREATE TABLE 'log_progress' (
+    key 'text' NOT NULL,
+    value 'text' NOT NULL,
+    PRIMARY KEY (key, value));
+
+CREATE TABLE 'trail_progress' (
+    key 'text' NOT NULL,
+    value 'text' NOT NULL,
+    PRIMARY KEY (key, value));
diff --git a/src/modules/aws/scripts/tests/data/schema_metadata_test.sql b/src/modules/aws/scripts/tests/data/schema_metadata_test.sql
new file mode 100644
index 0000000000..adcdac083b
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_metadata_test.sql
@@ -0,0 +1,6 @@
+CREATE TABLE 'metadata' (
+    key 'text' NOT NULL,
+    value 'text' NOT NULL,
+    PRIMARY KEY (key, value));
+
+INSERT INTO 'metadata' (key, value) VALUES ('version', '0.0.0');
diff --git a/src/modules/aws/scripts/tests/data/schema_services_test.sql b/src/modules/aws/scripts/tests/data/schema_services_test.sql
new file mode 100644
index 0000000000..0999db1419
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_services_test.sql
@@ -0,0 +1,94 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'aws_services' (
+    service_name 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    scan_date 'text' NOT NULL,
+    PRIMARY KEY (service_name, aws_account_id, aws_region, scan_date));
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-01-26 00:00:00.0');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-02-06 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-03-06 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-04-06 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-05-06 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-06-06 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-07-07 18:58:32.504472');
+
+INSERT INTO 'aws_services' (
+    service_name,
+    aws_account_id,
+    aws_region,
+    scan_date) VALUES (
+    'inspector',
+    '123456789123',
+    'us-east-1',
+    '2022-08-26 00:00:00.0');
diff --git a/src/modules/aws/scripts/tests/data/schema_vpcflow_test.sql b/src/modules/aws/scripts/tests/data/schema_vpcflow_test.sql
new file mode 100644
index 0000000000..b01e8fd99e
--- /dev/null
+++ b/src/modules/aws/scripts/tests/data/schema_vpcflow_test.sql
@@ -0,0 +1,145 @@
+/*
+ * SQL Schema AWS tests
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 15, 2019.
+ * This program is a free software, you can redistribute it
+ * and/or modify it under the terms of GPLv2.
+ */
+
+CREATE TABLE 'vpcflow' (
+    bucket_path 'text' NOT NULL,
+    aws_account_id 'text' NOT NULL,
+    aws_region 'text' NOT NULL,
+    flow_log_id 'text' NOT NULL,
+    log_key 'text' NOT NULL,
+    processed_date 'text' NOT NULL,
+    created_date 'integer' NOT NULL,
+    PRIMARY KEY (bucket_path, aws_account_id, aws_region, flow_log_id, log_key));
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T0945Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T0950Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T0955Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T0940Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T1000Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T115Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T1005Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
+
+INSERT INTO 'vpcflow' (
+    bucket_path,
+    aws_account_id,
+    aws_region,
+    flow_log_id,
+    log_key,
+    processed_date,
+    created_date) VALUES (
+    'test-bucket/',
+    '123456789123',
+    'us-east-1',
+    'fl-1234',
+    'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_fl-1234_20190415T110Z_c23ab7.log.gz',
+    DATETIME('now'),
+    '20230101');
diff --git a/src/modules/aws/scripts/tests/pytest.ini b/src/modules/aws/scripts/tests/pytest.ini
new file mode 100644
index 0000000000..40880458c7
--- /dev/null
+++ b/src/modules/aws/scripts/tests/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+asyncio_mode=auto
diff --git a/src/modules/aws/scripts/tests/test_aws_bucket.py b/src/modules/aws/scripts/tests/test_aws_bucket.py
new file mode 100644
index 0000000000..f7f6198ed0
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_aws_bucket.py
@@ -0,0 +1,1201 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import copy
+import gzip
+import os
+import sqlite3
+import sys
+import zipfile
+import re
+import csv
+from datetime import datetime
+from unittest.mock import MagicMock, patch, mock_open
+
+import botocore
+import pytest
+import zlib
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+from cloudtrail import AWSCloudTrailBucket
+from config import AWSConfigBucket
+
+TEST_CLOUDTRAIL_SCHEMA = "schema_cloudtrail_test.sql"
+TEST_CUSTOM_SCHEMA = "schema_custom_test.sql"
+TEST_EMPTY_TABLE_SCHEMA = "schema_empty_table.sql"
+
+CLOUDTRAIL_SCHEMA_COUNT = 8
+CUSTOM_SCHEMA_COUNT = 8
+
+SQL_GET_ROW = "SELECT bucket_path, aws_account_id, aws_region, log_key, created_date FROM {table_name};"
+SQL_COUNT_TABLES = """SELECT count(*) FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%';"""
+SQL_SELECT_TABLES = """SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%';"""
+SQL_FIND_LAST_KEY_PROCESSED = """SELECT log_key FROM {table_name} ORDER BY log_key DESC LIMIT 1;"""
+
+SAMPLE_EVENT_1 = {'key1': 'value1', 'key2': 'value2'}
+SAMPLE_EVENT_2 = {'key1': 'value1', 'key2': None}
+
+utils.LIST_OBJECT_V2_NO_PREFIXES['Contents'][0]['Key'] = utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1
+
+
+@pytest.mark.parametrize('only_logs_after', [None, "20220101"])
+@patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version')
+@patch('wazuh_integration.sqlite3.connect')
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH)
+@patch('wazuh_integration.utils.get_wazuh_version')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_bucket_initializes_properly(mock_wazuh_integration, mock_version, mock_path, mock_client, mock_connect,
+                                         mock_metadata,
+                                         only_logs_after: str or None):
+    """Test if the instances of AWSBucket are created properly."""
+    kwargs = utils.get_aws_bucket_parameters(db_table_name=utils.TEST_TABLE_NAME, bucket=utils.TEST_BUCKET,
+                                             profile=utils.TEST_AWS_PROFILE, iam_role_arn=utils.TEST_IAM_ROLE_ARN,
+                                             account_alias=utils.TEST_ACCOUNT_ALIAS, prefix=utils.TEST_PREFIX,
+                                             suffix=utils.TEST_SUFFIX, aws_organization_id=utils.TEST_ORGANIZATION_ID,
+                                             region=utils.TEST_REGION, discard_field=utils.TEST_DISCARD_FIELD,
+                                             discard_regex=utils.TEST_DISCARD_REGEX,
+                                             sts_endpoint=utils.TEST_STS_ENDPOINT,
+                                             service_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                             iam_role_duration=utils.TEST_IAM_ROLE_DURATION, delete_file=True,
+                                             skip_on_error=True, reparse=True, only_logs_after=only_logs_after)
+    integration = aws_bucket.AWSBucket(**kwargs)
+    mock_wazuh_integration.assert_called_with(integration, service_name="s3",
+                                              profile=kwargs["profile"], iam_role_arn=kwargs["iam_role_arn"],
+                                              region=kwargs["region"], discard_field=kwargs["discard_field"],
+                                              discard_regex=kwargs["discard_regex"],
+                                              sts_endpoint=kwargs["sts_endpoint"],
+                                              service_endpoint=kwargs["service_endpoint"],
+                                              iam_role_duration=kwargs["iam_role_duration"], external_id=None,
+                                              skip_on_error=kwargs["skip_on_error"])
+
+    assert integration.retain_db_records == aws_bucket.MAX_RECORD_RETENTION
+    assert integration.reparse == kwargs["reparse"]
+    assert integration.only_logs_after == datetime.strptime(only_logs_after, aws_bucket.DB_DATE_FORMAT) \
+        if only_logs_after else integration.only_logs_after is None
+    assert integration.skip_on_error == kwargs["skip_on_error"]
+    assert integration.account_alias == kwargs["account_alias"]
+    assert integration.prefix == kwargs["prefix"]
+    assert integration.suffix == kwargs["suffix"]
+    assert integration.delete_file == kwargs["delete_file"]
+    assert integration.bucket == kwargs["bucket"]
+    assert integration.bucket_path == f'{kwargs["bucket"]}/{kwargs["prefix"]}'
+    assert integration.aws_organization_id == kwargs["aws_organization_id"]
+    assert not integration.check_prefix
+
+
+@pytest.mark.parametrize('log_file, account_id, region, expected_result', [
+    (utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, True),
+    (utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_2, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, True),
+    ("", utils.TEST_ACCOUNT_ID, utils.TEST_REGION, False),
+    (utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1, utils.TEST_ACCOUNT_ID, "", False),
+    (utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1, "", utils.TEST_REGION, False),
+])
+def test_aws_bucket_already_processed(custom_database,
+                                      log_file: str, account_id: str, region: str, expected_result: bool):
+    """Test 'already_processed' method correctly determines if a log file has been processed.
+
+    Parameters
+    ----------
+    log_file: str
+        Complete path of the downloaded file.
+    account_id: str
+        AWS account ID.
+    region: str
+        Region of service.
+    expected_result: bool
+        Expected result from the method's execution.
+    """
+    utils.database_execute_script(custom_database, TEST_CLOUDTRAIL_SCHEMA)
+
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, region=region)
+    bucket.db_connector = custom_database
+    bucket.db_cursor = bucket.db_connector.cursor()
+    bucket.db_table_name = 'cloudtrail'
+
+    assert bucket.already_processed(downloaded_file=log_file, aws_account_id=account_id,
+                                    aws_region=region) == expected_result
+
+
+def test_aws_bucket_get_creation_date_raises_exception():
+    """Test 'get_creation_date' method properly raise a NotImplementedError exception when being directly called."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with pytest.raises(NotImplementedError):
+        bucket.get_creation_date(utils.TEST_LOG_KEY)
+
+
+def test_aws_bucket_mark_complete(custom_database):
+    """Test 'mark_complete' method inserts non-processed logs into the DB."""
+    utils.database_execute_script(custom_database, TEST_EMPTY_TABLE_SCHEMA)
+
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET)
+    bucket.db_connector = custom_database
+    bucket.db_cursor = bucket.db_connector.cursor()
+    bucket.db_table_name = utils.TEST_TABLE_NAME
+
+    assert utils.database_execute_query(bucket.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=bucket.db_table_name)) == 0
+
+    with patch('aws_bucket.AWSBucket.get_creation_date', return_value=utils.TEST_CREATION_DATE):
+        bucket.mark_complete(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                             log_file={'Key': utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1})
+
+    assert utils.database_execute_query(bucket.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=bucket.db_table_name)) == 1
+
+    row = utils.database_execute_query(bucket.db_connector, SQL_GET_ROW.format(table_name=bucket.db_table_name))
+    assert row[0] == f"{utils.TEST_BUCKET}/"
+    assert row[1] == utils.TEST_ACCOUNT_ID
+    assert row[2] == utils.TEST_REGION
+    assert row[3] == utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1
+    assert row[4] == utils.TEST_CREATION_DATE
+
+
+@patch('aws_bucket.aws_tools.debug')
+def test_aws_bucket_mark_complete_handles_exceptions_when_db_query_fails(mock_debug, custom_database):
+    """Test 'mark_complete' handles exceptions raised when trying to execute a query to the DB."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    bucket.db_connector = custom_database
+    mocked_cursor = MagicMock()
+    mocked_cursor.execute.side_effect = Exception
+    bucket.db_cursor = mocked_cursor
+
+    bucket.mark_complete(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                         log_file={'Key': utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1})
+
+    mock_debug.assert_called_with(f'+++ Error marking log {utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1} as completed: ', 2)
+
+
+@pytest.mark.parametrize('region', [utils.TEST_REGION, "invalid_region"])
+def test_aws_bucket_db_count_region(custom_database, region):
+    """Test 'db_count_region' method counts the number of rows in DB for a region"""
+    utils.database_execute_script(custom_database, TEST_CLOUDTRAIL_SCHEMA)
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.db_connector = custom_database
+    bucket.db_cursor = bucket.db_connector.cursor()
+    bucket.db_table_name = utils.TEST_TABLE_NAME
+
+    expected_count = CLOUDTRAIL_SCHEMA_COUNT if region == utils.TEST_REGION else 0
+    assert bucket.db_count_region(utils.TEST_ACCOUNT_ID, region) == expected_count
+
+
+@pytest.mark.parametrize('expected_db_count', [CLOUDTRAIL_SCHEMA_COUNT, 0])
+def test_aws_bucket_db_maintenance(custom_database, expected_db_count):
+    """Test 'db_maintenance' method deletes rows from a table until the count is equal to 'retain_db_records'."""
+    utils.database_execute_script(custom_database, TEST_CLOUDTRAIL_SCHEMA)
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.db_connector = custom_database
+    bucket.db_cursor = bucket.db_connector.cursor()
+    bucket.db_table_name = utils.TEST_TABLE_NAME
+    bucket.retain_db_records = expected_db_count
+
+    assert utils.database_execute_query(bucket.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=bucket.db_table_name)) == CLOUDTRAIL_SCHEMA_COUNT
+
+    with patch('aws_bucket.AWSBucket.db_count_region', return_value=CLOUDTRAIL_SCHEMA_COUNT):
+        bucket.db_maintenance(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION)
+
+    assert utils.database_execute_query(bucket.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=bucket.db_table_name)) == expected_db_count
+
+
+@patch('builtins.print')
+def test_aws_bucket_db_maintenance_handles_exceptions_when_db_fails(mock_print, custom_database):
+    """Test 'db_maintenance' method handles exceptions raised when fails to make the DB maintenance."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    bucket.db_connector = custom_database
+    mocked_cursor = MagicMock()
+    mocked_cursor.execute.side_effect = Exception
+
+    bucket.db_maintenance(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION)
+
+    mock_print.assert_called_once()
+
+
+def test_aws_bucket_marker_custom_date():
+    """Test 'marker_custom_date' method returns a valid AWS bucket marker when using a custom date."""
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.date_format = '%Y-%m-%d'
+
+    test_date = datetime.now()
+    full_prefix = f"{utils.TEST_ACCOUNT_ID}/{utils.TEST_REGION}/"
+    with patch('aws_bucket.AWSBucket.get_full_prefix', return_value=full_prefix):
+        marker = bucket.marker_custom_date(aws_region=utils.TEST_REGION, aws_account_id=utils.TEST_ACCOUNT_ID,
+                                           date=test_date)
+    assert marker == f"{full_prefix}{test_date.strftime(bucket.date_format)}"
+
+
+def test_aws_bucket_marker_only_logs_after():
+    """Test 'marker_only_logs_after' method returns a valid marker using only_log_after."""
+    test_only_logs_after = utils.TEST_ONLY_LOGS_AFTER
+    bucket = utils.get_mocked_aws_bucket(only_logs_after=test_only_logs_after)
+    bucket.date_format = '%Y-%m-%d'
+
+    full_prefix = f"{utils.TEST_ACCOUNT_ID}/{utils.TEST_REGION}/"
+    with patch('aws_bucket.AWSBucket.get_full_prefix', return_value=full_prefix):
+        marker = bucket.marker_only_logs_after(aws_region=utils.TEST_REGION, aws_account_id=utils.TEST_ACCOUNT_ID)
+    assert marker == f"{full_prefix}{test_only_logs_after[0:4]}-{test_only_logs_after[4:6]}-{test_only_logs_after[6:8]}"
+
+
+@pytest.mark.parametrize('event', [SAMPLE_EVENT_1, SAMPLE_EVENT_2, None])
+def test_aws_bucket_get_alert_msg(event):
+    """Test 'get_alert_msg' method returns messages with the valid format."""
+    bucket = utils.get_mocked_aws_bucket(account_alias=utils.TEST_ACCOUNT_ALIAS)
+    expected_error_message = "error message"
+    expected_msg = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    expected_msg['aws']['log_info'].update({
+        'aws_account_alias': bucket.account_alias,
+        'log_file': utils.TEST_LOG_KEY,
+        's3bucket': bucket.bucket
+    })
+    if event:
+        # Remove 'None' values from the event before updating the message
+        expected_msg['aws'].update({k: v for k, v in event.items() if v is not None})
+    else:
+        expected_msg['error_msg'] = expected_error_message
+    assert bucket.get_alert_msg(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY, event,
+                                error_msg=expected_error_message) == expected_msg
+
+
+def test_aws_bucket_get_full_prefix():
+    """Test 'get_full_prefix' method properly raise a NotImplementedError exception when being directly called."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with pytest.raises(NotImplementedError):
+        bucket.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+
+def test_aws_bucket_get_base_prefix():
+    """Test 'get_base_prefix' method properly raise a NotImplementedError exception when being directly called."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with pytest.raises(NotImplementedError):
+        bucket.get_base_prefix()
+
+
+def test_aws_bucket_get_service_prefix():
+    """Test 'get_service_prefix' method properly raise a NotImplementedError exception when being directly called."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with pytest.raises(NotImplementedError):
+        bucket.get_service_prefix(utils.TEST_ACCOUNT_ID)
+
+
+@patch('aws_bucket.AWSBucket.get_base_prefix', return_value=utils.TEST_PREFIX)
+def test_aws_bucket_find_account_ids(mock_prefix):
+    """Test 'find_account_ids' method returns a valid account_ids list."""
+    object_list = {'CommonPrefixes': [{'Prefix': f'AWSLogs/{utils.TEST_ACCOUNT_ID}/'},
+                                      {'Prefix': f'AWSLogs/prefix/{utils.TEST_ACCOUNT_ID}/'}]}
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, prefix=utils.TEST_PREFIX)
+    bucket.client = MagicMock()
+    bucket.client.list_objects_v2.return_value = object_list
+
+    accounts = bucket.find_account_ids()
+    bucket.client.list_objects_v2.assert_called_with(Bucket=utils.TEST_BUCKET, Prefix=utils.TEST_PREFIX, Delimiter='/')
+    assert accounts == [utils.TEST_ACCOUNT_ID for _ in object_list['CommonPrefixes']]
+
+
+@pytest.mark.parametrize('error_code, exit_code', [
+    (aws_bucket.THROTTLING_EXCEPTION_ERROR_CODE, utils.THROTTLING_ERROR_CODE),
+    ('OtherClientException', utils.UNKNOWN_ERROR_CODE)
+])
+@patch('aws_bucket.AWSBucket.get_base_prefix', return_value=utils.TEST_PREFIX)
+def test_aws_bucket_find_account_ids_handles_exceptions_on_client_error(mock_prefix, error_code: str, exit_code: int):
+    """Test 'find_account_ids' method handles client errors as expected."""
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, prefix=utils.TEST_PREFIX)
+    bucket.client = MagicMock()
+    bucket.client.list_objects_v2.side_effect = botocore.exceptions.ClientError({'Error': {'Code': error_code}}, "name")
+
+    with pytest.raises(SystemExit) as e:
+        bucket.find_account_ids()
+    assert e.value.code == exit_code
+
+
+@patch('aws_bucket.AWSBucket.get_base_prefix', return_value=utils.TEST_PREFIX)
+@patch('aws_bucket.aws_tools.get_script_arguments')
+def test_aws_bucket_find_account_ids_handles_exceptions_on_key_error(mock_prefix, mock_script_arguments):
+    """Test 'find_account_ids' method handles KeyError as expected."""
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, prefix=utils.TEST_PREFIX)
+    bucket.client = MagicMock()
+    bucket.client.list_objects_v2.side_effect = KeyError
+
+    with pytest.raises(SystemExit) as e:
+        bucket.find_account_ids()
+    assert e.value.code == utils.INVALID_PREFIX_ERROR_CODE
+
+
+@pytest.mark.parametrize('object_list', [utils.LIST_OBJECT_V2, utils.LIST_OBJECT_V2_NO_PREFIXES])
+@patch('aws_bucket.AWSBucket.get_service_prefix', return_value=utils.TEST_PREFIX)
+def test_aws_bucket_find_regions(mock_prefix, object_list: dict):
+    """Test 'find_regions' method returns a valid region list."""
+
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, prefix=utils.TEST_PREFIX)
+    bucket.client = MagicMock()
+    bucket.client.list_objects_v2.return_value = object_list
+
+    accounts = bucket.find_regions(utils.TEST_ACCOUNT_ID)
+    bucket.client.list_objects_v2.assert_called_with(Bucket=utils.TEST_BUCKET, Prefix=utils.TEST_PREFIX, Delimiter='/')
+    if object_list.get('CommonPrefixes'):
+        assert accounts == [utils.TEST_REGION for _ in object_list['CommonPrefixes']]
+    else:
+        assert len(accounts) == 0
+
+
+@pytest.mark.parametrize('error_code, exit_code', [
+    (aws_bucket.THROTTLING_EXCEPTION_ERROR_CODE, utils.THROTTLING_ERROR_CODE),
+    ('OtherClientException', utils.UNKNOWN_ERROR_CODE)
+])
+@patch('aws_bucket.AWSBucket.get_service_prefix', return_value=utils.TEST_PREFIX)
+def test_aws_bucket_find_regions_handles_exceptions_on_client_error(mock_prefix, error_code: str, exit_code: int):
+    """Test 'find_regions' method handles client errors as expected."""
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, prefix=utils.TEST_PREFIX)
+    bucket.client = MagicMock()
+    bucket.client.list_objects_v2.side_effect = botocore.exceptions.ClientError({'Error': {'Code': error_code}}, "name")
+
+    with pytest.raises(SystemExit) as e:
+        bucket.find_regions(utils.TEST_ACCOUNT_ID)
+    assert e.value.code == exit_code
+
+
+@pytest.mark.parametrize('reparse', [True, False])
+@pytest.mark.parametrize('only_logs_after', [utils.TEST_ONLY_LOGS_AFTER, None])
+@pytest.mark.parametrize('iterating', [True, False])
+@pytest.mark.parametrize('custom_delimiter', ['', '-'])
+@pytest.mark.parametrize('region', [utils.TEST_REGION, 'region_for_empty_db'])
+@patch('aws_bucket.AWSBucket.get_full_prefix', return_value=utils.TEST_FULL_PREFIX)
+def test_aws_bucket_build_s3_filter_args(mock_get_full_prefix, custom_database,
+                                         region: str, custom_delimiter: str, iterating: bool,
+                                         only_logs_after: str or None, reparse: bool):
+    """Test 'build_s3_filter_args' method returns the expected filter arguments for the list_objects_v2 call.
+
+    Parameters
+    ----------
+    region: str
+        Region name.
+    custom_delimiter: str
+        Custom delimiter expected in the key.
+    iterating: bool
+        Whether the call to the method is being made inside a loop due to a truncated response.
+    only_logs_after: str or None
+        Date after which obtain logs.
+    reparse: bool
+        Whether to parse already parsed logs or not.
+    """
+    utils.database_execute_script(custom_database, TEST_CLOUDTRAIL_SCHEMA)
+
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, reparse=reparse, only_logs_after=only_logs_after)
+    bucket.db_connector = custom_database
+    bucket.db_cursor = bucket.db_connector.cursor()
+    bucket.db_table_name = utils.TEST_TABLE_NAME
+
+    expected_filter_args = {
+        'Bucket': bucket.bucket,
+        'MaxKeys': 1000,
+        'Prefix': mock_get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+    }
+
+    aws_account_id = utils.TEST_ACCOUNT_ID
+    aws_region = region
+
+    if bucket.reparse:
+        if only_logs_after:
+            filter_marker = bucket.marker_only_logs_after(aws_region, aws_account_id)
+        else:
+            filter_marker = bucket.marker_custom_date(aws_region, aws_account_id, bucket.default_date)
+    else:
+        filter_marker = utils.database_execute_query(bucket.db_connector, SQL_FIND_LAST_KEY_PROCESSED.format(
+            table_name=bucket.db_table_name))
+
+    if aws_region == 'region_for_empty_db':
+        filter_marker = bucket.marker_only_logs_after(aws_region, aws_account_id) if bucket.only_logs_after \
+            else bucket.marker_custom_date(aws_region, aws_account_id, bucket.default_date)
+
+    if not iterating:
+        expected_filter_args['StartAfter'] = filter_marker
+        if only_logs_after:
+            only_logs_marker = bucket.marker_only_logs_after(aws_region, aws_account_id)
+            expected_filter_args['StartAfter'] = only_logs_marker if only_logs_marker > filter_marker else filter_marker
+
+        if custom_delimiter:
+            prefix_len = len(expected_filter_args['Prefix'])
+            expected_filter_args['StartAfter'] = expected_filter_args['StartAfter'][:prefix_len] + \
+                                                 expected_filter_args['StartAfter'][prefix_len:]. \
+                                                     replace('/', custom_delimiter)
+
+    assert expected_filter_args == bucket.build_s3_filter_args(aws_account_id, aws_region, iterating,
+                                                               custom_delimiter)
+
+
+def test_aws_bucket_reformat_msg():
+    """Test 'reformat_msg' method applies the expected format to a given event."""
+    bucket = utils.get_mocked_aws_bucket()
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    event['aws'].update(
+        {
+            'sourceIPAddress': '255.255.255.255',
+            'tags': ['tag1', 'tag2'],
+            'additional_field': ['element']
+        }
+    )
+
+    formatted_event = bucket.reformat_msg(event)
+
+    assert isinstance(formatted_event['aws']['tags'], dict)
+    assert not isinstance(formatted_event['aws']['additional_field'], list)
+    assert formatted_event['aws']['source_ip_address'] == '255.255.255.255'
+    assert formatted_event['aws']['tags'] == {'value': ['tag1', 'tag2']}
+
+
+def test_aws_bucket_load_information_from_file():
+    """Test 'load_information_from_file' method properly raise a NotImplementedError exception
+    when being directly called."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with pytest.raises(NotImplementedError):
+        bucket.load_information_from_file(utils.TEST_LOG_KEY)
+
+
+@pytest.mark.parametrize('expected_result', [SAMPLE_EVENT_1, SAMPLE_EVENT_2])
+@patch('aws_bucket.AWSBucket.load_information_from_file')
+def test_aws_bucket_get_log_file(mock_load_from_file, expected_result):
+    """Test 'get_log_file' method returns the expected event from a log file"""
+    bucket = utils.get_mocked_aws_bucket()
+    mock_load_from_file.return_value = expected_result
+    assert expected_result == bucket.get_log_file(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY)
+    mock_load_from_file.assert_called_with(log_key=utils.TEST_LOG_KEY)
+
+
+@pytest.mark.parametrize('exception, error_message, exit_code', [
+    (TypeError, f'Failed to decompress file {utils.TEST_LOG_KEY}: TypeError()', utils.DECOMPRESS_FILE_ERROR_CODE),
+    (zipfile.BadZipfile, f'Failed to decompress file {utils.TEST_LOG_KEY}: BadZipFile()',
+     utils.DECOMPRESS_FILE_ERROR_CODE),
+    (zipfile.LargeZipFile, f'Failed to decompress file {utils.TEST_LOG_KEY}: LargeZipFile()',
+     utils.DECOMPRESS_FILE_ERROR_CODE),
+    (IOError, f'Failed to decompress file {utils.TEST_LOG_KEY}: OSError()', utils.DECOMPRESS_FILE_ERROR_CODE),
+    (ValueError, f'Failed to parse file {utils.TEST_LOG_KEY}: ValueError()', utils.PARSE_FILE_ERROR_CODE),
+    (csv.Error, f'Failed to parse file {utils.TEST_LOG_KEY}: Error()', utils.PARSE_FILE_ERROR_CODE),
+    (Exception, f'Unknown error reading/parsing file {utils.TEST_LOG_KEY}: Exception()', utils.UNKNOWN_ERROR_CODE)
+])
+@pytest.mark.parametrize('skip_on_error', [True, False])
+@patch('aws_bucket.AWSBucket.load_information_from_file')
+def test_aws_bucket_get_log_file_handles_exceptions_when_information_cannot_be_loaded(mock_load_from_file,
+                                                                                      skip_on_error: bool,
+                                                                                      exception: Exception,
+                                                                                      error_message: str,
+                                                                                      exit_code: int):
+    """Test 'get_log_file' method handles exceptions raised according to their type.
+
+    Parameters
+    ----------
+    skip_on_error: bool
+        Whether to send the error to Wazuh or exit with an error code.
+    exception: Exception
+        Exception that might be raised.
+    error_message: str
+        Expected error message.
+    exit_code: int
+        Expected exit code.
+    """
+    bucket = utils.get_mocked_aws_bucket(skip_on_error=skip_on_error)
+    mock_load_from_file.side_effect = exception
+    if bucket.skip_on_error:
+        with patch('aws_bucket.AWSBucket.send_msg') as mock_send_msg, \
+                patch('aws_bucket.aws_tools.debug') as mock_debug, \
+                patch('aws_bucket.AWSBucket.get_alert_msg', return_value='error_msg') as mock_get_alert_msg:
+            debug_message_example = "++ {}; skipping...".format(error_message)
+
+            bucket.get_log_file(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY)
+            mock_debug.assert_called_with(debug_message_example, 1)
+            mock_get_alert_msg.assert_called_once_with(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY, None, error_message)
+            mock_send_msg.assert_called_once_with(mock_get_alert_msg())
+
+            mock_send_msg.side_effect = Exception
+            bucket.get_log_file(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY)
+            mock_debug.assert_called_with("++ Failed to send message to Wazuh", 1)
+
+    else:
+        with pytest.raises(SystemExit) as e:
+            bucket.get_log_file(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY)
+        assert e.value.code == exit_code
+
+
+@patch('aws_bucket.AWSBucket.iter_regions_and_accounts')
+@patch('aws_bucket.AWSBucket.init_db')
+def test_aws_bucket_iter_bucket(mock_init, mock_iter):
+    """Test 'iter_bucket' method calls the appropriate functions."""
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.db_connector = MagicMock()
+    bucket.db_cursor = MagicMock()
+    bucket.iter_bucket(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+    mock_init.assert_called_once()
+    mock_iter.assert_called_with(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+    bucket.db_connector.commit.assert_called_once()
+    bucket.db_cursor.execute.assert_called_with(bucket.sql_db_optimize)
+    bucket.db_connector.close.assert_called_once()
+
+
+@pytest.mark.parametrize('account_id', [[utils.TEST_ACCOUNT_ID], None])
+@pytest.mark.parametrize('regions', [[utils.TEST_REGION], None])
+@patch('aws_bucket.AWSBucket.find_account_ids', return_value=[utils.TEST_ACCOUNT_ID])
+@patch('aws_bucket.AWSBucket.find_regions', side_effect=[[utils.TEST_REGION], None])
+@patch('aws_bucket.AWSBucket.iter_files_in_bucket')
+@patch('aws_bucket.AWSBucket.db_maintenance')
+def test_aws_bucket_iter_regions_and_accounts(mock_db_maintenance, mock_iter_files, mock_find_regions, mock_accounts,
+                                              regions: list[str], account_id: list[str]):
+    """Test 'iter_regions_and_accounts' method makes the necessary calls in order to process the bucket's files."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    bucket.iter_regions_and_accounts(account_id, regions)
+
+    if not account_id:
+        mock_accounts.assert_called_once()
+        account_id = bucket.find_account_ids()
+    for aws_account_id in account_id:
+        if not regions:
+            mock_find_regions.assert_called_with(aws_account_id)
+            regions = bucket.find_regions(aws_account_id)
+            if not regions:
+                continue
+        for region in regions:
+            mock_iter_files.assert_called_with(aws_account_id, region)
+            mock_db_maintenance.assert_called_with(aws_account_id=aws_account_id, aws_region=region)
+
+
+@patch('aws_bucket.AWSBucket.send_msg')
+@patch('aws_bucket.AWSBucket.reformat_msg', return_value=SAMPLE_EVENT_1)
+def test_aws_bucket_send_event(mock_reformat, mock_send):
+    """Test 'send_event' method makes the necessary calls in order to send an event to Analysisd."""
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.send_event(SAMPLE_EVENT_1)
+    mock_reformat.assert_called_with(SAMPLE_EVENT_1)
+    mock_send.assert_called_with(SAMPLE_EVENT_1)
+
+
+@pytest.mark.parametrize('discard_field', [None, 'eventVersion'])
+@pytest.mark.parametrize('discard_regex', [None, '^ver.ion$'])
+@patch('aws_bucket.AWSBucket.get_alert_msg')
+@patch('aws_bucket.AWSBucket.send_event')
+@patch('aws_bucket.aws_tools.debug')
+def test_aws_bucket_iter_events(mock_debug, mock_send_event, mock_get_alert,
+                                discard_regex: str or None, discard_field: str or None):
+    """Test 'iter_events' method process a list of events and discards them in case they contain the discard values.
+
+    Parameters
+    ----------
+    discard_regex: str or None
+        REGEX value to determine whether an event should be skipped.
+    discard_field: str or None
+        Name of the event field to apply the regex value on.
+    """
+    bucket = utils.get_mocked_aws_bucket(discard_field=discard_field, discard_regex=discard_regex)
+    event_list = [
+        {'eventVersion': 'version', 'userIdentity': {'type': 'someType'}, 'eventTime': 'someTime', 'eventName': 'name',
+         'source': 'cloudtrail'}]
+
+    bucket.iter_events(event_list, utils.TEST_LOG_KEY, utils.TEST_ACCOUNT_ID)
+    for event in event_list:
+        if bucket.discard_field and discard_regex:
+            mock_debug.assert_any_call(
+                f'+++ The "{bucket.discard_regex.pattern}" regex found a match in the "{bucket.discard_field}" '
+                f'field. The event will be skipped.', 2)
+            continue
+        mock_get_alert.assert_called_with(utils.TEST_ACCOUNT_ID, utils.TEST_LOG_KEY, event)
+        mock_send_event.assert_called()
+
+
+@pytest.mark.parametrize('object_list',
+                         [utils.LIST_OBJECT_V2, utils.LIST_OBJECT_V2_NO_PREFIXES, utils.LIST_OBJECT_V2_TRUNCATED])
+@pytest.mark.parametrize('reparse', [True, False])
+@pytest.mark.parametrize('check_prefix', [True, False])
+@pytest.mark.parametrize('delete_file', [True, False])
+@patch('aws_bucket.aws_tools.debug')
+@patch('aws_bucket.AWSBucket.build_s3_filter_args')
+def test_aws_bucket_iter_files_in_bucket(mock_build_filter, mock_debug,
+                                         delete_file: bool, check_prefix: bool, reparse: bool, object_list: dict):
+    """Test 'iter_files_in_bucket' method makes the necessary method calls
+    in order to process the logs inside the bucket.
+
+    Parameters
+    ----------
+    delete_file: bool
+        Whether to remove the file from the bucket or not.
+    check_prefix: bool
+        Whether to check the key prefix or not.
+    reparse: bool
+        Whether to parse already parsed logs or not.
+    object_list: dict
+        Objects to be returned by list_objects_v2.
+    """
+    bucket = utils.get_mocked_aws_bucket(bucket=utils.TEST_BUCKET, delete_file=delete_file, reparse=reparse,
+                                         prefix=utils.TEST_PREFIX)
+
+    mock_build_filter.return_value = {
+        'Bucket': bucket.bucket,
+        'MaxKeys': 1000,
+        'Prefix': utils.TEST_PREFIX
+    }
+
+    bucket.client.list_objects_v2.return_value = object_list
+    bucket.check_prefix = check_prefix
+
+    aws_account_id = utils.TEST_ACCOUNT_ID
+    aws_region = utils.TEST_REGION
+
+    with patch('aws_bucket.AWSBucket.already_processed', return_value=True) as mock_already_processed, \
+            patch('aws_bucket.AWSBucket.get_log_file') as mock_get_log_file, \
+            patch('aws_bucket.AWSBucket.iter_events') as mock_iter_events, \
+            patch('aws_bucket.AWSBucket.mark_complete') as mock_mark_complete, \
+            patch('aws_bucket.AWSBucket.get_full_prefix', return_value=utils.TEST_FULL_PREFIX):
+
+        if 'IsTruncated' in object_list and object_list['IsTruncated']:
+            bucket.client.list_objects_v2.side_effect = [object_list, utils.LIST_OBJECT_V2_NO_PREFIXES]
+
+        bucket.iter_files_in_bucket(aws_account_id, aws_region)
+
+        if bucket.reparse:
+            mock_debug.assert_any_call('++ Reparse mode enabled', 2)
+
+        mock_build_filter.assert_any_call(aws_account_id, aws_region)
+        bucket.client.list_objects_v2.assert_called_with(**mock_build_filter(aws_account_id, aws_region))
+
+        if 'Contents' not in object_list:
+            mock_debug.assert_any_call(f"+++ No logs to process in bucket: {aws_account_id}/{aws_region}",
+                                       1)
+        else:
+            for bucket_file in object_list['Contents']:
+                if not bucket_file['Key']:
+                    continue
+
+                if bucket_file['Key'][-1] == '/':
+                    continue
+
+                if bucket.check_prefix:
+                    date_match = bucket.date_regex.search(bucket_file['Key'])
+                    match_start = date_match.span()[0] if date_match else None
+
+                    if not bucket._same_prefix(match_start, aws_account_id, aws_region):
+                        mock_debug.assert_any_call(f"++ Skipping file with another prefix: {bucket_file['Key']}", 3)
+                        continue
+
+                mock_already_processed.assert_called_with(bucket_file['Key'], aws_account_id, aws_region)
+                if bucket.reparse:
+                    mock_debug.assert_any_call(
+                        f"++ File previously processed, but reparse flag set: {bucket_file['Key']}",
+                        1)
+                else:
+                    mock_debug.assert_any_call(f"++ Skipping previously processed file: {bucket_file['Key']}", 1)
+                    continue
+
+                mock_debug.assert_any_call(f"++ Found new log: {bucket_file['Key']}", 2)
+                mock_get_log_file.assert_called_with(aws_account_id, bucket_file['Key'])
+                mock_iter_events.assert_called()
+
+                if bucket.delete_file:
+                    mock_debug.assert_any_call(f"+++ Remove file from S3 Bucket:{bucket_file['Key']}", 2)
+
+                mock_mark_complete.assert_called_with(aws_account_id, aws_region, bucket_file)
+
+            if object_list['IsTruncated']:
+                mock_build_filter.assert_any_call(aws_account_id, aws_region, True)
+
+
+@pytest.mark.parametrize('error_code, exit_code', [
+    (aws_bucket.THROTTLING_EXCEPTION_ERROR_CODE, utils.THROTTLING_ERROR_CODE),
+    ('OtherClientException', utils.UNKNOWN_ERROR_CODE),
+])
+def test_aws_bucket_iter_files_in_bucket_handles_exceptions_on_error(error_code, exit_code):
+    """Test 'iter_files_in_bucket' method handles exceptions raised when trying to fetch objects from AWS
+    or by an unexpected cause and exits with the expected exit code.
+    """
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.client = MagicMock()
+
+    with patch('aws_bucket.AWSBucket.build_s3_filter_args') as mock_build_filter:
+        with pytest.raises(SystemExit) as e:
+            bucket.client.list_objects_v2.side_effect = botocore.exceptions.ClientError({'Error': {'Code': error_code}},
+                                                                                        "name")
+            bucket.iter_files_in_bucket(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+        assert e.value.code == exit_code
+
+        with pytest.raises(SystemExit) as e:
+            mock_build_filter.side_effect = Exception
+            bucket.iter_files_in_bucket(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+        assert e.value.code == utils.UNEXPECTED_ERROR_WORKING_WITH_S3
+
+
+def test_aws_bucket_check_bucket():
+    """Test 'check_bucket' method makes the necessary method calls in order to verify that the bucket is not empty."""
+    page = {'CommonPrefixes': 'list of Prefix'}
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.client = MagicMock()
+
+    paginator = MagicMock()
+    bucket.client.get_paginator.return_value = paginator
+    paginator.paginate = MagicMock(return_value=[page])
+    bucket.check_bucket()
+
+    bucket.client.get_paginator.assert_called_once()
+    paginator.paginate.assert_called_with(Bucket=bucket.bucket, Prefix=bucket.prefix, Delimiter='/')
+
+
+def test_aws_bucket_check_bucket_exits_when_empty():
+    """Test 'check_bucket' method exits with the expected error code when the bucket is empty."""
+    page = {'OtherKey': ''}
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.client = MagicMock()
+
+    paginator = MagicMock()
+    bucket.client.get_paginator.return_value = paginator
+    paginator.paginate = MagicMock(return_value=[page])
+
+    with pytest.raises(SystemExit) as e:
+        bucket.check_bucket()
+    paginator.paginate.assert_called_with(Bucket=bucket.bucket, Prefix=bucket.prefix, Delimiter='/')
+    assert e.value.code == 14
+
+
+@pytest.mark.parametrize('error_code, exit_code', [
+    (aws_bucket.THROTTLING_EXCEPTION_ERROR_CODE, utils.THROTTLING_ERROR_CODE),
+    (aws_bucket.INVALID_CREDENTIALS_ERROR_CODE, utils.INVALID_CREDENTIALS_ERROR_CODE),
+    (aws_bucket.INVALID_REQUEST_TIME_ERROR_CODE, utils.INVALID_REQUEST_TIME_ERROR_CODE),
+    ("OtherClientError", utils.UNKNOWN_ERROR_CODE)
+])
+def test_aws_bucket_check_bucket_handles_exceptions_on_client_error(error_code: str, exit_code: int):
+    """Test 'check_bucket' method handles the different botocore client exceptions and exits with the expected code
+    when an exception is raised accessing to AWS.
+
+    Parameters
+    ----------
+    error_code: str
+        Expected error message.
+    exit_code: int
+        Expected exit code.
+    """
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.client = MagicMock()
+
+    with pytest.raises(SystemExit) as e:
+        bucket.client.get_paginator.side_effect = botocore.exceptions.ClientError({'Error': {'Code': error_code}},
+                                                                                  "name")
+        bucket.check_bucket()
+    assert e.value.code == exit_code
+
+
+def test_aws_bucket_check_bucket_handles_exceptions_on_endpoint_error():
+    """Test 'check_bucket' method handles botocore endpoint exceptions and exits with the expected code
+    when an exception is raised connecting to AWS."""
+    bucket = utils.get_mocked_aws_bucket()
+    bucket.client = MagicMock()
+
+    with pytest.raises(SystemExit) as e:
+        bucket.client.get_paginator.side_effect = botocore.exceptions.EndpointConnectionError(
+            endpoint_url='endpoint.aws.com')
+        bucket.check_bucket()
+    assert e.value.code == utils.INVALID_ENDPOINT_ERROR_CODE
+
+
+@pytest.mark.parametrize('prefix', [utils.TEST_PREFIX, None])
+@pytest.mark.parametrize('suffix', [utils.TEST_SUFFIX, None])
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('aws_bucket.AWSBucket.__init__', side_effect=aws_bucket.AWSBucket.__init__)
+def test_aws_logs_bucket_initializes_properly(mock_bucket, mock_wazuh_aws_database, prefix, suffix):
+    """Test if the instances of AWSLogsBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket, bucket=utils.TEST_BUCKET,
+                                       prefix=prefix, suffix=suffix)
+    mock_bucket.assert_called_once()
+    assert instance.bucket_path == f"{utils.TEST_BUCKET}/{prefix}{suffix}"
+
+
+@pytest.mark.parametrize('organization_id', [utils.TEST_ORGANIZATION_ID, None])
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_logs_bucket_get_base_prefix(mock_wazuh_aws_database, organization_id):
+    """Test 'get_base_prefix' returns the expected prefix with the format
+    <prefix>/AWSLogs/<suffix>/<organization_id>/.
+    """
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket, aws_organization_id=organization_id,
+                                       prefix=f'{utils.TEST_PREFIX}/', suffix=f'{utils.TEST_SUFFIX}/')
+    expected_base_prefix = os.path.join(utils.TEST_PREFIX, 'AWSLogs', utils.TEST_SUFFIX,
+                                        (organization_id if organization_id else ""), '')
+    assert instance.get_base_prefix() == expected_base_prefix
+
+
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('aws_bucket.AWSLogsBucket.get_base_prefix', return_value='base_prefix/')
+def test_aws_logs_bucket_get_service_prefix(mock_base_prefix, mock_wazuh_aws_database):
+    """Test 'get_service_prefix' method returns the expected prefix with the format
+    <base_prefix>/<account_id>/<service>.
+    """
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket)
+    instance.service = utils.TEST_SERVICE_NAME
+    expected_base_prefix = os.path.join('base_prefix', utils.TEST_ACCOUNT_ID, utils.TEST_SERVICE_NAME, '')
+    assert instance.get_service_prefix(utils.TEST_ACCOUNT_ID) == expected_base_prefix
+
+
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('aws_bucket.AWSLogsBucket.get_service_prefix', return_value='service_prefix/')
+def test_aws_logs_bucket_get_full_prefix(mock_service_prefix, mock_wazuh_aws_database):
+    """Test 'get_full_prefix' method returns the expected prefix with the format <service_prefix>/<region>."""
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket, region=utils.TEST_REGION)
+    expected_base_prefix = os.path.join('service_prefix', utils.TEST_REGION, '')
+    assert instance.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION) == expected_base_prefix
+
+
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_logs_bucket_get_creation_date(mock_wazuh_aws_database):
+    """Test 'get_creation_date' method returns the expected date from a log filename."""
+    log_file = {'Key': utils.TEST_LOG_FULL_PATH_CLOUDTRAIL_1}
+    expected_result = 20190401
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket)
+    assert instance.get_creation_date(log_file) == expected_result
+
+
+def test_aws_logs_bucket_get_alert_msg():
+    """Test 'get_alert_msg' method returns messages with the valid format."""
+    bucket = utils.get_mocked_aws_bucket()
+
+    with patch('wazuh_integration.WazuhAWSDatabase.__init__'):
+        instance = utils.get_mocked_bucket(class_=aws_bucket.AWSLogsBucket)
+        aws_account_id = utils.TEST_ACCOUNT_ID
+        expected_msg = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+        expected_error_message = "error message"
+
+        expected_alert_msg = bucket.get_alert_msg(aws_account_id, utils.TEST_LOG_KEY, expected_msg,
+                                                  error_msg=expected_error_message)
+        expected_alert_msg['aws']['aws_account_id'] = aws_account_id
+
+        assert expected_alert_msg == instance.get_alert_msg(aws_account_id, utils.TEST_LOG_KEY, expected_msg,
+                                                            expected_error_message)
+
+
+@pytest.mark.parametrize('class_, json_file_content, result', [
+    (AWSCloudTrailBucket, {"field_to_load": "example"}, None),
+    (AWSCloudTrailBucket, {"Records": [{"example_key": "example_value"}]},
+     [{"example_key": "example_value", 'source': 'cloudtrail'}]),
+    (AWSConfigBucket, {"configurationItems": [{"example_key": "example_value"}]},
+     [{"example_key": "example_value", 'source': 'config'}])])
+@patch('json.load')
+@patch('aws_bucket.AWSBucket.decompress_file')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_logs_bucket_load_information_from_file(mock_wazuh_aws_database, mock_decompress, mock_json_load,
+                                                    class_: AWSCloudTrailBucket or AWSConfigBucket,
+                                                    json_file_content: dict, result: list[dict] or None):
+    """Test 'load_information_from_file' method returns the expected information.
+
+    Parameters
+    ----------
+    class_: AWSCloudTrailBucket or AWSConfigBucket
+        Subclasses of AWSLogsBucket which determine the field to load from the file.
+    json_file_content: dict
+        File content.
+    result: list[dict] or None
+        Expected information to be fetched from the file.
+    """
+    instance = utils.get_mocked_bucket(class_=class_)
+
+    mock_json_load.return_value = json_file_content
+
+    assert result == instance.load_information_from_file(utils.TEST_LOG_KEY)
+    mock_decompress.assert_called_once_with(instance.bucket, log_key=utils.TEST_LOG_KEY)
+
+
+@pytest.mark.parametrize('profile', [utils.TEST_AWS_PROFILE, None])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('aws_bucket.AWSBucket.__init__', side_effect=aws_bucket.AWSBucket.__init__)
+def test_aws_custom_bucket_initializes_properly(mock_bucket, mock_wazuh_aws_database, mock_sts, profile):
+    """Test if the instances of AWSCustomBucket are created properly."""
+
+    mock_client = MagicMock()
+    mock_sts.return_value = mock_client
+
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket,
+                                       profile=profile)
+    mock_bucket.assert_called_once()
+
+    assert instance.retain_db_records == aws_bucket.MAX_RECORD_RETENTION
+    mock_sts.assert_called_with(profile=profile)
+    mock_client.get_caller_identity.assert_called_once()
+    assert instance.macie_location_pattern == re.compile(r'"lat":(-?0+\d+\.\d+),"lon":(-?0+\d+\.\d+)')
+    assert instance.check_prefix
+
+
+@pytest.mark.parametrize('data, result', [
+    ('{"source": "aws.custombucket", "detail": {"schemaVersion": "2.0"}}',
+     [{"source": "custombucket", "schemaVersion": "2.0"}]),
+    ('version account_id\nversion account_id', [{"source": "vpc", "version": "version", "account_id": "account_id"}])
+])
+@patch('csv.DictReader', return_value=[{"version": "version", "account_id": "account_id"}])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_load_information_from_file(mock_wazuh_aws_database, mock_sts, mock_reader,
+                                                      data: str, result: list[dict]):
+    """Test 'load_information_from_file' method returns the expected information.
+
+    Parameters
+    ----------
+    data: str
+        File content.
+    result: list[dict]
+        Expected information to be fetched from the file.
+    """
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+
+    with patch('aws_bucket.AWSBucket.decompress_file', mock_open(read_data=data)):
+        assert result == instance.load_information_from_file(utils.TEST_LOG_KEY)
+
+
+@pytest.mark.parametrize('log_file, expected_date', [
+    ({'Key': 'AWSLogs/166157441623/elasticloadbalancing/us-west-1/2021/12/21/166157441623_elasticloadbalancing'},
+     20211221),
+    ({'Key': 'AWSLogs/875611522134/elasticloadbalancing/us-west-1/2020/01/03/166157441623_elasticloadbalancing'},
+     20200103),
+    ({'Key': '981837383623/iplogs/2020-09-20/2020-09-20-00-00-moyl.csv.gz'}, 20200920),
+    ({'Key': '836629801214/iplogs/2021-01-18/2021-01-18-00-00-zxsb.csv.gz'}, 20210118),
+    ({'Key': '2020/09/30/13/firehose_guardduty-1-2020-09-30-13-17-05-532e184c-1hfba.zip'}, 20200930),
+    ({'Key': '2020/10/15/03/firehose_guardduty-1-2020-10-15-03-22-01-ea728dd1-763a4.zip'}, 20201015),
+    ({'Key': 'AWSLogs/567970947422/GuardDuty/us-east-1/2022/10/21/ec7b0b8c-5ec8-32ec-8e77-c738515b4f6f.jsonl.gz'},
+     20221021),
+    ({'Key': '2021/03/18/aws-waf-logs-delivery-stream-1-2021-03-18-10-32-48-77baca34f-efad-4f14-45bd7871'},
+     20210318),
+    ({'Key': '2021/09/06/aws-waf-logs-delivery-stream-1-2021-09-06-21-02-18-8ba031bbd-babf-4c6a-83ba282c'},
+     20210906),
+    ({'Key': '2021-11-12-09-11-26-B9F9F891E8D0EB13'}, 20211112),
+    ({'Key': '20-03-02-21-02-43-A8269E82CA8BDD21', 'LastModified': datetime.strptime('2021/01/23', '%Y/%m/%d')},
+     20210123)
+])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_get_creation_date(mock_wazuh_aws_database, mock_sts, log_file: dict, expected_date: int):
+    """Test AWSCustomBucket's get_creation_date method.
+
+    Parameters
+    ----------
+    log_file : dict
+        The log file introduced.
+    expected_date : int
+        The date that the method should return.
+    """
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+
+    assert instance.get_creation_date(log_file) == expected_date
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_get_full_prefix(mock_wazuh_aws_database, mock_sts):
+    """Test 'get_full_prefix' method returns the expected prefix."""
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket, prefix=utils.TEST_PREFIX)
+
+    assert instance.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION) == utils.TEST_PREFIX
+
+
+@pytest.mark.parametrize('event_field, event_field_name', [('count', ''), ('other_field', 'event_field_value')])
+@pytest.mark.parametrize('source', ['macie', 'custom'])
+@pytest.mark.parametrize('macie_field', ['Bucket', 'DLP risk', 'IP', 'Location', 'Object',
+                                         'Owner', 'Themes', 'Timestamps', 'recipientAccountId'])
+def test_aws_custom_bucket_reformat_msg(macie_field: str, source: str, event_field: str, event_field_name: str):
+    """Test 'reformat_msg' method applies the expected format to a given event depending on the event field.
+
+    Parameters
+    ----------
+    macie_field: str
+        Fields present in AWS Macie logs.
+    source: str
+        Field that determines from which AWS Service the log comes from.
+    event_field: str
+        Field that may or may not be present in the event.
+    event_field_name: str
+        Field that may or may not be present in the event.
+    """
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    event['aws'].update(
+        {
+            'source': source,
+            'trigger': 'test_value',
+            'service': {
+                'additionalInfo': {
+                    'unusual': 'unusual_value'
+                }
+            }
+        }
+    )
+    if event['aws']['source'] == 'macie':
+        event['aws'].update(
+            {
+                'trigger': 'test_value',
+                'summary': {
+                    macie_field: {
+                        'test_key': 'value'
+                    },
+                    'Events': {
+                        'event_name': {
+                            event_field: {
+                                event_field_name: 'value'
+                            }
+                        }
+                    }
+                }
+            }
+        )
+
+    with patch('wazuh_integration.WazuhIntegration.get_sts_client'), \
+            patch('wazuh_integration.WazuhAWSDatabase.__init__'), \
+            patch('aws_bucket.AWSBucket.reformat_msg') as mock_reformat:
+        instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+
+        instance.reformat_msg(event)
+        mock_reformat.assert_called_once_with(instance, event)
+        assert event['aws']['service']['additionalInfo']['unusual'] == {'value': 'unusual_value'}
+
+        if source == 'macie':
+            assert 'trigger' not in event['aws']
+            assert event['aws']['summary'][macie_field] == ['test_key']
+            assert event['aws']['summary']['Events']['event_name'] == {event_field: [event_field_name]}
+
+
+@patch('aws_bucket.AWSBucket.iter_files_in_bucket')
+@patch('aws_bucket.AWSCustomBucket.db_maintenance')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_iter_regions_and_accounts(mock_wazuh_aws_database, mock_sts, mock_maintenance,
+                                                     mock_iter_files_bucket):
+    """Test 'iter_regions_and_accounts' method makes the necessary calls in order to process the bucket's files."""
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+
+    instance.iter_regions_and_accounts(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+    mock_maintenance.assert_called_once()
+    mock_iter_files_bucket.assert_called_once()
+
+
+@pytest.mark.parametrize('log_file, account_id, region, expected_result', [
+    (utils.TEST_LOG_FULL_PATH_CUSTOM_1, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, True),
+    (utils.TEST_LOG_FULL_PATH_CUSTOM_2, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, True),
+    ("", utils.TEST_ACCOUNT_ID, utils.TEST_REGION, False),
+    (utils.TEST_LOG_FULL_PATH_CUSTOM_1, utils.TEST_ACCOUNT_ID, "", True),
+    (utils.TEST_LOG_FULL_PATH_CUSTOM_1, "", utils.TEST_REGION, False),
+])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_already_processed(mock_wazuh_aws_database, mock_sts,
+                                             custom_database, log_file: str, account_id: str, region: str,
+                                             expected_result):
+    """Test 'already_processed' method correctly determines if a log file has been processed.
+
+    Parameters
+    ----------
+    log_file: str
+        Complete path of the downloaded file.
+    account_id: str
+        AWS account ID.
+    region: str
+        Region of service.
+    expected_result: bool
+        Expected result from the method's execution.
+    """
+    utils.database_execute_script(custom_database, TEST_CUSTOM_SCHEMA)
+
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket, bucket=utils.TEST_BUCKET, region=region)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = 'custom'
+    instance.aws_account_id = account_id
+
+    assert instance.already_processed(downloaded_file=log_file, aws_account_id=account_id,
+                                      aws_region=region) == expected_result
+
+
+def test_aws_custom_bucket_mark_complete():
+    """Test 'mark_complete' method inserts non-processed logs into the DB."""
+    test_log_file = 'log_file'
+
+    bucket = utils.get_mocked_aws_bucket()
+
+    with patch('wazuh_integration.WazuhIntegration.get_sts_client'), \
+            patch('wazuh_integration.WazuhAWSDatabase.__init__'), \
+            patch('aws_bucket.AWSBucket.mark_complete'):
+        instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+        instance.aws_account_id = utils.TEST_ACCOUNT_ID
+
+        instance.mark_complete(utils.TEST_ACCOUNT_ID, utils.TEST_REGION, test_log_file)
+        bucket.mark_complete.assert_called_once_with(instance, instance.aws_account_id, utils.TEST_REGION,
+                                                     test_log_file)
+
+
+@pytest.mark.parametrize('aws_account_id', [utils.TEST_ACCOUNT_ID, None])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_db_count_custom(mock_wazuh_aws_database, mock_sts, custom_database,
+                                           aws_account_id: str or None):
+    """Test 'db_count_region' method returns the number of rows in DB for an AWS account id.
+
+    Parameters
+    ----------
+    aws_account_id: str or None
+        AWS account ID.
+    """
+    utils.database_execute_script(custom_database, TEST_CUSTOM_SCHEMA)
+
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = "custom"
+    instance.aws_account_id = utils.TEST_ACCOUNT_ID
+
+    expected_count = CUSTOM_SCHEMA_COUNT
+    assert instance.db_count_custom(aws_account_id) == expected_count
+
+
+@pytest.mark.parametrize('expected_db_count', [CUSTOM_SCHEMA_COUNT, 0])
+@pytest.mark.parametrize('aws_account_id', [utils.TEST_ACCOUNT_ID, None])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_db_maintenance(mock_wazuh_aws_database, mock_sts, aws_account_id, expected_db_count,
+                                          custom_database):
+    """Test 'db_maintenance' method deletes rows from a table until the count is equal to 'retain_db_records'."""
+    utils.database_execute_script(custom_database, TEST_CUSTOM_SCHEMA)
+
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = "custom"
+    instance.retain_db_records = expected_db_count
+    instance.aws_account_id = utils.TEST_ACCOUNT_ID
+
+    assert utils.database_execute_query(instance.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=instance.db_table_name)) == CUSTOM_SCHEMA_COUNT
+
+    with patch('aws_bucket.AWSCustomBucket.db_count_custom', return_value=CUSTOM_SCHEMA_COUNT):
+        instance.db_maintenance(aws_account_id=aws_account_id)
+
+    assert utils.database_execute_query(instance.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=instance.db_table_name)) == expected_db_count
+
+
+@patch('builtins.print')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_custom_bucket_db_maintenance_handles_exceptions(mock_wazuh_aws_database, mock_sts, mock_print,
+                                                             custom_database):
+    """Test 'db_maintenance' handles exceptions raised when trying to execute a query to the DB."""
+    instance = utils.get_mocked_bucket(class_=aws_bucket.AWSCustomBucket)
+
+    instance.db_connector = custom_database
+    mocked_cursor = MagicMock()
+    mocked_cursor.execute.side_effect = Exception
+
+    instance.db_maintenance(aws_account_id=utils.TEST_ACCOUNT_ID)
+
+    mock_print.assert_called_once()
diff --git a/src/modules/aws/scripts/tests/test_aws_s3.py b/src/modules/aws/scripts/tests/test_aws_s3.py
new file mode 100644
index 0000000000..8ce44fdd2e
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_aws_s3.py
@@ -0,0 +1,94 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import aws_s3
+import aws_tools
+import services
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+
+@pytest.mark.parametrize('args, class_', [
+    (['main', '--bucket', 'bucket-name', '--type', 'cloudtrail'], 'buckets_s3.cloudtrail.AWSCloudTrailBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'vpcflow'], 'buckets_s3.vpcflow.AWSVPCFlowBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'config'], 'buckets_s3.config.AWSConfigBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'custom'], 'buckets_s3.aws_bucket.AWSCustomBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'guardduty'], 'buckets_s3.guardduty.AWSGuardDutyBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'cisco_umbrella'], 'buckets_s3.umbrella.CiscoUmbrella'),
+    (['main', '--bucket', 'bucket-name', '--type', 'waf'], 'buckets_s3.waf.AWSWAFBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'alb'], 'buckets_s3.load_balancers.AWSALBBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'clb'], 'buckets_s3.load_balancers.AWSCLBBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'nlb'], 'buckets_s3.load_balancers.AWSNLBBucket'),
+    (['main', '--bucket', 'bucket-name', '--type', 'server_access'], 'buckets_s3.server_access.AWSServerAccess'),
+    (['main', '--service', 'inspector'], 'services.inspector.AWSInspector'),
+    (['main', '--service', 'cloudwatchlogs'], 'services.cloudwatchlogs.AWSCloudWatchLogs'),
+    (['main', '--subscriber', 'security_lake', '--iam_role_arn', utils.TEST_IAM_ROLE_ARN,
+      '--external_id', utils.TEST_EXTERNAL_ID, '--queue', utils.TEST_SQS_NAME], 'subscribers.sqs_queue.AWSSQSQueue'),
+    (['main', '--subscriber', 'buckets', '--queue', utils.TEST_SQS_NAME], 'subscribers.sqs_queue.AWSSQSQueue'),
+    (['main', '--subscriber', 'security_hub', '--queue', utils.TEST_SQS_NAME], 'subscribers.sqs_queue.AWSSQSQueue')
+])
+@patch('aws_tools.get_script_arguments', side_effect=aws_tools.get_script_arguments)
+def test_main(mock_arguments, args: list[str], class_):
+    """Test 'main' function makes the expected calls when processing buckets or services.
+
+    Parameters
+    ----------
+    args : list[str]
+        List of arguments that make the `main` function exit.
+    class_: AWSBucket or AWSService
+        Class to be instantiated.
+    """
+    instance = MagicMock()
+    with patch("sys.argv", args), \
+            patch("configparser.RawConfigParser.has_option", return_value=False), \
+            patch(class_) as mocked_class:
+        mocked_class.return_value = instance
+        aws_s3.main(args)
+    mock_arguments.assert_called_once()
+    if 'bucket' in args[1]:
+        mocked_class.assert_called_once()
+        instance.check_bucket.assert_called_once()
+        instance.iter_bucket.assert_called_once()
+    elif 'service' in args[1]:
+        if args[2] == 'inspector':
+            assert mocked_class.call_count == len(services.inspector.SUPPORTED_REGIONS)
+            assert instance.get_alerts.call_count == len(services.inspector.SUPPORTED_REGIONS)
+        else:
+            assert mocked_class.call_count == len(aws_tools.ALL_REGIONS)
+            assert instance.get_alerts.call_count == len(aws_tools.ALL_REGIONS)
+    elif 'subscriber' in args[1]:
+        mocked_class.assert_called_once()
+        instance.sync_events.assert_called_once()
+
+
+@pytest.mark.parametrize('args, error_code', [
+    (['main', '--bucket', 'bucket-name', '--type', 'invalid'], utils.INVALID_TYPE_ERROR_CODE),
+    (['main', '--service', 'invalid'], utils.INVALID_TYPE_ERROR_CODE),
+    (['main', '--subscriber', 'invalid'], utils.INVALID_TYPE_ERROR_CODE),
+    (['main', '--service', 'cloudwatchlogs', '--regions', 'in-valid-1'], utils.INVALID_REGION_ERROR_CODE),
+    (['main', '--service', 'inspector', '--regions', 'in-valid-1'], utils.INVALID_REGION_ERROR_CODE),
+    (['main', '--service', 'inspector', '--regions', 'af-south-1'], utils.INVALID_REGION_ERROR_CODE)
+])
+def test_main_type_ko(args: list[str], error_code: int):
+    """Test 'main' function handles exceptions when receiving invalid buckets or services.
+
+    Parameters
+    ----------
+    args : list[str]
+        List of arguments that make the `main` function exit.
+    error_code : int
+        Expected error code.
+    """
+    with patch("sys.argv", args), \
+            pytest.raises(SystemExit) as e:
+        aws_s3.main(args)
+    assert e.value.code == error_code
diff --git a/src/modules/aws/scripts/tests/test_aws_service.py b/src/modules/aws/scripts/tests/test_aws_service.py
new file mode 100644
index 0000000000..2dbc533f2a
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_aws_service.py
@@ -0,0 +1,91 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import copy
+import os
+import sys
+from datetime import datetime
+from unittest.mock import MagicMock, patch
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'services'))
+import aws_service
+
+TEST_DATETIME = datetime.now()
+TEST_DATETIME_STR = datetime.strftime(TEST_DATETIME, '%Y-%m-%dT%H:%M:%SZ')
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version')
+@patch('wazuh_integration.sqlite3.connect')
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH)
+@patch('wazuh_integration.utils.get_wazuh_version')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_service_initializes_properly(mock_wazuh_integration, mock_version, mock_path, mock_client, mock_connect,
+                                         mock_metadata, mock_sts):
+    """Test if the instances of 'AWSService' are created properly."""
+    mock_client = MagicMock()
+    mock_sts.return_value = mock_client
+    kwargs = utils.get_aws_service_parameters(db_table_name=utils.TEST_TABLE_NAME,
+                                              service_name=utils.TEST_SERVICE_NAME, reparse=True,
+                                              profile=utils.TEST_AWS_PROFILE, iam_role_arn=utils.TEST_IAM_ROLE_ARN,
+                                              only_logs_after=utils.TEST_ONLY_LOGS_AFTER,
+                                              account_alias=utils.TEST_ACCOUNT_ALIAS,
+                                              region=utils.TEST_REGION,
+                                              discard_field=utils.TEST_DISCARD_FIELD,
+                                              discard_regex=utils.TEST_DISCARD_REGEX,
+                                              sts_endpoint=utils.TEST_STS_ENDPOINT,
+                                              service_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                              iam_role_duration=utils.TEST_IAM_ROLE_DURATION)
+    instance = aws_service.AWSService(**kwargs)
+    mock_wazuh_integration.assert_called_with(instance, service_name=utils.TEST_SERVICE_NAME,
+                                              profile=kwargs["profile"], iam_role_arn=kwargs["iam_role_arn"],
+                                              region=kwargs["region"], discard_field=kwargs["discard_field"],
+                                              discard_regex=kwargs["discard_regex"],
+                                              sts_endpoint=kwargs["sts_endpoint"],
+                                              service_endpoint=kwargs["service_endpoint"],
+                                              iam_role_duration=kwargs["iam_role_duration"], external_id=None,
+                                              skip_on_error=False)
+    assert instance.service_name == utils.TEST_SERVICE_NAME
+    assert instance.reparse
+    assert instance.region == utils.TEST_REGION
+    assert instance.only_logs_after == utils.TEST_ONLY_LOGS_AFTER
+    mock_sts.assert_called_with(kwargs["profile"])
+    mock_client.get_caller_identity.assert_called_once()
+
+
+def test_aws_service_check_region():
+    """Test 'check_region' function raises exception when an incorrect region is passed."""
+    with pytest.raises(ValueError) as e:
+        aws_service.AWSService.check_region('no-region')
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_service_get_last_log_date(mock_wazuh_integration, mock_wazuh_aws_database, mock_sts):
+    """Test 'get_last_log_date' function returns a date with the expected format."""
+    instance = utils.get_mocked_service(only_logs_after=utils.TEST_ONLY_LOGS_AFTER)
+    assert instance.get_last_log_date() == utils.TEST_ONLY_LOGS_AFTER_WITH_FORMAT
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_service_format_message(mock_wazuh_integration, mock_wazuh_aws_database, mock_sts):
+    """Test 'format_message' function updates the expected fields of an event."""
+    input_msg = {'service': 'service_name', 'createdAt': TEST_DATETIME, 'updatedAt': TEST_DATETIME, 'key': 'value'}
+    output_msg = {'source': 'service_name', 'createdAt': TEST_DATETIME_STR, 'updatedAt': TEST_DATETIME_STR,
+                  'key': 'value'}
+    instance = utils.get_mocked_service(only_logs_after=utils.TEST_ONLY_LOGS_AFTER)
+    expected_msg = copy.deepcopy(aws_service.AWS_SERVICE_MSG_TEMPLATE)
+    expected_msg['aws'] = output_msg
+    assert instance.format_message(input_msg) == expected_msg
diff --git a/src/modules/aws/scripts/tests/test_cloudtrail.py b/src/modules/aws/scripts/tests/test_cloudtrail.py
new file mode 100644
index 0000000000..84e1d47a04
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_cloudtrail.py
@@ -0,0 +1,50 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import copy
+import os
+import sys
+from unittest.mock import patch
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import cloudtrail
+
+
+@patch('aws_bucket.AWSLogsBucket.__init__')
+def test_aws_cloudtrail_bucket_initializes_properly(mock_logs_bucket):
+    """Test if the instances of AWSCloudTrailBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=cloudtrail.AWSCloudTrailBucket)
+    mock_logs_bucket.assert_called_once()
+    assert instance.service == "CloudTrail"
+    assert instance.field_to_load == "Records"
+
+
+@patch('aws_bucket.AWSBucket.reformat_msg')
+def test_aws_cloudtrail_bucket_reformat_msg(mock_reformat):
+    """Test 'reformat_msg' method applies the expected format to a given event."""
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    # Add problematic fields
+    for field in cloudtrail.DYNAMIC_FIELDS:
+        if field == 'requestParameters':
+            event['aws'].update({field: {'disableApiTermination': False}})
+        else:
+            event['aws'].update({field: 'value'})
+
+    instance = utils.get_mocked_bucket(class_=cloudtrail.AWSCloudTrailBucket)
+    formatted_event = instance.reformat_msg(event)
+    mock_reformat.assert_called_with(instance, event)
+
+    for field in cloudtrail.DYNAMIC_FIELDS:
+        if field == 'requestParameters':
+            # Check disableApiTermination field was cast from bool to dict
+            assert isinstance(formatted_event['aws']['requestParameters']['disableApiTermination'], dict)
+            assert formatted_event['aws']['requestParameters']['disableApiTermination']['value'] == False
+        else:
+            # Check dynamic fields were cast from string to dict
+            assert isinstance(event['aws'][field], dict)
+            assert formatted_event['aws'][field]['string'] == 'value'
diff --git a/src/modules/aws/scripts/tests/test_cloudwatchlogs.py b/src/modules/aws/scripts/tests/test_cloudwatchlogs.py
new file mode 100644
index 0000000000..17964602f9
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_cloudwatchlogs.py
@@ -0,0 +1,456 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+import botocore
+import copy
+import sqlite3
+from datetime import datetime, timezone
+from unittest.mock import patch, MagicMock
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'services'))
+import aws_service
+import cloudwatchlogs
+
+TEST_LOG_GROUP = 'test_log_group'
+TEST_LOG_STREAM = 'test_stream'
+TEST_START_TIME = 1640996200000
+TEST_END_TIME = 1659355591835
+TEST_TOKEN = 'f/12345678123456781234567812345678123456781234567812345678/s'
+
+TEST_CLOUDWATCH_SCHEMA = "schema_cloudwatchlogs_test.sql"
+
+
+@pytest.mark.parametrize('only_logs_after', [utils.TEST_ONLY_LOGS_AFTER, None])
+@pytest.mark.parametrize('aws_log_groups', [TEST_LOG_GROUP, None])
+@pytest.mark.parametrize('remove_log_streams', [True, False])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('aws_service.AWSService.__init__', side_effect=aws_service.AWSService.__init__)
+def test_aws_cloudwatchlogs_initializes_properly(mock_aws_service, mock_sts_client,
+                                    remove_log_streams: bool, aws_log_groups: str or None,
+                                    only_logs_after: str or None):
+    """Test if the instances of AWSCloudWatchLogs are created properly.
+
+    Parameters
+    ----------
+    aws_log_groups: str or None
+        Log group names.
+    only_logs_after: str or None
+        Date after which obtain logs.
+    remove_log_streams: bool
+        Indicate if log streams should be removed after being fetched.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs,
+                                        remove_log_streams=remove_log_streams,
+                                        aws_log_groups=aws_log_groups,
+                                        only_logs_after=only_logs_after)
+
+    mock_aws_service.assert_called_once()
+    assert instance.log_group_list == (
+        [group for group in aws_log_groups.split(",") if group != ""] if aws_log_groups else [])
+    assert instance.remove_log_streams == remove_log_streams
+    assert instance.only_logs_after_millis == (int(datetime.strptime(only_logs_after, '%Y%m%d').replace(
+        tzinfo=timezone.utc).timestamp() * 1000) if only_logs_after else None)
+    assert instance.default_date_millis == int(instance.default_date.timestamp() * 1000)
+
+
+@pytest.mark.parametrize('remove_log_streams', [True, False])
+@pytest.mark.parametrize('only_logs_after', [utils.TEST_ONLY_LOGS_AFTER, None])
+@pytest.mark.parametrize('reparse', [True, False])
+@patch('wazuh_integration.WazuhAWSDatabase.init_db')
+@patch('wazuh_integration.WazuhAWSDatabase.close_db')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.purge_db')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.update_values')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.get_data_from_db')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.get_alerts_within_range')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.get_log_streams', return_value=[TEST_LOG_STREAM])
+@patch('cloudwatchlogs.AWSCloudWatchLogs.remove_aws_log_stream')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_get_alerts(mock_debug, mock_sts_client, mock_remove_aws_log_stream, mock_get_log_streams,
+                                       mock_get_alerts_within_range, mock_get_data_from_db,
+                                       mock_update_values, mock_purge, mock_close, mock_init,
+                                       reparse: bool, only_logs_after: str or None, remove_log_streams: bool):
+    """Test 'get_alerts' method makes the expected calls in order to fetch the events and send them to Analysisd.
+
+    Parameters
+    ----------
+    reparse: bool
+        Whether to parse already parsed logs or not.
+    only_logs_after: str or None
+        Date after which obtain logs.
+    remove_log_streams: bool
+        Indicate if log streams should be removed after being fetched.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs, aws_log_groups=TEST_LOG_GROUP,
+                                        reparse=reparse, remove_log_streams=remove_log_streams,
+                                        only_logs_after=only_logs_after)
+
+    data_from_db = {
+        'token': TEST_TOKEN,
+        'start_time': TEST_START_TIME,
+        'end_time': TEST_END_TIME
+    }
+
+    mock_get_log_streams.return_value = [TEST_LOG_STREAM]
+    mock_get_data_from_db.return_value = data_from_db
+
+    instance.get_alerts()
+
+    if reparse:
+        mock_debug.assert_any_call('Reparse mode ON', 1)
+
+    mock_init.assert_called_once()
+
+    if instance.remove_log_streams:
+        mock_remove_aws_log_stream.assert_called()
+
+    mock_get_alerts_within_range.assert_called()
+
+    mock_update_values.assert_called()
+    mock_purge.assert_called()
+    mock_close.assert_called_once()
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_remove_aws_log_stream(mock_debug, mock_sts_client):
+    """Test 'remove_aws_log_stream' method makes the necessary calls in order to remove the specified log stream
+    from AWS Cloudwatch Logs."""
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+    mock_delete_log_stream = instance.client.delete_log_stream
+
+    instance.remove_aws_log_stream(TEST_LOG_GROUP, TEST_LOG_STREAM)
+    mock_debug.assert_any_call(
+        'Removing log stream "{}" from log group "{}"'.format(TEST_LOG_GROUP, TEST_LOG_STREAM), 1)
+    mock_delete_log_stream.assert_called_once_with(logGroupName=TEST_LOG_GROUP, logStreamName=TEST_LOG_STREAM)
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_remove_aws_log_stream_handles_exceptions(mock_debug, mock_sts_client):
+    """Test 'remove_aws_log_stream' method handles exceptions raised when trying
+    to remove a log stream from a log group.
+    This could be due to a botocore ClientError or another type of Exception.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+    mock_delete_log_stream = instance.client.delete_log_stream
+
+    mock_delete_log_stream.side_effect = Exception
+    instance.remove_aws_log_stream(TEST_LOG_GROUP, TEST_LOG_STREAM)
+
+    mock_debug.assert_any_call(
+        'ERROR: Error trying to remove "{}" log stream from "{}" log group.'.format(TEST_LOG_STREAM, TEST_LOG_GROUP), 0)
+
+    mock_delete_log_stream.side_effect = botocore.exceptions.ClientError(
+        {'Error': {'Code': utils.THROTTLING_ERROR_CODE}}, "name")
+    with pytest.raises(SystemExit) as e:
+        instance.remove_aws_log_stream(TEST_LOG_GROUP, TEST_LOG_STREAM)
+    assert e.value.code == utils.THROTTLING_ERROR_CODE
+
+
+@pytest.mark.parametrize('end_time', [None, TEST_END_TIME - 1])
+@pytest.mark.parametrize('start_time', [None, TEST_START_TIME + 1])
+@pytest.mark.parametrize('timestamp', [TEST_END_TIME, TEST_START_TIME])
+@pytest.mark.parametrize('token', [None, TEST_TOKEN])
+@patch('wazuh_integration.WazuhIntegration.send_msg')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_get_alerts_within_range(mock_debug, mock_sts_client, mock_send_msg,
+                                                    token: str or None, timestamp: int,
+                                                    start_time: int or None, end_time: int or None):
+    """Test 'get_alerts_within_range' method makes the necessary calls in order
+    to get the events from AWS CloudWatch Logs, send them to Analysisd and return the expected token and timestamps.
+
+
+    Parameters
+    ----------
+    token: str
+        Token to the next set of logs.
+    timestamp: int
+        Expected timestamp to be retrieved inside the get_log_events response.
+    start_time : int or None
+        The start of the time range, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+    end_time : int or None
+        The end of the time range, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+
+    mock_client_get_log_events = instance.client.get_log_events
+
+    min_start_time = start_time
+    max_end_time = end_time if end_time is not None else start_time
+
+    expected_response_with_events = {
+        'events': [
+            {
+                'timestamp': timestamp,
+                'message': 'someMsg',
+                'ingestionTime': 123
+            },
+        ],
+        'nextForwardToken': token,
+        'nextBackwardToken': 'string'
+    }
+
+    expected_response_without_events = copy.deepcopy(expected_response_with_events)
+    expected_response_without_events['events'] = []
+    expected_response_without_events['nextForwardToken'] = token
+
+    if min_start_time is None:
+        min_start_time = expected_response_with_events['events'][0]['timestamp']
+    elif expected_response_with_events['events'][0]['timestamp'] < start_time:
+        min_start_time = expected_response_with_events['events'][0]['timestamp']
+
+    if max_end_time is None:
+        max_end_time = expected_response_with_events['events'][0]['timestamp']
+    elif expected_response_with_events['events'][0]['timestamp'] > max_end_time:
+        max_end_time = expected_response_with_events['events'][0]['timestamp']
+
+    expected_result = {'token': token, 'start_time': min_start_time, 'end_time': max_end_time}
+
+    mock_client_get_log_events.side_effect = [botocore.exceptions.EndpointConnectionError(endpoint_url='example.com'),
+                                              expected_response_with_events, expected_response_without_events]
+
+    assert expected_result == instance.get_alerts_within_range(TEST_LOG_GROUP, TEST_LOG_STREAM, token, start_time,
+                                                               end_time)
+
+    mock_send_msg.assert_any_call(expected_response_with_events['events'][0]['message'], dump_json=False)
+    mock_debug.assert_any_call(f'WARNING: The "get_log_events" request was denied because the endpoint URL was not '
+                               f'available. Attempting again.', 1)
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_cloudwatchlogs_get_alerts_within_range_handles_exceptions_on_client_error(mock_sts_client):
+    """Test 'get_alerts_within_range' method handles exceptions raised
+    when trying to get log events from AWS CloudWatch Logs.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+
+    mock_client_get_log_events = instance.client.get_log_events
+
+    mock_client_get_log_events.side_effect = botocore.exceptions.ClientError(
+        {'Error': {'Code': utils.THROTTLING_ERROR_CODE}}, "name")
+    with pytest.raises(SystemExit) as e:
+        instance.get_alerts_within_range(TEST_LOG_GROUP, TEST_LOG_STREAM, 'token', TEST_START_TIME, TEST_END_TIME)
+    assert e.value.code == utils.THROTTLING_ERROR_CODE
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_cloudwatchlogs_get_data_from_db(mock_sts_client, custom_database):
+    """Test 'get_data_from_db' method retrieves the expected information from the DB.
+    """
+    utils.database_execute_script(custom_database, TEST_CLOUDWATCH_SCHEMA)
+
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs, region=utils.TEST_REGION)
+
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+
+    assert {'token': TEST_TOKEN,
+            'start_time': TEST_START_TIME,
+            'end_time': TEST_END_TIME} == instance.get_data_from_db(TEST_LOG_GROUP, TEST_LOG_STREAM)
+
+
+@pytest.mark.parametrize('values', [None,
+                                    {'token': TEST_TOKEN, 'start_time': TEST_START_TIME, 'end_time': TEST_END_TIME},
+                                    {'token': TEST_TOKEN, 'start_time': None, 'end_time': None}
+                                    ])
+@pytest.mark.parametrize('result_after', [None,
+                                          {'token': TEST_TOKEN, 'start_time': TEST_START_TIME + 1,
+                                           'end_time': TEST_END_TIME + 1}])
+@pytest.mark.parametrize('result_before', [None,
+                                           {'token': TEST_TOKEN, 'start_time': TEST_START_TIME - 1,
+                                            'end_time': TEST_END_TIME - 1}])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_cloudwatchlogs_update_values(mock_sts_client, result_before: dict or None, result_after: dict or None,
+                                          values: dict or None):
+    """Test 'update_values' method returns the expected dict with the results of previous executions.
+
+    Parameters
+    ----------
+    result_before: dict or None
+        A dict containing the token, start_time and end_time values to be updated.
+    result_after: dict or None
+        A dict containing the expected token, start_time and end_time values of a 'get_alerts_within_range' execution.
+    values: dict or None
+        A dict containing the expected token, start_time and end_time values of a 'get_alerts_within_range' execution.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    token = TEST_TOKEN if result_before or result_after else None
+    start_time = None
+    end_time = None
+
+    if values or result_after or result_before:
+        start_time = min(
+            (value['start_time'] for value in [values, result_before, result_after] if value and value['start_time']),
+            default=None)
+
+        end_time = max(
+            (value['end_time'] for value in [values, result_before, result_after] if value and value['end_time']),
+            default=None)
+
+        if values:
+            if not values['start_time']:
+                start_time = max(
+                    (value['end_time'] for value in [values, result_before, result_after] if
+                     value and value['end_time']),
+                    default=None)
+            if not values['end_time']:
+                end_time = max(
+                    (value['end_time'] for value in [values, result_before, result_after] if
+                     value and value['end_time']),
+                    default=None)
+
+    result = {
+        'token': token,
+        'start_time': start_time,
+        'end_time': end_time
+    }
+
+    assert result == instance.update_values(values, result_after, result_before)
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_save_data_db(mock_debug, mock_sts_client, custom_database):
+    """Test 'save_data_db' method inserts token, start_time and end_time values into the DB and updates them if
+    already exist.
+    """
+    utils.database_execute_script(custom_database, TEST_CLOUDWATCH_SCHEMA)
+
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs, region=utils.TEST_REGION)
+
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+
+    instance.save_data_db(TEST_LOG_GROUP, TEST_LOG_STREAM,
+                          {'token': TEST_TOKEN, 'start_time': TEST_START_TIME, 'end_time': TEST_END_TIME})
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        instance.sql_cloudwatch_select.format(table_name=instance.db_table_name), {
+                                            'aws_region': instance.region,
+                                            'aws_log_group': TEST_LOG_GROUP,
+                                            'aws_log_stream': TEST_LOG_STREAM})[2] == TEST_END_TIME
+
+    instance.save_data_db(TEST_LOG_GROUP, TEST_LOG_STREAM,
+                          {'token': TEST_TOKEN, 'start_time': TEST_START_TIME, 'end_time': TEST_END_TIME + 1})
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        instance.sql_cloudwatch_select.format(table_name=instance.db_table_name), {
+                                            'aws_region': instance.region,
+                                            'aws_log_group': TEST_LOG_GROUP,
+                                            'aws_log_stream': TEST_LOG_STREAM})[2] == TEST_END_TIME + 1
+
+    mock_debug.assert_any_call("Some data already exists on DB for that key. Updating their values...", 2)
+
+
+@pytest.mark.parametrize('describe_log_streams_response, expected_result_list',
+                         [([{
+                             'logStreams': [
+                                 {
+                                     'logStreamName': TEST_LOG_STREAM,
+                                 },
+                             ],
+                             'nextToken': 'string'
+                         }, {
+                             'logStreams': [
+                                 {
+                                     'logStreamName': 'next_log_stream',
+                                 },
+                             ]
+                         }], [TEST_LOG_STREAM, 'next_log_stream']),
+                             ([{
+                                 'logStreams': []
+                             }], [])
+                         ])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_get_log_streams(mock_debug, mock_sts_client,
+                                            describe_log_streams_response, expected_result_list: list[str]):
+    """Test 'get_log_streams' method retrieves the log streams from
+    the response of describe_log_streams with the specified log group.
+
+    Parameters
+    ----------
+    describe_log_streams_response: list[dict]
+        List of the different responses that can be received.
+    expected_result_list: list[str]
+        Expected list of log streams to be returned by the method.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+    mock_describe_log_streams = instance.client.describe_log_streams
+
+    mock_describe_log_streams.side_effect = describe_log_streams_response
+
+    result_list = instance.get_log_streams(TEST_LOG_GROUP)
+
+    if not result_list:
+        mock_debug.assert_any_call('No log streams were found for log group "{}"'.format(TEST_LOG_GROUP), 1)
+
+    assert expected_result_list == result_list
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.aws_tools.debug')
+def test_aws_cloudwatchlogs_get_log_streams_handles_exceptions(mock_debug, mock_sts_client):
+    """Test 'get_log_streams' method handles exceptions raised when trying to fetch the log streams
+    from the specified log group.
+    This could be due to a botocore Error or another type of Exception.
+    """
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs)
+
+    instance.client = MagicMock()
+    mock_describe_log_streams = instance.client.describe_log_streams
+
+    mock_describe_log_streams.side_effect = Exception
+    instance.get_log_streams(TEST_LOG_GROUP)
+    mock_debug.assert_any_call(
+        '++++ The specified "{}" log group does not exist or insufficient privileges to access it.'.format(
+            TEST_LOG_GROUP), 0)
+
+    mock_describe_log_streams.side_effect = botocore.exceptions.ClientError(
+        {'Error': {'Code': utils.THROTTLING_ERROR_CODE}}, "name")
+    with pytest.raises(SystemExit) as e:
+        instance.get_log_streams(TEST_LOG_GROUP)
+    assert e.value.code == utils.THROTTLING_ERROR_CODE
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('cloudwatchlogs.AWSCloudWatchLogs.get_log_streams', return_value=[])
+def test_aws_cloudwatchlogs_purge_db(mock_get_log_streams, mock_sts_client, custom_database):
+    """Test 'purge_db' method removes the records for log streams when they no longer exist on AWS CloudWatch Logs."""
+    utils.database_execute_script(custom_database, TEST_CLOUDWATCH_SCHEMA)
+
+    instance = utils.get_mocked_service(class_=cloudwatchlogs.AWSCloudWatchLogs, region=utils.TEST_REGION)
+
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+
+    instance.db_table_name = 'cloudwatch_logs'
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=instance.db_table_name)) == 1
+
+    instance.purge_db(TEST_LOG_GROUP)
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=instance.db_table_name)) == 0
diff --git a/src/modules/aws/scripts/tests/test_config.py b/src/modules/aws/scripts/tests/test_config.py
new file mode 100644
index 0000000000..9513053da8
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_config.py
@@ -0,0 +1,151 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+import copy
+from unittest.mock import patch, MagicMock
+import re
+from datetime import datetime, timedelta
+
+import botocore
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import config
+
+TEST_CONFIG_SCHEMA = "schema_config_test.sql"
+TEST_TABLE_NAME = 'config'
+
+TEST_DATE = '2023/1/1'
+DAYS_DELTA = 10
+
+SQL_FIND_LAST_LOG_PROCESSED = """SELECT created_date FROM {table_name} ORDER BY created_date DESC LIMIT 1;"""
+SQL_FIND_LAST_KEY_PROCESSED = """SELECT log_key FROM {table_name} ORDER BY log_key DESC LIMIT 1;"""
+
+utils.LIST_OBJECT_V2_NO_PREFIXES['Contents'][0]['Key'] = utils.TEST_LOG_FULL_PATH_CONFIG_1
+
+
+@patch('aws_bucket.AWSLogsBucket.__init__')
+def test_aws_config_bucket_initializes_properly(mock_logs_bucket):
+    """Test if the instances of AWSConfigBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=config.AWSConfigBucket)
+    mock_logs_bucket.assert_called_once()
+    assert instance.service == "Config"
+    assert instance.field_to_load == "configurationItems"
+    assert instance._leading_zero_regex == re.compile(r'/(0)(?P<num>\d)')
+    assert instance._extract_date_regex == re.compile(r'\d{4}/\d{1,2}/\d{1,2}')
+
+
+@pytest.mark.parametrize('marker, result_marker', [
+    ('AWSLogs/123456789012/Config/us-east-1/2020/01/06', 'AWSLogs/123456789012/Config/us-east-1/2020/1/6'),
+    ('AWSLogs/123456789/Config/us-east-1/2019/04/15/', 'AWSLogs/123456789/Config/us-east-1/2019/4/15/'),
+    ('AWSLogs/123456789/Config/us-east-1/2019/12/06/', 'AWSLogs/123456789/Config/us-east-1/2019/12/6/')
+])
+@patch('aws_bucket.AWSBucket.marker_only_logs_after')
+def test_aws_config_bucket_marker_only_logs_after(mock_marker_only_logs_after, marker: str, result_marker: str):
+    """Test 'marker_only_logs_after' method returns the expected marker.
+
+    Parameters
+    ----------
+    marker: str
+        The marker introduced.
+    result_marker: str
+        The marker the method should return without padding zeros in the date.
+    """
+    instance = utils.get_mocked_bucket(class_=config.AWSConfigBucket, only_logs_after=utils.TEST_ONLY_LOGS_AFTER)
+    mock_marker_only_logs_after.return_value = result_marker
+
+    assert instance.marker_only_logs_after(utils.TEST_ACCOUNT_ID,
+                                           utils.TEST_REGION) == instance._remove_padding_zeros_from_marker(marker)
+
+
+@patch('aws_bucket.AWSBucket.marker_only_logs_after')
+def test_aws_config_bucket_marker_only_logs_after_handles_exceptions(mock_marker_only_logs_after):
+    """Test 'marker_only_logs_after' method handles the AtrributeError exception and exits
+    with the expected exit code."""
+    instance = utils.get_mocked_bucket(class_=config.AWSConfigBucket)
+    mock_marker_only_logs_after.return_value = os.path.join('AWSLogs', '123456789', 'Config', 'us-east-1', '2019', '12',
+                                                            '06')
+
+    with patch('re.sub') as mock_re_sub:
+        with pytest.raises(SystemExit) as e:
+            mock_re_sub.side_effect = AttributeError
+            instance.marker_only_logs_after(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+        assert e.value.code == utils.THROTTLING_ERROR_CODE
+
+
+@patch('aws_bucket.AWSBucket.marker_custom_date')
+def test_aws_config_bucket_marker_custom_date(mock_marker_custom_date):
+    """Test 'marker_custom_date' method returns the expected marker when specifying a custom date."""
+    instance = utils.get_mocked_bucket(class_=config.AWSConfigBucket)
+    custom_date = datetime(2022, 9, 8)
+
+    mock_marker_custom_date.return_value = os.path.join('AWSLogs', utils.TEST_ACCOUNT_ID, 'Config', utils.TEST_REGION,
+                                                        custom_date.strftime(instance.date_format))
+
+    assert instance.marker_custom_date(utils.TEST_ACCOUNT_ID, utils.TEST_REGION,
+                                       custom_date) == instance._remove_padding_zeros_from_marker(
+        mock_marker_custom_date(instance, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, custom_date))
+
+
+@pytest.mark.parametrize('security_groups', ['securityGroupId', [{'groupId': 'id', 'groupName': 'name'}],
+                                             {'groupId': 'id', 'groupName': 'name'}])
+@pytest.mark.parametrize('availability_zones',
+                         ['zone', [{'subnetId': 'id', 'zoneName': 'name'}], {'subnetId': 'id', 'zoneName': 'name'}])
+@pytest.mark.parametrize('state', ['stateName', {}])
+@pytest.mark.parametrize('created_time', [1672763065, '2020-06-01T01:03:03.106Z'])
+@pytest.mark.parametrize('iam_profile', ['iamInstanceProfileName', {}])
+@patch('aws_bucket.AWSBucket.reformat_msg')
+def test_aws_config_bucket_reformat_msg(mock_reformat,
+                                        iam_profile: str or dict, created_time: int or str, state: str or dict,
+                                        availability_zones: str or dict, security_groups: str or dict):
+    """Test 'reformat_msg' method applies the expected format to a given event.
+
+    Parameters
+    ----------
+    iam_profile: str or dict
+        IAM instance profile.
+    created_time: int or str
+        Event creation time.
+    state: str or dict
+        State values for the state key.
+    availability_zones: str or dict
+        Availability zones values for the availabilityZones key.
+    security_groups: str or dict
+        Security groups values for the securityGroups key.
+    """
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    event['aws'].update(
+        {
+            'configuration': {
+                'securityGroups': security_groups,
+                'availabilityZones': availability_zones,
+                'state': state,
+                'createdTime': created_time,
+                'iamInstanceProfile': iam_profile,
+                'unnecesary_fields': {
+                    'Content': {
+                        'example_key': 'example_value'
+                    }
+                }
+            }
+        }
+    )
+
+    instance = utils.get_mocked_bucket(class_=config.AWSConfigBucket)
+
+    formatted_event = instance.reformat_msg(event)
+
+    assert isinstance(formatted_event['aws']['configuration']['securityGroups'], dict)
+    assert isinstance(formatted_event['aws']['configuration']['availabilityZones'], dict)
+    assert isinstance(formatted_event['aws']['configuration']['state'], dict)
+    assert isinstance(formatted_event['aws']['configuration']['createdTime'], float)
+    assert isinstance(formatted_event['aws']['configuration']['iamInstanceProfile'], dict)
+    assert isinstance(formatted_event['aws']['configuration']['unnecesary_fields']['Content'], list)
diff --git a/src/modules/aws/scripts/tests/test_guardduty.py b/src/modules/aws/scripts/tests/test_guardduty.py
new file mode 100644
index 0000000000..00ffb4147c
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_guardduty.py
@@ -0,0 +1,261 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+import copy
+from unittest.mock import patch, mock_open, MagicMock
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import guardduty
+
+SAMPLE_EVENT_1 = {'key1': 'value1', 'key2': 'value2'}
+
+
+@pytest.mark.parametrize('guardduty_native', [True, False])
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_guardduty_bucket_initializes_properly(mock_custom_bucket, guardduty_native):
+    """Test if the instances of AWSGuardDutyBucket are created properly."""
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type', return_value=guardduty_native):
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+
+        mock_custom_bucket.assert_called_once()
+        assert instance.service == "GuardDuty"
+
+        if guardduty_native:
+            assert instance.type == "GuardDutyNative"
+        else:
+            assert instance.type == "GuardDutyKinesis"
+
+
+@pytest.mark.parametrize('object_list, result', [(utils.LIST_OBJECT_V2, True),
+                                                 (utils.LIST_OBJECT_V2_NO_PREFIXES, False)])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_guardduty_bucket_check_guardduty_type(mock_wazuh_aws_integration, mock_sts,
+                                                   object_list: dict, result: bool):
+    """Test 'check_guardduty_type' method defines if the bucket contains GuardDuty Native logs or not.
+
+    Parameters
+    ----------
+    object_list: dict
+        Objects to be returned by list_objects_v2.
+    result: bool
+        Expected result.
+    """
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type'):
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+
+    instance.client = MagicMock()
+    instance.client.list_objects_v2.return_value = object_list
+
+    assert result == instance.check_guardduty_type()
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_guardduty_bucket_check_guardduty_type_handles_exceptions(mock_wazuh_aws_integration, mock_sts):
+    """Test 'check_guardduty_type' handles exceptions raised and exits with the expected exit code."""
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type'):
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+
+    with pytest.raises(SystemExit) as e:
+        instance.client = MagicMock()
+        instance.client.list_objects_v2.side_effect = Exception
+        instance.check_guardduty_type()
+    assert e.value.code == utils.UNEXPECTED_ERROR_WORKING_WITH_S3
+
+
+@patch('aws_bucket.AWSLogsBucket.get_base_prefix', return_value='base_prefix/')
+@patch('guardduty.AWSGuardDutyBucket.check_guardduty_type')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_guardduty_bucket_get_service_prefix(mock_custom_bucket, mock_type, mock_base_prefix):
+    """Test 'get_service_prefix' method returns the expected prefix with the format
+    <base_prefix>/<account_id>/<service>."""
+    instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+
+    expected_base_prefix = os.path.join('base_prefix', utils.TEST_ACCOUNT_ID, instance.service, '')
+    assert instance.get_service_prefix(utils.TEST_ACCOUNT_ID) == expected_base_prefix
+
+
+@pytest.mark.parametrize('guardduty_native', [True, False])
+@patch('aws_bucket.AWSLogsBucket.get_service_prefix', return_value='service_prefix/')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_guardduty_bucket_get_full_prefix(mock_wazuh_aws_integration, mock_sts, mock_service_prefix,
+                                              guardduty_native):
+    """Test 'get_full_prefix' method the expected prefix depending on the GuardDuty bucket type.
+
+    Parameters
+    ----------
+    guardduty_native: bool
+        Result for the 'check_guardduty_type' call that determines the GuardDuty bucket type.
+    """
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type', return_value=guardduty_native):
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket, prefix='prefix/')
+
+        if instance.type == "GuardDutyNative":
+            assert os.path.join(instance.get_service_prefix(utils.TEST_ACCOUNT_ID), utils.TEST_REGION, '') == \
+                   instance.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+        else:
+            assert instance.prefix == instance.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+
+@pytest.mark.parametrize('guardduty_native', [True, False])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_guardduty_bucket_get_base_prefix(mock_wazuh_aws_integration, mock_sts, guardduty_native: bool):
+    """Test 'get_full_prefix' method the expected base prefix depending on the GuardDuty bucket type.
+
+    Parameters
+    ----------
+    guardduty_native: bool
+        Result for the 'check_guardduty_type' call that determines the GuardDuty bucket type.
+    """
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type', return_value=guardduty_native):
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket, prefix='prefix/')
+
+        if instance.type == "GuardDutyNative":
+            assert instance.get_base_prefix() == os.path.join(instance.prefix, 'AWSLogs', '')
+        else:
+            assert instance.get_base_prefix() == instance.prefix
+
+
+@pytest.mark.parametrize('guardduty_native', [True, False])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_aws_guardduty_bucket_iter_regions_and_accounts(mock_wazuh_aws_integration, mock_sts, guardduty_native: bool):
+    """Test 'iter_regions_and_accounts' method makes the necessary calls in order to process the bucket's files
+    depending on the GuardDuty bucket type.
+
+    Parameters
+    ----------
+    guardduty_native: bool
+        Result for the 'check_guardduty_type' call that determines the GuardDuty bucket type.
+    """
+    account_ids = [utils.TEST_ACCOUNT_ID]
+    regions = [utils.TEST_REGION]
+    with patch('guardduty.AWSGuardDutyBucket.check_guardduty_type', return_value=guardduty_native), \
+            patch('aws_bucket.AWSBucket.iter_regions_and_accounts') as mock_bucket_regions_and_accounts, \
+            patch('aws_bucket.AWSCustomBucket.iter_regions_and_accounts') as mock_custom_regions_and_accounts:
+        instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+
+        if instance.type == "GuardDutyNative":
+            instance.iter_regions_and_accounts(account_ids, regions)
+            mock_bucket_regions_and_accounts.assert_called_with(instance, account_ids, regions)
+        else:
+            instance.iter_regions_and_accounts(account_ids, regions)
+            assert instance.check_prefix
+            mock_custom_regions_and_accounts.assert_called_with(instance, account_ids, regions)
+
+
+@patch('guardduty.AWSGuardDutyBucket.send_msg')
+@patch('guardduty.AWSGuardDutyBucket.reformat_msg', return_value=['message'])
+@patch('guardduty.AWSGuardDutyBucket.check_guardduty_type')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_guardduty_bucket_send_event(mock_custom_bucket, mock_type, mock_reformat, mock_send):
+    """Test 'send_event' method makes the necessary calls in order to send the event to Analysisd."""
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+    instance.send_event(event)
+    mock_reformat.assert_called_with(event)
+    mock_send.assert_called()
+
+
+@pytest.mark.parametrize('fields', [{
+    'service':
+        {'action':
+            {
+                'portProbeAction':
+                    {
+                        'portProbeDetails': [
+                            {
+                                "localIpDetails": {
+                                    "ipAddressV4": "string"
+                                },
+                                "localPortDetails": {
+                                    "port": "number",
+                                    "portName": "string"
+                                }
+                            },
+                            {
+                                "localIpDetails": {
+                                    "ipAddressV4": "string"
+                                },
+                                "localPortDetails": {
+                                    "port": "number",
+                                    "portName": "string"
+                                }
+                            }]
+                    }}},
+    'additional_field': ['element']
+}, {'otherField': 'element'}])
+@patch('aws_bucket.AWSBucket.reformat_msg')
+@patch('guardduty.AWSGuardDutyBucket.check_guardduty_type')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_guardduty_bucket_reformat_msg(mock_custom_bucket, mock_type, mock_reformat, fields: dict):
+    """Test 'reformat_msg' method applies the expected format to a given event..
+
+    Parameters
+    ----------
+    fields: dict
+        Dictionary part of the event to be reformatted.
+    """
+    event = copy.deepcopy(aws_bucket.AWS_BUCKET_MSG_TEMPLATE)
+    event['aws'].update({'source': 'guardduty'})
+    event['aws'].update(fields)
+    instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+    result = []
+
+    formatted_event = list(instance.reformat_msg(event))
+
+    if 'service' in event['aws'] and \
+            'action' in event['aws']['service'] and \
+            'portProbeAction' in event['aws']['service']['action'] and \
+            'portProbeDetails' in event['aws']['service']['action']['portProbeAction'] and \
+            len(event['aws']['service']['action']['portProbeAction']['portProbeDetails']) > 1:
+        port_probe_details = event['aws']['service']['action']['portProbeAction']['portProbeDetails']
+        for detail in port_probe_details:
+            event['aws']['service']['action']['portProbeAction']['portProbeDetails'] = detail
+            result.append(event)
+        assert result == formatted_event
+
+    else:
+        mock_reformat.assert_called_once()
+        assert [event] == formatted_event
+
+
+@pytest.mark.parametrize('log_key, json_file_content, result',
+                         [('file.jsonl.gz',
+                           '{"detail": {"schemaVersion": "2.0"}, "service": {"serviceName": "guardduty"}}',
+                           [{"detail": {"schemaVersion": "2.0"}, "service": {"serviceName": "guardduty"},
+                             "source": "guardduty"}]),
+                          ('file.zip',
+                           '{"source": "guardduty", "detail": {"schemaVersion": "2.0"}}',
+                           [{"source": "guardduty", "schemaVersion": "2.0"}])])
+@patch('aws_bucket.AWSBucket.decompress_file')
+@patch('guardduty.AWSGuardDutyBucket.check_guardduty_type')
+@patch('aws_bucket.AWSCustomBucket.get_sts_client')
+def test_aws_guardduty_bucket_load_information_from_file(mock_sts_client, mock_type, mock_decompress,
+                                                         log_key: str, json_file_content: list[dict] or str,
+                                                         result: list[dict]):
+    """Test 'load_information_from_file' method returns the expected information.
+
+    Parameters
+    ----------
+    log_key: str
+        Name of the file to be processed.
+    json_file_content: str
+        File content.
+    result: list[dict]
+        Expected information to be fetched from the file.
+    """
+    instance = utils.get_mocked_bucket(class_=guardduty.AWSGuardDutyBucket)
+    with patch('aws_bucket.AWSBucket.decompress_file', mock_open(read_data=json_file_content)):
+        assert result == instance.load_information_from_file(log_key)
diff --git a/src/modules/aws/scripts/tests/test_inspector.py b/src/modules/aws/scripts/tests/test_inspector.py
new file mode 100644
index 0000000000..5efa8852bd
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_inspector.py
@@ -0,0 +1,108 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+from datetime import datetime
+from unittest.mock import patch, MagicMock
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'services'))
+import aws_service
+import inspector
+
+TEST_SERVICES_SCHEMA = 'schema_services_test.sql'
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('aws_service.AWSService.__init__', side_effect=aws_service.AWSService.__init__)
+def test_aws_inspector_initializes_properly(mock_aws_service, mock_sts_client):
+    """Test if the instances of AWSInspector are created properly."""
+    instance = utils.get_mocked_service(class_=inspector.AWSInspector)
+
+    mock_aws_service.assert_called_once()
+    assert instance.retain_db_records == 5
+    assert instance.sent_events == 0
+
+
+@patch('aws_service.AWSService.get_sts_client')
+def test_aws_inspector_send_describe_findings(mock_sts_client):
+    """Test 'send_describe_findings' method sends the findings to Analysisd
+    and updates the instance's sent_events attribute accordingly to the number of findings.
+    """
+    arn_list = ['arn1']
+
+    instance = utils.get_mocked_service(class_=inspector.AWSInspector)
+
+    mock_client = MagicMock()
+    instance.client = mock_client
+    instance.client.describe_findings.return_value = {
+        'findings': [
+            {
+                'arn': 'arn1',
+                'schemaVersion': 123,
+                'service': 'string',
+            }
+        ]
+    }
+    with patch('wazuh_integration.WazuhIntegration.send_msg') as mock_send_msg, \
+            patch('aws_service.AWSService.format_message') as mock_format:
+        instance.send_describe_findings(arn_list)
+        assert instance.sent_events == 1
+        mock_send_msg.assert_called_once()
+        mock_format.assert_called_once()
+
+
+@pytest.mark.parametrize('reparse', [True, False])
+@pytest.mark.parametrize('only_logs_after', [utils.TEST_ONLY_LOGS_AFTER, None])
+@patch('wazuh_integration.WazuhAWSDatabase.init_db')
+@patch('wazuh_integration.WazuhAWSDatabase.close_db')
+@patch('inspector.AWSInspector.send_describe_findings')
+@patch('inspector.aws_tools.debug')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_inspector_get_alerts(mock_sts_client, mock_debug, mock_send_describe_findings, mock_init_db, mock_close_db,
+                                  only_logs_after, reparse, custom_database):
+    """Test 'get_alerts' method sends the collected events and updates the DB accordingly.
+
+    Parameters
+    ----------
+    reparse: bool
+        Whether to parse already parsed logs or not.
+    only_logs_after: str or None
+        Date after which obtain logs.
+    """
+    utils.database_execute_script(custom_database, TEST_SERVICES_SCHEMA)
+
+    instance = utils.get_mocked_service(class_=inspector.AWSInspector,
+                                        reparse=reparse, only_logs_after=only_logs_after, region=utils.TEST_REGION)
+
+    instance.account_id = utils.TEST_ACCOUNT_ID
+
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+
+    instance.client = MagicMock()
+    mock_list_findings = instance.client.list_findings
+    mock_list_findings.side_effect = [{'findingArns': ['arn1'], 'nextToken': None},
+                                      {'findingArns': ['arn2']}]
+
+    instance.get_alerts()
+
+    last_scan_date = utils.database_execute_query(custom_database,
+                                                  instance.sql_find_last_scan.format(table_name=instance.db_table_name),
+                                                  {
+                                                      'service_name': instance.service_name,
+                                                      'aws_account_id': instance.account_id,
+                                                      'aws_region': instance.region}
+                                                  )
+
+    assert datetime.strptime(last_scan_date.split(' ')[0], "%Y-%m-%d").strftime("%Y%m%d") == datetime.utcnow().strftime(
+        "%Y%m%d")
diff --git a/src/modules/aws/scripts/tests/test_load_balancers.py b/src/modules/aws/scripts/tests/test_load_balancers.py
new file mode 100644
index 0000000000..557022c51b
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_load_balancers.py
@@ -0,0 +1,224 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import csv
+import os
+import sys
+from unittest.mock import patch, mock_open
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import load_balancers
+
+
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_lb_bucket_initializes_properly(mock_custom_bucket):
+    """Test if the instances of AWSLBBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket)
+    assert instance.service == 'elasticloadbalancing'
+    mock_custom_bucket.assert_called_once()
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_lb_bucket_get_base_prefix(mock_sts):
+    """Test 'get_base_prefix' returns the expected prefix with the format <prefix>/AWSLogs/<suffix>"""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket, prefix=f'{utils.TEST_PREFIX}/',
+                                       suffix=f'{utils.TEST_SUFFIX}/')
+    expected_base_prefix = os.path.join(utils.TEST_PREFIX, 'AWSLogs', utils.TEST_SUFFIX, '')
+    assert instance.get_base_prefix() == expected_base_prefix
+
+
+@patch('load_balancers.AWSLBBucket.get_base_prefix', return_value='base_prefix/')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_lb_bucket_get_service_prefix(mock_custom_bucket, mock_base_prefix):
+    """Test 'get_service_prefix' returns the expected prefix with the format <base_prefix>/<account_id>/<service>."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket)
+    expected_service_prefix = os.path.join('base_prefix', utils.TEST_ACCOUNT_ID, instance.service, '')
+    assert instance.get_service_prefix(utils.TEST_ACCOUNT_ID) == expected_service_prefix
+
+
+@patch('aws_bucket.AWSBucket.iter_regions_and_accounts')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_lb_bucket_iter_regions_and_accounts(mock_custom_bucket, mock_iter_regions_accounts):
+    """Test 'iter_regions_and_accounts' method calls AWSBucket.iter_regions_and_accounts"""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket)
+    instance.iter_regions_and_accounts(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+    mock_iter_regions_accounts.assert_called_with(instance, utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+
+
+@patch('load_balancers.AWSLBBucket.get_service_prefix',
+       return_value=os.path.join('base_prefix', utils.TEST_ACCOUNT_ID, 'elasticloadbalancing', ''))
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_lb_bucket_get_full_prefix(mock_custom_bucket, mock_service_prefix):
+    """Test 'get_full_prefix' returns the expected prefix with the format <service_prefix>/<region>."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket)
+    expected_full_prefix = os.path.join('base_prefix', utils.TEST_ACCOUNT_ID, 'elasticloadbalancing',
+                                        utils.TEST_REGION, '')
+    assert instance.get_full_prefix(utils.TEST_ACCOUNT_ID, utils.TEST_REGION) == expected_full_prefix
+
+
+@patch('aws_bucket.AWSBucket.mark_complete')
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_lb_bucket_mark_complete(mock_custom_bucket, mock_mark_complete):
+    """Test 'mark_complete' method calls AWSBucket.mark_complete"""
+    test_log_file = 'log_file'
+
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSLBBucket)
+    instance.mark_complete(utils.TEST_ACCOUNT_ID, utils.TEST_REGION, test_log_file)
+
+    mock_mark_complete.assert_called_with(instance, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, test_log_file)
+
+
+@patch('load_balancers.AWSLBBucket.__init__')
+def test_aws_alb_bucket_initializes_properly(mock_lb_bucket):
+    """Test if the instances of AWSALBBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSALBBucket)
+    mock_lb_bucket.assert_called_once()
+
+
+@patch('load_balancers.AWSLBBucket.get_sts_client')
+def test_aws_alb_bucket_load_information_from_file(mock_sts_client):
+    """Test 'load_information_from_file' method returns the expected information or logs
+    the appropriate error message.
+    """
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSALBBucket)
+
+    with patch('aws_bucket.AWSBucket.decompress_file'), \
+            patch('csv.DictReader') as mock_reader, \
+            patch('aws_bucket.aws_tools.debug') as mock_debug:
+        tsv_reader = [{
+            'type': 'http', 'time': '2025-11-23T23:57:06.780380Z', 'elb': 'app/ALB/example',
+            'client_port': '0.0.0.0:48888', 'target_port': '0.0.0.0:80', 'request_processing_time': '0.001',
+            'target_processing_time': '0.001', 'response_processing_time': '0.000',
+            'elb_status_code': '403', 'target_status_code': '403', 'received_bytes': '136',
+            'sent_bytes': '5173', 'request': 'GET http://0.0.0.0:80/ HTTP/1.1',
+            'user_agent': 'Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://domain.com)',
+            'ssl_cipher': '-', 'ssl_protocol': '-',
+            'target_group_arn': 'arn:aws:elasticloadbalancing:region:123456789123:targetgroup/EC2/xxxxxxxxxxxxxx',
+            'trace_id': 'Root=1-xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'domain_name': '-',
+            'chosen_cert_arn': '-', 'matched_rule_priority': '0',
+            'request_creation_time': '2025-11-23T23:57:06.778000Z',
+            'action_executed': 'forward', 'redirect_url': '-',
+            'error_reason': '-', 'target_port_list': '0.0.0.0:80',
+            'target_status_code_list': '403', 'classification': '-',
+            'classification_reason': '-'
+        }]
+
+        mock_reader.return_value = tsv_reader
+
+        expected_information = [{
+            'type': 'http', 'time': '2025-11-23T23:57:06.780380Z', 'elb': 'app/ALB/example',
+            'client_port': '48888', 'target_port': '80', 'client_ip': '0.0.0.0', 'target_ip': '0.0.0.0',
+            'target_ip_list': '0.0.0.0', 'request_processing_time': '0.001', 'target_processing_time': '0.001',
+            'response_processing_time': '0.000', 'elb_status_code': '403',
+            'target_status_code': '403', 'received_bytes': '136', 'sent_bytes': '5173',
+            'request': 'GET http://0.0.0.0:80/ HTTP/1.1',
+            'user_agent': 'Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://domain.com)',
+            'ssl_cipher': '-', 'ssl_protocol': '-',
+            'target_group_arn': 'arn:aws:elasticloadbalancing:region:123456789123:targetgroup/EC2/xxxxxxxxxxxxxx',
+            'trace_id': 'Root=1-xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'domain_name': '-',
+            'chosen_cert_arn': '-', 'matched_rule_priority': '0',
+            'request_creation_time': '2025-11-23T23:57:06.778000Z',
+            'action_executed': 'forward', 'redirect_url': '-', 'error_reason': '-',
+            'target_port_list': '80', 'target_status_code_list': '403',
+            "source": "alb", 'classification': '-', 'classification_reason': '-'
+        }]
+        assert expected_information == instance.load_information_from_file(utils.TEST_LOG_KEY)
+
+        # Force Error when handling IP:Port fields
+        tsv_reader[0]['client_port'] = '0.0.0.0'
+        instance.load_information_from_file(utils.TEST_LOG_KEY)
+        mock_debug.assert_called()
+
+
+@patch('load_balancers.AWSLBBucket.__init__')
+def test_aws_clb_bucket_initializes_properly(mock_lb_bucket):
+    """Test if the instances of AWSCLBBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSCLBBucket)
+    mock_lb_bucket.assert_called_once()
+
+
+@patch('load_balancers.AWSLBBucket.get_sts_client')
+def test_aws_clb_bucket_load_information_from_file(mock_sts_client):
+    """Test 'load_information_from_file' method returns the expected information."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSCLBBucket)
+
+    with patch('aws_bucket.AWSBucket.decompress_file'), \
+            patch('csv.DictReader') as mock_reader:
+        mock_reader.return_value = [{
+            "time": "2020-11-12T17:33:30.084203Z", "elb": "elb", "client_port": "0.0.0.0:55438",
+            "backend_port": "0.0.0.0:55000", "request_processing_time": "0.000628",
+            "backend_processing_time": "0.00001",
+            "response_processing_time": "0.000015", "elb_status_code": "-",
+            "backend_status_code": "-", "received_bytes": "1071",
+            "sent_bytes": "2250", "request": "- - - ", "user_agent": "-",
+            "ssl_cipher": "-", "ssl_protocol": "-"
+        }]
+
+        expected_information = [{
+            "time": "2020-11-12T17:33:30.084203Z", "elb": "elb",
+            "client_port": "0.0.0.0:55438", "backend_port": "0.0.0.0:55000",
+            "request_processing_time": "0.000628", "backend_processing_time": "0.00001",
+            "response_processing_time": "0.000015", "elb_status_code": "-",
+            "backend_status_code": "-", "received_bytes": "1071",
+            "sent_bytes": "2250", "request": "- - - ",
+            "user_agent": "-", "ssl_cipher": "-",
+            "ssl_protocol": "-", "source": "clb"
+        }]
+
+        assert expected_information == instance.load_information_from_file(utils.TEST_LOG_KEY)
+
+
+@patch('load_balancers.AWSLBBucket.__init__')
+def test_aws_nlb_bucket_initializes_properly(mock_lb_bucket):
+    """Test if the instances of AWSNLBBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSNLBBucket)
+    mock_lb_bucket.assert_called_once()
+
+
+@patch('load_balancers.AWSLBBucket.get_sts_client')
+def test_aws_nlb_bucket_load_information_from_file(mock_sts_client):
+    """Test 'load_information_from_file' method returns the expected information."""
+    instance = utils.get_mocked_bucket(class_=load_balancers.AWSNLBBucket)
+
+    with patch('aws_bucket.AWSBucket.decompress_file'), \
+            patch('csv.DictReader') as mock_reader:
+        tsv_reader = [{
+            "type": "tls", "version": "2.0", "time": "2020-11-24T03:01:14",
+            "elb": "elb", "listener": "listener", "client_port": "0.0.0.0:62215",
+            "destination_port": "0.0.0.0:55000", "connection_time": "17553",
+            "tls_handshake_time": "-", "received_bytes": "0", "sent_bytes": "0",
+            "incoming_tls_alert": "-", "chosen_cert_arn": "-",
+            "chosen_cert_serial": "-", "tls_cipher": "-", "tls_protocol_version": "-",
+            "tls_named_group": "-", "domain_name": "-",
+            "alpn_fe_protocol": "-", "alpn_client_preference_list": "-", "null": "-"
+        }]
+
+        mock_reader.return_value = tsv_reader
+
+        expected_information = [{
+            "type": "tls", "version": "2.0", "time": "2020-11-24T03:01:14",
+            "elb": "elb", "listener": "listener",
+            "client_port": "62215", "destination_port": "55000",
+            "connection_time": "17553", "tls_handshake_time": "-",
+            "received_bytes": "0", "sent_bytes": "0", "incoming_tls_alert": "-",
+            "chosen_cert_arn": "-", "chosen_cert_serial": "-",
+            "tls_cipher": "-", "tls_protocol_version": "-",
+            "tls_named_group": "-", "domain_name": "-",
+            "alpn_fe_protocol": "-", "alpn_client_preference_list": "-",
+            "null": "-", "source": "nlb", "client_ip": "0.0.0.0", "destination_ip": "0.0.0.0"
+        }]
+
+        assert expected_information == instance.load_information_from_file(utils.TEST_LOG_KEY)
+
+        # Force Error when handling IP:Port fields
+        tsv_reader[0]['client_port'] = '0.0.0.0'
+        tsv_reader[0]['destination_port'] = '0.0.0.0'
+        result = instance.load_information_from_file(utils.TEST_LOG_KEY)
+        assert result[0]['client_ip'] == tsv_reader[0]['client_port']
+        assert result[0]['destination_ip'] == tsv_reader[0]['destination_port']
diff --git a/src/modules/aws/scripts/tests/test_s3_log_handler.py b/src/modules/aws/scripts/tests/test_s3_log_handler.py
new file mode 100644
index 0000000000..63996636b5
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_s3_log_handler.py
@@ -0,0 +1,326 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+import os
+import io
+import re
+from unittest.mock import patch, MagicMock, call
+import pytest
+import json
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'subscribers'))
+import s3_log_handler
+
+SAMPLE_PARQUET_KEY = 'aws/source/region=region/accountId=accountID/eventHour=YYYYMMDDHH/file.gz.parquet'
+SAMPLE_MESSAGE = {'bucket_path': utils.TEST_MESSAGE, 'log_path': SAMPLE_PARQUET_KEY}
+SAMPLE_PARQUET_EVENT_1 = {'key1': 'value1', 'key2': 'value2'}
+
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+logs_path = os.path.join(test_data_path, 'log_files')
+
+
+def test_method_raises_not_implemented():
+    """Test that obtain_logs and process_file methods raise NotImplementedError."""
+    handler = s3_log_handler.AWSS3LogHandler()
+    with pytest.raises(NotImplementedError):
+        handler.obtain_logs("test_bucket", "test_log_path")
+
+    with pytest.raises(NotImplementedError):
+        handler.process_file({"message": "test_message"})
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effet=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sl_subscriber_bucket_initializes_properly(mock_wazuh_integration, mock_client, mock_sts_client):
+    """Test if the instances of AWSSLSubscriberBucket are created properly."""
+    kwargs = utils.get_aws_s3_log_handler_parameters(iam_role_arn=utils.TEST_IAM_ROLE_ARN,
+                                                     iam_role_duration=utils.TEST_IAM_ROLE_DURATION,
+                                                     service_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                                     sts_endpoint=utils.TEST_STS_ENDPOINT)
+
+    integration = s3_log_handler.AWSSLSubscriberBucket(**kwargs)
+
+    mock_wazuh_integration.assert_called_with(integration,
+                                              profile=None,
+                                              service_name='s3',
+                                              sts_endpoint=kwargs["sts_endpoint"],
+                                              service_endpoint=kwargs["service_endpoint"],
+                                              iam_role_arn=kwargs['iam_role_arn'],
+                                              iam_role_duration=kwargs['iam_role_duration'],
+                                              )
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sl_subscriber_bucket_obtain_logs(mock_wazuh_integration, mock_sts_client):
+    """Test 'obtain_information_from_parquet' fetches parquets from a bucket and retrieves the expected list of
+    events."""
+    instance = utils.get_mocked_aws_sl_subscriber_bucket()
+    mock_get_object = instance.client.get_object
+
+    with patch('io.BytesIO', return_value=(os.path.join(logs_path, 'AWSSecurityLake', 'test_file.parquet'))):
+        events = instance.obtain_logs(utils.TEST_BUCKET, SAMPLE_PARQUET_KEY)
+
+    assert events == [json.dumps(SAMPLE_PARQUET_EVENT_1)]
+    mock_get_object.assert_called_with(Bucket=utils.TEST_BUCKET, Key=SAMPLE_PARQUET_KEY)
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sl_subscriber_bucket_obtain_logs_handles_exception(mock_wazuh_integration,
+                                                                                    mock_sts_client):
+    """Test 'obtain_information_from_parquet' handles exceptions raised when failing to process a parquet file."""
+    instance = utils.get_mocked_aws_sl_subscriber_bucket()
+
+    instance.client.get_object.side_effect = Exception
+
+    with pytest.raises(SystemExit) as e:
+        instance.obtain_logs(utils.TEST_BUCKET, SAMPLE_PARQUET_KEY)
+    assert e.value.code == utils.UNABLE_TO_FETCH_DELETE_FROM_QUEUE
+
+
+@patch('s3_log_handler.AWSSLSubscriberBucket.obtain_logs')
+@patch('wazuh_integration.WazuhIntegration.send_msg')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sl_subscriber_bucket_process_file(mock_wazuh_integration, mock_sts_client, mock_send, mock_obtain):
+    """Test 'process_file' method sends the events inside the given message to AnalysisD."""
+    instance = utils.get_mocked_aws_sl_subscriber_bucket()
+
+    mock_obtain.return_value = SAMPLE_PARQUET_EVENT_1
+
+    instance.process_file(SAMPLE_MESSAGE)
+
+    mock_obtain.assert_called_once_with(bucket=SAMPLE_MESSAGE['bucket_path'],
+                                        log_path=SAMPLE_MESSAGE['log_path'])
+    mock_send.assert_called()
+
+
+@pytest.mark.parametrize("content, is_csv",
+                         [
+                             ("Name, Age, City\nJohn, 30, New York", True),
+                             ("Name1, Age, City\nJohn, 30, New York", False),
+                             ("", True),
+                         ])
+def test_is_csv(content, is_csv):
+    """Test the 'is_csv' function of AWSSubscriberBucket class."""
+    valid_csv_file = io.StringIO(content)
+    assert s3_log_handler.AWSSubscriberBucket.is_csv(valid_csv_file) == is_csv
+
+@pytest.mark.parametrize("content, expected",
+                         [
+                             (['{"event1": "data1"}', '{"event2": "data2"}'],
+                              [{'event1': 'data1'}, {'event2': 'data2'}])
+                         ])
+def test_process_jsonl(content, expected):
+    """Test the '_process_jsonl' function of AWSSubscriberBucket class."""
+    assert s3_log_handler.AWSSubscriberBucket._process_jsonl(content) == expected
+
+
+def test_json_event_generator():
+    """Test the _json_event_generator function of AWSSubscriberBucket class."""
+    data = '{"event": "data1"}{"event": "data2"}'
+    generator = s3_log_handler.AWSSubscriberBucket._json_event_generator(data)
+    events = list(generator)
+    assert events == [{"event": "data1"}, {"event": "data2"}]
+
+
+@pytest.mark.parametrize("content, expected", [
+    ({'example1': None, 'example2': 'some_value'}, {'example2': 'some_value'}),
+    ({'example1': {'a': None, 'b': None}, 'example2': {'a': 1, 'b': None}},
+     {'example1': {}, 'example2': {'a': 1}})
+])
+def test_protected_remove_none_fields(content, expected):
+    """Test the '_remove_none_fields' function of AWSSubscriberBucket class."""
+    s3_log_handler.AWSSubscriberBucket._remove_none_fields(content)
+    assert content == expected
+
+
+@pytest.mark.parametrize(
+    "bucket_name, log_path, content, expected_logs",
+    [
+        (
+            "test_bucket",
+            "logs/sample.jsonl.gz",
+            '{"event": "data1"}\n{"event": "data2"}\n',
+            [{"event": "data1"}, {"event": "data2"}],
+        ),
+        (
+            "test_bucket",
+            "logs/sample.csv",
+            "Name, Age, City\nJohn, 30, New York",
+            [{"Age": "30", "City": "New York", "Name": "John", "source": "custom"}],
+        ),
+    ],
+    ids=[
+        "JSONL Sample Data",
+        "CSV Sample Data",
+    ],
+)
+def test_obtain_logs_processes_different_data_types(bucket_name, log_path, content, expected_logs):
+    """Test the 'obtain_logs' function of AWSSubscriberBucket class."""
+    with patch('s3_log_handler.wazuh_integration.WazuhIntegration.__init__'):
+        with patch('s3_log_handler.AWSSubscriberBucket.decompress_file', return_value=io.StringIO(content)):
+            formatted_logs = s3_log_handler.AWSSubscriberBucket().obtain_logs(bucket=bucket_name, log_path=log_path)
+
+            assert formatted_logs == expected_logs
+            assert formatted_logs is not None
+
+
+@patch('s3_log_handler.aws_tools.debug')
+def test_process_file_sends_expected_messages(mock_debug):
+    """Test the 'process_file' function of AWSSubscriberBucket class."""
+    with patch('s3_log_handler.wazuh_integration.WazuhIntegration.__init__'):
+        processor = s3_log_handler.AWSSubscriberBucket()
+        processor.discard_regex = re.compile('your_regex_pattern_here')
+        processor.discard_field = 'your_discard_field_value'
+
+        message_body = {'log_path': 'log.txt', 'bucket_path': 'bucket'}
+        formatted_logs = [{'full_log': 'some log entry matching discard regex'}]
+
+        processor.obtain_logs = MagicMock(return_value=formatted_logs)
+        processor.event_should_be_skipped = MagicMock(return_value=False)
+        processor.send_msg = MagicMock()
+
+        formatted_logs_no_full_log = [{'other_field': 'some value'}]
+        processor.obtain_logs.return_value = formatted_logs_no_full_log
+        processor.process_file(message_body)
+
+        expected_msg = {
+            'integration': 'aws',
+            'aws': {
+                'log_info': {
+                    'log_file': 'log.txt',
+                    's3bucket': 'bucket'
+                }
+            }
+        }
+        expected_msg['aws'].update(formatted_logs_no_full_log[0]) 
+        processor.send_msg.assert_called_once_with(expected_msg)
+
+        log_with_match = {'full_log': 'some log entry matching discard regex'}
+        formatted_logs_with_match = [log_with_match]
+
+        processor.obtain_logs.return_value = formatted_logs_with_match
+        processor.process_file(message_body)
+        processor.send_msg.assert_called_once()
+
+
+@pytest.mark.parametrize("content, expected_calls", [
+    (['{"event1": "data1"}', '{"event2": "data2"}'], [call('{"event1": "data1"}', dump_json=False), call('{"event2": "data2"}', dump_json=False)])
+])
+def test_protected_process_jsonl(content, expected_calls):
+    """Test the 'process_file' function of AWSSLSubscriberBucket class."""
+    aws_ssl_subscriber_bucket = utils.get_mocked_aws_sl_subscriber_bucket()
+    message_body = {'bucket_path': 'example-bucket', 'log_path': 'example-log.parquet'}
+    mocked_obtain_logs = MagicMock(return_value=content)
+    aws_ssl_subscriber_bucket.obtain_logs = mocked_obtain_logs
+
+    with patch.object(aws_ssl_subscriber_bucket, 'send_msg') as mock_send_msg:
+        aws_ssl_subscriber_bucket.process_file(message_body)
+
+    mocked_obtain_logs.assert_called_once_with(bucket='example-bucket', log_path='example-log.parquet')
+    mock_send_msg.assert_has_calls(expected_calls)
+
+
+@pytest.mark.parametrize("details, event", [
+    ({'actionName': 'Test action name', 'actionDescription': 'Test action description'},
+     {'actionName': 'Test action name', 'actionDescription': 'Test action description',
+      'extra_key': 'value'}),
+    ({'actionName': 'Test action name', 'actionDescription': 'Test action description',
+      'insightResults': [{'key': 'value'}], 'insightName': 'insightName', 'insightArn': 'insightArn'},
+     {'actionName': 'Test action name', 'actionDescription': 'Test action description',
+      'insightResults': [{'key': 'value'}], 'insightName': 'insightName', 'insightArn': 'insightArn',
+      'extra_key': 'value'}),
+    ({'findings': [{'key': 'value'}]},
+     {'finding': {'key': 'value'}, 'extra_key': 'value'})
+])
+def test_sec_hub_protected_add_event_type_fields(details, event):
+    """Test the 'add_event_type_fields' function of AWSSecurityHubSubscriberBucket class."""
+    base_event = dict(extra_key="value")
+    s3_log_handler.AWSSecurityHubSubscriberBucket._add_event_type_fields(details, base_event)
+    assert base_event == event
+
+
+@pytest.mark.parametrize(
+    "content, expected_logs",
+    [
+        (
+            '{"detail": {"data1": "value"}, "detail-type": "Security Hub Type"}'
+            '{"detail": {"data2": "value"}, "detail-type": "Security Hub Type"}',
+            [{"data1": "value", "source": "securityhub", "detail_type": "Security Hub Type"},
+             {"data2": "value", "source": "securityhub", "detail_type": "Security Hub Type"}],
+        ),
+    ]
+)
+def test_obtain_logs_processes_security_hub_events(content, expected_logs):
+    """Test the 'obtain_logs' method of AWSSecurityHubSubscriberBucket class."""
+    with patch('s3_log_handler.wazuh_integration.WazuhIntegration.__init__'):
+        with patch('s3_log_handler.AWSSubscriberBucket.decompress_file', return_value=io.StringIO(content)):
+            with patch("s3_log_handler.AWSSecurityHubSubscriberBucket._add_event_type_fields",
+                       side_effect=lambda event, base: base.update(event)):
+                formatted_logs = s3_log_handler.AWSSecurityHubSubscriberBucket().obtain_logs(bucket=utils.TEST_BUCKET,
+                                                                                             log_path=utils.TEST_LOG_KEY
+                                                                                             )
+                assert formatted_logs == expected_logs
+                assert formatted_logs is not None
+
+
+def test_sec_hub_obtain_logs_handles_exception():
+    """Test 'obtain_logs' handles exceptions raised when failing to process JSON files."""
+    with patch('s3_log_handler.wazuh_integration.WazuhIntegration.__init__'):
+        with patch('s3_log_handler.AWSSubscriberBucket.decompress_file'):
+            with patch('s3_log_handler.AWSSubscriberBucket._json_event_generator', side_effect=[json.JSONDecodeError
+                                                                                                ('test', 'test', 1),
+                                                                                                AttributeError]):
+                with pytest.raises(SystemExit) as e:
+                    s3_log_handler.AWSSecurityHubSubscriberBucket().obtain_logs(bucket=utils.TEST_BUCKET,
+                                                                                log_path=utils.TEST_LOG_KEY)
+                assert e.value.code == utils.PARSE_FILE_ERROR_CODE
+
+
+@pytest.mark.parametrize("discard_log", [True, False])
+@patch('s3_log_handler.aws_tools.debug')
+def test_sec_hub_process_file_sends_expected_messages(mock_debug, discard_log):
+    """Test 'process_file' method of AWSSecurityHubSubscriberBucket the class sends the events inside the given
+    message to AnalysisD."""
+    log_file = utils.TEST_LOG_KEY
+    bucket_path = utils.TEST_BUCKET
+    message_body = {"log_path": log_file, "bucket_path": bucket_path}
+
+    formatted_logs = [{"field": "value"}]
+
+    with patch('s3_log_handler.wazuh_integration.WazuhIntegration.__init__'):
+        with patch('s3_log_handler.AWSSecurityHubSubscriberBucket.obtain_logs', return_value=formatted_logs):
+            with patch('s3_log_handler.AWSSecurityHubSubscriberBucket.event_should_be_skipped',
+                       return_value=discard_log):
+                log_handler = s3_log_handler.AWSSecurityHubSubscriberBucket()
+
+                log_handler.discard_regex = re.compile('discard_regex')
+                log_handler.discard_field = 'discard_field'
+
+                log_handler.send_msg = MagicMock()
+                log_handler.process_file(message_body)
+                mock_debug.assert_called()
+                for log in formatted_logs:
+                    if not discard_log:
+                        expected_msg = {
+                            'integration': 'aws',
+                            'aws': {
+                                'log_info': {
+                                    'log_file': log_file,
+                                    's3bucket': bucket_path
+                                }
+                            }
+                        }
+                        expected_msg['aws'].update(log)
+                        log_handler.send_msg.assert_called_with(expected_msg)
diff --git a/src/modules/aws/scripts/tests/test_server_access.py b/src/modules/aws/scripts/tests/test_server_access.py
new file mode 100644
index 0000000000..c243f458d5
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_server_access.py
@@ -0,0 +1,238 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+import re
+from unittest.mock import patch, MagicMock, mock_open
+import botocore
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import server_access
+
+TEST_LOG_SERVER_ACCESS_FULL_PATH = '2021-04-29-09-12-25-F123456789012345'
+utils.LIST_OBJECT_V2_NO_PREFIXES['Contents'][0]['Key'] = TEST_LOG_SERVER_ACCESS_FULL_PATH
+
+
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_server_access_initializes_properly(mock_custom_bucket):
+    """Test if the instances of AWSServerAccess are created properly."""
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess)
+    assert instance.date_regex == re.compile(r'(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})')
+    assert instance.date_format == '%Y-%m-%d'
+
+    mock_custom_bucket.assert_called_once()
+
+
+@pytest.mark.parametrize('object_list',
+                         [utils.LIST_OBJECT_V2, utils.LIST_OBJECT_V2_NO_PREFIXES, utils.LIST_OBJECT_V2_TRUNCATED])
+@pytest.mark.parametrize('reparse', [True, False])
+@pytest.mark.parametrize('delete_file', [True, False])
+@pytest.mark.parametrize('same_prefix_result', [True, False])
+@patch('aws_bucket.aws_tools.debug')
+@patch('aws_bucket.AWSBucket.build_s3_filter_args')
+def test_aws_server_access_iter_files_in_bucket(mock_build_filter, mock_debug,
+                                                same_prefix_result: bool, delete_file: bool, reparse: bool,
+                                                object_list: dict):
+    """Test 'iter_files_in_bucket' method makes the necessary
+    method calls in order to process the logs inside the bucket.
+
+    Parameters
+    ----------
+    same_prefix_result: bool
+        Result from the execution of the _same_prefix method.
+    delete_file: bool
+        Whether to delete an already processed file from a bucket or not.
+    reparse: bool
+        Whether to parse already parsed logs or not.
+    object_list: dict
+        Objects to be returned by list_objects_v2.
+    """
+    with patch('wazuh_integration.WazuhIntegration.get_sts_client'), \
+            patch('wazuh_integration.WazuhAWSDatabase.__init__'):
+
+        instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess, bucket=utils.TEST_BUCKET,
+                                           delete_file=delete_file, reparse=reparse)
+
+        mock_build_filter.return_value = {
+            'Bucket': instance.bucket,
+            'MaxKeys': 1000,
+            'Prefix': utils.TEST_PREFIX
+        }
+
+        instance.client = MagicMock()
+        instance.client.list_objects_v2.return_value = object_list
+
+        aws_account_id = utils.TEST_ACCOUNT_ID
+        aws_region = None
+
+        with patch('aws_bucket.AWSBucket._same_prefix', return_value=same_prefix_result) as mock_same_prefix, \
+                patch('aws_bucket.AWSCustomBucket.already_processed', return_value=True) as mock_already_processed, \
+                patch('aws_bucket.AWSBucket.get_log_file') as mock_get_log_file, \
+                patch('aws_bucket.AWSBucket.iter_events') as mock_iter_events, \
+                patch('aws_bucket.AWSBucket._print_no_logs_to_process_message') as mock_no_logs_message, \
+                patch('aws_bucket.AWSCustomBucket.mark_complete') as mock_mark_complete:
+
+            if 'IsTruncated' in object_list and object_list['IsTruncated']:
+                instance.client.list_objects_v2.side_effect = [object_list, utils.LIST_OBJECT_V2_NO_PREFIXES]
+
+            instance.iter_files_in_bucket(aws_account_id, aws_region)
+
+            mock_build_filter.assert_any_call(aws_account_id, aws_region, custom_delimiter='-')
+            instance.client.list_objects_v2.assert_called_with(**mock_build_filter(aws_account_id, aws_region))
+
+            if 'Contents' not in object_list:
+                mock_no_logs_message.assert_any_call(instance.bucket, aws_account_id, aws_region)
+            else:
+                for bucket_file in object_list['Contents']:
+                    if not bucket_file['Key']:
+                        continue
+
+                    if bucket_file['Key'][-1] == '/':
+                        continue
+
+                    date_match = instance.date_regex.search(bucket_file['Key'])
+                    match_start = date_match.span()[0] if date_match else None
+
+                    mock_same_prefix.assert_called_with(match_start, aws_account_id, aws_region)
+
+                    if not instance._same_prefix(match_start, aws_account_id, aws_region):
+                        mock_debug.assert_any_call(f"++ Skipping file with another prefix: {bucket_file['Key']}", 3)
+                        continue
+
+                    mock_already_processed.assert_called_with(bucket_file['Key'], aws_account_id, aws_region)
+                    if instance.reparse:
+                        mock_debug.assert_any_call(
+                            f"++ File previously processed, but reparse flag set: {bucket_file['Key']}",
+                            1)
+                    else:
+                        mock_debug.assert_any_call(f"++ Skipping previously processed file: {bucket_file['Key']}", 2)
+                        continue
+
+                    mock_debug.assert_any_call(f"++ Found new log: {bucket_file['Key']}", 2)
+                    mock_get_log_file.assert_called_with(aws_account_id, bucket_file['Key'])
+                    mock_iter_events.assert_called()
+
+                    if instance.delete_file:
+                        mock_debug.assert_any_call(f"+++ Remove file from S3 Bucket:{bucket_file['Key']}", 2)
+
+                    mock_mark_complete.assert_called_with(aws_account_id, aws_region, bucket_file)
+
+                if object_list['IsTruncated']:
+                    mock_build_filter.assert_any_call(aws_account_id, aws_region, True)
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_server_access_iter_files_in_bucket_handles_exceptions(mock_sts):
+    """Test 'iter_files_in_bucket' method handles exceptions raised when the filename does not have the valid format
+    or by an unexpected cause and exits with the expected exit code.
+    """
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess)
+
+    instance.client = MagicMock()
+
+    with patch('aws_bucket.AWSBucket.build_s3_filter_args') as mock_build_filter:
+        with pytest.raises(SystemExit) as e:
+            instance.skip_on_error = False
+            utils.LIST_OBJECT_V2_NO_PREFIXES['Contents'][0]['Key'] = ['123']
+            instance.client.list_objects_v2.return_value = utils.LIST_OBJECT_V2_NO_PREFIXES
+            instance.iter_files_in_bucket(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+        assert e.value.code == utils.INVALID_KEY_FORMAT_ERROR_CODE
+
+        with pytest.raises(SystemExit) as e:
+            mock_build_filter.side_effect = Exception
+            instance.iter_files_in_bucket(utils.TEST_ACCOUNT_ID, utils.TEST_REGION)
+        assert e.value.code == utils.UNEXPECTED_ERROR_WORKING_WITH_S3
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_server_access_marker_only_logs_after(mock_sts):
+    """Test 'marker_only_logs_after' method returns the expected marker using the `only_logs_after` value."""
+    test_only_logs_after = utils.TEST_ONLY_LOGS_AFTER
+
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess, only_logs_after=test_only_logs_after)
+    instance.prefix = utils.TEST_PREFIX
+
+    instance.date_format = '%Y-%m-%d'
+
+    marker = instance.marker_only_logs_after(aws_region=utils.TEST_REGION, aws_account_id=utils.TEST_ACCOUNT_ID)
+    assert marker == f"{instance.prefix}" \
+                     f"{test_only_logs_after[0:4]}-{test_only_logs_after[4:6]}-{test_only_logs_after[6:8]}"
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_server_access_check_bucket_handles_exceptions_when_empty_bucket(mock_sts):
+    """Test 'check_bucket' method exits with the expected code when no files are found in the bucket."""
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess, bucket=utils.TEST_BUCKET)
+    instance.client = MagicMock()
+    instance.client.list_objects_v2.return_value = {'ResponseWithoutCommonPrefixes'}
+
+    with pytest.raises(SystemExit) as e:
+        instance.check_bucket()
+    assert e.value.code == utils.EMPTY_BUCKET_ERROR_CODE
+
+
+@pytest.mark.parametrize('error_code, exit_code', [
+    (aws_bucket.THROTTLING_EXCEPTION_ERROR_CODE, utils.THROTTLING_ERROR_CODE),
+    (aws_bucket.INVALID_CREDENTIALS_ERROR_CODE, utils.INVALID_CREDENTIALS_ERROR_CODE),
+    (aws_bucket.INVALID_REQUEST_TIME_ERROR_CODE, utils.INVALID_REQUEST_TIME_ERROR_CODE),
+    ("OtherClientError", utils.UNKNOWN_ERROR_CODE)
+])
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+def test_aws_server_access_check_bucket_handles_exceptions_on_client_error(mock_sts,
+                                                                           error_code: str, exit_code: int):
+    """Test 'check_bucket' method handles the different botocore exception and
+    exits with the expected code when an exception is raised accessing to AWS.
+
+    Parameters
+    ----------
+    error_code: str
+        Expected error message.
+    exit_code: int
+        Expected exit code.
+    """
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess)
+    instance.client = MagicMock()
+    instance.client.list_objects_v2.side_effect = botocore.exceptions.ClientError({'Error': {'Code': error_code}},
+                                                                                  "name")
+
+    with pytest.raises(SystemExit) as e:
+        instance.check_bucket()
+    assert e.value.code == exit_code
+
+
+@patch('aws_bucket.AWSCustomBucket.get_sts_client')
+def test_aws_server_access_load_information_from_file(mock_sts_client):
+    """Test 'load_information_from_file' method returns the expected information."""
+    instance = utils.get_mocked_bucket(class_=server_access.AWSServerAccess)
+
+    data = 'bucket_owner test_bucket [29/Apr/2025:08:47:53 +0000] 0.0.0.0 arn:aws:iam::123456789123:user/test.user ' \
+           'request_id operation - "GET /test_bucket?website= HTTP/1.1" 404 NoSuchWebsiteConfiguration 343 - 85 - ' \
+           '"-" "S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.991 Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 ' \
+           'OpenJDK_64-Bit_Server_VM/25.282-b08 java/1.8.0_282 vendor/Oracle_Corporation cfg/retry-mode/legacy" - ' \
+           'host_id signature_version cipher_suite authentication_type s3.amazonaws.com TLSv1.2 '
+    expected_information = [
+        {"bucket_owner": "bucket_owner", "bucket": "test_bucket", "time": "29/Apr/2025:08:47:53 +0000",
+         "remote_ip": "0.0.0.0", "requester": "arn:aws:iam::123456789123:user/test.user",
+         "request_id": "request_id", "operation": "operation", "key": "-",
+         "request_uri": "GET /test_bucket?website= HTTP/1.1", "http_status": "404",
+         "error_code": "NoSuchWebsiteConfiguration", "bytes_sent": "343",
+         "object_sent": "-", "total_time": "85",
+         "turn_around_time": "-", "referer": "-",
+         "user_agent": "S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.991 "
+                       "Linux/4.9.230-0.1.ac.224.84.332.metal1.x86_64 "
+                       "OpenJDK_64-Bit_Server_VM/25.282-b08 java/1.8.0_282 vendor/Oracle_Corporation "
+                       "cfg/retry-mode/legacy",
+         "version_id": "-", "host_id": "host_id",
+         "signature_version": "signature_version", "cipher_suite": "cipher_suite",
+         "authentication_type": "authentication_type", "host_header": "s3.amazonaws.com",
+         "tls_version": "TLSv1.2", "source": "s3_server_access"}]
+
+    with patch('aws_bucket.AWSBucket.decompress_file', mock_open(read_data=data)):
+        assert instance.load_information_from_file(utils.TEST_LOG_KEY) == expected_information
diff --git a/src/modules/aws/scripts/tests/test_sqs_message_processor.py b/src/modules/aws/scripts/tests/test_sqs_message_processor.py
new file mode 100644
index 0000000000..75e85a9874
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_sqs_message_processor.py
@@ -0,0 +1,173 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import json
+import sys
+import os
+
+sys.path.append(
+    os.path.join(os.path.dirname(os.path.realpath(__file__)), "..", "subscribers")
+)
+import sqs_message_processor as sqs
+
+
+@pytest.mark.parametrize(
+    "msg, expected",
+    [
+        (
+            {
+                "Records": [
+                    {"s3": {"object": {"key": "key"}, "bucket": {"name": "name"}}}
+                ]
+            },
+            {"route": {"log_path": "key", "bucket_path": "name"}},
+        ),
+        ({"example": "some_value"}, {"raw_message": {"example": "some_value"}}),
+    ],
+)
+def test_aws_s3_message_processor(msg, expected):
+    """
+    Test AWSS3MessageProcessor parse_message method.
+    """
+    processor = sqs.AWSS3MessageProcessor()
+    assert processor.parse_message(msg) == expected
+
+
+@pytest.mark.parametrize(
+    "msg, expected",
+    [
+        (
+            {"detail": {"object": {"key": "key"}, "bucket": {"name": "name"}}},
+            {"route": {"log_path": "key", "bucket_path": "name"}},
+        ),
+        ({"example": "some_value"}, {"raw_message": {"example": "some_value"}}),
+    ],
+)
+def test_aws_sec_lake_message_processor(msg, expected):
+    """
+    Test AWSSSecLakeMessageProcessor parse_message method.
+    """
+    processor = sqs.AWSSSecLakeMessageProcessor()
+    assert processor.parse_message(msg) == expected
+
+
+@pytest.mark.parametrize(
+    "sqs_processor, sqs_messages, expected",
+    [
+        (
+            sqs.AWSS3MessageProcessor,
+            [
+                {
+                    "ReceiptHandle": "h1",
+                    "Body": {
+                        "Records": [
+                            {
+                                "s3": {
+                                    "object": {"key": "key1"},
+                                    "bucket": {"name": "name1"},
+                                }
+                            }
+                        ]
+                    },
+                },
+                {
+                    "ReceiptHandle": "h2",
+                    "Body": {
+                        "Records": [
+                            {
+                                "s3": {
+                                    "object": {"key": "key2"},
+                                    "bucket": {"name": "name2"},
+                                }
+                            }
+                        ]
+                    },
+                },
+            ],
+            [
+                {"route": {"log_path": "key1", "bucket_path": "name1"}, "handle": "h1"},
+                {"route": {"log_path": "key2", "bucket_path": "name2"}, "handle": "h2"},
+            ],
+        ),
+        (
+            sqs.AWSSSecLakeMessageProcessor,
+            [
+                {
+                    "ReceiptHandle": "h1",
+                    "Body": {
+                        "detail": {
+                            "object": {"key": "key1"},
+                            "bucket": {"name": "name1"},
+                        }
+                    },
+                },
+                {"ReceiptHandle": "h2", "Body": {"example": "some_value"}},
+            ],
+            [
+                {"route": {"log_path": "key1", "bucket_path": "name1"}, "handle": "h1"},
+                {"raw_message": {"example": "some_value"}, "handle": "h2"},
+            ],
+        ),
+        (
+            sqs.AWSSSecLakeMessageProcessor,
+            [
+                {
+                    "ReceiptHandle": "h1",
+                    "Body": {
+                        "detail": {
+                            "object": {"key": "key1"},
+                            "bucket": {"name": "name1"},
+                        }
+                    },
+                },
+                {
+                    "ReceiptHandle": "h2",
+                    "Body": {
+                        "detail": {
+                            "object": {"key": "key2"},
+                            "bucket": {"name": "name2"},
+                        }
+                    },
+                },
+            ],
+            [
+                {"route": {"log_path": "key1", "bucket_path": "name1"}, "handle": "h1"},
+                {"route": {"log_path": "key2", "bucket_path": "name2"}, "handle": "h2"},
+            ],
+        ),
+        (
+            sqs.AWSS3MessageProcessor,
+            [
+                {
+                    "ReceiptHandle": "h1",
+                    "Body": {
+                        "Records": [
+                            {
+                                "s3": {
+                                    "object": {"key": "key1"},
+                                    "bucket": {"name": "name1"},
+                                }
+                            }
+                        ]
+                    },
+                },
+                {"ReceiptHandle": "h2", "Body": {"example": "some_value"}},
+            ],
+            [
+                {"route": {"log_path": "key1", "bucket_path": "name1"}, "handle": "h1"},
+                {"raw_message": {"example": "some_value"}, "handle": "h2"},
+            ],
+        ),
+    ],
+)
+def test_extract_message_info(sqs_processor, sqs_messages, expected):
+    """
+    Test extract_message_info method of AWSQueueMessageProcessor subclasses.
+    """
+    processor = sqs_processor()
+    for i, message in enumerate(sqs_messages):
+        sqs_messages[i]["Body"] = json.dumps(message["Body"])
+    result = processor.extract_message_info(sqs_messages)
+    assert result == expected
diff --git a/src/modules/aws/scripts/tests/test_sqs_queue.py b/src/modules/aws/scripts/tests/test_sqs_queue.py
new file mode 100644
index 0000000000..f8ccc83562
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_sqs_queue.py
@@ -0,0 +1,145 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import sys
+import os
+from unittest.mock import patch
+import pytest
+import json
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'subscribers'))
+import sqs_queue
+
+SAMPLE_RAW_MESSAGE = {'Messages': [{'MessageId': 'string', 'ReceiptHandle': 'string', 'MD5OfBody': 'string',
+                                    'Body': '{"detail": {"bucket": {"name": "example-bucket"},"object": {"key": '
+                                            '"example-key"}}}', 'Attributes': {'string': 'string'}}]}
+SAMPLE_BODY = json.loads(SAMPLE_RAW_MESSAGE['Messages'][0]['Body'])
+SAMPLE_MESSAGE = {"handle": SAMPLE_RAW_MESSAGE['Messages'][0]['ReceiptHandle']}
+SAMPLE_URL = "sqs-test-url.com"
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('s3_log_handler.AWSS3LogHandler.__init__', return_value=None)
+@patch('sqs_message_processor.AWSQueueMessageProcessor.__init__')
+@patch('sqs_queue.AWSSQSQueue._get_sqs_url')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effet=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_initializes_properly(mock_wazuh_integration, mock_get_sqs_url, mock_message_processor,
+                                            mock_bucket_log_handler_init, mock_client, mock_sts_client):
+    """Test if the instances of AWSSQSQueue are created properly."""
+    mock_sts_client.return_value = mock_client
+    kwargs = utils.get_aws_sqs_queue_parameters(name=utils.TEST_SQS_NAME,
+                                                external_id=utils.TEST_EXTERNAL_ID,
+                                                service_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                                sts_endpoint=utils.TEST_STS_ENDPOINT,
+                                                iam_role_arn=utils.TEST_IAM_ROLE_ARN,
+                                                iam_role_duration=utils.TEST_IAM_ROLE_DURATION)
+    integration = sqs_queue.AWSSQSQueue(message_processor=mock_message_processor,
+                                        bucket_handler=mock_bucket_log_handler_init,
+                                        **kwargs)
+    mock_wazuh_integration.assert_called_with(integration,
+                                              iam_role_arn=kwargs["iam_role_arn"],
+                                              profile=None,
+                                              external_id=kwargs["external_id"],
+                                              service_name='sqs',
+                                              sts_endpoint=kwargs["sts_endpoint"],
+                                              skip_on_error=False,
+                                              iam_role_duration=kwargs["iam_role_duration"])
+
+    assert integration.sqs_name == kwargs['name']
+    assert integration.iam_role_arn == kwargs['iam_role_arn']
+    mock_get_sqs_url.assert_called_once()
+    mock_bucket_log_handler_init.assert_called_once()
+    mock_sts_client.assert_called_with(None, None, None)
+    mock_client.get_caller_identity.assert_called_once()
+
+
+@patch('sqs_queue.AWSSQSQueue._get_sqs_url', return_value=SAMPLE_URL)
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_delete_message(mock_wazuh_integration, mock_sts_client, mock_get_url):
+    """Test 'delete_message' method sends the given message to SQS."""
+    instance = utils.get_mocked_aws_sqs_queue()
+    instance.delete_message(SAMPLE_MESSAGE)
+
+    instance.client.delete_message.assert_called_with(QueueUrl=SAMPLE_URL, ReceiptHandle=SAMPLE_MESSAGE["handle"])
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_delete_message_handles_exception_when_deleting_message(mock_wazuh_integration, mock_sts_client):
+    """Test 'delete_message' handles exceptions raised when trying to delete a message from SQS."""
+    instance = utils.get_mocked_aws_sqs_queue()
+    instance.client.delete_message.side_effect = Exception
+
+    with pytest.raises(SystemExit) as e:
+        instance.delete_message(SAMPLE_MESSAGE)
+    assert e.value.code == utils.UNABLE_TO_FETCH_DELETE_FROM_QUEUE
+
+
+@patch('sqs_queue.AWSSQSQueue._get_sqs_url', return_value=SAMPLE_URL)
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_fetch_messages(mock_wazuh_integration, mock_sts_client, mock_get_url):
+    """Test 'fetch_messages' method retrieves one or more messages from the specified queue."""
+    instance = utils.get_mocked_aws_sqs_queue()
+    mock_receive = instance.client.receive_message
+    mock_receive.return_value = SAMPLE_RAW_MESSAGE
+
+    raw_messages = instance.fetch_messages()
+    mock_receive.assert_called_with(QueueUrl=instance.sqs_url, AttributeNames=['All'],
+                                    MaxNumberOfMessages=10, MessageAttributeNames=['All'],
+                                    WaitTimeSeconds=20)
+    assert type(raw_messages) is dict
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_fetch_messages_handles_exception_when_getting_messages(mock_wazuh_integration, mock_sts_client):
+    """Test 'fetch_messages' handles exceptions raised when trying to retrieve messages from SQS."""
+    instance = utils.get_mocked_aws_sqs_queue()
+
+    mock_receive = instance.client.receive_message
+    mock_receive.side_effect = Exception
+
+    with pytest.raises(SystemExit) as e:
+        instance.fetch_messages()
+    assert e.value.code == utils.UNABLE_TO_FETCH_DELETE_FROM_QUEUE
+
+
+@patch('sqs_queue.AWSSQSQueue.fetch_messages', return_value=SAMPLE_RAW_MESSAGE)
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_get_messages(mock_wazuh_integration, mock_sts_client, mock_fetch):
+    """Test 'get_messages' method returns parsed messages."""
+    instance = utils.get_mocked_aws_sqs_queue()
+    mocked_processor_extract = instance.message_processor.extract_message_info
+    instance.get_messages()
+    mocked_processor_extract.assert_called_with(SAMPLE_RAW_MESSAGE['Messages'])
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhIntegration.__init__', side_effect=wazuh_integration.WazuhIntegration.__init__)
+def test_aws_sqs_queue_sync_events(mock_wazuh_integration, mock_sts_client):
+    """Test 'sync_events' method gets messages from the SQS queue, sends them to AnalysisD
+    and deletes from the queue until it is empty."""
+    instance = utils.get_mocked_aws_sqs_queue()
+
+    with patch('sqs_queue.AWSSQSQueue.get_messages',
+               side_effect=[[{"route": {"log_path": SAMPLE_BODY["detail"]["object"]["key"],
+                              "bucket_path": SAMPLE_BODY["detail"]["bucket"]["name"]},
+                              "handle": SAMPLE_MESSAGE["handle"]}], []]),\
+            patch('sqs_queue.AWSSQSQueue.delete_message') as mock_delete:
+        mock_process = instance.bucket_handler.process_file
+
+        instance.sync_events()
+
+        mock_process.assert_called()
+        mock_delete.assert_called()
diff --git a/src/modules/aws/scripts/tests/test_tools.py b/src/modules/aws/scripts/tests/test_tools.py
new file mode 100644
index 0000000000..9064b66dd3
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_tools.py
@@ -0,0 +1,224 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import argparse
+import os
+import sys
+import io
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import aws_tools
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+
+@pytest.mark.parametrize('msg_level', range(3))
+@patch('builtins.print')
+def test_debug(mock_print, msg_level):
+    """Test 'debug' function only prints messages with a level equal or greater than the debug level."""
+    msg = "test message"
+    aws_tools.debug(msg, msg_level)
+    if aws_tools.debug_level >= msg_level:
+        mock_print.assert_called_with(f"DEBUG: {msg}")
+    else:
+        mock_print.assert_not_called()
+
+
+def test_arg_valid_date():
+    """Test 'arg_valid_date' function returns a string with the expected format."""
+    parsed_date = aws_tools.arg_valid_date("2022-JAN-01")
+    assert isinstance(parsed_date, str)
+    assert parsed_date == "20220101"
+
+
+def test_arg_valid_date_raises_exception_when_invalid_format_provided():
+    """Test 'arg_valid_date' function raises an 'ArgumentTypeError' error if the format provided is not supported."""
+    with pytest.raises(argparse.ArgumentTypeError):
+        aws_tools.arg_valid_date("2022-01-01")
+
+
+@pytest.mark.parametrize('arg_string', ['prefix', 'prefix/', ''])
+def test_arg_valid_key(arg_string: str):
+    """Test 'arg_valid_key' function returns the expected key.
+
+    Parameters
+    ----------
+    arg_string: str
+        String containing the key to be formatted.
+    """
+    prefix = aws_tools.arg_valid_key(arg_string)
+    if arg_string:
+        assert isinstance(prefix, str)
+        assert prefix[-1] == "/"
+        assert arg_string in prefix
+
+
+def test_arg_valid_key_raises_exception_when_invalid_format_provided():
+    """Test 'arg_valid_key' function raises an 'ArgumentTypeError' error when invalid key is provided."""
+    with pytest.raises(argparse.ArgumentTypeError) as e:
+        aws_tools.arg_valid_key('prefix{}')
+
+
+@pytest.mark.parametrize('arg_string', [
+    utils.TEST_ACCOUNT_ID,
+    f'{utils.TEST_ACCOUNT_ID},{utils.TEST_ACCOUNT_ID}',
+    f'{utils.TEST_ACCOUNT_ID},{utils.TEST_ACCOUNT_ID},{utils.TEST_ACCOUNT_ID}',
+    None
+])
+def test_arg_valid_accountid(arg_string: str or None):
+    """Test 'arg_valid_accountid' function returns the expected number of account IDs.
+
+    Parameters
+    ----------
+    arg_string: str or None
+        String of account ids separated by comma.
+    """
+    account_ids = aws_tools.arg_valid_accountid(arg_string)
+    assert isinstance(account_ids, list)
+    assert len(account_ids) == (len(arg_string.split(',')) if arg_string else 0)
+
+
+@pytest.mark.parametrize('arg_string', [
+    utils.TEST_ACCOUNT_ID[:-1],
+    f'{utils.TEST_ACCOUNT_ID},{utils.TEST_ACCOUNT_ID[:-1]}',
+    f'{utils.TEST_ACCOUNT_ID},{utils.TEST_ACCOUNT_ID},123456789abc'
+])
+def test_arg_valid_accountid_raises_exception_when_invalid_account_provided(arg_string):
+    """Test 'arg_valid_accountid' function raises an 'ArgumentTypeError' error
+    if the number of digits is different to 12 or the account id is not formed only by digits.
+
+    Parameters
+    ----------
+    arg_string: str or None
+        String of account ids separated by comma.
+    """
+    with pytest.raises(argparse.ArgumentTypeError):
+        aws_tools.arg_valid_accountid(arg_string)
+
+
+@pytest.mark.parametrize('arg_string', [
+    utils.TEST_REGION,
+    f'{utils.TEST_REGION},{utils.TEST_REGION}',
+    f'{utils.TEST_REGION},{utils.TEST_REGION},{utils.TEST_REGION}',
+    None
+])
+def test_arg_valid_regions(arg_string):
+    """Test 'arg_valid_regions' function returns the expected number of regions.
+
+    Parameters
+    ----------
+    arg_string: str or None
+        String of regions separated by comma.
+    """
+    regions = aws_tools.arg_valid_regions(arg_string)
+    assert isinstance(regions, list)
+    assert len(regions) == (len(set(arg_string.split(','))) if arg_string else 0)
+
+
+def test_arg_valid_regions_raises_exception_when_invalid_region_provided():
+    """Test 'arg_valid_regions' function raises an 'ArgumentTypeError' error when invalid region is provided."""
+    with pytest.raises(argparse.ArgumentTypeError) as e:
+        aws_tools.arg_valid_regions('invalid-region')
+
+
+@pytest.mark.parametrize('arg_string', ["900", "43200"])
+def test_arg_valid_iam_role_duration(arg_string: str):
+    """Test 'arg_valid_iam_role_duration' function returns the expected duration.
+
+    Parameters
+    ----------
+    arg_string: str
+        The desired session duration in seconds.
+    """
+    duration = aws_tools.arg_valid_iam_role_duration(arg_string)
+    assert isinstance(duration, int)
+    assert duration == int(arg_string)
+
+
+def test_arg_valid_bucket_name_raises_exception_when_invalid_bucket_name_provided():
+    """Test 'arg_valid_bucket_name' function raises an 'ArgumentTypeError' error when invalid
+    bucket name is provided.
+    """
+    with pytest.raises(argparse.ArgumentTypeError) as e:
+        aws_tools.arg_valid_bucket_name('--ol-s3-invalid')
+
+
+@pytest.mark.parametrize('arg_string', ["899", "43201"])
+def test_arg_valid_iam_role_duration_raises_exception_when_invalid_duration_provided(arg_string):
+    """Test 'arg_valid_iam_role_duration' function raises an 'ArgumentTypeError' error
+    when the duration is not between 15m and 12h.
+
+    Parameters
+    ----------
+    arg_string: str
+        The desired session duration in seconds.
+    """
+    with pytest.raises(argparse.ArgumentTypeError):
+        aws_tools.arg_valid_iam_role_duration(arg_string)
+
+
+@pytest.mark.parametrize("test_input, expected_output", [
+    (('external_id', None, None), "ERROR: Used a subscriber but no --iam_role_arn provided."),
+    (('external_id', None, 'iam_role_arn'), "ERROR: Used a subscriber but no --queue provided."),
+    ((None, 'name', 'iam_role_arn'), "ERROR: Used a subscriber but no --external_id provided.")
+])
+def test_arg_validate_security_lake_auth_params(test_input, expected_output):
+    """Test the arg_validate_security_lake_auth_params function of aws_tools."""
+    captured_output = io.StringIO()
+    sys.stdout = captured_output
+
+    with pytest.raises(SystemExit) as excinfo:
+        aws_tools.arg_validate_security_lake_auth_params(*test_input)
+
+    output = captured_output.getvalue().strip()
+
+    assert output == expected_output
+    assert excinfo.value.code == 21
+
+    sys.stdout = sys.__stdout__
+
+
+@patch('configparser.RawConfigParser')
+def test_get_aws_config_params(mock_config):
+    """Test 'get_aws_config_params' function returns the expected configparser.RawConfigParser object"""
+    config = MagicMock()
+    mock_config.return_value = config
+    assert aws_tools.get_aws_config_params() == config
+    config.read.assert_called_with(aws_tools.DEFAULT_AWS_CONFIG_PATH)
+
+
+@pytest.mark.parametrize('mutually_exclusive_parameter', ['--bucket', '--service'])
+def test_get_script_arguments(capsys, mutually_exclusive_parameter):
+    """Test 'get_script_arguments' function shows no messages when the required parameters were provided."""
+    with patch("sys.argv", ['main', mutually_exclusive_parameter, 'any']):
+        aws_tools.get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == "", 'stdout was not empty'
+    assert stderr == "", 'stderr was not empty'
+
+
+@pytest.mark.parametrize('args', [
+    ['main'],
+])
+def test_get_script_arguments_required(capsys, args):
+    """Test 'get_script_arguments' function shows an error message when the required parameters are not provided."""
+    with patch("sys.argv", args), pytest.raises(SystemExit) as exception:
+        aws_tools.get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == "", 'The output was not empty'
+    assert stderr != "", 'No error message was found in the output'
+    assert exception.value.code == 2
+
+
+def test_get_script_arguments_iam_role_duration_but_no_iam_role_arn_raises_exception():
+    """Test 'get_script_arguments' function raises an 'ArgumentTypeError' error when the `iam_role_duration`
+    parameter is provided but the 'iam_role_arn' is not.
+    """
+    args = ['main', '--subscriber', 'security_lake', '--iam_role_duration', '3600']
+    with patch("sys.argv", args), pytest.raises(argparse.ArgumentTypeError) as exception:
+        aws_tools.get_script_arguments()
diff --git a/src/modules/aws/scripts/tests/test_umbrella.py b/src/modules/aws/scripts/tests/test_umbrella.py
new file mode 100644
index 0000000000..58f9d7371a
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_umbrella.py
@@ -0,0 +1,116 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+from unittest.mock import patch, mock_open
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import umbrella
+
+
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_cisco_umbrella_initializes_properly(mock_custom_bucket):
+    """Test if the instances of CiscoUmbrella are created properly."""
+    instance = utils.get_mocked_bucket(class_=umbrella.CiscoUmbrella)
+    assert not instance.check_prefix
+    assert instance.date_format == '%Y-%m-%d'
+
+    mock_custom_bucket.assert_called_once()
+
+
+@pytest.mark.parametrize('prefix, data, expected_result', [
+    ('dnslogs',
+     '"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "0.0.0.0","0.0.0.0",'
+     '"Allowed","1 (A)", "NOERROR","domain-visited.com.", "Chat,Photo Sharing,Social Networking,Allow List"',
+     [{"timestamp": "2015-01-16 17:48:41", "most_granular_identity": "ActiveDirectoryUserName",
+       "identities": " \"ActiveDirectoryUserName", "internal_ip": "ADSite", "external_ip": "Network\"",
+       "action": " \"0.0.0.0\"", "query_type": "0.0.0.0", "response_code": "Allowed", "domain": "1 (A)",
+       "categories": " \"NOERROR\"", "most_granular_identity_type": "domain-visited.com.",
+       "identity_types": " \"Chat", "blocked_categories": "Photo Sharing",
+       None: [
+           "Social Networking",
+           "Allow List\""], 'source': 'cisco_umbrella'}
+      ]),
+    ('proxylogs',
+     '"2017-10-02 23:52:53","TheComputerName","ActiveDirectoryUserName, ADSite,Network","0.0.0.0","0.0.0.0","",'
+     '"ALLOWED", "http://example.com/the.js","www.example.com", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) '
+     'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200", "562","1489","","","","","",'
+     '"","","Networks"',
+     [{"timestamp": "2017-10-02 23:52:53", "identities": "TheComputerName",
+       "internal_ip": "ActiveDirectoryUserName, ADSite,Network",
+       "external_ip": "0.0.0.0", "destination_ip": "0.0.0.0", "content_type": "", "verdict": "ALLOWED",
+       "url": " \"http://example.com/the.js\"",
+       "referer": "www.example.com",
+       "user_agent": " \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML",
+       "status_code": " like Gecko) Chrome/61.0.3163.100 Safari/537.36\"", "requested_size": "200",
+       "response_size": " \"562\"", "response_body_size": "1489", "sha": "", "categories": "", "av_detections": "",
+       "puas": "",
+       "amp_disposition": "", "amp_malware_name": "", "amp_score": "", "identity_type": "Networks",
+       'source': 'cisco_umbrella'}]),
+    ('iplogs',
+     '"2017-10-02 19:58:12","TheComputerName","0.0.0.0", "55605","0.0.0.0","443","Unauthorized IP Tunnel Access"',
+     [{"timestamp": "2017-10-02 19:58:12",
+       "identity": "TheComputerName",
+       "source_ip": "0.0.0.0",
+       "source_port": " \"55605\"",
+       "destination_ip": "0.0.0.0",
+       "destination_port": "443",
+       "categories": "Unauthorized IP Tunnel Access",
+       'source': 'cisco_umbrella'}])
+])
+@patch('aws_bucket.AWSCustomBucket.get_sts_client')
+def test_cisco_umbrella_load_information_from_file(mock_sts_client, prefix: str,
+                                                   data: str, expected_result: list[dict]):
+    """Test 'load_information_from_file' method returns the expected information.
+
+    Parameters
+    ----------
+    prefix: str
+        Prefix to filter files in bucket.
+    data: str
+        Data found in a Cisco Umbrella log file.
+    expected_result: list[dict]
+        Expected data extracted from a Cisco Umbrella log file.
+    """
+    instance = utils.get_mocked_bucket(class_=umbrella.CiscoUmbrella)
+    instance.prefix = prefix
+
+    with patch('aws_bucket.AWSBucket.decompress_file', mock_open(read_data=data)):
+        assert instance.load_information_from_file(utils.TEST_LOG_KEY) == expected_result
+
+
+@patch('aws_bucket.AWSCustomBucket.get_sts_client')
+def test_cisco_umbrella_load_information_from_file_handles_exceptions(mock_sts_client):
+    """Test 'load_information_from_file' method exits when the prefix is not dnslogs, proxylogs or iplogs
+    with the expected error code
+    """
+    instance = utils.get_mocked_bucket(class_=umbrella.CiscoUmbrella)
+    instance.prefix = 'Error prefix'
+
+    with patch('aws_bucket.AWSBucket.decompress_file'), \
+            pytest.raises(SystemExit) as e:
+        instance.load_information_from_file(utils.TEST_LOG_KEY)
+    assert e.value.code == utils.INVALID_TYPE_ERROR_CODE
+
+
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+def test_cisco_umbrella_marker_only_logs_after(mock_integration, mock_sts):
+    """Test 'marker_only_logs_after' method returns the expected marker using the `only_logs_after` value."""
+    test_only_logs_after = utils.TEST_ONLY_LOGS_AFTER
+
+    instance = utils.get_mocked_bucket(class_=umbrella.CiscoUmbrella, only_logs_after=test_only_logs_after)
+    instance.prefix = utils.TEST_PREFIX
+
+    instance.date_format = '%Y-%m-%d'
+
+    marker = instance.marker_only_logs_after(aws_region=utils.TEST_REGION, aws_account_id=utils.TEST_ACCOUNT_ID)
+    assert marker == f"{instance.prefix}{test_only_logs_after[0:4]}-{test_only_logs_after[4:6]}-" \
+                     f"{test_only_logs_after[6:8]}"
diff --git a/src/modules/aws/scripts/tests/test_vpcflow.py b/src/modules/aws/scripts/tests/test_vpcflow.py
new file mode 100644
index 0000000000..9823314830
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_vpcflow.py
@@ -0,0 +1,304 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+import botocore
+from datetime import datetime, timedelta
+from unittest.mock import patch, MagicMock, mock_open
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import vpcflow
+
+VPC_SCHEMA_COUNT = 8
+
+DAYS_DELTA = 10
+
+TEST_VPCFLOW_SCHEMA = "schema_vpcflow_test.sql"
+TEST_EMPTY_TABLE_SCHEMA = "schema_empty_vpc_table.sql"
+
+TEST_FLOW_LOG_ID = 'fl-1234'
+TEST_TABLE_NAME = 'vpcflow'
+TEST_LOG_KEY = 'vpc/AWSLogs/123456789/vpcflowlogs/us-east-1/2019/04/15/123456789_vpcflowlogs_us-east-1_' \
+               'fl-1234_20190415T0945Z_c23ab7.log.gz'
+TEST_DATE = "2023/01/01"
+
+SQL_GET_DATE_LAST_LOG_PROCESSED = """SELECT created_date FROM {table_name} ORDER BY log_key DESC LIMIT 1;"""
+SQL_GET_ROW = "SELECT bucket_path, aws_account_id, aws_region, flow_log_id, log_key, created_date FROM {table_name};"
+SQL_FIND_LAST_KEY_PROCESSED = """SELECT log_key FROM {table_name} ORDER BY log_key DESC LIMIT 1;"""
+
+
+@patch('aws_bucket.AWSLogsBucket.__init__')
+def test_aws_vpc_flow_bucket_initializes_properly(mock_logs_bucket):
+    """Test if the instances of AWSVPCFlowBucket are created properly."""
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+    assert instance.service == 'vpcflowlogs'
+
+    mock_logs_bucket.assert_called_once()
+
+
+def test_aws_vpc_flow_bucket_load_information_from_file():
+    """Test 'load_information_from_file' method returns the expected information."""
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+
+    data = '2 123456789123 eni-12345678912345678 0.0.0.0 0.0.0.0 3500 52000 6 39 4698 1622505433 1622505730 ACCEPT OK'
+
+    expected_result = [{
+        'version': '2', 'account_id': '123456789123',
+        'interface_id': 'eni-12345678912345678',
+        'srcaddr': '0.0.0.0', 'dstaddr': '0.0.0.0',
+        'srcport': '3500', 'dstport': '52000',
+        'protocol': '6', 'packets': '39',
+        'bytes': '4698', 'start': '1622505433',
+        'end': '1622505730', 'action': 'ACCEPT', 'log_status': 'OK'
+    }]
+    expected_result[0].update({'source': 'vpc'})
+    expected_result[0]["start"] = datetime.utcfromtimestamp(int(expected_result[0]["start"])).strftime(
+        '%Y-%m-%dT%H:%M:%SZ')
+    expected_result[0]["end"] = datetime.utcfromtimestamp(int(expected_result[0]["end"])).strftime('%Y-%m-%dT%H:%M:%SZ')
+
+    with patch('aws_bucket.AWSBucket.decompress_file', mock_open(read_data=data)):
+        assert instance.load_information_from_file(utils.TEST_LOG_KEY) == list(expected_result)
+
+
+@pytest.mark.parametrize('profile', [None, utils.TEST_AWS_PROFILE])
+def test_aws_vpc_flow_bucket_get_ec2_client(profile: str or None):
+    """Test 'get_ec2_client' method instantiates a boto3.Session object with the proper arguments.
+
+    Parameters
+    ----------
+    profile: str or None
+        AWS profile.
+    """
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+    region = utils.TEST_REGION
+
+    conn_args = {'region_name': region}
+
+    if profile is not None:
+        conn_args['profile_name'] = profile
+
+    with patch('boto3.Session') as mock_session:
+        instance.connection_config = MagicMock()
+        instance.get_ec2_client(region, profile)
+        mock_session.assert_called_once_with(**conn_args)
+
+
+@patch('aws_bucket.AWSLogsBucket.__init__')
+def test_aws_vpc_flow_bucket_get_ec2_client_handles_exceptions_on_ec2_client_error(mock_logs_bucket):
+    """Test 'get_ec2_client' method handles exceptions raised when trying to get the EC2 client."""
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+
+    with patch('boto3.Session'), \
+            pytest.raises(SystemExit) as e:
+        instance.get_ec2_client(utils.TEST_REGION, utils.TEST_AWS_PROFILE)
+    assert e.value.code == utils.INVALID_CREDENTIALS_ERROR_CODE
+
+
+@patch('vpcflow.AWSVPCFlowBucket.get_ec2_client')
+def test_aws_vpc_flow_bucket_get_flow_logs_ids(mock_get_ec2_client):
+    """Test 'get_flow_logs_ids' method returns the expected flow log ids from the client's response."""
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+
+    ec2_client = mock_get_ec2_client.return_value
+    ec2_client.describe_flow_logs.return_value = {
+        'FlowLogs': [
+            {
+                'FlowLogId': 'Id1',
+                'OtherFields': 'fields'
+            },
+            {
+                'FlowLogId': 'Id2',
+                'OtherFields': 'fields'
+            },
+            {
+                'FlowLogId': 'Id3',
+                'OtherFields': 'fields'
+            },
+        ],
+        'NextToken': 'string'
+    }
+
+    assert ['Id1', 'Id2', 'Id3'] == instance.get_flow_logs_ids(utils.TEST_REGION, utils.TEST_AWS_PROFILE)
+
+
+@pytest.mark.parametrize('log_file, account_id, region, expected_result', [
+    (TEST_LOG_KEY, utils.TEST_ACCOUNT_ID, utils.TEST_REGION, True),
+    ("", utils.TEST_ACCOUNT_ID, utils.TEST_REGION, False),
+    (TEST_LOG_KEY, "", utils.TEST_REGION, False),
+])
+def test_aws_vpc_flow_bucket_already_processed(custom_database,
+                                               log_file: str, account_id: str,
+                                               region: str, expected_result: bool):
+    """Test 'already_processed' method correctly determines if a log file has been processed.
+
+    Parameters
+    ----------
+    log_file: str
+        Complete path of the downloaded file.
+    account_id: str
+        AWS account ID.
+    region: str
+        Region of service.
+    expected_result: bool
+        Expected result from the method's execution.
+    """
+    utils.database_execute_script(custom_database, TEST_VPCFLOW_SCHEMA)
+
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket, bucket=utils.TEST_BUCKET)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = TEST_TABLE_NAME
+    instance.aws_account_id = utils.TEST_ACCOUNT_ID
+
+    assert instance.already_processed(downloaded_file=log_file, aws_account_id=account_id,
+                                      aws_region=region, flow_log_id=TEST_FLOW_LOG_ID) == expected_result
+
+
+@pytest.mark.parametrize('account_id', [[utils.TEST_ACCOUNT_ID], None])
+@pytest.mark.parametrize('regions', [[utils.TEST_REGION], None])
+@patch('aws_bucket.AWSLogsBucket.iter_files_in_bucket')
+@patch('vpcflow.AWSVPCFlowBucket.get_flow_logs_ids', return_value=['Id1'])
+@patch('vpcflow.AWSVPCFlowBucket.db_maintenance')
+@patch('aws_bucket.AWSBucket.find_account_ids', return_value=[utils.TEST_ACCOUNT_ID])
+@patch('aws_bucket.AWSBucket.find_regions', side_effect=[[utils.TEST_REGION], None])
+def test_aws_vpc_flow_bucket_iter_regions_and_accounts(mock_find_regions, mock_accounts,
+                                                       mock_maintenance, mock_get_flow_logs_ids,
+                                                       mock_iter_files_in_bucket,
+                                                       regions: list[str] or None, account_id: list[str] or None):
+    """Test 'iter_regions_and_accounts' method makes the necessary calls in order to process the bucket's files.
+
+    Parameters
+    ----------
+    regions: list[str] or None
+        List of regions.
+    account_id: list[str] or None
+        List of account IDs.
+    """
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket)
+
+    instance.profile_name = utils.TEST_AWS_PROFILE
+
+    instance.iter_regions_and_accounts(account_id, regions)
+
+    if not account_id:
+        mock_accounts.assert_called_once()
+        account_id = instance.find_account_ids()
+    for aws_account_id in account_id:
+        if not regions:
+            mock_find_regions.assert_called_with(aws_account_id)
+            regions = instance.find_regions(aws_account_id)
+            if not regions:
+                continue
+        for aws_region in regions:
+            mock_get_flow_logs_ids.assert_called_with(
+                aws_region, aws_account_id, profile_name=instance.profile_name
+            )
+            flow_logs_ids = instance.get_flow_logs_ids(aws_region, profile_name=instance.profile_name)
+            for flow_log_id in flow_logs_ids:
+                mock_iter_files_in_bucket.assert_called_with(aws_account_id, aws_region, flow_log_id=flow_log_id)
+                mock_maintenance.assert_called_with(aws_account_id, aws_region, flow_log_id)
+
+
+@pytest.mark.parametrize('flow_log_id', [TEST_FLOW_LOG_ID, "other-id"])
+@pytest.mark.parametrize('region', [utils.TEST_REGION, "invalid_region"])
+def test_aws_vpc_flow_bucket_db_count_region(custom_database, region: str, flow_log_id: str):
+    """Test 'db_count_region' method returns the number of rows in DB for a region.
+
+    Parameters
+    ----------
+    region: str
+        AWS region that may or not be in DB.
+    flow_log_id: str
+        Flow log ID.
+    """
+    utils.database_execute_script(custom_database, TEST_VPCFLOW_SCHEMA)
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket, bucket=utils.TEST_BUCKET)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = TEST_TABLE_NAME
+
+    expected_count = VPC_SCHEMA_COUNT if region == utils.TEST_REGION and flow_log_id == TEST_FLOW_LOG_ID else 0
+    assert instance.db_count_region(utils.TEST_ACCOUNT_ID, region, flow_log_id) == expected_count
+
+
+@pytest.mark.parametrize('expected_db_count', [VPC_SCHEMA_COUNT, 0])
+def test_aws_vpc_flow_bucket_db_maintenance(custom_database, expected_db_count: int):
+    """Test 'db_maintenance' function deletes rows from a table until the count is equal to 'retain_db_records'."""
+    utils.database_execute_script(custom_database, TEST_VPCFLOW_SCHEMA)
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket, bucket=utils.TEST_BUCKET)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = TEST_TABLE_NAME
+    instance.retain_db_records = expected_db_count
+
+    assert utils.database_execute_query(instance.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=instance.db_table_name)) == VPC_SCHEMA_COUNT
+
+    with patch('aws_bucket.AWSBucket.db_count_region', return_value=VPC_SCHEMA_COUNT):
+        instance.db_maintenance(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                                flow_log_id=TEST_FLOW_LOG_ID)
+
+    assert utils.database_execute_query(instance.db_connector, utils.SQL_COUNT_ROWS.format(
+        table_name=instance.db_table_name)) == expected_db_count
+
+
+def test_aws_vpc_flow_bucket_mark_complete(custom_database):
+    """Test 'mark_complete' method inserts non-processed logs into the DB."""
+    utils.database_execute_script(custom_database, TEST_EMPTY_TABLE_SCHEMA)
+
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket, bucket=utils.TEST_BUCKET)
+
+    instance.reparse = True
+    with patch('vpcflow.AWSVPCFlowBucket.already_processed', return_value=True), \
+            patch('aws_bucket.aws_tools.debug') as mock_debug:
+        instance.mark_complete(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                               log_file={'Key': TEST_LOG_KEY}, flow_log_id=TEST_FLOW_LOG_ID)
+        mock_debug.assert_called_once_with(f'+++ File already marked complete, but reparse flag set: {TEST_LOG_KEY}', 2)
+
+    instance.reparse = False
+
+    log_file = {'Key': TEST_LOG_KEY}
+
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.db_table_name = TEST_TABLE_NAME
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=instance.db_table_name)) == 0
+
+    instance.mark_complete(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                           log_file=log_file, flow_log_id=TEST_FLOW_LOG_ID)
+
+    assert utils.database_execute_query(instance.db_connector,
+                                        utils.SQL_COUNT_ROWS.format(table_name=instance.db_table_name)) == 1
+
+    row = utils.database_execute_query(instance.db_connector, SQL_GET_ROW.format(table_name=instance.db_table_name))
+    assert row[0] == f"{utils.TEST_BUCKET}/"
+    assert row[1] == utils.TEST_ACCOUNT_ID
+    assert row[2] == utils.TEST_REGION
+    assert row[3] == TEST_FLOW_LOG_ID
+    assert row[4] == TEST_LOG_KEY
+    assert row[5] == instance.get_creation_date(log_file)
+
+
+@patch('aws_bucket.aws_tools.debug')
+def test_aws_vpc_flow_bucket_mark_complete_handles_exceptions_on_query_error(mock_debug, custom_database):
+    """Test 'mark_complete' handles exceptions raised when trying to execute a query to the DB."""
+    instance = utils.get_mocked_bucket(class_=vpcflow.AWSVPCFlowBucket, reparse=False)
+
+    instance.db_connector = custom_database
+    mocked_cursor = MagicMock()
+    mocked_cursor.execute.side_effect = Exception
+    instance.db_cursor = mocked_cursor
+
+    instance.mark_complete(aws_account_id=utils.TEST_ACCOUNT_ID, aws_region=utils.TEST_REGION,
+                           log_file={'Key': TEST_LOG_KEY}, flow_log_id=TEST_FLOW_LOG_ID)
+
+    mock_debug.assert_any_call(f"+++ Error marking log {TEST_LOG_KEY} as completed: ", 2)
diff --git a/src/modules/aws/scripts/tests/test_waf.py b/src/modules/aws/scripts/tests/test_waf.py
new file mode 100644
index 0000000000..a62724f0a8
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_waf.py
@@ -0,0 +1,89 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import os
+import sys
+from unittest.mock import patch, MagicMock
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'buckets_s3'))
+import aws_bucket
+import waf
+
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+logs_path = os.path.join(test_data_path, 'log_files')
+
+
+@patch('aws_bucket.AWSCustomBucket.__init__')
+def test_aws_waf_bucket_initializes_properly(mock_custom_bucket):
+    """Test if the instances of AWSWAFBucket are created properly."""
+    utils.get_mocked_bucket(class_=waf.AWSWAFBucket)
+    mock_custom_bucket.assert_called_once()
+
+
+@pytest.mark.parametrize('log_file, skip_on_error', [
+    (os.path.join(logs_path, 'WAF', 'aws_waf'), False),
+    (os.path.join(logs_path, 'WAF', 'aws_waf'), True),
+    (os.path.join(logs_path, 'WAF', 'aws_waf_invalid_json'), True),
+    (os.path.join(logs_path, 'WAF', 'aws_waf_wrong_structure'), True),
+])
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('aws_bucket.AWSBucket.__init__', side_effect=aws_bucket.AWSBucket.__init__)
+@patch('aws_bucket.AWSCustomBucket.__init__', side_effect=aws_bucket.AWSCustomBucket.__init__)
+def test_aws_waf_bucket_load_information_from_file(mock_custom_bucket, mock_bucket, mock_sts, mock_integration,
+                                                   log_file: str, skip_on_error: bool):
+    """Test AWSWAFBucket's implementation of the load_information_from_file method.
+
+    Parameters
+    ----------
+    log_file : str
+        File that should be decompressed.
+    skip_on_error : bool
+        If the skip_on_error is disabled or not.
+    """
+    instance = utils.get_mocked_bucket(class_=waf.AWSWAFBucket)
+    instance.skip_on_error = skip_on_error
+    with open(log_file, 'rb') as f:
+        instance.client = MagicMock()
+        instance.client.get_object.return_value.__getitem__.return_value = f
+        instance.load_information_from_file(log_file)
+
+
+@pytest.mark.parametrize('log_file, skip_on_error, expected_exception', [
+    (os.path.join(logs_path, 'WAF', 'aws_waf_invalid_json'), False, SystemExit),
+    (os.path.join(logs_path, 'WAF', 'aws_waf_wrong_structure'), False, SystemExit),
+])
+@patch('wazuh_integration.WazuhAWSDatabase.__init__')
+@patch('wazuh_integration.WazuhIntegration.get_sts_client')
+@patch('aws_bucket.AWSBucket.__init__', side_effect=aws_bucket.AWSBucket.__init__)
+@patch('aws_bucket.AWSCustomBucket.__init__', side_effect=aws_bucket.AWSCustomBucket.__init__)
+def test_aws_waf_bucket_load_information_from_file_handles_exception_on_invalid_argument(mock_custom_bucket,
+                                                                                         mock_bucket, mock_sts,
+                                                                                         mock_integration,
+                                                                                         log_file: str,
+                                                                                         skip_on_error: bool,
+                                                                                         expected_exception: Exception):
+    """Test that AWSWAFBucket's implementation of the load_information_from_file method raises
+    an exception when called with invalid arguments.
+
+    Parameters
+    ----------
+    log_file : str
+        File that should be decompressed.
+    skip_on_error : bool
+        If the skip_on_error is disabled or not.
+    expected_exception : Exception
+        Exception that should be raised.
+    """
+    instance = utils.get_mocked_bucket(class_=waf.AWSWAFBucket)
+    instance.skip_on_error = skip_on_error
+    with open(log_file, 'rb') as f, \
+            pytest.raises(expected_exception):
+        instance.client = MagicMock()
+        instance.client.get_object.return_value.__getitem__.return_value = f
+        instance.load_information_from_file(log_file)
diff --git a/src/modules/aws/scripts/tests/test_wazuh_integration.py b/src/modules/aws/scripts/tests/test_wazuh_integration.py
new file mode 100644
index 0000000000..e99d32fb42
--- /dev/null
+++ b/src/modules/aws/scripts/tests/test_wazuh_integration.py
@@ -0,0 +1,532 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import gzip
+import os
+import socket
+import sqlite3
+import sys
+import zipfile
+import zlib
+from datetime import datetime, timezone
+from json import dumps
+from unittest.mock import MagicMock, patch, call
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '.'))
+import aws_utils as utils
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
+import wazuh_integration
+import aws_tools
+
+TEST_METADATA_SCHEMA = "schema_metadata_test.sql"
+TEST_METADATA_DEPRECATED_TABLES_SCHEMA = "schema_metadata_deprecated_tables_test.sql"
+METADATA_TABLE_NAME = 'metadata'
+DB_TABLENAME = "test_table"
+
+
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH)
+@patch('wazuh_integration.utils.get_wazuh_version')
+def test_wazuh_integration_initializes_properly(mock_version, mock_path, mock_client):
+    """Test if the instances of WazuhIntegration are created properly."""
+
+    args = utils.get_wazuh_integration_parameters()
+    integration = wazuh_integration.WazuhIntegration(**args)
+    mock_path.assert_called_once()
+    mock_version.assert_called_once()
+    assert integration.wazuh_path == utils.TEST_WAZUH_PATH
+    assert integration.wazuh_queue == os.path.join(integration.wazuh_path, utils.QUEUE_PATH)
+    assert integration.wazuh_wodle == os.path.join(integration.wazuh_path, utils.WODLE_PATH)
+    mock_client.assert_called_with(profile=args["profile"], iam_role_arn=args["iam_role_arn"],
+                                   service_name=args["service_name"], region=args["region"],
+                                   sts_endpoint=args["sts_endpoint"], service_endpoint=args["service_endpoint"],
+                                   iam_role_duration=args["iam_role_duration"], external_id=args["external_id"])
+
+    assert integration.default_date == datetime.utcnow().replace(hour=0, minute=0, second=0, microsecond=0,
+                                                                 tzinfo=timezone.utc)
+
+
+@pytest.mark.parametrize('file_exists, options, retry_attempts, retry_mode',
+                         [(True, [aws_tools.RETRY_ATTEMPTS_KEY, aws_tools.RETRY_MODE_BOTO_KEY], 5, 'standard'),
+                          (True, ['other_option'], None, None),
+                          (False, None, None, None)]
+                         )
+def test_default_config(file_exists, options, retry_attempts, retry_mode):
+    """Test if `default_config` function returns the Wazuh default Retry configuration if there is no user-defined
+    configuration.
+
+    Parameters
+    ----------
+    file_exists : bool
+        The value to be returned by the mocked config reader call.
+    options: list[str]
+        List of options that can be found in an AWS config file.
+    retry_attempts: int or None
+        Number of attempts to set in the retries' configuration. None for when the retry_attempt option is not declared
+        in the AWS config file.
+    retry_mode: str or None
+        Mode to set in the retries' configuration. None for when the retry_mode option is not declared in
+        the AWS config file.
+    """
+    profile = utils.TEST_AWS_PROFILE
+    with patch('wazuh_integration.path.exists', return_value=file_exists):
+        if file_exists:
+            with patch('aws_tools.get_aws_config_params') as mock_config:
+                mock_config.options(profile).return_value = options
+                profile_config = {option: mock_config.get(profile, option) for option in mock_config.options(profile)}
+
+                config = wazuh_integration.WazuhIntegration.default_config(profile=utils.TEST_AWS_PROFILE)
+
+            if aws_tools.RETRY_ATTEMPTS_KEY in profile_config or aws_tools.RETRY_MODE_CONFIG_KEY in profile_config:
+                retries = {
+                    aws_tools.RETRY_ATTEMPTS_KEY: retry_attempts,
+                    aws_tools.RETRY_MODE_BOTO_KEY: retry_mode
+                }
+            else:
+                retries = aws_tools.WAZUH_DEFAULT_RETRY_CONFIGURATION
+
+            assert config['config'].retries == retries
+        else:
+            config = wazuh_integration.WazuhIntegration.default_config(profile=utils.TEST_AWS_PROFILE)
+            assert 'config' in config
+            assert config['config'].retries == aws_tools.WAZUH_DEFAULT_RETRY_CONFIGURATION
+
+
+@pytest.mark.parametrize('profile', [
+    None,
+    utils.TEST_AWS_PROFILE,
+])
+@pytest.mark.parametrize('region', list(wazuh_integration.DEFAULT_GOV_REGIONS) + ['us-east-1', None])
+@pytest.mark.parametrize('service_name', list(wazuh_integration.SERVICES_REQUIRING_REGION) + ['other'])
+def test_wazuh_integration_get_client_authentication(profile, region, service_name):
+    """Test `get_client` function uses the different authentication parameters properly.
+
+    Parameters
+    ----------
+    profile : str
+        AWS profile name.
+    region : str
+        Region name.
+    service_name : str
+        Name of the service.
+    """
+    kwargs = utils.get_wazuh_integration_parameters(
+        profile=profile, region=region, service_name=service_name, iam_role_arn=None
+    )
+    expected_conn_args = {}
+
+    if profile:
+        expected_conn_args['profile_name'] = profile
+    expected_conn_args['region_name'] = None
+
+    if region and service_name in wazuh_integration.SERVICES_REQUIRING_REGION:
+        expected_conn_args['region_name'] = region
+    else:
+        expected_conn_args['region_name'] = region if region in wazuh_integration.DEFAULT_GOV_REGIONS else None
+
+    with patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=utils.WAZUH_VERSION), \
+            patch('wazuh_integration.boto3.Session') as mock_boto:
+        wazuh_integration.WazuhIntegration(**kwargs)
+        mock_boto.assert_called_with(**expected_conn_args)
+
+
+@pytest.mark.parametrize('external_id', [utils.TEST_EXTERNAL_ID, None])
+@pytest.mark.parametrize('iam_role_arn', [utils.TEST_IAM_ROLE_ARN, None])
+@pytest.mark.parametrize('service_name', ["cloudTrail", "cloudwatchlogs"])
+def test_wazuh_integration_get_client(iam_role_arn, service_name, external_id):
+    """Test `get_client` function creates a valid client object both when an IAM Role is provided and when it's not.
+
+    Parameters
+    ----------
+    iam_role_arn : str
+        IAM Role.
+    service_name : str
+        Name of the service.
+    external_id : str
+        External ID primarily used for Security Lake.
+    """
+    kwargs = utils.get_wazuh_integration_parameters(profile=None,
+                                                    sts_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                                    service_endpoint=utils.TEST_SERVICE_ENDPOINT,
+                                                    service_name=service_name, iam_role_arn=iam_role_arn,
+                                                    iam_role_duration=utils.TEST_IAM_ROLE_DURATION,
+                                                    external_id=external_id)
+    service_name = "logs" if service_name == "cloudwatchlogs" else service_name
+    conn_kwargs = {'region_name': None}
+    sts_kwargs = {'aws_access_key_id': None, 'aws_secret_access_key': None, 'aws_session_token': utils.TEST_TOKEN,
+                  'region_name': None}
+    assume_role_kwargs = {'RoleArn': iam_role_arn, 'RoleSessionName': 'WazuhLogParsing',
+                          'DurationSeconds': utils.TEST_IAM_ROLE_DURATION}
+    if external_id:
+        assume_role_kwargs['ExternalId'] = external_id
+
+    sts_role_assumption = {
+        'Credentials': {'AccessKeyId': None, 'SecretAccessKey': None, 'SessionToken': utils.TEST_TOKEN}}
+
+    mock_boto_session = MagicMock()
+    mock_sts_session = MagicMock()
+    mock_sts_client = MagicMock()
+    mock_boto_session.client.return_value = mock_sts_client
+    mock_sts_client.assume_role.return_value = sts_role_assumption
+
+    with patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=utils.WAZUH_VERSION), \
+            patch('wazuh_integration.boto3.Session', side_effect=[mock_boto_session, mock_sts_session]) as mock_session:
+        instance = wazuh_integration.WazuhIntegration(**kwargs)
+
+        if iam_role_arn:
+            mock_session.assert_has_calls([call(**conn_kwargs), call(**sts_kwargs)])
+            mock_boto_session.client.assert_called_with(service_name='sts', endpoint_url=utils.TEST_SERVICE_ENDPOINT,
+                                                        **instance.connection_config)
+            mock_sts_client.assume_role.assert_called_with(**assume_role_kwargs)
+            mock_sts_session.client.assert_called_with(service_name=service_name,
+                                                       endpoint_url=utils.TEST_SERVICE_ENDPOINT,
+                                                       **instance.connection_config)
+        else:
+            mock_session.assert_called_with(**conn_kwargs)
+            mock_boto_session.client.assert_called_with(service_name=service_name,
+                                                        endpoint_url=utils.TEST_SERVICE_ENDPOINT,
+                                                        **instance.connection_config)
+
+
+def test_wazuh_integration_get_client_handles_exceptions_on_botocore_error():
+    """Test `get_client` function handles botocore.exceptions as expected."""
+    mock_boto_session = MagicMock()
+    mock_boto_session.client.side_effect = wazuh_integration.botocore.exceptions.ClientError({'Error': {'Code': 1}},
+                                                                                             'operation')
+
+    with patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH), \
+            patch('wazuh_integration.utils.get_wazuh_version', return_value=utils.WAZUH_VERSION), \
+            patch('wazuh_integration.boto3.Session', return_value=mock_boto_session):
+        with pytest.raises(SystemExit) as e:
+            wazuh_integration.WazuhIntegration(**utils.get_wazuh_integration_parameters())
+        assert e.value.code == utils.INVALID_CREDENTIALS_ERROR_CODE
+
+
+@pytest.mark.parametrize('profile', [
+    None,
+    utils.TEST_AWS_PROFILE,
+])
+def test_wazuh_integration_get_sts_client(profile):
+    """Test `get_sts_client` function uses the expected configuration for the session and the client while returning a
+    valid sts client object.
+
+    Parameters
+    ----------
+    profile : str
+        AWS profile name.
+    """
+    instance = utils.get_mocked_wazuh_integration(profile=profile)
+    expected_conn_args = {}
+
+    if profile:
+        expected_conn_args['profile_name'] = profile
+
+    mock_session = MagicMock()
+    with patch('wazuh_integration.boto3.Session', return_value=mock_session) as mock_boto:
+        sts_client = instance.get_sts_client(profile=profile)
+        mock_boto.assert_called_with(**expected_conn_args)
+        mock_session.client.assert_called_with(service_name='sts', **instance.connection_config)
+        assert sts_client == mock_session.client()
+
+
+def test_wazuh_integration_get_sts_client_handles_exceptions_when_invalid_creds_provided():
+    """Test `get_sts_client` function handles invalid credentials exception as expected."""
+    mock_boto_session = MagicMock()
+    mock_boto_session.client.side_effect = wazuh_integration.botocore.exceptions.ClientError({'Error': {'Code': 1}},
+                                                                                             'operation')
+
+    instance = utils.get_mocked_wazuh_integration(profile=None)
+
+    with patch('wazuh_integration.boto3.Session', return_value=mock_boto_session):
+        with pytest.raises(SystemExit) as e:
+            instance.get_sts_client(profile=None)
+        assert e.value.code == utils.INVALID_CREDENTIALS_ERROR_CODE
+
+
+@pytest.mark.parametrize("dump_json", [True, False])
+def test_wazuh_integration_send_msg(dump_json):
+    """Test `send_msg` function build the message using the expected format and sends it to the appropriate socket.
+
+    Parameters
+    ----------
+    dump_json : bool
+        Determine if the message should be dumped first.
+    """
+    instance = utils.get_mocked_wazuh_integration()
+    msg = dumps(utils.TEST_MESSAGE) if dump_json else utils.TEST_MESSAGE
+    with patch('wazuh_integration.socket.socket') as mock_socket:
+        m = MagicMock()
+        mock_socket.return_value = m
+        instance.send_msg(utils.TEST_MESSAGE, dump_json=dump_json)
+        mock_socket.assert_called_once()
+        m.send.assert_called_with(f"{wazuh_integration.MESSAGE_HEADER}{msg}".encode())
+        m.close.assert_called_once()
+
+
+@pytest.mark.parametrize("error_code, expected_exit_code", [
+    (111, utils.UNABLE_TO_CONNECT_SOCKET_ERROR_CODE),
+    (1, utils.SENDING_MESSAGE_SOCKET_ERROR_CODE),
+    (90, None)
+])
+def test_wazuh_integration_send_msg_socket_error(error_code, expected_exit_code):
+    """Test `send_msg` function handles the different expected socket exceptions.
+
+    Parameters
+    ----------
+    error_code : int
+        Error code number for the socket error to be raised.
+    expected_exit_code : int
+        Error code number for the expected exit exception.
+    """
+    instance = utils.get_mocked_wazuh_integration()
+    error = socket.error()
+    error.errno = error_code
+
+    with patch('wazuh_integration.socket.socket') as mock_socket:
+        mock_socket.side_effect = error
+        if expected_exit_code:
+            with pytest.raises(SystemExit) as e:
+                instance.send_msg(utils.TEST_MESSAGE)
+            assert e.value.code == expected_exit_code
+        else:
+            instance.send_msg(utils.TEST_MESSAGE)
+
+
+@patch('io.BytesIO')
+def test_wazuh_integration_decompress_file(mock_io):
+    """Test 'decompress_file' method calls the expected function for a determined file type."""
+    integration = utils.get_mocked_wazuh_integration()
+    integration.client = MagicMock()
+    # Instance that inherits from WazuhIntegration sets the attribute bucket in its constructor
+    integration.bucket = utils.TEST_BUCKET
+
+    with patch('gzip.open', return_value=MagicMock()) as mock_gzip_open:
+        gzip_mock = mock_gzip_open.return_value
+        integration.decompress_file(integration.bucket, 'test.gz')
+
+    integration.client.get_object.assert_called_once()
+    mock_gzip_open.assert_called_once()
+    gzip_mock.read.assert_called_once()
+    gzip_mock.seek.assert_called_with(0)
+
+    with patch('zipfile.ZipFile', return_value=MagicMock()) as mock_zip, \
+            patch('io.TextIOWrapper') as mock_io_text:
+        zip_mock = mock_zip.return_value
+        zip_mock.namelist.return_value = ['name']
+        zip_mock.open.return_value = "file contents"
+        integration.decompress_file(integration.bucket, 'test.zip')
+    zip_mock.namelist.assert_called_once()
+    zip_mock.open.assert_called_with('name')
+    mock_io_text.assert_called_with("file contents")
+
+    with patch('io.TextIOWrapper') as mock_io_text:
+        integration.decompress_file(integration.bucket, 'test.tar')
+        mock_io_text.assert_called_once()
+
+
+@patch('io.BytesIO')
+def test_aws_wazuh_integration_decompress_file_handles_exceptions_when_decompress_fails(mock_io):
+    """Test 'decompress_file' method handles exceptions raised when trying to decompress a file and
+    exits with the expected exit code.
+    """
+    integration = utils.get_mocked_wazuh_integration()
+    integration.client = MagicMock()
+
+    # Instance that inherits from WazuhIntegration sets the attribute bucket in its constructor
+    integration.bucket = utils.TEST_BUCKET
+
+    with patch('gzip.open', side_effect=[gzip.BadGzipFile, zlib.error, TypeError]), \
+            pytest.raises(SystemExit) as e:
+        integration.decompress_file(integration.bucket, 'test.gz')
+    assert e.value.code == utils.DECOMPRESS_FILE_ERROR_CODE
+
+    with patch('zipfile.ZipFile', side_effect=zipfile.BadZipFile), \
+            pytest.raises(SystemExit) as e:
+        integration.decompress_file(integration.bucket, 'test.zip')
+    assert e.value.code == utils.DECOMPRESS_FILE_ERROR_CODE
+
+    with pytest.raises(SystemExit) as e:
+        integration.decompress_file(integration.bucket, 'test.snappy')
+    assert e.value.code == utils.DECOMPRESS_FILE_ERROR_CODE
+
+
+def test_wazuh_integration_send_msg_handles_exceptions():
+    """Test `send_msg` function handles the other expected exceptions."""
+    instance = utils.get_mocked_wazuh_integration()
+
+    with patch('wazuh_integration.socket.socket') as mock_socket:
+        mock_socket.side_effect = TypeError
+        with pytest.raises(SystemExit) as e:
+            instance.send_msg(utils.TEST_MESSAGE)
+        assert e.value.code == utils.SENDING_MESSAGE_SOCKET_ERROR_CODE
+
+
+@patch('wazuh_integration.utils.find_wazuh_path', return_value=utils.TEST_WAZUH_PATH)
+@patch('wazuh_integration.utils.get_wazuh_version')
+@patch('wazuh_integration.WazuhIntegration.get_client')
+@patch('wazuh_integration.WazuhAWSDatabase.check_metadata_version')
+@patch('wazuh_integration.sqlite3.connect')
+def test_wazuh_aws_database_initializes_properly(mock_connect, mock_metadata, mock_client, mock_version, mock_path):
+    """Test if the instances of WazuhAWSDatabase are created properly."""
+    mock_connect.return_value = MagicMock()
+    args = utils.get_wazuh_aws_database_parameters()
+    wazuh_aws_db = wazuh_integration.WazuhAWSDatabase(**args)
+
+    assert wazuh_aws_db.db_path == os.path.join(wazuh_aws_db.wazuh_wodle, f"{utils.TEST_DATABASE}.db")
+    mock_connect.assert_called_once()
+    wazuh_aws_db.db_connector.cursor.assert_called_once()
+    mock_metadata.assert_called_once()
+
+
+def test_wazuh_aws_database_create_table():
+    """Test `create_table` function creates the table using the expected SQL."""
+    instance = utils.get_mocked_wazuh_aws_database()
+    instance.db_cursor = MagicMock()
+    test_sql = "test"
+    instance.create_table(test_sql)
+    instance.db_cursor.execute.assert_called_with(test_sql)
+
+
+def test_wazuh_aws_database_create_table_handles_exceptions_when_table_not_created():
+    """Test `create_table` function handles exceptions raised
+    and exits with the expected code when the table cannot be created.
+    """
+    instance = utils.get_mocked_wazuh_aws_database()
+    instance.db_cursor = MagicMock()
+    instance.db_cursor.execute.side_effect = Exception
+
+    with pytest.raises(SystemExit) as e:
+        instance.create_table("")
+    assert e.value.code == utils.UNABLE_TO_CREATE_DB
+
+
+@pytest.mark.parametrize("table_list", [
+    ["table_1", "table_2", DB_TABLENAME],
+    ["table_1", "table_2"],
+    [DB_TABLENAME],
+    []
+])
+@patch('wazuh_integration.WazuhAWSDatabase.create_table')
+def test_wazuh_aws_database_db_initialization(mock_create_table, table_list):
+    """Test `init_db` function checks if the required table exists and creates it if not.
+
+    Parameters
+    ----------
+    table_list : list of str
+        Table list to be returned by the mocked database query.
+    """
+    instance = utils.get_mocked_wazuh_aws_database()
+    instance.db_cursor = MagicMock()
+    instance.db_cursor.execute.return_value = [(x,) for x in table_list]
+    instance.db_table_name = DB_TABLENAME
+    test_sql = "test"
+    instance.init_db(test_sql)
+
+    if DB_TABLENAME in table_list:
+        mock_create_table.assert_not_called()
+    else:
+        mock_create_table.assert_called_with(test_sql)
+
+
+def test_wazuh_aws_database_db_initialization_handles_exceptions():
+    """Test `init_db` function handles exception as expected."""
+    instance = utils.get_mocked_wazuh_aws_database()
+    instance.db_cursor = MagicMock()
+    instance.db_cursor.execute.side_effect = sqlite3.OperationalError
+
+    with pytest.raises(SystemExit) as e:
+        instance.init_db("")
+    assert e.value.code == utils.METADATA_ERROR_CODE
+
+
+def test_wazuh_aws_database_close_db():
+    """Test `close_db` function closes the database objects properly."""
+    instance = utils.get_mocked_wazuh_aws_database()
+    instance.db_connector = MagicMock()
+    instance.db_cursor = MagicMock()
+
+    instance.close_db()
+
+    instance.db_connector.commit.assert_called_once()
+    instance.db_cursor.execute.assert_called_with(instance.sql_db_optimize)
+    instance.db_connector.close.assert_called_once()
+
+
+def test_wazuh_aws_database_check_metadata_version_existing_table(custom_database):
+    """Test if `check_metadata_version` function updates the metadata value when the table already exists."""
+    # Populate the database
+    utils.database_execute_script(custom_database, TEST_METADATA_SCHEMA)
+
+    instance = utils.get_mocked_wazuh_aws_database(db_name=utils.TEST_DATABASE)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    old_metadata_value = utils.database_execute_query(custom_database, instance.sql_get_metadata_version)
+    assert old_metadata_value != utils.WAZUH_VERSION
+
+    instance.check_metadata_version()
+    new_metadata_value = utils.database_execute_query(custom_database, instance.sql_get_metadata_version)
+    assert new_metadata_value == utils.WAZUH_VERSION
+
+
+def test_wazuh_aws_database_check_metadata_version_no_table(custom_database):
+    """Test if `check_metadata_version` function updates the metadata value when the table does not exist."""
+    instance = utils.get_mocked_wazuh_aws_database(db_name=utils.TEST_DATABASE)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+    instance.check_metadata_version()
+    new_metadata_value = utils.database_execute_query(custom_database, instance.sql_get_metadata_version)
+    assert new_metadata_value == utils.WAZUH_VERSION
+
+
+@pytest.mark.parametrize('table_exists', [True, False, sqlite3.Error])
+def test_wazuh_aws_database_check_metadata_version_handles_exceptions(custom_database, table_exists):
+    """Test if `check_metadata_version` function handles exceptions properly.
+
+    Parameters
+    ----------
+    table_exists : bool or sqlite3.Error
+        The value to be returned by the mocked database call.
+    """
+    mocked_table_exists = MagicMock()
+    if isinstance(table_exists, bool):
+        mocked_table_exists.fetchone.return_value = table_exists
+    else:
+        mocked_table_exists.fetchone.side_effect = table_exists
+    mocked_cursor = MagicMock()
+    mocked_cursor.execute.side_effect = [mocked_table_exists, sqlite3.OperationalError]
+
+    instance = utils.get_mocked_wazuh_aws_database(db_name=utils.TEST_DATABASE)
+    instance.db_connector = custom_database
+    instance.db_cursor = mocked_cursor
+
+    with pytest.raises(SystemExit) as e:
+        instance.check_metadata_version()
+    assert e.value.code == utils.METADATA_ERROR_CODE
+
+
+def test_wazuh_aws_database_delete_deprecated_tables(custom_database):
+    """Test `delete_deprecated_tables` function remove unwanted tables while keeping the rest intact."""
+    # Populate the database
+    utils.database_execute_script(custom_database, TEST_METADATA_DEPRECATED_TABLES_SCHEMA)
+
+    instance = utils.get_mocked_wazuh_aws_database(db_name=utils.TEST_DATABASE)
+    instance.db_connector = custom_database
+    instance.db_cursor = instance.db_connector.cursor()
+
+    for table in wazuh_integration.DEPRECATED_TABLES:
+        assert instance.db_cursor.execute(instance.sql_find_table, {'name': table}).fetchone()[0]
+    assert instance.db_cursor.execute(instance.sql_find_table, {'name': METADATA_TABLE_NAME}).fetchone()[0]
+
+    instance.delete_deprecated_tables()
+
+    # The deprecated tables were deleted
+    for table in wazuh_integration.DEPRECATED_TABLES:
+        assert not instance.db_cursor.execute(instance.sql_find_table, {'name': table}).fetchone()
+    # The metadata table is still present
+    assert instance.db_cursor.execute(instance.sql_find_table, {'name': METADATA_TABLE_NAME}).fetchone()[0]
diff --git a/src/modules/aws/scripts/utils.py b/src/modules/aws/scripts/utils.py
new file mode 100644
index 0000000000..1a9436766e
--- /dev/null
+++ b/src/modules/aws/scripts/utils.py
@@ -0,0 +1,115 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import subprocess
+from functools import lru_cache
+from sys import exit
+
+
+@lru_cache(maxsize=None)
+def find_wazuh_path() -> str:
+    """
+    Get the Wazuh installation path.
+
+    Returns
+    -------
+    str
+        Path where Wazuh is installed or empty string if there is no framework in the environment.
+    """
+    abs_path = os.path.abspath(os.path.dirname(__file__))
+    allparts = []
+    while 1:
+        parts = os.path.split(abs_path)
+        if parts[0] == abs_path:  # sentinel for absolute paths
+            allparts.insert(0, parts[0])
+            break
+        elif parts[1] == abs_path:  # sentinel for relative paths
+            allparts.insert(0, parts[1])
+            break
+        else:
+            abs_path = parts[0]
+            allparts.insert(0, parts[1])
+
+    wazuh_path = ''
+    try:
+        for i in range(0, allparts.index('wodles')):
+            wazuh_path = os.path.join(wazuh_path, allparts[i])
+    except ValueError:
+        pass
+
+    return wazuh_path
+
+
+def call_wazuh_control(option: str) -> str:
+    """
+    Execute the wazuh-control script with the parameters specified.
+
+    Parameters
+    ----------
+    option : str
+        The option that will be passed to the script.
+
+    Returns
+    -------
+    str
+        The output of the call to wazuh-control.
+    """
+    wazuh_control = os.path.join(find_wazuh_path(), "bin", "wazuh-control")
+    try:
+        proc = subprocess.Popen([wazuh_control, option], stdout=subprocess.PIPE)
+        (stdout, stderr) = proc.communicate()
+        return stdout.decode()
+    except (OSError, ChildProcessError):
+        print(f'ERROR: a problem occurred while executing {wazuh_control}')
+        exit(1)
+
+
+def get_wazuh_info(field: str) -> str:
+    """
+    Execute the wazuh-control script with the 'info' argument, filtering by field if specified.
+
+    Parameters
+    ----------
+    field : str
+        The field of the output that's being requested. Its value can be 'WAZUH_VERSION', 'WAZUH_REVISION' or
+        'WAZUH_TYPE'.
+
+    Returns
+    -------
+    str
+        The output of the wazuh-control script.
+    """
+    wazuh_info = call_wazuh_control("info")
+    if not wazuh_info:
+        return "ERROR"
+
+    if not field:
+        return wazuh_info
+
+    env_variables = wazuh_info.rsplit("\n")
+    env_variables.remove("")
+    wazuh_env_vars = dict()
+    for env_variable in env_variables:
+        key, value = env_variable.split("=")
+        wazuh_env_vars[key] = value.replace("\"", "")
+
+    return wazuh_env_vars[field]
+
+
+@lru_cache(maxsize=None)
+def get_wazuh_version() -> str:
+    """
+    Return the version of Wazuh installed.
+
+    Returns
+    -------
+    str
+        The version of Wazuh installed.
+    """
+    return get_wazuh_info("WAZUH_VERSION")
+
+
+# Max size of the event that ANALYSISID can handle
+MAX_EVENT_SIZE = 65535
diff --git a/src/modules/aws/scripts/wazuh_integration.py b/src/modules/aws/scripts/wazuh_integration.py
new file mode 100644
index 0000000000..4009178242
--- /dev/null
+++ b/src/modules/aws/scripts/wazuh_integration.py
@@ -0,0 +1,485 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import socket
+import sqlite3
+import sys
+
+try:
+    import boto3
+except ImportError:
+    print('ERROR: boto3 module is required.')
+    sys.exit(4)
+
+import aws_tools
+import botocore
+import configparser
+import copy
+import gzip
+import io
+import json
+import operator
+import re
+import zipfile
+import zlib
+
+from datetime import datetime
+from datetime import timezone
+from os import path
+
+sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
+import utils
+
+DEPRECATED_TABLES = {'log_progress', 'trail_progress'}
+DEFAULT_GOV_REGIONS = {'us-gov-east-1', 'us-gov-west-1'}
+SERVICES_REQUIRING_REGION = {'inspector', 'cloudwatchlogs'}
+MESSAGE_HEADER = "1:Wazuh-AWS:"
+
+
+class WazuhIntegration:
+    """
+    Class with common methods.
+    :param profile: AWS profile.
+    :param iam_role_arn: IAM Role.
+    :param service_name: Name of the service (s3 for services which stores logs in buckets).
+    :param region: Region of service.
+    :param iam_role_duration: The desired duration of the session that is going to be assumed.
+    :param external_id: AWS external ID for IAM Role assumption.
+    :param skip_on_error: Whether to continue processing logs or stop when an error takes place.
+    """
+
+    def __init__(self, profile, iam_role_arn, service_name=None, region=None,
+                 discard_field=None, discard_regex=None, sts_endpoint=None,
+                 service_endpoint=None, iam_role_duration=None, external_id=None, skip_on_error=False):
+
+        self.skip_on_error = skip_on_error
+        self.wazuh_path = utils.find_wazuh_path()
+        self.wazuh_version = utils.get_wazuh_version()
+        self.wazuh_queue = path.join(self.wazuh_path, "queue", "sockets", "queue")
+        self.wazuh_wodle = path.join(self.wazuh_path, "wodles", "aws")
+
+        self.connection_config = self.default_config(profile=profile)
+        self.client = self.get_client(profile=profile,
+                                      iam_role_arn=iam_role_arn,
+                                      service_name=service_name,
+                                      region=region,
+                                      sts_endpoint=sts_endpoint,
+                                      service_endpoint=service_endpoint,
+                                      iam_role_duration=iam_role_duration,
+                                      external_id=external_id
+                                      )
+
+        self.discard_field = discard_field
+        self.discard_regex = re.compile(fr'{discard_regex}')
+        # to fetch logs using this date if no only_logs_after value was provided on the first execution
+        self.default_date = datetime.utcnow().replace(hour=0, minute=0, second=0, microsecond=0, tzinfo=timezone.utc)
+
+    @staticmethod
+    def default_config(profile: str) -> dict:
+        """Set the parameters found in user config file as a default configuration for client.
+
+        This method is called when Wazuh Integration is instantiated and sets a default config using .aws/config file
+        using the profile received from parameter.
+
+        If .aws/config file exist the file is retrieved and read to check for the existence of retry parameters mode and
+        max attempts if they exist and empty dictionary is returned and config is handled by botocore but if they don't
+        exist a botocore Config object is created and default configuration is set using user config for received
+        profile and retries parameters are set to avoid a throttling exception.
+
+        Parameters
+        ----------
+        profile : string
+                AWS profile configuration to use.
+
+        Returns
+        -------
+        dict
+            Configuration dictionary.
+
+        Raises
+        ------
+        KeyError
+            KeyError when there is no region in user config file.
+
+        ValueError
+            ValueError when there is an error parsing config file.
+
+        NoSectionError
+            configparser error when given profile does not exist in user config file.
+        """
+        args = {}
+        args['config'] = botocore.config.Config(retries=aws_tools.WAZUH_DEFAULT_RETRY_CONFIGURATION)
+
+        if path.exists(aws_tools.DEFAULT_AWS_CONFIG_PATH):
+            # Get User Aws Config
+            aws_config = aws_tools.get_aws_config_params()
+
+            # Set profile
+            if profile is not None and profile != 'default':
+                if profile not in aws_config.sections():
+                    profile = f"profile {profile}"
+            else:
+                profile = 'default'
+
+            try:
+                # Get profile config dictionary
+                profile_config = {option: aws_config.get(profile, option) for option in aws_config.options(profile)}
+
+            except configparser.NoSectionError:
+                aws_tools.error(f"No profile named: '{profile}' was found in the user config file")
+                sys.exit(23)
+
+            # Map Primary Botocore Config parameters with profile config file
+            try:
+                aws_tools.set_profile_dict_config(boto_config=args,
+                                                  profile=profile,
+                                                  profile_config=profile_config)
+
+            except (KeyError, ValueError) as e:
+                aws_tools.error('Invalid key or value found in config '.format(e))
+                sys.exit(17)
+
+            aws_tools.debug(f"Created Config object using profile: '{profile}' configuration", 2)
+
+        else:
+            aws_tools.debug(
+                f"Generating default configuration for retries: {aws_tools.RETRY_MODE_BOTO_KEY} "
+                f"{args['config'].retries[aws_tools.RETRY_MODE_BOTO_KEY]} - "
+                f"{aws_tools.RETRY_ATTEMPTS_KEY} {args['config'].retries[aws_tools.RETRY_ATTEMPTS_KEY]}",
+                2)
+
+        return args
+
+    def get_client(self, profile, iam_role_arn, service_name, region=None,
+                   sts_endpoint=None, service_endpoint=None, iam_role_duration=None, external_id=None):
+        conn_args = {}
+
+        if profile is not None:
+            conn_args['profile_name'] = profile
+
+            # set region name
+        if region and service_name in SERVICES_REQUIRING_REGION:
+            conn_args['region_name'] = region
+        else:
+            # it is necessary to set region_name for GovCloud regions
+            conn_args['region_name'] = region if region in DEFAULT_GOV_REGIONS else None
+
+        boto_session = boto3.Session(**conn_args)
+        service_name = "logs" if service_name == "cloudwatchlogs" else service_name
+        # If using a role, create session using that
+        try:
+            if iam_role_arn:
+
+                sts_client = boto_session.client(service_name='sts', endpoint_url=sts_endpoint,
+                                                 **self.connection_config)
+                assume_role_kwargs = {'RoleArn': iam_role_arn, 'RoleSessionName': 'WazuhLogParsing'}
+                if external_id:
+                    assume_role_kwargs['ExternalId'] = external_id
+
+                if iam_role_duration is not None:
+                    assume_role_kwargs['DurationSeconds'] = iam_role_duration
+
+                sts_role_assumption = sts_client.assume_role(**assume_role_kwargs)
+
+                sts_session = boto3.Session(aws_access_key_id=sts_role_assumption['Credentials']['AccessKeyId'],
+                                            aws_secret_access_key=sts_role_assumption['Credentials']['SecretAccessKey'],
+                                            aws_session_token=sts_role_assumption['Credentials']['SessionToken'],
+                                            region_name=conn_args.get('region_name'))
+
+                client = sts_session.client(service_name=service_name, endpoint_url=service_endpoint,
+                                            **self.connection_config)
+            else:
+                client = boto_session.client(service_name=service_name, endpoint_url=service_endpoint,
+                                             **self.connection_config)
+
+        except (botocore.exceptions.ClientError, botocore.exceptions.NoCredentialsError) as e:
+            aws_tools.error("Access error: {}".format(e))
+            sys.exit(3)
+        return client
+
+    def get_sts_client(self, profile):
+        conn_args = {}
+
+        if profile is not None:
+            conn_args['profile_name'] = profile
+
+        boto_session = boto3.Session(**conn_args)
+        try:
+            sts_client = boto_session.client(service_name='sts', **self.connection_config)
+        except Exception as e:
+            aws_tools.error("Error getting STS client: {}".format(e))
+            sys.exit(3)
+
+        return sts_client
+
+    def event_should_be_skipped(self, event_):
+        def _check_recursive(json_item=None, nested_field: str = '', regex: str = ''):
+            field_list = nested_field.split('.', 1)
+            try:
+                expression_to_evaluate = json_item[field_list[0]]
+            except TypeError:
+                if isinstance(json_item, list):
+                    return any(_check_recursive(i, field_list[0], regex=regex) for i in json_item)
+                return False
+            except KeyError:
+                return False
+            if len(field_list) == 1:
+                def check_regex(exp):
+                    try:
+                        return re.match(regex, exp) is not None
+                    except TypeError:
+                        return isinstance(exp, list) and any(check_regex(ex) for ex in exp)
+
+                return check_regex(expression_to_evaluate)
+            return _check_recursive(expression_to_evaluate, field_list[1], regex=regex)
+
+        return self.discard_field and self.discard_regex \
+            and _check_recursive(event_, nested_field=self.discard_field, regex=self.discard_regex)
+
+    def send_msg(self, msg, dump_json=True):
+        """
+        Sends an AWS event to the Wazuh Queue
+
+        :param msg: JSON message to be sent.
+        :param dump_json: If json.dumps should be applied to the msg
+        """
+        try:
+            json_msg = json.dumps(msg, default=str)
+            aws_tools.debug(json_msg, 3)
+            s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+            s.connect(self.wazuh_queue)
+            encoded_msg = f"{MESSAGE_HEADER}{json_msg if dump_json else msg}".encode()
+            # Logs warning if event is bigger than max size
+            if len(encoded_msg) > utils.MAX_EVENT_SIZE:
+                aws_tools.debug(f"Event size exceeds the maximum allowed limit of {utils.MAX_EVENT_SIZE} bytes.", 1)
+            s.send(encoded_msg)
+            s.close()
+        except socket.error as e:
+            if e.errno == 111:
+                aws_tools.error("Wazuh must be running.")
+                sys.exit(11)
+            elif e.errno == 90:
+                aws_tools.error("Message too long to send to Wazuh.  Skipping message...")
+                aws_tools.debug('+++ ERROR: Message longer than buffer socket for Wazuh. Consider increasing rmem_max. '
+                                'Skipping message...', 1)
+            else:
+                aws_tools.error("Error sending message to wazuh: {}".format(e))
+                sys.exit(13)
+        except Exception as e:
+            aws_tools.error("Error sending message to wazuh: {}".format(e))
+            sys.exit(13)
+
+    def _decompress_gzip(self, raw_object: io.BytesIO):
+        """Method that decompress gzip compressed data.
+
+        Parameters
+        ----------
+        raw_object : io.BytesIO
+            Buffer with the gzip compressed object.
+
+        Returns
+        -------
+        file_object
+            Decompressed object.
+        """
+        try:
+            gzip_file = gzip.open(filename=raw_object, mode='rt')
+            # Ensure that the file is not corrupted by reading from it
+            gzip_file.read()
+            gzip_file.seek(0)
+            return gzip_file
+        except (gzip.BadGzipFile, zlib.error, TypeError):
+            aws_tools.error(f'Invalid gzip file received.')
+            if not self.skip_on_error:
+                sys.exit(8)
+
+    def _decompress_zip(self, raw_object: io.BytesIO):
+        """Method that decompress zip compressed data.
+
+        Parameters
+        ----------
+        raw_object : io.BytesIO
+            Buffer with the zip compressed object.
+
+        Returns
+        -------
+        file_object
+            Decompressed object.
+        """
+        try:
+            zipfile_object = zipfile.ZipFile(raw_object, compression=zipfile.ZIP_DEFLATED)
+            return io.TextIOWrapper(zipfile_object.open(zipfile_object.namelist()[0]))
+        except zipfile.BadZipFile:
+            aws_tools.error('Invalid zip file received.')
+        if not self.skip_on_error:
+            sys.exit(8)
+
+    def decompress_file(self, bucket: str, log_key: str):
+        """Method that returns a file stored in a bucket decompressing it if necessary.
+
+        Parameters
+        ----------
+        bucket : str
+            Path of the bucket to get the log file from.
+        log_key : str
+            Name of the file that should be returned.
+        """
+        raw_object = io.BytesIO(self.client.get_object(Bucket=bucket, Key=log_key)['Body'].read())
+        if log_key[-3:] == '.gz':
+            return self._decompress_gzip(raw_object)
+        elif log_key[-4:] == '.zip':
+            return self._decompress_zip(raw_object)
+        elif log_key[-7:] == '.snappy':
+            aws_tools.error(f"Couldn't decompress the {log_key} file, snappy compression is not supported.")
+            if not self.skip_on_error:
+                sys.exit(8)
+        else:
+            return io.TextIOWrapper(raw_object)
+
+
+class WazuhAWSDatabase(WazuhIntegration):
+    """
+    Class with methods for buckets or services instances using db files
+    :param db_name: Database name when instantiating buckets or services
+    :param profile: AWS profile
+    :param iam_role_arn: IAM Role
+    :param db_name: Name of the database file
+    :param service_name: Name of the service (s3 for services which stores logs in buckets)
+    :param region: Region of service
+    :param iam_role_duration: The desired duration of the session that is going to be assumed.
+    :param external_id: AWS external ID for IAM Role assumption
+    """
+    def __init__(self, profile, iam_role_arn, db_name,
+                 service_name=None, region=None, discard_field=None,
+                 discard_regex=None, sts_endpoint=None, service_endpoint=None, iam_role_duration=None,
+                 external_id=None, skip_on_error=False):
+        # SQL queries
+        self.sql_find_table_names = """
+                    SELECT
+                        tbl_name
+                    FROM
+                        sqlite_master
+                    WHERE
+                        type='table';"""
+
+        self.sql_db_optimize = "PRAGMA optimize;"
+
+        self.sql_create_metadata_table = """
+                    CREATE TABLE metadata (
+                        key 'text' NOT NULL,
+                        value 'text' NOT NULL,
+                        PRIMARY KEY (key, value));
+                    """
+
+        self.sql_get_metadata_version = """
+                    SELECT
+                        value
+                    FROM
+                        metadata
+                    WHERE
+                        key='version';
+                    """
+
+        self.sql_find_table = """
+                    SELECT
+                        tbl_name
+                    FROM
+                        sqlite_master
+                    WHERE
+                        type='table' AND
+                        name=:name;
+                    """
+
+        self.sql_insert_version_metadata = """
+                    INSERT INTO metadata (
+                        key,
+                        value)
+                    VALUES (
+                        'version',
+                        :wazuh_version);"""
+
+        self.sql_update_version_metadata = """
+                    UPDATE
+                        metadata
+                    SET
+                        value=:wazuh_version
+                    WHERE
+                        key='version';
+                    """
+
+        self.sql_drop_table = "DROP TABLE {table_name};"
+
+        WazuhIntegration.__init__(self, service_name=service_name,
+                                  profile=profile,
+                                  iam_role_arn=iam_role_arn, region=region,
+                                  discard_field=discard_field, discard_regex=discard_regex,
+                                  sts_endpoint=sts_endpoint, service_endpoint=service_endpoint,
+                                  iam_role_duration=iam_role_duration, external_id=external_id,
+                                  skip_on_error=skip_on_error)
+
+        # db_name is an instance variable of subclass
+        self.db_path = "{0}/{1}.db".format(self.wazuh_wodle, db_name)
+        self.db_connector = sqlite3.connect(self.db_path)
+        self.db_cursor = self.db_connector.cursor()
+        self.check_metadata_version()
+
+    def create_table(self, sql_create_table):
+        """
+        :param sql_create_table: SQL query to create the table
+        """
+        try:
+            aws_tools.debug('+++ Table does not exist; create', 1)
+            self.db_cursor.execute(sql_create_table)
+        except Exception as e:
+            aws_tools.error("Unable to create SQLite DB: {}".format(e))
+            sys.exit(6)
+
+    def init_db(self, sql_create_table):
+        """
+        :param sql_create_table: SQL query to create the table
+        """
+        try:
+            tables = set(map(operator.itemgetter(0), self.db_cursor.execute(self.sql_find_table_names)))
+        except Exception as e:
+            aws_tools.error("Unexpected error accessing SQLite DB: {}".format(e))
+            sys.exit(5)
+        # if table does not exist, create a new table
+        if self.db_table_name not in tables:
+            self.create_table(sql_create_table)
+
+    def close_db(self):
+        self.db_connector.commit()
+        self.db_cursor.execute(self.sql_db_optimize)
+        self.db_connector.close()
+
+    def check_metadata_version(self):
+        try:
+            if self.db_cursor.execute(self.sql_find_table, {'name': 'metadata'}).fetchone():
+                # The table does not exist; update existing metadata value, if required
+                try:
+                    metadata_version = self.db_cursor.execute(self.sql_get_metadata_version).fetchone()[0]
+                    if metadata_version != self.wazuh_version:
+                        self.db_cursor.execute(self.sql_update_version_metadata, {'wazuh_version': self.wazuh_version})
+                except (sqlite3.IntegrityError, sqlite3.OperationalError, sqlite3.Error) as err:
+                    aws_tools.error(f'Error attempting to update the metadata table: {err}')
+                    sys.exit(5)
+            else:
+                # The table does not exist; create it and insert the metadata value
+                try:
+                    self.db_cursor.execute(self.sql_create_metadata_table)
+                    self.db_cursor.execute(self.sql_insert_version_metadata, {'wazuh_version': self.wazuh_version})
+                    self.delete_deprecated_tables()
+                except (sqlite3.IntegrityError, sqlite3.OperationalError, sqlite3.Error) as err:
+                    aws_tools.error(f'Error attempting to create the metadata table: {err}')
+                    sys.exit(5)
+            self.db_connector.commit()
+        except (sqlite3.IntegrityError, sqlite3.OperationalError, sqlite3.Error) as err:
+            aws_tools.error(f'Error attempting to operate with the {self.db_path} database: {err}')
+            sys.exit(5)
+
+    def delete_deprecated_tables(self):
+        tables = set([t[0] for t in self.db_cursor.execute(self.sql_find_table_names).fetchall()])
+        for table in tables.intersection(DEPRECATED_TABLES):
+            aws_tools.debug(f"Removing deprecated '{table} 'table from {self.db_path}", 2)
+            self.db_cursor.execute(self.sql_drop_table.format(table_name=table))
diff --git a/src/modules/aws/src/wm_aws.c b/src/modules/aws/src/wm_aws.c
new file mode 100644
index 0000000000..e21b97e43f
--- /dev/null
+++ b/src/modules/aws/src/wm_aws.c
@@ -0,0 +1,839 @@
+/*
+ * Wazuh Module for AWS S3 integration
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 08, 2018.
+ *
+ * Updated by Jeremy Phillips <jeremy@uranusbytes.com>
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+
+#ifdef WAZUH_UNIT_TESTING
+/* Remove static qualifier when testing */
+#define static
+#endif
+
+static wm_aws *aws_config;                              // Pointer to aws_configuration
+#ifdef WIN32
+static DWORD WINAPI wm_aws_main(void *arg);             // Module main function. It won't return
+#else
+static void* wm_aws_main(wm_aws *aws_config);           // Module main function. It won't return
+#endif
+static void wm_aws_destroy(wm_aws *aws_config);         // Destroy data
+static void wm_aws_setup(wm_aws *_aws_config);          // Setup module
+static void wm_aws_check();                             // Check configuration, disable flag
+static void wm_aws_run_s3(wm_aws *aws_config, wm_aws_bucket *bucket);       // Run a s3 bucket
+static void wm_aws_run_service(wm_aws *aws_config, wm_aws_service *service);// Run a AWS service such as Inspector
+static void wm_aws_run_subscriber(wm_aws *aws_config, wm_aws_subscriber *subscriber); //Run an AWS subscriber
+cJSON *wm_aws_dump(const wm_aws *aws_config);
+
+// Command module context definition
+
+const wm_context WM_AWS_CONTEXT = {
+    .name = "aws-s3",
+    .start = (wm_routine)wm_aws_main,
+    .destroy = (void(*)(void *))wm_aws_destroy,
+    .dump = (cJSON * (*)(const void *))wm_aws_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+// Module module main function. It won't return.
+#ifdef WIN32
+DWORD WINAPI wm_aws_main(void *arg) {
+    wm_aws *aws_config = (wm_aws *)arg;
+#else
+void* wm_aws_main(wm_aws *aws_config) {
+#endif
+    wm_aws_bucket *cur_bucket;
+    wm_aws_service *cur_service;
+    wm_aws_subscriber *cur_subscriber;
+    char *log_info;
+    char * timestamp = NULL;
+
+
+    wm_aws_setup(aws_config);
+    mtinfo(WM_AWS_LOGTAG, "Module AWS started");
+
+    // Main loop
+
+    do {
+
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(aws_config->scan_config), WM_AWS_LOGTAG, aws_config->run_on_start);
+
+        if (aws_config->state.next_time == 0) {
+            aws_config->state.next_time = aws_config->scan_config.time_start + time_sleep;
+        }
+
+        if (wm_state_io(WM_AWS_CONTEXT.name, WM_IO_WRITE, &aws_config->state, sizeof(aws_config->state)) < 0)
+            mterror(WM_AWS_LOGTAG, "Couldn't save running state.");
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(aws_config->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_AWS_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtinfo(WM_AWS_LOGTAG, "Starting fetching of logs.");
+
+        for (cur_bucket = aws_config->buckets; cur_bucket; cur_bucket = cur_bucket->next) {
+
+            log_info = NULL;
+
+            wm_strcat(&log_info, "Executing Bucket Analysis: (Bucket:", '\0');
+            if (cur_bucket->bucket) {
+                wm_strcat(&log_info, cur_bucket->bucket, ' ');
+            }
+            else {
+                wm_strcat(&log_info, "unknown_bucket", ' ');
+            }
+
+
+            if (cur_bucket->trail_prefix) {
+                wm_strcat(&log_info, ", Path:", '\0');
+                wm_strcat(&log_info, cur_bucket->trail_prefix, ' ');
+            }
+
+            if (cur_bucket->trail_suffix) {
+                wm_strcat(&log_info, ", Path suffix:", '\0');
+                wm_strcat(&log_info, cur_bucket->trail_suffix, ' ');
+            }
+
+            if (cur_bucket->type) {
+                wm_strcat(&log_info, ", Type:", '\0');
+                wm_strcat(&log_info, cur_bucket->type, ' ');
+            }
+
+            if (cur_bucket->aws_account_id) {
+                wm_strcat(&log_info, ", Account ID:", '\0');
+                wm_strcat(&log_info, cur_bucket->aws_account_id, ' ');
+            }
+
+            if (cur_bucket->aws_account_alias) {
+                wm_strcat(&log_info, ", Account Alias:", '\0');
+                wm_strcat(&log_info, cur_bucket->aws_account_alias, ' ');
+            }
+
+            if (cur_bucket->aws_organization_id) {
+                wm_strcat(&log_info, ", Organization ID:", '\0');
+                wm_strcat(&log_info, cur_bucket->aws_organization_id, ' ');
+            }
+
+            if (cur_bucket->aws_profile) {
+                wm_strcat(&log_info, ", Profile:", '\0');
+                wm_strcat(&log_info, cur_bucket->aws_profile, ' ');
+            }
+
+            wm_strcat(&log_info, ")", '\0');
+
+            mtinfo(WM_AWS_LOGTAG, "%s", log_info);
+            wm_aws_run_s3(aws_config, cur_bucket);
+            free(log_info);
+        }
+
+        for (cur_service = aws_config->services; cur_service; cur_service = cur_service->next) {
+
+            log_info = NULL;
+
+            wm_strcat(&log_info, "Executing Service Analysis: (Service:", '\0');
+            if (cur_service->type) {
+                wm_strcat(&log_info, cur_service->type, ' ');
+            }
+            else {
+                wm_strcat(&log_info, "unknown_type", ' ');
+            }
+
+
+            if (cur_service->aws_account_id) {
+                wm_strcat(&log_info, ", Account ID:", '\0');
+                wm_strcat(&log_info, cur_service->aws_account_id, ' ');
+            }
+
+            if (cur_service->aws_account_alias) {
+                wm_strcat(&log_info, ", Account Alias:", '\0');
+                wm_strcat(&log_info, cur_service->aws_account_alias, ' ');
+            }
+
+            if (cur_service->aws_profile) {
+                wm_strcat(&log_info, ", Profile:", '\0');
+                wm_strcat(&log_info, cur_service->aws_profile, ' ');
+            }
+
+            wm_strcat(&log_info, ")", '\0');
+
+            mtinfo(WM_AWS_LOGTAG, "%s", log_info);
+            wm_aws_run_service(aws_config, cur_service);
+            free(log_info);
+        }
+
+        for (cur_subscriber = aws_config->subscribers; cur_subscriber; cur_subscriber = cur_subscriber->next) {
+            log_info = NULL;
+
+            wm_strcat(&log_info, "Executing Subscriber fetch: (Type and SQS:", '\0');
+            if (cur_subscriber->type) {
+                wm_strcat(&log_info, cur_subscriber->type, ' ');
+            }
+            else {
+                wm_strcat(&log_info, "unknown_type", ' ');
+            }
+
+            if (cur_subscriber->sqs_name) {
+                wm_strcat(&log_info, cur_subscriber->sqs_name, ' ');
+            }
+            else {
+                wm_strcat(&log_info, "unknown_queue", ' ');
+            }
+
+            wm_strcat(&log_info, ")", '\0');
+
+            mtinfo(WM_AWS_LOGTAG, "%s", log_info);
+            wm_aws_run_subscriber(aws_config, cur_subscriber);
+            free(log_info);
+        }
+
+        mtinfo(WM_AWS_LOGTAG, "Fetching logs finished.");
+
+    } while (FOREVER());
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+
+// Get read data
+
+cJSON *wm_aws_dump(const wm_aws *aws_config) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_aws = cJSON_CreateObject();
+
+    sched_scan_dump(&(aws_config->scan_config), wm_aws);
+
+    if (aws_config->enabled) cJSON_AddStringToObject(wm_aws,"disabled","no"); else cJSON_AddStringToObject(wm_aws,"disabled","yes");
+    if (aws_config->run_on_start) cJSON_AddStringToObject(wm_aws,"run_on_start","yes"); else cJSON_AddStringToObject(wm_aws,"run_on_start","no");
+    if (aws_config->skip_on_error) cJSON_AddStringToObject(wm_aws,"skip_on_error","yes"); else cJSON_AddStringToObject(wm_aws,"skip_on_error","no");
+    if (aws_config->buckets) {
+        wm_aws_bucket *iter;
+        cJSON *arr_buckets = cJSON_CreateArray();
+        for (iter = aws_config->buckets; iter; iter = iter->next) {
+            cJSON *buck = cJSON_CreateObject();
+            if (iter->bucket) cJSON_AddStringToObject(buck,"name",iter->bucket);
+            if (iter->aws_profile) cJSON_AddStringToObject(buck,"aws_profile",iter->aws_profile);
+            if (iter->iam_role_arn) cJSON_AddStringToObject(buck,"iam_role_arn",iter->iam_role_arn);
+            if (iter->iam_role_duration) cJSON_AddStringToObject(buck, "iam_role_duration",iter->iam_role_duration);
+            if (iter->aws_account_id) cJSON_AddStringToObject(buck,"aws_account_id",iter->aws_account_id);
+            if (iter->aws_account_alias) cJSON_AddStringToObject(buck,"aws_account_alias",iter->aws_account_alias);
+            if (iter->trail_prefix) cJSON_AddStringToObject(buck,"path",iter->trail_prefix);
+            if (iter->trail_suffix) cJSON_AddStringToObject(buck,"path_suffix",iter->trail_suffix);
+            if (iter->only_logs_after) cJSON_AddStringToObject(buck,"only_logs_after",iter->only_logs_after);
+            if (iter->regions) cJSON_AddStringToObject(buck,"regions",iter->regions);
+            if (iter->type) cJSON_AddStringToObject(buck,"type",iter->type);
+            if (iter->remove_from_bucket) cJSON_AddStringToObject(buck,"remove_from_bucket","yes"); else cJSON_AddStringToObject(buck,"remove_from_bucket","no");
+            if (iter->discard_field) cJSON_AddStringToObject(buck,"discard_field",iter->discard_field);
+            if (iter->discard_regex) cJSON_AddStringToObject(buck,"discard_regex",iter->discard_regex);
+            if (iter->sts_endpoint) cJSON_AddStringToObject(buck,"sts_endpoint",iter->sts_endpoint);
+            if (iter->service_endpoint) cJSON_AddStringToObject(buck,"service_endpoint",iter->service_endpoint);
+            cJSON_AddItemToArray(arr_buckets,buck);
+        }
+        if (cJSON_GetArraySize(arr_buckets) > 0) {
+            cJSON_AddItemToObject(wm_aws,"buckets",arr_buckets);
+        } else {
+            cJSON_free(arr_buckets);
+        }
+    }
+    if (aws_config->services) {
+        wm_aws_service *iter;
+        cJSON *arr_services = cJSON_CreateArray();
+        for (iter = aws_config->services; iter; iter = iter->next) {
+            cJSON *service = cJSON_CreateObject();
+            if (iter->type) cJSON_AddStringToObject(service,"type",iter->type); // type is the name of the service
+            if (iter->aws_profile) cJSON_AddStringToObject(service,"aws_profile",iter->aws_profile);
+            if (iter->iam_role_arn) cJSON_AddStringToObject(service,"iam_role_arn",iter->iam_role_arn);
+            if (iter->iam_role_duration) cJSON_AddStringToObject(service, "iam_role_duration",iter->iam_role_duration);
+            if (iter->aws_account_id) cJSON_AddStringToObject(service,"aws_account_id",iter->aws_account_id);
+            if (iter->aws_account_alias) cJSON_AddStringToObject(service,"aws_account_alias",iter->aws_account_alias);
+            if (iter->only_logs_after) cJSON_AddStringToObject(service,"only_logs_after",iter->only_logs_after);
+            if (iter->regions) cJSON_AddStringToObject(service,"regions",iter->regions);
+            if (iter->aws_log_groups) cJSON_AddStringToObject(service,"aws_log_groups",iter->aws_log_groups);
+            if (iter->remove_log_streams) cJSON_AddStringToObject(service,"remove_log_streams","yes"); else cJSON_AddStringToObject(service,"remove_log_streams","no");
+            if (iter->discard_field) cJSON_AddStringToObject(service,"discard_field",iter->discard_field);
+            if (iter->discard_regex) cJSON_AddStringToObject(service,"discard_regex",iter->discard_regex);
+            if (iter->sts_endpoint) cJSON_AddStringToObject(service,"sts_endpoint",iter->sts_endpoint);
+            if (iter->service_endpoint) cJSON_AddStringToObject(service,"service_endpoint",iter->service_endpoint);
+            cJSON_AddItemToArray(arr_services,service);
+        }
+        if (cJSON_GetArraySize(arr_services) > 0) {
+            cJSON_AddItemToObject(wm_aws,"services",arr_services);
+        } else {
+            cJSON_free(arr_services);
+        }
+    }
+    if (aws_config->subscribers) {
+    wm_aws_subscriber *iter;
+        cJSON *arr_subscribers = cJSON_CreateArray();
+        for (iter = aws_config->subscribers; iter; iter = iter->next) {
+            cJSON *subscriber = cJSON_CreateObject();
+            if (iter->type) cJSON_AddStringToObject(subscriber,"type",iter->type);
+            if (iter->sqs_name) cJSON_AddStringToObject(subscriber,"sqs_name",iter->sqs_name);
+            if (iter->external_id) cJSON_AddStringToObject(subscriber,"external_id",iter->external_id);
+            if (iter->iam_role_arn) cJSON_AddStringToObject(subscriber,"iam_role_arn",iter->iam_role_arn);
+            if (iter->iam_role_duration) cJSON_AddStringToObject(subscriber, "iam_role_duration",iter->iam_role_duration);
+            if (iter->aws_profile) cJSON_AddStringToObject(subscriber,"aws_profile",iter->aws_profile);
+            if (iter->sts_endpoint) cJSON_AddStringToObject(subscriber,"sts_endpoint",iter->sts_endpoint);
+            if (iter->service_endpoint) cJSON_AddStringToObject(subscriber,"service_endpoint",iter->service_endpoint);
+            if (iter->discard_field) cJSON_AddStringToObject(subscriber,"discard_field",iter->discard_field);
+            if (iter->discard_regex) cJSON_AddStringToObject(subscriber,"discard_regex",iter->discard_regex);
+            cJSON_AddItemToArray(arr_subscribers,subscriber);
+        }
+        if (cJSON_GetArraySize(arr_subscribers) > 0) {
+            cJSON_AddItemToObject(wm_aws,"subscribers",arr_subscribers);
+        } else {
+            cJSON_free(arr_subscribers);
+        }
+    }
+    cJSON_AddItemToObject(root,"aws-s3",wm_aws);
+
+    return root;
+}
+
+
+// Destroy data
+void wm_aws_destroy(wm_aws *aws_config) {
+    free(aws_config);
+}
+
+// Setup module
+
+void wm_aws_setup(wm_aws *_aws_config) {
+
+    aws_config = _aws_config;
+    wm_aws_check();
+
+    // Read running state
+
+    if (wm_state_io(WM_AWS_CONTEXT.name, WM_IO_READ, &aws_config->state, sizeof(aws_config->state)) < 0)
+        memset(&aws_config->state, 0, sizeof(aws_config->state));
+
+    // Connect to socket
+
+    aws_config->queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    if (aws_config->queue_fd < 0) {
+        mterror(WM_AWS_LOGTAG, "Can't connect to queue.");
+        pthread_exit(NULL);
+    }
+}
+
+
+// Check configuration
+
+void wm_aws_check() {
+    // Check if disabled
+
+    if (!aws_config->enabled) {
+        mtinfo(WM_AWS_LOGTAG, "Module AWS is disabled. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    // Check if there are buckets or services
+
+    if (!aws_config->buckets && !aws_config->services && !aws_config->subscribers) {
+        mtwarn(WM_AWS_LOGTAG, "No AWS buckets, services or subscribers defined. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    // Check if interval defined; otherwise set default
+
+    if (!aws_config->scan_config.interval)
+        aws_config->scan_config.interval = WM_AWS_DEFAULT_INTERVAL;
+
+}
+
+// Run a bucket parsing
+#ifdef WAZUH_UNIT_TESTING
+__attribute__((weak))
+#endif
+void wm_aws_run_s3(wm_aws *aws_config, wm_aws_bucket *exec_bucket) {
+    int status;
+    char *output = NULL;
+    char *command = NULL;
+
+    // Define time to sleep between messages sent
+    int usec = 1000000 / wm_max_eps;
+
+    // Create arguments
+    mtdebug2(WM_AWS_LOGTAG, "Create argument list");
+
+    // script path
+    char * script = NULL;
+    os_calloc(PATH_MAX, sizeof(char), script);
+
+    snprintf(script, PATH_MAX, "%s", WM_AWS_SCRIPT_PATH);
+
+    wm_strcat(&command, script, '\0');
+    os_free(script);
+
+    // bucket
+    wm_strcat(&command, "--bucket", ' ');
+    wm_strcat(&command, exec_bucket->bucket, ' ');
+
+    // bucket arguments
+    if (exec_bucket->remove_from_bucket) {
+        wm_strcat(&command, "--remove", ' ');
+    }
+    if (exec_bucket->aws_profile) {
+        wm_strcat(&command, "--aws_profile", ' ');
+        wm_strcat(&command, exec_bucket->aws_profile, ' ');
+    }
+    if (exec_bucket->iam_role_arn) {
+        wm_strcat(&command, "--iam_role_arn", ' ');
+        wm_strcat(&command, exec_bucket->iam_role_arn, ' ');
+    }
+    if (exec_bucket->iam_role_duration){
+        wm_strcat(&command, "--iam_role_duration", ' ');
+        wm_strcat(&command, exec_bucket->iam_role_duration, ' ');
+    }
+    if (exec_bucket->aws_organization_id) {
+        wm_strcat(&command, "--aws_organization_id", ' ');
+        wm_strcat(&command, exec_bucket->aws_organization_id, ' ');
+    }
+    if (exec_bucket->aws_account_id) {
+        wm_strcat(&command, "--aws_account_id", ' ');
+        wm_strcat(&command, exec_bucket->aws_account_id, ' ');
+    }
+    if (exec_bucket->aws_account_alias) {
+        wm_strcat(&command, "--aws_account_alias", ' ');
+        wm_strcat(&command, exec_bucket->aws_account_alias, ' ');
+    }
+    if (exec_bucket->trail_prefix) {
+        wm_strcat(&command, "--trail_prefix", ' ');
+        wm_strcat(&command, exec_bucket->trail_prefix, ' ');
+    }
+    if (exec_bucket->trail_suffix) {
+        wm_strcat(&command, "--trail_suffix", ' ');
+        wm_strcat(&command, exec_bucket->trail_suffix, ' ');
+    }
+    if (exec_bucket->only_logs_after) {
+        wm_strcat(&command, "--only_logs_after", ' ');
+        wm_strcat(&command, exec_bucket->only_logs_after, ' ');
+    }
+    if (exec_bucket->regions) {
+        wm_strcat(&command, "--regions", ' ');
+        wm_strcat(&command, exec_bucket->regions, ' ');
+    }
+    if (exec_bucket->discard_field) {
+        wm_strcat(&command, "--discard-field", ' ');
+        wm_strcat(&command, exec_bucket->discard_field, ' ');
+    }
+    if (exec_bucket->discard_regex) {
+        wm_strcat(&command, "--discard-regex", ' ');
+        wm_strcat(&command, exec_bucket->discard_regex, ' ');
+    }
+    if (exec_bucket->sts_endpoint) {
+        wm_strcat(&command, "--sts_endpoint", ' ');
+        wm_strcat(&command, exec_bucket->sts_endpoint, ' ');
+    }
+    if (exec_bucket->service_endpoint) {
+        wm_strcat(&command, "--service_endpoint", ' ');
+        wm_strcat(&command, exec_bucket->service_endpoint, ' ');
+    }
+    if (exec_bucket->type) {
+        wm_strcat(&command, "--type", ' ');
+        wm_strcat(&command, exec_bucket->type, ' ');
+    }
+    if (isDebug()) {
+        wm_strcat(&command, "--debug", ' ');
+        if (isDebug() > 2) {
+            wm_strcat(&command, "3", ' ');
+        } else if (isDebug() > 1) {
+            wm_strcat(&command, "2", ' ');
+        } else {
+            wm_strcat(&command, "1", ' ');
+        }
+    }
+    if (aws_config->skip_on_error) {
+        wm_strcat(&command, "--skip_on_error", ' ');
+    }
+    if (wm_state_io(WM_AWS_CONTEXT.name, WM_IO_READ, &aws_config->state, sizeof(aws_config->state)) < 0) {
+        memset(&aws_config->state, 0, sizeof(aws_config->state));
+    }
+
+    // Execute
+    char *trail_title = NULL;
+    wm_strcat(&trail_title, "Bucket:", ' ');
+    wm_strcat(&trail_title, exec_bucket->aws_account_id, ' ');
+    if(exec_bucket->aws_account_alias){
+        wm_strcat(&trail_title, "(", '\0');
+        wm_strcat(&trail_title, exec_bucket->aws_account_alias, '\0');
+        wm_strcat(&trail_title, ")", '\0');
+    }
+    wm_strcat(&trail_title, " - ", ' ');
+
+    mtdebug1(WM_AWS_LOGTAG, "Launching S3 Command: %s", command);
+
+    const int wm_exec_ret_code = wm_exec(command, &output, &status, 0, NULL);
+
+    os_free(command);
+
+    if (wm_exec_ret_code != 0){
+        mterror(WM_AWS_LOGTAG, "Internal error. Exiting...");
+        os_free(trail_title);
+        if (wm_exec_ret_code > 0) {
+            os_free(output);
+        }
+        pthread_exit(NULL);
+    } else if (status > 0) {
+        mtwarn(WM_AWS_LOGTAG, "%s Returned exit code %d", trail_title, status);
+        if(status == 1) {
+            char * unknown_error_msg = strstr(output,"Unknown error");
+            if (unknown_error_msg == NULL)
+                mtwarn(WM_AWS_LOGTAG, "%s Unknown error.", trail_title);
+            else
+                mtwarn(WM_AWS_LOGTAG, "%s %s", trail_title, unknown_error_msg);
+        } else if(status == 2) {
+            char * ptr;
+            if (ptr = strstr(output, "aws.py: error:"), ptr) {
+                ptr += 14;
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments: %s", trail_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments.", trail_title);
+            }
+        } else {
+            char * ptr;
+            if (ptr = strstr(output, "ERROR: "), ptr) {
+                ptr += 7;
+                mtwarn(WM_AWS_LOGTAG, "%s %s", trail_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s %s", trail_title, output);
+            }
+        }
+        mtdebug1(WM_AWS_LOGTAG, "%s OUTPUT: %s", trail_title, output);
+    } else {
+        mtdebug2(WM_AWS_LOGTAG, "%s OUTPUT: %s", trail_title, output);
+    }
+
+    char *line;
+    char *save_ptr = NULL;
+    for (line = strtok_r(output, "\n", &save_ptr); line; line = strtok_r(NULL, "\n", &save_ptr)) {
+        wm_sendmsg(usec, aws_config->queue_fd, line, WM_AWS_CONTEXT.name, LOCALFILE_MQ);
+    }
+
+    os_free(trail_title);
+    os_free(output);
+}
+
+// Run a service parsing
+
+void wm_aws_run_service(wm_aws *aws_config, wm_aws_service *exec_service) {
+    int status;
+    char *output = NULL;
+    char *command = NULL;
+
+    // Define time to sleep between messages sent
+    int usec = 1000000 / wm_max_eps;
+
+    // Create arguments
+    mtdebug2(WM_AWS_LOGTAG, "Create argument list");
+
+    // script path
+    char * script = NULL;
+    os_calloc(PATH_MAX, sizeof(char), script);
+
+    snprintf(script, PATH_MAX, "%s", WM_AWS_SCRIPT_PATH);
+
+    wm_strcat(&command, script, '\0');
+    os_free(script);
+
+    // service
+    wm_strcat(&command, "--service", ' ');
+    wm_strcat(&command, exec_service->type, ' ');
+
+    // service arguments
+    if (exec_service->aws_profile) {
+        wm_strcat(&command, "--aws_profile", ' ');
+        wm_strcat(&command, exec_service->aws_profile, ' ');
+    }
+    if (exec_service->iam_role_arn) {
+        wm_strcat(&command, "--iam_role_arn", ' ');
+        wm_strcat(&command, exec_service->iam_role_arn, ' ');
+    }
+    if (exec_service->iam_role_duration){
+        wm_strcat(&command, "--iam_role_duration", ' ');
+        wm_strcat(&command, exec_service->iam_role_duration, ' ');
+    }
+    if (exec_service->aws_account_id) {
+        wm_strcat(&command, "--aws_account_id", ' ');
+        wm_strcat(&command, exec_service->aws_account_id, ' ');
+    }
+    if (exec_service->aws_account_alias) {
+        wm_strcat(&command, "--aws_account_alias", ' ');
+        wm_strcat(&command, exec_service->aws_account_alias, ' ');
+    }
+    if (exec_service->only_logs_after) {
+        wm_strcat(&command, "--only_logs_after", ' ');
+        wm_strcat(&command, exec_service->only_logs_after, ' ');
+    }
+    if (exec_service->regions) {
+        wm_strcat(&command, "--regions", ' ');
+        wm_strcat(&command, exec_service->regions, ' ');
+    }
+    if (exec_service->aws_log_groups) {
+        wm_strcat(&command, "--aws_log_groups", ' ');
+        wm_strcat(&command, exec_service->aws_log_groups, ' ');
+    }
+    if (exec_service->remove_log_streams) {
+        wm_strcat(&command, "--remove-log-streams", ' ');
+    }
+    if (exec_service->discard_field) {
+        wm_strcat(&command, "--discard-field", ' ');
+        wm_strcat(&command, exec_service->discard_field, ' ');
+    }
+    if (exec_service->discard_regex) {
+        wm_strcat(&command, "--discard-regex", ' ');
+        wm_strcat(&command, exec_service->discard_regex, ' ');
+    }
+    if (exec_service->sts_endpoint) {
+        wm_strcat(&command, "--sts_endpoint", ' ');
+        wm_strcat(&command, exec_service->sts_endpoint, ' ');
+    }
+    if (exec_service->service_endpoint) {
+        wm_strcat(&command, "--service_endpoint", ' ');
+        wm_strcat(&command, exec_service->service_endpoint, ' ');
+    }
+    if (isDebug()) {
+        wm_strcat(&command, "--debug", ' ');
+        if (isDebug() > 2) {
+            wm_strcat(&command, "3", ' ');
+        } else if (isDebug() > 1) {
+            wm_strcat(&command, "2", ' ');
+        } else {
+            wm_strcat(&command, "1", ' ');
+        }
+    }
+    if (aws_config->skip_on_error) {
+        wm_strcat(&command, "--skip_on_error", ' ');
+    }
+    if (wm_state_io(WM_AWS_CONTEXT.name, WM_IO_READ, &aws_config->state, sizeof(aws_config->state)) < 0) {
+        memset(&aws_config->state, 0, sizeof(aws_config->state));
+    }
+
+    // Execute
+    char *service_title = NULL;
+    wm_strcat(&service_title, "Service:", ' ');
+    wm_strcat(&service_title, exec_service->type, ' ');
+    wm_strcat(&service_title, exec_service->aws_account_id, ' ');
+    if(exec_service->aws_account_alias){
+        wm_strcat(&service_title, "(", '\0');
+        wm_strcat(&service_title, exec_service->aws_account_alias, '\0');
+        wm_strcat(&service_title, ")", '\0');
+    }
+    wm_strcat(&service_title, " - ", ' ');
+
+    mtdebug1(WM_AWS_LOGTAG, "Launching S3 Command: %s", command);
+
+    const int wm_exec_ret_code = wm_exec(command, &output, &status, 0, NULL);
+
+    os_free(command);
+
+    if (wm_exec_ret_code) {
+        mterror(WM_AWS_LOGTAG, "Internal error. Exiting...");
+        os_free(service_title);
+
+        if (wm_exec_ret_code > 0) {
+            os_free(output);
+        }
+        pthread_exit(NULL);
+    } else if (status > 0) {
+        mtwarn(WM_AWS_LOGTAG, "%s Returned exit code %d", service_title, status);
+        if(status == 1) {
+            char * unknown_error_msg = strstr(output,"Unknown error");
+            if (unknown_error_msg == NULL)
+                mtwarn(WM_AWS_LOGTAG, "%s Unknown error.", service_title);
+            else
+                mtwarn(WM_AWS_LOGTAG, "%s %s", service_title, unknown_error_msg);
+        } else if(status == 2) {
+            char * ptr;
+            if (ptr = strstr(output, "aws.py: error:"), ptr) {
+                ptr += 14;
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments: %s", service_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments.", service_title);
+            }
+        } else {
+            char * ptr;
+            if (ptr = strstr(output, "ERROR: "), ptr) {
+                ptr += 7;
+                mtwarn(WM_AWS_LOGTAG, "%s %s", service_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s %s", service_title, output);
+            }
+        }
+        mtdebug1(WM_AWS_LOGTAG, "%s OUTPUT: %s", service_title, output);
+    } else {
+        mtdebug2(WM_AWS_LOGTAG, "%s OUTPUT: %s", service_title, output);
+    }
+
+    os_free(service_title);
+
+    char *line;
+    char *save_ptr = NULL;
+    for (line = strtok_r(output, "\n", &save_ptr); line; line = strtok_r(NULL, "\n", &save_ptr)) {
+        wm_sendmsg(usec, aws_config->queue_fd, line, WM_AWS_CONTEXT.name, LOCALFILE_MQ);
+    }
+
+    os_free(output);
+}
+
+// Run a subscriber parsing
+void wm_aws_run_subscriber(wm_aws *aws_config, wm_aws_subscriber *exec_subscriber) {
+    int status;
+    char *output = NULL;
+    char *command = NULL;
+
+    // Define time to sleep between messages sent
+    int usec = 1000000 / wm_max_eps;
+
+    // Create arguments
+    mtdebug2(WM_AWS_LOGTAG, "Create argument list");
+
+    // script path
+    char * script = NULL;
+    os_calloc(PATH_MAX, sizeof(char), script);
+
+    snprintf(script, PATH_MAX, "%s", WM_AWS_SCRIPT_PATH);
+
+    wm_strcat(&command, script, '\0');
+    os_free(script);
+
+    // subscriber
+    wm_strcat(&command, "--subscriber", ' ');
+    wm_strcat(&command, exec_subscriber->type, ' ');
+
+    wm_strcat(&command, "--queue", ' ');
+    wm_strcat(&command, exec_subscriber->sqs_name, ' ');
+
+    // subscriber arguments
+    if (exec_subscriber->external_id) {
+        wm_strcat(&command, "--external_id", ' ');
+        wm_strcat(&command, exec_subscriber->external_id, ' ');
+    }
+    if (exec_subscriber->iam_role_arn) {
+        wm_strcat(&command, "--iam_role_arn", ' ');
+        wm_strcat(&command, exec_subscriber->iam_role_arn, ' ');
+    }
+    if (exec_subscriber->iam_role_duration){
+        wm_strcat(&command, "--iam_role_duration", ' ');
+        wm_strcat(&command, exec_subscriber->iam_role_duration, ' ');
+    }
+    if (exec_subscriber->aws_profile) {
+        wm_strcat(&command, "--aws_profile", ' ');
+        wm_strcat(&command, exec_subscriber->aws_profile, ' ');
+    }
+    if (exec_subscriber->sts_endpoint){
+        wm_strcat(&command, "--sts_endpoint", ' ');
+        wm_strcat(&command, exec_subscriber->sts_endpoint, ' ');
+    }
+    if (exec_subscriber->service_endpoint){
+        wm_strcat(&command, "--service_endpoint", ' ');
+        wm_strcat(&command, exec_subscriber->service_endpoint, ' ');
+    }
+
+    if (exec_subscriber->discard_field) {
+        wm_strcat(&command, "--discard-field", ' ');
+        wm_strcat(&command, exec_subscriber->discard_field, ' ');
+    }
+    if (exec_subscriber->discard_regex) {
+        wm_strcat(&command, "--discard-regex", ' ');
+        wm_strcat(&command, exec_subscriber->discard_regex, ' ');
+    }
+
+    if (isDebug()) {
+        wm_strcat(&command, "--debug", ' ');
+        if (isDebug() > 2) {
+            wm_strcat(&command, "3", ' ');
+        } else if (isDebug() > 1) {
+            wm_strcat(&command, "2", ' ');
+        } else {
+            wm_strcat(&command, "1", ' ');
+        }
+    }
+
+    if (aws_config->skip_on_error) {
+        wm_strcat(&command, "--skip_on_error", ' ');
+    }
+    if (wm_state_io(WM_AWS_CONTEXT.name, WM_IO_READ, &aws_config->state, sizeof(aws_config->state)) < 0) {
+        memset(&aws_config->state, 0, sizeof(aws_config->state));
+    }
+
+    // Execute
+    char *subscriber_title = NULL;
+    wm_strcat(&subscriber_title, "Subscriber:", ' ');
+    wm_strcat(&subscriber_title, exec_subscriber->type, ' ');
+    wm_strcat(&subscriber_title, exec_subscriber->sqs_name, ' ');
+
+    wm_strcat(&subscriber_title, " - ", ' ');
+
+    mtdebug1(WM_AWS_LOGTAG, "Launching S3 Subscriber Command: %s", command);
+
+    const int wm_exec_ret_code = wm_exec(command, &output, &status, 0, NULL);
+
+    os_free(command);
+
+    if (wm_exec_ret_code) {
+        mterror(WM_AWS_LOGTAG, "Internal error. Exiting...");
+        os_free(subscriber_title);
+
+        if (wm_exec_ret_code > 0) {
+            os_free(output);
+        }
+        pthread_exit(NULL);
+    } else if (status > 0) {
+        mtwarn(WM_AWS_LOGTAG, "%s Returned exit code %d", subscriber_title, status);
+        if(status == 1) {
+            char * unknown_error_msg = strstr(output,"Unknown error");
+            if (unknown_error_msg == NULL)
+                mtwarn(WM_AWS_LOGTAG, "%s Unknown error.", subscriber_title);
+            else
+                mtwarn(WM_AWS_LOGTAG, "%s %s", subscriber_title, unknown_error_msg);
+        } else if(status == 2) {
+            char * ptr;
+            if (ptr = strstr(output, "aws.py: error:"), ptr) {
+                ptr += 14;
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments: %s", subscriber_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s Error parsing arguments.", subscriber_title);
+            }
+        } else {
+            char * ptr;
+            if (ptr = strstr(output, "ERROR: "), ptr) {
+                ptr += 7;
+                mtwarn(WM_AWS_LOGTAG, "%s %s", subscriber_title, ptr);
+            } else {
+                mtwarn(WM_AWS_LOGTAG, "%s %s", subscriber_title, output);
+            }
+        }
+        mtdebug1(WM_AWS_LOGTAG, "%s OUTPUT: %s", subscriber_title, output);
+    } else {
+        mtdebug2(WM_AWS_LOGTAG, "%s OUTPUT: %s", subscriber_title, output);
+    }
+
+    os_free(subscriber_title);
+
+    char *line;
+    char *save_ptr = NULL;
+    for (line = strtok_r(output, "\n", &save_ptr); line; line = strtok_r(NULL, "\n", &save_ptr)) {
+        wm_sendmsg(usec, aws_config->queue_fd, line, WM_AWS_CONTEXT.name, LOCALFILE_MQ);
+    }
+
+    os_free(output);
+}
diff --git a/src/modules/aws/tests/integration/__init__.py b/src/modules/aws/tests/integration/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/aws/tests/integration/configurator.py b/src/modules/aws/tests/integration/configurator.py
new file mode 100644
index 0000000000..65baaa5be4
--- /dev/null
+++ b/src/modules/aws/tests/integration/configurator.py
@@ -0,0 +1,162 @@
+# Copyright (C) 2015-2023, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+    This file contains the Test Configurator class that will manage all resources and configurations for each test
+    module.
+"""
+from os.path import join
+from uuid import uuid4
+
+# qa-integration-framework imports
+from wazuh_testing.utils.configuration import (
+    get_test_cases_data,
+    load_configuration_template,
+)
+from wazuh_testing.logger import logger
+
+
+# Local imports
+from .utils import TEST_DATA_PATH, TEMPLATE_DIR, TEST_CASES_DIR
+
+# Constants
+METADATA_SQS = 'sqs_name'
+METADATA_RESOURCE_TYPE = 'resource_type'
+METADATA_BUCKET = 'bucket_name'
+METADATA_VPC = 'vpc_name'
+METADATA_LOG_GROUP = 'log_group_name'
+METADATA_LOG_STREAM = 'log_stream_name'
+
+CONFIG_SQS = 'SQS_NAME'
+CONFIG_BUCKET = 'BUCKET_NAME'
+CONFIG_LOG_GROUP = 'LOG_GROUP_NAME'
+
+
+# Classes
+class TestConfigurator:
+    """
+    TestConfigurator class is responsible for configuring test data and parameters for a specific test module.
+
+    Attributes:
+    - module (str): The name of the test module.
+    - metadata (list): Test metadata retrieved from the test cases.
+    - cases_ids (list): Identifiers for the test cases.
+    - test_configuration_template (list): The loaded configuration template for the test module.
+
+    """
+
+    def __init__(self):
+        self._module = ""
+        self._metadata: list = []
+        self._cases_ids: list = []
+        self._test_configuration_template: list = []
+        self._set_session_id()
+
+    @property
+    def module(self):
+        return self._module
+
+    @module.setter
+    def module(self, test_module: str):
+        self._module = test_module
+
+    @property
+    def metadata(self):
+        return self._metadata
+
+    @property
+    def test_configuration_template(self):
+        return self._test_configuration_template
+
+    @property
+    def cases_ids(self):
+        return self._cases_ids
+
+    def _set_session_id(self) -> None:
+        """Create and set the test session id."""
+        self._session_id = str(uuid4())[:8]
+        logger.info(f"This test session id is: {self._session_id}")
+
+    def configure_test(self, configuration_file="", cases_file="") -> None:
+        """Configure and manage the resources for the test.
+
+        Args:
+            configuration_file (str): The name of the configuration file.
+            cases_file (str): The name of the test cases file.
+        """
+        # Set test cases yaml path
+        cases_yaml_path = join(TEST_DATA_PATH, TEST_CASES_DIR, self.module, cases_file)
+
+        # Set test cases data
+        parameters, self._metadata, self._cases_ids = get_test_cases_data(cases_yaml_path)
+
+        # Modify original data to include session information
+        self._modify_metadata(parameters=parameters)
+
+        # Set test configuration template for tests with config files
+        self._load_configuration_template(configuration_file=configuration_file,
+                                          parameters=parameters)
+
+    def _load_configuration_template(self, configuration_file: str, parameters: str) -> None:
+        """Set the configuration template of the test.
+
+        Args:
+            configuration_file (str): The name of the configuration file.
+            parameters (str): The test parameters.
+        """
+        if configuration_file != "":
+            # Set config path
+            configuration_path = join(TEST_DATA_PATH, TEMPLATE_DIR, self.module, configuration_file)
+
+            # load configuration template
+            self._test_configuration_template = load_configuration_template(
+                configuration_path,
+                parameters,
+                self._metadata
+            )
+
+    def _modify_metadata(self, parameters: list) -> None:
+        """Modify raw data to add test session information.
+
+        Args:
+            parameters (list): The parameters of the test.
+        """
+        # Add Suffix (_todelete) to alert a safe deletion of resource in case of errors.
+        suffix = f"-{self._session_id}-todelete"
+
+        # Add suffix to metadata
+        for param, data in zip(parameters, self._metadata):
+            # Determine whether resource creation is required or not
+            resource_creation_required = METADATA_RESOURCE_TYPE in data
+
+            if resource_creation_required:
+                try:
+                    if METADATA_SQS in data:
+                        data[METADATA_SQS] += suffix
+                        param[CONFIG_SQS] += suffix
+
+                    if data[METADATA_RESOURCE_TYPE] == "bucket":
+                        data[METADATA_BUCKET] += suffix
+                        if METADATA_VPC in data:
+                            data[METADATA_VPC] += suffix
+                        if CONFIG_BUCKET in param:
+                            param[CONFIG_BUCKET] += suffix
+
+                    elif data[METADATA_RESOURCE_TYPE] == "log_group":
+                        if CONFIG_LOG_GROUP in param:
+                            suffixed_log_groups = []
+                            for log_group in data[METADATA_LOG_GROUP].split(','):
+                                log_group += suffix
+                                suffixed_log_groups.append(log_group)
+                            data[METADATA_LOG_GROUP] = ','.join(suffixed_log_groups)
+                            param[CONFIG_LOG_GROUP] = data[METADATA_LOG_GROUP]
+                            if METADATA_LOG_STREAM in data:  # It is not present for basic or parser tests
+                                data[METADATA_LOG_STREAM] += suffix
+
+                except KeyError:
+                    raise
+
+
+# Instantiate configurator
+configurator = TestConfigurator()
diff --git a/src/modules/aws/tests/integration/conftest.py b/src/modules/aws/tests/integration/conftest.py
new file mode 100644
index 0000000000..e248f56f50
--- /dev/null
+++ b/src/modules/aws/tests/integration/conftest.py
@@ -0,0 +1,858 @@
+# Copyright (C) 2015-2023, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module contains all necessary components (fixtures, classes, methods) to configure the test for its execution.
+"""
+
+import os
+import sys
+import pytest
+import boto3
+from botocore.exceptions import ClientError
+from typing import List
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.aws.utils import (
+    create_bucket,
+    upload_log_events,
+    create_log_group,
+    create_log_stream,
+    create_flow_log,
+    delete_vpc,
+    delete_bucket,
+    delete_log_group,
+    delete_log_stream,
+    delete_s3_db,
+    delete_services_db,
+    upload_bucket_file,
+    generate_file,
+    create_sqs_queue,
+    get_sqs_queue_arn,
+    set_sqs_policy,
+    set_bucket_event_notification_configuration,
+    delete_sqs_queue,
+    delete_bucket_files
+)
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import configuration
+from wazuh_testing.utils.file import truncate_file
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.constants.aws import US_EAST_1_REGION
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture(scope='session')
+def load_wazuh_basic_configuration():
+    """Load a new basic configuration to the manager"""
+    # Load ossec.conf with all disabled settings
+    minimal_configuration = configuration.get_minimal_configuration()
+
+    # Make a backup from current configuration
+    backup_ossec_configuration = configuration.get_wazuh_conf()
+
+    # Write new configuration
+    configuration.write_wazuh_conf(minimal_configuration)
+
+    yield
+
+    # Restore the ossec.conf backup
+    configuration.write_wazuh_conf(backup_ossec_configuration)
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def configure_local_internal_options_function(request):
+    """Fixture to configure the local internal options file.
+
+    It uses the test variable local_internal_options. This should be
+    a dictionary wich keys and values corresponds to the internal option configuration, For example:
+    local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (fixture): Provide information on the executing test function.
+
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            logger.debug('local_internal_options is not set')
+            raise AttributeError('Error when using the fixture "configure_local_internal_options_module", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    logger.debug(f"Set local_internal_option to {str(local_internal_options)}")
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    logger.debug(f"Restore local_internal_option to {str(backup_local_internal_options)}")
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def restart_wazuh_function(request):
+    """Restart before starting a test, and stop it after finishing.
+
+       Args:
+            request (fixture): Provide information on the executing test function.
+    """
+    # If there is a list of required daemons defined in the test module, restart daemons, else restart all daemons.
+    try:
+        daemons = request.module.REQUIRED_DAEMONS
+    except AttributeError:
+        daemons = []
+
+    if len(daemons) == 0:
+        logger.debug(f"Restarting all daemon")
+        control_service('restart')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Restarting {daemon}")
+            # Restart daemon instead of starting due to legacy used fixture in the test suite.
+            control_service('restart', daemon=daemon)
+
+    yield
+
+    # Stop all daemons by default (daemons = None)
+    if len(daemons) == 0:
+        logger.debug(f"Stopping all daemons")
+        control_service('stop')
+    else:
+        # Stop a list daemons in order (as Wazuh does)
+        daemons.reverse()
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def file_monitoring(request):
+    """Fixture to handle the monitoring of a specified file.
+
+    It uses the variable `file_to_monitor` to determinate the file to monitor. Default `LOG_FILE_PATH`
+
+    Args:
+        request (fixture): Provide information on the executing test function.
+    """
+    if hasattr(request.module, 'file_to_monitor'):
+        file_to_monitor = getattr(request.module, 'file_to_monitor')
+    else:
+        file_to_monitor = WAZUH_LOG_PATH
+
+    logger.debug(f"Initializing file to monitor to {file_to_monitor}")
+
+    file_monitor = FileMonitor(file_to_monitor)
+    setattr(request.module, 'log_monitor', file_monitor)
+
+    yield
+
+    truncate_file(file_to_monitor)
+    logger.debug(f"Trucanted {file_to_monitor}")
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture
+def mark_cases_as_skipped(metadata):
+    if metadata['name'] in ['alb_remove_from_bucket', 'clb_remove_from_bucket', 'nlb_remove_from_bucket']:
+        pytest.skip(reason='ALB, CLB and NLB integrations are removing older logs from other region')
+
+
+@pytest.fixture
+def restart_wazuh_function_without_exception(daemon=None):
+    """Restart all Wazuh daemons."""
+    try:
+        control_service("start", daemon=daemon)
+    except ValueError:
+        pass
+
+    yield
+
+    control_service('stop', daemon=daemon)
+
+
+"""Boto3 client fixtures"""
+# Use the environment variable or default to 'dev'
+aws_profile = os.environ.get("AWS_PROFILE", "default")
+
+
+@pytest.fixture()
+def boto_session():
+    """Create a boto3 Session using the system defined AWS profile."""
+    return boto3.Session(profile_name=f'{aws_profile}')
+
+
+@pytest.fixture()
+def s3_client(boto_session: boto3.Session):
+    """Create an S3 client to manage bucket resources.
+
+    Args:
+        boto_session (boto3.Session): Session used to create the client.
+
+    Returns:
+        boto3.resources.base.ServiceResource: S3 client to manage bucket resources.
+    """
+    return boto_session.resource(service_name="s3", region_name=US_EAST_1_REGION)
+
+
+@pytest.fixture()
+def ec2_client(boto_session: boto3.Session):
+    """Create an EC2 client to manage VPC resources.
+
+    Args:
+        boto_session (boto3.Session): Session used to create the client.
+
+    Returns:
+        Service client instance: EC2 client to manage VPC resources.
+    """
+    return boto_session.client(service_name="ec2", region_name=US_EAST_1_REGION)
+
+
+@pytest.fixture()
+def logs_clients(boto_session: boto3.Session, metadata: dict):
+    """Create CloudWatch Logs clients per region to manage CloudWatch resources.
+
+    Args:
+        boto_session (boto3.Session): Session used to create the client.
+        metadata (dict): Metadata from the module to obtain the defined regions.
+
+    Returns:
+        list(Service client instance): CloudWatch client list to manage the service's resources in multiple regions.
+    """
+    # A client for each region is required to generate logs accordingly
+    return [boto_session.client(service_name="logs", region_name=region)
+            for region in metadata.get('regions', US_EAST_1_REGION).split(',')]
+
+
+@pytest.fixture()
+def sqs_client(boto_session: boto3.Session):
+    """Create an SQS client to manage queues.
+
+    Args:
+        boto_session (boto3.Session): Session used to create the client.
+
+    Returns:
+        Service client instance: SQS client to manage the queue resources.
+    """
+    return boto_session.client(service_name="sqs", region_name=US_EAST_1_REGION)
+
+
+"""Session fixtures"""
+
+
+@pytest.fixture()
+def buckets_manager(s3_client):
+    """Initializes a set to manage the creation and deletion of the buckets used throughout the test session.
+
+    Args:
+        s3_client (boto3.resources.base.ServiceResource): S3 client used to manage the bucket resources.
+
+    Yields:
+        buckets (set): Set of buckets.
+        s3_client (boto3.resources.base.ServiceResource): S3 client used to manage the bucket resources.
+    """
+    # Create buckets set
+    buckets: set = set()
+
+    yield buckets, s3_client
+
+    # Delete all buckets created during execution
+    for bucket in buckets:
+        try:
+            # Delete the bucket
+            delete_bucket(bucket_name=bucket, client=s3_client)
+        except ClientError as error:
+            logger.error({
+                "message": "Client error deleting bucket, delete manually",
+                "resource_name": bucket,
+                "error": str(error)
+            })
+
+        except Exception as error:
+            logger.error({
+                "message": "Broad error deleting bucket, delete manually",
+                "resource_name": bucket,
+                "error": str(error)
+            })
+
+
+@pytest.fixture()
+def log_groups_manager(logs_clients):
+    """Initializes a set to manage the creation and deletion of the log groups used throughout the test session.
+
+    Args:
+        logs_clients (list(Service client instance)): CloudWatch Logs client list to manage the CloudWatch resources.
+
+    Yields:
+        log_groups (set): Set of log groups.
+        logs_clients (list(Service client instance)): CloudWatch Logs client list to manage the CloudWatch resources.
+    """
+    # Create log groups set
+    log_groups: set = set()
+
+    yield log_groups, logs_clients
+
+    # Delete all resources created during execution
+    for log_group in log_groups:
+        try:
+            for logs_client in logs_clients:
+                delete_log_group(log_group_name=log_group, client=logs_client)
+        except ClientError as error:
+            logger.error({
+                "message": "Client error deleting log_group, delete manually",
+                "resource_name": log_group,
+                "error": str(error)
+            })
+            raise error
+
+        except Exception as error:
+            logger.error({
+                "message": "Broad error deleting log_group, delete manually",
+                "resource_name": log_group,
+                "error": str(error)
+            })
+            raise error
+
+
+@pytest.fixture()
+def sqs_manager(sqs_client):
+    """Initializes a set to manage the creation and deletion of the sqs queues used throughout the test session.
+
+    Args:
+        sqs_client (Service client instance): SQS client to manage the SQS resources.
+
+    Yields:
+        sqs_queues (set): Set of SQS queues.
+        sqs_client (Service client instance): SQS client to manage the SQS resources.
+    """
+    # Create buckets set
+    sqs_queues: set = set()
+
+    yield sqs_queues, sqs_client
+
+    # Delete all resources created during execution
+    for sqs in sqs_queues:
+        try:
+            delete_sqs_queue(sqs_queue_url=sqs, client=sqs_client)
+        except ClientError as error:
+            logger.error({
+                "message": "Client error deleting sqs queue, delete manually",
+                "resource_name": sqs,
+                "error": str(error)
+            })
+
+        except Exception as error:
+            logger.error({
+                "message": "Broad error deleting sqs queue, delete manually",
+                "resource_name": sqs,
+                "error": str(error)
+            })
+
+
+"""S3 fixtures"""
+
+
+@pytest.fixture()
+def create_test_bucket(buckets_manager,
+                       metadata: dict):
+    """Create a bucket.
+
+    Args:
+        buckets_manager (fixture): Set of buckets.
+        metadata (dict): Bucket information.
+    """
+    bucket_name = metadata["bucket_name"]
+    bucket_type = metadata["bucket_type"]
+
+    buckets, s3_client = buckets_manager
+    try:
+        # Create bucket
+        create_bucket(bucket_name=bucket_name, client=s3_client)
+        logger.debug(f"Created new bucket: type {bucket_name}")
+
+        # Append created bucket to resource set
+        buckets.add(bucket_name)
+
+    except ClientError as error:
+        logger.error({
+            "message": "Client error creating bucket",
+            "bucket_name": bucket_name,
+            "bucket_type": bucket_type,
+            "error": str(error)
+        })
+        raise
+
+    except Exception as error:
+        logger.error({
+            "message": "Broad error creating bucket",
+            "bucket_name": bucket_name,
+            "bucket_type": bucket_type,
+            "error": str(error)
+        })
+        raise
+
+
+@pytest.fixture
+def manage_bucket_files(metadata: dict, s3_client, ec2_client):
+    """Upload a file to S3 bucket and delete after the test ends.
+
+    Args:
+        metadata (dict): Metadata to get the parameters.
+        s3_client (boto3.resources.base.ServiceResource): S3 client used to manage the bucket resources.
+        ec2_client (Service client instance): EC2 client to manage VPC resources.
+    """
+    # Get bucket name
+    bucket_name = metadata['bucket_name']
+
+    # Get bucket type
+    bucket_type = metadata['bucket_type']
+
+    # Get only_logs_after, regions, prefix and suffix if set to generate file accordingly
+    file_creation_date = metadata.get('only_logs_after')
+    regions = metadata.get('regions', US_EAST_1_REGION).split(',')
+    prefix = metadata.get('path', '')
+    suffix = metadata.get('path_suffix', '')
+
+    # Check if the VPC type is the one to be tested
+    vpc_bucket = bucket_type == 'vpcflow'
+
+    # Check if logs need to be created
+    log_number = metadata.get("expected_results", 1) > 0
+
+    # Generate files
+    if log_number:
+        files_to_upload = []
+        metadata['uploaded_file'] = ''
+        try:
+            if vpc_bucket:
+                # Create VPC resources
+                flow_log_id, vpc_id = create_flow_log(vpc_name=metadata['vpc_name'],
+                                                      bucket_name=bucket_name,
+                                                      client=ec2_client)
+                metadata['flow_log_id'] = flow_log_id
+                for region in regions:
+                    data, key = generate_file(bucket_type=bucket_type,
+                                              bucket_name=bucket_name,
+                                              date=file_creation_date,
+                                              region=region,
+                                              prefix=prefix,
+                                              suffix=suffix,
+                                              flow_log_id=flow_log_id)
+                    files_to_upload.append((data, key))
+            else:
+                for region in regions:
+                    data, key = generate_file(bucket_type=bucket_type,
+                                              bucket_name=bucket_name,
+                                              region=region,
+                                              prefix=prefix,
+                                              suffix=suffix,
+                                              date=file_creation_date)
+                    files_to_upload.append((data, key))
+
+            for data, key in files_to_upload:
+                # Upload file to bucket
+                upload_bucket_file(bucket_name=bucket_name,
+                                   data=data,
+                                   key=key,
+                                   client=s3_client)
+
+                logger.debug('Uploaded file: %s to bucket "%s"', key, bucket_name)
+
+                # Set filename for test execution
+                metadata['uploaded_file'] += key
+
+        except ClientError as error:
+            logger.error({
+                "message": "Client error uploading file to bucket",
+                "bucket_name": bucket_name,
+                "error": str(error)
+            })
+            raise error
+
+        except Exception as error:
+            logger.error({
+                "message": "Broad error uploading file to bucket",
+                "bucket_name": bucket_name,
+                "error": str(error)
+            })
+            raise error
+
+    yield
+
+    try:
+        if log_number:
+            # Delete all bucket files
+            delete_bucket_files(bucket_name=bucket_name, client=s3_client)
+
+            if vpc_bucket:
+                # Delete VPC resources (VPC and Flow Log)
+                delete_vpc(vpc_id=vpc_id, flow_log_id=flow_log_id, client=ec2_client)
+
+    except ClientError as error:
+        logger.error({
+            "message": "Client error deleting resources from bucket",
+            "bucket_name": bucket_name,
+            "error": str(error)
+        })
+        raise error
+
+    except Exception as error:
+        logger.error({
+            "message": "Broad error deleting resources from bucket",
+            "bucket_name": bucket_name,
+            "error": str(error)
+        })
+        raise error
+
+
+"""CloudWatch fixtures"""
+
+
+@pytest.fixture()
+def create_test_log_group(log_groups_manager,
+                          metadata: dict) -> None:
+    """Create a log group.
+
+    Args:
+        log_groups_manager (tuple): Log groups set and CloudWatch clients.
+        metadata (dict): Log group information.
+    """
+    # Get log group names
+    log_group_names = metadata["log_group_name"].split(',')
+
+    # If the resource_type is defined, then the resource must be created
+    resource_creation = 'resource_type' in metadata
+
+    log_groups, logs_clients = log_groups_manager
+
+    try:
+        if resource_creation:
+            # Create log group
+            for log_group in log_group_names:
+                for logs_client in logs_clients:
+                    create_log_group(log_group_name=log_group, client=logs_client)
+                    logger.debug(f"Created log group: {log_group}")
+
+                # Append created log group to resource list
+                log_groups.add(log_group)
+
+    except ClientError as error:
+        logger.error({
+            "message": "Client error creating log group",
+            "log_group": log_group,
+            "error": str(error)
+        })
+        raise
+
+    except Exception as error:
+        logger.error({
+            "message": "Broad error creating log group",
+            "log_group": log_group,
+            "error": str(error)
+        })
+        raise
+
+
+@pytest.fixture()
+def create_test_log_stream(metadata: dict, log_groups_manager) -> None:
+    """Create a log stream.
+
+    Args:
+        metadata (dict): Log group information.
+        log_groups_manager (tuple): Log groups set and CloudWatch clients.
+    """
+    # Get log group names
+    log_group_names = metadata["log_group_name"].split(',')
+
+    # Get log stream
+    log_stream_name = metadata['log_stream_name']
+
+    # If the resource_type is defined, then the resource must be created
+    resource_creation = 'resource_type' in metadata
+
+    _, logs_clients = log_groups_manager
+
+    try:
+        if resource_creation:
+            # Create log stream for each log group defined
+            for log_group in log_group_names:
+                for logs_client in logs_clients:
+                    create_log_stream(log_group=log_group,
+                                      log_stream=log_stream_name,
+                                      client=logs_client)
+                    logger.debug(f'Created log stream {log_stream_name} within log group {log_group}')
+
+    except ClientError as error:
+        logger.error({
+            "message": "Client error creating log stream",
+            "log_group": log_group,
+            "error": str(error)
+        })
+        raise
+
+    except Exception as error:
+        logger.error({
+            "message": "Broad error creating log stream",
+            "log_group": log_group,
+            "error": str(error)
+        })
+        raise
+
+
+@pytest.fixture
+def manage_log_group_events(metadata: dict, logs_clients):
+    """Upload events to a log stream inside a log group and delete the log stream after the test ends.
+
+    Args:
+        metadata (dict): Metadata to get the parameters.
+        logs_clients (list(Service client instance)): CloudWatch Logs client list to manage the CloudWatch resources.
+    """
+    # Get log group names
+    log_group_names = metadata["log_group_name"].split(',')
+
+    # Get log stream name
+    log_stream_name = metadata["log_stream_name"]
+
+    # Get number of events
+    event_number = metadata.get("expected_results", 1)
+
+    # If the resource_type is defined, then the resource must be created
+    resource_creation = 'resource_type' in metadata
+
+    try:
+        if resource_creation:
+            log_creation_date = metadata.get('only_logs_after')
+            for log_group in log_group_names:
+                for logs_client in logs_clients:
+                    # Create log events in log group
+                    upload_log_events(
+                        log_stream=log_stream_name,
+                        log_group=log_group,
+                        date=log_creation_date,
+                        type_json='discard_field' in metadata,
+                        events_number=event_number,
+                        client=logs_client
+                    )
+
+    except ClientError as error:
+        logger.error({
+            "message": "Client error uploading events to log stream",
+            "log_group": log_group,
+            "log_stream_name": log_stream_name,
+            "error": str(error)
+        })
+        raise error
+
+    except Exception as error:
+        logger.error({
+            "message": "Broad error uploading events to log stream",
+            "log_group": log_group,
+            "log_stream_name": log_stream_name,
+            "error": str(error)
+        })
+        raise error
+
+    yield
+
+
+"""SQS fixtures"""
+
+
+@pytest.fixture
+def set_test_sqs_queue(metadata: dict, sqs_manager, s3_client) -> None:
+    """Create a test SQS queue.
+
+    Args:
+        metadata (dict): The metadata for the SQS queue.
+        sqs_manager (fixture): The SQS set for the test.
+        s3_client (boto3.resources.base.ServiceResource): S3 client used to manage bucket resources.
+    """
+    # Get bucket name
+    bucket_name = metadata["bucket_name"]
+    # Get SQS name
+    sqs_name = metadata["sqs_name"]
+
+    sqs_queues, sqs_client = sqs_manager
+
+    try:
+        # Create SQS and get URL
+        sqs_queue_url = create_sqs_queue(sqs_name=sqs_name, client=sqs_client)
+        # Add it to sqs set
+        sqs_queues.add(sqs_queue_url)
+
+        # Get SQS Queue ARN
+        sqs_queue_arn = get_sqs_queue_arn(sqs_url=sqs_queue_url, client=sqs_client)
+
+        # Set policy
+        set_sqs_policy(bucket_name=bucket_name,
+                       sqs_queue_url=sqs_queue_url,
+                       sqs_queue_arn=sqs_queue_arn,
+                       client=sqs_client)
+
+        # Set bucket notification configuration
+        set_bucket_event_notification_configuration(bucket_name=bucket_name,
+                                                    sqs_queue_arn=sqs_queue_arn,
+                                                    client=s3_client)
+
+    except ClientError as error:
+        # Check if the sqs exist
+        if error.response['Error']['Code'] == 'ResourceNotFound':
+            logger.error(f"SQS Queue {sqs_name} already exists")
+            raise error
+        else:
+            raise error
+
+    except Exception as error:
+        raise error
+
+
+"""DB fixtures"""
+
+
+@pytest.fixture
+def clean_s3_cloudtrail_db():
+    """Delete the DB file before and after the test execution."""
+    delete_s3_db()
+
+    yield
+
+    delete_s3_db()
+
+
+@pytest.fixture
+def clean_aws_services_db():
+    """Delete the DB file before and after the test execution."""
+    delete_services_db()
+
+    yield
+
+    delete_services_db()
diff --git a/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/bucket_configuration_defaults.yaml b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/bucket_configuration_defaults.yaml
new file mode 100644
index 0000000000..022de09008
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/bucket_configuration_defaults.yaml
@@ -0,0 +1,13 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
diff --git a/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/cloudwatch_configuration_defaults.yaml b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/cloudwatch_configuration_defaults.yaml
new file mode 100644
index 0000000000..5aa0d879f1
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/cloudwatch_configuration_defaults.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/inspector_configuration_defaults.yaml b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/inspector_configuration_defaults.yaml
new file mode 100644
index 0000000000..5e7f4d5957
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/basic_test_module/inspector_configuration_defaults.yaml
@@ -0,0 +1,13 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/custom_bucket_test_module/custom_bucket_configuration.yaml b/src/modules/aws/tests/integration/data/configuration_template/custom_bucket_test_module/custom_bucket_configuration.yaml
new file mode 100644
index 0000000000..511abd0446
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/custom_bucket_test_module/custom_bucket_configuration.yaml
@@ -0,0 +1,13 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - subscriber:
+            attributes:
+              - type: buckets
+            elements:
+              - sqs_name:
+                  value: SQS_NAME
diff --git a/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_bucket_discard_regex.yaml b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_bucket_discard_regex.yaml
new file mode 100644
index 0000000000..1e13d34a82
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_bucket_discard_regex.yaml
@@ -0,0 +1,21 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: 2022-NOV-20
+              - path:
+                  value: PATH
+              - discard_regex:
+                  attributes:
+                    - field: DISCARD_FIELD
+                  value: DISCARD_REGEX
diff --git a/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_json.yaml b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_json.yaml
new file mode 100644
index 0000000000..ed15d3b99b
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_json.yaml
@@ -0,0 +1,21 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: REGIONS
+              - discard_regex:
+                  attributes:
+                    - field: DISCARD_FIELD
+                  value: DISCARD_REGEX
diff --git a/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_simple_text.yaml b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_simple_text.yaml
new file mode 100644
index 0000000000..06d1ea077b
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_cloudwatch_discard_regex_simple_text.yaml
@@ -0,0 +1,19 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: REGIONS
+              - discard_regex:
+                  value: DISCARD_REGEX
diff --git a/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_inspector_discard_regex.yaml b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_inspector_discard_regex.yaml
new file mode 100644
index 0000000000..1ed1c57070
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/discard_regex_test_module/configuration_inspector_discard_regex.yaml
@@ -0,0 +1,19 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: REGIONS
+              - discard_regex:
+                  attributes:
+                    - field: DISCARD_FIELD
+                  value: DISCARD_REGEX
diff --git a/src/modules/aws/tests/integration/data/configuration_template/log_groups_test_module/configuration_log_groups.yaml b/src/modules/aws/tests/integration/data/configuration_template/log_groups_test_module/configuration_log_groups.yaml
new file mode 100644
index 0000000000..32073dcb2e
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/log_groups_test_module/configuration_log_groups.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - only_logs_after:
+                  value: 2023-JAN-12
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_with_only_logs_after.yaml
new file mode 100644
index 0000000000..20e3637bc9
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_with_only_logs_after.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: "no"
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - path:
+                  value: PATH
diff --git a/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_without_only_logs_after.yaml b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_without_only_logs_after.yaml
new file mode 100644
index 0000000000..3a1b01510d
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/bucket_configuration_without_only_logs_after.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: "no"
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - path:
+                  value: PATH
diff --git a/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/cloudwatch_configuration_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/cloudwatch_configuration_with_only_logs_after.yaml
new file mode 100644
index 0000000000..ddb2aade57
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/cloudwatch_configuration_with_only_logs_after.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: "no"
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/inspector_configuration_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/inspector_configuration_with_only_logs_after.yaml
new file mode 100644
index 0000000000..576e5a5e2c
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/inspector_configuration_with_only_logs_after.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: "no"
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/service_configuration_without_only_logs_after.yaml b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/service_configuration_without_only_logs_after.yaml
new file mode 100644
index 0000000000..5e76159855
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/only_logs_after_test_module/service_configuration_without_only_logs_after.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: "no"
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_bucket_and_service_missing.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_bucket_and_service_missing.yaml
new file mode 100644
index 0000000000..818a192d1a
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_bucket_and_service_missing.yaml
@@ -0,0 +1,7 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_multiple_bucket_and_service_tags.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_multiple_bucket_and_service_tags.yaml
new file mode 100644
index 0000000000..508f8ca1d5
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_multiple_bucket_and_service_tags.yaml
@@ -0,0 +1,39 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: cloudtrail
+            elements:
+              - name:
+                  value: wazuh-cloudtrail-integration-tests
+              - regions:
+                  value: us-east-1
+        - bucket:
+            attributes:
+              - type: cloudtrail
+            elements:
+              - name:
+                  value: wazuh-cloudtrail-integration-tests
+              - regions:
+                  value: us-east-2
+        - service:
+            attributes:
+              - type: cloudwatchlogs
+            elements:
+              - aws_log_groups:
+                  value: wazuh-cloudwatchlogs-integration-tests
+              - regions:
+                  value: us-east-1
+        - service:
+            attributes:
+              - type: cloudwatchlogs
+            elements:
+              - aws_log_groups:
+                  value: wazuh-cloudwatchlogs-integration-tests
+              - regions:
+                  value: us-east-2
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_bucket.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_bucket.yaml
new file mode 100644
index 0000000000..35905584ce
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_bucket.yaml
@@ -0,0 +1,11 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            elements:
+              - name:
+                  value: wazuh-cloudtrail-integration-tests
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_service.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_service.yaml
new file mode 100644
index 0000000000..7be1e67f61
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_type_missing_in_service.yaml
@@ -0,0 +1,11 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            elements:
+              - name:
+                  aws_log_groups: wazuh-cloudwatch-integration-tests
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_bucket.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_bucket.yaml
new file mode 100644
index 0000000000..2d6041e70a
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_bucket.yaml
@@ -0,0 +1,23 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: REGIONS
+              - path:
+                  value: PATH
+              - path_suffix:
+                  value: PATH_SUFFIX
+              - remove_from_bucket:
+                  value: REMOVE_FROM_BUCKET
diff --git a/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_service.yaml b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_service.yaml
new file mode 100644
index 0000000000..3dfe2fcf3f
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/parser_test_module/configuration_values_in_service.yaml
@@ -0,0 +1,19 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUPS
+              - only_logs_after:
+                  value: ONLY_LOGS_AFTER
+              - regions:
+                  value: REGIONS
+              - remove_log_streams:
+                  value: REMOVE_LOG_STREAMS
diff --git a/src/modules/aws/tests/integration/data/configuration_template/path_suffix_test_module/configuration_path_suffix.yaml b/src/modules/aws/tests/integration/data/configuration_template/path_suffix_test_module/configuration_path_suffix.yaml
new file mode 100644
index 0000000000..6a8bd157f4
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/path_suffix_test_module/configuration_path_suffix.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: 2022-NOV-20
+              - path_suffix:
+                  value: PATH_SUFFIX
diff --git a/src/modules/aws/tests/integration/data/configuration_template/path_test_module/configuration_path.yaml b/src/modules/aws/tests/integration/data/configuration_template/path_test_module/configuration_path.yaml
new file mode 100644
index 0000000000..03912c8f4c
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/path_test_module/configuration_path.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: 2022-NOV-20
+              - path:
+                  value: PATH
diff --git a/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/bucket_configuration_regions.yaml b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/bucket_configuration_regions.yaml
new file mode 100644
index 0000000000..9bb441e588
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/bucket_configuration_regions.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - only_logs_after:
+                  value: 2022-NOV-20
+              - regions:
+                  value: REGIONS
diff --git a/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/cloudwatch_configuration_regions.yaml b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/cloudwatch_configuration_regions.yaml
new file mode 100644
index 0000000000..cedab0988b
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/cloudwatch_configuration_regions.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - only_logs_after:
+                  value: 2023-JAN-12
+              - regions:
+                  value: REGIONS
diff --git a/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/inspector_configuration_regions.yaml b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/inspector_configuration_regions.yaml
new file mode 100644
index 0000000000..2ed5a44ce7
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/regions_test_module/inspector_configuration_regions.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - only_logs_after:
+                  value: 2023-JAN-12
+              - regions:
+                  value: REGIONS
diff --git a/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_from_bucket.yaml b/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_from_bucket.yaml
new file mode 100644
index 0000000000..2ae2eb33fa
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_from_bucket.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - bucket:
+            attributes:
+              - type: BUCKET_TYPE
+            elements:
+              - name:
+                  value: BUCKET_NAME
+              - remove_from_bucket:
+                  value: 'yes'
+              - path:
+                  value: PATH
diff --git a/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_log_stream.yaml b/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_log_stream.yaml
new file mode 100644
index 0000000000..88a76a2f14
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/configuration_template/remove_from_bucket_test_module/configuration_remove_log_stream.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: wodle
+      attributes:
+        - name: aws-s3
+      elements:
+        - disabled:
+            value: 'no'
+        - service:
+            attributes:
+              - type: SERVICE_TYPE
+            elements:
+              - aws_log_groups:
+                  value: LOG_GROUP_NAME
+              - remove_log_streams:
+                  value: 'yes'
+              - regions:
+                  value: us-east-1
diff --git a/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_bucket_defaults.yaml b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_bucket_defaults.yaml
new file mode 100644
index 0000000000..3bde4e3f7b
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_bucket_defaults.yaml
@@ -0,0 +1,139 @@
+- name: cloudtrail_defaults
+  description: CloudTrail default configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+
+- name: vpc_defaults
+  description: VPC default configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+
+- name: config_defaults
+  description: Config default configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+
+- name: alb_defaults
+  description: ALB default configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+
+- name: clb_defaults
+  description: CLB default configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+
+- name: nlb_defaults
+  description: NLB default configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+
+- name: kms_defaults
+  description: KMS default configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+
+- name: macie_defaults
+  description: CloudTrail default configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+
+- name: trusted_advisor_defaults
+  description: Trusted Advisor default configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+
+- name: guardduty_defaults
+  description: GuardDuty default configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+
+- name: native_guardduty_defaults
+  description: Native GuardDuty default configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_defaults
+  description: WAF default configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+
+- name: server_access_defaults
+  description: Server Access default configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+
+- name: cisco_umbrella_defaults
+  description: Umbrella default configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
diff --git a/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_cloudwatch_defaults.yaml b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_cloudwatch_defaults.yaml
new file mode 100644
index 0000000000..0694fc0341
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_cloudwatch_defaults.yaml
@@ -0,0 +1,9 @@
+- name: cloudwatchlogs_defaults
+  description: CloudWatch default configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
diff --git a/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_inspector_defaults.yaml b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_inspector_defaults.yaml
new file mode 100644
index 0000000000..7116fe13c2
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/basic_test_module/cases_inspector_defaults.yaml
@@ -0,0 +1,10 @@
+- name: inspector_defaults
+  description: Inspector default configurations
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    LOG_GROUP_NAME: wazuh-inspector-integration-tests
+  metadata:
+    resource_type: log_group
+    service_type: inspector
+    log_group_name: wazuh-inspector-integration-tests
+
diff --git a/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom.yaml b/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom.yaml
new file mode 100644
index 0000000000..cef6697ce3
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom.yaml
@@ -0,0 +1,10 @@
+- name: custom_bucket_defaults
+  description: Custom bucket default configuration
+  configuration_parameters:
+    SQS_NAME: wazuh-sqs-integration-tests-t1
+  metadata:
+    resource_type: bucket
+    sqs_name: wazuh-sqs-integration-tests-t1
+    bucket_name: wazuh-sqs-bucket-integration-test-t1
+    bucket_type: cloudtrail
+    expected_results: 1
diff --git a/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom_logs.yaml b/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom_logs.yaml
new file mode 100644
index 0000000000..0be1fbc140
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/custom_bucket_test_module/cases_bucket_custom_logs.yaml
@@ -0,0 +1,10 @@
+- name: bucket_with_logs
+  description: Logs inside a custom bucket
+  configuration_parameters:
+    SQS_NAME: wazuh-sqs-integration-tests-t2
+  metadata:
+    resource_type: bucket
+    sqs_name: wazuh-sqs-integration-tests-t2
+    bucket_name: wazuh-sqs-bucket-integration-test-t2
+    bucket_type: cloudtrail
+    expected_results: 1
diff --git a/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_bucket_discard_regex.yaml b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_bucket_discard_regex.yaml
new file mode 100644
index 0000000000..4fffec4b83
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_bucket_discard_regex.yaml
@@ -0,0 +1,253 @@
+- name: cloudtrail_discard_regex
+  description: CloudTrail discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    DISCARD_FIELD: eventSource
+    DISCARD_REGEX: .*sts.amazonaws.com.*
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: eventSource
+    discard_regex: .*sts.amazonaws.com.*
+    expected_results: 1
+    skipped_logs: 1
+
+- name: vpc_discard_regex
+  description: VPC discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    DISCARD_FIELD: action
+    DISCARD_REGEX: "REJECT"
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: action
+    discard_regex: "REJECT"
+    vpc_name: wazuh-vpc-integration-tests
+    expected_results: 1
+    skipped_logs: 5
+
+- name: config_discard_regex
+  description: Config discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    DISCARD_FIELD: configuration.complianceType
+    DISCARD_REGEX: .*COMPLIANT.*
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: configuration.complianceType
+    discard_regex: .*COMPLIANT.*
+    expected_results: 5
+    skipped_logs: 1
+
+- name: alb_discard_regex
+  description: ALB discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    DISCARD_FIELD: elb_status_code
+    DISCARD_REGEX: '403'
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: elb_status_code
+    discard_regex: '403'
+    expected_results: 1
+    skipped_logs: 5
+
+- name: clb_discard_regex
+  description: CLB discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    DISCARD_FIELD: elb_status_code
+    DISCARD_REGEX: '403'
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: elb_status_code
+    discard_regex: '403'
+    expected_results: 1
+    skipped_logs: 5
+
+- name: nlb_discard_regex
+  description: NLB discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    DISCARD_FIELD: type
+    DISCARD_REGEX: tls
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: type
+    discard_regex: tls
+    expected_results: 1
+    skipped_logs: 5
+
+- name: kms_discard_regex
+  description: KMS discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    DISCARD_FIELD: eventName
+    DISCARD_REGEX: GenerateDataKey
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: eventName
+    discard_regex: GenerateDataKey
+    expected_results: 1
+    skipped_logs: 1
+
+- name: macie_discard_regex
+  description: Macie discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    DISCARD_FIELD: severity
+    DISCARD_REGEX: CRITICAL
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: severity
+    discard_regex: CRITICAL
+    expected_results: 3
+    skipped_logs: 1
+
+- name: trusted_advisor_discard_regex
+  description: Trusted Advisor discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    DISCARD_FIELD: status
+    DISCARD_REGEX: OK
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: status
+    discard_regex: OK
+    expected_results: 1
+    skipped_logs: 1
+
+- name: guardduty_discard_regex
+  description: GuardDuty discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    DISCARD_FIELD: partition
+    DISCARD_REGEX: aws
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: partition
+    discard_regex: aws
+    expected_results: 1
+    skipped_logs: 1
+
+- name: native_guardduty_discard_regex
+  description: Native GuardDuty discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    DISCARD_FIELD: partition
+    DISCARD_REGEX: aws
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: partition
+    discard_regex: aws
+    expected_results: 1
+    skipped_logs: 1
+
+- name: waf_discard_regex
+  description: WAF discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    DISCARD_FIELD: action
+    DISCARD_REGEX: BLOCK
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: action
+    discard_regex: BLOCK
+    expected_results: 1
+    skipped_logs: 1
+
+- name: server_access_discard_regex
+  description: Server Access discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    DISCARD_FIELD: http_status
+    DISCARD_REGEX: '404'
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: http_status
+    discard_regex: '404'
+    expected_results: 1
+    skipped_logs: 1
+
+- name: cisco_umbrella_discard_regex
+  description: CloudTrail discard regex configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    DISCARD_FIELD: action
+    DISCARD_REGEX: Allowed
+    PATH: dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    discard_field: action
+    discard_regex: Allowed
+    expected_results: 1
+    skipped_logs: 5
+    path: dnslogs
diff --git a/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_json.yaml b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_json.yaml
new file mode 100644
index 0000000000..8f273bbbbb
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_json.yaml
@@ -0,0 +1,22 @@
+- name: cloudwatch_discard_regex_json
+  description: >
+    CloudWatch configuration for an event being discarded when the regex matches
+    the content in the specified field inside the incoming JSON log
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+    REGIONS: us-east-1
+    DISCARD_FIELD: message
+    DISCARD_REGEX: .*event.*number.*0
+    ONLY_LOGS_AFTER: 2023-JUL-03
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2023-JUL-03
+    discard_field: message
+    discard_regex: .*event.*number.*0
+    regions: us-east-1
+    skipped_logs: 1
+    expected_results: 3
diff --git a/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_simple_text.yaml b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_simple_text.yaml
new file mode 100644
index 0000000000..2fbae8be4d
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_cloudwatch_discard_regex_simple_text.yaml
@@ -0,0 +1,20 @@
+- name: cloudwatch_discard_regex_simple_text
+  description: >
+    CloudWatch configuration for an event being discarded when the regex matches
+    the content inside the incoming simple text log
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests-simple-text
+    REGIONS: us-east-1
+    DISCARD_REGEX: .*Test.*
+    ONLY_LOGS_AFTER: 2023-JAN-12
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests-simple-text
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream-simple-text
+    only_logs_after: 2023-JAN-12
+    discard_regex: .*Test.*
+    regions: us-east-1
+    skipped_logs: 1
+    expected_results: 3
diff --git a/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_inspector_discard_regex.yaml b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_inspector_discard_regex.yaml
new file mode 100644
index 0000000000..502e7f58fb
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/discard_regex_test_module/cases_inspector_discard_regex.yaml
@@ -0,0 +1,18 @@
+- name: inspector_discard_regex
+  description: >
+    Inspector configuration for an event being discarded when the regex matches
+    the content in the specified field inside the incoming JSON log
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    REGIONS: us-east-1
+    DISCARD_FIELD: assetAttributes.tags.key
+    DISCARD_REGEX: .*inspector-integration-test.*
+    ONLY_LOGS_AFTER: 2023-JAN-12
+  metadata:
+    resource_type: finding
+    service_type: inspector
+    only_logs_after: 2023-JAN-12
+    discard_field: assetAttributes.tags.key
+    discard_regex: .*inspector-integration-test.*
+    regions: us-east-1
+    skipped_logs: 11
diff --git a/src/modules/aws/tests/integration/data/test_cases/log_groups_test_module/cases_log_groups.yaml b/src/modules/aws/tests/integration/data/test_cases/log_groups_test_module/cases_log_groups.yaml
new file mode 100644
index 0000000000..1b03070f48
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/log_groups_test_module/cases_log_groups.yaml
@@ -0,0 +1,24 @@
+- name: cloudwatchlogs_log_groups_with_data
+  description: CloudWatch log groups configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests,temporary-log-group
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests,temporary-log-group
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2023-JAN-12
+    expected_results: 3
+
+- name: cloudwatchlogs_inexistent_log_group
+  description: CloudWatch log group configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: fake-log-group
+  metadata:
+    service_type: cloudwatchlogs
+    log_group_name: fake-log-group
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2023-JAN-12
+    expected_results: 0
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_multiple_calls.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_multiple_calls.yaml
new file mode 100644
index 0000000000..53c444b61f
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_multiple_calls.yaml
@@ -0,0 +1,170 @@
+- name: cloudtrail_only_logs_after_multiple_calls
+  description: CloudTrail only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: vpc_only_logs_after_multiple_calls
+  description: VPC only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+  metadata:
+    resource_type: bucket
+    vpc_name: wazuh-vpc-integration-tests
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: config_only_logs_after_multiple_calls
+  description: Config only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: alb_only_logs_after_multiple_calls
+  description: ALB only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: clb_only_logs_after_multiple_calls
+  description: CLB only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: nlb_only_logs_after_multiple_calls
+  description: NLB only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: kms_only_logs_after_multiple_calls
+  description: KMS only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: macie_only_logs_after_multiple_calls
+  description: Macie only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: trusted_advisor_only_logs_after_multiple_calls
+  description: Trusted Advisor only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: guardduty_only_logs_after_multiple_calls
+  description: GuardDuty only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: native_guardduty_only_logs_after_multiple_calls
+  description: Native GuardDuty only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: waf_only_logs_after_multiple_calls
+  description: WAF only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: server_access_only_logs_after_multiple_calls
+  description: Server Access only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 1
+
+- name: cisco_umbrella_only_logs_after_multiple_calls
+  description: Umbrella only_logs_after multiple calls configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: dnslogs
+    expected_results: 1
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_with_only_logs_after.yaml
new file mode 100644
index 0000000000..245b1708bb
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_with_only_logs_after.yaml
@@ -0,0 +1,198 @@
+- name: cloudtrail_with_only_logs_after
+  description: CloudTrail only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 5
+
+- name: vpc_with_only_logs_after
+  description: VPC only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    vpc_name: wazuh-vpc-integration-tests
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: config_with_only_logs_after
+  description: Config only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 5
+
+- name: alb_with_only_logs_after
+  description: ALB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 5
+
+- name: clb_with_only_logs_after
+  description: CLB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 5
+
+- name: nlb_with_only_logs_after
+  description: NLB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 5
+
+- name: kms_with_only_logs_after
+  description: KMS only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: macie_with_only_logs_after
+  description: Macie only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: trusted_avisor_with_only_logs_after
+  description: Trusted Advisor only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: guardduty_with_only_logs_after
+  description: GuardDuty only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: native_guardduty_with_only_logs_after
+  description: Native GuardDuty only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: waf_with_only_logs_after
+  description: WAF only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+
+- name: server_access_with_only_logs_after
+  description: Server Access only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+    table_name: s3_server_access
+
+- name: cisco_umbrella_with_only_logs_after
+  description: Umbrella only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+    PATH: dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
+    path: dnslogs
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_without_only_logs_after.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_without_only_logs_after.yaml
new file mode 100644
index 0000000000..4de40817d5
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_bucket_without_only_logs_after.yaml
@@ -0,0 +1,170 @@
+- name: cloudtrail_without_only_logs_after
+  description: CloudTrail only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    expected_results: 1
+
+- name: vpc_without_only_logs_after
+  description: VPC only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    vpc_name: wazuh-vpc-integration-tests
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    expected_results: 1
+
+- name: config_without_only_logs_after
+  description: Config only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    expected_results: 1
+
+- name: alb_without_only_logs_after
+  description: ALB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    expected_results: 1
+
+- name: clb_without_only_logs_after
+  description: CLB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    expected_results: 1
+
+- name: nlb_without_only_logs_after
+  description: NLB only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    expected_results: 1
+
+- name: kms_without_only_logs_after
+  description: KMS only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    expected_results: 1
+
+- name: macie_without_only_logs_after
+  description: Macie only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    expected_results: 1
+
+- name: trusted_advisor_without_only_logs_after
+  description: Trusted Advisor only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    expected_results: 1
+
+- name: guardduty_without_only_logs_after
+  description: GuardDuty only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    expected_results: 1
+
+- name: native_guardduty_without_only_logs_after
+  description: Native GuardDuty only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    expected_results: 1
+
+- name: waf_without_only_logs_after
+  description: WAF only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    expected_results: 1
+
+- name: server_access_without_only_logs_after
+  description: Server Access only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    expected_results: 1
+    table_name: s3_server_access
+
+- name: cisco_umbrella_without_only_logs_after
+  description: Umbrella only logs after configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    expected_results: 1
+    path: dnslogs
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_multiple_calls.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_multiple_calls.yaml
new file mode 100644
index 0000000000..02ef034784
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_multiple_calls.yaml
@@ -0,0 +1,13 @@
+- name: cloudwatchlogs_only_logs_after_multiple_calls
+  description: CloudWatch only_logs_after multiple calls configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+  metadata:
+    service_type: cloudwatchlogs
+    resource_type: log_group
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    expected_results: 3
+    only_logs_after: 2023-JAN-12
+  
\ No newline at end of file
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_with_only_logs_after.yaml
new file mode 100644
index 0000000000..7a85d15562
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_cloudwatch_with_only_logs_after.yaml
@@ -0,0 +1,13 @@
+- name: cloudwatchlogs_with_only_logs_after
+  description: CloudWatch only logs after configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: 2022-NOV-20
+  metadata:
+    service_type: cloudwatchlogs
+    resource_type: log_group
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2022-NOV-20
+    expected_results: 3
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_multiple_calls.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_multiple_calls.yaml
new file mode 100644
index 0000000000..738095e861
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_multiple_calls.yaml
@@ -0,0 +1,5 @@
+- name: inspector_only_logs_after_multiple_calls
+  description: Inspector only_logs_after multiple calls configurations
+  configuration_parameters:
+  metadata:
+    service_type: inspector
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_with_only_logs_after.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_with_only_logs_after.yaml
new file mode 100644
index 0000000000..9416f76ae5
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_inspector_with_only_logs_after.yaml
@@ -0,0 +1,9 @@
+- name: inspector_with_only_logs_after
+  description: Inspector only logs after configurations
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    ONLY_LOGS_AFTER: 2023-JAN-30
+  metadata:
+    service_type: inspector
+    only_logs_after: 2023-JAN-30
+    expected_results: 11
diff --git a/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_service_without_only_logs_after.yaml b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_service_without_only_logs_after.yaml
new file mode 100644
index 0000000000..7b9e837af1
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/only_logs_after_test_module/cases_service_without_only_logs_after.yaml
@@ -0,0 +1,11 @@
+- name: cloudwatchlogs_without_only_logs_after
+  description: CloudWatch only logs after configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+  metadata:
+    service_type: cloudwatchlogs
+    resource_type: log_group
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    expected_results: 1
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_bucket_and_service_missing.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_bucket_and_service_missing.yaml
new file mode 100644
index 0000000000..a1b300a75a
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_bucket_and_service_missing.yaml
@@ -0,0 +1,4 @@
+- name: parser_bucket_and_service_missing
+  description: Parser bucket and service missing configurations
+  configuration_parameters: []
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_bucket.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_bucket.yaml
new file mode 100644
index 0000000000..f230042ece
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_bucket.yaml
@@ -0,0 +1,71 @@
+- name: parser_empty_type_in_bucket
+  description: Parser empty type in bucket
+  configuration_parameters:
+    BUCKET_TYPE: ''
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_name_in_bucket
+  description: Parser empty name in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: ''
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_only_logs_after_in_bucket
+  description: Parser empty only_logs_after in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: ''
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_regions_in_bucket
+  description: Parser empty regions in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: ''
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_path_in_bucket
+  description: Parser empty path in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: ''
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_path_suffix_in_bucket
+  description: Parser empty path_suffix in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: ''
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_service.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_service.yaml
new file mode 100644
index 0000000000..d252f271d0
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_empty_values_in_service.yaml
@@ -0,0 +1,39 @@
+- name: parser_empty_type_in_service
+  description: Parser empty type in service
+  configuration_parameters:
+    SERVICE_TYPE: ''
+    LOG_GROUPS: wazuh-cloudwatch-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_log_groups_in_service
+  description: Parser empty log_groups in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: ''
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_only_logs_after_in_service
+  description: Parser empty only_logs_after in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: ''
+    REGIONS: us-east-1
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_empty_regions_in_service
+  description: Parser empty regions in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: ''
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_bucket.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_bucket.yaml
new file mode 100644
index 0000000000..968031942f
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_bucket.yaml
@@ -0,0 +1,83 @@
+- name: parser_invalid_name_in_bucket
+  description: Parser invalid name in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: 1
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_type_in_bucket
+  description: Parser invalid type in bucket
+  configuration_parameters:
+    BUCKET_TYPE: invalid_value
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_only_logs_after_in_bucket
+  description: Parser invalid only_logs_after in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_regions_in_bucket
+  description: Parser invalid regions in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: 1
+    PATH: test_prefix
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_path_in_bucket
+  description: Parser invalid path in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test-prefix>
+    PATH_SUFFIX: test_suffix
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_path_suffix_in_bucket
+  description: Parser invalid path_suffix in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test-suffix>
+    REMOVE_FROM_BUCKET: 'no'
+  metadata: []
+
+- name: parser_invalid_remove_from_bucket_in_bucket
+  description: Parser invalid remove_from_bucket in bucket
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    PATH: test_prefix
+    PATH_SUFFIX: test-suffix
+    REMOVE_FROM_BUCKET: nein
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_service.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_service.yaml
new file mode 100644
index 0000000000..fb739358fc
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_invalid_values_in_service.yaml
@@ -0,0 +1,49 @@
+- name: parser_invalid_type_in_service
+  description: Parser invalid type in service
+  configuration_parameters:
+    SERVICE_TYPE: fakeservice
+    LOG_GROUPS: wazuh-cloudwatch-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    REMOVE_LOG_STREAMS: 'no'
+  metadata: []
+
+- name: parser_invalid_log_groups_in_service
+  description: Parser invalid log_groups in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: invalid_log_group>
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: us-east-1
+    REMOVE_LOG_STREAMS: 'no'
+  metadata: []
+
+- name: parser_invalid_only_logs_after_in_service
+  description: Parser invalid only_logs_after in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: JAN-31
+    REGIONS: us-east-1
+    REMOVE_LOG_STREAMS: 'no'
+  metadata: []
+
+- name: parser_invalid_regions_in_service
+  description: Parser invalid regions in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: 1
+    REMOVE_LOG_STREAMS: 'no'
+  metadata: []
+
+- name: parser_invalid_remove_log_stream_in_service
+  description: Parser invalid remove_log_stream in service
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUPS: wazuh-cloudwatchlogs-integration-tests
+    ONLY_LOGS_AFTER: 2023-JAN-31
+    REGIONS: 1
+    REMOVE_LOG_STREAMS: nein
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_multiple_bucket_and_service_tags.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_multiple_bucket_and_service_tags.yaml
new file mode 100644
index 0000000000..6b07c332e6
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_multiple_bucket_and_service_tags.yaml
@@ -0,0 +1,4 @@
+- name: parser_mutiple_bucket_and_service_tags
+  description: Parser multiple bucket and service tags configurations
+  configuration_parameters: []
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_bucket.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_bucket.yaml
new file mode 100644
index 0000000000..44cef7e1dd
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_bucket.yaml
@@ -0,0 +1,4 @@
+- name: parser_type_missing_in_bucket
+  description: Parser type missing in bucket configurations
+  configuration_parameters: []
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_service.yaml b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_service.yaml
new file mode 100644
index 0000000000..d8ba3d2b20
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/parser_test_module/cases_type_missing_in_service.yaml
@@ -0,0 +1,4 @@
+- name: parser_type_missing_in_service
+  description: Parser type missing in service configurations
+  configuration_parameters: []
+  metadata: []
diff --git a/src/modules/aws/tests/integration/data/test_cases/path_suffix_test_module/cases_path_suffix.yaml b/src/modules/aws/tests/integration/data/test_cases/path_suffix_test_module/cases_path_suffix.yaml
new file mode 100644
index 0000000000..ee5869d46a
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/path_suffix_test_module/cases_path_suffix.yaml
@@ -0,0 +1,128 @@
+- name: cloudtrail_path_suffix_with_data
+  description: CloudTrail path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH_SUFFIX: test_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: test_suffix
+    expected_results: 1
+
+- name: cloudtrail_path_suffix_without_data
+  description: CloudTrail path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH_SUFFIX: empty_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: empty_suffix
+    expected_results: 0
+
+- name: cloudtrail_inexistent_path_suffix
+  description: CloudTrail path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH_SUFFIX: inexistent_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: inexistent_suffix
+    expected_results: 0
+
+- name: vpc_path_suffix_with_data
+  description: VPC path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH_SUFFIX: test_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: test_suffix
+    expected_results: 1
+
+- name: config_path_suffix_with_data
+  description: Config path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH_SUFFIX: test_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: test_suffix
+    expected_results: 1
+
+- name: vpc_path_suffix_without_data
+  description: VPC path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH_SUFFIX: empty_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: empty_suffix
+    expected_results: 0
+
+- name: config_path_suffix_without_data
+  description: Config path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH_SUFFIX: empty_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: empty_suffix
+    expected_results: 0
+
+- name: vpc_inexistent_path_suffix
+  description: VPC path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH_SUFFIX: inexistent_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: inexistent_suffix
+    expected_results: 0
+
+- name: config_inexistent_path_suffix
+  description: Config path_suffix configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH_SUFFIX: inexistent_suffix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path_suffix: inexistent_suffix
+    expected_results: 0
diff --git a/src/modules/aws/tests/integration/data/test_cases/path_test_module/cases_path.yaml b/src/modules/aws/tests/integration/data/test_cases/path_test_module/cases_path.yaml
new file mode 100644
index 0000000000..e8cf5f3079
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/path_test_module/cases_path.yaml
@@ -0,0 +1,593 @@
+- name: cloudtrail_path_with_data
+  description: CloudTrail path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: cloudtrail_path_without_data
+  description: CloudTrail path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: cloudtrail_inexistent_path
+  description: CloudTrail path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: vpc_path_with_data
+  description: VPC path configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: vpc_path_without_data
+  description: VPC path configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: cisco_umbrella_path_with_data
+  description: Umbrella path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: test_prefix/dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix/dnslogs
+    expected_results: 1
+
+- name: cisco_umbrella_path_without_data
+  description: Umbrella path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: vpc_inexistent_path
+  description: CloudTrail path configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: config_path_with_data
+  description: Config path configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: config_path_without_data
+  description: Config path configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: config_inexistent_path
+  description: Config path configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: alb_path_with_data
+  description: ALB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: alb_path_without_data
+  description: ALB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: alb_inexistent_path
+  description: ALB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: clb_path_with_data
+  description: CLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: clb_path_without_data
+  description: CLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: clb_inexistent_path
+  description: CLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: nlb_path_with_data
+  description: NLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: nlb_path_without_data
+  description: NLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: nlb_inexistent_path
+  description: NLB path configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: kms_path_with_data
+  description: KMS path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: kms_path_without_data
+  description: KMS path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: kms_inexistent_path
+  description: KMS path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: macie_path_with_data
+  description: Macie path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: macie_path_without_data
+  description: Macie path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: macie_inexistent_path
+  description: Macie path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: trusted_advisor_path_with_data
+  description: Trusted Advisor path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: trusted_advisor_path_without_data
+  description: Trusted Advisor path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: trusted_advisor_inexistent_path
+  description: Trusted Advisor path configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: guardduty_path_with_data
+  description: GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: guardduty_path_without_data
+  description: GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: guardduty_inexistent_path
+  description: GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: native_guardduty_path_with_data
+  description: Native GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: native_guardduty_path_without_data
+  description: Native GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: native_guardduty_inexistent_path
+  description: Native GuardDuty path configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: waf_path_with_data
+  description: WAF path configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+
+- name: waf_path_without_data
+  description: WAF path configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+
+- name: waf_inexistent_path
+  description: WAF path configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+
+- name: server_access_path_with_data
+  description: Server Access path configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    PATH: test_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: test_prefix
+    expected_results: 1
+    table_name: s3_server_access
+
+- name: server_access_path_without_data
+  description: Server Access path configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    PATH: empty_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: empty_prefix
+    expected_results: 0
+    table_name: s3_server_access
+
+- name: server_access_inexistent_path
+  description: Server Access path configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
+    table_name: s3_server_access
+
+- name: cisco_umbrella_inexistent_path
+  description: Umbrella path configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: inexistent_prefix
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    only_logs_after: 2022-NOV-20
+    path: inexistent_prefix
+    expected_results: 0
diff --git a/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_bucket_regions.yaml b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_bucket_regions.yaml
new file mode 100644
index 0000000000..f53e98e971
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_bucket_regions.yaml
@@ -0,0 +1,254 @@
+- name: cloudtrail_region_with_data
+  description: CloudTrail regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 3
+
+- name: cloudtrail_regions_with_data
+  description: CloudTrail regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 5
+
+- name: cloudtrail_inexistent_region
+  description: CloudTrail regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
+
+- name: vpc_region_with_data
+  description: VPC regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 1
+
+- name: config_region_with_data
+  description: Config regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 3
+
+- name: alb_region_with_data
+  description: ALB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 3
+
+- name: vpc_regions_with_data
+  description: VPC regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 1
+
+- name: config_regions_with_data
+  description: Config regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 5
+
+- name: alb_regions_with_data
+  description: ALB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 5
+
+- name: vpc_inexistent_region
+  description: VPC regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+    vpc_name: wazuh-vpc-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
+
+- name: config_inexistent_region
+  description: Config regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
+
+- name: alb_inexistent_region
+  description: ALB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
+
+- name: clb_region_with_data
+  description: CLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 3
+
+- name: clb_regions_with_data
+  description: CLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 5
+
+- name: clb_inexistent_region
+  description: CLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
+
+- name: nlb_region_with_data
+  description: NLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1
+    expected_results: 3
+
+- name: nlb_regions_with_data
+  description: NLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-east-1,us-east-2
+    expected_results: 5
+
+- name: nlb_inexistent_region
+  description: NLB regions configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    REGIONS: us-fake-1
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+    only_logs_after: 2022-NOV-20
+    regions: us-fake-1
+    expected_results: 0
diff --git a/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_cloudwatch_regions.yaml b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_cloudwatch_regions.yaml
new file mode 100644
index 0000000000..467fa21b92
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_cloudwatch_regions.yaml
@@ -0,0 +1,29 @@
+- name: cloudwatchlogs_region_with_data
+  description: CloudWatch regions configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+    REGIONS: us-east-1
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2023-JAN-12
+    regions: us-east-1
+    expected_results: 3
+
+- name: cloudwatchlogs_regions_with_data
+  description: CloudWatch regions configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: wazuh-cloudwatchlogs-integration-tests
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: wazuh-cloudwatchlogs-integration-tests
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
+    only_logs_after: 2023-JAN-12
+    regions: us-east-1,us-east-2
+    expected_results: 3
diff --git a/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_inspector_regions.yaml b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_inspector_regions.yaml
new file mode 100644
index 0000000000..bdd799957a
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/regions_test_module/cases_inspector_regions.yaml
@@ -0,0 +1,32 @@
+- name: inspector_region_with_data
+  description: Inspector regions configurations
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    REGIONS: us-east-1
+  metadata:
+    service_type: inspector
+    only_logs_after: 2023-JAN-12
+    regions: us-east-1
+    expected_results: 11
+
+- name: inspector_regions_with_data
+  description: Inspector regions configurations
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    REGIONS: us-east-1,us-east-2
+  metadata:
+    service_type: inspector
+    only_logs_after: 2023-JAN-12
+    regions: us-east-1,us-east-2
+    expected_results: 11
+
+- name: inspector_inexistent_region
+  description: Inspector regions configurations
+  configuration_parameters:
+    SERVICE_TYPE: inspector
+    REGIONS: us-fake-1
+  metadata:
+    service_type: inspector
+    only_logs_after: 2023-JAN-12
+    regions: us-fake-1
+    expected_results: 0
diff --git a/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml b/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
new file mode 100644
index 0000000000..bce58ee5b2
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_from_bucket.yaml
@@ -0,0 +1,155 @@
+- name: cloudtrail_remove_from_bucket
+  description: CloudTrail remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: cloudtrail
+    BUCKET_NAME: wazuh-cloudtrail-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: cloudtrail
+    bucket_name: wazuh-cloudtrail-integration-tests
+
+- name: vpc_remove_from_bucket
+  description: VPC remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: vpcflow
+    BUCKET_NAME: wazuh-vpcflow-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    vpc_name: wazuh-vpc-integration-tests
+    bucket_type: vpcflow
+    bucket_name: wazuh-vpcflow-integration-tests
+
+- name: config_remove_from_bucket
+  description: Config remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: config
+    BUCKET_NAME: wazuh-config-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: config
+    bucket_name: wazuh-config-integration-tests
+
+- name: alb_remove_from_bucket
+  description: ALB remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: alb
+    BUCKET_NAME: wazuh-alb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: alb
+    bucket_name: wazuh-alb-integration-tests
+
+- name: clb_remove_from_bucket
+  description: CLB remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: clb
+    BUCKET_NAME: wazuh-clb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: clb
+    bucket_name: wazuh-clb-integration-tests
+
+- name: nlb_remove_from_bucket
+  description: NLB remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: nlb
+    BUCKET_NAME: wazuh-nlb-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: nlb
+    bucket_name: wazuh-nlb-integration-tests
+
+- name: kms_remove_from_bucket
+  description: KMS remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-kms-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-kms-integration-tests
+
+- name: macie_remove_from_bucket
+  description: Macie remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-macie-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-macie-integration-tests
+
+- name: trusted_advisor_remove_from_bucket
+  description: Trusted Advisor remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: custom
+    BUCKET_NAME: wazuh-trusted-advisor-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: custom
+    bucket_name: wazuh-trusted-advisor-integration-tests
+
+- name: guardduty_remove_from_bucket
+  description: GuardDuty remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-guardduty-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-guardduty-integration-tests
+
+- name: native_guardduty_remove_from_bucket
+  description: Native GuardDuty remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: guardduty
+    BUCKET_NAME: wazuh-native-guardduty-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: guardduty
+    bucket_name: wazuh-native-guardduty-integration-tests
+
+- name: waf_remove_from_bucket
+  description: WAF remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: waf
+    BUCKET_NAME: wazuh-waf-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: waf
+    bucket_name: wazuh-waf-integration-tests
+
+- name: server_access_remove_from_bucket
+  description: Server Access remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: server_access
+    BUCKET_NAME: wazuh-server-access-integration-tests
+    PATH: ''
+  metadata:
+    resource_type: bucket
+    bucket_type: server_access
+    bucket_name: wazuh-server-access-integration-tests
+
+- name: cisco_umbrella_remove_from_bucket
+  description: CloudTrail remove from bucket configurations
+  configuration_parameters:
+    BUCKET_TYPE: cisco_umbrella
+    BUCKET_NAME: wazuh-umbrella-integration-tests
+    PATH: dnslogs
+  metadata:
+    resource_type: bucket
+    bucket_type: cisco_umbrella
+    bucket_name: wazuh-umbrella-integration-tests
+    path: dnslogs
diff --git a/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_log_streams.yaml b/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_log_streams.yaml
new file mode 100644
index 0000000000..239cf0baa0
--- /dev/null
+++ b/src/modules/aws/tests/integration/data/test_cases/remove_from_bucket_test_module/cases_remove_log_streams.yaml
@@ -0,0 +1,10 @@
+- name: cloudwatchlogs_remove_from_bucket
+  description: CloudWatch remove from bucket configurations
+  configuration_parameters:
+    SERVICE_TYPE: cloudwatchlogs
+    LOG_GROUP_NAME: temporary-log-group
+  metadata:
+    resource_type: log_group
+    service_type: cloudwatchlogs
+    log_group_name: temporary-log-group
+    log_stream_name: wazuh-cloudwatchlogs-integration-tests-stream
diff --git a/src/modules/aws/tests/integration/event_monitor.py b/src/modules/aws/tests/integration/event_monitor.py
new file mode 100644
index 0000000000..f0ccf1d1d8
--- /dev/null
+++ b/src/modules/aws/tests/integration/event_monitor.py
@@ -0,0 +1,256 @@
+# Copyright (C) 2015-2023, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all callback methods to monitor and event
+"""
+
+import re
+
+# # qa-integration-framework imports
+from wazuh_testing.modules.aws.patterns import (AWS_MODULE_STARTED_PARAMETRIZED,
+                                                AWS_UNDEFINED_SERVICE_TYPE, AWS_DEPRECATED_CONFIG_DEFINED,
+                                                AWS_NO_SERVICE_WARNING, AWS_MODULE_STARTED, INVALID_EMPTY_TYPE_ERROR,
+                                                EMPTY_CONTENT_ERROR, EMPTY_CONTENT_WARNING,
+                                                INVALID_EMPTY_SERVICE_TYPE_ERROR, INVALID_TAG_CONTENT_ERROR,
+                                                PARSING_BUCKET_ERROR_WARNING,
+                                                PARSING_SERVICE_ERROR_WARNING, SERVICE_ANALYSIS, BUCKET_ANALYSIS,
+                                                MODULE_START, PARSER_ERROR, MODULE_ERROR, NEW_LOG_FOUND, DEBUG_MESSAGE,
+                                                EVENTS_COLLECTED, DEBUG_ANALYSISD_MESSAGE, ANALYSISD_EVENT,
+                                                AWS_EVENT_HEADER, NO_LOG_PROCESSED, NO_BUCKET_LOG_PROCESSED)
+from wazuh_testing.constants.aws import INSPECTOR_TYPE
+
+
+def make_aws_callback(pattern, prefix=''):
+    """Create a callback function from a text pattern.
+
+    Args:
+        pattern (str): String to match on the log.
+        prefix (str): Regular expression used as prefix before the pattern.
+
+    Returns:
+        lambda: Function that returns if there's a match in the file.
+    """
+    regex = re.compile(r'{}{}'.format(prefix, pattern))
+    return lambda line: regex.match(line)
+
+
+def callback_detect_aws_module_called(parameters):
+    """Detect if aws module was called with correct parameters.
+
+    Args:
+        parameters (list): Values to check.
+
+    Returns:
+        Callable: Callback to match the line.
+    """
+    pattern = fr'{AWS_MODULE_STARTED_PARAMETRIZED}{" ".join(parameters)}\n*'
+    regex = re.compile(pattern)
+    return lambda line: regex.match(line)
+
+
+def callback_detect_aws_error_for_missing_type(line):
+    """Detect if the AWS module displays an error about missing type.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+    if re.match(fr"{AWS_UNDEFINED_SERVICE_TYPE}", line):
+        return line
+
+
+def callback_detect_aws_legacy_module_warning(line):
+    """Detect if the AWS module displays a warning about legacy config.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+    if re.match(fr"{AWS_DEPRECATED_CONFIG_DEFINED}", line):
+        return line
+
+
+def callback_detect_aws_module_warning(line):
+    """Detect if the AWS module displays a warning.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+    if re.match(fr"{AWS_NO_SERVICE_WARNING}", line):
+        return line
+
+
+def callback_detect_aws_module_started(line):
+    """Detect if the AWS module was called.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+    if re.match(fr"{AWS_MODULE_STARTED}", line):
+        return line
+
+
+def callback_detect_aws_empty_value(line):
+    """Detect if the AWS module displays a message about an empty value.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+
+    if (
+            re.match(fr"{INVALID_EMPTY_TYPE_ERROR}", line) or
+            re.match(fr"{EMPTY_CONTENT_ERROR}", line) or
+            re.match(fr"{EMPTY_CONTENT_WARNING}", line)
+    ):
+        return line
+
+
+def callback_detect_aws_invalid_value(line):
+    """Detect if the AWS module displays a message about an invalid value.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+
+    if (
+            re.match(fr"{INVALID_EMPTY_SERVICE_TYPE_ERROR}", line) or
+            re.match(fr"{INVALID_TAG_CONTENT_ERROR}", line) or
+            re.match(fr"{PARSING_BUCKET_ERROR_WARNING}", line),
+            re.match(fr"{PARSING_SERVICE_ERROR_WARNING}", line)
+    ):
+        return line
+
+
+def callback_detect_bucket_or_service_call(line):
+    """Detect if bucket or service module was called.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+
+    if (
+            re.match(fr"{SERVICE_ANALYSIS}", line) or
+            re.match(fr"{BUCKET_ANALYSIS}", line)
+    ):
+        return line
+
+
+def callback_detect_aws_module_start(line):
+    """Search for the start message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: Line if it matches.
+    """
+    if re.match(fr"{MODULE_START}", line):
+        return line
+
+
+def callback_detect_all_aws_err(line):
+    """Search for the parse or module error message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: line if it matches.
+    """
+    if (re.match(fr"{PARSER_ERROR}", line) or
+            re.match(fr"{MODULE_ERROR}", line)
+    ):
+        return line
+
+
+def callback_detect_aws_read_err(line):
+    """Search for the parser error message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: line if it matches.
+    """
+    if re.match(fr"{PARSER_ERROR}", line):
+        return line
+
+
+def callback_detect_aws_wmodule_err(line):
+    """Search for the module error message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: line if it matches.
+    """
+    if re.match(fr"{MODULE_ERROR}", line):
+        return line
+
+
+def callback_detect_event_processed(line):
+    """Search for the event processed message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: line if it matches.
+    """
+    if re.match(fr"{NEW_LOG_FOUND}", line):
+        return line
+
+
+def callback_detect_event_skipped(pattern):
+    """Search for event processed or skipped message in the given line.
+
+    Args:
+        pattern (str): Pattern to match in line.
+    Returns:
+        Callable: Callback to match the given line.
+    """
+    pattern_regex = re.compile(pattern)
+    return lambda line: pattern_regex.match(line)
+
+
+def callback_detect_service_event_processed(expected_results, service_type):
+    if service_type == INSPECTOR_TYPE:
+        regex = re.compile(fr"{DEBUG_MESSAGE} {expected_results} {EVENTS_COLLECTED}")
+    else:
+        regex = re.compile(fr"{DEBUG_ANALYSISD_MESSAGE} {expected_results} {ANALYSISD_EVENT}")
+    return lambda line: regex.match(line)
+
+
+def callback_event_sent_to_analysisd(line):
+    """Search for the module header message in the given line.
+
+    Args:
+        line (str): Line to match.
+
+    Returns:
+        Optional[str]: line if it matches.
+    """
+    if line.startswith(fr"{AWS_EVENT_HEADER}"):
+        return line
diff --git a/src/modules/aws/tests/integration/pytest.ini b/src/modules/aws/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/aws/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/aws/tests/integration/test_basic.py b/src/modules/aws/tests/integration/test_basic.py
new file mode 100644
index 0000000000..fb3fea9e80
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_basic.py
@@ -0,0 +1,327 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the basic test suite
+"""
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+
+# Local module imports
+from . import event_monitor
+from .utils import ERROR_MESSAGE, local_internal_options
+from .configurator import configurator
+
+pytestmark = [pytest.mark.server]
+
+# Set module name
+configurator.module = "basic_test_module"
+
+# -------------------------------------------- TEST_BUCKET_DEFAULTS ----------------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='bucket_configuration_defaults.yaml',
+                            cases_file='cases_bucket_defaults.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_bucket_defaults(
+        test_configuration, metadata, create_test_bucket, load_wazuh_basic_configuration, set_wazuh_configuration,
+        clean_s3_cloudtrail_db, configure_local_internal_options_function, truncate_monitored_files,
+        restart_wazuh_function, file_monitoring
+):
+    """
+    description: The module is invoked with the expected parameters and no error occurs.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check in the ossec.log that no errors occurs.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the log that no errors occurs.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', metadata['bucket_name'],
+        '--type', metadata['bucket_type'],
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# -------------------------------------------- TEST_CLOUDWATCH_DEFAULTS ------------------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='cloudwatch_configuration_defaults.yaml',
+                            cases_file='cases_cloudwatch_defaults.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_service_defaults(
+        test_configuration, metadata, create_test_log_group, load_wazuh_basic_configuration,
+        set_wazuh_configuration, clean_aws_services_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: The module is invoked with the expected parameters and no error occurs.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check in the ossec.log that no errors occurs.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the log that no errors occurs.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    log_groups = metadata.get('log_group_name')
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', metadata['service_type'],
+        '--regions', 'us-east-1',
+        '--aws_log_groups', log_groups,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# ------------------------------------------ TEST_INSPECTOR_DEFAULTS ---------------------------------------------------
+# Configure T3 test
+configurator.configure_test(configuration_file='inspector_configuration_defaults.yaml',
+                            cases_file='cases_inspector_defaults.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_inspector_defaults(
+        test_configuration, metadata, create_test_log_group, load_wazuh_basic_configuration,
+        set_wazuh_configuration, clean_aws_services_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: The module is invoked with the expected parameters and no error occurs.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check in the ossec.log that no errors occurs.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the log that no errors occurs.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', metadata['service_type'],
+        '--regions', 'us-east-1',
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_custom_bucket.py b/src/modules/aws/tests/integration/test_custom_bucket.py
new file mode 100644
index 0000000000..ab2d003fdf
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_custom_bucket.py
@@ -0,0 +1,265 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the custom bucket test suite
+"""
+import pytest
+import time
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+
+# Local module imports
+from . import event_monitor
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+from .configurator import configurator
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = "custom_bucket_test_module"
+
+# -------------------------------------------- TEST_CUSTOM_BUCKETS_DEFAULTS -------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='custom_bucket_configuration.yaml',
+                            cases_file='cases_bucket_custom.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_custom_bucket_defaults(
+        test_configuration, metadata, create_test_bucket, set_test_sqs_queue,
+        load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files,
+        restart_wazuh_function, file_monitoring
+):
+    """
+    description: Test the AWS S3 custom bucket module is invoked with the expected parameters and no error occurs.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check in the ossec.log that no errors occurs.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+
+    wazuh_min_version: 4.7.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - set_test_sqs_queue:
+            type: fixture
+            brief: Create temporal SQS queue.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the log that no errors occurs.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--subscriber', 'buckets',
+        '--queue', metadata['sqs_name'],
+        '--debug', '2'
+    ]
+
+    log_header = 'Launching S3 Subscriber Command: '
+    expected_log = log_header + " ".join(parameters)
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.make_aws_callback(expected_log, prefix='^.*')
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# -------------------------------------------- TEST_CUSTOM_BUCKETS_LOGS -------------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='custom_bucket_configuration.yaml',
+                            cases_file='cases_bucket_custom_logs.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_custom_bucket_logs(
+        test_configuration, metadata, create_test_bucket, set_test_sqs_queue, manage_bucket_files,
+        load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function,
+        file_monitoring
+):
+    """
+    description: Test the AWS S3 custom bucket module is invoked with the expected parameters and retrieve
+    the messages from the SQS Queue.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+            - Uploads a file to the S3 Bucket.
+        - test:
+            - Check in the log that the module was called with correct parameters.
+            - Check that the module retrieved a message from the SQS Queue.
+            - Check that the module processed a message from the SQS Queue.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Deletes the file created in the S3 Bucket.
+
+    wazuh_min_version: 4.7.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - set_test_sqs_queue:
+            type: fixture
+            brief: Create temporal SQS queue.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check that the module retrieved a message from the SQS Queue.
+        - Check that the module processed a message from the SQS Queue.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    sqs_name = metadata['sqs_name']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--subscriber', 'buckets',
+        '--queue', sqs_name,
+        '--debug', '2'
+    ]
+    log_header = 'Launching S3 Subscriber Command: '
+    expected_log = log_header + " ".join(parameters)
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Give time to the queue to retrieve the messages.
+    time.sleep(30)
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.make_aws_callback(expected_log, prefix='^.*')
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    retrieve_pattern = fr'.*Retrieving messages from: {sqs_name}'
+
+    # Check if the message was retrieved from the queue
+    log_monitor.start(
+        timeout=TIMEOUT[10],
+        callback=event_monitor.make_aws_callback(retrieve_pattern)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_sqs_message_retrieval']
+
+    message_pattern = fr'.*The message is: .*'
+
+    # Check if it processes the created file
+    log_monitor.start(
+        timeout=TIMEOUT[10],
+        callback=event_monitor.make_aws_callback(message_pattern)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_message_handling']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_discard_regex.py b/src/modules/aws/tests/integration/test_discard_regex.py
new file mode 100644
index 0000000000..8ddea4f6c7
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_discard_regex.py
@@ -0,0 +1,531 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module contains all the cases for the discard_regex test suite.
+"""
+
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths.aws import S3_CLOUDTRAIL_DB_PATH, AWS_SERVICES_DB_PATH
+from wazuh_testing.modules.aws.utils import path_exist
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set module name
+configurator.module = "discard_regex_test_module"
+
+# --------------------------------------------- TEST_BUCKET_DISCARD_REGEX ---------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_bucket_discard_regex.yaml',
+                            cases_file='cases_bucket_discard_regex.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_bucket_discard_regex(
+        test_configuration, metadata, create_test_bucket, manage_bucket_files,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_s3_cloudtrail_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+    """
+    description: Check that some bucket logs are excluded when the regex and field defined in <discard_regex>
+                 match an event.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket and skips
+              the ones that match with regex.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly.
+    input_description:
+        - The `configuration_bucket_discard_regex` file provides the module configuration for this test.
+        - The `cases_bucket_discard_regex` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    only_logs_after = metadata['only_logs_after']
+    discard_field = metadata['discard_field']
+    discard_regex = metadata['discard_regex']
+    expected_results = metadata['expected_results']
+    skipped_logs = metadata['skipped_logs']
+    path = metadata['path'] if 'path' in metadata else None
+
+    pattern = fr'.*The "{discard_regex}" regex found a match in the "{discard_field}" field.' \
+              ' The event will be skipped.'
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--only_logs_after', only_logs_after,
+        '--discard-field', discard_field,
+        '--discard-regex', discard_regex,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    if path is not None:
+        parameters.insert(3, path)
+        parameters.insert(3, '--trail_prefix')
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_processed,
+        accumulations=expected_results
+    )
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_skipped(pattern),
+        accumulations=skipped_logs
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_discard_regex_message']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+
+# ----------------------------------------- TEST_CLOUDWATCH_DISCARD_REGEX_JSON ----------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='configuration_cloudwatch_discard_regex_json.yaml',
+                            cases_file='cases_cloudwatch_discard_regex_json.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_cloudwatch_discard_regex_json(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+    """
+    description: Check that some CloudWatch JSON logs are excluded when the regex and field defined in <discard_regex>
+                 match an event.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket and skips
+              the ones that match with regex.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly.
+    input_description:
+        - The `configuration_cloudwatch_discard_regex` file provides the module configuration for this test.
+        - The `cases_cloudwatch_discard_regex` file provides the test cases.
+    """
+    log_group_name = metadata.get('log_group_name')
+    service_type = metadata.get('service_type')
+    only_logs_after = metadata.get('only_logs_after')
+    regions: str = metadata.get('regions')
+    discard_field = metadata.get('discard_field', None)
+    discard_regex = metadata.get('discard_regex')
+    skipped_logs = metadata.get('skipped_logs')
+
+    pattern = fr'.*The "{discard_regex}" regex found a match in the "{discard_field}" field.' \
+              ' The event will be skipped.'
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--aws_log_groups', log_group_name,
+        '--discard-field', discard_field,
+        '--discard-regex', discard_regex,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_skipped(pattern),
+        accumulations=skipped_logs
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_discard_regex_message']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+
+# ------------------------------------- TEST_CLOUDWATCH_DISCARD_REGEX_SIMPLE_TEXT -------------------------------------
+# Configure T3 test
+configurator.configure_test(configuration_file='configuration_cloudwatch_discard_regex_simple_text.yaml',
+                            cases_file='cases_cloudwatch_discard_regex_simple_text.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_cloudwatch_discard_regex_simple_text(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+    """
+    description: Check that some CloudWatch simple text logs are excluded when the regex defined in <discard_regex>
+                 matches an event.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket and skips
+              the ones that match with regex.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file
+
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly.
+    input_description:
+        - The `configuration_cloudwatch_discard_regex_simple_text` file provides
+        the module configuration for this test.
+        - The `cases_cloudwatch_discard_regex_simple_text` file provides the test cases.
+    """
+    log_group_name = metadata.get('log_group_name')
+    service_type = metadata.get('service_type')
+    only_logs_after = metadata.get('only_logs_after')
+    regions: str = metadata.get('regions')
+    discard_regex = metadata.get('discard_regex')
+    skipped_logs = metadata.get('skipped_logs')
+
+    pattern = fr'.*The "{discard_regex}" regex found a match. The event will be skipped.'
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--aws_log_groups', log_group_name,
+        '--discard-regex', discard_regex,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_skipped(pattern),
+        accumulations=skipped_logs
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_discard_regex_message']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+
+# ------------------------------------------- TEST_INSPECTOR_DISCARD_REGEX --------------------------------------------
+# Configure T4 test
+configurator.configure_test(configuration_file='configuration_inspector_discard_regex.yaml',
+                            cases_file='cases_inspector_discard_regex.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_inspector_discard_regex(
+        test_configuration, metadata, load_wazuh_basic_configuration,
+        set_wazuh_configuration, clean_aws_services_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+    """
+    description: Check that some Inspector logs are excluded when the regex and field defined in <discard_regex>
+                 match an event.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket and skips
+              the ones that match with regex.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly.
+    input_description:
+        - The `configuration_inspector_discard_regex` file provides the module configuration for this test.
+        - The `cases_inspector_discard_regex` file provides the test cases.
+    """
+    service_type = metadata.get('service_type')
+    only_logs_after = metadata.get('only_logs_after')
+    regions: str = metadata.get('regions')
+    discard_field = metadata.get('discard_field', '')
+    discard_regex = metadata.get('discard_regex')
+    skipped_logs = metadata.get('skipped_logs')
+
+    pattern = fr'.*The "{discard_regex}" regex found a match in the "{discard_field}" field.' \
+              ' The event will be skipped.'
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--discard-field', discard_field,
+        '--discard-regex', discard_regex,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_skipped(pattern),
+        accumulations=skipped_logs
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_discard_regex_message']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
diff --git a/src/modules/aws/tests/integration/test_log_groups.py b/src/modules/aws/tests/integration/test_log_groups.py
new file mode 100644
index 0000000000..2441e659c3
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_log_groups.py
@@ -0,0 +1,169 @@
+"""
+Copyright (C) 2015-2023, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+This module will contains all cases for the log groups test suite
+"""
+
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.utils.db_queries.aws_db import get_multiple_service_db_row, table_exists
+from wazuh_testing.modules.aws.utils import path_exist
+from wazuh_testing.constants.paths.aws import AWS_SERVICES_DB_PATH
+from wazuh_testing.modules.aws.patterns import NON_EXISTENT_SPECIFIED_LOG_GROUPS
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'log_groups_test_module'
+
+# ----------------------------------------------- TEST_AWS_LOG_GROUPS --------------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_log_groups.yaml',
+                            cases_file='cases_log_groups.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_log_groups(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring,
+):
+    """
+    description: Only the events for the specified log_group are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a region that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket
+              for the specified region.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - create_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_regions` file provides the module configuration for this test.
+        - The `cases_regions` file provides the test cases.
+    """
+    service_type = metadata['service_type']
+    log_group_names = metadata['log_group_name']
+    expected_results = metadata['expected_results']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', '2023-JAN-12',
+        '--regions', 'us-east-1',
+        '--aws_log_groups', log_group_names,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[20],
+            callback=event_monitor.callback_detect_service_event_processed(expected_results, service_type),
+            accumulations=len(log_group_names.split(','))
+        )
+    else:
+        log_monitor.start(
+            timeout=TIMEOUT[10],
+            callback=event_monitor.make_aws_callback(pattern=fr"{NON_EXISTENT_SPECIFIED_LOG_GROUPS}")
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_no_existent_log_group']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+    if expected_results:
+        log_group_list = log_group_names.split(",")
+        for row in get_multiple_service_db_row(table_name='cloudwatch_logs'):
+            assert row.aws_log_group in log_group_list
+    else:
+        assert not table_exists(table_name='cloudwatch_logs')
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_only_logs_after.py b/src/modules/aws/tests/integration/test_only_logs_after.py
new file mode 100644
index 0000000000..b904c053a0
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_only_logs_after.py
@@ -0,0 +1,1076 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the only logs after test suite
+"""
+
+import pytest
+from datetime import datetime
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths.aws import S3_CLOUDTRAIL_DB_PATH, AWS_SERVICES_DB_PATH
+from wazuh_testing.constants.aws import ONLY_LOGS_AFTER_PARAM, VPC_FLOW_TYPE, US_EAST_1_REGION
+from wazuh_testing.utils.db_queries.aws_db import get_multiple_s3_db_row, get_service_db_row, get_s3_db_row
+from wazuh_testing.modules.aws.utils import (call_aws_module, upload_log_events, create_log_stream, path_exist,
+                                             get_last_file_key, analyze_command_output,
+                                             generate_file, upload_bucket_file)
+from wazuh_testing.modules.aws.patterns import (NO_LOG_PROCESSED, NO_BUCKET_LOG_PROCESSED, MARKER, NO_NEW_EVENTS,
+                                                EVENT_SENT)
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'only_logs_after_test_module'
+
+# --------------------------------------------- TEST_BUCKET_WITHOUT_ONLY_LOGS_AFTER ------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='bucket_configuration_without_only_logs_after.yaml',
+                            cases_file='cases_bucket_without_only_logs_after.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_bucket_without_only_logs_after(
+        test_configuration, metadata, create_test_bucket, manage_bucket_files,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_s3_cloudtrail_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function,
+        file_monitoring
+):
+    """
+    description: Only the log uploaded during execution is processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were sent to analysisd. Only the logs whose timestamp is greater than
+              the date specified in the configuration should be processed.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    expected_results = metadata['expected_results']
+    table_name = metadata.get('table_name', bucket_type)
+    path = metadata.get('path')
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    if path is not None:
+        parameters.insert(3, path)
+        parameters.insert(3, '--trail_prefix')
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_processed,
+        accumulations=expected_results
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+    data = get_s3_db_row(table_name=table_name)
+
+    assert bucket_name in data.bucket_path
+    assert metadata['uploaded_file'] == data.log_key
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# -------------------------------------------- TEST_SERVICE_WITHOUT_ONLY_LOGS_AFTER ------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='service_configuration_without_only_logs_after.yaml',
+                            cases_file='cases_service_without_only_logs_after.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_service_without_only_logs_after(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only the event created during execution is processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were sent to analysisd. Only the logs whose timestamp is greater than
+              the date specified in the configuration should be processed.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    service_type = metadata['service_type']
+    log_group_name = metadata['log_group_name']
+    expected_results = metadata['expected_results']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--regions', US_EAST_1_REGION,
+        '--aws_log_groups', log_group_name,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+    data = get_service_db_row(table_name="cloudwatch_logs")
+
+    assert log_group_name == data.aws_log_group
+
+    assert metadata['log_stream_name'] == data.aws_log_stream
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# --------------------------------------------- TEST_BUCKET_WITH_ONLY_LOGS_AFTER ---------------------------------------
+# Configure T3 test
+configurator.configure_test(configuration_file='bucket_configuration_with_only_logs_after.yaml',
+                            cases_file='cases_bucket_with_only_logs_after.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_bucket_with_only_logs_after(
+        test_configuration, metadata, create_test_bucket, manage_bucket_files,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_s3_cloudtrail_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: All logs with a timestamp greater than the only_logs_after value are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were sent to analysisd. Only the logs whose timestamp is greater than
+              the date specified in the configuration should be processed.
+            - Check the database was created and updated accordingly
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    only_logs_after = metadata['only_logs_after']
+    expected_results = metadata['expected_results']
+    table_name = metadata.get('table_name', bucket_type)
+    path = metadata.get('path')
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--only_logs_after', only_logs_after,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    if path is not None:
+        parameters.insert(3, path)
+        parameters.insert(3, '--trail_prefix')
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_event_processed,
+        accumulations=expected_results
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+    for row in get_multiple_s3_db_row(table_name=table_name):
+        assert bucket_name in row.bucket_path
+        assert (
+            datetime.strptime(only_logs_after, '%Y-%b-%d') == datetime.strptime(str(row.created_date), '%Y%m%d')
+        )
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# --------------------------------------------TEST_CLOUDWATCH_WITH_ONLY_LOGS_AFTER -------------------------------------
+# Configure T4 test
+configurator.configure_test(configuration_file='cloudwatch_configuration_with_only_logs_after.yaml',
+                            cases_file='cases_cloudwatch_with_only_logs_after.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_cloudwatch_with_only_logs_after(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: All events with a timestamp greater than the only_logs_after value are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were sent to analysisd. Only the logs whose timestamp is greater than
+              the date specified in the configuration should be processed.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    table_name_map = {
+        'inspector': 'aws_services',
+        'cloudwatchlogs': 'cloudwatch_logs'
+    }
+
+    service_type = metadata['service_type']
+    log_group_name = metadata.get('log_group_name')
+    only_logs_after = metadata['only_logs_after']
+    expected_results = metadata['expected_results']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', US_EAST_1_REGION,
+        '--aws_log_groups', log_group_name,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[10],
+        callback=event_monitor.callback_detect_service_event_processed(expected_results, service_type),
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+    data = get_service_db_row(table_name=table_name_map[service_type])
+
+    assert log_group_name == data.aws_log_group
+    assert metadata['log_stream_name'] == data.aws_log_stream
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# ------------------------------------------ TEST_INSPECTOR_WITH_ONLY_LOGS_AFTER ---------------------------------------
+# Configure T5 test
+configurator.configure_test(configuration_file='inspector_configuration_with_only_logs_after.yaml',
+                            cases_file='cases_inspector_with_only_logs_after.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_inspector_with_only_logs_after(
+        test_configuration, metadata,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: All events with a timestamp greater than the only_logs_after value are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check the expected number of events were sent to analysisd. Only the logs whose timestamp is greater than
+              the date specified in the configuration should be processed.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    table_name_map = {
+        'inspector': 'aws_services',
+        'cloudwatchlogs': 'cloudwatch_logs'
+    }
+
+    service_type = metadata['service_type']
+    only_logs_after = metadata['only_logs_after']
+    expected_results = metadata['expected_results']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', US_EAST_1_REGION,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[10],
+        callback=event_monitor.callback_detect_service_event_processed(expected_results, service_type),
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    assert path_exist(path=AWS_SERVICES_DB_PATH)
+
+    data = get_service_db_row(table_name=table_name_map[service_type])
+
+    assert data.service == service_type
+    assert (
+        datetime.strptime(data.timestamp, '%Y-%m-%d %H:%M:%S.%f') == datetime.strptime(only_logs_after, '%Y-%b-%d')
+    )
+
+
+# ---------------------------------------------------- TEST_MULTIPLE_CALLS ---------------------------------------------
+# Configure T6 test
+configurator.configure_test(cases_file='cases_bucket_multiple_calls.yaml')
+
+
+@pytest.mark.tier(level=1)
+@pytest.mark.parametrize('metadata',
+                         configurator.metadata,
+                         ids=configurator.cases_ids)
+def test_bucket_multiple_calls(
+        metadata, clean_s3_cloudtrail_db, s3_client, create_test_bucket, manage_bucket_files,
+        load_wazuh_basic_configuration, restart_wazuh_function
+):
+    """
+    description: Call the AWS module multiple times with different only_logs_after values.
+    test_phases:
+        - setup:
+            - Delete the `s3_cloudtrail.db`.
+
+        - test:
+            - Call the module without only_logs_after and check that no logs were processed.
+            - Upload a log file for the day of the test execution and call the module with the same parameters as
+              before, check that the uploaded logs were processed.
+            - Call the module with the same parameters and check that no logs were processed, there were no duplicates.
+            - Call the module with only_logs_after set in the past and check that the expected number of logs were
+              processed.
+            - Call the module with the same parameters in and check there were no duplicates.
+            - Call the module with only_logs_after set with an older date check that old logs were processed without
+              duplicates.
+            - Call the module with only_logs_after set with an early date than setted previously and check that no logs
+              were processed, there were no duplicates.
+
+        - teardown:
+            - Delete the `s3_cloudtrail.db`.
+            - Delete the uploaded files.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - s3_client:
+            type: fixture
+            brief: S3 client to access the bucket.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - restart_wazuh_daemon:
+            type: fixture
+            brief: Restart the wazuh service.
+        - delete_file_from_s3:
+            type: fixture
+            brief: Delete the file after the test execution.
+    input_description:
+        - The `cases_multiple_calls` file provides the test cases.
+    """
+
+    bucket_type = metadata['bucket_type']
+    bucket_name = metadata['bucket_name']
+    expected_results = metadata['expected_results']
+    path = metadata.get('path')
+    region = US_EAST_1_REGION
+
+    base_parameters = [
+        '--bucket', bucket_name,
+        '--type', bucket_type,
+        '--regions', region,
+        '--debug', '2'
+    ]
+
+    if path is not None:
+        base_parameters.extend(['--trail_prefix', path])
+
+    # Call the module without only_logs_after and check that no logs were processed
+    # Get bucket type
+    if bucket_type == VPC_FLOW_TYPE:
+        pattern = fr"{NO_LOG_PROCESSED}"
+        # Check for the non 'processed' messages in the given output.
+        # For VPC the number of messages depend on the number of flow log IDs obtained by the module which may vary.
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters),
+            callback=event_monitor.make_aws_callback(pattern),
+            error_message=ERROR_MESSAGE['event_not_found'],
+            match_exact_number=False
+        )
+    else:
+        pattern = fr"{NO_BUCKET_LOG_PROCESSED}"
+        # Check for the non 'processed' messages in the given output.
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters),
+            callback=event_monitor.make_aws_callback(pattern),
+            expected_results=1,
+            error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+        )
+
+    # Call the module with only_logs_after set in the past and check that the expected number of logs were processed
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2022-NOV-20'),
+        callback=event_monitor.callback_detect_event_processed,
+        expected_results=expected_results,
+        error_message=ERROR_MESSAGE['incorrect_event_number']
+    )
+
+    if bucket_type == VPC_FLOW_TYPE:
+        # Call the module with the same parameters in and check there were no duplicates
+        # For VPC the number of messages depend on the number of flow log IDs obtained by the module which may vary.
+        expected_skipped_logs_step_3 = metadata.get('expected_skipped_logs_step_3', 1)
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2022-NOV-20'),
+            callback=event_monitor.make_aws_callback(pattern),
+            expected_results=expected_skipped_logs_step_3,
+            error_message=ERROR_MESSAGE['incorrect_event_number'],
+            match_exact_number=False
+        )
+
+        # Call the module with only_logs_after set with an early date than the one set previously and check that no logs
+        # were processed, there were no duplicates
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2022-NOV-22'),
+            callback=event_monitor.make_aws_callback(pattern),
+            expected_results=expected_skipped_logs_step_3 - 1 if expected_skipped_logs_step_3 > 1 else 1,
+            error_message=ERROR_MESSAGE['incorrect_event_number'],
+            match_exact_number=False
+        )
+    else:
+        # Call the module with the same parameters in and check there were no duplicates
+        expected_skipped_logs_step_3 = metadata.get('expected_skipped_logs_step_3', 1)
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2022-NOV-20'),
+            callback=event_monitor.make_aws_callback(pattern),
+            expected_results=expected_skipped_logs_step_3,
+            error_message=ERROR_MESSAGE['incorrect_event_number']
+        )
+
+        # Call the module with only_logs_after set with an early date than the one set previously and check that no logs
+        # were processed, there were no duplicates
+        analyze_command_output(
+            command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2022-NOV-22'),
+            callback=event_monitor.make_aws_callback(pattern),
+            expected_results=expected_skipped_logs_step_3 - 1 if expected_skipped_logs_step_3 > 1 else 1,
+            error_message=ERROR_MESSAGE['incorrect_event_number']
+        )
+
+    # Upload a log file for the day of the test execution and call the module without only_logs_after and check that
+    # only the uploaded logs were processed and the last marker is specified in the DB.
+    last_marker_key = get_last_file_key(bucket_type, bucket_name, datetime.utcnow(), region, s3_client)
+    if bucket_type == VPC_FLOW_TYPE:
+        data, key = generate_file(bucket_type=bucket_type,
+                                  bucket_name=bucket_name,
+                                  region=region,
+                                  prefix='',
+                                  suffix='',
+                                  date='',
+                                  flow_log_id=metadata['flow_log_id'])
+    else:
+        data, key = generate_file(bucket_type=bucket_type,
+                                  bucket_name=bucket_name,
+                                  region=region,
+                                  prefix='',
+                                  suffix='',
+                                  date='')
+    metadata['filename'] = key
+
+    upload_bucket_file(bucket_name=bucket_name,
+                       data=data,
+                       key=key,
+                       client=s3_client)
+
+    pattern = fr"{MARKER}{last_marker_key}"
+
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters),
+        callback=event_monitor.make_aws_callback(pattern),
+        expected_results=1,
+        error_message=ERROR_MESSAGE['incorrect_marker']
+    )
+
+
+# -------------------------------------------- TEST_INSPECTOR_MULTIPLE_CALLS -------------------------------------------
+# Configure T7 test
+configurator.configure_test(cases_file='cases_inspector_multiple_calls.yaml')
+
+
+@pytest.mark.tier(level=1)
+@pytest.mark.parametrize('metadata',
+                         configurator.metadata,
+                         ids=configurator.cases_ids)
+@pytest.mark.xfail
+def test_inspector_multiple_calls(
+    metadata, clean_aws_services_db, load_wazuh_basic_configuration, restart_wazuh_function
+):
+    """
+    description: Call the AWS module multiple times with different only_logs_after values.
+    test_phases:
+        - setup:
+            - Delete the `aws_services.db`.
+        - test:
+            - Call the module without only_logs_after and check that no logs were processed.
+            - Call the module with only_logs_after set in the past and check that the expected number of logs were
+              processed.
+            - Call the module with the same parameters in and check there were no duplicates.
+            - Call the module with only_logs_after set with an early date than setted previously and check that no logs
+              were processed, there were no duplicates.
+        - teardown:
+            - Delete the `aws_services.db`.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - restart_wazuh_daemon:
+            type: fixture
+            brief: Restart the wazuh service.
+    input_description:
+        - The `cases_multiple_calls` file provides the test cases.
+    """
+
+    service_type = metadata['service_type']
+
+    base_parameters = [
+        '--service', service_type,
+        '--regions', US_EAST_1_REGION,
+        '--debug', '2'
+    ]
+
+    pattern = fr"{NO_NEW_EVENTS}"
+
+    # Call the module without only_logs_after and check that no logs were processed
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters),
+        callback=event_monitor.make_aws_callback(pattern),
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+    # Call the module with only_logs_after set in the past and check that the expected number of logs were processed.
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-30'),
+        callback=event_monitor.callback_detect_service_event_processed(
+            expected_results=4,
+            service_type=service_type),
+        error_message=ERROR_MESSAGE['incorrect_event_number']
+    )
+
+    # Call the module with the same parameters in and check there were no duplicates
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-30'),
+        callback=event_monitor.make_aws_callback(pattern),
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+    # Call the module with only_logs_after set with an early date than the one set previously and check that no logs
+    # were processed, there were no duplicates
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-31'),
+        callback=event_monitor.make_aws_callback(pattern),
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+
+# ----------------------------------------- TEST_CLOUDWATCH_MULTIPLE_CALLS ---------------------------------------------
+# Configure T8 test
+configurator.configure_test(cases_file='cases_cloudwatch_multiple_calls.yaml')
+
+
+@pytest.mark.tier(level=1)
+@pytest.mark.parametrize('metadata',
+                         configurator.metadata,
+                         ids=configurator.cases_ids)
+@pytest.mark.xfail
+def test_cloudwatch_multiple_calls(
+        metadata, clean_aws_services_db, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        logs_clients, load_wazuh_basic_configuration, restart_wazuh_function
+):
+    """
+    description: Call the AWS module multiple times with different only_logs_after values.
+    test_phases:
+        - setup:
+            - Delete the `aws_services.db`.
+        - test:
+            - Call the module without only_logs_after and check that no logs were processed.
+            - Upload a log file for the day of the test execution and call the module with the same parameters as
+              before, check that the uploaded logs were processed.
+            - Call the module with the same parameters and check that no logs were processed, there were no duplicates.
+            - Call the module with only_logs_after set in the past and check that the expected number of logs were
+              processed.
+            - Call the module with the same parameters in and check there were no duplicates.
+            - Call the module with only_logs_after set with an older date check that old logs were processed without
+              duplicates.
+            - Call the module with only_logs_after set with an early date than setted previously and check that no logs
+              were processed, there were no duplicates.
+        - teardown:
+            - Delete the `aws_services.db`.
+            - Delete the uploaded files.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - restart_wazuh_daemon:
+            type: fixture
+            brief: Restart the wazuh service.
+        - delete_log_stream:
+            type: fixture
+            brief: Delete the log stream after the test execution.
+    input_description:
+        - The `cases_multiple_calls` file provides the test cases.
+    """
+
+    service_type = metadata['service_type']
+    log_group_name = metadata['log_group_name']
+    log_stream_name = metadata['log_stream_name']
+
+    # Obtain generated client for test case
+    log_client = logs_clients[0]
+
+    base_parameters = [
+        '--service', service_type,
+        '--aws_log_groups', log_group_name,
+        '--regions', US_EAST_1_REGION,
+        '--debug', '2'
+    ]
+
+    pattern = fr"{EVENT_SENT}"
+
+    # Call the module without only_logs_after and check that no logs were processed
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters),
+        callback=event_monitor.make_aws_callback(pattern),
+        expected_results=0,
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+    # Call the module with only_logs_after set in the past and check that the expected number of logs were processed.
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-12'),
+        callback=event_monitor.callback_detect_service_event_processed(
+            expected_results=3,
+            service_type=service_type),
+        error_message=ERROR_MESSAGE['incorrect_event_number']
+    )
+
+    # Call the module with the same parameters in and check there were no duplicates
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-12'),
+        callback=event_monitor.make_aws_callback(pattern),
+        expected_results=0,
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+    # Call the module with only_logs_after set with an early date than the one set previously and check that no logs
+    # were processed, there were no duplicates
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters, ONLY_LOGS_AFTER_PARAM, '2023-JAN-15'),
+        callback=event_monitor.make_aws_callback(pattern),
+        expected_results=0,
+        error_message=ERROR_MESSAGE['unexpected_number_of_events_found']
+    )
+
+    # Upload a log file for the day of the test execution and call the module without only_logs_after and check that
+    # only the uploaded logs were processed.
+    upload_log_events(log_stream=log_stream_name, log_group=log_group_name, date='',
+                      type_json=False, events_number=1, client=log_client)
+
+    analyze_command_output(
+        command_output=call_aws_module(*base_parameters),
+        callback=event_monitor.callback_detect_service_event_processed(
+            expected_results=1,
+            service_type=service_type),
+        error_message=ERROR_MESSAGE['incorrect_event_number']
+    )
diff --git a/src/modules/aws/tests/integration/test_parser.py b/src/modules/aws/tests/integration/test_parser.py
new file mode 100644
index 0000000000..0ad1d9c50d
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_parser.py
@@ -0,0 +1,569 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the parser test suite
+"""
+
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'parser_test_module'
+
+# --------------------------------------------TEST_BUCKET_AND_SERVICE_MISSING ------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_bucket_and_service_missing.yaml',
+                            cases_file='cases_bucket_and_service_missing.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_bucket_and_service_missing(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: Command for bucket and service weren't invoked.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was not called.
+
+    input_description:
+        - The `configuration_bucket_and_service_missing` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_warning,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_warning']
+
+
+# -------------------------------------------- TEST_TYPE_MISSING_IN_BUCKET ---------------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='configuration_type_missing_in_bucket.yaml',
+                            cases_file='cases_type_missing_in_bucket.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_type_missing_in_bucket(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: A warning occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about missing attributes.
+    input_description:
+        - The `configuration_type_missing_in_bucket` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_legacy_module_warning,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_legacy_warning']
+
+
+# -------------------------------------------- TEST_TYPE_MISSING_IN_SERVICE --------------------------------------------
+# Configure T3 test
+configurator.configure_test(configuration_file='configuration_type_missing_in_service.yaml',
+                            cases_file='cases_type_missing_in_service.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_type_missing_in_service(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: An error occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about missing attributes.
+
+    input_description:
+        - The `configuration_type_missing_in_service` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_error_for_missing_type,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_error_message']
+
+
+# -------------------------------------------- TEST_EMPTY_VALUES_IN_BUCKET ---------------------------------------------
+# Configure T4 test
+configurator.configure_test(configuration_file='configuration_values_in_bucket.yaml',
+                            cases_file='cases_empty_values_in_bucket.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_empty_values_in_bucket(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: An error occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about an empty value.
+    input_description:
+        - The `configuration_values_in_bucket` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_empty_value,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_empty_value_message']
+
+
+# -------------------------------------------- TEST_EMPTY_VALUES_IN_SERVICE --------------------------------------------
+# Configure T5 test
+configurator.configure_test(configuration_file='configuration_values_in_service.yaml',
+                            cases_file='cases_empty_values_in_service.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_empty_values_in_service(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: An error occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about an empty value.
+
+    input_description:
+        - The `configuration_values_in_service` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_empty_value,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_empty_value_message']
+
+
+# ------------------------------------------ TEST_INVALID_VALUES_IN_BUCKET ---------------------------------------------
+# Configure T6 test
+configurator.configure_test(configuration_file='configuration_values_in_bucket.yaml',
+                            cases_file='cases_invalid_values_in_bucket.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_invalid_values_in_bucket(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: An error occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about an invalid value.
+    input_description:
+        - The `configuration_values_in_bucket` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_aws_invalid_value,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_invalid_value_message']
+
+
+# ------------------------------------------ TEST_INVALID_VALUES_IN_BUCKET ---------------------------------------------
+# Configure T7 test
+configurator.configure_test(configuration_file='configuration_values_in_service.yaml',
+                            cases_file='cases_invalid_values_in_service.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_invalid_values_in_service(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: An error occurs and was displayed in `ossec.log`.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module displays the message about an invalid value.
+    input_description:
+        - The `configuration_values_in_service` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_invalid_value,
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_invalid_value_message']
+
+
+# --------------------------------------- TEST_MULTIPLE_BUCKET_AND_SERVICE_TAGS ----------------------------------------
+# Configure T8 test
+configurator.configure_test(configuration_file='configuration_multiple_bucket_and_service_tags.yaml',
+                            cases_file='cases_multiple_bucket_and_service_tags.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_multiple_bucket_and_service_tags(
+        test_configuration, metadata, load_wazuh_basic_configuration, set_wazuh_configuration,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function_without_exception,
+        file_monitoring
+):
+    """
+    description: The command is invoked two times for buckets and two times for services.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has not appeared calling the module with correct parameters.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_function_without_exception:
+            type: fixture
+            brief: Restart the wazuh service catching the exception.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called the right amount of times.
+    input_description:
+        - The `configuration_multiple_bucket_and_service_tags` file provides the configuration for this test.
+    """
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.callback_detect_bucket_or_service_call,
+        accumulations=4
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_service_calls_amount']
diff --git a/src/modules/aws/tests/integration/test_path.py b/src/modules/aws/tests/integration/test_path.py
new file mode 100644
index 0000000000..ff3ab4053b
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_path.py
@@ -0,0 +1,167 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the path test suite
+"""
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths.aws import S3_CLOUDTRAIL_DB_PATH
+from wazuh_testing.utils.db_queries.aws_db import get_s3_db_row, table_exists_or_has_values
+from wazuh_testing.modules.aws.utils import path_exist
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'path_test_module'
+
+# ---------------------------------------------------- TEST_PATH -------------------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_path.yaml',
+                            cases_file='cases_path.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_path(
+        test_configuration, metadata, load_wazuh_basic_configuration, create_test_bucket, manage_bucket_files,
+        set_wazuh_configuration, clean_s3_cloudtrail_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only logs within a path are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a path that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the command was called with the correct parameters.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_path` file provides the module configuration for this test.
+        - The `cases_path` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    only_logs_after = metadata['only_logs_after']
+    path = metadata['path']
+    expected_results = metadata['expected_results']
+    table_name = metadata.get('table_name', bucket_type)
+    pattern = fr".*WARNING: Bucket:  -  No files were found in '{bucket_name}/{path}/'. No logs will be processed.\n+"
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--trail_prefix', path,
+        '--only_logs_after', only_logs_after,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[20],
+            callback=event_monitor.callback_detect_event_processed,
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    else:
+        log_monitor.start(
+            timeout=TIMEOUT[10],
+            callback=event_monitor.make_aws_callback(pattern),
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_empty_path_message']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+    if expected_results:
+        data = get_s3_db_row(table_name=table_name)
+        assert f"{bucket_name}/{path}/" == data.bucket_path
+        assert data.log_key.startswith(f"{path}/")
+    else:
+        assert not table_exists_or_has_values(table_name=table_name)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_path_suffix.py b/src/modules/aws/tests/integration/test_path_suffix.py
new file mode 100644
index 0000000000..da71d7e181
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_path_suffix.py
@@ -0,0 +1,166 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the path suffix test suite
+"""
+
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths.aws import S3_CLOUDTRAIL_DB_PATH
+from wazuh_testing.utils.db_queries.aws_db import get_s3_db_row, table_exists_or_has_values
+from wazuh_testing.modules.aws.utils import path_exist
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'path_suffix_test_module'
+
+# ---------------------------------------------------- TEST_PATH -------------------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_path_suffix.yaml',
+                            cases_file='cases_path_suffix.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_path_suffix(
+        test_configuration, metadata, load_wazuh_basic_configuration,  create_test_bucket, manage_bucket_files,
+        set_wazuh_configuration, clean_s3_cloudtrail_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only logs within a path_suffix are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a path_suffix that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the command was called with the correct parameters.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_path_suffix` file provides the module configuration for this test.
+        - The `cases_path_suffix` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    only_logs_after = metadata['only_logs_after']
+    path_suffix = metadata['path_suffix']
+    expected_results = metadata['expected_results']
+    pattern = fr".*WARNING: Bucket:  -  No files were found in '{bucket_name}/{path_suffix}/'. No logs will be processed.\n+"
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--trail_suffix', path_suffix,
+        '--only_logs_after', only_logs_after,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[20],
+            callback=event_monitor.callback_detect_event_processed,
+        )
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    else:
+        log_monitor.start(
+            timeout=TIMEOUT[10],
+            callback=event_monitor.make_aws_callback(pattern),
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_empty_path_suffix_message']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+    if expected_results:
+        data = get_s3_db_row(table_name=bucket_type)
+        assert f"{bucket_name}/{path_suffix}/" == data.bucket_path
+        assert data.log_key.startswith(f"AWSLogs/{path_suffix}/")
+    else:
+        assert not table_exists_or_has_values(table_name=bucket_type)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_regions.py b/src/modules/aws/tests/integration/test_regions.py
new file mode 100644
index 0000000000..0cd809b752
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_regions.py
@@ -0,0 +1,468 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the region test suite
+"""
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.aws import RANDOM_ACCOUNT_ID
+from wazuh_testing.constants.paths.aws import AWS_SERVICES_DB_PATH, S3_CLOUDTRAIL_DB_PATH
+from wazuh_testing.modules.aws.utils import path_exist
+from wazuh_testing.utils.db_queries.aws_db import (get_multiple_service_db_row, table_exists_or_has_values,
+                                                   get_multiple_s3_db_row)
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'regions_test_module'
+
+# ---------------------------------------------------- TEST_PATH -------------------------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='bucket_configuration_regions.yaml',
+                            cases_file='cases_bucket_regions.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_regions(
+        test_configuration, metadata, load_wazuh_basic_configuration,  create_test_bucket, manage_bucket_files,
+        set_wazuh_configuration, clean_s3_cloudtrail_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only the logs for the specified region are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a region that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket
+              for the specified region.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: S3 buckets manager.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_regions` file provides the module configuration for this test.
+        - The `cases_regions` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    bucket_type = metadata['bucket_type']
+    only_logs_after = metadata['only_logs_after']
+    regions = metadata['regions']
+    expected_results = metadata['expected_results']
+    pattern = f".*DEBUG: \+\+\+ No logs to process in bucket: {RANDOM_ACCOUNT_ID}/{regions}"
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--type', bucket_type,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[50],
+            callback=event_monitor.callback_detect_event_processed,
+            accumulations=expected_results
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    else:
+        log_monitor.start(
+            timeout=TIMEOUT[10],
+            callback=event_monitor.make_aws_callback(pattern),
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_no_region_found_message']
+
+    assert path_exist(path=S3_CLOUDTRAIL_DB_PATH)
+
+    if expected_results:
+        regions_list = regions.split(",")
+        for row in get_multiple_s3_db_row(table_name=bucket_type):
+            if hasattr(row, "aws_region"):
+                assert row.aws_region in regions_list
+            else:
+                assert row.log_key.split("/")[3] in regions_list
+    else:
+        assert not table_exists_or_has_values(table_name=bucket_type)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# -------------------------------------------- TEST_CLOUDWATCH_REGIONS -------------------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='cloudwatch_configuration_regions.yaml',
+                            cases_file='cases_cloudwatch_regions.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_cloudwatch_regions(
+        test_configuration, metadata, load_wazuh_basic_configuration, create_test_log_group, create_test_log_stream,
+        manage_log_group_events, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only the logs for the specified region are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a region that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket
+              for the specified region.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_regions` file provides the module configuration for this test.
+        - The `cases_regions` file provides the test cases.
+    """
+    service_type = metadata['service_type']
+    log_group_name = metadata.get('log_group_name')
+    only_logs_after = metadata['only_logs_after']
+    regions: str = metadata['regions']
+    expected_results = metadata['expected_results']
+    regions_list = regions.split(",")
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--aws_log_groups', log_group_name,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[20],
+            callback=event_monitor.callback_detect_service_event_processed(expected_results, service_type),
+            accumulations=len(regions_list)
+        )
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    else:
+        log_monitor.start(
+            timeout=session_parameters.default_timeout,
+            callback=event_monitor.make_aws_callback(
+                fr".*\+\+\+ ERROR: Invalid region '{regions}'"
+            ),
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_non-existent_region_message']
+
+    table_name = 'cloudwatch_logs'
+
+    if expected_results:
+        assert table_exists_or_has_values(table_name=table_name, db_path=AWS_SERVICES_DB_PATH)
+        for row in get_multiple_service_db_row(table_name=table_name):
+            assert (getattr(row, 'region', None) or getattr(row, 'aws_region')) in regions_list
+    else:
+        assert not table_exists_or_has_values(table_name=table_name, db_path=AWS_SERVICES_DB_PATH)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# ------------------------------------------ TEST_INSPECTOR_PATH -------------------------------------------------------
+# Configure T3 test
+configurator.configure_test(configuration_file='inspector_configuration_regions.yaml',
+                            cases_file='cases_inspector_regions.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_inspector_regions(
+        test_configuration, metadata, load_wazuh_basic_configuration,
+        set_wazuh_configuration, clean_aws_services_db, configure_local_internal_options_function,
+        truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: Only the logs for the specified region are processed.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - If a region that does not exist was specified, make sure that a message is displayed in the ossec.log
+              warning the user.
+            - Check the expected number of events were forwarded to analysisd, only logs stored in the bucket
+              for the specified region.
+            - Check the database was created and updated accordingly.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+            - Delete the uploaded file.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check the expected number of events were forwarded to analysisd.
+        - Check the database was created and updated accordingly, using the correct path for each entry.
+    input_description:
+        - The `configuration_regions` file provides the module configuration for this test.
+        - The `cases_regions` file provides the test cases.
+    """
+    service_type = metadata['service_type']
+    only_logs_after = metadata['only_logs_after']
+    regions: str = metadata['regions']
+    expected_results = metadata['expected_results']
+    regions_list = regions.split(",")
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--only_logs_after', only_logs_after,
+        '--regions', regions,
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    if expected_results:
+        log_monitor.start(
+            timeout=TIMEOUT[20],
+            callback=event_monitor.callback_detect_service_event_processed(expected_results, service_type),
+            accumulations=len(regions_list)
+        )
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_event_number']
+
+    else:
+        log_monitor.start(
+            timeout=session_parameters.default_timeout,
+            callback=event_monitor.make_aws_callback(
+                fr".*\+\+\+ ERROR: Unsupported region '{regions}'"
+            ),
+        )
+
+        assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_non-existent_region_message']
+
+    table_name = 'aws_services'
+
+    if expected_results:
+        assert table_exists_or_has_values(table_name=table_name, db_path=AWS_SERVICES_DB_PATH)
+        for row in get_multiple_service_db_row(table_name=table_name):
+            assert (getattr(row, 'region', None) or getattr(row, 'aws_region')) in regions_list
+    else:
+        assert not table_exists_or_has_values(table_name=table_name, db_path=AWS_SERVICES_DB_PATH)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/test_remove_from_bucket.py b/src/modules/aws/tests/integration/test_remove_from_bucket.py
new file mode 100644
index 0000000000..bf8c8e84e6
--- /dev/null
+++ b/src/modules/aws/tests/integration/test_remove_from_bucket.py
@@ -0,0 +1,268 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+This module will contain all cases for the remove from bucket test suite
+"""
+
+import pytest
+
+# qa-integration-framework imports
+from wazuh_testing import session_parameters
+from wazuh_testing.modules.aws.utils import log_stream_exists, file_exists
+from wazuh_testing.modules.aws.patterns import REMOVE_S3_FILE
+
+# Local module imports
+from . import event_monitor
+from .configurator import configurator
+from .utils import ERROR_MESSAGE, TIMEOUT, local_internal_options
+
+pytestmark = [pytest.mark.server]
+
+# Set test configurator for the module
+configurator.module = 'remove_from_bucket_test_module'
+
+# ---------------------------------------------------- TEST_REMOVE_FROM_BUCKET -----------------------------------------
+# Configure T1 test
+configurator.configure_test(configuration_file='configuration_remove_from_bucket.yaml',
+                            cases_file='cases_remove_from_bucket.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_remove_from_bucket(
+        test_configuration, metadata, mark_cases_as_skipped, create_test_bucket, manage_bucket_files, s3_client,
+        load_wazuh_basic_configuration, set_wazuh_configuration, clean_s3_cloudtrail_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: The uploaded file was removed after the execution.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check that the uploaded log was removed by the module after the execution.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - mark_cases_as_skipped:
+            type: fixture
+            brief: Mark certain tests as skipped.
+        - create_test_bucket:
+            type: fixture
+            brief: Create temporal bucket.
+        - manage_bucket_files:
+            type: fixture
+            brief: Create and delete the resources for the test.
+        - s3_client:
+            type: fixture
+            brief: S3 client to access AWS.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_s3_cloudtrail_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the bucket that the uploaded log was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    bucket_name = metadata['bucket_name']
+    path = metadata.get('path')
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--bucket', bucket_name,
+        '--remove',
+        '--type', metadata['bucket_type'],
+        '--debug', '2'
+    ]
+
+    if path is not None:
+        parameters.insert(4, path)
+        parameters.insert(4, '--trail_prefix')
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    log_monitor.start(
+        timeout=TIMEOUT[20],
+        callback=event_monitor.make_aws_callback(pattern=fr"{REMOVE_S3_FILE}")
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_no_existent_log_group']
+
+    assert not file_exists(filename=metadata['uploaded_file'], bucket_name=bucket_name, client=s3_client)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
+
+
+# ---------------------------------------------------- TEST_REMOVE_LOG_STREAM ------------------------------------------
+# Configure T2 test
+configurator.configure_test(configuration_file='configuration_remove_log_stream.yaml',
+                            cases_file='cases_remove_log_streams.yaml')
+
+
+@pytest.mark.tier(level=0)
+@pytest.mark.parametrize('test_configuration, metadata',
+                         zip(configurator.test_configuration_template, configurator.metadata),
+                         ids=configurator.cases_ids)
+def test_remove_log_stream(
+        test_configuration, metadata, create_test_log_group, create_test_log_stream, manage_log_group_events,
+        logs_clients, load_wazuh_basic_configuration, set_wazuh_configuration, clean_aws_services_db,
+        configure_local_internal_options_function, truncate_monitored_files, restart_wazuh_function, file_monitoring
+):
+    """
+    description: The created log stream was removed after the execution.
+    test_phases:
+        - setup:
+            - Load Wazuh light configuration.
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Truncate wazuh logs.
+            - Restart wazuh-manager service to apply configuration changes.
+        - test:
+            - Check in the ossec.log that a line has appeared calling the module with correct parameters.
+            - Check that the created log stream was removed by the module after the execution.
+        - teardown:
+            - Truncate wazuh logs.
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+    wazuh_min_version: 4.6.0
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Get configurations from the module.
+        - metadata:
+            type: dict
+            brief: Get metadata from the module.
+        - create_test_log_group:
+            type: fixture
+            brief: Create a log group.
+        - create_test_log_stream:
+            type: fixture
+            brief: Create a log stream with events for the day of execution.
+        - manage_log_group_events:
+            type: fixture
+            brief: Manage events for the created log stream and log group.
+        - logs_clients:
+            type: fixture
+            brief: CloudWatch Logs client to check the log stream existence.
+        - load_wazuh_basic_configuration:
+            type: fixture
+            brief: Load basic wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Apply changes to the ossec.conf configuration.
+        - clean_aws_services_db:
+            type: fixture
+            brief: Delete the DB file before and after the test execution.
+        - configure_local_internal_options_function:
+            type: fixture
+            brief: Apply changes to the local_internal_options.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate wazuh logs.
+        - restart_wazuh_daemon_function:
+            type: fixture
+            brief: Restart the wazuh service.
+        - file_monitoring:
+            type: fixture
+            brief: Handle the monitoring of a specified file.
+    assertions:
+        - Check in the log that the module was called with correct parameters.
+        - Check in the log group that the created stream was removed.
+    input_description:
+        - The `configuration_defaults` file provides the module configuration for this test.
+        - The `cases_defaults` file provides the test cases.
+    """
+    service_type = metadata['service_type']
+    log_group_name = metadata['log_group_name']
+
+    parameters = [
+        'wodles/aws/aws-s3',
+        '--service', service_type,
+        '--regions', 'us-east-1',
+        '--aws_log_groups', log_group_name,
+        '--remove-log-streams',
+        '--debug', '2'
+    ]
+
+    # Check AWS module started
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_start
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['failed_start']
+
+    # Check command was called correctly
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_aws_module_called(parameters)
+    )
+
+    assert log_monitor.callback_result is not None, ERROR_MESSAGE['incorrect_parameters']
+
+    for log_client in logs_clients:
+        assert not log_stream_exists(log_stream=metadata['log_stream_name'], log_group=log_group_name,
+                                     client=log_client)
+
+    # Detect any ERROR message
+    log_monitor.start(
+        timeout=session_parameters.default_timeout,
+        callback=event_monitor.callback_detect_all_aws_err
+    )
+
+    assert log_monitor.callback_result is None, ERROR_MESSAGE['error_found']
diff --git a/src/modules/aws/tests/integration/utils.py b/src/modules/aws/tests/integration/utils.py
new file mode 100644
index 0000000000..5f133b3186
--- /dev/null
+++ b/src/modules/aws/tests/integration/utils.py
@@ -0,0 +1,61 @@
+# Copyright (C) 2015-2023, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+"""
+    This file contain constant and other utilities to be used in the AWS integration test module.
+"""
+
+# qa-integration-framework imports
+from wazuh_testing.modules.monitord import configuration as monitord_config
+
+from os.path import join, dirname, realpath
+
+# CONSTANTS
+TEMPLATE_DIR = 'configuration_template'
+TEST_CASES_DIR = 'test_cases'
+WAZUH_MODULES_DEBUG = 'wazuh_modules.debug'
+
+# DICTS
+ERROR_MESSAGE = {
+
+    "failed_start": "The AWS module did not start as expected",
+    "incorrect_parameters": "The AWS module was not called with the correct parameters",
+    "error_found": "Found error message on AWS module",
+    "incorrect_event_number": "The AWS module did not process the expected number of events",
+    "incorrect_non-existent_region_message": "The AWS module did not show correct message about non-existent region",
+    "incorrect_no_existent_log_group": "The AWS module did not show correct message non-existent log group",
+    "incorrect_empty_path_message": "The AWS module did not show correct message about empty path",
+    "incorrect_empty_path_suffix_message": "The AWS module did not show correct message about empty path_suffix",
+    "incorrect_error_message": "The AWS module did not show the expected error message",
+    "incorrect_empty_value_message": "The AWS module did not show the expected message about empty value",
+    "incorrect_legacy_warning": "The AWS module did not show the expected legacy warning",
+    "incorrect_warning": "The AWS module did not show the expected warning",
+    "incorrect_invalid_value_message": "The AWS module did not show the expected message about invalid value",
+    "incorrect_service_calls_amount": "The AWS module was not called for bucket or service the right amount of times",
+    "unexpected_number_of_events_found": "Some logs may have been processed, "
+                                         "or the results found are more than expected",
+    "event_not_found": "The expected log pattern was not found",
+    "incorrect_marker": "The AWS module did not use the correct marker",
+    "incorrect_no_region_found_message": "The AWS module did not show correct message about non-existent region",
+    "incorrect_discard_regex_message": "The AWS module did not show the correct message about discard regex or, "
+                                       "did not process the expected amount of logs",
+    "failed_sqs_message_retrieval": "The AWS module did not retrieve the expected message from the SQS Queue",
+    "failed_message_handling": "The AWS module did not handle the expected message",
+    "file_not_removed": "The AWS did not show the expected removed file from S3 message"
+}
+
+TIMEOUT = {
+    10: 10,
+    20: 20,
+    30: 30,
+    40: 40,
+    50: 50
+}
+
+# Paths
+TEST_DATA_PATH = join(dirname(realpath(__file__)), 'data')
+
+# Set local internal options
+local_internal_options = {WAZUH_MODULES_DEBUG: '2',
+                          monitord_config.MONITORD_ROTATE_LOG: '0'}
diff --git a/src/modules/aws/tests/unit/tests/CMakeLists.txt b/src/modules/aws/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..9df6d81809
--- /dev/null
+++ b/src/modules/aws/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,71 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_aws")
+list(APPEND tests_flags "-Wl,--wrap=time,--wrap=w_time_delay,--wrap=w_sleep_until,--wrap=_mwarn,--wrap=_minfo,--wrap=_merror \
+                         -Wl,--wrap=_mtwarn,--wrap=_mtinfo,--wrap=_mterror,--wrap=wm_aws_run_s3,--wrap=StartMQ,--wrap=FOREVER \
+                         -Wl,--wrap=atexit -Wl,--wrap=wm_state_io")
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB aws ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM aws ../../../wazuh_modules/main.o)
+
+add_library(AWS_O STATIC ${aws})
+
+set_source_files_properties(
+  ${aws}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  AWS_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(AWS_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        AWS_O
+        -lcmocka
+        -ldl
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/aws/tests/unit/tests/test_wm_aws.c b/src/modules/aws/tests/unit/tests/test_wm_aws.c
new file mode 100644
index 0000000000..88dea8bf72
--- /dev/null
+++ b/src/modules/aws/tests/unit/tests/test_wm_aws.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for aws Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../../../wazuh_modules/wm_aws.h"
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+
+#define TEST_MAX_DATES 5
+
+static wmodule *aws_module;
+static OS_XML *lxml;
+extern int test_mode;
+
+extern void wm_aws_run_s3(wm_aws_bucket *bucket);
+
+void wm_aws_run_s3(wm_aws_bucket *exec_bucket) {
+    // Will wrap this function to check running times in order to check scheduling
+    return;
+}
+/****************************************************************/
+
+static void wmodule_cleanup(wmodule *module) {
+    free( ((wm_aws*) module->data)->buckets->bucket);
+    free( ((wm_aws*) module->data)->buckets->aws_profile);
+    free( ((wm_aws*) module->data)->buckets->trail_prefix);
+    free( ((wm_aws*) module->data)->buckets->type);
+    free( ((wm_aws*) module->data)->buckets);
+    free(module->data);
+    free(module->tag);
+    free(module);
+}
+
+/***  SETUPS/TEARDOWNS  ******/
+static int setup_module() {
+    int ret;
+    aws_module = calloc(1, sizeof(wmodule));
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<interval>10m</interval>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>"
+    ;
+    lxml = malloc(sizeof(OS_XML));
+    XML_NODE nodes = string_to_xml_node(string, lxml);
+    ret = wm_aws_read(lxml, nodes, aws_module);
+    OS_ClearNode(nodes);
+    test_mode = 1;
+    return ret;
+}
+
+static int teardown_module() {
+    test_mode = 0;
+    wmodule_cleanup(aws_module);
+    OS_ClearXML(lxml);
+    return 0;
+}
+
+static int setup_test_executions(void **state) {
+    wm_max_eps = 1;
+    return 0;
+}
+
+static int teardown_test_executions(void **state) {
+    wm_aws* module_data = (wm_aws *) *state;
+    sched_scan_free(&(module_data->scan_config));
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wm_aws *module_data = (wm_aws*)test->module->data;
+    sched_scan_free(&(module_data->scan_config));
+    wmodule_cleanup(test->module);
+    os_free(test);
+    return 0;
+}
+
+/** Tests **/
+void test_interval_execution(void **state) {
+    wm_aws* module_data = (wm_aws *)aws_module->data;
+    int i = 0;
+
+    *state = module_data;
+    module_data->scan_config.next_scheduled_scan_time = 0;
+    module_data->scan_config.scan_day = 0;
+    module_data->scan_config.scan_wday = -1;
+    module_data->scan_config.interval = 600; // 10min
+    module_data->scan_config.month_interval = false;
+
+    will_return_count(__wrap_FOREVER, 1, TEST_MAX_DATES);
+    will_return(__wrap_FOREVER, 0);
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 0);
+
+    expect_string(__wrap_wm_state_io, tag, "aws-s3");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_value(__wrap_wm_state_io, state, &module_data->state);
+    expect_value(__wrap_wm_state_io, size, sizeof(module_data->state));
+    will_return(__wrap_wm_state_io, 1);
+
+    for (i = 0; i < TEST_MAX_DATES + 1; i++) {
+        expect_string(__wrap_wm_state_io, tag, "aws-s3");
+        expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+        expect_value(__wrap_wm_state_io, state, &module_data->state);
+        expect_value(__wrap_wm_state_io, size, sizeof(module_data->state));
+        will_return(__wrap_wm_state_io, -1);
+    }
+
+    expect_string_count(__wrap__mterror, tag, "wazuh-modulesd:aws-s3", TEST_MAX_DATES + 1);
+    expect_string_count(__wrap__mterror, formatted_msg, "Couldn't save running state.", TEST_MAX_DATES + 1);
+    expect_any_always(__wrap__mtinfo, tag);
+    expect_any_always(__wrap__mtinfo, formatted_msg);
+
+    aws_module->context->start(module_data);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>15:05</time>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>\n"
+        "<fake-tag>ASD</fake-tag>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake-tag' at module 'aws-s3'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_aws_read(&(test->xml), test->nodes, test->module), -1);
+
+}
+
+void test_read_scheduling_monthday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>15:05</time>\n"
+        "<day>6</day>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_aws_read(&(test->xml), test->nodes, test->module), 0);
+    wm_aws *module_data = (wm_aws*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 6);
+    assert_int_equal(module_data->scan_config.interval, 1);
+    assert_int_equal(module_data->scan_config.month_interval, true);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "15:05");
+}
+
+void test_read_scheduling_weekday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>13:03</time>\n"
+        "<wday>Monday</wday>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_aws_read(&(test->xml), test->nodes, test->module), 0);
+    wm_aws *module_data = (wm_aws*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 604800);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, 1);
+    assert_string_equal(module_data->scan_config.scan_time, "13:03");
+}
+
+void test_read_scheduling_daytime_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>01:11</time>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one day. New interval value: 1d");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_aws_read(&(test->xml), test->nodes, test->module), 0);
+    wm_aws *module_data = (wm_aws*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "01:11");
+}
+
+void test_read_scheduling_interval_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<interval>10m</interval>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<skip_on_error>yes</skip_on_error>\n"
+        "<bucket type=\"config\">\n"
+        "    <name>wazuh-aws-wodle</name>\n"
+        "    <path>config</path>\n"
+        "   <aws_profile>default</aws_profile>\n"
+        "</bucket>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_aws_read(&(test->xml), test->nodes, test->module), 0);
+    wm_aws *module_data = (wm_aws*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 600);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_interval_execution, setup_test_executions, teardown_test_executions)
+    };
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_monthday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_weekday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_daytime_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_interval_configuration, setup_test_read, teardown_test_read)
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_with_startup, setup_module, teardown_module);
+    result += cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/azure/include/wm_azure.h b/src/modules/azure/include/wm_azure.h
new file mode 100644
index 0000000000..47a3ec387e
--- /dev/null
+++ b/src/modules/azure/include/wm_azure.h
@@ -0,0 +1,80 @@
+/*
+ * Wazuh Module for Azure
+ * Copyright (C) 2015, Wazuh Inc.
+ * September, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_AZURE
+#define WM_AZURE
+
+#define WM_AZURE_LOGTAG ARGV0 ":" AZ_WM_NAME
+#define WM_AZURE_SCRIPT_PATH "wodles/azure/azure-logs"
+
+#define LOG_ANALYTICS   0
+#define GRAPHS          1
+
+#define WM_AZURE_DEF_TIMEOUT 3600
+
+typedef struct wm_azure_flags_t {
+    unsigned int enabled:1;
+    unsigned int run_on_start:1;
+} wm_azure_flags_t;
+
+typedef struct wm_azure_state_t {
+    time_t next_time;               // Absolute time for next scan
+} wm_azure_state_t;
+
+typedef struct wm_azure_request_t {
+    char * tag;             // Request tag
+    char * workspace;       // Workspace ID
+    char * query;           // SQL Query
+    char * time_offset;     // Offset to look for logs (minutes, hours, days)
+    unsigned int timeout;   // Timeout for a single request
+    struct wm_azure_request_t *next;
+} wm_azure_request_t;
+
+typedef struct wm_azure_api_t {
+    unsigned int type:1;        // Type of API defined (Log analytics or graph)
+    char * auth_path;           // Authentication file with application ID and key
+    char * tenantdomain;        // Domain
+    wm_azure_request_t *request;  // Requests (linked list)
+    struct wm_azure_api_t *next;
+} wm_azure_api_t;
+
+typedef struct wm_azure_container_t {
+    char * name;            // Container name
+    char * blobs;           // Blobs
+    char * content_type;    // Content type (plain | inline | file)
+    char * time_offset;     // Offset to look for logs (minutes, hours, days)
+    char * path;          // Prefix to search into
+    unsigned int timeout;   // Timeout for a single container
+    struct wm_azure_container_t *next;
+} wm_azure_container_t;
+
+typedef struct wm_azure_storage_t {
+    char * auth_path;       // Authentication file with account name and key
+    char * tag;             // Storage tag
+    wm_azure_container_t *container;  // Storage container
+    struct wm_azure_storage_t *next;
+} wm_azure_storage_t;
+
+typedef struct wm_azure_t {
+    unsigned int timeout;           // Default execution time limit (seconds)
+    wm_azure_flags_t flags;           // Default flags
+    wm_azure_state_t state;           // Running state
+    wm_azure_api_t *api_config;     // Log Analytics and Graphs (linked list)
+    wm_azure_storage_t *storage;    // Storage (linked list)
+    sched_scan_config scan_config;  // Scheduling configuration
+} wm_azure_t;
+
+extern const wm_context WM_AZURE_CONTEXT;   // Context
+
+// Parse XML configuration
+int wm_azure_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+#endif
diff --git a/src/modules/azure/scripts/__init__.py b/src/modules/azure/scripts/__init__.py
new file mode 100644
index 0000000000..ea0d8aeea6
--- /dev/null
+++ b/src/modules/azure/scripts/__init__.py
@@ -0,0 +1,3 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
diff --git a/src/modules/azure/scripts/azure_logs.py b/src/modules/azure/scripts/azure_logs.py
new file mode 100644
index 0000000000..b9d8d3eb91
--- /dev/null
+++ b/src/modules/azure/scripts/azure_logs.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+###
+# Integration of Wazuh agent with Microsoft Azure
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+###
+
+################################################################################################
+# pip install azure
+# https://github.com/Azure/azure-sdk-for-python
+# https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python
+################################################################################################
+import logging
+import sys
+
+from azure_utils import get_script_arguments, set_logger
+from db.orm import check_database_integrity
+from azure_services.analytics import start_log_analytics
+from azure_services.graph import start_graph
+from azure_services.storage import start_storage
+
+if __name__ == '__main__':
+    args = get_script_arguments()
+    set_logger(args.debug_level)
+
+    if not check_database_integrity():
+        sys.exit(1)
+
+    if args.log_analytics:
+        start_log_analytics(args)
+    elif args.graph:
+        start_graph(args)
+    elif args.storage:
+        start_storage(args)
+    else:
+        logging.error(
+            'No valid API was specified. Please use "graph", "log_analytics" or "storage".'
+        )
+        sys.exit(1)
diff --git a/src/modules/azure/scripts/azure_services/__init__.py b/src/modules/azure/scripts/azure_services/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/azure_services/analytics.py b/src/modules/azure/scripts/azure_services/analytics.py
new file mode 100644
index 0000000000..4148b0b80c
--- /dev/null
+++ b/src/modules/azure/scripts/azure_services/analytics.py
@@ -0,0 +1,261 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sys
+from hashlib import md5
+from json import dumps
+from os.path import abspath, dirname
+
+from dateutil.parser import parse
+from requests import HTTPError, get
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from azure_utils import (
+    CREDENTIALS_URL,
+    DATETIME_MASK,
+    DEPRECATED_MESSAGE,
+    get_token,
+    offset_to_datetime,
+    read_auth_file,
+    send_message,
+)
+from db import orm
+from db.utils import create_new_row, update_row_object
+
+URL_ANALYTICS = 'https://api.loganalytics.io'
+
+
+def start_log_analytics(args):
+    """Run the Log Analytics integration processing the logs available for the given time offset. The client or
+    application must have "Contributor" permission to read Log Analytics."""
+
+    logging.info('Azure Log Analytics starting.')
+
+    # Read credentials
+    if args.la_auth_path and args.la_tenant_domain:
+        logging.debug(f"Log Analytics: Using the auth file {args.la_auth_path} for authentication")
+        client, secret = read_auth_file(
+            auth_path=args.la_auth_path, fields=('application_id', 'application_key')
+        )
+    elif args.la_id and args.la_key and args.la_tenant_domain:
+        logging.debug(f"Log Analytics: Using id and key from configuration for authentication")
+        logging.warning(
+            DEPRECATED_MESSAGE.format(
+                name='la_id and la_key', release='4.4', url=CREDENTIALS_URL
+            )
+        )
+        client = args.la_id
+        secret = args.la_key
+    else:
+        logging.error(
+            'Log Analytics: No parameters have been provided for authentication.'
+        )
+        sys.exit(1)
+
+    # Get authentication token
+    logging.info('Log Analytics: Getting authentication token.')
+    token = get_token(
+        client_id=client,
+        secret=secret,
+        domain=args.la_tenant_domain,
+        scope=f'{URL_ANALYTICS}/.default',
+    )
+
+    # Build the request
+    md5_hash = md5(args.la_query.encode()).hexdigest()
+    url = f'{URL_ANALYTICS}/v1/workspaces/{args.workspace}/query'
+    body = build_log_analytics_query(
+        query=args.la_query,
+        offset=args.la_time_offset,
+        reparse=args.reparse,
+        md5_hash=md5_hash,
+    )
+    headers = {'Authorization': f'Bearer {token}'}
+
+    # Get the logs
+    try:
+        get_log_analytics_events(
+            url=url,
+            body=body,
+            headers=headers,
+            md5_hash=md5_hash,
+            query=args.la_query,
+            tag=args.la_tag,
+        )
+    except HTTPError as e:
+        logging.error(f'Log Analytics: {e}')
+    logging.info('Azure Log Analytics ending.')
+
+
+def build_log_analytics_query(
+        query: str, offset: str, reparse: bool, md5_hash: str
+) -> dict:
+    """Prepare and make the request, building the query based on the time of event generation.
+
+    Parameters
+    ----------
+    offset : str
+        The filtering condition for the query.
+    md5_hash : str
+        md5 value used to search the query in the file containing the dates.
+
+    Returns
+    -------
+    dict
+        The required body for the requested query.
+    """
+    try:
+        item = orm.get_row(orm.LogAnalytics, md5=md5_hash)
+        if item is None:
+            item = create_new_row(
+                table=orm.LogAnalytics,
+                query=query,
+                md5_hash=md5_hash,
+                offset=offset,
+            )
+    except orm.AzureORMError as e:
+        logging.error(
+            f'Error trying to obtain row object from "{orm.LogAnalytics.__tablename__}" using md5="{md5}": '
+            f'{e}'
+        )
+        sys.exit(1)
+
+    min_str = item.min_processed_date
+    max_str = item.max_processed_date
+    min_datetime = parse(min_str, fuzzy=True)
+    max_datetime = parse(max_str, fuzzy=True)
+    desired_datetime = offset_to_datetime(offset) if offset else max_datetime
+    desired_str = f'datetime({desired_datetime.strftime(DATETIME_MASK)})'
+    min_str = f'datetime({min_str})'
+    max_str = f'datetime({max_str})'
+
+    # If reparse was provided, get the logs ignoring if they were already processed
+    if reparse:
+        filter_value = f'TimeGenerated >= {desired_str}'
+    # Build the filter taking into account the min and max values from the file
+    else:
+        # Build the filter taking into account the min and max values
+        if desired_datetime < min_datetime:
+            logging.debug(f"Log Analytics: Making request query for the following intervals: "
+                          f"from {desired_str} to {min_str} and from {max_str}")
+            filter_value = (
+                f'( TimeGenerated < {min_str} and TimeGenerated >= {desired_str}) or '
+                f'( TimeGenerated > {max_str})'
+            )
+        elif desired_datetime > max_datetime:
+            logging.debug(f"Log Analytics: Making request for the following interval: from {desired_str}")
+            filter_value = f'TimeGenerated >= {desired_str}'
+        else:
+            logging.debug(f"Log Analytics: Making request for the following interval: from {max_str}")
+            filter_value = f'TimeGenerated > {max_str}'
+
+    query = f'{query} | order by TimeGenerated asc | where {filter_value} '
+    logging.debug(f'Log Analytics: The search starts for query: "{query}"')
+    return {'query': query}
+
+
+def get_log_analytics_events(
+        url: str, body: dict, headers: dict, md5_hash: str, query: str, tag: str
+):
+    """Get the logs, process the response and iterate the events.
+
+    Parameters
+    ----------
+    url : str
+        The url for the request.
+    body : dict
+        Body for the request containing the query.
+    headers : dict
+        The header for the request, containing the authentication token.
+    md5_hash : str
+        md5 value used to search the query in the file containing the dates.
+
+    Raises
+    ------
+    HTTPError
+        If the response for the request is not 200 OK.
+    """
+    logging.info('Log Analytics: Sending a request to the Log Analytics API.')
+    logging.debug(f"Log Analytics request - URL: {url} - Params: {body} - Headers: {headers}")
+    response = get(url, params=body, headers=headers, timeout=10)
+    if response.status_code == 200:
+        try:
+            columns = response.json()['tables'][0]['columns']
+            rows = response.json()['tables'][0]['rows']
+            if len(rows) == 0:
+                logging.info('Log Analytics: There are no new results')
+            else:
+                time_position = get_time_position(columns)
+                if time_position is not None:
+                    iter_log_analytics_events(columns, rows, tag)
+                    update_row_object(
+                        table=orm.LogAnalytics,
+                        md5_hash=md5_hash,
+                        new_min=rows[0][time_position],
+                        new_max=rows[len(rows) - 1][time_position],
+                        query=query,
+                    )
+                else:
+                    logging.error('Error: No TimeGenerated field was found')
+
+        except KeyError as e:
+            logging.error(
+                f'Error: It was not possible to obtain the columns and rows from the event: "{e}".'
+            )
+    else:
+        logging.error(f"Error with Log Analytics request: {response.json()}")
+        response.raise_for_status()
+
+
+def get_time_position(columns: list):
+    """Get the position of the 'TimeGenerated' field in the columns list.
+
+    Parameters
+    ----------
+    columns : list
+        List of columns of the log analytic logs.
+
+    Returns
+    -------
+    int or None
+        The index of the 'TimeGenerated' field in the given list or None if it's not present.
+    """
+    for i in range(0, len(columns)):
+        if columns[i]['name'] == 'TimeGenerated':
+            return i
+
+
+def iter_log_analytics_events(columns: list, rows: list, tag: str):
+    """Iterate through the columns and rows to build the events and send them to the socket.
+
+    Parameters
+    ----------
+    columns : list
+        List of dicts containing the names and the types of each column.
+    rows : list
+        List of rows containing the values for each column. Each rows is an event.
+    """
+    # Add tag columns
+    columns.append({'type': 'string', 'name': 'azure_tag'})
+    if tag:
+        columns.append({'type': 'string', 'name': 'log_analytics_tag'})
+
+    for row in rows:
+        # Add tag values
+        row.append('azure-log-analytics')
+        if tag:
+            row.append(tag)
+
+        # Build the events and send them
+        event = {}
+        for c in range(0, len(columns)):
+            event[columns[c]['name']] = row[c]
+        logging.info('Log Analytics: Sending event by socket.')
+        logging.debug(f"Event send to socket: {event}")
+        send_message(dumps(event))
diff --git a/src/modules/azure/scripts/azure_services/graph.py b/src/modules/azure/scripts/azure_services/graph.py
new file mode 100644
index 0000000000..6a03cf4e6b
--- /dev/null
+++ b/src/modules/azure/scripts/azure_services/graph.py
@@ -0,0 +1,218 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sys
+from hashlib import md5
+from json import dumps
+from os.path import abspath, dirname
+
+from dateutil.parser import parse
+from requests import HTTPError, get
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from azure_utils import (
+    CREDENTIALS_URL,
+    DATETIME_MASK,
+    DEPRECATED_MESSAGE,
+    get_token,
+    offset_to_datetime,
+    read_auth_file,
+    send_message,
+)
+from db import orm
+from db.utils import create_new_row, update_row_object
+
+URL_GRAPH = 'https://graph.microsoft.com'
+
+
+def start_graph(args):
+    """Run the Microsoft Graph integration processing the logs available for the given query and offset values in
+    the configuration. The client or application must have permission to access Microsoft Graph."""
+    logging.info('Azure Graph starting.')
+
+    # Read credentials
+    if args.graph_auth_path and args.graph_tenant_domain:
+        logging.debug(f"Graph: Using the auth file {args.graph_auth_path} for authentication")
+        client, secret = read_auth_file(
+            auth_path=args.graph_auth_path, fields=('application_id', 'application_key')
+        )
+    elif args.graph_id and args.graph_key and args.graph_tenant_domain:
+        logging.debug(f"Graph: Using id and key from configuration for authentication")
+        logging.warning(
+            DEPRECATED_MESSAGE.format(
+                name='graph_id and graph_key', release='4.4', url=CREDENTIALS_URL
+            )
+        )
+        client = args.graph_id
+        secret = args.graph_key
+    else:
+        logging.error('Graph: No parameters have been provided for authentication.')
+        sys.exit(1)
+
+    # Get the token
+    logging.info('Graph: Getting authentication token.')
+    token = get_token(
+        client_id=client,
+        secret=secret,
+        domain=args.graph_tenant_domain,
+        scope=f'{URL_GRAPH}/.default',
+    )
+    headers = {'Authorization': f'Bearer {token}'}
+
+    # Build the query
+    logging.info('Graph: Building the url.')
+    md5_hash = md5(args.graph_query.encode()).hexdigest()
+    url = build_graph_url(
+        query=args.graph_query,
+        offset=args.graph_time_offset,
+        reparse=args.reparse,
+        md5_hash=md5_hash,
+    )
+    logging.info(f'Graph: The URL is "{url}"')
+
+    # Get events
+    logging.info('Graph: Pagination starts')
+    try:
+        get_graph_events(
+            url=url,
+            headers=headers,
+            md5_hash=md5_hash,
+            query=args.graph_query,
+            tag=args.graph_tag,
+        )
+    except HTTPError as e:
+        logging.error(f'Graph: {e}')
+    logging.info('Graph: End')
+
+
+def build_graph_url(query: str, offset: str, reparse: bool, md5_hash: str):
+    """Build the URL to use with the specified service filtering its results by the desired_datetime.
+
+    Parameters
+    ----------
+    offset : str
+        The filtering condition for the query.
+    md5_hash : str
+        md5 value used to search the query in the file containing the dates.
+
+    Returns
+    -------
+    str
+        The required URL for the requested query.
+    """
+    try:
+        item = orm.get_row(orm.Graph, md5=md5_hash)
+        if item is None:
+            item = create_new_row(
+                table=orm.Graph,
+                query=query,
+                md5_hash=md5_hash,
+                offset=offset,
+            )
+    except orm.AzureORMError as e:
+        logging.error(
+            f'Error trying to obtain row object from "{orm.Graph.__tablename__}" using md5="{md5}": {e}'
+        )
+        sys.exit(1)
+
+    min_str = item.min_processed_date
+    max_str = item.max_processed_date
+    min_datetime = parse(min_str, fuzzy=True)
+    max_datetime = parse(max_str, fuzzy=True)
+    desired_datetime = offset_to_datetime(offset) if offset else max_datetime
+    desired_str = desired_datetime.strftime(DATETIME_MASK)
+    filtering_condition = (
+        'createdDateTime' if 'signins' in query.lower() else 'activityDateTime'
+    )
+
+    # If reparse was provided, get the logs ignoring if they were already processed
+    if reparse:
+        filter_value = f'{filtering_condition}+ge+{desired_str}'
+    # Build the filter taking into account the min and max values from the file
+    else:
+        if desired_datetime < min_datetime:
+            logging.debug(f"Graph: Making request query for the following intervals: "
+                          f"from {desired_str} to {min_str} and from {max_str}")
+            filter_value = (
+                f'({filtering_condition}+lt+{min_str}+and+{filtering_condition}+ge+{desired_str})'
+                f'+or+({filtering_condition}+gt+{max_str})'
+            )
+        elif desired_datetime > max_datetime:
+            logging.debug(f"Graph: Making request for the following interval: from {desired_str}")
+            filter_value = f'{filtering_condition}+ge+{desired_str}'
+        else:
+            logging.debug(f"Graph: Making request for the following interval: from {max_str}")
+            filter_value = f'{filtering_condition}+gt+{max_str}'
+
+    logging.debug(f'Graph: The search starts for query: "{query}" using {filter_value}')
+    return f'{URL_GRAPH}/v1.0/{query}{"?" if "?" not in query else ""}&$filter={filter_value}'
+
+
+def get_graph_events(url: str, headers: dict, md5_hash: str, query: str, tag: str):
+    """Request the data using the specified url and process the values in the response.
+
+    Parameters
+    ----------
+    url : str
+        The url for the request.
+    headers : dict
+        The header for the request, containing the authentication token.
+    md5_hash : str
+        md5 value used to search the query in the file containing the dates.
+
+    Raises
+    ------
+    HTTPError
+        If the response for the request is not 200 OK.
+    """
+
+    logging.debug(f"Graph request - URL: {url} - Headers: {headers}")
+    logging.info("Graph: Requesting data")
+    response = get(url=url, headers=headers, timeout=10)
+
+    if response.status_code == 200:
+        response_json = response.json()
+        values_json = response_json.get('value')
+        for value in values_json:
+            try:
+                date = value['activityDateTime']
+            except KeyError:
+                date = value['createdDateTime']
+            update_row_object(
+                table=orm.Graph,
+                md5_hash=md5_hash,
+                new_min=date,
+                new_max=date,
+                query=query,
+            )
+            value['azure_tag'] = 'azure-ad-graph'
+            if tag:
+                value['azure_aad_tag'] = tag
+            json_result = dumps(value)
+            logging.info('Graph: Sending event by socket.')
+            send_message(json_result)
+
+        if len(values_json) == 0:
+            logging.info('Graph: There are no new results')
+        next_url = response_json.get('@odata.nextLink')
+
+        if next_url:
+            logging.info(f"Graph: Requesting data from next page")
+            logging.debug(f"Iterating to next url: {next_url}")
+            get_graph_events(
+                url=next_url, headers=headers, md5_hash=md5_hash, query=query, tag=tag
+            )
+    elif response.status_code == 400:
+        logging.error(f'Bad Request for url: {response.url}')
+        logging.error(
+            f'Ensure the URL is valid and there is data available for the specified datetime.'
+        )
+    else:
+        logging.error(f"Error with Graph request: {response.json()}")
+        response.raise_for_status()
diff --git a/src/modules/azure/scripts/azure_services/storage.py b/src/modules/azure/scripts/azure_services/storage.py
new file mode 100644
index 0000000000..4621bdae94
--- /dev/null
+++ b/src/modules/azure/scripts/azure_services/storage.py
@@ -0,0 +1,287 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sys
+from datetime import datetime
+from hashlib import md5
+from json import JSONDecodeError, dumps, loads
+from os.path import abspath, dirname
+
+from azure.common import AzureException, AzureHttpError
+from azure.storage.blob import BlockBlobService
+from azure.storage.common._error import AzureSigningError
+from azure.storage.common.retry import no_retry
+from dateutil.parser import parse
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from azure_utils import (
+    CREDENTIALS_URL,
+    DEPRECATED_MESSAGE,
+    offset_to_datetime,
+    read_auth_file,
+    send_message,
+)
+from db import orm
+from db.utils import create_new_row, update_row_object
+
+
+def start_storage(args):
+    """Get access and content of the storage accounts."""
+    logging.info('Azure Storage starting.')
+
+    # Read credentials
+    logging.info('Storage: Authenticating.')
+    if args.storage_auth_path:
+        logging.debug(f"Storage: Using path {args.storage_auth_path} for authentication")
+        name, key = read_auth_file(
+            auth_path=args.storage_auth_path, fields=('account_name', 'account_key')
+        )
+    elif args.account_name and args.account_key:
+        logging.debug(f"Storage: Using path account name and account key for authentication")
+        logging.warning(
+            DEPRECATED_MESSAGE.format(
+                name='account_name and account_key', release='4.4', url=CREDENTIALS_URL
+            )
+        )
+        name = args.account_name
+        key = args.account_key
+    else:
+        logging.error('Storage: No parameters have been provided for authentication.')
+        sys.exit(1)
+
+    block_blob_service = BlockBlobService(account_name=name, account_key=key)
+
+    # Disable max retry value before attempting to validate the credentials
+    old_retry_value = block_blob_service.retry
+    block_blob_service.retry = no_retry
+
+    # Verify if the credentials grant access to the specified container
+    if args.container != '*':
+        try:
+            if not block_blob_service.exists(args.container):
+                logging.error(
+                    f'Storage: The "{args.container}" container does not exists.'
+                )
+                sys.exit(1)
+            logging.info(f"Storage: Getting the specified containers: {args.container}")
+            containers = [args.container]
+        except AzureException:
+            logging.error(
+                f'Storage: Invalid credentials for accessing the "{args.container}" container.'
+            )
+            sys.exit(1)
+    else:
+        try:
+            logging.info("Storage: Getting all containers.")
+            containers = [
+                container.name for container in block_blob_service.list_containers()
+            ]
+        except AzureSigningError:
+            logging.error(
+                'Storage: Unable to list the containers. Invalid credentials.'
+            )
+            sys.exit(1)
+        except AzureException as e:
+            logging.error(f'Storage: The containers could not be listed: "{e}".')
+            sys.exit(1)
+
+    # Restore the default max retry value
+    block_blob_service.retry = old_retry_value
+    logging.info('Storage: Authenticated.')
+
+    # Get the blobs
+    for container in containers:
+        md5_hash = md5(name.encode()).hexdigest()
+        offset = args.storage_time_offset
+        try:
+            item = orm.get_row(orm.Storage, md5=md5_hash)
+            if item is None:
+                item = create_new_row(
+                    table=orm.Storage, query=name, md5_hash=md5_hash, offset=offset
+                )
+        except orm.AzureORMError as e:
+            logging.error(
+                f'Error trying to obtain row object from "{orm.Storage.__tablename__}" using md5="{md5}": {e}'
+            )
+            sys.exit(1)
+
+        min_datetime = parse(item.min_processed_date, fuzzy=True)
+        max_datetime = parse(item.max_processed_date, fuzzy=True)
+        desired_datetime = offset_to_datetime(offset) if offset else max_datetime
+        get_blobs(
+            container_name=container,
+            prefix=args.prefix,
+            blob_service=block_blob_service,
+            md5_hash=md5_hash,
+            min_datetime=min_datetime,
+            max_datetime=max_datetime,
+            desired_datetime=desired_datetime,
+            tag=args.storage_tag,
+            reparse=args.reparse,
+            json_file=args.json_file,
+            json_inline=args.json_inline,
+            blob_extension=args.blobs,
+        )
+    logging.info('Storage: End')
+
+
+def get_blobs(
+    container_name: str,
+    blob_service: BlockBlobService,
+    md5_hash: str,
+    min_datetime: datetime,
+    max_datetime: datetime,
+    desired_datetime: datetime,
+    tag: str,
+    reparse: bool,
+    json_file: bool,  # CHECKME
+    json_inline: bool,  # CHECKME
+    blob_extension: str,
+    next_marker: str = None,
+    prefix: str = None,
+):
+    """Get the blobs from a container and send their content.
+
+    Parameters
+    ----------
+    container_name : str
+        Name of container to read the blobs from.
+    blob_service : BlockBlobService
+        Client used to obtain the blobs.
+    min_datetime : datetime
+        Value to compare with the blobs last modified times.
+    max_datetime : datetime
+        Value to compare with the blobs last modified times.
+    desired_datetime : datetime
+        Value to compare with the blobs last modified times.
+    md5_hash : str
+        md5 value used to search the container in the file containing the dates.
+    next_marker : str
+        Token used as a marker to continue from previous iteration.
+    prefix : str, optional
+        Prefix value to search blobs that match with it.
+
+    Raises
+    ------
+    AzureException
+        If it was not possible to list the blobs for the given container.
+    """
+    try:
+        # Get the blob list
+        logging.info(f"Storage: Getting blobs from container {container_name}.")
+        blobs = blob_service.list_blobs(
+            container_name, prefix=prefix, marker=next_marker
+        )
+    except AzureException as e:
+        logging.error(f'Storage: Error getting blobs from "{container_name}": "{e}".')
+        raise e
+    else:
+
+        logging.info(
+            f'Storage: The search starts from the date: {desired_datetime} for blobs in '
+            f'container: "{container_name}" and prefix: "/{prefix if prefix is not None else ""}"'
+        )
+        for blob in blobs:
+            # Skip if the blob is empty
+            if blob.properties.content_length == 0:
+                logging.debug(f'Empty blob {blob.name}, skipping')
+                continue
+            # Skip the blob if nested under the set prefix
+            if prefix is not None and len(blob.name.split('/')) > 2:
+                logging.debug(
+                    f'Skipped blob {blob.name}, nested under set prefix {prefix}'
+                )
+                continue
+            # Skip the blob if its name has not the expected format
+            if blob_extension and blob_extension not in blob.name:
+                logging.debug(
+                    f'Skipped blob, name {blob.name} does not match with the format "{blob_extension}"'
+                )
+                continue
+
+            # Skip the blob if already processed
+            last_modified = blob.properties.last_modified
+            if not reparse and (
+                last_modified < desired_datetime
+                or (min_datetime <= last_modified <= max_datetime)
+            ):
+                logging.info(f"Storage: Skipping blob {blob.name} due to being already processed")
+                continue
+
+            # Get the blob data
+            try:
+                logging.info(f"Getting data from blob {blob.name}")
+                data = blob_service.get_blob_to_text(container_name, blob.name)
+            except (ValueError, AzureException, AzureHttpError) as e:
+                logging.error(f'Storage: Error reading the blob data: "{e}".')
+                continue
+            else:
+                # Process the data as a JSON
+                if json_file:
+                    try:
+                        content_list = loads(data.content)
+                        records = content_list['records']
+                    except (JSONDecodeError, TypeError) as e:
+                        logging.error(
+                            f'Storage: Error reading the contents of the blob: "{e}".'
+                        )
+                        continue
+                    except KeyError as e:
+                        logging.error(
+                            f'Storage: No records found in the blob\'s contents: "{e}".'
+                        )
+                        continue
+                    else:
+                        for log_record in records:
+                            # Add azure tags
+                            log_record['azure_tag'] = 'azure-storage'
+                            if tag:
+                                log_record['azure_storage_tag'] = tag
+                            logging.info('Storage: Sending event by socket.')
+                            send_message(dumps(log_record))
+                # Process the data as plain text
+                else:
+                    for line in [s for s in str(data.content).splitlines() if s]:
+                        if json_inline:
+                            msg = '{"azure_tag": "azure-storage"'
+                            if tag:
+                                msg = f'{msg}, "azure_storage_tag": "{tag}"'
+                            msg = f'{msg}, {line[1:]}'
+                        else:
+                            msg = 'azure_tag: azure-storage.'
+                            if tag:
+                                msg = f'{msg} azure_storage_tag: {tag}.'
+                            msg = f'{msg} {line}'
+                        logging.info('Storage: Sending event by socket.')
+                        send_message(msg)
+            update_row_object(
+                table=orm.Storage,
+                md5_hash=md5_hash,
+                query=container_name,
+                new_min=last_modified.strftime('%Y-%m-%dT%H:%M:%S.%fZ'),
+                new_max=last_modified.strftime('%Y-%m-%dT%H:%M:%S.%fZ'),
+            )
+
+        # Continue until no marker is returned
+        if blobs.next_marker:
+            logging.debug(f"Iteration to next marker: {blobs.next_marker}")
+            get_blobs(
+                container_name=container_name,
+                blob_service=blob_service,
+                next_marker=blobs.next_marker,
+                min_datetime=min_datetime,
+                max_datetime=max_datetime,
+                desired_datetime=desired_datetime,
+                md5_hash=md5_hash,
+                tag=tag,
+                reparse=reparse,
+                json_file=json_file,
+                json_inline=json_inline,
+                blob_extension=blob_extension,
+            )
diff --git a/src/modules/azure/scripts/azure_utils.py b/src/modules/azure/scripts/azure_utils.py
new file mode 100644
index 0000000000..b764b42eba
--- /dev/null
+++ b/src/modules/azure/scripts/azure_utils.py
@@ -0,0 +1,460 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sys
+from argparse import ArgumentParser
+from datetime import datetime, timedelta, timezone
+from os.path import abspath, dirname
+from socket import AF_UNIX, SOCK_DGRAM
+from socket import error as socket_error
+from socket import socket
+
+from requests import RequestException, post
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from utils import ANALYSISD, MAX_EVENT_SIZE
+
+SOCKET_HEADER = '1:Azure:'
+
+DATETIME_MASK = '%Y-%m-%dT%H:%M:%S.%fZ'
+
+# Logger parameters
+LOGGING_MSG_FORMAT = '%(asctime)s azure: %(levelname)s: %(message)s'
+LOGGING_DATE_FORMAT = '%Y/%m/%d %H:%M:%S'
+LOG_LEVELS = {0: logging.WARNING, 1: logging.INFO, 2: logging.DEBUG}
+
+CREDENTIALS_URL = 'https://documentation.wazuh.com/current/azure/activity-services/prerequisites/credentials.html'
+DEPRECATED_MESSAGE = (
+    'The {name} authentication parameter was deprecated in {release}. '
+    'Please use another authentication method instead. Check {url} for more information.'
+)
+URL_LOGGING = 'https://login.microsoftonline.com'
+
+
+def set_logger(debug_level: int):
+    """Set the logger configuration."""
+    logging.basicConfig(
+        level=LOG_LEVELS.get(debug_level, logging.INFO),
+        format=LOGGING_MSG_FORMAT,
+        datefmt=LOGGING_DATE_FORMAT,
+    )
+    logging.getLogger('azure').setLevel(LOG_LEVELS.get(debug_level, logging.WARNING))
+    logging.getLogger('urllib3').setLevel(logging.ERROR)
+
+
+def get_script_arguments():
+    """Read and parse arguments."""
+    parser = ArgumentParser()
+
+    # only one must be present (log_analytics, graph or storage)
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument(
+        '--log_analytics',
+        action='store_true',
+        required=False,
+        help='Activates Log Analytics API call.',
+    )
+    group.add_argument(
+        '--graph', action='store_true', required=False, help='Activates Graph API call.'
+    )
+    group.add_argument(
+        '--storage',
+        action='store_true',
+        required=False,
+        help='Activates Storage API call.',
+    )
+
+    # Log Analytics arguments #
+    parser.add_argument(
+        '--la_id',
+        metavar='ID',
+        type=str,
+        required=False,
+        help='Application ID for Log Analytics authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="la_id", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--la_key',
+        metavar='KEY',
+        type=str,
+        required=False,
+        help='Application Key for Log Analytics authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="la_key", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--la_auth_path',
+        metavar='filepath',
+        type=str,
+        required=False,
+        help='Path of the file containing the credentials for authentication.',
+    )
+    parser.add_argument(
+        '--la_tenant_domain',
+        metavar='domain',
+        type=str,
+        required=False,
+        help='Tenant domain for Log Analytics.',
+    )
+    parser.add_argument(
+        '--la_query',
+        metavar='query',
+        required=False,
+        help='Query for Log Analytics.',
+        type=arg_valid_la_query,
+    )
+    parser.add_argument(
+        '--workspace',
+        metavar='workspace',
+        type=str,
+        required=False,
+        help='Workspace for Log Analytics.',
+    )
+    parser.add_argument(
+        '--la_tag',
+        metavar='tag',
+        type=str,
+        required=False,
+        help='Tag that is added to the query result.',
+    )
+    parser.add_argument(
+        '--la_time_offset',
+        metavar='time',
+        type=str,
+        required=False,
+        help='Time range for the request.',
+    )
+
+    # Graph arguments #
+    parser.add_argument(
+        '--graph_id',
+        metavar='ID',
+        type=str,
+        required=False,
+        help='Application ID for Graph authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="graph_id", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--graph_key',
+        metavar='KEY',
+        type=str,
+        required=False,
+        help='Application KEY for Graph authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="graph_key", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--graph_auth_path',
+        metavar='filepath',
+        type=str,
+        required=False,
+        help='Path of the file containing the credentials authentication.',
+    )
+    parser.add_argument(
+        '--graph_tenant_domain',
+        metavar='domain',
+        type=str,
+        required=False,
+        help='Tenant domain for Graph.',
+    )
+    parser.add_argument(
+        '--graph_query',
+        metavar='query',
+        required=False,
+        type=arg_valid_graph_query,
+        help='Query for Graph.',
+    )
+    parser.add_argument(
+        '--graph_tag',
+        metavar='tag',
+        type=str,
+        required=False,
+        help='Tag that is added to the query result.',
+    )
+    parser.add_argument(
+        '--graph_time_offset',
+        metavar='time',
+        type=str,
+        required=False,
+        help='Time range for the request.',
+    )
+
+    # Storage arguments #
+    parser.add_argument(
+        '--account_name',
+        metavar='account',
+        type=str,
+        required=False,
+        help='Storage account name for authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="account_name", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--account_key',
+        metavar='KEY',
+        type=str,
+        required=False,
+        help='Storage account key for authentication. '
+        f'{DEPRECATED_MESSAGE.format(name="account_key", release="4.4", url=CREDENTIALS_URL)}',
+    )
+    parser.add_argument(
+        '--storage_auth_path',
+        metavar='filepath',
+        type=str,
+        required=False,
+        help='Path of the file containing the credentials authentication.',
+    )
+    parser.add_argument(
+        '--container',
+        metavar='container',
+        required=False,
+        type=arg_valid_container_name,
+        help='Name of the container where searches the blobs.',
+    )
+    parser.add_argument(
+        '--blobs',
+        metavar='blobs',
+        required=False,
+        type=arg_valid_blob_extension,
+        help='Extension of blobs. For example: "*.log"',
+    )
+    parser.add_argument(
+        '--storage_tag',
+        metavar='tag',
+        type=str,
+        required=False,
+        help='Tag that is added to each blob request.',
+    )
+    parser.add_argument(
+        '--json_file',
+        action='store_true',
+        required=False,
+        help='Specifies that the blob is only composed of events in json file format. '
+        'By default, the content of the blob is considered to be plain text.',
+    )
+    parser.add_argument(
+        '--json_inline',
+        action='store_true',
+        required=False,
+        help='Specifies that the blob is only composed of events in json inline format. '
+        'By default, the content of the blob is considered to be plain text.',
+    )
+    parser.add_argument(
+        '--storage_time_offset',
+        metavar='time',
+        type=str,
+        required=False,
+        help='Time range for the request.',
+    )
+    parser.add_argument(
+        '-p',
+        '--prefix',
+        dest='prefix',
+        help='The relative path to the logs',
+        type=str,
+        required=False,
+    )
+
+    # General parameters #
+    parser.add_argument(
+        '--reparse',
+        action='store_true',
+        dest='reparse',
+        help='Parse the log, even if its been parsed before',
+        default=False,
+    )
+    parser.add_argument(
+        '-d',
+        '--debug',
+        action='store',
+        type=int,
+        dest='debug_level',
+        default=0,
+        help='Specify debug level. Admits values from 0 to 2.',
+    )
+
+    return parser.parse_args()
+
+
+def arg_valid_container_name(arg_string):
+    return arg_string.replace('"', '') if arg_string else arg_string
+
+
+def arg_valid_graph_query(arg_string):
+    if arg_string:
+        if arg_string[0] == "'":
+            arg_string = arg_string[1:]
+        if arg_string[-1] == "'":
+            arg_string = arg_string[:-1]
+        return arg_string.replace('\\$', '$')
+
+
+def arg_valid_la_query(arg_string):
+    return arg_string.replace('\\!', '!') if arg_string else arg_string
+
+
+def arg_valid_blob_extension(arg_string):
+    return arg_string.replace('"', '').replace('*', '') if arg_string else arg_string
+
+
+def read_auth_file(auth_path: str, fields: tuple):
+    """Read the authentication file. Its contents must be in 'field = value' format.
+
+    Parameters
+    ----------
+    auth_path : str
+        Path to the authentication file.
+    fields : tuple
+        Tuple of 2 str field names expected to be in the authentication file.
+
+    Returns
+    -------
+    tuple of str
+        The field values for the requested authentication fields.
+    """
+    credentials = {}
+    try:
+        with open(auth_path, 'r') as auth_file:
+            for line in auth_file:
+                key, value = (
+                    line.replace(' ', '').replace('\n', '').split('=', maxsplit=1)
+                )
+                if not value:
+                    continue
+                credentials[key] = value.replace('\n', '')
+        if fields[0] not in credentials or fields[1] not in credentials:
+            logging.error(
+                f'Error: The authentication file does not contains the expected "{fields[0]}" '
+                f'and "{fields[1]}" fields.'
+            )
+            sys.exit(1)
+        return credentials[fields[0]], credentials[fields[1]]
+    except ValueError:
+        logging.error(
+            'Error: The authentication file format is not valid. '
+            'Make sure that it is composed of only 2 lines with "field = value" format.'
+        )
+        sys.exit(1)
+    except OSError as e:
+        logging.error(f'Error: The authentication file could not be opened: {e}')
+        sys.exit(1)
+
+
+def get_token(client_id: str, secret: str, domain: str, scope: str):
+    """Get the authentication token for accessing a given resource in the specified domain.
+
+    Parameters
+    ----------
+    client_id : str
+        The client ID.
+    secret : str
+        The client secret.
+    domain : str
+        The tenant domain.
+    scope : str
+        The scope for the token requested.
+
+    Returns
+    -------
+    str
+        A valid token.
+    """
+    body = {
+        'client_id': client_id,
+        'client_secret': secret,
+        'scope': scope,
+        'grant_type': 'client_credentials',
+    }
+    auth_url = f'{URL_LOGGING}/{domain}/oauth2/v2.0/token'
+    token_response = {}
+    try:
+        token_response = post(auth_url, data=body, timeout=10).json()
+        return token_response['access_token']
+    except (ValueError, KeyError):
+        if token_response['error'] == 'unauthorized_client':
+            err_msg = 'The application id provided is not valid.'
+        elif token_response['error'] == 'invalid_client':
+            err_msg = 'The application key provided is not valid.'
+        elif (
+            token_response['error'] == 'invalid_request'
+            and 90002 in token_response['error_codes']
+        ):
+            err_msg = f'The "{domain}" tenant domain was not found.'
+        else:
+            err_msg = 'Couldn\'t get the token for authentication.'
+        logging.error(f'Error: {err_msg}')
+
+    except RequestException as e:
+        logging.error(
+            f'Error: An error occurred while trying to obtain the authentication token: {e}'
+        )
+
+    sys.exit(1)
+
+
+def send_message(message: str):
+    """Send a message with a header to the analysisd queue.
+
+    Parameters
+    ----------
+    message : str
+        The message body to send to analysisd.
+    """
+    s = socket(AF_UNIX, SOCK_DGRAM)
+
+    encoded_msg = f'{SOCKET_HEADER}{message}'.encode(errors='replace')
+
+    # Logs warning if event is bigger than max size
+    if len(encoded_msg) > MAX_EVENT_SIZE:
+        logging.warning(
+            f'WARNING: Event size exceeds the maximum allowed limit of {MAX_EVENT_SIZE} bytes.'
+        )
+
+    try:
+        s.connect(ANALYSISD)
+        s.send(encoded_msg)
+    except socket_error as e:
+        if e.errno == 111:
+            logging.error('ERROR: Wazuh must be running.')
+            sys.exit(1)
+        elif e.errno == 90:
+            logging.error(
+                'ERROR: Message too long to send to Wazuh.  Skipping message...'
+            )
+        else:
+            logging.error(f'ERROR: Error sending message to wazuh: {e}')
+            sys.exit(1)
+    finally:
+        s.close()
+
+
+def offset_to_datetime(offset: str):
+    """Transform an offset value to a datetime object.
+
+    Parameters
+    ----------
+    offset : str
+        A positive number containing a suffix character that indicates its time unit,
+        such as, s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months).
+
+    Returns
+    -------
+    datetime
+        The result of subtracting the offset value from the current datetime.
+    """
+    offset = offset.replace(' ', '')
+    value = int(offset[: len(offset) - 1])
+    unit = offset[len(offset) - 1 :]
+
+    if unit == 'h':
+        return datetime.utcnow().replace(tzinfo=timezone.utc) - timedelta(hours=value)
+    if unit == 'm':
+        return datetime.utcnow().replace(tzinfo=timezone.utc) - timedelta(minutes=value)
+    if unit == 'd':
+        return datetime.utcnow().replace(tzinfo=timezone.utc) - timedelta(days=value)
+
+    logging.error('Invalid offset format. Use "h", "m" or "d" time unit.')
+    exit(1)
diff --git a/src/modules/azure/scripts/db/__init__.py b/src/modules/azure/scripts/db/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/db/orm.py b/src/modules/azure/scripts/db/orm.py
new file mode 100644
index 0000000000..b5eabd67fd
--- /dev/null
+++ b/src/modules/azure/scripts/db/orm.py
@@ -0,0 +1,341 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import json
+import logging
+from datetime import datetime, timezone
+from os import remove
+from os.path import abspath, dirname, exists, getsize, join
+from typing import Dict, Optional, Union
+
+from dateutil.parser import ParserError, parse
+from sqlalchemy import Column, String, Text, UniqueConstraint, create_engine, update
+from sqlalchemy.exc import IntegrityError, OperationalError, StatementError
+from sqlalchemy.orm import declarative_base, sessionmaker
+from sqlalchemy.sql.expression import select
+
+MODULE_ROOT_DIR = dirname(dirname(abspath(__file__)))
+DATABASE_NAME = 'azure.db'
+database_path = join(MODULE_ROOT_DIR, DATABASE_NAME)
+LAST_DATES_NAME = 'last_dates.json'
+last_dates_path = join(MODULE_ROOT_DIR, LAST_DATES_NAME)
+last_dates_default_contents = {'log_analytics': {}, 'graph': {}, 'storage': {}}
+
+LAST_DATES_MAX_FIELD_NAME = 'max'
+LAST_DATES_MIN_FIELD_NAME = 'min'
+
+engine = create_engine('sqlite:///' + database_path, echo=False)
+session = sessionmaker(bind=engine)()
+Base = declarative_base()
+
+
+class AzureTable:
+    md5 = Column(Text, primary_key=True)
+    query = Column(Text, nullable=False)
+    min_processed_date = Column(String(28), nullable=False)
+    max_processed_date = Column(String(28), nullable=False)
+
+    def __init__(self, md5: str, query: str, min_processed_date: str, max_processed_date: str):
+        self.md5 = md5
+        self.query = query
+        self.min_processed_date = min_processed_date
+        self.max_processed_date = max_processed_date
+
+
+class Graph(AzureTable, Base):
+    __tablename__ = 'graph'
+    __table_args__ = (UniqueConstraint('md5', name='md5_restriction'),)
+
+
+class LogAnalytics(AzureTable, Base):
+    __tablename__ = 'log_analytics'
+    __table_args__ = (UniqueConstraint('md5', name='md5_restriction'),)
+
+
+class Storage(AzureTable, Base):
+    __tablename__ = 'storage'
+    __table_args__ = (UniqueConstraint('md5', name='md5_restriction'),)
+
+
+class AzureORMError(Exception):
+    pass
+
+
+def add_row(row: Base):
+    """Insert a new row object into the database.
+
+    Parameters
+    ----------
+    row : Base
+        The row object to insert into the database.
+
+    Raises
+    ------
+    AzureORMError
+    """
+    try:
+        session.add(row)
+        session.commit()
+    except (IntegrityError, OperationalError) as e:
+        session.rollback()
+        raise AzureORMError(str(e))
+
+
+def check_database_integrity() -> bool:
+    """Create a database file if not present and migrate from an old last_dates.json file if required.
+
+    Returns
+    -------
+    bool
+        True if the check finished successfully, False otherwise.
+    """
+    logging.info('Checking database integrity')
+    create_db()
+
+    # Check if a migration from an old last_dates_file is required
+    if exists(last_dates_path) and getsize(last_dates_path) > 0:
+        try:
+            migrate_from_last_dates_file()
+        except Exception as e:
+            logging.error(f'Error during last_dates file migration process: {e}')
+            return False
+        try:
+            remove(last_dates_path)
+        except OSError:
+            logging.warning(f'It was not possible to remove the old last_dates file at {last_dates_path}')
+    logging.info('Database integrity check finished')
+    return True
+
+
+def create_db():
+    """Create the Azure database if it does not exist yet."""
+    Base.metadata.create_all(engine)
+
+
+def get_row(table: Base, md5: str) -> AzureTable:
+    """Get a row from the specified table using the md5 value provided.
+
+    Returns
+    -------
+    AzureTable
+        The row object if present or False if an exception was caught when attempting to obtain the row object.
+
+    Raises
+    ------
+    AzureORMError
+    """
+    try:
+        return session.scalars(select(table).filter_by(md5=md5).limit(1)).first()
+    except (IntegrityError, OperationalError, AttributeError) as e:
+        raise AzureORMError(str(e))
+
+
+def get_all_rows(table: Base) -> list:
+    """Get a list of all the rows available for the given table. For testing purposes.
+
+    Returns
+    -------
+    list
+        A list containing the different row objects available or False if an exception was raised.
+
+    Raises
+    ------
+    AzureORMError
+    """
+    try:
+        return session.execute(select(table)).scalars().all()
+    except (IntegrityError, OperationalError, AttributeError) as e:
+        raise AzureORMError(str(e))
+
+
+def migrate_from_last_dates_file():
+    """Load a 'last_dates.json' file and insert its contents into the database."""
+    logging.info('Migration from an old last_dates file is necessary. ')
+    last_dates_content = load_dates_json()
+    keys = last_dates_content.keys()
+    for service in [Graph, LogAnalytics, Storage]:
+        if service.__tablename__ in keys:
+            for md5_hash in last_dates_content[service.__tablename__].keys():
+                min_value = last_dates_content[service.__tablename__][md5_hash][LAST_DATES_MIN_FIELD_NAME]
+                max_value = last_dates_content[service.__tablename__][md5_hash][LAST_DATES_MAX_FIELD_NAME]
+                row = service(
+                    md5=md5_hash,
+                    query='',
+                    min_processed_date=min_value,
+                    max_processed_date=max_value,
+                )
+                add_row(row=row)
+    logging.info('The database migration process finished successfully.')
+
+
+def update_row(table: Base, md5: str, min_date: str, max_date: str, query: str = None):
+    """Update an existing row in the specified table.
+
+    Parameters
+    ----------
+    table : Base
+        The table to work with.
+    md5 : str
+        The key of the row object to update.
+    min_date : str
+        The new value for the lowest date processed.
+    max_date : str
+        The new value for the highest date processed.
+    query : str
+        The query value for the row object.
+
+    Raises
+    ------
+    AzureORMError
+    """
+    try:
+        row_data = {'min_processed_date': min_date, 'max_processed_date': max_date}
+        if query:
+            row_data['query'] = query
+        session.execute(update(table).where(table.md5 == md5).values(row_data))
+        session.commit()
+    except (IntegrityError, OperationalError, StatementError) as e:
+        session.rollback()
+        raise AzureORMError(str(e))
+
+
+def load_dates_json() -> dict:
+    """Read the "last_dates_file" containing the different processed dates. It will be created with empty values in
+    case it does not exist.
+
+    Returns
+    -------
+    dict
+        The contents of the "last_dates_file".
+
+    Raises
+    ------
+    json.JSONDecodeError
+    OSError
+    """
+    logging.info(f'Getting the data from {last_dates_path}.')
+    try:
+        if exists(last_dates_path):
+            with open(last_dates_path) as file:
+                contents = json.load(file)
+                # This adds compatibility with "last_dates_files" from previous releases as the format was different
+                for key in contents.keys():
+                    for md5_hash in contents[key].keys():
+                        contents[key][md5_hash] = get_min_max_values(contents[key][md5_hash])
+        else:
+            contents = last_dates_default_contents
+        return contents
+    except (json.JSONDecodeError, OSError) as e:
+        logging.error(f'Error: The file of the last dates could not be read: {e}.')
+        raise e
+
+
+def get_min_max_values(content: Union[Dict[str, str], str]) -> Dict[str, str]:
+    """
+    Validates the min and max values of the content and returns
+    the corresponding value.
+
+    Parameters
+    ----------
+    content : Dict[str, str]
+        Content of an element inside the 'last_dates.json'.
+
+    Returns
+    -------
+    Dict[str, str]
+        The passed content after fields validation.
+
+    """
+    if not isinstance(content, dict):
+        try:
+            parse(content, fuzzy=True)
+            return {
+                LAST_DATES_MIN_FIELD_NAME: content,
+                LAST_DATES_MAX_FIELD_NAME: content,
+            }
+        except ParserError:
+            new_value = get_default_min_max_values()
+            return {
+                LAST_DATES_MIN_FIELD_NAME: new_value,
+                LAST_DATES_MAX_FIELD_NAME: new_value,
+            }
+
+    final_dict = {}
+    min_value = content[LAST_DATES_MIN_FIELD_NAME]
+    max_value = content[LAST_DATES_MAX_FIELD_NAME]
+
+    # Checks if min is a valid value
+    min_value = validate_date_string(min_value)
+
+    # Checks if max is a valid value
+    max_value = validate_date_string(max_value)
+
+    # If no error is raised
+    if min_value is not None and max_value is not None:
+        final_dict = content
+    # If min is an invalid value and max is a valid value
+    elif min_value is None and max_value is not None:
+        # Change min to be the same as max and update json
+        final_dict = {
+            LAST_DATES_MIN_FIELD_NAME: max_value,
+            LAST_DATES_MAX_FIELD_NAME: max_value,
+        }
+    # If min is a valid value and max is an invalid value
+    elif min_value is not None and max_value is None:
+        # Change max to be the same as min and update json
+        final_dict = {
+            LAST_DATES_MIN_FIELD_NAME: min_value,
+            LAST_DATES_MAX_FIELD_NAME: min_value,
+        }
+    # min and max are invalid values
+    else:
+        new_value = get_default_min_max_values()
+        final_dict = {
+            LAST_DATES_MIN_FIELD_NAME: new_value,
+            LAST_DATES_MAX_FIELD_NAME: new_value,
+        }
+
+    return final_dict
+
+
+def validate_date_string(value: str, fuzzy: bool = True) -> Optional[str]:
+    """
+    Validates if the passed value is a valid Date string. If it
+    is a valid format, returns the passed value, otherwise returns None
+
+    Parameters
+    ----------
+    value : str
+        Date that the functions tries to parse.
+    fuzzy : bool
+        Allow fuzzy parsing.
+
+
+    Returns
+    -------
+    Optional[str]
+        Returns the passed value if it is a valid date. Else it
+        returns None.
+
+    """
+    try:
+        parse(value, fuzzy=fuzzy)
+        return value
+    except ParserError:
+        return None
+
+
+def get_default_min_max_values() -> str:
+    """
+    Get the default min and max field values of the 'last_dates.json'.
+
+    Returns
+    -------
+    str
+        Execution date as a string with format %Y-%m-%dT%H:%M:%S.%fZ
+    """
+    return datetime.utcnow().replace(tzinfo=timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
diff --git a/src/modules/azure/scripts/db/utils.py b/src/modules/azure/scripts/db/utils.py
new file mode 100644
index 0000000000..956c40d6ae
--- /dev/null
+++ b/src/modules/azure/scripts/db/utils.py
@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sys
+from datetime import datetime
+from hashlib import md5
+from os.path import abspath, dirname
+
+from dateutil.parser import parse
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from azure_utils import DATETIME_MASK, offset_to_datetime
+from db import orm
+
+
+def update_row_object(
+    table: orm.Base, md5_hash: str, new_min: str, new_max: str, query: str = None
+):
+    """Update the database with the specified values if applicable.
+
+    Parameters
+    ----------
+    table : orm.Base
+        Database table reference for the service.
+    md5_hash : str
+        md5 value used to search the query in the file containing the dates.
+    new_min : str
+        Value to compare with the current min value stored.
+    new_max : str
+        Value to compare with the current max value stored.
+    query : str
+        Query value before applying the md5 hash transformation.
+    """
+    try:
+        row = orm.get_row(table=table, md5=md5_hash)
+        old_min_str = row.min_processed_date
+        old_max_str = row.max_processed_date
+    except (orm.AzureORMError, AttributeError) as e:
+        logging.error(
+            f'Error trying to obtain row object from "{table.__tablename__}" using md5="{md5}": {e}'
+        )
+        sys.exit(1)
+    old_min_date = parse(old_min_str, fuzzy=True)
+    old_max_date = parse(old_max_str, fuzzy=True)
+    # "parse" adds compatibility with "last_dates_files" from previous releases as the format wasn't localized
+    # It also handles any datetime with more than 6 digits for the microseconds value provided by Azure
+    new_min_date = parse(new_min, fuzzy=True)
+    new_max_date = parse(new_max, fuzzy=True)
+    if new_min_date < old_min_date or new_max_date > old_max_date:
+        min_ = new_min if new_min_date < old_min_date else old_min_str
+        max_ = new_max if new_max_date > old_max_date else old_max_str
+        logging.debug(
+            f'Attempting to update a {table.__tablename__} row object. '
+            f'MD5: "{md5_hash}", min_date: "{min_}", max_date: "{max_}"'
+        )
+        try:
+            orm.update_row(
+                table=table, md5=md5_hash, min_date=min_, max_date=max_, query=query
+            )
+        except orm.AzureORMError as e:
+            logging.error(f'Error updating row object from {table.__tablename__}: {e}')
+            sys.exit(1)
+
+
+def create_new_row(table: orm.Base, md5_hash: str, query: str, offset: str) -> orm.Base:
+    """Create a new row object for the given table, insert it into the database and return it.
+
+    Parameters
+    ----------
+    table : orm.Base
+        Database table reference for the service.
+    md5_hash : str
+        md5 value used as the key for the table.
+    query : str
+        The query value before applying the md5 transformation.
+    offset : str
+        Value used to determine the desired datetime.
+
+    Returns
+    -------
+    orm.Base
+        A copy of the inserted row object.
+    """
+    logging.info(
+        f'{md5_hash} was not found in the database for {table.__tablename__}. Adding it.'
+    )
+    desired_datetime = (
+        offset_to_datetime(offset)
+        if offset
+        else datetime.utcnow().replace(hour=0, minute=0, second=0, microsecond=0)
+    )
+    desired_str = desired_datetime.strftime(DATETIME_MASK)
+    item = table(
+        md5=md5_hash,
+        query=query,
+        min_processed_date=desired_str,
+        max_processed_date=desired_str,
+    )
+    logging.debug(
+        f'Attempting to insert row object into {table.__tablename__} with md5="{md5_hash}", '
+        f'min_date="{desired_str}", max_date="{desired_str}"'
+    )
+    try:
+        orm.add_row(row=item)
+    except orm.AzureORMError as e:
+        logging.error(f'Error inserting row object into {table.__tablename__}: {e}')
+        sys.exit(1)
+    return item
diff --git a/src/modules/azure/scripts/pytest.ini b/src/modules/azure/scripts/pytest.ini
new file mode 100644
index 0000000000..40880458c7
--- /dev/null
+++ b/src/modules/azure/scripts/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+asyncio_mode=auto
diff --git a/src/modules/azure/scripts/requirements.txt b/src/modules/azure/scripts/requirements.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/__init__.py b/src/modules/azure/scripts/tests/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/azure_services/__init__.py b/src/modules/azure/scripts/tests/azure_services/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/azure_services/test_analytics.py b/src/modules/azure/scripts/tests/azure_services/test_analytics.py
new file mode 100644
index 0000000000..99234f3cc1
--- /dev/null
+++ b/src/modules/azure/scripts/tests/azure_services/test_analytics.py
@@ -0,0 +1,275 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import json
+import sys
+from hashlib import md5
+from os.path import abspath, dirname, join, realpath
+from unittest.mock import MagicMock, call, patch
+
+import pytest
+from dateutil.parser import parse
+from requests import HTTPError
+
+sys.path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+
+from azure_services.analytics import (
+    URL_ANALYTICS,
+    build_log_analytics_query,
+    get_log_analytics_events,
+    get_time_position,
+    iter_log_analytics_events,
+    start_log_analytics,
+)
+from db import orm
+
+PAST_DATE = '2022-01-01T12:00:00.000000Z'
+PRESENT_DATE = '2022-06-15T12:00:00.000000Z'
+FUTURE_DATE = '2022-12-31T12:00:00.000000Z'
+
+TEST_DATA_PATH = join(dirname(dirname(realpath(__file__))), 'data')
+
+
+@pytest.mark.parametrize(
+    'auth_path, la_id, key, offset, query, workspace, reparse, tag',
+    [
+        (None, 'client', 'secret', '1d', 'query', 'workspace', False, 'la_tag'),
+        ('/var/ossec/', None, None, '', '', '', False, ''),
+    ],
+)
+@patch('azure_services.analytics.get_log_analytics_events')
+@patch('azure_services.analytics.build_log_analytics_query')
+@patch('azure_services.analytics.get_token')
+@patch('azure_services.analytics.read_auth_file')
+def test_start_log_analytics(
+    mock_auth,
+    mock_token,
+    mock_build,
+    mock_get_logs,
+    auth_path,
+    la_id,
+    key,
+    offset,
+    query,
+    workspace,
+    reparse,
+    tag,
+):
+    """Test start_log_analytics reads the credentials, obtains a token, builds the query using that token and attempts
+    to get the log analytics logs."""
+    tenant = 'tenant'
+    args = MagicMock(
+        la_tenant_domain=tenant,
+        la_auth_path=auth_path,
+        la_id=la_id,
+        la_key=key,
+        la_query=query,
+        la_time_offset=offset,
+        workspace=workspace,
+        reparse=reparse,
+        la_tag=tag,
+    )
+
+    mock_auth.return_value = credentials = ('client', 'secret')
+    mock_token.return_value = token = 'token'
+    mock_build.return_value = body = 'body'
+    start_log_analytics(args)
+
+    if auth_path:
+        mock_auth.assert_called_with(auth_path=auth_path, fields=('application_id', 'application_key'))
+    else:
+        mock_auth.assert_not_called()
+
+    # Check a token is requested using the right parameters
+    mock_token.assert_called_with(
+        client_id=credentials[0],
+        secret=credentials[1],
+        domain=tenant,
+        scope=f'{URL_ANALYTICS}/.default',
+    )
+    md5_hash = md5(query.encode()).hexdigest()
+    mock_build.assert_called_with(query=query, offset=offset, reparse=reparse, md5_hash=md5_hash)
+    mock_get_logs.assert_called_with(
+        url=f'{URL_ANALYTICS}/v1/workspaces/{workspace}/query',
+        body=body,
+        headers={'Authorization': f'Bearer {token}'},
+        md5_hash=md5_hash,
+        query=query,
+        tag=tag,
+    )
+
+
+@patch('azure_utils.logging.error')
+@patch('azure_services.analytics.get_log_analytics_events', side_effect=HTTPError)
+@patch('azure_services.analytics.build_log_analytics_query')
+@patch('azure_services.analytics.get_token')
+@patch('azure_services.analytics.read_auth_file', return_value=('client', 'secret'))
+def test_start_log_analytics_ko(mock_auth, mock_token, mock_build, mock_get_logs, mock_logging):
+    """Test start_log_analytics shows error message if get_log_analytics_events returns an HTTP error."""
+    args = MagicMock(
+        la_tenant_domain='test',
+        la_id='test',
+        la_key='test',
+        la_query='test',
+        la_time_offset='',
+        workspace='test',
+    )
+    start_log_analytics(args)
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.logging.error')
+def test_start_log_analytics_ko_credentials(mock_logging):
+    """Test start_log_analytics stops its execution if no valid credentials are provided."""
+    args = MagicMock(la_tenant_domain=None)
+    with pytest.raises(SystemExit) as err:
+        start_log_analytics(args)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'min_date, max_date, desired_date, reparse',
+    [
+        (PRESENT_DATE, FUTURE_DATE, PAST_DATE, False),
+        (PAST_DATE, PRESENT_DATE, FUTURE_DATE, False),
+        (PAST_DATE, FUTURE_DATE, PRESENT_DATE, False),
+        (PAST_DATE, PAST_DATE, PRESENT_DATE, True),
+    ],
+)
+@patch('azure_services.analytics.offset_to_datetime')
+@patch('azure_services.analytics.create_new_row')
+@patch('db.orm.get_row', return_value=None)
+def test_build_log_analytics_query(mock_get, mock_create, mock_datetime, min_date, max_date, desired_date, reparse):
+    """Test build_log_analytics_query creates the required query with the expected "TimeGenerated" filter values."""
+    la_query = 'test_query'
+    mock_create.return_value = MagicMock(min_processed_date=min_date, max_processed_date=max_date)
+    mock_datetime.return_value = parse(desired_date)
+    result = build_log_analytics_query(query=la_query, offset=desired_date, md5_hash='', reparse=reparse)
+    mock_get.assert_called_with(orm.LogAnalytics, md5='')
+    mock_create.assert_called_with(
+        table=orm.LogAnalytics,
+        query=la_query,
+        md5_hash='',
+        offset=desired_date,
+    )
+
+    if reparse:
+        expected_str = f'TimeGenerated >= datetime({desired_date})'
+    else:
+        if parse(desired_date) < parse(min_date, fuzzy=True):
+            expected_str = (
+                f'( TimeGenerated < datetime({min_date}) and TimeGenerated >= datetime({desired_date})) '
+                f'or ( TimeGenerated > datetime({max_date}))'
+            )
+        elif parse(desired_date) > parse(max_date, fuzzy=True):
+            expected_str = f'TimeGenerated >= datetime({desired_date})'
+        else:
+            expected_str = f'TimeGenerated > datetime({max_date})'
+
+    assert expected_str in result['query']
+
+
+@patch('azure_utils.logging.error')
+@patch('db.orm.get_row', side_effect=orm.AzureORMError)
+def test_build_log_analytics_query_ko(mock_get, mock_logging):
+    """Test build_log_analytics_query handles ORM exceptions."""
+    with pytest.raises(SystemExit) as err:
+        build_log_analytics_query(query='', offset='', reparse=False, md5_hash='')
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'file, time_position',
+    [
+        ('log_analytics_events', 0),
+        ('log_analytics_events', None),
+        ('log_analytics_events_no_results', None),
+        ('log_analytics_events_empty', None),
+    ],
+)
+@patch('azure_utils.logging.error')
+@patch('azure_services.analytics.update_row_object')
+@patch('azure_services.analytics.iter_log_analytics_events')
+@patch('azure_services.analytics.get_time_position')
+@patch('azure_services.analytics.get')
+def test_get_log_analytics_events(mock_get, mock_position, mock_iter, mock_update, mock_logging, file, time_position):
+    """Test get_log_analytics_events gets the logs, process the response and iterate the events if the 'TimeGenerated'
+    field was present."""
+    la_query = 'test_query'
+    m = MagicMock(status_code=200)
+    with open(join(TEST_DATA_PATH, file)) as f:
+        try:
+            events = json.loads(f.read())
+            m.json.return_value = events
+            columns = events['tables'][0]['columns']
+            rows = events['tables'][0]['rows']
+        except (KeyError, json.decoder.JSONDecodeError):
+            m.json.return_value = {}
+            columns = None
+            rows = None
+
+    mock_get.return_value = m
+    mock_position.return_value = time_position
+    url = 'url'
+    body = 'body'
+    headers = 'headers'
+    tag = 'test'
+    get_log_analytics_events(url=url, body=body, headers=headers, md5_hash='', query=la_query, tag=tag)
+    mock_get.assert_called_with(url, params=body, headers=headers, timeout=10)
+    if rows is None or (len(rows) > 0 and time_position is None):
+        mock_logging.assert_called_once()
+    elif len(rows) == 0:
+        mock_position.assert_not_called()
+        mock_iter.assert_not_called()
+        mock_update.assert_not_called()
+    else:
+        mock_position.assert_called_with(columns)
+        mock_iter.assert_called_with(columns, rows, tag)
+        mock_update.assert_called_once()
+
+
+@patch('azure_services.analytics.get')
+def test_get_log_analytics_events_error_responses(mock_get):
+    """Test get_log_analytics_events handles invalid responses from the request module."""
+    la_query = 'test_query'
+    response_mock = MagicMock(status_code=400)
+    mock_get.return_value = response_mock
+    get_log_analytics_events(url=None, body=None, headers=None, md5_hash=None, query=la_query, tag='')
+    response_mock.raise_for_status.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'columns, position',
+    [
+        ([{'name': 'TimeGenerated'}, {'name': 'test'}], 0),
+        ([{'name': 'test'}, {'name': 'TimeGenerated'}], 1),
+        ([{'name': 'test'}, {'name': 'test'}], None),
+    ],
+)
+def test_get_time_position(columns, position):
+    """Test get_time_position returns the position of the 'TimeGenerated' field."""
+    result = get_time_position(columns)
+    assert result == position
+
+
+@patch('azure_services.analytics.send_message')
+def test_iter_log_analytics_events(mock_send):
+    """Test iter_log_analytics_events iterates through the columns and rows to build the events and send them to the
+    socket."""
+    la_tag = 'tag'
+    with open(join(TEST_DATA_PATH, 'log_analytics_events')) as f:
+        events = json.loads(f.read())
+        columns = events['tables'][0]['columns']
+        rows = events['tables'][0]['rows']
+    iter_log_analytics_events(columns=columns, rows=rows, tag=la_tag)
+    keys = [col['name'] for col in columns]
+    tag_keys = ['azure_tag', 'log_analytics_tag']
+    tag_values = ['azure-log-analytics', la_tag]
+    expected_calls = [call(json.dumps({k: v for k, v in zip(keys + tag_keys, values + tag_values)})) for values in rows]
+    mock_send.assert_has_calls(expected_calls)
diff --git a/src/modules/azure/scripts/tests/azure_services/test_graph.py b/src/modules/azure/scripts/tests/azure_services/test_graph.py
new file mode 100644
index 0000000000..2a551e035f
--- /dev/null
+++ b/src/modules/azure/scripts/tests/azure_services/test_graph.py
@@ -0,0 +1,226 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import json
+import sys
+from hashlib import md5
+from os.path import abspath, dirname, join, realpath
+from unittest.mock import MagicMock, patch
+
+import pytest
+from dateutil.parser import parse
+from requests import HTTPError
+
+sys.path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+
+from azure_services.graph import (
+    URL_GRAPH,
+    build_graph_url,
+    get_graph_events,
+    start_graph,
+)
+from db import orm
+
+PAST_DATE = '2022-01-01T12:00:00.000000Z'
+PRESENT_DATE = '2022-06-15T12:00:00.000000Z'
+FUTURE_DATE = '2022-12-31T12:00:00.000000Z'
+
+TEST_DATA_PATH = join(dirname(dirname(realpath(__file__))), 'data')
+
+
+@pytest.mark.parametrize(
+    'auth_path, graph_id, key, offset, query, tag, reparse',
+    [
+        (None, 'client', 'secret', '1d', 'query', 'tag', False),
+        ('/var/ossec/', None, None, '', '', '', False),
+    ],
+)
+@patch('azure_services.graph.get_graph_events')
+@patch('azure_services.graph.build_graph_url')
+@patch('azure_services.graph.get_token')
+@patch('azure_services.graph.read_auth_file')
+def test_start_graph(
+    mock_auth,
+    mock_token,
+    mock_build,
+    mock_graph,
+    auth_path,
+    graph_id,
+    key,
+    offset,
+    query,
+    tag,
+    reparse,
+):
+    """Test start_graph attempts to process the logs available for the given authentication, query and offset values."""
+    tenant = 'tenant'
+    args = MagicMock(
+        graph_tenant_domain=tenant,
+        graph_auth_path=auth_path,
+        graph_id=graph_id,
+        graph_key=key,
+        graph_time_offset=offset,
+        graph_query=query,
+        graph_tag=tag,
+        reparse=reparse,
+    )
+    mock_auth.return_value = credentials = ('client', 'secret')
+    mock_token.return_value = token = 'token'
+    mock_build.return_value = url = 'url'
+
+    start_graph(args)
+
+    if auth_path and tenant:
+        mock_auth.assert_called_with(auth_path=auth_path, fields=('application_id', 'application_key'))
+    else:
+        mock_auth.assert_not_called()
+
+    mock_token.assert_called_with(
+        client_id=credentials[0],
+        secret=credentials[1],
+        domain=tenant,
+        scope=f'{URL_GRAPH}/.default',
+    )
+    md5_hash = md5(query.encode()).hexdigest()
+    mock_build.assert_called_with(query=query, offset=offset, reparse=reparse, md5_hash=md5_hash)
+    mock_graph.assert_called_with(
+        url=url,
+        headers={'Authorization': f'Bearer {token}'},
+        md5_hash=md5_hash,
+        query=query,
+        tag=tag,
+    )
+
+
+@patch('azure_utils.logging.error')
+@patch('azure_services.graph.get_graph_events', side_effect=HTTPError)
+@patch('azure_services.graph.build_graph_url')
+@patch('azure_services.graph.get_token')
+@patch('azure_services.graph.read_auth_file', return_value=('client', 'secret'))
+def test_start_graph_ko(mock_auth, mock_token, mock_build, mock_get, mock_logging):
+    """Test start_graph shows error message if get_log_analytics_events returns an HTTP error."""
+    args = MagicMock(graph_id='test', graph_key='test', graph_tenant_domain='test', graph_query='')
+    start_graph(args)
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.logging.error')
+def test_start_graph_ko_credentials(mock_logging):
+    """Test start_graph stops its execution if no valid credentials are provided."""
+    args = MagicMock(graph_tenant_domain=None)
+    with pytest.raises(SystemExit) as err:
+        start_graph(args)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'min_date, max_date, desired_date, reparse',
+    [
+        (PRESENT_DATE, FUTURE_DATE, PAST_DATE, False),
+        (PAST_DATE, PRESENT_DATE, FUTURE_DATE, False),
+        (PAST_DATE, FUTURE_DATE, PRESENT_DATE, False),
+        (PAST_DATE, PAST_DATE, PRESENT_DATE, True),
+    ],
+)
+@patch('azure_services.graph.offset_to_datetime')
+@patch('azure_services.graph.create_new_row')
+@patch('db.orm.get_row', return_value=None)
+def test_build_graph_url(
+    mock_get,
+    mock_create,
+    mock_datetime,
+    min_date,
+    max_date,
+    desired_date,
+    reparse,
+):
+    """Test build_graph_url builds the URL applying the expected filters based on the dates provided."""
+    mock_create.return_value = MagicMock(min_processed_date=min_date, max_processed_date=max_date)
+    mock_datetime.return_value = parse(desired_date)
+    query = 'query'
+    offset = '1d'
+    md5_hash = ''
+
+    result = build_graph_url(offset=offset, query=query, reparse=reparse, md5_hash=md5_hash)
+
+    mock_get.assert_called_with(orm.Graph, md5=md5_hash)
+    mock_create.assert_called_with(table=orm.Graph, query=query, md5_hash=md5_hash, offset=offset)
+
+    filtering_condition = 'createdDateTime' if 'signins' in query.lower() else 'activityDateTime'
+
+    if reparse:
+        expected_str = f'{filtering_condition}+ge+{desired_date}'
+    else:
+        if parse(desired_date) < parse(min_date, fuzzy=True):
+            expected_str = (
+                f'({filtering_condition}+lt+{min_date}+and+{filtering_condition}+ge+{desired_date})'
+                f'+or+({filtering_condition}+gt+{max_date})'
+            )
+        elif parse(desired_date) > parse(max_date, fuzzy=True):
+            expected_str = f'{filtering_condition}+ge+{desired_date}'
+        else:
+            expected_str = f'{filtering_condition}+gt+{max_date}'
+    assert URL_GRAPH in result
+    assert query in result
+    assert expected_str in result
+
+
+@patch('azure_utils.logging.error')
+@patch('db.orm.get_row', side_effect=orm.AzureORMError)
+def test_build_graph_url_ko(mock_get, mock_logging):
+    """Test build_log_analytics_query handles ORM exceptions."""
+    with pytest.raises(SystemExit) as err:
+        build_graph_url(offset=None, query='query', reparse=False, md5_hash=None)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('azure_services.graph.send_message')
+@patch('azure_services.graph.update_row_object')
+@patch('azure_services.graph.get')
+def test_get_graph_events(mock_get, mock_update, mock_send):
+    """Test get_graph_events recursively request the data using the specified url and process the values present in the
+    response."""
+
+    def load_events(path):
+        with open(join(TEST_DATA_PATH, path)) as f:
+            return json.loads(f.read())
+
+    # The first file contains both values and a nextLink to the following file
+    event_list = MagicMock(status_code=200)
+    contents = load_events('graph_events')
+    event_list.json.return_value = contents
+    num_events = len(contents['value'])
+    url = contents['@odata.nextLink']
+
+    # The second file has no values nor nextLink
+    empty_event_list = MagicMock(status_code=200)
+    empty_event_list.json.return_value = load_events('graph_events_no_values')
+
+    mock_get.side_effect = [event_list, empty_event_list]
+
+    headers = 'headers'
+    get_graph_events(url=url, headers=headers, md5_hash='', query='query', tag='tag')
+    mock_get.assert_called_with(url=url, headers=headers, timeout=10)
+    assert mock_update.call_count == num_events
+    assert mock_send.call_count == num_events
+
+
+@pytest.mark.parametrize('status_code', [400, 500])
+@patch('azure_utils.logging.error')
+@patch('azure_services.graph.get')
+def test_get_graph_events_error_responses(mock_get, mock_logging, status_code):
+    """Test get_graph_events handles invalid responses from the request module."""
+    response_mock = MagicMock(status_code=status_code)
+    mock_get.return_value = response_mock
+    get_graph_events(url=None, headers=None, md5_hash=None, query='query', tag='tag')
+
+    if status_code == 400:
+        assert mock_logging.call_count == 2
+    else:
+        response_mock.raise_for_status.assert_called_once()
diff --git a/src/modules/azure/scripts/tests/azure_services/test_storage.py b/src/modules/azure/scripts/tests/azure_services/test_storage.py
new file mode 100644
index 0000000000..1584acbd01
--- /dev/null
+++ b/src/modules/azure/scripts/tests/azure_services/test_storage.py
@@ -0,0 +1,552 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import json
+import sys
+from datetime import datetime
+from hashlib import md5
+from os.path import abspath, dirname, join, realpath
+from typing import Optional
+from unittest.mock import MagicMock, PropertyMock, call, patch
+
+import pytest
+import pytz
+from azure.common import AzureException, AzureHttpError
+from azure.storage.common._error import AzureSigningError
+from dateutil.parser import parse
+
+sys.path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+
+from azure_services.storage import get_blobs, start_storage
+from db import orm
+
+PAST_DATE = '2022-01-01T12:00:00.000000Z'
+PRESENT_DATE = '2022-06-15T12:00:00.000000Z'
+FUTURE_DATE = '2022-12-31T12:00:00.000000Z'
+
+TEST_DATA_PATH = join(dirname(dirname(realpath(__file__))), 'data')
+
+
+def create_mocked_blob(blob_name: str, last_modified: datetime = None, content_length: Optional[int] = None):
+    """Return a fake blob with name and creation time.
+
+    Parameters:
+    ----------
+    blob_name : str
+        The name of the fake blob.
+    last_modified : str
+        The last modified time property of the fake blob. datetime.now() will be used if no creation_time is provided.
+    content_length: Optional[int]
+        The content_length property of the fake blob. This property is only set if the length is not None
+
+    Returns
+    -------
+    MagicMock
+         A fake blob.
+    """
+    blob = MagicMock()
+    blob.name = blob_name
+    blob.properties.last_modified = (last_modified if last_modified else datetime.now()).replace(tzinfo=pytz.UTC)
+
+    # Add Blob length property
+    if content_length is not None:
+        type(blob.properties).content_length = PropertyMock(return_value=content_length)
+
+    return blob
+
+
+@pytest.mark.parametrize(
+    'auth_path, name, key, container_name',
+    [
+        (None, 'name', 'key', 'container'),
+        ('/var/ossec/', '', '', '*'),
+    ],
+)
+@patch('azure_services.storage.get_blobs')
+@patch('azure_services.storage.create_new_row')
+@patch('azure_services.storage.orm.get_row', return_value=None)
+@patch('azure_services.storage.BlockBlobService')
+@patch('azure_services.storage.read_auth_file')
+def test_start_storage(
+    mock_auth,
+    mock_blob,
+    mock_get_row,
+    mock_create,
+    mock_get_blobs,
+    auth_path,
+    name,
+    key,
+    container_name,
+):
+    """Test start_storage process blobs in bucket as expected."""
+    offset = '1d'
+    args = MagicMock(
+        storage_auth_path=auth_path,
+        account_name=name,
+        account_key=key,
+        container=container_name,
+        storage_time_offset=offset,
+    )
+    mock_create.return_value = MagicMock(min_processed_date=PRESENT_DATE, max_processed_date=PRESENT_DATE)
+    mock_auth.return_value = (name, key)
+    m = MagicMock()
+    m.list_containers.return_value = [MagicMock(name=container_name)]
+    mock_blob.return_value = m
+    start_storage(args)
+
+    if auth_path:
+        mock_auth.assert_called_with(auth_path=auth_path, fields=('account_name', 'account_key'))
+    else:
+        mock_auth.assert_not_called()
+
+    md5_hash = md5(name.encode()).hexdigest()
+    mock_blob.assert_called_with(account_name=name, account_key=key)
+    mock_get_row.assert_called_with(orm.Storage, md5=md5_hash)
+    mock_create.assert_called_with(table=orm.Storage, query=name, md5_hash=md5_hash, offset=offset)
+    mock_get_blobs.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'container_name, exception',
+    [
+        ('', None),
+        ('', AzureException),
+        ('*', AzureSigningError),
+        ('*', AzureException),
+        ('*', None),
+    ],
+)
+@patch('azure_utils.logging.error')
+@patch('azure_services.storage.create_new_row', side_effect=orm.AzureORMError)
+@patch('db.orm.get_row', return_value=None)
+@patch('azure_services.storage.BlockBlobService')
+def test_start_storage_ko(mock_blob, mock_get, mock_create, mock_logging, container_name, exception):
+    """Test start_log_analytics shows error message if get_log_analytics_events returns an HTTP error."""
+    args = MagicMock(
+        storage_auth_path=None,
+        account_name='test',
+        account_key='test',
+        container=container_name,
+        storage_time_offset='',
+    )
+    m = MagicMock()
+    if container_name == '*':
+        m.list_containers.return_value = [MagicMock(name=container_name)]
+        m.list_containers.side_effect = exception
+    else:
+        m.exists.return_value = None
+        m.exists.side_effect = exception
+    mock_blob.return_value = m
+
+    with pytest.raises(SystemExit) as err:
+        start_storage(args)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.logging.error')
+def test_start_storage_ko_credentials(mock_logging):
+    """Test start_storage stops its execution if no valid credentials are provided."""
+    args = MagicMock(storage_auth_path=None, account_name=None, account_key=None)
+    with pytest.raises(SystemExit) as err:
+        start_storage(args)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'blob_date, min_date, max_date, desired_date, extension, reparse, json_file, inline, send_events',
+    [
+        # blob_date < desired_date - Blobs should be skipped
+        (
+            PRESENT_DATE,
+            PAST_DATE,
+            PAST_DATE,
+            FUTURE_DATE,
+            None,
+            False,
+            False,
+            False,
+            False,
+        ),
+        # blob_date > desired_date, min_date == blob_date and blob_date < max_date - Blobs should be skipped
+        (
+            PRESENT_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            PAST_DATE,
+            None,
+            False,
+            False,
+            False,
+            False,
+        ),
+        # blob_date > desired_date, min_date < blob_date and blob_date == max_date - Blobs should be skipped
+        (
+            FUTURE_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            PAST_DATE,
+            None,
+            False,
+            False,
+            False,
+            False,
+        ),
+        # blob_date > desired_date, min_date < blob_date and blob_date < max_date - Blobs should be skipped
+        (
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            PAST_DATE,
+            None,
+            False,
+            False,
+            False,
+            False,
+        ),
+        # blob_date < min_datetime - Blobs must be processed
+        (
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            PAST_DATE,
+            None,
+            False,
+            False,
+            False,
+            True,
+        ),
+        # blob_date > max_datetime - Blobs must be processed
+        (
+            FUTURE_DATE,
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            None,
+            False,
+            False,
+            True,
+            True,
+        ),
+        # Reparse old logs
+        (
+            FUTURE_DATE,
+            FUTURE_DATE,
+            FUTURE_DATE,
+            FUTURE_DATE,
+            None,
+            True,
+            False,
+            True,
+            True,
+        ),
+        # Only .json files must be processed
+        (
+            FUTURE_DATE,
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            '.json',
+            False,
+            False,
+            False,
+            True,
+        ),
+        (
+            FUTURE_DATE,
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            '.json',
+            False,
+            False,
+            True,
+            True,
+        ),
+        (
+            FUTURE_DATE,
+            PAST_DATE,
+            PRESENT_DATE,
+            FUTURE_DATE,
+            '.json',
+            False,
+            True,
+            False,
+            True,
+        ),
+    ],
+)
+@patch('azure_services.storage.update_row_object')
+@patch('azure_services.storage.send_message')
+def test_get_blobs(
+    mock_send,
+    mock_update,
+    blob_date,
+    min_date,
+    max_date,
+    desired_date,
+    extension,
+    reparse,
+    json_file,
+    inline,
+    send_events,
+):
+    """Test get_blobs obtains the blobs from a container and send their content to the socket."""
+    blob_date_str = parse(blob_date)
+    blob_list = [create_mocked_blob(blob_name=f'blob_{i}', last_modified=blob_date_str) for i in range(5)] + [
+        create_mocked_blob(blob_name=f'blob_{i}{extension}', last_modified=blob_date_str) for i in range(5)
+    ]
+
+    # The first iteration will contain a full blob list and a next_marker value
+    blob_service_iter_1 = MagicMock(next_marker='marker')
+    blob_service_iter_1.__iter__ = MagicMock(return_value=iter(blob_list))
+    # The second and last iteration won't contain blob list nor next_marker
+    blob_service_iter_2 = MagicMock(next_marker=None)
+    blob_service = MagicMock()
+    blob_service.list_blobs.side_effect = [blob_service_iter_1, blob_service_iter_2]
+
+    if json_file:
+        test_file = 'storage_events_json'
+    elif inline:
+        test_file = 'storage_events_inline'
+    else:
+        test_file = 'storage_events_plain'
+
+    with open(join(TEST_DATA_PATH, test_file)) as f:
+        contents = f.read()
+        blob_service.get_blob_to_text.return_value = MagicMock(content=contents)
+
+    container_name = 'container'
+    marker = 'marker'
+    md5_hash = 'hash'
+    tag = 'tag'
+    get_blobs(
+        container_name=container_name,
+        blob_service=blob_service,
+        md5_hash=md5_hash,
+        next_marker=marker,
+        min_datetime=parse(min_date),
+        max_datetime=parse(max_date),
+        desired_datetime=parse(desired_date),
+        tag=tag,
+        reparse=reparse,
+        json_file=json_file,
+        json_inline=inline,
+        blob_extension=extension,
+    )
+
+    blob_service.list_blobs.assert_called_with(container_name, prefix=None, marker=marker)
+    blob_service.get_blob_to_text.assert_has_calls(
+        [call(container_name, blob.name) for blob in blob_list if extension and extension in blob.name]
+    )
+    if send_events:
+        calls = list()
+        extension = extension if extension else ''
+        for blob in blob_list:
+            if extension in blob.name:
+                if json_file:
+                    for record in json.loads(contents)['records']:
+                        record['azure_tag'] = 'azure-storage'
+                        record['azure_storage_tag'] = tag
+                        calls.append(call(json.dumps(record)))
+                else:
+                    for line in [s for s in str(contents).splitlines() if s]:
+                        if inline:
+                            calls.append(
+                                call(f'{{"azure_tag": "azure-storage", "azure_storage_tag": "{tag}", {line[1:]}')
+                            )
+                        else:
+                            calls.append(call(f'azure_tag: azure-storage. azure_storage_tag: {tag}. {line}'))
+        mock_send.assert_has_calls(calls)
+        assert (
+            mock_update.call_count == len(blob_list)
+            if not extension
+            else len([blob.name for blob in blob_list if extension in blob.name])
+        )
+
+
+@patch('azure_utils.logging.debug')
+def test_that_empty_blobs_are_omitted(mock_logging):
+    """Test get_blobs checks the size of the blob and omits it if is is empty"""
+    # List of empty blobs to use
+    list_of_empty_blobs = [
+        create_mocked_blob('Example1', content_length=0),
+        create_mocked_blob('Example2', content_length=0),
+    ]
+
+    iterator_with_marker = MagicMock(next_marker=None)
+    iterator_with_marker.__iter__.return_value = list_of_empty_blobs
+
+    # Mock for the blob service
+    blob_service = MagicMock()
+    blob_service.list_blobs.return_value = iterator_with_marker
+
+    container_name = 'container'
+    marker = 'marker'
+    md5_hash = 'hash'
+    get_blobs(
+        container_name=container_name,
+        blob_service=blob_service,
+        md5_hash=md5_hash,
+        next_marker=marker,
+        min_datetime=parse(PRESENT_DATE),
+        max_datetime=parse(FUTURE_DATE),
+        desired_datetime=parse(FUTURE_DATE),
+        tag='storage_tag',
+        reparse=False,
+        json_file=False,
+        json_inline=False,
+        blob_extension=None,
+    )
+
+    # for blob in list_of_empty_blobs:
+    #     blob.properties.content_length.assert_called()
+    expected_calls = [
+        call('Empty blob Example1, skipping'),
+        call('Empty blob Example2, skipping'),
+    ]
+    mock_logging.assert_has_calls(expected_calls, any_order=False)
+    blob_service.get_blob_to_text.assert_not_called()
+
+
+@patch('azure_services.storage.update_row_object')
+@patch('azure_services.storage.send_message')
+def test_get_blobs_only_with_prefix(mock_send, mock_update):
+    """Test get_blobs process only the blobs corresponding to a specific prefix, ignoring the rest."""
+    MagicMock(blobs=None, json_file=False, json_inline=False, reparse=False)
+
+    prefix = 'test_prefix'
+    blob_date_str = parse(FUTURE_DATE)
+
+    blob_list = (
+        [create_mocked_blob(blob_name=f'blob_{i}', last_modified=blob_date_str) for i in range(5)]
+        + [create_mocked_blob(blob_name=f'{prefix}/blob_{i}', last_modified=blob_date_str) for i in range(5)]
+        + [create_mocked_blob(blob_name=f'other_prefix/blob_{i}', last_modified=blob_date_str) for i in range(5)]
+    )
+
+    # The first iteration will contain a full blob list and a none next_marker
+    blob_service_iter_1 = MagicMock(next_marker=None)
+    blob_service_iter_1.__iter__ = MagicMock(return_value=iter(blob_list))
+    blob_service = MagicMock()
+    blob_service.list_blobs.return_value = blob_service_iter_1
+    blob_service.get_blob_to_text.return_value = MagicMock(content='')
+
+    container_name = 'container'
+    md5_hash = 'hash'
+
+    get_blobs(
+        container_name=container_name,
+        blob_service=blob_service,
+        md5_hash=md5_hash,
+        min_datetime=parse(PAST_DATE),
+        max_datetime=parse(PRESENT_DATE),
+        desired_datetime=parse(FUTURE_DATE),
+        prefix=prefix,
+        tag='storage_tag',
+        reparse=False,
+        json_file=False,
+        json_inline=False,
+        blob_extension=None,
+    )
+
+    blob_service.list_blobs.assert_called_with(container_name, prefix=prefix, marker=None)
+    blob_service.get_blob_to_text.assert_has_calls(
+        [call(container_name, blob.name) for blob in blob_list if prefix in blob.name]
+    )
+
+
+@patch('azure_utils.logging.error')
+def test_get_blobs_list_blobs_ko(mock_logging):
+    """Test get_blobs_list_blobs handles exceptions from 'list_blobs'."""
+    m = MagicMock()
+    m.list_blobs.side_effect = AzureException
+
+    with pytest.raises(AzureException):
+        get_blobs(
+            container_name=None,
+            blob_service=m,
+            md5_hash=None,
+            min_datetime=None,
+            max_datetime=None,
+            desired_datetime=None,
+            tag='storage_tag',
+            reparse=False,
+            json_file=False,
+            json_inline=False,
+            blob_extension=None,
+        )
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'exception',
+    [
+        ValueError,
+        AzureException,
+        AzureHttpError(message='', status_code=''),
+    ],
+)
+@patch('azure_services.storage.logging.error')
+@patch('azure_services.storage.update_row_object')
+def test_get_blobs_blob_data_ko(mock_update, mock_logging, exception):
+    """Test get_blobs_list_blobs handles exceptions from 'get_blob_to_text'."""
+    num_blobs = 5
+    blob_list = [create_mocked_blob(blob_name=f'blob_{i}') for i in range(num_blobs)]
+    blob_service_iter = MagicMock(next_marker=None)
+    blob_service_iter.__iter__ = MagicMock(return_value=iter(blob_list))
+    blob_service = MagicMock()
+    blob_service.list_blobs.return_value = blob_service_iter
+    blob_service.get_blob_to_text.side_effect = exception
+
+    get_blobs(
+        container_name=None,
+        blob_service=blob_service,
+        md5_hash=None,
+        min_datetime=None,
+        max_datetime=None,
+        desired_datetime=None,
+        tag='storage_tag',
+        reparse=True,
+        json_file=False,
+        json_inline=False,
+        blob_extension=None,
+    )
+    assert mock_logging.call_count == num_blobs
+    mock_update.assert_not_called()
+
+
+@pytest.mark.parametrize('exception', [json.JSONDecodeError, TypeError, KeyError])
+@patch('azure_services.storage.logging.error')
+@patch('azure_services.storage.loads')
+@patch('azure_services.storage.update_row_object')
+def test_get_blobs_json_ko(mock_update, mock_loads, mock_logging, exception):
+    """Test get_blobs_list_blobs handles exceptions from 'json.loads'."""
+    num_blobs = 5
+    blob_list = [create_mocked_blob(blob_name=f'blob_{i}') for i in range(num_blobs)]
+    blob_service_iter = MagicMock(next_marker=None)
+    blob_service_iter.__iter__ = MagicMock(return_value=iter(blob_list))
+    blob_service = MagicMock()
+    blob_service.list_blobs.return_value = blob_service_iter
+    blob_service.get_blob_to_text.return_value = MagicMock(content='invalid')
+    mock_loads.side_effect = exception
+
+    get_blobs(
+        container_name=None,
+        blob_service=blob_service,
+        md5_hash=None,
+        min_datetime=None,
+        max_datetime=None,
+        desired_datetime=None,
+        tag='storage_tag',
+        reparse=True,
+        json_file=True,
+        json_inline=False,
+        blob_extension=None,
+    )
+    assert mock_logging.call_count == num_blobs
+    mock_update.assert_not_called()
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/empty_authentication_file b/src/modules/azure/scripts/tests/data/authentication_files/empty_authentication_file
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file
new file mode 100644
index 0000000000..30883001fc
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file
@@ -0,0 +1 @@
+application_id = 317...764
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_2 b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_2
new file mode 100644
index 0000000000..ac97930edf
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_2
@@ -0,0 +1,3 @@
+application_id = 317...764
+
+application_key = wUj...9cj
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_3 b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_3
new file mode 100644
index 0000000000..2c94dfe584
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/invalid_authentication_file_3
@@ -0,0 +1 @@
+application_id =
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file
new file mode 100644
index 0000000000..b39256da98
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file
@@ -0,0 +1,2 @@
+application_id = application_id_value
+application_key = application_key_value
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_alt b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_alt
new file mode 100644
index 0000000000..d9fda9a40f
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_alt
@@ -0,0 +1,2 @@
+application_key = application_key_value
+application_id = application_id_value
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_extra_line b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_extra_line
new file mode 100644
index 0000000000..b39256da98
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_extra_line
@@ -0,0 +1,2 @@
+application_id = application_id_value
+application_key = application_key_value
diff --git a/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_storage b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_storage
new file mode 100644
index 0000000000..dfc3e47268
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/authentication_files/valid_authentication_file_storage
@@ -0,0 +1,2 @@
+account_name = account_name_value
+account_key = account_key_value
diff --git a/src/modules/azure/scripts/tests/data/graph_events b/src/modules/azure/scripts/tests/data/graph_events
new file mode 100644
index 0000000000..7fe67ade89
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/graph_events
@@ -0,0 +1 @@
+{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits", "value": [{"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","category": "ResourceManagement","correlationId": "XXXXXXXXXXXXXXXXX","result": "success","resultReason": null,"activityDisplayName": "Get Guest Usages resource","activityDateTime": "2022-06-21T08:50:10.7019038Z","loggedByService": "B2C","operationType": "","initiatedBy": {"user": null,"app": {"appId": null,"displayName": "xxxxxxxxxxxxxxxxxx","servicePrincipalId": null,"servicePrincipalName": "xxxxxxxxxxxxxxxxxx"}},"targetResources": [{"id": null,"displayName": "NotSet","type": "Directory","userPrincipalName": null,"groupType": null,"modifiedProperties": []}],"additionalDetails": [{"key": "targetTenant","value": "Undefined tenant"}, {"key": "targetEntityType","value": "Resource"}, {"key": "actorIdentityType","value": "ApplicationID"}]}, {"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","category": "Authorization","correlationId": "XXXXXXXXXXXXXXXXX","result": "success","resultReason": "User Authorization: User was granted 'Subscription Admin' access rights","activityDisplayName": "Get Guest Usages resource","createdDateTime": "2022-06-21T08:50:10.6708119Z","loggedByService": "B2C","operationType": "","initiatedBy": {"user": null,"app": {"appId": null,"displayName": "xxxxxxxxxxxxxxxxxx","servicePrincipalId": null,"servicePrincipalName": "xxxxxxxxxxxxxxxxxx"}},"targetResources": [{"id": null,"displayName": "NotSet","type": "Directory","userPrincipalName": null,"groupType": null,"modifiedProperties": []}],"additionalDetails": [{"key": "targetTenant","value": "Undefined tenant"}, {"key": "targetEntityType","value": "Resource"}, {"key": "actorIdentityType","value": "ApplicationID"}]}], "@odata.nextLink": "nextLink"}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/graph_events_no_values b/src/modules/azure/scripts/tests/data/graph_events_no_values
new file mode 100644
index 0000000000..111da7d0f4
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/graph_events_no_values
@@ -0,0 +1 @@
+{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value": []}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates.json
new file mode 100644
index 0000000000..ecd82903a9
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates.json
@@ -0,0 +1 @@
+{"log_analytics": {"f90c15b0327962c9e661142547368572": {"min": "2021-11-28T10:41:15.080696Z", "max": "2021-12-22T14:23:05.008Z"}, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2022-01-28T10:41:15.080696Z", "max": "2022-02-22T14:23:05.008Z"}}, "graph": {"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2021-11-27T02:49:59.4427758Z", "max": "2021-11-29T09:45:47.358188Z"}, "5956825a2e7b02dbebce74ec3c2ac5a5": {"min": "2021-12-24T15:28:00.922662Z", "max": "2021-12-27T02:49:56.9180341Z"}}, "storage": {"82e049b81fa6eb88ebf85f1677785f2b": {"min": "2021-11-08T13:04:14.645523Z", "max": "2021-11-30T08:50:35.000000Z"}, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2021-10-20T11:29:37.000000Z", "max": "2021-12-28T08:56:10.000000Z"}}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_clean.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_clean.json
new file mode 100644
index 0000000000..ef486c3759
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_clean.json
@@ -0,0 +1 @@
+{"log_analytics": {}, "graph": {}, "storage": {}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_empty.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_empty.json
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_graph.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_graph.json
new file mode 100644
index 0000000000..6e4f5f801c
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_graph.json
@@ -0,0 +1 @@
+{"log_analytics": {}, "graph": {"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2021-11-27T02:49:59.4427758Z", "max": "2021-11-29T09:45:47.358188Z"}, "5956825a2e7b02dbebce74ec3c2ac5a5": {"min": "2021-12-24T15:28:00.922662Z", "max": "2021-12-27T02:49:56.9180341Z"}}, "storage": {}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_invalid.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_invalid.json
new file mode 100644
index 0000000000..e466dcbd8e
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_invalid.json
@@ -0,0 +1 @@
+invalid
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_log_analytics.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_log_analytics.json
new file mode 100644
index 0000000000..af7bb901a0
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_log_analytics.json
@@ -0,0 +1 @@
+{"log_analytics": {"f90c15b0327962c9e661142547368572": {"min": "2021-11-28T10:41:15.080696Z", "max": "2021-12-22T14:23:05.008Z"}, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2022-01-28T10:41:15.080696Z", "max": "2022-02-22T14:23:05.008Z"}}, "graph": {}, "storage": {}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old.json
new file mode 100644
index 0000000000..5422bfd063
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old.json
@@ -0,0 +1 @@
+{"log_analytics": {"f90c15b0327962c9e661142547368572": "2022-03-04T15:12:56.98Z"}, "graph": {"f90c15b0327962c9e661142547368572": "2022-03-04T15:12:56.98Z"}, "storage": {"f90c15b0327962c9e661142547368572": "2022-03-04T15:12:56.98Z"}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old_invalid_value.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old_invalid_value.json
new file mode 100644
index 0000000000..1070549b04
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_old_invalid_value.json
@@ -0,0 +1,14 @@
+{
+   "log_analytics":{
+      "f90c15b0327962c9e661142547368572":"2022-03-04T15:12:56.98Z",
+      "f90c15b0327962c9e661142547368545": "0"
+   },
+   "graph":{
+      "f90c15b0327962c9e661142547368572":"2022-03-04T15:12:56.98Z",
+     "f90c15b0327962c9e661142547368545": "0"
+   },
+   "storage":{
+      "f90c15b0327962c9e661142547368572":"2022-03-04T15:12:56.98Z",
+     "f90c15b0327962c9e661142547368545": "0"
+   }
+}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_storage.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_storage.json
new file mode 100644
index 0000000000..54e9106b18
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_storage.json
@@ -0,0 +1 @@
+{"log_analytics": {}, "graph": {}, "storage": {"82e049b81fa6eb88ebf85f1677785f2b": {"min": "2021-11-08T13:04:14.645523Z", "max": "2021-11-30T08:50:35.000000Z"}, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX": {"min": "2021-10-20T11:29:37.000000Z", "max": "2021-12-28T08:56:10.000000Z"}}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/last_date_files/last_dates_with_invalid_min_max.json b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_with_invalid_min_max.json
new file mode 100644
index 0000000000..6bfb35a738
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/last_date_files/last_dates_with_invalid_min_max.json
@@ -0,0 +1,56 @@
+{
+  "log_analytics": {
+    "valid_example": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "2021-12-22T14:23:05.008Z"
+    },
+    "invalid_min_value": {
+      "min": "0",
+      "max": "2022-02-22T14:23:05.008Z"
+    },
+    "invalid_max_value": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "0"
+    },
+    "invalid_min_max_value": {
+      "min": "0",
+      "max": "0"
+    }
+  },
+  "graph": {
+    "valid_example": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "2021-12-22T14:23:05.008Z"
+    },
+    "invalid_min_value": {
+      "min": "0",
+      "max": "2022-02-22T14:23:05.008Z"
+    },
+    "invalid_max_value": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "0"
+    },
+    "invalid_min_max_value": {
+      "min": "0",
+      "max": "0"
+    }
+  },
+  "storage": {
+    "valid_example": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "2021-12-22T14:23:05.008Z"
+    },
+    "invalid_min_value": {
+      "min": "0",
+      "max": "2022-02-22T14:23:05.008Z"
+    },
+    "invalid_max_value": {
+      "min": "2021-11-28T10:41:15.080696Z",
+      "max": "0"
+    },
+    "invalid_min_max_value": {
+      "min": "0",
+      "max": "0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/log_analytics_events b/src/modules/azure/scripts/tests/data/log_analytics_events
new file mode 100644
index 0000000000..40e2da7329
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/log_analytics_events
@@ -0,0 +1 @@
+{"tables": [{"name": "PrimaryResult", "columns": [{"name": "TenantId", "type": "string"}, {"name": "SourceSystem", "type": "string"}, {"name": "CallerIpAddress", "type": "string"}, {"name": "CategoryValue", "type": "string"}, {"name": "CorrelationId", "type": "string"}, {"name": "Authorization", "type": "string"}, {"name": "Authorization_d", "type": "dynamic"}, {"name": "Claims", "type": "string"}, {"name": "Claims_d", "type": "dynamic"}, {"name": "Level", "type": "string"}, {"name": "OperationNameValue", "type": "string"}, {"name": "Properties", "type": "string"}, {"name": "Properties_d", "type": "dynamic"}, {"name": "Caller", "type": "string"}, {"name": "EventDataId", "type": "string"}, {"name": "EventSubmissionTimestamp", "type": "datetime"}, {"name": "HTTPRequest", "type": "string"}, {"name": "OperationId", "type": "string"}, {"name": "ResourceGroup", "type": "string"}, {"name": "ResourceProviderValue", "type": "string"}, {"name": "ActivityStatusValue", "type": "string"}, {"name": "ActivitySubstatusValue", "type": "string"}, {"name": "Hierarchy", "type": "string"}, {"name": "TimeGenerated", "type": "datetime"}, {"name": "SubscriptionId", "type": "string"}, {"name": "OperationName", "type": "string"}, {"name": "ActivityStatus", "type": "string"}, {"name": "ActivitySubstatus", "type": "string"}, {"name": "Category", "type": "string"}, {"name": "ResourceId", "type": "string"}, {"name": "ResourceProvider", "type": "string"}, {"name": "Resource", "type": "string"}, {"name": "Type", "type": "string"}, {"name": "_ResourceId", "type": "string"}], "rows": [["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Azure", "XX.XX.XXX.XXX", "Administrative", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "{\"action\":\"Microsoft.Authorization/roleAssignments/write\",\"scope\":\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", null, "", null, "Informational", "Microsoft.Authorization/roleAssignments/write", "{\"requestbody\":\"{\\\"Id\\\":\\\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\\",\\\"Properties\\\":{\\\"PrincipalId\\\":\\\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\\",\\\"PrincipalType\\\":\\\"User\\\",\\\"RoleDefinitionId\\\":\\\"/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\\",\\\"Scope\\\":\\\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\\",\\\"Condition\\\":null,\\\"ConditionVersion\\\":null}}\",\"eventCategory\":\"Administrative\",\"entity\":\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"message\":\"Microsoft.Authorization/roleAssignments/write\",\"hierarchy\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", null, "wazuh.user@wazuh.com", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "2022-06-03T14:06:41.181Z", "{\"clientRequestId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"clientIpAddress\":\"XX.XX.XXX.XXX\",\"method\":\"PUT\"}", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "", "Microsoft.Authorization", "Started", "", "", "2022-06-03T14:05:09.955Z", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Create role assignment", "Started", "", "Administrative", "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Microsoft.Authorization", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "AzureActivity", "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/roleassignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Azure", "XX.XX.XXX.XXX", "Administrative", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "{\"action\":\"Microsoft.Authorization/roleAssignments/write\",\"scope\":\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", null, "", null, "Informational", "Microsoft.Authorization/roleAssignments/write", "{\"statusCode\":\"Created\",\"serviceRequestId\":null,\"eventCategory\":\"Administrative\",\"entity\":\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"message\":\"Microsoft.Authorization/roleAssignments/write\",\"hierarchy\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", null, "wazuh.user@wazuh.com", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "2022-06-03T14:06:41.181Z", "{\"clientRequestId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"clientIpAddress\":\"XX.XX.XXX.XXX\",\"method\":\"PUT\"}", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "", "Microsoft.Authorization", "Succeeded", "Created", "", "2022-06-03T14:05:13.004Z", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Create role assignment", "Succeeded", "Created (HTTP Status Code: 201)", "Administrative", "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "Microsoft.Authorization", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "AzureActivity", "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/microsoft.authorization/roleassignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]]}]}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/log_analytics_events_empty b/src/modules/azure/scripts/tests/data/log_analytics_events_empty
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/data/log_analytics_events_no_results b/src/modules/azure/scripts/tests/data/log_analytics_events_no_results
new file mode 100644
index 0000000000..ea1908b42f
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/log_analytics_events_no_results
@@ -0,0 +1 @@
+{"tables": [{"name": "PrimaryResult", "columns": [], "rows": []}]}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/storage_events_inline b/src/modules/azure/scripts/tests/data/storage_events_inline
new file mode 100644
index 0000000000..66e5d1a389
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/storage_events_inline
@@ -0,0 +1,2 @@
+{"time": "2022-04-02T08:50:06.9024666Z", "resourceId": "/tenants/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.aadiam", "operationName": "Get Guest Usages resource", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resultSignature": "None", "resultDescription": "User Authorization: User was granted 'Subscription Admin' access rights", "durationMs": 0, "callerIpAddress": "XX.XX.XX.XX", "correlationId": "e362c4d1-8997-49fa-8a44-75a34ca8f70b", "identity": "509e4652-da8d-478d-a730-e9d4a1996ca4", "Level": 4, "properties": {"id":"B2C_e362c4d1-8997-49fa-8a44-75a34ca8f70b_YOERP_157856","category":"Authorization","correlationId":"e362c4d1-8997-49fa-8a44-75a34ca8f70b","result":"success","resultReason":"User Authorization: User was granted 'Subscription Admin' access rights","activityDisplayName":"Get Guest Usages resource","activityDateTime":"2022-04-02T08:50:06.9024666+00:00","loggedByService":"B2C","operationType":"","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"509e4652-da8d-478d-a730-e9d4a1996ca4","servicePrincipalId":null,"servicePrincipalName":"509e4652-da8d-478d-a730-e9d4a1996ca4"}},"targetResources":[{"id":null,"displayName":"NotSet","type":"Directory","modifiedProperties":[],"administrativeUnits":[]}],"additionalDetails":[{"key":"targetTenant","value":"Undefined tenant"},{"key":"targetEntityType","value":"Resource"},{"key":"actorIdentityType","value":"ApplicationID"}]}}
+{"time": "2022-04-02T08:50:06.9493478Z", "resourceId": "/tenants/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.aadiam", "operationName": "Get Guest Usages resource", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "XX.XX.XX.XX", "correlationId": "e362c4d1-8997-49fa-8a44-75a34ca8f70b", "identity": "509e4652-da8d-478d-a730-e9d4a1996ca4", "Level": 4, "properties": {"id":"B2C_e362c4d1-8997-49fa-8a44-75a34ca8f70b_YOERP_157910","category":"ResourceManagement","correlationId":"e362c4d1-8997-49fa-8a44-75a34ca8f70b","result":"success","resultReason":null,"activityDisplayName":"Get Guest Usages resource","activityDateTime":"2022-04-02T08:50:06.9493478+00:00","loggedByService":"B2C","operationType":"","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"509e4652-da8d-478d-a730-e9d4a1996ca4","servicePrincipalId":null,"servicePrincipalName":"509e4652-da8d-478d-a730-e9d4a1996ca4"}},"targetResources":[{"id":null,"displayName":"NotSet","type":"Directory","modifiedProperties":[],"administrativeUnits":[]}],"additionalDetails":[{"key":"targetTenant","value":"Undefined tenant"},{"key":"targetEntityType","value":"Resource"},{"key":"actorIdentityType","value":"ApplicationID"}]}}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/storage_events_json b/src/modules/azure/scripts/tests/data/storage_events_json
new file mode 100644
index 0000000000..b8e15b2858
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/storage_events_json
@@ -0,0 +1 @@
+{"records": [{"time": "2022-04-02T08:50:06.9024666Z", "resourceId": "/tenants/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.aadiam", "operationName": "Get Guest Usages resource", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resultSignature": "None", "resultDescription": "User Authorization: User was granted 'Subscription Admin' access rights", "durationMs": 0, "callerIpAddress": "XX.XX.XX.XX", "correlationId": "e362c4d1-8997-49fa-8a44-75a34ca8f70b", "identity": "509e4652-da8d-478d-a730-e9d4a1996ca4", "Level": 4, "properties": {"id":"B2C_e362c4d1-8997-49fa-8a44-75a34ca8f70b_YOERP_157856","category":"Authorization","correlationId":"e362c4d1-8997-49fa-8a44-75a34ca8f70b","result":"success","resultReason":"User Authorization: User was granted 'Subscription Admin' access rights","activityDisplayName":"Get Guest Usages resource","activityDateTime":"2022-04-02T08:50:06.9024666+00:00","loggedByService":"B2C","operationType":"","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"509e4652-da8d-478d-a730-e9d4a1996ca4","servicePrincipalId":null,"servicePrincipalName":"509e4652-da8d-478d-a730-e9d4a1996ca4"}},"targetResources":[{"id":null,"displayName":"NotSet","type":"Directory","modifiedProperties":[],"administrativeUnits":[]}],"additionalDetails":[{"key":"targetTenant","value":"Undefined tenant"},{"key":"targetEntityType","value":"Resource"},{"key":"actorIdentityType","value":"ApplicationID"}]}},{"time": "2022-04-02T08:50:06.9493478Z", "resourceId": "/tenants/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.aadiam", "operationName": "Get Guest Usages resource", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "XX.XX.XX.XX", "correlationId": "e362c4d1-8997-49fa-8a44-75a34ca8f70b", "identity": "509e4652-da8d-478d-a730-e9d4a1996ca4", "Level": 4, "properties": {"id":"B2C_e362c4d1-8997-49fa-8a44-75a34ca8f70b_YOERP_157910","category":"ResourceManagement","correlationId":"e362c4d1-8997-49fa-8a44-75a34ca8f70b","result":"success","resultReason":null,"activityDisplayName":"Get Guest Usages resource","activityDateTime":"2022-04-02T08:50:06.9493478+00:00","loggedByService":"B2C","operationType":"","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"509e4652-da8d-478d-a730-e9d4a1996ca4","servicePrincipalId":null,"servicePrincipalName":"509e4652-da8d-478d-a730-e9d4a1996ca4"}},"targetResources":[{"id":null,"displayName":"NotSet","type":"Directory","modifiedProperties":[],"administrativeUnits":[]}],"additionalDetails":[{"key":"targetTenant","value":"Undefined tenant"},{"key":"targetEntityType","value":"Resource"},{"key":"actorIdentityType","value":"ApplicationID"}]}}]}
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/data/storage_events_plain b/src/modules/azure/scripts/tests/data/storage_events_plain
new file mode 100644
index 0000000000..3d3f3ffc8d
--- /dev/null
+++ b/src/modules/azure/scripts/tests/data/storage_events_plain
@@ -0,0 +1,3 @@
+text message 1
+text message 2
+text message 3
\ No newline at end of file
diff --git a/src/modules/azure/scripts/tests/db/__init__.py b/src/modules/azure/scripts/tests/db/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/azure/scripts/tests/db/test_db_utils.py b/src/modules/azure/scripts/tests/db/test_db_utils.py
new file mode 100644
index 0000000000..8b23398529
--- /dev/null
+++ b/src/modules/azure/scripts/tests/db/test_db_utils.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import sys
+from datetime import datetime
+from os.path import abspath, dirname
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+sys.path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+
+from azure_utils import DATETIME_MASK
+from db import orm
+from db.utils import create_new_row, update_row_object
+
+PAST_DATE = '2022-01-01T12:00:00.000000Z'
+PRESENT_DATE = '2022-06-15T12:00:00.000000Z'
+FUTURE_DATE = '2022-12-31T12:00:00.000000Z'
+
+
+@pytest.mark.parametrize(
+    'min_date, max_date',
+    [
+        (PAST_DATE, PRESENT_DATE),
+        (PAST_DATE, FUTURE_DATE),
+        (PRESENT_DATE, PRESENT_DATE),
+        (PRESENT_DATE, FUTURE_DATE),
+        (FUTURE_DATE, FUTURE_DATE),
+    ],
+)
+@patch('db.orm.update_row')
+@patch('db.orm.get_row')
+def test_update_row_object(mock_get, mock_update, min_date, max_date):
+    """Test update_row_object alter the database values when corresponds."""
+    mock_table = MagicMock(__tablename__='')
+    mock_get.return_value = MagicMock(min_processed_date=PRESENT_DATE, max_processed_date=PRESENT_DATE)
+    update_row_object(table=mock_table, md5_hash='', new_min=min_date, new_max=max_date, query='')
+    if min_date < PRESENT_DATE or max_date > PRESENT_DATE:
+        mock_update.assert_called_with(
+            table=mock_table,
+            md5='',
+            query='',
+            min_date=min_date if min_date < PRESENT_DATE else PRESENT_DATE,
+            max_date=max_date if max_date > PRESENT_DATE else PRESENT_DATE,
+        )
+    else:
+        mock_update.assert_not_called()
+
+
+@patch('azure_utils.logging.error')
+@patch('db.orm.get_row', side_effect=AttributeError)
+def test_update_row_object_ko(mock_get, mock_logging):
+    """Test update_row_object handles ORM errors as expected."""
+    with pytest.raises(SystemExit) as err:
+        update_row_object(table=MagicMock(__tablename__=''), md5_hash=None, new_min=None, new_max=None)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.logging.error')
+@patch('db.orm.update_row', side_effect=orm.AzureORMError)
+@patch(
+    'db.orm.get_row',
+    return_value=MagicMock(min_processed_date=PRESENT_DATE, max_processed_date=PRESENT_DATE),
+)
+def test_update_row_object_ko_update(mock_get, mock_update, mock_logging):
+    """Test update_row_object handles ORM errors as expected."""
+    with pytest.raises(SystemExit) as err:
+        update_row_object(
+            table=MagicMock(__tablename__=''),
+            md5_hash=None,
+            new_min=PAST_DATE,
+            new_max=FUTURE_DATE,
+        )
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('db.orm.add_row')
+def test_create_new_row(add_row):
+    """Test create_new_row invokes the ORM functionality with a valid row object."""
+    mock_table = MagicMock(__tablename__='')
+    item = create_new_row(table=mock_table, md5_hash='hash', query='query', offset=None)
+    datetime_str = datetime.utcnow().replace(hour=0, minute=0, second=0, microsecond=0).strftime(DATETIME_MASK)
+    mock_table.assert_called_with(
+        md5='hash',
+        query='query',
+        min_processed_date=datetime_str,
+        max_processed_date=datetime_str,
+    )
+    add_row.assert_called_with(row=item)
+
+
+@patch('azure_utils.logging.error')
+@patch('db.orm.add_row', side_effect=orm.AzureORMError)
+def test_create_new_row_ko(mock_add_row, mock_logging):
+    """Test create_new_row raises an error if when attempting to add a invalid row object."""
+    with pytest.raises(SystemExit) as err:
+        create_new_row(
+            table=MagicMock(__tablename__=''),
+            md5_hash='hash',
+            query='query',
+            offset=None,
+        )
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
diff --git a/src/modules/azure/scripts/tests/db/test_orm.py b/src/modules/azure/scripts/tests/db/test_orm.py
new file mode 100644
index 0000000000..9ea600683a
--- /dev/null
+++ b/src/modules/azure/scripts/tests/db/test_orm.py
@@ -0,0 +1,292 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import hashlib
+import json
+import sys
+from os.path import abspath, dirname, join, realpath
+from unittest.mock import patch
+
+import pytest
+from sqlalchemy import create_engine, inspect
+from sqlalchemy.exc import IntegrityError
+
+sys.path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+
+import db.orm as orm
+
+# Overwrite ORM's engine to avoid creating the local database file during the tests
+orm.engine = create_engine('sqlite:///', echo=False)
+orm.session = orm.sessionmaker(bind=orm.engine)()
+
+test_data_path = join(dirname(dirname(realpath(__file__))), 'data')
+test_last_dates_path = join(test_data_path, 'last_date_files')
+
+
+@pytest.fixture(scope='function')
+def create_and_teardown_db():
+    """Create the database and purge it after the test execution."""
+    orm.create_db()
+    yield
+    orm.Base.metadata.drop_all(orm.engine)
+
+
+@pytest.fixture(scope='function')
+def teardown_db():
+    """Do not create a database before the test but purge it after the execution."""
+    yield
+    orm.Base.metadata.drop_all(orm.engine)
+
+
+@pytest.mark.parametrize(
+    'expected_table_names, expected_columns',
+    [
+        (
+            ['graph', 'log_analytics', 'storage'],
+            ['md5', 'query', 'min_processed_date', 'max_processed_date'],
+        )
+    ],
+)
+def test_create_db(expected_table_names, expected_columns, teardown_db):
+    """Check if the create_db function works as expected."""
+    # Check there is no tables available
+    inspector = inspect(orm.engine)
+    assert inspector.get_table_names() == []
+
+    # Create the tables
+    orm.create_db()
+
+    # Validate the tables and their structure
+    inspector = inspect(orm.engine)
+    table_names = inspector.get_table_names()
+    assert table_names == expected_table_names
+    for table in table_names:
+        assert [x['name'] for x in inspector.get_columns(table)] == expected_columns
+
+
+def test_add_get_row(create_and_teardown_db):
+    """Test the ORM is able to insert row into the different tables and retrieve them as a whole and individually as
+    expected."""
+    # Add several entries and validate them
+    for table in [orm.Graph, orm.LogAnalytics, orm.Storage]:
+        for id_ in range(3):
+            md5 = hashlib.md5(f'{table.__tablename__}{id_}'.encode()).hexdigest()
+            original_datetime = '2022-01-01T23:59:59.1234567Z'
+            row = table(
+                md5=md5,
+                query='',
+                min_processed_date=original_datetime,
+                max_processed_date=original_datetime,
+            )
+            orm.add_row(row=row)
+            row = orm.get_row(table=table, md5=md5)
+            assert row
+            assert row.md5 == md5
+            assert row.min_processed_date == original_datetime
+            assert row.max_processed_date == original_datetime
+
+            # Update the row
+            new_datetime = '1999-01-01T23:59:59.1234567Z'
+            orm.update_row(
+                table=table,
+                md5=md5,
+                min_date=new_datetime,
+                max_date=new_datetime,
+                query='query',
+            )
+            row = orm.get_row(table=table, md5=md5)
+            assert row.min_processed_date == new_datetime
+            assert row.max_processed_date == new_datetime
+
+        assert len(orm.get_all_rows(table=table)) == 3
+
+    # Try to obtain a non-existing item
+    assert orm.get_row(table=orm.Graph, md5='non-existing') is None
+
+
+def test_add_ko(create_and_teardown_db):
+    """Test the add_row function by attempting to insert a row with None values. The commit operation should raise an
+    IntegrityError that must be caught."""
+    row = orm.Graph(md5='test', query='', min_processed_date=None, max_processed_date=None)
+    with pytest.raises(orm.AzureORMError):
+        orm.add_row(row=row)
+    assert len(orm.get_all_rows(orm.Graph)) == 0
+
+
+def test_get_rows_ko(create_and_teardown_db):
+    """Ensure the get_rows function fails when using an invalid database."""
+    orm.Base.metadata.drop_all(orm.engine)
+    with pytest.raises(orm.AzureORMError):
+        assert orm.get_row(table=orm.Graph, md5='')
+    with pytest.raises(orm.AzureORMError):
+        orm.get_all_rows(table=orm.Graph)
+
+
+@patch('db.orm.session.commit', side_effect=IntegrityError)
+def test_update_row_ko(create_and_teardown_db):
+    """Ensure the update_row function catch exceptions when trying to commit the changes."""
+    with pytest.raises(orm.AzureORMError):
+        orm.update_row(orm.Graph, md5='test', min_date='', max_date='')
+
+
+@pytest.mark.parametrize(
+    'last_dates_file_path',
+    [
+        (join(test_last_dates_path, 'last_dates.json')),
+        (join(test_last_dates_path, 'last_dates_graph.json')),
+        (join(test_last_dates_path, 'last_dates_log_analytics.json')),
+        (join(test_last_dates_path, 'last_dates_storage.json')),
+        (join(test_last_dates_path, 'last_dates_old.json')),
+        (join(test_last_dates_path, 'last_dates_clean.json')),
+        (join(test_last_dates_path, 'last_dates_with_invalid_min_max.json')),
+        (join(test_last_dates_path, 'last_dates_old_invalid_value.json')),
+    ],
+)
+def test_load_dates_json(last_dates_file_path):
+    """Check the load_dates_json function properly loads the contents of the files, regardless of their structure as
+    long as it is a valid one."""
+    with patch('db.orm.last_dates_path', new=last_dates_file_path):
+        last_dates_dict = orm.load_dates_json()
+        for key in last_dates_dict.keys():
+            assert isinstance(last_dates_dict[key], dict)
+            for md5 in last_dates_dict[key].keys():
+                assert isinstance(last_dates_dict[key][md5], dict)
+                assert set(last_dates_dict[key][md5].keys()) == {'min', 'max'}
+
+
+@patch('db.orm.exists', return_value=False)
+@patch('builtins.open')
+def test_load_dates_json_no_file(mock_open, mock_exists):
+    """Check the load_dates_json handles exception as expected when no file is provided."""
+    assert orm.load_dates_json() == orm.last_dates_default_contents
+    mock_exists.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'last_dates_file_path',
+    [(join(test_last_dates_path, 'last_dates_invalid.json'))],
+)
+def test_load_dates_json_ko(last_dates_file_path):
+    """Check the load_dates_json handles exception as expected when an invalid file is provided."""
+    with patch('db.orm.last_dates_path', new=last_dates_file_path):
+        with pytest.raises(json.JSONDecodeError):
+            orm.load_dates_json()
+
+
+@pytest.mark.parametrize(
+    'file_exists, file_size',
+    [
+        (True, 0),
+        (True, 100),
+        (False, 100),
+    ],
+)
+@patch('db.orm.create_db')
+@patch('db.orm.migrate_from_last_dates_file')
+def test_check_integrity(mock_migrate, mock_create_db, create_and_teardown_db, file_exists, file_size):
+    """Ensure that the check_integrity functions is able to create a new database file."""
+    with patch('db.orm.exists', return_value=file_exists):
+        with patch('db.orm.getsize', return_value=file_size):
+            orm.check_database_integrity()
+            mock_create_db.assert_called()
+            if file_exists and file_size > 0:
+                mock_migrate.assert_called()
+            else:
+                mock_migrate.assert_not_called()
+
+
+def test_check_integrity_ko(teardown_db):
+    """Ensure the check_integrity function returns a False value when the migration process fails."""
+    with patch('db.orm.exists'):
+        with patch('db.orm.getsize', return_value=100):
+            with patch(
+                'db.orm.migrate_from_last_dates_file',
+                side_effect=Exception,
+            ):
+                assert orm.check_database_integrity() is False
+
+
+@pytest.mark.parametrize(
+    'last_dates_file_path',
+    [
+        (join(test_last_dates_path, 'last_dates.json')),
+        (join(test_last_dates_path, 'last_dates_graph.json')),
+        (join(test_last_dates_path, 'last_dates_log_analytics.json')),
+        (join(test_last_dates_path, 'last_dates_storage.json')),
+        (join(test_last_dates_path, 'last_dates_old.json')),
+        (join(test_last_dates_path, 'last_dates_clean.json')),
+    ],
+)
+def test_migrate_from_last_dates_file(last_dates_file_path, create_and_teardown_db):
+    """Test the last_dates file migration functionality."""
+    items = orm.get_all_rows(table=orm.Graph)
+    assert len(items) == 0
+
+    with open(last_dates_file_path, 'r') as file:
+        test_file_contents = json.load(file)
+
+    with patch('db.orm.last_dates_path', new=last_dates_file_path):
+        orm.migrate_from_last_dates_file()
+
+    # Validate the contents of each table
+    for table in [orm.Graph, orm.LogAnalytics, orm.Storage]:
+        items = orm.get_all_rows(table=table)
+        if table.__tablename__ in test_file_contents:
+            assert len(items) == len(test_file_contents[table.__tablename__].keys())
+            for item in items:
+                try:
+                    assert test_file_contents[table.__tablename__][item.md5]['min'] == item.min_processed_date
+                    assert test_file_contents[table.__tablename__][item.md5]['max'] == item.max_processed_date
+                except (KeyError, TypeError):
+                    # Old last_dates.json structure
+                    assert test_file_contents[table.__tablename__][item.md5] == item.max_processed_date
+
+
+def test_min_max_valid():
+    json_content = {'min': '2022-03-07T15:12:56.98Z', 'max': '2022-03-17T15:12:56.98Z'}
+
+    result = orm.get_min_max_values(json_content)
+    assert result == json_content
+
+
+def test_min_max_invalid_min():
+    json_content = {'min': '0', 'max': '2022-03-17T15:12:56.98Z'}
+
+    result = orm.get_min_max_values(json_content)
+    assert result == {'min': json_content['max'], 'max': json_content['max']}
+
+
+def test_min_max_invalid_max():
+    json_content = {'min': '2022-03-17T15:12:56.98Z', 'max': '0'}
+
+    result = orm.get_min_max_values(json_content)
+    assert result == {'min': json_content['min'], 'max': json_content['min']}
+
+
+def test_min_max_invalid_max_and_min(monkeypatch):
+    json_content = {'min': '0', 'max': '0'}
+    expected_value = orm.get_default_min_max_values()
+    monkeypatch.setattr(orm, 'get_default_min_max_values', lambda: expected_value)
+
+    result = orm.get_min_max_values(json_content)
+    assert result == {'min': expected_value, 'max': expected_value}
+
+
+def test_min_max_valid_old_format():
+    json_content = '2022-03-04T15:12:56.98Z'
+
+    result = orm.get_min_max_values(json_content)
+    assert result == {'min': json_content, 'max': json_content}
+
+
+def test_min_max_invalid_old_format(monkeypatch):
+    json_content = '0'
+    expected_value = orm.get_default_min_max_values()
+    monkeypatch.setattr(orm, 'get_default_min_max_values', lambda: expected_value)
+
+    result = orm.get_min_max_values(json_content)
+    assert result == {'min': expected_value, 'max': expected_value}
diff --git a/src/modules/azure/scripts/tests/test_azure_utils.py b/src/modules/azure/scripts/tests/test_azure_utils.py
new file mode 100644
index 0000000000..e50ff52f9a
--- /dev/null
+++ b/src/modules/azure/scripts/tests/test_azure_utils.py
@@ -0,0 +1,266 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import os
+import socket
+import sys
+from os.path import abspath, dirname
+from unittest.mock import MagicMock, patch
+
+import pytest
+from dateutil.parser import parse
+from requests import RequestException
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+
+from azure_utils import (
+    ANALYSISD,
+    LOG_LEVELS,
+    LOGGING_DATE_FORMAT,
+    LOGGING_MSG_FORMAT,
+    SOCKET_HEADER,
+    URL_LOGGING,
+    arg_valid_blob_extension,
+    arg_valid_container_name,
+    arg_valid_graph_query,
+    arg_valid_la_query,
+    get_script_arguments,
+    get_token,
+    offset_to_datetime,
+    read_auth_file,
+    send_message,
+    set_logger,
+)
+
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+TEST_AUTHENTICATION_PATH = os.path.join(TEST_DATA_PATH, 'authentication_files')
+
+
+@pytest.mark.parametrize('debug_level', [0, 1, 2, 3])
+@patch('azure_utils.logging.basicConfig')
+def test_set_logger(mock_logging, debug_level):
+    """Test set_logger sets the expected logging verbosity level."""
+    set_logger(debug_level)
+    mock_logging.assert_called_with(
+        level=LOG_LEVELS.get(debug_level, logging.INFO),
+        format=LOGGING_MSG_FORMAT,
+        datefmt=LOGGING_DATE_FORMAT,
+    )
+    assert logging.getLogger('azure').level == LOG_LEVELS.get(debug_level, logging.WARNING).real
+    assert logging.getLogger('urllib3').level == logging.ERROR.real
+
+
+def test_get_script_arguments(capsys):
+    """Test get_script_arguments shows no messages when the required parameters were provided."""
+    with patch('sys.argv', ['main', '--graph']):
+        get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == '', 'stdout was not empty'
+    assert stderr == '', 'stderr was not empty'
+
+
+@pytest.mark.parametrize(
+    'args',
+    [
+        ['main'],
+        ['main', '--graph', '--log_analytics'],
+        ['main', '--graph', '--storage'],
+        ['main', '--log_analytics', '--storage'],
+    ],
+)
+def test_get_script_arguments_exclusive(capsys, args):
+    """Test get_script_arguments shows an error message when the required parameters are not provided."""
+    with patch('sys.argv', args), pytest.raises(SystemExit) as exception:
+        get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == '', 'The output was not empty'
+    assert stderr != '', 'No error message was found in the output'
+    assert exception.value.code == 2
+
+
+@pytest.mark.parametrize('arg_string', ['"string"', "'string'", None])
+def test_arg_valid_container_name(arg_string):
+    """Test arg_valid_container_name removes unwanted characters from the container name."""
+    result = arg_valid_container_name(arg_string)
+    if result:
+        assert '"' not in result
+
+
+@pytest.mark.parametrize('arg_string', ['"string"', "'string'", 'string\\$', "string 'test'", None])
+def test_arg_valid_graph_query(arg_string):
+    """Test arg_valid_graph_query removes unwanted characters from the graph query."""
+    result = arg_valid_graph_query(arg_string)
+    if result:
+        assert result[0] != "'"
+        assert result[-1] != "'"
+        assert '\\$' not in result
+
+
+@pytest.mark.parametrize('arg_string', ['string!', 'string\\!', '\\!string\\!', None])
+def test_arg_valid_la_query(arg_string):
+    """Test arg_valid_la_query removes unwanted characters from the log analytics query."""
+    result = arg_valid_la_query(arg_string)
+    if result:
+        assert '\\!' not in result
+
+
+@pytest.mark.parametrize('arg_string', ['"string"', '*', '"*"', None])
+def test_arg_valid_blob_extension(arg_string):
+    """Test arg_valid_blob_extension removes unwanted characters from the blob extension."""
+    result = arg_valid_blob_extension(arg_string)
+    if result:
+        assert '"' not in result
+        assert '*' not in result
+
+
+@pytest.mark.parametrize(
+    'file_name, fields',
+    [
+        ('valid_authentication_file', ('application_id', 'application_key')),
+        ('valid_authentication_file_alt', ('application_key', 'application_id')),
+        ('valid_authentication_file_extra_line', ('application_id', 'application_key')),
+        ('valid_authentication_file_storage', ('account_name', 'account_key')),
+    ],
+)
+def test_read_auth_file(file_name, fields):
+    """Test read_auth_file correctly handles valid authentication files."""
+    credentials = read_auth_file(auth_path=os.path.join(TEST_AUTHENTICATION_PATH, file_name), fields=fields)
+    assert isinstance(credentials, tuple)
+    for i in range(len(fields)):
+        assert credentials[i] == f'{fields[i]}_value'
+
+
+@pytest.mark.parametrize(
+    'file_name',
+    [
+        'no_file',
+        'empty_authentication_file',
+        'invalid_authentication_file',
+        'invalid_authentication_file_2',
+        'invalid_authentication_file_3',
+    ],
+)
+@patch('azure_utils.logging.error')
+def test_read_auth_file_ko(mock_logging, file_name):
+    """Test read_auth_file correctly handles invalid authentication files."""
+    with pytest.raises(SystemExit) as err:
+        read_auth_file(
+            auth_path=os.path.join(TEST_AUTHENTICATION_PATH, file_name),
+            fields=('field', 'field'),
+        )
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.post')
+def test_get_token(mock_post):
+    """Test get_token makes the expected token request and returns its value."""
+    expected_token = 'token'
+    client_id = 'client'
+    secret = 'secret'
+    scope = 'scope'
+    domain = 'domain'
+    body = {
+        'client_id': client_id,
+        'client_secret': secret,
+        'scope': scope,
+        'grant_type': 'client_credentials',
+    }
+    m = MagicMock()
+    m.json.return_value = {'access_token': expected_token}
+    mock_post.return_value = m
+    token = get_token(client_id, secret, domain, scope)
+    auth_url = f'{URL_LOGGING}/{domain}/oauth2/v2.0/token'
+    mock_post.assert_called_with(auth_url, data=body, timeout=10)
+    assert token == expected_token
+
+
+@pytest.mark.parametrize(
+    'exception, error_msg, error_codes',
+    [
+        (RequestException, None, None),
+        (None, 'unauthorized_client', None),
+        (None, 'invalid_client', None),
+        (None, 'invalid_request', [0]),
+        (None, 'invalid_request', [0, 90002]),
+        (None, 'invalid', []),
+        (None, '', []),
+        (None, None, []),
+    ],
+)
+@patch('azure_utils.logging.error')
+@patch('azure_utils.post')
+def test_get_token_ko(mock_post, mock_logging, exception, error_msg, error_codes):
+    """Test get_token handles exceptions when the 'access_token' field is not present in the response."""
+    m = MagicMock()
+    m.json.return_value = {'error': error_msg, 'error_codes': error_codes}
+    mock_post.return_value = m
+    mock_post.side_effect = exception
+    with pytest.raises(SystemExit) as err:
+        get_token(client_id=None, secret=None, domain=None, scope=None)
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
+
+
+@patch('azure_utils.socket.close')
+@patch('azure_utils.socket.send')
+@patch('azure_utils.socket.connect')
+def test_send_message(mock_connect, mock_send, mock_close):
+    """Test send_message sends the messages to the Wazuh queue socket."""
+    message = 'msg'
+    send_message(message)
+    mock_connect.assert_called_with(ANALYSISD)
+    mock_send.assert_called_with(f'{SOCKET_HEADER}{message}'.encode(errors='replace'))
+    mock_close.assert_called_once()
+
+
+@pytest.mark.parametrize('error_code', [111, 90, 1])
+@patch('azure_utils.logging.error')
+@patch('azure_utils.socket.close')
+@patch('azure_utils.socket.send')
+@patch('azure_utils.socket.connect')
+def test_send_message_ko(mock_connect, mock_send, mock_close, mock_logging, error_code):
+    """Test send_message handle the socket exceptions."""
+    s = socket.error()
+    s.errno = error_code
+    mock_send.side_effect = s
+
+    if error_code == 90:
+        send_message('')
+    else:
+        with pytest.raises(SystemExit) as err:
+            send_message('')
+        assert err.value.code == 1
+    mock_close.assert_called_once()
+    mock_logging.assert_called_once()
+
+
+@pytest.mark.parametrize(
+    'offset, expected_date',
+    [
+        ('1d', '2022-12-30T12:00:00.000000Z'),
+        ('1h', '2022-12-31T11:00:00.000000Z'),
+        ('1m', '2022-12-31T11:59:00.000000Z'),
+    ],
+)
+@patch('azure_utils.datetime')
+def test_offset_to_datetime(mock_time, offset, expected_date):
+    """Test offset_to_datetime returns the expected values for the offset provided."""
+    mock_time.utcnow.return_value = parse('2022-12-31T12:00:00.000000Z')
+    result = offset_to_datetime(offset)
+    assert result == parse(expected_date)
+
+
+@patch('azure_utils.logging.error')
+@patch('azure_utils.datetime')
+def test_offset_to_datetime_ko(mock_time, mock_logging):
+    """Test offset_to_datetime handles the exception when an invalid offset format was provided."""
+    with pytest.raises(SystemExit) as err:
+        offset_to_datetime('1x')
+    assert err.value.code == 1
+    mock_logging.assert_called_once()
diff --git a/src/modules/azure/scripts/utils.py b/src/modules/azure/scripts/utils.py
new file mode 100644
index 0000000000..93590c9ce3
--- /dev/null
+++ b/src/modules/azure/scripts/utils.py
@@ -0,0 +1,45 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+from functools import lru_cache
+
+
+@lru_cache(maxsize=None)
+def find_wazuh_path() -> str:
+    """
+    Get the Wazuh installation path.
+
+    Returns
+    -------
+    str
+        Path where Wazuh is installed or empty string if there is no framework in the environment.
+    """
+    abs_path = os.path.abspath(os.path.dirname(__file__))
+    allparts = []
+    while 1:
+        parts = os.path.split(abs_path)
+        if parts[0] == abs_path:  # sentinel for absolute paths
+            allparts.insert(0, parts[0])
+            break
+        elif parts[1] == abs_path:  # sentinel for relative paths
+            allparts.insert(0, parts[1])
+            break
+        else:
+            abs_path = parts[0]
+            allparts.insert(0, parts[1])
+
+    wazuh_path = ''
+    try:
+        for i in range(0, allparts.index('wodles')):
+            wazuh_path = os.path.join(wazuh_path, allparts[i])
+    except ValueError:
+        pass
+
+    return wazuh_path
+
+
+ANALYSISD = os.path.join(find_wazuh_path(), 'queue', 'sockets', 'queue')
+# Max size of the event that ANALYSISID can handle
+MAX_EVENT_SIZE = 65535
diff --git a/src/modules/azure/src/wm_azure.c b/src/modules/azure/src/wm_azure.c
new file mode 100644
index 0000000000..4d5b53df7e
--- /dev/null
+++ b/src/modules/azure/src/wm_azure.c
@@ -0,0 +1,555 @@
+/*
+ * Wazuh Module for Azure integration
+ * Copyright (C) 2015, Wazuh Inc.
+ * September, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WIN32
+
+#include "wmodules.h"
+#include "wm_azure.h"
+
+static wm_azure_t *azure_config;                               // Pointer to Azure-logs configuration
+static int queue_fd;                                           // Output queue file descriptor
+static unsigned int default_timeout;                           // Default timeout for every query
+
+static void* wm_azure_main(wm_azure_t *azure_config);          // Module main function. It won't return
+static void wm_azure_setup(wm_azure_t *_azure_config);           // Setup module
+static void wm_azure_cleanup();                                  // Cleanup function, doesn't overwrite wm_cleanup
+static void wm_azure_check();         // Check configuration
+static void wm_azure_destroy(wm_azure_t *azure_config);        // Destroy data
+
+static void wm_azure_log_analytics(wm_azure_api_t *log_analytics);      // Run log analytics queries
+static void wm_azure_graphs(wm_azure_api_t *graph);                     // Run graph queries
+static void wm_azure_storage(wm_azure_storage_t *storage);              // Run storage queries
+cJSON *wm_azure_dump(const wm_azure_t *azure);                          // Dump configuration to a JSON structure
+
+//  Azure module context definition
+
+const wm_context WM_AZURE_CONTEXT = {
+    .name = AZ_WM_NAME,
+    .start = (wm_routine)wm_azure_main,
+    .destroy = (void(*)(void *))wm_azure_destroy,
+    .dump = (cJSON * (*)(const void *))wm_azure_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+// Module main function. It won't return.
+
+void* wm_azure_main(wm_azure_t *azure_config) {
+
+    wm_azure_api_t *curr_api = NULL;
+    wm_azure_storage_t *curr_storage = NULL;
+    char msg[OS_SIZE_6144];
+    char * timestamp = NULL;
+
+    wm_azure_setup(azure_config);
+    mtinfo(WM_AZURE_LOGTAG, "Module started.");
+
+
+
+    // Main loop
+
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(azure_config->scan_config), WM_AZURE_LOGTAG, azure_config->flags.run_on_start);
+
+        if(azure_config->state.next_time == 0) {
+            azure_config->state.next_time = azure_config->scan_config.time_start + time_sleep;
+        }
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(azure_config->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_AZURE_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtinfo(WM_AZURE_LOGTAG, "Starting fetching of logs.");
+
+        snprintf(msg, OS_SIZE_6144, "Starting Azure-logs scan.");
+        SendMSG(queue_fd, msg, "rootcheck", ROOTCHECK_MQ);
+
+        for (curr_api = azure_config->api_config; curr_api; curr_api = curr_api->next) {
+            if (curr_api->type == LOG_ANALYTICS) {
+                mtinfo(WM_AZURE_LOGTAG, "Starting Log Analytics collection for the domain '%s'.", curr_api->tenantdomain);
+                wm_azure_log_analytics(curr_api);
+                mtinfo(WM_AZURE_LOGTAG, "Finished Log Analytics collection for the domain '%s'.", curr_api->tenantdomain);
+            } else if (curr_api->type == GRAPHS) {
+                mtinfo(WM_AZURE_LOGTAG, "Starting Graphs log collection for the domain '%s'.", curr_api->tenantdomain);
+                wm_azure_graphs(curr_api);
+                mtinfo(WM_AZURE_LOGTAG, "Finished Graphs log collection for the domain '%s'.", curr_api->tenantdomain);
+            }
+        }
+
+        for (curr_storage = azure_config->storage; curr_storage; curr_storage = curr_storage->next) {
+            mtinfo(WM_AZURE_LOGTAG, "Starting Storage log collection for '%s'.", curr_storage->tag);
+            wm_azure_storage(curr_storage);
+            mtinfo(WM_AZURE_LOGTAG, "Finished Storage log collection for '%s'.", curr_storage->tag);
+        }
+
+        snprintf(msg, OS_SIZE_6144, "Ending Azure-logs scan.");
+        SendMSG(queue_fd, msg, "rootcheck", ROOTCHECK_MQ);
+
+        mtdebug1(WM_AZURE_LOGTAG, "Fetching logs finished.");
+
+    } while (FOREVER());
+
+    return NULL;
+}
+
+void wm_azure_log_analytics(wm_azure_api_t *log_analytics) {
+
+    wm_azure_request_t * curr_request = NULL;
+    char query[OS_SIZE_1024];
+    int status;
+    unsigned int timeout;
+
+    for (curr_request = log_analytics->request; curr_request; curr_request = curr_request->next) {
+
+        char * command = NULL;
+        char * output = NULL;
+
+        // Create argument list
+        mtdebug2(WM_AZURE_LOGTAG, "Creating argument list.");
+
+        char * script = NULL;
+        os_calloc(PATH_MAX, sizeof(char), script);
+        snprintf(script, PATH_MAX, "%s", WM_AZURE_SCRIPT_PATH);
+        wm_strcat(&command, script, '\0');
+        os_free(script);
+        wm_strcat(&command, "--log_analytics", ' ');
+
+        if (log_analytics->auth_path) {
+            wm_strcat(&command, "--la_auth_path", ' ');
+            wm_strcat(&command, log_analytics->auth_path, ' ');
+        }
+
+        wm_strcat(&command, "--la_tenant_domain", ' ');
+        wm_strcat(&command, log_analytics->tenantdomain, ' ');
+
+        wm_strcat(&command, "--la_tag", ' ');
+        wm_strcat(&command, curr_request->tag, ' ');
+
+        wm_strcat(&command, "--la_query", ' ');
+        snprintf(query, OS_SIZE_1024 - 1, "\"%s\"", curr_request->query);
+        wm_strcat(&command, query, ' ');
+
+        wm_strcat(&command, "--workspace", ' ');
+        wm_strcat(&command, curr_request->workspace, ' ');
+
+        if (curr_request->time_offset) {
+            wm_strcat(&command, "--la_time_offset", ' ');
+            wm_strcat(&command, curr_request->time_offset, ' ');
+        }
+        if (isDebug()) {
+            char *int_to_string;
+            os_malloc(OS_SIZE_1024, int_to_string);
+            sprintf(int_to_string, "%d", isDebug());
+            wm_strcat(&command, "--debug", ' ');
+            wm_strcat(&command, int_to_string, ' ');
+            os_free(int_to_string);
+        }
+
+        // Check timeout defined
+        if (curr_request->timeout)
+            timeout = curr_request->timeout;
+        else
+            timeout = default_timeout;
+
+        // Run script
+        mtdebug1(WM_AZURE_LOGTAG, "Launching command: %s", command);
+        switch (wm_exec(command, &output, &status, timeout, NULL)) {
+            case 0:
+                if (status > 0) {
+                    mterror(WM_AZURE_LOGTAG, "%s: Returned error code: '%d'.", curr_request->tag, status);
+                    mtdebug1(WM_AZURE_LOGTAG, "OUTPUT: %s", output);
+                }
+                break;
+            case WM_ERROR_TIMEOUT:
+                mterror(WM_AZURE_LOGTAG, "Timeout expired at request '%s'.", curr_request->tag);
+                break;
+            default:
+                mterror(WM_AZURE_LOGTAG, "Internal error. Exiting...");
+                os_free(command);
+                pthread_exit(NULL);
+        }
+
+        mtinfo(WM_AZURE_LOGTAG, "Finished Log Analytics collection for request '%s'.", curr_request->tag);
+
+        os_free(command);
+        os_free(output);
+    }
+}
+
+void wm_azure_graphs(wm_azure_api_t *graph) {
+
+    wm_azure_request_t * curr_request = NULL;
+    char query[OS_SIZE_1024];
+    int status;
+    unsigned int timeout;
+
+    for (curr_request = graph->request; curr_request; curr_request = curr_request->next) {
+
+        char * command = NULL;
+        char * output = NULL;
+
+        // Create argument list
+        mtdebug2(WM_AZURE_LOGTAG, "Creating argument list.");
+
+        char * script = NULL;
+        os_calloc(PATH_MAX, sizeof(char), script);
+        snprintf(script, PATH_MAX, "%s", WM_AZURE_SCRIPT_PATH);
+        wm_strcat(&command, script, '\0');
+        os_free(script);
+        wm_strcat(&command, "--graph", ' ');
+
+        if (graph->auth_path) {
+            wm_strcat(&command, "--graph_auth_path", ' ');
+            wm_strcat(&command, graph->auth_path, ' ');
+        }
+
+        wm_strcat(&command, "--graph_tenant_domain", ' ');
+        wm_strcat(&command, graph->tenantdomain, ' ');
+
+        wm_strcat(&command, "--graph_tag", ' ');
+        wm_strcat(&command, curr_request->tag, ' ');
+
+        wm_strcat(&command, "--graph_query", ' ');
+        snprintf(query, OS_SIZE_1024 - 1, "\'%s\'", curr_request->query);
+        wm_strcat(&command, query, ' ');
+
+        if (curr_request->time_offset) {
+            wm_strcat(&command, "--graph_time_offset", ' ');
+            wm_strcat(&command, curr_request->time_offset, ' ');
+        }
+
+        if (isDebug()) {
+            char *int_to_string;
+            os_malloc(OS_SIZE_1024, int_to_string);
+            sprintf(int_to_string, "%d", isDebug());
+            wm_strcat(&command, "--debug", ' ');
+            wm_strcat(&command, int_to_string, ' ');
+            os_free(int_to_string);
+        }
+
+        // Check timeout defined
+        if (curr_request->timeout)
+            timeout = curr_request->timeout;
+        else
+            timeout = default_timeout;
+
+        // Run script
+        mtdebug1(WM_AZURE_LOGTAG, "Launching command: %s", command);
+        switch (wm_exec(command, &output, &status, timeout, NULL)) {
+            case 0:
+                if (status > 0) {
+                    mterror(WM_AZURE_LOGTAG, "%s: Returned error code: '%d'.", curr_request->tag, status);
+                    mtdebug1(WM_AZURE_LOGTAG, "OUTPUT: %s", output);
+                }
+                break;
+            case WM_ERROR_TIMEOUT:
+                mterror(WM_AZURE_LOGTAG, "Timeout expired at request '%s'.", curr_request->tag);
+                break;
+            default:
+                mterror(WM_AZURE_LOGTAG, "Internal error. Exiting...");
+                os_free(command);
+                pthread_exit(NULL);
+        }
+
+        mtinfo(WM_AZURE_LOGTAG, "Finished Graphs log collection for request '%s'.", curr_request->tag);
+
+        os_free(command);
+        os_free(output);
+    }
+}
+
+void wm_azure_storage(wm_azure_storage_t *storage) {
+
+    wm_azure_container_t * curr_container = NULL;
+    char name[OS_SIZE_256];
+    char blobs[OS_SIZE_256];
+    int status;
+    unsigned int timeout;
+
+    for (curr_container = storage->container; curr_container; curr_container = curr_container->next) {
+
+        char * command = NULL;
+        char * output = NULL;
+
+        // Create argument list
+        mtdebug2(WM_AZURE_LOGTAG, "Creating argument list.");
+
+        char * script = NULL;
+        os_calloc(PATH_MAX, sizeof(char), script);
+        snprintf(script, PATH_MAX, "%s", WM_AZURE_SCRIPT_PATH);
+        wm_strcat(&command, script, '\0');
+        os_free(script);
+        wm_strcat(&command, "--storage", ' ');
+
+        if (storage->auth_path) {
+            wm_strcat(&command, "--storage_auth_path", ' ');
+            wm_strcat(&command, storage->auth_path, ' ');
+        }
+
+        wm_strcat(&command, "--container", ' ');
+        snprintf(name, OS_SIZE_256 - 1, "\"%s\"", curr_container->name);
+        wm_strcat(&command, name, ' ');
+
+        wm_strcat(&command, "--blobs", ' ');
+        if (curr_container->blobs)
+            snprintf(blobs, OS_SIZE_256 - 1, "\"%s\"", curr_container->blobs);
+        else
+            snprintf(blobs, OS_SIZE_256 -1, "\"*\"");
+        wm_strcat(&command, blobs, ' ');
+
+        wm_strcat(&command, "--storage_tag", ' ');
+        wm_strcat(&command, storage->tag, ' ');
+
+        if (curr_container->content_type) {
+            if (!strncmp(curr_container->content_type, "json_file", 9)) {
+                wm_strcat(&command, "--json_file", ' ');
+            } else if (!strncmp(curr_container->content_type, "json_inline", 11)) {
+                wm_strcat(&command, "--json_inline", ' ');
+            }
+        }
+
+        if (curr_container->time_offset) {
+            wm_strcat(&command, "--storage_time_offset", ' ');
+            wm_strcat(&command, curr_container->time_offset, ' ');
+        }
+
+        if (curr_container->path) {
+            wm_strcat(&command, "--prefix", ' ');
+            wm_strcat(&command, curr_container->path, ' ');
+        }
+
+        if (isDebug()) {
+            char *int_to_string;
+            os_malloc(OS_SIZE_1024, int_to_string);
+            sprintf(int_to_string, "%d", isDebug());
+            wm_strcat(&command, "--debug", ' ');
+            wm_strcat(&command, int_to_string, ' ');
+            os_free(int_to_string);
+        }
+
+        // Check timeout defined
+        if (curr_container->timeout)
+            timeout = curr_container->timeout;
+        else
+            timeout = default_timeout;
+
+        // Run script
+        mtdebug1(WM_AZURE_LOGTAG, "Launching command: %s", command);
+        switch (wm_exec(command, &output, &status, timeout, NULL)) {
+            case 0:
+                if (status > 0) {
+                    mterror(WM_AZURE_LOGTAG, "%s: Returned error code: '%d'.", curr_container->name, status);
+                    mtdebug1(WM_AZURE_LOGTAG, "OUTPUT: %s", output);
+                }
+                break;
+            case WM_ERROR_TIMEOUT:
+                mterror(WM_AZURE_LOGTAG, "Timeout expired at request '%s'.", curr_container->name);
+                break;
+            default:
+                mterror(WM_AZURE_LOGTAG, "Internal error. Exiting...");
+                os_free(command);
+                pthread_exit(NULL);
+        }
+
+        mtinfo(WM_AZURE_LOGTAG, "Finished Storage log collection for container '%s'.", curr_container->name);
+
+        os_free(command);
+        os_free(output);
+    }
+}
+
+// Setup module
+
+void wm_azure_setup(wm_azure_t *_azure_config) {
+
+    azure_config = _azure_config;
+    wm_azure_check();
+
+    // Read running state
+
+    if (wm_state_io(WM_AZURE_CONTEXT.name, WM_IO_READ, &azure_config->state, sizeof(azure_config->state)) < 0)
+        memset(&azure_config->state, 0, sizeof(azure_config->state));
+
+    // Connect to socket
+
+    queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    if (queue_fd < 0) {
+        mterror(WM_AZURE_LOGTAG, "Can't connect to queue.");
+        pthread_exit(NULL);
+    }
+
+    // Cleanup exiting
+
+    atexit(wm_azure_cleanup);
+}
+
+// Check configuration
+
+void wm_azure_check() {
+
+    // Check if disabled
+    if (!azure_config->flags.enabled) {
+        mtinfo(WM_AZURE_LOGTAG, "Module disabled. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    // Check if necessary configuration is defined
+
+    if (!azure_config->api_config && !azure_config->storage) {
+        mtwarn(WM_AZURE_LOGTAG, "No API (log_analytics, graph or storage) defined. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    // Set default timeout
+    default_timeout = azure_config->timeout;
+
+}
+
+// Cleanup function, doesn't overwrite wm_cleanup
+
+void wm_azure_cleanup() {
+    close(queue_fd);
+    mtinfo(WM_AZURE_LOGTAG, "Module finished.");
+}
+
+// Destroy data
+
+void wm_azure_destroy(wm_azure_t *azure_config) {
+
+    wm_azure_api_t *curr_api = NULL;
+    wm_azure_api_t *next_api = NULL;
+    wm_azure_storage_t *curr_storage = NULL;
+    wm_azure_storage_t *next_storage = NULL;
+
+    for (curr_api = azure_config->api_config; curr_api; curr_api = next_api) {
+
+        next_api = curr_api->next;
+        free(curr_api->tenantdomain);
+        if (curr_api->auth_path)
+            free(curr_api->auth_path);
+
+        wm_azure_request_t *curr_request = NULL;
+        wm_azure_request_t *next_request = NULL;
+
+        for (curr_request = curr_api->request; curr_request; curr_request = next_request) {
+
+            next_request = curr_request->next;
+            free(curr_request->tag);
+            free(curr_request->query);
+            free(curr_request->time_offset);
+            if (curr_api->type == LOG_ANALYTICS)
+                free(curr_request->workspace);
+
+            free(curr_request);
+        }
+
+        free(curr_api);
+    }
+
+    for (curr_storage = azure_config->storage; curr_storage; curr_storage = next_storage) {
+
+        next_storage = curr_storage->next;
+        free(curr_storage->tag);
+        if (curr_storage->auth_path)
+            free(curr_storage->auth_path);
+
+        wm_azure_container_t *curr_container = NULL;
+        wm_azure_container_t *next_container = NULL;
+
+        for (curr_container = curr_storage->container; curr_container; curr_container = next_container) {
+
+            next_container = curr_container->next;
+            free(curr_container->name);
+            free(curr_container->blobs);
+            free(curr_container->content_type);
+            free(curr_container->time_offset);
+            free(curr_container->path);
+            free(curr_container);
+
+        }
+
+        free(curr_storage);
+    }
+
+    free(azure_config);
+}
+
+
+// Get configuration data in JSON format
+
+cJSON *wm_azure_dump(const wm_azure_t * azure) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_azure = cJSON_CreateObject();
+
+    if (azure->flags.enabled) cJSON_AddStringToObject(wm_azure,"disabled","no"); else cJSON_AddStringToObject(wm_azure,"disabled","yes");
+    if (azure->flags.run_on_start) cJSON_AddStringToObject(wm_azure,"run_on_start","yes"); else cJSON_AddStringToObject(wm_azure,"run_on_start","no");
+    sched_scan_dump(&(azure->scan_config), wm_azure);
+    cJSON_AddNumberToObject(wm_azure,"timeout",azure->timeout);
+
+    if (azure->api_config || azure->storage) {
+        cJSON *content = cJSON_CreateArray();
+        wm_azure_api_t * api_config;
+        wm_azure_storage_t * storage_conf;
+        for (api_config = azure->api_config; api_config; api_config = api_config->next) {
+            cJSON *api = cJSON_CreateObject();
+            if (api_config->type == LOG_ANALYTICS) cJSON_AddStringToObject(api, "type", "log_analytics"); else cJSON_AddStringToObject(api, "type", "graph");
+            cJSON_AddStringToObject(api, "tenantdomain", api_config->tenantdomain);
+            if (api_config->auth_path) cJSON_AddStringToObject(api, "auth_path", api_config->auth_path);
+            if (api_config->request) {
+                cJSON *requests = cJSON_CreateArray();
+                wm_azure_request_t * request_conf;
+                for (request_conf = api_config->request; request_conf; request_conf = request_conf->next) {
+                    cJSON * request = cJSON_CreateObject();
+                    cJSON_AddStringToObject(request, "tag", request_conf->tag);
+                    cJSON_AddStringToObject(request, "query", request_conf->query);
+                    cJSON_AddStringToObject(request, "time_offset", request_conf->time_offset);
+                    if (request_conf->workspace) cJSON_AddStringToObject(request, "workspace", request_conf->workspace);
+                    if (request_conf->timeout) cJSON_AddNumberToObject(request, "timeout", request_conf->timeout);
+                    cJSON_AddItemToArray(requests, request);
+                }
+            }
+            cJSON_AddItemToArray(content, api);
+        }
+        for (storage_conf = azure->storage; storage_conf; storage_conf = storage_conf->next) {
+            cJSON *storage = cJSON_CreateObject();
+            cJSON_AddStringToObject(storage, "tag", storage_conf->tag);
+            if (storage_conf->auth_path) cJSON_AddStringToObject(storage, "auth_path", storage_conf->auth_path);
+            if (storage_conf->container) {
+                cJSON *containers = cJSON_CreateArray();
+                wm_azure_container_t * container_conf;
+                for (container_conf = storage_conf->container; container_conf; container_conf = container_conf->next) {
+                    cJSON * container = cJSON_CreateObject();
+                    cJSON_AddStringToObject(container, "name", container_conf->name);
+                    cJSON_AddStringToObject(container, "blobs", container_conf->blobs);
+                    cJSON_AddStringToObject(container, "content_type", container_conf->content_type);
+                    cJSON_AddStringToObject(container, "time_offset", container_conf->time_offset);
+                    cJSON_AddStringToObject(container, "prefix", container_conf->path);
+                    if (container_conf->timeout) cJSON_AddNumberToObject(container, "timeout", container_conf->timeout);
+                    cJSON_AddItemToArray(containers, container);
+                }
+            }
+            cJSON_AddItemToArray(content, storage);
+        }
+        cJSON_AddItemToObject(wm_azure, "content", content);
+    }
+
+    cJSON_AddItemToObject(root, "azure-logs", wm_azure);
+
+    return root;
+}
+
+#endif
diff --git a/src/modules/azure/tests/unit/tests/CMakeLists.txt b/src/modules/azure/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..7a75df89ae
--- /dev/null
+++ b/src/modules/azure/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,71 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_azure")
+list(APPEND tests_flags "-Wl,--wrap=time,--wrap=w_time_delay,--wrap=w_sleep_until,--wrap=_mwarn,--wrap=_minfo,--wrap=_merror \
+                         -Wl,--wrap=_mtwarn,--wrap=_mtinfo,--wrap=_mterror,--wrap=wm_exec,--wrap=StartMQ,--wrap=FOREVER,--wrap=SendMSG \
+                         -Wl,--wrap=atexit")
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB azure ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM azure ../../../wazuh_modules/main.o)
+
+add_library(AZURE_O STATIC ${azure})
+
+set_source_files_properties(
+  ${azure}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  AZURE_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(AZURE_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        AZURE_O
+        -lcmocka
+        -ldl
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/azure/tests/unit/tests/test_wm_azure.c b/src/modules/azure/tests/unit/tests/test_wm_azure.c
new file mode 100644
index 0000000000..0d38bc96ca
--- /dev/null
+++ b/src/modules/azure/tests/unit/tests/test_wm_azure.c
@@ -0,0 +1,297 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for azure Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../../../wazuh_modules/wm_azure.h"
+
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+
+#define TEST_MAX_DATES 5
+
+static wmodule *azure_module;
+static OS_XML *lxml;
+extern int test_mode;
+
+static void wmodule_cleanup(wmodule *module){
+    wm_azure_t* module_data = (wm_azure_t *)module->data;
+    if(module_data->api_config){
+        free(module_data->api_config->auth_path);
+        free(module_data->api_config->tenantdomain);
+        free(module_data->api_config->request->time_offset);
+        free(module_data->api_config->request->workspace);
+        free(module_data->api_config->request->query);
+        free(module_data->api_config->request->tag);
+        free(module_data->api_config->request);
+        free(module_data->api_config);
+    }
+    free(module_data);
+    free(module->tag);
+    free(module);
+}
+
+
+/***  SETUPS/TEARDOWNS  ******/
+static int setup_module() {
+    azure_module = calloc(1, sizeof(wmodule));
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<interval>5m</interval>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    lxml = malloc(sizeof(OS_XML));
+    XML_NODE nodes = string_to_xml_node(string, lxml);
+    int ret = wm_azure_read(lxml, nodes, azure_module);
+    OS_ClearNode(nodes);
+    test_mode = 1;
+    return ret;
+}
+
+static int teardown_module(){
+    test_mode = 0;
+    wmodule_cleanup(azure_module);
+    OS_ClearXML(lxml);
+    return 0;
+}
+
+static int setup_test_executions(void **state) {
+    return 0;
+}
+
+static int teardown_test_executions(void **state){
+    wm_azure_t* module_data = (wm_azure_t *) *state;
+    sched_scan_free(&(module_data->scan_config));
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wm_azure_t *module_data = (wm_azure_t*)test->module->data;
+    sched_scan_free(&(module_data->scan_config));
+    wmodule_cleanup(test->module);
+    os_free(test);
+    return 0;
+}
+/************************************/
+
+void test_interval_execution(void **state) {
+    wm_azure_t* module_data = (wm_azure_t *)azure_module->data;
+    *state = module_data;
+    module_data->scan_config.next_scheduled_scan_time = 0;
+    module_data->scan_config.scan_day = 0;
+    module_data->scan_config.scan_wday = -1;
+    module_data->scan_config.interval = 1200; // 20min
+    module_data->scan_config.month_interval = false;
+
+    expect_any_count(__wrap_SendMSG, message, (TEST_MAX_DATES + 1) * 2);
+    expect_string_count(__wrap_SendMSG, locmsg, xml_rootcheck, (TEST_MAX_DATES + 1) * 2);
+    expect_value_count(__wrap_SendMSG, loc, ROOTCHECK_MQ, (TEST_MAX_DATES + 1) * 2);
+    will_return_count(__wrap_SendMSG, 1, (TEST_MAX_DATES + 1) * 2);
+
+    expect_any_always(__wrap_wm_exec, command);
+    expect_any_always(__wrap_wm_exec, secs);
+    expect_any_always(__wrap_wm_exec, add_path);
+
+    will_return_always(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 0);
+
+    will_return_count(__wrap_FOREVER, 1, TEST_MAX_DATES);
+    will_return(__wrap_FOREVER, 0);
+    expect_any_always(__wrap__mtinfo, tag);
+    expect_any_always(__wrap__mtinfo, formatted_msg);
+
+    azure_module->context->start(module_data);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<fake_tag>1</fake_tag>\n"
+        "<time>00:01</time>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake_tag' at module 'azure-logs'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_azure_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_scheduling_monthday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>00:01</time>\n"
+        "<day>4</day>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_azure_read(&(test->xml), test->nodes, test->module),0);
+    wm_azure_t *module_data = (wm_azure_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 4);
+    assert_int_equal(module_data->scan_config.interval, 1);
+    assert_int_equal(module_data->scan_config.month_interval, true);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "00:01");
+}
+
+void test_read_scheduling_weekday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>00:01</time>\n"
+        "<wday>Friday</wday>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_azure_read(&(test->xml), test->nodes, test->module),0);
+    wm_azure_t *module_data = (wm_azure_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 604800);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, 5);
+    assert_string_equal(module_data->scan_config.scan_time, "00:01");
+}
+
+void test_read_scheduling_daytime_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<time>00:10</time>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_azure_read(&(test->xml), test->nodes, test->module),0);
+    wm_azure_t *module_data = (wm_azure_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "00:10");
+}
+
+void test_read_scheduling_interval_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<interval>3h</interval>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<log_analytics>\n"
+        "    <auth_path>/var/ossec/wodles/azure/credentials.txt</auth_path>\n"
+        "    <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>\n"
+        "    <request>\n"
+        "        <tag>azure-activity</tag>\n"
+        "        <query>AzureActivity | where SubscriptionId == 2d7...61d </query>\n"
+        "        <workspace>d6b...efa</workspace>\n"
+        "        <time_offset>36h</time_offset>\n"
+        "    </request>\n"
+        "</log_analytics>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_azure_read(&(test->xml), test->nodes, test->module),0);
+    wm_azure_t *module_data = (wm_azure_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 3600*3);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_interval_execution, setup_test_executions, teardown_test_executions)
+    };
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_monthday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_weekday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_daytime_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_interval_configuration, setup_test_read, teardown_test_read)
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_with_startup, setup_module, teardown_module);
+    result += cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/command/CMakeLists.txt b/src/modules/command/CMakeLists.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/command/include/wm_command.h b/src/modules/command/include/wm_command.h
new file mode 100644
index 0000000000..ef9a2b08b5
--- /dev/null
+++ b/src/modules/command/include/wm_command.h
@@ -0,0 +1,45 @@
+/*
+ * Wazuh Module for custom command execution
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 26, 2017.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_COMMAND_H
+#define WM_COMMAND_H
+
+#define WM_COMMAND_LOGTAG ARGV0 ":command"
+#define WM_COMMAND_DEFAULT_INTERVAL 2
+
+typedef struct wm_command_state_t {
+    time_t next_time;               // Absolute time for next scan
+} wm_command_state_t;
+
+typedef struct wm_command_t {
+    char * tag;
+    char * command;
+    char * full_command;
+    char *md5_hash;
+    char *sha1_hash;
+    char *sha256_hash;
+    int queue_fd;
+    wm_command_state_t state;
+    unsigned int enabled:1;
+    unsigned int run_on_start:1;
+    unsigned int ignore_output:1;
+    unsigned int agent_cfg:1;
+    unsigned int skip_verification:1;
+    int timeout;
+    sched_scan_config scan_config;
+} wm_command_t;
+
+extern const wm_context WM_COMMAND_CONTEXT;   // Context
+
+// Parse XML
+int wm_command_read(xml_node **nodes, wmodule *module, int agent_cfg);
+
+#endif // WM_COMMAND_H
diff --git a/src/modules/command/src/wm_command.c b/src/modules/command/src/wm_command.c
new file mode 100644
index 0000000000..d14c2c2123
--- /dev/null
+++ b/src/modules/command/src/wm_command.c
@@ -0,0 +1,273 @@
+/*
+ * Wazuh Module for custom command execution
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 26, 2017.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+
+#ifdef WIN32
+static DWORD WINAPI wm_command_main(void *arg);             // Module main function. It won't return
+#else
+static void * wm_command_main(wm_command_t * command);    // Module main function. It won't return
+#endif
+static void wm_command_destroy(wm_command_t * command);   // Destroy data
+cJSON *wm_command_dump(const wm_command_t * command);
+
+// Command module context definition
+
+const wm_context WM_COMMAND_CONTEXT = {
+    .name = "command",
+    .start = (wm_routine)wm_command_main,
+    .destroy = (void(*)(void *))wm_command_destroy,
+    .dump = (cJSON * (*)(const void *))wm_command_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+// Module module main function. It won't return.
+
+#ifdef WIN32
+DWORD WINAPI wm_command_main(void *arg) {
+    wm_command_t * command = (wm_command_t *)arg;
+#else
+void * wm_command_main(wm_command_t * command) {
+#endif
+    size_t extag_len;
+    char * extag;
+    int usec = 1000000 / wm_max_eps;
+    int validation;
+    char *command_cpy;
+    char *binary;
+    char *full_path;
+    char **argv;
+    char * timestamp = NULL;
+
+    if (!command->enabled) {
+        mtinfo(WM_COMMAND_LOGTAG, "Module command:%s is disabled. Exiting.", command->tag);
+        pthread_exit(0);
+    }
+
+#ifdef CLIENT
+    if (!getDefine_Int("wazuh_command", "remote_commands", 0, 1) && command->agent_cfg) {
+        mtwarn(WM_COMMAND_LOGTAG, "Remote commands are disabled. Ignoring '%s'.", command->tag);
+        pthread_exit(0);
+    }
+#endif
+
+    // Verify command
+    if (command->md5_hash || command->sha1_hash || command->sha256_hash) {
+
+        command_cpy = strdup(command->command);
+
+        argv = w_strtok(command_cpy);
+    #ifndef __clang_analyzer__
+        if (!argv) {
+            merror("Could not split command: %s", command_cpy);
+            pthread_exit(NULL);
+        }
+    #endif
+        binary = argv[0];
+
+        if (get_binary_path(binary, &full_path) == OS_INVALID) {
+            mterror(WM_COMMAND_LOGTAG, "Cannot check binary: '%s'. Cannot stat binary file.", binary);
+            pthread_exit(NULL);
+        }
+
+        // Modify command with full path.
+        if (!command->full_command) {
+            os_malloc(strlen(full_path) + strlen(command->command) - strlen(binary) + 1, command->full_command);
+        }
+        snprintf(command->full_command, strlen(full_path) + strlen(command->command) - strlen(binary) + 1, "%s %s", full_path, command->command + strlen(binary) + 1);
+        free_strarray(argv);
+
+
+        if (command->md5_hash && command->md5_hash[0]) {
+            validation = wm_validate_command(full_path, command->md5_hash, MD5SUM);
+
+            switch (validation) {
+                case 1:
+                    mtdebug1(WM_COMMAND_LOGTAG, "MD5 checksum verification succeded for command '%s'.", command->full_command);
+                    break;
+
+                case 0:
+                    if (!command->skip_verification) {
+                        mterror(WM_COMMAND_LOGTAG, "MD5 checksum verification failed for command '%s'.", command->full_command);
+                        pthread_exit(NULL);
+                    } else {
+                        mtwarn(WM_COMMAND_LOGTAG, "MD5 checksum verification failed for command '%s'. Skipping...", command->full_command);
+                    }
+            }
+        }
+
+        if (command->sha1_hash && command->sha1_hash[0]) {
+            validation = wm_validate_command(full_path, command->sha1_hash, SHA1SUM);
+
+            switch (validation) {
+                case 1:
+                    mtdebug1(WM_COMMAND_LOGTAG, "SHA1 checksum verification succeded for command '%s'.", command->full_command);
+                    break;
+
+                case 0:
+                    if (!command->skip_verification) {
+                        mterror(WM_COMMAND_LOGTAG, "SHA1 checksum verification failed for command '%s'.", command->full_command);
+                        pthread_exit(NULL);
+                    } else {
+                        mtwarn(WM_COMMAND_LOGTAG, "SHA1 checksum verification failed for command '%s'. Skipping...", command->full_command);
+                    }
+            }
+        }
+
+        if (command->sha256_hash && command->sha256_hash[0]) {
+            validation = wm_validate_command(full_path, command->sha256_hash, SHA256SUM);
+
+            switch (validation) {
+                case 1:
+                    mtdebug1(WM_COMMAND_LOGTAG, "SHA256 checksum verification succeded for command '%s'.", command->full_command);
+                    break;
+
+                case 0:
+                    if (!command->skip_verification) {
+                        mterror(WM_COMMAND_LOGTAG, "SHA256 checksum verification failed for command '%s'.", command->full_command);
+                        pthread_exit(NULL);
+                    } else {
+                        mtwarn(WM_COMMAND_LOGTAG, "SHA256 checksum verification failed for command '%s'. Skipping...", command->full_command);
+                    }
+            }
+        }
+
+        free(command_cpy);
+        free(full_path);
+    } else {
+        command->full_command = strdup(command->command);
+    }
+
+    mtinfo(WM_COMMAND_LOGTAG, "Module command:%s started", command->tag);
+
+    // Set extended tag
+
+    extag_len = strlen(WM_COMMAND_CONTEXT.name) + strlen(command->tag) + 2;
+    os_malloc(extag_len * sizeof(char), extag);
+    snprintf(extag, extag_len, "%s_%s", WM_COMMAND_CONTEXT.name, command->tag);
+
+    if (wm_state_io(extag, WM_IO_READ, &command->state, sizeof(command->state)) < 0) {
+        memset(&command->state, 0, sizeof(command->state));
+    }
+
+    // Connect to socket
+
+#ifndef WIN32
+    if (!command->ignore_output) {
+
+        command->queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+        if (command->queue_fd < 0) {
+            mterror(WM_COMMAND_LOGTAG, "Can't connect to queue.");
+            pthread_exit(NULL);
+        }
+    }
+#endif
+
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(command->scan_config), WM_COMMAND_LOGTAG, command->run_on_start);
+
+        if(command->state.next_time == 0) {
+            command->state.next_time = command->scan_config.time_start + time_sleep;
+        }
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(command->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_COMMAND_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+
+        mtinfo(WM_COMMAND_LOGTAG, "Starting command '%s'.", command->tag);
+
+        int status = 0;
+        char *output = NULL;
+        switch (wm_exec(command->full_command, command->ignore_output ? NULL : &output, &status, command->timeout, NULL)) {
+        case 0:
+            if (status > 0) {
+                mtwarn(WM_COMMAND_LOGTAG, "Command '%s' returned exit code %d.", command->tag, status);
+
+                if (!command->ignore_output) {
+                    mtdebug2(WM_COMMAND_LOGTAG, "OUTPUT: %s", output);
+                }
+            }
+            break;
+        case WM_ERROR_TIMEOUT:
+            mterror(WM_COMMAND_LOGTAG, "%s: Timeout overtaken. You can modify your command timeout at '%s'. Exiting...", command->tag, OSSECCONF);
+            break;
+
+        default:
+            mterror(WM_COMMAND_LOGTAG, "Command '%s' failed.", command->tag);
+            break;
+        }
+
+        if (!command->ignore_output && output != NULL) {
+            char *line;
+            char *save_ptr = NULL;
+            for (line = strtok_r(output, "\n", &save_ptr); line; line = strtok_r(NULL, "\n", &save_ptr)){
+            #ifdef WIN32
+                wm_sendmsg(usec, 0, line, extag, LOCALFILE_MQ);
+            #else
+                wm_sendmsg(usec, command->queue_fd, line, extag, LOCALFILE_MQ);
+            #endif
+            }
+
+            os_free(output);
+        }
+
+
+        mtdebug1(WM_COMMAND_LOGTAG, "Command '%s' finished.", command->tag);
+    } while (FOREVER());
+
+    free(extag);
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+
+// Get read data
+
+cJSON *wm_command_dump(const wm_command_t * command) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_comm = cJSON_CreateObject();
+
+    sched_scan_dump(&(command->scan_config), wm_comm);
+
+    if (command->enabled) cJSON_AddStringToObject(wm_comm,"disabled","no"); else cJSON_AddStringToObject(wm_comm,"disabled","yes");
+    if (command->run_on_start) cJSON_AddStringToObject(wm_comm,"run_on_start","yes"); else cJSON_AddStringToObject(wm_comm,"run_on_start","no");
+    if (command->ignore_output) cJSON_AddStringToObject(wm_comm,"ignore_output","yes"); else cJSON_AddStringToObject(wm_comm,"ignore_output","no");
+    if (command->skip_verification) cJSON_AddStringToObject(wm_comm,"skip_verification","yes"); else cJSON_AddStringToObject(wm_comm,"skip_verification","no");
+    if (command->tag) cJSON_AddStringToObject(wm_comm,"tag",command->tag);
+    if (command->command) cJSON_AddStringToObject(wm_comm,"command",command->command);
+    if (command->md5_hash) cJSON_AddStringToObject(wm_comm,"verify_md5",command->md5_hash);
+    if (command->sha1_hash) cJSON_AddStringToObject(wm_comm,"verify_sha1",command->sha1_hash);
+    if (command->sha256_hash) cJSON_AddStringToObject(wm_comm,"verify_sha256",command->sha256_hash);
+
+    cJSON_AddItemToObject(root,"command",wm_comm);
+
+    return root;
+}
+
+
+// Destroy data
+void wm_command_destroy(wm_command_t * command) {
+    free(command->tag);
+    free(command->command);
+    free(command->full_command);
+    free(command);
+}
diff --git a/src/modules/command/tests/unit/tests/CMakeLists.txt b/src/modules/command/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..4d02926e68
--- /dev/null
+++ b/src/modules/command/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,70 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_command")
+list(APPEND tests_flags "-Wl,--wrap=time,--wrap=w_time_delay,--wrap=w_sleep_until,--wrap=_mwarn,--wrap=_minfo,--wrap=_merror \
+                         -Wl,--wrap=_mtwarn,--wrap=_mtinfo,--wrap=_mterror,--wrap=wm_exec,--wrap=StartMQ,--wrap=FOREVER")
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB command ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM command ../../../wazuh_modules/main.o)
+
+add_library(COMMAND_O STATIC ${command})
+
+set_source_files_properties(
+  ${command}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  COMMAND_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(COMMAND_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        COMMAND_O
+        -ldl
+        -lcmocka
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/command/tests/unit/tests/test_wm_command.c b/src/modules/command/tests/unit/tests/test_wm_command.c
new file mode 100644
index 0000000000..c29e71b127
--- /dev/null
+++ b/src/modules/command/tests/unit/tests/test_wm_command.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for command Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../../../wazuh_modules/wm_command.h"
+
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+
+#define TEST_MAX_DATES 5
+
+static wmodule *command_module;
+static OS_XML *lxml;
+extern int test_mode;
+
+/****************************************************************/
+static void wmodule_cleanup(wmodule *module){
+    wm_command_t* module_data = (wm_command_t *)module->data;
+    free(module_data->sha256_hash);
+    free(module_data->sha1_hash);
+    free(module_data->full_command);
+    free(module_data->command);
+    free(module_data->tag);
+    free(module_data);
+    free(module->tag);
+    free(module);
+}
+
+/***  SETUPS/TEARDOWNS  ******/
+static int setup_module() {
+    command_module = calloc(1, sizeof(wmodule));
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<interval>1d</interval>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<interval>10m</interval>\n"
+        "<skip_verification>yes</skip_verification>"
+    ;
+    lxml = malloc(sizeof(OS_XML));
+    XML_NODE nodes = string_to_xml_node(string, lxml);
+
+    int ret = wm_command_read(nodes, command_module, 0);
+    OS_ClearNode(nodes);
+    test_mode = 1;
+    return ret;
+}
+
+static int teardown_module(){
+    test_mode = 0;
+    wmodule_cleanup(command_module);
+    OS_ClearXML(lxml);
+    return 0;
+}
+
+static int setup_test_executions(void **state){
+    wm_max_eps = 1;
+    return 0;
+}
+
+static int teardown_test_executions(void **state){
+    wm_command_t* module_data = (wm_command_t *) *state;
+    sched_scan_free(&(module_data->scan_config));
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wm_command_t *module_data = (wm_command_t*)test->module->data;
+    sched_scan_free(&(module_data->scan_config));
+    wmodule_cleanup(test->module);
+    os_free(test);
+    return 0;
+}
+
+/** Tests **/
+void test_interval_execution(void **state) {
+    wm_command_t* module_data = (wm_command_t *)command_module->data;
+    *state = module_data;
+    module_data->scan_config.next_scheduled_scan_time = 0;
+    module_data->scan_config.scan_day = 0;
+    module_data->scan_config.scan_wday = -1;
+    module_data->scan_config.interval = 60; // 1min
+    module_data->scan_config.month_interval = false;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 0);
+
+    expect_any_always(__wrap_wm_exec, command);
+    expect_any_always(__wrap_wm_exec, secs);
+    expect_any_always(__wrap_wm_exec, add_path);
+
+    will_return_always(__wrap_wm_exec, 0);
+
+    will_return_count(__wrap_FOREVER, 1, TEST_MAX_DATES);
+    will_return(__wrap_FOREVER, 0);
+    expect_any_always(__wrap__mtinfo, tag);
+    expect_any_always(__wrap__mtinfo, formatted_msg);
+    expect_any_always(__wrap__mtwarn, tag);
+    expect_any_always(__wrap__mtwarn, formatted_msg);
+
+    command_module->context->start(module_data);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<fake>True</fake>\n"
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<timeout>1800</timeout>\n"
+        "<time>19:55</time>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<interval>10m</interval>\n"
+        "<skip_verification>yes</skip_verification>";
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake' at module 'command'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_command_read(test->nodes, test->module, 0),-1);
+}
+
+void test_read_scheduling_monthday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<time>12:05</time>\n"
+        "<day>1</day>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<timeout>1800</timeout>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<skip_verification>yes</skip_verification>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_command_read(test->nodes, test->module, 0),0);
+    wm_command_t *module_data = (wm_command_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 1);
+    assert_int_equal(module_data->scan_config.interval, 1);
+    assert_int_equal(module_data->scan_config.month_interval, true);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "12:05");
+}
+
+void test_read_scheduling_weekday_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<time>10:59</time>\n"
+        "<wday>Tuesday</wday>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<timeout>1800</timeout>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<skip_verification>yes</skip_verification>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_command_read(test->nodes, test->module, 0),0);
+    wm_command_t *module_data = (wm_command_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 604800);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, 2);
+    assert_string_equal(module_data->scan_config.scan_time, "10:59");
+}
+
+void test_read_scheduling_daytime_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<time>10:53</time>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<timeout>1800</timeout>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<skip_verification>yes</skip_verification>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one day. New interval value: 1d");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_command_read(test->nodes, test->module, 0),0);
+    wm_command_t *module_data = (wm_command_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "10:53");
+}
+
+void test_read_scheduling_interval_configuration(void **state) {
+    const char *string =
+        "<disabled>no</disabled>\n"
+        "<tag>test</tag>\n"
+        "<interval>10s</interval>\n"
+        "<command>/bin/bash /root/script.sh</command>\n"
+        "<timeout>1800</timeout>\n"
+        "<ignore_output>no</ignore_output>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<timeout>0</timeout>\n"
+        "<verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>\n"
+        "<verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>\n"
+        "<skip_verification>yes</skip_verification>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_command_read(test->nodes, test->module, 0),0);
+    wm_command_t *module_data = (wm_command_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 10); // 10 seconds
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_interval_execution, setup_test_executions, teardown_test_executions)
+    };
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_monthday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_weekday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_daytime_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_interval_configuration, setup_test_read, teardown_test_read)
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_with_startup, setup_module, teardown_module);
+    result += cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/docker/include/wm_docker.h b/src/modules/docker/include/wm_docker.h
new file mode 100644
index 0000000000..6e27de1861
--- /dev/null
+++ b/src/modules/docker/include/wm_docker.h
@@ -0,0 +1,39 @@
+/*
+ * Wazuh Module for Docker
+ * Copyright (C) 2015, Wazuh Inc.
+ * October, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_DOCKER
+#define WM_DOCKER
+#ifndef WIN32
+
+#define WM_DOCKER_LOGTAG ARGV0 ":docker-listener"
+#define WM_DOCKER_SCRIPT_PATH  "wodles/docker/DockerListener"
+
+#define WM_DOCKER_DEF_INTERVAL 60
+
+typedef struct wm_docker_flags_t {
+    unsigned int enabled:1;
+    unsigned int run_on_start:1;
+} wm_docker_flags_t;
+
+typedef struct wm_docker_t {
+    unsigned int interval;             // Time interval to retry to run the listener
+    int attempts;                      // Maximum attempts to run the module after fails
+    wm_docker_flags_t flags;           // Default flags
+    sched_scan_config scan_config;
+} wm_docker_t;
+
+extern const wm_context WM_DOCKER_CONTEXT;   // Context
+
+// Parse XML configuration
+int wm_docker_read(xml_node **nodes, wmodule *module);
+
+#endif
+#endif
diff --git a/src/modules/docker/scripts/DockerListener.py b/src/modules/docker/scripts/DockerListener.py
new file mode 100644
index 0000000000..e0ab31cb86
--- /dev/null
+++ b/src/modules/docker/scripts/DockerListener.py
@@ -0,0 +1,160 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+import os
+import threading
+import json
+import socket
+import sys
+import time
+from os.path import abspath, dirname
+
+sys.path.insert(0, dirname(dirname(abspath(__file__))))
+from utils import MAX_EVENT_SIZE
+
+try:
+    import docker
+except:
+    sys.stderr.write("'docker' module needs to be installed. Execute 'pip3 install docker' to do it.\n")
+    exit(1)
+
+
+class DockerListener:
+    wait_time = 5
+    field_debug_name = "Wodle event"
+
+    def __init__(self):
+        """"
+        DockerListener constructor
+
+        """
+        if sys.platform == "win32":
+            sys.stderr.write("This wodle does not work on Windows.\n")
+            sys.exit(1)
+        # socket variables
+        self.wazuh_path = os.path.abspath(os.path.join(__file__, "..", "..", ".."))
+        self.wazuh_queue = os.path.join(self.wazuh_path, "queue", "sockets", "queue")
+        self.msg_header = "1:Wazuh-Docker:"
+        # docker variables
+        self.client = None
+        self.thread1 = None
+        self.thread2 = None
+
+    def start(self):
+        self.send_msg(json.dumps({self.field_debug_name: "Started"}))
+        self.thread1 = threading.Thread(target=self.listen)
+        self.thread2 = threading.Thread(target=self.listen)
+        self.connect(first_time=True)
+
+    def connect(self, first_time=False):
+        """
+        Connects to Docker service, retrying if connection is not successful
+
+        """
+        if self.check_docker_service():
+            if not first_time:
+                # this is for having a thread assigned to a variable ever
+                if self.thread1.is_alive():
+                    self.thread2 = threading.Thread(target=self.listen)
+                    self.thread2.start()
+                else:
+                    self.thread1 = threading.Thread(target=self.listen)
+                    self.thread1.start()
+            else:
+                self.thread1.start()
+            print("Docker service was started.")
+            self.send_msg(json.dumps({self.field_debug_name: "Connected to Docker service"}))
+        else:
+            if first_time:
+                print("Docker service is not running.")
+                self.send_msg(json.dumps({self.field_debug_name: "Docker service is not running"}))
+            while not self.check_docker_service():
+                print("Reconnecting...")
+                time.sleep(self.wait_time)
+            self.connect()
+
+    def check_docker_service(self):
+        """
+        Checks if Docker service is running
+
+        :return: True if Docker service is active or False if it is inactive.
+        """
+        try:
+            self.client = docker.from_env()
+            self.client.ping()
+            return True
+        except Exception:
+            return False
+
+    def listen(self):
+        """
+        Listens Docker events
+
+        """
+        try:
+            for event in self.client.events():
+                self.process(event)
+        except Exception as e:
+            raise e
+        print("Docker service was stopped.")
+        self.send_msg(json.dumps({self.field_debug_name: "Disconnected from the Docker service"}))
+        self.connect()
+
+    def process(self, event):
+        """"
+        Processes a main Docker event
+
+        :param event: Docker event.
+        """
+        self.send_msg(event.decode("utf-8"))
+
+    def format_msg(self, msg):
+        """
+        Formats a Docker event
+
+        :param msg: message to be formatted.
+        :return: formatted message.
+        """
+        return {'integration': 'docker', 'docker': json.loads(msg)}
+
+    def send_msg(self, msg):
+        """
+        Sends a Docker event to the Wazuh Queue
+
+        :param msg: message to be sent.
+        """
+        try:
+            json_msg = json.dumps(self.format_msg(msg))
+            print(json_msg)
+            s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+            s.connect(self.wazuh_queue)
+
+            encoded_msg = "{header}{msg}".format(header=self.msg_header,
+                                                 msg=json_msg).encode()
+            # Logs warning if event is bigger than max size
+            if len(encoded_msg) > MAX_EVENT_SIZE:
+                sys.stderr.write(f"WARNING: Event size exceeds the maximum allowed limit of {MAX_EVENT_SIZE} bytes.")
+
+            s.send(encoded_msg)
+            s.close()
+        except socket.error as e:
+            if e.errno == 111:
+                sys.stderr.write('Wazuh must be running.\n')
+                sys.exit(11)
+            else:
+                sys.stderr.write("Error sending message to wazuh: {}\n".format(e))
+                sys.exit(13)
+        except Exception as e:
+            sys.stderr.write("Error sending message to wazuh: {}\n".format(e))
+            sys.exit(13)
+
+
+if __name__ == "__main__":
+    dl = DockerListener()
+    dl.start()
diff --git a/src/modules/docker/scripts/__init__.py b/src/modules/docker/scripts/__init__.py
new file mode 100644
index 0000000000..ea0d8aeea6
--- /dev/null
+++ b/src/modules/docker/scripts/__init__.py
@@ -0,0 +1,3 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
diff --git a/src/modules/docker/scripts/pytest.ini b/src/modules/docker/scripts/pytest.ini
new file mode 100644
index 0000000000..40880458c7
--- /dev/null
+++ b/src/modules/docker/scripts/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+asyncio_mode=auto
diff --git a/src/modules/docker/scripts/requirements.txt b/src/modules/docker/scripts/requirements.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/docker/scripts/tests/test_docker_listener.py b/src/modules/docker/scripts/tests/test_docker_listener.py
new file mode 100644
index 0000000000..8907c4d30e
--- /dev/null
+++ b/src/modules/docker/scripts/tests/test_docker_listener.py
@@ -0,0 +1,204 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import json
+import os
+import socket
+import sys
+from unittest.mock import call, patch, MagicMock
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))  # noqa: E501
+docker_listener = __import__("DockerListener")
+
+
+def test_DockerListener__init__():
+    """Test if an instance of DockerListener is created properly."""
+    dl = docker_listener.DockerListener()
+    for attribute in ['wazuh_path', 'wazuh_queue', 'msg_header', 'client', 'thread1', 'thread2']:
+        assert hasattr(dl, attribute)
+
+
+@patch('sys.platform', 'win32')
+@patch('sys.stderr.write')
+def test_DockerListener__init__ko(mock_stderr):
+    """Test DockerListener exists if attempting to run in Windows environments."""
+    with pytest.raises(SystemExit) as err:
+        docker_listener.DockerListener()
+    assert err.value.code == 1
+    mock_stderr.assert_called_once()
+
+
+@patch('DockerListener.threading.Thread')
+@patch('DockerListener.DockerListener.connect')
+@patch('DockerListener.DockerListener.send_msg')
+def test_DockerListener_start(mock_send, mock_connect, mock_thread):
+    """Test if start creates the expected Threads and calls to the connect function."""
+    dl = docker_listener.DockerListener()
+    dl.start()
+    mock_send.assert_called_once()
+    mock_connect.assert_called_with(first_time=True)
+    mock_thread.assert_has_calls([call(target=dl.listen), call(target=dl.listen)])
+    assert dl.thread1
+    assert dl.thread2
+
+
+@pytest.mark.parametrize('first_time', [True, False])
+@pytest.mark.parametrize('alive', [True, False])
+@patch('DockerListener.threading.Thread')
+@patch('DockerListener.DockerListener.send_msg')
+@patch('DockerListener.DockerListener.check_docker_service', return_value=True)
+def test_DockerListener_connect(mock_service, mock_send, mock_thread, first_time, alive):
+    """Test DockerListener successfully connects to the Docker service by starting the expected thread."""
+    dl = docker_listener.DockerListener()
+    m = MagicMock()
+    m.is_alive.return_value = alive
+    dl.thread1 = m
+
+    dl.connect(first_time=first_time)
+
+    mock_service.assert_called_once()
+
+    if first_time:
+        dl.thread1.start.assert_called_once()
+    elif alive:
+        mock_thread.assert_called_with(target=dl.listen)
+        dl.thread2.start.assert_called_once()
+    else:
+        mock_thread.assert_called_with(target=dl.listen)
+        dl.thread1.start.assert_called_once()
+
+    mock_send.assert_called_once()
+
+
+@pytest.mark.parametrize('first_time', [True, False])
+@patch('DockerListener.threading.Thread')
+@patch('DockerListener.time.sleep')
+@patch('DockerListener.DockerListener.check_docker_service')
+@patch('DockerListener.DockerListener.send_msg')
+def test_DockerListener_connect_ko(mock_send, mock_service, mock_time, mock_thread, first_time):
+    """Test connect function will attempt to reconnect to the docker service until accomplished."""
+    docker_service_values = [False, False, True, True]
+    mock_service.side_effect = docker_service_values
+
+    dl = docker_listener.DockerListener()
+    dl.thread1 = MagicMock()
+    dl.thread1.is_alive.return_value = False
+
+    dl.connect(first_time=first_time)
+
+    assert mock_service.call_count == len(docker_service_values)
+    assert mock_send.call_count == 2 if first_time else 1
+    mock_time.assert_called_with(dl.wait_time)
+    mock_thread.assert_called_with(target=dl.listen)
+    dl.thread1.start.assert_called_once()
+
+
+@patch('DockerListener.docker.from_env', return_value=MagicMock())
+def test_DockerListener_check_docker_service(mock_env):
+    """Test check_docker_service verifies the docker service status."""
+    dl = docker_listener.DockerListener()
+    is_running = dl.check_docker_service()
+    mock_env.assert_called_once()
+    dl.client.ping.assert_called_once()
+    assert is_running
+
+
+@patch('DockerListener.docker.from_env', Exception)
+def test_DockerListener_check_docker_service_ko():
+    """Test check_docker_service returns False when the service is not running."""
+    dl = docker_listener.DockerListener()
+    assert not dl.check_docker_service()
+
+
+@patch('DockerListener.DockerListener.connect')
+@patch('DockerListener.DockerListener.send_msg')
+@patch('DockerListener.DockerListener.process')
+def test_DockerListener_listen(mock_process, mock_send, mock_connect):
+    """Test listen function process every event received from the client."""
+    event_list = [1, 2, 3]
+    dl = docker_listener.DockerListener()
+    dl.client = MagicMock()
+    dl.client.events.return_value = event_list
+    dl.listen()
+    mock_process.assert_has_calls([call(x) for x in event_list])
+    mock_send.assert_called_once()
+    mock_connect.assert_called_once()
+
+
+@patch('DockerListener.DockerListener.connect')
+@patch('DockerListener.DockerListener.send_msg')
+@patch('DockerListener.DockerListener.process')
+def test_DockerListener_listen_ko(mock_process, mock_send, mock_connect):
+    """Test listen raises an exception when is caught."""
+    dl = docker_listener.DockerListener()
+    dl.client = MagicMock()
+    dl.client.events.side_effect = Exception
+    with pytest.raises(Exception):
+        dl.listen()
+    mock_process.assert_not_called()
+    mock_send.assert_not_called()
+    mock_connect.assert_not_called()
+
+
+@patch('DockerListener.DockerListener.send_msg')
+def test_DockerListener_process(mock_send):
+    """Test process function sends the decoded events to the Wazuh socket."""
+    event = b"test"
+    dl = docker_listener.DockerListener()
+    dl.process(event)
+    mock_send.assert_called_with(event.decode("utf-8"))
+
+
+def test_DockerListener_format_msg():
+    """Test format_msg returns a dict with the expected key and values."""
+    msg = '{"test": "value"}'
+    dl = docker_listener.DockerListener()
+    result = dl.format_msg(msg)
+    assert isinstance(result, dict)
+    assert result.get("integration") == "docker"
+    assert result.get("docker") == json.loads(msg)
+
+
+@patch('DockerListener.socket.socket')
+def test_DockerListener_send_msg(mock_socket):
+    """Test send_msg sends the messages with the expected contents to the Wazuh socket."""
+    msg = '{"test": "value"}'
+
+    m = MagicMock()
+    mock_socket.return_value = m
+    dl = docker_listener.DockerListener()
+    dl.send_msg(msg)
+
+    mock_socket.assert_called_with(socket.AF_UNIX, socket.SOCK_DGRAM)
+    m.connect.assert_called_with(dl.wazuh_queue)
+    formatted_msg = json.dumps(dl.format_msg(msg))
+    m.send.assert_called_with(f"{dl.msg_header}{formatted_msg}".encode())
+    m.close.assert_called_once()
+
+
+@pytest.mark.parametrize('exception_code, exit_code', [
+    (111, 11),
+    (1, 13),
+    (None, 13)
+])
+@patch('sys.stderr.write')
+@patch('DockerListener.json', MagicMock())
+@patch('DockerListener.socket.socket')
+def test_DockerListener_send_msg_ko(mock_socket, mock_stderr, exception_code, exit_code):
+    """Test send_message handle the socket exceptions."""
+    if exception_code:
+        s = socket.error()
+        s.errno = exception_code
+        mock_socket.side_effect = s
+    else:
+        mock_socket.side_effect = Exception
+
+    dl = docker_listener.DockerListener()
+
+    with pytest.raises(SystemExit) as err:
+        dl.send_msg("")
+    assert err.value.code == exit_code
+    mock_stderr.assert_called_once()
diff --git a/src/modules/docker/scripts/utils.py b/src/modules/docker/scripts/utils.py
new file mode 100644
index 0000000000..eb87acd947
--- /dev/null
+++ b/src/modules/docker/scripts/utils.py
@@ -0,0 +1,6 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+# Max size of the event that ANALYSISID can handle
+MAX_EVENT_SIZE = 65535
diff --git a/src/modules/docker/src/wm_docker.c b/src/modules/docker/src/wm_docker.c
new file mode 100644
index 0000000000..1b11a49c29
--- /dev/null
+++ b/src/modules/docker/src/wm_docker.c
@@ -0,0 +1,180 @@
+/*
+ * Wazuh Module for Docker integration
+ * Copyright (C) 2015, Wazuh Inc.
+ * October, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WIN32
+
+#include "wmodules.h"
+
+static wm_docker_t *docker_conf;                               // Pointer to docker config struct
+
+static void* wm_docker_main(wm_docker_t *docker_conf);         // Module main function. It won't return
+static void wm_docker_setup(wm_docker_t *_docker_conf);        // Setup module
+static void wm_docker_cleanup();                               // Cleanup function, doesn't overwrite wm_cleanup
+static void wm_docker_check();                                 // Check configuration, disable flag
+static void wm_docker_destroy(wm_docker_t *docker_conf);       // Destroy data
+cJSON *wm_docker_dump(const wm_docker_t *docker_conf);         // Dump docker config to JSON
+
+// Docker module context definition
+
+const wm_context WM_DOCKER_CONTEXT = {
+    .name = "docker-listener",
+    .start = (wm_routine)wm_docker_main,
+    .destroy = (void(*)(void *))wm_docker_destroy,
+    .dump = (cJSON * (*)(const void *))wm_docker_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+// Module module main function. It won't return.
+
+void* wm_docker_main(wm_docker_t *docker_conf) {
+    int status = 0;
+    char * command = WM_DOCKER_SCRIPT_PATH;
+    char * timestamp = NULL;
+    int attempts = 0;
+
+    wm_docker_setup(docker_conf);
+    mtinfo(WM_DOCKER_LOGTAG, "Module docker-listener started.");
+
+    // Main
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(docker_conf->scan_config), WM_DOCKER_LOGTAG, docker_conf->flags.run_on_start);
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(docker_conf->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_DOCKER_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtinfo(WM_DOCKER_LOGTAG, "Starting to listening Docker events.");
+
+        // Running the docker listener script
+
+        mtdebug1(WM_DOCKER_LOGTAG, "Launching command '%s'", command);
+
+        wfd_t * wfd = wpopenl(command, W_BIND_STDERR, command, NULL);
+
+        if (wfd == NULL) {
+            mterror(WM_DOCKER_LOGTAG, "Cannot launch Docker integration due to an internal error.");
+            pthread_exit(NULL);
+        }
+
+#ifdef WIN32
+        wm_append_handle(wfd->pinfo.hProcess);
+#else
+        if (0 <= wfd->pid) {
+            wm_append_sid(wfd->pid);
+        }
+#endif
+
+        char buffer[4096];
+
+        while (fgets(buffer, sizeof(buffer), wfd->file_out)) {
+            char * end = strchr(buffer, '\n');
+            if (end) {
+                *end = '\0';
+            }
+
+            mterror(WM_DOCKER_LOGTAG, "%s", buffer);
+        }
+
+        // At this point, DockerListener terminated
+#ifdef WIN32
+        wm_remove_handle(wfd->pinfo.hProcess);
+#else
+        if (0 <= wfd->pid) {
+            wm_remove_sid(wfd->pid);
+        }
+#endif
+        status = wpclose(wfd);
+        int exitcode = WEXITSTATUS(status);
+
+        switch (exitcode) {
+        case 127:
+            mterror(WM_DOCKER_LOGTAG, "Cannot launch Docker integration. Please check the file '%s'", command);
+            pthread_exit(NULL);
+
+        default:
+            if (++attempts >= docker_conf->attempts) {
+                mterror(WM_DOCKER_LOGTAG, "Maximum attempts reached to run the listener. Exiting...");
+                pthread_exit(NULL);
+            }
+            mtwarn(WM_DOCKER_LOGTAG, "Docker-listener finished unexpectedly (code %d). Retrying to run in next scheduled time...", exitcode);
+        }
+    } while (FOREVER());
+
+    return NULL;
+}
+
+
+// Get read data
+
+cJSON *wm_docker_dump(const wm_docker_t *docker_conf) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_docker = cJSON_CreateObject();
+
+    sched_scan_dump(&(docker_conf->scan_config), wm_docker);
+
+    if (docker_conf->flags.enabled) cJSON_AddStringToObject(wm_docker,"disabled","no"); else cJSON_AddStringToObject(wm_docker,"disabled","yes");
+    if (docker_conf->flags.run_on_start) cJSON_AddStringToObject(wm_docker,"run_on_start","yes"); else cJSON_AddStringToObject(wm_docker,"run_on_start","no");
+    cJSON_AddNumberToObject(wm_docker, "attempts", docker_conf->attempts);
+    cJSON_AddItemToObject(root,"docker-listener",wm_docker);
+
+    return root;
+}
+
+
+// Destroy data
+
+void wm_docker_destroy(wm_docker_t *docker_conf) {
+    free(docker_conf);
+}
+
+// Setup module
+
+void wm_docker_setup(wm_docker_t *_docker_conf) {
+
+    docker_conf = _docker_conf;
+    wm_docker_check();
+
+    // Cleanup exiting
+
+    atexit(wm_docker_cleanup);
+}
+
+
+// Check configuration
+
+void wm_docker_check() {
+    // Check if disabled
+
+    if (!docker_conf->flags.enabled) {
+        mtinfo(WM_DOCKER_LOGTAG, "Module disabled. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    // Check if interval defined; otherwise set default
+
+    if (!docker_conf->interval)
+        docker_conf->interval = WM_DOCKER_DEF_INTERVAL;
+
+}
+
+// Cleanup function, doesn't overwrite wm_cleanup
+
+void wm_docker_cleanup() {
+    mtinfo(WM_DOCKER_LOGTAG, "Module finished.");
+}
+
+#endif
diff --git a/src/modules/docker/tests/unit/tests/CMakeLists.txt b/src/modules/docker/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..62f81d5206
--- /dev/null
+++ b/src/modules/docker/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,72 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_docker")
+list(APPEND tests_flags "-Wl,--wrap=time,--wrap=w_time_delay,--wrap=w_sleep_until,--wrap=_mwarn,--wrap=_minfo,--wrap=_merror \
+                         -Wl,--wrap=_mtwarn,--wrap=_mtinfo,--wrap=_mterror,--wrap=FOREVER,--wrap=wpclose,--wrap=fgets \
+                         -Wl,--wrap=wpopenl,--wrap=fclose,--wrap=fflush,--wrap=fprintf,--wrap=fopen,--wrap=fread,--wrap=fseek \
+                         -Wl,--wrap=fwrite,--wrap=remove,--wrap=atexit -Wl,--wrap,fgetpos -Wl,--wrap=fgetc -Wl,--wrap=wfopen -Wl,--wrap,popen")
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB docker ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM docker ../../../wazuh_modules/main.o)
+
+add_library(DOCKER_O STATIC ${docker})
+
+set_source_files_properties(
+  ${docker}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  DOCKER_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(DOCKER_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        DOCKER_O
+        -ldl
+        -lcmocka
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/docker/tests/unit/tests/test_wm_docker.c b/src/modules/docker/tests/unit/tests/test_wm_docker.c
new file mode 100644
index 0000000000..33dfb837b5
--- /dev/null
+++ b/src/modules/docker/tests/unit/tests/test_wm_docker.c
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for docker Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/exec_op_wrappers.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../../../wazuh_modules/wm_docker.h"
+#include "../scheduling/wmodules_scheduling_helpers.h"
+
+#define TEST_MAX_DATES 5
+
+static wmodule *docker_module;
+static OS_XML *lxml;
+extern int test_mode;
+
+typedef struct {
+    wfd_t * wfd;
+    wm_docker_t* module_data;
+} states;
+
+/******* Helpers **********/
+
+static void wmodule_cleanup(wmodule *module){
+    free(module->data);
+    free(module->tag);
+    free(module);
+}
+
+/***  SETUPS/TEARDOWNS  ******/
+static int setup_module() {
+    docker_module = calloc(1, sizeof(wmodule));
+    const char *string =
+        "<interval>10m</interval>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n";
+    lxml = malloc(sizeof(OS_XML));
+    XML_NODE nodes = string_to_xml_node(string, lxml);
+    int ret = wm_docker_read(nodes, docker_module);
+    OS_ClearNode(nodes);
+    test_mode = 1;
+    wm_children_pool_init();
+    return ret;
+}
+
+static int teardown_module(){
+    test_mode = 0;
+    wmodule_cleanup(docker_module);
+    OS_ClearXML(lxml);
+    return 0;
+}
+
+static int setup_test_executions(void **state) {
+    states *states_ptr = calloc(1, sizeof(*states_ptr));
+    states_ptr->wfd = calloc(1, sizeof(wfd_t));
+    *state = states_ptr;
+    wm_max_eps = 1;
+
+    return 0;
+}
+
+static int teardown_test_executions(void **state){
+    states *states_ptr = *state;
+    wm_docker_t* module_data = states_ptr->module_data;
+    sched_scan_free(&(module_data->scan_config));
+
+    free(states_ptr->wfd);
+    free(states_ptr);
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wm_docker_t *module_data = (wm_docker_t*)test->module->data;
+    sched_scan_free(&(module_data->scan_config));
+    wmodule_cleanup(test->module);
+    os_free(test);
+    return 0;
+}
+
+/****************************************************************/
+
+/** Tests **/
+void test_interval_execution(void **state) {
+    states *states_ptr = *state;
+    wm_docker_t* module_data = (wm_docker_t *)docker_module->data;
+    wfd_t * wfd = states_ptr->wfd;
+
+    states_ptr->module_data = module_data;
+    module_data->scan_config.next_scheduled_scan_time = 0;
+    module_data->scan_config.scan_day = 0;
+    module_data->scan_config.scan_wday = -1;
+    module_data->scan_config.interval = 60 * 25; // 25min
+    module_data->scan_config.month_interval = false;
+
+    will_return_count(__wrap_wpopenl, wfd, TEST_MAX_DATES + 1);
+    will_return_count(__wrap_wpclose, 0, TEST_MAX_DATES + 1);
+    expect_any_count(__wrap_fgets, __stream, TEST_MAX_DATES + 1);
+    will_return_count(__wrap_fgets, 0, TEST_MAX_DATES + 1);
+    will_return_count(__wrap_FOREVER, 1, TEST_MAX_DATES);
+    will_return(__wrap_FOREVER, 0);
+    expect_any_always(__wrap__mtinfo, tag);
+    expect_any_always(__wrap__mtinfo, formatted_msg);
+    expect_any_always(__wrap__mtwarn, tag);
+    expect_any_always(__wrap__mtwarn, formatted_msg);
+
+    docker_module->context->start(module_data);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<time>19:55</time>\n"
+        "<interval>10m</interval>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n"
+        "<extra-tag>extra</extra-tag>\n";
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'extra-tag' at module 'docker-listener'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_docker_read(test->nodes, test->module),-1);
+}
+
+void test_read_scheduling_monthday_configuration(void **state) {
+    const char *string =
+        "<time>19:55</time>\n"
+        "<day>10</day>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_docker_read(test->nodes, test->module),0);
+    wm_docker_t *module_data = (wm_docker_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 10);
+    assert_int_equal(module_data->scan_config.interval, 1);
+    assert_int_equal(module_data->scan_config.month_interval, true);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "19:55");
+}
+
+void test_read_scheduling_weekday_configuration(void **state) {
+    const char *string =
+        "<time>18:55</time>\n"
+        "<wday>Thursday</wday>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_docker_read(test->nodes, test->module),0);
+    wm_docker_t *module_data = (wm_docker_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 604800);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, 4);
+    assert_string_equal(module_data->scan_config.scan_time, "18:55");
+}
+
+void test_read_scheduling_daytime_configuration(void **state) {
+    const char *string =
+        "<time>17:20</time>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one day. New interval value: 1d");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_docker_read(test->nodes, test->module),0);
+    wm_docker_t *module_data = (wm_docker_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "17:20");
+}
+
+void test_read_scheduling_interval_configuration(void **state) {
+    const char *string =
+        "<interval>1d</interval>\n"
+        "<attempts>10</attempts>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<disabled>no</disabled>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_docker_read(test->nodes, test->module),0);
+    wm_docker_t *module_data = (wm_docker_t*)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL); // 1 day
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_interval_execution, setup_test_executions, teardown_test_executions)
+    };
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_monthday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_weekday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_daytime_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_interval_configuration, setup_test_read, teardown_test_read),
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_with_startup, setup_module, teardown_module);
+    result += cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/fim/CMakeLists.txt b/src/modules/fim/CMakeLists.txt
index e69de29bb2..c21c0e331f 100644
--- a/src/modules/fim/CMakeLists.txt
+++ b/src/modules/fim/CMakeLists.txt
@@ -0,0 +1,123 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(wazuh-syscheckd)
+
+enable_testing()
+
+if(NOT CMAKE_BUILD_TYPE)
+  set(CMAKE_BUILD_TYPE Release)
+endif()
+
+get_filename_component(SRC_FOLDER ${CMAKE_SOURCE_DIR}/../ ABSOLUTE)
+
+include_directories(${SRC_FOLDER}/headers/)
+include_directories(${SRC_FOLDER}/external/cJSON/)
+include_directories(${SRC_FOLDER}/external/bzip2/)
+include_directories(${SRC_FOLDER}/external/sqlite/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+include_directories(${SRC_FOLDER}/external/audit-userspace/lib)
+include_directories(${SRC_FOLDER}/external/openssl/include/)
+include_directories(${SRC_FOLDER}/shared_modules/common/)
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/src/db/include/)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  link_directories(${INSTALL_PREFIX}/lib)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+link_directories(${SRC_FOLDER}/shared_modules/dbsync/build/lib/)
+link_directories(${SRC_FOLDER}/shared_modules/rsync/build/lib/)
+link_directories(${SRC_FOLDER}/)
+
+add_definitions(-DARGV0="wazuh-syscheckd")
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-g -fsanitize=address,leak,undefined")
+else()
+ set(CMAKE_CXX_FLAGS_DEBUG "-g")
+ if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows")
+  set(CMAKE_C_FLAGS_DEBUG "-g --coverage")
+ endif(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows")
+ if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+   set(CMAKE_CXX_FLAGS_RELEASE "-O3")
+ else()
+   set(CMAKE_CXX_FLAGS_RELEASE "-O3 -s")
+ endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+endif(FSANITIZE)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_definitions(-DWIN32=1 -DWIN_EXPORT)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+set(LIB_DIR ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${LIB_DIR})
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${LIB_DIR})
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
+set(CMAKE_CXX_FLAGS
+    "-Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2 -std=c++14 -pthread"
+)
+
+if(APPLE)
+  set(CMAKE_MACOSX_RPATH 1)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DHPUX)
+endif(APPLE)
+
+add_subdirectory("src/db")
+
+file(GLOB SYSCHECKD_SRC
+     "${CMAKE_SOURCE_DIR}/src/*.c"
+     "${CMAKE_SOURCE_DIR}/src/registry/*.c"
+     "${CMAKE_SOURCE_DIR}/src/whodata/*.c")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_library(wazuh-syscheckd STATIC ${SYSCHECKD_SRC})
+    add_library(wazuh-syscheckd-event STATIC ${SYSCHECKD_SRC})
+    target_compile_definitions(wazuh-syscheckd PUBLIC -D_WIN32_WINNT=0x600)
+    target_compile_definitions(wazuh-syscheckd-event PUBLIC -D_WIN32_WINNT=0x600 -DEVENTCHANNEL_SUPPORT)
+else()
+    add_executable(wazuh-syscheckd ${SYSCHECKD_SRC})
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+target_link_libraries(wazuh-syscheckd fimdb wazuhext pthread wazuh rootcheck)
+
+if (UNIX)
+    target_link_libraries(wazuh-syscheckd dl)
+    if (NOT APPLE)
+        if (CMAKE_SYSTEM_NAME STREQUAL "SunOS")
+            target_link_libraries(wazuh-syscheckd socket nsl resolv rt)
+            if (CMAKE_SYSTEM_VERSION STRGREATER "5.10")
+                string(APPEND CMAKE_EXE_LINKER_FLAGS " -z relax=secadj")
+            endif(CMAKE_SYSTEM_VERSION STRGREATER "5.10")
+        endif(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
+        if(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+            string(REPLACE ";" ":" CXX_IMPLICIT_LINK_DIRECTORIES_STR "${CMAKE_CXX_IMPLICIT_LINK_DIRECTORIES}")
+            string(REPLACE ";" ":" PLATFORM_REQUIRED_RUNTIME_PATH_STR "${CMAKE_PLATFORM_REQUIRED_RUNTIME_PATH}")
+            target_link_libraries(wazuh-syscheckd -Wl,-blibpath:${INSTALL_PREFIX}/lib:${CXX_IMPLICIT_LINK_DIRECTORIES_STR}:${PLATFORM_REQUIRED_RUNTIME_PATH_STR})
+        elseif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+            # Do nothing for HP-UX
+        else()
+            string(APPEND CMAKE_EXE_LINKER_FLAGS " -Wl,-rpath,$ORIGIN/../lib")
+        endif(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    else()
+        string(APPEND CMAKE_EXE_LINKER_FLAGS " -Wl,-rpath,@executable_path/../lib")
+    endif(NOT APPLE)
+endif(UNIX)
+
+if(UNIT_TEST)
+  add_definitions(-DWAZUH_UNIT_TESTING)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_link_libraries(wazuh-syscheckd -fprofile-arcs cmocka)
+  else()
+    add_definitions(-fprofile-arcs -ftest-coverage)
+    target_link_libraries(wazuh-syscheckd asan ubsan cmocka gcov -fprofile-arcs)
+  endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+else()
+  if(FSANITIZE)
+    target_link_libraries(wazuh-syscheckd gcov asan ubsan)
+  endif(FSANITIZE)
+endif(UNIT_TEST)
diff --git a/src/modules/fim/db/CMakeLists.txt b/src/modules/fim/db/CMakeLists.txt
new file mode 100644
index 0000000000..4a5d9b9e67
--- /dev/null
+++ b/src/modules/fim/db/CMakeLists.txt
@@ -0,0 +1,103 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fimdb)
+
+enable_testing()
+
+include_directories(${SRC_FOLDER}/shared_modules/utils)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/syscheckd)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/src)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  link_directories(${INSTALL_PREFIX}/lib)
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+file(GLOB DB_SRC
+     ${CMAKE_SOURCE_DIR}/src/db/src/db.cpp
+     ${CMAKE_SOURCE_DIR}/src/db/src/file.cpp
+     ${CMAKE_SOURCE_DIR}/src/db/src/fimDB.cpp
+     ${CMAKE_SOURCE_DIR}/src/db/src/dbFileItem.cpp
+     ${CMAKE_SOURCE_DIR}/src/db/src/dbRegistryKey.cpp
+     ${CMAKE_SOURCE_DIR}/src/db/src/dbRegistryValue.cpp)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
+  add_definitions(-DSOLARIS=ON)
+endif(CMAKE_SYSTEM_NAME STREQUAL "SunOS")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_definitions(-DOS_TYPE=OSType::WINDOWS)
+  add_library(fimdb SHARED ${DB_SRC}
+                           ${CMAKE_SOURCE_DIR}/src/db/src/registry.cpp
+                           ${CMAKE_SOURCE_DIR}/src/db/src/fimDBSpecializationWindows.cpp
+                           ${SRC_FOLDER}/${RESOURCE_OBJ}
+                           )
+elseif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DOS_TYPE=OSType::OTHERS)
+  add_library(fimdb SHARED ${DB_SRC})
+else()
+  add_definitions(-DOS_TYPE=OSType::OTHERS)
+  add_library(fimdb SHARED ${DB_SRC})
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  set_target_properties(
+    fimdb PROPERTIES LINK_FLAGS "-Wl,--add-stdcall-alias -Wl,--output-def,libfimdb.def")
+elseif(UNIX AND NOT APPLE)
+  if(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    string(REPLACE ";" ":" CXX_IMPLICIT_LINK_DIRECTORIES_STR
+                 "${CMAKE_CXX_IMPLICIT_LINK_DIRECTORIES}")
+    string(REPLACE ";" ":" PLATFORM_REQUIRED_RUNTIME_PATH_STR
+                 "${CMAKE_PLATFORM_REQUIRED_RUNTIME_PATH}")
+  elseif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+    # Do nothing for HP-UX
+  else()
+    string(APPEND CMAKE_SHARED_LINKER_FLAGS " -Wl,-rpath=$ORIGIN")
+  endif(CMAKE_SYSTEM_NAME STREQUAL "AIX")
+
+
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+  target_link_libraries(fimdb dbsync rsync wazuhext)
+else()
+  target_link_libraries(
+    fimdb
+    dbsync
+    rsync
+    wazuhext
+    -Wl,-blibpath:${INSTALL_PREFIX}/lib:${CXX_IMPLICIT_LINK_DIRECTORIES_STR}:${PLATFORM_REQUIRED_RUNTIME_PATH_STR}
+  )
+endif(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  find_program(DLLTOOL i686-w64-mingw32-dlltool)
+if(NOT DLLTOOL)
+  message(FATAL_ERROR "DLL tool for delayed load libraries not found.")
+endif(NOT DLLTOOL)
+
+add_custom_command(TARGET fimdb POST_BUILD
+  COMMAND "${DLLTOOL}" -D "libfimdb.dll" --def "libfimdb.def" --output-delaylib "libfimdb.lib"
+  COMMAND cp "libfimdb.lib" "${CMAKE_BINARY_DIR}/bin/libfimdb.lib"
+  COMMENT "Creating delayed load library for fimdb.")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if(UNIT_TEST)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_link_libraries(fimdb -fprofile-arcs)
+  else()
+    target_link_libraries(fimdb gcov)
+  endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+  add_subdirectory(tests)
+else()
+  add_subdirectory(testtool)
+  if(FSANITIZE)
+    target_link_libraries(fimdb gcov)
+  endif(FSANITIZE)
+endif(UNIT_TEST)
diff --git a/src/modules/fim/db/include/db.h b/src/modules/fim/db/include/db.h
new file mode 100644
index 0000000000..5899cb03e4
--- /dev/null
+++ b/src/modules/fim/db/include/db.h
@@ -0,0 +1,240 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 24, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef FIMDB_H
+#define FIMDB_H
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+// We avoid the definition __declspec(dllimport) as a workaround for the MinGW bug
+// for delayed loaded DLLs in 32bits (https://www.sourceware.org/bugzilla/show_bug.cgi?id=14339)
+#define EXPORTED
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+#include "fimCommonDefs.h"
+#include "commonDefs.h"
+#include "syscheck.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/evp.h>
+
+#define FIM_DB_MEMORY_PATH  ":memory:"
+#define FIM_DB_DISK_PATH    "queue/fim/db/fim.db"
+
+#define EVP_MAX_MD_SIZE 64
+
+/**
+ * @brief Initialize the FIM database.
+ *
+ * It will be dbsync the responsible of managing the DB.
+ * @param storage storage 1 Store database in memory, disk otherwise.
+ * @param sync_interval Interval when the synchronization will be performed.
+ * @param sync_max_interval Maximum interval allowed for the synchronization process.
+ * @param sync_response_timeout Minimum interval for the synchronization process.
+ * @param sync_callback Callback to send the synchronization messages.
+ * @param log_callback Callback to perform logging operations.
+ * @param file_limit Maximum number of files to be monitored.
+ * @param value_limit Maximum number of registry values to be monitored.
+ * @param sync_registry_enable Flag to enable the registry synchronization.
+ * @param sync_queue_size Number to define the size of the queue to be synchronized.
+ * @param dbsync_log_function Logging function for dbsync module.
+ * @param rsync_log_function Logging function for rsync module.
+ *
+ * @return FIMDB_OK on success, FIMDB_ERROR on error.
+ */
+EXPORTED FIMDBErrorCode fim_db_init(int storage,
+                                    int sync_interval,
+                                    uint32_t sync_max_interval,
+                                    uint32_t sync_response_timeout,
+                                    fim_sync_callback_t sync_callback,
+                                    logging_callback_t log_callback,
+                                    int file_limit,
+                                    int value_limit,
+                                    bool sync_registry_enabled,
+                                    int sync_thread_pool,
+                                    unsigned int sync_queue_size,
+                                    log_fnc_t dbsync_log_function,
+                                    log_fnc_t rsync_log_function);
+
+/**
+ * @brief Get entry data using path.
+ *
+ * @param file_path File path can be a pattern or a primary key
+ * @param data Pointer to the data structure where the callback context will be stored.
+ *
+ * @retval FIMDB_OK on success.
+ * @retval FIMDB_FULL if the table limit was reached.
+ * @retval FIMDB_ERR on failure.
+ */
+EXPORTED FIMDBErrorCode fim_db_get_path(const char* file_path,
+                                        callback_context_t data);
+
+/**
+ * @brief Find entries based on pattern search.
+ *
+ * @param pattern Pattern to be searched.
+ * @param data Pointer to the data structure where the callback context will be stored.
+ *
+ * @retval FIMDB_OK on success.
+ * @retval FIMDB_FULL if the table limit was reached.
+ * @retval FIMDB_ERR on failure.
+ */
+EXPORTED FIMDBErrorCode fim_db_file_pattern_search(const char* pattern,
+                                                   callback_context_t data);
+
+/**
+ * @brief Delete entry from the DB using file path.
+ *
+ * @param path Path of the entry to be removed.
+ *
+ * @retval FIMDB_OK on success.
+ * @retval FIMDB_FULL if the table limit was reached.
+ * @retval FIMDB_ERR on failure.
+ */
+EXPORTED FIMDBErrorCode fim_db_remove_path(const char* path);
+
+/**
+ * @brief Get count of all inodes in file_entry table.
+ *
+ * @return Number of inodes in file_entry table.
+ */
+EXPORTED int fim_db_get_count_file_inode();
+
+/**
+ * @brief Get count of all entries in file_entry table.
+ *
+ * @return Number of entries in file_entry table.
+ */
+EXPORTED int fim_db_get_count_file_entry();
+
+/**
+ * @brief Makes any necessary queries to get the entry updated in the DB.
+ *
+ * @param data The information linked to the path to be created or updated.
+ * @param callback Callback to send the fim message.
+ *
+ * @return FIMDB_OK on success.
+ */
+EXPORTED FIMDBErrorCode fim_db_file_update(fim_entry* data,
+                                           callback_context_t callback);
+
+/**
+ * @brief Find entries using the inode.
+ *
+ * @param inode Inode.
+ * @param dev Device.
+ * @param data Pointer to the data structure where the callback context will be stored.
+ *
+ * @return FIMDB_OK on success.
+ */
+EXPORTED FIMDBErrorCode fim_db_file_inode_search(unsigned long long int inode,
+                                                 unsigned long int dev,
+                                                 callback_context_t data);
+
+/**
+ * @brief Push a message to the syscheck queue
+ *
+ * @param msg The specific message to be pushed
+ *
+ * @return FIMDB_OK on success.
+ */
+EXPORTED FIMDBErrorCode fim_sync_push_msg(const char* msg);
+
+/**
+ * @brief Thread that performs the syscheck data synchronization
+ *
+ * @return FIMDB_OK on success.
+ */
+EXPORTED FIMDBErrorCode fim_run_integrity();
+
+/*
+ * @brief Function that starts a new DBSync transaction.
+ *
+ * @param table Database table that will be used in the DBSync transaction.
+ * @param row_callback Callback that is going to be executed for each insertion or modification.
+ * param user_data Context that will be used in the callback.
+ *
+ * @return TXN_HANDLE Transaction handler.
+ */
+EXPORTED TXN_HANDLE fim_db_transaction_start(const char* table,
+                                             result_callback_t row_callback,
+                                             void *user_data);
+
+/**
+ * @brief Function to perform a sync row operation (ADD OR REPLACE).
+ *
+ * @param txn_handler Handler to an active transaction.
+ * @param entry FIM entry to be added/updated.
+ *
+ * @retval FIMDB_OK on success.
+ * @retval FIMDB_FULL if the table limit was reached.
+ * @retval FIMDB_ERR on failure.
+ */
+EXPORTED FIMDBErrorCode fim_db_transaction_sync_row(TXN_HANDLE txn_handler,
+                                                    const fim_entry* entry);
+
+/**
+ * @brief Function to perform the deleted rows operation.
+ *
+ * @param txn_handler Handler to an active transaction.
+ * @param callback Function to be executed for each deleted entry.
+ *
+ * @retval FIMDB_OK on success.
+ * @retval FIMDB_FULL if the table limit was reached.
+ * @retval FIMDB_ERR on failure.
+ */
+EXPORTED FIMDBErrorCode fim_db_transaction_deleted_rows(TXN_HANDLE txn_handler,
+                                                        result_callback_t callback,
+                                                        void* txn_ctx);
+
+/**
+ * @brief Turns off the services provided.
+ *
+ * It will be responsible to close sync and release resources
+ */
+EXPORTED void fim_db_teardown();
+
+#ifdef WIN32
+
+// Registry functions.
+
+/**
+ * @brief Get count of all entries in registry data table.
+ *
+ * @return Number of entries in registry data table.
+ */
+EXPORTED int fim_db_get_count_registry_data();
+
+/**
+ * @brief Get count of all entries in registry key table.
+ *
+ * @return Number of entries in registry data table.
+ */
+EXPORTED int fim_db_get_count_registry_key();
+
+#endif /* WIN32 */
+
+
+#ifdef __cplusplus
+}
+#endif // _cplusplus
+#endif // FIMDB_H
diff --git a/src/modules/fim/db/include/db.hpp b/src/modules/fim/db/include/db.hpp
new file mode 100644
index 0000000000..b8d7000184
--- /dev/null
+++ b/src/modules/fim/db/include/db.hpp
@@ -0,0 +1,195 @@
+/*
+ * Wazuh DB
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DB_HPP
+#define _DB_HPP
+#include "db.h"
+#include <string.h>
+#include <functional>
+#include <json.hpp>
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+typedef enum COUNT_SELECT_TYPE
+{
+    COUNT_ALL,
+    COUNT_INODE,
+} COUNT_SELECT_TYPE;
+
+typedef enum FILE_SEARCH_TYPE
+{
+    SEARCH_TYPE_PATH,
+    SEARCH_TYPE_INODE
+} FILE_SEARCH_TYPE;
+
+using SearchData = std::tuple<FILE_SEARCH_TYPE, std::string, std::string, std::string>;
+
+class no_entry_found : public std::exception
+{
+    public:
+        __attribute__((__returns_nonnull__))
+        const char* what() const noexcept override
+        {
+            return m_error.what();
+        }
+
+        explicit no_entry_found(const std::string& whatArg)
+            : m_error{ whatArg }
+        {}
+
+    private:
+        /// an exception object as storage for error messages
+        std::runtime_error m_error;
+};
+
+class EXPORTED DB final
+{
+    public:
+        static DB& instance()
+        {
+            static DB s_instance;
+            return s_instance;
+        }
+
+        /**
+        * @brief Init facade with database connection
+        *
+        * @param storage Storage type.
+        * @param syncInterval Sync sync interval.
+        * @param sync_max_interval Maximum interval allowed for the synchronization process.
+        * @param sync_response_timeout Minimum interval for the synchronization process.
+        * @param callbackSyncFileWrapper Callback sync file values.
+        * @param callbackSyncRegistryWrapper Callback sync registry values.
+        * @param callbackLogWrapper Callback to log lines.
+        * @param fileLimit File limit.
+        * @param valueLimit Registry value limit.
+        * @param syncRegistryEnabled Flag to enable/disable the registry sync mechanism.
+        * @param syncThreadPool Number of threads used by RSync.
+        * @param syncQueueSize Number to define the size of the queue to be synchronized.
+        */
+        void init(const int storage,
+                  const int syncInterval,
+                  const uint32_t syncMaxInterval,
+                  const uint32_t syncResponseTimeout,
+                  std::function<void(const std::string&)> callbackSyncFileWrapper,
+                  std::function<void(const std::string&)> callbackSyncRegistryWrapper,
+                  std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper,
+                  int fileLimit,
+                  int valueLimit,
+                  bool syncRegistryEnabled,
+                  const int syncThreadPool,
+                  const int syncQueueSize);
+
+        /**
+        * @brief runIntegrity Execute the integrity mechanism.
+        */
+        void runIntegrity();
+
+        /**
+        * @brief pushMessage Push a message to the queue of the integrity mechanism.
+        *
+        * @param message Message payload comming from the manager.
+        */
+        void pushMessage(const std::string& message);
+
+        /**
+        * @brief DBSyncHandle return the dbsync handle, for operations with the database.
+        *
+        * @return dbsync handle.
+        */
+        DBSYNC_HANDLE DBSyncHandle();
+
+        /**
+        * @brief createJsonEvent Create and fill the json with event data.
+        *
+        * @param fileJson The json structure with fim file data.
+        * @param resultJson The json structure with the result of the dbsync querie.
+        * @param type Represents the result type of the database operation events.
+        * @param ctx Context struct with data related to the fim_entry.
+        *
+        * @return jsonEvent The json structure with the event information.
+        */
+        nlohmann::json createJsonEvent(const nlohmann::json& fileJson,
+                                       const nlohmann::json& resultJson,
+                                       ReturnTypeCallback type,
+                                       create_json_event_ctx* ctx);
+
+        /**
+        * @brief removeFile Remove a file from the database.
+        *
+        * @param path File to remove.
+        */
+        void removeFile(const std::string& path);
+
+        /**
+        * @brief getFile Get a file from the database.
+        *
+        * @param path File to get.
+        * @param callback Callback return the file data.
+        */
+        void getFile(const std::string& path,
+                     std::function<void(const nlohmann::json&)> callback);
+
+        /**
+        * @brief countEntries Count files in the database.
+        *
+        * @param tableName Table name.
+        * @param selectType Type of count.
+        * @return Number of files.
+        */
+        int countEntries(const std::string& tableName,
+                         const COUNT_SELECT_TYPE selectType);
+
+        /**
+        * @brief updateFile Update/insert a file in the database.
+        *
+        * @param file File entry/data to update/insert.
+        * @param ctx Context struct with data related to the fim_entry.
+        * @param callback Callback to send the fim message.
+        */
+        void updateFile(const nlohmann::json& file,
+                        create_json_event_ctx* ctx,
+                        std::function<void(nlohmann::json)> callbackPrimitive);
+
+        /**
+        * @brief searchFiles Search files in the database.
+        *
+        * @param searchData parameter to search information.
+        * @param callback Callback return the file data.
+        */
+        void searchFile(const SearchData& data,
+                        std::function<void(const std::string&)> callback);
+
+        /**
+        * @brief teardown Close the fimdb instances.
+        */
+        void teardown();
+
+    private:
+        DB() = default;
+        ~DB() = default;
+        DB(const DB&) = delete;
+        DB& operator=(const DB&) = delete;
+};
+
+
+#endif //_IFIMDB_HPP
diff --git a/src/modules/fim/db/include/fimCommonDefs.h b/src/modules/fim/db/include/fimCommonDefs.h
new file mode 100644
index 0000000000..edc6a50348
--- /dev/null
+++ b/src/modules/fim/db/include/fimCommonDefs.h
@@ -0,0 +1,53 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 6, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef DB_COMMONDEFS_H
+#define DB_COMMONDEFS_H
+#include "logging_helper.h"
+#include "commonDefs.h"
+
+#define FIMDB_FILE_TABLE_NAME "file_entry"
+#define FIMDB_FILE_TXN_TABLE "{\"table\": \"file_entry\"}"
+#define FILE_PRIMARY_KEY "path"
+
+#define FIMDB_REGISTRY_KEY_TABLENAME "registry_key"
+#define FIMDB_REGISTRY_KEY_TXN_TABLE "{\"table\": \"registry_key\"}"
+#define FIMDB_REGISTRY_VALUE_TABLENAME "registry_data"
+#define FIMDB_REGISTRY_VALUE_TXN_TABLE "{\"table\": \"registry_data\"}"
+
+typedef enum FIMDBErrorCode
+{
+    FIMDB_OK = 0,
+    FIMDB_ERR = -1,
+    FIMDB_FULL = -2
+} FIMDBErrorCode;
+
+typedef void((*fim_sync_callback_t)(const char *tag, const char* buffer));
+typedef void((*logging_callback_t)(const modules_log_level_t level, const char* log));
+typedef void((*callback_t)(void *return_data, void *user_data));
+
+/**
+ * @brief callback context.
+ */
+typedef struct
+{
+    callback_t callback;
+    void *context;
+} callback_context_t;
+
+enum OSType
+{
+    OTHERS,
+    WINDOWS
+};
+
+
+#endif // DB_COMMONDEFS_H
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/CountFiles.json b/src/modules/fim/db/smokeTests/FimDBTransaction/CountFiles.json
new file mode 100644
index 0000000000..97db72957b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/CountFiles.json
@@ -0,0 +1,8 @@
+{
+    "action": "CountEntries",
+    "body":
+    {
+        "filter_type": 0,
+        "table": "file_entry"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/GetDeletedRows.json b/src/modules/fim/db/smokeTests/FimDBTransaction/GetDeletedRows.json
new file mode 100644
index 0000000000..db8422e981
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/GetDeletedRows.json
@@ -0,0 +1,4 @@
+{
+    "action": "GetDeletedRows",
+    "body": {}
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransaction.json b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransaction.json
new file mode 100644
index 0000000000..6919f40d7b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransaction.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "file_entry",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryData.json b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryData.json
new file mode 100644
index 0000000000..d5bb14aeaf
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryData.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "registry_data",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryKey.json b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryKey.json
new file mode 100644
index 0000000000..6db8dc8d8e
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/StartTransactionRegistryKey.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "registry_key",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_1.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_1.json
new file mode 100644
index 0000000000..c600946859
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_1.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_data",
+        "data":
+        [
+            {
+                "name": "testRegistry",
+                "scanned": 1,
+                "last_event": 1596489275,
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "mode": 0,
+                "size": 4925,
+                "type": 0,
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "arch": "[x64]",
+                "path": "/tmp/pathTestRegistry",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_2.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_2.json
new file mode 100644
index 0000000000..e6f2f33613
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryData_2.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_data",
+        "data":
+        [
+            {
+                "name": "testRegistryFake",
+                "scanned": 1,
+                "last_event": 1596489275,
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "mode": 0,
+                "size": 4925,
+                "type": 0,
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "arch": "[x32]",
+                "path": "/tmp/fakePath/someRegistry",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_1.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_1.json
new file mode 100644
index 0000000000..7bb54ebf23
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_1.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_key",
+        "data":
+        [
+            {
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "gid": "0",
+                "group_name": "root",
+                "arch": "[x64]",
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "uid": "0",
+                "user_name": "fakeUser",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_2.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_2.json
new file mode 100644
index 0000000000..0bae6e1c20
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRowsRegistryKey_2.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_key",
+        "data":
+        [
+            {
+                "checksum": "c2cf8f9f8f021c65c8f1b143bac977d7eeb0196e",
+                "gid": "0",
+                "group_name": "root",
+                "arch": "[x32]",
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\FAKE_APP",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "uid": "0",
+                "user_name": "fakeUser",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_1.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_1.json
new file mode 100644
index 0000000000..e13251bca2
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_1.json
@@ -0,0 +1,29 @@
+{
+    "action": "SyncTxnRows",
+    "body": {
+        "table": "file_entry",
+        "data": [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2221,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/tmp/test_1.txt",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 4925,
+                "uid": "0",
+                "user_name": "fakeUser"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_2.json b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_2.json
new file mode 100644
index 0000000000..91342b1b59
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/FimDBTransaction/SyncTxnRows_2.json
@@ -0,0 +1,29 @@
+{
+    "action": "SyncTxnRows",
+    "body": {
+        "table": "file_entry",
+        "data": [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2221,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/tmp/test_2.txt",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 4925,
+                "uid": "0",
+                "user_name": "fakeUser"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/CountFiles.json b/src/modules/fim/db/smokeTests/atomicFileOperations/CountFiles.json
new file mode 100644
index 0000000000..97db72957b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/CountFiles.json
@@ -0,0 +1,8 @@
+{
+    "action": "CountEntries",
+    "body":
+    {
+        "filter_type": 0,
+        "table": "file_entry"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/DeleteFile.json b/src/modules/fim/db/smokeTests/atomicFileOperations/DeleteFile.json
new file mode 100644
index 0000000000..647e20a876
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/DeleteFile.json
@@ -0,0 +1,7 @@
+{
+    "action": "RemoveFile",
+    "body":
+    {
+        "file_path": "/tmp/test.txt"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/GetFile.json b/src/modules/fim/db/smokeTests/atomicFileOperations/GetFile.json
new file mode 100644
index 0000000000..24a7e82cf5
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/GetFile.json
@@ -0,0 +1,7 @@
+{
+    "action": "GetFile",
+    "body":
+    {
+        "file_path": "/etc/wgetrc"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/PushMessage.json b/src/modules/fim/db/smokeTests/atomicFileOperations/PushMessage.json
new file mode 100644
index 0000000000..240cfd8f0b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/PushMessage.json
@@ -0,0 +1,7 @@
+{
+    "action": "PushMessage",
+    "body":
+    {
+        "message": "fim_file dbsync no_data {\"begin\":\"/tmp/test.txt\",\"end\":\"/tmp/test.txt\",\"id\":1650301768}"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/RunIntegrity.json b/src/modules/fim/db/smokeTests/atomicFileOperations/RunIntegrity.json
new file mode 100644
index 0000000000..94972c672d
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/RunIntegrity.json
@@ -0,0 +1,4 @@
+{
+    "action": "RunIntegrity",
+    "body": {}
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_1.json b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_1.json
new file mode 100644
index 0000000000..9799eb8e88
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_1.json
@@ -0,0 +1,31 @@
+{
+    "action": "UpdateFile",
+    "body":
+    {
+        "table": "file_entry",
+        "data":
+        [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2456,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/etc/wgetrc",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 4925,
+                "uid": "0",
+                "user_name": "fakeUser"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_2.json b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_2.json
new file mode 100644
index 0000000000..31223cd244
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_2.json
@@ -0,0 +1,31 @@
+{
+    "action": "UpdateFile",
+    "body":
+    {
+        "table": "file_entry",
+        "data":
+        [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2221,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/tmp/test.txt",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 4925,
+                "uid": "0",
+                "user_name": "fakeUser"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_3.json b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_3.json
new file mode 100644
index 0000000000..098e22d560
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/atomicFileOperations/SyncRow_3.json
@@ -0,0 +1,31 @@
+{
+    "action": "UpdateFile",
+    "body":
+    {
+        "table": "file_entry",
+        "data":
+        [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2221,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 0,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/tmp/test.txt",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 1500,
+                "uid": "0",
+                "user_name": "fakeUserModified"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/config.json b/src/modules/fim/db/smokeTests/config.json
new file mode 100644
index 0000000000..21faa55f07
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/config.json
@@ -0,0 +1,11 @@
+{
+    "storage_type": 1,
+    "sync_interval": 60,
+    "file_limit": 20,
+    "registry_limit": 1,
+    "registry_sync": true,
+    "sync_response_timeout": 10,
+    "sync_max_interval": 100,
+    "thread_pool": 1,
+    "queue_size": 100
+}
diff --git a/src/modules/fim/db/smokeTests/configWindows.json b/src/modules/fim/db/smokeTests/configWindows.json
new file mode 100644
index 0000000000..71aa9ee21e
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/configWindows.json
@@ -0,0 +1,11 @@
+{
+    "storage_type": 1,
+    "sync_interval": 60,
+    "file_limit": 20,
+    "registry_limit": 20,
+    "registry_sync": true,
+    "sync_response_timeout": 10,
+    "sync_max_interval": 100,
+    "thread_pool": 1,
+    "queue_size": 100
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/GetDeletedRows.json b/src/modules/fim/db/smokeTests/integrityOps/GetDeletedRows.json
new file mode 100644
index 0000000000..db8422e981
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/GetDeletedRows.json
@@ -0,0 +1,4 @@
+{
+    "action": "GetDeletedRows",
+    "body": {}
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/PushMessage.json b/src/modules/fim/db/smokeTests/integrityOps/PushMessage.json
new file mode 100644
index 0000000000..240cfd8f0b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/PushMessage.json
@@ -0,0 +1,7 @@
+{
+    "action": "PushMessage",
+    "body":
+    {
+        "message": "fim_file dbsync no_data {\"begin\":\"/tmp/test.txt\",\"end\":\"/tmp/test.txt\",\"id\":1650301768}"
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/RunIntegrity.json b/src/modules/fim/db/smokeTests/integrityOps/RunIntegrity.json
new file mode 100644
index 0000000000..94972c672d
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/RunIntegrity.json
@@ -0,0 +1,4 @@
+{
+    "action": "RunIntegrity",
+    "body": {}
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/StartTransaction.json b/src/modules/fim/db/smokeTests/integrityOps/StartTransaction.json
new file mode 100644
index 0000000000..6919f40d7b
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/StartTransaction.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "file_entry",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryData.json b/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryData.json
new file mode 100644
index 0000000000..d5bb14aeaf
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryData.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "registry_data",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryKey.json b/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryKey.json
new file mode 100644
index 0000000000..6db8dc8d8e
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/StartTransactionRegistryKey.json
@@ -0,0 +1,9 @@
+{
+    "action": "StartTransaction",
+    "body":
+    {
+        "table": "registry_key",
+        "thread_number": 2,
+        "queue_size": 100
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryData_1.json b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryData_1.json
new file mode 100644
index 0000000000..c600946859
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryData_1.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_data",
+        "data":
+        [
+            {
+                "name": "testRegistry",
+                "scanned": 1,
+                "last_event": 1596489275,
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "mode": 0,
+                "size": 4925,
+                "type": 0,
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "arch": "[x64]",
+                "path": "/tmp/pathTestRegistry",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryKey_1.json b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryKey_1.json
new file mode 100644
index 0000000000..7bb54ebf23
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRowsRegistryKey_1.json
@@ -0,0 +1,25 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "registry_key",
+        "data":
+        [
+            {
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "gid": "0",
+                "group_name": "root",
+                "arch": "[x64]",
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "uid": "0",
+                "user_name": "fakeUser",
+                "hash_full_path": "c26e28e20da25627fb939c9c67b04ef9d1c89f12"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRows_1.json b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRows_1.json
new file mode 100644
index 0000000000..3d7c1e7caf
--- /dev/null
+++ b/src/modules/fim/db/smokeTests/integrityOps/SyncTxnRows_1.json
@@ -0,0 +1,31 @@
+{
+    "action": "SyncTxnRows",
+    "body":
+    {
+        "table": "file_entry",
+        "data":
+        [
+            {
+                "attributes": "10",
+                "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+                "dev": 2221,
+                "gid": "0",
+                "group_name": "root",
+                "hash_md5": "4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1": "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256": "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+                "inode": 18277083,
+                "last_event": 1596489275,
+                "mode": 0,
+                "mtime": 1578075431,
+                "options": 131583,
+                "path": "/tmp/test_1.txt",
+                "perm": "-rw-rw-r--",
+                "scanned": 1,
+                "size": 4925,
+                "uid": "0",
+                "user_name": "fakeUser"
+            }
+        ]
+    }
+}
diff --git a/src/modules/fim/db/src/db.cpp b/src/modules/fim/db/src/db.cpp
new file mode 100644
index 0000000000..a062b06220
--- /dev/null
+++ b/src/modules/fim/db/src/db.cpp
@@ -0,0 +1,424 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * August 28, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "commonDefs.h"
+#include "dbsync.hpp"
+#include "dbsync.h"
+#include "db.h"
+#include "db.hpp"
+#include "fimCommonDefs.h"
+#include "fimDB.hpp"
+#include "dbFileItem.hpp"
+#include "dbRegistryKey.hpp"
+#include "dbRegistryValue.hpp"
+#include "fimDBSpecialization.h"
+#include "stringHelper.h"
+#include "cjsonSmartDeleter.hpp"
+
+void DB::init(const int storage,
+              const int syncInterval,
+              const uint32_t syncMaxInterval,
+              const uint32_t syncResponseTimeout,
+              std::function<void(const std::string&)> callbackSyncFileWrapper,
+              std::function<void(const std::string&)> callbackSyncRegistryWrapper,
+              std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper,
+              const int fileLimit,
+              const int valueLimit,
+              bool syncRegistryEnabled,
+              const int syncThreadPool,
+              const int syncQueueSize)
+{
+    auto path { storage == FIM_DB_MEMORY ? FIM_DB_MEMORY_PATH : FIM_DB_DISK_PATH };
+    auto dbsyncHandler
+    {
+        std::make_shared<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, path,
+                                 FIMDBCreator<OS_TYPE>::CreateStatement())
+    };
+
+    auto rsyncHandler { std::make_shared<RemoteSync>(syncThreadPool, syncQueueSize) };
+
+    FIMDB::instance().init(syncInterval,
+                           syncMaxInterval,
+                           syncResponseTimeout,
+                           callbackSyncFileWrapper,
+                           callbackSyncRegistryWrapper,
+                           callbackLogWrapper,
+                           dbsyncHandler,
+                           rsyncHandler,
+                           fileLimit,
+                           valueLimit,
+                           syncRegistryEnabled);
+}
+
+void DB::runIntegrity()
+{
+    FIMDB::instance().runIntegrity();
+}
+
+void DB::pushMessage(const std::string& message)
+{
+    FIMDB::instance().pushMessage(message);
+}
+
+DBSYNC_HANDLE DB::DBSyncHandle()
+{
+    return FIMDB::instance().DBSyncHandler()->handle();
+}
+
+void DB::teardown()
+{
+    FIMDB::instance().teardown();
+}
+
+const std::map<COUNT_SELECT_TYPE, std::vector<std::string>> COUNT_SELECT_TYPE_MAP
+{
+    { COUNT_SELECT_TYPE::COUNT_ALL, {"count(*) AS count"} },
+    { COUNT_SELECT_TYPE::COUNT_INODE, {"count(DISTINCT (inode || ',' || dev)) AS count"} },
+};
+
+int DB::countEntries(const std::string& tableName, const COUNT_SELECT_TYPE selectType)
+{
+    auto count { 0 };
+    auto callback
+    {
+        [&count](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            if (ReturnTypeCallback::SELECTED == type)
+            {
+                count = jsonResult.at("count");
+            }
+        }
+    };
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table(tableName)
+        .columnList(COUNT_SELECT_TYPE_MAP.at(selectType))
+        .rowFilter("")
+        .orderByOpt("")
+        .distinctOpt(false)
+        .build()
+    };
+
+    FIMDB::instance().executeQuery(selectQuery.query(), callback);
+
+    return count;
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+FIMDBErrorCode fim_db_init(int storage,
+                           int sync_interval,
+                           uint32_t sync_max_interval,
+                           uint32_t sync_response_timeout,
+                           fim_sync_callback_t sync_callback,
+                           logging_callback_t log_callback,
+                           int file_limit,
+                           int value_limit,
+                           bool sync_registry_enabled,
+                           int sync_thread_pool,
+                           unsigned int sync_queue_size,
+                           log_fnc_t dbsync_log_function,
+                           log_fnc_t rsync_log_function)
+{
+    auto retVal { FIMDBErrorCode::FIMDB_ERR };
+
+    try
+    {
+        // LCOV_EXCL_START
+        std::function<void(const std::string&)> callbackSyncFileWrapper
+        {
+            [sync_callback](const std::string & msg)
+            {
+                if (sync_callback)
+                {
+                    auto json = nlohmann::json::parse(msg);
+
+                    if (json.at("type") == "state")
+                    {
+                        std::string perm_string = json["data"]["attributes"]["perm"];
+                        auto perm_json = nlohmann::json::parse(perm_string, nullptr, false);
+
+                        if (!perm_json.is_discarded())
+                        {
+                            json["data"]["attributes"].erase("perm");
+                            json["data"]["attributes"]["perm"] = perm_json;
+                        }
+
+                        json["data"]["attributes"]["type"] = "file";
+                        json["data"]["attributes"].erase("dev");
+                        json["data"]["attributes"].erase("last_event");
+                        json["data"]["attributes"].erase("mode");
+                        json["data"]["attributes"].erase("options");
+                        json["data"]["attributes"].erase("path");
+                        json["data"]["attributes"].erase("scanned");
+
+                        FIMDB::instance().setTimeLastSyncMsg();
+                    }
+
+                    try
+                    {
+                        sync_callback(FIM_COMPONENT_FILE, json.dump().c_str());
+                    }
+                    catch (std::exception& err)
+                    {
+                        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+                    }
+                }
+            }
+        };
+
+        std::function<void(const std::string&)> callbackSyncRegistryWrapper
+        {
+            [sync_callback](const std::string & msg)
+            {
+                if (sync_callback)
+                {
+                    auto json = nlohmann::json::parse(msg);
+                    const auto component { json.at("component").get<std::string>() };
+
+                    if (json.at("type") == "state")
+                    {
+
+                        if (component == FIM_COMPONENT_REGISTRY_VALUE)
+                        {
+                            const auto registryType { json.at("data").at("attributes").at("type").get<uint32_t>() };
+                            json["data"]["attributes"]["value_type"] = RegistryTypes<OS_TYPE>::typeText(registryType);
+                            json["data"]["attributes"]["type"] = "registry_value";
+                            json["data"]["value_name"] = json["data"]["attributes"]["name"];
+                            json["data"]["attributes"].erase("name");
+                        }
+                        else
+                        {
+                            std::string perm_string = json["data"]["attributes"]["perm"];
+                            auto perm_json = nlohmann::json::parse(perm_string, nullptr, false);
+
+                            if (!perm_json.is_discarded())
+                            {
+                                json["data"]["attributes"].erase("perm");
+                                json["data"]["attributes"]["perm"] = perm_json;
+                            }
+
+                            json["data"]["attributes"]["type"] = "registry_key";
+                        }
+
+                        json["data"]["path"] = json["data"]["attributes"]["path"];
+                        json["data"]["attributes"].erase("path");
+                        json["data"]["arch"] = json["data"]["attributes"]["arch"];
+                        json["data"]["attributes"].erase("arch");
+
+                        json["data"]["attributes"].erase("hash_full_path");
+                        json["data"]["attributes"].erase("last_event");
+                        json["data"]["attributes"].erase("scanned");
+                        json["data"]["version"] = 3;
+
+                        FIMDB::instance().setTimeLastSyncMsg();
+                    }
+
+                    try
+                    {
+                        sync_callback(component.c_str(), json.dump().c_str());
+                    }
+                    catch (std::exception& err)
+                    {
+                        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+                    }
+                }
+            }
+        };
+        // LCOV_EXCL_STOP
+
+        std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper
+        {
+            [log_callback](modules_log_level_t level, const std::string & log)
+            {
+                if (log_callback)
+                {
+                    log_callback(level, log.c_str());
+                }
+            }
+        };
+
+        if (dbsync_log_function)
+        {
+            dbsync_initialize(dbsync_log_function);
+        }
+
+        if (rsync_log_function)
+        {
+            rsync_initialize(rsync_log_function);
+        }
+
+        DB::instance().init(storage,
+                            sync_interval,
+                            sync_max_interval,
+                            sync_response_timeout,
+                            callbackSyncFileWrapper,
+                            callbackSyncRegistryWrapper,
+                            callbackLogWrapper,
+                            file_limit,
+                            value_limit,
+                            sync_registry_enabled,
+                            sync_thread_pool,
+                            sync_queue_size);
+        retVal = FIMDBErrorCode::FIMDB_OK;
+
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& ex)
+    {
+        auto errorMessage { std::string("Error, id: ") + ex.what() };
+        log_callback(LOG_ERROR_EXIT, errorMessage.c_str());
+    }
+
+    // LCOV_EXCL_STOP
+    return retVal;
+}
+
+FIMDBErrorCode fim_run_integrity()
+{
+    auto retval { FIMDB_ERR };
+
+    try
+    {
+        DB::instance().runIntegrity();
+        retval = FIMDB_OK;
+    }
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    return retval;
+}
+
+FIMDBErrorCode fim_sync_push_msg(const char* msg)
+{
+    auto retval { FIMDB_ERR };
+
+    try
+    {
+        DB::instance().pushMessage(msg);
+        retval = FIMDB_OK;
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+
+    return retval;
+}
+
+TXN_HANDLE fim_db_transaction_start(const char* table, result_callback_t row_callback, void* user_data)
+{
+    const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+    {
+        cJSON_Parse(table)
+    };
+
+    callback_data_t cb_data = { .callback = row_callback, .user_data = user_data };
+
+    TXN_HANDLE dbsyncTxnHandle = dbsync_create_txn(DB::instance().DBSyncHandle(), jsInput.get(), 0,
+                                                   QUEUE_SIZE, cb_data);
+
+    return dbsyncTxnHandle;
+}
+
+FIMDBErrorCode fim_db_transaction_sync_row(TXN_HANDLE txn_handler, const fim_entry* entry)
+{
+    auto retval { FIMDB_ERR };
+
+    if (entry)
+    {
+        std::unique_ptr<DBItem> syncItem;
+
+        if (entry->type == FIM_TYPE_FILE)
+        {
+            syncItem = std::make_unique<FileItem>(entry, true);
+        }
+        else
+        {
+            if (entry->registry_entry.key == NULL)
+            {
+                syncItem = std::make_unique<RegistryValue>(entry, true);
+            }
+            else
+            {
+                syncItem = std::make_unique<RegistryKey>(entry, true);
+            }
+        }
+
+        try
+        {
+
+            const std::unique_ptr<cJSON, CJsonSmartDeleter> jsInput
+            {
+                cJSON_Parse((*syncItem->toJSON()).dump().c_str())
+            };
+
+            if (dbsync_sync_txn_row(txn_handler, jsInput.get()) == 0)
+            {
+                retval = FIMDB_OK;
+            }
+        }
+        catch (std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+    }
+
+    return retval;
+}
+
+FIMDBErrorCode fim_db_transaction_deleted_rows(TXN_HANDLE txn_handler,
+                                               result_callback_t res_callback,
+                                               void* txn_ctx)
+{
+    auto retval {FIMDB_OK};
+    callback_data_t cb_data = { .callback = res_callback, .user_data = txn_ctx };
+
+    if (dbsync_get_deleted_rows(txn_handler, cb_data) != 0)
+    {
+        retval = FIMDB_ERR;
+    }
+
+    if (dbsync_close_txn(txn_handler) != 0)
+    {
+        retval = FIMDB_ERR;
+    }
+
+    return retval;
+}
+
+void fim_db_teardown()
+{
+    try
+    {
+        DB::instance().teardown();
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+}
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/modules/fim/db/src/dbFileItem.cpp b/src/modules/fim/db/src/dbFileItem.cpp
new file mode 100644
index 0000000000..29299fb2b5
--- /dev/null
+++ b/src/modules/fim/db/src/dbFileItem.cpp
@@ -0,0 +1,101 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 24, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbFileItem.hpp"
+
+void FileItem::createFimEntry()
+{
+    fim_entry* fim = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_file_data* data = reinterpret_cast<fim_file_data*>(std::calloc(1, sizeof(fim_file_data)));
+
+    if (fim)
+    {
+        fim->type = FIM_TYPE_FILE;
+        fim->file_entry.path = const_cast<char*>(m_identifier.c_str());
+
+        if (data)
+        {
+            data->size = m_size;
+            data->perm = const_cast<char*>(m_perm.c_str());
+            data->attributes = const_cast<char*>(m_attributes.c_str());
+            data->uid = const_cast<char*>(m_uid.c_str());
+            data->gid = const_cast<char*>(m_gid.c_str());
+            data->user_name = const_cast<char*>(m_username.c_str());
+            data->group_name = const_cast<char*>(m_groupname.c_str());
+            data->mtime = m_time;
+            data->inode = m_inode;
+            std::snprintf(data->hash_md5, sizeof(data->hash_md5), "%s", m_md5.c_str());
+            std::snprintf(data->hash_sha1, sizeof(data->hash_sha1), "%s", m_sha1.c_str());
+            std::snprintf(data->hash_sha256, sizeof(data->hash_sha256), "%s", m_sha256.c_str());
+            data->mode = m_mode;
+            data->last_event = m_lastEvent;
+            data->dev = m_dev;
+            data->scanned = m_scanned;
+            data->options = m_options;
+            std::snprintf(data->checksum, sizeof(data->checksum), "%s", m_checksum.c_str());
+
+            fim->file_entry.data = data;
+            m_fimEntry = std::unique_ptr<fim_entry, FimFileDataDeleter>(fim);
+        }
+        // LCOV_EXCL_START
+        else
+        {
+            throw std::runtime_error("The memory for fim_file_data could not be allocated.");
+        }
+
+        // LCOV_EXCL_STOP
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw std::runtime_error("The memory for fim_entry could not be allocated.");
+    }
+
+    // LCOV_EXCL_STOP
+}
+
+void FileItem::createJSON()
+{
+    nlohmann::json conf;
+    nlohmann::json data;
+    nlohmann::json options;
+
+    conf["table"] = FIMDB_FILE_TABLE_NAME;
+    data["path"] = m_identifier;
+    data["mode"] = m_mode;
+    data["last_event"] = m_lastEvent;
+    data["scanned"] = m_scanned;
+    data["options"] = m_options;
+    data["checksum"] = m_checksum;
+    data["dev"] = m_dev;
+    data["inode"] = m_inode;
+    data["size"] = m_size;
+    data["perm"] = m_perm;
+    data["attributes"] = m_attributes;
+    data["uid"] = m_uid;
+    data["gid"] = m_gid;
+    data["user_name"] = m_username;
+    data["group_name"] = m_groupname;
+    data["hash_md5"] = m_md5;
+    data["hash_sha1"] = m_sha1;
+    data["hash_sha256"] = m_sha256;
+    data["mtime"] = m_time;
+    conf["data"] = nlohmann::json::array({data});
+
+    if (m_oldData)
+    {
+        options["return_old_data"] = true;
+        options["ignore"] = nlohmann::json::array({"last_event"});
+        conf["options"] = options;
+    }
+
+    m_statementConf = std::make_unique<nlohmann::json>(conf);
+}
diff --git a/src/modules/fim/db/src/dbFileItem.hpp b/src/modules/fim/db/src/dbFileItem.hpp
new file mode 100644
index 0000000000..6a69ea81a7
--- /dev/null
+++ b/src/modules/fim/db/src/dbFileItem.hpp
@@ -0,0 +1,125 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FILEITEM_HPP
+#define _FILEITEM_HPP
+#include "json.hpp"
+#include "dbItem.hpp"
+#include "fimCommonDefs.h"
+#include "fimDBSpecialization.h"
+
+struct FimFileDataDeleter
+{
+    void operator()(fim_entry* fimFile)
+    {
+        if (fimFile)
+        {
+            if (fimFile->file_entry.data)
+            {
+                std::free(fimFile->file_entry.data);
+            }
+
+            std::free(fimFile);
+        }
+    }
+};
+
+class FileItem final : public DBItem
+{
+    public:
+        FileItem(const fim_entry* const fim, bool oldData = false)
+            : DBItem(fim->file_entry.path == NULL ? "" : fim->file_entry.path
+                     , fim->file_entry.data->scanned
+                     , fim->file_entry.data->last_event
+                     , fim->file_entry.data->checksum[0] == '\0' ? "" : fim->file_entry.data->checksum
+                     , fim->file_entry.data->mode)
+        {
+            m_oldData = oldData;
+            m_options = fim->file_entry.data->options;
+            m_time = fim->file_entry.data->mtime;
+            m_size = fim->file_entry.data->size;
+            m_dev = fim->file_entry.data->dev;
+            m_inode = fim->file_entry.data->inode;
+
+            m_attributes = fim->file_entry.data->attributes == NULL ? "" : fim->file_entry.data->attributes;
+            m_username = fim->file_entry.data->user_name == NULL ? "" : fim->file_entry.data->user_name;
+            m_groupname = fim->file_entry.data->group_name == NULL ? "" : fim->file_entry.data->group_name;
+            m_perm = fim->file_entry.data->perm == NULL ? "" : fim->file_entry.data->perm;
+
+            FIMDBCreator<OS_TYPE>::encodeString(m_attributes);
+            FIMDBCreator<OS_TYPE>::encodeString(m_username);
+            FIMDBCreator<OS_TYPE>::encodeString(m_groupname);
+            FIMDBCreator<OS_TYPE>::encodeString(m_perm);
+
+            m_md5 = fim->file_entry.data->hash_md5[0] == '\0' ? "" : fim->file_entry.data->hash_md5;
+            m_sha1 = fim->file_entry.data->hash_sha1[0] == '\0' ? "" : fim->file_entry.data->hash_sha1;
+            m_sha256 = fim->file_entry.data->hash_sha256[0] == '\0' ? "" : fim->file_entry.data->hash_sha256;
+            m_uid = fim->file_entry.data->uid == NULL ? "" : fim->file_entry.data->uid;
+            m_gid = fim->file_entry.data->gid == NULL ? "" : fim->file_entry.data->gid;
+            createJSON();
+            createFimEntry();
+        };
+
+        FileItem(const nlohmann::json& fim)
+            : DBItem(fim.at("path"), fim.at("scanned"), fim.at("last_event"), fim.at("checksum"), fim.at("mode"))
+        {
+            m_options = fim.at("options");
+            m_time = fim.at("mtime");
+            m_size = fim.at("size");
+            m_dev = fim.at("dev");
+            m_inode = fim.at("inode");
+            m_attributes = fim.at("attributes");
+            m_gid = fim.at("gid");
+            m_groupname = fim.at("group_name");
+            m_md5 = fim.at("hash_md5");
+            m_perm = fim.at("perm");
+            m_sha1 = fim.at("hash_sha1");
+            m_sha256 = fim.at("hash_sha256");
+            m_uid = fim.at("uid");
+            m_username = fim.at("user_name");
+
+            createFimEntry();
+            m_statementConf = std::make_unique<nlohmann::json>(fim);
+        };
+
+        ~FileItem() = default;
+        fim_entry* toFimEntry()
+        {
+            return m_fimEntry.get();
+        };
+
+        const nlohmann::json* toJSON() const
+        {
+            return m_statementConf.get();
+        };
+
+    private:
+        int                                             m_options;
+        std::string                                     m_gid;
+        std::string                                     m_uid;
+        unsigned long int                               m_size;
+        unsigned long int                               m_dev;
+        unsigned long long int                          m_inode;
+        time_t                                          m_time;
+        std::string                                     m_attributes;
+        std::string                                     m_groupname;
+        std::string                                     m_md5;
+        std::string                                     m_perm;
+        std::string                                     m_sha1;
+        std::string                                     m_sha256;
+        std::string                                     m_username;
+        std::unique_ptr<fim_entry, FimFileDataDeleter>  m_fimEntry;
+        std::unique_ptr<nlohmann::json>                 m_statementConf;
+
+        void createFimEntry();
+        void createJSON();
+};
+#endif //_FILEITEM_HPP
diff --git a/src/modules/fim/db/src/dbItem.hpp b/src/modules/fim/db/src/dbItem.hpp
new file mode 100644
index 0000000000..017aa4f5b9
--- /dev/null
+++ b/src/modules/fim/db/src/dbItem.hpp
@@ -0,0 +1,54 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DBITEM_HPP
+#define _DBITEM_HPP
+#include "syscheck.h"
+#include "json.hpp"
+#include "fimDBSpecialization.h"
+
+class DBItem
+{
+    public:
+        DBItem(const std::string& identifier,
+               const unsigned int& scanned,
+               const time_t& lastEvent,
+               const std::string& checksum,
+               const fim_event_mode& mode)
+            : m_identifier( identifier )
+            , m_scanned( scanned )
+            , m_lastEvent( lastEvent )
+            , m_checksum( checksum )
+            , m_mode( mode )
+        {
+            FIMDBCreator<OS_TYPE>::encodeString(m_identifier);
+            m_oldData = false;
+        }
+
+        // LCOV_EXCL_START
+        virtual ~DBItem() = default;
+        // LCOV_EXCL_STOP
+        virtual fim_entry* toFimEntry() = 0;
+        virtual const nlohmann::json* toJSON() const = 0;
+        bool state()
+        {
+            return m_scanned;
+        };
+
+    protected:
+        std::string             m_identifier;
+        unsigned int            m_scanned;
+        time_t                  m_lastEvent;
+        std::string             m_checksum;
+        fim_event_mode          m_mode;
+        bool                    m_oldData;
+};
+#endif //_DBITEM_HPP
diff --git a/src/modules/fim/db/src/dbRegistryKey.cpp b/src/modules/fim/db/src/dbRegistryKey.cpp
new file mode 100644
index 0000000000..a3f9b37458
--- /dev/null
+++ b/src/modules/fim/db/src/dbRegistryKey.cpp
@@ -0,0 +1,90 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 15, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbRegistryKey.hpp"
+#include "fimCommonDefs.h"
+
+void RegistryKey::createFimEntry()
+{
+    fim_entry* fim = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_registry_key* key = reinterpret_cast<fim_registry_key*>(std::calloc(1, sizeof(fim_registry_key)));
+
+    if (fim)
+    {
+        fim->type = FIM_TYPE_REGISTRY;
+
+        if (key)
+        {
+            key->arch = m_arch;
+            std::snprintf(key->checksum, sizeof(key->checksum), "%s", m_checksum.c_str());
+            key->gid = const_cast<char*>(m_gid.c_str());
+            key->uid = const_cast<char*>(m_uid.c_str());
+            key->group_name = const_cast<char*>(m_groupname.c_str());
+            key->last_event = m_lastEvent;
+            key->mtime = m_time;
+            key->path = const_cast<char*>(m_identifier.c_str());
+            key->hash_full_path = const_cast<char*>(m_hashpath.c_str());
+            key->perm = const_cast<char*>(m_perm.c_str());
+            key->scanned =  m_scanned;
+            key->user_name = const_cast<char*>(m_username.c_str());
+
+            fim->registry_entry.key = key;
+            m_fimEntry = std::unique_ptr<fim_entry, FimRegistryKeyDeleter>(fim);
+        }
+        // LCOV_EXCL_START
+        else
+        {
+            throw std::runtime_error("The memory for fim_registry_key could not be allocated.");
+        }
+
+        // LCOV_EXCL_STOP
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw std::runtime_error("The memory for fim_entry could not be allocated.");
+    }
+
+    // LCOV_EXCL_STOP
+}
+
+void RegistryKey::createJSON()
+{
+    nlohmann::json conf;
+    nlohmann::json data;
+    nlohmann::json options;
+
+    conf["table"] = FIMDB_REGISTRY_KEY_TABLENAME;
+    data["path"] = m_identifier;
+    data["arch"] = ((m_arch == 0) ? "[x32]" : "[x64]");
+    data["last_event"] = m_lastEvent;
+    data["scanned"] = m_scanned;
+    data["checksum"] = m_checksum;
+    data["perm"] = m_perm;
+    data["uid"] = m_uid;
+    data["gid"] = m_gid;
+    data["user_name"] = m_username;
+    data["group_name"] = m_groupname;
+    data["mtime"] = m_time;
+    data["hash_full_path"] = m_hashpath;
+
+    conf["data"] = nlohmann::json::array({data});
+
+    if (m_oldData)
+    {
+        options["return_old_data"] = true;
+        options["ignore"] = nlohmann::json::array({"last_event"});
+        conf["options"] = options;
+    }
+
+    m_statementConf = std::make_unique<nlohmann::json>(conf);
+
+}
diff --git a/src/modules/fim/db/src/dbRegistryKey.hpp b/src/modules/fim/db/src/dbRegistryKey.hpp
new file mode 100644
index 0000000000..1dc5789cb0
--- /dev/null
+++ b/src/modules/fim/db/src/dbRegistryKey.hpp
@@ -0,0 +1,104 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _REGISTRYKEY_HPP
+#define _REGISTRYKEY_HPP
+#include "json.hpp"
+#include "dbItem.hpp"
+#include "fimDBSpecialization.h"
+
+struct FimRegistryKeyDeleter
+{
+    void operator()(fim_entry* fimRegistryKey)
+    {
+        if (fimRegistryKey)
+        {
+            if (fimRegistryKey->registry_entry.key)
+            {
+                std::free(fimRegistryKey->registry_entry.key);
+            }
+
+            std::free(fimRegistryKey);
+        }
+    }
+};
+
+class RegistryKey final : public DBItem
+{
+    public:
+        RegistryKey(const fim_entry* const fim, bool old_data = false)
+            : DBItem(std::string(fim->registry_entry.key->path)
+                     , fim->registry_entry.key->scanned
+                     , fim->registry_entry.key->last_event
+                     , fim->registry_entry.key->checksum
+                     , FIM_SCHEDULED)
+        {
+            m_oldData = old_data;
+            m_arch = fim->registry_entry.key->arch;
+            m_gid = fim->registry_entry.key->gid ? fim->registry_entry.key->gid : "";
+            m_uid = fim->registry_entry.key->uid ? fim->registry_entry.key->uid : "";
+            m_groupname = fim->registry_entry.key->group_name ? fim->registry_entry.key->group_name : "";
+            m_perm = fim->registry_entry.key->perm ? fim->registry_entry.key->perm : "";
+            m_username = fim->registry_entry.key->user_name ? fim->registry_entry.key->user_name : "";
+
+            FIMDBCreator<OS_TYPE>::encodeString(m_groupname);
+            FIMDBCreator<OS_TYPE>::encodeString(m_perm);
+            FIMDBCreator<OS_TYPE>::encodeString(m_username);
+
+            m_time = fim->registry_entry.key->mtime;
+            m_hashpath = fim->registry_entry.key->hash_full_path;
+            createJSON();
+            createFimEntry();
+        }
+
+        RegistryKey(const nlohmann::json& fim, bool oldData = false)
+            : DBItem(fim.at("path"), fim.at("scanned"), fim.at("last_event"), fim.at("checksum"), fim.at("mode"))
+        {
+            m_oldData = oldData;
+            m_arch = fim.at("arch");
+            m_gid = fim.at("gid");
+            m_uid = fim.at("uid");
+            m_groupname = fim.at("group_name");
+            m_perm = fim.at("perm");
+            m_username = fim.at("user_name");
+            m_time = fim.at("mtime");
+            m_hashpath = fim.at("hash_full_path");
+            createFimEntry();
+            createJSON();
+        }
+
+        ~RegistryKey() = default;
+        fim_entry* toFimEntry()
+        {
+            return m_fimEntry.get();
+        };
+
+        const nlohmann::json* toJSON() const
+        {
+            return m_statementConf.get();
+        };
+
+    private:
+        int                                                 m_arch;
+        std::string                                         m_gid;
+        std::string                                         m_uid;
+        std::string                                         m_groupname;
+        std::string                                         m_perm;
+        std::string                                         m_username;
+        time_t                                              m_time;
+        std::unique_ptr<fim_entry, FimRegistryKeyDeleter>   m_fimEntry;
+        std::unique_ptr<nlohmann::json>                     m_statementConf;
+        std::string                                         m_hashpath;
+
+        void createFimEntry();
+        void createJSON();
+};
+#endif //_REGISTRYKEY_HPP
diff --git a/src/modules/fim/db/src/dbRegistryValue.cpp b/src/modules/fim/db/src/dbRegistryValue.cpp
new file mode 100644
index 0000000000..eefbc2f374
--- /dev/null
+++ b/src/modules/fim/db/src/dbRegistryValue.cpp
@@ -0,0 +1,88 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 18, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbRegistryValue.hpp"
+#include "fimCommonDefs.h"
+
+void RegistryValue::createFimEntry()
+{
+    fim_entry* fim = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_registry_value_data* value = reinterpret_cast<fim_registry_value_data*>(std::calloc(1, sizeof(fim_registry_value_data)));
+
+    if (fim)
+    {
+        fim->type = FIM_TYPE_REGISTRY;
+
+        if (value)
+        {
+            value->path = const_cast<char*>(m_path.c_str());
+            value->hash_full_path = const_cast<char*>(m_hashpath.c_str());
+            value->size = m_size;
+            value->name = const_cast<char*>(m_identifier.c_str());
+            std::snprintf(value->hash_md5, sizeof(value->hash_md5), "%s", m_md5.c_str());
+            std::snprintf(value->hash_sha1, sizeof(value->hash_sha1), "%s", m_sha1.c_str());
+            std::snprintf(value->hash_sha256, sizeof(value->hash_sha256), "%s", m_sha256.c_str());
+            value->mode = m_mode;
+            value->last_event = m_lastEvent;
+            value->scanned = m_scanned;
+            std::snprintf(value->checksum, sizeof(value->checksum), "%s", m_checksum.c_str());
+            fim->registry_entry.value = value;
+            m_fimEntry = std::unique_ptr<fim_entry, FimRegistryValueDeleter>(fim);
+        }
+        // LCOV_EXCL_START
+        else
+        {
+            throw std::runtime_error("The memory for fim_registry_value_data could not be allocated.");
+        }
+
+        // LCOV_EXCL_STOP
+    }
+    // LCOV_EXCL_START
+    else
+    {
+        throw std::runtime_error("The memory for fim_entry could not be allocated.");
+    }
+
+    // LCOV_EXCL_STOP
+}
+
+void RegistryValue::createJSON()
+{
+
+    nlohmann::json conf;
+    nlohmann::json data;
+    nlohmann::json options;
+
+    conf["table"] = FIMDB_REGISTRY_VALUE_TABLENAME;
+    data["path"] = m_path;
+    data["arch"] = ((m_arch == 0) ? "[x32]" : "[x64]");
+    data["name"] = m_identifier;
+    data["last_event"] = m_lastEvent;
+    data["scanned"] = m_scanned;
+    data["checksum"] = m_checksum;
+    data["size"] = m_size;
+    data["hash_md5"] = m_md5;
+    data["hash_sha1"] = m_sha1;
+    data["hash_sha256"] = m_sha256;
+    data["type"] = m_type;
+    data["hash_full_path"] = m_hashpath;
+
+    conf["data"] = nlohmann::json::array({data});
+
+    if (m_oldData)
+    {
+        options["return_old_data"] = true;
+        options["ignore"] = nlohmann::json::array({"last_event"});
+        conf["options"] = options;
+    }
+
+    m_statementConf = std::make_unique<nlohmann::json>(conf);
+}
diff --git a/src/modules/fim/db/src/dbRegistryValue.hpp b/src/modules/fim/db/src/dbRegistryValue.hpp
new file mode 100644
index 0000000000..81abc7bb58
--- /dev/null
+++ b/src/modules/fim/db/src/dbRegistryValue.hpp
@@ -0,0 +1,101 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _REGISTRYVALUE_HPP
+#define _REGISTRYVALUE_HPP
+
+#include "json.hpp"
+#include "dbItem.hpp"
+#include "fimDBSpecialization.h"
+
+struct FimRegistryValueDeleter
+{
+    void operator()(fim_entry* fimRegistryValue)
+    {
+        if (fimRegistryValue)
+        {
+            if (fimRegistryValue->registry_entry.value)
+            {
+                std::free(fimRegistryValue->registry_entry.value);
+            }
+
+            std::free(fimRegistryValue);
+        }
+    }
+};
+
+class RegistryValue final : public DBItem
+{
+    public:
+        RegistryValue(const fim_entry* const fim, bool oldData = false)
+            : DBItem(fim->registry_entry.value->name ? fim->registry_entry.value->name : ""
+                     , fim->registry_entry.value->scanned
+                     , fim->registry_entry.value->last_event
+                     , fim->registry_entry.value->checksum
+                     , fim->registry_entry.value->mode)
+        {
+            m_oldData = oldData;
+            m_path = fim->registry_entry.value->path ? fim->registry_entry.value->path : "";
+            FIMDBCreator<OS_TYPE>::encodeString(m_path);
+            m_arch = fim->registry_entry.value->arch;
+            m_size = fim->registry_entry.value->size;
+            m_type = fim->registry_entry.value->type;
+            m_md5 = fim->registry_entry.value->hash_md5;
+            m_sha1 = fim->registry_entry.value->hash_sha1;
+            m_sha256 = fim->registry_entry.value->hash_sha256;
+            m_hashpath = fim->registry_entry.value->hash_full_path;
+            createJSON();
+            createFimEntry();
+        }
+
+        RegistryValue(const nlohmann::json& fim, bool oldData = false)
+            : DBItem(fim.at("name"), fim.at("scanned"), fim.at("last_event"), fim.at("checksum"), fim.at("mode"))
+        {
+            m_oldData = oldData;
+            m_size = fim.at("size");
+            m_type = fim.at("type");
+            m_md5 = fim.at("hash_md5");
+            m_sha1 = fim.at("hash_sha1");
+            m_sha256 = fim.at("hash_sha256");
+            m_arch = fim.at("arch");
+            m_path = fim.at("path");
+            m_hashpath = fim.at("hash_full_path");
+            createFimEntry();
+            createJSON();
+        }
+
+        ~RegistryValue() = default;
+        fim_entry* toFimEntry()
+        {
+            return m_fimEntry.get();
+        };
+
+        const nlohmann::json* toJSON() const
+        {
+            return m_statementConf.get();
+        };
+
+    private:
+        unsigned long int                                   m_size;
+        unsigned int                                        m_type;
+        std::string                                         m_path;
+        int                                                 m_arch;
+        std::string                                         m_md5;
+        std::string                                         m_sha1;
+        std::string                                         m_sha256;
+        std::unique_ptr<fim_entry, FimRegistryValueDeleter> m_fimEntry;
+        std::unique_ptr<nlohmann::json>                     m_statementConf;
+        std::string                                         m_hashpath;
+
+        void createFimEntry();
+        void createJSON();
+};
+#endif //_REGISTRYVALUE_HPP
diff --git a/src/modules/fim/db/src/file.cpp b/src/modules/fim/db/src/file.cpp
new file mode 100644
index 0000000000..550b88ae37
--- /dev/null
+++ b/src/modules/fim/db/src/file.cpp
@@ -0,0 +1,670 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 9, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "fimCommonDefs.h"
+#include "json.hpp"
+#include "db.h"
+#include "db.hpp"
+#include "fimDB.hpp"
+#include "dbFileItem.hpp"
+#include "cjsonSmartDeleter.hpp"
+
+static const char* FIM_EVENT_TYPE_ARRAY[] =
+{
+    "added",
+    "deleted",
+    "modified"
+};
+
+static const char* FIM_EVENT_MODE[] =
+{
+    "scheduled",
+    "realtime",
+    "whodata"
+};
+
+enum SEARCH_FIELDS
+{
+    SEARCH_FIELD_TYPE,
+    SEARCH_FIELD_PATH,
+    SEARCH_FIELD_INODE,
+    SEARCH_FIELD_DEV
+};
+
+nlohmann::json DB::createJsonEvent(const nlohmann::json& fileJson, const nlohmann::json& resultJson, ReturnTypeCallback type, create_json_event_ctx* ctx)
+{
+    nlohmann::json jsonEvent;
+    nlohmann::json data;
+
+    data = fileJson.at("data")[0];
+
+    jsonEvent["type"] = "event";
+    jsonEvent["data"]["path"] = data.at("path");
+    jsonEvent["data"]["version"] = "2.0";
+    jsonEvent["data"]["mode"] = FIM_EVENT_MODE[ctx->event->mode];
+
+    if (ReturnTypeCallback::MODIFIED == type)
+    {
+        ctx->event->type = FIM_MODIFICATION;
+    }
+    else
+    {
+        ctx->event->type = FIM_ADD;
+    }
+
+    jsonEvent["data"]["type"] = FIM_EVENT_TYPE_ARRAY[ctx->event->type];
+
+    // Attributes
+    jsonEvent["data"]["attributes"]["type"] = "file";
+
+    if (ctx->config->options & CHECK_SIZE)
+    {
+        jsonEvent["data"]["attributes"]["size"] = data.at("size");
+    }
+
+    if (ctx->config->options & CHECK_PERM)
+    {
+        jsonEvent["data"]["attributes"]["perm"] = data.at("perm");
+    }
+
+    if (data.contains("uid") && data.at("uid") != "" && ctx->config->options & CHECK_OWNER)
+    {
+        jsonEvent["data"]["attributes"]["uid"] = data.at("uid");
+    }
+
+    if (data.contains("gid") && data.at("gid") != "" && ctx->config->options & CHECK_GROUP)
+    {
+        jsonEvent["data"]["attributes"]["gid"] = data.at("gid");
+    }
+
+    if (data.at("user_name") != "")
+    {
+        jsonEvent["data"]["attributes"]["user_name"] = data.at("user_name");
+    }
+
+    if (data.at("group_name") != "")
+    {
+        jsonEvent["data"]["attributes"]["group_name"] = data.at("group_name");
+    }
+
+    if (ctx->config->options & CHECK_INODE)
+    {
+        jsonEvent["data"]["attributes"]["inode"] = data.at("inode");
+    }
+
+    if (ctx->config->options & CHECK_MTIME)
+    {
+        jsonEvent["data"]["attributes"]["mtime"] = data.at("mtime");
+    }
+
+    if (ctx->config->options & CHECK_MD5SUM)
+    {
+        jsonEvent["data"]["attributes"]["hash_md5"] = data.at("hash_md5");
+    }
+
+    if (ctx->config->options & CHECK_SHA1SUM)
+    {
+        jsonEvent["data"]["attributes"]["hash_sha1"] = data.at("hash_sha1");
+    }
+
+    if (ctx->config->options & CHECK_SHA256SUM)
+    {
+        jsonEvent["data"]["attributes"]["hash_sha256"] = data.at("hash_sha256");
+    }
+
+    if (data.at("checksum") != "")
+    {
+        jsonEvent["data"]["attributes"]["checksum"] = data.at("checksum");
+    }
+
+    if (data.at("attributes") != "" && ctx->config->options & CHECK_ATTRS)
+    {
+        jsonEvent["data"]["attributes"]["attributes"] = data.at("attributes");
+    }
+
+    // Last event
+    if (resultJson.contains("last_event"))
+    {
+        jsonEvent["data"]["timestamp"] = resultJson.at("last_event");
+    }
+    else
+    {
+        jsonEvent["data"]["timestamp"] = data.at("last_event");
+    }
+
+    // Old data attributes
+    if (resultJson.contains("old"))
+    {
+
+        nlohmann::json old_data = resultJson.at("old");
+        nlohmann::json changed_attributes = nlohmann::json::array();
+
+        jsonEvent["data"]["old_attributes"]["type"] = "file";
+
+        if (ctx->config->options & CHECK_SIZE)
+        {
+            if (old_data.contains("size"))
+            {
+                jsonEvent["data"]["old_attributes"]["size"] = old_data["size"];
+                changed_attributes.push_back("size");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["size"] = data.at("size");
+            }
+        }
+
+        if (ctx->config->options & CHECK_PERM)
+        {
+            if (old_data.contains("perm"))
+            {
+                jsonEvent["data"]["old_attributes"]["perm"] = old_data["perm"];
+                changed_attributes.push_back("permission");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["perm"] = data.at("perm");
+            }
+        }
+
+        if (data.contains("uid") && data.at("uid") != "" && ctx->config->options & CHECK_OWNER)
+        {
+            if (old_data.contains("uid"))
+            {
+                jsonEvent["data"]["old_attributes"]["uid"] = old_data["uid"];
+                changed_attributes.push_back("uid");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["uid"] = data.at("uid");
+            }
+        }
+
+        if (data.contains("gid") && data.at("gid") != "" && ctx->config->options & CHECK_GROUP)
+        {
+            if (old_data.contains("gid"))
+            {
+                jsonEvent["data"]["old_attributes"]["gid"] = old_data["gid"];
+                changed_attributes.push_back("gid");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["gid"] = data.at("gid");
+            }
+        }
+
+        if (data.at("user_name") != "")
+        {
+            if (old_data.contains("user_name"))
+            {
+                jsonEvent["data"]["old_attributes"]["user_name"] = old_data["user_name"];
+                changed_attributes.push_back("user_name");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["user_name"] = data.at("user_name");
+            }
+        }
+
+        if (data.at("group_name") != "")
+        {
+            if (old_data.contains("group_name"))
+            {
+                jsonEvent["data"]["old_attributes"]["group_name"] = old_data["group_name"];
+                changed_attributes.push_back("group_name");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["group_name"] = data.at("group_name");
+            }
+        }
+
+        if (ctx->config->options & CHECK_INODE)
+        {
+            if (old_data.contains("inode"))
+            {
+                jsonEvent["data"]["old_attributes"]["inode"] = old_data["inode"];
+                changed_attributes.push_back("inode");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["inode"] = data.at("inode");
+            }
+        }
+
+        if (ctx->config->options & CHECK_MTIME)
+        {
+            if (old_data.contains("mtime"))
+            {
+                jsonEvent["data"]["old_attributes"]["mtime"] = old_data["mtime"];
+                changed_attributes.push_back("mtime");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["mtime"] = data.at("mtime");
+            }
+        }
+
+        if (ctx->config->options & CHECK_MD5SUM)
+        {
+            if (old_data.contains("hash_md5"))
+            {
+                jsonEvent["data"]["old_attributes"]["hash_md5"] = old_data["hash_md5"];
+                changed_attributes.push_back("md5");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["hash_md5"] = data.at("hash_md5");
+            }
+        }
+
+        if (ctx->config->options & CHECK_SHA1SUM)
+        {
+            if (old_data.contains("hash_sha1"))
+            {
+                jsonEvent["data"]["old_attributes"]["hash_sha1"] = old_data["hash_sha1"];
+                changed_attributes.push_back("sha1");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["hash_sha1"] = data.at("hash_sha1");
+            }
+        }
+
+        if (ctx->config->options & CHECK_SHA256SUM)
+        {
+            if (old_data.contains("hash_sha256"))
+            {
+                jsonEvent["data"]["old_attributes"]["hash_sha256"] = old_data["hash_sha256"];
+                changed_attributes.push_back("sha256");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["hash_sha256"] = data.at("hash_sha256");
+            }
+        }
+
+        if (data.at("attributes") != "" && ctx->config->options & CHECK_ATTRS)
+        {
+            if (old_data.contains("attributes"))
+            {
+                jsonEvent["data"]["old_attributes"]["attributes"] = old_data["attributes"];
+                changed_attributes.push_back("attributes");
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["attributes"] = data.at("attributes");
+            }
+        }
+
+        if (data.at("checksum") != "")
+        {
+            if (old_data.contains("checksum"))
+            {
+                jsonEvent["data"]["old_attributes"]["checksum"] = old_data["checksum"];
+            }
+            else
+            {
+                jsonEvent["data"]["old_attributes"]["checksum"] = data.at("checksum");
+            }
+        }
+
+        jsonEvent["data"]["changed_attributes"] = changed_attributes;
+    }
+
+
+    return jsonEvent;
+}
+
+void DB::removeFile(const std::string& path)
+{
+    auto deleteQuery
+    {
+        DeleteQuery::builder()
+        .table(FIMDB_FILE_TABLE_NAME)
+        .data({{"path", path}})
+        .rowFilter("")
+        .build()
+    };
+
+    FIMDB::instance().removeItem(deleteQuery.query());
+}
+
+void DB::getFile(const std::string& path, std::function<void(const nlohmann::json&)> callback)
+{
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table(FIMDB_FILE_TABLE_NAME)
+        .columnList({"path",
+            "mode",
+            "last_event",
+            "scanned",
+            "options",
+            "checksum",
+            "dev",
+            "inode",
+            "size",
+            "perm",
+            "attributes",
+            "uid",
+            "gid",
+            "user_name",
+            "group_name",
+            "hash_md5",
+            "hash_sha1",
+            "hash_sha256",
+            "mtime"})
+        .rowFilter(std::string("WHERE path=\"") + std::string(path) + "\"")
+        .orderByOpt(FILE_PRIMARY_KEY)
+        .distinctOpt(false)
+        .countOpt(100)
+        .build()
+    };
+
+    std::vector<nlohmann::json> entryFromPath;
+    const auto internalCallback
+    {
+        [&entryFromPath](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            if (ReturnTypeCallback::SELECTED == type)
+            {
+                entryFromPath.push_back(jsonResult);
+            }
+        }
+    };
+
+    FIMDB::instance().executeQuery(selectQuery.query(), internalCallback);
+
+    if (entryFromPath.size() == 1)
+    {
+        callback(entryFromPath.front());
+    }
+    else
+    {
+        throw no_entry_found { "No entry found for " + path};
+    }
+}
+
+void DB::updateFile(const nlohmann::json& file, create_json_event_ctx* ctx, std::function<void(nlohmann::json)> callbackPrimitive)
+{
+    const auto callback
+    {
+        [file, callbackPrimitive, ctx, this](ReturnTypeCallback type, const nlohmann::json resultJson)
+        {
+            if (ctx->event->report_event)
+            {
+                callbackPrimitive(createJsonEvent(file, resultJson, type, ctx));
+            }
+        }
+    };
+
+    FIMDB::instance().updateItem(file, callback);
+
+    return;
+}
+
+void DB::searchFile(const SearchData& data, std::function<void(const std::string&)> callback)
+{
+    const auto searchType { std::get<SEARCH_FIELD_TYPE>(data) };
+    std::string filter;
+
+    if (SEARCH_TYPE_INODE == searchType)
+    {
+        filter = "WHERE inode=" + std::get<SEARCH_FIELD_INODE>(data) + " AND dev=" + std::get<SEARCH_FIELD_DEV>(data);
+    }
+    else if (SEARCH_TYPE_PATH == searchType)
+    {
+        filter = "WHERE path LIKE \"" + std::get<SEARCH_FIELD_PATH>(data) + "\"";
+    }
+    else
+    {
+        throw std::runtime_error{ "Invalid search type" };
+    }
+
+    auto selectQuery
+    {
+        SelectQuery::builder()
+        .table(FIMDB_FILE_TABLE_NAME)
+        .columnList({"path"})
+        .rowFilter(filter)
+        .orderByOpt(FILE_PRIMARY_KEY)
+        .distinctOpt(false)
+        .build()
+    };
+
+
+    const auto localCallback
+    {
+        [callback](ReturnTypeCallback type, const nlohmann::json & jsonResult)
+        {
+            if (ReturnTypeCallback::SELECTED == type)
+            {
+                callback(jsonResult.at("path"));
+            }
+        }
+    };
+
+    FIMDB::instance().executeQuery(selectQuery.query(), localCallback);
+}
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+FIMDBErrorCode fim_db_get_path(const char* file_path, callback_context_t callback)
+{
+    auto retVal { FIMDB_ERR };
+
+    if (!file_path || !callback.callback)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, "Invalid parameters");
+    }
+    else
+    {
+        try
+        {
+            DB::instance().getFile(file_path, [&callback](const nlohmann::json & jsonResult)
+            {
+                const auto file { std::make_unique<FileItem>(jsonResult) };
+                callback.callback(file->toFimEntry(), callback.context);
+            });
+            retVal = FIMDB_OK;
+        }
+        catch (const no_entry_found& err)
+        {
+            FIMDB::instance().logFunction(LOG_DEBUG_VERBOSE, err.what());
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    return retVal;
+}
+
+FIMDBErrorCode fim_db_remove_path(const char* path)
+{
+    auto retVal { FIMDB_ERR };
+
+    if (!path)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, "Invalid parameters");
+    }
+    else
+    {
+        try
+        {
+            DB::instance().removeFile(path);
+            retVal = FIMDB_OK;
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    return retVal;
+}
+
+int fim_db_get_count_file_inode()
+{
+    auto count { 0 };
+
+    try
+    {
+        count = DB::instance().countEntries(FIMDB_FILE_TABLE_NAME, COUNT_SELECT_TYPE::COUNT_INODE);
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+
+    return count;
+}
+
+int fim_db_get_count_file_entry()
+{
+    auto count { 0 };
+
+    try
+    {
+        count = DB::instance().countEntries(FIMDB_FILE_TABLE_NAME, COUNT_SELECT_TYPE::COUNT_ALL);
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+
+    return count;
+}
+
+FIMDBErrorCode fim_db_file_update(fim_entry* data, callback_context_t callback)
+{
+    auto retVal { FIMDB_ERR };
+
+    if (!data || !callback.callback)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, "Invalid parameters");
+    }
+    else
+    {
+        try
+        {
+            const auto file { std::make_unique<FileItem>(data, true) };
+            create_json_event_ctx* ctx { reinterpret_cast<create_json_event_ctx*>(callback.context)};
+            DB::instance().updateFile(*file->toJSON(), ctx, [callback](const nlohmann::json jsonResult)
+            {
+                const std::unique_ptr<cJSON, CJsonSmartDeleter> spJson{ cJSON_Parse(jsonResult.dump().c_str()) };
+                callback.callback(spJson.get(), callback.context);
+            });
+            retVal = FIMDB_OK;
+        }
+        // LCOV_EXCL_START
+        catch (DbSync::max_rows_error& max_row)
+        {
+            FIMDB::instance().logFunction(LOG_WARNING, "Reached maximum files limit monitored, due to db_entry_limit configuration for files.");
+        }
+        catch (std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    return retVal;
+}
+
+FIMDBErrorCode fim_db_file_inode_search(const unsigned long long int inode,
+                                        const unsigned long dev,
+                                        callback_context_t callback)
+{
+    auto retVal { FIMDB_ERR };
+
+    if (!callback.callback)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, "Invalid parameters");
+    }
+    else
+    {
+        try
+        {
+            DB::instance().searchFile(std::make_tuple(SEARCH_TYPE_INODE, "", std::to_string(inode), std::to_string(dev)),
+                                      [callback] (const std::string & path)
+            {
+                char* entry = const_cast<char*>(path.c_str());
+                callback.callback(entry, callback.context);
+            });
+            retVal = FIMDB_OK;
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    return retVal;
+}
+
+FIMDBErrorCode fim_db_file_pattern_search(const char* pattern, callback_context_t callback)
+{
+    auto retVal { FIMDB_ERR };
+
+    if (!pattern || !callback.callback)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, "Invalid parameters");
+    }
+    else
+    {
+        try
+        {
+            DB::instance().searchFile(std::make_tuple(SEARCH_TYPE_PATH, pattern, "", ""),
+                                      [callback] (const std::string & path)
+            {
+                char* entry = const_cast<char*>(path.c_str());
+                callback.callback(entry, callback.context);
+            });
+            retVal = FIMDB_OK;
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& err)
+        {
+            FIMDB::instance().logFunction(LOG_ERROR, err.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+
+    return retVal;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/modules/fim/db/src/fimDB.cpp b/src/modules/fim/db/src/fimDB.cpp
new file mode 100644
index 0000000000..3537adc04c
--- /dev/null
+++ b/src/modules/fim/db/src/fimDB.cpp
@@ -0,0 +1,218 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 27, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "fimDB.hpp"
+#include "fimDBSpecialization.h"
+#include "promiseFactory.h"
+#include <future>
+
+
+void FIMDB::registerRSync()
+{
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+
+    if (!m_stopping)
+    {
+        FIMDBCreator<OS_TYPE>::registerRsync(m_rsyncHandler,
+                                             m_dbsyncHandler->handle(),
+                                             m_syncFileMessageFunction,
+                                             m_syncRegistryMessageFunction,
+                                             m_syncRegistryEnabled);
+    }
+}
+
+void FIMDB::sync()
+{
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+
+    if (!m_stopping)
+    {
+        m_loggingFunction(LOG_DEBUG, "Executing FIM sync.");
+        FIMDBCreator<OS_TYPE>::sync(m_rsyncHandler,
+                                    m_dbsyncHandler->handle(),
+                                    m_syncFileMessageFunction,
+                                    m_syncRegistryMessageFunction,
+                                    m_syncRegistryEnabled);
+        m_loggingFunction(LOG_DEBUG, "Finished FIM sync.");
+    }
+}
+
+void FIMDB::syncAlgorithm()
+{
+    char debugmsg[1024];
+
+    if ((uint32_t)(getCurrentTime() - m_timeLastSyncMsg) > m_syncResponseTimeout)
+    {
+        if (m_syncSuccessful && m_currentSyncInterval > m_syncInterval)
+        {
+            m_currentSyncInterval = m_syncInterval;
+
+            snprintf(debugmsg, 1024, "Previous sync was successful. Sync interval is reset to: '%ds'", m_currentSyncInterval);
+            m_loggingFunction(LOG_DEBUG_VERBOSE, debugmsg);
+        }
+
+        m_syncSuccessful = true;
+
+        sync();
+    }
+    else
+    {
+        m_currentSyncInterval *= 2;
+
+        if (m_currentSyncInterval > m_syncMaxInterval)
+        {
+            m_currentSyncInterval = m_syncMaxInterval;
+        }
+
+        snprintf(debugmsg, 1024, "Sync still in progress. Skipped next sync and increased interval to '%ds'", m_currentSyncInterval);
+        m_loggingFunction(LOG_DEBUG_VERBOSE, debugmsg);
+    }
+}
+
+time_t FIMDB::getCurrentTime() const
+{
+    return std::time(nullptr);
+}
+
+void FIMDB::init(unsigned int syncInterval,
+                 const uint32_t syncMaxInterval,
+                 const uint32_t syncResponseTimeout,
+                 std::function<void(const std::string&)> callbackSyncFileWrapper,
+                 std::function<void(const std::string&)> callbackSyncRegistryWrapper,
+                 std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper,
+                 std::shared_ptr<DBSync> dbsyncHandler,
+                 std::shared_ptr<RemoteSync> rsyncHandler,
+                 const int fileLimit,
+                 const int registryLimit,
+                 const bool syncRegistryEnabled)
+{
+    m_syncInterval = syncInterval;
+    m_dbsyncHandler = dbsyncHandler;
+    m_rsyncHandler = rsyncHandler;
+    m_syncFileMessageFunction = callbackSyncFileWrapper;
+    m_syncRegistryMessageFunction = callbackSyncRegistryWrapper;
+    m_loggingFunction = callbackLogWrapper;
+    m_stopping = false;
+    m_runIntegrity = false;
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+    FIMDBCreator<OS_TYPE>::setLimits(m_dbsyncHandler, fileLimit, registryLimit);
+    m_syncRegistryEnabled = syncRegistryEnabled;
+    m_syncResponseTimeout = syncResponseTimeout;
+    m_syncMaxInterval = syncMaxInterval;
+    m_currentSyncInterval = m_syncInterval;
+    m_syncSuccessful = true;
+}
+
+void FIMDB::removeItem(const nlohmann::json& item)
+{
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+
+    if (!m_stopping)
+    {
+        m_dbsyncHandler->deleteRows(item);
+    }
+}
+
+void FIMDB::updateItem(const nlohmann::json& item, ResultCallbackData callbackData)
+{
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+
+    if (!m_stopping)
+    {
+        m_dbsyncHandler->syncRow(item, callbackData);
+    }
+}
+
+void FIMDB::executeQuery(const nlohmann::json& item, ResultCallbackData callbackData)
+{
+    m_dbsyncHandler->selectRows(item, callbackData);
+}
+
+void FIMDB::runIntegrity()
+{
+    std::lock_guard<std::mutex> lock{m_fimSyncMutex};
+
+    if (!m_runIntegrity)
+    {
+        m_runIntegrity = true;
+        registerRSync();
+        auto promise { PromiseFactory<PROMISE_TYPE>::getPromiseObject() };
+        m_integrityThread = std::thread([&]()
+        {
+            m_loggingFunction(LOG_INFO, "FIM sync module started.");
+            sync();
+            promise->set_value();
+            std::unique_lock<std::mutex> lockCv{m_fimSyncMutex};
+
+            while (!m_cv.wait_for(lockCv, std::chrono::seconds{m_currentSyncInterval}, [&]()
+        {
+            return m_stopping;
+        }))
+            {
+                // LCOV_EXCL_START
+                syncAlgorithm();
+                // LCOV_EXCL_STOP
+            }
+        });
+        promise->wait();
+
+    }
+    else
+    {
+        throw std::runtime_error("FIM integrity thread already running.");
+    }
+}
+
+void FIMDB::pushMessage(const std::string& data)
+{
+    std::shared_lock<std::shared_timed_mutex> lock(m_handlersMutex);
+
+    if (!m_stopping)
+    {
+        auto rawData{data};
+        Utils::replaceFirst(rawData, "dbsync ", "");
+        const auto buff{reinterpret_cast<const uint8_t*>(rawData.c_str())};
+        setTimeLastSyncMsg();
+        m_syncSuccessful = false;
+
+        try
+        {
+            m_rsyncHandler->pushMessage(std::vector<uint8_t> {buff, buff + rawData.size()});
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& ex)
+        {
+            m_loggingFunction(LOG_ERROR, ex.what());
+        }
+
+        // LCOV_EXCL_STOP
+    }
+}
+
+void FIMDB::teardown()
+{
+
+    try
+    {
+        stopIntegrity();
+        std::lock_guard<std::shared_timed_mutex> lock(m_handlersMutex);
+        m_rsyncHandler = nullptr;
+        m_dbsyncHandler = nullptr;
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& ex)
+    {
+        auto errmsg { "There is a problem to close FIMDB " + std::string(ex.what()) };
+        m_loggingFunction(LOG_ERROR, errmsg);
+    }
+
+    // LCOV_EXCL_STOP
+}
diff --git a/src/modules/fim/db/src/fimDB.hpp b/src/modules/fim/db/src/fimDB.hpp
new file mode 100644
index 0000000000..dfd01f8f62
--- /dev/null
+++ b/src/modules/fim/db/src/fimDB.hpp
@@ -0,0 +1,304 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2021, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FIMDB_HPP
+#define _FIMDB_HPP
+#include "dbsync.hpp"
+#include "rsync.hpp"
+#include "stringHelper.h"
+#include <condition_variable>
+#include <mutex>
+#include <thread>
+#include <shared_mutex>
+
+#ifdef __cplusplus
+extern "C"
+{
+#include "fimCommonDefs.h"
+}
+#endif
+
+#define FIM_COMPONENT_FILE              "fim_file"
+#define FIM_COMPONENT_REGISTRY_KEY      "fim_registry_key"
+#define FIM_COMPONENT_REGISTRY_VALUE    "fim_registry_value"
+
+constexpr auto QUEUE_SIZE
+{
+    4096
+};
+
+constexpr auto CREATE_FILE_DB_STATEMENT
+{
+    R"(CREATE TABLE IF NOT EXISTS file_entry (
+    path TEXT NOT NULL,
+    mode INTEGER,
+    last_event INTEGER,
+    scanned INTEGER,
+    options INTEGER,
+    checksum TEXT NOT NULL,
+    dev INTEGER,
+    inode INTEGER,
+    size BIGINT,
+    perm TEXT,
+    attributes TEXT,
+    uid TEXT,
+    gid TEXT,
+    user_name TEXT,
+    group_name TEXT,
+    hash_md5 TEXT,
+    hash_sha1 TEXT,
+    hash_sha256 TEXT,
+    mtime INTEGER,
+    PRIMARY KEY(path)) WITHOUT ROWID;
+    CREATE INDEX IF NOT EXISTS path_index ON file_entry (path);
+    CREATE INDEX IF NOT EXISTS inode_index ON file_entry (dev, inode);)"
+};
+
+constexpr auto CREATE_REGISTRY_KEY_DB_STATEMENT
+{
+    R"(CREATE TABLE IF NOT EXISTS registry_key (
+    path TEXT NOT NULL,
+    perm TEXT,
+    uid TEXT,
+    gid TEXT,
+    user_name TEXT,
+    group_name TEXT,
+    mtime INTEGER,
+    arch TEXT CHECK (arch IN ('[x32]', '[x64]')),
+    scanned INTEGER,
+    last_event INTEGER,
+    checksum TEXT NOT NULL,
+    hash_full_path TEXT NOT NULL,
+    PRIMARY KEY (arch, path)) WITHOUT ROWID;
+    CREATE INDEX IF NOT EXISTS path_index ON registry_key (path);)"
+};
+
+constexpr auto CREATE_REGISTRY_VALUE_DB_STATEMENT
+{
+    R"(CREATE TABLE IF NOT EXISTS registry_data (
+    path TEXT,
+    arch TEXT CHECK (arch IN ('[x32]', '[x64]')),
+    name TEXT NOT NULL,
+    type INTEGER,
+    size BIGINT,
+    hash_md5 TEXT,
+    hash_sha1 TEXT,
+    hash_sha256 TEXT,
+    scanned INTEGER,
+    last_event INTEGER,
+    checksum TEXT NOT NULL,
+    hash_full_path TEXT NOT NULL,
+    PRIMARY KEY(path, arch, name)
+    FOREIGN KEY (path) REFERENCES registry_key(path)
+    FOREIGN KEY (arch) REFERENCES registry_key(arch)) WITHOUT ROWID;
+    CREATE INDEX IF NOT EXISTS key_name_index ON registry_data (path, name);)"
+};
+
+class FIMDB
+{
+    public:
+        static FIMDB& instance()
+        {
+            static FIMDB s_instance;
+            return s_instance;
+        };
+
+        /**
+         * @brief Initialize the FIMDB singleton class, setting the attributes needed.
+         *
+         * @param syncInterval Interval in second, to determine frequency of the synchronization
+         * @param syncMaxInterval Maximum interval allowed for the synchronization process.
+         * @param syncResponseTimeout Minimum interval for the synchronization process.
+         * @param callbackSyncFileWrapper callback used to send sync messages
+         * @param callbackSyncRegistryWrapper callback used to send sync messages
+         * @param callbackLogWrapper callback used to send log messages
+         * @param dbsyncHandler Pointer to a dbsync handler.
+         * @param rsyncHandler Pointer to a rsync handler.
+         * @param fileLimit Maximum number of file entries in database.
+         * @param registryLimit Maximum number of registry values entries in database (only for Windows).
+         * @param syncRegistryEnabled Flag to specify if the synchronization for registries is enabled (only for Windows).
+         */
+        void init(unsigned int syncInterval,
+                  const uint32_t syncMaxInterval,
+                  const uint32_t syncResponseTimeout,
+                  std::function<void(const std::string&)> callbackSyncFileWrapper,
+                  std::function<void(const std::string&)> callbackSyncRegistryWrapper,
+                  std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper,
+                  std::shared_ptr<DBSync> dbsyncHandler,
+                  std::shared_ptr<RemoteSync> rsyncHandler,
+                  int fileLimit,
+                  int registryLimit = 0,
+                  bool syncRegistryEnabled = true);
+
+        /**
+         * @brief Remove a given item from the database
+         *
+         * @param item json item that represent the fim_entry data
+         */
+        void removeItem(const nlohmann::json& item);
+
+        /**
+         * @brief Update a given item in the database, or insert a new one if not exists,
+         *        then uses the callbackData for that row
+         *
+         * @param item json item that represent the fim_entry data
+         * @param callbackData Pointer to the callback used after update rows
+         */
+        void updateItem(const nlohmann::json& item,
+                        ResultCallbackData callbackData);
+
+        /**
+         * @brief Execute a query given and uses the callbackData in these rows
+         *
+         * @param item json item that represent the query to execute
+         * @param callbackData Pointer to the callback used after execute query
+         */
+        void executeQuery(const nlohmann::json& item,
+                          ResultCallbackData callbackData);
+
+        /**
+         * @brief Its the function in charge of starting the flow of synchronization
+         */
+        void registerRSync();
+
+        /**
+         * @brief Push a syscheck synchronization message to the rsync queue
+         *
+         * @param data Message to push
+         */
+        void pushMessage(const std::string& data);
+
+        /**
+         * @brief Function in chage of run synchronization integrity
+         */
+        void runIntegrity();
+
+        /**
+         * @brief Its the function in charge of stopping the sync flow
+         */
+        inline void stopIntegrity()
+        {
+            std::unique_lock<std::mutex> lock(m_fimSyncMutex);
+            m_stopping = true;
+
+            if (m_runIntegrity)
+            {
+                m_cv.notify_all();
+                lock.unlock();
+
+                if (m_integrityThread.joinable())
+                {
+                    m_integrityThread.join();
+                }
+            }
+        };
+
+        /**
+         * @brief Its the function to log an error
+         */
+        inline void logFunction(const modules_log_level_t logLevel,
+                                const std::string& msg)
+        {
+            if (m_loggingFunction)
+            {
+                m_loggingFunction(logLevel, msg);
+            }
+        }
+
+        /**
+         * @brief Function to return the DBSync handler.
+         *
+         * @return std::shared_ptr<DBSync> this a shared_ptr for DBSync.
+         */
+        std::shared_ptr<DBSync> DBSyncHandler()
+        {
+            if (!m_dbsyncHandler)
+            {
+                throw std::runtime_error("DBSyncHandler is not initialized");
+            }
+
+            return m_dbsyncHandler;
+        }
+
+        /**
+         * @brief Function to return the RSync handler.
+         *
+         * @return std::shared_ptr<RemoteSync> this a shared_ptr for RSync.
+         */
+        std::shared_ptr<RemoteSync> RSyncHandler()
+        {
+            if (!m_rsyncHandler)
+            {
+                throw std::runtime_error("RSyncHandler is not initialized");
+            }
+
+            return m_rsyncHandler;
+        }
+
+        /**
+        * @brief Turns off the services provided.
+        */
+        void teardown();
+
+        /**
+        * @brief Set m_timeLastSyncMsg variable to actual timestamp.
+        */
+        void setTimeLastSyncMsg()
+        {
+            m_timeLastSyncMsg = getCurrentTime();
+        }
+
+        /**
+        * @brief Execute the sync algorithm to avoid overlaping differents syncs.
+        */
+        void syncAlgorithm();
+
+        /**
+        * @brief Get the current timestamp using std::time() function.
+        *
+        * @return time_t timestamp in seconds.
+        */
+        virtual time_t getCurrentTime() const;
+
+    private:
+
+        unsigned int                                                            m_syncInterval;
+        bool                                                                    m_stopping;
+        std::mutex                                                              m_fimSyncMutex;
+        std::condition_variable                                                 m_cv;
+        std::shared_ptr<DBSync>                                                 m_dbsyncHandler;
+        std::shared_ptr<RemoteSync>                                             m_rsyncHandler;
+        std::function<void(const std::string&)>                                 m_syncFileMessageFunction;
+        std::function<void(const std::string&)>                                 m_syncRegistryMessageFunction;
+        std::function<void(modules_log_level_t, const std::string&)>            m_loggingFunction;
+        bool                                                                    m_runIntegrity;
+        std::thread                                                             m_integrityThread;
+        std::shared_timed_mutex                                                 m_handlersMutex;
+        bool                                                                    m_syncRegistryEnabled;
+        uint32_t                                                                m_syncResponseTimeout;
+        uint32_t                                                                m_syncMaxInterval;
+        uint32_t                                                                m_currentSyncInterval;
+        bool                                                                    m_syncSuccessful;
+        std::time_t                                                             m_timeLastSyncMsg;
+
+        /**
+        * @brief Function that executes the synchronization of the databases with the manager
+        */
+        void sync();
+
+    protected:
+        FIMDB() = default;
+        // LCOV_EXCL_START
+        virtual ~FIMDB() = default;
+        // LCOV_EXCL_STOP
+        FIMDB(const FIMDB&) = delete;
+};
+#endif //_FIMDB_HPP
diff --git a/src/modules/fim/db/src/fimDBSpecialization.h b/src/modules/fim/db/src/fimDBSpecialization.h
new file mode 100644
index 0000000000..76acc176ba
--- /dev/null
+++ b/src/modules/fim/db/src/fimDBSpecialization.h
@@ -0,0 +1,399 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2021, Wazuh Inc.
+ * September 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FIMDB_OS_SPECIALIZATION_H
+#define _FIMDB_OS_SPECIALIZATION_H
+
+#include "fimDB.hpp"
+#include "fimCommonDefs.h"
+#include "encodingWindowsHelper.h"
+#include "fimDBSpecializationWindows.hpp"
+
+static auto fileSyncConfig
+{
+    RegisterConfiguration::builder().decoderType("JSON_RANGE")
+    .table("file_entry")
+    .component("fim_file")
+    .index("path")
+    .checksumField("checksum")
+    .lastEvent("last_event")
+    .noData(QueryParameter::builder().rowFilter("WHERE path BETWEEN '?' and '?' ORDER BY path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .countRange(QueryParameter::builder().rowFilter("WHERE path BETWEEN '?' and '?' ORDER BY path")
+            .countFieldName("count")
+            .columnList({"count(*) AS count"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rowData(QueryParameter::builder().rowFilter("WHERE path = '?'")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rangeChecksum(QueryParameter::builder().rowFilter("WHERE path BETWEEN '?' and '?' ORDER BY path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+};
+
+static auto registryKeySyncConfig
+{
+    RegisterConfiguration::builder().decoderType("JSON_RANGE")
+    .table("registry_key")
+    .component("fim_registry_key")
+    .index("hash_full_path")
+    .checksumField("checksum")
+    .lastEvent("last_event")
+    .noData(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .countRange(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .countFieldName("count")
+            .columnList({"count(*) AS count"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rowData(QueryParameter::builder().rowFilter("WHERE hash_full_path = '?'")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rangeChecksum(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+};
+
+static auto registryValueSyncConfig
+{
+    RegisterConfiguration::builder().decoderType("JSON_RANGE")
+    .table("registry_data")
+    .component("fim_registry_value")
+    .index("hash_full_path")
+    .checksumField("checksum")
+    .lastEvent("last_event")
+    .noData(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .countRange(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .countFieldName("count")
+            .columnList({"count(*) AS count"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rowData(QueryParameter::builder().rowFilter("WHERE hash_full_path = '?'")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+    .rangeChecksum(QueryParameter::builder().rowFilter("WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path")
+            .columnList({"*"})
+            .distinctOpt(false)
+            .orderByOpt(""))
+};
+
+/* Statement related to files items. Defines everything necessary to perform the synchronization loop */
+constexpr auto FIM_FILE_START_CONFIG_STATEMENT
+{
+    R"({"table":"file_entry",
+        "first_query":
+            {
+                "column_list":["path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"path DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"path ASC",
+                "count_opt":1
+            },
+        "component":"fim_file",
+        "index":"path",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE path BETWEEN '?' and '?' ORDER BY path",
+                "column_list":["path, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+/* Statement related to registries items. Defines everything necessary to perform the synchronization loop */
+constexpr auto FIM_REGISTRY_START_CONFIG_STATEMENT
+{
+    R"({"table":"registry_key",
+        "first_query":
+            {
+                "column_list":["hash_full_path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hash_full_path DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["hash_full_path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hash_full_path ASC",
+                "count_opt":1
+            },
+        "component":"fim_registry_key",
+        "index":"hash_full_path",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path",
+                "column_list":["hash_full_path, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+/* Statement related to registries items. Defines everything necessary to perform the synchronization loop */
+constexpr auto FIM_VALUE_START_CONFIG_STATEMENT
+{
+    R"({"table":"registry_data",
+        "first_query":
+            {
+                "column_list":["hash_full_path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hash_full_path DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["hash_full_path"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hash_full_path ASC",
+                "count_opt":1
+            },
+        "component":"fim_registry_value",
+        "index":"hash_full_path",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE hash_full_path BETWEEN '?' and '?' ORDER BY hash_full_path",
+                "column_list":["hash_full_path, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+template <OSType osType>
+class FIMDBCreator final
+{
+    public:
+        static void setLimits(__attribute__((unused)) std::shared_ptr<DBSync> DBSyncHandler,
+                              __attribute__((unused)) const unsigned int& fileLimit,
+                              __attribute__((unused)) const unsigned int& registryLimit)
+        {
+            throw std::runtime_error
+            {
+                "Error setting limits."
+            };
+        }
+
+        static std::string CreateStatement()
+        {
+            throw std::runtime_error
+            {
+                "Error creating FIMDB statement."
+            };
+        }
+
+        static void registerRsync(__attribute__((unused)) std::shared_ptr<RemoteSync> RSyncHandler,
+                                  __attribute__((unused)) const RSYNC_HANDLE& handle,
+                                  __attribute__((unused)) std::function<void(const std::string&)> syncFileMessageFunction,
+                                  __attribute__((unused)) std::function<void(const std::string&)> syncRegistryMessageFunction,
+                                  __attribute__((unused)) const bool syncRegistryEnabled)
+        {
+            throw std::runtime_error
+            {
+                "Error registering synchronization."
+            };
+        }
+
+        static void sync(__attribute__((unused)) std::shared_ptr<RemoteSync> RSyncHandler,
+                         __attribute__((unused)) const DBSYNC_HANDLE& handle,
+                         __attribute__((unused)) std::function<void(const std::string&)> syncFileMessageFunction,
+                         __attribute__((unused)) std::function<void(const std::string&)> syncRegistryMessageFunction)
+        {
+            throw std::runtime_error
+            {
+                "Error running synchronization."
+            };
+        }
+
+        static void encodeString(__attribute__((unused)) std::string& stringToEncode)
+        {
+            throw std::runtime_error
+            {
+                "Error encoding strings."
+            };
+        }
+};
+
+template <>
+class FIMDBCreator<OSType::WINDOWS> final
+{
+    public:
+        static void setLimits(std::shared_ptr<DBSync> DBSyncHandler,
+                              const int fileLimit,
+                              const int registryLimit)
+        {
+            DBSyncHandler->setTableMaxRow("file_entry", fileLimit);
+            DBSyncHandler->setTableMaxRow("registry_key", registryLimit);
+            DBSyncHandler->setTableMaxRow("registry_data", registryLimit);
+
+        }
+
+        static std::string CreateStatement()
+        {
+            std::string ret { CREATE_FILE_DB_STATEMENT };
+            ret += CREATE_REGISTRY_KEY_DB_STATEMENT;
+            ret += CREATE_REGISTRY_VALUE_DB_STATEMENT;
+
+            return ret;
+        }
+
+        static void registerRsync(std::shared_ptr<RemoteSync> RSyncHandler,
+                                  const RSYNC_HANDLE& handle,
+                                  std::function<void(const std::string&)> syncFileMessageFunction,
+                                  std::function<void(const std::string&)> syncRegistryMessageFunction,
+                                  const bool syncRegistryEnabled)
+        {
+            RSyncHandler->registerSyncID(FIM_COMPONENT_FILE,
+                                        handle,
+                                        fileSyncConfig.config(),
+                                        syncFileMessageFunction);
+
+            if (syncRegistryEnabled)
+            {
+                RSyncHandler->registerSyncID(FIM_COMPONENT_REGISTRY_KEY,
+                                            handle,
+                                            registryKeySyncConfig.config(),
+                                            syncRegistryMessageFunction);
+
+                RSyncHandler->registerSyncID(FIM_COMPONENT_REGISTRY_VALUE,
+                                            handle,
+                                            registryValueSyncConfig.config(),
+                                            syncRegistryMessageFunction);
+            }
+
+        }
+
+        static void sync(std::shared_ptr<RemoteSync> RSyncHandler,
+                         const DBSYNC_HANDLE& handle,
+                         std::function<void(const std::string&)> syncFileMessageFunction,
+                         __attribute__((unused)) std::function<void(const std::string&)> syncRegistryMessageFunction,
+                         const bool syncRegistryEnabled)
+        {
+            RSyncHandler->startSync(handle,
+                                    nlohmann::json::parse(FIM_FILE_START_CONFIG_STATEMENT),
+                                    syncFileMessageFunction);
+
+            if (syncRegistryEnabled)
+            {
+                RSyncHandler->startSync(handle,
+                                        nlohmann::json::parse(FIM_REGISTRY_START_CONFIG_STATEMENT),
+                                        syncRegistryMessageFunction);
+                RSyncHandler->startSync(handle,
+                                        nlohmann::json::parse(FIM_VALUE_START_CONFIG_STATEMENT),
+                                        syncRegistryMessageFunction);
+            }
+        }
+
+        static void encodeString(__attribute__((unused)) std::string& stringToEncode)
+        {
+            WindowsSpecialization::encodeString(stringToEncode);
+        }
+};
+
+template <>
+class FIMDBCreator<OSType::OTHERS> final
+{
+    public:
+        static void setLimits(std::shared_ptr<DBSync> DBSyncHandler,
+                              const int fileLimit,
+                              __attribute__((unused)) const int registryLimit)
+        {
+            DBSyncHandler->setTableMaxRow("file_entry", fileLimit);
+        }
+
+        static std::string CreateStatement()
+        {
+            return CREATE_FILE_DB_STATEMENT;
+        }
+
+        static void registerRsync(std::shared_ptr<RemoteSync> RSyncHandler,
+                                  const RSYNC_HANDLE& handle,
+                                  std::function<void(const std::string&)> syncFileMessageFunction,
+                                  __attribute__((unused)) std::function<void(const std::string&)> syncRegistryMessageFunction,
+                                  __attribute__((unused)) const bool syncRegistryEnabled)
+        {
+            RSyncHandler->registerSyncID(FIM_COMPONENT_FILE,
+                                        handle,
+                                        fileSyncConfig.config(),
+                                        syncFileMessageFunction);
+        }
+
+        static void sync(std::shared_ptr<RemoteSync> RSyncHandler,
+                         const DBSYNC_HANDLE& handle,
+                         std::function<void(const std::string&)> syncFileMessageFunction,
+                         __attribute__((unused)) std::function<void(const std::string&)> syncRegistryMessageFunction,
+                         __attribute__((unused)) const bool syncRegistryEnabled)
+        {
+            RSyncHandler->startSync(handle,
+                                    nlohmann::json::parse(FIM_FILE_START_CONFIG_STATEMENT),
+                                    syncFileMessageFunction);
+        }
+
+        static void encodeString(__attribute__((unused)) std::string& stringToEncode){}
+};
+
+template <OSType osType>
+class RegistryTypes final
+{
+    public:
+        // LCOV_EXCL_START
+        static const std::string typeText(__attribute__((unused))const int32_t type)
+        {
+            throw std::runtime_error { "Invalid call for this operating system"};
+        };
+        // LCOV_EXCL_STOP
+};
+template <>
+class RegistryTypes<OSType::WINDOWS> final
+{
+    public:
+        static const std::string typeText(const int32_t type)
+        {
+            return WindowsSpecialization::registryTypeToText(type);
+        };
+};
+
+#endif // _FIMDB_OS_SPECIALIZATION_H
diff --git a/src/modules/fim/db/src/fimDBSpecializationWindows.cpp b/src/modules/fim/db/src/fimDBSpecializationWindows.cpp
new file mode 100644
index 0000000000..14cc01693d
--- /dev/null
+++ b/src/modules/fim/db/src/fimDBSpecializationWindows.cpp
@@ -0,0 +1,44 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2022, Wazuh Inc.
+ * March 6, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "fimDBSpecializationWindows.hpp"
+#include <map>
+#include <windows.h>
+#include "encodingWindowsHelper.h"
+
+#define REG_UNKNOWN 0x0000000C
+
+const std::string WindowsSpecialization::registryTypeToText(const int type)
+{
+    static const std::map<int, std::string> VALUE_TYPE =
+    {
+        { REG_NONE, "REG_NONE" },
+        { REG_SZ, "REG_SZ" },
+        { REG_EXPAND_SZ, "REG_EXPAND_SZ" },
+        { REG_BINARY, "REG_BINARY" },
+        { REG_DWORD, "REG_DWORD" },
+        { REG_DWORD_BIG_ENDIAN, "REG_DWORD_BIG_ENDIAN" },
+        { REG_LINK, "REG_LINK" },
+        { REG_MULTI_SZ, "REG_MULTI_SZ" },
+        { REG_RESOURCE_LIST, "REG_RESOURCE_LIST" },
+        { REG_FULL_RESOURCE_DESCRIPTOR, "REG_FULL_RESOURCE_DESCRIPTOR" },
+        { REG_RESOURCE_REQUIREMENTS_LIST, "REG_RESOURCE_REQUIREMENTS_LIST" },
+        { REG_QWORD, "REG_QWORD" },
+        { REG_UNKNOWN, "REG_UNKNOWN" }
+    };
+    return VALUE_TYPE.at(type);
+}
+
+void WindowsSpecialization::encodeString(std::string& str)
+{
+
+    str = Utils::EncodingWindowsHelper::stringAnsiToStringUTF8(str);
+}
diff --git a/src/modules/fim/db/src/fimDBSpecializationWindows.hpp b/src/modules/fim/db/src/fimDBSpecializationWindows.hpp
new file mode 100644
index 0000000000..b7f7b30ecb
--- /dev/null
+++ b/src/modules/fim/db/src/fimDBSpecializationWindows.hpp
@@ -0,0 +1,25 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2022, Wazuh Inc.
+ * March 6, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FIMDB_OS_WINDOWS_SPECIALIZATION_H
+#define _FIMDB_OS_WINDOWS_SPECIALIZATION_H
+
+#include <string>
+
+class WindowsSpecialization final
+{
+    public:
+        static const std::string registryTypeToText(const int type);
+        static void encodeString(std::string& str);
+};
+
+#endif // _FIMDB_OS_WINDOWS_SPECIALIZATION_H
+
diff --git a/src/modules/fim/db/src/registry.cpp b/src/modules/fim/db/src/registry.cpp
new file mode 100644
index 0000000000..e175490d88
--- /dev/null
+++ b/src/modules/fim/db/src/registry.cpp
@@ -0,0 +1,70 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * September 9, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <string.h>
+
+#ifdef WAZUH_UNIT_TESTING
+#include "fimDBHelpersUTInterface.hpp"
+#else
+#include "fimDB.hpp"
+#endif
+
+#include "dbRegistryValue.hpp"
+#include "dbRegistryKey.hpp"
+#include "fimCommonDefs.h"
+#include "db.h"
+#include "db.hpp"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int fim_db_get_count_registry_key()
+{
+    auto count { 0 };
+
+    try
+    {
+        count = DB::instance().countEntries(FIMDB_REGISTRY_KEY_TABLENAME, COUNT_SELECT_TYPE::COUNT_ALL);
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+
+    return count;
+}
+
+int fim_db_get_count_registry_data()
+{
+    auto count { 0 };
+
+    try
+    {
+        count = DB::instance().countEntries(FIMDB_REGISTRY_VALUE_TABLENAME, COUNT_SELECT_TYPE::COUNT_ALL);
+    }
+    // LCOV_EXCL_START
+    catch (const std::exception& err)
+    {
+        FIMDB::instance().logFunction(LOG_ERROR, err.what());
+    }
+
+    // LCOV_EXCL_STOP
+
+    return count;
+}
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/modules/fim/db/tests/CMakeLists.txt b/src/modules/fim/db/tests/CMakeLists.txt
new file mode 100644
index 0000000000..16ae2b8e6e
--- /dev/null
+++ b/src/modules/fim/db/tests/CMakeLists.txt
@@ -0,0 +1,22 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fimdb_unit_tests)
+
+include_directories(${CMAKE_SOURCE_DIR})
+include_directories(${SRC_FOLDER}/external/googletest/googletest/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googlemock/include/)
+include_directories(${SRC_FOLDER}/syscheckd/db/src)
+link_directories(${SRC_FOLDER}/external/googletest/lib/)
+link_directories(${SRC_FOLDER}/external/sqlite/)
+link_directories(${SRC_FOLDER}/external/cJSON/)
+link_directories(${SRC_FOLDER}/external/openssl/)
+
+add_subdirectory(db/dbItem/FileItem)
+add_subdirectory(db/dbItem/RegistryKey)
+add_subdirectory(db/dbItem/RegistryValue)
+add_subdirectory(db/FIMDB/fimDBTests)
+add_subdirectory(db/ComponentTest/fileInterface)
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_subdirectory(db/ComponentTest/registryInterface)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+add_subdirectory(db/ComponentTest/dbInterface)
diff --git a/src/modules/fim/db/tests/db/ComponentTest/dbInterface/CMakeLists.txt b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/CMakeLists.txt
new file mode 100644
index 0000000000..04fdbe89f1
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fim_db_interface_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB DB_INTERFACE_TEST_SRC
+    "*.cpp")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/tests/db/FIMDB)
+
+
+file(GLOB FILE_SRC
+    "${SRC_FOLDER}/syscheckd/src/db/src/file.cpp"
+    "${SRC_FOLDER}/syscheckd/src/db/src/db.cpp"
+    "${SRC_FOLDER}/syscheckd/src/db/src/dbFileItem.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+file(GLOB REGISTRY_SRC
+    "${SRC_FOLDER}/syscheckd/src/db/src/dbRegistry*.cpp")
+
+file(GLOB FIMDB_SRC
+     "${SRC_FOLDER}/syscheckd/src/db/src/fimDB.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_DB_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(fim_db_interface_test
+    ${DB_INTERFACE_TEST_SRC}
+    ${REGISTRY_SRC}
+    ${FILE_SRC}
+    ${FIMDB_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC}
+    ${WINDOWS_DB_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fim_db_interface_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        ssl
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(fim_db_interface_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        crypto
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME fim_db_interface_test
+         COMMAND fim_db_interface_test)
diff --git a/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.cpp b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.cpp
new file mode 100644
index 0000000000..aac83dce0a
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.cpp
@@ -0,0 +1,275 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015-2022, Wazuh Inc.
+ * January 11, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbTest.h"
+#include "db.h"
+
+
+const auto insertFileStatement = R"({
+        "attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2456, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":18277083, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+        "uid":"0", "user_name":"fakeUser"
+    }
+)"_json;
+const auto insertRegistryKeyStatement = R"({
+        "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "gid":"0", "group_name":"root", "arch":1,
+        "last_event":1596489275, "mode":0, "mtime":1578075431, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE", "perm":"-rw-rw-r--",
+        "scanned":1, "uid":"0", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880", "user_name":"fakeUser"
+    }
+)"_json;
+
+const auto insertRegistryValueStatement = R"({
+        "name":"testRegistry", "scanned":1, "last_event":1596489275, "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a",
+        "mode":0, "size":4925, "type":0, "hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+        "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+        "arch":0, "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880", "path":"/tmp/pathTestRegistry"
+    }
+)"_json;
+
+const auto minSyncInterval { 10 };
+const auto maxInterval { 600 };
+
+void transaction_callback(ReturnTypeCallback resultType, const cJSON* result_json, void* user_data)
+{
+    fim_txn_context_s *event_data = (fim_txn_context_s *) user_data;
+    auto expectedValue = R"([{
+        "arch": "[x64]",
+        "checksum": "a2fbef8f81af27155dcee5e3927ff6243593b91a",
+        "gid":  "0",
+        "group_name":   "root",
+        "last_event":   1596489275,
+        "mtime":    1578075431,
+        "path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
+        "perm": "-rw-rw-r--",
+        "scanned":  1,
+        "uid":  "0",
+        "user_name":    "fakeUser"
+    }])"_json;
+const cJSON* dbsync_event = NULL;
+cJSON* json_path = NULL;
+ASSERT_EQ(INSERTED, resultType);
+ASSERT_EQ(FIM_ADD, event_data->evt_data->type);
+
+if (cJSON_IsArray(result_json))
+{
+    if (dbsync_event = cJSON_GetArrayItem(result_json, 0), dbsync_event != NULL)
+    {
+        dbsync_event = result_json;
+
+        if (json_path = cJSON_GetObjectItem(dbsync_event, "path"), json_path != NULL)
+        {
+            ASSERT_EQ(cJSON_GetStringValue(json_path), expectedValue.at("path"));
+        }
+    }
+}
+}
+
+TEST_F(DBTestFixture, TestFimDBInit)
+{
+    EXPECT_NO_THROW(
+    {
+        const auto fileFIMTest { std::make_unique<FileItem>(insertFileStatement) };
+        ASSERT_EQ(fim_db_file_update(fileFIMTest->toFimEntry(), callback_data_added), FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimSyncPushMsg)
+{
+    const auto test{R"(fim_file no_data {"begin":"a2fbef8f81af27155dcee5e3927ff6243593b91a","end":"a2fbef8f81af27155dcee5e3927ff6243593b91b","id":1})"};
+    const auto fileFIMTest { std::make_unique<FileItem>(insertFileStatement) };
+    ASSERT_EQ(fim_db_file_update(fileFIMTest->toFimEntry(), callback_data_added), FIMDB_OK);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_INFO, "FIM sync module started.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Executing FIM sync.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Finished FIM sync.")).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_file", testing::_)).Times(1);
+#ifdef WIN32
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_key", testing::_)).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_value", testing::_)).Times(1);
+#endif
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_run_integrity();
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_sync_push_msg(test);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimRunIntegrity)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_INFO, "FIM sync module started.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Executing FIM sync.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Finished FIM sync.")).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_file", testing::_)).Times(1);
+#ifdef WIN32
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_key", testing::_)).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_value", testing::_)).Times(1);
+#endif
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_run_integrity();
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimRunIntegrityInitTwice)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "FIM integrity thread already running.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_INFO, "FIM sync module started.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Executing FIM sync.")).Times(1);
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Finished FIM sync.")).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_file", testing::_)).Times(1);
+#ifdef WIN32
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_key", testing::_)).Times(1);
+    EXPECT_CALL(*mockSync, syncMsg("fim_registry_value", testing::_)).Times(1);
+#endif
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_run_integrity();
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_run_integrity();
+        ASSERT_EQ(result, FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestTransactionsFile)
+{
+    EXPECT_NO_THROW(
+    {
+        auto handler = fim_db_transaction_start(FIMDB_FILE_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+        const auto fileFIMTest { std::make_unique<FileItem>(insertFileStatement) };
+        auto result = fim_db_transaction_sync_row(handler, fileFIMTest->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+#ifdef WIN32
+TEST_F(DBTestFixture, TestTransactionsRegistryKey)
+{
+    EXPECT_NO_THROW(
+    {
+        auto handler = fim_db_transaction_start(FIMDB_REGISTRY_KEY_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+        const auto registryKeyFIMTest { std::make_unique<RegistryKey>(insertRegistryKeyStatement) };
+        auto result = fim_db_transaction_sync_row(handler, registryKeyFIMTest->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestTransactionsRegistryValue)
+{
+    EXPECT_NO_THROW(
+    {
+        auto handler = fim_db_transaction_start(FIMDB_REGISTRY_VALUE_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+        const auto registryValueFIMTest { std::make_unique<RegistryValue>(insertRegistryValueStatement) };
+        auto result = fim_db_transaction_sync_row(handler, registryValueFIMTest->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+#endif
+
+TEST_F(DBTestFixture, TestInitTransactionWithInvalidParameters)
+{
+    auto handler = fim_db_transaction_start(nullptr, nullptr, nullptr);
+    ASSERT_FALSE(handler);
+}
+
+TEST_F(DBTestFixture, TestSyncRowTransactionWithInvalidHandler)
+{
+    const auto fileFIMTest { std::make_unique<FileItem>(insertFileStatement) };
+    auto result = fim_db_transaction_sync_row(nullptr, fileFIMTest->toFimEntry());
+    ASSERT_EQ(result, FIMDB_ERR);
+}
+
+TEST_F(DBTestFixture, TestSyncRowTransactionWithInvalidFimEntry)
+{
+    auto handler = fim_db_transaction_start(FIMDB_FILE_TXN_TABLE, transaction_callback, &txn_ctx);
+    ASSERT_TRUE(handler);
+    auto result = fim_db_transaction_sync_row(handler, nullptr);
+    ASSERT_EQ(result, FIMDB_ERR);
+    result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+    ASSERT_EQ(result, FIMDB_OK);
+}
+
+TEST_F(DBTestFixture, TestSyncDeletedRowsTransactionWithInvalidParameters)
+{
+    auto result = fim_db_transaction_deleted_rows(nullptr, nullptr, nullptr);
+    ASSERT_EQ(result, FIMDB_ERR);
+}
+
+TEST(DBTest, TestInvalidFimLimit)
+{
+    mockLog = new MockLoggingCall();
+    mockSync = new MockSyncMsg();
+
+    EXPECT_CALL(*mockLog,
+                loggingFunction(LOG_ERROR_EXIT,
+                                "Error, id: dbEngine: Invalid row limit, values below 0 not allowed.")).Times(1);
+    auto result
+    {
+        fim_db_init(FIM_DB_MEMORY,
+                    300,
+                    maxInterval,
+                    minSyncInterval,
+                    mockSyncMessage,
+                    mockLoggingFunction,
+                    -1,
+                    -1,
+                    true,
+                    0,
+                    0,
+                    nullptr,
+                    nullptr)
+    };
+    ASSERT_EQ(result, FIMDB_ERR);
+
+    delete mockLog;
+    delete mockSync;
+}
+
+TEST(DBTest, TestValidFimLimit)
+{
+    mockLog = new MockLoggingCall();
+    mockSync = new MockSyncMsg();
+
+    auto result
+    {
+        fim_db_init(FIM_DB_MEMORY,
+                    300,
+                    maxInterval,
+                    minSyncInterval,
+                    mockSyncMessage,
+                    mockLoggingFunction,
+                    100,
+                    100000,
+                    true,
+                    0,
+                    0,
+                    nullptr,
+                    nullptr)
+    };
+    ASSERT_EQ(result, FIMDB_OK);
+
+    delete mockLog;
+    delete mockSync;
+}
diff --git a/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.h b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.h
new file mode 100644
index 0000000000..803631ab9b
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/dbTest.h
@@ -0,0 +1,140 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015-2022, Wazuh Inc.
+ * January 11, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _DB_TEST_H
+#define _DB_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+#include "dbFileItem.hpp"
+#include "dbRegistryKey.hpp"
+#include "dbRegistryValue.hpp"
+#include "db.h"
+#include "fimDBTests/fimDBImpTests.hpp"
+
+
+typedef struct txn_context_test_s {
+    event_data_t *evt_data;
+} txn_context_test;
+MockLoggingCall* mockLog;
+MockSyncMsg* mockSync;
+callback_context_t callback_data_added;
+callback_context_t callback_data_modified;
+callback_context_t callback_null;
+event_data_t evt_data1;
+event_data_t evt_data2;
+directory_t configuration1;
+directory_t configuration2;
+create_json_event_ctx ctx1;
+create_json_event_ctx ctx2;
+
+void mockLoggingFunction(const modules_log_level_t logLevel, const char* tag)
+{
+    mockLog->loggingFunction(logLevel, tag);
+}
+
+void mockSyncMessage(const char* log, const char* tag)
+{
+    mockSync->syncMsg(log, tag);
+}
+
+static void callbackFileUpdateAdded(void* return_data, void* user_data)
+{
+    cJSON* json_event = (cJSON*)return_data;
+    ASSERT_TRUE(user_data);
+    ASSERT_TRUE(json_event);
+
+    cJSON* data = cJSON_GetObjectItem(json_event, "data");
+    char* type = cJSON_GetStringValue(cJSON_GetObjectItem(data, "type"));
+    ASSERT_FALSE(strcmp("added", type));
+}
+
+static void callbackFileUpdateModified(void* return_data, void* user_data)
+{
+    cJSON* json_event = (cJSON*)return_data;
+    ASSERT_TRUE(user_data);
+    ASSERT_TRUE(json_event);
+
+    cJSON* data = cJSON_GetObjectItem(json_event, "data");
+    char* type = cJSON_GetStringValue(cJSON_GetObjectItem(data, "type"));
+    ASSERT_FALSE(strcmp("modified", type));
+}
+
+class DBTestFixture : public testing::Test {
+    protected:
+        DBTestFixture() = default;
+        virtual ~DBTestFixture() = default;
+
+        txn_context_test txn_ctx;
+        event_data_t evt_data;
+
+        void SetUp() override
+        {
+            mockLog = new MockLoggingCall();
+            mockSync = new MockSyncMsg();
+
+            fim_db_init(FIM_DB_MEMORY,
+                        300,
+                        600,
+                        10,
+                        mockSyncMessage,
+                        mockLoggingFunction,
+                        MAX_FILE_LIMIT,
+                        100000,
+                        true,
+                        1,
+                        0,
+                        nullptr,
+                        nullptr);
+
+            evt_data = {};
+            evt_data.report_event = true;
+            evt_data.mode = FIM_SCHEDULED;
+            evt_data.w_evt = NULL;
+            txn_ctx = { .evt_data = &evt_data };
+
+            evt_data1 = {};
+            evt_data1.report_event = true;
+            evt_data1.mode = FIM_REALTIME;
+            evt_data1.w_evt = NULL;
+            configuration1 = {};
+            configuration1.options = -1;
+
+            evt_data2 = {};
+            evt_data2.report_event = true;
+            evt_data2.mode = FIM_REALTIME;
+            evt_data2.w_evt = NULL;
+            configuration2 = {};
+            configuration2.options = -1;
+
+            ctx1 = {};
+            ctx1.event = &evt_data1;
+            ctx1.config = &configuration1;
+
+            ctx2 = {};
+            ctx2.event = &evt_data2;
+            ctx2.config = &configuration2;
+
+            callback_data_added.callback = callbackFileUpdateAdded;
+            callback_data_added.context = &ctx1;
+            callback_data_modified.callback = callbackFileUpdateModified;
+            callback_data_modified.context = &ctx2;
+            callback_null.callback = NULL;
+            callback_null.context = NULL;
+        }
+        void TearDown() override
+        {
+            fim_db_teardown();
+            delete mockLog;
+            delete mockSync;
+        }
+};
+
+#endif //_DB_TEST_H
diff --git a/src/modules/fim/db/tests/db/ComponentTest/dbInterface/main.cpp b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/dbInterface/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/ComponentTest/fileInterface/CMakeLists.txt b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/CMakeLists.txt
new file mode 100644
index 0000000000..952e869fc7
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/CMakeLists.txt
@@ -0,0 +1,85 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fim_file_interface_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB FILE_UNIT_TEST_SRC
+    "*.cpp")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/tests/db/FIMDB)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/tests/db/ComponentTest/dbInterface)
+
+file(GLOB FILE_SRC
+    "${SRC_FOLDER}/syscheckd/src/db/src/file.cpp"
+    "${SRC_FOLDER}/syscheckd/src/db/src/db.cpp"
+    "${SRC_FOLDER}/syscheckd/src/db/src/dbFileItem.cpp")
+
+file(GLOB FIMDB_SRC
+    "${SRC_FOLDER}/syscheckd/src/db/src/fimDB.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+file(GLOB REGISTRY_SRC
+    "${SRC_FOLDER}/syscheckd/src/db/src/dbRegistry*.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_FILE_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(fim_file_interface_test
+    ${FILE_UNIT_TEST_SRC}
+    ${FILE_SRC}
+    ${REGISTRY_SRC}
+    ${FIMDB_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC}
+    ${WINDOWS_FILE_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fim_file_interface_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        ssl
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(fim_file_interface_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        crypto
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME fim_file_interface_test
+         COMMAND fim_file_interface_test)
diff --git a/src/modules/fim/db/tests/db/ComponentTest/fileInterface/fileTest.cpp b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/fileTest.cpp
new file mode 100644
index 0000000000..5317f20603
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/fileTest.cpp
@@ -0,0 +1,424 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 31, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbTest.h"
+#include "dbFileItem.hpp"
+#include "db.h"
+#include "db.hpp"
+#include "fimDBTests/fimDBImpTests.hpp"
+
+const auto insertStatement1 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2456, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":18277083, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+        "uid":"0", "user_name":"fakeUser"}]
+    }
+)"_json;
+const auto insertStatement2 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2221, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":18277083, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/tmp/test.txt", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+        "uid":"0", "user_name":"fakeUser"}]
+    }
+)"_json;
+const auto insertStatement3 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":8432, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":99997083, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/tmp/test2.txt", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+        "uid":"0", "user_name":"fakeUser"}]
+    }
+)"_json;
+const auto insertStatement4 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":8432, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/tmp/test3.txt", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+        "uid":"0", "user_name":"fakeUser"}]
+    }
+)"_json;
+const auto updateStatement1 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"11", "checksum":"e89f3b4c21c2005896c964462da4766057dd94e9", "dev":2151, "gid":"1000", "group_name":"test",
+        "hash_md5":"d6719d8eaa46012a9de38103d5f284e4", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58a",
+        "hash_sha256":"0211f049f5b1121fbd034adf7b81ea521d615b5bd8df0e77c8ec8a363459ead1", "inode":18457083, "last_event":1596489275,
+        "mode":0, "mtime":1578075435, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-rw-", "scanned":1, "size":4925,
+        "uid":"1000", "user_name":"testuser"}]
+    }
+)"_json;
+const auto updateStatement2 = R"({
+        "table": "file_entry",
+        "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2151, "gid":"0", "group_name":"root",
+        "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":18277083, "last_event":1596489275,
+        "mode":0, "mtime":1578075431, "options":131583, "path":"/tmp/test.txt", "perm":"-rw-rw-r--", "scanned":1, "size":4800,
+        "uid":"0", "user_name":"fakeUser"}]
+    }
+)"_json;
+
+static void callbackTestSearch(void* return_data, void* user_data)
+{
+    char *path = (char *)return_data;
+    ASSERT_TRUE(user_data == NULL);
+    ASSERT_TRUE(path);
+}
+
+static void callbackTestSearchPath(void* return_data, void* user_data)
+{
+    char *returnPath = (char *) return_data;
+    char *path = (char *) user_data;
+    ASSERT_EQ(std::strcmp(returnPath, path), 0);
+}
+
+static void callBackTestFIMEntry(void* return_data, void* user_data)
+{
+    fim_entry *entry = (fim_entry *) user_data;
+    fim_entry *returnEntry = (fim_entry *) return_data;
+
+    ASSERT_EQ(std::strcmp(entry->file_entry.path, returnEntry->file_entry.path), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->attributes, returnEntry->file_entry.data->attributes), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->checksum, returnEntry->file_entry.data->checksum), 0);
+    ASSERT_EQ(entry->file_entry.data->dev, returnEntry->file_entry.data->dev);
+    ASSERT_EQ(entry->file_entry.data->inode, returnEntry->file_entry.data->inode);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->hash_md5, returnEntry->file_entry.data->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->hash_sha1, returnEntry->file_entry.data->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->hash_sha256, returnEntry->file_entry.data->hash_sha256), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->gid, returnEntry->file_entry.data->gid), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->group_name, returnEntry->file_entry.data->group_name), 0);
+    ASSERT_EQ(entry->file_entry.data->last_event, returnEntry->file_entry.data->last_event);
+    ASSERT_EQ(entry->file_entry.data->mode, returnEntry->file_entry.data->mode);
+    ASSERT_EQ(entry->file_entry.data->mtime, returnEntry->file_entry.data->mtime);
+    ASSERT_EQ(entry->file_entry.data->options, returnEntry->file_entry.data->options);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->perm, returnEntry->file_entry.data->perm), 0);
+    ASSERT_EQ(entry->file_entry.data->scanned, returnEntry->file_entry.data->scanned);
+    ASSERT_EQ(entry->file_entry.data->size, returnEntry->file_entry.data->size);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->uid, returnEntry->file_entry.data->uid), 0);
+    ASSERT_EQ(std::strcmp(entry->file_entry.data->user_name, returnEntry->file_entry.data->user_name), 0);
+}
+
+TEST_F(DBTestFixture, TestFimDBFileUpdate)
+{
+
+    EXPECT_NO_THROW(
+    {
+        const auto fileFIMTest { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+        const auto fileFIMTestUpdated { std::make_unique<FileItem>(updateStatement1["data"].front()) };
+        const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+        const auto fileFIMTestUpdated2 { std::make_unique<FileItem>(updateStatement2["data"].front()) };
+
+        auto result = fim_db_file_update(fileFIMTest->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTestUpdated->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTestUpdated2->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+TEST_F(DBTestFixture, TestFimDBRemovePath)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/etc/wgetrc");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test2.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetPath)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        const auto fileFIMTest { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+        callback_context_t callback_data;
+        callback_data.callback = callBackTestFIMEntry;
+        callback_data.context = fileFIMTest->toFimEntry();
+        result = fim_db_get_path("/etc/wgetrc", callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetCountFileEntry)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 0);
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 3);
+        result = fim_db_remove_path("/etc/wgetrc");
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 2);
+        result =fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 3);
+        result =fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 3);
+        result = fim_db_remove_path("/etc/wgetrc");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test2.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_entry();
+        ASSERT_EQ(count, 0);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetCountFileInode)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 0);
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 3);
+        result = fim_db_remove_path("/etc/wgetrc");
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 2);
+        result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 3);
+        result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 3);
+        result = fim_db_remove_path("/etc/wgetrc");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_remove_path("/tmp/test2.txt");
+        ASSERT_EQ(result, FIMDB_OK);
+        count = fim_db_get_count_file_inode();
+        ASSERT_EQ(count, 0);
+    });
+}
+
+
+TEST_F(DBTestFixture, TestFimDBFileInodeSearch)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        char *test;
+        test = strdup("/etc/wgetrc");
+        callback_context_t callback_data;
+        callback_data.callback = callbackTestSearchPath;
+        callback_data.context = test;
+        result = fim_db_file_inode_search(18277083, 2456, callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+        os_free(test);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+        callback_data.callback = callbackTestSearch;
+        callback_data.context = NULL;
+        result = fim_db_file_inode_search(18457083, 2151, callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBFilePatternSearch)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement2["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        callback_context_t callback_data;
+        callback_data.callback = callbackTestSearch;
+        callback_data.context = nullptr;
+        result = fim_db_file_pattern_search("/tmp/%", callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+        char *test;
+        test = strdup("/etc/wgetrc");
+        callback_data.callback = callbackTestSearchPath;
+        callback_data.context = test;
+        result = fim_db_file_pattern_search("/etc/%", callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+        os_free(test);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBFilePatternSearchNullParameters)
+{
+    callback_context_t callback_data{};
+    callback_data.callback = callbackTestSearch;
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "Invalid parameters")).Times(testing::AtLeast(2));
+    EXPECT_NO_THROW(
+    {
+               ASSERT_EQ(fim_db_file_pattern_search(nullptr, callback_data), FIMDB_ERR);
+               callback_data.callback = nullptr;
+               ASSERT_EQ(fim_db_file_pattern_search("", callback_data), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBFileINodeSearchNullParameter)
+{
+    callback_context_t callback_data{};
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "Invalid parameters")).Times(testing::AtLeast(1));
+    EXPECT_NO_THROW(
+    {
+               ASSERT_EQ(fim_db_file_inode_search(0, 0, callback_data), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetPathNullParameters)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "Invalid parameters")).Times(testing::AtLeast(1));
+    EXPECT_NO_THROW(
+    {
+        callback_context_t callback_data {};
+        ASSERT_EQ(fim_db_get_path("/etc/wgetrc", callback_data), FIMDB_ERR);
+        callback_data.callback = callBackTestFIMEntry;
+        ASSERT_EQ(fim_db_get_path(nullptr, callback_data), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBRemovePathNullParameter)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "Invalid parameters")).Times(testing::AtLeast(1));
+    EXPECT_NO_THROW(
+    {
+        ASSERT_EQ(fim_db_remove_path(nullptr), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBFileUpdateNullParameters)
+{
+    const auto fileFIMTest { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, "Invalid parameters")).Times(testing::AtLeast(2));
+
+    EXPECT_NO_THROW(
+    {
+        ASSERT_EQ(fim_db_file_update(nullptr, callback_data_added), FIMDB_ERR);
+        ASSERT_EQ(fim_db_file_update(fileFIMTest->toFimEntry(), callback_null), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetPathNoFile)
+{
+    callback_context_t callback_data {callBackTestFIMEntry, nullptr};
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG_VERBOSE, "No entry found for /etc/wgetrc")).Times(testing::AtLeast(1));
+    EXPECT_NO_THROW(
+    {
+        ASSERT_EQ(fim_db_get_path("/etc/wgetrc", callback_data), FIMDB_ERR);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBInvalidSearchPath)
+{
+    EXPECT_THROW(
+    {
+        DB::instance().searchFile(std::make_tuple(static_cast<FILE_SEARCH_TYPE>(-1), "","",""), nullptr);
+    }, std::runtime_error);
+}
+
+TEST_F(DBTestFixture, TestFimDBFileInodeSearchWithBigInode)
+{
+    const auto fileFIMTest1 { std::make_unique<FileItem>(insertStatement1["data"].front()) };
+    const auto fileFIMTest2 { std::make_unique<FileItem>(insertStatement4["data"].front()) };
+    const auto fileFIMTest3 { std::make_unique<FileItem>(insertStatement3["data"].front()) };
+
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_file_update(fileFIMTest1->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        result = fim_db_file_update(fileFIMTest3->toFimEntry(), callback_data_added);
+        ASSERT_EQ(result, FIMDB_OK);
+        char *test;
+        test = strdup("/etc/wgetrc");
+        callback_context_t callback_data;
+        callback_data.callback = callbackTestSearchPath;
+        callback_data.context = test;
+        result = fim_db_file_inode_search(18277083, 2456, callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+        os_free(test);
+        result = fim_db_file_update(fileFIMTest2->toFimEntry(), callback_data_modified);
+        ASSERT_EQ(result, FIMDB_OK);
+        callback_data.callback = callbackTestSearch;
+        callback_data.context = NULL;
+        result = fim_db_file_inode_search(1152921500312810880, 8432, callback_data);
+        ASSERT_EQ(result, FIMDB_OK);
+    });
+}
diff --git a/src/modules/fim/db/tests/db/ComponentTest/fileInterface/main.cpp b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/fileInterface/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/ComponentTest/registryInterface/CMakeLists.txt b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/CMakeLists.txt
new file mode 100644
index 0000000000..fea209f2e8
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/CMakeLists.txt
@@ -0,0 +1,66 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fim_registry_interface_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB REGISTRY_UNIT_TEST_SRC
+         "*.cpp")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/tests/db/FIMDB)
+include_directories(${SRC_FOLDER}/syscheckd/src/db/tests/db/ComponentTest/dbInterface)
+
+file(GLOB REGISTRY_SRC
+         "${SRC_FOLDER}/syscheckd/src/db/src/registry.cpp"
+         "${SRC_FOLDER}/syscheckd/src/db/src/db.cpp"
+         "${SRC_FOLDER}/syscheckd/src/db/src/dbFileItem.cpp"
+         "${SRC_FOLDER}/syscheckd/src/db/src/dbRegistry*.cpp")
+
+file(GLOB FIMDB_SRC
+         "${SRC_FOLDER}/syscheckd/src/db/src/fimDB.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+         "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+         "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+         "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_REGISTRY_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(fim_registry_interface_test
+    ${REGISTRY_UNIT_TEST_SRC}
+    ${REGISTRY_SRC}
+    ${FIMDB_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC}
+    ${WINDOWS_REGISTRY_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fim_registry_interface_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        ssl
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME fim_registry_interface_test
+         COMMAND fim_registry_interface_test)
diff --git a/src/modules/fim/db/tests/db/ComponentTest/registryInterface/main.cpp b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/ComponentTest/registryInterface/registryTest.cpp b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/registryTest.cpp
new file mode 100644
index 0000000000..db1d967393
--- /dev/null
+++ b/src/modules/fim/db/tests/db/ComponentTest/registryInterface/registryTest.cpp
@@ -0,0 +1,155 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * December 31, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "dbTest.h"
+#include "db.h"
+#include "db.hpp"
+
+
+const auto insertRegistryKeyStatement1 = R"({
+        "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "gid":"0", "group_name":"root", "arch":1,
+        "last_event":1596489275, "mode":0, "mtime":1578075431, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\regtest1", "perm":"-rw-rw-r--",
+        "scanned":1, "uid":"0", "user_name":"fakeUser", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+    }
+)"_json;
+
+const auto insertRegistryValueStatement1 = R"({
+        "name":"testRegistry1", "scanned":1, "last_event":1596489275, "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a",
+        "mode":0, "size":4925, "type":0, "hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+        "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+        "arch":0, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\regtest1", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+    }
+)"_json;
+
+const auto insertRegistryKeyStatement2 = R"({
+        "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "gid":"0", "group_name":"root", "arch":1,
+        "last_event":1596489275, "mode":0, "mtime":1578075431, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\regtest2", "perm":"-rw-rw-r--",
+        "scanned":1, "uid":"0", "user_name":"fakeUser", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+    }
+)"_json;
+
+const auto insertRegistryValueStatement2 = R"({
+        "name":"testRegistry2", "scanned":1, "last_event":1596489275, "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a",
+        "mode":0, "size":4925, "type":0, "hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+        "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+        "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a",
+        "arch":0, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\regtest2", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+    }
+)"_json;
+
+void transaction_callback( __attribute__((unused)) ReturnTypeCallback resultType,
+                           __attribute__((unused)) const cJSON* result_json,
+                           __attribute__((unused)) void* user_data){}
+
+TEST_F(DBTestFixture, TestFimDBGetCountRegistryEntry)
+{
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 0);
+
+        // FIRST "SCAN"
+        // Transaction start
+        auto handler = fim_db_transaction_start(FIMDB_REGISTRY_KEY_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+
+        // First update
+        const auto registryKeyFIMTest1 { std::make_unique<RegistryKey>(insertRegistryKeyStatement1) };
+        result = fim_db_transaction_sync_row(handler, registryKeyFIMTest1->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 1);
+
+        // Second update
+        const auto registryKeyFIMTest2 { std::make_unique<RegistryKey>(insertRegistryKeyStatement2) };
+        result = fim_db_transaction_sync_row(handler, registryKeyFIMTest2->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 2);
+
+        // End of transaction
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 2);
+
+        // SECOND "SCAN"
+        // Transaction start
+        handler = fim_db_transaction_start(FIMDB_REGISTRY_KEY_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+
+        result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 2);
+
+        // End of transaction
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_key();
+        ASSERT_EQ(result, 0);
+    });
+}
+
+TEST_F(DBTestFixture, TestFimDBGetCountRegistryValueEntry)
+{
+    EXPECT_NO_THROW(
+    {
+        auto result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 0);
+
+        // FIRST "SCAN"
+        // Transaction start
+        auto handler = fim_db_transaction_start(FIMDB_REGISTRY_VALUE_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+
+        // First update
+        const auto registryValueFIMTest1 { std::make_unique<RegistryValue>(insertRegistryValueStatement1) };
+        result = fim_db_transaction_sync_row(handler, registryValueFIMTest1->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 1);
+
+        // Second update
+        const auto registryValueFIMTest2 { std::make_unique<RegistryValue>(insertRegistryValueStatement2) };
+        result = fim_db_transaction_sync_row(handler, registryValueFIMTest2->toFimEntry());
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 2);
+
+        // End of transaction
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 2);
+
+        // SECOND "SCAN"
+        // Transaction start
+        handler = fim_db_transaction_start(FIMDB_REGISTRY_VALUE_TXN_TABLE, transaction_callback, &txn_ctx);
+        ASSERT_TRUE(handler);
+
+        result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 2);
+
+        // End of transaction
+        result = fim_db_transaction_deleted_rows(handler, transaction_callback, &txn_ctx);
+        ASSERT_EQ(result, FIMDB_OK);
+
+        result = fim_db_get_count_registry_data();
+        ASSERT_EQ(result, 0);
+    });
+}
diff --git a/src/modules/fim/db/tests/db/FIMDB/fimDBTests/CMakeLists.txt b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/CMakeLists.txt
new file mode 100644
index 0000000000..a8d4f14030
--- /dev/null
+++ b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/CMakeLists.txt
@@ -0,0 +1,80 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fimdb_unit_tests)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+link_directories(${SRC_FOLDER}/shared_modules/dbsync/build/lib)
+link_directories(${SRC_FOLDER}/shared_modules/rsync/build/lib)
+link_directories(${SRC_FOLDER}/syscheckd/db/src/)
+link_directories(${SRC_FOLDER}/config/)
+link_directories(${SRC_FOLDER}/shared/)
+link_directories(${SRC_FOLDER})
+include_directories(${SRC_FOLDER}/config/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/src/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+include_directories(${SRC_FOLDER}/shared/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/)
+
+file(GLOB FIMDB_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB FIMDB_IMP_SRC
+     "${SRC_FOLDER}/syscheckd/src/db/src/fimDB.cpp"
+    )
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+add_definitions(-DWAZUH_UNIT_TESTING)
+
+add_executable(fimdb_unit_test
+    ${FIMDB_UNIT_TEST_SRC}
+    ${FIMDB_IMP_SRC}
+    ${DBSYNC_IMP_SRC}
+    ${RSYNC_IMP_SRC}
+)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fimdb_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        cjson
+        sqlite3
+        crypto
+        ws2_32
+        ssl
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(fimdb_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME fimdb_unit_test
+         COMMAND fimdb_unit_test)
diff --git a/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.cpp b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.cpp
new file mode 100644
index 0000000000..8d4d0ea37c
--- /dev/null
+++ b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.cpp
@@ -0,0 +1,371 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FIMDB_CPP_UNIT_TEST
+#define _FIMDB_CPP_UNIT_TEST
+
+#include "fimDBImpTests.hpp"
+#include <thread>
+#include "fimDBSpecialization.h"
+
+constexpr auto MOCK_DB_PATH {"temp_fimdb_ut.db"};
+constexpr auto MOCK_DB_MEM {":memory:"};
+MockLoggingCall* mockLog;
+MockSyncMsg* mockSync;
+
+void mockLoggingFunction(const modules_log_level_t logLevel, const char* tag)
+{
+    mockLog->loggingFunction(logLevel, tag);
+}
+
+void mockSyncMessage(const char* log, const char* tag)
+{
+    mockSync->syncMsg(log, tag);
+}
+
+class FimDBWinFixture : public ::testing::Test
+{
+    protected:
+        MockDBSyncHandler* mockDBSync;
+        MockRSyncHandler* mockRSync;
+        MockFIMDB fimDBMock;
+        unsigned int mockIntervalSync;
+        unsigned int mockMaxRowsFile;
+        unsigned int mockMaxRowsReg;
+        unsigned int syncResponseTimeout;
+        unsigned int syncMaxInterval;
+        bool syncRegistryEnabled;
+
+        void SetUp() override
+        {
+            constexpr auto MOCK_SQL_STATEMENT
+            {
+                R"(CREATE TABLE mock_db (
+                mock_text TEXT,
+                PRIMARY KEY (mock_text))
+                )"
+            };
+
+            mockIntervalSync = 900;
+            mockMaxRowsFile = 1000;
+            mockMaxRowsReg = 1000;
+            syncResponseTimeout = 30;
+            syncMaxInterval = 2000;
+            syncRegistryEnabled = 1;
+
+            std::function<void(const std::string&)> callbackSyncFileWrapper
+            {
+                [](const std::string & msg)
+                {
+                    mockSyncMessage(FIM_COMPONENT_FILE, msg.c_str());
+                }
+            };
+
+            std::function<void(const std::string&)> callbackSyncRegistryWrapper
+            {
+                [](const std::string & msg)
+                {
+                    mockSyncMessage(FIM_COMPONENT_REGISTRY_KEY, msg.c_str());
+                }
+            };
+
+            std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper
+            {
+                [](modules_log_level_t level, const std::string & log)
+                {
+                    mockLoggingFunction(level, log.c_str());
+                }
+            };
+
+            std::shared_ptr<DBSync> dbsyncHandler = std::make_unique<MockDBSyncHandler>(HostType::AGENT, DbEngineType::SQLITE3,
+                                                                                        MOCK_DB_PATH, MOCK_SQL_STATEMENT);
+            std::shared_ptr<RemoteSync> rsyncHandler = std::make_shared<MockRSyncHandler>();
+            mockDBSync = (MockDBSyncHandler*) dbsyncHandler.get();
+            mockRSync = (MockRSyncHandler*) rsyncHandler.get();
+            mockLog = new MockLoggingCall();
+            mockSync = new MockSyncMsg();
+
+            fimDBMock.init(mockIntervalSync,
+                           syncMaxInterval,
+                           syncResponseTimeout,
+                           callbackSyncFileWrapper,
+                           callbackSyncRegistryWrapper,
+                           callbackLogWrapper,
+                           dbsyncHandler,
+                           rsyncHandler,
+                           mockMaxRowsFile,
+                           mockMaxRowsReg,
+                           syncRegistryEnabled);
+        }
+
+        void TearDown() override
+        {
+            fimDBMock.teardown();
+            std::remove(MOCK_DB_PATH);
+            delete mockLog;
+            delete mockSync;
+        };
+};
+
+class FimDBFixture : public ::testing::Test
+{
+    protected:
+        MockDBSyncHandler* mockDBSync;
+        MockRSyncHandler* mockRSync;
+        MockFIMDB fimDBMock;
+        unsigned int mockIntervalSync;
+        unsigned int mockMaxRowsFile;
+        unsigned int mockMaxRowsReg;
+        unsigned int syncResponseTimeout;
+        unsigned int syncMaxInterval;
+        bool syncRegistryEnabled;
+
+        void SetUp() override
+        {
+            constexpr auto MOCK_SQL_STATEMENT
+            {
+                R"(CREATE TABLE mock_db (
+                mock_text TEXT,
+                PRIMARY KEY (mock_text))
+                )"
+            };
+
+            mockIntervalSync = 900;
+            mockMaxRowsFile = 1000;
+            mockMaxRowsReg = 1000;
+            syncResponseTimeout = 30;
+            syncMaxInterval = 2000;
+            syncRegistryEnabled = 1;
+
+            std::function<void(const std::string&)> callbackSyncFileWrapper
+            {
+                [](const std::string & msg)
+                {
+                    mockSyncMessage(FIM_COMPONENT_FILE, msg.c_str());
+                }
+            };
+
+            std::function<void(const std::string&)> callbackSyncRegistryWrapper
+            {
+                [](const std::string & msg)
+                {
+                    mockSyncMessage(FIM_COMPONENT_REGISTRY_KEY, msg.c_str());
+                }
+            };
+
+            std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper
+            {
+                [](modules_log_level_t level, const std::string & log)
+                {
+                    mockLoggingFunction(level, log.c_str());
+                }
+            };
+
+            std::shared_ptr<DBSync> dbsyncHandler = std::make_unique<MockDBSyncHandler>(HostType::AGENT, DbEngineType::SQLITE3,
+                                                                                        MOCK_DB_PATH, MOCK_SQL_STATEMENT);
+            std::shared_ptr<RemoteSync> rsyncHandler = std::make_shared<MockRSyncHandler>();
+            mockDBSync = (MockDBSyncHandler*) dbsyncHandler.get();
+            mockRSync = (MockRSyncHandler*) rsyncHandler.get();
+            mockLog = new MockLoggingCall();
+            mockSync = new MockSyncMsg();
+
+            EXPECT_CALL((*mockDBSync), setTableMaxRow("file_entry", mockMaxRowsFile));
+
+#ifdef WIN32
+            EXPECT_CALL((*mockDBSync), setTableMaxRow("registry_key", mockMaxRowsReg));
+            EXPECT_CALL((*mockDBSync), setTableMaxRow("registry_data", mockMaxRowsReg));
+#endif
+
+            fimDBMock.init(mockIntervalSync,
+                           syncMaxInterval,
+                           syncResponseTimeout,
+                           callbackSyncFileWrapper,
+                           callbackSyncRegistryWrapper,
+                           callbackLogWrapper,
+                           dbsyncHandler,
+                           rsyncHandler,
+                           mockMaxRowsFile,
+                           mockMaxRowsReg,
+                           syncRegistryEnabled);
+        }
+
+        void TearDown() override
+        {
+            fimDBMock.teardown();
+            std::remove(MOCK_DB_PATH);
+            delete mockLog;
+            delete mockSync;
+        };
+};
+
+TEST_F(FimDBFixture, dbSyncHandlerInitSuccess)
+{
+    ASSERT_NE(fimDBMock.DBSyncHandler()->handle(), nullptr);
+}
+
+TEST_F(FimDBFixture, insertItemSuccess)
+{
+    nlohmann::json itemJson;
+    ResultCallbackData callback;
+    EXPECT_CALL(*mockDBSync, syncRow(itemJson, testing::_));
+    fimDBMock.updateItem(itemJson, callback);
+}
+
+TEST_F(FimDBFixture, removeItemSuccess)
+{
+    nlohmann::json itemJson;
+    EXPECT_CALL(*mockDBSync, deleteRows(itemJson));
+    fimDBMock.removeItem(itemJson);
+}
+
+TEST_F(FimDBFixture, updateItemSuccess)
+{
+    nlohmann::json itemJson;
+    ResultCallbackData callback;
+    EXPECT_CALL(*mockDBSync, syncRow(itemJson, testing::_));
+    fimDBMock.updateItem(itemJson, callback);
+}
+
+TEST_F(FimDBFixture, registerSyncIDSuccess)
+{
+    EXPECT_CALL(*mockRSync, registerSyncID(testing::_, testing::_, testing::_, testing::_)).Times(testing::AtLeast(1));
+
+    fimDBMock.registerRSync();
+
+}
+
+#ifdef WIN32
+TEST_F(FimDBFixture, registerSyncIDSuccessWindows)
+{
+    EXPECT_CALL(*mockRSync, registerSyncID(testing::_, testing::_, testing::_, testing::_)).Times(testing::AtLeast(3));
+
+    fimDBMock.registerRSync();
+
+}
+#endif
+
+TEST_F(FimDBFixture, registerSyncIDError)
+{
+    EXPECT_CALL(*mockRSync, registerSyncID(testing::_, testing::_, testing::_, testing::_)).Times(testing::AtLeast(1));
+
+    fimDBMock.registerRSync();
+}
+
+TEST_F(FimDBFixture, loopRSyncSuccess)
+{
+    std::mutex test_mutex;
+
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_INFO, "FIM sync module started."));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Executing FIM sync."));
+    EXPECT_CALL(*mockRSync, startSync(testing::_, testing::_, testing::_)).Times(testing::AtLeast(1));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Finished FIM sync."));
+    EXPECT_CALL(*mockRSync, registerSyncID(testing::_, testing::_, testing::_, testing::_)).Times(testing::AtLeast(1));
+
+    fimDBMock.runIntegrity();
+}
+
+TEST_F(FimDBFixture, syncAlgorithmLoop)
+{
+    EXPECT_CALL(fimDBMock, getCurrentTime()).WillOnce(testing::Return(15)).WillOnce(testing::Return(30));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG_VERBOSE, "Sync still in progress. Skipped next sync and increased interval to '1800s'"));
+
+    fimDBMock.setTimeLastSyncMsg();
+    fimDBMock.syncAlgorithm();
+
+    EXPECT_CALL(fimDBMock, getCurrentTime()).WillOnce(testing::Return(15)).WillOnce(testing::Return(30));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG_VERBOSE, "Sync still in progress. Skipped next sync and increased interval to '2000s'"));
+
+    fimDBMock.setTimeLastSyncMsg();
+    fimDBMock.syncAlgorithm();
+
+    EXPECT_CALL(fimDBMock, getCurrentTime()).WillOnce(testing::Return(15)).WillOnce(testing::Return(60));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG_VERBOSE, "Previous sync was successful. Sync interval is reset to: '900s'"));
+
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Executing FIM sync."));
+    EXPECT_CALL(*mockRSync, startSync(testing::_, testing::_, testing::_)).Times(testing::AtLeast(1));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_DEBUG, "Finished FIM sync."));
+
+    fimDBMock.setTimeLastSyncMsg();
+    fimDBMock.syncAlgorithm();
+}
+
+TEST_F(FimDBFixture, executeQuerySuccess)
+{
+    nlohmann::json itemJson;
+    ResultCallbackData callback;
+    EXPECT_CALL(*mockDBSync, selectRows(itemJson, testing::_));
+    fimDBMock.executeQuery(itemJson, callback);
+}
+
+TEST_F(FimDBFixture, executeQueryFailMaxRows)
+{
+    nlohmann::json itemJson;
+    ResultCallbackData callback;
+    EXPECT_CALL(*mockDBSync, selectRows(itemJson, testing::_));
+    fimDBMock.executeQuery(itemJson, callback);
+}
+
+TEST_F(FimDBFixture, executeQueryFailException)
+{
+    nlohmann::json itemJson;
+    ResultCallbackData callback;
+    EXPECT_CALL(*mockDBSync, selectRows(itemJson, testing::_));
+    fimDBMock.executeQuery(itemJson, callback);
+}
+
+TEST_F(FimDBFixture, fimSyncPushMsgSuccess)
+{
+    const std::string data("testing msg");
+    auto rawData{data};
+    const auto buff{reinterpret_cast<const uint8_t*>(rawData.c_str())};
+
+    EXPECT_CALL(fimDBMock, getCurrentTime()).WillOnce(testing::Return(100));
+    EXPECT_CALL(*mockRSync, pushMessage(std::vector<uint8_t> {buff, buff + rawData.size()}));
+
+    fimDBMock.pushMessage(data);
+}
+
+TEST_F(FimDBFixture, fimSyncPushMsgException)
+{
+    const std::string data("testing msg");
+    auto rawData{data};
+    const auto buff{reinterpret_cast<const uint8_t*>(rawData.c_str())};
+
+    EXPECT_CALL(fimDBMock, getCurrentTime()).WillOnce(testing::Return(100));
+    EXPECT_CALL(*mockRSync, pushMessage(std::vector<uint8_t> {buff, buff + rawData.size()})).WillOnce(testing::Throw(std::exception()));
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_ERROR, testing::_));
+
+    fimDBMock.pushMessage(data);
+}
+
+TEST_F(FimDBFixture, logAnExceptionErr)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(testing::_, testing::_));
+    fimDBMock.logFunction(LOG_DEBUG_VERBOSE, "This is an error");
+}
+
+TEST(FimDB, notInitalizedDbSyncException)
+{
+    MockFIMDB fimDBMock;
+    EXPECT_THROW(
+    {
+        ASSERT_EQ(fimDBMock.DBSyncHandler()->handle(), nullptr);
+    }, std::runtime_error);
+}
+
+TEST_F(FimDBFixture, loopRSyncInvalidCallOrder)
+{
+    EXPECT_CALL(*mockLog, loggingFunction(LOG_INFO, "FIM sync module started."));
+    fimDBMock.stopIntegrity();
+    fimDBMock.runIntegrity();
+}
+
+#endif
diff --git a/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.hpp b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.hpp
new file mode 100644
index 0000000000..bc5048d4e4
--- /dev/null
+++ b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/fimDBImpTests.hpp
@@ -0,0 +1,94 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 23, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FIMDB_IMP_TEST_H
+#define _FIMDB_IMP_TEST_H
+
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+#include "fimDB.hpp"
+#include "dbItem.hpp"
+#include "fimCommonDefs.h"
+
+class MockDBSyncHandler: public DBSync
+{
+
+    public:
+        MockDBSyncHandler(const HostType hostType,
+                          const DbEngineType dbType,
+                          const std::string& path,
+                          const std::string& sqlStatement): DBSync(hostType, dbType, path, sqlStatement) {};
+        ~MockDBSyncHandler() {};
+        MOCK_METHOD(void, setTableMaxRow, (const std::string&, const long long), (override));
+        MOCK_METHOD(void, insertData, (const nlohmann::json&), (override));
+        MOCK_METHOD(void, deleteRows, (const nlohmann::json&), (override));
+        MOCK_METHOD(void, syncRow, (const nlohmann::json&, ResultCallbackData), (override));
+        MOCK_METHOD(void, selectRows, (const nlohmann::json&, ResultCallbackData), (override));
+};
+
+class MockRSyncHandler: public RemoteSync
+{
+
+    public:
+        MockRSyncHandler() {};
+        ~MockRSyncHandler() {};
+        MOCK_METHOD(void, registerSyncID, (const std::string&, const DBSYNC_HANDLE, const nlohmann::json&, SyncCallbackData), (override));
+        MOCK_METHOD(void, startSync, (const DBSYNC_HANDLE, const nlohmann::json&, SyncCallbackData), (override));
+        MOCK_METHOD(void, pushMessage, (const std::vector<uint8_t>&), (override));
+};
+
+class MockFIMDB: public FIMDB
+{
+    public:
+        MockFIMDB() {};
+        ~MockFIMDB() {};
+
+        void stopIntegrity()
+        {
+            FIMDB::stopIntegrity();
+        }
+
+        void teardown()
+        {
+            FIMDB::teardown();
+        }
+
+        void runIntegrity()
+        {
+            FIMDB::runIntegrity();
+        }
+
+        void syncAlgorithm()
+        {
+            FIMDB::syncAlgorithm();
+        }
+
+        void setTimeLastSyncMsg()
+        {
+            FIMDB::setTimeLastSyncMsg();
+        }
+
+        MOCK_METHOD(time_t, getCurrentTime, (), (const override));
+};
+
+class MockLoggingCall
+{
+    public:
+        MOCK_METHOD(void, loggingFunction, (const modules_log_level_t, const std::string&), ());
+};
+
+class MockSyncMsg
+{
+    public:
+        MOCK_METHOD(void, syncMsg, (const std::string&, const std::string&), ());
+};
+
+#endif //_FIMDB_IMP_TEST_H
diff --git a/src/modules/fim/db/tests/db/FIMDB/fimDBTests/main.cpp b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/FIMDB/fimDBTests/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/FileItem/CMakeLists.txt b/src/modules/fim/db/tests/db/dbItem/FileItem/CMakeLists.txt
new file mode 100644
index 0000000000..e5e5e04a51
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/FileItem/CMakeLists.txt
@@ -0,0 +1,74 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fileitem_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB fileitem_UNIT_TEST_SRC "dbFileItemTestWindows.cpp")
+else()
+    file(GLOB fileitem_UNIT_TEST_SRC "dbFileItemTest.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+
+file(GLOB FILEITEM_SRC "${SRC_FOLDER}/syscheckd/src/db/src/dbFileItem.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_FILEITEM_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(fileitem_unit_test
+    ${fileitem_UNIT_TEST_SRC}
+    ${FILEITEM_SRC}
+    ${WINDOWS_FILEITEM_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(fileitem_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(fileitem_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        crypto
+        cjson
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME fileitem_unit_test
+         COMMAND fileitem_unit_test)
diff --git a/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.cpp b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.cpp
new file mode 100644
index 0000000000..f33410afda
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.cpp
@@ -0,0 +1,230 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 5, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "dbFileItem.hpp"
+#include "dbFileItemTest.h"
+#include "syscheck.h"
+
+
+void FileItemTest::SetUp()
+{
+    fimEntryTest = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_file_data* data = reinterpret_cast<fim_file_data*>(std::calloc(1, sizeof(fim_file_data)));
+
+    fimEntryTest->type = FIM_TYPE_FILE;
+    fimEntryTest->file_entry.path = const_cast<char*>("/etc/wgetrc");
+    data->attributes = const_cast<char*>("10");
+    std::snprintf(data->checksum, sizeof(data->checksum), "a2fbef8f81af27155dcee5e3927ff6243593b91a");
+    data->dev = 2051;
+    data->gid = const_cast<char*>("0");
+    data->group_name = const_cast<char*>("root");
+    std::snprintf(data->hash_md5, sizeof(data->hash_md5), "4b531524aa13c8a54614100b570b3dc7");
+    std::snprintf(data->hash_sha1, sizeof(data->hash_sha1), "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b");
+    std::snprintf(data->hash_sha256, sizeof(data->hash_sha256), "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a");
+    data->inode = 1152921500312810880;
+    data->last_event = 1596489275;
+    data->mode = FIM_SCHEDULED;
+    data->mtime = 1578075431;
+    data->options = 131583;
+    data->perm = const_cast<char*>("-rw-rw-r--");
+    data->scanned = 1;
+    data->size = 4925;
+    data->uid = const_cast<char*>("0");
+    data->user_name = const_cast<char*>("fakeUser");
+    fimEntryTest->file_entry.data = data;
+}
+
+void FileItemTest::TearDown()
+{
+    os_free(fimEntryTest->file_entry.data);
+    os_free(fimEntryTest);
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromFIM)
+{
+    EXPECT_NO_THROW(
+    {
+        auto file = new FileItem(fimEntryTest);
+        auto scanned = file->state();
+        EXPECT_TRUE(scanned);
+        delete file;
+    });
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromFIMWithNullParameters)
+{
+    fim_entry* fimEntryTestNull = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_file_data* data = reinterpret_cast<fim_file_data*>(std::calloc(1, sizeof(fim_file_data)));
+
+    fimEntryTestNull->type = FIM_TYPE_FILE;
+    fimEntryTestNull->file_entry.path = NULL;
+    data->attributes = NULL;
+    data->checksum[0] = '\0';
+    data->dev = 0;
+    data->gid = NULL;
+    data->group_name = NULL;
+    data->hash_md5[0] = '\0';
+    data->hash_sha1[0] = '\0';
+    data->hash_sha256[0] = '\0';
+    data->inode = 0;
+    data->last_event = 0;
+    data->mode = FIM_SCHEDULED;
+    data->mtime = 0;
+    data->options = 131583;
+    data->perm = NULL;
+    data->scanned = 1;
+    data->size = 0;
+    data->uid = NULL;
+    data->user_name = NULL;
+    fimEntryTestNull->file_entry.data = data;
+    EXPECT_NO_THROW(
+    {
+        auto file = new FileItem(fimEntryTestNull);
+        auto scanned = file->state();
+        EXPECT_TRUE(scanned);
+        delete file;
+    });
+    os_free(data);
+    os_free(fimEntryTestNull);
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromJSON)
+{
+    const auto insertJSON = R"(
+        {
+            "attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2051, "gid":"0", "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+            "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+            "uid":"0", "user_name":"fakeUser"
+        }
+    )"_json;
+    EXPECT_NO_THROW(
+    {
+        auto fileTest = new FileItem(insertJSON);
+        auto scanned = fileTest->state();
+        EXPECT_TRUE(scanned);
+        delete fileTest;
+    });
+}
+
+TEST_F(FileItemTest, getFIMEntryWithFimCtr)
+{
+    auto file = new FileItem(fimEntryTest);
+    auto fileEntry = file->toFimEntry();
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.path, fimEntryTest->file_entry.path), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->attributes, fimEntryTest->file_entry.data->attributes), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->checksum, fimEntryTest->file_entry.data->checksum), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->dev, fimEntryTest->file_entry.data->dev);
+    ASSERT_EQ(fileEntry->file_entry.data->inode, fimEntryTest->file_entry.data->inode);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_md5, fimEntryTest->file_entry.data->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha1, fimEntryTest->file_entry.data->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha256, fimEntryTest->file_entry.data->hash_sha256), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->gid, fimEntryTest->file_entry.data->gid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->group_name, fimEntryTest->file_entry.data->group_name), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->last_event, fimEntryTest->file_entry.data->last_event);
+    ASSERT_EQ(fileEntry->file_entry.data->mode, fimEntryTest->file_entry.data->mode);
+    ASSERT_EQ(fileEntry->file_entry.data->mtime, fimEntryTest->file_entry.data->mtime);
+    ASSERT_EQ(fileEntry->file_entry.data->options, fimEntryTest->file_entry.data->options);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->perm, fimEntryTest->file_entry.data->perm), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->scanned, fimEntryTest->file_entry.data->scanned);
+    ASSERT_EQ(fileEntry->file_entry.data->size, fimEntryTest->file_entry.data->size);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->uid, fimEntryTest->file_entry.data->uid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->user_name, fimEntryTest->file_entry.data->user_name), 0);
+
+    delete file;
+}
+
+TEST_F(FileItemTest, getFIMEntryWithJSONCtr)
+{
+    const auto insertJSON = R"(
+        {
+            "attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2051, "gid":"0", "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+            "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+            "uid":"0", "user_name":"fakeUser"
+        }
+    )"_json;
+    auto file = new FileItem(insertJSON);
+    auto fileEntry = file->toFimEntry();
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.path, fimEntryTest->file_entry.path), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->attributes, fimEntryTest->file_entry.data->attributes), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->checksum, fimEntryTest->file_entry.data->checksum), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->dev, fimEntryTest->file_entry.data->dev);
+    ASSERT_EQ(fileEntry->file_entry.data->inode, fimEntryTest->file_entry.data->inode);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_md5, fimEntryTest->file_entry.data->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha1, fimEntryTest->file_entry.data->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha256, fimEntryTest->file_entry.data->hash_sha256), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->gid, fimEntryTest->file_entry.data->gid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->group_name, fimEntryTest->file_entry.data->group_name), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->last_event, fimEntryTest->file_entry.data->last_event);
+    ASSERT_EQ(fileEntry->file_entry.data->mode, fimEntryTest->file_entry.data->mode);
+    ASSERT_EQ(fileEntry->file_entry.data->mtime, fimEntryTest->file_entry.data->mtime);
+    ASSERT_EQ(fileEntry->file_entry.data->options, fimEntryTest->file_entry.data->options);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->perm, fimEntryTest->file_entry.data->perm), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->scanned, fimEntryTest->file_entry.data->scanned);
+    ASSERT_EQ(fileEntry->file_entry.data->size, fimEntryTest->file_entry.data->size);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->uid, fimEntryTest->file_entry.data->uid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->user_name, fimEntryTest->file_entry.data->user_name), 0);
+
+    delete file;
+}
+
+TEST_F(FileItemTest, getJSONWithFimCtr)
+{
+    auto file = new FileItem(fimEntryTest);
+    const auto expectedValue = R"(
+        {
+            "table": "file_entry",
+            "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2051, "gid":"0", "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+            "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+            "uid":"0", "user_name":"fakeUser"}]
+        }
+    )"_json;
+    ASSERT_TRUE(*file->toJSON() == expectedValue);
+    delete file;
+}
+
+TEST_F(FileItemTest, getJSONWithJSONCtr)
+{
+    auto file = new FileItem(fimEntryTest);
+    const auto expectedValue = R"(
+        {
+            "table": "file_entry",
+            "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2051, "gid":"0", "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+            "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+            "uid":"0", "user_name":"fakeUser"}]
+        }
+    )"_json;
+    ASSERT_TRUE(*file->toJSON() == expectedValue);
+    delete file;
+}
+
+TEST_F(FileItemTest, fileItemReportOldData)
+{
+    auto file = new FileItem(fimEntryTest, true);
+    const auto expectedValue = R"(
+        {
+            "table": "file_entry",
+            "data":[{"attributes":"10", "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "dev":2051, "gid":"0", "group_name":"root",
+            "hash_md5":"4b531524aa13c8a54614100b570b3dc7", "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "inode":1152921500312810880, "last_event":1596489275,
+            "mode":0, "mtime":1578075431, "options":131583, "path":"/etc/wgetrc", "perm":"-rw-rw-r--", "scanned":1, "size":4925,
+            "uid":"0", "user_name":"fakeUser"}],"options":{"return_old_data": true, "ignore":["last_event"]}
+        }
+    )"_json;
+    ASSERT_TRUE(*file->toJSON() == expectedValue);
+    delete file;
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.h b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.h
new file mode 100644
index 0000000000..df585b8917
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTest.h
@@ -0,0 +1,28 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 5, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FILEITEM_TEST_H
+#define _FILEITEM_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class FileItemTest : public testing::Test {
+    protected:
+        FileItemTest() = default;
+        virtual ~FileItemTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+        fim_entry * fimEntryTest;
+        nlohmann::json json;
+};
+
+#endif //_FILEITEM_TEST_H
diff --git a/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTestWindows.cpp b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTestWindows.cpp
new file mode 100644
index 0000000000..275e34784c
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/FileItem/dbFileItemTestWindows.cpp
@@ -0,0 +1,197 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 5, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "dbFileItem.hpp"
+#include "dbFileItemTest.h"
+#include "syscheck.h"
+
+
+void FileItemTest::SetUp()
+{
+    fimEntryTest = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_file_data* data = reinterpret_cast<fim_file_data*>(std::calloc(1, sizeof(fim_file_data)));
+
+    fimEntryTest->type = FIM_TYPE_FILE;
+    fimEntryTest->file_entry.path = const_cast<char*>("/etc/wgetrc");
+    data->attributes = const_cast<char*>("10");
+    std::snprintf(data->checksum, sizeof(data->checksum), "a2fbef8f81af27155dcee5e3927ff6243593b91a");
+    data->dev = 2051;
+    data->gid = const_cast<char*>("0");
+    data->group_name = const_cast<char*>("root");
+    std::snprintf(data->hash_md5, sizeof(data->hash_md5), "4b531524aa13c8a54614100b570b3dc7");
+    std::snprintf(data->hash_sha1, sizeof(data->hash_sha1), "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b");
+    std::snprintf(data->hash_sha256, sizeof(data->hash_sha256), "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a");
+    data->inode = 1152921500312810880;
+    data->last_event = 1596489275;
+    data->mode = FIM_SCHEDULED;
+    data->mtime = 1578075431;
+    data->options = 131583;
+    data->scanned = 1;
+    data->perm =
+        const_cast<char*>("{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}}");
+    data->size = 4925;
+    data->uid = const_cast<char*>("0");
+    data->user_name = const_cast<char*>("fakeUser");
+    fimEntryTest->file_entry.data = data;
+    json =
+    {
+        {"attributes", "10"},
+        {"checksum", "a2fbef8f81af27155dcee5e3927ff6243593b91a"},
+        {"dev", 2051},
+        {"gid", "0"},
+        {"group_name", "root"},
+        {"hash_md5", "4b531524aa13c8a54614100b570b3dc7"},
+        {"hash_sha1", "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b"},
+        {"hash_sha256", "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a"},
+        {"inode", 1152921500312810880},
+        {"last_event", 1596489275},
+        {"mode", 0},
+        {"mtime", 1578075431},
+        {"options", 131583},
+        {"path", "/etc/wgetrc"},
+        {"perm", "{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}}"},
+        {"scanned", 1},
+        {"size", 4925},
+        {"uid", "0"},
+        {"user_name", "fakeUser"}
+    };
+}
+
+void FileItemTest::TearDown()
+{
+    os_free(fimEntryTest->file_entry.data);
+    os_free(fimEntryTest);
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromFIM)
+{
+    EXPECT_NO_THROW(
+    {
+        auto file = std::make_unique<FileItem>(fimEntryTest);
+        auto scanned = file->state();
+        EXPECT_TRUE(scanned);
+    });
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromFIMWithNullParameters)
+{
+    fim_entry* fimEntryTestNull = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_file_data* data = reinterpret_cast<fim_file_data*>(std::calloc(1, sizeof(fim_file_data)));
+
+    fimEntryTestNull->type = FIM_TYPE_FILE;
+    fimEntryTestNull->file_entry.path = NULL;
+    data->attributes = NULL;
+    data->checksum[0] = '\0';
+    data->dev = 0;
+    data->gid = NULL;
+    data->group_name = NULL;
+    data->hash_md5[0] = '\0';
+    data->hash_sha1[0] = '\0';
+    data->hash_sha256[0] = '\0';
+    data->inode = 0;
+    data->last_event = 0;
+    data->mode = FIM_SCHEDULED;
+    data->mtime = 0;
+    data->options = 131583;
+    data->perm = NULL;
+    data->scanned = 1;
+    data->size = 0;
+    data->uid = NULL;
+    data->user_name = NULL;
+    fimEntryTestNull->file_entry.data = data;
+    EXPECT_NO_THROW(
+    {
+        auto file = std::make_unique<FileItem>(fimEntryTestNull);
+        auto scanned = file->state();
+        EXPECT_TRUE(scanned);
+    });
+    os_free(data);
+    os_free(fimEntryTestNull);
+}
+
+TEST_F(FileItemTest, fileItemConstructorFromJSON)
+{
+    EXPECT_NO_THROW(
+    {
+        auto fileTest = std::make_unique<FileItem>(json);
+        auto scanned = fileTest->state();
+        EXPECT_TRUE(scanned);
+    });
+}
+
+TEST_F(FileItemTest, getFIMEntryWithFimCtr)
+{
+    auto file = std::make_unique<FileItem>(fimEntryTest);
+    auto fileEntry = file->toFimEntry();
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.path, fimEntryTest->file_entry.path), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->attributes, fimEntryTest->file_entry.data->attributes), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->checksum, fimEntryTest->file_entry.data->checksum), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->dev, fimEntryTest->file_entry.data->dev);
+    ASSERT_EQ(fileEntry->file_entry.data->inode, fimEntryTest->file_entry.data->inode);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_md5, fimEntryTest->file_entry.data->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha1, fimEntryTest->file_entry.data->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha256, fimEntryTest->file_entry.data->hash_sha256), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->gid, fimEntryTest->file_entry.data->gid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->group_name, fimEntryTest->file_entry.data->group_name), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->last_event, fimEntryTest->file_entry.data->last_event);
+    ASSERT_EQ(fileEntry->file_entry.data->mode, fimEntryTest->file_entry.data->mode);
+    ASSERT_EQ(fileEntry->file_entry.data->mtime, fimEntryTest->file_entry.data->mtime);
+    ASSERT_EQ(fileEntry->file_entry.data->options, fimEntryTest->file_entry.data->options);
+    ASSERT_EQ(fileEntry->file_entry.data->scanned, fimEntryTest->file_entry.data->scanned);
+    ASSERT_EQ(fileEntry->file_entry.data->size, fimEntryTest->file_entry.data->size);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->uid, fimEntryTest->file_entry.data->uid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->user_name, fimEntryTest->file_entry.data->user_name), 0);//*/
+}
+
+TEST_F(FileItemTest, getFIMEntryWithJSONCtr)
+{
+    auto file = std::make_unique<FileItem>(json);
+    auto fileEntry = file->toFimEntry();
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.path, fimEntryTest->file_entry.path), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->attributes, fimEntryTest->file_entry.data->attributes), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->checksum, fimEntryTest->file_entry.data->checksum), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->dev, fimEntryTest->file_entry.data->dev);
+    ASSERT_EQ(fileEntry->file_entry.data->inode, fimEntryTest->file_entry.data->inode);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_md5, fimEntryTest->file_entry.data->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha1, fimEntryTest->file_entry.data->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->hash_sha256, fimEntryTest->file_entry.data->hash_sha256), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->gid, fimEntryTest->file_entry.data->gid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->group_name, fimEntryTest->file_entry.data->group_name), 0);
+    ASSERT_EQ(fileEntry->file_entry.data->last_event, fimEntryTest->file_entry.data->last_event);
+    ASSERT_EQ(fileEntry->file_entry.data->mode, fimEntryTest->file_entry.data->mode);
+    ASSERT_EQ(fileEntry->file_entry.data->mtime, fimEntryTest->file_entry.data->mtime);
+    ASSERT_EQ(fileEntry->file_entry.data->options, fimEntryTest->file_entry.data->options);
+    ASSERT_EQ(fileEntry->file_entry.data->scanned, fimEntryTest->file_entry.data->scanned);
+    ASSERT_EQ(fileEntry->file_entry.data->size, fimEntryTest->file_entry.data->size);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->uid, fimEntryTest->file_entry.data->uid), 0);
+    ASSERT_EQ(std::strcmp(fileEntry->file_entry.data->user_name, fimEntryTest->file_entry.data->user_name), 0);
+}
+
+TEST_F(FileItemTest, getJSONWithFimCtr)
+{
+    auto file = std::make_unique<FileItem>(fimEntryTest);
+    const auto returnValue = *file->toJSON();
+    ASSERT_TRUE(returnValue["data"][0] == json);
+}
+
+TEST_F(FileItemTest, getJSONWithJSONCtr)
+{
+    auto file = std::make_unique<FileItem>(fimEntryTest);
+    const auto returnValue = *file->toJSON();
+    ASSERT_TRUE(returnValue["data"][0] == json);
+}
+
+TEST_F(FileItemTest, fileItemReportOldData)
+{
+    auto file = std::make_unique<FileItem>(fimEntryTest, true);
+    const auto returnValue = *file->toJSON();
+    const auto expectedValue = R"({"return_old_data": true, "ignore":["last_event"]})"_json;
+    ASSERT_TRUE(returnValue["options"] == expectedValue);
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/FileItem/main.cpp b/src/modules/fim/db/tests/db/dbItem/FileItem/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/FileItem/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryKey/CMakeLists.txt b/src/modules/fim/db/tests/db/dbItem/RegistryKey/CMakeLists.txt
new file mode 100644
index 0000000000..aa1b82bd0a
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryKey/CMakeLists.txt
@@ -0,0 +1,71 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(registrykey_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB registrykey_UNIT_TEST_SRC
+    "*.cpp")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+
+file(GLOB REGISTRYKEY_SRC "${SRC_FOLDER}/syscheckd/src/db/src/dbRegistryKey.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_REGISTRYKEY_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(registrykey_unit_test
+    ${registrykey_UNIT_TEST_SRC}
+    ${REGISTRYKEY_SRC}
+    ${WINDOWS_REGISTRYKEY_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(registrykey_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(registrykey_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME registrykey_unit_test
+         COMMAND registrykey_unit_test)
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.cpp b/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.cpp
new file mode 100644
index 0000000000..a35b06f706
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.cpp
@@ -0,0 +1,136 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 15, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "dbRegistryKey.hpp"
+#include "dbRegistryKeyTest.h"
+#include "syscheck.h"
+
+
+void RegistryKeyTest::SetUp()
+{
+    fimEntryTest = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_registry_key* key = reinterpret_cast<fim_registry_key*>(std::calloc(1, sizeof(fim_registry_key)));
+
+    fimEntryTest->type = FIM_TYPE_REGISTRY;
+    key->arch = ARCH_64BIT;
+    std::snprintf(key->checksum, sizeof(key->checksum), "a2fbef8f81af27155dcee5e3927ff6243593b91a");
+    key->gid = const_cast<char*>("0");
+    key->group_name = const_cast<char*>("root");
+    key->last_event = 1596489275;
+    key->mtime = 1578075431;
+    key->path = const_cast<char*>("HKEY_LOCAL_MACHINE\\SOFTWARE");
+    key->hash_full_path = const_cast<char*>("00a7ee53218b25b5364c8773f37a38c93eae3880");
+    key->perm = const_cast<char*>("-rw-rw-r--");
+    key->scanned = 1;
+    key->uid = const_cast<char*>("0");
+    key->user_name = const_cast<char*>("fakeUser");
+    fimEntryTest->registry_entry.key = key;
+}
+
+void RegistryKeyTest::TearDown()
+{
+    free(fimEntryTest->registry_entry.key);
+    free(fimEntryTest);
+}
+
+TEST_F(RegistryKeyTest, registryKeyConstructorFromFIM)
+{
+    EXPECT_NO_THROW(
+    {
+        auto key = new RegistryKey(fimEntryTest);
+        auto scanned = key->state();
+        EXPECT_TRUE(scanned);
+        delete key;
+    });
+}
+
+TEST_F(RegistryKeyTest, registryKeyConstructorFromJSON)
+{
+
+    EXPECT_NO_THROW(
+    {
+        auto keyTest = new RegistryKey(inputJson);
+        auto scanned = keyTest->state();
+        EXPECT_TRUE(scanned);
+        delete keyTest;
+    });
+}
+
+TEST_F(RegistryKeyTest, getFIMEntryWithFimCtr)
+{
+    auto key = new RegistryKey(fimEntryTest);
+    auto keyEntry = key->toFimEntry();
+    ASSERT_EQ(keyEntry->registry_entry.key->id, fimEntryTest->registry_entry.key->id);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->checksum, fimEntryTest->registry_entry.key->checksum), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->gid, fimEntryTest->registry_entry.key->gid), 0);
+    ASSERT_EQ(fimEntryTest->registry_entry.key->arch, fimEntryTest->registry_entry.key->arch);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->path, fimEntryTest->registry_entry.key->path), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->hash_full_path, fimEntryTest->registry_entry.key->hash_full_path), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->group_name, fimEntryTest->registry_entry.key->group_name), 0);
+    ASSERT_EQ(keyEntry->registry_entry.key->last_event, fimEntryTest->registry_entry.key->last_event);
+    ASSERT_EQ(keyEntry->registry_entry.key->mtime, fimEntryTest->registry_entry.key->mtime);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->perm, fimEntryTest->registry_entry.key->perm), 0);
+    ASSERT_EQ(keyEntry->registry_entry.key->scanned, fimEntryTest->registry_entry.key->scanned);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->uid, fimEntryTest->registry_entry.key->uid), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->user_name, fimEntryTest->registry_entry.key->user_name), 0);
+
+    delete key;
+}
+
+TEST_F(RegistryKeyTest, getFIMEntryWithJSONCtr)
+{
+
+    auto key = new RegistryKey(inputJson);
+    auto keyEntry = key->toFimEntry();
+    ASSERT_EQ(keyEntry->registry_entry.key->id, fimEntryTest->registry_entry.key->id);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->checksum, fimEntryTest->registry_entry.key->checksum), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->gid, fimEntryTest->registry_entry.key->gid), 0);
+    ASSERT_EQ(fimEntryTest->registry_entry.key->arch, fimEntryTest->registry_entry.key->arch);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->path, fimEntryTest->registry_entry.key->path), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->hash_full_path, fimEntryTest->registry_entry.key->hash_full_path), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->group_name, fimEntryTest->registry_entry.key->group_name), 0);
+    ASSERT_EQ(keyEntry->registry_entry.key->last_event, fimEntryTest->registry_entry.key->last_event);
+    ASSERT_EQ(keyEntry->registry_entry.key->mtime, fimEntryTest->registry_entry.key->mtime);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->perm, fimEntryTest->registry_entry.key->perm), 0);
+    ASSERT_EQ(keyEntry->registry_entry.key->scanned, fimEntryTest->registry_entry.key->scanned);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->uid, fimEntryTest->registry_entry.key->uid), 0);
+    ASSERT_EQ(std::strcmp(keyEntry->registry_entry.key->user_name, fimEntryTest->registry_entry.key->user_name), 0);
+
+    delete key;
+}
+
+TEST_F(RegistryKeyTest, getJSONWithFimCtr)
+{
+    auto key = new RegistryKey(fimEntryTest);
+    ASSERT_TRUE(*key->toJSON() == expectedValue);
+    delete key;
+}
+
+TEST_F(RegistryKeyTest, getJSONWithJSONCtr)
+{
+    auto key = new RegistryKey(fimEntryTest);
+    ASSERT_TRUE(*key->toJSON() == expectedValue);
+    delete key;
+}
+
+TEST_F(RegistryKeyTest, getJSONWithJSONCtrReportOldData)
+{
+    const nlohmann::json oldDataJson = R"(
+            {
+                "data":[{"arch":"[x64]","checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a","gid":"0","group_name":"root",
+                "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880","last_event":1596489275,"mtime":1578075431,
+                "path":"HKEY_LOCAL_MACHINE\\SOFTWARE","perm":"-rw-rw-r--","scanned":1,"uid":"0", "user_name":"fakeUser"}],
+                "table":"registry_key","options":{"return_old_data": true,"ignore":["last_event"]}
+            }
+        )"_json;
+    auto key = new RegistryKey(fimEntryTest, true);
+    ASSERT_TRUE(*key->toJSON() == oldDataJson);
+    delete key;
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.h b/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.h
new file mode 100644
index 0000000000..86808d4708
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryKey/dbRegistryKeyTest.h
@@ -0,0 +1,43 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 15, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _REGISTRYKEY_TEST_H
+#define _REGISTRYKEY_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class RegistryKeyTest : public testing::Test {
+    protected:
+        RegistryKeyTest() = default;
+        virtual ~RegistryKeyTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+        fim_entry* fimEntryTest;
+        const nlohmann::json expectedValue = R"(
+            {
+                "data":[{"arch":"[x64]","checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a","gid":"0","group_name":"root",
+                "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880","last_event":1596489275,"mtime":1578075431,
+                "path":"HKEY_LOCAL_MACHINE\\SOFTWARE","perm":"-rw-rw-r--",
+                "scanned":1,"uid":"0", "user_name":"fakeUser"}],"table":"registry_key"
+            }
+        )"_json;
+
+        const nlohmann::json inputJson = R"(
+        {
+            "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "gid":"0", "group_name":"root", "arch":1,
+            "last_event":1596489275, "mode":0, "mtime":1578075431, "path":"HKEY_LOCAL_MACHINE\\SOFTWARE", "perm":"-rw-rw-r--",
+            "scanned":1, "uid":"0", "user_name":"fakeUser", "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+        }
+    )"_json;
+};
+
+#endif //_REGISTRYKEY_TEST_H
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryKey/main.cpp b/src/modules/fim/db/tests/db/dbItem/RegistryKey/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryKey/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryValue/CMakeLists.txt b/src/modules/fim/db/tests/db/dbItem/RegistryValue/CMakeLists.txt
new file mode 100644
index 0000000000..ccb6b94e6e
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryValue/CMakeLists.txt
@@ -0,0 +1,71 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(registryvalue_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+file(GLOB registryvalue_UNIT_TEST_SRC
+    "*.cpp")
+
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+
+file(GLOB REGISTRYVALUE_SRC "${SRC_FOLDER}/syscheckd/src/db/src/dbRegistryValue.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    file(GLOB WINDOWS_REGISTRYVALUE_SRC "${SRC_FOLDER}/syscheckd/src/db/src/fimDBSpecializationWindows.cpp")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_executable(registryvalue_unit_test
+    ${registryvalue_UNIT_TEST_SRC}
+    ${REGISTRYVALUE_SRC}
+    ${WINDOWS_REGISTRYVALUE_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC})
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(registryvalue_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        ws2_32
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(registryvalue_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME registryvalue_unit_test
+         COMMAND registryvalue_unit_test)
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.cpp b/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.cpp
new file mode 100644
index 0000000000..e3a73b861d
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.cpp
@@ -0,0 +1,137 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 19, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "dbRegistryValue.hpp"
+#include "dbRegistryValueTest.h"
+#include "syscheck.h"
+
+void RegistryValueTest::SetUp()
+{
+    fimEntryTest = reinterpret_cast<fim_entry*>(std::calloc(1, sizeof(fim_entry)));
+    fim_registry_value_data* value = reinterpret_cast<fim_registry_value_data*>(std::calloc(1, sizeof(fim_registry_value_data)));
+
+    fimEntryTest->type = FIM_TYPE_REGISTRY;
+    std::snprintf(value->checksum, sizeof(value->checksum), "a2fbef8f81af27155dcee5e3927ff6243593b91a");
+    std::snprintf(value->hash_md5, sizeof(value->hash_md5), "4b531524aa13c8a54614100b570b3dc7");
+    std::snprintf(value->hash_sha1, sizeof(value->hash_sha1), "7902feb66d0bcbe4eb88e1bfacf28befc38bd58b");
+    std::snprintf(value->hash_sha256, sizeof(value->hash_sha256), "e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a");
+    value->last_event = 1596489275;
+    value->mode = FIM_SCHEDULED;
+    value->name = const_cast<char*>("testRegistry");
+    value->scanned = 1;
+    value->size = 4925;
+    value->type = 0;
+    value->path = const_cast<char*>("pathTestRegistry");
+    value->hash_full_path = const_cast<char*>("00a7ee53218b25b5364c8773f37a38c93eae3880");
+    value->arch = 0;
+    fimEntryTest->registry_entry.value = value;
+}
+
+void RegistryValueTest::TearDown()
+{
+    free(fimEntryTest->registry_entry.value);
+    free(fimEntryTest);
+}
+
+TEST_F(RegistryValueTest, registryValueConstructorFromFIM)
+{
+    EXPECT_NO_THROW(
+    {
+        auto value = new RegistryValue(fimEntryTest);
+        auto scanned = value->state();
+        EXPECT_TRUE(scanned);
+        delete value;
+    });
+}
+
+TEST_F(RegistryValueTest, registryValueConstructorFromJSON)
+{
+
+    EXPECT_NO_THROW(
+    {
+        auto value = new RegistryValue(inputJson);
+        auto scanned = value->state();
+        EXPECT_TRUE(scanned);
+        delete value;
+    });
+}
+
+TEST_F(RegistryValueTest, getFIMEntryWithFimCtr)
+{
+    auto value = new RegistryValue(fimEntryTest);
+    auto registryEntry = value->toFimEntry();
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->checksum, fimEntryTest->registry_entry.value->checksum), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_md5, fimEntryTest->registry_entry.value->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_sha1, fimEntryTest->registry_entry.value->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_sha256, fimEntryTest->registry_entry.value->hash_sha256), 0);
+    ASSERT_EQ(registryEntry->registry_entry.value->last_event, fimEntryTest->registry_entry.value->last_event);
+    ASSERT_EQ(registryEntry->registry_entry.value->mode, fimEntryTest->registry_entry.value->mode);
+    ASSERT_EQ(registryEntry->registry_entry.value->scanned, fimEntryTest->registry_entry.value->scanned);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->name, fimEntryTest->registry_entry.value->name), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_full_path, fimEntryTest->registry_entry.value->hash_full_path), 0);
+    ASSERT_EQ(registryEntry->registry_entry.value->size, fimEntryTest->registry_entry.value->size);
+    ASSERT_EQ(registryEntry->registry_entry.value->type, fimEntryTest->registry_entry.value->type);
+
+    delete value;
+}
+
+TEST_F(RegistryValueTest, getFIMEntryWithJSONCtr)
+{
+
+    auto value = new RegistryValue(inputJson);
+    auto registryEntry = value->toFimEntry();
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->checksum, fimEntryTest->registry_entry.value->checksum), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_md5, fimEntryTest->registry_entry.value->hash_md5), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_sha1, fimEntryTest->registry_entry.value->hash_sha1), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_sha256, fimEntryTest->registry_entry.value->hash_sha256), 0);
+    ASSERT_EQ(registryEntry->registry_entry.value->last_event, fimEntryTest->registry_entry.value->last_event);
+    ASSERT_EQ(registryEntry->registry_entry.value->mode, fimEntryTest->registry_entry.value->mode);
+    ASSERT_EQ(registryEntry->registry_entry.value->scanned, fimEntryTest->registry_entry.value->scanned);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->name, fimEntryTest->registry_entry.value->name), 0);
+    ASSERT_EQ(std::strcmp(registryEntry->registry_entry.value->hash_full_path, fimEntryTest->registry_entry.value->hash_full_path), 0);
+    ASSERT_EQ(registryEntry->registry_entry.value->size, fimEntryTest->registry_entry.value->size);
+    ASSERT_EQ(registryEntry->registry_entry.value->type, fimEntryTest->registry_entry.value->type);
+
+    delete value;
+}
+
+TEST_F(RegistryValueTest, getJSONWithFimCtr)
+{
+    auto value = new RegistryValue(fimEntryTest);
+    ASSERT_TRUE(*value->toJSON() == expectedValue);
+
+    delete value;
+}
+
+TEST_F(RegistryValueTest, getJSONWithJSONCtr)
+{
+
+    auto value = new RegistryValue(inputJson);
+    ASSERT_TRUE(*value->toJSON() == expectedValue);
+
+    delete value;
+}
+
+TEST_F(RegistryValueTest, getJSONWithJSONCtrOldData)
+{
+    auto oldData = R"(
+            {
+            "data":[{"arch":"[x32]","checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a","hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+            "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880","hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a","last_event":1596489275,
+            "name":"testRegistry","path":"pathTestRegistry","scanned":1,"size":4925,"type":0}],"table":"registry_data",
+            "options":{"return_old_data": true, "ignore":["last_event"]}
+            }
+        )"_json;
+    auto value = new RegistryValue(fimEntryTest, true);
+    ASSERT_TRUE(*value->toJSON() == oldData);
+
+    delete value;
+}
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.h b/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.h
new file mode 100644
index 0000000000..a0020c80d2
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryValue/dbRegistryValueTest.h
@@ -0,0 +1,46 @@
+/*
+ * Wazuh Syscheck
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 18, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _REGISTRYVALUE_TEST_H
+#define _REGISTRYVALUE_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class RegistryValueTest : public testing::Test {
+    protected:
+        RegistryValueTest() = default;
+        virtual ~RegistryValueTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+        fim_entry* fimEntryTest;
+        const nlohmann::json inputJson = R"(
+            {
+                "checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a", "type":0, "size":4925, "name":"testRegistry",
+                "last_event":1596489275, "mode":0, "hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+                "hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+                "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a", "scanned":1,
+                "path":"pathTestRegistry", "arch":0, "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880"
+
+            }
+        )"_json;
+
+        const nlohmann::json expectedValue = R"(
+            {
+            "data":[{"arch":"[x32]","checksum":"a2fbef8f81af27155dcee5e3927ff6243593b91a","hash_md5":"4b531524aa13c8a54614100b570b3dc7",
+            "hash_full_path":"00a7ee53218b25b5364c8773f37a38c93eae3880","hash_sha1":"7902feb66d0bcbe4eb88e1bfacf28befc38bd58b",
+            "hash_sha256":"e403b83dd73a41b286f8db2ee36d6b0ea6e80b49f02c476e0a20b4181a3a062a","last_event":1596489275,
+            "name":"testRegistry","path":"pathTestRegistry","scanned":1,"size":4925,"type":0}],"table":"registry_data"
+            }
+        )"_json;
+};
+
+#endif //_REGISTRYVALUE_TEST_H
diff --git a/src/modules/fim/db/tests/db/dbItem/RegistryValue/main.cpp b/src/modules/fim/db/tests/db/dbItem/RegistryValue/main.cpp
new file mode 100644
index 0000000000..08fb839052
--- /dev/null
+++ b/src/modules/fim/db/tests/db/dbItem/RegistryValue/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
diff --git a/src/modules/fim/db/testtool/CMakeLists.txt b/src/modules/fim/db/testtool/CMakeLists.txt
new file mode 100644
index 0000000000..a9b5cca4c1
--- /dev/null
+++ b/src/modules/fim/db/testtool/CMakeLists.txt
@@ -0,0 +1,46 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(fimdb_test_tool)
+
+include_directories(${CMAKE_SOURCE_DIR}/testtool/)
+link_directories(${CMAKE_BINARY_DIR}/lib)
+
+if(COVERITY)
+    add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-g -Wall -Wextra -std=c++14 -pthread")
+
+if(FSANITIZE)
+    set(CMAKE_CXX_FLAGS_DEBUG "-fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+add_executable(fimdb_test_tool
+               ${CMAKE_SOURCE_DIR}/src/db/testtool/main.cpp )
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    add_definitions(-DOS_TYPE=OSType::WINDOWS)
+    target_link_libraries(fimdb_test_tool
+        rsync
+        fimdb
+        dbsync
+        -static-libstdc++
+    )
+elseif (CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+    add_definitions(-DOS_TYPE=OSType::OTHERS)
+    target_link_libraries(fimdb_test_tool
+        dbsync
+        fimdb
+        rsync
+        pthread
+    )
+else()
+    add_definitions(-DOS_TYPE=OSType::OTHERS)
+    target_link_libraries(fimdb_test_tool
+        dbsync
+        fimdb
+        rsync
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
diff --git a/src/modules/fim/db/testtool/Readme.md b/src/modules/fim/db/testtool/Readme.md
new file mode 100644
index 0000000000..289af276f2
--- /dev/null
+++ b/src/modules/fim/db/testtool/Readme.md
@@ -0,0 +1,48 @@
+# FIMDB Testing Tool
+## Index
+1. [Purpose](#purpose)
+2. [Architecture Diagram](#architecture-diagram)
+3. [Compile Wazuh](#compile-wazuh)
+4. [How to use the tool](#how-to-use-the-tool)
+
+## Purpose
+The FIMDB Testing Tool was created to test and validate the fimdb module. This tool works as a black box where an user will be able execute it with different arguments and analyze the output data as desired.
+
+## Architecture Diagram
+
+![alt text](../../../../../architecture/FIM/db/001-class-testtool.puml)
+![alt text](../../../../../architecture/FIM/db/002-sequence-testtool.puml)
+
+## Compile Wazuh
+In order to run tests on a specific wazuh target, the project needs to be built either in release or debug mode.
+```
+make TARGET=server|agent|winagent <DEBUG=1>
+```
+
+## How to use the tool
+In order to run the `fimdb_test_tool` utility the following steps need to be accomplished:
+1) Create a config json file with the following structure:
+```
+{
+    "storage_type": <0|1>,
+    "sync_interval": 60,
+    "file_limit": 20,
+    "value_limit": 1,
+    "is_windows": false
+}
+```
+Where:
+  - storage_type: Defines the storage type 0 = DISK, 1 = MEMORY.
+  - sync_interval: Integrity check interval.
+  - file_limit: File table row limit.
+  - value_limit: Registry tables row limit.
+  - is_windows: Flag to enable windows/registry tables.
+
+2) Create the needed amount of json files representing the different actions information.
+3) Define an output folder where all resulting data will be located.
+4) Once all the above steps are accomplished the tool will be used like this:
+```
+./fimdb_test_tool -c config.json -a input1.json,input2.json,input3.json -o ./output
+```
+5) Considering the example above all actions outpus will be located in ./output folder in the following format: action_1.json, action_2.json ... action_n.json where 'n' will be the number of json files passed as part of the argument "-a".
+
diff --git a/src/modules/fim/db/testtool/action.h b/src/modules/fim/db/testtool/action.h
new file mode 100644
index 0000000000..ef28dc5c29
--- /dev/null
+++ b/src/modules/fim/db/testtool/action.h
@@ -0,0 +1,416 @@
+/*
+ * Wazuh Syscheck - Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 21, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _ACTION_H
+#define _ACTION_H
+#include <json.hpp>
+#include <mutex>
+#include <iostream>
+#include <sstream>
+#include <fstream>
+#include "commonDefs.h"
+#include "dbsync.hpp"
+#include "testContext.h"
+#include "db.hpp"
+
+
+struct IAction
+{
+    virtual void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) = 0;
+
+    virtual ~IAction() = default;
+};
+
+struct RemoveFileAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        try
+        {
+            DB::instance().removeFile(value.at("file_path").get_ref<const std::string&>());
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error removing file: "
+                << value.at("file_path").get_ref<const std::string&>() << std::endl;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                { "result", retVal },
+                { "action", "RemoveFile" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct GetFileAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        nlohmann::json jsonReturn;
+        try
+        {
+            DB::instance().getFile(value.at("file_path").get_ref<const std::string&>(),
+                [&jsonReturn](const nlohmann::json& file) {
+                    jsonReturn = file;
+                });
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error getting file: "
+                << value.at("file_path").get_ref<const std::string&>() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                { "result", retVal },
+                { "value", jsonReturn },
+                { "action", "GetFile" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct CountEntriesAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        int count = 0;
+        try
+        {
+            const auto filterType
+            {
+                static_cast<COUNT_SELECT_TYPE>(value.at("filter_type").get<int32_t>())
+            };
+
+            count = DB::instance().countEntries(value.at("table").get_ref<const std::string&>(), filterType);
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error counting entries: "
+                << value.at("filter_type").get<int32_t>() << ", " << e.what() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"value", count},
+                {"action", "CountEntries"}
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct UpdateFileAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal { false };
+        nlohmann::json jsonEvent;
+
+        directory_t configuration = {};
+        configuration.options = -1;
+
+        event_data_t evt_data = {};
+        evt_data.report_event = true;
+        evt_data.mode = FIM_REALTIME;
+        evt_data.w_evt = NULL;
+
+        create_json_event_ctx callback_ctx = {};
+        callback_ctx.event = &evt_data;
+        callback_ctx.config = &configuration;
+
+        try
+        {
+            DB::instance().updateFile(value, &callback_ctx,
+            [&jsonEvent](const nlohmann::json data) {
+                jsonEvent.push_back(data);
+            });
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error updating file: "
+                << value.at("data").get_ref<const std::string&>() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"jsonEvent", jsonEvent },
+                {"action", "UpdateFile" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SearchFileAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        nlohmann::json jsonReturn;
+        try
+        {
+            const auto searchType
+            {
+                static_cast<FILE_SEARCH_TYPE>(value.at("search_type").get<int32_t>())
+            };
+            DB::instance().searchFile(
+                std::make_tuple(searchType,
+                    value.at("search_value_path").get_ref<const std::string&>(),
+                    value.at("search_value_inode").get_ref<const std::string&>(),
+                    value.at("search_value_dev").get_ref<const std::string&>()),
+                [&jsonReturn](const nlohmann::json& data) {
+                    jsonReturn.push_back(data);
+                });
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error searching files: "
+                << value["file"].get_ref<const std::string&>() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"value", jsonReturn },
+                {"action", "SearchFile" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct RunIntegrityAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& /*value*/) override
+    {
+        auto retVal = false;
+        try
+        {
+            DB::instance().runIntegrity();
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error running integrity: " << e.what() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"action", "RunIntegrity" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct PushMessageAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        try
+        {
+            const auto message = value.at("message").get_ref<const std::string&>();
+            DB::instance().pushMessage(message);
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error pushing message: " << e.what() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"action", "PushMessage" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct StartTransactionAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal = false;
+        try
+        {
+            ctx->handle = DB::instance().DBSyncHandle();
+            const auto table = value.at("table");
+            const auto threadNumber { value.at("thread_number").get<int32_t>() };
+            const auto queueSize { value.at("queue_size").get<int32_t>() };
+
+            auto txnCallback = [&ctx](ReturnTypeCallback type, const nlohmann::json & json)
+            {
+                std::lock_guard<std::mutex> lock{ ctx->txn_callback_mutex };
+
+                const auto outputFileName{ ctx->outputPath + "/txn_ops.json" };
+                nlohmann::json jsonResult {};
+
+                std::ifstream inputFile{ outputFileName };
+
+                if (inputFile.good() && inputFile.peek() != std::ifstream::traits_type::eof())
+                {
+                    jsonResult = nlohmann::json::parse(inputFile);
+                }
+
+                jsonResult["data"].push_back( {
+                        { "Operation type", RETURN_TYPE_OPERATION.at(type) },
+                        { "value", json },
+                        { "action", "SyncTxnRows" }
+                    } );
+
+                std::ofstream outputFile{ outputFileName };
+                outputFile << jsonResult.dump(4) << std::endl;
+            };
+            ctx->txn.reset();
+            ctx->txn = std::make_unique<DBSyncTxn>(ctx->handle,
+                                                   table,
+                                                   threadNumber,
+                                                   queueSize,
+                                                   txnCallback);
+
+            retVal = true;
+        }
+        catch (const std::exception &e)
+        {
+            std::cout << "Error starting transaction: " << e.what() << std::endl;
+        }
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"action", "StartTransaction" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct SyncTxnRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& value) override
+    {
+        auto retVal { false };
+
+        try
+        {
+            ctx->txn->syncTxnRow(value);
+            retVal = true;
+        }
+        catch (const std::exception& e)
+        {
+            std::cout << "Error in SyncTxnRow: " << e.what() << std::endl;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json jsonResult = {
+                {"result", retVal },
+                {"action", "SyncTxnRows" }
+            };
+
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+struct GetDeletedRowsAction final : public IAction
+{
+    void execute(std::unique_ptr<TestContext>& ctx, const nlohmann::json& /*value*/) override
+    {
+        const auto txnOutputFileName{ ctx->outputPath + "/txn_ops.json" };
+        auto callbackDelete
+        {
+            [txnOutputFileName, &ctx](ReturnTypeCallback type, const nlohmann::json & json)
+            {
+                std::lock_guard<std::mutex> lock(ctx->txn_callback_mutex);
+                std::ifstream inputFile{ txnOutputFileName };
+
+                nlohmann::json jsonResult {};
+
+                if (inputFile.good() && inputFile.peek() != std::ifstream::traits_type::eof())
+                {
+                    jsonResult = nlohmann::json::parse(inputFile);
+                }
+
+                jsonResult["data"].push_back( {
+                    {"Operation type", RETURN_TYPE_OPERATION.at(type) },
+                    {"value", json },
+                    {"action", "GetDeletedRows" }
+                    } );
+
+                std::ofstream outputFile{ txnOutputFileName };
+                outputFile << jsonResult.dump() << std::endl;
+            }
+        };
+
+        auto retVal { false };
+        try
+        {
+            ctx->txn->getDeletedRows(callbackDelete);
+            retVal = true;
+        }
+        catch (const std::exception& ex)
+        {
+            std::cerr << "Error in GetDeletedRows: " << ex.what() << std::endl;
+        }
+
+        std::stringstream oFileName;
+        oFileName << "action_" << ctx->currentId << ".json";
+        const auto& outputFileName{ ctx->outputPath + "/" + oFileName.str() };
+        std::ofstream outputFile{ outputFileName };
+        const nlohmann::json& jsonResult {
+                {"result", retVal },
+                {"action", "GetDeletedRows" }
+            };
+        outputFile << jsonResult.dump() << std::endl;
+    }
+};
+
+
+#endif //_ACTION_H
diff --git a/src/modules/fim/db/testtool/cmdArgsHelper.h b/src/modules/fim/db/testtool/cmdArgsHelper.h
new file mode 100644
index 0000000000..7b18992118
--- /dev/null
+++ b/src/modules/fim/db/testtool/cmdArgsHelper.h
@@ -0,0 +1,100 @@
+/*
+ * Wazuh Syscheck - Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 21, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _CMD_LINE_ARGS_HELPER_H_
+#define _CMD_LINE_ARGS_HELPER_H_
+
+#include <string>
+#include <sstream>
+#include <vector>
+#include <iostream>
+
+class CmdLineArgs
+{
+    public:
+        CmdLineArgs(const int argc, const char* argv[])
+            : m_configFile{ paramValueOf(argc, argv, "-c") }
+            , m_outputFolder{ paramValueOf(argc, argv, "-o") }
+            , m_actions{ splitActions(paramValueOf(argc, argv, "-a")) }
+        {}
+
+        const std::string& configFile() const
+        {
+            return m_configFile;
+        }
+
+        const std::vector<std::string>& actions() const
+        {
+            return m_actions;
+        }
+
+        const std::string& outputFolder() const
+        {
+            return m_outputFolder;
+        }
+
+        static void showHelp()
+        {
+            std::cout << "\nUsage: fimdb_test_tool <option(s)> SOURCES \n"
+                      << "Options:\n"
+                      << "\t-h \t\t\tShow this help message\n"
+                      << "\t-c JSON_CONFIG_FILE\tSpecifies the json config file to initialize the module.\n"
+                      << "\t-a ACTION_LIST\t\tSpecifies the list of actions to exercise the module.\n"
+                      << "\t-o OUTPUT_FOLDER\tSpecifies the output folder path where the results will be generated.\n"
+                      << "\nExample:"
+                      << "\n\t./fimdb_test_tool -c config.json -a input1.json,input2.json,input3.json -o ./output\n"
+                      << std::endl;
+        }
+
+    private:
+
+        static std::string paramValueOf(const int argc,
+                                        const char* argv[],
+                                        const std::string& switchValue)
+        {
+            for (int i = 1; i < argc; ++i)
+            {
+                const std::string currentValue{ argv[i] };
+
+                if (currentValue == switchValue && i + 1 < argc)
+                {
+                    // Switch found
+                    return argv[i + 1];
+                }
+            }
+
+            throw std::runtime_error
+            {
+                "Switch value: " + switchValue + " not found."
+            };
+        }
+
+        static std::vector<std::string> splitActions(const std::string& values)
+        {
+            std::vector<std::string> actionsValues;
+            std::stringstream ss{ values };
+
+            while (ss.good())
+            {
+                std::string substr;
+                getline(ss, substr, ','); // Getting each string between ',' character
+                actionsValues.push_back(std::move(substr));
+            }
+
+            return actionsValues;
+        }
+
+        const std::string m_configFile;
+        const std::string m_outputFolder;
+        const std::vector<std::string> m_actions;
+};
+
+#endif // _CMD_LINE_ARGS_HELPER_H_
diff --git a/src/modules/fim/db/testtool/factoryAction.h b/src/modules/fim/db/testtool/factoryAction.h
new file mode 100644
index 0000000000..e2413ca02c
--- /dev/null
+++ b/src/modules/fim/db/testtool/factoryAction.h
@@ -0,0 +1,69 @@
+/*
+ * Wazuh Syscheck - Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 23, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef _FACTORY_ACTION_H
+#define _FACTORY_ACTION_H
+#include <memory>
+#include "action.h"
+
+class FactoryAction
+{
+    public:
+        static std::unique_ptr<IAction> create(const std::string& actionCode)
+        {
+            if (0 == actionCode.compare("RemoveFile"))
+            {
+                return std::make_unique<RemoveFileAction>();
+            }
+            else if (0 == actionCode.compare("GetFile"))
+            {
+                return std::make_unique<GetFileAction>();
+            }
+            else if (0 == actionCode.compare("CountEntries"))
+            {
+                return std::make_unique<CountEntriesAction>();
+            }
+            else if (0 == actionCode.compare("UpdateFile"))
+            {
+                return std::make_unique<UpdateFileAction>();
+            }
+            else if (0 == actionCode.compare("SearchFile"))
+            {
+                return std::make_unique<SearchFileAction>();
+            }
+            else if (0 == actionCode.compare("RunIntegrity"))
+            {
+                return std::make_unique<RunIntegrityAction>();
+            }
+            else if (0 == actionCode.compare("PushMessage"))
+            {
+                return std::make_unique<PushMessageAction>();
+            }
+            else if (0 == actionCode.compare("StartTransaction"))
+            {
+                return std::make_unique<StartTransactionAction>();
+            }
+            else if (0 == actionCode.compare("SyncTxnRows"))
+            {
+                return std::make_unique<SyncTxnRowsAction>();
+            }
+            else if (0 == actionCode.compare("GetDeletedRows"))
+            {
+                return std::make_unique<GetDeletedRowsAction>();
+            }
+            else
+            {
+                throw std::runtime_error { "Invalid action: " + actionCode };
+            }
+        }
+};
+
+#endif //_FACTORY_ACTION_H
diff --git a/src/modules/fim/db/testtool/main.cpp b/src/modules/fim/db/testtool/main.cpp
new file mode 100644
index 0000000000..1ce773e5f3
--- /dev/null
+++ b/src/modules/fim/db/testtool/main.cpp
@@ -0,0 +1,135 @@
+/*
+ * Wazuh Syscheck - Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 21, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <fstream>
+#include <ostream>
+#include <memory>
+#include <json.hpp>
+#include "db.hpp"
+#include "fimDB.hpp"
+#include "cmdArgsHelper.h"
+#include "testContext.h"
+#include "action.h"
+#include "factoryAction.h"
+
+static void syncCallback(const char* tag, const char* msg)
+{
+    std::cout << tag << ": " << msg;
+}
+
+static void loggerFunction(modules_log_level_t level, const char* msg)
+{
+    std::cout << "Level:" << level << " Msg: " << msg << std::endl;
+}
+
+int main(int argc, const char* argv[])
+{
+    try
+    {
+        CmdLineArgs cmdLineArgs(argc, argv);
+
+        const auto actions { cmdLineArgs.actions() };
+
+        std::cout << "Actions: " << actions.size() << std::endl;
+
+        std::ifstream configFile{ cmdLineArgs.configFile() };
+
+        if (configFile.good())
+        {
+            const auto& jsonConfigFile { nlohmann::json::parse(configFile) };
+            const auto storageType{ jsonConfigFile.at("storage_type").get<const uint32_t>() };
+            const auto syncInterval{ jsonConfigFile.at("sync_interval").get<const uint32_t>() };
+            const auto fileLimit{ jsonConfigFile.at("file_limit").get<const uint32_t>() };
+            const auto registryLimit{ jsonConfigFile.at("registry_limit").get<const uint32_t>() };
+            const bool syncRegistryEnabled { jsonConfigFile.at("registry_sync") };
+            const auto syncResponseTimeout{ jsonConfigFile.at("sync_response_timeout").get<const uint32_t>() };
+            const auto syncMaxInterval{ jsonConfigFile.at("sync_max_interval").get<const uint32_t>() };
+            const auto syncThreadPool{ jsonConfigFile.at("thread_pool").get<const uint32_t>() };
+            const auto syncQueueSize{ jsonConfigFile.at("queue_size").get<const uint32_t>() };
+
+            std::function<void(const std::string&)> callbackSyncFileWrapper
+            {
+                [](const std::string & msg)
+                {
+                    syncCallback(FIM_COMPONENT_FILE, msg.c_str());
+                }
+            };
+
+            std::function<void(const std::string&)> callbackSyncRegistryWrapper
+            {
+                [](const std::string & msg)
+                {
+                    syncCallback(FIM_COMPONENT_REGISTRY_KEY, msg.c_str());
+                }
+            };
+
+            std::function<void(modules_log_level_t, const std::string&)> callbackLogWrapper
+            {
+                [](modules_log_level_t level, const std::string & log)
+                {
+                    loggerFunction(level, log.c_str());
+                }
+            };
+
+            try
+            {
+                DB::instance().init(storageType,
+                                    syncInterval,
+                                    syncMaxInterval,
+                                    syncResponseTimeout,
+                                    callbackSyncFileWrapper,
+                                    callbackSyncRegistryWrapper,
+                                    callbackLogWrapper,
+                                    fileLimit,
+                                    registryLimit,
+                                    syncRegistryEnabled,
+                                    syncThreadPool,
+                                    syncQueueSize);
+
+                std::unique_ptr<TestContext> testContext { std::make_unique<TestContext>()};
+                testContext->outputPath = cmdLineArgs.outputFolder();
+
+                // Let's take the input json list and apply the changes to the db
+                for (size_t idx = 0; idx < actions.size(); ++idx)
+                {
+                    testContext->currentId = idx;
+                    const std::string inputFile{ actions[idx] };
+                    std::ifstream actionsIdxFile{ inputFile };
+                    std::cout << "Processing file: " << inputFile << std::endl;
+                    const auto& jsonAction { nlohmann::json::parse(actionsIdxFile) };
+                    auto action { FactoryAction::create(jsonAction.at("action").get<std::string>()) };
+                    action->execute(testContext, jsonAction.at("body"));
+                }
+
+                DB::instance().teardown();
+                std::cout << "Resulting files are located in the "
+                          << cmdLineArgs.outputFolder() << " folder" << std::endl;
+            }
+            catch (const std::exception& e)
+            {
+                std::cerr << std::endl
+                          << "Something went wrong configuring the database. Please, check the config file data, "
+                          << e.what() << std::endl;
+            }
+        }
+        else
+        {
+            throw std::runtime_error { "The config file is not valid. Please, check the config file data" };
+        }
+    }
+    catch (const std::exception& ex)
+    {
+        std::cerr << ex.what() << std::endl;
+        CmdLineArgs::showHelp();
+    }
+
+    return 0;
+}
diff --git a/src/modules/fim/db/testtool/testContext.h b/src/modules/fim/db/testtool/testContext.h
new file mode 100644
index 0000000000..59874e9379
--- /dev/null
+++ b/src/modules/fim/db/testtool/testContext.h
@@ -0,0 +1,38 @@
+/*
+ * Wazuh Syscheck - Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 21, 2022.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _TEST_CONTEXT_H
+#define _TEST_CONTEXT_H
+#include <mutex>
+#include "dbsync.h"
+#include "dbsync.hpp"
+
+static const std::map<ReturnTypeCallback, std::string> RETURN_TYPE_OPERATION =
+{
+    { MODIFIED, "MODIFIED" },
+    { DELETED,  "DELETED"  },
+    { INSERTED, "INSERTED" },
+    { MAX_ROWS, "MAX_ROWS" },
+    { DB_ERROR, "DB_ERROR" },
+    { SELECTED, "SELECTED" },
+    { GENERIC,  "GENERIC"  }
+};
+
+struct TestContext
+{
+    DBSYNC_HANDLE handle;
+    std::unique_ptr<DBSyncTxn> txn;
+    std::mutex txn_callback_mutex;
+    size_t currentId;
+    std::string outputPath;
+
+};
+
+#endif //_TEST_CONTEXT_H
diff --git a/src/modules/fim/include/registry.h b/src/modules/fim/include/registry.h
new file mode 100644
index 0000000000..eee99e8306
--- /dev/null
+++ b/src/modules/fim/include/registry.h
@@ -0,0 +1,113 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef REGISTRY_H
+#define REGISTRY_H
+
+#ifdef WIN32
+
+#include "../../include/syscheck.h"
+
+/**
+ * @brief Retrieves the configuration associated with a given registry element.
+ *
+ * @param key A string holding the full path to the registry element.
+ * @param arch An integer specifying the bit count of the register element, must be ARCH_32BIT or ARCH_64BIT.
+ * @return A pointer to the associated registry configuration, NULL on error or if no valid configuration was found.
+ */
+registry_t *fim_registry_configuration(const char *key, int arch);
+
+/**
+ * @brief Free all memory associated with a registry.
+ *
+ * @param data A fim_entry object to be free'd.
+ */
+void fim_registry_free_entry(fim_entry *entry);
+
+/**
+ * @brief Main scheduled algorithm for registry scan
+ */
+void fim_registry_scan();
+
+/**
+ * @brief Create a cJSON object holding the attributes associated with a fim_registry_value_data according to its
+ * configuration.
+ *
+ * @param data A fim_registry_value_data object holding the value attributes to be tranlated.
+ * @param configuration The configuration associated with the registry value.
+ * @return A pointer to a cJSON object the translated value attributes.
+ */
+cJSON *fim_registry_value_attributes_json(const cJSON* dbsync_event, const fim_registry_value_data *data,
+                                          const registry_t *configuration);
+
+/**
+ * @brief Create a cJSON object holding the attributes associated with a fim_registry_key according to its
+ * configuration.
+ *
+ * @param data A fim_registry_key object holding the key attributes to be tranlated.
+ * @param configuration The configuration associated with the registry key.
+ * @return A pointer to a cJSON object the translated key attributes.
+ */
+cJSON *fim_registry_key_attributes_json(const cJSON* dbsync_event, const fim_registry_key *data, const registry_t *configuration);
+
+/**
+ * @brief Check and trigger a FIM event on a registry.
+ *
+ * @param new_entry New data aquired from the actual registry entry.
+ * @param saved Registry information retrieved from the FIM DB.
+ * @param configuration Configuration associated with the given registry.
+ * @param mode FIM event mode which caused the event.
+ * @param event_type Added, modifed or deleted event.
+ * @param w_evt Whodata information associated with the current event.
+ * @param diff A string holding the difference between the original and new value of the registry.
+ * @return A cJSON object holding the generated event, NULL on error.
+ */
+cJSON *fim_registry_event(const fim_entry *new_entry,
+                          const fim_entry *saved,
+                          const registry_t  *configuration,
+                          fim_event_mode mode,
+                          unsigned int event_type,
+                          whodata_evt *w_evt,
+                          const char *diff);
+
+/**
+ * @brief Calculates the `changed_attributes` and `old_attributes` for registry keys using the
+ *        information collected by the scan and the old attributes returned by DBSync.
+ *
+ * @param registry_data Data collected by the FIM scan.
+ * @param configuration Configuration of the entry.
+ * @param old_data Old attributes returned by DBSync.
+ * @param changed_attributes JSON Array where the changed attributes will be stored.
+ * @param old_attributes JSON where the old attributes will be stored.
+ */
+void fim_calculate_dbsync_difference_key(const fim_registry_key* registry_data,
+                                         const registry_t *configuration,
+                                         const cJSON* old_data,
+                                         cJSON* changed_attributes,
+                                         cJSON* old_attributes);
+
+/**
+ * @brief Calculates the `changed_attributes` and `old_attributes` for registry values using the
+ *        information collected by the scan and the old attributes returned by DBSync.
+ *
+ * @param value_data Data collected by the FIM scan.
+ * @param configuration Configuration of the entry.
+ * @param old_data Old attributes returned by DBSync.
+ * @param changed_attributes JSON Array where the changed attributes will be stored.
+ * @param old_attributes JSON where the old attributes will be stored.
+ */
+void fim_calculate_dbsync_difference_value(const fim_registry_value_data* value_data,
+                                           const registry_t* configuration,
+                                           const cJSON* old_data,
+                                           cJSON* changed_attributes,
+                                           cJSON* old_attributes);
+
+#endif
+
+#endif
diff --git a/src/modules/fim/include/syscheck.h b/src/modules/fim/include/syscheck.h
new file mode 100644
index 0000000000..a23d7f70f5
--- /dev/null
+++ b/src/modules/fim/include/syscheck.h
@@ -0,0 +1,911 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYSCHECK_H
+#define SYSCHECK_H
+
+#include "commonDefs.h"
+#include "../../config/syscheck-config.h"
+#include "syscheck_op.h"
+#include <cJSON.h>
+
+#define MAX_LINE PATH_MAX+256
+
+/* Notify list size */
+#define NOTIFY_LIST_SIZE    32
+
+/* Audit defs */
+#define WDATA_DEFAULT_INTERVAL_SCAN 300
+#define AUDIT_SOCKET                "queue/sockets/audit"
+#define AUDIT_CONF_FILE             "etc/af_wazuh.conf"
+#define AUDIT_HEALTHCHECK_DIR       "tmp"
+#define AUDIT_HEALTHCHECK_KEY       "wazuh_hc"
+#define AUDIT_HEALTHCHECK_FILE      "tmp/audit_hc"
+
+#ifdef WIN32
+#define FIM_REGULAR _S_IFREG
+#define FIM_DIRECTORY _S_IFDIR
+#else
+#define FIM_REGULAR S_IFREG
+#define FIM_DIRECTORY S_IFDIR
+#define FIM_LINK S_IFLNK
+#endif
+
+/* Global config */
+extern syscheck_config syscheck;
+extern int sys_debug_level;
+extern int audit_queue_full_reported;
+
+typedef enum fim_event_type {
+    FIM_ADD,
+    FIM_DELETE,
+    FIM_MODIFICATION
+} fim_event_type;
+
+typedef enum fim_scan_event {
+    FIM_SCAN_START,
+    FIM_SCAN_END
+} fim_scan_event;
+
+typedef enum fim_state_db {
+    FIM_STATE_DB_EMPTY,
+    FIM_STATE_DB_NORMAL,
+    FIM_STATE_DB_80_PERCENTAGE,
+    FIM_STATE_DB_90_PERCENTAGE,
+    FIM_STATE_DB_FULL
+} fim_state_db;
+
+typedef struct _event_data_s {
+    int report_event;
+    fim_event_mode mode;
+    fim_event_type type;
+    struct stat statbuf;
+    whodata_evt *w_evt;
+} event_data_t;
+
+typedef struct fim_tmp_file {
+    union { //type_storage
+        FILE *fd;
+        W_Vector *list;
+    };
+    char *path;
+    int elements;
+} fim_tmp_file;
+
+typedef struct diff_data {
+    int file_size;
+    int size_limit;
+
+    char *compress_folder;
+    char *compress_file;
+
+    char *tmp_folder;
+    char *file_origin;
+    char *uncompress_file;
+    char *compress_tmp_file;
+    char *diff_file;
+} diff_data;
+
+typedef struct get_data_ctx {
+    event_data_t *event;
+    const directory_t *config;
+    const char *path;
+} get_data_ctx;
+
+typedef struct create_json_event_ctx {
+    event_data_t* event;
+    const directory_t* config;
+} create_json_event_ctx;
+
+typedef struct fim_txn_context_s {
+    event_data_t* evt_data;
+    fim_entry* latest_entry;
+} fim_txn_context_t;
+
+#ifdef WIN32
+/* Flags to know if a directory/file's watcher has been removed */
+#define FIM_RT_HANDLE_CLOSED 0
+#define FIM_RT_HANDLE_OPEN 1
+
+/* Default value type for cases where type is undefined.
+   0x0000000C is the one after the last defined type, REG_QWORD (0x0000000B) */
+#define REG_UNKNOWN 0x0000000C
+#endif
+
+/* Win32 does not have lstat */
+#ifdef WIN32
+    #define w_stat(x, y) stat(x, y)
+#else
+    #define w_stat(x, y) lstat(x, y)
+#endif
+
+/** Function Prototypes **/
+
+/**
+ * @brief Start the file integrity monitoring daemon
+ *
+ */
+void start_daemon(void);
+
+/**
+ * @brief Read Syscheck configuration from the XML configuration file
+ *
+ * @param cfgfile Path of the XML configuration file
+ * @return 1 if there are no configured directories or registries, 0 on success, -1 on error
+ */
+int Read_Syscheck_Config(const char *cfgfile) __attribute__((nonnull));
+
+/**
+ * @brief Get the Syscheck Config object
+ *
+ * @return JSON format configuration
+ */
+cJSON *getSyscheckConfig(void);
+
+/**
+ * @brief Get the Syscheck Internal Options object
+ *
+ * @return JSON format configuration
+ */
+cJSON *getSyscheckInternalOptions(void);
+
+/**
+ * @brief Read the syscheck internal options (to be deprecated)
+ *
+ * @param debug_level Debug level to be set in the syscheck daemon
+ */
+void read_internal(int debug_level);
+
+/**
+ * @brief Performs an integrity monitoring scan
+ *
+ * @return A timestamp taken as soons as the scan ends.
+ */
+time_t fim_scan();
+
+/**
+ * @brief Stop scanning files for one second if the max number of files scanned has been reached.
+ *
+ */
+void check_max_fps();
+
+/**
+ * @brief
+ *
+ * @param [in] path Path of the file to check
+ * @param [in] evt_data Information associated to the triggered event
+ * @param [in] configuration Configuration block associated with a previous event.
+ * @param [in] dbsync_txn Handle to an active dbsync transaction.
+ */
+void fim_checker(const char *path,
+                 event_data_t *evt_data,
+                 const directory_t *parent_configuration,
+                 TXN_HANDLE dbsync_txn,
+                 fim_txn_context_t *ctx);
+
+/**
+ * @brief Check file integrity monitoring on a specific folder
+ *
+ * @param [in] dir
+ * @param [in] evt_data Information associated to the triggered event
+ * @param [in] configuration Configuration block associated with the directory.
+ * @param [in] txn_handle DBSync transaction handler. Can be NULL.
+ *
+ * @return 0 on success, -1 on failure
+ */
+
+int fim_directory(const char *dir,
+                  event_data_t *evt_data,
+                  const directory_t *configuration,
+                  TXN_HANDLE dbsync_txn,
+                  fim_txn_context_t *ctx);
+
+/**
+ * @brief Check file integrity monitoring on a specific file
+ *
+ * @param [in] path Path of the file to check
+ * @param [in] configuration Configuration block associated with a previous event.
+ * @param [in] evt_data Information associated to the triggered event
+ * @param [in] txn_handle DBSync transaction handler. Can be NULL.
+ * @param [in] ctx DBSync transaction context.
+ */
+void fim_file(const char *path,
+              const directory_t *configuration,
+              event_data_t *evt_data,
+              TXN_HANDLE txn_handle,
+              fim_txn_context_t *ctx);
+
+/**
+ * @brief Process FIM realtime event
+ *
+ * @param [in] file Path of the file to check
+ */
+void fim_realtime_event(char *file);
+
+/**
+ * @brief Process FIM whodata event
+ *
+ * @param w_evt Whodata event
+ */
+void fim_whodata_event(whodata_evt *w_evt);
+
+/**
+ * @brief Process a path that has possibly been deleted
+ *
+ * @note On Windows, calls function fim_checker meanwhile, on Linux, calls function fim_audit_inode_event. It's because Windows haven't got inodes.
+ * @param pathname Name of path
+ * @param mode Monitoring FIM mode
+ * @param w_evt Pointer to whodata information
+ */
+void fim_process_missing_entry(char * pathname, fim_event_mode mode, whodata_evt * w_evt);
+
+/**
+ * @brief Search the position of the path in directories array
+ *
+ * @param path Path to seek in the directories array
+ * @return Returns a pointer to the configuration associated with the provided path, NULL if the path is not found
+ */
+directory_t *fim_configuration_directory(const char *path);
+
+/**
+ * @brief Update directories configuration with the wildcard list, at runtime
+ *
+ */
+void update_wildcards_config();
+
+/**
+ * @brief Evaluates the depth of the directory or file to check if it exceeds the configured max_depth value
+ *
+ * @param path File name of the file/directory to check
+ * @param configuration Configuration associated with the file
+ * @return Depth of the directory/file, -1 on error
+ */
+int fim_check_depth(const char *path, const directory_t *configuration);
+
+/**
+ * @brief Get data from file
+ *
+ * @param file Name of the file to get the data from
+ * @param [in] configuration Configuration block associated with a previous event.
+ * @param [in] statbuf Buffer acquired from a stat command with information linked to 'path'
+ *
+ * @return A fim_file_data structure with the data from the file
+ */
+fim_file_data *fim_get_data(const char *file, const directory_t *configuration, const struct stat *statbuf);
+
+/**
+ * @brief Initialize a fim_file_data structure
+ *
+ * @param [out] data Data to initialize
+ */
+void init_fim_data_entry(fim_file_data *data);
+
+/**
+ * @brief Calculate checksum of a FIM entry data
+ *
+ * @param data FIM entry data to calculate the checksum with
+ */
+void fim_get_checksum(fim_file_data *data);
+
+/**
+ * @brief Prints the scan information
+ *
+ */
+void fim_print_info(struct timespec start, struct timespec end, clock_t cputime_start);
+
+/**
+ * @brief Sleep during rt_delay milliseconds
+ *
+ */
+void fim_rt_delay();
+
+
+/**
+ * @brief Produce a file change JSON event
+ *
+ * {
+ *   type:                  "event"
+ *   data: {
+ *     path:                string
+ *     mode:                "scheduled"|"real-time"|"whodata"
+ *     type:                "added"|"deleted"|"modified"
+ *     timestamp:           number
+ *     tags:                string
+ *     content_changes:     string
+ *     changed_attributes:  array   fim_json_compare_attrs()    [Only if old_data]
+ *     old_attributes:      object  fim_attributes_json()       [Only if old_data]
+ *     attributes:          object  fim_attributes_json()
+ *     audit:               object  fim_audit_json()
+ *   }
+ * }
+ *
+ * @param new_data Current file state.
+ * @param old_data Previous file state.
+ * @param configuration Pointer to the related configuration stanza.
+ * @param evt_data Information associated to the triggered event
+ * @param diff File diff if applicable.
+ * @return File event JSON object.
+ * @retval NULL No changes detected. Do not send an event.
+ */
+cJSON *fim_json_event(const fim_entry *new_data,
+                      const fim_file_data *old_data,
+                      const directory_t *configuration,
+                      const event_data_t *evt_data,
+                      const char *diff);
+
+/**
+ * @brief Frees the memory of a FIM entry data structure
+ *
+ * @param [out] data The FIM entry data to be freed
+ */
+void free_file_data(fim_file_data *data);
+
+/**
+ * @brief Start real time monitoring
+ *
+ * @return 0 on success, -1 on error
+ */
+int realtime_start(void);
+
+/**
+ * @brief Add a directory to real time monitoring
+ *
+ * @param dir Path to file or directory
+ * @param configuration Configuration associated with the file or directory
+ * @return 1 on success, -1 on realtime_start failure, -2 on set_winsacl failure, and 0 on other errors
+ */
+int realtime_adddir(const char *dir, directory_t *configuration);
+
+#ifdef INOTIFY_ENABLED
+/**
+ * @brief Add an inotify watch to monitoring directory
+ *
+ * @param dir Path to file or directory
+ * @param configuration Configuration associated with the file or directory
+ * @return 1 on success, -1 on failure
+ */
+int fim_add_inotify_watch(const char *dir, const directory_t *configuration);
+#endif
+
+/**
+ * @brief Remove an inotify watch
+ *
+ * @param configuration Configuration associated with the file or directory
+ */
+void fim_realtime_delete_watches(const directory_t *configuration);
+
+/**
+ * @brief Check whether the realtime event queue has overflown.
+ *
+ * @return 0 if the queue hasn't overflown, 1 otherwise.
+ */
+int fim_realtime_get_queue_overflow();
+
+/**
+ * @brief Set the value of the queue overflown flag.
+ *
+ * @param value The new value to set the queue overflow flag.
+ */
+void fim_realtime_set_queue_overflow(int value);
+
+/**
+ * @brief Log the number of realtime watches currently set.
+ */
+void fim_realtime_print_watches();
+
+/**
+ * @brief Process events in the real time queue
+ *
+ */
+void realtime_process(void);
+
+/**
+ * @brief Deletes subdirectories watches when a folder changes its name
+ *
+ * @param dir Directory whose subdirectories need to delete their watches
+ */
+
+void delete_subdirectories_watches(char *dir);
+
+/**
+ * @brief Remove stale watches from the realtime hashmap
+ */
+void realtime_sanitize_watch_map();
+
+/**
+ * @brief Frees the memory of a Whodata event structure
+ *
+ * @param [out] w_evt
+ */
+void free_whodata_event(whodata_evt *w_evt);
+
+/**
+ * @brief Send a message related to syscheck change/addition
+ *
+ * @param msg The message to be sent
+ */
+void send_syscheck_msg(const cJSON *msg) __attribute__((nonnull));
+
+
+// TODO
+/**
+ * @brief
+ *
+ * @param msg
+ * @return int
+ */
+int send_log_msg(const char *msg);
+
+#ifdef __linux__
+#define READING_MODE 0
+#define HEALTHCHECK_MODE 1
+
+/**
+ * @brief Initialize Audit events reader thread
+ *
+ * @return 1 on success, -1 on error
+ */
+int audit_init(void);
+
+/**
+ * @brief Retrieves the id of an audit event
+ *
+ * @param event An audit event
+ * @return The string id of the event
+ */
+char *audit_get_id(const char * event);
+
+/**
+ * @brief Initialize regular expressions
+ *
+ * @return 0 on success, -1 on error
+ */
+int init_regex(void);
+
+/**
+ * @brief Adds audit rules to directories
+ *
+ * @param path Path of the configured rule
+ */
+void add_whodata_directory(const char *path);
+
+/**
+ * @brief Function the delete the audit rule for a specfic path
+ *
+ * @param path: Path of the configured rule.
+ */
+void remove_audit_rule_syscheck(const char *path);
+
+/**
+ * @brief Read an audit event from socket
+ *
+ * @param [out] audit_sock The audit socket to read the events from
+ * @param [in] running atomic_int that holds the status of the running thread.
+ */
+void audit_read_events(int *audit_sock, atomic_int_t *running);
+
+/**
+ * @brief Thread in charge of pulling messages from the audit queue and parse them to generate events.
+ */
+void *audit_parse_thread();
+
+/**
+ * @brief Makes Audit thread to wait for audit healthcheck to be performed
+ *
+ */
+void audit_set_db_consistency(void);
+
+/**
+ * @brief Check if the Audit daemon is installed and running
+ *
+ * @return The PID of Auditd
+ */
+int check_auditd_enabled(void);
+
+/**
+ * @brief Create the necessary file to store the audit rules to be loaded by the immutable mode.
+ *
+*/
+void audit_create_rules_file();
+
+/**
+ * @brief Set all directories that don't have audit rules and have whodata enabled to realtime.
+ *
+*/
+void audit_rules_to_realtime();
+
+/**
+ * @brief Set Auditd socket configuration
+ *
+ * @return 0 on success, -1 on error
+ */
+int set_auditd_config(void);
+
+/**
+ * @brief Initialize Audit evsents socket
+ *
+ * @return File descriptor of the socket, -1 on error
+ */
+int init_auditd_socket(void);
+
+/**
+ * @brief Reloads audit rules every RELOAD_RULES_INTERVAL seconds
+ *
+ */
+void *audit_reload_thread();
+
+/**
+ * @brief Thread that performs a healthcheck on audit
+ * It reads an event from audit socket to check if it's running
+ *
+ * @param [out] audit_sock The audit socket to read the events from
+ */
+void *audit_healthcheck_thread(int *audit_sock);
+
+// TODO
+/**
+ * @brief
+ *
+ * @param cwd
+ * @param path0
+ * @param path1
+ * @return A string with generated path
+ */
+char *gen_audit_path(char *cwd, char *path0, char *path1);
+
+/**
+ * @brief Add cwd and exe of parent process
+ *
+ * @param ppid ID of parent process
+ * @param parent_name String where save the parent name (exe)
+ * @param parent_cwd String where save the parent working directory (cwd)
+ */
+void get_parent_process_info(char *ppid, char ** const parent_name, char ** const parent_cwd);
+
+/**
+ * @brief Reloads audit rules to configured directories
+ * This is necessary to include audit rules for hot added directories in the configuration
+ *
+ */
+void fim_audit_reload_rules(void);
+
+/**
+ * @brief Parses an audit event and sends the corresponding alert message
+ *
+ * @param buffer The audit event to parse
+ */
+void audit_parse(char *buffer);
+
+/**
+ * @brief Generate the audit event that the healthcheck thread should read
+ *
+ * @param audit_socket The audit socket to read the events from
+ * @return 0 on success, -1 on error
+ */
+int audit_health_check(int audit_socket);
+
+/**
+ * @brief Deletes all the existing audit rules added by FIM
+ *
+ */
+void clean_rules(void);
+
+
+#elif WIN32
+/**
+ * @brief Initializes the whodata scan mode
+ *
+ * @return 0 on success, 1 on error
+ */
+int run_whodata_scan(void);
+
+/**
+ * @brief
+ *
+ * @return 0 on success, 1 on error
+ */
+int whodata_audit_start();
+
+/**
+ * @brief Configure the SACL in a configured folder for Whodata auditing
+ *
+ * @param dir The name of the folder to configure
+ * @param configuration The configuration associated with the folder.
+ * @return 0 on success, 1 on error
+ */
+int set_winsacl(const char *dir, directory_t *configuration);
+
+/**
+ * @brief In case SACLs and policies have been set, restore them
+ */
+void audit_restore();
+
+/**
+ * @brief Thread that checks the status of the whodata configured folders
+ * It checks if the folder has ben re-added, if its SACL has been changed or if it has been deleted.
+ *
+ */
+
+long unsigned int WINAPI state_checker(__attribute__((unused)) void *_void);
+
+/**
+ * @brief Function that generates the diff file of a Windows registry when the option report_changes is activated
+ * It creates a file with the content of the value, to compute differences
+ *
+ * @param key_name Path of the registry key monitored
+ * @param value_name Name of the value that has generated the alert
+ * @param value_data Content of the value to be checked
+ * @param data_type The type of value we are checking
+ * @param configuration Config of the registry key
+ * @return String with the changes to add to the alert
+ */
+
+char *fim_registry_value_diff(const char *key_name,
+                              const char *value_name,
+                              const char *value_data,
+                              DWORD data_type,
+                              const registry_t *configuration);
+#endif
+
+/**
+ * @brief Function that generates the diff file of a file monitored when the option report_changes is activated
+ *
+ * @param filename Path of file monitored
+ * @param configuration Configuration associated with the given path.
+ * @return String with the diff to add to the alert
+ */
+
+char *fim_file_diff(const char *filename, const directory_t *configuration);
+
+/**
+ * @brief Deletes the filename diff folder and modify diff_folder_size if disk_quota enabled
+ *
+ * @param filename Path of the file that has been deleted
+ */
+void fim_diff_process_delete_file(const char *filename);
+
+#ifdef WIN32
+/**
+ * @brief Deletes the registry diff folder and modify diff_folder_size if disk_quota enabled
+ *
+ * @param key_name Path of the registry that has been deleted
+ * @param arch Arch type of the registry
+ */
+void fim_diff_process_delete_registry(const char *key_name, int arch);
+
+/**
+ * @brief Deletes the value diff folder and modifies diff_folder_size if disk_quota enabled
+ *
+ * @param key_name Path of the registry that contains the deleted value
+ * @param value_name Path of the value that has been deleted
+ * @param arch Arch type of the registry
+ */
+void fim_diff_process_delete_value(const char *key_name, const char *value_name, int arch);
+#endif
+
+/**
+ * @brief Initializes all syscheck data
+ *
+ */
+void fim_initialize();
+int fim_whodata_initialize();
+
+/**
+ * @brief Checks if a specific file has been configured to be ignored
+ *
+ * @param file_name The name of the file to check
+ * @return 1 if it has been configured to be ignored, 0 if not
+ */
+int fim_check_ignore(const char *file_name);
+
+/**
+ * @brief Checks if a specific folder has been configured to be checked with a specific restriction
+ *
+ * @param file_name The name of the file to check
+ * @param restriction The regex restriction to be checked
+ * @return 1 if the folder has been configured with the specified restriction, 0 if not
+ */
+int fim_check_restrict(const char *file_name, OSMatch *restriction);
+
+#ifndef WIN32
+
+/**
+ * @brief Thread that creates a socket for communication with the API
+ * Com request thread dispatcher
+ *
+ * @param Argument to be passed to the thread
+ */
+void *syscom_main(void *arg);
+#endif
+
+/**
+ * @brief Dispatches messages from API directed to syscheck module
+ *
+ * @param [in] command The input command sent from the API
+ * @param [out] output The output buffer to be filled (answer for the API)
+ * @return The size of the output buffer
+ */
+size_t syscom_dispatch(char *command, char **output);
+
+/**
+ * @brief
+ *
+ * @param [in] section The specific section to be checked sent from the API
+ * @param [out] output The output buffer to be filled (answer for the API)
+ * @return The size of the output buffer
+ */
+size_t syscom_getconfig(const char *section, char **output);
+
+#ifdef WIN_WHODATA
+/**
+ * @brief Updates the SACL of an specific file
+ *
+ * @param obj_path The path of the file to update the SACL of
+ * @return 0 on success, -1 on error
+ */
+int w_update_sacl(const char *obj_path);
+#endif
+
+#ifdef WIN32
+#define check_removed_file(x) ({ strstr(x, ":\\$recycle.bin") ? 1 : 0; })
+
+/**
+ * @brief Get the number of realtime watches opened by FIM.
+ *
+ * @return Number of realtime watches.
+ */
+unsigned int get_realtime_watches();
+#endif
+
+/**
+ * @brief Create file attribute set JSON from a FIM entry structure
+ *
+ * Format:
+ * {
+ *   type:        "file"|"registry"
+ *   size:        number
+ *   perm:        string
+ *   user_name:   string
+ *   group_name:  string
+ *   uid:         string
+ *   gid:         string
+ *   inode:       number
+ *   mtime:       number
+ *   hash_md5:    string
+ *   hash_sha1:   string
+ *   hash_sha256: string
+ *   checksum:    string
+ * }
+ *
+ * @param data Pointer to a FIM entry structure.
+ * @pre data is mutex-blocked.
+ * @return Pointer to cJSON structure.
+ */
+cJSON * fim_attributes_json(const fim_file_data * data);
+
+/**
+ * @brief Create file attribute comparison JSON object
+ *
+ * Format: array of strings, with the following possible strings:
+ * - size
+ * - permission
+ * - uid
+ * - user_name
+ * - gid
+ * - group_name
+ * - mtime
+ * - inode (UNIX only)
+ * - md5
+ * - sha1
+ * - sha256
+ *
+ * @param old_data
+ * @param new_data
+ * @return cJSON*
+ */
+cJSON * fim_json_compare_attrs(const fim_file_data * old_data, const fim_file_data * new_data);
+
+/**
+ * @brief Create file audit data JSON object
+ *
+ * Format:
+ * {
+ *   user_id:        string
+ *   user_name:      string
+ *   group_id:       string
+ *   group_name:     string
+ *   process_name:   string
+ *   audit_uid:      string
+ *   audit_name:     string
+ *   effective_uid:  string
+ *   effective_name: string
+ *   ppid:           number
+ *   process_id:     number
+ * }
+ *
+ * @param w_evt Pointer to event whodata structure
+ * @return cJSON object pointer.
+ */
+cJSON * fim_audit_json(const whodata_evt * w_evt);
+
+/**
+ * @brief Create scan info JSON event
+ *
+ * Format:
+ * {
+ *   type:          "scan_start"|"scan_end"
+ *   data: {
+ *     timestamp:   number
+ *   }
+ * }
+ *
+ * @param event Event type (start or end).
+ * @param timestamp Datetime in UNIX epoch.
+ * @return cJSON object pointer.
+ */
+
+cJSON * fim_scan_info_json(fim_scan_event event, long timestamp);
+
+/**
+ * @brief Send a scan info event
+ *
+ * @param event Event type (start or end).
+ */
+void fim_send_scan_info(fim_scan_event event);
+
+/**
+ * @brief Checks the DB state, sends a message alert if necessary
+ *
+ */
+void fim_check_db_state();
+
+/**
+ * @brief Checks the size of the queue/diff/local folder
+ *
+ */
+void fim_diff_folder_size();
+
+/**
+ * @brief Get the directory that will be effectively monitored depending on configuration the entry configuration and
+ * physical object in the filesystem
+ *
+ * @param dir Pointer to the configuration associated with the directory
+ * @return A string holding the element being monitored. It must be freed after it's usage.
+ */
+char *fim_get_real_path(const directory_t *dir);
+
+/**
+ * @brief Create a delete event and removes the entry from the database.
+ *
+ * @param file_path path data to be removed.
+ * @param evt_data Information associated to the triggered event.
+ * @param configuration Directory configuration to be deleted.
+ *
+ */
+int fim_generate_delete_event(const char *file_path,
+                              const void *evt_data,
+                              const void *configuration);
+
+/**
+ * @brief Send a state synchronization message.
+ *
+ * @param location Name of the component
+ * @param msg Synchronization data for the message
+ */
+void fim_send_sync_state(const char *location, const char* msg);
+
+/**
+ * @brief Get shutdown process flag.
+ *
+ * @return Process shutdown flag.
+ */
+bool fim_shutdown_process_on();
+
+#endif /* SYSCHECK_H */
diff --git a/src/modules/fim/include/syscheck_audit.h b/src/modules/fim/include/syscheck_audit.h
new file mode 100644
index 0000000000..ce64353a12
--- /dev/null
+++ b/src/modules/fim/include/syscheck_audit.h
@@ -0,0 +1,66 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef SYSCHECK_AUDIT_H
+#define SYSCHECK_AUDIT_H
+
+#include "shared.h"
+#include "syscheck.h"
+#include "audit_op.h"
+
+#define WHODATA_PERMS (AUDIT_PERM_WRITE | AUDIT_PERM_ATTR)
+
+#define AUDIT_HEALTHCHECK_KEY "wazuh_hc"
+#define AUDIT_KEY "wazuh_fim"
+
+typedef struct {
+    char *path;
+    int pending_removal;
+} whodata_directory_t;
+
+typedef enum audit_key_type {
+    FIM_AUDIT_UNKNOWN_KEY = 0,
+    FIM_AUDIT_KEY,
+    FIM_AUDIT_HC_KEY,
+    FIM_AUDIT_CUSTOM_KEY
+} audit_key_type;
+
+/**
+ * @brief Checks if the manipulation of the audit rule was done by FIM or by an user
+
+ * @return The remaining audit events:
+ * @retval 0: The modification wasn't done by FIM.
+ * @retval Positive integer: Number of remaining CONFIG_CHANGE events done by FIM.
+ */
+int fim_manipulated_audit_rules();
+
+/**
+ * @brief Initialize the list responsible for holding the configured audit rules.
+ *
+ * @return 0 if all goes well, -1 in case of an error.
+ */
+int fim_audit_rules_init();
+
+/**
+ * @brief Sweeps the configured directories and loads the required rules into audit.
+ *
+ * @return The amount of rules loaded.
+ */
+int fim_rules_initial_load();
+
+// Public parse functions
+void clean_regex();
+
+extern pthread_mutex_t audit_mutex;
+extern atomic_int_t audit_thread_active;
+extern atomic_int_t hc_thread_active;
+extern atomic_int_t audit_health_check_creation;
+extern unsigned int count_reload_retries;
+#endif // SYSCHECK_AUDIT_H
diff --git a/src/modules/fim/src/config.c b/src/modules/fim/src/config.c
new file mode 100644
index 0000000000..2a2f1f92b7
--- /dev/null
+++ b/src/modules/fim/src/config.c
@@ -0,0 +1,533 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "syscheck.h"
+#include "../config/config.h"
+#include "../rootcheck/rootcheck.h"
+
+#ifdef WIN32
+static registry_t REGISTRY_EMPTY[] = { { NULL, 0, 0, 512, 0, NULL, NULL, NULL} };
+#endif
+
+
+int Read_Syscheck_Config(const char *cfgfile)
+{
+    int modules = 0;
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    modules |= CSYSCHECK;
+
+    if (initialize_syscheck_configuration(&syscheck) == OS_INVALID) {
+        return OS_INVALID;
+    }
+
+    mdebug1(FIM_CONFIGURATION_FILE, cfgfile);
+
+    /* Read config */
+    if (ReadConfig(modules, cfgfile, &syscheck, NULL) < 0) {
+        return (OS_INVALID);
+    }
+
+#ifdef CLIENT
+    mdebug1(FIM_CLIENT_CONFIGURATION, cfgfile);
+
+    /* Read shared config */
+    modules |= CAGENT_CONFIG;
+    ReadConfig(modules, AGENTCONFIG, &syscheck, NULL);
+#endif
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->diff_size_limit == -1) {
+            dir_it->diff_size_limit = syscheck.file_size_limit;
+        }
+
+        // Check directories options to determine whether to start the whodata thread or not
+        if (dir_it->options & WHODATA_ACTIVE) {
+            syscheck.enable_whodata = 1;
+        }
+    }
+
+    switch (syscheck.disabled) {
+    case SK_CONF_UNPARSED:
+        syscheck.disabled = 1;
+        break;
+    case SK_CONF_UNDEFINED:
+        syscheck.disabled = 0;
+    }
+
+#ifndef WIN32
+    /* We must have at least one directory to check */
+    if (OSList_GetFirstNode(syscheck.directories) == NULL && syscheck.wildcards == NULL) {
+        return (1);
+    }
+#else
+    /* It used to be that we needed to ensure the dir array was not null
+       and had at least a null element, this is no longer the case. In Windows,
+       if syscheck.directories is null nothing will go wrong.
+       syscheck.registry though... That's a different story.
+     */
+    if (!syscheck.registry) {
+            syscheck.registry = REGISTRY_EMPTY;
+    } else {
+        int it = 0;
+        while (syscheck.registry[it].entry) {
+            if (syscheck.registry[it].diff_size_limit == -1) {
+                syscheck.registry[it].diff_size_limit = syscheck.file_size_limit;
+            }
+            it++;
+        }
+    }
+    if ((OSList_GetFirstNode(syscheck.directories) == NULL) && (syscheck.registry[0].entry == NULL && syscheck.wildcards == NULL)) {
+        return (1);
+    }
+    syscheck.max_fd_win_rt = (unsigned int) getDefine_Int("syscheck", "max_fd_win_rt", 1, 1024);
+#endif
+
+    return (0);
+}
+
+void free_whodata_event(whodata_evt *w_evt) {
+    if (w_evt == NULL) return;
+    if (w_evt->user_name) free(w_evt->user_name);
+#ifndef WIN32
+    if (w_evt->cwd) free(w_evt->cwd);
+    if (w_evt->audit_name) free(w_evt->audit_name);
+    if (w_evt->audit_uid) free(w_evt->audit_uid);
+    if (w_evt->effective_name) free(w_evt->effective_name);
+    if (w_evt->effective_uid) free(w_evt->effective_uid);
+    if (w_evt->group_id) free(w_evt->group_id);
+    if (w_evt->group_name) free(w_evt->group_name);
+    if (w_evt->parent_name) free(w_evt->parent_name);
+    if (w_evt->parent_cwd) free(w_evt->parent_cwd);
+    if (w_evt->inode) free(w_evt->inode);
+    if (w_evt->dev) free(w_evt->dev);
+    if (w_evt->user_id) free(w_evt->user_id);
+#else
+    if (w_evt->user_id) LocalFree(w_evt->user_id);
+#endif
+    if (w_evt->path) free(w_evt->path);
+    if (w_evt->process_name) free(w_evt->process_name);
+    free(w_evt);
+}
+
+cJSON *getSyscheckConfig(void) {
+#ifndef WIN32
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    if (OSList_GetFirstNode(syscheck.directories) == NULL) {
+        w_rwlock_unlock(&syscheck.directories_lock);
+        return NULL;
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+#endif
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *syscfg = cJSON_CreateObject();
+    unsigned int i;
+
+    if (syscheck.disabled) cJSON_AddStringToObject(syscfg,"disabled","yes"); else cJSON_AddStringToObject(syscfg,"disabled","no");
+    cJSON_AddNumberToObject(syscfg,"frequency",syscheck.time);
+    cJSON_AddStringToObject(syscfg, "skip_nfs", syscheck.skip_fs.nfs ? "yes" : "no");
+    cJSON_AddStringToObject(syscfg, "skip_dev", syscheck.skip_fs.dev ? "yes" : "no");
+    cJSON_AddStringToObject(syscfg, "skip_sys", syscheck.skip_fs.sys ? "yes" : "no");
+    cJSON_AddStringToObject(syscfg, "skip_proc", syscheck.skip_fs.proc ? "yes" : "no");
+    if (syscheck.scan_on_start) cJSON_AddStringToObject(syscfg,"scan_on_start","yes"); else cJSON_AddStringToObject(syscfg,"scan_on_start","no");
+    if (syscheck.scan_day) cJSON_AddStringToObject(syscfg,"scan_day",syscheck.scan_day);
+    if (syscheck.scan_time) cJSON_AddStringToObject(syscfg,"scan_time",syscheck.scan_time);
+    cJSON_AddNumberToObject(syscfg, "max_files_per_second", syscheck.max_files_per_second);
+
+    cJSON * file_limit = cJSON_CreateObject();
+    cJSON_AddStringToObject(file_limit, "enabled", syscheck.file_limit_enabled ? "yes" : "no");
+    cJSON_AddNumberToObject(file_limit, "entries", syscheck.file_entry_limit);
+    cJSON_AddItemToObject(syscfg, "file_limit", file_limit);
+#ifdef WIN32
+    cJSON * registry_limit = cJSON_CreateObject();
+    cJSON_AddStringToObject(registry_limit, "enabled", syscheck.registry_limit_enabled ? "yes" : "no");
+    cJSON_AddNumberToObject(registry_limit, "entries", syscheck.db_entry_registry_limit);
+    cJSON_AddItemToObject(syscfg, "registry_limit", registry_limit);
+#endif
+
+    cJSON *diff = cJSON_CreateObject();
+
+    cJSON *disk_quota = cJSON_CreateObject();
+    cJSON_AddStringToObject(disk_quota, "enabled", syscheck.disk_quota_enabled ? "yes" : "no");
+    cJSON_AddNumberToObject(disk_quota, "limit", syscheck.disk_quota_limit);
+    cJSON_AddItemToObject(diff, "disk_quota", disk_quota);
+
+    cJSON *file_size = cJSON_CreateObject();
+    cJSON_AddStringToObject(file_size, "enabled", syscheck.file_size_enabled ? "yes" : "no");
+    cJSON_AddNumberToObject(file_size, "limit", syscheck.file_size_limit);
+    cJSON_AddItemToObject(diff, "file_size", file_size);
+
+    cJSON_AddItemToObject(syscfg, "diff", diff);
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    if (OSList_GetFirstNode(syscheck.directories) != NULL) {
+        directory_t *dir_it;
+        cJSON *dirs = cJSON_CreateArray();
+        OSListNode *node_it;
+
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            cJSON *pair = cJSON_CreateObject();
+            cJSON *opts = cJSON_CreateArray();
+            if (dir_it->options & CHECK_MD5SUM) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_md5sum"));
+            }
+            if (dir_it->options & CHECK_SHA1SUM) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_sha1sum"));
+            }
+            if (dir_it->options & CHECK_PERM) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_perm"));
+            }
+            if (dir_it->options & CHECK_SIZE) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_size"));
+            }
+            if (dir_it->options & CHECK_OWNER) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_owner"));
+            }
+            if (dir_it->options & CHECK_GROUP) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_group"));
+            }
+            if (dir_it->options & CHECK_MTIME) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_mtime"));
+            }
+            if (dir_it->options & CHECK_INODE) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_inode"));
+            }
+            if (dir_it->options & REALTIME_ACTIVE) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("realtime"));
+            }
+            if (dir_it->options & CHECK_SEECHANGES) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("report_changes"));
+            }
+            if (dir_it->options & CHECK_SHA256SUM) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_sha256sum"));
+            }
+            if (dir_it->options & WHODATA_ACTIVE) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_whodata"));
+            }
+#ifdef WIN32
+            if (dir_it->options & CHECK_ATTRS) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("check_attrs"));
+            }
+#endif
+            if (dir_it->options & CHECK_FOLLOW) {
+                cJSON_AddItemToArray(opts, cJSON_CreateString("follow_symbolic_link"));
+            }
+
+            cJSON_AddItemToObject(pair,"opts",opts);
+            cJSON_AddStringToObject(pair, "dir", dir_it->path);
+            if (dir_it->symbolic_links) {
+                cJSON_AddStringToObject(pair, "symbolic_link", dir_it->symbolic_links);
+            }
+            cJSON_AddNumberToObject(pair, "recursion_level", dir_it->recursion_level);
+            if (dir_it->filerestrict) {
+                cJSON_AddStringToObject(pair, "restrict", dir_it->filerestrict->raw);
+            }
+            if (dir_it->tag) {
+                cJSON_AddStringToObject(pair, "tags", dir_it->tag);
+            }
+
+            if (syscheck.file_size_enabled && dir_it->diff_size_limit) {
+                cJSON_AddNumberToObject(pair, "diff_size_limit", dir_it->diff_size_limit);
+            }
+
+            cJSON_AddItemToArray(dirs, pair);
+        }
+        cJSON_AddItemToObject(syscfg,"directories",dirs);
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    if (syscheck.nodiff) {
+        cJSON *ndfs = cJSON_CreateArray();
+        for (i=0;syscheck.nodiff[i];i++) {
+            cJSON_AddItemToArray(ndfs, cJSON_CreateString(syscheck.nodiff[i]));
+        }
+        cJSON_AddItemToObject(syscfg,"nodiff",ndfs);
+    }
+    if (syscheck.ignore) {
+        cJSON *igns = cJSON_CreateArray();
+        for (i=0;syscheck.ignore[i];i++) {
+            cJSON_AddItemToArray(igns, cJSON_CreateString(syscheck.ignore[i]));
+        }
+        cJSON_AddItemToObject(syscfg,"ignore",igns);
+    }
+    if (syscheck.ignore_regex) {
+        cJSON *igns = cJSON_CreateArray();
+        for (i=0;syscheck.ignore_regex[i];i++) {
+            cJSON_AddItemToArray(igns, cJSON_CreateString(syscheck.ignore_regex[i]->raw));
+        }
+        cJSON_AddItemToObject(syscfg,"ignore_sregex",igns);
+    }
+#ifndef WIN32
+    cJSON *whodata = cJSON_CreateObject();
+    if (syscheck.restart_audit) {
+        cJSON_AddStringToObject(whodata,"restart_audit","yes");
+    } else {
+        cJSON_AddStringToObject(whodata,"restart_audit","no");
+    }
+    if (syscheck.audit_key) {
+        cJSON *audkey = cJSON_CreateArray();
+        for (i=0;syscheck.audit_key[i];i++) {
+            cJSON_AddItemToArray(audkey, cJSON_CreateString(syscheck.audit_key[i]));
+        }
+        if (cJSON_GetArraySize(audkey) > 0) {
+            cJSON_AddItemToObject(whodata,"audit_key",audkey);
+        } else {
+            cJSON_free(audkey);
+        }
+    }
+    if (syscheck.audit_healthcheck) {
+        cJSON_AddStringToObject(whodata,"startup_healthcheck","yes");
+    } else {
+        cJSON_AddStringToObject(whodata,"startup_healthcheck","no");
+    }
+    cJSON_AddNumberToObject(whodata, "queue_size", syscheck.queue_size);
+
+    cJSON_AddItemToObject(syscfg,"whodata",whodata);
+#endif
+
+#ifdef WIN32
+    cJSON_AddNumberToObject(syscfg, "windows_audit_interval", syscheck.wdata.interval_scan);
+
+    if (syscheck.registry) {
+        cJSON *rg = cJSON_CreateArray();
+
+        for (i=0; syscheck.registry[i].entry; i++) {
+            cJSON *pair = cJSON_CreateObject();
+            cJSON *opts = cJSON_CreateArray();
+
+            if (syscheck.registry[i].opts & CHECK_MD5SUM) cJSON_AddItemToArray(opts, cJSON_CreateString("check_md5sum"));
+            if (syscheck.registry[i].opts & CHECK_SHA1SUM) cJSON_AddItemToArray(opts, cJSON_CreateString("check_sha1sum"));
+            if (syscheck.registry[i].opts & CHECK_SHA256SUM) cJSON_AddItemToArray(opts, cJSON_CreateString("check_sha256sum"));
+            if (syscheck.registry[i].opts & CHECK_SIZE) cJSON_AddItemToArray(opts, cJSON_CreateString("check_size"));
+            if (syscheck.registry[i].opts & CHECK_OWNER) cJSON_AddItemToArray(opts, cJSON_CreateString("check_owner"));
+            if (syscheck.registry[i].opts & CHECK_GROUP) cJSON_AddItemToArray(opts, cJSON_CreateString("check_group"));
+            if (syscheck.registry[i].opts & CHECK_PERM) cJSON_AddItemToArray(opts, cJSON_CreateString("check_perm"));
+            if (syscheck.registry[i].opts & CHECK_MTIME) cJSON_AddItemToArray(opts, cJSON_CreateString("check_mtime"));
+            if (syscheck.registry[i].opts & CHECK_TYPE) cJSON_AddItemToArray(opts, cJSON_CreateString("check_type"));
+            if (syscheck.registry[i].opts & CHECK_SEECHANGES) cJSON_AddItemToArray(opts, cJSON_CreateString("report_changes"));
+
+            cJSON_AddItemToObject(pair,"opts",opts);
+            cJSON_AddStringToObject(pair, "entry", syscheck.registry[i].entry);
+
+            if (syscheck.registry[i].arch == 0) {
+                cJSON_AddStringToObject(pair, "arch", "32bit");
+            } else {
+                cJSON_AddStringToObject(pair, "arch", "64bit");
+            }
+
+            if (syscheck.registry[i].tag) {
+                cJSON_AddStringToObject(pair, "tags", syscheck.registry[i].tag);
+            }
+
+            if (syscheck.registry[i].restrict_key) {
+                cJSON_AddStringToObject(pair,"restrict_key", syscheck.registry[i].restrict_key->raw);
+            }
+            if (syscheck.registry[i].restrict_value) {
+                cJSON_AddStringToObject(pair,"restrict_value", syscheck.registry[i].restrict_value->raw);
+            }
+
+            if (syscheck.file_size_enabled && syscheck.registry[i].diff_size_limit) {
+                cJSON_AddNumberToObject(pair, "diff_size_limit", syscheck.registry[i].diff_size_limit);
+            }
+
+            cJSON_AddNumberToObject(pair,"recursion_level",syscheck.registry[i].recursion_level);
+
+            cJSON_AddItemToArray(rg, pair);
+        }
+        cJSON_AddItemToObject(syscfg, "registry", rg);
+    }
+
+    if (syscheck.key_ignore) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0; syscheck.key_ignore[i].entry; i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair, "entry", syscheck.key_ignore[i].entry);
+
+            if (syscheck.key_ignore[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg, "key_ignore", rgi);
+    }
+
+    if (syscheck.key_ignore_regex) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0;syscheck.key_ignore_regex[i].regex;i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair,"entry",syscheck.key_ignore_regex[i].regex->raw);
+
+            if (syscheck.key_ignore_regex[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg,"key_ignore_sregex",rgi);
+    }
+
+     if (syscheck.value_ignore) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0; syscheck.value_ignore[i].entry; i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair, "entry", syscheck.value_ignore[i].entry);
+
+            if (syscheck.value_ignore[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg, "value_ignore", rgi);
+    }
+
+    if (syscheck.value_ignore_regex) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0;syscheck.value_ignore_regex[i].regex;i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair,"entry",syscheck.value_ignore_regex[i].regex->raw);
+
+            if (syscheck.value_ignore_regex[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg,"value_ignore_sregex",rgi);
+    }
+
+    if (syscheck.registry_nodiff) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0; syscheck.registry_nodiff[i].entry; i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair, "entry", syscheck.registry_nodiff[i].entry);
+
+            if (syscheck.registry_nodiff[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg, "registry_nodiff", rgi);
+    }
+
+    if (syscheck.registry_nodiff_regex) {
+        cJSON *rgi = cJSON_CreateArray();
+
+        for (i=0;syscheck.registry_nodiff_regex[i].regex;i++) {
+            cJSON *pair = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(pair,"entry",syscheck.registry_nodiff_regex[i].regex->raw);
+
+            if (syscheck.registry_nodiff_regex[i].arch == 0) {
+                cJSON_AddStringToObject(pair,"arch","32bit");
+            } else {
+                cJSON_AddStringToObject(pair,"arch","64bit");
+            }
+
+            cJSON_AddItemToArray(rgi, pair);
+        }
+        cJSON_AddItemToObject(syscfg,"registry_nodiff_sregex",rgi);
+    }
+#endif
+
+    cJSON_AddStringToObject(syscfg, "allow_remote_prefilter_cmd", syscheck.allow_remote_prefilter_cmd ? "yes" : "no");
+
+    if (syscheck.prefilter_cmd) {
+        char *full_command;
+        os_strdup(syscheck.prefilter_cmd[0], full_command);
+        for (int i = 1; syscheck.prefilter_cmd[i]; i++) {
+            wm_strcat(&full_command, syscheck.prefilter_cmd[i], ' ');
+        }
+        cJSON_AddStringToObject(syscfg,"prefilter_cmd", full_command);
+        os_free(full_command);
+    }
+
+    cJSON * synchronization = cJSON_CreateObject();
+    cJSON_AddStringToObject(synchronization, "enabled", syscheck.enable_synchronization ? "yes" : "no");
+#ifdef WIN32
+    cJSON_AddStringToObject(synchronization, "registry_enabled",
+                            syscheck.enable_registry_synchronization ? "yes" : "no");
+#endif
+    cJSON_AddNumberToObject(synchronization, "queue_size", syscheck.sync_queue_size);
+    cJSON_AddNumberToObject(synchronization, "interval", syscheck.sync_interval);
+    cJSON_AddNumberToObject(synchronization, "max_eps", syscheck.sync_max_eps);
+    cJSON_AddNumberToObject(synchronization, "response_timeout", syscheck.sync_response_timeout);
+    cJSON_AddNumberToObject(synchronization, "max_interval", syscheck.sync_max_interval);
+    cJSON_AddNumberToObject(synchronization, "thread_pool", syscheck.sync_thread_pool);
+
+    cJSON_AddItemToObject(syscfg, "synchronization", synchronization);
+
+    cJSON_AddNumberToObject(syscfg, "max_eps", syscheck.max_eps);
+    cJSON_AddNumberToObject(syscfg, "process_priority", syscheck.process_priority);
+
+    // Add sql database information
+    cJSON_AddStringToObject(syscfg, "database", syscheck.database_store ? "memory" : "disk");
+
+
+    cJSON_AddItemToObject(root,"syscheck",syscfg);
+
+    return root;
+}
+
+cJSON *getSyscheckInternalOptions(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *internals = cJSON_CreateObject();
+
+    cJSON *syscheckd = cJSON_CreateObject();
+
+    cJSON_AddNumberToObject(syscheckd,"rt_delay",syscheck.rt_delay);
+    cJSON_AddNumberToObject(syscheckd,"default_max_depth",syscheck.max_depth);
+    cJSON_AddNumberToObject(syscheckd,"symlink_scan_interval",syscheck.sym_checker_interval);
+    cJSON_AddNumberToObject(syscheckd,"debug",sys_debug_level);
+    cJSON_AddNumberToObject(syscheckd,"file_max_size",syscheck.file_max_size);
+#ifdef WIN32
+    cJSON_AddNumberToObject(syscheckd,"max_fd_win_rt",syscheck.max_fd_win_rt);
+#else
+    cJSON_AddNumberToObject(syscheckd,"max_audit_entries",syscheck.max_audit_entries);
+#endif
+
+    cJSON_AddItemToObject(internals,"syscheck",syscheckd);
+
+    cJSON *rootcheckd = cJSON_CreateObject();
+
+    cJSON_AddNumberToObject(rootcheckd,"sleep",rootcheck.tsleep);
+    cJSON_AddItemToObject(internals,"rootcheck",rootcheckd);
+    cJSON_AddItemToObject(root,"internal",internals);
+
+    return root;
+}
diff --git a/src/modules/fim/src/create_db.c b/src/modules/fim/src/create_db.c
new file mode 100644
index 0000000000..cb6f845beb
--- /dev/null
+++ b/src/modules/fim/src/create_db.c
@@ -0,0 +1,1882 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "syscheck.h"
+#include "syscheck_op.h"
+#include "integrity_op.h"
+#include "time_op.h"
+#include "db/include/db.h"
+#include "registry/registry.h"
+
+#ifdef WAZUH_UNIT_TESTING
+/* Remove static qualifier when unit testing */
+#define static
+
+/* Replace assert with mock_assert */
+extern void mock_assert(const int result, const char* const expression,
+                        const char * const file, const int line);
+
+#undef assert
+#define assert(expression) \
+    mock_assert((int)(expression), #expression, __FILE__, __LINE__);
+#endif
+
+// Global variables
+static int _base_line = 0;
+
+static const char *FIM_EVENT_TYPE_ARRAY[] = {
+    "added",
+    "deleted",
+    "modified"
+};
+
+static const char *FIM_EVENT_MODE[] = {
+    "scheduled",
+    "realtime",
+    "whodata"
+};
+
+cJSON * fim_calculate_dbsync_difference(const fim_file_data *data,
+                                        const cJSON* changed_data,
+                                        cJSON* old_attributes,
+                                        cJSON* changed_attributes) {
+
+    if (old_attributes == NULL || changed_attributes == NULL || !cJSON_IsArray(changed_attributes)) {
+        return NULL;
+    }
+
+    cJSON *aux = NULL;
+
+    cJSON_AddStringToObject(old_attributes, "type", "file");
+
+    if (data->options & CHECK_SIZE) {
+        if (aux = cJSON_GetObjectItem(changed_data, "size"), aux != NULL) {
+            cJSON_AddNumberToObject(old_attributes, "size", aux->valueint);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("size"));
+        } else {
+            cJSON_AddNumberToObject(old_attributes, "size", data->size);
+        }
+    }
+
+    if (data->options & CHECK_PERM) {
+        if (aux = cJSON_GetObjectItem(changed_data, "perm"), aux != NULL) {
+#ifndef WIN32
+            cJSON_AddStringToObject(old_attributes, "perm", cJSON_GetStringValue(aux));
+#else
+            cJSON_AddItemToObject(old_attributes, "perm", cJSON_Parse(cJSON_GetStringValue(aux)));
+#endif
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("permission"));
+
+        } else {
+#ifndef WIN32
+            cJSON_AddStringToObject(old_attributes, "perm", data->perm);
+#else
+            cJSON_AddItemToObject(old_attributes, "perm", cJSON_Parse(data->perm));
+#endif
+        }
+    }
+
+    if (data->options & CHECK_OWNER) {
+        if (aux = cJSON_GetObjectItem(changed_data, "uid"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "uid", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("uid"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "uid", data->uid);
+        }
+    }
+
+    if (data->options & CHECK_GROUP) {
+        if (aux = cJSON_GetObjectItem(changed_data, "gid"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "gid", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("gid"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "gid", data->gid);
+        }
+    }
+
+    if (data->user_name) {
+        if (aux = cJSON_GetObjectItem(changed_data, "user_name"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "user_name", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("user_name"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "user_name", data->user_name);
+        }
+    }
+
+    if (data->group_name) {
+        if (aux = cJSON_GetObjectItem(changed_data, "group_name"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "group_name", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("group_name"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "group_name", data->group_name);
+        }
+    }
+
+    if (data->options & CHECK_INODE) {
+        if (aux = cJSON_GetObjectItem(changed_data, "inode"), aux != NULL) {
+            cJSON_AddNumberToObject(old_attributes, "inode", aux->valueint);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("inode"));
+
+        } else {
+            cJSON_AddNumberToObject(old_attributes, "inode", data->inode);
+        }
+    }
+
+    if (data->options & CHECK_MTIME) {
+        if (aux = cJSON_GetObjectItem(changed_data, "mtime"), aux != NULL) {
+            cJSON_AddNumberToObject(old_attributes, "mtime", aux->valueint);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("mtime"));
+
+        } else {
+            cJSON_AddNumberToObject(old_attributes, "mtime", data->mtime);
+        }
+    }
+
+    if (data->options & CHECK_MD5SUM) {
+        if (aux = cJSON_GetObjectItem(changed_data, "hash_md5"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_md5", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("md5"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_md5", data->hash_md5);
+        }
+    }
+
+    if (data->options & CHECK_SHA1SUM) {
+        if (aux = cJSON_GetObjectItem(changed_data, "hash_sha1"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_sha1", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha1"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_sha1", data->hash_sha1);
+        }
+    }
+
+    if (data->options & CHECK_SHA256SUM) {
+        if (aux = cJSON_GetObjectItem(changed_data, "hash_sha256"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_sha256", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha256"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_sha256", data->hash_sha256);
+        }
+    }
+
+#ifdef WIN32
+    if (data->options & CHECK_ATTRS) {
+        if (aux = cJSON_GetObjectItem(changed_data, "attributes"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "attributes", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("attributes"));
+
+        } else {
+            cJSON_AddStringToObject(old_attributes, "attributes", data->attributes);
+        }
+    }
+#endif
+
+    if (*data->checksum) {
+        if (aux = cJSON_GetObjectItem(changed_data, "checksum"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "checksum", cJSON_GetStringValue(aux));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "checksum", data->checksum);
+        }
+    }
+
+    return old_attributes;
+}
+
+/**
+ * @brief Function to calculate the `attributes` field using the information returned by dbsync.
+ *
+ * @param dbsync_event Information returned by dbsync.
+ * @param configuration Configuration of the specific entry.
+ * @param attributes JSON where the information will be stored.
+ */
+static void dbsync_attributes_json(const cJSON *dbsync_event, const directory_t *configuration, cJSON *attributes) {
+    if (attributes == NULL || dbsync_event == NULL || configuration == NULL) {
+        return;
+    }
+
+    cJSON *aux = NULL;
+
+    cJSON_AddStringToObject(attributes, "type", "file");
+
+    if (configuration->options & CHECK_SIZE) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "size"), aux != NULL)
+        cJSON_AddNumberToObject(attributes, "size", aux->valueint);
+    }
+
+    if (configuration->options & CHECK_PERM) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "perm"), aux != NULL) {
+#ifndef WIN32
+            cJSON_AddStringToObject(attributes, "perm", cJSON_GetStringValue(aux));
+#else
+            cJSON_AddItemToObject(attributes, "perm", cJSON_Parse(cJSON_GetStringValue(aux)));
+#endif
+        }
+    }
+
+    if (configuration->options & CHECK_OWNER) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "uid"), aux != NULL) {
+            char *uid = cJSON_GetStringValue(aux);
+            if (uid != NULL && *uid != '\0') {
+                cJSON_AddStringToObject(attributes, "uid", uid);
+            }
+        }
+    }
+
+    if (configuration->options & CHECK_GROUP) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "gid"), aux != NULL) {
+            char *gid = cJSON_GetStringValue(aux);
+            if (gid != NULL && *gid != '\0') {
+                cJSON_AddStringToObject(attributes, "gid", gid);
+            }
+        }
+    }
+
+    if (aux = cJSON_GetObjectItem(dbsync_event, "user_name"), aux != NULL) {
+        char *user_name = cJSON_GetStringValue(aux);
+        if (user_name != NULL && *user_name != '\0') {
+            cJSON_AddStringToObject(attributes, "user_name", cJSON_GetStringValue(aux));
+        }
+    }
+
+    if (aux = cJSON_GetObjectItem(dbsync_event, "group_name"), aux != NULL) {
+        char *group_name = cJSON_GetStringValue(aux);
+        if (group_name != NULL && *group_name != '\0') {
+            cJSON_AddStringToObject(attributes, "group_name", cJSON_GetStringValue(aux));
+        }
+    }
+
+    if (configuration->options & CHECK_INODE) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "inode"), aux != NULL) {
+            cJSON_AddNumberToObject(attributes, "inode", aux->valueint);
+        }
+    }
+
+    if (configuration->options & CHECK_MTIME) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "mtime"), aux != NULL) {
+            cJSON_AddNumberToObject(attributes, "mtime", aux->valueint);
+        }
+    }
+
+    if (configuration->options & CHECK_MD5SUM) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "hash_md5"), aux != NULL) {
+            cJSON_AddStringToObject(attributes, "hash_md5", cJSON_GetStringValue(aux));
+        }
+    }
+
+    if (configuration->options & CHECK_SHA1SUM) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "hash_sha1"), aux != NULL) {
+            cJSON_AddStringToObject(attributes, "hash_sha1", cJSON_GetStringValue(aux));
+        }
+    }
+
+    if (configuration->options & CHECK_SHA256SUM) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "hash_sha256"), aux != NULL) {
+            cJSON_AddStringToObject(attributes, "hash_sha256", cJSON_GetStringValue(aux));
+        }
+    }
+
+#ifdef WIN32
+    if (configuration->options & CHECK_ATTRS) {
+        if (aux = cJSON_GetObjectItem(dbsync_event, "attributes"), aux != NULL) {
+            cJSON_AddStringToObject(attributes, "attributes", cJSON_GetStringValue(aux));
+        }
+    }
+#endif
+
+    if (aux = cJSON_GetObjectItem(dbsync_event, "checksum"), aux != NULL) {
+        cJSON_AddStringToObject(attributes, "checksum", cJSON_GetStringValue(aux));
+    }
+}
+
+static void transaction_callback(ReturnTypeCallback resultType, const cJSON* result_json, void* user_data) {
+    char *path = NULL;
+    char *diff = NULL;
+    cJSON* json_event = NULL;
+    cJSON* data = NULL;
+    cJSON* old_attributes = NULL;
+    cJSON* changed_attributes = NULL;
+    cJSON* old_data = NULL;
+    cJSON *attributes = NULL;
+    cJSON* timestamp = NULL;
+    directory_t *configuration = NULL;
+    fim_txn_context_t *txn_context = (fim_txn_context_t *) user_data;
+
+    // In case of deletions, latest_entry is NULL, so we need to get the path from the json event
+    if (resultType == DELETED) {
+        cJSON *path_cjson = cJSON_GetObjectItem(result_json, "path");
+        if (path_cjson == NULL) {
+            goto end;
+        }
+        path = cJSON_GetStringValue(path_cjson);
+    } else if (txn_context->latest_entry != NULL) {
+        path = txn_context->latest_entry->file_entry.path;
+    } else {
+        goto end;
+    }
+
+    if (configuration = fim_configuration_directory(path), configuration == NULL) {
+        goto end;
+    }
+
+    if (configuration->options & CHECK_SEECHANGES && resultType != DELETED) {
+        diff = fim_file_diff(path, configuration);
+    }
+
+    // Do not process if it's the first scan
+    if (_base_line == 0) {
+        goto end; // LCOV_EXCL_LINE
+    }
+
+    switch (resultType) {
+        case INSERTED:
+            txn_context->evt_data->type = FIM_ADD;
+            break;
+
+        case MODIFIED:
+            txn_context->evt_data->type = FIM_MODIFICATION;
+            break;
+
+        case DELETED:
+            if (configuration->options & CHECK_SEECHANGES) {
+                fim_diff_process_delete_file(path);
+            }
+
+            txn_context->evt_data->type = FIM_DELETE;
+
+            break;
+
+        case MAX_ROWS:
+            mdebug1("Couldn't insert '%s' entry into DB. The DB is full, please check your configuration.", path);
+
+        // Fallthrough
+        default:
+            goto end;
+    }
+
+    json_event = cJSON_CreateObject();
+    data = cJSON_CreateObject();
+
+    if (json_event == NULL || data == NULL) {
+        goto end; // LCOV_EXCL_LINE
+    }
+
+    cJSON_AddStringToObject(json_event, "type", "event");
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", path);
+    cJSON_AddNumberToObject(data, "version", 2.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[txn_context->evt_data->mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[txn_context->evt_data->type]);
+
+    if(timestamp = cJSON_GetObjectItem(result_json, "last_event"), timestamp != NULL){
+        cJSON_AddNumberToObject(data, "timestamp", timestamp->valueint);
+    } else {
+        cJSON_AddNumberToObject(data, "timestamp", txn_context->latest_entry->file_entry.data->last_event);
+    }
+
+    if (resultType == DELETED || txn_context->latest_entry == NULL) {
+        // We need to add the `type` field to the attributes JSON. This avoid modifying the dbsync event.
+        attributes = cJSON_CreateObject();
+        dbsync_attributes_json(result_json, configuration, attributes);
+        cJSON_AddItemToObject(data, "attributes", attributes);
+    } else {
+        cJSON_AddItemToObject(data, "attributes", fim_attributes_json(txn_context->latest_entry->file_entry.data));
+
+        old_data = cJSON_GetObjectItem(result_json, "old");
+        if (old_data) {
+            old_attributes = cJSON_CreateObject();
+            changed_attributes = cJSON_CreateArray();
+            cJSON_AddItemToObject(data, "old_attributes", old_attributes);
+            cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+            fim_calculate_dbsync_difference(txn_context->latest_entry->file_entry.data,
+                                            old_data,
+                                            old_attributes,
+                                            changed_attributes);
+
+            if (cJSON_GetArraySize(changed_attributes) == 0) {
+                mdebug2(FIM_EMPTY_CHANGED_ATTRIBUTES, path);
+                goto end;
+            }
+        }
+    }
+
+    if (diff != NULL && resultType == MODIFIED) {
+        cJSON_AddStringToObject(data, "content_changes", diff);
+    }
+
+    if (configuration->tag != NULL) {
+        cJSON_AddStringToObject(data, "tags", configuration->tag);
+    }
+
+    send_syscheck_msg(json_event);
+
+end:
+    os_free(diff);
+    cJSON_Delete(json_event);
+}
+
+void process_delete_event(void * data, void * ctx)
+{
+    cJSON *json_event = NULL;
+    fim_entry *new_entry = (fim_entry *)data;
+    struct get_data_ctx *ctx_data = (struct get_data_ctx *)ctx;
+
+    // Remove path from the DB.
+    if (fim_db_remove_path(new_entry->file_entry.path) == FIMDB_ERR)
+    {
+        return;
+    }
+
+    if (ctx_data->event->report_event) {
+        json_event = fim_json_event(new_entry, NULL, ctx_data->config, ctx_data->event, NULL);
+    }
+
+    if (json_event != NULL) {
+        send_syscheck_msg(json_event);
+    }
+
+    cJSON_Delete(json_event);
+}
+
+int fim_generate_delete_event(const char *file_path,
+                              const void *_evt_data,
+                              const void *configuration) {
+    const directory_t *original_configuration = (const directory_t *)configuration;
+    get_data_ctx ctx = {
+        .event = (event_data_t *)_evt_data,
+        .config = original_configuration,
+        .path = file_path
+    };
+    callback_context_t callback_data;
+    callback_data.callback = process_delete_event;
+    callback_data.context = &ctx;
+
+    if (original_configuration->options & CHECK_SEECHANGES) {
+        fim_diff_process_delete_file(file_path);
+    }
+
+    return fim_db_get_path(file_path, callback_data);
+}
+
+time_t fim_scan() {
+    struct timespec start;
+    struct timespec end;
+    time_t end_of_scan;
+    clock_t cputime_start;
+    int nodes_count = 0;
+    OSListNode *node_it;
+    directory_t *dir_it;
+    event_data_t evt_data = { .report_event = true, .mode = FIM_SCHEDULED, .w_evt = NULL };
+    fim_txn_context_t txn_ctx = { .evt_data = &evt_data, .latest_entry = NULL };
+
+    static fim_state_db _files_db_state = FIM_STATE_DB_EMPTY;
+#ifdef WIN32
+    static fim_state_db _registry_key_state = FIM_STATE_DB_EMPTY;
+    static fim_state_db _registry_value_state = FIM_STATE_DB_EMPTY;
+#endif
+
+#ifdef WIN32
+    SafeWow64DisableWow64FsRedirection(NULL); //Disable virtual redirection to 64bits folder due this is a x86 process
+#endif
+    cputime_start = clock();
+    gettime(&start);
+    minfo(FIM_FREQUENCY_STARTED);
+    fim_send_scan_info(FIM_SCAN_START);
+
+
+    TXN_HANDLE db_transaction_handle = fim_db_transaction_start(FIMDB_FILE_TXN_TABLE, transaction_callback, &txn_ctx);
+    if (db_transaction_handle == NULL) {
+        merror(FIM_ERROR_TRANSACTION, FIMDB_FILE_TXN_TABLE);
+        return time(NULL);
+    }
+    fim_diff_folder_size();
+    syscheck.disk_quota_full_msg = true;
+
+    mdebug2(FIM_DIFF_FOLDER_SIZE, DIFF_DIR, syscheck.diff_folder_size);
+
+    w_mutex_lock(&syscheck.fim_scan_mutex);
+
+    update_wildcards_config();
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        char *path = fim_get_real_path(dir_it);
+
+        fim_checker(path, &evt_data, dir_it, db_transaction_handle, &txn_ctx);
+
+#ifndef WIN32
+        realtime_adddir(path, dir_it);
+#elif defined WIN_WHODATA
+        if (FIM_MODE(dir_it->options) == FIM_WHODATA) {
+            realtime_adddir(path, dir_it);
+        }
+#endif
+        os_free(path);
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    w_mutex_unlock(&syscheck.fim_scan_mutex);
+
+    if (syscheck.file_limit_enabled) {
+        nodes_count = fim_db_get_count_file_entry();
+    }
+
+    fim_db_transaction_deleted_rows(db_transaction_handle, transaction_callback, &txn_ctx);
+    db_transaction_handle = NULL;
+
+    if (syscheck.file_limit_enabled && (nodes_count >= syscheck.file_entry_limit)) {
+        w_mutex_lock(&syscheck.fim_scan_mutex);
+
+        db_transaction_handle = fim_db_transaction_start(FIMDB_FILE_TXN_TABLE, transaction_callback, &txn_ctx);
+
+        w_rwlock_rdlock(&syscheck.directories_lock);
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            char *path;
+            event_data_t evt_data = { .mode = FIM_SCHEDULED, .report_event = true, .w_evt = NULL };
+
+            path = fim_get_real_path(dir_it);
+
+            fim_checker(path, &evt_data, dir_it, db_transaction_handle, &txn_ctx);
+
+            // Verify the directory is being monitored correctly
+#ifndef WIN32
+            realtime_adddir(path, dir_it);
+#elif defined WIN_WHODATA
+            if (FIM_MODE(dir_it->options) == FIM_WHODATA) {
+                realtime_adddir(path, dir_it);
+            }
+#endif
+            os_free(path);
+        }
+        w_rwlock_unlock(&syscheck.directories_lock);
+
+        w_mutex_unlock(&syscheck.fim_scan_mutex);
+
+        fim_db_transaction_deleted_rows(db_transaction_handle, transaction_callback, &txn_ctx);
+        db_transaction_handle = NULL;
+    }
+
+#ifdef WIN32
+    fim_registry_scan();
+#endif
+
+    gettime(&end);
+    end_of_scan = time(NULL);
+
+    if (syscheck.file_limit_enabled) {
+        int files_count = fim_db_get_count_file_entry();
+        fim_check_db_state(syscheck.file_entry_limit, files_count, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+    }
+
+#ifdef WIN32
+    if (syscheck.registry_limit_enabled) {
+        fim_check_db_state(syscheck.db_entry_registry_limit,
+                           fim_db_get_count_registry_key(),
+                           &_registry_key_state,
+                           FIMDB_REGISTRY_KEY_TABLENAME);
+        fim_check_db_state(syscheck.db_entry_registry_limit,
+                           fim_db_get_count_registry_data(),
+                           &_registry_value_state,
+                           FIMDB_REGISTRY_VALUE_TABLENAME);
+    }
+#endif
+
+    if (_base_line == 0) {
+        _base_line = 1;
+    } else {
+        // In the first scan, the fim initialization is different between Linux and Windows.
+        // Realtime watches are set after the first scan in Windows.
+        if (fim_realtime_get_queue_overflow()) {
+            fim_realtime_set_queue_overflow(false);
+            realtime_sanitize_watch_map();
+        }
+        fim_realtime_print_watches();
+    }
+
+    minfo(FIM_FREQUENCY_ENDED);
+    fim_send_scan_info(FIM_SCAN_END);
+
+    if (isDebug()) {
+        fim_print_info(start, end, cputime_start); // LCOV_EXCL_LINE
+    }
+    audit_queue_full_reported = 0;
+
+    return end_of_scan;
+}
+
+void fim_checker(const char *path,
+                 event_data_t *evt_data,
+                 const directory_t *parent_configuration,
+                 TXN_HANDLE dbsync_txn,
+                 fim_txn_context_t *ctx) {
+    directory_t *configuration;
+    int depth;
+
+    if (!w_utf8_valid(path)) {
+        mwarn(FIM_INVALID_FILE_NAME, path);
+        return;
+    }
+
+#ifdef WIN32
+    // Ignore the recycle bin.
+    if (check_removed_file(path)){
+        return;
+    }
+#endif
+
+    configuration = fim_configuration_directory(path);
+    if (configuration == NULL) {
+        return;
+    }
+
+    if (parent_configuration == NULL) {
+        // First time entering fim_checker
+        // It's dangerous to go alone! Take this.
+        parent_configuration = configuration;
+    }
+
+    if (evt_data->mode == FIM_SCHEDULED) {
+        // If the directory has another configuration will scan it with that configuration
+        if (parent_configuration != configuration) {
+            return;
+        }
+    } else if (evt_data->mode != FIM_MODE(configuration->options)) {
+        // If this event is not generated by a scan, the mode of the event and
+        // the mode configured must match
+        return;
+    }
+
+    depth = fim_check_depth(path, configuration);
+
+    if (depth > configuration->recursion_level) {
+        mdebug2(FIM_MAX_RECURSION_LEVEL, depth, configuration->recursion_level, path);
+        return;
+    }
+
+    // Deleted file. Sending alert.
+    if (w_stat(path, &(evt_data->statbuf)) == -1) {
+        if(errno != ENOENT) {
+            mdebug1(FIM_STAT_FAILED, path, errno, strerror(errno));
+            return;
+        }
+
+        if((evt_data->mode == FIM_REALTIME && !(configuration->options & REALTIME_ACTIVE)) ||
+           (evt_data->mode == FIM_WHODATA && !(configuration->options & WHODATA_ACTIVE))) {
+            /* Don't send alert if received mode and mode in configuration aren't the same.
+            Scheduled mode events must always be processed to preserve the state of the agent's DB.
+            */
+            return;
+        }
+
+        // Delete alerts in scheduled scan is triggered in the transaction delete rows operation.
+        if (evt_data->mode != FIM_SCHEDULED) {
+            evt_data->type = FIM_DELETE;
+            get_data_ctx ctx = {
+                .event = (event_data_t *)evt_data,
+                .config = configuration,
+                .path = path
+            };
+            callback_context_t callback_data;
+            callback_data.callback = process_delete_event;
+            callback_data.context = &ctx;
+            fim_db_get_path(path, callback_data);
+
+            if (configuration->options & CHECK_SEECHANGES)
+            {
+                fim_diff_process_delete_file(path);
+            }
+        }
+
+        return;
+    }
+
+#ifdef WIN_WHODATA
+    if (evt_data->w_evt && evt_data->w_evt->scan_directory == 1) {
+        if (w_update_sacl(path)) {
+            mdebug1(FIM_SCAL_NOREFRESH, path);
+        }
+    }
+#endif
+
+    if (HasFilesystem(path, syscheck.skip_fs)) {
+        return;
+    }
+
+    if (fim_check_ignore(path) == 1) {
+        return;
+    }
+
+    switch (evt_data->statbuf.st_mode & S_IFMT) {
+#ifndef WIN32
+    case FIM_LINK:
+        // Fallthrough
+#endif
+    case FIM_REGULAR:
+        if (fim_check_restrict(path, configuration->filerestrict) == 1) {
+            return;
+        }
+
+        fim_file(path, configuration, evt_data, dbsync_txn, ctx);
+        break;
+
+    case FIM_DIRECTORY:
+        if (depth == configuration->recursion_level) {
+            mdebug2(FIM_DIR_RECURSION_LEVEL, path, depth);
+            return;
+        }
+        fim_directory(path, evt_data, configuration, dbsync_txn, ctx);
+
+#ifdef INOTIFY_ENABLED
+        if (FIM_MODE(configuration->options) == FIM_REALTIME) {
+            fim_add_inotify_watch(path, configuration);
+        }
+#endif
+        break;
+    }
+}
+
+
+int fim_directory(const char *dir,
+                  event_data_t *evt_data,
+                  const directory_t *configuration,
+                  TXN_HANDLE dbsync_txn,
+                  fim_txn_context_t *ctx) {
+    DIR *dp;
+    struct dirent *entry;
+    char *f_name;
+    char *s_name;
+    size_t path_size;
+
+    if (!dir) {
+        merror(NULL_ERROR);
+        return OS_INVALID;
+    }
+
+    // Open the directory given
+    dp = opendir(dir);
+
+    if (!dp) {
+        mwarn(FIM_PATH_NOT_OPEN, dir, strerror(errno));
+        return OS_INVALID;
+    }
+
+    os_calloc(PATH_MAX + 2, sizeof(char), f_name);
+    while ((entry = readdir(dp)) != NULL) {
+        // Ignore . and ..
+        if ((strcmp(entry->d_name, ".") == 0) ||
+                (strcmp(entry->d_name, "..") == 0)) {
+            continue;
+        }
+
+        strncpy(f_name, dir, PATH_MAX);
+        path_size = strlen(dir);
+        s_name = f_name + path_size;
+
+        // Check if the file name is already null terminated
+        if (*(s_name - 1) != PATH_SEP) {
+            *s_name++ = PATH_SEP;
+        }
+        *(s_name) = '\0';
+        path_size = strlen(f_name);
+
+#ifdef WIN32
+        // Check if the full path is too long if it is, skip this file
+        // and log a warning, PATH_MAX is 260 on windows, but reserves 1 char
+        // for the null terminator.
+        if (path_size + strlen(entry->d_name) >= PATH_MAX) {
+            mwarn(FIM_ERROR_PATH_TOO_LONG, f_name, entry->d_name, PATH_MAX);
+            continue;
+        }
+#endif
+
+        snprintf(s_name, PATH_MAX + 2 - path_size, "%s", entry->d_name);
+
+#ifdef WIN32
+        str_lowercase(f_name);
+#endif
+        // Process the event related to f_name
+        fim_checker(f_name, evt_data, configuration, dbsync_txn, ctx);
+    }
+
+    os_free(f_name);
+    closedir(dp);
+    return 0;
+}
+
+void fim_event_callback(void* data, void * ctx)
+{
+    struct create_json_event_ctx* ctx_data = (struct create_json_event_ctx*)ctx;
+    cJSON* json_event = (cJSON*)data;
+
+    if (json_event != NULL) {
+        cJSON* data_json = cJSON_GetObjectItem(json_event, "data");
+        char* path;
+
+        path = cJSON_GetStringValue(cJSON_GetObjectItem(data_json, "path"));
+
+        cJSON *changed_attributes = cJSON_GetObjectItem(data_json, "changed_attributes");
+        if (changed_attributes && cJSON_GetArraySize(changed_attributes) == 0) {
+            mdebug2(FIM_EMPTY_CHANGED_ATTRIBUTES, path);
+            return;
+        }
+
+        if (ctx_data->config->options & CHECK_SEECHANGES) {
+            char* diff;
+
+            diff = fim_file_diff(path, ctx_data->config);
+            if (diff != NULL && ctx_data->event->type == FIM_MODIFICATION) {
+                cJSON_AddStringToObject(data_json, "content_changes", diff);
+            }
+            os_free(diff);
+        }
+
+        if (ctx_data->event->w_evt) {
+            cJSON_AddItemToObject(data_json, "audit", fim_audit_json(ctx_data->event->w_evt));
+        }
+
+        if (ctx_data->config->tag != NULL) {
+            cJSON_AddStringToObject(data_json, "tags", ctx_data->config->tag);
+        }
+
+#ifdef WIN32
+        cJSON* attributes_json = cJSON_GetObjectItem(data_json, "attributes");
+        char* perm_string = cJSON_GetStringValue(cJSON_GetObjectItem(attributes_json, "perm"));
+        cJSON_ReplaceItemInObject(attributes_json, "perm", cJSON_Parse(perm_string));
+
+        cJSON* old_attributes_json = cJSON_GetObjectItem(data_json, "old_attributes");
+        if (old_attributes_json) {
+            char* old_perm_string = cJSON_GetStringValue(cJSON_GetObjectItem(old_attributes_json, "perm"));
+            cJSON_ReplaceItemInObject(old_attributes_json, "perm", cJSON_Parse(old_perm_string));
+        }
+#endif
+        send_syscheck_msg(json_event);
+    }
+}
+
+void fim_file(const char *path,
+              const directory_t *configuration,
+              event_data_t *evt_data,
+              TXN_HANDLE txn_handle,
+              fim_txn_context_t *txn_context) {
+    assert(path != NULL);
+    assert(configuration != NULL);
+    assert(evt_data != NULL);
+
+    fim_entry new_entry;
+
+    check_max_fps();
+
+    new_entry.type = FIM_TYPE_FILE;
+    new_entry.file_entry.path = (char *)path;
+    new_entry.file_entry.data = fim_get_data(path, configuration, &(evt_data->statbuf));
+
+    if (new_entry.file_entry.data == NULL) {
+        mdebug1(FIM_GET_ATTRIBUTES, path);
+        return;
+    }
+
+    if (txn_handle != NULL) {
+        txn_context->latest_entry = &new_entry;
+
+        fim_db_transaction_sync_row(txn_handle, &new_entry);
+        free_file_data(new_entry.file_entry.data);
+        txn_context->latest_entry = NULL;
+    } else {
+        create_json_event_ctx ctx = {
+            .event = evt_data,
+            .config = configuration,
+        };
+
+        callback_context_t callback_data;
+        callback_data.callback = fim_event_callback;
+        callback_data.context = &ctx;
+
+        fim_db_file_update(&new_entry, callback_data);
+        free_file_data(new_entry.file_entry.data);
+    }
+
+
+    return;
+}
+
+void fim_realtime_event(char *file) {
+    struct stat file_stat;
+
+    // If the file exists, generate add or modify events.
+    if (w_stat(file, &file_stat) >= 0) {
+        event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+
+        /* Need a sleep here to avoid triggering on vim
+         * (and finding the file removed)
+         */
+        fim_rt_delay();
+
+        fim_checker(file, &evt_data, NULL, NULL, NULL);
+    } else {
+        // Otherwise, it could be a file deleted or a directory moved (or renamed).
+        fim_process_missing_entry(file, FIM_REALTIME, NULL);
+    }
+}
+
+// Callback
+void create_windows_who_data_events(void * data, void * ctx)
+{
+    char *path = (char *)data;
+    whodata_evt *w_evt = (whodata_evt *)ctx;
+
+    fim_process_missing_entry(path, FIM_WHODATA, w_evt);
+}
+
+void fim_whodata_event(whodata_evt * w_evt) {
+
+    struct stat file_stat;
+
+    // If the file exists, generate add or modify events.
+    if(w_stat(w_evt->path, &file_stat) >= 0) {
+        event_data_t evt_data = { .mode = FIM_WHODATA, .w_evt = w_evt, .report_event = true };
+
+        fim_rt_delay();
+
+        w_rwlock_rdlock(&syscheck.directories_lock);
+        fim_checker(w_evt->path, &evt_data, NULL, NULL, NULL);
+        w_rwlock_unlock(&syscheck.directories_lock);
+    } else {
+        // Otherwise, it could be a file deleted or a directory moved (or renamed).
+        w_rwlock_rdlock(&syscheck.directories_lock);
+        fim_process_missing_entry(w_evt->path, FIM_WHODATA, w_evt);
+        w_rwlock_unlock(&syscheck.directories_lock);
+#ifndef WIN32
+        const unsigned long int inode = strtoul(w_evt->inode, NULL, 10);
+        const unsigned long int dev = strtoul(w_evt->dev, NULL, 10);
+        callback_context_t callback_data;
+        callback_data.callback = create_windows_who_data_events;
+        callback_data.context = w_evt;
+        fim_db_file_inode_search(inode, dev, callback_data);
+#endif
+    }
+}
+
+// Callback
+void fim_db_remove_entry(void * data, void * ctx)
+{
+    char *path = (char *)data;
+    get_data_ctx *ctx_data = (struct get_data_ctx *)ctx;
+
+    fim_generate_delete_event(path, ctx_data->event, ctx_data->config);
+}
+
+void fim_process_wildcard_removed(directory_t *configuration) {
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = true, .type = FIM_DELETE };
+
+    if (fim_generate_delete_event(configuration->path, &evt_data, configuration) == FIMDB_ERR)
+    {
+        return;
+    }
+
+    // Since the file doesn't exist, research if it's directory and have files in DB.
+    char pattern[PATH_MAX] = {0};
+
+    // Create the sqlite LIKE pattern -> "pathname/%"
+    snprintf(pattern, PATH_MAX, "%s%c%%", configuration->path, PATH_SEP);
+    get_data_ctx ctx = {
+        .event = (event_data_t *)&evt_data,
+        .config = configuration,
+        .path = configuration->path
+    };
+    callback_context_t callback_data;
+    callback_data.callback = fim_db_remove_entry;
+    callback_data.context = &ctx;
+    fim_db_file_pattern_search(pattern, callback_data);
+}
+
+// Callback
+void fim_db_process_missing_entry(void * data, void * ctx)
+{
+    fim_entry *new_entry = (fim_entry *)data;
+    struct get_data_ctx *ctx_data = (struct get_data_ctx *)ctx;
+
+    fim_checker(new_entry->file_entry.path, ctx_data->event, NULL, NULL, NULL);
+}
+
+void fim_process_missing_entry(char * pathname, fim_event_mode mode, whodata_evt * w_evt) {
+    event_data_t evt_data = { .mode = mode, .w_evt = w_evt, .report_event = true };
+    directory_t *configuration = NULL;
+
+    configuration = fim_configuration_directory(pathname);
+    if (NULL == configuration) {
+        return;
+    }
+
+    get_data_ctx ctx = {
+        .event = (event_data_t *)&evt_data,
+        .config = configuration,
+        .path = pathname
+    };
+
+    callback_context_t callback_data;
+    callback_data.callback = fim_db_process_missing_entry;
+    callback_data.context = &ctx;
+
+    // Exists, create event.
+    if (fim_db_get_path(pathname, callback_data) == FIMDB_OK) {
+        return;
+    }
+
+    if((evt_data.mode == FIM_REALTIME && !(configuration->options & REALTIME_ACTIVE)) ||
+      (evt_data.mode == FIM_WHODATA && !(configuration->options & WHODATA_ACTIVE)))
+    {
+        /* Don't send alert if received mode and mode in configuration aren't the same.
+        Scheduled mode events must always be processed to preserve the state of the agent's DB.
+        */
+        return;
+    }
+    // Since the file doesn't exist, research if it's directory and have files in DB.
+    char pattern[PATH_MAX] = {0};
+
+    // Create the sqlite LIKE pattern -> "pathname/%"
+    snprintf(pattern, PATH_MAX, "%s%c%%", pathname, PATH_SEP);
+    evt_data.type = FIM_DELETE;
+    ctx.event = (event_data_t *)&evt_data;
+    callback_data.callback = fim_db_remove_entry;
+    callback_data.context = &ctx;
+    fim_db_file_pattern_search(pattern, callback_data);
+}
+
+// Checks the DB state, sends a message alert if necessary
+void fim_check_db_state(int nodes_limit, int nodes_count, fim_state_db* db_state, const char* table_name) {
+    cJSON *json_event = NULL;
+    char *json_plain = NULL;
+    char alert_msg[OS_SIZE_256] = {'\0'};
+
+    if (nodes_count < 0) {
+        mwarn(FIM_DATABASE_NODES_COUNT_FAIL);
+        return;
+    }
+
+    switch (*db_state) {
+    case FIM_STATE_DB_FULL:
+        if (nodes_count >= nodes_limit) {
+            return;
+        }
+        break;
+    case FIM_STATE_DB_90_PERCENTAGE:
+        if ((nodes_count < nodes_limit) && (nodes_count >= nodes_limit * 0.9)) {
+            return;
+        }
+        break;
+    case FIM_STATE_DB_80_PERCENTAGE:
+        if ((nodes_count < nodes_limit * 0.9) && (nodes_count >= nodes_limit * 0.8)) {
+            return;
+        }
+        break;
+    case FIM_STATE_DB_NORMAL:
+        if (nodes_count == 0) {
+            *db_state = FIM_STATE_DB_EMPTY;
+            return;
+        }
+        else if (nodes_count < nodes_limit * 0.8) {
+            return;
+        }
+        break;
+    case FIM_STATE_DB_EMPTY:
+        if (nodes_count == 0) {
+            return;
+        }
+        else if (nodes_count < nodes_limit * 0.8) {
+            *db_state = FIM_STATE_DB_NORMAL;
+            return;
+        }
+        break;
+    default: // LCOV_EXCL_LINE
+        break; // LCOV_EXCL_LINE
+    }
+
+    json_event = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(json_event, "fim_db_table", table_name);
+
+    if (strcmp(table_name, FIMDB_FILE_TABLE_NAME) == 0) {
+        cJSON_AddNumberToObject(json_event, "file_limit", nodes_limit);
+        cJSON_AddNumberToObject(json_event, "file_count", nodes_count);
+    }
+#ifdef WIN32
+    else {
+        cJSON_AddNumberToObject(json_event, "registry_limit", nodes_limit);
+        cJSON_AddNumberToObject(json_event, "values_count", fim_db_get_count_registry_data());
+        cJSON_AddNumberToObject(json_event, "keys_count", fim_db_get_count_registry_key());
+    }
+#endif
+
+    if (nodes_count >= nodes_limit) {
+        *db_state = FIM_STATE_DB_FULL;
+        mwarn(strcmp(table_name, FIMDB_FILE_TABLE_NAME) ? FIM_DB_FULL_ALERT_REG : FIM_DB_FULL_ALERT_FILE);
+        cJSON_AddStringToObject(json_event, "alert_type", "full");
+    }
+    else if (nodes_count >= nodes_limit * 0.9) {
+        *db_state = FIM_STATE_DB_90_PERCENTAGE;
+        minfo(strcmp(table_name, FIMDB_FILE_TABLE_NAME) ? FIM_DB_90_PERCENTAGE_ALERT_REG : FIM_DB_90_PERCENTAGE_ALERT_FILE);
+        cJSON_AddStringToObject(json_event, "alert_type", "90_percentage");
+    }
+    else if (nodes_count >= nodes_limit * 0.8) {
+        *db_state = FIM_STATE_DB_80_PERCENTAGE;
+        minfo(strcmp(table_name, FIMDB_FILE_TABLE_NAME) ? FIM_DB_80_PERCENTAGE_ALERT_REG : FIM_DB_80_PERCENTAGE_ALERT_FILE);
+        cJSON_AddStringToObject(json_event, "alert_type", "80_percentage");
+    }
+    else if (nodes_count > 0) {
+        *db_state = FIM_STATE_DB_NORMAL;
+        minfo(strcmp(table_name, FIMDB_FILE_TABLE_NAME) ? FIM_DB_NORMAL_ALERT_REG : FIM_DB_NORMAL_ALERT_FILE);
+        cJSON_AddStringToObject(json_event, "alert_type", "normal");
+    }
+    else {
+        *db_state = FIM_STATE_DB_EMPTY;
+        minfo(strcmp(table_name, FIMDB_FILE_TABLE_NAME) ? FIM_DB_NORMAL_ALERT_REG : FIM_DB_NORMAL_ALERT_FILE);
+        cJSON_AddStringToObject(json_event, "alert_type", "normal");
+    }
+
+    json_plain = cJSON_PrintUnformatted(json_event);
+
+    snprintf(alert_msg, OS_SIZE_256, "wazuh: FIM DB: %s", json_plain);
+
+    send_log_msg(alert_msg);
+
+    os_free(json_plain);
+    cJSON_Delete(json_event);
+}
+
+// Returns the position of the path into directories array
+directory_t *fim_configuration_directory(const char *path) {
+    char full_path[OS_SIZE_4096 + 1] = {'\0'};
+    char full_entry[OS_SIZE_4096 + 1] = {'\0'};
+    directory_t *dir_it = NULL;
+    directory_t *dir = NULL;
+    OSListNode *node_it;
+    int top = 0;
+    int match = 0;
+
+    if (!path || *path == '\0') {
+        return NULL;
+    }
+
+    trail_path_separator(full_path, path, sizeof(full_path));
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        char *real_path = fim_get_real_path(dir_it);
+
+        trail_path_separator(full_entry, real_path, sizeof(full_entry));
+        match = w_compare_str(full_entry, full_path);
+
+        if (top < match && full_path[match - 1] == PATH_SEP) {
+            dir = dir_it;
+            top = match;
+        }
+
+        os_free(real_path);
+    }
+
+    if (dir == NULL) {
+        mdebug2(FIM_CONFIGURATION_NOTFOUND, "file", path);
+    }
+
+    return dir;
+}
+
+int fim_check_depth(const char *path, const directory_t *configuration) {
+    const char * pos;
+    int depth = -1;
+    char *parent_path;
+    unsigned int parent_path_size;
+
+    assert(configuration != NULL);
+
+    parent_path = fim_get_real_path(configuration);
+    parent_path_size = strlen(parent_path);
+    os_free(parent_path);
+
+    if (parent_path_size > strlen(path)) {
+        return -1;
+    }
+
+#ifdef WIN32
+    // Check for monitoring of 'U:\'
+    if(parent_path_size == 3 && path[2] == '\\') {
+        depth = 0;
+    }
+#else
+    // Check for monitoring of '/'
+    if(parent_path_size == 1) {
+        depth = 0;
+    }
+#endif
+
+    pos = path + parent_path_size;
+    while (pos) {
+        if (pos = strchr(pos, PATH_SEP), pos) {
+            depth++;
+        } else {
+            break;
+        }
+        pos++;
+    }
+
+    return depth;
+}
+
+
+// Get data from file
+fim_file_data *fim_get_data(const char *file, const directory_t *configuration, const struct stat *statbuf) {
+    fim_file_data * data = NULL;
+
+    os_calloc(1, sizeof(fim_file_data), data);
+    init_fim_data_entry(data);
+
+    if (configuration->options & CHECK_SIZE) {
+        data->size = statbuf->st_size;
+    }
+
+    if (configuration->options & CHECK_PERM) {
+#ifdef WIN32
+        int error;
+
+        error = w_get_file_permissions(file, &(data->perm_json));
+        if (error) {
+            mdebug1(FIM_EXTRACT_PERM_FAIL, file, error);
+            free_file_data(data);
+            return NULL;
+        }
+
+        decode_win_acl_json(data->perm_json);
+        data->perm = cJSON_PrintUnformatted(data->perm_json);
+#else
+        data->perm = agent_file_perm(statbuf->st_mode);
+#endif
+    }
+
+#ifdef WIN32
+    if (configuration->options & CHECK_ATTRS) {
+        os_calloc(OS_SIZE_256, sizeof(char), data->attributes);
+        decode_win_attributes(data->attributes, w_get_file_attrs(file));
+    }
+#endif
+
+    if (configuration->options & CHECK_MTIME) {
+#ifdef WIN32
+        data->mtime = get_UTC_modification_time(file);
+#else
+        data->mtime = statbuf->st_mtime;
+#endif
+    }
+
+#ifdef WIN32
+    if (configuration->options & CHECK_OWNER) {
+        data->user_name = get_file_user(file, &data->uid);
+    }
+#else
+    if (configuration->options & CHECK_OWNER) {
+        char aux[OS_SIZE_64];
+        snprintf(aux, OS_SIZE_64, "%u", statbuf->st_uid);
+        os_strdup(aux, data->uid);
+
+        data->user_name = get_user(statbuf->st_uid);
+    }
+
+    if (configuration->options & CHECK_GROUP) {
+        char aux[OS_SIZE_64];
+        snprintf(aux, OS_SIZE_64, "%u", statbuf->st_gid);
+        os_strdup(aux, data->gid);
+
+        data->group_name = get_group(statbuf->st_gid);
+    }
+#endif
+
+    snprintf(data->hash_md5, sizeof(os_md5), "%s", "d41d8cd98f00b204e9800998ecf8427e");
+    snprintf(data->hash_sha1, sizeof(os_sha1), "%s", "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+    snprintf(data->hash_sha256, sizeof(os_sha256), "%s", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
+
+    // The file exists and we don't have to delete it from the hash tables
+    data->scanned = 1;
+
+    // We won't calculate hash for symbolic links, empty or large files
+    if (S_ISREG(statbuf->st_mode) && (statbuf->st_size > 0 && (size_t)statbuf->st_size < syscheck.file_max_size) &&
+        (configuration->options & (CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM))) {
+        if (OS_MD5_SHA1_SHA256_File(file, syscheck.prefilter_cmd, data->hash_md5,
+                                    data->hash_sha1, data->hash_sha256, OS_BINARY, syscheck.file_max_size) < 0) {
+            mdebug1(FIM_HASHES_FAIL, file);
+            free_file_data(data);
+            return NULL;
+        }
+    }
+
+    if ((configuration->options & CHECK_MD5SUM) == 0) {
+        data->hash_md5[0] = '\0';
+    }
+
+    if ((configuration->options & CHECK_SHA1SUM) == 0) {
+        data->hash_sha1[0] = '\0';
+    }
+
+    if ((configuration->options & CHECK_SHA256SUM) == 0) {
+        data->hash_sha256[0] = '\0';
+    }
+
+    data->inode = statbuf->st_ino;
+    data->dev = statbuf->st_dev;
+    data->options = configuration->options;
+    data->last_event = time(NULL);
+    fim_get_checksum(data);
+
+    return data;
+}
+
+void init_fim_data_entry(fim_file_data *data) {
+    data->size = 0;
+    data->perm = NULL;
+#ifdef WIN32
+    data->perm_json = NULL;
+#endif
+    data->attributes = NULL;
+    data->uid = NULL;
+    data->gid = NULL;
+    data->user_name = NULL;
+    data->group_name = NULL;
+    data->mtime = 0;
+    data->inode = 0;
+    data->hash_md5[0] = '\0';
+    data->hash_sha1[0] = '\0';
+    data->hash_sha256[0] = '\0';
+}
+
+void fim_get_checksum (fim_file_data * data) {
+    int size;
+    char *checksum = NULL;
+
+    size = snprintf(0,
+            0,
+            "%d:%s:%s:%s:%s:%s:%s:%lu:%llu:%s:%s:%s",
+            data->size,
+            data->perm ? data->perm : "",
+            data->attributes ? data->attributes : "",
+            data->uid ? data->uid : "",
+            data->gid ? data->gid : "",
+            data->user_name ? data->user_name : "",
+            data->group_name ? data->group_name : "",
+            data->mtime,
+            data->inode,
+            data->hash_md5,
+            data->hash_sha1,
+            data->hash_sha256);
+
+    os_calloc(size + 1, sizeof(char), checksum);
+    snprintf(checksum,
+            size + 1,
+            "%d:%s:%s:%s:%s:%s:%s:%lu:%llu:%s:%s:%s",
+            data->size,
+            data->perm ? data->perm : "",
+            data->attributes ? data->attributes : "",
+            data->uid ? data->uid : "",
+            data->gid ? data->gid : "",
+            data->user_name ? data->user_name : "",
+            data->group_name ? data->group_name : "",
+            data->mtime,
+            data->inode,
+            data->hash_md5,
+            data->hash_sha1,
+            data->hash_sha256);
+
+    OS_SHA1_Str(checksum, -1, data->checksum);
+    free(checksum);
+}
+
+cJSON *fim_json_event(const fim_entry *new_data,
+                      const fim_file_data *old_data,
+                      const directory_t *configuration,
+                      const event_data_t *evt_data,
+                      const char *diff) {
+    cJSON * changed_attributes = NULL;
+
+    assert(new_data != NULL);
+
+    if (old_data != NULL) {
+        changed_attributes = fim_json_compare_attrs(old_data, new_data->file_entry.data);
+
+        // If no such changes, do not send event.
+
+        if (cJSON_GetArraySize(changed_attributes) == 0) {
+            cJSON_Delete(changed_attributes);
+            return NULL;
+        }
+    }
+
+    cJSON * json_event = cJSON_CreateObject();
+    cJSON_AddStringToObject(json_event, "type", "event");
+
+    cJSON * data = cJSON_CreateObject();
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", new_data->file_entry.path);
+    cJSON_AddNumberToObject(data, "version", 2.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[evt_data->mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[evt_data->type]);
+    cJSON_AddNumberToObject(data, "timestamp", new_data->file_entry.data->last_event);
+
+    cJSON_AddItemToObject(data, "attributes", fim_attributes_json(new_data->file_entry.data));
+
+    if (old_data) {
+        cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+        cJSON_AddItemToObject(data, "old_attributes", fim_attributes_json(old_data));
+    }
+
+    char * tags = NULL;
+    if (evt_data->w_evt) {
+        cJSON_AddItemToObject(data, "audit", fim_audit_json(evt_data->w_evt));
+    }
+
+    tags = configuration->tag;
+
+    if (diff != NULL) {
+        cJSON_AddStringToObject(data, "content_changes", diff);
+    }
+
+    if (tags != NULL) {
+        cJSON_AddStringToObject(data, "tags", tags);
+    }
+
+    return json_event;
+}
+
+// Create file attribute set JSON from a FIM entry structure
+
+cJSON * fim_attributes_json(const fim_file_data * data) {
+    cJSON * attributes = cJSON_CreateObject();
+
+    // TODO: Read structure.
+    // SQLite Development
+    cJSON_AddStringToObject(attributes, "type", "file");
+
+    if (data->options & CHECK_SIZE) {
+        cJSON_AddNumberToObject(attributes, "size", data->size);
+    }
+
+    if (data->options & CHECK_PERM) {
+#ifndef WIN32
+        cJSON_AddStringToObject(attributes, "perm", data->perm);
+#else
+        cJSON_AddItemToObject(attributes, "perm", cJSON_Parse(data->perm));
+#endif
+    }
+
+    if (data->options & CHECK_OWNER && data->uid && *data->uid != '\0' ) {
+        cJSON_AddStringToObject(attributes, "uid", data->uid);
+    }
+
+    if (data->options & CHECK_GROUP && data->gid && *data->gid != '\0' ) {
+        cJSON_AddStringToObject(attributes, "gid", data->gid);
+    }
+
+    if (data->user_name && *data->user_name != '\0' ) {
+        cJSON_AddStringToObject(attributes, "user_name", data->user_name);
+    }
+
+    if (data->group_name && *data->group_name != '\0') {
+        cJSON_AddStringToObject(attributes, "group_name", data->group_name);
+    }
+
+    if (data->options & CHECK_INODE) {
+        cJSON_AddNumberToObject(attributes, "inode", data->inode);
+    }
+
+    if (data->options & CHECK_MTIME) {
+        cJSON_AddNumberToObject(attributes, "mtime", data->mtime);
+    }
+
+    if (data->options & CHECK_MD5SUM) {
+        cJSON_AddStringToObject(attributes, "hash_md5", data->hash_md5);
+    }
+
+    if (data->options & CHECK_SHA1SUM) {
+        cJSON_AddStringToObject(attributes, "hash_sha1", data->hash_sha1);
+    }
+
+    if (data->options & CHECK_SHA256SUM) {
+        cJSON_AddStringToObject(attributes, "hash_sha256", data->hash_sha256);
+    }
+
+#ifdef WIN32
+    if (data->options & CHECK_ATTRS) {
+        cJSON_AddStringToObject(attributes, "attributes", data->attributes);
+    }
+#endif
+
+    if (*data->checksum) {
+        cJSON_AddStringToObject(attributes, "checksum", data->checksum);
+    }
+
+    return attributes;
+}
+
+// Create file attribute comparison JSON object
+
+cJSON * fim_json_compare_attrs(const fim_file_data * old_data, const fim_file_data * new_data) {
+    cJSON * changed_attributes = cJSON_CreateArray();
+
+    if ( (old_data->options & CHECK_SIZE) && (old_data->size != new_data->size) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("size"));
+    }
+
+#ifndef WIN32
+    if ( (old_data->options & CHECK_PERM) && strcmp(old_data->perm, new_data->perm) != 0 ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("permission"));
+    }
+#else
+    if ( (old_data->options & CHECK_PERM) && compare_win_permissions(old_data->perm_json, new_data->perm_json) == false ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("permission"));
+    }
+
+    if ( (old_data->options & CHECK_ATTRS) && strcmp(old_data->attributes, new_data->attributes) != 0 ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("attributes"));
+    }
+#endif
+
+    if (old_data->options & CHECK_OWNER) {
+        if (old_data->uid && new_data->uid && strcmp(old_data->uid, new_data->uid) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("uid"));
+        }
+
+#ifndef WIN32
+        if (old_data->user_name && new_data->user_name && strcmp(old_data->user_name, new_data->user_name) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("user_name"));
+        }
+#else
+        // AD might fail to solve the user name, we don't trigger an event if the user name is empty
+        if (old_data->user_name && *old_data->user_name != '\0' && new_data->user_name &&
+            *new_data->user_name != '\0' && strcmp(old_data->user_name, new_data->user_name) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("user_name"));
+        }
+#endif
+    }
+
+    if (old_data->options & CHECK_GROUP) {
+        if (old_data->gid && new_data->gid && strcmp(old_data->gid, new_data->gid) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("gid"));
+        }
+
+        if (old_data->group_name && new_data->group_name && strcmp(old_data->group_name, new_data->group_name) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("group_name"));
+        }
+    }
+
+    if ( (old_data->options & CHECK_MTIME) && (old_data->mtime != new_data->mtime) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("mtime"));
+    }
+
+#ifndef WIN32
+    if ( (old_data->options & CHECK_INODE) && (old_data->inode != new_data->inode) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("inode"));
+    }
+#endif
+
+    if ( (old_data->options & CHECK_MD5SUM) && (strcmp(old_data->hash_md5, new_data->hash_md5) != 0) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("md5"));
+    }
+
+    if ( (old_data->options & CHECK_SHA1SUM) && (strcmp(old_data->hash_sha1, new_data->hash_sha1) != 0) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha1"));
+    }
+
+    if ( (old_data->options & CHECK_SHA256SUM) && (strcmp(old_data->hash_sha256, new_data->hash_sha256) != 0) ) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha256"));
+    }
+
+    return changed_attributes;
+}
+
+// Create file audit data JSON object
+
+cJSON * fim_audit_json(const whodata_evt * w_evt) {
+    cJSON * fim_audit = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(fim_audit, "user_id", w_evt->user_id);
+    cJSON_AddStringToObject(fim_audit, "user_name", w_evt->user_name);
+    cJSON_AddStringToObject(fim_audit, "process_name", w_evt->process_name);
+    cJSON_AddNumberToObject(fim_audit, "process_id", w_evt->process_id);
+#ifndef WIN32
+    cJSON_AddStringToObject(fim_audit, "cwd", w_evt->cwd);
+    cJSON_AddStringToObject(fim_audit, "group_id", w_evt->group_id);
+    cJSON_AddStringToObject(fim_audit, "group_name", w_evt->group_name);
+    cJSON_AddStringToObject(fim_audit, "audit_uid", w_evt->audit_uid);
+    cJSON_AddStringToObject(fim_audit, "audit_name", w_evt->audit_name);
+    cJSON_AddStringToObject(fim_audit, "effective_uid", w_evt->effective_uid);
+    cJSON_AddStringToObject(fim_audit, "effective_name", w_evt->effective_name);
+    cJSON_AddStringToObject(fim_audit, "parent_name", w_evt->parent_name);
+    cJSON_AddStringToObject(fim_audit, "parent_cwd", w_evt->parent_cwd);
+    cJSON_AddNumberToObject(fim_audit, "ppid", w_evt->ppid);
+#endif
+
+    return fim_audit;
+}
+
+// Create scan info JSON event
+
+cJSON * fim_scan_info_json(fim_scan_event event, long timestamp) {
+    cJSON * root = cJSON_CreateObject();
+    cJSON * data = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(root, "type", event == FIM_SCAN_START ? "scan_start" : "scan_end");
+    cJSON_AddItemToObject(root, "data", data);
+    cJSON_AddNumberToObject(data, "timestamp", timestamp);
+
+    return root;
+}
+
+int fim_check_ignore (const char *file_name) {
+    // Check if the file should be ignored
+    if (syscheck.ignore) {
+        int i = 0;
+        while (syscheck.ignore[i] != NULL) {
+            if (strncasecmp(syscheck.ignore[i], file_name, strlen(syscheck.ignore[i])) == 0) {
+                mdebug2(FIM_IGNORE_ENTRY, file_name, syscheck.ignore[i]);
+                return 1;
+            }
+            i++;
+        }
+    }
+
+    // Check in the regex entry
+    if (syscheck.ignore_regex) {
+        int i = 0;
+        while (syscheck.ignore_regex[i] != NULL) {
+            if (OSMatch_Execute(file_name, strlen(file_name), syscheck.ignore_regex[i])) {
+                mdebug2(FIM_IGNORE_SREGEX, file_name, syscheck.ignore_regex[i]->raw);
+                return 1;
+            }
+            i++;
+        }
+    }
+
+    return 0;
+}
+
+
+int fim_check_restrict (const char *file_name, OSMatch *restriction) {
+    if (file_name == NULL) {
+        merror(NULL_ERROR);
+        return 1;
+    }
+
+    // Restrict file types
+    if (restriction) {
+        if (!OSMatch_Execute(file_name, strlen(file_name), restriction)) {
+            mdebug2(FIM_FILE_IGNORE_RESTRICT, file_name, restriction->raw);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+
+void free_file_data(fim_file_data * data) {
+    if (!data) {
+        return;
+    }
+
+#ifdef WIN32
+    cJSON_Delete(data->perm_json);
+#endif
+    os_free(data->perm);
+    os_free(data->attributes);
+    os_free(data->uid);
+    os_free(data->gid);
+    os_free(data->user_name);
+    os_free(data->group_name);
+
+    os_free(data);
+}
+
+void fim_diff_folder_size() {
+    char *diff_local;
+
+    os_malloc(strlen(DIFF_DIR) + strlen("/local") + 1, diff_local);
+
+    snprintf(diff_local, strlen(DIFF_DIR) + strlen("/local") + 1, "%s/local", DIFF_DIR);
+
+    if (IsDir(diff_local) == 0) {
+        syscheck.diff_folder_size = DirSize(diff_local) / 1024;
+    }
+
+    os_free(diff_local);
+}
+
+void update_wildcards_config() {
+    OSList *removed_entries = NULL;
+    OSListNode *node_it;
+    OSListNode *aux_it;
+    directory_t *dir_it;
+    directory_t *new_entry;
+    char **paths;
+
+    if (syscheck.wildcards == NULL || syscheck.directories == NULL) {
+        return;
+    }
+
+    mdebug2(FIM_WILDCARDS_UPDATE_START);
+    w_rwlock_wrlock(&syscheck.directories_lock);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        dir_it->is_expanded = 0;
+    }
+
+    OSList_foreach(node_it, syscheck.wildcards) {
+        dir_it = node_it->data;
+        paths = expand_wildcards(dir_it->path);
+
+        if (paths == NULL) {
+            continue;
+        }
+
+        for (int i = 0; paths[i]; i++) {
+            new_entry = fim_copy_directory(dir_it);
+            os_free(new_entry->path);
+
+            new_entry->path = paths[i];
+#ifdef WIN32
+            str_lowercase(new_entry->path);
+#endif
+            new_entry->is_expanded = 1;
+
+            if (new_entry->diff_size_limit == -1) {
+                new_entry->diff_size_limit = syscheck.file_size_limit;
+            }
+
+            fim_insert_directory(syscheck.directories, new_entry);
+        }
+        os_free(paths);
+    }
+
+    removed_entries = OSList_Create();
+    if (removed_entries == NULL) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        w_rwlock_unlock(&syscheck.directories_lock);
+        return;
+    }
+    OSList_SetFreeDataPointer(removed_entries, (void (*)(void *))free_directory);
+
+    node_it = OSList_GetFirstNode(syscheck.directories);
+    while (node_it != NULL) {
+        dir_it = node_it->data;
+        if (dir_it->is_wildcard && dir_it->is_expanded == 0) {
+#if INOTIFY_ENABLED
+            if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+                fim_realtime_delete_watches(dir_it);
+            }
+#endif
+#if ENABLE_AUDIT
+            if (FIM_MODE(dir_it->options) == FIM_WHODATA) {
+                remove_audit_rule_syscheck(dir_it->path);
+            }
+#endif
+            // Inserting like this will cause the new list to have the order reversed to the one in syscheck.directories
+            // This will cause the following loop to delete "inner" directories before "outer" ones
+            OSList_PushData(removed_entries, dir_it);
+
+            // Delete node
+            aux_it = OSList_GetNext(syscheck.directories, node_it);
+            OSList_DeleteThisNode(syscheck.directories, node_it);
+            node_it = aux_it;
+        } else {
+            node_it = OSList_GetNext(syscheck.directories, node_it);
+        }
+    }
+
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    OSList_foreach(node_it, removed_entries) {
+        dir_it = node_it->data;
+        fim_process_wildcard_removed(dir_it);
+        mdebug2(FIM_WILDCARDS_REMOVE_DIRECTORY, dir_it->path);
+    }
+    OSList_Destroy(removed_entries);
+
+    mdebug2(FIM_WILDCARDS_UPDATE_FINALIZE);
+}
+
+// LCOV_EXCL_START
+void fim_print_info(struct timespec start, struct timespec end, clock_t cputime_start) {
+    mdebug1(FIM_RUNNING_SCAN,
+            time_diff(&start, &end),
+            (double)(clock() - cputime_start) / CLOCKS_PER_SEC);
+
+#ifdef WIN32
+    mdebug1(FIM_ENTRIES_INFO, fim_db_get_count_file_entry());
+    mdebug1(FIM_REGISTRY_ENTRIES_INFO, fim_db_get_count_registry_key());
+    mdebug1(FIM_REGISTRY_VALUES_ENTRIES_INFO, fim_db_get_count_registry_data());
+#else
+    unsigned inode_items = 0;
+    unsigned inode_paths = 0;
+
+    inode_items = fim_db_get_count_file_inode();
+    inode_paths = fim_db_get_count_file_entry();
+
+    mdebug1(FIM_INODES_INFO, inode_items, inode_paths);
+#endif
+
+    return;
+}
+
+char *fim_get_real_path(const directory_t *dir) {
+    char *real_path = NULL;
+
+#ifndef WIN32
+    w_mutex_lock(&syscheck.fim_symlink_mutex);
+
+    //Create a safe copy of the path to be used by other threads.
+    if ((dir->options & CHECK_FOLLOW) == 0) {
+        os_strdup(dir->path, real_path);
+    } else if (dir->symbolic_links) {
+        os_strdup(dir->symbolic_links, real_path);
+    } else if (IsLink(dir->path) == 0) { // Broken link
+        os_strdup("", real_path);
+    } else {
+        os_strdup(dir->path, real_path);
+    }
+
+    w_mutex_unlock(&syscheck.fim_symlink_mutex);
+#else // WIN32
+    os_strdup(dir->path, real_path);
+#endif
+
+    return real_path;
+}
+
+// Sleep during rt_delay milliseconds
+
+void fim_rt_delay() {
+    if (syscheck.rt_delay){
+#ifdef WIN32
+        Sleep(syscheck.rt_delay);
+#else
+        struct timeval timeout = {0, syscheck.rt_delay * 1000};
+        select(0, NULL, NULL, NULL, &timeout);
+#endif
+    }
+}
+
+// LCOV_EXCL_STOP
diff --git a/src/modules/fim/src/fim_diff_changes.c b/src/modules/fim/src/fim_diff_changes.c
new file mode 100644
index 0000000000..deedab2120
--- /dev/null
+++ b/src/modules/fim/src/fim_diff_changes.c
@@ -0,0 +1,1026 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "../os_crypto/md5/md5_op.h"
+#include "syscheck.h"
+
+
+// Remove static qualifier from tests
+#ifdef WAZUH_UNIT_TESTING
+
+#ifdef WIN32
+#include "../unit_tests/wrappers/windows/libc/stdio_wrappers.h"
+#endif
+
+#define static
+#endif
+
+#ifdef WIN32
+#define unlink(x) _unlink(x)
+#define FileSize(x) FileSizeWin(x)
+#define PATH_OFFSET 0
+#else
+#define PATH_OFFSET 1
+#endif
+
+static const char *STR_MORE_CHANGES = "More changes...";
+
+#ifdef WIN32
+
+/* Prototypes */
+
+/**
+ * @brief Initializes the structure with the data needed for diff
+ *
+ * @param key_name Name of the key
+ * @param value_name Name of the value
+ * @param configuration Syscheck configuration related to the key
+ *
+ * @return Structure with all the data necessary to compute differences
+ */
+diff_data *initialize_registry_diff_data(const char *key_name, const char *value_name, const registry_t *configuration);
+
+/**
+ * @brief Creates file with the value, writing the data according to its type
+ *
+ * @param value_data Content of the value to be checked
+ * @param data_type The type of value we are checking
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return -1 on error 0 on success
+ */
+int fim_diff_registry_tmp(const char *value_data,
+                          DWORD data_type,
+                          const diff_data *diff);
+
+#endif
+
+/**
+ * @brief Initializes the structure with the data needed for diff
+ *
+ * @param filename Path of file monitored
+ * @param configuration Configuration associated with the file
+ *
+ * @return Structure with all the data necessary to compute differences
+ */
+diff_data *initialize_file_diff_data(const char *filename, const directory_t *configuration);
+
+/**
+ * @brief Free the structure with the data needed for diff
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ */
+void free_diff_data(diff_data *diff);
+
+/**
+ * @brief Checks that the file being processed does not exceed the configuration limit
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return 0 if success, 1 if file_size too much large, 2 if quota is exceeded
+ */
+int fim_diff_check_limits(diff_data *diff);
+
+/**
+ * @brief Deletes the folder with the compressed file last-entry.gz
+ *
+ * @param folder Path of the folder to be removed
+ *
+ * @return -1 if some error occurs, 0 on success
+ */
+int fim_diff_delete_compress_folder(const char *folder);
+
+/**
+ * @brief Checks if diff_quota is reached with a estimation of the compressed file size
+ *
+ * @param file_size Size of the uncompressed file
+ *
+ * @return False if the compressed file doesn't fit into the quota
+ */
+int fim_diff_estimate_compression(float file_size);
+
+/**
+ * @brief Compresses the file in a temporal folder and checks that it fits into the quota
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return -1 if file can't be compressed, or if it doesn't fit into the quota
+ */
+int fim_diff_create_compress_file(const diff_data *diff);
+
+/**
+ * @brief Modifies the compression ratio to be used in the following estimates
+ *
+ * @param compressed_size Size of the compressed file
+ * @param uncompressed_size Size of the uncompressed file
+ */
+void fim_diff_modify_compress_estimation(float compressed_size, float uncompressed_size);
+
+/**
+ * @brief Compares MD5 hashes of the old and new files to see if they are the same
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return -1 if old and new files are the same, 0 if they are different
+ */
+int fim_diff_compare(const diff_data *diff);
+
+/**
+ * @brief Generates the diff file with the result of the diff/fc command (only if nodiff is not configured)
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return String with the changes to add to the alert
+ */
+char *fim_diff_generate(const diff_data *diff);
+
+/**
+ * @brief Reads the diff file and generates the string with the differences
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ *
+ * @return String with the changes to add to the alert
+ */
+char *gen_diff_str(const diff_data *diff);
+
+/**
+ * @brief Checks if a specific file has been configured with the ``nodiff`` option
+ *
+ * @param filename The name of the file to check
+ * @return 1 if the file has been configured with the ``nodiff`` option, 0 if not
+ */
+int is_file_nodiff(const char *filename);
+
+/**
+ * @brief Checks if a specific registry value has been configured with the ``nodiff`` option
+ *
+ * @param key_name The name of the key to check
+ * @param value_name The name of the value to check
+ * @param arch Architecture type of the value to check
+ * @return 1 if the value has been configured with the ``nodiff`` option, 0 if not
+ */
+int is_registry_nodiff(const char *key_name, const char *value_name, int arch);
+
+/**
+ * @brief Filter a path so that it cannot contain strange symbols. In the case of Windows, change the '/' to '\'.
+ *
+ * @param string String with the path to be filtered
+ *
+ * @return A pointer to the filtered path
+ */
+char* filter(const char *string);
+
+/**
+ * @brief Saves the temporal compress file into the compress folder
+ *
+ * @param diff Structure with all the data necessary to compute differences
+ */
+void save_compress_file(const diff_data *diff);
+
+#ifdef WIN32
+
+/**
+ * @brief Adapts the fc output to be the same as the diff
+ *
+ * @param command_output Output of the fc command
+ *
+ * @return Adapted output
+ */
+char *adapt_win_fc_output(char *command_output);
+
+/* Definitions */
+
+char *fim_registry_value_diff(const char *key_name,
+                              const char *value_name,
+                              const char *value_data,
+                              DWORD data_type,
+                              const registry_t *configuration) {
+
+    char *diff_changes = NULL;
+    int ret;
+
+    // Invalid types for report_changes
+    if (!(data_type == REG_SZ ||
+          data_type == REG_EXPAND_SZ ||
+          data_type == REG_MULTI_SZ ||
+          data_type == REG_DWORD ||
+          data_type == REG_DWORD_BIG_ENDIAN ||
+          data_type == REG_QWORD)) {
+            mdebug2(FIM_REG_VAL_INVALID_TYPE, key_name, value_name);
+            return NULL;
+    }
+
+    // Generate diff structure
+    diff_data *diff = initialize_registry_diff_data(key_name, value_name, configuration);
+    if (!diff){
+        goto cleanup;
+    }
+
+    // Create tmp directory and file with de content of the registry
+    if (fim_diff_registry_tmp(value_data, data_type, diff) == -1){
+        goto cleanup;
+    }
+
+    char full_value_name[PATH_MAX];
+    snprintf(full_value_name, PATH_MAX, "%s\\%s", key_name, value_name);
+
+    // Check for file limit and disk quota
+    if (ret = fim_diff_check_limits(diff), ret == 1) {
+        mdebug2(FIM_BIG_FILE_REPORT_CHANGES, full_value_name);
+        os_strdup("Unable to calculate diff due to 'file_size' limit has been reached.", diff_changes);
+        goto cleanup;
+    } else if (ret == 2){
+        mdebug2(FIM_DISK_QUOTA_LIMIT_REACHED, "estimation", full_value_name);
+        os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        goto cleanup;
+    }
+
+    // If the file is not there, create compressed file and return.
+    if (w_uncompress_gzfile(diff->compress_file, diff->uncompress_file) != 0) {
+        if (ret = fim_diff_create_compress_file(diff), ret == 0){
+            mkdir_ex(diff->compress_folder);
+            save_compress_file(diff);
+            os_strdup("Unable to calculate diff due to no previous data stored for this registry value.", diff_changes);
+        } else if (ret == -2){
+            os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        }
+        goto cleanup;
+    }
+
+    // If it exists, estimate the new compressed file
+    float backup_file_size = (FileSize(diff->compress_file) / 1024.0f);
+    syscheck.diff_folder_size -= backup_file_size;
+    if (ret = fim_diff_create_compress_file(diff), ret != 0) {
+        syscheck.diff_folder_size += backup_file_size;
+        if (ret == -2){
+            os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        }
+        goto cleanup;
+    }
+
+    if (fim_diff_compare(diff) == -1) {
+        mdebug2(FIM_DIFF_IDENTICAL_MD5_FILES);
+        syscheck.diff_folder_size += backup_file_size;
+        os_strdup("No content changes were found for this registry value.", diff_changes);
+        goto cleanup;
+    }
+
+    if (is_registry_nodiff(key_name, value_name, configuration->arch)) {
+        os_strdup("Diff truncated due to 'nodiff' configuration detected for this registry value.", diff_changes);
+        syscheck.diff_folder_size += backup_file_size;
+        goto cleanup;
+    }
+
+    if (diff_changes = fim_diff_generate(diff), !diff_changes){
+        syscheck.diff_folder_size += backup_file_size;
+        goto cleanup;
+    }
+
+    save_compress_file(diff);
+
+cleanup:
+
+    if (rmdir_ex(diff->tmp_folder) < 0) {
+        mdebug2(RMDIR_ERROR, diff->tmp_folder, errno, strerror(errno));
+    }
+
+    free_diff_data(diff);
+
+    return diff_changes;
+}
+
+
+diff_data *initialize_registry_diff_data(const char *key_name, const char *value_name, const registry_t *configuration) {
+    diff_data *diff;
+    char buffer[PATH_MAX];
+
+    os_calloc(1, sizeof(diff_data), diff);
+
+    diff->file_size = 0;
+    diff->size_limit = configuration->diff_size_limit;
+
+    os_sha1 encoded_key;
+    os_sha1 encoded_value;
+    OS_SHA1_Str(key_name, -1, encoded_key);
+    OS_SHA1_Str(value_name, -1, encoded_value);
+
+    if (configuration->arch){
+        snprintf(buffer, PATH_MAX, "%s/registry/[x64] %s/%s", DIFF_DIR, encoded_key, encoded_value);
+    } else {
+        snprintf(buffer, PATH_MAX, "%s/registry/[x32] %s/%s", DIFF_DIR, encoded_key, encoded_value);
+    }
+    os_strdup(buffer, diff->compress_folder);
+
+    snprintf(buffer, PATH_MAX, "%s/last-entry.gz", diff->compress_folder);
+    os_strdup(buffer, diff->compress_file);
+
+    snprintf(buffer, PATH_MAX, "%s/tmp", DIFF_DIR);
+    os_strdup(buffer, diff->tmp_folder);
+
+    if (configuration->arch){
+        snprintf(buffer, PATH_MAX, "%s/[x64] %s%s", diff->tmp_folder, encoded_key, encoded_value);
+    } else {
+        snprintf(buffer, PATH_MAX, "%s/[x32] %s%s", diff->tmp_folder, encoded_key, encoded_value);
+    }
+    os_strdup(buffer, diff->file_origin);
+
+    snprintf(buffer, PATH_MAX, "%s/tmp-entry", diff->tmp_folder);
+    os_strdup(buffer, diff->uncompress_file);
+
+    snprintf(buffer, PATH_MAX, "%s/tmp-entry.gz", diff->tmp_folder);
+    os_strdup(buffer, diff->compress_tmp_file);
+
+    snprintf(buffer, PATH_MAX, "%s/diff-file", diff->tmp_folder);
+    os_strdup(buffer, diff->diff_file);
+
+    return diff;
+}
+
+int fim_diff_registry_tmp(const char *value_data,
+                          DWORD data_type,
+                          const diff_data *diff) {
+
+    char *aux_data = NULL;
+    int ret = 0;
+
+    mkdir_ex(diff->tmp_folder);
+    FILE *fp = wfopen(diff->file_origin, "w");
+    if (NULL != fp) {
+        switch (data_type) {
+            case REG_SZ:
+            case REG_EXPAND_SZ:
+                fprintf(fp, "%s", value_data);
+                break;
+
+            case REG_MULTI_SZ:
+                while (*value_data) {
+                    fprintf(fp, "%s\n", value_data);
+                    value_data += strlen(value_data) + 1;
+                }
+                break;
+
+            case REG_DWORD:
+                fprintf(fp, "%04x", *((unsigned int*)value_data));
+                break;
+
+            case REG_DWORD_BIG_ENDIAN:
+                os_calloc(1, 4, aux_data);
+
+                for (int i = 0; i < 4; i++){
+                    aux_data[i] = value_data[4 - i - 1];
+                }
+                fprintf(fp, "%04x", *((unsigned int*)aux_data));
+
+                os_free(aux_data);
+                break;
+
+            case REG_QWORD:
+                fprintf(fp, "%llx", *((unsigned long long*)value_data));
+                break;
+
+            default:
+                // Wrong type
+                mwarn(FIM_REG_VAL_WRONG_TYPE);
+                ret = -1;
+                break;
+        }
+        fclose(fp);
+    } else {
+        merror(FOPEN_ERROR, diff->file_origin, errno, strerror(errno));
+        return -1;
+    }
+
+    return ret;
+}
+
+#endif
+
+char *fim_file_diff(const char *filename, const directory_t *configuration) {
+
+    char *diff_changes = NULL;
+    int ret;
+
+    // Generate diff structure
+    diff_data *diff = initialize_file_diff_data(filename, configuration);
+    if (!diff){
+        return NULL;
+    }
+
+    mkdir_ex(diff->tmp_folder);
+
+    // Check for file limit and disk quota
+    if (ret = fim_diff_check_limits(diff), ret == 1) {
+        mdebug2(FIM_BIG_FILE_REPORT_CHANGES, filename);
+        os_strdup("Unable to calculate diff due to 'file_size' limit has been reached.", diff_changes);
+        goto cleanup;
+    } else if (ret == 2){
+        mdebug2(FIM_DISK_QUOTA_LIMIT_REACHED, "estimation", filename);
+        os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        goto cleanup;
+    }
+
+    // If the file is not there, create compressed file and return.
+    if (w_uncompress_gzfile(diff->compress_file, diff->uncompress_file) != 0) {
+        if (ret = fim_diff_create_compress_file(diff), ret == 0){
+            mkdir_ex(diff->compress_folder);
+            save_compress_file(diff);
+            os_strdup("Unable to calculate diff due to no previous data stored for this file.", diff_changes);
+        } else if (ret == -2){
+            os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        }
+        goto cleanup;
+    }
+
+    // If it exists, estimate the new compressed file
+    float backup_file_size = (FileSize(diff->compress_file) / 1024.0f);
+    syscheck.diff_folder_size -= backup_file_size;
+    if (ret = fim_diff_create_compress_file(diff), ret != 0) {
+        syscheck.diff_folder_size += backup_file_size;
+        if (ret == -2){
+            os_strdup("Unable to calculate diff due to 'disk_quota' limit has been reached.", diff_changes);
+        }
+        goto cleanup;
+    }
+
+    if (fim_diff_compare(diff) == -1) {
+        mdebug2(FIM_DIFF_IDENTICAL_MD5_FILES);
+        syscheck.diff_folder_size += backup_file_size;
+        os_strdup("No content changes were found for this file.", diff_changes);
+        goto cleanup;
+    }
+
+    if (is_file_nodiff(diff->file_origin)) {
+        os_strdup("Diff truncated due to 'nodiff' configuration detected for this file.", diff_changes);
+        syscheck.diff_folder_size += backup_file_size;
+        goto cleanup;
+    }
+
+    if (diff_changes = fim_diff_generate(diff), !diff_changes){
+        syscheck.diff_folder_size += backup_file_size;
+        goto cleanup;
+    }
+
+    save_compress_file(diff);
+
+cleanup:
+
+    if (rmdir_ex(diff->tmp_folder) < 0) {
+        mdebug2(RMDIR_ERROR, diff->tmp_folder, errno, strerror(errno));
+    }
+
+    free_diff_data(diff);
+
+    return diff_changes;
+}
+
+
+diff_data *initialize_file_diff_data(const char *filename, const directory_t *configuration){
+    diff_data *diff;
+    char buffer[PATH_MAX];
+    char abs_diff_dir_path[PATH_MAX];
+    os_sha1 encoded_path;
+
+    os_calloc(1, sizeof(diff_data), diff);
+
+    // Get diff_size_limit of filename
+    diff->file_size = 0;
+
+    if (syscheck.file_size_enabled) {
+        diff->size_limit = configuration->diff_size_limit;
+    }
+
+    // Get absolute path of filename:
+    if (abspath(filename, buffer, sizeof(buffer)) == NULL) {
+        merror(FIM_ERROR_GET_ABSOLUTE_PATH, filename, strerror(errno), errno);
+        goto error;
+    }
+
+    os_strdup(buffer, diff->file_origin);
+
+#ifdef WIN32
+    // Get cwd for Windows
+    if (abspath(DIFF_DIR, abs_diff_dir_path, sizeof(abs_diff_dir_path)) == NULL) {
+        merror(FIM_ERROR_GET_ABSOLUTE_PATH, abs_diff_dir_path, strerror(errno), errno);
+        goto error;
+    }
+#else
+    strcpy(abs_diff_dir_path, DIFF_DIR);
+#endif
+
+    OS_SHA1_Str(buffer, -1, encoded_path);
+
+    os_snprintf(buffer, PATH_MAX, "%s/file/%s", abs_diff_dir_path, encoded_path);
+    os_strdup(buffer, diff->compress_folder);
+
+    snprintf(buffer, PATH_MAX, "%s/last-entry.gz", diff->compress_folder);
+    os_strdup(buffer, diff->compress_file);
+
+    os_snprintf(buffer, PATH_MAX, "%s/tmp", abs_diff_dir_path);
+    os_strdup(buffer, diff->tmp_folder);
+
+    snprintf(buffer, PATH_MAX, "%s/tmp-entry", diff->tmp_folder);
+    os_strdup(buffer, diff->uncompress_file);
+
+    snprintf(buffer, PATH_MAX, "%s/tmp-entry.gz", diff->tmp_folder);
+    os_strdup(buffer, diff->compress_tmp_file);
+
+    snprintf(buffer, PATH_MAX, "%s/diff-file", diff->tmp_folder);
+    os_strdup(buffer, diff->diff_file);
+
+    return diff;
+
+error:
+    free_diff_data(diff);
+    return NULL;
+}
+
+void free_diff_data(diff_data *diff) {
+    if (!diff){
+        return;
+    }
+
+    os_free(diff->compress_folder);
+    os_free(diff->compress_file);
+    os_free(diff->tmp_folder);
+    os_free(diff->file_origin);
+    os_free(diff->uncompress_file);
+    os_free(diff->compress_tmp_file);
+    os_free(diff->diff_file);
+
+    free(diff);
+}
+
+int fim_diff_check_limits(diff_data *diff) {
+    diff->file_size = (float)FileSize(diff->file_origin) / 1024;
+
+    if (syscheck.file_size_enabled) {
+        if (diff->file_size > diff->size_limit) {
+            fim_diff_delete_compress_folder(diff->compress_folder);
+            return 1;
+        }
+    }
+    // Estimate if the file could fit in the disk_quota limit. If not, return.
+    if (syscheck.disk_quota_enabled && !fim_diff_estimate_compression(diff->file_size)) {
+        return 2;
+    }
+
+    return 0;
+}
+
+int fim_diff_delete_compress_folder(const char *folder) {
+    float dir_size = 0.0;
+
+    if (IsDir(folder) == -1) {
+        return -2;     // The folder does not exist
+    }
+
+    dir_size = (float)DirSize(folder) / 1024;
+
+    if (rmdir_ex(folder) < 0) {
+        mdebug2(RMDIR_ERROR, folder, errno, strerror(errno));
+        return -1;
+    } else if (dir_size != -1) {
+        syscheck.diff_folder_size -= dir_size;
+        if (!syscheck.disk_quota_full_msg) {
+            syscheck.disk_quota_full_msg = true;
+        }
+        if (syscheck.diff_folder_size < 0) {
+            syscheck.diff_folder_size = 0;
+        }
+    }
+
+    if (remove_empty_folders(folder) == -1) {
+        return -1;
+    }
+
+    mdebug2(FIM_DIFF_FOLDER_DELETED, folder);
+    return 0;
+}
+
+int fim_diff_estimate_compression(float file_size) {
+    float compressed_estimation = file_size - (syscheck.comp_estimation_perc * file_size);
+    return ((syscheck.diff_folder_size + compressed_estimation) <= syscheck.disk_quota_limit);
+}
+
+int fim_diff_create_compress_file(const diff_data *diff) {
+    if (w_compress_gzfile(diff->file_origin, diff->compress_tmp_file) != 0) {
+        mwarn(FIM_WARN_GENDIFF_SNAPSHOT, diff->file_origin);
+        return -1;
+    } else if (syscheck.disk_quota_enabled) {
+        unsigned int zip_size = FileSize(diff->compress_tmp_file) / 1024;
+
+        if (syscheck.diff_folder_size + zip_size > syscheck.disk_quota_limit) {
+            if (syscheck.disk_quota_full_msg) {
+                syscheck.disk_quota_full_msg = false;
+                mdebug2(FIM_DISK_QUOTA_LIMIT_REACHED, "calculate", diff->file_origin);
+            }
+            fim_diff_modify_compress_estimation(zip_size, diff->file_size);
+            return -2;
+        }
+    }
+
+    return 0;
+}
+
+void fim_diff_modify_compress_estimation(float compressed_size, float uncompressed_size) {
+    float compression_rate = 1 - (compressed_size / uncompressed_size);
+
+    if (compression_rate < 0.1) {
+        return;     // Small compression rates won't update the estimation value
+    }
+
+    syscheck.comp_estimation_perc = (compression_rate + syscheck.comp_estimation_perc) / 2;
+
+    if (syscheck.comp_estimation_perc < MIN_COMP_ESTIM) {
+        syscheck.comp_estimation_perc = MIN_COMP_ESTIM;
+    }
+}
+
+int fim_diff_compare(const diff_data *diff) {
+    os_md5 md5sum_old;
+    os_md5 md5sum_new;
+
+    md5sum_new[0] = '\0';
+    md5sum_old[0] = '\0';
+
+    /* Get md5sum of the old file */
+    if (OS_MD5_File(diff->uncompress_file, md5sum_old, OS_BINARY) != 0) {
+        return -1;
+    }
+
+    /* Get md5sum of the new file */
+    if (OS_MD5_File(diff->file_origin, md5sum_new, OS_BINARY) != 0) {
+        return -1;
+    }
+
+    /* If they match (not changes), keep the compress file and remove the uncompress, wait for changes */
+    if (strcmp(md5sum_new, md5sum_old) == 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
+char *fim_diff_generate(const diff_data *diff) {
+    char diff_cmd[PATH_MAX * 3 + OS_SIZE_1024];
+    char *diff_str = NULL;
+    char *uncompress_file_filtered = NULL;
+    char *file_origin_filtered = NULL;
+    char *diff_file_filtered = NULL;
+    int status = -1;
+
+    uncompress_file_filtered = filter(diff->uncompress_file);
+    file_origin_filtered = filter(diff->file_origin);
+    diff_file_filtered = filter(diff->diff_file);
+
+    if (!(uncompress_file_filtered && file_origin_filtered && diff_file_filtered)) {
+        mdebug1(FIM_DIFF_SKIPPED);
+        os_free(uncompress_file_filtered);
+        os_free(file_origin_filtered);
+        os_free(diff_file_filtered);
+        return NULL;
+    }
+
+    snprintf(
+        diff_cmd,
+        sizeof(diff_cmd),
+#ifndef WIN32
+        "diff \"%s\" \"%s\" > \"%s\" 2> /dev/null",
+#else
+        "fc /n \"%s\" \"%s\" > \"%s\" 2> nul",
+#endif
+        uncompress_file_filtered,
+        file_origin_filtered,
+        diff_file_filtered
+    );
+    os_free(uncompress_file_filtered);
+    os_free(file_origin_filtered);
+    os_free(diff_file_filtered);
+
+    status = system(diff_cmd);
+
+#ifndef WIN32
+    if (status == 256){
+#else
+    if (status == 0){
+        mdebug2(FIM_DIFF_COMMAND_OUTPUT_EQUAL);
+    } else if (status == 1){
+#endif
+        diff_str = gen_diff_str(diff);
+    } else {
+        merror(FIM_DIFF_COMMAND_OUTPUT_ERROR);
+    }
+
+    return diff_str;
+}
+
+char *gen_diff_str(const diff_data *diff){
+    FILE *fp;
+    char buf[OS_MAXSTR + 1];
+    char *diff_str;
+    size_t n = 0;
+
+    fp = wfopen(diff->diff_file, "rb");
+    if (!fp) {
+        merror(FIM_ERROR_GENDIFF_OPEN, diff->diff_file);
+        return NULL;
+    }
+
+    n = fread(buf, 1, OS_MAXSTR - OS_SK_HEADER - 1, fp);
+    fclose(fp);
+    unlink(diff->diff_file);
+
+    if (!n){
+        merror(FIM_ERROR_GENDIFF_READ);
+        return NULL;
+    }
+
+    buf[n] = '\0';
+
+#ifdef WIN32
+    if (diff_str = adapt_win_fc_output(buf), !diff_str) {
+        return NULL;
+    }
+    n = strlen(diff_str);
+    char *p = strchr(buf, '\n');
+
+    if (p && p[1] != '*') {
+        if (n + strlen(STR_MORE_CHANGES) >= OS_MAXSTR - OS_SK_HEADER - 1) {
+            n -= strlen(STR_MORE_CHANGES);
+
+            while (n > 0 && diff_str[n - 1] != '\n')
+                n--;
+        }
+        strcpy(diff_str + n, STR_MORE_CHANGES);
+    }
+#else
+    os_strdup(buf, diff_str);
+
+    if(n >= OS_MAXSTR - OS_SK_HEADER - 1) {
+        n -= strlen(STR_MORE_CHANGES);
+
+        while (n > 0 && diff_str[n - 1] != '\n')
+            n--;
+
+        strcpy(diff_str + n, STR_MORE_CHANGES);
+    }
+#endif
+
+    return diff_str;
+}
+
+void save_compress_file(const diff_data *diff){
+    if (rename_ex(diff->compress_tmp_file, diff->compress_file) != 0) {
+        merror(RENAME_ERROR, diff->compress_tmp_file, diff->compress_file, errno, strerror(errno));
+        return;
+    }
+    if (syscheck.disk_quota_enabled){
+        syscheck.diff_folder_size += FileSize(diff->compress_file) / 1024.0f;
+    }
+    return;
+}
+
+int is_file_nodiff(const char *filename){
+    int i;
+    if (syscheck.nodiff){
+        for (i = 0; syscheck.nodiff[i] != NULL; i++){
+            if ((strcmp(syscheck.nodiff[i], filename)) == 0) {
+                return 1;
+            }
+        }
+    }
+    if (syscheck.nodiff_regex) {
+        for (i = 0; syscheck.nodiff_regex[i] != NULL; i++) {
+            if (OSMatch_Execute(filename, strlen(filename),
+                                syscheck.nodiff_regex[i])) {
+                 return 1;
+            }
+        }
+    }
+    return 0;
+}
+
+#ifdef WIN32
+int is_registry_nodiff(const char *key_name, const char *value_name, int arch){
+    char full_value_name[PATH_MAX];
+    int i;
+
+    snprintf(full_value_name, PATH_MAX, "%s\\%s", key_name, value_name);
+
+    if (syscheck.registry_nodiff){
+        for (i = 0; syscheck.registry_nodiff[i].entry != NULL; i++) {
+            if (syscheck.registry_nodiff[i].arch != arch) {
+                continue;
+            }
+            if ((strcmp(syscheck.registry_nodiff[i].entry, full_value_name)) == 0) {
+                return 1;
+            }
+        }
+    }
+
+    if (syscheck.registry_nodiff_regex) {
+        for (i = 0; syscheck.registry_nodiff_regex[i].regex != NULL; i++) {
+            if (syscheck.registry_nodiff_regex[i].arch != arch) {
+                continue;
+            }
+            if (OSMatch_Execute(full_value_name, strlen(full_value_name), syscheck.registry_nodiff_regex[i].regex)) {
+                return 1;
+            }
+        }
+    }
+
+    return 0;
+}
+#endif
+
+char* filter(const char *string) {
+#ifndef WIN32
+    /* Unix version: we'll escape expansion symbols */
+    char *out;
+    const char *ptr;
+    size_t clen;
+    size_t len = strcspn(string, "\"\\$`");
+    os_malloc(len + 1, out);
+    ptr = string + len;
+    strncpy(out, string, len);
+
+    while (*ptr) {
+        clen = strcspn(ptr + 1, "\"\\$`");
+        out = realloc(out, len + clen + 3);
+        if(!out){
+            merror_exit(MEM_ERROR, errno, strerror(errno)); // LCOV_EXCL_LINE
+        }
+        out[len] = '\\';
+        out[len + 1] = *ptr;
+        strncpy(out + len + 2, ptr + 1, clen);
+        len += clen + 2;
+        ptr += clen + 1;
+    }
+
+    out[len] = '\0';
+    return out;
+#else
+    /* Windows file names can't contain the following characters:
+        \ / : * ? " < > |
+        We'll ban strings that contain dangerous characters and convert / into \ */
+
+    char *s;
+    char *c;
+
+    if (strchr(string, '%'))
+        return NULL;
+
+    s = strdup(string);
+    c = s;
+
+    while (c = strchr(c, '/'), c)
+        *c = '\\';
+
+    return s;
+#endif
+}
+
+#ifdef WIN32
+char *adapt_win_fc_output(char *command_output) {
+    char *adapted_output;
+    char *line;
+    char *next_line;
+    const char *line_tag = ":  ";
+    const char *split_tag = "---";
+    char line_mode = 0; // 0: waiting for section, 1: remove, 2: add
+    char first_line = 0;
+    size_t line_tag_size = strlen(line_tag);
+    size_t written = 0;
+
+    if (line = strchr(command_output, '\n'), !line) {
+        mdebug2("%s: %s", FIM_ERROR_GENDIFF_SECONDLINE_MISSING, command_output);
+        return strdup(command_output);
+    }
+
+    os_calloc(OS_MAXSTR + 1, sizeof(char), adapted_output);
+
+    while (line) {
+        next_line = strstr(++line, "\r\n");
+
+        if (*line == '*') {
+            if (next_line) {
+                next_line++;
+            }
+
+            if (!line_mode) {
+                if (first_line) {
+                    written += snprintf(adapted_output + written, OS_MAXSTR - written, "%s\n", split_tag);
+                }
+                first_line = 1;
+            } else if (line_mode == 1) {
+                written += snprintf(adapted_output + written, OS_MAXSTR - written, "%s\n", split_tag);
+            }
+
+            line_mode = (line_mode + 1) % 3;
+            goto next_it;
+        }
+
+        if (next_line) {
+            *(next_line++) = '\0';
+            *next_line = '\0';
+        }
+
+        if (line = strstr(line, line_tag), !line) {
+            goto next_it;
+        } else {
+            line += line_tag_size;
+        }
+
+        written += snprintf(adapted_output + written, OS_MAXSTR - written, "%s%s%s", line_mode == 1 ? "< " : "> ", line, next_line ? "\n" : "");
+
+next_it:
+        line = next_line;
+    }
+
+    return adapted_output;
+}
+#endif
+
+void fim_diff_process_delete_file(const char *filename){
+    char *full_path;
+    char buffer[PATH_MAX];
+    int ret;
+    os_sha1 encoded_path;
+
+    if (abspath(filename, buffer, sizeof(buffer)) == NULL) {
+        merror(FIM_ERROR_GET_ABSOLUTE_PATH, filename, strerror(errno), errno);
+        return;
+    }
+
+    OS_SHA1_Str(buffer, -1, encoded_path);
+
+    snprintf(buffer, PATH_MAX, "%s/file/%s", DIFF_DIR, encoded_path);
+    os_strdup(buffer, full_path);
+
+    ret = fim_diff_delete_compress_folder(full_path);
+    if(ret == -1){
+        merror(FIM_DIFF_DELETE_DIFF_FOLDER_ERROR, full_path);
+    } else if (ret == -2){
+        mdebug2(FIM_DIFF_FOLDER_NOT_EXIST, full_path);
+    }
+
+    os_free(full_path);
+    return;
+}
+
+#ifdef WIN32
+void fim_diff_process_delete_registry(const char *key_name, int arch){
+    char full_path[PATH_MAX];
+    os_sha1 encoded_key;
+    int ret;
+
+    OS_SHA1_Str(key_name, strlen(key_name), encoded_key);
+
+    if (arch){
+        snprintf(full_path, PATH_MAX, "%s/registry/[x64] %s", DIFF_DIR, encoded_key);
+    } else {
+        snprintf(full_path, PATH_MAX, "%s/registry/[x32] %s", DIFF_DIR, encoded_key);
+    }
+
+    ret = fim_diff_delete_compress_folder(full_path);
+    if(ret == -1){
+        merror(FIM_DIFF_DELETE_DIFF_FOLDER_ERROR, full_path);
+    } else if (ret == -2){
+        mdebug2(FIM_DIFF_FOLDER_NOT_EXIST, full_path);
+    }
+
+    return;
+}
+
+void fim_diff_process_delete_value(const char *key_name, const char *value_name, int arch){
+    char full_path[PATH_MAX];
+    os_sha1 encoded_key;
+    os_sha1 encoded_value;
+    int ret;
+
+    OS_SHA1_Str(key_name, strlen(key_name), encoded_key);
+    OS_SHA1_Str(value_name, strlen(value_name), encoded_value);
+
+    if (arch){
+        snprintf(full_path, PATH_MAX, "%s/registry/[x64] %s/%s", DIFF_DIR, encoded_key, encoded_value);
+    } else {
+        snprintf(full_path, PATH_MAX, "%s/registry/[x32] %s/%s", DIFF_DIR, encoded_key, encoded_value);
+    }
+
+    ret = fim_diff_delete_compress_folder(full_path);
+    if(ret == -1){
+        merror(FIM_DIFF_DELETE_DIFF_FOLDER_ERROR, full_path);
+    } else if (ret == -2){
+        mdebug2(FIM_DIFF_FOLDER_NOT_EXIST, full_path);
+    }
+
+    return;
+}
+#endif
diff --git a/src/modules/fim/src/main.c b/src/modules/fim/src/main.c
new file mode 100644
index 0000000000..6d20841d0f
--- /dev/null
+++ b/src/modules/fim/src/main.c
@@ -0,0 +1,345 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Syscheck
+ * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
+ */
+#include "shared.h"
+#include "syscheck.h"
+#include "../rootcheck/rootcheck.h"
+#include "db.h"
+
+#ifndef WIN32
+
+#define Q(x) #x
+#define QUOTE(x) Q(x)
+
+// LCOV_EXCL_START
+
+/* Print help statement */
+__attribute__((noreturn)) static void help_syscheckd()
+{
+    print_header();
+    print_out("  %s: -[Vhdtf] [-c config]", ARGV0);
+    print_out("    -V          Version and license message");
+    print_out("    -h          This help message");
+    print_out("    -d          Execute in debug mode. This parameter");
+    print_out("                can be specified multiple times");
+    print_out("                to increase the debug level.");
+    print_out("    -t          Test configuration");
+    print_out("    -f          Run in foreground");
+    print_out("    -c <config> Configuration file to use (default: %s)", OSSECCONF);
+    print_out(" ");
+    exit(1);
+}
+
+extern bool is_fim_shutdown;
+
+/* Shut down syscheckd properly */
+static void fim_shutdown(int sig)
+{
+    /* Close sync thread and release dbsync and rsync */
+    minfo(SK_SHUTDOWN);
+    is_fim_shutdown = true;
+    fim_db_teardown();
+    HandleSIG(sig);
+}
+
+/* Syscheck unix main */
+int main(int argc, char **argv)
+{
+    int c, r;
+    int debug_level = 0;
+    int test_config = 0, run_foreground = 0;
+    const char *cfg = OSSECCONF;
+    gid_t gid;
+    const char *group = QUOTE(GROUPGLOBAL);
+    directory_t *dir_it = NULL;
+    int start_realtime = 0;
+
+    /* Set the name */
+    OS_SetName(ARGV0);
+
+    char * home_path = w_homedir(argv[0]);
+
+    while ((c = getopt(argc, argv, "Vtdhfc:")) != -1) {
+        switch (c) {
+            case 'V':
+                print_version();
+                break;
+            case 'h':
+                help_syscheckd();
+                break;
+            case 'd':
+                nowDebug();
+                debug_level ++;
+                break;
+            case 'f':
+                run_foreground = 1;
+                break;
+            case 'c':
+                if (!optarg) {
+                    merror_exit("-c needs an argument");
+                }
+                cfg = optarg;
+                break;
+            case 't':
+                test_config = 1;
+                break;
+            default:
+                help_syscheckd();
+                break;
+        }
+    }
+
+    /* Change current working directory */
+    if (chdir(home_path) == -1) {
+        merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
+    }
+
+    mdebug1(WAZUH_HOMEDIR, home_path);
+    os_free(home_path);
+
+    /* Check if the group given is valid */
+    gid = Privsep_GetGroup(group);
+    if (gid == (gid_t) - 1) {
+        merror_exit(USER_ERROR, "", group, strerror(errno), errno);
+    }
+
+    /* Privilege separation */
+    if (Privsep_SetGroup(gid) < 0) {
+        merror_exit(SETGID_ERROR, group, errno, strerror(errno));
+    }
+
+    /* Initialize error logging for shared modulesd */
+    dbsync_initialize(loggingErrorFunction);
+    rsync_initialize(loggingErrorFunction);
+
+    /* Read internal options */
+    read_internal(debug_level);
+
+    /* Check if the configuration is present */
+    if (File_DateofChange(cfg) < 0) {
+        merror_exit(NO_CONFIG, cfg);
+    }
+
+    /* Read syscheck config */
+    if ((r = Read_Syscheck_Config(cfg)) < 0) {
+        mwarn(RCONFIG_ERROR, SYSCHECK, cfg);
+        syscheck.disabled = 1;
+    } else if ((r == 1) || (syscheck.disabled == 1)) {
+        if (syscheck.directories == NULL || OSList_GetFirstNode(syscheck.directories) == NULL) {
+            if (!test_config) {
+                minfo(FIM_DIRECTORY_NOPROVIDED);
+            }
+        }
+
+        if (!syscheck.ignore) {
+            os_calloc(1, sizeof(char *), syscheck.ignore);
+        } else {
+            os_free(syscheck.ignore[0]);
+        }
+
+        if (!test_config) {
+            minfo(FIM_DISABLED);
+        }
+    }
+
+    /* Rootcheck config */
+    if (rootcheck_init(test_config) == 0) {
+        syscheck.rootcheck = 1;
+    } else {
+        syscheck.rootcheck = 0;
+    }
+
+    /* Exit if testing config */
+    if (test_config) {
+        exit(0);
+    }
+
+    /* Setup libmagic */
+#ifdef USE_MAGIC
+    init_magic(&magic_cookie);
+#endif
+
+    if (!run_foreground) {
+        nowDaemon();
+        goDaemon();
+    }
+
+    /* Start signal handling */
+    StartSIG2(ARGV0, fim_shutdown);
+
+    // Start com request thread
+    w_create_thread(syscom_main, NULL);
+
+    /* Create pid */
+    if (CreatePID(ARGV0, getpid()) < 0) {
+        merror_exit(PID_ERROR);
+    }
+
+    if (syscheck.rootcheck) {
+        rootcheck_connect();
+    }
+
+    /* Connect to the queue */
+
+    if ((syscheck.queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+        merror_exit(QUEUE_FATAL, DEFAULTQUEUE);
+    }
+
+    if (!syscheck.disabled) {
+        OSListNode *node_it;
+
+        /* Start up message */
+        minfo(STARTUP_MSG, (int)getpid());
+
+        /* Print directories to be monitored */
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            char optstr[ 1024 ];
+
+            if (dir_it->symbolic_links == NULL) {
+                minfo(FIM_MONITORING_DIRECTORY, dir_it->path,
+                      syscheck_opts2str(optstr, sizeof(optstr), dir_it->options));
+            } else {
+                minfo(FIM_MONITORING_LDIRECTORY, dir_it->path, dir_it->symbolic_links,
+                      syscheck_opts2str(optstr, sizeof(optstr), dir_it->options));
+            }
+
+            if (dir_it->tag != NULL)
+                mdebug2(FIM_TAG_ADDED, dir_it->tag, dir_it->path);
+
+            // Print diff file size limit
+            if ((dir_it->options & CHECK_SEECHANGES) && syscheck.file_size_enabled) {
+                mdebug2(FIM_DIFF_FILE_SIZE_LIMIT, dir_it->diff_size_limit, dir_it->path);
+            }
+        }
+
+        if (!syscheck.file_size_enabled) {
+            minfo(FIM_FILE_SIZE_LIMIT_DISABLED);
+        }
+
+        // Print maximum disk quota to be used by the queue/diff/local folder
+        if (syscheck.disk_quota_enabled) {
+            mdebug2(FIM_DISK_QUOTA_LIMIT, syscheck.disk_quota_limit);
+        }
+        else {
+            minfo(FIM_DISK_QUOTA_LIMIT_DISABLED);
+        }
+
+        /* Print ignores. */
+        if(syscheck.ignore)
+            for (r = 0; syscheck.ignore[r] != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_ENTRY, "file", syscheck.ignore[r]);
+
+        /* Print sregex ignores. */
+        if(syscheck.ignore_regex)
+            for (r = 0; syscheck.ignore_regex[r] != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_SREGEX, "file", syscheck.ignore_regex[r]->raw);
+
+        /* Print files with no diff. */
+        if (syscheck.nodiff){
+            r = 0;
+            while (syscheck.nodiff[r] != NULL) {
+                minfo(FIM_NO_DIFF, syscheck.nodiff[r]);
+                r++;
+            }
+        }
+
+        /* Check directories set for real time */
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            if (dir_it->options & REALTIME_ACTIVE) {
+#if defined (INOTIFY_ENABLED) || defined (WIN32)
+                minfo(FIM_REALTIME_MONITORING_DIRECTORY, dir_it->path);
+                start_realtime = 1;
+#else
+                mwarn(FIM_WARN_REALTIME_DISABLED, dir_it->path);
+                dir_it->options &= ~REALTIME_ACTIVE;
+                dir_it->options |= SCHEDULED_ACTIVE;
+#endif
+            }
+        }
+
+        OSList_foreach(node_it, syscheck.wildcards) {
+            dir_it = node_it->data;
+            if (dir_it->options & REALTIME_ACTIVE) {
+#if defined (INOTIFY_ENABLED) || defined (WIN32)
+                start_realtime = 1;
+                break;
+#else
+                mwarn(FIM_WARN_REALTIME_DISABLED, dir_it->path);
+                dir_it->options &= ~REALTIME_ACTIVE;
+                dir_it->options |= SCHEDULED_ACTIVE;
+#endif
+            }
+        }
+    }
+
+    fim_initialize();
+
+    if (start_realtime == 1) {
+        realtime_start();
+    }
+
+    // Audit events thread
+    if (!syscheck.disabled && syscheck.enable_whodata) {
+#ifdef ENABLE_AUDIT
+        if (audit_init() < 0) {
+            directory_t *dir_it;
+            OSListNode *node_it;
+
+            mwarn(FIM_WARN_AUDIT_THREAD_NOSTARTED);
+
+            // Switch who-data to real-time mode
+
+            OSList_foreach(node_it, syscheck.directories) {
+                dir_it = node_it->data;
+                if (dir_it->options & WHODATA_ACTIVE) {
+                    dir_it->options &= ~WHODATA_ACTIVE;
+                    dir_it->options |= REALTIME_ACTIVE;
+                }
+            }
+
+            OSList_foreach(node_it, syscheck.wildcards) {
+                dir_it = node_it->data;
+                if (dir_it->options & WHODATA_ACTIVE) {
+                    dir_it->options &= ~WHODATA_ACTIVE;
+                    dir_it->options |= REALTIME_ACTIVE;
+                }
+            }
+
+            w_mutex_lock(&syscheck.fim_realtime_mutex);
+            if (syscheck.realtime == NULL) {
+                realtime_start();
+            }
+            w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+        }
+#else
+        merror(FIM_ERROR_WHODATA_AUDIT_SUPPORT);
+#endif
+    }
+
+    /* Start the daemon */
+    start_daemon();
+
+    // We shouldn't reach this point unless syscheck is disabled
+    while(1) {
+        pause();
+    }
+
+    return (0);
+}
+
+#endif /* !WIN32 */
+
+// LCOV_EXCL_STOP
diff --git a/src/modules/fim/src/registry/events.c b/src/modules/fim/src/registry/events.c
new file mode 100644
index 0000000000..b675fc681c
--- /dev/null
+++ b/src/modules/fim/src/registry/events.c
@@ -0,0 +1,582 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WIN32
+
+#include "../../include/syscheck.h"
+
+static const char *FIM_EVENT_TYPE_ARRAY[] = { "added", "deleted", "modified" };
+
+static const char *FIM_EVENT_MODE[] = { "scheduled", "realtime", "whodata" };
+
+static const char *VALUE_TYPE[] = {
+    [REG_NONE] = "REG_NONE",
+    [REG_SZ] = "REG_SZ",
+    [REG_EXPAND_SZ] = "REG_EXPAND_SZ",
+    [REG_BINARY] = "REG_BINARY",
+    [REG_DWORD] = "REG_DWORD",
+    [REG_DWORD_BIG_ENDIAN] = "REG_DWORD_BIG_ENDIAN",
+    [REG_LINK] = "REG_LINK",
+    [REG_MULTI_SZ] = "REG_MULTI_SZ",
+    [REG_RESOURCE_LIST] = "REG_RESOURCE_LIST",
+    [REG_FULL_RESOURCE_DESCRIPTOR] = "REG_FULL_RESOURCE_DESCRIPTOR",
+    [REG_RESOURCE_REQUIREMENTS_LIST] = "REG_RESOURCE_REQUIREMENTS_LIST",
+    [REG_QWORD] = "REG_QWORD",
+    [REG_UNKNOWN] = "REG_UNKNOWN"
+};
+
+
+void fim_calculate_dbsync_difference_key(const fim_registry_key* registry_data,
+                                         const registry_t *configuration,
+                                         const cJSON* old_data,
+                                         cJSON* changed_attributes,
+                                         cJSON* old_attributes) {
+
+    if (old_attributes == NULL || changed_attributes == NULL || !cJSON_IsArray(changed_attributes)) {
+        return; //LCOV_EXCL_LINE
+    }
+    cJSON *aux = NULL;
+
+    cJSON_AddStringToObject(old_attributes, "type", "registry_key");
+
+    if (configuration->opts & CHECK_PERM) {
+        if (aux = cJSON_GetObjectItem(old_data, "perm"), aux != NULL) {
+            cJSON_AddItemToObject(old_attributes, "perm", cJSON_Parse(cJSON_GetStringValue(aux)));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("permission"));
+        } else {
+            cJSON_AddItemToObject(old_attributes, "perm", cJSON_Parse(registry_data->perm));
+        }
+    }
+
+    if (configuration->opts & CHECK_OWNER) {
+        if (aux = cJSON_GetObjectItem(old_data, "uid"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "uid", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("uid"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "uid", registry_data->uid);
+        }
+
+        if (aux = cJSON_GetObjectItem(old_data, "user_name"), aux != NULL) {
+            char *username = cJSON_GetStringValue(aux);
+            cJSON_AddStringToObject(old_attributes, "user_name", username);
+            // AD might fail to solve the user name, we don't trigger an event if the user name is empty
+            if (username != NULL && *username != '\0') {
+                cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("user_name"));
+            }
+        } else {
+            cJSON_AddStringToObject(old_attributes, "user_name", registry_data->user_name);
+        }
+    }
+
+    if (configuration->opts & CHECK_GROUP) {
+        if (aux = cJSON_GetObjectItem(old_data, "gid"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "gid", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("gid"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "gid", registry_data->uid);
+        }
+        if (aux = cJSON_GetObjectItem(old_data, "group_name"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "group_name", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("group_name"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "group_name", registry_data->group_name);
+        }
+    }
+
+    if (configuration->opts & CHECK_MTIME) {
+         if (aux = cJSON_GetObjectItem(old_data, "mtime"), aux != NULL) {
+            cJSON_AddNumberToObject(old_attributes, "mtime", aux->valueint);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("mtime"));
+        } else {
+            cJSON_AddNumberToObject(old_attributes, "mtime", registry_data->mtime);
+        }
+    }
+
+    if (*registry_data->checksum) {
+        cJSON_AddStringToObject(old_attributes, "checksum", registry_data->checksum);
+    }
+
+}
+
+void fim_calculate_dbsync_difference_value(const fim_registry_value_data* value_data,
+                                           const registry_t* configuration,
+                                           const cJSON* old_data,
+                                           cJSON* changed_attributes,
+                                           cJSON* old_attributes) {
+    if (value_data == NULL || old_attributes == NULL ||
+        changed_attributes == NULL || !cJSON_IsArray(changed_attributes)) {
+        return; //LCOV_EXCL_LINE
+    }
+
+    cJSON *aux = NULL;
+
+    cJSON_AddStringToObject(old_attributes, "type", "registry_value");
+
+    if (configuration->opts & CHECK_SIZE) {
+        if (aux = cJSON_GetObjectItem(old_data, "size"), aux != NULL) {
+            cJSON_AddNumberToObject(old_attributes, "size", aux->valueint);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("size"));
+        } else {
+            cJSON_AddNumberToObject(old_attributes, "size", value_data->size);
+        }
+    }
+
+    if (configuration->opts & CHECK_TYPE) {
+        if (aux = cJSON_GetObjectItem(old_data, "value_type"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "value_type", VALUE_TYPE[aux->valueint]);
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("value_type"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "value_type", VALUE_TYPE[value_data->type]);
+        }
+    }
+
+    if (configuration->opts & CHECK_MD5SUM) {
+        if (aux = cJSON_GetObjectItem(old_data, "hash_md5"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_md5", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("md5"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_md5", value_data->hash_md5);
+        }
+    }
+
+    if (configuration->opts & CHECK_SHA1SUM) {
+        if (aux = cJSON_GetObjectItem(old_data, "hash_sha1"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_sha1", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha1"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_sha1", value_data->hash_sha1);
+        }
+    }
+
+    if (configuration->opts & CHECK_SHA256SUM) {
+        if (aux = cJSON_GetObjectItem(old_data, "hash_sha256"), aux != NULL) {
+            cJSON_AddStringToObject(old_attributes, "hash_sha256", cJSON_GetStringValue(aux));
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha256"));
+        } else {
+            cJSON_AddStringToObject(old_attributes, "hash_sha256", value_data->hash_sha256);
+        }
+    }
+}
+
+cJSON *fim_registry_value_attributes_json(const cJSON* dbsync_event, const fim_registry_value_data *data,
+                                          const registry_t *configuration) {
+
+    cJSON *attributes = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(attributes, "type", "registry_value");
+
+    if (data) {
+        if (configuration->opts & CHECK_TYPE) {
+            cJSON_AddStringToObject(attributes, "value_type", VALUE_TYPE[data->type]);
+        }
+
+        if (configuration->opts & CHECK_SIZE) {
+            cJSON_AddNumberToObject(attributes, "size", data->size);
+        }
+
+        if (configuration->opts & CHECK_MD5SUM) {
+            cJSON_AddStringToObject(attributes, "hash_md5", data->hash_md5);
+        }
+
+        if (configuration->opts & CHECK_SHA1SUM) {
+            cJSON_AddStringToObject(attributes, "hash_sha1", data->hash_sha1);
+        }
+
+        if (configuration->opts & CHECK_SHA256SUM) {
+            cJSON_AddStringToObject(attributes, "hash_sha256", data->hash_sha256);
+        }
+
+        if (*data->checksum) {
+            cJSON_AddStringToObject(attributes, "checksum", data->checksum);
+        }
+
+    } else {
+        cJSON *type, *checksum, *sha256, *md5, *sha1, *size;
+
+        if (type = cJSON_GetObjectItem(dbsync_event, "type"), type != NULL) {
+            if (configuration->opts & CHECK_TYPE) {
+                cJSON_AddStringToObject(attributes, "value_type", VALUE_TYPE[type->valueint]);
+            }
+        }
+
+        if (configuration->opts & CHECK_SIZE) {
+            if (size = cJSON_GetObjectItem(dbsync_event, "size"), size != NULL) {
+                cJSON_AddNumberToObject(attributes, "size", size->valueint);
+            }
+        }
+
+        if (configuration->opts & CHECK_MD5SUM) {
+            if (md5 = cJSON_GetObjectItem(dbsync_event, "hash_md5"), md5 != NULL){
+                cJSON_AddStringToObject(attributes, "hash_md5", cJSON_GetStringValue(md5));
+            }
+        }
+
+        if (configuration->opts & CHECK_SHA1SUM) {
+            if (sha1 = cJSON_GetObjectItem(dbsync_event, "hash_sha1"), sha1 != NULL){
+                cJSON_AddStringToObject(attributes, "hash_sha1", cJSON_GetStringValue(sha1));
+            }
+        }
+
+        if (configuration->opts & CHECK_SHA256SUM) {
+            if (sha256 = cJSON_GetObjectItem(dbsync_event, "hash_sha256"), sha256 != NULL){
+                cJSON_AddStringToObject(attributes, "hash_sha256", cJSON_GetStringValue(sha256));
+            }
+        }
+
+        if (checksum = cJSON_GetObjectItem(dbsync_event, "checksum"), checksum != NULL){
+            cJSON_AddStringToObject(attributes, "checksum", cJSON_GetStringValue(checksum));
+        }
+
+    }
+
+    return attributes;
+}
+
+/**
+ * @brief Compare new and old attributes from a registry value and return an array specifying which of them changed.
+ *
+ * @param new_data A fim_registry_value_data object holding the most recent information associated with a registry
+ * value.
+ * @param old_data A fim_registry_value_data object holding information associated with a registry value retrieved from
+ * the FIM DB.
+ * @param configuration The configuration associated with the registry value.
+ * @return A pointer to a cJSON array holding strings with the changed attributes.
+ */
+cJSON *fim_registry_compare_value_attrs(const fim_registry_value_data *new_data,
+                                        const fim_registry_value_data *old_data,
+                                        const registry_t *configuration) {
+    cJSON *changed_attributes = cJSON_CreateArray();
+
+    if ((configuration->opts & CHECK_SIZE) && old_data->size != new_data->size) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("size"));
+    }
+
+    if ((configuration->opts & CHECK_TYPE) && old_data->type != new_data->type) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("type"));
+    }
+
+    if ((configuration->opts & CHECK_MD5SUM) && (strcmp(old_data->hash_md5, new_data->hash_md5) != 0)) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("md5"));
+    }
+
+    if ((configuration->opts & CHECK_SHA1SUM) && (strcmp(old_data->hash_sha1, new_data->hash_sha1) != 0)) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha1"));
+    }
+
+    if ((configuration->opts & CHECK_SHA256SUM) && (strcmp(old_data->hash_sha256, new_data->hash_sha256) != 0)) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("sha256"));
+    }
+
+    return changed_attributes;
+}
+
+
+// LCOV_EXCL_START
+// This function is not used for now, as it's ment to be used on event based monitoring.
+/**
+ * @brief Generate a registry value event from the provided information.
+ *
+ * @param new_data A fim_entry object holding the most recent information associated with a registry value.
+ * @param old_data A fim_entry object holding information associated with a registry value retrieved from the FIM DB.
+ * @param configuration The configuration associated with the registry value.
+ * @param mode A value specifying if the event has been triggered in scheduled, realtime or whodata mode.
+ * @param type A value specifying if the event corresponds to an add, delete or modify event.
+ * @param w_evt A whodata object holding information corresponding to the event.
+ * @param diff A string holding the change in the value content.
+ * @return A pointer to a cJSON object holding the FIM event, NULL on error or if no event is generated.
+ */
+
+cJSON *fim_registry_value_json_event(const fim_entry *new_data,
+                                     const fim_entry *old_data,
+                                     const registry_t *configuration,
+                                     fim_event_mode mode,
+                                     unsigned int type,
+                                     __attribute__((unused)) whodata_evt *w_evt,
+                                     const char *diff) {
+    cJSON *changed_attributes = NULL;
+
+    if (old_data != NULL && old_data->registry_entry.value != NULL) {
+        changed_attributes = fim_registry_compare_value_attrs(new_data->registry_entry.value,
+                                                              old_data->registry_entry.value, configuration);
+
+        if (cJSON_GetArraySize(changed_attributes) == 0) {
+            cJSON_Delete(changed_attributes);
+            return NULL;
+        }
+    }
+
+    cJSON *json_event = cJSON_CreateObject();
+    cJSON_AddStringToObject(json_event, "type", "event");
+
+    cJSON *data = cJSON_CreateObject();
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", new_data->registry_entry.key->path);
+    cJSON_AddNumberToObject(data, "version", 2.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[type]);
+    cJSON_AddStringToObject(data, "arch", new_data->registry_entry.key->arch == ARCH_32BIT ? "[x32]" : "[x64]");
+    cJSON_AddStringToObject(data, "value_name", new_data->registry_entry.value->name);
+    cJSON_AddNumberToObject(data, "timestamp", new_data->registry_entry.value->last_event);
+
+    //cJSON_AddItemToObject(data, "attributes",
+    //                      fim_registry_value_attributes_json(new_data->registry_entry.value, configuration));
+
+    if (old_data != NULL && old_data->registry_entry.value != NULL) {
+        cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+        //cJSON_AddItemToObject(data, "old_attributes",
+        //                      fim_registry_value_attributes_json(old_data->registry_entry.value, configuration));
+    }
+
+    if (diff != NULL) {
+        cJSON_AddStringToObject(data, "content_changes", diff);
+    }
+
+    if (configuration->tag != NULL) {
+        cJSON_AddStringToObject(data, "tags", configuration->tag);
+    }
+
+    return json_event;
+}
+// LCOV_EXCL_STOP
+
+/**
+ * @brief Create a cJSON object holding the attributes associated with a fim_registry_key according to its
+ * configuration.
+ *
+ * @param data A fim_registry_key object holding the key attributes to be tranlated.
+ * @param configuration The configuration associated with the registry key.
+ * @return A pointer to a cJSON object the translated key attributes.
+ */
+cJSON *fim_registry_key_attributes_json(const cJSON* dbsync_event, const fim_registry_key *data, const registry_t *configuration) {
+    cJSON *attributes = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(attributes, "type", "registry_key");
+
+    if (data) {
+        if (configuration->opts & CHECK_PERM) {
+            cJSON_AddItemToObject(attributes, "perm", cJSON_Parse(data->perm));
+        }
+
+        if (configuration->opts & CHECK_OWNER) {
+            cJSON_AddStringToObject(attributes, "uid", data->uid);
+
+            if (data->user_name) {
+                cJSON_AddStringToObject(attributes, "user_name", data->user_name);
+            }
+        }
+
+        if (configuration->opts & CHECK_GROUP) {
+            cJSON_AddStringToObject(attributes, "gid", data->gid);
+
+            if (data->group_name) {
+                cJSON_AddStringToObject(attributes, "group_name", data->group_name);
+            }
+        }
+
+        if (configuration->opts & CHECK_MTIME) {
+            cJSON_AddNumberToObject(attributes, "mtime", data->mtime);
+        }
+
+        if (*data->checksum) {
+            cJSON_AddStringToObject(attributes, "checksum", data->checksum);
+        }
+    } else {
+        cJSON *perm, *uid, *user_name, *gid, *group_name, *mtime, *checksum;
+
+        if (configuration->opts & CHECK_PERM) {
+            if (perm = cJSON_GetObjectItem(dbsync_event, "perm"), perm != NULL) {
+                cJSON_AddItemToObject(attributes, "perm", cJSON_Parse(cJSON_GetStringValue(perm)));
+            }
+        }
+
+        if (configuration->opts & CHECK_OWNER) {
+            if (uid = cJSON_GetObjectItem(dbsync_event, "uid"), uid != NULL) {
+                cJSON_AddStringToObject(attributes, "uid", cJSON_GetStringValue(uid));
+            }
+
+            if (user_name = cJSON_GetObjectItem(dbsync_event, "user_name"), user_name != NULL) {
+                cJSON_AddStringToObject(attributes, "user_name", cJSON_GetStringValue(user_name));
+            }
+
+        }
+
+        if (configuration->opts & CHECK_GROUP) {
+            if (gid = cJSON_GetObjectItem(dbsync_event, "gid"), gid != NULL) {
+                cJSON_AddStringToObject(attributes, "gid", cJSON_GetStringValue(gid));
+            }
+
+            if (group_name = cJSON_GetObjectItem(dbsync_event, "group_name"), group_name != NULL) {
+                cJSON_AddStringToObject(attributes, "group_name", cJSON_GetStringValue(group_name));
+            }
+
+        }
+
+        if (configuration->opts & CHECK_MTIME) {
+            if (mtime = cJSON_GetObjectItem(dbsync_event, "mtime"), mtime != NULL) {
+                cJSON_AddNumberToObject(attributes, "mtime", mtime->valueint);
+            }
+        }
+
+        if (checksum = cJSON_GetObjectItem(dbsync_event, "checksum"), checksum != NULL) {
+            cJSON_AddStringToObject(attributes, "checksum", cJSON_GetStringValue(checksum));
+        }
+
+    }
+
+    return attributes;
+}
+
+/**
+ * @brief Compare new and old attributes from a registry key and return an array specifying which of them changed.
+ *
+ * @param new_data A fim_registry_key object holding the most recent information associated with a registry key.
+ * @param old_data A fim_registry_key object holding information associated with a registry key retrieved from the FIM
+ * DB.
+ * @param configuration The configuration associated with the registry key.
+ * @return A pointer to a cJSON array holding strings with the changed attributes.
+ */
+cJSON *fim_registry_compare_key_attrs(const fim_registry_key *new_data,
+                                      const fim_registry_key *old_data,
+                                      const registry_t *configuration) {
+    cJSON *changed_attributes = cJSON_CreateArray();
+
+    if ((configuration->opts & CHECK_PERM) && strcmp(old_data->perm, new_data->perm) != 0) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("permission"));
+    }
+
+    if (configuration->opts & CHECK_OWNER) {
+        if (old_data->uid && new_data->uid && strcmp(old_data->uid, new_data->uid) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("uid"));
+        }
+
+        // AD might fail to solve the user name, we don't trigger an event if the user name is empty
+        if (old_data->user_name && *old_data->user_name != '\0' && new_data->user_name &&
+            *new_data->user_name != '\0' && strcmp(old_data->user_name, new_data->user_name) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("user_name"));
+        }
+    }
+
+    if (configuration->opts & CHECK_GROUP) {
+        if (old_data->gid && new_data->gid && strcmp(old_data->gid, new_data->gid) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("gid"));
+        }
+
+        if (old_data->group_name && new_data->group_name && strcmp(old_data->group_name, new_data->group_name) != 0) {
+            cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("group_name"));
+        }
+    }
+
+    if ((configuration->opts & CHECK_MTIME) && old_data->mtime != new_data->mtime) {
+        cJSON_AddItemToArray(changed_attributes, cJSON_CreateString("mtime"));
+    }
+
+    return changed_attributes;
+}
+
+
+// LCOV_EXCL_START
+// These functions are not used for now, as their are ment to be used on event based monitoring.
+/**
+ * @brief Generate a registry key event from the provided information.
+ *
+ * @param new_data A fim_registry_key object holding the most recent information associated with a registry key.
+ * @param old_data A fim_registry_key object holding information associated with a registry key retrieved from the FIM
+ * DB.
+ * @param configuration The configuration associated with the registry key.
+ * @param mode A value specifying if the event has been triggered in scheduled, realtime or whodata mode.
+ * @param type A value specifying if the event corresponds to an add, delete or modify event.
+ * @param w_evt A whodata object holding information corresponding to the event.
+ * @return A pointer to a cJSON object holding the FIM event, NULL on error.
+ */
+cJSON *fim_registry_key_json_event(const fim_registry_key *new_data,
+                                   const fim_registry_key *old_data,
+                                   const registry_t *configuration,
+                                   fim_event_mode mode,
+                                   unsigned int type,
+                                   __attribute__((unused)) whodata_evt *w_evt) {
+    cJSON *changed_attributes;
+
+    if (old_data != NULL) {
+        changed_attributes = fim_registry_compare_key_attrs(new_data, old_data, configuration);
+
+        if (cJSON_GetArraySize(changed_attributes) == 0) {
+            cJSON_Delete(changed_attributes);
+            return NULL;
+        }
+    }
+
+    cJSON *json_event = cJSON_CreateObject();
+    cJSON_AddStringToObject(json_event, "type", "event");
+
+    cJSON *data = cJSON_CreateObject();
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", new_data->path);
+    cJSON_AddNumberToObject(data, "version", 2.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[type]);
+    cJSON_AddStringToObject(data, "arch", new_data->arch == ARCH_32BIT ? "[x32]" : "[x64]");
+    cJSON_AddNumberToObject(data, "timestamp", new_data->last_event);
+
+    //cJSON_AddItemToObject(data, "attributes", fim_registry_key_attributes_json(new_data, configuration));
+
+    if (old_data) {
+        cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+        //cJSON_AddItemToObject(data, "old_attributes", fim_registry_key_attributes_json(old_data, configuration));
+    }
+
+    if (configuration->tag != NULL) {
+        cJSON_AddStringToObject(data, "tags", configuration->tag);
+    }
+
+    return json_event;
+}
+
+cJSON *fim_registry_event(const fim_entry *new,
+                          const fim_entry *saved,
+                          const registry_t *configuration,
+                          fim_event_mode mode,
+                          unsigned int event_type,
+                          __attribute__((unused)) whodata_evt *w_evt,
+                          const char *diff) {
+    cJSON *json_event = NULL;
+
+    if (new == NULL) {
+        mwarn(FIM_REGISTRY_EVENT_NULL_ENTRY);
+        return NULL;
+    }
+
+    if (new->registry_entry.key == NULL) {
+        mwarn(FIM_REGISTRY_EVENT_NULL_ENTRY_KEY);
+        return NULL;
+    }
+
+    if (new->type != FIM_TYPE_REGISTRY) {
+        mwarn(FIM_REGISTRY_EVENT_WRONG_ENTRY_TYPE);
+        return NULL;
+    }
+
+    if (saved && saved->type != FIM_TYPE_REGISTRY) {
+        mwarn(FIM_REGISTRY_EVENT_WRONG_SAVED_TYPE);
+        return NULL;
+    }
+
+    if (new->registry_entry.value != NULL) {
+        json_event = fim_registry_value_json_event(new, saved, configuration, mode, event_type, w_evt, diff);
+    } else {
+        json_event = fim_registry_key_json_event(new->registry_entry.key, saved ? saved->registry_entry.key : NULL,
+                                                 configuration, mode, event_type, w_evt);
+    }
+
+    return json_event;
+}
+// LCOV_EXCL_STOP
+
+#endif
diff --git a/src/modules/fim/src/registry/registry.c b/src/modules/fim/src/registry/registry.c
new file mode 100644
index 0000000000..c6f33639e3
--- /dev/null
+++ b/src/modules/fim/src/registry/registry.c
@@ -0,0 +1,1122 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WIN32
+
+#include <cJSON.h>
+#include "registry.h"
+#include "shared.h"
+#include "../../include/syscheck.h"
+#include "../../config/syscheck-config.h"
+#include "../db/include/db.h"
+#include "../os_crypto/md5/md5_op.h"
+#include "../os_crypto/sha1/sha1_op.h"
+#include "../os_crypto/md5_sha1/md5_sha1_op.h"
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+
+#ifdef WAZUH_UNIT_TESTING
+#include "../../../unit_tests/wrappers/windows/winreg_wrappers.h"
+extern int _base_line;
+#else
+static int _base_line = 0;
+#endif
+
+/* Default values */
+#define MAX_KEY_LENGTH 260
+#define MAX_VALUE_NAME 16383
+
+static const char *FIM_EVENT_TYPE_ARRAY[] = {
+    "added",
+    "deleted",
+    "modified"
+};
+
+static const char *FIM_EVENT_MODE[] = {
+    "scheduled",
+    "realtime",
+    "whodata"
+};
+
+typedef struct fim_key_txn_context_s {
+    event_data_t *evt_data;
+    fim_registry_key *key;
+} fim_key_txn_context_t;
+
+typedef struct fim_val_txn_context_s {
+    event_data_t *evt_data;
+    fim_registry_value_data *data;
+    char* diff;
+} fim_val_txn_context_t;
+
+// DBSync Callbacks
+
+/**
+ * @brief Registry key callback.
+ *
+ * @param resultType Action performed by DBSync (INSERTED|MODIFIED|DELETED|MAXROWS)
+ * @param result_json Data returned by dbsync in JSON format.
+ * @param user_data Registry key transaction context.
+ */
+static void registry_key_transaction_callback(ReturnTypeCallback resultType,
+                                              const cJSON* result_json,
+                                              void* user_data) {
+
+    registry_t *configuration = NULL;
+    cJSON *json_event = NULL;
+    cJSON *json_path = NULL;
+    cJSON *json_arch = NULL;
+    cJSON *json_hash = NULL;
+    cJSON *old_data = NULL;
+    cJSON *old_attributes = NULL;
+    cJSON *changed_attributes = NULL;
+    cJSON *aux = NULL;
+    cJSON *timestamp = NULL;
+    fim_key_txn_context_t *event_data = (fim_key_txn_context_t *) user_data;
+    fim_registry_key* key = event_data->key;
+    char *path = NULL;
+    int arch = -1;
+    char *hash_full_path;
+
+    // Do not process if it's the first scan
+    if (_base_line == 0) {
+        return;
+    }
+
+    // In case of deletions, key is NULL, so we need to get the path and arch from the json event
+    if (key == NULL) {
+        if (json_path = cJSON_GetObjectItem(result_json, "path"), json_path == NULL) {
+            goto end;
+        }
+        if (json_arch = cJSON_GetObjectItem(result_json, "arch"), json_arch == NULL) {
+            goto end;
+        }
+        if (json_hash = cJSON_GetObjectItem(result_json, "hash_full_path"), json_hash == NULL) {
+            goto end;
+        }
+        path = cJSON_GetStringValue(json_path);
+        arch = (strcmp(cJSON_GetStringValue(json_arch), "[x32]") == 0) ? ARCH_32BIT: ARCH_64BIT;
+        hash_full_path = cJSON_GetStringValue(json_hash);
+
+    } else {
+        path = key->path;
+        arch = key->arch;
+        hash_full_path = key->hash_full_path;
+    }
+
+    configuration = fim_registry_configuration(path, arch);
+
+    if (configuration == NULL) {
+        goto end;
+    }
+
+    switch (resultType) {
+        case INSERTED:
+            event_data->evt_data->type = FIM_ADD;
+            break;
+
+        case MODIFIED:
+            event_data->evt_data->type = FIM_MODIFICATION;
+            break;
+
+        case DELETED:
+            if (configuration->opts & CHECK_SEECHANGES) {
+                fim_diff_process_delete_registry(path, arch);
+            }
+            event_data->evt_data->type = FIM_DELETE;
+            break;
+
+        case MAX_ROWS:
+            mdebug1("Couldn't insert '%s' entry into DB. The DB is full, please check your configuration.", path);
+
+        // Fallthrough
+        default:
+            goto end;
+            break;
+    }
+
+    json_event = cJSON_CreateObject();
+    if (json_event == NULL) {
+        return;
+    }
+
+    cJSON_AddStringToObject(json_event, "type", "event");
+
+    cJSON* data = cJSON_CreateObject();
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", path);
+    cJSON_AddStringToObject(data, "index", hash_full_path);
+    cJSON_AddNumberToObject(data, "version", 3.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[event_data->evt_data->mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[event_data->evt_data->type]);
+    cJSON_AddStringToObject(data, "arch", arch == ARCH_32BIT ? "[x32]" : "[x64]");
+    if(timestamp = cJSON_GetObjectItem(result_json, "last_event"), timestamp != NULL){
+        cJSON_AddNumberToObject(data, "timestamp", timestamp->valueint);
+    } else {
+        cJSON_AddNumberToObject(data, "timestamp", key->last_event);
+    }
+    cJSON_AddItemToObject(data, "attributes", fim_registry_key_attributes_json(result_json, key, configuration));
+
+    old_data = cJSON_GetObjectItem(result_json, "old");
+    if (old_data != NULL) {
+        old_attributes = cJSON_CreateObject();
+        changed_attributes = cJSON_CreateArray();
+        cJSON_AddItemToObject(data, "old_attributes", old_attributes);
+        cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+        fim_calculate_dbsync_difference_key(key,
+                                            configuration,
+                                            old_data,
+                                            changed_attributes,
+                                            old_attributes);
+
+        if (cJSON_GetArraySize(changed_attributes) == 0) {
+            mdebug2(FIM_EMPTY_CHANGED_ATTRIBUTES, path);
+            goto end;
+        }
+    }
+
+    if (configuration->tag != NULL) {
+        cJSON_AddStringToObject(data, "tags", configuration->tag);
+    }
+
+    send_syscheck_msg(json_event);
+
+    end:
+        cJSON_Delete(json_event);
+}
+
+/**
+ * @brief Registry value callback.
+ *
+ * @param resultType Action performed by DBSync (INSERTED|MODIFIED|DELETED|MAXROWS)
+ * @param result_json Data returned by dbsync in JSON format.
+ * @param user_data Registry value transaction context.
+ */
+static void registry_value_transaction_callback(ReturnTypeCallback resultType,
+                                                const cJSON* result_json,
+                                                void* user_data) {
+
+    registry_t *configuration = NULL;
+    cJSON *json_event = NULL;
+    cJSON *json_path = NULL;
+    cJSON *json_arch = NULL;
+    cJSON *json_name = NULL;
+    cJSON *json_hash = NULL;
+    cJSON *old_attributes = NULL;
+    cJSON *old_data = NULL;
+    cJSON *changed_attributes = NULL;
+    cJSON *aux = NULL;
+    cJSON *timestamp = NULL;
+    char *path = NULL;
+    char *name = NULL;
+    int arch = -1;
+    fim_val_txn_context_t *event_data = (fim_val_txn_context_t *) user_data;
+    char* diff = event_data->diff;
+    fim_registry_value_data *value = event_data->data;
+    char *hash_full_path;
+
+    // Do not process if it's the first scan
+    if (_base_line == 0) {
+        return;
+    }
+
+    // In case of deletions, value is NULL, so we need to get the path and arch from the json event
+    if (value == NULL) {
+        if (json_path = cJSON_GetObjectItem(result_json, "path"), json_path == NULL) {
+            goto end;
+        }
+        if (json_arch = cJSON_GetObjectItem(result_json, "arch"), json_arch == NULL) {
+            goto end;
+        }
+        if (json_name = cJSON_GetObjectItem(result_json, "name"), json_name == NULL) {
+            goto end;
+        }
+        if (json_hash = cJSON_GetObjectItem(result_json, "hash_full_path"), json_hash == NULL) {
+            goto end;
+        }
+        path = cJSON_GetStringValue(json_path);
+        arch = (strcmp(cJSON_GetStringValue(json_arch), "[x32]") == 0) ? ARCH_32BIT: ARCH_64BIT;
+        name = cJSON_GetStringValue(json_name);
+        hash_full_path = cJSON_GetStringValue(json_hash);
+    } else {
+        path = value->path;
+        arch = value->arch;
+        name = value->name;
+        hash_full_path = value->hash_full_path;
+    }
+
+    configuration = fim_registry_configuration(path, arch);
+    if (configuration == NULL) {
+         goto end;
+    }
+
+    switch (resultType) {
+        case INSERTED:
+            event_data->evt_data->type = FIM_ADD;
+            break;
+
+        case MODIFIED:
+            event_data->evt_data->type = FIM_MODIFICATION;
+            break;
+
+        case DELETED:
+            if (configuration->opts & CHECK_SEECHANGES) {
+                fim_diff_process_delete_value(path, name, arch);
+            }
+            event_data->evt_data->type = FIM_DELETE;
+            break;
+
+        case MAX_ROWS:
+            mdebug1("Couldn't insert '%s' entry into DB. The DB is full, please check your configuration.", path);
+
+        // Fallthrough
+        default:
+            goto end;
+            break;
+    }
+
+    json_event = cJSON_CreateObject();
+    if (json_event == NULL) {
+        goto end;
+    }
+
+    cJSON_AddStringToObject(json_event, "type", "event");
+
+    cJSON* data = cJSON_CreateObject();
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    cJSON_AddStringToObject(data, "path", path);
+    cJSON_AddStringToObject(data, "index", hash_full_path);
+    cJSON_AddNumberToObject(data, "version", 3.0);
+    cJSON_AddStringToObject(data, "mode", FIM_EVENT_MODE[event_data->evt_data->mode]);
+    cJSON_AddStringToObject(data, "type", FIM_EVENT_TYPE_ARRAY[event_data->evt_data->type]);
+    cJSON_AddStringToObject(data, "arch", arch == ARCH_32BIT ? "[x32]" : "[x64]");
+    cJSON_AddStringToObject(data, "value_name", name);
+
+    if(timestamp = cJSON_GetObjectItem(result_json, "last_event"), timestamp != NULL){
+        cJSON_AddNumberToObject(data, "timestamp", timestamp->valueint);
+    } else {
+        cJSON_AddNumberToObject(data, "timestamp", value->last_event);
+    }
+
+    cJSON_AddItemToObject(data, "attributes", fim_registry_value_attributes_json(result_json, value, configuration));
+
+    old_data = cJSON_GetObjectItem(result_json, "old");
+    if (old_data != NULL) {
+        old_attributes = cJSON_CreateObject();
+        changed_attributes = cJSON_CreateArray();
+        cJSON_AddItemToObject(data, "old_attributes", old_attributes);
+        cJSON_AddItemToObject(data, "changed_attributes", changed_attributes);
+        fim_calculate_dbsync_difference_value(value,
+                                              configuration,
+                                              old_data,
+                                              changed_attributes,
+                                              old_attributes);
+
+        if (cJSON_GetArraySize(changed_attributes) == 0) {
+            mdebug2(FIM_EMPTY_CHANGED_ATTRIBUTES, path);
+            goto end;
+        }
+    }
+
+    if (configuration->tag != NULL) {
+        cJSON_AddStringToObject(data, "tags", configuration->tag);
+    }
+
+    if (diff != NULL && resultType == MODIFIED) {
+        cJSON_AddStringToObject(data, "content_changes", diff);
+    }
+
+    send_syscheck_msg(json_event);
+
+
+end:
+    cJSON_Delete(json_event);
+    if(diff != NULL){
+        os_free(diff);
+    }
+}
+
+/**
+ * @brief Set the root key and subkey associated with a given key.
+ *
+ * @param root_key_handle A pointer to a handle which will hold the root key handle on success, NULL on failure.
+ * @param full_key A string holding the full path to a registry key.
+ * @param sub_key A pointer to a pointer which will point to the byte where the first sub key of full_key starts,
+ * unchanged on error.
+ * @return 0 if the root key is properly set, -1 otherwise.
+ */
+int fim_set_root_key(HKEY *root_key_handle, const char *full_key, const char **sub_key) {
+    int root_key_length;
+
+    if (root_key_handle == NULL || full_key == NULL || sub_key == NULL) {
+        return -1;
+    }
+
+    /* Verify valid root tree */
+    if (strncmp(full_key, "HKEY_LOCAL_MACHINE", 18) == 0) {
+        *root_key_handle = HKEY_LOCAL_MACHINE;
+        root_key_length = 18;
+    } else if (strncmp(full_key, "HKEY_CLASSES_ROOT", 17) == 0) {
+        *root_key_handle = HKEY_CLASSES_ROOT;
+        root_key_length = 17;
+    } else if (strncmp(full_key, "HKEY_CURRENT_CONFIG", 19) == 0) {
+        *root_key_handle = HKEY_CURRENT_CONFIG;
+        root_key_length = 19;
+    } else if (strncmp(full_key, "HKEY_USERS", 10) == 0) {
+        *root_key_handle = HKEY_USERS;
+        root_key_length = 10;
+    } else {
+        *root_key_handle = NULL;
+        return -1;
+    }
+
+    if (full_key[root_key_length] != '\\') {
+        *root_key_handle = NULL;
+        return -1;
+    }
+
+    *sub_key = &full_key[root_key_length + 1];
+    return 0;
+}
+
+registry_t *fim_registry_configuration(const char *key, int arch) {
+    int it = 0;
+    int top = 0;
+    int match;
+    registry_t *ret = NULL;
+
+    for (it = 0; syscheck.registry[it].entry; it++) {
+        if (arch != syscheck.registry[it].arch) {
+            continue;
+        }
+
+        match = w_compare_str(syscheck.registry[it].entry, key);
+
+        if (top < match) {
+            ret = &syscheck.registry[it];
+            top = match;
+        }
+    }
+
+    if (ret == NULL) {
+        mdebug2(FIM_CONFIGURATION_NOTFOUND, "registry", key);
+    }
+
+    return ret;
+}
+
+/**
+ * @brief Validates the recursion level of a registry key.
+ *
+ * @param key_path Path of the key
+ * @param configuration The configuration associated with the registry entry.
+ * @return 0 if the path is valid, -1 if the path is to be excluded.
+ */
+int fim_registry_validate_recursion_level(const char *key_path, const registry_t *configuration) {
+    const char *pos;
+    int depth = 0;
+    unsigned int parent_path_size;
+
+    if (key_path == NULL || configuration == NULL) {
+        return -1;
+    }
+
+    /* Verify recursion level */
+    parent_path_size = strlen(configuration->entry);
+    // Recursion level only for registry keys
+    if (parent_path_size > strlen(key_path)) {
+        return -1;
+    }
+
+    pos = key_path + parent_path_size;
+    while (pos = strchr(pos, PATH_SEP), pos) {
+        depth++;
+        pos++;
+    }
+
+    if (depth > configuration->recursion_level) {
+        mdebug2(FIM_MAX_RECURSION_LEVEL, depth, configuration->recursion_level, key_path);
+        return -1;
+    }
+
+    return 0;
+}
+
+/**
+ * @brief Validates ignore restrictions of registry entry.
+ *
+ * @param entry A string holding the full path of the key or the name of the value to be validated.
+ * @param configuration The configuration associated with the registry entry.
+ * @param key 1 if the entry is a key, 0 if the entry is a value.
+ * @return 0 if the path is valid, -1 if the path is to be excluded.
+ */
+int fim_registry_validate_ignore(const char *entry, const registry_t *configuration, int key) {
+    int ign_it;
+    registry_ignore **ignore_list;
+    registry_ignore_regex **ignore_list_regex;
+
+    if (entry == NULL || configuration == NULL) {
+        return -1;
+    }
+
+    if (key) {
+        ignore_list = &syscheck.key_ignore;
+        ignore_list_regex = &syscheck.key_ignore_regex;
+    } else {
+        ignore_list = &syscheck.value_ignore;
+        ignore_list_regex = &syscheck.value_ignore_regex;
+    }
+
+    if (*ignore_list) {
+        for (ign_it = 0; (*ignore_list)[ign_it].entry; ign_it++) {
+            if ((*ignore_list)[ign_it].arch != configuration->arch) {
+                continue;
+            }
+            if (strncasecmp((*ignore_list)[ign_it].entry, entry, strlen((*ignore_list)[ign_it].entry)) == 0) {
+                mdebug2(FIM_REG_IGNORE_ENTRY, key ? "registry" : "value",
+                        (*ignore_list)[ign_it].arch == ARCH_32BIT ? "[x32]" : "[x64]", entry,
+                        (*ignore_list)[ign_it].entry);
+                return -1;
+            }
+        }
+    }
+    if (*ignore_list_regex) {
+        for (ign_it = 0; (*ignore_list_regex)[ign_it].regex; ign_it++) {
+            if ((*ignore_list_regex)[ign_it].arch != configuration->arch) {
+                continue;
+
+            }
+            if (OSMatch_Execute(entry, strlen(entry), (*ignore_list_regex)[ign_it].regex)) {
+                mdebug2(FIM_REG_IGNORE_SREGEX, key ? "registry" : "value",
+                        (*ignore_list_regex)[ign_it].arch == ARCH_32BIT ? "[x32]" : "[x64]", entry,
+                        (*ignore_list_regex)[ign_it].regex->raw);
+                return -1;
+            }
+        }
+    }
+    return 0;
+}
+/**
+ * @brief Compute checksum of a registry key
+ *
+ * @param data FIM registry key whose checksum will be computed
+ */
+void fim_registry_get_checksum_key(fim_registry_key *data) {
+    char *checksum = NULL;
+    int size;
+
+    size = snprintf(0,
+            0,
+            "%s:%s:%s:%s:%s:%u",
+            data->perm ? data->perm : "",
+            data->uid ? data->uid : "",
+            data->user_name ? data->user_name : "",
+            data->gid ? data->gid : "",
+            data->group_name ? data->group_name : "",
+            data->mtime);
+
+    os_calloc(size + 1, sizeof(char), checksum);
+    snprintf(checksum,
+            size + 1,
+            "%s:%s:%s:%s:%s:%u:%d",
+            data->perm ? data->perm : "",
+            data->uid ? data->uid : "",
+            data->gid ? data->gid : "",
+            data->user_name ? data->user_name : "",
+            data->group_name ? data->group_name : "",
+            data->mtime,
+            data->arch);
+
+    OS_SHA1_Str(checksum, -1, data->checksum);
+    free(checksum);
+}
+
+/**
+ * @brief Compute checksum of a registry value
+ *
+ * @param data FIM registry value whose checksum will be computed
+ */
+void fim_registry_get_checksum_value(fim_registry_value_data *data) {
+    char *checksum = NULL;
+    int size;
+
+    size = snprintf(0,
+            0,
+            "%u:%u:%s:%s:%s",
+            data->type,
+            data->size,
+            data->hash_md5 ,
+            data->hash_sha1,
+            data->hash_sha256);
+
+    os_calloc(size + 1, sizeof(char), checksum);
+    snprintf(checksum,
+            size + 1,
+            "%u:%u:%s:%s:%s",
+            data->type,
+            data->size,
+            data->hash_md5 ,
+            data->hash_sha1,
+            data->hash_sha256);
+
+    OS_SHA1_Str(checksum, -1, data->checksum);
+    free(checksum);
+}
+
+/**
+ * @brief Initialize digest context according to a provided configuration
+ *
+ * @param opts An integer holding the registry configuration.
+ * @param md5_ctx An uninitialized md5 context.
+ * @param sha1_ctx An uninitialized sha1 context.
+ * @param sha256_ctx An uninitialized sha256 context.
+ */
+void fim_registry_init_digests(int opts, EVP_MD_CTX *md5_ctx, EVP_MD_CTX *sha1_ctx, EVP_MD_CTX *sha256_ctx) {
+    if (opts & CHECK_MD5SUM) {
+        EVP_DigestInit(md5_ctx, EVP_md5());
+    }
+
+    if (opts & CHECK_SHA1SUM) {
+        EVP_DigestInit(sha1_ctx, EVP_sha1());
+    }
+
+    if (opts & CHECK_SHA256SUM) {
+        EVP_DigestInit(sha256_ctx, EVP_sha256());
+    }
+}
+
+/**
+ * @brief Update digests from a provided buffer.
+ *
+ * @param buffer A raw data buffer used to update digests.
+ * @param length An integer holding the length of buffer.
+ * @param opts An integer holding the registry configuration.
+ * @param md5_ctx An MD5 CTX to be updated with the contents of buffer.
+ * @param sha1_ctx An SHA1 CTX to be updated with the contents of buffer.
+ * @param sha256_ctx An SHA256 CTX to be updated with the contents of buffer.
+ */
+void fim_registry_update_digests(const BYTE *buffer,
+                                 size_t length,
+                                 int opts,
+                                 EVP_MD_CTX *md5_ctx,
+                                 EVP_MD_CTX *sha1_ctx,
+                                 EVP_MD_CTX *sha256_ctx) {
+    if (opts & CHECK_MD5SUM) {
+        EVP_DigestUpdate(md5_ctx, buffer, length);
+    }
+
+    if (opts & CHECK_SHA1SUM) {
+        EVP_DigestUpdate(sha1_ctx, buffer, length);
+    }
+
+    if (opts & CHECK_SHA256SUM) {
+        EVP_DigestUpdate(sha256_ctx, buffer, length);
+    }
+}
+
+/**
+ * @brief Prints out hashes from the provided contexts, destryoing them in the process.
+ *
+ * @param opts An integer holding the registry configuration.
+ * @param md5_ctx An MD5 CTX used to print the corresponding hash.
+ * @param sha1_ctx An SHA1 CTX used to print the corresponding hash.
+ * @param sha256_ctx An SHA256 CTX used to print the corresponding hash.
+ * @param md5_output A buffer holding the MD5 hash on exit.
+ * @param sha1_output A buffer holding the SHA1 hash on exit.
+ * @param sha256_output A buffer holding the SHA256 hash on exit.
+ */
+void fim_registry_final_digests(int opts,
+                                EVP_MD_CTX *md5_ctx,
+                                EVP_MD_CTX *sha1_ctx,
+                                EVP_MD_CTX *sha256_ctx,
+                                os_md5 md5_output,
+                                os_sha1 sha1_output,
+                                os_sha256 sha256_output) {
+    unsigned char md5_digest[MD5_DIGEST_LENGTH];
+    unsigned char sha1_digest[SHA_DIGEST_LENGTH];
+    unsigned char sha256_digest[SHA256_DIGEST_LENGTH];
+    int n;
+
+    if (opts & CHECK_MD5SUM) {
+        EVP_DigestFinal(md5_ctx, md5_digest, NULL);
+        for (n = 0; n < MD5_DIGEST_LENGTH; n++) {
+            snprintf(md5_output, 3, "%02x", md5_digest[n]);
+            md5_output += 2;
+        }
+    }
+
+    if (opts & CHECK_SHA1SUM) {
+        EVP_DigestFinal(sha1_ctx, sha1_digest, NULL);
+        for (n = 0; n < SHA_DIGEST_LENGTH; n++) {
+            snprintf(sha1_output, 3, "%02x", sha1_digest[n]);
+            sha1_output += 2;
+        }
+    }
+
+    if (opts & CHECK_SHA256SUM) {
+        EVP_DigestFinal(sha256_ctx, sha256_digest, NULL);
+        for (n = 0; n < SHA256_DIGEST_LENGTH; n++) {
+            snprintf(sha256_output, 3, "%02x", sha256_digest[n]);
+            sha256_output += 2;
+        }
+    }
+}
+
+/**
+ * @brief Calculate and store value hashes.
+ *
+ * @param entry FIM entry holding information from a value.
+ * @param configuration The confguration associated with the value.
+ * @param data_buffer Raw buffer holding the value's contents.
+ */
+void fim_registry_calculate_hashes(fim_entry *entry, registry_t *configuration, BYTE *data_buffer) {
+    EVP_MD_CTX *md5_ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX *sha1_ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX *sha256_ctx = EVP_MD_CTX_new();
+
+    char *string_it;
+    BYTE buffer[OS_SIZE_2048];
+    size_t length;
+
+    entry->registry_entry.value->hash_md5[0] = '\0';
+    entry->registry_entry.value->hash_sha1[0] = '\0';
+    entry->registry_entry.value->hash_sha256[0] = '\0';
+
+    if ((configuration->opts & (CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM)) == 0) {
+        return;
+    }
+
+    /* Initialize configured hashes */
+    fim_registry_init_digests(configuration->opts, md5_ctx, sha1_ctx, sha256_ctx);
+
+    switch (entry->registry_entry.value->type) {
+    case REG_SZ:
+    case REG_EXPAND_SZ:
+        fim_registry_update_digests(data_buffer, strlen((char *)data_buffer), configuration->opts, md5_ctx, sha1_ctx,
+                                    sha256_ctx);
+        break;
+    case REG_MULTI_SZ:
+        /* Print multiple strings */
+        for (string_it = (char *)data_buffer; *string_it; string_it += strlen(string_it) + 1) {
+            fim_registry_update_digests((BYTE *)string_it, strlen(string_it), configuration->opts, md5_ctx, sha1_ctx,
+                                        sha256_ctx);
+        }
+        break;
+    case REG_DWORD:
+        length = snprintf((char *)buffer, OS_SIZE_2048, "%08x", *((unsigned int *)data_buffer));
+        fim_registry_update_digests(buffer, length, configuration->opts, md5_ctx, sha1_ctx, sha256_ctx);
+        break;
+    default:
+        for (unsigned int i = 0; i < entry->registry_entry.value->size; i++) {
+            length = snprintf((char *)buffer, 3, "%02x", (unsigned int)data_buffer[i] & 0xFF);
+            fim_registry_update_digests(buffer, length, configuration->opts, md5_ctx, sha1_ctx, sha256_ctx);
+        }
+        break;
+    }
+
+    fim_registry_final_digests(configuration->opts, md5_ctx, sha1_ctx, sha256_ctx,
+                               entry->registry_entry.value->hash_md5, entry->registry_entry.value->hash_sha1,
+                               entry->registry_entry.value->hash_sha256);
+
+    EVP_MD_CTX_free(md5_ctx);
+    EVP_MD_CTX_free(sha1_ctx);
+    EVP_MD_CTX_free(sha256_ctx);
+}
+
+/**
+ * @brief Free all memory associated with a registry key.
+ *
+ * @param data A fim_registry_key object to be free'd.
+ */
+void fim_registry_free_key(fim_registry_key *key) {
+    if (key) {
+        os_free(key->path);
+        os_free(key->perm);
+        cJSON_Delete(key->perm_json);
+        os_free(key->uid);
+        os_free(key->gid);
+        os_free(key->user_name);
+        os_free(key->group_name);
+        free(key);
+    }
+}
+
+/**
+ * @brief Gets all information from a given registry key.
+ *
+ * @param key_handle A handle to the key whose information we want.
+ * @param path A string holding the full path to the key we want to query.
+ * @param configuration The confguration associated with the key.
+ * @return A fim_registry_key object holding the information from the queried key, NULL on error.
+ */
+fim_registry_key *fim_registry_get_key_data(HKEY key_handle, const char *path, const registry_t *configuration) {
+    fim_registry_key *key;
+
+    os_calloc(1, sizeof(fim_registry_key), key);
+
+    os_strdup(path, key->path);
+
+    key->arch = configuration->arch;
+
+     if (configuration->opts & CHECK_OWNER) {
+        key->user_name = get_registry_user(path, &key->uid, key_handle);
+    }
+
+    if (configuration->opts & CHECK_GROUP) {
+        key->group_name = get_registry_group(&key->gid, key_handle);
+    }
+
+    if (configuration->opts & CHECK_PERM) {
+        int error;
+
+        key->perm_json = NULL;
+        error = get_registry_permissions(key_handle, &(key->perm_json));
+        if (error) {
+            mdebug1(FIM_EXTRACT_PERM_FAIL, path, error);
+            fim_registry_free_key(key);
+            return NULL;
+        }
+
+        decode_win_acl_json(key->perm_json);
+        key->perm = cJSON_PrintUnformatted(key->perm_json);
+    }
+
+    if (configuration->opts & CHECK_MTIME) {
+        key->mtime = get_registry_mtime(key_handle);
+    }
+
+    key->last_event = time(NULL);
+
+    fim_registry_get_checksum_key(key);
+
+    return key;
+}
+
+/**
+ * @brief Free all memory associated with a registry value.
+ *
+ * @param data A fim_registry_value_data object to be free'd.
+ */
+void fim_registry_free_value_data(fim_registry_value_data *data) {
+    if (data) {
+        os_free(data->name);
+        free(data);
+    }
+}
+
+void fim_registry_free_entry(fim_entry *entry) {
+    if (entry) {
+        fim_registry_free_key(entry->registry_entry.key);
+        fim_registry_free_value_data(entry->registry_entry.value);
+        os_free(entry);
+    }
+}
+
+
+/**
+ * @brief Query the values belonging to a key.
+ *
+ * @param key_handle A handle to the key holding the values to query.
+ * @param new A fim_entry object holding the information gathered from the key.
+ * @param saved A fim_entry object holding the information from the key retrieved from the database.
+ * @param value_count An integer holding the amount of values stored in the queried key.
+ * @param max_value_length The size of longest value name contained in the key in unicode characters.
+ * @param max_value_data_length The size of the biggest data contained in of the keys values in bytes.
+ * @param mode A value specifying if the event has been triggered in scheduled, realtime or whodata mode.
+ */
+void fim_read_values(HKEY key_handle,
+                     char* path,
+                     int arch,
+                     DWORD value_count,
+                     DWORD max_value_length,
+                     DWORD max_value_data_length,
+                     TXN_HANDLE regval_txn_handler,
+                     fim_val_txn_context_t *txn_ctx_regval) {
+    fim_registry_value_data value_data;
+    TCHAR *value_buffer;
+    BYTE *data_buffer;
+    DWORD i;
+    fim_entry new;
+    char *value_path;
+    size_t value_path_length;
+    registry_t *configuration = NULL;
+    char* diff = NULL;
+    os_sha1 hash_full_path;
+    char* arch_string;
+
+    value_data.arch = arch;
+    value_data.path = path;
+    new.registry_entry.value = &value_data;
+    new.registry_entry.key = NULL;
+
+    os_calloc(max_value_length + 1, sizeof(TCHAR), value_buffer);
+    os_calloc(max_value_data_length, sizeof(BYTE), data_buffer);
+
+    for (i = 0; i < value_count; i++) {
+        DWORD value_size = max_value_length + 1;
+        DWORD data_size = max_value_data_length;
+        DWORD data_type = 0;
+
+        configuration = fim_registry_configuration(path, arch);
+        if (configuration == NULL) {
+            return;
+        }
+
+        if (RegEnumValue(key_handle, i, value_buffer, &value_size, NULL, &data_type, data_buffer, &data_size) !=
+            ERROR_SUCCESS) {
+            break;
+        }
+
+        new.registry_entry.value->name = value_buffer;
+        new.registry_entry.value->type = data_type <= REG_QWORD ? data_type : REG_UNKNOWN;
+        new.registry_entry.value->size = data_size;
+        new.registry_entry.value->last_event = time(NULL);
+        new.registry_entry.value->scanned = 0;
+        new.type = FIM_TYPE_REGISTRY;
+
+        value_path_length = strlen(new.registry_entry.value->path) + strlen(new.registry_entry.value->name) + 2;
+
+        os_malloc(value_path_length, value_path);
+        snprintf(value_path, value_path_length, "%s\\%s", new.registry_entry.value->path, new.registry_entry.value->name);
+
+        if (fim_registry_validate_ignore(value_path, configuration, 0)) {
+            os_free(value_path);
+            os_free(value_data.name);
+            continue;
+        }
+        os_free(value_path);
+
+        if (fim_check_restrict(new.registry_entry.value->name, configuration->restrict_value)) {
+            continue;
+        }
+
+        arch_string = (arch == ARCH_32BIT) ? "[x32]" : "[x64]";
+
+        // Hash containing "value", arch, key path and value name
+        // Index used in wazuh manager DB
+        OS_SHA1_strings(hash_full_path, "value", arch_string, new.registry_entry.value->path,
+                        new.registry_entry.value->name, NULL);
+        new.registry_entry.value->hash_full_path = hash_full_path;
+
+        fim_registry_calculate_hashes(&new, configuration, data_buffer);
+
+        fim_registry_get_checksum_value(new.registry_entry.value);
+
+        if (configuration->opts & CHECK_SEECHANGES) {
+            diff = fim_registry_value_diff(new.registry_entry.value->path, new.registry_entry.value->name,
+                                       (char *)data_buffer, new.registry_entry.value->type, configuration);
+        }
+        txn_ctx_regval->diff = diff;
+        txn_ctx_regval->data = new.registry_entry.value;
+
+        int result_transaction = fim_db_transaction_sync_row(regval_txn_handler, &new);
+
+        if (result_transaction < 0) {
+            mdebug2("dbsync transaction failed due to %d", result_transaction);
+        }
+    }
+
+    new.registry_entry.value = NULL;
+    os_free(value_data.name);
+    os_free(data_buffer);
+}
+
+/**
+ * @brief Open a registry key and scan its contents.
+ *
+ * @param root_key_handle A handle to the root key to which the key to be scanned belongs.
+ * @param full_key A string holding the full path to the key to scan.
+ * @param sub_key A string holding the path to the key to scan, excluding the root key part of the path.
+ * @param arch An integer specifying the bit count of the register to scan, must be ARCH_32BIT or ARCH_64BIT.
+ * @param mode A value specifying if the event has been triggered in scheduled, realtime or whodata mode.
+ * @param parent_configuration A pointer to the configuration of this key's "parent".
+ */
+void fim_open_key(HKEY root_key_handle,
+                  const char *full_key,
+                  const char *sub_key,
+                  int arch,
+                  fim_event_mode mode,
+                  registry_t *parent_configuration,
+                  TXN_HANDLE regkey_txn_handler,
+                  TXN_HANDLE regval_txn_handler,
+                  fim_val_txn_context_t *txn_ctx_regval,
+                  fim_key_txn_context_t *txn_ctx_reg) {
+
+    HKEY current_key_handle = NULL;
+    REGSAM access_rights;
+    DWORD sub_key_count = 0;
+    DWORD value_count;
+    DWORD max_value_length;
+    DWORD max_value_data_length;
+    FILETIME file_time = { 0 };
+    DWORD i;
+    fim_entry new;
+    registry_t *configuration;
+    int result_transaction = -1;
+    os_sha1 hash_full_path;
+    char* arch_string;
+
+    if (root_key_handle == NULL || full_key == NULL || sub_key == NULL) {
+        return;
+    }
+
+    configuration = fim_registry_configuration(full_key, arch);
+    if (configuration == NULL) {
+        return;
+    }
+
+    if (mode == FIM_SCHEDULED && parent_configuration != NULL && parent_configuration != configuration) {
+        // If a more specific configuration is available in scheduled mode, we will scan this registry later.
+        return;
+    }
+
+    // Recursion level restrictions.
+    if (fim_registry_validate_recursion_level(full_key, configuration)) {
+        return;
+    }
+
+    // Ignore restriction
+    if (fim_registry_validate_ignore(full_key, configuration, 1)) {
+        return;
+    }
+
+    access_rights = KEY_READ | (arch == ARCH_32BIT ? KEY_WOW64_32KEY : KEY_WOW64_64KEY);
+
+    if (RegOpenKeyEx(root_key_handle, sub_key, 0, access_rights, &current_key_handle) != ERROR_SUCCESS) {
+        mdebug1(FIM_REG_OPEN, sub_key, arch == ARCH_32BIT ? "[x32]" : "[x64]");
+        return;
+    }
+
+    /* We use the class_name, sub_key_count and the value count */
+    if (RegQueryInfoKey(current_key_handle, NULL, NULL, NULL, &sub_key_count, NULL, NULL, &value_count,
+                        &max_value_length, &max_value_data_length, NULL, &file_time) != ERROR_SUCCESS) {
+        RegCloseKey(current_key_handle);
+        return;
+    }
+
+    /* Query each sub_key and call open_key */
+    for (i = 0; i < sub_key_count; i++) {
+        char *new_full_key;
+        char *new_sub_key;
+        size_t new_full_key_length;
+        TCHAR sub_key_name_b[MAX_KEY_LENGTH + 1];
+        DWORD sub_key_name_s = MAX_KEY_LENGTH;
+
+        if (RegEnumKeyEx(current_key_handle, i, sub_key_name_b, &sub_key_name_s, NULL, NULL, NULL, NULL) !=
+            ERROR_SUCCESS) {
+            continue;
+        }
+
+        new_full_key_length = strlen(full_key) + sub_key_name_s + 2;
+
+        os_malloc(new_full_key_length, new_full_key);
+
+        snprintf(new_full_key, new_full_key_length, "%s\\%s", full_key, sub_key_name_b);
+
+        if (new_sub_key = strchr(new_full_key, '\\'), new_sub_key) {
+            new_sub_key++;
+        }
+
+        /* Open sub_key */
+        fim_open_key(root_key_handle, new_full_key, new_sub_key, arch, mode, configuration, regkey_txn_handler,
+                     regval_txn_handler, txn_ctx_regval, txn_ctx_reg);
+
+        os_free(new_full_key);
+    }
+
+    // Restrict check
+    if (fim_check_restrict(full_key, configuration->restrict_key)) {
+        return;
+    }
+
+    // Done scanning sub_keys, trigger an alert on the current key if required.
+    new.type = FIM_TYPE_REGISTRY;
+    new.registry_entry.key = fim_registry_get_key_data(current_key_handle, full_key, configuration);
+    new.registry_entry.value = NULL;
+
+    if (new.registry_entry.key == NULL) {
+        return;
+    }
+
+    arch_string = (arch == ARCH_32BIT) ? "[x32]" : "[x64]";
+
+    // Hash containing "key", arch and key path
+    // Index used in wazuh manager DB
+    OS_SHA1_strings(hash_full_path, "key", arch_string, new.registry_entry.key->path, NULL);
+    new.registry_entry.key->hash_full_path = hash_full_path;
+
+    txn_ctx_reg->key = new.registry_entry.key;
+
+    result_transaction = fim_db_transaction_sync_row(regkey_txn_handler, &new);
+
+    if(result_transaction < 0){
+        merror("Dbsync registry transaction failed due to %d", result_transaction);
+    }
+
+    if (value_count) {
+        fim_read_values(current_key_handle, new.registry_entry.key->path, new.registry_entry.key->arch, value_count, max_value_length, max_value_data_length,
+                        regval_txn_handler, txn_ctx_regval);
+    }
+
+    fim_registry_free_key(new.registry_entry.key);
+    RegCloseKey(current_key_handle);
+}
+
+void fim_registry_scan() {
+    HKEY root_key_handle = NULL;
+    const char *sub_key = NULL;
+    int i = 0;
+    event_data_t evt_data_registry_key = { .report_event = true, .mode = FIM_SCHEDULED, .w_evt = NULL };
+    fim_key_txn_context_t txn_ctx_reg = { .evt_data = &evt_data_registry_key };
+    TXN_HANDLE regkey_txn_handler = fim_db_transaction_start(FIMDB_REGISTRY_KEY_TXN_TABLE, registry_key_transaction_callback, &txn_ctx_reg);
+    event_data_t evt_data_registry_value = { .report_event = true, .mode = FIM_SCHEDULED, .w_evt = NULL };
+    fim_val_txn_context_t txn_ctx_regval = { .evt_data = &evt_data_registry_value };
+    TXN_HANDLE regval_txn_handler = fim_db_transaction_start(FIMDB_REGISTRY_VALUE_TXN_TABLE,
+                                                             registry_value_transaction_callback, &txn_ctx_regval);
+
+    /* Debug entries */
+    mdebug1(FIM_WINREGISTRY_START);
+    /* Get sub class and a valid registry entry */
+    for (i = 0; syscheck.registry[i].entry; i++) {
+        /* Ignored entries are zeroed */
+        if (*syscheck.registry[i].entry == '\0') {
+            continue;
+        }
+
+        /* Read syscheck registry entry */
+        mdebug2(FIM_READING_REGISTRY, syscheck.registry[i].arch == ARCH_64BIT ? "[x64] " : "[x32] ",
+                syscheck.registry[i].entry);
+
+        if (fim_set_root_key(&root_key_handle, syscheck.registry[i].entry, &sub_key) != 0) {
+            mdebug1(FIM_INV_REG, syscheck.registry[i].entry,
+                    syscheck.registry[i].arch == ARCH_64BIT ? "[x64] " : "[x32]");
+            *syscheck.registry[i].entry = '\0';
+            continue;
+        }
+        fim_open_key(root_key_handle, syscheck.registry[i].entry, sub_key, syscheck.registry[i].arch, FIM_SCHEDULED,
+                     NULL, regkey_txn_handler, regval_txn_handler, &txn_ctx_regval, &txn_ctx_reg);
+    }
+    txn_ctx_reg.key = NULL;
+    txn_ctx_regval.data = NULL;
+    fim_db_transaction_deleted_rows(regval_txn_handler, registry_value_transaction_callback, &txn_ctx_regval);
+    fim_db_transaction_deleted_rows(regkey_txn_handler, registry_key_transaction_callback, &txn_ctx_reg);
+    regkey_txn_handler = NULL;
+    regval_txn_handler = NULL;
+
+    mdebug1(FIM_WINREGISTRY_ENDED);
+
+    if (_base_line == 0) {
+        _base_line = 1;
+    }
+}
+
+#endif
diff --git a/src/modules/fim/src/run_check.c b/src/modules/fim/src/run_check.c
new file mode 100644
index 0000000000..720a131802
--- /dev/null
+++ b/src/modules/fim/src/run_check.c
@@ -0,0 +1,904 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2010 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+// SCHED_BATCH is Linux specific and is only picked up with _GNU_SOURCE
+#ifdef __linux__
+#include <sched.h>
+#endif
+
+#ifdef INOTIFY_ENABLED
+#include <sys/inotify.h>
+#endif
+
+#include "shared.h"
+#include "syscheck.h"
+#include "../os_crypto/md5_sha1_sha256/md5_sha1_sha256_op.h"
+#include "../rootcheck/rootcheck.h"
+#include "db/include/db.h"
+
+#ifdef WAZUH_UNIT_TESTING
+unsigned int files_read = 0;
+time_t last_time = 0;
+void audit_set_db_consistency(void);
+#ifdef WIN32
+
+#include "../../unit_tests/wrappers/windows/errhandlingapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/processthreadsapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/synchapi_wrappers.h"
+#define localtime_r(x, y)
+#endif
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+// Prototypes
+#ifdef WIN32
+DWORD WINAPI fim_run_realtime(__attribute__((unused)) void * args);
+#else
+void * fim_run_realtime(__attribute__((unused)) void * args);
+#endif
+
+void fim_sync_check_eps();
+
+int fim_whodata_initialize();
+#ifdef WIN32
+STATIC void set_priority_windows_thread();
+#ifdef WIN_WHODATA
+STATIC void set_whodata_mode_changes();
+#endif
+#else
+static void *symlink_checker_thread(__attribute__((unused)) void * data);
+STATIC void fim_link_update(const char *new_path, directory_t *configuration);
+STATIC void fim_link_check_delete(directory_t *configuration);
+STATIC void fim_link_delete_range(directory_t *configuration);
+STATIC void fim_link_silent_scan(const char *path, directory_t *configuration);
+STATIC void fim_link_reload_broken_link(char *path, directory_t *configuration);
+#endif
+
+bool is_fim_shutdown = false;
+
+bool fim_shutdown_process_on() {
+    bool ret = is_fim_shutdown;
+    return ret;
+}
+
+// Send a message
+STATIC void fim_send_msg(char mq, const char * location, const char * msg) {
+    if (fim_shutdown_process_on()) {
+        return;
+    }
+
+    if (SendMSGPredicated(syscheck.queue, msg, location, mq, fim_shutdown_process_on) < 0) {
+        merror(QUEUE_SEND);
+
+        if ((syscheck.queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+            merror_exit(QUEUE_FATAL, DEFAULTQUEUE);
+        }
+
+        // Try to send it again
+        SendMSGPredicated(syscheck.queue, msg, location, mq, fim_shutdown_process_on);
+    }
+}
+
+void fim_sync_check_eps() {
+    static long n_msg_sent = 0;
+
+    if (++n_msg_sent == syscheck.sync_max_eps) {
+        sleep(1);
+        n_msg_sent = 0;
+    }
+}
+// Send a state synchronization message
+void fim_send_sync_state(const char *location, const char* msg) {
+
+    if (syscheck.sync_max_eps == 0) {
+        fim_send_msg(DBSYNC_MQ, location, msg);
+        mdebug2(FIM_DBSYNC_SEND, msg);
+    } else {
+        static pthread_mutex_t sync_eps_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+        w_mutex_lock(&sync_eps_mutex);
+
+        fim_send_msg(DBSYNC_MQ, location, msg);
+        mdebug2(FIM_DBSYNC_SEND, msg);
+        fim_sync_check_eps();
+
+        w_mutex_unlock(&sync_eps_mutex);
+    }
+}
+
+// Send a message related to syscheck change/addition
+void send_syscheck_msg(const cJSON *_msg) {
+    char *msg = cJSON_PrintUnformatted(_msg);
+
+    mdebug2(FIM_SEND, msg);
+    fim_send_msg(SYSCHECK_MQ, SYSCHECK, msg);
+
+    os_free(msg);
+
+    if (syscheck.max_eps == 0) {
+        return;
+    }
+
+    static atomic_int_t n_msg_sent = ATOMIC_INT_INITIALIZER(0);
+
+    if (atomic_int_inc(&n_msg_sent) >= syscheck.max_eps) {
+        sleep(1);
+        atomic_int_set(&n_msg_sent, 0);
+    }
+}
+
+// Send a scan info event
+void fim_send_scan_info(fim_scan_event event) {
+    cJSON * json = fim_scan_info_json(event, time(NULL));
+
+    send_syscheck_msg(json);
+
+    cJSON_Delete(json);
+}
+
+void check_max_fps() {
+#ifndef WAZUH_UNIT_TESTING
+    static unsigned int files_read = 0;
+    static time_t last_time = 0;
+#endif
+    static pthread_mutex_t fps_mutex = PTHREAD_MUTEX_INITIALIZER;
+    static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+    struct timespec wait_time = {0, 0};
+
+    if (syscheck.max_files_per_second == 0) {
+        return;
+    }
+    w_mutex_lock(&fps_mutex);
+    gettime(&wait_time);
+
+    if (wait_time.tv_sec != last_time) {
+        files_read = 0;
+        last_time = wait_time.tv_sec;
+    }
+
+    if (files_read < syscheck.max_files_per_second) {
+        files_read++;
+        w_mutex_unlock(&fps_mutex);
+        return;
+    }
+    mdebug2(FIM_REACHED_MAX_FPS);
+    wait_time.tv_sec += 1;
+
+    // Wait for one second or until the thread is unlocked using w_cond_broadcast
+    int rt = pthread_cond_timedwait(&cond, &fps_mutex, &wait_time);
+    if (rt == ETIMEDOUT) {
+        // In case that the mutex is unlocked due to a timeout, free all blocked threads.
+        files_read = 0;
+        w_cond_broadcast(&cond);
+    } else if (rt != 0) {
+        mdebug2("pthread_cond_timedwait failed: %s", strerror(rt));
+    }
+    w_mutex_unlock(&fps_mutex);
+}
+
+// LCOV_EXCL_START
+// Send a message related to logs
+int send_log_msg(const char * msg)
+{
+    fim_send_msg(LOCALFILE_MQ, SYSCHECK, msg);
+    return (0);
+}
+// LCOV_EXCL_STOP
+
+
+// LCOV_EXCL_START
+// Periodically run the integrity checker
+void start_daemon()
+{
+    int day_scanned = 0;
+    int curr_day = 0;
+    time_t curr_time = 0;
+    time_t prev_time_sk = 0;
+    char curr_hour[12];
+    struct tm tm_result = { .tm_sec = 0 };
+
+    // Some time to settle
+    memset(curr_hour, '\0', 12);
+
+    // A higher nice value means a low priority.
+#ifndef WIN32
+    mdebug1(FIM_PROCESS_PRIORITY, syscheck.process_priority);
+
+    if (nice(syscheck.process_priority) == -1) {
+        merror(NICE_ERROR, strerror(errno), errno);
+    }
+#else
+    set_priority_windows_thread();
+#endif
+
+#ifndef WIN32
+    // Launch rootcheck thread
+    w_create_thread(w_rootcheck_thread, &syscheck);
+#else
+    if (CreateThread(NULL, 0, w_rootcheck_thread, &syscheck, 0, NULL) == NULL) {
+        merror(THREAD_ERROR);
+    }
+#endif
+
+    // If the scan time/day is set, reset the syscheck.time/rootcheck.time
+    if (syscheck.scan_time || syscheck.scan_day) {
+        // At least once a week
+        syscheck.time = 604800;
+    }
+
+    // Deleting content of FIM diff directory
+    char diff_file_dir[PATH_MAX];
+    char diff_registry_dir[PATH_MAX];
+    char diff_local_dir[PATH_MAX];
+
+
+    // The contents of the report_changes diff directory must be deleted whenever the agent is started.
+    // Directory used for files.
+    snprintf(diff_file_dir, PATH_MAX, "%s/file/", DIFF_DIR);
+    if (cldir_ex(diff_file_dir) == -1 && errno != ENOENT) {
+        merror("Unable to clear directory '%s': %s (%d)", diff_file_dir, strerror(errno), errno);
+    }
+    // Directory used for registries.
+    snprintf(diff_registry_dir, PATH_MAX, "%s/registry/", DIFF_DIR);
+    if (cldir_ex(diff_registry_dir) == -1 && errno != ENOENT) {
+        merror("Unable to clear directory '%s': %s (%d)", diff_registry_dir, strerror(errno), errno);
+    }
+    // Old directory used by report_changes, may be leftover from an old installation
+    snprintf(diff_local_dir, PATH_MAX, "%s/local/", DIFF_DIR);
+    if (cldir_ex(diff_local_dir) == -1 && errno != ENOENT) {
+        merror("Unable to clear directory '%s': %s (%d)", diff_local_dir, strerror(errno), errno);
+    }
+
+    if (syscheck.disabled) {
+        return;
+    }
+
+    minfo(FIM_DAEMON_STARTED);
+
+    if (syscheck.file_limit_enabled) {
+        mdebug2(FIM_FILE_LIMIT_VALUE, syscheck.file_entry_limit);
+    } else {
+        mdebug2(FIM_LIMIT_UNLIMITED, "file");
+    }
+
+#ifdef WIN32
+    if (syscheck.registry_limit_enabled) {
+        mdebug2(FIM_REGISTRY_LIMIT_VALUE, syscheck.db_entry_registry_limit);
+    } else {
+        mdebug2(FIM_LIMIT_UNLIMITED, "registry");
+    }
+#endif
+
+    // Create File integrity monitoring base-line
+    minfo(FIM_FREQUENCY_TIME, syscheck.time);
+    fim_scan();
+
+    // Launch inventory synchronization thread, if enabled
+    if (syscheck.enable_synchronization) {
+        fim_run_integrity();
+    }
+
+#ifndef WIN32
+    // Launch Real-time thread
+    w_create_thread(fim_run_realtime, &syscheck);
+
+    // Launch symbolic links checker thread
+    w_create_thread(symlink_checker_thread, NULL);
+#else
+    if (CreateThread(NULL, 0, fim_run_realtime, &syscheck, 0, NULL) == NULL) {
+
+        merror(THREAD_ERROR);
+    }
+#endif
+
+    // Launch Whodata real-time thread
+    if(syscheck.enable_whodata) {
+        fim_whodata_initialize();
+    }
+
+    // Before entering in daemon mode itself
+    prev_time_sk = time(0);
+
+    // If the scan_time or scan_day is set, we need to handle the current day/time on the loop.
+    if (syscheck.scan_time || syscheck.scan_day) {
+        curr_time = time(0);
+        localtime_r(&curr_time, &tm_result);
+
+        // Assign hour/min/sec values
+        snprintf(curr_hour, 9, "%02d:%02d:%02d",
+                 tm_result.tm_hour,
+                 tm_result.tm_min,
+                 tm_result.tm_sec);
+
+        curr_day = tm_result.tm_mday;
+
+        if (syscheck.scan_time && syscheck.scan_day) {
+            if ((OS_IsAfterTime(curr_hour, syscheck.scan_time)) &&
+                    (OS_IsonDay(tm_result.tm_wday, syscheck.scan_day))) {
+                day_scanned = 1;
+            }
+        } else if (syscheck.scan_time) {
+            if (OS_IsAfterTime(curr_hour, syscheck.scan_time)) {
+                day_scanned = 1;
+            }
+        } else if (syscheck.scan_day) {
+            if (OS_IsonDay(tm_result.tm_wday, syscheck.scan_day)) {
+                day_scanned = 1;
+            }
+        }
+    }
+
+    // Check every SYSCHECK_WAIT
+    while (1) {
+        int run_now = 0;
+        curr_time = time(0);
+
+        // Check if syscheck should be restarted
+        run_now = os_check_restart_syscheck();
+
+        // Check if a day_time or scan_time is set
+        if (syscheck.scan_time || syscheck.scan_day) {
+            localtime_r(&curr_time, &tm_result);
+
+            // Day changed
+            if (curr_day != tm_result.tm_mday) {
+                day_scanned = 0;
+                curr_day = tm_result.tm_mday;
+            }
+
+            // Check for the time of the scan
+            if (!day_scanned && syscheck.scan_time && syscheck.scan_day) {
+                // Assign hour/min/sec values
+                snprintf(curr_hour, 9, "%02d:%02d:%02d",
+                         tm_result.tm_hour, tm_result.tm_min, tm_result.tm_sec);
+
+                if ((OS_IsAfterTime(curr_hour, syscheck.scan_time)) &&
+                        (OS_IsonDay(tm_result.tm_wday, syscheck.scan_day))) {
+                    day_scanned = 1;
+                    run_now = 1;
+                }
+            } else if (!day_scanned && syscheck.scan_time) {
+                // Assign hour/min/sec values
+                snprintf(curr_hour, 9, "%02d:%02d:%02d",
+                         tm_result.tm_hour, tm_result.tm_min, tm_result.tm_sec);
+
+                if (OS_IsAfterTime(curr_hour, syscheck.scan_time)) {
+                    run_now = 1;
+                    day_scanned = 1;
+                }
+            } else if (!day_scanned && syscheck.scan_day) {
+                // Check for the day of the scan
+                if (OS_IsonDay(tm_result.tm_wday, syscheck.scan_day)) {
+                    run_now = 1;
+                    day_scanned = 1;
+                }
+            }
+        }
+
+        // If time elapsed is higher than the syscheck time, run syscheck time
+        if (((curr_time - prev_time_sk) > syscheck.time) || run_now) {
+            prev_time_sk = fim_scan();
+        }
+        sleep(SYSCHECK_WAIT);
+    }
+}
+// LCOV_EXCL_STOP
+
+// Starting Real-time thread
+#if defined WIN32
+DWORD WINAPI fim_run_realtime(__attribute__((unused)) void * args) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+    int watches;
+
+    SafeWow64DisableWow64FsRedirection(NULL); //Disable virtual redirection to 64bits folder due this is a x86 process
+    set_priority_windows_thread();
+    // Directories in Windows configured with real-time add recursive watches
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            realtime_adddir(dir_it->path, dir_it);
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    watches = get_realtime_watches();
+    if (watches != 0) {
+        mdebug2(FIM_NUM_WATCHES, watches);
+    }
+
+    while (FOREVER()) {
+
+#ifdef WIN_WHODATA
+        if (syscheck.realtime_change) {
+            set_whodata_mode_changes();
+        }
+#endif
+        if (get_realtime_watches() > 0) {
+            log_realtime_status(1);
+
+            if (WaitForSingleObjectEx(syscheck.realtime->evt, SYSCHECK_WAIT * 1000, TRUE) == WAIT_FAILED) {
+                merror(FIM_ERROR_REALTIME_WAITSINGLE_OBJECT);
+            }
+        } else {
+            sleep(SYSCHECK_WAIT);
+        }
+
+        // Directories in Windows configured with real-time add recursive watches
+        w_rwlock_wrlock(&syscheck.directories_lock);
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            if (dir_it->options & REALTIME_ACTIVE) {
+                realtime_adddir(dir_it->path, dir_it);
+            }
+        }
+        w_rwlock_unlock(&syscheck.directories_lock);
+    }
+    return 0;
+}
+
+#elif defined INOTIFY_ENABLED
+void *fim_run_realtime(__attribute__((unused)) void * args) {
+    int nfds = -1;
+
+    fim_realtime_print_watches();
+
+    while (FOREVER()) {
+        w_mutex_lock(&syscheck.fim_realtime_mutex);
+        if (syscheck.realtime && (syscheck.realtime->fd >= 0)) {
+            nfds = syscheck.realtime->fd;
+        }
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+        if (nfds >= 0) {
+            log_realtime_status(1);
+            struct timeval selecttime;
+            fd_set rfds;
+            int run_now = 0;
+
+            selecttime.tv_sec = SYSCHECK_WAIT;
+            selecttime.tv_usec = 0;
+
+            // zero-out the fd_set
+            FD_ZERO (&rfds);
+            FD_SET(nfds, &rfds);
+            run_now = select(nfds + 1, &rfds, NULL, NULL, &selecttime);
+
+            if (run_now < 0) {
+                merror(FIM_ERROR_SELECT);
+            } else if (run_now == 0) {
+                // Timeout
+            } else if (FD_ISSET (nfds, &rfds)) {
+                realtime_process();
+            }
+
+        } else {
+            sleep(SYSCHECK_WAIT);
+        }
+    }
+    return NULL;
+}
+
+#else
+void * fim_run_realtime(__attribute__((unused)) void * args) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            mwarn(FIM_WARN_REALTIME_UNSUPPORTED);
+            break;
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    pthread_exit(NULL);
+    return NULL;
+}
+#endif
+// LCOV_EXCL_STOP
+
+#ifdef WIN32
+void set_priority_windows_thread() {
+    DWORD dwCreationFlags = syscheck.process_priority <= -10 ? THREAD_PRIORITY_HIGHEST :
+                      syscheck.process_priority <= -5 ? THREAD_PRIORITY_ABOVE_NORMAL :
+                      syscheck.process_priority <= 0 ? THREAD_PRIORITY_NORMAL :
+                      syscheck.process_priority <= 5 ? THREAD_PRIORITY_BELOW_NORMAL :
+                      syscheck.process_priority <= 10 ? THREAD_PRIORITY_LOWEST :
+                      THREAD_PRIORITY_IDLE;
+
+    mdebug1(FIM_PROCESS_PRIORITY, syscheck.process_priority);
+
+    if(!SetThreadPriority(GetCurrentThread(), dwCreationFlags)) {
+        int dwError = GetLastError();
+        merror("Can't set thread priority: %d", dwError);
+    }
+}
+#endif
+
+#ifdef WIN_WHODATA
+int fim_whodata_initialize() {
+    int retval = 0;
+    long unsigned int t_id;
+    HANDLE t_hdle;
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue;
+        }
+
+        if (realtime_adddir(dir_it->path, dir_it) == -2) {
+            dir_it->dirs_status.status &= ~WD_CHECK_WHODATA;
+            dir_it->dirs_status.status |= WD_CHECK_REALTIME;
+            dir_it->options &= ~WHODATA_ACTIVE;
+            syscheck.realtime_change = 1;
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    if (syscheck.wdata.fd == NULL) {
+        OSList_foreach(node_it, syscheck.wildcards) {
+            dir_it = node_it->data;
+            if (FIM_MODE(dir_it->options) == FIM_WHODATA) {
+                whodata_audit_start();
+                break;
+            }
+        }
+    }
+
+    /* If the initialization of the Whodata engine fails,
+    Wazuh must monitor files/directories in Realtime mode. */
+    if (!run_whodata_scan()) {
+        if (t_hdle = CreateThread(NULL, 0, state_checker, NULL, 0, &t_id), !t_hdle) {
+            merror(FIM_ERROR_CHECK_THREAD);
+            retval = -1;
+        }
+    } else {
+        merror(FIM_ERROR_WHODATA_INIT);
+
+        // In case SACLs and policies have been set, restore them.
+        audit_restore();
+
+        w_rwlock_wrlock(&syscheck.directories_lock);
+        // Add proper flags for the realtime thread monitors the directories/files.
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            dir_it->dirs_status.status &= ~WD_CHECK_WHODATA;
+            dir_it->dirs_status.status |= WD_CHECK_REALTIME;
+            dir_it->options &= ~WHODATA_ACTIVE;
+            syscheck.realtime_change = 1;
+        }
+
+        retval = -1;
+        w_rwlock_unlock(&syscheck.directories_lock);
+    }
+
+    return retval;
+}
+
+#elif defined ENABLE_AUDIT
+int fim_whodata_initialize() {
+    audit_set_db_consistency();
+
+    return 0;
+}
+
+#else
+int fim_whodata_initialize() {
+    if (syscheck.enable_whodata) {
+        mwarn(FIM_WARN_WHODATA_UNSUPPORTED);
+    }
+    return -1;
+}
+#endif
+
+
+void log_realtime_status(int next) {
+    /*
+     * 0: stop (initial)
+     * 1: run
+     * 2: pause
+     */
+
+    static int status = 0;
+
+    switch (status) {
+    case 0:
+        if (next == 1) {
+            minfo(FIM_REALTIME_STARTED);
+            status = next;
+        }
+        break;
+    case 1:
+        if (next == 2) {
+            minfo(FIM_REALTIME_PAUSED);
+            status = next;
+        }
+        break;
+    case 2:
+        if (next == 1) {
+            minfo(FIM_REALTIME_RESUMED);
+            status = next;
+        }
+    }
+}
+
+//Callback
+void fim_db_remove_validated_path(void * data, void * ctx)
+{
+    char *path = (char *)data;
+    struct get_data_ctx *ctx_data = (struct get_data_ctx *)ctx;
+
+    directory_t *validated_configuration = fim_configuration_directory(path);
+
+    if (validated_configuration == ctx_data->config)
+    {
+        fim_generate_delete_event(path, ctx_data->event, ctx_data->config);
+    }
+}
+
+#ifndef WIN32
+// LCOV_EXCL_START
+static void *symlink_checker_thread(__attribute__((unused)) void * data) {
+    char *real_path;
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    mdebug1(FIM_LINKCHECK_START, syscheck.sym_checker_interval);
+
+    while (1) {
+        sleep(syscheck.sym_checker_interval);
+        mdebug1(FIM_LINKCHECK_START, syscheck.sym_checker_interval);
+
+        w_mutex_lock(&syscheck.fim_scan_mutex);
+        w_rwlock_rdlock(&syscheck.directories_lock);
+
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            if ((dir_it->options & CHECK_FOLLOW) == 0) {
+                continue;
+            }
+
+            real_path = realpath(dir_it->path, NULL);
+
+            if (dir_it->symbolic_links) {
+                if (real_path) {
+                    // Check if link has changed
+                    if (strcmp(real_path, dir_it->symbolic_links)) {
+                        mdebug2(FIM_LINKCHECK_CHANGED, dir_it->path, dir_it->symbolic_links, real_path);
+                        fim_link_update(real_path, dir_it);
+                    } else {
+                        mdebug2(FIM_LINKCHECK_NOCHANGE, dir_it->symbolic_links);
+                    }
+                } else {
+                    // Broken link
+                    char path[PATH_MAX];
+
+                    snprintf(path, PATH_MAX, "%s", dir_it->symbolic_links);
+                    fim_link_check_delete(dir_it);
+
+                    directory_t *config = fim_configuration_directory(path);
+
+                    if (config != NULL) {
+                        fim_link_silent_scan(path, config);
+                    }
+                }
+            } else {
+                // Check real_path to reload broken link.
+                if (real_path && strcmp(real_path, dir_it->path) != 0) {
+                    fim_link_reload_broken_link(real_path, dir_it);
+                }
+            }
+
+            os_free(real_path);
+        }
+
+        w_rwlock_unlock(&syscheck.directories_lock);
+        w_mutex_unlock(&syscheck.fim_scan_mutex);
+        mdebug1(FIM_LINKCHECK_FINALIZE);
+    }
+
+    return NULL;
+}
+// LCOV_EXCL_STOP
+
+STATIC void fim_link_update(const char *new_path, directory_t *configuration) {
+    int in_configuration = false;
+    int is_new_link = true;
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    // Check if the previously pointed folder is in the configuration
+    // and delete its database entries if it isn't
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it == configuration) {
+            // This is the link being changed
+            continue;
+        }
+
+        if (strcmp(configuration->symbolic_links, dir_it->symbolic_links ? dir_it->symbolic_links : dir_it->path) == 0) {
+            in_configuration = true;
+            break;
+        }
+    }
+
+    if (in_configuration == false) {
+#ifdef ENABLE_AUDIT
+        // Remove the audit rule for the previous link only if the path is not configured in other entry.
+        if (configuration->options & WHODATA_ACTIVE) {
+            remove_audit_rule_syscheck(configuration->symbolic_links);
+        }
+#endif
+        fim_link_delete_range(configuration);
+    }
+
+    // Check if the updated path of the link is already in the configuration
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it == configuration) {
+            if (strcmp(new_path, dir_it->path) == 0) {
+                // We were monitoring a link, now we are monitoring the actual directory
+#ifdef ENABLE_AUDIT
+                if (dir_it->options & WHODATA_ACTIVE) {
+                    add_whodata_directory(dir_it->path);
+                }
+#endif
+                is_new_link = false;
+                break;
+            }
+        } else if (strcmp(new_path, dir_it->symbolic_links ? dir_it->symbolic_links : dir_it->path) == 0) {
+            mdebug2(FIM_LINK_ALREADY_ADDED, dir_it->path);
+            is_new_link = false;
+            break;
+        }
+    }
+
+    w_mutex_lock(&syscheck.fim_symlink_mutex);
+    os_free(configuration->symbolic_links);
+
+    if (is_new_link) {
+        os_strdup(new_path, configuration->symbolic_links);
+    }
+
+    w_mutex_unlock(&syscheck.fim_symlink_mutex);
+    if (is_new_link) {
+        // Add new entries without alert.
+        fim_link_silent_scan(new_path, configuration);
+    }
+}
+
+STATIC void fim_link_check_delete(directory_t *configuration) {
+    struct stat statbuf;
+
+    if (w_stat(configuration->symbolic_links, &statbuf) < 0) {
+        if (errno == ENOENT) {
+#ifdef ENABLE_AUDIT
+            if (configuration->options & WHODATA_ACTIVE) {
+                remove_audit_rule_syscheck(configuration->symbolic_links);
+            }
+#endif
+            w_mutex_lock(&syscheck.fim_symlink_mutex);
+            os_free(configuration->symbolic_links);
+            w_mutex_unlock(&syscheck.fim_symlink_mutex);
+            return;
+        }
+
+        mdebug1(FIM_STAT_FAILED, configuration->symbolic_links, errno, strerror(errno));
+    } else {
+        fim_link_delete_range(configuration);
+
+        fim_realtime_delete_watches(configuration);
+
+#ifdef ENABLE_AUDIT
+        if (configuration->options & WHODATA_ACTIVE) {
+            remove_audit_rule_syscheck(configuration->symbolic_links);
+        }
+#endif
+        w_mutex_lock(&syscheck.fim_symlink_mutex);
+        os_free(configuration->symbolic_links);
+        w_mutex_unlock(&syscheck.fim_symlink_mutex);
+    }
+}
+
+STATIC void fim_link_delete_range(directory_t *configuration) {
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .report_event = false, .w_evt = NULL, .type = FIM_DELETE };
+    char pattern[PATH_MAX] = {0};
+
+    get_data_ctx ctx = {
+        .event = (event_data_t *)&evt_data,
+        .config = configuration,
+        .path = configuration->path
+    };
+    // Create the sqlite LIKE pattern.
+    snprintf(pattern, PATH_MAX, "%s%c%%", configuration->symbolic_links, PATH_SEP);
+    callback_context_t callback_data;
+    callback_data.callback = fim_db_remove_validated_path;
+    callback_data.context = &ctx;
+
+    fim_db_file_pattern_search(pattern, callback_data);
+}
+
+STATIC void fim_link_silent_scan(const char *path, directory_t *configuration) {
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = false };
+
+    fim_checker(path, &evt_data, configuration, NULL, NULL);
+
+    realtime_adddir(path, configuration);
+#ifdef ENABLE_AUDIT
+    if (configuration->options & WHODATA_ACTIVE) {
+        // Just in case, we need to remove the configured directory if it was previously monitored
+        remove_audit_rule_syscheck(configuration->path);
+    }
+#endif
+}
+
+STATIC void fim_link_reload_broken_link(char *path, directory_t *configuration) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (strcmp(path, dir_it->path) == 0) {
+            // If a configuration directory exists don't reload
+            mdebug2(FIM_LINK_ALREADY_ADDED, dir_it->path);
+            return;
+        }
+    }
+
+    // Reload broken link
+    w_mutex_lock(&syscheck.fim_symlink_mutex);
+    os_free(configuration->symbolic_links);
+    os_strdup(path, configuration->symbolic_links);
+    w_mutex_unlock(&syscheck.fim_symlink_mutex);
+
+    // Add new entries without alert.
+    fim_link_silent_scan(path, configuration);
+}
+
+#endif
+#ifdef WIN_WHODATA
+void set_whodata_mode_changes() {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    if (syscheck.realtime == NULL) {
+        realtime_start();
+    }
+
+    syscheck.realtime_change = 0;
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->dirs_status.status & WD_CHECK_REALTIME) {
+            // At this point the directories in whodata mode that have been deconfigured are added to realtime
+            dir_it->dirs_status.status &= ~WD_CHECK_REALTIME;
+            dir_it->options |= REALTIME_ACTIVE;
+            if (realtime_adddir(dir_it->path, dir_it) != 1) {
+                merror(FIM_ERROR_REALTIME_ADDDIR_FAILED, dir_it->path);
+            } else {
+                mdebug1(FIM_REALTIME_MONITORING, dir_it->path);
+            }
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+}
+#endif
diff --git a/src/modules/fim/src/run_realtime.c b/src/modules/fim/src/run_realtime.c
new file mode 100644
index 0000000000..d24873553d
--- /dev/null
+++ b/src/modules/fim/src/run_realtime.c
@@ -0,0 +1,775 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "syscheck.h"
+
+#include "fs_op.h"
+#include "hash_op.h"
+#include "debug_op.h"
+#include "syscheck.h"
+#include "syscheck_op.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#include "../../unit_tests/wrappers/windows/fileapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/handleapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/synchapi_wrappers.h"
+#include "../../unit_tests/wrappers/windows/winbase_wrappers.h"
+#endif
+#endif
+
+#ifdef INOTIFY_ENABLED
+#include <sys/inotify.h>
+
+#define REALTIME_MONITOR_FLAGS  IN_MODIFY|IN_ATTRIB|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+#define REALTIME_EVENT_SIZE     (sizeof (struct inotify_event))
+#define REALTIME_EVENT_BUFFER   (2048 * (REALTIME_EVENT_SIZE + 16))
+
+int realtime_start() {
+    OSListNode *node_it;
+    os_calloc(1, sizeof(rtfim), syscheck.realtime);
+
+    syscheck.realtime->dirtb = OSHash_Create();
+    if (syscheck.realtime->dirtb == NULL) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        goto error;
+    }
+
+    OSHash_SetFreeDataPointer(syscheck.realtime->dirtb, (void (*)(void *))free);
+
+    syscheck.realtime->fd = inotify_init();
+    if (syscheck.realtime->fd < 0) {
+        merror(FIM_ERROR_INOTIFY_INITIALIZE);
+        goto error;
+    }
+
+    return (0);
+
+error:
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        directory_t *dir_it = node_it->data;
+
+        if (dir_it->options & REALTIME_ACTIVE) {
+            dir_it->options &= ~ REALTIME_ACTIVE;
+            dir_it->options |= SCHEDULED_ACTIVE;
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+    return -1;
+}
+
+/* Add a directory to real time checking */
+int fim_add_inotify_watch(const char *dir, const directory_t *configuration) {
+    /* Check if it is ready to use */
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+
+    if (syscheck.realtime->fd < 0) {
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return (-1);
+    } else {
+        int wd = 0;
+
+        wd =
+        inotify_add_watch(syscheck.realtime->fd, dir,
+                          (0 == (configuration->options & CHECK_FOLLOW)) ? (REALTIME_MONITOR_FLAGS | IN_DONT_FOLLOW) :
+                                                                           REALTIME_MONITOR_FLAGS);
+        if (wd < 0) {
+            if (errno == 28) {
+                merror(FIM_ERROR_INOTIFY_ADD_MAX_REACHED, dir, wd, errno);
+            }
+            else {
+                mdebug1(FIM_INOTIFY_ADD_WATCH, dir, wd, errno, strerror(errno));
+            }
+        }
+        else {
+            char wdchar[33];
+            char *data;
+            int retval;
+            snprintf(wdchar, 33, "%d", wd);
+            os_strdup(dir, data);
+            if (!OSHash_Get_ex(syscheck.realtime->dirtb, wdchar)) {
+                if (retval = OSHash_Add_ex(syscheck.realtime->dirtb, wdchar, data), retval == 0) {
+                    os_free(data);
+                    merror_exit(FIM_CRITICAL_ERROR_OUT_MEM);
+                }
+                else if (retval == 1) {
+                    mdebug2(FIM_REALTIME_HASH_DUP, data);
+                    os_free(data);
+                }
+
+                mdebug2(FIM_REALTIME_NEWDIRECTORY, dir);
+            }
+            else {
+                if (retval = OSHash_Update_ex(syscheck.realtime->dirtb, wdchar, data), retval == 0) {
+                    merror("Unable to update 'dirtb'. Directory not found: '%s'", data);
+                    os_free(data);
+                    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+                    return (-1);
+                }
+            }
+        }
+    }
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+    return 1;
+}
+
+/* Add a directory to real time checking */
+int realtime_adddir(const char *dir, directory_t *configuration) {
+    int mode = FIM_MODE(configuration->options);
+
+#ifdef ENABLE_AUDIT
+    if (mode == FIM_WHODATA){
+        add_whodata_directory(dir);
+        return 1;
+    }
+#endif
+
+    if (mode == FIM_REALTIME) {
+        return fim_add_inotify_watch(dir, configuration);
+    }
+
+    // Nothing to do here
+    return 1;
+}
+
+void fim_realtime_delete_watches(const directory_t *configuration) {
+    OSHashNode *hash_node;
+    char *data;
+    W_Vector * watch_to_delete;
+    unsigned int inode_it = 0;
+    int deletion_it = 0;
+    directory_t *watch_conf;
+
+    assert(configuration != NULL);
+
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    if (syscheck.realtime == NULL || syscheck.realtime->dirtb == NULL) {
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return;
+    }
+
+    watch_to_delete = W_Vector_init(1024);
+
+    if (watch_to_delete == NULL) {
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return;
+    }
+
+    for (hash_node = OSHash_Begin(syscheck.realtime->dirtb, &inode_it); hash_node;
+         hash_node = OSHash_Next(syscheck.realtime->dirtb, &inode_it, hash_node)) {
+        data = hash_node->data;
+        if (data == NULL) {
+            continue;
+        }
+        watch_conf = fim_configuration_directory(data);
+
+        if (configuration == watch_conf) {
+            W_Vector_insert(watch_to_delete, hash_node->key);
+            deletion_it++;
+        }
+    }
+
+    deletion_it--;
+    while(deletion_it >= 0) {
+        const char * wd_str = W_Vector_get(watch_to_delete, deletion_it);
+        if (wd_str == NULL) {
+            continue;
+        }
+
+        inotify_rm_watch(syscheck.realtime->fd, atol(wd_str));
+        free(OSHash_Delete_ex(syscheck.realtime->dirtb, wd_str));
+        deletion_it--;
+    }
+
+    W_Vector_free(watch_to_delete);
+
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    return;
+}
+
+/* Process events in the real time queue */
+void realtime_process() {
+    ssize_t len;
+    char buf[REALTIME_EVENT_BUFFER + 1];
+    struct inotify_event *event;
+
+    buf[REALTIME_EVENT_BUFFER] = '\0';
+
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    len = read(syscheck.realtime->fd, buf, REALTIME_EVENT_BUFFER);
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+    if (len < 0) {
+        merror(FIM_ERROR_REALTIME_READ_BUFFER);
+        return;
+    }
+
+    if (len == 0) {
+        // Nothing to do
+        return;
+    }
+
+    rb_tree * tree = rbtree_init();
+    for (size_t i = 0; i < (size_t) len; i += REALTIME_EVENT_SIZE + event->len) {
+        char wdchar[33];
+        char final_name[MAX_LINE + 1];
+        char *entry;
+        final_name[MAX_LINE] = '\0';
+        event = (struct inotify_event *) (void *) &buf[i];
+
+        if (event->wd == -1 && event->mask == IN_Q_OVERFLOW) {
+            mwarn("Real-time inotify kernel queue is full. Some events may be lost. Next scheduled scan will recover lost data.");
+            fim_realtime_set_queue_overflow(true);
+            send_log_msg("ossec: Real-time inotify kernel queue is full. Some events may be lost. Next scheduled scan will recover lost data.");
+            continue;
+        }
+
+        snprintf(wdchar, 33, "%d", event->wd);
+
+        w_mutex_lock(&syscheck.fim_realtime_mutex);
+        // The configured paths can end at / or not, we must check it.
+        entry = (char *) OSHash_Get_ex(syscheck.realtime->dirtb, wdchar);
+
+        if (entry == NULL) {
+            w_mutex_unlock(&syscheck.fim_realtime_mutex);
+            continue;
+        }
+
+        // Check file entries with realtime
+        if (event->len == 0) {
+            snprintf(final_name, MAX_LINE, "%s", entry);
+        } else {
+            // Check directories entries with realtime
+            if (entry[strlen(entry) - 1] == PATH_SEP) {
+                snprintf(final_name, MAX_LINE, "%s%s", entry, event->name);
+            } else {
+                snprintf(final_name, MAX_LINE, "%s/%s", entry, event->name);
+            }
+        }
+
+        if (rbtree_insert(tree, final_name, NULL) == NULL) {
+            mdebug2("Duplicate event in real-time buffer: %s", final_name);
+        }
+
+        switch(event->mask) {
+        case IN_MOVE_SELF:
+            delete_subdirectories_watches(entry);
+            // fall through
+        case IN_DELETE_SELF:
+            mdebug2(FIM_INOTIFY_WATCH_DELETED, entry);
+            free(OSHash_Delete_ex(syscheck.realtime->dirtb, wdchar));
+
+            break;
+        }
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    }
+
+    char ** paths = rbtree_keys(tree);
+
+    for (int i = 0; paths[i] != NULL; i++) {
+        w_rwlock_rdlock(&syscheck.directories_lock);
+        fim_realtime_event(paths[i]);
+        w_rwlock_unlock(&syscheck.directories_lock);
+    }
+
+    free_strarray(paths);
+    rbtree_destroy(tree);
+}
+
+int realtime_update_watch(const char *wd, const char *dir) {
+    int old_wd, new_wd;
+    char wdchar[33];
+    char *data;
+    int retval;
+    const directory_t *configuration;
+
+    if (syscheck.realtime->fd < 0) {
+        return -1;
+    }
+
+    configuration = fim_configuration_directory(dir);
+
+    if (configuration == NULL) {
+        inotify_rm_watch(syscheck.realtime->fd, atoi(wd));
+        free(OSHash_Delete_ex(syscheck.realtime->dirtb, wd));
+        return 0;
+    }
+
+    old_wd = atoi(wd);
+    new_wd =
+    inotify_add_watch(syscheck.realtime->fd, dir,
+                      (configuration->options & CHECK_FOLLOW) == 0 ? (REALTIME_MONITOR_FLAGS | IN_DONT_FOLLOW) :
+                                                                     REALTIME_MONITOR_FLAGS);
+
+    if (new_wd < 0) {
+        if (errno == ENOSPC) {
+            merror(FIM_ERROR_INOTIFY_ADD_MAX_REACHED, dir, new_wd, errno);
+            return -1;
+        } else if (errno == ENOENT) {
+            mdebug2("Removing watch on non existent directory '%s'", dir);
+            inotify_rm_watch(syscheck.realtime->fd, old_wd);
+            free(OSHash_Delete_ex(syscheck.realtime->dirtb, wd));
+            return 0;
+        } else {
+            mdebug1(FIM_INOTIFY_ADD_WATCH, dir, new_wd, errno, strerror(errno));
+            return -1;
+        }
+    }
+
+    if (new_wd == old_wd) {
+        return -1;
+    }
+
+    snprintf(wdchar, 33, "%d", new_wd);
+    os_strdup(dir, data);
+
+    // Remove the old wd entry
+    free(OSHash_Delete_ex(syscheck.realtime->dirtb, wd));
+
+    if (!OSHash_Get_ex(syscheck.realtime->dirtb, wdchar)) {
+        if (retval = OSHash_Add_ex(syscheck.realtime->dirtb, wdchar, data), retval == 0) {
+            os_free(data);
+            merror(FIM_CRITICAL_ERROR_OUT_MEM);
+            return -1;
+        }
+
+        mdebug2(FIM_REALTIME_NEWDIRECTORY, data);
+    } else if (retval = OSHash_Update_ex(syscheck.realtime->dirtb, wdchar, data), retval == 0) {
+        merror("Unable to update 'dirtb'. Directory not found: '%s'", data);
+        os_free(data);
+    }
+    return 0;
+}
+
+void delete_subdirectories_watches(char *dir) {
+    OSHashNode *hash_node;
+    char *data;
+    unsigned int inode_it = 0;
+    char *dir_slash = NULL;
+    int dir_len = strlen(dir) + 1;
+
+
+    // If the directory already ends with an slash, there is no need for adding an extra one
+    if (dir[dir_len - 1] != '/') {
+        os_calloc(dir_len + 2, sizeof(char), dir_slash);  // Length of dir plus an extra slash
+
+        // Copy the content of dir into dir_slash and add an extra slash
+        snprintf(dir_slash, dir_len + 2, "%s/", dir);
+    }
+    else {
+        os_calloc(dir_len, sizeof(char), dir_slash);
+        snprintf(dir_slash, dir_len, "%s", dir);
+    }
+
+    if(syscheck.realtime->fd) {
+        hash_node = OSHash_Begin(syscheck.realtime->dirtb, &inode_it);
+
+        while(hash_node) {
+            data = hash_node->data;
+
+            if (strncmp(dir_slash, data, strlen(dir_slash)) == 0) {
+                char * data_node = OSHash_Delete_ex(syscheck.realtime->dirtb, hash_node->key);
+                mdebug2(FIM_INOTIFY_WATCH_DELETED, data);
+                os_free(data_node);
+
+                /*
+                    If an element of the hash table is deleted, it needs to start from the
+                    beginning again to prevent going out of boundaries.
+                */
+                hash_node = OSHash_Begin(syscheck.realtime->dirtb, &inode_it);
+                continue;
+            }
+
+            hash_node = OSHash_Next(syscheck.realtime->dirtb, &inode_it, hash_node);
+        }
+    }
+
+    os_free(dir_slash);
+}
+
+void realtime_sanitize_watch_map() {
+    OSHashNode *hash_node;
+    unsigned int inode_it = 0;
+    struct timespec start;
+    struct timespec end;
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+
+    gettime(&start);
+    hash_node = OSHash_Begin(syscheck.realtime->dirtb, &inode_it);
+
+    while (hash_node) {
+        if (realtime_update_watch(hash_node->key, hash_node->data) == 0) {
+            hash_node = OSHash_Begin(syscheck.realtime->dirtb, &inode_it);
+            continue;
+        }
+
+        hash_node = OSHash_Next(syscheck.realtime->dirtb, &inode_it, hash_node);
+    }
+
+    gettime(&end);
+    mdebug2("Time spent sanitizing wd hashmap: %.3f seconds", time_diff(&start, &end));
+
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    w_rwlock_unlock(&syscheck.directories_lock);
+}
+
+#elif defined(WIN32)
+
+void free_win32rtfim_data(win32rtfim *data);
+int realtime_win32read(win32rtfim *rtlocald);
+int fim_check_realtime_directory(win32rtfim *rtlocald);
+
+void CALLBACK RTCallBack(DWORD dwerror, DWORD dwBytes, LPOVERLAPPED overlap)
+{
+    int lcount;
+    size_t offset = 0;
+    char wdchar[260 + 1] = {0};
+    char final_path[MAX_LINE + 1];
+    win32rtfim *rtlocald;
+    PFILE_NOTIFY_INFORMATION pinfo;
+    TCHAR finalfile[MAX_PATH];
+
+    memset(final_path, '\0', MAX_LINE + 1);
+
+    if (dwerror != ERROR_SUCCESS) {
+        LPSTR messageBuffer = NULL;
+        LPSTR end;
+
+        FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, dwerror, 0, (LPTSTR) &messageBuffer, 0, NULL);
+
+        if (messageBuffer) {
+            if (end = strchr(messageBuffer, '\r'), end) {
+                *end = '\0';
+            }
+
+            merror(FIM_ERROR_REALTIME_WINDOWS_CALLBACK, messageBuffer, dwerror);
+            LocalFree(messageBuffer);
+        }
+        return;
+    }
+
+    /* Get hash to parse the data */
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    snprintf(wdchar, 260, "%s", (char*)overlap->hEvent);
+    rtlocald = OSHash_Get_ex(syscheck.realtime->dirtb, wdchar);
+    if (rtlocald == NULL) {
+        merror(FIM_ERROR_REALTIME_WINDOWS_CALLBACK_EMPTY);
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        w_rwlock_unlock(&syscheck.directories_lock);
+        return;
+    }
+
+    if(rtlocald->watch_status == FIM_RT_HANDLE_CLOSED) {
+        rtlocald = OSHash_Delete_ex(syscheck.realtime->dirtb, wdchar);
+        free_win32rtfim_data(rtlocald);
+        mdebug2(FIM_REALTIME_CALLBACK, wdchar);
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        w_rwlock_unlock(&syscheck.directories_lock);
+        return;
+    }
+
+    if (dwBytes) {
+
+        do {
+            pinfo = (PFILE_NOTIFY_INFORMATION) &rtlocald->buffer[offset];
+            offset += pinfo->NextEntryOffset;
+
+            lcount = WideCharToMultiByte(CP_ACP, 0, pinfo->FileName,
+                                         pinfo->FileNameLength / sizeof(WCHAR),
+                                         finalfile, MAX_PATH - 1, NULL, NULL);
+            finalfile[lcount] = TEXT('\0');
+
+            final_path[MAX_LINE] = '\0';
+
+            if (rtlocald->dir) {
+                if (rtlocald->dir[strlen(rtlocald->dir) - 1] == PATH_SEP) {
+                    snprintf(final_path, MAX_LINE, "%s%s",
+                            rtlocald->dir,
+                            finalfile);
+                } else {
+                    snprintf(final_path, MAX_LINE, "%s\\%s",
+                            rtlocald->dir,
+                            finalfile);
+                }
+            }
+            str_lowercase(final_path);
+
+            directory_t *index = fim_configuration_directory(wdchar);
+            directory_t *file_index = fim_configuration_directory(final_path);
+
+            if (index == file_index) {
+                /* Check the change */
+                fim_realtime_event(final_path);
+            }
+
+        } while (pinfo->NextEntryOffset != 0);
+    }
+    else {
+        mwarn(FIM_WARN_REALTIME_OVERFLOW);
+    }
+
+    realtime_win32read(rtlocald);
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    w_rwlock_unlock(&syscheck.directories_lock);
+    return;
+}
+
+void free_win32rtfim_data(win32rtfim *data) {
+    if (!data) return;
+    os_free(data->overlap.hEvent);
+    os_free(data->dir);
+    os_free(data);
+}
+
+static unsigned int _get_realtime_watches() {
+    if (syscheck.realtime != NULL) {
+        return OSHash_Get_Elem_ex(syscheck.realtime->dirtb);
+    }
+    return 0;
+}
+
+unsigned int get_realtime_watches() {
+    unsigned int n_elements = 0;
+
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    n_elements = _get_realtime_watches();
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+    return n_elements;
+}
+
+int realtime_start() {
+    os_calloc(1, sizeof(rtfim), syscheck.realtime);
+
+    syscheck.realtime->dirtb = OSHash_Create();
+    if (syscheck.realtime->dirtb == NULL) {
+        OSListNode *node_it;
+
+        merror(MEM_ERROR, errno, strerror(errno));
+
+        w_rwlock_wrlock(&syscheck.directories_lock);
+        OSList_foreach(node_it, syscheck.directories) {
+            directory_t *dir_it = (directory_t *)node_it->data;
+            if (dir_it->options & REALTIME_ACTIVE) {
+                dir_it->options &= ~ REALTIME_ACTIVE;
+                dir_it->options |= SCHEDULED_ACTIVE;
+            }
+        }
+        w_rwlock_unlock(&syscheck.directories_lock);
+        return(-1);
+    }
+    OSHash_SetFreeDataPointer(syscheck.realtime->dirtb, (void (*)(void *))free_win32rtfim_data);
+
+    syscheck.realtime->evt = CreateEvent(NULL, TRUE, FALSE, NULL);
+
+    return (0);
+}
+
+int realtime_win32read(win32rtfim *rtlocald)
+{
+    int rc;
+
+    rc = ReadDirectoryChangesW(rtlocald->h,
+                               rtlocald->buffer,
+                               sizeof(rtlocald->buffer) / sizeof(TCHAR),
+                               TRUE,
+                               FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_SIZE |
+                               FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_SECURITY,
+                               0,
+                               &rtlocald->overlap,
+                               RTCallBack);
+
+    return rc;
+}
+
+int realtime_adddir(const char *dir, directory_t *configuration) {
+    char wdchar[260 + 1];
+    win32rtfim *rtlocald;
+
+    assert(configuration != NULL);
+
+    if (FIM_MODE(configuration->options) == FIM_WHODATA) {
+#ifdef WIN_WHODATA
+
+        int type;
+
+        if (!syscheck.wdata.fd && whodata_audit_start()) {
+            merror_exit(FIM_CRITICAL_DATA_CREATE, "whodata file descriptors");
+        }
+
+        // This parameter is used to indicate if the file is going to be monitored in Whodata mode,
+        // regardless of it was checked in the initial configuration (WHODATA_ACTIVE in opts)
+        configuration->dirs_status.status |= WD_CHECK_WHODATA;
+        configuration->dirs_status.status &= ~WD_CHECK_REALTIME;
+
+        // Check if the file or directory exists
+        if (type = check_path_type(dir), type == 2) {
+            configuration->dirs_status.object_type = WD_STATUS_DIR_TYPE;
+            configuration->dirs_status.status |= WD_STATUS_EXISTS;
+        } else if (type == 1) {
+            configuration->dirs_status.object_type = WD_STATUS_FILE_TYPE;
+            configuration->dirs_status.status |= WD_STATUS_EXISTS;
+        } else {
+            mdebug2(FIM_WARN_REALTIME_OPENFAIL, dir);
+
+            configuration->dirs_status.object_type = WD_STATUS_UNK_TYPE;
+            configuration->dirs_status.status &= ~WD_STATUS_EXISTS;
+            return 0;
+        }
+
+        GetSystemTime(&configuration->dirs_status.last_check);
+        if (set_winsacl(dir, configuration)) {
+            merror(FIM_ERROR_WHODATA_ADD_DIRECTORY, dir);
+            return -2;
+        }
+
+        return 1;
+#endif
+    }
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+
+    /* Set key for hash */
+    wdchar[260] = '\0';
+    snprintf(wdchar, 260, "%s", dir);
+
+    rtlocald = OSHash_Get_ex(syscheck.realtime->dirtb, wdchar);
+    if(rtlocald != NULL) {
+        if (!w_directory_exists(rtlocald->dir)) {
+            if (rtlocald->watch_status == FIM_RT_HANDLE_CLOSED) {
+                mdebug2(FIM_REALTIME_CALLBACK, rtlocald->dir);
+                rtlocald = OSHash_Delete_ex(syscheck.realtime->dirtb, rtlocald->dir);
+                free_win32rtfim_data(rtlocald);
+            } else if (rtlocald->h != NULL && rtlocald->h != INVALID_HANDLE_VALUE) {
+                CloseHandle(rtlocald->h);
+                rtlocald->watch_status = FIM_RT_HANDLE_CLOSED;
+            }
+        }
+
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return 1;
+    }
+
+    /* Maximum limit for realtime on Windows */
+    if (_get_realtime_watches() >= syscheck.max_fd_win_rt) {
+        mdebug1(FIM_REALTIME_MAXNUM_WATCHES, dir);
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return 0;
+    }
+
+    os_calloc(1, sizeof(win32rtfim), rtlocald);
+
+    rtlocald->h = CreateFile(dir, FILE_LIST_DIRECTORY, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
+                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED, NULL);
+
+    if (rtlocald->h == INVALID_HANDLE_VALUE || rtlocald->h == NULL) {
+        os_free(rtlocald);
+        mdebug2(FIM_REALTIME_ADD, dir);
+
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return 0;
+    }
+
+    /* Add final elements to the hash */
+    os_strdup(dir, rtlocald->dir);
+    os_strdup(dir, rtlocald->overlap.hEvent);
+    rtlocald->watch_status = FIM_RT_HANDLE_OPEN;
+
+    /* Add directory to be monitored */
+    if(realtime_win32read(rtlocald) == 0) {
+        mdebug1(FIM_REALTIME_DIRECTORYCHANGES, rtlocald->dir);
+        free_win32rtfim_data(rtlocald);
+
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        return 0;
+    }
+
+    if (!OSHash_Add_ex(syscheck.realtime->dirtb, wdchar, rtlocald)) {
+        merror_exit(FIM_CRITICAL_ERROR_OUT_MEM);
+    }
+
+    mdebug2(FIM_REALTIME_NEWDIRECTORY, dir);
+
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    return 1;
+}
+
+void fim_realtime_delete_watches(__attribute__((unused)) const directory_t *configuration) {
+    return;
+}
+
+// LCOV_EXCL_START
+void realtime_sanitize_watch_map() {
+    return;
+}
+// LCOV_EXCL_STOP
+
+#else /* !WIN32 */
+
+int realtime_start() {
+    merror(FIM_ERROR_REALTIME_INITIALIZE);
+
+    return (0);
+}
+
+int realtime_adddir(__attribute__((unused)) const char *dir,
+                    __attribute__((unused)) directory_t *configuration) {
+    return (0);
+}
+
+void fim_realtime_delete_watches(__attribute__((unused)) const directory_t *configuration) {
+    return;
+}
+
+void realtime_process()
+{
+    return;
+}
+
+void realtime_sanitize_watch_map() {
+    return;
+}
+
+#endif /* WIN32 */
+
+int fim_realtime_get_queue_overflow() {
+    int retval;
+
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    if (syscheck.realtime != NULL) {
+        retval = syscheck.realtime->queue_overflow;
+    } else {
+        retval = 0;
+    }
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+    return retval;
+}
+
+void fim_realtime_set_queue_overflow(int value) {
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    if (syscheck.realtime != NULL) {
+        syscheck.realtime->queue_overflow = value;
+    }
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+}
+
+void fim_realtime_print_watches() {
+    w_mutex_lock(&syscheck.fim_realtime_mutex);
+    if (syscheck.realtime != NULL) {
+        mdebug2(FIM_NUM_WATCHES, OSHash_Get_Elem_ex(syscheck.realtime->dirtb));
+    }
+    w_mutex_unlock(&syscheck.fim_realtime_mutex);
+}
diff --git a/src/modules/fim/src/syscheck.c b/src/modules/fim/src/syscheck.c
new file mode 100644
index 0000000000..dccbaa2f1a
--- /dev/null
+++ b/src/modules/fim/src/syscheck.c
@@ -0,0 +1,314 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Syscheck
+ * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
+ */
+
+#include "shared.h"
+#include "syscheck.h"
+#include "../rootcheck/rootcheck.h"
+#include "db/include/db.h"
+#include "db/include/fimCommonDefs.h"
+// Global variables
+syscheck_config syscheck;
+int sys_debug_level;
+int audit_queue_full_reported = 0;
+
+#ifdef USE_MAGIC
+#include <magic.h>
+magic_t magic_cookie = 0;
+
+
+void init_magic(magic_t *cookie_ptr)
+{
+    if (!cookie_ptr || *cookie_ptr) {
+        return;
+    }
+
+    *cookie_ptr = magic_open(MAGIC_MIME_TYPE);
+
+    if (!*cookie_ptr) {
+        const char *err = magic_error(*cookie_ptr);
+        merror(FIM_ERROR_LIBMAGIC_START, err ? err : "unknown");
+    } else if (magic_load(*cookie_ptr, NULL) < 0) {
+        const char *err = magic_error(*cookie_ptr);
+        merror(FIM_ERROR_LIBMAGIC_LOAD, err ? err : "unknown");
+        magic_close(*cookie_ptr);
+        *cookie_ptr = 0;
+    }
+}
+#endif /* USE_MAGIC */
+
+/* Read syscheck internal options */
+void read_internal(int debug_level)
+{
+    syscheck.rt_delay = getDefine_Int("syscheck", "rt_delay", 0, 1000);
+    syscheck.max_depth = getDefine_Int("syscheck", "default_max_depth", 1, 320);
+    syscheck.file_max_size = (size_t)getDefine_Int("syscheck", "file_max_size", 0, 4095) * 1024 * 1024;
+    syscheck.sym_checker_interval = getDefine_Int("syscheck", "symlink_scan_interval", 1, 2592000);
+
+#ifndef WIN32
+    syscheck.max_audit_entries = getDefine_Int("syscheck", "max_audit_entries", 1, 4096);
+#endif
+    sys_debug_level = getDefine_Int("syscheck", "debug", 0, 2);
+
+    /* Check current debug_level
+     * Command line setting takes precedence
+     */
+    if (debug_level == 0) {
+        int debug_level = sys_debug_level;
+        while (debug_level != 0) {
+            nowDebug();
+            debug_level--;
+        }
+    }
+
+    return;
+}
+
+
+void fim_initialize() {
+    // Create store data
+#ifndef WIN32
+    FIMDBErrorCode ret_val = fim_db_init(syscheck.database_store,
+                                         syscheck.sync_interval,
+                                         syscheck.sync_max_interval,
+                                         syscheck.sync_response_timeout,
+                                         fim_send_sync_state,
+                                         loggingFunction,
+                                         syscheck.file_entry_limit,
+                                         0,
+                                         false,
+                                         syscheck.sync_thread_pool,
+                                         syscheck.sync_queue_size,
+                                         NULL,
+                                         NULL);
+#else
+    FIMDBErrorCode ret_val = fim_db_init(syscheck.database_store,
+                                         syscheck.sync_interval,
+                                         syscheck.sync_max_interval,
+                                         syscheck.sync_response_timeout,
+                                         fim_send_sync_state,
+                                         loggingFunction,
+                                         syscheck.file_entry_limit,
+                                         syscheck.db_entry_registry_limit,
+                                         syscheck.enable_registry_synchronization,
+                                         syscheck.sync_thread_pool,
+                                         syscheck.sync_queue_size,
+                                         loggingErrorFunction,
+                                         loggingErrorFunction);
+#endif
+
+    if (ret_val != FIMDB_OK) {
+        merror_exit("Unable to initialize database.");
+    }
+
+    w_rwlock_init(&syscheck.directories_lock, NULL);
+    w_mutex_init(&syscheck.fim_scan_mutex, NULL);
+    w_mutex_init(&syscheck.fim_realtime_mutex, NULL);
+#ifndef WIN32
+    w_mutex_init(&syscheck.fim_symlink_mutex, NULL)
+#endif
+}
+
+
+#ifdef WIN32
+/* syscheck main for Windows */
+int Start_win32_Syscheck() {
+    int debug_level = 0;
+    int r = 0;
+    char *cfg = OSSECCONF;
+    OSListNode *node_it;
+
+    /* Read internal options */
+    read_internal(debug_level);
+
+    /* Check if the configuration is present */
+    if (File_DateofChange(cfg) < 0) {
+        merror_exit(NO_CONFIG, cfg);
+    }
+
+    /* Read syscheck config */
+    if ((r = Read_Syscheck_Config(cfg)) < 0) {
+        mwarn(RCONFIG_ERROR, SYSCHECK, cfg);
+        syscheck.disabled = 1;
+    } else if ((r == 1) || (syscheck.disabled == 1)) {
+        /* Disabled */
+        minfo(FIM_DIRECTORY_NOPROVIDED);
+
+        // Free directories list
+        OSList_foreach(node_it, syscheck.directories) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_CleanNodes(syscheck.directories);
+
+        if (!syscheck.ignore) {
+            os_calloc(1, sizeof(char *), syscheck.ignore);
+        } else {
+            os_free(syscheck.ignore[0]);
+        }
+
+        if (!syscheck.registry) {
+            dump_syscheck_registry(&syscheck, "", 0, NULL, NULL,  0, NULL, 0, -1);
+        }
+        os_free(syscheck.registry[0].entry);
+
+        minfo(FIM_DISABLED);
+    }
+
+    /* Rootcheck config */
+    if (rootcheck_init(0) == 0) {
+        syscheck.rootcheck = 1;
+    } else {
+        syscheck.rootcheck = 0;
+    }
+
+    if (!syscheck.disabled) {
+        directory_t *dir_it;
+        OSListNode *node_it;
+#ifndef WIN_WHODATA
+        int whodata_notification = 0;
+        /* Remove whodata attributes */
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            if (dir_it->options & WHODATA_ACTIVE) {
+                if (!whodata_notification) {
+                    whodata_notification = 1;
+                    minfo(FIM_REALTIME_INCOMPATIBLE);
+                }
+                dir_it->options &= ~WHODATA_ACTIVE;
+                dir_it->options |= REALTIME_ACTIVE;
+            }
+        }
+#endif
+
+        /* Print options */
+        r = 0;
+        // TODO: allow sha256 sum on registries
+        while (syscheck.registry[r].entry != NULL) {
+            char optstr[1024];
+            minfo(FIM_MONITORING_REGISTRY, syscheck.registry[r].entry,
+                  syscheck.registry[r].arch == ARCH_64BIT ? " [x64]" : "",
+                  syscheck_opts2str(optstr, sizeof(optstr), syscheck.registry[r].opts));
+            if (syscheck.file_size_enabled){
+                mdebug1(FIM_DIFF_FILE_SIZE_LIMIT, syscheck.registry[r].diff_size_limit, syscheck.registry[r].entry);
+            }
+            r++;
+        }
+
+        /* Print directories to be monitored */
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            char optstr[ 1024 ];
+
+            minfo(FIM_MONITORING_DIRECTORY, dir_it->path, syscheck_opts2str(optstr, sizeof(optstr), dir_it->options));
+
+            if (dir_it->tag != NULL) {
+                mdebug2(FIM_TAG_ADDED, dir_it->tag, dir_it->path);
+            }
+
+            // Print diff file size limit
+            if ((dir_it->options & CHECK_SEECHANGES) && syscheck.file_size_enabled) {
+                mdebug2(FIM_DIFF_FILE_SIZE_LIMIT, dir_it->diff_size_limit, dir_it->path);
+            }
+        }
+
+        if (!syscheck.file_size_enabled) {
+            minfo(FIM_FILE_SIZE_LIMIT_DISABLED);
+        }
+
+        // Print maximum disk quota to be used by the queue\diff\local folder
+        if (syscheck.disk_quota_enabled) {
+            mdebug2(FIM_DISK_QUOTA_LIMIT, syscheck.disk_quota_limit);
+        }
+        else {
+            minfo(FIM_DISK_QUOTA_LIMIT_DISABLED);
+        }
+
+        /* Print ignores. */
+        if(syscheck.ignore)
+            for (r = 0; syscheck.ignore[r] != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_ENTRY, "file", syscheck.ignore[r]);
+
+        /* Print sregex ignores. */
+        if(syscheck.ignore_regex)
+            for (r = 0; syscheck.ignore_regex[r] != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_SREGEX, "file", syscheck.ignore_regex[r]->raw);
+
+        /* Print registry ignores. */
+        if(syscheck.key_ignore)
+            for (r = 0; syscheck.key_ignore[r].entry != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_ENTRY, "registry", syscheck.key_ignore[r].entry);
+
+        /* Print sregex registry ignores. */
+        if(syscheck.key_ignore_regex)
+            for (r = 0; syscheck.key_ignore_regex[r].regex != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_SREGEX, "registry", syscheck.key_ignore_regex[r].regex->raw);
+
+        if(syscheck.value_ignore)
+            for (r = 0; syscheck.value_ignore[r].entry != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_ENTRY, "value", syscheck.value_ignore[r].entry);
+
+        /* Print sregex registry ignores. */
+        if(syscheck.value_ignore_regex)
+            for (r = 0; syscheck.value_ignore_regex[r].regex != NULL; r++)
+                minfo(FIM_PRINT_IGNORE_SREGEX, "value", syscheck.value_ignore_regex[r].regex->raw);
+
+        /* Print registry values with nodiff. */
+        if(syscheck.registry_nodiff)
+            for (r = 0; syscheck.registry_nodiff[r].entry != NULL; r++)
+                minfo(FIM_NO_DIFF_REGISTRY, "registry value", syscheck.registry_nodiff[r].entry);
+
+        /* Print sregex registry values with nodiff. */
+        if(syscheck.registry_nodiff_regex)
+            for (r = 0; syscheck.registry_nodiff_regex[r].regex != NULL; r++)
+                minfo(FIM_NO_DIFF_REGISTRY, "registry sregex", syscheck.registry_nodiff_regex[r].regex->raw);
+
+        /* Print files with no diff. */
+        if (syscheck.nodiff){
+            r = 0;
+            while (syscheck.nodiff[r] != NULL) {
+                minfo(FIM_NO_DIFF, syscheck.nodiff[r]);
+                r++;
+            }
+        }
+
+        /* Start up message */
+        minfo(STARTUP_MSG, getpid());
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            if (dir_it->options & REALTIME_ACTIVE) {
+                realtime_start();
+                break;
+            }
+        }
+
+        if (syscheck.realtime == NULL) {
+            // Check if a wildcard might require realtime later
+            OSList_foreach(node_it, syscheck.wildcards) {
+                dir_it = node_it->data;
+                if (dir_it->options & REALTIME_ACTIVE) {
+                    realtime_start();
+                    break;
+                }
+            }
+        }
+    }
+
+    /* Some sync time */
+    fim_initialize();
+
+    start_daemon();
+
+    return 0;
+}
+#endif /* WIN32 */
diff --git a/src/modules/fim/src/syscom.c b/src/modules/fim/src/syscom.c
new file mode 100644
index 0000000000..affe0c7b3d
--- /dev/null
+++ b/src/modules/fim/src/syscom.c
@@ -0,0 +1,207 @@
+/* Remote request listener
+ * Copyright (C) 2015, Wazuh Inc.
+ * Mar 14, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+#include "syscheck.h"
+#include "../rootcheck/rootcheck.h"
+#include "../os_net/os_net.h"
+#include "../wazuh_modules/wmodules.h"
+#include "db/include/db.h"
+
+#ifdef WAZUH_UNIT_TESTING
+/* Replace assert with mock_assert */
+extern void mock_assert(const int result, const char* const expression,
+                        const char * const file, const int line);
+#undef assert
+#define assert(expression) \
+    mock_assert((int)(expression), #expression, __FILE__, __LINE__);
+#endif
+
+
+size_t syscom_getconfig(const char * section, char ** output) {
+    assert(section != NULL);
+    assert(output != NULL);
+
+    cJSON *cfg;
+    char *json_str;
+
+    if (strcmp(section, "syscheck") == 0){
+        if (cfg = getSyscheckConfig(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "rootcheck") == 0){
+        if (cfg = getRootcheckConfig(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "internal") == 0){
+        if (cfg = getSyscheckInternalOptions(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else {
+        goto error;
+    }
+error:
+    mdebug1(FIM_SYSCOM_FAIL_GETCONFIG, section);
+    os_strdup("err Could not get requested section", *output);
+    return strlen(*output);
+}
+
+size_t syscom_dispatch(char * command, char ** output){
+    assert(command != NULL);
+    assert(output != NULL);
+
+    if (strncmp(command, HC_FIM_FILE, strlen(HC_FIM_FILE)) == 0
+        || strncmp(command, HC_FIM_REGISTRY, strlen(HC_FIM_REGISTRY)) == 0
+        || strncmp(command, HC_FIM_REGISTRY_KEY, strlen(HC_FIM_REGISTRY_KEY)) == 0
+        || strncmp(command, HC_FIM_REGISTRY_VALUE, strlen(HC_FIM_REGISTRY_VALUE)) == 0) {
+
+        fim_sync_push_msg(command);
+        return 0;
+    } else if (strncmp(command, HC_SK, strlen(HC_SK)) == 0 ||
+               strncmp(command, HC_GETCONFIG, strlen(HC_GETCONFIG)) == 0 ||
+               strncmp(command, HC_RESTART, strlen(HC_RESTART)) == 0) {
+        char *rcv_comm = NULL;
+        char *rcv_args = NULL;
+
+        if (strncmp(command, HC_SK, strlen(HC_SK)) == 0) {
+            rcv_comm = command + strlen(HC_SK);
+        } else {
+            rcv_comm = command;
+        }
+
+        if ((rcv_args = strchr(rcv_comm, ' '))){
+            *rcv_args = '\0';
+            rcv_args++;
+        }
+
+        if (strcmp(rcv_comm, "getconfig") == 0){
+            // getconfig section
+            if (!rcv_args){
+                mdebug1(FIM_SYSCOM_ARGUMENTS, "getconfig");
+                os_strdup("err SYSCOM getconfig needs arguments", *output);
+                return strlen(*output);
+            }
+            return syscom_getconfig(rcv_args, output);
+        } else if (strcmp(rcv_comm, "restart") == 0) {
+            os_set_restart_syscheck();
+            return 0;
+        }
+    }
+
+    mdebug1(FIM_SYSCOM_UNRECOGNIZED_COMMAND, command);
+    os_strdup("err Unrecognized command", *output);
+    return strlen(*output);
+}
+
+// LCOV_EXCL_START
+#ifndef WIN32
+void * syscom_main(__attribute__((unused)) void * arg) {
+    int sock;
+    int peer;
+    char *buffer = NULL;
+    char *response = NULL;
+    ssize_t length;
+    fd_set fdset;
+
+    mdebug1(FIM_SYSCOM_REQUEST_READY);
+
+    if (sock = OS_BindUnixDomain(SYS_LOCAL_SOCK, SOCK_STREAM, OS_MAXSTR), sock < 0) {
+        merror(FIM_ERROR_SYSCOM_BIND_SOCKET, SYS_LOCAL_SOCK, errno, strerror(errno));
+        return NULL;
+    }
+
+    while (1) {
+
+        // Wait for socket
+        FD_ZERO(&fdset);
+        FD_SET(sock, &fdset);
+
+        switch (select(sock + 1, &fdset, NULL, NULL, NULL)) {
+        case -1:
+            if (errno != EINTR) {
+                merror_exit(FIM_CRITICAL_ERROR_SELECT, "syscom_main()", strerror(errno));
+            }
+
+            continue;
+
+        case 0:
+            continue;
+        }
+
+        if (peer = accept(sock, NULL, NULL), peer < 0) {
+            if (errno != EINTR) {
+                merror(FIM_ERROR_SYSCOM_ACCEPT, strerror(errno));
+            }
+
+            continue;
+        }
+
+        os_calloc(OS_MAXSTR, sizeof(char), buffer);
+        switch (length = OS_RecvSecureTCP(peer, buffer,OS_MAXSTR), length) {
+        case OS_SOCKTERR:
+            merror(FIM_ERROR_SYSCOM_RECV_TOOLONG);
+            break;
+
+        case -1:
+            merror(FIM_ERROR_SYSCOM_RECV, strerror(errno));
+            break;
+
+        case 0:
+            mdebug1(FIM_SYSCOM_EMPTY_MESSAGE);
+            close(peer);
+            break;
+
+        case OS_MAXLEN:
+            merror(FIM_ERROR_SYSCOM_RECV_MAXLEN, MAX_DYN_STR);
+            close(peer);
+            break;
+
+        default:
+            length = syscom_dispatch(buffer, &response);
+
+            if (length > 0) {
+                OS_SendSecureTCP(peer, length, response);
+            }
+            os_free(response);
+
+            close(peer);
+        }
+        free(buffer);
+    }
+
+    mdebug1(FIM_SYSCOM_THREAD_FINISED);
+
+    close(sock);
+    return NULL;
+}
+
+#endif
+// LCOV_EXCL_STOP
diff --git a/src/modules/fim/src/whodata/audit_healthcheck.c b/src/modules/fim/src/whodata/audit_healthcheck.c
new file mode 100644
index 0000000000..e863ce1474
--- /dev/null
+++ b/src/modules/fim/src/whodata/audit_healthcheck.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef __linux__
+#ifdef ENABLE_AUDIT
+#include "syscheck_audit.h"
+
+atomic_int_t audit_health_check_creation = ATOMIC_INT_INITIALIZER(0);
+atomic_int_t hc_thread_active = ATOMIC_INT_INITIALIZER(0);
+
+pthread_mutex_t audit_hc_mutex;
+pthread_cond_t audit_hc_cond;
+
+
+// Audit healthcheck before starting the main thread
+int audit_health_check(int audit_socket) {
+    int retval = -1;
+    unsigned int timer = 10;
+    char abs_path_healthcheck[PATH_MAX] = {'\0'};
+    char abs_path_healthcheck_file[PATH_MAX] = {'\0'};
+    FILE *fp = NULL;
+    struct timespec wait_time = {0, 0};
+
+    w_mutex_init(&audit_hc_mutex, NULL);
+
+    // Audit needs an absolute path to add rules
+    abspath(AUDIT_HEALTHCHECK_DIR, abs_path_healthcheck, PATH_MAX);
+    abspath(AUDIT_HEALTHCHECK_FILE, abs_path_healthcheck_file, PATH_MAX);
+
+    retval = audit_add_rule(abs_path_healthcheck, WHODATA_PERMS, AUDIT_HEALTHCHECK_KEY);
+    if (retval <= 0 && retval != -EEXIST) {
+        mdebug1(FIM_AUDIT_HEALTHCHECK_RULE);
+        return -1;
+    }
+
+    mdebug1(FIM_AUDIT_HEALTHCHECK_START);
+
+    w_cond_init(&audit_hc_cond, NULL);
+
+    // Start reading thread
+    w_create_thread(audit_healthcheck_thread, &audit_socket);
+
+    w_mutex_lock(&audit_hc_mutex);
+    while (atomic_int_get(&hc_thread_active) == 0) {
+        w_cond_wait(&audit_hc_cond, &audit_hc_mutex);
+    }
+
+    w_mutex_unlock(&audit_hc_mutex);
+
+    // Generate open events until they get picked up
+    do {
+        fp = wfopen(abs_path_healthcheck_file, "w");
+
+        if (!fp) {
+            mdebug1(FIM_AUDIT_HEALTHCHECK_FILE);
+        } else {
+            fclose(fp);
+        }
+
+        sleep(1);
+    } while (atomic_int_get(&audit_health_check_creation) == 0 && --timer > 0);
+
+    if (atomic_int_get(&audit_health_check_creation) == 0) {
+        // The healthcheck creation event hasn't been triggered
+        mdebug1(FIM_HEALTHCHECK_CREATE_ERROR);
+        retval = -1;
+    } else {
+        mdebug1(FIM_HEALTHCHECK_SUCCESS);
+        retval = 0;
+    }
+
+    // Delete that file
+    unlink(abs_path_healthcheck_file);
+
+    if (audit_delete_rule(abs_path_healthcheck, WHODATA_PERMS, AUDIT_HEALTHCHECK_KEY) <= 0) {
+        mdebug1(FIM_HEALTHCHECK_CHECK_RULE); // LCOV_EXCL_LINE
+    }
+    atomic_int_set(&hc_thread_active, 0);
+
+    // Lock this thread (with 5 seconds timeout) until the healthcheck thread has ended.
+    w_mutex_lock(&audit_hc_mutex);
+    gettime(&wait_time);
+    wait_time.tv_sec += 5;
+    pthread_cond_timedwait(&audit_hc_cond, &audit_hc_mutex, &wait_time);
+    w_mutex_unlock(&audit_hc_mutex);
+
+    return retval;
+}
+
+// LCOV_EXCL_START
+void *audit_healthcheck_thread(int *audit_sock) {
+    w_mutex_lock(&audit_hc_mutex);
+    atomic_int_set(&hc_thread_active, 1);
+    w_cond_signal(&audit_hc_cond);
+    w_mutex_unlock(&audit_hc_mutex);
+
+    mdebug2(FIM_HEALTHCHECK_THREAD_ACTIVE);
+
+    audit_read_events(audit_sock, &hc_thread_active);
+
+    mdebug2(FIM_HEALTHCHECK_THREAD_FINISHED);
+
+    w_mutex_lock(&audit_hc_mutex);
+    w_cond_signal(&audit_hc_cond);
+    w_mutex_unlock(&audit_hc_mutex);
+
+    return NULL;
+}
+// LCOV_EXCL_STOP
+
+#endif // ENABLE_AUDIT
+#endif // __linux__
diff --git a/src/modules/fim/src/whodata/audit_parse.c b/src/modules/fim/src/whodata/audit_parse.c
new file mode 100644
index 0000000000..3f08cc60bb
--- /dev/null
+++ b/src/modules/fim/src/whodata/audit_parse.c
@@ -0,0 +1,990 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef __linux__
+#include "syscheck_audit.h"
+
+#define AUDIT_LOAD_RETRIES 5 // Max retries to reload Audit rules
+
+#ifdef ENABLE_AUDIT
+
+#ifndef WAZUH_UNIT_TESTING
+#define STATIC static
+#else
+#define STATIC
+#endif
+
+static regex_t regexCompiled_uid;
+static regex_t regexCompiled_pid;
+static regex_t regexCompiled_ppid;
+static regex_t regexCompiled_gid;
+static regex_t regexCompiled_auid;
+static regex_t regexCompiled_euid;
+
+static regex_t regexCompiled_cwd;
+static regex_t regexCompiled_pname;
+static regex_t regexCompiled_path0;
+static regex_t regexCompiled_path1;
+static regex_t regexCompiled_path2;
+static regex_t regexCompiled_path3;
+static regex_t regexCompiled_path4;
+
+static regex_t regexCompiled_cwd_hex;
+static regex_t regexCompiled_pname_hex;
+static regex_t regexCompiled_path0_hex;
+static regex_t regexCompiled_path1_hex;
+static regex_t regexCompiled_path2_hex;
+static regex_t regexCompiled_path3_hex;
+static regex_t regexCompiled_path4_hex;
+
+static regex_t regexCompiled_items;
+static regex_t regexCompiled_inode;
+static regex_t regexCompiled_dir;
+static regex_t regexCompiled_dir_hex;
+static regex_t regexCompiled_syscall;
+static regex_t regexCompiled_dev;
+
+// Initialize regular expressions
+int init_regex(void) {
+
+    static const char *pattern_uid = " uid=([0-9]*) ";
+    if (regcomp(&regexCompiled_uid, pattern_uid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "uid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_gid = " gid=([0-9]*) ";
+    if (regcomp(&regexCompiled_gid, pattern_gid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "gid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_auid = " auid=([0-9]*) ";
+    if (regcomp(&regexCompiled_auid, pattern_auid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "auid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_euid = " euid=([0-9]*) ";
+    if (regcomp(&regexCompiled_euid, pattern_euid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "euid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_pid = " pid=([0-9]*) ";
+    if (regcomp(&regexCompiled_pid, pattern_pid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "pid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_ppid = " ppid=([0-9]*) ";
+    if (regcomp(&regexCompiled_ppid, pattern_ppid, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "ppid"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_inode = " item=[0-9] name=.* inode=([0-9]*)";
+    if (regcomp(&regexCompiled_inode, pattern_inode, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "inode"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_items = " items=([0-9]*) ";
+    if (regcomp(&regexCompiled_items, pattern_items, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "items"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_syscall = " syscall=([0-9]*)";
+    if (regcomp(&regexCompiled_syscall, pattern_syscall, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "syscall"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_pname = " exe=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_pname, pattern_pname, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "pname"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_cwd = " cwd=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_cwd, pattern_cwd, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "cwd"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_dir = " dir=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_dir, pattern_dir, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "dir"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path0 = " item=0 name=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_path0, pattern_path0, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path0"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_path1 = " item=1 name=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_path1, pattern_path1, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path1"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_path2 = " item=2 name=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_path2, pattern_path2, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path2"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_path3 = " item=3 name=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_path3, pattern_path3, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path3"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_path4 = " item=4 name=\"([^ ]*)\"";
+    if (regcomp(&regexCompiled_path4, pattern_path4, REG_EXTENDED)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path4"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_pname_hex = " exe=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_pname_hex, pattern_pname_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "pname_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_cwd_hex = " cwd=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_cwd_hex, pattern_cwd_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "cwd_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_dir_hex = " dir=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_dir_hex, pattern_dir_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "dir_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path0_hex = " item=0 name=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_path0_hex, pattern_path0_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path0_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path1_hex = " item=1 name=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_path1_hex, pattern_path1_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path1_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path2_hex = " item=2 name=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_path2_hex, pattern_path2_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path2_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path3_hex = " item=3 name=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_path3_hex, pattern_path3_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path3_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    static const char *pattern_path4_hex = " item=4 name=([A-F0-9]*)";
+    if (regcomp(&regexCompiled_path4_hex, pattern_path4_hex, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "path4_hex"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    static const char *pattern_dev = " dev=([A-F0-9]*:[A-F0-9]*)";
+    if (regcomp(&regexCompiled_dev, pattern_dev, REG_EXTENDED | REG_ICASE)) {
+        merror(FIM_ERROR_WHODATA_COMPILE_REGEX, "dev"); // LCOV_EXCL_LINE
+        return -1; // LCOV_EXCL_LINE
+    }
+    return 0;
+}
+
+void clean_regex() {
+    static int freed = 0;
+
+    if (freed) { // Prevent double free
+        return;
+    }
+
+    regfree(&regexCompiled_uid);
+    regfree(&regexCompiled_gid);
+    regfree(&regexCompiled_auid);
+    regfree(&regexCompiled_euid);
+    regfree(&regexCompiled_pid);
+    regfree(&regexCompiled_ppid);
+    regfree(&regexCompiled_inode);
+    regfree(&regexCompiled_items);
+    regfree(&regexCompiled_syscall);
+    regfree(&regexCompiled_pname);
+    regfree(&regexCompiled_cwd);
+    regfree(&regexCompiled_dir);
+    regfree(&regexCompiled_path0);
+    regfree(&regexCompiled_path1);
+    regfree(&regexCompiled_path2);
+    regfree(&regexCompiled_path3);
+    regfree(&regexCompiled_path4);
+
+    regfree(&regexCompiled_pname_hex);
+    regfree(&regexCompiled_cwd_hex);
+    regfree(&regexCompiled_dir_hex);
+    regfree(&regexCompiled_path0_hex);
+    regfree(&regexCompiled_path1_hex);
+    regfree(&regexCompiled_path2_hex);
+    regfree(&regexCompiled_path3_hex);
+    regfree(&regexCompiled_path4_hex);
+    regfree(&regexCompiled_dev);
+
+    freed = 1;
+}
+
+/**
+ * @brief Looks for a specific field in an audit event.
+ *
+ * @param buffer Audit message.
+ * @param key Audit field to look for
+ * @return Value of the field specified in key.
+ */
+STATIC char *get_audit_field(const char *buffer, const char *key) {
+    char *value = NULL;
+    char *start = NULL;
+    char *ascii_value = NULL;
+    int is_hex_buffer = 1;
+    int limiter_pos = 0;
+    int key_length = strlen(key);
+
+    // Find the key
+    for (start = strstr(buffer, key); start != NULL; start = strstr(start + 1, key)) {
+        if (start[key_length] != '=') {
+            continue;
+        }
+        // Check if the there is a field that matches `key` argument.
+        if (start == buffer || *(start - 1) == ' ' || *(start - 1) == '\n') {
+            break;
+        }
+    }
+
+    if (start == NULL) {
+        return NULL;
+    }
+
+    start += key_length + 1;
+
+    if (*start == '"') {
+        is_hex_buffer = 0;
+        start++;
+    }
+
+    // The key can be limited by one of these three characters
+    if (limiter_pos = strcspn(start, "\n\035 \""), limiter_pos == 0) {
+        return NULL;
+    }
+
+    os_calloc(limiter_pos + 1, sizeof(char), value);
+    strncpy(value, start, limiter_pos);
+
+    if (is_hex_buffer) {
+        ascii_value = decode_hex_buffer_2_ascii_buffer(value, limiter_pos);
+        free(value);
+        return ascii_value;
+    }
+
+    return value;
+}
+
+/**
+ * @brief Scans the buffer for a valid audit key (AUDIT_KEY, AUDIT_HC_KEY or a user configured key)
+ *
+ * @param buffer Audit message being scanned.
+ * @return Type of key.
+ * @retval FIM_AUDIT_UNKNOWN_KEY if the key is unknown.
+ * @retval FIM_AUDIT_KEY if the key of the event is AUDIT_KEY.
+ * @retval FIM_AUDIT_HC_KEY if the key of the event is AUDIT_HEALTHCHECK_KEY.
+ * @retval FIM_AUDIT_CUSTOM_KEY if the key of the event is configured using the audit_key option.
+ */
+STATIC audit_key_type filterkey_audit_events(const char *buffer) {
+    char *save_ptr = NULL;
+    char *full_key = NULL;
+    char *key = NULL;
+    int i;
+
+    // Find the key
+    if (full_key = get_audit_field(buffer, "key"), full_key == NULL) {
+        return FIM_AUDIT_UNKNOWN_KEY;
+    }
+
+    for (key = strtok_r(full_key, "\001", &save_ptr); key != NULL; key = strtok_r(NULL, "\001", &save_ptr)) {
+        if (*key == '\0') {
+            continue;
+        }
+
+        if (strcmp(key, AUDIT_KEY) == 0) {
+            mdebug2(FIM_AUDIT_MATCH_KEY, full_key);
+            free(full_key);
+            return FIM_AUDIT_KEY;
+        }
+
+        if (strcmp(key, AUDIT_HEALTHCHECK_KEY) == 0) {
+            mdebug2(FIM_AUDIT_MATCH_KEY, full_key);
+            free(full_key);
+            return FIM_AUDIT_HC_KEY;
+        }
+
+        for (i = 0; syscheck.audit_key[i]; i++) {
+            if (strcmp(key, syscheck.audit_key[i]) == 0) {
+                mdebug2(FIM_AUDIT_MATCH_KEY, key);
+                free(full_key);
+                return FIM_AUDIT_CUSTOM_KEY;
+            }
+        }
+    }
+
+    free(full_key);
+    return FIM_AUDIT_UNKNOWN_KEY;
+}
+
+
+char *gen_audit_path(char *cwd, char *path0, char *path1) {
+
+    char *gen_path = NULL;
+
+    if (path0 && cwd) {
+        if (path1) {
+            if (path1[0] == '/') {
+                gen_path = strdup(path1);
+            } else if (path1[0] == '.' && path1[1] == '/') {
+                char *full_path;
+                os_malloc(strlen(cwd) + strlen(path1) + 2, full_path);
+                snprintf(full_path, strlen(cwd) + strlen(path1) + 2, "%s/%s", cwd, (path1 + 2));
+                gen_path = strdup(full_path);
+                free(full_path);
+            } else if (path1[0] == '.' && path1[1] == '.' && path1[2] == '/') {
+                gen_path = audit_clean_path(cwd, path1);
+            } else if (strlen(cwd) == 1) {
+                os_malloc(strlen(cwd) + strlen(path1) + 2, gen_path);
+                snprintf(gen_path, strlen(cwd) + strlen(path1) + 2, "%s%s", cwd, path1);
+            } else if (strncmp(path0, path1, strlen(path0)) == 0) {
+                os_malloc(strlen(cwd) + strlen(path1) + 2, gen_path);
+                snprintf(gen_path, strlen(cwd) + strlen(path1) + 2, "%s/%s", cwd, path1);
+            } else {
+                char *full_path;
+                os_malloc(strlen(path0) + strlen(path1) + 2, full_path);
+                snprintf(full_path, strlen(path0) + strlen(path1) + 2, "%s/%s", path0, path1);
+                gen_path = strdup(full_path);
+                free(full_path);
+            }
+        } else {
+            if (path0[0] == '/') {
+                gen_path = strdup(path0);
+            } else if (path0[0] == '.' && path0[1] == '/') {
+                char *full_path;
+                os_malloc(strlen(cwd) + strlen(path0) + 2, full_path);
+                snprintf(full_path, strlen(cwd) + strlen(path0) + 2, "%s/%s", cwd, (path0 + 2));
+                gen_path = strdup(full_path);
+                free(full_path);
+            } else if (path0[0] == '.' && path0[1] == '.' && path0[2] == '/') {
+                gen_path = audit_clean_path(cwd, path0);
+            } else {
+                os_malloc(strlen(cwd) + strlen(path0) + 2, gen_path);
+                snprintf(gen_path, strlen(cwd) + strlen(path0) + 2, "%s/%s", cwd, path0);
+            }
+        }
+    }
+    return gen_path;
+}
+
+
+void get_parent_process_info(char *ppid, char **const parent_name, char **const parent_cwd) {
+
+    char *slinkexe = NULL;
+    char *slinkcwd = NULL;
+    int tam_slink = strlen(ppid) + 11;
+    int tam_ppname = 0;
+    int tam_pcwd = 0;
+
+    os_malloc(tam_slink, slinkexe);
+    os_malloc(tam_slink, slinkcwd);
+
+    snprintf(slinkexe, tam_slink, "/proc/%s/exe", ppid);
+    snprintf(slinkcwd, tam_slink, "/proc/%s/cwd", ppid);
+
+    if (tam_ppname = readlink(slinkexe, *parent_name, OS_FLSIZE), tam_ppname < 0) {
+        mdebug1("Failure to obtain the name of the process: '%s'. Error: %s", ppid, strerror(errno));
+        parent_name[0][0] = '\0';
+    } else {
+        parent_name[0][tam_ppname] = '\0';
+    }
+
+    if (tam_pcwd = readlink(slinkcwd, *parent_cwd, OS_FLSIZE), tam_pcwd < 0) {
+        mdebug1("Failure to obtain the cwd of the process: '%s'. Error: %s", ppid, strerror(errno));
+        parent_cwd[0][0] = '\0';
+    } else {
+        parent_cwd[0][tam_pcwd] = '\0';
+    }
+
+    os_free(slinkexe);
+    os_free(slinkcwd);
+}
+
+
+// Extract id: node=... type=CWD msg=audit(1529332881.955:3867): cwd="..."
+char *audit_get_id(const char *event) {
+    char *begin;
+    char *end;
+    char *id;
+    size_t len;
+
+    if (begin = strstr(event, "msg=audit("), !begin) {
+        return NULL;
+    }
+
+    begin += 10;
+
+    if (end = strchr(begin, ')'), !end) {
+        return NULL;
+    }
+
+    len = end - begin;
+    os_malloc(len + 1, id);
+    memcpy(id, begin, len);
+    id[len] = '\0';
+    return id;
+}
+
+
+void audit_parse(char *buffer) {
+    static int auid_err_reported = 0;
+    char *psuccess;
+    char *pconfig;
+    char *pdelete;
+    char *endptr = NULL;
+    regmatch_t match[2];
+    int match_size;
+    char *path0 = NULL;
+    char *path1 = NULL;
+    char *path2 = NULL;
+    char *path3 = NULL;
+    char *path4 = NULL;
+    char *file_path = NULL;
+    char *dev = NULL;
+    whodata_evt *w_evt;
+    unsigned int items = 0;
+    audit_key_type filter_key;
+
+    // Checks if the key obtained is one of those configured to monitor
+    filter_key = filterkey_audit_events(buffer);
+
+    switch (filter_key) {
+    case FIM_AUDIT_KEY:
+        if ((pconfig = strstr(buffer, "type=CONFIG_CHANGE"), pconfig) &&
+            ((pdelete = strstr(buffer, "op=remove_rule"), pdelete) ||
+             (pdelete = strstr(buffer, "op=\"remove_rule\""), pdelete))) { // Detect rules modification.
+
+            // Filter rule removed
+            char *p_dir = NULL;
+            if (regexec(&regexCompiled_dir, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_calloc(1, match_size + 1, p_dir);
+                snprintf(p_dir, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            }
+
+
+            else if (regexec(&regexCompiled_dir_hex, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                if (decoded_buffer) {
+                    const int decoded_length = match_size / 2;
+                    os_malloc(decoded_length + 1, p_dir);
+                    snprintf(p_dir, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                    os_free(decoded_buffer);
+                } else {
+                    merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                }
+            }
+
+            if (p_dir && *p_dir != '\0') {
+                minfo(FIM_AUDIT_REMOVE_RULE, p_dir);
+                // Send alert
+                char msg_alert[512 + 1];
+                snprintf(msg_alert, 512, "ossec: Audit: Monitored directory was removed: Audit rule removed");
+                SendMSG(syscheck.queue, msg_alert, "syscheck", LOCALFILE_MQ);
+            } else if (fim_manipulated_audit_rules() == 0) {
+                // If the manipulation wasn't done by syscheck, increase the number of retries
+                mwarn(FIM_WARN_AUDIT_RULES_MODIFIED);
+                // Send alert
+                char msg_alert[512 + 1];
+                snprintf(msg_alert, 512, "ossec: Audit: Detected rules manipulation: Audit rules removed");
+                SendMSG(syscheck.queue, msg_alert, "syscheck", LOCALFILE_MQ);
+
+                count_reload_retries++;
+
+                if (count_reload_retries < AUDIT_LOAD_RETRIES) {
+                    // Reload rules
+                    fim_audit_reload_rules();
+                } else {
+                    // Send alert
+                    char msg_alert[512 + 1];
+                    snprintf(msg_alert, 512, "ossec: Audit: Detected rules manipulation: Max rules reload retries");
+                    SendMSG(syscheck.queue, msg_alert, "syscheck", LOCALFILE_MQ);
+                    // Stop thread
+                    atomic_int_set(&audit_thread_active, 0);
+                }
+            }
+            os_free(p_dir);
+        }
+        // Fallthrough
+    case FIM_AUDIT_CUSTOM_KEY:
+        if (psuccess = strstr(buffer, "success=yes"), psuccess) {
+
+            os_calloc(1, sizeof(whodata_evt), w_evt);
+
+            // Items
+            if (regexec(&regexCompiled_items, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *chr_item;
+                os_malloc(match_size + 1, chr_item);
+                snprintf(chr_item, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                // No further checks needed on items
+                items = strtol(chr_item, NULL, 10);
+
+                free(chr_item);
+            }
+
+            // user_name & user_id
+            if (regexec(&regexCompiled_uid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->user_id);
+                snprintf(w_evt->user_id, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                if (w_evt->user_id[0] != '\0') {
+                    errno = 0;
+                    int user_id = strtol(w_evt->user_id, &endptr, 10);
+
+                    if (errno != ERANGE && endptr != NULL && *endptr == '\0') {
+                        w_evt->user_name = get_user(user_id);
+                    }
+                    endptr = NULL;
+                }
+            }
+
+            // audit_name & audit_uid
+            if (regexec(&regexCompiled_auid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *auid = NULL;
+                os_malloc(match_size + 1, auid);
+                snprintf(auid, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                if (strcmp(auid, "4294967295") == 0) { // Invalid auid (-1)
+                    if (!auid_err_reported) {
+                        mdebug1(FIM_AUDIT_INVALID_AUID);
+                        auid_err_reported = 1;
+                    }
+                    w_evt->audit_name = NULL;
+                    w_evt->audit_uid = NULL;
+                } else {
+                    w_evt->audit_uid = auid;
+                    auid = NULL;
+
+                    if (w_evt->audit_uid[0] != '\0') {
+                        errno = 0;
+                        int audit_uid = strtol(w_evt->audit_uid, &endptr, 10);
+
+                        if (errno != ERANGE && endptr != NULL && *endptr == '\0') {
+                            w_evt->audit_name = get_user(audit_uid);
+                        }
+                        endptr = NULL;
+                    }
+                }
+                os_free(auid);
+            }
+            // effective_name && effective_uid
+            if (regexec(&regexCompiled_euid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->effective_uid);
+                snprintf(w_evt->effective_uid, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                if (w_evt->effective_uid[0] != '\0') {
+                    errno = 0;
+                    int euid = strtol(w_evt->effective_uid, &endptr, 10);
+
+                    if (errno != ERANGE && endptr != NULL && *endptr == '\0') {
+                        w_evt->effective_name = get_user(euid);
+                    }
+                    endptr = NULL;
+                }
+            }
+            // group_name & group_id
+            if (regexec(&regexCompiled_gid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->group_id);
+                snprintf(w_evt->group_id, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                if (w_evt->group_id[0] != '\0') {
+                    errno = 0;
+                    int gid = strtol(w_evt->group_id, &endptr, 10);
+
+                    if (errno != ERANGE && endptr != NULL && *endptr == '\0') {
+                        w_evt->group_name = get_group(gid);
+                    }
+                    endptr = NULL;
+                }
+            }
+            // process_id
+            if (regexec(&regexCompiled_pid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *pid = NULL;
+                os_malloc(match_size + 1, pid);
+                snprintf(pid, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                w_evt->process_id = strtol(pid, &endptr, 10);
+
+                free(pid);
+            }
+            // ppid
+            if (regexec(&regexCompiled_ppid, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *ppid = NULL;
+                os_malloc(OS_FLSIZE, w_evt->parent_name);
+                os_malloc(OS_FLSIZE, w_evt->parent_cwd);
+                os_malloc(match_size + 1, ppid);
+                snprintf(ppid, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                get_parent_process_info(ppid, &w_evt->parent_name, &w_evt->parent_cwd);
+
+                w_evt->ppid = strtol(ppid, &endptr, 10);
+
+                free(ppid);
+            }
+            // process_name
+            if (regexec(&regexCompiled_pname, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->process_name);
+                snprintf(w_evt->process_name, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            } else if (regexec(&regexCompiled_pname_hex, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                if (decoded_buffer) {
+                    const int decoded_length = match_size / 2;
+                    os_malloc(decoded_length + 1, w_evt->process_name);
+                    snprintf(w_evt->process_name, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                    os_free(decoded_buffer);
+                } else {
+                    merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                }
+            }
+
+            // cwd
+            if (regexec(&regexCompiled_cwd, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->cwd);
+                snprintf(w_evt->cwd, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            } else if (regexec(&regexCompiled_cwd_hex, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                if (decoded_buffer) {
+                    const int decoded_length = match_size / 2;
+                    os_malloc(decoded_length + 1, w_evt->cwd);
+                    snprintf(w_evt->cwd, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                    os_free(decoded_buffer);
+                } else {
+                    merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                }
+            }
+
+            // path0
+            if (regexec(&regexCompiled_path0, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, path0);
+                snprintf(path0, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            } else if (regexec(&regexCompiled_path0_hex, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                if (decoded_buffer) {
+                    const int decoded_length = match_size / 2;
+                    os_malloc(decoded_length + 1, path0);
+                    snprintf(path0, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                    os_free(decoded_buffer);
+                } else {
+                    merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                }
+            }
+
+            // path1
+            if (regexec(&regexCompiled_path1, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, path1);
+                snprintf(path1, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            } else if (regexec(&regexCompiled_path1_hex, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                if (decoded_buffer) {
+                    const int decoded_length = match_size / 2;
+                    os_malloc(decoded_length + 1, path1);
+                    snprintf(path1, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                    os_free(decoded_buffer);
+                } else {
+                    merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                }
+            }
+
+            // inode
+            if (regexec(&regexCompiled_inode, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, w_evt->inode);
+                snprintf(w_evt->inode, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            }
+            // dev
+            if (regexec(&regexCompiled_dev, buffer, 2, match, 0) == 0) {
+                match_size = match[1].rm_eo - match[1].rm_so;
+                os_malloc(match_size + 1, dev);
+                snprintf(dev, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+
+                char *aux = wstr_chr(dev, ':');
+
+                if (aux) {
+                    *(aux++) = '\0';
+
+                    os_calloc(OS_SIZE_64, sizeof(char), w_evt->dev);
+                    snprintf(w_evt->dev, OS_SIZE_64, "%s%s", dev, aux);
+                    snprintf(w_evt->dev, OS_SIZE_64, "%ld", strtol(w_evt->dev, NULL, 16));
+                } else {
+                    merror("Couldn't decode device chunk of audit log: colon not found in this string: \"%s\".",
+                           dev); // LCOV_EXCL_LINE
+                }
+
+                free(dev);
+            }
+
+            // TODO: Verify all case events
+            // TODO: Should we consider the w_evt->path if !w_evt->inode?
+            switch (items) {
+
+            case 1:
+                if (w_evt->cwd && path0) {
+                    if (file_path = gen_audit_path(w_evt->cwd, path0, NULL), file_path) {
+                        w_evt->path = file_path;
+                        mdebug2(FIM_AUDIT_EVENT(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (w_evt->path) ? w_evt->path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                    }
+                }
+                break;
+            case 2:
+                if (w_evt->cwd && path0 && path1) {
+                    if (file_path = gen_audit_path(w_evt->cwd, path0, path1), file_path) {
+                        mdebug2(FIM_AUDIT_EVENT(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (file_path) ? file_path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        w_evt->path = realpath(file_path, NULL);
+                        if (w_evt->path == NULL) {
+                            os_strdup(file_path, w_evt->path);
+                            mdebug1(FIM_CHECK_LINK_REALPATH, w_evt->path); // LCOV_EXCL_LINE
+                        }
+
+                        free(file_path);
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                    }
+                }
+                break;
+            case 3:
+                // path2
+                if (regexec(&regexCompiled_path2, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, path2);
+                    snprintf(path2, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                } else if (regexec(&regexCompiled_path2_hex, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                    if (decoded_buffer) {
+                        const int decoded_length = match_size / 2;
+                        os_malloc(decoded_length + 1, path2);
+                        snprintf(path2, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                        os_free(decoded_buffer);
+                    } else {
+                        merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                    }
+                }
+
+                if (w_evt->cwd && path1 && path2) {
+                    if (file_path = gen_audit_path(w_evt->cwd, path1, path2), file_path) {
+                        w_evt->path = file_path;
+                        mdebug2(FIM_AUDIT_EVENT(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (w_evt->path) ? w_evt->path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                    }
+                }
+                free(path2);
+                break;
+            case 4:
+                // path2
+                if (regexec(&regexCompiled_path2, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, path2);
+                    snprintf(path2, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                } else if (regexec(&regexCompiled_path2_hex, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                    if (decoded_buffer) {
+                        const int decoded_length = match_size / 2;
+                        os_malloc(decoded_length + 1, path2);
+                        snprintf(path2, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                        os_free(decoded_buffer);
+                    } else {
+                        merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                    }
+                }
+
+                // path3
+                if (regexec(&regexCompiled_path3, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, path3);
+                    snprintf(path3, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                } else if (regexec(&regexCompiled_path3_hex, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                    if (decoded_buffer) {
+                        const int decoded_length = match_size / 2;
+                        os_malloc(decoded_length + 1, path3);
+                        snprintf(path3, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                        os_free(decoded_buffer);
+                    } else {
+                        merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                    }
+                }
+
+                if (w_evt->cwd && path0 && path1 && path2 && path3) {
+                    // Send event 1/2
+                    char *file_path1;
+                    if (file_path1 = gen_audit_path(w_evt->cwd, path0, path2), file_path1) {
+                        w_evt->path = file_path1;
+                        mdebug2(FIM_AUDIT_EVENT1(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (w_evt->path) ? w_evt->path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                        free(file_path1);
+                        w_evt->path = NULL;
+                    }
+
+                    // Send event 2/2
+                    char *file_path2;
+                    if (file_path2 = gen_audit_path(w_evt->cwd, path1, path3), file_path2) {
+                        w_evt->path = file_path2;
+                        mdebug2(FIM_AUDIT_EVENT2(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (w_evt->path) ? w_evt->path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                    }
+                }
+                free(path2);
+                free(path3);
+                break;
+            case 5:
+                // path4
+                if (regexec(&regexCompiled_path4, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    os_malloc(match_size + 1, path4);
+                    snprintf(path4, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+                } else if (regexec(&regexCompiled_path4_hex, buffer, 2, match, 0) == 0) {
+                    match_size = match[1].rm_eo - match[1].rm_so;
+                    char *decoded_buffer = decode_hex_buffer_2_ascii_buffer(buffer + match[1].rm_so, match_size);
+                    if (decoded_buffer) {
+                        const int decoded_length = match_size / 2;
+                        os_malloc(decoded_length + 1, path4);
+                        snprintf(path4, decoded_length + 1, "%.*s", decoded_length, decoded_buffer);
+                        os_free(decoded_buffer);
+                    } else {
+                        merror("Error found while decoding HEX bufer: '%.*s'", match_size, buffer + match[1].rm_so);
+                    }
+                }
+
+                if (w_evt->cwd && path1 && path4) {
+                    char *file_path;
+                    if (file_path = gen_audit_path(w_evt->cwd, path1, path4), file_path) {
+                        w_evt->path = file_path;
+                        mdebug2(FIM_AUDIT_EVENT(w_evt->user_name) ? w_evt->user_name : "",
+                                (w_evt->audit_name) ? w_evt->audit_name : "",
+                                (w_evt->effective_name) ? w_evt->effective_name : "",
+                                (w_evt->group_name) ? w_evt->group_name : "", w_evt->process_id, w_evt->ppid,
+                                (w_evt->inode) ? w_evt->inode : "", (w_evt->path) ? w_evt->path : "",
+                                (w_evt->process_name) ? w_evt->process_name : "");
+
+                        if (w_evt->inode) {
+                            fim_whodata_event(w_evt);
+                        }
+                    }
+                }
+                free(path4);
+                break;
+            }
+
+            free(path0);
+            free(path1);
+            free_whodata_event(w_evt);
+        }
+        break;
+    case FIM_AUDIT_HC_KEY:
+        if (regexec(&regexCompiled_syscall, buffer, 2, match, 0) == 0) {
+            match_size = match[1].rm_eo - match[1].rm_so;
+            char *syscall = NULL;
+            os_malloc(match_size + 1, syscall);
+            snprintf(syscall, match_size + 1, "%.*s", match_size, buffer + match[1].rm_so);
+            if (!strcmp(syscall, "2") || !strcmp(syscall, "257") || !strcmp(syscall, "5") || 
+                !strcmp(syscall, "295") || !strcmp(syscall, "56")) {
+                // x86_64: 2 open
+                // x86_64: 257 openat
+                // i686: 5 open
+                // i686: 295 openat
+                // aarch64: 56 openat
+                mdebug2(FIM_HEALTHCHECK_CREATE, syscall);
+                atomic_int_set(&audit_health_check_creation, 1);
+            } else if (!strcmp(syscall, "87") || !strcmp(syscall, "263") || !strcmp(syscall, "10") ||
+                       !strcmp(syscall, "301") || !strcmp(syscall, "35")) {
+                // x86_64: 87 unlink
+                // x86_64: 263 unlinkat
+                // i686: 10 unlink
+                // i686: 301 unlinkat
+                // aarch64: 35 unlinkat
+                mdebug2(FIM_HEALTHCHECK_DELETE, syscall);
+            } else {
+                mdebug2(FIM_HEALTHCHECK_UNRECOGNIZED_EVENT, syscall);
+            }
+            os_free(syscall);
+        }
+        break;
+    default:
+        break;
+    }
+}
+
+#endif // ENABLE_AUDIT
+#endif // __linux__
diff --git a/src/modules/fim/src/whodata/audit_rule_handling.c b/src/modules/fim/src/whodata/audit_rule_handling.c
new file mode 100644
index 0000000000..80b7be9959
--- /dev/null
+++ b/src/modules/fim/src/whodata/audit_rule_handling.c
@@ -0,0 +1,297 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef __linux__
+#include "syscheck_audit.h"
+#include "list_op.h"
+
+#define RELOAD_RULES_INTERVAL 30 // Seconds to re-add Audit rules
+
+#ifdef ENABLE_AUDIT
+
+#ifdef WAZUH_UNIT_TESTING
+#define static
+#endif
+
+static OSList *whodata_directories;
+static pthread_mutex_t rules_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+static int audit_rule_manipulation = 0;
+
+static void free_whodata_directory(whodata_directory_t *directory) {
+    os_free(directory->path);
+    os_free(directory);
+}
+
+static void _add_whodata_directory(const char *path) {
+    OSListNode *node;
+    whodata_directory_t *directory;
+
+    if (whodata_directories == NULL) {
+        merror(FIM_ERROR_WHODATA_UNINITIALIZED, path);
+        return;
+    }
+
+    // Search for duplicates
+    for (node = OSList_GetFirstNode(whodata_directories); node != NULL;
+         node = OSList_GetNextNode(whodata_directories)) {
+        directory = (whodata_directory_t *)node->data;
+
+        if (strcmp(path, directory->path) == 0) {
+            directory->pending_removal = 0;
+            return;
+        }
+    }
+
+    // If we got here, we need to add a new directory
+    os_malloc(sizeof(whodata_directory_t), directory);
+
+    os_strdup(path, directory->path);
+    directory->pending_removal = 0;
+
+    if (OSList_AddData(whodata_directories, directory) == NULL) {
+        free_whodata_directory(directory); // LCOV_EXCL_LINE
+    }
+}
+
+void add_whodata_directory(const char *path) {
+    w_mutex_lock(&rules_mutex);
+    _add_whodata_directory(path);
+    w_mutex_unlock(&rules_mutex);
+}
+
+void remove_audit_rule_syscheck(const char *path) {
+    OSListNode *node;
+
+    w_mutex_lock(&rules_mutex);
+
+    for (node = OSList_GetFirstNode(whodata_directories); node != NULL;
+         node = OSList_GetNextNode(whodata_directories)) {
+        whodata_directory_t *directory = (whodata_directory_t *)node->data;
+
+        if (strcmp(path, directory->path) == 0) {
+            directory->pending_removal = 1;
+            break;
+        }
+    }
+
+    w_mutex_unlock(&rules_mutex);
+}
+
+int fim_rules_initial_load() {
+    int retval;
+    char *directory = NULL;
+    directory_t *dir_it = NULL;
+    OSListNode *node_it;
+    int rules_added = 0;
+    int auditd_fd = audit_open();
+    int res = audit_get_rule_list(auditd_fd);
+
+    audit_close(auditd_fd);
+
+    if (!res) {
+        merror(FIM_ERROR_WHODATA_READ_RULE); // LCOV_EXCL_LINE
+    }
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    w_mutex_lock(&rules_mutex);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        // Check if dir[i] is set in whodata mode
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue; // LCOV_EXCL_LINE
+        }
+
+        directory = fim_get_real_path(dir_it);
+        if (*directory == '\0') {
+            free(directory); // LCOV_EXCL_LINE
+            continue; // LCOV_EXCL_LINE
+        }
+
+        // Add whodata directories until max_audit_entries is reached.
+        if (rules_added >= syscheck.max_audit_entries) {
+            merror(FIM_ERROR_WHODATA_MAXNUM_WATCHES, directory, syscheck.max_audit_entries);
+            free(directory);
+            break;
+        }
+
+        _add_whodata_directory(directory);
+
+        switch (search_audit_rule(directory, WHODATA_PERMS, AUDIT_KEY)) {
+        // The rule is not in audit_rule_list
+        case 0:
+            if (retval = audit_add_rule(directory, WHODATA_PERMS, AUDIT_KEY), retval > 0) {
+                mdebug2(FIM_AUDIT_NEWRULE, directory);
+                rules_added++;
+            } else if (retval != -EEXIST) {
+                mwarn(FIM_WARN_WHODATA_ADD_RULE, directory);
+            } else {
+                mdebug2(FIM_AUDIT_ALREADY_ADDED, directory);
+            }
+            break;
+
+        case 1:
+            mdebug2(FIM_AUDIT_RULEDUP, directory);
+            break;
+
+        default:
+            merror(FIM_ERROR_WHODATA_CHECK_RULE);
+            break;
+        }
+        // real_path can't be NULL
+        free(directory);
+    }
+    w_mutex_unlock(&rules_mutex);
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    return rules_added;
+}
+
+void fim_audit_reload_rules() {
+    int retval;
+    int rules_added = 0;
+    static bool reported = 0;
+    int auditd_fd;
+    int res;
+    OSListNode *node = NULL;
+
+    mdebug1(FIM_AUDIT_RELOADING_RULES);
+
+    auditd_fd = audit_open();
+    res = audit_get_rule_list(auditd_fd);
+
+    audit_close(auditd_fd);
+
+    if (!res) {
+        merror(FIM_ERROR_WHODATA_READ_RULE); // LCOV_EXCL_LINE
+    }
+
+    w_mutex_lock(&rules_mutex);
+
+    node = OSList_GetFirstNode(whodata_directories);
+
+    while (node != NULL) {
+        whodata_directory_t *directory = (whodata_directory_t *)node->data;
+
+        switch (search_audit_rule(directory->path, WHODATA_PERMS, AUDIT_KEY)) {
+        // The rule is not in audit_rule_list
+        case 0:
+            // If we had to remove it, we are done
+            if (directory->pending_removal != 0) {
+                free_whodata_directory(directory);
+                OSList_DeleteCurrentlyNode(whodata_directories);
+                node = OSList_GetCurrentlyNode(whodata_directories);
+                continue;
+            }
+
+            if (rules_added >= syscheck.max_audit_entries) {
+                if (!reported) {
+                    merror(FIM_ERROR_WHODATA_MAXNUM_WATCHES, directory->path, syscheck.max_audit_entries);
+                } else {
+                    mdebug2(FIM_ERROR_WHODATA_MAXNUM_WATCHES, directory->path, syscheck.max_audit_entries);
+                }
+                reported = 1;
+                break;
+            }
+
+            if (retval = audit_add_rule(directory->path, WHODATA_PERMS, AUDIT_KEY), retval > 0) {
+                mdebug2(FIM_AUDIT_NEWRULE, directory->path);
+                rules_added++;
+            } else if (retval != -EEXIST) {
+                mdebug1(FIM_WARN_WHODATA_ADD_RULE, directory->path);
+            } else {
+                mdebug2(FIM_AUDIT_ALREADY_ADDED, directory->path);
+            }
+
+            break;
+
+        case 1:
+            if (directory->pending_removal != 0) {
+                audit_rule_manipulation++;
+                audit_delete_rule(directory->path, WHODATA_PERMS, AUDIT_KEY);
+                free_whodata_directory(directory);
+                OSList_DeleteCurrentlyNode(whodata_directories);
+                node = OSList_GetCurrentlyNode(whodata_directories);
+                continue;
+            } else {
+                mdebug2(FIM_AUDIT_RULEDUP, directory->path);
+            }
+            break;
+
+        default:
+            merror(FIM_ERROR_WHODATA_CHECK_RULE);
+            break;
+        }
+
+        node = OSList_GetNextNode(whodata_directories);
+    }
+    w_mutex_unlock(&rules_mutex);
+
+    mdebug1(FIM_AUDIT_RELOADED_RULES, rules_added);
+}
+
+int fim_manipulated_audit_rules() {
+    int retval;
+
+    w_mutex_lock(&rules_mutex);
+    retval = audit_rule_manipulation;
+
+    if (audit_rule_manipulation != 0) {
+        audit_rule_manipulation--;
+    }
+    w_mutex_unlock(&rules_mutex);
+
+    return retval;
+}
+
+void clean_rules(void) {
+    OSListNode *node;
+
+    w_mutex_lock(&rules_mutex);
+
+    atomic_int_set(&audit_thread_active, 0);
+    mdebug2(FIM_AUDIT_DELETE_RULE);
+
+    for (node = OSList_GetFirstNode(whodata_directories); node != NULL;
+         node = OSList_GetNextNode(whodata_directories)) {
+        whodata_directory_t *directory = (whodata_directory_t *)node->data;
+
+        audit_delete_rule(directory->path, WHODATA_PERMS, AUDIT_KEY);
+    }
+
+    audit_rules_list_free();
+    OSList_CleanNodes(whodata_directories);
+    w_mutex_unlock(&rules_mutex);
+}
+
+// LCOV_EXCL_START
+int fim_audit_rules_init() {
+    whodata_directories = OSList_Create();
+    if (whodata_directories == NULL) {
+        return -1;
+    }
+
+    OSList_SetFreeDataPointer(whodata_directories, (void (*)(void *))free_whodata_directory);
+
+    return 0;
+}
+
+void *audit_reload_thread() {
+    sleep(RELOAD_RULES_INTERVAL);
+    while (atomic_int_get(&audit_thread_active) == 1) {
+        fim_audit_reload_rules();
+
+        sleep(RELOAD_RULES_INTERVAL);
+    }
+
+    return NULL;
+}
+// LCOV_EXCL_STOP
+
+#endif // ENABLE_AUDIT
+#endif // __linux__
diff --git a/src/modules/fim/src/whodata/syscheck_audit.c b/src/modules/fim/src/whodata/syscheck_audit.c
new file mode 100644
index 0000000000..78791d6e7e
--- /dev/null
+++ b/src/modules/fim/src/whodata/syscheck_audit.c
@@ -0,0 +1,700 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 13, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef __linux__
+#include "syscheck_audit.h"
+#include "../external/procps/readproc.h"
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include "../os_net/os_net.h"
+#include "syscheck_op.h"
+#include "audit_op.h"
+#include "string_op.h"
+
+#define AUDIT_RULES_FILE            "etc/audit_rules_wazuh.rules"
+#define AUDIT_RULES_LINK            "/etc/audit/rules.d/audit_rules_wazuh.rules"
+#define PLUGINS_DIR_AUDIT_2         "/etc/audisp/plugins.d"
+#define PLUGINS_DIR_AUDIT_3         "/etc/audit/plugins.d"
+#define AUDIT_CONF_LINK             "af_wazuh.conf"
+#define BUF_SIZE OS_MAXSTR
+#define MAX_CONN_RETRIES 5          // Max retries to reconnect to Audit socket
+
+// Global variables
+pthread_mutex_t audit_mutex;
+pthread_mutex_t audit_rules_mutex;
+pthread_cond_t audit_db_consistency;
+pthread_cond_t audit_thread_started;
+
+unsigned int count_reload_retries;
+
+static const char *const AUDISP_CONFIGURATION = "active = yes\ndirection = out\npath = builtin_af_unix\n"
+                                                "type = builtin\nargs = 0640 %s\nformat = string\n";
+
+w_queue_t * audit_queue;
+
+//This variable controls if the the modification of the rule is made by syscheck.
+
+volatile int audit_db_consistency_flag = 0;
+atomic_int_t audit_parse_thread_active = ATOMIC_INT_INITIALIZER(0);
+atomic_int_t audit_thread_active = ATOMIC_INT_INITIALIZER(0);
+
+#ifdef ENABLE_AUDIT
+typedef struct _audit_data_s {
+    int socket;
+    audit_mode mode;
+} audit_data_t;
+
+/**
+ * @brief Creates the necessary threads to process audit events
+ *
+ * @param [out] audit_data Struct that saves the audit socket to read the events from and the audit mode.
+ */
+static void *audit_main(audit_data_t *audit_data);
+
+int check_auditd_enabled(void) {
+    PROCTAB *proc = openproc(PROC_FILLSTAT | PROC_FILLSTATUS | PROC_FILLCOM );
+    proc_t *proc_info;
+    int auditd_pid = -1;
+
+    if (!proc) {
+        return -1;
+    }
+
+    while (proc_info = readproc(proc, NULL), proc_info != NULL) {
+        if(strcmp(proc_info->cmd,"auditd") == 0) {
+            auditd_pid = proc_info->tid;
+            freeproc(proc_info);
+            break;
+        }
+
+        freeproc(proc_info);
+    }
+
+    closeproc(proc);
+    return auditd_pid;
+}
+
+
+int configure_audisp(const char *audisp_path, const char *audisp_config) {
+    FILE *fp;
+    char buffer[PATH_MAX] = {'\0'};
+
+    minfo(FIM_AUDIT_SOCKET, AUDIT_CONF_FILE);
+
+    abspath(AUDIT_CONF_FILE, buffer, PATH_MAX);
+
+    fp = wfopen(AUDIT_CONF_FILE, "w");
+    if (!fp) {
+        merror(FOPEN_ERROR, AUDIT_CONF_FILE, errno, strerror(errno));
+        return -1;
+    }
+
+    fwrite(audisp_config, sizeof(char), strlen(audisp_config), fp);
+
+    if (fclose(fp)) {
+        merror(FCLOSE_ERROR, AUDIT_CONF_FILE, errno, strerror(errno));
+        return -1;
+    }
+
+    if (symlink(buffer, audisp_path) < 0) {
+        switch (errno) {
+        case EEXIST:
+            if (unlink(audisp_path) < 0) {
+                merror(UNLINK_ERROR, audisp_path, errno, strerror(errno));
+                return -1;
+            }
+
+            if (symlink(buffer, audisp_path) == 0) {
+                break;
+            }
+
+        // Fallthrough
+        default:
+            merror(LINK_ERROR, audisp_path, AUDIT_CONF_FILE, errno, strerror(errno));
+            return -1;
+        }
+    }
+
+    if (syscheck.restart_audit) {
+        minfo(FIM_AUDIT_RESTARTING, AUDIT_CONF_FILE);
+        return audit_restart();
+    } else {
+        mwarn(FIM_WARN_AUDIT_CONFIGURATION_MODIFIED);
+        return 1;
+    }
+}
+
+// Set Auditd socket configuration
+int set_auditd_config(void) {
+    char audisp_path[50] = {0};
+    char *configuration = NULL;
+    int configuration_length;
+    char abs_path_socket[PATH_MAX] = {'\0'};
+    int retval = 1;
+    os_sha1 file_sha1, configuration_sha1;
+
+    // Check audisp version
+    if (IsDir(PLUGINS_DIR_AUDIT_3) == 0) {
+        // Audit 3.X
+        snprintf(audisp_path, sizeof(audisp_path) - 1, "%s/%s", PLUGINS_DIR_AUDIT_3, AUDIT_CONF_LINK);
+    } else if (IsDir(PLUGINS_DIR_AUDIT_2) == 0) {
+        // Audit 2.X
+        snprintf(audisp_path, sizeof(audisp_path) - 1, "%s/%s", PLUGINS_DIR_AUDIT_2, AUDIT_CONF_LINK);
+    } else {
+        return 0;
+    }
+
+    abspath(AUDIT_SOCKET, abs_path_socket, PATH_MAX);
+
+    configuration_length = snprintf(NULL, 0, AUDISP_CONFIGURATION, abs_path_socket);
+
+    if (configuration_length <= 0) {
+        return -1; // LCOV_EXCL_LINE
+    }
+
+    os_calloc(configuration_length + 1, sizeof(char), configuration);
+
+    snprintf(configuration, configuration_length + 1, AUDISP_CONFIGURATION, abs_path_socket);
+
+    // Sanity check the configuration file
+    OS_SHA1_Str(configuration, configuration_length, configuration_sha1);
+
+    if (OS_SHA1_File(audisp_path, file_sha1, OS_TEXT) != 0) {
+        retval = configure_audisp(audisp_path, configuration);
+        goto end;
+    }
+
+    if (strcmp(file_sha1, configuration_sha1) != 0) {
+        retval = configure_audisp(audisp_path, configuration);
+        goto end;
+    }
+
+    // Check that the socket exists
+    if (IsSocket(AUDIT_SOCKET) == 0) {
+        retval = 0;
+        goto end;
+    }
+
+    if (syscheck.restart_audit) {
+        minfo(FIM_AUDIT_NOSOCKET, AUDIT_SOCKET);
+        retval = audit_restart();
+        goto end;
+    }
+
+    mwarn(FIM_WARN_AUDIT_SOCKET_NOEXIST, AUDIT_SOCKET);
+end:
+    os_free(configuration);
+    return retval;
+}
+
+
+// Init Audit events socket
+int init_auditd_socket(void) {
+    int sfd;
+
+    if (sfd = OS_ConnectUnixDomain(AUDIT_SOCKET, SOCK_STREAM, OS_MAXSTR), sfd < 0) {
+        merror(FIM_ERROR_WHODATA_SOCKET_CONNECT, AUDIT_SOCKET);
+        return (-1);
+    }
+
+    return sfd;
+}
+
+void audit_create_rules_file() {
+    char *real_path = NULL;
+    directory_t *dir_it = NULL;
+    OSListNode *node_it;
+    FILE *fp;
+
+    fp = wfopen(AUDIT_RULES_FILE, "w");
+    if (!fp) {
+        merror(FOPEN_ERROR, AUDIT_RULES_FILE, errno, strerror(errno));
+        return;
+    }
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue;
+        }
+        real_path = fim_get_real_path(dir_it);
+
+        mdebug2(FIM_ADDED_RULE_TO_FILE, real_path);
+        fprintf(fp, "-w %s -p wa -k %s\n", real_path, AUDIT_KEY);
+
+        free(real_path);
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    if (fclose(fp)) {
+        merror(FCLOSE_ERROR, AUDIT_RULES_FILE, errno, strerror(errno));
+        return;
+    }
+
+    char abs_rules_file_path[PATH_MAX] = {'\0'};
+    abspath(AUDIT_RULES_FILE, abs_rules_file_path, PATH_MAX);
+
+    // Create symlink to audit rules file
+    if (symlink(abs_rules_file_path, AUDIT_RULES_LINK) < 0) {
+        if (errno != EEXIST) {
+            merror(LINK_ERROR, AUDIT_RULES_LINK, abs_rules_file_path, errno, strerror(errno));
+            return;
+        }
+        if (unlink(AUDIT_RULES_LINK) < 0) {
+            merror(UNLINK_ERROR, AUDIT_RULES_LINK, errno, strerror(errno));
+            return;
+        }
+        if (symlink(abs_rules_file_path, AUDIT_RULES_LINK) < 0) {
+            merror(LINK_ERROR, AUDIT_RULES_LINK, abs_rules_file_path, errno, strerror(errno));
+            return;
+        }
+    }
+
+    minfo(FIM_AUDIT_CREATED_RULE_FILE);
+}
+
+void audit_rules_to_realtime() {
+    char *real_path = NULL;
+    directory_t *dir_it = NULL;
+    OSListNode *node_it;
+    int found;
+    int realtime_check = 0;
+
+    // Initialize audit_rule_list
+    int auditd_fd = audit_open();
+    int res = audit_get_rule_list(auditd_fd);
+    audit_close(auditd_fd);
+
+    if (!res) {
+        merror(FIM_ERROR_WHODATA_READ_RULE); // LCOV_EXCL_LINE
+    }
+
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue;
+        }
+
+        found = 0;
+        real_path = fim_get_real_path(dir_it);
+
+        if (search_audit_rule(real_path, WHODATA_PERMS, AUDIT_KEY) == 1) {
+            free(real_path);
+            continue;
+        }
+
+        for (int j = 0; syscheck.audit_key[j]; j++) {
+            if (search_audit_rule(real_path, WHODATA_PERMS, syscheck.audit_key[j]) == 1) {
+                found = 1;
+                break;
+            }
+        }
+
+        if (!found){
+            realtime_check = 1;
+            mwarn(FIM_ERROR_WHODATA_ADD_DIRECTORY, real_path);
+            dir_it->options &= ~WHODATA_ACTIVE;
+            dir_it->options |= REALTIME_ACTIVE;
+        }
+
+        free(real_path);
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    if (realtime_check) {
+        w_mutex_lock(&syscheck.fim_realtime_mutex);
+        if (syscheck.realtime == NULL) {
+            realtime_start();
+        }
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+    }
+}
+
+// LCOV_EXCL_START
+int audit_init(void) {
+    static audit_data_t audit_data = { .socket = -1, .mode = AUDIT_DISABLED };
+
+    w_mutex_init(&audit_mutex, NULL);
+
+    // Check if auditd is installed and running.
+    int aupid = check_auditd_enabled();
+
+    if (aupid <= 0) {
+        mwarn(FIM_AUDIT_NORUNNING);
+        return (-1);
+    }
+
+    // Check audit socket configuration
+    switch (set_auditd_config()) {
+    case -1:
+        mdebug1(FIM_AUDIT_NOCONF);
+        return (-1);
+    case 0:
+        break;
+    default:
+        return (-1);
+    }
+
+    // Initialize Audit socket
+    audit_data.socket = init_auditd_socket();
+    if (audit_data.socket < 0) {
+        merror("Can't init auditd socket in 'init_auditd_socket()'");
+        return -1;
+    }
+
+    int regex_comp = init_regex();
+    if (regex_comp < 0) {
+        merror("Can't init regex in 'init_regex()'");
+        return -1;
+    }
+
+    if (fim_audit_rules_init() != 0) {
+        return -1;
+    }
+
+    // Initialize audit queue
+    audit_queue = queue_init(syscheck.queue_size);
+    atomic_int_set(&audit_parse_thread_active, 1);
+    w_create_thread(audit_parse_thread, NULL);
+
+    // Print audit queue size
+    minfo(FIM_AUDIT_QUEUE_SIZE, syscheck.queue_size);
+
+    // Perform Audit healthcheck
+    if (syscheck.audit_healthcheck) {
+        if(audit_health_check(audit_data.socket)) {
+            merror(FIM_ERROR_WHODATA_HEALTHCHECK_START);
+            return -1;
+        }
+    } else {
+        minfo(FIM_AUDIT_HEALTHCHECK_DISABLE);
+    }
+
+    // Change to realtime directories that don't have any rules when Auditd is in immutable mode
+    int auditd_fd = audit_open();
+    audit_data.mode = audit_is_enabled(auditd_fd);
+    audit_close(auditd_fd);
+
+    switch (audit_data.mode) {
+    case AUDIT_IMMUTABLE:
+        audit_create_rules_file();
+        audit_rules_to_realtime();
+        break;
+    case AUDIT_ENABLED:
+        fim_rules_initial_load();
+        atexit(clean_rules);
+        break;
+    case AUDIT_DISABLED:
+        mwarn(FIM_AUDIT_DISABLED);
+        return -1;
+    default:
+        merror(FIM_ERROR_AUDIT_MODE, strerror(errno), errno);
+        return -1;
+    }
+
+    // Start audit thread
+    w_cond_init(&audit_thread_started, NULL);
+    w_cond_init(&audit_db_consistency, NULL);
+    w_create_thread(audit_main, &audit_data);
+    w_mutex_lock(&audit_mutex);
+    while (atomic_int_get(&audit_thread_active) == 0) {
+        w_cond_wait(&audit_thread_started, &audit_mutex);
+    }
+    w_mutex_unlock(&audit_mutex);
+    return 1;
+
+}
+// LCOV_EXCL_STOP
+
+
+// LCOV_EXCL_START
+void audit_set_db_consistency(void) {
+    w_mutex_lock(&audit_mutex);
+    audit_db_consistency_flag = 1;
+    w_cond_signal(&audit_db_consistency);
+    w_mutex_unlock(&audit_mutex);
+}
+// LCOV_EXCL_STOP
+
+// LCOV_EXCL_START
+void *audit_main(audit_data_t *audit_data) {
+    char *path = NULL;
+    directory_t *dir_it = NULL;
+    OSListNode *node_it;
+    count_reload_retries = 0;
+    atomic_int_set(&audit_thread_active,0);
+
+    w_mutex_lock(&audit_mutex);
+    atomic_int_set(&audit_thread_active, 1);
+    w_cond_signal(&audit_thread_started);
+
+    while (!audit_db_consistency_flag) {
+        w_cond_wait(&audit_db_consistency, &audit_mutex);
+    }
+
+    w_mutex_unlock(&audit_mutex);
+
+    if (audit_data->mode == AUDIT_ENABLED) {
+        // Start rules reloading thread
+        w_create_thread(audit_reload_thread, NULL);
+    }
+
+    minfo(FIM_WHODATA_STARTED);
+
+    // Read events
+    audit_read_events(&audit_data->socket, &audit_thread_active);
+
+    // Auditd is not runnig or socket closed.
+    mdebug1(FIM_AUDIT_THREAD_STOPED);
+    close(audit_data->socket);
+
+    // Clean regexes used for parsing events
+    clean_regex();
+    // Change Audit monitored folders to Inotify.
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue;
+        }
+        path = fim_get_real_path(dir_it);
+        // Check if it's a broken link.
+        if (*path == '\0') {
+            free(path);
+            continue;
+        }
+        dir_it->options &= ~ WHODATA_ACTIVE;
+        dir_it->options |= REALTIME_ACTIVE;
+
+        w_mutex_lock(&syscheck.fim_realtime_mutex);
+        if (syscheck.realtime == NULL) {
+            realtime_start();
+        }
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+        realtime_adddir(path, dir_it);
+        free(path);
+    }
+
+    OSList_foreach(node_it, syscheck.wildcards) {
+        dir_it = node_it->data;
+        if ((dir_it->options & WHODATA_ACTIVE) == 0) {
+            continue;
+        }
+
+        w_mutex_lock(&syscheck.fim_realtime_mutex);
+        if (syscheck.realtime == NULL) {
+            realtime_start();
+        }
+        w_mutex_unlock(&syscheck.fim_realtime_mutex);
+
+        dir_it->options &= ~ WHODATA_ACTIVE;
+        dir_it->options |= REALTIME_ACTIVE;
+    }
+
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    atomic_int_set(&audit_parse_thread_active, 0);
+
+    // Clean Audit added rules.
+    if (audit_data->mode == AUDIT_ENABLED) {
+        clean_rules();
+    }
+
+    return NULL;
+}
+// LCOV_EXCL_STOP
+
+void *audit_parse_thread() {
+    char * audit_logs;
+
+    while (atomic_int_get(&audit_parse_thread_active)) {
+        audit_logs = queue_pop_ex(audit_queue);
+        audit_parse(audit_logs);
+        os_free(audit_logs);
+    }
+    queue_free(audit_queue);
+
+    return NULL;
+}
+
+void audit_read_events(int *audit_sock, atomic_int_t *running) {
+    size_t byteRead;
+    char * cache;
+    char * cache_id = NULL;
+    char * line;
+    char * endline;
+    size_t cache_i = 0;
+    size_t buffer_i = 0; // Buffer offset
+    size_t len;
+    fd_set fdset;
+    struct timeval timeout;
+    count_reload_retries = 0;
+    int conn_retries;
+    char * eoe_found = NULL;
+    char * cache_dup = NULL;
+
+    char *buffer;
+    os_malloc(BUF_SIZE * sizeof(char), buffer);
+    os_malloc(BUF_SIZE, cache);
+
+    while (atomic_int_get(running)) {
+        FD_ZERO(&fdset);
+        FD_SET(*audit_sock, &fdset);
+
+        timeout.tv_sec = 1;
+        timeout.tv_usec = 0;
+
+        switch (select(*audit_sock + 1, &fdset, NULL, NULL, &timeout)) {
+        case -1:
+            merror(SELECT_ERROR, errno, strerror(errno));
+            sleep(1);
+            continue;
+
+        case 0:
+            if (cache_i) {
+                // Flush cache
+                os_strdup(cache, cache_dup);
+                if (queue_push_ex(audit_queue, cache_dup)) {
+                    if (!audit_queue_full_reported) {
+                        mwarn(FIM_FULL_AUDIT_QUEUE);
+                        audit_queue_full_reported = 1;
+                    }
+                    os_free(cache_dup);
+                }
+                cache_i = 0;
+            }
+
+            continue;
+
+        default:
+            if (atomic_int_get(running) == 0) {
+                continue;
+            }
+
+            break;
+        }
+
+        if (byteRead = recv(*audit_sock, buffer + buffer_i, BUF_SIZE - buffer_i - 1, 0), !byteRead) {
+            // Connection closed
+            mwarn(FIM_WARN_AUDIT_CONNECTION_CLOSED);
+            // Reconnect
+            conn_retries = 0;
+            sleep(1);
+            minfo(FIM_AUDIT_RECONNECT, ++conn_retries);
+            *audit_sock = init_auditd_socket();
+            while (conn_retries < MAX_CONN_RETRIES && *audit_sock < 0) {
+                minfo(FIM_AUDIT_RECONNECT, ++conn_retries);
+                sleep(1);
+                *audit_sock = init_auditd_socket();
+            }
+            if (*audit_sock >= 0) {
+                minfo(FIM_AUDIT_CONNECT);
+                // Reload rules
+                fim_audit_reload_rules();
+                continue;
+            }
+            // Send alert
+            char msg_alert[512 + 1];
+            snprintf(msg_alert, 512, "ossec: Audit: Connection closed");
+            SendMSG(syscheck.queue, msg_alert, "syscheck", LOCALFILE_MQ);
+            break;
+        }
+
+        buffer[buffer_i += byteRead] = '\0';
+
+        // Find first endline
+
+        if (endline = strchr(buffer, '\n'), !endline) {
+            // No complete line yet.
+            continue;
+        }
+
+        // Get all the lines
+        line = buffer;
+
+        char * id;
+        char *event_too_long_id = NULL;
+
+        do {
+            *endline = '\0';
+
+            if (id = audit_get_id(line), id) {
+                // If there was cached data and the ID is different, parse cache first
+
+                if (cache_id && strcmp(cache_id, id) && cache_i) {
+                    if (!event_too_long_id) {
+                        os_strdup(cache, cache_dup);
+                        if (queue_push_ex(audit_queue, cache_dup)) {
+                            if (!audit_queue_full_reported) {
+                                mwarn(FIM_FULL_AUDIT_QUEUE);
+                                audit_queue_full_reported = 1;
+                            }
+                            os_free(cache_dup);
+                        }
+                    }
+                    cache_i = 0;
+                }
+
+                // Append to cache
+                len = endline - line;
+                if (cache_i + len + 1 <= BUF_SIZE) {
+                    strncpy(cache + cache_i, line, len);
+                    cache_i += len;
+                    cache[cache_i++] = '\n';
+                    cache[cache_i] = '\0';
+                } else if (!event_too_long_id){
+                    mwarn(FIM_WARN_WHODATA_EVENT_TOOLONG, id);
+                    os_strdup(id, event_too_long_id);
+                }
+                eoe_found = strstr(line, "type=EOE");
+
+                free(cache_id);
+                cache_id = id;
+            } else {
+                mwarn(FIM_WARN_WHODATA_GETID, line);
+            }
+
+            line = endline + 1;
+        } while (*line && (endline = strchr(line, '\n'), endline));
+
+        // If some audit log remains in the cache and it is complet (line "end of event" is found), flush cache
+        if (eoe_found && !event_too_long_id){
+            os_strdup(cache, cache_dup);
+            if (queue_push_ex(audit_queue, cache_dup)) {
+                if (!audit_queue_full_reported) {
+                    mwarn(FIM_FULL_AUDIT_QUEUE);
+                    audit_queue_full_reported = 1;
+                }
+                os_free(cache_dup);
+            }
+            cache_i = 0;
+        }
+
+        // If some data remains in the buffer, move it to the beginning
+        if (*line) {
+            buffer_i = strlen(line);
+            memmove(buffer, line, buffer_i);
+        } else {
+            buffer_i = 0;
+        }
+
+        os_free(event_too_long_id);
+    }
+
+    free(cache_id);
+    free(cache);
+    free(buffer);
+}
+
+#endif
+#endif
diff --git a/src/modules/fim/src/whodata/win_whodata.c b/src/modules/fim/src/whodata/win_whodata.c
new file mode 100644
index 0000000000..2e8a26f168
--- /dev/null
+++ b/src/modules/fim/src/whodata/win_whodata.c
@@ -0,0 +1,1848 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * June 13, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "shared.h"
+#include "hash_op.h"
+#include "syscheck.h"
+#include "syscheck_op.h"
+
+#ifdef WIN_WHODATA
+
+#include <ntsecapi.h>
+#include <winsock2.h>
+#include <windows.h>
+#include <aclapi.h>
+#include <sddl.h>
+#include <winevt.h>
+
+#define WLIST_ALERT_THRESHOLD 80 // 80%
+#define WLIST_REMOVE_MAX 10 // 10%
+#define WCLIST_MAX_SIZE OS_SIZE_1024
+#define WPOL_BACKUP_COMMAND "auditpol /backup /file:\"%s\""
+#define WPOL_RESTORE_COMMAND "auditpol /restore /file:\"%s\""
+#define WPOL_BACKUP_FILE "tmp\\backup-policies"
+#define WPOL_NEW_FILE "tmp\\new-policies"
+#define modify_criteria (FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES)
+#define criteria (DELETE | modify_criteria)
+#define WHODATA_DIR_REMOVE_INTERVAL 2
+#define FILETIME_SECOND 10000000
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#include "../../../unit_tests/wrappers/windows/aclapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/ntsecapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/errhandlingapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/fileapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/handleapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/heapapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/processthreadsapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/sddl_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/securitybaseapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/stringapiset_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/synchapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/sysinfoapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/timezoneapi_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/winbase_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/winevt_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/winreg_wrappers.h"
+#include "../../../unit_tests/wrappers/windows/libc/stdio_wrappers.h"
+#endif
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+// Variables whodata
+STATIC char sys_64 = 1;
+STATIC PSID everyone_sid = NULL;
+STATIC size_t ev_sid_size = 0;
+static unsigned short inherit_flag = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE; //SUB_CONTAINERS_AND_OBJECTS_INHERIT
+STATIC EVT_HANDLE context;
+STATIC const wchar_t* event_fields[] = {
+    L"Event/System/EventID",
+    L"Event/EventData/Data[@Name='SubjectUserName']",
+    L"Event/EventData/Data[@Name='ObjectName']",
+    L"Event/EventData/Data[@Name='ProcessName']",
+    L"Event/EventData/Data[@Name='ProcessId']",
+    L"Event/EventData/Data[@Name='HandleId']",
+    L"Event/EventData/Data[@Name='AccessMask']",
+    L"Event/EventData/Data[@Name='SubjectUserSid']",
+    L"Event/System/TimeCreated/@SystemTime"
+};
+enum rendered_fields {
+    RENDERED_EVENT_ID = 0,
+    RENDERED_USER_NAME,
+    RENDERED_PATH,
+    RENDERED_PROCESS_NAME,
+    RENDERED_PROCESS_ID,
+    RENDERED_HANDLE_ID,
+    RENDERED_ACCESS_MASK,
+    RENDERED_USER_SID,
+    RENDERED_TIMESTAMP
+};
+
+static unsigned int fields_number = sizeof(event_fields) / sizeof(LPWSTR);
+static const unsigned __int64 AUDIT_SUCCESS = 0x20000000000000;
+static LPCTSTR priv = "SeSecurityPrivilege";
+STATIC int restore_policies = 0;
+STATIC int policies_checked = 0;
+atomic_int_t whodata_end = ATOMIC_INT_INITIALIZER(0);
+EVT_HANDLE evt_subscribe_handle;  // Subscribe handle.
+
+// Whodata function headers
+void restore_sacls();
+int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable);
+unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, __attribute__((unused)) void *_void, EVT_HANDLE event);
+int set_policies();
+void set_subscription_query(wchar_t *query);
+extern int wm_exec(char *command, char **output, int *exitcode, int secs, const char * add_path);
+int restore_audit_policies();
+int whodata_hash_add(OSHash *table, char *id, void *data, char *tag);
+void notify_SACL_change(char *dir);
+int whodata_path_filter(char **path);
+int whodata_check_arch();
+/**
+ * @brief Release all whodata allocated resources. Frees all data stored in the structure, not the structure.
+ * Also switches the directories to realtime.
+ */
+STATIC void win_whodata_release_resources(whodata *wdata);
+
+/**
+ * @brief Checks the sacl status of an object.
+ *
+ * @param obj String with the object to be checked
+ * @param is_file Boolean to check if it is file
+
+ * @return Returns the sacl status of an object.
+ * @retval 0: if the object has valid sacl.
+ * @retval 1: if the object has invalid sacl.
+ * @retval 2: if the object cannot be opened, set privileges or obtain security information.
+ */
+int check_object_sacl(char *obj, int is_file);
+
+/**
+ * @brief Checks if sacl is valid
+ *
+ * @param sacl PACL with the sacl to be checked
+ * @param is_file Boolean to check if it is file
+
+ * @return Returns the status of the sacl passed as a parameter
+ * @retval 0: if sacl is valid
+ * @retval 1: if sacl is invalid or NULL
+ * @retval 2: if we cannot allocate the everyone_sid variable
+ */
+int is_valid_sacl(PACL sacl, int is_file);
+
+// Whodata list operations
+char *get_whodata_path(const short unsigned int *win_path);
+
+// Get volumes and paths of Windows system
+int get_volume_names();
+int get_drive_names(wchar_t *volume_name, char *device);
+void replace_device_path(char **path);
+
+/**
+ * @brief Function to check if a global policy is configured as Success.
+ *
+ * @return int 0 if the policies are configured properly, 1 if not and -1 if some function fail.
+ */
+int policy_check();
+
+STATIC void win_whodata_release_resources(whodata *wdata) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+    // Move all directories to realtime
+    w_rwlock_wrlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = (directory_t *) node_it->data;
+        dir_it->dirs_status.status &= ~WD_CHECK_WHODATA;
+        dir_it->options &= ~WHODATA_ACTIVE;
+        dir_it->dirs_status.status &= ~WD_IGNORE_REST;
+        dir_it->dirs_status.status |= WD_CHECK_REALTIME;
+        syscheck.realtime_change = 1;
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+    if (evt_subscribe_handle != NULL) {
+        EvtClose(evt_subscribe_handle);
+    }
+
+    if (wdata->fd != NULL) {
+        OSHash_Free(wdata->fd);
+        wdata->fd = NULL;
+    }
+
+    if (wdata->directories != NULL) {
+        OSHash_Free(wdata->directories);
+        wdata->directories = NULL;
+    }
+
+    if (wdata->device != NULL) {
+        free_strarray(wdata->device);
+        wdata->device = NULL;
+    }
+
+    if (wdata->drive != NULL) {
+        free_strarray(wdata->drive);
+        wdata->drive = NULL;
+    }
+
+    atomic_int_set(&whodata_end, 1);
+}
+
+int set_winsacl(const char *dir, directory_t *configuration) {
+    DWORD result = 0;
+    PACL old_sacl = NULL, new_sacl = NULL;
+    PSECURITY_DESCRIPTOR security_descriptor = NULL;
+    SYSTEM_AUDIT_ACE *ace = NULL;
+    PVOID entry_access_it = NULL;
+    HANDLE hdle;
+    unsigned int i;
+    ACL_SIZE_INFORMATION old_sacl_info;
+    unsigned long new_sacl_size;
+    int retval = 1;
+    int privilege_enabled = 0;
+
+    assert(configuration != NULL);
+
+    mdebug2(FIM_SACL_CONFIGURE, dir);
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hdle)) {
+        merror(FIM_ERROR_SACL_OPENPROCESSTOKEN, GetLastError());
+        return 1;
+    }
+
+    if (set_privilege(hdle, priv, TRUE)) {
+        merror(FIM_ERROR_SACL_ELEVATE_PRIVILEGE, GetLastError());
+        goto end;
+    }
+
+    privilege_enabled = 1;
+
+    if (result = GetNamedSecurityInfo(dir, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &old_sacl, &security_descriptor), result != ERROR_SUCCESS) {
+        merror(FIM_ERROR_SACL_GETSECURITYINFO, result);
+        goto end;
+    }
+
+    ZeroMemory(&old_sacl_info, sizeof(ACL_SIZE_INFORMATION));
+
+    // Check if the sacl has what the whodata scanner needs
+    int is_file = configuration->dirs_status.object_type == WD_STATUS_FILE_TYPE ? 1 : 0;
+
+    switch (is_valid_sacl(old_sacl, is_file)) {
+    case 0:
+        // It is not necessary to configure the SACL of the directory
+        retval = 0;
+        goto end;
+    case 1:
+        mdebug2(FIM_SACL_CHECK_CONFIGURE, dir);
+        configuration->dirs_status.status |= WD_IGNORE_REST;
+
+        // Empty SACL
+        if (!old_sacl) {
+            old_sacl_info.AclBytesInUse = sizeof(ACL);
+        } else {
+            // Get SACL size
+            if (!GetAclInformation(old_sacl, (LPVOID)&old_sacl_info, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) {
+                merror(FIM_ERROR_SACL_GETSIZE, dir);
+                goto end;
+            }
+        }
+        break;
+    default:
+        // Can't access everyone_sid variable, nothing to do
+        break;
+    }
+
+    if (!ev_sid_size) {
+        ev_sid_size = GetLengthSid(everyone_sid);
+    }
+
+    // Set the new ACL size
+    new_sacl_size = old_sacl_info.AclBytesInUse + sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(unsigned long);
+
+    if (new_sacl = (PACL)win_alloc(new_sacl_size), !new_sacl) {
+        merror(FIM_ERROR_SACL_NOMEMORY, dir);
+        goto end;
+    }
+
+    if (!InitializeAcl(new_sacl, new_sacl_size, ACL_REVISION)) {
+        merror(FIM_ERROR_SACL_CREATE, dir);
+        goto end;
+    }
+
+    // If SACL is present, copy it to a new SACL
+    if (old_sacl) {
+        if (old_sacl_info.AceCount) {
+            for (i = 0; i < old_sacl_info.AceCount; i++) {
+               if (!GetAce(old_sacl, i, &entry_access_it)) {
+                   merror(FIM_ERROR_SACL_ACE_GET, i, dir);
+                   goto end;
+               }
+
+               if (!AddAce(new_sacl, ACL_REVISION, MAXDWORD, entry_access_it, ((PACE_HEADER)entry_access_it)->AceSize)) {
+                   merror(FIM_ERROR_SACL_ACE_CPY, i, dir);
+                   goto end;
+               }
+           }
+        }
+    }
+    // Build the new ACE
+    if (ace = (SYSTEM_AUDIT_ACE *)win_alloc(sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(DWORD)), !ace) {
+        merror(FIM_ERROR_SACL_ACE_NOMEMORY, dir);
+        goto end;
+    }
+
+    ace->Header.AceType  = SYSTEM_AUDIT_ACE_TYPE;
+    ace->Header.AceFlags = inherit_flag | SUCCESSFUL_ACCESS_ACE_FLAG;
+    ace->Header.AceSize  = LOWORD(sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(DWORD));
+    ace->Mask            = criteria;
+    if (!CopySid(ev_sid_size, &ace->SidStart, everyone_sid)) {
+        goto end;
+    }
+
+    // Add the new ACE
+    if (!AddAce(new_sacl, ACL_REVISION, 0, (LPVOID)ace, ace->Header.AceSize)) {
+        merror(FIM_ERROR_SACL_ACE_ADD, dir);
+        goto end;
+    }
+
+    // Set a new ACL for the security descriptor
+    if (result = SetNamedSecurityInfo((char *) dir, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, new_sacl), result != ERROR_SUCCESS) {
+        merror(FIM_ERROR_SACL_SETSECURITYINFO, result);
+        goto end;
+    }
+
+    retval = 0;
+end:
+    if (privilege_enabled) {
+        // Disable the privilege
+        if (set_privilege(hdle, priv, FALSE)) {
+            merror(FIM_ERROR_SACL_SET_PRIVILEGE, GetLastError());
+        }
+    }
+
+    if (hdle) {
+        CloseHandle(hdle);
+    }
+
+    if (security_descriptor) {
+        LocalFree((HLOCAL)security_descriptor);
+    }
+
+    if (old_sacl) {
+        LocalFree((HLOCAL)old_sacl);
+    }
+
+    if (new_sacl) {
+        LocalFree((HLOCAL)new_sacl);
+    }
+    if (ace) {
+        LocalFree((HLOCAL)ace);
+    }
+    return retval;
+}
+
+int is_valid_sacl(PACL sacl, int is_file) {
+    int i;
+    ACCESS_ALLOWED_ACE *ace;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    if (!everyone_sid) {
+        if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid)) {
+            merror(FIM_ERROR_WHODATA_GET_SID, GetLastError());
+            return 2;
+        }
+    }
+
+    if (!sacl) {
+        mdebug2(FIM_SACL_NOT_FOUND);
+        return 1;
+    }
+
+    for (i = 0; i < sacl->AceCount; i++) {
+        if (!GetAce(sacl, i, (LPVOID*)&ace)) {
+            merror(FIM_ERROR_WHODATA_GET_ACE, GetLastError());
+            return 1;
+        }
+
+        if ((is_file || (ace->Header.AceFlags & inherit_flag)) && // Check folder and subfolders
+            (ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) && // Check successful attemp
+            ((ace->Mask & (criteria)) == criteria) && // Check write, delete, change_permissions and change_attributes permission
+            (EqualSid((PSID)&ace->SidStart, everyone_sid))) { // Check everyone user
+            return 0;
+        }
+    }
+    return 1;
+}
+
+int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable) {
+    TOKEN_PRIVILEGES tp;
+    LUID pr_uid;
+
+    // Get the privilege UID
+    if (!LookupPrivilegeValue(NULL, privilege, &pr_uid)) {
+        merror(FIM_ERROR_SACL_FIND_PRIVILEGE, privilege, GetLastError());
+        return 1;
+    }
+
+    tp.PrivilegeCount = 1;
+    tp.Privileges[0].Luid = pr_uid;
+
+    if (enable) {
+        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+    } else {
+        tp.Privileges[0].Attributes = 0;
+    }
+
+    // Set the privilege to the process
+    if (!AdjustTokenPrivileges(hdle, 0, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
+        merror(FIM_ERROR_WHODATA_TOKENPRIVILEGES, GetLastError());
+        return 1;
+    }
+
+    if (enable) {
+        mdebug2(FIM_ELEVATE_PRIVILEGE, privilege);
+    } else {
+        mdebug2(FIM_REDUCE_PRIVILEGE, privilege);
+    }
+
+    return 0;
+}
+
+int run_whodata_scan() {
+    wchar_t query[OS_MAXSTR];
+    int result;
+
+    if (whodata_check_arch()) {
+        return 1;
+    }
+
+    // Set the signal handler to restore the policies
+    atexit(audit_restore);
+
+    // Set the system audit policies
+    if (result = set_policies(), result) {
+        merror(FIM_WARN_WHODATA_LOCALPOLICIES);
+        return 1;
+    }
+
+    // Select the interesting fields
+    if (context = EvtCreateRenderContext(fields_number, event_fields, EvtRenderContextValues), !context) {
+        merror(FIM_ERROR_WHODATA_CONTEXT, GetLastError());
+        return 1;
+    }
+
+    set_subscription_query(query);
+    // Set the whodata callback
+
+    evt_subscribe_handle = EvtSubscribe(NULL,
+                           NULL,
+                           L"Security",
+                           query,
+                           NULL,
+                           NULL,
+                           (EVT_SUBSCRIBE_CALLBACK) whodata_callback,
+                           EvtSubscribeToFutureEvents);
+    if (evt_subscribe_handle == NULL) {
+        merror(FIM_ERROR_WHODATA_EVENTCHANNEL);
+        return 1;
+    }
+
+    minfo(FIM_WHODATA_STARTED);
+
+    return 0;
+}
+
+void audit_restore() {
+    restore_sacls();
+    if (restore_policies) {
+        restore_audit_policies();
+    }
+}
+
+/* Removes added security audit policies */
+void restore_sacls() {
+    PACL sacl_it;
+    HANDLE hdle = NULL;
+    HANDLE c_process = NULL;
+    LPCTSTR priv = "SeSecurityPrivilege";
+    DWORD result = 0;
+    PSECURITY_DESCRIPTOR security_descriptor = NULL;
+    int privilege_enabled = 0;
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    c_process = GetCurrentProcess();
+    if (!OpenProcessToken(c_process, TOKEN_ADJUST_PRIVILEGES, &hdle)) {
+        merror(FIM_ERROR_SACL_OPENPROCESSTOKEN, GetLastError());
+        goto end;
+    }
+
+    if (set_privilege(hdle, priv, TRUE)) {
+        merror(FIM_ERROR_SACL_ELEVATE_PRIVILEGE, GetLastError());
+        goto end;
+    }
+
+    privilege_enabled = 1;
+
+    w_rwlock_rdlock(&syscheck.directories_lock);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->dirs_status.status & WD_IGNORE_REST) {
+            sacl_it = NULL;
+
+            result = GetNamedSecurityInfo(dir_it->path, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL,
+                                          &sacl_it, &security_descriptor);
+            if (result != ERROR_SUCCESS) {
+                merror(FIM_ERROR_SACL_GETSECURITYINFO, result);
+                break;
+            }
+
+            // The ACE we added is in position 0
+            if (!DeleteAce(sacl_it, 0)) {
+                merror(FIM_ERROR_SACL_ACE_DELETE, GetLastError());
+                break;
+            }
+
+            // Set the SACL
+            result = SetNamedSecurityInfo(dir_it->path, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, sacl_it);
+            if (result != ERROR_SUCCESS) {
+                merror(FIM_ERROR_SACL_SETSECURITYINFO, result);
+                break;
+            }
+
+            if (sacl_it) {
+                LocalFree((HLOCAL)sacl_it);
+            }
+
+            if (security_descriptor) {
+                LocalFree((HLOCAL)security_descriptor);
+            }
+            mdebug2(FIM_SACL_RESTORED, dir_it->path);
+        }
+    }
+    w_rwlock_unlock(&syscheck.directories_lock);
+
+end:
+    if (privilege_enabled) {
+        // Disable the privilege
+        if (set_privilege(hdle, priv, FALSE)) {
+            merror(FIM_ERROR_SACL_SET_PRIVILEGE, GetLastError());
+        }
+    }
+
+    if (hdle) {
+        CloseHandle(hdle);
+    }
+    if (c_process) {
+        CloseHandle(c_process);
+    }
+}
+
+int restore_audit_policies() {
+    char command[OS_SIZE_1024];
+    int result_code;
+    snprintf(command, OS_SIZE_1024, WPOL_RESTORE_COMMAND, WPOL_BACKUP_FILE);
+
+    if (IsFile(WPOL_BACKUP_FILE)) {
+        merror(FIM_ERROR_WHODATA_RESTORE_POLICIES);
+        return 1;
+    }
+
+    // Get the current policies
+    char *cmd_output = NULL;
+    int wm_exec_ret_code, i = 0;
+    int retries = 5;
+    int timeout = 5;
+    BOOL cmd_failed;
+    do {
+        cmd_failed = 0;
+        wm_exec_ret_code = wm_exec(command, &cmd_output, &result_code, timeout+i, NULL);
+        if (wm_exec_ret_code < 0) {
+            merror(FIM_ERROR_WHODATA_AUDITPOL, "failed to execute command");
+            cmd_failed = 1;
+        } else if (wm_exec_ret_code == 1) {
+            merror(FIM_ERROR_WHODATA_AUDITPOL, "time overtaken while running the command");
+            os_free(cmd_output);
+            cmd_failed = 1;
+        } else if (!wm_exec_ret_code && result_code) {
+            char error_msg[OS_MAXSTR];
+            snprintf(error_msg, OS_MAXSTR, FIM_ERROR_WHODATA_AUDITPOL, "command returned failure'. Output: '%s");
+            merror(error_msg, cmd_output);
+            os_free(cmd_output);
+            cmd_failed = 1;
+        }
+        if (cmd_failed) {
+            merror(FIM_AUDITPOL_ATTEMPT_FAIL, i+1);
+        }
+        i++;
+    } while (i <= retries && cmd_failed);
+    
+    if (i == retries + 1) {
+       merror(FIM_AUDITPOL_FINAL_FAIL, i);
+    } 
+
+    return cmd_failed;
+}
+
+PEVT_VARIANT whodata_event_render(EVT_HANDLE event) {
+    PEVT_VARIANT buffer = NULL;
+    unsigned long used_size;
+    unsigned long property_count;
+
+    // Extract the necessary memory size
+    EvtRender(context, event, EvtRenderEventValues, 0, NULL, &used_size, &property_count);
+
+    os_malloc(used_size, buffer);
+    memset(buffer, 0, used_size);
+
+    if (!EvtRender(context, event, EvtRenderEventValues, used_size, buffer, &used_size, &property_count)) {
+        mwarn(FIM_WHODATA_RENDER_EVENT, GetLastError());
+        os_free(buffer);
+        return buffer;
+    }
+
+    if (property_count != fields_number) {
+        mwarn(FIM_WHODATA_RENDER_PARAM);
+        os_free(buffer);
+    }
+
+    return buffer;
+}
+
+int whodata_get_event_id(const PEVT_VARIANT raw_data, short *event_id) {
+    if (!raw_data || !event_id) {
+        return -1;
+    }
+
+    // EventID
+    if (raw_data[RENDERED_EVENT_ID].Type != EvtVarTypeUInt16) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_EVENT_ID].Type, "event_id");
+        return -1;
+    }
+    *event_id = raw_data[RENDERED_EVENT_ID].Int16Val;
+
+    return 0;
+}
+
+int whodata_get_handle_id(const PEVT_VARIANT raw_data, unsigned __int64 *handle_id) {
+    if (!raw_data || !handle_id) {
+        return -1;
+    }
+
+    // HandleId
+    // In 32-bit Windows we find EvtVarTypeSizeT or EvtVarTypeHexInt32
+    if (raw_data[RENDERED_HANDLE_ID].Type != EvtVarTypeHexInt64) {
+        if (raw_data[RENDERED_HANDLE_ID].Type == EvtVarTypeSizeT) {
+            *handle_id = (unsigned __int64) raw_data[RENDERED_HANDLE_ID].SizeTVal;
+        } else if (raw_data[RENDERED_HANDLE_ID].Type == EvtVarTypeHexInt32) {
+            *handle_id = (unsigned __int64) raw_data[RENDERED_HANDLE_ID].UInt32Val;
+        } else {
+            mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_HANDLE_ID].Type, "handle_id");
+            return -1;
+        }
+    } else {
+        *handle_id = raw_data[RENDERED_HANDLE_ID].UInt64Val;
+    }
+    return 0;
+}
+
+int whodata_get_access_mask(const PEVT_VARIANT raw_data, unsigned long *mask) {
+    if (!raw_data || !mask) {
+        return -1;
+    }
+
+    // AccessMask
+    if (raw_data[RENDERED_ACCESS_MASK].Type != EvtVarTypeHexInt32) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_ACCESS_MASK].Type, "mask");
+        return -1;
+    }
+    *mask = raw_data[RENDERED_ACCESS_MASK].UInt32Val;
+
+    return 0;
+}
+
+int whodata_event_parse(const PEVT_VARIANT raw_data, whodata_evt *event_data) {
+    if (!raw_data || !event_data) {
+        return -1;
+    }
+
+    // ObjectName
+    if (raw_data[RENDERED_PATH].Type != EvtVarTypeString) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_PATH].Type, "path");
+        return -1;
+    }  else {
+        if (event_data->path = get_whodata_path(raw_data[RENDERED_PATH].XmlVal), !event_data->path) {
+            return -1;
+        }
+
+        // Replace in string path \device\harddiskvolumeX\ by drive letter
+        replace_device_path(&event_data->path);
+
+        str_lowercase(event_data->path);
+        if (whodata_path_filter(&event_data->path)) {
+            return -1;
+        }
+    }
+
+    // SubjectUserName
+    if (raw_data[RENDERED_USER_NAME].Type != EvtVarTypeString) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_USER_NAME].Type, "user_name");
+        event_data->user_name = NULL;
+    } else {
+        event_data->user_name = convert_windows_string(raw_data[RENDERED_USER_NAME].XmlVal);
+    }
+
+    // ProcessName
+    if (raw_data[RENDERED_PROCESS_NAME].Type != EvtVarTypeString) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_PROCESS_NAME].Type, "process_name");
+        event_data->process_name = NULL;
+    } else {
+        event_data->process_name = convert_windows_string(raw_data[RENDERED_PROCESS_NAME].XmlVal);
+    }
+
+    // ProcessId
+    // In 32-bit Windows we find EvtVarTypeSizeT
+    if (raw_data[RENDERED_PROCESS_ID].Type != EvtVarTypeHexInt64) {
+        if (raw_data[RENDERED_PROCESS_ID].Type == EvtVarTypeSizeT) {
+            event_data->process_id = (unsigned __int64) raw_data[RENDERED_PROCESS_ID].SizeTVal;
+        } else if (raw_data[RENDERED_PROCESS_ID].Type == EvtVarTypeHexInt32) {
+            event_data->process_id = (unsigned __int64) raw_data[RENDERED_PROCESS_ID].UInt32Val;
+        } else {
+            mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_PROCESS_ID].Type, "process_id");
+            event_data->process_id = 0;
+        }
+    } else {
+        event_data->process_id = raw_data[RENDERED_PROCESS_ID].UInt64Val;
+    }
+
+    // SubjectUserSid
+    if (raw_data[RENDERED_USER_SID].Type != EvtVarTypeSid) {
+        mwarn(FIM_WHODATA_PARAMETER, raw_data[RENDERED_USER_SID].Type, "user_id");
+        event_data->user_id = NULL;
+    } else if (!ConvertSidToStringSid(raw_data[RENDERED_USER_SID].SidVal, &event_data->user_id)) {
+        if (event_data->user_name) {
+            mdebug1(FIM_WHODATA_INVALID_UID, event_data->user_name);
+        } else {
+            mdebug1(FIM_WHODATA_INVALID_UNKNOWN_UID);
+        }
+        return -1;
+    }
+
+    return 0;
+}
+
+unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, __attribute__((unused)) void *_void, EVT_HANDLE event) {
+    unsigned int retval = 1;
+    int result;
+    PEVT_VARIANT buffer = NULL;
+    whodata_evt *w_evt;
+    short event_id;
+    unsigned __int64 handle_id;
+    char is_directory;
+    whodata_directory *w_dir;
+    unsigned long mask = 0;
+    directory_t *configuration;
+
+    SafeWow64DisableWow64FsRedirection(NULL); //Disable virtual redirection to 64bits folder due this is a x86 process
+    if (action == EvtSubscribeActionDeliver) {
+        char hash_id[21];
+
+        if (buffer = whodata_event_render(event), !buffer) {
+            goto clean;
+        }
+
+        if (whodata_get_event_id(buffer, &event_id)) {
+            goto clean;
+        }
+
+        if (event_id == 4656 || event_id == 4663 || event_id == 4658) {
+            if (whodata_get_handle_id(buffer, &handle_id)) {
+                goto clean;
+            }
+            snprintf(hash_id, 21, "%llu", handle_id);
+        }
+
+        switch(event_id) {
+
+            // Open fd
+            case 4656:
+                is_directory = 0;
+
+                os_calloc(1, sizeof(whodata_evt), w_evt);
+                if (whodata_event_parse(buffer, w_evt) != 0) {
+                    free_whodata_event(w_evt);
+                    goto clean;
+                }
+
+                if (whodata_get_access_mask(buffer, &mask)) {
+                    free_whodata_event(w_evt);
+                    goto clean;
+                }
+
+                w_rwlock_rdlock(&syscheck.directories_lock);
+                configuration = fim_configuration_directory(w_evt->path);
+                if (configuration == NULL && !(mask & (FILE_APPEND_DATA | FILE_WRITE_DATA))) {
+                    // Discard the file or directory if its monitoring has not been activated
+                    mdebug2(FIM_WHODATA_NOT_ACTIVE, w_evt->path);
+                    free_whodata_event(w_evt);
+                    w_rwlock_unlock(&syscheck.directories_lock);
+                    goto clean;
+                }
+
+                if (configuration != NULL) {
+                    // Ignore the file if belongs to a non-whodata directory
+                    if (!(configuration->dirs_status.status & WD_CHECK_WHODATA) &&
+                        !(mask & (FILE_APPEND_DATA | FILE_WRITE_DATA))) {
+                        mdebug2(FIM_WHODATA_CANCELED, w_evt->path);
+                        free_whodata_event(w_evt);
+                        w_rwlock_unlock(&syscheck.directories_lock);
+                        goto clean;
+                    }
+
+                    // Ignore any and all events that are beyond the configured recursion level.
+                    int depth = fim_check_depth(w_evt->path, configuration);
+                    if (depth > configuration->recursion_level) {
+                        mdebug2(FIM_MAX_RECURSION_LEVEL, depth, configuration->recursion_level, w_evt->path);
+                        free_whodata_event(w_evt);
+                        w_rwlock_unlock(&syscheck.directories_lock);
+                        goto clean;
+                    }
+                }
+                w_rwlock_unlock(&syscheck.directories_lock);
+
+                int device_type;
+
+                // If it is an existing directory, check_path_type returns 2
+                if (device_type = check_path_type(w_evt->path), device_type == 2) {
+                    is_directory = 1;
+                } else if (device_type == 0) {
+                    // If the device could not be found, it was monitored by Syscheck, has not recently been removed,
+                    // and had never been entered in the hash table before, we can deduce that it is a removed directory
+                    if (mask & DELETE || mask & FILE_APPEND_DATA) {
+                        mdebug2(FIM_WHODATA_REMOVE_FOLDEREVENT, w_evt->path);
+                        is_directory = 1;
+                    }
+                }
+
+                // In deferred delete events the access mask comes with delete access only,
+                // we need it to scan the directory this file belongs to
+                if (mask == DELETE || mask == (DELETE | FILE_READ_ATTRIBUTES)) {
+                    w_evt->mask = DELETE;
+                } else {
+                    w_evt->mask = 0;
+                }
+                w_evt->scan_directory = is_directory;
+
+                if (result = whodata_hash_add(syscheck.wdata.fd, hash_id, w_evt, "whodata"), result == 0) {
+                    free_whodata_event(w_evt);
+                    goto clean;
+                }
+
+                // Duplicate event handle, attempt to replace it
+                if (result == 1) {
+                    whodata_evt *w_evtdup;
+
+                    mdebug2(FIM_WHODATA_HANDLE_UPDATE, hash_id);
+                    if (w_evtdup = OSHash_Delete_ex(syscheck.wdata.fd, hash_id), !w_evtdup) {
+                        merror(FIM_ERROR_WHODATA_HANDLER_REMOVE, hash_id);
+                        free_whodata_event(w_evt);
+                        goto clean;
+                    }
+                    free_whodata_event(w_evtdup);
+
+                    if (result = whodata_hash_add(syscheck.wdata.fd, hash_id, w_evt, "whodata"), result != 2) {
+                        if(result == 1){
+                            merror(FIM_ERROR_WHODATA_EVENTADD, "whodata", hash_id); // LCOV_EXCL_LINE
+                        }
+                        free_whodata_event(w_evt);
+                        goto clean;
+                    }
+                }
+            break;
+
+            // Write fd
+            case 4663:
+                if (w_evt = OSHash_Get(syscheck.wdata.fd, hash_id), !w_evt) {
+                    goto clean;
+                }
+
+                // Check if the mask is relevant
+                if (whodata_get_access_mask(buffer, &mask)) {
+                    goto clean;
+                }
+
+                if (!mask) {
+                    goto clean;
+                }
+
+                w_evt->mask |= mask;
+
+                // Get the event time
+                if (buffer[RENDERED_TIMESTAMP].Type != EvtVarTypeFileTime) {
+                    mwarn(FIM_WHODATA_PARAMETER, buffer[RENDERED_TIMESTAMP].Type, "event_time");
+                    w_evt->scan_directory = 2;
+                    goto clean;
+                }
+
+                // Check if it is a rename or copy event
+                if (w_evt->scan_directory == 0 || (w_evt->mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) == 0) {
+                    goto clean;
+                }
+
+                // Check if is a valid directory
+                w_rwlock_rdlock(&syscheck.directories_lock);
+                if (fim_configuration_directory(w_evt->path) == NULL) {
+                    mdebug2(FIM_WHODATA_DIRECTORY_DISCARDED, w_evt->path);
+                    w_evt->scan_directory = 2;
+                    w_rwlock_unlock(&syscheck.directories_lock);
+                    break;
+                }
+                w_rwlock_unlock(&syscheck.directories_lock);
+
+                w_rwlock_wrlock(&syscheck.wdata.directories->mutex);
+
+                if (w_dir = OSHash_Get(syscheck.wdata.directories, w_evt->path), w_dir) {
+                    FILETIME ft;
+
+                    if ((buffer[RENDERED_TIMESTAMP].FileTimeVal - w_dir->QuadPart) < FILETIME_SECOND) {
+                        w_rwlock_unlock(&syscheck.wdata.directories->mutex);
+                        mdebug2(FIM_WHODATA_DIRECTORY_SCANNED, w_evt->path);
+                        w_evt->scan_directory = 3;
+                        break;
+                    }
+                    GetSystemTimeAsFileTime(&ft);
+                    w_dir->LowPart = ft.dwLowDateTime;
+                    w_dir->HighPart = ft.dwHighDateTime;
+
+                    w_rwlock_unlock(&syscheck.wdata.directories->mutex);
+
+                    mdebug2(FIM_WHODATA_CHECK_NEW_FILES, w_evt->path);
+                } else {
+                    w_rwlock_unlock(&syscheck.wdata.directories->mutex);
+                    os_calloc(1, sizeof(whodata_directory), w_dir);
+
+                    if (result = whodata_hash_add(syscheck.wdata.directories, w_evt->path, w_dir, "directories"), result != 2) {
+                        w_evt->scan_directory = 2;
+                        free(w_dir);
+                        break;
+                    } else {
+                        mdebug2(FIM_WHODATA_CHECK_NEW_FILES, w_evt->path);
+                    }
+                }
+            break;
+
+            // Close fd
+            case 4658:
+                if (w_evt = OSHash_Delete_ex(syscheck.wdata.fd, hash_id), w_evt && w_evt->path) {
+
+                    if (!w_evt->scan_directory) {
+                        fim_whodata_event(w_evt);
+                    } else if (w_evt->scan_directory == 1) {
+                        // Directory scan has been aborted if scan_directory is 2
+                        if (w_evt->mask & DELETE) {
+                            fim_whodata_event(w_evt);
+
+                        } else if(w_evt->mask & FILE_APPEND_DATA || w_evt->mask & FILE_WRITE_DATA) {
+                            // Find new files
+                            fim_whodata_event(w_evt);
+
+                        } else {
+                            mdebug2(FIM_WHODATA_NO_NEW_FILES, w_evt->path, w_evt->mask);
+                        }
+
+                    } else if (w_evt->scan_directory == 2) {
+                        mdebug1(FIM_WHODATA_SCAN_ABORTED, w_evt->path);
+                    }
+                }
+
+                free_whodata_event(w_evt);
+                break;
+
+            case 4719:
+                if (policies_checked) {
+                    mwarn(FIM_WHODATA_POLICY_CHANGE_CHANNEL);
+                    win_whodata_release_resources(&syscheck.wdata);
+                }
+            break;
+            default:
+                merror(FIM_ERROR_WHODATA_EVENTID);
+                goto clean;
+        }
+    }
+    retval = 0;
+clean:
+    os_free(buffer);
+    return retval;
+}
+
+int whodata_audit_start() {
+    // Set the hash table of directories
+    if (syscheck.wdata.directories = OSHash_Create(), !syscheck.wdata.directories) {
+        return 1;
+    }
+    // Set the hash table of file descriptors
+    // We assume that its default value is 1024
+    if (syscheck.wdata.fd = OSHash_Create(), !syscheck.wdata.fd) {
+        return 1;
+    }
+
+    OSHash_SetFreeDataPointer(syscheck.wdata.fd, (void (*)(void *))free_whodata_event);
+
+    minfo(FIM_WHODATA_VOLUMES);
+    get_volume_names();
+
+    return 0;
+}
+
+int policy_check() {
+    static const char *guid_ObjectAccess = "{6997984a-797a-11d9-bed3-505054503030}";
+    static const char *guid_FileSystem = "{0CCE921D-69AE-11D9-BED3-505054503030}";
+    static const char *guid_Handle =  "{0CCE9223-69AE-11D9-BED3-505054503030}";
+
+    int file_system_success = 0;
+    int handle_manipulation_success = 0;
+    LSA_HANDLE PolicyHandle;
+    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+    PPOLICY_AUDIT_EVENTS_INFO AuditEvents;
+    GUID *pAuditSubCategoryGuids = NULL;
+    AUDIT_POLICY_INFORMATION *pAuditPolicies = NULL;
+    BOOL open_policy = FALSE;
+    NTSTATUS Status;
+    DWORD err_code;
+
+    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
+    Status = LsaOpenPolicy(NULL, &ObjectAttributes, POLICY_VIEW_AUDIT_INFORMATION, &PolicyHandle);
+
+    if(!Status) {
+        open_policy = TRUE;
+        Status = LsaQueryInformationPolicy(PolicyHandle, PolicyAuditEventsInformation, (PVOID *)&AuditEvents);
+
+        if(!Status) {
+            if(AuditEvents->AuditingMode) {
+                GUID auditCategoryId;
+                ULONG subCategoryCount = 0;
+                ULONG policyAuditEventType = 0;
+                char guid_string[40];
+
+                mdebug2(FIM_WHODATA_POLICY_OPENED);
+
+                while (policyAuditEventType < AuditEvents->MaximumAuditEventCount) {
+                    if(AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, &auditCategoryId) == FALSE) {
+                        goto error;
+                    }
+                    snprintf(guid_string, 40, "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}",
+                                                auditCategoryId.Data1, auditCategoryId.Data2, auditCategoryId.Data3,
+                                                auditCategoryId.Data4[0], auditCategoryId.Data4[1], auditCategoryId.Data4[2], auditCategoryId.Data4[3],
+                                                auditCategoryId.Data4[4], auditCategoryId.Data4[5], auditCategoryId.Data4[6], auditCategoryId.Data4[7]);
+
+                    if(!strcasecmp(guid_string, guid_ObjectAccess)) {
+                        mdebug2(FIM_WHODATA_OBJECT_ACCESS, guid_string);
+
+                        if(AuditEnumerateSubCategories(&auditCategoryId, FALSE, &pAuditSubCategoryGuids, &subCategoryCount) == FALSE) {
+                            goto error;
+                        }
+
+                        if(AuditQuerySystemPolicy(pAuditSubCategoryGuids, subCategoryCount, &pAuditPolicies) == FALSE) {
+                            goto error;
+                        }
+
+                        // Probe each subcategory in the category
+                        for(ULONG subcategoryIndex = 0; subcategoryIndex < subCategoryCount; subcategoryIndex++) {
+                            AUDIT_POLICY_INFORMATION currentPolicy = pAuditPolicies[subcategoryIndex];
+
+                            snprintf(guid_string, 40, "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}",
+                                                        currentPolicy.AuditSubCategoryGuid.Data1, currentPolicy.AuditSubCategoryGuid.Data2, currentPolicy.AuditSubCategoryGuid.Data3,
+                                                        currentPolicy.AuditSubCategoryGuid.Data4[0], currentPolicy.AuditSubCategoryGuid.Data4[1], currentPolicy.AuditSubCategoryGuid.Data4[2], currentPolicy.AuditSubCategoryGuid.Data4[3],
+                                                        currentPolicy.AuditSubCategoryGuid.Data4[4], currentPolicy.AuditSubCategoryGuid.Data4[5], currentPolicy.AuditSubCategoryGuid.Data4[6], currentPolicy.AuditSubCategoryGuid.Data4[7]);
+
+                            if(currentPolicy.AuditingInformation & POLICY_AUDIT_EVENT_SUCCESS) {
+                                if(!strcasecmp(guid_string, guid_FileSystem)) {
+                                    file_system_success = 1;
+                                    mdebug2(FIM_WHODATA_SUCCESS_POLICY, "File System", guid_string);
+                                }
+                                if(!strcasecmp(guid_string, guid_Handle)) {
+                                    handle_manipulation_success = 1;
+                                    mdebug2(FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_string);
+                                }
+                                if(file_system_success && handle_manipulation_success) {
+                                    LsaFreeMemory(AuditEvents);
+                                    LsaClose(PolicyHandle);
+
+                                    return 0;
+                                }
+                            }
+                        }
+                    }
+                    policyAuditEventType++;
+                }
+            }
+        } else {
+            SetLastError(LsaNtStatusToWinError(Status));
+            goto error;
+        }
+    } else {
+        SetLastError(LsaNtStatusToWinError(Status));
+        goto error;
+    }
+    LsaFreeMemory(AuditEvents);
+    LsaClose(PolicyHandle);
+
+    return 1;
+
+error:
+    err_code = GetLastError();
+    char err_msg[OS_SIZE_1024];
+    memset(err_msg, 0, OS_SIZE_1024);
+    FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK,
+                  NULL, err_code, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &err_msg, OS_SIZE_1024, NULL);
+    mwarn(FIM_WHODATA_ERROR_CHECKING_POL, err_msg, err_code);
+
+    if(open_policy) {
+        LsaFreeMemory(AuditEvents);
+        LsaClose(PolicyHandle);
+    }
+
+    return -1;
+}
+
+long unsigned int WINAPI state_checker(__attribute__((unused)) void *_void) {
+   SafeWow64DisableWow64FsRedirection(NULL); //Disable virtual redirection to 64bits folder due this is a x86 process
+
+    int exists;
+    whodata_dir_status *d_status;
+    int interval;
+    OSHashNode *w_dir_node;
+    OSHashNode *w_dir_node_next;
+    whodata_directory *w_dir;
+    directory_t *dir_it;
+    OSListNode *node_it;
+    unsigned int w_dir_it;
+    FILETIME current_time;
+    ULARGE_INTEGER stale_time;
+
+    if (!syscheck.wdata.interval_scan) {
+        interval = WDATA_DEFAULT_INTERVAL_SCAN;
+    } else {
+        interval = syscheck.wdata.interval_scan;
+    }
+
+    mdebug1(FIM_WHODATA_CHECKTHREAD, interval);
+
+    while (atomic_int_get(&whodata_end) == 0) {
+        mdebug2(FIM_WHODATA_STATE_CHECKER);
+
+        // Check File System and Handle Manipulation policies. Switch to realtime in case these policies are disabled.
+        if (policy_check() == 1) {
+            mwarn(FIM_WHODATA_POLICY_CHANGE_CHECKER);
+            win_whodata_release_resources(&syscheck.wdata);
+            break;
+        }
+
+        w_rwlock_wrlock(&syscheck.directories_lock);
+        OSList_foreach(node_it, syscheck.directories) {
+            dir_it = node_it->data;
+            exists = 0;
+            d_status = &dir_it->dirs_status;
+
+            if (!(d_status->status & WD_CHECK_WHODATA)) {
+                // It is not whodata
+                continue;
+            }
+
+            switch (check_path_type(dir_it->path)) {
+            case 0:
+                // Unknown device type or does not exist
+                exists = 0;
+                break;
+            case 1:
+                exists = 1;
+                d_status->object_type = WD_STATUS_FILE_TYPE;
+                break;
+            case 2:
+                exists = 1;
+                d_status->object_type = WD_STATUS_DIR_TYPE;
+                break;
+            }
+
+            if (exists) {
+                if (!(d_status->status & WD_STATUS_EXISTS)) {
+                    minfo(FIM_WHODATA_READDED, dir_it->path);
+                    if (set_winsacl(dir_it->path, dir_it)) {
+                        merror(FIM_ERROR_WHODATA_ADD_DIRECTORY, dir_it->path);
+                        d_status->status &= ~WD_CHECK_WHODATA;
+                        dir_it->options &= ~WHODATA_ACTIVE;
+                        d_status->status |= WD_CHECK_REALTIME;
+                        syscheck.realtime_change = 1;
+                        continue;
+                    }
+                    d_status->status |= WD_STATUS_EXISTS;
+                } else {
+                    // Check if the SACL is invalid
+                    if (check_object_sacl(dir_it->path, (d_status->object_type == WD_STATUS_FILE_TYPE)) == 1) {
+                        minfo(FIM_WHODATA_SACL_CHANGED, dir_it->path);
+                        // Mark the directory to prevent its children from
+                        // sending partial whodata alerts
+                        d_status->status &= ~WD_CHECK_WHODATA;
+                        // Removes CHECK_WHODATA from directory properties to prevent from
+                        // being found in the whodata callback for Windows
+                        dir_it->options &= ~WHODATA_ACTIVE;
+                        // Mark it to prevent the restoration of its SACL
+                        d_status->status &= ~WD_IGNORE_REST;
+                        // Mark it to be monitored by Realtime
+                        d_status->status |= WD_CHECK_REALTIME;
+                        syscheck.realtime_change = 1;
+                        notify_SACL_change(dir_it->path);
+                        continue;
+                    }
+                }
+            } else {
+                mdebug2(FIM_WHODATA_DELETE, dir_it->path);
+                d_status->status &= ~WD_STATUS_EXISTS;
+                d_status->object_type = WD_STATUS_UNK_TYPE;
+            }
+            // Set the timestamp
+            GetSystemTime(&d_status->last_check);
+        }
+        w_rwlock_unlock(&syscheck.directories_lock);
+
+        // Go through syscheck.wdata.directories and remove stale entries
+        GetSystemTimeAsFileTime(&current_time);
+
+        stale_time.LowPart = current_time.dwLowDateTime;
+        stale_time.HighPart = current_time.dwHighDateTime;
+
+        // 5 seconds ago
+        stale_time.QuadPart -= 5 * FILETIME_SECOND;
+
+        w_dir_it = 0;
+        w_rwlock_wrlock(&syscheck.wdata.directories->mutex);
+
+        while (w_dir_it <= syscheck.wdata.directories->rows) {
+            w_dir_node = syscheck.wdata.directories->table[w_dir_it];
+            w_dir_node_next = w_dir_node;
+
+            while(w_dir_node_next) {
+                w_dir_node_next = w_dir_node_next->next;
+
+                w_dir = w_dir_node->data;
+                if (w_dir->QuadPart < stale_time.QuadPart) {
+                    if (w_dir = OSHash_Delete(syscheck.wdata.directories, w_dir_node->key), w_dir) {
+                        free(w_dir);
+                    }
+                }
+                w_dir_node = w_dir_node_next;
+            }
+            w_dir_it++;
+        }
+
+        w_rwlock_unlock(&syscheck.wdata.directories->mutex);
+
+        sleep(interval);
+
+        if (!policies_checked) {
+            policies_checked = 1;
+        }
+    }
+
+    return 0;
+}
+
+int set_policies() {
+    int result_code = 0;
+    FILE *f_backup = NULL;
+    FILE *f_new = NULL;
+    char buffer[OS_MAXSTR];
+    char command[OS_SIZE_1024];
+    int retval = 1;
+    static const char *WPOL_FILE_SYSTEM_SUC = ",System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},,,1\n";
+    static const char *WPOL_HANDLE_SUC = ",System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},,,1\n";
+
+    if (!IsFile(WPOL_BACKUP_FILE) && remove(WPOL_BACKUP_FILE)) {
+        merror(FIM_ERROR_WPOL_BACKUP_FILE_REMOVE, WPOL_BACKUP_FILE, strerror(errno), errno);
+        goto end;
+    }
+
+    snprintf(command, OS_SIZE_1024, WPOL_BACKUP_COMMAND, WPOL_BACKUP_FILE);
+
+    // Get the current policies
+    int wm_exec_ret_code, i = 0;
+    int retries = 5;
+    int timeout = 5;
+    do {
+        wm_exec_ret_code = wm_exec(command, NULL, &result_code, timeout+i, NULL);
+        if (wm_exec_ret_code || result_code) {
+            retval = 2;
+            merror(FIM_AUDITPOL_ATTEMPT_FAIL, i+1);
+        } else {
+            retval = 1;
+        }
+        i++;
+    } while (i <= retries && (wm_exec_ret_code || result_code));
+
+    if (retval == 2) {
+        merror(FIM_WARN_WHODATA_AUTOCONF);
+        goto end;
+    }
+
+    if (f_backup = wfopen(WPOL_BACKUP_FILE, "r"), !f_backup) {
+        merror(FIM_ERROR_WPOL_BACKUP_FILE_OPEN, WPOL_BACKUP_FILE, strerror(errno), errno);
+        goto end;
+    }
+    if (f_new = wfopen(WPOL_NEW_FILE, "w"), !f_new) {
+        merror(FIM_ERROR_WPOL_BACKUP_FILE_OPEN, WPOL_NEW_FILE, strerror(errno), errno);
+        goto end;
+    }
+
+    // Copy the policies
+    while (fgets(buffer, OS_MAXSTR - 60, f_backup)) {
+        fprintf(f_new, buffer);
+    }
+
+    // Add the new policies
+    fprintf(f_new, WPOL_FILE_SYSTEM_SUC);
+    fprintf(f_new, WPOL_HANDLE_SUC);
+
+    fclose(f_new);
+
+    snprintf(command, OS_SIZE_1024, WPOL_RESTORE_COMMAND, WPOL_NEW_FILE);
+
+    // Set the new policies
+    i = 0;
+    do { 
+        wm_exec_ret_code = wm_exec(command, NULL, &result_code, timeout+i, NULL);
+        if (wm_exec_ret_code || result_code) {
+            retval = 2;
+            merror(FIM_AUDITPOL_ATTEMPT_FAIL, i+1);
+        } else {
+            retval = 1;
+        }
+        i++;
+    } while (i <= retries && (wm_exec_ret_code || result_code));
+
+    if (retval == 2) {
+        merror(FIM_WARN_WHODATA_AUTOCONF);
+        goto end;
+    }
+
+    retval = 0;
+    restore_policies = 1;
+end:
+    if (f_backup) {
+        fclose(f_backup);
+    }
+    return retval;
+}
+
+void set_subscription_query(wchar_t *query) {
+    snwprintf(query, OS_MAXSTR, L"Event[ System[band(Keywords, %llu)] " \
+                                    "and " \
+                                        "( " \
+                                            "( " \
+                                                "( " \
+                                                    "EventData/Data[@Name='ObjectType'] = 'File' " \
+                                                ") " \
+                                            "and " \
+                                                "( " \
+                                                    "(  " \
+                                                        "System/EventID = 4656 " \
+                                                    "or " \
+                                                        "System/EventID = 4663 " \
+                                                    ") " \
+                                                "and " \
+                                                    "( " \
+                                                        "EventData[band(Data[@Name='AccessMask'], %lu)] " \
+                                                    ") " \
+                                                ") " \
+                                            ") " \
+                                        "or " \
+                                            "( " \
+                                                "System/EventID = 4658 " \
+                                            ") " \
+                                        "or " \
+                                            "( " \
+                                                "System/EventID = 4719 " \
+                                                "and " \
+                                                    "( " \
+                                                        "EventData/Data[@Name='SubcategoryGuid'] = '{0CCE9223-69AE-11D9-BED3-505054503030}' " \
+                                                    "or " \
+                                                        "EventData/Data[@Name='SubcategoryGuid'] = '{0CCE921D-69AE-11D9-BED3-505054503030}' " \
+                                                    ") " \
+                                                "and " \
+                                                    "( " \
+                                                        "EventData/Data[@Name='AuditPolicyChanges'] = '%%%%8448'" \
+                                                    "or " \
+                                                        "EventData/Data[@Name='AuditPolicyChanges'] = '%%%%8448, %%%%8450'" \
+                                                    "or " \
+                                                        "EventData/Data[@Name='AuditPolicyChanges'] = '%%%%8448, %%%%8451'" \
+                                                    " )" \
+                                            ") " \
+                                        ") " \
+                                    "]",
+            AUDIT_SUCCESS, // Only successful events
+            criteria); // For 4663 and 4656 events need write, delete, change_attributes or change_permissions accesss
+}
+
+int check_object_sacl(char *obj, int is_file) {
+    HANDLE hdle = NULL;
+    PACL sacl = NULL;
+    int retval = 2;
+    PSECURITY_DESCRIPTOR security_descriptor = NULL;
+    long int result;
+    int privilege_enabled = 0;
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hdle)) {
+        merror(FIM_ERROR_SACL_OPENPROCESSTOKEN, GetLastError());
+        return retval;
+    }
+
+    if (set_privilege(hdle, priv, TRUE)) {
+        merror(FIM_ERROR_SACL_ELEVATE_PRIVILEGE, GetLastError());
+        goto end;
+    }
+
+    privilege_enabled = 1;
+    if (result = GetNamedSecurityInfo(obj, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &sacl, &security_descriptor), result != ERROR_SUCCESS) {
+        merror(FIM_ERROR_SACL_GETSECURITYINFO, result);
+        goto end;
+    }
+
+    retval = is_valid_sacl(sacl, is_file);
+
+end:
+    if (privilege_enabled) {
+        // Disable the privilege
+        if (set_privilege(hdle, priv, FALSE)) {
+            merror(FIM_ERROR_SACL_SET_PRIVILEGE, GetLastError());
+        }
+    }
+    if (hdle) {
+        CloseHandle(hdle);
+    }
+    if (security_descriptor) {
+        LocalFree((HLOCAL)security_descriptor);
+    }
+    if (sacl) {
+        LocalFree((HLOCAL)sacl);
+    }
+    return retval;
+}
+
+int whodata_hash_add(OSHash *table, char *id, void *data, char *tag) {
+    int result;
+
+    if (result = OSHash_Add_ex(table, id, data), result != 2) {
+        if (!result) {
+            merror(FIM_ERROR_WHODATA_EVENTADD, tag, id);
+        } else if (result == 1) {
+            mdebug2(FIM_ERROR_WHODATA_EVENTADD_DUP, tag, id);
+        }
+    }
+
+    return result;
+}
+
+void notify_SACL_change(char *dir) {
+    char msg_alert[OS_SIZE_1024 + 1];
+    snprintf(msg_alert, OS_SIZE_1024, "ossec: Audit: The SACL of '%s' has been modified and can no longer be scanned in whodata mode.", dir);
+    SendMSG(syscheck.queue, msg_alert, "syscheck", LOCALFILE_MQ);
+}
+
+int get_volume_names() {
+    char *convert_device;
+    char *convert_volume;
+    wchar_t device_name[MAX_PATH] = L"";
+    wchar_t volume_name[MAX_PATH] = L"";
+    HANDLE fh = INVALID_HANDLE_VALUE;
+    unsigned long char_count = 0;
+    size_t index = 0;
+    size_t success = -1;
+    size_t win_error = ERROR_SUCCESS;
+
+    // Enumerate all volumes in the system.
+    fh = FindFirstVolumeW(volume_name, ARRAYSIZE(volume_name));
+
+    if (fh == INVALID_HANDLE_VALUE) {
+        win_error = GetLastError();
+        mwarn("FindFirstVolumeW failed (%u)'%s'", win_error, strerror(win_error));
+        FindVolumeClose(fh);
+        return success;
+    }
+
+    os_calloc(MAX_PATH, sizeof(char), convert_volume);
+    os_calloc(MAX_PATH, sizeof(char), convert_device);
+
+    // The loop ends when there are no more volumes
+    while (1) {
+        //  Skip the \\?\ prefix and remove the trailing backslash.
+        index = wcslen(volume_name) - 1;
+
+        // Convert volume_name
+        wcstombs(convert_volume, volume_name, ARRAYSIZE(volume_name));
+
+        if (volume_name[0]     != L'\\' ||
+            volume_name[1]     != L'\\' ||
+            volume_name[2]     != L'?'  ||
+            volume_name[3]     != L'\\' ||
+            volume_name[index] != L'\\')
+        {
+            mwarn("Find Volume returned a bad path: %s", convert_volume);
+            break;
+        }
+
+        // QueryDosDeviceW does not allow a trailing backslash,
+        // so temporarily remove it.
+        volume_name[index] = '\0';
+        char_count = QueryDosDeviceW(&volume_name[4], device_name, ARRAYSIZE(device_name));
+        volume_name[index] = '\\';
+
+        if (char_count == 0) {
+            win_error = GetLastError();
+            mwarn("QueryDosDeviceW failed (%u)'%s'", win_error, strerror(win_error));
+            break;
+        }
+
+        // Convert device name
+        wcstombs(convert_device, device_name, ARRAYSIZE(device_name));
+        /* Add a backslash to the device name */
+        strncat(convert_device, "\\", MAX_PATH);
+        // Get all drive letters
+        get_drive_names(volume_name, convert_device);
+
+        // Move on to the next volume.
+        if (!FindNextVolumeW(fh, volume_name, ARRAYSIZE(volume_name))) {
+            win_error = GetLastError();
+
+            if (win_error != ERROR_NO_MORE_FILES) {
+                mwarn("FindNextVolumeW failed (%u)'%s'", win_error, strerror(win_error));
+                break;
+            }
+
+            // Finished iterating, through all the volumes.
+            success = 0;
+            break;
+        }
+
+    }
+
+    FindVolumeClose(fh);
+
+    os_free(convert_device);
+    os_free(convert_volume);
+
+    return success;
+}
+
+int get_drive_names(wchar_t *volume_name, char *device) {
+
+    wchar_t *names = NULL;
+    wchar_t *nameit = NULL;
+    unsigned long char_count = MAX_PATH + 1;
+    unsigned int device_it;
+    size_t success = -1;
+    size_t retval = -1;
+    unsigned int name_len = 0;
+
+    while (1) {
+        // Allocate a buffer to hold the paths.
+        os_calloc(char_count, sizeof(wchar_t), names);
+
+        // Obtain all of the paths for this volume.
+        success = GetVolumePathNamesForVolumeNameW(
+            volume_name, names, char_count, &char_count
+            );
+
+        if (success) {
+            break;
+        }
+
+        if (retval = GetLastError(), retval != ERROR_MORE_DATA) {
+            mwarn("GetVolumePathNamesForVolumeNameW (%u)'%s'", retval, strerror(retval));
+            break;
+        }
+
+        //  Try again with the new suggested size.
+        os_free(names);
+        names = NULL;
+    }
+
+    if (success) {
+        // Save information in FIM whodata structure
+        char convert_name[MAX_PATH] = "";
+        for (nameit = names; nameit[0] != L'\0'; nameit += name_len + 1) {
+            name_len = wcslen(nameit);
+            wcstombs(convert_name, nameit, name_len);
+            mdebug1(FIM_WHODATA_DEVICE_LETTER, device, convert_name);
+
+            if(syscheck.wdata.device) {
+                device_it = 0;
+
+                while(syscheck.wdata.device[device_it]) {
+                    device_it++;
+                }
+
+                os_realloc(syscheck.wdata.device,
+                        (device_it + 2) * sizeof(char*),
+                        syscheck.wdata.device);
+                os_strdup(device, syscheck.wdata.device[device_it]);
+                syscheck.wdata.device[device_it + 1] = NULL;
+
+                os_realloc(syscheck.wdata.drive,
+                        (device_it + 2) * sizeof(char*),
+                        syscheck.wdata.drive);
+                os_strdup(convert_name, syscheck.wdata.drive[device_it]);
+                syscheck.wdata.drive[device_it + 1] = NULL;
+
+            } else {
+                os_calloc(2, sizeof(char*), syscheck.wdata.device);
+                os_strdup(device, syscheck.wdata.device[0]);
+                syscheck.wdata.device[1] = NULL;
+
+                os_calloc(2, sizeof(char*), syscheck.wdata.drive);
+                os_strdup(convert_name, syscheck.wdata.drive[0]);
+                syscheck.wdata.drive[1] = NULL;
+            }
+        }
+    }
+    os_free(names);
+
+    return 0;
+}
+
+void replace_device_path(char **path) {
+    char *new_path;
+    unsigned int iterator = 0;
+
+    if (**path != '\\') {
+        return;
+    }
+
+    while (syscheck.wdata.device[iterator]) {
+        size_t dev_size = strlen(syscheck.wdata.device[iterator]);
+
+        mdebug2(FIM_WHODATA_DEVICE_PATH, syscheck.wdata.device[iterator], *path);
+
+        if (!strncmp(*path, syscheck.wdata.device[iterator], dev_size)) {
+            size_t new_path_size = strlen(syscheck.wdata.drive[iterator]) + (size_t) (*path - dev_size);
+
+            os_calloc(new_path_size + 1, sizeof(char), new_path);
+            snprintf(new_path, new_path_size, "%s%s", syscheck.wdata.drive[iterator], *path + dev_size);
+            mdebug2(FIM_WHODATA_DEVICE_REPLACE, *path, new_path);
+
+            os_free(*path);
+            *path = new_path;
+            break;
+        }
+
+        iterator++;
+    }
+
+}
+
+char *get_whodata_path(const short unsigned int *win_path) {
+    int count;
+    char *path = NULL;
+    int error = -1;
+
+    if (count = WideCharToMultiByte(CP_ACP, 0, win_path, -1, NULL, 0, NULL, NULL), count > 0) {
+        os_calloc(count + 1, sizeof(char), path);
+        if (count = WideCharToMultiByte(CP_ACP, 0, win_path, -1, path, count, NULL, NULL), count > 0) {
+            path[count] = '\0';
+        } else {
+            error = GetLastError();
+        }
+    } else {
+        error = GetLastError();
+    }
+
+    if (count <= 0) {
+        mdebug1(FIM_WHODATA_PATH_NOPROCCESED, error);
+        os_free(path);
+    }
+
+    return path;
+}
+
+int whodata_path_filter(char **path) {
+    if (check_removed_file(*path)) {
+        mdebug2(FIM_DISCARD_RECYCLEBIN, *path);
+        return 1;
+    }
+
+    return 0;
+}
+
+int whodata_check_arch() {
+    HKEY RegistryKey;
+    int retval = OS_INVALID;
+    char arch[64 + 1] = "";
+    long unsigned int data_size = 64;
+    unsigned int result;
+    const char *environment_key = "System\\CurrentControlSet\\Control\\Session Manager\\Environment";
+    const char *processor_arch = "PROCESSOR_ARCHITECTURE";
+
+    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, environment_key, 0, KEY_READ, &RegistryKey) != ERROR_SUCCESS) {
+        merror(SK_REG_OPEN, environment_key);
+        return OS_INVALID;
+    } else {
+        if (result = RegQueryValueEx(RegistryKey, TEXT(processor_arch), NULL, NULL, (LPBYTE)&arch, &data_size), result != ERROR_SUCCESS) {
+            merror(FIM_ERROR_WHODATA_WIN_ARCH, (unsigned int)result);
+        } else {
+
+            if (!strncmp(arch, "AMD64", 5) || !strncmp(arch, "IA64", 4) || !strncmp(arch, "ARM64", 5)) {
+                sys_64 = 1;
+                retval = 0;
+            } else if (!strncmp(arch, "x86", 3)) {
+                sys_64 = 0;
+                retval = 0;
+            }
+        }
+        RegCloseKey(RegistryKey);
+    }
+
+    return retval;
+}
+
+int w_update_sacl(const char *obj_path) {
+    SYSTEM_AUDIT_ACE *ace = NULL;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    HANDLE hdle = NULL;
+    PSECURITY_DESCRIPTOR security_descriptor = NULL;
+    PACL old_sacl = NULL;
+    PACL new_sacl = NULL;
+    long unsigned result;
+    unsigned long new_sacl_size;
+    int retval = OS_INVALID;
+    int privilege_enabled = 0;
+    ACL_SIZE_INFORMATION old_sacl_info;
+    PVOID entry_access_it = NULL;
+    unsigned int i;
+
+    if (!everyone_sid) {
+        if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid)) {
+            merror(FIM_ERROR_WHODATA_WIN_SIDERROR, GetLastError());
+            goto end;
+        }
+    }
+
+    if (!ev_sid_size) {
+        ev_sid_size = GetLengthSid(everyone_sid);
+    }
+
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hdle)) {
+        merror(FIM_ERROR_WHODATA_OPEN_TOKEN, GetLastError());
+        goto end;
+    }
+
+    if (set_privilege(hdle, priv, TRUE)) {
+        merror(FIM_ERROR_WHODATA_ACTIVATE_PRIV, GetLastError());
+        goto end;
+    }
+
+    privilege_enabled = 1;
+
+    if (result = GetNamedSecurityInfo(obj_path, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &old_sacl, &security_descriptor), result != ERROR_SUCCESS) {
+        merror(FIM_ERROR_WHODATA_GETNAMEDSECURITY, result);
+        goto end;
+    }
+
+    ZeroMemory(&old_sacl_info, sizeof(ACL_SIZE_INFORMATION));
+    // Get SACL size
+    if (old_sacl && !GetAclInformation(old_sacl, (LPVOID)&old_sacl_info, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) {
+        merror(FIM_ERROR_WHODATA_SACL_SIZE, obj_path);
+        goto end;
+    }
+
+    // Set the new ACL size
+    new_sacl_size = (old_sacl ? old_sacl_info.AclBytesInUse : sizeof(ACL)) + sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size;
+
+    if (new_sacl = (PACL)win_alloc(new_sacl_size), !new_sacl) {
+        merror(FIM_ERROR_WHODATA_SACL_MEMORY, obj_path);
+        goto end;
+    }
+
+    if (!InitializeAcl(new_sacl, new_sacl_size, ACL_REVISION)) {
+        merror(FIM_ERROR_WHODATA_SACL_NOCREATE, obj_path, GetLastError());
+        goto end;
+    }
+
+    if (ace = (SYSTEM_AUDIT_ACE *)win_alloc(sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(DWORD)), !ace) {
+        merror(FIM_ERROR_WHODATA_ACE_MEMORY, obj_path, GetLastError());
+        goto end;
+    }
+
+    ace->Header.AceType  = SYSTEM_AUDIT_ACE_TYPE;
+    ace->Header.AceFlags = FAILED_ACCESS_ACE_FLAG;
+    ace->Header.AceSize  = LOWORD(sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(DWORD));
+    ace->Mask            = 0;
+
+    if (!CopySid(ev_sid_size, &ace->SidStart, everyone_sid)) {
+        merror(FIM_ERROR_WHODATA_COPY_SID, obj_path, ev_sid_size, GetLastError());
+        goto end;
+    }
+
+    if (old_sacl) {
+        if (old_sacl_info.AceCount) {
+            for (i = 0; i < old_sacl_info.AceCount; i++) {
+               if (!GetAce(old_sacl, i, &entry_access_it)) {
+                   merror(FIM_ERROR_WHODATA_ACE_NOOBTAIN, i, obj_path);
+                   goto end;
+               }
+
+               if (!AddAce(new_sacl, ACL_REVISION, MAXDWORD, entry_access_it, ((PACE_HEADER)entry_access_it)->AceSize)) {
+                   merror(FIM_ERROR_WHODATA_ACE_NUMBER, i, obj_path);
+                   goto end;
+               }
+           }
+        }
+    }
+
+    // Add the new ACE
+    if (!AddAce(new_sacl, ACL_REVISION, 0, (LPVOID)ace, ace->Header.AceSize)) {
+        merror(FIM_ERROR_WHODATA_ACE_NOADDED, obj_path, GetLastError());
+        goto end;
+    }
+
+    if (result = SetNamedSecurityInfo((char *) obj_path, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, new_sacl), result != ERROR_SUCCESS) {
+        merror(FIM_ERROR_WHODATA_SETNAMEDSECURITY, result);
+        goto end;
+    }
+
+    retval = 0;
+end:
+    if (privilege_enabled && set_privilege(hdle, priv, FALSE)) {
+        merror(FIM_ERROR_WHODATA_ACTIVATE_PRIV, GetLastError());
+        goto end;
+    }
+
+    if (security_descriptor) {
+        LocalFree((HLOCAL)security_descriptor);
+    }
+
+    if (old_sacl) {
+        LocalFree((HLOCAL)old_sacl);
+    }
+
+    if (new_sacl) {
+        LocalFree((HLOCAL)new_sacl);
+    }
+
+    if (hdle) {
+        CloseHandle(hdle);
+    }
+
+    if (ace) {
+        LocalFree((HLOCAL)ace);
+    }
+
+    return retval;
+}
+
+#endif
diff --git a/src/modules/fim/tests/integration/conftest.py b/src/modules/fim/tests/integration/conftest.py
new file mode 100644
index 0000000000..6db5f01131
--- /dev/null
+++ b/src/modules/fim/tests/integration/conftest.py
@@ -0,0 +1,462 @@
+"""
+Copyright (C) 2015-2024, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+import os
+from time import sleep
+import distro
+import pytest
+import re
+import subprocess
+import sys
+from typing import List
+
+if sys.platform == 'win32':
+    import win32con
+
+from typing import Any
+from pathlib import Path
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import LINUX, WINDOWS, MACOS, CENTOS, UBUNTU, DEBIAN
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.fim.patterns import MONITORING_PATH, EVENT_TYPE_SCAN_END
+from wazuh_testing.modules.fim.utils import create_registry, delete_registry
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.tools.simulators.authd_simulator import AuthdSimulator
+from wazuh_testing.tools.simulators.remoted_simulator import RemotedSimulator
+from wazuh_testing.utils import configuration, file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.services import control_service
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([LINUX,
+                      WINDOWS,
+                      MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            file.truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            file.truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def file_to_monitor(test_metadata: dict) -> Any:
+    path = test_metadata.get('file_to_monitor')
+    path = os.path.abspath(path)
+    data = test_metadata.setdefault('content', '')
+    isBinary = test_metadata.setdefault('binary_content', False)
+
+    if isBinary:
+        data = data.encode('utf-8')
+
+    file.write_file(path, data)
+
+    yield path
+
+    file.remove_file(path)
+
+
+@pytest.fixture()
+def folder_to_monitor(test_metadata: dict) -> None:
+    path = test_metadata.get('folder_to_monitor')
+    path = os.path.abspath(path)
+
+    file.recursive_directory_creation(path)
+
+    yield path
+
+    file.delete_path_recursively(path)
+
+
+@pytest.fixture()
+def fill_folder_to_monitor(test_metadata: dict) -> None:
+    path = test_metadata.get('folder_to_monitor')
+    amount = test_metadata.get('files_amount')
+    amount = 2 if not amount else amount
+    max_retries = 3
+    retry_delay = 1
+
+    if not file.exists(path):
+        file.recursive_directory_creation(path)
+
+    [file.write_file(Path(path, f'test{i}.log'), 'content') for i in range(amount)]
+
+    yield
+
+    for i in range(amount):
+        retry_count = 0
+        while retry_count < max_retries:
+            try:
+                file.remove_file(Path(path, f'test{i}.log'))
+                break
+            except Exception as e:
+                print(f"Error deleting file {i}: {e}")
+                retry_count += 1
+                if retry_count == max_retries:
+                    print(f"Failed to delete file {i} after {max_retries} attempts.")
+                    break
+                else:
+                    print(f"Retrying in {retry_delay} seconds...")
+                    sleep(retry_delay)
+
+@pytest.fixture()
+def start_monitoring() -> None:
+    FileMonitor(WAZUH_LOG_PATH).start(generate_callback(MONITORING_PATH))
+
+
+@pytest.fixture(scope='module', autouse=True)
+def set_agent_config(request: pytest.FixtureRequest):
+    if not hasattr(request.module, 'test_configuration'):
+        return
+
+    configurations = getattr(request.module, 'test_configuration')
+    agent_conf = {"section": "client", "elements": [
+        {"server": {"elements": [
+            {"address": {"value": "127.0.0.1"}},
+            {"port": {"value": 1514}},
+            {"protocol": {"value": "tcp"}}]}}]}
+
+    for index, _ in enumerate(configurations):
+        configurations[index]['sections'].append(agent_conf)
+
+    request.module.test_configuration = configurations
+
+
+@pytest.fixture(scope='session', autouse=True)
+def install_audit():
+    """Automatically install auditd before test session on linux distros."""
+    if sys.platform == WINDOWS or sys.platform == MACOS:
+        return
+
+    # Check distro
+    linux_distro = distro.id()
+
+    if re.match(linux_distro, CENTOS):
+        package_management = "yum"
+        audit = "audit"
+        option = "--assumeyes"
+    elif re.match(linux_distro, UBUNTU) or re.match(linux_distro, DEBIAN):
+        package_management = "apt-get"
+        audit = "auditd"
+        option = "--yes"
+    else:
+        raise ValueError(
+            f"Linux distro ({linux_distro}) not supported for install audit")
+
+    subprocess.run([package_management, "install", audit, option], check=True)
+    subprocess.run(["service", "auditd", "start"], check=True)
+
+
+@pytest.fixture()
+def create_links_to_file(folder_to_monitor: str, file_to_monitor: str, test_metadata: dict) -> None:
+    hardlink_amount = test_metadata.get('hardlink_amount', 0)
+    symlink_amount = test_metadata.get('symlink_amount', 0)
+
+    def hardlink(i: int):
+        Path(folder_to_monitor, f'test_h{i}').symlink_to(file_to_monitor)
+
+    def symlink(i: int):
+        Path(folder_to_monitor, f'test_s{i}').hardlink_to(file_to_monitor)
+
+    [hardlink(i) for i in range(hardlink_amount)]
+    [symlink(i) for i in range(symlink_amount)]
+
+    yield
+
+    [file.remove_file(f'test_h{i}') for i in range(hardlink_amount)]
+    [file.remove_file(f'test_s{i}') for i in range(symlink_amount)]
+
+
+@pytest.fixture()
+def create_registry_key(test_metadata: dict) -> None:
+    key = win32con.HKEY_LOCAL_MACHINE
+    sub_key = test_metadata.get('sub_key')
+    arch = win32con.KEY_WOW64_64KEY if test_metadata.get('arch') == 'x64' else win32con.KEY_WOW64_32KEY
+
+    create_registry(key, sub_key, arch)
+
+    yield
+
+    delete_registry(key, sub_key, arch)
+
+
+@pytest.fixture()
+def detect_end_scan(test_metadata: dict) -> None:
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(timeout=60, callback=generate_callback(EVENT_TYPE_SCAN_END))
+    assert wazuh_log_monitor.callback_result
+
+
+@pytest.fixture()
+def create_paths_files(test_metadata: dict) -> str:
+    to_edit = test_metadata.get('path_or_files_to_create')
+
+    if not isinstance(to_edit, list):
+        raise TypeError(f"`files` should be a 'list', not a '{type(to_edit)}'")
+
+    created_files = []
+    for item in to_edit:
+        item_path = Path(item)
+        if item_path.exists():
+            raise FileExistsError(f"`{item_path}` already exists.")
+
+        # If file does not have suffixes, consider it a directory
+        if item_path.suffixes == []:
+            # Add a dummy file to the target directory to create the directory
+            created_files.extend(file.create_parent_directories(
+                Path(item_path).joinpath('dummy.file')))
+        else:
+            created_files.extend(file.create_parent_directories(item_path))
+
+            file.write_file(file_path=item_path, data='')
+            created_files.append(item_path)
+
+    yield to_edit
+
+    for item in to_edit:
+        item_path = Path(item)
+        file.delete_path_recursively(item_path)
+
+
+@pytest.fixture(autouse=True)
+def autostart_simulators(request: pytest.FixtureRequest) -> None:
+    """
+    Fixture for starting simulators in wazuh-agent executions.
+
+    This fixture starts both Authd and Remoted simulators, and when the test function is not already
+    using the simulator fixture, if it does use one of them, only start the remaining simulator.
+
+    This is required so all wazuh-agent instances are being tested with the wazuh-manager connection
+    being mocked.
+    """
+    create_authd = 'authd_simulator' not in request.fixturenames
+    create_remoted = 'remoted_simulator' not in request.fixturenames
+
+    authd = AuthdSimulator() if create_authd else None
+    remoted = RemotedSimulator() if create_remoted else None
+
+    authd.start() if create_authd else None
+    remoted.start() if create_remoted else None
+
+    yield
+
+    authd.shutdown() if create_authd else None
+    remoted.shutdown() if create_remoted else None
diff --git a/src/modules/fim/tests/integration/pytest.ini b/src/modules/fim/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/fim/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/fim/tests/integration/test_files/__init__.py b/src/modules/fim/tests/integration/test_files/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/__init__.py b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_ignore_works_over_restrict.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_ignore_works_over_restrict.yaml
new file mode 100644
index 0000000000..3fa0a60695
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_ignore_works_over_restrict.yaml
@@ -0,0 +1,36 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: 3
+        - directories:
+            value: TEST_DIR
+            attributes:
+              - restrict: RESTRICT
+              - whodata: WHODATA
+              - realtime: REALTIME
+        - ignore:
+            value: !!python/object/apply:os.path.join [/test_dir_1, testfile]
+        - ignore:
+            value: regex_testfile$
+            attributes:
+              - type: sregex
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_ambiguous_thread.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_ambiguous_thread.yaml
new file mode 100644
index 0000000000..6687449f2c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_ambiguous_thread.yaml
@@ -0,0 +1,30 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - directories:
+            value: TEST_DIR1
+            attributes:
+              - whodata: WHODATA1
+        - directories:
+            value: TEST_DIR2
+            attributes:
+              - whodata: WHODATA2
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_works_over_realtime.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_works_over_realtime.yaml
new file mode 100644
index 0000000000..cd311d79da
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_works_over_realtime.yaml
@@ -0,0 +1,27 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - directories:
+            value: TEST_DIR
+            attributes:
+              - whodata: WHODATA
+              - realtime: REALTIME
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_ignore_works_over_restrict.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_ignore_works_over_restrict.yaml
new file mode 100644
index 0000000000..b08060ffbd
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_ignore_works_over_restrict.yaml
@@ -0,0 +1,125 @@
+- name: ignore_file_pattern_over_restrict_regex_scheduled
+  description: Check ignore pattern is applied over restrict regex
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'no'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/testfile]
+    is_pattern: true
+    regex: .*?Ignoring path '(.*)' due to pattern '(.*)'.*
+    fim_mode: scheduled
+
+- name: ignore_file_pattern_over_restrict_regex_realtime
+  description: Check ignore pattern is applied over restrict regex
+  configuration_parameters:
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/testfile]
+    is_pattern: true
+    regex: .*?Ignoring path '(.*)' due to pattern '(.*)'.*
+    fim_mode: realtime
+
+- name: ignore_file_pattern_over_restrict_regex_whodata
+  description: Check ignore pattern is applied over restrict regex
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/testfile]
+    is_pattern: true
+    regex: .*?Ignoring path '(.*)' due to pattern '(.*)'.*
+    fim_mode: whodata
+
+- name: ignore_sregex_over_restrict_regex_different_regex_scheduled
+  description: Check ignore with sregex is applied over restrict regex - Regexes are different
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'no'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: scheduled
+
+- name: ignore_sregex_over_restrict_regex_different_regex_realtime
+  description: Check ignore with sregex is applied over restrict regex - Regexes are different
+  configuration_parameters:
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: realtime
+
+- name: ignore_sregex_over_restrict_regex_different_regex_whodata
+  description: Check ignore with sregex is applied over restrict regex - Regexes are different
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    RESTRICT: testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_1]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_1]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_1/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: whodata
+
+- name: ignore_sregex_over_restrict_regex_same_regex_scheduled
+  description: Check ignore with sregex is applied over restrict regex - Regexes are the same
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'no'
+    RESTRICT: regex_testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_2]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_2]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_2/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: scheduled
+
+- name: ignore_sregex_over_restrict_regex_same_regex_realtime
+  description: Check ignore with sregex is applied over restrict regex - Regexes are the same
+  configuration_parameters:
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    RESTRICT: regex_testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_2]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_2]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_2/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: realtime
+
+- name: ignore_sregex_over_restrict_regex_same_regex_whodata
+  description: Check ignore with sregex is applied over restrict regex - Regexes are the same
+  configuration_parameters:
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    RESTRICT: regex_testfile$
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir_2]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir_2]
+    file_to_monitor: !!python/object/apply:os.path.join [/test_dir_2/regex_testfile]
+    is_pattern: false
+    regex: .*?Ignoring path '(.*)' due to sregex '(.*)'.*
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_ambiguous_thread.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_ambiguous_thread.yaml
new file mode 100644
index 0000000000..0a8683f9b5
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_ambiguous_thread.yaml
@@ -0,0 +1,39 @@
+- name: whodata_thread_disabled
+  description: Check Whodata thread is disabled when last directory has it set to 'no'
+  configuration_parameters:
+    WHODATA1: 'yes'
+    WHODATA2: 'no'
+    TEST_DIR1: !!python/object/apply:os.path.join [/, test_dir_1]
+    TEST_DIR2: !!python/object/apply:os.path.join [/, test_dir_1]
+  metadata:
+    whodata: false
+
+- name: whodata_thread_enabled
+  description: Check Whodata thread is enabled when last directory has it set to 'yes'
+  configuration_parameters:
+    WHODATA1: 'no'
+    WHODATA2: 'yes'
+    TEST_DIR1: !!python/object/apply:os.path.join [/, test_dir_1]
+    TEST_DIR2: !!python/object/apply:os.path.join [/, test_dir_1]
+  metadata:
+    whodata: true
+
+- name: whodata_thread_enabled_different_dirs
+  description: Check Whodata thread is enabled when last directory has it set to 'yes'
+  configuration_parameters:
+    WHODATA1: 'no'
+    WHODATA2: 'yes'
+    TEST_DIR1: !!python/object/apply:os.path.join [/, test_dir_1]
+    TEST_DIR2: !!python/object/apply:os.path.join [/, test_dir_2]
+  metadata:
+    whodata: true
+
+- name: whodata_thread_enabled_different_dirs_inverted
+  description: Check Whodata thread is enabled when last directory has it set to 'yes'
+  configuration_parameters:
+    WHODATA1: 'yes'
+    WHODATA2: 'no'
+    TEST_DIR1: !!python/object/apply:os.path.join [/, test_dir_1]
+    TEST_DIR2: !!python/object/apply:os.path.join [/, test_dir_2]
+  metadata:
+    whodata: true
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_works_over_realtime.yaml b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_works_over_realtime.yaml
new file mode 100644
index 0000000000..1870e92cbb
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/data/test_cases/cases_whodata_works_over_realtime.yaml
@@ -0,0 +1,19 @@
+- name: whodata_thread_started_with_realtime_enabled
+  description: Check Whodata thread is enabled and is used with realtime enabled on same tag
+  configuration_parameters:
+    WHODATA: 'yes'
+    REALTIME: 'yes'
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join [/, test_dir, test_file.log]
+
+- name: whodata_thread_started_with_realtime_disabled
+  description: Check Whodata thread is enabled and is used with realtime disabled on same tag
+  configuration_parameters:
+    WHODATA: 'yes'
+    REALTIME: 'no'
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join [/, test_dir, test_file.log]
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py
new file mode 100644
index 0000000000..ef6d55d443
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py
@@ -0,0 +1,169 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. All these tests will be performed using ambiguous directory configurations,
+       such as directories and subdirectories with opposite monitoring settings. In particular, it
+       will be verified that the value of the 'ignore' attribute prevails over the 'restrict' one.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_ambiguous_complex
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-agentd
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_ambiguous_confs
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=2)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_ignore_works_over_restrict.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_ignore_works_over_restrict.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_ignore_works_over_restrict(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                                    truncate_monitored_files, folder_to_monitor, daemons_handler, file_to_monitor, start_monitoring):
+    '''
+    description: Check if the 'ignore' tag prevails over the 'restrict' one when using both in the same directory.
+                 For example, when a directory is ignored and at the same time monitoring is restricted to a file
+                 that is in that directory, no FIM events should be generated when that file is modified.
+                 For this purpose, the test case configuration is applied, and it is checked if FIM events
+                 are generated when required.
+
+    test_phases:
+        - setup:
+            - Set wazuh configuration and local_internal_options.
+            - Create custom folder and file for monitoring
+        - test:
+            - Create file and detect event creation event
+            - Validate ignored event is generated with matching regex
+        - teardown:
+            - Delete custom monitored folder
+            - Restore configuration
+            - Stop Wazuh
+            - Clean logs
+
+    wazuh_min_version: 4.2.0
+
+    tier: 2
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that when a directory is ignored, the 'restrict' attribute
+          is not taken into account to generate FIM events.
+
+    input_description: The file 'configuration_works_over_restrict.yaml' provides the configuration
+                       template.
+                       The file 'cases_ignore_works_over_restrict.yaml' provides the tes cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r".*Ignoring '.*?' '(.*?)' due to (sregex|pattern)? '.*?'" (When the FIM event should be ignored)
+
+    tags:
+        - fim
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=generate_callback(test_metadata['regex']))
+
+    assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_ambiguous_thread.py b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_ambiguous_thread.py
new file mode 100644
index 0000000000..16f6ada9a3
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_ambiguous_thread.py
@@ -0,0 +1,157 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the 'who-data' feature of the File Integrity Monitoring (FIM)
+       system works properly. 'who-data' information contains the user who made the changes
+       on the monitored files and also the program name or process used to carry them out.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
+       configured files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_ambiguous_complex
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_ambiguous_confs
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import REALTIME_WHODATA_ENGINE_STARTED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=2)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_whodata_ambiguous_thread.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_whodata_ambiguous_thread.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_whodata_ambiguous_thread(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                                  truncate_monitored_files, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon starts the 'whodata' thread when the configuration
+                 is ambiguous. For example, when using 'whodata' on the same directory using conflicting
+                 values ('yes' and 'no'). For this purpose, the configuration is applied and it checks
+                 that the last value detected for 'whodata' in the 'ossec.conf' file is the one used.
+
+    test_phases:
+        - setup:
+            - Set wazuh configuration and local_internal_options.
+            - Clean logs files and restart wazuh to apply the configuration.
+        - test:
+            - Detect if real-time whodata thread has been started
+        - teardown:
+            - Restore configuration
+            - Stop wazuh
+            - Clean logs
+
+    wazuh_min_version: 4.2.0
+
+    tier: 2
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that 'whodata' thread is started when the last 'whodata' value detected is set to 'yes'.
+        - Verify that 'whodata' thread is not started when the last 'whodata' value detected is set to 'no'.
+
+    input_description: Two test cases are contained in external YAML file (cases_whodata_ambiguous_thread.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor.
+
+    expected_output:
+        - r'File integrity monitoring real-time Whodata engine started'
+
+    tags:
+        - who_data
+    '''
+    monitor = FileMonitor(WAZUH_LOG_PATH)
+    monitor.start(callback=generate_callback(REALTIME_WHODATA_ENGINE_STARTED))
+
+    assert bool(monitor.callback_result) == test_metadata['whodata']
diff --git a/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_works_over_realtime.py b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_works_over_realtime.py
new file mode 100644
index 0000000000..4e7430e4e6
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ambiguous_confs/test_whodata_works_over_realtime.py
@@ -0,0 +1,185 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the 'who-data' feature of the File Integrity Monitoring (FIM) system
+       works properly. 'who-data' information contains the user who made the changes on the monitored
+       files and also the program name or process used to carry them out. In particular, it will be
+       verified that the value of the 'whodata' attribute prevails over the 'realtime' one.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_ambiguous_complex
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_ambiguous_confs
+'''
+import re
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=2)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_whodata_works_over_realtime.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_whodata_works_over_realtime.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_whodata_works_over_realtime(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                                     truncate_monitored_files, folder_to_monitor, daemons_handler, file_to_monitor):
+    '''
+    description: Check if when using the options who-data and real-time at the same time
+                 the value of 'whodata' is the one used. For example, when using 'whodata=yes'
+                 and 'realtime=no' on the same directory, real-time file monitoring
+                 will be enabled, as who-data requires it.
+                 For this purpose, the configuration is applied and it is verified that when
+                 'who-data' is set to 'yes', the 'realtime' value is not taken into account,
+                 enabling in this case the real-time file monitoring.
+
+    test_phases:
+        - setup:
+            - Set wazuh configuration and local_internal_options.
+            - Create custom folder for monitoring
+            - Clean logs files and restart wazuh to apply the configuration.
+        - test:
+            - Create file and detect event creation event
+            - Validate mode is whodata
+            - Delete file and detect event deletion event
+            - Validate mode is whodata
+        - teardown:
+            - Delete custom monitored folder
+            - Restore configuration
+            - Stop wazuh
+            - Clear logs
+
+    wazuh_min_version: 4.2.0
+
+    tier: 2
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+
+    assertions:
+        - Verify that real-time whodata thread active.
+
+    input_description: The file 'configuration_whodata_prevails_over_realtime.yaml' provides the configuration
+                       template.
+                       The file 'cases_whodata_prevails_over_realtime.yaml' provides the tes cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$'
+
+    tags:
+        - who_data
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    file_to_monitor = test_metadata.get('file_to_monitor')
+
+    # Write the file
+    file.write_file(file_to_monitor)
+    wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_ADDED))
+
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result
+
+    event_data = get_fim_event_data(callback_result)
+    assert event_data.get('mode') == 'whodata'
+
+    # Remove the file
+    file.remove_file(file_to_monitor)
+    wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_DELETED))
+
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result
+
+    event_data = get_fim_event_data(callback_result)
+    assert event_data.get('mode') == 'whodata'
diff --git a/src/modules/fim/tests/integration/test_files/test_audit/__init__.py b/src/modules/fim/tests/integration/test_files/test_audit/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_audit/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_audit/conftest.py b/src/modules/fim/tests/integration/test_files/test_audit/conftest.py
new file mode 100644
index 0000000000..8fd62223c9
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_audit/conftest.py
@@ -0,0 +1,36 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+import distro
+import re
+import pytest
+import subprocess
+
+from wazuh_testing.constants.platforms import CENTOS, UBUNTU, DEBIAN
+
+@pytest.fixture(scope='module')
+def uninstall_audit():
+    """Uninstall auditd before test and install after test"""
+
+    # Check distro
+    linux_distro = distro.id()
+
+    if re.match(linux_distro, CENTOS):
+        package_management = "yum"
+        audit = "audit"
+        option = "--assumeyes"
+    elif re.match(linux_distro, UBUNTU) or re.match(linux_distro, DEBIAN):
+        package_management = "apt-get"
+        audit = "auditd"
+        option = "--yes"
+    else:
+        raise ValueError(f"Linux distro ({linux_distro}) not supported for uninstall audit")
+
+    # Uninstall audit
+    subprocess.run([package_management, "remove", audit, option], check=True)
+
+    yield
+
+    # Install audit and start the service
+    subprocess.run([package_management, "install", audit, option], check=True)
+    subprocess.run(["service", "auditd", "start"], check=True)
diff --git a/src/modules/fim/tests/integration/test_files/test_audit/data/configuration_templates/configuration_remove_audit.yaml b/src/modules/fim/tests/integration/test_files/test_audit/data/configuration_templates/configuration_remove_audit.yaml
new file mode 100644
index 0000000000..f97bab03de
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_audit/data/configuration_templates/configuration_remove_audit.yaml
@@ -0,0 +1,26 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - directories:
+            value: /testdir1
+            attributes:
+              - whodata: WHODATA
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_audit/data/test_cases/cases_remove_audit.yaml b/src/modules/fim/tests/integration/test_files/test_audit/data/test_cases/cases_remove_audit.yaml
new file mode 100644
index 0000000000..0465303b2f
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_audit/data/test_cases/cases_remove_audit.yaml
@@ -0,0 +1,6 @@
+- name: Remove auditd - Whodata cannot start
+  description: When Auditd is removed, whodata thread cannot start and monitoring is done in realtime
+  configuration_parameters:
+    WHODATA: 'yes'
+  metadata:
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_audit/test_remove_audit.py b/src/modules/fim/tests/integration/test_files/test_audit/test_remove_audit.py
new file mode 100644
index 0000000000..e6bf744410
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_audit/test_remove_audit.py
@@ -0,0 +1,162 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the 'wazuh-syscheckd' and 'auditd' daemons work together properly.
+       In particular, it will be verified that when there is no 'auditd' package installed on
+       the system, the directories monitored with 'who-data' mode are monitored with 'realtime'.
+       The 'who-data' feature of the of the File Integrity Monitoring (FIM) system uses
+       the Linux Audit subsystem to get the information about who made the changes in a monitored directory.
+       These changes produce audit events that are processed by 'syscheck' and reported to the manager.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_audit
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_audit
+'''
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG
+from wazuh_testing.modules.fim.patterns import WHODATA_NOT_STARTED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_remove_audit.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_remove_audit.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2,AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_remove_audit(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                      uninstall_audit, truncate_monitored_files, daemons_handler):
+    '''
+    description: Check if FIM switches the monitoring mode of the testing directories from 'who-data'
+                 to 'realtime' when the 'auditd' package is not installed. For this purpose, the test
+                 will monitor several folders using 'whodata' and uninstall the 'authd' package.
+                 Once FIM starts, it will wait until the monitored directories using 'whodata'
+                 are monitored with 'realtime' verifying that the proper FIM events are generated.
+                 Finally, the test will install the 'auditd' package again.
+
+
+    test_phases:
+        - setup:
+            - Apply ossec.conf configuration changes according to the configuration template and use case.
+            - Apply custom settings in local_internal_options.conf.
+            - Remove auditd
+            - Truncate wazuh logs.
+            - Restart wazuh to apply configuration changes.
+        - test:
+            - Check that whodata cannot start and monitoring of configured folder is changed to realtime mode.
+        - teardown:
+            - Install auditd
+            - Restore initial configuration, both ossec.conf and local_internal_options.conf.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - uninstall_audit:
+            type: fixture
+            brief: Uninstall 'auditd' before the test and install it again after the test run.
+
+    assertions:
+        - Verify that FIM switches the monitoring mode of the testing directories from 'whodata' to 'realtime'
+          if the 'authd' package is not installed.
+
+    input_description: A test case is contained in external YAML file (configuration_remove_audit.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon
+                       and, it is combined with the testing directories to be monitored
+                       defined in this module.
+
+    expected_output:
+        - r'.*Who-data engine could not start. Switching who-data to real-time.'
+
+    tags:
+        - who_data
+    '''
+    monitor = FileMonitor(WAZUH_LOG_PATH)
+    monitor.start(callback=generate_callback(WHODATA_NOT_STARTED))
+
+    assert monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/__init__.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/conftest.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/conftest.py
new file mode 100644
index 0000000000..1b9e05fdfb
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/conftest.py
@@ -0,0 +1,30 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+
+
+@pytest.fixture()
+def path_to_edit(test_metadata: dict) -> str:
+    to_edit = test_metadata.get('path_to_edit')
+    is_directory = test_metadata.get('is_directory')
+
+    if is_directory:
+        file.recursive_directory_creation(to_edit)
+        file.write_file(Path(to_edit, 'newfile'), 'test')
+    else:
+        file.write_file(to_edit, 'test')
+
+    FileMonitor(WAZUH_LOG_PATH).start(generate_callback(EVENT_TYPE_ADDED))
+
+    yield to_edit
+
+    file.delete_path_recursively(to_edit)
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_basic.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_basic.yaml
new file mode 100644
index 0000000000..7e116bff77
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_basic.yaml
@@ -0,0 +1,28 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'no'
+    - frequency:
+        value: FREQUENCY
+    - directories:
+        value: TEST_DIR
+        attributes:
+        - check_all: 'yes'
+        - FIM_MODE
+    - windows_audit_interval:
+        value: 1
+  - section: sca
+    elements:
+    - enabled:
+        value: 'no'
+  - section: rootcheck
+    elements:
+    - disabled:
+        value: 'yes'
+  - section: wodle
+    attributes:
+      - name: 'syscollector'
+    elements:
+      - disabled:
+          value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_empty_directories_tag.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_empty_directories_tag.yaml
new file mode 100644
index 0000000000..769301ed10
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_empty_directories_tag.yaml
@@ -0,0 +1,25 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'no'
+    - frequency:
+        value: FREQUENCY
+    - directories:
+        value: ''
+        attributes:
+        - FIM_MODE
+  - section: sca
+    elements:
+    - enabled:
+        value: 'no'
+  - section: rootcheck
+    elements:
+    - disabled:
+        value: 'yes'
+  - section: wodle
+    attributes:
+      - name: 'syscollector'
+    elements:
+      - disabled:
+          value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_fim_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_fim_disabled.yaml
new file mode 100644
index 0000000000..e957a30f65
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/configuration_templates/configuration_fim_disabled.yaml
@@ -0,0 +1,25 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'yes'
+    - frequency:
+        value: FREQUENCY
+    - directories:
+        value: TEST_DIR
+        attributes:
+        - FIM_MODE
+  - section: sca
+    elements:
+    - enabled:
+        value: 'no'
+  - section: rootcheck
+    elements:
+    - disabled:
+        value: 'yes'
+  - section: wodle
+    attributes:
+      - name: 'syscollector'
+    elements:
+      - disabled:
+          value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_create_after_delete.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_create_after_delete.yaml
new file mode 100644
index 0000000000..18323470ac
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_create_after_delete.yaml
@@ -0,0 +1,32 @@
+- name: Create after delete - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile.log]
+    fim_mode: whodata
+
+- name: Create after delete - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile.log]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_directory.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_directory.yaml
new file mode 100644
index 0000000000..55d3675b94
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_directory.yaml
@@ -0,0 +1,32 @@
+- name: Delete folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, testfile.log]
+    fim_mode: realtime
+
+- name: Delete folder - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, testfile.log]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_hardlink_symlink.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_hardlink_symlink.yaml
new file mode 100644
index 0000000000..da90230721
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_hardlink_symlink.yaml
@@ -0,0 +1,74 @@
+- name: Delete hardlink symlink - One hardlink plus one symlink
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    hardlink_amount: 1
+    symlink_amount: 1
+
+- name: Delete hardlink symlink - One hardlink plus four symlink
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    hardlink_amount: 1
+    symlink_amount: 4
+
+- name: Delete hardlink symlink - Four hardlink plus one symlink
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    hardlink_amount: 4
+    symlink_amount: 1
+
+- name: Delete hardlink symlink - No hardlink plus one symlink
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    hardlink_amount: 0
+    symlink_amount: 1
+
+- name: Delete hardlink symlink - One hardlink plus no symlink
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    hardlink_amount: 1
+    symlink_amount: 0
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_multiple_files.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_multiple_files.yaml
new file mode 100644
index 0000000000..94c4337015
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_delete_multiple_files.yaml
@@ -0,0 +1,40 @@
+- name: Delete multiple files - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: realtime
+    files_amount: 4
+
+- name: Delete multiple files - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: scheduled
+    files_amount: 4
+
+- name: Delete multiple files - Who-data
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: whodata
+    files_amount: 4
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_empty_directories_tag.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_empty_directories_tag.yaml
new file mode 100644
index 0000000000..c92041300d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_empty_directories_tag.yaml
@@ -0,0 +1,20 @@
+- name: No directory tag - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    fim_mode: realtime
+
+- name: No directory tag - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_fim_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_fim_disabled.yaml
new file mode 100644
index 0000000000..41a3166d83
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_fim_disabled.yaml
@@ -0,0 +1,22 @@
+- name: FIM Disabled - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+
+- name: FIM Disabled - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_move.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_move.yaml
new file mode 100644
index 0000000000..e00025d402
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_move.yaml
@@ -0,0 +1,57 @@
+- name: Move file - Real-time
+  description: When a real-time monitored directory es moved
+               FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: No
+    fim_mode: realtime
+
+- name: Move file - Scheduled
+  description: When a scheduled monitored directory es moved
+               FIM raises a log in the next scan, in this case
+               the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: No
+    fim_mode: scheduled
+
+- name: Move folder - Real-time
+  description: When a real-time monitored directory es moved
+               FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: Yes
+    fim_mode: realtime
+
+- name: Move folder - Scheduled
+  description: When a scheduled monitored directory es moved
+               FIM raises a log in the next scan, in this case
+               the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: Yes
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_rename.yaml b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_rename.yaml
new file mode 100644
index 0000000000..73e99d78b7
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/data/test_cases/cases_rename.yaml
@@ -0,0 +1,57 @@
+- name: Rename directory - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: Yes
+    fim_mode: realtime
+
+- name: Rename directory - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: Yes
+    fim_mode: scheduled
+
+- name: Rename file - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: No
+    fim_mode: realtime
+
+- name: Rename file - Scheduled
+  description: When a scheduled monitored directory es deleted
+               or added FIM raises a log in the next scan, in
+               this case the scan are made every 3 secconds.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/, test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/, test_dir]
+    path_to_edit: !!python/object/apply:os.path.join [/, test_dir, path_to_edit]
+    is_directory: No
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_create_after_delete_dir.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_create_after_delete_dir.py
new file mode 100644
index 0000000000..89645e540b
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_create_after_delete_dir.py
@@ -0,0 +1,181 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import time
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, MONITORING_PATH
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_create_after_delete.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_create_after_delete(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, file_to_monitor, daemons_handler):
+    '''
+    description: Check if a monitored directory keeps reporting FIM events after deleting and creating it again.
+                 Under Windows systems, it verifies that the directory watcher is refreshed (checks the SACLs)
+                 after directory re-creation one second after. For this purpose, the test creates the testing
+                 directory to be monitored, checks that FIM events are generated, and then deletes it.
+                 Finally, it creates the directory again and verifies that the events are still generated correctly.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that FIM events are still generated when a monitored directory is deleted and created again.
+
+    input_description: The test cases are contained in external YAML file (cases_create_after_delete_dir.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*"type":"deleted".*'.
+        - r'.*"type":"added".*'
+
+    tags:
+        - scheduled
+        - realtime
+        - who_data
+    '''
+    if sys.platform == WINDOWS:
+        pytest.skip(reason="Unstable behavior when deleting monitored folder")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(generate_callback(MONITORING_PATH), timeout=60)
+    assert wazuh_log_monitor.callback_result
+
+    fim_mode = test_metadata.get('fim_mode')
+    folder_to_delete = test_metadata.get('folder_to_monitor')
+    filename = test_metadata.get('file_to_monitor')
+
+    file.delete_path_recursively(folder_to_delete)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED), timeout=60)
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
+
+    file.recursive_directory_creation(folder_to_delete)
+    time.sleep(2)
+    file.write_file(filename, 'content')
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=60)
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_directory.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_directory.py
new file mode 100644
index 0000000000..000f57b7aa
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_directory.py
@@ -0,0 +1,171 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_DELETED, EVENT_TYPE_MODIFIED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_delete_directory.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_delete_dir(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                    truncate_monitored_files, folder_to_monitor, file_to_monitor, daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects 'deleted' events from the files contained
+                 in a folder that is being deleted.
+                 For this purpose, the test will monitor a folder, create the testing files inside it,
+                 then, remove the monitored folder, and finally, the test verifies that the 'deleted'
+                 events have been generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that when a monitored folder is deleted, the files inside it
+          generate FIM events of the type 'deleted'.
+
+    input_description: The test cases are contained in external YAML file (cases_delete_directory.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    if sys.platform == WINDOWS:
+        pytest.skip(reason="Unstable behavior when deleting monitored folder")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+    folder_to_delete = test_metadata.get('folder_to_monitor')
+    filename = test_metadata.get('file_to_monitor')
+
+    file.write_file(filename, 'test')
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED))
+    assert wazuh_log_monitor.callback_result
+
+    file.delete_path_recursively(folder_to_delete)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_hardlink_symlink.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_hardlink_symlink.py
new file mode 100644
index 0000000000..8d799a1148
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_hardlink_symlink.py
@@ -0,0 +1,161 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import INODE_ENTRIES_PATH_COUNT
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_delete_hardlink_symlink.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_delete_hardlink_symlink(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                                 configure_local_internal_options, folder_to_monitor, create_links_to_file,
+                                 daemons_handler, start_monitoring):
+    '''
+    description: Check if FIM events contain the correct number of file paths when 'hard'
+                 and 'symbolic' links are used. For this purpose, the test will monitor
+                 a testing folder and create regular files, also 'symlink' and 'hard link'
+                 before the scan starts. Finally, it verifies in the generated FIM event
+                 that the correct inodes and file paths are detected.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - create_links_to_file:
+            type: str
+            brief: Create the required hardlinks and symlinks.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that when using hard and symbolic links, the FIM events contain
+          the number of inodes and paths to files consistent.
+
+    input_description: The test cases are contained in external YAML file (cases_delete_hardlink_symlink.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r".*Fim inode entries: '(d+)', path count: '(d+)'"
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    hardlink_amount = test_metadata.get('hardlink_amount')
+    symlink_amount = test_metadata.get('symlink_amount')
+
+    file.delete_files_in_folder(folder_to_monitor)
+    wazuh_log_monitor.start(generate_callback(INODE_ENTRIES_PATH_COUNT))
+    inode_entries, path_count = wazuh_log_monitor.callback_result
+
+    assert int(inode_entries) == 1 + hardlink_amount
+    assert int(path_count) == 1 + hardlink_amount + symlink_amount
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_multiple_files.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_multiple_files.py
new file mode 100644
index 0000000000..5f87d12f17
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_delete_multiple_files.py
@@ -0,0 +1,165 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_DELETED, INODE_ENTRIES_PATH_COUNT
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_delete_multiple_files.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_delete_multiple_files(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                               configure_local_internal_options, folder_to_monitor, fill_folder_to_monitor,
+                               daemons_handler, start_monitoring):
+    '''
+    description: Check if FIM events contain the correct number of file paths when a folder
+                 that contains multiple files is deleted. For this purpose, the test will monitor
+                 a testing folder and create multiple files before the scan starts. Finally, it
+                 verifies in the generated FIM event that the correct inodes and file paths
+                 are detected.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - fill_folder_to_monitor:
+            type: str
+            brief: Fill the monitored folder with test files.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify the FIM events contain the number of inodes and paths to files consistent.
+
+    input_description: The test cases are contained in external YAML file (cases_delete_hardlink_symlink.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r".*Fim inode entries: '(d+)', path count: '(d+)'"
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+    files_amount = test_metadata.get('files_amount')
+
+    file.delete_files_in_folder(folder_to_monitor)
+
+    # Assert
+    wazuh_log_monitor.start(generate_callback(INODE_ENTRIES_PATH_COUNT))
+    inode_entries, path_count = wazuh_log_monitor.callback_result
+    assert inode_entries == path_count
+    assert int(path_count) == files_amount
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_empty_directories_tag.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_empty_directories_tag.py
new file mode 100644
index 0000000000..cb8b029af5
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_empty_directories_tag.py
@@ -0,0 +1,144 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EMPTY_DIRECTORIES_TAG
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_empty_directories_tag.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_empty_directories_tag.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_empty_directories_tag(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                               truncate_monitored_files, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon shows a debug message when an empty 'directories' tag is found.
+                 For this purpose, the test uses a configuration without specifying the directory to monitor.
+                 It will then verify that the appropriate debug message is generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that the 'wazuh-syscheckd' daemon generates a debug log when
+          the 'directories' configuration tag is empty.
+
+    input_description: The test cases are contained in external YAML file (cases_empty_directories_tag.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_empty_directories_tag.yaml).
+
+    expected_output:
+        - r'.*Empty directories tag found in the configuration.*'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    # Arrange
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    # Assert
+    wazuh_log_monitor.start(generate_callback(EMPTY_DIRECTORIES_TAG))
+    assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_fim_disabled.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_fim_disabled.py
new file mode 100644
index 0000000000..44391e8096
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_fim_disabled.py
@@ -0,0 +1,145 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import SENDING_FIM_EVENT
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_fim_disabled.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_fim_disabled(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                      configure_local_internal_options, folder_to_monitor, daemons_handler):
+
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon generates FIM events when it is disabled
+                 in the main configuration file. For this purpose, the test will monitor a testing
+                 folder and finally verifies that no FIM events have been generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that when the 'wazuh-syscheckd' daemon is disabled, no FIM events are generated.
+
+    input_description: The test cases are contained in external YAML file (cases_fim_disabled.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - No FIM events should be generated.
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(generate_callback(SENDING_FIM_EVENT))
+    assert not wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_move.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_move.py
new file mode 100644
index 0000000000..f306f14c1c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_move.py
@@ -0,0 +1,168 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_move.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_move(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+              truncate_monitored_files, folder_to_monitor, daemons_handler, start_monitoring, path_to_edit, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted' events when moving a
+                 subdirectory or a file from a monitored folder to another one. For this purpose, the test
+                 will move a testing subfolder or file from the source directory to the target directory,
+                 then, it verifies that the expected FIM events have been generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+        - path_to_edit:
+            type: str
+            brief: Create the required directory or file to edit.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that FIM events of type 'added' and 'deleted' are generated
+          when subfolders or files are moved between monitored directories.
+
+    input_description: The test cases are contained in external YAML file (cases_move.yaml) which includes
+                       configuration parameters for the 'wazuh-syscheckd' daemon and testing directories
+                       to monitor. The configuration template is contained in another external YAML file
+                       (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*"type":"deleted".*'.
+        - r'.*"type":"added".*'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+
+    # Assert
+    file.move(path_to_edit, Path(folder_to_monitor, 'test'))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_basic_usage/test_rename.py b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_rename.py
new file mode 100644
index 0000000000..36758feec4
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_basic_usage/test_rename.py
@@ -0,0 +1,163 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_rename.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_rename(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                truncate_monitored_files, folder_to_monitor, daemons_handler, start_monitoring, path_to_edit):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted' events when renaming a
+                 subdirectory or a file. For this purpose, the test will rename a testing subfolder or file
+                 then, it verifies that the expected FIM events have been generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - path_to_edit:
+            type: str
+            brief: Create the required directory or file to edit.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that FIM events of type 'added' and 'deleted' are generated
+          when subfolders or files are renamed.
+
+    input_description: The test cases are contained in external YAML file (cases_rename.yaml) which includes
+                       configuration parameters for the 'wazuh-syscheckd' daemon and testing directories
+                       to monitor. The configuration template is contained in another external YAML file
+                       (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*"type":"deleted".*'.
+        - r'.*"type":"added".*'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+
+    file.rename(path_to_edit, Path(folder_to_monitor, 'test'))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_checkers/__init__.py b/src/modules/fim/tests/integration/test_files/test_checkers/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_checkers/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_checkers/data/configuration_templates/configuration_basic.yaml b/src/modules/fim/tests/integration/test_files/test_checkers/data/configuration_templates/configuration_basic.yaml
new file mode 100644
index 0000000000..aab4701e1a
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_checkers/data/configuration_templates/configuration_basic.yaml
@@ -0,0 +1,22 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: "no"
+        - frequency:
+            value: FREQUENCY
+        - directories:
+            value: TEST_DIR
+            attributes: ATTRIBUTES
+    - section: sca
+      elements:
+        - enabled:
+            value: "no"
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: "yes"
+    - section: active-response
+      elements:
+        - disabled:
+            value: "yes"
diff --git a/src/modules/fim/tests/integration/test_files/test_checkers/data/test_cases/cases_checkers.yaml b/src/modules/fim/tests/integration/test_files/test_checkers/data/test_cases/cases_checkers.yaml
new file mode 100644
index 0000000000..e3977a4caf
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_checkers/data/test_cases/cases_checkers.yaml
@@ -0,0 +1,548 @@
+- name: Check None - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks: []
+
+- name: Check All - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_mtime - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+      - check_mtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_size - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+      - check_size: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha256sum - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+      - check_sha256sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_md5sum - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+      - check_md5sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_sha1'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha1sum - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - check_all: 'yes'
+      - check_sha1sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: whodata
+    checks:
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check None - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks: []
+
+- name: Check All - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_mtime - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+      - check_mtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_size - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+      - check_size: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha256sum - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+      - check_sha256sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_md5sum - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+      - check_md5sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_sha1'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha1sum - Scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    ATTRIBUTES:
+      - realtime: 'no'
+      - check_all: 'yes'
+      - check_sha1sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: scheduled
+    checks:
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check None - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks: []
+
+- name: Check All - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_mtime - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+      - check_mtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_size - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+      - check_size: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha256sum - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+      - check_sha256sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_sha1'
+      - 'hash_md5'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_md5sum - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+      - check_md5sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_sha1'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
+
+- name: Check All but check_sha1sum - Real-Time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - check_all: 'yes'
+      - check_sha1sum: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    file_to_monitor:  !!python/object/apply:os.path.join [/test_dir, testfile.log]
+    fim_mode: realtime
+    checks:
+      - 'hash_md5'
+      - 'hash_sha256'
+      - 'size'
+      - 'uid'
+      - 'user_name'
+      - 'gid'
+      - 'group_name'
+      - 'perm'
+      - 'mtime'
+      - 'inode'
+      - 'type'
+      - 'checksum'
diff --git a/src/modules/fim/tests/integration/test_files/test_checkers/test_checkers.py b/src/modules/fim/tests/integration/test_files/test_checkers/test_checkers.py
new file mode 100644
index 0000000000..89a5109b87
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_checkers/test_checkers.py
@@ -0,0 +1,189 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import time
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, EVENT_TYPE_MODIFIED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim import configuration
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_checkers.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {configuration.SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+base_checks = [configuration.ATTR_CHECKSUM, configuration.ATTR_TYPE]
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_checkers(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                  truncate_monitored_files, folder_to_monitor, file_to_monitor, daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the 'check_' specified in
+                 the configuration. These checks are attributes indicating that a monitored directory entry has
+                 been modified. For example, if 'check_all=yes' and 'check_perm=no' are set for the same entry,
+                 'syscheck' must send an event containing every possible 'check_' except the perms.
+                 For this purpose, the test will monitor a directory using the 'check_all' attribute in
+                 conjunction with one or more 'check_' on the same directory, having 'check_all' to 'yes' and the other
+                 one to 'no'. Then it will make directory operations inside it, and finally, the test
+                 will verify that the FIM events generated contain only the fields of the 'checks' specified for
+                 the monitored keys/values.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that the FIM events generated contains the 'check_' fields specified in the configuration.
+
+    input_description: The test cases are contained in external YAML file (cases_checkers.yaml) which includes
+                       configuration parameters for the 'wazuh-syscheckd' daemon and testing directories to monitor.
+                       The configuration template is contained in another external YAML file
+                       (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
+
+    tags:
+        - scheduled
+        - realtime
+        - who_data
+    '''
+    monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+    checks = set(test_metadata.get('checks'))
+
+    # Update
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(file_to_monitor, "update")
+    monitor.start(generate_callback(EVENT_TYPE_MODIFIED))
+    if not checks:
+        assert not monitor.callback_result
+        checks.update(configuration.ATTR_BASE)
+    else:
+        fim_data = get_fim_event_data(monitor.callback_result)
+        assert fim_data['mode'] == fim_mode
+        assert set(fim_data['attributes'].keys()) == checks
+        time.sleep(0.1)
+
+    # Delete
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.remove_file(file_to_monitor)
+    monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    fim_data = get_fim_event_data(monitor.callback_result)
+    assert fim_data['mode'] == fim_mode
+    assert set(fim_data['attributes'].keys()) == checks
+
+    # Create
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(file_to_monitor)
+    monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    fim_data = get_fim_event_data(monitor.callback_result)
+    assert fim_data['mode'] == fim_mode
+    assert set(fim_data['attributes'].keys()) == checks
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/__init__.py b/src/modules/fim/tests/integration/test_files/test_file_limit/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/data/configuration_templates/configuration_basic.yaml b/src/modules/fim/tests/integration/test_files/test_file_limit/data/configuration_templates/configuration_basic.yaml
new file mode 100644
index 0000000000..449d02b500
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/data/configuration_templates/configuration_basic.yaml
@@ -0,0 +1,24 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: "no"
+        - frequency:
+            value: FREQUENCY
+        - directories:
+            value: TEST_DIR
+            attributes:
+              - FIM_MODE
+        - file_limit: FILE_LIMIT
+    - section: sca
+      elements:
+        - enabled:
+            value: "no"
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: "yes"
+    - section: active-response
+      elements:
+        - disabled:
+            value: "yes"
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_fill_capacity.yaml b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_fill_capacity.yaml
new file mode 100644
index 0000000000..dfc70c2035
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_fill_capacity.yaml
@@ -0,0 +1,627 @@
+- name: Default file limit fill 10% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 10000
+    fill_percentage: 10
+    fim_mode: realtime
+
+
+
+- name: Default file limit fill 100% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 100000
+    fill_percentage: 100
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 50% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 50
+    fill_percentage: 50
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 79% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 79
+    fill_percentage: 79
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 80% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 80
+    fill_percentage: 80
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 85% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 85
+    fill_percentage: 80
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 90% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 90
+    fill_percentage: 90
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 99% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 99
+    fill_percentage: 90
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 100% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 100
+    fill_percentage: 100
+    fim_mode: realtime
+
+- name: Max file limit of 100 fill 120% - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 120
+    fill_percentage: 100
+    fim_mode: realtime
+
+- name: Default file limit fill 10% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 10000
+    fill_percentage: 10
+    fim_mode: whodata
+
+- name: Default file limit fill 100% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 100000
+    fill_percentage: 100
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 50% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 50
+    fill_percentage: 50
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 79% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 79
+    fill_percentage: 79
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 80% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 80
+    fill_percentage: 80
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 85% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 85
+    fill_percentage: 80
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 90% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 90
+    fill_percentage: 90
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 99% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 99
+    fill_percentage: 90
+    fim_mode: whodata
+
+- name: Max file limit of 100 fill 100% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 100
+    fill_percentage: 100
+    fim_mode: whodata
+
+- name: Default file limit fill 10% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 10000
+    fill_percentage: 10
+    fim_mode: scheduled
+
+- name: Default file limit fill 100% - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100000
+    files_amount: 100000
+    fill_percentage: 100
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 50% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 50
+    fill_percentage: 50
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 79% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 79
+    fill_percentage: 79
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 80% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 80
+    fill_percentage: 80
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 85% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 85
+    fill_percentage: 80
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 90% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 90
+    fill_percentage: 90
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 99% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 99
+    fill_percentage: 90
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 100% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 100
+    fill_percentage: 100
+    fim_mode: scheduled
+
+- name: Max file limit of 100 fill 120% - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 100
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    max_files_entries: 100
+    files_amount: 120
+    fill_percentage: 100
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_full_capacity_create_delete.yaml b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_full_capacity_create_delete.yaml
new file mode 100644
index 0000000000..027a4bf94c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_full_capacity_create_delete.yaml
@@ -0,0 +1,59 @@
+- name: Delete and create at full capacity - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: realtime
+
+- name: Delete and create at full capacity - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: whodata
+
+- name: Delete and create at full capacity - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'yes'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_limit_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_limit_disabled.yaml
new file mode 100644
index 0000000000..ae5b387ada
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/data/test_cases/cases_limit_disabled.yaml
@@ -0,0 +1,59 @@
+- name: No limit capacity - Real-time
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'no'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: realtime
+
+- name: No limit capacity - Who-data
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'no'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: whodata
+
+- name: No limit capacity - Scheduled
+  description: ''
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+    FILE_LIMIT:
+        elements:
+          - enabled:
+              value: 'no'
+          - entries:
+              value: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    files_amount: 10
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/test_fill_capacity.py b/src/modules/fim/tests/integration/test_files/test_file_limit/test_fill_capacity.py
new file mode 100644
index 0000000000..39afdccab3
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/test_fill_capacity.py
@@ -0,0 +1,178 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_LIMIT_PERCENTAGE, INODE_ENTRIES_PATH_COUNT, FILE_LIMIT_AMOUNT, FILE_ENTRIES_PATH_COUNT
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_fill_capacity.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_fill_capacity(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                       configure_local_internal_options, folder_to_monitor, fill_folder_to_monitor,
+                       daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon generates events for different capacity thresholds limits.
+                 For this purpose, the test will monitor a directory in which several testing files will be created,
+                 corresponding to different percentages of the total file limit. Then, it will check if FIM events
+                 are generated when the files amount exceeds 80% of the total. Finally, the test will verify that
+                 on the FIM event, inodes and monitored files number match.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - fill_folder_to_monitor:
+            type: str
+            brief: Fill the monitored folder with test files.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that FIM events are generated when the number of files to be monitored
+          exceeds the established threshold and vice versa.
+        - Verify that the FIM events contain the same number of inodes and files in the monitored directory.
+
+    input_description: The test cases are contained in external YAML file (cases_fill_capacity.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r".*Fim inode entries: '(d+)', path count: '(d+)'"
+        - r".*Maximum number of files to be monitored: '(d+)'"
+        - r'.*File database is (d+)% full.'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    files_amount = test_metadata.get('files_amount')
+    fill_percentage = test_metadata.get('fill_percentage')
+    max_entries = test_metadata.get('max_files_entries')
+
+    log_monitor.start(generate_callback(FILE_LIMIT_AMOUNT), timeout=60)
+    assert int(log_monitor.callback_result[0]) == max_entries
+
+    files_amount = files_amount if files_amount <= max_entries else max_entries
+    if sys.platform == WINDOWS:
+        log_monitor.start(generate_callback(FILE_ENTRIES_PATH_COUNT), timeout=300)
+    else:
+        log_monitor.start(generate_callback(INODE_ENTRIES_PATH_COUNT), timeout=60)
+
+    assert int(log_monitor.callback_result[0]) == files_amount
+
+    log_monitor.start(generate_callback(FILE_LIMIT_PERCENTAGE), timeout=60)
+    if fill_percentage >= 80:
+        assert int(log_monitor.callback_result[0]) == fill_percentage
+    else:
+        assert not log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/test_full_capacity_create_delete.py b/src/modules/fim/tests/integration/test_files/test_file_limit/test_full_capacity_create_delete.py
new file mode 100644
index 0000000000..6d06ee5c3a
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/test_full_capacity_create_delete.py
@@ -0,0 +1,180 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_full_capacity_create_delete.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS:
+    local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_full_capacity_create_delete(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                                     configure_local_internal_options, folder_to_monitor, fill_folder_to_monitor,
+                                     daemons_handler, start_monitoring):
+    '''
+    description: Check if a testing file is not inserted in the FIM database when the maximum monitored
+                 files limit has already been reached, and if the FIM event 'delete' is generated when
+                 an already monitored file is deleted. For this purpose, the test will monitor a directory
+                 and fill it with several test files until the maximum limit of monitored files is reached.
+                 Then, it will create a testfile and wait for no FIM events to be generated. Finally,
+                 it will delete the already monitored files and verify the 'deleted' FIM event is raised.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - fill_folder_to_monitor:
+            type: str
+            brief: Fill the monitored folder with test files.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that the FIM database is in 'full database alert' mode
+          when the maximum number of files to monitor has been reached.
+        - Verify that proper FIM events are generated while the database is in 'full database alert' mode.
+
+    input_description: The test cases are contained in external YAML file (cases_full_capacity_create_delete.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*"type":"added".*'
+        - r'.*"type":"deleted".*'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    fim_mode = test_metadata.get('fim_mode')
+
+    # Create and delete at full capacity.
+    file.write_file(Path(folder_to_monitor, f'test66.log'))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert not wazuh_log_monitor.callback_result
+
+    file.remove_file(Path(folder_to_monitor, f'test66.log'))
+    assert not wazuh_log_monitor.callback_result
+
+    # Create after free some capacity
+    file.delete_files_in_folder(folder_to_monitor)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
+
+    file.write_file(Path(folder_to_monitor, f'test66.log'))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == fim_mode
diff --git a/src/modules/fim/tests/integration/test_files/test_file_limit/test_limit_disabled.py b/src/modules/fim/tests/integration/test_files/test_file_limit/test_limit_disabled.py
new file mode 100644
index 0000000000..0748ddc8de
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_file_limit/test_limit_disabled.py
@@ -0,0 +1,151 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_LIMIT_DISABLED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_limit_disabled.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_limit_disabled(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                        configure_local_internal_options, folder_to_monitor, daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled.
+                 For this purpose, the test will monitor a testing directory, and finally, it will verify
+                 that the FIM event 'no limit' is generated.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify the FIM event 'no limit' is generated when the 'file_limit' feature is disabled.
+
+    input_description: The test cases are contained in external YAML file (cases_limit_disabled.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*No limit set to maximum number of file entries to be monitored'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(generate_callback(FILE_LIMIT_DISABLED))
+    assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/__init__.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/conftest.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/conftest.py
new file mode 100644
index 0000000000..6990956d22
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/conftest.py
@@ -0,0 +1,53 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.utils import file
+
+
+@pytest.fixture()
+def symlink_target(test_metadata: dict) -> str:
+    path = test_metadata.get('symlink_target')
+    if file.exists(path):
+        file.remove_file(path)
+
+    if not '.' in path:
+        file.recursive_directory_creation(path)
+    else:
+        file.write_file(path)
+
+    yield Path(path)
+
+    file.remove_file(path)
+
+
+@pytest.fixture()
+def symlink(symlink_target: Path, test_metadata: dict) -> str:
+    symlink_path = test_metadata.get('symlink')
+    if file.exists(symlink_path):
+        file.remove_file(symlink_path)
+
+    Path(symlink_path).symlink_to(symlink_target)
+
+    yield Path(symlink_path)
+
+    file.remove_file(symlink_path)
+
+
+@pytest.fixture()
+def symlink_new_target(test_metadata: dict) -> Path:
+    path = test_metadata.get('symlink_new_target')
+    if file.exists(path):
+        file.remove_file(path)
+
+    if not '\\.' in path:
+        file.recursive_directory_creation(path)
+    else:
+        file.write_file(path)
+
+    yield Path(path)
+
+    file.remove_file(path)
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_basic.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_basic.yaml
new file mode 100644
index 0000000000..0e46472b0d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_basic.yaml
@@ -0,0 +1,26 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'no'
+    - frequency:
+        value: FREQUENCY
+    - directories:
+        value: TEST_DIR
+        attributes:
+        - FIM_MODE
+        - follow_symbolic_link: 'yes'
+  - section: sca
+    elements:
+    - enabled:
+        value: 'no'
+  - section: rootcheck
+    elements:
+    - disabled:
+        value: 'yes'
+  - section: wodle
+    attributes:
+      - name: 'syscollector'
+    elements:
+      - disabled:
+          value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_disabled.yaml
new file mode 100644
index 0000000000..97f8305850
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/configuration_templates/configuration_disabled.yaml
@@ -0,0 +1,26 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'no'
+    - frequency:
+        value: FREQUENCY
+    - directories:
+        value: TEST_DIR
+        attributes:
+        - follow_symbolic_link: 'no'
+        - FIM_MODE
+  - section: sca
+    elements:
+    - enabled:
+        value: 'no'
+  - section: rootcheck
+    elements:
+    - disabled:
+        value: 'yes'
+  - section: wodle
+    attributes:
+      - name: 'syscollector'
+    elements:
+      - disabled:
+          value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_audit_rules_with_symlink.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_audit_rules_with_symlink.yaml
new file mode 100644
index 0000000000..36873cf1d2
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_audit_rules_with_symlink.yaml
@@ -0,0 +1,89 @@
+- name: Audit rule is deleted when symlink is moved inside the monitored folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_dir, test_path]
+    fim_mode: realtime
+
+- name: Audit rule is deleted when symlink is moved outside the monitored folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_path]
+    fim_mode: realtime
+
+- name: Audit rule is deleted when symlink is moved inside the monitored folder - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_dir, test_path]
+    fim_mode: whodata
+
+- name: Audit rule is deleted when symlink is moved outside the monitored folder - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_path]
+    fim_mode: whodata
+
+- name: Audit rule is deleted when symlink is moved inside the monitored folder - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_dir, test_path]
+    fim_mode: scheduled
+
+- name: Audit rule is deleted when symlink is moved outside the monitored folder - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/test_dir]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/test_dir]
+    symlink:  !!python/object/apply:os.path.join [/test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/test_dir]
+    symlink_new_target:  !!python/object/apply:os.path.join [/test_path]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_change_target.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_change_target.yaml
new file mode 100644
index 0000000000..0337919101
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_change_target.yaml
@@ -0,0 +1,108 @@
+- name: Change symlink target - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: realtime
+
+- name: Change symlink target in nested folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target, new_target]
+    fim_mode: realtime
+
+- name: Change symlink target - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+      # whodata: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: whodata
+
+- name: Change symlink target in nested folder - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target, new_target]
+    fim_mode: whodata
+
+- name: Change symlink target - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: scheduled
+
+- name: Change symlink target in nested folder - scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target, new_target]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_cud.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_cud.yaml
new file mode 100644
index 0000000000..3c790ad26b
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_cud.yaml
@@ -0,0 +1,96 @@
+- name: Create update delete - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: realtime
+
+- name: Create update delete in nested folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: realtime
+
+- name: Create update delete - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+      # whodata: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: whodata
+
+- name: Create update delete in nested folder - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: whodata
+
+- name: Create update delete - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: scheduled
+
+- name: Create update delete in nested folder - scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], target]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_disabled.yaml
new file mode 100644
index 0000000000..032aa7e4e0
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_disabled.yaml
@@ -0,0 +1,119 @@
+- name: Symlink follow disabled - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, new_target]
+    fim_mode: realtime
+
+- name: Symlink follow disabled - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: realtime
+
+- name: Symlink follow disabled - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, new_target]
+    fim_mode: whodata
+
+- name: Symlink follow disabled - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: whodata
+
+- name: Symlink follow disabled - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, new_target]
+    fim_mode: scheduled
+
+- name: Symlink follow disabled - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+          args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, symlink]
+    symlink_target:  !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    symlink_new_target: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], new_target]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_new_target_populated.yaml b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_new_target_populated.yaml
new file mode 100644
index 0000000000..a1ed5a86a6
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/data/test_cases/cases_new_target_populated.yaml
@@ -0,0 +1,96 @@
+- name: New target is populated - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/new_target]
+    fim_mode: realtime
+
+- name: New target is populated in nested folder - Real-time
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/target, new_target]
+    fim_mode: realtime
+
+- name: New target is populated - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      realtime: 'yes'
+      # whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/new_target]
+    fim_mode: whodata
+
+- name: New target is populated in nested folder - Who-data
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 43200 # As default 12 hs
+    FIM_MODE:
+      whodata: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/target, new_target]
+    fim_mode: whodata
+
+- name: New target is populated - Schedule
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/new_target]
+    fim_mode: scheduled
+
+- name: New target is populated in nested folder - scheduled
+  description: When a real-time monitored directory es deleted
+               or added FIM inmediately raises a log.
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/symlink]
+    FREQUENCY: 3
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/new_target]
+    files_amount: 4
+    symlink:  !!python/object/apply:os.path.join [/symlink]
+    symlink_target:  !!python/object/apply:os.path.join [/target]
+    symlink_new_target:  !!python/object/apply:os.path.join [/target, new_target]
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_audit_rules_with_symlink.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_audit_rules_with_symlink.py
new file mode 100644
index 0000000000..f06761b62e
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_audit_rules_with_symlink.py
@@ -0,0 +1,172 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import AUDIT_RULES_RELOADED, EVENT_TYPE_MODIFIED, LINKS_SCAN_FINALIZED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYMLINK_SCAN_INTERVAL, SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file, commands
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_audit_rules_with_symlink.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0, SYMLINK_SCAN_INTERVAL: 2}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_audit_rules_with_symlink(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                                  configure_local_internal_options, folder_to_monitor, symlink, symlink_new_target,
+                                  daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon removes the 'audit' rules when the target of
+                 a monitored symlink is changed. For this purpose, the test will monitor a 'symbolic link'
+                 pointing to a directory. Once FIM starts, it will create and expect events inside the
+                 pointed folder. After the events are processed, the test will change the target of the
+                 link to another folder and wait until the thread that checks the 'symbolic links' updates
+                 the link's target. Finally, it will generate some events inside the new target and verify
+                 that the audit rule of the previous target folder has been removed (via 'auditctl -l').
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - symlink:
+            type: str
+            brief: Create the required symlink.
+        - symlink_new_target:
+            type: str
+            brief: Create the directory/file that will be the new symlink`s target.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that FIM automatically removes the 'audit' rule from the target of a monitored 'symbolic link'
+          when the target of that link is replaced.
+
+    input_description: The test cases are contained in external YAML file (cases_delete_hardlink_symlink.yaml)
+                       which includes configuration parameters for the 'wazuh-syscheckd' daemon and testing
+                       directories to monitor. The configuration template is contained in another external YAML
+                       file (configuration_basic.yaml).
+
+    expected_output:
+        - r'.*Links check finalized.*'
+        - r'.*Audit rules reloaded\. Rules loaded: (.+)'
+        - r'.*"type":"modified".*'
+
+    tags:
+        - scheduled
+        - realtime
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    testfile_name = 'testie.txt'
+
+    file.modify_symlink_target(symlink_new_target, symlink)
+    file.write_file(symlink_new_target.joinpath(testfile_name))
+
+    wazuh_log_monitor.start(generate_callback(LINKS_SCAN_FINALIZED))
+    assert wazuh_log_monitor.callback_result
+    wazuh_log_monitor.start(generate_callback(AUDIT_RULES_RELOADED))
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED))
+    rules_paths = commands.get_rules_path()
+    assert wazuh_log_monitor.callback_result
+    assert testfile_name not in rules_paths
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_change_target.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_change_target.py
new file mode 100644
index 0000000000..11c3d12ba9
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_change_target.py
@@ -0,0 +1,133 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import time
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.platforms import MACOS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, LINKS_SCAN_FINALIZED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYMLINK_SCAN_INTERVAL, SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_change_target.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0, SYMLINK_SCAN_INTERVAL: 2}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_change_target(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                       configure_local_internal_options, symlink_target, symlink, symlink_new_target,
+                       daemons_handler, start_monitoring):
+
+    if sys.platform == MACOS and not test_metadata['fim_mode'] == 'scheduled':
+        pytest.skip(reason="Realtime and whodata are not supported on macos")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    testfile_name = 'testie.txt'
+
+    # Create in original target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(symlink_target.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+
+    # Delete in original target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.remove_file(symlink_target.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
+
+    # Change target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.modify_symlink_target(symlink_new_target, symlink)
+    wazuh_log_monitor.start(generate_callback(LINKS_SCAN_FINALIZED))
+    assert wazuh_log_monitor.callback_result
+
+    # Create in new target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(symlink_new_target.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+
+    # Delete in new target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.remove_file(symlink_new_target.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_cud.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_cud.py
new file mode 100644
index 0000000000..65cb689ea6
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_cud.py
@@ -0,0 +1,120 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.platforms import MACOS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, EVENT_TYPE_MODIFIED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYMLINK_SCAN_INTERVAL, SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_cud.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0, SYMLINK_SCAN_INTERVAL: 2}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_cud(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+             configure_local_internal_options, symlink_target, symlink, daemons_handler,
+             start_monitoring):
+
+    if sys.platform == MACOS and not test_metadata['fim_mode'] == 'scheduled':
+        pytest.skip(reason="Realtime and whodata are not supported on macos")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    testfile_name = 'testie.txt'
+
+    # Create
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert wazuh_log_monitor.callback_result
+
+    # Update
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(symlink.joinpath(testfile_name), 'new_text')
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED))
+    assert wazuh_log_monitor.callback_result
+
+    # Remove
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.remove_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_disabled.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_disabled.py
new file mode 100644
index 0000000000..2c9b9ee3fe
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_disabled.py
@@ -0,0 +1,130 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.platforms import MACOS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, LINKS_SCAN_FINALIZED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYMLINK_SCAN_INTERVAL, SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.darwin, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_disabled.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_disabled.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0, SYMLINK_SCAN_INTERVAL: 2}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_disabled(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                  configure_local_internal_options, folder_to_monitor, symlink_target, symlink,
+                  symlink_new_target, daemons_handler, start_monitoring):
+
+    if sys.platform == MACOS and not test_metadata['fim_mode'] == 'scheduled':
+        pytest.skip(reason="Realtime and whodata are not supported on macos")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    testfile_name = 'testie.txt'
+
+    # Create in original target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.write_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert not wazuh_log_monitor.callback_result
+
+    # Delete in original target.
+    file.remove_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert not wazuh_log_monitor.callback_result
+
+    # Change target.
+    file.modify_symlink_target(symlink_new_target, symlink)
+    wazuh_log_monitor.start(generate_callback(LINKS_SCAN_FINALIZED))
+    assert wazuh_log_monitor.callback_result
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    file.truncate_file(WAZUH_LOG_PATH)
+
+    # Create in new target.
+    file.write_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert not wazuh_log_monitor.callback_result
+
+    # Delete in new target.
+    file.remove_file(symlink.joinpath(testfile_name))
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert not wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_new_target_populated.py b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_new_target_populated.py
new file mode 100644
index 0000000000..c5c6d93c2c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_follow_symbolic_link/test_new_target_populated.py
@@ -0,0 +1,110 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. In particular, these tests will check if FIM events are still generated when
+       a monitored directory is deleted and created again.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: basic_usage
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://man7.org/linux/man-pages/man8/auditd.8.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim
+'''
+import sys
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_MODIFIED, LINKS_SCAN_FINALIZED
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim.configuration import SYMLINK_SCAN_INTERVAL, SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import file
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_new_target_populated.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_basic.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0, SYMLINK_SCAN_INTERVAL: 2}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_new_target_populated(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                              configure_local_internal_options, symlink_target, symlink, symlink_new_target,
+                              fill_folder_to_monitor, daemons_handler, start_monitoring):
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    testfile_name = 'testie.txt'
+
+    # Change target.
+    file.truncate_file(WAZUH_LOG_PATH)
+    file.modify_symlink_target(symlink_new_target, symlink)
+    wazuh_log_monitor.start(generate_callback(LINKS_SCAN_FINALIZED))
+    assert wazuh_log_monitor.callback_result
+
+    # No added event is raised.
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED))
+    assert not wazuh_log_monitor.callback_result
+    # No modified event is raised.
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED))
+    assert not wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_ignore/__init__.py b/src/modules/fim/tests/integration/test_files/test_ignore/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ignore/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_ignore/data/configuration_templates/configuration_ignore_linux.yaml b/src/modules/fim/tests/integration/test_files/test_ignore/data/configuration_templates/configuration_ignore_linux.yaml
new file mode 100644
index 0000000000..bbd4ea887d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ignore/data/configuration_templates/configuration_ignore_linux.yaml
@@ -0,0 +1,20 @@
+- sections:
+    - section: syscheck
+      elements: SYSCHECK
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_ignore/data/test_cases/cases_ignore_linux.yaml b/src/modules/fim/tests/integration/test_files/test_ignore/data/test_cases/cases_ignore_linux.yaml
new file mode 100644
index 0000000000..ec6ba24670
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ignore/data/test_cases/cases_ignore_linux.yaml
@@ -0,0 +1,6537 @@
+- name: not_ignore_sregex_scheduled
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_2
+  description: Check 2 ignores with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_2
+  description: Check 2 ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_2
+  description: Check 2 ignores with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_binary_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_binary_content
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_binary_content
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_binary_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_binary_content
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_binary_content
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_binary_content
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_binary_content
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_binary_content
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_binary_content_2
+  description: Check ignore with 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_binary_content_2
+  description: Check ignore with 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_binary_content_2
+  description: Check ignore with 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_empty_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_empty_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_empty_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_empty_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_empty_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_empty_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_empty_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_empty_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_empty_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_empty_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_empty_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_empty_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_empty_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_empty_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_empty_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_empty_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_empty_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_empty_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_empty_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_empty_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_empty_content
+  description: Check ignore2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_empty_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_empty_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_empty_binary_content
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_empty_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_empty_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_empty_binary_content
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_empty_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_empty_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_empty_binary_content
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_empty_binary_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_empty_binary_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_empty_binary_content
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_empty_binary_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_empty_binary_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_empty_binary_content
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_empty_binary_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_empty_binary_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_empty_binary_content
+  description: Check ignore pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_empty_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_empty_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_empty_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_scheduled
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_realtime
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_whodata
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_sregex_with_OR_scheduled
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_with_OR_realtime
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_with_OR_whodata
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_2_sregex_scheduled
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_2_sregex_realtime
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_2_sregex_whodata
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, btestfile2.ignore]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_2
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_2
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - ignore:
+            value: '/testdir1/not_exists'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile]
+    content: 'Sample content'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_binary_content_2
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_binary_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_binary_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_binary_content_2
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_binary_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_binary_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+      SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_binary_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_binary_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_binary_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/testdir1/ignore_this'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_binary_content
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile]
+    content: 'Sample content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_empty_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_empty_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_empty_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_empty_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_empty_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_empty_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_empty_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_empty_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_empty_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_empty_content_2
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_empty_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_empty_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_empty_content_2
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_empty_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_empty_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_empty_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_empty_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_empty_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_empty_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_empty_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_empty_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, testfile2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_empty_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_empty_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_empty_binary_content_2
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_empty_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_empty_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_empty_binary_content_2
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_empty_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_empty_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_empty_binary_content_2
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_empty_binary_content_2
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_empty_binary_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_empty_binary_content_2
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_empty_binary_content_2
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_empty_binary_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_empty_binary_content_2
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_empty_binary_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_empty_binary_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_empty_binary_content_2
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_empty_binary_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_empty_binary_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_empty_binary_content_2
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, subdir, btestfile2]
+    content: ''
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_scheduled_2
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_realtime_2
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_whodata_2
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_sregex_with_OR_scheduled_2
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_with_OR_realtime_2
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_with_OR_whodata_2
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_2_sregex_scheduled_2
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_2_sregex_realtime_2
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_2_sregex_whodata_2
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+
+- name: not_ignore_sregex_scheduled_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_3
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_3
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_3
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_3
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_3
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_3
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_scheduled_3
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_realtime_3
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_whodata_3
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_sregex_with_OR_scheduled_3
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_with_OR_realtime_3
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_with_OR_whodata_3
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_2_sregex_scheduled_3
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_2_sregex_realtime_3
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_2_sregex_whodata_3
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignore]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_4
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_4
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_4
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_4
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_4
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_4
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$|.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_4
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_4
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_4
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_4
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_4
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_4
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_4
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_4
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_4
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, subdir, another.ignored]
+    content: 'other content'
+    binary_content: !!python/object/apply:eval ['True']
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_scheduled_empty_content_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_realtime_empty_content_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_whodata_empty_content_3
+  description: Check ignore sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_with_OR_scheduled_empty_content_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_with_OR_realtime_empty_content_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_with_OR_whodata_empty_content_3
+  description: Check ignore sregex with OR triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$|.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_sregex_scheduled_empty_content_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_sregex_realtime_empty_content_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_sregex_whodata_empty_content_3
+  description: Check ignore with 2 sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: 'sregex'
+      - ignore:
+          value: '.ignore2$'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_empty_content_3
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_empty_content_3
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_empty_content_3
+  description: Check ignore with sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_path_prefix_scheduled_empty_content_3
+  description: Check ignore sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_path_prefix_realtime_empty_content_3
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_path_prefix_whodata_empty_content_3
+  description: Check ignore with sregex with path and prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '^/testdir1/ignore_prefix'
+          attributes:
+          - type: 'sregex'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_pattern_scheduled_empty_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_pattern_realtime_empty_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_pattern_whodata_empty_content_3
+  description: Check ignore with pattern with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_2_patterns_scheduled_empty_content_3
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_2_patterns_realtime_empty_content_3
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_2_patterns_whodata_empty_content_3
+  description: Check ignore 2 patterns with path triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '/testdir1/ignore_this'
+      -  ignore:
+          value: '/testdir1/not_exists'
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignored2]
+    content: ''
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_with_OR_scheduled_4
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_with_OR_realtime_4
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_with_OR_whodata_4
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_2_sregex_scheduled_4
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_2_sregex_realtime_4
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_2_sregex_whodata_4
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, another.ignore2]
+    content: ''
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_sregex_scheduled_4
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: ignore_sregex_realtime_4
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: ignore_sregex_whodata_4
+  description: Check ignore with sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: '.ignore$'
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_with_OR_scheduled_5
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - frequency:
+          value: 3
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: ignore_sregex_with_OR_realtime_5
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'no'
+          - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: ignore_sregex_with_OR_whodata_5
+  description: Check ignore with sregex with OR no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+      - ignore:
+          value: ".ignore$|.ignore2$"
+          attributes:
+          - type: sregex
+      - directories:
+          value: '/testdir1,/testdir2'
+          attributes:
+          - check_all: 'yes'
+          - whodata: 'yes'
+          - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_with_2_sregex_scheduled_5
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: ignore_with_2_sregex_realtime_5
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: ignore_with_2_sregex_whodata_5
+  description: Check ignore with 2 sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '.ignore$'
+            attributes:
+            - type: 'sregex'
+        - ignore:
+            value: '.ignore2$'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: not_ignore_sregex_prefix_scheduled_5
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+
+- name: not_ignore_sregex_prefix_realtime_5
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_sregex_prefix_whodata_5
+  description: Check ignore sregex with prefix triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_sregex_path_prefix_scheduled
+  description: Check ignore sregex with path and prefix no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_sregex_path_prefix_realtime
+  description: Check ignore sregex with path and prefix no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_sregex_path_prefix_whodata
+  description: Check ignore sregex with path and prefix no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/ignore_prefix'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, ignore_prefix_test.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_empty_sregex_scheduled
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, whatever.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_empty_sregex_realtime
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, whatever.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_empty_sregex_whodata
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, whatever.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_empty_sregex_scheduled_2
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, whatever2.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_empty_sregex_realtime_2
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, whatever2.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_empty_sregex_whodata_2
+  description: Check ignore with empty sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: ''
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir2]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir2, whatever2.txt]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: not_ignore_with_negated_sregex_scheduled
+  description: Check ignore with negated sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, mytest]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: scheduled
+    xfail: !!python/object/apply:eval ['True']
+
+- name: not_ignore_with_negated_sregex_realtime
+  description: Check ignore with negated sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, mytest]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: realtime
+
+- name: not_ignore_with_negated_sregex_whodata
+  description: Check ignore with negated sregex triggers event because there is no match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, mytest]
+    content: 'test'
+    triggers_event: !!python/object/apply:eval ['True']
+    fim_mode: whodata
+
+- name: ignore_with_negated_sregex_scheduled
+  description: Check ignore with negated sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, othername]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_negated_sregex_realtime
+  description: Check ignore with negated sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, othername]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_negated_sregex_whodata
+  description: Check ignore with negated sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '!mytest'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, othername]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_incomplete_sregex_scheduled
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_incomplete_sregex_realtime
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_incomplete_sregex_whodata
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_with_incomplete_sregex_scheduled_2
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder, file2]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_with_incomplete_sregex_realtime_2
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder, file2]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_with_incomplete_sregex_whodata_2
+  description: Check ignore with incomplete sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '^/testdir1/f'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, folder, file2]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
+
+- name: ignore_disk_sregex_scheduled
+  description: Check ignore with root sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - frequency:
+            value: 3
+        - ignore:
+            value: '/'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: scheduled
+
+- name: ignore_disk_sregex_realtime
+  description: Check ignore with root sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'no'
+            - realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: realtime
+
+- name: ignore_disk_sregex_whodata
+  description: Check ignore with root sregex no triggers event because there is match
+  configuration_parameters:
+    SYSCHECK:
+        - ignore:
+            value: '/'
+            attributes:
+            - type: 'sregex'
+        - directories:
+            value: '/testdir1,/testdir2'
+            attributes:
+            - check_all: 'yes'
+            - whodata: 'yes'
+            - realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, file1]
+    content: 'test'
+    is_pattern : !!python/object/apply:eval ['False']
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_ignore/test_ignore_valid.py b/src/modules/fim/tests/integration/test_files/test_ignore/test_ignore_valid.py
new file mode 100644
index 0000000000..7eaea1bea2
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_ignore/test_ignore_valid.py
@@ -0,0 +1,171 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM ignores the elements
+       set in the 'ignore' option using both regex and regular names for specifying them.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
+       configured files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_ignore
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_ignore
+'''
+
+from pathlib import Path
+
+import pytest
+from wazuh_testing import global_parameters
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, IGNORING_DUE_TO_SREGEX, IGNORING_DUE_TO_PATTERN
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+
+# Pytest marks to run on any service type on linux or windows.
+# Skipped on Windows due Issue https://github.com/wazuh/wazuh/issues/9298"
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=2)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_ignore_linux.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_ignore_linux.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2 }
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_ignore_subdirectory(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler,
+                             file_to_monitor):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon ignores the files that are in a monitored subdirectory
+                 when using the 'ignore' option. It also ensures that events for files tha are not being ignored
+                 are still detected. For this purpose, the test will monitor folders containing files to be ignored
+                 using names or regular expressions. Then it will create these files and check if FIM events should
+                 be generated. Finally, the test will verify that the generated FIM events correspond to the files
+                 that must not be ignored.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 2
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+
+    assertions:
+        - Verify that FIM 'ignore' events are generated for each ignored element.
+        - Verify that FIM 'added' events are generated for files
+          that do not match the value of the 'ignore' option.
+
+    input_description: Different test cases are contained in external YAML files
+                       (cases_ignore_linux.yaml) which includes configuration settings
+                       for the 'wazuh-syscheckd' daemon and testing directories to monitor.
+
+    inputs:
+        - 288 test cases including multiple regular expressions and names for testing files and directories.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+        - r'.*Ignoring .* due to'
+
+    tags:
+        - ignore
+    '''
+
+    if test_metadata.setdefault('xfail', False):
+        pytest.xfail(reason="Expected fail - Issue https://github.com/wazuh/wazuh/issues/22186.")
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    if test_metadata.setdefault('triggers_event', False) == True:
+        wazuh_log_monitor.start(timeout=60, callback=generate_callback(EVENT_TYPE_ADDED))
+        callback_result = wazuh_log_monitor.callback_result
+        assert callback_result
+
+        event_data = get_fim_event_data(callback_result)
+        assert event_data.get('path') == test_metadata['file_to_monitor'], 'Event path not equal'
+        assert event_data.get('mode') == test_metadata['fim_mode'], 'FIM mode not equal'
+    else:
+        if test_metadata['is_pattern'] == False:
+            wazuh_log_monitor.start(callback=generate_callback(IGNORING_DUE_TO_SREGEX))
+            assert wazuh_log_monitor.callback_result
+        else:
+            wazuh_log_monitor.start(callback=generate_callback(IGNORING_DUE_TO_PATTERN))
+            assert wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_inotify/__init__.py b/src/modules/fim/tests/integration/test_files/test_inotify/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_inotify/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_inotify/data/configuration_templates/configuration_num_watches.yaml b/src/modules/fim/tests/integration/test_files/test_inotify/data/configuration_templates/configuration_num_watches.yaml
new file mode 100644
index 0000000000..1f5f26fead
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_inotify/data/configuration_templates/configuration_num_watches.yaml
@@ -0,0 +1,9 @@
+- sections:
+    - section: syscheck
+      elements:
+      - frequency:
+          value: 15
+      - directories:
+          value: TEST_DIR
+          attributes:
+          - FIM_MODE
diff --git a/src/modules/fim/tests/integration/test_files/test_inotify/data/test_cases/cases_num_watches.yaml b/src/modules/fim/tests/integration/test_files/test_inotify/data/test_cases/cases_num_watches.yaml
new file mode 100644
index 0000000000..e010dbaabb
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_inotify/data/test_cases/cases_num_watches.yaml
@@ -0,0 +1,51 @@
+- name: num_watch_deleting_folder_scheduled
+  description: Check if number of watchs is correct after deleting a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/testdir1]
+    FREQUENCY: 15
+    FIM_MODE:
+      realtime: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1, sub1]
+    watches_before: 0
+    watches_after: 0
+    action: 'delete'
+
+- name: num_watch_deleting_folder_realtime
+  description: Check if number of watchs is correct after deleting a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/testdir1]
+    FREQUENCY: 15
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    watches_before: 1
+    watches_after: 0
+    action: 'delete'
+
+- name: num_watch_deleting_folder_realtime
+  description: Check if number of watchs is correct after renaming a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/testdir1]
+    FREQUENCY: 15
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    watches_before: 1
+    watches_after: 0
+    action: 'rename'
+
+- name: num_watch_deleting_folder_realtime
+  description: Check if number of watchs is correct after some time on a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join [/testdir1]
+    FREQUENCY: 40
+    FIM_MODE:
+      realtime: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    watches_before: 1
+    watches_after: 1
+    action: 'none'
diff --git a/src/modules/fim/tests/integration/test_files/test_inotify/test_num_watches.py b/src/modules/fim/tests/integration/test_files/test_inotify/test_num_watches.py
new file mode 100644
index 0000000000..9ad7bc8721
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_inotify/test_num_watches.py
@@ -0,0 +1,166 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts
+       when these files are modified. Specifically, these tests will verify that FIM detects
+       the correct 'inotify watches' number when renaming and deleting a monitored directory.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_inotify
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_inotify
+'''
+
+from pathlib import Path
+
+import pytest
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import NUM_INOTIFY_WATCHES
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_num_watches.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_num_watches.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2 }
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_num_watches(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects the correct number of 'inotify watches' when
+                 renaming and deleting a monitored directory. For this purpose, the test will create and monitor
+                 a folder with two subdirectories. Once FIM is started, it will verify that three watches have
+                 been detected. If these 'inotify watches' are correct, the test will make file operations on
+                 the monitored folder or do nothing. Finally, it will verify that the 'inotify watches' number
+                 detected in the generated FIM events is correct.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that FIM detects that the 'inotify watches' number is correct
+          before and after modifying the monitored folder.
+        - Verify that FIM adds 'inotify watches' when monitored directories have been removed or renamed, and
+          they are restored.
+
+    input_description: A test case (num_watches_conf) is contained in external YAML file (cases_num_watches.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and, these are
+                       combined with the testing directories to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Folders monitored with real-time engine'
+
+    tags:
+        - watches
+    '''
+
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(timeout=60, callback=generate_callback(NUM_INOTIFY_WATCHES))
+    watches = int(wazuh_log_monitor.callback_result[0]) if wazuh_log_monitor.callback_result else 0
+
+    assert watches == test_metadata['watches_before']
+
+    if test_metadata['action'] == 'delete':
+        file.delete_path_recursively(test_metadata['folder_to_monitor'])
+    elif test_metadata['action'] == 'rename':
+        file.rename(test_metadata['folder_to_monitor'], '/changed_name')
+
+    wazuh_log_monitor.start(timeout=60, callback=generate_callback(NUM_INOTIFY_WATCHES), only_new_events=True)
+
+    watches = int(wazuh_log_monitor.callback_result[0]) if wazuh_log_monitor.callback_result else 0
+
+    assert watches == test_metadata['watches_after']
+
+    if file.exists('/changed_name'):
+        file.delete_path_recursively('/changed_name')
diff --git a/src/modules/fim/tests/integration/test_files/test_max_eps/__init__.py b/src/modules/fim/tests/integration/test_files/test_max_eps/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_max_eps/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_max_eps/data/configuration_templates/configuration_max_eps.yaml b/src/modules/fim/tests/integration/test_files/test_max_eps/data/configuration_templates/configuration_max_eps.yaml
new file mode 100644
index 0000000000..da7a6459d5
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_max_eps/data/configuration_templates/configuration_max_eps.yaml
@@ -0,0 +1,30 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - directories:
+          value: TEST_DIR
+          attributes:
+            - FIM_MODE
+      - max_eps:
+          value: MAX_EPS
+      - windows_audit_interval:
+          value: 1
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_max_eps/data/test_cases/cases_max_eps.yaml b/src/modules/fim/tests/integration/test_files/test_max_eps/data/test_cases/cases_max_eps.yaml
new file mode 100644
index 0000000000..b65b1b5b6a
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_max_eps/data/test_cases/cases_max_eps.yaml
@@ -0,0 +1,55 @@
+- name: 10_eps_creating_multiple_files_realtime
+  description: Check if number of eps is correct after create multiple files on a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'yes'
+    MAX_EPS: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    max_eps: 10
+    fim_mode: 'realtime'
+
+- name: 10_eps_creating_multiple_files_whodata
+  description: Check if number of eps is correct after create multiple files on a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      whodata: 'yes'
+    MAX_EPS: 10
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    max_eps: 10
+    fim_mode: 'whodata'
+
+- name: 50_eps_creating_multiple_files_realtime
+  description: Check if number of eps is correct after create multiple files on a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'yes'
+    MAX_EPS: 50
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    max_eps: 50
+    fim_mode: 'realtime'
+
+- name: 50_eps_creating_multiple_files_whodata
+  description: Check if number of eps is correct after create multiple files on a monitored folder
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      whodata: 'yes'
+    MAX_EPS: 50
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    max_eps: 50
+    fim_mode: 'whodata'
diff --git a/src/modules/fim/tests/integration/test_files/test_max_eps/test_max_eps.py b/src/modules/fim/tests/integration/test_files/test_max_eps/test_max_eps.py
new file mode 100644
index 0000000000..cfe47cb9d5
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_max_eps/test_max_eps.py
@@ -0,0 +1,199 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts
+       when these files are modified. Specifically, these tests will verify that FIM limits
+       the maximum events per second that it generates, set in the 'max_eps' tag.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_max_eps
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_max_eps
+'''
+
+from pathlib import Path
+
+import sys
+import os
+import time
+import re
+from datetime import datetime
+
+import pytest
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import SENDING_FIM_EVENT, PATH_MONITORED_REALTIME, PATH_MONITORED_WHODATA, PATH_MONITORED_WHODATA_WINDOWS
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_max_eps.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_max_eps.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2 }
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_max_eps(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon applies the limit set in the 'max_eps' tag when
+                 a lot of 'syscheck' events are generated. For this purpose, the test will monitor a folder,
+                 and once FIM is started, it will create multiple testing files in it. Then, the test
+                 will collect FIM 'added' events generated and check if the number of events matches
+                 the testing files created. Finally, it will verify the limit of events per second (eps)
+                 is not exceeded by checking the creation time of the testing files.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+
+    assertions:
+        - Verify that FIM events are generated for each testing file created.
+        - Verify that the eps limit set in the 'max_eps' tag has not been exceeded at generating FIM events.
+
+    input_description: A test case (max_eps) is contained in external YAML file (cases_max_eps.yaml) which
+                       includes configuration settings for the 'wazuh-syscheckd' daemon and, these are
+                       combined with the testing directory to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+
+    tags:
+        - scheduled
+    '''
+    max_eps = int(test_metadata['max_eps'])
+    fim_mode = test_metadata['fim_mode']
+    test_directories = test_metadata['folder_to_monitor']
+
+    if fim_mode == 'whodata' and sys.platform == WINDOWS:
+        pytest.skip(reason="Unstable behavior on github actions")
+
+    if sys.platform == WINDOWS:
+        regex = PATH_MONITORED_REALTIME if test_metadata['fim_mode'] == 'realtime' else PATH_MONITORED_WHODATA_WINDOWS
+    else:
+        regex = PATH_MONITORED_REALTIME if test_metadata['fim_mode'] == 'realtime' else PATH_MONITORED_WHODATA
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=generate_callback(regex))
+    assert wazuh_log_monitor.callback_result
+
+    file_names = []
+    for i in range(int(max_eps) * 4):
+        file_name = f'file{i}_to_max_eps_{max_eps}_{fim_mode}_mode{time.time()}_.txt'
+        path = os.path.join(test_directories, file_name)
+        file_names.append(path)
+    file.create_files(file_names)
+
+    n_results = max_eps * 3
+
+    wazuh_log_monitor.start(accumulations=n_results, callback=generate_callback(SENDING_FIM_EVENT))
+    assert wazuh_log_monitor.callback_result
+
+    result = parse_integrity_message(wazuh_log_monitor.callback_result)
+    date_time_count = {}
+
+    for date_time in result:
+        if date_time in date_time_count:
+            date_time_count[date_time] += 1
+        else:
+            date_time_count[date_time] = 1
+
+    for date_time, n_occurrences in date_time_count.items():
+        assert n_occurrences <= max_eps, f"Sent {n_occurrences} but a maximum of {max_eps} was set"
+
+
+def parse_integrity_message(lines):
+    result = []
+    for line in lines:
+        match = re.match(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*({.*?})$", line)
+        if match:
+            result.append(datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S'))
+    return result
diff --git a/src/modules/fim/tests/integration/test_files/test_moving_files/__init__.py b/src/modules/fim/tests/integration/test_files/test_moving_files/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_moving_files/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_moving_files/data/configuration_templates/configuration_moving_files.yaml b/src/modules/fim/tests/integration/test_files/test_moving_files/data/configuration_templates/configuration_moving_files.yaml
new file mode 100644
index 0000000000..6f859e38f2
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_moving_files/data/configuration_templates/configuration_moving_files.yaml
@@ -0,0 +1,35 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - directories:
+          value: TEST_DIR_1
+          attributes:
+            - whodata: 'yes'
+      - directories:
+          value: TEST_DIR_2
+          attributes:
+            - realtime: 'yes'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: active-response
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_moving_files/data/test_cases/cases_moving_files.yaml b/src/modules/fim/tests/integration/test_files/test_moving_files/data/test_cases/cases_moving_files.yaml
new file mode 100644
index 0000000000..3728c1ee6f
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_moving_files/data/test_cases/cases_moving_files.yaml
@@ -0,0 +1,33 @@
+- name: moving_files
+  description: Checks if the event is generated correctly when a file is moved from a whodata directory to realtime.
+  configuration_parameters:
+    TEST_DIR_1: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    TEST_DIR_2: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir2]
+  metadata:
+    folder_src: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    folder_dst: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir2]
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir1], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir2], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir1, testfile1.txt]]
+    filename: 'testfile1.txt'
+    mod_del_event: 'whodata'
+    mod_add_event: 'realtime'
+
+- name: moving_files
+  description: Checks if the event is generated correctly when a file is moved from a realtime directory to whodata.
+  configuration_parameters:
+    TEST_DIR_1: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    TEST_DIR_2: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir2]
+  metadata:
+    folder_src: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir2]
+    folder_dst: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir1], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir2], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir2, testfile1.txt]]
+    filename: 'testfile1.txt'
+    mod_del_event: 'realtime'
+    mod_add_event: 'whodata'
diff --git a/src/modules/fim/tests/integration/test_files/test_moving_files/test_moving_files.py b/src/modules/fim/tests/integration/test_files/test_moving_files/test_moving_files.py
new file mode 100644
index 0000000000..4ba793c04e
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_moving_files/test_moving_files.py
@@ -0,0 +1,175 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts
+       when these files are modified. Specifically, these tests will check if FIM detects
+       moving files from one directory using the 'whodata' monitoring mode to another using
+       the 'realtime' monitoring mode and vice versa.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_moving_files
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_moving_files
+'''
+import os
+
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_DELETED, EVENT_TYPE_ADDED
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_moving_files.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_moving_files.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2}
+
+
+# Test
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_moving_file_to_whodata(test_configuration, test_metadata, set_wazuh_configuration, truncate_monitored_files,
+                                configure_local_internal_options, create_paths_files, daemons_handler, start_monitoring):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects events when moving files from a directory
+                 monitored by 'whodata' to another monitored by 'realtime' and vice versa. For this purpose,
+                 the test will monitor two folders using both FIM monitoring modes and create a testing file
+                 inside each one. Then, it will rename the testing file of the target folder using the name
+                 of the one inside the source folder. Finally, the test will verify that the FIM events
+                 generated to match the monitoring mode used in the folders.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - create_paths_files:
+            type: list
+            brief: Create the required directory or file to edit.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - start_monitoring:
+            type: fixture
+            brief: Wait FIM to start.
+
+    assertions:
+        - Verify that the 'mode' field in FIM 'deleted' events match with one used
+          in the source folder of moved files.
+        - Verify that the 'mode' field in FIM 'added' events match with one used
+          in the target folder of moved files.
+
+    input_description: A test case is contained in external YAML files (configuration_moving_files.yaml, cases_moving_files.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and, these are
+                       combined with the testing directories to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' and 'deleted' events)
+
+    tags:
+        - realtime
+        - who_data
+    '''
+    dirsrc = test_metadata.get('folder_src')
+    dirdst = test_metadata.get('folder_dst')
+    filename = test_metadata.get('filename')
+    mod_del_event = test_metadata.get('mod_del_event')
+    mod_add_event = test_metadata.get('mod_add_event')
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    os.rename(os.path.join(dirsrc, filename), os.path.join(dirdst, filename))
+
+    # Check event 'delete'
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED), timeout=60)
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result
+
+    event_data = get_fim_event_data(callback_result)
+    assert event_data.get('path') == os.path.join(dirsrc, filename), 'Event path not equal'
+    assert event_data.get('type') == 'deleted', 'Event type not equal'
+    assert event_data.get('mode') == mod_del_event, 'FIM mode not equal'
+
+    # Check event 'add'
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=60)
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result
+
+    event_data = get_fim_event_data(callback_result)
+    assert event_data.get('path') == os.path.join(dirdst, filename), 'Event path not equal'
+    assert event_data.get('type') == 'added', 'Event type not equal'
+    assert event_data.get('mode') == mod_add_event, 'FIM mode not equal'
diff --git a/src/modules/fim/tests/integration/test_files/test_process_priority/__init__.py b/src/modules/fim/tests/integration/test_files/test_process_priority/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_process_priority/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_process_priority/data/configuration_templates/configuration_process_priority.yaml b/src/modules/fim/tests/integration/test_files/test_process_priority/data/configuration_templates/configuration_process_priority.yaml
new file mode 100644
index 0000000000..5962338632
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_process_priority/data/configuration_templates/configuration_process_priority.yaml
@@ -0,0 +1,11 @@
+- sections:
+  - section: syscheck
+    elements:
+    - disabled:
+        value: 'no'
+    - directories:
+        value: TEST_DIR
+        attributes:
+        - FIM_MODE
+    - process_priority:
+        value: PROCESS_PRIORITY
diff --git a/src/modules/fim/tests/integration/test_files/test_process_priority/data/test_cases/cases_process_priority.yaml b/src/modules/fim/tests/integration/test_files/test_process_priority/data/test_cases/cases_process_priority.yaml
new file mode 100644
index 0000000000..68c0665913
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_process_priority/data/test_cases/cases_process_priority.yaml
@@ -0,0 +1,143 @@
+- name: process_priority_0_scheduled
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 0
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 0
+    fim_mode: 'scheduled'
+
+- name: process_priority_0_realtime
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'yes'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 0
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 0
+    fim_mode: 'realtime'
+
+- name: process_priority_0_whodata
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'yes'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 0
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 0
+    fim_mode: 'whodata'
+
+- name: process_priority_4_scheduled
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 4
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 4
+    fim_mode: 'scheduled'
+
+- name: process_priority_4_realtime
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'yes'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 4
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 4
+    fim_mode: 'realtime'
+
+- name: process_priority_4_whodata
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'yes'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: 4
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: 4
+    fim_mode: 'whodata'
+
+- name: process_priority_-5_scheduled
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: -5
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: -5
+    fim_mode: 'scheduled'
+
+- name: process_priority_-5_realtime
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'yes'
+      whodata: 'no'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: -5
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: -5
+    fim_mode: 'realtime'
+
+- name: process_priority_-5_whodata
+  description: Check if configured process priorty is correct
+  configuration_parameters:
+    TEST_DIR: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    FIM_MODE:
+      realtime: 'no'
+      whodata: 'yes'
+    MAX_EPS: 10
+    PROCESS_PRIORITY: -5
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir1]
+    priority: -5
+    fim_mode: 'whodata'
diff --git a/src/modules/fim/tests/integration/test_files/test_process_priority/test_process_priority.py b/src/modules/fim/tests/integration/test_files/test_process_priority/test_process_priority.py
new file mode 100644
index 0000000000..285f251d98
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_process_priority/test_process_priority.py
@@ -0,0 +1,153 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if the process priority of
+       the 'wazuh-syscheckd' daemon set in the 'process_priority' tag is applied successfully.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
+       configured files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_process_priority
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#process-priority
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_process_priority
+'''
+
+from pathlib import Path
+
+import sys
+import os
+
+import pytest
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG
+from wazuh_testing.constants.platforms import MACOS
+from wazuh_testing.utils.services import search_process_by_command
+from wazuh_testing.constants.daemons import SYSCHECK_DAEMON
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+
+# Pytest marks to run on any service type on linux or windows.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_process_priority.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_process_priority.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2 }
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_process_priority(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler):
+    '''
+    description: Check if the process priority of the 'wazuh-syscheckd' daemon set in the 'process_priority' tag
+                 is updated correctly. For this purpose, the test will monitor a testing folder and, once FIM starts,
+                 it will get the priority value from the 'process_priority' tag and the system information of
+                 the 'wazuh-syscheckd' process. Finally, the test will compare the current process priority
+                 with the target priority to verify that they match.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that the 'wazuh-syscheckd' daemon is running.
+        - Verify that the process priority of the 'wazuh-syscheckd' daemon matches the 'process_priority' tag.
+
+    input_description: A test case (ossec_conf) is contained in external YAML file (cases_process_priority.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and,
+                       these are combined with the testing directory to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+        - r'.*Ignoring .* due to'
+
+    tags:
+        - realtime
+        - scheduled
+    '''
+
+    priority = int(test_metadata['priority'])
+    syscheckd_process = search_process_by_command(SYSCHECK_DAEMON)
+
+    assert syscheckd_process is not None, f'Process {SYSCHECK_DAEMON} not found'
+    assert (os.getpriority(os.PRIO_PROCESS, syscheckd_process.pid)) == priority, \
+        f'Process {SYSCHECK_DAEMON} has not updated its priority.'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/__init__.py b/src/modules/fim/tests/integration/test_files/test_report_changes/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_diff_size.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_diff_size.yaml
new file mode 100644
index 0000000000..038d250611
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_diff_size.yaml
@@ -0,0 +1,29 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - frequency:
+            value: 3
+      - directories:
+          value: TEST_DIRECTORIES
+          attributes: ATTRIBUTES
+      - diff:
+          elements:
+            - file_size:
+                elements:
+                  - enabled:
+                      value: FILE_SIZE_ENABLED
+                  - limit:
+                      value: FILE_SIZE_LIMIT
+            - disk_quota:
+                elements:
+                  - enabled:
+                      value: DISK_QUOTA_ENABLED
+                  - limit:
+                      value: DISK_QUOTA_LIMIT
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_disk_quota_default.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_disk_quota_default.yaml
new file mode 100644
index 0000000000..f5e175f366
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_disk_quota_default.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - frequency:
+            value: 3
+      - directories:
+          value: TEST_DIRECTORIES
+          attributes: ATTRIBUTES
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_large_changes.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_large_changes.yaml
new file mode 100644
index 0000000000..7c2542c201
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_large_changes.yaml
@@ -0,0 +1,32 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: INTERVAL
+        - directories:
+            value: TEST_DIRECTORIES
+            attributes:
+              - check_all: 'yes'
+              - realtime: REALTIME
+              - whodata: WHODATA
+              - report_changes: 'yes'
+              - diff_size_limit: 200KB
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_changes_and_diff.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_changes_and_diff.yaml
new file mode 100644
index 0000000000..91d5c54832
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_changes_and_diff.yaml
@@ -0,0 +1,40 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: INTERVAL
+        - directories:
+            value: TEST_DIRECTORIES
+            attributes:
+              - check_all: 'yes'
+              - realtime: REALTIME
+              - whodata: WHODATA
+              - report_changes: 'yes'
+        - directories:
+            value: TEST_DIRECTORIES_NO_DIFF
+            attributes:
+              - check_all: 'yes'
+              - realtime: REALTIME
+              - whodata: WHODATA
+              - report_changes: 'yes'
+        - nodiff:
+            value: NODIFF_FILE
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_deleted_diff.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_deleted_diff.yaml
new file mode 100644
index 0000000000..e7f677c87d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/configuration_templates/configuration_report_deleted_diff.yaml
@@ -0,0 +1,32 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: 3
+        - directories:
+            value: TEST_DIRECTORIES
+            attributes: ATTRIBUTES
+        - directories:
+            value: TEST_DIRECTORIES_NO_DIFF
+            attributes: ATTRIBUTES
+        - nodiff:
+            value: NODIFF_FILE
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_diff_size_limit.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_diff_size_limit.yaml
new file mode 100644
index 0000000000..92d56e4c2f
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_diff_size_limit.yaml
@@ -0,0 +1,109 @@
+- name: Test 'diff' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+      - diff_size_limit: '2kb'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1GB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: scheduled
+    report_changes: 'yes'
+    diff_size_limit_kb: '2'
+    file_size_enabled: 'yes'
+    file_size_limit: '1GB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'diff' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+      - diff_size_limit: '2kb'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1GB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: realtime
+    report_changes: 'yes'
+    diff_size_limit_kb: '2'
+    file_size_enabled: 'yes'
+    file_size_limit: '1GB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'diff' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+      - diff_size_limit: '2kb'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1GB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: whodata
+    report_changes: 'yes'
+    diff_size_limit_kb: '2'
+    file_size_enabled: 'yes'
+    file_size_limit: '1GB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'diff' information, fim_mode = scheduled
+  description: Check if the default 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: scheduled
+    report_changes: 'yes'
+    diff_size_limit_kb: '51200'
+
+- name: Test 'diff' information, fim_mode = realtime
+  description: Check if the default 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: realtime
+    report_changes: 'yes'
+    diff_size_limit_kb: '51200'
+
+- name: Test 'diff' information, fim_mode = whodata
+  description: Check if the default 'wazuh-syscheckd' daemon limits
+                the size of 'diff' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: whodata
+    report_changes: 'yes'
+    diff_size_limit_kb: '51200'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_default.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_default.yaml
new file mode 100644
index 0000000000..dcd00ccd68
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_default.yaml
@@ -0,0 +1,37 @@
+- name: Test 'disk_quota' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'disk_quota' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: scheduled
+    report_changes: 'yes'
+
+- name: Test 'disk_quota' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'disk_quota' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: realtime
+    report_changes: 'yes'
+
+- name: Test 'disk_quota' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits
+                the size of 'disk_quota' information.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join [/test_dir]
+    fim_mode: whodata
+    report_changes: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_disabled.yaml
new file mode 100644
index 0000000000..a04fa0d1d8
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_disk_quota_disabled.yaml
@@ -0,0 +1,73 @@
+- name: Test 'disk_quota' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
+
+- name: Test 'disk_quota' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+      - realtime: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
+
+- name: Test 'disk_quota' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+      - whodata: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_default.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_default.yaml
new file mode 100644
index 0000000000..caebed6d1f
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_default.yaml
@@ -0,0 +1,46 @@
+- name: Test 'file_size' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: scheduled
+    report_changes: 'yes'
+
+- name: Test 'file_size' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: realtime
+    report_changes: 'yes'
+
+- name: Test 'file_size' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: whodata
+    report_changes: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_disabled.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_disabled.yaml
new file mode 100644
index 0000000000..eb4cde4b68
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_disabled.yaml
@@ -0,0 +1,73 @@
+- name: Test 'disk_quota' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'yes'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'yes'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
+
+- name: Test 'disk_quota' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+      - realtime: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'yes'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'yes'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
+
+- name: Test 'disk_quota' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon skips disk_quota check.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+      - whodata: 'yes'
+    FILE_SIZE_ENABLED: 'no'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'yes'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    file_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir, testfile]
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'no'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'yes'
+    disk_quota_limit: '2KB'
+    string_size: 10000000
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_values.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_values.yaml
new file mode 100644
index 0000000000..8b6fcd2f36
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_file_size_values.yaml
@@ -0,0 +1,283 @@
+- name: Test 'file_size' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '100KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '100KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '10MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'scheduled'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '10MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '100KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '100KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - realtime: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '10MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'realtime'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '10MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '100KB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '100KB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '1MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '1MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
+
+- name: Test 'file_size' information, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                'diff' information from the default value of the 'file_size' option.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    ATTRIBUTES:
+      - whodata: 'yes'
+      - report_changes: 'yes'
+    FILE_SIZE_ENABLED: 'yes'
+    FILE_SIZE_LIMIT: '10MB'
+    DISK_QUOTA_ENABLED: 'no'
+    DISK_QUOTA_LIMIT: '2KB'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: 'testfile'
+    fim_mode: 'whodata'
+    report_changes: 'yes'
+    file_size_enabled: 'yes'
+    file_size_limit: '10MB'
+    disk_quota_enabled: 'no'
+    disk_quota_limit: '2KB'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes.yaml
new file mode 100644
index 0000000000..2acabbf94a
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes.yaml
@@ -0,0 +1,203 @@
+- name: Test changes smaller than limit (Scheduled mode)
+  description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_1
+    original_size: 500
+    modified_size: 500
+    has_more_changes: false
+    fim_mode: scheduled
+
+- name: Test changes smaller than limit (Realtime mode)
+  description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_1
+    original_size: 500
+    modified_size: 500
+    has_more_changes: false
+    fim_mode: realtime
+
+- name: Test changes smaller than limit (Whodata mode)
+  description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_1
+    original_size: 500
+    modified_size: 500
+    has_more_changes: false
+    fim_mode: whodata
+
+- name: Test large changes - Same size (Scheduled mode)
+  description: Test when changes are same size of set limit, 'More changes' appears in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_2
+    original_size: 200000
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: scheduled
+
+- name: Test large changes - Same size (Realtime mode)
+  description: Test when changes are same size of set limit, 'More changes' appears in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_2
+    original_size: 200000
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: realtime
+
+- name: Test large changes - Same size (Whodata mode)
+  description: Test when changes are same size of set limit, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_2
+    original_size: 200000
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: whodata
+
+- name: Test large changes - File bigger after change (Scheduled mode)
+  description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_3
+    original_size: 10
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: scheduled
+
+- name: Test large changes - File bigger after change (Realtime mode)
+  description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_3
+    original_size: 10
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: realtime
+
+- name: Test large changes - File bigger after change (Whodata mode)
+  description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_3
+    original_size: 10
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: whodata
+
+- name: Test large changes - File smaller after change (Scheduled mode)
+  description: Test when file is smaller after change, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_4
+    original_size: 200000
+    modified_size: 10
+    has_more_changes: true
+    fim_mode: scheduled
+
+- name: Test large changes - File smaller after change (Realtime mode)
+  description: Test when file is smaller after change, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_4
+    original_size: 200000
+    modified_size: 10
+    has_more_changes: true
+    fim_mode: realtime
+
+- name: Test large changes - File smaller after change (Whodata mode)
+  description: Test when file is smaller after change, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_4
+    original_size: 200000
+    modified_size: 10
+    has_more_changes: true
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes_macos.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes_macos.yaml
new file mode 100644
index 0000000000..3ea9054157
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_large_changes_macos.yaml
@@ -0,0 +1,67 @@
+- name: Test changes smaller than limit (Scheduled mode)
+  description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_1
+    original_size: 500
+    modified_size: 500
+    has_more_changes: false
+    fim_mode: scheduled
+
+- name: Test large changes - Same size (Scheduled mode)
+  description: Test when changes are same size of set limit, 'More changes' appears in content_changes
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_2
+    original_size: 200000
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: scheduled
+
+- name: Test large changes - File bigger after change (Scheduled mode)
+  description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_3
+    original_size: 10
+    modified_size: 200000
+    has_more_changes: true
+    fim_mode: scheduled
+
+- name: Test large changes - File smaller after change (Scheduled mode)
+  description: Test when file is smaller after change, 'More changes' appears in content_changes.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    INTERVAL: 4
+    REALTIME: 'no'
+    WHODATA: 'no'
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], test_dir]
+    filename: regular_4
+    original_size: 200000
+    modified_size: 10
+    has_more_changes: true
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff.yaml
new file mode 100644
index 0000000000..841998be7e
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff.yaml
@@ -0,0 +1,101 @@
+- name: report_changes_found_scheduled
+  description: When a file is monitored with report_changes, the diff file and changes are reported (Scheduled mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 5
+    REALTIME: 'no'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports]
+    filename: regular_file
+    fim_mode: scheduled
+
+- name: report_changes_truncated_scheduled
+  description: When a file is set to nodiff, report_changes information is truncated (Scheduled mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 5
+    REALTIME: 'no'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regular_file
+    fim_mode: scheduled
+
+- name: report_changes_found_realtime
+  description: When a file is monitored with report_changes, the diff file and changes are reported (Realtime mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 1000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports]
+    filename: regular_file
+    fim_mode: realtime
+
+- name: report_changes_truncated_realtime
+  description: When a file is set to nodiff, report_changes information is truncated (Realtime mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 1000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regular_file
+    fim_mode: realtime
+
+- name: report_changes_found_whodata
+  description: When a file is monitored with report_changes, the diff file and changes are reported (Whodata mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 1000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports]
+    filename: regular_file
+    fim_mode: whodata
+
+- name: report_changes_truncated_whodata
+  description: When a file is set to nodiff, report_changes information is truncated (Whodata mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 1000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regular_file
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff_macos.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff_macos.yaml
new file mode 100644
index 0000000000..73c8b7f3e1
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_changes_and_diff_macos.yaml
@@ -0,0 +1,33 @@
+- name: report_changes_found_scheduled
+  description: When a file is monitored with report_changes, the diff file and changes are reported (Scheduled mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 5
+    REALTIME: 'no'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports]
+    filename: regular_file
+    fim_mode: scheduled
+
+- name: report_changes_truncated_scheduled
+  description: When a file is set to nodiff, report_changes information is truncated (Scheduled mode)
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    INTERVAL: 5
+    REALTIME: 'no'
+    WHODATA: 'no'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regular_file
+    fim_mode: scheduled
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_deleted_diff.yaml b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_deleted_diff.yaml
new file mode 100644
index 0000000000..62992bd4b7
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/data/test_cases/cases_report_deleted_diff.yaml
@@ -0,0 +1,52 @@
+- name: Test deletes the 'diff' folder, fim_mode = scheduled
+  description: Check if the 'wazuh-syscheckd' daemon deletes the 'diff' folder created.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    ATTRIBUTES:
+      - check_all: 'yes'
+      - report_changes: 'yes'
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regularfile
+    fim_mode: scheduled
+
+- name: Test deletes the 'diff' folder, fim_mode = realtime
+  description: Check if the 'wazuh-syscheckd' daemon deletes the 'diff' folder created.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    ATTRIBUTES:
+      - check_all: 'yes'
+      - report_changes: 'yes'
+      - realtime: "yes"
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regularfile
+    fim_mode: realtime
+
+- name: Test deletes the 'diff' folder, fim_mode = whodata
+  description: Check if the 'wazuh-syscheckd' daemon deletes the 'diff' folder created.
+  configuration_parameters:
+    TEST_DIRECTORIES: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_reports]
+    TEST_DIRECTORIES_NO_DIFF: !!python/object/apply:os.path.join
+              args: [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    ATTRIBUTES:
+      - check_all: 'yes'
+      - report_changes: 'yes'
+      - whodata: "yes"
+    NODIFF_FILE: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], 'testdir_nodiff', 'regular_file']
+  metadata:
+    path_or_files_to_create: [!!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_reports], !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]]
+    folder: !!python/object/apply:os.path.join [!!python/object/apply:os.getcwd [], testdir_nodiff]
+    filename: regularfile
+    fim_mode: whodata
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_diff_size_limit.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_diff_size_limit.py
new file mode 100644
index 0000000000..0ed7d3d142
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_diff_size_limit.py
@@ -0,0 +1,153 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if FIM limits the size of
+       'diff' information to generate from the file monitored when the 'diff_size_limit' and
+       the 'report_changes' options are enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+        scheduled: Implies scheduled scan
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import DIFF_MAXIMUM_FILE_SIZE, ERROR_MSG_MAXIMUM_FILE_SIZE_EVENT, ERROR_MSG_WRONG_VALUE_MAXIMUM_FILE_SIZE
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_diff_size_limit.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_diff_size.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_diff_size_limit(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of 'diff' information to generate from
+                 the value set in the 'diff_size_limit' attribute when the global 'file_size' tag is different.
+                 For this purpose, the test will monitor a directory and, once the FIM is started, it will wait
+                 for the FIM event related to the maximum file size to generate 'diff' information. Finally,
+                 the test will verify that the value gotten from that FIM event corresponds with the one set
+                 in the 'diff_size_limit'.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that an FIM event is generated indicating the size limit of 'diff' information to generate
+          set in the 'diff_size_limit' attribute when the global 'file_size' tag is different.
+
+    input_description: An external YAML file (configuration_diff_size.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_diff_size_limit_configured.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*Maximum file size limit to generate diff information configured to'
+
+    tags:
+        - diff
+        - scheduled
+        - realtime
+        - who_data
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(DIFF_MAXIMUM_FILE_SIZE), timeout=30)
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result, ERROR_MSG_MAXIMUM_FILE_SIZE_EVENT
+    assert str(wazuh_log_monitor.callback_result[0]) == test_metadata.get('diff_size_limit_kb'), ERROR_MSG_WRONG_VALUE_MAXIMUM_FILE_SIZE
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_default.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_default.py
new file mode 100644
index 0000000000..6a9353c43d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_default.py
@@ -0,0 +1,151 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if FIM limits the size of
+       the 'queue/diff/local' folder, where Wazuh stores the compressed files used to perform
+       the 'diff' operation, to the default value when the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#disk-quota
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import DISK_QUOTA_LIMIT_CONFIGURED_VALUE, ERROR_MSG_DISK_QUOTA_LIMIT
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_disk_quota_default.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_disk_quota_default.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+DISK_QUOTA_DEFAULT_VALUE = 1048576
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_disk_quota_default(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of the folder where the data used to perform
+                 the 'diff' operations is stored to the default value. For this purpose, the test will monitor
+                 a directory and, once the FIM is started, it will wait for the FIM event related to the maximum
+                 disk quota to store 'diff' information. Finally, the test will verify that the value gotten from
+                 that FIM event corresponds with the default value of the 'disk_quota' tag (1GB).
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that an FIM event is generated indicating the size limit of the folder
+          to store 'diff' information to the default limit of the 'disk_quota' tag (1GB).
+
+    input_description: An external YAML file (configuration_diff_size.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_disk_quota_default.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*Maximum disk quota size limit configured to'
+
+    tags:
+        - disk_quota
+        - scheduled
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(DISK_QUOTA_LIMIT_CONFIGURED_VALUE), timeout=30)
+    callback_result = wazuh_log_monitor.callback_result
+    assert callback_result, ERROR_MSG_DISK_QUOTA_LIMIT
+    assert str(wazuh_log_monitor.callback_result[0]) == str(DISK_QUOTA_DEFAULT_VALUE), 'Wrong value for disk_quota'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_disabled.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_disabled.py
new file mode 100644
index 0000000000..bd6bb970eb
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_disk_quota_disabled.py
@@ -0,0 +1,161 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM does not limit
+       the size of the 'queue/diff/local' folder where Wazuh stores the compressed files used
+       to perform the 'diff' operation when the 'disk_quota' option is disabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#disk-quota
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_EXCEEDS_DISK_QUOTA
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_disk_quota_disabled.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_diff_size.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_disk_quota_disabled(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, file_to_monitor, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of the folder where the data used
+                 to perform the 'diff' operations is stored when the 'disk_quota' option is disabled.
+                 For this purpose, the test will monitor a directory and, once the FIM is started, it
+                 will create a testing file that, when compressed, is larger than the configured
+                 'disk_quota' limit. Finally, the test will verify that the FIM event related
+                 to the reached disk quota has not been generated.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that no FIM events are generated indicating the disk quota exceeded for monitored files
+          when the 'disk_quota' option is disabled.
+
+    input_description: An external YAML file (configuration_diff_size.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_disk_quota_disabled.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*The (.*) of the file size .* exceeds the disk_quota.*' (if the test fails)
+
+    tags:
+        - disk_quota
+        - scheduled
+    '''
+    to_write = generate_string(test_metadata.get('string_size'), '0')
+    write_file(test_metadata.get('file_to_monitor'), data=to_write)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(generate_callback(FILE_EXCEEDS_DISK_QUOTA), timeout=30)
+
+    assert (wazuh_log_monitor.callback_result == None), f'Error exceeds disk quota detected.'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_default.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_default.py
new file mode 100644
index 0000000000..f47a19d1db
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_default.py
@@ -0,0 +1,185 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. Specifically, these tests will check if FIM limits the size of the file
+       monitored to generate 'diff' information to the default value of the 'file_size' tag when
+       the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-size
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+import os
+
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_SIZE_LIMIT_REACHED, EVENT_TYPE_ADDED, ERROR_MSG_FIM_EVENT_NOT_DETECTED, ERROR_MSG_FILE_LIMIT_REACHED
+from wazuh_testing.modules.fim.utils import make_diff_file_path
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file, translate_size
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_file_size_default.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_disk_quota_default.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_file_size_default(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information from the default value of the 'file_size' option. For this purpose,
+                 the test will monitor a directory, create a testing file smaller than the default limit,
+                 and check if the compressed file has been created. Then, it will increase the size of
+                 the testing file. Finally, the test will verify that the FIM event related to the
+                 reached file size limit has been generated, and the compressed file in the 'queue/diff/local'
+                 directory does not exist.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that the 'diff' folder is created when a monitored file does not exceed the size limit.
+        - Verify that FIM events are generated indicating the size limit reached of monitored files
+          to generate 'diff' information with the default limit of the 'file_size' tag (50MB).
+        - Verify that the 'diff' folder is removed when a monitored file exceeds the size limit.
+
+    input_description: An external YAML file (configuration_disk_quota_default.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_file_size_default.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+        - r'.*File .* is too big for configured maximum size to perform diff operation'
+
+    tags:
+        - diff
+        - scheduled
+    '''
+    size_limit = translate_size('50MB')
+    diff_file_path = make_diff_file_path(folder=test_metadata.get('folder_to_monitor'), filename=test_metadata.get('filename'))
+    test_file_path = os.path.join(test_metadata.get('folder_to_monitor'), test_metadata.get('filename'))
+
+    # Create file with a smaller size than the configured value
+    to_write = generate_string(int(size_limit / 10), '0')
+    write_file(test_file_path, data=to_write)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+
+    if not os.path.exists(diff_file_path):
+        pytest.raises(FileNotFoundError(f"{diff_file_path} not found. It should exist before increasing the size."))
+
+    # Increase the size of the file over the configured value
+    to_write = generate_string(size_limit, '0')
+    write_file(test_file_path, data=to_write * 3)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(FILE_SIZE_LIMIT_REACHED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FILE_LIMIT_REACHED
+
+    if os.path.exists(diff_file_path):
+        pytest.raises(FileExistsError(f"{diff_file_path} found. It should not exist after incresing the size."))
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_disabled.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_disabled.py
new file mode 100644
index 0000000000..503d088abf
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_disabled.py
@@ -0,0 +1,159 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. Specifically, these tests will verify that FIM does not limit the size of
+       the file monitored to generate 'diff' information when disabling the 'file_size' tag and
+       the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-size
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_SIZE_LIMIT_REACHED
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_file_size_disabled.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_diff_size.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_file_size_disabled(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, file_to_monitor, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information when the 'file_size' option is disabled. For this purpose, the test
+                 will monitor a directory and create a testing file larger than the limit set in the
+                 'file_size' tag. Finally, the test will verify that the FIM event related to the
+                 reached file size limit has not been generated.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that no FIM events are generated indicating the reached file size limit of monitored files
+          when the 'file_size' option is disabled.
+
+    input_description: An external YAML file (configuration_diff_size.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_file_size_disabled.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*The (.*) of the file size .* exceeds the disk_quota.*' (if the test fails)
+
+    tags:
+        - diff
+        - scheduled
+    '''
+    to_write = generate_string(test_metadata.get('string_size'), '0')
+    write_file(test_metadata.get('file_to_monitor'), data=to_write)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(FILE_SIZE_LIMIT_REACHED), timeout=30)
+    assert (wazuh_log_monitor.callback_result == None), f'Error exceeds disk quota detected.'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_values.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_values.py
new file mode 100644
index 0000000000..320a0783ba
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_file_size_values.py
@@ -0,0 +1,190 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if FIM limits the size of
+       the file monitored to generate 'diff' information to the limit set in the 'file_size' tag
+       when the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-size
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+import os
+
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG, FILE_MAX_SIZE
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import FILE_SIZE_LIMIT_REACHED, EVENT_TYPE_ADDED, ERROR_MSG_FIM_EVENT_NOT_DETECTED, ERROR_MSG_FILE_LIMIT_REACHED, DIFF_FOLDER_DELETED, ERROR_MSG_FOLDER_DELETED
+from wazuh_testing.modules.fim.utils import make_diff_file_path
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file, translate_size
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_file_size_values.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_diff_size.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: 2, FILE_MAX_SIZE: 0}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_file_size_values(test_configuration, test_metadata, configure_local_internal_options,
+                                    truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon limits the size of the monitored file to generate
+                 'diff' information from the limit set in the 'file_size' tag. For this purpose, the test
+                 will monitor a directory, create a testing file smaller than the 'file_limit' value,
+                 and check if the compressed file has been created. Then, it will increase the size of
+                 the testing file. Finally, the test will verify that the FIM event related to the reached
+                 file size limit has been generated, and the compressed file in the 'queue/diff/local'
+                 directory does not exist.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that the 'diff' folder is created when a monitored file does not exceed the size limit.
+        - Verify that FIM events are generated indicating the size limit reached of monitored files
+          to generate 'diff' information when a limit is set in the 'file_size' tag.
+        - Verify that the 'diff' folder is removed when a monitored file exceeds the size limit.
+
+    input_description: An external YAML file (configuration_diff_size.yaml) includes configuration settings for the agent.
+                       Different test cases are found in the cases_file_size_values.yaml file and include parameters for
+                       the environment setup, the requests to be made, and the expected result.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+        - r'.*Folder .* has been deleted.*'
+        - r'.*File .* is too big for configured maximum size to perform diff operation'
+
+    tags:
+        - diff
+        - scheduled
+    '''
+    size_limit = translate_size(test_metadata.get('file_size_limit'))
+    diff_file_path = make_diff_file_path(folder=test_metadata.get('folder_to_monitor'), filename=test_metadata.get('filename'))
+    test_file_path = os.path.join(test_metadata.get('folder_to_monitor'), test_metadata.get('filename'))
+
+    # Create file with a smaller size than the configured value
+    to_write = generate_string(int(size_limit / 2), '0')
+    write_file(test_file_path, data=to_write)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+
+    if not os.path.exists(diff_file_path):
+        pytest.raises(FileNotFoundError(f"{diff_file_path} not found. It should exist before increasing the size."))
+
+    # Increase the size of the file over the configured value
+    to_write = generate_string(size_limit, '0')
+    write_file(test_file_path, data=to_write * 3)
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(DIFF_FOLDER_DELETED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FOLDER_DELETED
+
+    if os.path.exists(diff_file_path):
+        pytest.raises(FileExistsError(f"{diff_file_path} found. It should not exist after incresing the size."))
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(generate_callback(FILE_SIZE_LIMIT_REACHED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FILE_LIMIT_REACHED
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_large_changes.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_large_changes.py
new file mode 100644
index 0000000000..94298e66d2
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_large_changes.py
@@ -0,0 +1,203 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM events include
+       the 'content_changes' field with the tag 'More changes' when it exceeds the maximum size
+       allowed, and the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Solaris 10
+    - Solaris 11
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+import os
+import sys
+
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.platforms import WINDOWS, MACOS
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_MODIFIED, EVENT_TYPE_ADDED, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import truncate_file, write_file_write
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = ''
+if sys.platform == MACOS:
+    cases_path = Path(TEST_CASES_PATH, 'cases_large_changes_macos.yaml')
+else:
+    cases_path = Path(TEST_CASES_PATH, 'cases_large_changes.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_large_changes.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: 2}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_large_changes(test_configuration, test_metadata, configure_local_internal_options,
+                        truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects the character limit in the file changes is reached
+                 showing the 'More changes' tag in the 'content_changes' field of the generated events. For this
+                 purpose, the test will monitor a directory, add a testing file and modify it, adding more characters
+                 than the allowed limit. Then, it will unzip the 'diff' and get the size of the changes. Finally,
+                 the test will verify that the generated FIM event contains in its 'content_changes' field the proper
+                 value depending on the test case.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that FIM events are generated when adding and modifying the testing file.
+        - Verify that FIM events include the 'content_changes' field with the 'More changes' tag when
+          the changes made on the testing file have more characters than the allowed limit.
+        - Verify that FIM events include the 'content_changes' field with the old content
+          of the monitored file.
+        - Verify that FIM events include the 'content_changes' field with the new content
+          of the monitored file when the old content is lower than the allowed limit or
+          the testing platform is Windows.
+
+    input_description: The file 'configuration_large_changes.yaml' provides the configuration template.
+                       The file 'cases_large_changes.yaml' provides the test cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)
+        - The 'More changes' message appears in content_changes when the changes size is bigger than the set limit.
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    limit = 50000
+    test_file_path = os.path.join(test_metadata.get('folder_to_monitor'), test_metadata.get('filename'))
+
+    # Create the file and and capture the event.
+    truncate_file(WAZUH_LOG_PATH)
+    original_string = generate_string(test_metadata.get('original_size'), '0')
+    write_file_write(test_file_path, content=original_string)
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+
+    # Modify the file with new content
+    truncate_file(WAZUH_LOG_PATH)
+    modified_string = generate_string(test_metadata.get('modified_size'), '1')
+    write_file_write(test_file_path, content=modified_string)
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED), timeout=20)
+    assert wazuh_log_monitor.callback_result
+
+    event = get_fim_event_data(wazuh_log_monitor.callback_result)
+
+    # Assert 'More changes' is shown when the command returns more than 'limit' characters
+    if test_metadata.get('has_more_changes'):
+        assert 'More changes' in event['content_changes'], 'Did not find event with "More changes" within content_changes.'
+    else:
+        assert 'More changes' not in event['content_changes'], '"More changes" found within content_changes.'
+
+    # Assert old content is shown in content_changes
+    assert '0' in event['content_changes'], '"0" is the old value but it is not found within content_changes'
+
+    # Assert new content is shown when old content is lower than the limit or platform is Windows
+    if test_metadata.get('original_size') < limit or sys.platform == WINDOWS:
+        assert '1' in event['content_changes'], '"1" is the new value but it is not found within content_changes'
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_changes_and_diff.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_changes_and_diff.py
new file mode 100644
index 0000000000..fd81fb42c4
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_changes_and_diff.py
@@ -0,0 +1,211 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM events include
+       the 'content_changes' field with the tag 'More changes' when it exceeds the maximum size
+       allowed, and the 'report_changes' option is enabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Solaris 10
+    - Solaris 11
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+import os
+import sys
+
+from pathlib import Path
+
+import pytest
+
+from wazuh_testing.constants.platforms import MACOS
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_MODIFIED, EVENT_TYPE_ADDED, ERROR_MSG_FIM_EVENT_NOT_DETECTED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import make_diff_file_path, get_fim_event_data
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file_write, delete_files_in_folder, truncate_file
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = ''
+if sys.platform == MACOS:
+    cases_path = Path(TEST_CASES_PATH, 'cases_report_changes_and_diff_macos.yaml')
+else:
+    cases_path = Path(TEST_CASES_PATH, 'cases_report_changes_and_diff.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_report_changes_and_diff.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: 2}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_reports_file_and_nodiff(test_configuration, test_metadata, configure_local_internal_options,
+                        truncate_monitored_files, set_wazuh_configuration, create_paths_files, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon reports the file changes (or truncates if required)
+                 in the generated events using the 'nodiff' tag and vice versa. For this purpose, the test
+                 will monitor a directory and make file operations inside it. Then, it will check if a
+                 'diff' file is created for the modified testing file. Finally, if the testing file matches
+                 the 'nodiff' tag, the test will verify that the FIM event generated contains in its
+                 'content_changes' field a message indicating that 'diff' is truncated because
+                 the 'nodiff' option is used.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - create_paths_files:
+            type: list
+            brief: Create the required directory or file to edit.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that for each modified file a 'diff' file is generated.
+        - Verify that FIM events include the 'content_changes' field.
+        - Verify that FIM events truncate the modifications made in a monitored file
+          when it matches the 'nodiff' tag.
+        - Verify that FIM events include the modifications made in a monitored file
+          when it does not match the 'nodiff' tag.
+
+    input_description: A test case is contained in external YAML files (configuration_report_changes_and_diff.yaml, cases_report_changes_and_diff.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and, these are
+                       combined with the testing directories to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
+
+    tags:
+        - diff
+        - scheduled
+    '''
+    is_truncated = 'testdir_nodiff' in test_metadata.get('folder')
+    folder = test_metadata.get('folder')
+    test_file_path = os.path.join(folder, test_metadata.get('filename'))
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    # Create the file and and capture the event.
+    truncate_file(WAZUH_LOG_PATH)
+    original_string = generate_string(1, '0')
+    write_file_write(test_file_path, content=original_string)
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_ADDED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+
+    # Modify the file with new content.
+    truncate_file(WAZUH_LOG_PATH)
+    modified_string = generate_string(10, '1')
+    write_file_write(test_file_path, content=modified_string)
+
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_MODIFIED), timeout=20)
+    assert wazuh_log_monitor.callback_result
+    event = get_fim_event_data(wazuh_log_monitor.callback_result)
+
+    # Validate content_changes attribute exists in the event
+    diff_file = make_diff_file_path(folder=test_metadata.get('folder'), filename=test_metadata.get('filename'))
+    assert os.path.exists(diff_file), f'{diff_file} does not exist'
+    assert event.get('content_changes') is not None, 'content_changes is empty'
+
+    # Validate content_changes value is truncated if the file is set to no_diff
+    if is_truncated:
+        assert "Diff truncated due to 'nodiff' configuration detected for this file." in event.get('content_changes'), \
+            'content_changes is not truncated'
+    else:
+        assert "Diff truncated due to 'nodiff' configuration detected for this file." not in event.get('content_changes'), \
+            'content_changes is truncated'
+
+    truncate_file(WAZUH_LOG_PATH)
+    delete_files_in_folder(folder)
+    wazuh_log_monitor.start(generate_callback(EVENT_TYPE_DELETED))
+    assert get_fim_event_data(wazuh_log_monitor.callback_result)['mode'] == test_metadata.get('fim_mode')
diff --git a/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_deleted_diff.py b/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_deleted_diff.py
new file mode 100644
index 0000000000..87b6c429c5
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_report_changes/test_report_deleted_diff.py
@@ -0,0 +1,185 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if FIM manages properly
+       the 'diff' folder created in the 'queue/diff/local' directory when removing a monitored
+       folder or the 'report_changes' option is disabled.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_report_changes
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_report_changes
+'''
+import os
+
+from pathlib import Path
+
+import pytest
+import time
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, ERROR_MSG_FIM_EVENT_NOT_DETECTED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.fim.utils import make_diff_file_path
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.file import write_file, delete_files_in_folder
+from wazuh_testing.utils.string import generate_string
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=1)]
+
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_report_deleted_diff.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_report_deleted_diff.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+
+# Set configurations required by the fixtures.
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: 2}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_report_when_deleted_directories(test_configuration, test_metadata, configure_local_internal_options,
+                        truncate_monitored_files, set_wazuh_configuration, create_paths_files, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon deletes the 'diff' folder created in the 'queue/diff/local'
+                 directory when removing a monitored folder and the 'report_changes' option is enabled.
+                 For this purpose, the test will monitor a directory and add a testing file inside it. Then,
+                 it will check if a 'diff' file is created for the modified testing file. Finally, the test
+                 will remove the monitored folder, wait for the FIM 'deleted' event, and verify that
+                 the corresponding 'diff' folder is deleted.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - create_paths_files:
+            type: list
+            brief: Create the required directory or file to edit.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that the FIM event is generated when removing the monitored folder.
+        - Verify that FIM adds the 'diff' file in the 'queue/diff/local' directory
+          when monitoring the corresponding testing file.
+        - Verify that FIM deletes the 'diff' folder in the 'queue/diff/local' directory
+          when removing the corresponding monitored folder.
+
+    input_description: Different test cases are contained in external YAML file (configuration_report_deleted_diff.yaml) which
+                       includes configuration settings for the 'wazuh-syscheckd' daemon and, these
+                       are combined with the testing directory to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('deleted' events)
+
+    tags:
+        - diff
+        - scheduled
+    '''
+    fim_mode = test_metadata.get('fim_mode')
+    folder = test_metadata.get('folder')
+    test_file_path = os.path.join(folder, test_metadata.get('filename'))
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    # Create the file and and capture the event.
+    original_string = generate_string(1, '0')
+    write_file(test_file_path, data=original_string)
+
+    wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_ADDED), timeout=30)
+    assert wazuh_log_monitor.callback_result, ERROR_MSG_FIM_EVENT_NOT_DETECTED
+
+    # Validate content_changes attribute exists in the event
+    diff_file = make_diff_file_path(folder=test_metadata.get('folder'), filename=test_metadata.get('filename'))
+    assert os.path.exists(diff_file), f'{diff_file} does not exist'
+
+    delete_files_in_folder(folder)
+    wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_DELETED))
+
+    # Wait a second so diff path is deleted
+    if 'scheduled' not in fim_mode:
+        time.sleep(2)
+    assert not os.path.exists(diff_file), f'{diff_file} exists'
diff --git a/src/modules/fim/tests/integration/test_files/test_restrict/__init__.py b/src/modules/fim/tests/integration/test_files/test_restrict/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_restrict/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_restrict/data/configuration_templates/config_restrict.yaml b/src/modules/fim/tests/integration/test_files/test_restrict/data/configuration_templates/config_restrict.yaml
new file mode 100644
index 0000000000..772429f86d
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_restrict/data/configuration_templates/config_restrict.yaml
@@ -0,0 +1,27 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: 2
+        - directories:
+            value: TEST_DIRECTORIES
+            attributes:
+              - check_all: 'yes'
+              - FIM_MODE
+              - restrict: RESTRICT
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_restrict/data/test_cases/cases_restrict.yaml b/src/modules/fim/tests/integration/test_files/test_restrict/data/test_cases/cases_restrict.yaml
new file mode 100644
index 0000000000..634da7814c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_restrict/data/test_cases/cases_restrict.yaml
@@ -0,0 +1,159 @@
+- name: Restrict valid_empty
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: ""
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2.txt]
+    fim_mode: 'realtime'
+    restrict: ""
+    data: ['testfile2.txt', True]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: .restricted.txt$
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1,.restricted.txt]
+    fim_mode: 'realtime'
+    restrict: .restricted.txt$
+    data: ['.restricted.txt', True]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: .restricted.txt$
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, binary.restricted.txt]
+    fim_mode: 'realtime'
+    restrict: .restricted.txt$
+    data: ['binary.restricted.txt', True]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: ^restricted
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2.txt]
+    fim_mode: 'realtime'
+    restrict: ^restricted
+    data: ['testfile2.txt', False]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: filerestricted|other_restricted.txt$
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testfile2.txt]
+    fim_mode: 'realtime'
+    restrict: filerestricted|other_restricted.txt$
+    data: ['testfile2.txt', False]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: filerestricted|other_restricted.txt$
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, myother_restricted.txt]
+    fim_mode: 'realtime'
+    restrict: filerestricted|other_restricted.txt$
+    data: ['myother_restricted.txt', True]
+
+- name: Restrict valid regex
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: filerestricted|other_restricted.txt$
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, myfilerestricted.txt]
+    fim_mode: 'realtime'
+    restrict: filerestricted|other_restricted.txt$
+    data: ['myfilerestricted.txt', True]
+
+- name: Restrict valid_regex_incomplete_unix
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: ^/testdir1/f|^/testdir1/subdir/f
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, fileinfolder.txt]
+    fim_mode: 'realtime'
+    restrict: ^/testdir1/f|^/testdir1/subdir/f
+    data: ['fileinfolder.txt', True]
+
+- name: Restrict valid_regex_incomplete_unix
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: ^/testdir1/f|^/testdir1/subdir/f
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, fileinfolder1.txt]
+    fim_mode: 'realtime'
+    restrict: ^/testdir1/f|^/testdir1/subdir/f
+    data: ['fileinfolder1.txt', True]
+
+- name: Restrict valid_regex_incomplete_unix
+  description: ''
+  configuration_parameters:
+    BASE_DIR: !!python/object/apply:os.path.join
+              args: [/testdir1]
+    TEST_DIRECTORIES: '/testdir1'
+    FIM_MODE:
+      realtime: 'yes'
+    RESTRICT: ^/testdir1/f|^/testdir1/subdir/f
+  metadata:
+    folder_to_monitor: !!python/object/apply:os.path.join [/testdir1]
+    file_to_monitor: !!python/object/apply:os.path.join [/testdir1, testing_regex.txt]
+    fim_mode: 'realtime'
+    restrict: ^/testdir1/f|^/testdir1/subdir/f
+    data: ['testing_regex.txt', False]
diff --git a/src/modules/fim/tests/integration/test_files/test_restrict/test_restrict.py b/src/modules/fim/tests/integration/test_files/test_restrict/test_restrict.py
new file mode 100644
index 0000000000..43aa9d5b2c
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_restrict/test_restrict.py
@@ -0,0 +1,160 @@
+"""
+ copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM generates events
+       only for file operations in monitored directories that do not match the 'restrict' attribute.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: files_restrict
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_restrict
+"""
+
+import sys
+import pytest
+import os
+
+from pathlib import Path
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.agentd.configuration import AGENTD_DEBUG, AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, FIM_EVENT_RESTRICT
+from wazuh_testing.modules.fim.utils import get_fim_event_data
+from wazuh_testing.modules.monitord.configuration import MONITORD_ROTATE_LOG
+from wazuh_testing.modules.fim import configuration
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Pytest marks to run on any service type on linux.
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=2)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_restrict.yaml')
+config_path = Path(CONFIGS_PATH, 'config_restrict.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+local_internal_options = {configuration.SYSCHECK_DEBUG: 2, AGENTD_DEBUG: 2, MONITORD_ROTATE_LOG: 0}
+if sys.platform == WINDOWS: local_internal_options.update({AGENTD_WINDOWS_DEBUG: 2})
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_restrict(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                  truncate_monitored_files, folder_to_monitor, daemons_handler, file_to_monitor):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects or ignores events in monitored files depending
+                 on the value set in the 'restrict' attribute. This attribute limit checks to files that match
+                 the entered string or regex and its file name. For this purpose, the test will monitor a folder
+                 and create a testing file inside it. Finally, the test will verify that FIM 'added' events are
+                 generated only for the testing files that not are restricted.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 2
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - file_to_monitor:
+            type: str
+            brief: File created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+
+    assertions:
+        - Verify that FIM events are only generated for file operations in monitored directories
+          that do not match the 'restrict' attribute.
+        - Verify that FIM 'ignoring' events are generated for monitored files that are restricted.
+
+    input_description: Different test cases are contained in external YAML file (wazuh_conf.yaml) which
+                       includes configuration settings for the 'wazuh-syscheckd' daemon and, these
+                       are combined with the testing directories to be monitored defined in the module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' events)
+        - r'.*Ignoring entry .* due to restriction .*'
+
+    tags:
+        - scheduled
+    '''
+
+    path = os.path.join(test_metadata['folder_to_monitor'], test_metadata['data'][0])
+
+    monitor = FileMonitor(WAZUH_LOG_PATH)
+    
+    if test_metadata['data'][1] == True:
+        monitor.start(generate_callback(EVENT_TYPE_ADDED))
+        print(monitor.callback_result)
+        assert monitor.callback_result
+        fim_data = get_fim_event_data(monitor.callback_result)
+        assert fim_data['path'] == path
+    else:
+        ignored_file = monitor.start(generate_callback(FIM_EVENT_RESTRICT))
+        assert monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/__init__.py b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/configuration_templates/conf_win_system_folder_redir.yaml b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/configuration_templates/conf_win_system_folder_redir.yaml
new file mode 100644
index 0000000000..86d9a8db1a
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/configuration_templates/conf_win_system_folder_redir.yaml
@@ -0,0 +1,32 @@
+- sections:
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'no'
+        - frequency:
+            value: INTERVAL
+        - directories:
+            value: TEST_DIRECTORIES
+            attributes:
+              - realtime: REALTIME
+              - whodata: WHODATA
+              - recursion_level: 0
+        - windows_audit_interval:
+            value: 500
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/test_cases/cases_windows_system_folder_redirection.yaml b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/test_cases/cases_windows_system_folder_redirection.yaml
new file mode 100644
index 0000000000..b6a77fd7f1
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/data/test_cases/cases_windows_system_folder_redirection.yaml
@@ -0,0 +1,134 @@
+- name: monitor /Windows/System32 - scheduled
+  description: Monitor the System32 folder without redirection in Scheduled mode
+  configuration_parameters:
+    INTERVAL: 3
+    REALTIME: 'no'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+    fim_mode: scheduled
+  metadata:
+    folder: system32
+    fim_mode: scheduled
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor /Windows/System32 - realtime
+  description: Monitor the System32 folder without redirection in Realtime mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+    fim_mode: realtime
+  metadata:
+    folder: system32
+    fim_mode: realtime
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor /Windows/System32 - whodata
+  description: Monitor the System32 folder without redirection in Whodata mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+    fim_mode: whodata
+  metadata:
+    folder: system32
+    fim_mode: whodata
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor /Windows/Sysnative - scheduled
+  description: Monitor the System32 through Sysnative redirection in Scheduled mode
+  configuration_parameters:
+    INTERVAL: 3
+    REALTIME: 'no'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+    fim_mode: scheduled
+  metadata:
+    folder: system32
+    fim_mode: scheduled
+    redirected: true
+    folder_to_monitor: !!python/object/apply:os.path.join
+        args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor /Windows/Sysnative - realtime
+  description: Monitor the System32 through Sysnative redirection in Realtime mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+    fim_mode: realtime
+  metadata:
+    folder: system32
+    fim_mode: realtime
+    redirected: true
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor /Windows/Sysnative - whodata
+  description: Monitor the System32 through Sysnative redirection in Whodata mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+    fim_mode: whodata
+  metadata:
+    folder: system32
+    fim_mode: whodata
+    redirected: true
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor SyWOW64 - scheduled
+  description: Monitor the SysWOW64 without redirection in Scheduled mode
+  configuration_parameters:
+    INTERVAL: 3
+    REALTIME: 'no'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+    fim_mode: scheduled
+  metadata:
+    folder: syswow64
+    fim_mode: scheduled
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor SysWOW64 - realtime
+  description: Monitor the SysWOW64 without redirection in Realtime mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'yes'
+    WHODATA: 'no'
+    TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+    fim_mode: realtime
+  metadata:
+    folder: syswow64
+    fim_mode: realtime
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
+
+- name: monitor SysWOW64 - whodata
+  description: Monitor the SysWOW64 without redirection in Whodata mode
+  configuration_parameters:
+    INTERVAL: 10000
+    REALTIME: 'no'
+    WHODATA: 'yes'
+    TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+    fim_mode: whodata
+  metadata:
+    folder: syswow64
+    fim_mode: whodata
+    redirected: false
+    folder_to_monitor: !!python/object/apply:os.path.join
+          args: [\%WINDIR\%, System32, testdir1]
diff --git a/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/test_windows_system_folder_redirection.py b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/test_windows_system_folder_redirection.py
new file mode 100644
index 0000000000..5e0b3cc874
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_files/test_windows_system_folder_redirection/test_windows_system_folder_redirection.py
@@ -0,0 +1,151 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are
+       added, modified or deleted. Specifically, these tests will check that FIM is able to monitor Windows system
+       folders. FIM can redirect %WINDIR%/Sysnative monitoring toward System32 folder, so the tests also check that
+       when monitoring Sysnative the path is converted to system32 and events are generated there properly.
+
+components:
+    - fim
+
+suite: windows_system_folder_redirection
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - windows
+
+os_version:
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+
+pytest_args:
+    - fim_mode:
+        scheduled: File monitoring is done after every configured interval elapses.
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - windows_folder_redirection
+'''
+from pathlib import Path
+
+import os
+
+import pytest
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, WIN_CONVERT_FOLDER
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_windows_system_folder_redirection.yaml')
+config_path = Path(CONFIGS_PATH, 'conf_win_system_folder_redir.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2, AGENTD_WINDOWS_DEBUG: 2 }
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_windows_system_monitoring(test_configuration, test_metadata, configure_local_internal_options,
+                             truncate_monitored_files, set_wazuh_configuration, folder_to_monitor, daemons_handler):
+    '''
+    description: Check if the 'wazuh-syscheckd' monitors the windows system folders (System32 and SysWOW64) properly,
+    and that monitoring for Sysnative folder is redirected to System32 and works properly.
+
+    test_phases:
+        - setup:
+            - Set wazuh configuration and local_internal_options.
+            - Create custom folder for monitoring
+            - Clean logs files and restart wazuh to apply the configuration.
+        - test:
+            - In case of monitoring Sysnative, check it is redirected to System32.
+            - Write file in monitored folders, and check logs appear.
+        - teardown:
+            - Delete custom monitored folder
+            - Restore configuration
+            - Stop wazuh
+
+    wazuh_min_version: 4.6.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - folder_to_monitor:
+            type: str
+            brief: Folder created for monitoring.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that for each modified file a FIM event is generated.
+        - Verify that log due to folder converted is generated.
+
+    input_description: The file 'configuration_windows_system_folder_redirection.yaml' provides the configuration
+                       template.
+                       The file 'cases_windows_system_folder_redirection.yaml' provides the tes cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r'.*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events.'
+        - r'.*Sending FIM event: (.+)$' ('added' events)'
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    # If monitoring sysnative, check redirection log message
+    if test_metadata['redirected']:
+        wazuh_log_monitor.start(callback=generate_callback(WIN_CONVERT_FOLDER))
+        assert wazuh_log_monitor.callback_result
+
+    file_to_monitor = os.path.join(test_metadata['folder_to_monitor'], 'testfile')
+
+    # Write the file
+    file.write_file(file_to_monitor)
+    wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_ADDED))
diff --git a/src/modules/fim/tests/integration/test_registry/__init__.py b/src/modules/fim/tests/integration/test_registry/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/__init__.py b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/__init__.py
new file mode 100644
index 0000000000..be20efa8ec
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/__init__.py
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_key.yaml b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_key.yaml
new file mode 100644
index 0000000000..0d754859ab
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_key.yaml
@@ -0,0 +1,27 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - windows_registry:
+          value: WINDOWS_REGISTRY
+          attributes:
+            - check_all: 'yes'
+            - arch: ARCH
+            - restrict_key: RESTRICT_KEY
+      - frequency:
+          value: 3
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+    - section: wodle
+      attributes:
+        - name: 'syscollector'
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_value.yaml b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_value.yaml
new file mode 100644
index 0000000000..1cc803c065
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/configuration_templates/configuration_registry_restrict_value.yaml
@@ -0,0 +1,27 @@
+- sections:
+    - section: syscheck
+      elements:
+      - disabled:
+          value: 'no'
+      - windows_registry:
+          value: WINDOWS_REGISTRY
+          attributes:
+            - check_all: 'yes'
+            - arch: ARCH
+            - restrict_value: RESTRICT_VALUE
+      - frequency:
+          value: 3
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+    - section: wodle
+      attributes:
+        - name: 'syscollector'
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_key.yaml b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_key.yaml
new file mode 100644
index 0000000000..42f3f43817
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_key.yaml
@@ -0,0 +1,58 @@
+- name: Key restrict not triggers event x64
+  description: The event should not trigger when the key does not match the restriction on a 64-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_KEY: 'key_restrict$'
+    ARCH: '64bit'
+  metadata:
+    fim_mode: scheduled
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x64'
+    triggers_event: !!python/object/apply:eval ['False']
+
+- name: Key restrict not triggers event x32
+  description: The event should not trigger when the key does not match the restriction on a 32-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_KEY: 'key_restrict$'
+    ARCH: '32bit'
+  metadata:
+    fim_mode: scheduled
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x32'
+    triggers_event: !!python/object/apply:eval ['False']
+
+- name: Key restrict triggers event x64
+  description: The event should trigger when the key matches the restriction on a 64-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_KEY: 'testkey$'
+    ARCH: '64bit'
+  metadata:
+    fim_mode: scheduled
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x64'
+    triggers_event: !!python/object/apply:eval ['True']
+
+- name: Key restrict triggers event x32
+  description: The event should trigger when the key matches the restriction on a 32-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, testkey]
+    RESTRICT_KEY: 'testkey$'
+    ARCH: '32bit'
+  metadata:
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, testkey]
+    arch: 'x32'
+    triggers_event: !!python/object/apply:eval ['True']
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_value.yaml b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_value.yaml
new file mode 100644
index 0000000000..6d8897d204
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/data/test_cases/cases_registry_restrict_value.yaml
@@ -0,0 +1,59 @@
+- name: Value restrict not triggers event x64
+  description: The event should not trigger when the value does not match the restriction on a 64-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_VALUE: 'value_restrict$'
+    ARCH: '64bit'
+  metadata:
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x64'
+    value_name: 'some_value'
+    triggers_event: !!python/object/apply:eval ['False']
+
+- name: Value restrict not triggers event x32
+  description: The event should not trigger when the value does not match the restriction on a 32-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_VALUE: 'value_restrict$'
+    ARCH: '32bit'
+  metadata:
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x32'
+    value_name: 'some_value'
+    triggers_event: !!python/object/apply:eval ['False']
+
+- name: Value restrict not triggers event x64
+  description: The event should trigger when the value matches the restriction on a 64-bit system.
+  configuration_parameters:
+    WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+          args: [HKEY_LOCAL_MACHINE, SOFTWARE, Classes, testkey]
+    RESTRICT_VALUE: 'value_restrict$'
+    ARCH: '64bit'
+  metadata:
+    key: 'HKEY_LOCAL_MACHINE'
+    sub_key: !!python/object/apply:os.path.join
+          args: [SOFTWARE, Classes, testkey]
+    arch: 'x64'
+    value_name: 'value_restrict'
+    triggers_event: !!python/object/apply:eval ['True']
+
+- name: Value restrict triggers event x32
+  description: The event should trigger when the value matches the restriction on a 32-bit system.
+  configuration_parameters:
+   WINDOWS_REGISTRY: !!python/object/apply:os.path.join
+         args: [HKEY_LOCAL_MACHINE, SOFTWARE, testkey]
+   RESTRICT_VALUE: 'value_restrict$'
+   ARCH: '32bit'
+  metadata:
+   key: 'HKEY_LOCAL_MACHINE'
+   sub_key: !!python/object/apply:os.path.join
+         args: [SOFTWARE, testkey]
+   arch: 'x32'
+   value_name: 'value_restrict'
+   triggers_event: !!python/object/apply:eval ['True']
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_key.py b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_key.py
new file mode 100644
index 0000000000..54ccdfac67
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_key.py
@@ -0,0 +1,178 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM generates events
+       only for registry entry operations in monitored keys that do not match the 'restrict_key'
+       or the 'restrict_value' attributes.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: registry_restrict
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - windows
+
+os_version:
+    - Windows 10
+    - Windows 8
+    - Windows 7
+    - Windows Server 2019
+    - Windows Server 2016
+    - Windows Server 2012
+    - Windows Server 2003
+    - Windows XP
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_registry_restrict
+'''
+from pathlib import Path
+
+import os
+import sys
+
+if sys.platform == 'win32':
+    import win32con
+    from win32con import KEY_WOW64_32KEY, KEY_WOW64_64KEY
+
+import pytest
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_DELETED, IGNORING_DUE_TO_RESTRICTION
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.configuration import SYSCHECK_DEBUG
+from wazuh_testing.modules.fim.utils import get_fim_event_data, delete_registry
+
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+
+pytestmark = [pytest.mark.agent, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_registry_restrict_key.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_registry_restrict_key.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {SYSCHECK_DEBUG: 2}
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_restrict_key(test_configuration, test_metadata,configure_local_internal_options,
+                            truncate_monitored_files, set_wazuh_configuration, daemons_handler, detect_end_scan, create_registry_key):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects or ignores events in monitored registry entries
+                 depending on the value set in the 'restrict_key' attribute. This attribute limit checks to
+                 keys that match the entered string or regex and its name. For this purpose, the test will
+                 monitor a key, create testing subkeys inside it, and make operations on those subkeys. Finally,
+                 the test will verify that FIM 'added' and 'deleted' events are generated only for the testing
+                 subkeys that are not restricted.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - create_registry_key
+            type: fixture
+            brief: Create windows registry key.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that FIM events are only generated for operations in monitored keys
+          that do not match the 'restrict_key' attribute.
+        - Verify that FIM 'ignoring' events are generated for monitored keys that are restricted.
+
+    input_description: The file 'configuration_registry_restrict_key.yaml' provides the configuration
+                       template.
+                       The file 'cases_registry_restrict_key.yaml' provides the tes cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added', 'deleted' events)
+        - r'.*Ignoring entry .* due to restriction .*'
+
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    if test_metadata['triggers_event']:
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_ADDED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'added', 'Event type not equal'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Event path not equal'
+        assert event['arch'].strip('[]') == test_metadata['arch'], 'Arch not equal'
+
+        delete_registry(win32con.HKEY_LOCAL_MACHINE, test_metadata['sub_key'], KEY_WOW64_64KEY if test_metadata['arch'] == 'x64' else KEY_WOW64_32KEY)
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_DELETED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'deleted', 'Event type not equal'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Event path not equal'
+        assert event['arch'].strip('[]') == test_metadata['arch'], 'Arch not equal'
+    else:
+        wazuh_log_monitor.start(callback=generate_callback(IGNORING_DUE_TO_RESTRICTION))
+        assert wazuh_log_monitor.callback_result
+
+        delete_registry(win32con.HKEY_LOCAL_MACHINE, test_metadata['sub_key'], KEY_WOW64_64KEY if test_metadata['arch'] == 'x64' else KEY_WOW64_32KEY)
+
+        wazuh_log_monitor.start(callback=generate_callback(IGNORING_DUE_TO_RESTRICTION), only_new_events=True)
+        assert not wazuh_log_monitor.callback_result
+
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_DELETED))
+        assert not wazuh_log_monitor.callback_result
diff --git a/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_value.py b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_value.py
new file mode 100644
index 0000000000..8e834db2cf
--- /dev/null
+++ b/src/modules/fim/tests/integration/test_registry/test_registry_restrict/test_registry_restrict_value.py
@@ -0,0 +1,203 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will verify that FIM generates events
+       only for registry entry operations in monitored keys that do not match the 'restrict_key'
+       or the 'restrict_value' attributes.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+       files for changes to the checksums, permissions, and ownership.
+
+components:
+    - fim
+
+suite: registry_restrict
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - windows
+
+os_version:
+    - Windows 10
+    - Windows 8
+    - Windows 7
+    - Windows Server 2019
+    - Windows Server 2016
+    - Windows Server 2012
+    - Windows Server 2003
+    - Windows XP
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_registry_restrict
+'''
+from pathlib import Path
+
+import os
+import sys
+
+if sys.platform == 'win32':
+    import win32con
+    from win32con import KEY_WOW64_32KEY, KEY_WOW64_64KEY
+
+import pytest
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.utils.callbacks import generate_callback
+from wazuh_testing.utils import file
+from wazuh_testing.modules.fim.patterns import EVENT_TYPE_ADDED, EVENT_TYPE_MODIFIED, EVENT_TYPE_DELETED
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.modules.fim.utils import get_fim_event_data, delete_registry, delete_registry_value, create_registry_value
+
+
+from . import TEST_CASES_PATH, CONFIGS_PATH
+
+# Marks
+
+pytestmark = [pytest.mark.agent, pytest.mark.win32, pytest.mark.tier(level=1)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_registry_restrict_value.yaml')
+config_path = Path(CONFIGS_PATH, 'configuration_registry_restrict_value.yaml')
+test_configuration, test_metadata, cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Set configurations required by the fixtures.
+daemons_handler_configuration = {'all_daemons': True}
+local_internal_options = {AGENTD_WINDOWS_DEBUG: 2}
+
+# Tests
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=cases_ids)
+def test_restrict_value(test_configuration, test_metadata,configure_local_internal_options,
+                            truncate_monitored_files, set_wazuh_configuration, create_registry_key, daemons_handler, detect_end_scan):
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon detects or ignores events in monitored registry entries
+                 depending on the value set in the 'restrict_value' attribute. This attribute limit checks to
+                 keys that match the entered string or regex and its name. For this purpose, the test will
+                 monitor a key, create testing subkeys inside it, and make operations on their values. Finally,
+                 the test will verify that FIM 'added' and 'deleted' events are generated only for the testing
+                 subkeys that are not restricted.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 1
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Configuration values for ossec.conf.
+        - test_metadata:
+            type: dict
+            brief: Test case data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set local_internal_options.conf file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set ossec.conf configuration.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - create_registry_key
+            type: fixture
+            brief: Create windows registry key.
+        - detect_end_scan
+            type: fixture
+            brief: Check first scan end.
+
+    assertions:
+        - Verify that FIM events are only generated for operations in monitored keys
+          that do not match the 'restrict_key' attribute.
+        - Verify that FIM 'ignoring' events are generated for monitored keys that are restricted.
+
+    input_description: The file 'configuration_registry_restrict_value.yaml' provides the configuration
+                       template.
+                       The file 'cases_registry_restrict_value.yaml' provides the tes cases configuration
+                       details for each test case.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added', 'deleted' events)
+        - r'.*Ignoring entry .* due to restriction .*'
+
+    '''
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    # Create values
+    create_registry_value(win32con.HKEY_LOCAL_MACHINE, test_metadata['sub_key'], test_metadata['value_name'], win32con.REG_SZ, "added", KEY_WOW64_64KEY if test_metadata['arch'] == 'x64' else KEY_WOW64_32KEY)
+
+    if test_metadata['triggers_event']:
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_MODIFIED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'modified', 'Key event not modified'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Key event wrong path'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Key event arch not equal'
+
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_ADDED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'added', 'Event type not equal'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Event path not equal'
+        assert event['value_name'] == test_metadata['value_name'], 'Value name not equal'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Value event arch not equal'
+    else:
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_MODIFIED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'modified', 'Key event not modified'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Key event wrong path'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Key event arch not equal'
+
+    delete_registry_value(win32con.HKEY_LOCAL_MACHINE, test_metadata['sub_key'], test_metadata['value_name'], KEY_WOW64_64KEY if test_metadata['arch'] == 'x64' else KEY_WOW64_32KEY)
+
+    if test_metadata['triggers_event']:
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_MODIFIED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'modified', 'Key event not modified'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Key event wrong path'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Key event arch not equal'
+
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_DELETED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        assert event['type'] == 'deleted', 'Event type not equal'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Event path not equal'
+        assert event['value_name'] == test_metadata['value_name'], 'Value name not equal'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Value event arch not equal'
+    else:
+        wazuh_log_monitor.start(callback=generate_callback(EVENT_TYPE_MODIFIED))
+        assert wazuh_log_monitor.callback_result
+        event = get_fim_event_data(wazuh_log_monitor.callback_result)
+        # After deleting the value, we don't expect any message of the value because it's not in the DB
+        assert event['type'] == 'modified', 'Key event not modified'
+        assert event['path'] == os.path.join(test_metadata['key'], test_metadata['sub_key']), 'Key event wrong path'
+        assert event['arch'] == '[x32]' if test_metadata['arch'] == KEY_WOW64_32KEY else '[x64]', 'Key event arch not equal'
diff --git a/src/modules/fim/tests/unit/tests/CMakeLists.txt b/src/modules/fim/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..374fbb14fd
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,389 @@
+# Generate syscheck library
+if(${TARGET} STREQUAL "winagent")
+  file(GLOB sysfiles ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd-event.dir/src/*.obj
+                     ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd-event.dir/src/*/*.obj)
+  list(REMOVE_ITEM sysfiles ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd.dir/src/main.c.obj)
+else()
+  file(GLOB sysfiles ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd.dir/src/*.o
+                     ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd.dir/src/*/*.o)
+  list(REMOVE_ITEM sysfiles ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd.dir/src/main.c.o)
+endif()
+
+file(GLOB rootfiles ${SRC_FOLDER}/rootcheck/*.o)
+
+if(${TARGET} STREQUAL "winagent")
+  # Exclude winagent file
+  list(FILTER rootfiles EXCLUDE REGEX ".*_rk.o$")
+
+  # Add test wrappers
+  file(GLOB test_wrapper_files
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/audit/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/bzip2/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/cJSON/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/openssl/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/procpc/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/externals/sqlite/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/libc/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/linux/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/posix/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/os_crypto/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/os_net/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/os_regex/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/syscheckd/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/wazuh_db/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/wazuh/wazuh_modules/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/windows/*.o
+       ${SRC_FOLDER}/unit_tests/wrappers/windows/libc/*.o
+       )
+  list(APPEND sysfiles ${test_wrapper_files})
+endif()
+
+add_library(SYSCHECK_O STATIC ${sysfiles})
+add_library(ROOTCHECK_O STATIC ${rootfiles})
+
+set_source_files_properties(
+  ${sysfiles}
+  ${rootfiles}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  SYSCHECK_O
+  ROOTCHECK_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(SYSCHECK_O ROOTCHECK_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Add fim_tools library to compilation
+include_directories(${SRC_FOLDER}/syscheckd/include)
+include_directories(${SRC_FOLDER}/syscheckd/src)
+include_directories(${SRC_FOLDER}/unit_tests)
+include_directories(${SRC_FOLDER}/unit_tests/syscheckd)
+include_directories(${SRC_FOLDER}/config)
+
+add_library(fim_shared STATIC expect_run_check.c
+                              expect_fim_diff_changes.c
+                              utils.c)
+
+set_target_properties(fim_shared PROPERTIES LINKER_LANGUAGE C )
+
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Generate syscheckd-event library
+if(${TARGET} STREQUAL "winagent")
+  file(GLOB syscheck_event_files ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd-event.dir/src/*.obj
+                                 ${SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd-event.dir/src/*/*.obj)
+  list(REMOVE_ITEM sysfiles {SRC_FOLDER}/syscheckd/build/CMakeFiles/wazuh-syscheckd-event.dir/src/main.obj)
+  add_library(SYSCHECK_EVENT_O STATIC ${syscheck_event_files})
+
+  set_source_files_properties(
+    ${syscheck_event_files}
+    PROPERTIES
+    EXTERNAL_OBJECT true
+    GENERATED true
+    )
+
+  set_target_properties(
+    SYSCHECK_EVENT_O
+    ROOTCHECK_O
+    PROPERTIES
+    LINKER_LANGUAGE C
+    )
+
+  target_link_libraries(SYSCHECK_EVENT_O ROOTCHECK_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+  add_subdirectory(registry)
+endif()
+
+add_subdirectory(whodata)
+
+# Generate Syscheckd tests
+# syscom.c tests
+list(APPEND syscheckd_tests_names "syscom")
+set(FIM_SYSCOM_BASE_FLAGS "-Wl,--wrap,getSyscheckConfig -Wl,--wrap,getRootcheckConfig -Wl,--wrap,getSyscheckInternalOptions \
+                           -Wl,--wrap,getpid -Wl,--wrap,fim_sync_push_msg ${DEBUG_OP_WRAPPERS}")
+
+if(${TARGET} STREQUAL "winagent")
+  list(APPEND syscheckd_tests_flags "${FIM_SYSCOM_BASE_FLAGS} -Wl,--wrap=Start_win32_Syscheck -Wl,--wrap=fim_db_init -Wl,--wrap,fim_sync_push_msg \
+                                     -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key \
+                                     -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                                     -Wl,--wrap=fim_db_file_pattern_search -Wl,--wrap=fim_db_transaction_start \
+                                     -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_db_transaction_deleted_rows \
+                                     -Wl,--wrap=fim_db_file_update -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=is_fim_shutdown \
+                                     -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+  list(APPEND syscheckd_tests_flags "${FIM_SYSCOM_BASE_FLAGS}")
+endif()
+
+# fim_diff_changes.c tests
+set(FIM_DIFF_CHANGES_BASE_FLAGS "-Wl,--wrap,lstat -Wl,--wrap,stat \
+                                 -Wl,--wrap,fopen -Wl,--wrap,fread -Wl,--wrap,fclose -Wl,--wrap,fwrite -Wl,--wrap,wfopen \
+                                 -Wl,--wrap,w_compress_gzfile -Wl,--wrap,IsDir -Wl,--wrap,mkdir_ex -Wl,--wrap,fflush \
+                                 -Wl,--wrap,w_uncompress_gzfile -Wl,--wrap,OS_MD5_File -Wl,--wrap,File_DateofChange \
+                                 -Wl,--wrap,rename -Wl,--wrap,system -Wl,--wrap,fseek -Wl,--wrap,remove,--wrap=fprintf \
+                                 -Wl,--wrap=fgets -Wl,--wrap,atexit -Wl,--wrap,getpid,--wrap=_mdebug2,--wrap=rmdir_ex,--wrap=rename_ex \
+                                 -Wl,--wrap=DirSize,--wrap=remove_empty_folders,--wrap=abspath,--wrap=getpid \
+                                 -Wl,--wrap,fgetpos -Wl,--wrap=fgetc -Wl,--wrap=pthread_rwlock_wrlock -Wl,--wrap=pthread_mutex_lock \
+                                 -Wl,--wrap=pthread_mutex_unlock -Wl,--wrap=pthread_rwlock_unlock -Wl,--wrap=pthread_rwlock_rdlock \
+                                 -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                                 -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                                 -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_db_init -Wl,--wrap=fim_run_integrity \
+                                 -Wl,--wrap=fim_db_transaction_start -Wl,--wrap=fim_db_transaction_sync_row \
+                                 -Wl,--wrap=fim_db_transaction_deleted_rows -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+list(APPEND syscheckd_tests_names "fim_diff_changes")
+if(${TARGET} STREQUAL "winagent")
+  list(APPEND syscheckd_tests_flags "${FIM_DIFF_CHANGES_BASE_FLAGS} -Wl,--wrap=FileSizeWin -Wl,--wrap,fim_sync_push_msg \
+                                     -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                     -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                     -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+  list(APPEND syscheckd_tests_flags "${FIM_DIFF_CHANGES_BASE_FLAGS} -Wl,--wrap=unlink -Wl,--wrap=FileSize")
+endif()
+
+# run_realtime.c tests
+set(RUN_REALTIME_BASE_FLAGS "-Wl,--wrap,inotify_init -Wl,--wrap,inotify_add_watch -Wl,--wrap,fim_db_get_path -Wl,--wrap,fim_db_file_pattern_search \
+                             -Wl,--wrap,read -Wl,--wrap,rbtree_insert -Wl,--wrap,fim_db_init -Wl,--wrap,fim_db_file_update \
+                             -Wl,--wrap,W_Vector_insert_unique -Wl,--wrap,send_log_msg  -Wl,--wrap,fim_db_remove_path \
+                             -Wl,--wrap,rbtree_keys -Wl,--wrap,fim_realtime_event -Wl,--wrap=pthread_mutex_lock -Wl,--wrap,wfopen \
+                             -Wl,--wrap=pthread_mutex_unlock -Wl,--wrap=getpid -Wl,--wrap=atexit -Wl,--wrap=os_random \
+                             -Wl,--wrap,inotify_rm_watch -Wl,--wrap,pthread_rwlock_wrlock -Wl,--wrap,pthread_rwlock_unlock \
+                             -Wl,--wrap,fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode -Wl,--wrap,fim_db_get_count_file_entry \
+                             -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                             -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                             ${HASH_OP_WRAPPERS} ${DEBUG_OP_WRAPPERS}")
+
+list(APPEND syscheckd_tests_names "run_realtime")
+if(${TARGET} STREQUAL "winagent")
+  list(APPEND syscheckd_tests_flags "${RUN_REALTIME_BASE_FLAGS} -Wl,--wrap=fim_configuration_directory -Wl,--wrap,fim_sync_push_msg \
+                                     -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                     -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                     -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+
+  # Create event channel tests for run_realtime
+  list(APPEND syscheckd_event_tests_names "test_run_realtime_event")
+  list(APPEND syscheckd_event_tests_flags "${RUN_REALTIME_BASE_FLAGS} -Wl,--wrap=whodata_audit_start \
+                                           -Wl,--wrap=check_path_type,--wrap=set_winsacl,--wrap=w_directory_exists \
+                                           -Wl,--wrap,fim_sync_push_msg -Wl,--wrap=fim_db_get_count_registry_data \
+                                           -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch
+                                           -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                           -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+else()
+  list(APPEND syscheckd_tests_flags "${RUN_REALTIME_BASE_FLAGS}")
+endif()
+
+# syscheck_config.c tests
+set(SYSCHECK_CONFIG_BASE_FLAGS "-Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap,pthread_rwlock_unlock \
+                                -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_rwlock_wrlock \
+                                -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,fim_db_init \
+                                -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                                -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                                -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                                -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                                ${DEBUG_OP_WRAPPERS}")
+
+list(APPEND syscheckd_tests_names "config")
+if(${TARGET} STREQUAL "agent")
+  list(APPEND syscheckd_tests_flags "${SYSCHECK_CONFIG_BASE_FLAGS}")
+else()
+  if(${TARGET} STREQUAL "winagent")
+    list(APPEND syscheckd_tests_flags "${SYSCHECK_CONFIG_BASE_FLAGS} -Wl,--wrap,fim_sync_push_msg \
+                                      -Wl,--wrap=fim_db_get_count_registry_data \
+                                      -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                      -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                      -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+  else()
+    list(APPEND syscheckd_tests_flags "${SYSCHECK_CONFIG_BASE_FLAGS} -Wl,--wrap,getpid")
+  endif()
+endif()
+
+# syscheck.c tests
+set(SYSCHECK_BASE_FLAGS "-Wl,--wrap,fim_db_init -Wl,--wrap,getDefine_Int -Wl,--wrap,wfopen \
+                         -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                         -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                         -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                         -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                         ${DEBUG_OP_WRAPPERS}")
+list(APPEND syscheckd_tests_names "syscheck")
+if(${TARGET} STREQUAL "winagent")
+  list(APPEND syscheckd_tests_flags "${SYSCHECK_BASE_FLAGS} \
+                                    -Wl,--wrap=Read_Syscheck_Config \
+                                    -Wl,--wrap=rootcheck_init \
+                                    -Wl,--wrap=start_daemon \
+                                    -Wl,--wrap=File_DateofChange \
+                                    -Wl,--wrap,getpid,--wrap,realtime_start \
+                                    -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap,pthread_rwlock_unlock \
+                                    -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_rwlock_wrlock \
+                                    -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,fim_sync_push_msg \
+                                    -Wl,--wrap=fim_db_get_count_registry_data \
+                                    -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                    -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                    -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+
+else()
+  list(APPEND syscheckd_tests_flags "${SYSCHECK_BASE_FLAGS}")
+endif()
+
+# run_check.c tests
+set(RUN_CHECK_BASE_FLAGS "-Wl,--wrap,sleep -Wl,--wrap,SendMSGPredicated -Wl,--wrap,StartMQ \
+                          -Wl,--wrap,realtime_adddir -Wl,--wrap,audit_set_db_consistency -Wl,--wrap,fim_checker \
+                          -Wl,--wrap,lstat -Wl,--wrap,fim_db_file_pattern_search \
+                          -Wl,--wrap,fim_configuration_directory -Wl,--wrap,inotify_rm_watch -Wl,--wrap,os_random \
+                          -Wl,--wrap,stat -Wl,--wrap,getpid -Wl,--wrap,gettime \
+                          -Wl,--wrap,remove_audit_rule_syscheck -Wl,--wrap,realtime_process -Wl,--wrap,FOREVER \
+                          -Wl,--wrap,select -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_mutex_unlock \
+                          -Wl,--wrap=fim_db_init,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                          -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                          -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                          -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                          -Wl,--wrap=fim_generate_delete_event ${DEBUG_OP_WRAPPERS}")
+
+list(APPEND syscheckd_tests_names "run_check")
+if(${TARGET} STREQUAL "agent")
+  list(APPEND syscheckd_tests_flags "${RUN_CHECK_BASE_FLAGS} -Wl,--wrap=sleep -Wl,--wrap,time")
+elseif(${TARGET} STREQUAL "winagent")
+  list(APPEND syscheckd_tests_flags "${RUN_CHECK_BASE_FLAGS} -Wl,--wrap=realtime_start \
+                                     -Wl,--wrap,WaitForSingleObjectEx -Wl,--wrap,pthread_rwlock_rdlock \
+                                     -Wl,--wrap,pthread_rwlock_unlock -Wl,--wrap,pthread_rwlock_wrlock \
+                                     -Wl,--wrap,fim_sync_push_msg -Wl,--wrap=fim_db_get_count_registry_data \
+                                     -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                     -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                     -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+
+  # Create event channel tests for run_check
+  list(APPEND syscheckd_event_tests_names "test_run_check_event")
+  list(APPEND syscheckd_event_tests_flags "${RUN_CHECK_BASE_FLAGS} -Wl,--wrap=realtime_start,--wrap=run_whodata_scan \
+                                                                   -Wl,--wrap=audit_restore
+                                                                   -Wl,--wrap,pthread_rwlock_rdlock \
+                                                                   -Wl,--wrap,pthread_rwlock_unlock \
+                                                                   -Wl,--wrap,pthread_mutex_lock \
+                                                                   -Wl,--wrap,pthread_rwlock_wrlock \
+                                                                   -Wl,--wrap,pthread_mutex_unlock \
+                                                                   -Wl,--wrap,fim_sync_push_msg \
+                                                                   -Wl,--wrap=fim_db_get_count_registry_data \
+                                                                   -Wl,--wrap=fim_db_get_count_registry_key \
+                                                                   -Wl,--wrap=syscom_dispatch \
+                                                                   -Wl,--wrap=fim_generate_delete_event \
+                                                                   -Wl,--wrap=is_fim_shutdown \
+                                                                   -Wl,--wrap=_imp__dbsync_initialize \
+                                                                   -Wl,--wrap=_imp__rsync_initialize \
+                                                                   -Wl,--wrap=fim_db_teardown")
+else()
+  list(APPEND syscheckd_tests_flags "${RUN_CHECK_BASE_FLAGS} -Wl,--wrap=sleep,--wrap,time")
+endif()
+
+# Compiling tests
+list(LENGTH syscheckd_tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET syscheckd_tests_names ${counter} test_name)
+    list(GET syscheckd_tests_flags ${counter} test_flags)
+
+    add_executable(test_${test_name} test_${test_name}.c)
+    target_link_libraries(
+      test_${test_name}
+      SYSCHECK_O
+      ${TEST_DEPS}
+    )
+
+    if(${TARGET} STREQUAL "winagent")
+      target_link_libraries(test_${test_name} fimdb)
+    endif(${TARGET} STREQUAL "winagent")
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            test_${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME test_${test_name} COMMAND test_${test_name})
+endforeach()
+
+if(${TARGET} STREQUAL "winagent")
+  # Compile event channel tests
+  list(LENGTH syscheckd_event_tests_names count)
+  math(EXPR count "${count} - 1")
+  foreach(counter RANGE ${count})
+      list(GET syscheckd_event_tests_names ${counter} test_name)
+      list(GET syscheckd_event_tests_flags ${counter} test_flags)
+
+      string(REPLACE "_event" ".c" test_file ${test_name})
+      add_executable(${test_name} ${test_file})
+
+      target_link_libraries(
+        ${test_name}
+        SYSCHECK_EVENT_O
+        ${TEST_EVENT_DEPS}
+        fimdb
+      )
+
+      target_compile_definitions(${test_name} PUBLIC WIN_WHODATA)
+
+      if(NOT test_flags STREQUAL " ")
+          target_link_libraries(
+              ${test_name}
+              ${test_flags}
+          )
+      endif()
+      add_test(NAME ${test_name} COMMAND ${test_name})
+  endforeach()
+endif()
+
+# create_db.c tests
+add_executable(test_create_db test_create_db.c)
+
+target_compile_options(test_create_db PRIVATE "-Wall")
+
+set(CREATE_DB_BASE_FLAGS "-Wl,--wrap,fim_send_scan_info -Wl,--wrap,send_syscheck_msg \
+                          -Wl,--wrap,readdir -Wl,--wrap,opendir -Wl,--wrap,closedir -Wl,--wrap,realtime_adddir \
+                          -Wl,--wrap,HasFilesystem -Wl,--wrap,fim_db_get_path \
+                          -Wl,--wrap,delete_target_file -Wl,--wrap,OS_MD5_SHA1_SHA256_File \
+                          -Wl,--wrap,seechanges_addfile -Wl,--wrap,fim_db_delete_not_scanned \
+                          -Wl,--wrap,get_group,--wrap,mdebug2 -Wl,--wrap,wfopen \
+                          -Wl,--wrap,send_log_msg -Wl,--wrap,IsDir \
+                          -Wl,--wrap,DirSize -Wl,--wrap,seechanges_get_diff_path -Wl,--wrap,stat \
+                          -Wl,--wrap,fim_file_diff -Wl,--wrap,fim_diff_process_delete_file \
+                          -Wl,--wrap,fim_db_get_count_entries \
+                          -Wl,--wrap,fim_db_file_is_scanned -Wl,--wrap,fim_db_data_exists \
+                          -Wl,--wrap,fim_db_append_paths_from_inode -Wl,--wrap,pthread_rwlock_wrlock \
+                          -Wl,--wrap,pthread_rwlock_unlock -Wl,--wrap,pthread_rwlock_rdlock \
+                          -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_mutex_unlock \
+                          -Wl,--wrap,expand_wildcards -Wl,--wrap,fim_add_inotify_watch \
+                          -Wl,--wrap,realtime_sanitize_watch_map,--wrap=fim_db_remove_path \
+                          -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_init \
+                          -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                          -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                          -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                          ${DEBUG_OP_WRAPPERS}")
+
+target_link_libraries(test_create_db SYSCHECK_O ${TEST_DEPS} fim_shared)
+if(${TARGET} STREQUAL "winagent")
+    target_link_libraries(test_create_db "${CREATE_DB_BASE_FLAGS} -Wl,--wrap=w_get_file_permissions
+                                          -Wl,--wrap,getpid -Wl,--wrap=fim_db_get_count_registry_data \
+                                          -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                          -Wl,--wrap=decode_win_acl_json,--wrap=w_get_file_attrs -Wl,--wrap=os_winreg_check \
+                                          -Wl,--wrap,get_file_user -Wl,--wrap,fim_registry_scan \
+                                          -Wl,--wrap,get_UTC_modification_time -Wl,--wrap,fim_sync_push_msg \
+                                          -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                          -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown"
+                                          fimdb)
+else()
+    target_link_libraries(test_create_db "${CREATE_DB_BASE_FLAGS} -Wl,--wrap=lstat -Wl,--wrap=count_watches \
+                                          -Wl,--wrap,get_user -Wl,--wrap,realpath -Wl,--wrap,add_whodata_directory \
+                                          -Wl,--wrap,atexit -Wl,--wrap,remove_audit_rule_syscheck")
+endif()
+
+add_test(NAME test_create_db COMMAND test_create_db)
diff --git a/src/modules/fim/tests/unit/tests/expect_fim_diff_changes.c b/src/modules/fim/tests/unit/tests/expect_fim_diff_changes.c
new file mode 100644
index 0000000000..1fc42120db
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/expect_fim_diff_changes.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "test_fim.h"
+
+void expect_fim_diff_delete_compress_folder(struct dirent *dir) {
+    expect_any(__wrap_IsDir, file);
+    will_return(__wrap_IsDir, 0);
+
+    expect_any(__wrap_DirSize, path);
+    will_return(__wrap_DirSize, 0);
+
+    expect_any(__wrap_rmdir_ex, name);
+    will_return(__wrap_rmdir_ex, 0);
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    will_return(__wrap_opendir, 1);
+    will_return(__wrap_readdir, dir);
+    will_return(__wrap_readdir, NULL);
+}
diff --git a/src/modules/fim/tests/unit/tests/expect_run_check.c b/src/modules/fim/tests/unit/tests/expect_run_check.c
new file mode 100644
index 0000000000..ee2b66075f
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/expect_run_check.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "test_fim.h"
+
+void expect_fim_send_msg(char mq, const char *location, const char *msg, int retval) {
+    if (msg == NULL) {
+        expect_any(__wrap_SendMSG, message);
+    } else {
+        expect_string(__wrap_SendMSG, message, msg);
+    }
+    expect_string(__wrap_SendMSG, locmsg, location);
+    expect_value(__wrap_SendMSG, loc, mq);
+    will_return(__wrap_SendMSG, retval);
+}
+
+void expect_send_syscheck_msg(const char *msg) {
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    expect_fim_send_msg(SYSCHECK_MQ, SYSCHECK, msg, 0);
+}
diff --git a/src/modules/fim/tests/unit/tests/registry/CMakeLists.txt b/src/modules/fim/tests/unit/tests/registry/CMakeLists.txt
new file mode 100644
index 0000000000..3a82a4cb07
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/registry/CMakeLists.txt
@@ -0,0 +1,53 @@
+include_directories(${SRC_FOLDER}/syscheckd/src)
+include_directories(${SRC_FOLDER}/syscheckd/include)
+
+link_directories(${SRC_FOLDER}/unit_tests/wrappers/syscheckd/registry)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# registry.c tests
+add_executable(test_registry test_registry.c)
+
+target_compile_options(test_registry PRIVATE "-Wall")
+target_compile_options(test_registry PRIVATE "-g")
+
+target_link_libraries(test_registry SYSCHECK_O ${TEST_DEPS} fim_shared)
+target_link_libraries(test_registry "${DEBUG_OP_WRAPPERS} \
+                                     -Wl,--wrap=send_syscheck_msg -Wl,--wrap=os_random -Wl,--wrap,getpid \
+                                     -Wl,--wrap=fim_registry_value_diff -Wl,--wrap=get_registry_permissions \
+                                     -Wl,--wrap=decode_win_acl_json -Wl,--wrap=pthread_mutex_lock -Wl,--wrap=pthread_mutex_unlock \
+                                     -Wl,--wrap,fim_db_init -Wl,--wrap=fim_sync_push_msg -Wl,--wrap=syscom_dispatch \
+                                     -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key \
+                                     -Wl,--wrap=fim_db_file_pattern_search -Wl,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                                     -Wl,--wrap=fim_db_file_update -Wl,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                                     -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                                     -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                                     -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                                     -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+
+if(${TARGET} STREQUAL "winagent")
+    target_link_libraries(test_registry fimdb)
+endif(${TARGET} STREQUAL "winagent")
+
+add_test(NAME test_registry COMMAND test_registry)
+
+# events.c tests
+add_executable(test_events test_events.c)
+
+target_compile_options(test_events PRIVATE "-Wall")
+
+target_link_libraries(test_events SYSCHECK_O ${TEST_DEPS} fim_shared)
+target_link_libraries(test_events "${DEBUG_OP_WRAPPERS} \
+                                   -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows -Wl,--wrap=fim_run_integrity \
+                                   -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_db_transaction_start -Wl,--wrap,fim_db_init \
+                                   -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                                   -Wl,--wrap=fim_db_file_update -Wl,--wrap,fim_db_get_path -Wl,--wrap=fim_db_file_pattern_search -Wl,--wrap=fim_db_remove_path \
+                                   -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown")
+
+if(${TARGET} STREQUAL "winagent")
+    target_link_libraries(test_events fimdb)
+endif(${TARGET} STREQUAL "winagent")
+
+add_test(NAME test_events COMMAND test_events)
diff --git a/src/modules/fim/tests/unit/tests/registry/test_events.c b/src/modules/fim/tests/unit/tests/registry/test_events.c
new file mode 100644
index 0000000000..3571ff00ec
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/registry/test_events.c
@@ -0,0 +1,528 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "../../../syscheckd/include/syscheck.h"
+#include "../../../syscheckd/src/registry/registry.h"
+#include "test_fim.h"
+
+#define CHECK_REGISTRY_ALL                                                                             \
+    CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MTIME | CHECK_MD5SUM | CHECK_SHA1SUM | \
+    CHECK_SHA256SUM | CHECK_SEECHANGES | CHECK_TYPE
+
+fim_registry_key DEFAULT_REGISTRY_KEY = { .id = 3, .path = "HKEY_USERS\\Some\\random\\key", .perm_json = NULL, .perm = "", .uid = "110", .gid = "220", .user_name = "user_old_name", .group_name = "group_old_name", .mtime = 1100, .arch = ARCH_64BIT, .scanned = 0, .last_event = 1234, .checksum = "234567890ABCDEF1234567890ABCDEF123456789", .hash_full_path = "234567890ABCDEF1234567890ABCDEF123456111"};
+fim_registry_value_data DEFAULT_REGISTRY_VALUE = { .id = 3, .path = "key\\path", .hash_full_path = "234567890ABCDEF1234567890ABCDEF123456111", .arch = ARCH_64BIT, .name = "the\\value", .type = REG_SZ, .size = 50, .hash_md5 = "1234567890ABCDEF1234567890ABCDEF", . hash_sha1 = "1234567890ABCDEF1234567890ABCDEF12345678", .hash_sha256 = "1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF", .scanned = 0, .last_event = 10000, .checksum = "1234567890ABCDEF1234567890ABCDEF12345678", .mode = FIM_MODIFICATION };
+typedef struct fim_key_txn_context_s {
+    event_data_t *evt_data;
+    fim_registry_key *key;
+} fim_key_txn_context_t;
+
+typedef struct fim_val_txn_context_s {
+    event_data_t *evt_data;
+    fim_registry_value_data *data;
+    char* diff;
+} fim_val_txn_context_t;
+
+typedef struct key_difference_s {
+    cJSON *old_data;
+    cJSON *changed_attributes;
+    cJSON *old_attributes;
+} key_difference_t;
+
+typedef struct json_data_s {
+    cJSON *data1;
+    cJSON *data2;
+} json_data_t;
+
+static int setup_dbsync_difference(void **state) {
+    key_difference_t *data = calloc(1, sizeof(key_difference_t));
+    if (data == NULL) {
+        return 1;
+    }
+
+    data->old_data = cJSON_CreateObject();
+
+    if (data->old_data == NULL) {
+        return 1;
+    }
+
+    data->changed_attributes = cJSON_CreateArray();
+    if (data->changed_attributes == NULL) {
+        return 1;
+    }
+
+    data->old_attributes = cJSON_CreateObject();
+    if (data->old_attributes == NULL) {
+        return 1;
+    }
+    *state = data;
+    return 0;
+}
+
+static int teardown_dbsync_difference(void **state) {
+    key_difference_t * data = (key_difference_t*) *state;
+
+    cJSON_Delete(data->changed_attributes);
+    cJSON_Delete(data->old_attributes);
+    cJSON_Delete(data->old_data);
+
+    free(data);
+    return 0;
+}
+
+static int teardown_cjson_object(void **state) {
+    cJSON *object = *state;
+
+    cJSON_Delete(object);
+
+    return 0;
+}
+
+static int teardown_cjson_data(void **state) {
+    json_data_t *data = *state;
+
+    cJSON_Delete(data->data2);
+    free(data);
+
+    return 0;
+}
+
+cJSON* fim_dbsync_registry_value_json_event(const cJSON* dbsync_event,
+                                            const fim_registry_value_data *value,
+                                            const registry_t *configuration,
+                                            fim_event_mode mode,
+                                            const event_data_t *evt_data,
+                                            __attribute__((unused)) whodata_evt *w_evt,
+                                            const char* diff);
+cJSON* fim_registry_compare_key_attrs(const fim_registry_key *new_data,
+                               const fim_registry_key *old_data,
+                               const registry_t *configuration);
+cJSON* fim_registry_compare_value_attrs(const fim_registry_value_data *new_data,
+                                        const fim_registry_value_data *old_data,
+                                        const registry_t *configuration);
+
+
+
+static void test_fim_registry_compare_key_attrs(void **state){
+    cJSON *permissions = create_win_permissions_object();
+    fim_registry_key new_key = { .id = 3,
+                                 .path = "HKEY_USERS\\Some\\random\\key",
+                                 .perm_json = permissions,
+                                 .perm = cJSON_PrintUnformatted(permissions),
+                                 .uid = "100",
+                                 .gid = "200",
+                                 .user_name = "user_name",
+                                 .group_name = "group_name",
+                                 .mtime = 1000,
+                                 .arch = ARCH_64BIT,
+                                 .scanned = 0,
+                                 .last_event = 1234,
+                                 .checksum = "1234567890ABCDEF1234567890ABCDEF12345678" };
+    cJSON *saved_permissions = cJSON_CreateObject();
+    fim_registry_key saved_key = { .id = 3,
+                                 .path = "HKEY_USERS\\Some\\random\\key",
+                                 .perm_json = saved_permissions,
+                                 .perm = cJSON_PrintUnformatted(saved_permissions),
+                                 .uid = "110",
+                                 .gid = "220",
+                                 .user_name = "user_old_name",
+                                 .group_name = "group_old_name",
+                                 .mtime = 1100,
+                                 .arch = ARCH_64BIT,
+                                 .scanned = 0,
+                                 .last_event = 1234,
+                                 .checksum = "234567890ABCDEF1234567890ABCDEF123456789" };
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *ret, *it;
+    char *changed_attributes[] = { "permission", "uid", "user_name", "gid", "group_name", "mtime" };
+    int attributes_it = 0;
+
+
+    ret = fim_registry_compare_key_attrs(&new_key, &saved_key, &configuration);
+
+    *state = ret;
+
+    cJSON_ArrayForEach(it, ret) {
+        assert_string_equal(cJSON_GetStringValue(it), changed_attributes[attributes_it++]);
+    }
+
+    free(new_key.perm);
+    free(saved_key.perm);
+    cJSON_Delete(permissions);
+    cJSON_Delete(saved_permissions);
+}
+
+static void test_fim_registry_compare_value_attrs(void **state){
+    fim_registry_value_data new_value = { 3,
+                                          "key\\path",
+                                          "234567890ABCDEF1234567890ABCDEF123456111",
+                                          ARCH_64BIT,
+                                          "the\\value",
+                                          REG_SZ,
+                                          50,
+                                          "1234567890ABCDEF1234567890ABCDEF",
+                                          "1234567890ABCDEF1234567890ABCDEF12345678",
+                                          "1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF",
+                                          0,
+                                          10000,
+                                          "1234567890ABCDEF1234567890ABCDEF12345678",
+                                          FIM_MODIFICATION };
+
+    fim_registry_value_data saved_value = { 3,
+                                          "key\\path",
+                                          "234567890ABCDEF1234567890ABCDEF123456111",
+                                          ARCH_64BIT,
+                                          "the\\value",
+                                          REG_DWORD,
+                                          49,
+                                          "234567890ABCDEF1234567890ABCDEF1",
+                                          "234567890ABCDEF1234567890ABCDEF123456789",
+                                          "234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1",
+                                          0,
+                                          11000,
+                                          "234567890ABCDEF1234567890ABCDEF123456789",
+                                          FIM_MODIFICATION };
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *ret, *it;
+    char *changed_attributes[] = { "size", "type", "md5", "sha1", "sha256", "last_event", "checksum" };
+    int attributes_it = 0;
+
+    ret = fim_registry_compare_value_attrs(&new_value, &saved_value, &configuration);
+
+    *state = ret;
+
+    cJSON_ArrayForEach(it, ret) {
+        assert_string_equal(cJSON_GetStringValue(it), changed_attributes[attributes_it++]);
+    }
+}
+
+void test_calculate_dbsync_difference_key_perm_change(void **state) {
+
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    const char* old_entry_str = "{\"type\":\"registry_key\",\"perm\":{\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]},\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-3-0\":{\"name\":\"CREATOR OWNER\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-15-2-1\":{\"name\":\"ALL APPLICATION PACKAGES\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]}},\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"110\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    char *perm_string = "{\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]},\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-3-0\":{\"name\":\"CREATOR OWNER\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-15-2-1\":{\"name\":\"ALL APPLICATION PACKAGES\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]}}";
+    cJSON_AddItemToObject(old_data, "perm", cJSON_CreateString(perm_string));
+
+    fim_registry_key registry_data =  DEFAULT_REGISTRY_KEY;
+
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"permission\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_entry_str);
+}
+
+void test_calculate_dbsync_difference_key_no_change(void **state) {
+
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    fim_registry_key registry_data =  DEFAULT_REGISTRY_KEY;
+
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[]");
+}
+
+void test_calculate_dbsync_difference_key_uid_change(void **state) {
+
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    const char *old_attributes_str = "{\"type\":\"registry_key\",\"uid\":\"210\",\"user_name\":\"user_old_name\",\"gid\":\"110\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "uid", "210");
+
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"uid\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_key_username_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    const char* old_attributes_str = "{\"type\":\"registry_key\",\"uid\":\"110\",\"user_name\":\"previous_username\",\"gid\":\"110\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "user_name", "previous_username");
+
+    fim_registry_key registry_data =  DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"user_name\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_key_username_no_change_empty(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+    cJSON_AddStringToObject(old_data, "user_name", "");
+
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[]");
+}
+
+
+void test_calculate_dbsync_difference_key_gid_change(void **state) {
+
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    const char *old_attributes_str = "{\"type\":\"registry_key\",\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"210\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "gid", "210");
+
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"gid\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_key_groupname_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    const char* old_attributes_str = "{\"type\":\"registry_key\",\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"110\",\"group_name\":\"previous_groupname\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "group_name", "previous_groupname");
+
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"group_name\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_key_mtime_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char* old_attributes_str = "{\"type\":\"registry_key\",\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"110\",\"group_name\":\"group_old_name\",\"mtime\":98765432,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddNumberToObject(old_data, "mtime", 98765432);
+
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    fim_calculate_dbsync_difference_key(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"mtime\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_value_size_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char *old_attributes_str = "{\"type\":\"registry_value\",\"size\":98765432,\"value_type\":\"REG_SZ\",\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddNumberToObject(old_data, "size", 98765432);
+
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"size\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+
+}
+
+void test_calculate_dbsync_difference_value_type_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char *old_attributes_str = "{\"type\":\"registry_value\",\"size\":50,\"value_type\":\"REG_EXPAND_SZ\",\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddNumberToObject(old_data, "value_type", 2);
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"value_type\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_value_md5_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char *old_attributes_str = "{\"type\":\"registry_value\",\"size\":50,\"value_type\":\"REG_SZ\",\"hash_md5\":\"FEDCBA0987654321FEDCBA0987654321\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "hash_md5", "FEDCBA0987654321FEDCBA0987654321");
+
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"md5\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_value_sha1_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char *old_attributes_str = "{\"type\":\"registry_value\",\"size\":50,\"value_type\":\"REG_SZ\",\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"FEDCBA0987654321FEDCBA0987654321FEDCBA09\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "hash_sha1", "FEDCBA0987654321FEDCBA0987654321FEDCBA09");
+
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"sha1\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+
+void test_calculate_dbsync_difference_value_sha256_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    const char *old_attributes_str = "{\"type\":\"registry_value\",\"size\":50,\"value_type\":\"REG_SZ\",\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321\"}";
+
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    cJSON_AddStringToObject(old_data, "hash_sha256", "FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321");
+
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[\"sha256\"]");
+    assert_string_equal(cJSON_PrintUnformatted(old_attributes), old_attributes_str);
+}
+
+void test_calculate_dbsync_difference_value_no_change(void **state) {
+    key_difference_t *data = (key_difference_t *) *state;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+    cJSON *old_data = data->old_data;
+    cJSON *changed_attributes = data->changed_attributes;
+    cJSON *old_attributes = data->old_attributes;
+
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+
+    fim_calculate_dbsync_difference_value(&registry_data, &configuration, old_data, changed_attributes, old_attributes);
+    assert_string_equal(cJSON_PrintUnformatted(changed_attributes), "[]");
+}
+
+void test_registry_key_attributes_json_entry(void **state) {
+    json_data_t *data = calloc(1, sizeof(json_data_t));
+    char perm_data[OS_MAXSTR] = "{\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]},\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-3-0\":{\"name\":\"CREATOR OWNER\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-15-2-1\":{\"name\":\"ALL APPLICATION PACKAGES\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]}}";
+
+    const char* event_str = "{\"type\":\"registry_key\",\"perm\":{\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]},\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-3-0\":{\"name\":\"CREATOR OWNER\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-15-2-1\":{\"name\":\"ALL APPLICATION PACKAGES\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]}},\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"220\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    fim_registry_key registry_data = DEFAULT_REGISTRY_KEY;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+
+    registry_data.perm = perm_data;
+
+    cJSON *event = fim_registry_key_attributes_json(NULL, &registry_data, &configuration);
+
+    data->data2 = event;
+    *state = data;
+
+    assert_string_equal(event_str, cJSON_PrintUnformatted(event));
+}
+
+void test_registry_key_attributes_json_dbsync(void **state) {
+    json_data_t *data = calloc(1, sizeof(json_data_t));
+    cJSON *dbsync_event = cJSON_Parse("{\"perm\":\"{\\\"S-1-5-32-545\\\":{\\\"name\\\":\\\"Users\\\",\\\"allowed\\\":[\\\"read_control\\\",\\\"read_data\\\",\\\"read_ea\\\",\\\"write_ea\\\"]},\\\"S-1-5-32-544\\\":{\\\"name\\\":\\\"Administrators\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\"]},\\\"S-1-5-18\\\":{\\\"name\\\":\\\"SYSTEM\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\"]},\\\"S-1-3-0\\\":{\\\"name\\\":\\\"CREATOR OWNER\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\"]},\\\"S-1-15-2-1\\\":{\\\"name\\\":\\\"ALL APPLICATION PACKAGES\\\",\\\"allowed\\\":[\\\"read_control\\\",\\\"read_data\\\",\\\"read_ea\\\",\\\"write_ea\\\"]}}\",\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"220\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}");
+    const char* event_str = "{\"type\":\"registry_key\",\"perm\":{\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]},\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-3-0\":{\"name\":\"CREATOR OWNER\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-15-2-1\":{\"name\":\"ALL APPLICATION PACKAGES\",\"allowed\":[\"read_control\",\"read_data\",\"read_ea\",\"write_ea\"]}},\"uid\":\"110\",\"user_name\":\"user_old_name\",\"gid\":\"220\",\"group_name\":\"group_old_name\",\"mtime\":1100,\"checksum\":\"234567890ABCDEF1234567890ABCDEF123456789\"}";
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+
+    cJSON *event = fim_registry_key_attributes_json(dbsync_event, NULL, &configuration);
+
+    data->data1 = dbsync_event;
+    data->data2 = event;
+    *state = data;
+    assert_string_equal(event_str, cJSON_PrintUnformatted(event));
+}
+
+
+void test_registry_value_attributes_json_entry(void **state) {
+    json_data_t *data = calloc(1, sizeof(json_data_t));
+    const char* event_str = "{\"type\":\"registry_value\",\"value_type\":\"REG_SZ\",\"size\":50,\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\",\"checksum\":\"1234567890ABCDEF1234567890ABCDEF12345678\"}";
+    fim_registry_value_data registry_data = DEFAULT_REGISTRY_VALUE;
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+
+    cJSON *event = fim_registry_value_attributes_json(NULL, &registry_data, &configuration);
+
+    data->data1 = event;
+    *state = data;
+
+    assert_string_equal(event_str, cJSON_PrintUnformatted(event));
+}
+
+void test_registry_value_attributes_json_dbsync(void **state) {
+    json_data_t *data = calloc(1, sizeof(json_data_t));
+    const char* event_str = "{\"type\":\"registry_value\",\"value_type\":\"REG_SZ\",\"size\":50,\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\",\"checksum\":\"1234567890ABCDEF1234567890ABCDEF12345678\"}";
+    cJSON *dbsync_event = cJSON_Parse("{\"arch\":\"[x64]\",\"checksum\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_md5\":\"1234567890ABCDEF1234567890ABCDEF\",\"hash_sha1\":\"1234567890ABCDEF1234567890ABCDEF12345678\",\"hash_sha256\":\"1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF\",\"last_event\":1645700674,\"name\":\"New Value 1\",\"path\":\"HKEY_USERS\\\\Some\",\"scanned\":0,\"size\":50,\"type\":1}");
+    registry_t configuration = { "HKEY_USERS\\Some", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL };
+
+
+    cJSON *event = fim_registry_value_attributes_json(dbsync_event, NULL, &configuration);
+    data->data1 = dbsync_event;
+    data->data2 = event;
+    *state = data;
+
+    assert_string_equal(event_str, cJSON_PrintUnformatted(event));
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // tests registry key transaction callback
+        cmocka_unit_test_teardown(test_fim_registry_compare_key_attrs, teardown_cjson_object),
+        cmocka_unit_test_teardown(test_fim_registry_compare_value_attrs, teardown_cjson_object),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_perm_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_no_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_uid_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_username_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_username_no_change_empty, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_gid_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_groupname_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_key_mtime_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_size_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_type_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_md5_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_sha1_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_sha256_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_setup_teardown(test_calculate_dbsync_difference_value_no_change, setup_dbsync_difference, teardown_dbsync_difference),
+        cmocka_unit_test_teardown(test_registry_key_attributes_json_entry, teardown_cjson_data),
+        cmocka_unit_test_teardown(test_registry_key_attributes_json_dbsync, teardown_cjson_data),
+        cmocka_unit_test_teardown(test_registry_value_attributes_json_entry, teardown_cjson_data),
+        cmocka_unit_test_teardown(test_registry_value_attributes_json_dbsync, teardown_cjson_data),
+
+    };
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/fim/tests/unit/tests/registry/test_registry.c b/src/modules/fim/tests/unit/tests/registry/test_registry.c
new file mode 100644
index 0000000000..8be5c707b7
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/registry/test_registry.c
@@ -0,0 +1,1190 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "syscheck.h"
+#include "registry/registry.h"
+#include "registry/registry.c"
+
+#include "../../wrappers/common.h"
+#include "../../wrappers/windows/sddl_wrappers.h"
+#include "../../wrappers/windows/aclapi_wrappers.h"
+#include "../../wrappers/windows/winreg_wrappers.h"
+#include "../../wrappers/windows/winbase_wrappers.h"
+#include "../../wrappers/windows/securitybaseapi_wrappers.h"
+#include "../../wrappers/wazuh/syscheckd/fim_db_wrappers.h"
+#include "../../wrappers/wazuh/shared/syscheck_op_wrappers.h"
+#include "../../wrappers/wazuh/syscheckd/fim_diff_changes_wrappers.h"
+
+#include "test_fim.h"
+
+#define CHECK_REGISTRY_ALL                                                                             \
+    CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MTIME | CHECK_MD5SUM | CHECK_SHA1SUM | \
+    CHECK_SHA256SUM | CHECK_SEECHANGES | CHECK_TYPE
+
+char inv_hKey[50];
+
+static registry_t default_config[] = {
+    { "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE\\Software\\RecursionLevel0", ARCH_64BIT, CHECK_REGISTRY_ALL, 0, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { inv_hKey, ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE\\Software\\FailToInsert", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { NULL, 0, 0, 320, 0, NULL, NULL, NULL }
+};
+
+static registry_t one_entry_config[] = {
+    { "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { NULL, 0, 0, 320, 0, NULL, NULL, NULL }
+};
+
+static registry_ignore default_ignore[] = { { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_32BIT},
+                                            { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_64BIT},
+                                            { NULL, 0} };
+
+static char *default_ignore_regex_patterns[] = { "IgnoreRegex", "IgnoreRegex", NULL };
+
+static registry_ignore_regex default_ignore_regex[] = { { NULL, ARCH_32BIT }, { NULL, ARCH_64BIT }, { NULL, 0 } };
+
+extern int _base_line;
+
+typedef struct tmp_file_entry_s {
+    fim_tmp_file *file;
+    fim_entry *entry;
+} tmp_file_entry_t;
+
+void registry_key_transaction_callback(ReturnTypeCallback resultType, const cJSON* result_json, void* user_data);
+void registry_value_transaction_callback(ReturnTypeCallback resultType, const cJSON* result_json, void* user_data);
+int fim_set_root_key(HKEY *root_key_handle, const char *full_key, const char **sub_key);
+registry_t *fim_registry_configuration(const char *key, int arch);
+int fim_registry_validate_recursion_level(const char *key_path, const registry_t *configuration);
+int fim_registry_validate_ignore(const char *entry, const registry_t *configuration, int key);
+void fim_registry_free_entry(fim_entry *entry);
+void fim_registry_free_key(fim_registry_key *key);
+void fim_registry_free_value_data(fim_registry_value_data *data);
+fim_registry_key *fim_registry_get_key_data(HKEY key_handle, const char *path, const registry_t *configuration);
+void fim_registry_calculate_hashes(fim_entry *entry, registry_t *configuration, BYTE *data_buffer);
+void expect_SendMSG_call(const char *message_expected, const char *locmsg_expected, char loc_expected, int ret){
+    expect_string(__wrap_SendMSG, message, message_expected);
+    expect_string(__wrap_SendMSG, locmsg, locmsg_expected);
+    expect_value(__wrap_SendMSG, loc, loc_expected);
+    will_return(__wrap_SendMSG, ret);
+}
+
+void expect_fim_registry_get_key_data_call(LPSTR usid,
+                                           LPSTR gsid,
+                                           char *uname,
+                                           char *gname,
+                                           const char *permissions,
+                                           FILETIME last_write_time) {
+    expect_GetSecurityInfo_call((PSID) "userid", NULL, ERROR_SUCCESS);
+    expect_ConvertSidToStringSid_call(usid, 1);
+    expect_LookupAccountSid_call((PSID)uname, "domain", 1);
+
+    expect_GetSecurityInfo_call(NULL, (PSID) "groupid", ERROR_SUCCESS);
+    expect_ConvertSidToStringSid_call(gsid, 1);
+    expect_LookupAccountSid_call((PSID)gname, "domain", 1);
+
+    expect_get_registry_permissions(create_win_permissions_object(), ERROR_SUCCESS);
+
+    expect_any(__wrap_decode_win_acl_json, perms);
+
+    expect_RegQueryInfoKeyA_call(&last_write_time, ERROR_SUCCESS);
+}
+
+fim_registry_key *create_reg_key(int id, const char *path, int arch, const char *perm, const char *uid, const char *gid, const char *user_name,
+                                 const char *group_name) {
+    fim_registry_key *ret;
+
+    os_calloc(1, sizeof(fim_registry_key), ret);
+
+    ret->id = id;
+    os_strdup(path, ret->path);
+    ret->arch = arch;
+    os_strdup(perm, ret->perm);
+    os_strdup(uid, ret->uid);
+    os_strdup(gid, ret->gid);
+    os_strdup(user_name, ret->user_name);
+    os_strdup(group_name, ret->group_name);
+
+    return ret;
+}
+
+fim_registry_value_data *create_reg_value_data(int id, char *name, unsigned int type, unsigned int size) {
+    fim_registry_value_data *ret;
+
+    os_calloc(1, sizeof(fim_registry_value_data), ret);
+
+    ret->id = id;
+    os_strdup(name, ret->name);
+    ret->type = type;
+    ret->size = size;
+
+    return ret;
+}
+
+int delete_tables(){
+    char *err_msg = NULL;
+    // DELETE TABLES
+    sqlite3_exec(syscheck.database->db, "DELETE FROM registry_data;", NULL, NULL, &err_msg);
+    if (err_msg) {
+        fail_msg("%s", err_msg);
+        sqlite3_free(err_msg);
+
+        return -1;
+    }
+    sqlite3_exec(syscheck.database->db, "DELETE FROM registry_key;", NULL, NULL, &err_msg);
+    if (err_msg) {
+        fail_msg("%s", err_msg);
+        sqlite3_free(err_msg);
+
+        return -1;
+    }
+    return 0;
+}
+
+static int setup_group(void **state) {
+    int i;
+    time_mock_value = 9999999;
+    strcpy(inv_hKey, "HKEY_LOCAL_MACHINE_Invalid_key\\Software\\Ignore");
+
+    syscheck.registry = default_config;
+    syscheck.key_ignore = default_ignore;
+
+    for (i = 0; default_ignore_regex_patterns[i]; i++) {
+        default_ignore_regex[i].regex = calloc(1, sizeof(OSMatch));
+
+        if (default_ignore_regex[i].regex == NULL) {
+            return -1;
+        }
+
+        if (!OSMatch_Compile(default_ignore_regex_patterns[i], default_ignore_regex[i].regex, 0)) {
+            return -1;
+        }
+    }
+
+    syscheck.key_ignore_regex = default_ignore_regex;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    int i;
+
+    syscheck.registry = NULL;
+    syscheck.key_ignore = NULL;
+    syscheck.value_ignore = NULL;
+
+    for (i = 0; syscheck.key_ignore_regex[i].regex; i++) {
+        OSMatch_FreePattern(syscheck.key_ignore_regex[i].regex);
+    }
+    syscheck.key_ignore_regex = NULL;
+
+    return 0;
+}
+
+static int setup_test_hashes(void **state) {
+    syscheck.registry = default_config;
+
+    fim_entry *entry;
+    os_calloc(1, sizeof(fim_entry), entry);
+
+    fim_registry_key *key;
+    os_calloc(1, sizeof(fim_registry_key), key);
+    key->id = 3;
+    os_strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", key->path);
+    os_strdup("sid (allowed): delete|write_dac|write_data|append_data|write_attributes", key->perm);
+    os_strdup("100", key->uid);
+    os_strdup("200", key->gid);
+    os_strdup("username", key->user_name);
+    os_strdup("groupname", key->group_name);
+    key->arch = 1;
+
+    fim_registry_value_data *value;
+    os_calloc(1, sizeof(fim_registry_value_data), value);
+    value->id = 3;
+    os_strdup("valuename", value->name);
+    strcpy(value->hash_md5, "1234567890ABCDEF1234567890ABCDEF");
+    strcpy(value->hash_sha1, "1234567890ABCDEF1234567890ABCDEF12345678");
+    strcpy(value->hash_sha256, "1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF");
+    strcpy(value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+
+    entry->type = FIM_TYPE_REGISTRY;
+    entry->registry_entry.key = key;
+    entry->registry_entry.value = value;
+
+    *state = entry;
+    return 0;
+}
+
+static int teardown_test_hashes(void **state) {
+    fim_entry *entry = *state;
+
+    if (entry){
+        fim_registry_free_key(entry->registry_entry.key);
+        fim_registry_free_value_data(entry->registry_entry.value);
+        free(entry);
+    }
+
+    return 0;
+}
+
+// TESTS
+
+static void test_fim_set_root_key_null_root_key(void **state) {
+    int ret;
+    char *full_key = NULL;
+    const char *sub_key;
+
+    ret = fim_set_root_key(NULL, full_key, &sub_key);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_set_root_key_null_full_key(void **state) {
+    int ret;
+    HKEY root_key;
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, NULL, &sub_key);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_set_root_key_null_sub_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = NULL;
+
+    ret = fim_set_root_key(&root_key, full_key, NULL);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_set_root_key_invalid_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "This wont match to any root key";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, -1);
+    assert_null(root_key);
+}
+
+static void test_fim_set_root_key_invalid_root_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "HKEY_LOCAL_MACHINE_This_is_almost_valid\\but\\not\\quite\\valid";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, -1);
+    assert_null(root_key);
+}
+
+static void test_fim_set_root_key_valid_HKEY_LOCAL_MACHINE_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "HKEY_LOCAL_MACHINE\\This\\is_a_valid\\key";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, 0);
+    assert_ptr_equal(root_key, HKEY_LOCAL_MACHINE);
+    assert_ptr_equal(sub_key, full_key + 19);
+}
+
+static void test_fim_set_root_key_valid_HKEY_CLASSES_ROOT_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "HKEY_CLASSES_ROOT\\This\\is_a_valid\\key";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, 0);
+    assert_ptr_equal(root_key, HKEY_CLASSES_ROOT);
+    assert_ptr_equal(sub_key, full_key + 18);
+}
+
+static void test_fim_set_root_key_valid_HKEY_CURRENT_CONFIG_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "HKEY_CURRENT_CONFIG\\This\\is_a_valid\\key";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, 0);
+    assert_ptr_equal(root_key, HKEY_CURRENT_CONFIG);
+    assert_ptr_equal(sub_key, full_key + 20);
+}
+
+static void test_fim_set_root_key_valid_HKEY_USERS_key(void **state) {
+    int ret;
+    HKEY root_key;
+    char *full_key = "HKEY_USERS\\This\\is_a_valid\\key";
+    const char *sub_key;
+
+    ret = fim_set_root_key(&root_key, full_key, &sub_key);
+
+    assert_int_equal(ret, 0);
+    assert_ptr_equal(root_key, HKEY_USERS);
+    assert_ptr_equal(sub_key, full_key + 11);
+}
+
+static void test_fim_registry_configuration_registry_found(void **state) {
+    registry_t *configuration;
+
+    configuration = fim_registry_configuration("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\something", ARCH_64BIT);
+    assert_non_null(configuration);
+    assert_string_equal(configuration->entry, "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile");
+    assert_int_equal(configuration->arch, ARCH_64BIT);
+}
+
+static void test_fim_registry_configuration_registry_not_found_arch_does_not_match(void **state) {
+    registry_t *configuration;
+
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    configuration = fim_registry_configuration("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\something", ARCH_32BIT);
+    assert_null(configuration);
+}
+
+static void test_fim_registry_configuration_registry_not_found_path_does_not_match(void **state) {
+    registry_t *configuration;
+
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    configuration = fim_registry_configuration("HKEY_LOCAL_MACHINE\\Software\\Classes\\something", ARCH_64BIT);
+    assert_null(configuration);
+}
+
+static void test_fim_registry_configuration_null_key(void **state) {
+    registry_t *configuration;
+
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    configuration = fim_registry_configuration(NULL, ARCH_64BIT);
+    assert_null(configuration);
+}
+
+static void test_fim_registry_validate_recursion_level_null_configuration(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\something";
+    int ret;
+
+    ret = fim_registry_validate_recursion_level(path, NULL);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_recursion_level_null_entry_path(void **state) {
+    registry_t *configuration = &syscheck.registry[0];
+    int ret;
+
+    ret = fim_registry_validate_recursion_level(NULL, configuration);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_recursion_level_valid_entry_path(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\Some\\valid\\path";
+    registry_t *configuration = &syscheck.registry[0];
+    int ret;
+
+    ret = fim_registry_validate_recursion_level(path, configuration);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_fim_registry_validate_recursion_level_invalid_recursion_level(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\RecursionLevel0\\This\\must\\fail";
+    registry_t *configuration = &syscheck.registry[1];
+    int ret;
+    expect_string(__wrap__mdebug2, formatted_msg,
+                  "(6217): Maximum level of recursion reached. Depth:3 recursion_level:0 "
+                  "'HKEY_LOCAL_MACHINE\\Software\\RecursionLevel0\\This\\must\\fail'");
+
+    ret = fim_registry_validate_recursion_level(path, configuration);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_ignore_null_configuration(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\something";
+    int ret;
+
+    ret = fim_registry_validate_ignore(path, NULL, 1);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_ignore_null_entry_path(void **state) {
+    registry_t *configuration = &syscheck.registry[0];
+    int ret;
+
+    ret = fim_registry_validate_ignore(NULL, configuration, 1);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_ignore_valid_entry_path(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\Some\\valid\\path";
+    registry_t *configuration = &syscheck.registry[0];
+    int ret;
+
+    ret = fim_registry_validate_ignore(path, configuration, 1);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_fim_registry_validate_ignore_ignore_entry(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Ignore";
+    registry_t *configuration = &syscheck.registry[2];
+    int ret;
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+                  "(6260): Ignoring 'registry' '[x64] HKEY_LOCAL_MACHINE\\Software\\Ignore' due to "
+                  "'HKEY_LOCAL_MACHINE\\Software\\Ignore'");
+
+    ret = fim_registry_validate_ignore(path, configuration, 1);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_validate_ignore_regex_ignore_entry(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\IgnoreRegex\\This\\must\\fail";
+    registry_t *configuration = &syscheck.registry[0];
+    int ret;
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+                  "(6259): Ignoring 'registry' '[x64] "
+                  "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\IgnoreRegex\\This\\must\\fail' due to sregex "
+                  "'IgnoreRegex'");
+
+    ret = fim_registry_validate_ignore(path, configuration, 1);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_fim_registry_get_key_data_check_owner(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_OWNER;
+    HKEY key_handle = HKEY_LOCAL_MACHINE;
+    fim_registry_key *ret_key;
+
+    expect_GetSecurityInfo_call((PSID)"userid", NULL, ERROR_SUCCESS);
+    expect_ConvertSidToStringSid_call((LPSTR)"userid", 1);
+    expect_LookupAccountSid_call((PSID)"username", "domain", 1);
+
+    ret_key = fim_registry_get_key_data(key_handle, path, configuration);
+
+    assert_string_equal(ret_key->uid, "userid");
+    assert_string_equal(ret_key->user_name, "username");
+    assert_null(ret_key->gid);
+    assert_null(ret_key->group_name);
+    assert_null(ret_key->perm);
+    assert_null(ret_key->mtime);
+}
+
+static void test_fim_registry_get_key_data_check_group(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_GROUP;
+    HKEY key_handle = HKEY_LOCAL_MACHINE;
+    fim_registry_key *ret_key;
+
+    expect_GetSecurityInfo_call((PSID)"groupid", NULL, ERROR_SUCCESS);
+    expect_ConvertSidToStringSid_call((LPSTR)"groupid", 1);
+    expect_LookupAccountSid_call((PSID)"groupname", "domain", 1);
+
+    ret_key = fim_registry_get_key_data(key_handle, path, configuration);
+
+    assert_null(ret_key->uid);
+    assert_null(ret_key->user_name);
+    assert_string_equal(ret_key->gid, "groupid");
+    assert_string_equal(ret_key->group_name, "groupname");
+    assert_null(ret_key->perm);
+    assert_null(ret_key->mtime);
+}
+
+static void test_fim_registry_get_key_data_check_perm(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_PERM;
+    HKEY key_handle = HKEY_LOCAL_MACHINE;
+    fim_registry_key *ret_key;
+    cJSON *permissions = create_win_permissions_object();
+
+    expect_get_registry_permissions(permissions, ERROR_SUCCESS);
+
+    expect_string(__wrap_decode_win_acl_json, perms, permissions);
+
+    ret_key = fim_registry_get_key_data(key_handle, path, configuration);
+
+    assert_null(ret_key->uid);
+    assert_null(ret_key->user_name);
+    assert_null(ret_key->gid);
+    assert_null(ret_key->group_name);
+    assert_non_null(ret_key->perm);
+    assert_non_null(ret_key->perm_json);
+    assert_null(ret_key->mtime);
+}
+
+static void test_fim_registry_get_key_data_check_mtime(void **state) {
+    char *path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_MTIME;
+    HKEY key_handle = HKEY_LOCAL_MACHINE;
+    fim_registry_key *ret_key;
+    FILETIME last_write_time = { 0, 1000 };
+
+    expect_RegQueryInfoKeyA_call(&last_write_time, ERROR_SUCCESS);
+
+    ret_key = fim_registry_get_key_data(key_handle, path, configuration);
+
+    assert_null(ret_key->uid);
+    assert_null(ret_key->user_name);
+    assert_null(ret_key->gid);
+    assert_null(ret_key->group_name);
+    assert_null(ret_key->perm);
+    assert_int_equal(ret_key->mtime, 1240857784);
+}
+
+static void test_fim_registry_calculate_hashes_CHECK_MD5SUM(void **state) {
+    fim_entry *entry = *state;
+
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_MD5SUM;
+    BYTE *data_buffer = (unsigned char *)"value_data";
+    entry->registry_entry.value->type = REG_EXPAND_SZ;
+
+    fim_registry_calculate_hashes(entry, configuration, data_buffer);
+
+    assert_string_equal(entry->registry_entry.value->hash_md5, "51718cc02664f7b131b76f8b53918927");
+    assert_string_equal(entry->registry_entry.value->hash_sha1, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha256, "");
+    assert_string_equal(entry->registry_entry.value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+}
+
+static void test_fim_registry_calculate_hashes_CHECK_SHA1SUM(void **state) {
+    fim_entry *entry = *state;
+
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_SHA1SUM;
+    BYTE *data_buffer = (unsigned char *)"value_data\0";
+    entry->registry_entry.value->type = REG_MULTI_SZ;
+
+    fim_registry_calculate_hashes(entry, configuration, data_buffer);
+
+
+    assert_string_equal(entry->registry_entry.value->hash_md5, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha1, "ee6cf811813827f6e18d07f0fb7e22a43337d63c");
+    assert_string_equal(entry->registry_entry.value->hash_sha256, "");
+    assert_string_equal(entry->registry_entry.value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+}
+
+static void test_fim_registry_calculate_hashes_CHECK_SHA256SUM(void **state) {
+    fim_entry *entry = *state;
+
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_SHA256SUM;
+    BYTE *data_buffer = (unsigned char *)"value_data";
+    entry->registry_entry.value->type = REG_DWORD;
+
+    fim_registry_calculate_hashes(entry, configuration, data_buffer);
+
+
+    assert_string_equal(entry->registry_entry.value->hash_md5, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha1, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha256, "482e0d08067b0965649aba1eef95350f71f60ba9079c7096f2f4e4b018f4cc09");
+    assert_string_equal(entry->registry_entry.value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+}
+
+static void test_fim_registry_calculate_hashes_default_type(void **state) {
+    fim_entry *entry = *state;
+
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = CHECK_REGISTRY_ALL;
+    BYTE *data_buffer = (unsigned char *)"value_data";
+    entry->registry_entry.value->type = -1;
+
+    fim_registry_calculate_hashes(entry, configuration, data_buffer);
+
+
+    assert_string_equal(entry->registry_entry.value->hash_md5, "d41d8cd98f00b204e9800998ecf8427e");
+    assert_string_equal(entry->registry_entry.value->hash_sha1, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+    assert_string_equal(entry->registry_entry.value->hash_sha256, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
+    assert_string_equal(entry->registry_entry.value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+}
+
+static void test_fim_registry_calculate_hashes_no_config(void **state) {
+    fim_entry *entry = *state;
+
+    syscheck.registry = one_entry_config;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->opts = 0;
+    BYTE *data_buffer = (unsigned char *)"value_data";
+    entry->registry_entry.value->type = -1;
+
+    fim_registry_calculate_hashes(entry, configuration, data_buffer);
+
+    assert_string_equal(entry->registry_entry.value->hash_md5, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha1, "");
+    assert_string_equal(entry->registry_entry.value->hash_sha256, "");
+    assert_string_equal(entry->registry_entry.value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+}
+
+static void test_fim_registry_scan_base_line_generation(void **state) {
+    syscheck.registry = one_entry_config;
+    syscheck.registry[0].opts = CHECK_REGISTRY_ALL;
+
+    // Set value of FirstSubKey
+    char *value_name = "test_value";
+    unsigned int value_type = REG_DWORD;
+    unsigned int value_size = 4;
+    DWORD value_data = 123456;
+    TXN_HANDLE mock_handle;
+
+    LPSTR usid = "userid";
+    LPSTR gsid = "groupid";
+    FILETIME last_write_time = { 0, 1000 };
+
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_START);
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    // Scan a subkey of batfile
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile", 0, KEY_READ | KEY_WOW64_64KEY, NULL,
+                             ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(1, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("FirstSubKey", 12, ERROR_SUCCESS);
+
+    // Scan a value of FirstSubKey
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile\\FirstSubKey", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(0, 1, &last_write_time, ERROR_SUCCESS);
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username", "groupname",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+    expect_string(__wrap__merror, formatted_msg, "Dbsync registry transaction failed due to -1");
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+    expect_RegEnumValue_call(value_name, value_type, (LPBYTE)&value_data, value_size, ERROR_SUCCESS);
+
+    expect_fim_registry_value_diff("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\FirstSubKey", "test_value",
+                                   (const char *)&value_data, 4, REG_DWORD, NULL);
+
+
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username", "groupname",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+
+    will_return(__wrap_fim_db_transaction_sync_row, 0);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_ENDED);
+
+    // Test
+    fim_registry_scan();
+    assert_int_equal(_base_line, 1);
+}
+
+static void test_fim_registry_scan_regular_scan(void **state) {
+    syscheck.registry = default_config;
+
+    // Set value of FirstSubKey
+    char *value_name = "test_value";
+    unsigned int value_type = REG_DWORD;
+    unsigned int value_size = 4;
+    DWORD value_data = 123456;
+    TXN_HANDLE mock_handle;
+
+    LPSTR usid = "userid";
+    LPSTR gsid = "groupid";
+    FILETIME last_write_time = { 0, 1000 };
+
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_START);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6919): Invalid syscheck registry entry: 'HKEY_LOCAL_MACHINE_Invalid_key\\Software\\Ignore' arch: '[x64] '.");
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+    expect_any_always(__wrap__merror, formatted_msg);
+
+    // Scan a subkey of batfile
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(1, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("FirstSubKey", 12, ERROR_SUCCESS);
+
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile\\FirstSubKey", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(0, 1, &last_write_time, ERROR_SUCCESS);
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username", "groupname",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+
+    expect_RegEnumValue_call(value_name, value_type, (LPBYTE)&value_data, value_size, ERROR_SUCCESS);
+
+
+    expect_fim_registry_value_diff("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\FirstSubKey", "test_value",
+                                   (const char *)&value_data, 4, REG_DWORD, NULL);
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username", "groupname",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+
+    // Scan a subkey of RecursionLevel0
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\RecursionLevel0", 0, KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(1, 0, &last_write_time, ERROR_SUCCESS);
+    expect_RegEnumKeyEx_call("depth0", 7, ERROR_SUCCESS);
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username2", "groupname2",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+
+    will_return(__wrap_fim_db_transaction_sync_row, -1);
+
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\FailToInsert", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(0, 0, &last_write_time, ERROR_SUCCESS);
+
+
+    // Inside fim_registry_get_key_data
+    expect_fim_registry_get_key_data_call(usid, gsid, "username2", "groupname2",
+                                          "sid (allowed): delete|write_dac|write_data|append_data|write_attributes",
+                                          last_write_time);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_ENDED);
+
+    // Test
+    fim_registry_scan();
+}
+
+static void test_fim_registry_scan_RegOpenKeyEx_fail(void **state) {
+    syscheck.registry = one_entry_config;
+    syscheck.registry[0].opts = CHECK_REGISTRY_ALL;
+    TXN_HANDLE mock_handle;
+
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_START);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6920): Unable to open registry key: 'Software\\Classes\\batfile' arch: '[x64]'.");
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_ENDED);
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    // Scan a subkey of batfile
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, -1);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+
+    // Test
+    fim_registry_scan();
+}
+
+static void test_fim_registry_scan_RegQueryInfoKey_fail(void **state) {
+    FILETIME last_write_time = { 0, 1000 };
+
+    syscheck.registry = one_entry_config;
+    syscheck.registry[0].opts = CHECK_REGISTRY_ALL;
+    TXN_HANDLE mock_handle;
+
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_START);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WINREGISTRY_ENDED);
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    // Scan a subkey of batfile
+    expect_RegOpenKeyEx_call(HKEY_LOCAL_MACHINE, "Software\\Classes\\batfile", 0,
+                             KEY_READ | KEY_WOW64_64KEY, NULL, ERROR_SUCCESS);
+    expect_RegQueryInfoKey_call(1, 0, &last_write_time, -1);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+
+    // Test
+    fim_registry_scan();
+}
+
+static void test_fim_registry_key_transaction_callback_empty_changed_attributes(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    fim_registry_key key = {
+        .path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile",
+        .arch = ARCH_64BIT,
+        .hash_full_path = "234567890ABCDEF1234567890ABCDEF123456111",
+        .last_event = 12345
+    };
+    ReturnTypeCallback resultType = MODIFIED;
+    const cJSON *result_json = cJSON_Parse("{\"new\":{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\",\"arch\":\"[x64]\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"},\"old\":{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\"}}");
+    fim_key_txn_context_t user_data = {.key = &key, .evt_data = &event_data};
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6954): Entry 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile' does not have any modified fields. No event will be generated.");
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_base_line(){
+    _base_line = 0;
+    ReturnTypeCallback resultType = INSERTED;
+    const cJSON* result_json = NULL;
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = NULL};
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_empty_json_array(){
+    _base_line = 1;
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = NULL};
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_null_configuration(){
+    _base_line = 1;
+    event_data_t event_data;
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x32]\", \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = &event_data};
+
+    // fim_registry_configuration
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_insert(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = &event_data};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_modify(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = MODIFIED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = &event_data};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_delete(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = DELETED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = NULL, .evt_data = &event_data};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6355): Can't remove folder 'queue/diff/registry/[x64] b9b175e8810d3475f15976dd3b5f9210f3af6604', it does not exist.");
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_key_transaction_callback_max_rows(){
+    _base_line = 1;
+    event_data_t event_data;
+    fim_registry_key key;
+    key.path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    key.arch = ARCH_64BIT;
+    ReturnTypeCallback resultType = MAX_ROWS;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\", \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_key_txn_context_t user_data = {.key = &key, .evt_data = &event_data};
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Couldn't insert 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile' entry into DB. The DB is full, please check your configuration.");
+
+    registry_key_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_empty_changed_attributes(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    fim_registry_value_data value;
+    value.path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    value.arch = ARCH_64BIT;
+    value.name = "mock_value_name";
+    value.hash_full_path = "234567890ABCDEF1234567890ABCDEF123456111";
+    ReturnTypeCallback resultType = MODIFIED;
+    const cJSON *result_json = cJSON_Parse("{\"new\":{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\",\"arch\":\"[x64]\",\"name\":\"mock_name_value\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"},\"old\":{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\",\"name\":\"mock_name_value\"}}");
+    fim_val_txn_context_t user_data = {.data = &value, .evt_data = &event_data, .diff = NULL};
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6954): Entry 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile' does not have any modified fields. No event will be generated.");
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_base_line(){
+    _base_line = 0;
+    event_data_t event_data;
+    ReturnTypeCallback resultType = INSERTED;
+    const cJSON* result_json = NULL;
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = NULL};
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_empty_json_array(){
+    _base_line = 1;
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = NULL, .diff = NULL};
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_null_configuration(){
+    _base_line = 1;
+    event_data_t event_data;
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x32]\", \"name\":\"mock_name_value\", \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = NULL};
+
+    // fim_registry_configuration
+    expect_any_always(__wrap__mdebug2, formatted_msg);
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_insert(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = INSERTED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\",\"arch\":\"[x64]\", \"name\":\"mock_name_value\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = NULL};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_modify(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = MODIFIED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\",\"arch\":\"[x64]\",\"name\":\"mock_name_value\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = NULL};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_modify_with_diff(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = MODIFIED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\",\"arch\":\"[x64]\",\"name\":\"mock_name_value\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = "test diff string"};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_delete(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    ReturnTypeCallback resultType = DELETED;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\", \"name\":\"mock_name_value\",\"last_event\":12345, \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = NULL, .evt_data = &event_data, .diff = NULL};
+
+    expect_function_call(__wrap_send_syscheck_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6355): Can't remove folder 'queue/diff/registry/[x64] b9b175e8810d3475f15976dd3b5f9210f3af6604/6797a8200934259ad5d56d1eb8dd24afc4f7ae2e', it does not exist.");
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_value_transaction_callback_max_rows(){
+    _base_line = 1;
+    event_data_t event_data = {.mode = FIM_SCHEDULED};
+    fim_registry_value_data value;
+    value.path = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    value.arch = ARCH_64BIT;
+    value.name = "mock_value_name";
+    ReturnTypeCallback resultType = MAX_ROWS;
+    const char* json_string = "{\"path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Classes\\\\batfile\", \"arch\":\"[x64]\", \"name\":\"mock_name_value\", \"hash_full_path\":\"234567890ABCDEF1234567890ABCDEF123456111\"}";
+    const cJSON* result_json = cJSON_Parse(json_string);
+    fim_val_txn_context_t user_data = {.data = &value, .evt_data = &event_data, .diff = NULL};
+
+    expect_string(__wrap__mdebug1, formatted_msg, "Couldn't insert 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile' entry into DB. The DB is full, please check your configuration.");
+
+    registry_value_transaction_callback(resultType, result_json, &user_data);
+}
+
+static void test_fim_registry_free_entry(){
+    fim_entry *entry;
+    os_calloc(1, sizeof(fim_entry), entry);
+
+    fim_registry_key *key;
+    os_calloc(1, sizeof(fim_registry_key), key);
+    key->id = 3;
+    os_strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", key->path);
+    os_strdup("234567890ABCDEF1234567890ABCDEF123456111", key->hash_full_path);
+    os_strdup("sid (allowed): delete|write_dac|write_data|append_data|write_attributes", key->perm);
+    os_strdup("100", key->uid);
+    os_strdup("200", key->gid);
+    os_strdup("username", key->user_name);
+    os_strdup("groupname", key->group_name);
+    key->arch = 1;
+
+    fim_registry_value_data *value;
+    os_calloc(1, sizeof(fim_registry_value_data), value);
+    value->id = 3;
+    os_strdup("valuename", value->name);
+    strcpy(value->hash_md5, "1234567890ABCDEF1234567890ABCDEF");
+    strcpy(value->hash_sha1, "1234567890ABCDEF1234567890ABCDEF12345678");
+    strcpy(value->hash_sha256, "1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF");
+    strcpy(value->checksum, "1234567890ABCDEF1234567890ABCDEF12345678");
+
+    entry->type = FIM_TYPE_REGISTRY;
+    entry->registry_entry.key = key;
+    entry->registry_entry.value = value;
+
+    fim_registry_free_entry(entry);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        /* fim_set_root_key test */
+        cmocka_unit_test(test_fim_set_root_key_null_root_key),
+        cmocka_unit_test(test_fim_set_root_key_null_full_key),
+        cmocka_unit_test(test_fim_set_root_key_null_sub_key),
+        cmocka_unit_test(test_fim_set_root_key_invalid_key),
+        cmocka_unit_test(test_fim_set_root_key_invalid_root_key),
+        cmocka_unit_test(test_fim_set_root_key_valid_HKEY_LOCAL_MACHINE_key),
+        cmocka_unit_test(test_fim_set_root_key_valid_HKEY_CLASSES_ROOT_key),
+        cmocka_unit_test(test_fim_set_root_key_valid_HKEY_CURRENT_CONFIG_key),
+        cmocka_unit_test(test_fim_set_root_key_valid_HKEY_USERS_key),
+
+        /* fim_registry_configuration tests */
+        cmocka_unit_test(test_fim_registry_configuration_registry_found),
+        cmocka_unit_test(test_fim_registry_configuration_registry_not_found_arch_does_not_match),
+        cmocka_unit_test(test_fim_registry_configuration_registry_not_found_path_does_not_match),
+        cmocka_unit_test(test_fim_registry_configuration_null_key),
+
+        /* fim_registry_validate_recursion_level tests */
+        cmocka_unit_test(test_fim_registry_validate_recursion_level_null_configuration),
+        cmocka_unit_test(test_fim_registry_validate_recursion_level_null_entry_path),
+        cmocka_unit_test(test_fim_registry_validate_recursion_level_valid_entry_path),
+        cmocka_unit_test(test_fim_registry_validate_recursion_level_invalid_recursion_level),
+
+        /* fim_registry_validate_ignore tests */
+        cmocka_unit_test(test_fim_registry_validate_ignore_null_configuration),
+        cmocka_unit_test(test_fim_registry_validate_ignore_null_entry_path),
+        cmocka_unit_test(test_fim_registry_validate_ignore_valid_entry_path),
+        cmocka_unit_test(test_fim_registry_validate_ignore_ignore_entry),
+        cmocka_unit_test(test_fim_registry_validate_ignore_regex_ignore_entry),
+
+        /* fim_registry_get_key_data tests */
+        cmocka_unit_test(test_fim_registry_get_key_data_check_owner),
+        cmocka_unit_test(test_fim_registry_get_key_data_check_group),
+        cmocka_unit_test(test_fim_registry_get_key_data_check_perm),
+        cmocka_unit_test(test_fim_registry_get_key_data_check_mtime),
+
+        /* fim_registry_calculate_hashes tests */
+        cmocka_unit_test_setup_teardown(test_fim_registry_calculate_hashes_CHECK_MD5SUM, setup_test_hashes, teardown_test_hashes),
+        cmocka_unit_test_setup_teardown(test_fim_registry_calculate_hashes_CHECK_SHA1SUM, setup_test_hashes, teardown_test_hashes),
+        cmocka_unit_test_setup_teardown(test_fim_registry_calculate_hashes_CHECK_SHA256SUM, setup_test_hashes, teardown_test_hashes),
+        cmocka_unit_test_setup_teardown(test_fim_registry_calculate_hashes_default_type, setup_test_hashes, teardown_test_hashes),
+        cmocka_unit_test_setup_teardown(test_fim_registry_calculate_hashes_no_config, setup_test_hashes, teardown_test_hashes),
+
+        /* fim_registry_scan tests */
+        cmocka_unit_test(test_fim_registry_scan_base_line_generation),
+        cmocka_unit_test(test_fim_registry_scan_regular_scan),
+        cmocka_unit_test(test_fim_registry_scan_RegOpenKeyEx_fail),
+        cmocka_unit_test(test_fim_registry_scan_RegQueryInfoKey_fail),
+
+        /* fim registry key transaction callback tests */
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_empty_changed_attributes),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_empty_json_array),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_base_line),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_null_configuration),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_insert),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_modify),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_delete),
+        cmocka_unit_test(test_fim_registry_key_transaction_callback_max_rows),
+
+        /* fim registry value transaction callback tests */
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_empty_changed_attributes),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_empty_json_array),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_base_line),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_null_configuration),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_insert),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_modify),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_modify_with_diff),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_delete),
+        cmocka_unit_test(test_fim_registry_value_transaction_callback_max_rows),
+
+        /* fim_registry_free_entry */
+        cmocka_unit_test(test_fim_registry_free_entry)
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/test_config.c b/src/modules/fim/tests/unit/tests/test_config.c
new file mode 100644
index 0000000000..6b73a287e2
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_config.c
@@ -0,0 +1,926 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../syscheckd/include/syscheck.h"
+#include "../config/syscheck-config.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+#include "../wrappers/wazuh/os_regex/os_regex_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+
+/* redefinitons/wrapping */
+typedef struct entry_struct_s {
+    directory_t *dir1;
+    directory_t *dir2;
+    char *filerestrict;
+} entry_struct_t;
+
+static int setup_read_config(void **state) {
+    test_mode = 0;
+
+    return 0;
+}
+
+static int restart_syscheck(void **state)
+{
+    test_mode = 1;
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    cJSON *data = *state;
+    if (data) {
+        cJSON_Delete(data);
+    }
+    Free_Syscheck(&syscheck);
+    memset(&syscheck, 0, sizeof(syscheck_config));
+    return 0;
+}
+
+/* setup and teardown */
+
+static int setup_group(void **state) {
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+
+    return 0;
+}
+
+static int setup_entry(void **state) {
+    entry_struct_t *entries = calloc(1, sizeof(entry_struct_t));
+    if (entries == NULL) {
+        return 1;
+    }
+
+    *state = entries;
+    return 0;
+}
+
+static int teardown_entry(void **state) {
+    entry_struct_t *entries = *state;
+
+    if (entries->dir1) {
+        free_directory(entries->dir1);
+    }
+
+    if (entries->dir2) {
+        free_directory(entries->dir2);
+    }
+
+    if (entries->filerestrict) {
+        free(entries->filerestrict);
+    }
+
+    free(entries);
+    return 0;
+}
+/* tests */
+
+void test_Read_Syscheck_Config_success(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+    expect_any_always(__wrap__mwarn, formatted_msg);
+
+
+    test_mode = 0;
+    ret = Read_Syscheck_Config("test_syscheck_max_dir.conf");
+    test_mode = 1;
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.rootcheck, 0);
+
+    assert_int_equal(syscheck.disabled, 0);
+    assert_int_equal(syscheck.skip_fs.nfs, 1);
+    assert_int_equal(syscheck.skip_fs.dev, 1);
+    assert_int_equal(syscheck.skip_fs.sys, 1);
+    assert_int_equal(syscheck.skip_fs.proc, 1);
+    assert_int_equal(syscheck.scan_on_start, 1);
+    assert_int_equal(syscheck.time, 43200);
+    assert_non_null(syscheck.ignore);
+    assert_non_null(syscheck.ignore_regex);
+    assert_non_null(syscheck.nodiff);
+    assert_non_null(syscheck.nodiff_regex);
+    assert_null(syscheck.scan_day);
+    assert_null(syscheck.scan_time);
+    assert_non_null(syscheck.directories);
+    // Directories configuration have 100 directories in one line. It only can monitor 64 per line.
+    // With the first 10 directories in other lines, the count should be 74 (75 should be NULL)
+    for (int i = 0; i < 70; i++){
+        assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, i)));
+    }
+    assert_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 74)));
+    assert_int_equal(syscheck.enable_synchronization, 1);
+    assert_int_equal(syscheck.restart_audit, 1);
+    assert_int_equal(syscheck.enable_whodata, 1);
+    assert_null(syscheck.realtime);
+    assert_int_equal(syscheck.audit_healthcheck, 1);
+    assert_int_equal(syscheck.process_priority, 10);
+    assert_int_equal(syscheck.allow_remote_prefilter_cmd, true);
+    assert_non_null(syscheck.prefilter_cmd);    // It should be a valid binary absolute path
+    assert_int_equal(syscheck.sync_interval, 600);
+    assert_int_equal(syscheck.sync_queue_size, 16384);
+    assert_int_equal(syscheck.sync_thread_pool, 1);
+    assert_int_equal(syscheck.max_eps, 200);
+    assert_int_equal(syscheck.disk_quota_enabled, true);
+    assert_int_equal(syscheck.disk_quota_limit, 1024 * 1024);
+    assert_int_equal(syscheck.file_size_enabled, true);
+    assert_int_equal(syscheck.file_size_limit, 50 * 1024);
+    assert_int_equal(syscheck.diff_folder_size, 0);
+    assert_int_equal(syscheck.file_limit_enabled, 1);
+    assert_int_equal(syscheck.file_entry_limit, 50000);
+#ifdef WIN32
+    assert_int_equal(syscheck.registry_limit_enabled, 1);
+    assert_int_equal(syscheck.db_entry_registry_limit, 50000);
+#endif
+}
+
+void test_Read_Syscheck_Config_invalid(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+    expect_string(__wrap__merror, formatted_msg, "(1226): Error reading XML file 'invalid.conf': XMLERR: File 'invalid.conf' not found. (line 0).");
+
+    ret = Read_Syscheck_Config("invalid.conf");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_Read_Syscheck_Config_undefined(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    ret = Read_Syscheck_Config("test_syscheck2.conf");
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.rootcheck, 0);
+
+    assert_int_equal(syscheck.disabled, 0);
+    assert_int_equal(syscheck.skip_fs.nfs, 0);
+    assert_int_equal(syscheck.skip_fs.dev, 0);
+    assert_int_equal(syscheck.skip_fs.sys, 0);
+    assert_int_equal(syscheck.skip_fs.proc, 0);
+    assert_int_equal(syscheck.scan_on_start, 0);
+    assert_int_equal(syscheck.time, 43200);
+    assert_null(syscheck.ignore);
+    assert_null(syscheck.ignore_regex);
+    assert_null(syscheck.nodiff);
+    assert_null(syscheck.nodiff_regex);
+    assert_null(syscheck.scan_day);
+    assert_null(syscheck.scan_time);
+    assert_non_null(syscheck.directories);
+    assert_int_equal(syscheck.enable_synchronization, 0);
+    assert_int_equal(syscheck.restart_audit, 0);
+    assert_int_equal(syscheck.enable_whodata, 1);
+    assert_null(syscheck.realtime);
+    assert_int_equal(syscheck.audit_healthcheck, 0);
+    assert_int_equal(syscheck.process_priority, 10);
+    assert_int_equal(syscheck.allow_remote_prefilter_cmd, false);
+    assert_null(syscheck.prefilter_cmd);
+    assert_int_equal(syscheck.sync_interval, 600);
+    assert_int_equal(syscheck.sync_queue_size, 16384);
+    assert_int_equal(syscheck.sync_thread_pool, 1);
+    assert_int_equal(syscheck.max_eps, 200);
+    assert_int_equal(syscheck.disk_quota_enabled, true);
+    assert_int_equal(syscheck.disk_quota_limit, 2 * 1024 * 1024);
+    assert_int_equal(syscheck.file_size_enabled, true);
+    assert_int_equal(syscheck.file_size_limit, 5);
+    assert_int_equal(syscheck.diff_folder_size, 0);
+    assert_int_equal(syscheck.file_limit_enabled, 1);
+    assert_int_equal(syscheck.file_entry_limit, 50000);
+#ifdef WIN32
+    assert_int_equal(syscheck.db_entry_registry_limit, 50000);
+#endif
+}
+
+void test_Read_Syscheck_Config_unparsed(void **state)
+{
+    (void) state;
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    ret = Read_Syscheck_Config("test_empty_config.conf");
+
+    assert_int_equal(ret, 1);
+
+    // Default values
+    assert_int_equal(syscheck.rootcheck, 0);
+    assert_int_equal(syscheck.disabled, 1);
+    assert_int_equal(syscheck.skip_fs.nfs, 1);
+    assert_int_equal(syscheck.skip_fs.dev, 1);
+    assert_int_equal(syscheck.skip_fs.sys, 1);
+    assert_int_equal(syscheck.skip_fs.proc, 1);
+    assert_int_equal(syscheck.scan_on_start, 1);
+    assert_int_equal(syscheck.time, 43200);
+    assert_null(syscheck.ignore);
+    assert_null(syscheck.ignore_regex);
+    assert_null(syscheck.nodiff);
+    assert_null(syscheck.nodiff_regex);
+    assert_null(syscheck.scan_day);
+    assert_null(syscheck.scan_time);
+    assert_non_null(syscheck.directories);
+    assert_null(OSList_GetFirstNode(syscheck.directories));
+    assert_int_equal(syscheck.enable_synchronization, 1);
+    assert_int_equal(syscheck.restart_audit, 1);
+    assert_int_equal(syscheck.enable_whodata, 0);
+    assert_null(syscheck.realtime);
+    assert_int_equal(syscheck.audit_healthcheck, 1);
+    assert_int_equal(syscheck.process_priority, 10);
+    assert_int_equal(syscheck.allow_remote_prefilter_cmd, false);
+    assert_null(syscheck.prefilter_cmd);
+    assert_int_equal(syscheck.sync_interval, 300);
+    assert_int_equal(syscheck.sync_queue_size, 16384);
+    assert_int_equal(syscheck.sync_thread_pool, 1);
+    assert_int_equal(syscheck.max_eps, 50);
+    assert_int_equal(syscheck.disk_quota_enabled, true);
+    assert_int_equal(syscheck.disk_quota_limit, 1024 * 1024);
+    assert_int_equal(syscheck.file_size_enabled, true);
+    assert_int_equal(syscheck.file_size_limit, 50 * 1024);
+    assert_int_equal(syscheck.diff_folder_size, 0);
+}
+
+void test_getSyscheckConfig(void **state)
+{
+    (void) state;
+    cJSON * ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicated registration entry: HKEY_SOME_KEY\\the_key9");
+#endif
+
+    Read_Syscheck_Config("test_syscheck_config.conf");
+    ret = getSyscheckConfig();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_int_equal(cJSON_GetArraySize(ret), 1);
+
+    cJSON *sys_items = cJSON_GetObjectItem(ret, "syscheck");
+    #if defined(TEST_SERVER) || defined(TEST_AGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_items), 21);
+    #elif defined(TEST_WINAGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_items), 29);
+    #endif
+
+    cJSON *disabled = cJSON_GetObjectItem(sys_items, "disabled");
+    assert_string_equal(cJSON_GetStringValue(disabled), "no");
+    cJSON *frequency = cJSON_GetObjectItem(sys_items, "frequency");
+    assert_int_equal(frequency->valueint, 43200);
+
+    cJSON *db_file_entry_limit = cJSON_GetObjectItem(sys_items, "file_limit");
+    cJSON *db_file_entry_limit_enabled = cJSON_GetObjectItem(db_file_entry_limit, "enabled");
+    assert_string_equal(cJSON_GetStringValue(db_file_entry_limit_enabled), "yes");
+    cJSON *db_entry_limit_file_limit = cJSON_GetObjectItem(db_file_entry_limit, "entries");
+    assert_int_equal(db_entry_limit_file_limit->valueint, 50000);
+
+    cJSON *diff = cJSON_GetObjectItem(sys_items, "diff");
+
+    cJSON *disk_quota = cJSON_GetObjectItem(diff, "disk_quota");
+    cJSON *disk_quota_enabled = cJSON_GetObjectItem(disk_quota, "enabled");
+    assert_string_equal(cJSON_GetStringValue(disk_quota_enabled), "yes");
+    cJSON *disk_quota_limit = cJSON_GetObjectItem(disk_quota, "limit");
+    assert_int_equal(disk_quota_limit->valueint, 1024 * 1024);
+
+    cJSON *file_size = cJSON_GetObjectItem(diff, "file_size");
+    cJSON *file_size_enabled = cJSON_GetObjectItem(file_size, "enabled");
+    assert_string_equal(cJSON_GetStringValue(file_size_enabled), "yes");
+    cJSON *file_size_limit = cJSON_GetObjectItem(file_size, "limit");
+    assert_int_equal(file_size_limit->valueint, 50 * 1024);
+
+    cJSON *skip_nfs = cJSON_GetObjectItem(sys_items, "skip_nfs");
+    assert_string_equal(cJSON_GetStringValue(skip_nfs), "yes");
+    cJSON *skip_dev = cJSON_GetObjectItem(sys_items, "skip_dev");
+    assert_string_equal(cJSON_GetStringValue(skip_dev), "yes");
+    cJSON *skip_sys = cJSON_GetObjectItem(sys_items, "skip_sys");
+    assert_string_equal(cJSON_GetStringValue(skip_sys), "yes");
+    cJSON *skip_proc = cJSON_GetObjectItem(sys_items, "skip_proc");
+    assert_string_equal(cJSON_GetStringValue(skip_proc), "yes");
+    cJSON *scan_on_start = cJSON_GetObjectItem(sys_items, "scan_on_start");
+    assert_string_equal(cJSON_GetStringValue(scan_on_start), "yes");
+
+    cJSON *sys_dir = cJSON_GetObjectItem(sys_items, "directories");
+
+#if defined(TEST_SERVER) || defined(TEST_AGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_dir), 6);
+    #elif defined(TEST_WINAGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_dir), 13);
+#endif
+
+
+    cJSON *sys_nodiff = cJSON_GetObjectItem(sys_items, "nodiff");
+    assert_int_equal(cJSON_GetArraySize(sys_nodiff), 1);
+
+    cJSON *sys_ignore = cJSON_GetObjectItem(sys_items, "ignore");
+#if defined(TEST_SERVER) || defined(TEST_AGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_ignore), 12);
+    #elif defined(TEST_WINAGENT)
+    assert_int_equal(cJSON_GetArraySize(sys_ignore), 2);
+#endif
+
+#ifdef TEST_WINAGENT
+    cJSON *sys_ignore_regex = cJSON_GetObjectItem(sys_items, "ignore_sregex");
+    assert_int_equal(cJSON_GetArraySize(sys_ignore_regex), 1);
+
+    cJSON *sys_windows_audit_interval = cJSON_GetObjectItem(sys_items, "windows_audit_interval");
+    assert_int_equal(sys_windows_audit_interval->valueint, 0);
+
+    cJSON *sys_registry = cJSON_GetObjectItem(sys_items, "registry");
+    assert_int_equal(cJSON_GetArraySize(sys_registry), 42);
+    cJSON *sys_registry_ignore = cJSON_GetObjectItem(sys_items, "key_ignore");
+    assert_int_equal(cJSON_GetArraySize(sys_registry_ignore), 12);
+    cJSON *sys_registry_ignore_sregex = cJSON_GetObjectItem(sys_items, "key_ignore_sregex");
+    assert_int_equal(cJSON_GetArraySize(sys_registry_ignore_sregex), 1);
+    cJSON *sys_registry_value_ignore = cJSON_GetObjectItem(sys_items, "value_ignore");
+    assert_int_equal(cJSON_GetArraySize(sys_registry_value_ignore), 5);
+    cJSON *sys_registry_value_ignore_sregex = cJSON_GetObjectItem(sys_items, "value_ignore_sregex");
+    assert_int_equal(cJSON_GetArraySize(sys_registry_value_ignore_sregex), 4);
+#endif
+
+#ifndef TEST_WINAGENT
+    cJSON *sys_whodata = cJSON_GetObjectItem(sys_items, "whodata");
+    cJSON *whodata_restart_audit = cJSON_GetObjectItem(sys_whodata, "restart_audit");
+    assert_string_equal(cJSON_GetStringValue(whodata_restart_audit), "yes");
+    cJSON *whodata_audit_key = cJSON_GetObjectItem(sys_whodata, "audit_key");
+    assert_int_equal(cJSON_GetArraySize(whodata_audit_key), 2);
+    cJSON *whodata_startup_healthcheck = cJSON_GetObjectItem(sys_whodata, "startup_healthcheck");
+    assert_string_equal(cJSON_GetStringValue(whodata_startup_healthcheck), "yes");
+#endif
+
+    cJSON *allow_remote_prefilter_cmd = cJSON_GetObjectItem(sys_items, "allow_remote_prefilter_cmd");
+    assert_string_equal(cJSON_GetStringValue(allow_remote_prefilter_cmd), "yes");
+    cJSON *prefilter_cmd = cJSON_GetObjectItem(sys_items, "prefilter_cmd");
+#ifndef TEST_WINAGENT
+    assert_string_equal(cJSON_GetStringValue(prefilter_cmd), "/bin/ls");
+#else
+    assert_string_equal(cJSON_GetStringValue(prefilter_cmd), "c:\\windows\\system32\\cmd.exe");
+#endif
+
+    cJSON *sys_synchronization = cJSON_GetObjectItem(sys_items, "synchronization");
+    cJSON *synchronization_enabled = cJSON_GetObjectItem(sys_synchronization, "enabled");
+    assert_string_equal(cJSON_GetStringValue(synchronization_enabled), "yes");
+    cJSON *synchronization_interval = cJSON_GetObjectItem(sys_synchronization, "interval");
+    assert_int_equal(synchronization_interval->valueint, 600);
+
+    cJSON *sys_max_eps = cJSON_GetObjectItem(sys_items, "max_eps");
+    assert_int_equal(sys_max_eps->valueint, 200);
+    cJSON *sys_process_priority = cJSON_GetObjectItem(sys_items, "process_priority");
+    assert_int_equal(sys_process_priority->valueint, 10);
+
+    cJSON *database = cJSON_GetObjectItem(sys_items, "database");
+    assert_string_equal(cJSON_GetStringValue(database), "disk");
+}
+
+void test_getSyscheckConfig_no_audit(void **state)
+{
+    (void) state;
+    cJSON * ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    Read_Syscheck_Config("test_syscheck2.conf");
+
+    ret = getSyscheckConfig();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_int_equal(cJSON_GetArraySize(ret), 1);
+
+    cJSON *sys_items = cJSON_GetObjectItem(ret, "syscheck");
+    #ifndef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(sys_items), 17);
+    #else
+    assert_int_equal(cJSON_GetArraySize(sys_items), 21);
+    #endif
+
+    cJSON *disabled = cJSON_GetObjectItem(sys_items, "disabled");
+    assert_string_equal(cJSON_GetStringValue(disabled), "no");
+    cJSON *frequency = cJSON_GetObjectItem(sys_items, "frequency");
+    assert_int_equal(frequency->valueint, 43200);
+
+    cJSON *db_file_entry_limit = cJSON_GetObjectItem(sys_items, "file_limit");
+    cJSON *db_file_entry_limit_enabled = cJSON_GetObjectItem(db_file_entry_limit, "enabled");
+    assert_string_equal(cJSON_GetStringValue(db_file_entry_limit_enabled), "yes");
+    cJSON *db_entry_limit_file_limit = cJSON_GetObjectItem(db_file_entry_limit, "entries");
+    assert_int_equal(db_entry_limit_file_limit->valueint, 50000);
+
+    cJSON *diff = cJSON_GetObjectItem(sys_items, "diff");
+
+    cJSON *disk_quota = cJSON_GetObjectItem(diff, "disk_quota");
+    cJSON *disk_quota_enabled = cJSON_GetObjectItem(disk_quota, "enabled");
+    assert_string_equal(cJSON_GetStringValue(disk_quota_enabled), "yes");
+    cJSON *disk_quota_limit = cJSON_GetObjectItem(disk_quota, "limit");
+    assert_int_equal(disk_quota_limit->valueint, 2 * 1024 * 1024);
+
+    cJSON *file_size = cJSON_GetObjectItem(diff, "file_size");
+    cJSON *file_size_enabled = cJSON_GetObjectItem(file_size, "enabled");
+    assert_string_equal(cJSON_GetStringValue(file_size_enabled), "yes");
+    cJSON *file_size_limit = cJSON_GetObjectItem(file_size, "limit");
+    assert_int_equal(file_size_limit->valueint, 5);
+
+    cJSON *skip_nfs = cJSON_GetObjectItem(sys_items, "skip_nfs");
+    assert_string_equal(cJSON_GetStringValue(skip_nfs), "no");
+    cJSON *skip_dev = cJSON_GetObjectItem(sys_items, "skip_dev");
+    assert_string_equal(cJSON_GetStringValue(skip_dev), "no");
+    cJSON *skip_sys = cJSON_GetObjectItem(sys_items, "skip_sys");
+    assert_string_equal(cJSON_GetStringValue(skip_sys), "no");
+    cJSON *skip_proc = cJSON_GetObjectItem(sys_items, "skip_proc");
+    assert_string_equal(cJSON_GetStringValue(skip_proc), "no");
+    cJSON *scan_on_start = cJSON_GetObjectItem(sys_items, "scan_on_start");
+    assert_string_equal(cJSON_GetStringValue(scan_on_start), "no");
+
+    cJSON *sys_dir = cJSON_GetObjectItem(sys_items, "directories");
+#ifndef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(sys_dir), 8);
+#else
+    assert_int_equal(cJSON_GetArraySize(sys_dir), 6);
+#endif
+
+    cJSON *sys_nodiff = cJSON_GetObjectItem(sys_items, "nodiff");
+    assert_null(sys_nodiff);
+
+    cJSON *sys_ignore = cJSON_GetObjectItem(sys_items, "ignore");
+    assert_null(sys_ignore);
+
+#ifndef TEST_WINAGENT
+    cJSON *sys_whodata = cJSON_GetObjectItem(sys_items, "whodata");
+    cJSON *whodata_restart_audit = cJSON_GetObjectItem(sys_whodata, "restart_audit");
+    assert_string_equal(cJSON_GetStringValue(whodata_restart_audit), "no");
+    cJSON *whodata_audit_key = cJSON_GetObjectItem(sys_whodata, "audit_key");
+    assert_null(whodata_audit_key);
+    cJSON *whodata_startup_healthcheck = cJSON_GetObjectItem(sys_whodata, "startup_healthcheck");
+    assert_string_equal(cJSON_GetStringValue(whodata_startup_healthcheck), "no");
+#else
+    cJSON *windows_audit_interval = cJSON_GetObjectItem(sys_items, "windows_audit_interval");
+    assert_int_equal(windows_audit_interval->valueint, 0);
+    cJSON *win_registry = cJSON_GetObjectItem(sys_items, "registry");
+    assert_int_equal(cJSON_GetArraySize(win_registry), 33);
+    cJSON *win_registry_ignore = cJSON_GetObjectItem(sys_items, "key_ignore");
+    assert_int_equal(cJSON_GetArraySize(win_registry_ignore), 11);
+    cJSON *win_registry_ignore_regex = cJSON_GetObjectItem(sys_items, "key_ignore_sregex");
+    assert_int_equal(cJSON_GetArraySize(win_registry_ignore_regex), 1);
+#endif
+
+    cJSON *allow_remote_prefilter_cmd = cJSON_GetObjectItem(sys_items, "allow_remote_prefilter_cmd");
+    assert_string_equal(cJSON_GetStringValue(allow_remote_prefilter_cmd), "no");
+    cJSON *prefilter_cmd = cJSON_GetObjectItem(sys_items, "prefilter_cmd");
+    assert_null(prefilter_cmd);
+
+    cJSON *sys_synchronization = cJSON_GetObjectItem(sys_items, "synchronization");
+    cJSON *synchronization_enabled = cJSON_GetObjectItem(sys_synchronization, "enabled");
+    assert_string_equal(cJSON_GetStringValue(synchronization_enabled), "no");
+    cJSON *synchronization_interval = cJSON_GetObjectItem(sys_synchronization, "interval");
+    assert_int_equal(synchronization_interval->valueint, 600);
+
+    cJSON *database = cJSON_GetObjectItem(sys_items, "database");
+    assert_string_equal(cJSON_GetStringValue(database), "memory");
+}
+
+#ifndef TEST_WINAGENT
+void test_getSyscheckConfig_no_directories(void **state)
+{
+    (void) state;
+    cJSON * ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    Read_Syscheck_Config("test_empty_config.conf");
+
+    ret = getSyscheckConfig();
+
+    assert_null(ret);
+}
+#else
+void test_getSyscheckConfig_no_directories(void **state)
+{
+    (void) state;
+    cJSON * ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    Read_Syscheck_Config("test_empty_config.conf");
+
+    ret = getSyscheckConfig();
+
+
+    assert_non_null(ret);
+    assert_int_equal(cJSON_GetArraySize(ret), 1);
+
+    cJSON *sys_items = cJSON_GetObjectItem(ret, "syscheck");
+    assert_int_equal(cJSON_GetArraySize(sys_items), 18);
+    cJSON *disabled = cJSON_GetObjectItem(sys_items, "disabled");
+    assert_string_equal(cJSON_GetStringValue(disabled), "yes");
+    cJSON *frequency = cJSON_GetObjectItem(sys_items, "frequency");
+    assert_int_equal(frequency->valueint, 43200);
+
+    cJSON *file_limit = cJSON_GetObjectItem(sys_items, "file_limit");
+    cJSON *file_limit_enabled = cJSON_GetObjectItem(file_limit, "enabled");
+    assert_string_equal(cJSON_GetStringValue(file_limit_enabled), "yes");
+    cJSON *file_limit_entries = cJSON_GetObjectItem(file_limit, "entries");
+    assert_int_equal(file_limit_entries->valueint, 100000);
+
+    cJSON *registry_limit = cJSON_GetObjectItem(sys_items, "registry_limit");
+    cJSON *registry_limit_enabled = cJSON_GetObjectItem(registry_limit, "enabled");
+    assert_string_equal(cJSON_GetStringValue(registry_limit_enabled), "yes");
+    cJSON *registry_limit_entries = cJSON_GetObjectItem(registry_limit, "entries");
+
+    assert_int_equal(registry_limit_entries->valueint, 100000);
+
+    cJSON *diff = cJSON_GetObjectItem(sys_items, "diff");
+
+    cJSON *disk_quota = cJSON_GetObjectItem(diff, "disk_quota");
+    cJSON *disk_quota_enabled = cJSON_GetObjectItem(disk_quota, "enabled");
+    assert_string_equal(cJSON_GetStringValue(disk_quota_enabled), "yes");
+    cJSON *disk_quota_limit = cJSON_GetObjectItem(disk_quota, "limit");
+    assert_int_equal(disk_quota_limit->valueint, 1024 * 1024);
+
+    cJSON *file_size = cJSON_GetObjectItem(diff, "file_size");
+    cJSON *file_size_enabled = cJSON_GetObjectItem(file_size, "enabled");
+    assert_string_equal(cJSON_GetStringValue(file_size_enabled), "yes");
+    cJSON *file_size_limit = cJSON_GetObjectItem(file_size, "limit");
+    assert_int_equal(file_size_limit->valueint, 50 * 1024);
+
+    cJSON *skip_nfs = cJSON_GetObjectItem(sys_items, "skip_nfs");
+    assert_string_equal(cJSON_GetStringValue(skip_nfs), "yes");
+    cJSON *skip_dev = cJSON_GetObjectItem(sys_items, "skip_dev");
+    assert_string_equal(cJSON_GetStringValue(skip_dev), "yes");
+    cJSON *skip_sys = cJSON_GetObjectItem(sys_items, "skip_sys");
+    assert_string_equal(cJSON_GetStringValue(skip_sys), "yes");
+    cJSON *skip_proc = cJSON_GetObjectItem(sys_items, "skip_proc");
+    assert_string_equal(cJSON_GetStringValue(skip_proc), "yes");
+    cJSON *scan_on_start = cJSON_GetObjectItem(sys_items, "scan_on_start");
+    assert_string_equal(cJSON_GetStringValue(scan_on_start), "yes");
+    cJSON *windows_audit_interval = cJSON_GetObjectItem(sys_items, "windows_audit_interval");
+    assert_int_equal(windows_audit_interval->valueint, 0);
+    cJSON *registry = cJSON_GetObjectItem(sys_items, "registry");
+    assert_int_equal(cJSON_GetArraySize(registry), 0);
+    cJSON *allow_remote_prefilter_cmd = cJSON_GetObjectItem(sys_items, "allow_remote_prefilter_cmd");
+    assert_string_equal(cJSON_GetStringValue(allow_remote_prefilter_cmd), "no");
+    cJSON *max_eps = cJSON_GetObjectItem(sys_items, "max_eps");
+    assert_int_equal(max_eps->valueint, 50);
+    cJSON *process_priority = cJSON_GetObjectItem(sys_items, "process_priority");
+    assert_int_equal(process_priority->valueint, 10);
+
+    cJSON *synchronization = cJSON_GetObjectItem(sys_items, "synchronization");
+    assert_int_equal(cJSON_GetArraySize(synchronization), 8);
+    cJSON *enabled = cJSON_GetObjectItem(synchronization, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "yes");
+    cJSON *interval = cJSON_GetObjectItem(synchronization, "interval");
+    assert_int_equal(interval->valueint, 300);
+    cJSON *sync_max_eps = cJSON_GetObjectItem(synchronization, "max_eps");
+    assert_int_equal(sync_max_eps->valueint, 10);
+}
+#endif
+
+void test_SyscheckConf_DirectoriesWithCommas(void **state) {
+    (void) state;
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    ret = Read_Syscheck_Config("test_syscheck3.conf");
+    assert_int_equal(ret, 0);
+
+    #ifdef WIN32
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path, "c:\\,testcommas");
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->path, "c:\\test,commas");
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 2))->path, "c:\\testcommas,");
+    #else
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path, "/,testcommas");
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->path, "/test,commas");
+    assert_string_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 2))->path, "/testcommas,");
+    #endif
+}
+
+void test_getSyscheckInternalOptions(void **state)
+{
+    (void) state;
+    cJSON * ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    Read_Syscheck_Config("test_syscheck.conf");
+
+    ret = getSyscheckInternalOptions();
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_int_equal(cJSON_GetArraySize(ret), 1);
+    cJSON *items = cJSON_GetObjectItem(ret, "internal");
+    assert_int_equal(cJSON_GetArraySize(items), 2);
+    cJSON *sys_items = cJSON_GetObjectItem(items, "syscheck");
+    assert_int_equal(cJSON_GetArraySize(sys_items), 6);
+    cJSON *root_items = cJSON_GetObjectItem(items, "rootcheck");
+    assert_int_equal(cJSON_GetArraySize(root_items), 1);
+}
+
+void test_fim_create_directory_add_new_entry(void **state) {
+    const char *path = "./mock_path";
+    int options = CHECK_FOLLOW;
+    const char *filerestrict = "restrict";
+    int recursion_level = 0;
+    const char *tag = "mock_tag";
+    int diff_size_limit = 0;
+    unsigned int is_wildcard = 0;
+    directory_t *new_entry;
+    entry_struct_t *test_struct = *state;
+
+    new_entry = fim_create_directory(path, options, filerestrict, recursion_level, tag, diff_size_limit, is_wildcard);
+    test_struct->dir1 = new_entry;
+
+    assert_non_null(new_entry);
+    assert_string_equal(tag, new_entry->tag);
+    assert_string_equal(path, new_entry->path);
+    assert_int_equal(is_wildcard, new_entry->is_wildcard);
+}
+
+void test_fim_create_directory_OSMatch_Compile_fail_maxsize(void **state) {
+    const char *path = "./mock_path";
+    int recursion_level = 0;
+    const char *tag = "mock_tag";
+    int options = CHECK_FOLLOW;
+    int diff_size_limit = 0;
+    unsigned int is_wildcard = 0;
+    directory_t *new_entry;
+    char error_msg[OS_MAXSTR + 1];
+    entry_struct_t *test_struct = *state;
+
+    test_struct->filerestrict = calloc(OS_PATTERN_MAXSIZE + 2, sizeof(char));
+    memset(test_struct->filerestrict, 'a', OS_PATTERN_MAXSIZE + 1);
+
+    snprintf(error_msg, OS_MAXSTR, REGEX_COMPILE, test_struct->filerestrict, OS_REGEX_MAXSIZE);
+
+    expect_string(__wrap__merror, formatted_msg, error_msg);
+
+    new_entry = fim_create_directory(path, options, test_struct->filerestrict, recursion_level, tag, diff_size_limit, is_wildcard);
+    test_struct->dir1 = new_entry;
+    assert_non_null(new_entry);
+    assert_string_equal(tag, new_entry->tag);
+}
+
+void test_fim_insert_directory_duplicate_entry(void **state) {
+    OSList list;
+    OSListNode first_list_node;
+    entry_struct_t *test_struct = *state;
+
+    test_struct->dir1 = calloc(1, sizeof(directory_t));
+    test_struct->dir2 = calloc(1, sizeof(directory_t));
+
+    test_struct->dir2->path = strdup("same_path");
+    test_struct->dir2->tag = strdup("new_entry_tag");
+    first_list_node.data = test_struct->dir1;
+    list.first_node = &first_list_node;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    test_struct->dir1->path = strdup(test_struct->dir2->path);
+    fim_insert_directory(&list, test_struct->dir2);
+
+    assert_string_equal(test_struct->dir2->tag, ((directory_t*)(list.first_node->data))->tag);
+    // test_struct->dir1 is already freed.
+    test_struct->dir1 = NULL;
+    *state = test_struct;
+}
+
+void test_fim_insert_directory_insert_entry_before(void **state) {
+    OSList list = {0};
+    OSList_SetFreeDataPointer(&list, (void (*)(void *))free_directory);
+    OSListNode *first_list_node = calloc(1, sizeof(OSListNode));
+    entry_struct_t *test_struct= *state;
+
+    test_struct->dir1 = calloc(1, sizeof(directory_t));
+    test_struct->dir2 = calloc(1, sizeof(directory_t));
+
+    test_struct->dir1->path = strdup("BPath");
+    test_struct->dir2->path = strdup("APath");
+    test_struct->dir2->tag = strdup("new_entry_tag");
+
+    first_list_node->data = test_struct->dir1;
+    list.first_node = first_list_node;
+    list.last_node = list.first_node;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    fim_insert_directory(&list, test_struct->dir2);
+    assert_string_equal(test_struct->dir2->tag, ((directory_t*)(list.first_node->data))->tag);
+
+    OSList_CleanNodes(&list);
+    test_struct->dir1 = NULL;
+    test_struct->dir2 = NULL;
+}
+
+void test_fim_insert_directory_insert_entry_last(void **state) {
+    OSList list = {0};
+
+    OSList_SetFreeDataPointer(&list, (void (*)(void *))free_directory);
+    OSListNode *first_list_node = calloc(1, sizeof(OSListNode));
+
+    entry_struct_t *test_struct = *state;
+
+    test_struct->dir1 = calloc(1, sizeof(directory_t));
+    test_struct->dir2 = calloc(1, sizeof(directory_t));
+
+    test_struct->dir1->path = strdup("APath");
+    test_struct->dir2->path = strdup("BPath");
+    test_struct->dir2->tag = strdup("new_entry_tag");
+
+    first_list_node->data = test_struct->dir1;
+    list.first_node = first_list_node;
+    list.last_node = list.first_node;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    fim_insert_directory(&list, test_struct->dir2);
+    assert_string_equal(test_struct->dir2->tag, ((directory_t*)(list.last_node->data))->tag);
+
+    OSList_CleanNodes(&list);
+
+    test_struct->dir1 = NULL;
+    test_struct->dir2 = NULL;
+}
+
+void test_fim_copy_directory_null(void **state) {
+    directory_t *dir = NULL;
+    directory_t *return_dir;
+
+    return_dir = fim_copy_directory(dir);
+
+    assert_null(return_dir);
+
+}
+
+void test_fim_copy_directory_return_dir_copied(void **state) {
+    directory_t directory_copied;
+    directory_t *new_entry;
+    directory_copied.filerestrict = NULL;
+    directory_copied.path = "mock_path";
+    directory_copied.options = 0;
+    directory_copied.recursion_level = 3;
+    directory_copied.tag = "mock_tag";
+    directory_copied.diff_size_limit = 10;
+    directory_copied.is_wildcard = 0;
+    entry_struct_t *test_struct = *state;
+
+    new_entry = fim_copy_directory(&directory_copied);
+
+    assert_non_null(new_entry);
+    assert_string_equal(directory_copied.tag, new_entry->tag);
+    assert_string_equal(directory_copied.path, new_entry->path);
+    assert_int_equal(directory_copied.is_wildcard, new_entry->is_wildcard);
+    test_struct->dir1 = new_entry;
+}
+
+void test_fim_adjust_path_no_changes (void **state) {
+    char *path = strdup("c:\\a\\path\\not\\replaced");
+
+    fim_adjust_path(&path);
+
+    assert_string_equal(path, "c:\\a\\path\\not\\replaced");
+
+    free(path);
+}
+
+void test_fim_adjust_path_convert_sysnative (void **state) {
+    char *path = strdup("C:\\windows\\sysnative\\test");
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6307): Convert 'c:\\windows\\sysnative\\test' to 'c:\\windows\\system32\\test' to process the FIM events.");
+
+    fim_adjust_path(&path);
+
+    assert_string_equal(path, "c:\\windows\\system32\\test");
+
+    free(path);
+}
+
+void test_fim_adjust_path_convert_syswow64 (void **state) {
+
+    char *path = strdup("C:\\windows\\syswow64\\test");
+
+    fim_adjust_path(&path);
+
+    assert_string_equal(path, "c:\\windows\\syswow64\\test");
+
+    free(path);
+}
+
+void test_fim_adjust_path_convert_system32 (void **state) {
+
+    char *path = strdup("c:\\windows\\system32\\test");
+
+    fim_adjust_path(&path);
+
+    assert_string_equal(path, "c:\\windows\\system32\\test");
+
+    free(path);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_Read_Syscheck_Config_success, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_Read_Syscheck_Config_invalid, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_Read_Syscheck_Config_undefined, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_Read_Syscheck_Config_unparsed, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_getSyscheckConfig, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_getSyscheckConfig_no_audit, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_getSyscheckConfig_no_directories, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_getSyscheckInternalOptions, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_SyscheckConf_DirectoriesWithCommas, setup_read_config, restart_syscheck),
+        cmocka_unit_test_setup_teardown(test_fim_create_directory_add_new_entry, setup_entry, teardown_entry),
+        cmocka_unit_test_setup_teardown(test_fim_create_directory_OSMatch_Compile_fail_maxsize, setup_entry, teardown_entry),
+        cmocka_unit_test_setup_teardown(test_fim_insert_directory_duplicate_entry, setup_entry, teardown_entry),
+        cmocka_unit_test_setup_teardown(test_fim_insert_directory_insert_entry_before, setup_entry, teardown_entry),
+        cmocka_unit_test_setup_teardown(test_fim_insert_directory_insert_entry_last, setup_entry, teardown_entry),
+        cmocka_unit_test(test_fim_copy_directory_null),
+        cmocka_unit_test_setup_teardown(test_fim_copy_directory_return_dir_copied, setup_entry, teardown_entry),
+	    cmocka_unit_test(test_fim_adjust_path_no_changes),
+        cmocka_unit_test(test_fim_adjust_path_convert_sysnative),
+        cmocka_unit_test(test_fim_adjust_path_convert_syswow64),
+        cmocka_unit_test(test_fim_adjust_path_convert_system32)
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/test_create_db.c b/src/modules/fim/tests/unit/tests/test_create_db.c
new file mode 100644
index 0000000000..abce8159e6
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_create_db.c
@@ -0,0 +1,4480 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../wrappers/common.h"
+#include "../wrappers/posix/dirent_wrappers.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+#include "../wrappers/posix/stat_wrappers.h"
+#include "../wrappers/wazuh/config/syscheck_config_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/shared/fs_op_wrappers.h"
+#include "../wrappers/wazuh/shared/syscheck_op_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/fim_db_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/run_check_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/run_realtime_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/fim_diff_changes_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/registry.h"
+#include "../wrappers/wazuh/os_crypto/md5_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+
+#include "syscheck.h"
+#include "../../config/syscheck-config.h"
+#include "db/include/db.h"
+
+#include "test_fim.h"
+
+fim_state_db _files_db_state = FIM_STATE_DB_NORMAL;
+
+void update_wildcards_config();
+void fim_process_wildcard_removed(directory_t *configuration);
+void transaction_callback(ReturnTypeCallback resultType, const cJSON* result_json, void* user_data);
+void fim_event_callback(void* data, void * ctx);
+cJSON * fim_calculate_dbsync_difference(const fim_file_data *data, const cJSON* changed_data, cJSON* old_attributes,
+                                        cJSON* changed_attributes);
+void create_windows_who_data_events(void * data, void * ctx);
+void fim_db_remove_entry(void * data, void * ctx);
+void process_delete_event(void * data, void * ctx);
+void fim_db_process_missing_entry(void * data, void * ctx);
+void dbsync_attributes_json(const cJSON *dbsync_event, const directory_t *configuration, cJSON *attributes);
+
+/* auxiliary structs */
+typedef struct __fim_data_s {
+    event_data_t *evt_data;
+    whodata_evt *w_evt;
+    fim_entry *fentry;
+    fim_file_data *new_data;
+    fim_file_data *old_data;
+    fim_file_data *local_data; // Used on certain tests, not affected by group setup/teardown
+    struct dirent *entry;       // Used on fim_directory tests, not affected by group setup/teardown
+    cJSON *json;
+    OSList *list;
+    rb_tree *tree;
+} fim_data_t;
+
+typedef struct _txn_data_s {
+    fim_txn_context_t *txn_context;
+    char *diff;
+    cJSON *dbsync_event;
+} txn_data_t;
+
+typedef struct _json_struct_s {
+    cJSON *json1;
+    cJSON *json2;
+} json_struct_t;
+
+const struct stat DEFAULT_STATBUF = { .st_mode = S_IFREG | 00444,
+                                      .st_size = 1000,
+                                      .st_uid = 0,
+                                      .st_gid = 0,
+                                      .st_ino = 1234,
+                                      .st_dev = 2345,
+                                      .st_mtime = 3456 };
+
+static OSList *removed_entries;
+
+fim_file_data DEFAULT_FILE_DATA = {
+    // Checksum attributes
+    .size = 0,
+    .attributes = NULL,
+    .uid = "1000",
+    .gid = "1000",
+    .user_name = "root",
+    .group_name = "root",
+    .mtime = 123456789,
+    .inode = 1,
+    .hash_md5 = "0123456789abcdef0123456789abcdef",
+    .hash_sha1 = "0123456789abcdef0123456789abcdef01234567",
+    .hash_sha256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+    #ifdef TEST_WINAGENT
+    .perm = "{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}}",
+    #else
+    .perm = "rw-rw-r--",
+    #endif
+    // Options
+    .mode = FIM_REALTIME,
+    .last_event = 0,
+    .dev = 100,
+    .scanned = 0,
+    .options = (CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MTIME | CHECK_INODE | CHECK_MD5SUM |
+                CHECK_SHA1SUM | CHECK_SHA256SUM),
+    .checksum = "0123456789abcdef0123456789abcdef01234567",
+};
+
+/* redefinitons/wrapping */
+
+#ifdef TEST_WINAGENT
+void __wrap_decode_win_attributes(char *str, unsigned int attrs) {
+    check_expected(str);
+    check_expected(attrs);
+}
+#endif
+
+static int setup_fim_data(void **state) {
+    fim_data_t *fim_data = calloc(1, sizeof(fim_data_t));
+
+    test_mode = 0;
+
+    if(fim_data == NULL)
+        return -1;
+
+    if (fim_data->evt_data = calloc(1, sizeof(event_data_t)), fim_data->evt_data == NULL)
+        return -1;
+
+    if(fim_data->w_evt = calloc(1, sizeof(whodata_evt)), fim_data->w_evt == NULL)
+        return -1;
+
+    if(fim_data->new_data = calloc(1, sizeof(fim_file_data)), fim_data->new_data == NULL)
+        return -1;
+
+    if(fim_data->old_data = calloc(1, sizeof(fim_file_data)), fim_data->old_data == NULL)
+        return -1;
+
+    // Setup mock whodata event
+    fim_data->w_evt->user_id = strdup("100");
+    fim_data->w_evt->user_name = strdup("test");
+    fim_data->w_evt->process_name = strdup("test_proc");
+    fim_data->w_evt->path = strdup("./test/test.file");
+#ifndef TEST_WINAGENT
+    fim_data->w_evt->group_id = strdup("1000");
+    fim_data->w_evt->group_name = strdup("testing");
+    fim_data->w_evt->audit_uid = strdup("99");
+    fim_data->w_evt->audit_name = strdup("audit_user");
+    fim_data->w_evt->effective_uid = strdup("999");
+    fim_data->w_evt->effective_name = strdup("effective_user");
+    fim_data->w_evt->inode = strdup("606060");
+    fim_data->w_evt->dev = strdup("12345678");
+    fim_data->w_evt->parent_name = strdup("parent_name");
+    fim_data->w_evt->parent_cwd = strdup("parent_cwd");
+    fim_data->w_evt->ppid = 1000;
+    fim_data->w_evt->cwd = strdup("process_cwd");
+#endif
+    fim_data->w_evt->process_id = 1001;
+
+    // Setup mock old fim_entry
+    fim_data->old_data->size = 1500;
+    fim_data->old_data->perm = strdup("0664");
+#ifdef TEST_WINAGENT
+    fim_data->old_data->perm_json = cJSON_CreateObject();
+#endif
+    fim_data->old_data->attributes = strdup("r--r--r--");
+    fim_data->old_data->uid = strdup("100");
+    fim_data->old_data->gid = strdup("1000");
+    fim_data->old_data->user_name = strdup("test");
+    fim_data->old_data->group_name = strdup("testing");
+    fim_data->old_data->mtime = 1570184223;
+    fim_data->old_data->inode = 606060;
+    strcpy(fim_data->old_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->old_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->old_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->old_data->mode = FIM_REALTIME;
+    fim_data->old_data->last_event = 1570184220;
+    fim_data->old_data->dev = 12345678;
+    fim_data->old_data->scanned = 123456;
+    fim_data->old_data->options = 511;
+    strcpy(fim_data->old_data->checksum, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    // Setup mock new fim_entry
+    fim_data->new_data->size = 1501;
+    fim_data->new_data->perm = strdup("0666");
+#ifdef TEST_WINAGENT
+    fim_data->new_data->perm_json = create_win_permissions_object();
+#endif
+    fim_data->new_data->attributes = strdup("rw-rw-rw-");
+    fim_data->new_data->uid = strdup("101");
+    fim_data->new_data->gid = strdup("1001");
+    fim_data->new_data->user_name = strdup("test1");
+    fim_data->new_data->group_name = strdup("testing1");
+    fim_data->new_data->mtime = 1570184224;
+    fim_data->new_data->inode = 1152921500312810880;
+    strcpy(fim_data->new_data->hash_md5, "3691689a513ace7e508297b583d7550d");
+    strcpy(fim_data->new_data->hash_sha1, "07f05add1049244e7e75ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->new_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e9959643c6262667b61fbe57694df224d40");
+    fim_data->new_data->mode = FIM_REALTIME;
+    fim_data->new_data->last_event = 1570184221;
+    fim_data->new_data->dev = 12345678;
+    fim_data->new_data->scanned = 123456;
+    fim_data->new_data->options = 511;
+    strcpy(fim_data->new_data->checksum, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+
+    fim_data->json = NULL;
+
+    *state = fim_data;
+
+    return 0;
+}
+
+static int teardown_fim_data(void **state) {
+    fim_data_t *fim_data = *state;
+
+    free(fim_data->evt_data);
+    free_whodata_event(fim_data->w_evt);
+    free_file_data(fim_data->new_data);
+    free_file_data(fim_data->old_data);
+    free(fim_data);
+
+    return 0;
+}
+
+static int setup_group(void **state) {
+    if(setup_fim_data(state) != 0)
+        return -1;
+
+    test_mode = 0;
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    // Read and setup global values.
+    Read_Syscheck_Config("test_syscheck.conf");
+
+    syscheck.rt_delay = 1;
+    syscheck.max_depth = 256;
+    syscheck.file_max_size = 1024;
+
+    test_mode = 1;
+
+    removed_entries = OSList_Create();
+    if (removed_entries == NULL) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        return -1;
+    }
+    OSList_SetFreeDataPointer(removed_entries, (void (*)(void *))free_directory);
+
+#ifdef TEST_WINAGENT
+    char *path = "C:\\a\\random\\path";
+#else
+    char *path = "/a/random/path";
+#endif
+    directory_t *directory0 = fim_create_directory(path, WHODATA_ACTIVE, NULL, 512, NULL, 1024, 1);
+
+    OSList_InsertData(removed_entries, NULL, directory0);
+
+    return 0;
+}
+
+static int setup_wildcards(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    // Wildcards list
+    syscheck.wildcards = OSList_Create();
+    if (syscheck.wildcards == NULL) {
+        return -1;
+    }
+    OSList_SetFreeDataPointer(syscheck.wildcards, (void (*)(void *))free_directory);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_realpath, path, "/testdir?");
+    will_return(__wrap_realpath, NULL);
+    expect_string(__wrap_realpath, path, "/*/path");
+    will_return(__wrap_realpath, NULL);
+
+    char buffer1[20] = "/testdir?";
+    char buffer2[20] = "/*/path";
+    int options = WHODATA_ACTIVE | CHECK_FOLLOW;
+#else
+    char buffer1[20] = "c:\\testdir?";
+    char buffer2[20] = "c:\\*\\path";
+    int options = WHODATA_ACTIVE;
+#endif
+
+    directory_t *wildcard0 = fim_create_directory(buffer1, options, NULL, 512,
+                                                  NULL, -1, 1);
+
+    directory_t *wildcard1 = fim_create_directory(buffer2, options, NULL, 512,
+                                                  NULL, -1, 1);
+
+    OSList_InsertData(syscheck.wildcards, NULL, wildcard0);
+    OSList_InsertData(syscheck.wildcards, NULL, wildcard1);
+
+    // Directories list
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int setup_root_group(void **state) {
+    if(setup_fim_data(state) != 0)
+        return -1;
+
+    test_mode = 0;
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    // Read and setup global values.
+    Read_Syscheck_Config("test_syscheck_top_level.conf");
+
+    syscheck.rt_delay = 1;
+    syscheck.max_depth = 256;
+    syscheck.file_max_size = 1024;
+
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if(teardown_fim_data(state) != 0)
+        return -1;
+
+    Free_Syscheck(&syscheck);
+
+    syscheck.audit_key = NULL;
+
+#ifdef TEST_WINAGENT
+    syscheck.key_ignore = NULL;
+    syscheck.key_ignore_regex = NULL;
+#endif
+
+    return 0;
+}
+
+static int teardown_wildcards(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (syscheck.wildcards) {
+        OSList_SetFreeDataPointer(syscheck.wildcards, (void (*)(void *))free_directory);
+        OSList_Destroy(syscheck.wildcards);
+        syscheck.wildcards = NULL;
+    }
+
+    if (syscheck.directories) {
+        OSList_SetFreeDataPointer(syscheck.directories, (void (*)(void *))free_directory);
+        OSList_Destroy(syscheck.directories);
+        syscheck.directories = NULL;
+    }
+
+    return 0;
+}
+
+static int teardown_delete_json(void **state) {
+    fim_data_t *fim_data = *state;
+    cJSON_Delete(fim_data->json);
+    return 0;
+}
+
+static int setup_fim_entry(void **state) {
+    fim_data_t *fim_data = *state;
+
+    if(fim_data->fentry = calloc(1, sizeof(fim_entry)), fim_data->fentry == NULL)
+        return -1;
+
+    fim_data->fentry->type = FIM_TYPE_FILE;
+
+    if(fim_data->local_data = calloc(1, sizeof(fim_file_data)), fim_data->local_data == NULL)
+        return -1;
+
+    fim_data->fentry->file_entry.path = NULL;
+
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    return 0;
+}
+
+static int teardown_fim_entry(void **state) {
+    fim_data_t *fim_data = *state;
+    if(fim_data->fentry != NULL) {
+        if (fim_data->fentry->file_entry.path != NULL) {
+                free(fim_data->fentry->file_entry.path);
+        }
+        free(fim_data->fentry);
+    }
+    if (fim_data != NULL) {
+        free(fim_data->local_data->perm);
+        free(fim_data->local_data->uid);
+        free(fim_data->local_data->gid);
+        free(fim_data->local_data->attributes);
+        free(fim_data->local_data->user_name);
+        free(fim_data->local_data->group_name);
+        free(fim_data->local_data);
+    }
+    return 0;
+}
+
+static int teardown_local_data(void **state) {
+    fim_data_t *fim_data = *state;
+
+    free_file_data(fim_data->local_data);
+    return 0;
+}
+
+static int setup_struct_dirent(void **state) {
+    fim_data_t *fim_data = *state;
+
+    if(fim_data->entry = calloc(1, sizeof(struct dirent)), fim_data->entry == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int teardown_struct_dirent(void **state) {
+    fim_data_t *fim_data = *state;
+
+    free(fim_data->entry);
+
+    return 0;
+}
+
+static int setup_file_limit(void **state) {
+    syscheck.file_limit_enabled = false;
+    syscheck.file_entry_limit = 0;
+#ifdef TEST_WINAGENT
+    syscheck.registry_limit_enabled = false;
+    syscheck.db_entry_registry_limit = 0;
+#endif
+    return 0;
+}
+
+static int teardown_file_limit(void **state) {
+    syscheck.file_limit_enabled = true;
+    syscheck.file_entry_limit = 50000;
+#ifdef TEST_WINAGENT
+    syscheck.registry_limit_enabled = true;
+    syscheck.db_entry_registry_limit = 100000;
+#endif
+    return 0;
+}
+
+static int setup_fim_double_scan(void **state) {
+    activate_full_db = true;
+    struct dirent *dirent_st = calloc(1, sizeof(struct dirent));
+    syscheck.database = calloc (1, sizeof(fdb_t));
+
+    if (!dirent_st || !syscheck.database ) {
+        return -1;
+    }
+
+    strcpy(dirent_st->d_name, "test_file");
+
+#ifndef TEST_WINAGENT
+    dirent_st->d_type = DT_REG;
+    dirent_st->d_ino = 1;
+#else
+    dirent_st->d_ino = 0;
+    dirent_st->d_reclen = 0;
+    dirent_st->d_namlen = 9;
+#endif
+    *state = dirent_st;
+
+    return 0;
+}
+
+static int teardown_fim_double_scan(void **state) {
+    struct dirent *sd = state[0];
+    free(sd);
+    free(syscheck.database);
+    syscheck.database = NULL;
+    sd = NULL;
+    activate_full_db = false;
+
+#ifdef TEST_WINAGENT
+    char *file = state[1];
+    free(file);
+#endif
+
+    return 0;
+}
+
+static int setup_fim_not_double_scan(void **state) {
+    syscheck.database = calloc (1, sizeof(fdb_t));
+
+    if(!syscheck.database ) {
+        return -1;
+    }
+    syscheck.database->full = true;
+    return 0;
+}
+
+static int teardown_fim_not_double_scan(void **state) {
+    free(syscheck.database);
+    syscheck.database = NULL;
+    return 0;
+}
+
+#ifndef TEST_WINAGENT
+static int setup_fim_scan_realtime(void **state) {
+
+    syscheck.database = calloc (1, sizeof(fdb_t));
+
+    if (!syscheck.database) {
+        return -1;
+    }
+
+    syscheck.database->full = true;
+    return 0;
+}
+
+static int teardown_fim_scan_realtime(void **state) {
+    os_free(syscheck.database);
+
+    syscheck.realtime = NULL; // Used with local variables in some tests
+
+    return 0;
+}
+
+#endif
+
+static int setup_transaction_callback(void **state) {
+    txn_data_t *txn_data = calloc(1, sizeof(txn_data_t));
+
+    if (txn_data == NULL) {
+        return 1;
+    }
+
+    txn_data->txn_context = calloc(1, sizeof(fim_txn_context_t));
+    if (txn_data->txn_context == NULL) {
+        return 1;
+    }
+    txn_data->txn_context->evt_data = calloc(1, sizeof(event_data_t));
+    txn_data->txn_context->evt_data->report_event = true;
+    txn_data->txn_context->evt_data->mode = FIM_SCHEDULED;
+    txn_data->txn_context->evt_data->type = FIM_DELETE;
+
+    *state = txn_data;
+    return 0;
+}
+
+static int teardown_transaction_callback(void **state) {
+    txn_data_t *txn_data = (txn_data_t *) *state;
+    cJSON_Delete (txn_data->dbsync_event);
+
+    if (txn_data->diff != NULL) {
+        free(txn_data->diff);
+    }
+
+    if (txn_data->txn_context != NULL) {
+        if (txn_data->txn_context->evt_data != NULL) {
+            free(txn_data->txn_context->evt_data);
+        }
+        free(txn_data->txn_context);
+    }
+
+    free(txn_data);
+    return 0;
+}
+
+static int setup_json_event_attributes(void **state) {
+    json_struct_t *data = calloc(1, sizeof(json_struct_t));
+    if (data == NULL) {
+        return 1;
+    }
+
+    *state = data;
+    return 0;
+}
+
+static int teardown_json_event_attributes(void **state) {
+    json_struct_t *data = *state;
+
+    cJSON_Delete(data->json1);
+    cJSON_Delete(data->json2);
+
+    free(data);
+
+    return 0;
+}
+
+/* Auxiliar functions */
+void expect_get_data (char *user, char *group, char *file_path, int calculate_checksums) {
+#ifndef TEST_WINAGENT
+    expect_get_user(0, user);
+    expect_get_group(0, group);
+#else
+    cJSON *perms = cJSON_CreateObject();
+
+    expect_get_file_user(file_path, "0", user);
+    expect_w_get_file_permissions(file_path, perms, 0);
+
+    expect_value(__wrap_decode_win_acl_json, perms, perms);
+
+    expect_string(__wrap_get_UTC_modification_time, file_path, file_path);
+    will_return(__wrap_get_UTC_modification_time, 123456);
+#endif
+    if (calculate_checksums) {
+        expect_OS_MD5_SHA1_SHA256_File_call(file_path,
+                                            syscheck.prefilter_cmd,
+                                            "d41d8cd98f00b204e9800998ecf8427e",
+                                            "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+                                            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                                            OS_BINARY,
+                                            0x400,
+                                            0);
+    }
+}
+
+/* tests */
+static void test_fim_json_event(void **state) {
+    fim_data_t *fim_data = *state;
+    fim_entry entry = { .file_entry.path = "test.file", .file_entry.data = fim_data->new_data };
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .type = FIM_MODIFICATION };
+    directory_t configuration = { .tag = "tag1,tag2" };
+
+    fim_data->json = fim_json_event(&entry, fim_data->old_data, &configuration, &evt_data, NULL);
+
+    assert_non_null(fim_data->json);
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "event");
+    cJSON *data = cJSON_GetObjectItem(fim_data->json, "data");
+    assert_non_null(data);
+    cJSON *path = cJSON_GetObjectItem(data, "path");
+    assert_string_equal(cJSON_GetStringValue(path), "test.file");
+    cJSON *mode = cJSON_GetObjectItem(data, "mode");
+    assert_string_equal(cJSON_GetStringValue(mode), "realtime");
+    cJSON *data_type = cJSON_GetObjectItem(data, "type");
+    assert_string_equal(cJSON_GetStringValue(data_type), "modified");
+    cJSON *timestamp = cJSON_GetObjectItem(data, "timestamp");
+    assert_non_null(timestamp);
+    assert_int_equal(timestamp->valueint, 1570184221);
+    cJSON *tags = cJSON_GetObjectItem(data, "tags");
+    assert_string_equal(cJSON_GetStringValue(tags), "tag1,tag2");
+#ifndef TEST_WINAGENT
+    cJSON *hard_links = cJSON_GetObjectItem(data, "hard_links");
+    assert_null(hard_links);
+#endif
+    cJSON *attributes = cJSON_GetObjectItem(data, "attributes");
+    assert_non_null(attributes);
+    cJSON *changed_attributes = cJSON_GetObjectItem(data, "changed_attributes");
+    assert_non_null(changed_attributes);
+    cJSON *old_attributes = cJSON_GetObjectItem(data, "old_attributes");
+    assert_non_null(old_attributes);
+
+#ifdef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(changed_attributes), 10);
+#else
+    assert_int_equal(cJSON_GetArraySize(changed_attributes), 11);
+#endif
+    assert_int_equal(cJSON_GetArraySize(attributes), 13);
+    assert_int_equal(cJSON_GetArraySize(old_attributes), 13);
+
+}
+
+
+static void test_fim_json_event_whodata(void **state) {
+    fim_data_t *fim_data = *state;
+    fim_entry entry = { .file_entry.path = "test.file", .file_entry.data = fim_data->new_data };
+    event_data_t evt_data = {
+        .mode = FIM_WHODATA, .w_evt = fim_data->w_evt, .report_event = true, .type = FIM_MODIFICATION
+    };
+    directory_t configuration = { .tag = "tag1,tag2" };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options |= CHECK_SEECHANGES;
+
+    fim_data->json = fim_json_event(&entry, fim_data->old_data, &configuration, &evt_data, "diff");
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options &= ~CHECK_SEECHANGES;
+
+    assert_non_null(fim_data->json);
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "event");
+    cJSON *data = cJSON_GetObjectItem(fim_data->json, "data");
+    assert_non_null(data);
+    cJSON *path = cJSON_GetObjectItem(data, "path");
+    assert_string_equal(cJSON_GetStringValue(path), "test.file");
+    cJSON *mode = cJSON_GetObjectItem(data, "mode");
+    assert_string_equal(cJSON_GetStringValue(mode), "whodata");
+    cJSON *data_type = cJSON_GetObjectItem(data, "type");
+    assert_string_equal(cJSON_GetStringValue(data_type), "modified");
+    cJSON *timestamp = cJSON_GetObjectItem(data, "timestamp");
+    assert_non_null(timestamp);
+    assert_int_equal(timestamp->valueint, 1570184221);
+    cJSON *tags = cJSON_GetObjectItem(data, "tags");
+    assert_string_equal(cJSON_GetStringValue(tags), "tag1,tag2");
+#ifndef TEST_WINAGENT
+    cJSON *hard_links = cJSON_GetObjectItem(data, "hard_links");
+    assert_null(hard_links);
+#endif
+    cJSON *audit = cJSON_GetObjectItem(data, "audit");
+    assert_non_null(audit);
+#ifdef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(audit), 4);
+#else
+    assert_int_equal(cJSON_GetArraySize(audit), 14);
+#endif
+    cJSON *diff = cJSON_GetObjectItem(data, "content_changes");
+    assert_string_equal(cJSON_GetStringValue(diff), "diff");
+}
+
+
+static void test_fim_json_event_no_changes(void **state) {
+    fim_data_t *fim_data = *state;
+    fim_entry entry = { .file_entry.path = "test.file", .file_entry.data = fim_data->new_data };
+    event_data_t evt_data = {
+        .mode = FIM_WHODATA, .w_evt = fim_data->w_evt, .report_event = true, .type = FIM_MODIFICATION
+    };
+    directory_t configuration = { .tag = "tag1,tag2" };
+
+    fim_data->json = fim_json_event(&entry, fim_data->new_data, &configuration, &evt_data, NULL);
+
+    assert_null(fim_data->json);
+}
+
+static void test_fim_json_event_hardlink_one_path(void **state) {
+    fim_data_t *fim_data = *state;
+    fim_entry entry = { .file_entry.path = "test.file", .file_entry.data = fim_data->new_data };
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .type = FIM_MODIFICATION };
+    directory_t configuration = { .tag = NULL };
+
+    fim_data->json = fim_json_event(&entry, fim_data->old_data, &configuration, &evt_data, NULL);
+
+    assert_non_null(fim_data->json);
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "event");
+    cJSON *data = cJSON_GetObjectItem(fim_data->json, "data");
+    assert_non_null(data);
+    cJSON *path = cJSON_GetObjectItem(data, "path");
+    assert_string_equal(cJSON_GetStringValue(path), "test.file");
+    cJSON *mode = cJSON_GetObjectItem(data, "mode");
+    assert_string_equal(cJSON_GetStringValue(mode), "realtime");
+    cJSON *data_type = cJSON_GetObjectItem(data, "type");
+    assert_string_equal(cJSON_GetStringValue(data_type), "modified");
+    cJSON *timestamp = cJSON_GetObjectItem(data, "timestamp");
+    assert_non_null(timestamp);
+    assert_int_equal(timestamp->valueint, 1570184221);
+    cJSON *tags = cJSON_GetObjectItem(data, "tags");
+    assert_null(tags);
+#ifndef TEST_WINAGENT
+    cJSON *hard_links = cJSON_GetObjectItem(data, "hard_links");
+    assert_null(hard_links);
+#endif
+    cJSON *attributes = cJSON_GetObjectItem(data, "attributes");
+    assert_non_null(attributes);
+    cJSON *changed_attributes = cJSON_GetObjectItem(data, "changed_attributes");
+    assert_non_null(changed_attributes);
+    cJSON *old_attributes = cJSON_GetObjectItem(data, "old_attributes");
+    assert_non_null(old_attributes);
+
+#ifndef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(changed_attributes), 11);
+#else
+    assert_int_equal(cJSON_GetArraySize(changed_attributes), 10);
+#endif
+    assert_int_equal(cJSON_GetArraySize(attributes), 13);
+    assert_int_equal(cJSON_GetArraySize(old_attributes), 13);
+}
+
+static void test_fim_attributes_json(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->json = fim_attributes_json(fim_data->old_data);
+
+    assert_non_null(fim_data->json);
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 13);
+
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "file");
+    cJSON *size = cJSON_GetObjectItem(fim_data->json, "size");
+    assert_non_null(size);
+    assert_int_equal(size->valueint, 1500);
+    cJSON *perm = cJSON_GetObjectItem(fim_data->json, "perm");
+#ifndef TEST_WINAGENT
+    assert_string_equal(cJSON_GetStringValue(perm), "0664");
+#else
+    assert_non_null(perm);
+#endif
+    cJSON *uid = cJSON_GetObjectItem(fim_data->json, "uid");
+    assert_string_equal(cJSON_GetStringValue(uid), "100");
+    cJSON *gid = cJSON_GetObjectItem(fim_data->json, "gid");
+    assert_string_equal(cJSON_GetStringValue(gid), "1000");
+    cJSON *user_name = cJSON_GetObjectItem(fim_data->json, "user_name");
+    assert_string_equal(cJSON_GetStringValue(user_name), "test");
+    cJSON *group_name = cJSON_GetObjectItem(fim_data->json, "group_name");
+    assert_string_equal(cJSON_GetStringValue(group_name), "testing");
+    cJSON *inode = cJSON_GetObjectItem(fim_data->json, "inode");
+    assert_non_null(inode);
+    assert_int_equal(inode->valueint, 606060);
+    cJSON *mtime = cJSON_GetObjectItem(fim_data->json, "mtime");
+    assert_non_null(mtime);
+    assert_int_equal(mtime->valueint, 1570184223);
+    cJSON *hash_md5 = cJSON_GetObjectItem(fim_data->json, "hash_md5");
+    assert_string_equal(cJSON_GetStringValue(hash_md5), "3691689a513ace7e508297b583d7050d");
+    cJSON *hash_sha1 = cJSON_GetObjectItem(fim_data->json, "hash_sha1");
+    assert_string_equal(cJSON_GetStringValue(hash_sha1), "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    cJSON *hash_sha256 = cJSON_GetObjectItem(fim_data->json, "hash_sha256");
+    assert_string_equal(cJSON_GetStringValue(hash_sha256), "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    cJSON *checksum = cJSON_GetObjectItem(fim_data->json, "checksum");
+    assert_string_equal(cJSON_GetStringValue(checksum), "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_fim_attributes_json_without_options(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->old_data->options = 0;
+
+    fim_data->json = fim_attributes_json(fim_data->old_data);
+
+    fim_data->old_data->options = 511;
+
+    assert_non_null(fim_data->json);
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 4);
+
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "file");
+    cJSON *user_name = cJSON_GetObjectItem(fim_data->json, "user_name");
+    assert_string_equal(cJSON_GetStringValue(user_name), "test");
+    cJSON *group_name = cJSON_GetObjectItem(fim_data->json, "group_name");
+    assert_string_equal(cJSON_GetStringValue(group_name), "testing");
+    cJSON *checksum = cJSON_GetObjectItem(fim_data->json, "checksum");
+    assert_string_equal(cJSON_GetStringValue(checksum), "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+}
+
+static void test_fim_json_compare_attrs(void **state) {
+    fim_data_t *fim_data = *state;
+    int i = 0;
+
+    fim_data->json = fim_json_compare_attrs(
+        fim_data->old_data,
+        fim_data->new_data
+    );
+
+    assert_non_null(fim_data->json);
+#ifdef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 10);
+#else
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 11);
+#endif
+
+    cJSON *size = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(size), "size");
+    cJSON *permission = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(permission), "permission");
+    cJSON *uid = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(uid), "uid");
+    cJSON *user_name = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(user_name), "user_name");
+    cJSON *gid = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(gid), "gid");
+    cJSON *group_name = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(group_name), "group_name");
+    cJSON *mtime = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(mtime), "mtime");
+#ifndef TEST_WINAGENT
+    cJSON *inode = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(inode), "inode");
+#endif
+    cJSON *md5 = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(md5), "md5");
+    cJSON *sha1 = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(sha1), "sha1");
+    cJSON *sha256 = cJSON_GetArrayItem(fim_data->json, i++);
+    assert_string_equal(cJSON_GetStringValue(sha256), "sha256");
+
+}
+
+static void test_fim_json_compare_attrs_without_options(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->old_data->options = 0;
+
+    fim_data->json = fim_json_compare_attrs(
+        fim_data->old_data,
+        fim_data->new_data
+    );
+
+    fim_data->old_data->options = 511;
+
+    assert_non_null(fim_data->json);
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 0);
+
+}
+
+
+static void test_fim_audit_json(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->json = fim_audit_json(fim_data->w_evt);
+
+    assert_non_null(fim_data->json);
+#ifdef TEST_WINAGENT
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 4);
+#else
+    assert_int_equal(cJSON_GetArraySize(fim_data->json), 14);
+#endif
+
+    cJSON *user_id = cJSON_GetObjectItem(fim_data->json, "user_id");
+    assert_string_equal(cJSON_GetStringValue(user_id), "100");
+    cJSON *user_name = cJSON_GetObjectItem(fim_data->json, "user_name");
+    assert_string_equal(cJSON_GetStringValue(user_name), "test");
+    cJSON *process_name = cJSON_GetObjectItem(fim_data->json, "process_name");
+    assert_string_equal(cJSON_GetStringValue(process_name), "test_proc");
+    cJSON *process_id = cJSON_GetObjectItem(fim_data->json, "process_id");
+    assert_non_null(process_id);
+    assert_int_equal(process_id->valueint, 1001);
+
+#ifndef TEST_WINAGENT
+    cJSON *cwd = cJSON_GetObjectItem(fim_data->json, "cwd");
+    assert_string_equal(cJSON_GetStringValue(cwd), "process_cwd");
+    cJSON *group_id = cJSON_GetObjectItem(fim_data->json, "group_id");
+    assert_string_equal(cJSON_GetStringValue(group_id), "1000");
+    cJSON *group_name = cJSON_GetObjectItem(fim_data->json, "group_name");
+    assert_string_equal(cJSON_GetStringValue(group_name), "testing");
+    cJSON *audit_uid = cJSON_GetObjectItem(fim_data->json, "audit_uid");
+    assert_string_equal(cJSON_GetStringValue(audit_uid), "99");
+    cJSON *audit_name = cJSON_GetObjectItem(fim_data->json, "audit_name");
+    assert_string_equal(cJSON_GetStringValue(audit_name), "audit_user");
+    cJSON *effective_uid = cJSON_GetObjectItem(fim_data->json, "effective_uid");
+    assert_string_equal(cJSON_GetStringValue(effective_uid), "999");
+    cJSON *effective_name = cJSON_GetObjectItem(fim_data->json, "effective_name");
+    assert_string_equal(cJSON_GetStringValue(effective_name), "effective_user");
+    cJSON *ppid = cJSON_GetObjectItem(fim_data->json, "ppid");
+    assert_non_null(ppid);
+    assert_int_equal(ppid->valueint, 1000);
+    cJSON *parent_cwd = cJSON_GetObjectItem(fim_data->json, "parent_cwd");
+    assert_string_equal(cJSON_GetStringValue(parent_cwd), "parent_cwd");
+    cJSON *parent_name = cJSON_GetObjectItem(fim_data->json, "parent_name");
+    assert_string_equal(cJSON_GetStringValue(parent_name), "parent_name");
+#endif
+}
+
+#ifndef TEST_WINAGENT
+static void test_fim_check_ignore_strncasecmp(void **state) {
+    int ret;
+    char debug_msg[OS_MAXSTR];
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_ENTRY, "/EtC/dumPDateS", "/etc/dumpdates");
+
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    ret = fim_check_ignore("/EtC/dumPDateS");
+
+    assert_int_equal(ret, 1);
+}
+#else
+static void test_fim_check_ignore_strncasecmp(void **state) {
+    int ret;
+    char *path = "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeskTop.ini";
+    char expanded_path[OS_MAXSTR];
+    char debug_msg[OS_MAXSTR];
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_ENTRY, expanded_path, syscheck.ignore[0]);
+
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+
+    ret = fim_check_ignore(expanded_path);
+
+    assert_int_equal(ret, 1);
+}
+#endif
+
+static void test_fim_check_ignore_regex(void **state) {
+    int ret;
+    char debug_msg[OS_MAXSTR];
+
+
+#ifndef TEST_WINAGENT
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_SREGEX, "/test/files/test.swp", ".log$|.swp$");
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+#else
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_SREGEX, "/test/files/test.swp", ".log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$|.swp$");
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+#endif
+
+    ret = fim_check_ignore("/test/files/test.swp");
+
+    assert_int_equal(ret, 1);
+}
+
+
+static void test_fim_check_ignore_failure(void **state) {
+   int ret;
+
+    ret = fim_check_ignore("/test/files/test.sp");
+
+    assert_int_equal(ret, 0);
+}
+
+
+static void test_fim_check_restrict_success(void **state) {
+   int ret;
+
+    OSMatch *restriction;
+    restriction = calloc(1, sizeof(OSMatch));
+    OSMatch_Compile("test$", restriction, 0);
+
+    ret = fim_check_restrict("my_test", restriction);
+    OSMatch_FreePattern(restriction);
+    free(restriction);
+
+    assert_int_equal(ret, 0);
+}
+
+
+static void test_fim_check_restrict_failure(void **state) {
+   int ret;
+
+    OSMatch *restriction;
+    restriction = calloc(1, sizeof(OSMatch));
+    OSMatch_Compile("test$", restriction, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6203): Ignoring entry 'my_test_' due to restriction 'test$'");
+
+    ret = fim_check_restrict("my_test_", restriction);
+    OSMatch_FreePattern(restriction);
+    free(restriction);
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_fim_check_restrict_null_filename(void **state) {
+   int ret;
+
+    OSMatch *restriction;
+    restriction = calloc(1, sizeof(OSMatch));
+    OSMatch_Compile("test$", restriction, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1105): Attempted to use null string.");
+
+    ret = fim_check_restrict(NULL, restriction);
+    OSMatch_FreePattern(restriction);
+    free(restriction);
+
+    assert_int_equal(ret, 1);
+}
+
+static void test_fim_check_restrict_null_restriction(void **state) {
+   int ret;
+
+    ret = fim_check_restrict("my_test", NULL);
+
+    assert_int_equal(ret, 0);
+}
+
+
+static void test_fim_scan_info_json_start(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->json = fim_scan_info_json(FIM_SCAN_START, 1570184220);
+
+    assert_non_null(fim_data->json);
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(type->valuestring, "scan_start");
+    cJSON *data = cJSON_GetObjectItem(fim_data->json, "data");
+    assert_non_null(data);
+    cJSON *timestamp = cJSON_GetObjectItem(data, "timestamp");
+    assert_non_null(timestamp);
+    assert_int_equal(timestamp->valueint, 1570184220);
+}
+
+
+static void test_fim_scan_info_json_end(void **state) {
+    fim_data_t *fim_data = *state;
+
+    fim_data->json = fim_scan_info_json(FIM_SCAN_END, 1570184220);
+
+    assert_non_null(fim_data->json);
+    cJSON *type = cJSON_GetObjectItem(fim_data->json, "type");
+    assert_string_equal(type->valuestring, "scan_end");
+    cJSON *data = cJSON_GetObjectItem(fim_data->json, "data");
+    assert_non_null(data);
+    cJSON *timestamp = cJSON_GetObjectItem(data, "timestamp");
+    assert_non_null(timestamp);
+    assert_int_equal(timestamp->valueint, 1570184220);
+}
+
+
+static void test_fim_get_checksum(void **state) {
+    fim_entry entry = {.file_entry.path = "/media/test", .file_entry.data=&DEFAULT_FILE_DATA};
+
+    fim_get_checksum(entry.file_entry.data);
+#ifdef TEST_WINAGENT
+    assert_string_equal(entry.file_entry.data->checksum, "6ec831114b5d930f19a90d7c34996e0fce4e7b84");
+#else
+    assert_string_equal(entry.file_entry.data->checksum, "98e039efc1b8490965e7e1247a9dc31cf7379051");
+#endif
+}
+
+
+static void test_fim_get_checksum_wrong_size(void **state) {
+    fim_data_t *fim_data = *state;
+    fim_data->local_data = calloc(1, sizeof(fim_file_data));
+
+    fim_data->local_data->size = -1;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    fim_get_checksum(fim_data->local_data);
+    assert_string_equal(fim_data->local_data->checksum, "551cab7f774d4633a3be09207b4cdea1db03b9c0");
+}
+
+static void test_fim_check_depth_success(void **state) {
+#ifndef TEST_WINAGENT
+    char * path = "/usr/bin/folder1/folder2/folder3/file";
+    directory_t configuration = { .path = "/usr/bin", .recursion_level = 4 };
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#else
+
+    char *aux_path = "c:\\windows\\System32\\wbem\\folder1\\folder2\\folder3\\path.exe";
+    directory_t configuration = { .path = "c:\\windows\\System32\\wbem", .recursion_level = 4 };
+    char path[OS_MAXSTR];
+
+    if(!ExpandEnvironmentStrings(aux_path, path, OS_MAXSTR))
+        fail();
+#endif
+    int ret;
+
+    ret = fim_check_depth(path, &configuration);
+
+    assert_int_equal(ret, 3);
+}
+
+
+static void test_fim_check_depth_failure_strlen(void **state) {
+    char * path = "fl/fd";
+    directory_t configuration = { .path = "/usr/bin", .recursion_level = 4 };
+    int ret;
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    ret = fim_check_depth(path, &configuration);
+
+    assert_int_equal(ret, -1);
+
+}
+
+static void test_fim_check_depth_failure_null_directory(void **state) {
+    char * path = "/usr/bin";
+    directory_t configuration = { .path = "/usr/bin", .recursion_level = 6 };
+    int ret;
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    ret = fim_check_depth(path, &configuration);
+
+    assert_int_equal(ret, -1);
+
+}
+
+static void test_fim_configuration_directory_no_path(void **state) {
+    directory_t *ret;
+
+    ret = fim_configuration_directory(NULL);
+
+    assert_null(ret);
+}
+
+
+#ifndef TEST_WINAGENT
+static void test_fim_configuration_directory_file(void **state) {
+    directory_t *ret;
+
+    const char * path = "/media";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    ret = fim_configuration_directory(path);
+
+    assert_non_null(ret);
+    assert_ptr_equal(ret, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3)));
+}
+#else
+static void test_fim_configuration_directory_file(void **state) {
+    char *aux_path = "%WINDIR%\\System32\\drivers\\etc";
+    char path[OS_MAXSTR];
+    directory_t *ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if(!ExpandEnvironmentStrings(aux_path, path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(path);
+
+    ret = fim_configuration_directory(path);
+
+    assert_ptr_equal(ret, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3)));
+}
+#endif
+
+
+static void test_fim_configuration_directory_not_found(void **state) {
+    const char *path = "/invalid";
+    directory_t *ret;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'/invalid'");
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    ret = fim_configuration_directory(path);
+
+    assert_null(ret);
+}
+
+static void test_init_fim_data_entry(void **state) {
+    fim_file_data entry;
+    init_fim_data_entry(&entry);
+
+    assert_int_equal(entry.size, 0);
+    assert_null(entry.perm);
+    assert_null(entry.attributes);
+    assert_null(entry.uid);
+    assert_null(entry.gid);
+    assert_null(entry.user_name);
+    assert_null(entry.group_name);
+    assert_int_equal(entry.mtime, 0);
+    assert_int_equal(entry.inode, 0);
+    assert_int_equal(entry.hash_md5[0], 0);
+    assert_int_equal(entry.hash_sha1[0], 0);
+    assert_int_equal(entry.hash_sha256[0], 0);
+}
+
+static void test_fim_file_add(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .statbuf = DEFAULT_STATBUF };
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MD5SUM |
+                                             CHECK_SHA1SUM | CHECK_MTIME | CHECK_SHA256SUM | CHECK_SEECHANGES };
+#ifdef TEST_WINAGENT
+    char file_path[OS_SIZE_256] = "c:\\windows\\system32\\cmd.exe";
+#else
+    char file_path[OS_SIZE_256] = "/bin/ls";
+#endif
+
+    expect_get_data(strdup("user"), strdup("group"), file_path, 1);
+
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_file(file_path, &configuration, &evt_data, NULL, NULL);
+}
+
+static void test_fim_file_modify_transaction(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = true, .statbuf = DEFAULT_STATBUF };
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MD5SUM |
+                                             CHECK_SHA1SUM | CHECK_SHA256SUM };
+    TXN_HANDLE mock_handle = (TXN_HANDLE)1;
+
+    fim_txn_context_t mock_context = {0};
+
+#ifdef TEST_WINAGENT
+    char file_path[OS_SIZE_256] = "c:\\windows\\system32\\cmd.exe";
+    cJSON *permissions = create_win_permissions_object();
+#else
+    char file_path[OS_SIZE_256] = "/bin/ls";
+#endif
+
+    fim_data->fentry->file_entry.path = strdup("file");
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    // Inside fim_get_data
+#ifndef TEST_WINAGENT
+    expect_get_user(0, strdup("user"));
+
+    expect_get_group(0, strdup("group"));
+#else
+
+    expect_get_file_user(file_path, "0", strdup("user"));
+    expect_w_get_file_permissions(file_path, permissions, 0);
+
+    expect_value(__wrap_decode_win_acl_json, perms, permissions);
+#endif
+
+    expect_OS_MD5_SHA1_SHA256_File_call(file_path, syscheck.prefilter_cmd, "d41d8cd98f00b204e9800998ecf8427e",
+                                        "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+                                        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", OS_BINARY,
+                                        0x400, 0);
+
+    will_return(__wrap_fim_db_transaction_sync_row, FIMDB_OK);
+
+    fim_file(file_path, &configuration, &evt_data, mock_handle, &mock_context);
+}
+
+static void test_fim_file_modify(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .statbuf = DEFAULT_STATBUF };
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MD5SUM |
+                                             CHECK_SHA1SUM | CHECK_SHA256SUM };
+#ifdef TEST_WINAGENT
+    char file_path[OS_SIZE_256] = "c:\\windows\\system32\\cmd.exe";
+    cJSON *permissions = create_win_permissions_object();
+#else
+    char file_path[OS_SIZE_256] = "/bin/ls";
+#endif
+
+    fim_data->fentry->file_entry.path = strdup("file");
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    // Inside fim_get_data
+#ifndef TEST_WINAGENT
+    expect_get_user(0, strdup("user"));
+
+    expect_get_group(0, strdup("group"));
+#else
+
+    expect_get_file_user(file_path, "0", strdup("user"));
+    expect_w_get_file_permissions(file_path, permissions, 0);
+
+    expect_value(__wrap_decode_win_acl_json, perms, permissions);
+#endif
+
+    expect_OS_MD5_SHA1_SHA256_File_call(file_path, syscheck.prefilter_cmd, "d41d8cd98f00b204e9800998ecf8427e",
+                                        "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+                                        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", OS_BINARY,
+                                        0x400, 0);
+
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_file(file_path, &configuration, &evt_data, NULL, NULL);
+}
+
+static void test_fim_file_no_attributes(void **state) {
+    char buffer1[OS_SIZE_256];
+    char buffer2[OS_SIZE_256];
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = true, .statbuf = DEFAULT_STATBUF };
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MD5SUM |
+                                             CHECK_SHA1SUM | CHECK_SHA256SUM };
+#ifdef TEST_WINAGENT
+    char file_path[] = "c:\\windows\\system32\\cmd.exe";
+    cJSON *permissions = create_win_permissions_object();
+#else
+    char file_path[] = "/bin/ls";
+#endif
+
+    // Inside fim_get_data
+#ifndef TEST_WINAGENT
+    expect_get_user(0, strdup("user"));
+    expect_get_group(0, strdup("group"));
+#else
+    expect_get_file_user(file_path, "0", strdup("user"));
+
+    expect_w_get_file_permissions(file_path, permissions, 0);
+
+    expect_value(__wrap_decode_win_acl_json, perms, permissions);
+#endif
+
+    expect_OS_MD5_SHA1_SHA256_File_call(file_path,
+                                        syscheck.prefilter_cmd,
+                                        "d41d8cd98f00b204e9800998ecf8427e",
+                                        "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+                                        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                                        OS_BINARY,
+                                        0x400,
+                                        -1);
+
+    snprintf(buffer1, OS_SIZE_256, FIM_HASHES_FAIL, file_path);
+    snprintf(buffer2, OS_SIZE_256, FIM_GET_ATTRIBUTES, file_path);
+
+    expect_string(__wrap__mdebug1, formatted_msg, buffer1);
+    expect_string(__wrap__mdebug1, formatted_msg, buffer2);
+
+
+    fim_file(file_path, &configuration, &evt_data, NULL, NULL);
+}
+
+static void test_fim_file_error_on_insert(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = true, .statbuf = DEFAULT_STATBUF };
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MD5SUM |
+                                             CHECK_SHA1SUM | CHECK_SHA256SUM };
+#ifdef TEST_WINAGENT
+    char file_path[OS_SIZE_256] = "c:\\windows\\system32\\cmd.exe";
+    cJSON *permissions = create_win_permissions_object();
+#else
+    char file_path[OS_SIZE_256] = "/bin/ls";
+#endif
+
+    fim_data->fentry->file_entry.path = strdup(file_path);
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    // Inside fim_get_data
+#ifndef TEST_WINAGENT
+    expect_get_user(0, strdup("user"));
+    expect_get_group(0, strdup("group"));
+#else
+    expect_get_file_user(file_path, "0", strdup("user"));
+    expect_w_get_file_permissions(file_path, permissions, 0);
+
+    expect_value(__wrap_decode_win_acl_json, perms, permissions);
+#endif
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, fname, file_path);
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, prefilter_cmd, syscheck.prefilter_cmd);
+#else
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, prefilter_cmd, syscheck.prefilter_cmd);
+#endif
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, md5output, "d41d8cd98f00b204e9800998ecf8427e");
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha1output, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha256output, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, mode, OS_BINARY);
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, max_size, 0x400);
+    will_return(__wrap_OS_MD5_SHA1_SHA256_File, 0);
+
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_file(file_path, &configuration, &evt_data, NULL, NULL);
+}
+
+static void test_fim_checker_scheduled_configuration_directory_error(void **state) {
+    char * path = "/not/found/test.file";
+    event_data_t evt_data = { .mode = FIM_SCHEDULED, .w_evt = NULL, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'/not/found/test.file'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_not_scheduled_configuration_directory_error(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/not/found/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'/not/found/test.file'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+#ifndef TEST_WINAGENT
+static void test_fim_checker_over_max_recursion_level(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/media/a/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->recursion_level = 0;
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6217): Maximum level of recursion reached. Depth:1 recursion_level:0 '/media/a/test.file'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->recursion_level = 50;
+}
+
+static void test_fim_checker_deleted_file(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat statbuf = DEFAULT_STATBUF;
+    const char *path = "/media/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+                  "(6222): Stat() function failed on: '/media/test.file' due to [(1)-(Operation not permitted)]");
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, -1);
+
+    errno = 1;
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+
+    errno = 0;
+}
+
+static void test_fim_checker_deleted_file_enoent(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat statbuf = DEFAULT_STATBUF;
+    const char *path = "/media/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->options |= CHECK_SEECHANGES;
+
+    fim_data->fentry->file_entry.path = strdup("/media/test.file");
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, -1);
+    errno = ENOENT;
+
+    expect_fim_db_get_path("/media/test.file", FIMDB_ERR);
+    expect_fim_diff_process_delete_file(path, 0);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+
+    errno = 0;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->options &= ~CHECK_SEECHANGES;
+}
+
+static void test_fim_checker_no_file_system(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat statbuf = DEFAULT_STATBUF;
+    const char *path = "/media/test.file";
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, "/media/test.file");
+    will_return(__wrap_HasFilesystem, -1);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular(void **state) {
+    const char *path = "/media/test.file";
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat statbuf = { .st_mode = S_IFREG,
+                            .st_dev = 1,
+                            .st_ino = 999,
+                            .st_uid = 0,
+                            .st_gid = 0,
+                            .st_mtime = 1433395216,
+                            .st_size = 1500 };
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    // Inside fim_file
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("user"));
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("group"));
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_warning(void **state) {
+    const char *path = "/media/test.file";
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat statbuf = { .st_mode = S_IFREG,
+                            .st_dev = 1,
+                            .st_ino = 999,
+                            .st_uid = 0,
+                            .st_gid = 0,
+                            .st_mtime = 1433395216,
+                            .st_size = 1500 };
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, "/media/test.file");
+    will_return(__wrap_HasFilesystem, 0);
+
+    // Inside fim_file
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("user"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("group"));
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_ignore(void **state) {
+    struct stat statbuf = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_WHODATA, .w_evt = NULL, .report_event = true };
+    const char *path = "/etc/mtab";
+    char debug_msg[OS_MAXSTR];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_ENTRY, path, path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_restrict(void **state) {
+    struct stat statbuf = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/media/test";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6203): Ignoring entry '/media/test' due to restriction 'file$'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_directory(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat directory_stat = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/media/";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    directory_stat.st_mode = S_IFDIR;
+
+    expect_string(__wrap_lstat, filename, "/media/");
+    will_return(__wrap_lstat, &directory_stat);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_lstat, filename, "/media/test");
+    will_return(__wrap_lstat, &directory_stat);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, "/media/");
+    expect_string(__wrap_HasFilesystem, path, "/media/test");
+    will_return_always(__wrap_HasFilesystem, 0);
+
+    expect_string(__wrap_fim_add_inotify_watch, dir, "/media/test");
+    will_return(__wrap_fim_add_inotify_watch, 0);
+    expect_string(__wrap_fim_add_inotify_watch, dir, "/media/");
+    will_return(__wrap_fim_add_inotify_watch, 0);
+
+    strcpy(fim_data->entry->d_name, "test");
+
+    will_return_always(__wrap_opendir, 1);
+    will_return(__wrap_readdir, fim_data->entry);
+    will_return(__wrap_readdir, NULL);
+    will_return(__wrap_readdir, NULL);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_directory_on_max_recursion_level(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat statbuf = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/media";
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    statbuf.st_mode = S_IFDIR;
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->recursion_level = 0;
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    expect_string(__wrap_fim_add_inotify_watch, dir, path);
+    will_return(__wrap_fim_add_inotify_watch, 0);
+
+    will_return(__wrap_opendir, 1);
+    strcpy(fim_data->entry->d_name, "test");
+    will_return(__wrap_readdir, fim_data->entry);
+
+    expect_string(__wrap_lstat, filename, "/media/test");
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, "/media/test");
+    will_return(__wrap_HasFilesystem, 0);
+
+    will_return(__wrap_readdir, NULL);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6347): Directory '/media/test' is already on the max recursion_level (0), it will not be scanned.");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->recursion_level = 50;
+}
+
+static void test_fim_checker_root_ignore_file_under_recursion_level(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/media/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6217): Maximum level of recursion reached. Depth:1 recursion_level:0 '/media/test.file'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_root_file_within_recursion_level(void **state) {
+    struct stat statbuf = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    const char *path = "/test.file";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    statbuf.st_size = 0;
+
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &statbuf);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, path);
+    will_return(__wrap_HasFilesystem, 0);
+    // Inside fim_file
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("user"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("group"));
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_scan_db_full_double_scan(void **state) {
+    struct stat directory_buf = { .st_mode = S_IFDIR };
+    directory_t *dir_it;
+    OSListNode *node_it;
+    TXN_HANDLE mock_handle = NULL;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    // First scan
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        expect_string(__wrap_lstat, filename, dir_it->path);
+        will_return(__wrap_lstat, &directory_buf);
+        will_return(__wrap_lstat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, dir_it->path);
+        will_return(__wrap_HasFilesystem, 0);
+
+        if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+            expect_string(__wrap_fim_add_inotify_watch, dir, dir_it->path);
+            will_return(__wrap_fim_add_inotify_watch, 0);
+        }
+
+        expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+        will_return(__wrap_realtime_adddir, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+
+    expect_wrapper_fim_db_get_count_file_entry(50000);
+    expect_function_call_any(__wrap_fim_db_transaction_deleted_rows);
+
+    // Second scan
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        expect_string(__wrap_lstat, filename, dir_it->path);
+        will_return(__wrap_lstat, &directory_buf);
+        will_return(__wrap_lstat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, dir_it->path);
+        will_return(__wrap_HasFilesystem, 0);
+
+        if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+            expect_string(__wrap_fim_add_inotify_watch, dir, dir_it->path);
+            will_return(__wrap_fim_add_inotify_watch, 0);
+        }
+
+        expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+        will_return(__wrap_realtime_adddir, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+    expect_wrapper_fim_db_get_count_file_entry(50000);
+
+    // fim_check_db_state
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    // fim_send_scan_info
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+}
+
+
+static void test_fim_scan_db_full_not_double_scan(void **state) {
+    struct stat directory_buf = { .st_mode = S_IFDIR };
+    directory_t *dir_it;
+    OSListNode *node_it;
+    TXN_HANDLE mock_handle = NULL;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    // First scan
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        expect_string(__wrap_lstat, filename, dir_it->path);
+        will_return(__wrap_lstat, &directory_buf);
+        will_return(__wrap_lstat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, dir_it->path);
+        will_return(__wrap_HasFilesystem, 0);
+
+        if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+            expect_string(__wrap_fim_add_inotify_watch, dir, dir_it->path);
+            will_return(__wrap_fim_add_inotify_watch, 0);
+        }
+
+        expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+        will_return(__wrap_realtime_adddir, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+
+    expect_wrapper_fim_db_get_count_file_entry(25000);
+    expect_function_call_any(__wrap_fim_db_transaction_deleted_rows);
+    expect_wrapper_fim_db_get_count_file_entry(25000);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+}
+
+static void test_fim_scan_realtime_enabled(void **state) {
+    OSHashNode empty_table = { .key = NULL }, *table = &empty_table;
+    OSHash dirtb = { .elements = 10, .table = &table, .rows = 0 }; // this hash is not reallistic but works for testing
+    rtfim realtime = { .queue_overflow = true, .dirtb = &dirtb };
+    struct stat directory_buf = { .st_mode = S_IFDIR };
+    directory_t *dir_it;
+    OSListNode *node_it;
+    TXN_HANDLE mock_handle = NULL;
+    char debug_buffer[OS_SIZE_128] = {0};
+    int rt_folder = 0;
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+
+    syscheck.realtime = &realtime;
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    // First scan
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        expect_string(__wrap_lstat, filename, dir_it->path);
+        will_return(__wrap_lstat, &directory_buf);
+        will_return(__wrap_lstat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, dir_it->path);
+        will_return(__wrap_HasFilesystem, 0);
+
+        if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+            rt_folder++;
+            expect_string(__wrap_fim_add_inotify_watch, dir, dir_it->path);
+            will_return(__wrap_fim_add_inotify_watch, 0);
+        }
+
+        expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+        will_return(__wrap_realtime_adddir, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+
+    // fim_scan
+    expect_wrapper_fim_db_get_count_file_entry(25000);
+
+    expect_function_call_any(__wrap_fim_db_transaction_deleted_rows);
+
+    // fim_check_db_state
+    expect_wrapper_fim_db_get_count_file_entry(50000);
+    expect_function_call(__wrap_realtime_sanitize_watch_map);
+
+    // fim_check_db_state
+    snprintf(debug_buffer, OS_SIZE_128, FIM_NUM_WATCHES, dirtb.elements);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_buffer);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+
+    assert_int_equal(syscheck.realtime->queue_overflow, false);
+}
+
+static void test_fim_scan_no_limit(void **state) {
+    struct stat directory_buf = { .st_mode = S_IFDIR };
+    directory_t *dir_it;
+    OSListNode *node_it;
+    TXN_HANDLE mock_handle = NULL;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    // First scan
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        expect_string(__wrap_lstat, filename, dir_it->path);
+        will_return(__wrap_lstat, &directory_buf);
+        will_return(__wrap_lstat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, dir_it->path);
+        will_return(__wrap_HasFilesystem, 0);
+
+        if (FIM_MODE(dir_it->options) == FIM_REALTIME) {
+            expect_string(__wrap_fim_add_inotify_watch, dir, dir_it->path);
+            will_return(__wrap_fim_add_inotify_watch, 0);
+        }
+
+        expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+        will_return(__wrap_realtime_adddir, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+    expect_function_call_any(__wrap_fim_db_transaction_deleted_rows);
+
+    // In fim_scan
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+}
+
+#else
+static void test_fim_checker_over_max_recursion_level(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true, .w_evt = NULL };
+    char *path = "%WINDIR%\\System32\\drivers\\etc\\random\\test.exe";
+    char expanded_path[OS_MAXSTR];
+    char debug_msg[OS_MAXSTR];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 2))->recursion_level = 0;
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    snprintf(debug_msg, OS_MAXSTR,
+        "(6217): Maximum level of recursion reached. Depth:1 recursion_level:0 '%s'", expanded_path);
+
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_deleted_file(void **state) {
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char *path = "%WINDIR%\\System32\\drivers\\etc\\test.exe";
+    char expanded_path[OS_MAXSTR];
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6222): Stat() function failed on: 'c:\\windows\\system32\\drivers\\etc\\test.exe' due to [(1)-(Operation not permitted)]");
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, -1);
+
+    errno = 1;
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+
+    errno = 0;
+}
+
+static void test_fim_checker_deleted_file_enoent(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char *path = "%WINDIR%\\System32\\drivers\\etc\\test.exe";
+    char expanded_path[OS_MAXSTR];
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->options |= CHECK_SEECHANGES;
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    fim_data->fentry->file_entry.path = strdup(expanded_path);
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, -1);
+
+    errno = ENOENT;
+
+    expect_string(__wrap_fim_db_get_path, file_path, expanded_path);
+    will_return(__wrap_fim_db_get_path, FIMDB_ERR);
+
+    expect_fim_diff_process_delete_file(expanded_path, 0);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+
+    errno = 0;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3))->options &= ~CHECK_SEECHANGES;
+}
+
+static void test_fim_checker_fim_regular(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char *path = "%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
+    char expanded_path[OS_SIZE_128];
+    event_data_t evt_data = { .mode = FIM_WHODATA, .w_evt = fim_data->w_evt, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    if (!ExpandEnvironmentStrings(path, expanded_path, OS_SIZE_128)) {
+        fail();
+    }
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+
+    str_lowercase(expanded_path);
+
+    expect_string(__wrap_HasFilesystem, path, expanded_path);
+
+    will_return(__wrap_HasFilesystem, 0);
+    // Inside fim_file
+    expect_get_data(strdup("user"), "group", expanded_path, 0);
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+    expect_string(__wrap_w_get_file_attrs, file_path, expanded_path);
+    will_return(__wrap_w_get_file_attrs, 123456);
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_ignore(void **state) {
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char *path = "%WINDIR%\\System32\\drivers\\etc\\ignored.file";
+    char expanded_path[OS_MAXSTR];
+    char debug_msg[OS_MAXSTR];
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, expanded_path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_ENTRY, expanded_path, expanded_path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_restrict(void **state) {
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char * path = "%WINDIR%\\System32\\wbem\\restricted.exe";
+    char expanded_path[OS_MAXSTR];
+    char debug_msg[OS_MAXSTR];
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, expanded_path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    snprintf(debug_msg, OS_MAXSTR, "(6203): Ignoring entry '%s' due to restriction 'wmic.exe$'", expanded_path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_regular_warning(void **state) {
+    struct stat stat_s = { .st_mode = S_IFREG };
+    char *path = "%WINDIR%\\System32\\drivers\\etc\\test.exe";
+    char expanded_path[OS_MAXSTR];
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, expanded_path);
+    will_return(__wrap_HasFilesystem, 0);
+
+    // Inside fim_file
+    expect_get_data(strdup("user"), "group", expanded_path, 0);
+
+    expect_string(__wrap_w_get_file_attrs, file_path, expanded_path);
+    will_return(__wrap_w_get_file_attrs, 123456);
+
+    will_return(__wrap_fim_db_file_update, FIMDB_OK);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_fim_directory(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat stat_s = { .st_mode = S_IFDIR };
+    char * path = "%WINDIR%\\System32\\drivers\\etc";
+    char skip_directory_message[OS_MAXSTR];
+    char expanded_path[OS_MAXSTR];
+    char expanded_path_test[OS_MAXSTR];
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(expanded_path);
+
+    snprintf(expanded_path_test, OS_MAXSTR, "%s\\test", expanded_path);
+
+    expect_string(__wrap_stat, __file, expanded_path);
+    expect_string(__wrap_stat, __file, expanded_path_test);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+    will_return(__wrap_stat, &stat_s);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, expanded_path);
+    expect_string(__wrap_HasFilesystem, path, expanded_path_test);
+    will_return_always(__wrap_HasFilesystem, 0);
+
+    strcpy(fim_data->entry->d_name, "test");
+
+    will_return_always(__wrap_opendir, 1);
+    will_return(__wrap_readdir, fim_data->entry);
+    will_return(__wrap_readdir, NULL);
+
+
+    snprintf(skip_directory_message, OS_MAXSTR,
+        "(6347): Directory '%s' is already on the max recursion_level (0), it will not be scanned.", expanded_path_test);
+    expect_string(__wrap__mdebug2, formatted_msg, skip_directory_message);
+
+    fim_checker(expanded_path, &evt_data, NULL, NULL, NULL);
+}
+
+
+static void test_fim_checker_root_ignore_file_under_recursion_level(void **state) {
+    char * path = "c:\\windows\\test.file";
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true };
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6217): Maximum level of recursion reached. Depth:1 recursion_level:0 'c:\\windows\\test.file'");
+
+    fim_checker(path, &evt_data, NULL, NULL, NULL);
+}
+
+static void test_fim_checker_root_file_within_recursion_level(void **state) {
+    char * path = "c:\\test.file";
+    struct stat statbuf = DEFAULT_STATBUF;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .report_event = true, .w_evt = NULL };
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    TXN_HANDLE txn_handle = (TXN_HANDLE) 1;
+    fim_txn_context_t mock_context = {0};
+    statbuf.st_size = 0;
+
+    // Inside fim_file
+    expect_get_data(strdup("user"), "", path, 0);
+
+    expect_string(__wrap_w_get_file_attrs, file_path, "c:\\test.file");
+    will_return(__wrap_w_get_file_attrs, 123456);
+
+    expect_string(__wrap_stat, __file, "c:\\test.file");
+    will_return(__wrap_stat, &statbuf);
+    will_return(__wrap_stat, 0);
+
+    expect_string(__wrap_HasFilesystem, path, "c:\\test.file");
+    will_return(__wrap_HasFilesystem, 0);
+
+    will_return(__wrap_fim_db_transaction_sync_row, 0);
+    fim_checker(path, &evt_data, NULL, &txn_handle, &mock_context);
+}
+
+static void test_fim_scan_db_full_double_scan(void **state) {
+    char test_file_path[OS_SIZE_256];
+    struct stat directory_stat = { .st_mode = S_IFDIR };
+    TXN_HANDLE mock_handle;
+    char expanded_dirs[10][OS_SIZE_1024];
+    char directories[6][OS_SIZE_256] = {
+        "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+        "%WINDIR%",
+        "%WINDIR%\\System32",
+        "%WINDIR%\\System32\\drivers\\etc",
+        "%WINDIR%\\System32\\wbem",
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+    };
+    int i;
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, mock_handle);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    for(i = 0; i < 6; i++) {
+        if(!ExpandEnvironmentStrings(directories[i], expanded_dirs[i], OS_SIZE_1024)) {
+            fail();
+        }
+        str_lowercase(expanded_dirs[i]);
+
+        expect_string(__wrap_stat, __file, expanded_dirs[i]);
+        will_return(__wrap_stat, &directory_stat);
+        will_return(__wrap_stat, 0);
+
+        expect_string(__wrap_HasFilesystem, path, expanded_dirs[i]);
+        will_return(__wrap_HasFilesystem, 0);
+
+        will_return(__wrap_readdir, NULL);
+        will_return(__wrap_opendir, 1);
+    }
+    expect_string_count(__wrap_realtime_adddir, dir, "c:\\windows\\system32\\windowspowershell\\v1.0",1);
+    will_return_maybe(__wrap_realtime_adddir, 0);
+
+    will_return(__wrap_fim_db_get_count_file_entry, 1);
+    will_return(__wrap_fim_db_get_count_file_entry, 1);
+    will_return(__wrap_fim_db_get_count_registry_data, 1);
+    will_return(__wrap_fim_db_get_count_registry_key, 1);
+
+    snprintf(test_file_path, 160, "%s\\test_file", expanded_dirs[0]);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+    fim_scan();
+}
+
+static void test_fim_scan_db_full_not_double_scan(void **state) {
+    char expanded_dirs[10][OS_SIZE_1024];
+    char directories[6][OS_SIZE_256] = {
+        "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+        "%WINDIR%",
+        "%WINDIR%\\System32",
+        "%WINDIR%\\System32\\drivers\\etc",
+        "%WINDIR%\\System32\\wbem",
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+    };
+    int i;
+    struct stat buf = { .st_mode = S_IFDIR };
+    TXN_HANDLE mock_handle;
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    for(i = 0; i < 6; i++) {
+        if(!ExpandEnvironmentStrings(directories[i], expanded_dirs[i], OS_SIZE_1024)) {
+            fail();
+        }
+        str_lowercase(expanded_dirs[i]);
+
+        expect_string(__wrap_stat, __file, expanded_dirs[i]);
+        will_return(__wrap_stat, &buf);
+        will_return(__wrap_stat, 0);
+        expect_string(__wrap_HasFilesystem, path, expanded_dirs[i]);
+        will_return(__wrap_HasFilesystem, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+
+    expect_string_count(__wrap_realtime_adddir, dir, "c:\\windows\\system32\\windowspowershell\\v1.0",1);
+    will_return_maybe(__wrap_realtime_adddir, 0);
+
+    will_return(__wrap_fim_db_get_count_file_entry, 1);
+    will_return(__wrap_fim_db_get_count_file_entry, 1);
+    will_return(__wrap_fim_db_get_count_registry_data, 1);
+    will_return(__wrap_fim_db_get_count_registry_key, 1);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+}
+
+static void test_fim_scan_no_limit(void **state) {
+    char expanded_dirs[10][OS_SIZE_1024];
+    char directories[6][OS_SIZE_256] = {
+        "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+        "%WINDIR%",
+        "%WINDIR%\\System32",
+        "%WINDIR%\\System32\\drivers\\etc",
+        "%WINDIR%\\System32\\wbem",
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+    };
+    int i;
+    struct stat buf = { .st_mode = S_IFDIR };
+    TXN_HANDLE mock_handle;
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_fim_db_transaction_start, &mock_handle);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_STARTED);
+
+    // fim_diff_folder_size
+    expect_string(__wrap_IsDir, file, "queue/diff/local");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, "queue/diff/local");
+    will_return(__wrap_DirSize, 0.0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6348): Size of 'queue/diff' folder: 0.00000 KB.");
+
+    for(i = 0; i < 6; i++) {
+        if(!ExpandEnvironmentStrings(directories[i], expanded_dirs[i], OS_SIZE_1024)) {
+            fail();
+        }
+        str_lowercase(expanded_dirs[i]);
+
+        expect_string(__wrap_stat, __file, expanded_dirs[i]);
+        will_return(__wrap_stat, &buf);
+        will_return(__wrap_stat, 0);
+        expect_string(__wrap_HasFilesystem, path, expanded_dirs[i]);
+        will_return(__wrap_HasFilesystem, 0);
+
+        will_return(__wrap_opendir, 1);
+        will_return(__wrap_readdir, NULL);
+    }
+    expect_string_count(__wrap_realtime_adddir, dir, "c:\\windows\\system32\\windowspowershell\\v1.0",1);
+    will_return_maybe(__wrap_realtime_adddir, 0);
+
+    expect_function_call(__wrap_fim_db_transaction_deleted_rows);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FREQUENCY_ENDED);
+
+    fim_scan();
+}
+
+#endif
+
+static void test_fim_checker_unsupported_path(void **state) {
+    const char * PATH = "Unsupported\xFF\x02";
+    expect_string(__wrap__mwarn, formatted_msg, "(6955): Ignoring file 'Unsupported\xFF\x02' due to unsupported name (non-UTF8).");
+
+    fim_checker(PATH, NULL, NULL, NULL, NULL);
+}
+
+/* fim_check_db_state */
+static void test_fim_check_db_state_normal_to_empty(void **state) {
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 0, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+}
+
+static void test_fim_check_db_state_empty_to_empty(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+
+    fim_check_db_state(syscheck.file_entry_limit, 0, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+}
+
+static void test_fim_check_db_state_empty_to_full(void **state) {
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+
+    fim_check_db_state(syscheck.file_entry_limit, 50000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+}
+
+static void test_fim_check_db_state_full_to_empty(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":0,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 0, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+}
+
+static void test_fim_check_db_state_empty_to_90_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6040): File database is 90% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":46000,\"alert_type\":\"90_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+
+    fim_check_db_state(syscheck.file_entry_limit, 46000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_90_percentage_to_empty(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":0,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 0, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+}
+
+static void test_fim_check_db_state_empty_to_80_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6038): File database is 80% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":41000,\"alert_type\":\"80_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+
+    fim_check_db_state(syscheck.file_entry_limit, 41000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_80_percentage_to_empty(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":0,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 0, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+}
+
+static void test_fim_check_db_state_empty_to_normal(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_EMPTY);
+
+    fim_check_db_state(syscheck.file_entry_limit, 10000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+static void test_fim_check_db_state_normal_to_normal(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 20000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+static void test_fim_check_db_state_normal_to_full(void **state) {
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 50000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+}
+
+static void test_fim_check_db_state_full_to_normal(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":10000,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 10000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+static void test_fim_check_db_state_normal_to_90_percentage(void **state) {
+
+    expect_string(__wrap__minfo, formatted_msg, "(6040): File database is 90% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":46000,\"alert_type\":\"90_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 46000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_90_percentage_to_normal(void **state) {
+
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":10000,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 10000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+static void test_fim_check_db_state_normal_to_80_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6038): File database is 80% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":41000,\"alert_type\":\"80_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 41000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_80_percentage_to_80_percentage(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 42000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_80_percentage_to_full(void **state) {
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 50000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+}
+
+static void test_fim_check_db_state_full_to_80_percentage(void **state) {
+
+    expect_string(__wrap__minfo, formatted_msg, "(6038): File database is 80% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":41000,\"alert_type\":\"80_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 41000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_80_percentage_to_90_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6040): File database is 90% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":46000,\"alert_type\":\"90_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 46000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_90_percentage_to_90_percentage(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 48000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_90_percentage_to_full(void **state) {
+    expect_string(__wrap__mwarn, formatted_msg, "(6926): File database is 100% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":50000,\"alert_type\":\"full\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 50000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+}
+
+static void test_fim_check_db_state_full_to_full(void **state) {
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 60000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+}
+
+static void test_fim_check_db_state_full_to_90_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6040): File database is 90% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":46000,\"alert_type\":\"90_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_FULL);
+
+    fim_check_db_state(syscheck.file_entry_limit, 46000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_90_percentage_to_80_percentage(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6038): File database is 80% full.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":41000,\"alert_type\":\"80_percentage\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_90_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 41000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+}
+
+static void test_fim_check_db_state_80_percentage_to_normal(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6036): The file database status returns to normal.");
+    expect_string(__wrap_send_log_msg, msg, "wazuh: FIM DB: {\"fim_db_table\":\"file_entry\",\"file_limit\":50000,\"file_count\":10000,\"alert_type\":\"normal\"}");
+    will_return(__wrap_send_log_msg, 1);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_80_PERCENTAGE);
+
+    fim_check_db_state(syscheck.file_entry_limit, 10000, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+static void test_fim_check_db_state_nodes_count_database_error(void **state) {
+    expect_string(__wrap__mwarn, formatted_msg, "(6948): Unable to get the number of entries in database.");
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+
+    fim_check_db_state(syscheck.file_entry_limit, -1, &_files_db_state, FIMDB_FILE_TABLE_NAME);
+
+    assert_int_equal(_files_db_state, FIM_STATE_DB_NORMAL);
+}
+
+/* fim_directory */
+static void test_fim_directory(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .type = FIM_MODIFICATION };
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    strcpy(fim_data->entry->d_name, "test");
+
+    will_return(__wrap_opendir, 1);
+    will_return(__wrap_readdir, fim_data->entry);
+    will_return(__wrap_readdir, NULL);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'test/test'");
+#else
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'test\\test'");
+#endif
+
+    ret = fim_directory("test", &evt_data, NULL, NULL, NULL);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_fim_directory_ignore(void **state) {
+    fim_data_t *fim_data = *state;
+    event_data_t evt_data = { .mode = FIM_REALTIME, .w_evt = NULL, .report_event = true, .type = FIM_MODIFICATION };
+    int ret;
+
+    strcpy(fim_data->entry->d_name, ".");
+
+    will_return(__wrap_opendir, 1);
+    will_return(__wrap_readdir, fim_data->entry);
+    will_return(__wrap_readdir, NULL);
+
+    ret = fim_directory(".", &evt_data, NULL, NULL, NULL);
+
+    assert_int_equal(ret, 0);
+}
+
+static void test_fim_directory_nodir(void **state) {
+    int ret;
+
+    expect_string(__wrap__merror, formatted_msg, "(1105): Attempted to use null string.");
+
+    ret = fim_directory(NULL, NULL, NULL, NULL, NULL);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_fim_directory_opendir_error(void **state) {
+    int ret;
+
+    will_return(__wrap_opendir, 0);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6922): Cannot open 'test': Permission denied");
+
+    errno = EACCES;
+
+    ret = fim_directory("test", NULL, NULL, NULL, NULL);
+
+    errno = 0;
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+/* fim_get_data */
+static void test_fim_get_data(void **state) {
+    fim_data_t *fim_data = *state;
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_MTIME | CHECK_OWNER | CHECK_GROUP |
+                                             CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM };
+    struct stat statbuf = { .st_mode = S_IFREG | 00444,
+                            .st_size = 1000,
+                            .st_uid = 0,
+                            .st_gid = 0,
+                            .st_ino = 1234,
+                            .st_dev = 2345,
+                            .st_mtime = 3456 };
+
+    expect_get_data(strdup("user"), strdup("group"), "test", 1);
+    fim_data->local_data = fim_get_data("test", &configuration, &statbuf);
+
+#ifndef TEST_WINAGENT
+    assert_string_equal(fim_data->local_data->perm, "r--r--r--");
+#else
+    assert_string_equal(fim_data->local_data->perm, "{}");
+    assert_non_null(fim_data->local_data->perm_json);
+#endif
+    assert_string_equal(fim_data->local_data->hash_md5, "d41d8cd98f00b204e9800998ecf8427e");
+    assert_string_equal(fim_data->local_data->hash_sha1, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+    assert_string_equal(fim_data->local_data->hash_sha256, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
+}
+
+static void test_fim_get_data_no_hashes(void **state) {
+    fim_data_t *fim_data = *state;
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_MTIME | CHECK_OWNER | CHECK_GROUP };
+    struct stat statbuf = { .st_mode = S_IFREG | 00444,
+                            .st_size = 1000,
+                            .st_uid = 0,
+                            .st_gid = 0,
+                            .st_ino = 1234,
+                            .st_dev = 2345,
+                            .st_mtime = 3456 };
+
+    expect_get_data(strdup("user"), strdup("group"), "test", 0);
+
+    fim_data->local_data = fim_get_data("test", &configuration, &statbuf);
+
+#ifndef TEST_WINAGENT
+    assert_string_equal(fim_data->local_data->perm, "r--r--r--");
+#else
+    assert_string_equal(fim_data->local_data->perm, "{}");
+    assert_non_null(fim_data->local_data->perm_json);
+#endif
+    assert_string_equal(fim_data->local_data->hash_md5, "");
+    assert_string_equal(fim_data->local_data->hash_sha1, "");
+    assert_string_equal(fim_data->local_data->hash_sha256, "");
+}
+
+static void test_fim_get_data_hash_error(void **state) {
+    fim_data_t *fim_data = *state;
+    directory_t configuration = { .options = CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM | CHECK_MTIME |
+                          CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP };
+    struct stat statbuf = { .st_mode = S_IFREG | 00444,
+                            .st_size = 1000,
+                            .st_uid = 0,
+                            .st_gid = 0,
+                            .st_ino = 1234,
+                            .st_dev = 2345,
+                            .st_mtime = 3456 };
+
+    expect_get_data(strdup("user"), strdup("group"), "test", 0);
+
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, fname, "test");
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, prefilter_cmd, syscheck.prefilter_cmd);
+#else
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, prefilter_cmd, syscheck.prefilter_cmd);
+#endif
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, md5output, "d41d8cd98f00b204e9800998ecf8427e");
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha1output, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
+    expect_string(__wrap_OS_MD5_SHA1_SHA256_File, sha256output, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, mode, OS_BINARY);
+    expect_value(__wrap_OS_MD5_SHA1_SHA256_File, max_size, 0x400);
+    will_return(__wrap_OS_MD5_SHA1_SHA256_File, -1);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6324): Couldn't generate hashes for 'test'");
+
+    fim_data->local_data = fim_get_data("test", &configuration, &statbuf);
+
+    assert_null(fim_data->local_data);
+}
+
+#ifdef TEST_WINAGENT
+static void test_fim_get_data_fail_to_get_file_premissions(void **state) {
+    fim_data_t *fim_data = *state;
+    directory_t configuration = { .options = CHECK_SIZE | CHECK_PERM | CHECK_MTIME | CHECK_OWNER | CHECK_GROUP |
+                                             CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM };
+    struct stat statbuf = DEFAULT_STATBUF;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6325): It was not possible to extract the permissions of 'test'. Error: 5");
+
+    expect_string(__wrap_w_get_file_permissions, file_path, "test");
+    will_return(__wrap_w_get_file_permissions, NULL);
+    will_return(__wrap_w_get_file_permissions, ERROR_ACCESS_DENIED);
+
+
+    fim_data->local_data = fim_get_data("test", &configuration, &statbuf);
+
+    assert_null(fim_data->local_data);
+}
+#endif
+
+static void test_fim_realtime_event_file_exists(void **state) {
+    struct stat buf = { .st_mode = 0 };
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_lstat, filename, "/test");
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+#else
+    expect_string(__wrap_stat, __file, "/test");
+    will_return(__wrap_stat, &buf);
+    will_return(__wrap_stat, 0);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'/test'");
+
+    fim_realtime_event("/test");
+}
+
+static void test_fim_realtime_event_file_missing(void **state) {
+
+    struct stat stat_buf = { .st_mode = 0 };
+    char mdebug_msg[70];
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+#ifdef TEST_WINAGENT
+    char *path = "C:\\a\\random\\path";
+#else
+    char *path = "/a/random/path";
+#endif
+    char buff[OS_SIZE_128] = {0};
+    snprintf(buff, OS_SIZE_128, "%s%c%%", path, PATH_SEP);
+    sprintf(mdebug_msg, FIM_CONFIGURATION_NOTFOUND, "file", path);
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_lstat, filename, path);
+    will_return(__wrap_lstat, &stat_buf);
+    will_return(__wrap_lstat, -1);
+#else
+    expect_string(__wrap_stat, __file, path);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, -1);
+#endif
+    errno = ENOENT;
+
+    expect_string(__wrap__mdebug2, formatted_msg, mdebug_msg);
+
+    fim_realtime_event(path);
+    errno = 0;
+}
+
+static void test_fim_whodata_event_file_exists(void **state) {
+
+    fim_data_t *fim_data = *state;
+    struct stat buf = { .st_mode = 0 };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_lstat, filename, fim_data->w_evt->path);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, 0);
+#else
+    expect_string(__wrap_stat, __file, fim_data->w_evt->path);
+    will_return(__wrap_stat, &buf);
+    will_return(__wrap_stat, 0);
+#endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'./test/test.file'");
+
+    fim_whodata_event(fim_data->w_evt);
+}
+
+static void test_fim_whodata_event_file_missing(void **state) {
+    fim_data_t *fim_data = *state;
+    struct stat buf = { .st_mode = 0 };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_lstat, filename, fim_data->w_evt->path);
+    will_return(__wrap_lstat, &buf);
+    will_return(__wrap_lstat, -1);
+#else
+    expect_string(__wrap_stat, __file, fim_data->w_evt->path);
+    will_return(__wrap_stat, &buf);
+    will_return(__wrap_stat, -1);
+#endif
+    errno = ENOENT;
+
+#ifndef TEST_WINAGENT
+    expect_fim_db_file_inode_search(606060, 12345678, FIMDB_OK);
+#endif
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'./test/test.file'");
+    fim_whodata_event(fim_data->w_evt);
+    errno = 0;
+}
+
+/* fim_process_missing_entry */
+
+static void test_fim_process_missing_entry_null_configuration(void **state) {
+#ifdef TEST_WINAGENT
+    char *path = "C:\\a\\random\\path";
+#else
+    char *path = "/a/random/path";
+#endif
+
+    char buff[OS_SIZE_128] = {0};
+    snprintf(buff, OS_SIZE_128, "%s%c%%", path, PATH_SEP);
+    char debug_msg[70];
+    sprintf(debug_msg,"(6319): No configuration found for (file):'%s'", path);
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_process_missing_entry(path, FIM_REALTIME, NULL);
+}
+
+static void test_fim_process_missing_entry_data_exists(void **state) {
+    fim_data_t *fim_data = (fim_data_t*) *state;
+    free(fim_data->w_evt->path);
+#ifdef TEST_WINAGENT
+    char *aux_path = "%WINDIR%\\SysNative\\drivers\\etc";
+    char path[OS_MAXSTR];
+
+    if(!ExpandEnvironmentStrings(aux_path, path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(path);
+    fim_data->w_evt->path = strdup(path);
+#else
+    fim_data->w_evt->path = strdup("/media/test.txt");
+#endif
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_string(__wrap_fim_db_get_path, file_path, fim_data->w_evt->path);
+    will_return(__wrap_fim_db_get_path, FIMDB_OK);
+
+    fim_process_missing_entry(fim_data->w_evt->path, FIM_WHODATA, fim_data->w_evt);
+}
+
+void test_fim_process_missing_entry_whodata_disabled(void **state){
+    fim_data_t *fim_data = (fim_data_t*) *state;
+    free(fim_data->w_evt->path);
+#ifdef TEST_WINAGENT
+    char *aux_path = "%WINDIR%\\SysNative\\drivers\\etc";
+    char path[OS_MAXSTR];
+
+    if(!ExpandEnvironmentStrings(aux_path, path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(path);
+    fim_data->w_evt->path = strdup(path);
+#else
+    fim_data->w_evt->path = strdup("/media/test.txt");
+#endif
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_string(__wrap_fim_db_get_path, file_path, fim_data->w_evt->path);
+    will_return(__wrap_fim_db_get_path, FIMDB_ERR);
+
+    fim_process_missing_entry(fim_data->w_evt->path, FIM_WHODATA, fim_data->w_evt);
+}
+
+void test_fim_process_missing_entry(void **state){
+    fim_data_t *fim_data = (fim_data_t*) *state;
+    free(fim_data->w_evt->path);
+#ifdef TEST_WINAGENT
+    char *aux_path = "%WINDIR%\\SysNative\\drivers\\etc";
+    char path[OS_MAXSTR];
+
+    if(!ExpandEnvironmentStrings(aux_path, path, OS_MAXSTR))
+        fail();
+
+    str_lowercase(path);
+    fim_data->w_evt->path = strdup(path);
+#else
+    fim_data->w_evt->path = strdup("/etc/test.txt");
+#endif
+
+    char pattern[PATH_MAX] = {0};
+    snprintf(pattern, PATH_MAX, "%s%c%%", fim_data->w_evt->path, PATH_SEP);
+
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_string(__wrap_fim_db_get_path, file_path, fim_data->w_evt->path);
+    will_return(__wrap_fim_db_get_path, FIMDB_ERR);
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, pattern);
+    will_return(__wrap_fim_db_file_pattern_search, FIMDB_OK);
+
+    fim_process_missing_entry(fim_data->w_evt->path, FIM_SCHEDULED, fim_data->w_evt);
+}
+
+static void test_fim_process_wildcard_removed_no_data(void **state) {
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    directory_t *directory0 = OSList_GetFirstNode(removed_entries)->data;
+
+    char buff[OS_SIZE_128] = {0};
+    snprintf(buff, OS_SIZE_128, "%s%c%%", directory0->path, PATH_SEP);
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, buff);
+    will_return(__wrap_fim_db_file_pattern_search, FIMDB_OK);
+
+    expect_string(__wrap_fim_db_get_path, file_path, directory0->path);
+    will_return(__wrap_fim_db_get_path, NULL);
+
+
+    fim_process_wildcard_removed(directory0);
+}
+
+static void test_fim_process_wildcard_removed_failure(void **state) {
+    fim_tmp_file *file = calloc(1, sizeof(fim_tmp_file));
+    file->elements = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    directory_t *directory0 = OSList_GetFirstNode(removed_entries)->data;
+
+    char buff[OS_SIZE_128] = {0};
+
+    snprintf(buff, OS_SIZE_128, "%s%c%%", directory0->path, PATH_SEP);
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, buff);
+    will_return(__wrap_fim_db_file_pattern_search, FIMDB_OK);
+    expect_string(__wrap_fim_db_get_path, file_path, directory0->path);
+    will_return(__wrap_fim_db_get_path, NULL);
+
+    fim_process_wildcard_removed(directory0);
+
+    free(file);
+}
+
+static void test_fim_process_wildcard_removed_data_exists(void **state) {
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    fim_data_t *fim_data = *state;
+    directory_t *directory0 = OSList_GetFirstNode(removed_entries)->data;
+
+    fim_data->fentry->file_entry.path = strdup("file");
+    fim_data->fentry->file_entry.data = fim_data->local_data;
+
+    fim_data->local_data->size = 1500;
+    fim_data->local_data->perm = strdup("0664");
+    fim_data->local_data->attributes = strdup("r--r--r--");
+    fim_data->local_data->uid = strdup("100");
+    fim_data->local_data->gid = strdup("1000");
+    fim_data->local_data->user_name = strdup("test");
+    fim_data->local_data->group_name = strdup("testing");
+    fim_data->local_data->mtime = 1570184223;
+    fim_data->local_data->inode = 606060;
+    strcpy(fim_data->local_data->hash_md5, "3691689a513ace7e508297b583d7050d");
+    strcpy(fim_data->local_data->hash_sha1, "07f05add1049244e7e71ad0f54f24d8094cd8f8b");
+    strcpy(fim_data->local_data->hash_sha256, "672a8ceaea40a441f0268ca9bbb33e99f9643c6262667b61fbe57694df224d40");
+    fim_data->local_data->mode = FIM_REALTIME;
+    fim_data->local_data->last_event = 1570184220;
+    fim_data->local_data->dev = 12345678;
+    fim_data->local_data->scanned = 123456;
+    fim_data->local_data->options = 511;
+    strcpy(fim_data->local_data->checksum, "");
+    char pattern[100];
+    snprintf(pattern, PATH_MAX, "%s%c%%", directory0->path, PATH_SEP);
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, pattern);
+    will_return(__wrap_fim_db_file_pattern_search, FIMDB_OK);
+    expect_string(__wrap_fim_db_get_path, file_path, directory0->path);
+    will_return(__wrap_fim_db_get_path, fim_data->fentry);
+
+    fim_process_wildcard_removed(directory0);
+}
+
+void test_fim_diff_folder_size(void **state) {
+    (void) state;
+    char *diff_local;
+
+    diff_local = (char *)calloc(strlen(DIFF_DIR) + strlen("/local") + 1, sizeof(char));
+
+    snprintf(diff_local, strlen(DIFF_DIR) + strlen("/local") + 1, "%s/local", DIFF_DIR);
+
+    expect_string(__wrap_IsDir, file, diff_local);
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, diff_local);
+    will_return(__wrap_DirSize, 20 * 1024);
+
+    fim_diff_folder_size();
+
+    assert_int_equal(syscheck.diff_folder_size, 20);
+
+    if (diff_local) {
+        free(diff_local);
+    }
+}
+
+static void test_update_wildcards_config() {
+    char **paths;
+#ifndef TEST_WINAGENT
+    char wildcard1[20] = "/testdir?";
+    char wildcard2[20] = "/*/path";
+    char resolvedpath1[20] = "/testdir1";
+    char resolvedpath2[20] = "/testdir2";
+#else
+    char wildcard1[20] = "c:\\testdir?";
+    char wildcard2[20] = "c:\\*\\path";
+    char resolvedpath1[20] = "c:\\testdir1";
+    char resolvedpath2[20] = "c:\\testdir2";
+#endif
+    os_calloc(3, sizeof(char *), paths);
+    os_strdup(resolvedpath1, paths[0]);
+    os_strdup(resolvedpath2, paths[1]);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WILDCARDS_UPDATE_START);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WILDCARDS_UPDATE_FINALIZE);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap_expand_wildcards, path, wildcard1);
+    will_return(__wrap_expand_wildcards, paths);
+    expect_string(__wrap_expand_wildcards, path, wildcard2);
+    will_return(__wrap_expand_wildcards, NULL);
+
+#ifndef WIN32
+    expect_string_count(__wrap_realpath, path, wildcard1, 2);
+    will_return_count(__wrap_realpath, NULL, 2);
+#endif
+
+    update_wildcards_config();
+
+    // Filled config
+    directory_t *directory0 = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0);
+    assert_string_equal(directory0->path, resolvedpath1);
+    directory_t *directory1 = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+    assert_string_equal(directory1->path, resolvedpath2);
+}
+
+static void test_update_wildcards_config_remove_config() {
+#ifndef TEST_WINAGENT
+    char wildcard1[20] = "/testdir?";
+    char wildcard2[20] = "/*/path";
+    char resolvedpath1[20] = "/testdir1";
+    char resolvedpath2[20] = "/testdir2";
+    char pattern1[20] = "/testdir1/%";
+    char pattern2[20] = "/testdir2/%";
+#else
+    char wildcard1[20] = "c:\\testdir?";
+    char wildcard2[20] = "c:\\*\\path";
+    char resolvedpath1[20] = "c:\\testdir1";
+    char resolvedpath2[20] = "c:\\testdir2";
+    char pattern1[20] = "c:\\testdir1\\%";
+    char pattern2[20] = "c:\\testdir2\\%";
+#endif
+
+    char error_msg[OS_MAXSTR];
+    char error_msg2[OS_MAXSTR];
+
+    snprintf(error_msg, OS_MAXSTR, FIM_WILDCARDS_REMOVE_DIRECTORY, resolvedpath1);
+    snprintf(error_msg2, OS_MAXSTR, FIM_WILDCARDS_REMOVE_DIRECTORY, resolvedpath2);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WILDCARDS_UPDATE_START);
+    expect_string(__wrap__mdebug2, formatted_msg, error_msg2);
+    expect_string(__wrap__mdebug2, formatted_msg, error_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WILDCARDS_UPDATE_FINALIZE);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap_expand_wildcards, path, wildcard1);
+    will_return(__wrap_expand_wildcards, NULL);
+    expect_string(__wrap_expand_wildcards, path, wildcard2);
+    will_return(__wrap_expand_wildcards, NULL);
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_remove_audit_rule_syscheck, path, resolvedpath1);
+    expect_string(__wrap_remove_audit_rule_syscheck, path, resolvedpath2);
+#endif
+
+    // Remove configuration loop
+    expect_string(__wrap_fim_db_get_path, file_path, resolvedpath2);
+    will_return(__wrap_fim_db_get_path, NULL);
+
+    expect_string(__wrap_fim_db_get_path, file_path, resolvedpath1);
+    will_return(__wrap_fim_db_get_path, NULL);
+
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, pattern2);
+    will_return(__wrap_fim_db_file_pattern_search, 0);
+
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, pattern1);
+    will_return(__wrap_fim_db_file_pattern_search, 0);
+    update_wildcards_config();
+
+    // Empty config
+    directory_t *directory0 = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0);
+    assert_null(directory0);
+}
+
+static void test_update_wildcards_config_list_null() {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (syscheck.wildcards) {
+        OSList_Destroy(syscheck.wildcards);
+        syscheck.wildcards = NULL;
+    }
+    update_wildcards_config();
+}
+
+static void test_transaction_callback_add(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    char *path = "/etc/a_test_file.txt";
+#else
+    char *path = "c:\\windows\\a_test_file.txt";
+#endif
+
+    fim_txn_context_t *txn_context = data->txn_context;
+    fim_entry entry = {.type = FIM_TYPE_FILE, .file_entry.path = path, .file_entry.data=&DEFAULT_FILE_DATA};
+    cJSON *result = cJSON_Parse("[{\"attributes\":\"\",\"checksum\":\"d0e2e27875639745261c5d1365eb6c9fb7319247\",\"dev\":64768,\"gid\":0,\"group_name\":\"root\",\"hash_md5\":\"d41d8cd98f00b204e9800998ecf8427e\",\"hash_sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\",\"hash_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"inode\":801978,\"last_event\":0,\"mode\":0,\"mtime\":1645001030,\"options\":139775,\"path\":\"/etc/a_test_file.txt\",\"perm\":\"rw-r--r--\",\"scanned\":1,\"size\":0,\"uid\":0,\"user_name\":\"root\"}]");
+
+    txn_context->latest_entry = &entry;
+    data->dbsync_event = result;
+
+#ifndef TEST_WINAGENT // The order of the functions is different between windows an linux
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(INSERTED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_ADD);
+
+    data->txn_context->latest_entry = NULL;
+}
+
+static void test_transaction_callback_modify(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    char *path = "/etc/a_test_file.txt";
+#else
+    char *path = "c:\\windows\\a_test_file.txt";
+#endif
+    fim_txn_context_t *txn_context = data->txn_context;
+    fim_entry entry = {.type = FIM_TYPE_FILE, .file_entry.path = path, .file_entry.data=&DEFAULT_FILE_DATA};
+    txn_context->latest_entry = &entry;
+
+    cJSON *result = cJSON_Parse("[{\"new\":{\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\",\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"mtime\":1645001693,\"path\":\"/etc/a_test_file.txt\",\"size\":11},\"old\":{\"checksum\":\"d0e2e27875639745261c5d1365eb6c9fb7319247\",\"hash_md5\":\"d41d8cd98f00b204e9800998ecf8427e\",\"hash_sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\",\"hash_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"mtime\":1645001030,\"path\":\"/etc/a_test_file.txt\",\"size\":0}}]");
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(MODIFIED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_MODIFICATION);
+
+    data->txn_context->latest_entry = NULL;
+}
+
+static void test_transaction_callback_modify_empty_changed_attributes(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    char *path = "/etc/a_test_file.txt";
+#else
+    char *path = "c:\\windows\\a_test_file.txt";
+#endif
+    fim_txn_context_t *txn_context = data->txn_context;
+    fim_entry entry = {.type = FIM_TYPE_FILE, .file_entry.path = path, .file_entry.data=&DEFAULT_FILE_DATA};
+    txn_context->latest_entry = &entry;
+
+    cJSON *result = cJSON_Parse("{\"new\":{\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\",\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"mtime\":1645001693,\"path\":\"/etc/a_test_file.txt\",\"size\":11},\"old\":{\"path\":\"/etc/a_test_file.txt\"}}");
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "(6954): Entry '/etc/a_test_file.txt' does not have any modified fields. No event will be generated.");
+#else
+    expect_string(__wrap__mdebug2, formatted_msg, "(6954): Entry 'c:\\windows\\a_test_file.txt' does not have any modified fields. No event will be generated.");
+#endif
+    transaction_callback(MODIFIED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_MODIFICATION);
+
+    data->txn_context->latest_entry = NULL;
+}
+
+static void test_transaction_callback_modify_report_changes(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    char *path = "/etc/a_test_file.txt";
+#else
+    char *path = "c:\\windows\\a_test_file.txt";
+#endif
+    fim_txn_context_t *txn_context = data->txn_context;
+    fim_entry entry = {.type = FIM_TYPE_FILE, .file_entry.path = path, .file_entry.data=&DEFAULT_FILE_DATA};
+    txn_context->latest_entry = &entry;
+
+
+    cJSON *result = cJSON_Parse("[{\"new\":{\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\",\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"mtime\":1645001693,\"path\":\"/etc/a_test_file.txt\",\"size\":11},\"old\":{\"checksum\":\"d0e2e27875639745261c5d1365eb6c9fb7319247\",\"hash_md5\":\"d41d8cd98f00b204e9800998ecf8427e\",\"hash_sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\",\"hash_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"mtime\":1645001030,\"path\":\"/etc/a_test_file.txt\",\"size\":0}}]");
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options |= CHECK_SEECHANGES;
+
+    expect_fim_file_diff(entry.file_entry.path, strdup("diff"));
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(MODIFIED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_MODIFICATION);
+
+    data->txn_context->latest_entry = NULL;
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options &= ~CHECK_SEECHANGES;
+}
+
+static void test_transaction_callback_delete(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    cJSON *result = cJSON_Parse("{\"path\":\"/etc/a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#else
+    cJSON *result = cJSON_Parse("{\"path\":\"c:\\\\windows\\\\a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#endif
+
+    fim_txn_context_t *txn_context = data->txn_context;
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(DELETED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_DELETE);
+}
+
+static void test_transaction_callback_delete_report_changes(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+
+    fim_txn_context_t *txn_context = data->txn_context;
+#ifndef TEST_WINAGENT
+    const char* path = "/etc/a_test_file.txt";
+    cJSON *result = cJSON_Parse("{\"path\":\"/etc/a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#else
+    const char *path = "c:\\windows\\a_test_file.txt";
+    cJSON *result = cJSON_Parse("{\"path\":\"c:\\\\windows\\\\a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#endif
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options |= CHECK_SEECHANGES;
+
+
+    expect_fim_diff_process_delete_file(path, 0);
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(DELETED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_DELETE);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options &= ~CHECK_SEECHANGES;
+}
+
+static void test_transaction_callback_delete_full_db(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    cJSON *result = cJSON_Parse("{\"path\":\"/etc/a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#else
+    cJSON *result = cJSON_Parse("{\"path\":\"c:\\\\windows\\\\a_test_file.txt\",\"size\":11,\"last_event\":123456789,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#endif
+
+    fim_txn_context_t *txn_context = data->txn_context;
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    transaction_callback(DELETED, result, txn_context);
+    assert_int_equal(txn_context->evt_data->type, FIM_DELETE);
+}
+
+static void test_transaction_callback_full_db(void **state) {
+    txn_data_t *data = (txn_data_t *) *state;
+#ifndef TEST_WINAGENT
+    char* path = "/etc/a_test_file.txt";
+    cJSON *result = cJSON_Parse("{\"path\":\"/etc/a_test_file.txt\",\"size\":11,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#else
+    char *path = "c:\\windows\\a_test_file.txt";
+    cJSON *result = cJSON_Parse("{\"path\":\"c:\\\\windows\\\\a_test_file.txt\",\"size\":11,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":801978,\"mtime\":1645001693,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"cfdd740677ed8b250e93081e72b4d97b1c846fdc\"}");
+#endif
+    char debug_msg[OS_SIZE_128] = {0};
+
+    fim_txn_context_t *txn_context = data->txn_context;
+    fim_entry entry = {.type = FIM_TYPE_FILE, .file_entry.path = path, .file_entry.data=&DEFAULT_FILE_DATA};
+
+    txn_context->latest_entry = &entry;
+    data->dbsync_event = result;
+
+    // These functions are called every time transaction_callback calls fim_configuration_directory
+#ifndef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+#else
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    snprintf(debug_msg, OS_SIZE_128, "Couldn't insert '%s' entry into DB. The DB is full, please check your configuration.", path);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg);
+
+    transaction_callback(MAX_ROWS, result, txn_context);
+}
+
+static void test_fim_event_callback(void **state) {
+    whodata_evt w_event = {.user_name = "audit_user_name" };
+    event_data_t evt_data = { .report_event = true, .w_evt = &w_event };
+    directory_t configuration = { .options = -1, .tag = "tag_name" };
+    create_json_event_ctx callback_ctx = { .event = &evt_data, .config = &configuration };
+
+    cJSON* json_event = cJSON_CreateObject();
+    cJSON* data = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(data, "path", "/path/to/file");
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    expect_fim_file_diff("/path/to/file", strdup("diff"));
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    fim_event_callback(json_event, &callback_ctx);
+#ifndef TEST_WINAGENT
+    char* test_event = "{\"data\":{\"path\":\"/path/to/file\",\"audit\":{\"user_name\":\"audit_user_name\",\"process_id\":0,\"ppid\":0},\"tags\":\"tag_name\"}}";
+#else
+    char* test_event = "{\"data\":{\"path\":\"/path/to/file\",\"audit\":{\"user_name\":\"audit_user_name\",\"process_id\":0},\"tags\":\"tag_name\"}}";
+#endif
+    char* string_event = cJSON_PrintUnformatted(json_event);
+    assert_string_equal(string_event, test_event);
+
+    os_free(string_event);
+    cJSON_Delete(json_event);
+}
+
+static void test_fim_event_callback_empty_changed_attributes(void **state) {
+    whodata_evt w_event = {.user_name = "audit_user_name" };
+    event_data_t evt_data = { .report_event = true, .w_evt = &w_event };
+    directory_t configuration = { .options = -1, .tag = "tag_name" };
+    create_json_event_ctx callback_ctx = { .event = &evt_data, .config = &configuration };
+
+    cJSON* json_event = cJSON_CreateObject();
+    cJSON* data = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(data, "path", "/path/to/file");
+    cJSON_AddArrayToObject(data, "changed_attributes");
+    cJSON_AddItemToObject(json_event, "data", data);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6954): Entry '/path/to/file' does not have any modified fields. No event will be generated.");
+
+    fim_event_callback(json_event, &callback_ctx);
+
+    char* test_event = "{\"data\":{\"path\":\"/path/to/file\",\"changed_attributes\":[]}}";
+    char* string_event = cJSON_PrintUnformatted(json_event);
+    assert_string_equal(string_event, test_event);
+
+    os_free(string_event);
+    cJSON_Delete(json_event);
+}
+
+void test_fim_calculate_dbsync_difference_no_attributes(void **state){
+
+    cJSON* output = fim_calculate_dbsync_difference(NULL,
+                                        NULL,
+                                        NULL,
+                                        NULL);
+    assert_null(output);
+}
+
+/* fim_calculate_dbsync_difference */
+void test_fim_calculate_dbsync_difference(void **state){
+
+    #ifndef TEST_WINAGENT
+        char* changed_data = "{\"size\":0, \"perm\":\"rw-rw-r--\", \"attributes\":\"NULL\", \"uid\":\"1000\", \"gid\":\"1000\", \
+        \"user_name\":\"root\", \"group_name\":\"root\", \"mtime\":123456789, \"inode\":1, \"hash_md5\":\"0123456789abcdef0123456789abcdef\", \
+        \"hash_sha1\":\"0123456789abcdef0123456789abcdef01234567\", \"hash_sha256\":\"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\", \
+        \"checksum\":\"0123456789abcdef0123456789abcdef01234567\" }";
+    #else
+        DEFAULT_FILE_DATA.options |= CHECK_ATTRS;
+        char* changed_data = "{\"size\":0, \"perm\":\"{\\\"S-1-5-32-544\\\":{\\\"name\\\":\\\"Administrators\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]},\\\"S-1-5-18\\\":{\\\"name\\\":\\\"SYSTEM\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]},\\\"S-1-5-32-545\\\":{\\\"name\\\":\\\"Users\\\",\\\"allowed\\\":[\\\"read_control\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"read_ea\\\",\\\"execute\\\",\\\"read_attributes\\\"]},\\\"S-1-5-11\\\":{\\\"name\\\":\\\"Authenticated Users\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]}}\", \"attributes\":\"NULL\", \"uid\":\"1000\", \"gid\":\"1000\", \
+        \"user_name\":\"root\", \"group_name\":\"root\", \"mtime\":123456789, \"inode\":1, \"hash_md5\":\"0123456789abcdef0123456789abcdef\", \
+        \"hash_sha1\":\"0123456789abcdef0123456789abcdef01234567\", \"hash_sha256\":\"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\", \
+        \"checksum\":\"0123456789abcdef0123456789abcdef01234567\" }";
+    #endif
+
+    cJSON* changed_data_json = cJSON_Parse(changed_data);
+    cJSON* old_attributes = cJSON_CreateObject();
+    cJSON* changed_attributes = cJSON_CreateArray();
+
+    fim_calculate_dbsync_difference(&DEFAULT_FILE_DATA,
+                                        changed_data_json,
+                                        old_attributes,
+                                        changed_attributes);
+
+    #ifdef TEST_WINAGENT
+        DEFAULT_FILE_DATA.options &= ~CHECK_ATTRS;
+    #endif
+
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "size")->valueint, 0);
+    #ifdef TEST_WINAGENT
+    assert_string_equal(cJSON_PrintUnformatted(cJSON_GetObjectItem(old_attributes, "perm")), "{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}}");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "attributes")->valuestring, "NULL");
+    #else
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "perm")->valuestring, "rw-rw-r--");
+    #endif
+
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "uid")->valuestring, "1000");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "gid")->valuestring, "1000");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "user_name")->valuestring, "root");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "group_name")->valuestring, "root");
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "mtime")->valueint, 123456789);
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "inode")->valueint, 1);
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_md5")->valuestring, "0123456789abcdef0123456789abcdef");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_sha1")->valuestring, "0123456789abcdef0123456789abcdef01234567");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_sha256")->valuestring, "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "checksum")->valuestring, "0123456789abcdef0123456789abcdef01234567");
+    cJSON_Delete(changed_data_json);
+    cJSON_Delete(old_attributes);
+    cJSON_Delete(changed_attributes);
+
+}
+
+void test_fim_calculate_dbsync_difference_no_changed_data(void **state){
+
+    cJSON* changed_data_json = NULL;
+    cJSON* old_attributes = cJSON_CreateObject();
+    cJSON* changed_attributes = cJSON_CreateArray();
+
+#ifdef TEST_WINAGENT
+    DEFAULT_FILE_DATA.attributes = "NULL";
+    DEFAULT_FILE_DATA.options |= CHECK_ATTRS;
+#endif
+
+    fim_calculate_dbsync_difference(&DEFAULT_FILE_DATA,
+                                        changed_data_json,
+                                        old_attributes,
+                                        changed_attributes);
+#ifdef TEST_WINAGENT
+    DEFAULT_FILE_DATA.options &= ~CHECK_ATTRS;
+#endif
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "size")->valueint, 0);
+#ifndef TEST_WINAGENT
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "perm")->valuestring, "rw-rw-r--");
+#else
+    assert_string_equal(cJSON_PrintUnformatted(cJSON_GetObjectItem(old_attributes, "perm")), "{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}}");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "attributes")->valuestring, "NULL");
+#endif
+
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "uid")->valuestring, "1000");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "gid")->valuestring, "1000");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "user_name")->valuestring, "root");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "group_name")->valuestring, "root");
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "mtime")->valueint, 123456789);
+    assert_int_equal(cJSON_GetObjectItem(old_attributes, "inode")->valueint, 1);
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_md5")->valuestring, "0123456789abcdef0123456789abcdef");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_sha1")->valuestring, "0123456789abcdef0123456789abcdef01234567");
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "hash_sha256")->valuestring, "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef");
+#ifdef TEST_WINAGENT
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "checksum")->valuestring, "6ec831114b5d930f19a90d7c34996e0fce4e7b84");
+#else
+    assert_string_equal(cJSON_GetObjectItem(old_attributes, "checksum")->valuestring, "98e039efc1b8490965e7e1247a9dc31cf7379051");
+#endif
+    cJSON_Delete(old_attributes);
+    cJSON_Delete(changed_attributes);
+}
+
+void test_process_delete_event(void **state){
+    fim_data_t* entry = (fim_data_t*) *state;
+    directory_t config;
+    config.tag = "tag";
+    event_data_t evt;
+    evt.w_evt = NULL;
+    evt.mode = FIM_SCHEDULED;
+    evt.type = FIM_ADD;
+    evt.report_event = 1;
+    get_data_ctx ctx_data;
+    ctx_data.config = &config;
+    ctx_data.event = &evt;
+    entry->fentry->file_entry.path = "path";
+    expect_string(__wrap_fim_db_remove_path, path, entry->fentry->file_entry.path);
+    will_return(__wrap_fim_db_remove_path, 0);
+
+    expect_function_call(__wrap_send_syscheck_msg);
+
+    process_delete_event(entry->fentry, &ctx_data);
+    entry->fentry->file_entry.path = NULL;
+}
+
+void test_create_windows_who_data_events(void **state){
+    fim_data_t* fim_data = (fim_data_t*) *state;
+    char *path = fim_data->w_evt->path;
+
+    #ifndef TEST_WINAGENT
+        expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+        expect_function_call_any(__wrap_pthread_rwlock_unlock);
+        expect_function_call_any(__wrap_pthread_mutex_lock);
+        expect_function_call_any(__wrap_pthread_mutex_unlock);
+        expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    #else
+        expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+        expect_function_call_any(__wrap_pthread_rwlock_unlock);
+        expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+        expect_function_call_any(__wrap_pthread_mutex_lock);
+        expect_function_call_any(__wrap_pthread_mutex_unlock);
+    #endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'./test/test.file'");
+    create_windows_who_data_events(path, fim_data->w_evt);
+}
+
+void test_fim_db_remove_entry(void **state){
+    fim_data_t* fim_data = (fim_data_t*) *state;
+    char *path = fim_data->w_evt->path;
+    directory_t config;
+    config.options = CHECK_SEECHANGES;
+    get_data_ctx get_data;
+    get_data.config = &config;
+
+    expect_string(__wrap_fim_db_get_path, file_path, path);
+    will_return(__wrap_fim_db_get_path, FIMDB_OK);
+    expect_string(__wrap_fim_diff_process_delete_file, filename, path);
+    will_return(__wrap_fim_diff_process_delete_file, 0);
+    fim_db_remove_entry(path, &get_data);
+}
+
+void test_fim_db_process_missing_entry(void **state){
+    fim_data_t* fim_data = (fim_data_t*) *state;
+    fim_data->fentry->file_entry.path = "mock_path";
+    directory_t config;
+    get_data_ctx get_data;
+    get_data.config = &config;
+
+    #ifndef TEST_WINAGENT
+        expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+        expect_function_call_any(__wrap_pthread_rwlock_unlock);
+        expect_function_call_any(__wrap_pthread_mutex_lock);
+        expect_function_call_any(__wrap_pthread_mutex_unlock);
+        expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    #else
+        expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+        expect_function_call_any(__wrap_pthread_rwlock_unlock);
+        expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+        expect_function_call_any(__wrap_pthread_mutex_lock);
+        expect_function_call_any(__wrap_pthread_mutex_unlock);
+    #endif
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'mock_path'");
+
+    fim_db_process_missing_entry(fim_data->fentry, &get_data);
+    fim_data->fentry->file_entry.path = NULL;
+}
+
+static void test_dbsync_attributes_json(void **state) {
+    directory_t configuration = { .options = -1, .tag = "tag_name" };
+    json_struct_t *data = *state;
+#ifndef TEST_WINAGENT
+    const char *result_str = "{\"type\":\"file\",\"size\":11,\"perm\":\"rw-r--r--\",\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"root\",\"group_name\":\"root\",\"inode\":271017,\"mtime\":1646124392,\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"checksum\":\"c0edc82c463da5f4ab8dd420a778a9688a923a72\"}";
+    cJSON *dbsync_event = cJSON_Parse("{\"attributes\":\"\",\"checksum\":\"c0edc82c463da5f4ab8dd420a778a9688a923a72\",\"dev\":64768,\"gid\":\"0\",\"group_name\":\"root\",\"hash_md5\":\"d73b04b0e696b0945283defa3eee4538\",\"hash_sha1\":\"e7509a8c032f3bc2a8df1df476f8ef03436185fa\",\"hash_sha256\":\"8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d\",\"inode\":271017,\"last_event\":1646124394,\"mode\":0,\"mtime\":1646124392,\"options\":131583,\"path\":\"/etc/testfile\",\"perm\":\"rw-r--r--\",\"scanned\":1,\"size\":11,\"uid\":\"0\",\"user_name\":\"root\"}");
+#else
+    cJSON *dbsync_event = cJSON_Parse("{\"size\":0, \"perm\":\"{\\\"S-1-5-32-544\\\":{\\\"name\\\":\\\"Administrators\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]},\\\"S-1-5-18\\\":{\\\"name\\\":\\\"SYSTEM\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"write_dac\\\",\\\"write_owner\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]},\\\"S-1-5-32-545\\\":{\\\"name\\\":\\\"Users\\\",\\\"allowed\\\":[\\\"read_control\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"read_ea\\\",\\\"execute\\\",\\\"read_attributes\\\"]},\\\"S-1-5-11\\\":{\\\"name\\\":\\\"Authenticated Users\\\",\\\"allowed\\\":[\\\"delete\\\",\\\"read_control\\\",\\\"synchronize\\\",\\\"read_data\\\",\\\"write_data\\\",\\\"append_data\\\",\\\"read_ea\\\",\\\"write_ea\\\",\\\"execute\\\",\\\"read_attributes\\\",\\\"write_attributes\\\"]}}\", \"attributes\":\"ARCHIVE\", \"uid\":\"0\", \"gid\":\"0\", \
+        \"user_name\":\"Administrators\", \"group_name\":\"\", \"mtime\":1646145212, \"inode\":0, \"hash_md5\":\"d41d8cd98f00b204e9800998ecf8427e\", \
+        \"hash_sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\", \"hash_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\", \
+        \"checksum\":\"ac962fef86e12e656b882fc88170fff24bf10a77\" }");
+
+    char *result_str = "{\"type\":\"file\",\"size\":0,\"perm\":{\"S-1-5-32-544\":{\"name\":\"Administrators\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]},\"S-1-5-32-545\":{\"name\":\"Users\",\"allowed\":[\"read_control\",\"synchronize\",\"read_data\",\"read_ea\",\"execute\",\"read_attributes\"]},\"S-1-5-11\":{\"name\":\"Authenticated Users\",\"allowed\":[\"delete\",\"read_control\",\"synchronize\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\",\"read_attributes\",\"write_attributes\"]}},\"uid\":\"0\",\"gid\":\"0\",\"user_name\":\"Administrators\",\"inode\":0,\"mtime\":1646145212,\"hash_md5\":\"d41d8cd98f00b204e9800998ecf8427e\",\"hash_sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\",\"hash_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"attributes\":\"ARCHIVE\",\"checksum\":\"ac962fef86e12e656b882fc88170fff24bf10a77\"}";
+#endif
+    cJSON *attributes = cJSON_CreateObject();
+
+    data->json1 = dbsync_event;
+    data->json2 = attributes;
+
+    dbsync_attributes_json(dbsync_event, &configuration, attributes);
+    char * json_attributes_str = cJSON_PrintUnformatted(attributes);
+
+    assert_string_equal(json_attributes_str, result_str);
+    free(json_attributes_str);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        /* fim_json_event */
+        cmocka_unit_test_teardown(test_fim_json_event, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_json_event_whodata, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_json_event_no_changes, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_json_event_hardlink_one_path, teardown_delete_json),
+
+        /* fim_attributes_json */
+        cmocka_unit_test_teardown(test_fim_attributes_json, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_attributes_json_without_options, teardown_delete_json),
+
+        /* fim_json_compare_attrs */
+        cmocka_unit_test_teardown(test_fim_json_compare_attrs, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_json_compare_attrs_without_options, teardown_delete_json),
+
+        /* fim_audit_json */
+        cmocka_unit_test_teardown(test_fim_audit_json, teardown_delete_json),
+
+        /* fim_check_ignore */
+        cmocka_unit_test(test_fim_check_ignore_strncasecmp),
+        cmocka_unit_test(test_fim_check_ignore_regex),
+        cmocka_unit_test(test_fim_check_ignore_failure),
+
+        /* fim_check_restrict */
+        cmocka_unit_test(test_fim_check_restrict_success),
+        cmocka_unit_test(test_fim_check_restrict_failure),
+        cmocka_unit_test(test_fim_check_restrict_null_filename),
+        cmocka_unit_test(test_fim_check_restrict_null_restriction),
+
+        /* fim_scan_info */
+        cmocka_unit_test_teardown(test_fim_scan_info_json_start, teardown_delete_json),
+        cmocka_unit_test_teardown(test_fim_scan_info_json_end, teardown_delete_json),
+
+        /* fim_get_checksum */
+        cmocka_unit_test(test_fim_get_checksum),
+        cmocka_unit_test_teardown(test_fim_get_checksum_wrong_size, teardown_local_data),
+
+        /* fim_check_depth */
+        cmocka_unit_test(test_fim_check_depth_success),
+        cmocka_unit_test(test_fim_check_depth_failure_strlen),
+        cmocka_unit_test(test_fim_check_depth_failure_null_directory),
+
+        /* fim_configuration_directory */
+        cmocka_unit_test(test_fim_configuration_directory_no_path),
+        cmocka_unit_test(test_fim_configuration_directory_file),
+        cmocka_unit_test(test_fim_configuration_directory_not_found),
+
+        /* init_fim_data_entry */
+        cmocka_unit_test(test_init_fim_data_entry),
+
+        /* fim_file */
+        cmocka_unit_test(test_fim_file_add),
+        cmocka_unit_test_setup_teardown(test_fim_file_modify, setup_fim_entry, teardown_fim_entry),
+        cmocka_unit_test_setup_teardown(test_fim_file_modify_transaction, setup_fim_entry, teardown_fim_entry),
+
+        cmocka_unit_test(test_fim_file_no_attributes),
+        cmocka_unit_test_setup_teardown(test_fim_file_error_on_insert, setup_fim_entry, teardown_fim_entry),
+
+        /* fim_scan */
+        cmocka_unit_test_setup_teardown(test_fim_scan_db_full_double_scan, setup_fim_double_scan,
+                                        teardown_fim_double_scan),
+        cmocka_unit_test_setup_teardown(test_fim_scan_db_full_not_double_scan, setup_fim_not_double_scan,
+                                        teardown_fim_not_double_scan),
+        cmocka_unit_test_setup_teardown(test_fim_scan_no_limit, setup_file_limit, teardown_file_limit),
+
+        /* fim_check_db_state */
+        cmocka_unit_test(test_fim_check_db_state_normal_to_empty),
+        cmocka_unit_test(test_fim_check_db_state_empty_to_empty),
+        cmocka_unit_test(test_fim_check_db_state_empty_to_full),
+        cmocka_unit_test(test_fim_check_db_state_full_to_empty),
+        cmocka_unit_test(test_fim_check_db_state_empty_to_90_percentage),
+        cmocka_unit_test(test_fim_check_db_state_90_percentage_to_empty),
+        cmocka_unit_test(test_fim_check_db_state_empty_to_80_percentage),
+        cmocka_unit_test(test_fim_check_db_state_80_percentage_to_empty),
+        cmocka_unit_test(test_fim_check_db_state_empty_to_normal),
+        cmocka_unit_test(test_fim_check_db_state_normal_to_normal),
+        cmocka_unit_test(test_fim_check_db_state_normal_to_full),
+        cmocka_unit_test(test_fim_check_db_state_full_to_normal),
+        cmocka_unit_test(test_fim_check_db_state_normal_to_90_percentage),
+        cmocka_unit_test(test_fim_check_db_state_90_percentage_to_normal),
+        cmocka_unit_test(test_fim_check_db_state_normal_to_80_percentage),
+        cmocka_unit_test(test_fim_check_db_state_80_percentage_to_80_percentage),
+        cmocka_unit_test(test_fim_check_db_state_80_percentage_to_full),
+        cmocka_unit_test(test_fim_check_db_state_full_to_80_percentage),
+        cmocka_unit_test(test_fim_check_db_state_80_percentage_to_90_percentage),
+        cmocka_unit_test(test_fim_check_db_state_90_percentage_to_90_percentage),
+        cmocka_unit_test(test_fim_check_db_state_90_percentage_to_full),
+        cmocka_unit_test(test_fim_check_db_state_full_to_full),
+        cmocka_unit_test(test_fim_check_db_state_full_to_90_percentage),
+        cmocka_unit_test(test_fim_check_db_state_90_percentage_to_80_percentage),
+        cmocka_unit_test(test_fim_check_db_state_80_percentage_to_normal),
+        cmocka_unit_test(test_fim_check_db_state_nodes_count_database_error),
+#ifndef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_fim_scan_realtime_enabled, setup_fim_scan_realtime,
+                                        teardown_fim_scan_realtime),
+#endif
+        /* fim_checker */
+        cmocka_unit_test(test_fim_checker_scheduled_configuration_directory_error),
+        cmocka_unit_test(test_fim_checker_not_scheduled_configuration_directory_error),
+        cmocka_unit_test(test_fim_checker_over_max_recursion_level),
+        cmocka_unit_test(test_fim_checker_deleted_file),
+        cmocka_unit_test_setup_teardown(test_fim_checker_deleted_file_enoent, setup_fim_entry, teardown_fim_entry),
+#ifndef TEST_WINAGENT
+        cmocka_unit_test(test_fim_checker_no_file_system),
+#endif
+        cmocka_unit_test(test_fim_checker_fim_regular),
+        cmocka_unit_test(test_fim_checker_fim_regular_warning),
+        cmocka_unit_test(test_fim_checker_fim_regular_ignore),
+        cmocka_unit_test(test_fim_checker_fim_regular_restrict),
+        cmocka_unit_test_setup_teardown(test_fim_checker_fim_directory, setup_struct_dirent, teardown_struct_dirent),
+#ifndef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_fim_checker_fim_directory_on_max_recursion_level, setup_struct_dirent, teardown_struct_dirent),
+#endif
+        cmocka_unit_test(test_fim_checker_unsupported_path),
+
+        /* fim_directory */
+        cmocka_unit_test_setup_teardown(test_fim_directory, setup_struct_dirent, teardown_struct_dirent),
+        cmocka_unit_test_setup_teardown(test_fim_directory_ignore, setup_struct_dirent, teardown_struct_dirent),
+        cmocka_unit_test(test_fim_directory_nodir),
+        cmocka_unit_test(test_fim_directory_opendir_error),
+
+        /* fim_get_data */
+        cmocka_unit_test_teardown(test_fim_get_data, teardown_local_data),
+        cmocka_unit_test_teardown(test_fim_get_data_no_hashes, teardown_local_data),
+        cmocka_unit_test(test_fim_get_data_hash_error),
+#ifdef TEST_WINAGENT
+        cmocka_unit_test(test_fim_get_data_fail_to_get_file_premissions),
+#endif
+
+        /* fim_realtime_event */
+        cmocka_unit_test(test_fim_realtime_event_file_exists),
+        cmocka_unit_test(test_fim_realtime_event_file_missing),
+
+        /* fim_whodata_event */
+        cmocka_unit_test(test_fim_whodata_event_file_exists),
+        cmocka_unit_test(test_fim_whodata_event_file_missing),
+
+        /* fim_process_missing_entry */
+        cmocka_unit_test(test_fim_process_missing_entry_null_configuration),
+        cmocka_unit_test_setup_teardown(test_fim_process_missing_entry_data_exists, setup_fim_data, teardown_fim_data),
+        cmocka_unit_test_setup_teardown(test_fim_process_missing_entry_whodata_disabled, setup_fim_data, teardown_fim_data),
+        cmocka_unit_test_setup_teardown(test_fim_process_missing_entry, setup_fim_entry, teardown_fim_entry),
+
+        /* fim_process_wildcard_removed */
+        cmocka_unit_test(test_fim_process_wildcard_removed_no_data),
+        cmocka_unit_test(test_fim_process_wildcard_removed_failure),
+        cmocka_unit_test_setup_teardown(test_fim_process_wildcard_removed_data_exists, setup_fim_entry, teardown_fim_entry),
+
+        /* fim_diff_folder_size */
+        cmocka_unit_test(test_fim_diff_folder_size),
+
+        /* transaction_callback */
+        cmocka_unit_test_setup_teardown(test_transaction_callback_add, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_modify, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_modify_empty_changed_attributes, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_modify_report_changes, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_delete, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_delete_report_changes, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown (test_transaction_callback_delete_full_db, setup_transaction_callback, teardown_transaction_callback),
+        cmocka_unit_test_setup_teardown(test_transaction_callback_full_db, setup_transaction_callback, teardown_transaction_callback),
+
+        /* fim_event_callback */
+        cmocka_unit_test(test_fim_event_callback),
+        cmocka_unit_test(test_fim_event_callback_empty_changed_attributes),
+
+        cmocka_unit_test(test_fim_calculate_dbsync_difference_no_attributes),
+        cmocka_unit_test(test_fim_calculate_dbsync_difference),
+        cmocka_unit_test(test_fim_calculate_dbsync_difference_no_changed_data),
+        cmocka_unit_test_setup_teardown(test_create_windows_who_data_events, setup_fim_data, teardown_fim_data),
+        cmocka_unit_test_setup_teardown(test_process_delete_event, setup_fim_entry, teardown_fim_entry),
+        cmocka_unit_test_setup_teardown(test_fim_db_remove_entry, setup_fim_entry, teardown_fim_entry),
+        cmocka_unit_test_setup_teardown(test_fim_db_process_missing_entry, setup_fim_entry, teardown_fim_entry),
+
+        /* dbsync_attributes_json */
+        cmocka_unit_test_setup_teardown(test_dbsync_attributes_json, setup_json_event_attributes, teardown_json_event_attributes),
+    };
+
+    const struct CMUnitTest root_monitor_tests[] = {
+        cmocka_unit_test(test_fim_checker_root_ignore_file_under_recursion_level),
+        cmocka_unit_test(test_fim_checker_root_file_within_recursion_level),
+    };
+    const struct CMUnitTest wildcards_tests[] = {
+        /* update_wildcards_config */
+        cmocka_unit_test(test_update_wildcards_config),
+        cmocka_unit_test(test_update_wildcards_config_remove_config),
+        cmocka_unit_test(test_update_wildcards_config_list_null),
+    };
+    int retval;
+
+    retval = cmocka_run_group_tests(tests, setup_group, teardown_group);
+    retval += cmocka_run_group_tests(root_monitor_tests, setup_root_group, teardown_group);
+    retval += cmocka_run_group_tests(wildcards_tests, setup_wildcards, teardown_wildcards);
+
+    return retval;
+
+}
diff --git a/src/modules/fim/tests/unit/tests/test_fim.h b/src/modules/fim/tests/unit/tests/test_fim.h
new file mode 100644
index 0000000000..f5c6cbd249
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_fim.h
@@ -0,0 +1,29 @@
+#ifndef __TEST_FIM_H
+#define __TEST_FIM_H
+
+#include "../syscheckd/include/syscheck.h"
+#include "../config/syscheck-config.h"
+
+#include "wrappers/posix/pthread_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/mq_op_wrappers.h"
+
+/**********************************************************************************************************************\
+ * Auxiliar expect functions
+\**********************************************************************************************************************/
+void expect_fim_send_msg(char mq, const char *location, const char *msg, int retval);
+void expect_send_syscheck_msg(const char *msg);
+
+void expect_fim_diff_delete_compress_folder(struct dirent *dir);
+
+cJSON *create_win_permissions_object();
+
+/**********************************************************************************************************************\
+ * Setups/Teardowns
+\**********************************************************************************************************************/
+int setup_os_list(void **state);
+int teardown_os_list(void **state);
+int setup_rb_tree(void **state);
+int teardown_rb_tree(void **state);
+
+#endif // __TEST_FIM_H
diff --git a/src/modules/fim/tests/unit/tests/test_fim_diff_changes.c b/src/modules/fim/tests/unit/tests/test_fim_diff_changes.c
new file mode 100644
index 0000000000..d19d0e18d2
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_fim_diff_changes.c
@@ -0,0 +1,2122 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include "../syscheckd/include/syscheck.h"
+#include "../config/syscheck-config.h"
+#include "../wrappers/wazuh/os_crypto/md5_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/libc/stdlib_wrappers.h"
+#include "../wrappers/posix/stat_wrappers.h"
+
+#ifdef TEST_WINAGENT
+#define CHECK_REGISTRY_ALL                                                                             \
+    CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MTIME | CHECK_MD5SUM | CHECK_SHA1SUM | \
+    CHECK_SHA256SUM | CHECK_SEECHANGES | CHECK_TYPE
+
+static registry_t default_reg_config[] = {
+    { "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE\\Software\\RecursionLevel0", ARCH_64BIT, CHECK_REGISTRY_ALL, 0, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { "HKEY_LOCAL_MACHINE_Invalid_key\\Software\\Ignore", ARCH_64BIT, CHECK_REGISTRY_ALL, 320, 0, NULL, NULL, NULL },
+    { NULL, 0, 0, 320, 0, NULL, NULL, NULL }
+};
+
+static registry_ignore default_reg_ignore[] = { { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_32BIT},
+                                            { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_64BIT},
+                                            { NULL, 0} };
+
+static registry_t default_reg_nodiff[] = { { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_32BIT},
+                                            { "HKEY_LOCAL_MACHINE\\Software\\Ignore", ARCH_64BIT},
+                                            { NULL, 0} };
+
+static char *default_reg_ignore_regex_patterns[] = { "IgnoreRegex", "batfile", NULL };
+
+static registry_ignore_regex default_reg_ignore_regex[] = { { NULL, ARCH_32BIT }, { NULL, ARCH_64BIT }, { NULL, 0 } };
+
+#define KEY_NAME_HASHED "b9b175e8810d3475f15976dd3b5f9210f3af6604"
+#define VALUE_NAME_HASHED "3f17670fd80d6563a3d4283adfe14140907b75b0"
+#define FILE_NAME_HASHED "750621a746c8d786022a931ab9a99b918f7208f4"
+
+static const char GENERIC_PATH [OS_SIZE_256] =        "c:\\file\\path";
+static const char COMPRESS_FOLDER_REG [OS_SIZE_256] = "queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED;
+static const char COMPRESS_FOLDER [OS_SIZE_256] =     "queue/diff/file/" FILE_NAME_HASHED "";
+static const char COMPRESS_FILE [OS_SIZE_256] =       "queue/diff/file/" FILE_NAME_HASHED "/last-entry.gz";
+static const char UNCOMPRESS_FILE [OS_SIZE_256] =     "queue/diff/tmp/tmp-entry";
+static const char COMPRESS_TMP_FILE [OS_SIZE_256] =   "queue/diff/tmp/tmp-entry.gz";
+
+#else
+
+#define FILE_NAME_HASHED "7cdbc5364a7aeb60f61d8fd2e6243056227bd6d3"
+
+static const char GENERIC_PATH [OS_SIZE_256] =        "/path/to/file";
+static const char COMPRESS_FOLDER [OS_SIZE_256] =     "queue/diff/file/" FILE_NAME_HASHED "";
+static const char COMPRESS_FILE [OS_SIZE_256] =       "queue/diff/file/" FILE_NAME_HASHED "/last-entry.gz";
+static const char UNCOMPRESS_FILE [OS_SIZE_256] =     "queue/diff/tmp/tmp-entry";
+static const char COMPRESS_TMP_FILE [OS_SIZE_256] =   "queue/diff/tmp/tmp-entry.gz";
+
+#endif
+
+static const char TMP_FOLDER [OS_SIZE_256] =          "queue/diff/tmp";
+
+static char *syscheck_nodiff[] = {"c:\\file\\nodiff", "/path/to/ignore", NULL};
+
+static char *syscheck_nodiff_regex_patterns[] = {"regex", NULL};
+static OSMatch *syscheck_nodiff_regex[] = { NULL, NULL };
+
+static const char *STR_MORE_CHANGES = "More changes...";
+
+#define DEFAULT_OPTIONS                                                                                    \
+    CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM | CHECK_PERM | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | \
+    CHECK_MTIME | CHECK_INODE
+
+typedef struct gen_diff_struct {
+    diff_data *diff;
+    char **strarray;
+} gen_diff_struct;
+
+
+#ifdef TEST_WINAGENT
+char *adapt_win_fc_output(char *command_output);
+diff_data *initialize_registry_diff_data(const char *key_name, const char *value_name, const registry_t *configuration);
+int fim_diff_registry_tmp(const char *value_data, DWORD data_type, const diff_data *diff);
+#endif
+
+diff_data *initialize_file_diff_data(const char *filename);
+char* filter(const char *string);
+void free_diff_data(diff_data *diff);
+int fim_diff_check_limits(diff_data *diff);
+int fim_diff_delete_compress_folder(const char *folder);
+int fim_diff_estimate_compression(float file_size);
+int fim_diff_create_compress_file(const diff_data *diff);
+void fim_diff_modify_compress_estimation(float compressed_size, float uncompressed_size);
+int fim_diff_compare(const diff_data *diff);
+void save_compress_file(const diff_data *diff);
+int is_file_nodiff(const char *filename);
+int is_registry_nodiff(const char *key_name, const char *value_name, int arch);
+char *gen_diff_str(const diff_data *diff);
+char *fim_diff_generate(const diff_data *diff);
+
+void expect_gen_diff_generate(gen_diff_struct *gen_diff_data_container) {
+    FILE *fp = (FILE*)2345;
+    size_t n = strlen(gen_diff_data_container->strarray[0]);
+
+    expect_wfopen(gen_diff_data_container->diff->diff_file, "rb", fp);
+
+    expect_fread(gen_diff_data_container->strarray[0], n);
+
+    expect_fclose(fp, 0);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_unlink, file, gen_diff_data_container->diff->diff_file);
+    will_return(__wrap_unlink, 0);
+#endif
+}
+
+void expect_initialize_file_diff_data(const char *path, int ret_abspath){
+    expect_abspath(path, ret_abspath);
+    if (!ret_abspath) {
+        expect_any(__wrap__merror, formatted_msg);
+    } else {
+#ifdef TEST_WINAGENT
+        expect_abspath("queue/diff", 1);
+#endif
+    }
+}
+
+void expect_fim_diff_registry_tmp(const char *folder, const char *file, FILE *fp, const char *value_data) {
+    expect_mkdir_ex(folder, 0);
+    expect_wfopen(file, "w", fp);
+    if (fp){
+        expect_fprintf(fp, value_data, 0);
+        expect_fclose(fp, 0);
+    } else {
+        expect_any(__wrap__merror, formatted_msg);
+    }
+
+}
+
+void expect_fim_diff_check_limits(const char *file_origin, const char *compress_folder, int ret) {
+    int file_size = 512 * 1024;
+    syscheck.file_size_enabled = 1;
+    syscheck.disk_quota_enabled = 0;
+    syscheck.disk_quota_limit = 1024;
+
+    if (ret) {
+        file_size = 2048 * 1024;
+        if (ret == 2) {
+            syscheck.file_size_enabled = 0;
+            syscheck.disk_quota_enabled = 1;
+        }
+    }
+
+    expect_FileSize(file_origin, file_size);
+
+    if (ret == 1){
+        expect_string(__wrap_IsDir, file, compress_folder);
+        will_return(__wrap_IsDir, -1);
+    }
+}
+
+void expect_fim_diff_create_compress_file(const char *file_origin, const char *compress_tmp_file, int ret) {
+    syscheck.disk_quota_enabled = 0;
+
+    expect_string(__wrap_w_compress_gzfile, filesrc, file_origin);
+    expect_string(__wrap_w_compress_gzfile, filedst, compress_tmp_file);
+    will_return(__wrap_w_compress_gzfile, ret);
+}
+
+void expect_save_compress_file(const char *compress_tmp_file, const char *compress_file, int rename_fail) {
+    syscheck.disk_quota_enabled = 0;
+
+    expect_rename_ex(compress_tmp_file, compress_file, rename_fail);
+}
+
+void expect_fim_diff_compare(const char *uncompress_file, const char *file_origin, os_md5 md5sum_old, os_md5 md5sum_new, int ret) {
+    expect_OS_MD5_File_call(uncompress_file, md5sum_old, OS_BINARY, ret);
+    if (!ret) {
+        expect_OS_MD5_File_call(file_origin, md5sum_new, OS_BINARY, ret);
+    }
+}
+
+void expect_fim_diff_generate(gen_diff_struct *gen_diff_data_container, int generate_fail) {
+    if (generate_fail) {
+        expect_system(-1);
+    } else {
+#ifndef TEST_WINAGENT
+        expect_system(256);
+#else
+        expect_system(1);
+#endif
+        expect_gen_diff_generate(gen_diff_data_container);
+    }
+}
+
+void expect_fim_diff_delete_compress_folder(const char *folder, int isDir_ret, int rmdir_ex_ret, int remove_empty_folder_ret) {
+    syscheck.diff_folder_size = -1;
+
+    expect_string(__wrap_IsDir, file, folder);
+    will_return(__wrap_IsDir, isDir_ret);
+
+    if (isDir_ret != -1) {
+        expect_string(__wrap_DirSize, path, folder);
+        will_return(__wrap_DirSize, 1024 * 1024);
+
+        expect_string(__wrap_rmdir_ex, name, folder);
+        will_return(__wrap_rmdir_ex, rmdir_ex_ret);
+
+        if (rmdir_ex_ret >= 0) {
+            expect_string(__wrap_remove_empty_folders, folder, folder);
+            expect_any(__wrap__mdebug2, formatted_msg);
+            will_return(__wrap_remove_empty_folders, remove_empty_folder_ret);
+        } else {
+            expect_any(__wrap__mdebug2, formatted_msg);
+        }
+    }
+}
+
+/* Setup/teardown */
+
+static int setup_group(void **state) {
+
+    // No diff
+    for (int i = 0; syscheck_nodiff_regex_patterns[i]; i++) {
+        syscheck_nodiff_regex[i] = calloc(1, sizeof(OSMatch));
+
+        if (syscheck_nodiff_regex[i] == NULL) {
+            return -1;
+        }
+
+        if (!OSMatch_Compile(syscheck_nodiff_regex_patterns[i], syscheck_nodiff_regex[i], 0)) {
+            return -1;
+        }
+    }
+    syscheck.nodiff = syscheck_nodiff;
+    syscheck.nodiff_regex = syscheck_nodiff_regex;
+
+#ifdef TEST_WINAGENT
+    syscheck.registry = default_reg_config;
+
+    // Ignore registries
+    for (int i = 0; default_reg_ignore_regex_patterns[i]; i++) {
+        default_reg_ignore_regex[i].regex = calloc(1, sizeof(OSMatch));
+
+        if (default_reg_ignore_regex[i].regex == NULL) {
+            return -1;
+        }
+
+        if (!OSMatch_Compile(default_reg_ignore_regex_patterns[i], default_reg_ignore_regex[i].regex, 0)) {
+            return -1;
+        }
+    }
+    syscheck.key_ignore = default_reg_ignore;
+    syscheck.key_ignore_regex = default_reg_ignore_regex;
+
+    // No diff registries
+    syscheck.registry_nodiff = default_reg_nodiff;
+    syscheck.registry_nodiff_regex = default_reg_ignore_regex;
+#endif
+
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+
+    return 0;
+}
+
+static int teardown_free_string(void **state) {
+    char * string = *state;
+    free(string);
+    return 0;
+}
+
+static int setup_diff_data(void **state) {
+    diff_data *diff = calloc(1, sizeof(diff_data));
+    if (!diff) {
+        return 1;
+    }
+
+    *state = diff;
+
+    return 0;
+}
+
+static int teardown_free_diff_data(void **state) {
+    diff_data *diff = *state;
+
+    free_diff_data(diff);
+
+    return 0;
+}
+
+static int teardown_disk_quota_exceeded(void **state) {
+    syscheck.disk_quota_full_msg = false;
+    return 0;
+}
+
+static int setup_array_strings(void **state) {
+    char **strarray = calloc(2, sizeof(char*));
+
+    if(strarray == NULL)
+        return -1;
+
+    *state = strarray;
+
+    return 0;
+}
+
+static int teardown_array_strings(void **state) {
+    char **strarray = *state;
+
+    free(strarray[0]);
+    free(strarray[1]);
+    free(strarray);
+
+    return 0;
+}
+
+static int setup_gen_diff_str(void **state) {
+    gen_diff_struct *gen_diff_data_container = calloc(1, sizeof(gen_diff_struct));
+
+    if(gen_diff_data_container == NULL)
+        return -1;
+
+    setup_array_strings((void **)&gen_diff_data_container->strarray);
+    setup_diff_data((void **)&gen_diff_data_container->diff);
+
+#ifdef TEST_WINAGENT
+    gen_diff_data_container->strarray[0] = strdup(
+        "Comparing files start.txt and end.txt\r\n"
+        "***** start.txt\r\n"
+        "    1:  First line\r\n"
+        "***** END.TXT\r\n"
+        "    1:  First Line 123\r\n"
+        "    2:  Last line\r\n"
+        "*****\r\n\r\n\r\n");
+#else
+    gen_diff_data_container->strarray[0] = strdup(
+        "< First line\n"
+        "---\n"
+        "> First Line 123\n"
+        "> Last line\n");
+#endif
+    if(gen_diff_data_container->strarray[0] == NULL) fail();
+
+    char *output = strdup(
+        "< First line\n"
+        "---\n"
+        "> First Line 123\n"
+        "> Last line\n");
+
+    if(output == NULL) fail();
+    gen_diff_data_container->strarray[1] = output;
+
+    *state = gen_diff_data_container;
+
+    return 0;
+}
+
+static int teardown_free_gen_diff_str(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+
+    teardown_array_strings((void **)&gen_diff_data_container->strarray);
+
+    teardown_free_diff_data((void **)&gen_diff_data_container->diff);
+    os_free(gen_diff_data_container);
+
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+static int setup_full_diff_functionality(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+
+    setup_gen_diff_str(state);
+
+    syscheck.registry_nodiff = NULL;
+    syscheck.registry_nodiff_regex = NULL;
+
+    return 0;
+}
+
+static int teardown_full_diff_functionality(void **state) {
+    teardown_free_gen_diff_str(state);
+
+    syscheck.registry_nodiff = default_reg_nodiff;
+    syscheck.registry_nodiff_regex = default_reg_ignore_regex;
+
+    return 0;
+}
+#endif
+
+/**********************************************************************************************************************\
+ * Tests
+\**********************************************************************************************************************/
+
+void test_filter(void **state) {
+    (void) state;
+
+#ifdef TEST_WINAGENT
+    const char * file_name = "a/unix/style/path/";
+#else
+    const char * file_name = "$file/$test";
+#endif
+
+    char * out = filter(file_name);
+    *state = out;
+    assert_non_null(out);
+
+#ifdef TEST_WINAGENT
+    assert_string_equal(out, "a\\unix\\style\\path\\");
+#else
+    assert_string_equal(out, "\\$file/\\$test");
+#endif
+}
+
+// Windows test
+
+#ifdef TEST_WINAGENT
+void test_filter_unchanged_string(void **state) {
+    char *input = "This string wont change";
+    char *output;
+
+    output = filter(input);
+
+    *state = output;
+
+    assert_string_equal(output, input);
+}
+
+void test_filter_percentage_char(void **state) {
+    char *input = "This % is not valid";
+    char *output;
+
+    output = filter(input);
+
+    assert_null(output);
+}
+
+void test_adapt_win_fc_output_success(void **state) {
+    char **strarray = *state;
+    char *output;
+    char *input = strdup(
+        "Comparing files start.txt and end.txt\r\n"
+        "***** start.txt\r\n"
+        "    1:  First line\r\n"
+        "***** END.TXT\r\n"
+        "    1:  First Line 123\r\n"
+        "    2:  Last line\r\n"
+        "*****\r\n\r\n\r\n");
+
+    if(input == NULL) fail();
+
+    strarray[0] = input;
+
+    output = adapt_win_fc_output(input);
+
+    assert_non_null(output);
+
+    strarray[1] = output;
+
+    assert_string_equal(output, "< First line\n---\n> First Line 123\n> Last line\n");
+}
+
+void test_adapt_win_fc_output_invalid_input(void **state) {
+    char **strarray = *state;
+    char *output;
+    char *input = strdup("This is invalid");
+
+    if(input == NULL) fail();
+
+    strarray[0] = input;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6667): Unable to find second line of alert string.: This is invalid");
+
+    output = adapt_win_fc_output(input);
+
+    assert_non_null(output);
+
+    strarray[1] = output;
+
+    assert_string_equal(output, input);
+}
+
+void test_adapt_win_fc_output_no_differences(void **state) {
+    char **strarray = *state;
+    char *output;
+    char *input = strdup(
+        "Comparing files start.txt and end.txt\r\n"
+        "FC: no differences encountered\r\n\r\n\r\n");
+
+    if(input == NULL) fail();
+
+    strarray[0] = input;
+
+    output = adapt_win_fc_output(input);
+
+    assert_non_null(output);
+
+    strarray[1] = output;
+
+    assert_string_equal(output, "");
+}
+
+void test_initialize_registry_diff_data(void **state) {
+    diff_data *diff = *state;
+    registry_t *configuration = &syscheck.registry[0];
+
+    diff = initialize_registry_diff_data("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile", "valuename", configuration);
+
+    assert_non_null(diff);
+    assert_string_equal(diff->compress_folder, COMPRESS_FOLDER_REG);
+    assert_string_equal(diff->compress_file, "queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz");
+    assert_string_equal(diff->tmp_folder, "queue/diff/tmp");
+    assert_string_equal(diff->file_origin, "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED);
+    assert_string_equal(diff->uncompress_file, "queue/diff/tmp/tmp-entry");
+    assert_string_equal(diff->compress_tmp_file, "queue/diff/tmp/tmp-entry.gz");
+    assert_string_equal(diff->diff_file, "queue/diff/tmp/diff-file");
+}
+
+void test_initialize_file_diff_data(void **state) {
+    diff_data *diff = *state;
+
+    expect_abspath("C:\\path\\to\\file", 1);
+    expect_abspath("queue/diff", 1);
+
+    diff = initialize_file_diff_data("C:\\path\\to\\file");
+
+    assert_non_null(diff);
+    assert_string_equal(diff->compress_folder, "queue/diff/file/95632dd0fe0cc86cd21b6b7cf6d9db8d0cc1fe6c");
+    assert_string_equal(diff->compress_file, "queue/diff/file/95632dd0fe0cc86cd21b6b7cf6d9db8d0cc1fe6c/last-entry.gz");
+    assert_string_equal(diff->tmp_folder, "queue/diff/tmp");
+    assert_string_equal(diff->file_origin, "C:\\path\\to\\file");
+    assert_string_equal(diff->uncompress_file, "queue/diff/tmp/tmp-entry");
+    assert_string_equal(diff->compress_tmp_file, "queue/diff/tmp/tmp-entry.gz");
+    assert_string_equal(diff->diff_file, "queue/diff/tmp/diff-file");
+}
+
+#else // END TEST_WINAGENT
+
+void test_initialize_file_diff_data(void **state) {
+    diff_data *diff;
+
+    expect_abspath(GENERIC_PATH, 1);
+
+    diff = initialize_file_diff_data(GENERIC_PATH);
+    *state = diff;
+
+    assert_non_null(diff);
+    assert_string_equal(diff->compress_folder, COMPRESS_FOLDER);
+    assert_string_equal(diff->compress_file, COMPRESS_FILE);
+    assert_string_equal(diff->tmp_folder, TMP_FOLDER);
+    assert_string_equal(diff->file_origin, GENERIC_PATH);
+    assert_string_equal(diff->uncompress_file, UNCOMPRESS_FILE);
+    assert_string_equal(diff->compress_tmp_file, COMPRESS_TMP_FILE);
+    assert_string_equal(diff->diff_file, "queue/diff/tmp/diff-file");
+}
+
+#endif // END TEST_AGENT and TEST_SERVER
+
+void test_initialize_file_diff_data_abspath_fail(void **state) {
+    diff_data *diff = *state;
+
+    expect_abspath(GENERIC_PATH, 0);
+    errno = 0;
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__merror, formatted_msg, "(6711): Cannot get absolute path of 'c:\\file\\path': Success (0)");
+#else
+    expect_string(__wrap__merror, formatted_msg, "(6711): Cannot get absolute path of '/path/to/file': Success (0)");
+#endif
+    diff = initialize_file_diff_data(GENERIC_PATH);
+
+    assert_null(diff);
+}
+
+void test_fim_diff_check_limits(void **state) {
+    diff_data *diff = *state;
+
+    diff->size_limit = 2048;
+    diff->file_origin = strdup(GENERIC_PATH);
+    syscheck.file_size_enabled = 1;
+
+    expect_FileSize(diff->file_origin, 1024 * 1024);
+
+    int ret = fim_diff_check_limits(diff);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_check_limits_size_limit_reached(void **state) {
+    diff_data *diff = *state;
+
+    diff->size_limit = 1024;
+    diff->file_origin = strdup(GENERIC_PATH);
+    diff->compress_folder = strdup(COMPRESS_FOLDER);
+    syscheck.file_size_enabled = 1;
+
+    expect_FileSize(diff->file_origin, 2048 * 1024);
+
+    expect_string(__wrap_IsDir, file, diff->compress_folder);
+    will_return(__wrap_IsDir, -1);
+
+    int ret = fim_diff_check_limits(diff);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_fim_diff_check_limits_estimate_compression(void **state) {
+    diff_data *diff = *state;
+
+    diff->size_limit = 2048;
+    diff->file_origin = strdup(GENERIC_PATH);
+    syscheck.file_size_enabled = 0;
+    syscheck.disk_quota_enabled = 1;
+
+    expect_FileSize(diff->file_origin, 1024 * 1024);
+
+    int ret = fim_diff_check_limits(diff);
+
+    assert_int_equal(ret, 2);
+}
+
+void test_fim_diff_delete_compress_folder(void **state) {
+    char *folder = strdup("/path/to/folder");
+
+    syscheck.diff_folder_size = -1;
+
+    expect_string(__wrap_IsDir, file, folder);
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, folder);
+    will_return(__wrap_DirSize, 1024 * 1024);
+
+    expect_string(__wrap_rmdir_ex, name, folder);
+    will_return(__wrap_rmdir_ex, 0);
+
+    expect_string(__wrap_remove_empty_folders, folder, folder);
+    will_return(__wrap_remove_empty_folders, 0);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    int ret = fim_diff_delete_compress_folder(folder);
+
+    os_free(folder);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_delete_compress_folder_no_dir(void **state) {
+    char *folder = strdup("/path/to/folder");
+
+    syscheck.diff_folder_size = -1;
+
+    expect_string(__wrap_IsDir, file, folder);
+    will_return(__wrap_IsDir, -1);
+
+    int ret = fim_diff_delete_compress_folder(folder);
+
+    os_free(folder);
+
+    assert_int_equal(ret, -2);
+}
+
+void test_fim_diff_delete_compress_folder_rmdir_ex_fail(void **state) {
+    char *folder = strdup("/path/to/folder");
+
+    syscheck.diff_folder_size = -1;
+
+    expect_string(__wrap_IsDir, file, folder);
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, folder);
+    will_return(__wrap_DirSize, 1024 * 1024);
+
+    expect_string(__wrap_rmdir_ex, name, folder);
+    will_return(__wrap_rmdir_ex, -1);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    int ret = fim_diff_delete_compress_folder(folder);
+
+    os_free(folder);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_delete_compress_folder_remove_folder_fail(void **state) {
+    char *folder = strdup("/path/to/folder");
+
+    syscheck.diff_folder_size = -1;
+
+    expect_string(__wrap_IsDir, file, folder);
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap_DirSize, path, folder);
+    will_return(__wrap_DirSize, 1024 * 1024);
+
+    expect_string(__wrap_rmdir_ex, name, folder);
+    will_return(__wrap_rmdir_ex, 0);
+
+    expect_string(__wrap_remove_empty_folders, folder, folder);
+    will_return(__wrap_remove_empty_folders, -1);
+
+    int ret = fim_diff_delete_compress_folder(folder);
+
+    os_free(folder);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_estimate_compression_file_not_fit(void **state) {
+    syscheck.diff_folder_size = 10240;
+    syscheck.disk_quota_limit = 10240;
+
+    int ret = fim_diff_estimate_compression(1024);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_estimate_compression_ok(void **state) {
+    syscheck.diff_folder_size = 5120;
+    syscheck.disk_quota_limit = 10240;
+
+    int ret = fim_diff_estimate_compression(1024);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_fim_diff_create_compress_file_fail_compress(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = strdup("/path/file/origin");
+    diff->compress_tmp_file = strdup("/path/compress/tmp/file");
+
+    expect_string(__wrap_w_compress_gzfile, filesrc, diff->file_origin);
+    expect_string(__wrap_w_compress_gzfile, filedst, diff->compress_tmp_file);
+    will_return(__wrap_w_compress_gzfile, -1);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6914): Cannot create a snapshot of file '/path/file/origin'");
+
+    int ret = fim_diff_create_compress_file(diff);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_create_compress_file_ok(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = strdup("/path/file/origin");
+    diff->compress_tmp_file = strdup("/path/compress/tmp/file");
+    syscheck.disk_quota_enabled = 1;
+    syscheck.diff_folder_size = 5120;
+    syscheck.disk_quota_limit = 10240;
+
+    expect_string(__wrap_w_compress_gzfile, filesrc, diff->file_origin);
+    expect_string(__wrap_w_compress_gzfile, filedst, diff->compress_tmp_file);
+    will_return(__wrap_w_compress_gzfile, 0);
+
+    expect_FileSize(diff->compress_tmp_file, 1024 * 1024);
+
+    int ret = fim_diff_create_compress_file(diff);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_create_compress_file_quota_reached(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = strdup("/path/file/origin");
+    diff->compress_tmp_file = strdup("/path/compress/tmp/file");
+    syscheck.disk_quota_enabled = 1;
+    syscheck.diff_folder_size = 10240;
+    syscheck.disk_quota_limit = 10240;
+    syscheck.disk_quota_full_msg = true;
+
+    expect_string(__wrap_w_compress_gzfile, filesrc, diff->file_origin);
+    expect_string(__wrap_w_compress_gzfile, filedst, diff->compress_tmp_file);
+    will_return(__wrap_w_compress_gzfile, 0);
+
+    expect_FileSize(diff->compress_tmp_file, 1024 * 1024);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6350): The calculate of the file size '/path/file/origin' exceeds the disk_quota. Operation discarded.");
+
+    int ret = fim_diff_create_compress_file(diff);
+
+    assert_int_equal(ret, -2);
+}
+
+void test_fim_diff_modify_compress_estimation_small_compresion_rate(void **state) {
+    syscheck.comp_estimation_perc = 0.9;
+
+    fim_diff_modify_compress_estimation(10240, 10240);
+
+    // Rate unmodified
+    assert_float_equal(syscheck.comp_estimation_perc, 0.9, 0.001);
+}
+
+void test_fim_diff_modify_compress_estimation_MIN_COMP_ESTIM(void **state) {
+    syscheck.comp_estimation_perc = 0.6;
+
+    fim_diff_modify_compress_estimation(9216, 10240);
+
+    // Rate set at minimun
+    assert_float_equal(syscheck.comp_estimation_perc, 0.4, 0.001);
+}
+
+void test_fim_diff_modify_compress_estimation_ok(void **state) {
+    syscheck.comp_estimation_perc = 0.9;
+
+    fim_diff_modify_compress_estimation(5120, 10240);
+
+    // Rate modified
+    assert_float_equal(syscheck.comp_estimation_perc, 0.7, 0.001);
+}
+
+void test_fim_diff_compare_fail_uncompress_MD5(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+
+    expect_OS_MD5_File_call(diff->uncompress_file, md5sum_old, OS_BINARY, -1);
+
+    int ret = fim_diff_compare(diff);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_compare_fail_origin_MD5(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    diff->file_origin = strdup("/path/to/original/file");
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "3c183a30cffcda1408daf1c61d47b274";
+
+    expect_OS_MD5_File_call(diff->uncompress_file, md5sum_old, OS_BINARY, 0);
+    expect_OS_MD5_File_call(diff->file_origin, md5sum_new, OS_BINARY, 0);
+
+    int ret = fim_diff_compare(diff);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_compare_fail_not_match(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    diff->file_origin = strdup("/path/to/original/file");
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+
+    expect_OS_MD5_File_call(diff->uncompress_file, md5sum_old, OS_BINARY, 0);
+    expect_OS_MD5_File_call(diff->file_origin, md5sum_new, OS_BINARY, 0);
+
+    int ret = fim_diff_compare(diff);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_compare_fail_match(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    diff->file_origin = strdup("/path/to/original/file");
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "3c183a30cffcda1408daf1c61d47b274";
+
+    expect_OS_MD5_File_call(diff->uncompress_file, md5sum_old, OS_BINARY, 0);
+    expect_OS_MD5_File_call(diff->file_origin, md5sum_new, OS_BINARY, 0);
+
+    int ret = fim_diff_compare(diff);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_save_compress_file_ok(void **state) {
+    diff_data *diff = *state;
+    diff->compress_tmp_file = strdup("/path/to/compress/tmp/file");
+    diff->compress_file = strdup("/path/to/compress/file");
+    syscheck.disk_quota_enabled = 1;
+    syscheck.diff_folder_size = 0;
+
+    expect_rename_ex(diff->compress_tmp_file, diff->compress_file, 0);
+
+    expect_FileSize(diff->compress_file, 1024 * 1024);
+
+    save_compress_file(diff);
+    assert_int_equal(syscheck.diff_folder_size, 1024);
+}
+
+void test_save_compress_file_rename_fail(void **state) {
+    diff_data *diff = *state;
+    diff->compress_tmp_file = strdup("/path/to/compress/tmp/file");
+    diff->compress_file = strdup("/path/to/compress/file");
+    syscheck.disk_quota_enabled = 1;
+    syscheck.diff_folder_size = 0;
+
+    expect_rename_ex(diff->compress_tmp_file, diff->compress_file, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1124): Could not rename file '/path/to/compress/tmp/file' to '/path/to/compress/file' due to [(0)-(Success)].");
+
+    save_compress_file(diff);
+    assert_int_equal(syscheck.diff_folder_size, 0);
+}
+
+void test_is_file_nodiff_normal_check(void **state) {
+#ifdef TEST_WINAGENT
+    int ret = is_file_nodiff("c:\\file\\nodiff");
+#else
+    int ret = is_file_nodiff("/path/to/ignore");
+#endif
+    assert_int_equal(ret, 1);
+}
+
+void test_is_file_nodiff_regex_check(void **state) {
+
+    int ret = is_file_nodiff("/file/nodiff/regex/");
+    assert_int_equal(ret, 1);
+}
+
+void test_is_file_nodiff_not_match(void **state) {
+
+    int ret = is_file_nodiff("/file/nodiff/no_config");
+    assert_int_equal(ret, 0);
+}
+
+#ifdef TEST_WINAGENT
+void test_is_registry_nodiff_normal_check(void **state) {
+
+    int ret = is_registry_nodiff("HKEY_LOCAL_MACHINE\\Software", "Ignore", 1);
+    assert_int_equal(ret, 1);
+}
+
+void test_is_registry_nodiff_regex_check(void **state) {
+
+    int ret = is_registry_nodiff("HKEY_LOCAL_MACHINE\\Software", "batfile", 1);
+    assert_int_equal(ret, 1);
+}
+
+void test_is_registry_nodiff_not_match(void **state) {
+
+    int ret = is_registry_nodiff("HKEY_LOCAL_MACHINE\\Software", "RecursionLevel0", 1);
+    assert_int_equal(ret, 0);
+}
+#endif
+
+// gen_diff_str function tests
+
+void test_gen_diff_str_wfropen_fail(void **state) {
+    diff_data *diff = *state;
+    diff->diff_file = strdup("/path/to/diff/file");
+
+    expect_wfopen(diff->diff_file, "rb", NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(6665): Unable to generate diff alert (fopen)'/path/to/diff/file'.");
+
+    char *diff_str = gen_diff_str(diff);
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_gen_diff_str_fread_fail(void **state) {
+    diff_data *diff = *state;
+    diff->diff_file = strdup("/path/to/diff/file");
+    FILE *fp = (FILE*)2345;
+    char *diff_contain = "diff_contain";
+
+    expect_wfopen(diff->diff_file, "rb", fp);
+
+    expect_fread(diff_contain, 0);
+
+    expect_fclose(fp, 0);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_unlink, file, "/path/to/diff/file");
+    will_return(__wrap_unlink, 0);
+#endif
+
+    expect_string(__wrap__merror, formatted_msg, "(6666): Unable to generate diff alert (fread).");
+
+    char *diff_str = gen_diff_str(diff);
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_gen_diff_str_ok(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+    gen_diff_data_container->diff->diff_file = strdup("/path/to/diff/file");
+
+    FILE *fp = (FILE*)2345;
+    size_t n = 145;
+
+    expect_wfopen(gen_diff_data_container->diff->diff_file, "rb", fp);
+
+    expect_fread(gen_diff_data_container->strarray[0], n);
+
+    expect_fclose(fp, 0);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap_unlink, file, "/path/to/diff/file");
+    will_return(__wrap_unlink, 0);
+#endif
+
+    char *diff_str = gen_diff_str(gen_diff_data_container->diff);
+    assert_string_equal(diff_str, gen_diff_data_container->strarray[1]);
+    free(diff_str);
+}
+
+#ifdef TEST_WINAGENT
+void test_fim_diff_generate_filters_fail(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("\%wrong path");
+    diff->file_origin = strdup("\%wrong path");
+    diff->diff_file = strdup("\%wrong path");
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6200): Diff execution skipped for containing insecure characters.");
+
+    char *diff_str = fim_diff_generate(diff);
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_diff_generate_status_equal(void **state) {
+    diff_data *diff = *state;
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    diff->file_origin = strdup("/path/to/file/origin");
+    diff->diff_file = strdup("/path/to/diff/file");
+
+    expect_system(0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6352): Command diff/fc output 0, files are the same");
+
+    char *diff_str = fim_diff_generate(diff);
+    assert_ptr_equal(diff_str, NULL);
+}
+#endif
+
+void test_fim_diff_generate_status_error(void **state) {
+    diff_data *diff = *state;
+
+    diff->uncompress_file = strdup("/path/to/uncompress/file");
+    diff->file_origin = strdup("/path/to/file/origin");
+    diff->diff_file = strdup("/path/to/diff/file");
+
+    expect_system(-1);
+
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__merror, formatted_msg, "(6714): Command fc output an error");
+#else
+    expect_string(__wrap__merror, formatted_msg, "(6714): Command diff output an error");
+#endif
+
+    char *diff_str = fim_diff_generate(diff);
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_diff_generate_status_ok(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+
+    gen_diff_data_container->diff->uncompress_file = strdup("/path/to/uncompress/file");
+    gen_diff_data_container->diff->file_origin = strdup("/path/to/file/origin");
+    gen_diff_data_container->diff->diff_file = strdup("/path/to/diff/file");
+
+#ifndef TEST_WINAGENT
+    expect_system(256);
+#else
+    expect_system(1);
+#endif
+
+    expect_gen_diff_generate(gen_diff_data_container);
+
+    char *diff_str = fim_diff_generate(gen_diff_data_container->diff);
+    assert_string_equal(diff_str, gen_diff_data_container->strarray[1]);
+    free(diff_str);
+}
+
+#ifdef TEST_WINAGENT
+void test_fim_diff_registry_tmp_fopen_fail(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = strdup("/path/to/file/origin");
+    diff->tmp_folder = strdup("/path/to/tmp/folder");
+    FILE *fp = NULL;
+    const char *value_data = "value_data";
+    DWORD data_type = 0;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_string(__wrap__merror, formatted_msg, "(1103): Could not open file '/path/to/file/origin' due to [(2)-(No such file or directory)].");
+
+    int ret = fim_diff_registry_tmp(value_data, data_type, diff);
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_diff_registry_tmp_REG_SZ(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_fprintf(fp, value_data, 0);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp(value_data, data_type, diff);
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_registry_tmp_REG_MULTI_SZ(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    const char *value_data = "value_data\0value_data2\0";
+    const char *value_data_formatted = "value_data\n";
+    const char *value_data_formatted2 = "value_data2\n";
+    DWORD data_type = REG_MULTI_SZ;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_fprintf(fp, value_data_formatted, 0);
+    expect_fprintf(fp, value_data_formatted2, 0);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp((char *)value_data, data_type, diff);
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_registry_tmp_REG_DWORD(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    unsigned long value_data = 0x12345;
+    DWORD data_type = REG_DWORD;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_fprintf(fp, "12345", 0);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp((char *)&value_data, data_type, diff);
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_registry_tmp_REG_DWORD_BIG_ENDIAN(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    unsigned int value_data = 0x12345;
+    DWORD data_type = REG_DWORD_BIG_ENDIAN;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_fprintf(fp, "45230100", 0);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp((char *)&value_data, data_type, diff);
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_registry_tmp_REG_QWORD(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    unsigned long long value_data = 0x12345;
+    DWORD data_type = REG_QWORD;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_fprintf(fp, "12345", 0);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp((char *)&value_data, data_type, diff);
+    assert_int_equal(ret, 0);
+}
+
+void test_fim_diff_registry_tmp_default_type(void **state) {
+    diff_data *diff = *state;
+    diff->file_origin = "/path/to/file/origin";
+    diff->tmp_folder = "/path/to/tmp/folder";
+    FILE *fp = (FILE*)2345;
+    const char *value_data = "value_data";
+    DWORD data_type = -1;
+
+    expect_mkdir_ex(diff->tmp_folder, 0);
+
+    expect_wfopen(diff->file_origin, "w", fp);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_REG_VAL_WRONG_TYPE);
+
+    expect_fclose(fp, 0);
+
+    int ret = fim_diff_registry_tmp((char *)&value_data, data_type, diff);
+    assert_int_equal(ret, -1);
+}
+
+void test_fim_registry_value_diff_wrong_data_type(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_NONE;
+    registry_t *configuration = &syscheck.registry[0];
+
+    char debug2_message[OS_SIZE_1024];
+    snprintf(debug2_message, OS_SIZE_1024, FIM_REG_VAL_INVALID_TYPE, key_name, value_name);
+    expect_string(__wrap__mdebug2, formatted_msg, debug2_message);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_registry_value_diff_wrong_registry_tmp(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, NULL, value_data);
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_registry_value_diff_wrong_too_big_file(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->diff_size_limit = 1024;
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6349): File 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\valuename' is too big for configured maximum size to perform diff operation.");
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to 'file_size' limit has been reached.");
+    
+    free(diff_str);
+}
+
+void test_fim_registry_value_diff_wrong_quota_reached(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    configuration->diff_size_limit = 1024;
+    syscheck.comp_estimation_perc = 0.4;
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 2);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6350): The estimation of the file size 'HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile\\valuename' exceeds the disk_quota. Operation discarded.");
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to 'disk_quota' limit has been reached.");
+    
+    free(diff_str);
+}
+
+void test_fim_registry_value_diff_uncompress_fail(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", (FILE *)1234);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", 0);
+
+    expect_mkdir_ex(COMPRESS_FOLDER_REG, 0);
+
+    expect_save_compress_file("queue/diff/tmp/tmp-entry.gz", "queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 0);
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to no previous data stored for this registry value.");
+    
+    free(diff_str);
+}
+
+void test_fim_registry_value_diff_create_compress_fail(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", NULL);
+
+    expect_FileSize("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", -1);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6914): Cannot create a snapshot of file 'queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED "'");
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_registry_value_diff_compare_fail(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "3c183a30cffcda1408daf1c61d47b274";
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", NULL);
+
+    expect_FileSize("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", 0);
+
+    expect_fim_diff_compare("queue/diff/tmp/tmp-entry", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, md5sum_old, md5sum_new, -1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6351): The files are identical, don't compute differences");
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, "No content changes were found for this registry value.");
+    
+    free(diff_str);
+}
+
+void test_fim_registry_value_diff_nodiff(void **state) {
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", NULL);
+
+    expect_FileSize("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", 0);
+
+    expect_fim_diff_compare("queue/diff/tmp/tmp-entry", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, md5sum_old, md5sum_new, 0);
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, "Diff truncated due to 'nodiff' configuration detected for this registry value.");
+
+    free(diff_str);
+}
+
+void test_fim_registry_value_diff_generate_fail(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+
+    gen_diff_data_container->diff->uncompress_file = "queue/diff/tmp/tmp-entry";
+    gen_diff_data_container->diff->file_origin = "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED;
+    gen_diff_data_container->diff->diff_file = "queue/diff/tmp/diff-file";
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", NULL);
+
+    expect_FileSize("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", 0);
+
+    expect_fim_diff_compare("queue/diff/tmp/tmp-entry", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, md5sum_old, md5sum_new, 0);
+
+    expect_fim_diff_generate(gen_diff_data_container, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(6714): Command fc output an error");
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_registry_value_diff_generate_diff_str(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+
+    const char *key_name = "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile";
+    const char *value_name = "valuename";
+    const char *value_data = "value_data";
+    DWORD data_type = REG_EXPAND_SZ;
+    registry_t *configuration = &syscheck.registry[0];
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+
+    gen_diff_data_container->diff->uncompress_file = "queue/diff/tmp/tmp-entry";
+    gen_diff_data_container->diff->file_origin = "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED;
+    gen_diff_data_container->diff->diff_file = "queue/diff/tmp/diff-file";
+
+    expect_fim_diff_registry_tmp("queue/diff/tmp", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, (FILE *)1234, value_data);
+
+    expect_fim_diff_check_limits("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, COMPRESS_FOLDER_REG, 0);
+
+    expect_w_uncompress_gzfile("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", "queue/diff/tmp/tmp-entry", NULL);
+
+    expect_FileSize("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, "queue/diff/tmp/tmp-entry.gz", 0);
+
+    expect_fim_diff_compare("queue/diff/tmp/tmp-entry", "queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED, md5sum_old, md5sum_new, 0);
+
+    expect_fim_diff_generate(gen_diff_data_container, 0);
+
+    expect_save_compress_file("queue/diff/tmp/tmp-entry.gz", "queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED "/last-entry.gz", 0);
+
+    expect_string(__wrap_rmdir_ex, name, "queue/diff/tmp");
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_registry_value_diff(key_name, value_name, value_data, data_type, configuration);
+
+    assert_string_equal(diff_str, gen_diff_data_container->strarray[1]);
+}
+#endif
+
+void test_fim_file_diff_wrong_initialize(void **state) {
+    const char *filename = GENERIC_PATH;
+    const directory_t configuration = { .diff_size_limit = 0 };
+
+    expect_initialize_file_diff_data(filename, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_file_diff_wrong_too_big_file(void **state) {
+    const char *filename = GENERIC_PATH;
+    const directory_t configuration = { .diff_size_limit = 0 };
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 1);
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "(6349): File 'c:\\file\\path' is too big for configured maximum size to perform diff operation.");
+#else
+    expect_string(__wrap__mdebug2, formatted_msg, "(6349): File '/path/to/file' is too big for configured maximum size to perform diff operation.");
+#endif
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to 'file_size' limit has been reached.");
+    
+    free(diff_str);
+}
+
+void test_fim_file_diff_wrong_quota_reached(void **state) {
+    const char *filename = GENERIC_PATH;
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+    const directory_t configuration = { .diff_size_limit = 0 };
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 2);
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "(6350): The estimation of the file size 'c:\\file\\path' exceeds the disk_quota. Operation discarded.");
+#else
+    expect_string(__wrap__mdebug2, formatted_msg, "(6350): The estimation of the file size '/path/to/file' exceeds the disk_quota. Operation discarded.");
+#endif
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to 'disk_quota' limit has been reached.");
+    
+    free(diff_str);
+}
+
+void test_fim_file_diff_uncompress_fail(void **state) {
+    const char *filename = GENERIC_PATH;
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, (FILE *)1234);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, 0);
+
+    expect_mkdir_ex(COMPRESS_FOLDER, 0);
+
+    expect_save_compress_file(COMPRESS_TMP_FILE, COMPRESS_FILE, 0);
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "Unable to calculate diff due to no previous data stored for this file.");
+    
+    free(diff_str);
+}
+
+void test_fim_file_diff_create_compress_fail(void **state) {
+    const char *filename = GENERIC_PATH;
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize(COMPRESS_FILE, 1024 * 1024);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, -1);
+
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mwarn, formatted_msg, "(6914): Cannot create a snapshot of file 'c:\\file\\path'");
+#else
+    expect_string(__wrap__mwarn, formatted_msg, "(6914): Cannot create a snapshot of file '/path/to/file'");
+#endif
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_file_diff_compare_fail(void **state) {
+    const char *filename = GENERIC_PATH;
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize(COMPRESS_FILE, 1024 * 1024);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, GENERIC_PATH, md5sum_old, md5sum_new, -1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6351): The files are identical, don't compute differences");
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "No content changes were found for this file.");
+    
+    free(diff_str);
+}
+
+#ifdef TEST_WINAGENT
+void test_fim_file_diff_nodiff(void **state) {
+    const char *filename = "c:\\file\\nodiff";
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits("c:\\file\\nodiff", "aaa", 0);
+
+    expect_w_uncompress_gzfile("queue/diff/file/2ddcb012cae2957e19d31b10df12abc8c852cfb7/last-entry.gz", UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize("queue/diff/file/2ddcb012cae2957e19d31b10df12abc8c852cfb7/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("c:\\file\\nodiff", COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, "c:\\file\\nodiff", md5sum_old, md5sum_new, 0);
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "Diff truncated due to 'nodiff' configuration detected for this file.");
+    
+    free(diff_str);
+}
+#else
+void test_fim_file_diff_nodiff(void **state) {
+    const char *filename = "/path/to/ignore";
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+    expect_initialize_file_diff_data(filename, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits("/path/to/ignore", "aaa", 0);
+
+    expect_w_uncompress_gzfile("queue/diff/file/2ee531af6f6a5f133cdd38e818e1de895c29114c/last-entry.gz", UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize("queue/diff/file/2ee531af6f6a5f133cdd38e818e1de895c29114c/last-entry.gz", 1024 * 1024);
+
+    expect_fim_diff_create_compress_file("/path/to/ignore", COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, "/path/to/ignore", md5sum_old, md5sum_new, 0);
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(filename, &configuration);
+
+    assert_string_equal(diff_str, "Diff truncated due to 'nodiff' configuration detected for this file.");
+
+    free(diff_str);
+}
+#endif
+
+void test_fim_file_diff_generate_fail(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+#ifndef TEST_WINAGENT
+    gen_diff_data_container->diff->uncompress_file = strdup(UNCOMPRESS_FILE);
+    gen_diff_data_container->diff->file_origin = strdup("/path/to/file/origin");
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#else
+    gen_diff_data_container->diff->uncompress_file = strdup("queue/diff/tmp/tmp-entry");
+    gen_diff_data_container->diff->file_origin = strdup("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED);
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#endif
+
+    expect_initialize_file_diff_data(GENERIC_PATH, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize(COMPRESS_FILE, 1024 * 1024);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, GENERIC_PATH, md5sum_old, md5sum_new, 0);
+
+    expect_fim_diff_generate(gen_diff_data_container, 1);
+
+#ifndef TEST_WINAGENT
+    expect_string(__wrap__merror, formatted_msg, "(6714): Command diff output an error");
+#else
+    expect_string(__wrap__merror, formatted_msg, "(6714): Command fc output an error");
+#endif
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(GENERIC_PATH, &configuration);
+
+    assert_ptr_equal(diff_str, NULL);
+}
+
+void test_fim_file_diff_generate_diff_str(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+#ifndef TEST_WINAGENT
+    gen_diff_data_container->diff->uncompress_file = strdup(UNCOMPRESS_FILE);
+    gen_diff_data_container->diff->file_origin = strdup("/path/to/file/origin");
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#else
+    gen_diff_data_container->diff->uncompress_file = strdup("queue/diff/tmp/tmp-entry");
+    gen_diff_data_container->diff->file_origin = strdup("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED);
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#endif
+
+    expect_initialize_file_diff_data(GENERIC_PATH, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize(COMPRESS_FILE, 1024 * 1024);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, GENERIC_PATH, md5sum_old, md5sum_new, 0);
+
+    expect_fim_diff_generate(gen_diff_data_container, 0);
+
+    expect_save_compress_file(COMPRESS_TMP_FILE, COMPRESS_FILE, 0);
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+
+    char *diff_str = fim_file_diff(GENERIC_PATH, &configuration);
+
+    assert_string_equal(diff_str, gen_diff_data_container->strarray[1]);
+
+    free(diff_str);
+}
+
+void test_fim_file_diff_generate_diff_str_too_long(void **state) {
+    gen_diff_struct *gen_diff_data_container = *state;
+    os_md5 md5sum_old = "3c183a30cffcda1408daf1c61d47b274";
+    os_md5 md5sum_new = "abc44bfb4ab4cf4af49a4fa9b04fa44a";
+    const directory_t configuration = { .diff_size_limit = 1024 };
+
+    syscheck.comp_estimation_perc = 0.4;
+    syscheck.diff_folder_size = 512;
+
+#ifndef TEST_WINAGENT
+    int input_size = strlen(gen_diff_data_container->strarray[0]);
+    os_realloc(gen_diff_data_container->strarray[0], OS_MAXSTR, gen_diff_data_container->strarray[0]);
+    memset(gen_diff_data_container->strarray[0] + input_size - 1, 'a', OS_MAXSTR - input_size);
+    gen_diff_data_container->strarray[0][OS_MAXSTR - 1] = '\0';
+
+    os_realloc(gen_diff_data_container->strarray[1], strlen(gen_diff_data_container->strarray[1]) - 12 + strlen(STR_MORE_CHANGES) + 1, gen_diff_data_container->strarray[1]);
+    strcpy(gen_diff_data_container->strarray[1] + strlen(gen_diff_data_container->strarray[1]) - 12, STR_MORE_CHANGES);
+
+    gen_diff_data_container->diff->uncompress_file = strdup(UNCOMPRESS_FILE);
+    gen_diff_data_container->diff->file_origin = strdup("/path/to/file/origin");
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#else
+    strcpy(gen_diff_data_container->strarray[0], "Comparing files start.txt and end.txt\r\n"
+                                                 "Error diffs\r\n"
+                                                 "***** start.txt\r\n"
+                                                 "    1:  First line\r\n"
+                                                 "***** END.TXT\r\n"
+                                                 "    1:  First Line 123\r\n"
+                                                 "    2:  Last line");
+    int input_size = strlen(gen_diff_data_container->strarray[0]);
+    os_realloc(gen_diff_data_container->strarray[0], OS_MAXSTR, gen_diff_data_container->strarray[0]);
+    memset(gen_diff_data_container->strarray[0] + input_size, 'a', OS_MAXSTR - input_size);
+    gen_diff_data_container->strarray[0][OS_MAXSTR - 1] = '\0';
+
+    int output_size = strlen(gen_diff_data_container->strarray[1]);
+    os_realloc(gen_diff_data_container->strarray[1], OS_MAXSTR, gen_diff_data_container->strarray[1]);
+    memset(gen_diff_data_container->strarray[1] + output_size - 1, 'a', OS_MAXSTR - output_size - OS_SK_HEADER - 85 - strlen(STR_MORE_CHANGES));
+    strcat(gen_diff_data_container->strarray[1], STR_MORE_CHANGES);
+
+    gen_diff_data_container->diff->uncompress_file = strdup("queue/diff/tmp/tmp-entry");
+    gen_diff_data_container->diff->file_origin = strdup("queue/diff/tmp/[x64] " KEY_NAME_HASHED VALUE_NAME_HASHED);
+    gen_diff_data_container->diff->diff_file = strdup("queue/diff/tmp/diff-file");
+#endif
+
+    expect_initialize_file_diff_data(GENERIC_PATH, 1);
+
+    expect_mkdir_ex(TMP_FOLDER, 0);
+
+    expect_fim_diff_check_limits(GENERIC_PATH, COMPRESS_FOLDER, 0);
+
+    expect_w_uncompress_gzfile(COMPRESS_FILE, UNCOMPRESS_FILE, NULL);
+
+    expect_FileSize(COMPRESS_FILE, 1024 * 1024);
+
+    expect_fim_diff_create_compress_file(GENERIC_PATH, COMPRESS_TMP_FILE, 0);
+
+    expect_fim_diff_compare(UNCOMPRESS_FILE, GENERIC_PATH, md5sum_old, md5sum_new, 0);
+
+    expect_fim_diff_generate(gen_diff_data_container, 0);
+
+    expect_save_compress_file(COMPRESS_TMP_FILE, COMPRESS_FILE, 0);
+
+    expect_string(__wrap_rmdir_ex, name, TMP_FOLDER);
+    will_return(__wrap_rmdir_ex, 0);
+    char *diff_str = fim_file_diff(GENERIC_PATH, &configuration);
+
+    assert_string_equal(diff_str, gen_diff_data_container->strarray[1]);
+    free(diff_str);
+}
+
+void test_fim_diff_process_delete_file_ok(void **state) {
+#ifdef TEST_WINAGENT
+    expect_abspath("c:\\file\\path", 1);
+#else
+    expect_abspath("/path/to/file", 1);
+#endif
+    expect_fim_diff_delete_compress_folder(COMPRESS_FOLDER, 0, 0, 0);
+
+    fim_diff_process_delete_file(GENERIC_PATH);
+}
+
+void test_fim_diff_process_delete_file_delete_error(void **state) {
+#ifdef TEST_WINAGENT
+    expect_abspath("c:\\file\\path", 1);
+#else
+    expect_abspath("/path/to/file", 1);
+#endif
+    expect_fim_diff_delete_compress_folder(COMPRESS_FOLDER, 0, -1, 0);
+
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__merror, formatted_msg, "(6713): Cannot remove diff folder for file: 'queue/diff/file/750621a746c8d786022a931ab9a99b918f7208f4'");
+#else
+    expect_string(__wrap__merror, formatted_msg, "(6713): Cannot remove diff folder for file: 'queue/diff/file/7cdbc5364a7aeb60f61d8fd2e6243056227bd6d3'");
+#endif
+
+    fim_diff_process_delete_file(GENERIC_PATH);
+}
+
+void test_fim_diff_process_delete_file_folder_not_exist(void **state) {
+#ifdef TEST_WINAGENT
+    expect_abspath("c:\\file\\path", 1);
+#else
+    expect_abspath("/path/to/file", 1);
+#endif
+    expect_fim_diff_delete_compress_folder(COMPRESS_FOLDER, -1, 0, 0);
+
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mdebug2, formatted_msg, "(6355): Can't remove folder 'queue/diff/file/750621a746c8d786022a931ab9a99b918f7208f4', it does not exist.");
+#else
+    expect_string(__wrap__mdebug2, formatted_msg, "(6355): Can't remove folder 'queue/diff/file/7cdbc5364a7aeb60f61d8fd2e6243056227bd6d3', it does not exist.");
+#endif
+
+    fim_diff_process_delete_file(GENERIC_PATH);
+}
+
+#ifdef TEST_WINAGENT
+void test_fim_diff_process_delete_registry_ok(void **state) {
+    const char *key_name = strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile");
+
+    expect_fim_diff_delete_compress_folder("queue/diff/registry/[x32] " KEY_NAME_HASHED, 0, 0, 0);
+
+    fim_diff_process_delete_registry(key_name, 0);
+}
+
+void test_fim_diff_process_delete_registry_delete_error(void **state) {
+    const char *key_name = strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile");
+
+    expect_string(__wrap__merror, formatted_msg, "(6713): Cannot remove diff folder for file: 'queue/diff/registry/[x64] b9b175e8810d3475f15976dd3b5f9210f3af6604'");
+
+    expect_fim_diff_delete_compress_folder("queue/diff/registry/[x64] " KEY_NAME_HASHED, 0, -1, 0);
+
+    fim_diff_process_delete_registry(key_name, 1);
+}
+
+void test_fim_diff_process_delete_value_ok(void **state) {
+    const char *key_name = strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile");
+
+    expect_fim_diff_delete_compress_folder("queue/diff/registry/[x32] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED, 0, 0, 0);
+
+    fim_diff_process_delete_value(key_name, "valuename", 0);
+}
+
+void test_fim_diff_process_delete_value_delete_error(void **state) {
+    const char *key_name = strdup("HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile");
+
+    expect_string(__wrap__merror, formatted_msg, "(6713): Cannot remove diff folder for file: 'queue/diff/registry/[x64] b9b175e8810d3475f15976dd3b5f9210f3af6604/3f17670fd80d6563a3d4283adfe14140907b75b0'");
+
+    expect_fim_diff_delete_compress_folder("queue/diff/registry/[x64] " KEY_NAME_HASHED "/" VALUE_NAME_HASHED, 0, -1, 0);
+
+    fim_diff_process_delete_value(key_name, "valuename", 1);
+}
+#endif
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+
+#ifdef TEST_WINAGENT
+        // filter
+        cmocka_unit_test_teardown(test_filter_unchanged_string, teardown_free_string),
+        cmocka_unit_test(test_filter_percentage_char),
+
+        // adapt_win_fc_output
+        cmocka_unit_test_setup_teardown(test_adapt_win_fc_output_success, setup_array_strings, teardown_array_strings),
+        cmocka_unit_test_setup_teardown(test_adapt_win_fc_output_invalid_input, setup_array_strings, teardown_array_strings),
+        cmocka_unit_test_setup_teardown(test_adapt_win_fc_output_no_differences, setup_array_strings, teardown_array_strings),
+
+        // initialize_registry_diff_data
+        cmocka_unit_test_teardown(test_initialize_registry_diff_data, teardown_free_diff_data),
+#endif
+        // initialize_file_diff_data
+        cmocka_unit_test_teardown(test_initialize_file_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_teardown(test_initialize_file_diff_data_abspath_fail, teardown_free_diff_data),
+
+        // filter
+        cmocka_unit_test_teardown(test_filter, teardown_free_string),
+
+        // fim_diff_check_limits
+        cmocka_unit_test_setup_teardown(test_fim_diff_check_limits, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_check_limits_size_limit_reached, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_check_limits_estimate_compression, setup_diff_data, teardown_free_diff_data),
+
+        // fim_diff_delete_compress_folder
+        cmocka_unit_test_teardown(test_fim_diff_delete_compress_folder, teardown_disk_quota_exceeded),
+        cmocka_unit_test(test_fim_diff_delete_compress_folder_no_dir),
+        cmocka_unit_test(test_fim_diff_delete_compress_folder_rmdir_ex_fail),
+        cmocka_unit_test_setup_teardown(test_fim_diff_delete_compress_folder_remove_folder_fail, setup_diff_data, teardown_free_diff_data),
+
+        // fim_diff_estimate_compression
+        cmocka_unit_test(test_fim_diff_estimate_compression_file_not_fit),
+        cmocka_unit_test(test_fim_diff_estimate_compression_ok),
+
+        // fim_diff_create_compress_file
+        cmocka_unit_test_setup_teardown(test_fim_diff_create_compress_file_fail_compress, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_create_compress_file_ok, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_create_compress_file_quota_reached, setup_diff_data, teardown_free_diff_data),
+
+        // fim_diff_modify_compress_estimation
+        cmocka_unit_test(test_fim_diff_modify_compress_estimation_small_compresion_rate),
+        cmocka_unit_test(test_fim_diff_modify_compress_estimation_MIN_COMP_ESTIM),
+        cmocka_unit_test(test_fim_diff_modify_compress_estimation_ok),
+
+        // fim_diff_compare
+        cmocka_unit_test_setup_teardown(test_fim_diff_compare_fail_uncompress_MD5, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_compare_fail_origin_MD5, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_compare_fail_not_match, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_compare_fail_match, setup_diff_data, teardown_free_diff_data),
+
+        // save_compress_file
+        cmocka_unit_test_setup_teardown(test_save_compress_file_ok, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_save_compress_file_rename_fail, setup_diff_data, teardown_free_diff_data),
+
+        // is_file_nodiff
+        cmocka_unit_test(test_is_file_nodiff_normal_check),
+        cmocka_unit_test(test_is_file_nodiff_regex_check),
+        cmocka_unit_test(test_is_file_nodiff_not_match),
+
+#ifdef TEST_WINAGENT
+        // is_registry_nodiff
+        cmocka_unit_test(test_is_registry_nodiff_normal_check),
+        cmocka_unit_test(test_is_registry_nodiff_regex_check),
+        cmocka_unit_test(test_is_registry_nodiff_not_match),
+#endif
+
+        // gen_diff_str
+        cmocka_unit_test_setup_teardown(test_gen_diff_str_wfropen_fail, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_gen_diff_str_fread_fail, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_gen_diff_str_ok, setup_gen_diff_str, teardown_free_gen_diff_str),
+
+        // fim_diff_generate
+        cmocka_unit_test_setup_teardown(test_fim_diff_generate_status_error, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_generate_status_ok, setup_gen_diff_str, teardown_free_gen_diff_str),
+#ifdef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_fim_diff_generate_filters_fail, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_generate_status_equal, setup_diff_data, teardown_free_diff_data),
+
+        // fim_diff_registry_tmp
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_fopen_fail, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_REG_SZ, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_REG_MULTI_SZ, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_REG_DWORD, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_REG_DWORD_BIG_ENDIAN, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_REG_QWORD, setup_diff_data, teardown_free_diff_data),
+        cmocka_unit_test_setup_teardown(test_fim_diff_registry_tmp_default_type, setup_diff_data, teardown_free_diff_data),
+
+        // fim_registry_value_diff
+        cmocka_unit_test(test_fim_registry_value_diff_wrong_data_type),
+        cmocka_unit_test(test_fim_registry_value_diff_wrong_registry_tmp),
+        cmocka_unit_test(test_fim_registry_value_diff_wrong_too_big_file),
+        cmocka_unit_test(test_fim_registry_value_diff_wrong_quota_reached),
+        cmocka_unit_test(test_fim_registry_value_diff_uncompress_fail),
+        cmocka_unit_test(test_fim_registry_value_diff_create_compress_fail),
+        cmocka_unit_test(test_fim_registry_value_diff_compare_fail),
+        cmocka_unit_test(test_fim_registry_value_diff_nodiff),
+        cmocka_unit_test_setup_teardown(test_fim_registry_value_diff_generate_fail, setup_full_diff_functionality, teardown_full_diff_functionality),
+        cmocka_unit_test_setup_teardown(test_fim_registry_value_diff_generate_diff_str, setup_full_diff_functionality, teardown_full_diff_functionality),
+#endif
+
+        // fim_file_diff
+        cmocka_unit_test(test_fim_file_diff_wrong_initialize),
+        cmocka_unit_test(test_fim_file_diff_wrong_too_big_file),
+        cmocka_unit_test(test_fim_file_diff_wrong_quota_reached),
+        cmocka_unit_test(test_fim_file_diff_uncompress_fail),
+        cmocka_unit_test(test_fim_file_diff_create_compress_fail),
+        cmocka_unit_test(test_fim_file_diff_compare_fail),
+        cmocka_unit_test(test_fim_file_diff_nodiff),
+#ifdef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_fim_file_diff_generate_fail, setup_full_diff_functionality, teardown_full_diff_functionality),
+        cmocka_unit_test_setup_teardown(test_fim_file_diff_generate_diff_str, setup_full_diff_functionality, teardown_full_diff_functionality),
+#else
+        cmocka_unit_test_setup_teardown(test_fim_file_diff_generate_fail, setup_gen_diff_str, teardown_free_gen_diff_str),
+        cmocka_unit_test_setup_teardown(test_fim_file_diff_generate_diff_str, setup_gen_diff_str, teardown_free_gen_diff_str),
+#endif
+        cmocka_unit_test_setup_teardown(test_fim_file_diff_generate_diff_str_too_long, setup_gen_diff_str, teardown_free_gen_diff_str),
+
+        // fim_diff_process_delete_file
+        cmocka_unit_test(test_fim_diff_process_delete_file_ok),
+        cmocka_unit_test(test_fim_diff_process_delete_file_delete_error),
+        cmocka_unit_test(test_fim_diff_process_delete_file_folder_not_exist),
+
+#ifdef TEST_WINAGENT
+        // fim_diff_process_delete_registry
+        cmocka_unit_test(test_fim_diff_process_delete_registry_ok),
+        cmocka_unit_test(test_fim_diff_process_delete_registry_delete_error),
+
+        // fim_diff_process_delete_value
+        cmocka_unit_test(test_fim_diff_process_delete_value_ok),
+        cmocka_unit_test(test_fim_diff_process_delete_value_delete_error),
+#endif
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/test_run_check.c b/src/modules/fim/tests/unit/tests/test_run_check.c
new file mode 100644
index 0000000000..40bdd60ebb
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_run_check.c
@@ -0,0 +1,1146 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../wrappers/common.h"
+#include "../wrappers/posix/stat_wrappers.h"
+#include "../wrappers/linux/inotify_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../wrappers/wazuh/shared/randombytes_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/create_db_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/fim_db_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/run_realtime_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/win_whodata_wrappers.h"
+
+#include "../syscheckd/include/syscheck.h"
+#include "../syscheckd/src/db/include/db.h"
+#include "../config/syscheck-config.h"
+
+#ifdef TEST_WINAGENT
+#include "../wrappers/windows/processthreadsapi_wrappers.h"
+
+void set_priority_windows_thread();
+void set_whodata_mode_changes();
+#endif
+
+/* External 'static' functions prototypes */
+void fim_send_msg(char mq, const char * location, const char * msg);
+#ifdef WIN32
+DWORD WINAPI fim_run_realtime(__attribute__((unused)) void * args);
+
+extern void free_win32rtfim_data(win32rtfim *data);
+
+#else
+void * fim_run_realtime(__attribute__((unused)) void * args);
+#endif
+
+#ifndef TEST_WINAGENT
+void fim_link_update(const char *new_path, directory_t *configuration);
+void fim_link_check_delete(directory_t *configuration);
+void fim_link_delete_range(const directory_t *configuration);
+void fim_link_silent_scan(char *path, directory_t *configuration);
+void fim_link_reload_broken_link(char *path, directory_t *configuration);
+void fim_realtime_delete_watches(const directory_t *configuration);
+#endif
+
+void fim_db_remove_validated_path(void * data, void * ctx);
+
+extern time_t last_time;
+extern unsigned int files_read;
+
+/* redefinitons/wrapping */
+
+#ifdef TEST_WINAGENT
+int __wrap_audit_restore(void) {
+    return mock();
+}
+#else
+time_t __wrap_time(time_t *timer) {
+    return mock_type(time_t);
+}
+
+#endif
+
+
+extern bool fim_shutdown_process_on();
+/* Setup/Teardown */
+
+static int setup_group(void ** state) {
+#ifdef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6287): Reading configuration file: 'test_syscheck.conf'");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$|.swp$");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$|.swp$ OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex size 0");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex size 0");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node test_$");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node test_$ OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex size 1");
+#else // !TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6287): Reading configuration file: 'test_syscheck.conf'");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.swp$");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.swp$ OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex size 0");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex size 0");
+
+#endif // TEST_WINAGENT
+#if defined(TEST_AGENT) || defined(TEST_WINAGENT)
+    expect_string(__wrap__mdebug1, formatted_msg, "(6208): Reading Client Configuration [test_syscheck.conf]");
+#endif
+
+    will_return_always(__wrap_os_random, 12345);
+
+    if(Read_Syscheck_Config("test_syscheck.conf"))
+        fail();
+
+    syscheck.realtime = (rtfim *) calloc(1, sizeof(rtfim));
+    if(syscheck.realtime == NULL) {
+        return -1;
+    }
+#ifndef TEST_WINAGENT
+    will_return(__wrap_time, 1);
+#endif
+    syscheck.realtime->dirtb = OSHash_Create();
+    if (syscheck.realtime->dirtb == NULL) {
+        return -1;
+    }
+
+
+#ifdef TEST_WINAGENT
+    time_mock_value = 1;
+#else
+    OSHash_Add_ex(syscheck.realtime->dirtb, "key", strdup("data"));
+#endif
+    return 0;
+}
+
+#ifndef TEST_WINAGENT
+
+static int setup_symbolic_links(void **state) {
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    directory_t *config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    if (config->path != NULL) {
+        free(config->path);
+        config->path = NULL;
+    }
+
+    config->path = strdup("/link");
+    config->symbolic_links = strdup("/folder");
+    config->options |= REALTIME_ACTIVE;
+
+    if (config->path == NULL || config->symbolic_links == NULL) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int teardown_symbolic_links(void **state) {
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    directory_t *config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+    if (config->path != NULL) {
+        free(config->path);
+        config->path = NULL;
+    }
+
+    if (config->symbolic_links != NULL) {
+        free(config->symbolic_links);
+        config->symbolic_links = NULL;
+    }
+
+    config->path = strdup("/etc");
+    config->options &= ~REALTIME_ACTIVE;
+
+    if (config->path == NULL) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int setup_tmp_file(void **state) {
+    fim_tmp_file *tmp_file = calloc(1, sizeof(fim_tmp_file));
+    tmp_file->elements = 1;
+
+    if (setup_symbolic_links(NULL) < 0) {
+        return -1;
+    }
+
+    *state = tmp_file;
+
+    return 0;
+}
+
+static int teardown_tmp_file(void **state) {
+    fim_tmp_file *tmp_file = *state;
+    free(tmp_file);
+
+    if (teardown_symbolic_links(NULL) < 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
+#endif
+
+static int teardown_group(void **state) {
+#ifdef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (syscheck.realtime) {
+        if (syscheck.realtime->dirtb) {
+            OSHash_Free(syscheck.realtime->dirtb);
+        }
+        free(syscheck.realtime);
+        syscheck.realtime = NULL;
+    }
+#else
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+#endif
+
+    Free_Syscheck(&syscheck);
+
+    return 0;
+}
+
+/**
+ * @brief This function loads expect and will_return calls for the function send_sync_msg
+*/
+static void expect_w_send_sync_msg(const char *msg, const char *locmsg, char location,  bool (*fn_ptr)(), int ret) {
+    expect_SendMSGPredicated_call(msg, locmsg, location, fn_ptr, ret);
+}
+
+static int setup_max_fps(void **state) {
+    syscheck.max_files_per_second = 1;
+    return 0;
+}
+
+static int teardown_max_fps(void **state) {
+    syscheck.max_files_per_second = 0;
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+
+static int setup_hash(void **state) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    win32rtfim *rtlocald;
+    rtlocald = calloc(1, sizeof(win32rtfim));
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            OSHash_Add_ex(syscheck.realtime->dirtb, dir_it->path, rtlocald);
+        }
+    }
+    syscheck.realtime->evt = (HANDLE)234;
+    return 0;
+}
+
+static int teardown_hash(void **state) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            free_win32rtfim_data(OSHash_Delete_ex(syscheck.realtime->dirtb, dir_it->path));
+        }
+    }
+    return 0;
+}
+#endif
+
+static int teardown_dbsync_msg(void **state) {
+    char *ret_msg = *state;
+    free(ret_msg);
+    return 0;
+}
+/* tests */
+
+void test_fim_whodata_initialize(void **state)
+{
+    int ret;
+#ifdef TEST_WINAGENT
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    int i;
+    char *dirs[] = {
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+        NULL
+    };
+    char expanded_dirs[1][OS_SIZE_1024];
+
+    // Expand directories
+    for(i = 0; dirs[i]; i++) {
+        if(!ExpandEnvironmentStrings(dirs[i], expanded_dirs[i], OS_SIZE_1024))
+            fail();
+
+        str_lowercase(expanded_dirs[i]);
+        expect_realtime_adddir_call(expanded_dirs[i], 0);
+    }
+    will_return(__wrap_run_whodata_scan, 0);
+    will_return(wrap_CreateThread, (HANDLE)123456);
+#endif
+
+    ret = fim_whodata_initialize();
+
+    assert_int_equal(ret, 0);
+}
+
+void test_log_realtime_status(void **state)
+{
+    (void) state;
+
+    log_realtime_status(2);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_REALTIME_STARTED);
+    log_realtime_status(1);
+    log_realtime_status(1);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_REALTIME_PAUSED);
+    log_realtime_status(2);
+    log_realtime_status(2);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_REALTIME_RESUMED);
+    log_realtime_status(1);
+}
+
+#ifndef TEST_WINAGENT
+
+void test_fim_run_realtime_first_error(void **state) {
+    char debug_msg[OS_SIZE_128] = {0};
+    syscheck.realtime->fd = 4;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_select, -1);
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_SELECT);
+
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_first_timeout(void **state) {
+    syscheck.realtime->fd = 4;
+    char debug_msg[OS_SIZE_128] = {0};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+
+    will_return(__wrap_select, 0);
+
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_first_sleep(void **state) {
+
+    syscheck.realtime->fd = -1;
+    char debug_msg[OS_SIZE_128] = {0};
+    expect_function_call(__wrap_pthread_mutex_lock);
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_value(__wrap_sleep, seconds, SYSCHECK_WAIT);
+
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_first_process(void **state) {
+    syscheck.realtime->fd = 4;
+    char debug_msg[OS_SIZE_128] = {0};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_select, 4);
+    expect_function_call(__wrap_realtime_process);
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_process_after_timeout(void **state) {
+    syscheck.realtime->fd = 4;
+    char debug_msg[OS_SIZE_128] = {0};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_select, 0);
+
+    will_return(__wrap_FOREVER, 1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    will_return(__wrap_select, 4);
+    expect_function_call(__wrap_realtime_process);
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+#else
+
+void test_fim_run_realtime_w_first_timeout(void **state) {
+    char debug_msg[OS_SIZE_128] = {0};
+    directory_t *dir_it;
+    OSListNode *node_it;
+    int added_dirs = 0;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    // set_priority_windows_thread
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '10'");
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_LOWEST, true);
+
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+            added_dirs++;
+        }
+    }
+    will_return(__wrap_FOREVER, 1);
+
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, added_dirs);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    expect_value(wrap_WaitForSingleObjectEx, hHandle, (DWORD)234);
+    expect_value(wrap_WaitForSingleObjectEx, dwMilliseconds, SYSCHECK_WAIT * 1000);
+    expect_value(wrap_WaitForSingleObjectEx, bAlertable, TRUE);
+    will_return(wrap_WaitForSingleObjectEx, WAIT_FAILED);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_REALTIME_WAITSINGLE_OBJECT);
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+            added_dirs++;
+        }
+    }
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_w_wait_success(void **state) {
+    char debug_msg[OS_SIZE_128] = {0};
+    directory_t *dir_it;
+    OSListNode *node_it;
+    int added_dirs = 0;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    // set_priority_windows_thread
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '10'");
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_LOWEST, true);
+
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+            added_dirs++;
+        }
+    }
+
+    will_return(__wrap_FOREVER, 1);
+
+    snprintf(debug_msg, OS_SIZE_128, FIM_NUM_WATCHES, added_dirs);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    expect_value(wrap_WaitForSingleObjectEx, hHandle, (DWORD)234);
+    expect_value(wrap_WaitForSingleObjectEx, dwMilliseconds, SYSCHECK_WAIT * 1000);
+    expect_value(wrap_WaitForSingleObjectEx, bAlertable, TRUE);
+    will_return(wrap_WaitForSingleObjectEx, WAIT_IO_COMPLETION);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+            added_dirs++;
+        }
+    }
+
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_run_realtime_w_sleep(void **state) {
+    char debug_msg[OS_SIZE_128] = {0};
+    directory_t *dir_it;
+    OSListNode *node_it;
+    int added_dirs = 0;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    // set_priority_windows_thread
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '10'");
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_LOWEST, true);
+
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+        }
+    }
+    will_return(__wrap_FOREVER, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, SYSCHECK_WAIT * 1000);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (dir_it->options & REALTIME_ACTIVE) {
+            expect_string(__wrap_realtime_adddir, dir, dir_it->path);
+            will_return(__wrap_realtime_adddir, 0);
+            added_dirs++;
+        }
+    }
+
+    will_return(__wrap_FOREVER, 0);
+
+    fim_run_realtime(NULL);
+}
+
+void test_fim_whodata_initialize_fail_set_policies(void **state)
+{
+    int ret;
+    int i;
+    char *dirs[] = {
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+        NULL
+    };
+    char expanded_dirs[1][OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    // Expand directories
+    for(i = 0; dirs[i]; i++) {
+        if(!ExpandEnvironmentStrings(dirs[i], expanded_dirs[i], OS_SIZE_1024))
+            fail();
+
+        str_lowercase(expanded_dirs[i]);
+        expect_realtime_adddir_call(expanded_dirs[i], 0);
+    }
+
+    will_return(__wrap_run_whodata_scan, 1);
+    expect_string(__wrap__merror, formatted_msg,
+      "(6710): Failed to start the Whodata engine. Directories/files will be monitored in Realtime mode");
+
+    will_return(__wrap_audit_restore, NULL);
+
+    ret = fim_whodata_initialize();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_set_priority_windows_thread_highest(void **state) {
+    syscheck.process_priority = -10;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '-10'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_HIGHEST, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_above_normal(void **state) {
+    syscheck.process_priority = -8;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '-8'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_ABOVE_NORMAL, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_normal(void **state) {
+    syscheck.process_priority = 0;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '0'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_NORMAL, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_below_normal(void **state) {
+    syscheck.process_priority = 2;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '2'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_BELOW_NORMAL, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_lowest(void **state) {
+    syscheck.process_priority = 7;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '7'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_LOWEST, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_idle(void **state) {
+    syscheck.process_priority = 20;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '20'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_IDLE, true);
+
+    set_priority_windows_thread();
+}
+
+void test_set_priority_windows_thread_error(void **state) {
+    syscheck.process_priority = 10;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6320): Setting process priority to: '10'");
+
+    will_return(wrap_GetCurrentThread, (HANDLE)123456);
+    expect_SetThreadPriority_call((HANDLE)123456, THREAD_PRIORITY_LOWEST, false);
+
+    will_return(wrap_GetLastError, 2345);
+
+    expect_string(__wrap__merror, formatted_msg, "Can't set thread priority: 2345");
+
+    set_priority_windows_thread();
+}
+
+#ifdef WIN_WHODATA
+void test_set_whodata_mode_changes(void **state) {
+    int i;
+    char *dirs[] = {
+        "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
+        "%WINDIR%\\System32\\wbem",
+        "%WINDIR%\\System32\\Windowspowershell\\v1.0",
+        NULL
+    };
+    char expanded_dirs[3][OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // Mark directories to be added in realtime
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status |= WD_CHECK_REALTIME;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status &= ~WD_CHECK_WHODATA;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 4))->dirs_status.status |= WD_CHECK_REALTIME;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 4))->dirs_status.status &= ~WD_CHECK_WHODATA;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5))->dirs_status.status |= WD_CHECK_REALTIME;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5))->dirs_status.status &= ~WD_CHECK_WHODATA;
+
+    // Expand directories
+    for(i = 0; dirs[i]; i++) {
+        if(!ExpandEnvironmentStrings(dirs[i], expanded_dirs[i], OS_SIZE_1024))
+            fail();
+
+        str_lowercase(expanded_dirs[i]);
+        expect_realtime_adddir_call(expanded_dirs[i], i % 2 == 0);
+    }
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6225): The 'c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup' directory starts to be monitored in real-time mode.");
+    expect_string(__wrap__merror, formatted_msg, "(6611): 'realtime_adddir' failed, the directory 'c:\\windows\\system32\\wbem' couldn't be added to real time mode.");
+    expect_string(__wrap__mdebug1, formatted_msg, "(6225): The 'c:\\windows\\system32\\windowspowershell\\v1.0' directory starts to be monitored in real-time mode.");
+
+    set_whodata_mode_changes();
+}
+
+void test_fim_whodata_initialize_eventchannel(void **state) {
+    int ret;
+    int i;
+    char *dirs[] = {
+        "%WINDIR%\\System32\\WindowsPowerShell\\v1.0",
+        NULL
+    };
+    char expanded_dirs[1][OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    // Expand directories
+    for(i = 0; dirs[i]; i++) {
+        if(!ExpandEnvironmentStrings(dirs[i], expanded_dirs[i], OS_SIZE_1024))
+            fail();
+
+        str_lowercase(expanded_dirs[i]);
+        expect_realtime_adddir_call(expanded_dirs[i], 0);
+    }
+
+    will_return(__wrap_run_whodata_scan, 0);
+
+    will_return(wrap_CreateThread, (HANDLE)123456);
+
+    ret = fim_whodata_initialize();
+
+    assert_int_equal(ret, 0);
+}
+#endif  // WIN_WHODATA
+#endif
+
+void test_fim_send_scan_info(void **state) {
+    (void) state;
+    const char *msg = "{\"type\":\"scan_start\",\"data\":{\"timestamp\":1}}";
+#ifndef TEST_WINAGENT
+    will_return(__wrap_time, 1);
+#endif
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6321): Sending FIM event: {\"type\":\"scan_start\",\"data\":{\"timestamp\":1}}");
+    expect_w_send_sync_msg(msg, SYSCHECK, SYSCHECK_MQ, fim_shutdown_process_on, 0);
+    fim_send_scan_info(FIM_SCAN_START);
+}
+
+#ifndef TEST_WINAGENT
+void test_fim_link_update(void **state) {
+    char *new_path = "/new_path";
+    char pattern[PATH_MAX] = {0};
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    expect_string(__wrap_remove_audit_rule_syscheck, path, affected_config->symbolic_links);
+
+    snprintf(pattern, PATH_MAX, "%s%c%%", affected_config->symbolic_links, PATH_SEP);
+    expect_fim_db_file_pattern_search(pattern, 0);
+
+    expect_fim_checker_call(new_path, affected_config);
+    expect_realtime_adddir_call(new_path, 0);
+    expect_string(__wrap_remove_audit_rule_syscheck, path, affected_config->path);
+
+    fim_link_update(new_path, affected_config);
+
+    assert_string_equal(affected_config->path, "/link");
+    assert_string_equal(affected_config->symbolic_links, new_path);
+}
+
+void test_fim_link_update_already_added(void **state) {
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    char *link_path = "/home";
+    char error_msg[OS_SIZE_128];
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    free(affected_config->symbolic_links);
+    affected_config->symbolic_links = strdup("/home");
+
+    snprintf(error_msg, OS_SIZE_128, FIM_LINK_ALREADY_ADDED, link_path);
+
+    expect_string(__wrap__mdebug2, formatted_msg, error_msg);
+
+    fim_link_update(link_path, affected_config);
+
+    assert_string_equal(affected_config->path, "/link");
+    assert_null(affected_config->symbolic_links);
+}
+
+void test_fim_link_check_delete(void **state) {
+    char *link_path = "/link";
+    char *pointed_folder = "/folder";
+    char pattern[PATH_MAX] = {0};
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    expect_string(__wrap_lstat, filename, affected_config->symbolic_links);
+    will_return(__wrap_lstat, 0);
+    will_return(__wrap_lstat, 0);
+
+    expect_string(__wrap_remove_audit_rule_syscheck, path, affected_config->symbolic_links);
+
+    snprintf(pattern, PATH_MAX, "%s%c%%", affected_config->symbolic_links, PATH_SEP);
+    expect_fim_db_file_pattern_search(pattern, 0);
+
+    expect_fim_configuration_directory_call("data", NULL);
+    fim_link_check_delete(affected_config);
+
+    assert_string_equal(affected_config->path, link_path);
+    assert_null(affected_config->symbolic_links);
+}
+
+void test_fim_link_check_delete_lstat_error(void **state) {
+    char *link_path = "/link";
+    char *pointed_folder = "/folder";
+    char error_msg[OS_SIZE_128];
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    expect_string(__wrap_lstat, filename, pointed_folder);
+    will_return(__wrap_lstat, 0);
+    will_return(__wrap_lstat, -1);
+    errno = 0;
+
+    snprintf(error_msg, OS_SIZE_128, FIM_STAT_FAILED, pointed_folder, 0, "Success");
+
+    expect_string(__wrap__mdebug1, formatted_msg, error_msg);
+
+    fim_link_check_delete(affected_config);
+
+    assert_string_equal(affected_config->path, link_path);
+    assert_string_equal(affected_config->symbolic_links, pointed_folder);
+}
+
+void test_fim_link_check_delete_noentry_error(void **state) {
+    char *link_path = "/link";
+    char *pointed_folder = "/folder";
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    expect_string(__wrap_lstat, filename, pointed_folder);
+    will_return(__wrap_lstat, 0);
+    will_return(__wrap_lstat, -1);
+    expect_string(__wrap_remove_audit_rule_syscheck, path, affected_config->symbolic_links);
+
+    errno = ENOENT;
+
+    fim_link_check_delete(affected_config);
+
+    errno = 0;
+
+    assert_string_equal(affected_config->path, link_path);
+    assert_null(affected_config->symbolic_links);
+}
+
+void test_fim_delete_realtime_watches(void **state) {
+    unsigned int pos;
+    char *link_path = "/link";
+    char *pointed_folder = "/folder";
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_fim_configuration_directory_call("data", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1)));
+
+    will_return(__wrap_inotify_rm_watch, 1);
+
+    fim_realtime_delete_watches(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1)));
+
+    assert_null(OSHash_Begin(syscheck.realtime->dirtb, &pos));
+}
+
+void test_fim_link_delete_range(void **state) {
+    fim_tmp_file *tmp_file = *state;
+    char pattern[PATH_MAX] = {0};
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    snprintf(pattern, PATH_MAX, "%s%c%%", "/folder", PATH_SEP);
+    expect_fim_db_file_pattern_search(pattern, 0);
+
+    fim_link_delete_range(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1)));
+}
+
+void test_fim_link_silent_scan(void **state) {
+    char *link_path = "/link";
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 3);
+
+    expect_realtime_adddir_call(link_path, 0);
+    expect_fim_checker_call(link_path, affected_config);
+
+    fim_link_silent_scan(link_path, affected_config);
+}
+
+void test_fim_link_reload_broken_link_already_monitored(void **state) {
+    char *link_path = "/link";
+    char *pointed_folder = "/folder";
+    char error_msg[OS_SIZE_128];
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    snprintf(error_msg, OS_SIZE_128, FIM_LINK_ALREADY_ADDED, link_path);
+
+    expect_string(__wrap__mdebug2, formatted_msg, error_msg);
+
+    fim_link_reload_broken_link(link_path, affected_config);
+
+    assert_string_equal(affected_config->path, link_path);
+    assert_string_equal(affected_config->symbolic_links, pointed_folder);
+}
+
+void test_fim_link_reload_broken_link_reload_broken(void **state) {
+    char *link_path = "/link";
+    char *pointed_folder = "/new_path";
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    directory_t *affected_config = (directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1);
+
+    expect_fim_checker_call(pointed_folder, affected_config);
+
+    expect_string(__wrap_realtime_adddir, dir, pointed_folder);
+    will_return(__wrap_realtime_adddir, 0);
+
+    expect_string(__wrap_remove_audit_rule_syscheck, path, link_path);
+
+    fim_link_reload_broken_link(pointed_folder, affected_config);
+
+    assert_string_equal(affected_config->path, link_path);
+    assert_string_equal(affected_config->symbolic_links, pointed_folder);
+}
+#endif
+
+void test_check_max_fps_no_sleep(void **state) {
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_gettime, last_time + 1);
+
+    check_max_fps();
+}
+
+void test_check_max_fps_sleep(void **state) {
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    last_time = 10;
+    files_read = syscheck.max_files_per_second;
+
+    will_return(__wrap_gettime, last_time);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_REACHED_MAX_FPS);
+    check_max_fps();
+}
+
+void test_send_sync_state(void **state) {
+    char debug_msg[OS_SIZE_256] = {0};
+    char *event = "{\"data\":\"random_string\"}";
+
+    snprintf(debug_msg, OS_SIZE_256, FIM_DBSYNC_SEND, event);
+    syscheck.sync_max_eps = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_w_send_sync_msg(event, "fim_file", DBSYNC_MQ, fim_shutdown_process_on, 0);
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, 1 * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, 1);
+#endif
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    fim_send_sync_state("fim_file", event);
+}
+
+void test_send_sync_state_without_max_eps(void **state) {
+    char debug_msg[OS_SIZE_256] = {0};
+    char *event = "{\"data\":\"random_string\"}";
+
+    snprintf(debug_msg, OS_SIZE_256, FIM_DBSYNC_SEND, event);
+    syscheck.sync_max_eps = 0;
+
+    expect_w_send_sync_msg(event, "fim_file", DBSYNC_MQ, fim_shutdown_process_on, 0);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    fim_send_sync_state("fim_file", event);
+}
+
+void test_fim_db_remove_validated_path(void **state){
+
+    char* path = "path";
+    directory_t mock_config;
+    get_data_ctx mock_data;
+    mock_data.config = &mock_config;
+
+    expect_fim_configuration_directory_call(path, &mock_config);
+    expect_function_call(__wrap_fim_generate_delete_event);
+
+    fim_db_remove_validated_path(path, &mock_data);
+}
+
+int main(void) {
+#ifndef WIN_WHODATA
+    const struct CMUnitTest tests[] = {
+#ifdef TEST_WINAGENT
+        cmocka_unit_test(test_set_priority_windows_thread_highest),
+        cmocka_unit_test(test_set_priority_windows_thread_above_normal),
+        cmocka_unit_test(test_set_priority_windows_thread_normal),
+        cmocka_unit_test(test_set_priority_windows_thread_below_normal),
+        cmocka_unit_test(test_set_priority_windows_thread_lowest),
+        cmocka_unit_test(test_set_priority_windows_thread_idle),
+        cmocka_unit_test(test_set_priority_windows_thread_error),
+#endif
+
+        cmocka_unit_test(test_log_realtime_status),
+        cmocka_unit_test(test_fim_db_remove_validated_path),
+        cmocka_unit_test(test_fim_send_scan_info),
+        cmocka_unit_test_setup_teardown(test_check_max_fps_no_sleep, setup_max_fps, teardown_max_fps),
+        cmocka_unit_test_setup_teardown(test_check_max_fps_sleep, setup_max_fps, teardown_max_fps),
+#ifndef TEST_WINAGENT
+        cmocka_unit_test(test_fim_run_realtime_first_error),
+        cmocka_unit_test(test_fim_run_realtime_first_timeout),
+        cmocka_unit_test(test_fim_run_realtime_first_sleep),
+        cmocka_unit_test(test_fim_run_realtime_first_process),
+        cmocka_unit_test(test_fim_run_realtime_process_after_timeout),
+        cmocka_unit_test_setup_teardown(test_fim_link_update, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_update_already_added, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_check_delete, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_check_delete_lstat_error, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_check_delete_noentry_error, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_delete_realtime_watches, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_delete_range, setup_tmp_file, teardown_tmp_file),
+        cmocka_unit_test_setup_teardown(test_fim_link_silent_scan, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_reload_broken_link_already_monitored, setup_symbolic_links, teardown_symbolic_links),
+        cmocka_unit_test_setup_teardown(test_fim_link_reload_broken_link_reload_broken, setup_symbolic_links, teardown_symbolic_links),
+#else
+        cmocka_unit_test_setup_teardown(test_fim_run_realtime_w_first_timeout, setup_hash, teardown_hash),
+        cmocka_unit_test_setup_teardown(test_fim_run_realtime_w_wait_success, setup_hash, teardown_hash),
+        cmocka_unit_test(test_fim_run_realtime_w_sleep),
+#endif
+        cmocka_unit_test(test_send_sync_state),
+        cmocka_unit_test(test_send_sync_state_without_max_eps),
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+#else  // WIN_WHODATA
+    const struct CMUnitTest eventchannel_tests[] = {
+        cmocka_unit_test(test_fim_whodata_initialize),
+        cmocka_unit_test(test_set_whodata_mode_changes),
+        cmocka_unit_test(test_fim_whodata_initialize_eventchannel),
+        cmocka_unit_test(test_fim_whodata_initialize_fail_set_policies),
+    };
+    return cmocka_run_group_tests(eventchannel_tests, setup_group, teardown_group);
+#endif
+}
diff --git a/src/modules/fim/tests/unit/tests/test_run_realtime.c b/src/modules/fim/tests/unit/tests/test_run_realtime.c
new file mode 100644
index 0000000000..44e636bbaa
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_run_realtime.c
@@ -0,0 +1,2036 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+#ifndef TEST_WINAGENT
+#include <sys/inotify.h>
+#endif
+
+#include "../wrappers/common.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+#include "../wrappers/posix/unistd_wrappers.h"
+#include "../wrappers/linux/inotify_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/fs_op_wrappers.h"
+#include "../wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "../wrappers/wazuh/shared/randombytes_wrappers.h"
+#include "../wrappers/wazuh/shared/syscheck_op_wrappers.h"
+#include "../wrappers/wazuh/shared/vector_op_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/create_db_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/run_check_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/win_whodata_wrappers.h"
+
+#include "../syscheckd/include/syscheck.h"
+#include "../config/syscheck-config.h"
+
+#ifdef TEST_WINAGENT
+// This struct should always reflect the one defined in run_realtime.c
+
+int realtime_win32read(win32rtfim *rtlocald);
+void free_win32rtfim_data(win32rtfim *data);
+void CALLBACK RTCallBack(DWORD dwerror, DWORD dwBytes, LPOVERLAPPED overlap);
+#endif
+
+
+typedef struct realtime_process_data{
+    struct inotify_event *event;
+    OSHashNode *node;
+} realtime_process_data;
+
+static int setup_OSHash(void **state);
+static int teardown_OSHash(void **state);
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    expect_any_always(__wrap__mdebug1, formatted_msg);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    test_mode = 0;
+    Read_Syscheck_Config("test_syscheck.conf");
+
+    syscheck.realtime = (rtfim *) calloc(1, sizeof(rtfim));
+
+    if(syscheck.realtime == NULL)
+        return -1;
+
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    Free_Syscheck(&syscheck);
+
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+#ifndef WIN_WHODATA
+static int setup_RTCallBack(void **state) {
+    win32rtfim *rt = calloc(1, sizeof(win32rtfim));
+
+    if(rt == NULL)
+        return -1;
+
+    *state = rt;
+    return 0;
+}
+
+static int teardown_RTCallBack(void **state) {
+    win32rtfim *rt = *state;
+
+    if(rt->dir)
+        free(rt->dir);
+
+    free(rt);
+
+    return 0;
+}
+#endif // WIN_WHODATA
+
+static int setup_realtime_adddir_realtime_start_error(void **state) {
+    *state = syscheck.realtime;
+    return 0;
+}
+
+static int teardown_realtime_adddir_realtime_start_error(void **state) {
+    return 0;
+}
+
+# else // TEST_WINAGENT
+
+static int setup_realtime_adddir_realtime_start_error(void **state) {
+    *state = syscheck.realtime;
+    syscheck.realtime->fd = -1;
+    return 0;
+}
+
+static int teardown_realtime_adddir_realtime_start_error(void **state) {
+    syscheck.realtime->fd = ((rtfim *)state)->fd;
+
+    return 0;
+}
+#endif
+
+static int setup_realtime_start(void **state) {
+    OSHash *hash = calloc(1, sizeof(OSHash));
+
+    if(hash == NULL)
+        return -1;
+
+    *state = hash;
+
+    state[1] = syscheck.realtime;
+    syscheck.realtime = NULL;
+
+    return 0;
+}
+
+static int teardown_realtime_start(void **state) {
+    OSHash *hash = *state;
+
+    free(hash);
+
+    if (syscheck.realtime) {
+        free(syscheck.realtime);
+    }
+
+    syscheck.realtime = state[1];
+    state[1] = NULL;
+
+    return 0;
+}
+
+static int setup_inotify_event(void **state) {
+    struct inotify_event *event;
+
+    if (setup_OSHash(state) != 0) {
+        return -1;
+    }
+
+    event = calloc(1, OS_SIZE_512);
+
+    if (!event) {
+        return -1;
+    }
+    *state = event;
+
+    return 0;
+}
+
+static int teardown_inotify_event(void **state) {
+    struct inotify_event *event = *state;
+
+    if (teardown_OSHash(state) != 0) {
+        return -1;
+    }
+
+    if (event) {
+        free(event);
+    }
+
+    return 0;
+}
+
+static int setup_hash_node(void **state) {
+    OSHashNode *node = (OSHashNode *)calloc(1, sizeof(OSHashNode));
+
+    if (!node) {
+        return -1;
+    }
+
+    node->next = NULL;
+    node->prev = NULL;
+    node->key = "dummy_key";
+
+    if (node->key == NULL) {
+        return -1;
+    }
+
+    *state = node;
+
+    return 0;
+}
+
+static int teardown_hash_node(void **state) {
+    OSHashNode *node = *state;
+
+    if (node) {
+        free(node);
+    }
+
+    return 0;
+}
+
+static int setup_realtime_process(void **state) {
+    realtime_process_data *data = (realtime_process_data *)calloc(1, sizeof(realtime_process_data));
+
+    if (!data) {
+        return -1;
+    }
+
+    if (setup_hash_node((void **) &data->node)) {
+        return -1;
+    }
+
+    if (setup_inotify_event((void **) &data->event)) {
+        return -1;
+    }
+    *state = data;
+
+    return 0;
+}
+
+static int teardown_realtime_process(void **state) {
+    realtime_process_data *data = *state;
+
+    if (teardown_hash_node((void **) &data->node)) {
+        return -1;
+    }
+
+    if (teardown_inotify_event((void **) &data->event)) {
+        return -1;
+    }
+    if (data) {
+        free(data);
+    }
+
+    return 0;
+}
+
+static int setup_OSHash(void **state) {
+    test_mode = 0;
+    will_return_always(__wrap_os_random, 12345);
+    if (setup_hashmap(state) != 0) {
+        return -1;
+    }
+
+    __real_OSHash_SetFreeDataPointer(mock_hashmap, free);
+
+    syscheck.realtime->dirtb = mock_hashmap;
+
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_OSHash(void **state) {
+    test_mode = 0;
+
+    if (teardown_hashmap(state) != 0) {
+        return -1;
+    }
+
+    syscheck.realtime->dirtb = NULL;
+    errno = 0;
+
+    return 0;
+}
+
+static int setup_sanitize_watch_map(void **state) {
+    test_mode = 0;
+
+    will_return_always(__wrap_os_random, 12345);
+    if (setup_hashmap(state) != 0) {
+        return -1;
+    }
+
+    syscheck.realtime->dirtb = mock_hashmap;
+
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_sanitize_watch_map(void **state) {
+    test_mode = 0;
+    OSHash *hash = *state;
+    if (teardown_hashmap(state) != 0) {
+        return -1;
+    }
+
+    syscheck.realtime->dirtb = NULL;
+    errno = 0;
+    test_mode = 1;
+    return 0;
+}
+
+/* tests */
+
+void test_realtime_start_success(void **state) {
+    OSHash *hash = *state;
+    int ret;
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, hash);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 0);
+
+#if defined(TEST_SERVER) || defined(TEST_AGENT)
+    will_return(__wrap_inotify_init, 0);
+#else
+    expect_value(wrap_CreateEvent, lpEventAttributes, NULL);
+    expect_value(wrap_CreateEvent, bManualReset, TRUE);
+    expect_value(wrap_CreateEvent, bInitialState, FALSE);
+    expect_value(wrap_CreateEvent, lpName, NULL);
+    will_return(wrap_CreateEvent, (HANDLE)123456);
+#endif
+
+    ret = realtime_start();
+
+    assert_int_equal(ret, 0);
+#ifdef TEST_WINAGENT
+    assert_ptr_equal(syscheck.realtime->evt, 123456);
+#endif
+}
+
+
+void test_realtime_start_failure_hash(void **state) {
+    int ret;
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    errno = ENOMEM;
+    expect_string(__wrap__merror, formatted_msg,
+        "(1102): Could not acquire memory due to [(12)-(Cannot allocate memory)].");
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_start();
+
+    errno = 0;
+    assert_int_equal(ret, -1);
+}
+
+#if defined(TEST_SERVER) || defined(TEST_AGENT)
+
+void test_realtime_start_failure_inotify(void **state) {
+    OSHash *hash = *state;
+    int ret;
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, hash);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 0);
+
+    will_return(__wrap_inotify_init, -1);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_INOTIFY_INITIALIZE);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_start();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_realtime_adddir_realtime_start_failure(void **state) {
+    int ret;
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    const char * path = "/etc/folder";
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_realtime_adddir_realtime_failure(void **state) {
+    int ret;
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    const char * path = "/etc/folder";
+
+    syscheck.realtime->fd = -1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+
+    assert_int_equal(ret, -1);
+}
+
+
+void test_realtime_adddir_realtime_watch_max_reached_failure(void **state) {
+    int ret;
+    directory_t config = { .options = REALTIME_ACTIVE };
+    const char * path = "/etc/folder";
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, -1);
+    expect_string(__wrap__merror, formatted_msg, "(6700): Unable to add inotify watch to real time monitoring: '/etc/folder'. '-1' '28': "
+                                                "The maximum limit of inotify watches has been reached.");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    errno = 28;
+
+    ret = realtime_adddir(path, &config);
+
+    errno = 0;
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_realtime_adddir_realtime_watch_generic_failure(void **state) {
+    int ret;
+    directory_t config = { .options = REALTIME_ACTIVE };
+    const char * path = "/etc/folder";
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, -1);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6272): Unable to add inotify watch to real time monitoring: '/etc/folder'. '-1' '0':'Success'");
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_realtime_adddir_realtime_add(void **state) {
+    int ret;
+    char * path = strdup("/etc/folder");
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6224): Entry '/etc/folder' already exists in the RT hash table.");
+    expect_string(__wrap__mdebug2, formatted_msg, "(6227): Directory added for real time monitoring: '/etc/folder'");
+
+    test_mode = 0;
+    OSHash_Add_ex(syscheck.realtime->dirtb, "1", path); // Duplicate simulation
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+    test_mode = 1;
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_realtime_adddir_realtime_add_hash_failure(void **state) {
+    int ret;
+    const char * path = "/etc/folder";
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, 1);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, 0);
+
+    OSHash_Add_ex_check_data = 0;
+    expect_value(__wrap_OSHash_Add_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Add_ex, key, "1");
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(6697): Out of memory. Exiting.");
+
+    test_mode = 1;
+    expect_assert_failure(realtime_adddir(path, &config));
+    test_mode = 0;
+}
+
+
+void test_realtime_adddir_realtime_update(void **state) {
+    int ret;
+    char *path = strdup("/etc/folder");
+    const char *dummy_key = "1";
+
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, dummy_key, (void *) path);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, 1);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, dummy_key);
+    will_return(__wrap_OSHash_Get_ex, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_realtime_adddir_realtime_update_failure(void **state) {
+    int ret;
+    const char * path = "/etc/folder";
+    directory_t config = { .options = REALTIME_ACTIVE };
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    syscheck.realtime->fd = 1;
+    will_return(__wrap_inotify_add_watch, 1);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Unable to update 'dirtb'. Directory not found: '/etc/folder'");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    ret = realtime_adddir(path, &config);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_realtime_process(void **state) {
+
+    syscheck.realtime->fd = 1;
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    will_return(__wrap_read, "");
+    will_return(__wrap_read, 0);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    realtime_process();
+}
+
+void test_realtime_process_len(void **state) {
+    struct inotify_event *event = *state;
+    event->wd = 1;
+    event->mask = 2;
+    event->cookie = 0;
+    event->len = 5;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 21);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicate event in real-time buffer: test/test");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    test_mode = 1;
+    realtime_process();
+    test_mode = 0;
+}
+
+void test_realtime_process_len_zero(void **state) {
+    struct inotify_event *event = *state;
+    event->wd = 1;
+    event->mask = 2;
+    event->cookie = 0;
+    event->len = 0;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 16);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicate event in real-time buffer: test");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    test_mode = 1;
+    realtime_process();
+    test_mode = 0;
+}
+
+void test_realtime_process_len_path_separator(void **state) {
+    struct inotify_event *event = *state;
+    event->wd = 1;
+    event->mask = 2;
+    event->cookie = 0;
+    event->len = 5;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 21);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, "test/");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicate event in real-time buffer: test/test");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    test_mode = 1;
+    realtime_process();
+    test_mode = 0;
+}
+
+void test_realtime_process_overflow(void **state) {
+    struct inotify_event *event = *state;
+    event->wd = -1;
+    event->mask = 16384;
+    event->cookie = 0;
+    event->len = 5;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 21);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mwarn, formatted_msg, "Real-time inotify kernel queue is full. Some events may be lost. Next scheduled scan will recover lost data.");
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_string(__wrap_send_log_msg, msg, "ossec: Real-time inotify kernel queue is full. Some events may be lost. Next scheduled scan will recover lost data.");
+    will_return(__wrap_send_log_msg, 1);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    realtime_process();
+
+    assert_int_equal(syscheck.realtime->queue_overflow, true);
+}
+
+void test_realtime_process_delete(void **state) {
+    struct inotify_event *event = *state;
+    event->wd = 1;
+    event->mask = 1024;
+    event->cookie = 0;
+    event->len = 5;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 21);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicate event in real-time buffer: test/test");
+
+    char *data = strdup("delete this");
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1");
+    will_return(__wrap_OSHash_Delete_ex, data);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6344): Inotify watch deleted for 'test'");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    test_mode = 1;
+    realtime_process();
+    test_mode = 0;
+}
+
+void test_realtime_process_move_self(void **state) {
+    realtime_process_data *data = *state;
+    struct inotify_event *event = data->event;
+
+    event->wd = 1;
+    event->mask = 2048;
+    event->cookie = 0;
+    event->len = 5;
+    strcpy(event->name, "test");
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, event);
+    will_return(__wrap_read, 21);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "1");
+    will_return(__wrap_OSHash_Get_ex, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Duplicate event in real-time buffer: test/test");
+
+    // In delete_subdirectories_watches
+    OSHashNode *node = data->node;
+
+    node->data = "test/sub";
+
+    syscheck.realtime->fd = 1;
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, node);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6344): Inotify watch deleted for 'test/sub'");
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    // Back to realtime_process
+    char *str_data = strdup("delete this");
+    expect_value_count(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb, 2);
+    expect_string(__wrap_OSHash_Delete_ex, key, "dummy_key");
+    expect_string(__wrap_OSHash_Delete_ex, key, "1");
+    will_return(__wrap_OSHash_Delete_ex, str_data);
+    will_return(__wrap_OSHash_Delete_ex, NULL);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6344): Inotify watch deleted for 'test'");
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    char **paths = NULL;
+    paths = os_AddStrArray("/test", paths);
+
+    will_return(__wrap_rbtree_keys, paths);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_string(__wrap_fim_realtime_event, file, "/test");
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    test_mode = 1;
+    realtime_process();
+    test_mode = 0;
+}
+
+void test_realtime_process_failure(void **state)
+{
+    (void) state;
+
+    syscheck.realtime->fd = 1;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_read, NULL);
+    will_return(__wrap_read, 0);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_REALTIME_READ_BUFFER);
+
+    realtime_process();
+}
+
+void test_delete_subdirectories_watches_realtime_fd_null(void **state) {
+    (void) state;
+    char *dir = "/test";
+
+    syscheck.realtime->fd = 0;
+
+    delete_subdirectories_watches(dir);
+}
+
+void test_delete_subdirectories_watches_hash_node_null(void **state) {
+    (void) state;
+    char *dir = "/test";
+    int inode_it = 0;
+
+    syscheck.realtime->fd = 1;
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    delete_subdirectories_watches(dir);
+}
+
+void test_delete_subdirectories_watches_not_same_name(void **state) {
+    (void) state;
+    char *dir = "/test/";
+    OSHashNode *node = *state;
+
+    node->data = "/other/sub";
+
+    syscheck.realtime->fd = 1;
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, node);
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    delete_subdirectories_watches(dir);
+}
+
+void test_delete_subdirectories_watches_deletes(void **state) {
+    char *dir = "/test";
+    OSHashNode *node = *state;
+
+    node->data = "/test/sub";
+
+    syscheck.realtime->fd = 1;
+    syscheck.realtime->dirtb = (OSHash *)8;
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, node);
+
+    char *data = strdup("delete this");
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "dummy_key");
+    will_return(__wrap_OSHash_Delete_ex, data);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6344): Inotify watch deleted for '/test/sub'");
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    test_mode = 1;
+    delete_subdirectories_watches(dir);
+    test_mode = 0;
+}
+
+
+void test_realtime_sanitize_watch_map_empty_hash(void **state) {
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+}
+
+void test_realtime_sanitize_watch_map_inotify_not_connected(void **state) {
+    OSHashNode node;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, &node);
+
+    syscheck.realtime->fd = -1;
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+}
+
+void test_realtime_sanitize_watch_map_entry_with_no_configuration(void **state) {
+    char *path = strdup("/some/path");
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    will_return(__wrap_inotify_rm_watch, 0);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1234");
+    will_return(__wrap_OSHash_Delete_ex, path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 0);
+}
+
+void test_realtime_sanitize_watch_map_unable_to_add_more_watches(void **state) {
+    char *path = "/media/some/path";
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, -1);
+
+    errno = ENOSPC;
+
+    expect_string(__wrap__merror, formatted_msg,
+                  "(6700): Unable to add inotify watch to real time monitoring: '/media/some/path'. '-1' '28': The "
+                  "maximum limit of inotify watches has been reached.");
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 1);
+}
+
+void test_realtime_sanitize_watch_map_entry_deleted(void **state) {
+    char *path = strdup("/media/some/path");
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, -1);
+
+    errno = ENOENT;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Removing watch on non existent directory '/media/some/path'");
+
+    will_return(__wrap_inotify_rm_watch, 0);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1234");
+    will_return(__wrap_OSHash_Delete_ex, path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 0);
+}
+
+void test_realtime_sanitize_watch_map_inotify_error(void **state) {
+    char *path = "/media/some/path";
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, -1);
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+                  "(6272): Unable to add inotify watch to real time monitoring: '/media/some/path'. '-1' "
+                  "'0':'Success'");
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 1);
+}
+
+void test_realtime_sanitize_watch_map_entry_already_up_to_date(void **state) {
+    char *path = "/media/some/path";
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, 1234);
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    test_mode = 0;
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 1);
+}
+
+void test_realtime_sanitize_watch_map_entry_with_new_watch_number(void **state) {
+    char *path = strdup("/media/some/path");
+    int i = 0;
+
+    if (path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, 4321);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "4321");
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+                  "(6227): Directory added for real time monitoring: '/media/some/path'");
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    test_mode = 0;
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 1);
+    assert_string_equal(__real_OSHash_Get_ex(syscheck.realtime->dirtb, "4321"), "/media/some/path");
+    free(__real_OSHash_Delete(syscheck.realtime->dirtb, "4321"));
+}
+
+void test_realtime_sanitize_watch_map_entry_with_new_watch_number_fail(void **state) {
+    char *path = "/media/some/path";
+    char *freeable = strdup("path to be free'd");
+    int i = 0;
+
+    if (path == NULL || freeable == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, 4321);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1234");
+    will_return(__wrap_OSHash_Delete_ex, freeable);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "4321");
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_value(__wrap_OSHash_Add_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Add_ex, key, "4321");
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_CRITICAL_ERROR_OUT_MEM);
+
+    expect_value(__wrap_OSHash_Next, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Next, NULL);
+    expect_any(__wrap__mdebug2, formatted_msg);
+    test_mode = 1;
+    realtime_sanitize_watch_map();
+}
+
+void test_realtime_sanitize_watch_map_update_existing_watch_with_new_directory(void **state) {
+    char *path = strdup("/media/some/path");
+    char *other_path = strdup("/media/some/other/path");
+    int i = 0;
+
+    if (path == NULL || other_path == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "4321", other_path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, 4321);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1234");
+    will_return(__wrap_OSHash_Delete_ex, path);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "4321");
+    will_return(__wrap_OSHash_Get_ex, other_path);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    realtime_sanitize_watch_map();
+
+    assert_int_equal(syscheck.realtime->dirtb->elements, 1);
+    free(other_path);
+    free(__real_OSHash_Delete(syscheck.realtime->dirtb, "4321"));
+}
+
+void test_realtime_sanitize_watch_map_update_existing_watch_with_new_directory_fail(void **state) {
+    char *path = strdup("/media/some/path");
+    char *other_path = strdup("/media/some/other/path");
+    char *freeable = strdup("path to be free'd");
+    int i = 0;
+
+    if (path == NULL || other_path == NULL || freeable == NULL) {
+        fail();
+    }
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "1234", path);
+    __real_OSHash_Add_ex(syscheck.realtime->dirtb, "4321", other_path);
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, __real_OSHash_Begin(syscheck.realtime->dirtb, &i));
+
+    syscheck.realtime->fd = 1;
+
+    will_return(__wrap_inotify_add_watch, 34321);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1234");
+    will_return(__wrap_OSHash_Delete_ex, freeable);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "34321");
+    will_return(__wrap_OSHash_Get_ex, other_path);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Unable to update 'dirtb'. Directory not found: '/media/some/path'");
+
+    expect_value(__wrap_OSHash_Begin, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    expect_any(__wrap__mdebug2, formatted_msg);
+
+    test_mode = 1;
+    realtime_sanitize_watch_map();
+    free(other_path);
+    free(path);
+}
+
+#else // TEST_WINAGENT
+void test_realtime_win32read_success(void **state) {
+    win32rtfim rtlocal;
+    int ret;
+
+    will_return(wrap_ReadDirectoryChangesW, 1);
+
+    ret = realtime_win32read(&rtlocal);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_realtime_win32read_unable_to_read_directory(void **state) {
+    win32rtfim rtlocal;
+    int ret;
+
+    rtlocal.dir = "C:\\a\\path";
+
+    will_return(wrap_ReadDirectoryChangesW, 0);
+
+    ret = realtime_win32read(&rtlocal);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_free_win32rtfim_data_null_input(void **state) {
+    // Nothing to check on this condition
+    free_win32rtfim_data(NULL);
+}
+
+void test_free_win32rtfim_data_full_data(void **state) {
+    win32rtfim *data = calloc(1, sizeof(win32rtfim));
+
+    if(data == NULL)
+        fail();
+
+    data->h = (HANDLE)123456;
+
+    data->overlap.hEvent = calloc(1, sizeof(PVOID));
+
+    if(data->overlap.hEvent == NULL) {
+        free(data);
+        fail();
+    }
+
+    data->dir = strdup("c:\\a\\path");
+
+    if(data->dir == NULL) {
+        free(data->overlap.hEvent);
+        free(data);
+        fail();
+    }
+
+    free_win32rtfim_data(data);
+}
+
+void test_realtime_adddir_whodata_non_existent_file(void **state) {
+    int ret;
+    directory_t *configuration;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    configuration = ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5));
+    configuration->dirs_status.status &= ~WD_CHECK_WHODATA;
+    configuration->dirs_status.status |= WD_CHECK_REALTIME;
+
+    expect_string(__wrap_check_path_type, dir, "C:\\a\\path");
+    will_return(__wrap_check_path_type, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6907): 'C:\\a\\path' does not exist. Monitoring discarded.");
+
+    ret = realtime_adddir("C:\\a\\path", configuration);
+
+    assert_int_equal(ret, 0);
+    assert_non_null(configuration->dirs_status.status & WD_CHECK_WHODATA);
+    assert_null(configuration->dirs_status.status & WD_CHECK_REALTIME);
+    assert_int_equal(configuration->dirs_status.object_type, WD_STATUS_UNK_TYPE);
+    assert_null(configuration->dirs_status.status & WD_STATUS_EXISTS);
+}
+
+void test_realtime_adddir_whodata_error_adding_whodata_dir(void **state) {
+    int ret;
+    directory_t *configuration;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    configuration = ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5));
+    configuration->dirs_status.status &= ~WD_CHECK_WHODATA;
+    configuration->dirs_status.status |= WD_CHECK_REALTIME;
+
+    expect_string(__wrap_check_path_type, dir, "C:\\a\\path");
+    will_return(__wrap_check_path_type, 2);
+
+    expect_string(__wrap_set_winsacl, dir, "C:\\a\\path");
+    expect_value(__wrap_set_winsacl, configuration, configuration);
+    will_return(__wrap_set_winsacl, 1);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6619): Unable to add directory to whodata real time monitoring: 'C:\\a\\path'. It will be monitored in Realtime");
+
+    ret = realtime_adddir("C:\\a\\path", configuration);
+
+    assert_int_equal(ret, -2);
+    assert_non_null(configuration->dirs_status.status & WD_CHECK_WHODATA);
+    assert_null(configuration->dirs_status.status & WD_CHECK_REALTIME);
+    assert_int_equal(configuration->dirs_status.object_type, WD_STATUS_DIR_TYPE);
+    assert_non_null(configuration->dirs_status.status & WD_STATUS_EXISTS);
+}
+
+void test_realtime_adddir_whodata_file_success(void **state) {
+    int ret;
+    directory_t *configuration;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    configuration = ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5));
+    configuration->dirs_status.status &= ~WD_CHECK_WHODATA;
+    configuration->dirs_status.status |= WD_CHECK_REALTIME;
+
+    expect_string(__wrap_check_path_type, dir, "C:\\a\\path");
+    will_return(__wrap_check_path_type, 1);
+
+    expect_string(__wrap_set_winsacl, dir, "C:\\a\\path");
+    expect_value(__wrap_set_winsacl, configuration, configuration);
+    will_return(__wrap_set_winsacl, 0);
+
+    ret = realtime_adddir("C:\\a\\path", configuration);
+
+    assert_int_equal(ret, 1);
+    assert_non_null(configuration->dirs_status.status & WD_CHECK_WHODATA);
+    assert_null(configuration->dirs_status.status & WD_CHECK_REALTIME);
+    assert_int_equal(configuration->dirs_status.object_type, WD_STATUS_FILE_TYPE);
+    assert_non_null(configuration->dirs_status.status & WD_STATUS_EXISTS);
+}
+
+void test_realtime_adddir_whodata_dir_success(void **state) {
+    int ret;
+    directory_t *configuration;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    configuration = ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 5));
+    configuration->dirs_status.status &= ~WD_CHECK_WHODATA;
+    configuration->dirs_status.status |= WD_CHECK_REALTIME;
+
+    expect_string(__wrap_check_path_type, dir, "C:\\a\\path");
+    will_return(__wrap_check_path_type, 2);
+
+    expect_string(__wrap_set_winsacl, dir, "C:\\a\\path");
+    expect_value(__wrap_set_winsacl, configuration, configuration);
+    will_return(__wrap_set_winsacl, 0);
+
+    ret = realtime_adddir("C:\\a\\path", configuration);
+
+    assert_int_equal(ret, 1);
+    assert_non_null(configuration->dirs_status.status & WD_CHECK_WHODATA);
+    assert_null(configuration->dirs_status.status & WD_CHECK_REALTIME);
+    assert_int_equal(configuration->dirs_status.object_type, WD_STATUS_DIR_TYPE);
+    assert_non_null(configuration->dirs_status.status & WD_STATUS_EXISTS);
+}
+
+void test_realtime_adddir_max_limit_reached(void **state) {
+    int ret;
+    char msg[OS_SIZE_256] = { '\0' };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_value(__wrap_OSHash_Get_Elem_ex, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Get_Elem_ex, 257);
+
+    snprintf(msg, OS_SIZE_256, FIM_REALTIME_MAXNUM_WATCHES, "C:\\a\\path");
+    expect_string(__wrap__mdebug1, formatted_msg, msg);
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 0);
+}
+
+void test_realtime_adddir_duplicate_entry(void **state) {
+    win32rtfim rtlocald = { .dir = "C:\\a\\path" };
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, &rtlocald);
+
+    expect_string(__wrap_w_directory_exists, path, "C:\\a\\path");
+    will_return(__wrap_w_directory_exists, 1);
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_realtime_adddir_duplicate_entry_non_existent_directory_valid_handle(void **state) {
+    win32rtfim rtlocald = { .dir = "C:\\a\\path", .watch_status = FIM_RT_HANDLE_OPEN, .h = (HANDLE)1234 };
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+        expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, &rtlocald);
+
+    expect_string(__wrap_w_directory_exists, path, "C:\\a\\path");
+    will_return(__wrap_w_directory_exists, 0);
+
+    expect_value(wrap_CloseHandle, hObject, 1234);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+
+}
+
+void test_realtime_adddir_duplicate_entry_non_existent_directory_closed_handle(void **state) {
+    win32rtfim *rtlocald = calloc(1, sizeof(win32rtfim));
+    char debug_msg[OS_SIZE_128];
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (rtlocald == NULL) {
+        fail_msg("Failed to allocate 'rtlocald'");
+    }
+
+
+    rtlocald->dir = strdup("C:\\a\\path");
+
+    if (rtlocald->dir == NULL) {
+        free(rtlocald);
+        fail_msg("Failed to allocate 'rtlocald->dir'");
+    }
+
+    rtlocald->watch_status = FIM_RT_HANDLE_CLOSED;
+    rtlocald->h = (HANDLE)1234;
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, rtlocald);
+
+    expect_string(__wrap_w_directory_exists, path, "C:\\a\\path");
+    will_return(__wrap_w_directory_exists, 0);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Delete_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Delete_ex, rtlocald);
+
+    snprintf(debug_msg, OS_SIZE_128, FIM_REALTIME_CALLBACK, "C:\\a\\path");
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_realtime_adddir_duplicate_entry_non_existent_directory_invalid_handle(void **state) {
+    win32rtfim rtlocald = { .dir = "C:\\a\\path", .watch_status = FIM_RT_HANDLE_OPEN, .h = INVALID_HANDLE_VALUE };
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, &rtlocald);
+
+    expect_string(__wrap_w_directory_exists, path, "C:\\a\\path");
+    will_return(__wrap_w_directory_exists, 0);
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_realtime_adddir_handle_error(void **state) {
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_value(__wrap_OSHash_Get_Elem_ex, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Get_Elem_ex, 128);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, 0);
+
+    expect_string(wrap_CreateFile, lpFileName, "C:\\a\\path");
+    will_return(wrap_CreateFile, INVALID_HANDLE_VALUE);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6290): Unable to add directory to real time monitoring: 'C:\\a\\path'");
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 0);
+}
+
+void test_realtime_adddir_success(void **state) {
+    int ret;
+
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, 0);
+
+    OSHash_Add_ex_check_data = 0;
+    expect_value(__wrap_OSHash_Add_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Add_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Add_ex, 1);
+
+    expect_string(wrap_CreateFile, lpFileName, "C:\\a\\path");
+    will_return(wrap_CreateFile, (HANDLE)123456);
+
+    will_return(wrap_ReadDirectoryChangesW, 1);
+    expect_value(__wrap_OSHash_Get_Elem_ex, self, syscheck.realtime->dirtb);
+    will_return(__wrap_OSHash_Get_Elem_ex, 127);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+                  "(6227): Directory added for real time monitoring: 'C:\\a\\path'");
+
+    ret = realtime_adddir("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_RTCallBack_error_on_callback(void **state) {
+    OVERLAPPED ov = {.hEvent = "C:\\a\\path"};
+
+    will_return(wrap_FormatMessage, "Path not found.");
+    expect_string(__wrap__merror, formatted_msg, "(6613): Real time Windows callback process: 'Path not found.' (3).");
+
+    RTCallBack(ERROR_PATH_NOT_FOUND, 0, &ov);
+}
+
+void test_RTCallBack_empty_hash_table(void **state) {
+    OVERLAPPED ov = {.hEvent = "C:\\a\\path"};
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_any(__wrap_OSHash_Get_ex, key);
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_REALTIME_WINDOWS_CALLBACK_EMPTY);
+
+    RTCallBack(ERROR_SUCCESS, 1, &ov);
+}
+
+void test_RTCallBack_no_bytes_returned(void **state) {
+    win32rtfim *rt = *state;
+    OVERLAPPED ov = {.hEvent = "C:\\a\\path"};
+
+    rt->watch_status = 1;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_any(__wrap_OSHash_Get_ex, key);
+    will_return(__wrap_OSHash_Get_ex, rt);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_WARN_REALTIME_OVERFLOW);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // Inside realtime_win32read
+    will_return(wrap_ReadDirectoryChangesW, 1);
+
+    RTCallBack(ERROR_SUCCESS, 0, &ov);
+}
+
+void test_RTCallBack_acquired_changes_null_dir(void **state) {
+    win32rtfim *rt = *state;
+    OVERLAPPED ov;
+    PFILE_NOTIFY_INFORMATION pinfo;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    // Fill the win32rtfim struct with testing data
+    pinfo = (PFILE_NOTIFY_INFORMATION) rt->buffer;
+    wcscpy(pinfo->FileName, L"C:\\a\\path");
+    pinfo->FileNameLength = wcslen(pinfo->FileName) * sizeof(WCHAR);
+    pinfo->NextEntryOffset = 0;
+
+    // This condition is not taken into account
+    rt->dir = NULL;
+    rt->watch_status = 1;
+
+    ov.hEvent = "C:\\a\\path";
+
+    // Begin calls to mock functions
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path");
+    will_return(__wrap_OSHash_Get_ex, rt);
+
+    expect_string(__wrap_fim_configuration_directory, path, "C:\\a\\path");
+    will_return(__wrap_fim_configuration_directory, 0);
+
+    expect_string(__wrap_fim_configuration_directory, path, "");
+    will_return(__wrap_fim_configuration_directory, -1);
+
+    // Inside realtime_win32read
+    will_return(wrap_ReadDirectoryChangesW, 1);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    RTCallBack(ERROR_SUCCESS, 1, &ov);
+}
+
+void test_RTCallBack_acquired_changes(void **state) {
+    win32rtfim *rt = *state;
+    OVERLAPPED ov;
+    PFILE_NOTIFY_INFORMATION pinfo;
+
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    // Fill the win32rtfim struct with testing data
+    pinfo = (PFILE_NOTIFY_INFORMATION) rt->buffer;
+    wcscpy(pinfo->FileName, L"file.test");
+    pinfo->FileNameLength = wcslen(pinfo->FileName) * sizeof(WCHAR);
+    pinfo->NextEntryOffset = 0;
+
+    // This condition is not taken into account
+    rt->dir = strdup("C:\\a\\path");
+    rt->watch_status = 1;
+
+    ov.hEvent = "C:\\a\\path\\file.test";
+
+    // Begin calls to mock functions
+
+    expect_value(__wrap_OSHash_Get_ex, self, syscheck.realtime->dirtb);
+    expect_string(__wrap_OSHash_Get_ex, key, "C:\\a\\path\\file.test");
+    will_return(__wrap_OSHash_Get_ex, rt);
+
+    expect_string(__wrap_fim_configuration_directory, path, "C:\\a\\path\\file.test");
+    will_return(__wrap_fim_configuration_directory, 0);
+
+    expect_string(__wrap_fim_configuration_directory, path, "c:\\a\\path\\file.test");
+    will_return(__wrap_fim_configuration_directory, 0);
+
+    expect_string(__wrap_fim_realtime_event, file, "c:\\a\\path\\file.test");
+
+    // Inside realtime_win32read
+    will_return(wrap_ReadDirectoryChangesW, 1);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    RTCallBack(ERROR_SUCCESS, 1, &ov);
+}
+#endif
+
+static void test_fim_realtime_get_queue_overflow(void **state) {
+    rtfim realtime = { .queue_overflow = false };
+    int retval;
+
+    syscheck.realtime = &realtime;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    retval = fim_realtime_get_queue_overflow();
+
+    assert_int_equal(retval, false);
+
+    realtime.queue_overflow = true;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    retval = fim_realtime_get_queue_overflow();
+
+    assert_int_equal(retval, true);
+
+    syscheck.realtime = NULL;
+}
+
+static void test_fim_realtime_set_queue_overflow(void **state) {
+    rtfim realtime = { .queue_overflow = false };
+
+    syscheck.realtime = &realtime;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    fim_realtime_set_queue_overflow(true);
+
+    assert_int_equal(realtime.queue_overflow, true);
+
+    syscheck.realtime = NULL;
+}
+
+static void test_fim_realtime_print_watches(void **state) {
+    rtfim realtime = { .queue_overflow = false };
+    char msg[OS_SIZE_256];
+
+    syscheck.realtime = &realtime;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_any(__wrap_OSHash_Get_Elem_ex, self);
+    will_return(__wrap_OSHash_Get_Elem_ex, 257);
+
+    snprintf(msg, OS_SIZE_256, FIM_NUM_WATCHES, 257);
+    expect_string(__wrap__mdebug2, formatted_msg, msg);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    fim_realtime_print_watches();
+
+    syscheck.realtime = NULL;
+
+}
+
+
+int main(void) {
+#ifndef WIN_WHODATA
+    const struct CMUnitTest tests[] = {
+        /* realtime_start */
+        cmocka_unit_test_setup_teardown(test_realtime_start_success, setup_realtime_start, teardown_realtime_start),
+        cmocka_unit_test_setup_teardown(test_realtime_start_failure_hash, setup_realtime_start, teardown_realtime_start),
+
+#if defined(TEST_SERVER) || defined(TEST_AGENT)
+        cmocka_unit_test_setup_teardown(test_realtime_start_failure_inotify, setup_realtime_start, teardown_realtime_start),
+
+        /* realtime_adddir */
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_realtime_start_failure, setup_realtime_adddir_realtime_start_error, teardown_realtime_adddir_realtime_start_error),
+        cmocka_unit_test(test_realtime_adddir_realtime_failure),
+        cmocka_unit_test(test_realtime_adddir_realtime_watch_max_reached_failure),
+        cmocka_unit_test(test_realtime_adddir_realtime_watch_generic_failure),
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_realtime_add, setup_OSHash, teardown_OSHash),
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_realtime_add_hash_failure, setup_OSHash, teardown_OSHash),
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_realtime_update, setup_OSHash, teardown_OSHash),
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_realtime_update_failure, setup_OSHash, teardown_OSHash),
+
+        /* realtime_process */
+        cmocka_unit_test(test_realtime_process),
+        cmocka_unit_test_setup_teardown(test_realtime_process_len, setup_inotify_event, teardown_inotify_event),
+        cmocka_unit_test_setup_teardown(test_realtime_process_len_zero, setup_inotify_event, teardown_inotify_event),
+        cmocka_unit_test_setup_teardown(test_realtime_process_len_path_separator, setup_inotify_event, teardown_inotify_event),
+        cmocka_unit_test_setup_teardown(test_realtime_process_overflow, setup_inotify_event, teardown_inotify_event),
+        cmocka_unit_test_setup_teardown(test_realtime_process_delete, setup_inotify_event, teardown_inotify_event),
+        cmocka_unit_test_setup_teardown(test_realtime_process_move_self, setup_realtime_process, teardown_realtime_process),
+        cmocka_unit_test(test_realtime_process_failure),
+
+        /* delete_subdirectories_watches */
+        cmocka_unit_test_setup_teardown(test_delete_subdirectories_watches_realtime_fd_null, setup_hash_node, teardown_hash_node),
+        cmocka_unit_test_setup_teardown(test_delete_subdirectories_watches_hash_node_null, setup_hash_node, teardown_hash_node),
+        cmocka_unit_test_setup_teardown(test_delete_subdirectories_watches_not_same_name, setup_hash_node, teardown_hash_node),
+        cmocka_unit_test_setup_teardown(test_delete_subdirectories_watches_deletes, setup_hash_node, teardown_hash_node),
+
+#else
+        // realtime_win32read
+        cmocka_unit_test(test_realtime_win32read_success),
+        cmocka_unit_test(test_realtime_win32read_unable_to_read_directory),
+
+        // free_win32rtfim_data
+        cmocka_unit_test(test_free_win32rtfim_data_null_input),
+        cmocka_unit_test(test_free_win32rtfim_data_full_data),
+
+        // RTCallBack
+        cmocka_unit_test(test_RTCallBack_error_on_callback),
+        cmocka_unit_test(test_RTCallBack_empty_hash_table),
+        cmocka_unit_test_setup_teardown(test_RTCallBack_no_bytes_returned, setup_RTCallBack, teardown_RTCallBack),
+        cmocka_unit_test_setup_teardown(test_RTCallBack_acquired_changes_null_dir, setup_RTCallBack, teardown_RTCallBack),
+        cmocka_unit_test_setup_teardown(test_RTCallBack_acquired_changes, setup_RTCallBack, teardown_RTCallBack),
+#endif
+
+        /* realtime_sanitize_watch_map */
+#ifndef TEST_WINAGENT
+        cmocka_unit_test(test_realtime_sanitize_watch_map_empty_hash),
+        cmocka_unit_test(test_realtime_sanitize_watch_map_inotify_not_connected),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_entry_with_no_configuration,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_unable_to_add_more_watches,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_entry_deleted, setup_sanitize_watch_map,
+                                        teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_inotify_error, setup_sanitize_watch_map,
+                                        teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_entry_already_up_to_date,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_entry_with_new_watch_number,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_entry_with_new_watch_number_fail,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup_teardown(test_realtime_sanitize_watch_map_update_existing_watch_with_new_directory,
+                                        setup_sanitize_watch_map, teardown_sanitize_watch_map),
+        cmocka_unit_test_setup(test_realtime_sanitize_watch_map_update_existing_watch_with_new_directory_fail,
+                                        setup_sanitize_watch_map),
+#endif
+    };
+#else
+    const struct CMUnitTest tests[] = {
+        // realtime_adddir
+        cmocka_unit_test(test_realtime_adddir_whodata_non_existent_file),
+        cmocka_unit_test(test_realtime_adddir_whodata_error_adding_whodata_dir),
+        cmocka_unit_test(test_realtime_adddir_whodata_file_success),
+        cmocka_unit_test(test_realtime_adddir_whodata_dir_success),
+        cmocka_unit_test(test_realtime_adddir_max_limit_reached),
+        cmocka_unit_test(test_realtime_adddir_duplicate_entry),
+        cmocka_unit_test(test_realtime_adddir_handle_error),
+        cmocka_unit_test(test_realtime_adddir_duplicate_entry_non_existent_directory_valid_handle),
+        cmocka_unit_test(test_realtime_adddir_duplicate_entry_non_existent_directory_closed_handle),
+        cmocka_unit_test(test_realtime_adddir_duplicate_entry_non_existent_directory_invalid_handle),
+        cmocka_unit_test_setup_teardown(test_realtime_adddir_success, setup_OSHash, teardown_OSHash),
+    };
+#endif
+
+    const struct CMUnitTest realtime_helper_tests[] = {
+        cmocka_unit_test(test_fim_realtime_get_queue_overflow),
+        cmocka_unit_test(test_fim_realtime_set_queue_overflow),
+        cmocka_unit_test(test_fim_realtime_print_watches),
+    };
+
+    int results = 0;
+
+    results += cmocka_run_group_tests(tests, setup_group, teardown_group);
+    results += cmocka_run_group_tests(realtime_helper_tests, NULL, NULL);
+
+    return results;
+}
diff --git a/src/modules/fim/tests/unit/tests/test_syscheck.c b/src/modules/fim/tests/unit/tests/test_syscheck.c
new file mode 100644
index 0000000000..89ec056537
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_syscheck.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/shared/fs_op_wrappers.h"
+#include "../wrappers/wazuh/shared/validate_op_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/create_db_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/fim_db_wrappers.h"
+
+#include "syscheck.h"
+
+/* setup/teardowns */
+static int setup_group(void **state) {
+
+    if (initialize_syscheck_configuration(&syscheck) == OS_INVALID) {
+        return OS_INVALID;
+    }
+
+    fdb_t *fdb = calloc(1, sizeof(fdb_t));
+    if (fdb == NULL)
+        return -1;
+
+    *state = fdb;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    fdb_t *fdb = *state;
+
+    free(fdb);
+
+    return 0;
+}
+
+static int setup_syscheck_config(void **state) {
+    syscheck_config *syscheck_conf = calloc(1, sizeof(syscheck_config));
+
+    syscheck_conf->database_store            = FIM_DB_DISK;
+    syscheck_conf->sync_interval             = 300;
+    syscheck_conf->sync_response_timeout     = 30;
+    syscheck_conf->sync_max_interval         = 3600;
+    syscheck_conf->sync_thread_pool          = 1;
+    syscheck_conf->sync_queue_size           = 16384;
+    syscheck_conf->file_entry_limit          = 100000;
+#ifdef WIN32
+    syscheck_conf->db_entry_registry_limit   = 100000;
+#endif
+    *state = syscheck_conf;
+    return 0;
+}
+
+static int teardown_syscheck_config(void **state) {
+    syscheck_config *syscheck_conf = *state;
+
+    free(syscheck_conf);
+
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+static int setup_group_win(void **state) {
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int teardown_group_win(void **state) {
+    OSListNode *node_it;
+    if (syscheck.directories) {
+        OSList_foreach(node_it, syscheck.directories) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(syscheck.directories);
+        syscheck.directories = NULL;
+    }
+
+    return 0;
+}
+#endif
+
+/* tests */
+
+void test_fim_initialize(void **state)
+{
+    syscheck_config *syscheck_conf = *state;
+
+#ifdef TEST_WINAGENT
+    expect_wrapper_fim_db_init(syscheck_conf->database_store,
+                               syscheck_conf->sync_interval,
+                               syscheck_conf->sync_max_interval,
+                               syscheck_conf->sync_response_timeout,
+                               syscheck_conf->file_entry_limit,
+                               syscheck_conf->db_entry_registry_limit,
+                               1,
+                               syscheck_conf->sync_thread_pool,
+                               syscheck_conf->sync_queue_size);
+#else
+    expect_wrapper_fim_db_init(syscheck_conf->database_store,
+                               syscheck_conf->sync_interval,
+                               syscheck_conf->sync_max_interval,
+                               syscheck_conf->sync_response_timeout,
+                               syscheck_conf->file_entry_limit,
+                               0,
+                               0,
+                               syscheck_conf->sync_thread_pool,
+                               syscheck_conf->sync_queue_size);
+#endif
+    fim_initialize();
+}
+
+void test_read_internal(void **state)
+{
+    (void) state;
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    read_internal(0);
+}
+
+void test_read_internal_debug(void **state)
+{
+    (void) state;
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    read_internal(1);
+}
+#ifdef TEST_WINAGENT
+int Start_win32_Syscheck();
+
+int __wrap_Read_Syscheck_Config(const char * file)
+{
+    check_expected_ptr(file);
+    return mock();
+}
+
+int __wrap_rootcheck_init(int value, char * home_path)
+{
+    return mock();
+}
+
+void __wrap_start_daemon()
+{
+    function_called();
+}
+
+void __wrap_read_internal(int debug_level)
+{
+    function_called();
+}
+
+void test_Start_win32_Syscheck_no_config_file(void **state) {
+    directory_t EMPTY = { 0 };
+    registry_t REGISTRY_EMPTY[] = { { NULL, 0, 0, 0, 0, NULL, NULL } };
+
+    syscheck.registry = REGISTRY_EMPTY;
+    syscheck.disabled = 1;
+
+
+    /* Conf file not found */
+    will_return_always(__wrap_getDefine_Int, 1);
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, -1);
+    expect_string(__wrap__merror_exit, formatted_msg, "(1239): Configuration file not found: 'ossec.conf'.");
+
+    expect_assert_failure(Start_win32_Syscheck());
+}
+
+void test_Start_win32_Syscheck_corrupted_config_file(void **state) {
+    directory_t EMPTY = { 0 };
+    registry_t REGISTRY_EMPTY[] = { { NULL, 0, 0, 0, 0, NULL, NULL } };
+
+    syscheck.registry = REGISTRY_EMPTY;
+    syscheck.disabled = 1;
+
+    will_return_always(__wrap_getDefine_Int, 1);
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, 0);
+
+    expect_string(__wrap_Read_Syscheck_Config, file, "ossec.conf");
+    will_return(__wrap_Read_Syscheck_Config, -1);
+    expect_string(__wrap__mwarn, formatted_msg, "(1207): syscheck remote configuration in 'ossec.conf' is corrupted.");
+
+    will_return(__wrap_rootcheck_init, 1);
+
+    expect_wrapper_fim_db_init(0, 300, 3600, 30, 100000, 100000, 1, 1, 16384);
+    expect_function_call(__wrap_start_daemon);
+    assert_int_equal(Start_win32_Syscheck(), 0);
+}
+
+void test_Start_win32_Syscheck_syscheck_disabled_1(void **state) {
+    syscheck.directories = NULL;
+    syscheck.registry = NULL;
+    syscheck.disabled = 0;
+    char info_msg[OS_MAXSTR];
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, 0);
+
+    expect_string(__wrap_Read_Syscheck_Config, file, "ossec.conf");
+    will_return(__wrap_Read_Syscheck_Config, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6678): No directory provided for syscheck to monitor.");
+
+    expect_string(__wrap__minfo, formatted_msg, "(6001): File integrity monitoring disabled.");
+
+    will_return(__wrap_rootcheck_init, 0);
+
+    expect_wrapper_fim_db_init(0, 300, 3600, 30, 100000, 100000, 1, 1, 16384);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FILE_SIZE_LIMIT_DISABLED);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_DISK_QUOTA_LIMIT_DISABLED);
+
+    snprintf(info_msg, OS_MAXSTR, "Started (pid: %d).", getpid());
+    expect_string(__wrap__minfo, formatted_msg, info_msg);
+    expect_function_call(__wrap_start_daemon);
+    assert_int_equal(Start_win32_Syscheck(), 0);
+}
+
+void test_Start_win32_Syscheck_syscheck_disabled_2(void **state) {
+    directory_t EMPTY = { 0 };
+    char info_msg[OS_MAXSTR];
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, 0);
+
+    expect_string(__wrap_Read_Syscheck_Config, file, "ossec.conf");
+    will_return(__wrap_Read_Syscheck_Config, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6678): No directory provided for syscheck to monitor.");
+
+    expect_string(__wrap__minfo, formatted_msg, "(6001): File integrity monitoring disabled.");
+
+    will_return(__wrap_rootcheck_init, 0);
+
+    expect_wrapper_fim_db_init(0, 300, 3600, 30, 100000, 100000, 1, 1, 16384);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FILE_SIZE_LIMIT_DISABLED);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_DISK_QUOTA_LIMIT_DISABLED);
+
+    snprintf(info_msg, OS_MAXSTR, "Started (pid: %d).", getpid());
+    expect_string(__wrap__minfo, formatted_msg, info_msg);
+    expect_function_call(__wrap_start_daemon);
+    assert_int_equal(Start_win32_Syscheck(), 0);
+}
+
+void test_Start_win32_Syscheck_dirs_and_registry(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    directory_t *directory0 = fim_create_directory("c:\\dir1", 0, NULL, 512, NULL, 1024, 0);
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+    syscheck.disabled = 0;
+
+    registry_t syscheck_registry[] = { { "Entry1", 1, 0, 0, 0, NULL, NULL, "Tag1" },
+                                     { NULL, 0, 0, 0, 0, NULL, NULL, NULL } };
+    syscheck.registry = syscheck_registry;
+
+    char *syscheck_ignore[] = {"dir1", NULL};
+    syscheck.ignore = syscheck_ignore;
+    syscheck.file_size_enabled = 0;
+    syscheck.disk_quota_enabled = 0;
+    OSMatch regex;
+    regex.raw = "^regex$";
+    OSMatch *syscheck_ignore_regex[] = {&regex, NULL};
+    syscheck.ignore_regex = syscheck_ignore_regex;
+
+    registry_ignore syscheck_registry_ignore[] = { { "Entry1", 1 }, { NULL, 0 } };
+    syscheck.key_ignore = syscheck_registry_ignore;
+
+    char *syscheck_nodiff[] = {"Diff", NULL};
+    syscheck.nodiff = syscheck_nodiff;
+
+    char info_msg[OS_MAXSTR];
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, 0);
+
+    expect_string(__wrap_Read_Syscheck_Config, file, "ossec.conf");
+    will_return(__wrap_Read_Syscheck_Config, 0);
+
+    will_return(__wrap_rootcheck_init, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6002): Monitoring registry entry: 'Entry1 [x64]', with options ''");
+    expect_string(__wrap__minfo, formatted_msg, "(6003): Monitoring path: 'c:\\dir1', with options ''.");
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_FILE_SIZE_LIMIT_DISABLED);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_DISK_QUOTA_LIMIT_DISABLED);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6206): Ignore 'file' entry 'dir1'");
+
+    expect_string(__wrap__minfo, formatted_msg, "(6207): Ignore 'file' sregex '^regex$'");
+
+    expect_string(__wrap__minfo, formatted_msg, "(6206): Ignore 'registry' entry 'Entry1'");
+
+    expect_string(__wrap__minfo, formatted_msg, "(6004): No diff for file: 'Diff'");
+
+    expect_wrapper_fim_db_init(0, 300, 3600, 30, 100000, 100000, 1, 1, 16384);
+    snprintf(info_msg, OS_MAXSTR, "Started (pid: %d).", getpid());
+    expect_string(__wrap__minfo, formatted_msg, info_msg);
+
+    expect_function_call(__wrap_start_daemon);
+    assert_int_equal(Start_win32_Syscheck(), 0);
+
+    free_directory(directory0);
+    OSList_DeleteThisNode(syscheck.directories, syscheck.directories->first_node);
+}
+
+void test_Start_win32_Syscheck_whodata_active(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    directory_t *directory0 = fim_create_directory("c:\\dir1", WHODATA_ACTIVE, NULL, 512, NULL, -1, 0);
+
+    registry_t syscheck_registry[] = { { NULL, 0, 0, 0, 0, NULL, NULL } };
+
+    syscheck.disabled = 0;
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+    syscheck.registry = syscheck_registry;
+
+    syscheck.ignore = NULL;
+    syscheck.ignore_regex = NULL;
+    syscheck.key_ignore = NULL;
+    syscheck.nodiff = NULL;
+
+    char info_msg[OS_MAXSTR];
+
+    will_return_always(__wrap_getDefine_Int, 1);
+
+    expect_string(__wrap_File_DateofChange, file, "ossec.conf");
+    will_return(__wrap_File_DateofChange, 0);
+
+    expect_string(__wrap_Read_Syscheck_Config, file, "ossec.conf");
+    will_return(__wrap_Read_Syscheck_Config, 0);
+
+    will_return(__wrap_rootcheck_init, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6003): Monitoring path: 'c:\\dir1', with options 'whodata'.");
+
+    expect_wrapper_fim_db_init(0, 300, 3600, 30, 100000, 100000, 1, 1, 16384);
+    expect_string(__wrap__minfo, formatted_msg, FIM_FILE_SIZE_LIMIT_DISABLED);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_DISK_QUOTA_LIMIT_DISABLED);
+
+    snprintf(info_msg, OS_MAXSTR, "Started (pid: %d).", getpid());
+    expect_string(__wrap__minfo, formatted_msg, info_msg);
+    expect_function_call(__wrap_start_daemon);
+    assert_int_equal(Start_win32_Syscheck(), 0);
+
+    free_directory(directory0);
+    OSList_DeleteThisNode(syscheck.directories, syscheck.directories->first_node);
+}
+
+#endif
+
+int main(void) {
+    int ret;
+    const struct CMUnitTest tests[] = {
+            cmocka_unit_test_setup_teardown(test_fim_initialize, setup_syscheck_config, teardown_syscheck_config),
+            cmocka_unit_test(test_read_internal),
+            cmocka_unit_test(test_read_internal_debug),
+    };
+        /* Windows specific tests */
+#ifdef TEST_WINAGENT
+    const struct CMUnitTest tests_win[] = {
+            cmocka_unit_test(test_Start_win32_Syscheck_no_config_file),
+            cmocka_unit_test_setup_teardown(test_Start_win32_Syscheck_corrupted_config_file, setup_syscheck_config, teardown_syscheck_config),
+            cmocka_unit_test(test_Start_win32_Syscheck_dirs_and_registry),
+            cmocka_unit_test(test_Start_win32_Syscheck_whodata_active),
+            cmocka_unit_test(test_Start_win32_Syscheck_syscheck_disabled_1),
+            cmocka_unit_test(test_Start_win32_Syscheck_syscheck_disabled_2),
+    };
+#endif
+
+    ret = cmocka_run_group_tests(tests, setup_group, teardown_group);
+#ifdef TEST_WINAGENT
+    ret += cmocka_run_group_tests(tests_win, setup_group_win, teardown_group_win);
+#endif
+
+    return ret;
+}
diff --git a/src/modules/fim/tests/unit/tests/test_syscom.c b/src/modules/fim/tests/unit/tests/test_syscom.c
new file mode 100644
index 0000000000..06fa8d94a3
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/test_syscom.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/config_wrappers.h"
+#include "../wrappers/wazuh/syscheckd/fim_sync_wrappers.h"
+#include "../../syscheckd/include/syscheck.h"
+#include "../../config/syscheck-config.h"
+
+
+/* redefinitons/wrapping */
+
+static int delete_string(void **state)
+{
+    char *data = *state;
+    free(data);
+    return 0;
+}
+
+
+/* tests */
+
+
+void test_syscom_dispatch_getconfig_agent(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "syscheck getconfig args";
+    char * output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6283): At SYSCOM getconfig: Could not get 'args' section.");
+
+    ret = syscom_dispatch(command, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Could not get requested section");
+    assert_int_equal(ret, 35);
+}
+
+void test_syscom_dispatch_getconfig_manager(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "getconfig args";
+    char * output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6283): At SYSCOM getconfig: Could not get 'args' section.");
+
+    ret = syscom_dispatch(command, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Could not get requested section");
+    assert_int_equal(ret, 35);
+}
+
+
+void test_syscom_dispatch_getconfig_noargs(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "syscheck getconfig";
+    char * output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6281): SYSCOM getconfig needs arguments.");
+
+    ret = syscom_dispatch(command, &output);
+    *state = output;
+
+    assert_string_equal(output, "err SYSCOM getconfig needs arguments");
+    assert_int_equal(ret, 36);
+}
+
+
+void test_syscom_dispatch_dbsync(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "fim_file dbsync args";
+    char *output;
+
+    expect_string(__wrap_fim_sync_push_msg, msg, "fim_file dbsync args");
+
+    ret = syscom_dispatch(command, &output);
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_syscom_dispatch_dbsync_noargs(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "fim_file dbsync";
+    char *output;
+
+    expect_string(__wrap_fim_sync_push_msg, msg, "fim_file dbsync");
+
+    ret = syscom_dispatch(command, &output);
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_syscom_dispatch_restart_agent(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "syscheck restart";
+    char *output;
+
+    ret = syscom_dispatch(command, &output);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_syscom_dispatch_restart_manager(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "restart";
+    char *output;
+
+    ret = syscom_dispatch(command, &output);
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_syscom_dispatch_getconfig_unrecognized(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char command[] = "invalid";
+    char * output;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6282): SYSCOM Unrecognized command 'invalid'");
+
+    ret = syscom_dispatch(command, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Unrecognized command");
+    assert_int_equal(ret, 24);
+}
+
+void test_syscom_dispatch_null_command(void **state)
+{
+    char * output;
+
+    expect_assert_failure(syscom_dispatch(NULL, &output));
+}
+
+void test_syscom_dispatch_null_output(void **state)
+{
+    char command[] = "invalid";
+
+    expect_assert_failure(syscom_dispatch(command, NULL));
+}
+
+void test_syscom_getconfig_syscheck(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "syscheck";
+    char * output;
+
+    cJSON * root = cJSON_CreateObject();
+    cJSON_AddStringToObject(root, "test", "syscheck");
+
+    will_return(__wrap_getSyscheckConfig, root);
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "ok {\"test\":\"syscheck\"}");
+    assert_int_equal(ret, 22);
+}
+
+
+void test_syscom_getconfig_syscheck_failure(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "syscheck";
+    char * output;
+
+    will_return(__wrap_getSyscheckConfig, NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6283): At SYSCOM getconfig: Could not get 'syscheck' section.");
+
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Could not get requested section");
+    assert_int_equal(ret, 35);
+}
+
+
+void test_syscom_getconfig_rootcheck(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "rootcheck";
+    char * output;
+
+    cJSON * root = cJSON_CreateObject();
+    cJSON_AddStringToObject(root, "test", "rootcheck");
+
+    will_return(__wrap_getRootcheckConfig, root);
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "ok {\"test\":\"rootcheck\"}");
+    assert_int_equal(ret, 23);
+}
+
+
+void test_syscom_getconfig_rootcheck_failure(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "rootcheck";
+    char * output;
+
+    will_return(__wrap_getRootcheckConfig, NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6283): At SYSCOM getconfig: Could not get 'rootcheck' section.");
+
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Could not get requested section");
+    assert_int_equal(ret, 35);
+}
+
+
+void test_syscom_getconfig_internal(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "internal";
+    char * output;
+
+    cJSON * root = cJSON_CreateObject();
+    cJSON_AddStringToObject(root, "test", "internal");
+
+    will_return(__wrap_getSyscheckInternalOptions, root);
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "ok {\"test\":\"internal\"}");
+    assert_int_equal(ret, 22);
+}
+
+
+void test_syscom_getconfig_internal_failure(void **state)
+{
+    (void) state;
+    size_t ret;
+
+    char * section = "internal";
+    char * output;
+
+    will_return(__wrap_getSyscheckInternalOptions, NULL);
+    expect_string(__wrap__mdebug1, formatted_msg, "(6283): At SYSCOM getconfig: Could not get 'internal' section.");
+
+    ret = syscom_getconfig(section, &output);
+    *state = output;
+
+    assert_string_equal(output, "err Could not get requested section");
+    assert_int_equal(ret, 35);
+}
+
+void test_syscom_getconfig_null_section(void **state)
+{
+    char * output;
+
+    expect_assert_failure(syscom_getconfig(NULL, &output));
+}
+
+void test_syscom_getconfig_null_output(void **state)
+{
+    char * section = "internal";
+
+    expect_assert_failure(syscom_getconfig(section, NULL));
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_teardown(test_syscom_dispatch_getconfig_agent, delete_string),
+        cmocka_unit_test_teardown(test_syscom_dispatch_getconfig_manager, delete_string),
+        cmocka_unit_test_teardown(test_syscom_dispatch_getconfig_noargs, delete_string),
+        cmocka_unit_test(test_syscom_dispatch_dbsync),
+        cmocka_unit_test(test_syscom_dispatch_dbsync_noargs),
+        cmocka_unit_test(test_syscom_dispatch_restart_agent),
+        cmocka_unit_test(test_syscom_dispatch_restart_manager),
+        cmocka_unit_test_teardown(test_syscom_dispatch_getconfig_unrecognized, delete_string),
+        cmocka_unit_test_teardown(test_syscom_dispatch_null_command, delete_string),
+        cmocka_unit_test(test_syscom_dispatch_null_output),
+        cmocka_unit_test_teardown(test_syscom_getconfig_syscheck, delete_string),
+        cmocka_unit_test_teardown(test_syscom_getconfig_syscheck_failure, delete_string),
+        cmocka_unit_test_teardown(test_syscom_getconfig_rootcheck, delete_string),
+        cmocka_unit_test_teardown(test_syscom_getconfig_rootcheck_failure, delete_string),
+        cmocka_unit_test_teardown(test_syscom_getconfig_internal, delete_string),
+        cmocka_unit_test_teardown(test_syscom_getconfig_internal_failure, delete_string),
+        cmocka_unit_test(test_syscom_getconfig_null_section),
+        cmocka_unit_test(test_syscom_getconfig_null_output),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/fim/tests/unit/tests/utils.c b/src/modules/fim/tests/unit/tests/utils.c
new file mode 100644
index 0000000000..9358d83731
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/utils.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "test_fim.h"
+
+int setup_os_list(void **state) {
+    OSList *list = OSList_Create();
+
+    if (list == NULL) {
+        return -1;
+    }
+
+    *state = list;
+
+    return 0;
+}
+
+int teardown_os_list(void **state) {
+    OSList *list = *state;
+
+    OSList_Destroy(list);
+
+    return 0;
+}
+
+int setup_rb_tree(void **state) {
+    rb_tree *tree = rbtree_init();
+
+    if (tree == NULL) {
+        return -1;
+    }
+
+    *state = tree;
+
+    return 0;
+}
+
+int teardown_rb_tree(void **state) {
+    rb_tree *tree = *state;
+
+    rbtree_destroy(tree);
+
+    return 0;
+}
+
+#define BASE_WIN_ALLOWED_ACE "[" \
+    "\"delete\"," \
+    "\"read_control\"," \
+    "\"write_dac\"," \
+    "\"write_owner\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"write_data\"," \
+    "\"append_data\"," \
+    "\"read_ea\"," \
+    "\"write_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"," \
+    "\"write_attributes\"" \
+"]"
+
+#define BASE_WIN_DENIED_ACE "[" \
+    "\"read_control\"," \
+    "\"synchronize\"," \
+    "\"read_data\"," \
+    "\"read_ea\"," \
+    "\"execute\"," \
+    "\"read_attributes\"" \
+"]"
+
+#define BASE_WIN_ACE "{" \
+    "\"name\": \"Users\"," \
+    "\"allowed\": " BASE_WIN_ALLOWED_ACE "," \
+    "\"denied\": " BASE_WIN_DENIED_ACE \
+"}"
+
+cJSON *create_win_permissions_object() {
+    static const char * const BASE_WIN_PERMS = "{\"S-1-5-32-636\": " BASE_WIN_ACE "}";
+    return cJSON_Parse(BASE_WIN_PERMS);
+}
diff --git a/src/modules/fim/tests/unit/tests/whodata/CMakeLists.txt b/src/modules/fim/tests/unit/tests/whodata/CMakeLists.txt
new file mode 100644
index 0000000000..20cfcfd957
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/CMakeLists.txt
@@ -0,0 +1,140 @@
+include_directories(${SRC_FOLDER}/syscheckd/include)
+include_directories(${SRC_FOLDER}/syscheckd/src)
+include_directories(${SRC_FOLDER}/unit_tests)
+include_directories(${SRC_FOLDER}/config)
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+if(NOT ${TARGET} STREQUAL "winagent")
+    # test_audit_healthcheck tests
+    add_executable(test_audit_healthcheck test_audit_healthcheck.c)
+    target_compile_options(test_audit_healthcheck PRIVATE "-Wall")
+
+    set(AUDIT_HC_FLAGS "-Wl,--wrap=_mdebug1,--wrap=_mdebug2 -Wl,--wrap,audit_add_rule \
+                        -Wl,--wrap,pthread_cond_wait -Wl,--wrap,pthread_mutex_lock \
+                        -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,CreateThread -Wl,--wrap,wfopen \
+                        -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fgetpos \
+                        -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fgetc \
+                        -Wl,--wrap,getpid -Wl,--wrap,sleep -Wl,--wrap,unlink -Wl,--wrap,audit_delete_rule \
+                        -Wl,--wrap,select -Wl,--wrap,audit_parse -Wl,--wrap=abspath -Wl,--wrap,atomic_int_get \
+                        -Wl,--wrap,atomic_int_set -Wl,--wrap,atomic_int_dec -Wl,--wrap,atomic_int_inc \
+                        -Wl,--wrap,pthread_cond_timedwait -Wl,--wrap,gettime -Wl,--wrap,fim_db_init \
+                        -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                        -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                        -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                        -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows -Wl,--wrap,popen")
+
+    target_link_libraries(test_audit_healthcheck SYSCHECK_O ${TEST_DEPS})
+
+    target_link_libraries(test_audit_healthcheck "${AUDIT_HC_FLAGS}")
+    add_test(NAME test_audit_healthcheck COMMAND test_audit_healthcheck)
+
+    # test_syscheck_rule_handling tests
+    add_executable(test_audit_rule_handling test_audit_rule_handling.c)
+    target_compile_options(test_audit_rule_handling PRIVATE "-Wall")
+
+    set(SYSCHECK_AUDIT_FLAGS "-Wl,--wrap=_mdebug1,--wrap=_mdebug2,--wrap=_merror,--wrap=_mwarn,--wrap=audit_add_rule\
+                              -Wl,--wrap=pthread_mutex_lock,--wrap=pthread_mutex_unlock,--wrap=fim_db_init \
+                              -Wl,--wrap=pthread_rwlock_rdlock,--wrap=pthread_rwlock_wrlock,--wrap=pthread_rwlock_unlock \
+                              -Wl,--wrap=fopen,--wrap=fclose,--wrap=fflush,--wrap=fgets,--wrap=fgetpos,--wrap=wfopen \
+                              -Wl,--wrap=fread,--wrap=fseek,--wrap=fwrite,--wrap=remove,--wrap=fgetc \
+                              -Wl,--wrap=getpid,--wrap=sleep,--wrap=unlink,--wrap=audit_delete_rule \
+                              -Wl,--wrap=select,--wrap=audit_parse,--wrap=audit_get_rule_list,--wrap=audit_close \
+                              -Wl,--wrap=search_audit_rule,--wrap=audit_open -Wl,--wrap,atomic_int_get \
+                              -Wl,--wrap,atomic_int_set -Wl,--wrap,atomic_int_dec -Wl,--wrap,atomic_int_inc \
+                              -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                              -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                              -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                              -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows -Wl,--wrap,popen")
+
+    target_link_libraries(test_audit_rule_handling SYSCHECK_O ${TEST_DEPS})
+
+    target_link_libraries(test_audit_rule_handling "${SYSCHECK_AUDIT_FLAGS}")
+    add_test(NAME test_audit_rule_handling COMMAND test_audit_rule_handling)
+
+    # test_syscheck_audit tests
+    add_executable(test_syscheck_audit test_syscheck_audit.c)
+    target_compile_options(test_syscheck_audit PRIVATE "-Wall")
+
+    set(SYSCHECK_AUDIT_FLAGS "-Wl,--wrap,pthread_cond_wait -Wl,--wrap,pthread_mutex_lock \
+                              -Wl,--wrap,openproc -Wl,--wrap,readproc -Wl,--wrap,freeproc -Wl,--wrap,popen \
+                              -Wl,--wrap,OS_ConnectUnixDomain -Wl,--wrap,audit_add_rule -Wl,--wrap,audit_restart  \
+                              -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,closeproc  -Wl,--wrap,recv -Wl,--wrap,IsDir \
+                              -Wl,--wrap,IsLink -Wl,--wrap,IsFile -Wl,--wrap,IsSocket -Wl,--wrap,fprintf -Wl,--wrap,wfopen \
+                              -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fgetpos \
+                              -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fgetc \
+                              -Wl,--wrap,getpid -Wl,--wrap,sleep -Wl,--wrap,unlink -Wl,--wrap,audit_delete_rule \
+                              -Wl,--wrap,select -Wl,--wrap,audit_parse -Wl,--wrap,symlink -Wl,--wrap,SendMSG \
+                              -Wl,--wrap,audit_get_rule_list -Wl,--wrap,fim_audit_reload_rules \
+                              -Wl,--wrap,search_audit_rule -Wl,--wrap,abspath -Wl,--wrap,atomic_int_get \
+                              -Wl,--wrap,atomic_int_set -Wl,--wrap,atomic_int_dec -Wl,--wrap,atomic_int_inc \
+                              -Wl,--wrap,pthread_rwlock_wrlock -Wl,--wrap,pthread_rwlock_unlock \
+                              -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap,OS_SHA1_Str -Wl,--wrap,fim_db_init \
+                              -Wl,--wrap,OS_SHA1_File -Wl,--wrap,audit_open -Wl,--wrap,audit_close \
+                              -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                              -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                              -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                              -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                              ${DEBUG_OP_WRAPPERS}")
+
+    target_link_libraries(test_syscheck_audit SYSCHECK_O ${TEST_DEPS})
+
+    target_link_libraries(test_syscheck_audit "${SYSCHECK_AUDIT_FLAGS}")
+    add_test(NAME test_syscheck_audit COMMAND test_syscheck_audit)
+
+    # test_audit_parse tests
+    add_executable(test_audit_parse test_audit_parse.c)
+    target_compile_options(test_audit_parse PRIVATE "-Wall")
+
+    set(AUDIT_PARSE_FLAGS "-Wl,--wrap=_mdebug1,--wrap=_mdebug2 -Wl,--wrap=_mwarn -Wl,--wrap=_minfo \
+                           -Wl,--wrap,audit_add_rule -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,popen \
+                           -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush \
+                           -Wl,--wrap,fgets -Wl,--wrap,fgetpos -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite\
+                           -Wl,--wrap,remove -Wl,--wrap,fgetc -Wl,--wrap,getpid -Wl,--wrap,sleep -Wl,--wrap,unlink \
+                           -Wl,--wrap,audit_delete_rule -Wl,--wrap,realpath -Wl,--wrap,atexit -Wl,--wrap,audit_open\
+                           -Wl,--wrap,get_user -Wl,--wrap,get_group -Wl,--wrap,readlink -Wl,--wrap,audit_get_rule_list \
+                           -Wl,--wrap,SendMSG -Wl,--wrap,fim_whodata_event -Wl,--wrap,search_audit_rule \
+                           -Wl,--wrap,audit_close -Wl,--wrap,fim_manipulated_audit_rules -Wl,--wrap,wfopen \
+                           -Wl,--wrap,fim_audit_reload_rules -Wl,--wrap,remove_audit_rule_syscheck \
+                           -Wl,--wrap,atomic_int_get -Wl,--wrap,atomic_int_set -Wl,--wrap,atomic_int_dec \
+                           -Wl,--wrap,atomic_int_inc -Wl,--wrap,pthread_rwlock_wrlock -Wl,--wrap,pthread_rwlock_unlock \
+                           -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                           -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                           -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_db_init \
+                           -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap=fim_run_integrity -Wl,--wrap=fim_db_transaction_start \
+                           -Wl,--wrap=fim_db_transaction_sync_row -Wl,--wrap=fim_db_transaction_deleted_rows \
+                           ${DEBUG_OP_WRAPPERS}")
+
+    target_link_libraries(test_audit_parse SYSCHECK_O ${TEST_DEPS})
+
+    target_link_libraries(test_audit_parse "${AUDIT_PARSE_FLAGS}")
+    add_test(NAME test_audit_parse COMMAND test_audit_parse)
+else()
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+    add_executable(test_win_whodata test_win_whodata.c)
+    target_compile_options(test_win_whodata PRIVATE "-Wall")
+    set(WIN_WHODATA_FLAGS "-Wl,--wrap,wstr_replace -Wl,--wrap,SendMSG -Wl,--wrap,popen \
+                           -Wl,--wrap,free_whodata_event -Wl,--wrap,IsFile -Wl,--wrap=remove \
+                           -Wl,--wrap=fim_db_get_count_registry_data -Wl,--wrap=fim_db_get_count_registry_key -Wl,--wrap=syscom_dispatch \
+                           -Wl,--wrap,wm_exec -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,atexit -Wl,--wrap,wfopen \
+                           -Wl,--wrap,check_path_type -Wl,--wrap,pthread_rwlock_unlock -Wl,--wrap,fim_whodata_event \
+                           -Wl,--wrap,fim_checker -Wl,--wrap,os_random -Wl,--wrap,wpopenv -Wl,--wrap,atomic_int_get\
+                           -Wl,--wrap,convert_windows_string -Wl,--wrap,FOREVER -Wl,--wrap,wpclose \
+                           -Wl,--wrap,fflush -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,fprintf \
+                           -Wl,--wrap,fgets -Wl,--wrap,wstr_split -Wl,--wrap,pthread_rwlock_wrlock \
+                           -Wl,--wrap,fgetpos -Wl,--wrap,fgetc -Wl,--wrap,getDefine_Int -Wl,--wrap,pthread_rwlock_rdlock \
+                           -Wl,--wrap,pthread_mutex_lock -Wl,--wrap,pthread_mutex_unlock \
+                           -Wl,--wrap=fim_db_file_pattern_search,--wrap=fim_db_remove_path -Wl,--wrap,fim_db_get_path \
+                           -Wl,--wrap=fim_db_file_update,--wrap=fim_db_file_inode_search -Wl,--wrap,fim_db_get_count_file_inode \
+                           -Wl,--wrap=fim_db_get_count_file_entry -Wl,--wrap=fim_db_init -Wl,--wrap=fim_run_integrity \
+                           -Wl,--wrap=fim_db_transaction_start -Wl,--wrap=fim_db_transaction_sync_row \
+                           -Wl,--wrap=fim_db_transaction_deleted_rows,--wrap=fim_sync_push_msg \
+                           -Wl,--wrap=is_fim_shutdown -Wl,--wrap=_imp__dbsync_initialize \
+                           -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown ${HASH_OP_WRAPPERS} \
+                           ${DEBUG_OP_WRAPPERS}")
+    target_link_libraries(test_win_whodata SYSCHECK_EVENT_O ${TEST_EVENT_DEPS} fimdb)
+
+    target_link_libraries(test_win_whodata "${WIN_WHODATA_FLAGS}")
+    add_test(NAME test_win_whodata COMMAND test_win_whodata)
+endif()
diff --git a/src/modules/fim/tests/unit/tests/whodata/test_audit_healthcheck.c b/src/modules/fim/tests/unit/tests/whodata/test_audit_healthcheck.c
new file mode 100644
index 0000000000..763a1b05d5
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/test_audit_healthcheck.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../../wrappers/common.h"
+#include "../../../syscheckd/include/syscheck.h"
+
+#include "wrappers/externals/audit/libaudit_wrappers.h"
+#include "wrappers/externals/procpc/readproc_wrappers.h"
+#include "wrappers/libc/stdio_wrappers.h"
+#include "wrappers/libc/stdlib_wrappers.h"
+#include "wrappers/posix/unistd_wrappers.h"
+#include "wrappers/wazuh/shared/audit_op_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/file_op_wrappers.h"
+#include "wrappers/wazuh/shared/atomic_wrappers.h"
+#include "wrappers/wazuh/shared/time_op_wrappers.h"
+#include "wrappers/wazuh/shared/pthreads_op_wrappers.h"
+
+
+#include "wrappers/wazuh/syscheckd/audit_parse_wrappers.h"
+
+
+#define PERMS (AUDIT_PERM_WRITE | AUDIT_PERM_ATTR)
+
+
+extern atomic_int_t audit_health_check_creation;
+extern atomic_int_t hc_thread_active;
+extern atomic_int_t audit_thread_active;
+extern pthread_mutex_t audit_hc_mutex;
+extern pthread_cond_t audit_hc_cond;
+
+extern void __real_atomic_int_set(atomic_int_t *atomic, int value);
+extern int __real_atomic_int_get(atomic_int_t *atomic);
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    (void) state;
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    (void) state;
+    memset(&syscheck, 0, sizeof(syscheck_config));
+    Free_Syscheck(&syscheck);
+    test_mode = 0;
+    return 0;
+}
+
+int __wrap_pthread_cond_timedwait(pthread_cond_t *restrict cond, pthread_mutex_t *restrict mutex,
+                                   const struct timespec *restrict abstime) {
+    function_called();
+    return 0;
+}
+
+/**
+ * @brief Functions that prepares the wraps calls for starting the audit healthcheck thread
+ */
+void prepare_audit_healthcheck_thread() {
+    will_return(__wrap_audit_add_rule, -EEXIST);
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_AUDIT_HEALTHCHECK_START);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_atomic_int_get, atomic, &hc_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+    expect_value(__wrap_pthread_cond_wait, cond, &audit_hc_cond);
+    expect_value(__wrap_pthread_cond_wait, mutex, &audit_hc_mutex);
+
+    expect_value(__wrap_atomic_int_get, atomic, &hc_thread_active);
+    will_return(__wrap_atomic_int_get, 1);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+}
+
+
+/**
+ * @brief Functions that prepares the wraps calls for stopping the audit healthcheck thread
+ */
+void prepare_post_audit_healthcheck_thread() {
+    expect_string(__wrap_unlink, file, AUDIT_HEALTHCHECK_FILE);
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap_audit_delete_rule, path, AUDIT_HEALTHCHECK_DIR);
+    expect_value(__wrap_audit_delete_rule, perms, PERMS);
+    expect_string(__wrap_audit_delete_rule, key, "wazuh_hc");
+    will_return(__wrap_audit_delete_rule, 1);
+
+    expect_value(__wrap_atomic_int_set, atomic, &hc_thread_active);
+    will_return(__wrap_atomic_int_set, 0);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_gettime, 1232);
+    expect_function_call(__wrap_pthread_cond_timedwait);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+}
+
+/* audit_health_check() tests */
+void test_audit_health_check_fail_to_add_rule(void **state) {
+    int ret;
+
+    expect_abspath(AUDIT_HEALTHCHECK_DIR, 1);
+    expect_abspath(AUDIT_HEALTHCHECK_FILE, 1);
+
+    will_return(__wrap_audit_add_rule, -1);
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_AUDIT_HEALTHCHECK_RULE);
+
+    ret = audit_health_check(123456);
+
+    assert_int_equal(ret, -1);
+    assert_int_equal(hc_thread_active.data, 0);
+}
+
+void test_audit_health_check_fail_to_create_hc_file(void **state) {
+    int ret;
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    __real_atomic_int_set(&hc_thread_active, 1);
+
+    expect_abspath(AUDIT_HEALTHCHECK_DIR, 1);
+    expect_abspath(AUDIT_HEALTHCHECK_FILE, 1);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    __real_atomic_int_set(&audit_health_check_creation, 0);
+
+    prepare_audit_healthcheck_thread();
+
+    expect_string_count(__wrap_wfopen, path, AUDIT_HEALTHCHECK_FILE, 10);
+    expect_string_count(__wrap_wfopen, mode, "w", 10);
+    will_return_count(__wrap_wfopen, 0, 10);
+
+    expect_string_count(__wrap__mdebug1, formatted_msg, FIM_AUDIT_HEALTHCHECK_FILE, 10);
+
+    expect_value_count(__wrap_sleep, seconds, 1, 10);
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_health_check_creation, 10);
+    will_return_count(__wrap_atomic_int_get, 0, 10);
+    // outside do while
+    expect_value(__wrap_atomic_int_get, atomic, &audit_health_check_creation);
+    will_return(__wrap_atomic_int_get, 0);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_HEALTHCHECK_CREATE_ERROR);
+
+    prepare_post_audit_healthcheck_thread();
+
+    ret = audit_health_check(123456);
+
+    assert_int_equal(ret, -1);
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    assert_int_equal(__real_atomic_int_get(&hc_thread_active), 0);
+}
+
+void test_audit_health_check_no_creation_event_detected(void **state) {
+    int ret;
+
+    expect_abspath(AUDIT_HEALTHCHECK_DIR, 1);
+    expect_abspath(AUDIT_HEALTHCHECK_FILE, 1);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    __real_atomic_int_set(&hc_thread_active, 0);
+
+    prepare_audit_healthcheck_thread();
+
+    expect_string_count(__wrap_wfopen, path, AUDIT_HEALTHCHECK_FILE, 10);
+    expect_string_count(__wrap_wfopen, mode, "w", 10);
+    will_return_count(__wrap_wfopen, 1, 10);
+
+    expect_value_count(__wrap_fclose, _File, 1, 10);
+    will_return_count(__wrap_fclose, 0, 10);
+
+    expect_value_count(__wrap_sleep, seconds, 1, 10);
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_health_check_creation, 10);
+    will_return_count(__wrap_atomic_int_get, 0, 10);
+
+    // outside the loop
+    expect_value(__wrap_atomic_int_get, atomic, &audit_health_check_creation);
+    will_return(__wrap_atomic_int_get, 0);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_HEALTHCHECK_CREATE_ERROR);
+
+    prepare_post_audit_healthcheck_thread();
+
+    ret = audit_health_check(123456);
+
+    assert_int_equal(ret, -1);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    assert_int_equal(__real_atomic_int_get(&hc_thread_active), 0);
+}
+
+void test_audit_health_check_success(void **state) {
+    int ret;
+
+    expect_abspath(AUDIT_HEALTHCHECK_DIR, 1);
+    expect_abspath(AUDIT_HEALTHCHECK_FILE, 1);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    __real_atomic_int_set(&hc_thread_active, 0);
+
+    prepare_audit_healthcheck_thread();
+
+    expect_string(__wrap_wfopen, path, AUDIT_HEALTHCHECK_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    expect_value(__wrap_sleep, seconds, 1);
+    expect_value(__wrap_atomic_int_get, atomic, &audit_health_check_creation);
+    will_return(__wrap_atomic_int_get, 1);
+
+    // outside the loop
+    expect_value(__wrap_atomic_int_get, atomic, &audit_health_check_creation);
+    will_return(__wrap_atomic_int_get, 1);
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_HEALTHCHECK_SUCCESS);
+
+    prepare_post_audit_healthcheck_thread();
+
+    ret = audit_health_check(123456);
+    assert_int_equal(ret, 0);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    assert_int_equal(__real_atomic_int_get(&hc_thread_active), 0);
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+       cmocka_unit_test(test_audit_health_check_fail_to_add_rule),
+        cmocka_unit_test(test_audit_health_check_fail_to_create_hc_file),
+        cmocka_unit_test(test_audit_health_check_no_creation_event_detected),
+        cmocka_unit_test(test_audit_health_check_success),
+        };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/whodata/test_audit_parse.c b/src/modules/fim/tests/unit/tests/whodata/test_audit_parse.c
new file mode 100644
index 0000000000..3417233ec5
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/test_audit_parse.c
@@ -0,0 +1,1366 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../../wrappers/common.h"
+#include "../../../syscheckd/include/syscheck.h"
+#include "../../../syscheckd/src/whodata/syscheck_audit.h"
+
+#include "wrappers/externals/audit/libaudit_wrappers.h"
+#include "wrappers/externals/procpc/readproc_wrappers.h"
+#include "wrappers/libc/stdio_wrappers.h"
+#include "wrappers/libc/stdlib_wrappers.h"
+#include "wrappers/posix/unistd_wrappers.h"
+#include "wrappers/wazuh/shared/audit_op_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/file_op_wrappers.h"
+#include "wrappers/wazuh/syscheckd/audit_rule_handling_wrappers.h"
+
+
+#define PERMS (AUDIT_PERM_WRITE | AUDIT_PERM_ATTR)
+
+extern unsigned int count_reload_retries;
+audit_key_type filterkey_audit_events(char *buffer);
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    (void) state;
+    test_mode = 1;
+    init_regex();
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    (void) state;
+    memset(&syscheck, 0, sizeof(syscheck_config));
+    Free_Syscheck(&syscheck);
+    clean_regex();
+    test_mode = 0;
+    return 0;
+}
+
+static int setup_config(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    directory_t *directory0 = fim_create_directory("/var/test", WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return -1;
+    }
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+    return 0;
+}
+
+static int teardown_config(void **state) {
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if (syscheck.directories) {
+        OSList_foreach(node_it, syscheck.directories) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(syscheck.directories);
+        syscheck.directories = NULL;
+    }
+
+    return 0;
+}
+
+static int free_string(void **state) {
+    char * string = *state;
+    free(string);
+    return 0;
+}
+
+static int setup_custom_key(void **state) {
+    syscheck.audit_key = calloc(2, sizeof(char *));
+    if (syscheck.audit_key == NULL) {
+        return 1;
+    }
+
+    syscheck.audit_key[0] = calloc(OS_SIZE_64, sizeof(char));
+    if (syscheck.audit_key[0] == NULL) {
+        return 1;
+    }
+    return 0;
+}
+
+static int teardown_custom_key(void **state) {
+    free(syscheck.audit_key[0]);
+    free(syscheck.audit_key);
+    syscheck.audit_key = NULL;
+    return 0;
+}
+
+
+void test_filterkey_audit_events_custom(void **state) {
+    (void) state;
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=\"test_key\"";
+    char *key = "test_key";
+    char buff[OS_SIZE_128] = {0};
+
+    snprintf(syscheck.audit_key[0], strlen(key) + 1, "%s", key);
+
+    snprintf(buff, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, key);
+    expect_string(__wrap__mdebug2, formatted_msg, buff);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_CUSTOM_KEY);
+}
+
+
+void test_filterkey_audit_events_discard(void **state) {
+    (void) state;
+
+    char *key = "test_key";
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=\"test_invalid_key\"";
+
+    syscheck.audit_key = calloc(2, sizeof(char *));
+    syscheck.audit_key[0] = calloc(strlen(key) + 2, sizeof(char));
+    snprintf(syscheck.audit_key[0], strlen(key) + 1, "%s", key);
+
+    ret = filterkey_audit_events(event);
+
+    free(syscheck.audit_key[0]);
+    free(syscheck.audit_key);
+
+    assert_int_equal(ret, FIM_AUDIT_UNKNOWN_KEY);
+}
+
+
+void test_filterkey_audit_events_hc(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=\"wazuh_hc\"";
+    char buff[OS_SIZE_128] = {0};
+
+    snprintf(buff, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_hc");
+    expect_string(__wrap__mdebug2, formatted_msg, buff);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_HC_KEY);
+}
+
+
+void test_filterkey_audit_events_fim(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=\"wazuh_fim\"";
+    char audit_key_msg[OS_SIZE_128] = {0};
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_KEY);
+}
+
+void test_filterkey_audit_events_missing_whitespace(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57key=\"wazuh_fim\"";
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_UNKNOWN_KEY);
+}
+
+void test_filterkey_audit_events_missing_equal_sign(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key\"wazuh_fim\"";
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_UNKNOWN_KEY);
+}
+
+void test_filterkey_audit_events_no_key(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57";
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_UNKNOWN_KEY);
+}
+
+void test_filterkey_audit_events_key_at_the_beggining(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "key=\"wazuh_fim\" type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_KEY);
+}
+
+void test_filterkey_audit_events_key_end_line(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 \nkey=\"wazuh_fim\"";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_KEY);
+}
+
+void test_filterkey_audit_events_hex_coded_key_no_fim(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    snprintf(syscheck.audit_key[0], OS_SIZE_64, "key_1");
+
+    // The decoded key in the event is "key_1\001key_2"
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=6B65795F31016B65795F32";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "key_1");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_CUSTOM_KEY);
+}
+
+void test_filterkey_audit_events_hex_coded_key_no_fim_second_key(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    snprintf(syscheck.audit_key[0], OS_SIZE_64, "key_2");
+    // The decoded key in the event is "key_1\001key_2"
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=6B65795F31016B65795F32";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "key_2");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_CUSTOM_KEY);
+}
+
+void test_filterkey_audit_events_hex_coded_key_fim(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    // The decoded key of the event is "wazuh_fim\001key_2\001key_1"
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=77617A75685F66696D016B65795F32016B65795F31 ";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_KEY);
+}
+
+void test_filterkey_audit_events_path_named_key(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    snprintf(syscheck.audit_key[0], OS_SIZE_64, "key_1");
+    // The decoded key in the event is "key_1\001key_2"
+    char * event = "path=\"key\" type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=6B65795F31016B65795F32";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "key_1");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_CUSTOM_KEY);
+}
+
+void test_filterkey_audit_events_separator(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    // The decoded key of the event is "wazuh_fim\001key_2\001key_1"
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=77617A75685F66696D016B65795F32016B65795F31\035ARCH= ";
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_KEY);
+}
+
+void test_filterkey_audit_events_separator_in_key(void **state) {
+    (void) state;
+
+    audit_key_type ret;
+    // The decoded key of the event is "wazuh_f`5\001key_2\001key_1"
+    char * event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 key=77617A75685F666035016B65795F32016B65795F31\035ARCH= ";
+    snprintf(syscheck.audit_key[0], OS_SIZE_64, "wazuh_f`5");
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_f`5");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    ret = filterkey_audit_events(event);
+
+    assert_int_equal(ret, FIM_AUDIT_CUSTOM_KEY);
+}
+
+
+void test_gen_audit_path(void **state) {
+    (void) state;
+
+    char * cwd = "/root";
+    char * path0 = "/root/test/";
+    char * path1 = "/root/test/file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, path1);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/test/file");
+}
+
+
+void test_gen_audit_path2(void **state) {
+    (void) state;
+
+    char * cwd = "/root";
+    char * path0 = "./test/";
+    char * path1 = "./test/file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, path1);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/test/file");
+}
+
+
+void test_gen_audit_path3(void **state) {
+    (void) state;
+
+    char * cwd = "/";
+    char * path0 = "root/test/";
+    char * path1 = "root/test/file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, path1);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/test/file");
+}
+
+
+void test_gen_audit_path4(void **state) {
+    (void) state;
+
+    char * cwd = "/";
+    char * path0 = "/file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, NULL);
+    *state = ret;
+
+    assert_string_equal(ret, "/file");
+}
+
+
+void test_gen_audit_path5(void **state) {
+    (void) state;
+
+    char * cwd = "/root/test";
+    char * path0 = "../test/";
+    char * path1 = "../test/file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, path1);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/test/file");
+}
+
+
+void test_gen_audit_path6(void **state) {
+    (void) state;
+
+    char * cwd = "/root";
+    char * path0 = "./file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, NULL);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/file");
+}
+
+
+void test_gen_audit_path7(void **state) {
+    (void) state;
+
+    char * cwd = "/root";
+    char * path0 = "../file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, NULL);
+    *state = ret;
+
+    assert_string_equal(ret, "/file");
+}
+
+
+void test_gen_audit_path8(void **state) {
+    (void) state;
+
+    char * cwd = "/root";
+    char * path0 = "file";
+
+    char * ret;
+    ret = gen_audit_path(cwd, path0, NULL);
+    *state = ret;
+
+    assert_string_equal(ret, "/root/file");
+}
+
+void test_get_process_parent_info_failed(void **state) {
+    (void) state;
+
+    char *parent_name;
+    char *parent_cwd;
+
+    parent_name = malloc(10);
+    parent_cwd = malloc(10);
+    errno = 17;
+    will_return(__wrap_readlink, -1);
+    expect_string(__wrap__mdebug1, formatted_msg, "Failure to obtain the name of the process: '1515'. Error: File exists");
+
+    will_return(__wrap_readlink, -1);
+    expect_string(__wrap__mdebug1, formatted_msg, "Failure to obtain the cwd of the process: '1515'. Error: File exists");
+    get_parent_process_info("1515", &parent_name, &parent_cwd);
+    errno = 0;
+
+    assert_string_equal(parent_name, "");
+    assert_string_equal(parent_cwd, "");
+
+    if (parent_name != NULL) {
+        free(parent_name);
+        parent_name = NULL;
+    }
+
+    if (parent_cwd != NULL) {
+        free(parent_cwd);
+        parent_cwd = NULL;
+    }
+}
+
+void test_get_process_parent_info_passsed(void **state) {
+    (void) state;
+
+    char *parent_name;
+    char *parent_cwd;
+
+    parent_name = malloc(10);
+    parent_cwd = malloc(10);
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    get_parent_process_info("1515", &parent_name, &parent_cwd);
+
+    assert_string_equal(parent_name, "");
+    assert_string_equal(parent_cwd, "");
+
+    if (parent_name != NULL) {
+        free(parent_name);
+        parent_name = NULL;
+    }
+
+    if (parent_cwd != NULL) {
+        free(parent_cwd);
+        parent_cwd = NULL;
+    }
+}
+
+void test_audit_parse(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 items=2 ppid=3211 pid=44082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" exe=\"74657374C3B1\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571914029.306:3004254): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571914029.306:3004254): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571914029.306:3004254): item=1 name=\"test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571914029.306:3004254): proctitle=726D0074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_AUDIT_INVALID_AUID);
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=root, auid=, euid=root, gid=root, pid=44082, ppid=3211, inode=19, path=/root/test/test, pname=74657374C3B1");
+
+    expect_string(__wrap_realpath, path, "/root/test/test");
+    will_return(__wrap_realpath, strdup("/root/test/test"));
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 44082);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "74657374C3B1");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "19");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3211);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse3(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 items=3 ppid=3211 pid=44082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" exe=\"74657374C3B1\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571914029.306:3004254): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=\"./\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=\"folder/\" inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=\"./test\" inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571914029.306:3004254): proctitle=726D0074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=root, auid=, euid=root, gid=root, pid=44082, ppid=3211, inode=28, path=/root/test/test, pname=74657374C3B1");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 44082);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "74657374C3B1");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "28");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3211);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse4(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571923546.947:3004294): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe425fc770 a2=ffffff9c a3=7ffe425fc778 items=4 ppid=3212 pid=51452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"mv\" exe=66696C655FC3B1 key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571923546.947:3004294): cwd=2F726F6F742F746573742F74657374C3B1 \
+        type=PATH msg=audit(1571923546.947:3004294): item=0 name=\"./\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=1 name=\"folder/\" inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=2 name=\"./test\" inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=3 name=\"folder/test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571923546.947:3004294): proctitle=6D760066696C655FC3B1002E2E2F74657374C3B1322F66696C655FC3B163 \
+    ";
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6248): audit_event_1/2: uid=root, auid=root, euid=root, gid=root, pid=51452, ppid=3212, inode=19, path=/root/test/testñ/test, pname=file_ñ");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6249): audit_event_2/2: uid=root, auid=root, euid=root, gid=root, pid=51452, ppid=3212, inode=19, path=/root/test/testñ/folder/test, pname=file_ñ");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 51452);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "file_ñ");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/testñ/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "19");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3212);
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 51452);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "file_ñ");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/testñ/folder/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "19");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3212);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_hex(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571923546.947:3004294): arch=c000003e syscall=316 success=yes exit=0 a0=ffffff9c a1=7ffe425fc770 a2=ffffff9c a3=7ffe425fc778 items=4 ppid=3212 pid=51452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"mv\" exe=66696C655FC3B1 key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571923546.947:3004294): cwd=2F726F6F742F746573742F74657374C3B1 \
+        type=PATH msg=audit(1571923546.947:3004294): item=0 name=2F726F6F742F746573742F74657374C3B1 inode=19 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=1 name=2E2E2F74657374C3B1322F inode=30 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=2 name=66696C655FC3B1 inode=29 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571923546.947:3004294): item=3 name=2E2E2F74657374C3B1322F66696C655FC3B163 inode=29 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571923546.947:3004294): proctitle=6D760066696C655FC3B1002E2E2F74657374C3B1322F66696C655FC3B163 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6248): audit_event_1/2: uid=root, auid=root, euid=root, gid=root, pid=51452, ppid=3212, inode=29, path=/root/test/testñ/file_ñ, pname=file_ñ");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6249): audit_event_2/2: uid=root, auid=root, euid=root, gid=root, pid=51452, ppid=3212, inode=29, path=/root/test/testñ2/file_ñc, pname=file_ñ");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 51452);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "file_ñ");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/testñ/file_ñ");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "29");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3212);
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 51452);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "file_ñ");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/testñ2/file_ñc");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "29");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3212);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_empty_fields(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" key=\"wazuh_fim\" \
+        type=PROCTITLE msg=audit(1571914029.306:3004254): proctitle=726D0074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+
+
+    char * buffer = "type=CONFIG_CHANGE msg=audit(1571920603.069:3004276): auid=0 ses=5 op=\"remove_rule\" key=\"wazuh_fim\" list=4 res=1";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    will_return(__wrap_fim_manipulated_audit_rules, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6911): Detected Audit rules manipulation: Audit rules removed.");
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Audit rules removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+    expect_function_call(__wrap_fim_audit_reload_rules);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_recursive(void **state) {
+    char * buffer = "type=CONFIG_CHANGE msg=audit(1571920603.069:3004276): auid=0 ses=5 op=remove_rule key=\"wazuh_fim\" list=4 res=1";
+
+    syscheck.max_audit_entries = 100;
+    char audit_key_msg[OS_SIZE_128] = {0};
+
+    count_reload_retries = 0;
+    // In audit_reload_rules()
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string_count(__wrap__mdebug2, formatted_msg, audit_key_msg, 5);
+
+    will_return_count(__wrap_fim_manipulated_audit_rules, 0, 5);
+    expect_string_count(__wrap__mwarn, formatted_msg, FIM_WARN_AUDIT_RULES_MODIFIED, 5);
+    expect_function_calls(__wrap_fim_audit_reload_rules, 4);
+
+    expect_value(__wrap_atomic_int_set, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_set, 0);
+
+    expect_string_count(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Audit rules removed", 5);
+    expect_string_count(__wrap_SendMSG, locmsg, SYSCHECK, 6);
+    expect_value_count(__wrap_SendMSG, loc, LOCALFILE_MQ, 6);
+    will_return_always(__wrap_SendMSG, 1);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Max rules reload retries");
+    int i;
+    for (i = 0; i < 5; i++) {
+        audit_parse(buffer);
+    }
+
+    count_reload_retries = 0;
+}
+
+
+void test_audit_parse_mv(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571925844.299:3004308): arch=c000003e syscall=82 success=yes exit=0 a0=7ffdbb76377e a1=556c16f6c2e0 a2=0 a3=100 items=5 ppid=3210 pid=52277 auid=20 uid=30 gid=40 euid=50 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"mv\" exe=\"/usr/bin/mv\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571925844.299:3004308): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=\"./\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=\"folder/\" inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=\"./test\" inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=3 name=\"folder/test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=4 name=\"folder/test\" inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571925844.299:3004308): proctitle=6D76002E2F7465737400666F6C646572 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 30);
+    will_return(__wrap_get_user, strdup("user30"));
+    expect_value(__wrap_get_user, uid, 20);
+    will_return(__wrap_get_user, strdup("user20"));
+    expect_value(__wrap_get_user, uid, 50);
+    will_return(__wrap_get_user, strdup("user50"));
+
+    expect_value(__wrap_get_group, gid, 40);
+    will_return(__wrap_get_group, strdup("src"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=user30, auid=user20, euid=user50, gid=src, pid=52277, ppid=3210, inode=28, path=/root/test/folder/test, pname=/usr/bin/mv");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 52277);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "30");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "40");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/mv");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/folder/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "20");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "50");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "28");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3210);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_mv_hex(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571925844.299:3004308): arch=c000003e syscall=82 success=yes exit=0 a0=7ffdbb76377e a1=556c16f6c2e0 a2=0 a3=100 items=5 ppid=3210 pid=52277 auid=20 uid=30 gid=40 euid=50 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"mv\" exe=\"/usr/bin/mv\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571925844.299:3004308): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=\"./\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=\"folder/\" inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=\"./test\" inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=3 name=666F6C6465722F74657374 inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=4 name=666F6C6465722F74657374 inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571925844.299:3004308): proctitle=6D76002E2F7465737400666F6C646572 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 30);
+    will_return(__wrap_get_user, strdup("user30"));
+    expect_value(__wrap_get_user, uid, 20);
+    will_return(__wrap_get_user, strdup("user20"));
+    expect_value(__wrap_get_user, uid, 50);
+    will_return(__wrap_get_user, strdup("user50"));
+
+    expect_value(__wrap_get_group, gid, 40);
+    will_return(__wrap_get_group, strdup("src"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=user30, auid=user20, euid=user50, gid=src, pid=52277, ppid=3210, inode=28, path=/root/test/folder/test, pname=/usr/bin/mv");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 52277);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "30");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "40");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/mv");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/folder/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "20");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "50");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "28");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3210);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_rm(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571988027.797:3004340): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55578e6d8490 a2=200 a3=7f9cd931bca0 items=3 ppid=3211 pid=56650 auid=2 uid=30 gid=5 euid=2 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"rm\" exe=\"/usr/bin/rm\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571988027.797:3004340): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571988027.797:3004340): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=1 name=(null) inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=2 name=(null) inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571988027.797:3004340): proctitle=726D002D726600666F6C6465722F \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 30);
+    will_return(__wrap_get_user, strdup("user30"));
+    expect_value(__wrap_get_user, uid, 2);
+    will_return(__wrap_get_user, strdup("daemon"));
+    expect_value(__wrap_get_user, uid, 2);
+    will_return(__wrap_get_user, strdup("daemon"));
+
+    expect_value(__wrap_get_group, gid, 5);
+    will_return(__wrap_get_group, strdup("tty"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=user30, auid=daemon, euid=daemon, gid=tty, pid=56650, ppid=3211, inode=24, path=/root/test/, pname=/usr/bin/rm");
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 56650);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "30");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "5");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/rm");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "2");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "2");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "24");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3211);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_chmod(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571992092.822:3004348): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=5648a8ab74c0 a2=1ff a3=fff items=1 ppid=3211 pid=58280 auid=4 uid=99 gid=78 euid=29 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"chmod\" exe=\"/usr/bin/chmod\" key=\"wazuh_fim\" \
+        type=CWD msg=audit(1571992092.822:3004348): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571992092.822:3004348): item=0 name=\"/root/test/file\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571992092.822:3004348): proctitle=63686D6F6400373737002F726F6F742F746573742F66696C65 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_value(__wrap_get_user, uid, 99);
+    will_return(__wrap_get_user, strdup("user99"));
+    expect_value(__wrap_get_user, uid, 4);
+    will_return(__wrap_get_user, strdup("lp"));
+    expect_value(__wrap_get_user, uid, 29);
+    will_return(__wrap_get_user, strdup("user29"));
+
+    expect_value(__wrap_get_group, gid, 78);
+    will_return(__wrap_get_group, NULL);
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6247): audit_event: uid=user99, auid=lp, euid=user29, gid=, pid=58280, ppid=3211, inode=19, path=/root/test/file, pname=/usr/bin/chmod");
+
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 58280);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "99");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "78");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/chmod");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test/file");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "4");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "29");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "19");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 3211);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_rm_hc(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571988027.797:3004340): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55578e6d8490 a2=200 a3=7f9cd931bca0 items=3 ppid=3211 pid=56650 auid=2 uid=30 gid=5 euid=2 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"rm\" exe=\"/usr/bin/rm\" key=\"wazuh_hc\" \
+        type=CWD msg=audit(1571988027.797:3004340): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571988027.797:3004340): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=1 name=(null) inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=2 name=(null) inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571988027.797:3004340): proctitle=726D002D726600666F6C6465722F \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_hc");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6253): Whodata health-check: Detected file deletion event (263)");
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_add_hc(void **state) {
+    (void) state;
+    extern atomic_int_t audit_health_check_creation;
+    char audit_key_msg[OS_SIZE_128] = {0};
+
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571988027.797:3004340): arch=c000003e syscall=257 success=yes exit=0 a0=ffffff9c a1=55578e6d8490 a2=200 a3=7f9cd931bca0 items=3 ppid=3211 pid=56650 auid=2 uid=30 gid=5 euid=2 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"touch\" exe=\"/usr/bin/touch\" key=\"wazuh_hc\" \
+        type=CWD msg=audit(1571988027.797:3004340): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571988027.797:3004340): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=1 name=(null) inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=2 name=(null) inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571988027.797:3004340): proctitle=726D002D726600666F6C6465722F \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_hc");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6252): Whodata health-check: Detected file creation event (257)");
+
+    expect_value(__wrap_atomic_int_set, atomic, &audit_health_check_creation);
+    will_return(__wrap_atomic_int_set, 1);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_unknown_hc(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571988027.797:3004340): arch=c000003e syscall=90 success=yes exit=0 a0=ffffff9c a1=55578e6d8490 a2=200 a3=7f9cd931bca0 items=3 ppid=3211 pid=56650 auid=2 uid=30 gid=5 euid=2 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"chmod\" exe=\"/usr/bin/chmod\" key=\"wazuh_hc\" \
+        type=CWD msg=audit(1571988027.797:3004340): cwd=\"/root/test\" \
+        type=PATH msg=audit(1571988027.797:3004340): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=1 name=(null) inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571988027.797:3004340): item=2 name=(null) inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1571988027.797:3004340): proctitle=726D002D726600666F6C6465722F \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_hc");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6254): Whodata health-check: Unrecognized event (90)");
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_folder(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=CONFIG_CHANGE msg=audit(1572878838.610:220): op=remove_rule dir=\"/root/test\" key=\"wazuh_fim\" list=4 res=1 \
+        type=SYSCALL msg=audit(1572878838.610:220): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c2b7d7f490 a2=200 a3=7f2b8055bca0 items=2 ppid=4340 pid=62845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=\"rm\" exe=\"/usr/bin/rm\" key=(null) \
+        type=CWD msg=audit(1572878838.610:220): cwd=\"/root\" \
+        type=PATH msg=audit(1572878838.610:220): item=0 name=\"/root\" inode=655362 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1572878838.610:220): item=1 name=\"test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1572878838.610:220): proctitle=726D002D72660074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__minfo, formatted_msg, "(6027): Monitored directory '/root/test' was removed: Audit rule removed.");
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6247): audit_event: uid=root, auid=root, euid=root, gid=root, pid=62845, ppid=4340, inode=110, path=/root/test, pname=/usr/bin/rm");
+
+    expect_string(__wrap_realpath, path, "/root/test");
+    will_return(__wrap_realpath, strdup("/root/test"));
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 62845);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/rm");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "110");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 4340);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Monitored directory was removed: Audit rule removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_folder_hex(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=CONFIG_CHANGE msg=audit(1572878838.610:220): op=remove_rule dir=2F726F6F742F746573742F74657374C3B1 key=\"wazuh_fim\" list=4 res=1 \
+        type=SYSCALL msg=audit(1572878838.610:220): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c2b7d7f490 a2=200 a3=7f2b8055bca0 items=2 ppid=4340 pid=62845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=\"rm\" exe=\"/usr/bin/rm\" key=(null) \
+        type=CWD msg=audit(1572878838.610:220): cwd=\"/root\" \
+        type=PATH msg=audit(1572878838.610:220): item=0 name=\"/root\" inode=655362 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1572878838.610:220): item=1 name=\"test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1572878838.610:220): proctitle=726D002D72660074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__minfo, formatted_msg, "(6027): Monitored directory '/root/test/testñ' was removed: Audit rule removed.");
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6247): audit_event: uid=root, auid=root, euid=root, gid=root, pid=62845, ppid=4340, inode=110, path=/root/test, pname=/usr/bin/rm");
+
+    expect_string(__wrap_realpath, path, "/root/test");
+    will_return(__wrap_realpath, strdup("/root/test"));
+
+
+    expect_value(__wrap_fim_whodata_event, w_evt->process_id, 62845);
+    expect_string(__wrap_fim_whodata_event, w_evt->user_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->group_id, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->process_name, "/usr/bin/rm");
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "/root/test");
+    expect_string(__wrap_fim_whodata_event, w_evt->audit_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->effective_uid, "0");
+    expect_string(__wrap_fim_whodata_event, w_evt->inode, "110");
+    expect_value(__wrap_fim_whodata_event, w_evt->ppid, 4340);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Monitored directory was removed: Audit rule removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_folder_hex3_error(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=CONFIG_CHANGE msg=audit(1572878838.610:220): op=remove_rule dir=0 key=\"wazuh_fim\" list=4 res=1 \
+        type=SYSCALL msg=audit(1572878838.610:220): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c2b7d7f490 a2=200 a3=7f2b8055bca0 items=3 ppid=4340 pid=62845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=\"rm\" exe=1 key=(null) \
+        type=CWD msg=audit(1572878838.610:220): cwd=2 \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=3 inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=4 inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=5 inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1572878838.610:220): proctitle=726D002D72660074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '0'");
+
+    will_return(__wrap_fim_manipulated_audit_rules, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6911): Detected Audit rules manipulation: Audit rules removed.");
+    expect_function_call(__wrap_fim_audit_reload_rules);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Audit rules removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '1'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '2'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '3'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '4'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '5'");
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_folder_hex4_error(void **state) {
+    (void) state;
+    char audit_key_msg[OS_SIZE_128] = {0};
+
+    char * buffer = " \
+        type=CONFIG_CHANGE msg=audit(1572878838.610:220): op=remove_rule dir=0 key=\"wazuh_fim\" list=4 res=1 \
+        type=SYSCALL msg=audit(1572878838.610:220): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c2b7d7f490 a2=200 a3=7f2b8055bca0 items=4 ppid=4340 pid=62845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=\"rm\" exe=1 key=(null) \
+        type=CWD msg=audit(1572878838.610:220): cwd=2 \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=3 inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=4 inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=5 inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=3 name=6 inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1572878838.610:220): proctitle=726D002D72660074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '0'");
+
+    will_return(__wrap_fim_manipulated_audit_rules, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6911): Detected Audit rules manipulation: Audit rules removed.");
+    expect_function_call(__wrap_fim_audit_reload_rules);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Audit rules removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '1'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '2'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '3'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '4'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '5'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '6'");
+
+    audit_parse(buffer);
+}
+
+
+void test_audit_parse_delete_folder_hex5_error(void **state) {
+    (void) state;
+
+    char audit_key_msg[OS_SIZE_128] = {0};
+    char * buffer = " \
+        type=CONFIG_CHANGE msg=audit(1572878838.610:220): op=remove_rule dir=0 key=\"wazuh_fim\" list=4 res=1 \
+        type=SYSCALL msg=audit(1572878838.610:220): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c2b7d7f490 a2=200 a3=7f2b8055bca0 items=5 ppid=4340 pid=62845 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm=\"rm\" exe=1 key=(null) \
+        type=CWD msg=audit(1572878838.610:220): cwd=2 \
+        type=PATH msg=audit(1571925844.299:3004308): item=0 name=3 inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=1 name=4 inode=24 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=2 name=5 inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=3 name=6 inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PATH msg=audit(1571925844.299:3004308): item=4 name=7 inode=28 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 \
+        type=PROCTITLE msg=audit(1572878838.610:220): proctitle=726D002D72660074657374 \
+    ";
+
+    snprintf(audit_key_msg, OS_SIZE_128, FIM_AUDIT_MATCH_KEY, "wazuh_fim");
+    expect_string(__wrap__mdebug2, formatted_msg, audit_key_msg);
+
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '0'");
+
+    will_return(__wrap_fim_manipulated_audit_rules, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6911): Detected Audit rules manipulation: Audit rules removed.");
+    expect_function_call(__wrap_fim_audit_reload_rules);
+
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Detected rules manipulation: Audit rules removed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+    expect_value(__wrap_get_user, uid, 0);
+    will_return(__wrap_get_user, strdup("root"));
+
+    expect_value(__wrap_get_group, gid, 0);
+    will_return(__wrap_get_group, strdup("root"));
+
+    will_return(__wrap_readlink, 0);
+    will_return(__wrap_readlink, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '1'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '2'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '3'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '4'");
+    expect_string(__wrap__merror, formatted_msg, "Error found while decoding HEX bufer: '7'");
+
+    audit_parse(buffer);
+}
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_filterkey_audit_events_custom, setup_custom_key, teardown_custom_key),
+        cmocka_unit_test(test_filterkey_audit_events_discard),
+        cmocka_unit_test(test_filterkey_audit_events_fim),
+        cmocka_unit_test(test_filterkey_audit_events_hc),
+        cmocka_unit_test(test_filterkey_audit_events_missing_whitespace),
+        cmocka_unit_test(test_filterkey_audit_events_missing_equal_sign),
+        cmocka_unit_test(test_filterkey_audit_events_no_key),
+        cmocka_unit_test(test_filterkey_audit_events_key_at_the_beggining),
+        cmocka_unit_test(test_filterkey_audit_events_key_end_line),
+        cmocka_unit_test(test_filterkey_audit_events_hex_coded_key_fim),
+        cmocka_unit_test(test_filterkey_audit_events_separator),
+        cmocka_unit_test_setup_teardown(test_filterkey_audit_events_separator_in_key, setup_custom_key, teardown_custom_key),
+        cmocka_unit_test_setup_teardown(test_filterkey_audit_events_hex_coded_key_no_fim, setup_custom_key, teardown_custom_key),
+        cmocka_unit_test_setup_teardown(test_filterkey_audit_events_hex_coded_key_no_fim_second_key, setup_custom_key, teardown_custom_key),
+        cmocka_unit_test_setup_teardown(test_filterkey_audit_events_path_named_key, setup_custom_key, teardown_custom_key),
+        cmocka_unit_test_teardown(test_gen_audit_path, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path2, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path3, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path4, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path5, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path6, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path7, free_string),
+        cmocka_unit_test_teardown(test_gen_audit_path8, free_string),
+        cmocka_unit_test(test_get_process_parent_info_failed),
+        cmocka_unit_test(test_get_process_parent_info_passsed),
+        cmocka_unit_test(test_audit_parse),
+        cmocka_unit_test(test_audit_parse3),
+        cmocka_unit_test(test_audit_parse4),
+        cmocka_unit_test(test_audit_parse_hex),
+        cmocka_unit_test(test_audit_parse_empty_fields),
+        cmocka_unit_test(test_audit_parse_delete),
+        cmocka_unit_test_setup_teardown(test_audit_parse_delete_recursive, setup_config, teardown_config),
+        cmocka_unit_test(test_audit_parse_mv),
+        cmocka_unit_test(test_audit_parse_mv_hex),
+        cmocka_unit_test(test_audit_parse_rm),
+        cmocka_unit_test(test_audit_parse_chmod),
+        cmocka_unit_test(test_audit_parse_rm_hc),
+        cmocka_unit_test(test_audit_parse_add_hc),
+        cmocka_unit_test(test_audit_parse_unknown_hc),
+        cmocka_unit_test(test_audit_parse_delete_folder),
+        cmocka_unit_test(test_audit_parse_delete_folder_hex),
+        cmocka_unit_test(test_audit_parse_delete_folder_hex3_error),
+        cmocka_unit_test(test_audit_parse_delete_folder_hex4_error),
+        cmocka_unit_test(test_audit_parse_delete_folder_hex5_error),
+        };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/whodata/test_audit_rule_handling.c b/src/modules/fim/tests/unit/tests/whodata/test_audit_rule_handling.c
new file mode 100644
index 0000000000..5f59446845
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/test_audit_rule_handling.c
@@ -0,0 +1,491 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../../wrappers/common.h"
+#include "../../../syscheckd/include/syscheck.h"
+#include "../../../syscheckd/src/whodata/syscheck_audit.h"
+
+
+#include "wrappers/externals/audit/libaudit_wrappers.h"
+#include "wrappers/externals/procpc/readproc_wrappers.h"
+#include "wrappers/libc/stdio_wrappers.h"
+#include "wrappers/libc/stdlib_wrappers.h"
+#include "wrappers/posix/unistd_wrappers.h"
+#include "wrappers/wazuh/shared/audit_op_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/file_op_wrappers.h"
+#include "wrappers/wazuh/syscheckd/audit_parse_wrappers.h"
+
+
+#define PERMS (AUDIT_PERM_WRITE | AUDIT_PERM_ATTR)
+#define CHECK_ALL                                                                                           \
+    (CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM | CHECK_PERM | CHECK_SIZE | CHECK_OWNER | CHECK_GROUP | \
+     CHECK_MTIME | CHECK_INODE)
+
+extern OSList *whodata_directories;
+OSList *GENERAL_CONFIG;
+OSList *RELOAD_CONFIG;
+
+extern int audit_rule_manipulation;
+
+extern atomic_int_t audit_thread_active;
+
+/* setup/teardown */
+static int setup_group(void **state) {
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    directory_t *directory0 = fim_create_directory("/testdir0", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory1 = fim_create_directory("/testdir1", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory2 = fim_create_directory("/testdir2", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory3 = fim_create_directory("/testdir3", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory4 = fim_create_directory("/testdir4", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory5 = fim_create_directory("/testdir5", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+    directory_t *directory6 = fim_create_directory("/etc", CHECK_ALL | WHODATA_ACTIVE, NULL, 512, NULL, 1024, 0);
+
+    directory_t *general_directory0 = fim_copy_directory(directory0);
+    directory_t *general_directory1 = fim_copy_directory(directory1);
+    directory_t *general_directory2 = fim_copy_directory(directory2);
+    directory_t *general_directory3 = fim_copy_directory(directory3);
+    directory_t *general_directory4 = fim_copy_directory(directory4);
+
+    // Initialize directories list
+    GENERAL_CONFIG = OSList_Create();
+    RELOAD_CONFIG = OSList_Create();
+    if (GENERAL_CONFIG == NULL || RELOAD_CONFIG == NULL) {
+        return -1;
+    }
+
+    OSList_InsertData(GENERAL_CONFIG, NULL, general_directory0);
+    OSList_InsertData(GENERAL_CONFIG, NULL, general_directory1);
+    OSList_InsertData(GENERAL_CONFIG, NULL, general_directory2);
+    OSList_InsertData(GENERAL_CONFIG, NULL, general_directory3);
+    OSList_InsertData(GENERAL_CONFIG, NULL, general_directory4);
+
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory0);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory1);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory2);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory3);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory4);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory5);
+    OSList_InsertData(RELOAD_CONFIG, NULL, directory6);
+
+    syscheck.directories = GENERAL_CONFIG;
+
+    // The basic list needs to be created, we won't test this function.
+    fim_audit_rules_init();
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if (GENERAL_CONFIG) {
+        OSList_foreach(node_it, GENERAL_CONFIG) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(GENERAL_CONFIG);
+        GENERAL_CONFIG = NULL;
+    }
+
+    if (RELOAD_CONFIG) {
+        OSList_foreach(node_it, RELOAD_CONFIG) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(RELOAD_CONFIG);
+        RELOAD_CONFIG = NULL;
+    }
+
+    return 0;
+}
+
+static int teardown_clean_rules_list(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    OSList_CleanNodes(whodata_directories);
+
+    return 0;
+}
+
+static int setup_add_directories_to_whodata_list(void **state) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    syscheck.directories = RELOAD_CONFIG;
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        whodata_directory_t *dir = calloc(1, sizeof(whodata_directory_t));
+
+        if (dir == NULL) {
+            return -1;
+        }
+
+        dir->path = strdup(dir_it->path);
+
+        if (dir->path == NULL) {
+            return -1;
+        }
+
+        OSList_AddData(whodata_directories, dir);
+    }
+
+    syscheck.max_audit_entries = whodata_directories->currently_size;
+
+    return 0;
+}
+
+static int teardown_reload_rules(void **state) {
+    syscheck.directories = GENERAL_CONFIG;
+
+    syscheck.max_audit_entries = 256;
+
+    teardown_clean_rules_list(state);
+
+    return 0;
+}
+
+static void test_add_whodata_directory(void **state) {
+    const char *test_string = "/some/path";
+    whodata_directory_t *probe;
+
+    assert_int_equal(whodata_directories->currently_size, 0);
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    add_whodata_directory(test_string);
+
+    assert_int_equal(whodata_directories->currently_size, 1);
+
+    probe = whodata_directories->first_node->data;
+    assert_string_equal(probe->path, test_string);
+
+    probe->pending_removal = 1;
+
+    add_whodata_directory(test_string);
+
+    assert_ptr_equal(probe, whodata_directories->first_node->data);
+    assert_int_equal(probe->pending_removal, 0);
+}
+
+static void test_remove_audit_rule_syscheck(void **state) {
+    whodata_directory_t *dir = calloc(1, sizeof(whodata_directory_t));
+
+    if (dir == NULL) {
+        fail_msg("Failed to allocate memory for whodata_directory_t");
+    }
+
+    dir->pending_removal = 0;
+    dir->path = strdup("/some/path");
+
+    if (dir->path == NULL) {
+        fail_msg("Failed to allocate memory for path");
+    }
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (OSList_AddData(whodata_directories, dir) == NULL) {
+        fail_msg("Failed to add directory to the whodata rules list");
+    }
+
+    remove_audit_rule_syscheck("/some/path");
+
+    assert_int_equal(dir->pending_removal, 1);
+}
+
+static void test_fim_manipulated_audit_rules(void **state) {
+    audit_rule_manipulation = 2;
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    assert_int_equal(fim_manipulated_audit_rules(), 2);
+    assert_int_equal(fim_manipulated_audit_rules(), 1);
+    assert_int_equal(fim_manipulated_audit_rules(), 0);
+    assert_int_equal(fim_manipulated_audit_rules(), 0);
+}
+
+void test_rules_initial_load_new_rules(void **state) {
+    char log_messages[5][OS_SIZE_512];
+    int total_rules;
+
+    syscheck.max_audit_entries = 256; // Default value
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // First directory will be added
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, 15);
+
+    snprintf(log_messages[0], OS_SIZE_512, FIM_AUDIT_NEWRULE, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[0]);
+
+    // Second directory will have the rule already configured
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, -EEXIST);
+
+    snprintf(log_messages[1], OS_SIZE_512, FIM_AUDIT_ALREADY_ADDED, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 1))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[1]);
+
+    // Third directory will encounter an error
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, -1);
+    snprintf(log_messages[2], OS_SIZE_512, FIM_WARN_WHODATA_ADD_RULE, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 2))->path);
+    expect_string(__wrap__mwarn, formatted_msg, log_messages[2]);
+
+    // Fourth directory will be duplicated on the audit_op list
+    will_return(__wrap_search_audit_rule, 1);
+
+    snprintf(log_messages[3], OS_SIZE_512, FIM_AUDIT_RULEDUP, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 3))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[3]);
+
+    // Fifth directory will encounter an error
+    will_return(__wrap_search_audit_rule, -1);
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_WHODATA_CHECK_RULE);
+
+    total_rules = fim_rules_initial_load();
+
+    assert_int_equal(total_rules, 1);
+}
+
+void test_rules_initial_load_max_audit_entries(void **state) {
+    char log_messages[2][OS_SIZE_512];
+    int total_rules;
+
+    syscheck.max_audit_entries = 1;
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // First directory will be added
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, 15);
+
+    snprintf(log_messages[0], OS_SIZE_512, FIM_AUDIT_NEWRULE, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[0]);
+
+    // Second directory will be ignored, since we have room for 1 entry
+    snprintf(log_messages[1], OS_SIZE_512, FIM_ERROR_WHODATA_MAXNUM_WATCHES, ((directory_t *)OSList_GetDataFromIndex(GENERAL_CONFIG, 1))->path,
+             syscheck.max_audit_entries);
+    expect_string(__wrap__merror, formatted_msg, log_messages[1]);
+
+    total_rules = fim_rules_initial_load();
+
+    assert_int_equal(total_rules, 1);
+}
+
+static void test_clean_rules(void **state) {
+    // Ensure there are rules loaded prior to trying to delete them
+    assert_int_not_equal(whodata_directories->currently_size, 0);
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_AUDIT_DELETE_RULE);
+
+    expect_value(__wrap_atomic_int_set, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_set, 0);
+
+    expect_any_count(__wrap_audit_delete_rule, path, whodata_directories->currently_size);
+    expect_any_count(__wrap_audit_delete_rule, perms, whodata_directories->currently_size);
+    expect_any_count(__wrap_audit_delete_rule, key, whodata_directories->currently_size);
+    will_return_count(__wrap_audit_delete_rule, 1, whodata_directories->currently_size);
+
+    clean_rules();
+
+    assert_int_equal(whodata_directories->currently_size, 0);
+}
+
+static void test_fim_audit_reload_rules(void **state) {
+    char log_messages[7][OS_SIZE_512];
+    int initial_rules = whodata_directories->currently_size;
+    whodata_directory_t *probe;
+
+    assert_int_not_equal(initial_rules, 0);
+
+    // We will mark the first and third entry for removal.
+    probe = whodata_directories->first_node->data;
+    probe->pending_removal = 1;
+
+    probe = whodata_directories->first_node->next->next->data;
+    probe->pending_removal = 1;
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_AUDIT_RELOADING_RULES);
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // First directory won't have a configured rule
+    will_return(__wrap_search_audit_rule, 0);
+
+    // Second directory will be added to audit
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, 15);
+
+    snprintf(log_messages[1], OS_SIZE_512, FIM_AUDIT_NEWRULE, ((directory_t *)OSList_GetDataFromIndex(RELOAD_CONFIG, 1))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[1]);
+
+    // Third directory will be removed from audit
+    will_return(__wrap_search_audit_rule, 1);
+    expect_string(__wrap_audit_delete_rule, path, ((directory_t *)OSList_GetDataFromIndex(RELOAD_CONFIG, 2))->path);
+    expect_value(__wrap_audit_delete_rule, perms, PERMS);
+    expect_string(__wrap_audit_delete_rule, key, AUDIT_KEY);
+    will_return(__wrap_audit_delete_rule, 1);
+
+    // Fourth directory will be a rule that is already added to audit
+    will_return(__wrap_search_audit_rule, 1);
+
+    snprintf(log_messages[3], OS_SIZE_512, FIM_AUDIT_RULEDUP, ((directory_t *)OSList_GetDataFromIndex(RELOAD_CONFIG, 3))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[3]);
+
+    // Fifth directory will fail to be added
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, -1);
+    snprintf(log_messages[4], OS_SIZE_512, FIM_WARN_WHODATA_ADD_RULE, ((directory_t *)OSList_GetDataFromIndex(RELOAD_CONFIG, 4))->path);
+    expect_string(__wrap__mdebug1, formatted_msg, log_messages[4]);
+
+    // Sixth directory will attempt to be added, but find it's duplicated
+    will_return(__wrap_search_audit_rule, 0);
+    will_return(__wrap_audit_add_rule, -EEXIST);
+
+    snprintf(log_messages[5], OS_SIZE_512, FIM_AUDIT_ALREADY_ADDED, ((directory_t *)OSList_GetDataFromIndex(RELOAD_CONFIG, 5))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, log_messages[5]);
+
+    // Seventh directory will encounter an error when searching the rule
+    will_return(__wrap_search_audit_rule, -1);
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_WHODATA_CHECK_RULE);
+
+    expect_any(__wrap__mdebug1, formatted_msg);
+
+    fim_audit_reload_rules();
+
+    assert_int_equal(whodata_directories->currently_size, initial_rules - 2);
+    assert_int_equal(audit_rule_manipulation, 1);
+}
+
+static void test_fim_audit_reload_rules_full(void **state) {
+    char log_messages[7][OS_SIZE_512];
+    int initial_rules = whodata_directories->currently_size;
+    int i = 0;
+    OSListNode *node_it;
+    directory_t *dir_it;
+
+    // We trick fim_audit_reload_rules() into thinking it already has added all possible rules.
+    syscheck.max_audit_entries = 0;
+
+    assert_int_not_equal(initial_rules, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_AUDIT_RELOADING_RULES);
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    will_return_always(__wrap_search_audit_rule, 0);
+
+    OSList_foreach(node_it, RELOAD_CONFIG) {
+        dir_it = node_it->data;
+        snprintf(log_messages[i], OS_SIZE_512, FIM_ERROR_WHODATA_MAXNUM_WATCHES, dir_it->path, 0);
+        if (i == 0) {
+            // First directory will cause an error message
+            expect_string(__wrap__merror, formatted_msg, log_messages[i]);
+        } else {
+            // The rest of them will trigger debug messages
+            expect_string(__wrap__mdebug2, formatted_msg, log_messages[i]);
+        }
+        i++;
+    }
+
+    expect_any(__wrap__mdebug1, formatted_msg);
+
+    fim_audit_reload_rules();
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_teardown(test_add_whodata_directory, teardown_clean_rules_list),
+        cmocka_unit_test_teardown(test_remove_audit_rule_syscheck, teardown_clean_rules_list),
+        cmocka_unit_test(test_fim_manipulated_audit_rules),
+
+        // fim_rules_initial_load
+        cmocka_unit_test_teardown(test_rules_initial_load_new_rules, teardown_clean_rules_list),
+        cmocka_unit_test(test_rules_initial_load_max_audit_entries),
+
+        cmocka_unit_test_setup(test_clean_rules, setup_add_directories_to_whodata_list),
+
+        cmocka_unit_test_setup_teardown(test_fim_audit_reload_rules, setup_add_directories_to_whodata_list,
+                                        teardown_reload_rules),
+        cmocka_unit_test_setup_teardown(test_fim_audit_reload_rules_full, setup_add_directories_to_whodata_list,
+                                        teardown_reload_rules),
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/whodata/test_syscheck_audit.c b/src/modules/fim/tests/unit/tests/whodata/test_syscheck_audit.c
new file mode 100644
index 0000000000..edd3870a6f
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/test_syscheck_audit.c
@@ -0,0 +1,1534 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "wrappers/common.h"
+#include "../../../syscheckd/include/syscheck.h"
+#include "../../../syscheckd/src/whodata/syscheck_audit.h"
+
+#include "wrappers/externals/procpc/readproc_wrappers.h"
+#include "wrappers/libc/stdio_wrappers.h"
+#include "wrappers/libc/stdlib_wrappers.h"
+#include "wrappers/posix/unistd_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/file_op_wrappers.h"
+#include "wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "wrappers/wazuh/os_net/os_net_wrappers.h"
+#include "wrappers/wazuh/os_crypto/sha1_op_wrappers.h"
+#include "wrappers/wazuh/syscheckd/audit_parse_wrappers.h"
+#include "wrappers/wazuh/syscheckd/audit_rule_handling_wrappers.h"
+
+#include "../../../external/procps/readproc.h"
+
+extern atomic_int_t audit_health_check_creation;
+extern atomic_int_t hc_thread_active;
+extern atomic_int_t audit_thread_active;
+extern atomic_int_t audit_parse_thread_active;
+extern w_queue_t * audit_queue;
+
+#define AUDIT_RULES_FILE            "etc/audit_rules_wazuh.rules"
+#define AUDIT_RULES_LINK            "/etc/audit/rules.d/audit_rules_wazuh.rules"
+
+int hc_success = 0;
+
+int __wrap_recv(int __fd, void *__buf, size_t __n, int __flags) {
+    int ret;
+    int n;
+    check_expected(__fd);
+    n = mock();
+    if(n < __n)
+        ret = n;
+    else
+        ret = __n;
+    if(ret > 0)
+        memcpy(__buf, mock_type(void*), ret);
+
+    return ret;
+}
+
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    (void) state;
+    test_mode = 1;
+    w_mutex_init(&(audit_health_check_creation.mutex), NULL);
+    w_mutex_init(&(hc_thread_active.mutex), NULL);
+    w_mutex_init(&(audit_thread_active.mutex), NULL);
+    w_mutex_init(&(audit_parse_thread_active.mutex), NULL);
+    audit_queue = queue_init(2);
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    (void) state;
+    memset(&syscheck, 0, sizeof(syscheck_config));
+    Free_Syscheck(&syscheck);
+    test_mode = 0;
+    return 0;
+}
+
+static int free_string(void **state) {
+    char * string = *state;
+    free(string);
+    return 0;
+}
+
+static char *CUSTOM_KEY[] = { [0] = "custom_key", [1] = NULL };
+
+static int setup_syscheck_dir_links(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    syscheck.audit_key = CUSTOM_KEY;
+
+    directory_t *directory0 = fim_create_directory("/test0", WHODATA_ACTIVE, NULL, 512,
+                                                NULL, -1, 0);
+
+    directory_t *directory1 = fim_create_directory("/test1", WHODATA_ACTIVE, NULL, 512,
+                                                NULL, -1, 0);
+
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return (1);
+    }
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+    OSList_InsertData(syscheck.directories, NULL, directory1);
+
+    return 0;
+}
+
+static int teardown_syscheck_dir_links(void **state) {
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    if (syscheck.directories) {
+        OSList_foreach(node_it, syscheck.directories) {
+            free_directory(node_it->data);
+            node_it->data = NULL;
+        }
+        OSList_Destroy(syscheck.directories);
+        syscheck.directories = NULL;
+    }
+
+    return 0;
+}
+
+static int teardown_rules_to_realtime(void **state) {
+    OSHash_Free(syscheck.realtime->dirtb);
+    free(syscheck.realtime);
+    syscheck.realtime = NULL;
+    teardown_syscheck_dir_links(state);
+    return 0;
+}
+
+void test_check_auditd_enabled_success(void **state) {
+    (void) state;
+    int ret;
+
+    proc_t *mock_proc;
+
+    mock_proc = calloc(3, sizeof(proc_t));
+
+    snprintf(mock_proc[0].cmd, 16, "not-auditd");
+    mock_proc[0].tid = 20;
+
+    snprintf(mock_proc[1].cmd, 16, "something");
+    mock_proc[1].tid = 25;
+
+    snprintf(mock_proc[2].cmd, 16, "auditd");
+    mock_proc[2].tid = 15;
+
+    expect_value(__wrap_openproc, flags, PROC_FILLSTAT | PROC_FILLSTATUS | PROC_FILLCOM);
+    will_return(__wrap_openproc, 1234);
+
+    expect_value_count(__wrap_readproc, PT, 1234, 3);
+    expect_value_count(__wrap_readproc, p, NULL, 3);
+    will_return(__wrap_readproc, &mock_proc[0]);
+    will_return(__wrap_readproc, &mock_proc[1]);
+    will_return(__wrap_readproc, &mock_proc[2]);
+
+    expect_value(__wrap_freeproc, p, &mock_proc[0]);
+    expect_value(__wrap_freeproc, p, &mock_proc[1]);
+    expect_value(__wrap_freeproc, p, &mock_proc[2]);
+
+    expect_value(__wrap_closeproc, PT, 1234);
+
+    ret = check_auditd_enabled();
+    assert_return_code(ret, 0);
+    free(mock_proc);
+}
+
+void test_check_auditd_enabled_openproc_error(void **state) {
+    (void) state;
+    int ret;
+
+    expect_value(__wrap_openproc, flags, PROC_FILLSTAT | PROC_FILLSTATUS | PROC_FILLCOM);
+    will_return(__wrap_openproc, NULL);
+
+    ret = check_auditd_enabled();
+    assert_int_equal(ret, -1);
+}
+
+void test_check_auditd_enabled_readproc_error(void **state) {
+    (void) state;
+    int ret;
+
+    expect_value(__wrap_openproc, flags, PROC_FILLSTAT | PROC_FILLSTATUS | PROC_FILLCOM);
+    will_return(__wrap_openproc, 1234);
+
+    expect_value(__wrap_readproc, PT, 1234);
+    expect_value(__wrap_readproc, p, NULL);
+    will_return(__wrap_readproc, NULL);
+
+    expect_value(__wrap_closeproc, PT, 1234);
+
+    ret = check_auditd_enabled();
+    assert_int_equal(ret, -1);
+}
+
+static int test_audit_read_events_setup(void **state) {
+    int *audit_sock;
+    audit_sock = calloc(1, sizeof(int));
+    *state = audit_sock;
+    return 0;
+}
+
+static int test_audit_read_events_teardown(void **state) {
+    int *audit_sock = *state;
+    free(audit_sock);
+    return 0;
+}
+
+
+/* tests */
+
+void test_init_auditd_socket_success(void **state) {
+    (void) state;
+    int ret;
+
+    expect_any(__wrap_OS_ConnectUnixDomain, path);
+    expect_any(__wrap_OS_ConnectUnixDomain, type);
+    expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+    will_return(__wrap_OS_ConnectUnixDomain, 124);
+
+    ret = init_auditd_socket();
+    assert_int_equal(ret, 124);
+}
+
+
+void test_init_auditd_socket_failure(void **state) {
+    (void) state;
+    int ret;
+    char buffer[OS_SIZE_128] = {0};
+
+    expect_any(__wrap_OS_ConnectUnixDomain, path);
+    expect_any(__wrap_OS_ConnectUnixDomain, type);
+    expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+    will_return(__wrap_OS_ConnectUnixDomain, -5);
+
+    snprintf(buffer, OS_SIZE_128, FIM_ERROR_WHODATA_SOCKET_CONNECT, AUDIT_SOCKET);
+    expect_string(__wrap__merror, formatted_msg, buffer);
+
+    ret = init_auditd_socket();
+    assert_int_equal(ret, -1);
+}
+
+
+void test_set_auditd_config_audit3_plugin_created(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_abspath(AUDIT_SOCKET, 0);
+
+    // Plugin already created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_IsSocket, sock, AUDIT_SOCKET);
+    will_return(__wrap_IsSocket, 0);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_set_auditd_config_wrong_audit_version(void **state) {
+    (void) state;
+
+    // Not Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 1);
+    // Not Audit 2
+    expect_string(__wrap_IsDir, file, "/etc/audisp/plugins.d");
+    will_return(__wrap_IsDir, 1);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_set_auditd_config_audit2_plugin_created(void **state) {
+    // Not Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 1);
+    // Audit 2
+    expect_string(__wrap_IsDir, file, "/etc/audisp/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_abspath(AUDIT_SOCKET, 0);
+
+    // Plugin already created
+    const char *audit2_socket = "/etc/audisp/plugins.d/af_wazuh.conf";
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit2_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_IsSocket, sock, AUDIT_SOCKET);
+    will_return(__wrap_IsSocket, 0);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_set_auditd_config_audit_socket_not_created(void **state) {
+    char buffer[OS_SIZE_128] = {0};
+    syscheck.restart_audit = 0;
+
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_abspath(AUDIT_SOCKET, 0);
+
+    // Plugin already created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    snprintf(buffer, OS_SIZE_128, FIM_WARN_AUDIT_SOCKET_NOEXIST, AUDIT_SOCKET);
+    expect_string(__wrap_IsSocket, sock, AUDIT_SOCKET);
+
+    will_return(__wrap_IsSocket, 1);
+
+    expect_string(__wrap__mwarn, formatted_msg, buffer);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_set_auditd_config_audit_socket_not_created_restart(void **state) {
+    char buffer[OS_SIZE_128] = {0};
+    syscheck.restart_audit = 1;
+
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_abspath(AUDIT_SOCKET, 0);
+
+    // Plugin already created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    snprintf(buffer, OS_SIZE_128, FIM_AUDIT_NOSOCKET, AUDIT_SOCKET);
+    expect_string(__wrap__minfo, formatted_msg, buffer);
+    expect_string(__wrap_IsSocket, sock, AUDIT_SOCKET);
+    will_return(__wrap_IsSocket, 1);
+
+    will_return(__wrap_audit_restart, 99);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 99);
+}
+
+
+void test_set_auditd_config_audit_plugin_tampered_configuration(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, "/etc/audit/plugins.d/af_wazuh.conf");
+    will_return(__wrap_unlink, 0);
+
+    // Delete and create
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6025): Audit plugin configuration (etc/af_wazuh.conf) was modified. Restarting Auditd service.");
+
+    // Restart
+    syscheck.restart_audit = 1;
+    will_return(__wrap_audit_restart, 99);
+
+    int ret;
+    ret = set_auditd_config();
+
+    errno = 0;
+    assert_int_equal(ret, 99);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+    will_return(__wrap_OS_SHA1_File, -1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6025): Audit plugin configuration (etc/af_wazuh.conf) was modified. Restarting Auditd service.");
+
+    // Restart
+    syscheck.restart_audit = 1;
+    will_return(__wrap_audit_restart, 99);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 99);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_fopen_error(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1103): Could not open file 'etc/af_wazuh.conf' due to [(0)-(Success)].");
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, -1);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_fclose_error(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1140): Could not close file 'etc/af_wazuh.conf' due to [(0)-(Success)].");
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, -1);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_recreate_symlink(void **state) {
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, "/etc/audit/plugins.d/af_wazuh.conf");
+    will_return(__wrap_unlink, 0);
+
+    // Delete and create
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, 0);
+
+    // Do not restart
+    syscheck.restart_audit = 0;
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6910): Audit plugin configuration was modified. You need to restart Auditd. Who-data will be disabled.");
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 1);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_recreate_symlink_restart(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, "/etc/audit/plugins.d/af_wazuh.conf");
+    will_return(__wrap_unlink, 0);
+
+    // Delete and create
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6025): Audit plugin configuration (etc/af_wazuh.conf) was modified. Restarting Auditd service.");
+
+    // Restart
+    syscheck.restart_audit = 1;
+    will_return(__wrap_audit_restart, 99);
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, 99);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_recreate_symlink_error(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, "/etc/audit/plugins.d/af_wazuh.conf");
+    will_return(__wrap_unlink, 0);
+
+    // Delete and create
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1134): Unable to link from '/etc/audit/plugins.d/af_wazuh.conf' to 'etc/af_wazuh.conf' due to [(17)-(File exists)].");
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, -1);
+}
+
+
+void test_set_auditd_config_audit_plugin_not_created_recreate_symlink_unlink_error(void **state) {
+    // Audit 3
+    expect_string(__wrap_IsDir, file, "/etc/audit/plugins.d");
+    will_return(__wrap_IsDir, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6024): Generating Auditd socket configuration file: 'etc/af_wazuh.conf'");
+
+    // Plugin not created
+    const char *audit3_socket = "/etc/audit/plugins.d/af_wazuh.conf";
+
+    expect_abspath(AUDIT_SOCKET, 1);
+    expect_abspath(AUDIT_CONF_FILE, 1);
+
+    expect_any(__wrap_OS_SHA1_Str, str);
+    expect_any(__wrap_OS_SHA1_Str, length);
+    will_return(__wrap_OS_SHA1_Str, "6e3a100fc85241f04ed9686d37738e7d08086fb4");
+
+    expect_string(__wrap_OS_SHA1_File, fname, audit3_socket);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_TEXT);
+    will_return(__wrap_OS_SHA1_File, "0123456789abcdef0123456789abcdef01234567");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    expect_string(__wrap_wfopen, path, "etc/af_wazuh.conf");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 0);
+
+    // Create plugin
+    expect_string(__wrap_symlink, path1, "etc/af_wazuh.conf");
+    expect_string(__wrap_symlink, path2, audit3_socket);
+    will_return(__wrap_symlink, -1);
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, "/etc/audit/plugins.d/af_wazuh.conf");
+    will_return(__wrap_unlink, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1123): Unable to delete file: '/etc/audit/plugins.d/af_wazuh.conf' due to [(17)-(File exists)].");
+
+    int ret;
+    ret = set_auditd_config();
+
+    assert_int_equal(ret, -1);
+}
+
+
+void test_audit_get_id(void **state) {
+    (void) state;
+
+    const char* event = "type=LOGIN msg=audit(1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 res=1";
+
+    char *ret;
+    ret = audit_get_id(event);
+    *state = ret;
+
+    assert_string_equal(ret, "1571145421.379:659");
+}
+
+
+void test_audit_get_id_begin_error(void **state) {
+    (void) state;
+
+    const char* event = "audit1571145421.379:659): pid=16455 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=57 res=1";
+
+    char *ret;
+    ret = audit_get_id(event);
+
+    assert_null(ret);
+}
+
+
+void test_audit_get_id_end_error(void **state) {
+    (void) state;
+
+    const char* event = "type=LOGIN msg=audit(1571145421.379:659";
+
+    char *ret;
+    ret = audit_get_id(event);
+
+    assert_null(ret);
+
+}
+
+
+void test_init_regex(void **state) {
+    (void) state;
+    int ret;
+
+    ret = init_regex();
+
+    assert_int_equal(ret, 0);
+}
+
+
+void test_audit_read_events_select_error(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    // Switch
+    will_return(__wrap_select, -1);
+    expect_string(__wrap__merror, formatted_msg, "(1114): Error during select()-call due to [(17)-(File exists)].");
+    expect_value(__wrap_sleep, seconds, 1);
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_case_0(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    errno = EEXIST;
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 items=2 ppid=3211 pid=44082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" exe=\"74657374C3B1\" key=\"wazuh_fim\"\n\
+        type=CWD msg=audit(1571914029.306:3004254): cwd=\"/root/test\"\n\
+        type=PATH msg=audit(1571914029.306:3004254): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PATH msg=audit(1571914029.306:3004254): item=1 name=\"test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PROCTITLE msg=audit(1571914029.306:3004254): proctitle=726D0074657374\n";
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    // Switch
+    will_return(__wrap_select, 1);
+    will_return(__wrap_select, 0);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer));
+    will_return(__wrap_recv, buffer);
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_error_audit_connection_closed(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+    int counter = 0;
+    int max_retries = 5;
+    char buffer[OS_SIZE_128] = {0};
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+
+
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6912): Audit: connection closed.");
+    expect_value(__wrap_sleep, seconds, 1);
+    expect_string(__wrap__minfo, formatted_msg, "(6029): Audit: reconnecting... (1)");
+
+    // init_auditd_socket failure
+    expect_any(__wrap_OS_ConnectUnixDomain, path);
+    expect_any(__wrap_OS_ConnectUnixDomain, type);
+    expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+    will_return(__wrap_OS_ConnectUnixDomain, -5);
+    snprintf(buffer, OS_SIZE_128, FIM_ERROR_WHODATA_SOCKET_CONNECT, AUDIT_SOCKET);
+    expect_string(__wrap__merror, formatted_msg, buffer);
+
+    while (++counter < max_retries){
+        expect_any(__wrap__minfo, formatted_msg);
+        expect_value(__wrap_sleep, seconds, 1);
+        // init_auditd_socket failure
+        expect_any(__wrap_OS_ConnectUnixDomain, path);
+        expect_any(__wrap_OS_ConnectUnixDomain, type);
+        expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+        will_return(__wrap_OS_ConnectUnixDomain, -5);
+        expect_string(__wrap__merror, formatted_msg, buffer);
+    }
+    expect_string(__wrap_SendMSG, message, "ossec: Audit: Connection closed");
+    expect_string(__wrap_SendMSG, locmsg, SYSCHECK);
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 1);
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_error_audit_reconnect(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    char buffer[OS_SIZE_128] = {0};
+    errno = EEXIST;
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, 0);
+    expect_string(__wrap__mwarn, formatted_msg, "(6912): Audit: connection closed.");
+    expect_value(__wrap_sleep, seconds, 1);
+    expect_string(__wrap__minfo, formatted_msg, "(6029): Audit: reconnecting... (1)");
+
+    // init_auditd_socket failure
+    expect_any(__wrap_OS_ConnectUnixDomain, path);
+    expect_any(__wrap_OS_ConnectUnixDomain, type);
+    expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+    will_return(__wrap_OS_ConnectUnixDomain, -5);
+    snprintf(buffer, OS_SIZE_128, FIM_ERROR_WHODATA_SOCKET_CONNECT, AUDIT_SOCKET);
+    expect_string(__wrap__merror, formatted_msg, buffer);
+
+    // While (*audit_sock < 0)
+    // init_auditd_socket succes
+    expect_any(__wrap__minfo, formatted_msg);
+    expect_value(__wrap_sleep, seconds, 1);
+    expect_any(__wrap_OS_ConnectUnixDomain, path);
+    expect_any(__wrap_OS_ConnectUnixDomain, type);
+    expect_any(__wrap_OS_ConnectUnixDomain, max_msg_size);
+    will_return(__wrap_OS_ConnectUnixDomain, 124);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6030): Audit: connected.");
+
+    // In audit_reload_rules()
+    expect_function_call(__wrap_fim_audit_reload_rules);
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_success(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 items=2 ppid=3211 pid=44082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" exe=\"74657374C3B1\" key=\"wazuh_fim\"\n\
+        type=CWD msg=audit(1571914029.306:3004254): cwd=\"/root/test\"\n\
+        type=PATH msg=audit(1571914029.306:3004254): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PATH msg=audit(1571914029.306:3004254): item=1 name=\"test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PROCTITLE msg=audit(1571914029.306:3004254): proctitle=726D0074657374\n\
+        type=EOE msg=audit(1571914029.306:3004254):\n\
+        type=SYSCALL msg=audit(1571914029.306:3004255): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55c5f8170490 a2=0 a3=7ff365c5eca0 items=2 ppid=3211 pid=44082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=5 comm=\"test\" exe=\"74657374C3B1\" key=\"wazuh_fim\"\n\
+        type=CWD msg=audit(1571914029.306:3004255): cwd=\"/root/test\"\n\
+        type=PATH msg=audit(1571914029.306:3004255): item=0 name=\"/root/test\" inode=110 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PATH msg=audit(1571914029.306:3004255): item=1 name=\"test\" inode=19 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0\n\
+        type=PROCTITLE msg=audit(1571914029.306:3004255): proctitle=726D0074657374\n\
+        type=EOE msg=audit(1571914029.306:3004255):\n";
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_FULL_AUDIT_QUEUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer));
+    will_return(__wrap_recv, buffer);
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_success_no_endline(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+    char * buffer = " \
+        type=SYSCALL msg=audit(1571914029.306:3004254): arch=c000003e syscall=263 success=yes exit\
+    ";
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer));
+    will_return(__wrap_recv, buffer);
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_success_no_id(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+    char * buffer = " \
+        type=SYSC arch=c000003e syscall=263 success=yes exit\n\
+    ";
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer));
+    will_return(__wrap_recv, buffer);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6928): Couldn't get event ID from Audit message. Line: '         type=SYSC arch=c000003e syscall=263 success=yes exit'.");
+
+    audit_read_events(audit_sock, &audit_thread_active);
+}
+
+void test_audit_read_events_select_success_recv_success_too_long(void **state) {
+    (void) state;
+    int *audit_sock = *state;
+    audit_thread_active.data = 1;
+    errno = EEXIST;
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value_count(__wrap_atomic_int_get, atomic, &audit_thread_active, 2);
+    will_return_count(__wrap_atomic_int_get, 1, 2);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+    // Event too long, 65535 char
+    char * buffer = malloc(65530 * sizeof(char));
+    char * extra_buffer = "aaaaaaaaaa";
+    strcpy (buffer,"type=SYSCALLmsg=audit(1571914029.306:3004254):");
+    for (int i = 0; i < 6548; i++) {
+        strcat (buffer, extra_buffer);
+    }
+    strcat (buffer,"\n");
+
+    // Switch
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer));
+    will_return(__wrap_recv, buffer);
+
+
+    char * buffer2 = "type=SYSCALLmsg=audit(1571914029.306:3004254):aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";
+
+    will_return(__wrap_select, 1);
+
+    // If (!byteRead)
+    expect_value(__wrap_recv, __fd, *audit_sock);
+    will_return(__wrap_recv, strlen(buffer2));
+    will_return(__wrap_recv, buffer2);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6929): Caching Audit message: event too long. Event with ID: '1571914029.306:3004254' will be discarded.");
+
+    audit_read_events(audit_sock, &audit_thread_active);
+
+    os_free(buffer);
+}
+
+void test_audit_parse_thread(void **state) {
+    audit_parse_thread_active.data = 1;
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_parse_thread_active);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_audit_parse);
+
+    expect_value(__wrap_atomic_int_get, atomic, &audit_parse_thread_active);
+    will_return(__wrap_atomic_int_get, 0);
+
+    audit_parse_thread();
+}
+
+void test_audit_rules_to_realtime(void **state) {
+    char error_msg[OS_SIZE_128];
+    char error_msg2[OS_SIZE_128];
+
+    // Mutex
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    will_return_count(__wrap_search_audit_rule, 0, 4);
+
+    snprintf(error_msg, OS_SIZE_128, FIM_ERROR_WHODATA_ADD_DIRECTORY, "/test0");
+    expect_string(__wrap__mwarn, formatted_msg, error_msg);
+    snprintf(error_msg2, OS_SIZE_128, FIM_ERROR_WHODATA_ADD_DIRECTORY, "/test1");
+    expect_string(__wrap__mwarn, formatted_msg, error_msg2);
+
+    audit_rules_to_realtime();
+
+    // Check that the options have been correctly changed
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE) {
+        fail();
+    }
+
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options & WHODATA_ACTIVE) {
+        fail();
+    }
+}
+
+void test_audit_rules_to_realtime_first_search_audit_rule_fail(void **state) {
+    char error_msg[OS_SIZE_128];
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    will_return(__wrap_search_audit_rule, 1);
+    will_return_count(__wrap_search_audit_rule, 0, 2);
+
+    snprintf(error_msg, OS_SIZE_128, FIM_ERROR_WHODATA_ADD_DIRECTORY, "/test1");
+    expect_string(__wrap__mwarn, formatted_msg, error_msg);
+
+    audit_rules_to_realtime();
+
+    // Check that the options have been correctly changed
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & ~WHODATA_ACTIVE) {
+        fail();
+    }
+
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options & WHODATA_ACTIVE) {
+        fail();
+    }
+}
+
+void test_audit_rules_to_realtime_second_search_audit_rule_fail(void **state) {
+    char error_msg[OS_SIZE_128];
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    will_return(__wrap_audit_open, 1);
+    will_return(__wrap_audit_get_rule_list, 1);
+    will_return(__wrap_audit_close, 1);
+
+    will_return_count(__wrap_search_audit_rule, 0, 2);
+    will_return(__wrap_search_audit_rule, 1);
+
+    snprintf(error_msg, OS_SIZE_128, FIM_ERROR_WHODATA_ADD_DIRECTORY, "/test0");
+    expect_string(__wrap__mwarn, formatted_msg, error_msg);
+
+    audit_rules_to_realtime();
+
+    // Check that the options have been correctly changed
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE) {
+        fail();
+    }
+
+    if (((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 1))->options & ~WHODATA_ACTIVE) {
+        fail();
+    }
+}
+
+void test_audit_create_rules_file(void **state) {
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test0' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test0 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test1' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test1 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    expect_abspath(AUDIT_RULES_FILE, 0);
+
+    expect_string(__wrap_symlink, path1, AUDIT_RULES_FILE);
+    expect_string(__wrap_symlink, path2, AUDIT_RULES_LINK);
+    will_return(__wrap_symlink, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6045): Created audit rules file, due to audit immutable mode rules will be loaded in the next reboot.");
+
+    audit_create_rules_file();
+}
+
+void test_audit_create_rules_file_fopen_fail(void **state) {
+    char error_msg[OS_SIZE_128];
+
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 0);
+
+    snprintf(error_msg, OS_SIZE_128, FOPEN_ERROR, AUDIT_RULES_FILE, errno, strerror(errno));
+    expect_string(__wrap__merror, formatted_msg, error_msg);
+
+    audit_create_rules_file();
+}
+
+void test_audit_create_rules_file_fclose_fail(void **state) {
+    char error_msg[OS_SIZE_128];
+
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test0' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test0 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test1' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test1 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 1);
+
+    snprintf(error_msg, OS_SIZE_128, FCLOSE_ERROR, AUDIT_RULES_FILE, errno, strerror(errno));
+    expect_string(__wrap__merror, formatted_msg, error_msg);
+
+    audit_create_rules_file();
+}
+
+void test_audit_create_rules_file_symlink_exist(void **state) {
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test0' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test0 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test1' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test1 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    expect_abspath(AUDIT_RULES_FILE, 0);
+
+    expect_string(__wrap_symlink, path1, AUDIT_RULES_FILE);
+    expect_string(__wrap_symlink, path2, AUDIT_RULES_LINK);
+    will_return(__wrap_symlink, -1);
+
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, AUDIT_RULES_LINK);
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap_symlink, path1, AUDIT_RULES_FILE);
+    expect_string(__wrap_symlink, path2, AUDIT_RULES_LINK);
+    will_return(__wrap_symlink, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6045): Created audit rules file, due to audit immutable mode rules will be loaded in the next reboot.");
+
+    audit_create_rules_file();
+}
+
+void test_audit_create_rules_file_unlink_fail(void **state) {
+    char error_msg[OS_SIZE_128];
+
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test0' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test0 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test1' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test1 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    expect_abspath(AUDIT_RULES_FILE, 0);
+
+    expect_string(__wrap_symlink, path1, AUDIT_RULES_FILE);
+    expect_string(__wrap_symlink, path2, AUDIT_RULES_LINK);
+    will_return(__wrap_symlink, -1);
+
+    errno = EEXIST;
+
+    expect_string(__wrap_unlink, file, AUDIT_RULES_LINK);
+    will_return(__wrap_unlink, -1);
+
+    snprintf(error_msg, OS_SIZE_128, UNLINK_ERROR, AUDIT_RULES_LINK, errno, strerror(errno));
+    expect_string(__wrap__merror, formatted_msg, error_msg);
+
+    audit_create_rules_file();
+}
+
+void test_audit_create_rules_file_symlink_fail(void **state) {
+    char error_msg[OS_SIZE_256];
+
+    expect_string(__wrap_wfopen, path, AUDIT_RULES_FILE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 1);
+
+    // Mutex inside get_real_path
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test0' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test0 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6365): Added directory '/test1' to audit rules file.");
+
+    expect_any(__wrap_fprintf, __stream);
+    expect_string(__wrap_fprintf, formatted_msg, "-w /test1 -p wa -k wazuh_fim\n");
+    will_return(__wrap_fprintf, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    expect_abspath(AUDIT_RULES_FILE, 0);
+
+    expect_string(__wrap_symlink, path1, AUDIT_RULES_FILE);
+    expect_string(__wrap_symlink, path2, AUDIT_RULES_LINK);
+    will_return(__wrap_symlink, -1);
+
+    errno = 1;
+
+    snprintf(error_msg, OS_SIZE_256, LINK_ERROR, AUDIT_RULES_LINK, AUDIT_RULES_FILE, errno, strerror(errno));
+    expect_string(__wrap__merror, formatted_msg, error_msg);
+
+    audit_create_rules_file();
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_check_auditd_enabled_success),
+        cmocka_unit_test(test_check_auditd_enabled_openproc_error),
+        cmocka_unit_test(test_check_auditd_enabled_readproc_error),
+        cmocka_unit_test(test_init_auditd_socket_success),
+        cmocka_unit_test(test_init_auditd_socket_failure),
+        cmocka_unit_test(test_set_auditd_config_wrong_audit_version),
+        cmocka_unit_test(test_set_auditd_config_audit2_plugin_created),
+        cmocka_unit_test(test_set_auditd_config_audit3_plugin_created),
+        cmocka_unit_test(test_set_auditd_config_audit_socket_not_created),
+        cmocka_unit_test(test_set_auditd_config_audit_socket_not_created_restart),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_tampered_configuration),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_fopen_error),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_fclose_error),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_recreate_symlink),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_recreate_symlink_restart),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_recreate_symlink_error),
+        cmocka_unit_test(test_set_auditd_config_audit_plugin_not_created_recreate_symlink_unlink_error),
+        cmocka_unit_test_teardown(test_audit_get_id, free_string),
+        cmocka_unit_test(test_audit_get_id_begin_error),
+        cmocka_unit_test(test_audit_get_id_end_error),
+        cmocka_unit_test(test_init_regex),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_error, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_case_0, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_error_audit_connection_closed, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_error_audit_reconnect, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_success, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_success_no_endline, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_success_no_id, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test_setup_teardown(test_audit_read_events_select_success_recv_success_too_long, test_audit_read_events_setup, test_audit_read_events_teardown),
+        cmocka_unit_test(test_audit_parse_thread),
+        cmocka_unit_test_setup_teardown(test_audit_rules_to_realtime, setup_syscheck_dir_links, teardown_rules_to_realtime),
+        cmocka_unit_test_setup_teardown(test_audit_rules_to_realtime_first_search_audit_rule_fail, setup_syscheck_dir_links, teardown_rules_to_realtime),
+        cmocka_unit_test_setup_teardown(test_audit_rules_to_realtime_second_search_audit_rule_fail, setup_syscheck_dir_links, teardown_rules_to_realtime),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file_fopen_fail, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file_fclose_fail, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file_symlink_exist, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file_unlink_fail, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        cmocka_unit_test_setup_teardown(test_audit_create_rules_file_symlink_fail, setup_syscheck_dir_links, teardown_syscheck_dir_links),
+        };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/fim/tests/unit/tests/whodata/test_win_whodata.c b/src/modules/fim/tests/unit/tests/whodata/test_win_whodata.c
new file mode 100644
index 0000000000..8bd807441e
--- /dev/null
+++ b/src/modules/fim/tests/unit/tests/whodata/test_win_whodata.c
@@ -0,0 +1,8359 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <winsock2.h>
+#include <windows.h>
+#include <aclapi.h>
+#include <ntsecapi.h>
+#include <sddl.h>
+#include <winevt.h>
+
+#include "wrappers/common.h"
+#include "wrappers/libc/stdio_wrappers.h"
+#include "wrappers/libc/stdlib_wrappers.h"
+#include "wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "wrappers/wazuh/shared/file_op_wrappers.h"
+#include "wrappers/wazuh/shared/fs_op_wrappers.h"
+#include "wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "wrappers/wazuh/shared/string_op_wrappers.h"
+#include "wrappers/wazuh/shared/randombytes_wrappers.h"
+#include "wrappers/wazuh/syscheckd/config_wrappers.h"
+#include "wrappers/wazuh/syscheckd/create_db_wrappers.h"
+#include "wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+#include "wrappers/wazuh/shared/validate_op_wrappers.h"
+#include "wrappers/windows/winevt_wrappers.h"
+#include "wrappers/windows/ntsecapi_wrappers.h"
+
+
+#include "../../../syscheckd/include/syscheck.h"
+
+int set_winsacl(const char *dir, directory_t *configuration);
+extern int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable);
+extern int w_update_sacl(const char *obj_path);
+extern char *get_whodata_path(const short unsigned int *win_path);
+extern int whodata_path_filter(char **path);
+extern int whodata_check_arch();
+extern int is_valid_sacl(PACL sacl, int is_file);
+extern void replace_device_path(char **path);
+extern int get_drive_names(wchar_t *volume_name, char *device);
+extern int get_volume_names();
+extern void notify_SACL_change(char *dir);
+extern int whodata_hash_add(OSHash *table, char *id, void *data, char *tag);
+extern void restore_sacls();
+extern int restore_audit_policies();
+extern void audit_restore();
+extern int check_object_sacl(char *obj, int is_file);
+extern void set_subscription_query(wchar_t *query);
+extern int set_policies();
+extern void whodata_list_set_values();
+extern void whodata_list_remove_multiple(size_t quantity);
+unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, __attribute__((unused)) void *_void, EVT_HANDLE event);
+extern int whodata_audit_start();
+extern PEVT_VARIANT whodata_event_render(EVT_HANDLE event);
+extern int whodata_get_event_id(const PEVT_VARIANT raw_data, short *event_id);
+extern int whodata_get_handle_id(const PEVT_VARIANT raw_data, unsigned __int64 *handle_id);
+extern int whodata_get_access_mask(const PEVT_VARIANT raw_data, unsigned long *mask);
+extern int whodata_event_parse(const PEVT_VARIANT raw_data, whodata_evt *event_data);
+int policy_check();
+void win_whodata_release_resources(whodata *wdata);
+
+extern char sys_64;
+extern PSID everyone_sid;
+extern size_t ev_sid_size;
+extern int restore_policies;
+extern int policies_checked;
+extern EVT_HANDLE context;
+extern atomic_int_t whodata_end;
+
+extern const wchar_t* event_fields[];
+
+const int NUM_EVENTS = 10;
+int SIZE_EVENTS;
+
+const PWCHAR WCS_TEST_PATH = L"C:\\Windows\\a\\path";
+const char *STR_TEST_PATH = "c:\\windows\\a\\path";
+
+static const char *guid_ObjectAccess = "{6997984A-797A-11D9-BED3-505054503030}";
+static const char *guid_FileSystem = "{0CCE921D-69AE-11D9-BED3-505054503030}";
+static const char *guid_Handle =  "{0CCE9223-69AE-11D9-BED3-505054503030}";
+
+typedef struct PolicyInfo {
+    GUID *category_guid;
+    GUID *subcategory_guid1;
+    GUID *subcategory_guid2;
+    PPOLICY_AUDIT_EVENTS_INFO audit_event_info;
+    AUDIT_POLICY_INFORMATION *paudit_policy;
+} policy_info;
+
+/**************************************************************************/
+/*******************Helper functions*************************************/
+static void successful_whodata_event_render(EVT_HANDLE event, PEVT_VARIANT raw_data) {
+    /* EvtRender first call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+    will_return(wrap_EvtRender, NULL); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS); // BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 0);
+
+    /* EvtRender second call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, SIZE_EVENTS); // BufferSize
+    will_return(wrap_EvtRender, raw_data); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS); // BufferUsed
+    will_return(wrap_EvtRender, 9); // PropertyCount
+    will_return(wrap_EvtRender, 1);
+}
+
+void expect_policy_check_match_call(NTSTATUS status1,
+                                    PPOLICY_AUDIT_EVENTS_INFO audit_event_info, NTSTATUS status2,
+                                    GUID *category_guid, BOOLEAN ret1,
+                                    ULONG subcategory_count, BOOLEAN ret2,
+                                    AUDIT_POLICY_INFORMATION *paudit_policy, BOOLEAN ret3) {
+
+    will_return(wrap_LsaOpenPolicy, status1);
+
+    if (status1 == (NTSTATUS)0){
+        will_return(wrap_LsaQueryInformationPolicy, audit_event_info);
+        will_return(wrap_LsaQueryInformationPolicy, status2);
+
+        if (status2 == (NTSTATUS)0){
+            will_return(wrap_AuditLookupCategoryGuidFromCategoryId, category_guid);
+            will_return(wrap_AuditLookupCategoryGuidFromCategoryId, ret1);
+
+            if (ret1 == true){
+                will_return(wrap_AuditEnumerateSubCategories, subcategory_count);
+                will_return(wrap_AuditEnumerateSubCategories, ret2);
+
+                if (ret2 == true){
+                    will_return(wrap_AuditQuerySystemPolicy, paudit_policy);
+                    will_return(wrap_AuditQuerySystemPolicy, ret3);
+
+                    if (ret3 == true){
+                        return;
+                    }
+                }
+            }
+        }
+    }
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+    will_return(wrap_FormatMessage, "Access is denied");
+    expect_string(__wrap__mwarn, formatted_msg, "(6951): Unable to check the necessary policies for whodata: Access is denied (5).");
+}
+
+/**************************************************************************/
+/*************************WRAPS - FIXTURES*********************************/
+int syscheck_teardown(void ** state) {
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    // Free wdata
+    if (syscheck.wdata.fd) {
+        OSHash_Free(syscheck.wdata.fd);
+    }
+
+    if (syscheck.wdata.directories) {
+        OSHash_Free(syscheck.wdata.directories);
+    }
+
+    if (syscheck.wdata.drive) {
+        free_strarray(syscheck.wdata.drive);
+    }
+
+    if (syscheck.wdata.device) {
+        free_strarray(syscheck.wdata.device);
+    }
+
+    syscheck.wdata.fd = NULL;
+    syscheck.wdata.directories = NULL;
+    syscheck.wdata.drive = NULL;
+    syscheck.wdata.device = NULL;
+
+    // Free everything else in syscheck
+    Free_Syscheck(&syscheck);
+
+    syscheck.scan_day = NULL;
+    syscheck.scan_time = NULL;
+    syscheck.ignore = NULL;
+    syscheck.ignore_regex = NULL;
+    syscheck.nodiff = NULL;
+    syscheck.nodiff_regex = NULL;
+    syscheck.directories = NULL;
+    syscheck.key_ignore = NULL;
+    syscheck.key_ignore_regex = NULL;
+    syscheck.registry = NULL;
+    syscheck.realtime = NULL;
+    syscheck.prefilter_cmd = NULL;
+    syscheck.audit_key = NULL;
+
+    return 0;
+}
+
+int test_group_setup(void **state) {
+    int ret;
+    expect_string(__wrap__mdebug1, formatted_msg, "(6287): Reading configuration file: '../test_syscheck.conf'");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$|.swp$");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex node .log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$|.swp$ OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found ignore regex size 0");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node ^file OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex size 0");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node test_$");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex node test_$ OK?");
+    expect_string(__wrap__mdebug1, formatted_msg, "Found nodiff regex size 1");
+    expect_string(__wrap__mdebug1, formatted_msg, "(6208): Reading Client Configuration [../test_syscheck.conf]");
+    will_return_always(__wrap_getDefine_Int, 0);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    test_mode = 0;
+    ret = Read_Syscheck_Config("../test_syscheck.conf");
+
+    SIZE_EVENTS = sizeof(EVT_VARIANT) * NUM_EVENTS;
+    test_mode = 1;
+    return ret;
+}
+
+static int test_group_teardown(void **state) {
+    test_mode = 0;
+
+    if (syscheck_teardown(state) != 0)
+        return -1;
+
+    return 0;
+}
+
+OSHash * __real_OSHash_Create();
+int __real_OSHash_SetFreeDataPointer(OSHash * self, void(free_data_function)(void *));
+static int setup_whodata_callback_group(void ** state) {
+#ifdef TEST_WINAGENT
+    will_return_count(__wrap_os_random, 12345, 2);
+#endif
+    if (syscheck.wdata.directories = __real_OSHash_Create(), !syscheck.wdata.directories) {
+        return -1;
+    }
+
+    __real_OSHash_SetFreeDataPointer(syscheck.wdata.directories, free);
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return -1;
+    }
+
+    int options = CHECK_SIZE | CHECK_PERM | CHECK_OWNER | CHECK_GROUP | CHECK_MTIME | CHECK_INODE |
+                  CHECK_MD5SUM | CHECK_SHA1SUM | CHECK_SHA256SUM | CHECK_ATTRS | WHODATA_ACTIVE;
+    directory_t *directory0 = fim_create_directory("c:\\windows", options, NULL, 50, NULL, -1, 0);
+    directory0->dirs_status.status = WD_CHECK_WHODATA;
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+    OSHash_Add_ex_check_data = 0;
+    SIZE_EVENTS = sizeof(EVT_VARIANT) * NUM_EVENTS;
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_whodata_callback_group(void ** state) {
+    if (test_group_teardown(state))
+        return -1;
+
+    OSHash_Add_ex_check_data = 1;
+    return 0;
+}
+
+static int setup_policy_check(void ** state) {
+    policy_info *pol_data = NULL;
+    os_calloc(1, sizeof(policy_info), pol_data);
+
+    AUDIT_POLICY_INFORMATION *audit_pol_array;
+    os_calloc(2, sizeof(AUDIT_POLICY_INFORMATION), audit_pol_array);
+    AUDIT_POLICY_INFORMATION file_system_policy;
+    AUDIT_POLICY_INFORMATION handle_policy;
+
+    PPOLICY_AUDIT_EVENTS_INFO AuditEvents;
+    os_calloc(1, sizeof(PPOLICY_AUDIT_EVENTS_INFO), AuditEvents);
+
+    AuditEvents->AuditingMode = true;
+    AuditEvents->MaximumAuditEventCount = 1;
+
+    GUID *guid_ObjectAccess;
+    os_calloc(1, sizeof(GUID), guid_ObjectAccess);
+    GUID *guid_FileSystem;
+    os_calloc(1, sizeof(GUID), guid_FileSystem);
+    GUID *guid_Handle;
+    os_calloc(1, sizeof(GUID), guid_Handle);
+
+    CLSIDFromString(OLESTR("{6997984a-797a-11d9-bed3-505054503030}"), guid_ObjectAccess);
+    CLSIDFromString(OLESTR("{0CCE921D-69AE-11D9-BED3-505054503030}"), guid_FileSystem);
+    CLSIDFromString(OLESTR("{0CCE9223-69AE-11D9-BED3-505054503030}"), guid_Handle);
+
+    file_system_policy.AuditSubCategoryGuid = *guid_FileSystem;
+    file_system_policy.AuditingInformation = POLICY_AUDIT_EVENT_SUCCESS;
+    handle_policy.AuditSubCategoryGuid = *guid_Handle;
+    handle_policy.AuditingInformation = POLICY_AUDIT_EVENT_SUCCESS;
+
+    audit_pol_array[0] = file_system_policy;
+    audit_pol_array[1] = handle_policy;
+
+    pol_data->category_guid = guid_ObjectAccess;
+    pol_data->audit_event_info = AuditEvents;
+    pol_data->paudit_policy = audit_pol_array;
+    pol_data->subcategory_guid1 = guid_FileSystem;
+    pol_data->subcategory_guid2 = guid_Handle;
+
+    *state = pol_data;
+
+    return 0;
+}
+
+static int teardown_policy_check(void ** state) {
+    policy_info *pol_data = *state;
+
+    os_free(pol_data->category_guid);
+    os_free(pol_data->subcategory_guid1);
+    os_free(pol_data->subcategory_guid2);
+    os_free(pol_data->audit_event_info);
+    os_free(pol_data->paudit_policy);
+
+    os_free(pol_data);
+
+    return 0;
+}
+
+static int setup_wdata_dirs_cleanup(void ** state) {
+#ifdef TEST_WINAGENT
+    will_return_count(__wrap_os_random, 12345, 2);
+#endif
+    if (syscheck.wdata.directories = __real_OSHash_Create(), !syscheck.wdata.directories) {
+        return -1;
+    }
+
+    __real_OSHash_SetFreeDataPointer(syscheck.wdata.directories, free);
+
+    syscheck.directories = OSList_Create();
+    if (syscheck.directories == NULL) {
+        return -1;
+    }
+
+    if (setup_policy_check(state) != 0)
+        return -1;
+
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_memblock(void **state) {
+    if(*state)
+        free(*state);
+
+    return 0;
+}
+
+static int teardown_wdata_device() {
+    free_strarray(syscheck.wdata.device);
+    free_strarray(syscheck.wdata.drive);
+
+    syscheck.wdata.device = NULL;
+    syscheck.wdata.drive = NULL;
+
+    return 0;
+}
+
+static int setup_replace_device_path(void **state) {
+    syscheck.wdata.device = calloc(10, sizeof(char*));
+    syscheck.wdata.drive = calloc(10, sizeof(char *));
+
+    if(syscheck.wdata.device == NULL || syscheck.wdata.drive == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int teardown_replace_device_path(void **state) {
+    if(teardown_wdata_device(state))
+        return -1;
+
+    if(teardown_memblock(state))
+        return -1;
+
+    return 0;
+}
+
+static int teardown_reset_errno(void **state) {
+    errno = 0;
+    return 0;
+}
+
+static int setup_state_checker(void ** state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    syscheck.directories = OSList_Create();
+    if (!syscheck.directories) {
+        return -1;
+    }
+
+    directory_t *directory0 = fim_create_directory("c:\\a\\path", WHODATA_ACTIVE, NULL, 50, NULL, -1, 0);
+    directory0->dirs_status.status = WD_CHECK_WHODATA;
+    directory0->dirs_status.object_type = WD_STATUS_DIR_TYPE;
+    directory0->dirs_status.status = WD_CHECK_WHODATA | WD_STATUS_EXISTS;
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+#ifdef TEST_WINAGENT
+    will_return_count(__wrap_os_random, 12345, 2);
+#endif
+
+    if (syscheck.wdata.directories = __real_OSHash_Create(), !syscheck.wdata.directories) {
+        return -1;
+    }
+
+    __real_OSHash_SetFreeDataPointer(syscheck.wdata.directories, free);
+
+    if (setup_policy_check(state) != 0)
+        return -1;
+
+    test_mode = 1;
+
+    return 0;
+}
+
+static int teardown_state_checker(void ** state) {
+    test_mode = 0;
+
+    if (teardown_policy_check(state) != 0)
+        return -1;
+
+    if (syscheck_teardown(state) != 0)
+        return -1;
+
+    return 0;
+}
+
+static int teardown_whodata_audit_start(void ** state) {
+    syscheck.wdata.directories = NULL;
+    syscheck.wdata.fd = NULL;
+
+    return 0;
+}
+
+static int setup_win_whodata_evt(void **state) {
+    whodata_evt *w_evt = calloc(1, sizeof(whodata_evt));
+
+    if(!w_evt)
+        return -1;
+
+    *state = w_evt;
+
+    return 0;
+}
+
+static int teardown_win_whodata_evt(void **state) {
+    whodata_evt *w_evt = *state;
+
+    free_whodata_event(w_evt);
+
+    return 0;
+}
+
+static int teardown_whodata_callback_restore_globals(void ** state) {
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    directory_t *directory0 = ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0));
+    directory0->dirs_status.status |= WD_CHECK_WHODATA;
+    directory0->recursion_level = 50;
+    return 0;
+}
+
+static int teardown_state_checker_restore_globals(void ** state) {
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    OSList_CleanNodes(syscheck.directories);
+    directory_t *directory0 = fim_create_directory("c:\\a\\path", WHODATA_ACTIVE, NULL, 50, NULL, -1, 0);
+
+    directory0->dirs_status.object_type = WD_STATUS_DIR_TYPE;
+    directory0->dirs_status.status = WD_CHECK_WHODATA | WD_STATUS_EXISTS;
+
+    OSList_InsertData(syscheck.directories, NULL, directory0);
+
+    return 0;
+}
+
+static int teardown_clean_directories_hash(void ** state) {
+    // Destroy and recreate the hash table for future tests
+    OSHash_Free(syscheck.wdata.directories);
+
+#ifdef TEST_WINAGENT
+    will_return_count(__wrap_os_random, 12345, 2);
+#endif
+
+    if (syscheck.wdata.directories = __real_OSHash_Create(), !syscheck.wdata.directories) {
+        return -1;
+    }
+
+    __real_OSHash_SetFreeDataPointer(syscheck.wdata.directories, free);
+
+    return 0;
+}
+
+/**************************************************************************/
+/***************************set_winsacl************************************/
+void test_set_winsacl_failed_opening(void **state) {
+    char debug_msg[OS_MAXSTR];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_SACL_CONFIGURE, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 0);
+
+    will_return(wrap_GetLastError, (unsigned int) 500);
+    expect_string(__wrap__merror, formatted_msg, "(6648): OpenProcessToken() failed. Error '500'.");
+
+    set_winsacl(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+}
+
+void test_set_winsacl_failed_privileges(void **state) {
+    char debug_msg[OS_MAXSTR];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_SACL_CONFIGURE, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 0);
+    will_return(wrap_LookupPrivilegeValue, 0); // Fail lookup privilege
+
+    will_return(wrap_GetLastError, (unsigned int) 500);
+    expect_string(__wrap__merror, formatted_msg,  "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 500");
+
+    will_return(wrap_GetLastError, (unsigned int) 501);
+    expect_string(__wrap__merror, formatted_msg,  "(6659): The privilege could not be activated. Error: '501'.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    set_winsacl(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+}
+
+void test_set_winsacl_failed_security_descriptor(void **state) {
+    char debug_msg[OS_MAXSTR];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_SACL_CONFIGURE, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 0);
+    will_return(wrap_LookupPrivilegeValue, 1);
+
+    // Increase privileges
+    expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+    expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+    will_return(wrap_AdjustTokenPrivileges, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, -1);
+    expect_string(__wrap__merror, formatted_msg, "(6650): GetNamedSecurityInfo() failed. Error '-1'");
+
+    // Reduce Privilege
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 234567);
+    will_return(wrap_LookupPrivilegeValue, 1);
+    expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+    expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+    will_return(wrap_AdjustTokenPrivileges, 1);
+    expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    set_winsacl(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+}
+
+void test_set_winsacl_no_need_to_configure_acl(void **state) {
+    ACL old_sacl;
+    ACCESS_ALLOWED_ACE ace;
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        everyone_sid = NULL;
+        ev_sid_size = 1;
+
+        // Set the ACL and ACE data
+        ace.Header.AceFlags = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG;
+        ace.Mask = FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES | DELETE;
+
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &ace);
+        will_return(wrap_GetAce, 1);
+
+        will_return(wrap_EqualSid, 1);
+    }
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 0);
+}
+
+void test_set_winsacl_unable_to_get_acl_info(void **state) {
+    ACL old_sacl;
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(6651): The size of the 'C:\\a\\path' SACL could not be obtained.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_winsacl_fail_to_alloc_new_sacl(void **state) {
+    ACL old_sacl;
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(6652): No memory could be reserved for the new SACL of 'C:\\a\\path'.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_winsacl_fail_to_initialize_new_sacl(void **state) {
+    ACL old_sacl;
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(6653): The new SACL for 'C:\\a\\path' could not be created.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_winsacl_fail_getting_ace_from_old_sacl(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, NULL);
+    will_return(wrap_GetAce, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(6654): The ACE number 0 for 'C:\\a\\path' could not be obtained.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_winsacl_fail_adding_old_ace_into_new_sacl(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6655): The ACE number 0 of 'C:\\a\\path' could not be copied to the new ACL.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+void test_set_winsacl_fail_to_alloc_new_ace(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, NULL);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6656): No memory could be reserved for the new ACE of 'C:\\a\\path'.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_winsacl_fail_to_copy_sid(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SYSTEM_AUDIT_ACE ace;
+
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 0);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(ace.Header.AceType, SYSTEM_AUDIT_ACE_TYPE);
+    assert_int_equal(ace.Header.AceFlags, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG);
+    assert_int_equal(ace.Header.AceSize, 9);
+    assert_int_equal(ace.Mask, DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES);
+}
+
+void test_set_winsacl_fail_to_add_ace(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SYSTEM_AUDIT_ACE ace;
+
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(6657): The new ACE could not be added to 'C:\\a\\path'.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(ace.Header.AceType, SYSTEM_AUDIT_ACE_TYPE);
+    assert_int_equal(ace.Header.AceFlags, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG);
+    assert_int_equal(ace.Header.AceSize, 9);
+    assert_int_equal(ace.Mask, DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES);
+}
+
+void test_set_winsacl_fail_to_set_security_info(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SYSTEM_AUDIT_ACE ace;
+
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, 1234);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6658): SetNamedSecurityInfo() failed. Error: '5'.");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(ace.Header.AceType, SYSTEM_AUDIT_ACE_TYPE);
+    assert_int_equal(ace.Header.AceFlags, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG);
+    assert_int_equal(ace.Header.AceSize, 9);
+    assert_int_equal(ace.Mask, DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES);
+}
+
+void test_set_winsacl_success(void **state) {
+    ACL old_sacl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SYSTEM_AUDIT_ACE ace;
+
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    int ret;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    ev_sid_size = 1;
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'C:\\a\\path' will be configured.");
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_sacl);
+    will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &old_sacl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'C:\\a\\path'");
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, 1234);
+
+    expect_value(wrap_InitializeAcl, pAcl, 1234);
+    expect_value(wrap_InitializeAcl, nAclLength, 9);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    expect_value(wrap_AddAce, pAcl, 1234);
+    will_return(wrap_AddAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, 1234);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = set_winsacl("C:\\a\\path", ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0)));
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(ace.Header.AceType, SYSTEM_AUDIT_ACE_TYPE);
+    assert_int_equal(ace.Header.AceFlags, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG);
+    assert_int_equal(ace.Header.AceSize, 9);
+    assert_int_equal(ace.Mask, DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES);
+}
+
+/**************************************************************************/
+
+void test_set_privilege_lookup_error (void **state) {
+    int ret;
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 0);
+    will_return(wrap_LookupPrivilegeValue, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 5");
+
+    ret = set_privilege((HANDLE)123456, "SeSecurityPrivilege", 0);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_privilege_adjust_token_error (void **state) {
+    int ret;
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 234567);
+    will_return(wrap_LookupPrivilegeValue, 1);
+
+    expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+    expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+    will_return(wrap_AdjustTokenPrivileges, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6634): AdjustTokenPrivileges() failed. Error: '5'");
+
+    ret = set_privilege((HANDLE)123456, "SeSecurityPrivilege", 0);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_privilege_elevate_privilege (void **state) {
+    int ret;
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 234567);
+    will_return(wrap_LookupPrivilegeValue, 1);
+
+    expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+    expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+    will_return(wrap_AdjustTokenPrivileges, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+
+    ret = set_privilege((HANDLE)123456, "SeSecurityPrivilege", 1);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_set_privilege_reduce_privilege (void **state) {
+    int ret;
+
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 234567);
+    will_return(wrap_LookupPrivilegeValue, 1);
+
+    expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+    expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+    will_return(wrap_AdjustTokenPrivileges, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+
+    ret = set_privilege((HANDLE)123456, "SeSecurityPrivilege", 0);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_w_update_sacl_AllocateAndInitializeSid_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    everyone_sid = NULL;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6683): Could not obtain the sid of Everyone. Error '5'.");
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_OpenProcessToken_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) NULL);
+    will_return(wrap_OpenProcessToken, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6684): OpenProcessToken() failed. Error '5'.");
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_add_privilege_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 0);
+        will_return(wrap_LookupPrivilegeValue, 0);
+
+        will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+        expect_string(__wrap__merror, formatted_msg, "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 5");
+    }
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6685): The privilege could not be activated. Error: '5'.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_GetNamedSecurityInfo_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_FILE_NOT_FOUND);
+
+    expect_string(__wrap__merror, formatted_msg, "(6686): GetNamedSecurityInfo() failed. Error '2'");
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_GetAclInformation_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL old_acl;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(6687): The size of the 'C:\\a\\path' SACL could not be obtained.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_alloc_new_sacl_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL old_acl;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(6688): No memory could be reserved for the new SACL of 'C:\\a\\path'.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_InitializeAcl_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL old_acl;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6689): The new SACL for 'C:\\a\\path' could not be created. Error: '5'.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_alloc_ace_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL old_acl;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, NULL);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6690): No memory could be reserved for the new ACE of 'C:\\a\\path'. Error: '5'.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_CopySid_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL old_acl;
+    SYSTEM_AUDIT_ACE ace;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, NULL);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6691): Could not copy the everyone SID for 'C:\\a\\path'. Error: '1-5'.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_old_sacl_GetAce_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, NULL);
+    will_return(wrap_GetAce, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6692): The ACE number 0 for 'C:\\a\\path' could not be obtained.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_old_sacl_AddAce_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6693): The ACE number 0 of 'C:\\a\\path' could not be copied to the new ACL.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_new_sacl_AddAce_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6694): The new ACE could not be added to 'C:\\a\\path'. Error: '5'.");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_SetNamedSecurityInfo_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, 34567);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_PATH_NOT_FOUND);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6695): SetNamedSecurityInfo() failed. Error: '3'");
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_w_update_sacl_remove_privilege_error(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, 34567);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 0);
+        will_return(wrap_LookupPrivilegeValue, 0);
+
+        will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+        expect_string(__wrap__merror, formatted_msg, "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 5");
+    }
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6685): The privilege could not be activated. Error: '5'.");
+
+    /* Retry set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, 0);
+}
+
+void test_w_update_sacl_success(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEM_AUDIT_ACE ace;
+    ACL old_acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {
+        .AceCount = 1,
+    };
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &old_acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR) 2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    will_return(wrap_GetAclInformation, &old_sacl_info);
+    will_return(wrap_GetAclInformation, 1);
+
+    expect_value(wrap_win_alloc, size, 13);
+    will_return(wrap_win_alloc, (LPVOID) 34567);
+
+    expect_value(wrap_InitializeAcl, pAcl, (LPVOID) 34567);
+    expect_value(wrap_InitializeAcl, nAclLength, 13);
+    expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+    will_return(wrap_InitializeAcl, 1);
+
+    expect_value(wrap_win_alloc, size, 9);
+    will_return(wrap_win_alloc, &ace);
+
+    will_return(wrap_CopySid, 1);
+
+    will_return(wrap_GetAce, &old_sacl_info);
+    will_return(wrap_GetAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_value(wrap_AddAce, pAcl, 34567);
+    will_return(wrap_AddAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, 34567);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+    /* goto end */
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = w_update_sacl("C:\\a\\path");
+
+    assert_int_equal(ret, 0);
+}
+
+void test_whodata_check_arch_open_registry_key_error(void **state) {
+    int ret;
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, NULL);
+    will_return(wrap_RegOpenKeyEx, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1758): Unable to open registry key: 'System\\CurrentControlSet\\Control\\Session Manager\\Environment'.");
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_whodata_check_arch_query_key_value_error(void **state) {
+    int ret;
+    HKEY key;
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, NULL);
+    will_return(wrap_RegQueryValueEx, ERROR_OUTOFMEMORY);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6682): Error reading 'Architecture' from Windows registry. (Error 14)");
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_whodata_check_arch_not_supported_arch(void **state) {
+    int ret;
+    HKEY key;
+    const BYTE data[64] = "N/A";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+void test_whodata_check_arch_x86(void **state) {
+    int ret;
+    HKEY key;
+    const BYTE data[64] = "x86";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(sys_64, 0);
+}
+
+void test_whodata_check_arch_amd64(void **state) {
+    int ret;
+    HKEY key;
+    const BYTE data[64] = "AMD64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(sys_64, 1);
+}
+
+void test_whodata_check_arch_ia64(void **state) {
+    int ret;
+    HKEY key;
+    const BYTE data[64] = "IA64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(sys_64, 1);
+}
+
+void test_whodata_check_arch_arm64(void **state) {
+    int ret;
+    HKEY key;
+    const BYTE data[64] = "ARM64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+    ret = whodata_check_arch();
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(sys_64, 1);
+}
+
+void test_whodata_path_filter_32_bit_system(void **state) {
+    char *path = "C:\\windows\\system32\\test";
+    int ret;
+
+    sys_64 = 0;
+
+    ret = whodata_path_filter(&path);
+
+    assert_int_equal(ret, 0);
+    assert_string_equal(path, "C:\\windows\\system32\\test");
+}
+
+void test_get_whodata_path_error_determining_buffer_size(void **state) {
+    const char *win_path = "C:\\a\\path";
+    char *ret;
+
+    expect_string(wrap_WideCharToMultiByte, lpWideCharStr, "C:\\a\\path");
+    expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+    will_return(wrap_WideCharToMultiByte, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6306): The path could not be processed in Whodata mode. Error: 5");
+
+    ret = get_whodata_path((const short unsigned int *)win_path);
+
+    assert_null(ret);
+}
+
+void test_get_whodata_path_error_copying_buffer(void **state) {
+    const char *win_path = "C:\\a\\path";
+    char *ret;
+
+    expect_string(wrap_WideCharToMultiByte, lpWideCharStr, "C:\\a\\path");
+    expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+    will_return(wrap_WideCharToMultiByte, 10);
+
+    expect_string(wrap_WideCharToMultiByte, lpWideCharStr, "C:\\a\\path");
+    expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+    will_return(wrap_WideCharToMultiByte, "");
+    will_return(wrap_WideCharToMultiByte, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6306): The path could not be processed in Whodata mode. Error: 5");
+
+    ret = get_whodata_path((const short unsigned int *)win_path);
+
+    assert_null(ret);
+}
+
+void test_get_whodata_path_success(void **state) {
+    const char *win_path = "C:\\a\\path";
+    char *ret;
+
+    expect_string(wrap_WideCharToMultiByte, lpWideCharStr, "C:\\a\\path");
+    expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+    will_return(wrap_WideCharToMultiByte, 21);
+
+    expect_string(wrap_WideCharToMultiByte, lpWideCharStr, "C:\\a\\path");
+    expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+    will_return(wrap_WideCharToMultiByte, "C:\\another\\path.file");
+    will_return(wrap_WideCharToMultiByte, 21);
+
+    ret = get_whodata_path((const short unsigned int *)win_path);
+
+    *state = ret;
+
+    assert_non_null(ret);
+    assert_string_equal(ret, "C:\\another\\path.file");
+}
+
+void test_is_valid_sacl_sid_error(void **state) {
+    int ret = 0;
+    PACL sacl = NULL;
+    everyone_sid = NULL;
+
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 0);
+
+    will_return(wrap_GetLastError, (unsigned int) 700);
+
+    expect_string(__wrap__merror, formatted_msg, "(6632): Could not obtain the sid of Everyone. Error '700'.");
+
+    ret = is_valid_sacl(sacl, 0);
+    assert_int_equal(ret, 2);
+}
+
+void test_is_valid_sacl_sacl_not_found(void **state) {
+    int ret = 0;
+    PACL sacl = NULL;
+    everyone_sid = NULL;
+
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6267): No SACL found on target. A new one will be created.");
+
+    ret = is_valid_sacl(sacl, 0);
+    assert_int_equal(ret, 1);
+}
+
+void test_is_valid_sacl_ace_not_found(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    PACL new_sacl = NULL;
+    unsigned long new_sacl_size;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    // Set the new ACL size
+    new_sacl_size = sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(unsigned long);
+    new_sacl = (PACL) win_alloc(new_sacl_size);
+    InitializeAcl(new_sacl, new_sacl_size, ACL_REVISION);
+    new_sacl->AceCount=1;
+
+    will_return(wrap_GetAce, NULL);
+    will_return(wrap_GetAce, 0);
+
+    will_return(wrap_GetLastError, (unsigned int) 800);
+    expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '800'.");
+
+    ret = is_valid_sacl(new_sacl, 0);
+    assert_int_equal(ret, 1);
+}
+
+void test_is_valid_sacl_not_valid(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    PACL new_sacl = NULL;
+    unsigned long new_sacl_size;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    // Set the new ACL size
+    new_sacl_size = sizeof(SYSTEM_AUDIT_ACE) + ev_sid_size - sizeof(unsigned long);
+    new_sacl = (PACL) win_alloc(new_sacl_size);
+    InitializeAcl(new_sacl, new_sacl_size, ACL_REVISION);
+    new_sacl->AceCount=1;
+
+    will_return(wrap_GetAce, &new_sacl);
+    will_return(wrap_GetAce, 1);
+
+    ret = is_valid_sacl(new_sacl, 1);
+    assert_int_equal(ret, 1);
+}
+
+void test_is_valid_sacl_valid(void **state) {
+    int ret;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    ACL new_sacl;
+    ACCESS_ALLOWED_ACE ace;
+
+    everyone_sid = NULL;
+    ev_sid_size = 1;
+
+    // Set the ACL and ACE data
+    new_sacl.AceCount=1;
+    ace.Header.AceFlags = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG;
+    ace.Mask = FILE_WRITE_DATA | WRITE_DAC | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | DELETE;
+
+    expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+    expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+    will_return(wrap_AllocateAndInitializeSid, 1);
+
+    will_return(wrap_GetAce, &ace);
+    will_return(wrap_GetAce, 1);
+
+    will_return(wrap_EqualSid, 1);
+
+    ret = is_valid_sacl(&new_sacl, 1);
+    assert_int_equal(ret, 0);
+}
+
+void test_replace_device_path_invalid_path(void **state) {
+    char *path = strdup("invalid\\path");
+
+    replace_device_path(&path);
+
+    *state = path;
+
+    assert_string_equal(path, "invalid\\path");
+}
+
+void test_replace_device_path_empty_wdata_device(void **state) {
+    char *path = strdup("\\C:\\a\\path");
+
+    replace_device_path(&path);
+
+    *state = path;
+
+    assert_string_equal(path, "\\C:\\a\\path");
+}
+
+void test_replace_device_path_device_not_found(void **state) {
+    char *path = strdup("\\Device\\NotFound0\\a\\path");
+    syscheck.wdata.device[0] = strdup("\\Device\\HarddiskVolume1");
+    syscheck.wdata.drive[0] = strdup("D:");
+    syscheck.wdata.device[1] = strdup("\\Device\\Floppy0");
+    syscheck.wdata.drive[1] = strdup("A:");
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6304): Find device '\\Device\\HarddiskVolume1' in path '\\Device\\NotFound0\\a\\path'");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6304): Find device '\\Device\\Floppy0' in path '\\Device\\NotFound0\\a\\path'");
+
+    replace_device_path(&path);
+
+    *state = path;
+
+    assert_string_equal(path, "\\Device\\NotFound0\\a\\path");
+}
+
+void test_replace_device_path_device_found(void **state) {
+    char *path = strdup("\\Device\\Floppy0\\a\\path");
+    syscheck.wdata.device[0] = strdup("\\Device\\HarddiskVolume1");
+    syscheck.wdata.drive[0] = strdup("D:");
+    syscheck.wdata.device[1] = strdup("\\Device\\Floppy0");
+    syscheck.wdata.drive[1] = strdup("A:");
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6304): Find device '\\Device\\HarddiskVolume1' in path '\\Device\\Floppy0\\a\\path'");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6304): Find device '\\Device\\Floppy0' in path '\\Device\\Floppy0\\a\\path'");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6305): Replacing '\\Device\\Floppy0\\a\\path' to 'A:\\a\\path'");
+
+    replace_device_path(&path);
+
+    *state = path;
+
+    assert_string_equal(path, "A:\\a\\path");
+}
+
+void test_get_drive_names_access_denied_error(void **state) {
+    wchar_t *volume_name = L"\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}";
+    char *device = "C";
+
+    expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, OS_MAXSTR);
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mwarn, formatted_msg, "GetVolumePathNamesForVolumeNameW (5)'Input/output error'");
+
+    get_drive_names(volume_name, device);
+}
+
+void test_get_drive_names_more_data_error(void **state) {
+    wchar_t *volume_name = L"\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}";
+    char *device = "C";
+
+    expect_string(wrap_GetVolumePathNamesForVolumeNameW,
+        lpszVolumeName, L"\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}");
+
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, OS_MAXSTR);
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 0);
+
+    will_return(wrap_GetLastError, ERROR_MORE_DATA);
+
+    expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 1);
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, L"");
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mwarn, formatted_msg, "GetVolumePathNamesForVolumeNameW (5)'Input/output error'");
+
+    get_drive_names(volume_name, device);
+}
+
+void test_get_drive_names_success(void **state) {
+    wchar_t *volume_name = L"\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}";
+    char *device = "C";
+    wchar_t *volume_paths = L"A\0C\0\\Some\\path\0";
+
+    expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 16);
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, volume_paths);
+    will_return(wrap_GetVolumePathNamesForVolumeNameW, 1);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C' associated with the mounting point 'A'");
+    expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C' associated with the mounting point 'C'");
+    expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C' associated with the mounting point '\\Some\\path'");
+
+
+    get_drive_names(volume_name, device);
+}
+
+void test_get_volume_names_unable_to_find_first_volume(void **state) {
+    int ret;
+    will_return(wrap_FindFirstVolumeW, L"");
+    will_return(wrap_FindFirstVolumeW, INVALID_HANDLE_VALUE);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mwarn, formatted_msg, "FindFirstVolumeW failed (5)'Input/output error'");
+
+    expect_value(wrap_FindVolumeClose, hFindVolume, INVALID_HANDLE_VALUE);
+    will_return(wrap_FindVolumeClose, 1);
+
+    ret = get_volume_names();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_get_volume_names_bad_path(void **state) {
+    int ret;
+    will_return(wrap_FindFirstVolumeW, L"Not a valid volume");
+    will_return(wrap_FindFirstVolumeW, (HANDLE)123456);
+
+    expect_string(__wrap__mwarn, formatted_msg, "Find Volume returned a bad path: Not a valid volume");
+
+    expect_value(wrap_FindVolumeClose, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindVolumeClose, 1);
+
+    ret = get_volume_names();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_get_volume_names_no_dos_device(void **state) {
+    int ret;
+    wchar_t *str = L"";
+    will_return(wrap_FindFirstVolumeW, L"\\\\?\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}\\");
+    will_return(wrap_FindFirstVolumeW, (HANDLE)123456);
+
+    expect_string(wrap_QueryDosDeviceW, lpDeviceName, L"Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}");
+    will_return(wrap_QueryDosDeviceW, wcslen(str));
+    will_return(wrap_QueryDosDeviceW, str);
+    will_return(wrap_QueryDosDeviceW, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mwarn, formatted_msg, "QueryDosDeviceW failed (5)'Input/output error'");
+
+    expect_value(wrap_FindVolumeClose, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindVolumeClose, 1);
+
+    ret = get_volume_names();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_get_volume_names_error_on_next_volume(void **state) {
+    int ret;
+    wchar_t *str = L"C:";
+    wchar_t *volume_name = L"\\\\?\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}\\";
+
+    will_return(wrap_FindFirstVolumeW, volume_name);
+    will_return(wrap_FindFirstVolumeW, (HANDLE)123456);
+
+    expect_string(wrap_QueryDosDeviceW, lpDeviceName, L"Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}");
+    will_return(wrap_QueryDosDeviceW, wcslen(str));
+    will_return(wrap_QueryDosDeviceW, str);
+    will_return(wrap_QueryDosDeviceW, wcslen(str));
+
+    // Inside get_drive_names
+    {
+        wchar_t *volume_paths = L"A\0C\0\\Some\\path\0";
+
+        expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, 16);
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, volume_paths);
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, 1);
+
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'A'");
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'C'");
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point '\\Some\\path'");
+    }
+
+    expect_value(wrap_FindNextVolumeW, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindNextVolumeW, L"");
+    will_return(wrap_FindNextVolumeW, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__mwarn, formatted_msg, "FindNextVolumeW failed (5)'Input/output error'");
+
+    expect_value(wrap_FindVolumeClose, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindVolumeClose, 1);
+
+    ret = get_volume_names();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_get_volume_names_no_more_files(void **state) {
+    int ret;
+    wchar_t *str = L"C:";
+    wchar_t *volume_name = L"\\\\?\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}\\";
+
+    will_return(wrap_FindFirstVolumeW, volume_name);
+    will_return(wrap_FindFirstVolumeW, (HANDLE)123456);
+
+    expect_string(wrap_QueryDosDeviceW, lpDeviceName, L"Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}");
+    will_return(wrap_QueryDosDeviceW, wcslen(str));
+    will_return(wrap_QueryDosDeviceW, str);
+    will_return(wrap_QueryDosDeviceW, wcslen(str));
+
+    // Inside get_drive_names
+    {
+        wchar_t *volume_paths = L"A\0C\0\\Some\\path\0";
+
+        expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, 16);
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, volume_paths);
+        will_return(wrap_GetVolumePathNamesForVolumeNameW, 1);
+
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'A'");
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'C'");
+        expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point '\\Some\\path'");
+    }
+
+    expect_value(wrap_FindNextVolumeW, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindNextVolumeW, L"");
+    will_return(wrap_FindNextVolumeW, 0);
+
+    will_return(wrap_GetLastError, ERROR_NO_MORE_FILES);
+
+    expect_value(wrap_FindVolumeClose, hFindVolume, (HANDLE)123456);
+    will_return(wrap_FindVolumeClose, 1);
+
+    ret = get_volume_names();
+
+    assert_int_equal(ret, 0);
+}
+
+void test_notify_SACL_change(void **state) {
+    expect_string(__wrap_SendMSG, message,
+        "ossec: Audit: The SACL of 'C:\\a\\path' has been modified and can no longer be scanned in whodata mode.");
+    expect_string(__wrap_SendMSG, locmsg, "syscheck");
+    expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+    will_return(__wrap_SendMSG, 0); // Return value is discarded
+
+    notify_SACL_change("C:\\a\\path");
+}
+
+void test_whodata_hash_add_unable_to_add(void **state) {
+    wchar_t *data = L"Some random data";
+    int ret;
+
+    expect_value(__wrap_OSHash_Add_ex, self, (OSHash*)123456);
+    expect_string(__wrap_OSHash_Add_ex, key, "key");
+    expect_memory(__wrap_OSHash_Add_ex, data, data, wcslen(data));
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6631): The event could not be added to the 'tag' hash table. Target: 'key'.");
+
+    ret = whodata_hash_add((OSHash*)123456, "key", data, "tag");
+
+    assert_int_equal(ret, 0);
+}
+
+void test_whodata_hash_add_duplicate_entry(void **state) {
+    wchar_t *data = L"Some random data";
+    int ret;
+
+    expect_value(__wrap_OSHash_Add_ex, self, (OSHash*)123456);
+    expect_string(__wrap_OSHash_Add_ex, key, "key");
+    expect_memory(__wrap_OSHash_Add_ex, data, data, wcslen(data));
+    will_return(__wrap_OSHash_Add_ex, 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6630): The event could not be added to the 'tag' hash table because it is duplicated. Target: 'key'.");
+
+    ret = whodata_hash_add((OSHash*)123456, "key", data, "tag");
+
+    assert_int_equal(ret, 1);
+}
+
+void test_whodata_hash_add_success(void **state) {
+    wchar_t *data = L"Some random data";
+    int ret;
+
+    expect_value(__wrap_OSHash_Add_ex, self, (OSHash*)123456);
+    expect_string(__wrap_OSHash_Add_ex, key, "key");
+    expect_memory(__wrap_OSHash_Add_ex, data, data, wcslen(data));
+    will_return(__wrap_OSHash_Add_ex, 2);
+
+    ret = whodata_hash_add((OSHash*)123456, "key", data, "tag");
+
+    assert_int_equal(ret, 2);
+}
+/*****************************restore_sacls********************************/
+void test_restore_sacls_openprocesstoken_failed(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 0);
+
+    will_return(wrap_GetLastError, (unsigned int) 500);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6648): OpenProcessToken() failed. Error '500'.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+
+    restore_sacls();
+}
+
+void test_restore_sacls_set_privilege_failed(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // set_privilege
+    expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+    will_return(wrap_LookupPrivilegeValue, 0);
+    will_return(wrap_LookupPrivilegeValue, 0);
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+    expect_string(__wrap__merror, formatted_msg, "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 5");
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+    expect_string(__wrap__merror, formatted_msg, "(6659): The privilege could not be activated. Error: '5'.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+    restore_sacls();
+}
+
+int setup_restore_sacls(void **state) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        dir_it->dirs_status.status &= ~WD_IGNORE_REST;
+    }
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status |= WD_IGNORE_REST;
+
+    return 0;
+}
+
+int teardown_restore_sacls(void **state) {
+    directory_t *dir_it;
+    OSListNode *node_it;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    OSList_foreach(node_it, syscheck.directories) {
+        dir_it = node_it->data;
+        if (FIM_MODE(dir_it->options) == FIM_WHODATA) {
+            ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status |= WD_IGNORE_REST;
+        }
+    }
+
+    return 0;
+}
+
+void test_restore_sacls_securityNameInfo_failed(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_FILE_NOT_FOUND);
+    expect_string(__wrap__merror, formatted_msg, "(6650): GetNamedSecurityInfo() failed. Error '2'");
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+
+    restore_sacls();
+}
+
+void test_restore_sacls_deleteAce_failed(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    ACL acl;
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    expect_value(wrap_DeleteAce, pAcl, &acl);
+    expect_value(wrap_DeleteAce, dwAceIndex, 0);
+    will_return(wrap_DeleteAce, 0);
+    will_return(wrap_GetLastError, 500);
+    expect_string(__wrap__merror, formatted_msg, "(6646): DeleteAce() failed restoring the SACLs. Error '500'");
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+
+    restore_sacls();
+}
+
+void test_restore_sacls_SetNamedSecurityInfo_failed(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    ACL acl;
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    expect_value(wrap_DeleteAce, pAcl, &acl);
+    expect_value(wrap_DeleteAce, dwAceIndex, 0);
+    will_return(wrap_DeleteAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, &acl);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_PATH_NOT_FOUND);
+    expect_string(__wrap__merror, formatted_msg, "(6658): SetNamedSecurityInfo() failed. Error: '3'.");
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+
+    restore_sacls();
+}
+
+void test_restore_sacls_success(void **state){
+    will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+    // GetNamedSecurity
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    ACL acl;
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    expect_value(wrap_DeleteAce, pAcl, &acl);
+    expect_value(wrap_DeleteAce, dwAceIndex, 0);
+    will_return(wrap_DeleteAce, 1);
+
+    expect_string(wrap_SetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+    expect_value(wrap_SetNamedSecurityInfo, pSacl, &acl);
+    will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+    char debug_msg[OS_MAXSTR];
+
+    snprintf(debug_msg, OS_MAXSTR, FIM_SACL_RESTORED, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+    /* Inside set_privilege */
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+    will_return(wrap_CloseHandle, 0);
+
+    restore_sacls();
+}
+/***********************************restore_audit_policies***********************************/
+void test_restore_audit_policies_backup_not_found(void **state) {
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, -1);
+    expect_string(__wrap__merror, formatted_msg, "(6622): There is no backup of audit policies. Policies will not be restored.");
+
+    int ret = restore_audit_policies();
+    assert_int_equal(ret, 1);
+}
+
+void test_restore_audit_policies_command_failed(void **state) {
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries + 1][OS_SIZE_1024];
+
+    for (i = 0;  i <= retries; i++) {
+	    expect_wm_exec("auditpol /restore /file:\"tmp\\backup-policies\"", retries+i, NULL, "OUTPUT COMMAND", -1, -1);
+        expect_string(__wrap__merror, formatted_msg, "(6635): Auditpol backup error: 'failed to execute command'.");
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg, "(6956): After 6 attempts the Auditpol command could not be executed successfully.");
+    int ret = restore_audit_policies();
+    assert_int_equal(ret, 1);
+}
+
+void test_restore_audit_policies_command2_failed(void **state) {
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries + 1][OS_SIZE_1024];
+
+
+    for (i = 0;  i <= retries; i++) {
+        expect_wm_exec("auditpol /restore /file:\"tmp\\backup-policies\"", retries+i, NULL, "OUTPUT COMMAND", -1, 1);
+        expect_string(__wrap__merror, formatted_msg, "(6635): Auditpol backup error: 'time overtaken while running the command'.");
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg, "(6956): After 6 attempts the Auditpol command could not be executed successfully.");
+    int ret = restore_audit_policies();
+    assert_int_equal(ret, 1);
+}
+
+void test_restore_audit_policies_command3_failed(void **state) {
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries + 1][OS_SIZE_1024];
+
+    for (i = 0;  i <= retries; i++) {
+        expect_wm_exec("auditpol /restore /file:\"tmp\\backup-policies\"", retries+i, NULL, "OUTPUT COMMAND", -1, 0);
+        expect_string(__wrap__merror, formatted_msg, "(6635): Auditpol backup error: 'command returned failure'. Output: 'OUTPUT COMMAND'.");
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg, "(6956): After 6 attempts the Auditpol command could not be executed successfully.");
+    int ret = restore_audit_policies();
+    assert_int_equal(ret, 1);
+}
+
+void test_restore_audit_policies_success(void **state) {
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /restore /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, "OUTPUT COMMAND");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    int ret = restore_audit_policies();
+    assert_int_equal(ret, 0);
+}
+/****************************************audit_restore**************************************/
+void test_audit_restore(void **state) {
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // restore_sacls
+    {
+        will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+        expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+        will_return(wrap_OpenProcessToken, (HANDLE) 123456);
+        will_return(wrap_OpenProcessToken, 1);
+
+        // set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+        }
+        // GetNamedSecurity
+        expect_string(wrap_GetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+        ACL acl;
+        expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        will_return(wrap_GetNamedSecurityInfo, &acl);
+        will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+        will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+        expect_value(wrap_DeleteAce, pAcl, &acl);
+        expect_value(wrap_DeleteAce, dwAceIndex, 0);
+        will_return(wrap_DeleteAce, 1);
+
+        expect_string(wrap_SetNamedSecurityInfo, pObjectName, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+        expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, pSacl, &acl);
+        will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+        char debug_msg[OS_MAXSTR];
+
+        snprintf(debug_msg, OS_MAXSTR, FIM_SACL_RESTORED, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+        expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+        /* Inside set_privilege */
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+        }
+
+        expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+        will_return(wrap_CloseHandle, 0);
+        expect_value(wrap_CloseHandle, hObject, (HANDLE)4321);
+        will_return(wrap_CloseHandle, 0);
+    }
+
+    // restore_audit_policies
+    {
+        expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+        will_return(__wrap_IsFile, 0);
+
+        expect_string(__wrap_wm_exec, command, "auditpol /restore /file:\"tmp\\backup-policies\"");
+        expect_value(__wrap_wm_exec, secs, 5);
+        expect_value(__wrap_wm_exec, add_path, NULL);
+        will_return(__wrap_wm_exec, "OUTPUT COMMAND");
+        will_return(__wrap_wm_exec, 0);
+        will_return(__wrap_wm_exec, 0);
+    }
+
+    restore_policies = 1;
+    audit_restore();
+
+}
+
+/********************************************************************************************/
+/**********************************whodata_event_render**************************************/
+void test_whodata_event_render_fail_to_render_event(void **state) {
+    EVT_HANDLE event = NULL;
+    PEVT_VARIANT result = NULL;
+
+    /* EvtRender first call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+    will_return(wrap_EvtRender, NULL); // Buffer
+    will_return(wrap_EvtRender, 0); // BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 0);
+
+    /* EvtRender second call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+    will_return(wrap_EvtRender, NULL); // Buffer
+    will_return(wrap_EvtRender, 0);// BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 0);
+
+    will_return(wrap_GetLastError, 500);
+    expect_string(__wrap__mwarn, formatted_msg, "(6933): Error rendering the event. Error 500.");
+
+    result = whodata_event_render(event);
+
+    assert_null(result);
+}
+
+void test_whodata_event_render_wrong_property_count(void **state) {
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT buffer[NUM_EVENTS];
+    PEVT_VARIANT result = NULL;
+
+    /* EvtRender first call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+    will_return(wrap_EvtRender, NULL); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS); // BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 0);
+
+    /* EvtRender second call */
+    memset(buffer, 0, SIZE_EVENTS);
+    buffer[0].Type = EvtVarTypeNull; // Wrong buffer type
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, SIZE_EVENTS); // BufferSize
+    will_return(wrap_EvtRender, buffer); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS);// BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 1);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6934): Invalid number of rendered parameters.");
+
+    result = whodata_event_render(event);
+    assert_null(result);
+}
+
+void test_whodata_event_render_success(void **state) {
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT buffer[NUM_EVENTS];
+    PEVT_VARIANT result = NULL;
+
+    /* EvtRender first call */
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+    will_return(wrap_EvtRender, NULL); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS); // BufferUsed
+    will_return(wrap_EvtRender, 0); // PropertyCount
+    will_return(wrap_EvtRender, 0);
+
+    /* EvtRender second call */
+    memset(buffer, 0, SIZE_EVENTS);
+    buffer[0].Type = EvtVarTypeNull; // Wrong buffer type
+    expect_value(wrap_EvtRender, Context, context);
+    expect_value(wrap_EvtRender, Fragment, event);
+    expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+    expect_value(wrap_EvtRender, BufferSize, SIZE_EVENTS); // BufferSize
+    will_return(wrap_EvtRender, buffer); // Buffer
+    will_return(wrap_EvtRender, SIZE_EVENTS);// BufferUsed
+    will_return(wrap_EvtRender, 9); // PropertyCount
+    will_return(wrap_EvtRender, 1);
+
+    result = whodata_event_render(event);
+
+    *state = result;
+    assert_non_null(result);
+    assert_int_equal(result[0].Type, EvtVarTypeNull);
+}
+
+/********************************************************************************************/
+/**********************************whodata_get_event_id**************************************/
+void test_whodata_get_event_id_null_raw_data(void **state) {
+    PEVT_VARIANT raw_data = NULL;
+    short event_id;
+    int result;
+
+    result = whodata_get_event_id(raw_data, &event_id);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_event_id_null_event_id(void **state) {
+    EVT_VARIANT raw_data;
+    int result;
+
+    result = whodata_get_event_id(&raw_data, NULL);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_event_id_wrong_event_type(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    short event_id;
+    int result;
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'event_id'.");
+
+    result = whodata_get_event_id(raw_data, &event_id);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_event_id_success(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=1234,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    short event_id;
+    int result;
+
+    result = whodata_get_event_id(raw_data, &event_id);
+
+    assert_int_equal(result, 0);
+    assert_int_equal(event_id, 1234);
+}
+
+/********************************************************************************************/
+/**********************************whodata_get_handle_id**************************************/
+void test_whodata_get_handle_id_null_raw_data(void **state) {
+    PEVT_VARIANT raw_data = NULL;
+    unsigned __int64 handle_id;
+    int result;
+
+    result = whodata_get_handle_id(raw_data, &handle_id);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_handle_id_null_handle_id(void **state) {
+    EVT_VARIANT raw_data;
+    int result;
+
+    result = whodata_get_handle_id(&raw_data, NULL);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_handle_id_64bit_handle_success(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned __int64 handle_id;
+    int result;
+
+    result = whodata_get_handle_id(raw_data, &handle_id);
+
+    assert_int_equal(result, 0);
+    assert_int_equal(handle_id, 0x123456);
+}
+
+void test_whodata_get_handle_id_32bit_handle_wrong_type(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned __int64 handle_id;
+    int result;
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'handle_id'.");
+
+    result = whodata_get_handle_id(raw_data, &handle_id);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_handle_id_32bit_success(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeSizeT },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned __int64 handle_id;
+    int result;
+
+    result = whodata_get_handle_id(raw_data, &handle_id);
+
+    assert_int_equal(result, 0);
+    assert_int_equal(handle_id, 0x123456);
+}
+
+void test_whodata_get_handle_id_32bit_hex_success(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned __int64 handle_id;
+    int result;
+
+    result = whodata_get_handle_id(raw_data, &handle_id);
+
+    assert_int_equal(result, 0);
+    assert_int_equal(handle_id, 0x123456);
+}
+
+/********************************************************************************************/
+/**********************************whodata_get_access_mask**************************************/
+void test_whodata_get_access_mask_null_raw_data(void **state) {
+    PEVT_VARIANT raw_data = NULL;
+    unsigned long mask;
+    int result;
+
+    result = whodata_get_access_mask(raw_data, &mask);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_access_mask_null_mask(void **state) {
+    EVT_VARIANT raw_data;
+    int result;
+
+    result = whodata_get_access_mask(&raw_data, NULL);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_access_mask_wrong_type(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long mask;
+    int result;
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'mask'.");
+
+    result = whodata_get_access_mask(raw_data, &mask);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_get_access_mask_success(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long mask;
+    int result;
+
+    result = whodata_get_access_mask(raw_data, &mask);
+
+    assert_int_equal(result, 0);
+    assert_int_equal(mask, 0x123456);
+}
+
+/********************************************************************************************/
+/**********************************whodata_event_parse**************************************/
+void test_whodata_event_parse_null_raw_data(void **state) {
+    PEVT_VARIANT raw_data = NULL;
+    whodata_evt event_data;
+    int result;
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_event_parse_null_event_data(void **state) {
+    EVT_VARIANT raw_data;
+    int result;
+
+    result = whodata_event_parse(&raw_data, NULL);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_event_parse_wrong_path_type(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'path'.");
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_event_parse_fail_to_get_path(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, 0);
+
+        will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+        expect_string(__wrap__mdebug1, formatted_msg, "(6306): The path could not be processed in Whodata mode. Error: 5");
+    }
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_event_parse_filter_path(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"C:\\$recycle.bin\\test.file",    .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0,                                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,                           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",                         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte,
+                      lpWideCharStr,
+                      L"C:\\$recycle.bin\\test.file",
+                      wcslen(L"C:\\$recycle.bin\\test.file"));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, 27);
+
+        expect_memory(wrap_WideCharToMultiByte,
+                      lpWideCharStr,
+                      L"C:\\$recycle.bin\\test.file",
+                      wcslen(L"C:\\$recycle.bin\\test.file"));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, "C:\\$recycle.bin\\test.file");
+        will_return(wrap_WideCharToMultiByte, 27);
+    }
+
+    // Inside whodata_path_filter
+    {
+        expect_string(__wrap__mdebug2, formatted_msg,
+            "(6289): File 'c:\\$recycle.bin\\test.file' is in the recycle bin. It will be discarded.");
+    }
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+}
+
+void test_whodata_event_parse_wrong_types(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+    }
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'user_name'.");
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'process_name'.");
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'process_id'.");
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'user_id'.");
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, 0);
+    assert_string_equal(event_data.path, STR_TEST_PATH);
+    assert_null(event_data.user_name);
+    assert_null(event_data.process_name);
+    assert_null(event_data.process_id);
+    assert_null(event_data.user_id);
+}
+
+void test_whodata_event_parse_32bit_process_id(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeSizeT },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+    }
+
+    expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+    will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+    expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+    will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+    will_return(wrap_ConvertSidToStringSid, NULL);
+    will_return(wrap_ConvertSidToStringSid, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(6246): Invalid identifier for user 'user_name'");
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+    assert_string_equal(event_data.path, STR_TEST_PATH);
+    assert_string_equal(event_data.user_name, "user_name");
+    assert_string_equal(event_data.process_name, "process_name");
+    assert_int_equal(event_data.process_id, 0x123456);
+    assert_null(event_data.user_id);
+}
+
+void test_whodata_event_parse_32bit_hex_process_id(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Arr=NULL,               .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Arr=NULL,               .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .Int64Arr=NULL,               .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+    }
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'user_name'.");
+
+    expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+    will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+    will_return(wrap_ConvertSidToStringSid, NULL);
+    will_return(wrap_ConvertSidToStringSid, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, FIM_WHODATA_INVALID_UNKNOWN_UID);
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, -1);
+    assert_string_equal(event_data.path, STR_TEST_PATH);
+    assert_null(event_data.user_name);
+    assert_string_equal(event_data.process_name, "process_name");
+    assert_int_equal(event_data.process_id, 0x123456);
+    assert_null(event_data.user_id);
+}
+
+void test_whodata_event_parse_64bit_process_id(void **state) {
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    whodata_evt event_data;
+    int result;
+
+    // Inside get_whodata_path
+    {
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+        expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+        expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+        will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+        will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+    }
+
+    expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+    will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+    expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+    will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+    will_return(wrap_ConvertSidToStringSid, "S-8-15");
+    will_return(wrap_ConvertSidToStringSid, 6);
+
+    result = whodata_event_parse(raw_data, &event_data);
+
+    assert_int_equal(result, 0);
+    assert_string_equal(event_data.path, STR_TEST_PATH);
+    assert_string_equal(event_data.user_name, "user_name");
+    assert_string_equal(event_data.process_name, "process_name");
+    assert_int_equal(event_data.process_id, 0x123456);
+    assert_string_equal(event_data.user_id, "S-8-15");
+}
+
+/********************************************************************************************/
+/**********************************whodata_callback**************************************/
+void test_whodata_callback_fail_to_render_event(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    unsigned long result;
+
+    // Inside whodata_event_render
+    {
+        /* EvtRender first call */
+        expect_value(wrap_EvtRender, Context, context);
+        expect_value(wrap_EvtRender, Fragment, event);
+        expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+        expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+        will_return(wrap_EvtRender, NULL); // Buffer
+        will_return(wrap_EvtRender, 0); // BufferUsed
+        will_return(wrap_EvtRender, 0); // PropertyCount
+        will_return(wrap_EvtRender, 0);
+
+        /* EvtRender second call */
+        expect_value(wrap_EvtRender, Context, context);
+        expect_value(wrap_EvtRender, Fragment, event);
+        expect_value(wrap_EvtRender, Flags, EvtRenderEventValues);
+        expect_value(wrap_EvtRender, BufferSize, 0); // BufferSize
+        will_return(wrap_EvtRender, NULL); // Buffer
+        will_return(wrap_EvtRender, 0);// BufferUsed
+        will_return(wrap_EvtRender, 0); // PropertyCount
+        will_return(wrap_EvtRender, 0);
+
+        will_return(wrap_GetLastError, 500);
+        expect_string(__wrap__mwarn, formatted_msg, "(6933): Error rendering the event. Error 500.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_fail_to_get_event_id(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_get_event_id
+    {
+        expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'event_id'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_fail_to_get_handle_id(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_get_handle_id
+    {
+        expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'handle_id'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_fail_to_parse_event(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'path'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_fail_to_get_access_mask(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    // Inside whodata_get_access_mask
+    {
+        expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'mask'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_non_monitored_directory(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"C:\\non\\monitored", .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123450,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, L"C:\\non\\monitored", wcslen(L"C:\\non\\monitored") * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen("c:\\non\\monitored"));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, L"C:\\non\\monitored", wcslen(L"C:\\non\\monitored") * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, "c:\\non\\monitored");
+            will_return(wrap_WideCharToMultiByte, strlen("c:\\non\\monitored"));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6319): No configuration found for (file):'c:\\non\\monitored'");
+    expect_string(__wrap__mdebug2, formatted_msg, "(6239): 'c:\\non\\monitored' is discarded because its monitoring is not activated.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_non_whodata_directory(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123450,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status &= ~WD_CHECK_WHODATA;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6240): The monitoring of 'c:\\windows\\a\\path' in whodata mode has been canceled. Added to the ignore list.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_path_above_recursion_level(void ** state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x10000,            .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->recursion_level = 0;
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6217): Maximum level of recursion reached. Depth:1 recursion_level:0 'c:\\windows\\a\\path'");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_fail_to_add_event_to_hashmap(void ** state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x10000,            .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap_check_path_type, dir, STR_TEST_PATH);
+    will_return(__wrap_check_path_type, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6298): Removed folder event received for 'c:\\windows\\a\\path'");
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.fd);
+        expect_string(__wrap_OSHash_Add_ex, key, "1193046");
+        will_return(__wrap_OSHash_Add_ex, 0);
+
+        expect_string(__wrap__merror, formatted_msg,
+            "(6631): The event could not be added to the 'whodata' hash table. Target: '1193046'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_duplicate_handle_id_fail_to_delete(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap_check_path_type, dir, STR_TEST_PATH);
+    will_return(__wrap_check_path_type, 2);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.fd);
+        expect_string(__wrap_OSHash_Add_ex, key, "1193046");
+        will_return(__wrap_OSHash_Add_ex, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg,
+            "(6630): The event could not be added to the 'whodata' hash table because it is duplicated. Target: '1193046'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6229): The handler ('1193046') will be updated.");
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, (whodata_evt *)NULL);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6626): The handler '1193046' could not be removed from the whodata hash table.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_duplicate_handle_id_fail_to_readd(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evtdup = malloc(sizeof(whodata_evt));
+
+    if(w_evtdup == NULL)
+        fail();
+
+    memset(w_evtdup, 0, sizeof(whodata_evt));
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap_check_path_type, dir, STR_TEST_PATH);
+    will_return(__wrap_check_path_type, 2);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.fd);
+        expect_string(__wrap_OSHash_Add_ex, key, "1193046");
+        will_return(__wrap_OSHash_Add_ex, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg,
+            "(6630): The event could not be added to the 'whodata' hash table because it is duplicated. Target: '1193046'.");
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6229): The handler ('1193046') will be updated.");
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evtdup);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.fd);
+        expect_string(__wrap_OSHash_Add_ex, key, "1193046");
+        will_return(__wrap_OSHash_Add_ex, 0);
+
+        expect_string(__wrap__merror, formatted_msg,
+            "(6631): The event could not be added to the 'whodata' hash table. Target: '1193046'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4656_success(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4656,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    // Inside whodata_event_parse
+    {
+        // Inside get_whodata_path
+        {
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+
+            expect_memory(wrap_WideCharToMultiByte, lpWideCharStr, WCS_TEST_PATH, wcslen(WCS_TEST_PATH) * sizeof(WCHAR));
+            expect_value(wrap_WideCharToMultiByte, cchWideChar, -1);
+            will_return(wrap_WideCharToMultiByte, STR_TEST_PATH);
+            will_return(wrap_WideCharToMultiByte, strlen(STR_TEST_PATH));
+        }
+
+        expect_memory(__wrap_convert_windows_string, string, L"user_name", wcslen(L"user_name"));
+        will_return(__wrap_convert_windows_string, strdup("user_name"));
+
+        expect_memory(__wrap_convert_windows_string, string, L"process_name", wcslen(L"process_name"));
+        will_return(__wrap_convert_windows_string, strdup("process_name"));
+
+        will_return(wrap_ConvertSidToStringSid, "S-8-15");
+        will_return(wrap_ConvertSidToStringSid, 6);
+    }
+
+    expect_string(__wrap_check_path_type, dir, STR_TEST_PATH);
+    will_return(__wrap_check_path_type, 2);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.fd);
+        expect_string(__wrap_OSHash_Add_ex, key, "1193046");
+        will_return(__wrap_OSHash_Add_ex, 2);
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4719_success(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4719,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    policies_checked = 1;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_WHODATA_POLICY_CHANGE_CHANNEL);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4663_fail_to_get_mask(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'mask'.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4663_no_permissions(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x0,                .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4663_fail_to_recover_event(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, NULL);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+void test_whodata_callback_4663_event_is_on_file(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=72623859790382856,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    w_evt->scan_directory = 0;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+    assert_int_equal(w_evt->mask, 0x123456);
+}
+
+void test_whodata_callback_4663_event_is_not_rename_or_copy(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x10000,            .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=72623859790382856,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    w_evt->scan_directory = 1;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+    assert_int_equal(w_evt->mask, 0x10000);
+}
+
+void test_whodata_callback_4663_non_monitored_directory(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=72623859790382856,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6319): No configuration found for (file):'c:\\a\\path'");
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6243): The 'c:\\a\\path' directory has been discarded because it is not being monitored in whodata mode.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 2);
+}
+
+void test_whodata_callback_4663_fail_to_add_new_directory(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=72623859790382856,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\windows"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.directories);
+    expect_string(__wrap_OSHash_Get, key, "c:\\windows");
+    will_return(__wrap_OSHash_Get, NULL);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.directories);
+        expect_string(__wrap_OSHash_Add_ex, key, "c:\\windows");
+        will_return(__wrap_OSHash_Add_ex, 0);
+
+        expect_string(__wrap__merror, formatted_msg,
+            "(6631): The event could not be added to the 'directories' hash table. Target: 'c:\\windows'.");
+    }
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 2);
+}
+
+void test_whodata_callback_4663_new_files_added(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=72623859790382856,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\windows"), !w_evt->path)
+        fail();
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    w_evt->scan_directory = 1;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.directories);
+    expect_string(__wrap_OSHash_Get, key, "c:\\windows");
+    will_return(__wrap_OSHash_Get, NULL);
+
+    // Inside whodata_hash_add
+    {
+        expect_value(__wrap_OSHash_Add_ex, self, syscheck.wdata.directories);
+        expect_string(__wrap_OSHash_Add_ex, key, "c:\\windows");
+        will_return(__wrap_OSHash_Add_ex, 2);
+    }
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6244): New files have been detected in the 'c:\\windows' directory and will be scanned.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 1);
+}
+
+void test_whodata_callback_4663_wrong_time_type(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=0,                  .Count=0, .Type=EvtVarTypeNull },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\windows"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_string(__wrap__mwarn, formatted_msg, "(6932): Invalid parameter type (0) for 'event_time'.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 2);
+}
+
+void test_whodata_callback_4663_abort_scan(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=133022717170000000,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+    whodata_directory w_dir;
+
+    if(w_evt->path = strdup("c:\\windows"), !w_evt->path)
+        fail();
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    w_evt->scan_directory = 1;
+
+    memset(&w_dir, 0, sizeof(whodata_directory));
+    w_dir.QuadPart = 133022717170000000;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.directories);
+    expect_string(__wrap_OSHash_Get, key, "c:\\windows");
+    will_return(__wrap_OSHash_Get, &w_dir);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6241): The 'c:\\windows' directory has been scanned. It does not need to be scanned again.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 3);
+}
+
+void test_whodata_callback_4663_directory_will_be_scanned(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4663,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+        { .Int64Val=133022717170000000,  .Count=1, .Type=EvtVarTypeFileTime },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+    whodata_directory w_dir;
+
+    if(w_evt->path = strdup("c:\\windows"), !w_evt->path)
+        fail();
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    w_evt->scan_directory = 1;
+
+    memset(&w_dir, 0, sizeof(whodata_directory));
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Get, key, "1193046");
+    will_return(__wrap_OSHash_Get, w_evt);
+
+    expect_value(__wrap_OSHash_Get, self, syscheck.wdata.directories);
+    expect_string(__wrap_OSHash_Get, key, "c:\\windows");
+    will_return(__wrap_OSHash_Get, &w_dir);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(6244): New files have been detected in the 'c:\\windows' directory and will be scanned.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+    assert_int_equal(w_evt->mask, 0x123456);
+    assert_int_equal(w_evt->scan_directory, 1);
+    assert_int_not_equal(w_dir.QuadPart, 0);
+}
+
+void test_whodata_callback_4658_no_event_recovered(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, NULL);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_file_event(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 0;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "c:\\a\\path");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_directory_delete_event(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,            .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+    w_evt->mask = 0x10000;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "c:\\a\\path");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_directory_new_file_detected(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+    w_evt->mask = 0x2;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "c:\\a\\path");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_directory_scan_for_new_files(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+    w_evt->mask = 0x4;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap_fim_whodata_event, w_evt->path, "c:\\a\\path");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_directory_no_new_files(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 1;
+    w_evt->mask = 0x0;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6245): The 'c:\\a\\path' directory has not been scanned because no new files have been detected. Mask: '0'");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_4658_scan_aborted(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=4658,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+    whodata_evt *w_evt = *state;
+
+    if(w_evt->path = strdup("c:\\a\\path"), !w_evt->path)
+        fail();
+
+    w_evt->scan_directory = 2;
+    w_evt->mask = 0x0;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_value(__wrap_OSHash_Delete_ex, self, syscheck.wdata.fd);
+    expect_string(__wrap_OSHash_Delete_ex, key, "1193046");
+    will_return(__wrap_OSHash_Delete_ex, w_evt);
+
+    expect_string(__wrap__mdebug1, formatted_msg,
+        "(6232): Scanning of the 'c:\\a\\path' directory is aborted because something has gone wrong.");
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 0);
+}
+
+void test_whodata_callback_unexpected_event_id(void **state) {
+    EVT_SUBSCRIBE_NOTIFY_ACTION action = EvtSubscribeActionDeliver;
+    EVT_HANDLE event = NULL;
+    EVT_VARIANT raw_data[] = {
+        { .UInt16Val=1234,              .Count=1, .Type=EvtVarTypeUInt16 },
+        { .StringVal=L"user_name",      .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=WCS_TEST_PATH,     .Count=1, .Type=EvtVarTypeString },
+        { .StringVal=L"process_name",   .Count=1, .Type=EvtVarTypeString },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int64Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt64 },
+        { .Int32Val=0x123456,           .Count=1, .Type=EvtVarTypeHexInt32 },
+        { .StringVal=L"S-8-15",         .Count=1, .Type=EvtVarTypeSid },
+    };
+    unsigned long result;
+
+    successful_whodata_event_render(event, raw_data);
+
+    expect_string(__wrap__merror, formatted_msg, FIM_ERROR_WHODATA_EVENTID);
+
+    result = whodata_callback(action, NULL, event);
+    assert_int_equal(result, 1);
+}
+
+/********************************************************************************************/
+void test_check_object_sacl_open_process_error(void **state) {
+    int ret;
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)NULL);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)NULL);
+    will_return(wrap_OpenProcessToken, 0);
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6648): OpenProcessToken() failed. Error '5'.");
+
+    ret = check_object_sacl("C:\\a\\path", 0);
+
+    assert_int_equal(ret, 2);
+}
+
+void test_check_object_sacl_unable_to_set_privilege(void **state) {
+    int ret;
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)123456);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 0);
+        will_return(wrap_LookupPrivilegeValue, 0);
+
+        will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+        expect_string(__wrap__merror, formatted_msg,
+            "(6647): Could not find the 'SeSecurityPrivilege' privilege. Error: 5");
+    }
+
+    will_return(wrap_GetLastError, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg, "(6659): The privilege could not be activated. Error: '5'.");
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = check_object_sacl("C:\\a\\path", 0);
+
+    assert_int_equal(ret, 2);
+}
+
+void test_check_object_sacl_unable_to_retrieve_security_info(void **state) {
+    int ret;
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)123456);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, NULL);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_FILE_NOT_FOUND);
+
+    expect_string(__wrap__merror, formatted_msg, "(6650): GetNamedSecurityInfo() failed. Error '2'");
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = check_object_sacl("C:\\a\\path", 0);
+
+    assert_int_equal(ret, 2);
+}
+
+void test_check_object_sacl_invalid_sacl(void **state) {
+    ACL acl;
+    int ret;
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)123456);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // is_valid_sacl
+    {
+        SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &acl);
+        will_return(wrap_GetAce, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 700);
+
+        expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+    }
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = check_object_sacl("C:\\a\\path", 0);
+
+    assert_int_equal(ret, 1);
+}
+
+void test_check_object_sacl_valid_sacl(void **state) {
+    ACL acl;
+    int ret;
+
+    will_return(wrap_GetCurrentProcess, (HANDLE)123456);
+    expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+    will_return(wrap_OpenProcessToken, (HANDLE)123456);
+    will_return(wrap_OpenProcessToken, 1);
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+    }
+
+    expect_string(wrap_GetNamedSecurityInfo, pObjectName, "C:\\a\\path");
+    expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+    expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+    will_return(wrap_GetNamedSecurityInfo, &acl);
+    will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+    will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+    // Inside is_valid_sacl
+    {
+        SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+        ACCESS_ALLOWED_ACE ace;
+
+        everyone_sid = NULL;
+        ev_sid_size = 1;
+
+        // Set the ACL and ACE data
+        ace.Header.AceFlags = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG;
+        ace.Mask = FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES | DELETE;
+
+        expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+        expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+        will_return(wrap_AllocateAndInitializeSid, 1);
+
+        will_return(wrap_GetAce, &ace);
+        will_return(wrap_GetAce, 1);
+
+        will_return(wrap_EqualSid, 1);
+    }
+
+    // Inside set_privilege
+    {
+        expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+        will_return(wrap_LookupPrivilegeValue, 234567);
+        will_return(wrap_LookupPrivilegeValue, 1);
+
+        expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+        expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+        will_return(wrap_AdjustTokenPrivileges, 1);
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+    }
+
+    expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+    will_return(wrap_CloseHandle, 0);
+
+    ret = check_object_sacl("C:\\a\\path", 0);
+
+    assert_int_equal(ret, 0);
+}
+
+/* run_whodata_scan */
+
+void test_run_whodata_scan_invalid_arch(void **state) {
+    int ret;
+/* whodata_check_arch() */
+{
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, NULL);
+    will_return(wrap_RegOpenKeyEx, ERROR_ACCESS_DENIED);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1758): Unable to open registry key: 'System\\CurrentControlSet\\Control\\Session Manager\\Environment'.");
+}
+    ret = run_whodata_scan();
+    assert_int_equal(ret, 1);
+}
+
+void test_run_whodata_scan_no_audit_policies(void **state) {
+    int ret;
+
+/* Inside whodata_check_arch */
+{
+    HKEY key;
+    const BYTE data[64] = "ARM64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+}
+
+/* Inside set_policies */
+{
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+    expect_string(__wrap_remove, filename, "tmp\\backup-policies");
+    will_return(__wrap_remove, 1);
+
+    expect_any(__wrap__merror, formatted_msg);
+}
+
+    expect_string(__wrap__merror, formatted_msg,
+         "(6916): Local audit policies could not be configured.");
+
+    ret = run_whodata_scan();
+    assert_int_equal(ret, 1);
+}
+
+void test_run_whodata_scan_no_auto_audit_policies(void **state) {
+    int ret;
+
+/* Inside whodata_check_arch */
+{
+    HKEY key;
+    const BYTE data[64] = "ARM64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+}
+
+/* Inside set_policies */
+{
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+    expect_string(__wrap_remove, filename, "tmp\\backup-policies");
+    will_return(__wrap_remove, 0);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries + 1][OS_SIZE_1024];
+
+    for (i = 0;  i <= retries; i++) {
+        expect_wm_exec("auditpol /backup /file:\"tmp\\backup-policies\"", retries+i, NULL, NULL, 1, 0);
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6915): Audit policies could not be auto-configured due to the Windows version. Check if they are correct for whodata mode.");
+
+}
+    expect_string(__wrap__merror, formatted_msg, "(6916): Local audit policies could not be configured.");
+
+    ret = run_whodata_scan();
+    assert_int_equal(ret, 1);
+}
+
+void test_run_whodata_scan_error_event_channel(void **state) {
+    int ret;
+
+/* Inside whodata_check_arch */
+{
+    HKEY key;
+    const BYTE data[64] = "ARM64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+}
+
+/* Inside set_policies */
+{
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1234);
+
+    expect_string(__wrap_wfopen, path, "tmp\\new-policies");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE*)2345);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, "some policies");
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, "some policies");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, NULL);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)2345);
+    will_return(__wrap_fclose, 0);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /restore /file:\"tmp\\new-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)1234);
+    will_return(__wrap_fclose, 0);
+}
+
+    DWORD fields_number = 9;
+    EVT_HANDLE event;
+
+    expect_value(wrap_EvtCreateRenderContext, ValuePathsCount, fields_number);
+    expect_value(wrap_EvtCreateRenderContext, ValuePaths, event_fields);
+    expect_value(wrap_EvtCreateRenderContext, Flags, EvtRenderContextValues);
+    will_return(wrap_EvtCreateRenderContext, event);
+
+    wchar_t *query = L"Event[ System[band(Keywords, 9007199254740992)] and "
+                            "( ( ( EventData/Data[@Name='ObjectType'] = 'File' ) and "
+                            "( (  System/EventID = 4656 or System/EventID = 4663 ) and "
+                            "( EventData[band(Data[@Name='AccessMask'], 327938‬)] ) ) ) or "
+                            "System/EventID = 4658 or System/EventID = 4660 ) ]";
+
+    expect_value(wrap_EvtSubscribe, Session, NULL);
+    expect_value(wrap_EvtSubscribe, SignalEvent, NULL);
+    expect_string(wrap_EvtSubscribe, ChannelPath, L"Security");
+    expect_string(wrap_EvtSubscribe, Query, query);
+    expect_value(wrap_EvtSubscribe, Bookmark, NULL);
+    expect_value(wrap_EvtSubscribe, Context, NULL);
+    expect_value(wrap_EvtSubscribe, Callback, (EVT_SUBSCRIBE_CALLBACK)whodata_callback);
+    expect_value(wrap_EvtSubscribe, Flags, EvtSubscribeToFutureEvents);
+
+    will_return(wrap_EvtSubscribe, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(6621): Event Channel subscription could not be made. Whodata scan is disabled.");
+
+    ret = run_whodata_scan();
+    assert_int_equal(ret, 1);
+}
+
+void test_run_whodata_scan_success(void **state) {
+    int ret;
+
+/* Inside whodata_check_arch */
+{
+    HKEY key;
+    const BYTE data[64] = "ARM64";
+
+    expect_value(wrap_RegOpenKeyEx, hKey, HKEY_LOCAL_MACHINE);
+    expect_string(wrap_RegOpenKeyEx, lpSubKey,
+        "System\\CurrentControlSet\\Control\\Session Manager\\Environment");
+    expect_value(wrap_RegOpenKeyEx, ulOptions, 0);
+    expect_value(wrap_RegOpenKeyEx, samDesired, KEY_READ);
+    will_return(wrap_RegOpenKeyEx, &key);
+    will_return(wrap_RegOpenKeyEx, ERROR_SUCCESS);
+
+    expect_string(wrap_RegQueryValueEx, lpValueName, "PROCESSOR_ARCHITECTURE");
+    expect_value(wrap_RegQueryValueEx, lpReserved, NULL);
+    expect_value(wrap_RegQueryValueEx, lpType, NULL);
+    will_return(wrap_RegQueryValueEx, data);
+    will_return(wrap_RegQueryValueEx, ERROR_SUCCESS);
+
+}
+
+/* Inside set_policies */
+{
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1234);
+
+    expect_string(__wrap_wfopen, path, "tmp\\new-policies");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE*)2345);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, "some policies");
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, "some policies");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, NULL);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)2345);
+    will_return(__wrap_fclose, 0);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /restore /file:\"tmp\\new-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)1234);
+    will_return(__wrap_fclose, 0);
+}
+
+    DWORD fields_number = 9;
+    EVT_HANDLE event;
+
+    expect_value(wrap_EvtCreateRenderContext, ValuePathsCount, fields_number);
+    expect_value(wrap_EvtCreateRenderContext, ValuePaths, event_fields);
+    expect_value(wrap_EvtCreateRenderContext, Flags, EvtRenderContextValues);
+    will_return(wrap_EvtCreateRenderContext, event);
+
+    wchar_t *query = L"Event[ System[band(Keywords, 9007199254740992)] and "
+                            "( ( ( EventData/Data[@Name='ObjectType'] = 'File' ) and "
+                            "( (  System/EventID = 4656 or System/EventID = 4663 ) and "
+                            "( EventData[band(Data[@Name='AccessMask'], 327938‬)] ) ) ) or "
+                            "System/EventID = 4658 or System/EventID = 4660 ) ]";
+
+    expect_value(wrap_EvtSubscribe, Session, NULL);
+    expect_value(wrap_EvtSubscribe, SignalEvent, NULL);
+    expect_string(wrap_EvtSubscribe, ChannelPath, L"Security");
+    expect_string(wrap_EvtSubscribe, Query, query);
+    expect_value(wrap_EvtSubscribe, Bookmark, NULL);
+    expect_value(wrap_EvtSubscribe, Context, NULL);
+    expect_value(wrap_EvtSubscribe, Callback, (EVT_SUBSCRIBE_CALLBACK)whodata_callback);
+    expect_value(wrap_EvtSubscribe, Flags, EvtSubscribeToFutureEvents);
+
+    will_return(wrap_EvtSubscribe, 1);
+
+    expect_string(__wrap__minfo, formatted_msg, "(6019): File integrity monitoring real-time Whodata engine started.");
+
+    ret = run_whodata_scan();
+    assert_int_equal(ret, 0);
+}
+
+void test_set_subscription_query(void **state) {
+    wchar_t output[OS_MAXSTR];
+    wchar_t *expected_output = L"Event[ System[band(Keywords, 9007199254740992)] and "
+                                "( ( ( EventData/Data[@Name='ObjectType'] = 'File' ) and "
+                                "( (  System/EventID = 4656 or System/EventID = 4663 ) and "
+                                "( EventData[band(Data[@Name='AccessMask'], 327938‬)] ) ) ) or "
+                                "System/EventID = 4658 or System/EventID = 4660 ) ]";
+
+    set_subscription_query(output);
+
+    assert_memory_equal(output, expected_output, wcslen(expected_output));
+}
+
+void test_set_policies_unable_to_remove_backup_file(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap_remove, filename, "tmp\\backup-policies");
+    will_return(__wrap_remove, -1);
+    errno = EACCES;
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6660): 'tmp\\backup-policies' could not be removed: 'Permission denied' (13).");
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_policies_fail_getting_policies(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries+1][OS_SIZE_1024];
+
+    for (i = 0;  i <= retries; i++) {
+        expect_wm_exec("auditpol /backup /file:\"tmp\\backup-policies\"", retries+i, NULL, NULL, 1, 0);
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg,
+    "(6915): Audit policies could not be auto-configured due to the Windows version. Check if they are correct for whodata mode.");
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 2);
+}
+
+void test_set_policies_unable_to_open_backup_file(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, NULL);
+    errno = EACCES;
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6661): 'tmp\\backup-policies' could not be opened: 'Permission denied' (13).");
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_policies_unable_to_open_new_file(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1234);
+
+    expect_string(__wrap_wfopen, path, "tmp\\new-policies");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, NULL);
+    errno = EACCES;
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6661): 'tmp\\new-policies' could not be opened: 'Permission denied' (13).");
+
+    expect_value(__wrap_fclose, _File, (FILE*)1234);
+    will_return(__wrap_fclose, 0);
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 1);
+}
+
+void test_set_policies_unable_to_restore_policies(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1234);
+
+    expect_string(__wrap_wfopen, path, "tmp\\new-policies");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE*)2345);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, "some policies");
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, "some policies");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, NULL);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)2345);
+    will_return(__wrap_fclose, 0);
+
+    int i;
+    int retries = 5;
+    char error_msgs[retries+1][OS_SIZE_1024];
+
+    for (i = 0;  i <= retries; i++) {
+        expect_wm_exec("auditpol /restore /file:\"tmp\\new-policies\"", retries+i, NULL, NULL, 1, 0);
+        snprintf(error_msgs[i], sizeof(error_msgs[i]), "(6955): Auditpol command failed, attempt number: %d", i + 1);
+        expect_string(__wrap__merror, formatted_msg, error_msgs[i]);
+    }
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6915): Audit policies could not be auto-configured due to the Windows version. Check if they are correct for whodata mode.");
+
+    expect_value(__wrap_fclose, _File, (FILE*)1234);
+    will_return(__wrap_fclose, 0);
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 2);
+}
+
+void test_set_policies_success(void **state) {
+    int ret;
+
+    expect_string(__wrap_IsFile, file, "tmp\\backup-policies");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /backup /file:\"tmp\\backup-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap_wfopen, path, "tmp\\backup-policies");
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1234);
+
+    expect_string(__wrap_wfopen, path, "tmp\\new-policies");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE*)2345);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, "some policies");
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, "some policies");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fgets, __stream, (FILE*)1234);
+    will_return(wrap_fgets, NULL);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(wrap_fprintf, __stream, 2345);
+    expect_string(wrap_fprintf, formatted_msg, ",System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},,,1\n");
+    will_return(wrap_fprintf, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)2345);
+    will_return(__wrap_fclose, 0);
+
+    expect_string(__wrap_wm_exec, command, "auditpol /restore /file:\"tmp\\new-policies\"");
+    expect_value(__wrap_wm_exec, secs, 5);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_value(__wrap_fclose, _File, (FILE*)1234);
+    will_return(__wrap_fclose, 0);
+
+    ret = set_policies();
+
+    assert_int_equal(ret, 0);
+}
+
+void test_state_checker_no_files_to_check(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    OSList_CleanNodes(syscheck.directories);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_state_checker_file_not_whodata(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    // Leverage Free_Syscheck not free the wdata struct
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status &= ~WD_CHECK_WHODATA;
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_state_checker_file_does_not_exist(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    SYSTEMTIME st;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    memset(&st, 0, sizeof(SYSTEMTIME));
+    st.wYear = 2020;
+    st.wMonth = 3;
+    st.wDay = 3;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    expect_string(__wrap_check_path_type, dir, "c:\\a\\path");
+    will_return(__wrap_check_path_type, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg,
+        "(6022): 'c:\\a\\path' has been deleted. It will not be monitored in real-time Whodata mode.");
+
+    will_return(wrap_GetSystemTime, &st);
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+    assert_memory_equal(&((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.last_check, &st, sizeof(SYSTEMTIME));
+    assert_int_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type, WD_STATUS_UNK_TYPE);
+    assert_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status & WD_STATUS_EXISTS);
+}
+
+void test_state_checker_file_with_invalid_sacl(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    ACL acl;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    acl.AceCount = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    expect_string(__wrap_check_path_type, dir, "c:\\a\\path");
+    will_return(__wrap_check_path_type, 1);
+
+    // Inside check_object_sacl
+    {
+        will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+        expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+        will_return(wrap_OpenProcessToken, (HANDLE)123456);
+        will_return(wrap_OpenProcessToken, 1);
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+        }
+
+        expect_string(wrap_GetNamedSecurityInfo, pObjectName, "c:\\a\\path");
+        expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        will_return(wrap_GetNamedSecurityInfo, &acl);
+        will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+        will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+        // is_valid_sacl
+        {
+
+            expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+            expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+            will_return(wrap_AllocateAndInitializeSid, 1);
+
+            will_return(wrap_GetAce, &acl);
+            will_return(wrap_GetAce, 0);
+
+            will_return(wrap_GetLastError, (unsigned int) 700);
+
+            expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+        }
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+        }
+
+        expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+        will_return(wrap_CloseHandle, 0);
+    }
+
+    expect_string(__wrap__minfo, formatted_msg,
+        "(6021): The SACL of 'c:\\a\\path' has been modified and it is not valid for the real-time Whodata mode. Whodata will not be available for this file.");
+
+    // Inside notify_SACL_change
+    {
+        expect_string(__wrap_SendMSG, message,
+            "ossec: Audit: The SACL of 'c:\\a\\path' has been modified and can no longer be scanned in whodata mode.");
+        expect_string(__wrap_SendMSG, locmsg, "syscheck");
+        expect_value(__wrap_SendMSG, loc, LOCALFILE_MQ);
+        will_return(__wrap_SendMSG, 0); // Return value is discarded
+    }
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type, WD_STATUS_FILE_TYPE);
+    assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status & WD_STATUS_EXISTS);
+    assert_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE);
+}
+
+void test_state_checker_file_with_valid_sacl(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    SYSTEMTIME st;
+    ACL acl;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    memset(&st, 0, sizeof(SYSTEMTIME));
+    st.wYear = 2020;
+    st.wMonth = 3;
+    st.wDay = 3;
+
+    acl.AceCount = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    expect_string(__wrap_check_path_type, dir, "c:\\a\\path");
+    will_return(__wrap_check_path_type, 1);
+
+    // Inside check_object_sacl
+    {
+        will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+        expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+        will_return(wrap_OpenProcessToken, (HANDLE)123456);
+        will_return(wrap_OpenProcessToken, 1);
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+        }
+
+        expect_string(wrap_GetNamedSecurityInfo, pObjectName, "c:\\a\\path");
+        expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        will_return(wrap_GetNamedSecurityInfo, &acl);
+        will_return(wrap_GetNamedSecurityInfo, (PSECURITY_DESCRIPTOR)2345);
+        will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+        // Inside is_valid_sacl
+        {
+            SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+            ACCESS_ALLOWED_ACE ace;
+
+            everyone_sid = NULL;
+            ev_sid_size = 1;
+
+            // Set the ACL and ACE data
+            ace.Header.AceFlags = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG;
+            ace.Mask = FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | FILE_WRITE_ATTRIBUTES | DELETE;
+
+            expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+            expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+            will_return(wrap_AllocateAndInitializeSid, 1);
+
+            will_return(wrap_GetAce, &ace);
+            will_return(wrap_GetAce, 1);
+
+            will_return(wrap_EqualSid, 1);
+        }
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+        }
+
+        expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+        will_return(wrap_CloseHandle, 0);
+    }
+
+    will_return(wrap_GetSystemTime, &st);
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+    assert_memory_equal(&((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.last_check, &st, sizeof(SYSTEMTIME));
+    assert_int_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type, WD_STATUS_FILE_TYPE);
+    assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status & WD_STATUS_EXISTS);
+    assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE);
+}
+
+void test_state_checker_dir_readded_error(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    char debug_msg[OS_MAXSTR];
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status &= ~WD_STATUS_EXISTS;
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    expect_string(__wrap_check_path_type, dir, "c:\\a\\path");
+    will_return(__wrap_check_path_type, 2);
+
+    expect_string(__wrap__minfo, formatted_msg,
+        "(6020): 'c:\\a\\path' has been re-added. It will be monitored in real-time Whodata mode.");
+
+    // Inside set_winsacl
+    {
+        snprintf(debug_msg, OS_MAXSTR, FIM_SACL_CONFIGURE, ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->path);
+        expect_string(__wrap__mdebug2, formatted_msg, debug_msg);
+
+        will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+        expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+        will_return(wrap_OpenProcessToken, (HANDLE)123456);
+        will_return(wrap_OpenProcessToken, 0);
+
+        will_return(wrap_GetLastError, (unsigned int) 500);
+        expect_string(__wrap__merror, formatted_msg, "(6648): OpenProcessToken() failed. Error '500'.");
+    }
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(6619): Unable to add directory to whodata real time monitoring: 'c:\\a\\path'. It will be monitored in Realtime");
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type, WD_STATUS_DIR_TYPE);
+    assert_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status & WD_STATUS_EXISTS);
+    assert_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE);
+}
+
+void test_state_checker_dir_readded_succesful(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    ACL acl;
+    ACL_SIZE_INFORMATION old_sacl_info = {.AceCount = 1};
+    SYSTEM_AUDIT_ACE ace;
+    SECURITY_DESCRIPTOR security_descriptor;
+    SID_IDENTIFIER_AUTHORITY world_auth = {SECURITY_WORLD_SID_AUTHORITY};
+    SYSTEMTIME st;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    acl.AceCount = 1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status &= ~WD_STATUS_EXISTS;
+    ((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type = WD_STATUS_UNK_TYPE;
+
+    memset(&st, 0, sizeof(SYSTEMTIME));
+    st.wYear = 2020;
+    st.wMonth = 3;
+    st.wDay = 3;
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    expect_string(__wrap_check_path_type, dir, "c:\\a\\path");
+    will_return(__wrap_check_path_type, 2);
+
+    expect_string(__wrap__minfo, formatted_msg,
+        "(6020): 'c:\\a\\path' has been re-added. It will be monitored in real-time Whodata mode.");
+
+    // Inside set_winsacl
+    {
+        ev_sid_size = 1;
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6266): The SACL of 'c:\\a\\path' will be configured.");
+
+        will_return(wrap_GetCurrentProcess, (HANDLE)4321);
+        expect_value(wrap_OpenProcessToken, DesiredAccess, TOKEN_ADJUST_PRIVILEGES);
+        will_return(wrap_OpenProcessToken, (HANDLE)123456);
+        will_return(wrap_OpenProcessToken, 1);
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6268): The 'SeSecurityPrivilege' privilege has been added.");
+        }
+
+        // GetNamedSecurity
+        expect_string(wrap_GetNamedSecurityInfo, pObjectName, "c:\\a\\path");
+        expect_value(wrap_GetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_GetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        will_return(wrap_GetNamedSecurityInfo, &acl);
+        will_return(wrap_GetNamedSecurityInfo, &security_descriptor);
+        will_return(wrap_GetNamedSecurityInfo, ERROR_SUCCESS);
+
+        // Inside is_valid_sacl
+        {
+            expect_memory(wrap_AllocateAndInitializeSid, pIdentifierAuthority, &world_auth, 6);
+            expect_value(wrap_AllocateAndInitializeSid, nSubAuthorityCount, 1);
+            will_return(wrap_AllocateAndInitializeSid, 1);
+
+            will_return(wrap_GetAce, &acl);
+            will_return(wrap_GetAce, 0);
+
+            will_return(wrap_GetLastError, (unsigned int) 700);
+
+            expect_string(__wrap__merror, formatted_msg, "(6633): Could not extract the ACE information. Error: '700'.");
+        }
+
+        expect_string(__wrap__mdebug2, formatted_msg, "(6263): Setting up SACL for 'c:\\a\\path'");
+
+        will_return(wrap_GetAclInformation, &old_sacl_info);
+        will_return(wrap_GetAclInformation, 1);
+
+        expect_value(wrap_win_alloc, size, 9);
+        will_return(wrap_win_alloc, 1234);
+
+        expect_value(wrap_InitializeAcl, pAcl, 1234);
+        expect_value(wrap_InitializeAcl, nAclLength, 9);
+        expect_value(wrap_InitializeAcl, dwAclRevision, ACL_REVISION);
+        will_return(wrap_InitializeAcl, 1);
+
+        will_return(wrap_GetAce, &old_sacl_info);
+        will_return(wrap_GetAce, 1);
+
+        expect_value(wrap_AddAce, pAcl, 1234);
+        will_return(wrap_AddAce, 1);
+
+        expect_value(wrap_win_alloc, size, 9);
+        will_return(wrap_win_alloc, &ace);
+
+        will_return(wrap_CopySid, 1);
+
+        expect_value(wrap_AddAce, pAcl, 1234);
+        will_return(wrap_AddAce, 1);
+
+        expect_string(wrap_SetNamedSecurityInfo, pObjectName, "c:\\a\\path");
+        expect_value(wrap_SetNamedSecurityInfo, ObjectType, SE_FILE_OBJECT);
+        expect_value(wrap_SetNamedSecurityInfo, SecurityInfo, SACL_SECURITY_INFORMATION);
+        expect_value(wrap_SetNamedSecurityInfo, psidOwner, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, psidGroup, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, pDacl, NULL);
+        expect_value(wrap_SetNamedSecurityInfo, pSacl, 1234);
+        will_return(wrap_SetNamedSecurityInfo, ERROR_SUCCESS);
+
+        // Inside set_privilege
+        {
+            expect_string(wrap_LookupPrivilegeValue, lpName, "SeSecurityPrivilege");
+            will_return(wrap_LookupPrivilegeValue, 234567);
+            will_return(wrap_LookupPrivilegeValue, 1);
+
+            expect_value(wrap_AdjustTokenPrivileges, TokenHandle, (HANDLE)123456);
+            expect_value(wrap_AdjustTokenPrivileges, DisableAllPrivileges, 0);
+            will_return(wrap_AdjustTokenPrivileges, 1);
+
+            expect_string(__wrap__mdebug2, formatted_msg, "(6269): The 'SeSecurityPrivilege' privilege has been removed.");
+        }
+
+        expect_value(wrap_CloseHandle, hObject, (HANDLE)123456);
+        will_return(wrap_CloseHandle, 0);
+    }
+
+    will_return(wrap_GetSystemTime, &st);
+
+    ret = state_checker(input);
+
+    assert_int_equal(ret, 0);
+    assert_memory_equal(&((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.last_check, &st, sizeof(SYSTEMTIME));
+    assert_int_equal(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.object_type, WD_STATUS_DIR_TYPE);
+    assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->dirs_status.status & WD_STATUS_EXISTS);
+    assert_non_null(((directory_t *)OSList_GetDataFromIndex(syscheck.directories, 0))->options & WHODATA_ACTIVE);
+}
+
+void test_state_checker_not_match_policy(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    void *input = NULL;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    OSList_CleanNodes(syscheck.directories);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    pol_data->paudit_policy[0].AuditingInformation = POLICY_AUDIT_EVENT_FAILURE;
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_string(__wrap__mwarn, formatted_msg, FIM_WHODATA_POLICY_CHANGE_CHECKER);
+
+    ret = state_checker(input);
+
+    pol_data->paudit_policy[0].AuditingInformation = POLICY_AUDIT_EVENT_SUCCESS;
+
+    assert_int_equal(ret, 0);
+}
+
+void test_state_checker_dirs_cleanup_no_nodes(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    ret = state_checker(NULL);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 0);
+}
+
+void test_state_checker_dirs_cleanup_single_non_stale_node(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    whodata_directory * w_dir;
+    FILETIME current_time;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    if (w_dir = calloc(1, sizeof(whodata_directory)), !w_dir)
+        fail();
+
+    GetSystemTimeAsFileTime(&current_time);
+
+    w_dir->LowPart = current_time.dwLowDateTime;
+    w_dir->HighPart = current_time.dwHighDateTime;
+
+    if (__real_OSHash_Add(syscheck.wdata.directories, "C:\\some\\path", w_dir) != 2)
+        fail();
+
+    ret = state_checker(NULL);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 1);
+    assert_non_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path"));
+}
+
+void test_state_checker_dirs_cleanup_single_stale_node(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    whodata_directory * w_dir;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    if (w_dir = calloc(1, sizeof(whodata_directory)), !w_dir)
+        fail();
+
+    w_dir->LowPart = 0;
+    w_dir->HighPart = 0;
+
+    if (__real_OSHash_Add(syscheck.wdata.directories, "C:\\some\\path", w_dir) != 2)
+        fail();
+
+    expect_value(__wrap_OSHash_Delete, self, syscheck.wdata.directories);
+    expect_string(__wrap_OSHash_Delete, key, "C:\\some\\path");
+    will_return(__wrap_OSHash_Delete, w_dir);
+
+    ret = state_checker(NULL);
+
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path");
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 0);
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path"));
+}
+
+void test_state_checker_dirs_cleanup_multiple_nodes_none_stale(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    FILETIME current_time;
+    int i;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    for (i = 0; i < 3; i++) {
+        char key[OS_SIZE_256];
+        whodata_directory * w_dir;
+
+        if (w_dir = calloc(1, sizeof(whodata_directory)), !w_dir)
+            fail();
+
+        GetSystemTimeAsFileTime(&current_time);
+
+        w_dir->LowPart = current_time.dwLowDateTime;
+        w_dir->HighPart = current_time.dwHighDateTime;
+
+        snprintf(key, OS_SIZE_256, "C:\\some\\path-%d", i);
+
+        if (__real_OSHash_Add(syscheck.wdata.directories, key, w_dir) != 2)
+            fail();
+    }
+
+    ret = state_checker(NULL);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 3);
+    assert_non_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-0"));
+    assert_non_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-1"));
+    assert_non_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-2"));
+}
+
+void test_state_checker_dirs_cleanup_multiple_nodes_some_stale(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    FILETIME current_time;
+    int i;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    for (i = 0; i < 3; i++) {
+        char key[OS_SIZE_256];
+        whodata_directory * w_dir;
+
+        snprintf(key, OS_SIZE_256, "C:\\some\\path-%d", i);
+
+        if (w_dir = calloc(1, sizeof(whodata_directory)), !w_dir)
+            fail();
+
+        if (i % 2 == 0) {
+            w_dir->LowPart = 0;
+            w_dir->HighPart = 0;
+
+            expect_value(__wrap_OSHash_Delete, self, syscheck.wdata.directories);
+            expect_any(__wrap_OSHash_Delete, key);
+            will_return(__wrap_OSHash_Delete, w_dir);
+        } else {
+            GetSystemTimeAsFileTime(&current_time);
+
+            w_dir->LowPart = current_time.dwLowDateTime;
+            w_dir->HighPart = current_time.dwHighDateTime;
+
+        }
+
+        if (__real_OSHash_Add(syscheck.wdata.directories, key, w_dir) != 2)
+            fail();
+
+    }
+
+    ret = state_checker(NULL);
+
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path-0");
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path-2");
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 1);
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-0"));
+    assert_non_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-1"));
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-2"));
+}
+
+void test_state_checker_dirs_cleanup_multiple_nodes_all_stale(void ** state) {
+    policy_info *pol_data = *state;
+    int ret;
+    int i;
+    char debug_msg1[OS_SIZE_1024];
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    snprintf(debug_msg1, OS_SIZE_1024, FIM_WHODATA_CHECKTHREAD, 300);
+    expect_string(__wrap__mdebug1, formatted_msg, debug_msg1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_STATE_CHECKER);
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 0);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    expect_value(__wrap_atomic_int_get, atomic, &whodata_end);
+    will_return(__wrap_atomic_int_get, 1);
+
+    expect_value(wrap_Sleep, dwMilliseconds, WDATA_DEFAULT_INTERVAL_SCAN * 1000);
+
+    for (i = 0; i < 3; i++) {
+        char key[OS_SIZE_256];
+        whodata_directory * w_dir;
+
+        if (w_dir = calloc(1, sizeof(whodata_directory)), !w_dir)
+            fail();
+
+        w_dir->LowPart = 0;
+        w_dir->HighPart = 0;
+
+        snprintf(key, OS_SIZE_256, "C:\\some\\path-%d", i);
+
+        expect_value(__wrap_OSHash_Delete, self, syscheck.wdata.directories);
+        expect_any(__wrap_OSHash_Delete, key);
+        will_return(__wrap_OSHash_Delete, w_dir);
+
+        if (__real_OSHash_Add(syscheck.wdata.directories, key, w_dir) != 2)
+            fail();
+    }
+    ret = state_checker(NULL);
+
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path-0");
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path-1");
+    __real_OSHash_Delete(syscheck.wdata.directories, "C:\\some\\path-2");
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(syscheck.wdata.directories->elements, 0);
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-0"));
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-1"));
+    assert_null(__real_OSHash_Get(syscheck.wdata.directories, "C:\\some\\path-2"));
+}
+
+void test_whodata_audit_start_fail_to_create_directories_hash_table(void **state) {
+    int ret;
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    ret = whodata_audit_start();
+
+    assert_int_equal(ret, 1);
+    assert_null(syscheck.wdata.directories);
+}
+
+void test_whodata_audit_start_fail_to_create_fd_hash_table(void **state) {
+    int ret;
+
+    expect_function_calls(__wrap_OSHash_Create, 2);
+    will_return(__wrap_OSHash_Create, 1234);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    ret = whodata_audit_start();
+
+    assert_int_equal(ret, 1);
+    assert_ptr_equal(syscheck.wdata.directories, 1234);
+    assert_null(syscheck.wdata.fd);
+}
+
+void test_whodata_audit_start_success(void **state) {
+    wchar_t *str = L"C:";
+    wchar_t *volume_name = L"\\\\?\\Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}\\";
+    int ret;
+
+    expect_function_calls(__wrap_OSHash_Create, 2);
+    will_return(__wrap_OSHash_Create, 1234);
+    will_return(__wrap_OSHash_Create, 2345);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, FIM_WHODATA_VOLUMES);
+
+    // Inside get_volume_names
+    {
+        will_return(wrap_FindFirstVolumeW, volume_name);
+        will_return(wrap_FindFirstVolumeW, (HANDLE)123456);
+
+        expect_string(wrap_QueryDosDeviceW, lpDeviceName, L"Volume{6B29FC40-CA47-1067-B31D-00DD010662DA}");
+        will_return(wrap_QueryDosDeviceW, wcslen(str));
+        will_return(wrap_QueryDosDeviceW, str);
+        will_return(wrap_QueryDosDeviceW, wcslen(str));
+
+        // Inside get_drive_names
+        {
+            wchar_t *volume_paths = L"A\0C\0\\Some\\path\0";
+
+            expect_memory(wrap_GetVolumePathNamesForVolumeNameW, lpszVolumeName, volume_name, wcslen(volume_name));
+
+            will_return(wrap_GetVolumePathNamesForVolumeNameW, 16);
+            will_return(wrap_GetVolumePathNamesForVolumeNameW, volume_paths);
+            will_return(wrap_GetVolumePathNamesForVolumeNameW, 1);
+
+            expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'A'");
+            expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point 'C'");
+            expect_string(__wrap__mdebug1, formatted_msg, "(6303): Device 'C\\' associated with the mounting point '\\Some\\path'");
+        }
+
+        expect_value(wrap_FindNextVolumeW, hFindVolume, (HANDLE)123456);
+        will_return(wrap_FindNextVolumeW, L"");
+        will_return(wrap_FindNextVolumeW, 0);
+
+        will_return(wrap_GetLastError, ERROR_NO_MORE_FILES);
+
+        expect_value(wrap_FindVolumeClose, hFindVolume, (HANDLE)123456);
+        will_return(wrap_FindVolumeClose, 1);
+    }
+
+    ret = whodata_audit_start();
+
+    assert_int_equal(ret, 0);
+    assert_ptr_equal(syscheck.wdata.directories, 1234);
+    assert_ptr_equal(syscheck.wdata.fd, 2345);
+}
+
+void test_policy_check_match(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg3[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg3, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "File System", guid_FileSystem);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg3);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, 0);
+}
+
+void test_policy_check_not_match(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    char debug_msg2[OS_SIZE_1024];
+    char debug_msg4[OS_SIZE_1024];
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+    snprintf(debug_msg4, OS_SIZE_1024, FIM_WHODATA_SUCCESS_POLICY, "Handle Manipulation", guid_Handle);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg4);
+
+    pol_data->paudit_policy[0].AuditingInformation = POLICY_AUDIT_EVENT_FAILURE;
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    pol_data->paudit_policy[0].AuditingInformation = POLICY_AUDIT_EVENT_SUCCESS;
+
+    assert_int_equal(ret, 1);
+}
+
+void test_policy_check_LsaOpenPolicy_fail(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+
+    expect_policy_check_match_call((NTSTATUS)1,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_policy_check_LsaQueryInformationPolicy_fail(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)1,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_policy_check_AuditLookupCategoryGuidFromCategoryId_fail(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, FALSE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_policy_check_AuditEnumerateSubCategories_fail(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    char debug_msg2[OS_SIZE_1024];
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, FALSE,
+                                   pol_data->paudit_policy, TRUE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_policy_check_AuditQuerySystemPolicy_fail(void **state) {
+    policy_info *pol_data = *state;
+    int ret;
+    char debug_msg2[OS_SIZE_1024];
+
+    expect_string(__wrap__mdebug2, formatted_msg, FIM_WHODATA_POLICY_OPENED);
+    snprintf(debug_msg2, OS_SIZE_1024, FIM_WHODATA_OBJECT_ACCESS, guid_ObjectAccess);
+    expect_string(__wrap__mdebug2, formatted_msg, debug_msg2);
+
+    expect_policy_check_match_call((NTSTATUS)0,
+                                   pol_data->audit_event_info, (NTSTATUS)0,
+                                   pol_data->category_guid, TRUE,
+                                   2, TRUE,
+                                   pol_data->paudit_policy, FALSE);
+
+    ret = policy_check();
+
+    assert_int_equal(ret, -1);
+}
+
+void test_win_whodata_release_resources(void **state) {
+    will_return_count(__wrap_os_random, 12345, 2);
+    syscheck.wdata.fd = __real_OSHash_Create();
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+    expect_function_call_any(__wrap_pthread_mutex_lock);
+    expect_function_call_any(__wrap_pthread_mutex_unlock);
+
+    will_return(wrap_EvtClose, 0);
+
+    win_whodata_release_resources(&syscheck.wdata);
+
+}
+
+/**************************************************************************/
+int main(void) {
+    int ret;
+    const struct CMUnitTest tests[] = {
+        /* set_winsacl */
+        cmocka_unit_test(test_set_winsacl_failed_opening),
+        cmocka_unit_test(test_set_winsacl_failed_privileges),
+        cmocka_unit_test(test_set_winsacl_failed_security_descriptor),
+        cmocka_unit_test(test_set_winsacl_no_need_to_configure_acl),
+        cmocka_unit_test(test_set_winsacl_unable_to_get_acl_info),
+        cmocka_unit_test(test_set_winsacl_fail_to_alloc_new_sacl),
+        cmocka_unit_test(test_set_winsacl_fail_to_initialize_new_sacl),
+        cmocka_unit_test(test_set_winsacl_fail_getting_ace_from_old_sacl),
+        cmocka_unit_test(test_set_winsacl_fail_adding_old_ace_into_new_sacl),
+        cmocka_unit_test(test_set_winsacl_fail_to_alloc_new_ace),
+        cmocka_unit_test(test_set_winsacl_fail_to_copy_sid),
+        cmocka_unit_test(test_set_winsacl_fail_to_add_ace),
+        cmocka_unit_test(test_set_winsacl_fail_to_set_security_info),
+        cmocka_unit_test(test_set_winsacl_success),
+        /* set_privilege */
+        cmocka_unit_test(test_set_privilege_lookup_error),
+        cmocka_unit_test(test_set_privilege_adjust_token_error),
+        cmocka_unit_test(test_set_privilege_elevate_privilege),
+        cmocka_unit_test(test_set_privilege_reduce_privilege),
+        /* w_update_sacl */
+        cmocka_unit_test(test_w_update_sacl_AllocateAndInitializeSid_error),
+        cmocka_unit_test(test_w_update_sacl_OpenProcessToken_error),
+        cmocka_unit_test(test_w_update_sacl_add_privilege_error),
+        cmocka_unit_test(test_w_update_sacl_GetNamedSecurityInfo_error),
+        cmocka_unit_test(test_w_update_sacl_GetAclInformation_error),
+        cmocka_unit_test(test_w_update_sacl_alloc_new_sacl_error),
+        cmocka_unit_test(test_w_update_sacl_InitializeAcl_error),
+        cmocka_unit_test(test_w_update_sacl_alloc_ace_error),
+        cmocka_unit_test(test_w_update_sacl_CopySid_error),
+        cmocka_unit_test(test_w_update_sacl_old_sacl_GetAce_error),
+        cmocka_unit_test(test_w_update_sacl_old_sacl_AddAce_error),
+        cmocka_unit_test(test_w_update_sacl_new_sacl_AddAce_error),
+        cmocka_unit_test(test_w_update_sacl_SetNamedSecurityInfo_error),
+        cmocka_unit_test(test_w_update_sacl_remove_privilege_error),
+        cmocka_unit_test(test_w_update_sacl_success),
+        /* whodata_check_arch */
+        cmocka_unit_test(test_whodata_check_arch_open_registry_key_error),
+        cmocka_unit_test(test_whodata_check_arch_query_key_value_error),
+        cmocka_unit_test(test_whodata_check_arch_not_supported_arch),
+        cmocka_unit_test(test_whodata_check_arch_x86),
+        cmocka_unit_test(test_whodata_check_arch_amd64),
+        cmocka_unit_test(test_whodata_check_arch_ia64),
+        cmocka_unit_test(test_whodata_check_arch_arm64),
+        /* get_whodata_path */
+        cmocka_unit_test(test_get_whodata_path_error_determining_buffer_size),
+        cmocka_unit_test(test_get_whodata_path_error_copying_buffer),
+        cmocka_unit_test_teardown(test_get_whodata_path_success, teardown_memblock),
+        /* is_valid_sacl */
+        cmocka_unit_test(test_is_valid_sacl_sid_error),
+        cmocka_unit_test(test_is_valid_sacl_sacl_not_found),
+        cmocka_unit_test(test_is_valid_sacl_ace_not_found),
+        cmocka_unit_test(test_is_valid_sacl_not_valid),
+        cmocka_unit_test(test_is_valid_sacl_valid),
+        /* replace_device_path */
+        cmocka_unit_test_setup_teardown(test_replace_device_path_invalid_path, setup_replace_device_path, teardown_replace_device_path),
+        cmocka_unit_test_setup_teardown(test_replace_device_path_empty_wdata_device, setup_replace_device_path, teardown_replace_device_path),
+        cmocka_unit_test_setup_teardown(test_replace_device_path_device_not_found, setup_replace_device_path, teardown_replace_device_path),
+        cmocka_unit_test_setup_teardown(test_replace_device_path_device_found, setup_replace_device_path, teardown_replace_device_path),
+        /* get_drive_names */
+        cmocka_unit_test(test_get_drive_names_access_denied_error),
+        cmocka_unit_test(test_get_drive_names_more_data_error),
+        cmocka_unit_test_teardown(test_get_drive_names_success, teardown_wdata_device),
+        /* get_volume_names */
+        cmocka_unit_test(test_get_volume_names_unable_to_find_first_volume),
+        cmocka_unit_test(test_get_volume_names_bad_path),
+        cmocka_unit_test(test_get_volume_names_no_dos_device),
+        cmocka_unit_test(test_get_volume_names_error_on_next_volume),
+        cmocka_unit_test(test_get_volume_names_no_more_files),
+        /* notify_SACL_change */
+        cmocka_unit_test(test_notify_SACL_change),
+        /* whodata_hash_add */
+        // TODO: Should we add tests for NULL input parameter?
+        cmocka_unit_test(test_whodata_hash_add_unable_to_add),
+        cmocka_unit_test(test_whodata_hash_add_duplicate_entry),
+        cmocka_unit_test(test_whodata_hash_add_success),
+        /* restore_sacls */
+        cmocka_unit_test(test_restore_sacls_openprocesstoken_failed),
+        cmocka_unit_test(test_restore_sacls_set_privilege_failed),
+        cmocka_unit_test_setup_teardown(test_restore_sacls_securityNameInfo_failed, setup_restore_sacls, teardown_restore_sacls),
+        cmocka_unit_test_setup_teardown(test_restore_sacls_deleteAce_failed, setup_restore_sacls, teardown_restore_sacls),
+        cmocka_unit_test_setup_teardown(test_restore_sacls_SetNamedSecurityInfo_failed, setup_restore_sacls, teardown_restore_sacls),
+        cmocka_unit_test_setup_teardown(test_restore_sacls_success, setup_restore_sacls, teardown_restore_sacls),
+        /* restore_audit_policies */
+        cmocka_unit_test(test_restore_audit_policies_backup_not_found),
+        cmocka_unit_test(test_restore_audit_policies_command_failed),
+        cmocka_unit_test(test_restore_audit_policies_command2_failed),
+        cmocka_unit_test(test_restore_audit_policies_command3_failed),
+        cmocka_unit_test(test_restore_audit_policies_success),
+        /* audit_restore */
+        cmocka_unit_test_setup_teardown(test_audit_restore, setup_restore_sacls, teardown_restore_sacls),
+        /* whodata_event_render */
+        cmocka_unit_test(test_whodata_event_render_fail_to_render_event),
+        cmocka_unit_test(test_whodata_event_render_wrong_property_count),
+        cmocka_unit_test_teardown(test_whodata_event_render_success, teardown_memblock),
+        /* whodata_get_event_id */
+        cmocka_unit_test(test_whodata_get_event_id_null_raw_data),
+        cmocka_unit_test(test_whodata_get_event_id_null_event_id),
+        cmocka_unit_test(test_whodata_get_event_id_wrong_event_type),
+        cmocka_unit_test(test_whodata_get_event_id_success),
+        /* whodata_get_handle_id */
+        cmocka_unit_test(test_whodata_get_handle_id_null_raw_data),
+        cmocka_unit_test(test_whodata_get_handle_id_null_handle_id),
+        cmocka_unit_test(test_whodata_get_handle_id_64bit_handle_success),
+        cmocka_unit_test(test_whodata_get_handle_id_32bit_handle_wrong_type),
+        cmocka_unit_test(test_whodata_get_handle_id_32bit_success),
+        cmocka_unit_test(test_whodata_get_handle_id_32bit_hex_success),
+        /* whodata_get_access_mask */
+        cmocka_unit_test(test_whodata_get_access_mask_null_raw_data),
+        cmocka_unit_test(test_whodata_get_access_mask_null_mask),
+        cmocka_unit_test(test_whodata_get_access_mask_wrong_type),
+        cmocka_unit_test(test_whodata_get_access_mask_success),
+        /* whodata_event_parse */
+        cmocka_unit_test(test_whodata_event_parse_null_raw_data),
+        cmocka_unit_test(test_whodata_event_parse_null_event_data),
+        cmocka_unit_test(test_whodata_event_parse_wrong_path_type),
+        cmocka_unit_test(test_whodata_event_parse_fail_to_get_path),
+        cmocka_unit_test(test_whodata_event_parse_filter_path),
+        cmocka_unit_test(test_whodata_event_parse_wrong_types),
+        cmocka_unit_test(test_whodata_event_parse_32bit_process_id),
+        cmocka_unit_test(test_whodata_event_parse_32bit_hex_process_id),
+        cmocka_unit_test(test_whodata_event_parse_64bit_process_id),
+        /* check_object_sacl */
+        cmocka_unit_test(test_check_object_sacl_open_process_error),
+        cmocka_unit_test(test_check_object_sacl_unable_to_set_privilege),
+        cmocka_unit_test(test_check_object_sacl_unable_to_retrieve_security_info),
+        cmocka_unit_test(test_check_object_sacl_invalid_sacl),
+        cmocka_unit_test(test_check_object_sacl_valid_sacl),
+        /* run_whodata_scan */
+        cmocka_unit_test(test_run_whodata_scan_invalid_arch),
+        cmocka_unit_test(test_run_whodata_scan_no_audit_policies),
+        cmocka_unit_test(test_run_whodata_scan_no_auto_audit_policies),
+        cmocka_unit_test(test_run_whodata_scan_error_event_channel),
+        cmocka_unit_test(test_run_whodata_scan_success),
+        /* set_subscription_query */
+        cmocka_unit_test(test_set_subscription_query),
+        /* set_policies */
+        cmocka_unit_test_teardown(test_set_policies_unable_to_remove_backup_file, teardown_reset_errno),
+        cmocka_unit_test(test_set_policies_fail_getting_policies),
+        cmocka_unit_test_teardown(test_set_policies_unable_to_open_backup_file, teardown_reset_errno),
+        cmocka_unit_test_teardown(test_set_policies_unable_to_open_new_file, teardown_reset_errno),
+        cmocka_unit_test(test_set_policies_unable_to_restore_policies),
+        cmocka_unit_test(test_set_policies_success),
+        /* whodata_audit_start */
+        cmocka_unit_test_teardown(test_whodata_audit_start_fail_to_create_directories_hash_table, teardown_whodata_audit_start),
+        cmocka_unit_test_teardown(test_whodata_audit_start_fail_to_create_fd_hash_table, teardown_whodata_audit_start),
+        cmocka_unit_test_teardown(test_whodata_audit_start_success, teardown_whodata_audit_start),
+        /* policy_check */
+        cmocka_unit_test_setup_teardown(test_policy_check_match, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_not_match, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_LsaOpenPolicy_fail, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_LsaQueryInformationPolicy_fail, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_AuditLookupCategoryGuidFromCategoryId_fail, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_AuditEnumerateSubCategories_fail, setup_policy_check, teardown_policy_check),
+        cmocka_unit_test_setup_teardown(test_policy_check_AuditQuerySystemPolicy_fail, setup_policy_check, teardown_policy_check),
+        /* win_whodata_release_resources */
+        cmocka_unit_test(test_win_whodata_release_resources),
+    };
+    const struct CMUnitTest whodata_callback_tests[] = {
+        /* whodata_callback */
+        cmocka_unit_test(test_whodata_callback_fail_to_render_event),
+        cmocka_unit_test(test_whodata_callback_fail_to_get_event_id),
+        cmocka_unit_test(test_whodata_callback_fail_to_get_handle_id),
+        cmocka_unit_test(test_whodata_callback_4656_fail_to_parse_event),
+        cmocka_unit_test(test_whodata_callback_4656_fail_to_get_access_mask),
+        cmocka_unit_test(test_whodata_callback_4656_non_monitored_directory),
+        cmocka_unit_test_teardown(test_whodata_callback_4656_non_whodata_directory, teardown_whodata_callback_restore_globals),
+        cmocka_unit_test_teardown(test_whodata_callback_4656_path_above_recursion_level, teardown_whodata_callback_restore_globals),
+        cmocka_unit_test(test_whodata_callback_4656_fail_to_add_event_to_hashmap),
+        cmocka_unit_test(test_whodata_callback_4656_duplicate_handle_id_fail_to_delete),
+        cmocka_unit_test(test_whodata_callback_4656_duplicate_handle_id_fail_to_readd),
+        cmocka_unit_test(test_whodata_callback_4656_success),
+        cmocka_unit_test(test_whodata_callback_4719_success),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_fail_to_get_mask, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_no_permissions, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test(test_whodata_callback_4663_fail_to_recover_event),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_event_is_on_file, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_event_is_not_rename_or_copy, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_non_monitored_directory, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_fail_to_add_new_directory, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_new_files_added, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_wrong_time_type, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_abort_scan, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4663_directory_will_be_scanned, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test(test_whodata_callback_4658_no_event_recovered),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_file_event, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_directory_delete_event, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_directory_new_file_detected, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_directory_scan_for_new_files, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_directory_no_new_files, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test_setup_teardown(test_whodata_callback_4658_scan_aborted, setup_win_whodata_evt, teardown_win_whodata_evt),
+        cmocka_unit_test(test_whodata_callback_unexpected_event_id),
+    };
+    const struct CMUnitTest state_checker_tests[] = {
+        /* state_checker */
+        cmocka_unit_test_teardown(test_state_checker_no_files_to_check, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_file_not_whodata, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_file_does_not_exist, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_file_with_invalid_sacl, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_file_with_valid_sacl, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_dir_readded_error, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_dir_readded_succesful, teardown_state_checker_restore_globals),
+        cmocka_unit_test_teardown(test_state_checker_not_match_policy, teardown_state_checker_restore_globals),
+    };
+    // The following group of tests are also executed on state_checker,
+    // though they only test the cleanup part of syscheck.wdata.directories logic.
+    // The context for these tests are different than the ones on the rest of the function, it might be a good idea to
+    // move this into its own thread.
+    const struct CMUnitTest wdata_directories_cleanup_tests[] = {
+        cmocka_unit_test(test_state_checker_dirs_cleanup_no_nodes),
+        cmocka_unit_test_teardown(test_state_checker_dirs_cleanup_single_non_stale_node, teardown_clean_directories_hash),
+        cmocka_unit_test_teardown(test_state_checker_dirs_cleanup_single_stale_node, teardown_clean_directories_hash),
+        cmocka_unit_test_teardown(test_state_checker_dirs_cleanup_multiple_nodes_none_stale, teardown_clean_directories_hash),
+        cmocka_unit_test_teardown(test_state_checker_dirs_cleanup_multiple_nodes_some_stale, teardown_clean_directories_hash),
+        cmocka_unit_test_teardown(test_state_checker_dirs_cleanup_multiple_nodes_all_stale, teardown_clean_directories_hash),
+    };
+
+
+    ret = cmocka_run_group_tests(whodata_callback_tests, setup_whodata_callback_group, teardown_whodata_callback_group);
+    ret += cmocka_run_group_tests(state_checker_tests, setup_state_checker, teardown_state_checker);
+    ret += cmocka_run_group_tests(wdata_directories_cleanup_tests, setup_wdata_dirs_cleanup, teardown_state_checker);
+    ret += cmocka_run_group_tests(tests, test_group_setup, test_group_teardown);
+
+    return ret;
+}
diff --git a/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.c b/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.c
new file mode 100644
index 0000000000..f07500ca65
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.c
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "audit_parse_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_audit_parse(__attribute__((unused)) char *buffer) {
+    function_called();
+}
diff --git a/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.h b/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.h
new file mode 100644
index 0000000000..767c544de0
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/audit_parse_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef AUDIT_PARSE_WRAPPERS
+#define AUDIT_PARSE_WRAPPERS
+
+void __wrap_audit_parse(char *buffer);
+
+#endif // AUDIT_PARSE_WRAPPERS
diff --git a/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.c b/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.c
new file mode 100644
index 0000000000..d1fbb1542c
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.c
@@ -0,0 +1,35 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "audit_rule_handling_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+
+void __wrap_fim_rules_initial_load() {
+    function_called();
+}
+
+void __wrap_add_whodata_directory(const char *path) {
+    check_expected_ptr(path);
+}
+
+void __wrap_remove_audit_rule_syscheck(const char *path) {
+    check_expected_ptr(path);
+}
+
+void __wrap_fim_audit_reload_rules() {
+    function_called();
+}
+
+int __wrap_fim_manipulated_audit_rules() {
+    return mock_type(int);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.h b/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.h
new file mode 100644
index 0000000000..1179d260fd
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/audit_rule_handling_wrappers.h
@@ -0,0 +1,24 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef AUDIT_RULE_HANDLING_WRAPPERS
+#define AUDIT_RULE_HANDLING_WRAPPERS
+
+void __wrap_fim_rules_initial_load();
+
+void __wrap_add_whodata_directory(const char *path);
+
+void __wrap_remove_audit_rule_syscheck(const char *path);
+
+void __wrap_fim_audit_reload_rules();
+
+int __wrap_fim_manipulated_audit_rules();
+
+#endif // AUDIT_RULE_HANDLING_WRAPPERS
diff --git a/src/modules/fim/tests/unit/wrappers/config_wrappers.c b/src/modules/fim/tests/unit/wrappers/config_wrappers.c
new file mode 100644
index 0000000000..3013fa4151
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/config_wrappers.c
@@ -0,0 +1,34 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "config_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int OSHash_Add_ex_check_data = 1;
+
+void __wrap_free_whodata_event(whodata_evt *w_evt) {
+    if (OSHash_Add_ex_check_data) {
+        check_expected(w_evt);
+    }
+}
+
+cJSON * __wrap_getRootcheckConfig() {
+    return mock_type(cJSON*);
+}
+
+cJSON * __wrap_getSyscheckConfig() {
+    return mock_type(cJSON*);
+}
+
+cJSON * __wrap_getSyscheckInternalOptions() {
+    return mock_type(cJSON*);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/config_wrappers.h b/src/modules/fim/tests/unit/wrappers/config_wrappers.h
new file mode 100644
index 0000000000..1c00ad346b
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/config_wrappers.h
@@ -0,0 +1,25 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSCHECKD_CONFIG_WRAPPERS_H
+#define SYSCHECKD_CONFIG_WRAPPERS_H
+
+#include "../syscheckd/include/syscheck.h"
+#include <cJSON.h>
+
+void __wrap_free_whodata_event(whodata_evt *w_evt);
+
+cJSON * __wrap_getRootcheckConfig();
+
+cJSON * __wrap_getSyscheckConfig();
+
+cJSON * __wrap_getSyscheckInternalOptions();
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/create_db_wrappers.c b/src/modules/fim/tests/unit/wrappers/create_db_wrappers.c
new file mode 100644
index 0000000000..8f0eceb0b3
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/create_db_wrappers.c
@@ -0,0 +1,95 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "create_db_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_fim_checker(const char *path, event_data_t *evt_data, const directory_t *configuration) {
+    check_expected(path);
+    check_expected(evt_data);
+    check_expected(configuration);
+}
+
+directory_t *__wrap_fim_configuration_directory(const char *path) {
+    check_expected(path);
+    return mock_type(directory_t *);
+}
+
+cJSON *__wrap_fim_json_event() {
+    return mock_type(cJSON *);
+}
+
+void __wrap_fim_realtime_event(char *file) {
+    check_expected(file);
+}
+
+int __wrap_fim_registry_event(__attribute__((unused)) char *key,
+                              __attribute__((unused)) fim_file_data *data,
+                              __attribute__((unused)) int pos) {
+    return mock();
+}
+
+int __wrap_fim_whodata_event(whodata_evt * w_evt)
+{
+    if (w_evt->process_id) check_expected(w_evt->process_id);
+    if (w_evt->user_id) check_expected(w_evt->user_id);
+    if (w_evt->process_name) check_expected(w_evt->process_name);
+    if (w_evt->path) check_expected(w_evt->path);
+#ifndef WIN32
+    if (w_evt->group_id) check_expected(w_evt->group_id);
+    if (w_evt->audit_uid) check_expected(w_evt->audit_uid);
+    if (w_evt->effective_uid) check_expected(w_evt->effective_uid);
+    if (w_evt->inode) check_expected(w_evt->inode);
+    if (w_evt->ppid) check_expected(w_evt->ppid);
+#endif
+    return 1;
+}
+
+void expect_fim_checker_call(const char *path, const directory_t *configuration) {
+    expect_string(__wrap_fim_checker, path, path);
+    expect_any(__wrap_fim_checker, evt_data);
+    expect_value(__wrap_fim_checker, configuration, configuration);
+}
+
+void expect_fim_configuration_directory_call(const char *path, directory_t *ret) {
+    expect_string(__wrap_fim_configuration_directory, path, path);
+    will_return(__wrap_fim_configuration_directory, ret);
+}
+
+void __wrap_free_entry(__attribute__((unused)) fim_entry *entry) {
+    return;
+}
+
+void __wrap_fim_db_transaction_deleted_rows(__attribute__((unused))TXN_HANDLE txn_handler,
+                                            __attribute__((unused))result_callback_t callback,
+                                            __attribute__((unused))void* txn_ctx) {
+    function_called();
+}
+
+int __wrap_fim_db_transaction_sync_row(__attribute__((unused))TXN_HANDLE txn_handler, __attribute__((unused))const fim_entry* entry){
+    return mock_type(int);
+}
+
+TXN_HANDLE __wrap_fim_db_transaction_start(__attribute__((unused))const char* table,
+                                           __attribute__((unused))result_callback_t row_callback,
+                                           __attribute__((unused))void *user_data){
+    return mock_type(TXN_HANDLE);
+}
+
+int __wrap_Start_win32_Syscheck() {
+    function_called();
+    return mock();
+}
+
+void __wrap_fim_generate_delete_event(){
+    function_called();
+}
diff --git a/src/modules/fim/tests/unit/wrappers/create_db_wrappers.h b/src/modules/fim/tests/unit/wrappers/create_db_wrappers.h
new file mode 100644
index 0000000000..221c55ac10
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/create_db_wrappers.h
@@ -0,0 +1,51 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef CREATE_DB_WRAPPERS_H
+#define CREATE_DB_WRAPPERS_H
+
+#include "../../../../syscheckd/include/syscheck.h"
+
+void __wrap_fim_checker(const char *path, event_data_t *evt_data, const directory_t *configuration);
+
+directory_t *__wrap_fim_configuration_directory(const char *path);
+
+cJSON *__wrap_fim_json_event();
+
+void __wrap_fim_realtime_event(char *file);
+
+int __wrap_fim_registry_event(char *key, fim_file_data *data, int pos);
+
+int __wrap_fim_whodata_event(whodata_evt * w_evt);
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of fim_configuration_directory
+ */
+void expect_fim_configuration_directory_call(const char *path, directory_t *ret);
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of fim_checker
+ */
+void expect_fim_checker_call(const char *path, const directory_t *configuration);
+
+void __wrap_free_entry(fim_entry *entry);
+
+
+TXN_HANDLE __wrap_fim_db_transaction_start(const char*, result_callback_t, void*);
+
+int __wrap_fim_db_transaction_sync_row(TXN_HANDLE, const fim_entry*);
+
+void __wrap_fim_db_transaction_deleted_rows(TXN_HANDLE txn_handler,
+                                            result_callback_t callback,
+                                            void* txn_ctx);
+int __wrap_Start_win32_Syscheck();
+
+void __wrap_fim_generate_delete_event();
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.c b/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.c
new file mode 100644
index 0000000000..580b46035e
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.c
@@ -0,0 +1,172 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "fim_db_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_fim_db_get_count_file_entry(){
+    return mock();
+}
+
+int __wrap_fim_db_get_count_registry_data(){
+    return mock();
+}
+
+int __wrap_fim_db_get_count_registry_key(){
+    return mock();
+}
+
+FIMDBErrorCode __wrap_fim_db_get_path(const char* file_path,
+                                     __attribute__((unused))callback_context_t callback) {
+    check_expected(file_path);
+
+    return mock();
+}
+
+void expect_fim_db_get_path(const char* path, int ret_val) {
+    expect_value(__wrap_fim_db_get_path, file_path, path);
+    will_return(__wrap_fim_db_get_path, ret_val);
+}
+
+FIMDBErrorCode __wrap_fim_db_init(int storage,
+                                  int sync_interval,
+                                  uint32_t sync_max_interval,
+                                  uint32_t sync_response_timeout,
+                                  __attribute__((unused)) fim_sync_callback_t sync_callback,
+                                  __attribute__((unused)) logging_callback_t log_callback,
+                                  int file_limit,
+                                  int value_limit,
+                                  int sync_registry_enable,
+                                  int sync_thread_pool,
+                                  int sync_queue_size) {
+    check_expected(storage);
+    check_expected(sync_interval);
+    check_expected(sync_max_interval);
+    check_expected(sync_response_timeout);
+    check_expected(file_limit);
+    check_expected(value_limit);
+    check_expected(sync_registry_enable);
+    check_expected(sync_thread_pool);
+    check_expected(sync_queue_size);
+
+    return mock_type(int);
+}
+
+void expect_wrapper_fim_db_init(int storage,
+                                int sync_interval,
+                                uint32_t sync_max_interval,
+                                uint32_t sync_response_timeout,
+                                int file_limit,
+                                int value_limit,
+                                int sync_registry_enable,
+                                int sync_thread_pool,
+                                int sync_queue_size) {
+    expect_value(__wrap_fim_db_init, storage, storage);
+    expect_value(__wrap_fim_db_init, sync_interval, sync_interval);
+    expect_value(__wrap_fim_db_init, file_limit, file_limit);
+    expect_value(__wrap_fim_db_init, sync_response_timeout, sync_response_timeout);
+    expect_value(__wrap_fim_db_init, sync_max_interval, sync_max_interval);
+    expect_value(__wrap_fim_db_init, value_limit, value_limit);
+    expect_value(__wrap_fim_db_init, sync_registry_enable, sync_registry_enable);
+    expect_value(__wrap_fim_db_init, sync_thread_pool, sync_thread_pool);
+    expect_value(__wrap_fim_db_init, sync_queue_size, sync_queue_size);
+
+    will_return(__wrap_fim_db_init, FIMDB_OK);
+}
+
+FIMDBErrorCode __wrap_fim_db_remove_path(const char *path) {
+    check_expected(path);
+
+    return mock_type(int);
+}
+
+int __wrap_fim_db_read_line_from_file(fim_tmp_file *file, int storage, int it, char **buffer) {
+    check_expected_ptr(file);
+    check_expected(storage);
+    check_expected(it);
+
+    *buffer = mock_type(char *);
+
+    return mock();
+}
+
+void __wrap_fim_db_clean_file(fim_tmp_file **file, int storage) {
+    check_expected_ptr(file);
+    check_expected(storage);
+}
+
+void expect_wrapper_fim_db_get_count_file_entry(int ret) {
+    will_return(__wrap_fim_db_get_count_file_entry, ret);
+}
+
+void expect_fim_db_remove_path(const char *path, int ret_val) {
+    expect_string(__wrap_fim_db_remove_path, path, path);
+    will_return(__wrap_fim_db_remove_path, ret_val);
+}
+
+FIMDBErrorCode __wrap_fim_db_file_update(__attribute__((unused)) fim_entry* new,
+                              __attribute__((unused)) callback_context_t callback)
+{
+    return mock_type(int);
+}
+
+FIMDBErrorCode __wrap_fim_db_file_pattern_search(const char* pattern,
+                                      __attribute__((unused)) callback_context_t callback) {
+    check_expected(pattern);
+
+    return mock();
+}
+
+void expect_fim_db_file_pattern_search(const char* pattern, int ret_val) {
+    expect_string(__wrap_fim_db_file_pattern_search, pattern, pattern);
+    will_return(__wrap_fim_db_file_pattern_search, ret_val);
+}
+
+FIMDBErrorCode __wrap_fim_db_file_inode_search(const unsigned long inode,
+                                    const unsigned long dev,
+                                    __attribute__((unused)) callback_context_t callback) {
+    check_expected(inode);
+    check_expected(dev);
+    return mock_type(int);
+}
+
+void expect_fim_db_file_inode_search(const unsigned long inode,
+                                     const unsigned long dev,
+                                     int retval) {
+    expect_value(__wrap_fim_db_file_inode_search, inode, inode);
+    expect_value(__wrap_fim_db_file_inode_search, dev, dev);
+    will_return(__wrap_fim_db_file_inode_search, retval);
+}
+
+int __wrap_fim_db_get_count_file_inode() {
+    return mock();
+}
+
+void __wrap_fim_run_integrity() {
+    function_called();
+}
+
+void __wrap_is_fim_shutdown() {
+    function_called();
+}
+
+void __wrap_fim_db_teardown() {
+    function_called();
+}
+
+void __wrap__imp__dbsync_initialize() {
+    function_called();
+}
+
+void __wrap__imp__rsync_initialize() {
+    function_called();
+}
diff --git a/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.h b/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.h
new file mode 100644
index 0000000000..d1c6f7478d
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_db_wrappers.h
@@ -0,0 +1,106 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef FIM_DB_WRAPPERS_H
+#define FIM_DB_WRAPPERS_H
+
+#include "../../../../syscheckd/include/syscheck.h"
+#include "../../../../syscheckd/src/db/include/fimCommonDefs.h"
+
+int __wrap_fim_db_get_checksum_range(fdb_t *fim_sql,
+                                     fim_type type,
+                                     const char *start,
+                                     const char *top,
+                                     int n,
+                                     EVP_MD_CTX *ctx_left,
+                                     EVP_MD_CTX *ctx_right,
+                                     char **str_pathlh,
+                                     char **str_pathuh);
+
+int __wrap_fim_db_get_count_file_entry();
+
+int __wrap_fim_db_get_count_registry_data();
+
+int __wrap_fim_db_get_count_registry_key();
+
+int __wrap_fim_db_get_count_range(fdb_t *fim_sql,
+                                  fim_type type,
+                                  char *start,
+                                  char *top,
+                                  int *count);
+
+FIMDBErrorCode __wrap_fim_db_get_path(const char *file_path, callback_context_t callback);
+void expect_fim_db_get_path(const char* path, int ret_val);
+
+FIMDBErrorCode __wrap_fim_db_init(int storage,
+                                  int sync_interval,
+                                  uint32_t sync_max_interval,
+                                  uint32_t sync_response_timeout,
+                                  fim_sync_callback_t sync_callback,
+                                  logging_callback_t log_callback,
+                                  int file_limit,
+                                  int value_limit,
+                                  int sync_registry_enable,
+                                  int sync_thread_pool,
+                                  int sync_queue_size);
+
+void expect_wrapper_fim_db_init(int storage,
+                                int sync_interval,
+                                uint32_t sync_max_interval,
+                                uint32_t sync_response_timeout,
+                                int file_limit,
+                                int value_limit,
+                                int sync_registry_enable,
+                                int sync_thread_pool,
+                                int sync_queue_size);
+
+FIMDBErrorCode __wrap_fim_db_remove_path(const char *path);
+
+int __wrap_fim_db_read_line_from_file(fim_tmp_file *file, int storage, int it, char **buffer);
+
+void __wrap_fim_db_clean_file(fim_tmp_file **file, int storage);
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of fim_db_get_count_file_entry
+ */
+void expect_wrapper_fim_db_get_count_file_entry(int ret);
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of fim_db_remove_path
+ */
+void expect_fim_db_remove_path(const char *path, int ret_val);
+
+FIMDBErrorCode __wrap_fim_db_file_update(fim_entry* new, callback_context_t callback);
+
+FIMDBErrorCode __wrap_fim_db_file_pattern_search(const char* pattern,
+                                      __attribute__((unused)) callback_context_t callback);
+
+void expect_fim_db_file_pattern_search(const char* pattern, int ret_val);
+
+FIMDBErrorCode __wrap_fim_db_file_inode_search(const unsigned long inode,
+                                    const unsigned long dev,
+                                    __attribute__((unused)) callback_context_t callback);
+void expect_fim_db_file_inode_search(const unsigned long inode,
+                                     const unsigned long dev,
+                                     int ret_val);
+
+int __wrap_fim_db_get_count_file_inode();
+
+void __wrap_fim_run_integrity();
+
+void __wrap_is_fim_shutdown();
+
+void __wrap_fim_db_teardown();
+
+void __wrap__imp__dbsync_initialize();
+
+void __wrap__imp__rsync_initialize();
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.c b/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.c
new file mode 100644
index 0000000000..dcbb7a8bfb
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.c
@@ -0,0 +1,64 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "fim_diff_changes_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+char *__wrap_fim_file_diff(const char *filename) {
+    check_expected(filename);
+
+    return mock_type(char *);
+}
+
+int __wrap_fim_diff_process_delete_file(const char *filename) {
+    check_expected(filename);
+
+    return mock();
+}
+
+void expect_fim_file_diff(const char *filename, char *ret) {
+    expect_string(__wrap_fim_file_diff, filename, filename);
+    will_return(__wrap_fim_file_diff, ret);
+}
+
+void expect_fim_diff_process_delete_file(const char *filename, int ret) {
+    expect_string(__wrap_fim_diff_process_delete_file, filename, filename);
+    will_return(__wrap_fim_diff_process_delete_file, ret);
+}
+
+#ifdef WIN32
+char *__wrap_fim_registry_value_diff(const char *key_name,
+                                     const char *value_name,
+                                     const char *value_data,
+                                     DWORD data_type,
+                                     __attribute__((unused)) const registry_t *configuration) {
+    check_expected(key_name);
+    check_expected(value_name);
+    check_expected(value_data);
+    check_expected(data_type);
+
+    return mock_type(char *);
+}
+
+void expect_fim_registry_value_diff(const char *key_name,
+                                    const char *value_name,
+                                    const char *value_data,
+                                    DWORD data_size,
+                                    DWORD data_type,
+                                    char *ret) {
+    expect_string(__wrap_fim_registry_value_diff, key_name, key_name);
+    expect_string(__wrap_fim_registry_value_diff, value_name, value_name);
+    expect_memory(__wrap_fim_registry_value_diff, value_data, value_data, data_size);
+    expect_value(__wrap_fim_registry_value_diff, data_type, data_type);
+    will_return(__wrap_fim_registry_value_diff, ret);
+}
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.h b/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.h
new file mode 100644
index 0000000000..5878c4d5f7
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_diff_changes_wrappers.h
@@ -0,0 +1,52 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef DIFF_CHANGES_WRAPPERS_H
+#define DIFF_CHANGES_WRAPPERS_H
+
+#ifdef WIN32
+#include <winsock2.h>
+#include <windows.h>
+#include "../../../../config/syscheck-config.h"
+#endif
+
+
+char *__wrap_fim_file_diff(const char *filename);
+
+int __wrap_fim_diff_process_delete_file(const char *file_name);
+
+/**
+ * @brief This function loads the expect and will return of the function fim_file_diff
+ */
+void expect_fim_file_diff(const char *filename, char *ret);
+
+/**
+ * @brief This function loads the expect and will return of the function fim_diff_process_delete_file
+ */
+void expect_fim_diff_process_delete_file(const char *filename, int ret);
+
+#ifdef WIN32
+char *__wrap_fim_registry_value_diff(const char *key_name,
+                                     const char *value_name,
+                                     const char *value_data,
+                                     DWORD data_type,
+                                     const registry_t *configuration);
+
+/**
+ * @brief This function loads the expect and will return of the function fim_registry_value_diff
+ */
+void expect_fim_registry_value_diff(const char *key_name,
+                                    const char *value_name,
+                                    const char *value_data,
+                                    DWORD data_size,
+                                    DWORD data_type,
+                                    char *ret);
+#endif
+#endif /* DIFF_CHANGES_WRAPPERS_H */
diff --git a/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.c b/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.c
new file mode 100644
index 0000000000..0ce09c7520
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.c
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "fim_sync_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_fim_sync_push_msg(const char * msg) {
+    check_expected(msg);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.h b/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.h
new file mode 100644
index 0000000000..9da4ff0d78
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/fim_sync_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef FIM_SYNC_WRAPPERS_H
+#define FIM_SYNC_WRAPPERS_H
+
+void __wrap_fim_sync_push_msg(const char * msg);
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/registry.c b/src/modules/fim/tests/unit/wrappers/registry.c
new file mode 100644
index 0000000000..fb5c1ae0cf
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/registry.c
@@ -0,0 +1,23 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "registry.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <cJSON.h>
+
+void __wrap_fim_registry_scan() {
+    return;
+}
+
+cJSON* __wrap_fim_dbsync_registry_value_json_event(){
+    return mock_ptr_type(cJSON*);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/registry.h b/src/modules/fim/tests/unit/wrappers/registry.h
new file mode 100644
index 0000000000..12e417801b
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/registry.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#include <cJSON.h>
+
+#ifndef WIN_REGISTRY_WRAPPERS_H
+#define WIN_REGISTRY_WRAPPERS_H
+
+void __wrap_fim_registry_scan();
+
+cJSON* __wrap_fim_dbsync_registry_value_json_event();
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/run_check_wrappers.c b/src/modules/fim/tests/unit/wrappers/run_check_wrappers.c
new file mode 100644
index 0000000000..6c6fa12b47
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/run_check_wrappers.c
@@ -0,0 +1,43 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "run_check_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <cJSON.h>
+void __wrap_fim_send_scan_info(__attribute__ ((__unused__)) fim_scan_event event) {
+    return;
+}
+
+int __wrap_send_log_msg(const char * msg) {
+    check_expected(msg);
+    return mock();
+}
+
+void __wrap_send_syscheck_msg(__attribute__((unused)) char *msg) {
+    function_called();
+    return;
+}
+
+void __wrap_fim_sync_check_eps() {
+    function_called();
+}
+
+// Send a state synchronization message
+void __wrap_fim_send_sync_state(const char* location, const char* msg) {
+    check_expected(location);
+    check_expected(msg);
+}
+
+void expect_fim_send_sync_state_call(const char* location, const char* msg) {
+    expect_value(__wrap_fim_send_sync_state, location, location);
+    expect_value(__wrap_fim_send_sync_state, msg, msg);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/run_check_wrappers.h b/src/modules/fim/tests/unit/wrappers/run_check_wrappers.h
new file mode 100644
index 0000000000..22b75f76e6
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/run_check_wrappers.h
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef RUN_CHECK_WRAPPERS_H
+#define RUN_CHECK_WRAPPERS_H
+
+#include "../../../../syscheckd/include/syscheck.h"
+
+void __wrap_fim_send_scan_info(fim_scan_event event);
+
+int __wrap_send_log_msg(const char * msg);
+
+void __wrap_send_syscheck_msg(char *msg);
+
+void __wrap_fim_sync_check_eps();
+
+// Send a state synchronization message
+void __wrap_fim_send_sync_state(const char* location, const char* msg);
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.c b/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.c
new file mode 100644
index 0000000000..c0d1469cef
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.c
@@ -0,0 +1,45 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "run_realtime_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_realtime_adddir(const char *dir,
+                           __attribute__((unused)) directory_t *configuration) {
+    check_expected(dir);
+
+    return mock();
+}
+
+
+int __wrap_realtime_start() {
+    return 0;
+}
+void __wrap_realtime_process() {
+    function_called();
+}
+
+void expect_realtime_adddir_call(const char *path, int ret) {
+    expect_string(__wrap_realtime_adddir, dir, path);
+    will_return(__wrap_realtime_adddir, ret);
+}
+
+int __wrap_fim_add_inotify_watch(const char *dir,
+                                 __attribute__((unused)) const directory_t *configuration) {
+    check_expected(dir);
+
+    return mock();
+}
+
+void __wrap_realtime_sanitize_watch_map() {
+    function_called();
+}
diff --git a/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.h b/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.h
new file mode 100644
index 0000000000..19bfa5453d
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/run_realtime_wrappers.h
@@ -0,0 +1,31 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+#ifndef RUN_REALTIME_WRAPPERS_H
+#define RUN_REALTIME_WRAPPERS_H
+
+#include "../../../../config/syscheck-config.h"
+
+int __wrap_realtime_adddir(const char *dir,
+                           directory_t *configuration);
+
+int __wrap_realtime_start();
+
+/**
+ * @brief This function loads the expect and will_return calls for the wrapper of realtime_adddir
+ */
+void expect_realtime_adddir_call(const char *path, int ret);
+
+int __wrap_fim_add_inotify_watch(const char *dir,
+                                 const directory_t *configuration);
+
+void __wrap_realtime_process();
+
+void __wrap_realtime_sanitize_watch_map();
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.c b/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.c
new file mode 100644
index 0000000000..b819332320
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.c
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_audit_read_events(int *audit_sock, int mode) {
+    check_expected(mode);
+    *audit_sock = mock_type(int);
+}
+
+int __wrap_init_auditd_socket(void) {
+    return mock_type(int);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.h b/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.h
new file mode 100644
index 0000000000..14b8be342c
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscheck_audit_wrappers.h
@@ -0,0 +1,17 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSCHECK_AUDIT_WRAPPERS
+#define SYSCHECK_AUDIT_WRAPPERS
+
+void __wrap_audit_read_events(int *audit_sock, int mode);
+
+int __wrap_init_auditd_socket(void);
+#endif // SYSCHECK_AUDIT_WRAPPERS
diff --git a/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.c b/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.c
new file mode 100644
index 0000000000..a286f83616
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.c
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include "syscheck_config_wrappers.h"
+
+char **__wrap_expand_wildcards(const char *path) {
+    check_expected(path);
+
+    return mock_type(char **);
+}
diff --git a/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.h b/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.h
new file mode 100644
index 0000000000..69ac6658ab
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscheck_config_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSCHECK_CONFIG_WRAPPERS
+#define SYSCHECK_CONFIG_WRAPPERS
+
+char **__wrap_expand_wildcards(const char *path);
+
+#endif // SYSCHECK_CONFIG_WRAPPERS
diff --git a/src/modules/fim/tests/unit/wrappers/syscom_wrappers.c b/src/modules/fim/tests/unit/wrappers/syscom_wrappers.c
new file mode 100644
index 0000000000..1afaac6e4e
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscom_wrappers.c
@@ -0,0 +1,20 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "syscom_wrappers.h"
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+size_t __wrap_syscom_dispatch(char * command, char ** output) {
+    check_expected(command);
+
+    *output = mock_type(char*);
+    return mock();
+}
diff --git a/src/modules/fim/tests/unit/wrappers/syscom_wrappers.h b/src/modules/fim/tests/unit/wrappers/syscom_wrappers.h
new file mode 100644
index 0000000000..c4d2f35b07
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/syscom_wrappers.h
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef SYSCOM_WRAPPERS_H
+#define SYSCOM_WRAPPERS_H
+
+#include <stddef.h>
+
+size_t __wrap_syscom_dispatch(char * command, char ** output);
+
+#endif
diff --git a/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.c b/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.c
new file mode 100644
index 0000000000..07f11a5575
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.c
@@ -0,0 +1,29 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "win_whodata_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_run_whodata_scan() {
+    return mock();
+}
+
+int __wrap_set_winsacl(const char *dir, directory_t *configuration) {
+    check_expected(dir);
+    check_expected(configuration);
+
+    return mock();
+}
+
+int __wrap_whodata_audit_start() {
+    return 0;
+}
diff --git a/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.h b/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.h
new file mode 100644
index 0000000000..1077ad1d11
--- /dev/null
+++ b/src/modules/fim/tests/unit/wrappers/win_whodata_wrappers.h
@@ -0,0 +1,22 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef WIN_WHODATA_WRAPPERS_H
+#define WIN_WHODATA_WRAPPERS_H
+
+#include "../../../../config/syscheck-config.h"
+
+int __wrap_run_whodata_scan();
+
+int __wrap_set_winsacl(const char *dir, directory_t *configuration);
+
+int __wrap_whodata_audit_start();
+
+#endif
diff --git a/src/modules/gcp/include/wm_gcp.h b/src/modules/gcp/include/wm_gcp.h
new file mode 100755
index 0000000000..0e24b60c78
--- /dev/null
+++ b/src/modules/gcp/include/wm_gcp.h
@@ -0,0 +1,69 @@
+/*
+ * Wazuh Module for Security Configuration Assessment
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 25, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_GCP_H
+#define WM_GCP_H
+
+#define WM_GCP_PUBSUB_LOGTAG ARGV0 ":gcp-pubsub"
+#define WM_GCP_BUCKET_LOGTAG ARGV0 ":gcp-bucket"
+#define WM_GCP_SCRIPT_PATH "wodles/gcloud/gcloud"
+#define WM_GCP_LOGGING_TOKEN ":gcloud_wodle:"
+
+#define WM_GCP_DEF_INTERVAL 3600
+
+typedef struct wm_gcp_pubsub {
+    int enabled;
+    int pull_on_start;
+    int max_messages;
+    int num_threads;
+    time_t next_time;
+    char *project_id;
+    char *subscription_name;
+    char *credentials_file;
+    sched_scan_config scan_config;
+} wm_gcp_pubsub;
+
+typedef struct wm_gcp_bucket {
+    char *bucket;                       // Bucket name
+    char *type;                         // String defining bucket type.
+    char *credentials_file;             // Path to the credentials file
+    char *prefix;                       // Prefix or path to filter files
+    char *only_logs_after;              // Date (YYYY-MMM-DD) to only parse logs after
+    unsigned int remove_from_bucket:1;  // Remove the logs from the bucket
+    struct wm_gcp_bucket *next;         // Pointer to next
+} wm_gcp_bucket;
+
+typedef struct wm_gcp_bucket_base {
+    unsigned int enabled:1;
+    unsigned int run_on_start:1;
+    sched_scan_config scan_config;
+    time_t next_time;                   // Absolute time for next scan
+    wm_gcp_bucket *buckets;             // buckets (linked list)
+} wm_gcp_bucket_base;
+
+extern const wm_context WM_GCP_PUBSUB_CONTEXT;   // Context
+extern const wm_context WM_GCP_BUCKET_CONTEXT;   // Context
+
+/**
+ * @brief Read the configuration for Google Cloud Pub/Sub
+ * @param nodes XML nodes to analyze
+ * @param module Wazuh module to initialize
+ */
+int wm_gcp_pubsub_read(xml_node **nodes, wmodule *module);
+
+/**
+ * @brief Read the configuration for a Google Cloud bucket
+ * @param nodes XML nodes to analyze
+ * @param module Wazuh module to initialize
+ */
+int wm_gcp_bucket_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+#endif
diff --git a/src/modules/gcp/scripts/__init__.py b/src/modules/gcp/scripts/__init__.py
new file mode 100644
index 0000000000..ea0d8aeea6
--- /dev/null
+++ b/src/modules/gcp/scripts/__init__.py
@@ -0,0 +1,3 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
diff --git a/src/modules/gcp/scripts/buckets/access_logs.py b/src/modules/gcp/scripts/buckets/access_logs.py
new file mode 100644
index 0000000000..7a9adeafd2
--- /dev/null
+++ b/src/modules/gcp/scripts/buckets/access_logs.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import csv
+import logging
+from os.path import dirname, realpath
+from sys import path
+
+path.append(dirname(realpath(__file__)))  # noqa: E501
+from bucket import WazuhGCloudBucket
+
+
+class GCSAccessLogs(WazuhGCloudBucket):
+    """Class for getting Google Cloud Storage Access Logs logs"""
+    def __init__(self, credentials_file: str, logger: logging.Logger, **kwargs):
+        """Class constructor.
+
+        Parameters
+        ----------
+        credentials_file : str
+            Path to credentials file.
+        logger : logging.Logger
+            Logger to use.
+        kwargs : any
+            Additional named arguments for WazuhGCloudBucket.
+        """
+        super().__init__(credentials_file, logger, **kwargs)
+        self.db_table_name = "access_logs"
+
+    def load_information_from_file(self, msg: str):
+        """Load the contents of an Access Logs blob and process them.
+
+        GCS Access Logs blobs will always contain the fieldnames as the first line while the remaining lines store the
+        data of the log itself.
+
+        Parameters
+        ----------
+        msg : str
+            A string with the contents of the blob file.
+
+        Returns
+        -------
+        list
+            A list of JSON formatted events.
+        """
+        # Clean and split each line in the file
+        lines = msg.replace('"', '').split("\n")
+
+        # Get the fieldnames from the first line
+        fieldnames = [field.strip() for field in lines[0].split(",")]
+        values = lines[1:]
+        tsv_file = csv.DictReader(values, fieldnames=fieldnames, delimiter=',')
+        return [dict(x, source='gcp_bucket') for x in tsv_file]
diff --git a/src/modules/gcp/scripts/buckets/bucket.py b/src/modules/gcp/scripts/buckets/bucket.py
new file mode 100644
index 0000000000..4c60760f8c
--- /dev/null
+++ b/src/modules/gcp/scripts/buckets/bucket.py
@@ -0,0 +1,326 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+import logging
+import sqlite3
+from sys import exit, path
+from datetime import datetime, timezone
+from json import dumps, JSONDecodeError
+from os.path import join, dirname, realpath
+
+path.append(join(dirname(realpath(__file__)), '..', '..'))  # noqa: E501
+import utils
+import exceptions
+import tools
+from integration import WazuhGCloudIntegration
+
+try:
+    from google.cloud import storage
+    from google.api_core import exceptions as google_exceptions
+    import pytz
+except ImportError as e:
+    raise exceptions.WazuhIntegrationException(errcode=1003, package=e.name)
+
+
+class WazuhGCloudBucket(WazuhGCloudIntegration):
+    """Class for getting Google Cloud Storage Bucket logs"""
+
+    def __init__(self, credentials_file: str, logger: logging.Logger, bucket_name: str, prefix: str = None,
+            delete_file: bool = False, only_logs_after: datetime = None, reparse : bool = False):
+        """Class constructor.
+
+        Parameters
+        ----------
+        credentials_file : str
+            Path to credentials file.
+        logger : logging.Logger
+            Logger to use.
+        bucket_name : str
+            Name of the bucket to read the logs from.
+        prefix : prefix
+            Expected prefix for the logs. It can be used to specify the relative path where the logs are stored.
+        delete_file : bool
+            Indicate whether blobs should be deleted after being processed.
+        only_logs_after : datetime
+            Date after which obtain logs.
+        reparse : bool
+            Whether to parse already parsed logs or not
+
+        Raises
+        ------
+        exceptions.GCloudError
+            If the credentials file doesn't exist or doesn't have the required
+            structure.
+        """
+        super().__init__(logger)
+        self.bucket_name = bucket_name
+        self.bucket = None
+        try:
+            self.client = storage.client.Client.from_service_account_json(credentials_file)
+        except JSONDecodeError as error:
+            raise exceptions.GCloudError(1000, credentials_file=credentials_file) from error
+        except FileNotFoundError as error:
+            raise exceptions.GCloudError(1001, credentials_file=credentials_file) from error
+        self.project_id = self.client.project
+        self.prefix = prefix if not prefix or prefix[-1] == '/' else f'{prefix}/'
+        self.delete_file = delete_file
+        self.only_logs_after = only_logs_after
+        self.default_date = datetime.now(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
+        self.db_path = join(utils.find_wazuh_path(), "wodles/gcloud/gcloud.db")
+        self.db_connector = None
+        self.db_table_name = None
+        self.datetime_format = "%Y-%m-%d %H:%M:%S.%f%z"
+        self.reparse = reparse
+
+        self.sql_create_table = """
+            CREATE TABLE
+                {table_name} (
+                project_id 'text' NOT NULL,
+                bucket_name 'text' NOT NULL,
+                prefix 'text' NULL,
+                blob_name 'text' NOT NULL,
+                creation_time 'text' NOT NULL,
+                PRIMARY KEY (project_id, bucket_name, prefix, blob_name));"""
+        self.sql_delete_processed_files = """
+            DELETE FROM
+                {table_name}
+            WHERE
+                project_id=:project_id AND
+                bucket_name=:bucket_name AND
+                prefix=:prefix;"""
+        self.sql_insert_processed_file = """
+            INSERT INTO {table_name} (
+                project_id,
+                bucket_name,
+                prefix,
+                blob_name,
+                creation_time)
+            VALUES
+                (:project_id,
+                :bucket_name,
+                :prefix,
+                :blob_name,
+                :creation_time);"""
+        self.sql_find_last_creation_time = """
+            SELECT
+                creation_time
+            FROM
+                {table_name}
+            WHERE
+                project_id=:project_id AND
+                bucket_name=:bucket_name AND
+                prefix =:prefix
+            ORDER BY
+                creation_time DESC
+            LIMIT 1;"""
+        self.sql_find_processed_files = """
+            SELECT
+                blob_name
+            FROM
+                {table_name}
+            WHERE
+                project_id=:project_id AND
+                bucket_name=:bucket_name AND
+                prefix =:prefix
+            ORDER BY
+                blob_name;"""
+
+    def _get_last_processed_files(self):
+        """Get the names of the blobs processed during the last execution.
+
+        Returns
+        -------
+        List of str
+            List with the filenames of all the previously processed blobs.
+        """
+        processed_files = self.db_connector.execute(
+            self.sql_find_processed_files.format(table_name=self.db_table_name), {
+                'project_id': self.project_id,
+                'bucket_name': self.bucket_name,
+                'prefix': self.prefix
+            })
+        return [p[0] for p in processed_files.fetchall()]
+
+    def _update_last_processed_files(self, processed_files: list):
+        """Remove the records for the previous execution and store the new values from the current one.
+
+        Parameters
+        ----------
+        processed_files : List of storage.blob
+            List with all the blobs successfully processed by the module.
+        """
+        if processed_files:
+            self.logger.info('Updating previously processed files.')
+            try:
+                self.db_connector.execute(self.sql_delete_processed_files.format(table_name=self.db_table_name), {
+                    'project_id': self.project_id,
+                    'bucket_name': self.bucket_name,
+                    'prefix': self.prefix
+                })
+            except sqlite3.OperationalError:
+                pass
+
+            for blob in processed_files:
+                creation_time = datetime.strftime(blob.time_created, self.datetime_format)
+                self.db_connector.execute(self.sql_insert_processed_file.format(table_name=self.db_table_name), {
+                    'project_id': self.project_id,
+                    'bucket_name': self.bucket_name,
+                    'prefix': self.prefix,
+                    'blob_name': blob.name,
+                    'creation_time': creation_time
+                })
+
+    def _get_last_creation_time(self):
+        """Get the latest creation time value stored in the database for the given project, bucket_name and
+        prefix.
+
+        Returns
+        -------
+        datetime or None
+            The datetime of the last log parsed or None if no log have been parsed yet for that bucket.
+        """
+        creation_time = datetime.min.replace(tzinfo=pytz.UTC)
+        query_creation_time = self.db_connector.execute(
+            self.sql_find_last_creation_time.format(table_name=self.db_table_name), {
+                'project_id': self.project_id,
+                'bucket_name': self.bucket_name,
+                'prefix': self.prefix
+            })
+        try:
+            creation_time_result = query_creation_time.fetchone()[0]
+            creation_time = datetime.strptime(creation_time_result, self.datetime_format)
+        except (TypeError, IndexError):
+            pass
+        return creation_time
+
+    def check_permissions(self):
+        """
+        Check if the Service Account has access to the bucket.
+
+        Raises
+        ------
+        exceptions.GCloudError
+            If the specified bucket doesn't exist or the client doesn't
+            have permissions to access it.
+        """
+        try:
+            self.bucket = self.client.get_bucket(self.bucket_name)
+        except google_exceptions.NotFound:
+            raise exceptions.GCloudError(1100, bucket_name=self.bucket_name)
+        except google_exceptions.Forbidden:
+            raise exceptions.GCloudError(1101, permissions='storage.buckets.get',
+                                         resource_name=self.bucket_name)
+
+    def init_db(self):
+        """Connect to the database and try to access the table. The database file and the table will be created if they
+         do not exist yet."""
+        self.db_connector = sqlite3.connect(self.db_path)
+        try:
+            self.db_connector.execute(self.sql_create_table.format(table_name=self.db_table_name), {
+                    'project_id': self.project_id,
+                    'bucket_name': self.bucket_name,
+                    'prefix': self.prefix
+                })
+        except sqlite3.OperationalError:
+            # The table already exist
+            pass
+
+    def process_data(self):
+        """Iterate over the contents of the bucket and process each blob contained.
+        As the 'list_blobs' function will always return the complete list of blobs contained in the bucket this function
+        checks if a particular file should be processed by taking into account the 'only_logs_after' and 'prefix', as
+        well as the creation time of each blob.
+
+        Returns
+        -------
+        int
+            Number of blobs processed.
+        """
+
+        try:
+            bucket_contents = self.bucket.list_blobs(prefix=self.prefix, delimiter='/')
+            processed_files = []
+            processed_messages = 0
+            new_creation_time = datetime.min.replace(tzinfo=pytz.UTC)
+
+            self.init_db()
+            last_creation_time = self._get_last_creation_time()
+            previous_processed_files = self._get_last_processed_files()
+
+            if self.reparse:
+                self.logger.info('Reparse Mode ON')
+
+            for blob in bucket_contents:
+                # Skip folders
+                if blob.name.endswith('/'):
+                    continue
+
+                current_creation_time = blob.time_created
+                comparison_date = self.only_logs_after if self.only_logs_after else self.default_date
+
+                if current_creation_time >= comparison_date:
+                    if (current_creation_time > last_creation_time) or \
+                            (current_creation_time == last_creation_time and blob.name not in previous_processed_files):
+                        self.logger.info(f'Processing {blob.name}')
+                        processed_messages += self.process_blob(blob)
+
+                        if current_creation_time > new_creation_time:
+                            processed_files.clear()
+                            new_creation_time = current_creation_time
+
+                        processed_files.append(blob)
+
+                    elif self.reparse:
+                        processed_messages += self.process_blob(blob)
+                        processed_files.append(blob)
+
+                    else:
+                        self.logger.info(f'Skipping previously processed file: {blob.name}')
+
+                else:
+                    self.logger.info(f'The creation time of {blob.name} is older than {comparison_date}. '
+                                     f'Skipping it...')
+
+        finally:
+            # Ensure the changes are committed to the database even if an exception was raised
+            if self.db_connector:
+                self._update_last_processed_files(processed_files)
+                self.db_connector.commit()
+                self.db_connector.close()
+        return processed_messages
+
+    def load_information_from_file(self, msg: str):
+        raise NotImplementedError
+
+    def process_blob(self, blob):
+        """Format every event obtained from `load_information_from_file` and send them to Analysisd. If the
+        `delete_file` was used the blob will be removed from the bucket after being processed.
+
+        Parameters
+        ----------
+        blob : google.cloud.storage.blob.Blob
+            A blob object obtained from the bucket.
+        Returns
+        -------
+        int
+            Number of events processed.
+        """
+        num_events = 0
+        try:
+            events = self.load_information_from_file(blob.download_as_text())
+            if len(events) > 0:
+                with self.initialize_socket():
+                    for event in events:
+                        self.send_msg(self.format_msg(dumps(event)))
+                        num_events += 1
+            if self.delete_file:
+                self.bucket.delete_blob(blob.name)
+        except google_exceptions.NotFound:
+            self.logger.warning(f'Unable to find "{blob.name}" in {self.bucket_name}')
+
+        return num_events
diff --git a/src/modules/gcp/scripts/exceptions.py b/src/modules/gcp/scripts/exceptions.py
new file mode 100644
index 0000000000..b44ee6f3c2
--- /dev/null
+++ b/src/modules/gcp/scripts/exceptions.py
@@ -0,0 +1,124 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""This module contains the different exceptions that could be raised
+   by the Gcloud package.
+"""
+
+import tools
+
+
+UNKNOWN_ERROR_ERRCODE = 999
+
+
+class WazuhIntegrationException(Exception):
+    """Class that represents an exception for the Wazuh external integrations.
+
+    Parameters
+    ----------
+    error : int
+        Error key.
+    kwargs : str
+        Values of the error message that should be substituted.
+    """
+    def __init__(self, errcode: int, **kwargs):
+        self._errcode = errcode
+        info = self.__class__.ERRORS[errcode]
+        self._message = info['message'].format(**kwargs) if kwargs else \
+            info['message']
+        self._key = info['key']
+        super().__init__(f'{self.key}: {self.message}')
+
+    @property
+    def errcode(self):
+        return self._errcode
+
+    @property
+    def key(self):
+        return self._key
+
+    @property
+    def message(self):
+        return self._message
+
+
+class WazuhIntegrationInternalError(WazuhIntegrationException):
+    """Class that represents a critical exception for the Wazuh external integrations."""
+    ERRORS = {
+        # 1-99 -> Internal errors
+        1: {
+            'key': 'GCloudWazuhNotRunning',
+            'message': 'Wazuh must be running'
+        },
+        2: {
+            'key': 'GCloudSocketError',
+            'message': 'Error initializing {socket_path} socket'
+        },
+        3: {
+            'key': 'GCloudSocketSendError',
+            'message': 'Error sending event to Wazuh'
+        },
+    }
+
+class GCloudError(WazuhIntegrationException):
+    """Class that represents an error of the GCloud package."""
+    ERRORS = {
+        # 1000-1099 General errors
+        1000: {
+            'key': 'GCloudCredentialsStructureError',
+            'message': "The '{credentials_file}' credentials file doesn't have the required structure"},
+        1001: {
+            'key': 'GCloudCredentialsNotFoundError',
+            'message': "The '{credentials_file}' file doesn't exist"},
+        1002: {
+            'key': 'GCloudIntegrationTypeError',
+            'message': 'Unsupported gcloud integration type: "{integration_type}".' f'The supported types are {*tools.valid_types,}'},
+        1003: {
+            'key': 'GCloudImportError',
+            'message': "The '{package}' module is required"},
+
+        # 1100-1199 -> GCP Bucket errors
+        1100: {
+            'key': 'GCloudBucketNotFound',
+            'message': "The bucket '{bucket_name}' does not exist"},
+        1101: {
+            'key': 'GCloudBucketForbidden',
+            'message': "The Service Account provided does not have {permissions} permissions to access the '{resource_name}' bucket or it does not exist in the account"},
+        1102: {
+            'key': 'GCloudBucketNumThreadsError',
+            'message': 'The parameter -t/--num_threads only works with the Pub/Sub module.'},
+        1103: {
+            'key': 'GCloudBucketNameError',
+            'message': 'The name of the bucket is required. Use -b <BUCKET_NAME> to specify it.'},
+        1104: {
+            'key': 'GCloudBucketLastProcessedFilesError',
+            'message': 'Database error trying to get the last processed files for table_name={table_name}, project_id={project_id}, bucket_name={bucket_name}, prefix={prefix}'},
+
+        # 1200-1299 -> Pub/Sub errors
+        1200: {
+            'key': 'GCloudPubSubNoSubscriptionID',
+            'message': 'A subscription ID is required. Use -s <SUBSCRIPTION ID> to specify it.'},
+        1201: {
+            'key': 'GCloudPubSubNoProjectID',
+            'message': 'A project ID is required. Use -p <PROJECT ID> to specify it.'},
+        1202: {
+            'key': 'GCloudPubSubNumThreadsError',
+            'message': f'The minimum number of threads is {tools.min_num_threads}. Please check your configuration.'},
+        1203: {
+            'key':
+            'GCloudPubSubNumMessagesError', 'message': f'The minimum number of messages is {tools.min_num_messages}. Please check your configuration.'},
+        1204: {
+            'key': 'GCloudPubSubSubscriptionError',
+            'message': "The '{subscription}' subscription is incorrect or the user credentials are not valid"},
+        1205: {
+            'key': 'GCloudPubSubProjectError',
+            'message': "The '{project}' project ID is incorrect or the user does not have permissions to access to it"},
+        1206: {
+            'key': 'GCloudPubSubForbidden',
+            'message': "The client does not have the {permissions} required permissions"}
+    }
+
+
+
diff --git a/src/modules/gcp/scripts/gcloud.py b/src/modules/gcp/scripts/gcloud.py
new file mode 100644
index 0000000000..e0687714bf
--- /dev/null
+++ b/src/modules/gcp/scripts/gcloud.py
@@ -0,0 +1,115 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""This module processes events from Google Cloud PubSub service and GCS Buckets."""
+
+import tools
+import exceptions
+from sys import exit
+from os import cpu_count
+from buckets.access_logs import GCSAccessLogs
+from pubsub.subscriber import WazuhGCloudSubscriber
+from concurrent.futures import ThreadPoolExecutor
+
+
+def main():
+    logger = tools.get_stdout_logger(tools.logger_name)
+
+    try:
+        # get script arguments
+        arguments = tools.get_script_arguments()
+        logger.setLevel(arguments.log_level)
+        credentials_file = arguments.credentials_file
+        log_level = arguments.log_level
+        num_processed_messages = 0
+
+        if arguments.integration_type == "pubsub":
+            logger.info("Working with Google Cloud Pub/Sub")
+            if arguments.subscription_id is None:
+                raise exceptions.GCloudError(1200)
+            if arguments.project is None:
+                raise exceptions.GCloudError(1201)
+
+            project = arguments.project
+            subscription_id = arguments.subscription_id
+            max_messages = arguments.max_messages
+            n_threads = arguments.n_threads
+
+            try:
+                max_threads = cpu_count() * 5
+            except TypeError:
+                max_threads = 5
+
+            if n_threads > max_threads:
+                n_threads = max_threads
+                logger.warning(f'Reached maximum number of threads. Truncating to {max_threads}.')
+            if n_threads < tools.min_num_threads:
+                raise exceptions.GCloudError(1202)
+            if max_messages < tools.min_num_messages:
+                raise exceptions.GCloudError(1203)
+
+            logger.debug(f"Setting {n_threads} thread{'s' if n_threads > 1 else ''} to pull {max_messages}"
+                         f" message{'s' if max_messages > 1 else ''} in total")
+
+            # process messages
+            with ThreadPoolExecutor() as executor:
+                futures = []
+
+                # check permissions
+                subscriber_client = WazuhGCloudSubscriber(credentials_file, project, logger, subscription_id)
+                logger.debug("Checking credentials")
+                subscriber_client.check_permissions()
+                messages_per_thread = max_messages // n_threads
+                remaining_messages = max_messages % n_threads
+                futures.append(executor.submit(subscriber_client.process_messages, messages_per_thread + remaining_messages))
+
+                if messages_per_thread > 0:
+                    for _ in range(n_threads - 1):
+                        client = WazuhGCloudSubscriber(credentials_file, project, logger, subscription_id)
+                        futures.append(executor.submit(client.process_messages, messages_per_thread))
+
+            num_processed_messages = sum([future.result() for future in futures])
+
+        elif arguments.integration_type == "access_logs":
+            logger.info("Working with Google Cloud Access Logs")
+            if not arguments.bucket_name:
+                raise exceptions.GCloudError(1103)
+
+            f_kwargs = {"bucket_name": arguments.bucket_name,
+                        "prefix": arguments.prefix,
+                        "delete_file": arguments.delete_file,
+                        "only_logs_after": arguments.only_logs_after,
+                        "reparse": arguments.reparse}
+            integration = GCSAccessLogs(arguments.credentials_file, logger, **f_kwargs)
+            logger.debug("Checking credentials")
+            integration.check_permissions()
+            num_processed_messages = integration.process_data()
+
+        else:
+            raise exceptions.GCloudError(1002, integration_type=arguments.integration_type)
+
+    except exceptions.WazuhIntegrationException as gcloud_exception:
+        logging_func = logger.critical if \
+            isinstance(gcloud_exception, exceptions.WazuhIntegrationInternalError) else \
+            logger.error
+
+        logging_func(f'An exception happened while running the wodle: {gcloud_exception}', exc_info=log_level == 1)
+        exit(gcloud_exception.errcode)
+
+    except Exception as e:
+        logger.critical(f'Unknown error: {e}', exc_info=True)
+        exit(exceptions.UNKNOWN_ERROR_ERRCODE)
+
+    else:
+        logger.info(f'Received {"and acknowledged " if arguments.integration_type == "pubsub" else ""}'
+                    f'{num_processed_messages} message{"s" if num_processed_messages != 1 else ""}')
+        exit(0)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/modules/gcp/scripts/integration.py b/src/modules/gcp/scripts/integration.py
new file mode 100644
index 0000000000..f78d3d0bd5
--- /dev/null
+++ b/src/modules/gcp/scripts/integration.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""This module contains tools for processing events from a Google Cloud subscription."""  # noqa: E501
+
+import logging
+import socket
+from sys import path
+from os.path import dirname, abspath
+path.insert(0, dirname(dirname(abspath(__file__))))
+import exceptions
+from utils import ANALYSISD, MAX_EVENT_SIZE
+
+
+class WazuhGCloudIntegration:
+    """Class for sending events from Google Cloud to Wazuh."""
+
+    header = '1:Wazuh-GCloud:'
+    key_name = 'gcp'
+
+    def __init__(self, logger: logging.Logger):
+        """Instantiate a WazuhGCloudIntegration object.
+
+        Parameters
+        ----------
+        logger: logging.Logger
+            The logger that will be used to send messages to stdout.
+        """
+        self.logger = logger
+        self.socket = None
+
+    def check_permissions(self):
+        raise NotImplementedError
+
+    def format_msg(self, msg: str) -> str:
+        """Format a message.
+
+        Parameters
+        ----------
+        msg : str
+            Message to be formatted.
+
+        Returns
+        -------
+        str
+            The formatted message.
+        """
+        # Insert msg as value of self.key_name key.
+        return f'{{"integration": "gcp", "{self.key_name}": {msg}}}'
+
+    def initialize_socket(self):
+        """Initialize a socket and connect it to an address.
+
+        Returns
+        -------
+        socket
+            The initialized socket to be able to use it as a context manager.
+
+        Raises
+        ------
+        exceptions.WazuhIntegrationInternalError
+            If the socket is unable to establish a connection or send a message
+             to analysisd.
+        """
+        try:
+            self.socket = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+            self.socket.connect(ANALYSISD)
+            return self.socket
+        except ConnectionRefusedError:
+            raise exceptions.WazuhIntegrationInternalError(1)
+        except OSError:
+            raise exceptions.WazuhIntegrationInternalError(2, socket_path=ANALYSISD)
+
+    def process_data(self):
+        raise NotImplementedError
+
+    def send_msg(self, msg: str):
+        """Send an event to the Wazuh queue.
+
+        Parameters
+        ----------
+        msg : str
+            Event to be sent.
+
+        Raises
+        ------
+        exceptions.WazuhIntegrationInternalError
+            If the socket is unable to send the message to analysisd.
+        """
+        event_json = f'{self.header}{msg}'.encode(errors='replace')
+
+        # Logs warning if event is bigger than max size
+        if len(event_json) > MAX_EVENT_SIZE:
+            logging.warning(f"WARNING: Event size exceeds the maximum allowed limit of {MAX_EVENT_SIZE} bytes.")
+
+        self.logger.debug(f'Sending msg to analysisd: "{event_json}"')
+        try:
+            self.socket.send(event_json)
+        except OSError:
+            raise exceptions.WazuhIntegrationInternalError(3)
diff --git a/src/modules/gcp/scripts/pubsub/subscriber.py b/src/modules/gcp/scripts/pubsub/subscriber.py
new file mode 100644
index 0000000000..bc3bbd8264
--- /dev/null
+++ b/src/modules/gcp/scripts/pubsub/subscriber.py
@@ -0,0 +1,172 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+import logging
+from os.path import abspath, dirname
+from sys import path
+from json import JSONDecodeError
+
+path.insert(0, dirname(dirname(dirname(abspath(__file__)))))
+import exceptions
+from integration import WazuhGCloudIntegration
+
+
+try:
+    from google.cloud import pubsub_v1 as pubsub
+    import google.api_core.exceptions
+except ImportError as e:
+    raise exceptions.GCloudError(errcode=1003, package=e.name)
+
+
+class WazuhGCloudSubscriber(WazuhGCloudIntegration):
+    """Class for sending events from Google Cloud to Wazuh."""
+
+    def __init__(self, credentials_file: str, project: str, logger: logging.Logger, subscription_id: str):
+        """Instantiate a WazuhGCloudSubscriber object.
+
+        Parameters
+        ----------
+        credentials_file : str
+            Path to credentials file.
+        project : str
+            Project name.
+        subscription_id : str
+            Subscription ID.
+        logger: logging.Logger
+            The logger that will be used to send messages to stdout.
+
+        Raises
+        ------
+        exceptions.GCloudError
+            If the credentials file doesn't exist or have a wrong structure.
+        """
+        super().__init__(logger)
+
+        # get subscriber
+        try:
+            self.subscriber = self.get_subscriber_client(credentials_file)
+            self.subscription_path = self.get_subscription_path(project, subscription_id)
+        except JSONDecodeError as error:
+            raise exceptions.GCloudError(1000, credentials_file=credentials_file) from error
+        except FileNotFoundError as error:
+            raise exceptions.GCloudError(1001, credentials_file=credentials_file) from error
+
+    @staticmethod
+    def get_subscriber_client(credentials_file: str) -> pubsub.subscriber.Client:
+        """Get a subscriber client.
+
+        Parameters
+        ----------
+        credentials_file : str
+            Path to credentials file.
+
+        Returns
+        -------
+        pubsub.subscriber.Client
+            Instance of subscriber client object created with the provided key.
+        """
+        return pubsub.subscriber.Client.from_service_account_file(credentials_file)  # noqa: E501
+
+    def get_subscription_path(self, project: str, subscription_id: str) -> str:
+        """Get the subscription path.
+
+        Parameters
+        ----------
+        project : str
+            Project name.
+        subscription_id : str
+            Subscription ID.
+
+        Returns
+        -------
+        str
+            String with the subscription path.
+        """
+        return self.subscriber.subscription_path(project, subscription_id)
+
+    def check_permissions(self):
+        """
+        Check if permissions are OK for executing the wodle.
+
+        Raises
+        ------
+        exceptions.GCloudError
+            If the parameters or credentials are invalid.
+        """
+        required_permissions = {'pubsub.subscriptions.consume'}
+        try:
+            response = self.subscriber.test_iam_permissions(
+                request={'resource': self.subscription_path,
+                         'permissions': required_permissions})
+
+        except google.api_core.exceptions.NotFound as e:
+            if 'project not found or user does not have access' in e.message:
+                raise exceptions.GCloudError(1205, project=self.subscription_path.split('/')[1])
+            else:
+                raise exceptions.GCloudError(1204, subscription=self.subscription_path.split('/')[-1])
+
+        if required_permissions.difference(response.permissions) != set():
+            raise exceptions.GCloudError(1206, permissions=required_permissions.difference(response.permissions))
+
+    def pull_request(self, max_messages: int) -> int:
+        """Make request for pulling messages from the subscription and acknowledge them.
+
+        Parameters
+        ----------
+        max_messages: int
+            Maximum number of messages to retrieve.
+
+        Returns
+        -------
+        int
+            Number of messages received and acknowledged.
+        """
+        try:
+            response = self.subscriber.pull(
+                request={'subscription': self.subscription_path,
+                         'max_messages': max_messages}
+            )
+        except google.api_core.exceptions.DeadlineExceeded:
+            self.logger.warning('Deadline exceeded when pulling messages. No more messages will be retrieved on this '
+                                'execution')
+            return 0
+
+        ack_ids = []
+        for received_message in response.received_messages:
+            formatted_message = self.format_msg(received_message.message.data.decode(errors='replace'))
+            self.logger.debug(f'Processing event: {formatted_message}')
+            ack_ids.append(received_message.ack_id)
+            self.send_msg(formatted_message)
+
+        ack_ids and self.subscriber.acknowledge(
+            request={'subscription': self.subscription_path, 'ack_ids': ack_ids}
+        )
+
+        return len(response.received_messages)
+
+    def process_messages(self, max_messages: int = 100) -> int:
+        """Process the available messages in the subscription.
+
+        Parameters
+        ----------
+        max_messages: int
+            Maximum number of messages to retrieve.
+
+        Returns
+        -------
+        int
+            Number of messages processed.
+        """
+        with self.subscriber, self.initialize_socket():
+            processed_messages = 0
+            pulled_messages = self.pull_request(max_messages)
+            while pulled_messages > 0 and processed_messages < max_messages:
+                processed_messages += pulled_messages
+                # get more messages
+                if processed_messages < max_messages:
+                    pulled_messages = self.pull_request(max_messages - processed_messages)
+        return processed_messages
diff --git a/src/modules/gcp/scripts/pytest.ini b/src/modules/gcp/scripts/pytest.ini
new file mode 100644
index 0000000000..40880458c7
--- /dev/null
+++ b/src/modules/gcp/scripts/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+asyncio_mode=auto
diff --git a/src/modules/gcp/scripts/requirements.txt b/src/modules/gcp/scripts/requirements.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/gcp/scripts/tests/data/access_logs.log b/src/modules/gcp/scripts/tests/data/access_logs.log
new file mode 100644
index 0000000000..80898fe768
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/data/access_logs.log
@@ -0,0 +1,2 @@
+Field_1,Field 2,Field-3,Field4
+Field_1_value,Field 2_value,Field-3_value,Field4_value
diff --git a/src/modules/gcp/scripts/tests/data/invalid_credentials_file.json b/src/modules/gcp/scripts/tests/data/invalid_credentials_file.json
new file mode 100644
index 0000000000..3a81882aa8
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/data/invalid_credentials_file.json
@@ -0,0 +1,5 @@
+{
+  "type",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509"
+}
diff --git a/src/modules/gcp/scripts/tests/data/testing_database.sql b/src/modules/gcp/scripts/tests/data/testing_database.sql
new file mode 100644
index 0000000000..38202b6541
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/data/testing_database.sql
@@ -0,0 +1,15 @@
+PRAGMA foreign_keys=OFF;
+BEGIN TRANSACTION;
+CREATE TABLE test_table (
+    project_id 'text' NOT NULL,
+    bucket_name 'text' NOT NULL,
+    prefix 'text' NULL,
+    blob_name 'text' NOT NULL,
+    creation_time 'text' NOT NULL,
+    PRIMARY KEY (project_id, bucket_name, prefix, blob_name)
+);
+INSERT INTO test_table VALUES('project_123', 'test_bucket', '', 'blob_file_1', '2021-01-01 12:00:00.123456Z');
+INSERT INTO test_table VALUES('project_123', 'test_bucket', '', 'blob_file_2', '2021-01-01 12:00:00.123456Z');
+INSERT INTO test_table VALUES('project_123', 'test_bucket_2', '', 'blob_file_1', '2021-01-01 12:00:00.123456Z');
+INSERT INTO test_table VALUES('project_123', 'test_bucket_2', '', 'blob_file_2', '2021-01-01 12:00:00.123456Z');
+COMMIT;
diff --git a/src/modules/gcp/scripts/tests/test_bucket.py b/src/modules/gcp/scripts/tests/test_bucket.py
new file mode 100644
index 0000000000..85db948d68
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/test_bucket.py
@@ -0,0 +1,478 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""Unit tests for bucket module."""
+
+import json
+import os
+import sqlite3
+import sys
+from datetime import datetime
+from logging import Logger
+from unittest.mock import MagicMock
+from unittest.mock import call, patch
+
+import pytest
+import pytz
+from google.api_core import exceptions as google_exceptions
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))  # noqa: E501
+import exceptions
+from buckets.access_logs import GCSAccessLogs
+from buckets.bucket import WazuhGCloudBucket
+
+
+BUCKET_ATTRIBUTES = ['bucket_name', 'bucket', 'client', 'project_id', 'prefix', 'delete_file', 'only_logs_after',
+                     'db_connector', 'datetime_format']
+TABLE_COLUMNS = ["project_id", "bucket_name", "prefix", "blob_name", "creation_time"]
+TEST_TABLE_NAME = "test_table"
+TEST_BUCKET_NAME = "test_bucket"
+TEST_PROJECT_ID = "project_123"
+TEST_BLOB_LIST = ["test_blob_1", "test_blob_2"]
+TEST_BLOB_LIST_WITH_FOLDER = ['blob_1', 'blob_2', 'folder/']
+
+data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data/')
+SQL_FILE = "testing_database.sql"
+
+
+@pytest.fixture(scope='function')
+def clean_shared_cache():
+    """Drop any table present in the cached database before and after the test."""
+    _drop_all_tables()
+    yield
+    _drop_all_tables()
+
+
+def _drop_all_tables():
+    """List and drop every user table."""
+    db_connector = sqlite3.connect('file::memory:?cache=shared', uri=True)
+    table_names = get_all_table_names(db_connector)
+    for table in table_names:
+        db_connector.execute(f"DROP TABLE {table};")
+    db_connector.close()
+
+
+def get_wodle_config(credentials_file: str = "credentials.json", logger: Logger = None,
+                     bucket_name: str = "test_bucket", prefix: str = "", delete_file: bool = False,
+                     only_logs_after: str = None, reparse: bool = False) -> dict:
+    """Return a dict containing every parameter supported by WazuhGCloudBucket. Used to simulate different ossec.conf
+    configurations.
+
+    Parameters
+    ----------
+    credentials_file : str
+        Path to credentials file.
+    logger: logging.Logger
+        The logger that will be used to send messages to stdout.
+    bucket_name : str
+        Name of the bucket to read the logs from.
+    prefix : prefix
+        Expected prefix for the logs. It can be used to specify the relative path where the logs are stored.
+    delete_file : bool
+        Indicate whether blobs should be deleted after being processed.
+    only_logs_after : datetime
+        Date after which obtain logs.
+    reparse : bool
+        Whether to parse already parsed logs or not
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their values
+    """
+    return {'credentials_file': credentials_file, 'logger': logger if logger else MagicMock(),
+            'bucket_name': bucket_name, 'prefix': prefix, 'delete_file': delete_file, 'reparse': reparse,
+            'only_logs_after': only_logs_after.replace(tzinfo=pytz.UTC) if only_logs_after else None}
+
+
+def get_num_rows(db_connector: sqlite3.Connection, table_name: str) -> int:
+    """Get the row count for the given table_name.
+
+    Parameters
+    ----------
+    db_connector : sqlite3.Connection
+        The connector used to execute the query.
+    table_name : str
+        The name of the table to count the rows.
+
+    Returns
+    -------
+    int
+        The row count for the given table.
+    """
+    return db_connector.execute(f"SELECT count(*) FROM {table_name}").fetchone()[0]
+
+
+def get_blobs_in_database(db_connector, table_name, bucket_name, project_id, prefix) -> list[str]:
+    """List the blobs available for the given parameters.
+
+    Parameters
+    ----------
+    db_connector : sqlite3.Connection
+        The connector used to execute the query.
+    table_name : str
+        The name of the table to list the blobs.
+    bucket_name : str
+        The name of the table to list the blobs.
+    project_id : str
+        The name of the project for a pubsub integration
+    prefix : prefix
+        Expected prefix for the logs. It can be used to specify the relative path where the logs are stored.
+
+    Returns
+    -------
+    list[str]
+        List of blob names.
+    """
+    rows = db_connector.execute(f"SELECT blob_name FROM {table_name} where "
+                                f"bucket_name='{bucket_name}' and "
+                                f"project_id='{project_id}' and "
+                                f"prefix='{prefix}'").fetchall()
+    return [row[0] for row in rows]
+
+
+def get_all_table_names(db_connector) -> list[str]:
+    """List all tables present in the database.
+
+    Parameters
+    ----------
+    db_connector : sqlite3.Connection
+        The connector used to execute the query.
+
+    Returns
+    -------
+    list[str]
+        List of table names.
+    """
+    table_list = db_connector.execute(
+        "SELECT name FROM sqlite_master WHERE type ='table' AND name NOT LIKE 'sqlite_%';"
+    ).fetchall()
+    return [table[0] for table in table_list]
+
+
+def create_mocked_blob(blob_name: str, creation_time: datetime = None):
+    """Return a fake blob with name and creation time.
+
+    Parameters:
+    ----------
+    blob_name : str
+        The name of the fake blob.
+    creation_time : str
+        The creation time of the fake blob. datetime.now() will be used if no creation_time is provided.
+
+    Returns
+    -------
+    MagicMock
+         A fake blob
+    """
+    blob = MagicMock()
+    blob.name = blob_name
+    blob.time_created = creation_time if creation_time else datetime.now()
+    blob.time_created = blob.time_created.replace(tzinfo=pytz.UTC)
+    return blob
+
+
+def create_custom_database():
+    """Create a custom database in memory without cache."""
+    memory_db = sqlite3.connect(':memory:')
+    with open(os.path.join(data_path, SQL_FILE)) as f:
+        memory_db.cursor().executescript(f.read())
+    return memory_db
+
+
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket__init__(mock_client):
+    """Test if an instance of WazuhGCloudBucket is created properly."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    for attribute in BUCKET_ATTRIBUTES:
+        assert hasattr(bucket, attribute)
+
+
+@pytest.mark.parametrize('credentials_file, errcode', [
+    ('un-existent_file', 1001),
+    ('invalid_credentials_file.json', 1000)
+])
+def test_WazuhGCloudBucket__init__ko(credentials_file, errcode):
+    """Test that the appropriate exceptions are raised when the WazuhGCloudBucket constructor is called with
+    invalid parameters."""
+    with pytest.raises(exceptions.GCloudError) as e:
+        WazuhGCloudBucket(**get_wodle_config(credentials_file=os.path.join(data_path, credentials_file)))
+    assert e.value.errcode == errcode
+
+
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_init_db(mock_client, clean_shared_cache):
+    """Test init_db creates the database with the expected tables with valid structures."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    bucket.db_table_name = TEST_TABLE_NAME
+    # Set database in memory using cache
+    with patch('buckets.bucket.sqlite3.connect', return_value=sqlite3.connect('file::memory:?cache=shared', uri=True)):
+        bucket.init_db()
+        # Call init again to force an operational error because the table already exists. Execution must continue.
+        bucket.init_db()
+    
+    # Check there is only one table, and it has the expected name
+    table_list = get_all_table_names(bucket.db_connector)
+    assert len(table_list) == 1
+    assert table_list[0] == TEST_TABLE_NAME
+
+    # Check the table has the expected 
+    table_columns = bucket.db_connector.execute(f"SELECT * FROM {TEST_TABLE_NAME}").description
+    assert set([column[0] for column in table_columns]) == set(TABLE_COLUMNS)
+
+
+@pytest.mark.parametrize('project_id, expected_length', [(TEST_PROJECT_ID, 2), ("invalid_project_id", 0)])
+@patch('buckets.bucket.WazuhGCloudBucket.init_db')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_get_last_processed_files(mock_client, mock_db, project_id, expected_length):
+    """Test _get_last_processed_files returns the expected number of items."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    bucket.db_connector = create_custom_database()
+    bucket.db_table_name = TEST_TABLE_NAME
+    bucket.project_id = project_id
+    item_list = bucket._get_last_processed_files()
+    assert isinstance(item_list, list)
+    assert len(item_list) == expected_length
+
+
+@pytest.mark.parametrize('project_id, prefix, processed_files', [
+    (TEST_PROJECT_ID, "", []),
+    (TEST_PROJECT_ID, "", TEST_BLOB_LIST),
+    (TEST_PROJECT_ID, "prefix/", TEST_BLOB_LIST),
+    ("non-existent_project_id", "", TEST_BLOB_LIST),
+])
+@patch('buckets.bucket.WazuhGCloudBucket.init_db')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_update_last_processed_files(mock_client, mock_db, project_id, prefix,
+                                                       processed_files):
+    """Test _update_last_processed_files updates the database by adding and removing rows when required."""
+    bucket = WazuhGCloudBucket(**get_wodle_config(prefix=prefix))
+    bucket.db_connector = create_custom_database()
+    bucket.db_table_name = TEST_TABLE_NAME
+    bucket.project_id = project_id
+
+    # Initialize the blob list
+    blob_list = [create_mocked_blob(blob_name=name) for name in processed_files]
+
+    # Check database state before the call
+    row_count_before_test = get_num_rows(table_name=TEST_TABLE_NAME, db_connector=bucket.db_connector)
+    previous_processed_files = get_blobs_in_database(db_connector=bucket.db_connector, table_name=TEST_TABLE_NAME,
+                                                     bucket_name=TEST_BUCKET_NAME, project_id=bucket.project_id,
+                                                     prefix=prefix)
+
+    # Invoke the function we want to test
+    bucket._update_last_processed_files(processed_files=blob_list)
+
+    # Check database state after the call
+    row_count_after_test = get_num_rows(table_name=TEST_TABLE_NAME, db_connector=bucket.db_connector)
+    new_processed_files = get_blobs_in_database(db_connector=bucket.db_connector, table_name=TEST_TABLE_NAME,
+                                                bucket_name=TEST_BUCKET_NAME, project_id=bucket.project_id, prefix=prefix)
+
+    # Check that the integrity of the database has been preserved, with no uninvolved rows deleted
+    assert row_count_after_test == row_count_before_test + (len(new_processed_files) - len(previous_processed_files))
+
+    # Check the blobs stored in the database for the last processed files are the expected ones
+    if processed_files:
+        assert len(new_processed_files) == len(processed_files)
+        assert set(new_processed_files) == set(processed_files)
+    else:
+        assert set(previous_processed_files) == set(new_processed_files)
+
+
+@patch('buckets.bucket.WazuhGCloudBucket.init_db')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_update_last_processed_files_ko(mock_client, mock_db):
+    """Test _update_last_processed_files does not remove any row when an exception is raised."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    bucket.db_connector = create_custom_database()
+    bucket.db_table_name = TEST_TABLE_NAME
+    bucket.project_id = TEST_PROJECT_ID
+
+    # Initialize the blob list
+    blob_list = [create_mocked_blob(blob_name=name) for name in TEST_BLOB_LIST]
+
+    # Check database state before the call
+    row_count_before_test = get_num_rows(table_name=TEST_TABLE_NAME, db_connector=bucket.db_connector)
+
+    # Replace the deletion query before invoking the function to ensure the deletion process fails
+    bucket.sql_delete_processed_files = "invalid query"
+    bucket._update_last_processed_files(processed_files=blob_list)
+
+    # Check database state after the call
+    row_count_after_test = get_num_rows(table_name=TEST_TABLE_NAME, db_connector=bucket.db_connector)
+    assert row_count_before_test == row_count_after_test - len(TEST_BLOB_LIST)
+
+
+@pytest.mark.parametrize('project_id, expected_result', [("project_123", 2), ("invalid_project_id", 0)])
+@patch('buckets.bucket.WazuhGCloudBucket.init_db')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_get_last_creation_time(mock_client, mock_db, project_id, expected_result):
+    """Test _get_last_creation_time always returns a datetime object."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    bucket.db_connector = create_custom_database()
+    bucket.db_table_name = TEST_TABLE_NAME
+    bucket.project_id = project_id
+    item_list = bucket._get_last_creation_time()
+    assert isinstance(item_list, datetime)
+
+
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+@pytest.mark.parametrize('google_exception, errcode', [
+    (google_exceptions.NotFound, 1100),
+    (google_exceptions.Forbidden, 1101)
+])
+def test_WazuhGCloudBucket_check_permissions(mock_client, google_exception, errcode):
+    """Test check_permissions raises the expected exceptions when the user doesn't have the required permissions."""
+    mock_client.get_bucket.side_effect = google_exception("placeholder")
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    bucket.client = mock_client
+    with pytest.raises(exceptions.GCloudError) as e:
+        bucket.check_permissions()
+    assert e.value.errcode == errcode
+
+
+@patch('buckets.bucket.WazuhGCloudBucket.init_db')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+@pytest.mark.parametrize('prefix, blob_creation_time, only_logs_after, last_creation_time, reparse, message_per_blob, total_messages', [
+    # Every blob will be skipped because of comparison_date
+    ('', datetime(2022, 1, 1, 12, 00, 00, 0), None, datetime.min, False, 100, 0),
+    ('prefix/', datetime(2022, 1, 1, 12, 00, 00, 0), None, datetime.min, False, 100, 0),
+    # Every blob will be processed. Only the last blob will be stored in processed_files
+    ('', None, datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 200),
+    ('prefix/', None, datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 200),
+    # Every blob will be processed. Every blob will be stored in processed_files
+    ('', datetime(2022, 12, 31, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 200),
+    ('prefix/', datetime(2022, 12, 31, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 200),
+    # Every blob will be processed because of the reparse option
+    ('', datetime(2022, 1, 1, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime(9999, 1, 1, 12, 00, 00, 0), True, 100, 200),
+    ('prefix/', datetime(2022, 1, 1, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime(9999, 1, 1, 12, 00, 00, 0), True, 100, 200),
+    # Every blob will be skipped as they are considered already processed because of the last_creation_time
+    ('', datetime(2022, 1, 1, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime(9999, 1, 1, 12, 00, 00, 0), False, 100, 0),
+    ('prefix/', datetime(2022, 1, 1, 12, 00, 00, 0), datetime(2022, 1, 1, 12, 00, 00, 0), datetime(9999, 1, 1, 12, 00, 00, 0), False, 100, 0),
+    # Every blob will be skipped because they are old
+    ('', datetime.min, datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 0),
+    ('prefix/', datetime.min, datetime(2022, 1, 1, 12, 00, 00, 0), datetime.min, False, 100, 0)
+])
+def test_WazuhGCloudBucket_process_data(mock_client, mock_init_db, prefix, blob_creation_time,
+                                        only_logs_after, last_creation_time, reparse, message_per_blob, total_messages):
+    """Test process_data ignore or process the different blobs taking into account only_logs_after, creation dates and
+    already processed files."""
+    bucket = WazuhGCloudBucket(**get_wodle_config(prefix=prefix, only_logs_after=only_logs_after, reparse=reparse))
+    bucket.db_table_name = TEST_TABLE_NAME
+    blob_list = [create_mocked_blob(blob_name=name, creation_time=blob_creation_time) for name in TEST_BLOB_LIST_WITH_FOLDER]
+    filtered_blob_list = [blob for blob in blob_list if not blob.name.endswith('/')]
+
+    # Setup mocks
+    mock_db_connector = MagicMock()
+    mock_update_last_processed_files = MagicMock()
+    mock_bucket = MagicMock()
+    mock_bucket.list_blobs.return_value = blob_list
+    mock_process_blob = MagicMock(return_value=message_per_blob)
+    mock_last_creation_time = MagicMock(return_value=last_creation_time.replace(tzinfo=pytz.UTC))
+
+    # Apply mocks
+    bucket.bucket = mock_bucket
+    bucket.process_blob = mock_process_blob
+    bucket.db_connector = mock_db_connector
+    bucket._update_last_processed_files = mock_update_last_processed_files
+    bucket._get_last_creation_time = mock_last_creation_time
+
+    # Call the function we want to test
+    processed_messages = bucket.process_data()
+
+    # Assert mocks
+    mock_bucket.list_blobs.assert_called_with(prefix=prefix, delimiter='/')
+    mock_init_db.assert_called_once()
+
+    if blob_creation_time and not only_logs_after:
+        # The creation time of blob is older than the only_logs_after value. They should be skipped.
+        mock_process_blob.assert_not_called()
+        mock_update_last_processed_files.assert_called_with([])
+    elif not blob_creation_time and only_logs_after:
+        # The blobs don't share the same creation time.
+        # Every blob should be processed, but only the last one should be stored in the last_processed_files
+        mock_process_blob.assert_has_calls([call(blob) for blob in filtered_blob_list])
+        mock_update_last_processed_files.assert_called_with(filtered_blob_list[-1:])
+    elif blob_creation_time > only_logs_after or reparse:
+        # The blobs share the same creation time. They should be processed because of their creation time or reparse
+        mock_process_blob.assert_has_calls([call(blob) for blob in filtered_blob_list])
+        mock_update_last_processed_files.assert_called_with(filtered_blob_list)
+    else:
+        # The blobs share the same creation time, but it's older than the only_logs_after value and there is no reparse
+        mock_process_blob.assert_not_called()
+        mock_update_last_processed_files.assert_called_with([])
+
+    mock_db_connector.commit.assert_called_once()
+    mock_db_connector.close.assert_called_once()
+    assert processed_messages == total_messages
+
+
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_load_information_from_file(mock_client):
+    """Test load_information_from_file is not implemented for this base class."""
+    bucket = WazuhGCloudBucket(**get_wodle_config())
+    with pytest.raises(NotImplementedError):
+        bucket.load_information_from_file('')
+
+
+@patch('buckets.access_logs.GCSAccessLogs.send_msg')
+@patch('buckets.access_logs.GCSAccessLogs.initialize_socket')
+@patch('buckets.access_logs.GCSAccessLogs.load_information_from_file')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+@pytest.mark.parametrize('delete_file', [False, True])
+def test_WazuhGCloudBucket_process_blob(mock_client, mock_load_information, mock_socket, mock_send_msg, delete_file):
+    """Test process_blob sends formatted messages to the socket and request blob deletion if required."""
+    num_events = 100
+    mock_load_information.return_value = [f"event {i}" for i in range(num_events)]
+    bucket = GCSAccessLogs(**get_wodle_config(delete_file=delete_file))
+    bucket.db_table_name = TEST_TABLE_NAME
+    bucket.bucket = MagicMock()
+    num_messages_sent = bucket.process_blob(create_mocked_blob("blob"))
+    mock_send_msg.assert_has_calls([call(bucket.format_msg(json.dumps(msg))) for msg in mock_load_information()])
+    assert num_messages_sent == num_events
+    if delete_file:
+        bucket.bucket.delete_blob.assert_called_with("blob")
+
+
+@patch('buckets.access_logs.GCSAccessLogs.load_information_from_file')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_WazuhGCloudBucket_process_blob_ko(mock_client, mock_load_information):
+    """Test process_blob handles exceptions as expected."""
+    mock_load_information.side_effect = google_exceptions.NotFound("")
+    bucket = GCSAccessLogs(**get_wodle_config())
+    num_messages_sent = bucket.process_blob(create_mocked_blob("blob"))
+    assert num_messages_sent == 0
+
+
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_GCSAccessLogs__init__(mock_client):
+    """Test if an instance of GCSAccessLogs is created properly."""
+    bucket = GCSAccessLogs(**get_wodle_config())
+    for attribute in BUCKET_ATTRIBUTES:
+        assert hasattr(bucket, attribute)
+    assert bucket.db_table_name == "access_logs"
+
+
+@pytest.mark.parametrize('file_path', [os.path.join(data_path, "access_logs.log")])
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+def test_GSCAccessLogs_load_information_from_file(mock_client, file_path):
+    """Test load_information_from_file process files with the expected format and returns valid events."""
+    contents = None
+    header = None
+    with open(file_path) as f:
+        contents = f.read()
+        f.seek(0, 0)
+        header = f.readline().rstrip()
+    header = header.split(",")
+    header.append("source")
+    bucket = GCSAccessLogs(**get_wodle_config())
+    for event in bucket.load_information_from_file(contents):
+        keys = event.keys()
+        assert set(header) == set(keys)
+        for key in keys:
+            assert event[key] == "gcp_bucket" if key == "source" else event[key] == f'{key}_value'
diff --git a/src/modules/gcp/scripts/tests/test_gcloud.py b/src/modules/gcp/scripts/tests/test_gcloud.py
new file mode 100644
index 0000000000..94433579c4
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/test_gcloud.py
@@ -0,0 +1,100 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""Unit tests for gcloud module."""
+
+import os
+import sys
+from argparse import Namespace
+from unittest.mock import patch
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))  # noqa: E501
+import gcloud
+
+
+def get_wodle_config(integration_type: str, credentials_file: str = None, log_level: int = 1,
+                     subscription: str = "subscription", project: str = 'project', max_messages: int = 100,
+                     n_threads: int = 100, bucket_name: str = "test_bucket", prefix: str = "",
+                     delete_file: bool = False, only_logs_after: str = None, reparse: bool = False) -> dict:
+    """Return a dict containing every parameter for the different supported integration types. Used to simulate
+    different ossec.conf configurations.
+
+    Parameters
+    ----------
+    integration_type : str
+        Determine the type of the integration. Current supported values: pubsub and access_logs
+    credentials_file : str
+        Path to credentials file.
+    log_level : int
+        The level of verbosity for the logger
+    subscription : str
+        Subscription ID.
+    project : str
+        The name of the project for a pubsub integration
+    max_messages: int
+        Maximum number of messages to retrieve.
+    n_threads : int
+        Number of threads used to process the pubsub messages
+    bucket_name : str
+        Name of the bucket to read the logs from.
+    prefix : prefix
+        Expected prefix for the logs. It can be used to specify the relative path where the logs are stored.
+    delete_file : bool
+        Indicate whether blobs should be deleted after being processed.
+    only_logs_after : datetime
+        Date after which obtain logs.
+    reparse : bool
+        Whether to parse already parsed logs or not
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their values
+    """
+    return {'integration_type': integration_type, 'credentials_file': credentials_file, 'log_level': log_level,
+            'subscription_id': subscription, 'project': project, 'max_messages': max_messages, 'n_threads': n_threads,
+            'bucket_name': bucket_name, 'prefix': prefix, 'delete_file': delete_file, 'only_logs_after': only_logs_after,
+            'reparse': reparse}
+
+
+@pytest.mark.parametrize('integration_type', ['pubsub', 'access_logs'])
+@patch('gcloud.GCSAccessLogs')
+@patch('gcloud.WazuhGCloudSubscriber')
+@patch('gcloud.ThreadPoolExecutor')
+@patch('gcloud.tools.get_stdout_logger')
+@patch('gcloud.cpu_count', side_effect=TypeError)
+def test_gcloud(mock_cpu_count, mock_logger, mock_threads, mock_subscriber, mock_access_logs, integration_type):
+    """Test gcloud module run and exits without errors using valid configurations."""
+    kwargs = get_wodle_config(integration_type=integration_type)
+    with patch('tools.get_script_arguments', return_value=Namespace(**kwargs)), pytest.raises(SystemExit) as err:
+        gcloud.main()
+    assert err.type == SystemExit
+    assert err.value.code == 0
+
+
+@pytest.mark.parametrize('parameters, errcode', [
+    ({'integration_type': 'type'}, 1002),
+    ({'integration_type': 'access_logs', 'bucket_name': ''}, 1103),
+    ({'integration_type': 'pubsub', 'subscription': None}, 1200),
+    ({'integration_type': 'pubsub', 'project': None}, 1201),
+    ({'integration_type': 'pubsub', 'n_threads': 0}, 1202),
+    ({'integration_type': 'pubsub', 'max_messages': 0}, 1203),
+    ({'integration_type': 'pubsub', 'n_threads': None}, 999)
+])
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+@patch('pubsub.subscriber.WazuhGCloudSubscriber.check_permissions')
+@patch('pubsub.subscriber.WazuhGCloudSubscriber.process_messages')
+@patch('buckets.bucket.storage.client.Client.from_service_account_json')
+@patch('buckets.access_logs.GCSAccessLogs.process_data', return_value=0)
+@patch('gcloud.tools.get_stdout_logger')
+def test_gcloud_ko(mock_logger, mock_data, mock_json, mock_messages, mock_permissions, mock_file, parameters, errcode):
+    """Test gcloud module aborts its execution when called with invalid parameters."""
+    kwargs = get_wodle_config(**parameters)
+    with patch('tools.get_script_arguments', return_value=Namespace(**kwargs)), pytest.raises(SystemExit) as err:
+        gcloud.main()
+    assert err.type == SystemExit
+    assert err.value.code == errcode
diff --git a/src/modules/gcp/scripts/tests/test_integration.py b/src/modules/gcp/scripts/tests/test_integration.py
new file mode 100644
index 0000000000..693609a7f3
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/test_integration.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""Unit tests for integration module."""
+
+import json
+import sys
+from os.path import join, dirname, realpath
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+import pytest
+
+sys.path.append(join(dirname(realpath(__file__)), '..'))  # noqa: E501
+from integration import WazuhGCloudIntegration, ANALYSISD
+import exceptions
+
+
+test_data_path = join(dirname(realpath(__file__)), 'data')
+test_message = 'test-message'
+
+
+def test_WazuhGCloudIntegration__init__():
+    """Test if an instance of WazuhGCloudIntegration is created properly."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    for attribute in ['logger', 'socket']:
+        assert hasattr(integration, attribute)
+
+
+def test_WazuhGCloudIntegration_format_msg():
+    """Test format_msg returns a well-formatted message."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    msg = integration.format_msg(json.dumps(test_message))
+    assert isinstance(msg, str)
+    msg_json = json.loads(msg)
+    assert msg_json.get('integration') == 'gcp'
+    assert msg_json.get('gcp') == test_message
+
+
+@patch('integration.socket.socket')
+def test_WazuhGCloudIntegration_initialize_socket(mock_socket):
+    """Test initialize_socket establish a connection with the ANALYSISD socket."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    integration.initialize_socket()
+    integration.socket.connect.assert_called_with(ANALYSISD)
+
+
+@pytest.mark.parametrize('raised_exception, errcode', [
+    (ConnectionRefusedError, 1),
+    (OSError, 2)
+])
+def test_WazuhGCloudIntegration_initialize_socket_ko(raised_exception, errcode):
+    """Test initialize_socket properly handles exceptions."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    with patch('socket.socket', side_effect=raised_exception), pytest.raises(exceptions.WazuhIntegrationInternalError) as e:
+        integration.initialize_socket()
+    assert errcode == e.value.errcode
+
+
+def test_WazuhGCloudIntegration_process_data():
+    """Test process_data is not implemented for this base class."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    with pytest.raises(NotImplementedError):
+        integration.process_data()
+
+
+@patch('integration.socket.socket')
+def test_WazuhGCloudIntegration_send_message(mock_socket):
+    """Test if messages are sent to Wazuh queue socket."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    with integration.initialize_socket():
+        integration.send_msg(test_message)
+    mock_socket.return_value.send.assert_called_with(
+        f'{WazuhGCloudIntegration.header}{test_message}'.encode(errors='replace'))
+
+
+def test_WazuhGCloudIntegration_send_message_ko():
+    """Test send_message when the socket hasn't been initialized."""
+    integration = WazuhGCloudIntegration(logger=MagicMock())
+    integration.socket = MagicMock()
+    integration.socket.send.side_effect = OSError
+    with pytest.raises(exceptions.WazuhIntegrationInternalError) as e:
+        integration.send_msg(test_message)
+    assert e.value.errcode == 3
diff --git a/src/modules/gcp/scripts/tests/test_subscriber.py b/src/modules/gcp/scripts/tests/test_subscriber.py
new file mode 100644
index 0000000000..92a237f12d
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/test_subscriber.py
@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""Unit tests for subscriber module."""
+
+import os
+import sys
+from logging import Logger
+from unittest.mock import MagicMock
+from unittest.mock import call, patch
+
+import pytest
+from google.api_core import exceptions as google_exceptions
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))  # noqa: E501
+from pubsub.subscriber import WazuhGCloudSubscriber
+from exceptions import GCloudError
+
+
+data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data/')
+MAX_MESSAGES = 100
+
+
+def get_wodle_config(credentials_file: str = "credentials.json", project: str = "test_project",
+                     subscription_id: str = "test_subscription", logger: Logger = None) -> dict:
+    """Return a dict containing every parameter supported by WazuhGCloudSubscriber. Used to simulate different
+    ossec.conf configurations.
+
+    Parameters
+    ----------
+    credentials_file : str
+        Path to credentials file.
+    project : str
+        Project name.
+    subscription_id : str
+        Subscription ID.
+    logger: logging.Logger
+        The logger that will be used to send messages to stdout.
+
+    Returns
+    -------
+    dict
+        A dict containing the configuration parameters with their values
+    """
+    return {'credentials_file': credentials_file, 'project': project, 'subscription_id': subscription_id,
+            'logger': logger if logger else MagicMock()}
+
+
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber__init__(mock_client):
+    """Test if an instance of WazuhGCloudSubscriber is created properly."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    for attribute in ['logger', 'subscriber', 'subscription_path']:
+        assert hasattr(pubsub, attribute)
+    mock_client.assert_called_once()
+
+
+@pytest.mark.parametrize('credentials_file, errcode', [
+    ('invalid_credentials_file.json', 1000),
+    ('unexistent_file', 1001)
+])
+def test_WazuhGCloudSubscriber__init__ko(credentials_file, errcode):
+    """Test that the appropriate exceptions are raised when the WazuhGCloudSubscriber constructor is called with
+    invalid parameters.
+    """
+    with pytest.raises(GCloudError) as e:
+        WazuhGCloudSubscriber(**get_wodle_config(credentials_file=os.path.join(data_path, credentials_file)))
+    assert e.value.errcode == errcode
+
+
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_get_subscriber_client(mock_credentials):
+    """Test get_subscriber_client attempts to create a client object using the provided credentials file."""
+    WazuhGCloudSubscriber.get_subscriber_client("credentials.json")
+    mock_credentials.assert_called_with("credentials.json")
+
+
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_get_subscription_path(mock_credentials):
+    """Test get_subscription_path calls the subscription_path with the expected parameters."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    pubsub.subscriber = MagicMock()
+    pubsub.get_subscription_path(project="project", subscription_id="subscription")
+    pubsub.subscriber.subscription_path.assert_called_with("project", "subscription")
+
+
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_check_permissions(mock_credentials):
+    """Test check_permissions to make sure it checks the required permissions to be present for the subscriber."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    pubsub.subscriber.test_iam_permissions.return_value = MagicMock(permissions={'pubsub.subscriptions.consume'})
+    pubsub.check_permissions()
+    mock_credentials.assert_called_once()
+
+
+@pytest.mark.parametrize('errcode, msg', [
+    (1204, ""),
+    (1205, "project not found or user does not have access"),
+    (1206, "")
+])
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_check_permissions_ko(mock_credentials, errcode, msg):
+    """Test check_permissions raises the expected GCloudError when the subscriber does not have the required
+    permissions."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config(credentials_file="credentials"))
+    if errcode != 1206:
+        pubsub.subscriber.test_iam_permissions.side_effect = google_exceptions.NotFound(msg)
+    with pytest.raises(GCloudError) as e:
+        pubsub.check_permissions()
+    assert e.value.errcode == errcode
+    mock_credentials.assert_called_once()
+
+
+@pytest.mark.parametrize('num_messages', [1, 10, 100])
+@patch('pubsub.subscriber.WazuhGCloudSubscriber.send_msg')
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_pull_request(mock_credentials, mock_send_msg, num_messages):
+    """Test pull_request makes the request using the provided parameters and returns the expected number of messages."""
+    # Create a large list of fake messages
+    message_list = [MagicMock() for _ in range(100)]
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    pubsub.subscriber.pull.return_value = MagicMock(received_messages=message_list[:num_messages])
+    assert pubsub.pull_request(max_messages=num_messages) == num_messages
+    pubsub.subscriber.pull.assert_called_with(request={'subscription': pubsub.subscription_path,
+                                                       'max_messages': num_messages})
+
+
+@patch('pubsub.subscriber.WazuhGCloudSubscriber.send_msg')
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_pull_request_ko(mock_credentials, mock_send_msg):
+    """Test pull_request returns no messages when an exception is raised."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    pubsub.subscriber.pull.side_effect = google_exceptions.DeadlineExceeded("placeholder")
+    assert pubsub.pull_request(max_messages=MAX_MESSAGES) == 0
+
+
+@patch('pubsub.subscriber.pubsub.subscriber.Client.from_service_account_file')
+def test_WazuhGCloudSubscriber_process_messages(mock_credentials):
+    """Test process_messages invoke the pull_request function several times until the required number of messages is
+    returned."""
+    pubsub = WazuhGCloudSubscriber(**get_wodle_config())
+    pubsub.initialize_socket = MagicMock()
+    pubsub.pull_request = MagicMock(return_value=MAX_MESSAGES/2)
+    assert pubsub.process_messages(max_messages=MAX_MESSAGES) == MAX_MESSAGES
+    pubsub.pull_request.assert_has_calls([call(MAX_MESSAGES), call(MAX_MESSAGES/2)])
diff --git a/src/modules/gcp/scripts/tests/test_tools.py b/src/modules/gcp/scripts/tests/test_tools.py
new file mode 100644
index 0000000000..af4b7be56c
--- /dev/null
+++ b/src/modules/gcp/scripts/tests/test_tools.py
@@ -0,0 +1,59 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import argparse
+import logging
+import os
+import sys
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
+import pytest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))  # noqa: E501
+import tools
+
+
+def test_get_script_arguments(capsys):
+    """Test get_script_arguments shows no messages when the required parameters were provided."""
+    with patch("sys.argv", ['main', '--integration_type', 'any', '--credentials_file', 'any']):
+        tools.get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == "", 'stdout was not empty'
+    assert stderr == "", 'stderr was not empty'
+
+
+@pytest.mark.parametrize('args', [
+    ['main'],
+    ['main', '--integration_type', 'any'],
+    ['main', '--credentials_file', 'any'],
+])
+def test_get_script_arguments_required(capsys, args):
+    """Test get_script_arguments shows an error message when the required parameters are not provided."""
+    with patch("sys.argv", args), pytest.raises(SystemExit) as exception:
+        tools.get_script_arguments()
+    stdout, stderr = capsys.readouterr()
+    assert stdout == "", 'The output was not empty'
+    assert stderr != "", 'No error message was found in the output'
+    assert exception.value.code == 2
+
+
+@pytest.mark.parametrize('level, expected_logging_level', [
+    (0, logging.WARNING),
+    (1, logging.INFO),
+    (2, logging.DEBUG)
+])
+@patch('tools.logging.getLogger')
+def test_get_stdout_logger(mock_logger, level, expected_logging_level):
+    """Test the get_stdout_logger function created a logger object with the expected logging level value."""
+    with patch('tools.logger') as mock_l:
+        mock_l.setLevel = MagicMock()
+        tools.get_stdout_logger(name='test', level=level)
+        mock_l.setLevel.assert_called_with(expected_logging_level)
+
+
+def test_arg_valid_date():
+    """Test arg_valid_dates raises an error when a date parameter doesn't have a valid format."""
+    with pytest.raises(argparse.ArgumentTypeError):
+        tools.arg_valid_date('invalid_date')
diff --git a/src/modules/gcp/scripts/tools.py b/src/modules/gcp/scripts/tools.py
new file mode 100644
index 0000000000..da96861836
--- /dev/null
+++ b/src/modules/gcp/scripts/tools.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+#
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of GPLv2
+
+"""This module contains generic functions for this wodle."""
+
+import argparse
+import logging
+from sys import stdout
+from datetime import datetime
+from logging.handlers import TimedRotatingFileHandler
+from pytz import UTC
+
+
+logger_name = ':gcloud_wodle:'
+logger = logging.getLogger(logger_name)
+log_levels = {0: logging.WARNING,
+              1: logging.INFO,
+              2: logging.DEBUG}
+logging_format = logging.Formatter('%(name)s - %(levelname)s - %(message)s')
+min_num_threads = 1
+min_num_messages = 1
+valid_types = ['pubsub', 'access_logs']
+
+
+def get_script_arguments():
+    """Get script arguments.
+
+    Returns
+    -------
+    Namespace
+        Namespace with the arguments passed to the script.
+    """
+    parser = argparse.ArgumentParser(usage="usage: %(prog)s [options]",
+                                     description="Wazuh wodle for monitoring Google Cloud",
+                                     formatter_class=argparse.RawTextHelpFormatter)
+
+    parser.add_argument('-T', '--integration_type', dest='integration_type',
+                        help=f'Supported integration types: {*valid_types,}', required=True)
+
+    parser.add_argument('-p', '--project', dest='project',
+                        help='Project ID')
+
+    parser.add_argument('-s', '--subscription_id', dest='subscription_id',
+                        help='Subscription name')
+
+    parser.add_argument('-c', '--credentials_file', dest='credentials_file',
+                        help='Path to credentials file', required=True)
+
+    parser.add_argument('-m', '--max_messages', dest='max_messages', type=int,
+                        help='Number of maximum messages pulled in each iteration', default=100)
+
+    parser.add_argument('-l', '--log_level', dest='log_level', type=int,
+                        help='Log level', required=False, default=0)
+
+    parser.add_argument('-b', '--bucket_name', dest='bucket_name', type=str,
+                        help='The name of the bucket to read the logs from')
+
+    parser.add_argument('-P', '--prefix', dest='prefix', help='The relative path to the logs', default='')
+
+    parser.add_argument('-r', '--remove', action='store_true', dest='delete_file',
+                        help='Remove processed blobs from the GCS bucket', default=False)
+
+    parser.add_argument('-o', '--only_logs_after', dest='only_logs_after',
+                        help='Only parse logs after this date - format YYYY-MMM-DD',
+                        default=None, type=arg_valid_date)
+
+    parser.add_argument('-t', '--num_threads', dest='n_threads', type=int,
+                        help='Number of threads', required=False, default=min_num_threads)
+    
+    parser.add_argument('--reparse', action='store_true', dest='reparse', 
+                        help='Parse the log, even if its been parsed before', default=False)
+
+    return parser.parse_args()
+
+
+def get_stdout_logger(name: str, level: int = 0) -> logging.Logger:
+    """Create a logger which returns the messages by stdout.
+
+    Parameters
+    ----------
+    name : str
+        Logger name.
+    level : int
+        Log level to be set.
+
+    Returns
+    -------
+    logging.Logger
+        Logger configured with input parameters. Returns the messages by stdout.
+    """
+    logger_stdout = logging.getLogger(name)
+    # set log level
+    logger.setLevel(log_levels.get(level, logging.WARNING))
+    # set handler for stdout
+    stdout_handler = logging.StreamHandler(stdout)
+    stdout_handler.setFormatter(logging_format)
+    logger_stdout.addHandler(stdout_handler)
+
+    return logger_stdout
+
+
+def arg_valid_date(arg_string: str) -> datetime:
+    """Validation function for only_logs_after dates.
+
+    Parameters
+    ----------
+    arg_string : str
+        The only_logs_after value in YYYY-MMM-DD format.
+
+    Returns
+    -------
+    datetime
+        The date corresponding to the string passed.
+
+    Raises
+    ------
+    ValueError
+        If the parameter passed is not in the expected format.
+    """
+    try:
+        return datetime.strptime(arg_string, "%Y-%b-%d").replace(tzinfo=UTC)
+    except ValueError:
+        raise argparse.ArgumentTypeError(f"Argument not a valid date in format YYYY-MMM-DD: '{arg_string}'.")
diff --git a/src/modules/gcp/scripts/utils.py b/src/modules/gcp/scripts/utils.py
new file mode 100644
index 0000000000..93590c9ce3
--- /dev/null
+++ b/src/modules/gcp/scripts/utils.py
@@ -0,0 +1,45 @@
+# Copyright (C) 2015, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+from functools import lru_cache
+
+
+@lru_cache(maxsize=None)
+def find_wazuh_path() -> str:
+    """
+    Get the Wazuh installation path.
+
+    Returns
+    -------
+    str
+        Path where Wazuh is installed or empty string if there is no framework in the environment.
+    """
+    abs_path = os.path.abspath(os.path.dirname(__file__))
+    allparts = []
+    while 1:
+        parts = os.path.split(abs_path)
+        if parts[0] == abs_path:  # sentinel for absolute paths
+            allparts.insert(0, parts[0])
+            break
+        elif parts[1] == abs_path:  # sentinel for relative paths
+            allparts.insert(0, parts[1])
+            break
+        else:
+            abs_path = parts[0]
+            allparts.insert(0, parts[1])
+
+    wazuh_path = ''
+    try:
+        for i in range(0, allparts.index('wodles')):
+            wazuh_path = os.path.join(wazuh_path, allparts[i])
+    except ValueError:
+        pass
+
+    return wazuh_path
+
+
+ANALYSISD = os.path.join(find_wazuh_path(), 'queue', 'sockets', 'queue')
+# Max size of the event that ANALYSISID can handle
+MAX_EVENT_SIZE = 65535
diff --git a/src/modules/gcp/src/wm_gcp.c b/src/modules/gcp/src/wm_gcp.c
new file mode 100755
index 0000000000..4fc088aa3f
--- /dev/null
+++ b/src/modules/gcp/src/wm_gcp.c
@@ -0,0 +1,529 @@
+/*
+ * Wazuh Module for Security Configuration Assessment
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 25, 2019.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+#include "os_net/os_net.h"
+#include <sys/stat.h>
+#include "os_crypto/sha256/sha256_op.h"
+#include "shared.h"
+
+#ifdef WAZUH_UNIT_TESTING
+/* Remove static qualifier when testing */
+#define static
+#endif
+
+/**
+ * @brief Run module function for Google Cloud Pub/Sub
+ * @param data Module configuration structure
+ */
+static void wm_gcp_pubsub_run(const wm_gcp_pubsub *data);            // Running python script
+
+/**
+ * @brief Dump configuration structure in JSON for Google Cloud Pub/Sub
+ * @param gcp_config Module configuration structure
+ * @return JSON structure with module configuration
+ */
+cJSON *wm_gcp_pubsub_dump(const wm_gcp_pubsub *gcp_config);          // Read config
+#ifdef WIN32
+/**
+ * @brief Main function for Google Cloud Pub/Sub
+ * @param gcp_config Module configuration structure
+ */
+static DWORD WINAPI wm_gcp_pubsub_main(void *arg);                     // Module main function. It won't return
+
+/**
+ * @brief Main function for Google Cloud bucket
+ * @param gcp_config Module configuration structure
+ */
+static DWORD WINAPI wm_gcp_bucket_main(void *arg);                     // Module main function. It won't return
+#else
+/**
+ * @brief Main function for Google Cloud Pub/Sub
+ * @param gcp_config Module configuration structure
+ */
+static void* wm_gcp_pubsub_main(wm_gcp_pubsub *gcp_config);          // Module main function. It won't return
+
+/**
+ * @brief Main function for Google Cloud bucket
+ * @param gcp_config Module configuration structure
+ */
+static void* wm_gcp_bucket_main(wm_gcp_bucket_base *gcp_config);          // Module main function. It won't return
+#endif
+
+/**
+ * @brief Free configuration structure for Google Cloud Pub/Sub
+ * @param gcp_config Module configuration structure
+ */
+static void wm_gcp_pubsub_destroy(wm_gcp_pubsub *gcp_config);        // Destroy data
+
+/**
+ * @brief Free configuration structure for Google Cloud bucket
+ * @param gcp_config Module configuration structure
+ */
+static void wm_gcp_bucket_destroy(wm_gcp_bucket_base *gcp_config);        // Destroy data
+
+/**
+ * @brief Run module function for Google Cloud bucket
+ * @param exec_bucket Bucket configuration structure
+ */
+static void wm_gcp_bucket_run(wm_gcp_bucket *exec_bucket);            // Running python script
+
+/**
+ * @brief Dump configuration structure in JSON for Google Cloud bucket
+ * @param gcp_config Module configuration structure
+ * @return JSON structure with module configuration
+ */
+cJSON *wm_gcp_bucket_dump(const wm_gcp_bucket_base *gcp_config);          // Read config
+
+/**
+ * @brief Parse the output of the GCP script and prints it depending on the debug
+ *        level stated by the script
+ * @param output Output returned by the call to the script
+ * @param tag Tag that should be used when printing the messages
+ */
+static void wm_gcp_parse_output(char *output, char *tag);
+
+
+/* Context definition */
+
+const wm_context WM_GCP_PUBSUB_CONTEXT = {
+    .name = GCP_PUBSUB_WM_NAME,
+    .start = (wm_routine)wm_gcp_pubsub_main,
+    .destroy = (void(*)(void *))wm_gcp_pubsub_destroy,
+    .dump = (cJSON * (*)(const void *))wm_gcp_pubsub_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+const wm_context WM_GCP_BUCKET_CONTEXT = {
+    .name = GCP_BUCKET_WM_NAME,
+    .start = (wm_routine)wm_gcp_bucket_main,
+    .destroy = (void(*)(void *))wm_gcp_bucket_destroy,
+    .dump = (cJSON * (*)(const void *))wm_gcp_bucket_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+#ifdef WAZUH_UNIT_TESTING
+// Replace pthread_exit for testing purposes
+#define pthread_exit(a) return a
+#endif
+// Module main function. It won't return
+#ifdef WIN32
+DWORD WINAPI wm_gcp_pubsub_main(void *arg) {
+    wm_gcp_pubsub *data = (wm_gcp_pubsub *)arg;
+#else
+void* wm_gcp_pubsub_main(wm_gcp_pubsub *data) {
+#endif
+    char * timestamp = NULL;
+    // If module is disabled, exit
+    if (data->enabled) {
+        mtinfo(WM_GCP_PUBSUB_LOGTAG, "Module started.");
+    } else {
+        mtinfo(WM_GCP_PUBSUB_LOGTAG, "Module disabled. Exiting.");
+        pthread_exit(NULL);
+    }
+
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(data->scan_config), WM_GCP_PUBSUB_LOGTAG, data->pull_on_start);
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(data->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_GCP_PUBSUB_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtdebug1(WM_GCP_PUBSUB_LOGTAG, "Starting fetching of logs.");
+
+        wm_gcp_pubsub_run(data);
+
+        mtdebug1(WM_GCP_PUBSUB_LOGTAG, "Fetching logs finished.");
+    } while (FOREVER());
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+#ifdef WIN32
+DWORD WINAPI wm_gcp_bucket_main(void *arg) {
+    wm_gcp_bucket_base *data = (wm_gcp_bucket_base *)arg;
+#else
+void* wm_gcp_bucket_main(wm_gcp_bucket_base *data) {
+#endif
+    char * timestamp = NULL;
+    // If module is disabled, exit
+    if (data->enabled) {
+        mtinfo(WM_GCP_BUCKET_LOGTAG, "Module started.");
+    } else {
+        mtinfo(WM_GCP_BUCKET_LOGTAG, "Module disabled. Exiting.");
+        pthread_exit(NULL);
+    }
+
+    wm_gcp_bucket *cur_bucket;
+    char *log_info;
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(data->scan_config), WM_GCP_BUCKET_LOGTAG, data->run_on_start);
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(data->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_GCP_BUCKET_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtdebug1(WM_GCP_BUCKET_LOGTAG, "Starting fetching of logs.");
+
+        for (cur_bucket = data->buckets; cur_bucket; cur_bucket = cur_bucket->next) {
+
+            log_info = NULL;
+
+            wm_strcat(&log_info, "Executing Bucket Analysis: (Bucket:", '\0');
+            if (cur_bucket->bucket) {
+                wm_strcat(&log_info, cur_bucket->bucket, ' ');
+            }
+            else {
+                wm_strcat(&log_info, "unknown_bucket", ' ');
+            }
+
+
+            if (cur_bucket->prefix) {
+                wm_strcat(&log_info, ", Path:", '\0');
+                wm_strcat(&log_info, cur_bucket->prefix, ' ');
+            }
+
+            if (cur_bucket->type) {
+                wm_strcat(&log_info, ", Type:", '\0');
+                wm_strcat(&log_info, cur_bucket->type, ' ');
+            }
+
+            if (cur_bucket->credentials_file) {
+                wm_strcat(&log_info, ", Credentials file:", '\0');
+                wm_strcat(&log_info, cur_bucket->credentials_file, ' ');
+            }
+
+            wm_strcat(&log_info, ")", '\0');
+
+            mtinfo(WM_GCP_BUCKET_LOGTAG, "%s", log_info);
+            wm_gcp_bucket_run(cur_bucket);
+            free(log_info);
+        }
+
+        mtdebug1(WM_GCP_BUCKET_LOGTAG, "Fetching logs finished.");
+    } while (FOREVER());
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+#ifdef WAZUH_UNIT_TESTING
+/* Replace pthread_exit for testing purposes */
+#undef pthread_exit
+#define pthread_exit(a) return
+
+__attribute__((weak))
+#endif
+void wm_gcp_pubsub_run(const wm_gcp_pubsub *data) {
+    int status;
+    char *output = NULL;
+    char *command = NULL;
+
+    // Create arguments
+    mtdebug2(WM_GCP_PUBSUB_LOGTAG, "Create argument list");
+
+    char * script = NULL;
+    os_calloc(PATH_MAX, sizeof(char), script);
+
+    snprintf(script, PATH_MAX, "%s", WM_GCP_SCRIPT_PATH);
+
+    wm_strcat(&command, script, '\0');
+    os_free(script);
+
+    wm_strcat(&command, "--integration_type pubsub", ' ');
+
+    if (data->project_id) {
+        wm_strcat(&command, "--project", ' ');
+        wm_strcat(&command, data->project_id, ' ');
+    }
+    if (data->subscription_name) {
+        wm_strcat(&command, "--subscription_id", ' ');
+        wm_strcat(&command, data->subscription_name, ' ');
+    }
+    if (data->credentials_file) {
+        wm_strcat(&command, "--credentials_file", ' ');
+        wm_strcat(&command, data->credentials_file, ' ');
+    }
+
+    if (data->max_messages) {
+        char *int_to_string;
+        os_malloc(OS_SIZE_1024, int_to_string);
+        sprintf(int_to_string, "%d", data->max_messages);
+        wm_strcat(&command, "--max_messages", ' ');
+        wm_strcat(&command, int_to_string, ' ');
+        os_free(int_to_string);
+    }
+    if (data->num_threads) {
+        char *int_to_string;
+        os_malloc(OS_SIZE_1024, int_to_string);
+        sprintf(int_to_string, "%d", data->num_threads);
+        wm_strcat(&command, "--num_threads", ' ');
+        wm_strcat(&command, int_to_string, ' ');
+        os_free(int_to_string);
+    }
+
+    if (isDebug()){
+        char *int_to_string;
+        os_malloc(OS_SIZE_1024, int_to_string);
+        sprintf(int_to_string, "%d", isDebug());
+        wm_strcat(&command, "--log_level", ' ');
+        wm_strcat(&command, int_to_string, ' ');
+        os_free(int_to_string);
+    }
+
+    // Execute
+
+    mtdebug1(WM_GCP_PUBSUB_LOGTAG, "Launching command: %s", command);
+
+    const int wm_exec_ret_code = wm_exec(command, &output, &status, 0, NULL);
+
+    os_free(command);
+
+    if (wm_exec_ret_code != 0){
+        mterror(WM_GCP_PUBSUB_LOGTAG, "Internal error. Exiting...");
+        if (wm_exec_ret_code > 0) {
+            os_free(output);
+        }
+        pthread_exit(NULL);
+    } else if (status > 0) {
+        mtwarn(WM_GCP_PUBSUB_LOGTAG, "Command returned exit code %d", status);
+    }
+
+    wm_gcp_parse_output(output, WM_GCP_PUBSUB_LOGTAG);
+    os_free(output);
+}
+
+static void wm_gcp_parse_output(char *output, char *tag){
+    char *line;
+    char * parsing_output = output;
+    int debug_level = isDebug();
+
+    for (line = strstr(parsing_output, WM_GCP_LOGGING_TOKEN); line; line = strstr(parsing_output, WM_GCP_LOGGING_TOKEN)) {
+        char * tokenized_line;
+        os_calloc(WM_STRING_MAX, sizeof(char), tokenized_line);
+        char * next_lines;
+
+        line += strlen(WM_GCP_LOGGING_TOKEN);
+        next_lines = strstr(line, WM_GCP_LOGGING_TOKEN);
+
+        int next_lines_chars = next_lines == NULL ? 0 : strlen(next_lines);
+
+        // 1 is added because it's mandatory to consider the null byte
+        int cp_length = 1 + strlen(line) - next_lines_chars > WM_STRING_MAX ? WM_STRING_MAX : 1 + strlen(line) - next_lines_chars;
+        snprintf(tokenized_line, cp_length, "%s", line);
+        if (tokenized_line[cp_length - 2] == '\n') tokenized_line[cp_length - 2] = '\0';
+
+        char *p_line = NULL;
+
+        if (debug_level >= 2) {
+            if ((p_line = strstr(tokenized_line, "- DEBUG - "))) {
+                p_line += 10;
+                mtdebug1(tag, "%s", p_line);
+            }
+        }
+        if (debug_level >= 1) {
+            if ((p_line = strstr(tokenized_line, "- INFO - "))) {
+                p_line += 9;
+                mtinfo(tag, "%s", p_line);
+            }
+        }
+        if (debug_level >= 0) {
+            if ((p_line = strstr(tokenized_line, "- CRITICAL - "))) {
+                p_line += 13;
+                mterror(tag, "%s", p_line);
+            }
+            if ((p_line = strstr(tokenized_line, "- ERROR - "))) {
+                p_line += 10;
+                mterror(tag, "%s", p_line);
+            }
+            if ((p_line = strstr(tokenized_line, "- WARNING - "))) {
+                p_line += 12;
+                mtwarn(tag, "%s", p_line);
+            }
+        }
+
+        parsing_output += cp_length + strlen(WM_GCP_LOGGING_TOKEN) - 1;
+        os_free(tokenized_line);
+    }
+}
+
+void wm_gcp_bucket_run(wm_gcp_bucket *exec_bucket) {
+    int status;
+    char *output = NULL;
+    char *command = NULL;
+
+    // Create arguments
+    mtdebug2(WM_GCP_BUCKET_LOGTAG, "Create argument list");
+
+    char * script = NULL;
+    os_calloc(PATH_MAX, sizeof(char), script);
+
+    snprintf(script, PATH_MAX, "%s", WM_GCP_SCRIPT_PATH);
+
+    wm_strcat(&command, script, '\0');
+    os_free(script);
+
+    wm_strcat(&command, "--integration_type", ' ');
+    wm_strcat(&command, exec_bucket->type, ' ');
+
+    wm_strcat(&command, "--bucket_name", ' ');
+    wm_strcat(&command, exec_bucket->bucket, ' ');
+
+    if (exec_bucket->credentials_file) {
+        wm_strcat(&command, "--credentials_file", ' ');
+        wm_strcat(&command, exec_bucket->credentials_file, ' ');
+    }
+    if (exec_bucket->prefix) {
+        wm_strcat(&command, "--prefix", ' ');
+        wm_strcat(&command, exec_bucket->prefix, ' ');
+    }
+    if (exec_bucket->only_logs_after) {
+        wm_strcat(&command, "--only_logs_after", ' ');
+        wm_strcat(&command, exec_bucket->only_logs_after, ' ');
+    }
+    if (exec_bucket->remove_from_bucket) {
+        wm_strcat(&command, "--remove", ' ');
+    }
+
+    if (isDebug()){
+        char *int_to_string;
+        os_malloc(OS_SIZE_1024, int_to_string);
+        sprintf(int_to_string, "%d", isDebug());
+        wm_strcat(&command, "--log_level", ' ');
+        wm_strcat(&command, int_to_string, ' ');
+        os_free(int_to_string);
+    }
+
+    // Execute
+
+    mtdebug1(WM_GCP_BUCKET_LOGTAG, "Launching command: %s", command);
+
+    const int wm_exec_ret_code = wm_exec(command, &output, &status, 0, NULL);
+
+    os_free(command);
+
+    if (wm_exec_ret_code != 0){
+        mterror(WM_GCP_BUCKET_LOGTAG, "Internal error. Exiting...");
+        if (wm_exec_ret_code > 0) {
+            os_free(output);
+        }
+        pthread_exit(NULL);
+    } else if (status > 0) {
+        mtwarn(WM_GCP_BUCKET_LOGTAG, "Command returned exit code %d", status);
+    }
+
+    wm_gcp_parse_output(output, WM_GCP_BUCKET_LOGTAG);
+    os_free(output);
+}
+
+void wm_gcp_pubsub_destroy(wm_gcp_pubsub * data) {
+    if (data->project_id) os_free(data->project_id);
+    if (data->subscription_name) os_free(data->subscription_name);
+    if (data->credentials_file) os_free(data->credentials_file);
+    os_free(data);
+}
+
+void wm_gcp_bucket_destroy(wm_gcp_bucket_base * data) {
+    wm_gcp_bucket *cur_bucket;
+    wm_gcp_bucket *next_bucket = data->buckets;
+    while(next_bucket){
+        cur_bucket = next_bucket;
+        next_bucket = next_bucket->next;
+        if (cur_bucket->bucket) os_free(cur_bucket->bucket);
+        if (cur_bucket->type) os_free(cur_bucket->type);
+        if (cur_bucket->credentials_file) os_free(cur_bucket->credentials_file);
+        if (cur_bucket->prefix) os_free(cur_bucket->prefix);
+        if (cur_bucket->only_logs_after) os_free(cur_bucket->only_logs_after);
+        os_free(cur_bucket);
+    }
+    os_free(data);
+}
+
+cJSON *wm_gcp_pubsub_dump(const wm_gcp_pubsub *data) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_wd = cJSON_CreateObject();
+
+    sched_scan_dump(&(data->scan_config), wm_wd);
+
+    cJSON_AddStringToObject(wm_wd, "enabled", data->enabled ? "yes" : "no");
+    cJSON_AddStringToObject(wm_wd, "pull_on_start", data->pull_on_start ? "yes" : "no");
+    if (data->max_messages) cJSON_AddNumberToObject(wm_wd, "max_messages", data->max_messages);
+    if (data->num_threads) cJSON_AddNumberToObject(wm_wd, "num_threads", data->num_threads);
+    if (data->project_id) cJSON_AddStringToObject(wm_wd, "project_id", data->project_id);
+    if (data->subscription_name) cJSON_AddStringToObject(wm_wd, "subscription_name", data->subscription_name);
+    if (data->credentials_file) cJSON_AddStringToObject(wm_wd, "credentials_file", data->credentials_file);
+
+    int debug_level = isDebug();
+
+    if (debug_level >= 2) cJSON_AddStringToObject(wm_wd, "logging", "debug");
+    if (debug_level == 1) cJSON_AddStringToObject(wm_wd, "logging", "info");
+    if (debug_level == 0) cJSON_AddStringToObject(wm_wd, "logging", "warning");
+
+    cJSON_AddItemToObject(root, "gcp-pubsub", wm_wd);
+
+    return root;
+}
+
+cJSON *wm_gcp_bucket_dump(const wm_gcp_bucket_base *data) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_wd = cJSON_CreateObject();
+
+    sched_scan_dump(&(data->scan_config), wm_wd);
+    cJSON_AddStringToObject(wm_wd, "enabled", data->enabled ? "yes" : "no");
+    cJSON_AddStringToObject(wm_wd, "run_on_start", data->run_on_start ? "yes" : "no");
+
+    if (data->buckets) {
+        wm_gcp_bucket *cur_bucket;
+        cJSON *arr_buckets = cJSON_CreateArray();
+        for (cur_bucket = data->buckets; cur_bucket; cur_bucket = cur_bucket->next) {
+            cJSON *buck = cJSON_CreateObject();
+            if (cur_bucket->bucket) cJSON_AddStringToObject(buck, "bucket", cur_bucket->bucket);
+            if (cur_bucket->type) cJSON_AddStringToObject(buck, "type", cur_bucket->type);
+            if (cur_bucket->credentials_file) cJSON_AddStringToObject(buck, "credentials_file", cur_bucket->credentials_file);
+            if (cur_bucket->prefix) cJSON_AddStringToObject(buck, "prefix", cur_bucket->prefix);
+            if (cur_bucket->only_logs_after) cJSON_AddStringToObject(buck, "only_logs_after", cur_bucket->only_logs_after);
+            if (cur_bucket->remove_from_bucket) cJSON_AddNumberToObject(buck, "remove_from_bucket", cur_bucket->remove_from_bucket);
+            cJSON_AddItemToArray(arr_buckets, buck);
+        }
+        if (cJSON_GetArraySize(arr_buckets) > 0) {
+            cJSON_AddItemToObject(wm_wd, "buckets", arr_buckets);
+        } else {
+            cJSON_free(arr_buckets);
+        }
+    }
+
+    int debug_level = isDebug();
+
+    if (debug_level >= 2) cJSON_AddStringToObject(wm_wd, "logging", "debug");
+    if (debug_level == 1) cJSON_AddStringToObject(wm_wd, "logging", "info");
+    if (debug_level == 0) cJSON_AddStringToObject(wm_wd, "logging", "warning");
+
+    cJSON_AddItemToObject(root, "gcp-bucket", wm_wd);
+
+    return root;
+}
diff --git a/src/modules/gcp/tests/unit/tests/CMakeLists.txt b/src/modules/gcp/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..5bc48d2249
--- /dev/null
+++ b/src/modules/gcp/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,71 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_gcp")
+list(APPEND tests_flags "-Wl,--wrap,wm_exec \
+                         -Wl,--wrap,sched_scan_dump,--wrap,sched_scan_get_time_until_next_scan \
+                         -Wl,--wrap,cJSON_CreateObject -Wl,--wrap,FOREVER,--wrap,w_get_timestamp \
+                         -Wl,--wrap,w_sleep_until,--wrap,isDebug ${DEBUG_OP_WRAPPERS}")
+list(APPEND use_shared_libs 0)
+
+list(APPEND tests_names "test_wmodules_gcp")
+list(APPEND tests_flags "-Wl,--wrap,sched_scan_read,--wrap,realpath,--wrap,IsFile,--wrap,atexit -Wl,--wrap,wfopen ${DEBUG_OP_WRAPPERS}")
+list(APPEND use_shared_libs 0)
+
+# Generate wazuh modules library
+file(GLOB gcp ../../../wazuh_modules/*.o ../../../config/*.o)
+list(REMOVE_ITEM gcp ../../../wazuh_modules/main.o)
+
+add_library(GCP_O STATIC ${gcp})
+
+set_source_files_properties(
+  ${gcp}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  GCP_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(GCP_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        GCP_O
+        -ldl
+        -lcmocka
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/gcp/tests/unit/tests/test_wm_gcp.c b/src/modules/gcp/tests/unit/tests/test_wm_gcp.c
new file mode 100644
index 0000000000..a361700158
--- /dev/null
+++ b/src/modules/gcp/tests/unit/tests/test_wm_gcp.c
@@ -0,0 +1,2557 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/wm_gcp.h"
+#include "../../headers/defs.h"
+#include "../../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/schedule_scan_wrappers.h"
+#include "../../wrappers/wazuh/shared/time_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+
+void wm_gcp_pubsub_run(const wm_gcp_pubsub *data);
+cJSON *wm_gcp_pubsub_dump(const wm_gcp_pubsub *data);
+void wm_gcp_pubsub_destroy(wm_gcp_pubsub * data);
+void* wm_gcp_pubsub_main(wm_gcp_pubsub *data);
+
+void wm_gcp_bucket_run(wm_gcp_bucket *exec_bucket);
+cJSON *wm_gcp_bucket_dump(const wm_gcp_bucket_base *data);
+void wm_gcp_bucket_destroy(wm_gcp_bucket_base *data);
+void* wm_gcp_bucket_main(wm_gcp_bucket_base *data);
+
+/* Generic setup/teardown */
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* Auxiliar structs for pubsub*/
+typedef struct __gcp_pubsub_dump_s {
+    wm_gcp_pubsub *config;
+    cJSON *dump;
+    cJSON *root;
+    cJSON *wm_wd;
+}gcp_pubsub_dump_t;
+
+/* wraps */
+int __wrap_isDebug() {
+    return mock();
+}
+
+/* setup/teardown for pubsub*/
+static int setup_group_pubsub(void **state) {
+    wm_gcp_pubsub *gcp_config;
+    os_calloc(1, sizeof(wm_gcp_pubsub), gcp_config);
+
+    if(gcp_config == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_config->project_id);
+    if(gcp_config->project_id == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_config->subscription_name);
+    if(gcp_config->subscription_name == NULL)
+        return -1;
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_config->credentials_file);
+    if(gcp_config->credentials_file == NULL)
+        return -1;
+
+    *state = gcp_config;
+
+    return 0;
+}
+
+static int teardown_group_pubsub(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    if (gcp_config->project_id) os_free(gcp_config->project_id);
+    if (gcp_config->subscription_name) os_free(gcp_config->subscription_name);
+    if (gcp_config->credentials_file) os_free(gcp_config->credentials_file);
+
+    os_free(gcp_config);
+
+    return 0;
+}
+
+static int setup_gcp_pubsub_dump(void **state) {
+    setup_group_pubsub(state);
+
+    gcp_pubsub_dump_t *dump_data = calloc(1, sizeof(gcp_pubsub_dump_t));
+
+    if(dump_data == NULL)
+        return -1;
+
+    if(dump_data->root = __real_cJSON_CreateObject(), dump_data->root == NULL)
+        return -1;
+
+    if(dump_data->wm_wd = __real_cJSON_CreateObject(), dump_data->wm_wd == NULL)
+        return -1;
+
+    // Move some pointers around in order to add some info for these tests
+    dump_data->config = *state;
+    *state = dump_data;
+
+    return 0;
+}
+
+static int teardown_gcp_pubsub_dump(void **state) {
+    gcp_pubsub_dump_t *dump_data = *state;
+
+    // Make sure to keep the group information.
+    *state = dump_data->config;
+
+    teardown_group_pubsub(state);
+
+    // Free/delete everything else
+    cJSON_Delete(dump_data->dump);
+    os_free(dump_data);
+
+    return 0;
+}
+
+static int setup_gcp_pubsub_destroy(void **state) {
+    setup_group_pubsub(state);
+
+    wm_gcp_pubsub **gcp_config;
+
+    if(gcp_config = calloc(2, sizeof(wm_gcp_pubsub*)), gcp_config == NULL)
+        return -1;
+
+    // Save the globally used gcp_config
+    gcp_config[1] = *state;
+
+    // And create a new one to be destroyed by tests
+    if(gcp_config[0] = calloc(1, sizeof(wm_gcp_pubsub)), gcp_config[0] == NULL)
+        return -1;
+
+    if(gcp_config[0]->project_id = calloc(OS_SIZE_1024, sizeof(char)), gcp_config[0]->project_id == NULL)
+        return -1;
+
+    if(gcp_config[0]->subscription_name = calloc(OS_SIZE_1024, sizeof(char)), gcp_config[0]->subscription_name == NULL)
+        return -1;
+
+    if(gcp_config[0]->credentials_file = calloc(OS_SIZE_1024, sizeof(char)), gcp_config[0]->credentials_file == NULL)
+        return -1;
+
+    *state = gcp_config;
+
+    return 0;
+}
+
+static int teardown_gcp_pubsub_destroy(void **state) {
+    wm_gcp_pubsub **gcp_config;
+
+    gcp_config = *state;
+
+    // gcp_config[0] was destroyed by the test, restore the original into state
+    *state = gcp_config[1];
+
+    teardown_group_pubsub(state);
+
+    os_free(gcp_config);
+
+    return 0;
+}
+
+/* Auxiliar structs for buckets*/
+typedef struct __gcp_bucket_dump_s {
+    wm_gcp_bucket_base *config;
+    cJSON *dump;
+    cJSON *root;
+    cJSON *wm_wd;
+    cJSON *cur_bucket;
+}gcp_bucket_dump_t;
+
+/* setup/teardown for buckets*/
+static int setup_group_bucket(void **state) {
+    wm_gcp_bucket_base *gcp_config;
+    wm_gcp_bucket *gcp_bucket;
+
+    os_calloc(OS_SIZE_1024, sizeof(wm_gcp_bucket_base), gcp_config);
+    os_calloc(OS_SIZE_1024, sizeof(wm_gcp_bucket), gcp_bucket);
+
+    if(gcp_config == NULL)
+        return -1;
+
+    if(gcp_bucket == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->bucket);
+    if(gcp_bucket->bucket == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->type);
+    if(gcp_bucket->type == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->credentials_file);
+    if(gcp_bucket->credentials_file == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->prefix);
+    if(gcp_bucket->prefix == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->only_logs_after);
+    if(gcp_bucket->only_logs_after == NULL)
+        return -1;
+
+    gcp_bucket->remove_from_bucket = 1;
+
+    gcp_config->buckets = gcp_bucket;
+    *state = gcp_config;
+
+    return 0;
+}
+
+static int teardown_group_bucket(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *gcp_bucket = gcp_config->buckets;
+
+    if (gcp_bucket->bucket) os_free(gcp_bucket->bucket);
+    if (gcp_bucket->type) os_free(gcp_bucket->type);
+    if (gcp_bucket->credentials_file) os_free(gcp_bucket->credentials_file);
+    if (gcp_bucket->prefix) os_free(gcp_bucket->prefix);
+    if (gcp_bucket->only_logs_after) os_free(gcp_bucket->only_logs_after);
+
+    os_free(gcp_bucket);
+    os_free(gcp_config);
+
+    return 0;
+}
+
+static int setup_gcp_bucket_dump(void **state) {
+    setup_group_bucket(state);
+
+    gcp_bucket_dump_t *dump_data;
+    os_calloc(1, sizeof(gcp_bucket_dump_t), dump_data);
+
+    if(dump_data == NULL)
+        return -1;
+
+    if(dump_data->root = __real_cJSON_CreateObject(), dump_data->root == NULL)
+        return -1;
+
+    if(dump_data->wm_wd = __real_cJSON_CreateObject(), dump_data->wm_wd == NULL)
+        return -1;
+
+    if(dump_data->cur_bucket = __real_cJSON_CreateObject(), dump_data->cur_bucket == NULL)
+        return -1;
+
+    // Move some pointers around in order to add some info for these tests
+    dump_data->config = *state;
+    *state = dump_data;
+
+    return 0;
+}
+
+static int teardown_gcp_bucket_dump(void **state) {
+    gcp_bucket_dump_t *dump_data = *state;
+
+    // Make sure to keep the group information.
+    *state = dump_data->config;
+
+    // Free/delete everything else
+    cJSON_Delete(dump_data->dump);
+
+    teardown_group_bucket(state);
+    os_free(dump_data);
+
+    return 0;
+}
+
+static int setup_gcp_bucket_destroy(void **state) {
+    setup_group_bucket(state);
+    wm_gcp_bucket_base **gcp_config;
+    wm_gcp_bucket *gcp_bucket;
+
+    os_calloc(OS_SIZE_1024, sizeof(wm_gcp_bucket_base*), gcp_config);
+    os_calloc(OS_SIZE_1024, sizeof(wm_gcp_bucket), gcp_bucket);
+
+    if(gcp_config == NULL)
+        return -1;
+
+    if(gcp_bucket == NULL)
+        return -1;
+
+    // Save the globally used gcp_config
+    gcp_config[1] = *state;
+
+    // And create a new one to be destroyed by tests
+    os_calloc(1, sizeof(wm_gcp_bucket_base), gcp_config[0]);
+    if(gcp_config[0] == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->bucket);
+    if(gcp_bucket->bucket == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->type);
+    if(gcp_bucket->type == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->credentials_file);
+    if(gcp_bucket->credentials_file == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->prefix);
+    if(gcp_bucket->prefix == NULL)
+        return -1;
+
+    os_calloc(OS_SIZE_1024, sizeof(char), gcp_bucket->only_logs_after);
+    if(gcp_bucket->only_logs_after == NULL)
+        return -1;
+
+    gcp_bucket->remove_from_bucket = 1;
+
+    gcp_config[0]->buckets = gcp_bucket;
+    *state = gcp_config;
+
+    return 0;
+}
+
+static int teardown_gcp_bucket_destroy(void **state) {
+    wm_gcp_bucket_base **gcp_config;
+
+    gcp_config = *state;
+
+    // gcp_config[0] was destroyed by the test, restore the original into state
+    *state = gcp_config[1];
+
+    teardown_group_bucket(state);
+
+    os_free(gcp_config);
+
+    return 0;
+}
+
+
+/* tests */
+/* wm_gcp_pubsub_run */
+static void test_wm_gcp_pubsub_run_error_running_command(void **state)  {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 1);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Internal error. Exiting...");
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_unknown_error(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Unknown error - This is an unknown error.");
+    will_return(__wrap_wm_exec, 1);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 1");
+
+    will_return(__wrap_isDebug, 1);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_unknown_error_no_description(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Unknown error - This is an unknown error.");
+    will_return(__wrap_wm_exec, 1);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 1");
+
+    will_return(__wrap_isDebug, 1);
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_error_parsing_args(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Error!! integration.py: error: unable to parse");
+    will_return(__wrap_wm_exec, 2);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 2");
+
+    will_return(__wrap_isDebug, 1);
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_error_parsing_args_no_description(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Error!! But won't trigger a specific message");
+    will_return(__wrap_wm_exec, 2);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 2");
+
+    will_return(__wrap_isDebug, 1);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_generic_error(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "ERROR: A specific error message.");
+    will_return(__wrap_wm_exec, 3);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 3");
+
+    will_return(__wrap_isDebug, 0);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_generic_error_no_description(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "A specific error message.");
+    will_return(__wrap_wm_exec, 3);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 3");
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_warning_message_warning(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - WARNING - This is a warning message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "This is a warning message");
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_debug_message_not_debug_discarded(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output - This is a message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 2);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+
+static void test_wm_gcp_pubsub_run_logging_debug_message_not_debug(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - INFO - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "This is an info message");
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_info_message_info(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - INFO - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "This is an info message");
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_info_message_debug(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - DEBUG - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_info_message_warning(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - WARNING - This is a warning message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "This is a warning message");
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_warning_message_error(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is an error message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is an error message");
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_warning_multiline_message_error(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is a \nmultiline\nerror message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is a \nmultiline\nerror message");
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_warning_multimessage_message_error(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is a \nmultiline\nerror message\n"
+		":gcloud_wodle:Test output - ERROR - This is the second message\n"
+		":gcloud_wodle:Test output - CRITICAL - This is a critical message\n");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is a \nmultiline\nerror message");
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is the second message");
+    expect_string(__wrap__mterror, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is a critical message");
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_run_logging_default_message_debug(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 6");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 6");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output - DEBUG - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    wm_gcp_pubsub_run(gcp_config);
+}
+
+/* wm_gcp_pubsub_dump */
+static void test_wm_gcp_pubsub_dump_success_logging_debug(void **state) {
+    gcp_pubsub_dump_t *gcp_pubsub_dump_data = *state;
+
+    gcp_pubsub_dump_data->config->enabled = 0;
+    gcp_pubsub_dump_data->config->pull_on_start = 0;
+    gcp_pubsub_dump_data->config->max_messages = 100;
+    gcp_pubsub_dump_data->config->num_threads = 2;
+
+    snprintf(gcp_pubsub_dump_data->config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_pubsub_dump_data->config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_pubsub_dump_data->config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->wm_wd);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_pubsub_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_pubsub_dump_data->wm_wd);
+    will_return(__wrap_isDebug, 2);
+
+    gcp_pubsub_dump_data->dump = wm_gcp_pubsub_dump(gcp_pubsub_dump_data->config);
+
+    assert_non_null(gcp_pubsub_dump_data->dump);
+    assert_ptr_equal(gcp_pubsub_dump_data->dump, gcp_pubsub_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub_dump_data->dump), 1);
+
+    cJSON *gcp_pubsub = cJSON_GetObjectItem(gcp_pubsub_dump_data->dump, "gcp-pubsub");
+    assert_non_null(gcp_pubsub);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub), 8);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_pubsub, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *pull_on_start = cJSON_GetObjectItem(gcp_pubsub, "pull_on_start");
+    assert_string_equal(cJSON_GetStringValue(pull_on_start), "no");
+    cJSON *max_messages = cJSON_GetObjectItem(gcp_pubsub, "max_messages");
+    assert_non_null(max_messages);
+    assert_int_equal(max_messages->valueint, 100);
+    cJSON *num_threads = cJSON_GetObjectItem(gcp_pubsub, "num_threads");
+    assert_non_null(num_threads);
+    assert_int_equal(num_threads->valueint, 2);
+    cJSON *project_id = cJSON_GetObjectItem(gcp_pubsub, "project_id");
+    assert_string_equal(cJSON_GetStringValue(project_id), "wazuh-gcp-test");
+    cJSON *subscription_name = cJSON_GetObjectItem(gcp_pubsub, "subscription_name");
+    assert_string_equal(cJSON_GetStringValue(subscription_name), "wazuh-subscription-test");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_pubsub, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+
+static void test_wm_gcp_pubsub_dump_success_logging_info(void **state) {
+    gcp_pubsub_dump_t *gcp_pubsub_dump_data = *state;
+
+    gcp_pubsub_dump_data->config->enabled = 1;
+    gcp_pubsub_dump_data->config->pull_on_start = 0;
+    gcp_pubsub_dump_data->config->max_messages = 100;
+    gcp_pubsub_dump_data->config->num_threads = 2;
+
+    snprintf(gcp_pubsub_dump_data->config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_pubsub_dump_data->config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_pubsub_dump_data->config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->wm_wd);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_pubsub_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_pubsub_dump_data->wm_wd);
+    will_return(__wrap_isDebug, 1);
+
+    gcp_pubsub_dump_data->dump = wm_gcp_pubsub_dump(gcp_pubsub_dump_data->config);
+
+    assert_non_null(gcp_pubsub_dump_data->dump);
+    assert_ptr_equal(gcp_pubsub_dump_data->dump, gcp_pubsub_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub_dump_data->dump), 1);
+
+    cJSON *gcp_pubsub = cJSON_GetObjectItem(gcp_pubsub_dump_data->dump, "gcp-pubsub");
+    assert_non_null(gcp_pubsub);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub), 8);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_pubsub, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "yes");
+    cJSON *pull_on_start = cJSON_GetObjectItem(gcp_pubsub, "pull_on_start");
+    assert_string_equal(cJSON_GetStringValue(pull_on_start), "no");
+    cJSON *max_messages = cJSON_GetObjectItem(gcp_pubsub, "max_messages");
+    assert_non_null(max_messages);
+    assert_int_equal(max_messages->valueint, 100);
+    cJSON *num_threads = cJSON_GetObjectItem(gcp_pubsub, "num_threads");
+    assert_non_null(num_threads);
+    assert_int_equal(num_threads->valueint, 2);
+    cJSON *project_id = cJSON_GetObjectItem(gcp_pubsub, "project_id");
+    assert_string_equal(cJSON_GetStringValue(project_id), "wazuh-gcp-test");
+    cJSON *subscription_name = cJSON_GetObjectItem(gcp_pubsub, "subscription_name");
+    assert_string_equal(cJSON_GetStringValue(subscription_name), "wazuh-subscription-test");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_pubsub, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_pubsub_dump_success_logging_warning(void **state) {
+    gcp_pubsub_dump_t *gcp_pubsub_dump_data = *state;
+
+    gcp_pubsub_dump_data->config->enabled = 0;
+    gcp_pubsub_dump_data->config->pull_on_start = 1;
+    gcp_pubsub_dump_data->config->max_messages = 100;
+    gcp_pubsub_dump_data->config->num_threads = 2;
+
+    snprintf(gcp_pubsub_dump_data->config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_pubsub_dump_data->config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_pubsub_dump_data->config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->wm_wd);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_pubsub_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_pubsub_dump_data->wm_wd);
+    will_return(__wrap_isDebug, 0);
+
+    gcp_pubsub_dump_data->dump = wm_gcp_pubsub_dump(gcp_pubsub_dump_data->config);
+
+    assert_non_null(gcp_pubsub_dump_data->dump);
+    assert_ptr_equal(gcp_pubsub_dump_data->dump, gcp_pubsub_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub_dump_data->dump), 1);
+
+    cJSON *gcp_pubsub = cJSON_GetObjectItem(gcp_pubsub_dump_data->dump, "gcp-pubsub");
+    assert_non_null(gcp_pubsub);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub), 8);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_pubsub, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *pull_on_start = cJSON_GetObjectItem(gcp_pubsub, "pull_on_start");
+    assert_string_equal(cJSON_GetStringValue(pull_on_start), "yes");
+    cJSON *max_messages = cJSON_GetObjectItem(gcp_pubsub, "max_messages");
+    assert_non_null(max_messages);
+    assert_int_equal(max_messages->valueint, 100);
+    cJSON *num_threads = cJSON_GetObjectItem(gcp_pubsub, "num_threads");
+    assert_non_null(num_threads);
+    assert_int_equal(num_threads->valueint, 2);
+    cJSON *project_id = cJSON_GetObjectItem(gcp_pubsub, "project_id");
+    assert_string_equal(cJSON_GetStringValue(project_id), "wazuh-gcp-test");
+    cJSON *subscription_name = cJSON_GetObjectItem(gcp_pubsub, "subscription_name");
+    assert_string_equal(cJSON_GetStringValue(subscription_name), "wazuh-subscription-test");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_pubsub, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_pubsub_dump_error_allocating_wm_wd(void **state) {
+    gcp_pubsub_dump_t *gcp_pubsub_dump_data = *state;
+
+    gcp_pubsub_dump_data->config->enabled = 0;
+    gcp_pubsub_dump_data->config->pull_on_start = 0;
+    gcp_pubsub_dump_data->config->max_messages = 100;
+    gcp_pubsub_dump_data->config->num_threads = 2;
+
+    snprintf(gcp_pubsub_dump_data->config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_pubsub_dump_data->config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_pubsub_dump_data->config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    // Since we won't use wm_wd, we can just free it to prevent memory leaks.
+    os_free(gcp_pubsub_dump_data->wm_wd);
+    gcp_pubsub_dump_data->wm_wd = NULL;
+
+    will_return(__wrap_cJSON_CreateObject, gcp_pubsub_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, NULL);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_pubsub_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, NULL);
+    will_return(__wrap_isDebug, 0);
+
+    gcp_pubsub_dump_data->dump = wm_gcp_pubsub_dump(gcp_pubsub_dump_data->config);
+
+    assert_non_null(gcp_pubsub_dump_data->dump);
+    assert_ptr_equal(gcp_pubsub_dump_data->dump, gcp_pubsub_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_pubsub_dump_data->dump), 0);
+}
+
+static void test_wm_gcp_pubsub_dump_error_allocating_root(void **state) {
+    gcp_pubsub_dump_t *gcp_pubsub_dump_data = *state;
+
+    gcp_pubsub_dump_data->config->enabled = 0;
+    gcp_pubsub_dump_data->config->pull_on_start = 0;
+    gcp_pubsub_dump_data->config->max_messages = 100;
+
+    snprintf(gcp_pubsub_dump_data->config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_pubsub_dump_data->config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_pubsub_dump_data->config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    // Since we won't use wm_wd or root, we can just free them to prevent memory leaks.
+    os_free(gcp_pubsub_dump_data->wm_wd);
+    gcp_pubsub_dump_data->wm_wd = NULL;
+
+    os_free(gcp_pubsub_dump_data->root);
+    gcp_pubsub_dump_data->root = NULL;
+
+    will_return(__wrap_cJSON_CreateObject, NULL);
+    will_return(__wrap_cJSON_CreateObject, NULL);   // If we cannot alloc root, wm_wd won't be alloced either.
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_pubsub_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, NULL);
+    will_return(__wrap_isDebug, 0);
+
+    gcp_pubsub_dump_data->dump = wm_gcp_pubsub_dump(gcp_pubsub_dump_data->config);
+
+    assert_null(gcp_pubsub_dump_data->dump);
+}
+
+/* wm_gcp_pubsub_destroy */
+static void test_wm_gcp_pubsub_destroy(void **state) {
+    wm_gcp_pubsub **gcp_config = *state;
+
+    // gcp_config[0] is to be destroyed by the test
+    wm_gcp_pubsub_destroy(gcp_config[0]);
+
+    // No assertions are possible on this test, it's meant to be used along valgrind to check memory leaks.
+}
+
+/* wm_gcp_pubsub_main */
+static void test_wm_gcp_pubsub_main_disabled(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+
+    gcp_config->enabled = 0;
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module disabled. Exiting.");
+
+    wm_gcp_pubsub_main(gcp_config);
+}
+
+static void test_wm_gcp_pubsub_main_pull_on_start(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+    void *ret;
+
+    gcp_config->enabled = 1;
+    gcp_config->pull_on_start = 1;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module started.");
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &gcp_config->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_GCP_PUBSUB_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Starting fetching of logs.");
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Fetching logs finished.");
+
+    will_return(__wrap_FOREVER, 0);
+    will_return(__wrap_isDebug, 1);
+
+    ret = wm_gcp_pubsub_main(gcp_config);
+
+    assert_null(ret);
+}
+
+static void test_wm_gcp_pubsub_main_sleep_then_run(void **state) {
+    wm_gcp_pubsub *gcp_config = *state;
+    void *ret;
+
+    gcp_config->enabled = 1;
+    gcp_config->pull_on_start = 1;
+
+    snprintf(gcp_config->project_id, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(gcp_config->subscription_name, OS_SIZE_1024, "wazuh-subscription-test");
+    snprintf(gcp_config->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+
+    gcp_config->max_messages = 10;
+    gcp_config->num_threads = 2;
+
+    int create_time = 123456789;
+    gcp_config->scan_config.next_scheduled_scan_time = create_time; // sleep 10 seconds
+
+    char *create_time_timestamp = NULL;
+    os_strdup("20/10/21 15:35:48.111", create_time_timestamp);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module started.");
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &gcp_config->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_GCP_PUBSUB_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, create_time);
+
+    expect_value(__wrap_w_get_timestamp, time, create_time);
+    will_return(__wrap_w_get_timestamp, create_time_timestamp);
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sleeping until: 20/10/21 15:35:48.111");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Starting fetching of logs.");
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type pubsub --project wazuh-gcp-test --subscription_id wazuh-subscription-test "
+        "--credentials_file /wazuh/credentials/test.json --max_messages 10 --num_threads 2 --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_PUBSUB_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Fetching logs finished.");
+
+    will_return(__wrap_FOREVER, 0);
+    will_return(__wrap_isDebug, 2);
+
+    ret = wm_gcp_pubsub_main(gcp_config);
+
+    assert_null(ret);
+}
+
+/* wm_gcp_bucket_run */
+static void test_wm_gcp_bucket_run_success(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_error_running_command(void **state)  {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 1);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Internal error. Exiting...");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_error(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Unknown error - This is an unknown error.");
+    will_return(__wrap_wm_exec, 1);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 1");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_error_no_description(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "This description does not match the criteria");
+    will_return(__wrap_wm_exec, 1);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 1");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_error_parsing_args(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Error!! integration.py: error: unable to parse");
+    will_return(__wrap_wm_exec, 2);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 2");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_error_parsing_args_no_description(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Error!! But won't trigger a specific message");
+    will_return(__wrap_wm_exec, 2);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 2");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_generic_error(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "ERROR: A specific error message.");
+    will_return(__wrap_wm_exec, 3);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 3");
+
+    will_return(__wrap_isDebug, 0);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_generic_error_no_description(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test "
+        "--credentials_file /wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "A specific error message.");
+    will_return(__wrap_wm_exec, 3);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "Command returned exit code 3");
+
+    will_return(__wrap_isDebug, 0);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_debug_message_debug(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - DEBUG - This is a debug message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "This is a debug message");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_debug_message_not_debug_discarded(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - This is a discarded message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 2);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_debug_message_not_debug(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 2);
+    will_return(__wrap_isDebug, 2);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 2");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - INFO - This is an info message\n");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "This is an info message");
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_info_message_info(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - INFO - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "This is an info message");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_info_message_debug(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output - DEBUG - This is an info message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_info_message_warning(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - WARNING - This is a warning message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "This is a warning message");
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_warning_message_warning(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - WARNING - This is a warning message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtwarn, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtwarn, formatted_msg, "This is a warning message");
+    will_return(__wrap_isDebug, 1);
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_warning_message_debug(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+    will_return(__wrap_isDebug, 0);
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output - DEBUG - This is a debug message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_warning_message_error(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is an error message");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is an error message");
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_warning_multiline_message_error(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is a\nmultiline\n error message\n");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is a\nmultiline\n error message");
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+static void test_wm_gcp_bucket_run_logging_warning_multimessage_message_error(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, ":gcloud_wodle:Test output - ERROR - This is a\nmultimessage\n error message\n"
+		":gcloud_wodle:Test critical - CRITICAL - This is another error message\n"
+		":gcloud_wodle:Test info - INFO - This is a test info message\n");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mterror, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is a\nmultimessage\n error message");
+    expect_string(__wrap__mterror, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "This is another error message");
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "This is a test info message");
+    wm_gcp_bucket_run(cur_bucket);
+}
+
+/* wm_gcp_bucket_dump */
+
+static void test_wm_gcp_bucket_dump_success_logging_debug(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+    cJSON *gcp_bucket_base = cJSON_GetObjectItem(gcp_bucket_dump_data->dump, "gcp-bucket");
+    assert_non_null(gcp_bucket_base);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_base), 4);
+    cJSON *enabled = cJSON_GetObjectItem(gcp_bucket_base, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *run_on_start = cJSON_GetObjectItem(gcp_bucket_base, "run_on_start");
+    assert_string_equal(cJSON_GetStringValue(run_on_start), "no");
+    cJSON *gcp_bucket = cJSON_GetObjectItem(gcp_bucket_dump_data->dump->child, "buckets");
+    assert_non_null(gcp_bucket);
+    cJSON *bucket = cJSON_GetObjectItem(gcp_bucket->child, "bucket");
+    assert_string_equal(cJSON_GetStringValue(bucket), "wazuh-gcp-test");
+    cJSON *type = cJSON_GetObjectItem(gcp_bucket->child, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "access_logs");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_bucket->child, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+
+static void test_wm_gcp_bucket_dump_success_logging_info(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 1;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+
+    cJSON *gcp_bucket_base = cJSON_GetObjectItem(gcp_bucket_dump_data->dump, "gcp-bucket");
+    assert_non_null(gcp_bucket_base);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_base), 4);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_bucket_base, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "yes");
+    cJSON *run_on_start = cJSON_GetObjectItem(gcp_bucket_base, "run_on_start");
+    assert_string_equal(cJSON_GetStringValue(run_on_start), "no");
+
+    cJSON *gcp_bucket = cJSON_GetObjectItem(gcp_bucket_dump_data->dump->child, "buckets");
+    assert_non_null(gcp_bucket);
+    cJSON *bucket = cJSON_GetObjectItem(gcp_bucket->child, "bucket");
+    assert_string_equal(cJSON_GetStringValue(bucket), "wazuh-gcp-test");
+    cJSON *type = cJSON_GetObjectItem(gcp_bucket->child, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "access_logs");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_bucket->child, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_bucket_dump_success(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 1;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    will_return(__wrap_isDebug, 0);
+
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+
+    cJSON *gcp_bucket_base = cJSON_GetObjectItem(gcp_bucket_dump_data->dump, "gcp-bucket");
+    assert_non_null(gcp_bucket_base);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_base), 4);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_bucket_base, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *run_on_start = cJSON_GetObjectItem(gcp_bucket_base, "run_on_start");
+    assert_string_equal(cJSON_GetStringValue(run_on_start), "yes");
+    cJSON *gcp_bucket = cJSON_GetObjectItem(gcp_bucket_dump_data->dump->child, "buckets");
+    assert_non_null(gcp_bucket);
+    cJSON *bucket = cJSON_GetObjectItem(gcp_bucket->child, "bucket");
+    assert_string_equal(cJSON_GetStringValue(bucket), "wazuh-gcp-test");
+    cJSON *type = cJSON_GetObjectItem(gcp_bucket->child, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "access_logs");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_bucket->child, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_bucket_dump_success_logging_critical(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+
+    cJSON *gcp_bucket_base = cJSON_GetObjectItem(gcp_bucket_dump_data->dump, "gcp-bucket");
+    assert_non_null(gcp_bucket_base);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_base), 4);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_bucket_base, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *run_on_start = cJSON_GetObjectItem(gcp_bucket_base, "run_on_start");
+    assert_string_equal(cJSON_GetStringValue(run_on_start), "no");
+    cJSON *gcp_bucket = cJSON_GetObjectItem(gcp_bucket_dump_data->dump->child, "buckets");
+    assert_non_null(gcp_bucket);
+    cJSON *bucket = cJSON_GetObjectItem(gcp_bucket->child, "bucket");
+    assert_string_equal(cJSON_GetStringValue(bucket), "wazuh-gcp-test");
+    cJSON *type = cJSON_GetObjectItem(gcp_bucket->child, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "access_logs");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_bucket->child, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_bucket_dump_success_logging_default(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+
+    cJSON *gcp_bucket_base = cJSON_GetObjectItem(gcp_bucket_dump_data->dump, "gcp-bucket");
+    assert_non_null(gcp_bucket_base);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_base), 4);
+
+    cJSON *enabled = cJSON_GetObjectItem(gcp_bucket_base, "enabled");
+    assert_string_equal(cJSON_GetStringValue(enabled), "no");
+    cJSON *run_on_start = cJSON_GetObjectItem(gcp_bucket_base, "run_on_start");
+    assert_string_equal(cJSON_GetStringValue(run_on_start), "no");
+    cJSON *gcp_bucket = cJSON_GetObjectItem(gcp_bucket_dump_data->dump->child, "buckets");
+    assert_non_null(gcp_bucket);
+    cJSON *bucket = cJSON_GetObjectItem(gcp_bucket->child, "bucket");
+    assert_string_equal(cJSON_GetStringValue(bucket), "wazuh-gcp-test");
+    cJSON *type = cJSON_GetObjectItem(gcp_bucket->child, "type");
+    assert_string_equal(cJSON_GetStringValue(type), "access_logs");
+    cJSON *credentials_file = cJSON_GetObjectItem(gcp_bucket->child, "credentials_file");
+    assert_string_equal(cJSON_GetStringValue(credentials_file), "/wazuh/credentials/test.json");
+}
+
+static void test_wm_gcp_bucket_dump_error_allocating_wm_wd(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->root);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->wm_wd);
+    will_return(__wrap_cJSON_CreateObject, gcp_bucket_dump_data->cur_bucket);
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, gcp_bucket_dump_data->wm_wd);
+
+    will_return(__wrap_isDebug, 1);
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_non_null(gcp_bucket_dump_data->dump);
+    assert_ptr_equal(gcp_bucket_dump_data->dump, gcp_bucket_dump_data->root);
+    assert_int_equal(cJSON_GetArraySize(gcp_bucket_dump_data->dump), 1);
+}
+
+static void test_wm_gcp_bucket_dump_error_allocating_root(void **state) {
+    gcp_bucket_dump_t *gcp_bucket_dump_data = *state;
+    wm_gcp_bucket *cur_bucket = gcp_bucket_dump_data->config->buckets;
+
+    gcp_bucket_dump_data->config->enabled = 0;
+    gcp_bucket_dump_data->config->run_on_start = 0;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    // Since we won't use wm_wd or root, we can just free them to prevent memory leaks.
+    os_free(gcp_bucket_dump_data->wm_wd);
+    gcp_bucket_dump_data->wm_wd = NULL;
+
+    os_free(gcp_bucket_dump_data->root);
+    gcp_bucket_dump_data->root = NULL;
+
+    os_free(gcp_bucket_dump_data->cur_bucket);
+    gcp_bucket_dump_data->cur_bucket = NULL;
+
+    will_return(__wrap_cJSON_CreateObject, NULL);
+    will_return(__wrap_cJSON_CreateObject, NULL);
+    will_return(__wrap_cJSON_CreateObject, NULL);   // If we cannot alloc root, wm_wd won't be alloced either.
+
+    expect_value(__wrap_sched_scan_dump, scan_config, &gcp_bucket_dump_data->config->scan_config);
+    expect_value(__wrap_sched_scan_dump, cjson_object, NULL);
+
+    will_return(__wrap_isDebug, 1);
+    gcp_bucket_dump_data->dump = wm_gcp_bucket_dump(gcp_bucket_dump_data->config);
+
+    assert_null(gcp_bucket_dump_data->dump);
+}
+
+/* wm_gcp_bucket_destroy */
+static void test_wm_gcp_bucket_destroy(void **state) {
+    wm_gcp_bucket_base **gcp_config = *state;
+
+    // gcp_config[0] is to be destroyed by the test
+    wm_gcp_bucket_destroy(gcp_config[0]);
+
+    // No assertions are possible on this test, it's meant to be used along valgrind to check memory leaks.
+}
+
+/* wm_gcp_bucket_main */
+static void test_wm_gcp_bucket_main_disabled(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+
+    gcp_config->enabled = 0;
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module disabled. Exiting.");
+
+    wm_gcp_bucket_main(gcp_config);
+}
+
+static void test_wm_gcp_bucket_main_run_on_start(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+    void *ret;
+
+    snprintf(cur_bucket->bucket, OS_SIZE_1024, "wazuh-gcp-test");
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+    gcp_config->enabled = 1;
+    gcp_config->run_on_start = 1;
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module started.");
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &gcp_config->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_GCP_BUCKET_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, 0);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Starting fetching of logs.");
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name wazuh-gcp-test --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Executing Bucket Analysis: (Bucket: wazuh-gcp-test, "
+        "Path: access_logs/, Type: access_logs, Credentials file: /wazuh/credentials/test.json)");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Fetching logs finished.");
+
+    will_return(__wrap_FOREVER, 0);
+    
+
+    ret = wm_gcp_bucket_main(gcp_config);
+
+    assert_null(ret);
+}
+
+static void test_wm_gcp_bucket_main_sleep_then_run(void **state) {
+    wm_gcp_bucket_base *gcp_config = *state;
+    wm_gcp_bucket *cur_bucket = gcp_config->buckets;
+    void *ret;
+
+    os_free(cur_bucket->bucket);
+    snprintf(cur_bucket->type, OS_SIZE_1024, "access_logs");
+    snprintf(cur_bucket->credentials_file, OS_SIZE_1024, "/wazuh/credentials/test.json");
+    snprintf(cur_bucket->prefix, OS_SIZE_1024, "access_logs/");
+    snprintf(cur_bucket->only_logs_after, OS_SIZE_1024, "2021-JAN-01");
+
+    cur_bucket->remove_from_bucket = 1; // enabled
+    gcp_config->enabled = 1;
+    gcp_config->run_on_start = 1;
+
+    int create_time = 123456789;
+    gcp_config->scan_config.next_scheduled_scan_time = create_time; // sleep 10 seconds
+
+    char *create_time_timestamp = NULL;
+    os_strdup("20/10/21 15:35:48.111", create_time_timestamp);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module started.");
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &gcp_config->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_GCP_BUCKET_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, create_time);
+
+    expect_value(__wrap_w_get_timestamp, time, create_time);
+    will_return(__wrap_w_get_timestamp, create_time_timestamp);
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sleeping until: 20/10/21 15:35:48.111");
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Starting fetching of logs.");
+
+    expect_string(__wrap__mtdebug2, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug2, formatted_msg, "Create argument list");
+
+    will_return(__wrap_isDebug, 1);
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Launching command: "
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+
+    expect_string(__wrap_wm_exec, command,
+        "wodles/gcloud/gcloud --integration_type access_logs --bucket_name --credentials_file "
+        "/wazuh/credentials/test.json --prefix access_logs/ --only_logs_after 2021-JAN-01 --remove --log_level 1");
+    expect_value(__wrap_wm_exec, secs, 0);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+
+    will_return(__wrap_wm_exec, "Test output");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    expect_string(__wrap__mtinfo, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Executing Bucket Analysis: (Bucket: unknown_bucket, "
+        "Path: access_logs/, Type: access_logs, Credentials file: /wazuh/credentials/test.json)");
+
+    will_return(__wrap_isDebug, 1);
+
+    expect_string(__wrap__mtdebug1, tag, WM_GCP_BUCKET_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Fetching logs finished.");
+
+    will_return(__wrap_FOREVER, 0);
+
+    ret = wm_gcp_bucket_main(gcp_config);
+
+    assert_null(ret);
+}
+
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        /* wm_gcp_pubsub_run */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_error_running_command, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_unknown_error, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_unknown_error_no_description, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_error_parsing_args, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_error_parsing_args_no_description, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_generic_error, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_generic_error_no_description, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_warning_message_warning, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_warning_multiline_message_error, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_warning_multimessage_message_error, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_debug_message_not_debug, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_debug_message_not_debug_discarded, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_info_message_info, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_info_message_debug, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_info_message_warning, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_warning_message_warning, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_run_logging_warning_message_error, setup_group_pubsub, teardown_group_pubsub),
+
+        /* wm_gcp_pubsub_dump */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_dump_success_logging_debug, setup_gcp_pubsub_dump, teardown_gcp_pubsub_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_dump_success_logging_info, setup_gcp_pubsub_dump, teardown_gcp_pubsub_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_dump_success_logging_warning, setup_gcp_pubsub_dump, teardown_gcp_pubsub_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_dump_error_allocating_wm_wd, setup_gcp_pubsub_dump, teardown_gcp_pubsub_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_dump_error_allocating_root, setup_gcp_pubsub_dump, teardown_gcp_pubsub_dump),
+
+        /* wm_gcp_pubsub_destroy */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_destroy, setup_gcp_pubsub_destroy, teardown_gcp_pubsub_destroy),
+
+        /* wm_gcp_pubsub_main */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_main_disabled, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_main_pull_on_start, setup_group_pubsub, teardown_group_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_main_sleep_then_run, setup_group_pubsub, teardown_group_pubsub),
+
+        /* wm_gcp_bucket_run */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_success, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_error_running_command, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_error, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_error_no_description, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_error_parsing_args, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_error_parsing_args_no_description, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_generic_error, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_generic_error_no_description, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_debug_message_debug, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_debug_message_not_debug, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_debug_message_not_debug_discarded, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_info_message_info, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_info_message_debug, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_info_message_warning, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_warning_message_warning, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_warning_message_debug, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_warning_message_error, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_warning_multiline_message_error, setup_group_bucket, teardown_group_bucket),
+	cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_run_logging_warning_multimessage_message_error, setup_group_bucket, teardown_group_bucket),
+
+        /* wm_gcp_bucket_dump */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_dump_success, setup_gcp_bucket_dump, teardown_gcp_bucket_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_dump_error_allocating_wm_wd, setup_gcp_bucket_dump, teardown_gcp_bucket_dump),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_dump_error_allocating_root, setup_gcp_bucket_dump, teardown_gcp_bucket_dump),
+
+        /* wm_gcp_bucket_destroy */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_destroy, setup_gcp_bucket_destroy, teardown_gcp_bucket_destroy),
+
+        /* wm_gcp_bucket_main */
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_main_disabled, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_main_run_on_start, setup_group_bucket, teardown_group_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_main_sleep_then_run, setup_group_bucket, teardown_group_bucket),
+    };
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/gcp/tests/unit/tests/test_wmodules_gcp.c b/src/modules/gcp/tests/unit/tests/test_wmodules_gcp.c
new file mode 100644
index 0000000000..17a0ff08ea
--- /dev/null
+++ b/src/modules/gcp/tests/unit/tests/test_wmodules_gcp.c
@@ -0,0 +1,1428 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "../../headers/shared.h"
+#include "../../os_xml/os_xml.h"
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/wm_gcp.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/schedule_scan_wrappers.h"
+
+static const char *XML_ENABLED = "enabled";
+static const char *XML_PROJECT_ID = "project_id";
+static const char *XML_SUBSCRIPTION_NAME = "subscription_name";
+static const char *XML_CREDENTIALS_FILE = "credentials_file";
+static const char *XML_MAX_MESSAGES = "max_messages";
+static const char *XML_NUM_THREADS = "num_threads";
+static const char *XML_PULL_ON_START = "pull_on_start";
+static const char *XML_LOGGING = "logging";
+
+static const char *XML_RUN_ON_START = "run_on_start";
+static const char *XML_BUCKET = "bucket";
+static const char *XML_BUCKET_TYPE = "type";
+static const char *XML_BUCKET_NAME = "name";
+static const char *XML_PREFIX = "path";
+static const char *XML_ONLY_LOGS_AFTER = "only_logs_after";
+static const char *XML_REMOVE_FROM_BUCKET = "remove_from_bucket";
+
+static const char *ACCESS_LOGS_BUCKET_TYPE = "access_logs";
+
+typedef struct __group_data_s {
+    OS_XML *xml;
+    xml_node **nodes;
+    wmodule *module;
+} group_data_t;
+
+/* Auxiliar functions */
+int replace_configuration_value(XML_NODE nodes, const char *tag, const char *new_value) {
+    int i;
+
+    if(tag == NULL || nodes == NULL || *nodes == NULL)
+        return -1;
+
+    // find the required tag and change it to the new value
+    for(i = 0; nodes[i]; i++) {
+        if(!strcmp(nodes[i]->element, tag)) {
+            os_free(nodes[i]->content);
+            if(new_value != NULL){
+                nodes[i]->content = strdup(new_value);
+
+                if(nodes[i]->content == NULL)
+                    return -1;
+            } else {
+                nodes[i]->content = NULL;
+            }
+            return 0;
+        }
+    }
+    // If we got here, the given tag was not found
+    return -2;
+}
+
+int replace_bucket_configuration_value(group_data_t *data, const char *tag, const char *new_value) {
+    int i;
+    int j;
+    OS_XML *xml = data->xml;
+    XML_NODE nodes = data->nodes;
+    xml_node **children = NULL;
+
+    if(xml == NULL || tag == NULL || nodes == NULL || *nodes == NULL)
+        return -1;
+
+    // find the required tag and change it to the new value
+    for(i = 0; nodes[i]; i++) {
+        if(!strcmp(nodes[i]->element, "bucket")) {
+            if (!(children = OS_GetElementsbyNode(xml, nodes[i])))
+                continue;
+
+            for (j = 0; children[j]; j++) {
+                if (!strcmp(children[j]->element, tag)) {
+                    OS_ClearNode(children);
+                    OS_ClearNode(data->nodes);
+                    os_free(xml->ct[i+j+2])
+                    os_strdup(new_value, xml->ct[i+j+2]);
+                    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+                        return -1;
+                    return 0;
+                }
+            }
+            OS_ClearNode(children);
+        }
+    }
+    // If we got here, the given tag was not found
+    return -2;
+}
+
+int replace_bucket_configuration_attribute(group_data_t *data, const char *tag, const char *new_value) {
+    int i;
+    int j;
+    OS_XML *xml = data->xml;
+    XML_NODE nodes = data->nodes;
+
+    if(xml == NULL || tag == NULL || nodes == NULL || *nodes == NULL)
+        return -1;
+
+    // find the required tag and change it to the new value
+    for(i = 0; nodes[i]; i++) {
+        if(!strcmp(nodes[i]->element, "bucket")) {
+            if (strcmp(*nodes[i]->attributes, tag) == 0){
+                os_free(xml->ct[i+1])
+                os_strdup(new_value, xml->ct[i+1]);
+                OS_ClearNode(data->nodes);
+                if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+                    return -1;
+                return 0;
+            }
+        }
+    }
+    // If we got here, the given tag was not found
+    return -2;
+}
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    group_data_t *data;
+    os_calloc(1, sizeof(group_data_t), data);
+
+    if(data == NULL)
+        return -1;
+
+    if(os_calloc(1, sizeof(wmodule), data->module), data->module == NULL)
+        return -1;
+
+    if(os_calloc(1, sizeof(OS_XML), data->xml), data->xml == NULL)
+        return -1;
+
+    *state = data;
+
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    group_data_t *data = *state;
+
+    os_free(data->xml);
+    os_free(data->module);
+
+    os_free(data);
+
+    return 0;
+}
+
+static int setup_test_pubsub(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<pull_on_start>no</pull_on_start>"
+                        "<project_id>wazuh-gcp-pubsub-tests</project_id>"
+                        "<subscription_name>testing-id</subscription_name>"
+                        "<credentials_file>credentials.json</credentials_file>"
+                        "<max_messages>100</max_messages>"
+                        "<num_threads>2</num_threads>"
+                        "<day>15</day>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_pubsub_no_project_id(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<pull_on_start>no</pull_on_start>"
+                        "<subscription_name>testing-id</subscription_name>"
+                        "<credentials_file>credentials.json</credentials_file>"
+                        "<max_messages>100</max_messages>"
+                        "<num_threads>2</num_threads>"
+                        "<day>15</day>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_pubsub_no_subscription_name(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<pull_on_start>no</pull_on_start>"
+                        "<project_id>wazuh-gcp-pubsub-tests</project_id>"
+                        "<credentials_file>credentials.json</credentials_file>"
+                        "<max_messages>100</max_messages>"
+                        "<num_threads>2</num_threads>"
+                        "<day>15</day>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_pubsub_no_credentials_file(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<pull_on_start>no</pull_on_start>"
+                        "<project_id>wazuh-gcp-pubsub-tests</project_id>"
+                        "<subscription_name>testing-id</subscription_name>"
+                        "<max_messages>100</max_messages>"
+                        "<num_threads>2</num_threads>"
+                        "<day>15</day>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int teardown_test_pubsub(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_pubsub *gcp = data->module->data;
+
+    os_free(data->module->tag);
+
+    if(gcp->project_id) os_free(gcp->project_id);
+    if(gcp->subscription_name) os_free(gcp->subscription_name);
+    if(gcp->credentials_file) os_free(gcp->credentials_file);
+
+    os_free(gcp);
+
+    data->module->data = NULL;
+
+    OS_ClearXML(data->xml);
+    OS_ClearNode(data->nodes);
+
+    return 0;
+}
+
+static int setup_test_bucket(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests-2</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-02</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>yes</remove_from_bucket>"
+                        "</bucket>"
+                        "<bucket></bucket>";
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_no_bucket(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>";
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_element_invalid(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<invalid>wazuh-gcp-bucket-tests</invalid>"
+                        "</bucket>";
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_attribute_invalid(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket invalid='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_no_bucket(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_no_bucket_type(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+
+static int setup_test_bucket_no_only_logs_after(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_no_credentials_file(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_no_path(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<remove_from_bucket>no</remove_from_bucket>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int setup_test_bucket_no_remove(void **state) {
+    group_data_t *data = *state;
+    char *base_config = "<enabled>yes</enabled>"
+                        "<run_on_start>no</run_on_start>"
+                        "<bucket type='access_logs'>"
+                          "<name>wazuh-gcp-bucket-tests</name>"
+                          "<credentials_file>credentials.json</credentials_file>"
+                          "<only_logs_after>2021-JUN-01</only_logs_after>"
+                          "<path>access_logs/</path>"
+                        "</bucket>";
+
+
+    if(OS_ReadXMLString(base_config, data->xml) != 0){
+        return -1;
+    }
+
+    if(data->nodes = OS_GetElementsbyNode(data->xml, NULL), data->nodes == NULL)
+        return -1;
+
+    return 0;
+}
+
+static int teardown_test_bucket(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_bucket_base *gcp_config = data->module->data;;
+    wm_gcp_bucket *gcp_bucket = gcp_config->buckets;
+
+    os_free(data->module->tag);
+
+    if (gcp_bucket) {
+        if (gcp_bucket->next) {
+            if (gcp_bucket->next->next) {
+                os_free(gcp_bucket->next->next);
+            }
+            if (gcp_bucket->next->bucket) os_free(gcp_bucket->next->bucket);
+            if (gcp_bucket->next->type) os_free(gcp_bucket->next->type);
+            if (gcp_bucket->next->credentials_file) os_free(gcp_bucket->next->credentials_file);
+            if (gcp_bucket->next->prefix) os_free(gcp_bucket->next->prefix);
+            if (gcp_bucket->next->only_logs_after) os_free(gcp_bucket->next->only_logs_after);
+            os_free(gcp_bucket->next);
+        }
+        if (gcp_bucket->bucket) os_free(gcp_bucket->bucket);
+        if (gcp_bucket->type) os_free(gcp_bucket->type);
+        if (gcp_bucket->credentials_file) os_free(gcp_bucket->credentials_file);
+        if (gcp_bucket->prefix) os_free(gcp_bucket->prefix);
+        if (gcp_bucket->only_logs_after) os_free(gcp_bucket->only_logs_after);
+        os_free(gcp_bucket);
+    }
+    os_free(gcp_config);
+
+    data->module->data = NULL;
+
+    OS_ClearXML(data->xml);
+    OS_ClearNode(data->nodes);
+
+    return 0;
+}
+
+/* tests */
+/* wm_gcp_pubsub_read */
+static void test_wm_gcp_pubsub_read_full_configuration(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_pubsub *gcp;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, 0);
+
+    gcp = data->module->data;
+
+    assert_non_null(gcp);
+    assert_int_equal(gcp->enabled, 1);
+    assert_int_equal(gcp->pull_on_start, 0);
+    assert_string_equal(gcp->project_id, "wazuh-gcp-pubsub-tests");
+    assert_string_equal(gcp->subscription_name, "testing-id");
+    assert_string_equal(gcp->credentials_file, "credentials.json");
+    assert_int_equal(gcp->max_messages, 100);
+    assert_int_equal(gcp->num_threads, 2);
+
+    assert_ptr_equal(data->module->context, &WM_GCP_PUBSUB_CONTEXT);
+    assert_string_equal(data->module->tag, GCP_PUBSUB_WM_NAME);
+}
+
+static void test_wm_gcp_pubsub_read_sched_read_invalid(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_pubsub *gcp;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, -1);
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_pubsub_read_enabled_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_ENABLED, "invalid") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'enabled'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_project_id_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_PROJECT_ID, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'project_id' at module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_no_project_id_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No value defined for tag 'project_id' in module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_subscription_name_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_SUBSCRIPTION_NAME, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'subscription_name' at module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_no_subscription_name_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No value defined for tag 'subscription_name' in module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_credentials_file_full_path(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_pubsub *gcp;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_CREDENTIALS_FILE, "/some/path/credentials.json") != 0)
+        fail();
+
+    expect_string(__wrap_IsFile, file, "/some/path/credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, 0);
+
+    gcp = data->module->data;
+
+    assert_non_null(gcp);
+    assert_int_equal(gcp->enabled, 1);
+    assert_int_equal(gcp->pull_on_start, 0);
+    assert_string_equal(gcp->project_id, "wazuh-gcp-pubsub-tests");
+    assert_string_equal(gcp->subscription_name, "testing-id");
+    assert_string_equal(gcp->credentials_file, "/some/path/credentials.json");
+    assert_int_equal(gcp->max_messages, 100);
+    assert_int_equal(gcp->num_threads, 2);
+
+    assert_ptr_equal(data->module->context, &WM_GCP_PUBSUB_CONTEXT);
+    assert_string_equal(data->module->tag, GCP_PUBSUB_WM_NAME);
+}
+
+static void test_wm_gcp_pubsub_read_credentials_file_tag_empty(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_CREDENTIALS_FILE, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'credentials_file' at module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_credentials_file_tag_too_long(void **state) {
+    group_data_t *data = *state;
+    char buffer[OS_MAXSTR];
+    int ret;
+
+    memset(buffer, 'a', OS_MAXSTR);
+    buffer[OS_MAXSTR - 1] = '\0';
+
+    if(replace_configuration_value(data->nodes, XML_CREDENTIALS_FILE, buffer) != 0)
+        fail();
+
+    snprintf(buffer, OS_MAXSTR, "File path is too long. Max path length is %d.", PATH_MAX);
+    expect_string(__wrap__merror, formatted_msg, buffer);
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_credentials_file_tag_realpath_error(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+
+    will_return(__wrap_realpath, (char *) NULL);   //  realpath failed
+
+    expect_string(__wrap__merror, formatted_msg, "File '' from tag 'credentials_file' not found.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_credentials_file_tag_file_not_found(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "File 'credentials.json' not found. Check your configuration.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_no_credentials_file_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_PUBSUB_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No value defined for tag 'credentials_file' in module 'gcp-pubsub'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_max_messages_tag_empty(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_MAX_MESSAGES, "") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'max_messages'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_max_messages_tag_not_digit(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_MAX_MESSAGES, "invalid") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Tag 'max_messages' from the 'gcp-pubsub' module should not have an alphabetic character.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_num_threads_tag_empty(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_NUM_THREADS, "") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'num_threads'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_num_threads_tag_not_digit(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_NUM_THREADS, "invalid") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Tag 'num_threads' from the 'gcp-pubsub' module should not have an alphabetic character.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_pull_on_start_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_PULL_ON_START, "invalid") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'pull_on_start'");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_pubsub_read_invalid_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    // Make an invalid XML tag element
+    os_free(data->nodes[0]->element);
+
+    if(data->nodes[0]->element = strdup("invalid"), data->nodes[0]->element == NULL)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'invalid' at module 'gcp-pubsub'.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_pubsub_read_invalid_element(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    // Make an invalid XML tag element
+    os_free(data->nodes[0]->element);
+    data->nodes[0]->element = NULL;
+
+    expect_string(__wrap__merror, formatted_msg, "(1231): Invalid NULL element in the configuration.");
+
+    ret = wm_gcp_pubsub_read(data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_pubsub_read_invalid_nodes(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap__merror, formatted_msg, "Empty configuration at module 'gcp-pubsub'.");
+
+    ret = wm_gcp_pubsub_read(NULL, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+/* tests */
+/* wm_gcp_pubsub_read */
+static void test_wm_gcp_bucket_read_full_configuration(void **state) {
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    group_data_t *data = *state;
+    wm_gcp_bucket_base *gcp;
+
+    int ret;
+
+    expect_string_count(__wrap_realpath, path, "credentials.json", 2);
+    will_return_count(__wrap_realpath, "credentials.json", 2);
+
+    expect_string_count(__wrap_IsFile, file, "credentials.json", 2);
+    will_return_count(__wrap_IsFile, 0, 2);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_BUCKET_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, 0);
+
+    gcp = data->module->data;
+
+    assert_non_null(gcp);
+    assert_int_equal(gcp->enabled, 1);
+    assert_int_equal(gcp->run_on_start, 0);
+    assert_string_equal(gcp->buckets->bucket, "wazuh-gcp-bucket-tests");
+    assert_string_equal(gcp->buckets->only_logs_after, "2021-JUN-01");
+    assert_string_equal(gcp->buckets->credentials_file, "credentials.json");
+    assert_string_equal(gcp->buckets->prefix, "access_logs/");
+    assert_int_equal(gcp->buckets->remove_from_bucket, 0);
+
+    assert_ptr_equal(data->module->context, &WM_GCP_BUCKET_CONTEXT);
+    assert_string_equal(data->module->tag, GCP_BUCKET_WM_NAME);
+}
+
+static void test_wm_gcp_bucket_read_sched_read_invalid(void **state) {
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+    group_data_t *data = *state;
+    wm_gcp_bucket_base *gcp;
+
+    int ret;
+
+    expect_string_count(__wrap_realpath, path, "credentials.json", 2);
+    will_return_count(__wrap_realpath, "credentials.json", 2);
+
+    expect_string_count(__wrap_IsFile, file, "credentials.json", 2);
+    will_return_count(__wrap_IsFile, 0, 2);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_BUCKET_WM_NAME);
+    will_return(__wrap_sched_scan_read, -1);
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_bucket_read_enabled_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_ENABLED, "invalid") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'enabled'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_no_bucket(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_BUCKET_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No buckets or services definitions found at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_no_bucket_type(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+    expect_string(__wrap__merror, formatted_msg, "No bucket type was specified. The valid one is 'access_logs'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+
+static void test_wm_gcp_bucket_read_bucket_type_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_attribute(data, XML_BUCKET_TYPE, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid bucket type ''. The valid one is 'access_logs'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_bucket_element_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    expect_string(__wrap__merror, formatted_msg, "No such child tag 'invalid' of bucket at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_bucket_attribute_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+    expect_string(__wrap__merror, formatted_msg, "Attribute name 'invalid' is not valid. The valid one is 'type'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_bucket_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_BUCKET_NAME, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'name' at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_no_bucket_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No value defined for tag 'name' in module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_remove_from_bucket_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_REMOVE_FROM_BUCKET, "") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'remove_from_bucket' at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_path_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_PREFIX, "") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'path' at module 'gcp-bucket'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_only_logs_after_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_ONLY_LOGS_AFTER, "") != 0)
+        fail();
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'only_logs_after' at module 'gcp-bucket'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_credentials_file_full_path(void **state) {
+    group_data_t *data = *state;
+    wm_gcp_bucket_base *gcp;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_CREDENTIALS_FILE, "/some/path/credentials.json") != 0)
+        fail();
+
+    expect_string(__wrap_IsFile, file, "/some/path/credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_value(__wrap_sched_scan_read, nodes, data->nodes);
+    expect_string(__wrap_sched_scan_read, MODULE_NAME, GCP_BUCKET_WM_NAME);
+    will_return(__wrap_sched_scan_read, 0);
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, 0);
+
+    gcp = data->module->data;
+
+    assert_non_null(gcp);
+    assert_int_equal(gcp->enabled, 1);
+    assert_int_equal(gcp->run_on_start, 0);
+    assert_string_equal(gcp->buckets->bucket, "wazuh-gcp-bucket-tests");
+    assert_string_equal(gcp->buckets->only_logs_after, "2021-JUN-01");
+    assert_string_equal(gcp->buckets->credentials_file, "/some/path/credentials.json");
+    assert_string_equal(gcp->buckets->prefix, "access_logs/");
+    assert_int_equal(gcp->buckets->remove_from_bucket, 0);
+
+    assert_ptr_equal(data->module->context, &WM_GCP_BUCKET_CONTEXT);
+    assert_string_equal(data->module->tag, GCP_BUCKET_WM_NAME);
+}
+
+static void test_wm_gcp_bucket_read_credentials_file_tag_empty(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_CREDENTIALS_FILE, "") != 0)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'credentials_file' at module 'gcp-bucket'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_credentials_file_tag_too_long(void **state) {
+    group_data_t *data = *state;
+    char buffer[OS_MAXSTR + 1] = {0};
+    int ret;
+
+    memset(buffer, 'a', OS_MAXSTR);
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    if(replace_bucket_configuration_value(data, XML_CREDENTIALS_FILE, buffer) != 0)
+        fail();
+
+    snprintf(buffer, OS_MAXSTR, "File path is too long. Max path length is %d.", PATH_MAX);
+    expect_string(__wrap__merror, formatted_msg, buffer);
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_credentials_file_tag_realpath_error(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+
+    will_return(__wrap_realpath, (char *) NULL);   //  realpath failed
+
+    expect_string(__wrap__merror, formatted_msg, "File '' from tag 'credentials_file' not found.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_credentials_file_tag_file_not_found(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "File 'credentials.json' not found. Check your configuration.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_no_credentials_file_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_any_always(__wrap__mtdebug2, tag);
+    expect_any_always(__wrap__mtdebug2, formatted_msg);
+
+    expect_string(__wrap_realpath, path, "credentials.json");
+    will_return(__wrap_realpath, "credentials.json");
+
+    expect_string(__wrap_IsFile, file, "credentials.json");
+    will_return(__wrap_IsFile, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "No value defined for tag 'credentials_file' in module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_run_on_start_tag_invalid(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    if(replace_configuration_value(data->nodes, XML_RUN_ON_START, "invalid") != 0)
+        fail();
+
+
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'run_on_start'");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, OS_INVALID);
+}
+
+static void test_wm_gcp_bucket_read_invalid_tag(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    // Make an invalid XML tag element
+    os_free(data->nodes[0]->element);
+
+    if(data->nodes[0]->element = strdup("invalid"), data->nodes[0]->element == NULL)
+        fail();
+
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'invalid' at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_bucket_read_invalid_element(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    // Make an invalid XML tag element
+    os_free(data->nodes[0]->element);
+    data->nodes[0]->element = NULL;
+
+    expect_string(__wrap__merror, formatted_msg, "(1231): Invalid NULL element in the configuration.");
+
+    ret = wm_gcp_bucket_read(data->xml, data->nodes, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+static void test_wm_gcp_bucket_read_invalid_nodes(void **state) {
+    group_data_t *data = *state;
+    int ret;
+
+    expect_string(__wrap__merror, formatted_msg, "Empty configuration at module 'gcp-bucket'.");
+
+    ret = wm_gcp_bucket_read(data->xml, NULL, data->module);
+
+    assert_int_equal(ret, -1);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_full_configuration, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_sched_read_invalid, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_enabled_tag_invalid, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_project_id_tag_invalid, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_no_project_id_tag, setup_test_pubsub_no_project_id, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_subscription_name_tag_invalid, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_no_subscription_name_tag, setup_test_pubsub_no_subscription_name, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_credentials_file_full_path, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_credentials_file_tag_empty, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_credentials_file_tag_too_long, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_credentials_file_tag_realpath_error, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_credentials_file_tag_file_not_found, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_no_credentials_file_tag, setup_test_pubsub_no_credentials_file, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_max_messages_tag_empty, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_max_messages_tag_not_digit, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_num_threads_tag_empty, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_num_threads_tag_not_digit, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_pull_on_start_tag_invalid, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_invalid_tag, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_invalid_element, setup_test_pubsub, teardown_test_pubsub),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_pubsub_read_invalid_nodes, setup_test_pubsub, teardown_test_pubsub),
+
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_full_configuration, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_sched_read_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_enabled_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_no_bucket, setup_test_no_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_bucket_element_invalid, setup_test_element_invalid, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_bucket_type_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_bucket_attribute_invalid, setup_test_bucket_attribute_invalid, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_no_bucket_type, setup_test_bucket_no_bucket_type, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_bucket_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_no_bucket_tag, setup_test_bucket_no_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_remove_from_bucket_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_path_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_only_logs_after_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_credentials_file_full_path, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_credentials_file_tag_empty, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_credentials_file_tag_too_long, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_credentials_file_tag_realpath_error, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_credentials_file_tag_file_not_found, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_no_credentials_file_tag, setup_test_bucket_no_credentials_file, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_run_on_start_tag_invalid, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_invalid_tag, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_invalid_element, setup_test_bucket, teardown_test_bucket),
+        cmocka_unit_test_setup_teardown(test_wm_gcp_bucket_read_invalid_nodes, setup_test_bucket, teardown_test_bucket),
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/github/include/wm_github.h b/src/modules/github/include/wm_github.h
new file mode 100644
index 0000000000..bb71d70e28
--- /dev/null
+++ b/src/modules/github/include/wm_github.h
@@ -0,0 +1,69 @@
+/*
+ * Wazuh Module for GitHub logs
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 3, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_GITHUB_H
+#define WM_GITHUB_H
+
+#define WM_GITHUB_LOGTAG ARGV0 ":" GITHUB_WM_NAME
+
+#define WM_GITHUB_DEFAULT_ENABLED 1
+#define WM_GITHUB_DEFAULT_ONLY_FUTURE_EVENTS 1
+#define WM_GITHUB_DEFAULT_INTERVAL 60
+#define WM_GITHUB_DEFAULT_DELAY 30
+#define WM_GITHUB_MSG_DELAY 1000000 / wm_max_eps
+#define WM_GITHUB_DEFAULT_CURL_MAX_SIZE 1048576L
+#define WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT 60L
+
+#define ITEM_PER_PAGE 100
+#define RETRIES_TO_SEND_ERROR 3
+#define GITHUB_NEXT_PAGE_REGEX "<(\\S+)>;\\s*rel=\"next\""
+
+#define GITHUB_API_URL "https://api.github.com/orgs/%s/audit-log?phrase=created:%s..%s&include=%s&order=asc&per_page=%d"
+
+#define EVENT_TYPE_ALL "all"
+#define EVENT_TYPE_GIT "git"
+#define EVENT_TYPE_WEB "web"
+
+typedef struct wm_github_auth {
+    char *org_name;                         // Organization name
+    char *api_token;                        // Personal access token
+    struct wm_github_auth *next;
+} wm_github_auth;
+
+typedef struct wm_github_state {
+    time_t last_log_time;                      // Absolute time of last scan
+} wm_github_state;
+
+typedef struct wm_github_fail {
+    int fails;
+    char *org_name;
+    char *event_type;
+    struct wm_github_fail *next;
+} wm_github_fail;
+
+typedef struct wm_github {
+    int enabled;
+    int only_future_events;
+    time_t interval;                        // Interval betweeen events in seconds
+    time_t time_delay;
+    ssize_t curl_max_size;
+    wm_github_auth *auth;
+    char *event_type;                       // Event types to include: web/git/all
+    wm_github_fail *fails;
+    int queue_fd;
+} wm_github;
+
+extern const wm_context WM_GITHUB_CONTEXT;  // Context
+
+// Parse XML
+int wm_github_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+#endif
diff --git a/src/modules/github/src/wm_github.c b/src/modules/github/src/wm_github.c
new file mode 100644
index 0000000000..9704b1d89b
--- /dev/null
+++ b/src/modules/github/src/wm_github.c
@@ -0,0 +1,488 @@
+/*
+ * Wazuh Module for GitHub logs
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 3, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#if defined(WIN32) || defined(__linux__) || defined(__MACH__)
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+#ifdef WIN32
+    #include "../unit_tests/wrappers/wazuh/shared/url_wrappers.h"
+#endif
+#else
+#define STATIC static
+#endif
+
+#include "wmodules.h"
+
+#ifdef WIN32
+#ifdef WAZUH_UNIT_TESTING
+#define gmtime_r(x, y)
+#else
+#define gmtime_r(x, y) gmtime_s(y, x)
+#endif
+#endif
+
+static char* event_types[] = {
+    EVENT_TYPE_GIT,
+    EVENT_TYPE_WEB
+};
+
+#ifdef WIN32
+STATIC DWORD WINAPI wm_github_main(void* arg);              // Module main function. It won't return
+#else
+STATIC void* wm_github_main(wm_github* github_config);    // Module main function. It won't return
+#endif
+STATIC void wm_github_destroy(wm_github* github_config);
+STATIC void wm_github_auth_destroy(wm_github_auth* github_auth);
+STATIC void wm_github_fail_destroy(wm_github_fail* github_fails);
+cJSON *wm_github_dump(const wm_github* github_config);
+
+/**
+ * @brief Execute a scan
+ * @param github_config GitHub configuration structure
+ * @param initial_scan Whether it is the first scan or not
+ */
+STATIC void wm_github_execute_scan(wm_github *github_config, int initial_scan);
+
+/**
+ * @brief Get organization node from organizations failure list
+ * @param fails Organizations failure list
+ * @param org_name Organization name to search
+ * @param subscription_name Event type to search
+ * @return Pointer to organization node if exists, NULL otherwise
+ */
+STATIC wm_github_fail* wm_github_get_fail_by_org_and_type(wm_github_fail *fails, char *org_name, char* event_type);
+
+/**
+ * @brief Increase failure counter for organization node and send failure message to manager if necessary
+ * @param current_fails Organizations failure list
+ * @param org_name Organization name to search
+ * @param subscription_name Event type to search
+ * @param error_msg Error message to send
+ * @param queue_fd Socket ID
+ */
+STATIC void wm_github_scan_failure_action(wm_github_fail **current_fails, char *org_name, char* event_type, char *error_msg, int queue_fd);
+
+/* Context definition */
+const wm_context WM_GITHUB_CONTEXT = {
+    .name = GITHUB_WM_NAME,
+    .start = (wm_routine)wm_github_main,
+    .destroy = (void(*)(void *))wm_github_destroy,
+    .dump = (cJSON * (*)(const void *))wm_github_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+#ifdef WIN32
+DWORD WINAPI wm_github_main(void* arg) {
+    wm_github* github_config = (wm_github *)arg;
+#else
+void * wm_github_main(wm_github* github_config) {
+#endif
+    if (github_config->enabled) {
+        mtinfo(WM_GITHUB_LOGTAG, "Module GitHub started.");
+
+#ifndef WIN32
+        // Connect to queue
+        github_config->queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+        if (github_config->queue_fd < 0) {
+            mterror(WM_GITHUB_LOGTAG, "Can't connect to queue. Closing module.");
+#ifdef WIN32
+            return 0;
+#else
+            return NULL;
+#endif
+        }
+#endif
+
+        // Execute initial scan
+        wm_github_execute_scan(github_config, 1);
+
+        while (1) {
+            sleep(github_config->interval);
+            wm_github_execute_scan(github_config, 0);
+            #ifdef WAZUH_UNIT_TESTING
+                break;
+            #endif
+        }
+    } else {
+        mtinfo(WM_GITHUB_LOGTAG, "Module GitHub disabled.");
+    }
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+void wm_github_destroy(wm_github* github_config) {
+    mtinfo(WM_GITHUB_LOGTAG, "Module GitHub finished.");
+    wm_github_auth_destroy(github_config->auth);
+    wm_github_fail_destroy(github_config->fails);
+    os_free(github_config->event_type);
+    os_free(github_config);
+}
+
+void wm_github_auth_destroy(wm_github_auth* github_auth)
+{
+    wm_github_auth* current = github_auth;
+    wm_github_auth* next = NULL;
+    while (current != NULL)
+    {
+        next = current->next;
+        os_free(current->api_token);
+        os_free(current->org_name);
+        os_free(current);
+        current = next;
+    }
+    github_auth = NULL;
+}
+
+void wm_github_fail_destroy(wm_github_fail* github_fails)
+{
+    wm_github_fail* current = github_fails;
+    wm_github_fail* next = NULL;
+    while (current != NULL)
+    {
+        next = current->next;
+        os_free(current->org_name);
+        os_free(current->event_type);
+        os_free(current);
+        current = next;
+    }
+    github_fails = NULL;
+}
+
+cJSON *wm_github_dump(const wm_github* github_config) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_info = cJSON_CreateObject();
+
+    if (github_config->enabled) {
+        cJSON_AddStringToObject(wm_info, "enabled", "yes");
+    } else {
+        cJSON_AddStringToObject(wm_info, "enabled", "no");
+    }
+    if (github_config->only_future_events) {
+        cJSON_AddStringToObject(wm_info, "only_future_events", "yes");
+    } else {
+        cJSON_AddStringToObject(wm_info, "only_future_events", "no");
+    }
+    if (github_config->interval) {
+        cJSON_AddNumberToObject(wm_info, "interval", github_config->interval);
+    }
+    if (github_config->time_delay) {
+        cJSON_AddNumberToObject(wm_info, "time_delay", github_config->time_delay);
+    }
+    if (github_config->curl_max_size) {
+        cJSON_AddNumberToObject(wm_info, "curl_max_size", github_config->curl_max_size);
+    }
+    if (github_config->auth) {
+        wm_github_auth *iter;
+        cJSON *arr_auth = cJSON_CreateArray();
+        for (iter = github_config->auth; iter; iter = iter->next) {
+            cJSON *api_auth = cJSON_CreateObject();
+            if (iter->org_name) {
+                cJSON_AddStringToObject(api_auth, "org_name", iter->org_name);
+            }
+            if (iter->api_token) {
+                cJSON_AddStringToObject(api_auth, "api_token", iter->api_token);
+            }
+            cJSON_AddItemToArray(arr_auth, api_auth);
+        }
+        if (cJSON_GetArraySize(arr_auth) > 0) {
+            cJSON_AddItemToObject(wm_info, "api_auth", arr_auth);
+        } else {
+            cJSON_free(arr_auth);
+        }
+    }
+    if (github_config->event_type) {
+        cJSON_AddStringToObject(wm_info, "event_type", github_config->event_type);
+    }
+    cJSON_AddItemToObject(root, "github", wm_info);
+
+    return root;
+}
+
+STATIC void wm_github_execute_scan(wm_github *github_config, int initial_scan) {
+    int scan_finished = 0;
+    int fail = 0;
+    unsigned int event_types_len = 0;
+    unsigned int event_types_it = 0;
+    char **headers = NULL;
+    char *payload = NULL;
+    char *error_msg = NULL;
+    char *next_page = NULL;
+    char url[OS_SIZE_8192];
+    char org_state_name[OS_SIZE_1024];
+    time_t last_scan_time;
+    time_t new_scan_time;
+    curl_response *response;
+    wm_github_auth* next = NULL;
+    wm_github_fail *org_fail;
+    wm_github_state org_state_struc;
+    wm_github_auth* current = github_config->auth;
+    char new_scan_time_str[80];
+    char last_scan_time_str[80];
+    struct tm tm_scan = { .tm_sec = 0 };
+
+    while (current != NULL)
+    {
+        next = current->next;
+
+        mtdebug1(WM_GITHUB_LOGTAG, "Scanning organization: '%s'", current->org_name);
+
+        event_types_len = array_size(event_types);
+
+        for (event_types_it = 0; event_types_it < event_types_len; ++event_types_it) {
+
+            if (!strcmp(github_config->event_type, EVENT_TYPE_ALL) || !strcmp(event_types[event_types_it], github_config->event_type)) {
+                scan_finished = 0;
+                fail = 0;
+
+                memset(org_state_name, '\0', OS_SIZE_1024);
+                snprintf(org_state_name, OS_SIZE_1024 -1, "%s-%s-%s", WM_GITHUB_CONTEXT.name, current->org_name, event_types[event_types_it]);
+
+                memset(&org_state_struc, 0, sizeof(org_state_struc));
+
+                // Load state for organization
+                if (wm_state_io(org_state_name, WM_IO_READ, &org_state_struc, sizeof(org_state_struc)) < 0) {
+                    memset(&org_state_struc, 0, sizeof(org_state_struc));
+                }
+
+                new_scan_time = time(0) - github_config->time_delay;
+
+                if (initial_scan && (!org_state_struc.last_log_time || github_config->only_future_events)) {
+                    org_state_struc.last_log_time = new_scan_time;
+                    if (wm_state_io(org_state_name, WM_IO_WRITE, &org_state_struc, sizeof(org_state_struc)) < 0) {
+                        mterror(WM_GITHUB_LOGTAG, "Couldn't save running state.");
+                    } else if (isDebug()) {
+                        memset(new_scan_time_str, '\0', 80);
+                        gmtime_r(&new_scan_time, &tm_scan);
+                        strftime(new_scan_time_str, sizeof(new_scan_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_scan);
+                        mtdebug1(WM_GITHUB_LOGTAG, "Bookmark updated to '%s' for organization '%s' and event type '%s', waiting '%ld' seconds to run first scan.",
+                            new_scan_time_str, current->org_name, event_types[event_types_it], github_config->interval);
+                    }
+                    continue;
+                }
+
+                last_scan_time = (time_t)org_state_struc.last_log_time + 1;
+
+                memset(last_scan_time_str, '\0', 80);
+                gmtime_r(&last_scan_time, &tm_scan);
+                strftime(last_scan_time_str, sizeof(last_scan_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_scan);
+
+                memset(new_scan_time_str, '\0', 80);
+                gmtime_r(&new_scan_time, &tm_scan);
+                strftime(new_scan_time_str, sizeof(new_scan_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_scan);
+
+                memset(url, '\0', OS_SIZE_8192);
+                snprintf(url, OS_SIZE_8192 -1, GITHUB_API_URL, current->org_name, last_scan_time_str, new_scan_time_str, event_types[event_types_it], ITEM_PER_PAGE);
+
+                mtdebug1(WM_GITHUB_LOGTAG, "GitHub API URL: '%s'", url);
+
+                char auth_header[OS_SIZE_8192];
+                snprintf(auth_header, OS_SIZE_8192 -1, "Authorization: token %s", current->api_token);
+
+                os_calloc(2, sizeof(char*), headers);
+                headers[0] = auth_header;
+                headers[1] = NULL;
+
+                while (!scan_finished) {
+                    response = wurl_http_request(WURL_GET_METHOD, headers, url, NULL, github_config->curl_max_size, WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT);
+
+                    if (response) {
+                        if (response->max_size_reached) {
+                            mtdebug1(WM_GITHUB_LOGTAG, "Libcurl error, reached maximum response size.");
+                            scan_finished = 1;
+                        } else if (response->status_code == 200) {
+                            // Load body to json and sent as localfile
+                            cJSON *array_logs_json = NULL;
+
+                            if (array_logs_json = cJSON_Parse(response->body), !array_logs_json) {
+                                mtdebug1(WM_GITHUB_LOGTAG, "Error parsing response body.");
+                                scan_finished = 1;
+                                fail = 1;
+                            } else {
+                                int response_lenght = cJSON_GetArraySize(array_logs_json);
+
+                                for (int i = 0 ; i < response_lenght ; i++) {
+                                    cJSON * subitem = cJSON_GetArrayItem(array_logs_json, i);
+
+                                    if (subitem) {
+                                        cJSON * github = cJSON_CreateObject();
+
+                                        cJSON_AddStringToObject(github, "integration", WM_GITHUB_CONTEXT.name);
+                                        cJSON_AddItemToObject(github, "github", cJSON_Duplicate(subitem, true));
+
+                                        payload = cJSON_PrintUnformatted(github);
+
+                                        mtdebug2(WM_GITHUB_LOGTAG, "Sending GitHub log: '%s'", payload);
+
+                                        if (wm_sendmsg(WM_GITHUB_MSG_DELAY, github_config->queue_fd, payload, WM_GITHUB_CONTEXT.name, LOCALFILE_MQ) < 0) {
+                                            mterror(WM_GITHUB_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+                                        }
+
+                                        os_free(payload);
+                                        cJSON_Delete(github);
+                                    }
+                                }
+
+                                if (response_lenght == ITEM_PER_PAGE) {
+                                    next_page = wm_read_http_header_element(response->header, GITHUB_NEXT_PAGE_REGEX);
+                                    if ((next_page == NULL) || (strlen(next_page) >= OS_SIZE_8192)) {
+                                        scan_finished = 1;
+                                    } else {
+                                        snprintf(url, sizeof(url), "%s", next_page);
+                                        os_free(next_page);
+                                    }
+                                } else {
+                                    scan_finished = 1;
+                                }
+
+                                cJSON_Delete(array_logs_json);
+                            }
+                        } else {
+                            if (response->body) {
+                                os_strdup(response->body, error_msg);
+                            }
+                            scan_finished = 1;
+                            fail = 1;
+                        }
+
+                        wurl_free_response(response);
+                    } else {
+                        scan_finished = 1;
+                        fail = 1;
+                    }
+                }
+
+                if (fail) {
+                    wm_github_scan_failure_action(&github_config->fails, current->org_name, event_types[event_types_it], error_msg, github_config->queue_fd);
+                } else {
+                    org_state_struc.last_log_time = new_scan_time;
+                    if (wm_state_io(org_state_name, WM_IO_WRITE, &org_state_struc, sizeof(org_state_struc)) < 0) {
+                        mterror(WM_GITHUB_LOGTAG, "Couldn't save running state.");
+                    } else {
+                        mtdebug1(WM_GITHUB_LOGTAG, "Bookmark updated to '%s' for organization '%s' and event type '%s', waiting '%ld' seconds to run next scan.",
+                            new_scan_time_str, current->org_name, event_types[event_types_it], github_config->interval);
+                    }
+
+                    if (org_fail = wm_github_get_fail_by_org_and_type(github_config->fails,
+                        current->org_name, event_types[event_types_it]), org_fail && org_fail->fails) {
+                        mtinfo(WM_GITHUB_LOGTAG, "Github organization '%s' and event type '%s', connected successfully.",
+                            current->org_name, event_types[event_types_it]);
+                        org_fail->fails = 0;
+                    }
+                }
+
+                os_free(error_msg);
+                os_free(headers);
+            }
+        }
+
+        current = next;
+    }
+}
+
+STATIC wm_github_fail* wm_github_get_fail_by_org_and_type(wm_github_fail *fails, char *org_name, char* event_type) {
+    wm_github_fail* current;
+    current = fails;
+    int target_org = 0;
+
+    while (!target_org)
+    {
+        if (current == NULL) {
+            target_org = 1;
+            continue;
+        }
+
+        if (!strncmp(current->org_name, org_name, strlen(org_name)) && (!current->event_type ||
+            (event_type && current->event_type && !strncmp(current->event_type, event_type, strlen(event_type))))) {
+            target_org = 1;
+        } else {
+            current = current->next;
+        }
+
+    }
+
+    return current;
+}
+
+STATIC void wm_github_scan_failure_action(wm_github_fail **current_fails, char *org_name, char* event_type, char *error_msg, int queue_fd) {
+    char *payload;
+    wm_github_fail *org_fail;
+
+    org_fail = wm_github_get_fail_by_org_and_type(*current_fails, org_name, event_type);
+
+    if (org_fail == NULL) {
+        os_calloc(1, sizeof(wm_github_fail), org_fail);
+
+        if (*current_fails) {
+            wm_github_fail *aux = *current_fails;
+
+            while (aux->next) {
+                aux = aux->next;
+            }
+            aux->next = org_fail;
+        } else {
+            // First wm_github_fail
+            *current_fails = org_fail;
+        }
+
+        os_strdup(org_name, org_fail->org_name);
+        if (event_type) {
+            os_strdup(event_type, org_fail->event_type);
+        }
+
+        org_fail->fails = 1;
+    } else {
+        org_fail->fails++;
+
+        if (org_fail->fails == RETRIES_TO_SEND_ERROR) {
+            // Send fail message
+            cJSON *msg_obj = cJSON_Parse(error_msg);
+            cJSON *fail_object = cJSON_CreateObject();
+            cJSON *fail_github = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(fail_object, "actor", "wazuh");
+            cJSON_AddStringToObject(fail_object, "organization", org_name);
+            if (event_type) {
+                cJSON_AddStringToObject(fail_object, "event_type", event_type);
+            }
+
+            if (msg_obj) {
+                payload = cJSON_PrintUnformatted(msg_obj);
+                cJSON_AddStringToObject(fail_object, "response", payload);
+                os_free(payload);
+            } else {
+                cJSON_AddStringToObject(fail_object, "response", "Unknown error");
+            }
+
+            cJSON_AddStringToObject(fail_github, "integration", WM_GITHUB_CONTEXT.name);
+            cJSON_AddItemToObject(fail_github, "github", fail_object);
+
+            payload = cJSON_PrintUnformatted(fail_github);
+
+            mtwarn(WM_GITHUB_LOGTAG, "Sending GitHub internal message: '%s'", payload);
+
+            if (wm_sendmsg(WM_GITHUB_MSG_DELAY, queue_fd, payload, WM_GITHUB_CONTEXT.name, LOCALFILE_MQ) < 0) {
+                mterror(WM_GITHUB_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+            }
+
+            os_free(payload);
+            cJSON_Delete(fail_github);
+            cJSON_Delete(msg_obj);
+        }
+    }
+}
+#endif
diff --git a/src/modules/github/tests/integration/conftest.py b/src/modules/github/tests/integration/conftest.py
new file mode 100644
index 0000000000..436b304896
--- /dev/null
+++ b/src/modules/github/tests/integration/conftest.py
@@ -0,0 +1,253 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+import subprocess
+import pytest
+from typing import List
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import callbacks, configuration, services
+from wazuh_testing.utils.file import truncate_file
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            services.control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                services.control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        services.control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            services.control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def wait_for_github_start():
+    # Wait for module github starts
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_STARTED, {
+                              'integration': 'GitHub'
+                          }))
+    assert (wazuh_log_monitor.callback_result == None), f'Error invalid configuration event not detected'
diff --git a/src/modules/github/tests/integration/pytest.ini b/src/modules/github/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/github/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/github/tests/integration/test_configuration/__init__.py b/src/modules/github/tests/integration/test_configuration/__init__.py
new file mode 100644
index 0000000000..9dd1135920
--- /dev/null
+++ b/src/modules/github/tests/integration/test_configuration/__init__.py
@@ -0,0 +1,9 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/github/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml b/src/modules/github/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
new file mode 100644
index 0000000000..ff920495c9
--- /dev/null
+++ b/src/modules/github/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
@@ -0,0 +1,45 @@
+- sections:
+    - section: github
+      elements:
+        - enabled:
+            value: 'ENABLED'
+        - only_future_events:
+            value: 'ONLY_FUTURE_EVENTS'
+        - interval:
+            value: 'INTERVAL'
+        - curl_max_size:
+            value: 'CURL_MAX_SIZE'
+        - time_delay:
+            value: 'TIME_DELAY'
+        - api_auth:
+            elements:
+              - org_name:
+                  value: 'ORG_NAME'
+              - api_token:
+                  value: 'API_TOKEN'
+        - api_parameters:
+            elements:
+              - event_type:
+                  value: 'EVENT_TYPE'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/github/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml b/src/modules/github/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
new file mode 100644
index 0000000000..3a4e6fd388
--- /dev/null
+++ b/src/modules/github/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
@@ -0,0 +1,133 @@
+- name: Invalid_Enabled
+  description: Check github integration does not start with Invalid Enabled
+  configuration_parameters:
+    ENABLED: 'invalid'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'enabled'
+    error_type: 'Invalid'
+    module: 'github'
+
+- name: Invalid_Only_Future_Events
+  description: Check github integration does not start with Invalid Only Future Events
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'invalid'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'only_future_events'
+    error_type: 'Invalid'
+    module: 'github'
+
+
+- name: Invalid_Interval
+  description: Check github integration does not start with Invalid Interval
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '-5s'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'interval'
+    error_type: 'Invalid'
+    module: 'github'
+
+
+- name: Invalid_Curl_Max_Size
+  description: Check github integration does not start with Invalid Curl Max Size
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '-12'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'curl_max_size'
+    error_type: 'Invalid'
+    module: 'github'
+
+
+- name: Invalid_Time_Delay
+  description: Check github integration does not start with Invalid Time Delay
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '7k'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'time_delay'
+    error_type: 'Invalid'
+    module: 'github'
+
+
+- name: Empty_Org_Name
+  description: Check github integration does not start with Invalid Org Name
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: ''
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'org_name'
+    error_type: 'Empty'
+    module: 'github'
+
+
+- name: Empty_Api_Token
+  description: Check github integration does not start with Invalid Api Token
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: ''
+    EVENT_TYPE: 'all'
+  metadata:
+    event_monitor: 'api_token'
+    error_type: 'Empty'
+    module: 'github'
+
+
+- name: Invalid_Event_Type
+  description: Check github integration does not start with Invalid Event Type
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TIME_DELAY: '1s'
+    ORG_NAME: 'dummy'
+    API_TOKEN: 'token'
+    EVENT_TYPE: 'invalid'
+  metadata:
+    event_monitor: 'event_type'
+    error_type: 'Invalid'
+    module: 'github'
diff --git a/src/modules/github/tests/integration/test_configuration/test_invalid.py b/src/modules/github/tests/integration/test_configuration/test_invalid.py
new file mode 100644
index 0000000000..da76257893
--- /dev/null
+++ b/src/modules/github/tests/integration/test_configuration/test_invalid.py
@@ -0,0 +1,136 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The Wazuh 'github' module allows you to collect all the 'audit logs' from GitHub using its API.
+       Specifically, these tests will check if that module detects invalid configurations and indicates
+       the location of the errors detected. The 'audit log' allows organization admins to quickly review
+       the actions performed by members of your organization. It includes details such as who performed
+       the action, what the action was, and when it was performed.
+
+components:
+    - github
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-monitord
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://github.com/wazuh/wazuh-documentation/blob/develop/source/github/monitoring-github-activity.rst
+
+tags:
+    - github_configuration
+'''
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data
+from wazuh_testing.utils.configuration import load_configuration_template
+from wazuh_testing.utils import callbacks
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Configuration and cases data.
+configs_path = Path(CONFIGS_PATH, 'config_invalid_configuration.yaml')
+cases_path = Path(TEST_CASES_PATH, 'cases_invalid_configuration.yaml')
+
+# Test configurations.
+config_parameters, test_metadata, test_cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(configs_path, config_parameters, test_metadata)
+daemons_handler_configuration = {'all_daemons': True, 'ignore_errors': True}
+local_internal_options = {MODULESD_DEBUG: '2'}
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_invalid(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_github_start):
+    '''
+    description: Check if the 'github' module detects invalid configurations. For this purpose, the test
+                 will configure that module using invalid configuration settings with different attributes.
+                 Finally, it will verify that error events are generated indicating the source of the errors.
+
+    wazuh_min_version: 4.3.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_github_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+
+    assertions:
+        - Verify that the 'github' module generates error events when invalid configurations are used.
+
+    input_description: A configuration template (github_integration) is contained in an external YAML file
+                       (wazuh_conf.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'github' module.
+
+    expected_output:
+        - r'wm_github_read(): ERROR.* Invalid content for tag .*'
+        - r'wm_github_read(): ERROR.* Empty content for tag .*'
+
+    tags:
+        - invalid_settings
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_CONFIGURATION_ERROR, {
+                              'error_type': str(test_metadata['error_type']),
+                              'tag': str(test_metadata['event_monitor']),
+                              'integration': str(test_metadata['module']),
+                          }))
+
+    assert (wazuh_log_monitor.callback_result != None), f'Error invalid configuration event not detected'
diff --git a/src/modules/github/tests/unit/tests/CMakeLists.txt b/src/modules/github/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..13b411c8f0
--- /dev/null
+++ b/src/modules/github/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,99 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_github")
+set(WM_GITHUB_BASE_FLAGS "-Wl,--wrap,_mwarn -Wl,--wrap,_mdebug1 -Wl,--wrap,_merror -Wl,--wrap,_mtinfo -Wl,--wrap,_mterror\
+                          -Wl,--wrap,_mtwarn -Wl,--wrap,_mtdebug1 -Wl,--wrap,_mtdebug2 -Wl,--wrap,StartMQ -Wl,--wrap,sleep \
+                          -Wl,--wrap,OS_IsValidIP -Wl,--wrap,OSMatch_Execute -Wl,--wrap,wm_sendmsg -Wl,--wrap,OSRegex_Compile \
+                          -Wl,--wrap,wm_state_io -Wl,--wrap,OSRegex_Execute -Wl,--wrap,OSRegex_Execute_ex -Wl,--wrap,OSMatch_Compile \
+                          -Wl,--wrap,OSRegex_FreePattern -Wl,--wrap,wurl_http_request -Wl,--wrap,strftime -Wl,--wrap,gmtime_r \
+                          -Wl,--wrap,isDebug")
+if(${TARGET} STREQUAL "winagent")
+    list(APPEND tests_flags "${WM_GITHUB_BASE_FLAGS} -Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck -Wl,--wrap=is_fim_shutdown \
+                             -Wl,--wrap=fim_db_teardown -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize")
+else()
+    list(APPEND tests_flags "${WM_GITHUB_BASE_FLAGS}")
+endif()
+
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB github ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM github ../../../wazuh_modules/main.o)
+
+add_library(GITHUB_O STATIC ${github})
+
+set_source_files_properties(
+  ${github}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  GITHUB_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(GITHUB_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            GITHUB_O
+            -lcmocka
+            -ldl
+            -fprofile-arcs
+            -ftest-coverage
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+            target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/modules/github/tests/unit/tests/test_wm_github.c b/src/modules/github/tests/unit/tests/test_wm_github.c
new file mode 100644
index 0000000000..3f61f521f0
--- /dev/null
+++ b/src/modules/github/tests/unit/tests/test_wm_github.c
@@ -0,0 +1,1417 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for github Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../../../wazuh_modules/wm_github.h"
+#include "../../../wazuh_modules/wm_github.c"
+
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/os_regex/os_regex_wrappers.c"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/shared/url_wrappers.h"
+#include "../../wrappers/libc/time_wrappers.h"
+
+unsigned int __wrap_sleep(unsigned int __seconds) {
+    check_expected(__seconds);
+    return mock_type(unsigned int);
+}
+
+unsigned int __wrap_gmtime_r(__attribute__ ((__unused__)) const time_t *t, __attribute__ ((__unused__)) struct tm *tm) {
+    return mock_type(unsigned int);
+}
+
+int __wrap_isDebug() {
+    return mock();
+}
+
+////////////////  test wm-github /////////////////
+
+typedef struct test_struct {
+    wm_github *github_config;
+    curl_response* response;
+    char *root_c;
+} test_struct_t;
+
+static int setup_conf(void **state) {
+    test_struct_t *init_data = NULL;
+    os_calloc(1,sizeof(test_struct_t), init_data);
+    os_calloc(1, sizeof(wm_github), init_data->github_config);
+    test_mode = 1;
+    *state = init_data;
+    return 0;
+}
+
+static int teardown_conf(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    test_mode = 0;
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module GitHub finished.");
+    wm_github_destroy(data->github_config);
+    os_free(data->root_c);
+    os_free(data);
+
+    return 0;
+}
+
+void test_github_main_disabled(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 0;
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module GitHub disabled.");
+
+    wm_github_main(data->github_config);
+}
+
+void test_github_main_fail_StartMQ(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module GitHub started.");
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mterror, formatted_msg, "Can't connect to queue. Closing module.");
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, -1);
+
+    wm_github_main(data->github_config);
+}
+
+void test_github_main_enable(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->interval = 2;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 1);
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module GitHub started.");
+
+    expect_value(__wrap_sleep, __seconds, 2);
+    will_return(__wrap_sleep, 0);
+
+    wm_github_main(data->github_config);
+}
+
+void test_github_get_next_page_warn(void **state) {
+    char *header = "test";
+
+    expect_string(__wrap_OSRegex_Compile, pattern,"<(\\S+)>;\\s*rel=\"next\"");
+    will_return(__wrap_OSRegex_Compile, 0);
+
+    expect_string(__wrap__mwarn, formatted_msg, "Cannot compile regex.");
+
+    assert_null(wm_read_http_header_element(header, GITHUB_NEXT_PAGE_REGEX));
+}
+
+void test_github_get_next_page_execute(void **state) {
+    char *header = "test";
+
+    expect_string(__wrap_OSRegex_Compile, pattern, "<(\\S+)>;\\s*rel=\"next\"");
+    will_return(__wrap_OSRegex_Compile, 1);
+
+    expect_string(__wrap_OSRegex_Execute, str, "test");
+    will_return(__wrap_OSRegex_Execute, NULL);
+
+    expect_any(__wrap_OSRegex_FreePattern, reg);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "No match regex.");
+
+    assert_null(wm_read_http_header_element(header, GITHUB_NEXT_PAGE_REGEX));
+}
+
+void test_github_get_next_page_sub_string(void **state) {
+    char *header = "test";
+
+    expect_string(__wrap_OSRegex_Compile, pattern, "<(\\S+)>;\\s*rel=\"next\"");
+    will_return(__wrap_OSRegex_Compile, 1);
+
+    expect_string(__wrap_OSRegex_Execute, str, "test");
+    will_return(__wrap_OSRegex_Execute, "yes");
+
+    expect_any(__wrap_OSRegex_FreePattern, reg);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "No element was captured.");
+
+    assert_null(wm_read_http_header_element(header, GITHUB_NEXT_PAGE_REGEX));
+}
+
+void test_github_get_next_page_complete(void **state) {
+    wm_github* github_config = *state;
+    char *header = "test_1";
+    char *next_page = NULL;
+
+    expect_string(__wrap_OSRegex_Compile, pattern, "<(\\S+)>;\\s*rel=\"next\"");
+    will_return(__wrap_OSRegex_Compile, 1);
+
+    expect_string(__wrap_OSRegex_Execute, str, "test_1");
+    will_return(__wrap_OSRegex_Execute, "yes");
+
+    expect_any(__wrap_OSRegex_FreePattern, reg);
+
+    next_page = wm_read_http_header_element(header, GITHUB_NEXT_PAGE_REGEX);
+
+    assert_string_equal(next_page, "https://api.com/");
+    os_free(next_page);
+}
+
+void test_github_dump_no_options(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *test = "{\"github\":{\"enabled\":\"no\",\"only_future_events\":\"no\"}}";
+
+    cJSON *root = wm_github_dump(data->github_config);
+    data->root_c = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+
+    assert_string_equal(data->root_c, test);
+}
+
+void test_github_dump_yes_options(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    os_strdup("all", data->github_config->event_type);
+
+    char *test = "{\"github\":{\"enabled\":\"yes\",\"only_future_events\":\"yes\",\"interval\":10,\"time_delay\":1,\"curl_max_size\":2,\"api_auth\":[{\"org_name\":\"test_org\",\"api_token\":\"test_token\"}],\"event_type\":\"all\"}}";
+
+    cJSON *root = wm_github_dump(data->github_config);
+    data->root_c = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+
+    assert_string_equal(data->root_c, test);
+}
+
+void test_github_scan_failure_action_1(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails);
+    data->github_config->fails->fails = 1;
+    os_strdup("test_org", data->github_config->fails->org_name);
+    os_strdup("test_event", data->github_config->fails->event_type);
+    data->github_config->fails->next = NULL;
+    char *org_name = "test_org";
+    char *event_type = "test_event";
+    char *error_msg = "test_error";
+    int queue_fd = 1;
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_int_equal(data->github_config->fails->fails, 2);
+}
+
+void test_github_scan_failure_action_2(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails);
+    data->github_config->fails->fails = 1;
+    os_strdup("test_org", data->github_config->fails->org_name);
+    os_strdup("test_event", data->github_config->fails->event_type);
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails->next);
+    data->github_config->fails->next->fails = 1;
+    os_strdup("test_org2", data->github_config->fails->next->org_name);
+    os_strdup("test_event2", data->github_config->fails->next->event_type);
+    data->github_config->fails->next->next = NULL;
+    char *org_name = "test_org3";
+    char *event_type = "test_event3";
+    char *error_msg = "test_error";
+    int queue_fd = 1;
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_string_equal(data->github_config->fails->next->org_name, "test_org2");
+    assert_string_equal(data->github_config->fails->next->event_type, "test_event2");
+    assert_string_equal(data->github_config->fails->next->next->org_name, "test_org3");
+    assert_string_equal(data->github_config->fails->next->next->event_type, "test_event3");
+    assert_int_equal(data->github_config->fails->fails, 1);
+    assert_int_equal(data->github_config->fails->next->fails, 1);
+    assert_int_equal(data->github_config->fails->next->next->fails, 1);
+}
+
+void test_github_scan_failure_action_3(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails);
+    data->github_config->fails->fails = 2;
+    os_strdup("test_org", data->github_config->fails->org_name);
+    os_strdup("test_event", data->github_config->fails->event_type);
+    data->github_config->fails->next = NULL;
+    char *org_name = "test_org";
+    char *event_type = "test_event";
+    char *error_msg = "test_error";
+    int queue_fd = 1;
+    wm_max_eps = 1;
+
+    int result = 0;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, 1);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"Unknown error\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "github");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtwarn, formatted_msg, "Sending GitHub internal message: '{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"Unknown error\"}}'");
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_int_equal(data->github_config->fails->fails, 3);
+}
+
+void test_github_scan_failure_action_4(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails);
+    data->github_config->fails->fails = 2;
+    os_strdup("test_org", data->github_config->fails->org_name);
+    os_strdup("test_event", data->github_config->fails->event_type);
+    data->github_config->fails->next = NULL;
+    char *org_name = "test_org";
+    char *event_type = "test_event";
+    char *error_msg = "{\"test\":\"test_error\"}";
+    int queue_fd = 1;
+    wm_max_eps = 1;
+
+    int result = 0;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, 1);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"{\\\"test\\\":\\\"test_error\\\"}\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "github");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtwarn, formatted_msg, "Sending GitHub internal message: '{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"{\\\"test\\\":\\\"test_error\\\"}\"}}'");
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_int_equal(data->github_config->fails->fails, 3);
+}
+
+void test_github_scan_failure_action_error(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    os_calloc(1, sizeof(wm_github_fail), data->github_config->fails);
+    data->github_config->fails->fails = 2;
+    os_strdup("test_org", data->github_config->fails->org_name);
+    os_strdup("test_event", data->github_config->fails->event_type);
+    data->github_config->fails->next = NULL;
+    char *org_name = "test_org";
+    char *event_type = "test_event";
+    char *error_msg = "test_error";
+    int queue_fd = 1;
+    wm_max_eps = 1;
+
+    int result = -1;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, 1);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"Unknown error\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "github");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtwarn, formatted_msg, "Sending GitHub internal message: '{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\",\"organization\":\"test_org\",\"event_type\":\"test_event\",\"response\":\"Unknown error\"}}'");
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Success'");
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_int_equal(data->github_config->fails->fails, 3);
+}
+
+void test_github_scan_failure_action_org_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->fails = NULL;
+    char *org_name = "test_org";
+    char *event_type = "test_event";
+    char *error_msg = "test_error";
+    int queue_fd = 1;
+    wm_max_eps = 1;
+
+    wm_github_scan_failure_action(&data->github_config->fails, org_name, event_type, error_msg, queue_fd);
+
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+    assert_string_equal(data->github_config->fails->event_type, "test_event");
+    assert_int_equal(data->github_config->fails->fails, 1);
+}
+
+void test_github_execute_scan(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    data->github_config->auth->next = NULL;
+    os_strdup("all", data->github_config->event_type);
+
+    int initial_scan = 1;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning organization: 'test_org'");
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2021-05-07T12:24:56Z' for organization 'test_org' and event type 'git', waiting '10' seconds to run first scan.");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-git");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-git");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07T11:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2021-05-07T11:24:56Z' for organization 'test_org' and event type 'web', waiting '10' seconds to run first scan.");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-web");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-web");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+}
+
+void test_github_execute_scan_current_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->auth = NULL;
+
+    int initial_scan = 1;
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+}
+
+void test_github_execute_scan_no_initial_scan(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    data->github_config->auth->next = NULL;
+    os_strdup("git", data->github_config->event_type);
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 404;
+    data->response->body = NULL;
+
+    int initial_scan = 0;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning organization: 'test_org'");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-git");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:34:56");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+
+    assert_int_equal(data->github_config->fails->fails, 1);
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+}
+
+void test_github_execute_scan_status_code_200(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    data->github_config->auth->next = NULL;
+    os_strdup("web", data->github_config->event_type);
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->body = NULL;
+
+    int initial_scan = 0;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning organization: 'test_org'");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-web");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:34:56");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error parsing response body.");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+
+    assert_int_equal(data->github_config->fails->fails, 1);
+    assert_string_equal(data->github_config->fails->org_name, "test_org");
+}
+
+void test_github_execute_scan_status_code_200_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    data->github_config->auth->next = NULL;
+    os_strdup("git", data->github_config->event_type);
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"github\":{\"actor\":\"wazuh\"}}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    int initial_scan = 0;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning organization: 'test_org'");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-git");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:34:56");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, 0);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "github");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, 0);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending GitHub log: '{\"integration\":\"github\",\"github\":{\"actor\":\"wazuh\"}}'");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-git");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mterror, formatted_msg, "Couldn't save running state.");
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+}
+
+void test_github_execute_scan_max_size_reached(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->github_config->enabled = 1;
+    data->github_config->only_future_events = 1;
+    data->github_config->interval = 10;
+    data->github_config->time_delay = 1;
+    data->github_config->curl_max_size = 2;
+    os_calloc(1, sizeof(wm_github_auth), data->github_config->auth);
+    os_strdup("test_token", data->github_config->auth->api_token);
+    os_strdup("test_org", data->github_config->auth->org_name);
+    data->github_config->auth->next = NULL;
+    os_strdup("web", data->github_config->event_type);
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->max_size_reached = true;
+
+    int initial_scan = 0;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning organization: 'test_org'");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-web");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07T12:34:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_GITHUB_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Libcurl error, reached maximum response size.");
+
+    expect_string(__wrap_wm_state_io, tag, "github-test_org-web");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:github");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2021-05-07T12:34:56Z' for organization 'test_org' and event type 'web', waiting '10' seconds to run next scan.");
+
+    wm_github_execute_scan(data->github_config, initial_scan);
+
+}
+
+////////////////  test wmodules-github /////////////////
+
+static int setup_test_read(void **state) {
+    test_structure *test;
+    os_calloc(1, sizeof(test_structure), test);
+    os_calloc(1, sizeof(wmodule), test->module);
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    if((wm_github*)test->module->data){
+        if(((wm_github*)test->module->data)->auth){
+            os_free(((wm_github*)test->module->data)->auth->org_name);
+            os_free(((wm_github*)test->module->data)->auth->api_token);
+            if(((wm_github*)test->module->data)->auth->next) {
+                os_free(((wm_github*)test->module->data)->auth->next->org_name);
+                os_free(((wm_github*)test->module->data)->auth->next->api_token);
+                os_free(((wm_github*)test->module->data)->auth->next->next);
+            }
+            os_free(((wm_github*)test->module->data)->auth->next);
+            os_free(((wm_github*)test->module->data)->auth);
+        }
+        os_free(((wm_github*)test->module->data)->event_type);
+    }
+    os_free(test->module->data);
+    os_free(test->module->tag);
+    os_free(test->module);
+    os_free(test);
+    return 0;
+}
+
+void test_read_configuration(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2048</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->interval, 600);
+    assert_int_equal(module_data->time_delay, 1);
+    assert_int_equal(module_data->curl_max_size, 2048);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_string_equal(module_data->auth->org_name, "Wazuh");
+    assert_string_equal(module_data->auth->api_token, "Wazuh_token");
+    assert_string_equal(module_data->event_type, "git");
+}
+
+void test_read_configuration_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_auth>"
+            "<org_name>Wazuh1</org_name>"
+            "<api_token>Wazuh_token1</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->interval, 600);
+    assert_int_equal(module_data->time_delay, 1);
+    assert_int_equal(module_data->curl_max_size, 2048);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_string_equal(module_data->auth->org_name, "Wazuh");
+    assert_string_equal(module_data->auth->api_token, "Wazuh_token");
+    assert_string_equal(module_data->auth->next->org_name, "Wazuh1");
+    assert_string_equal(module_data->auth->next->api_token, "Wazuh_token1");
+    assert_string_equal(module_data->event_type, "git");
+}
+
+void test_read_default_configuration(void **state) {
+    const char *string =
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->interval, 60);
+    assert_int_equal(module_data->time_delay, 30);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_string_equal(module_data->auth->org_name, "Wazuh");
+    assert_string_equal(module_data->auth->api_token, "Wazuh_token");
+    assert_string_equal(module_data->event_type, "all");
+}
+
+void test_read_interval(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->interval, 10);
+}
+
+void test_read_interval_s(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>50s</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->interval, 50);
+}
+
+void test_read_interval_m(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>1m</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->interval, 60);
+}
+
+void test_read_interval_h(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>2h</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->interval, 7200);
+}
+
+void test_read_interval_d(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>3d</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->interval, 259200);
+}
+
+void test_read_curl_max_size(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->curl_max_size, 2048);
+}
+
+void test_repeatd_tag(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+        "<api_parameters>"
+            "<event_type>git</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),0);
+    wm_github *module_data = (wm_github*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->interval, 600);
+    assert_int_equal(module_data->time_delay, 1);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_string_equal(module_data->auth->org_name, "Wazuh");
+    assert_string_equal(module_data->auth->api_token, "Wazuh_token");
+    assert_string_equal(module_data->event_type, "git");
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+        "<fake-tag>ASD</fake-tag>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake-tag' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_2(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>yes</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'event_type' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_3(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>invalid</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'only_future_events' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_4(void **state) {
+    const char *string =
+        "<enabled>invalid</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>yes</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'enabled' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_5(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>invalid</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>yes</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_6(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<curl_max_size>invalid</curl_max_size>"
+        "<only_future_events>yes</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'github'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_time_delay_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>-1</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'time_delay' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_time_delay_2(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1y</time_delay>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'time_delay' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_curl_max_size_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<curl_max_size>100</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'github'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_curl_max_size_2(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<curl_max_size>-1m</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'github'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_curl_max_size_3(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>10</time_delay>"
+        "<curl_max_size>invalid</curl_max_size>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>invalid</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'github'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_auth(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_auth' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_auth_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<invalid>Wazuh</invalid>"
+            "<invalid>Wazuh_token</invalid>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'invalid' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_org_name(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name></org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'org_name' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_org_name_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "'org_name' is missing at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_token(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token></api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_token' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_token_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<event_type>all</event_type>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "'api_token' is missing at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_event_type_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>\n"
+        "<interval>10m</interval>\n"
+        "<time_delay>1s</time_delay>"
+        "<only_future_events>no</only_future_events>"
+        "<api_auth>"
+            "<org_name>Wazuh</org_name>"
+            "<api_token>Wazuh_token</api_token>"
+        "</api_auth>"
+        "<api_parameters>"
+            "<invalid>all</invalid>"
+        "</api_parameters>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'invalid' at module 'github'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_github_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+int main(void) {
+
+    const struct CMUnitTest tests_functionality[] = {
+        #ifndef WIN32
+            cmocka_unit_test_setup_teardown(test_github_main_fail_StartMQ, setup_conf, teardown_conf),
+            cmocka_unit_test_setup_teardown(test_github_main_enable, setup_conf, teardown_conf),
+        #endif
+        cmocka_unit_test_setup_teardown(test_github_main_disabled, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_get_next_page_warn, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_get_next_page_execute, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_get_next_page_sub_string, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_get_next_page_complete, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_dump_no_options, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_dump_yes_options, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_1, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_2, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_3, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_4, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_error, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_scan_failure_action_org_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan_current_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan_no_initial_scan, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan_status_code_200, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan_status_code_200_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_github_execute_scan_max_size_reached, setup_conf, teardown_conf),
+    };
+    const struct CMUnitTest tests_configuration[] = {
+        cmocka_unit_test_setup_teardown(test_read_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_configuration_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_default_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_s, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_m, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_h, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_d, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_curl_max_size, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_repeatd_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_2, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_3, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_4, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_5, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_6, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_time_delay_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_time_delay_2, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_curl_max_size_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_curl_max_size_2, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_curl_max_size_3, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_auth, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_auth_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_org_name, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_org_name_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_token, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_token_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_event_type_1, setup_test_read, teardown_test_read),
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_functionality, NULL, NULL);
+    result += cmocka_run_group_tests(tests_configuration, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/inventory/CMakeLists.txt b/src/modules/inventory/CMakeLists.txt
index e69de29bb2..4e712a910c 100644
--- a/src/modules/inventory/CMakeLists.txt
+++ b/src/modules/inventory/CMakeLists.txt
@@ -0,0 +1,208 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(syscollector)
+
+enable_testing()
+
+if(NOT CMAKE_BUILD_TYPE)
+  set(CMAKE_BUILD_TYPE Release)
+endif()
+
+get_filename_component(SRC_FOLDER     ${CMAKE_SOURCE_DIR}/../../ ABSOLUTE)
+get_filename_component(FLATBUFFERS_FOLDER ${SRC_FOLDER}/shared_modules/utils/flatbuffers/schemas/ ABSOLUTE)
+get_filename_component(FLATC_PATH ${SRC_FOLDER}/external/flatbuffers/build/ ABSOLUTE)
+
+if(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+  add_definitions(-DPROMISE_TYPE=PromiseType::SLEEP)
+else()
+  add_definitions(-DPROMISE_TYPE=PromiseType::NORMAL)
+endif(CMAKE_SYSTEM_NAME STREQUAL "HP-UX")
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+
+set(CMAKE_CXX_FLAGS "-Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2 -std=c++14 -pthread")
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g")
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3")
+else()
+  set(CMAKE_CXX_FLAGS_RELEASE "-O3 -s")
+endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-g -fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
+
+if(APPLE)
+  set(CMAKE_MACOSX_RPATH 1)
+endif(APPLE)
+
+include_directories(${SRC_FOLDER}/headers/)
+include_directories(${SRC_FOLDER}/external/sqlite/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+include_directories(${SRC_FOLDER}/external/cJSON/)
+include_directories(${SRC_FOLDER}/external/procps/)
+include_directories(${SRC_FOLDER}/external/bzip2/)
+include_directories(${SRC_FOLDER}/external/openssl/include/)
+include_directories(${SRC_FOLDER}/shared_modules/utils)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/common/)
+include_directories(${SRC_FOLDER}/data_provider/include/)
+include_directories(${CMAKE_SOURCE_DIR}/include)
+
+link_directories(${SRC_FOLDER}/shared_modules/dbsync/build/lib)
+link_directories(${SRC_FOLDER}/shared_modules/rsync/build/lib)
+link_directories(${SRC_FOLDER}/data_provider/build/lib)
+link_directories(${SRC_FOLDER})
+
+link_directories(${SRC_FOLDER}/external/openssl/)
+link_directories(${SRC_FOLDER}/external/sqlite/)
+link_directories(${SRC_FOLDER}/external/cJSON/)
+link_directories(${SRC_FOLDER}/external/procps/)
+link_directories(${SRC_FOLDER}/external/bzip2/)
+link_directories(${SRC_FOLDER}/external/flatbuffers/build/)
+
+# add_custom_command does not create a new target. You have to define targets explicitly
+# by add_executable, add_library or add_custom_target in order to make them visible to make
+# For this reason, add_custom_target adds a target with the given name that executes the given commands.
+# The target has no output file and is always considered out of date even if the commands try to create a
+# file with the name of the target.
+
+if (NOT ${TARGET} STREQUAL "")
+  if(${TARGET} STREQUAL "server")
+    list(APPEND Schemas
+                syscollector_synchronization
+    )
+
+    add_custom_target(compile_schemas)
+    foreach(schema IN LISTS Schemas)
+      set(FILE "${FLATBUFFERS_FOLDER}/syscollectorRsync/${schema}.fbs")
+      set(RSYNC_OUTPUT_HEADER_GENERATED "${FLATBUFFERS_FOLDER}/../include/${schema}_generated.h")
+      set(RSYNC_OUTPUT_HEADER "${FLATBUFFERS_FOLDER}/../include/${schema}_schema.h")
+
+      add_custom_command(
+          OUTPUT "${RSYNC_OUTPUT_HEADER_GENERATED}"
+          COMMAND ${FLATC_PATH}/flatc
+          ARGS --cpp
+          ARGS -o "${FLATBUFFERS_FOLDER}/../include" "${FILE}"
+          ARGS --no-warnings
+          COMMENT "Building C++ header for ${schema} schema."
+          DEPENDS ${FILE}
+          WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+
+      add_custom_command(
+          OUTPUT "${RSYNC_OUTPUT_HEADER}"
+          COMMAND bash -c "echo -e '// This file was generated from ${FILE} , do not modify \\n#ifndef ${schema}_HEADER\\n#define ${schema}_HEADER\\n#define ${schema}_SCHEMA \"'`cat ${FILE}`'\" \\n#endif // ${schema}_HEADER\\n ' > ${FLATBUFFERS_FOLDER}/../include/${schema}_schema.h"
+          COMMENT "Creating header from schema file: '${schema}'"
+          DEPENDS "${RSYNC_OUTPUT_HEADER_GENERATED}"
+          WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+          VERBATIM)
+
+      add_custom_target(${schema}_schema_target DEPENDS ${RSYNC_OUTPUT_HEADER})
+      add_dependencies(compile_schemas ${schema}_schema_target)
+    endforeach()
+  endif()
+endif()
+
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  add_definitions(-DWIN32=1
+                  -D_WIN32_WINNT=0x600
+                  -DWIN_EXPORT)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+file(GLOB SYSCOLLECTOR_SRC
+    "${CMAKE_SOURCE_DIR}/src/*.cpp"
+    )
+
+add_library(syscollector SHARED
+    ${SYSCOLLECTOR_SRC}
+    ${SRC_FOLDER}/${RESOURCE_OBJ}
+    )
+
+if (NOT ${TARGET} STREQUAL "")
+  if(${TARGET} STREQUAL "server")
+    add_dependencies(${PROJECT_NAME} compile_schemas) #Add a dependency between top-level targets.
+  endif()
+endif()
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+  set_target_properties(syscollector PROPERTIES
+        PREFIX ""
+        SUFFIX ".dll"
+        LINK_FLAGS "-Wl,--add-stdcall-alias"
+        POSITION_INDEPENDENT_CODE 0 # this is to avoid MinGW warning;
+        # MinGW generates position-independent-code for DLL by default
+  )
+elseif(UNIX AND NOT APPLE)
+  if(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    string(APPEND CMAKE_SHARED_LINKER_FLAGS " -Wl,-rpath=$ORIGIN")
+  endif(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+if (NOT ${TARGET} STREQUAL "")
+  if(${TARGET} STREQUAL "server")
+    list(APPEND DeltaSchemas
+                syscollector_deltas
+    )
+
+    add_custom_target(compile_schemas_deltas)
+    foreach(schema IN LISTS DeltaSchemas)
+      set(FBS_FILE "${FLATBUFFERS_FOLDER}/syscollectorDeltas/${schema}.fbs")
+      set(RSYNC_OUTPUT_HEADER_GENERATED "${FLATBUFFERS_FOLDER}/../include/${schema}_generated.h")
+      set(RSYNC_OUTPUT_HEADER "${FLATBUFFERS_FOLDER}/../include/${schema}_schema.h")
+
+      add_custom_command(
+        OUTPUT "${RSYNC_OUTPUT_HEADER_GENERATED}"
+        COMMAND ${FLATC_PATH}/flatc
+        ARGS -c
+        ARGS -o "${FLATBUFFERS_FOLDER}/../include" "${FBS_FILE}"
+        ARGS --no-warnings
+        COMMENT "Executing flatc to generate ${schema} header file."
+      )
+
+      add_custom_command(
+          OUTPUT "${RSYNC_OUTPUT_HEADER}"
+          COMMAND bash -c "echo -e '// This file was generated from ${FBS_FILE} , do not modify \\n#ifndef ${schema}_HEADER\\n#define ${schema}_HEADER\\n#define ${schema}_SCHEMA \"'`cat ${FBS_FILE}`'\" \\n#endif // ${schema}_HEADER\\n ' > ${FLATBUFFERS_FOLDER}/../include/${schema}_schema.h"
+          COMMENT "Creating header from schema file: '${schema}'"
+          DEPENDS "${RSYNC_OUTPUT_HEADER_GENERATED}"
+          WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+          VERBATIM)
+
+      add_custom_target(${schema}_schema_deltas_target DEPENDS ${RSYNC_OUTPUT_HEADER})
+      add_dependencies(compile_schemas_deltas ${schema}_schema_deltas_target)
+    endforeach()
+
+    add_dependencies(syscollector compile_schemas_deltas)
+  endif()
+endif()
+
+if(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+  target_link_libraries(syscollector dbsync rsync sysinfo wazuhext)
+else()
+  string(REPLACE ";" ":" CXX_IMPLICIT_LINK_DIRECTORIES_STR "${CMAKE_CXX_IMPLICIT_LINK_DIRECTORIES}")
+  string(REPLACE ";" ":" PLATFORM_REQUIRED_RUNTIME_PATH_STR "${CMAKE_PLATFORM_REQUIRED_RUNTIME_PATH}")
+  target_link_libraries(syscollector dbsync rsync sysinfo wazuhext -Wl,-blibpath:${INSTALL_PREFIX}/lib:${CXX_IMPLICIT_LINK_DIRECTORIES_STR}:${PLATFORM_REQUIRED_RUNTIME_PATH_STR})
+endif(NOT CMAKE_SYSTEM_NAME STREQUAL "AIX")
+
+if(UNIT_TEST)
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    target_link_libraries(syscollector -fprofile-arcs)
+  else()
+    target_link_libraries(syscollector gcov)
+  endif(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+  add_subdirectory(tests)
+else()
+  if(FSANITIZE)
+    target_link_libraries(syscollector gcov)
+  endif(FSANITIZE)
+  add_subdirectory(testtool)
+endif(UNIT_TEST)
diff --git a/src/modules/inventory/include/syscollector.h b/src/modules/inventory/include/syscollector.h
new file mode 100644
index 0000000000..fb9e60252c
--- /dev/null
+++ b/src/modules/inventory/include/syscollector.h
@@ -0,0 +1,90 @@
+/*
+ * Wazuh Syscollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+
+#ifndef _SYSCOLLECTOR_H
+#define _SYSCOLLECTOR_H
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+#include <stdbool.h>
+#include "commonDefs.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include "logging_helper.h"
+
+typedef void((*log_callback_t)(const modules_log_level_t level, const char* log, const char* tag));
+
+typedef void((*send_data_callback_t)(const void* buffer));
+
+EXPORTED void syscollector_start(const unsigned int inverval,
+                                 send_data_callback_t callbackDiff,
+                                 send_data_callback_t callbackSync,
+                                 log_callback_t callbackLog,
+                                 const char* dbPath,
+                                 const char* normalizerConfigPath,
+                                 const char* normalizerType,
+                                 const bool scanOnStart,
+                                 const bool hardware,
+                                 const bool os,
+                                 const bool network,
+                                 const bool packages,
+                                 const bool ports,
+                                 const bool portsAll,
+                                 const bool processes,
+                                 const bool hotfixes);
+
+EXPORTED void syscollector_stop();
+
+EXPORTED int syscollector_sync_message(const char* data);
+
+
+
+#ifdef __cplusplus
+}
+#endif
+
+typedef void(*syscollector_start_func)(const unsigned int inverval,
+                                       send_data_callback_t callbackDiff,
+                                       send_data_callback_t callbackSync,
+                                       log_callback_t callbackLog,
+                                       const char* dbPath,
+                                       const char* normalizerConfigPath,
+                                       const char* normalizerType,
+                                       const bool scanOnStart,
+                                       const bool hardware,
+                                       const bool os,
+                                       const bool network,
+                                       const bool packages,
+                                       const bool ports,
+                                       const bool portsAll,
+                                       const bool processes,
+                                       const bool hotfixes);
+
+typedef void(*syscollector_stop_func)();
+
+typedef int (*syscollector_sync_message_func)(const char* data);
+
+typedef void (*rsync_initialize_full_log_func)(full_log_fnc_t log_function);
+
+#endif //_SYSCOLLECTOR_H
diff --git a/src/modules/inventory/include/syscollector.hpp b/src/modules/inventory/include/syscollector.hpp
new file mode 100644
index 0000000000..7ac5a7a11d
--- /dev/null
+++ b/src/modules/inventory/include/syscollector.hpp
@@ -0,0 +1,131 @@
+/*
+ * Wazuh SysCollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 8, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSCOLLECTOR_HPP
+#define _SYSCOLLECTOR_HPP
+#include <chrono>
+#include <thread>
+#include <condition_variable>
+#include <mutex>
+#include <memory>
+#include "sysInfoInterface.h"
+#include "commonDefs.h"
+#include "dbsync.hpp"
+#include "rsync.hpp"
+#include "syscollectorNormalizer.h"
+#include "syscollector.h"
+
+// Define EXPORTED for any platform
+#ifdef _WIN32
+#ifdef WIN_EXPORT
+#define EXPORTED __declspec(dllexport)
+#else
+#define EXPORTED __declspec(dllimport)
+#endif
+#elif __GNUC__ >= 4
+#define EXPORTED __attribute__((visibility("default")))
+#else
+#define EXPORTED
+#endif
+
+class EXPORTED Syscollector final
+{
+    public:
+        static Syscollector& instance()
+        {
+            static Syscollector s_instance;
+            return s_instance;
+        }
+
+        void init(const std::shared_ptr<ISysInfo>& spInfo,
+                  const std::function<void(const std::string&)> reportDiffFunction,
+                  const std::function<void(const std::string&)> reportSyncFunction,
+                  const std::function<void(const modules_log_level_t, const std::string&)> logFunction,
+                  const std::string& dbPath,
+                  const std::string& normalizerConfigPath,
+                  const std::string& normalizerType,
+                  const unsigned int inverval = 3600ul,
+                  const bool scanOnStart = true,
+                  const bool hardware = true,
+                  const bool os = true,
+                  const bool network = true,
+                  const bool packages = true,
+                  const bool ports = true,
+                  const bool portsAll = true,
+                  const bool processes = true,
+                  const bool hotfixes = true,
+                  const bool notifyOnFirstScan = false);
+
+        void destroy();
+        void push(const std::string& data);
+    private:
+        Syscollector();
+        ~Syscollector() = default;
+        Syscollector(const Syscollector&) = delete;
+        Syscollector& operator=(const Syscollector&) = delete;
+
+        std::string getCreateStatement() const;
+        nlohmann::json getOSData();
+        nlohmann::json getHardwareData();
+        nlohmann::json getNetworkData();
+        nlohmann::json getPortsData();
+
+        void registerWithRsync();
+        void updateChanges(const std::string& table,
+                           const nlohmann::json& values);
+        void notifyChange(ReturnTypeCallback result,
+                          const nlohmann::json& data,
+                          const std::string& table);
+        void scanHardware();
+        void scanOs();
+        void scanNetwork();
+        void scanPackages();
+        void scanHotfixes();
+        void scanPorts();
+        void scanProcesses();
+        void syncOs();
+        void syncHardware();
+        void syncNetwork();
+        void syncPackages();
+        void syncHotfixes();
+        void syncPorts();
+        void syncProcesses();
+        void scan();
+        void sync();
+        void syncLoop(std::unique_lock<std::mutex>& lock);
+        void syncAlgorithm();
+        std::shared_ptr<ISysInfo>                                               m_spInfo;
+        std::function<void(const std::string&)>                                 m_reportDiffFunction;
+        std::function<void(const std::string&)>                                 m_reportSyncFunction;
+        std::function<void(const modules_log_level_t, const std::string&)>      m_logFunction;
+        std::chrono::seconds                                                       m_intervalValue;
+        std::chrono::seconds                                                       m_currentIntervalValue;
+        bool                                                                    m_scanOnStart;
+        bool                                                                    m_hardware;
+        bool                                                                    m_os;
+        bool                                                                    m_network;
+        bool                                                                    m_packages;
+        bool                                                                    m_ports;
+        bool                                                                    m_portsAll;
+        bool                                                                    m_processes;
+        bool                                                                    m_hotfixes;
+        bool                                                                    m_stopping;
+        bool                                                                    m_notify;
+        std::unique_ptr<DBSync>                                                 m_spDBSync;
+        std::unique_ptr<RemoteSync>                                             m_spRsync;
+        std::condition_variable                                                 m_cv;
+        std::mutex                                                              m_mutex;
+        std::unique_ptr<SysNormalizer>                                          m_spNormalizer;
+        std::string                                                             m_scanTime;
+        std::chrono::seconds                                           m_lastSyncMsg;
+};
+
+
+#endif //_SYSCOLLECTOR_HPP
diff --git a/src/modules/inventory/include/syscollectorNormalizer.h b/src/modules/inventory/include/syscollectorNormalizer.h
new file mode 100644
index 0000000000..81f2f76867
--- /dev/null
+++ b/src/modules/inventory/include/syscollectorNormalizer.h
@@ -0,0 +1,36 @@
+/*
+ * Wazuh SysCollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSCOLLECTOR_NORMALIZER_H
+#define _SYSCOLLECTOR_NORMALIZER_H
+#include <json.hpp>
+#include <string>
+#include <map>
+
+class SysNormalizer
+{
+    public:
+        SysNormalizer(const std::string& configFile,
+                      const std::string& target);
+        ~SysNormalizer() = default;
+        void normalize(const std::string& type,
+                       nlohmann::json& data) const;
+        void removeExcluded(const std::string& type,
+                            nlohmann::json& data) const;
+    private:
+        static std::map<std::string, nlohmann::json> getTypeValues(const std::string& configFile,
+                                                                   const std::string& target,
+                                                                   const std::string& type);
+        const std::map<std::string, nlohmann::json> m_typeExclusions;
+        const std::map<std::string, nlohmann::json> m_typeDictionary;
+};
+
+
+#endif //_SYSCOLLECTOR_NORMALIZER_H
diff --git a/src/modules/inventory/include/wm_syscollector.h b/src/modules/inventory/include/wm_syscollector.h
new file mode 100644
index 0000000000..de90efa4a3
--- /dev/null
+++ b/src/modules/inventory/include/wm_syscollector.h
@@ -0,0 +1,54 @@
+/*
+ * Wazuh Module for System inventory
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 17, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules_def.h"
+#include "../os_xml/os_xml.h"
+
+#ifndef WM_SYSCOLLECTOR
+#define WM_SYSCOLLECTOR
+
+extern const wm_context WM_SYS_CONTEXT;     // Context
+
+#define WM_SYS_LOGTAG ARGV0 ":syscollector" // Tag for log messages
+#define WM_SYSCOLLECTOR_DEFAULT_INTERVAL W_HOUR_SECONDS
+
+typedef struct wm_sys_flags_t {
+    unsigned int enabled:1;                 // Main switch
+    unsigned int scan_on_start:1;           // Scan always on start
+    unsigned int hwinfo:1;                  // Hardware inventory
+    unsigned int netinfo:1;                 // Network inventory
+    unsigned int osinfo:1;                  // OS inventory
+    unsigned int programinfo:1;             // Installed packages inventory
+    unsigned int hotfixinfo:1;              // Windows hotfixes installed
+    unsigned int portsinfo:1;               // Opened ports inventory
+    unsigned int allports:1;                // Scan only listening ports or all
+    unsigned int procinfo:1;                // Running processes inventory
+} wm_sys_flags_t;
+
+typedef struct wm_sys_state_t {
+    time_t next_time;                       // Absolute time for next scan
+} wm_sys_state_t;
+
+typedef struct wm_sys_db_sync_flags_t {
+    long sync_max_eps;                      // Maximum events per second for synchronization messages.
+} wm_sys_db_sync_flags_t;
+
+typedef struct wm_sys_t {
+    unsigned int interval;                  // Time interval between cycles (seconds)
+    wm_sys_flags_t flags;                   // Flag bitfield
+    wm_sys_state_t state;                   // Running state
+    wm_sys_db_sync_flags_t sync;            // Database synchronization value
+} wm_sys_t;
+
+// Parse XML configuration
+int wm_syscollector_read(const OS_XML *xml, XML_NODE node, wmodule *module);
+
+#endif
diff --git a/src/modules/inventory/norm_config.json b/src/modules/inventory/norm_config.json
new file mode 100644
index 0000000000..953a7df205
--- /dev/null
+++ b/src/modules/inventory/norm_config.json
@@ -0,0 +1,144 @@
+{
+    "exclusions": [
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "field_name": "name",
+            "pattern": "(Siri)"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "field_name": "name",
+            "pattern": "(iCloud)"
+        }
+    ],
+    "dictionary": [
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*Microsoft.*",
+            "add_field": "vendor",
+            "add_value": "Microsoft"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*VMware.*",
+            "add_field": "vendor",
+            "add_value": "VMware"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*Symantec.*",
+            "add_field": "vendor",
+            "add_value": "Symantec"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*(Quick ).*",
+            "add_field": "vendor",
+            "add_value": "Quick Heal"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*QuickHeal.*",
+            "add_field": "vendor",
+            "add_value": "QuickHeal"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field": "name",
+            "replace_pattern": "(zoom.us)",
+            "replace_value": "zoom"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": "Kaspersky.*",
+            "replace_pattern": "( For Mac)",
+            "replace_field": "name",
+            "replace_value": ""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*McAfee.*",
+            "add_field": "vendor",
+            "add_value": "McAfee",
+            "replace_field":"name",
+            "replace_pattern":"( For Mac)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(McAfee )",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*TotalDefense.*",
+            "add_field": "vendor",
+            "add_value": "TotalDefense",
+            "replace_field":"name",
+            "replace_pattern":"(forMac)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*TotalDefense.*",
+            "replace_field":"name",
+            "replace_pattern":"(Antivirus)",
+            "replace_value":"Anti-Virus"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(TotalDefense)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*AVG.*",
+            "add_field": "vendor",
+            "add_value": "AVG",
+            "replace_field":"name",
+            "replace_pattern":"(Antivirus)",
+            "replace_value":"Anti-Virus"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(AVG)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field": "name",
+            "replace_pattern": "(AntivirusforMac)",
+            "replace_value":"Antivirus"
+        }
+    ]
+}
\ No newline at end of file
diff --git a/src/modules/inventory/src/syscollector.cpp b/src/modules/inventory/src/syscollector.cpp
new file mode 100644
index 0000000000..dcb4103ad5
--- /dev/null
+++ b/src/modules/inventory/src/syscollector.cpp
@@ -0,0 +1,121 @@
+/*
+ * Wazuh SysCollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "syscollector.hpp"
+#include "sysInfo.hpp"
+#include "dbsync.hpp"
+#include <iostream>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include "../../wm_syscollector.h"
+
+void syscollector_start(const unsigned int inverval,
+                        send_data_callback_t callbackDiff,
+                        send_data_callback_t callbackSync,
+                        log_callback_t callbackLog,
+                        const char* dbPath,
+                        const char* normalizerConfigPath,
+                        const char* normalizerType,
+                        const bool scanOnStart,
+                        const bool hardware,
+                        const bool os,
+                        const bool network,
+                        const bool packages,
+                        const bool ports,
+                        const bool portsAll,
+                        const bool processes,
+                        const bool hotfixes)
+{
+    std::function<void(const std::string&)> callbackDiffWrapper
+    {
+        [callbackDiff](const std::string & data)
+        {
+            callbackDiff(data.c_str());
+        }
+    };
+
+    std::function<void(const std::string&)> callbackSyncWrapper
+    {
+        [callbackSync](const std::string & data)
+        {
+            callbackSync(data.c_str());
+        }
+    };
+
+    std::function<void(const modules_log_level_t, const std::string&)> callbackLogWrapper
+    {
+        [callbackLog](const modules_log_level_t level, const std::string & data)
+        {
+            callbackLog(level, data.c_str(), WM_SYS_LOGTAG);
+        }
+    };
+
+    std::function<void(const std::string&)> callbackErrorLogWrapper
+    {
+        [callbackLog](const std::string & data)
+        {
+            callbackLog(LOG_ERROR, data.c_str(), WM_SYS_LOGTAG);
+        }
+    };
+
+    DBSync::initialize(callbackErrorLogWrapper);
+
+    try
+    {
+        Syscollector::instance().init(std::make_shared<SysInfo>(),
+                                      std::move(callbackDiffWrapper),
+                                      std::move(callbackSyncWrapper),
+                                      std::move(callbackLogWrapper),
+                                      dbPath,
+                                      normalizerConfigPath,
+                                      normalizerType,
+                                      inverval,
+                                      scanOnStart,
+                                      hardware,
+                                      os,
+                                      network,
+                                      packages,
+                                      ports,
+                                      portsAll,
+                                      processes,
+                                      hotfixes);
+    }
+    catch (const std::exception& ex)
+    {
+        callbackErrorLogWrapper(ex.what());
+    }
+}
+void syscollector_stop()
+{
+    Syscollector::instance().destroy();
+}
+
+int syscollector_sync_message(const char* data)
+{
+    int ret{-1};
+
+    try
+    {
+        Syscollector::instance().push(data);
+        ret = 0;
+    }
+    catch (...)
+    {
+    }
+
+    return ret;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/modules/inventory/src/syscollectorImp.cpp b/src/modules/inventory/src/syscollectorImp.cpp
new file mode 100644
index 0000000000..586bdfc2c8
--- /dev/null
+++ b/src/modules/inventory/src/syscollectorImp.cpp
@@ -0,0 +1,1696 @@
+/*
+ * Wazuh SysCollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "syscollector.h"
+#include "syscollector.hpp"
+#include "json.hpp"
+#include <iostream>
+#include "stringHelper.h"
+#include "hashHelper.h"
+#include "timeHelper.h"
+
+constexpr std::chrono::seconds MAX_DELAY_TIME
+{
+    300
+};
+
+#define TRY_CATCH_TASK(task)                                            \
+do                                                                      \
+{                                                                       \
+    try                                                                 \
+    {                                                                   \
+        if(!m_stopping)                                                 \
+        {                                                               \
+            task();                                                     \
+        }                                                               \
+    }                                                                   \
+    catch(const std::exception& ex)                                     \
+    {                                                                   \
+        if(m_logFunction)                                               \
+        {                                                               \
+            m_logFunction(LOG_ERROR, std::string{ex.what()});           \
+        }                                                               \
+    }                                                                   \
+}while(0)
+
+constexpr auto QUEUE_SIZE
+{
+    4096
+};
+
+static const std::map<ReturnTypeCallback, std::string> OPERATION_MAP
+{
+    // LCOV_EXCL_START
+    {MODIFIED, "MODIFIED"},
+    {DELETED, "DELETED"},
+    {INSERTED, "INSERTED"},
+    {MAX_ROWS, "MAX_ROWS"},
+    {DB_ERROR, "DB_ERROR"},
+    {SELECTED, "SELECTED"},
+    // LCOV_EXCL_STOP
+};
+
+constexpr auto OS_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_osinfo (
+    hostname TEXT,
+    architecture TEXT,
+    os_name TEXT,
+    os_version TEXT,
+    os_codename TEXT,
+    os_major TEXT,
+    os_minor TEXT,
+    os_patch TEXT,
+    os_build TEXT,
+    os_platform TEXT,
+    sysname TEXT,
+    release TEXT,
+    version TEXT,
+    os_release TEXT,
+    os_display_version TEXT,
+    checksum TEXT,
+    PRIMARY KEY (os_name)) WITHOUT ROWID;)"
+};
+
+constexpr auto OS_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_osinfo",
+        "component":"syscollector_osinfo",
+        "index":"os_name",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE os_name BETWEEN '?' and '?' ORDER BY os_name",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE os_name BETWEEN '?' and '?' ORDER BY os_name",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE os_name ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE os_name BETWEEN '?' and '?' ORDER BY os_name",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto OS_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_osinfo",
+        "first_query":
+            {
+                "column_list":["os_name"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"os_name DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["os_name"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"os_name ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_osinfo",
+        "index":"os_name",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE os_name BETWEEN '?' and '?' ORDER BY os_name",
+                "column_list":["os_name, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+constexpr auto HW_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_hwinfo (
+    board_serial TEXT,
+    cpu_name TEXT,
+    cpu_cores INTEGER,
+    cpu_mhz DOUBLE,
+    ram_total INTEGER,
+    ram_free INTEGER,
+    ram_usage INTEGER,
+    checksum TEXT,
+    PRIMARY KEY (board_serial)) WITHOUT ROWID;)"
+};
+
+constexpr auto HW_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_hwinfo",
+        "component":"syscollector_hwinfo",
+        "index":"board_serial",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE board_serial BETWEEN '?' and '?' ORDER BY board_serial",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE board_serial BETWEEN '?' and '?' ORDER BY board_serial",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE board_serial ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE board_serial BETWEEN '?' and '?' ORDER BY board_serial",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto HW_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_hwinfo",
+        "first_query":
+            {
+                "column_list":["board_serial"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"board_serial DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["board_serial"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"board_serial ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_hwinfo",
+        "index":"board_serial",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE board_serial BETWEEN '?' and '?' ORDER BY board_serial",
+                "column_list":["board_serial, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+
+constexpr auto HOTFIXES_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_hotfixes(
+    hotfix TEXT,
+    checksum TEXT,
+    PRIMARY KEY (hotfix)) WITHOUT ROWID;)"
+};
+
+constexpr auto HOTFIXES_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_hotfixes",
+        "component":"syscollector_hotfixes",
+        "index":"hotfix",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE hotfix BETWEEN '?' and '?' ORDER BY hotfix",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE hotfix BETWEEN '?' and '?' ORDER BY hotfix",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE hotfix ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE hotfix BETWEEN '?' and '?' ORDER BY hotfix",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto HOTFIXES_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_hotfixes",
+        "first_query":
+            {
+                "column_list":["hotfix"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hotfix DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["hotfix"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"hotfix ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_hotfixes",
+        "index":"hotfix",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE hotfix BETWEEN '?' and '?' ORDER BY hotfix",
+                "column_list":["hotfix, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+constexpr auto PACKAGES_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_packages(
+    name TEXT,
+    version TEXT,
+    vendor TEXT,
+    install_time TEXT,
+    location TEXT,
+    architecture TEXT,
+    groups TEXT,
+    description TEXT,
+    size INTEGER,
+    priority TEXT,
+    multiarch TEXT,
+    source TEXT,
+    format TEXT,
+    checksum TEXT,
+    item_id TEXT,
+    PRIMARY KEY (name,version,architecture,format,location)) WITHOUT ROWID;)"
+};
+static const std::vector<std::string> PACKAGES_ITEM_ID_FIELDS{"name", "version", "architecture", "format", "location"};
+
+constexpr auto PACKAGES_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_packages",
+        "component":"syscollector_packages",
+        "index":"item_id",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE item_id ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto PACKAGES_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_packages",
+        "first_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_packages",
+        "index":"item_id",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["item_id, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":100
+            }
+        })"
+};
+
+constexpr auto PROCESSES_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_processes",
+        "first_query":
+            {
+                "column_list":["pid"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"pid DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["pid"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"pid ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_processes",
+        "index":"pid",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE pid BETWEEN '?' and '?' ORDER BY pid",
+                "column_list":["pid, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":1000
+            }
+        })"
+};
+
+constexpr auto PROCESSES_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_processes",
+        "component":"syscollector_processes",
+        "index":"pid",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE pid BETWEEN '?' and '?' ORDER BY pid",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE pid BETWEEN '?' and '?' ORDER BY pid",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE pid ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE pid BETWEEN '?' and '?' ORDER BY pid",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto PROCESSES_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_processes (
+    pid TEXT,
+    name TEXT,
+    state TEXT,
+    ppid BIGINT,
+    utime BIGINT,
+    stime BIGINT,
+    cmd TEXT,
+    argvs TEXT,
+    euser TEXT,
+    ruser TEXT,
+    suser TEXT,
+    egroup TEXT,
+    rgroup TEXT,
+    sgroup TEXT,
+    fgroup TEXT,
+    priority BIGINT,
+    nice BIGINT,
+    size BIGINT,
+    vm_size BIGINT,
+    resident BIGINT,
+    share BIGINT,
+    start_time BIGINT,
+    pgrp BIGINT,
+    session BIGINT,
+    nlwp BIGINT,
+    tgid BIGINT,
+    tty BIGINT,
+    processor BIGINT,
+    checksum TEXT,
+    PRIMARY KEY (pid)) WITHOUT ROWID;)"
+};
+
+constexpr auto PORTS_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_ports",
+        "first_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_ports",
+        "index":"item_id",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["item_id, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":1000
+            }
+        })"
+};
+
+constexpr auto PORTS_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_ports",
+        "component":"syscollector_ports",
+        "index":"item_id",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE item_id ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto PORTS_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_ports (
+       protocol TEXT,
+       local_ip TEXT,
+       local_port BIGINT,
+       remote_ip TEXT,
+       remote_port BIGINT,
+       tx_queue BIGINT,
+       rx_queue BIGINT,
+       inode BIGINT,
+       state TEXT,
+       pid BIGINT,
+       process TEXT,
+       checksum TEXT,
+       item_id TEXT,
+       PRIMARY KEY (inode, protocol, local_ip, local_port)) WITHOUT ROWID;)"
+};
+static const std::vector<std::string> PORTS_ITEM_ID_FIELDS{"inode", "protocol", "local_ip", "local_port"};
+
+constexpr auto NETIFACE_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_network_iface",
+        "first_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_network_iface",
+        "index":"item_id",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["item_id, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":1000
+            }
+        })"
+};
+
+constexpr auto NETIFACE_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_network_iface",
+        "component":"syscollector_network_iface",
+        "index":"item_id",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE item_id ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto NETIFACE_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_network_iface (
+       name TEXT,
+       adapter TEXT,
+       type TEXT,
+       state TEXT,
+       mtu BIGINT,
+       mac TEXT,
+       tx_packets INTEGER,
+       rx_packets INTEGER,
+       tx_bytes BIGINT,
+       rx_bytes BIGINT,
+       tx_errors INTEGER,
+       rx_errors INTEGER,
+       tx_dropped INTEGER,
+       rx_dropped INTEGER,
+       checksum TEXT,
+       item_id TEXT,
+       PRIMARY KEY (name,adapter,type)) WITHOUT ROWID;)"
+};
+static const std::vector<std::string> NETIFACE_ITEM_ID_FIELDS{"name", "adapter", "type"};
+
+constexpr auto NETPROTO_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_network_protocol",
+        "first_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_network_protocol",
+        "index":"item_id",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["item_id, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":1000
+            }
+        })"
+};
+
+constexpr auto NETPROTO_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_network_protocol",
+        "component":"syscollector_network_protocol",
+        "index":"item_id",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE item_id ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto NETPROTO_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_network_protocol (
+       iface TEXT,
+       type TEXT,
+       gateway TEXT,
+       dhcp TEXT NOT NULL CHECK (dhcp IN ('enabled', 'disabled', 'unknown', 'BOOTP')) DEFAULT 'unknown',
+       metric TEXT,
+       checksum TEXT,
+       item_id TEXT,
+       PRIMARY KEY (iface,type)) WITHOUT ROWID;)"
+};
+static const std::vector<std::string> NETPROTO_ITEM_ID_FIELDS{"iface", "type"};
+
+constexpr auto NETADDRESS_START_CONFIG_STATEMENT
+{
+    R"({"table":"dbsync_network_address",
+        "first_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id DESC",
+                "count_opt":1
+            },
+        "last_query":
+            {
+                "column_list":["item_id"],
+                "row_filter":" ",
+                "distinct_opt":false,
+                "order_by_opt":"item_id ASC",
+                "count_opt":1
+            },
+        "component":"syscollector_network_address",
+        "index":"item_id",
+        "last_event":"last_event",
+        "checksum_field":"checksum",
+        "range_checksum_query_json":
+            {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["item_id, checksum"],
+                "distinct_opt":false,
+                "order_by_opt":"",
+                "count_opt":1000
+            }
+        })"
+};
+
+constexpr auto NETADDRESS_SYNC_CONFIG_STATEMENT
+{
+    R"(
+    {
+        "decoder_type":"JSON_RANGE",
+        "table":"dbsync_network_address",
+        "component":"syscollector_network_address",
+        "index":"item_id",
+        "checksum_field":"checksum",
+        "no_data_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "count_range_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "count_field_name":"count",
+                "column_list":["count(*) AS count "],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "row_data_query_json": {
+                "row_filter":"WHERE item_id ='?'",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        },
+        "range_checksum_query_json": {
+                "row_filter":"WHERE item_id BETWEEN '?' and '?' ORDER BY item_id",
+                "column_list":["*"],
+                "distinct_opt":false,
+                "order_by_opt":""
+        }
+    }
+    )"
+};
+
+constexpr auto NETADDR_SQL_STATEMENT
+{
+    R"(CREATE TABLE dbsync_network_address (
+       iface TEXT,
+       proto INTEGER,
+       address TEXT,
+       netmask TEXT,
+       broadcast TEXT,
+       checksum TEXT,
+       item_id TEXT,
+       PRIMARY KEY (iface,proto,address)) WITHOUT ROWID;)"
+};
+static const std::vector<std::string> NETADDRESS_ITEM_ID_FIELDS{"iface", "proto", "address"};
+
+constexpr auto NET_IFACE_TABLE    { "dbsync_network_iface"    };
+constexpr auto NET_PROTOCOL_TABLE { "dbsync_network_protocol" };
+constexpr auto NET_ADDRESS_TABLE  { "dbsync_network_address"  };
+constexpr auto PACKAGES_TABLE     { "dbsync_packages"         };
+constexpr auto HOTFIXES_TABLE     { "dbsync_hotfixes"         };
+constexpr auto PORTS_TABLE        { "dbsync_ports"            };
+constexpr auto PROCESSES_TABLE    { "dbsync_processes"        };
+constexpr auto OS_TABLE           { "dbsync_osinfo"           };
+constexpr auto HW_TABLE           { "dbsync_hwinfo"           };
+
+
+static std::string getItemId(const nlohmann::json& item, const std::vector<std::string>& idFields)
+{
+    Utils::HashData hash;
+
+    for (const auto& field : idFields)
+    {
+        const auto& value{item.at(field)};
+
+        if (value.is_string())
+        {
+            const auto& valueString{value.get<std::string>()};
+            hash.update(valueString.c_str(), valueString.size());
+        }
+        else
+        {
+            const auto& valueNumber{value.get<unsigned long>()};
+            const auto valueString{std::to_string(valueNumber)};
+            hash.update(valueString.c_str(), valueString.size());
+        }
+    }
+
+    return Utils::asciiToHex(hash.hash());
+}
+
+static std::string getItemChecksum(const nlohmann::json& item)
+{
+    const auto content{item.dump()};
+    Utils::HashData hash;
+    hash.update(content.c_str(), content.size());
+    return Utils::asciiToHex(hash.hash());
+}
+
+static void removeKeysWithEmptyValue(nlohmann::json& input)
+{
+    for (auto& data : input)
+    {
+        for (auto it = data.begin(); it != data.end(); )
+        {
+            if (it.value().type() == nlohmann::detail::value_t::string &&
+                    it.value().get_ref<const std::string&>().empty())
+            {
+                it = data.erase(it);
+            }
+            else
+            {
+                ++it;
+            }
+        }
+    }
+}
+
+static bool isElementDuplicated(const nlohmann::json& input, const std::pair<std::string, std::string>& keyValue)
+{
+    const auto it
+    {
+        std::find_if (input.begin(), input.end(), [&keyValue](const auto & elem)
+        {
+            return elem.at(keyValue.first) == keyValue.second;
+        })
+    };
+    return it != input.end();
+}
+
+void Syscollector::notifyChange(ReturnTypeCallback result, const nlohmann::json& data, const std::string& table)
+{
+    if (DB_ERROR == result)
+    {
+        m_logFunction(LOG_ERROR, data.dump());
+    }
+    else if (m_notify && !m_stopping)
+    {
+        if (data.is_array())
+        {
+            for (const auto& item : data)
+            {
+                nlohmann::json msg;
+                msg["type"] = table;
+                msg["operation"] = OPERATION_MAP.at(result);
+                msg["data"] = item;
+                msg["data"]["scan_time"] = m_scanTime;
+                removeKeysWithEmptyValue(msg["data"]);
+                const auto msgToSend{msg.dump()};
+                m_reportDiffFunction(msgToSend);
+                m_logFunction(LOG_DEBUG_VERBOSE, "Delta sent: " + msgToSend);
+            }
+        }
+        else
+        {
+            // LCOV_EXCL_START
+            nlohmann::json msg;
+            msg["type"] = table;
+            msg["operation"] = OPERATION_MAP.at(result);
+            msg["data"] = data;
+            msg["data"]["scan_time"] = m_scanTime;
+            removeKeysWithEmptyValue(msg["data"]);
+            const auto msgToSend{msg.dump()};
+            m_reportDiffFunction(msgToSend);
+            m_logFunction(LOG_DEBUG_VERBOSE, "Delta sent: " + msgToSend);
+            // LCOV_EXCL_STOP
+        }
+    }
+}
+
+void Syscollector::updateChanges(const std::string& table,
+                                 const nlohmann::json& values)
+{
+    const auto callback
+    {
+        [this, table](ReturnTypeCallback result, const nlohmann::json & data)
+        {
+            notifyChange(result, data, table);
+        }
+    };
+    DBSyncTxn txn
+    {
+        m_spDBSync->handle(),
+        nlohmann::json{table},
+        0,
+        QUEUE_SIZE,
+        callback
+    };
+    nlohmann::json input;
+    input["table"] = table;
+    input["data"] = values;
+    txn.syncTxnRow(input);
+    txn.getDeletedRows(callback);
+}
+
+Syscollector::Syscollector()
+    : m_intervalValue { 0 }
+    , m_scanOnStart { false }
+    , m_hardware { false }
+    , m_os { false }
+    , m_network { false }
+    , m_packages { false }
+    , m_ports { false }
+    , m_portsAll { false }
+    , m_processes { false }
+    , m_hotfixes { false }
+    , m_stopping { true }
+    , m_notify { false }
+{}
+
+std::string Syscollector::getCreateStatement() const
+{
+    std::string ret;
+
+    ret += OS_SQL_STATEMENT;
+    ret += HW_SQL_STATEMENT;
+    ret += PACKAGES_SQL_STATEMENT;
+    ret += HOTFIXES_SQL_STATEMENT;
+    ret += PROCESSES_SQL_STATEMENT;
+    ret += PORTS_SQL_STATEMENT;
+    ret += NETIFACE_SQL_STATEMENT;
+    ret += NETPROTO_SQL_STATEMENT;
+    ret += NETADDR_SQL_STATEMENT;
+    return ret;
+}
+
+
+void Syscollector::registerWithRsync()
+{
+    const auto reportSyncWrapper
+    {
+        [this](const std::string & dataString)
+        {
+            auto jsonData(nlohmann::json::parse(dataString));
+            auto it{jsonData.find("data")};
+
+            m_lastSyncMsg = Utils::secondsSinceEpoch();
+
+            if (!m_stopping)
+            {
+                if (it != jsonData.end())
+                {
+                    auto& data{*it};
+                    it = data.find("attributes");
+
+                    if (it != data.end())
+                    {
+                        auto& fieldData { *it };
+                        removeKeysWithEmptyValue(fieldData);
+                        fieldData["scan_time"] = Utils::getCurrentTimestamp();
+                        const auto msgToSend{jsonData.dump()};
+                        m_reportSyncFunction(msgToSend);
+                        m_logFunction(LOG_DEBUG_VERBOSE, "Sync sent: " + msgToSend);
+                    }
+                    else
+                    {
+                        m_reportSyncFunction(dataString);
+                        m_logFunction(LOG_DEBUG_VERBOSE, "Sync sent: " + dataString);
+                    }
+                }
+                else
+                {
+                    //LCOV_EXCL_START
+                    m_reportSyncFunction(dataString);
+                    m_logFunction(LOG_DEBUG_VERBOSE, "Sync sent: " + dataString);
+                    //LCOV_EXCL_STOP
+                }
+            }
+        }
+    };
+
+    if (m_os)
+    {
+        m_spRsync->registerSyncID("syscollector_osinfo",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(OS_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_hardware)
+    {
+        m_spRsync->registerSyncID("syscollector_hwinfo",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(HW_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_processes)
+    {
+        m_spRsync->registerSyncID("syscollector_processes",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(PROCESSES_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_packages)
+    {
+        m_spRsync->registerSyncID("syscollector_packages",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(PACKAGES_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_hotfixes)
+    {
+        m_spRsync->registerSyncID("syscollector_hotfixes",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(HOTFIXES_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_ports)
+    {
+        m_spRsync->registerSyncID("syscollector_ports",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(PORTS_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+
+    if (m_network)
+    {
+        m_spRsync->registerSyncID("syscollector_network_iface",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(NETIFACE_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+        m_spRsync->registerSyncID("syscollector_network_protocol",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(NETPROTO_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+        m_spRsync->registerSyncID("syscollector_network_address",
+                                  m_spDBSync->handle(),
+                                  nlohmann::json::parse(NETADDRESS_SYNC_CONFIG_STATEMENT),
+                                  reportSyncWrapper);
+    }
+}
+void Syscollector::init(const std::shared_ptr<ISysInfo>& spInfo,
+                        const std::function<void(const std::string&)> reportDiffFunction,
+                        const std::function<void(const std::string&)> reportSyncFunction,
+                        const std::function<void(const modules_log_level_t, const std::string&)> logFunction,
+                        const std::string& dbPath,
+                        const std::string& normalizerConfigPath,
+                        const std::string& normalizerType,
+                        const unsigned int interval,
+                        const bool scanOnStart,
+                        const bool hardware,
+                        const bool os,
+                        const bool network,
+                        const bool packages,
+                        const bool ports,
+                        const bool portsAll,
+                        const bool processes,
+                        const bool hotfixes,
+                        const bool notifyOnFirstScan)
+{
+    m_spInfo = spInfo;
+    m_reportDiffFunction = reportDiffFunction;
+    m_reportSyncFunction = reportSyncFunction;
+    m_logFunction = logFunction;
+    m_intervalValue = std::chrono::seconds{interval};
+    m_scanOnStart = scanOnStart;
+    m_hardware = hardware;
+    m_os = os;
+    m_network = network;
+    m_packages = packages;
+    m_ports = ports;
+    m_portsAll = portsAll;
+    m_processes = processes;
+    m_hotfixes = hotfixes;
+    m_notify = notifyOnFirstScan;
+    m_currentIntervalValue = m_intervalValue;
+
+    std::unique_lock<std::mutex> lock{m_mutex};
+    m_stopping = false;
+    m_spDBSync = std::make_unique<DBSync>(HostType::AGENT, DbEngineType::SQLITE3, dbPath, getCreateStatement());
+    m_spRsync = std::make_unique<RemoteSync>();
+    m_spNormalizer = std::make_unique<SysNormalizer>(normalizerConfigPath, normalizerType);
+    registerWithRsync();
+    syncLoop(lock);
+}
+
+void Syscollector::destroy()
+{
+    std::unique_lock<std::mutex> lock{m_mutex};
+    m_stopping = true;
+    m_cv.notify_all();
+    lock.unlock();
+}
+
+nlohmann::json Syscollector::getHardwareData()
+{
+    nlohmann::json ret;
+    ret[0] = m_spInfo->hardware();
+    ret[0]["checksum"] = getItemChecksum(ret[0]);
+    return ret;
+}
+
+void Syscollector::scanHardware()
+{
+    if (m_hardware)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting hardware scan");
+        const auto& hwData{getHardwareData()};
+        updateChanges(HW_TABLE, hwData);
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending hardware scan");
+    }
+}
+
+void Syscollector::syncHardware()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(HW_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+nlohmann::json Syscollector::getOSData()
+{
+    nlohmann::json ret;
+    ret[0] = m_spInfo->os();
+    ret[0]["checksum"] = std::to_string(std::chrono::system_clock::now().time_since_epoch().count());
+    return ret;
+}
+
+void Syscollector::scanOs()
+{
+    if (m_os)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting os scan");
+        const auto& osData{getOSData()};
+        updateChanges(OS_TABLE, osData);
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending os scan");
+    }
+}
+
+void Syscollector::syncOs()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(OS_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+nlohmann::json Syscollector::getNetworkData()
+{
+    nlohmann::json ret;
+    const auto& networks { m_spInfo->networks() };
+    nlohmann::json ifaceTableDataList {};
+    nlohmann::json protoTableDataList {};
+    nlohmann::json addressTableDataList {};
+    constexpr auto IPV4 { 0 };
+    constexpr auto IPV6 { 1 };
+    static const std::map<int, std::string> IP_TYPE
+    {
+        { IPV4, "ipv4" },
+        { IPV6, "ipv6" }
+    };
+
+    if (!networks.is_null())
+    {
+        const auto& itIface { networks.find("iface") };
+
+        if (networks.end() != itIface)
+        {
+            for (const auto& item : itIface.value())
+            {
+                // Split the resulting networks data into the specific DB tables
+                // "dbsync_network_iface" table data to update and notify
+                nlohmann::json ifaceTableData {};
+                ifaceTableData["name"]       = item.at("name");
+                ifaceTableData["adapter"]    = item.at("adapter");
+                ifaceTableData["type"]       = item.at("type");
+                ifaceTableData["state"]      = item.at("state");
+                ifaceTableData["mtu"]        = item.at("mtu");
+                ifaceTableData["mac"]        = item.at("mac");
+                ifaceTableData["tx_packets"] = item.at("tx_packets");
+                ifaceTableData["rx_packets"] = item.at("rx_packets");
+                ifaceTableData["tx_errors"]  = item.at("tx_errors");
+                ifaceTableData["rx_errors"]  = item.at("rx_errors");
+                ifaceTableData["tx_bytes"]   = item.at("tx_bytes");
+                ifaceTableData["rx_bytes"]   = item.at("rx_bytes");
+                ifaceTableData["tx_dropped"] = item.at("tx_dropped");
+                ifaceTableData["rx_dropped"] = item.at("rx_dropped");
+                ifaceTableData["checksum"]   = getItemChecksum(ifaceTableData);
+                ifaceTableData["item_id"]    = getItemId(ifaceTableData, NETIFACE_ITEM_ID_FIELDS);
+                ifaceTableDataList.push_back(std::move(ifaceTableData));
+
+                if (item.find("IPv4") != item.end())
+                {
+                    // "dbsync_network_protocol" table data to update and notify
+                    nlohmann::json protoTableData {};
+                    protoTableData["iface"]   = item.at("name");
+                    protoTableData["gateway"] = item.at("gateway");
+                    protoTableData["type"]    = IP_TYPE.at(IPV4);
+                    protoTableData["dhcp"]    = item.at("IPv4").begin()->at("dhcp");
+                    protoTableData["metric"]  = item.at("IPv4").begin()->at("metric");
+                    protoTableData["checksum"]  = getItemChecksum(protoTableData);
+                    protoTableData["item_id"]   = getItemId(protoTableData, NETPROTO_ITEM_ID_FIELDS);
+                    protoTableDataList.push_back(std::move(protoTableData));
+
+                    for (auto addressTableData : item.at("IPv4"))
+                    {
+                        // "dbsync_network_address" table data to update and notify
+                        addressTableData["iface"]     = item.at("name");
+                        addressTableData["proto"]     = IPV4;
+                        addressTableData["checksum"]  = getItemChecksum(addressTableData);
+                        addressTableData["item_id"]   = getItemId(addressTableData, NETADDRESS_ITEM_ID_FIELDS);
+                        // Remove unwanted fields for dbsync_network_address table
+                        addressTableData.erase("dhcp");
+                        addressTableData.erase("metric");
+
+                        addressTableDataList.push_back(std::move(addressTableData));
+                    }
+                }
+
+                if (item.find("IPv6") != item.end())
+                {
+                    // "dbsync_network_protocol" table data to update and notify
+                    nlohmann::json protoTableData {};
+                    protoTableData["iface"]   = item.at("name");
+                    protoTableData["gateway"] = item.at("gateway");
+                    protoTableData["type"]    = IP_TYPE.at(IPV6);
+                    protoTableData["dhcp"]    = item.at("IPv6").begin()->at("dhcp");
+                    protoTableData["metric"]  = item.at("IPv6").begin()->at("metric");
+                    protoTableData["checksum"]  = getItemChecksum(protoTableData);
+                    protoTableData["item_id"]   = getItemId(protoTableData, NETPROTO_ITEM_ID_FIELDS);
+                    protoTableDataList.push_back(std::move(protoTableData));
+
+                    for (auto addressTableData : item.at("IPv6"))
+                    {
+                        // "dbsync_network_address" table data to update and notify
+                        addressTableData["iface"]     = item.at("name");
+                        addressTableData["proto"]     = IPV6;
+                        addressTableData["checksum"]  = getItemChecksum(addressTableData);
+                        addressTableData["item_id"]   = getItemId(addressTableData, NETADDRESS_ITEM_ID_FIELDS);
+                        // Remove unwanted fields for dbsync_network_address table
+                        addressTableData.erase("dhcp");
+                        addressTableData.erase("metric");
+
+                        addressTableDataList.push_back(std::move(addressTableData));
+                    }
+                }
+            }
+
+            ret[NET_IFACE_TABLE] = std::move(ifaceTableDataList);
+            ret[NET_PROTOCOL_TABLE] = std::move(protoTableDataList);
+            ret[NET_ADDRESS_TABLE] = std::move(addressTableDataList);
+        }
+    }
+
+    return ret;
+}
+
+void Syscollector::scanNetwork()
+{
+    if (m_network)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting network scan");
+        const auto networkData(getNetworkData());
+
+        if (!networkData.is_null())
+        {
+            const auto itIface { networkData.find(NET_IFACE_TABLE) };
+
+            if (itIface != networkData.end())
+            {
+                updateChanges(NET_IFACE_TABLE, itIface.value());
+            }
+
+            const auto itProtocol { networkData.find(NET_PROTOCOL_TABLE) };
+
+            if (itProtocol != networkData.end())
+            {
+                updateChanges(NET_PROTOCOL_TABLE, itProtocol.value());
+            }
+
+            const auto itAddress { networkData.find(NET_ADDRESS_TABLE) };
+
+            if (itAddress != networkData.end())
+            {
+                updateChanges(NET_ADDRESS_TABLE, itAddress.value());
+            }
+        }
+
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending network scan");
+    }
+}
+
+void Syscollector::syncNetwork()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(NETIFACE_START_CONFIG_STATEMENT), m_reportSyncFunction);
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(NETPROTO_START_CONFIG_STATEMENT), m_reportSyncFunction);
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(NETADDRESS_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+void Syscollector::scanPackages()
+{
+    if (m_packages)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting packages scan");
+        const auto callback
+        {
+            [this](ReturnTypeCallback result, const nlohmann::json & data)
+            {
+                notifyChange(result, data, PACKAGES_TABLE);
+            }
+        };
+        DBSyncTxn txn
+        {
+            m_spDBSync->handle(),
+            nlohmann::json{PACKAGES_TABLE},
+            0,
+            QUEUE_SIZE,
+            callback
+        };
+        m_spInfo->packages([this, &txn](nlohmann::json & rawData)
+        {
+            nlohmann::json input;
+
+            rawData["checksum"] = getItemChecksum(rawData);
+            rawData["item_id"] = getItemId(rawData, PACKAGES_ITEM_ID_FIELDS);
+
+            input["table"] = PACKAGES_TABLE;
+            m_spNormalizer->normalize("packages", rawData);
+            m_spNormalizer->removeExcluded("packages", rawData);
+
+            if (!rawData.empty())
+            {
+                input["data"] = nlohmann::json::array( { rawData } );
+                txn.syncTxnRow(input);
+            }
+        });
+        txn.getDeletedRows(callback);
+
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending packages scan");
+    }
+}
+
+void Syscollector::scanHotfixes()
+{
+    if (m_hotfixes)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting hotfixes scan");
+        auto hotfixes = m_spInfo->hotfixes();
+
+        if (!hotfixes.is_null())
+        {
+            for (auto& hotfix : hotfixes)
+            {
+                hotfix["checksum"] = getItemChecksum(hotfix);
+            }
+
+            updateChanges(HOTFIXES_TABLE, hotfixes);
+        }
+
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending hotfixes scan");
+    }
+}
+
+void Syscollector::syncPackages()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(PACKAGES_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+void Syscollector::syncHotfixes()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(HOTFIXES_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+nlohmann::json Syscollector::getPortsData()
+{
+    nlohmann::json ret;
+    constexpr auto PORT_LISTENING_STATE { "listening" };
+    constexpr auto TCP_PROTOCOL { "tcp" };
+    constexpr auto UDP_PROTOCOL { "udp" };
+    auto data(m_spInfo->ports());
+
+    if (!data.is_null())
+    {
+        for (auto& item : data)
+        {
+            const auto protocol { item.at("protocol").get_ref<const std::string&>() };
+
+            if (Utils::startsWith(protocol, TCP_PROTOCOL))
+            {
+                // All ports.
+                if (m_portsAll)
+                {
+                    const auto& itemId { getItemId(item, PORTS_ITEM_ID_FIELDS) };
+
+                    if (!isElementDuplicated(ret, std::make_pair("item_id", itemId)))
+                    {
+                        item["checksum"] = getItemChecksum(item);
+                        item["item_id"] = itemId;
+                        ret.push_back(item);
+                    }
+                }
+                else
+                {
+                    // Only listening ports.
+                    const auto isListeningState { item.at("state") == PORT_LISTENING_STATE };
+
+                    if (isListeningState)
+                    {
+                        const auto& itemId { getItemId(item, PORTS_ITEM_ID_FIELDS) };
+
+                        if (!isElementDuplicated(ret, std::make_pair("item_id", itemId)))
+                        {
+                            item["checksum"] = getItemChecksum(item);
+                            item["item_id"] = itemId;
+                            ret.push_back(item);
+                        }
+                    }
+                }
+            }
+            else if (Utils::startsWith(protocol, UDP_PROTOCOL))
+            {
+                const auto& itemId { getItemId(item, PORTS_ITEM_ID_FIELDS) };
+
+                if (!isElementDuplicated(ret, std::make_pair("item_id", itemId)))
+                {
+                    item["checksum"] = getItemChecksum(item);
+                    item["item_id"] = itemId;
+                    ret.push_back(item);
+                }
+            }
+        }
+    }
+
+    return ret;
+}
+
+void Syscollector::scanPorts()
+{
+    if (m_ports)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting ports scan");
+        const auto& portsData { getPortsData() };
+        updateChanges(PORTS_TABLE, portsData);
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending ports scan");
+    }
+}
+
+void Syscollector::syncPorts()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(PORTS_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+void Syscollector::scanProcesses()
+{
+    if (m_processes)
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Starting processes scan");
+        const auto callback
+        {
+            [this](ReturnTypeCallback result, const nlohmann::json & data)
+            {
+                notifyChange(result, data, PROCESSES_TABLE);
+            }
+        };
+        DBSyncTxn txn
+        {
+            m_spDBSync->handle(),
+            nlohmann::json{PROCESSES_TABLE},
+            0,
+            QUEUE_SIZE,
+            callback
+        };
+        m_spInfo->processes([&txn](nlohmann::json & rawData)
+        {
+            nlohmann::json input;
+
+            rawData["checksum"] = getItemChecksum(rawData);
+
+            input["table"] = PROCESSES_TABLE;
+            input["data"] = nlohmann::json::array( { rawData } );
+
+            txn.syncTxnRow(input);
+        });
+        txn.getDeletedRows(callback);
+
+        m_logFunction(LOG_DEBUG_VERBOSE, "Ending processes scan");
+    }
+}
+
+void Syscollector::syncProcesses()
+{
+    m_spRsync->startSync(m_spDBSync->handle(), nlohmann::json::parse(PROCESSES_START_CONFIG_STATEMENT), m_reportSyncFunction);
+}
+
+void Syscollector::scan()
+{
+    m_logFunction(LOG_INFO, "Starting evaluation.");
+    m_scanTime = Utils::getCurrentTimestamp();
+
+    TRY_CATCH_TASK(scanHardware);
+    TRY_CATCH_TASK(scanOs);
+    TRY_CATCH_TASK(scanNetwork);
+    TRY_CATCH_TASK(scanPackages);
+    TRY_CATCH_TASK(scanHotfixes);
+    TRY_CATCH_TASK(scanPorts);
+    TRY_CATCH_TASK(scanProcesses);
+    m_notify = true;
+    m_logFunction(LOG_INFO, "Evaluation finished.");
+}
+
+void Syscollector::sync()
+{
+    m_logFunction(LOG_DEBUG, "Starting syscollector sync");
+    TRY_CATCH_TASK(syncHardware);
+    TRY_CATCH_TASK(syncOs);
+    TRY_CATCH_TASK(syncNetwork);
+    TRY_CATCH_TASK(syncPackages);
+    TRY_CATCH_TASK(syncHotfixes);
+    TRY_CATCH_TASK(syncPorts);
+    TRY_CATCH_TASK(syncProcesses);
+    m_logFunction(LOG_DEBUG, "Ending syscollector sync");
+}
+
+void Syscollector::syncAlgorithm()
+{
+    m_currentIntervalValue = m_intervalValue / 2 >= MAX_DELAY_TIME ? MAX_DELAY_TIME : m_intervalValue / 2;
+
+    if (Utils::secondsSinceEpoch() - m_lastSyncMsg > m_currentIntervalValue)
+    {
+        scan();
+        sync();
+        m_currentIntervalValue = m_intervalValue;
+    }
+    else
+    {
+        m_logFunction(LOG_DEBUG_VERBOSE, "Syscollector synchronization process concluded recently, delaying scan for " + std::to_string(m_currentIntervalValue.count()) + " second/s");
+    }
+}
+
+void Syscollector::syncLoop(std::unique_lock<std::mutex>& lock)
+{
+    m_logFunction(LOG_INFO, "Module started.");
+
+    if (m_scanOnStart)
+    {
+        scan();
+        sync();
+    }
+
+    while (!m_cv.wait_for(lock, std::chrono::seconds{m_currentIntervalValue}, [&]()
+{
+    return m_stopping;
+}))
+    {
+        syncAlgorithm();
+    }
+    m_spRsync.reset(nullptr);
+    m_spDBSync.reset(nullptr);
+}
+
+void Syscollector::push(const std::string& data)
+{
+    std::unique_lock<std::mutex> lock{m_mutex};
+
+    if (!m_stopping)
+    {
+        auto rawData{data};
+        Utils::replaceFirst(rawData, "dbsync ", "");
+        const auto buff{reinterpret_cast<const uint8_t*>(rawData.c_str())};
+
+        try
+        {
+            m_spRsync->pushMessage(std::vector<uint8_t> {buff, buff + rawData.size()});
+        }
+        // LCOV_EXCL_START
+        catch (const std::exception& ex)
+        {
+            m_logFunction(LOG_ERROR, ex.what());
+        }
+    }
+
+    // LCOV_EXCL_STOP
+}
diff --git a/src/modules/inventory/src/syscollectorNormalizer.cpp b/src/modules/inventory/src/syscollectorNormalizer.cpp
new file mode 100644
index 0000000000..e1508b8a02
--- /dev/null
+++ b/src/modules/inventory/src/syscollectorNormalizer.cpp
@@ -0,0 +1,174 @@
+/*
+ * Wazuh SysCollector
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <iostream>
+#include <fstream>
+#include <regex>
+#include <syscollectorNormalizer.h>
+
+SysNormalizer::SysNormalizer(const std::string& configFile,
+                             const std::string& target)
+    : m_typeExclusions{getTypeValues(configFile, target, "exclusions")}
+    , m_typeDictionary{getTypeValues(configFile, target, "dictionary")}
+{
+}
+
+void SysNormalizer::removeExcluded(const std::string& type,
+                                   nlohmann::json& data) const
+{
+    const auto exclusionsIt{m_typeExclusions.find(type)};
+
+    if (exclusionsIt != m_typeExclusions.cend())
+    {
+        for (const auto& exclusionItem : exclusionsIt->second)
+        {
+            try
+            {
+                std::regex pattern{exclusionItem["pattern"].get_ref<const std::string&>()};
+                const auto& fieldName{exclusionItem["field_name"].get_ref<const std::string&>()};
+
+                if (data.is_array())
+                {
+                    for (auto item{data.begin()}; item != data.end(); ++item)
+                    {
+                        const auto fieldIt{item->find(fieldName)};
+
+                        if (fieldIt != item->end() && std::regex_match(fieldIt->get_ref<const std::string&>(), pattern))
+                        {
+                            data.erase(item);
+                        }
+                    }
+                }
+                else
+                {
+                    const auto fieldIt{data.find(fieldName)};
+
+                    if (fieldIt != data.end() && std::regex_match(fieldIt->get_ref<const std::string&>(), pattern))
+                    {
+                        data.clear();
+                    }
+                }
+            }
+            // LCOV_EXCL_START
+            catch (...)
+            {}
+
+            // LCOV_EXCL_STOP
+        }
+    }
+}
+
+
+static void normalizeItem(const nlohmann::json& dictionary,
+                          nlohmann::json& item)
+{
+    for (const auto& dictItem : dictionary)
+    {
+        const auto itFindPattern{dictItem.find("find_pattern")};
+        const auto itFindField{dictItem.find("find_field")};
+
+        if (itFindPattern != dictItem.end() && itFindField != dictItem.end())
+        {
+            const auto fieldIt{item.find(itFindField->get_ref<const std::string&>())};
+            std::regex pattern{itFindPattern->get_ref<const std::string&>()};
+
+            if (fieldIt == item.end() ||
+                    !std::regex_match(fieldIt->get_ref<const std::string&>(), pattern))
+            {
+                //no field in the item or no matching, we continue
+                continue;
+            }
+        }
+        else if (itFindPattern != dictItem.end() || itFindField != dictItem.end())
+        {
+            //we won't evaluate an incomplete item.
+            continue;
+        }
+
+        const auto itReplacePattern{dictItem.find("replace_pattern")};
+        const auto itReplaceField{dictItem.find("replace_field")};
+        const auto itReplaceValue{dictItem.find("replace_value")};
+
+        if (itReplacePattern != dictItem.end() && itReplaceField != dictItem.end() && itReplaceValue != dictItem.end())
+        {
+            std::regex pattern{itReplacePattern->get_ref<const std::string&>()};
+            const auto fieldIt{item.find(itReplaceField->get_ref<const std::string&>())};
+
+            if (fieldIt != item.end())
+            {
+                *fieldIt = std::regex_replace(fieldIt->get_ref<const std::string&>(), pattern, itReplaceValue->get_ref<const std::string&>());
+            }
+        }
+
+        const auto itAddField{dictItem.find("add_field")};
+        const auto itAddValue{dictItem.find("add_value")};
+
+        if (itAddField != dictItem.end() && itAddValue != dictItem.end())
+        {
+            item[itAddField->get_ref<const std::string&>()] = itAddValue->get_ref<const std::string&>();
+        }
+    }
+}
+
+void SysNormalizer::normalize(const std::string& type,
+                              nlohmann::json& data) const
+{
+    const auto dictionaryIt{m_typeDictionary.find(type)};
+
+    if (dictionaryIt != m_typeDictionary.cend())
+    {
+        if (data.is_array())
+        {
+            for (auto& item : data)
+            {
+                normalizeItem(dictionaryIt->second, item);
+            }
+        }
+        else
+        {
+            normalizeItem(dictionaryIt->second, data);
+        }
+    }
+}
+
+std::map<std::string, nlohmann::json> SysNormalizer::getTypeValues(const std::string& configFile,
+                                                                   const std::string& target,
+                                                                   const std::string& type)
+{
+    std::map<std::string, nlohmann::json> ret;
+
+    try
+    {
+        std::ifstream config{ configFile };
+        nlohmann::json data;
+
+        if (config.is_open())
+        {
+            const nlohmann::json& jsonConfigFile { nlohmann::json::parse(config) };
+            const auto it{jsonConfigFile.find(type)};
+
+            if (it != jsonConfigFile.end())
+            {
+                for (const auto& item : *it)
+                {
+                    if (item["target"] == target)
+                    {
+                        ret[item["data_type"]].push_back(item);
+                    }
+                }
+            }
+        }
+    }
+    catch (...)
+    {
+    }
+
+    return ret;
+}
diff --git a/src/modules/inventory/src/wm_syscollector.c b/src/modules/inventory/src/wm_syscollector.c
new file mode 100644
index 0000000000..b2f8fcfec3
--- /dev/null
+++ b/src/modules/inventory/src/wm_syscollector.c
@@ -0,0 +1,329 @@
+/*
+ * Wazuh SYSCOLLECTOR
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 11, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <stdlib.h>
+#include "../../wmodules_def.h"
+#include "wmodules.h"
+#include "wm_syscollector.h"
+#include "syscollector.h"
+#include "sym_load.h"
+#include "defs.h"
+#include "mq_op.h"
+#include "headers/logging_helper.h"
+#include "commonDefs.h"
+
+#ifndef CLIENT
+#include "router.h"
+#include "utils/flatbuffers/include/syscollector_synchronization_schema.h"
+#include "utils/flatbuffers/include/syscollector_deltas_schema.h"
+#include "agent_messages_adapter.h"
+#endif // CLIENT
+
+#ifdef WIN32
+static DWORD WINAPI wm_sys_main(void *arg);         // Module main function. It won't return
+#else
+static void* wm_sys_main(wm_sys_t *sys);        // Module main function. It won't return
+#endif
+static void wm_sys_destroy(wm_sys_t *data);      // Destroy data
+static void wm_sys_stop(wm_sys_t *sys);         // Module stopper
+const char *WM_SYS_LOCATION = "syscollector";   // Location field for event sending
+cJSON *wm_sys_dump(const wm_sys_t *sys);
+int wm_sync_message(const char *data);
+pthread_cond_t sys_stop_condition = PTHREAD_COND_INITIALIZER;
+pthread_mutex_t sys_stop_mutex = PTHREAD_MUTEX_INITIALIZER;
+bool need_shutdown_wait = false;
+pthread_mutex_t sys_reconnect_mutex = PTHREAD_MUTEX_INITIALIZER;
+bool shutdown_process_started = false;
+
+const wm_context WM_SYS_CONTEXT = {
+    .name = "syscollector",
+    .start = (wm_routine)wm_sys_main,
+    .destroy = (void(*)(void *))wm_sys_destroy,
+    .dump = (cJSON * (*)(const void *))wm_sys_dump,
+    .sync = (int(*)(const char*))wm_sync_message,
+    .stop = (void(*)(void *))wm_sys_stop,
+    .query = NULL,
+};
+
+void *syscollector_module = NULL;
+syscollector_start_func syscollector_start_ptr = NULL;
+syscollector_stop_func syscollector_stop_ptr = NULL;
+syscollector_sync_message_func syscollector_sync_message_ptr = NULL;
+
+#ifndef CLIENT
+void *router_module_ptr = NULL;
+router_provider_create_func router_provider_create_func_ptr = NULL;
+router_provider_send_fb_func router_provider_send_fb_func_ptr = NULL;
+ROUTER_PROVIDER_HANDLE rsync_handle = NULL;
+ROUTER_PROVIDER_HANDLE syscollector_handle = NULL;
+int disable_manager_scan = 1;
+#endif // CLIENT
+
+long syscollector_sync_max_eps = 10;    // Database synchronization number of events per second (default value)
+int queue_fd = 0;                       // Output queue file descriptor
+
+static bool is_shutdown_process_started() {
+    bool ret_val = shutdown_process_started;
+    return ret_val;
+}
+
+static void wm_sys_send_message(const void* data, const char queue_id) {
+    if (!is_shutdown_process_started()) {
+        const int eps = 1000000/syscollector_sync_max_eps;
+        if (wm_sendmsg_ex(eps, queue_fd, data, WM_SYS_LOCATION, queue_id, &is_shutdown_process_started) < 0) {
+    #ifdef CLIENT
+            mterror(WM_SYS_LOGTAG, "Unable to send message to '%s' (wazuh-agentd might be down). Attempting to reconnect.", DEFAULTQUEUE);
+    #else
+            mterror(WM_SYS_LOGTAG, "Unable to send message to '%s' (wazuh-analysisd might be down). Attempting to reconnect.", DEFAULTQUEUE);
+    #endif
+            // Since this method is beign called by multiple threads it's necessary this particular portion of code
+            // to be mutually exclusive. When one thread is successfully reconnected, the other ones will make use of it.
+            w_mutex_lock(&sys_reconnect_mutex);
+            if (!is_shutdown_process_started() && wm_sendmsg_ex(eps, queue_fd, data, WM_SYS_LOCATION, queue_id, &is_shutdown_process_started) < 0) {
+                if (queue_fd = MQReconnectPredicated(DEFAULTQUEUE, &is_shutdown_process_started), 0 <= queue_fd) {
+                    mtinfo(WM_SYS_LOGTAG, "Successfully reconnected to '%s'", DEFAULTQUEUE);
+                    if (wm_sendmsg_ex(eps, queue_fd, data, WM_SYS_LOCATION, queue_id, &is_shutdown_process_started) < 0) {
+                        mterror(WM_SYS_LOGTAG, "Unable to send message to '%s' after a successfull reconnection...", DEFAULTQUEUE);
+                    }
+                }
+            }
+            w_mutex_unlock(&sys_reconnect_mutex);
+        }
+    }
+}
+
+static void wm_sys_send_diff_message(const void* data) {
+    wm_sys_send_message(data, SYSCOLLECTOR_MQ);
+#ifndef CLIENT
+    if(!disable_manager_scan)
+    {
+        char* msg_to_send = adapt_delta_message(data, "localhost", "000", "127.0.0.1", NULL);
+        if (msg_to_send && router_provider_send_fb_func_ptr) {
+            router_provider_send_fb_func_ptr(syscollector_handle, msg_to_send, syscollector_deltas_SCHEMA);
+        }
+        cJSON_free(msg_to_send);
+    }
+#endif // CLIENT
+}
+
+static void wm_sys_send_dbsync_message(const void* data) {
+    wm_sys_send_message(data, DBSYNC_MQ);
+#ifndef CLIENT
+    if(!disable_manager_scan)
+    {
+        char* msg_to_send = adapt_sync_message(data, "localhost", "000", "127.0.0.1", NULL);
+        if (msg_to_send && router_provider_send_fb_func_ptr) {
+            router_provider_send_fb_func_ptr(rsync_handle, msg_to_send, syscollector_synchronization_SCHEMA);
+        }
+        cJSON_free(msg_to_send);
+    }
+#endif // CLIENT
+}
+
+static void wm_sys_log_config(wm_sys_t *sys)
+{
+    cJSON * config_json = wm_sys_dump(sys);
+    if (config_json) {
+        char * config_str = cJSON_PrintUnformatted(config_json);
+        if (config_str) {
+            mtdebug1(WM_SYS_LOGTAG, "%s", config_str);
+            cJSON_free(config_str);
+        }
+        cJSON_Delete(config_json);
+    }
+}
+
+#ifdef WIN32
+DWORD WINAPI wm_sys_main(void *arg) {
+    wm_sys_t *sys = (wm_sys_t *)arg;
+#else
+void* wm_sys_main(wm_sys_t *sys) {
+#endif
+    w_cond_init(&sys_stop_condition, NULL);
+    w_mutex_init(&sys_stop_mutex, NULL);
+    w_mutex_init(&sys_reconnect_mutex, NULL);
+
+    if (!sys->flags.enabled) {
+        mtinfo(WM_SYS_LOGTAG, "Module disabled. Exiting...");
+        pthread_exit(NULL);
+    }
+
+    #ifndef WIN32
+    // Connect to socket
+    queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    if (queue_fd < 0) {
+        mterror(WM_SYS_LOGTAG, "Can't connect to queue.");
+        pthread_exit(NULL);
+    }
+    #endif
+
+    if (syscollector_module = so_get_module_handle("syscollector"), syscollector_module)
+    {
+        syscollector_start_ptr = so_get_function_sym(syscollector_module, "syscollector_start");
+        syscollector_stop_ptr = so_get_function_sym(syscollector_module, "syscollector_stop");
+        syscollector_sync_message_ptr = so_get_function_sym(syscollector_module, "syscollector_sync_message");
+
+        void* rsync_module = NULL;
+        if(rsync_module = so_check_module_loaded("rsync"), rsync_module) {
+            rsync_initialize_full_log_func rsync_initialize_log_function_ptr = so_get_function_sym(rsync_module, "rsync_initialize_full_log_function");
+            if(rsync_initialize_log_function_ptr) {
+                rsync_initialize_log_function_ptr(mtLoggingFunctionsWrapper);
+            }
+            // Even when the RTLD_NOLOAD flag was used for dlopen(), we need a matching call to dlclose()
+#ifndef WIN32
+            so_free_library(rsync_module);
+#endif
+        }
+#ifndef CLIENT
+        // Load router module only for manager if is enabled
+        disable_manager_scan = getDefine_Int("vulnerability-detection", "disable_scan_manager", 0, 1);
+        if (router_module_ptr = so_get_module_handle("router"), router_module_ptr) {
+                router_provider_create_func_ptr = so_get_function_sym(router_module_ptr, "router_provider_create");
+                router_provider_send_fb_func_ptr = so_get_function_sym(router_module_ptr, "router_provider_send_fb");
+                if (router_provider_create_func_ptr && router_provider_send_fb_func_ptr) {
+                    mtdebug1(WM_SYS_LOGTAG, "Router module loaded.");
+                } else {
+                    mwarn("Failed to load methods from router module.");
+                }
+            } else {
+                mwarn("Failed to load router module.");
+            }
+#endif // CLIENT
+    } else {
+#ifdef __hpux
+        mtinfo(WM_SYS_LOGTAG, "Not supported in HP-UX.");
+#else
+        mterror(WM_SYS_LOGTAG, "Can't load syscollector.");
+#endif
+        pthread_exit(NULL);
+    }
+    if (syscollector_start_ptr) {
+        mtdebug1(WM_SYS_LOGTAG, "Starting Syscollector.");
+        w_mutex_lock(&sys_stop_mutex);
+        need_shutdown_wait = true;
+        w_mutex_unlock(&sys_stop_mutex);
+        const long max_eps = sys->sync.sync_max_eps;
+        if (0 != max_eps) {
+            syscollector_sync_max_eps = max_eps;
+        }
+        // else: if max_eps is 0 (from configuration) let's use the default max_eps value (10)
+        wm_sys_log_config(sys);
+#ifndef CLIENT
+        // Router providers initialization
+        if (router_provider_create_func_ptr){
+            if(syscollector_handle = router_provider_create_func_ptr("deltas-syscollector", true), !syscollector_handle) {
+                mdebug2("Failed to create router handle for 'syscollector'.");
+            }
+
+            if (rsync_handle = router_provider_create_func_ptr("rsync-syscollector", true), !rsync_handle) {
+                mdebug2("Failed to create router handle for 'rsync'.");
+            }
+        }
+#endif // CLIENT
+        syscollector_start_ptr(sys->interval,
+                               wm_sys_send_diff_message,
+                               wm_sys_send_dbsync_message,
+                               taggedLogFunction,
+                               SYSCOLLECTOR_DB_DISK_PATH,
+                               SYSCOLLECTOR_NORM_CONFIG_DISK_PATH,
+                               SYSCOLLECTOR_NORM_TYPE,
+                               sys->flags.scan_on_start,
+                               sys->flags.hwinfo,
+                               sys->flags.osinfo,
+                               sys->flags.netinfo,
+                               sys->flags.programinfo,
+                               sys->flags.portsinfo,
+                               sys->flags.allports,
+                               sys->flags.procinfo,
+                               sys->flags.hotfixinfo);
+    } else {
+        mterror(WM_SYS_LOGTAG, "Can't get syscollector_start_ptr.");
+        pthread_exit(NULL);
+    }
+    syscollector_sync_message_ptr = NULL;
+    syscollector_start_ptr = NULL;
+    syscollector_stop_ptr = NULL;
+
+    if (queue_fd) {
+        close(queue_fd);
+        queue_fd = 0;
+    }
+    so_free_library(syscollector_module);
+#ifndef CLIENT
+    so_free_library(router_module_ptr);
+    router_module_ptr = NULL;
+#endif // CLIENT
+    syscollector_module = NULL;
+    mtinfo(WM_SYS_LOGTAG, "Module finished.");
+    w_mutex_lock(&sys_stop_mutex);
+    w_cond_signal(&sys_stop_condition);
+    w_mutex_unlock(&sys_stop_mutex);
+    return 0;
+}
+
+void wm_sys_destroy(wm_sys_t *data) {
+    free(data);
+}
+
+void wm_sys_stop(__attribute__((unused))wm_sys_t *data) {
+    mtinfo(WM_SYS_LOGTAG, "Stop received for Syscollector.");
+    syscollector_sync_message_ptr = NULL;
+    if (syscollector_stop_ptr){
+        shutdown_process_started = true;
+        syscollector_stop_ptr();
+    }
+    w_mutex_lock(&sys_stop_mutex);
+    if (need_shutdown_wait) {
+        w_cond_wait(&sys_stop_condition, &sys_stop_mutex);
+    }
+    w_mutex_unlock(&sys_stop_mutex);
+
+    w_cond_destroy(&sys_stop_condition);
+    w_mutex_destroy(&sys_stop_mutex);
+    w_mutex_destroy(&sys_reconnect_mutex);
+}
+
+cJSON *wm_sys_dump(const wm_sys_t *sys) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_sys = cJSON_CreateObject();
+
+    // System provider values
+    if (sys->flags.enabled) cJSON_AddStringToObject(wm_sys,"disabled","no"); else cJSON_AddStringToObject(wm_sys,"disabled","yes");
+    if (sys->flags.scan_on_start) cJSON_AddStringToObject(wm_sys,"scan-on-start","yes"); else cJSON_AddStringToObject(wm_sys,"scan-on-start","no");
+    cJSON_AddNumberToObject(wm_sys,"interval",sys->interval);
+    if (sys->flags.netinfo) cJSON_AddStringToObject(wm_sys,"network","yes"); else cJSON_AddStringToObject(wm_sys,"network","no");
+    if (sys->flags.osinfo) cJSON_AddStringToObject(wm_sys,"os","yes"); else cJSON_AddStringToObject(wm_sys,"os","no");
+    if (sys->flags.hwinfo) cJSON_AddStringToObject(wm_sys,"hardware","yes"); else cJSON_AddStringToObject(wm_sys,"hardware","no");
+    if (sys->flags.programinfo) cJSON_AddStringToObject(wm_sys,"packages","yes"); else cJSON_AddStringToObject(wm_sys,"packages","no");
+    if (sys->flags.portsinfo) cJSON_AddStringToObject(wm_sys,"ports","yes"); else cJSON_AddStringToObject(wm_sys,"ports","no");
+    if (sys->flags.allports) cJSON_AddStringToObject(wm_sys,"ports_all","yes"); else cJSON_AddStringToObject(wm_sys,"ports_all","no");
+    if (sys->flags.procinfo) cJSON_AddStringToObject(wm_sys,"processes","yes"); else cJSON_AddStringToObject(wm_sys,"processes","no");
+#ifdef WIN32
+    if (sys->flags.hotfixinfo) cJSON_AddStringToObject(wm_sys,"hotfixes","yes"); else cJSON_AddStringToObject(wm_sys,"hotfixes","no");
+#endif
+    // Database synchronization values
+    cJSON_AddNumberToObject(wm_sys,"sync_max_eps",sys->sync.sync_max_eps);
+
+    cJSON_AddItemToObject(root,"syscollector",wm_sys);
+
+    return root;
+}
+
+int wm_sync_message(const char *data)
+{
+    int ret_val = 0;
+
+    if (syscollector_sync_message_ptr) {
+        ret_val = syscollector_sync_message_ptr(data);
+    }
+
+    return ret_val;
+}
diff --git a/src/modules/inventory/tests/CMakeLists.txt b/src/modules/inventory/tests/CMakeLists.txt
index e69de29bb2..ae2a5cf481 100644
--- a/src/modules/inventory/tests/CMakeLists.txt
+++ b/src/modules/inventory/tests/CMakeLists.txt
@@ -0,0 +1,12 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(unit_tests)
+
+include_directories(${CMAKE_SOURCE_DIR})
+include_directories(${CMAKE_SOURCE_DIR}/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googletest/include/)
+include_directories(${SRC_FOLDER}/external/googletest/googlemock/include/)
+link_directories(${SRC_FOLDER}/external/googletest/lib/)
+
+add_subdirectory(sysCollectorImp)
+add_subdirectory(sysNormalizer)
diff --git a/src/modules/inventory/tests/sysCollectorImp/CMakeLists.txt b/src/modules/inventory/tests/sysCollectorImp/CMakeLists.txt
new file mode 100644
index 0000000000..f4930d7ee3
--- /dev/null
+++ b/src/modules/inventory/tests/sysCollectorImp/CMakeLists.txt
@@ -0,0 +1,71 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(syscollectorimp_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+
+link_directories(${SRC_FOLDER}/shared_modules/dbsync/build/lib)
+link_directories(${SRC_FOLDER}/shared_modules/rsync/build/lib)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/src/)
+
+file(GLOB SYSCOLLECTOR_IMP_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYSCOLLECTOR_IMP_SRC
+    "${CMAKE_SOURCE_DIR}/src/syscollectorImp.cpp"
+    "${CMAKE_SOURCE_DIR}/src/syscollectorNormalizer.cpp")
+
+file(GLOB RSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/rsync/src/*.cpp")
+
+file(GLOB DBSYNC_IMP_SRC
+    "${SRC_FOLDER}/shared_modules/dbsync/src/*.cpp"
+    "${SRC_FOLDER}/shared_modules/dbsync/src/sqlite/*.cpp")
+
+add_definitions(-DWAZUH_UNIT_TESTING)
+
+add_executable(syscollectorimp_unit_test
+    ${SYSCOLLECTOR_IMP_UNIT_TEST_SRC}
+    ${SYSCOLLECTOR_IMP_SRC}
+    ${RSYNC_IMP_SRC}
+    ${DBSYNC_IMP_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(syscollectorimp_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        cjson
+        sqlite3
+        crypto
+        ws2_32
+        ssl
+        crypt32
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(syscollectorimp_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        sqlite3
+        cjson
+        crypto
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME syscollectorimp_unit_test
+         COMMAND syscollectorimp_unit_test)
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysCollectorImp/main.cpp b/src/modules/inventory/tests/sysCollectorImp/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/modules/inventory/tests/sysCollectorImp/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.cpp b/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.cpp
new file mode 100644
index 0000000000..cf79dd051c
--- /dev/null
+++ b/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.cpp
@@ -0,0 +1,2399 @@
+/*
+ * Wazuh SyscollectorImp
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 9, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include <cstdio>
+#include "syscollectorImp_test.h"
+#include "syscollector.hpp"
+
+constexpr auto SYSCOLLECTOR_DB_PATH {"TEMP.db"};
+
+void SyscollectorImpTest::SetUp() {};
+
+void SyscollectorImpTest::TearDown()
+{
+    std::remove(SYSCOLLECTOR_DB_PATH);
+};
+
+using ::testing::_;
+using ::testing::Return;
+
+class SysInfoWrapper: public ISysInfo
+{
+    public:
+        SysInfoWrapper() = default;
+        ~SysInfoWrapper() = default;
+        MOCK_METHOD(nlohmann::json, hardware, (), (override));
+        MOCK_METHOD(nlohmann::json, packages, (), (override));
+        MOCK_METHOD(void, packages, (std::function<void(nlohmann::json&)>), (override));
+        MOCK_METHOD(nlohmann::json, os, (), (override));
+        MOCK_METHOD(nlohmann::json, networks, (), (override));
+        MOCK_METHOD(nlohmann::json, processes, (), (override));
+        MOCK_METHOD(void, processes, (std::function<void(nlohmann::json&)>), (override));
+        MOCK_METHOD(nlohmann::json, ports, (), (override));
+        MOCK_METHOD(nlohmann::json, hotfixes, (), (override));
+};
+
+class CallbackMock
+{
+    public:
+        CallbackMock() = default;
+        ~CallbackMock() = default;
+        MOCK_METHOD(void, callbackMock, (const std::string&), ());
+};
+
+void reportFunction(const std::string& /*payload*/)
+{
+    // std::cout << payload << std::endl;
+}
+
+void logFunction(const modules_log_level_t /*level*/, const std::string& /*log*/)
+{
+    // static const std::map<modules_log_level_t, std::string> s_logStringMap
+    // {
+    //     {LOG_ERROR, "ERROR"},
+    //     {LOG_INFO, "INFO"},
+    //     {LOG_DEBUG, "DEBUG"},
+    //     {LOG_DEBUG_VERBOSE, "DEBUG2"}
+    // };
+    // std::cout << s_logStringMap.at(level) << ": " << log << std::endl;
+}
+
+TEST_F(SyscollectorImpTest, defaultCtor)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta.at("type").get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          5, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, intervalSeconds)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"},{"hotfix":"KB87654321"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(::testing::AtLeast(2))
+    .WillRepeatedly(testing::InvokeArgument<0>(nlohmann::json::parse(
+                                                   R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})")));
+
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(2))
+    .WillRepeatedly(::testing::InvokeArgument<0>
+                    (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json));
+
+    std::thread t
+    {
+        [&spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          1, true, true, true, true, true, true, true, true, true, true);
+
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{10});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noScanOnStart)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, os()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, packages(_)).Times(0);
+    EXPECT_CALL(*spInfoWrapper, networks()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, processes(_)).Times(0);
+    EXPECT_CALL(*spInfoWrapper, ports()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).Times(0);
+
+    std::thread t
+    {
+        [&spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, false);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noHardware)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_hwinfo","data":{},"type":"integrity_clear"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, false, true, true, true, true, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+
+}
+
+TEST_F(SyscollectorImpTest, noOs)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, os()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_osinfo","data":{},"type":"integrity_clear"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, false, true, true, true, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(2));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noNetwork)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"component":"syscollector_network_address","data":{},"type":"integrity_clear"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_network_protocol","data":{},"type":"integrity_clear"})"
+    };
+    const auto expectedResult22
+    {
+        R"({"component":"syscollector_network_iface","data":{},"type":"integrity_clear"})"
+    };
+
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult22)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, true, false, true, true, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noPackages)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_)).Times(0);
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_packages","data":{},"type":"integrity_clear"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackDataDelta, &callbackData]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, true, true, false, true, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noPorts)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).Times(0);
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_ports","data":{},"type":"integrity_clear"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          5, true, true, true, true, true, false, true, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noPortsAll)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"udp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"","tx_queue":0},{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"7046b3f9cda975eb6567259c2469748e634dde49","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"09d591fb0ed092c387f77b24af5bada43b5d519d","inode":0,"item_id":"7046b3f9cda975eb6567259c2469748e634dde49","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"udp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":null,"tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, true, true, true, true, false, true, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noProcesses)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_)).Times(0);
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"component":"syscollector_processes","data":{},"type":"integrity_clear"})"
+    };
+
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, true, true, true, true, true, false, true, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, noHotfixes)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz", "ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).Times(0);
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"data":{"checksum":"039934723aa69928b52e470c8d27365b0924b615","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"431625","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult9
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c084f78ed87ed19974b1fd90bbf727c2d1416f7d","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"431625","end":"431625"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"component":"syscollector_hotfixes","data":{},"type":"integrity_clear"})"
+    };
+
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult9)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult19)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData, &callbackDataDelta]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, true, true, true, true, true, true, true, false, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, pushMessageOk)
+{
+    constexpr auto messageToPush{R"(syscollector_network_iface dbsync checksum_fail {"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c","id":1606851004})"};
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json));
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    std::thread t
+    {
+        [&spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          60, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().push(messageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, pushMessageOk1)
+{
+    constexpr auto messageToPush{R"(syscollector_processes dbsync checksum_fail {"begin":"1","end":"99","id":1})"};
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":"411","source":"xorg","version":"1:7.7+19ubuntu14", "os_patch":"","format":"deb","location":" "})"_json));
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":"45","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("id");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    CallbackMock wrapperDelta;
+    std::function<void(const std::string&)> callbackDataDelta
+    {
+        [&wrapperDelta](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+
+            if (delta["type"].get_ref<const std::string&>().compare("dbsync_osinfo") == 0)
+            {
+                delta["data"].erase("checksum");
+            }
+
+            delta["data"].erase("scan_time");
+            wrapperDelta.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"component":"syscollector_hwinfo","data":{"begin":"Intel Corporation","end":"Intel Corporation"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult2
+    {
+        R"({"component":"syscollector_osinfo","data":{"begin":"Microsoft Windows 7","end":"Microsoft Windows 7"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult3
+    {
+        R"({"component":"syscollector_network_iface","data":{"begin":"25eef9a0a422a9b644fb6b73650453148bc6151c","end":"25eef9a0a422a9b644fb6b73650453148bc6151c"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult4
+    {
+        R"({"component":"syscollector_network_protocol","data":{"begin":"9dff246584835755137820c975f034d089e90b6f","end":"d633b040008ea38303d778431ee2fd0b4ee5a37a"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult5
+    {
+        R"({"component":"syscollector_packages","data":{"begin":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","end":"4846c220a185b0fc251a07843efbfbb0d90ac4a5"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult6
+    {
+        R"({"component":"syscollector_hotfixes","data":{"begin":"KB12345678","end":"KB12345678"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult7
+    {
+        R"({"component":"syscollector_ports","data":{"begin":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","end":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult8
+    {
+        R"({"component":"syscollector_processes","data":{"begin":"45","end":"45"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult10
+    {
+        R"({"component":"syscollector_network_address","data":{"begin":"3d48ddc47fac84c62a19746af66fbfcf78547de9","end":"65973316a5dc8615a6d20b2d6c4ce52ecd074496"},"type":"integrity_check_global"})"
+    };
+    const auto expectedResult11
+    {
+        R"({"data":{"board_serial":"Intel Corporation","checksum":"af7b22eef8f5e06c04af4db49c9f8d1d28963918","cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54},"operation":"INSERTED","type":"dbsync_hwinfo"})"
+    };
+    const auto expectedResult12
+    {
+        R"({"data":{"architecture":"x86_64","hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"},"operation":"INSERTED","type":"dbsync_osinfo"})"
+    };
+    const auto expectedResult13
+    {
+        R"({"data":{"adapter":" ","checksum":"165f7160ecd2838479ee4c43c1012b723736d90a","item_id":"25eef9a0a422a9b644fb6b73650453148bc6151c","mac":"d4:5d:64:51:07:5d","mtu":1500,"name":"enp4s0","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":"ethernet"},"operation":"INSERTED","type":"dbsync_network_iface"})"
+    };
+    const auto expectedResult14
+    {
+        R"({"data":{"checksum":"ff63981c231f110a0877ac6acd8862ac09877b5d","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"d633b040008ea38303d778431ee2fd0b4ee5a37a","metric":" ","type":"ipv4"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+    const auto expectedResult15
+    {
+        R"({"data":{"address":"192.168.153.1","broadcast":"192.168.153.255","checksum":"72dfd66759bd8062cdc17607d760a48c906189b3","iface":"enp4s0","item_id":"3d48ddc47fac84c62a19746af66fbfcf78547de9","netmask":"255.255.255.0","proto":0},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult16
+    {
+        R"({"data":{"address":"fe80::250:56ff:fec0:8","checksum":"f606d1a1c551874d8fab33e4e5cfaa0370673ec8","iface":"enp4s0","item_id":"65973316a5dc8615a6d20b2d6c4ce52ecd074496","netmask":"ffff:ffff:ffff:ffff::","proto":1},"operation":"INSERTED","type":"dbsync_network_address"})"
+    };
+    const auto expectedResult17
+    {
+        R"({"data":{"architecture":"amd64","checksum":"c1a125f40a70bab20a252f42ea4ec0dcf90733e8","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","os_patch":null,"priority":"optional","size":"411","source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+    const auto expectedResult18
+    {
+        R"({"data":{"checksum":"56162cd7bb632b4728ec868e8e271b01222ff131","hotfix":"KB12345678"},"operation":"INSERTED","type":"dbsync_hotfixes"})"
+    };
+    const auto expectedResult19
+    {
+        R"({"data":{"checksum":"f25348b1ce5310f36c1ed859d13138fbb4e6bacb","inode":0,"item_id":"cbf2ac25a6775175f912ebf2abc72f6f51ab48ba","local_ip":"127.0.0.1","local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+    const auto expectedResult20
+    {
+        R"({"data":{"checksum":"af3801fac517cf9ae30f746092ce3e4058574454","egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","nice":0,"nlwp":1,"pgrp":0,"pid":"45","ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0},"operation":"INSERTED","type":"dbsync_processes"})"
+    };
+    const auto expectedResult21
+    {
+        R"({"data":{"checksum":"ea17673e7422c0ab04c4f1f111a5828be8cd366a","dhcp":"unknown","gateway":"192.168.0.1|600","iface":"enp4s0","item_id":"9dff246584835755137820c975f034d089e90b6f","metric":" ","type":"ipv6"},"operation":"INSERTED","type":"dbsync_network_protocol"})"
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult4)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult5)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult6)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult7)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult8)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult10)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult11)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult12)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult13)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult14)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult15)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult16)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult17)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult18)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult19)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult20)).Times(1);
+    EXPECT_CALL(wrapperDelta, callbackMock(expectedResult21)).Times(1);
+
+    std::thread t
+    {
+        [&callbackData, &callbackDataDelta, &spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackDataDelta,
+                                          callbackData,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          60, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().push(messageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, pushMessageInvalid)
+{
+    constexpr auto messageToPush{R"(syscollector_network_iface dbsync checksum_fail {"end":"Loopback Pseudo-Interface 1","id":1606851004})"};
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"},{"hotfix":"KB87654321"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json));
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    std::thread t
+    {
+        [&spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          60, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().push(messageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, scanInvalidData)
+{
+    constexpr auto messageToPush{R"(syscollector_network_iface dbsync checksum_fail {"end":"Loopback Pseudo-Interface 1","id":1606851004})"};
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"},{"hotfix":"KB87654321"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json));
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(1))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    std::thread t
+    {
+        [&spInfoWrapper]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          60, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().push(messageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+
+TEST_F(SyscollectorImpTest, portAllEnable)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(R"(
+    [
+        {
+            "inode":43481,
+            "local_ip":"0.0.0.0",
+            "local_port":47748,
+            "pid":0,
+            "process_name":"",
+            "protocol":"udp",
+            "remote_ip":"0.0.0.0",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"",
+            "tx_queue":0
+        },
+        {
+            "inode":43482,
+            "local_ip":"::",
+            "local_port":51087,
+            "pid":0,
+            "process_name":"",
+            "protocol":"udp6",
+            "remote_ip":"::",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"",
+            "tx_queue":0
+        },
+        {
+            "inode":50324,
+            "local_ip":"127.0.0.1",
+            "local_port":33060,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"0.0.0.0",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"listening",
+            "tx_queue":0
+        },
+        {
+            "inode":122575,
+            "local_ip":"192.168.0.104",
+            "local_port":39106,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"44.238.116.130",
+            "remote_port":443,
+            "rx_queue":0,
+            "state":"established",
+            "tx_queue":0
+        },
+        {
+            "inode":122575,
+            "local_ip":"192.168.0.104",
+            "local_port":39106,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"44.238.116.130",
+            "remote_port":443,
+            "rx_queue":0,
+            "state":"established",
+            "tx_queue":0
+        }
+    ])")));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("scan_time");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+    const auto expectedResult1
+    {
+        R"({"data":{"inode":43481,"item_id":"12903a43db24ab10d872547cdd1d786a5876a0da","local_ip":"0.0.0.0","local_port":47748,"pid":0,"process_name":null,"protocol":"udp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":null,"tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    const auto expectedResult2
+    {
+        R"({"data":{"inode":43482,"item_id":"ca7c9aff241cb251c6ad31e30b806366ecb2ad5f","local_ip":"::","local_port":51087,"pid":0,"process_name":null,"protocol":"udp6","remote_ip":"::","remote_port":0,"rx_queue":0,"state":null,"tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    const auto expectedResult3
+    {
+        R"({"data":{"inode":50324,"item_id":"8c790ef53962dd27f4516adb1d7f3f6096bc6d29","local_ip":"127.0.0.1","local_port":33060,"pid":0,"process_name":null,"protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    const auto expectedResult4
+    {
+        R"({"data":{"inode":122575,"item_id":"d5511242275bd3f2d57175f248108d6c3b39c438","local_ip":"192.168.0.104","local_port":39106,"pid":0,"process_name":null,"protocol":"tcp","remote_ip":"44.238.116.130","remote_port":443,"rx_queue":0,"state":"established","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult3)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult4)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackData,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, false, false, false, false, true, true, false, false, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F(SyscollectorImpTest, portAllDisable)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(R"(
+    [
+        {
+            "inode":43481,
+            "local_ip":"0.0.0.0",
+            "local_port":47748,
+            "pid":0,
+            "process_name":"",
+            "protocol":"udp",
+            "remote_ip":"0.0.0.0",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"",
+            "tx_queue":0
+        },
+        {
+            "inode":43482,
+            "local_ip":"::",
+            "local_port":51087,
+            "pid":0,
+            "process_name":"",
+            "protocol":"udp6",
+            "remote_ip":"::",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"",
+            "tx_queue":0
+        },
+        {
+            "inode":50324,
+            "local_ip":"127.0.0.1",
+            "local_port":33060,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"0.0.0.0",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"listening",
+            "tx_queue":0
+        },
+        {
+            "inode":50324,
+            "local_ip":"127.0.0.1",
+            "local_port":33060,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"0.0.0.0",
+            "remote_port":0,
+            "rx_queue":0,
+            "state":"listening",
+            "tx_queue":0
+        },
+        {
+            "inode":122575,
+            "local_ip":"192.168.0.104",
+            "local_port":39106,
+            "pid":0,
+            "process_name":"",
+            "protocol":"tcp",
+            "remote_ip":"44.238.116.130",
+            "remote_port":443,
+            "rx_queue":0,
+            "state":"established",
+            "tx_queue":0
+        }
+    ])")));
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("scan_time");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+    const auto expectedResult1
+    {
+        R"({"data":{"inode":43481,"item_id":"12903a43db24ab10d872547cdd1d786a5876a0da","local_ip":"0.0.0.0","local_port":47748,"pid":0,"process_name":null,"protocol":"udp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":null,"tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    const auto expectedResult2
+    {
+        R"({"data":{"inode":43482,"item_id":"ca7c9aff241cb251c6ad31e30b806366ecb2ad5f","local_ip":"::","local_port":51087,"pid":0,"process_name":null,"protocol":"udp6","remote_ip":"::","remote_port":0,"rx_queue":0,"state":null,"tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    const auto expectedResult3
+    {
+        R"({"data":{"inode":50324,"item_id":"8c790ef53962dd27f4516adb1d7f3f6096bc6d29","local_ip":"127.0.0.1","local_port":33060,"pid":0,"process_name":null,"protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0},"operation":"INSERTED","type":"dbsync_ports"})"
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(expectedResult1)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult2)).Times(1);
+    EXPECT_CALL(wrapper, callbackMock(expectedResult3)).Times(1);
+
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackData,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, false, false, false, false, true, false, false, false, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+
+TEST_F(SyscollectorImpTest, PackagesDuplicated)
+{
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(1))
+    .WillOnce(::testing::DoAll(
+                  ::testing::InvokeArgument<0>
+                  (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json),
+                  ::testing::InvokeArgument<0>
+                  (R"({"architecture":"amd64","scan_time":"2020/12/28 21:49:50", "group":"x11","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14","format":"deb","location":" "})"_json)));
+
+
+
+    CallbackMock wrapper;
+    std::function<void(const std::string&)> callbackData
+    {
+        [&wrapper](const std::string & data)
+        {
+            auto delta = nlohmann::json::parse(data);
+            delta["data"].erase("checksum");
+            delta["data"].erase("scan_time");
+            wrapper.callbackMock(delta.dump());
+        }
+    };
+
+    const auto expectedResult1
+    {
+        R"({"data":{"architecture":"amd64","format":"deb","group":"x11","item_id":"4846c220a185b0fc251a07843efbfbb0d90ac4a5","location":" ","name":"xserver-xorg","priority":"optional","size":411,"source":"xorg","version":"1:7.7+19ubuntu14"},"operation":"INSERTED","type":"dbsync_packages"})"
+    };
+
+    EXPECT_CALL(wrapper, callbackMock(expectedResult1)).Times(1);
+    std::thread t
+    {
+        [&spInfoWrapper, &callbackData]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          callbackData,
+                                          reportFunction,
+                                          logFunction,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          3600, true, false, false, false, true, false, false, false, false, true);
+        }
+    };
+
+    std::this_thread::sleep_for(std::chrono::seconds{2});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
+
+TEST_F (SyscollectorImpTest, SyncOverlap)
+{
+    constexpr auto firstMessageToPush{R"(syscollector_packages no_data {"begin":"0005a2bdc731445bbe68d6706e452937bdbc9e2f","end":"fff931b8ce752c06e9b219189281b7eae4285d44","id":1713982194})"};
+    constexpr auto secondMessageToPush{R"(syscollector_packages checksum_fail {"begin":"0005a2bdc731445bbe68d6706e452937bdbc9e2f","end":"fff931b8ce752c06e9b219189281b7eae4285d44","id":1713982197})"};
+    const time_t intervalValue = 3;
+
+    const auto spInfoWrapper{std::make_shared<SysInfoWrapper>()};
+    EXPECT_CALL(*spInfoWrapper, hardware()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"board_serial":"Intel Corporation","scan_time":"2020/12/28 21:49:50", "cpu_MHz":2904,"cpu_cores":2,"cpu_name":"Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz","ram_free":2257872,"ram_total":4972208,"ram_usage":54})")));
+    EXPECT_CALL(*spInfoWrapper, networks()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                      R"({"iface":[{"address":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "mac":"d4:5d:64:51:07:5d", "gateway":"192.168.0.1|600","broadcast":"127.255.255.255", "name":"ens1", "mtu":1500, "name":"enp4s0", "adapter":" ", "type":"ethernet", "state":"up", "dhcp":"disabled","iface":"Loopback Pseudo-Interface 1","metric":"75","netmask":"255.0.0.0","proto":"IPv4","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0, "IPv4":[{"address":"192.168.153.1","broadcast":"192.168.153.255","dhcp":"unknown","metric":" ","netmask":"255.255.255.0"}], "IPv6":[{"address":"fe80::250:56ff:fec0:8","dhcp":"unknown","metric":" ","netmask":"ffff:ffff:ffff:ffff::"}]}]})")));
+    EXPECT_CALL(*spInfoWrapper, os()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                R"({"architecture":"x86_64","scan_time":"2020/12/28 21:49:50", "hostname":"UBUNTU","os_build":"7601","os_major":"6","os_minor":"1","os_name":"Microsoft Windows 7","os_release":"sp1","os_version":"6.1.7601"})")));
+    EXPECT_CALL(*spInfoWrapper, ports()).WillRepeatedly(Return(nlohmann::json::parse(
+                                                                   R"([{"inode":0,"local_ip":"127.0.0.1","scan_time":"2020/12/28 21:49:50", "local_port":631,"pid":0,"process_name":"System Idle Process","protocol":"tcp","remote_ip":"0.0.0.0","remote_port":0,"rx_queue":0,"state":"listening","tx_queue":0}])")));
+    EXPECT_CALL(*spInfoWrapper, hotfixes()).WillRepeatedly(Return(R"([{"hotfix":"KB12345678"}])"_json));
+    EXPECT_CALL(*spInfoWrapper, packages(_))
+    .Times(::testing::AtLeast(2))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"name":"TEXT", "scan_time":"2020/12/28 21:49:50", "version":"TEXT", "vendor":"TEXT", "install_time":"TEXT", "location":"TEXT", "architecture":"TEXT", "groups":"TEXT", "description":"TEXT", "size":"TEXT", "priority":"TEXT", "multiarch":"TEXT", "source":"TEXT", "os_patch":"TEXT"})"_json));
+
+    EXPECT_CALL(*spInfoWrapper, processes(_))
+    .Times(testing::AtLeast(2))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json))
+    .WillOnce(::testing::InvokeArgument<0>
+              (R"({"egroup":"root","euser":"root","fgroup":"root","name":"kworker/u256:2-","scan_time":"2020/12/28 21:49:50", "nice":0,"nlwp":1,"pgrp":0,"pid":431625,"ppid":2,"priority":20,"processor":1,"resident":0,"rgroup":"root","ruser":"root","session":0,"sgroup":"root","share":0,"size":0,"start_time":9302261,"state":"I","stime":3,"suser":"root","tgid":431625,"tty":0,"utime":0,"vm_size":0})"_json));
+
+    const auto captureLog
+    {
+        [](const modules_log_level_t /*level*/, const std::string & log)
+        {
+            std::string expectedStr {"Syscollector synchronization process concluded recently, delaying scan for 1 second/s"};
+
+            if (log.find("Discarded") != std::string::npos)
+            {
+                EXPECT_STREQ(log.c_str(), expectedStr.c_str());
+            }
+        }
+    };
+
+    std::thread t
+    {
+        [&spInfoWrapper, &captureLog, &intervalValue]()
+        {
+            Syscollector::instance().init(spInfoWrapper,
+                                          reportFunction,
+                                          reportFunction,
+                                          captureLog,
+                                          SYSCOLLECTOR_DB_PATH,
+                                          "",
+                                          "",
+                                          intervalValue, true, true, true, true, true, true, true, true, true, true);
+        }
+    };
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().push(firstMessageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{intervalValue});
+    Syscollector::instance().push(secondMessageToPush);
+    std::this_thread::sleep_for(std::chrono::seconds{1});
+    Syscollector::instance().destroy();
+
+    if (t.joinable())
+    {
+        t.join();
+    }
+}
diff --git a/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.h b/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.h
new file mode 100644
index 0000000000..d9ac6bd72b
--- /dev/null
+++ b/src/modules/inventory/tests/sysCollectorImp/syscollectorImp_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh SyscollectorImp
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 9, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYSCOLLECTOR_IMP_TEST_H
+#define _SYSCOLLECTOR_IMP_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SyscollectorImpTest : public ::testing::Test
+{
+    protected:
+
+        SyscollectorImpTest() = default;
+        virtual ~SyscollectorImpTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYSCOLLECTOR_IMP_TEST_H
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysNormalizer/CMakeLists.txt b/src/modules/inventory/tests/sysNormalizer/CMakeLists.txt
new file mode 100644
index 0000000000..f3290609e3
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/CMakeLists.txt
@@ -0,0 +1,48 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(sys_normalizer_unit_test)
+
+set(CMAKE_CXX_FLAGS_DEBUG "-g --coverage")
+
+
+file(GLOB SYS_NORMALIZER_UNIT_TEST_SRC
+    "*.cpp")
+
+file(GLOB SYS_NORMALIZER_SRC
+    "${CMAKE_SOURCE_DIR}/src/syscollectorNormalizer.cpp")
+
+add_definitions(-DWAZUH_UNIT_TESTING)
+
+add_executable(sys_normalizer_unit_test
+    ${SYS_NORMALIZER_UNIT_TEST_SRC}
+    ${SYS_NORMALIZER_SRC})
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(sys_normalizer_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        -static-libgcc -static-libstdc++
+    )
+else()
+    target_link_libraries(sys_normalizer_unit_test
+        debug gtestd
+        debug gmockd
+        debug gtest_maind
+        debug gmock_maind
+        optimized gtest
+        optimized gmock
+        optimized gtest_main
+        optimized gmock_main
+        pthread
+        dl
+    )
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+
+add_test(NAME sys_normalizer_unit_test
+         COMMAND sys_normalizer_unit_test)
diff --git a/src/modules/inventory/tests/sysNormalizer/main.cpp b/src/modules/inventory/tests/sysNormalizer/main.cpp
new file mode 100644
index 0000000000..fd7a178715
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/main.cpp
@@ -0,0 +1,7 @@
+#include "gtest/gtest.h"
+
+int main(int argc, char** argv)
+{
+    ::testing::InitGoogleTest(&argc, argv);
+    return RUN_ALL_TESTS();
+}
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.cpp b/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.cpp
new file mode 100644
index 0000000000..57a2866bb4
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.cpp
@@ -0,0 +1,248 @@
+/*
+ * Wazuh SyscollectorNormalizer
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "sysNormalizer_test.h"
+#include "test_config.h"
+#include "test_input.h"
+#include "syscollectorNormalizer.h"
+#include <fstream>
+#include <cstdio>
+
+
+void SysNormalizerTest::SetUp()
+{
+    std::ofstream testConfigFile{TEST_CONFIG_FILE_NAME};
+
+    if (testConfigFile.is_open())
+    {
+        testConfigFile << TEST_CONFIG_FILE_CONTENT;
+    }
+};
+
+void SysNormalizerTest::TearDown()
+{
+    std::remove(TEST_CONFIG_FILE_NAME);
+};
+
+using ::testing::_;
+using ::testing::Return;
+
+TEST_F(SysNormalizerTest, ctor)
+{
+    EXPECT_NO_THROW((SysNormalizer{TEST_CONFIG_FILE_NAME, "macos"}));
+}
+
+TEST_F(SysNormalizerTest, ctorNonExistingFile)
+{
+    EXPECT_NO_THROW((SysNormalizer{"TEST_CONFIG_FILE_NAME", "macos"}));
+}
+
+TEST_F(SysNormalizerTest, ctorWrongFormatConfig)
+{
+    constexpr auto WRONG_FORMAT_FILE{"wrong_format.json"};
+    std::ofstream testConfigFile{WRONG_FORMAT_FILE};
+
+    if (testConfigFile.is_open())
+    {
+        testConfigFile << R"({"exclusions":[})";
+    }
+
+    EXPECT_NO_THROW((SysNormalizer{WRONG_FORMAT_FILE, "macos"}));
+    std::remove(WRONG_FORMAT_FILE);
+}
+
+TEST_F(SysNormalizerTest, excludeSiriAndiTunes)
+{
+    auto inputJson(nlohmann::json::parse(TEST_INPUT_DATA));
+    const auto size{inputJson.size()};
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.removeExcluded("packages", inputJson);
+    EXPECT_EQ(size, inputJson.size() + 2);
+}
+
+TEST_F(SysNormalizerTest, excludeSingleItemNoMatch)
+{
+    const auto& origJson{nlohmann::json::parse(R"(
+        {
+            "description": "com.apple.FaceTime",
+            "group": "public.app-category.social-networking",
+            "name": "FaceTime",
+            "version": "3.0"
+        })")};
+    nlohmann::json normalized(origJson);
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.removeExcluded("packages", normalized);
+    EXPECT_EQ(normalized, origJson);
+}
+
+TEST_F(SysNormalizerTest, excludeSingleItemMatch)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.apple.siri.launcher",
+            "group": "public.app-category.utilities",
+            "name": "Siri",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.removeExcluded("packages", inputJson);
+    EXPECT_TRUE(inputJson.empty());
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleMicosoft)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.microsoft.antivirus",
+            "group": "public.app-category.security",
+            "name": "Microsoft Defender",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "Microsoft");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleMcAfee1)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.mcafee.antivirus",
+            "group": "public.app-category.security",
+            "name": "McAfee Antivirus For Mac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "McAfee");
+    EXPECT_EQ(inputJson["name"], "Antivirus");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleMcAfee2)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.mcafee.antivirus",
+            "group": "public.app-category.security",
+            "name": "McAfee Endpoint Protection For Mac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "McAfee");
+    EXPECT_EQ(inputJson["name"], "Endpoint Protection");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleTotalDefense1)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.totaldefense.antivirus",
+            "group": "public.app-category.security",
+            "name": "TotalDefenseAntivirusforMac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "TotalDefense");
+    EXPECT_EQ(inputJson["name"], "Anti-Virus");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleTotalDefense2)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.totaldefense.antivirus",
+            "group": "public.app-category.security",
+            "name": "TotalDefenseOtherProductforMac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "TotalDefense");
+    EXPECT_EQ(inputJson["name"], "OtherProduct");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleAVG1)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.avg.antivirus",
+            "group": "public.app-category.security",
+            "name": "AVGAntivirus",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "AVG");
+    EXPECT_EQ(inputJson["name"], "Anti-Virus");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleAVG2)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.avg.antivirus",
+            "group": "public.app-category.security",
+            "name": "AVGOtherProduct",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["vendor"], "AVG");
+    EXPECT_EQ(inputJson["name"], "OtherProduct");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleKaspersky1)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.kaspersky.antivirus",
+            "group": "public.app-category.security",
+            "name": "Kaspersky Antivirus For Mac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["name"], "Kaspersky Antivirus");
+}
+
+TEST_F(SysNormalizerTest, normalizeSingleKaspersky2)
+{
+    auto inputJson(nlohmann::json::parse(R"(
+        {
+            "description": "com.kaspersky.internetsecurity",
+            "group": "public.app-category.security",
+            "name": "Kaspersky Internet Security For Mac",
+            "version": "1.0"
+        })"));
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_FALSE(inputJson.empty());
+    EXPECT_EQ(inputJson["name"], "Kaspersky Internet Security");
+}
+
+TEST_F(SysNormalizerTest, normalizeItemMatch)
+{
+    auto inputJson(nlohmann::json::parse(TEST_INPUT_DATA));
+    const auto origJson(inputJson);
+    SysNormalizer normalizer{TEST_CONFIG_FILE_NAME, "macos"};
+    normalizer.normalize("packages", inputJson);
+    EXPECT_EQ(inputJson.size(), origJson.size());
+    EXPECT_NE(inputJson, origJson);
+}
diff --git a/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.h b/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.h
new file mode 100644
index 0000000000..8e166e7635
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/sysNormalizer_test.h
@@ -0,0 +1,27 @@
+/*
+ * Wazuh SyscollectorNormalizer
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 12, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifndef _SYS_NORMALIZER_TEST_H
+#define _SYS_NORMALIZER_TEST_H
+#include "gtest/gtest.h"
+#include "gmock/gmock.h"
+
+class SysNormalizerTest : public ::testing::Test
+{
+    protected:
+
+        SysNormalizerTest() = default;
+        virtual ~SysNormalizerTest() = default;
+
+        void SetUp() override;
+        void TearDown() override;
+};
+
+#endif //_SYS_NORMALIZER_TEST_H
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysNormalizer/test_config.h b/src/modules/inventory/tests/sysNormalizer/test_config.h
new file mode 100644
index 0000000000..64feebf38d
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/test_config.h
@@ -0,0 +1,164 @@
+#ifndef _TEST_CONFIG_H
+#define _TEST_CONFIG_H
+constexpr auto TEST_CONFIG_FILE_CONTENT
+{
+    R"DELIMITER({
+    "exclusions": [
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "field_name": "name",
+            "pattern": "(Siri)"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "field_name": "name",
+            "pattern": "(iCloud)"
+        }
+    ],
+    "dictionary": [
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*Microsoft.*",
+            "add_field": "vendor",
+            "add_value": "Microsoft"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*VMware.*",
+            "add_field": "vendor",
+            "add_value": "VMware"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*Symantec.*",
+            "add_field": "vendor",
+            "add_value": "Symantec"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*(Quick ).*",
+            "add_field": "vendor",
+            "add_value": "Quick Heal"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*QuickHeal.*",
+            "add_field": "vendor",
+            "add_value": "QuickHeal"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field": "name",
+            "replace_pattern": "(zoom.us)",
+            "replace_value": "zoom"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": "Kaspersky.*",
+            "replace_pattern": "( For Mac)",
+            "replace_field": "name",
+            "replace_value": ""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*McAfee.*",
+            "add_field": "vendor",
+            "add_value": "McAfee",
+            "replace_field":"name",
+            "replace_pattern":"( For Mac)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(McAfee )",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*TotalDefense.*",
+            "add_field": "vendor",
+            "add_value": "TotalDefense",
+            "replace_field":"name",
+            "replace_pattern":"(forMac)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*TotalDefense.*",
+            "replace_field":"name",
+            "replace_pattern":"(Antivirus)",
+            "replace_value":"Anti-Virus"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(TotalDefense)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name",
+            "find_pattern": ".*AVG.*",
+            "add_field": "vendor",
+            "add_value": "AVG",
+            "replace_field":"name",
+            "replace_pattern":"(Antivirus)",
+            "replace_value":"Anti-Virus"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field":"name",
+            "replace_pattern":"(AVG)",
+            "replace_value":""
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "replace_field": "name",
+            "replace_pattern": "(AntivirusforMac)",
+            "replace_value":"Antivirus"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "someinexistentfield",
+            "find_pattern": "(somepattern)"
+        },
+        {
+            "target": "macos",
+            "data_type": "packages",
+            "find_field": "name"
+        }
+    ]
+    })DELIMITER"
+};
+
+constexpr auto TEST_CONFIG_FILE_NAME {"test_config.json"};
+
+#endif //_TEST_CONFIG_H
\ No newline at end of file
diff --git a/src/modules/inventory/tests/sysNormalizer/test_input.h b/src/modules/inventory/tests/sysNormalizer/test_input.h
new file mode 100644
index 0000000000..104d13e2d2
--- /dev/null
+++ b/src/modules/inventory/tests/sysNormalizer/test_input.h
@@ -0,0 +1,260 @@
+#ifndef _TEST_INPUT_H
+#define _TEST_INPUT_H
+constexpr auto TEST_INPUT_DATA
+{
+    R"([
+        {
+        "description": "com.apple.appstore",
+        "group": "public.app-category.utilities",
+        "name": "App Store",
+        "version": "2.2.1"
+        }, {
+            "description": "com.apple.Automator",
+            "group": "public.app-category.utilities",
+            "name": "Automator",
+            "version": "2.7"
+        }, {
+            "description": "com.apple.calculator",
+            "group": "public.app-category.utilities",
+            "name": "Calculator",
+            "version": "10.8"
+        }, {
+            "description": "com.apple.iCal",
+            "group": "public.app-category.productivity",
+            "name": "Calendar",
+            "version": "9.0"
+        }, {
+            "description": "com.apple.Chess",
+            "group": "public.app-category.board-games",
+            "name": "Chess",
+            "version": "3.14"
+        }, {
+            "description": "com.apple.AddressBook",
+            "group": "public.app-category.productivity",
+            "name": "Contacts",
+            "version": "10.0"
+        }, {
+            "description": "com.apple.dashboardlauncher",
+            "group": "public.app-category.utilities",
+            "name": "Dashboard",
+            "version": "1.8"
+        }, {
+            "description": "com.apple.Dictionary",
+            "group": "public.app-category.reference",
+            "name": "Dictionary",
+            "version": "2.2.1"
+        }, {
+            "description": "com.apple.DVDPlayer",
+            "group": "public.app-category.video",
+            "name": "DVD Player",
+            "version": "5.8"
+        }, {
+            "description": "com.apple.FaceTime",
+            "group": "public.app-category.social-networking",
+            "name": "FaceTime",
+            "version": "3.0"
+        }, {
+            "description": "com.apple.FontBook",
+            "group": "public.app-category.utilities",
+            "name": "Font Book",
+            "version": "7.0"
+        }, {
+            "description": "com.apple.iBooksX",
+            "group": "public.app-category.education",
+            "name": "iBooks",
+            "version": "1.10"
+        }, {
+            "description": "com.apple.Image_Capture",
+            "group": "public.app-category.utilities",
+            "name": "Image Capture",
+            "version": "6.8"
+        }, {
+            "description": "com.apple.iCloud",
+            "group": "public.app-category.social-networking",
+            "name": "iCloud",
+            "version": "12.6.2"
+        }, {
+            "description": "com.apple.launchpad.launcher",
+            "group": "public.app-category.utilities",
+            "name": "Launchpad",
+            "version": "1.0"
+        }, {
+            "description": "com.apple.mail",
+            "group": "public.app-category.productivity",
+            "name": "Mail",
+            "version": "10.3"
+        }, {
+            "description": "com.apple.Maps",
+            "group": "public.app-category.travel",
+            "name": "Maps",
+            "version": "2.0"
+        }, {
+            "description": "com.apple.iChat",
+            "group": "public.app-category.social-networking",
+            "name": "Messages",
+            "version": "10.0"
+        }, {
+            "description": "com.apple.exposelauncher",
+            "group": "public.app-category.utilities",
+            "name": "Mission Control",
+            "version": "1.2"
+        }, {
+            "description": "com.apple.Notes",
+            "group": "public.app-category.productivity",
+            "name": "Notes",
+            "version": "4.4"
+        }, {
+            "description": "fr.whitebox.Packages",
+            "group": "public.app-category.developer-tools",
+            "name": "Packages",
+            "version": "1.2.7"
+        }, {
+            "description": "com.apple.PhotoBooth",
+            "group": "public.app-category.entertainment",
+            "name": "Photo Booth",
+            "version": "8.0"
+        }, {
+            "description": "com.apple.Photos",
+            "group": "public.app-category.photography",
+            "name": "Photos",
+            "version": "2.0"
+        }, {
+            "description": "com.apple.Preview",
+            "group": "public.app-category.productivity",
+            "name": "Preview",
+            "version": "9.0"
+        }, {
+            "description": "com.apple.QuickTimePlayerX",
+            "group": "public.app-category.video",
+            "name": "QuickTime Player",
+            "version": "10.4"
+        }, {
+            "description": "com.apple.reminders",
+            "group": "public.app-category.productivity",
+            "name": "Reminders",
+            "version": "4.0"
+        }, {
+            "description": "com.apple.Safari",
+            "group": "public.app-category.productivity",
+            "name": "Safari",
+            "version": "10.1.2"
+        }, {
+            "description": "com.apple.siri.launcher",
+            "group": "public.app-category.utilities",
+            "name": "Siri",
+            "version": "1.0"
+        }, {
+            "description": "com.apple.Stickies",
+            "group": "public.app-category.productivity",
+            "name": "Stickies",
+            "version": "10.0"
+        }, {
+            "description": "com.apple.systempreferences",
+            "group": "public.app-category.utilities",
+            "name": "System Preferences",
+            "version": "14.0"
+        }, {
+            "description": "com.apple.TextEdit",
+            "group": "public.app-category.productivity",
+            "name": "TextEdit",
+            "version": "1.12"
+        }, {
+            "description": "com.apple.backup.launcher",
+            "group": "public.app-category.utilities",
+            "name": "Time Machine",
+            "version": "1.3"
+        }, {
+            "description": "com.apple.ActivityMonitor",
+            "group": "public.app-category.utilities",
+            "name": "Activity Monitor",
+            "version": "10.12"
+        }, {
+            "description": "com.apple.airport.airportutility",
+            "group": "public.app-category.utilities",
+            "name": "AirPort Utility",
+            "version": "6.3.7"
+        }, {
+            "description": "com.apple.audio.AudioMIDISetup",
+            "group": "public.app-category.utilities",
+            "name": "Audio MIDI Setup",
+            "version": "3.1"
+        }, {
+            "description": "com.apple.BluetoothFileExchange",
+            "group": "public.app-category.utilities",
+            "name": "Bluetooth File Exchange",
+            "version": "5.0.5"
+        }, {
+            "description": "com.apple.bootcampassistant",
+            "group": "public.app-category.utilities",
+            "name": "Boot Camp Assistant",
+            "version": "6.1.0"
+        }, {
+            "description": "com.apple.ColorSyncUtility",
+            "group": "public.app-category.productivity",
+            "name": "ColorSync Utility",
+            "version": "4.12.0"
+        }, {
+            "description": "com.apple.Console",
+            "group": "public.app-category.utilities",
+            "name": "Console",
+            "version": "1.0"
+        }, {
+            "description": "com.apple.DigitalColorMeter",
+            "group": "public.app-category.productivity",
+            "name": "Digital Color Meter",
+            "version": "5.11"
+        }, {
+            "description": "com.apple.DiskUtility",
+            "name": "Disk Utility",
+            "version": "16.3"
+        }, {
+            "description": "com.apple.Grab",
+            "group": "public.app-category.utilities",
+            "name": "Grab",
+            "version": "1.9"
+        }, {
+            "description": "com.apple.grapher",
+            "group": "public.app-category.education",
+            "name": "Grapher",
+            "version": "2.5"
+        }, {
+            "description": "com.apple.keychainaccess",
+            "group": "public.app-category.utilities",
+            "name": "Keychain Access",
+            "version": "9.0"
+        }, {
+            "description": "com.apple.MigrateAssistant",
+            "group": "public.app-category.utilities",
+            "name": "Migration Assistant",
+            "version": "10.12"
+        }, {
+            "description": "com.apple.ScriptEditor2",
+            "group": "public.app-category.utilities",
+            "name": "Script Editor",
+            "version": "2.9"
+        }, {
+            "description": "com.apple.SystemProfiler",
+            "group": "public.app-category.utilities",
+            "name": "System Information",
+            "version": "10.12"
+        }, {
+            "description": "com.apple.Terminal",
+            "group": "public.app-category.utilities",
+            "name": "Terminal",
+            "version": "2.7.3"
+        }, {
+            "description": "com.apple.VoiceOverUtility",
+            "group": "public.app-category.utilities",
+            "name": "VoiceOver Utility",
+            "version": "7.0"
+        },
+        {
+            "description": "com.kaspersky.antivirus",
+            "group": "public.app-category.security",
+            "name": "Kaspersky AntivirusforMac",
+            "version": "1.0"
+        }
+    ])"
+};
+
+#endif //_TEST_INPUT_H
\ No newline at end of file
diff --git a/src/modules/inventory/testtool/CMakeLists.txt b/src/modules/inventory/testtool/CMakeLists.txt
new file mode 100644
index 0000000000..3dac44034f
--- /dev/null
+++ b/src/modules/inventory/testtool/CMakeLists.txt
@@ -0,0 +1,82 @@
+cmake_minimum_required(VERSION 3.12.4)
+
+project(syscollector_test_tool)
+
+include_directories(${CMAKE_SOURCE_DIR}/)
+include_directories(${CMAKE_SOURCE_DIR}/testtool/)
+include_directories(${SRC_FOLDER}/shared_modules/common/)
+include_directories(${SRC_FOLDER}/shared_modules/dbsync/include/)
+include_directories(${SRC_FOLDER}/shared_modules/rsync/include/)
+include_directories(${SRC_FOLDER}/external/nlohmann/)
+include_directories(${CMAKE_SOURCE_DIR}/src/)
+
+link_directories(${SRC_FOLDER}/shared_modules/dbsync/build/lib)
+link_directories(${SRC_FOLDER}/shared_modules/rsync/build/lib)
+link_directories(${SRC_FOLDER}/data_provider/build/lib)
+link_directories(${SRC_FOLDER}/external/openssl/)
+link_directories(${SRC_FOLDER}/external/procps/)
+
+if(COVERITY)
+  add_definitions(-D__GNUC__=8)
+endif(COVERITY)
+add_definitions(-DWAZUH_UNIT_TESTING)
+
+set(CMAKE_CXX_FLAGS "-g -Wall -Wextra -Wshadow -Wnon-virtual-dtor -Woverloaded-virtual -Wunused -Wcast-align -Wformat=2 -std=c++14 -pthread")
+
+if(FSANITIZE)
+  set(CMAKE_CXX_FLAGS_DEBUG "-fsanitize=address,leak,undefined")
+endif(FSANITIZE)
+
+file(GLOB SYSCOLLECTOR_TESTTOOL_SRC
+        "${CMAKE_SOURCE_DIR}/testtool/*.cpp"
+        )
+
+add_executable(syscollector_test_tool
+               ${SYSCOLLECTOR_TESTTOOL_SRC}
+               )
+
+if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+    target_link_libraries(syscollector_test_tool
+        rsync
+        dbsync
+        sysinfo
+        syscollector
+        psapi
+        iphlpapi
+        crypto
+        ssl
+        ws2_32
+        crypt32
+        -static-libstdc++
+    )
+elseif (CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")
+    target_link_libraries(syscollector_test_tool
+        rsync
+        dbsync
+        sysinfo
+        syscollector
+        pthread)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "AIX")
+    target_link_libraries(syscollector_test_tool
+        rsync
+        dbsync
+        sysinfo
+        syscollector
+        dl)
+else()
+    target_link_libraries(syscollector_test_tool
+        rsync
+        dbsync
+        sysinfo
+        syscollector
+        dl
+        proc
+    )
+
+    if(SOLARIS)
+        target_link_libraries(syscollector_test_tool
+            nsl
+            socket
+        )
+    endif(SOLARIS)
+endif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
diff --git a/src/modules/inventory/testtool/Readme.md b/src/modules/inventory/testtool/Readme.md
new file mode 100644
index 0000000000..853893ff3e
--- /dev/null
+++ b/src/modules/inventory/testtool/Readme.md
@@ -0,0 +1,45 @@
+# Syscollector Testing Tool
+## Index
+1. [Purpose](#purpose)
+2. [Compile Wazuh](#compile-wazuh)
+3. [How to use the tool](#how-to-use-the-tool)
+
+## Purpose
+The Syscollector Testing Tool was created to test and validate the data obtained by the module's execution. This tool works as a black box where an user will be able execute it and analyze the output data as desired.
+
+## Compile Wazuh
+In order compile the solution on a specific wazuh target, the project needs to be built either in release or debug mode.
+```
+make TARGET=server|agent <DEBUG=1>
+```
+
+## How to use the tool
+In order to run the `syscollector_test_tool` (located in `src/wazuh_modules/syscollector/build/bin` folder) utility the only step to be followed is just to execute the tool (without parameters):
+```
+./syscollector_test_tool
+```
+
+The information output will vary based on the Operating System the tool is being executed.
+A brief example could be similar to the following one:
+
+```
+Syscollector started.
+sync output payload:
+{"component":"syscollector_hwinfo","data":{"begin":" ","checksum":"3db55e04fee8f5aa7419d8b9d4d1617a3b8fd2ef","end":" ","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_osinfo","data":{"begin":"Ubuntu","checksum":"0c240d543ff8a7b79b5c2d0c4e2e29ca373ed307","end":"Ubuntu","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_network_iface","data":{"begin":"337c5c4e7d7cd33351bef413cfc2d6303f13e83e","checksum":"2c2e4ad6d01264dc57b2b3039e49a96ca1509330","end":"d131e91c2db8ceb58409fc3bb90aaeb4d1e4ec91","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_network_protocol","data":{"begin":"0e1a576f6770c94e91a84fa0edfd614c6dc12a97","checksum":"2378bf6ee268515ac6cad0945e4a34be8dd631d5","end":"db5cc5ed93bcde1022fcc50aa26b9de65c1f15e2","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_network_address","data":{"begin":"2ccf6b2db44e65a68d86a6b9ef6f17a80a907569","checksum":"d41fee050466607400a5f290ed9b894029db85fc","end":"e9981f5ab4c34df5aa88d243e53b1d4426a0516b","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_packages","data":{"begin":"003015c0ebad681afe5d952aefdd4b4594c5582f","checksum":"d7f1fddc385a2b2ed217d4e4f69d8dea91c59b3b","end":"fff4269c511fbd018de2f99a51418cb7df642b5d","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_hotfixes","data":{"id":1612989513},"type":"integrity_clear"}
+sync output payload:
+{"component":"syscollector_ports","data":{"begin":"0314f72c149cf5039a8b5600bfd37c84cc7ec864","checksum":"5e7653d32d990ee20d8721c5d364031d81a24ea9","end":"e4275099e8eda9a6361665b27d166208ac573609","id":1612989513},"type":"integrity_check_global"}
+sync output payload:
+{"component":"syscollector_processes","data":{"begin":"1","checksum":"57e84d8e1c7b05489f68e5e013db408f5ef2abbd","end":"984","id":1612989513},"type":"integrity_check_global"}
+```
diff --git a/src/modules/inventory/testtool/main.cpp b/src/modules/inventory/testtool/main.cpp
new file mode 100644
index 0000000000..3c69a863d9
--- /dev/null
+++ b/src/modules/inventory/testtool/main.cpp
@@ -0,0 +1,137 @@
+/*
+ * Wazuh SysCollector Test tool
+ * Copyright (C) 2015, Wazuh Inc.
+ * October 7, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <fstream>
+#include <iostream>
+#include <stdio.h>
+#include <memory>
+#include <chrono>
+#include "defs.h"
+#include "dbsync.hpp"
+#include "rsync.hpp"
+#include "sysInfo.hpp"
+#include "syscollector.hpp"
+
+constexpr int DEFAULT_SLEEP_TIME { 60 };
+
+int main(int argc, const char* argv[])
+{
+    auto timedMainLoop { false };
+    auto sleepTime { DEFAULT_SLEEP_TIME };
+
+    if (2 == argc)
+    {
+        timedMainLoop = true;
+        std::string firstArgument { argv[1] };
+
+        sleepTime = firstArgument.find_first_not_of("0123456789") == std::string::npos ? std::stoi(firstArgument) : DEFAULT_SLEEP_TIME;
+
+    }
+    else if (2 < argc)
+    {
+        return -1;
+    }
+
+    const auto reportDiffFunction
+    {
+        [](const std::string & payload)
+        {
+            std::cout << "diff output payload:" << std::endl;
+            std::cout << payload << std::endl;
+        }
+    };
+    const auto reportSyncFunction
+    {
+        [](const std::string & payload)
+        {
+            std::cout << "sync output payload:" << std::endl;
+            std::cout << payload << std::endl;
+        }
+    };
+
+    const auto logFunction
+    {
+        [](const modules_log_level_t level, const std::string & log)
+        {
+            static const std::map<modules_log_level_t, std::string> s_logStringMap
+            {
+                {LOG_ERROR, "ERROR"},
+                {LOG_INFO, "INFO"},
+                {LOG_DEBUG, "DEBUG"},
+                {LOG_DEBUG_VERBOSE, "DEBUG2"}
+            };
+            std::cout << s_logStringMap.at(level) << ": " << log << std::endl;
+        }
+    };
+
+    const auto logErrorFunction
+    {
+        [](const std::string & log)
+        {
+            std::cout << "ERROR: " << log << std::endl;
+        }
+    };
+
+    const auto spInfo{ std::make_shared<SysInfo>() };
+    RemoteSync::initialize(logErrorFunction);
+    DBSync::initialize(logErrorFunction);
+
+    try
+    {
+        std::thread thread
+        {
+            [timedMainLoop, sleepTime]
+            {
+                if (!timedMainLoop)
+                {
+                    while (std::cin.get() != 'q');
+                }
+                else
+                {
+                    std::this_thread::sleep_for(std::chrono::seconds(sleepTime));
+                }
+
+                Syscollector::instance().destroy();
+            }
+        };
+
+        Syscollector::instance().init(spInfo,
+                                      reportDiffFunction,
+                                      reportSyncFunction,
+                                      logFunction,
+                                      SYSCOLLECTOR_DB_DISK_PATH,
+                                      SYSCOLLECTOR_NORM_CONFIG_DISK_PATH,
+                                      SYSCOLLECTOR_NORM_TYPE,
+                                      15ul,
+                                      true,
+                                      true,
+                                      true,
+                                      true,
+                                      true,
+                                      true,
+                                      true,
+                                      true,
+                                      true);
+
+        if (thread.joinable())
+        {
+            thread.join();
+        }
+    }
+    catch (const std::exception& ex)
+    {
+        std::cout << ex.what() << std::endl;
+    }
+
+    RemoteSync::teardown();
+    DBSync::teardown();
+    return 0;
+}
diff --git a/src/modules/logcollector/include/journal_log.h b/src/modules/logcollector/include/journal_log.h
new file mode 100644
index 0000000000..56b3206407
--- /dev/null
+++ b/src/modules/logcollector/include/journal_log.h
@@ -0,0 +1,190 @@
+#ifndef w_journal_H
+#define w_journal_H
+
+#include <shared.h>
+#include "../config/localfile-config.h"
+
+#include "cJSON.h"
+#include "expression.h"
+
+/*******************************************************************************
+ * NOTE: This module is not thread-safe.
+ *
+ * This library is used to interact with the journal log through the sd_journal
+ * library.
+ * All functions listed here are thread-agnostic and only a single specific
+ * thread may operate on a given object during its entire lifetime.
+ * It's safe to allocate multiple independent objects and use each from a
+ * specific thread in parallel.
+ * However, it's not safe to allocate such an object in one thread, and operate
+ * or free it from any other, even if locking is used to ensure these threads
+ * don't operate on it at the very same time.
+ * The library tries to dinamically load the sd_journal library, so it's not
+ * necessary to link it at compile time.
+ * All functions are added in version 187 unless otherwise noted.
+ *******************************************************************************/
+
+/**********************************************************
+ *               Journald library related
+ ***********************************************************/
+typedef struct sd_journal sd_journal;           ///< sd_journal type
+typedef struct w_journal_lib_t w_journal_lib_t; ///< Journal library functions
+
+/**********************************************************
+ *                    Context related
+ ***********************************************************/
+
+/**
+ * @brief Journal log context
+ */
+typedef struct {
+    w_journal_lib_t * lib; ///< Journal functions
+    sd_journal * journal;  ///< Journal context
+    uint64_t timestamp;    ///< Last timestamp processed (__REALTIME_TIMESTAMP)
+} w_journal_context_t;
+
+/**
+ * @brief Get a new journal log context
+ *
+ * The caller is responsible for freeing the returned context.
+ * @param ctx Journal log context
+ * @return int 0 on success or -1 on error
+ * @note The context should be created and used by a single thread only.
+ */
+int w_journal_context_create(w_journal_context_t ** ctx);
+
+/**
+ * @brief Free the journal log context and all its resources
+ *
+ * The context pointer is invalid after the call.
+ * @param ctx Journal log context
+ */
+void w_journal_context_free(w_journal_context_t * ctx);
+
+/**
+ * @brief Try update the timestamp in the journal log context with the timestamp of the current entry
+ *
+ * If failed to get the timestamp, the timestamp updated with the current time.
+ * @param ctx Journal log context
+ */
+void w_journal_context_update_timestamp(w_journal_context_t * ctx);
+
+/**
+ * @brief Move the cursor to the most recent entry
+ *
+ * @param ctx Journal log context
+ * @return int 0 on success or a negative errno-style error code.
+ * @note This function is not thread-safe.
+ *
+ */
+int w_journal_context_seek_most_recent(w_journal_context_t * ctx);
+
+/**
+ * @brief Move the cursor to the entry with the specified timestamp or the next newer entry available.
+ *
+ * If the timestamp is in the future or 0, the cursor is moved most recent entry.
+ * If the timestamp is older than the oldest available entry, the cursor is moved to the oldest entry.
+ * @param ctx Journal log context
+ * @param timestamp The timestamp to seek
+ * @return int 0 on success or a negative errno-style error code.
+ */
+int w_journal_context_seek_timestamp(w_journal_context_t * ctx, uint64_t timestamp);
+
+/**
+ * @brief Move the cursor to the next newest entry
+ *
+ * @param ctx Journal log context
+ * @return int 0 no more entries or a negative errno-style error code.
+ * @note This function is not thread-safe.
+ */
+int w_journal_context_next_newest(w_journal_context_t * ctx);
+
+/**
+ * @brief Move the cursor to the next newest entry that matches the filters
+ *
+ * If filters is NULL, the function will return the next newest entry.
+ * If filters is not NULL, the function will return the next newest entry that matches the filters.
+ * If no entry matches the filters, the function will return 0, but the cursor will be moved to the next newest entry.
+ * @param ctx Journal log context
+ * @param filters The filters to match
+ * @return int 0 no more entries or a negative errno-style error code.
+ */
+int w_journal_context_next_newest_filtered(w_journal_context_t * ctx, w_journal_filters_list_t filters);
+
+/**
+ * @brief Get the oldest accessible timestamp in the journal (__REALTIME_TIMESTAMP)
+ *
+ * @param ctx Journal log context
+ * @param timestamp The oldest timestamp
+ * @return int 0 on success or a negative errno-style error code.
+ * @note This function is not thread-safe.
+ */
+int w_journal_context_get_oldest_timestamp(w_journal_context_t * ctx, uint64_t * timestamp);
+
+/**********************************************************
+ *                   Entry related
+ **********************************************************/
+/**
+ * @brief Determine the types of dump of a journal log entry
+ */
+typedef enum {
+    W_JOURNAL_ENTRY_DUMP_TYPE_INVALID = -1, ///< Invalid dump type
+    W_JOURNAL_ENTRY_DUMP_TYPE_JSON,         ///< JSON dump
+    W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG,       ///< Syslog dump
+} w_journal_entry_dump_type_t;
+
+/**
+ * @brief Represents a dump of a journal log entry
+ */
+typedef struct {
+    w_journal_entry_dump_type_t type; ///< Dump type
+    union {
+        cJSON * json;   ///< JSON dump
+        char * syslog;  ///< Syslog dump
+    } data;             ///< Dump data
+    uint64_t timestamp; ///< Indexing timestamp (__REALTIME_TIMESTAMP)
+} w_journal_entry_t;
+
+/**
+ * @brief Create the entry from the current entry in the journal log context
+ *
+ * The caller is responsible for freeing the returned entry.
+ * @param ctx Journal log context
+ * @param type The type of dump
+ * @return w_journal_entry_t* The current entry or NULL on error
+ * @note This function is not thread-safe.
+ */
+w_journal_entry_t * w_journal_entry_dump(w_journal_context_t * ctx, w_journal_entry_dump_type_t type);
+
+/**
+ * @brief Free the entry and all its resources,
+ *
+ * The entry pointer is invalid after the call.
+ * @param entry Journal log entry
+ */
+void w_journal_entry_free(w_journal_entry_t * entry);
+
+/**
+ * @brief Dump the current entry to a string representation
+ *
+ * The caller is responsible for freeing the returned string.
+ * @param entry Journal log entry
+ * @return char*  The string representation of the entry or NULL on error
+ */
+char * w_journal_entry_to_string(w_journal_entry_t * entry);
+
+/**********************************************************
+ *                   Filter related
+ **********************************************************/
+
+/**
+ * @brief Apply the filter to the journal log context
+ *
+ * The filter will be applied to the journal log context.
+ * @param ctx Journal log context
+ * @param filter Journal log filter
+ * @return int positive number of entries matched, 0 if no entries matched, or a negative errno-style error code.
+ */
+int w_journal_filter_apply(w_journal_context_t * ctx, w_journal_filter_t * filter);
+
+#endif // w_journal_H
diff --git a/src/modules/logcollector/include/logcollector.h b/src/modules/logcollector/include/logcollector.h
index e69de29bb2..6d117bfa60 100644
--- a/src/modules/logcollector/include/logcollector.h
+++ b/src/modules/logcollector/include/logcollector.h
@@ -0,0 +1,355 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef LOGREADER_H
+#define LOGREADER_H
+
+#ifndef ARGV0
+#define ARGV0 "wazuh-logcollector"
+#endif
+
+#define N_MIN_INPUT_THREADS 1
+#define N_OUPUT_THREADS 1
+#define OUTPUT_MIN_QUEUE_SIZE 128
+#define WIN32_MAX_FILES 200
+
+///< Size of hash table to save the status file
+#define LOCALFILES_TABLE_SIZE 40
+
+///< JSON path wich contains the files position of last read
+#ifdef WIN32
+#define LOCALFILE_STATUS   "queue\\logcollector\\file_status.json"
+#else
+#define LOCALFILE_STATUS        "queue/logcollector/file_status.json"
+#endif
+
+///< JSON fields for file_status
+#define OS_LOGCOLLECTOR_JSON_FILES      "files"
+#define OS_LOGCOLLECTOR_JSON_PATH       "path"
+#define OS_LOGCOLLECTOR_JSON_HASH       "hash"
+#define OS_LOGCOLLECTOR_JSON_OFFSET     "offset"
+
+
+#include "shared.h"
+#include "../config/localfile-config.h"
+#include "../config/config.h"
+#include "../os_crypto/sha1/sha1_op.h"
+#include "macos_log.h"
+
+
+/*** Function prototypes ***/
+
+/* Read logcollector config */
+int LogCollectorConfig(const char *cfgfile);
+
+/* Parse read config into JSON format */
+cJSON *getLocalfileConfig(void);
+cJSON *getSocketConfig(void);
+cJSON *getLogcollectorInternalOptions(void);
+
+/* Start log collector daemon */
+void LogCollectorStart(void) __attribute__((noreturn));
+
+/* Handle files */
+int handle_file(int i, int j, int do_fseek, int do_log);
+
+/* Reload file: open after close, and restore position */
+int reload_file(logreader * lf);
+
+/* Close file and save position */
+void close_file(logreader * lf);
+
+/* Read syslog file */
+void *read_syslog(logreader *lf, int *rc, int drop_it);
+
+#ifdef WIN32
+/* Read ucs2 LE file*/
+void *read_ucs2_le(logreader *lf, int *rc, int drop_it);
+
+/* Read ucs2 BE file */
+void *read_ucs2_be(logreader *lf, int *rc, int drop_it);
+#endif
+
+/* Read snort full file */
+void *read_snortfull(logreader *lf, int *rc, int drop_it);
+
+/* Read ossec alert file */
+void *read_ossecalert(logreader *lf, int *rc, int drop_it);
+
+/* Read nmap grepable format */
+void *read_nmapg(logreader *lf, int *rc, int drop_it);
+
+/* Read mysql log format */
+void *read_mysql_log(logreader *lf, int *rc, int drop_it);
+
+/* Read mysql log format */
+void *read_mssql_log(logreader *lf, int *rc, int drop_it);
+
+/* Read postgresql log format */
+void *read_postgresql_log(logreader *lf, int *rc, int drop_it);
+
+/* Read multi line logs */
+void *read_multiline(logreader *lf, int *rc, int drop_it);
+
+/**
+ * @brief Check if any logs should be ignored
+ *
+ * @param ignore_exp List of ignore regex expressions to be checked
+ * @param restrict_exp List of restrict regex expressions to be checked
+ * @param log_line Log where to search for a match
+ * @return 0 if log should be processed, 1 if log should be ignored
+ */
+int check_ignore_and_restrict(OSList * ignore_exp, OSList * restrict_exp, const char *log_line);
+
+/**
+ * @brief Read multi line logs with variable lenght
+ *
+ * @param lf status and configuration of the log file
+ * @param rc output parameter, returns zero
+ * @param drop_it if drop_it is different from 0, the logs will be read and discarded
+ * @return NULL
+ */
+void *read_multiline_regex(logreader *lf, int *rc, int drop_it);
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+/**
+ * @brief Read macOS log process output
+ *
+ * @param lf status and configuration of the macOS instance
+ * @param rc output parameter, returns zero
+ * @param drop_it if drop_it is different from 0, the logs will be read and discarded
+ * @return NULL
+ */
+void *read_macos(logreader *lf, int *rc, int drop_it);
+#endif
+
+#ifdef __linux__
+/**
+ * @brief Read journald logs
+ *
+ * @param lf status and configuration of the log file
+ * @param rc output parameter, returns zero
+ * @param drop_it if drop_it is different from 0, the logs will be read and discarded
+ * @return NULL
+ */
+void *read_journald(logreader *lf, int *rc, int drop_it);
+
+/**
+ * @brief Check if journald can be read for a specific id
+ * 
+ * If the journal is not opened, the the function try to open it, returning false if it fails and true if it succeeds.
+ * The function sets the id as the owner of the journal.
+ * If the journal is opened, the function checks if the id is the owner of the journal,
+ * returning true if it is, and false if it is not.
+ * @param id the id to be checked
+ * @return true if the id is the owner of the journal, false otherwise
+ * @note This function is not thread-safe.
+ */
+bool w_journald_can_read(unsigned long id); 
+
+/**
+ * @brief Set the only future events flag to the journal log context
+ * @param ofe True if only future events should be read, false otherwise
+ */
+void w_journald_set_ofe(bool ofe);
+
+/**
+ * @brief Set the status of the journal log from a JSON object (timestamp to start reading)
+ * 
+ * @param global_json JSON object containing the journal log status
+ */
+void w_journald_set_status_from_JSON(cJSON * global_json);
+
+/**
+ * @brief Get the status of the journal log as a JSON object
+ * 
+ * @return JSON object containing the journal log status
+ */
+cJSON * w_journald_get_status_as_JSON();
+
+#endif
+
+/* Read DJB multilog format */
+/* Initializes multilog */
+int init_djbmultilog(logreader *lf);
+void *read_djbmultilog(logreader *lf, int *rc, int drop_it);
+
+/* Read events from output of command */
+void *read_command(logreader *lf, int *rc, int drop_it);
+void *read_fullcommand(logreader *lf, int *rc, int drop_it);
+
+/* Read auditd events */
+void *read_audit(logreader *lf, int *rc, int drop_it);
+
+/* Read json events */
+void *read_json(logreader *lf, int *rc, int drop_it);
+
+#ifdef WIN32
+void win_startel();
+void win_readel();
+void win_read_vista_sec();
+int win_start_event_channel(char *evt_log, char future, char *query, int reconnect_time);
+void win_format_event_string(char *string);
+#endif
+
+#ifndef WIN32
+// Com request thread dispatcher
+void * lccom_main(void * arg);
+#endif
+size_t lccom_dispatch(char * command, char ** output);
+size_t lccom_getconfig(const char * section, char ** output);
+size_t lccom_getstate(char ** output, bool getNextPage);
+
+/*** Global variables ***/
+extern int loop_timeout;
+extern int logr_queue;
+extern int open_file_attempts;
+extern logreader *logff;
+extern logreader_glob *globs;
+extern socket_forwarder *logsk;
+extern int vcheck_files;
+extern int maximum_lines;
+extern socket_forwarder default_agent;
+extern int force_reload;
+extern int reload_interval;
+extern int reload_delay;
+extern int free_excluded_files_interval;
+extern int state_interval;
+
+typedef enum {
+    CONTINUE_IT,
+    NEXT_IT,
+    LEAVE_IT
+} IT_control;
+
+/* Message queue */
+typedef struct w_msg_queue_t{
+    w_queue_t *msg_queue;
+    pthread_mutex_t mutex;
+    pthread_cond_t available;
+} w_msg_queue_t;
+
+
+/* Hash table of queues */
+extern OSHash * msg_queues_table;
+
+/* Message structure */
+typedef struct w_message_t {
+    char *file;
+    char *buffer;
+    char queue_mq;
+    unsigned int size;
+    logtarget *log_target;
+} w_message_t;
+
+
+/* Input thread range */
+typedef struct w_input_range_t{
+    int start_i;
+    int start_j;
+    int end_i;
+    int end_j;
+} w_input_range_t;
+
+///< Struct to save the position of last line read and the SHA1 hash content
+typedef struct file_status {
+    int64_t offset;  ///< Position to read
+    EVP_MD_CTX *context;    ///< It stores the hashed data calculated so far
+    os_sha1 hash;       ///< Content file SHA1 hash
+} os_file_status_t;
+
+extern w_input_range_t *w_input_threads_range;
+
+/* Init queue hash table */
+void w_msg_hash_queues_init();
+
+/* Add entry to queue hash table */
+int w_msg_hash_queues_add_entry(const char *key);
+
+/* Push message into the hash queue */
+int w_msg_hash_queues_push(const char *str, char *file, unsigned long size, logtarget * targets, char queue_mq);
+
+/* Push message into the queue */
+int w_msg_queue_push(w_msg_queue_t * msg, const char * buffer, char *file, unsigned long size, logtarget * log_target, char queue_mq);
+
+/* Pop message from the queue */
+w_message_t * w_msg_queue_pop(w_msg_queue_t * queue);
+
+/* Output processing thread*/
+#ifdef WIN32
+DWORD WINAPI w_output_thread(void * args);
+#else
+void * w_output_thread(void * args);
+#endif
+
+/* Prepare pool of output threads */
+void w_create_output_threads();
+
+/* Input processing thread */
+#ifdef WIN32
+DWORD WINAPI w_input_thread(__attribute__((unused)) void * t_id);
+#else
+void * w_input_thread(__attribute__((unused)) void * t_id);
+#endif
+
+/* Prepare pool of input threads */
+void w_create_input_threads();
+
+/* Set mutexes for each file */
+void w_set_file_mutexes();
+
+/* Read stop signal from reader threads */
+int can_read();
+
+/**
+ * @brief Update the read position in file status hash table
+ * @param path the path is the hash key
+ * @param pos new read position
+ * @param context EVP_MD_CTX context.
+ * @return 0 on succes, otherwise -1
+ */
+int w_update_file_status(const char * path, int64_t pos, EVP_MD_CTX *context);
+
+/**
+ * @brief Get EVP_MD_CTX context or initialize it
+ * @param lf Structure that contains file information, with `fd` and `file` non-null.
+ * @param context EVP_MD_CTX context.
+ * @param position end file position.
+ * @return true if returns a valid context, false in otherwise.
+ */
+bool w_get_hash_context(logreader *lf, EVP_MD_CTX **context, int64_t position);
+
+extern int sample_log_length;
+extern int lc_debug_level;
+extern int accept_remote;
+extern int N_INPUT_THREADS;
+extern int OUTPUT_QUEUE_SIZE;
+#ifndef WIN32
+extern rlim_t nofile;
+#endif
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+/**
+ * @brief This function is called to release macOS log's "show" and/or "stream" resources
+ */
+void w_macos_release_log_execution(void);
+
+/**
+ * @brief This function is called to release macOS log's "show" resources
+ */
+void w_macos_release_log_show(void);
+
+/**
+ * @brief This function is called to release macOS log's "stream" resources
+ */
+void w_macos_release_log_stream(void);
+#endif
+
+#endif /* LOGREADER_H */
diff --git a/src/modules/logcollector/include/macos_log.h b/src/modules/logcollector/include/macos_log.h
new file mode 100644
index 0000000000..1b958e7c04
--- /dev/null
+++ b/src/modules/logcollector/include/macos_log.h
@@ -0,0 +1,174 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef MACOS_LOG_H
+#define MACOS_LOG_H
+
+/* ******************  INCLUDES  ****************** */
+
+#include "shared.h"
+#include "../config/localfile-config.h"
+#include "sysinfo_utils.h"
+
+/* ******************  DEFINES  ****************** */
+
+#define MACOS_LOG_NAME          "macos" ///< Name to be displayed in the localfile' statistics
+
+#define LOG_CMD_STR             "/usr/bin/log"  ///< It is the name of the command used to collect macos' logs
+
+#define LOG_STREAM_OPT_STR      "stream"        ///< "stream" is a mode in which the "log" command can be executed
+#define LOG_SHOW_OPT_STR        "show"          ///< "show" is a mode in which the "log" command can be executed
+
+#define STYLE_OPT_STR           "--style"       ///< This precedes the logs' output style to be used by "log stream"
+#define SYSLOG_STR              "syslog"        ///< This is the style chosen to show the "log stream" output
+
+#define PREDICATE_OPT_STR       "--predicate"   ///< This precedes the "query" filter to be used by "log stream"
+#define TYPE_OPT_STR            "--type"        ///< This precedes a "type" filter to be used by "log stream"
+#define LEVEL_OPT_STR           "--level"       ///< This precedes the "level" filter to be used by "log stream"
+
+#define SHOW_INFO_OPT_STR       "--info"        ///< Option to acquire up to the intermediate macOS log level
+#define SHOW_DEBUG_OPT_STR      "--debug"       ///< Option to acquire all the macOS log levels
+
+#define SHOW_START_OPT_STR      "--start"       ///< This option precedes the starting date to be used by "log show"
+
+#define SHOW_TYPE_ACTIVITY_STR  "eventType == activityCreateEvent "         \
+                                "OR eventType == activityTransitionEvent "  \
+                                "OR eventType == userActionEvent"
+#define SHOW_TYPE_LOG_STR       "eventType == logEvent"
+#define SHOW_TYPE_TRACE_STR     "eventType == traceEvent"
+#define SHOW_OR_TYPE_LOG_STR    " OR eventType == logEvent"
+#define SHOW_OR_TYPE_TRACE_STR  " OR eventType == traceEvent"
+
+#define MAX_LOG_CMD_ARGS        17
+#define MAX_LOG_STREAM_CMD_ARGS MAX_LOG_CMD_ARGS    ///< This value takes into account the largest case of use
+#define MAX_LOG_SHOW_CMD_ARGS   MAX_LOG_CMD_ARGS    ///< This value takes into account the largest case of use
+
+#define QUERY_AND_TYPE_PREDICATE    "( %s ) AND ( %s )"
+
+#define MACOS_LOG_SHOW_CHILD_EXITED      LOGCOLLECTOR_MACOS_LOG_CHILD_EXITED,"show"
+#define MACOS_LOG_STREAM_CHILD_EXITED    LOGCOLLECTOR_MACOS_LOG_CHILD_EXITED,"stream"
+
+#define MACOS_SIERRA_CODENAME_STR   "Sierra"            ///< String to compare macOS version
+#define SCRIPT_CMD_STR              "/usr/bin/script"   ///< `script` tool path
+#define SCRIPT_CMD_ARGS             "-q"                ///< `script` tool quiet argument
+#define SCRIPT_CMD_SINK             "/dev/null"         ///> `script` tool output redirection
+
+
+///< macOS ULS milliseconds lenght i.e .123456
+#define OS_LOGCOLLECTOR_TIMESTAMP_MS_LEN        7
+///< macOS ULS timezone lenght i.e -0700
+#define OS_LOGCOLLECTOR_TIMESTAMP_TZ_LEN        5
+///< macOS ULS basic timestamp lenght i.e 2021-04-27 08:07:20
+#define OS_LOGCOLLECTOR_TIMESTAMP_BASIC_LEN     19
+///< macOS ULS short timestamp lenght i.e 2021-04-27 08:07:20-0700
+#define OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN     OS_LOGCOLLECTOR_TIMESTAMP_BASIC_LEN + OS_LOGCOLLECTOR_TIMESTAMP_TZ_LEN
+///< macOS ULS full timestamp lenght i.e 2020-11-09 05:45:08.000000-0800
+#define OS_LOGCOLLECTOR_TIMESTAMP_FULL_LEN      OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN + OS_LOGCOLLECTOR_TIMESTAMP_MS_LEN
+///< JSON fields for file_status related to macOS ULS
+#define OS_LOGCOLLECTOR_JSON_MACOS      MACOS_LOG_NAME
+#define OS_LOGCOLLECTOR_JSON_TIMESTAMP  "timestamp"
+#define OS_LOGCOLLECTOR_JSON_SETTINGS   "settings"
+
+/* ******************  DATATYPES  ****************** */
+
+/**
+ * @brief Stores the configuration of the `log` call for the next startup (only future events)
+ */
+typedef struct {
+    pthread_rwlock_t mutex;                                  ///< Prevent the RC on this structure
+    char timestamp[OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN + 1]; ///< Timestamp of last log received
+    char * settings;                                         ///< `log` command arguments
+    bool is_valid_data;                                      ///< false when log was called with an invalid predicate
+} w_macos_log_vault_t;
+
+/* ******************  PROTOTYPES  ****************** */
+
+/**
+ * @brief Creates the environment for collecting logs on macOS Systems
+ * @param current logreader structure with `log`'s input arguments and w_macos_log_config_t structure to be set
+ * @param global_sysinfo sysinfo reference used to get useful information
+ */
+void w_macos_create_log_env(logreader * lf, w_sysinfo_helpers_t * global_sysinfo);
+
+/**
+ * @brief Set string containing the last recorded timestamp.
+ *
+ * @param timestamp macOS ULS short timestamp
+ */
+void w_macos_set_last_log_timestamp(char * timestamp);
+
+/**
+ * @brief Set string containing the last macOS ULS settings used.
+ *
+ * @param predicate macOS ULS settings
+ */
+void w_macos_set_log_settings(char * settings);
+
+/**
+ * @brief Get string containing the last recorded timestamp.
+ *
+ * @return Allocated string containing last recorded timestamp. NULL otherwise
+ */
+char * w_macos_get_last_log_timestamp(void);
+
+/**
+ * @brief Get string containing the last macOS ULS settings used.
+ *
+ * @return Allocated string containing last macOS ULS settings used. NULL otherwise
+ */
+char * w_macos_get_log_settings(void);
+
+/**
+ * @brief Get macos vault as JSON
+ *
+ * @return cJSON* macos vault
+ */
+cJSON * w_macos_get_status_as_JSON(void);
+
+/**
+ * @brief Set macos vault from JSON
+ *
+ * @param global_json JSON object containing macos vault information
+ */
+void w_macos_set_status_from_JSON(cJSON * global_json);
+
+/**
+ * @brief Check if curret macOS codename is Sierra
+ *
+ * @return true if Sierra. false otherwise
+ */
+bool w_is_macos_sierra();
+
+/**
+ * @brief Get first child process found
+ *
+ * @param parent_pid parent pid
+ * @return pid_t found child. Zero otherwise
+ */
+pid_t w_get_first_child(pid_t parent_pid);
+
+/**
+ * @brief Sets the validity of the \ref macos_log_vault data.
+ *
+ * Enables or disables the generation of the json object with the macOS log status.
+ * \ref w_macos_get_status_as_JSON.
+ * @param is_valid true if generates the JSON
+ */
+void w_macos_set_is_valid_data(bool is_valid);
+
+/**
+ * @brief Gets the validity of the \ref macos_log_vault data
+ *
+ * @return true if valid data has been stored
+ * @return false if invalid data has been stored
+ */
+bool w_macos_get_is_valid_data(void);
+
+#endif /* MACOS_LOG_H */
diff --git a/src/modules/logcollector/include/state.h b/src/modules/logcollector/include/state.h
new file mode 100644
index 0000000000..6b9023a5f2
--- /dev/null
+++ b/src/modules/logcollector/include/state.h
@@ -0,0 +1,116 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef LOGCOLLECTOR_STAT_H
+#define LOGCOLLECTOR_STAT_H
+
+#include "shared.h"
+
+#ifdef WIN32
+#define LOGCOLLECTOR_STATE      "wazuh-logcollector.state"
+#else
+#define LOGCOLLECTOR_STATE      "var/run/wazuh-logcollector.state"
+#endif
+
+#define LOGCOLLECTOR_STATE_FILES_MAX   40                   ///< Size of the statistics hash table
+#define LOGCOLLECTOR_STATE_DESCRIPTION "logcollector_state" ///< String identifier for errors
+
+// Macros to add files/targets node to states
+#define w_logcollector_state_add_file(x)      w_logcollector_state_update_file(x, 0)
+#define w_logcollector_state_add_target(x, y) w_logcollector_state_update_target(x, y, false)
+
+/**
+ * @brief state storage structure
+ * key: location option value. value: w_lc_state_file_t
+ */
+typedef struct {
+    time_t start;    ///< initial state timestamp
+    OSHash * states; ///< state storage
+} w_lc_state_storage_t;
+
+/**
+ * @brief target state storage
+ *
+ */
+typedef struct {
+    char * name;    ///< target name
+    uint64_t drops; ///< drop count
+} w_lc_state_target_t;
+
+/**
+ * @brief file state storage
+ *
+ */
+typedef struct {
+    uint64_t bytes;               ///< bytes count
+    uint64_t events;              ///< events count
+    w_lc_state_target_t ** targets; ///< array of poiters to file's different targets
+} w_lc_state_file_t;
+
+/**
+ * @brief statistics types
+ *
+ */
+typedef enum {
+    LC_STATE_GLOBAL = 0x1 << 0,  ///< statistics since the begining of program execution
+    LC_STATE_INTERVAL = 0x1 << 1 ///< periodically calculated statistic
+} w_lc_state_type_t;
+
+/**
+ * @brief Initialize storing structures
+ *
+ * @param state_type statistics to calculate
+ * @param state_file_enabled enable saving state to file
+ */
+void w_logcollector_state_init(w_lc_state_type_t state_type, bool state_file_enabled);
+
+/**
+ * @brief Logcollector state main thread function
+ * @param args optional parameter. state interval value
+ * @return void* default return value for thread function prototype (unused)
+ */
+#ifdef WIN32
+DWORD WINAPI w_logcollector_state_main(void * args);
+#else
+void * w_logcollector_state_main(void * args);
+#endif
+
+/**
+ * @brief Update/register current drop count for a target belonging to a particular file
+ *
+ * @param fpath file path or locafile location value
+ * @param target target name
+ * @param dropped true if want to register a drop.
+ */
+void w_logcollector_state_update_target(char * fpath, char * target, bool dropped);
+
+/**
+ * @brief Update/register current event and byte count for a particular file/location
+ *
+ * @param fpath file path or locafile location value
+ * @param bytes amount of bytes. If bigger than zero, event counter will increment.
+ */
+void w_logcollector_state_update_file(char * fpath, uint64_t bytes);
+
+/**
+ * @brief Removes the `fpath` file from statistics
+ * 
+ * @param fpath file path or locafile location value
+ */
+void w_logcollector_state_delete_file(char * fpath);
+
+/**
+ * @brief Get current state in JSON format
+ *
+ * @return cJSON* allocated object with current state.
+ * The cJSON* is heap allocated memory that must be freed by the caller using cJSON_Delete.
+ */
+cJSON * w_logcollector_state_get();
+
+#endif /* LOGCOLLECTOR_STAT_H */
diff --git a/src/modules/logcollector/src/config.c b/src/modules/logcollector/src/config.c
new file mode 100644
index 0000000000..6c5c4c94b8
--- /dev/null
+++ b/src/modules/logcollector/src/config.c
@@ -0,0 +1,354 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "list_op.h"
+
+/* To string size of max-size option */
+#define OFFSET_SIZE 11
+
+int accept_remote;
+int lc_debug_level;
+#ifndef WIN32
+rlim_t nofile;
+#endif
+
+void _getLocalfilesListJSON(logreader *list, cJSON *array, int gl);
+
+/* Read the config file (the localfiles) */
+int LogCollectorConfig(const char *cfgfile)
+{
+    int modules = 0;
+    logreader_config log_config;
+
+    modules |= CLOCALFILE;
+    modules |= CLGCSOCKET;
+
+    log_config.config = NULL;
+    log_config.globs = NULL;
+    log_config.socket_list = NULL;
+    log_config.agent_cfg = 0;
+    accept_remote = getDefine_Int("logcollector", "remote_commands", 0, 1);
+    log_config.accept_remote = accept_remote;
+
+    /* Get loop timeout */
+    loop_timeout = getDefine_Int("logcollector", "loop_timeout", 1, 120);
+    open_file_attempts = getDefine_Int("logcollector", "open_attempts", 0, 998);
+    vcheck_files = getDefine_Int("logcollector", "vcheck_files", 0, 1024);
+    maximum_lines = getDefine_Int("logcollector", "max_lines", 0, 1000000);
+    maximum_files = getDefine_Int("logcollector", "max_files", 1, 100000);
+    sock_fail_time = getDefine_Int("logcollector", "sock_fail_time", 1, 3600);
+    sample_log_length = getDefine_Int("logcollector", "sample_log_length", 1, 4096);
+    force_reload = getDefine_Int("logcollector", "force_reload", 0, 1);
+    reload_interval = getDefine_Int("logcollector", "reload_interval", 1, 86400);
+    reload_delay = getDefine_Int("logcollector", "reload_delay", 0, 30000);
+    free_excluded_files_interval = getDefine_Int("logcollector", "exclude_files_interval", 1, 172800);
+    state_interval = getDefine_Int("logcollector", "state_interval", 0, 3600);
+
+    /* Current and total files counter */
+    total_files = 0;
+    current_files = 0;
+
+    if (force_reload && reload_interval < vcheck_files) {
+        mwarn("Reload interval (%d) must be greater or equal than the checking interval (%d).", reload_interval, vcheck_files);
+    }
+
+#ifndef WIN32
+    nofile = getDefine_Int("logcollector", "rlimit_nofile", 1024, 1048576);
+#endif
+
+    if (maximum_lines > 0 && maximum_lines < 100) {
+        merror("Definition 'logcollector.max_lines' must be 0 or 100..1000000.");
+        return OS_INVALID;
+    }
+
+#ifndef WIN32
+    if (maximum_files > (int)nofile - 100) {
+        merror("Definition 'logcollector.max_files' must be lower than ('logcollector.rlimit_nofile' - 100).");
+        return OS_SIZELIM;
+    }
+#else
+    if (maximum_files > WIN32_MAX_FILES) {
+        /* Limit files on Windows as file descriptors are shared */
+        maximum_files = WIN32_MAX_FILES;
+        mdebug1("The maximum number of files to monitor cannot exceed %d in Windows, so it will be limited.", WIN32_MAX_FILES);
+    }
+#endif
+
+    if (ReadConfig(modules, cfgfile, &log_config, NULL) < 0) {
+        return (OS_INVALID);
+    }
+
+#ifdef CLIENT
+    modules |= CAGENT_CONFIG;
+    log_config.agent_cfg = 1;
+    ReadConfig(modules, AGENTCONFIG, &log_config, NULL);
+    log_config.agent_cfg = 0;
+#endif
+
+    logff = log_config.config;
+    globs = log_config.globs;
+    logsk = log_config.socket_list;
+
+    return (1);
+}
+
+
+void _getLocalfilesListJSON(logreader *list, cJSON *array, int gl) {
+
+    unsigned int i = 0;
+    unsigned int j;
+
+    while ((!gl && list[i].target) || (gl && list[i].file)) {
+        cJSON *file = cJSON_CreateObject();
+
+        if (list[i].file) cJSON_AddStringToObject(file,"file",list[i].file);
+        if (list[i].channel_str != NULL) cJSON_AddStringToObject(file, "channel", list[i].channel_str);
+        if (list[i].logformat) cJSON_AddStringToObject(file,"logformat",list[i].logformat);
+        if (list[i].command) cJSON_AddStringToObject(file,"command",list[i].command);
+        if (list[i].djb_program_name) cJSON_AddStringToObject(file,"djb_program_name",list[i].djb_program_name);
+        if (list[i].alias) cJSON_AddStringToObject(file,"alias",list[i].alias);
+        if (list[i].query != NULL) {
+            cJSON * query = cJSON_CreateObject();
+            if (*list[i].query != '\0') {
+                cJSON_AddStringToObject(query, "value", list[i].query);
+            }
+            if (list[i].query_level != NULL) {
+                cJSON_AddStringToObject(query, "level", list[i].query_level);
+            }
+            if (list[i].query_type > 0) {
+                cJSON *type = cJSON_CreateArray();
+                if (list[i].query_type & MACOS_LOG_TYPE_LOG) {
+                    cJSON_AddItemToArray(type, cJSON_CreateString(MACOS_LOG_TYPE_LOG_STR));
+                }
+                if (list[i].query_type & MACOS_LOG_TYPE_ACTIVITY) {
+                    cJSON_AddItemToArray(type, cJSON_CreateString(MACOS_LOG_TYPE_ACTIVITY_STR));
+                }
+                if (list[i].query_type & MACOS_LOG_TYPE_TRACE) {
+                    cJSON_AddItemToArray(type, cJSON_CreateString(MACOS_LOG_TYPE_TRACE_STR));
+                }
+                cJSON_AddItemToObject(query, "type", type);
+            }
+            cJSON_AddItemToObject(file, "query", query);
+        }
+        // Invalid configuration for journal logs
+        if (list[i].journal_log == NULL) {
+            cJSON_AddStringToObject(file, "ignore_binaries", list[i].filter_binary ? "yes" : "no");
+        }
+
+        if (list[i].age_str) cJSON_AddStringToObject(file,"age",list[i].age_str);
+        if (list[i].exclude) cJSON_AddStringToObject(file,"exclude",list[i].exclude);
+
+        if (list[i].logformat != NULL &&
+            strcmp(list[i].logformat, EVENTLOG) != 0 &&
+            strcmp(list[i].logformat, "command") != 0 &&
+            strcmp(list[i].logformat, "full_command") != 0) {
+
+            if (list[i].future == 1){
+                cJSON_AddStringToObject(file, "only-future-events", "yes");
+            } else {
+                char offset[OFFSET_SIZE] = {0};
+                sprintf(offset, "%ld", list[i].diff_max_size);
+                cJSON_AddStringToObject(file, "only-future-events", "no");
+                cJSON_AddStringToObject(file, "max-size", offset);
+            }
+        }
+
+        if (list[i].target && *list[i].target) {
+            cJSON *target = cJSON_CreateArray();
+            for (j=0;list[i].target[j];j++) {
+                cJSON_AddItemToArray(target, cJSON_CreateString(list[i].target[j]));
+            }
+            cJSON_AddItemToObject(file,"target",target);
+        }
+        if (list[i].out_format && *list[i].out_format) {
+            cJSON *outformat = cJSON_CreateArray();
+            for (j=0;list[i].out_format[j] && list[i].out_format[j]->format;j++) {
+                cJSON *item = cJSON_CreateObject();
+                if (list[i].out_format[j]->target)
+                    cJSON_AddStringToObject(item,"target",list[i].out_format[j]->target);
+                else
+                    cJSON_AddStringToObject(item,"target","all");
+                cJSON_AddStringToObject(item,"format",list[i].out_format[j]->format);
+                cJSON_AddItemToArray(outformat, item);
+            }
+            cJSON_AddItemToObject(file,"out_format",outformat);
+        }
+        if (list[i].duplicated) cJSON_AddNumberToObject(file,"duplicate",list[i].duplicated);
+        if (list[i].labels && list[i].labels[0].key) {
+            cJSON *label = cJSON_CreateObject();
+            for (j=0;list[i].labels[j].key;j++) {
+                cJSON_AddStringToObject(label,list[i].labels[j].key,list[i].labels[j].value);
+            }
+            cJSON_AddItemToObject(file,"labels",label);
+        }
+        if (list[i].ign && list[i].logformat != NULL && (strcmp(list[i].logformat,"command")==0 || strcmp(list[i].logformat,"full_command")==0)) cJSON_AddNumberToObject(file,"frequency",list[i].ign);
+        if (list[i].reconnect_time && list[i].logformat != NULL && strcmp(list[i].logformat,"eventchannel")==0) cJSON_AddNumberToObject(file,"reconnect_time",list[i].reconnect_time);
+        if (list[i].multiline) {
+            cJSON * multiline = cJSON_CreateObject();
+            cJSON_AddStringToObject(multiline, "match", multiline_attr_match_str(list[i].multiline->match_type));
+            cJSON_AddStringToObject(multiline, "replace", multiline_attr_replace_str(list[i].multiline->replace_type));
+            cJSON_AddStringToObject(multiline, "regex", w_expression_get_regex_pattern(list[i].multiline->regex));
+            cJSON_AddNumberToObject(multiline, "timeout", list[i].multiline->timeout);
+            cJSON_AddItemToObject(file, "multiline_regex", multiline);
+        }
+        if (list[i].journal_log != NULL && list[i].journal_log->filters != NULL) {
+
+            cJSON * filters = w_journal_filter_list_as_json(list[i].journal_log->filters);
+            if (filters != NULL) {
+                cJSON_AddItemToObject(file, "filters", filters);
+            }
+
+            cJSON_AddBoolToObject(file, "filters_disabled", list[i].journal_log->disable_filters);
+        }
+        if (list[i].regex_ignore != NULL) {
+            OSListNode *node_it;
+            w_expression_t *exp_it;
+            cJSON * ignore_array = cJSON_CreateArray();
+
+            OSList_foreach(node_it, list[i].regex_ignore) {
+                exp_it = node_it->data;
+                cJSON * ignore_object = cJSON_CreateObject();
+
+                cJSON_AddStringToObject(ignore_object, "value", w_expression_get_regex_pattern(exp_it));
+                cJSON_AddStringToObject(ignore_object, "type", w_expression_get_regex_type(exp_it));
+
+                cJSON_AddItemToArray(ignore_array, ignore_object);
+            }
+
+            if (cJSON_GetArraySize(ignore_array) > 0) {
+                cJSON_AddItemToObject(file, "ignore", ignore_array);
+            } else {
+                cJSON_free(ignore_array);
+            }
+        }
+        if (list[i].regex_restrict != NULL) {
+            OSListNode *node_it;
+            w_expression_t *exp_it;
+            cJSON * restrict_array = cJSON_CreateArray();
+
+            OSList_foreach(node_it, list[i].regex_restrict) {
+                exp_it = node_it->data;
+                cJSON * restrict_object = cJSON_CreateObject();
+
+                cJSON_AddStringToObject(restrict_object, "value", w_expression_get_regex_pattern(exp_it));
+                cJSON_AddStringToObject(restrict_object, "type", w_expression_get_regex_type(exp_it));
+
+                cJSON_AddItemToArray(restrict_array, restrict_object);
+            }
+
+            if (cJSON_GetArraySize(restrict_array) > 0) {
+                cJSON_AddItemToObject(file, "restrict", restrict_array);
+            } else {
+                cJSON_free(restrict_array);
+            }
+        }
+
+        cJSON_AddItemToArray(array, file);
+        i++;
+    }
+}
+
+
+cJSON *getLocalfileConfig(void) {
+
+    if (!logff) {
+        return NULL;
+    }
+
+    cJSON *root = cJSON_CreateObject();
+
+    cJSON *localfiles = cJSON_CreateArray();
+    _getLocalfilesListJSON(logff, localfiles, 0);
+
+    if (globs) {
+        unsigned int i = 0;
+        while (globs[i].gfiles) {
+            _getLocalfilesListJSON(globs[i].gfiles, localfiles, 1);
+            i++;
+        }
+    }
+
+    if (cJSON_GetArraySize(localfiles) > 0) {
+        cJSON_AddItemToObject(root,"localfile",localfiles);
+    } else {
+        cJSON_free(localfiles);
+    }
+
+    return root;
+}
+
+cJSON *getSocketConfig(void) {
+
+    if (!logsk) {
+        return NULL;
+    }
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *sockets = cJSON_CreateArray();
+    int i;
+
+    for (i=0;logsk[i].name;i++) {
+        cJSON *socket = cJSON_CreateObject();
+
+        cJSON_AddStringToObject(socket,"name",logsk[i].name);
+        cJSON_AddStringToObject(socket,"location",logsk[i].location);
+        if (logsk[i].mode == IPPROTO_UDP) {
+            cJSON_AddStringToObject(socket,"mode","udp");
+        } else {
+            cJSON_AddStringToObject(socket,"mode","tcp");
+        }
+        if (logsk[i].prefix) cJSON_AddStringToObject(socket,"prefix",logsk[i].prefix);
+
+        cJSON_AddItemToArray(sockets, socket);
+    }
+
+    if (cJSON_GetArraySize(sockets) > 0) {
+        cJSON_AddItemToObject(root,"socket",sockets);
+    } else {
+        cJSON_free(sockets);
+    }
+
+    return root;
+}
+
+cJSON *getLogcollectorInternalOptions(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *internals = cJSON_CreateObject();
+    cJSON *logcollector = cJSON_CreateObject();
+
+    cJSON_AddNumberToObject(logcollector,"remote_commands",accept_remote);
+    cJSON_AddNumberToObject(logcollector,"loop_timeout",loop_timeout);
+    cJSON_AddNumberToObject(logcollector,"open_attempts",open_file_attempts);
+    cJSON_AddNumberToObject(logcollector,"vcheck_files",vcheck_files);
+    cJSON_AddNumberToObject(logcollector,"max_lines",maximum_lines);
+    cJSON_AddNumberToObject(logcollector,"max_files",maximum_files);
+    cJSON_AddNumberToObject(logcollector,"sock_fail_time",sock_fail_time);
+    cJSON_AddNumberToObject(logcollector,"debug",lc_debug_level);
+    cJSON_AddNumberToObject(logcollector,"sample_log_length",sample_log_length);
+    cJSON_AddNumberToObject(logcollector,"queue_size",OUTPUT_QUEUE_SIZE);
+    cJSON_AddNumberToObject(logcollector,"input_threads",N_INPUT_THREADS);
+    cJSON_AddNumberToObject(logcollector,"force_reload",force_reload);
+    cJSON_AddNumberToObject(logcollector,"reload_interval",reload_interval);
+    cJSON_AddNumberToObject(logcollector,"reload_delay",reload_delay);
+    cJSON_AddNumberToObject(logcollector, "exclude_files_interval", free_excluded_files_interval);
+    cJSON_AddNumberToObject(logcollector, "state_interval", state_interval);
+
+#ifndef WIN32
+    cJSON_AddNumberToObject(logcollector,"rlimit_nofile",nofile);
+#endif
+
+    cJSON_AddItemToObject(internals,"logcollector",logcollector);
+    cJSON_AddItemToObject(root,"internal",internals);
+
+    return root;
+}
diff --git a/src/modules/logcollector/src/journal_log.c b/src/modules/logcollector/src/journal_log.c
new file mode 100644
index 0000000000..4fdd050e5e
--- /dev/null
+++ b/src/modules/logcollector/src/journal_log.c
@@ -0,0 +1,707 @@
+#if defined(__linux__)
+
+#include "journal_log.h"
+
+#include <dlfcn.h>
+#include <inttypes.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/time.h>
+
+#include "debug_op.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove STATIC qualifier from tests
+#define STATIC
+#define INLINE
+#else
+#define STATIC static
+#define INLINE inline
+#endif
+
+STATIC const int W_SD_JOURNAL_LOCAL_ONLY = 1 << 0;     ///< Open the journal log for the local machine
+STATIC const char * W_LIB_SYSTEMD = "libsystemd.so.0"; ///< Name of the systemd library
+
+// Function added on version 187 of systemd
+typedef int (*w_journal_open)(sd_journal ** ret, int flags);            ///< sd_journal_open
+typedef void (*w_journal_close)(sd_journal * j);                        ///< sd_journal_close
+typedef int (*w_journal_previous)(sd_journal * j);                      ///< sd_journal_previous
+typedef int (*w_journal_next)(sd_journal * j);                          ///< sd_journal_next
+typedef int (*w_journal_seek_tail)(sd_journal * j);                     ///< sd_journal_seek_tail
+typedef int (*w_journal_seek_timestamp)(sd_journal * j, uint64_t usec); ///< sd_journal_seek_realtime_usec
+typedef int (*w_journal_get_cutoff_timestamp)(sd_journal * j,
+                                              uint64_t * from,
+                                              uint64_t * to);           ///< sd_journal_get_cutoff_realtime_usec
+typedef int (*w_journal_get_timestamp)(sd_journal * j, uint64_t * ret); ///< sd_journal_get_realtime_usec
+typedef int (*w_journal_get_data)(sd_journal * j,
+                                  const char * field,
+                                  const void ** data,
+                                  size_t * l);                                           ///< sd_journal_get_data
+typedef void (*w_journal_restart_data)(sd_journal * j);                                  ///< sd_journal_restart_data
+typedef int (*w_journal_enumerate_date)(sd_journal * j, const void ** data, size_t * l); ///< sd_journal_enumerate_data
+
+/**
+ * @brief Journal log library
+ *
+ * This structure is used to store the functions of the journal log library.
+ * The functions are used to interact with the journal log.
+ */
+struct w_journal_lib_t {
+    // Open and close functions
+    w_journal_open open;   ///< Open the journal log
+    w_journal_close close; ///< Close the journal log
+    // Cursor functions
+    w_journal_previous previous;             ///< Move the cursor to the previous entry
+    w_journal_next next;                     ///< Move the cursor to the next entry
+    w_journal_seek_tail seek_tail;           ///< Move the cursor to the end of the journal log
+    w_journal_seek_timestamp seek_timestamp; ///< Move the cursor to the entry with the specified timestamp
+    // Timestamp functions
+    w_journal_get_cutoff_timestamp get_cutoff_timestamp; ///< Get the oldest timestamps in the journal
+    w_journal_get_timestamp get_timestamp;               ///< Get the current time of the journal log
+    // Data functions
+    w_journal_get_data get_data;             ///< Get the data of the specified field in the current entry
+    w_journal_restart_data restart_data;     ///< Restart the enumeration of the available data
+    w_journal_enumerate_date enumerate_date; ///< Enumerate the available data in the current entry
+    void * handle;                           ///< Handle of the library
+};
+
+/**********************************************************
+ *                    Auxiliar functions
+ ***********************************************************/
+
+/**
+ * @brief Return the epoch time in microseconds
+ *
+ * @return int64_t
+ */
+STATIC INLINE uint64_t w_get_epoch_time() {
+    struct timeval tv = {0};
+    gettimeofday(&tv, NULL);
+    return (uint64_t) tv.tv_sec * 1000000 + tv.tv_usec;
+}
+
+/**
+ * @brief Convert the epoch time to a human-readable string (ISO 8601)
+ * 2022-12-19T15:02:53.288+00:00 hostnameTest processName[123]: Message Test >> Wazuh no extra el hostname
+ * The caller is responsible for freeing the returned string.
+ * @param timestamp The epoch time
+ * @return char* The human-readable string or NULL on error
+ */
+STATIC INLINE char * w_timestamp_to_string(uint64_t timestamp) {
+    struct tm tm;
+    time_t time = timestamp / 1000000;
+    if (gmtime_r(&time, &tm) == NULL) {
+        return NULL;
+    }
+
+    char * str;
+    os_calloc(sizeof("Mar 01 12:39:34") + 1, sizeof(char), str);
+    strftime(str, sizeof("Mar 01 12:39:34"), "%b %d %T", &tm);
+    return str;
+}
+
+/**
+ * @brief Convert the epoch time to a journal --since time format %Y-%m-%d %H:%M:%S
+ * i.e. 2024-03-14 14:08:52
+ * The caller is responsible for freeing the returned string.
+ * @param timestamp The epoch time
+ * @return char* The human-readable string or NULL on error
+ */
+STATIC INLINE char * w_timestamp_to_journalctl_since(uint64_t timestamp) {
+    struct tm tm;
+    time_t time = timestamp / 1000000;
+    if (gmtime_r(&time, &tm) == NULL) {
+        return NULL;
+    }
+
+    char * str;
+    os_calloc(sizeof("2024-03-14 14:08:52") + 1, sizeof(char), str);
+    strftime(str, sizeof("2024-03-14 14:08:52"), "%Y-%m-%d %T", &tm);
+    return str;
+}
+
+/**********************************************************
+ *                    Load library related
+ ***********************************************************/
+/**
+ * @brief Finds the path of a library in the process memory maps.
+ *
+ * This function searches for the specified library name in the process memory maps
+ * and returns the path of the library if found.
+ *
+ * @param library_name The name of the library to search for.
+ * @return The path of the library if found, or NULL if not found or an error occurred.
+ */
+STATIC INLINE char * find_library_path(const char * library_name) {
+    FILE * maps_file = fopen("/proc/self/maps", "r");
+    if (maps_file == NULL) {
+        return NULL;
+    }
+
+    char * line = NULL;
+    size_t len = 0;
+    char * path = NULL;
+
+    while (getline(&line, &len, maps_file) != -1) {
+        if (strstr(line, library_name) != NULL) {
+            char * path_start = strchr(line, '/');
+            if (path_start == NULL) {                
+                break; // Never happens
+            }
+            char * path_end = strchr(path_start, '\n');
+            if (path_end == NULL) {                
+                break; // Never happens
+            }
+            *path_end = '\0';
+            path = strndup(path_start, path_end - path_start);
+            break;
+        }
+    }
+
+    os_free(line);
+    fclose(maps_file);
+    return path;
+}
+
+/**
+ * @brief Checks if a file is owned by the root user.
+ *
+ * This function checks the ownership of a file by retrieving the file's
+ * stat structure and comparing the user ID (UID) with the root user's UID (0).
+ *
+ * @param library_path The path to the file to be checked.
+ * @return true if the file is owned by the root user, false otherwise.
+ */
+STATIC INLINE bool is_owned_by_root(const char * library_path) {
+    struct stat file_stat;
+    if (stat(library_path, &file_stat) != 0) {
+        return false;
+    }
+
+    return file_stat.st_uid == 0;
+}
+
+/**
+ * @brief Load and validate a function from a library.
+ *
+ * @param handle Library handle
+ * @param name Function name
+ * @param func Function pointer
+ * @return true if the function was loaded and validated successfully, false otherwise.
+ */
+STATIC INLINE bool load_and_validate_function(void * handle, const char * name, void ** func) {
+    *func = dlsym(handle, name);
+    if (*func == NULL) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_LIB_FAIL_LOAD, name, dlerror());
+        return false;
+    }
+    return true;
+}
+
+/**
+ * @brief Initialize the journal library functions
+ *
+ * The caller is responsible for freeing the returned library.
+ * @return w_journal_lib_t* The library or NULL on error
+ */
+STATIC INLINE w_journal_lib_t * w_journal_lib_init() {
+    w_journal_lib_t * lib = NULL;
+    os_calloc(1, sizeof(w_journal_lib_t), lib);
+
+    // Load the library
+    lib->handle = dlopen(W_LIB_SYSTEMD, RTLD_LAZY);
+    if (lib->handle == NULL) {
+        char * err = dlerror();
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_LIB_FAIL_LOAD, W_LIB_SYSTEMD, err == NULL ? "Unknown error" : err);
+        os_free(lib);
+        return NULL;
+    }
+
+    // Verify the ownership of the library
+    char * library_path = find_library_path(W_LIB_SYSTEMD);
+    if (library_path == NULL || !is_owned_by_root(library_path)) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_LIB_FAIL_OWN, W_LIB_SYSTEMD);
+        os_free(library_path);
+        dlclose(lib->handle);
+        os_free(lib);
+        return NULL;
+    }
+    os_free(library_path);
+
+    // Load and verify the functions
+    bool ok =
+        load_and_validate_function(lib->handle, "sd_journal_open", (void **) &lib->open)
+        && load_and_validate_function(lib->handle, "sd_journal_close", (void **) &lib->close)
+        && load_and_validate_function(lib->handle, "sd_journal_previous", (void **) &lib->previous)
+        && load_and_validate_function(lib->handle, "sd_journal_next", (void **) &lib->next)
+        && load_and_validate_function(lib->handle, "sd_journal_seek_tail", (void **) &lib->seek_tail)
+        && load_and_validate_function(lib->handle, "sd_journal_seek_realtime_usec", (void **) &lib->seek_timestamp)
+        && load_and_validate_function(lib->handle, "sd_journal_get_realtime_usec", (void **) &lib->get_timestamp)
+        && load_and_validate_function(lib->handle, "sd_journal_get_data", (void **) &lib->get_data)
+        && load_and_validate_function(lib->handle, "sd_journal_restart_data", (void **) &lib->restart_data)
+        && load_and_validate_function(lib->handle, "sd_journal_enumerate_data", (void **) &lib->enumerate_date)
+        && load_and_validate_function(
+            lib->handle, "sd_journal_get_cutoff_realtime_usec", (void **) &lib->get_cutoff_timestamp);
+
+    if (!ok) {
+        dlclose(lib->handle);
+        os_free(lib);
+        return NULL;
+    }
+
+    return lib;
+}
+
+/**********************************************************
+ *                    Context related
+ ***********************************************************/
+
+int w_journal_context_create(w_journal_context_t ** ctx) {
+    int ret = -1; // Return error by default
+
+    if (ctx == NULL) {
+        return ret;
+    }
+    os_calloc(1, sizeof(w_journal_context_t), (*ctx));
+
+    (*ctx)->lib = w_journal_lib_init();
+    if ((*ctx)->lib == NULL) {
+        os_free(*ctx);
+        return ret;
+    }
+
+    ret = (*ctx)->lib->open(&((*ctx)->journal), W_SD_JOURNAL_LOCAL_ONLY);
+    if (ret < 0) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_FAIL_OPEN, strerror(-ret));
+        dlclose((*ctx)->lib->handle);
+        os_free((*ctx)->lib);
+        os_free(*ctx);
+    }
+    return ret;
+}
+
+void w_journal_context_free(w_journal_context_t * ctx) {
+    if (ctx == NULL) {
+        return;
+    }
+
+    ctx->lib->close(ctx->journal);
+    dlclose(ctx->lib->handle);
+    os_free(ctx->lib);
+    os_free(ctx);
+}
+
+void w_journal_context_update_timestamp(w_journal_context_t * ctx) {
+    static bool failed_logged = false;
+    if (ctx == NULL) {
+        return;
+    }
+
+    int err = ctx->lib->get_timestamp(ctx->journal, &(ctx->timestamp));
+    if (err < 0) {
+        ctx->timestamp = w_get_epoch_time();
+        if (!failed_logged) {
+            failed_logged = true;
+            mwarn(LOGCOLLECTOR_JOURNAL_LOG_FAIL_READ_TS, strerror(-err));
+        }
+    }
+}
+
+int w_journal_context_seek_most_recent(w_journal_context_t * ctx) {  
+    
+    if (ctx == NULL) {
+        return -1;
+    }
+
+    int err = ctx->lib->seek_tail(ctx->journal);
+    if (err < 0) {
+        return err;
+    }
+
+    err = ctx->lib->previous(ctx->journal);
+    // if change cursor, update timestamp
+    if (err > 0) {
+        w_journal_context_update_timestamp(ctx);
+    }
+    return err;
+}
+
+int w_journal_context_seek_timestamp(w_journal_context_t * ctx, uint64_t timestamp) {
+    
+    if (ctx == NULL) {
+        return -1;
+    }
+
+    // If the timestamp is in the future or invalid, seek the most recent entry
+    if (timestamp == 0 || timestamp > w_get_epoch_time()) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_FUTURE_TS, timestamp);
+        return w_journal_context_seek_most_recent(ctx);
+    }
+
+    // Check if the timestamp is older than the oldest available
+    uint64_t oldest;
+    int err = w_journal_context_get_oldest_timestamp(ctx, &oldest);
+
+    if (err < 0) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_FAIL_READ_OLD_TS, strerror(-err));
+    } else if (timestamp < oldest) {
+        mwarn(LOGCOLLECTOR_JOURNAL_LOG_CHANGE_TS, timestamp);
+        timestamp = oldest;
+    }
+
+    err = ctx->lib->seek_timestamp(ctx->journal, timestamp);
+    if (err < 0) {
+        return err;
+    }
+
+    err = ctx->lib->next(ctx->journal);
+    if (err > 0) // if the cursor change, update timestamp
+    {
+        w_journal_context_update_timestamp(ctx);
+    }
+    return err;
+}
+
+int w_journal_context_next_newest(w_journal_context_t * ctx) {
+    
+    if (ctx == NULL) {
+        return -1;
+    }
+
+    int ret = ctx->lib->next(ctx->journal);
+
+    // if change cursor, update timestamp
+    if (ret > 0) {
+        w_journal_context_update_timestamp(ctx);
+    }
+
+    return ret;
+}
+
+int w_journal_context_next_newest_filtered(w_journal_context_t * ctx, w_journal_filters_list_t filters) {
+
+    if (filters == NULL) {
+        return w_journal_context_next_newest(ctx);
+    }
+
+    int ret = 0;
+    while ((ret = w_journal_context_next_newest(ctx)) > 0) {
+        if (isDebug()) {
+            char * ts = w_timestamp_to_journalctl_since(ctx->timestamp);
+            mdebug2(LOGCOLLECTOR_JOURNAL_LOG_CHECK_FILTER, ts == NULL ? "unknown" : ts);
+            os_free(ts);
+        }
+
+        for (size_t i = 0; filters[i] != NULL; i++) {
+            if (w_journal_filter_apply(ctx, filters[i]) > 0) {
+                return 1;
+            }
+        }
+    };
+
+    return ret;
+}
+
+// Check return value on value un error
+int w_journal_context_get_oldest_timestamp(w_journal_context_t * ctx, uint64_t * timestamp) {
+    return ctx->lib->get_cutoff_timestamp(ctx->journal, timestamp, NULL);
+}
+
+/**********************************************************
+ *                   Entry related
+ **********************************************************/
+/**
+ * @brief Create a JSON object with the available data in the journal log context
+ *
+ * The caller is responsible for freeing the returned cJSON object.
+ * @param ctx Journal log context
+ * @return cJSON* JSON object with the available data or NULL on error
+ */
+STATIC INLINE cJSON * entry_as_json(w_journal_context_t * ctx) {
+    cJSON * dump = cJSON_CreateObject();
+    int isEmpty = 1; // Flag to check if the entry is empty
+
+    // Iterate through the available data
+    const void * data;
+    size_t length;
+    ctx->lib->restart_data(ctx->journal);
+    while (ctx->lib->enumerate_date(ctx->journal, &data, &length) > 0) {
+        // Value is a string "key=value" without null-terminator
+        const char * equal_sign = memchr(data, '=', length);
+        if (!equal_sign) {
+            continue;
+        }
+
+        size_t key_len = equal_sign - (const char *) data;
+        size_t value_len = length - key_len - 1;
+
+        char * key = strndup(data, key_len);
+        char * value = strndup(equal_sign + 1, value_len);
+
+        // Add the key and value to the JSON object
+        cJSON_AddStringToObject(dump, key, value);
+        isEmpty = 0;
+
+        os_free(key);
+        os_free(value);
+    }
+
+    // Error or no data
+    if (isEmpty) {
+        cJSON_Delete(dump);
+        return NULL;
+    }
+    return dump;
+}
+
+/**
+ * @brief Get the field pointer from the current entry in the journal log context
+ *
+ * @param ctx Journal log context
+ * @param field Field to get
+ * @param value
+ * @return int
+ */
+STATIC INLINE char * get_field_ptr(w_journal_context_t * ctx, const char * field) {
+    const void * data;
+    size_t length;
+
+    int err = ctx->lib->get_data(ctx->journal, field, &data, &length);
+    if (err < 0) {
+        return NULL;
+    }
+
+    // Assume that the value is a string "key=value"
+    const char * equal_sign = memchr(data, '=', length);
+    if (!equal_sign) {
+        return NULL; // Invalid value
+    }
+
+    // Copy the value
+    size_t key_len = equal_sign - (const char *) data;
+    size_t value_len = length - key_len - 1;
+
+    return strndup(equal_sign + 1, value_len);
+}
+
+/**
+ * @brief Create a syslog plaain text message from the basic fields
+ *
+ * The syslog format is: $TIMESTAMP $HOSTNAME $SYSLOG_IDENTIFIER[$PID]: $MESSAGE
+ *
+ *  * The caller is responsible for freeing the returned string.
+ * @param timestamp  The timestamp
+ * @param hostname
+ * @param syslog_identifier
+ * @param pid
+ * @param message
+ * @return char*
+ * @warning The arguments must be valid strings (except pid)
+ */
+STATIC INLINE char * create_plain_syslog(const char * timestamp,
+                                         const char * hostname,
+                                         const char * syslog_identifier,
+                                         const char * pid,
+                                         const char * message) {
+    static const char * syslog_format = "%s %s %s%s%s%s: %s";
+
+    size_t size = snprintf(NULL,
+                           0,
+                           syslog_format,
+                           timestamp,
+                           hostname,
+                           syslog_identifier,
+                           pid ? "[" : "",
+                           pid ? pid : "",
+                           pid ? "]" : "",
+                           message)
+                  + 1;
+
+    char * syslog_msg;
+    os_calloc(size, sizeof(char), syslog_msg);
+    snprintf(syslog_msg,
+             size,
+             syslog_format,
+             timestamp,
+             hostname,
+             syslog_identifier,
+             pid ? "[" : "",
+             pid ? pid : "",
+             pid ? "]" : "",
+             message);
+    return syslog_msg;
+}
+
+/**
+ * @brief Create the entry from the current entry in the journal log context
+ *
+ * @param ctx
+ * @param type
+ * @return w_journal_entry_t*
+ */
+STATIC INLINE char * entry_as_syslog(w_journal_context_t * ctx) {
+
+    char * hostname = get_field_ptr(ctx, "_HOSTNAME");
+    char * syslog_identifier = get_field_ptr(ctx, "SYSLOG_IDENTIFIER");
+    char * message = get_field_ptr(ctx, "MESSAGE");
+    char * pid = get_field_ptr(ctx, "SYSLOG_PID");
+    if (pid == NULL) {
+        pid = get_field_ptr(ctx, "_PID");
+    }
+    char * timestamp = w_timestamp_to_string(ctx->timestamp);
+
+    if (!hostname || !syslog_identifier || !message || !timestamp) {
+        mdebug2(LOGCOLLECTOR_JOURNAL_LOG_NOT_SYSLOG, ctx->timestamp);
+        os_free(hostname);
+        os_free(syslog_identifier);
+        os_free(message);
+        os_free(pid);
+        os_free(timestamp);
+        return NULL;
+    }
+
+    char * syslog_msg = create_plain_syslog(timestamp, hostname, syslog_identifier, pid, message);
+
+    // Free the memory
+    os_free(hostname);
+    os_free(syslog_identifier);
+    os_free(message);
+    os_free(pid);
+    os_free(timestamp);
+
+    return syslog_msg;
+}
+
+w_journal_entry_t * w_journal_entry_dump(w_journal_context_t * ctx, w_journal_entry_dump_type_t type) {
+
+    if (ctx == NULL || ctx->journal == NULL) {
+        return NULL;
+    }
+
+    w_journal_entry_t * entry = NULL;
+    os_calloc(1, sizeof(w_journal_entry_t), entry);
+    entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_INVALID;
+    entry->timestamp = ctx->timestamp;
+
+    // Create the dump
+    switch (type) {
+    case W_JOURNAL_ENTRY_DUMP_TYPE_JSON:
+        entry->data.json = entry_as_json(ctx);
+        if (entry->data.json != NULL) {
+            entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_JSON;
+        }
+        break;
+    case W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG:
+        entry->data.syslog = entry_as_syslog(ctx);
+        if (entry->data.syslog != NULL) {
+            entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG;
+        }
+        break;
+    default:
+        break;
+    }
+
+    if (entry->type == W_JOURNAL_ENTRY_DUMP_TYPE_INVALID) {
+        os_free(entry);
+        return NULL;
+    }
+    return entry;
+}
+
+void w_journal_entry_free(w_journal_entry_t * entry) {
+
+    if (entry == NULL) {
+        return;
+    }
+
+    switch (entry->type) {
+    case W_JOURNAL_ENTRY_DUMP_TYPE_JSON:
+        cJSON_Delete(entry->data.json);
+        break;
+    case W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG:
+        os_free(entry->data.syslog);
+        break;
+    default:
+        break;
+    }
+    os_free(entry);
+}
+
+char * w_journal_entry_to_string(w_journal_entry_t * entry) {
+
+    if (entry == NULL) {
+        return NULL;
+    }
+
+    char * str = NULL;
+    switch (entry->type) {
+    case W_JOURNAL_ENTRY_DUMP_TYPE_JSON:
+        str = cJSON_PrintUnformatted(entry->data.json);
+        break;
+    case W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG:
+        str = strdup(entry->data.syslog);
+        break;
+    default:
+        break;
+    }
+    return str;
+}
+
+/**********************************************************
+ *                   Filter related
+ **********************************************************/
+
+/**
+ * @brief Apply the filter to the current entry of the journal log context.
+ *
+ * @param ctx Journal log context
+ * @param filter Journal log filter
+ * @return int 1 if the entry matches the filter, 0 if it does not match, -1 on error
+ */
+int w_journal_filter_apply(w_journal_context_t * ctx, w_journal_filter_t * filter) {
+
+    if (ctx == NULL || filter == NULL) {
+        return -1;
+    }
+
+    for (size_t i = 0; i < filter->units_size; i++) {
+        _w_journal_filter_unit_t * unit = filter->units[i];
+
+        // Get the data
+        const char * data;
+        size_t length;
+
+        int err = ctx->lib->get_data(ctx->journal, unit->field, (const void **) &data, &length);
+        if (err < 0) {
+            if (unit->ignore_if_missing) {
+                continue;
+            } else {
+                mdebug2(LOGCOLLECTOR_JOURNAL_LOG_FIELD_ERROR, unit->field, ctx->timestamp, strerror(-err));
+                return err;
+            }
+        }
+
+        // Extract the value (data: key=value)
+        size_t keyPart_len = strnlen(unit->field, length) + 1;
+        if (keyPart_len > length) {
+            return -1; // invalid value
+        }
+        size_t value_len = length - keyPart_len;
+        char * value_str = strndup(data + keyPart_len, value_len);
+        const char * end_match;
+
+        bool match = w_expression_match(unit->exp, value_str, &end_match, NULL);
+
+        os_free(value_str);
+        if (!match) {
+            return 0; // No match
+        }
+    }
+
+    return 1; // Match
+}
+
+#endif
diff --git a/src/modules/logcollector/src/lccom.c b/src/modules/logcollector/src/lccom.c
new file mode 100644
index 0000000000..5d1ffee723
--- /dev/null
+++ b/src/modules/logcollector/src/lccom.c
@@ -0,0 +1,579 @@
+/* Remote request listener
+ * Copyright (C) 2015, Wazuh Inc.
+ * Mar 12, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <shared.h>
+#include "logcollector.h"
+#include "wazuh_modules/wmodules.h"
+#include "os_net/os_net.h"
+#include "state.h"
+
+#define LEN_LOCATION        (10)    /*!< length of "location"*/
+#define LEN_BOOL_STR        (5)     /*!< length of "false"*/
+#define MAX_LEN_HEADER      (150)   /*!< length of maximun header*/
+#define OFFSET_HEADER_TAGS  (3)
+#define OFFSET_CLOSING_TAGS (2)
+#define AMOUNT_CLOSING_TAGS (4)
+
+#define TAG_ERROR           "{\"error\""
+#define TAG_DATA            "\"data\""
+#define TAG_GLOBAL          "\"global\""
+#define TAG_FILES           "\"files\""
+#define TAG_INTERVAL        "\"interval\""
+#define TAG_LOCATION        "\"location\""
+
+bool getObjectIndexFromJsonStats(char *outjson_aux, size_t *ptrs, uint16_t *amountObj);
+uint16_t checkJson64k(char *outjson, uint16_t initialIndex, uint16_t amountObj, size_t *ptrs, char *output, size_t *sizeOutput);
+void addHeader(char *strJson, char *bufferTmp, char *headerData, size_t lenHeaderData, char *header, size_t lenHeader);
+void addClosingTags(char *strJson);
+void extractHeadersFromJson(char *buffJson, char *headerGlobal, char *headerInterval, char *headerData, size_t *LenHeaderInterval, size_t *LenHeaderData, size_t *LenHeaderGlobal);
+void addStartandEndTagsToJsonStrBlock(char *buffJson, char *headerGlobal, char *headerInterval, char *headerData, size_t LenHeaderInterval, size_t LenHeaderData, size_t LenHeaderGlobal, size_t counter, bool getNextPage);
+bool isJsonUpdated(void);
+uint16_t getJsonStr64kBlockFromLatestIndex(char **output, bool getNextPage);
+void replaceBoolToStr(char *buffer, char *match, bool value);
+
+size_t lccom_dispatch(char * command, char ** output){
+
+    const char *rcv_comm = command;
+    char *rcv_args = NULL;
+
+    if ((rcv_args = strchr(rcv_comm, ' '))){
+        *rcv_args = '\0';
+        rcv_args++;
+    }
+
+    if (strcmp(rcv_comm, "getconfig") == 0){
+        // getconfig section
+        if (!rcv_args){
+            mdebug1("LCCOM getconfig needs arguments.");
+            os_strdup("err LCCOM getconfig needs arguments", *output);
+            return strlen(*output);
+        }
+        return lccom_getconfig(rcv_args, output);
+
+    } else if (strcmp(rcv_comm, "getstate") == 0) {
+        if (rcv_args && !strncmp(rcv_args, "next", 4)){
+            return lccom_getstate(output, true);
+        }
+        return lccom_getstate(output, false);
+    } else {
+        mdebug1("LCCOM Unrecognized command '%s'.", rcv_comm);
+        os_strdup("err Unrecognized command", *output);
+        return strlen(*output);
+    }
+}
+
+/**
+ * @brief Get the Object Index From Json Stats object
+ *
+ * @param outjson_aux json data file in string format
+ * @param ptrs pointer to json data for store all positions of "location" or Index
+ * @param amountObj amount objects inside json data file
+ * @return true all indexes are stored
+ * @return false not all indexes are stored
+ */
+bool getObjectIndexFromJsonStats(char *outjson_aux, size_t *ptrs, uint16_t *amountObj) {
+    bool isReadyIndex = false;
+    int i = 0;
+    ptrs[i++] = (size_t)outjson_aux;   //ptrs[0] inicio de estadisticas sin 1er location
+
+    while (outjson_aux != NULL) {
+        outjson_aux = strstr(outjson_aux, TAG_LOCATION);
+        if (outjson_aux == NULL) {
+            isReadyIndex =  true;
+            break;
+        }
+        ptrs[i++] = (size_t)(&outjson_aux[0]);
+        outjson_aux = outjson_aux + LEN_LOCATION;
+    }
+    *amountObj = i;
+    return isReadyIndex;
+}
+
+/**
+ * @brief Check that the json file is lower than 64k and split it
+ *
+ * @param outjson json data file in string format
+ * @param initialIndex start index for next request
+ * @param amountObj amount objects inside json data file
+ * @param ptrs pointer to json data for store all positions of "location"
+ * @param output json string split without closing and opening tags, no greater than 64KB
+ * @param sizeOutput size output
+ * @return uint16_t last calculated index
+ */
+uint16_t checkJson64k(char *outjson, uint16_t initialIndex, uint16_t amountObj, size_t *ptrs, char *output, size_t *sizeOutput) {
+
+    size_t counter = 0;
+    uint16_t currentIndex = (initialIndex == 0) ? 1 : initialIndex;
+    uint16_t lastIndex = 0;
+
+    if (output != NULL && outjson != NULL) {
+        while ( currentIndex < amountObj ) {
+            size_t len = ptrs[currentIndex] - ptrs[currentIndex-1];
+            size_t currentLength = len;
+            counter += currentLength;
+            if (counter < OS_MAXSTR - OS_SIZE_1024) {
+                currentIndex++;
+            } else {
+                memset(output, 0, OS_MAXSTR);
+                memcpy(output, (const char *)ptrs[initialIndex], ptrs[currentIndex-1] - ptrs[initialIndex]);
+                lastIndex = currentIndex - 1;
+                counter = 0;
+                currentIndex = 1;
+                break;
+            }
+        }
+
+        if (currentIndex != 1 && (counter < OS_MAXSTR - OS_SIZE_1024)) {
+            memset(output, 0, OS_MAXSTR);
+            strncpy(output, outjson + ptrs[initialIndex] - ptrs[0],
+                ptrs[currentIndex-1] - ptrs[initialIndex == 0 ? initialIndex : (initialIndex-1)] +
+                strlen(outjson + ptrs[currentIndex-1] - ptrs[0]));
+        }
+    }
+    *sizeOutput = counter;
+    return currentIndex == 1 ? lastIndex : currentIndex;
+}
+
+/**
+ * @brief add error and global/interval header tag to json block
+ *
+ * @param strJson json string split without closing and opening tags, no greater than 64KB
+ * @param bufferTmp temporal buffer for store closing and opening tags
+ * @param headerData header tag to object data
+ * @param lenHeaderData header tag length for object data
+ * @param header header tag to object global/interval
+ * @param lenHeader header tag length for object global/interval
+ */
+void addHeader(char *strJson, char *bufferTmp, char *headerData, size_t lenHeaderData, char *header, size_t lenHeader) {
+    if (bufferTmp != NULL && strJson != NULL) {
+        memcpy(bufferTmp, headerData, lenHeaderData);
+        memcpy(bufferTmp + lenHeaderData, header, lenHeader);
+        memcpy(bufferTmp + lenHeaderData + lenHeader, strJson, OS_MAXSTR - lenHeaderData - lenHeader - 1);
+        memset(strJson, 0 , OS_MAXSTR);
+        memcpy(strJson, bufferTmp, OS_MAXSTR - 1);
+    }
+}
+
+/**
+ * @brief add closing tags
+ *
+ * @param strJson json string split with opening tags but without closing tags, no greater than 64k
+ */
+void addClosingTags(char *strJson) {
+    if (strJson != NULL) {
+        memcpy(strJson + strlen(strJson) - OFFSET_CLOSING_TAGS, "]}}}", AMOUNT_CLOSING_TAGS);
+    }
+}
+
+/**
+ * @brief extract all headers tags from json data
+ *
+ * @param buffJson json data file in string format
+ * @param headerGlobal buffer to store global header
+ * @param headerInterval buffer to store interval header
+ * @param headerData buffer to store data header
+ * @param LenHeaderInterval pointer to store length of interval
+ * @param LenHeaderData pointer to store length of data
+ * @param LenHeaderGlobal pointer to store length of global
+ */
+void extractHeadersFromJson(char *buffJson, char *headerGlobal, char *headerInterval, char *headerData, size_t *LenHeaderInterval, size_t *LenHeaderData, size_t *LenHeaderGlobal) {
+    char *ptrInterval = NULL;
+    char *ptrFilesInterval = NULL;
+    char *ptrGlobal = NULL;
+    char *ptrFilesGlobal = NULL;
+    char *ptrData = NULL;
+
+    if (buffJson != NULL) {
+        if (headerGlobal != NULL && headerInterval != NULL) {
+            if ((ptrGlobal = strstr(buffJson, TAG_GLOBAL)) != NULL) {
+                if ((ptrFilesGlobal = strstr(ptrGlobal, TAG_FILES)) != NULL) {
+                    *LenHeaderGlobal = ptrFilesGlobal - ptrGlobal + strlen(TAG_FILES) + OFFSET_HEADER_TAGS;
+                    memcpy(headerGlobal, ptrGlobal, *LenHeaderGlobal);
+                }
+            }
+        }
+
+        if (headerInterval != NULL && LenHeaderInterval != NULL) {
+            if ((ptrInterval = strstr(buffJson, TAG_INTERVAL)) != NULL) {
+                if ((ptrFilesInterval = strstr(ptrInterval, TAG_FILES)) != NULL) {
+                    *LenHeaderInterval = ptrFilesInterval - ptrInterval + strlen(TAG_FILES) + OFFSET_HEADER_TAGS;
+                    memcpy(headerInterval, ptrInterval, *LenHeaderInterval);
+                }
+            }
+        }
+
+        if (headerData != NULL && LenHeaderData != NULL) {
+            if ((ptrData = strstr(buffJson, TAG_DATA)) != NULL) {
+                *LenHeaderData = ptrData + strlen(TAG_FILES) - buffJson + 1;
+                memcpy(headerData, buffJson, *LenHeaderData);
+            }
+        }
+    }
+}
+
+/**
+ * @brief add opening and closing tags to json block less than 64KB
+ *
+ * @param buffJson json data file in string format
+ * @param headerGlobal buffer containing the global header
+ * @param headerInterval buffer containing the interval header
+ * @param headerData buffer containing the data header
+ * @param LenHeaderInterval length of interval header
+ * @param LenHeaderData length of interval header
+ * @param LenHeaderGlobal length of interval header
+ * @param counter block size, if it is 0 it means that the block is larger than 64KB
+ * @param getNextPage false mean that start from first page, otherwise the get next page sequentially
+ */
+void addStartandEndTagsToJsonStrBlock(char *buffJson, char *headerGlobal, char *headerInterval, char *headerData, size_t LenHeaderInterval, size_t LenHeaderData, size_t LenHeaderGlobal, size_t counter, bool getNextPage) {
+    static bool flag_interval = false;
+    static bool flag_global   = false;
+    char bufferTmp[OS_MAXSTR] = {0};
+    memset(bufferTmp, 0, OS_MAXSTR);
+
+    /* starts from the first page when the request is getstate*/
+    if (getNextPage == false) {
+        flag_interval = false;
+        flag_global   = false;
+    }
+
+    if (buffJson != NULL && headerGlobal != NULL && headerInterval != NULL && headerData != NULL) {
+        if (flag_global == false) {
+            if (strstr(buffJson, TAG_ERROR) != NULL) {
+                if (strstr(buffJson, TAG_DATA) != NULL) {
+                    if (strstr(buffJson, TAG_GLOBAL) != NULL) {
+                        flag_global = true;
+                        if (strstr(buffJson, TAG_FILES) != NULL) {
+                            if (strstr(buffJson, TAG_INTERVAL) != NULL) {
+                                flag_interval = true;
+                                if (counter == 0) {
+                                    /* 1: find error,data,global,files,intervals,files
+                                            and greather than 64k
+                                    */
+                                    addClosingTags(buffJson);
+                                } else {
+                                    /* 2: find error,data,global,files,intervals,files
+                                            and lower than 64k, it closes self
+                                    */
+                                    flag_interval = false;
+                                    flag_global = false;
+                                }
+                            } else {
+                                /* 3:
+                                find error,data,global,files, dont find intervals,files
+                                and greather than 64k
+                                */
+                                addClosingTags(buffJson);
+                                flag_interval = false;
+                            }
+                        }
+                    } else {
+                        flag_global = false;
+                        mwarn("'global' tag no found in logcollector JSON stats");
+                    }
+                }
+            }
+        } else if (flag_interval == false && flag_global == true) {
+            if (strstr(buffJson, TAG_INTERVAL) != NULL) {
+                flag_interval = true;
+                if (counter == 0) {
+                    /* 4: remainder of first block onwards, already find global
+                    find intervals,files and greather than 64k
+                    */
+                    addClosingTags(buffJson);
+                    addHeader(buffJson, bufferTmp, headerData, LenHeaderData, headerGlobal, LenHeaderGlobal);
+                } else  {
+                    /* 5: remainder of first block onwards, already find global
+                    find intervals,files and lower than 64k, it closes self
+                    */
+                    addHeader(buffJson, bufferTmp, headerData, LenHeaderData, headerGlobal, LenHeaderGlobal);
+                    flag_interval = false;
+                }
+            } else {
+                /* 6: remainder of first block onwards, already find global
+                intervals,files not found and greather than 64k
+                always  global and interval are full json therefore dont is need lower than 64k
+                */
+                addClosingTags(buffJson);
+                addHeader(buffJson, bufferTmp, headerData, LenHeaderData, headerGlobal, LenHeaderGlobal);
+                flag_interval = false;
+            }
+        } else if (flag_interval == true && flag_global == true) {
+            if (counter == 0) {
+                /* 7:
+                remainder of interval block onwards
+                greather than 64k
+                */
+                addClosingTags(buffJson);
+                addHeader(buffJson, bufferTmp, headerData, LenHeaderData, headerInterval, LenHeaderInterval);
+            } else {
+                /* 8:
+                remainder of interval block onwards
+                lower than 64k, it closes self
+                */
+                addHeader(buffJson, bufferTmp, headerData, LenHeaderData, headerInterval, LenHeaderInterval);
+                flag_interval = false;
+                flag_global = false;
+            }
+        }
+    }
+}
+
+/**
+ * @brief returns if at this moment the json file was updated automatically
+ *
+ * @return true it was updated
+ * @return false it was not updated
+ */
+bool isJsonUpdated(void) {
+    static time_t mtime_prev = 0;
+    time_t mtime_current = 0;
+    struct stat outstat;
+    struct tm *tm_stat;
+    char date_string[256];
+    bool isJsonUpdated = false;
+
+    /*should be reset index to the first page when some files are added or removed*/
+    if (stat(LOGCOLLECTOR_STATE, &outstat) == 0) {
+        tm_stat = localtime(&outstat.st_mtime);
+        /* Get localized date string. */
+        strftime(date_string, sizeof(date_string), "%c", tm_stat);
+        mtime_current = mktime(tm_stat);
+        mdebug2(" %s %s", date_string, LOGCOLLECTOR_STATE);
+    }
+
+    if (difftime(mtime_current, mtime_prev) != 0 && mtime_prev != 0) {
+        mdebug2("Logcollector JSON stats have been updated.");
+        isJsonUpdated = true;
+    }
+    mtime_prev = mtime_current;
+
+    return isJsonUpdated;
+}
+
+/**
+ * @brief Get the Json Str64k Block From Latest Index object
+ *
+ * @param output double pointer to store global json data
+ * @param getNextPage indicate that you should request the next page (true) or first page (false)
+ * @return uint16_t size of *output
+ */
+uint16_t getJsonStr64kBlockFromLatestIndex(char **output, bool getNextPage) {
+    char buffer[OS_MAXSTR] = {0};
+    char headerGlobal[MAX_LEN_HEADER] = {0};
+    char headerInterval[MAX_LEN_HEADER] = {0};
+    char headerData[MAX_LEN_HEADER] = {0};
+    bool isReadyIndex = 0;
+    uint16_t i = 0;
+    static uint16_t apiLatestIndex = 0;
+    size_t ptrs[OS_MAXSTR] = {0};
+    size_t counter = 0;
+    size_t LenHeaderInterval = 0;
+    size_t LenHeaderData = 0;
+    size_t LenHeaderGlobal = 0;
+
+    isReadyIndex = getObjectIndexFromJsonStats(*output, ptrs, &i);
+    apiLatestIndex = (getNextPage == false) ? 0 : apiLatestIndex;
+    extractHeadersFromJson(*output, headerGlobal, headerInterval, headerData, &LenHeaderInterval, &LenHeaderData, &LenHeaderGlobal);
+
+    if (isReadyIndex) {
+        apiLatestIndex = checkJson64k(*output, apiLatestIndex, i, ptrs, buffer, &counter);
+        addStartandEndTagsToJsonStrBlock(buffer, headerGlobal, headerInterval, headerData,
+                                        LenHeaderInterval, LenHeaderData, LenHeaderGlobal, counter, getNextPage);
+
+        if (apiLatestIndex == i) {
+            apiLatestIndex = 0;
+            i = 0;
+            memset(headerGlobal, 0, MAX_LEN_HEADER);
+            memset(headerInterval, 0, MAX_LEN_HEADER);
+            memset(headerData, 0, MAX_LEN_HEADER);
+            memset(ptrs, 0, OS_MAXSTR - 1);
+            LenHeaderInterval = 0;
+            LenHeaderData = 0;
+            LenHeaderGlobal = 0;
+        }
+        os_free(*output);
+        os_strdup(buffer, *output);
+    }
+    return  strlen(buffer);
+}
+
+/**
+ * @brief replace bool to string bool in json block str
+ *
+ * @param buffer json block
+ * @param match object name to match from json block
+ * @param value true or false
+ */
+void replaceBoolToStr(char *buffer, char *match, bool value) {
+    char *ptr = NULL;
+    if (buffer != NULL && match != NULL) {
+        if ((ptr = strstr(buffer, match)) != NULL) {
+            memcpy(ptr + strlen(match), value == true ? "true " : "false", LEN_BOOL_STR);
+        }
+    }
+}
+
+size_t lccom_getstate(char ** output, bool getNextPage) {
+    size_t retval = 0;
+    cJSON * state_json = NULL;
+    cJSON * w_packet = cJSON_CreateObject();
+    if (state_json = w_logcollector_state_get(), state_json == NULL) {
+        cJSON_AddNumberToObject(w_packet, "error", 1);
+        cJSON_AddObjectToObject(w_packet, "data");
+        cJSON_AddStringToObject(w_packet, "message", "Statistics unavailable");
+        mdebug1("At LCCOM getstate: Statistics unavailable");
+    } else {
+        cJSON_AddNumberToObject(w_packet, "error", 0);
+        cJSON_AddFalseToObject(w_packet, "remaining");
+        cJSON_AddFalseToObject(w_packet, "json_updated");
+        cJSON_AddItemToObject(w_packet, "data", state_json);
+    }
+    *output = cJSON_PrintUnformatted(w_packet);
+    cJSON_Delete(w_packet);
+
+    /* '*output' point to the global json without split*/
+    if (strlen(*output) >= OS_MAXSTR) {
+        retval = getJsonStr64kBlockFromLatestIndex(output, getNextPage);
+
+        /* '*output' point to the block of length <= 64k*/
+        replaceBoolToStr(*output, "\"remaining\":", strlen(*output) >= OS_MAXSTR - (2*OS_SIZE_1024));
+        replaceBoolToStr(*output, "\"json_updated\":", isJsonUpdated());
+    } else {
+        retval = strlen(*output);
+    }
+    return retval;
+}
+
+size_t lccom_getconfig(const char * section, char ** output) {
+
+    cJSON *cfg;
+    char *json_str;
+
+    if (strcmp(section, "localfile") == 0){
+        if (cfg = getLocalfileConfig(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "socket") == 0){
+        if (cfg = getSocketConfig(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else if (strcmp(section, "internal") == 0){
+        if (cfg = getLogcollectorInternalOptions(), cfg) {
+            os_strdup("ok", *output);
+            json_str = cJSON_PrintUnformatted(cfg);
+            wm_strcat(output, json_str, ' ');
+            free(json_str);
+            cJSON_Delete(cfg);
+            return strlen(*output);
+        } else {
+            goto error;
+        }
+    } else {
+        goto error;
+    }
+error:
+    mdebug1("At LCCOM getconfig: Could not get '%s' section", section);
+    os_strdup("err Could not get requested section", *output);
+    return strlen(*output);
+}
+
+
+#ifndef WIN32
+void * lccom_main(__attribute__((unused)) void * arg) {
+    int sock;
+    int peer;
+    char *buffer = NULL;
+    char *response = NULL;
+    ssize_t length;
+    fd_set fdset;
+
+    mdebug1("Local requests thread ready");
+
+    if (sock = OS_BindUnixDomain(LC_LOCAL_SOCK, SOCK_STREAM, OS_MAXSTR), sock < 0) {
+        merror("Unable to bind to socket '%s': (%d) %s.", LC_LOCAL_SOCK, errno, strerror(errno));
+        return NULL;
+    }
+
+    while (1) {
+
+        // Wait for socket
+        FD_ZERO(&fdset);
+        FD_SET(sock, &fdset);
+
+        switch (select(sock + 1, &fdset, NULL, NULL, NULL)) {
+        case -1:
+            if (errno != EINTR) {
+                merror_exit("At lccom_main(): select(): %s", strerror(errno));
+            }
+
+            continue;
+
+        case 0:
+            continue;
+        }
+
+        if (peer = accept(sock, NULL, NULL), peer < 0) {
+            if (errno != EINTR) {
+                merror("At lccom_main(): accept(): %s", strerror(errno));
+            }
+
+            continue;
+        }
+
+        os_calloc(OS_MAXSTR, sizeof(char), buffer);
+        switch (length = OS_RecvSecureTCP(peer, buffer,OS_MAXSTR), length) {
+        case OS_SOCKTERR:
+            merror("At lccom_main(): OS_RecvSecureTCP(): response size is bigger than expected");
+            break;
+
+        case -1:
+            merror("At lccom_main(): OS_RecvSecureTCP(): %s", strerror(errno));
+            break;
+
+        case 0:
+            mdebug1("Empty message from local client.");
+            close(peer);
+            break;
+
+        case OS_MAXLEN:
+            merror("Received message > %i", MAX_DYN_STR);
+            close(peer);
+            break;
+
+        default:
+            length = lccom_dispatch(buffer, &response);
+            OS_SendSecureTCP(peer, length, response);
+            free(response);
+            close(peer);
+        }
+        free(buffer);
+    }
+
+    mdebug1("Local server thread finished.");
+
+    close(sock);
+    return NULL;
+}
+
+#endif
diff --git a/src/modules/logcollector/src/logcollector.c b/src/modules/logcollector/src/logcollector.c
index e69de29bb2..564c181cf9 100644
--- a/src/modules/logcollector/src/logcollector.c
+++ b/src/modules/logcollector/src/logcollector.c
@@ -0,0 +1,2988 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "state.h"
+#include <math.h>
+#include <pthread.h>
+#include "sysinfo_utils.h"
+#include <openssl/evp.h>
+
+// Remove STATIC qualifier from tests
+#ifdef WAZUH_UNIT_TESTING
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+#define MAX_ASCII_LINES 10
+#define MAX_UTF8_CHARS 1400
+#define OFFSET_SIZE     21  ///< Maximum 64-bit integer is 20-char long, plus 1 because of the '\0'
+
+/* Prototypes */
+static int update_fname(int i, int j);
+static int update_current(logreader **current, int *i, int *j);
+static void set_read(logreader *current, int i, int j);
+static IT_control remove_duplicates(logreader *current, int i, int j);
+static int find_duplicate_inode(logreader * lf);
+static void set_sockets();
+static void files_lock_init(void);
+static void check_text_only();
+static int check_pattern_expand(int do_seek);
+static void check_pattern_expand_excluded();
+static void set_can_read(int value);
+
+/**
+ * @brief Releases the data structure stored in the hash table 'files_status'.
+ * @param data Structure of the data to be released
+ */
+STATIC void free_files_status_data(os_file_status_t *data);
+
+/**
+ * @brief Create files_status hash and load the previous estatus from JSON file
+ */
+STATIC void w_initialize_file_status();
+
+/**
+ * @brief Before stop logcollector save the files_status hash on JSON file
+ */
+STATIC void w_save_file_status();
+
+/**
+ * @brief Load files_status data to hash
+ * @param global_json json wich contains the previous files_status hash
+ */
+STATIC void w_load_files_status(cJSON *global_json);
+
+/**
+ * @brief Parse the hash files_status to JSON
+ * @return json of all read status files in a string
+ */
+STATIC char * w_save_files_status_to_cJSON();
+
+/**
+ * @brief Set file on the last line read or on the end in case the status hasn't been saved.
+ * @param lf logreader to set
+ * @return 0 on success, otherwise -1
+ */
+STATIC int w_set_to_last_line_read(logreader *lf);
+
+/**
+ * @brief Set file on the end
+ * @param lf logreader to set
+ * @return 0 on success, otherwise -1
+ */
+STATIC int64_t w_set_to_pos(logreader *lf, int64_t pos, int mode);
+
+/**
+ * @brief Update or add (if it not exit) hash node
+ * @param path Hash key
+ * @param pos Offset of hash
+ * @return 0 on success, otherwise -1
+ */
+STATIC int w_update_hash_node(char * path, int64_t pos);
+
+/* Global variables */
+int loop_timeout;
+int logr_queue;
+int open_file_attempts;
+logreader *logff;
+logreader_glob *globs;
+socket_forwarder *logsk;
+int vcheck_files;
+int maximum_lines;
+int sample_log_length;
+int force_reload;
+int reload_interval;
+int reload_delay;
+int free_excluded_files_interval;
+int state_interval;
+OSHash * msg_queues_table;
+
+///< To asociate the path, the position to read, and the hash key of lines read.
+OSHash * files_status;
+///< Use for log messages
+char *files_status_name = "file_status";
+static int _cday = 0;
+int N_INPUT_THREADS = N_MIN_INPUT_THREADS;
+int OUTPUT_QUEUE_SIZE = OUTPUT_MIN_QUEUE_SIZE;
+socket_forwarder default_agent = { .name = "agent" };
+logtarget default_target[2] = { { .log_socket = &default_agent } };
+
+/* Output thread variables */
+static pthread_mutex_t mutex;
+#ifdef WIN32
+static pthread_mutex_t win_el_mutex;
+static pthread_mutexattr_t win_el_mutex_attr;
+#endif
+
+/* can read synchronization */
+static int _can_read = 0;
+static rwlock_t can_read_rwlock;
+
+/* Multiple readers / one write mutex */
+static rwlock_t files_update_rwlock;
+
+static OSHash *excluded_files = NULL;
+static OSHash *excluded_binaries = NULL;
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+
+STATIC w_macos_log_procceses_t * macos_processes = NULL;
+
+#endif
+
+int check_ignore_and_restrict(OSList * ignore_exp_list, OSList * restrict_exp_list, const char *log_line) {
+    OSListNode *node_it;
+    w_expression_t *exp_it;
+
+    if (ignore_exp_list) {
+        OSList_foreach(node_it, ignore_exp_list) {
+            exp_it = node_it->data;
+            /* Check ignore regex, if it matches, do not process the log */
+            if (w_expression_match(exp_it, log_line, NULL, NULL)) {
+                mdebug2(LF_MATCH_REGEX, log_line, "ignore", w_expression_get_regex_pattern(exp_it));
+                return true;
+            }
+        }
+    }
+
+    if (restrict_exp_list) {
+        OSList_foreach(node_it, restrict_exp_list) {
+            exp_it = node_it->data;
+            /* Check restrict regex, only if match every log is processed */
+            if (!w_expression_match(exp_it, log_line, NULL, NULL)) {
+                mdebug2(LF_MATCH_REGEX, log_line, "restrict", w_expression_get_regex_pattern(exp_it));
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
+
+/* Handle file management */
+void LogCollectorStart()
+{
+    int i = 0, j = -1, tg;
+    int f_check = 0;
+    int f_reload = 0;
+    int f_free_excluded = 0;
+    IT_control f_control = 0;
+    IT_control duplicates_removed = 0;
+    logreader *current;
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+    w_sysinfo_helpers_t * sysinfo = NULL;
+    os_calloc(1, sizeof(w_sysinfo_helpers_t), sysinfo);
+    if (!w_sysinfo_init(sysinfo)) {
+        merror(SYSINFO_DYNAMIC_INIT_ERROR);
+    }
+#endif
+
+    /* Create store data */
+    excluded_files = OSHash_Create();
+    if (!excluded_files) {
+        merror_exit(LIST_ERROR);
+    }
+
+    /* Create store for binaries data */
+    excluded_binaries = OSHash_Create();
+    if (!excluded_binaries) {
+        merror_exit(LIST_ERROR);
+    }
+
+    /* Initialize status file struct (files_status) and set w_save_file_status at the process exit */
+    w_initialize_file_status();
+
+    if (atexit(w_save_file_status)) {
+        merror(ATEXIT_ERROR);
+    }
+
+    /* Initialize state component */
+    if (state_interval == 0) {
+        w_logcollector_state_init(LC_STATE_GLOBAL, false);
+    } else if (state_interval > 0) {
+        w_logcollector_state_init(LC_STATE_GLOBAL | LC_STATE_INTERVAL, true);
+    }
+
+
+    /* Create the state thread */
+#ifndef WIN32
+    w_create_thread(w_logcollector_state_main, (void *) &state_interval);
+#else
+    w_create_thread(NULL,
+                    0,
+                    w_logcollector_state_main,
+                    (void *) &state_interval,
+                    0,
+                    NULL);
+#endif
+
+    set_sockets();
+    files_lock_init();
+
+    // Check for expanded files
+    check_pattern_expand(1);
+    check_pattern_expand_excluded();
+
+    w_mutex_init(&mutex, NULL);
+#ifndef WIN32
+    /* To check for inode changes */
+    struct stat tmp_stat;
+
+    /* Check for ASCII, UTF-8 */
+    check_text_only();
+
+    /* Set the files mutexes */
+    w_set_file_mutexes();
+#else
+    BY_HANDLE_FILE_INFORMATION lpFileInformation;
+    memset(&lpFileInformation, 0, sizeof(BY_HANDLE_FILE_INFORMATION));
+    const char *m_uname;
+
+    m_uname = getuname();
+
+    /* Check if we are on Windows Vista */
+    if (!checkVista()) {
+        minfo("Windows version is older than 6.0. (%s).", m_uname);
+    } else {
+        minfo("Windows version is 6.0 or newer. (%s).", m_uname);
+    }
+
+    /* Read vista descriptions */
+    if (isVista) {
+        win_read_vista_sec();
+    }
+
+    /* Check for ASCII, UTF-8 */
+    check_text_only();
+
+    w_mutexattr_init(&win_el_mutex_attr);
+    w_mutexattr_settype(&win_el_mutex_attr, PTHREAD_MUTEX_ERRORCHECK);
+#endif
+
+    mdebug1("Entering LogCollectorStart().");
+
+    /* Initialize each file and structure */
+    for (i = 0;; i++) {
+        if (f_control = update_current(&current, &i, &j), f_control) {
+            if (f_control == NEXT_IT) {
+                continue;
+            } else {
+                break;
+            }
+        }
+
+        /* Remove duplicate entries */
+        /* Returns NEXT_IT if duplicates were removed, LEAVE_IT if an error occurred
+           or CONTINUE_IT to continue with the current iteration */
+        duplicates_removed = remove_duplicates(current, i, j);
+        if (duplicates_removed == NEXT_IT) {
+            i--;
+            continue;
+        }
+
+        if (!current->file) {
+            /* Do nothing, duplicated entry */
+        } else if (!strcmp(current->logformat, "eventlog")) {
+#ifdef WIN32
+
+            minfo(READING_EVTLOG, current->file);
+            os_strdup(current->file, current->channel_str);
+            win_startel(current->file);
+
+            /* Mutexes are not previously initialized under Windows*/
+            w_mutex_init(&current->mutex, &win_el_mutex_attr);
+#else
+            free(current->file);
+#endif
+            current->file = NULL;
+            current->command = NULL;
+            current->fp = NULL;
+        } else if (!strcmp(current->logformat, "eventchannel")) {
+#ifdef WIN32
+
+#ifdef EVENTCHANNEL_SUPPORT
+            minfo(READING_EVTLOG, current->file);
+            os_strdup(current->file, current->channel_str);
+            win_start_event_channel(current->file, current->future, current->query, current->reconnect_time);
+#else
+            mwarn("eventchannel not available on this version of Windows");
+#endif
+
+            /* Mutexes are not previously initialized under Windows*/
+            w_mutex_init(&current->mutex, &win_el_mutex_attr);
+#else
+            free(current->file);
+#endif
+            current->file = NULL;
+            current->command = NULL;
+            current->fp = NULL;
+        } else if (strcmp(current->logformat, "command") == 0) {
+            current->file = NULL;
+            current->fp = NULL;
+            current->size = 0;
+
+#ifdef WIN32
+            /* Mutexes are not previously initialized under Windows*/
+            w_mutex_init(&current->mutex, &win_el_mutex_attr);
+#endif
+            if (current->command) {
+                current->read = read_command;
+
+                minfo("Monitoring output of command(%d): %s", current->ign, current->command);
+                tg = 0;
+                if (current->target) {
+                    while (current->target[tg]) {
+                        mdebug1("Socket target for '%s' -> %s", current->command, current->target[tg]);
+                        tg++;
+                    }
+                }
+
+                if (!current->alias) {
+                    os_strdup(current->command, current->alias);
+                }
+            } else {
+                merror("Missing command argument. Ignoring it.");
+            }
+        } else if (strcmp(current->logformat, "full_command") == 0) {
+            current->file = NULL;
+            current->fp = NULL;
+            current->size = 0;
+
+#ifdef WIN32
+            /* Mutexes are not previously initialized under Windows*/
+            w_mutex_init(&current->mutex, &win_el_mutex_attr);
+#endif
+
+            if (current->command) {
+                current->read = read_fullcommand;
+
+                minfo("Monitoring full output of command(%d): %s", current->ign, current->command);
+                tg = 0;
+                if (current->target){
+                    while (current->target[tg]) {
+                        mdebug1("Socket target for '%s' -> %s", current->command, current->target[tg]);
+                        tg++;
+                    }
+                }
+
+                if (!current->alias) {
+                    os_strdup(current->command, current->alias);
+                }
+            } else {
+                merror("Missing command argument. Ignoring it.");
+            }
+        }
+
+        else if (strcmp(current->logformat, MACOS) == 0) {
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+            /* Get macOS version */
+            w_macos_create_log_env(current, sysinfo);
+            current->read = read_macos;
+            if (current->macos_log->state != LOG_NOT_RUNNING) {
+                if (atexit(w_macos_release_log_execution)) {
+                    merror(ATEXIT_ERROR);
+                }
+                /* macOS log's resources need to be globally reachable to be released */
+                macos_processes = &current->macos_log->processes;
+
+                for (int tg_idx = 0; current->target[tg_idx]; tg_idx++) {
+                    mdebug1("Socket target for '%s' -> %s", MACOS_LOG_NAME, current->target[tg_idx]);
+                    w_logcollector_state_add_target(MACOS_LOG_NAME, current->target[tg_idx]);
+                }
+            }
+#else
+            minfo(LOGCOLLECTOR_ONLY_MACOS);
+#endif
+            os_free(current->file);
+            current->command = NULL;
+            os_free(current->fp);
+        }
+
+        else if (strcmp(current->logformat, JOURNALD_LOG) == 0) {
+#ifdef __linux__
+            current->read = read_journald;
+            w_journald_set_ofe(current->future);
+
+            if (current->target != NULL) {
+                for (int tg_idx = 0; current->target[tg_idx]; tg_idx++) {
+                    mdebug1(LOGCOLLECTOR_SOCKET_TARGET, JOURNALD_LOG, current->target[tg_idx]);
+                    w_logcollector_state_add_target(JOURNALD_LOG, current->target[tg_idx]);
+                }
+            }
+#else
+            minfo(LOGCOLLECTOR_JOURNALD_ONLY_LINUX);
+            w_journal_log_config_free(&(current->journal_log));
+#endif
+            os_free(current->file);
+            current->command = NULL;
+            os_free(current->fp);
+        }
+
+        else if (j < 0) {
+            set_read(current, i, j);
+            if (current->file) {
+                minfo(READING_FILE, current->file);
+            }
+            /* More tweaks for Windows. For some reason IIS places
+             * some weird characters at the end of the files and getc
+             * always returns 0 (even after clearerr).
+             */
+#ifdef WIN32
+            if (current->fp) {
+                if (current->future == 0) {
+                    w_set_to_last_line_read(current);
+                } else {
+                    int64_t offset = w_set_to_pos(current, 0, SEEK_END);
+                    w_update_hash_node(current->file, offset);
+                }
+            }
+
+            /* Mutexes are not previously initialized under Windows*/
+            w_mutex_init(&current->mutex, &win_el_mutex_attr);
+#endif
+        } else {
+            /* On Windows we need to forward the seek for wildcard files */
+#ifdef WIN32
+            if (current->file) {
+                minfo(READING_FILE, current->file);
+            }
+
+            if (current->fp) {
+                if (current->future == 0) {
+                    w_set_to_last_line_read(current);
+                } else {
+                    int64_t offset = w_set_to_pos(current, 0, SEEK_END);
+                    w_update_hash_node(current->file, offset);
+                }
+            }
+#endif
+        }
+    }
+
+    //Save status localfiles to disk
+    w_save_file_status();
+
+    // Initialize message queue's log builder
+    mq_log_builder_init();
+
+    /* Create the output threads */
+    w_create_output_threads();
+
+    /* Create the input threads */
+    w_create_input_threads();
+
+    /* Start up message */
+    minfo(STARTUP_MSG, (int)getpid());
+    mdebug1(CURRENT_FILES, current_files, maximum_files);
+
+#ifndef WIN32
+    // Start com request thread
+    w_create_thread(lccom_main, NULL);
+#endif
+    set_can_read(1);
+    /* Daemon loop */
+    while (1) {
+
+        /* Free hash table content for excluded files */
+        if (f_free_excluded >= free_excluded_files_interval) {
+            set_can_read(0); // Stop reading threads
+            rwlock_lock_write(&files_update_rwlock);
+            set_can_read(1); // Clean signal once we have the lock
+            mdebug1("Refreshing excluded files list.");
+
+            OSHash_Free(excluded_files);
+            excluded_files = OSHash_Create();
+
+            if (!excluded_files) {
+                merror_exit(LIST_ERROR);
+            }
+
+            OSHash_Free(excluded_binaries);
+            excluded_binaries = OSHash_Create();
+
+            if (!excluded_binaries) {
+                merror_exit(LIST_ERROR);
+            }
+
+            f_free_excluded = 0;
+
+            rwlock_unlock(&files_update_rwlock);
+        }
+
+        if (f_check >= vcheck_files) {
+            set_can_read(0); // Stop reading threads
+            rwlock_lock_write(&files_update_rwlock);
+            set_can_read(1); // Clean signal once we have the lock
+            int i;
+            int j = -1;
+            f_reload += f_check;
+
+            mdebug1("Performing file check.");
+
+            // Force reload, if enabled
+
+            if (force_reload && f_reload >= reload_interval) {
+                struct timespec delay = { reload_delay / 1000, (reload_delay % 1000) * 1000000 };
+
+                // Close files
+
+                for (i = 0, j = -1;; i++) {
+                    if (f_control = update_current(&current, &i, &j), f_control) {
+                        if (f_control == NEXT_IT) {
+                            continue;
+                        } else {
+                            break;
+                        }
+                    }
+
+                    if (current->file && current->fp) {
+                        close_file(current);
+                    }
+                }
+
+                // Delay: yield mutex
+
+                rwlock_unlock(&files_update_rwlock);
+
+                if (reload_delay) {
+                    nanosleep(&delay, NULL);
+                }
+
+                set_can_read(0); // Stop reading threads
+                rwlock_lock_write(&files_update_rwlock);
+                set_can_read(1); // Clean signal once we have the lock
+
+                // Open files again, and restore position
+
+                for (i = 0, j = -1;; i++) {
+                    if (f_control = update_current(&current, &i, &j), f_control) {
+                        if (f_control == NEXT_IT) {
+                            continue;
+                        } else {
+                            break;
+                        }
+                    }
+
+                    if (current->file && current->exists) {
+                        if (reload_file(current) == -1) {
+                            minfo(FORGET_FILE, current->file);
+                            os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                            EVP_MD_CTX_free(old_file_status->context);
+                            os_free(old_file_status);
+                            w_logcollector_state_delete_file(current->file);
+                            current->exists = 0;
+                            current->ign++;
+
+                            // Only expanded files that have been deleted will be forgotten
+
+                            if (j >= 0) {
+                                if (Remove_Localfile(&(globs[j].gfiles), i, 1, 0,&globs[j])) {
+                                    merror(REM_ERROR, current->file);
+                                } else {
+                                    mdebug1(CURRENT_FILES, current_files, maximum_files);
+                                    i--;
+                                    continue;
+                                }
+                            } else if (open_file_attempts) {
+                                mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                            } else {
+                                mdebug1(OPEN_UNABLE, current->file);
+                            }
+                        }
+                    }
+                }
+            }
+
+            /* Check if any file has been renamed/removed */
+            for (i = 0, j = -1;; i++) {
+                if (f_control = update_current(&current, &i, &j), f_control) {
+                    if (f_control == NEXT_IT) {
+                        continue;
+                    } else {
+                        break;
+                    }
+                }
+
+                /* These are the windows logs or ignored files */
+                if (!current->file) {
+                    continue;
+                }
+
+                /* Files with date -- check for day change */
+                if (current->ffile) {
+                    if (update_fname(i, j)) {
+                        if (current->fp) {
+                            fclose(current->fp);
+                        }
+                        current->fp = NULL;
+                        current->exists = 1;
+
+                        handle_file(i, j, 0, 1);
+                        continue;
+                    }
+
+                    /* Variable file name */
+                    else if (!current->fp && open_file_attempts - current->ign > 0) {
+                        handle_file(i, j, 1, 1);
+                        continue;
+                    }
+                }
+
+                /* Check for file change -- if the file is open already */
+                if (current->fp) {
+#ifndef WIN32
+
+                    /* To help detect a file rollover, temporarily open the file a second time.
+                     * Previously the fstat would work on "cached" file data, but this should
+                     * ensure it's fresh when hardlinks are used (like alerts.log).
+                     */
+                    FILE *tf;
+                    tf = wfopen(current->file, "r");
+                    if(tf == NULL) {
+                        if (errno == ENOENT) {
+                            if(current->exists==1){
+                                minfo(FORGET_FILE, current->file);
+                                os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                                EVP_MD_CTX_free(old_file_status->context);
+                                os_free(old_file_status);
+                                w_logcollector_state_delete_file(current->file);
+                                current->exists = 0;
+                            }
+                            current->ign++;
+
+                            // Only expanded files that have been deleted will be forgotten
+                            if (j >= 0) {
+                                if (Remove_Localfile(&(globs[j].gfiles), i, 1, 0,&globs[j])) {
+                                    merror(REM_ERROR, current->file);
+                                } else {
+                                    mdebug1(CURRENT_FILES, current_files, maximum_files);
+                                    i--;
+                                    continue;
+                                }
+                            } else if (open_file_attempts) {
+                                mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                            } else {
+                                mdebug1(OPEN_UNABLE, current->file);
+                            }
+                        } else {
+                            merror(FOPEN_ERROR, current->file, errno, strerror(errno));
+                        }
+                    }
+
+                    else if ((fstat(fileno(tf), &tmp_stat)) == -1) {
+                        fclose(current->fp);
+                        fclose(tf);
+                        current->fp = NULL;
+
+                        merror(FSTAT_ERROR, current->file, errno, strerror(errno));
+                    }
+                    else if (fclose(tf) == EOF) {
+                        merror("Closing the temporary file %s did not work (%d): %s", current->file, errno, strerror(errno));
+                    }
+#else
+                    HANDLE h1;
+
+                    h1 = CreateFile(current->file, GENERIC_READ,
+                                    FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
+                                    NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+                    if (h1 == INVALID_HANDLE_VALUE) {
+                        fclose(current->fp);
+                        current->fp = NULL;
+                        minfo(LOGCOLLECTOR_INVALID_HANDLE_VALUE, current->file);
+                    } else if (GetFileInformationByHandle(h1, &lpFileInformation) == 0) {
+                        fclose(current->fp);
+                        CloseHandle(h1);
+                        current->fp = NULL;
+                        minfo(LOGCOLLECTOR_INVALID_HANDLE_VALUE, current->file);
+                    }
+
+                    if (!current->fp) {
+                        if(current->exists==1){
+                            minfo(FORGET_FILE, current->file);
+                            os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                            EVP_MD_CTX_free(old_file_status->context);
+                            os_free(old_file_status);
+                            w_logcollector_state_delete_file(current->file);
+                            current->exists = 0;
+                        }
+                        current->ign++;
+
+                        // Only expanded files that have been deleted will be forgotten
+                        if (j >= 0) {
+                            if (Remove_Localfile(&(globs[j].gfiles), i, 1, 0,&globs[j])) {
+                                merror(REM_ERROR, current->file);
+                            } else {
+                                mdebug2(CURRENT_FILES, current_files, maximum_files);
+                                i--;
+                                continue;
+                            }
+                        } else if (open_file_attempts) {
+                            mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                        } else {
+                            mdebug1(OPEN_UNABLE, current->file);
+                        }
+                    }
+#endif
+
+#ifdef WIN32
+                    else if (current->fd != (lpFileInformation.nFileIndexLow + lpFileInformation.nFileIndexHigh))
+#else
+                    else if (current->fd != tmp_stat.st_ino)
+#endif
+                    {
+                        current->exists = 1;
+
+                        char msg_alert[512 + 1];
+
+                        snprintf(msg_alert, 512, "ossec: File rotated (inode "
+                                 "changed): '%s'.",
+                                 current->file);
+
+                        /* Send message about log rotated */
+                        w_msg_hash_queues_push(msg_alert, "logcollector", strlen(msg_alert) + 1, default_target, LOCALFILE_MQ);
+
+                        mdebug1("File inode changed. %s",
+                               current->file);
+
+                        os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                        EVP_MD_CTX_free(old_file_status->context);
+                        os_free(old_file_status);
+                        w_logcollector_state_delete_file(current->file);
+
+                        fclose(current->fp);
+
+#ifdef WIN32
+                        CloseHandle(h1);
+#endif
+
+                        current->fp = NULL;
+                        handle_file(i, j, 0, 1);
+                        continue;
+                    }
+#ifdef WIN32
+                    else if ((DWORD)current->size > (lpFileInformation.nFileSizeHigh + lpFileInformation.nFileSizeLow))
+#else
+                    else if (current->size > tmp_stat.st_size)
+#endif
+                    {
+                        current->exists = 1;
+                        char msg_alert[512 + 1];
+
+                        snprintf(msg_alert, 512, "ossec: File size reduced "
+                                 "(inode remained): '%s'.",
+                                 current->file);
+
+                        /* Send message about log rotated */
+                        w_msg_hash_queues_push(msg_alert, "logcollector", strlen(msg_alert) + 1, default_target, LOCALFILE_MQ);
+
+                        mdebug1("File size reduced. %s",
+                                current->file);
+
+                        /* Get new file */
+                        os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                        EVP_MD_CTX_free(old_file_status->context);
+                        os_free(old_file_status);
+                        w_logcollector_state_delete_file(current->file);
+
+                        fclose(current->fp);
+
+#ifdef WIN32
+                        CloseHandle(h1);
+#endif
+                        current->fp = NULL;
+                        handle_file(i, j, 0, 1);
+                    } else {
+#ifdef WIN32
+                        CloseHandle(h1);
+
+                        /* Update file size */
+                        current->size = lpFileInformation.nFileSizeHigh + lpFileInformation.nFileSizeLow;
+#else
+                        current->exists = 1;
+                        current->size = tmp_stat.st_size;
+#endif
+                    }
+                } else {
+#ifdef WIN32
+                    if (!current->command && strcmp(current->logformat,EVENTCHANNEL) && strcmp(current->logformat,EVENTLOG)) {
+
+                        int file_exists = 1;
+                        HANDLE h1;
+
+                        h1 = CreateFile(current->file, GENERIC_READ,
+                                        FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
+                                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+                        if (h1 == INVALID_HANDLE_VALUE) {
+                            mdebug1(LOGCOLLECTOR_INVALID_HANDLE_VALUE, current->file);
+                            file_exists = 0;
+                            w_logcollector_state_delete_file(current->file);
+                        } else if (GetFileInformationByHandle(h1, &lpFileInformation) == 0) {
+                            mdebug1(LOGCOLLECTOR_INVALID_HANDLE_VALUE, current->file);
+                            file_exists = 0;
+                            w_logcollector_state_delete_file(current->file);
+                        }
+
+                        CloseHandle(h1);
+
+                        // Only expanded files that have been deleted will be forgotten
+                        if (j >= 0) {
+                            if (!file_exists) {
+                                if (Remove_Localfile(&(globs[j].gfiles), i, 1, 0, &globs[j])) {
+                                    merror(REM_ERROR, current->file);
+                                } else {
+                                    mdebug2(CURRENT_FILES, current_files, maximum_files);
+                                    i--;
+                                    continue;
+                                }
+                            }
+                        } else if (open_file_attempts) {
+                            mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                        } else {
+                            mdebug1(OPEN_UNABLE, current->file);
+                        }
+                    }
+#endif
+                }
+
+                /* If open_file_attempts is at 0 the files aren't forgotted ever*/
+                if(open_file_attempts == 0){
+                    current->ign = -1;
+                }
+                /* Too many errors for the file */
+                if (current->ign >= open_file_attempts) {
+                    /* 999 Maximum ignore */
+                    if (current->ign == 999) {
+                        continue;
+                    }
+
+                    if(!strcmp(current->logformat, "eventchannel")){
+                        mdebug1(LOGC_FILE_ERROR, current->file);
+                    } else {
+                        minfo(LOGC_FILE_ERROR, current->file);
+                    }
+
+                    if (current->fp) {
+                        fclose(current->fp);
+                    }
+
+                    current->fp = NULL;
+                    current->ign = 999;
+
+                    if (j >= 0) {
+#ifndef WIN32
+                        struct stat stat_fd;
+                        if (stat(current->file, &stat_fd) == -1 && ENOENT == errno) {
+#else
+                        if (!PathFileExists(current->file)) {
+#endif
+                            os_file_status_t * old_file_status = OSHash_Delete_ex(files_status, current->file);
+                            EVP_MD_CTX_free(old_file_status->context);
+                            os_free(old_file_status);
+                            w_logcollector_state_delete_file(current->file);
+
+                            if (Remove_Localfile(&(globs[j].gfiles), i, 1, 0,&globs[j])) {
+                                merror(REM_ERROR, current->file);
+                            } else {
+                                mdebug1(CURRENT_FILES, current_files, maximum_files);
+                                i--;
+                            }
+                        } else {
+#ifndef WIN32
+                            merror(FSTAT_ERROR, current->file, errno, strerror(errno));
+#endif
+                        }
+                    }
+                    continue;
+                }
+
+                /* File not open */
+                if (!current->fp) {
+                    if (current->ign >= 999) {
+                        continue;
+                    } else {
+                        /* Try for a few times to open the file */
+                        handle_file(i, j, 1, 1);
+                        continue;
+                    }
+                }
+            }
+
+            // Check for new files to be expanded
+            if (check_pattern_expand(1)) {
+                /* Remove duplicate entries */
+                for (i = 0, j = -1;; i++) {
+                    if (f_control = update_current(&current, &i, &j), f_control) {
+                        if (f_control == NEXT_IT) {
+                            continue;
+                        } else {
+                            break;
+                        }
+                    }
+
+                    duplicates_removed = remove_duplicates(current, i, j);
+                    if (duplicates_removed == NEXT_IT) {
+                        i--;
+                        continue;
+                    }
+                }
+            }
+
+            /* Check for excluded files */
+            check_pattern_expand_excluded();
+
+            /* Check for ASCII, UTF-8 */
+            check_text_only();
+
+
+            rwlock_unlock(&files_update_rwlock);
+
+            if (f_reload >= reload_interval) {
+                f_reload = 0;
+            }
+
+            //Save status localfiles to disk
+            w_save_file_status();
+
+            f_check = 0;
+
+            if (mq_log_builder_update() == -1) {
+                mdebug1("Output log pattern data could not be updated.");
+            }
+        }
+
+        sleep(1);
+
+        f_check++;
+        f_free_excluded++;
+    }
+}
+
+int update_fname(int i, int j)
+{
+    time_t __ctime = time(0);
+    char lfile[OS_FLSIZE + 1];
+    size_t ret;
+    logreader *lf;
+    struct tm tm_result = { .tm_sec = 0 };
+
+    if (j < 0) {
+        lf = &logff[i];
+    } else {
+        lf = &globs[j].gfiles[i];
+    }
+
+    localtime_r(&__ctime, &tm_result);
+
+    /* Handle file */
+    if (tm_result.tm_mday == _cday) {
+        return (0);
+    }
+
+    lfile[OS_FLSIZE] = '\0';
+    ret = strftime(lfile, OS_FLSIZE, lf->ffile, &tm_result);
+    if (ret == 0) {
+        merror_exit(PARSE_ERROR, lf->ffile);
+    }
+
+    /* Update the filename */
+    if (strcmp(lfile, lf->file)) {
+        os_free(lf->file);
+        os_strdup(lfile, lf->file);
+        minfo(VAR_LOG_MON, lf->file);
+
+        /* Setting cday to zero because other files may need
+         * to be changed.
+         */
+        _cday = 0;
+        return (1);
+    }
+
+    _cday = tm_result.tm_mday;
+    return (0);
+}
+
+/* Open, get the fileno, seek to the end and update mtime */
+int handle_file(int i, int j, __attribute__((unused)) int do_fseek, int do_log)
+{
+    logreader *lf;
+
+    if (j < 0) {
+        lf = &logff[i];
+    } else {
+        lf = &globs[j].gfiles[i];
+    }
+
+    /* We must be able to open the file, fseek and get the
+     * time of change from it.
+     */
+    
+    /* TODO: Support text mode on Windows */
+    lf->fp = wfopen(lf->file, "rb");
+    if (!lf->fp) {
+        if (do_log == 1 && lf->exists == 1) {
+            merror(FOPEN_ERROR, lf->file, errno, strerror(errno));
+            lf->exists = 0;
+        }
+        goto error;
+    }
+
+#ifndef WIN32
+    struct stat stat_fd = { .st_mode = 0 };
+    int fd;
+
+    /* Get inode number for fp */
+    fd = fileno(lf->fp);
+    if (fstat(fd, &stat_fd) == -1) {
+        merror(FSTAT_ERROR, lf->file, errno, strerror(errno));
+        fclose(lf->fp);
+        lf->fp = NULL;
+        goto error;
+    }
+
+    lf->fd = stat_fd.st_ino;
+    lf->size =  stat_fd.st_size;
+    lf->dev =  stat_fd.st_dev;
+
+#else
+    BY_HANDLE_FILE_INFORMATION lpFileInformation;
+    memset(&lpFileInformation, 0, sizeof(BY_HANDLE_FILE_INFORMATION));
+
+    /* On windows, we also need the real inode, which is the combination
+     * of the index low + index high numbers.
+     */
+    if (!get_fp_file_information(lf->fp, &lpFileInformation)) {
+        merror("Unable to get file information by handle.");
+        fclose(lf->fp);
+        lf->fp = NULL;
+        goto error;
+    }
+
+    lf->fd = (lpFileInformation.nFileIndexLow + lpFileInformation.nFileIndexHigh);
+    lf->size = (lpFileInformation.nFileSizeHigh + lpFileInformation.nFileSizeLow);
+
+#endif
+
+    if (find_duplicate_inode(lf)) {
+        mdebug1(DUP_FILE_INODE, lf->file);
+        close_file(lf);
+        return 0;
+    }
+
+/* Windows and fseek causes some weird issues */
+#ifndef WIN32
+    if (do_fseek == 1 && S_ISREG(stat_fd.st_mode)) {
+        if (lf->future == 0) {
+            if (w_set_to_last_line_read(lf) < 0) {
+                goto error;
+            }
+        } else {
+            int64_t offset;
+            if (offset = w_set_to_pos(lf, 0, SEEK_END), offset < 0) {
+                goto error;
+            }
+            w_update_hash_node(lf->file, offset);
+        }
+    }
+#endif
+
+    /* Set ignore to zero */
+    lf->ign = 0;
+    lf->exists = 1;
+    return (0);
+
+error:
+    lf->ign++;
+
+    if (open_file_attempts && j < 0) {
+        mdebug1(OPEN_ATTEMPT, lf->file, open_file_attempts - lf->ign);
+    } else {
+        mdebug1(OPEN_UNABLE, lf->file);
+    }
+
+    return -1;
+}
+
+/* Reload file: open after close, and restore position */
+int reload_file(logreader * lf) {
+    
+    /* TODO: Support text mode on Windows */
+    lf->fp = wfopen(lf->file, "rb");
+
+    if (!lf->fp) {
+        return -1;
+    }
+
+    fsetpos(lf->fp, &lf->position);
+    return 0;
+}
+
+/* Close file and save position */
+void close_file(logreader * lf) {
+    if (!(lf && lf->fp)) {
+        // This should not occur.
+        return;
+    }
+
+    fgetpos(lf->fp, &lf->position);
+    fclose(lf->fp);
+    lf->fp = NULL;
+
+#ifdef WIN32
+    lf->h = NULL;
+#endif
+}
+
+#ifdef WIN32
+
+/* Remove newlines and replace tabs in the argument fields with spaces */
+void win_format_event_string(char *string)
+{
+    if (string == NULL) {
+        return;
+    }
+
+    while (*string != '\0') {
+        if (*string == '\n' || *string == '\r' || *string == ':') {
+            if (*string == '\n' || *string == '\r') {
+                *string = ' ';
+            }
+
+            string++;
+
+            while (*string == '\t') {
+                *string = ' ';
+                string++;
+            }
+
+            continue;
+        }
+
+        string++;
+    }
+}
+
+#endif /* WIN32 */
+
+int update_current(logreader **current, int *i, int *j)
+{
+    if (*j < 0) {
+        /* Check for normal files */
+        *current = &logff[*i];
+        if(!(*current)->logformat) {
+            if (globs && globs->gfiles) {
+                *i = -1;
+                *j = 0;
+                return NEXT_IT;
+            } else {
+                return LEAVE_IT;
+            }
+        }
+    } else {
+
+        /* Check boundaries */
+        if ( *i > globs[*j].num_files) {
+            *i=-1;
+            (*j)++;
+             if(!globs[*j].gpath) {
+                return LEAVE_IT;
+            } else {
+                return NEXT_IT;
+            }
+        }
+
+        /* Check expanded files */
+        *current = &globs[*j].gfiles[*i];
+        if (!(*current)->file) {
+            *i=-1;
+            (*j)++;
+            if(!globs[*j].gpath) {
+                return LEAVE_IT;
+            } else {
+                return NEXT_IT;
+            }
+        }
+    }
+    return CONTINUE_IT;
+}
+
+void set_read(logreader *current, int i, int j) {
+    int tg;
+    current->command = NULL;
+    current->ign = 0;
+    w_logcollector_state_add_file(current->file);
+    /* Initialize the files */
+    if (current->ffile) {
+
+        /* Day must be zero for all files to be initialized */
+        _cday = 0;
+        if (update_fname(i, j)) {
+            handle_file(i, j, 1, 1);
+        } else {
+            merror_exit(PARSE_ERROR, current->ffile);
+        }
+
+    } else {
+        handle_file(i, j, 1, 1);
+    }
+
+    tg = 0;
+    if (current->target) {
+        while (current->target[tg]) {
+            mdebug1("Socket target for '%s' -> %s", current->file, current->target[tg]);
+            w_logcollector_state_add_target(current->file, current->target[tg]);
+            tg++;
+        }
+    }
+
+    /* Get the log type */
+    if (strcmp("snort-full", current->logformat) == 0) {
+        current->read = read_snortfull;
+    }
+#ifndef WIN32
+    if (strcmp("ossecalert", current->logformat) == 0) {
+        current->read = read_ossecalert;
+    }
+#endif
+    else if (strcmp("nmapg", current->logformat) == 0) {
+        current->read = read_nmapg;
+    } else if (strcmp("json", current->logformat) == 0) {
+        current->read = read_json;
+    } else if (strcmp("mysql_log", current->logformat) == 0) {
+        current->read = read_mysql_log;
+    } else if (strcmp("mssql_log", current->logformat) == 0) {
+        current->read = read_mssql_log;
+    } else if (strcmp("postgresql_log", current->logformat) == 0) {
+        current->read = read_postgresql_log;
+    } else if (strcmp("djb-multilog", current->logformat) == 0) {
+        if (!init_djbmultilog(current)) {
+            merror(INV_MULTILOG, current->file);
+            if (current->fp) {
+                fclose(current->fp);
+                current->fp = NULL;
+            }
+            current->file = NULL;
+        }
+        current->read = read_djbmultilog;
+    } else if (strncmp(current->logformat, "multi-line:", 11) == 0) {
+        current->read = read_multiline;
+    } else if (strcmp("audit", current->logformat) == 0) {
+        current->read = read_audit;
+    } else if (strcmp(MULTI_LINE_REGEX, current->logformat) == 0) {
+        current->read = read_multiline_regex;
+    } else {
+#ifdef WIN32
+        if (current->filter_binary) {
+            /* If the file is empty, set it to UCS-2 LE */
+            if (FileSizeWin(current->file) == 0) {
+                current->ucs2 = UCS2_LE;
+                current->read = read_ucs2_le;
+                mdebug2("File '%s' is empty. Setting encoding to UCS-2 LE.",current->file);
+                return;
+            }
+        }
+
+        if(current->ucs2 == UCS2_LE){
+            mdebug1("File '%s' is UCS-2 LE",current->file);
+            current->read = read_ucs2_le;
+            return;
+        }
+
+        if(current->ucs2 == UCS2_BE){
+            mdebug1("File '%s' is UCS-2 BE",current->file);
+            current->read = read_ucs2_be;
+            return;
+        }
+#endif
+        current->read = read_syslog;
+    }
+}
+
+#ifndef WIN32
+int check_pattern_expand(int do_seek) {
+    glob_t g;
+    int err;
+    int glob_offset;
+    int found;
+    int i, j;
+    int retval = 0;
+
+    pthread_mutexattr_t attr;
+    w_mutexattr_init(&attr);
+    w_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
+
+    if (globs) {
+        for (j = 0; globs[j].gpath; j++) {
+            if (current_files >= maximum_files) {
+                break;
+            }
+            glob_offset = 0;
+            if (err = glob(globs[j].gpath, 0, NULL, &g), err) {
+                if (err == GLOB_NOMATCH) {
+                    mdebug1(GLOB_NFOUND, globs[j].gpath);
+                } else {
+                    mdebug1(GLOB_ERROR, globs[j].gpath);
+                }
+                continue;
+            }
+            while (g.gl_pathv[glob_offset] != NULL) {
+                if (current_files >= maximum_files) {
+                    mwarn(FILE_LIMIT, maximum_files);
+                    break;
+                }
+
+                struct stat statbuf;
+                if (lstat(g.gl_pathv[glob_offset], &statbuf) < 0) {
+                    merror("Error on lstat '%s' due to [(%d)-(%s)]", g.gl_pathv[glob_offset], errno, strerror(errno));
+                    glob_offset++;
+                    continue;
+                }
+
+                if ((statbuf.st_mode & S_IFMT) != S_IFREG) {
+                    mdebug1("File %s is not a regular file. Skipping it.", g.gl_pathv[glob_offset]);
+                    glob_offset++;
+                    continue;
+                }
+
+                found = 0;
+                for (i = 0; globs[j].gfiles[i].file; i++) {
+                    if (!strcmp(globs[j].gfiles[i].file, g.gl_pathv[glob_offset])) {
+                        found = 1;
+                        break;
+                    }
+                }
+                if (!found) {
+                    retval = 1;
+                    char *ex_file = OSHash_Get(excluded_files,g.gl_pathv[glob_offset]);
+                    int added = 0;
+
+                    if(!ex_file) {
+                        mdebug1(NEW_GLOB_FILE, globs[j].gpath, g.gl_pathv[glob_offset]);
+
+                        os_realloc(globs[j].gfiles, (i +2)*sizeof(logreader), globs[j].gfiles);
+
+                        /* Copy the current item to the end mark as it should be a pattern */
+                        memcpy(globs[j].gfiles + i + 1, globs[j].gfiles + i, sizeof(logreader));
+                        // Clone the multiline configuration if it exists
+                        globs[j].gfiles[i + 1].multiline = w_multiline_log_config_clone(globs[j].gfiles[i].multiline);
+
+                        os_strdup(g.gl_pathv[glob_offset], globs[j].gfiles[i].file);
+                        w_mutex_init(&globs[j].gfiles[i].mutex, &attr);
+                        globs[j].gfiles[i].fp = NULL;
+                        globs[j].gfiles[i].exists = 1;
+                        globs[j].gfiles[i + 1].file = NULL;
+                        globs[j].gfiles[i + 1].target = NULL;
+                        current_files++;
+                        globs[j].num_files++;
+                        mdebug2(CURRENT_FILES, current_files, maximum_files);
+                        if  (!globs[j].gfiles[i].read) {
+                            set_read(&globs[j].gfiles[i], i, j);
+                        } else {
+                            handle_file(i, j, do_seek, 1);
+                        }
+
+                        added = 1;
+                    }
+
+                    char *file_excluded_binary = OSHash_Get(excluded_binaries,g.gl_pathv[glob_offset]);
+
+                    /* This file could have to non binary file */
+                    if (file_excluded_binary && !added) {
+                        os_realloc(globs[j].gfiles, (i +2)*sizeof(logreader), globs[j].gfiles);
+
+                        /* Copy the current item to the end mark as it should be a pattern */
+                        memcpy(globs[j].gfiles + i + 1, globs[j].gfiles + i, sizeof(logreader));
+                        // Clone the multiline configuration if it exists
+                        globs[j].gfiles[i + 1].multiline = w_multiline_log_config_clone(globs[j].gfiles[i].multiline);
+
+                        os_strdup(g.gl_pathv[glob_offset], globs[j].gfiles[i].file);
+                        w_mutex_init(&globs[j].gfiles[i].mutex, &attr);
+                        globs[j].gfiles[i].fp = NULL;
+                        globs[j].gfiles[i].exists = 1;
+                        globs[j].gfiles[i + 1].file = NULL;
+                        globs[j].gfiles[i + 1].target = NULL;
+                        current_files++;
+                        globs[j].num_files++;
+                        mdebug2(CURRENT_FILES, current_files, maximum_files);
+                        if  (!globs[j].gfiles[i].read) {
+                            set_read(&globs[j].gfiles[i], i, j);
+                        } else {
+                            handle_file(i, j, do_seek, 1);
+                        }
+                    }
+                }
+                glob_offset++;
+            }
+            globfree(&g);
+        }
+    }
+
+    w_mutexattr_destroy(&attr);
+
+    return retval;
+}
+
+static void check_pattern_expand_excluded() {
+    glob_t g;
+    int err;
+    int glob_offset;
+    int found;
+    int j;
+
+    if (globs) {
+        for (j = 0; globs[j].gpath; j++) {
+
+            if (!globs[j].exclude_path) {
+                continue;
+            }
+
+            /* Check for files to exclude */
+            glob_offset = 0;
+            if (err = glob(globs[j].exclude_path, 0, NULL, &g), err) {
+                if (err == GLOB_NOMATCH) {
+                    mdebug1(GLOB_NFOUND, globs[j].exclude_path);
+                } else {
+                    mdebug1(GLOB_ERROR, globs[j].exclude_path);
+                }
+                continue;
+            }
+            while (g.gl_pathv[glob_offset] != NULL) {
+                found = 0;
+                int k;
+                for (k = 0; globs[j].gfiles[k].file; k++) {
+                    if (!strcmp(globs[j].gfiles[k].file, g.gl_pathv[glob_offset])) {
+                        found = 1;
+                        break;
+                    }
+                }
+
+                /* Excluded file found, remove it completely */
+                if(found) {
+                    int result;
+
+                    result = Remove_Localfile(&(globs[j].gfiles), k, 1, 0,&globs[j]);
+
+                    if (result) {
+                        merror_exit(REM_ERROR,g.gl_pathv[glob_offset]);
+                    } else {
+
+                        /* Add the excluded file to the hash table */
+                        char *file = OSHash_Get(excluded_files,g.gl_pathv[glob_offset]);
+
+                        if(!file) {
+                            OSHash_Add(excluded_files,g.gl_pathv[glob_offset],(void *)1);
+                            minfo(EXCLUDE_FILE,g.gl_pathv[glob_offset]);
+                        }
+
+                        mdebug2(CURRENT_FILES, current_files, maximum_files);
+                    }
+                }
+                glob_offset++;
+            }
+            globfree(&g);
+        }
+    }
+}
+
+#else
+int check_pattern_expand(int do_seek) {
+    int found;
+    int i, j;
+    int retval = 0;
+
+    if (globs) {
+        for (j = 0; globs[j].gpath; j++) {
+
+            if (current_files >= maximum_files) {
+                mwarn(FILE_LIMIT, maximum_files);
+                break;
+            }
+
+            char** result = expand_win32_wildcards(globs[j].gpath);
+
+            if (result) {
+
+                int file;
+                char *full_path = NULL;
+
+                for (file = 0; result[file] != NULL; file++) {
+
+                    if (current_files >= maximum_files) {
+                        mwarn(FILE_LIMIT, maximum_files);
+                        for (int f = file; result[f] != NULL; f++) {
+                            os_free(result[f]);
+                        }
+                        break;
+                    }
+
+                    os_strdup(result[file], full_path);
+                    os_free(result[file]);
+
+                    found = 0;
+                    for (i = 0; globs[j].gfiles[i].file; i++) {
+                        if (!strcmp(globs[j].gfiles[i].file, full_path)) {
+                            found = 1;
+                            break;
+                        }
+                    }
+
+                    if (!found) {
+                        retval = 1;
+                        int added = 0;
+
+                        char *ex_file = OSHash_Get(excluded_files, full_path);
+
+                        if (!ex_file) {
+
+                            /*  Because Windows cache's files, we need to check if the file
+                                exists. Deleted files can still appear due to caching */
+                            HANDLE h1;
+
+                            h1 = CreateFile(full_path, GENERIC_READ,
+                                            FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
+                                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+
+                            if (h1 == INVALID_HANDLE_VALUE) {
+                                os_free(full_path);
+                                continue;
+                            }
+
+                            CloseHandle(h1);
+
+                            minfo(NEW_GLOB_FILE, globs[j].gpath, full_path);
+                            os_realloc(globs[j].gfiles, (i + 2) * sizeof(logreader), globs[j].gfiles);
+                            /* Copy the current item to the end mark as it should be a pattern */
+                            memcpy(globs[j].gfiles + i + 1, globs[j].gfiles + i, sizeof(logreader));
+                            // Clone the multiline configuration if it exists
+                            globs[j].gfiles[i + 1].multiline = w_multiline_log_config_clone(globs[j].gfiles[i].multiline);
+
+                            os_strdup(full_path, globs[j].gfiles[i].file);
+                            w_mutex_init(&globs[j].gfiles[i].mutex, &win_el_mutex_attr);
+                            globs[j].gfiles[i].fp = NULL;
+                            globs[j].gfiles[i].exists = 1;
+                            globs[j].gfiles[i + 1].file = NULL;
+                            globs[j].gfiles[i + 1].target = NULL;
+                            current_files++;
+                            globs[j].num_files++;
+                            mdebug2(CURRENT_FILES, current_files, maximum_files);
+
+                            if (!globs[j].gfiles[i].read) {
+                                set_read(&globs[j].gfiles[i], i, j);
+                            } else {
+                                handle_file(i, j, do_seek, 1);
+                            }
+
+                            added = 1;
+                        }
+
+                        char *file_excluded_binary = OSHash_Get(excluded_binaries, full_path);
+
+                        /* This file could have to non binary file */
+                        if (file_excluded_binary && !added) {
+                            os_realloc(globs[j].gfiles, (i + 2) * sizeof(logreader), globs[j].gfiles);
+
+                            /* Copy the current item to the end mark as it should be a pattern */
+                            memcpy(globs[j].gfiles + i + 1, globs[j].gfiles + i, sizeof(logreader));
+                            // Clone the multiline configuration if it exists
+                            globs[j].gfiles[i + 1].multiline = w_multiline_log_config_clone(globs[j].gfiles[i].multiline);
+
+                            os_strdup(full_path, globs[j].gfiles[i].file);
+                            w_mutex_init(&globs[j].gfiles[i].mutex, &win_el_mutex_attr);
+                            globs[j].gfiles[i].fp = NULL;
+                            globs[j].gfiles[i].exists = 1;
+                            globs[j].gfiles[i + 1].file = NULL;
+                            globs[j].gfiles[i + 1].target = NULL;
+                            current_files++;
+                            globs[j].num_files++;
+                            mdebug2(CURRENT_FILES, current_files, maximum_files);
+
+                            if (!globs[j].gfiles[i].read) {
+                                set_read(&globs[j].gfiles[i], i, j);
+                            } else {
+                                handle_file(i, j, do_seek, 1);
+                            }
+                        }
+                    }
+                    os_free(full_path);
+                }
+                os_free(result);
+            }
+        }
+    }
+    return retval;
+}
+#endif
+
+static IT_control remove_duplicates(logreader *current, int i, int j) {
+    IT_control d_control = CONTINUE_IT;
+    IT_control f_control;
+    int r, k;
+    logreader *dup;
+
+    if (current->file && !current->command) {
+        for (r = 0, k = -1;; r++) {
+            if (f_control = update_current(&dup, &r, &k), f_control) {
+                if (f_control == NEXT_IT) {
+                    continue;
+                } else {
+                    break;
+                }
+            }
+
+            if (current != dup && dup->file && !strcmp(current->file, dup->file)) {
+                mwarn(DUP_FILE, current->file);
+                int result;
+
+                if (j < 0) {
+                    result = Remove_Localfile(&logff, i, 0, 1,NULL);
+                } else {
+                    result = Remove_Localfile(&(globs[j].gfiles), i, 1, 0,&globs[j]);
+                }
+                if (result) {
+                    merror_exit(REM_ERROR, current->file);
+                } else {
+                    mdebug1(CURRENT_FILES, current_files, maximum_files);
+                }
+                d_control = NEXT_IT;
+                break;
+            }
+        }
+    }
+
+    return d_control;
+}
+
+int find_duplicate_inode(logreader * lf) {
+    if (lf->file == NULL && lf->command != NULL) {
+        return 0;
+    }
+
+    int r;
+    int k;
+    logreader * dup;
+    IT_control f_control;
+
+    for (r = 0, k = -1;; r++) {
+        if (f_control = update_current(&dup, &r, &k), f_control) {
+            if (f_control == NEXT_IT) {
+                continue;
+            } else {
+                break;
+            }
+        }
+
+        /* If the entry is different, the file is open,
+         * and both inode and device match,
+         * then the link is a duplicate.
+         */
+
+        if (lf != dup && dup->fp != NULL && lf->fd == dup->fd && lf->dev == dup->dev) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+static void set_sockets() {
+    int i, j, k, t;
+    logreader *current;
+    char *file;
+
+    // List read sockets
+    unsigned int sk;
+    for (sk=0; logsk && logsk[sk].name; sk++) {
+        mdebug1("Socket '%s' (%s) added. Location: %s", logsk[sk].name, logsk[sk].mode == IPPROTO_UDP ? "udp" : "tcp", logsk[sk].location);
+    }
+
+    for (i = 0, t = -1;; i++) {
+        if (t == -1 && logff && logff[i].file) {
+            current = &logff[i];
+            file = logff[i].file;
+        } else if (globs && globs[++t].gpath){
+            current = globs[t].gfiles;
+            file = globs[t].gpath;
+        } else {
+            break;
+        }
+
+        os_malloc(sizeof(logtarget), current->log_target);
+
+        for (j = 0; current->target[j]; j++) {
+            os_realloc(current->log_target, (j + 2) * sizeof(logtarget), current->log_target);
+            memset(current->log_target + j, 0, 2 * sizeof(logtarget));
+
+            if (strcmp(current->target[j], "agent") == 0) {
+                current->log_target[j].log_socket = &default_agent;
+                w_msg_hash_queues_add_entry("agent");
+                continue;
+            }
+            int found = -1;
+            for (k = 0; logsk && logsk[k].name; k++) {
+                found = strcmp(logsk[k].name, current->target[j]);
+                if (found == 0) {
+                    break;
+                }
+            }
+            if (found != 0) {
+                merror_exit("Socket '%s' for '%s' is not defined.", current->target[j], file);
+            } else {
+                current->log_target[j].log_socket = &logsk[k];
+                w_msg_hash_queues_add_entry(logsk[k].name);
+            }
+        }
+
+        memset(current->log_target + j, 0, sizeof(logtarget));
+
+        // Add output formats
+
+        if (current->out_format) {
+            for (j = 0; current->out_format[j]; ++j) {
+                if (current->out_format[j]->target) {
+                    // Fill the corresponding target
+
+                    for (k = 0; current->target[k]; ++k) {
+                        if (strcmp(current->target[k], current->out_format[j]->target) == 0) {
+                            current->log_target[k].format = current->out_format[j]->format;
+                            break;
+                        }
+                    }
+
+                    if (!current->target[k]) {
+                        mwarn("Log target '%s' not found for the output format of localfile '%s'.", current->out_format[j]->target, current->file);
+                    }
+                } else {
+                    // Fill the targets that don't yet have a format
+
+                    for (k = 0; current->target[k]; k++) {
+                        if (!current->log_target[k].format) {
+                            current->log_target[k].format = current->out_format[j]->format;
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+void w_set_file_mutexes(){
+    logreader *current;
+    IT_control f_control;
+    int r,k;
+
+    pthread_mutexattr_t attr;
+    w_mutexattr_init(&attr);
+    w_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
+
+    for (r = 0, k = -1;; r++) {
+        if (f_control = update_current(&current, &r, &k), f_control) {
+            if (f_control == NEXT_IT) {
+                continue;
+            } else {
+                break;
+            }
+        }
+
+        if (k < 0) {
+            w_mutex_init(&current->mutex, &attr);
+        }
+    }
+
+    w_mutexattr_destroy(&attr);
+}
+
+void free_msg_queue(w_msg_queue_t *msg) {
+    if (msg->msg_queue) queue_free(msg->msg_queue);
+    free(msg);
+}
+
+void w_msg_hash_queues_init(){
+
+    OUTPUT_QUEUE_SIZE = getDefine_Int("logcollector", "queue_size", OUTPUT_MIN_QUEUE_SIZE, 220000);
+    msg_queues_table = OSHash_Create();
+
+    if(!msg_queues_table){
+        merror_exit("Failed to create hash table for queue threads");
+    }
+
+    OSHash_SetFreeDataPointer(msg_queues_table, (void (*)(void *))free_msg_queue);
+}
+
+int w_msg_hash_queues_add_entry(const char *key){
+    int result;
+    w_msg_queue_t *msg;
+
+    os_calloc(1,sizeof(w_msg_queue_t), msg);
+    msg->msg_queue = queue_init(OUTPUT_QUEUE_SIZE);
+    w_mutex_init(&msg->mutex, NULL);
+    w_cond_init(&msg->available, NULL);
+
+    if (result = OSHash_Add(msg_queues_table, key, msg), result != 2) {
+        queue_free(msg->msg_queue);
+        w_mutex_destroy(&msg->mutex);
+        w_cond_destroy(&msg->available);
+        free(msg);
+    }
+
+    return result;
+}
+
+int w_msg_hash_queues_push(const char *str, char *file, unsigned long size, logtarget * targets, char queue_mq) {
+    w_msg_queue_t *msg;
+    int i;
+    char *file_cpy;
+    int result;
+
+    w_logcollector_state_update_file(file, size);
+
+    for (i = 0; targets[i].log_socket; i++)
+    {
+        w_mutex_lock(&mutex);
+
+        msg = (w_msg_queue_t *)OSHash_Get(msg_queues_table, targets[i].log_socket->name);
+
+        w_mutex_unlock(&mutex);
+
+        if (msg) {
+            os_strdup(file, file_cpy);
+            result = w_msg_queue_push(msg, str, file_cpy, size, &targets[i], queue_mq);
+
+            if (result < 0) {
+                w_logcollector_state_update_target(file,targets[i].log_socket->name, true);
+            }
+        }
+    }
+
+    return 0;
+}
+
+int w_msg_queue_push(w_msg_queue_t * msg, const char * buffer, char *file, unsigned long size, logtarget * log_target, char queue_mq) {
+    w_message_t *message;
+    static int reported = 0;
+    int result;
+
+    w_mutex_lock(&msg->mutex);
+
+    os_calloc(1,sizeof(w_message_t),message);
+    os_calloc(size,sizeof(char),message->buffer);
+    memcpy(message->buffer,buffer,size);
+    message->size = size;
+    message->file = file;
+    message->log_target = log_target;
+    message->queue_mq = queue_mq;
+
+
+    if (result = queue_push(msg->msg_queue, message), result == 0) {
+        w_cond_signal(&msg->available);
+    }
+
+    if ((result < 0) && !reported) {
+        #ifndef WIN32
+            mwarn("Target '%s' message queue is full (%zu). Log lines may be lost.", log_target->log_socket->name, msg->msg_queue->size);
+        #else
+            mwarn("Target '%s' message queue is full (%u). Log lines may be lost.", log_target->log_socket->name, msg->msg_queue->size);
+        #endif
+            reported = 1;
+    }
+
+    w_mutex_unlock(&msg->mutex);
+
+    if (result < 0) {
+        free(message->file);
+        free(message->buffer);
+        free(message);
+        mdebug2("Discarding log line for target '%s'", log_target->log_socket->name);
+    }
+
+    return result;
+}
+
+w_message_t * w_msg_queue_pop(w_msg_queue_t * msg){
+    w_message_t *message;
+    w_mutex_lock(&msg->mutex);
+
+    while (message = (w_message_t *)queue_pop(msg->msg_queue), !message) {
+        w_cond_wait(&msg->available, &msg->mutex);
+    }
+
+    w_mutex_unlock(&msg->mutex);
+    return message;
+}
+
+#ifdef WIN32
+DWORD WINAPI w_output_thread(void * args) {
+#else
+void * w_output_thread(void * args){
+#endif
+    char *queue_name = args;
+    w_message_t *message;
+    w_msg_queue_t *msg_queue;
+    int result;
+
+    if (msg_queue = OSHash_Get(msg_queues_table, queue_name), !msg_queue) {
+        mwarn("Could not found the '%s'.", queue_name);
+    #ifdef WIN32
+        exit(1);
+    #else
+        return NULL;
+    #endif
+    }
+
+    while(1)
+    {
+        int sleep_time = 5;
+        /* Pop message from the queue */
+        message = w_msg_queue_pop(msg_queue);
+
+        if (strcmp(message->log_target->log_socket->name, "agent") == 0) {
+            // When dealing with this type of messages we don't want any of them to be lost
+            // Continuously attempt to reconnect to the queue and send the message.
+            result = SendMSGtoSCK(logr_queue, message->buffer, message->file,
+                                  message->queue_mq, message->log_target);
+            if (result != 0) {
+                if (result != 1) {
+#ifdef CLIENT
+                    merror("Unable to send message to '%s' (wazuh-agentd might be down). Attempting to reconnect.", DEFAULTQUEUE);
+#else
+                    merror("Unable to send message to '%s' (wazuh-analysisd might be down). Attempting to reconnect.", DEFAULTQUEUE);
+#endif
+                }
+                // Retry to connect infinitely.
+                logr_queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+                minfo("Successfully reconnected to '%s'", DEFAULTQUEUE);
+
+                if (result = SendMSGtoSCK(logr_queue, message->buffer, message->file, message->queue_mq, message->log_target),
+                    result != 0) {
+                    // We reconnected but are still unable to send the message, notify it and go on.
+                    if (result != 1) {
+                        merror("Unable to send message to '%s' after a successfull reconnection...", DEFAULTQUEUE);
+                    }
+                    result = 1;
+                }
+            }
+
+            w_logcollector_state_update_target(message->file,
+                                               message->log_target->log_socket->name,
+                                               result == 1);
+
+        } else {
+            const int MAX_RETRIES = 3;
+            int retries = 0;
+            result = 1;
+            while (retries < MAX_RETRIES) {
+                result = SendMSGtoSCK(logr_queue, message->buffer, message->file,
+                                      message->queue_mq, message->log_target);
+                if (result < 0) {
+                    merror(QUEUE_SEND);
+
+                    sleep(sleep_time);
+
+                    // If we failed, we will wait longer before reattempting to connect
+                    sleep_time += 5;
+                    retries++;
+                } else {
+                    break;
+                }
+            }
+
+            w_logcollector_state_update_target(message->file,
+                                               message->log_target->log_socket->name,
+                                               result == 1);
+
+            if (retries == MAX_RETRIES) {
+                merror(SEND_ERROR, message->log_target->log_socket->location, message->buffer);
+            }
+        }
+        free(message->file);
+        free(message->buffer);
+        free(message);
+    }
+
+#ifndef WIN32
+    return NULL;
+#endif
+}
+
+void w_create_output_threads(){
+    unsigned int i;
+    const OSHashNode *curr_node;
+
+    for(i = 0; i <= msg_queues_table->rows; i++){
+        if(msg_queues_table->table[i]){
+            curr_node = msg_queues_table->table[i];
+
+            /* Create one thread per valid hash entry */
+            if(curr_node->key){
+#ifndef WIN32
+                w_create_thread(w_output_thread, curr_node->key);
+#else
+                w_create_thread(NULL,
+                    0,
+                    w_output_thread,
+                    curr_node->key,
+                    0,
+                    NULL);
+#endif
+            }
+        }
+    }
+}
+
+#ifdef WIN32
+DWORD WINAPI w_input_thread(__attribute__((unused)) void * t_id) {
+#else
+void * w_input_thread(__attribute__((unused)) void * t_id){
+#endif
+    logreader *current;
+    int i = 0, r = 0, j = -1;
+    IT_control f_control = 0;
+    time_t curr_time = 0;
+#ifdef __linux__
+    unsigned long thread_id = (unsigned long) pthread_self();
+#endif
+#ifndef WIN32
+    int int_error = 0;
+    struct timeval fp_timeout;
+    struct stat tmp_stat;
+#else
+    BY_HANDLE_FILE_INFORMATION lpFileInformation;
+    memset(&lpFileInformation, 0, sizeof(BY_HANDLE_FILE_INFORMATION));
+#endif
+
+    /* Daemon loop */
+    while (1) {
+#ifndef WIN32
+        fp_timeout.tv_sec = loop_timeout;
+        fp_timeout.tv_usec = 0;
+
+        /* Wait for the select timeout */
+        if ((r = select(0, NULL, NULL, NULL, &fp_timeout)) < 0) {
+            merror(SELECT_ERROR, errno, strerror(errno));
+            int_error++;
+
+            if (int_error >= 5) {
+                merror_exit(SYSTEM_ERROR);
+            }
+            continue;
+        }
+#else
+
+        /* Windows doesn't like select that way */
+        sleep(loop_timeout + 2);
+
+        /* Check for messages in the event viewer */
+
+        if (pthread_mutex_trylock(&win_el_mutex) == 0) {
+            win_readel();
+            w_mutex_unlock(&win_el_mutex);
+        }
+#endif
+
+        /* Check which file is available */
+        for (i = 0, j = -1;; i++) {
+
+            rwlock_lock_read(&files_update_rwlock);
+            if (f_control = update_current(&current, &i, &j), f_control) {
+                rwlock_unlock(&files_update_rwlock);
+
+                if (f_control == NEXT_IT) {
+                    continue;
+                } else {
+                    break;
+                }
+            }
+
+            if (pthread_mutex_trylock(&current->mutex) == 0){
+
+                if (!current->fp) {
+                    /* Run the command */
+                    if (current->command) {
+                        curr_time = time(0);
+                        if ((curr_time - current->size) >= current->ign) {
+                            current->size = curr_time;
+                            current->read(current, &r, 0);
+                        }
+                    }
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+                    /* Read the macOS `log` process output */
+                    else if (current->macos_log != NULL && current->macos_log->state != LOG_NOT_RUNNING) {
+                        current->read(current, &r, 0);
+                    }
+#endif
+#ifdef __linux__
+                    /* Read the journald logs */
+                    else if (current->journal_log != NULL) {
+                        if (w_journald_can_read(thread_id)) {
+                            current->read(current, &r, 0);
+                        } else {
+                            mdebug2(LOGCOLLECTOR_JOURNAL_LOG_NOT_OWNER);
+                        }
+                    }
+#endif
+                    w_mutex_unlock(&current->mutex);
+                    rwlock_unlock(&files_update_rwlock);
+                    continue;
+                }
+
+                /* Windows with IIS logs is very strange.
+                * For some reason it always returns 0 (not EOF)
+                * the fgetc. To solve this problem, we always
+                * pass it to the function pointer directly.
+                */
+    #ifndef WIN32
+
+                if(current->age) {
+                    if ((fstat(fileno(current->fp), &tmp_stat)) == -1) {
+                        merror(FSTAT_ERROR, current->file, errno, strerror(errno));
+
+                    } else {
+                        struct timespec c_currenttime;
+                        gettime(&c_currenttime);
+
+                        /* Ignore file */
+                        if((c_currenttime.tv_sec - (int)current->age) >= tmp_stat.st_mtime) {
+                            mdebug1("Ignoring file '%s' due to modification time",current->file);
+                            fclose(current->fp);
+                            current->fp = NULL;
+                            w_mutex_unlock(&current->mutex);
+                            rwlock_unlock(&files_update_rwlock);
+                            continue;
+                        }
+                    }
+                }
+
+                /* We check for the end of file. If is returns EOF,
+                * we don't attempt to read it.
+                * Excluding multiline_regex log format which has its own handler.
+                */
+               if (current->multiline == NULL) {
+                   if ((r = fgetc(current->fp)) == EOF) {
+                       clearerr(current->fp);
+                       w_mutex_unlock(&current->mutex);
+                       rwlock_unlock(&files_update_rwlock);
+                       continue;
+                   }
+
+                   /* If it is not EOF, we need to return the read character */
+                   ungetc(r, current->fp);
+                }
+    #endif
+
+#ifdef WIN32
+            if(current->age) {
+                if (current->h && (GetFileInformationByHandle(current->h, &lpFileInformation) == 0)) {
+                    merror("Unable to get file information by handle.");
+                    w_mutex_unlock(&current->mutex);
+                    rwlock_unlock(&files_update_rwlock);
+                    continue;
+                } else {
+                    FILETIME ft_handle = lpFileInformation.ftLastWriteTime;
+
+                    /* Current machine EPOCH time */
+                    long long int c_currenttime = get_windows_time_epoch();
+
+                    /* Current file EPOCH time */
+                    long long int file_currenttime = get_windows_file_time_epoch(ft_handle);
+
+                    /* Ignore file */
+                    if((c_currenttime - current->age) >= file_currenttime) {
+                        mdebug1("Ignoring file '%s' due to modification time",current->file);
+                        fclose(current->fp);
+                        current->fp = NULL;
+                        current->h = NULL;
+                        w_mutex_unlock(&current->mutex);
+                        rwlock_unlock(&files_update_rwlock);
+                        continue;
+                    }
+                }
+            }
+
+            int ucs2 = is_usc2(current->file);
+            if (ucs2) {
+                current->ucs2 = ucs2;
+                if (current->filter_binary) {
+                    /* If the file is empty, set it to UCS-2 LE */
+                    if (FileSizeWin(current->file) == 0) {
+                        current->ucs2 = UCS2_LE;
+                        current->read = read_ucs2_le;
+                        mdebug2("File '%s' is empty. Setting encoding to UCS-2 LE.",current->file);
+                    } else {
+
+                        if (current->ucs2 == UCS2_LE) {
+                            mdebug1("File '%s' is UCS-2 LE",current->file);
+                            current->read = read_ucs2_le;
+                        }
+
+                        if (current->ucs2 == UCS2_BE) {
+                            mdebug1("File '%s' is UCS-2 BE",current->file);
+                            current->read = read_ucs2_be;
+                        }
+                    }
+                }
+            }
+
+            if (current->filter_binary) {
+                /* If the file is empty, set it to UCS-2 LE */
+                if (FileSizeWin(current->file) == 0) {
+                    current->ucs2 = UCS2_LE;
+                    current->read = read_ucs2_le;
+                    mdebug2("File '%s' is empty. Setting encoding to UCS-2 LE.",current->file);
+                } else {
+
+                    if (!ucs2) {
+                        if (!strcmp("syslog", current->logformat) || !strcmp("generic", current->logformat)) {
+                            current->read = read_syslog;
+                        } else if (strcmp("multi-line", current->logformat) == 0) {
+                            current->read = read_multiline;
+                        } else if (strcmp(MULTI_LINE_REGEX, current->logformat) == 0) {
+                            current->read = read_multiline_regex;
+                        }
+                    }
+                }
+            }
+#endif
+                /* Finally, send to the function pointer to read it */
+                current->read(current, &r, 0);
+                /* Check for error */
+                if (!ferror(current->fp)) {
+                    /* Clear EOF */
+                    clearerr(current->fp);
+
+                    /* Parsing error */
+                    if (r != 0) {
+                        current->ign++;
+
+                        if (open_file_attempts && j < 0) {
+                            mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                        } else {
+                            mdebug1(OPEN_UNABLE, current->file);
+                        }
+
+                    }
+                    w_mutex_unlock(&current->mutex);
+                }
+                /* If ferror is set */
+                else {
+                    merror(FREAD_ERROR, current->file, errno, strerror(errno));
+    #ifndef WIN32
+                    if (fseek(current->fp, 0, SEEK_END) < 0)
+    #else
+                    if (1)
+    #endif
+                    {
+
+    #ifndef WIN32
+                        merror(FSEEK_ERROR, current->file, errno, strerror(errno));
+    #endif
+
+                        /* Close the file */
+                        fclose(current->fp);
+                        current->fp = NULL;
+
+                        /* Try to open it again */
+                        if (handle_file(i, j, 0, 1)) {
+                            w_mutex_unlock(&current->mutex);
+                            rwlock_unlock(&files_update_rwlock);
+                            continue;
+                        }
+#ifdef WIN32
+                        if (current->fp != NULL) {
+                            if (current->future == 0) {
+                                w_set_to_last_line_read(current);
+                            } else {
+                                int64_t offset = w_set_to_pos(current, 0, SEEK_END);
+                                w_update_hash_node(current->file, offset);
+                            }
+                        }
+#endif
+                    }
+                    /* Increase the error count  */
+                    current->ign++;
+
+                    if (open_file_attempts && j < 0) {
+                        mdebug1(OPEN_ATTEMPT, current->file, open_file_attempts - current->ign);
+                    } else {
+                        mdebug1(OPEN_UNABLE, current->file);
+                    }
+
+                    if (current->fp) {
+                        clearerr(current->fp);
+                    }
+
+                    w_mutex_unlock(&current->mutex);
+                }
+            }
+
+            rwlock_unlock(&files_update_rwlock);
+        }
+    }
+
+#ifndef WIN32
+    return NULL;
+#endif
+}
+
+void w_create_input_threads(){
+
+    int i;
+
+    N_INPUT_THREADS = getDefine_Int("logcollector", "input_threads", N_MIN_INPUT_THREADS, 128);
+
+#ifdef WIN32
+    w_mutex_init(&win_el_mutex, &win_el_mutex_attr);
+    w_mutexattr_destroy(&win_el_mutex_attr);
+#endif
+
+    for(i = 0; i < N_INPUT_THREADS; i++) {
+#ifndef WIN32
+        w_create_thread(w_input_thread,NULL);
+#else
+        w_create_thread(NULL,
+                     0,
+                     w_input_thread,
+                     NULL,
+                     0,
+                     NULL);
+#endif
+    }
+}
+
+void files_lock_init()
+{
+    rwlock_init(&files_update_rwlock);
+    rwlock_init(&can_read_rwlock);
+}
+
+static void check_text_only() {
+
+    int i, j;
+
+    IT_control f_control = 0;
+    logreader *current;
+    char file_name[PATH_MAX];
+
+    for (i = 0, j = -1;; i++) {
+        if (f_control = update_current(&current, &i, &j), f_control) {
+            if (f_control == NEXT_IT) {
+                continue;
+            } else {
+                break;
+            }
+        }
+
+        /* Check for files to exclude */
+        if(current->file && !current->command && current->filter_binary) {
+            snprintf(file_name, PATH_MAX, "%s", current->file);
+
+            char *file_excluded = OSHash_Get(excluded_files,file_name);
+
+            if(is_ascii_utf8(current->file,MAX_ASCII_LINES,MAX_UTF8_CHARS)) {
+                #ifdef WIN32
+
+                    int ucs2 = is_usc2(current->file);
+                    if(ucs2) {
+                        current->ucs2 = ucs2;
+                        continue;
+                    }
+
+                #endif
+                int result = 0;
+                if (j < 0) {
+                    result = Remove_Localfile(&logff, i, 0, 1, NULL);
+                } else {
+                    result = Remove_Localfile(&(globs[j].gfiles), i, 1, 0, &globs[j]);
+                }
+
+                if (result) {
+                    merror_exit(REM_ERROR, file_name);
+                } else {
+                    mdebug2(NON_TEXT_FILE, file_name);
+                    mdebug2(CURRENT_FILES, current_files, maximum_files);
+
+                    if(!file_excluded) {
+                        OSHash_Add(excluded_files,file_name,(void *)1);
+                    }
+
+                    /* Add to binary hash table */
+                    char *file_excluded_binary = OSHash_Get(excluded_binaries,file_name);
+
+                    if (!file_excluded_binary) {
+                        OSHash_Add(excluded_binaries,file_name,(void *)1);
+                    }
+
+                }
+                i--;
+            } else {
+
+                if(file_excluded) {
+                    OSHash_Delete(excluded_files,file_name);
+                }
+            }
+        }
+    }
+}
+
+#ifdef WIN32
+static void check_pattern_expand_excluded() {
+
+    int found;
+    int j;
+
+    if (globs) {
+        for (j = 0; globs[j].gpath; j++) {
+
+            if (!globs[j].exclude_path) {
+                continue;
+            }
+
+            char *global_path = NULL;
+            char *wildcard = NULL;
+            os_strdup(globs[j].exclude_path,global_path);
+
+            wildcard = strrchr(global_path,'\\');
+
+            if (wildcard) {
+
+                DIR *dir = NULL;
+                struct dirent *dirent = NULL;
+
+                *wildcard = '\0';
+                wildcard++;
+
+                if (dir = opendir(global_path), !dir) {
+                    merror("Couldn't open directory '%s' due to: %s", global_path, win_strerror(WSAGetLastError()));
+                    os_free(global_path);
+                    continue;
+                }
+
+                while (dirent = readdir(dir), dirent) {
+
+                    // Skip "." and ".."
+                    if (dirent->d_name[0] == '.' && (dirent->d_name[1] == '\0' || (dirent->d_name[1] == '.' && dirent->d_name[2] == '\0'))) {
+                        continue;
+                    }
+
+                    char full_path[PATH_MAX] = {0};
+                    snprintf(full_path,PATH_MAX,"%s\\%s",global_path,dirent->d_name);
+
+                    /* Skip file if it is a directory */
+                    DIR *is_dir = NULL;
+
+                    if (is_dir = opendir(full_path), is_dir) {
+                        mdebug2("File %s is a directory. Skipping it.", full_path);
+                        closedir(is_dir);
+                        continue;
+                    }
+
+                    /* Match wildcard */
+                    char *regex = NULL;
+                    regex = wstr_replace(wildcard,".","\\p");
+                    os_free(regex);
+                    regex = wstr_replace(wildcard,"*","\\.*");
+
+                    /* Add the starting ^ regex */
+                    {
+                        char p[PATH_MAX] = {0};
+                        snprintf(p,PATH_MAX,"^%s",regex);
+                        os_free(regex);
+                        os_strdup(p,regex);
+                    }
+
+                    /* If wildcard is only ^\.* add another \.* */
+                    if (strlen(regex) == 4) {
+                        char *rgx = NULL;
+                        rgx = wstr_replace(regex,"\\.*","\\.*\\.*");
+                        os_free(regex);
+                        regex = rgx;
+                    }
+
+                    /* Add $ at the end of the regex */
+                    wm_strcat(&regex, "$", 0);
+
+                    if(!OS_Regex(regex,dirent->d_name)) {
+                        mdebug2("Regex %s doesn't match with file '%s'",regex,dirent->d_name);
+                        os_free(regex);
+                        continue;
+                    }
+
+                    os_free(regex);
+
+                    found = 0;
+                    int k;
+                    for (k = 0; globs[j].gfiles[k].file; k++) {
+                        if (!strcmp(globs[j].gfiles[k].file, full_path)) {
+                            found = 1;
+                            break;
+                        }
+                    }
+
+                    /* Excluded file found, remove it completely */
+                    if(found) {
+                        int result;
+
+                        if (j < 0) {
+                            result = Remove_Localfile(&logff, k, 0, 1, NULL);
+                        } else {
+                            result = Remove_Localfile(&(globs[j].gfiles), k, 1, 0, &globs[j]);
+                        }
+
+                        if (result) {
+                            merror_exit(REM_ERROR,full_path);
+                        } else {
+
+                            /* Add the excluded file to the hash table */
+                            char *file = OSHash_Get(excluded_files,full_path);
+
+                            if(!file) {
+                                OSHash_Add(excluded_files,full_path,(void *)1);
+                                minfo(EXCLUDE_FILE,full_path);
+                            }
+
+                            mdebug2(EXCLUDE_FILE,full_path);
+                            mdebug2(CURRENT_FILES, current_files, maximum_files);
+                        }
+                    }
+                }
+                closedir(dir);
+            }
+            os_free(global_path);
+        }
+    }
+}
+#endif
+
+
+static void set_can_read(int value){
+
+    RWLOCK_LOCK_WRITE(&can_read_rwlock, {
+        _can_read = value;
+    });
+}
+
+int can_read() {
+
+    int ret;
+    RWLOCK_LOCK_READ(&can_read_rwlock, {
+        ret = _can_read;
+    });
+    return ret;
+}
+
+int w_update_file_status(const char * path, int64_t pos, EVP_MD_CTX * context) {
+
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+
+    data->context = context;
+
+    os_sha1 output;
+    OS_SHA1_Stream(context, output, NULL);
+    memcpy(data->hash, output, sizeof(os_sha1));
+
+    data->offset = pos;
+
+    if (OSHash_Update_ex(files_status, path, data) != 1) {
+        if (OSHash_Add_ex(files_status, path, data) != 2) {
+            EVP_MD_CTX_free(context);
+            os_free(data);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+void free_files_status_data(os_file_status_t *data) {
+    if (!data) return;
+    EVP_MD_CTX_free(data->context);
+    os_free(data);
+}
+
+STATIC void w_initialize_file_status() {
+
+    /* Initialize hash table to associate paths and read position */
+    if (files_status = OSHash_Create(), files_status == NULL) {
+        merror_exit(HCREATE_ERROR, files_status_name);
+    }
+
+    if (OSHash_setSize(files_status, LOCALFILES_TABLE_SIZE) == 0) {
+        merror_exit(HSETSIZE_ERROR, files_status_name);
+    }
+
+    OSHash_SetFreeDataPointer(files_status, (void (*)(void *))free_files_status_data);
+
+    /* Read json file to load last read positions */
+    FILE * fd = NULL;
+
+    if (fd = wfopen(LOCALFILE_STATUS, "r"), fd != NULL) {
+        char str[OS_MAXSTR] = {0};
+
+        if (fread(str, 1, OS_MAXSTR - 1, fd) < 1) {
+            merror(FREAD_ERROR, LOCALFILE_STATUS, errno, strerror(errno));
+            clearerr(fd);
+        } else {
+            cJSON * global_json = cJSON_Parse(str);
+            w_load_files_status(global_json);
+            cJSON_Delete(global_json);
+        }
+
+        fclose(fd);
+    } else if (errno != ENOENT) {
+        merror(FOPEN_ERROR, LOCALFILE_STATUS, errno, strerror(errno));
+    }
+}
+
+STATIC void w_save_file_status() {
+
+    char * str = w_save_files_status_to_cJSON();
+
+    if (str == NULL) {
+        return;
+    }
+
+    FILE * fd = NULL;
+    size_t size_str = strlen(str);
+
+    if (fd = wfopen(LOCALFILE_STATUS, "w"), fd != NULL) {
+        if (fwrite(str, 1, size_str, fd) == 0) {
+            merror(FWRITE_ERROR, LOCALFILE_STATUS, errno, strerror(errno));
+            clearerr(fd);
+        }
+        fclose(fd);
+    } else {
+        merror_exit(FOPEN_ERROR, LOCALFILE_STATUS, errno, strerror(errno));
+    }
+
+    os_free(str);
+}
+
+STATIC void w_load_files_status(cJSON * global_json) {
+
+    cJSON * localfiles_array = cJSON_GetObjectItem(global_json, OS_LOGCOLLECTOR_JSON_FILES);
+    int array_size = cJSON_GetArraySize(localfiles_array);
+
+    for (int i = 0; i < array_size; i++) {
+        cJSON * localfile_item = cJSON_GetArrayItem(localfiles_array, i);
+
+        cJSON * path = cJSON_GetObjectItem(localfile_item, OS_LOGCOLLECTOR_JSON_PATH);
+        if (path == NULL) {
+            continue;
+        }
+
+        char * path_str = cJSON_GetStringValue(path);
+        if (path_str == NULL) {
+            continue;
+        }
+
+        struct stat stat_fd;
+
+        if (stat(path_str, &stat_fd) == -1) {
+            continue;
+        }
+
+        cJSON * hash = cJSON_GetObjectItem(localfile_item, OS_LOGCOLLECTOR_JSON_HASH);
+        if (hash == NULL) {
+            continue;
+        }
+
+        char * hash_str = cJSON_GetStringValue(hash);
+        if (hash_str == NULL) {
+            continue;
+        }
+
+        cJSON * offset = cJSON_GetObjectItem(localfile_item, OS_LOGCOLLECTOR_JSON_OFFSET);
+        if (offset == NULL) {
+            continue;
+        }
+
+        char * offset_str = cJSON_GetStringValue(offset);
+        if (offset_str == NULL) {
+            continue;
+        }
+
+        char * end;
+
+#ifdef WIN32
+        int64_t value_offset = strtoll(offset_str, &end, 10);
+#else
+        int64_t value_offset = strtol(offset_str, &end, 10);
+#endif
+
+        if (value_offset < 0 || *end != '\0') {
+            continue;
+        }
+
+        os_file_status_t * data;
+
+        os_malloc(sizeof(os_file_status_t), data);
+        memcpy(data->hash, hash_str, sizeof(os_sha1));
+        data->offset = value_offset;
+
+        EVP_MD_CTX *context = EVP_MD_CTX_new();
+        os_sha1 output;
+
+        if (OS_SHA1_File_Nbytes(path_str, &context, output, OS_BINARY, value_offset) < 0) {
+            mdebug1(LOGCOLLECTOR_FILE_NOT_EXIST, path_str);
+            EVP_MD_CTX_free(context);
+            os_free(data);
+            return;
+        }
+        data->context = context;
+
+        if (OSHash_Update_ex(files_status, path_str, data) != 1) {
+            if (OSHash_Add_ex(files_status, path_str, data) != 2) {
+                merror(HADD_ERROR, path_str, files_status_name);
+                EVP_MD_CTX_free(context);
+                os_free(data);
+            }
+        }
+    }
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+
+   w_macos_set_status_from_JSON(global_json);
+
+#endif
+
+#ifdef __linux__
+    w_journald_set_status_from_JSON(global_json);
+#endif
+
+}
+
+STATIC char * w_save_files_status_to_cJSON() {
+
+    unsigned int index = 0;
+    cJSON * global_json = NULL;
+    char * global_json_str = NULL;
+    OSHashNode * hash_node = NULL;
+
+    w_rwlock_rdlock(&files_status->mutex);
+    if (hash_node = OSHash_Begin(files_status, &index), hash_node != NULL) {
+        os_file_status_t * data = NULL;
+        cJSON * array = NULL;
+        cJSON * item = NULL;
+        char * path = NULL;
+        char offset[OFFSET_SIZE] = {0};
+
+        global_json = cJSON_CreateObject();
+        array = cJSON_AddArrayToObject(global_json, OS_LOGCOLLECTOR_JSON_FILES);
+
+        while (hash_node != NULL) {
+            data = hash_node->data;
+            path = hash_node->key;
+            memset(offset, 0, OFFSET_SIZE);
+
+            snprintf(offset, OFFSET_SIZE, "%" PRIi64, data->offset);
+
+            item = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(item, OS_LOGCOLLECTOR_JSON_PATH, path);
+            cJSON_AddStringToObject(item, OS_LOGCOLLECTOR_JSON_HASH, data->hash);
+            cJSON_AddStringToObject(item, OS_LOGCOLLECTOR_JSON_OFFSET, offset);
+            cJSON_AddItemToArray(array, item);
+
+            hash_node = OSHash_Next(files_status, &index, hash_node);
+        }
+    }
+    w_rwlock_unlock(&files_status->mutex);
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+
+    cJSON * macos_status = w_macos_get_status_as_JSON();
+    if (macos_status != NULL && macos_processes != NULL) {
+        if (global_json == NULL) {
+            global_json = cJSON_CreateObject();
+        }
+        cJSON_AddItemToObject(global_json, OS_LOGCOLLECTOR_JSON_MACOS, macos_status);
+    }
+
+#endif
+
+#ifdef __linux__
+    cJSON * journald_status = w_journald_get_status_as_JSON();
+    if (journald_status != NULL) {
+        if (global_json == NULL) {
+            global_json = cJSON_CreateObject();
+        }
+        cJSON_AddItemToObject(global_json, JOURNALD_LOG, journald_status);
+    }
+#endif
+
+    if (global_json != NULL) {
+        global_json_str = cJSON_PrintUnformatted(global_json);
+        cJSON_Delete(global_json);
+    }
+
+    return global_json_str;
+}
+
+STATIC int w_set_to_last_line_read(logreader * lf) {
+
+    os_file_status_t * data;
+
+    if (lf->file == NULL) {
+        return 0;
+    }
+
+    if (data = (os_file_status_t *)OSHash_Get_ex(files_status, lf->file), data == NULL) {
+        w_set_to_pos(lf, 0, SEEK_END);
+        if (w_update_hash_node(lf->file, w_ftell(lf->fp)) == -1) {
+            merror(HUPDATE_ERROR, lf->file, files_status_name);
+        }
+        return 0;
+    }
+
+    struct stat stat_fd;
+
+    if (fstat(fileno(lf->fp), &stat_fd) == -1) {
+        merror(FSTAT_ERROR, lf->file, errno, strerror(errno));
+        return -1;
+    }
+
+    int64_t result = 0;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+
+    if (OS_SHA1_File_Nbytes(lf->file, &context, output, OS_BINARY, data->offset) < 0) {
+        merror(FAIL_SHA1_GEN, lf->file);
+        EVP_MD_CTX_free(context);
+        return -1;
+    }
+
+    if (strcmp(output, data->hash)) {
+        result = w_set_to_pos(lf, 0, SEEK_SET);
+    } else if (stat_fd.st_size - data->offset > lf->diff_max_size) {
+        result = w_set_to_pos(lf, 0, SEEK_END);
+    } else {
+        EVP_MD_CTX_free(context);
+        return w_set_to_pos(lf, data->offset, SEEK_SET);
+    }
+
+    if (result >= 0) {
+        if (w_update_hash_node(lf->file, result) == -1) {
+            merror(HUPDATE_ERROR, lf->file, files_status_name);
+        }
+    }
+
+    EVP_MD_CTX_free(context);
+    return result;
+}
+
+STATIC int w_update_hash_node(char * path, int64_t pos) {
+
+    os_file_status_t * data;
+
+    if (path == NULL) {
+        return -1;
+    }
+
+    os_malloc(sizeof(os_file_status_t), data);
+
+    data->offset = pos;
+
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+
+    if (OS_SHA1_File_Nbytes(path, &context, output, OS_BINARY, pos) < 0) {
+        merror(FAIL_SHA1_GEN, path);
+        EVP_MD_CTX_free(context);
+        os_free(data);
+        return -1;
+    }
+    memcpy(data->hash, output, sizeof(os_sha1));
+    data->context = context;
+
+    if (OSHash_Update_ex(files_status, path, data) != 1) {
+        if (OSHash_Add_ex(files_status, path, data) != 2) {
+            EVP_MD_CTX_free(context);
+            os_free(data);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+STATIC int64_t w_set_to_pos(logreader * lf, int64_t pos, int mode) {
+
+    if (lf == NULL || lf->file == NULL) {
+        return -1;
+    }
+
+    if (w_fseek(lf->fp, pos, mode) < 0) {
+        merror(FSEEK_ERROR, lf->file, errno, strerror(errno));
+        fclose(lf->fp);
+        lf->fp = NULL;
+        return -1;
+    }
+
+    return w_ftell(lf->fp);
+}
+
+bool w_get_hash_context(logreader *lf, EVP_MD_CTX ** context, int64_t position) {
+
+    os_file_status_t * data = (os_file_status_t *) OSHash_Get_ex(files_status, lf->file);
+
+    if (data == NULL) {
+        os_sha1 output;
+        if (OS_SHA1_File_Nbytes_with_fp_check(lf->file, context, output, OS_BINARY, position, lf->fd) < 0) {
+            return false;
+        }
+    } else {
+        EVP_DigestInit(*context, EVP_sha1());
+        EVP_MD_CTX_copy(*context, data->context);
+    }
+    return true;
+}
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+void w_macos_release_log_show(void) {
+
+    if (macos_processes != NULL && macos_processes->show.wfd != NULL) {
+        mdebug1("macOS ULS: Releasing macOS `log show` resources.");
+        if (macos_processes->show.wfd->pid > 0) {
+            kill(macos_processes->show.wfd->pid, SIGTERM);
+        }
+        if (macos_processes->show.child > 0) {
+            kill(macos_processes->show.child, SIGTERM);
+        }
+        wpclose(macos_processes->show.wfd);
+        macos_processes->show.wfd = NULL;
+        macos_processes->show.child = 0;
+    }
+}
+
+void w_macos_release_log_stream(void) {
+
+    if (macos_processes != NULL && macos_processes->stream.wfd != NULL) {
+        mdebug1("macOS ULS: Releasing macOS `log stream` resources.");
+        if (macos_processes->stream.wfd->pid > 0) {
+            kill(macos_processes->stream.wfd->pid, SIGTERM);
+        }
+        if (macos_processes->stream.child > 0) {
+            kill(macos_processes->stream.child, SIGTERM);
+        }
+        wpclose(macos_processes->stream.wfd);
+        macos_processes->stream.wfd = NULL;
+        macos_processes->stream.child = 0;
+    }
+}
+
+void w_macos_release_log_execution(void) {
+
+    w_macos_release_log_show();
+    w_macos_release_log_stream();
+}
+
+#endif
diff --git a/src/modules/logcollector/src/macos_log.c b/src/modules/logcollector/src/macos_log.c
new file mode 100644
index 0000000000..e9e308e00f
--- /dev/null
+++ b/src/modules/logcollector/src/macos_log.c
@@ -0,0 +1,562 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+#include "macos_log.h"
+
+/* Removes STATIC/INLINE qualifiers from the tests */
+#ifdef WAZUH_UNIT_TESTING
+#define STATIC
+#define INLINE
+#else
+#define STATIC static
+#define INLINE inline
+#endif
+
+STATIC w_macos_log_vault_t macos_log_vault = { .mutex = PTHREAD_RWLOCK_INITIALIZER, .timestamp = "",
+                                               .settings = NULL, .is_valid_data = false };
+
+STATIC char * macos_codename = NULL;
+
+STATIC w_sysinfo_helpers_t * sysinfo = NULL;
+/**
+ * @brief Check if agent is running on macOS Sierra
+ *
+ * @return true if agent is running in macOS Sierra. false otherwise
+ */
+bool w_is_macos_sierra() {
+
+    if (macos_codename != NULL && strcmp(macos_codename, MACOS_SIERRA_CODENAME_STR) == 0) {
+        return true;
+    }
+    return false;
+}
+
+/**
+ * @brief Prepend `script` command arguments when macOS Sierra is being used
+ *
+ * @param log_cmd_array array of arguments
+ * @param log_cmd_array_idx index of the array
+ */
+STATIC INLINE void w_macos_add_sierra_support(char ** log_cmd_array, size_t * log_cmd_array_idx) {
+
+    w_strdup(SCRIPT_CMD_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+    w_strdup(SCRIPT_CMD_ARGS, log_cmd_array[(*log_cmd_array_idx)++]);
+    w_strdup(SCRIPT_CMD_SINK, log_cmd_array[(*log_cmd_array_idx)++]);
+}
+
+/**
+ * @brief Validates whether the predicate is valid or not
+ * @param predicate Contains the `log`'s predicate filter to be used as a string
+ * @return true if valid, otherwise false
+ */
+STATIC INLINE bool w_macos_is_log_predicate_valid(char * predicate) {
+
+    if (strlen(predicate) > 0) {
+        return true;
+    }
+    return false;
+}
+
+/**
+ * @brief Adds to the `log show` aguments array the level arguments
+ *
+ * @param log_cmd_array `log show` array of arguments
+ * @param log_cmd_array_idx Index of the `log show` array
+ * @param level String that contains the `log show` levels
+ */
+STATIC INLINE void w_macos_log_show_array_add_level(char ** log_cmd_array, size_t * log_cmd_array_idx, char * level) {
+
+    /* Log Show's Level section: adds, or not, `--debug` and/or `--info`. This that assumes `debug` contains `info` */
+    if (level != NULL && strcmp(level, MACOS_LOG_LEVEL_DEFAULT_STR) != 0) {
+
+        /* If the level is not `default`, because it is set to `info` or `debug`, then the info logs are acquired */
+        w_strdup(SHOW_INFO_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+
+        if (strcmp(level, MACOS_LOG_LEVEL_DEBUG_STR) == 0) {
+            /* Only when the level is set to `debug` the debug logs are acquired */
+            w_strdup(SHOW_DEBUG_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        }
+    }
+}
+
+/**
+ * @brief Creates the predicate fragment related to the type that will be then concatenated with the rest of the filter
+ *
+ * @param type Contains the `log show`'s type filters to be used (as combined bit flags)
+ * @return char * containing a string with the predicate fragment related to the type or NULL if no type filter was set
+ */
+STATIC INLINE char * w_macos_log_show_create_type_predicate(int type) {
+
+    char * type_predicate = NULL;
+
+    if (type & MACOS_LOG_TYPE_ACTIVITY) {
+        w_strdup(SHOW_TYPE_ACTIVITY_STR, type_predicate);
+    }
+    if (type & MACOS_LOG_TYPE_LOG) {
+        if (type_predicate == NULL) {
+            w_strdup(SHOW_TYPE_LOG_STR, type_predicate);
+        } else {
+            type_predicate = w_strcat(type_predicate, SHOW_OR_TYPE_LOG_STR, strlen(SHOW_OR_TYPE_LOG_STR));
+        }
+    }
+    if (type & MACOS_LOG_TYPE_TRACE) {
+        if (type_predicate == NULL) {
+            w_strdup(SHOW_TYPE_TRACE_STR, type_predicate);
+        } else {
+            type_predicate = w_strcat(type_predicate, SHOW_OR_TYPE_TRACE_STR, strlen(SHOW_OR_TYPE_TRACE_STR));
+        }
+    }
+
+    return type_predicate;
+}
+
+/**
+ * @brief Adds to the `log show` aguments array the predicate arguments by joining user's predicate with the "type" one
+ *
+ * @param log_cmd_array `log show` array of arguments
+ * @param log_cmd_array_idx index of the `log show` array
+ * @param query String containing the user's raw predicate
+ * @param type_predicate String containing the predicate's type fragment
+ */
+STATIC INLINE void w_macos_log_show_array_add_predicate(char ** log_cmd_array, size_t * log_cmd_array_idx, char * query,
+                                                        char * type_predicate) {
+
+    char * predicate = NULL;
+
+    if (query != NULL) {
+        if (w_macos_is_log_predicate_valid(query)) {
+            w_strdup(PREDICATE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+
+            if (type_predicate != NULL) {
+                const int PREDICATE_SIZE = strlen(query) + strlen(type_predicate) + strlen(QUERY_AND_TYPE_PREDICATE);
+                os_calloc(PREDICATE_SIZE, sizeof(char), predicate);
+                snprintf(predicate, PREDICATE_SIZE, QUERY_AND_TYPE_PREDICATE, query, type_predicate);
+
+            } else {
+                w_strdup(query, predicate);
+            }
+            w_strdup(predicate, log_cmd_array[(*log_cmd_array_idx)++]);
+            os_free(predicate);
+
+        } else if (type_predicate != NULL) {
+            w_strdup(PREDICATE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+            w_strdup(type_predicate, log_cmd_array[(*log_cmd_array_idx)++]);
+        }
+    } else if (type_predicate != NULL) {
+        w_strdup(PREDICATE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        w_strdup(type_predicate, log_cmd_array[(*log_cmd_array_idx)++]);
+    }
+}
+
+/**
+ * @brief Generates the `log show` command array with its arguments
+ *
+ * @param predicate Contains the `log show`'s predicate filter to be used as a string
+ * @param level Contains, or not, the `log show`'s level filter to be used as a string (default/info/debug)
+ * @param type Contains the `log show`'s type filters to be used (as combined bit flags)
+ * @return A pointer to an array containing the executable arguments
+ */
+STATIC INLINE char ** w_macos_create_log_show_array(char * start_date, char * query, char * level, int type) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    char * type_predicate = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    if (w_is_macos_sierra()) {
+        w_macos_add_sierra_support(log_cmd_array, &log_cmd_array_idx);
+    }
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(start_date, log_cmd_array[log_cmd_array_idx++]);
+
+    w_macos_log_show_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    os_free(type_predicate);
+
+    return log_cmd_array;
+}
+
+/**
+ * @brief Adds to the `log stream` aguments array the level arguments
+ *
+ * @param log_cmd_array `log stream` array of arguments
+ * @param log_cmd_array_idx index of the `log stream` array
+ * @param level string that contains the `log stream` levels
+ */
+STATIC INLINE void w_macos_log_stream_array_add_level(char ** log_cmd_array, size_t * log_cmd_array_idx, char * level) {
+
+    if (level != NULL) {
+        w_strdup(LEVEL_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        w_strdup(level, log_cmd_array[(*log_cmd_array_idx)++]);
+    }
+}
+
+/**
+ * @brief Adds to the `log stream` aguments array the type arguments
+ *
+ * @param log_cmd_array `log stream` array of arguments
+ * @param log_cmd_array_idx index of the `log stream` array
+ * @param type Contains the `log stream`'s type filters to be used (as combined bit flags)
+ */
+STATIC INLINE void w_macos_log_stream_array_add_type(char ** log_cmd_array, size_t * log_cmd_array_idx, int type) {
+
+    if (type != 0) {
+        if (type & MACOS_LOG_TYPE_ACTIVITY) {
+            w_strdup(TYPE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+            w_strdup(MACOS_LOG_TYPE_ACTIVITY_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        }
+        if (type & MACOS_LOG_TYPE_LOG) {
+            w_strdup(TYPE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+            w_strdup(MACOS_LOG_TYPE_LOG_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        }
+        if (type & MACOS_LOG_TYPE_TRACE) {
+            w_strdup(TYPE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+            w_strdup(MACOS_LOG_TYPE_TRACE_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+        }
+    }
+}
+
+/**
+ * @brief Adds to the `log stream` aguments array the predicate arguments
+ *
+ * @param log_cmd_array `log stream` array of arguments
+ * @param log_cmd_array_idx index of the `log stream` array
+ * @param predicate string that contains the `log stream` predicate
+ */
+STATIC INLINE void w_macos_log_stream_array_add_predicate(char ** log_cmd_array, size_t * log_cmd_array_idx,
+                                                          char * predicate) {
+
+    if (predicate != NULL && w_macos_is_log_predicate_valid(predicate)) {
+        w_strdup(PREDICATE_OPT_STR, log_cmd_array[(*log_cmd_array_idx)++]);
+
+        w_strdup(predicate, log_cmd_array[(*log_cmd_array_idx)++]);
+    }
+}
+
+/**
+ * @brief Generates the `log stream` command array with its arguments
+ *
+ * @param predicate Contains the `log stream`'s predicate filter to be used as a string
+ * @param level Contains, or not, the `log stream`'s level filter to be used as a string (default/info/debug)
+ * @param type Contains the `log stream`'s type filters to be used (as combined bit flags)
+ * @return A pointer to an array containing the executable arguments
+ */
+STATIC char ** w_macos_create_log_stream_array(char * predicate, char * level, int type) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_STREAM_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    if (w_is_macos_sierra()) {
+        w_macos_add_sierra_support(log_cmd_array, &log_cmd_array_idx);
+    }
+
+    /* Adding `log` and `stream` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_STREAM_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    w_macos_log_stream_array_add_type(log_cmd_array, &log_cmd_array_idx, type);
+
+    w_macos_log_stream_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    w_macos_log_stream_array_add_predicate(log_cmd_array, &log_cmd_array_idx, predicate);
+
+    return log_cmd_array;
+}
+
+/**
+ * @brief Executes the `log stream/show` command with its arguments and sets to non-blocking the output pipe
+ *
+ * @param log_cmd_array Contains the arguments of the command to be executed
+ * @param flags Are the flags to be used along with wpopenv()
+ * @return A pointer to a fulfilled wfd_t structure, on success, or NULL
+ */
+STATIC wfd_t * w_macos_log_exec(char ** log_cmd_array, u_int32_t flags) {
+
+    int log_pipe_fd = -1;
+    int log_pipe_fd_flags = 0;
+    wfd_t * macos_log_wfd = wpopenv(*log_cmd_array, log_cmd_array, flags);
+
+    if (macos_log_wfd == NULL) {
+        merror(WPOPENV_ERROR, strerror(errno), errno);
+    } else {
+        /* The file descriptor, from which the output of `log stream` will be read, is set to non-blocking */
+        log_pipe_fd = fileno(macos_log_wfd->file_out); // Gets the file descriptor from a file pointer
+
+        if (log_pipe_fd <= 0) {
+            merror(FP_TO_FD_ERROR, strerror(errno), errno);
+            wpclose(macos_log_wfd);
+            macos_log_wfd = NULL;
+        } else {
+            log_pipe_fd_flags = fcntl(log_pipe_fd, F_GETFL, 0); // Gets current flags
+
+            if (log_pipe_fd_flags < 0) {
+                merror(GET_FLAGS_ERROR, strerror(errno), errno);
+                wpclose(macos_log_wfd);
+                macos_log_wfd = NULL;
+            } else {
+                log_pipe_fd_flags |= O_NONBLOCK; // Adds the NON-BLOCKING flag to current flags
+                const int set_flags_retval = fcntl(log_pipe_fd, F_SETFL, log_pipe_fd_flags); // Sets the new Flags
+
+                if (set_flags_retval < 0) {
+                    merror(SET_FLAGS_ERROR, strerror(errno), errno);
+                    wpclose(macos_log_wfd);
+                    macos_log_wfd = NULL;
+                }
+            }
+        }
+    }
+
+    return macos_log_wfd;
+}
+
+/**
+ * @brief Checks whether the `log` command can be executed or not by using the access() function
+ * @warning if macOS Sierra is beeing used, also `script` command will be checked.
+ * @return true when `log` command can be executed, false otherwise.
+ */
+STATIC INLINE bool w_macos_is_log_executable(void) {
+
+    if (w_is_macos_sierra() && access(SCRIPT_CMD_STR, X_OK) != 0) {
+        merror(ACCESS_ERROR, SCRIPT_CMD_STR, strerror(errno), errno);
+        return false;
+    }
+
+    const int retval = access(LOG_CMD_STR, X_OK);
+    if (retval == 0) {
+        return true;
+    }
+    merror(ACCESS_ERROR, LOG_CMD_STR, strerror(errno), errno);
+    return false;
+}
+
+/**
+ * @brief Creates the environment for collecting "show" logs on macOS Systems
+ *
+ * @param lf localfile's logreader structure with `log show`'s arguments and its configuration structure to be set
+ */
+STATIC INLINE void w_macos_create_log_show_env(logreader * lf) {
+
+    char ** log_show_array = NULL;
+
+    char * timestamp = w_macos_get_last_log_timestamp();
+
+    lf->macos_log->processes.show.wfd = NULL;
+
+    if (timestamp[0] == '\0') {
+        os_free(timestamp);
+        return;
+    }
+
+    log_show_array = w_macos_create_log_show_array(timestamp, lf->query, lf->query_level, lf->query_type);
+
+    lf->macos_log->processes.show.wfd = w_macos_log_exec(log_show_array, W_BIND_STDOUT | W_BIND_STDERR);
+
+    char * log_show_str = w_strcat_list(log_show_array, ' ');
+
+    if (lf->macos_log->processes.show.wfd != NULL) {
+        lf->macos_log->state = LOG_RUNNING_SHOW;
+        minfo(LOGCOLLECTOR_MACOS_LOG_SHOW_INFO, log_show_str);
+    } else {
+        merror(LOGCOLLECTOR_MACOS_LOG_SHOW_EXEC_ERROR, log_show_str);
+    }
+
+    os_free(timestamp);
+    os_free(log_show_str);
+    free_strarray(log_show_array);
+}
+
+/**
+ * @brief Creates the environment for collecting "stream" logs on MacOS Systems
+ *
+ * @param lf localfile's logreader structure with `log stream`'s arguments and its configuration structure to be set
+ */
+STATIC INLINE void w_macos_create_log_stream_env(logreader * lf) {
+
+    char ** log_stream_array = NULL;
+
+    lf->macos_log->processes.stream.wfd = NULL;
+
+    log_stream_array = w_macos_create_log_stream_array(lf->query, lf->query_level, lf->query_type);
+
+    lf->macos_log->processes.stream.wfd = w_macos_log_exec(log_stream_array, W_BIND_STDOUT | W_BIND_STDERR);
+
+    char * log_stream_str = w_strcat_list(log_stream_array, ' ');
+
+    if (lf->macos_log->processes.stream.wfd != NULL) {
+        if (lf->macos_log->state == LOG_NOT_RUNNING) {
+            lf->macos_log->state = LOG_RUNNING_STREAM;
+        }
+        minfo(LOGCOLLECTOR_MACOS_LOG_STREAM_INFO, log_stream_str);
+    } else {
+        merror(LOGCOLLECTOR_MACOS_LOG_STREAM_EXEC_ERROR, log_stream_str);
+    }
+
+    os_free(log_stream_str);
+    free_strarray(log_stream_array);
+}
+
+void w_macos_create_log_env(logreader * lf, w_sysinfo_helpers_t * global_sysinfo) {
+
+    lf->macos_log->state = LOG_NOT_RUNNING;
+
+    sysinfo = global_sysinfo;
+
+    macos_codename = w_get_os_codename(sysinfo);
+
+    if (w_macos_is_log_executable()) {
+
+        /* `log stream` command parameters are stored to keep track of the settings changes that may occur,
+            and to determine whether past events should be retrieved or not */
+        char ** current_settings_list = w_macos_create_log_stream_array(lf->query, lf->query_level, lf->query_type);
+        lf->macos_log->current_settings = w_strcat_list(current_settings_list, ' ');
+        free_strarray(current_settings_list);
+
+        if (macos_codename != NULL) {
+            mdebug1("macOS ULS: Creating environment for macOS %s.", macos_codename);
+        }
+
+        /* If only-future-events is disabled, so past events are retrieved, then `log show` is also executed */
+        if (!lf->future) {
+            char * previous_settings = w_macos_get_log_settings();
+
+            if (previous_settings != NULL) {
+                if (strcmp(lf->macos_log->current_settings, previous_settings) == 0) {
+                    w_macos_create_log_show_env(lf);
+                } else {
+                    mdebug1("macOS ULS: Current predicate differs from the stored one. Discarding old events.");
+                }
+                os_free(previous_settings);
+            }
+        }
+
+        w_macos_create_log_stream_env(lf);
+    }
+    os_free(lf->file);
+    lf->fp = NULL;
+}
+
+pid_t w_get_first_child(pid_t parent_pid) {
+
+    pid_t first_child = 0;
+    pid_t * childs = w_get_process_childs(sysinfo, parent_pid, 1);
+    if (childs != NULL && *childs != 0) {
+        first_child = *childs;
+    }
+    os_free(childs);
+
+    return first_child;
+}
+
+void w_macos_set_last_log_timestamp(char * timestamp) {
+
+    w_rwlock_wrlock(&macos_log_vault.mutex);
+    strncpy(macos_log_vault.timestamp, timestamp, OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN);
+    w_rwlock_unlock(&macos_log_vault.mutex);
+}
+
+char * w_macos_get_last_log_timestamp(void) {
+
+    char * short_timestamp = NULL;
+    w_rwlock_rdlock(&macos_log_vault.mutex);
+    w_strdup(macos_log_vault.timestamp, short_timestamp);
+    w_rwlock_unlock(&macos_log_vault.mutex);
+    return short_timestamp;
+}
+
+void w_macos_set_log_settings(char * settings) {
+
+    w_rwlock_wrlock(&macos_log_vault.mutex);
+    os_free(macos_log_vault.settings);
+    w_strdup(settings, macos_log_vault.settings);
+    w_rwlock_unlock(&macos_log_vault.mutex);
+}
+
+char * w_macos_get_log_settings(void) {
+
+    char * settings = NULL;
+    w_rwlock_rdlock(&macos_log_vault.mutex);
+    w_strdup(macos_log_vault.settings, settings);
+    w_rwlock_unlock(&macos_log_vault.mutex);
+    return settings;
+}
+
+
+bool w_macos_get_is_valid_data() {
+
+    w_rwlock_rdlock(&macos_log_vault.mutex);
+    bool retval = macos_log_vault.is_valid_data;
+    w_rwlock_unlock(&macos_log_vault.mutex);
+
+    return retval;
+}
+
+void w_macos_set_is_valid_data(bool is_valid) {
+
+    w_rwlock_wrlock(&macos_log_vault.mutex);
+    macos_log_vault.is_valid_data = is_valid;
+    w_rwlock_unlock(&macos_log_vault.mutex);
+}
+
+cJSON * w_macos_get_status_as_JSON(void) {
+
+    if (!w_macos_get_is_valid_data()) {
+        return NULL;
+    }
+
+    cJSON * macos_log = NULL;
+    char * timestamp = w_macos_get_last_log_timestamp();
+    char * settings = w_macos_get_log_settings();
+
+    if (w_strlen(timestamp) == OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN && settings != NULL) {
+        macos_log = cJSON_CreateObject();
+        cJSON_AddItemToObject(macos_log, OS_LOGCOLLECTOR_JSON_TIMESTAMP, cJSON_CreateString(timestamp));
+        cJSON_AddItemToObject(macos_log, OS_LOGCOLLECTOR_JSON_SETTINGS, cJSON_CreateString(settings));
+    }
+    os_free(settings);
+    os_free(timestamp);
+
+    return macos_log;
+}
+
+void w_macos_set_status_from_JSON(cJSON * global_json) {
+    cJSON * macos_log = cJSON_GetObjectItem(global_json, OS_LOGCOLLECTOR_JSON_MACOS);
+    char * timestamp = cJSON_GetStringValue(cJSON_GetObjectItem(macos_log, OS_LOGCOLLECTOR_JSON_TIMESTAMP));
+    char * settings = cJSON_GetStringValue(cJSON_GetObjectItem(macos_log, OS_LOGCOLLECTOR_JSON_SETTINGS));
+    if (w_strlen(timestamp) == OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN && settings != NULL) {
+        w_macos_set_last_log_timestamp(timestamp);
+        w_macos_set_log_settings(settings);
+        w_macos_set_is_valid_data(true);
+    }
+}
+
+#endif
diff --git a/src/modules/logcollector/src/main.c b/src/modules/logcollector/src/main.c
new file mode 100644
index 0000000000..0d657a22c8
--- /dev/null
+++ b/src/modules/logcollector/src/main.c
@@ -0,0 +1,198 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Logcollector daemon
+ * Monitor some files and forward the output to our analysis system
+ */
+
+#include "shared.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+
+#include "os_regex/os_regex.h"
+#include "logcollector.h"
+
+/* Prototypes */
+static void help_logcollector(char * home_path) __attribute__((noreturn));
+
+
+/* Print help statement */
+static void help_logcollector(char * home_path)
+{
+    print_header();
+    print_out("  %s: -[Vhdtf] [-c config]", ARGV0);
+    print_out("    -V          Version and license message");
+    print_out("    -h          This help message");
+    print_out("    -d          Execute in debug mode. This parameter");
+    print_out("                can be specified multiple times");
+    print_out("                to increase the debug level.");
+    print_out("    -t          Test configuration");
+    print_out("    -f          Run in foreground");
+    print_out("    -c <config> Configuration file to use (default: %s)", OSSECCONF);
+    print_out(" ");
+    os_free(home_path);
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    int c;
+    int debug_level = 0;
+    int test_config = 0, run_foreground = 0;
+
+    /* Set the name */
+    OS_SetName(ARGV0);
+
+    // Define current working directory
+    char * home_path = w_homedir(argv[0]);
+    if (chdir(home_path) == -1) {
+        merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
+    }
+
+    const char *cfg = OSSECCONF;
+    gid_t gid;
+    const char *group = GROUPGLOBAL;
+    lc_debug_level = getDefine_Int("logcollector", "debug", 0, 2);
+
+    /* Setup random */
+    srandom_init();
+
+    while ((c = getopt(argc, argv, "Vtdhfc:")) != -1) {
+        switch (c) {
+            case 'V':
+                print_version();
+                break;
+            case 'h':
+                help_logcollector(home_path);
+                break;
+            case 'd':
+                nowDebug();
+                debug_level = 1;
+                break;
+            case 'f':
+                run_foreground = 1;
+                break;
+            case 'c':
+                if (!optarg) {
+                    merror_exit("-c needs an argument");
+                }
+                cfg = optarg;
+                break;
+            case 't':
+                test_config = 1;
+                break;
+            default:
+                help_logcollector(home_path);
+                break;
+        }
+
+    }
+
+    /* Check if the group given is valid */
+    gid = Privsep_GetGroup(group);
+    if (gid == (gid_t) - 1) {
+        merror_exit(USER_ERROR, "", group, strerror(errno), errno);
+    }
+
+    /* Privilege separation */
+    if (Privsep_SetGroup(gid) < 0) {
+        merror_exit(SETGID_ERROR, group, errno, strerror(errno));
+    }
+
+    /* Check current debug_level
+     * Command line setting takes precedence
+     */
+    if (debug_level == 0) {
+        /* Get debug level */
+        debug_level = lc_debug_level;
+        while (debug_level != 0) {
+            nowDebug();
+            debug_level--;
+        }
+    }
+
+    mdebug1(WAZUH_HOMEDIR, home_path);
+    os_free(home_path);
+
+    /* Init message queue */
+    w_msg_hash_queues_init();
+
+    /* Read config file */
+    if (LogCollectorConfig(cfg) < 0) {
+        mlerror_exit(LOGLEVEL_ERROR, CONFIG_ERROR, cfg);
+    }
+
+    /* Exit if test config */
+    if (test_config) {
+        exit(0);
+    }
+
+    /* No file available to monitor -- continue */
+    if (logff == NULL) {
+        os_calloc(2, sizeof(logreader), logff);
+        logff[0].file = NULL;
+        logff[0].ffile = NULL;
+        logff[0].logformat = NULL;
+        logff[0].fp = NULL;
+        logff[1].file = NULL;
+        logff[1].logformat = NULL;
+
+        minfo(NO_FILE);
+    }
+
+    /* No sockets defined */
+    if (logsk == NULL) {
+        os_calloc(2, sizeof(socket_forwarder), logsk);
+        logsk[0].name = NULL;
+        logsk[0].location = NULL;
+        logsk[0].mode = 0;
+        logsk[0].prefix = NULL;
+        logsk[1].name = NULL;
+        logsk[1].location = NULL;
+        logsk[1].mode = 0;
+        logsk[1].prefix = NULL;
+    }
+
+    /* Start signal handler */
+    StartSIG(ARGV0);
+
+    // Set max open files limit
+    struct rlimit rlimit = { nofile, nofile };
+
+    if (setrlimit(RLIMIT_NOFILE, &rlimit) < 0) {
+        merror("Could not set resource limit for file descriptors to %d: %s (%d)", (int)nofile, strerror(errno), errno);
+    }
+
+    if (!run_foreground) {
+        /* Going on daemon mode */
+        nowDaemon();
+        goDaemon();
+    }
+
+    /* Create PID file */
+    if (CreatePID(ARGV0, getpid()) < 0) {
+        merror_exit(PID_ERROR);
+    }
+
+    /* Start the queue */
+    if ((logr_queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+        merror_exit(QUEUE_FATAL, DEFAULTQUEUE);
+    }
+
+    /* Main loop */
+    LogCollectorStart();
+
+    return (0);
+}
diff --git a/src/modules/logcollector/src/read_audit.c b/src/modules/logcollector/src/read_audit.c
new file mode 100644
index 0000000000..75d9c11a5a
--- /dev/null
+++ b/src/modules/logcollector/src/read_audit.c
@@ -0,0 +1,161 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+#define MAX_CACHE 16
+#define MAX_HEADER 64
+
+/* Compile message from cache and send through queue */
+static void audit_send_msg(char **cache, int top, int drop_it, logreader *lf) {
+    int i;
+    size_t n = 0;
+    size_t z;
+    char message[OS_MAX_LOG_SIZE] = {0};
+
+    for (i = 0; i < top; i++) {
+        z = strlen(cache[i]);
+
+        if (n + z + 1 < sizeof(message)) {
+            if (n > 0)
+                message[n++] = ' ';
+
+            strncat(message + n, cache[i], OS_MAX_LOG_SIZE - 1 - n);
+            n += z;
+        }
+
+        free(cache[i]);
+    }
+    message[n] = '\0';
+
+    /* Check ignore and restrict log regex, if configured. */
+    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, message)) {
+        /* Send message to queue */
+        w_msg_hash_queues_push(message, (char *)lf->file, strlen(message) + 1, lf->log_target, LOCALFILE_MQ);
+    }
+}
+
+void *read_audit(logreader *lf, int *rc, int drop_it) {
+    char *cache[MAX_CACHE];
+    char header[MAX_HEADER] = { '\0' };
+    int icache = 0;
+    char buffer[OS_MAX_LOG_SIZE];
+    char *id;
+    char *p;
+    size_t z;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    int lines = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    offset = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, offset);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgets(buffer, OS_MAX_LOG_SIZE, lf->fp) && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        lines++;
+
+        if (buffer[rbytes - 1] == '\n') {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, buffer);
+            }
+
+            buffer[rbytes - 1] = '\0';
+
+            if ((int64_t)strlen(buffer) != rbytes - 1)
+            {
+                mdebug2("Line in '%s' contains some zero-bytes (valid=" FTELL_TT " / total=" FTELL_TT "). Dropping line.", lf->file, FTELL_INT64 strlen(buffer), FTELL_INT64 rbytes - 1);
+                continue;
+            }
+        } else {
+            if (rbytes == OS_MAX_LOG_SIZE - 1) {
+                // Message too large, discard line
+                for (offset += rbytes; fgets(buffer, OS_MAX_LOG_SIZE, lf->fp); offset += rbytes) {
+                    rbytes = w_ftell(lf->fp) - offset;
+
+                    /* Flow control */
+                    if (rbytes <= 0) {
+                        break;
+                    }
+                    if (is_valid_context_file) {
+                        OS_SHA1_Stream(context, NULL, buffer);
+                    }
+
+                    if (buffer[rbytes - 1] == '\n') {
+                        break;
+                    }
+                }
+            } else if (feof(lf->fp)) {
+                mdebug2("Message not complete. Trying again: '%s'", buffer);
+
+                if (fseek(lf->fp, offset, SEEK_SET) < 0) {
+                   merror(FSEEK_ERROR, lf->file, errno, strerror(errno));
+                   break;
+               }
+            }
+
+            break;
+        }
+
+        // Extract header: "\.*type=\.* msg=audit(.*):"
+        //                                        --
+
+        if (strlen(buffer) == 0) {
+            mdebug2("audit reader: empty line, skipping.");
+            break;
+        }
+
+        if (!((id = strstr(buffer, "type=")) && (id = strstr(id + 5, " msg=audit(")) && (p = strstr(id += 11, "):")))) {
+            mwarn("Discarding audit message because of invalid syntax.");
+            break;
+        }
+
+        z = p - id;
+
+        if (strncmp(id, header, z)) {
+            // Current message belongs to another event: send cached messages
+            if (icache > 0)
+                audit_send_msg(cache, icache, drop_it, lf);
+
+            // Store current event
+            *cache = strdup(buffer);
+            icache = 1;
+            strncpy(header, id, z < MAX_HEADER ? z : MAX_HEADER - 1);
+        } else {
+            // The header is the same: store
+            if (icache == MAX_CACHE)
+                merror("Discarding audit message because cache is full.");
+            else
+                cache[icache++] = strdup(buffer);
+        }
+    }
+
+    if (icache > 0)
+        audit_send_msg(cache, icache, drop_it, lf);
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, offset, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return NULL;
+}
diff --git a/src/modules/logcollector/src/read_command.c b/src/modules/logcollector/src/read_command.c
new file mode 100644
index 0000000000..08da2ed1a4
--- /dev/null
+++ b/src/modules/logcollector/src/read_command.c
@@ -0,0 +1,80 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+
+
+/* Read Output of commands */
+void *read_command(logreader *lf, int *rc, int drop_it) {
+    size_t cmd_size = 0;
+    char *p;
+    char str[OS_MAXSTR + 1];
+    FILE *cmd_output;
+    int lines = 0;
+
+    str[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    mdebug2("Running command '%s'", lf->command);
+
+    cmd_output = popen(lf->command, "r");
+    if (!cmd_output) {
+        merror("Unable to execute command: '%s'.",
+               lf->command);
+
+        lf->command = NULL;
+        return (NULL);
+    }
+
+    snprintf(str, 256, "ossec: output: '%s': ",
+             (NULL != lf->alias)
+             ? lf->alias
+             : lf->command);
+    cmd_size = strlen(str);
+
+    while (can_read() && fgets(str + cmd_size, OS_MAXSTR - OS_LOG_HEADER - 256, cmd_output) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Remove empty lines */
+#ifdef WIN32
+        if (str[0] == '\r' && str[1] == '\0') {
+            continue;
+        }
+#endif
+        if (str[0] == '\0') {
+            continue;
+        }
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+            continue;
+        }
+
+        mdebug2("Reading command message: '%s'", str);
+
+        /* Send message to queue */
+        if (drop_it == 0) {
+            w_msg_hash_queues_push(str, lf->alias ? lf->alias : lf->command, strlen(str) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+
+        continue;
+    }
+
+    pclose(cmd_output);
+
+    mdebug2("Read %d lines from command '%s'", lines, lf->command);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_djb_multilog.c b/src/modules/logcollector/src/read_djb_multilog.c
new file mode 100644
index 0000000000..a411537cc4
--- /dev/null
+++ b/src/modules/logcollector/src/read_djb_multilog.c
@@ -0,0 +1,203 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Read DJB multilog */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* To translate between month (int) to month (char) */
+static const char *(djb_month[]) = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+                                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+                                   };
+static char djb_host[512 + 1];
+
+
+/* Initialize multilog */
+int init_djbmultilog(logreader *lf) {
+    char *djbp_name = NULL;
+    char *tmp_str = NULL;
+
+    lf->djb_program_name = NULL;
+
+    /* Initialize hostname */
+    memset(djb_host, '\0', 512 + 1);
+
+#ifndef WIN32
+    if (gethostname(djb_host, 512 - 1) != 0) {
+        strncpy(djb_host, "unknown", 512 - 1);
+    } else {
+        char *_ltmp;
+
+        /* Remove domain part if available */
+        _ltmp = strchr(djb_host, '.');
+        if (_ltmp) {
+            *_ltmp = '\0';
+        }
+    }
+#else
+    strncpy(djb_host, "win32", 512 - 1);
+#endif
+
+    /* Multilog must be in the following format: /path/program_name/current */
+    tmp_str = strrchr(lf->file, '/');
+    if (!tmp_str) {
+        return (0);
+    }
+
+    /* Must end with /current and must not be in the beginning of the string */
+    if ((strcmp(tmp_str, "/current") != 0) || (tmp_str == lf->file)) {
+        return (0);
+    }
+
+    tmp_str[0] = '\0';
+
+    /* Get final name */
+    djbp_name = strrchr(lf->file, '/');
+    if (djbp_name == lf->file) {
+        tmp_str[0] = '/';
+        return (0);
+    }
+
+    os_strdup(djbp_name + 1, lf->djb_program_name);
+    tmp_str[0] = '/';
+
+    minfo("Using program name '%s' for DJB multilog file: '%s'.",
+            lf->djb_program_name, lf->file);
+
+    return (1);
+}
+
+void *read_djbmultilog(logreader *lf, int *rc, int drop_it) {
+    size_t str_len = 0;
+    int need_clear = 0;
+    char *p;
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char buffer[OS_MAX_LOG_SIZE] = {0};
+    int lines = 0;
+    *rc = 0;
+
+    /* Must have a valid program name */
+    if (!lf->djb_program_name) {
+        return (NULL);
+    }
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    /* Get new entry */
+    while (can_read() && fgets(str, OS_MAX_LOG_SIZE, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        lines++;
+        /* Get buffer size */
+        str_len = strlen(str);
+
+        /* Getting the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+
+            /* If need_clear is set, we just get the line and ignore it */
+            if (need_clear) {
+                need_clear = 0;
+                continue;
+            }
+        } else {
+            need_clear = 1;
+        }
+
+        /* Multilog messages have the following format:
+         * @40000000463246020c2ca16c xx...
+         */
+        if ((str_len > 26) &&
+                (str[0] == '@') &&
+                isalnum((int)str[1]) &&
+                isalnum((int)str[2]) &&
+                isalnum((int)str[3]) &&
+                isalnum((int)str[24]) &&
+                (str[25] == ' ')) {
+            /* Remove spaces and tabs */
+            p = str + 26;
+            while (*p == ' ' || *p == '\t') {
+                p++;
+            }
+
+            /* If message has a valid syslog header, send as is */
+            if ((str_len > 44) &&
+                    (p[3] == ' ') &&
+                    (p[6] == ' ') &&
+                    (p[9] == ':') &&
+                    (p[12] == ':') &&
+                    (p[15] == ' ')) {
+                p += 16;
+                snprintf(buffer, sizeof(buffer), "%s", p);
+            } else {
+                /* We will add a proper syslog header */
+                time_t djbtime;
+                struct tm tm_result = { .tm_sec = 0 };
+
+                djbtime = time(NULL);
+                localtime_r(&djbtime, &tm_result);
+
+                /* Syslog time: Apr 27 14:50:32  */
+                const int size = snprintf(buffer, sizeof(buffer), "%s %02d %02d:%02d:%02d %s %s: %s",
+                         djb_month[tm_result.tm_mon],
+                         tm_result.tm_mday,
+                         tm_result.tm_hour,
+                         tm_result.tm_min,
+                         tm_result.tm_sec,
+                         djb_host,
+                         lf->djb_program_name,
+                         p);
+
+                if (size < 0) {
+                    merror("Error %d (%s) while reading message: '%s' (length = " FTELL_TT "): '%s'...", errno, strerror(errno), lf->file, FTELL_INT64 size, buffer);
+                } else if ((size_t)size >= sizeof(buffer)) {
+                    merror("Message size too big on file '%s' (length = " FTELL_TT "): '%s'...", lf->file, FTELL_INT64 size, buffer);
+                }
+            }
+        }
+
+        else {
+            mdebug2("Invalid DJB log: '%s'", str);
+            continue;
+        }
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+            continue;
+        }
+
+        mdebug2("Reading DJB multilog message: '%s'", buffer);
+
+        /* Send message to queue */
+        if (drop_it == 0) {
+            w_msg_hash_queues_push(buffer, lf->file, strlen(buffer) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+    }
+
+    current_position = w_ftell(lf->fp);
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_fullcommand.c b/src/modules/logcollector/src/read_fullcommand.c
new file mode 100644
index 0000000000..f083a1f1e6
--- /dev/null
+++ b/src/modules/logcollector/src/read_fullcommand.c
@@ -0,0 +1,84 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2010 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+
+
+/* Read Output of commands */
+void *read_fullcommand(logreader *lf, int *rc, int drop_it) {
+   size_t n = 0;
+    size_t cmd_size = 0;
+    char *p;
+    char str[OS_MAXSTR + 1];
+    char strfinal[OS_MAXSTR + 1];
+    FILE *cmd_output;
+
+    str[OS_MAXSTR] = '\0';
+    strfinal[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    mdebug2("Running full command '%s'", lf->command);
+
+    cmd_output = popen(lf->command, "r");
+    if (!cmd_output) {
+        merror("Unable to execute command: '%s'.",
+               lf->command);
+
+        lf->command = NULL;
+        return (NULL);
+    }
+
+    snprintf(str, 256, "ossec: output: '%s':\n",
+             (NULL != lf->alias)
+             ? lf->alias
+             : lf->command);
+    cmd_size = strlen(str);
+
+    n = fread(str + cmd_size, 1, OS_MAXSTR - OS_LOG_HEADER - 256, cmd_output);
+    if (n > 0) {
+        str[cmd_size + n] = '\0';
+
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+        }
+
+        mdebug2("Reading command message: '%s'", str);
+
+        /* Remove empty lines */
+        n = 0;
+        p = str;
+        while (*p != '\0') {
+            if (p[0] == '\r') {
+                p++;
+                continue;
+            }
+
+            if (p[0] == '\n' && p[1] == '\n') {
+                p++;
+            }
+            strfinal[n] = *p;
+            n++;
+            p++;
+        }
+        strfinal[n] = '\0';
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, strfinal)) {
+            /* Send message to queue */
+            w_msg_hash_queues_push(strfinal, lf->alias ? lf->alias : lf->command, strlen(strfinal) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+    }
+
+    pclose(cmd_output);
+
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_journald.c b/src/modules/logcollector/src/read_journald.c
new file mode 100644
index 0000000000..34f1d8cec6
--- /dev/null
+++ b/src/modules/logcollector/src/read_journald.c
@@ -0,0 +1,238 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifdef __linux__
+
+#include "shared.h"
+#include "logcollector.h"
+#include "journal_log.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove STATIC qualifier from tests
+#define STATIC
+#define INLINE
+// Ajust the buffer size for testing
+#undef OS_MAXSTR
+#define OS_MAXSTR 16
+#undef OS_LOG_HEADER
+#define OS_LOG_HEADER 0
+#else
+#define STATIC static
+#define INLINE inline
+#endif
+
+/* Constants */
+#define OFE_TIMESTAMP "timestamp"
+
+/**
+ * @brief Configuration and status of the journal log
+ * @note not thread safe, only accessible from Inputs threads
+ */
+typedef struct {
+    unsigned long owner_id;            ///< Owner ID of the journal log
+    bool is_disabled;                  ///< Flag to disable the journal log, error on initialization
+    w_journal_context_t * journal_ctx; ///< Journal log context
+} w_journald_global_t;                 ///< Current configuration and status of the journal log
+
+STATIC w_journald_global_t gs_journald_global = {
+    .owner_id = 0,
+    .is_disabled = false,
+    .journal_ctx = NULL,
+}; ///< Current configuration and status of the journal log
+
+/**
+ * @brief Only future events configuration and status
+ * @note Only accessible from Input Owner Thread and Deamon Thread (main thread)
+ */
+typedef struct {
+    bool exist_journal;           ///< Flag to indicate if the journal log exists
+    bool only_future_events;      ///< Flag to indicate if only future events are read
+    uint64_t last_read_timestamp; ///< Last read timestamp from the journal log
+    pthread_mutex_t mutex;        ///< Mutex to protect the timestamp, only resource shared with the Input Owner Thread
+} w_journald_ofe_t;
+
+STATIC w_journald_ofe_t gs_journald_ofe = {
+    .exist_journal = false,
+    .only_future_events = true,
+    .last_read_timestamp = 0,
+    .mutex = PTHREAD_MUTEX_INITIALIZER,
+}; ///< Only future events configuration and status
+
+#ifdef WAZUH_UNIT_TESTING
+void set_gs_journald_ofe(bool exist, bool ofe, uint64_t timestamp) {
+    gs_journald_ofe.exist_journal = exist;
+    gs_journald_ofe.only_future_events = ofe;
+    gs_journald_ofe.last_read_timestamp = timestamp;
+}
+
+void set_gs_journald_global(unsigned long owner_id, bool is_disabled, void * journal_ctx) {
+    gs_journald_global.owner_id = owner_id;
+    gs_journald_global.is_disabled = is_disabled;
+    gs_journald_global.journal_ctx = journal_ctx;
+}
+
+bool journald_isDisabled() {
+    return gs_journald_global.is_disabled;
+}
+#endif
+
+
+bool w_journald_can_read(unsigned long owner_id) {
+
+    if (gs_journald_global.is_disabled) {
+        return false;
+    }
+
+    if (gs_journald_global.owner_id == 0) {
+
+        gs_journald_global.owner_id = owner_id;
+ 
+        if (gs_journald_global.journal_ctx == NULL && w_journal_context_create(&gs_journald_global.journal_ctx) != 0) {
+            merror(LOGCOLLECTOR_JOURNAL_LOG_DISABLING);
+            gs_journald_global.is_disabled = true;
+            return false;
+        }
+
+        // Set the pointer to the journal log
+        w_mutex_lock(&gs_journald_ofe.mutex);
+        uint64_t lr_ts = gs_journald_ofe.last_read_timestamp;
+        w_mutex_unlock(&gs_journald_ofe.mutex);
+
+        int ret = gs_journald_ofe.only_future_events
+                      ? w_journal_context_seek_most_recent(gs_journald_global.journal_ctx)
+                      : w_journal_context_seek_timestamp(gs_journald_global.journal_ctx, lr_ts);
+
+        if (ret < 0) {
+            merror(LOGCOLLECTOR_JOURNAL_LOG_FAIL_SEEK, strerror(-ret));
+            gs_journald_global.is_disabled = true;
+            return false;
+        }
+
+        minfo(LOGCOLLECTOR_JOURNALD_MONITORING);
+
+    } else if (gs_journald_global.owner_id != owner_id) {
+        return false;
+    }
+
+    return true;
+}
+
+void * read_journald(logreader * lf, int * rc, __attribute__((unused)) int drop_it) {
+    const unsigned long MAX_LINE_LEN = OS_MAXSTR - OS_LOG_HEADER;
+    char read_buffer[OS_MAXSTR + 1];
+    read_buffer[OS_MAXSTR] = '\0';
+    int count_logs = 0;
+    *rc = 0;
+    w_journal_filters_list_t filters = lf->journal_log->disable_filters ? NULL : lf->journal_log->filters;
+
+    while ((maximum_lines == 0 || count_logs < maximum_lines) && can_read()) {
+        // Get the next entry
+        int result_get_next = w_journal_context_next_newest_filtered(gs_journald_global.journal_ctx, filters);
+        if (result_get_next < 0) {
+            merror(LOGCOLLECTOR_JOURNAL_LOG_FAIL_NEXT, strerror(-result_get_next));
+            gs_journald_global.is_disabled = true;
+            break;
+        } else if (result_get_next == 0) {
+            mdebug2(LOGCOLLECTOR_JOURNAL_LOG_NO_NEW);
+            break;
+        }
+
+        // Get the message
+        w_journal_entry_t * entry =
+            w_journal_entry_dump(gs_journald_global.journal_ctx, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+        char * entry_str = w_journal_entry_to_string(entry);
+        w_journal_entry_free(entry);
+
+        if (entry_str == NULL) {
+            merror(LOGCOLLECTOR_JOURNAL_LOG_FAIL_GET);
+            break;
+        }
+
+        // Copy the message to the buffer
+        unsigned long entry_str_len = strlen(entry_str);
+        if (entry_str_len > MAX_LINE_LEN) {
+            mdebug1(LOGCOLLECTOR_JOURNAL_LOG_TRUNCATED);
+            entry_str_len = MAX_LINE_LEN;
+        }
+        strncpy(read_buffer, entry_str, entry_str_len);
+        read_buffer[entry_str_len] = '\0';
+        os_free(entry_str);
+
+        if (isDebug()) {
+            mdebug2(LOGCOLLECTOR_JOURNAL_LOG_READING, read_buffer);
+        }
+
+        // Send the message to the manager
+        w_msg_hash_queues_push(read_buffer, JOURNALD_LOG, entry_str_len + 1, lf->log_target, LOCALFILE_MQ);
+        count_logs++;
+    }
+
+    // Update timestamp
+    w_mutex_lock(&gs_journald_ofe.mutex);
+    gs_journald_ofe.last_read_timestamp = gs_journald_global.journal_ctx->timestamp;
+    w_mutex_unlock(&gs_journald_ofe.mutex);
+
+    return NULL;
+}
+
+/** ONLY FUTURE EVENTS configuration */
+
+void w_journald_set_ofe(bool ofe) {
+    gs_journald_ofe.only_future_events = ofe;
+    gs_journald_ofe.exist_journal = true;
+}
+
+cJSON * w_journald_get_status_as_JSON() {
+
+    // Maybe journal log is not initialized yet
+    if (!gs_journald_ofe.exist_journal) {
+        return NULL;
+    }
+
+    w_mutex_lock(&gs_journald_ofe.mutex);
+    uint64_t timestamp = gs_journald_ofe.last_read_timestamp;
+    w_mutex_unlock(&gs_journald_ofe.mutex);
+
+    // Convert the timestamp uint64_t to a string
+    char timestamp_str[OS_SIZE_256] = {0};
+    snprintf(timestamp_str, OS_SIZE_256 - 1, "%" PRIu64, timestamp);
+    cJSON * journald_log = cJSON_CreateObject();
+    cJSON_AddStringToObject(journald_log, OFE_TIMESTAMP, timestamp_str);
+
+    return journald_log;
+}
+
+void w_journald_set_status_from_JSON(cJSON * global_json) {
+
+    if (global_json == NULL) {
+        return;
+    }
+
+    cJSON * jurnald_log = cJSON_GetObjectItem(global_json, JOURNALD_LOG);
+    char * timestamp = cJSON_GetStringValue(cJSON_GetObjectItem(jurnald_log, OFE_TIMESTAMP));
+
+    if (timestamp == NULL) {
+        return;
+    }
+
+    // Convert the timestamp to a uint64_t
+    uint64_t timestamp_uint = strtoull(timestamp, NULL, 10);
+    if (timestamp_uint == 0 || timestamp_uint == ULLONG_MAX) {
+        return;
+    }
+
+    // Set the timestamp
+    w_mutex_lock(&gs_journald_ofe.mutex);
+    gs_journald_ofe.last_read_timestamp = timestamp_uint;
+    w_mutex_unlock(&gs_journald_ofe.mutex);
+
+    mdebug2(LOGCOLLECTOR_JOURNAL_LOG_SET_LAST, timestamp_uint);
+}
+
+#endif
diff --git a/src/modules/logcollector/src/read_json.c b/src/modules/logcollector/src/read_json.c
new file mode 100644
index 0000000000..b39c7186ff
--- /dev/null
+++ b/src/modules/logcollector/src/read_json.c
@@ -0,0 +1,168 @@
+/* Copyright (C) 2015 Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the json */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Read json files */
+void *read_json(logreader *lf, int *rc, int drop_it) {
+    int __ms = 0;
+    int __ms_reported = 0;
+    int i;
+    char *jsonParsed;
+    char str[OS_MAXSTR + 1];
+    int lines = 0;
+    cJSON * obj;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    str[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgets(str, OS_MAXSTR - OS_LOG_HEADER, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+        lines++;
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        /* Get the last occurrence of \n */
+        if (str[rbytes - 1] == '\n') {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+
+            str[rbytes - 1] = '\0';
+
+            if ((int64_t)strlen(str) != rbytes - 1)
+            {
+                mdebug2("Line in '%s' contains some zero-bytes (valid=" FTELL_TT " / total=" FTELL_TT "). Dropping line.", lf->file, FTELL_INT64 strlen(str), FTELL_INT64 rbytes - 1);
+                continue;
+            }
+        }
+
+        /* If we didn't get the new line, because the
+         * size is large, send what we got so far.
+         */
+        else if (rbytes == OS_MAXSTR - OS_LOG_HEADER - 1) {
+            /* Message size > maximum allowed */
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            __ms = 1;
+        } else if (feof(lf->fp)) {
+            /* Message not complete. Return. */
+            mdebug2("Message not complete from '%s'. Trying again: '%.*s'%s", lf->file, sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+            if(current_position >= 0) {
+                w_fseek(lf->fp, current_position, SEEK_SET);
+            }
+            break;
+        }
+
+#ifdef WIN32
+        char * p;
+
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on Windows) */
+        if (rbytes <= 2) {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+        /* Windows can have comment on their logs */
+
+        if (str[0] == '#') {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+#endif
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+            continue;
+        }
+
+        const char *jsonErrPtr;
+        if (obj = cJSON_ParseWithOpts(str, &jsonErrPtr, 0), obj && cJSON_IsObject(obj)) {
+          for (i = 0; lf->labels && lf->labels[i].key; i++) {
+              W_JSON_AddField(obj, lf->labels[i].key, lf->labels[i].value);
+          }
+
+          jsonParsed = cJSON_PrintUnformatted(obj);
+          cJSON_Delete(obj);
+        } else {
+          cJSON_Delete(obj);
+          mdebug1("Line '%.*s'%s read from '%s' is not a JSON object.", sample_log_length, str, rbytes > sample_log_length ? "..." : "", lf->file);
+          continue;
+        }
+
+        mdebug2("Reading json message: '%.*s'%s", sample_log_length, jsonParsed, strlen(jsonParsed) > (size_t)sample_log_length ? "..." : "");
+
+        /* Send message to queue */
+        if (drop_it == 0) {
+            w_msg_hash_queues_push(jsonParsed, lf->file, strlen(jsonParsed) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+        free(jsonParsed);
+        /* Incorrect message size */
+        if (__ms) {
+            // strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)
+            // truncate str before logging to ossec.log
+
+            if (!__ms_reported) {
+                merror("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+                __ms_reported = 1;
+            } else {
+                mdebug2("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+            }
+
+            for (offset += rbytes; fgets(str, OS_MAXSTR - 2, lf->fp) != NULL; offset += rbytes) {
+                rbytes = w_ftell(lf->fp) - offset;
+
+                /* Flow control */
+                if (rbytes <= 0) {
+                    break;
+                }
+
+                if (is_valid_context_file) {
+                    OS_SHA1_Stream(context, NULL, str);
+                }
+
+                /* Get the last occurrence of \n */
+                if (str[rbytes - 1] == '\n') {
+                    break;
+                }
+            }
+            __ms = 0;
+        }
+
+        current_position = w_ftell(lf->fp);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_macos.c b/src/modules/logcollector/src/read_macos.c
new file mode 100644
index 0000000000..f5198a0a30
--- /dev/null
+++ b/src/modules/logcollector/src/read_macos.c
@@ -0,0 +1,452 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#if defined(Darwin) || (defined(__linux__) && defined(WAZUH_UNIT_TESTING))
+
+#include "shared.h"
+#include "logcollector.h"
+#include "macos_log.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove STATIC qualifier from tests
+#define STATIC
+#define INLINE
+#else
+#define STATIC static
+#define INLINE inline
+#endif
+
+#define LOG_ERROR_STR    "log:"
+#define LOG_ERROR_LENGHT 4
+
+/**
+ * @brief Gets a log from macOS log's output
+ *
+ * @param [out] buffer Contains the read log
+ * @param length Buffer's max length
+ * @param stream File pointer to log stream's output pipe
+ * @param macos_log_cfg macOS log configuration structure
+ * @return  true if a new log was collected,
+ *          false otherwise
+ */
+STATIC bool w_macos_log_getlog(char * buffer, int length, FILE * stream, w_macos_log_config_t * macos_log_cfg);
+
+/**
+ * @brief Restores the context from backup
+ *
+ * @warning Notice that `buffer` must be previously allocated, the function does
+ * not verify nor allocate or release the buffer memory
+ * @param buffer Destination buffer
+ * @param ctxt Backup context
+ * @return true if the context was restored, otherwise returns false
+ */
+STATIC bool w_macos_log_ctxt_restore(char * buffer, w_macos_log_ctxt_t * ctxt);
+
+/**
+ * @brief Generates a backup of the reading context
+ *
+ * @param buffer Context to backup
+ * @param ctxt Context's backup destination
+ */
+STATIC INLINE void w_macos_log_ctxt_backup(char * buffer, w_macos_log_ctxt_t * ctxt);
+
+/**
+ * @brief Cleans the backup context
+ *
+ * @warning Notice that this function does not release the context memory
+ * @param ctxt context backup to clean
+ */
+STATIC INLINE void w_macos_log_ctxt_clean(w_macos_log_ctxt_t * ctxt);
+
+/**
+ * @brief Checks if a backup context has expired
+ *
+ * @todo  Remove timeout and use a define
+ * @param timeout A timeout that a context without updating is valid
+ * @param ctxt Context to check
+ * @return true if the context has expired, otherwise returns false
+ */
+STATIC bool w_macos_is_log_ctxt_expired(time_t timeout, w_macos_log_ctxt_t * ctxt);
+
+/**
+ * @brief Gets the pointer to the beginning of the last line contained in the string
+ *
+ * @warning If `str` has one line, returns NULL
+ * @warning If `str` ends with a `\n`, this newline character is ignored
+ * @param str String to be analyzed
+ * @return Pointer to the beginning of the last line, NULL otherwise
+ */
+STATIC char * w_macos_log_get_last_valid_line(char * str);
+
+/**
+ * @brief Checks whether the `log stream` cli command returns a header or a log.
+ *
+ * Detects predicate errors and discards filtering headers and columun descriptions.
+ * @param macos_log_cfg macOS log configuration structure
+ * @param buffer line to check
+ * @return Returns false if the read line is a log, otherwise returns true
+ */
+STATIC bool w_macos_is_log_header(w_macos_log_config_t * macos_log_cfg, char * buffer);
+
+/**
+ * @brief Trim milliseconds from a macOS ULS full timestamp
+ *
+ * @param full_timestamp Timestamp to trim
+ * @warning @full_timestamp must be an array with \ref OS_LOGCOLLECTOR_TIMESTAMP_FULL_LEN +1 length
+ * @warning @full_timestamp must be in format i.e 2020-11-09 05:45:08.000000-0800
+ * @warning return value will be in short format timestamp i.e 2020-11-09 05:45:08-0800
+ * @return Allocated short timestamp. NULL on error
+ */
+STATIC char * w_macos_trim_full_timestamp(const char * full_timestamp);
+
+void * read_macos(logreader * lf, int * rc, __attribute__((unused)) int drop_it) {
+
+    char full_timestamp[OS_LOGCOLLECTOR_TIMESTAMP_FULL_LEN + 1] = {'\0'};
+    const int MAX_LINE_LEN = OS_MAXSTR - OS_LOG_HEADER;
+    char read_buffer[OS_MAXSTR + 1];
+    char * short_timestamp = NULL;
+    unsigned long size = 0;
+    int count_logs = 0;
+
+    wfd_t * log_mode_wfd = (lf->macos_log->state == LOG_RUNNING_SHOW) ?
+                            lf->macos_log->processes.show.wfd : lf->macos_log->processes.stream.wfd;
+
+    if (can_read() == 0) {
+        return NULL;
+    }
+
+    read_buffer[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    while ((maximum_lines == 0 || count_logs < maximum_lines)
+            && w_macos_log_getlog(read_buffer, MAX_LINE_LEN, log_mode_wfd->file_out, lf->macos_log)) {
+
+        size = strlen(read_buffer);
+        if (size > 0) {
+            /* Check ignore and restrict log regex, if configured. */
+            if (check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, read_buffer)) {
+                continue;
+            }
+
+            w_msg_hash_queues_push(read_buffer, MACOS_LOG_NAME, size + 1, lf->log_target, LOCALFILE_MQ);
+            memcpy(full_timestamp, read_buffer, OS_LOGCOLLECTOR_TIMESTAMP_FULL_LEN);
+        } else {
+            mdebug2("macOS ULS: Discarding empty message.");
+        }
+
+        count_logs++;
+    }
+
+    short_timestamp = w_macos_trim_full_timestamp(full_timestamp);
+    if (short_timestamp != NULL) {
+        w_macos_set_last_log_timestamp(short_timestamp);
+        if (!lf->macos_log->store_current_settings) {
+            w_macos_set_log_settings(lf->macos_log->current_settings);
+            lf->macos_log->store_current_settings = true;
+        }
+        os_free(short_timestamp);
+    }
+
+    /* This "if" is true when the amount of readed logs is less than the maximum allowed */
+    if (count_logs < maximum_lines) {
+        int status = 0;
+        int retval = 0;
+
+        /* Checks if the macOS' log process is still alive or exited */
+        retval = waitpid(log_mode_wfd->pid, &status, WNOHANG);      // Tries to get the child' "soul"
+        if (retval == log_mode_wfd->pid) {                          // This is true in the case that the child exited
+            if (lf->macos_log->state == LOG_RUNNING_SHOW) {
+                if (status == 0) {
+                    // Normal process' end of execution
+                    minfo(MACOS_LOG_SHOW_CHILD_EXITED, log_mode_wfd->pid, status);
+                } else {
+                    // Abnormal process' end of execution
+                    merror(MACOS_LOG_SHOW_CHILD_EXITED, log_mode_wfd->pid, status);
+                }
+                w_macos_release_log_show();
+                if (lf->macos_log->processes.stream.wfd != NULL) {
+                    /* This variable is reseted as, by changing the log mode, stream header must be processed as well */
+                    /* In case a multi-line context is still stored, it is forced to send it */
+                    lf->macos_log->is_header_processed = false;
+                    lf->macos_log->ctxt.force_send = (lf->macos_log->ctxt.buffer[0] != '\0');
+                    lf->macos_log->state = LOG_RUNNING_STREAM;
+                } else {
+                    lf->macos_log->state = LOG_NOT_RUNNING;
+                }
+            } else {    // LOG_RUNNING_STREAM
+                merror(MACOS_LOG_STREAM_CHILD_EXITED, log_mode_wfd->pid, status);
+                w_macos_release_log_stream();
+                lf->macos_log->state = LOG_NOT_RUNNING;
+            }
+        } else if (retval != 0) {
+            merror(WAITPID_ERROR, errno, strerror(errno));
+        }
+    }
+
+    return NULL;
+}
+
+STATIC bool w_macos_log_getlog(char * buffer, int length, FILE * stream, w_macos_log_config_t * macos_log_cfg) {
+
+    bool retval = false; // This variable will be set to true if there is a buffered log
+
+    int offset = 0;          // Amount of chars in the buffer
+    char * str = buffer;     // Auxiliar buffer pointer, it points where the new data will be stored
+    int chunk_sz = 0;        // Size of the last read data
+    char * last_line = NULL; // Pointer to the last line stored in the buffer
+    bool is_buffer_full;     // Will be set to true if the buffer is full (forces data to be sent)
+    bool is_endline;         // Will be set to true if the last read line ends with an '\n' character
+    bool do_split;           // Indicates whether the buffer will be splited (two chunks at most)
+
+    *str = '\0';
+
+    /* Checks if a context recover is needed for incomplete logs */
+    if (w_macos_log_ctxt_restore(str, &macos_log_cfg->ctxt)) {
+        offset = strlen(str);
+
+        /* If the context is expired then frees it and returns the log */
+        if (w_macos_is_log_ctxt_expired((time_t) MACOS_LOG_TIMEOUT, &macos_log_cfg->ctxt)
+           || (macos_log_cfg->ctxt.force_send)) {
+            w_macos_log_ctxt_clean(&macos_log_cfg->ctxt);
+            /* delete last end-of-line character */
+            if (buffer[offset - 1] == '\n') {
+                buffer[offset - 1] = '\0';
+            }
+            /* Force sending the last log of `log show` */
+            retval = (macos_log_cfg->is_header_processed || macos_log_cfg->ctxt.force_send);
+            macos_log_cfg->ctxt.force_send = false;
+
+            return retval;
+        }
+
+        str += offset;
+    }
+
+    /* Gets streamed data, the minimum chunk size of a log is one line */
+    while (can_read() && (fgets(str, length - offset, stream) != NULL)) {
+
+        chunk_sz = strlen(str);
+        offset += chunk_sz;
+        str += chunk_sz;
+        last_line = NULL;
+        is_buffer_full = false;
+        is_endline = (*(str - 1) == '\n');
+        do_split = false;
+
+        /* Deletes CR from macOS Sierra */
+        if (is_endline && offset >= 2 && *(str - 2) == '\r') {
+            str--;
+            offset--;
+            *str = '\0';
+            *(str - 1) = '\n';
+        }
+
+        /* Avoid fgets infinite loop behavior when size parameter is 1
+         * If we didn't get the new line, because the size is large, send what we got so far.
+         */
+        if (offset + 1 == length) {
+            // Cleans the context and forces to send a log
+            w_macos_log_ctxt_clean(&macos_log_cfg->ctxt);
+            is_buffer_full = true;
+        } else if (!is_endline) {
+            mdebug2("macOS ULS: Incomplete message.");
+            // Saves the context
+            w_macos_log_ctxt_backup(buffer, &macos_log_cfg->ctxt);
+            continue;
+        }
+
+        /* Checks if the first line is the header or an error in the predicate. */
+        if (!macos_log_cfg->is_header_processed) {
+            /* Get child PID in case of macOS Sierra */
+            if (w_is_macos_sierra()) {
+                if (macos_log_cfg->processes.show.wfd != NULL && macos_log_cfg->processes.show.child == 0) {
+                    macos_log_cfg->processes.show.child =
+                        w_get_first_child(macos_log_cfg->processes.show.wfd->pid);
+                }
+                if (macos_log_cfg->processes.stream.wfd != NULL && macos_log_cfg->processes.stream.child == 0) {
+                    macos_log_cfg->processes.stream.child =
+                        w_get_first_child(macos_log_cfg->processes.stream.wfd->pid);
+                }
+            }
+            /* Processes and discards lines up to the first log */
+            if (w_macos_is_log_header(macos_log_cfg, buffer)) {
+                // Forces to continue reading
+                w_macos_log_ctxt_clean(&macos_log_cfg->ctxt);
+                retval = true;
+                *buffer = '\0';
+                break;
+            }
+        }
+
+        /* If this point has been reached, there is something to process in the buffer. */
+
+        last_line = w_macos_log_get_last_valid_line(buffer);
+
+        if (isDebug() == 2) {
+            char * d_str_msg = (last_line == NULL) ?  buffer : (last_line +1);
+            bool is_chunck_message = (int) w_strlen(d_str_msg) - 1 > sample_log_length;
+            int  d_str_lenght = is_chunck_message ? sample_log_length : (int) w_strlen(d_str_msg) - 1;
+
+            mdebug2("Reading macOS message: '%.*s'%s", d_str_lenght, d_str_msg, is_chunck_message  ? "..." : "");
+
+        }
+
+        /* If there are 2 logs, they should be splited before sending them */
+        if (is_endline && last_line != NULL) {
+            do_split = w_expression_match(macos_log_cfg->log_start_regex, last_line + 1, NULL, NULL);
+        }
+
+        if (!do_split && is_buffer_full) {
+            /* If the buffer is full but the message is larger than the buffer size,
+             * then the rest of the message is discarded up to the '\n' character.
+             */
+            if (!is_endline) {
+                if (last_line == NULL) {
+                    int c;
+                    // Discards the rest of the log, up to the end of line
+                    do {
+                        c = fgetc(stream);
+                    } while (c != '\n' && c != '\0' && c != EOF);
+                    mdebug2("macOS ULS: Maximum message length reached. The remainder was discarded.");
+                } else {
+                    do_split = true;
+                    mdebug2("macOS ULS: Maximum message length reached. The remainder will be send separately.");
+                }
+            }
+        }
+
+        /* splits the logs */
+        /* If a new log is received, we store it in the context and send the previous one. */
+        if (do_split) {
+            w_macos_log_ctxt_clean(&macos_log_cfg->ctxt);
+            *last_line = '\0';
+            strncpy(macos_log_cfg->ctxt.buffer, last_line + 1, offset - (last_line - buffer) + 1);
+            macos_log_cfg->ctxt.timestamp = time(NULL);
+        } else if (!is_buffer_full) {
+            w_macos_log_ctxt_backup(buffer, &macos_log_cfg->ctxt);
+        }
+
+        if (do_split || is_buffer_full) {
+            retval = true;
+            /* deletes last end-of-line character  */
+            if (buffer[offset - 1] == '\n') {
+                buffer[offset - 1] = '\0';
+            }
+            break;
+        }
+    }
+
+    return retval;
+}
+
+STATIC bool w_macos_log_ctxt_restore(char * buffer, w_macos_log_ctxt_t * ctxt) {
+
+    if (ctxt->buffer[0] == '\0') {
+        return false;
+    }
+
+    strcpy(buffer, ctxt->buffer);
+    return true;
+}
+
+STATIC bool w_macos_is_log_ctxt_expired(time_t timeout, w_macos_log_ctxt_t * ctxt) {
+
+    if (time(NULL) - ctxt->timestamp > timeout) {
+        return true;
+    }
+
+    return false;
+}
+
+STATIC INLINE void w_macos_log_ctxt_clean(w_macos_log_ctxt_t * ctxt) {
+
+    ctxt->buffer[0] = '\0';
+    ctxt->timestamp = 0;
+}
+
+STATIC INLINE void w_macos_log_ctxt_backup(char * buffer, w_macos_log_ctxt_t * ctxt) {
+
+    /* Backup */
+    strncpy(ctxt->buffer, buffer, OS_MAXSTR - 1);
+    ctxt->timestamp = time(NULL);
+}
+
+STATIC char * w_macos_log_get_last_valid_line(char * str) {
+
+    char * retval = NULL;
+    char ignored_char = '\0';
+    size_t size = 0;
+
+    if (str == NULL || *str == '\0') {
+        return retval;
+    }
+
+    /* Ignores the last character */
+    size = strlen(str);
+
+    ignored_char = str[size - 1];
+    str[size - 1] = '\0';
+
+    retval = strrchr(str, '\n');
+    str[size - 1] = ignored_char;
+
+    return retval;
+}
+
+STATIC bool w_macos_is_log_header(w_macos_log_config_t * macos_log_cfg, char * buffer) {
+
+    bool retval = true;
+    const ssize_t buffer_size = strlen(buffer);
+
+    /* if the buffer contains a log, then there won't be headers anymore */
+    if (w_expression_match(macos_log_cfg->log_start_regex, buffer, NULL, NULL)) {
+        macos_log_cfg->is_header_processed = true;
+        w_macos_set_is_valid_data(true);
+        retval = false;
+    }
+    /* Error in the execution of the `log stream` cli command, probably there is an error in the predicate. */
+    else if (strncmp(buffer, LOG_ERROR_STR, LOG_ERROR_LENGHT) == 0) {
+
+        // "log: error description:\n"
+        if (buffer[buffer_size - 2] == ':') {
+            buffer[buffer_size - 2] = '\0';
+        } else if (buffer[buffer_size - 1] == '\n') {
+            buffer[buffer_size - 1] = '\0';
+        }
+        merror(LOGCOLLECTOR_MACOS_LOG_ERROR_AFTER_EXEC, buffer);
+        w_macos_set_is_valid_data(false);
+    }
+    /* Rows header or remaining error lines */
+    else {
+        if (buffer[buffer_size - 1] == '\n') {
+            buffer[buffer_size - 1] = '\0';
+        }
+        mdebug2("macOS ULS: Reading other log headers or errors: '%s'.", buffer);
+    }
+
+    return retval;
+}
+
+STATIC char * w_macos_trim_full_timestamp(const char * full_timestamp) {
+
+    char * short_timestamp = NULL;
+
+    if (w_strlen(full_timestamp) == OS_LOGCOLLECTOR_TIMESTAMP_FULL_LEN) {
+
+        os_calloc(OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN + 1, sizeof(char), short_timestamp);
+        memcpy(short_timestamp, full_timestamp, OS_LOGCOLLECTOR_TIMESTAMP_BASIC_LEN);
+        memcpy(short_timestamp + OS_LOGCOLLECTOR_TIMESTAMP_BASIC_LEN,
+                full_timestamp + OS_LOGCOLLECTOR_TIMESTAMP_BASIC_LEN + OS_LOGCOLLECTOR_TIMESTAMP_MS_LEN,
+                OS_LOGCOLLECTOR_TIMESTAMP_TZ_LEN);
+    }
+
+    return short_timestamp;
+}
+
+#endif
diff --git a/src/modules/logcollector/src/read_mssql_log.c b/src/modules/logcollector/src/read_mssql_log.c
new file mode 100644
index 0000000000..ae33c90602
--- /dev/null
+++ b/src/modules/logcollector/src/read_mssql_log.c
@@ -0,0 +1,166 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Read MS SQL logs */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Send MS SQL message and check the return code */
+static void __send_mssql_msg(logreader *lf, int drop_it, char *buffer) {
+    mdebug2("Reading MSSQL message: '%s'", buffer);
+
+    /* Check ignore and restrict log regex, if configured. */
+    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, buffer)) {
+        /* Send message to queue */
+        w_msg_hash_queues_push(buffer, lf->file, strlen(buffer) + 1, lf->log_target, LOCALFILE_MQ);
+    }
+}
+
+/* Read MS SQL log files */
+void *read_mssql_log(logreader *lf, int *rc, int drop_it) {
+    size_t str_len = 0;
+    int need_clear = 0;
+    char *p;
+    char str[OS_MAX_LOG_SIZE];
+    char buffer[OS_MAX_LOG_SIZE];
+    int lines = 0;
+    /* Zero buffer and str */
+    buffer[0] = '\0';
+    buffer[OS_MAX_LOG_SIZE - 1] = '\0';
+    str[OS_MAX_LOG_SIZE - 1] = '\0';
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    /* Get new entry */
+    while (can_read() && fgets(str, OS_MAX_LOG_SIZE, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+        /* Get buffer size */
+        str_len = strlen(str);
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        /* Check str_len size. Very useless, but just to make sure */
+        if (str_len >= sizeof(buffer) - 2) {
+            str_len = sizeof(buffer) - 10;
+        }
+
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+
+            /* If need clear is set, we just get the line and ignore it */
+            if (need_clear) {
+                need_clear = 0;
+                continue;
+            }
+        } else {
+            need_clear = 1;
+        }
+
+#ifdef WIN32
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on windows) */
+        if (str_len <= 1) {
+            continue;
+        }
+
+        /* Windows can have comment on their logs */
+        if (str[0] == '#') {
+            continue;
+        }
+#endif
+
+        /* MS SQL messages have the following formats:
+         * 2009-03-25 04:47:30.01 Server
+         * 2003-10-09 00:00:06.68 sys1
+         * 2009-02-06 11:48:59     Server
+         */
+        if ((str_len > 19) &&
+                (str[4] == '-') &&
+                (str[7] == '-') &&
+                (str[10] == ' ') &&
+                (str[13] == ':') &&
+                (str[16] == ':') &&
+                isdigit((int)str[0]) &&
+                isdigit((int)str[1]) &&
+                isdigit((int)str[2]) &&
+                isdigit((int)str[3])) {
+
+            /* If the saved message is empty, set it and continue */
+            if (buffer[0] == '\0') {
+                snprintf(buffer, sizeof(buffer), "%s", str);
+                continue;
+            }
+
+            /* If not, send the saved one and store the new one for later */
+            else {
+                __send_mssql_msg(lf, drop_it, buffer);
+
+                /* Store current one at the buffer */
+                snprintf(buffer, sizeof(buffer), "%s", str);
+            }
+        }
+
+        /* Query logs can be in multiple lines
+         * They always start with a tab in the additional lines
+         */
+        else if ((str_len > 2) && (buffer[0] != '\0')) {
+            /* Size of the buffer */
+            size_t buffer_len = strlen(buffer);
+
+            p = str;
+
+            /* Remove extra spaces and tabs */
+            while (*p == ' ' || *p == '\t') {
+                p++;
+            }
+
+            /* Add additional message to the saved buffer */
+            if (sizeof(buffer) - buffer_len > str_len) {
+                /* Here we make sure that the size of the buffer
+                 * minus what was used (strlen) is greater than
+                 * the length of the received message.
+                 */
+                buffer[buffer_len] = ' ';
+                buffer[buffer_len + 1] = '\0';
+                strncat(buffer, str, str_len + 3);
+            }
+        }
+    }
+
+    current_position = w_ftell(lf->fp);
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    /* Send whatever is stored */
+    if (buffer[0] != '\0') {
+        __send_mssql_msg(lf, drop_it, buffer);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_multiline.c b/src/modules/logcollector/src/read_multiline.c
new file mode 100644
index 0000000000..2fd28153c7
--- /dev/null
+++ b/src/modules/logcollector/src/read_multiline.c
@@ -0,0 +1,154 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2010 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Read multiline logs */
+void *read_multiline(logreader *lf, int *rc, int drop_it) {
+    int __ms = 0;
+    int __ms_reported = 0;
+    int linesgot = 0;
+    size_t buffer_size = 0;
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char buffer[OS_MAX_LOG_SIZE] = {0};
+    int lines = 0;
+    int size = 0;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgets(str, OS_MAX_LOG_SIZE, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+        lines++;
+        linesgot++;
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        /* Get the last occurrence of \n */
+        if (str[rbytes - 1] == '\n') {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            str[rbytes - 1] = '\0';
+
+            if ((int64_t)strlen(str) != rbytes - 1)
+            {
+                mdebug2("Line in '%s' contains some zero-bytes (valid=" FTELL_TT " / total=" FTELL_TT "). Dropping line.", lf->file, FTELL_INT64 strlen(str), FTELL_INT64 rbytes - 1);
+                continue;
+            }
+        }
+
+        /* If we didn't get the new line, because the
+         * size is large, send what we got so far.
+         */
+        else if (rbytes == OS_MAX_LOG_SIZE - 1) {
+            /* Message size > maximum allowed */
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            __ms = 1;
+        } else if (feof(lf->fp)) {
+            /* Message not complete. Return. */
+            mdebug2("Message not complete from '%s'. Trying again: '%.*s'%s", lf->file, sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+            if(current_position >= 0) {
+                w_fseek(lf->fp, current_position, SEEK_SET);
+            }
+            break;
+        }
+
+#ifdef WIN32
+        char * p;
+
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+#endif
+
+        /* Add to buffer */
+        buffer_size = strlen(buffer);
+        if (buffer[0] != '\0' && buffer_size < sizeof(buffer) - 1) {
+            buffer[buffer_size] = ' ';
+            buffer_size++;
+        }
+
+        size = snprintf(buffer + buffer_size, sizeof(buffer) - buffer_size, "%s", str);
+
+        if ((size_t)size >= sizeof(buffer) - buffer_size) {
+            __ms = 1;
+        }
+
+        if (linesgot < lf->linecount) {
+            continue;
+        }
+        linesgot = 0;
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, buffer)) {
+            /* Send message to queue */
+            mdebug2("Reading message: '%.*s'%s", sample_log_length, buffer, strlen(buffer) > (size_t)sample_log_length ? "..." : "");
+            w_msg_hash_queues_push(buffer, lf->file, strlen(buffer) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+
+        buffer[0] = '\0';
+
+
+        /* Incorrect message size */
+        if (__ms) {
+            if (!__ms_reported) {
+                merror("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+                __ms_reported = 1;
+            } else {
+                mdebug2("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+            }
+
+            for (offset += rbytes; fgets(str, sizeof(str), lf->fp) != NULL; offset += rbytes) {
+                rbytes = w_ftell(lf->fp) - offset;
+
+                /* Flow control */
+                if (rbytes <= 0) {
+                    break;
+                }
+
+                if (is_valid_context_file) {
+                    OS_SHA1_Stream(context, NULL, str);
+                }
+
+                /* Get the last occurrence of \n */
+                if (str[rbytes - 1] == '\n') {
+                    break;
+                }
+            }
+            __ms = 0;
+        }
+
+        current_position = w_ftell(lf->fp);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_multiline_regex.c b/src/modules/logcollector/src/read_multiline_regex.c
new file mode 100644
index 0000000000..b085408b54
--- /dev/null
+++ b/src/modules/logcollector/src/read_multiline_regex.c
@@ -0,0 +1,563 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove STATIC qualifier from tests
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+/**
+ * @brief Restore read context from backup
+ *
+ * Restores the buffer and number of lines reads from a context backup
+ * Buffer must be allocated, function does not check, allocate or release memory from the buffer
+ * @param buffer Destination buffer
+ * @param readed_lines Destination number of lines read
+ * @param ctxt context backup
+ * @return true if a context was restored. Otherwise returns false
+ */
+STATIC bool multiline_ctxt_restore(char * buffer, int * readed_lines, w_multiline_ctxt_t * ctxt);
+
+/**
+ * @brief Generate a backup of the reading context
+ *
+ * If the backup does not exist (*ctxt = NULL), it creates it.
+ * If the backup exists, the new content is appended and updates the lines read
+ * @param buffer to backup
+ * @param readed_lines to backup
+ * @param ctxt backup destination
+ */
+STATIC void multiline_ctxt_backup(char * buffer, int readed_lines, w_multiline_ctxt_t ** ctxt);
+
+/**
+ * @brief frees a context backup
+ *
+ * @param ctxt context backup to free
+ */
+STATIC void multiline_ctxt_free(w_multiline_ctxt_t ** ctxt);
+
+/**
+ * @brief check if a context in a backup expired
+ *
+ * @param timeout A timeout that a context without updating is valid.
+ * @param ctxt context to check
+ * @return true if the context does not exist or expired. Otherwise returns false
+ */
+STATIC bool multiline_ctxt_is_expired(time_t timeout, w_multiline_ctxt_t * ctxt);
+
+/**
+ * @brief Get log from file with multiline log support.
+ *
+ * @param buffer readed log output
+ * @param length max lenth
+ * @param stream log file
+ * @param ml_cfg multiline configuration
+ * @return  if = 0 indicates no more logs available.
+ *          if > 0 indicate log's lines count.
+ */
+STATIC int multiline_getlog(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+
+/**
+ * @brief Get log from file with multiline log support using \ref ML_MATCH_START
+ *
+ * @param buffer readed log output
+ * @param length max lenth
+ * @param stream log file
+ * @param ml_cfg multiline configuration
+ * @return  if = 0 indicates no more logs available.
+ *          if > 0 indicate log's lines count.
+ */
+STATIC int multiline_getlog_start(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+
+/**
+ * @brief Get log from file with multiline log support using \ref ML_MATCH_END
+ *
+ * @param buffer readed log output
+ * @param length max lenth
+ * @param stream log file
+ * @param ml_cfg multiline configuration
+ * @return  if = 0 indicates no more logs available.
+ *          if > 0 indicate log's lines count.
+ */
+STATIC int multiline_getlog_end(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+
+/**
+ * @brief Get log from file with multiline log support using \ref ML_MATCH_ALL
+ *
+ * @param buffer readed log output
+ * @param length max lenth
+ * @param stream log file
+ * @param ml_cfg multiline configuration
+ * @return  if = 0 indicates no more logs available.
+ *          if > 0 indicate log's lines count.
+ */
+STATIC int multiline_getlog_all(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+
+/**
+ * @brief Get specific chunk of file between two positions
+ *
+ * @param stream File stream
+ * @param initial_pos initial position
+ * @param final_pos final position
+ * @return allocated buffer containing the readed chunk. NULL on error
+ */
+STATIC char * get_file_chunk(FILE * stream, int64_t initial_pos, int64_t final_pos);
+
+/* Misc functions */
+
+/**
+ * @brief If the last character of the string is an end of line, replace it.
+ *
+ * Replace the last character of `str` (only if it is an end of line) according to` type`.
+ * if type is ML_REPLACE_NO_REPLACE does not replace the end of the line
+ * if type is ML_REPLACE_NONE remove the end of the line
+ * if type is ML_REPLACE_WSPACE replace the end of line with a blank space ' '
+ * if type is ML_REPLACE_TAB replace the end of line with a tab character '\t'
+ * @param str String to replace character.
+ * @param type Replacement type
+ */
+STATIC void multiline_replace(char * str, w_multiline_replace_type_t type);
+
+void * read_multiline_regex(logreader * lf, int * rc, int drop_it) {
+    char read_buffer[OS_MAXSTR + 1];
+    int count_lines = 0;
+    int rlines;
+    const int max_line_len = OS_MAXSTR - OS_LOG_HEADER;
+
+    /* Continue from last read line */
+    EVP_MD_CTX *context = NULL;
+    int64_t initial_pos;
+    char * raw_data = NULL;
+
+    if (can_read() == 0) {
+        return NULL;
+    } else if (lf->multiline->offset_last_read == 0 || w_ftell(lf->fp) < lf->multiline->offset_last_read) {
+        lf->multiline->offset_last_read = w_ftell(lf->fp);
+    }
+
+    context = EVP_MD_CTX_new();
+    bool is_valid_context_file = w_get_hash_context(lf, &context, lf->multiline->offset_last_read);
+
+    read_buffer[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    while (rlines = multiline_getlog(read_buffer, max_line_len, lf->fp, lf->multiline),
+           rlines > 0 && (maximum_lines == 0 || count_lines < maximum_lines)) {
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, read_buffer)) {
+            /* Send message to queue */
+            w_msg_hash_queues_push(read_buffer, lf->file, strlen(read_buffer) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+        count_lines += rlines;
+
+        /* Continue from last read line */
+        initial_pos = lf->multiline->offset_last_read;
+        lf->multiline->offset_last_read = w_ftell(lf->fp);
+
+        raw_data = get_file_chunk(lf->fp, initial_pos, lf->multiline->offset_last_read);
+        if (raw_data == NULL) {
+            continue;
+        }
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, raw_data);
+        }
+
+        os_free(raw_data);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, lf->multiline->offset_last_read, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    return NULL;
+}
+
+STATIC int multiline_getlog(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg) {
+
+    int readed_lines = 0;
+
+    switch (ml_cfg->match_type) {
+        case ML_MATCH_START:
+            readed_lines = multiline_getlog_start(buffer, length, stream, ml_cfg);
+            break;
+
+        case ML_MATCH_END:
+            readed_lines = multiline_getlog_end(buffer, length, stream, ml_cfg);
+            break;
+
+        case ML_MATCH_ALL:
+            readed_lines = multiline_getlog_all(buffer, length, stream, ml_cfg);
+            break;
+
+        default:
+            *buffer = '\0';
+            break;
+    }
+
+    return readed_lines;
+}
+
+STATIC int multiline_getlog_start(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg) {
+
+    char * str = buffer;
+    char * retstr = NULL;
+    int offset = 0;
+    int chunk_sz = 0;
+    bool collecting_lines = false;
+    int readed_lines = 0;
+    int c = 0;
+    *str = '\0';
+    int64_t pos = w_ftell(stream);
+
+    /* Check if a context restore is needed */
+    if (ml_cfg->ctxt) {
+        multiline_ctxt_restore(str, &readed_lines, ml_cfg->ctxt);
+        offset = strlen(str);
+        str += offset;
+        collecting_lines = true;
+        /* If the context it's expired then free it and return log */
+        if (multiline_ctxt_is_expired(ml_cfg->timeout, ml_cfg->ctxt)) {
+            multiline_ctxt_free(&ml_cfg->ctxt);
+            /* delete last end-of-line character (LF / CR LF) */
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            return readed_lines;
+        }
+    }
+
+    while (can_read() && (retstr = fgets(str, length - offset, stream)) != NULL) {
+
+        /* Check if current line match start regex */
+        if (collecting_lines && w_expression_match(ml_cfg->regex, str, NULL, NULL)) {
+            /* Rewind. This line dont belong to last log */
+            buffer[offset] = '\0';
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            w_fseek(stream, pos, SEEK_SET);
+            break;
+        }
+
+        multiline_replace(str, ml_cfg->replace_type);
+        chunk_sz = strlen(str);
+        offset += chunk_sz;
+        str += chunk_sz;
+        readed_lines++;
+        /* Save current posistion in case we have to rewind */
+        pos = w_ftell(stream);
+        collecting_lines = true;
+        /* Allow save new content in the context in case can_read() fail */
+        retstr = NULL;
+        /* Avoid fgets infinite loop behavior when size parameter is 1 */
+        if (offset == length - 1) {
+            break;
+        }
+    }
+
+    /* Check if we have to save/create context in case
+       Multiline log found but MAYBE not finished yet */
+    if (collecting_lines && retstr == NULL && length > offset + 1) {
+        multiline_ctxt_backup(buffer, readed_lines, &ml_cfg->ctxt);
+        readed_lines = 0;
+    } else if (length == offset + 1) {
+        // Discard the rest of the log, moving the pointer to the next end of line
+        while (true) {
+            c = fgetc(stream);
+            if (c == '\n' || c == '\0' || c == EOF) {
+                break;
+            }
+        }
+    }
+
+    /* If the lastest line complete the multiline log, free the context */
+    if (ml_cfg->ctxt && readed_lines > 0) {
+        multiline_ctxt_free(&ml_cfg->ctxt);
+    }
+
+    return readed_lines;
+}
+
+STATIC int multiline_getlog_end(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg) {
+    char * str = buffer;
+    char * retstr = NULL;
+    int offset = 0;
+    int chunk_sz = 0;
+    bool collecting_lines = false;
+    int readed_lines = 0;
+    int c = 0;
+    *str = '\0';
+
+    /* Check if a context restore is needed */
+    if (ml_cfg->ctxt) {
+        multiline_ctxt_restore(str, &readed_lines, ml_cfg->ctxt);
+        offset = strlen(str);
+        str += offset;
+        collecting_lines = true;
+        /* If the context it's expired then free it and return log */
+        if (multiline_ctxt_is_expired(ml_cfg->timeout, ml_cfg->ctxt)) {
+            multiline_ctxt_free(&ml_cfg->ctxt);
+            /* delete last end-of-line character (LF / CR LF) */
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            return readed_lines;
+        }
+    }
+
+    while (can_read() && (retstr = fgets(str, length - offset, stream)) != NULL) {
+
+        readed_lines++;
+        if (w_expression_match(ml_cfg->regex, str, NULL, NULL)) {
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            collecting_lines = false;
+            break;
+        }
+        multiline_replace(str, ml_cfg->replace_type);
+        chunk_sz = strlen(str);
+        offset += chunk_sz;
+        str += chunk_sz;
+        collecting_lines = true;
+        /* Allow save new content in the context in case can_read() fail */
+        retstr = NULL;
+        /* Avoid fgets infinite loop behauvior when size parameter is 1 */
+        if (offset == length - 1) {
+            break;
+        }
+    }
+
+    /* Check if we have to save/create context in case
+       Multiline log found but not finished yet */
+    if (collecting_lines && retstr == NULL && length > offset + 1) {
+        multiline_ctxt_backup(buffer, readed_lines, &ml_cfg->ctxt);
+        readed_lines = 0;
+    } else if (length == offset + 1) {
+        // Discard the rest of the log, moving the pointer to the next end of line
+        while (true) {
+            c = fgetc(stream);
+            if (c == '\n' || c == '\0' || c == EOF) {
+                break;
+            }
+        }
+    }
+
+    /* If the lastest line complete the multiline log, free the context */
+    if (ml_cfg->ctxt && readed_lines > 0) {
+        multiline_ctxt_free(&ml_cfg->ctxt);
+    }
+
+    return readed_lines;
+}
+
+STATIC int multiline_getlog_all(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg) {
+
+    char * str = buffer;
+    char * retstr = NULL;
+    int offset = 0;
+    int chunk_sz = 0;
+    bool collecting_lines = false;
+    int readed_lines = 0;
+    int c = 0;
+    *str = '\0';
+
+    /* Check if a context restore is needed */
+    if (ml_cfg->ctxt) {
+        multiline_ctxt_restore(str, &readed_lines, ml_cfg->ctxt);
+        offset = strlen(str);
+        str += offset;
+        collecting_lines = true;
+        /* If the context it's expired then free it and return log */
+        if (multiline_ctxt_is_expired(ml_cfg->timeout, ml_cfg->ctxt)) {
+            multiline_ctxt_free(&ml_cfg->ctxt);
+            /* delete last end-of-line character (LF / CR LF) */
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            return readed_lines;
+        }
+    }
+
+    while (can_read() && (retstr = fgets(str, length - offset, stream)) != NULL) {
+
+        readed_lines++;
+        if (w_expression_match(ml_cfg->regex, buffer, NULL, NULL)) {
+            multiline_replace(buffer, ML_REPLACE_NONE);
+            collecting_lines = false;
+            break;
+        }
+
+        multiline_replace(str, ml_cfg->replace_type);
+        chunk_sz = strlen(str);
+        offset += chunk_sz;
+        str += chunk_sz;
+        collecting_lines = true;
+        /* Allow save new content in the context in case can_read() fail */
+        retstr = NULL;
+        /* Avoid fgets infinite loop behauvior when size parameter is 1 */
+        if (offset == length - 1) {
+            break;
+        }
+    }
+
+    /* Check if we have to save/create context in case
+       Multiline log found but not finished yet */
+    if (collecting_lines && retstr == NULL && length > offset + 1) {
+        multiline_ctxt_backup(buffer, readed_lines, &ml_cfg->ctxt);
+        readed_lines = 0;
+    } else if (length == offset + 1) {
+        // Discard the rest of the log, moving the pointer to the next end of line
+        while (true) {
+            c = fgetc(stream);
+            if (c == '\n' || c == '\0' || c == EOF) {
+                break;
+            }
+        }
+    }
+
+    /* If the lastest line complete the multiline log, free the context */
+    if (ml_cfg->ctxt && readed_lines > 0) {
+        multiline_ctxt_free(&ml_cfg->ctxt);
+    }
+
+    return readed_lines;
+}
+
+STATIC void multiline_replace(char * str, w_multiline_replace_type_t type) {
+
+    const char newline = '\n';
+    const char creturn = '\r';
+    const char tab = '\t';
+    const char wspace = ' ';
+    char * pos_newline;
+    char * pos_creturn;
+
+    if (str == NULL || str[0] == '\0') {
+        return;
+    }
+
+    if (pos_newline = (str + strlen(str) - 1), *pos_newline != newline) {
+        return;
+    }
+
+    pos_creturn = (strlen(str) > 1) && (*(pos_newline - 1) == creturn) ? (pos_newline - 1) : NULL;
+
+    switch (type) {
+    case ML_REPLACE_WSPACE:
+        if (pos_creturn) {
+            *pos_creturn = wspace;
+            *pos_newline = '\0';
+        } else {
+            *pos_newline = wspace;
+        }
+
+        break;
+
+    case ML_REPLACE_TAB:
+        if (pos_creturn) {
+            *pos_creturn = tab;
+            *pos_newline = '\0';
+        } else {
+            *pos_newline = tab;
+        }
+
+        break;
+
+    case ML_REPLACE_NONE:
+        if (pos_creturn) {
+            *pos_creturn = '\0';
+        } else {
+            *pos_newline = '\0';
+        }
+        break;
+
+    default:
+    case ML_REPLACE_NO_REPLACE:
+        break;
+    }
+}
+
+STATIC void multiline_ctxt_backup(char * buffer, int readed_lines, w_multiline_ctxt_t ** ctxt) {
+
+    size_t current_bsize = strlen(buffer);
+
+    if (*ctxt && (strlen((*ctxt)->buffer) == current_bsize)) {
+        return;
+    }
+
+    if (*ctxt) {
+        size_t old_size = strlen((*ctxt)->buffer);
+        os_realloc((*ctxt)->buffer, sizeof(char) * (current_bsize + 1), (*ctxt)->buffer);
+        strcpy((*ctxt)->buffer + old_size, buffer + old_size);
+
+    } else {
+        os_calloc(1, sizeof(w_multiline_ctxt_t), *ctxt);
+        os_calloc(current_bsize + 1, sizeof(char), (*ctxt)->buffer);
+        strcpy((*ctxt)->buffer, buffer);
+    }
+
+    (*ctxt)->lines_count = readed_lines;
+    (*ctxt)->timestamp = time(NULL);
+}
+
+STATIC void multiline_ctxt_free(w_multiline_ctxt_t ** ctxt) {
+
+    if ((*ctxt) == NULL) {
+        return;
+    }
+    if ((*ctxt)->buffer) {
+        os_free((*ctxt)->buffer);
+    }
+
+    os_free(*ctxt);
+}
+
+STATIC bool multiline_ctxt_restore(char * buffer, int * readed_lines, w_multiline_ctxt_t * ctxt) {
+
+    if (ctxt == NULL) {
+        return false;
+    }
+    strcpy(buffer, ctxt->buffer);
+    *readed_lines = ctxt->lines_count;
+    return true;
+}
+
+STATIC bool multiline_ctxt_is_expired(time_t timeout, w_multiline_ctxt_t * ctxt) {
+
+    if (ctxt == NULL) {
+        return true;
+    }
+
+    if (time(NULL) - ctxt->timestamp > timeout) {
+        return true;
+    }
+
+    return false;
+}
+
+STATIC char * get_file_chunk(FILE * stream, int64_t initial_pos, int64_t final_pos) {
+
+    char * ret_buffer = NULL;
+    int64_t read_length = final_pos - initial_pos;
+
+    if (read_length <= 0 || w_fseek(stream, initial_pos, SEEK_SET) != 0) {
+        return ret_buffer;
+    }
+
+    os_calloc((size_t) read_length + 1, sizeof(char), ret_buffer);
+    int64_t ret = (int64_t) fread(ret_buffer, sizeof(char), read_length, stream);
+
+    if (ret != read_length) {
+        /* do not move the pointer to the file, it will remain at the end */
+        os_free(ret_buffer);
+    }
+
+    return ret_buffer;
+}
diff --git a/src/modules/logcollector/src/read_mysql_log.c b/src/modules/logcollector/src/read_mysql_log.c
new file mode 100644
index 0000000000..014cd3f5fa
--- /dev/null
+++ b/src/modules/logcollector/src/read_mysql_log.c
@@ -0,0 +1,261 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Read MySQL logs */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+/* Starting last time */
+static char __mysql_last_time[36] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+
+
+void *read_mysql_log(logreader *lf, int *rc, int drop_it) {
+    size_t str_len = 0;
+    int need_clear = 0;
+    char *p;
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char buffer[OS_MAX_LOG_SIZE] = {0};
+    int lines = 0;
+    int bytes_written = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    /* Get new entry */
+    while (can_read() && fgets(str, sizeof(str), lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+        /* Get buffer size */
+        str_len = strlen(str);
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+
+            /* If need clear is set, we just get the line and ignore it */
+            if (need_clear) {
+                need_clear = 0;
+                continue;
+            }
+        } else {
+            need_clear = 1;
+        }
+
+#ifdef WIN32
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on windows) */
+        if (str_len <= 2) {
+            continue;
+        }
+
+
+        /* Windows can have comment on their logs */
+        if (str[0] == '#') {
+            continue;
+        }
+#endif
+
+        /* MySQL messages have the following format:
+         * 070823 21:01:30 xx
+         */
+        if ((str_len > 18) &&
+                (str[6] == ' ') &&
+                (str[9] == ':') &&
+                (str[12] == ':') &&
+                isdigit((int)str[0]) &&
+                isdigit((int)str[1]) &&
+                isdigit((int)str[2]) &&
+                isdigit((int)str[3]) &&
+                isdigit((int)str[4]) &&
+                isdigit((int)str[5]) &&
+                isdigit((int)str[7]) &&
+                isdigit((int)str[8])) {
+            /* Save last time */
+            strncpy(__mysql_last_time, str, 16);
+            __mysql_last_time[15] = '\0';
+
+
+            /* Remove spaces and tabs */
+            p = str + 15;
+            while (*p == ' ' || *p == '\t') {
+                p++;
+            }
+
+            /* Valid MySQL message */
+            bytes_written = snprintf(buffer, sizeof(buffer), "MySQL log: %s %s",
+                     __mysql_last_time, p);
+        }
+
+       /* MySQL 5.7 messages have the following format(in case of NOT utc):
+        * YYYY-MM-DDThh:mm:ss.uuuuuu±hh:mm XX
+        * ref: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_log_timestamps
+        */
+       else if ((str_len > 35) &&
+               (str[4] == '-') &&
+               (str[7] == '-') &&
+               (str[10] == 'T') &&
+               (str[13] == ':') &&
+               (str[16] == ':') &&
+               (str[19] == '.') &&
+               ((str[26] == '-') || (str[26] == '+')) &&
+               (str[29] == ':') &&
+               (str[32] == ' ') &&
+               isdigit((int)str[0]) &&
+               isdigit((int)str[1]) &&
+               isdigit((int)str[2]) &&
+               isdigit((int)str[3]) &&
+               isdigit((int)str[5]) &&
+               isdigit((int)str[6]) &&
+               isdigit((int)str[8]) &&
+               isdigit((int)str[9]) &&
+               isdigit((int)str[11]) &&
+               isdigit((int)str[12]) &&
+               isdigit((int)str[14]) &&
+               isdigit((int)str[15]) &&
+               isdigit((int)str[17]) &&
+               isdigit((int)str[18]) &&
+               isdigit((int)str[20]) &&
+               isdigit((int)str[21]) &&
+               isdigit((int)str[22]) &&
+               isdigit((int)str[23]) &&
+               isdigit((int)str[24]) &&
+               isdigit((int)str[25]) &&
+               isdigit((int)str[27]) &&
+               isdigit((int)str[28]) &&
+               isdigit((int)str[30]) &&
+               isdigit((int)str[31])) {
+           /* Save last time */
+           strncpy(__mysql_last_time, str, 33);
+           __mysql_last_time[32] = '\0';
+
+           /* Remove spaces and tabs */
+           p = str + 32;
+           while (*p == ' ' || *p == '\t') {
+               p++;
+           }
+
+           /* Valid MySQL message */
+           bytes_written = snprintf(buffer, sizeof(buffer), "MySQL log: %s %s",
+                    __mysql_last_time, p);
+       }
+
+      /* MySQL 5.7 messages have the following format(in case of utc):
+       * YYYY-MM-DDThh:mm:ss.uuuuuuZ XX
+       * ref: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_log_timestamps
+       */
+      else if ((str_len > 30) &&
+              (str[4] == '-') &&
+              (str[7] == '-') &&
+              (str[10] == 'T') &&
+              (str[13] == ':') &&
+              (str[16] == ':') &&
+              (str[19] == '.') &&
+              (str[26] == 'Z') &&
+              (str[27] == ' ') &&
+              isdigit((int)str[0]) &&
+              isdigit((int)str[1]) &&
+              isdigit((int)str[2]) &&
+              isdigit((int)str[3]) &&
+              isdigit((int)str[5]) &&
+              isdigit((int)str[6]) &&
+              isdigit((int)str[8]) &&
+              isdigit((int)str[9]) &&
+              isdigit((int)str[11]) &&
+              isdigit((int)str[12]) &&
+              isdigit((int)str[14]) &&
+              isdigit((int)str[15]) &&
+              isdigit((int)str[17]) &&
+              isdigit((int)str[18]) &&
+              isdigit((int)str[20]) &&
+              isdigit((int)str[21]) &&
+              isdigit((int)str[22]) &&
+              isdigit((int)str[23]) &&
+              isdigit((int)str[24]) &&
+              isdigit((int)str[25])) {
+          /* Save last time */
+          strncpy(__mysql_last_time, str, 28);
+          __mysql_last_time[27] = '\0';
+
+          /* Remove spaces and tabs */
+          p = str + 27;
+          while (*p == ' ' || *p == '\t') {
+              p++;
+          }
+
+          /* Valid MySQL message */
+          bytes_written = snprintf(buffer, sizeof(buffer), "MySQL log: %s %s",
+                   __mysql_last_time, p);
+      }
+
+        /* Multiple events at the same second share the same timestamp:
+         * 0909 2020 2020 2020 20
+         */
+        else if ((str_len > 10) && (__mysql_last_time[0] != '\0') &&
+                 (str[0] == 0x09) &&
+                 (str[1] == 0x09) &&
+                 (str[2] == 0x20) &&
+                 (str[3] == 0x20) &&
+                 (str[4] == 0x20) &&
+                 (str[5] == 0x20) &&
+                 (str[6] == 0x20) &&
+                 (str[7] == 0x20)) {
+            p = str + 2;
+
+            /* Remove extra spaces and tabs */
+            while (*p == ' ' || *p == '\t') {
+                p++;
+            }
+
+            /* Valid MySQL message */
+            bytes_written = snprintf(buffer, sizeof(buffer), "MySQL log: %s %s",
+                     __mysql_last_time, p);
+        } else {
+            continue;
+        }
+
+        if (bytes_written < 0) {
+            merror("Error %d (%s) while reading message: '%s' (length = " FTELL_TT "): '%s'...", errno, strerror(errno), lf->file, FTELL_INT64 bytes_written, buffer);
+        } else if ((size_t)bytes_written >= sizeof(buffer)) {
+            merror("Message size too big on file '%s' (length = " FTELL_TT "): '%s'...", lf->file, FTELL_INT64 bytes_written, buffer);
+        }
+
+        mdebug2("Reading mysql messages: '%s'", buffer);
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, buffer)) {
+            /* Send message to queue */
+            w_msg_hash_queues_push(buffer, lf->file, strlen(buffer) + 1, lf->log_target, LOCALFILE_MQ);
+        }
+    }
+
+    current_position = w_ftell(lf->fp);
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_nmapg.c b/src/modules/logcollector/src/read_nmapg.c
new file mode 100644
index 0000000000..efe1ab928a
--- /dev/null
+++ b/src/modules/logcollector/src/read_nmapg.c
@@ -0,0 +1,284 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+#define NMAPG_HOST  "Host: "
+#define NMAPG_PORT  "Ports:"
+#define NMAPG_OPEN  "open/"
+#define NMAPG_STAT  "Status:"
+#define PORT_PROTO  " %s(%s)"
+
+/* Prototypes */
+static char *__go_after(char *x, const char *y);
+static char *__get_port(char *str, char *proto, char *port, size_t msize);
+
+
+/* Get port and protocol */
+static char *__get_port(char *str, char *proto, char *port, size_t msize)
+{
+    int filtered = 0;
+    char *p, *q;
+
+    /* Remov whitespace */
+    while (*str == ' ') {
+        str++;
+    }
+
+    /* Get port */
+    p = strchr(str, '/');
+    if (!p) {
+        return (NULL);
+    }
+    *p = '\0';
+    p++;
+
+    /* Get port */
+    strncpy(port, str, msize);
+    port[msize - 1] = '\0';
+
+    /* Check if the port is open */
+    q = __go_after(p, NMAPG_OPEN);
+    if (!q) {
+        /* Port is not open */
+        filtered = 1;
+        q = p;
+
+        /* Going to the start of protocol field */
+        p = strchr(q, '/');
+        if (!p) {
+            return (NULL);
+        }
+        p++;
+    } else {
+        p = q;
+    }
+
+    /* Get protocol */
+    str = p;
+    p = strchr(str, '/');
+    if (!p) {
+        return (NULL);
+    }
+    *p = '\0';
+    p++;
+
+    strncpy(proto, str, msize);
+    proto[msize - 1] = '\0';
+
+    /* Set proto to null if port is not open */
+    if (filtered) {
+        proto[0] = '\0';
+    }
+
+    /* Remove slashes */
+    if (*p == '/') {
+        p++;
+        q = p;
+        p = strchr(p, ',');
+        if (p) {
+            return (p);
+        }
+
+        return (q);
+    }
+
+    return (NULL);
+}
+
+/* Check if the string matches */
+static char *__go_after(char *x, const char *y)
+{
+    size_t x_s;
+    size_t y_s;
+
+    /* X and Y must be not null */
+    if (!x || !y) {
+        return (NULL);
+    }
+
+    x_s = strlen(x);
+    y_s = strlen(y);
+
+    if (x_s <= y_s) {
+        return (NULL);
+    }
+
+    /* String does not match */
+    if (strncmp(x, y, y_s) != 0) {
+        return (NULL);
+    }
+
+    x += y_s;
+
+    return (x);
+}
+
+/* Read Nmap grepable files */
+void *read_nmapg(logreader *lf, int *rc, int drop_it) {
+    int final_msg_s;
+    int index = 0;
+    int need_clear = 0;
+
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char final_msg[OS_MAX_LOG_SIZE] = {0};
+    char port[17] = {0};
+    char proto[17] = {0};
+
+    char *ip = NULL;
+    char *p;
+    char *q;
+
+    int lines = 0;
+    int bytes_written = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    while (can_read() && fgets(str, sizeof(str), lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        /* If need clear is set, we need to clear the line */
+        if (need_clear) {
+            if (q = strchr(str, '\n'), q != NULL) {
+                need_clear = 0;
+            }
+            continue;
+        }
+
+        /* Remove \n at the end of the string */
+        if ((q = strchr(str, '\n')) != NULL) {
+            *q = '\0';
+        } else {
+            need_clear = 1;
+        }
+
+        /* Do not get commented lines */
+        if ((str[0] == '#') || (str[0] == '\0')) {
+            continue;
+        }
+
+        /* Get host */
+        q = __go_after(str, NMAPG_HOST);
+        if (!q) {
+            goto file_error;
+        }
+
+        /* Get ip/hostname */
+        p = strchr(q, ')');
+        if (!p) {
+            goto file_error;
+        }
+
+        /* Setting the valid ip */
+        ip = q;
+
+        /* Get the ports */
+        q = strchr(p, '\t');
+        if (!q) {
+            goto file_error;
+        }
+        q++;
+
+        /* Now fixing p, to have the closing parenthesis */
+        p++;
+        *p = '\0';
+
+        /* q now should point to the ports */
+        p = __go_after(q, NMAPG_PORT);
+        if (!p) {
+            /* Check if no port is available */
+            p = __go_after(q, NMAPG_STAT);
+            if (p) {
+                continue;
+            }
+
+            goto file_error;
+        }
+
+        /* Generate final msg */
+        bytes_written = snprintf(final_msg, sizeof(final_msg), "Host: %s, open ports:",
+                 ip);
+
+        if (bytes_written < 0) {
+            final_msg_s = 0;
+            merror("Error %d (%s) formatting string from file '%s' (length = " FTELL_TT "): '%s'...", errno, strerror(errno), lf->file, FTELL_INT64 bytes_written, final_msg);
+        } else if ((size_t)bytes_written < sizeof(final_msg)) {
+            final_msg_s = OS_MAX_LOG_SIZE - strlen(final_msg);
+        } else {
+            final_msg_s = 0;
+            merror("Large message size from file '%s' (length = " FTELL_TT "): '%s'...", lf->file, FTELL_INT64 bytes_written, final_msg);
+        }
+
+        /* Get port and protocol */
+        do {
+            /* Avoid filling the buffer (3*port size) */
+            if (final_msg_s < 27) {
+                break;
+            }
+
+            p = __get_port(p, proto, port, 9);
+            if (!p) {
+                mdebug1("Bad formated nmap grepable file (port).");
+                break;
+            }
+
+            /* Port not open */
+            if (proto[0] == '\0') {
+                continue;
+            }
+
+            /* Add ports */
+            index = strlen(final_msg);
+            index = snprintf((final_msg + index), final_msg_s, PORT_PROTO, port, proto);
+            final_msg_s -= index;
+
+        } while (*p == ',' && (p++));
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, final_msg)) {
+            /* Send message to queue */
+            w_msg_hash_queues_push(final_msg, lf->file, strlen(final_msg) + 1, lf->log_target, HOSTINFO_MQ);
+        }
+
+        /* Get next */
+        continue;
+
+        /* Handle errors */
+file_error:
+
+        merror("Bad formated nmap grepable file.");
+        EVP_MD_CTX_free(context);
+        *rc = -1;
+        return (NULL);
+
+    }
+
+    current_position = w_ftell(lf->fp);
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_ossecalert.c b/src/modules/logcollector/src/read_ossecalert.c
new file mode 100644
index 0000000000..ae07a5221b
--- /dev/null
+++ b/src/modules/logcollector/src/read_ossecalert.c
@@ -0,0 +1,120 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2012 Daniel B. Cid (http://dcid.me)
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "headers/read-alert.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+void *read_ossecalert(logreader *lf, __attribute__((unused)) int *rc, int drop_it) {
+    alert_data *al_data;
+    char user_msg[256];
+    char srcip_msg[256];
+    char syslog_msg[OS_SIZE_2048 + 1];
+
+    *rc = 0;
+
+    al_data = GetAlertData(0, lf->fp);
+    if (!al_data) {
+        return (NULL);
+    }
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    os_sha1 output;
+    int64_t current_position = w_ftell(lf->fp);
+
+    if (OS_SHA1_File_Nbytes(lf->file, &context, output, OS_BINARY, current_position) < 0) {
+        merror(FAIL_SHA1_GEN, lf->file);
+    }
+
+    w_update_file_status(lf->file, current_position, context);
+
+    memset(syslog_msg, '\0', OS_SIZE_2048 + 1);
+
+    /* Add source ip */
+    if (!al_data->srcip ||
+            ((al_data->srcip[0] == '(') &&
+             (al_data->srcip[1] == 'n') &&
+             (al_data->srcip[2] == 'o'))) {
+        srcip_msg[0] = '\0';
+    } else {
+        snprintf(srcip_msg, 255, " srcip: %s;", al_data->srcip);
+    }
+
+    /* Add username */
+    if (!al_data->user ||
+            ((al_data->user[0] == '(') &&
+             (al_data->user[1] == 'n') &&
+             (al_data->user[2] == 'o'))) {
+        user_msg[0] = '\0';
+    } else {
+        snprintf(user_msg, 255, " user: %s;", al_data->user);
+    }
+
+    if (al_data->log[1] == NULL) {
+        /* Build syslog message */
+        snprintf(syslog_msg, OS_SIZE_2048,
+                 "ossec: Alert Level: %d; Rule: %d - %s; "
+                 "Location: %s;%s%s  %s",
+                 al_data->level, al_data->rule, al_data->comment,
+                 al_data->location,
+                 srcip_msg,
+                 user_msg,
+                 al_data->log[0]);
+    } else {
+        char *tmp_msg = NULL;
+        short int j = 0;
+
+        while (al_data->log[j] != NULL) {
+            tmp_msg = os_LoadString(tmp_msg, al_data->log[j]);
+            tmp_msg = os_LoadString(tmp_msg, "\n");
+            if (tmp_msg == NULL) {
+                FreeAlertData(al_data);
+                return (NULL);
+            }
+            j++;
+        }
+
+        if (tmp_msg == NULL) {
+            FreeAlertData(al_data);
+            return (NULL);
+        }
+
+        if (strlen(tmp_msg) > 1596) {
+            tmp_msg[1594] = '.';
+            tmp_msg[1595] = '.';
+            tmp_msg[1596] = '.';
+            tmp_msg[1597] = '\0';
+        }
+        snprintf(syslog_msg, OS_SIZE_2048,
+                 "ossec: Alert Level: %d; Rule: %d - %s; "
+                 "Location: %s;%s%s  %s",
+                 al_data->level, al_data->rule, al_data->comment,
+                 al_data->location,
+                 srcip_msg,
+                 user_msg,
+                 tmp_msg);
+
+        free(tmp_msg);
+    }
+
+    /* Clear the memory */
+    FreeAlertData(al_data);
+
+    /* Check ignore and restrict log regex, if configured. */
+    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, syslog_msg)) {
+        /* Send message to queue */
+        w_msg_hash_queues_push(syslog_msg, lf->file, strlen(syslog_msg) + 1, lf->log_target, LOCALFILE_MQ);
+    }
+
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_postgresql_log.c b/src/modules/logcollector/src/read_postgresql_log.c
new file mode 100644
index 0000000000..e69201c2ad
--- /dev/null
+++ b/src/modules/logcollector/src/read_postgresql_log.c
@@ -0,0 +1,160 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Read PostgreSQL logs */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Send pgsql message and check the return code */
+static void __send_pgsql_msg(logreader *lf, int drop_it, char *buffer) {
+    mdebug2("Reading PostgreSQL message: '%s'", buffer);
+
+    /* Check ignore and restrict log regex, if configured. */
+    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, buffer)) {
+        /* Send message to queue */
+        w_msg_hash_queues_push(buffer, lf->file, strlen(buffer) + 1, lf->log_target, LOCALFILE_MQ);
+    }
+}
+
+/* Read PostgreSQL log files */
+void *read_postgresql_log(logreader *lf, int *rc, int drop_it) {
+    size_t str_len = 0;
+    int need_clear = 0;
+    char *p;
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char buffer[OS_MAX_LOG_SIZE] = {0};
+    int lines = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    /* Get new entry */
+    while (can_read() && fgets(str, sizeof(str), lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+        /* Get buffer size */
+        str_len = strlen(str);
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        /* Check str_len size. Very useless, but just to make sure.. */
+        if (str_len >= sizeof(buffer) - 2) {
+            str_len = sizeof(buffer) - 10;
+        }
+
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(str, '\n')) != NULL) {
+            *p = '\0';
+
+            /* If need_clear is set, we just get the line and ignore it. */
+            if (need_clear) {
+                need_clear = 0;
+                continue;
+            }
+        } else {
+            need_clear = 1;
+        }
+
+#ifdef WIN32
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on Windows) */
+        if (str_len <= 1) {
+            continue;
+        }
+
+        /* Windows can have comment on their logs */
+        if (str[0] == '#') {
+            continue;
+        }
+#endif
+
+        /* PostgreSQL messages have the following format:
+         * [2007-08-31 19:17:32.186 ADT] 192.168.2.99:db_name
+         */
+        if ((str_len > 32) &&
+                (str[0] == '[') &&
+                (str[5] == '-') &&
+                (str[8] == '-') &&
+                (str[11] == ' ') &&
+                (str[14] == ':') &&
+                (str[17] == ':') &&
+                isdigit((int)str[1]) &&
+                isdigit((int)str[12])) {
+
+            /* If the saved message is empty, set it and continue */
+            if (buffer[0] == '\0') {
+                snprintf(buffer, sizeof(buffer), "%s", str);
+                continue;
+            }
+
+            /* If not, send the saved one and store the new one for later */
+            else {
+                __send_pgsql_msg(lf, drop_it, buffer);
+                /* Store current one at the buffer */
+                snprintf(buffer, sizeof(buffer), "%s", str);
+            }
+        }
+
+        /* Query logs can be in multiple lines
+         * They always start with a tab in the additional ones
+         */
+        else if ((str_len > 2) && (buffer[0] != '\0') &&
+                 (str[0] == '\t')) {
+            /* Size of the buffer */
+            size_t buffer_len = strlen(buffer);
+
+            p = str + 1;
+
+            /* Remove extra spaces and tabs */
+            while (*p == ' ' || *p == '\t') {
+                p++;
+            }
+
+            /* Add additional message to the saved buffer */
+            if (sizeof(buffer) - buffer_len > str_len) {
+                /* Here we make sure that the size of the buffer
+                 * minus what was used (strlen) is greater than
+                 * the length of the received message.
+                 */
+                buffer[buffer_len] = ' ';
+                buffer[buffer_len + 1] = '\0';
+                strncat(buffer, str, str_len + 3);
+            }
+        }
+
+    }
+
+    /* Send whatever is stored */
+    if (buffer[0] != '\0') {
+        __send_pgsql_msg(lf, drop_it, buffer);
+    }
+
+    current_position = w_ftell(lf->fp);
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_snortfull.c b/src/modules/logcollector/src/read_snortfull.c
new file mode 100644
index 0000000000..3fe8392efc
--- /dev/null
+++ b/src/modules/logcollector/src/read_snortfull.c
@@ -0,0 +1,136 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+#define LABEL_PREPROCESSOR_MESSAGE  "[Classification: Preprocessor] [Priority: 3] "
+
+/* Read snort_full files */
+void *read_snortfull(logreader *lf, int *rc, int drop_it) {
+    int f_msg_size = OS_MAX_LOG_SIZE - 1;
+    const char *one = "one";
+    const char *two = "two";
+    const char *p = NULL;
+    char *q;
+    char str[OS_MAX_LOG_SIZE] = {0};
+    char f_msg[OS_MAX_LOG_SIZE] = {0};
+    int lines = 0;
+
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    while (can_read() && fgets(str, sizeof(str), lf->fp) != NULL && (!maximum_lines || lines < maximum_lines)) {
+
+        lines++;
+
+        if (is_valid_context_file) {
+            OS_SHA1_Stream(context, NULL, str);
+        }
+
+        /* Remove \n at the end of the string */
+        if ((q = strrchr(str, '\n')) != NULL) {
+            *q = '\0';
+        } else {
+            goto file_error;
+        }
+
+        /* First part of the message */
+        if (p == NULL) {
+            if (strncmp(str, "[**] [", 6) == 0) {
+                snprintf(f_msg, sizeof(f_msg), "%s", str);
+                f_msg_size -= strlen(str);
+                p = one;
+            }
+        } else {
+            if (p == one) {
+                /* Second line has the [Classification: */
+                if (strncmp(str, "[Classification: ", 16) == 0) {
+                    strncat(f_msg, str, f_msg_size);
+                    f_msg_size -= strlen(str);
+                    p = two;
+                } else if (strncmp(str, "[Priority: ", 10) == 0) {
+                    strncat(f_msg, LABEL_PREPROCESSOR_MESSAGE, f_msg_size);
+                    f_msg_size -= sizeof(LABEL_PREPROCESSOR_MESSAGE) - 1;
+                    p = two;
+                }
+
+                /* If it is a preprocessor message, it will not have
+                 * the classification.
+                 */
+                else if ((str[2] == '/') && (str[5] == '-') && (q = strchr(str, ' '))) {
+                    strncat(f_msg, LABEL_PREPROCESSOR_MESSAGE, f_msg_size);
+                    f_msg_size -= sizeof(LABEL_PREPROCESSOR_MESSAGE) - 1;
+                    strncat(f_msg, ++q, f_msg_size - 40);
+
+                    /* Clean for next event */
+                    p = NULL;
+
+                    /* Check ignore and restrict log regex, if configured. */
+                    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+                        /* Send message to queue */
+                        w_msg_hash_queues_push(str, lf->file, strlen(f_msg), lf->log_target, LOCALFILE_MQ);
+                    }
+
+                    f_msg[0] = '\0';
+                    f_msg_size = OS_MAX_LOG_SIZE - 1;
+                    str[0] = '\0';
+                } else {
+                    goto file_error;
+                }
+            } else if (p == two) {
+                /* Third line has the 01/13-15 (date) */
+                if ((str[2] == '/') && (str[5] == '-') && (q = strchr(str, ' '))) {
+                    strncat(f_msg, ++q, f_msg_size);
+                    p = NULL;
+
+                    /* Check ignore and restrict log regex, if configured. */
+                    if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+                        /* Send message to queue */
+                        w_msg_hash_queues_push(str, lf->file, strlen(str) + 1, lf->log_target, LOCALFILE_MQ);
+                    }
+
+                    f_msg[0] = '\0';
+                    f_msg_size = OS_MAX_LOG_SIZE - 1;
+                    str[0] = '\0';
+                } else {
+                    goto file_error;
+                }
+
+            }
+        }
+
+        continue;
+
+file_error:
+
+        merror("Bad formated snort full file.");
+        *rc = -1;
+        EVP_MD_CTX_free(context);
+        return (NULL);
+
+    }
+
+    current_position = w_ftell(lf->fp);
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_syslog.c b/src/modules/logcollector/src/read_syslog.c
new file mode 100644
index 0000000000..1355fc1b56
--- /dev/null
+++ b/src/modules/logcollector/src/read_syslog.c
@@ -0,0 +1,154 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the syslog */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Read syslog files */
+void *read_syslog(logreader *lf, int *rc, int drop_it) {
+    int __ms = 0;
+    int __ms_reported = 0;
+    char str[OS_MAXSTR + 1];
+    int64_t current_position = 0;
+    int lines = 0;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    str[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    current_position = w_ftell(lf->fp);
+
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgets(str, OS_MAXSTR - OS_LOG_HEADER, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+        lines++;
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        /* Get the last occurrence of \n */
+        if (str[rbytes - 1] == '\n') {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            str[rbytes - 1] = '\0';
+
+            if ((int64_t)strlen(str) != rbytes - 1)
+            {
+                mdebug2("Line in '%s' contains some zero-bytes (valid=" FTELL_TT "/ total=" FTELL_TT "). Dropping line.", lf->file, FTELL_INT64 strlen(str), FTELL_INT64 rbytes - 1);
+                continue;
+            }
+        }
+
+        /* If we didn't get the new line, because the
+         * size is large, send what we got so far.
+         */
+        else if (rbytes == OS_MAXSTR - OS_LOG_HEADER - 1) {
+            /* Message size > maximum allowed */
+            __ms = 1;
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            str[rbytes - 1] = '\0';
+        } else {
+            /* We may not have gotten a line feed
+             * because we reached EOF.
+             */
+             if (feof(lf->fp)) {
+                /* Message not complete. Return. */
+                mdebug2("Message not complete from '%s'. Trying again: '%.*s'%s", lf->file, sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+                if(current_position >= 0) {
+                    w_fseek(lf->fp, current_position, SEEK_SET);
+                }
+                break;
+            }
+        }
+
+#ifdef WIN32
+        char * p;
+
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on Windows) */
+        if (rbytes <= 2) {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+
+        /* Windows can have comment on their logs */
+        if (str[0] == '#') {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+#endif
+
+        mdebug2("Reading syslog message: '%.*s'%s", sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+
+        /* Check ignore and restrict log regex, if configured. */
+        if (drop_it == 0 && !check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, str)) {
+            /* Send message to queue */
+            w_msg_hash_queues_push(str, lf->file, rbytes, lf->log_target, LOCALFILE_MQ);
+        }
+
+        /* Incorrect message size */
+        if (__ms) {
+            // strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)
+            // truncate str before logging to ossec.log
+
+            if (!__ms_reported) {
+                merror("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+                __ms_reported = 1;
+            } else {
+                mdebug2("Large message size from file '%s' (length = " FTELL_TT "): '%.*s'...", lf->file, FTELL_INT64 rbytes, sample_log_length, str);
+            }
+
+            for (offset += rbytes; fgets(str, OS_MAXSTR - 2, lf->fp) != NULL; offset += rbytes) {
+                rbytes = w_ftell(lf->fp) - offset;
+
+                /* Flow control */
+                if (rbytes <= 0) {
+                    break;
+                }
+
+                if (is_valid_context_file) {
+                    OS_SHA1_Stream(context, NULL, str);
+                }
+
+                /* Get the last occurrence of \n */
+                if (str[rbytes - 1] == '\n') {
+                    break;
+                }
+            }
+            __ms = 0;
+        }
+        current_position = w_ftell(lf->fp);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
diff --git a/src/modules/logcollector/src/read_ucs2_be.c b/src/modules/logcollector/src/read_ucs2_be.c
new file mode 100644
index 0000000000..90afbddcc1
--- /dev/null
+++ b/src/modules/logcollector/src/read_ucs2_be.c
@@ -0,0 +1,172 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the syslog */
+#ifdef WIN32
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+#define OS_MAXSTR_BE OS_MAXSTR * 2
+
+/* Read ucs2 files */
+void *read_ucs2_be(logreader *lf, int *rc, int drop_it) {
+    int __ms = 0;
+    int __ms_reported = 0;
+    char str[OS_MAXSTR_BE + 1];
+    int lines = 0;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    str[OS_MAXSTR_BE] = '\0';
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgets(str, OS_MAXSTR_BE - OS_LOG_HEADER, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+        lines++;
+
+        mdebug2("Bytes read from '%s': %lld bytes",lf->file,rbytes);
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        /* Get the last occurrence of \n */
+        if (str[rbytes - 1] == '\n') {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            str[rbytes - 1] = '\0';
+        }
+        /* If we didn't get the new line, because the
+         * size is large, send what we got so far.
+         */
+        else if (rbytes == OS_MAXSTR_BE - OS_LOG_HEADER - 1) {
+            /* Message size > maximum allowed */
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, str);
+            }
+            __ms = 1;
+            str[rbytes - 1] = '\0';
+        } else {
+            /* We may not have gotten a line feed
+             * because we reached EOF.
+             */
+            if (lf->ucs2 == UCS2_LE && feof(lf->fp)) {
+                /* Message not complete. Return. */
+                mdebug2("Message not complete from '%s'. Trying again: '%.*s'%s", lf->file, sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+                w_fseek(lf->fp, current_position, SEEK_SET);
+                break;
+            }
+        }
+
+        char * p;
+
+        if ((p = strrchr(str, '\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on Windows) */
+        if (rbytes <= 4) {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+
+        /* Windows can have comment on their logs */
+        if (str[1] == '#') {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+
+        mdebug2("Reading syslog message: '%.*s'%s", sample_log_length, str, rbytes > sample_log_length ? "..." : "");
+
+        /* Send message to queue */
+        if (drop_it == 0) {
+
+            long int utf8_bytes = 0;
+            char *utf8_string = NULL;
+
+            /* If the file is Big Endian, swap every byte */
+            int i;
+            int j = 0;
+            for (i = 0; i < (OS_MAXSTR_BE / 2); i++) {
+                char c = str[j];
+                str[j] = str[j+1];
+                str[j+1] = c;
+                j+=2;
+            }
+
+            if (utf8_bytes = WideCharToMultiByte(CP_UTF8, 0, (wchar_t *) str, -1, NULL, 0, NULL, NULL), utf8_bytes > 0) {
+                os_calloc(utf8_bytes + 1, sizeof(char), utf8_string);
+                utf8_bytes = WideCharToMultiByte(CP_UTF8, 0, (wchar_t *) str, -1, utf8_string, utf8_bytes, NULL, NULL);
+                utf8_string[utf8_bytes] = '\0';
+                mdebug2("Line converted to UTF-8 is %ld bytes",utf8_bytes);
+            }
+
+            if (!utf8_bytes) {
+                mdebug1("Couldn't transform read line to UTF-8: %lu.", GetLastError());
+                os_free(utf8_string);
+                continue;
+            }
+
+            if (!check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, utf8_string)) {
+                w_msg_hash_queues_push(utf8_string, lf->file, utf8_bytes, lf->log_target, LOCALFILE_MQ);
+            }
+
+            os_free(utf8_string);
+        }
+        /* Incorrect message size */
+        if (__ms) {
+
+            if (!__ms_reported) {
+                merror("Large message size from file '%s' (length = %lld): '%.*s'...", lf->file, rbytes, sample_log_length, str);
+                __ms_reported = 1;
+            } else {
+                mdebug2("Large message size from file '%s' (length = %lld): '%.*s'...", lf->file, rbytes, sample_log_length, str);
+            }
+
+            for (offset += rbytes; fgets(str, OS_MAXSTR_BE - 2, lf->fp) != NULL; offset += rbytes) {
+                rbytes = w_ftell(lf->fp) - offset;
+
+                /* Flow control */
+                if (rbytes <= 0) {
+                    break;
+                }
+
+                if (is_valid_context_file) {
+                    OS_SHA1_Stream(context, NULL, str);
+                }
+
+                /* Get the last occurrence of \n */
+                if (str[rbytes - 1] == '\n') {
+                    break;
+                }
+            }
+            __ms = 0;
+        }
+        current_position = w_ftell(lf->fp);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
+#endif
diff --git a/src/modules/logcollector/src/read_ucs2_le.c b/src/modules/logcollector/src/read_ucs2_le.c
new file mode 100644
index 0000000000..77933f59e3
--- /dev/null
+++ b/src/modules/logcollector/src/read_ucs2_le.c
@@ -0,0 +1,166 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/* Read the syslog */
+#ifdef WIN32
+
+#include "shared.h"
+#include "logcollector.h"
+#include "os_crypto/sha1/sha1_op.h"
+
+
+/* Read ucs2 files */
+void *read_ucs2_le(logreader *lf, int *rc, int drop_it) {
+    int __ms = 0;
+    int __ms_reported = 0;
+    wchar_t str[OS_MAXSTR + 1];
+    int lines = 0;
+    int64_t offset = 0;
+    int64_t rbytes = 0;
+
+    str[OS_MAXSTR] = '\0';
+    *rc = 0;
+
+    /* Obtain context to calculate hash */
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t current_position = w_ftell(lf->fp);
+    bool is_valid_context_file = w_get_hash_context(lf, &context, current_position);
+
+    for (offset = w_ftell(lf->fp); can_read() && fgetws(str, OS_MAXSTR - OS_LOG_HEADER, lf->fp) != NULL && (!maximum_lines || lines < maximum_lines) && offset >= 0; offset += rbytes) {
+        rbytes = w_ftell(lf->fp) - offset;
+        lines++;
+
+        mdebug2("Bytes read from '%s': %lld bytes",lf->file,rbytes);
+
+        /* Flow control */
+        if (rbytes <= 0) {
+            break;
+        }
+
+        wchar_t * n;
+        /* Get the last occurrence of \n */
+        if ((n = wcsrchr(str, L'\n')) != NULL) {
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, (char *) str);
+            }
+            *n = '\0';
+        }
+        /* If we didn't get the new line, because the
+         * size is large, send what we got so far.
+         */
+        if (rbytes == OS_MAXSTR - OS_LOG_HEADER - 1) {
+            /* Message size > maximum allowed */
+            if (is_valid_context_file) {
+                OS_SHA1_Stream(context, NULL, (char *) str);
+            }
+            __ms = 1;
+            str[rbytes - 1] = '\0';
+        } else {
+            /* We may not have gotten a line feed
+             * because we reached EOF.
+             */
+            if (lf->ucs2 == UCS2_LE && feof(lf->fp)) {
+                /* Message not complete. Return. */
+                mdebug2("Message not complete from '%s'. Trying again: '%.*s'%s", lf->file, sample_log_length,(char* ) str, rbytes > sample_log_length ? "..." : "");
+                w_fseek(lf->fp, current_position, SEEK_SET);
+                break;
+            }
+        }
+
+        wchar_t * p;
+
+        if ((p = wcsrchr(str, L'\r')) != NULL) {
+            *p = '\0';
+        }
+
+        /* Look for empty string (only on Windows) */
+        if (rbytes <= 4) {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+
+        /* Windows can have comment on their logs */
+        if (str[0] == '#') {
+            current_position = w_ftell(lf->fp);
+            continue;
+        }
+
+        mdebug2("Reading syslog message: '%.*s'%s", sample_log_length, (char * )str, rbytes > sample_log_length ? "..." : "");
+
+        /* Send message to queue */
+        if (drop_it == 0) {
+
+            long int utf8_bytes = 0;
+            char *utf8_string = NULL;
+
+            if (utf8_bytes = WideCharToMultiByte(CP_UTF8, 0, (wchar_t *)str, -1, NULL, 0, NULL, NULL), utf8_bytes > 0) {
+                os_calloc(utf8_bytes + 1, sizeof(char), utf8_string);
+                utf8_bytes = WideCharToMultiByte(CP_UTF8, 0, (wchar_t *)str, -1, utf8_string, utf8_bytes, NULL, NULL);
+                utf8_string[utf8_bytes] = '\0';
+                mdebug2("Line converted to UTF-8 is %ld bytes",utf8_bytes);
+            }
+
+            if (!utf8_bytes) {
+                mdebug1("Couldn't transform read line to UTF-8: %lu.", GetLastError());
+                os_free(utf8_string);
+                continue;
+            }
+
+            if (!check_ignore_and_restrict(lf->regex_ignore, lf->regex_restrict, utf8_string)) {
+                w_msg_hash_queues_push(utf8_string, lf->file, utf8_bytes, lf->log_target, LOCALFILE_MQ);
+            }
+
+            os_free(utf8_string);
+        }
+        /* Incorrect message size */
+        if (__ms) {
+            // strlen(str) >= (OS_MAXSTR - OS_LOG_HEADER - 2)
+            // truncate str before logging to ossec.log
+
+            if (!__ms_reported) {
+                merror("Large message size from file '%s' (length = %lld): '%.*s'...", lf->file, rbytes, sample_log_length, (char* ) str);
+                __ms_reported = 1;
+            } else {
+                mdebug2("Large message size from file '%s' (length = %lld): '%.*s'...", lf->file, rbytes, sample_log_length, (char* ) str);
+            }
+
+            for (offset += rbytes; fgetws(str, OS_MAXSTR - 2, lf->fp) != NULL; offset += rbytes) {
+                rbytes = w_ftell(lf->fp) - offset;
+
+                /* Flow control */
+                if (rbytes <= 1) {
+                    break;
+                }
+
+                if (is_valid_context_file) {
+                    OS_SHA1_Stream(context, NULL, (char *) str);
+                }
+
+                /* Get the last occurrence of \n */
+                if (str[rbytes - 2] == '\n') {
+                    break;
+                }
+            }
+            __ms = 0;
+        }
+
+        current_position = w_ftell(lf->fp);
+    }
+
+    if (is_valid_context_file) {
+        w_update_file_status(lf->file, current_position, context);
+    } else {
+        EVP_MD_CTX_free(context);
+    }
+
+    mdebug2("Read %d lines from %s", lines, lf->file);
+    return (NULL);
+}
+#endif
diff --git a/src/modules/logcollector/src/read_win_el.c b/src/modules/logcollector/src/read_win_el.c
new file mode 100644
index 0000000000..25d243a953
--- /dev/null
+++ b/src/modules/logcollector/src/read_win_el.c
@@ -0,0 +1,662 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "logcollector.h"
+#include "state.h"
+
+#ifdef WIN32
+
+#define BUFFER_SIZE 2048*256
+
+/* Event logging local structure */
+typedef struct _os_el {
+    int time_of_last;
+    char *name;
+
+    EVENTLOGRECORD *er;
+    HANDLE h;
+
+    DWORD record;
+
+} os_el;
+
+/** Global variables **/
+
+/* Maximum of 9 event log sources */
+os_el el[9];
+int el_last = 0;
+void *vista_sec_id_hash = NULL;
+void *dll_hash = NULL;
+
+
+/* Start the event logging for each el */
+int startEL(char *app, os_el *el)
+{
+    DWORD NumberOfRecords = 0;
+
+    /* Open the event log */
+    el->h = OpenEventLog(NULL, app);
+    if (!el->h) {
+        merror(EVTLOG_OPEN, app);
+        return (-1);
+    }
+
+    el->name = app;
+    if (GetOldestEventLogRecord(el->h, &el->record) == 0) {
+        /* Unable to read oldest event log record */
+        merror(EVTLOG_GETLAST, app);
+        CloseEventLog(el->h);
+        el->h = NULL;
+        return (-1);
+    }
+
+    if (GetNumberOfEventLogRecords(el->h, &NumberOfRecords) == 0) {
+        merror(EVTLOG_GETLAST, app);
+        CloseEventLog(el->h);
+        el->h = NULL;
+        return (-1);
+    }
+
+    if (NumberOfRecords <= 0) {
+        return (0);
+    }
+
+    return ((int)NumberOfRecords);
+}
+
+/* Returns a string that is a human readable datetime from an epoch int */
+char *epoch_to_human(time_t epoch)
+{
+    static char buf[80];
+    struct tm tm_result = { .tm_sec = 0 };
+
+    localtime_r(&epoch, &tm_result);
+    strftime(buf, sizeof(buf), "%Y %b %d %H:%M:%S", &tm_result);
+    return (buf);
+}
+
+/* Returns a string related to the category id of the log */
+char *el_getCategory(int category_id)
+{
+    char *cat;
+    switch (category_id) {
+        case EVENTLOG_ERROR_TYPE:
+            cat = "ERROR";
+            break;
+        case EVENTLOG_WARNING_TYPE:
+            cat = "WARNING";
+            break;
+        case EVENTLOG_INFORMATION_TYPE:
+            cat = "INFORMATION";
+            break;
+        case EVENTLOG_AUDIT_SUCCESS:
+            cat = "AUDIT_SUCCESS";
+            break;
+        case EVENTLOG_AUDIT_FAILURE:
+            cat = "AUDIT_FAILURE";
+            break;
+        default:
+            cat = "Unknown";
+            break;
+    }
+    return (cat);
+}
+
+/* Returns the event */
+char *el_getEventDLL(char *evt_name, char *source, char *event)
+{
+    char *ret_str;
+    HKEY key;
+    DWORD ret;
+    char keyname[512] = {'\0'};
+    char *skey = NULL, *sval = NULL;
+
+    snprintf(keyname, 510,
+             "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
+             evt_name,
+             source);
+
+    /* Check if we have it in memory */
+    ret_str = OSHash_Get(dll_hash, keyname + 42);
+    if (ret_str) {
+        return (ret_str);
+    }
+
+    /* Open Registry */
+    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0,
+                     KEY_ALL_ACCESS, &key) != ERROR_SUCCESS) {
+        return (NULL);
+    }
+
+    ret = MAX_PATH - 1;
+    if (RegQueryValueEx(key, "EventMessageFile", NULL,
+                        NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS) {
+        event[0] = '\0';
+        RegCloseKey(key);
+        return (NULL);
+    } else {
+        /* Adding to memory */
+        skey = strdup(keyname + 42);
+        sval = strdup(event);
+
+        if (skey != NULL && sval != NULL) {
+            if (OSHash_Add(dll_hash, skey, sval) != 2) free(sval);
+            free(skey);
+        } else {
+            merror(MEM_ERROR, errno, strerror(errno));
+            if (skey != NULL) free(skey);
+            if (sval != NULL) free(sval);
+        }
+
+        skey = NULL;
+        sval = NULL;
+    }
+
+    RegCloseKey(key);
+    return (event);
+}
+
+/* Returns a descriptive message of the event - Vista only */
+char *el_vista_getMessage(int evt_id_int, LPTSTR *el_sstring)
+{
+    DWORD fm_flags = 0;
+    LPSTR message = NULL;
+    char *desc_string;
+    char evt_id[16];
+
+    /* Flags for format event */
+    fm_flags |= FORMAT_MESSAGE_FROM_STRING;
+    fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
+    fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
+
+    /* Get descriptive message */
+    evt_id[15] = '\0';
+    snprintf(evt_id, 15, "%d", evt_id_int);
+
+    desc_string = OSHash_Get(vista_sec_id_hash, evt_id);
+    if (!desc_string) {
+        return (NULL);
+    }
+
+    if (!FormatMessage(fm_flags, desc_string, 0, 0,
+                       (LPTSTR) &message, 0, el_sstring)) {
+        return (NULL);
+    }
+
+    return (message);
+}
+
+/* Returns a descriptive message of the event */
+char *el_getMessage(EVENTLOGRECORD *er,  char *name,
+                    char *source, LPTSTR *el_sstring)
+{
+    DWORD fm_flags = 0;
+    char tmp_str[257];
+    char event[MAX_PATH + 1];
+    char *curr_str;
+    char *next_str;
+    LPSTR message = NULL;
+
+    HMODULE hevt;
+
+    /* Initialize variables */
+    event[MAX_PATH] = '\0';
+    tmp_str[256] = '\0';
+
+    /* Flags for format event */
+    fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
+    fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
+    fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
+
+    /* Get the file name from the registry (stored on event) */
+    if (!(curr_str = el_getEventDLL(name, source, event))) {
+        return (NULL);
+    }
+
+    /* If our event has multiple libraries, try each one of them */
+    while ((next_str = strchr(curr_str, ';'))) {
+        *next_str = '\0';
+
+        ExpandEnvironmentStrings(curr_str, tmp_str, 255);
+
+        /* Revert back old value */
+        *next_str = ';';
+
+        /* Load library */
+        hevt = LoadLibraryEx(tmp_str, NULL,
+                             DONT_RESOLVE_DLL_REFERENCES |
+                             LOAD_LIBRARY_AS_DATAFILE);
+        if (hevt) {
+            if (!FormatMessage(fm_flags, hevt, er->EventID, 0,
+                               (LPTSTR) &message, 0, el_sstring)) {
+                message = NULL;
+            }
+            FreeLibrary(hevt);
+
+            /* If we have a message, we can return it */
+            if (message) {
+                return (message);
+            }
+        }
+
+        curr_str = next_str + 1;
+    }
+
+    /* Get last value */
+    ExpandEnvironmentStrings(curr_str, tmp_str, 255);
+    hevt = LoadLibraryEx(tmp_str, NULL,
+                         DONT_RESOLVE_DLL_REFERENCES |
+                         LOAD_LIBRARY_AS_DATAFILE);
+    if (hevt) {
+        int hr;
+        if (hr = FormatMessage(fm_flags, hevt, er->EventID,
+                               0,
+                               (LPTSTR) &message, 0, el_sstring), !hr) {
+            message = NULL;
+        }
+        FreeLibrary(hevt);
+
+        /* If we have a message, we can return it */
+        if (message) {
+            return (message);
+        }
+    }
+
+    return (NULL);
+}
+
+/* Reads the event log */
+void readel(os_el *el, int printit)
+{
+    DWORD _evtid = 65535;
+    DWORD nstr;
+    DWORD user_size;
+    DWORD domain_size;
+    DWORD read, needed;
+    int size_left;
+    int str_size;
+    int id;
+    static int counter = 0;
+
+    char mbuffer[BUFFER_SIZE + 1];
+    LPSTR sstr = NULL;
+
+    char *tmp_str = NULL;
+    char *category;
+    char *source;
+    char *computer_name;
+    char *descriptive_msg;
+
+    char el_user[OS_FLSIZE + 1];
+    char el_domain[OS_FLSIZE + 1];
+    char el_string[OS_MAXSTR + 1];
+    char final_msg[OS_MAXSTR + 1];
+    LPSTR el_sstring[OS_FLSIZE + 1] = {0};
+
+    /* er must point to the mbuffer */
+    el->er = (EVENTLOGRECORD *) &mbuffer;
+
+    /* Zero the values */
+    el_string[OS_MAXSTR] = '\0';
+    el_user[OS_FLSIZE] = '\0';
+    el_domain[OS_FLSIZE] = '\0';
+    final_msg[OS_MAXSTR] = '\0';
+
+    /* Event log is not open */
+    if (!el->h) {
+        el->er = NULL;
+        return;
+    }
+
+    /* Read the event log */
+    while (ReadEventLog(el->h,
+                        EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
+                        0,
+                        el->er, BUFFER_SIZE - 1, &read, &needed)) {
+        if (!printit) {
+            /* Set er to the beginning of the buffer */
+            el->er = (EVENTLOGRECORD *)&mbuffer;
+            continue;
+        }
+
+
+        while (read > 0) {
+            /* We need to initialize every variable before the loop */
+            category = el_getCategory(el->er->EventType);
+            source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
+            computer_name = source + strlen(source) + 1;
+            descriptive_msg = NULL;
+
+            /* Get event id */
+            id = (int)el->er->EventID & _evtid;
+
+            /* Initialize domain/user size */
+            user_size = 255;
+            domain_size = 255;
+            el_domain[0] = '\0';
+            el_user[0] = '\0';
+
+            /* We must have some description */
+            if (el->er->NumStrings) {
+                size_left = OS_MAXSTR - OS_SIZE_1024;
+
+                sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
+                el_string[0] = '\0';
+
+                for (nstr = 0; nstr < el->er->NumStrings && sstr; nstr++) {
+                    str_size = strlen(sstr);
+                    if (size_left > 1) {
+                        strncat(el_string, sstr, size_left);
+                    }
+
+                    tmp_str = strchr(el_string, '\0');
+                    if (tmp_str) {
+                        *tmp_str = ' ';
+                        tmp_str++;
+                        *tmp_str = '\0';
+                    } else {
+                        merror("Invalid application string (size+)");
+                    }
+                    size_left -= str_size + 2;
+
+                    if (nstr <= 92) {
+                        el_sstring[nstr] = (LPSTR)sstr;
+                        el_sstring[nstr + 1] = NULL;
+                    }
+
+                    sstr = strchr( (LPSTR)sstr, '\0');
+                    if (sstr) {
+                        sstr++;
+                    }
+                }
+
+                /* Get a more descriptive message (if available) */
+                if (isVista && strcmp(el->name, "Security") == 0) {
+                    descriptive_msg = el_vista_getMessage(id, el_sstring);
+                }
+
+                else {
+                    descriptive_msg = el_getMessage(el->er,
+                                                    el->name,
+                                                    source,
+                                                    el_sstring);
+                }
+
+                if (descriptive_msg != NULL) {
+                    /* format message */
+                    win_format_event_string(descriptive_msg);
+                }
+            } else {
+                strncpy(el_string, "(no message)", 128);
+            }
+
+            /* Get username */
+            if (el->er->UserSidLength) {
+                SID_NAME_USE account_type;
+                if (!LookupAccountSid(NULL,
+                                      (SID *)((LPSTR)el->er +
+                                              el->er->UserSidOffset),
+                                      el_user,
+                                      &user_size,
+                                      el_domain,
+                                      &domain_size,
+                                      &account_type)) {
+                    strncpy(el_user, "(no user)", 255);
+                    strncpy(el_domain, "no domain", 255);
+                }
+            }
+
+            else if (isVista && strcmp(el->name, "Security") == 0) {
+                int uid_array_id = -1;
+
+                switch (id) {
+                    case 4624:
+                        uid_array_id = 5;
+                        break;
+                    case 4634:
+                        uid_array_id = 1;
+                        break;
+                    case 4647:
+                        uid_array_id = 1;
+                        break;
+                    case 4769:
+                        uid_array_id = 0;
+                        break;
+                }
+
+                if ((uid_array_id >= 0) &&
+                        el_sstring[uid_array_id] &&
+                        el_sstring[uid_array_id + 1]) {
+                    strncpy(el_user, el_sstring[uid_array_id], OS_FLSIZE);
+                    strncpy(el_domain, el_sstring[uid_array_id + 1], OS_FLSIZE);
+                } else {
+                    strncpy(el_user, "(no user)", 255);
+                    strncpy(el_domain, "no domain", 255);
+                }
+            }
+
+            else {
+                strncpy(el_user, "(no user)", 255);
+                strncpy(el_domain, "no domain", 255);
+            }
+
+            if (printit) {
+                DWORD _evtid = 65535;
+                int id = (int)el->er->EventID & _evtid;
+
+                final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0';
+                final_msg[OS_MAXSTR - OS_LOG_HEADER - 1] = '\0';
+
+                snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER - 1,
+                         "%s WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
+                         epoch_to_human((int)el->er->TimeGenerated),
+                         el->name,
+                         category,
+                         id,
+                         source,
+                         el_user,
+                         el_domain,
+                         computer_name,
+                         descriptive_msg != NULL ? descriptive_msg : el_string);
+
+                w_logcollector_state_update_file(el->name, strlen(final_msg));
+
+                if (SendMSG(logr_queue, final_msg, "WinEvtLog", LOCALFILE_MQ) < 0) {
+                    merror(QUEUE_SEND);
+                    w_logcollector_state_update_target(el->name, "agent", true);
+                } else {
+                    w_logcollector_state_update_target(el->name, "agent", false);
+                }
+            }
+
+            if (descriptive_msg != NULL) {
+                LocalFree(descriptive_msg);
+            }
+
+            /* Change the point to the er */
+            read -= el->er->Length;
+            el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
+        }
+
+        /* Set er to the beginning of the buffer */
+        el->er = (EVENTLOGRECORD *)&mbuffer;
+    }
+
+    id = GetLastError();
+    if (id == ERROR_HANDLE_EOF) {
+        el->er = NULL;
+        return;
+    }
+
+    /* Event log was cleared */
+    else if (id == ERROR_EVENTLOG_FILE_CHANGED) {
+        char msg_alert[512 + 1];
+        msg_alert[512] = '\0';
+        mwarn("Event log cleared: '%s'", el->name);
+
+        /* Send message about cleared */
+        snprintf(msg_alert, 512, "ossec: Event log cleared: '%s'", el->name);
+        SendMSG(logr_queue, msg_alert, "WinEvtLog", LOCALFILE_MQ);
+
+        /* Close the event log and reopen */
+        CloseEventLog(el->h);
+        el->h = NULL;
+
+        /* Reopen */
+        if (startEL(el->name, el) < 0) {
+            merror("Unable to reopen event log '%s'", el->name);
+        }
+    }
+
+
+    /* Event log was closed and re-opened */
+    else if (id == ERROR_INVALID_HANDLE) {
+        mdebug1("The EventLog service has been restarted. Reconnecting to '%s' channel.", el->name);
+
+        CloseEventLog(el->h);
+        el->h = NULL;
+
+        /* Reopen */
+        if (startEL(el->name, el) < 0) {
+            merror(
+            "Could not subscribe for (%s) which returned (%d)",
+            el->name,
+            id);
+        } else {
+            counter = 0;
+            minfo("'%s' channel has been reconnected succesfully.", el->name);
+        }
+    }
+
+    else if (id == RPC_S_SERVER_UNAVAILABLE || id == RPC_S_UNKNOWN_IF) {
+        /* Prevent message flooding when EventLog is stopped */
+        el->er = NULL;
+        if (counter == 0) {
+            mwarn("The EventLog service is down. Unable to collect logs from its channels.");
+            counter = 1;
+        }
+    }
+
+    else {
+        mdebug1("Error reading event log: %d", id);
+    }
+}
+
+/* Read Windows Vista security description */
+void win_read_vista_sec()
+{
+    char *p = NULL, *key = NULL, *desc = NULL;
+    char buf[OS_MAXSTR + 1] = {'\0'};
+    FILE *fp;
+
+    /* Vista security */
+    fp = wfopen("vista_sec.txt", "r");
+    if (!fp) merror_exit("Unable to read vista security descriptions.");
+
+    /* Creating the hash */
+    vista_sec_id_hash = OSHash_Create();
+    if (!vista_sec_id_hash) {
+        fclose(fp);
+        merror_exit("Unable to read vista security descriptions.");
+    }
+
+    /* Read the whole file and add it to memory */
+    while (fgets(buf, OS_MAXSTR, fp) != NULL) {
+        /* Get the last occurrence of \n */
+        if ((p = strrchr(buf, '\n')) != NULL) {
+            *p = '\0';
+        }
+
+        p = strchr(buf, ',');
+        if (!p) {
+            merror("Invalid entry on the Vista security description.");
+            continue;
+        }
+
+        *p = '\0';
+        p++;
+
+        /* Remove whitespace */
+        while (*p == ' ') {
+            p++;
+        }
+
+        /* Allocate memory */
+        key = strdup(buf);
+        desc = strdup(p);
+
+        if (!key || !desc) {
+            merror("Invalid entry on the Vista security description.");
+            if (key) free(key);
+            if (desc) free(desc);
+        } else {
+            /* Insert on hash */
+            if (OSHash_Add(vista_sec_id_hash, key, desc) != 2) free(desc);
+
+            /* OSHash_Add() duplicates the key, but not the data */
+            free(key);
+        }
+
+        /* Reset pointer addresses before using strdup() again */
+        /* The hash will keep the needed memory references */
+        key = NULL;
+        desc = NULL;
+    }
+
+    fclose(fp);
+}
+
+/* Start the event logging for windows */
+void win_startel(char *evt_log)
+{
+    int entries_count = 0;
+
+    /* Maximum size */
+    if (el_last == 9) {
+        merror(EVTLOG_DUP, evt_log);
+        return;
+    }
+
+    /* Create the DLL hash */
+    if (!dll_hash) {
+        dll_hash = OSHash_Create();
+        if (!dll_hash) {
+            merror("Unable to create DLL hash.");
+        }
+    }
+
+    w_logcollector_state_add_file(evt_log);
+    w_logcollector_state_add_target(evt_log, "agent");
+
+    /* Start event log -- going to last available record */
+    if (entries_count = startEL(evt_log, &el[el_last]), entries_count < 0) {
+        merror(INV_EVTLOG, evt_log);
+        return;
+    } else {
+        readel(&el[el_last], 0);
+    }
+    el_last++;
+}
+
+/* Read the event logging for windows */
+void win_readel()
+{
+    int i = 0;
+
+    /* Sleep plus 2 seconds before reading again */
+    Sleep(2000);
+
+    for (; i < el_last; i++) {
+        readel(&el[i], 1);
+    }
+}
+
+#endif
diff --git a/src/modules/logcollector/src/read_win_event_channel.c b/src/modules/logcollector/src/read_win_event_channel.c
new file mode 100644
index 0000000000..1602548527
--- /dev/null
+++ b/src/modules/logcollector/src/read_win_event_channel.c
@@ -0,0 +1,694 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifdef WIN32
+#ifdef EVENTCHANNEL_SUPPORT
+
+/* Saying we are on Vista in order to have the API */
+#define _WIN32_WINNT 0x0600
+
+/* Using Secure APIs */
+#define MINGW_HAS_SECURE_API 1
+
+/* Bookmarks directory */
+#define BOOKMARKS_DIR "bookmarks"
+
+/* Logging levels */
+#define WINEVENT_AUDIT		0
+#define WINEVENT_CRITICAL	1
+#define WINEVENT_ERROR		2
+#define WINEVENT_WARNING	3
+#define WINEVENT_INFORMATION	4
+#define WINEVENT_VERBOSE	5
+
+/* Audit types */
+#define WINEVENT_AUDIT_FAILURE 0x10000000000000LL
+#define WINEVENT_AUDIT_SUCCESS 0x20000000000000LL
+
+#include "shared.h"
+#include "logcollector.h"
+#include "state.h"
+
+#include <stdint.h>
+#include <winevt.h>
+#include <sec_api/stdlib_s.h>
+#include <winerror.h>
+#include <sddl.h>
+
+#ifdef WAZUH_UNIT_TESTING
+#include "../unit_tests/wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../unit_tests/wrappers/windows/errhandlingapi_wrappers.h"
+#include "../unit_tests/wrappers/windows/winbase_wrappers.h"
+#include "../unit_tests/wrappers/windows/winevt_wrappers.h"
+
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+typedef struct _os_event {
+    char *name;
+    unsigned int id;
+    char *source;
+    SID *uid;
+    char *user;
+    char *domain;
+    char *computer;
+    char *message;
+    ULONGLONG time_created;
+    char *timestamp;
+    int64_t keywords;
+    int64_t level;
+    char *category;
+} os_event;
+
+typedef struct _os_channel {
+    char *evt_log;
+    char *bookmark_name;
+    char bookmark_enabled;
+    char bookmark_filename[OS_MAXSTR];
+    char *query;
+    int reconnect_time;
+    EVT_HANDLE subscription;
+} os_channel;
+
+STATIC char *get_message(EVT_HANDLE evt, LPCWSTR provider_name, DWORD flags);
+STATIC EVT_HANDLE read_bookmark(os_channel *channel);
+
+wchar_t *convert_unix_string(char *string)
+{
+    wchar_t *dest = NULL;
+    size_t size = 0;
+    int result = 0;
+
+    if (string == NULL) {
+        return (NULL);
+    }
+
+    /* Determine size required */
+    size = MultiByteToWideChar(CP_UTF8,
+                               MB_ERR_INVALID_CHARS,
+                               string,
+                               -1,
+                               NULL,
+                               0);
+
+    if (size == 0) {
+        merror(
+            "Could not MultiByteToWideChar() when determining size which returned (%lu)",
+            GetLastError());
+        return (NULL);
+    }
+
+    if ((dest = calloc(size, sizeof(wchar_t))) == NULL) {
+        merror(
+            "Could not calloc() memory for MultiByteToWideChar() which returned [(%d)-(%s)]",
+            errno,
+            strerror(errno));
+        return (NULL);
+    }
+
+    result = MultiByteToWideChar(CP_UTF8,
+                                 MB_ERR_INVALID_CHARS,
+                                 string,
+                                 -1,
+                                 dest,
+                                 size);
+
+    if (result == 0) {
+        merror(
+            "Could not MultiByteToWideChar() which returned (%lu)",
+            GetLastError());
+        free(dest);
+        return (NULL);
+    }
+
+    return (dest);
+}
+
+STATIC char *get_message(EVT_HANDLE evt, LPCWSTR provider_name, DWORD flags)
+{
+    char *message = NULL;
+    EVT_HANDLE publisher = NULL;
+    DWORD size = 0;
+    wchar_t *buffer = NULL;
+    int result = 0;
+
+    publisher = EvtOpenPublisherMetadata(NULL,
+                                         provider_name,
+                                         NULL,
+                                         0,
+                                         0);
+    if (publisher == NULL) {
+        LSTATUS err = GetLastError();
+        char error_msg[OS_SIZE_1024];
+        memset(error_msg, 0, OS_SIZE_1024);
+        FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS
+                | FORMAT_MESSAGE_MAX_WIDTH_MASK,
+                NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                (LPTSTR) &error_msg, OS_SIZE_1024, NULL);
+
+        mdebug1(
+            "Could not EvtOpenPublisherMetadata() with flags (%lu) which returned (%lu): %s",
+            flags,
+            err,
+            error_msg);
+        goto cleanup;
+    }
+
+    /* Make initial call to determine buffer size */
+    result = EvtFormatMessage(publisher,
+                              evt,
+                              0,
+                              0,
+                              NULL,
+                              flags,
+                              0,
+                              NULL,
+                              &size);
+    if (result != FALSE || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+        merror(
+            "Could not EvtFormatMessage() to determine buffer size with flags (%lu) which returned (%lu)",
+            flags,
+            GetLastError());
+        goto cleanup;
+    }
+
+    /* Increase buffer size by one due to the difference in the size count between EvtFormatMessage() and
+       WideCharToMultiByte() */
+    size += 1;
+    if ((buffer = calloc(size, sizeof(wchar_t))) == NULL) {
+        merror(
+            "Could not calloc() memory which returned [(%d)-(%s)]",
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    result = EvtFormatMessage(publisher,
+                              evt,
+                              0,
+                              0,
+                              NULL,
+                              flags,
+                              size,
+                              buffer,
+                              &size);
+    if (result == FALSE) {
+        merror(
+            "Could not EvtFormatMessage() with flags (%lu) which returned (%lu)",
+            flags,
+            GetLastError());
+        goto cleanup;
+    }
+
+    message = convert_windows_string(buffer);
+
+cleanup:
+    free(buffer);
+
+    if (publisher != NULL) {
+        EvtClose(publisher);
+    }
+
+    return (message);
+}
+
+/* Read an existing bookmark (if one exists) */
+EVT_HANDLE read_bookmark(os_channel *channel)
+{
+    EVT_HANDLE bookmark = NULL;
+    size_t size = 0;
+    FILE *fp = NULL;
+    wchar_t bookmark_xml[OS_MAXSTR];
+
+    /* If we have a stored bookmark, start from it */
+    if ((fp = wfopen(channel->bookmark_filename, "r")) == NULL) {
+        /* Check if the error was not because the
+         * file did not exist which should be logged
+         */
+        if (errno != ENOENT) {
+            merror(
+                "Could not wfopen() existing bookmark (%s) for (%s) which returned [(%d)-(%s)]",
+                channel->bookmark_filename,
+                channel->evt_log,
+                errno,
+                strerror(errno));
+        }
+        return (NULL);
+    }
+
+    size = fread(bookmark_xml, sizeof(wchar_t), OS_MAXSTR, fp);
+    if (ferror(fp)) {
+        merror(
+            "Could not fread() bookmark (%s) for (%s) which returned [(%d)-(%s)]",
+            channel->bookmark_filename,
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        fclose(fp);
+        return (NULL);
+    }
+
+    fclose(fp);
+
+    /* Make sure bookmark data was read */
+    if (size == 0) {
+        return (NULL);
+    }
+
+    /* Make sure bookmark is terminated properly */
+    bookmark_xml[size] = L'\0';
+
+    /* Create bookmark from saved XML */
+    if ((bookmark = EvtCreateBookmark(bookmark_xml)) == NULL) {
+        merror(
+            "Could not EvtCreateBookmark() bookmark (%s) for (%s) which returned (%lu)",
+            channel->bookmark_filename,
+            channel->evt_log,
+            GetLastError());
+        return (NULL);
+    }
+
+    return (bookmark);
+}
+
+/* Update the log position of a bookmark */
+int update_bookmark(EVT_HANDLE evt, os_channel *channel)
+{
+    DWORD size = 0;
+    DWORD count = 0;
+    void *buffer = NULL;
+    int result = 0;
+    int status = 0;
+    EVT_HANDLE bookmark = NULL;
+    FILE *fp = NULL;
+
+    if ((bookmark = EvtCreateBookmark(NULL)) == NULL) {
+        merror(
+            "Could not EvtCreateBookmark() bookmark (%s) for (%s) which returned (%lu)",
+            channel->bookmark_filename,
+            channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+
+    if (!EvtUpdateBookmark(bookmark, evt)) {
+        merror(
+            "Could not EvtUpdateBookmark() bookmark (%s) for (%s) which returned (%lu)",
+            channel->bookmark_filename,
+            channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+
+    /* Make initial call to determine buffer size */
+    result = EvtRender(NULL,
+                       bookmark,
+                       EvtRenderBookmark,
+                       0,
+                       NULL,
+                       &size,
+                       &count);
+    if (result != FALSE || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+        merror(
+            "Could not EvtRender() to get buffer size to update bookmark (%s) for (%s) which returned (%lu)",
+            channel->bookmark_filename,
+            channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+
+    if (buffer = calloc(size, sizeof(void)), buffer == NULL) {
+        merror(
+            "Could not calloc() memory to save bookmark (%s) for (%s) which returned [(%d)-(%s)]",
+            channel->bookmark_filename,
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    if (!EvtRender(NULL,
+                   bookmark,
+                   EvtRenderBookmark,
+                   size,
+                   buffer,
+                   &size,
+                   &count)) {
+        merror(
+            "Could not EvtRender() bookmark (%s) for (%s) which returned (%lu)",
+            channel->bookmark_filename, channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+
+    if ((fp = wfopen(channel->bookmark_filename, "w")) == NULL) {
+        mwarn(
+            "Could not wfopen() bookmark (%s) for (%s) which returned [(%d)-(%s)]",
+            channel->bookmark_filename,
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    if ((fwrite(buffer, 1, size, fp)) < size) {
+        merror(
+            "Could not fwrite() to bookmark (%s) for (%s) which returned [(%d)-(%s)]",
+            channel->bookmark_filename,
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    fclose(fp);
+
+    /* Success */
+    status = 1;
+
+cleanup:
+    free(buffer);
+
+    if (bookmark != NULL) {
+        EvtClose(bookmark);
+    }
+
+    if (fp) {
+        fclose(fp);
+    }
+
+    return (status);
+}
+
+
+void send_channel_event(EVT_HANDLE evt, os_channel *channel)
+{
+    DWORD buffer_length = 0;
+    PEVT_VARIANT properties_values = NULL;
+    DWORD count = 0;
+    int result = 0;
+    wchar_t *wprovider_name = NULL;
+    char *msg_sent = NULL;
+    char *provider_name = NULL;
+    char *msg_from_prov = NULL;
+    char *xml_event = NULL;
+    char *beg_prov = NULL;
+    char *end_prov = NULL;
+    char *find_prov = NULL;
+    size_t num;
+
+    cJSON *event_json = cJSON_CreateObject();
+
+    os_malloc(OS_MAXSTR, provider_name);
+
+    result = EvtRender(NULL,
+                       evt,
+                       EvtRenderEventXml,
+                       0,
+                       NULL,
+                       &buffer_length,
+                       &count);
+    if (result != FALSE || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+        merror(
+            "Could not EvtRender() to determine buffer size for (%s) which returned (%lu)",
+            channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+
+    if ((properties_values = malloc(buffer_length)) == NULL) {
+        merror(
+            "Could not malloc() memory to process event (%s) which returned [(%d)-(%s)]",
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    if (!EvtRender(NULL,
+                   evt,
+                   EvtRenderEventXml,
+                   buffer_length,
+                   properties_values,
+                   &buffer_length,
+                   &count)) {
+        merror(
+            "Could not EvtRender() for (%s) which returned (%lu)",
+            channel->evt_log,
+            GetLastError());
+        goto cleanup;
+    }
+    xml_event = convert_windows_string((LPCWSTR) properties_values);
+
+    if (!xml_event) {
+        goto cleanup;
+    }
+
+    find_prov = strstr(xml_event, "Provider Name=");
+
+    if(find_prov){
+        beg_prov = strchr(find_prov, '\'');
+        if(beg_prov){
+            end_prov = strchr(beg_prov+1, '\'');
+
+            if (end_prov){
+                num = end_prov - beg_prov - 1;
+
+                if(num > OS_MAXSTR - 1){
+                    mwarn("The event message has exceeded the maximum size.");
+                    goto cleanup;
+                }
+
+                memcpy(provider_name, beg_prov+1, num);
+                provider_name[num] = '\0';
+                find_prov = '\0';
+                beg_prov = '\0';
+                end_prov = '\0';
+            }
+        }
+    }
+
+     if (provider_name) {
+        wprovider_name = convert_unix_string(provider_name);
+
+        if (wprovider_name && (msg_from_prov = get_message(evt, wprovider_name, EvtFormatMessageEvent)) == NULL) {
+            merror(
+                "Could not get message for (%s)",
+                channel->evt_log);
+        }
+        else {
+            cJSON_AddStringToObject(event_json, "Message", msg_from_prov);
+        }
+    }
+
+    win_format_event_string(xml_event);
+
+    cJSON_AddStringToObject(event_json, "Event", xml_event);
+    msg_sent = cJSON_PrintUnformatted(event_json);
+
+    w_logcollector_state_update_file(channel->evt_log, strlen(msg_sent));
+
+    if (SendMSG(logr_queue, msg_sent, "EventChannel", WIN_EVT_MQ) < 0) {
+        merror(QUEUE_SEND);
+        w_logcollector_state_update_target(channel->evt_log, "agent", true);
+    } else {
+        w_logcollector_state_update_target(channel->evt_log, "agent", false);
+    }
+
+    if (channel->bookmark_enabled) {
+        update_bookmark(evt, channel);
+    }
+
+cleanup:
+    os_free(msg_from_prov);
+    os_free(xml_event);
+    os_free(msg_sent);
+    os_free(properties_values);
+    os_free(provider_name);
+    os_free(wprovider_name);
+    cJSON_Delete(event_json);
+
+    return;
+}
+
+/**
+ * @brief Destroy os_channel structure
+ *
+ * This function closes the subscription and frees the tructure, including bookmark_name.
+ * Nothing happens if channel is NULL.
+ *
+ * @param channel Pointer to an os_channel structure.
+ */
+void os_channel_destroy(os_channel * channel) {
+    if (channel != NULL) {
+        free(channel->bookmark_name);
+
+        if (channel->subscription != NULL) {
+            if (!EvtClose(channel->subscription)) {
+                merror("Could not close subscription to channel '%s': %lu", channel->evt_log, GetLastError());
+            }
+        }
+
+        free(channel);
+    }
+}
+
+DWORD WINAPI event_channel_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, os_channel *channel, EVT_HANDLE evt)
+{
+    if (action == EvtSubscribeActionDeliver) {
+        send_channel_event(evt, channel);
+    } else {
+        mwarn("The eventlog service is down. Unable to collect logs from '%s' channel.", channel->evt_log);
+
+        while(1) {
+            /* Try to restart EventChannel */
+            if (win_start_event_channel(channel->evt_log, !channel->bookmark_enabled, channel->query, channel->reconnect_time) == -1) {
+                mdebug1("Trying to reconnect %s channel in %i seconds.", channel->evt_log, channel->reconnect_time );
+                sleep(channel->reconnect_time);
+            } else {
+                minfo("'%s' channel has been reconnected succesfully.", channel->evt_log);
+                os_channel_destroy(channel);
+                break;
+            }
+        }
+    }
+
+    return (0);
+}
+
+int win_start_event_channel(char *evt_log, char future, char *query, int reconnect_time)
+{
+    wchar_t *wchannel = NULL;
+    wchar_t *wquery = NULL;
+    char *filtered_query = NULL;
+    os_channel *channel = NULL;
+    DWORD flags = EvtSubscribeToFutureEvents;
+    EVT_HANDLE bookmark = NULL;
+    int status = 0;
+
+    os_calloc(1, sizeof(os_channel), channel);
+
+    channel->evt_log = evt_log;
+    channel->reconnect_time = reconnect_time;
+
+    /* Create copy of event log string */
+    os_strdup(channel->evt_log, channel->bookmark_name);
+
+    /* Create copy of query string */
+    channel->query = query;
+
+    /* Replace '/' with '_' */
+    if (strchr(channel->bookmark_name, '/')) {
+        *(strrchr(channel->bookmark_name, '/')) = '_';
+    }
+
+    /* Convert evt_log to Windows string */
+    if ((wchannel = convert_unix_string(channel->evt_log)) == NULL) {
+        merror(
+            "Could not convert_unix_string() evt_log for (%s) which returned [(%d)-(%s)]",
+            channel->evt_log,
+            errno,
+            strerror(errno));
+        goto cleanup;
+    }
+
+    /* Convert query to Windows string */
+    if (query) {
+        if ((filtered_query = filter_special_chars(query)) == NULL) {
+            merror(
+                "Could not filter_special_chars() query for (%s) which returned [(%d)-(%s)]",
+                channel->evt_log,
+                errno,
+                strerror(errno));
+            goto cleanup;
+        }
+
+        if ((wquery = convert_unix_string(filtered_query)) == NULL) {
+            merror(
+                "Could not convert_unix_string() query for (%s) which returned [(%d)-(%s)]",
+                channel->evt_log,
+                errno,
+                strerror(errno));
+            goto cleanup;
+        }
+    }
+
+    channel->bookmark_enabled = !future;
+
+    if (channel->bookmark_enabled) {
+        /* Create bookmark file name */
+        snprintf(channel->bookmark_filename,
+                 sizeof(channel->bookmark_filename), "%s/%s", BOOKMARKS_DIR,
+                 channel->bookmark_name);
+
+        /* Try to read existing bookmark */
+        if ((bookmark = read_bookmark(channel)) != NULL) {
+            flags = EvtSubscribeStartAfterBookmark;
+        }
+    }
+
+    channel->subscription = EvtSubscribe(NULL,
+                          NULL,
+                          wchannel,
+                          wquery,
+                          bookmark,
+                          channel,
+                          (EVT_SUBSCRIBE_CALLBACK)event_channel_callback,
+                          flags);
+
+    if (channel->subscription == NULL && flags == EvtSubscribeStartAfterBookmark) {
+        channel->subscription = EvtSubscribe(NULL,
+                              NULL,
+                              wchannel,
+                              wquery,
+                              NULL,
+                              channel,
+                              (EVT_SUBSCRIBE_CALLBACK)event_channel_callback,
+                              EvtSubscribeToFutureEvents);
+    }
+
+    if (channel->subscription == NULL) {
+        unsigned long id = GetLastError();
+        if (id != RPC_S_SERVER_UNAVAILABLE && id != RPC_S_UNKNOWN_IF) {
+            merror(
+                "Could not EvtSubscribe() for (%s) which returned (%lu)",
+                channel->evt_log,
+                id);
+        }
+        goto cleanup;
+    }
+
+    w_logcollector_state_add_file(channel->evt_log);
+    w_logcollector_state_add_target(channel->evt_log, "agent");
+
+    /* Success */
+    status = 1;
+
+cleanup:
+    free(wchannel);
+    free(wquery);
+    free(filtered_query);
+
+    if (status == 0) {
+        os_channel_destroy(channel);
+    }
+
+    if (bookmark != NULL) {
+        EvtClose(bookmark);
+    }
+
+    return status ? 0 : -1;
+}
+
+#endif /* EVENTCHANNEL_SUPPORT */
+#endif /* WIN32 */
diff --git a/src/modules/logcollector/src/state.c b/src/modules/logcollector/src/state.c
new file mode 100644
index 0000000000..329045b9fc
--- /dev/null
+++ b/src/modules/logcollector/src/state.c
@@ -0,0 +1,425 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "state.h"
+#include "shared.h"
+
+#ifdef WAZUH_UNIT_TESTING
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+#define W_LC_STATE_TIME_FORMAT "%Y-%m-%d %H:%M:%S" ///< Time format for the JSON and the file output
+#define W_LC_STATE_TIME_LENGHT (19 + 1)            ///< Maximum time size
+
+/* Global variables */
+
+w_lc_state_type_t g_lc_state_type;       ///< state enabled flag
+bool g_lc_state_file_enabled;          ///< state file dump enable
+cJSON * g_lc_json_stats;               ///< JSON representation of states
+w_lc_state_storage_t * g_lc_states_global;      ///< global state struct storage
+w_lc_state_storage_t * g_lc_states_interval;    ///< interval state struct storage
+pthread_mutex_t g_lc_raw_stats_mutex;  ///< g_lc_states_* structs mutual exclusion mechanism
+pthread_mutex_t g_lc_json_stats_mutex; ///< g_lc_json_stats mutual exclusion mechanism
+
+/**
+ * @brief Trigger the generation of states
+ *
+ */
+STATIC void w_logcollector_state_generate();
+
+/**
+ * @brief Generate and process the current states information
+ *
+ * @param state state to generate
+ * @param restart restart counters and date after generating
+ * @return cJSON * json decription with state information
+ */
+STATIC cJSON * _w_logcollector_generate_state(w_lc_state_storage_t * state, bool restart);
+
+/**
+ * @brief Update/register current event and byte count for a particular file/location
+ *
+ * @param state state to be used
+ * @param fpath file path or locafile location value
+ * @param bytes amount of bytes
+ */
+STATIC void _w_logcollector_state_update_file(w_lc_state_storage_t * state, char * fpath, uint64_t bytes);
+
+/**
+ * @brief Update/register current drop count for a target belonging to a particular file
+ *
+ * @param state state to be used
+ * @param fpath file path or locafile location value
+ * @param target target name
+ * @param dropped true if want to register a drop.
+ */
+STATIC void _w_logcollector_state_update_target(w_lc_state_storage_t * state, char * fpath, char * target, bool dropped);
+
+/**
+ * @brief Removes the `fpath` file from `state`
+ *
+ * @param state state to be used
+ * @param fpath file path or locafile location value
+ */
+STATIC void _w_logcollector_state_delete_file(w_lc_state_storage_t * state, char * fpath);
+
+/**
+ * @brief Dump state information to file
+ *
+ */
+STATIC void w_logcollector_state_dump();
+
+#ifdef WIN32
+DWORD WINAPI w_logcollector_state_main(void * args) {
+#else
+void * w_logcollector_state_main(void * args) {
+#endif
+
+    int interval = *(int *) args;
+
+    if (interval > 0) {
+        while (FOREVER()) {
+            sleep(interval);
+            w_logcollector_state_generate();
+            if (g_lc_state_file_enabled) {
+                w_logcollector_state_dump();
+            }
+        }
+    }
+
+#ifndef WIN32
+    return NULL;
+#else
+    return 0;
+#endif
+}
+
+STATIC void w_logcollector_state_dump() {
+
+    cJSON * lc_state_json = w_logcollector_state_get();
+    char * lc_state_str = cJSON_Print(lc_state_json);
+    cJSON_Delete(lc_state_json);
+
+    // Add trailing newline
+    const size_t len = strlen(lc_state_str);
+    os_realloc(lc_state_str, len + 2, lc_state_str);
+    lc_state_str[len] = '\n';
+    lc_state_str[len + 1] = '\0';
+
+    FILE * lc_state_file = NULL;
+
+    if (lc_state_file = wfopen(LOGCOLLECTOR_STATE, "w"), lc_state_file != NULL) {
+        if (fwrite(lc_state_str, sizeof(char), len + 1, lc_state_file) < 1) {
+            merror(FWRITE_ERROR, LOGCOLLECTOR_STATE, errno, strerror(errno));
+        }
+        fclose(lc_state_file);
+    } else {
+        merror(FOPEN_ERROR, LOGCOLLECTOR_STATE, errno, strerror(errno));
+    }
+
+    os_free(lc_state_str);
+}
+
+void w_logcollector_state_init(w_lc_state_type_t state_type, bool state_file_enabled) {
+
+    w_mutex_init(&g_lc_raw_stats_mutex, NULL);
+
+    if (state_type & LC_STATE_GLOBAL) {
+
+        os_calloc(1, sizeof(w_lc_state_storage_t), g_lc_states_global);
+
+        g_lc_states_global->start = time(NULL);
+
+        if (g_lc_states_global->states = OSHash_Create(), g_lc_states_global->states == NULL) {
+            merror_exit(HCREATE_ERROR, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+        if (OSHash_setSize(g_lc_states_global->states, LOGCOLLECTOR_STATE_FILES_MAX) == 0) {
+            merror_exit(HSETSIZE_ERROR, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+    }
+
+    if (state_type & LC_STATE_INTERVAL) {
+        w_mutex_init(&g_lc_json_stats_mutex, NULL);
+
+        os_calloc(1, sizeof(w_lc_state_storage_t), g_lc_states_interval);
+
+        g_lc_states_interval->start = time(NULL);
+
+        if (g_lc_states_interval->states = OSHash_Create(), g_lc_states_interval->states == NULL) {
+            merror_exit(HCREATE_ERROR, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+
+        if (OSHash_setSize(g_lc_states_interval->states, LOGCOLLECTOR_STATE_FILES_MAX) == 0) {
+            merror_exit(HSETSIZE_ERROR, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+    }
+
+    g_lc_state_type = state_type;
+    g_lc_state_file_enabled = state_file_enabled;
+}
+
+void w_logcollector_state_update_target(char * fpath, char * target, bool dropped) {
+
+    if (fpath == NULL || target == NULL) {
+        return;
+    }
+
+    w_mutex_lock(&g_lc_raw_stats_mutex);
+
+    if (g_lc_state_type & LC_STATE_GLOBAL) {
+        _w_logcollector_state_update_target(g_lc_states_global, fpath, target, dropped);
+    }
+
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        _w_logcollector_state_update_target(g_lc_states_interval, fpath, target, dropped);
+    }
+    w_mutex_unlock(&g_lc_raw_stats_mutex);
+}
+
+void w_logcollector_state_update_file(char * fpath, uint64_t bytes) {
+
+    if (fpath == NULL) {
+        return;
+    }
+
+    w_mutex_lock(&g_lc_raw_stats_mutex);
+
+    if (g_lc_state_type & LC_STATE_GLOBAL) {
+        _w_logcollector_state_update_file(g_lc_states_global, fpath, bytes);
+    }
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        _w_logcollector_state_update_file(g_lc_states_interval, fpath, bytes);
+    }
+
+    w_mutex_unlock(&g_lc_raw_stats_mutex);
+}
+
+void _w_logcollector_state_update_file(w_lc_state_storage_t * state, char * fpath, uint64_t bytes) {
+
+    w_lc_state_file_t * data = NULL;
+
+    // Try to get file stats. Create it if not initialized yet,
+    if (data = (w_lc_state_file_t *) OSHash_Get(state->states, fpath), data == NULL) {
+        os_calloc(1, sizeof(w_lc_state_file_t), data);
+        os_calloc(1, sizeof(w_lc_state_target_t *), data->targets);
+    }
+
+    if (bytes > 0) {
+        data->events++;
+        data->bytes += bytes;
+    }
+
+    if (OSHash_Update(state->states, fpath, data) != 1) {
+        if (OSHash_Add(state->states, fpath, data) != 2) {
+            w_lc_state_target_t ** target = data->targets;
+            while (*target != NULL) {
+                os_free(*target);
+                target++;
+            }
+            os_free(data->targets);
+            os_free(data);
+            merror(HUPDATE_ERROR, fpath, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+    }
+}
+
+void _w_logcollector_state_update_target(w_lc_state_storage_t * state, char * fpath, char * target, bool dropped) {
+
+    w_lc_state_file_t * data = NULL;
+    w_lc_state_target_t ** current_target = NULL;
+    int len = 0;
+
+    // Try to get file stats. Create it if not initialized yet,
+    if (data = (w_lc_state_file_t *) OSHash_Get(state->states, fpath), data == NULL) {
+        os_calloc(1, sizeof(w_lc_state_file_t), data);
+        os_calloc(1, sizeof(w_lc_state_target_t *), data->targets);
+    }
+
+    // Try to find target
+    for (len = 0, current_target = data->targets; *current_target != NULL; len++, current_target++) {
+        if (strcmp(target, (*current_target)->name) == 0) {
+            break;
+        }
+    }
+
+    // If target was not found, create it.
+    if (*current_target == NULL) {
+        os_realloc(data->targets, (len + 2) * sizeof(w_lc_state_target_t *), data->targets);
+        os_calloc(1, sizeof(w_lc_state_target_t), data->targets[len]);
+        data->targets[len + 1] = NULL;
+        current_target = &data->targets[len];
+        os_strdup(target, (*current_target)->name);
+    }
+
+    if (dropped) {
+        (*current_target)->drops++;
+    }
+
+    if (OSHash_Update(state->states, fpath, data) != 1) {
+        if (OSHash_Add(state->states, fpath, data) != 2) {
+            w_lc_state_target_t ** target = data->targets;
+            while (*target != NULL) {
+                os_free((*target)->name);
+                os_free(*target);
+                target++;
+            }
+            os_free(data->targets);
+            os_free(data);
+            merror(HUPDATE_ERROR, fpath, LOGCOLLECTOR_STATE_DESCRIPTION);
+        }
+    }
+}
+
+void w_logcollector_state_delete_file(char * fpath) {
+
+    if (fpath == NULL) {
+        return;
+    }
+
+    w_mutex_lock(&g_lc_raw_stats_mutex);
+
+    if (g_lc_state_type & LC_STATE_GLOBAL) {
+        _w_logcollector_state_delete_file(g_lc_states_global, fpath);
+    }
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        _w_logcollector_state_delete_file(g_lc_states_interval, fpath);
+    }
+
+    w_mutex_unlock(&g_lc_raw_stats_mutex);
+}
+
+void _w_logcollector_state_delete_file(w_lc_state_storage_t * state, char * fpath) {
+
+    w_lc_state_file_t * data = NULL;
+
+    if (data = (w_lc_state_file_t *) OSHash_Delete(state->states, fpath), data == NULL) {
+        return;
+    }
+
+    w_lc_state_target_t ** target = data->targets;
+    while (*target != NULL) {
+        os_free((*target)->name);
+        os_free(*target);
+        target++;
+    }
+    os_free(data->targets);
+    os_free(data);
+
+    return;
+}
+
+void w_logcollector_state_generate() {
+
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        w_mutex_lock(&g_lc_json_stats_mutex);
+    }
+    w_mutex_lock(&g_lc_raw_stats_mutex);
+    cJSON_Delete(g_lc_json_stats);
+
+    g_lc_json_stats = cJSON_CreateObject();
+    if (g_lc_state_type & LC_STATE_GLOBAL) {
+        cJSON * lc_stats_json_global = _w_logcollector_generate_state(g_lc_states_global, false);
+        cJSON_AddItemToObject(g_lc_json_stats, "global", lc_stats_json_global);
+    }
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        cJSON * lc_stats_json_interval = _w_logcollector_generate_state(g_lc_states_interval, true);
+        cJSON_AddItemToObject(g_lc_json_stats, "interval", lc_stats_json_interval);
+    }
+
+    w_mutex_unlock(&g_lc_raw_stats_mutex);
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        w_mutex_unlock(&g_lc_json_stats_mutex);
+    }
+}
+
+cJSON * w_logcollector_state_get() {
+
+    cJSON * json_state = NULL;
+
+    if (g_lc_state_type & LC_STATE_INTERVAL) {
+        w_mutex_lock(&g_lc_json_stats_mutex);
+        if (g_lc_json_stats != NULL) {
+            json_state = cJSON_Duplicate(g_lc_json_stats, true);
+        }
+        w_mutex_unlock(&g_lc_json_stats_mutex);
+    } else if (g_lc_state_type & LC_STATE_GLOBAL) {
+        w_mutex_lock(&g_lc_raw_stats_mutex);
+        json_state = _w_logcollector_generate_state(g_lc_states_global, false);
+        w_mutex_unlock(&g_lc_raw_stats_mutex);
+    }
+
+    return json_state;
+}
+
+cJSON * _w_logcollector_generate_state(w_lc_state_storage_t * state, bool restart) {
+
+    OSHashNode * hash_node = NULL;
+    unsigned int index = 0;
+    struct tm tm = {.tm_sec = 0};
+    char timestamp_tmp[W_LC_STATE_TIME_LENGHT] = {0};
+
+    if (hash_node = OSHash_Begin(state->states, &index), hash_node == NULL) {
+        return NULL;
+    }
+
+    cJSON * lc_stats_json = cJSON_CreateObject();
+    cJSON * lc_stats_files_array = cJSON_CreateArray();
+
+    // Iterate for each file
+    while (hash_node) {
+        w_lc_state_file_t * data = hash_node->data;
+
+        // Target logic
+        cJSON * lc_stats_targets_array = cJSON_CreateArray();
+        w_lc_state_target_t ** target = data->targets;
+        while (*target != NULL) {
+            cJSON * lc_stats_target = cJSON_CreateObject();
+            cJSON_AddStringToObject(lc_stats_target, "name", (*target)->name);
+            cJSON_AddNumberToObject(lc_stats_target, "drops", (*target)->drops);
+            cJSON_AddItemToArray(lc_stats_targets_array, lc_stats_target);
+            if (restart) {
+                (*target)->drops = 0;
+            }
+            target++;
+        }
+
+        // Files
+        cJSON * lc_stats_file = cJSON_CreateObject();
+        cJSON_AddStringToObject(lc_stats_file, "location", hash_node->key);
+        cJSON_AddNumberToObject(lc_stats_file, "events", data->events);
+        cJSON_AddNumberToObject(lc_stats_file, "bytes", data->bytes);
+        cJSON_AddItemToObject(lc_stats_file, "targets", lc_stats_targets_array);
+
+        if (restart) {
+            data->bytes = 0;
+            data->events = 0;
+        }
+        cJSON_AddItemToArray(lc_stats_files_array, lc_stats_file);
+        hash_node = OSHash_Next(state->states, &index, hash_node);
+    }
+
+    // Convert timestamp to string
+    localtime_r(&state->start, &tm);
+    strftime(timestamp_tmp, sizeof(timestamp_tmp), W_LC_STATE_TIME_FORMAT, &tm);
+    cJSON_AddStringToObject(lc_stats_json, "start", timestamp_tmp);
+
+    time_t now = time(NULL);
+    localtime_r(&now, &tm);
+    strftime(timestamp_tmp, sizeof(timestamp_tmp), W_LC_STATE_TIME_FORMAT, &tm);
+    cJSON_AddStringToObject(lc_stats_json, "end", timestamp_tmp);
+
+    cJSON_AddItemToObject(lc_stats_json, "files", lc_stats_files_array);
+
+    if (restart) {
+        state->start = time(NULL);
+    }
+    return lc_stats_json;
+}
diff --git a/src/modules/logcollector/tests/integration/conftest.py b/src/modules/logcollector/tests/integration/conftest.py
new file mode 100644
index 0000000000..62ed660e13
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/conftest.py
@@ -0,0 +1,369 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+           Created by Wazuh, Inc. <info@wazuh.com>.
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+import os
+import sys
+import subprocess
+import pytest
+from typing import List
+
+from os.path import join as path_join
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.paths import WAZUH_PATH
+from wazuh_testing.constants.paths.configurations import WAZUH_CONF_PATH
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.logcollector.patterns import LOGCOLLECTOR_MODULE_START
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file, replace_regex_in_file, write_json_file
+
+# Logcollector internal paths
+LOGCOLLECTOR_OFE_PATH = path_join(WAZUH_PATH, 'queue', 'logcollector', 'file_status.json')
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+def daemons_handler_implementation(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Wrapper of `daemons_handler_implementation` which contains the general implementation.
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    yield from daemons_handler_implementation(request)
+
+
+@pytest.fixture(scope='module')
+def daemons_handler_module(request: pytest.FixtureRequest) -> None:
+    """Wrapper of `daemons_handler_implementation` which contains the general implementation.
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    yield from daemons_handler_implementation(request)
+
+
+@pytest.fixture()
+def stop_logcollector(request):
+    """Stop wazuh-logcollector and truncate logs file."""
+    control_service('stop', daemon=LOGCOLLECTOR_DAEMON)
+    truncate_file(WAZUH_LOG_PATH)
+
+
+@pytest.fixture()
+def wait_for_logcollector_start(request):
+    # Wait for logcollector thread to start
+    log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    log_monitor.start(callback=callbacks.generate_callback(LOGCOLLECTOR_MODULE_START))
+    assert (log_monitor.callback_result != None), f'Error logcollector start event not detected'
+
+
+@pytest.fixture()
+def remove_all_localfiles_wazuh_config(request):
+    """Configure a custom settting for testing. Restart Wazuh is needed for applying the configuration. """
+    # Backup the original configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Remove localfiles from the configuration
+    list_tags = [r"<localfile>[\s\S]*?<\/localfile>"]
+    replace_regex_in_file(list_tags, [''] * len(list_tags), WAZUH_CONF_PATH, True)
+
+    yield
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def reset_ofe_status(request: pytest.FixtureRequest, test_metadata: dict):
+    """Reset the status file of the logcollector only future events."""
+
+    def get_journal_last_log_timestamp():
+        '''
+        Get the timestamp of the last log message in the journal.
+
+        Returns:
+            int: The timestamp of the last log message in the journal.
+        '''
+        from subprocess import Popen, PIPE
+        from shlex import split
+
+        # Get the last log message in the journal
+        command = 'journalctl -o json -n1'
+        process = Popen(split(command), stdout=PIPE, stderr=PIPE)
+        output, error = process.communicate()
+
+        if error:
+            raise Exception(f"Error getting the last log message from the journal: {error.decode()}")
+
+        # Get the timestamp of the last log message
+        import json
+        log_message = json.loads(output.decode())
+        return log_message.get('_SOURCE_REALTIME_TIMESTAMP')
+
+    def get_ofe_journald():
+        '''
+        Get the status of the logcollector for journald.
+
+        Set the timestamp of the last log message in the journal as the timestamp for the journald.
+        if the test_metadata contains the key 'force_timestamp', the value of this key will be used as the timestamp.
+
+        Returns:
+            dict: The status of the logcollector for journald.
+        '''
+
+        if 'force_timestamp' in test_metadata:
+            epoch_timestamp = test_metadata['force_timestamp']
+        else:
+            epoch_timestamp = get_journal_last_log_timestamp()
+
+        status: dict = { "timestamp": str(epoch_timestamp) }
+        return status
+
+    # File status for logcollector
+    file_status: dict = {}
+
+    # Configure the file status for each logreader
+    file_status['journald'] = get_ofe_journald()
+
+    # Write the file status
+    write_json_file(LOGCOLLECTOR_OFE_PATH, file_status)
+
+
+@pytest.fixture()
+def pre_send_journal_logs(request: pytest.FixtureRequest, test_metadata: dict):
+    """Send log messages to the journal before starting the logcollector."""
+    from utils import send_log_to_journal
+
+    if 'pre_input_logs' not in test_metadata:
+        raise Exception(f"The test_metadata does not contain the key 'pre_input_logs'")
+    else:
+        for log_message in test_metadata['pre_input_logs']:
+            send_log_to_journal(log_message)
diff --git a/src/modules/logcollector/tests/integration/pytest.ini b/src/modules/logcollector/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/logcollector/tests/integration/test_configuration/__init__.py b/src/modules/logcollector/tests/integration/test_configuration/__init__.py
new file mode 100644
index 0000000000..fb5b8575fc
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/__init__.py
@@ -0,0 +1,11 @@
+"""
+Copyright (C) 2015-2024, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+from pathlib import Path
+
+# Constants & base paths
+TEST_DATA_PATH = Path(Path(__file__).parent, 'data')
+TEST_CASES_PATH = Path(TEST_DATA_PATH, 'test_cases')
+CONFIGURATIONS_PATH = Path(TEST_DATA_PATH, 'configuration_templates')
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration.yaml
new file mode 100644
index 0000000000..cdcb2e5794
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration.yaml
@@ -0,0 +1,9 @@
+- sections:
+    - section: localfile
+      elements:
+        - command:
+            value: 'COMMAND'
+        - log_format:
+            value: 'LOG_FORMAT'
+        - alias:
+            value: 'ALIAS'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_command.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_command.yaml
new file mode 100644
index 0000000000..2710134901
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_command.yaml
@@ -0,0 +1,7 @@
+- sections:
+    - section: localfile
+      elements:
+        - command:
+            value: 'COMMAND'
+        - log_format:
+            value: 'LOG_FORMAT'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_label.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_label.yaml
new file mode 100644
index 0000000000..43fb1f0f8e
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_label.yaml
@@ -0,0 +1,11 @@
+- sections:
+    - section: localfile
+      elements:
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'json'
+        - label:
+            value: 'LABEL'
+            attributes:
+            - key: KEY
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format.yaml
new file mode 100644
index 0000000000..793af6c698
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format.yaml
@@ -0,0 +1,9 @@
+- sections:
+    - section: localfile
+      elements:
+        - command:
+            value: 'COMMAND'
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'LOG_FORMAT'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format_location.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format_location.yaml
new file mode 100644
index 0000000000..802489f05e
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_log_format_location.yaml
@@ -0,0 +1,7 @@
+- sections:
+    - section: localfile
+      elements:
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'LOG_FORMAT'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_out_format.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_out_format.yaml
new file mode 100644
index 0000000000..3d8d0818ac
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_out_format.yaml
@@ -0,0 +1,19 @@
+- sections:
+    - section: socket
+      elements:
+        - name:
+            value: 'SOCKET_NAME'
+        - location:
+            value: 'SOCKET_PATH'
+    - section: localfile
+      elements:
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'LOG_FORMAT'
+        - target:
+            value: 'TARGET'
+        - out_format:
+            value: OUT_FORMAT
+            attributes:
+              - target: TARGET_OUT_FORMAT
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_reconnect_time.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_reconnect_time.yaml
new file mode 100644
index 0000000000..3bdbfaa95c
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_reconnect_time.yaml
@@ -0,0 +1,9 @@
+- sections:
+    - section: localfile
+      elements:
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'LOG_FORMAT'
+        - reconnect_time:
+            value: 'RECONNECT_TIME'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_target.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_target.yaml
new file mode 100644
index 0000000000..5ff58c5b9c
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_basic_configuration_target.yaml
@@ -0,0 +1,15 @@
+- sections:
+    - section: socket
+      elements:
+        - name:
+            value: 'SOCKET_NAME'
+        - location:
+            value: 'SOCKET_PATH'
+    - section: localfile
+      elements:
+        - location:
+            value: 'LOCATION'
+        - log_format:
+            value: 'LOG_FORMAT'
+        - target:
+            value: 'TARGET'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_duplicated_macos_configuration.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_duplicated_macos_configuration.yaml
new file mode 100644
index 0000000000..5722700e5e
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_duplicated_macos_configuration.yaml
@@ -0,0 +1,17 @@
+- sections:
+    - section: localfile
+      attributes:
+        - name: 'logcollector_configuration_block1'
+      elements:
+          - location:
+              value: 'LOCATION1'
+          -  log_format:
+              value: 'LOG_FORMAT1'
+    - section: localfile
+      attributes:
+        - name: 'logcollector_configuration_block2'
+      elements:
+          - location:
+              value: 'LOCATION2'
+          -  log_format:
+              value: 'LOG_FORMAT2'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_no_defined_location_macos_configuration.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_no_defined_location_macos_configuration.yaml
new file mode 100644
index 0000000000..fac708f8ce
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/configuration_templates/wazuh_no_defined_location_macos_configuration.yaml
@@ -0,0 +1,5 @@
+- sections:
+    - section: localfile
+      elements:
+        - log_format:
+            value: 'LOG_FORMAT'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_alias.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_alias.yaml
new file mode 100644
index 0000000000..476ae4921d
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_alias.yaml
@@ -0,0 +1,21 @@
+- name: Basic configuration alias
+  description: Basic configuration alias
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: 'to_replace'
+    ALIAS: 'alias'
+  metadata:
+    log_format: 'command'
+    command: 'to_replace'
+    alias: 'alias'
+
+- name: Basic configuration alias
+  description: Basic configuration alias
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'to_replace'
+    ALIAS: 'alias2'
+  metadata:
+    log_format: 'full_command'
+    command: 'to_replace'
+    alias: 'alias2'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_command.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_command.yaml
new file mode 100644
index 0000000000..466302f76f
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_command.yaml
@@ -0,0 +1,89 @@
+- name: Basic configuration command
+  description: Basic configuration command
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: 'echo Testing'
+  metadata:
+    log_format: 'command'
+    command: 'echo Testing'
+
+- name: Basic configuration command
+  description: Basic configuration command
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: 'df -P'
+  metadata:
+    log_format: 'command'
+    command: 'df -P'
+
+- name: Basic configuration command
+  description: Basic configuration command
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: 'find / -type f -perm 4000'
+  metadata:
+    log_format: 'command'
+    command: 'find / -type f -perm 4000'
+
+- name: Basic configuration command
+  description: Basic configuration command
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: 'ls /tmp/*'
+  metadata:
+    log_format: 'command'
+    command: 'ls /tmp/*'
+
+- name: Basic configuration command
+  description: Basic configuration command
+  configuration_parameters:
+    LOG_FORMAT: 'command'
+    COMMAND: '/tmp/script/my_script -a 1 -v 2 -b 3 -g 444 -k Testing'
+  metadata:
+    log_format: 'command'
+    command: '/tmp/script/my_script -a 1 -v 2 -b 3 -g 444 -k Testing'
+
+- name: Basic configuration full_command
+  description: Basic configuration full_command
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'echo Testing'
+  metadata:
+    log_format: 'full_command'
+    command: 'echo Testing'
+
+- name: Basic configuration full_command
+  description: Basic configuration full_command
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'df -P'
+  metadata:
+    log_format: 'full_command'
+    command: 'df -P'
+
+- name: Basic configuration full_command
+  description: Basic configuration full_command
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'find / -type f -perm 4000'
+  metadata:
+    log_format: 'full_command'
+    command: 'find / -type f -perm 4000'
+
+- name: Basic configuration full_command
+  description: Basic configuration full_command
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'ls /tmp/*'
+  metadata:
+    log_format: 'full_command'
+    command: 'ls /tmp/*'
+
+- name: Basic configuration full_command
+  description: Basic configuration full_command
+  configuration_parameters:
+    LOG_FORMAT: 'full_command'
+    COMMAND: '/tmp/script/my_script -a 1 -v 2 -b 3 -g 444 -k Testing'
+  metadata:
+    log_format: 'full_command'
+    command: '/tmp/script/my_script -a 1 -v 2 -b 3 -g 444 -k Testing'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_journald.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_journald.yaml
new file mode 100644
index 0000000000..96626cd668
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_journald.yaml
@@ -0,0 +1,353 @@
+- name: Journald default configuration
+  description: A basic configuration for journald, 1 block without filters
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+  metadata:
+    expected_logs:
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config:
+      logformat: journald
+      only-future-events: 'yes'
+      target: 
+        - agent
+
+- name: Journald, ignore bad location
+  description: A basic configuration for journald ignore the bad location
+  configuration_parameters:
+    - - location:
+          value: bad location
+      - log_format:
+          value: journald
+  metadata:
+    expected_logs:
+      - .*Invalid location value 'bad location'.*Default value will be used
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config:
+      logformat: journald
+      only-future-events: 'yes'
+      target: 
+        - agent
+
+- name: Journald, ignore missing location
+  description: A basic configuration for journald ignore the missing location
+  configuration_parameters:
+    - - log_format:
+          value: journald
+  metadata:
+    expected_logs:
+      - .*Missing 'location' element when using 'journald' as 'log_format'. Default value will be used.
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries..*
+    expected_config:
+      logformat: journald
+      only-future-events: 'yes'
+      target: 
+        - agent
+
+- name: Journald fail basic configuration
+  description: A basic configuration for journald, 1 block without filters, but fails building the filter (Missing field)
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: '\w+'
+           attributes:
+             - not_field: 'syslogtag'
+             - ignore_if_missing: 'yes'
+  metadata:
+    expected_logs:
+      - ".*The field for the journal filter cannot be empty.*"
+      - ".*Cannot add filter, the block will be ignored.*"
+    journal_disabled: True
+
+- name: Test merge 2 blocks of journal and both with filters
+  description: Test merge blocks of journal and both with filters, the localfiles merge on one logreader
+  configuration_parameters:
+    # Block 1
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 1A'
+           attributes:
+             - field: 'field 1A'
+             - ignore_if_missing: 'yes'
+      - filter:
+           value: 'Filter 1B'
+           attributes:
+             - field: 'field 1B'
+    # Block 2
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 2A'
+           attributes:
+             - field: 'field 2A'
+  metadata:
+    expected_logs:
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config: 
+      logformat: journald
+      filters_disabled: false
+      filters:
+      - - expression: Filter 1A
+          field: field 1A
+          ignore_if_missing: true
+        - expression: Filter 1B
+          field: field 1B
+          ignore_if_missing: false
+      - - expression: Filter 2A
+          field: field 2A
+          ignore_if_missing: false
+      only-future-events: 'yes'
+      target:
+      - agent
+
+- name: Test merge with 3 blocks and all with filters
+  description: Test merge 3 blocks and all with filters, the localfiles merge on one logreader
+  configuration_parameters:
+    # Block 1
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 1A'
+           attributes:
+             - field: 'field 1A'
+             - ignore_if_missing: 'yes'
+      - filter:
+           value: 'Filter 1B'
+           attributes:
+             - field: 'field 1B'
+    # Block 2
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 2A'
+           attributes:
+             - field: 'field 2A'
+    # Block 3
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 3A'
+           attributes:
+             - field: 'field 3A'
+             - ignore_if_missing: 'no'
+  metadata:
+    expected_logs:
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config: 
+      logformat: journald
+      filters_disabled: false
+      filters:
+      - - expression: Filter 1A
+          field: field 1A
+          ignore_if_missing: true
+        - expression: Filter 1B
+          field: field 1B
+          ignore_if_missing: false
+      - - expression: Filter 2A
+          field: field 2A
+          ignore_if_missing: false
+      - - expression: Filter 3A
+          field: field 3A
+          ignore_if_missing: false
+      only-future-events: 'yes'
+      target:
+      - agent
+
+
+- name: Test merge with 3 blocks and 1 without filters
+  description: Test merge with 3 blocks and 1 without filters, then the global filters are disabled
+  configuration_parameters:
+    # Block 1
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 1A'
+           attributes:
+             - field: 'field 1A'
+             - ignore_if_missing: 'yes'
+      - filter:
+           value: 'Filter 1B'
+           attributes:
+             - field: 'field 1B'
+    # Block 2
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+    # Block 3
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 3A'
+           attributes:
+             - field: 'field 3A'
+             - ignore_if_missing: 'no'
+  metadata:
+    expected_logs:
+      - .*The filters of the journald log will be disabled in the merge.*
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config: 
+      logformat: journald
+      filters_disabled: true
+      filters:
+      - - expression: 'Filter 1A'
+          field: field 1A
+          ignore_if_missing: true
+        - expression: 'Filter 1B'
+          field: field 1B
+          ignore_if_missing: false
+      - - expression: 'Filter 3A'
+          field: field 3A
+          ignore_if_missing: false
+      only-future-events: 'yes'
+      target:
+      - agent
+
+
+- name: Test merge with 3 blocks and all with filters, but 1 block fails compiling the regex
+  description: Test merge with 3 blocks and all with filters, but 1 block fails compiling the regex, the block will be ignored
+  configuration_parameters:
+    # Block 1
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: '\w+ Filter 1A'
+           attributes:
+             - field: 'field 1A'
+             - ignore_if_missing: 'yes'
+      - filter:
+           value: '\w+ Filter 1B'
+           attributes:
+             - field: 'field 1B'
+    # Block 2
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: '\w+ [ Filter 2A'
+           attributes:
+             - field: 'field 2A'
+    # Block 3
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: '\w+ Filter 3A'
+           attributes:
+             - field: 'field 3A'
+             - ignore_if_missing: 'no'
+  metadata:
+    expected_logs:
+      - .*Error compiling the PCRE2 expression.*
+      - .*Cannot add filter, the block will be ignored
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config: 
+      logformat: journald
+      filters_disabled: false
+      filters:
+      - - expression: \w+ Filter 1A
+          field: field 1A
+          ignore_if_missing: true
+        - expression: \w+ Filter 1B
+          field: field 1B
+          ignore_if_missing: false
+      - - expression: \w+ Filter 3A
+          field: field 3A
+          ignore_if_missing: false
+      only-future-events: 'yes'
+      target:
+      - agent
+
+- name: Test merge with 3 blocks and all with filters, preserve only-future-events from last block
+  description: Test merge with 3 blocks and all with filters, preserve only-future-events from last block
+  configuration_parameters:
+    # Block 1
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 1A'
+           attributes:
+             - field: 'field 1A'
+             - ignore_if_missing: 'yes'
+      - filter:
+           value: 'Filter 1B'
+           attributes:
+             - field: 'field 1B'
+    # Block 2
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 2A'
+           attributes:
+             - field: 'field 2A'
+    # Block 3
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: 'Filter 3A'
+           attributes:
+             - field: 'field 3A'
+             - ignore_if_missing: 'no'
+      - only-future-events:
+          value: 'no'
+  metadata:
+    expected_logs:
+      - .*Socket target for 'journald' -> agent
+      - .*Monitoring journal entries.
+    expected_config: 
+      logformat: journald
+      only-future-events: 'no'
+      filters:
+      - - expression: Filter 1A
+          field: field 1A
+          ignore_if_missing: true
+        - expression: Filter 1B
+          field: field 1B
+          ignore_if_missing: false
+      - - expression: Filter 2A
+          field: field 2A
+          ignore_if_missing: false
+      - - expression: Filter 3A
+          field: field 3A
+          ignore_if_missing: false
+      filters_disabled: false
+      max-size: '0'
+      target:
+      - agent
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_label.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_label.yaml
new file mode 100644
index 0000000000..4974e95b03
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_label.yaml
@@ -0,0 +1,87 @@
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: '@source'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: '@source'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: 'agent.type'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: 'agent.type'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: 'agent.location'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: 'agent.location'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: 'agent.idgroup'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: 'agent.idgroup'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: 'group.groupnname'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: 'group.groupnname'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: '109304'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: '109304'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: 'TestingTagNames'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: 'TestingTagNames'
+
+- name: Basic configuration label
+  description: Basic configuration label
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LABEL: 'myapp'
+    KEY: '?atag_tname'
+  metadata:
+    location: 'to_replace'
+    label: 'myapp'
+    key: '?atag_tname'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location.yaml
new file mode 100644
index 0000000000..a3b2cc27a0
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location.yaml
@@ -0,0 +1,79 @@
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: 'test.txt'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'test.txt'
+    log_format: 'syslog'
+    validate_config: True
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: '*'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: '*'
+    log_format: 'syslog'
+    validate_config: False
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: 'Testing white spaces'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'Testing white spaces'
+    log_format: 'syslog'
+    validate_config: True
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: '%F%H%K%L'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: '%F%H%K%L'
+    log_format: 'syslog'
+    validate_config: False
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: 'test.*'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'test.*'
+    log_format: 'syslog'
+    validate_config: False
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: 'c*test.txt'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'c*test.txt'
+    log_format: 'syslog'
+    validate_config: False
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: '?^*We.- Nmae'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: '?^*We.- Nmae'
+    log_format: 'syslog'
+    validate_config: False
+
+- name: Basic configuration location
+  description: Basic configuration location
+  configuration_parameters:
+    LOCATION: 'file.log-%Y-%m-%d'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'file.log-%Y-%m-%d'
+    log_format: 'syslog'
+    validate_config: False
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_macos.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_macos.yaml
new file mode 100644
index 0000000000..869f64ac1d
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_macos.yaml
@@ -0,0 +1,9 @@
+- name: Basic configuration location macos
+  description: Basic configuration location macos
+  configuration_parameters:
+    LOCATION: 'macos'
+    LOG_FORMAT: 'macos'
+  metadata:
+    location: 'macos'
+    log_format: 'macos'
+    validate_config: True
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_win.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_win.yaml
new file mode 100644
index 0000000000..c9a8717745
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_location_win.yaml
@@ -0,0 +1,80 @@
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Microsoft-Windows-Sysmon/Operational'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Microsoft-Windows-Sysmon/Operational'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Application'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Application'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'System'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'System'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Microsoft-Windows-Windows Defender/Operational'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Microsoft-Windows-Windows Defender/Operational'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'File Replication Service'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'File Replication Service'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'Service Microsoft-Windows-TerminalServices-RemoteConnectionManager'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'Service Microsoft-Windows-TerminalServices-RemoteConnectionManager'
+    log_format: 'eventchannel'
+
+- name: Basic configuration location windows
+  description: Basic configuration location windows
+  configuration_parameters:
+    LOCATION: 'invalidchannel'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: 'invalidchannel'
+    log_format: 'eventchannel'
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format.yaml
new file mode 100644
index 0000000000..2143bf83bf
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format.yaml
@@ -0,0 +1,197 @@
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'syslog'
+  metadata:
+    location: 'to_replace'
+    log_format: 'syslog'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'json'
+  metadata:
+    location: 'to_replace'
+    log_format: 'json'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'snort-full'
+  metadata:
+    location: 'to_replace'
+    log_format: 'snort-full'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'mysql_log'
+  metadata:
+    location: 'to_replace'
+    log_format: 'mysql_log'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'postgresql_log'
+  metadata:
+    location: 'to_replace'
+    log_format: 'postgresql_log'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'nmapg'
+  metadata:
+    location: 'to_replace'
+    log_format: 'nmapg'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'iis'
+  metadata:
+    location: 'to_replace'
+    log_format: 'iis'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'command'
+    COMMAND: 'example-command'
+  metadata:
+    location: 'to_replace'
+    log_format: 'command'
+    command: 'example-command'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'full_command'
+    COMMAND: 'example-command'
+  metadata:
+    location: 'to_replace'
+    log_format: 'full_command'
+    command: 'example-command'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: '/var/log/testing/current'
+    LOG_FORMAT: 'djb-multilog'
+  metadata:
+    location: '/var/log/testing/current'
+    log_format: 'djb-multilog'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'multi-line:3'
+  metadata:
+    location: 'to_replace'
+    log_format: 'multi-line:3'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'squid'
+  metadata:
+    location: 'to_replace'
+    log_format: 'squid'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'audit'
+  metadata:
+    location: 'to_replace'
+    log_format: 'audit'
+    valid_value: True
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'invalid'
+  metadata:
+    location: 'to_replace'
+    log_format: 'invalid'
+    valid_value: False
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'testing'
+  metadata:
+    location: 'to_replace'
+    log_format: 'testing'
+    valid_value: False
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'iisTesting'
+  metadata:
+    location: 'to_replace'
+    log_format: 'iisTesting'
+    valid_value: False
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'nmapgFSKF'
+  metadata:
+    location: 'to_replace'
+    log_format: 'nmapgFSKF'
+    valid_value: False
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'jsonLGK'
+    COMMAND: 'example-command'
+  metadata:
+    location: 'to_replace'
+    log_format: 'jsonLGK'
+    command: 'example-command'
+    valid_value: False
+
+- name: Basic configuration log format
+  description: Basic configuration log format
+  configuration_parameters:
+    LOCATION: 'to_replace'
+    LOG_FORMAT: 'commandFLKD'
+    COMMAND: 'example-command'
+  metadata:
+    location: 'to_replace'
+    log_format: 'commandFLKD'
+    command: 'example-command'
+    valid_value: False
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_duplicated.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_duplicated.yaml
new file mode 100644
index 0000000000..7ac9a0bd7f
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_duplicated.yaml
@@ -0,0 +1,13 @@
+- name: Basic configuration log format macos duplicated
+  description: Basic configuration log format duplicated
+  configuration_parameters:
+    LOCATION1: 'macos'
+    LOG_FORMAT1: 'macos'
+    LOCATION2: 'macos'
+    LOG_FORMAT2: 'macos'
+  metadata:
+    location1: 'macos'
+    log_format1: 'macos'
+    location2: 'macos'
+    log_format2: 'macos'
+    valid_value: True
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_no_defined.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_no_defined.yaml
new file mode 100644
index 0000000000..d70cc13b83
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_macos_no_defined.yaml
@@ -0,0 +1,7 @@
+- name: Basic configuration log format macos location no defined
+  description: Basic configuration log format macos location no defined
+  configuration_parameters:
+    LOG_FORMAT: 'macos'
+  metadata:
+    log_format: 'macos'
+    valid_value: True
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_win.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_win.yaml
new file mode 100644
index 0000000000..2188ffe94f
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_log_format_win.yaml
@@ -0,0 +1,19 @@
+- name: Basic configuration log format windows
+  description: Basic configuration log format windows
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventlog'
+  metadata:
+    location: 'Security'
+    log_format: 'eventlog'
+    valid_value: True
+
+- name: Basic configuration log format windows
+  description: Basic configuration log format windows
+  configuration_parameters:
+    LOCATION: '/tmp/test.txt'
+    LOG_FORMAT: 'eventchannel'
+  metadata:
+    location: '/tmp/test.txt'
+    log_format: 'eventchannel'
+    valid_value: True
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_out_format.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_out_format.yaml
new file mode 100644
index 0000000000..43a544da71
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_out_format.yaml
@@ -0,0 +1,219 @@
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(timestamp %Y-%m-%d %H:%M:%S)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(timestamp %Y-%m-%d %H:%M:%S)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(log)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(log)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(base64_log)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(base64_log)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(json_escaped_log)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(json_escaped_log)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(location)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(location)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(output)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(output)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(command)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(command)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(timestamp)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(timestamp)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(hostname)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(hostname)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(host_ip)'
+    TARGET_OUT_FORMAT: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(host_ip)'
+    target_out_format: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration out format
+  description: Basic configuration out format
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+    OUT_FORMAT: '$(host_ip)'
+    TARGET_OUT_FORMAT: 'no_defined_custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    out_format: '$(host_ip)'
+    target_out_format: 'no_defined_custom_socket'
+    valid_value: False
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_reconnect_time.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_reconnect_time.yaml
new file mode 100644
index 0000000000..3fcebe0fba
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_reconnect_time.yaml
@@ -0,0 +1,131 @@
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '3s'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '3s'
+    valid_value: True
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '4000s'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '4000s'
+    valid_value: True
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '5m'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '5m'
+    valid_value: True
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '99h'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '99h'
+    valid_value: True
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '94201d'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '94201d'
+    valid_value: True
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '44sTesting'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '44sTesting'
+    valid_value: False
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: 'Testing44s'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: 'Testing44s'
+    valid_value: False
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '9hTesting'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '9hTesting'
+    valid_value: False
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '400mTesting'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '400mTesting'
+    valid_value: False
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: '3992'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: '3992'
+    valid_value: False
+
+- name: Basic configuration reconnect time
+  description: Basic configuration reconnect time
+  configuration_parameters:
+    LOCATION: 'Security'
+    LOG_FORMAT: 'eventchannel'
+    RECONNECT_TIME: 'Testing'
+  metadata:
+    location: 'Security'
+    log_format: 'eventchannel'
+    reconnect_time: 'Testing'
+    valid_value: False
diff --git a/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_target.yaml b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_target.yaml
new file mode 100644
index 0000000000..b0fbfe61ac
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/data/test_cases/cases_basic_configuration_target.yaml
@@ -0,0 +1,47 @@
+- name: Basic configuration target
+  description: Basic configuration target
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'syslog'
+    TARGET: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'syslog'
+    target: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration target
+  description: Basic configuration target
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'json'
+    TARGET: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'json'
+    target: 'custom_socket'
+    valid_value: True
+
+- name: Basic configuration target
+  description: Basic configuration target
+  configuration_parameters:
+    SOCKET_NAME: 'custom_socket2'
+    SOCKET_PATH: '/var/log/messages'
+    LOCATION: '/tmp/testing.log'
+    LOG_FORMAT: 'json'
+    TARGET: 'custom_socket'
+  metadata:
+    socket_name: 'custom_socket2'
+    socket_path: '/var/log/messages'
+    location: '/tmp/testing.log'
+    log_format: 'json'
+    target: 'custom_socket'
+    valid_value: False
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_alias.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_alias.py
new file mode 100644
index 0000000000..30203b57a0
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_alias.py
@@ -0,0 +1,164 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the log collector generates events using the alias
+       specified in the 'alias' tag when monitoring a command, and the Wazuh API returns the same
+       values for the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+    - macos
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#alias
+
+tags:
+    - logcollector_configuration
+'''
+import pytest
+import sys
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS, MACOS
+from wazuh_testing.modules.agentd import configuration as agentd_configuration
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Variables
+local_internal_options = {logcollector_configuration.LOGCOLLECTOR_DEBUG: '2', logcollector_configuration.LOGCOLLECTOR_REMOTE_COMMANDS: '1', agentd_configuration.AGENTD_WINDOWS_DEBUG: '2'}
+
+if sys.platform == WINDOWS:
+    command = 'tasklist'
+elif sys.platform == MACOS:
+    command = 'ps aux'
+else:
+    command = 'ps -aux'
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_alias.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+for test in test_metadata:
+    if test['command']:
+        test['command'] = command
+for test in test_configuration:
+    if test['COMMAND']:
+        test['COMMAND'] = command
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_alias(test_configuration, test_metadata, configure_local_internal_options, truncate_monitored_files,
+                            set_wazuh_configuration, daemons_handler):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon changes a command name in the log messages by
+                 the one defined in the 'alias' tag. For this purpose, the test will monitor a command
+                 using an alias. Then, it will verify that the 'reading command' event is generated.
+                 This event includes the output of the command executed and its alias. Finally, the test
+                 will verify that the Wazuh API returns the same values for the 'localfile' section that
+                 the configured one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that the logcollector monitors a command with an assigned alias.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+    input_description: A configuration template (test_basic_configuration_alias) is contained in an external YAML file
+                       (wazuh_basic_configuration.yaml). That template is combined with two test cases defined
+                       in the module. Those include configuration settings for the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'Reading command message.*'
+
+    tags:
+        - logs
+    '''
+
+    # Wait for command
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_READING_COMMAND_ALIAS, {
+                              'alias': test_metadata['alias']
+                          }))
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_COMMAND_MONITORING
+
+    if sys.platform != WINDOWS:
+        utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_command.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_command.py
new file mode 100644
index 0000000000..c178ce88b3
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_command.py
@@ -0,0 +1,160 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if monitored commands that use several parameters are
+       correctly executed by the logcollector, and the Wazuh API returns the same values for
+       the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+    - macos
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#command
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#alias
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format
+
+tags:
+    - logcollector_configuration
+'''
+import pytest, sys
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Variables
+local_internal_options = {logcollector_configuration.LOGCOLLECTOR_DEBUG: '2', logcollector_configuration.LOGCOLLECTOR_REMOTE_COMMANDS: '1'}
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_command.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_command.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_command(test_configuration, test_metadata, configure_local_internal_options, truncate_monitored_files,
+                            set_wazuh_configuration, daemons_handler):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon can monitor commands that use multiple parameters.
+                 For this purpose, the test will configure the logcollector to monitor a command, setting it
+                 in the 'command' tag. Once the logcollector has started, it will check if the 'monitoring'
+                 event, indicating that the command is being monitored, has been generated. Finally, the test
+                 will verify that the Wazuh API returns the same values for the 'localfile' section that
+                 the configured one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that the logcollector monitors the command specified in the 'command' tag.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+    input_description: A configuration template (test_basic_configuration_location) is contained in an external
+                       YAML file (wazuh_basic_configuration.yaml). That template is combined with different
+                       test cases defined in the module. Those include configuration settings for
+                       the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'INFO: Monitoring .* of command.*'
+
+    tags:
+        - logs
+    '''
+
+    # Wait for command
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    callback = None
+    if test_metadata['log_format'] == 'full_command':
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MONITORING_FULL_COMMAND, {
+                              'command': test_metadata['command']
+                          })
+    else:
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MONITORING_COMMAND, {
+                              'command': test_metadata['command']
+                          })
+    wazuh_log_monitor.start(callback=callback)
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_COMMAND_MONITORING
+
+    if sys.platform != WINDOWS:
+        utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_journald.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_journald.py
new file mode 100644
index 0000000000..9c9580a047
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_journald.py
@@ -0,0 +1,155 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the Wazuh component (agent or manager) starts when
+       the 'localfile' with 'journal' as 'log_format' is set in the configuration, and the Wazuh API returns the 
+       correct values for the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+
+tier: 0
+
+modules:
+    - logcollector
+
+components:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - CentOS 8
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
+
+tags:
+    - logcollector
+'''
+
+
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.utils import configuration
+
+from . import TEST_CASES_PATH
+from utils import build_tc_config, assert_list_logs
+
+
+LOG_COLLECTOR_GLOBAL_TIMEOUT = 40
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration
+journald_case_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_journald.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(journald_case_path)
+test_configuration = build_tc_config(test_configuration)
+
+daemon_debug = logcollector_configuration.LOGCOLLECTOR_DEBUG
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+local_internal_options = {daemon_debug: '1'}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_location(test_configuration, test_metadata, truncate_monitored_files, configure_local_internal_options,
+                                remove_all_localfiles_wazuh_config, set_wazuh_configuration, daemons_handler, wait_for_logcollector_start):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon starts properly when the 'journald' tag is used as log_format.
+                 For this purpose, the test will configure the logcollector to monitor a 'journald'.
+                 Finally, the test will verify that the Wazuh component is started by checking its process, and the Wazuh API returns the correct values
+                 for the 'localfile' section.
+
+    wazuh_min_version: 4.9.0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the 'local_internal_options' section in the 'internal_options.conf' file.
+        - remove_all_localfiles_wazuh_config:
+            type: fixture
+            brief: Remove all 'localfile' sections from the Wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - wait_for_logcollector_start:
+            type: fixture
+            brief: Wait for the logcollector startup log.
+
+    assertions:
+        - Verify that the Wazuh component (agent or manager) can start when the 'jouranld' tag is used as log_format.
+        - Verify that the Wazuh API returns the correct values for the 'localfile' section.
+        - Verify the correct messages are generated in the log file in the correct order.
+
+    input_description: A configuration file with journal block settings and the expected output for each test case.
+                       Those include configuration settings for `journal` configuration in 'wazuh-logcollector'.
+
+    expected_output:
+        - Boolean values to indicate the state of the Wazuh component.
+        - Did not receive the expected "ERROR: Could not EvtSubscribe() for ... which returned ..." event.
+
+    tags:
+        - invalid_settings
+    '''
+
+    # Logcollector always start, regardless of the configuration
+    utils.check_logcollector_socket()
+
+    # Check the messages in the log file
+    if 'expected_logs' in test_metadata:
+        assert_list_logs(test_metadata['expected_logs'])
+
+    # Get the localfile list from the runtime configuration
+    localfile_list = utils.get_localfile_runtime_configuration()
+
+    # Regardless of configuration, there should never be more than one journal block.
+    if 'journal_disabled' in test_metadata and test_metadata['journal_disabled']:
+        assert len(localfile_list) == 0, f"Invalid configuration but journal block found."
+        return
+    else:
+        assert len(localfile_list) == 1, f"Invalid configuration. More than one journal block found."
+
+    # Validate the test configuration with the runtime configuration
+    if 'expected_config' in test_metadata:
+        assert localfile_list[0] == test_metadata['expected_config'], f"Invalid configuration. Expected: {test_metadata['expected_config']}. Found: {localfile_list[0]}"
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_label.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_label.py
new file mode 100644
index 0000000000..e2068a12cb
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_label.py
@@ -0,0 +1,160 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the Wazuh component (agent or manager) starts when
+       the 'label' tag is set in the configuration, and the Wazuh API returns the same values for
+       the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+    - macos
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#label
+
+tags:
+    - logcollector_configuration
+'''
+
+import pytest, sys, tempfile, re, os
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Configuration
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_label.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_label.yaml')
+
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+
+folder_path = tempfile.gettempdir()
+location = os.path.join(folder_path, 'test.txt')
+for test in test_metadata:
+    if test['location']:
+        test['location'] = re.escape(location)
+for test in test_configuration:
+    if test['LOCATION']:
+        test['LOCATION'] = location
+
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_label(test_configuration, test_metadata, set_wazuh_configuration, daemons_handler_module, stop_logcollector):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon can monitor log files configured to use labels.
+                 For this purpose, the test will configure the logcollector to use labels, setting them
+                 in the label 'tag'. Once the logcollector has started, it will check if the 'analyzing'
+                 event, indicating that the testing log file is being monitored, has been generated.
+                 Finally, the test will verify that the Wazuh API returns the same values for
+                 the 'localfile' section that the configured one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler_module:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - stop_logcollector:
+            type: fixture
+            brief: Stop logcollector daemon.
+
+    assertions:
+        - Verify that the logcollector monitors files when using the 'label' tag.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+    input_description: A configuration template (test_basic_configuration_label) is contained in an external
+                       YAML file (wazuh_basic_configuration.yaml). That template is combined with different
+                       test cases defined in the module. Those include configuration settings for
+                       the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'Analyzing file.*'
+
+    tags:
+        - invalid_settings
+        - logs
+    '''
+
+    control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+
+    # Wait for command
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_ANALYZING_FILE, {
+                              'file': test_metadata['location']
+                          }), timeout=10)
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_ANALYZING_FILE
+
+    if sys.platform != WINDOWS:
+        utils.check_logcollector_socket()
+        utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_location.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_location.py
new file mode 100644
index 0000000000..7d0340dc80
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_location.py
@@ -0,0 +1,194 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the Wazuh component (agent or manager) starts when
+       the 'location' tag is set in the configuration, and the Wazuh API returns the same values for
+       the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+
+tier: 0
+
+modules:
+    - logcollector
+
+components:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+    - macos
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format
+
+tags:
+    - logcollector
+'''
+
+
+import pytest, sys, os
+import tempfile
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS, MACOS
+from wazuh_testing.modules.agentd import configuration as agentd_configuration
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+LOG_COLLECTOR_GLOBAL_TIMEOUT = 40
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Configuration
+default_config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_log_format_location.yaml')
+default_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_location.yaml')
+
+macos_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_location_macos.yaml')
+
+win_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_location_win.yaml')
+
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(default_cases_path)
+
+folder_path = tempfile.gettempdir()
+for test in test_metadata:
+    if test['location']:
+        location = test['location']
+        test['location'] = f'{os.path.join(folder_path, location)}'
+for test in test_configuration:
+    if test['LOCATION']:
+        location = test['LOCATION']
+        test['LOCATION'] = f'{os.path.join(folder_path, location)}'
+
+test_configuration = configuration.load_configuration_template(default_config_path, test_configuration, test_metadata)
+
+test_macos_configuration, test_macos_metadata, test_macos_cases_ids = configuration.get_test_cases_data(macos_cases_path)
+test_macos_dup_configuration = configuration.load_configuration_template(default_config_path, test_macos_configuration, test_macos_metadata)
+
+test_win_configuration, test_win_metadata, test_win_cases_ids = configuration.get_test_cases_data(win_cases_path)
+test_win_configuration = configuration.load_configuration_template(default_config_path, test_win_configuration, test_win_metadata)
+
+
+daemon_debug = logcollector_configuration.LOGCOLLECTOR_DEBUG
+
+if sys.platform == MACOS:
+    test_configuration += test_macos_dup_configuration
+    test_metadata += test_macos_metadata
+    test_cases_ids += test_macos_cases_ids
+if sys.platform == WINDOWS:
+    test_configuration += test_win_configuration
+    test_metadata += test_win_metadata
+    test_cases_ids += test_win_cases_ids
+    daemon_debug = agentd_configuration.AGENTD_WINDOWS_DEBUG
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+local_internal_options = {daemon_debug: '1'}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_location(test_configuration, test_metadata, truncate_monitored_files, configure_local_internal_options,
+                                set_wazuh_configuration, daemons_handler, wait_for_logcollector_start):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon starts properly when the 'location' tag is used.
+                 For this purpose, the test will configure the logcollector to monitor a 'syslog' directory
+                 and use a pathname with special characteristics. Finally, the test will verify that the
+                 Wazuh component is started by checking its process, and the Wazuh API returns the same
+                 values for the 'localfile' section that the configured one.
+
+    wazuh_min_version: 4.2.0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - wait_for_logcollector_start:
+            type: fixture
+            brief: Wait for the logcollector startup log.
+
+    assertions:
+        - Verify that the Wazuh component (agent or manager) can start when the 'location' tag is used.
+        - Verify that the Wazuh API returns the same value for the 'localfile' section as the configured one.
+        - Verify that the expected event is present in the log file.
+
+    input_description: A configuration template (test_basic_configuration_location) is contained in an external
+                       YAML file (wazuh_basic_configuration.yaml). That template is combined with different
+                       test cases defined in the module. Those include configuration settings for
+                       the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - Boolean values to indicate the state of the Wazuh component.
+        - Did not receive the expected "ERROR: Could not EvtSubscribe() for ... which returned ..." event.
+
+    tags:
+        - invalid_settings
+    '''
+
+    if sys.platform == WINDOWS:
+        if test_metadata['location'] == 'invalidchannel':
+            wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+            callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_EVENTCHANNEL_BAD_FORMAT,
+                                                            {'event_location': test_metadata['location']})
+            wazuh_log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=callback)
+            assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_EVENTCHANNEL
+    else:
+        if test_metadata['validate_config']:
+            utils.check_logcollector_socket()
+            if test_metadata['location'] != 'macos' and test_metadata['log_format'] != 'macos':
+                utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_log_format.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_log_format.py
new file mode 100644
index 0000000000..d8ec6639cb
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_log_format.py
@@ -0,0 +1,327 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the logcollector detects invalid values for
+       the 'log_format' tag and the Wazuh API returns the same values for the configured
+       'localfile' section. They also check some special aspects when macOS is used.
+       Log data collection is the real-time process of making sense out of
+       the records generated by servers or devices. This component can receive logs through
+       text files or Windows event logs. It can also directly receive logs via remote syslog
+       which is useful for firewalls and other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+    - macos
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location
+
+tags:
+    - logcollector_configuration
+'''
+
+import pytest, sys, os, tempfile, re
+import subprocess as sb
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH, MACOS_LOG_COMMAND_PATH
+from wazuh_testing.constants.platforms import WINDOWS, MACOS
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.modules.logcollector import patterns, PREFIX
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+LOG_COLLECTOR_GLOBAL_TIMEOUT = 40
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Configuration
+
+default_config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_log_format.yaml')
+default_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_log_format.yaml')
+
+macos_duplicated_config_path = Path(CONFIGURATIONS_PATH, 'wazuh_duplicated_macos_configuration.yaml')
+macos_duplicated_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_log_format_macos_duplicated.yaml')
+
+macos_no_defined_config_path = Path(CONFIGURATIONS_PATH, 'wazuh_no_defined_location_macos_configuration.yaml')
+macos_no_defined_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_log_format_macos_no_defined.yaml')
+
+win_config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_log_format_location.yaml')
+win_cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_log_format_win.yaml')
+
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(default_cases_path)
+
+folder_path = tempfile.gettempdir()
+location = os.path.join(folder_path, 'test.txt')
+for test in test_metadata:
+    if test['location'] and test['log_format'] != 'djb-multilog':
+        test['location'] = re.escape(location)
+for test in test_configuration:
+    if test['LOCATION'] and test['LOG_FORMAT'] != 'djb-multilog':
+        test['LOCATION'] = location
+
+test_configuration = configuration.load_configuration_template(default_config_path, test_configuration, test_metadata)
+
+test_macos_dup_configuration, test_macos_dup_metadata, test_macos_dup_cases_ids = configuration.get_test_cases_data(macos_duplicated_cases_path)
+test_macos_dup_configuration = configuration.load_configuration_template(macos_duplicated_config_path, test_macos_dup_configuration, test_macos_dup_metadata)
+
+test_macos_nodef_configuration, test_macos_nodef_metadata, test_macos_nodef_cases_ids = configuration.get_test_cases_data(macos_no_defined_cases_path)
+test_macos_nodef_configuration = configuration.load_configuration_template(macos_no_defined_config_path, test_macos_nodef_configuration, test_macos_nodef_metadata)
+
+test_win_configuration, test_win_metadata, test_win_cases_ids = configuration.get_test_cases_data(win_cases_path)
+test_win_configuration = configuration.load_configuration_template(win_config_path, test_win_configuration, test_win_metadata)
+
+
+if sys.platform == MACOS:
+    test_configuration += test_macos_dup_configuration
+    test_configuration += test_macos_nodef_configuration
+    test_metadata += test_macos_dup_metadata
+    test_metadata += test_macos_nodef_metadata
+    test_cases_ids += test_macos_dup_cases_ids
+    test_cases_ids += test_macos_nodef_cases_ids
+if sys.platform == WINDOWS:
+    test_configuration += test_win_configuration
+    test_metadata += test_win_metadata
+    test_cases_ids += test_win_cases_ids
+
+
+local_internal_options = {logcollector_configuration.LOGCOLLECTOR_REMOTE_COMMANDS: '1', logcollector_configuration.LOGCOLLECTOR_DEBUG: '2'}
+
+log_format_not_print_analyzing_info = ['command', 'full_command', 'eventlog', 'eventchannel', 'macos']
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+def check_log_format_valid(test_configuration, test_metadata):
+    """Check if Wazuh run correctly with the specified log formats.
+
+    Ensure logcollector allows the specified log formats. Also, in the case of the manager instance, check if the API
+    answer for localfile block coincides.
+
+    Raises:
+        TimeoutError: If the "Analyzing file" callback is not generated.
+        AssertError: In the case of a server instance, the API response is different that the real configuration.
+    """
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    if test_metadata['log_format'] not in log_format_not_print_analyzing_info:
+        wazuh_log_monitor.start(timeout=5,
+                                callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_ANALYZING_FILE,
+                                                   {'file': test_metadata['location']}))
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_ANALYZING_FILE
+    elif 'command' in test_metadata['log_format']:
+        if test_metadata['log_format'] == 'full_command':
+            callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MONITORING_FULL_COMMAND, {
+                                'command': test_metadata['command']})
+        else:
+            callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MONITORING_COMMAND, {
+                                'command': test_metadata['command']})
+        wazuh_log_monitor.start(timeout=5, callback=callback)
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_COMMAND_MONITORING
+    elif test_metadata['log_format'] == 'djb-multilog':
+        wazuh_log_monitor.start(timeout=5,
+                                callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_DJB_PROGRAM_NAME,
+                                                   {'program_name': test_metadata['location']}))
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_DJB_MULTILOG_NOT_PRODUCED
+    elif test_metadata['log_format'] == 'macos':
+        if 'location' in test_metadata and test_metadata['location'] != 'macos':
+            wazuh_log_monitor.start(timeout=5,
+                                    callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MACOS_INVALID_LOCATION,
+                                                    {'location': test_metadata['location']}))
+            assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_INVALID_MACOS_VALUE
+        if 'location' not in test_metadata:
+            wazuh_log_monitor.start(timeout=5,
+                                    callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MACOS_MISSING_LOCATION))
+            assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_MISSING_LOCATION_VALUE
+
+        wazuh_log_monitor.start(timeout=5,
+                                callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MACOS_MONITORING_LOGS,
+                                                   {'command_path': MACOS_LOG_COMMAND_PATH}))
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_MACOS_LOG_NOT_PRODUCED
+
+
+def check_log_format_invalid(test_metadata):
+    """Check if Wazuh fails because a invalid frequency configuration value.
+
+    Args:
+        test_configuration (dict): Dictionary with the localfile configuration.
+
+    Raises:
+        TimeoutError: If error callback are not generated.
+    """
+
+    if test_metadata['valid_value']:
+        pytest.skip('Valid values provided')
+
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    log_callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_INVALID_VALUE_ELEMENT,
+                                                {'prefix' : PREFIX,
+                                                'option': 'log_format',
+                                                'value' : test_metadata['log_format']})
+    wazuh_log_monitor.start(timeout=5, callback=log_callback)
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_GENERIC_MESSAGE
+
+    log_callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_CONFIGURATION_ERROR,
+                                                {'prefix' : PREFIX,
+                                                 'severity' : 'ERROR',
+                                                'conf_path' : "etc/ossec.conf"})
+    wazuh_log_monitor.start(timeout=5, callback=log_callback)
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_GENERIC_MESSAGE
+
+    if sys.platform != WINDOWS:
+
+        log_callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_CONFIGURATION_ERROR,
+                                                {'prefix' : PREFIX,
+                                                 'severity' : 'ERROR',
+                                                'conf_path' : "etc/ossec.conf"})
+        wazuh_log_monitor.start(timeout=5, callback=log_callback)
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_GENERIC_MESSAGE
+
+
+def check_log_file_duplicated():
+    """Check if Wazuh shows a warning message when the configuration is duplicated."""
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT,
+                            callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_LOG_FILE_DUPLICATED))
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_LOG_FILE_DUPLICATED
+    wazuh_log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT,
+                            callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_MACOS_MONITORING_LOGS,
+                                                                 {'command_path': MACOS_LOG_COMMAND_PATH}))
+    assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_ANALYZING_MACOS
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_log_format(test_configuration, test_metadata, configure_local_internal_options, truncate_monitored_files,
+                    set_wazuh_configuration, daemons_handler_module, stop_logcollector):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon detects invalid configurations for the 'log_format' tag.
+                 It also checks some special aspects when using macOS. For this purpose, the test will set a
+                 'localfile' section using valid/invalid values for the 'log_format' tag. Then, it will check if
+                 an error event is generated when using an invalid value. If macOS is the host system, the test
+                 will verify that only one configuration block is used, and the 'location' tag allows invalid values.
+                 Finally, the test will verify that the Wazuh API returns the same values for the 'localfile' section
+                 that the configured one.
+
+    wazuh_min_version: 4.4.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler_module:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - stop_logcollector:
+            type: fixture
+            brief: Stop logcollector daemon.
+
+    assertions:
+        - Verify that the logcollector generates error events when using invalid values for the 'log_format' tag.
+        - Verify that the logcollector accepts invalid values for the 'location' tag when 'macos' log format is set.
+        - Verify that the logcollector uses the default macOS value for the 'location' tag when it is not defined.
+        - Verify that the logcollector allows only one macOS configuration section.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+
+    input_description: A configuration templates (test_basic_configuration_log_format) are contained in externals
+                       YAML files (wazuh_basic_configuration.yaml, wazuh_duplicated_macos_configuration.yaml, and
+                       wazuh_no_defined_location_macos_configuration.yaml). Those templates are combined with
+                       different test cases defined in the module. Those include configuration settings for
+                       the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'Analyzing file.*'
+        - r'INFO: Monitoring .* of command.*'
+        - r'INFO: Using program name .* for DJB multilog file.*'
+        - r'Invalid value for element .*'
+        - r'Configuration error at .*'
+        - r"Can't add more than one 'macos' block"
+        - r'Monitoring macOS logs with'
+        - r"Invalid location value .* when using 'macos' as 'log_format'. Default value will be used."
+        - r"Missing 'location' element when using 'macos' as 'log_format'. Default value will be used."
+
+    tags:
+        - invalid_settings
+        - logs
+    '''
+
+    if test_metadata['valid_value']:
+        control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+        if 'location1' in test_metadata:
+            check_log_file_duplicated()
+        else:
+            check_log_format_valid(test_configuration, test_metadata)
+    else:
+        if sys.platform == WINDOWS:
+            pytest.xfail("Windows agent allows invalid localfile configuration:\
+                          https://github.com/wazuh/wazuh/issues/10890")
+            expected_exception = ValueError
+        else:
+            expected_exception = sb.CalledProcessError
+
+        with pytest.raises(expected_exception):
+            control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+        check_log_format_invalid(test_metadata)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_out_format.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_out_format.py
new file mode 100644
index 0000000000..8a72f14d13
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_out_format.py
@@ -0,0 +1,163 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the logcollector detects invalid values for
+       the 'out_format' tag and the Wazuh API returns the same values for the configured
+       'localfile' section. Log data collection is the real-time process of making sense out
+       of the records generated by servers or devices. This component can receive logs through
+       text files or Windows event logs. It can also directly receive logs via remote syslog
+       which is useful for firewalls and other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format
+
+tags:
+    - logcollector_configuration
+'''
+import pytest, sys
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_out_format.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_out_format.yaml')
+local_internal_options = {logcollector_configuration.LOGCOLLECTOR_DEBUG: '2'}
+
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_out_format(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options, daemons_handler_module, stop_logcollector):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon detects invalid settings for the 'out_format' tag.
+                 For this purpose, the test will set a 'localfile' section using both valid and invalid values
+                 for that tag. It also will set a 'socket' section to specify a custom socket. Finally, the
+                 test will verify that the 'socket target' event is triggered when using a valid value or if
+                 an error event is generated when using an invalid one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - daemons_handler_module:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - stop_logcollector:
+            type: fixture
+            brief: Stop logcollector daemon.
+
+    assertions:
+        - Verify that the logcollector generates error events when using invalid values
+          for the 'out_format' tag.
+        - Verify that the logcollector generates 'socket target' events when using valid values
+          for the 'out_format' tag.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+    input_description: A configuration template (test_basic_configuration_out_format) is contained in an
+                       external YAML file (wazuh_basic_configuration.yaml). That template is combined with
+                       different test cases defined in the module. Those include configuration settings
+                       for the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'DEBUG: Socket target for .* -> .*'
+        - r'WARNING: Log target .* not found for the output format of localfile .*'
+
+    tags:
+        - invalid_settings
+        - logs
+    '''
+
+    control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+
+    callback = None
+    assert_error = None
+    if test_metadata['valid_value']:
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_SOCKET_TARGET_VALID, {
+                              'location': test_metadata['location'],
+                              'socket_name': test_metadata['target']
+                          })
+        assert_error = patterns.ERROR_TARGET_SOCKET
+    else:
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_LOG_TARGET_NOT_FOUND, {
+                              'socket_name': test_metadata['target_out_format'],
+                              'location': test_metadata['location']
+                          })
+        assert_error = patterns.ERROR_TARGET_SOCKET_NOT_FOUND
+
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback, timeout=10)
+
+    assert wazuh_log_monitor.callback_result, assert_error
+
+
+    if test_metadata['valid_value'] and sys.platform != WINDOWS:
+        utils.check_logcollector_socket()
+        utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_reconnect_time.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_reconnect_time.py
new file mode 100644
index 0000000000..ad4e6cfa2e
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_reconnect_time.py
@@ -0,0 +1,151 @@
+'''
+copyright: Copyright (C) 2015-2024 Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the logcollector detects invalid values for the
+       'reconnect_time' tag. Log data collection is the real-time process of making sense out
+       of the records generated by servers or devices. This component can receive logs through
+       text files or Windows event logs. It can also directly receive logs via remote syslog
+       which is useful for firewalls and other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+
+os_platform:
+    - windows
+
+os_version:
+    - Windows 10
+    - Windows 8
+    - Windows 7
+    - Windows Server 2019
+    - Windows Server 2016
+    - Windows Server 2012
+    - Windows Server 2003
+    - Windows XP
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#reconnect-time
+
+tags:
+    - logcollector_configuration
+'''
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+LOG_COLLECTOR_GLOBAL_TIMEOUT = 40
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Test metadata, configuration and ids.
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_reconnect_time.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_reconnect_time.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+problematic_values = ['44sTesting', '9hTesting', '400mTesting', '3992']
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_reconnect_time(test_configuration, test_metadata, truncate_monitored_files,
+                                      set_wazuh_configuration, daemons_handler_module, stop_logcollector):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon detects invalid settings for the 'reconnect_time' tag.
+                 For this purpose, the test will set a 'localfile' section using both valid and invalid values
+                 for that tag. Finally, the test will verify that the 'analyzing' event is triggered when using
+                 a valid value or if the 'invalid' event is generated when using an invalid one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler_module:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - stop_logcollector:
+            type: fixture
+            brief: Stop logcollector daemon.
+
+    assertions:
+        - Verify that the logcollector generates 'invalid' events when using invalid values
+          for the 'reconnect_time' tag.
+        - Verify that the logcollector monitors a log file when using valid values for the 'reconnect_time' tag.
+
+    input_description: A configuration template (test_basic_configuration_reconnect_time) is contained in an
+                       external YAML file (wazuh_basic_configuration.yaml). That template is combined with
+                       different test cases defined in the module. Those include configuration settings
+                       for the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'Analyzing event log.*'
+        - r'Invalid reconnection time value. Changed to .* seconds.'
+
+    tags:
+        - invalid_settings
+        - logs
+    '''
+
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    if test_metadata['valid_value']:
+        control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+        callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_ANALYZING_EVENT_LOG,
+                                                            {'event_location': test_metadata['location']})
+        wazuh_log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=callback)
+        assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_GENERIC_MESSAGE
+    else:
+        if test_metadata['reconnect_time'] in problematic_values:
+            pytest.xfail("Logcolector accepts invalid values. Issue: https://github.com/wazuh/wazuh/issues/8158")
+        else:
+            control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+            callback = callbacks.generate_callback(patterns.LOGCOLLECTOR_INVALID_RECONNECTION_TIME_VALUE,
+                                                            {'severity': 'WARNING',
+                                                             'default_value':'5'})
+            wazuh_log_monitor.start(timeout=5, callback=callback)
+            assert (wazuh_log_monitor.callback_result != None), patterns.ERROR_INVALID_RECONNECTION_TIME
diff --git a/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_target.py b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_target.py
new file mode 100644
index 0000000000..629e301211
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_configuration/test_basic_configuration_target.py
@@ -0,0 +1,163 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the logcollector detects that a custom socket is
+       undefined if the 'target' attribute of the 'out_format' tag has the name of an unexistent
+       socket (invalid value). Log data collection is the real-time process of making sense out
+       of the records generated by servers or devices. This component can receive logs through
+       text files or Windows event logs. It can also directly receive logs via remote syslog
+       which is useful for firewalls and other such devices.
+
+components:
+    - logcollector
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+
+os_platform:
+    - linux
+    - macos
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - macOS Catalina
+    - macOS Server
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format
+
+tags:
+    - logcollector_configuration
+'''
+
+import pytest, sys
+
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+from wazuh_testing.constants.daemons import LOGCOLLECTOR_DAEMON
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.modules.logcollector import patterns
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file
+
+from . import TEST_CASES_PATH, CONFIGURATIONS_PATH
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.darwin, pytest.mark.tier(level=0)]
+
+# Configuration
+cases_path = Path(TEST_CASES_PATH, 'cases_basic_configuration_target.yaml')
+config_path = Path(CONFIGURATIONS_PATH, 'wazuh_basic_configuration_target.yaml')
+local_internal_options = {logcollector_configuration.LOGCOLLECTOR_DEBUG: '2'}
+
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(cases_path)
+
+test_configuration = configuration.load_configuration_template(config_path, test_configuration, test_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_target(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options, daemons_handler_module, stop_logcollector):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon detects invalid configurations for the 'target' attribute
+                 of the 'out_format' tag. For this purpose, the test will set a 'socket' section to specify a custom
+                 socket, and a 'localfile' section using valid/invalid values for that attribute. Then, it will check
+                 if an event indicating that the socket is not defined when using an invalid value, or if an event
+                 indicating that the socket is detected when using valid ones. Finally, the test will verify that
+                 the Wazuh API returns the same values for the 'localfile' section that the configured one.
+
+    wazuh_min_version: 4.2.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the Wazuh local internal options.
+        - daemons_handler_module:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - stop_logcollector:
+            type: fixture
+            brief: Stop logcollector daemon.
+
+    assertions:
+        - Verify that the logcollector detects undefined sockets when using invalid values for the 'target' attribute.
+        - Verify that the logcollector detects custom sockets when using valid values for the 'target' attribute.
+        - Verify that the Wazuh API returns the same values for the 'localfile' section as the configured one.
+
+    input_description: A configuration template (test_basic_configuration_target) is contained in an external
+                       YAML file (wazuh_basic_configuration.yaml). That template is combined with different
+                       test cases defined in the module. Those include configuration settings
+                       for the 'wazuh-logcollector' daemon.
+
+    expected_output:
+        - r'Socket target for .* -> .*'
+        - r'Socket .* for .* is not defined."
+
+    tags:
+        - invalid_settings
+    '''
+
+    control_service('start', daemon=LOGCOLLECTOR_DAEMON)
+
+    callback = None
+    assert_error = None
+    if test_metadata['valid_value']:
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_SOCKET_TARGET_VALID, {
+                              'location': test_metadata['location'],
+                              'socket_name': test_metadata['target']
+                          })
+        assert_error = patterns.ERROR_TARGET_SOCKET
+    else:
+        callback=callbacks.generate_callback(patterns.LOGCOLLECTOR_SOCKET_TARGET_NOT_DEFINED, {
+                              'socket_name': test_metadata['target'],
+                              'location': test_metadata['location']
+                          })
+        assert_error = patterns.ERROR_TARGET_SOCKET_NOT_FOUND
+
+    wazuh_log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback, timeout=10)
+    assert wazuh_log_monitor.callback_result, assert_error
+
+    if test_metadata['valid_value'] and sys.platform != WINDOWS:
+        utils.check_logcollector_socket()
+        utils.validate_test_config_with_module_config(test_configuration=test_configuration)
diff --git a/src/modules/logcollector/tests/integration/test_read/__init__.py b/src/modules/logcollector/tests/integration/test_read/__init__.py
new file mode 100644
index 0000000000..c1e575f1cd
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_read/__init__.py
@@ -0,0 +1,12 @@
+"""
+Copyright (C) 2015-2024, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+from pathlib import Path
+
+
+# Constants & base paths
+TEST_DATA_PATH = Path(Path(__file__).parent, 'data')
+TEST_CASES_PATH = Path(TEST_DATA_PATH, 'test_cases')
+CONFIGURATIONS_PATH = Path(TEST_DATA_PATH, 'configuration_templates')
diff --git a/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_basic.yaml b/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_basic.yaml
new file mode 100644
index 0000000000..2f88721fea
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_basic.yaml
@@ -0,0 +1,86 @@
+# Basic configuration for journald without filters or merge
+- name: Test Journal reader default configuration
+  description: A basic configuration for journald, 1 block without filters, read all
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+  metadata:
+    expected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ \S+\[\d+]: This is a message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ \S+\[\d+]: This is a message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ \S+\[\d+]: This is a message from journald 3'
+    input_logs:
+      - message: This is a message from journald 1
+      - message: This is a message from journald 2
+      - message: This is a message from journald 3
+      
+
+- name:  Test Journal reader Filter by field
+  description: Test Journal reader, filter by field
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: test-IT-tag-\d
+           attributes:
+             - field: SYSLOG_IDENTIFIER
+             - ignore_if_missing: 'no'
+  metadata:
+    expected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-1\[\d+]: This is a message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-2\[\d+]: This is a message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-3\[\d+]: This is a message from journald 3'
+    unexpected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ other-tag\[\d+]: .*'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ other-tag-2\[\d+]: .*'
+    input_logs:
+      - message: "This is a message from journald 1"
+        tag: "test-IT-tag-1"
+      - message: "This is a message from other proccess"
+        tag: "other-tag"
+      - message: "This is a message from journald 2"
+        tag: "test-IT-tag-2"
+      - message: "This is a message from other proccess 2"
+        tag: "other-tag-2"
+      - message: "This is a message from journald 3"
+        tag: "test-IT-tag-3"
+      
+
+- name: Test Journal reader, merge, with disabled filters in journal
+  description: Disable filters on merge, 2 blocks, 1 with filter, 1 without filter
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - filter:
+           value: test-IT-tag-\d
+           attributes:
+             - field: SYSLOG_IDENTIFIER
+             - ignore_if_missing: 'no'
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+  metadata:
+    expected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-1\[\d+]: This is a message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ other-tag\[\d+]: .*'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-2\[\d+]: This is a message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ other-tag-2\[\d+]: .*'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-IT-tag-3\[\d+]: This is a message from journald 3'
+    input_logs:
+      - message: "This is a message from journald 1"
+        tag: "test-IT-tag-1"
+      - message: "This is a message from other proccess"
+        tag: "other-tag"
+      - message: "This is a message from journald 2"
+        tag: "test-IT-tag-2"
+      - message: "This is a message from other proccess 2"
+        tag: "other-tag-2"
+      - message: "This is a message from journald 3"
+        tag: "test-IT-tag-3"
diff --git a/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_ofe.yaml b/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_ofe.yaml
new file mode 100644
index 0000000000..8a86b0219e
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_read/data/test_cases/cases_read_journald_ofe.yaml
@@ -0,0 +1,132 @@
+- name: Test Journal only future events
+  description: This test check if logcollector is able to read old logs from journald before the agent starts
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - only-future-events:
+          value: 'no'
+      - filter:
+           value: test-journald-ofe
+           attributes:
+             - field: SYSLOG_IDENTIFIER
+             - ignore_if_missing: 'no'
+
+  metadata:
+    expected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 3'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 4'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 5'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 6'
+    # Logs before the start the agent
+    pre_input_logs:
+      - message: "Message from journald 1"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 2"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 3"
+        tag: "test-journald-ofe"
+    # Logs after the start the agent
+    post_input_logs:
+      - message: "Message from journald 4"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 5"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 6"
+        tag: "test-journald-ofe"
+
+
+# Basic configuration for journald without filters or merge
+- name: Test Journal only future events, with timestamp set in the future 
+  description: | 
+          This test set the timestamp in the future, so it shuold be detected and 
+          the logs should be read in realtime before logcollector starts
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - only-future-events:
+          value: 'no'
+      - filter:
+           value: test-journald-ofe
+           attributes:
+             - field: SYSLOG_IDENTIFIER
+             - ignore_if_missing: 'no'
+
+  metadata:
+    force_timestamp: "2051233199000000" # 2034-12-31 23:59:59
+    unexpected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 3'
+    expected_logs:
+      - The timestamp '2051233199000000' is in the future or invalid. Using the most recent entry.
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 4'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 5'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 6'
+    # Logs before the start the agent
+    pre_input_logs:
+      - message: "Message from journald 1"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 2"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 3"
+        tag: "test-journald-ofe"
+    # Logs after the start the agent
+    post_input_logs:
+      - message: "Message from journald 4"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 5"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 6"
+        tag: "test-journald-ofe"
+
+# Basic configuration for journald without filters or merge
+- name: Test Journal only future events, with timestamp set in the future 
+  description: |
+        This test set the timestamp in the future, so it shuold be detected and the logs 
+        should be read in realtime before logcollector starts
+  configuration_parameters:
+    - - location:
+          value: journald
+      - log_format:
+          value: journald
+      - only-future-events:
+          value: 'no'
+      - filter:
+           value: test-journald-ofe
+           attributes:
+             - field: SYSLOG_IDENTIFIER
+             - ignore_if_missing: 'no'
+
+  metadata:
+    force_timestamp: "0" # 2034-12-31 23:59:59
+    unexpected_logs:
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 1'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 2'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 3'
+    expected_logs:
+      - The timestamp '0' is in the future or invalid. Using the most recent entry.
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 4'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 5'
+      - '\w+ \d+ \d+:\d+:\d+ \S+ test-journald-ofe\[\d+]: Message from journald 6'
+    # Logs before the start the agent
+    pre_input_logs:
+      - message: "Message from journald 1"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 2"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 3"
+        tag: "test-journald-ofe"
+    # Logs after the start the agent
+    post_input_logs:
+      - message: "Message from journald 4"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 5"
+        tag: "test-journald-ofe"
+      - message: "Message from journald 6"
+        tag: "test-journald-ofe"
diff --git a/src/modules/logcollector/tests/integration/test_read/test_read_journald_basic.py b/src/modules/logcollector/tests/integration/test_read/test_read_journald_basic.py
new file mode 100644
index 0000000000..d262a9e6f1
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_read/test_read_journald_basic.py
@@ -0,0 +1,167 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the Wazuh component (agent or manager) starts when
+       the 'location' tag is set in the configuration, and the Wazuh API returns the same values for
+       the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+       This test suite will check the 'journald' log format, which is a system service that collects and stores
+       logging data. The 'journald' log format is used by the 'systemd-journald' API.
+
+tier: 0
+
+modules:
+    - logcollector
+
+components:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - CentOS 8
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
+
+tags:
+    - logcollector
+'''
+
+
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.utils import configuration
+
+from . import TEST_CASES_PATH
+from utils import build_tc_config, assert_list_logs, assert_not_list_logs, send_log_to_journal
+
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration
+journald_case_path = Path(TEST_CASES_PATH, 'cases_read_journald_basic.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(journald_case_path)
+test_configuration = build_tc_config(test_configuration)
+
+daemon_debug = logcollector_configuration.LOGCOLLECTOR_DEBUG
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+local_internal_options = {daemon_debug: '2'}
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_location(test_configuration, test_metadata, truncate_monitored_files, configure_local_internal_options,
+                                remove_all_localfiles_wazuh_config, set_wazuh_configuration, daemons_handler, wait_for_logcollector_start):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon starts properly when the 'journald' tag is used and read the logs from the 'systemd/journald' component.
+                 For this purpose, the test will configure the logcollector to monitor a 'journald'.
+                 Finally, the test will verify that the Wazuh-logcollector read the logs, and the Wazuh API returns the correct values
+                 for the 'localfile' section.
+
+    wazuh_min_version: 4.9.0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the 'local_internal_options' section in the 'internal_options.conf' file.
+        - remove_all_localfiles_wazuh_config:
+            type: fixture
+            brief: Remove all 'localfile' sections from the Wazuh configuration.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - wait_for_logcollector_start:
+            type: fixture
+            brief: Wait for the logcollector startup log.
+
+    assertions:
+        - Verify that the Wazuh component (agent or manager) can start when the 'jouranld' tag is used.
+        - Verify that the Wazuh component (agent or manager) can read the logs from the 'systemd-journald'.
+        - Verify the correct messages are generated in the log file in the correct order.
+
+
+    input_description: A configuration file with journal block settings and the expected log messages.
+                       Those include configuration settings for `journal` configuration in 'wazuh-logcollector'.
+
+    expected_output:
+        - Boolean values to indicate the state of the Wazuh component.
+        - Did not receive the expected "ERROR: Could not EvtSubscribe() for ... which returned ..." event.
+
+    tags:
+        - invalid_settings
+    '''
+
+    # Logcollector always start, regardless of the configuration
+    utils.check_logcollector_socket()
+
+    # Send log messages to the monitored file
+    if 'input_logs' not in test_metadata:
+        raise Exception(f"Log messages not found in the test metadata.")
+    else:
+        for log_message in test_metadata['input_logs']:
+            send_log_to_journal(log_message)
+
+    # Check the messages in the log file
+    if 'expected_logs' in test_metadata:
+        # Append regex to expected logs
+        for i, log_message in enumerate(test_metadata['expected_logs']):
+            test_metadata['expected_logs'][i] = f".*Reading from journal: '{log_message}'"
+        assert_list_logs(test_metadata['expected_logs'])
+    
+    if 'unexpected_logs' in test_metadata:
+        # Append regex to unexpected logs
+        for i, log_message in enumerate(test_metadata['unexpected_logs']):
+            test_metadata['unexpected_logs'][i] = f".*Reading from journal: '{log_message}'"
+        assert_not_list_logs(test_metadata['unexpected_logs'])
+
+    # Get the localfile list from the runtime configuration
+    localfile_list = utils.get_localfile_runtime_configuration()
+
+    # Regardless of configuration, there should never be more than one journal block.
+    if 'journal_disabled' in test_metadata and test_metadata['journal_disabled']:
+        assert len(localfile_list) == 0, f"Invalid configuration but journal block found."
+        return
+    else:
+        assert len(localfile_list) == 1, f"Invalid configuration. More than one journal block found."
diff --git a/src/modules/logcollector/tests/integration/test_read/test_read_journald_ofe.py b/src/modules/logcollector/tests/integration/test_read/test_read_journald_ofe.py
new file mode 100644
index 0000000000..f8735429b7
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/test_read/test_read_journald_ofe.py
@@ -0,0 +1,178 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages.
+       Specifically, these tests will check if the Wazuh component (agent or manager) starts when
+       the 'location' tag is set in the configuration, and the Wazuh API returns the same values for
+       the configured 'localfile' section.
+       Log data collection is the real-time process of making sense out of the records generated by
+       servers or devices. This component can receive logs through text files or Windows event logs.
+       It can also directly receive logs via remote syslog which is useful for firewalls and
+       other such devices.
+       This test suite will check the 'journald' log format, which is a system service that collects and stores
+       logging data. The 'journald' log format is used by the 'systemd-journald' API.
+
+tier: 0
+
+modules:
+    - logcollector
+
+components:
+    - agent
+
+daemons:
+    - wazuh-logcollector
+    - wazuh-apid
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - CentOS 8
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
+
+tags:
+    - logcollector
+'''
+
+
+import pytest
+
+from pathlib import Path
+
+from wazuh_testing.modules.logcollector import utils
+from wazuh_testing.modules.logcollector import configuration as logcollector_configuration
+from wazuh_testing.utils import configuration
+from wazuh_testing.utils.file import write_json_file
+
+from . import TEST_CASES_PATH
+from utils import build_tc_config, assert_list_logs, assert_not_list_logs, send_log_to_journal
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration
+journald_case_path = Path(TEST_CASES_PATH, 'cases_read_journald_ofe.yaml')
+test_configuration, test_metadata, test_cases_ids = configuration.get_test_cases_data(journald_case_path)
+test_configuration = build_tc_config(test_configuration)
+
+daemon_debug = logcollector_configuration.LOGCOLLECTOR_DEBUG
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+local_internal_options = {daemon_debug: '2'}
+
+
+# Test function.
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_configuration_location(test_configuration, test_metadata, truncate_monitored_files, configure_local_internal_options,
+                                reset_ofe_status, remove_all_localfiles_wazuh_config, set_wazuh_configuration, pre_send_journal_logs,
+                                daemons_handler, wait_for_logcollector_start):
+    '''
+    description: Check if the 'wazuh-logcollector' daemon starts properly when the 'journald' tag is used 
+                 and read the logs from the 'systemd/journald' component and is able to read logs older than
+                 the current start logcollector time.
+                 For this purpose, the test will configure the logcollector to monitor a 'journald' with only-future-event = no and
+                 manipulate the journalctl logs to send logs older than the current logcollector start time.
+                 Finally, the test will verify that the Wazuh-logcollector read the logs, and the Wazuh API returns the correct values
+                 for the 'localfile' section.
+
+    wazuh_min_version: 4.9.0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the 'local_internal_options' section in the 'internal_options.conf' file.
+        - remove_all_localfiles_wazuh_config:
+            type: fixture
+            brief: Remove all 'localfile' sections from the Wazuh configuration.
+        - reset_ofe_status:
+            type: fixture
+            brief: Reset the 'only-future-event' status in the 'status' file.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - pre_send_journal_logs:
+            type: fixture
+            brief: Send logs to the journalctl before the logcollector starts.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+        - wait_for_logcollector_start:
+            type: fixture
+            brief: Wait for the logcollector startup log.
+
+    assertions:
+        - Verify that the Wazuh component (agent or manager) can start when the 'jouranld' tag is used.
+        - Verify that the Wazuh component (agent or manager) can read the logs from the 'journald' log format and the logs older than the current logcollector start time.
+
+    input_description: A configuration file with journal block settings and the expected log messages.
+                       Those include configuration settings for `journal` configuration in 'wazuh-logcollector'.
+
+    expected_output:
+        - Boolean values to indicate the state of the Wazuh component.
+        - Did not receive the expected "ERROR: Could not EvtSubscribe() for ... which returned ..." event.
+
+    tags:
+        - invalid_settings
+    '''
+
+    # Logcollector always start, regardless of the configuration
+    utils.check_logcollector_socket()
+
+    # Send log messages to the monitored file
+    if 'post_input_logs' in test_metadata:
+        for log_message in test_metadata['post_input_logs']:
+            send_log_to_journal(log_message)
+
+    # Check the messages in the log file
+    if 'expected_logs' in test_metadata:
+        # Append regex to expected logs
+        for i, log_message in enumerate(test_metadata['expected_logs']):
+            test_metadata['expected_logs'][i] = f".*logcollector.*{log_message}.*"
+        assert_list_logs(test_metadata['expected_logs'])
+    
+    if 'unexpected_logs' in test_metadata:
+        # Append regex to unexpected logs
+        for i, log_message in enumerate(test_metadata['unexpected_logs']):
+            test_metadata['unexpected_logs'][i] = f".*logcollector.*{log_message}.*"
+        assert_not_list_logs(test_metadata['unexpected_logs'])
+
+    # Get the localfile list from the runtime configuration
+    localfile_list = utils.get_localfile_runtime_configuration()
+
+    # Regardless of configuration, there should never be more than one journal block.
+    if 'journal_disabled' in test_metadata and test_metadata['journal_disabled']:
+        assert len(localfile_list) == 0, f"Invalid configuration but journal block found."
+        return
+    else:
+        assert len(localfile_list) == 1, f"Invalid configuration. More than one journal block found."
+
+    # Validate the test configuration with the runtime configuration
+    if 'expected_config' in test_metadata:
+        assert localfile_list[0] == test_metadata['expected_config'], f"Invalid configuration. Expected: {test_metadata['expected_config']}. Found: {localfile_list[0]}"
diff --git a/src/modules/logcollector/tests/integration/utils.py b/src/modules/logcollector/tests/integration/utils.py
new file mode 100644
index 0000000000..90ea2038cc
--- /dev/null
+++ b/src/modules/logcollector/tests/integration/utils.py
@@ -0,0 +1,121 @@
+"""
+Copyright (C) 2015-2024, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+from os.path import join as path_join
+
+
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.utils import callbacks
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+
+def build_tc_config(tc_conf_list):
+    '''
+    Build the configuration for each test case.
+
+    Args:
+        tc_conf_list (list): List of test case localfile configurations.
+
+    Returns:
+        list: List of configurations for each test case.
+    '''
+
+    config_list = []  # List of configurations for each test case
+
+    # Build the configuration for each test case
+    for tc_config in tc_conf_list:
+        sections = []
+        # Build the configuration for each localfile
+        for i, elements in enumerate(tc_config, start=1):
+            section = {
+                "section": "localfile",
+                "attributes": [{"unique_id": str(i)}],  # Prevents duplicated localfiles sections
+                "elements": elements
+            }
+            sections.append(section)
+
+        config_list.append({"sections": sections})
+
+    return config_list
+
+
+def assert_list_logs(regex_messages: list):
+    '''
+    Asserts if the expected messages are present in the log file in the expected order.
+
+    Args:
+        regex_messages (list): List of regular expressions to search in the log file.
+    '''
+
+    def get_epoch_timestamp(log):
+        '''
+        Get the timestamp of the log message in epoch format.
+
+        Args:
+            log (str): Log message.
+
+        Returns:
+            int: Timestamp of the log message.
+        '''
+        from datetime import datetime
+
+        date_str = log.split(' ')[0] + ' ' + log.split(' ')[1]
+        return int(datetime.strptime(date_str, '%Y/%m/%d %H:%M:%S').timestamp())
+
+
+    # Monitor the ossec.log file
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    last_log_timestamp = 0
+
+    for regex in regex_messages:
+        log_monitor.start(callback=callbacks.generate_callback(regex))
+        assert (log_monitor.callback_result != None), f'Did not receive the expected messages in the log file. Expected: {regex}'
+
+        log_timestamp = get_epoch_timestamp(log_monitor.callback_result)
+        assert (log_timestamp >= last_log_timestamp), f'The logs are not in the expected order. Expected: {regex}'
+        last_log_timestamp = log_timestamp
+
+def assert_not_list_logs(regex_messages: list):
+    '''
+    Asserts if the expected messages are not present in the log file, the timeout is set to 0.
+
+    The function will return an assertion error if the expected messages are found in the log file.
+    The function dont wait for the messages to appear in the log file, reads the current content of the file.
+    
+    Args:
+        regex_messages (list): List of regular expressions to search in the log file.
+    '''
+
+    # Monitor the ossec.log file
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    for regex in regex_messages:
+        log_monitor.start(callback=callbacks.generate_callback(regex), timeout=0)
+        assert (log_monitor.callback_result == None), f'Received the expected messages in the log file. Expected: {regex}'
+
+# Journal functions
+def send_log_to_journal(conf_message: dict):
+    '''
+    Send a log message to the journal.
+
+    This function sends a log message to the journal using the 'logger' command to avoid use third-party libraries.
+    Args:
+        conf_message (dic): The message to send to the journal, with the following fields:
+            - message (str): The message to send to the journal.
+            - tag (str): The tag of the message. Default is 'wazuh-itest'.
+            - priority (str): The priority of the message. Default is 'info'.
+    '''
+    import subprocess as sp
+
+    # Send the log message to the journal
+    try:
+        tag = conf_message['tag'] if 'tag' in conf_message else 'wazuh-itest'
+        priority = conf_message['priority'] if 'priority' in conf_message else 'info'
+        message = conf_message['message']
+        if not message:
+            raise Exception("The message field is required in the configuration.")
+        sp.run(['logger', '-t', tag, '-p', priority, message], check=True)
+    except sp.CalledProcessError as e:
+        raise Exception(f"Error sending log message to journal: {e}")
diff --git a/src/modules/logcollector/tests/unit/tests/CMakeLists.txt b/src/modules/logcollector/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..4816b5402d
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,166 @@
+# Generate logcollector library
+file(GLOB logcollector_files
+    ${SRC_FOLDER}/logcollector/*.o)
+add_library(LOGCOLLECTOR_O STATIC ${logcollector_files})
+set_source_files_properties(
+    ${logcollector_files}
+    PROPERTIES
+    EXTERNAL_OBJECT true
+    GENERATED true
+)
+set_target_properties(
+    LOGCOLLECTOR_O
+    PROPERTIES
+    LINKER_LANGUAGE C
+)
+target_link_libraries(LOGCOLLECTOR_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Generate logcollector tests
+if(${TARGET} STREQUAL "winagent")
+    list(APPEND logcollector_names "test_read_win_event_channel")
+    list(APPEND logcollector_flags "-Wl,--wrap,wstr_split -Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck \
+                                    -Wl,--wrap=is_fim_shutdown -Wl,--wrap,convert_windows_string \
+                                    ${DEBUG_OP_WRAPPERS}")
+else()
+    list(APPEND logcollector_names "test_logcollector")
+    list(APPEND logcollector_flags "-Wl,--wrap,OS_SHA1_Stream -Wl,--wrap,merror_exit \
+                                    -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fread -Wl,--wrap,fseek \
+                                    -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fgetpos \
+                                    -Wl,--wrap,cJSON_CreateObject -Wl,--wrap,cJSON_AddArrayToObject -Wl,--wrap,cJSON_AddStringToObject \
+                                    -Wl,--wrap,cJSON_AddStringToObject -Wl,--wrap,cJSON_AddItemToArray -Wl,--wrap,pthread_rwlock_wrlock \
+                                    -Wl,--wrap,cJSON_PrintUnformatted -Wl,--wrap,cJSON_Delete -Wl,--wrap,fopen -Wl,--wrap,clearerr \
+                                    -Wl,--wrap,cJSON_GetObjectItem -Wl,--wrap,cJSON_GetArraySize -Wl,--wrap,cJSON_GetArrayItem \
+                                    -Wl,--wrap,cJSON_GetStringValue -Wl,--wrap,OS_SHA1_File_Nbytes -Wl,--wrap,fileno -Wl,--wrap,fstat \
+                                    -Wl,--wrap,pthread_rwlock_rdlock -Wl,--wrap,pthread_rwlock_unlock -Wl,--wrap,wfopen \
+                                    -Wl,--wrap,stat -Wl,--wrap=fgetc -Wl,--wrap=w_fseek -Wl,--wrap,w_ftell \
+                                    -Wl,--wrap,OS_SHA1_File_Nbytes_with_fp_check -Wl,--wrap,cJSON_CreateString \
+                                    -Wl,--wrap,cJSON_AddItemToObject -Wl,--wrap,wpclose -Wl,--wrap,kill \
+                                    -Wl,--wrap,so_get_function_sym -Wl,--wrap,so_get_module_handle -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS} \
+                                    ${HASH_OP_WRAPPERS}")
+
+    list(APPEND logcollector_names "test_read_multiline_regex")
+    list(APPEND logcollector_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,popen \
+                                    -Wl,--wrap,fread -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fseek -Wl,--wrap=fgetc\
+                                    -Wl,--wrap,time -Wl,--wrap,can_read -Wl,--wrap,w_ftell -Wl,--wrap,w_expression_match \
+                                    -Wl,--wrap,w_msg_hash_queues_push -Wl,--wrap,fgetpos -Wl,--wrap=w_update_file_status \
+                                    -Wl,--wrap=w_get_hash_context -Wl,--wrap=_fseeki64 -Wl,--wrap=OS_SHA1_Stream \
+                                    -Wl,--wrap=w_fseek -Wl,--wrap,_mdebug2 -Wl,--wrap,wfopen")
+
+    list(APPEND logcollector_names "test_localfile_config")
+    list(APPEND logcollector_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,wfopen \
+                                    -Wl,--wrap,fread -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fseek -Wl,--wrap=fgetc\
+                                    -Wl,--wrap,w_get_attr_val_by_name -Wl,--wrap,fgetpos -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS} \
+                                    -Wl,--wrap,cJSON_CreateObject -Wl,--wrap,cJSON_AddStringToObject \
+                                    -Wl,--wrap,cJSON_AddBoolToObject -Wl,--wrap,cJSON_Delete -Wl,--wrap,cJSON_CreateArray \
+                                    -Wl,--wrap,cJSON_AddItemToArray")
+
+    list(APPEND logcollector_names "test_state")
+    list(APPEND logcollector_flags "-Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets \
+                                    -Wl,--wrap,fread -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fseek -Wl,--wrap=fgetc \
+                                    -Wl,--wrap,fgetpos -Wl,--wrap,time -Wl,--wrap,wfopen \
+                                    -Wl,--wrap,cJSON_CreateObject -Wl,--wrap,cJSON_CreateArray \
+                                    -Wl,--wrap,cJSON_AddStringToObject -Wl,--wrap,cJSON_AddNumberToObject \
+                                    -Wl,--wrap,cJSON_AddItemToArray -Wl,--wrap,cJSON_AddItemToObject \
+                                    -Wl,--wrap,pthread_mutex_unlock -Wl,--wrap,pthread_mutex_lock \
+                                    -Wl,--wrap,cJSON_Delete -Wl,--wrap,cJSON_Print -Wl,--wrap,getDefine_Int \
+                                    -Wl,--wrap,FOREVER -Wl,--wrap,sleep -Wl,--wrap,getpid -Wl,--wrap,cJSON_Duplicate \
+                                    -Wl,--wrap,strftime -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS} ${HASH_OP_WRAPPERS}")
+
+    list(APPEND logcollector_names "test_lccom")
+    list(APPEND logcollector_flags "-Wl,--wrap,w_logcollector_state_get -Wl,--wrap,cJSON_CreateObject \
+                                    -Wl,--wrap,cJSON_AddNumberToObject \
+                                    -Wl,--wrap,cJSON_AddObjectToObject -Wl,--wrap,cJSON_AddStringToObject \
+                                    -Wl,--wrap,cJSON_AddItemToObject -Wl,--wrap,cJSON_AddFalseToObject -Wl,--wrap,cJSON_PrintUnformatted \
+                                    -Wl,--wrap,cJSON_Delete -Wl,--wrap,_mwarn -Wl,--wrap,stat -Wl,--wrap,_mdebug2 \
+                                    -Wl,--wrap,difftime -Wl,--wrap,strftime ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND logcollector_names "test_macos_log")
+    list(APPEND logcollector_flags "-Wl,--wrap,wpopenv -Wl,--wrap,fileno -Wl,--wrap,fcntl -Wl,--wrap,_merror \
+                                    -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fgetpos \
+                                    -Wl,--wrap,fopen -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite \
+                                    -Wl,--wrap,remove -Wl,--wrap,fgetc -Wl,--wrap,wpclose -Wl,--wrap,access \
+                                    -Wl,--wrap,getpid -Wl,--wrap,_minfo -Wl,--wrap,pthread_rwlock_wrlock \
+                                    -Wl,--wrap,pthread_rwlock_unlock -Wl,--wrap,pthread_rwlock_rdlock \
+                                    -Wl,--wrap,so_get_function_sym -Wl,--wrap,so_get_module_handle -Wl,--wrap,wfopen \
+                                    -Wl,--wrap,_mdebug1 -Wl,--wrap,w_get_os_codename -Wl,--wrap,w_get_process_childs -Wl,--wrap,popen")
+
+    list(APPEND logcollector_names "test_read_macos")
+    list(APPEND logcollector_flags "-Wl,--wrap,w_expression_match -Wl,--wrap,can_read -Wl,--wrap,fgets \
+                                    -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgetpos -Wl,--wrap,_mdebug2\
+                                    -Wl,--wrap,fopen -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,popen \
+                                    -Wl,--wrap,remove -Wl,--wrap,fgetc -Wl,--wrap,_merror -Wl,--wrap,waitpid \
+                                    -Wl,--wrap,w_msg_hash_queues_push -Wl,--wrap,_mdebug1 -Wl,--wrap,_minfo \
+                                    -Wl,--wrap,kill -Wl,--wrap,wpopenv -Wl,--wrap,wpclose -Wl,--wrap,strerror \
+                                    -Wl,--wrap,time -Wl,--wrap,so_get_function_sym -Wl,--wrap,so_get_module_handle \
+                                    -Wl,--wrap,isDebug -Wl,--wrap,w_get_first_child -Wl,--wrap,w_is_macos_sierra \
+                                    -Wl,--wrap,w_macos_set_log_settings -Wl,--wrap,w_macos_set_last_log_timestamp \
+                                    -Wl,--wrap,w_macos_set_is_valid_data -Wl,--wrap,wfopen")
+
+    list(APPEND logcollector_names "test_read_multiline")
+    list(APPEND logcollector_flags "-Wl,--wrap,fopen -Wl,--wrap,popen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets \
+                                    -Wl,--wrap,fread -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fseek -Wl,--wrap=fgetc \
+                                    -Wl,--wrap,time -Wl,--wrap,can_read -Wl,--wrap,w_ftell -Wl,--wrap,w_expression_match \
+                                    -Wl,--wrap,fgetpos -Wl,--wrap=w_update_file_status -Wl,--wrap,_merror \
+                                    -Wl,--wrap=w_get_hash_context -Wl,--wrap=_fseeki64 -Wl,--wrap=OS_SHA1_Stream \
+                                    -Wl,--wrap=w_fseek -Wl,--wrap,wfopen")
+
+    list(APPEND logcollector_names "test_read_journal")
+    list(APPEND logcollector_flags "-Wl,--wrap,_mwarn -Wl,--wrap,fgets -Wl,--wrap,remove -Wl,--wrap,fgetc \
+                                    -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgetpos -Wl,--wrap,_mdebug2\
+                                    -Wl,--wrap,fopen -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,popen \
+                                    -Wl,--wrap,w_journal_context_create -Wl,--wrap,w_journal_context_seek_most_recent \
+                                    -Wl,--wrap,w_journal_context_seek_timestamp -Wl,--wrap,w_journal_entry_dump \
+                                    -Wl,--wrap,w_journal_entry_to_string -Wl,--wrap,w_journal_entry_free \
+                                    -Wl,--wrap,w_journal_context_next_newest_filtered -Wl,--wrap,_merror -Wl,--wrap,_minfo \
+                                    -Wl,--wrap,_mdebug1 -Wl,--wrap,_mdebug2 -Wl,--wrap,isDebug -Wl,--wrap,w_msg_hash_queues_push \
+                                    -Wl,--wrap,can_read")
+
+    list(APPEND logcollector_names "test_journal_log")
+    list(APPEND logcollector_flags "-Wl,--wrap,stat -Wl,--wrap,_mwarn -Wl,--wrap,dlsym -Wl,--wrap,dlerror -Wl,--wrap,gettimeofday \
+                                    -Wl,--wrap,_mdebug1 -Wl,--wrap,_mdebug2 -Wl,--wrap,isDebug \
+                                    -Wl,--wrap,fopen -Wl,--wrap,popen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets \
+                                    -Wl,--wrap,fread -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,fseek -Wl,--wrap=fgetc \
+                                    -Wl,--wrap,fgetpos -Wl,--wrap,gmtime_r -Wl,--wrap,getline -Wl,--wrap,dlopen -Wl,--wrap,dlclose \
+                                    -Wl,--wrap,sd_journal_open -Wl,--wrap,sd_journal_close -Wl,--wrap,sd_journal_previous \
+                                    -Wl,--wrap,sd_journal_next -Wl,--wrap,sd_journal_seek_tail \
+                                    -Wl,--wrap,sd_journal_seek_realtime_usec -Wl,--wrap,sd_journal_get_realtime_usec \
+                                    -Wl,--wrap,sd_journal_get_data -Wl,--wrap,sd_journal_restart_data \
+                                    -Wl,--wrap,sd_journal_enumerate_data -Wl,--wrap,sd_journal_get_cutoff_realtime_usec \
+                                    -Wl,--wrap,cJSON_CreateObject -Wl,--wrap,cJSON_AddArrayToObject -Wl,--wrap,cJSON_AddStringToObject \
+                                    -Wl,--wrap,cJSON_AddStringToObject -Wl,--wrap,cJSON_AddItemToArray -Wl,--wrap,pthread_rwlock_wrlock \
+                                    -Wl,--wrap,cJSON_PrintUnformatted -Wl,--wrap,cJSON_Delete")
+endif()
+
+list(LENGTH logcollector_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET logcollector_names ${counter} logcollector_test_name)
+    list(GET logcollector_flags ${counter} logcollector_test_flags)
+    add_executable(${logcollector_test_name} ${logcollector_test_name}.c)
+    target_link_libraries(
+        ${logcollector_test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        LOGCOLLECTOR_O
+        ${TEST_DEPS}
+    )
+
+    if(${TARGET} STREQUAL "winagent")
+        target_link_libraries(${logcollector_test_name} fimdb)
+    endif(${TARGET} STREQUAL "winagent")
+
+    if(NOT logcollector_test_flags STREQUAL " ")
+        target_link_libraries(
+            ${logcollector_test_name}
+            ${logcollector_test_flags}
+        )
+    endif()
+    add_test(NAME ${logcollector_test_name} COMMAND ${logcollector_test_name})
+endforeach()
diff --git a/src/modules/logcollector/tests/unit/tests/json_data.h b/src/modules/logcollector/tests/unit/tests/json_data.h
new file mode 100644
index 0000000000..b6c69b99ce
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/json_data.h
@@ -0,0 +1,60 @@
+#ifndef _JSON_DATA_H
+#define _JSON_DATA_H
+
+//global full json
+char *global_outjson = "{\"error\":0,\"remaining\":false,\"json_updated\":false,\"data\":{\"global\":{\"start\":\"2023-06-28 16:31:45\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"last -n 20\",\"events\":25,\"bytes\":20175,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-1234567-689.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":11,\"bytes\":925,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":5,\"bytes\":495,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-977.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-902.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-875.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-87.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-838.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-800.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-773.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-736.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-671.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-634.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-532.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-468.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-430.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-366.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-329.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-264.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-227.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-162.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-125.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-12.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-968.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-930.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-866.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-829.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-78.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-764.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-727.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-662.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-625.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-598.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-560.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-523.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-496.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-459.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-421.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-40.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-394.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-357.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-292.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-255.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-218.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-190.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-153.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-116.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-959.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-921.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-894.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-857.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-792.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-755.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-718.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-690.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-69.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-653.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-616.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-589.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-551.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-514.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-487.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-412.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-385.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-348.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-310.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-31.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-283.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-246.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-209.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-181.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-144.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-107.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-987.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-97.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-912.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-885.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-848.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-810.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-8.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-783.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-746.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-709.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-681.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-644.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-607.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-542.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-505.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-478.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-440.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-403.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-376.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-339.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-301.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-274.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-237.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-22.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-172.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-135.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-978.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-940.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-903.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-88.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-876.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-839.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-801.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-774.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-737.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-672.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-635.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-570.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-533.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-50.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-469.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-431.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-367.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-265.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-228.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-163.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-13.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-126.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-969.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-931.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-867.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-79.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-765.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-728.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-663.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-626.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-599.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-561.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-524.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-497.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-422.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-41.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-395.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-358.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-320.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-293.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-256.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-219.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-191.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-154.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-117.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-922.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-895.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-858.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-820.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-793.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-756.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-719.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-691.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-654.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-617.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-552.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-515.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-488.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-450.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-413.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-386.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-349.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-32.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-311.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-284.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-247.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-182.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-145.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-108.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-988.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-98.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-950.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-913.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-9.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-886.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-849.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-811.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-784.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-747.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-682.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-645.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-608.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-60.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-580.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-543.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-506.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-479.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-441.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-404.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-377.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-302.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-275.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-238.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-23.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-200.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-173.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-136.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-979.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-941.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-904.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-89.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-877.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-802.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-775.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-738.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-700.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-673.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-636.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-571.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-534.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-51.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-432.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-368.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-330.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-266.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-229.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-164.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-14.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-127.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-932.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-868.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-830.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-766.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-729.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-664.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-627.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-562.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-525.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-498.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-460.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-423.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-42.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-396.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-359.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-321.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-294.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-257.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-192.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-155.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-118.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-960.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-923.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-896.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-859.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-821.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-794.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-757.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-70.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-692.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-655.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-618.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-590.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-553.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-516.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-489.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-451.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-414.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-387.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-33.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-312.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-285.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-248.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-210.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-183.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-146.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-109.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"netstat listening ports\",\"events\":25,\"bytes\":7625,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-99.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-989.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-951.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-914.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-887.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-812.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-785.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-748.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-710.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-683.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-646.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-61.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-609.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-581.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-544.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-507.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-442.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-405.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-378.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-340.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-303.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-276.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-24.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-239.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-201.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-174.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-137.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-942.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-905.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-878.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-840.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-803.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-776.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-739.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-701.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-674.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-637.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-572.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-535.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-52.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-470.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-433.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-369.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-331.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-267.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-165.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-15.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-128.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-0.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-970.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-933.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-869.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-831.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-80.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-767.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-665.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-628.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-563.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-526.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-499.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-461.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-43.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-424.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-397.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-322.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-295.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-258.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-220.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-193.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-156.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-119.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-961.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-924.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-897.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-822.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-795.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-758.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-720.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-71.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-693.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-656.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-619.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-591.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-554.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-517.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-452.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-415.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-388.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-350.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-34.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-313.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-286.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-249.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-211.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-184.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-147.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-952.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-915.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-888.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-850.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-813.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-786.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-749.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-711.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-684.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-647.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-62.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-582.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-545.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-508.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-480.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-443.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-406.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-379.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-341.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-304.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-277.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-25.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-202.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-175.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-138.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-100.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-980.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-943.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-906.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-90.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-879.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-841.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-804.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-777.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-702.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-675.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-638.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-600.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-573.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-536.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-53.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-471.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-434.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-332.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-268.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-230.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-166.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-16.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-129.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-971.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-934.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-832.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-81.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-768.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-730.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-666.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-629.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-564.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-527.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-462.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-44.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-425.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-398.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-360.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-323.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-296.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-259.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-221.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-194.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-157.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"df -P\",\"events\":225,\"bytes\":20025,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-962.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-925.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-898.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-860.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-823.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-796.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-759.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-721.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-72.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-694.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-657.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-592.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-555.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-518.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-490.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-453.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-416.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-389.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-351.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-35.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-314.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-287.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-212.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-185.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-148.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-110.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-990.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-953.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-916.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-889.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-851.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-814.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-787.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-712.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-685.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-648.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-63.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-610.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-583.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-546.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-509.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-481.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-444.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-407.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-342.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-305.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-278.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-26.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-240.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-203.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-176.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-139.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-101.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-981.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-944.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-91.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-907.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-842.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-805.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-778.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-740.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-703.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-676.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-639.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-601.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-574.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-54.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-537.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-472.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-435.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-370.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-333.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-269.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-231.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-2.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-17.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-167.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-972.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-935.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-870.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-833.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-82.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-769.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-731.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-667.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-45.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-963.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-926.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-899.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-861.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-824.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-797.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-73.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-722.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-695.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-658.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-620.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-36.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-991.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-954.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-917.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-852.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-815.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-788.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-750.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-713.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-686.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-649.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-64.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-611.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-27.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-102.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-28 18:56:47\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"last -n 20\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-1234567-689.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-977.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-902.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-875.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-87.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-838.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-800.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-773.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-736.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-671.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-634.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-532.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-468.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-430.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-366.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-329.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-264.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-227.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-162.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-125.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-12.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-968.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-930.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-866.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-829.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-78.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-764.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-727.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-662.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-625.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-598.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-560.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-523.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-496.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-459.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-421.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-40.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-394.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-357.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-292.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-255.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-218.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-190.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-153.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-116.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-959.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-921.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-894.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-857.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-792.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-755.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-718.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-690.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-69.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-653.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-616.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-589.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-551.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-514.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-487.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-412.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-385.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-348.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-310.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-31.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-283.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-246.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-209.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-181.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-144.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-107.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-987.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-97.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-912.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-885.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-848.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-810.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-8.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-783.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-746.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-709.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-681.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-644.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-607.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-542.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-505.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-478.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-440.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-403.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-376.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-339.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-301.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-274.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-237.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-22.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-172.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-135.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-978.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-940.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-903.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-88.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-876.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-839.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-801.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-774.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-737.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-672.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-635.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-570.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-533.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-50.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-469.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-431.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-367.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-265.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-228.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-163.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-13.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-126.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-969.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-931.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-867.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-79.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-765.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-728.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-663.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-626.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-599.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-561.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-524.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-497.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-422.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-41.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-395.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-358.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-320.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-293.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-256.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-219.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-191.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-154.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-117.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-922.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-895.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-858.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-820.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-793.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-756.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-719.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-691.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-654.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-617.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-552.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-515.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-488.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-450.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-413.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-386.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-349.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-32.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-311.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-284.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-247.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-182.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-145.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-108.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-988.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-98.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-950.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-913.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-9.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-886.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-849.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-811.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-784.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-747.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-682.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-645.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-608.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-60.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-580.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-543.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-506.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-479.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-441.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-404.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-377.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-302.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-275.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-238.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-23.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-200.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-173.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-136.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-979.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-941.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-904.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-89.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-877.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-802.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-775.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-738.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-700.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-673.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-636.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-571.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-534.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-51.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-432.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-368.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-330.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-266.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-229.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-164.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-14.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-127.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-932.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-868.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-830.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-766.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-729.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-664.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-627.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-562.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-525.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-498.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-460.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-423.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-42.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-396.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-359.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-321.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-294.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-257.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-192.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-155.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-118.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-960.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-923.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-896.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-859.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-821.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-794.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-757.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-70.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-692.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-655.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-618.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-590.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-553.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-516.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-489.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-451.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-414.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-387.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-33.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-312.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-285.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-248.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-210.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-183.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-146.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-109.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"netstat listening ports\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-99.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-989.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-951.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-914.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-887.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-812.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-785.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-748.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-710.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-683.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-646.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-61.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-609.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-581.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-544.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-507.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-442.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-405.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-378.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-340.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-303.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-276.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-24.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-239.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-201.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-174.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-137.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-942.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-905.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-878.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-840.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-803.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-776.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-739.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-701.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-674.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-637.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-572.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-535.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-52.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-470.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-433.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-369.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-331.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-267.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-165.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-15.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-128.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-0.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-970.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-933.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-869.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-831.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-80.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-767.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-665.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-628.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-563.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-526.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-499.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-461.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-43.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-424.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-397.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-322.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-295.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-258.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-220.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-193.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-156.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-119.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-961.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-924.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-897.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-822.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-795.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-758.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-720.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-71.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-693.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-656.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-619.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-591.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-554.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-517.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-452.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-415.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-388.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-350.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-34.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-313.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-286.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-249.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-211.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-184.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-147.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-952.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-915.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-888.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-850.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-813.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-786.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-749.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-711.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-684.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-647.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-62.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-582.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-545.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-508.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-480.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-443.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-406.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-379.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-341.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-304.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-277.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-25.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-202.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-175.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-138.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-100.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-980.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-943.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-906.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-90.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-879.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-841.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-804.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-777.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-702.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-675.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-638.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-600.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-573.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-536.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-53.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-471.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-434.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-332.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-268.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-230.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-166.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-16.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-129.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-971.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-934.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-832.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-81.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-768.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-730.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-666.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-629.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-564.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-527.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-462.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-44.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-425.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-398.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-360.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-323.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-296.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-259.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-221.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-194.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-157.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"df -P\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-962.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-925.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-898.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-860.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-823.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-796.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-759.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-721.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-72.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-694.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-657.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-592.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-555.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-518.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-490.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-453.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-416.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-389.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-351.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-35.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-314.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-287.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-212.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-185.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-148.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-110.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-990.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-953.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-916.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-889.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-851.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-814.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-787.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-712.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-685.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-648.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-63.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-610.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-583.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-546.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-509.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-481.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-444.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-407.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-342.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-305.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-278.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-26.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-240.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-203.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-176.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-139.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-101.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-981.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-944.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-91.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-907.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-842.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-805.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-778.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-740.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-703.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-676.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-639.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-601.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-574.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-54.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-537.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-472.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-435.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-370.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-333.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-269.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-231.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-2.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-17.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-167.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-972.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-935.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-870.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-833.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-82.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-769.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-731.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-667.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-45.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-963.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-926.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-899.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-861.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-824.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-797.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-73.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-722.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-695.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-658.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-620.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-36.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-991.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-954.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-917.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-852.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-815.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-788.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-750.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-713.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-686.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-649.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-64.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-611.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-27.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-102.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//reponse first block
+char *outjson_block1 = "{\"error\":0,\"remaining\":true ,\"json_updated\":false,\"data\":{\"global\":{\"start\":\"2023-06-28 16:31:45\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"last -n 20\",\"events\":25,\"bytes\":20175,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-1234567-689.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":11,\"bytes\":925,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":5,\"bytes\":495,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-977.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-902.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-875.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-87.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-838.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-800.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-773.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-736.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-671.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-634.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-532.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-468.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-430.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-366.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-329.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-264.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-227.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-162.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-125.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-12.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-968.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-930.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-866.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-829.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-78.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-764.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-727.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-662.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-625.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-598.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-560.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-523.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-496.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-459.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-421.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-40.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-394.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-357.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-292.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-255.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-218.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-190.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-153.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-116.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-959.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-921.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-894.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-857.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-792.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-755.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-718.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-690.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-69.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-653.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-616.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-589.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-551.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-514.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-487.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-412.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-385.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-348.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-310.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-31.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-283.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-246.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-209.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-181.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-144.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-107.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-987.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-97.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-912.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-885.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-848.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-810.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-8.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-783.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-746.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-709.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-681.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-644.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-607.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-542.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-505.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-478.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-440.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-403.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-376.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-339.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-301.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-274.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-237.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-22.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-172.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-135.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-978.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-940.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-903.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-88.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-876.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-839.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-801.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-774.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-737.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-672.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-635.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-570.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-533.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-50.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-469.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-431.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-367.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-265.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-228.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-163.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-13.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-126.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-969.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-931.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-867.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-79.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-765.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-728.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-663.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-626.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-599.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-561.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-524.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-497.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-422.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-41.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-395.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-358.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-320.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-293.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-256.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-219.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-191.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-154.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-117.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-922.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-895.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-858.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-820.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-793.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-756.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-719.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-691.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-654.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-617.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-552.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-515.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-488.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-450.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-413.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-386.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-349.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-32.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-311.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-284.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-247.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-182.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-145.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-108.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-988.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-98.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-950.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-913.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-9.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-886.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-849.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-811.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-784.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-747.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-682.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-645.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-608.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-60.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-580.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-543.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-506.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-479.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-441.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-404.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-377.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-302.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-275.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-238.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-23.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-200.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-173.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-136.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-979.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-941.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-904.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-89.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-877.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-802.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-775.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-738.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-700.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-673.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-636.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-571.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-534.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-51.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-432.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-368.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-330.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-266.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-229.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-164.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-14.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-127.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-932.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-868.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-830.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-766.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-729.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-664.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-627.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-562.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-525.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-498.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-460.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-423.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-42.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-396.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-359.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-321.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-294.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-257.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-192.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-155.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-118.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-960.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-923.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-896.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-859.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-821.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//reponse second block
+char *outjson_block2 = "{\"error\":0,\"remaining\":true ,\"json_updated\":false,\"data\":{\"global\":{\"start\":\"2023-06-28 16:31:45\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-794.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-757.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-70.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-692.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-655.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-618.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-590.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-553.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-516.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-489.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-451.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-414.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-387.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-33.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-312.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-285.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-248.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-210.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-183.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-146.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-109.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"netstat listening ports\",\"events\":25,\"bytes\":7625,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-99.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-989.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-951.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-914.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-887.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-812.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-785.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-748.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-710.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-683.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-646.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-61.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-609.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-581.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-544.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-507.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-442.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-405.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-378.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-340.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-303.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-276.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-24.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-239.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-201.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-174.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-137.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-942.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-905.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-878.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-840.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-803.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-776.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-739.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-701.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-674.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-637.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-572.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-535.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-52.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-470.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-433.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-369.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-331.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-267.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-165.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-15.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-128.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-0.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-970.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-933.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-869.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-831.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-80.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-767.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-665.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-628.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-563.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-526.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-499.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-461.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-43.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-424.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-397.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-322.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-295.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-258.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-220.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-193.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-156.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-119.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-961.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-924.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-897.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-822.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-795.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-758.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-720.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-71.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-693.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-656.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-619.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-591.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-554.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-517.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-452.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-415.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-388.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-350.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-34.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-313.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-286.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-249.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-211.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-184.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-147.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-952.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-915.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-888.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-850.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-813.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-786.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-749.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-711.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-684.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-647.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-62.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-582.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-545.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-508.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-480.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-443.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-406.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-379.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-341.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-304.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-277.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-25.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-202.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-175.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-138.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-100.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-980.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-943.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-906.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-90.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-879.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-841.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-804.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-777.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-702.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-675.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-638.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-600.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-573.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-536.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-53.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-471.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-434.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-332.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-268.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-230.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-166.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-16.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-129.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-971.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-934.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-832.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-81.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-768.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-730.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-666.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-629.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-564.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-527.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-462.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-44.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-425.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-398.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-360.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-323.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-296.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-259.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-221.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-194.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-157.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"df -P\",\"events\":225,\"bytes\":20025,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-962.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-925.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-898.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-860.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-823.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-796.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-759.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-721.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-72.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-694.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-657.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-592.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-555.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-518.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-490.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-453.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-416.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-389.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-351.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-35.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-314.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-287.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-212.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-185.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-148.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-110.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-990.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-953.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-916.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-889.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-851.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-814.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-787.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-712.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-685.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-648.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-63.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-610.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-583.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-546.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-509.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-481.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-444.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-407.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-342.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-305.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-278.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-26.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-240.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-203.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-176.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-139.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-101.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-981.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-944.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-91.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-907.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-842.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-805.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-778.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-740.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-703.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-676.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-639.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-601.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-574.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-54.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-537.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-472.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-435.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-370.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-333.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-269.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-231.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-2.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-17.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-167.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-972.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-935.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-870.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-833.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-82.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-769.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-731.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-667.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-45.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-963.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-926.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-899.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-861.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-824.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-797.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-73.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-722.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-695.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-658.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-620.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-36.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-991.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-954.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-917.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-852.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-815.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-788.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-750.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-713.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-686.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-649.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-64.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-611.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-27.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-102.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-28 18:56:47\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"last -n 20\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-1234567-689.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//reponse third block
+char *outjson_block3 = "{\"error\":0,\"remaining\":true ,\"json_updated\":false,\"data\":{\"interval\":{\"start\":\"2023-06-28 18:56:47\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-977.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-902.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-875.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-87.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-838.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-800.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-773.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-736.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-671.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-634.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-532.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-468.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-430.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-366.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-329.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-264.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-227.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-162.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-125.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-12.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-968.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-930.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-866.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-829.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-78.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-764.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-727.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-662.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-625.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-598.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-560.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-523.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-496.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-459.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-421.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-40.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-394.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-357.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-292.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-255.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-218.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-190.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-153.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-116.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-959.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-921.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-894.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-857.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-792.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-755.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-718.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-690.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-69.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-653.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-616.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-589.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-551.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-514.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-487.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-412.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-385.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-348.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-310.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-31.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-283.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-246.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-209.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-181.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-144.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-107.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-987.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-97.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-912.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-885.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-848.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-810.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-8.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-783.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-746.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-709.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-681.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-644.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-607.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-542.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-505.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-478.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-440.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-403.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-376.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-339.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-301.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-274.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-237.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-22.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-172.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-135.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-978.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-940.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-903.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-88.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-876.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-839.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-801.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-774.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-737.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-672.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-635.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-570.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-533.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-50.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-469.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-431.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-367.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-265.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-228.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-163.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-13.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-126.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-969.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-931.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-867.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-79.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-765.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-728.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-663.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-626.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-599.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-561.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-524.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-497.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-422.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-41.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-395.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-358.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-320.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-293.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-256.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-219.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-191.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-154.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-117.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-922.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-895.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-858.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-820.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-793.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-756.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-719.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-691.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-654.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-617.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-552.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-515.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-488.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-450.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-413.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-386.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-349.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-32.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-311.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-284.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-247.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-182.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-145.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-108.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-988.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-98.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-950.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-913.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-9.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-886.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-849.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-811.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-784.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-747.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-682.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-645.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-608.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-60.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-580.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-543.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-506.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-479.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-441.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-404.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-377.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-302.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-275.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-238.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-23.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-200.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-173.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-136.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-979.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-941.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-904.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-89.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-877.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-802.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-775.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-738.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-700.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-673.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-636.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-571.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-534.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-51.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-432.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-368.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-330.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-266.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-229.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-164.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-14.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-127.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-932.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-868.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-830.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-766.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-729.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-664.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-627.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-562.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-525.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-498.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-460.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-423.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-42.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-396.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-359.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-321.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-294.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-257.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-192.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-155.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-118.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-960.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-923.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-896.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-859.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-821.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-794.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-757.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-70.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-692.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-655.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-618.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-590.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-553.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-516.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-489.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-451.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-414.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-387.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-33.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-312.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-285.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-248.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-210.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-183.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-146.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-109.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"netstat listening ports\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-99.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-989.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-951.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-914.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-887.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-812.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-785.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-748.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-710.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-683.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-646.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-61.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-609.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-581.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-544.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-507.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-442.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-405.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-378.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-340.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-303.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-276.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-24.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-239.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-201.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-174.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-137.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-942.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-905.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-878.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-840.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-803.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-776.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-739.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-701.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-674.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-637.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-572.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-535.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-52.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-470.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-433.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-369.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-331.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-267.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-165.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-15.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-128.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-0.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-970.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-933.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-869.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-831.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-80.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-767.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-665.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-628.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-563.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-526.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-499.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-461.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-43.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-424.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-397.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-322.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-295.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-258.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-220.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-193.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-156.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-119.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-961.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-924.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-897.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-822.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-795.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-758.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-720.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-71.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-693.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-656.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-619.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-591.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-554.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-517.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-452.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-415.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-388.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-350.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-34.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-313.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-286.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-249.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-211.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-184.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-147.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-952.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-915.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-888.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-850.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-813.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-786.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-749.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-711.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-684.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-647.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-62.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-582.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-545.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-508.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-480.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-443.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-406.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-379.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-341.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-304.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-277.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-25.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-202.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-175.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-138.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-100.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-980.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-943.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-906.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-90.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-879.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-841.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-804.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-777.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-702.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-675.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-638.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-600.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-573.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-536.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-53.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-471.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-434.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-332.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-268.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-230.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-166.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-16.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-129.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-971.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-934.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-832.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-81.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-768.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-730.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-666.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-629.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-564.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-527.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-462.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-44.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-425.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-398.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-360.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-323.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-296.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-259.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-221.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-194.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-157.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"df -P\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-962.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-925.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-898.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-860.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-823.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-796.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-759.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-721.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-72.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-694.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-657.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-592.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-555.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-518.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-490.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-453.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-416.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-389.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-351.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-35.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-314.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-287.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-212.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-185.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-148.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-110.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-990.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-953.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-916.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-889.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-851.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-814.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-787.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-712.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-685.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-648.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-63.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-610.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-583.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-546.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-509.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-481.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-444.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-407.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-342.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-305.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-278.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-26.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-240.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-203.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-176.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-139.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-101.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-981.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-944.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-91.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-907.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-842.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-805.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-778.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-740.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-703.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-676.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-639.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-601.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-574.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-54.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-537.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-472.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-435.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-370.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-333.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-269.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-231.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-2.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-17.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-167.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-972.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-935.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-870.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-833.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-82.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-769.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-731.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-667.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-45.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-963.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-926.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-899.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-861.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-824.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-797.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-73.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-722.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-695.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-658.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-620.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-36.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-991.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-954.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-917.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-852.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-815.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-788.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-750.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-713.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-686.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//reponse fourth block
+char *outjson_block4 = "{\"error\":0,\"remaining\":false,\"json_updated\":false,\"data\":{\"interval\":{\"start\":\"2023-06-28 18:56:47\",\"end\":\"2023-06-28 18:57:47\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-649.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-64.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-611.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-27.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-102.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//json for case 1
+char * outjson1 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.logJULIAN1\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log1\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.logJULIAN2\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log2\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.logJULIAN3\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log3\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.logJULIAN4\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log4\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-982.logJULIAN5\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log5\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+//response block case 1
+char *outjson_block_case_1 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+char * outjson2 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+//response block case 2
+char *outjson_block_case_2 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+//json for case 5
+char * outjson5 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+char *outjson_block_case_5 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-171.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1365.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+
+char *outjson_block_case_5_1 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-134.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.loGG\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+char * outjson6 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+
+char *outjson_block_case_6 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-908.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-880.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-843.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-806.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-779.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-741.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-704.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-677.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-602.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-55.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-3.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-18.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1565.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1528.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1463.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1426.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1399.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1361.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1324.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1297.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1222.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1195.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1158.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1120.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1093.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1056.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1019.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"last -n 20\",\"events\":1,\"bytes\":66,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-973.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-936.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-871.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-834.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-83.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-732.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-668.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-630.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-46.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1593.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1556.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1519.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1491.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1454.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1417.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1352.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1315.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1288.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1250.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1213.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1186.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1149.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1111.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1084.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1047.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/dpkg.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-964.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-927.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-862.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-825.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-798.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-760.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-74.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-723.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-696.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-659.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-621.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-37.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1584.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1547.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1482.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1445.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1408.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1380.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1343.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1306.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1279.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1241.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1204.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1177.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1102.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1075.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1038.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1000.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-992.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-955.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-918.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-890.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-853.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-816.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-789.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-751.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-714.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-687.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-65.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-612.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-28.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1575.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1538.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1500.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1473.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1436.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1371.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1334.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1232.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1168.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1130.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1066.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1029.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-983.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-946.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-93.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-909.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-881.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-844.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-807.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-742.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-705.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-678.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-640.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-603.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-56.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-4.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-19.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1566.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1529.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1464.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1427.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1362.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1325.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1298.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1260.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1223.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1196.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1159.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1121.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1094.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1057.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-974.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-937.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-872.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-84.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-835.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-770.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-733.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-669.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-631.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-47.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1594.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1557.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1492.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1455.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1418.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1390.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1353.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1316.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1289.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1251.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1214.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1187.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1112.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1085.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1048.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1010.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-965.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-928.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-863.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-826.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-799.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-761.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-75.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-724.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-697.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-622.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-38.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1585.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1548.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1510.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1483.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1446.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1409.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1381.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1344.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1307.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1242.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1205.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1178.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1140.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1103.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1076.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1039.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1001.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-993.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-956.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-919.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-891.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-854.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-817.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-752.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-715.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-688.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-66.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-650.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-613.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-29.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1576.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1539.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1501.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1474.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1437.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1372.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1335.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1270.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1233.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1169.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1131.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1067.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/ossec/logs/active-responses.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-984.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-947.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-94.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-882.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-845.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-808.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-780.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-743.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-706.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-679.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-641.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-604.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-57.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-5.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1567.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1465.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1428.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1363.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1326.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1299.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1261.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1224.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1197.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1122.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1095.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1058.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1020.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-975.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-938.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-900.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-873.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-85.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-836.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-771.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-734.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-632.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-48.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1595.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1558.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1520.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1493.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1456.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1419.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1391.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1354.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1317.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1252.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1215.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1188.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1150.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1113.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1086.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1049.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1011.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-10.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-966.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-929.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-864.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-827.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-762.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-76.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-725.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-698.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-660.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-623.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-39.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1586.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1549.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1511.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1484.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1447.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1382.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1345.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1308.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1280.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1243.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1206.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1179.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1141.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1104.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1077.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1002.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/syslog\",\"events\":4,\"bytes\":245,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/var/log/auth.log\",\"events\":1,\"bytes\":87,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-994.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-957.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-892.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-855.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-818.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-790.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-753.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-716.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-689.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-67.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-651.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-614.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1577.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1502.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1475.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1438.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1400.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1373.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1336.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1271.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1234.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1132.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1068.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1030.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-985.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-95.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-948.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-910.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-883.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-846.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-809.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-781.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-744.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-707.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-642.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-605.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-6.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-58.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-20.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1568.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1530.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1466.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1429.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1364.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1327.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1262.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1225.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1198.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1160.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1123.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1096.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1059.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1021.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-976.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-939.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-901.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-874.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-86.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-837.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-772.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-735.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-670.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-633.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-569.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-531.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-49.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-467.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-365.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-328.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-263.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-226.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-199.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-161.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1596.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1559.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1521.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1494.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1457.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1392.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1355.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1318.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1290.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1253.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-124.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1216.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1189.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1151.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1114.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-11.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1087.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1012.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-967.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-865.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-828.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-77.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-763.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-726.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-699.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-661.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-624.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-597.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-522.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-495.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-458.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-420.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-393.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-356.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-319.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-291.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-254.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-217.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1587.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-152.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1512.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1485.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1448.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1410.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1383.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1346.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1309.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1281.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1244.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1207.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-115.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1142.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1105.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1078.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1040.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1003.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/var/log/kern.log\",\"events\":0,\"bytes\":0,\"targets\":[{\"name\":\"agent\",\"drops\":0}]},{\"location\":\"/root/logs/my-log-for-any-thing-example-995.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-958.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-920.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-893.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-856.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-819.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-791.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-754.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-717.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-68.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-652.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-615.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-588.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-550.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-513.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-486.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-449.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-411.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-384.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-347.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-30.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-282.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-245.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-208.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-180.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1578.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1540.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1503.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1476.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1439.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-143.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1401.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1374.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1337.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1272.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1235.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1170.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1133.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-106.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1031.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-986.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-96.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-949.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-911.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-884.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-847.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-782.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-745.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-708.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-7.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-680.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-643.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-606.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-59.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-579.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-541.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-504.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-477.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-402.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-375.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-338.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-300.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-273.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-236.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-21.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+
+char *outjson_block_case_6_1 = "{\"error\":0,\"data\":{\"global\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]}}}";
+
+
+char *outjson_no_global = "{\"error\":0,\"data\":{\"glob\":{\"start\":\"2023-06-01 19:20:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-982.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-945.log\",\"events\":0,\"bytes\":0,\"targets\":[]},{\"location\":\"/root/logs/my-log-for-any-thing-example-92.log\",\"events\":0,\"bytes\":0,\"targets\":[]}]},\"interval\":{\"start\":\"2023-06-01 19:21:35\",\"end\":\"2023-06-01 19:22:35\",\"files\":[{\"location\":\"/root/logs/my-log-for-any-thing-example-1069.log\",\"events\":0,\"bytes\":0,\"targets\":[]}";
+
+#endif /*_JSON_DATA_H*/
diff --git a/src/modules/logcollector/tests/unit/tests/test_journal_log.c b/src/modules/logcollector/tests/unit/tests/test_journal_log.c
new file mode 100644
index 0000000000..ff19679358
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_journal_log.c
@@ -0,0 +1,4562 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/journal_log.h"
+
+#include "../wrappers/posix/stat_wrappers.h"
+#include "../wrappers/common.h"
+#include "../wrappers/externals/pcre2/pcre2_wrappers.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/linux/dlfcn_wrappers.h"
+
+#define _XOPEN_SOURCE
+
+bool is_owned_by_root(const char * library_path);
+bool load_and_validate_function(void * handle, const char * name, void ** func);
+uint64_t w_get_epoch_time();
+char * w_timestamp_to_string(uint64_t timestamp);
+char * w_timestamp_to_journalctl_since(uint64_t timestamp);
+char * find_library_path(const char * library_name);
+w_journal_lib_t * w_journal_lib_init();
+cJSON * entry_as_json(w_journal_context_t * ctx);
+char * get_field_ptr(w_journal_context_t * ctx, const char * field);
+char * create_plain_syslog(const char * timestamp,
+                           const char * hostname,
+                           const char * syslog_identifier,
+                           const char * pid,
+                           const char * message);
+char * entry_as_syslog(w_journal_context_t * ctx);
+w_journal_entry_t * w_journal_entry_dump(w_journal_context_t * ctx, w_journal_entry_dump_type_t type);
+
+// Mocks
+
+/* Mock of the sd_journal_* functions */
+int __wrap_sd_journal_open(sd_journal ** journal, int flags) { return mock_type(int); }
+
+void __wrap_sd_journal_close(sd_journal * j) { function_called(); }
+
+int __wrap_sd_journal_previous(sd_journal * j) { return mock_type(int); }
+
+int __wrap_sd_journal_next(sd_journal * j) { return mock_type(int); }
+
+int __wrap_sd_journal_seek_tail(sd_journal * j) { return mock_type(int); }
+
+int __wrap_sd_journal_seek_realtime_usec(sd_journal * j, uint64_t usec) { return mock_type(int); }
+
+// The expected value is returned in the usec parameter
+// If the expected value positive, the function returns 0 and the expected value is stored in usec
+int __wrap_sd_journal_get_realtime_usec(sd_journal * j, uint64_t * usec) {
+    int64_t ret = mock_type(int64_t);
+    if (ret >= 0) {
+        *usec = (uint64_t) ret;
+        return 0;
+    }
+    return ret;
+}
+
+int __wrap_sd_journal_get_data(sd_journal * j, const char * field, const void ** data, size_t * length) {
+    check_expected(field);
+    int retval = mock_type(int);
+    // If function returns a positive value, return a simulated data
+    if (retval >= 0) {
+        *data = mock_ptr_type(char *);
+        *length = strlen(*data);
+    }
+    return retval;
+}
+
+int __wrap_sd_journal_restart_data(sd_journal * j) { return mock_type(int); }
+
+int __wrap_sd_journal_enumerate_data(sd_journal * j, const void ** data, size_t * length) {
+
+    int retval = mock_type(int);
+    if (retval > 0) {
+        *data = mock_ptr_type(char *);
+        *length = strlen(*data);
+    }
+    return retval;
+}
+
+int __wrap_sd_journal_get_cutoff_realtime_usec(sd_journal * j, uint64_t * from, uint64_t * to) {
+    int64_t ret = mock_type(int64_t);
+    if (ret >= 0) {
+        *from = (uint64_t) ret;
+        return 0;
+    }
+    return ret;
+}
+
+extern unsigned int __real_gmtime_r(const time_t * t, struct tm * tm);
+unsigned int __wrap_gmtime_r(__attribute__((__unused__)) const time_t * t, __attribute__((__unused__)) struct tm * tm) {
+    unsigned int mock = mock_type(unsigned int);
+    if (mock == 0) {
+        return mock;
+    } else {
+        return __real_gmtime_r(t, tm);
+    }
+}
+
+int __wrap_isDebug() { return mock(); }
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    w_test_pcre2_wrappers(false);
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    w_test_pcre2_wrappers(true);
+    return 0;
+}
+
+// Test is_owned_by_root
+
+// Test is_owned_by_root with root owned
+void test_is_owned_by_root_root_owned(void ** state) {
+    (void) state;
+
+    const char * library_path = "existent_file_root";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_value(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    bool result = is_owned_by_root(library_path);
+
+    // Assert
+    assert_true(result);
+}
+
+// Test is_owned_by_root with not root owned
+void test_is_owned_by_root_not_root_owned(void ** state) {
+    (void) state;
+
+    const char * library_path = "existent_file_no_root";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 1000;
+
+    expect_value(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    bool result = is_owned_by_root(library_path);
+
+    // Assert
+    assert_false(result);
+}
+
+// Test is_owned_by_root with stat fails
+void test_is_owned_by_root_stat_fails(void ** state) {
+    (void) state;
+
+    const char * library_path = "nonexistent_file";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 1000;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, -1);
+
+    bool result = is_owned_by_root(library_path);
+
+    // Assert
+    assert_false(result);
+}
+
+// Test load_and_validate_function
+
+// Test load_and_validate_function success
+static void test_load_and_validate_function_success(void ** state) {
+    // Arrange
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+    const char * function_name = "valid_function";
+    void * function_pointer;
+
+    expect_any(__wrap_dlsym, handle);
+    expect_string(__wrap_dlsym, symbol, "valid_function");
+    will_return(__wrap_dlsym, mock_function);
+
+    // Act
+    bool result = load_and_validate_function(handle, function_name, &function_pointer);
+
+    // Assert
+    assert_true(result);
+    assert_non_null(function_pointer);
+}
+
+// Test load_and_validate_function failure
+static void test_load_and_validate_function_failure(void ** state) {
+    // Arrange
+    void * handle = NULL; // Simulate invalid handle
+    void * mock_function = NULL;
+    const char * function_name = "invalid_function";
+    void * function_pointer = (void *) 1;
+
+    expect_any(__wrap_dlsym, handle);
+    expect_string(__wrap_dlsym, symbol, "invalid_function");
+    will_return(__wrap_dlsym, mock_function);
+
+    will_return(__wrap_dlerror, "ERROR");
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8008): Failed to load 'invalid_function': 'ERROR'.");
+
+    // Act
+    bool result = load_and_validate_function(handle, function_name, &function_pointer);
+
+    // Assert
+    assert_false(result);
+    assert_null(function_pointer);
+}
+
+// Test w_get_epoch_time
+
+static void test_w_get_epoch_time(void ** state) {
+    // Arrange
+    will_return(__wrap_gettimeofday, 0);
+
+    // Act
+    uint64_t result = w_get_epoch_time();
+
+    // Cant assert the result because it is a time value and the wrapper is not set in the test
+
+}
+
+// Test w_timestamp_to_string
+
+static void test_w_timestamp_to_string(void ** state) {
+    // Arrange
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds
+    will_return(__wrap_gmtime_r, 1);
+
+    // Act
+    char * result = w_timestamp_to_string(timestamp);
+
+    // Assert
+    free(result);
+}
+
+// Test w_timestamp_to_journalctl_since
+
+static void test_w_timestamp_to_journalctl_since_success(void ** state) {
+    // Arrange
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+
+    will_return(__wrap_gmtime_r, 1618849174000000);
+
+    // Act
+    char * result = w_timestamp_to_journalctl_since(timestamp);
+
+    // Assert
+    assert_non_null(result);
+
+    // Verify the result is the expected format
+    assert_int_equal(strlen(result), strlen("1900-01-00 00:00:00"));
+    assert_string_equal(result, "2021-04-19 16:19:34");
+    free(result);
+}
+
+static void test_w_timestamp_to_journalctl_since_failure(void ** state) {
+    // Arrange
+    uint64_t timestamp = 0; // Timestamp que provocará el error
+
+    will_return(__wrap_gmtime_r, 0);
+
+    // Act
+    char * result = w_timestamp_to_journalctl_since(timestamp);
+
+    // Assert
+    assert_null(result);
+}
+
+// Test find_library_path
+
+static void test_find_library_path_success(void ** state) {
+    // Arrange
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /path/to/libtest.so\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // Act
+    char * result = find_library_path("libtest.so");
+
+    // Assert
+    assert_non_null(result);
+    assert_string_equal(result, "/path/to/libtest.so");
+
+    // Clean
+    free(result);
+}
+
+static void test_find_library_path_failure(void ** state) {
+    // Arrange
+
+    // Set expectations for fopen
+    const char * library_name = "libtest.so";
+    const char * expected_mode = "r";
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Setting the return value for fopen
+    FILE * maps_file = NULL; // Simulate fopen error
+    will_return(__wrap_fopen, maps_file);
+
+    // Act
+    char * result = find_library_path(library_name);
+
+    // Assert
+    assert_null(result);
+
+    // Clean
+    free(result);
+}
+
+#define W_LIB_SYSTEMD "libsystemd.so.0"
+#define RTLD_LAZY     1
+
+// Test w_journal_lib_init
+
+// Define a test case for the scenario where dlopen fails
+static void test_w_journal_lib_init_dlopen_fail(void ** state) {
+    // Arrange
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, NULL);
+
+    will_return(__wrap_dlerror, "Library load failed");
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8008): Failed to load 'libsystemd.so.0': 'Library load failed'.");
+
+    // Act
+    w_journal_lib_t * result = w_journal_lib_init();
+
+    // Assert
+    assert_null(result);
+}
+
+// Define a test case for the scenario where find_library_path fails
+static void test_w_journal_lib_init_find_library_path_fail(void ** state) {
+    // Arrange
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_failure
+    // Set expectations for fopen
+    const char * library_name = "libtest.so";
+    const char * expected_mode = "r";
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Setting the return value for fopen
+    FILE * maps_file = NULL; // Simulate fopen error
+    will_return(__wrap_fopen, maps_file);
+
+    // expect_any(__wrap_mwarn, id);
+    expect_string(__wrap__mwarn, formatted_msg, "(8009): The library 'libsystemd.so.0' is not owned by the root user.");
+
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+
+    // Act
+    w_journal_lib_t * result = w_journal_lib_init();
+
+    // Assert
+    assert_null(result);
+}
+
+// Define a test case for the scenario where is_owned_by_root fails
+static void test_w_journal_lib_init_is_owned_by_root_fail(void ** state) {
+    // Arrange
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_stat_fails
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 1000;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, -1);
+
+    // expect_any(__wrap_mwarn, id);
+    expect_string(__wrap__mwarn, formatted_msg, "(8009): The library 'libsystemd.so.0' is not owned by the root user.");
+
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+
+    // Act
+    w_journal_lib_t * result = w_journal_lib_init();
+
+    // Assert
+    assert_null(result);
+}
+
+// Define a test case for the scenario where load_and_validate_function fails
+static void test_w_journal_lib_init_load_and_validate_function_fail(void ** state) {
+    // Arrange
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    // test_load_and_validate_function_failure
+    void * handle = NULL; // Simulate invalid handle
+    void * mock_function = NULL;
+    const char * function_name = "sd_journal_open";
+    void * function_pointer = (void *) 1;
+
+    expect_any(__wrap_dlsym, handle);
+    expect_string(__wrap_dlsym, symbol, function_name);
+    will_return(__wrap_dlsym, mock_function);
+
+    will_return(__wrap_dlerror, "ERROR");
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8008): Failed to load 'sd_journal_open': 'ERROR'.");
+
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);
+
+    // Act
+    w_journal_lib_t * result = w_journal_lib_init();
+
+    // Assert
+    assert_null(result);
+}
+
+// Define a test case for the scenario where everything succeeds
+
+//  Auxiliary function for setting dlsym wrap expectations
+static void setup_dlsym_expectations(const char * symbol) {
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0x1;
+
+    if (strcmp(symbol, "sd_journal_open") == 0) {
+        mock_function = (void *) __wrap_sd_journal_open;
+    } else if (strcmp(symbol, "sd_journal_close") == 0) {
+        mock_function = (void *) __wrap_sd_journal_close;
+    } else if (strcmp(symbol, "sd_journal_previous") == 0) {
+        mock_function = (void *) __wrap_sd_journal_previous;
+    } else if (strcmp(symbol, "sd_journal_next") == 0) {
+        mock_function = (void *) __wrap_sd_journal_next;
+    } else if (strcmp(symbol, "sd_journal_seek_tail") == 0) {
+        mock_function = (void *) __wrap_sd_journal_seek_tail;
+    } else if (strcmp(symbol, "sd_journal_seek_realtime_usec") == 0) {
+        mock_function = (void *) __wrap_sd_journal_seek_realtime_usec;
+    } else if (strcmp(symbol, "sd_journal_get_realtime_usec") == 0) {
+        mock_function = (void *) __wrap_sd_journal_get_realtime_usec;
+    } else if (strcmp(symbol, "sd_journal_get_data") == 0) {
+        mock_function = (void *) __wrap_sd_journal_get_data;
+    } else if (strcmp(symbol, "sd_journal_restart_data") == 0) {
+        mock_function = (void *) __wrap_sd_journal_restart_data;
+    } else if (strcmp(symbol, "sd_journal_enumerate_data") == 0) {
+        mock_function = (void *) __wrap_sd_journal_enumerate_data;
+    } else if (strcmp(symbol, "sd_journal_get_cutoff_realtime_usec") == 0) {
+        mock_function = (void *) __wrap_sd_journal_get_cutoff_realtime_usec;
+    } else {
+        // Invalid symbol
+        assert_true(false);
+    }
+
+    expect_any(__wrap_dlsym, handle);
+    expect_string(__wrap_dlsym, symbol, symbol);
+    will_return(__wrap_dlsym, mock_function);
+}
+
+static void test_w_journal_lib_init_success(void ** state) {
+    // Arrange
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    // Act
+    w_journal_lib_t * result = w_journal_lib_init();
+
+    // Assert
+    assert_non_null(result);
+    free(result);
+}
+
+// Test w_journal_context_create
+
+// Test case for a successful context creation
+static void test_w_journal_context_create_success(void ** state) {
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expect to call w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    // Open the journal
+    will_return(__wrap_sd_journal_open, 0);
+
+    // Call the function under test
+    int ret = w_journal_context_create(&ctx);
+
+    // Check the result
+    assert_int_equal(ret, 0); // Success
+    assert_non_null(ctx);     // ctx non null
+
+    // Clear dynamically allocated memory
+    os_free(ctx->journal);
+    os_free(ctx->lib);
+    os_free(ctx);
+}
+
+// Test case for a failure due to NULL context pointer
+static void test_w_journal_context_create_null_pointer(void ** state) {
+    // Call the function with a NULL context pointer
+    int ret = w_journal_context_create(NULL);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+}
+
+// Test case for a failure in library initialization
+static void test_w_journal_context_create_lib_init_fail(void ** state) {
+    // Allocate memory for the context
+    w_journal_context_t * ctx = NULL;
+
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, NULL);
+
+    will_return(__wrap_dlerror, "Library load failed");
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8008): Failed to load 'libsystemd.so.0': 'Library load failed'.");
+
+    // Call the function under test
+    int ret = w_journal_context_create(&ctx);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+    assert_null(ctx);
+}
+
+// Test case for a failure in journal opening
+static void test_w_journal_context_create_journal_open_fail(void ** state) {
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, -1); // Fail w_journal_lib_open
+    expect_string(__wrap__mwarn, formatted_msg, "(8010): Failed open journal log: 'Operation not permitted'.");
+
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+
+    // Call the function under test
+    int ret = w_journal_context_create(&ctx);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+    assert_null(ctx);
+}
+
+// Test w_journal_context_free
+
+// Test case for freeing a NULL context
+static void test_w_journal_context_free_null(void ** state) {
+    w_journal_context_t * ctx = NULL;
+    w_journal_context_free(ctx); // Should not cause any issues
+
+    // Assert
+    assert_null(ctx);
+}
+
+// Test case for freeing a valid context
+static void test_w_journal_context_free_valid(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+
+    // Perform the function under test
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+
+    // No need to check the memory deallocation of ctx since it's freed
+}
+
+// Test w_journal_context_update_timestamp
+
+// Test for w_journal_context_update_timestamp succeeds
+static void test_w_journal_context_update_timestamp_success(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+    w_journal_context_update_timestamp(ctx);
+
+    // Verify that the timestamp has been updated correctly.
+    assert_int_equal(ctx->timestamp, 123456);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_update_timestamp with null ctx
+static void test_w_journal_context_update_timestamp_ctx_null(void ** state) {
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Perform the function under test
+    w_journal_context_update_timestamp(ctx);
+}
+
+// Test for w_journal_context_update_timestamp with error when getting the timestamp
+static void test_w_journal_context_update_timestamp_fail(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_get_realtime_usec, -EACCES); // Fail to get the timestamp value and return an error
+    will_return(__wrap_gettimeofday, NULL);
+    expect_string(__wrap__mwarn,
+                  formatted_msg,
+                  "(8011): Failed to read timestamp from journal log: 'Permission denied'. Using current time.");
+    w_journal_context_update_timestamp(ctx);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test w_journal_context_seek_most_recent
+
+// Test for w_journal_context_seek_most_recent update timestamp
+static void test_w_journal_context_seek_most_recent_update_tamestamp(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_seek_tail, 0);              // Mocked return value
+    will_return(__wrap_sd_journal_previous, 1);               // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+    int ret = w_journal_context_seek_most_recent(ctx);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_most_recent with error when seeking tail
+static void test_w_journal_context_seek_most_recent_seek_tail_fail(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_seek_tail, -1); // Mocked return value
+    int ret = w_journal_context_seek_most_recent(ctx);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_most_recent success
+static void test_w_journal_context_seek_most_recent_success(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_seek_tail, 0); // Mocked return value
+    will_return(__wrap_sd_journal_previous, 0);  // Mocked return value
+    int ret = w_journal_context_seek_most_recent(ctx);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_most_recent with null ctx
+static void test_w_journal_context_seek_most_recent_ctx_null(void ** state) {
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Perform the function under test
+    int ret = w_journal_context_seek_most_recent(ctx);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+}
+
+// Test w_journal_context_seek_timestamp
+
+// Test for w_journal_context_seek_timestamp with null params
+static void test_w_journal_context_seek_timestamp_null_params(void ** state) {
+    assert_int_equal(w_journal_context_seek_timestamp(NULL, 0), -1);
+}
+
+// Test for w_journal_context_seek_timestamp with future timestamp
+static void test_w_journal_context_seek_timestamp_future_timestamp(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_gettimeofday, NULL);
+    expect_string(__wrap__mwarn,
+                  formatted_msg,
+                  "(8012): The timestamp '1234567' is in the future or invalid. Using the most recent entry.");
+    will_return(__wrap_sd_journal_seek_tail, 0); // Mocked return value
+    will_return(__wrap_sd_journal_previous, 0);  // Mocked return value
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp error when getting oldest timestamp
+static void test_w_journal_context_seek_timestamp_fail_read_old_ts(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, -1); // Mocked oldest timestamp
+    expect_string(__wrap__mwarn,
+                  formatted_msg,
+                  "(8013): Failed to read oldest timestamp from journal log: 'Operation not permitted'.");
+    will_return(__wrap_sd_journal_seek_realtime_usec, 0);
+    will_return(__wrap_sd_journal_next, 0);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp with timestamp older than oldest available
+static void test_w_journal_context_seek_timestamp_change_ts(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1233, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 22345678); // Mocked oldest timestamp
+    expect_string(
+        __wrap__mwarn,
+        formatted_msg,
+        "(8014): The timestamp '1234567' is older than the oldest available in journal. Using the oldest entry.");
+    will_return(__wrap_sd_journal_seek_realtime_usec, 0);
+    will_return(__wrap_sd_journal_next, 0);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp with error when seeking timestamp
+static void test_w_journal_context_seek_timestamp_seek_timestamp_fail(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 0); // Mocked oldest timestamp
+    will_return(__wrap_sd_journal_seek_realtime_usec, -1);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp with error when seek the timestamp
+static void test_w_journal_context_seek_timestamp_fail_seek(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 0); // Mocked oldest timestamp
+    will_return(__wrap_sd_journal_seek_realtime_usec, -1);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp with error when getting next entry
+static void test_w_journal_context_seek_timestamp_next_fail(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 0); // Mocked oldest timestamp
+    will_return(__wrap_sd_journal_seek_realtime_usec, 0);
+    will_return(__wrap_sd_journal_next, -1);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 1234567);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_seek_timestamp success
+static void test_w_journal_context_seek_timestamp_success(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 0); // Mocked oldest timestamp
+    will_return(__wrap_sd_journal_seek_realtime_usec, 0);
+    will_return(__wrap_sd_journal_next, 0);
+
+    int ret = w_journal_context_seek_timestamp(ctx, 123457);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+static void test_w_journal_context_seek_timestamp_success_new_entry(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    struct timeval expected_time = {.tv_sec = 1234, .tv_usec = 5678};
+    struct timeval actual_time;
+    will_return(__wrap_gettimeofday, &expected_time);
+    will_return(__wrap_sd_journal_get_cutoff_realtime_usec, 0); // Mocked oldest timestamp
+    will_return(__wrap_sd_journal_seek_realtime_usec, 0);
+    will_return(__wrap_sd_journal_next, 1);
+
+    // update timestamp
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    int ret = w_journal_context_seek_timestamp(ctx, 123457);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test w_journal_context_next_newest
+
+// Test for w_journal_context_next_newest with null ctx
+static void test_w_journal_context_next_newest_ctx_null(void ** state) {
+    // Perform the function under test
+    int ret = w_journal_context_next_newest(NULL);
+
+    // Check the result
+    assert_int_equal(ret, -1);
+}
+
+// Test for w_journal_context_next_newest updating timestamp
+static void test_w_journal_context_next_newest_update_timestamp(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 1);                   // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    int ret = w_journal_context_next_newest(ctx);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_next_newest success
+static void test_w_journal_context_next_newest_success(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 0); // Mocked return value
+
+    int ret = w_journal_context_next_newest(ctx);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test w_journal_filter_apply
+
+// Test for w_journal_filter_apply with null params
+void test_w_journal_filter_apply_null_params(void ** state) {
+
+    assert_int_equal(w_journal_filter_apply(NULL, (w_journal_filter_t *) 0x1), -1);
+    assert_int_equal(w_journal_filter_apply((w_journal_context_t *) 0x1, NULL), -1);
+}
+
+// Test for w_journal_filter_apply with fail to get data
+void test_w_journal_filter_apply_fail_get_data_ignore_test(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Set timestamp
+    ctx->timestamp = 123456;
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field_to_ignore", ".", true));
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field_no_ignore", ".", false));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field_to_ignore");
+    will_return(__wrap_sd_journal_get_data, -1); // Fail get data, ignore
+
+    expect_string(__wrap_sd_journal_get_data, field, "field_no_ignore");
+    will_return(__wrap_sd_journal_get_data, -1); // Fail get data, not ignore
+
+    // Expect err message and return error
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9003): Failed to get data field 'field_no_ignore' from entry with timestamp '123456'. Error: "
+                  "Operation not permitted");
+
+    // Apply filter
+    assert_int_equal(-1, w_journal_filter_apply(ctx, ufilters));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_filter_apply with fail parse data
+void test_w_journal_filter_apply_fail_parse(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Set timestamp
+    ctx->timestamp = 123456;
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);    // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "f="); // Should be a valid data, 'field='
+
+    // Apply filter
+    assert_int_equal(-1, w_journal_filter_apply(ctx, ufilters));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_filter_apply with empty field
+void test_w_journal_filter_apply_empty_field(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Set timestamp
+    ctx->timestamp = 123456;
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);        // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "field="); // Empty field
+
+    // Apply filter
+    assert_int_equal(0, w_journal_filter_apply(ctx, ufilters));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_filter_apply with match fail
+void test_w_journal_filter_apply_match_fail(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Set timestamp
+    ctx->timestamp = 123456;
+
+    // Create filter for arg, match with number fail
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", "^\\d", false));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);                 // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "field=test text"); // Empty field
+
+    // Apply filter
+    assert_int_equal(0, w_journal_filter_apply(ctx, ufilters));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_filter_apply with match success
+void test_w_journal_filter_apply_match_success(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Set timestamp
+    ctx->timestamp = 123456;
+
+    // Create filter for arg, match with number ok
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", "^\\d", false));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);              // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "field=123123"); // Empty field
+
+    // Apply filter
+    assert_int_equal(1, w_journal_filter_apply(ctx, ufilters));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test w_journal_context_next_newest_filtered
+
+// Test for w_journal_context_next_newest_filtered with null filters
+static void test_w_journal_context_next_newest_filtered_null_filters(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 0); // Mocked return value
+    int ret = w_journal_context_next_newest_filtered(ctx, NULL);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_next_newest_filtered with no filters
+static void test_w_journal_context_next_newest_filtered_no_filters(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 0); // Mocked return value
+    int ret = w_journal_context_next_newest_filtered(ctx, (w_journal_filters_list_t) NULL);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+}
+
+// Test for w_journal_context_next_newest_filtered with one filter
+static void test_w_journal_context_next_newest_filtered_one_filter(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 0); // Mocked return value
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+
+    int ret = w_journal_context_next_newest_filtered(ctx, (w_journal_filters_list_t) ufilters);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_context_next_newest_filtered is debug
+static void test_w_journal_context_next_newest_filtered_is_debug(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 1);                   // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+
+    // Set debug
+    will_return(__wrap_isDebug, 1);
+
+    will_return(__wrap_gmtime_r, 0); // Mocked time
+    // mock mdebug2
+    expect_string(__wrap__mdebug2, formatted_msg, "(9004): Checking filters for timestamp 'unknown'");
+
+    int ret = w_journal_context_next_newest_filtered(ctx, (w_journal_filters_list_t) ufilters);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_context_next_newest_filtered is debug false
+static void test_w_journal_context_next_newest_filtered_is_debug_false(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 1);                   // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+
+    // Set debug
+    will_return(__wrap_isDebug, 0);
+
+    int ret = w_journal_context_next_newest_filtered(ctx, (w_journal_filters_list_t) ufilters);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+    // Free filter
+    w_journal_filter_free(ufilters);
+}
+
+// Test for w_journal_context_next_newest_filtered with filter apply
+static void test_w_journal_context_next_newest_filtered_filter_apply(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 1);                   // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    // Set debug
+    will_return(__wrap_isDebug, 0);
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filters_list_t filter_list = NULL;
+
+    // Prepare the filter
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", ".", true));
+    // Add filter to the list
+    assert_true(w_journal_add_filter_to_list(&filter_list, ufilters));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);              // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "field=123123"); // Empty field
+
+    int ret = w_journal_context_next_newest_filtered(ctx, filter_list);
+
+    // Check the result
+    assert_int_equal(ret, 1);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+    // Free filter list
+    w_journal_filters_list_free(filter_list);
+}
+
+// Test for w_journal_context_next_newest_filtered with filter apply fail
+static void test_w_journal_context_next_newest_filtered_filter_apply_fail(void ** state) {
+    // test_w_journal_context_create_success
+    // Define a pointer to w_journal_context_t
+    w_journal_context_t * ctx = NULL;
+
+    // Expectativas de llamada a w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456); // Mocked handle
+
+    // test_find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+
+    // Simulate the successful opening of a file
+    FILE * maps_file = (FILE *) 0x123456; // Simulated address
+    will_return(__wrap_fopen, maps_file);
+
+    // Simulate a line containing the searched library
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+
+    // test_is_owned_by_root_root_owned
+
+    const char * library_path = "/libsystemd.so.0";
+
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+
+    void * handle = (void *) 1; // Simulate handle
+    void * mock_function = (void *) 0xabcdef;
+
+    // Set expectations for dlsym wrap
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+
+    // Perform the function under test
+    will_return(__wrap_sd_journal_next, 1);                   // Mocked return value
+    will_return(__wrap_sd_journal_get_realtime_usec, 123456); // Mocked timestamp
+
+    // Set debug
+    will_return(__wrap_isDebug, 0);
+
+    // Create filter for arg, ignore if missing data = false
+    w_journal_filters_list_t filter_list = NULL;
+
+    // Prepare the filter
+    w_journal_filter_t * ufilters = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&ufilters, "field", "^\\d", true));
+    // Add filter to the list
+    assert_true(w_journal_add_filter_to_list(&filter_list, ufilters));
+
+    // Apply filter expected
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);            // get data ok, the load data
+    will_return(__wrap_sd_journal_get_data, "field=test"); // Empty field
+
+    will_return(__wrap_sd_journal_next, 0);
+
+    int ret = w_journal_context_next_newest_filtered(ctx, filter_list);
+
+    // Check the result
+    assert_int_equal(ret, 0);
+
+    // Memory release
+    expect_function_call(__wrap_sd_journal_close);
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456); // Mocked handle
+    will_return(__wrap_dlclose, 0);                          // Simulate dlclose success
+    w_journal_context_free(ctx);
+    // Free filter list
+    w_journal_filters_list_free(filter_list);
+}
+
+// Test entry_as_json
+void test_entry_as_json_empty(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 0x123456);
+    will_return(__wrap_sd_journal_restart_data, 0);
+    // Empty entry
+    will_return(__wrap_sd_journal_enumerate_data, 0);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    assert_null(entry_as_json(ctx));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_json_fail_parse_field(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 0x123456);
+    will_return(__wrap_sd_journal_restart_data, 0);
+    // Empty entry
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field >> no equal sign");
+    will_return(__wrap_sd_journal_enumerate_data, 0);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    assert_null(entry_as_json(ctx));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_json_success(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 0x123456);
+    will_return(__wrap_sd_journal_restart_data, 0);
+    // 3 entryes
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field=value");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "value");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field2=123");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field2");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "123");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field3=");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field3");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 0);
+
+    assert_non_null(entry_as_json(ctx));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+// Test get_field_ptr
+void test_get_field_ptr_fail_get_data(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    assert_null(get_field_ptr(ctx, "field"));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_get_field_ptr_fail_parse(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "field >> no equal sign");
+
+    assert_null(get_field_ptr(ctx, "field"));
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_get_field_ptr_empty_field(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "field=");
+
+    char * value = get_field_ptr(ctx, "field");
+    assert_non_null(value);
+    assert_string_equal(value, "");
+    os_free(value);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_get_field_ptr_success(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+
+    // Expect
+    expect_string(__wrap_sd_journal_get_data, field, "field");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "field=value");
+
+    char * val = get_field_ptr(ctx, "field");
+    assert_non_null(val);
+    assert_string_equal(val, "value");
+    os_free(val);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+// Test create_plain_syslog
+void test_create_plain_syslog_with_pid(void ** state) {
+
+    char * retval = create_plain_syslog("<timestamp>", "hosname", "tag", "pid", "message");
+    assert_non_null(retval);
+    assert_string_equal(retval, "<timestamp> hosname tag[pid]: message");
+    os_free(retval);
+}
+
+void test_create_plain_syslog_without_pid(void ** state) {
+
+    char * retval = create_plain_syslog("<timestamp>", "hosname", "tag", NULL, "message");
+    assert_non_null(retval);
+    assert_string_equal(retval, "<timestamp> hosname tag: message");
+    os_free(retval);
+}
+
+// Test entry_as_syslog
+void test_entry_as_syslog_success(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_PID=<pid>");
+
+    // Get timestamp
+
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_non_null(retval);
+    assert_string_equal(retval, "Apr 19 16:19:34 <hostname> <tag>[<pid>]: <message>");
+    os_free(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_success_system_pid(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_PID=<spid>");
+
+    // Get timestamp
+
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_non_null(retval);
+    assert_string_equal(retval, "Apr 19 16:19:34 <hostname> <tag>[<spid>]: <message>");
+    os_free(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_success_no_pid(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    // Get timestamp
+
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_non_null(retval);
+    assert_string_equal(retval, "Apr 19 16:19:34 <hostname> <tag>: <message>");
+    os_free(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_missing_hostname(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_PID=<pid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Debug msg
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9002): Failed to get the required fields, discarted log with timestamp '1618849174000000'");
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_null(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_missing_tag(void ** state) {
+
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_PID=<spid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Debug msg
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9002): Failed to get the required fields, discarted log with timestamp '1618849174000000'");
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_null(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_missing_message(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_PID=<spid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Debug msg
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9002): Failed to get the required fields, discarted log with timestamp '1618849174000000'");
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_null(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_entry_as_syslog_missing_timestamp(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_PID=<spid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, 0);
+
+    // Debug msg
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9002): Failed to get the required fields, discarted log with timestamp '1618849174000000'");
+
+    // Check the result
+    char * retval = entry_as_syslog(ctx);
+    assert_null(retval);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+// Test w_journal_entry_dump
+void test_w_journal_entry_dump_null_params(void ** state) {
+    assert_null(w_journal_entry_dump(NULL, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG));
+    assert_null(w_journal_entry_dump(NULL, W_JOURNAL_ENTRY_DUMP_TYPE_JSON));
+}
+
+void test_w_journal_entry_dump_invalid_type(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->timestamp = 123456;
+    ctx->journal = (void *) 0x123456;
+
+    assert_null(w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_INVALID));
+
+    // Test Free invalid
+    w_journal_entry_t * entry = calloc(1, sizeof(w_journal_entry_t));
+    entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_INVALID;
+    entry->timestamp = ctx->timestamp;
+    assert_null(w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_INVALID));
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_w_journal_entry_dump_json_success(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->timestamp = 123456;
+    ctx->journal = (void *) 0x123456;
+
+    // Expect
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 0x123456);
+    will_return(__wrap_sd_journal_restart_data, 0);
+    // 3 entryes
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field=value");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "value");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field2=123");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field2");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "123");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 1);
+    will_return(__wrap_sd_journal_enumerate_data, "field3=");
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field3");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_sd_journal_enumerate_data, 0);
+
+    w_journal_entry_t * entry = w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_JSON);
+    assert_non_null(entry);
+    assert_non_null(entry->data.json);
+    assert_int_equal(entry->type, W_JOURNAL_ENTRY_DUMP_TYPE_JSON);
+    assert_int_equal(entry->timestamp, ctx->timestamp);
+
+    // Free entry (test)
+    expect_function_call(__wrap_cJSON_Delete);
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_w_journal_entry_dump_syslog_fail_json(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->timestamp = 123456;
+    ctx->journal = (void *) 0x123456;
+
+    // Expect
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 0x123456);
+    will_return(__wrap_sd_journal_restart_data, 0);
+    // Empty entry
+    will_return(__wrap_sd_journal_enumerate_data, 0);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    w_journal_entry_t * entry = w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_JSON);
+    assert_null(entry);
+
+    // Free entry (test)
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_w_journal_entry_dump_syslog_success(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->journal = (void *) 0x123456;
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Expect
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_PID=<pid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    w_journal_entry_t * entry = w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+    assert_non_null(entry);
+    assert_non_null(entry->data.syslog);
+    assert_int_equal(entry->type, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+    assert_int_equal(entry->timestamp, ctx->timestamp);
+
+    // Free entry (test)
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_w_journal_entry_dump_syslog_fail(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->journal = (void *) 0x123456;
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Extract fail
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, -1);
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_PID=<pid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    // Debug msg
+    expect_string(__wrap__mdebug2,
+                  formatted_msg,
+                  "(9002): Failed to get the required fields, discarted log with timestamp '1618849174000000'");
+
+    // Get timestamp
+
+    w_journal_entry_t * entry = w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+    assert_null(entry);
+    // Free entry (test)
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+// Test w_journal_entry_to_string
+void test_w_journal_entry_to_string_null_params(void ** state) { assert_null(w_journal_entry_to_string(NULL)); }
+
+void test_w_journal_entry_to_string_syslog(void ** state) {
+    // init ctx
+    w_journal_context_t * ctx = NULL;
+    // >>>> Start Init conext
+    //      w_journal_lib_init
+    expect_string(__wrap_dlopen, filename, W_LIB_SYSTEMD);
+    expect_value(__wrap_dlopen, flags, RTLD_LAZY);
+    will_return(__wrap_dlopen, (void *) 0x123456);
+    //      find_library_path_success
+    expect_string(__wrap_fopen, path, "/proc/self/maps");
+    expect_string(__wrap_fopen, mode, "r");
+    FILE * maps_file = (FILE *) 0x123456;
+    will_return(__wrap_fopen, maps_file);
+    char * simulated_line = strdup("00400000-0040b000 r-xp 00000000 08:01 6711792           /libsystemd.so.0\n");
+    will_return(__wrap_getline, simulated_line);
+    expect_value(__wrap_fclose, _File, 0x123456);
+    will_return(__wrap_fclose, 1);
+    //      is_owned_by_root_root_owned
+    const char * library_path = "/libsystemd.so.0";
+    struct stat mock_stat;
+    mock_stat.st_uid = 0;
+    expect_string(__wrap_stat, __file, library_path);
+    will_return(__wrap_stat, &mock_stat);
+    will_return(__wrap_stat, 0);
+    void * handle = (void *) 1;
+    void * mock_function = (void *) 0xabcdef;
+    //     dlsym
+    setup_dlsym_expectations("sd_journal_open");
+    setup_dlsym_expectations("sd_journal_close");
+    setup_dlsym_expectations("sd_journal_previous");
+    setup_dlsym_expectations("sd_journal_next");
+    setup_dlsym_expectations("sd_journal_seek_tail");
+    setup_dlsym_expectations("sd_journal_seek_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_realtime_usec");
+    setup_dlsym_expectations("sd_journal_get_data");
+    setup_dlsym_expectations("sd_journal_restart_data");
+    setup_dlsym_expectations("sd_journal_enumerate_data");
+    setup_dlsym_expectations("sd_journal_get_cutoff_realtime_usec");
+    will_return(__wrap_sd_journal_open, 0);
+    w_journal_context_create(&ctx);
+    // <<<< End init conetxt
+    ctx->journal = (void *) 0x123456;
+    uint64_t timestamp = 1618849174000000; // Timestamp in microseconds (2021-04-19 16:19:34)
+    ctx->timestamp = timestamp;
+
+    // Expect
+
+    // Extract
+    expect_string(__wrap_sd_journal_get_data, field, "_HOSTNAME");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "_HOSTNAME=<hostname>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_IDENTIFIER");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_IDENTIFIER=<tag>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "MESSAGE");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "MESSAGE=<message>");
+
+    expect_string(__wrap_sd_journal_get_data, field, "SYSLOG_PID");
+    will_return(__wrap_sd_journal_get_data, 0);
+    will_return(__wrap_sd_journal_get_data, "SYSLOG_PID=<pid>");
+
+    // Get timestamp
+    will_return(__wrap_gmtime_r, timestamp);
+
+    w_journal_entry_t * entry = w_journal_entry_dump(ctx, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+    assert_non_null(entry);
+    assert_non_null(entry->data.syslog);
+    assert_int_equal(entry->type, W_JOURNAL_ENTRY_DUMP_TYPE_SYSLOG);
+    assert_int_equal(entry->timestamp, ctx->timestamp);
+
+    char * str = w_journal_entry_to_string(entry);
+    assert_non_null(str);
+    assert_string_equal(str, "Apr 19 16:19:34 <hostname> <tag>[<pid>]: <message>");
+
+    // Free entry (test)
+    os_free(str);
+    w_journal_entry_free(entry);
+
+    // >>>> Start context free
+    expect_value(__wrap_dlclose, handle, (void *) 0x123456);
+    will_return(__wrap_dlclose, 0);
+    expect_function_call(__wrap_sd_journal_close);
+    w_journal_context_free(ctx);
+    // <<<< End Context free
+}
+
+void test_w_journal_entry_to_string_json(void ** state) {
+    w_journal_entry_t * entry = calloc(1, sizeof(w_journal_entry_t));
+    entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_JSON;
+    entry->timestamp = 123456;
+    entry->data.json = (cJSON *) 0x123456;
+
+    will_return(__wrap_cJSON_PrintUnformatted, strdup("json_string"));
+    char * str = w_journal_entry_to_string(entry);
+
+    assert_non_null(str);
+    assert_string_equal(str, "json_string");
+
+    os_free(str);
+    os_free(entry);
+}
+
+void test_w_journal_entry_to_string_invalid_type(void ** state) {
+
+    w_journal_entry_t * entry = calloc(1, sizeof(w_journal_entry_t));
+    entry->type = W_JOURNAL_ENTRY_DUMP_TYPE_INVALID;
+    entry->timestamp = 123456;
+    entry->data.json = (cJSON *) 0x123456;
+
+    char * str = w_journal_entry_to_string(entry);
+
+    assert_null(str);
+
+    os_free(entry);
+}
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        // Test is_owned_by_root
+        cmocka_unit_test(test_is_owned_by_root_root_owned),
+        cmocka_unit_test(test_is_owned_by_root_not_root_owned),
+        cmocka_unit_test(test_is_owned_by_root_stat_fails),
+        // Test load_and_validate_function
+        cmocka_unit_test(test_load_and_validate_function_success),
+        cmocka_unit_test(test_load_and_validate_function_failure),
+        // Test w_get_epoch_time
+        cmocka_unit_test(test_w_get_epoch_time),
+        // Test w_timestamp_to_string
+        cmocka_unit_test(test_w_timestamp_to_string),
+        cmocka_unit_test(test_w_timestamp_to_journalctl_since_success),
+        cmocka_unit_test(test_w_timestamp_to_journalctl_since_failure),
+        // Test find_library_path
+        cmocka_unit_test(test_find_library_path_success),
+        cmocka_unit_test(test_find_library_path_failure),
+        // Test w_journal_context_create
+        cmocka_unit_test(test_w_journal_lib_init_dlopen_fail),
+        cmocka_unit_test(test_w_journal_lib_init_find_library_path_fail),
+        cmocka_unit_test(test_w_journal_lib_init_is_owned_by_root_fail),
+        cmocka_unit_test(test_w_journal_lib_init_load_and_validate_function_fail),
+        cmocka_unit_test(test_w_journal_lib_init_success),
+        // Test w_journal_context_create
+        cmocka_unit_test(test_w_journal_context_create_success),
+        cmocka_unit_test(test_w_journal_context_create_null_pointer),
+        cmocka_unit_test(test_w_journal_context_create_lib_init_fail),
+        cmocka_unit_test(test_w_journal_context_create_journal_open_fail),
+        // Test w_journal_context_free
+        cmocka_unit_test(test_w_journal_context_free_null),
+        cmocka_unit_test(test_w_journal_context_free_valid),
+        // Test w_journal_context_update_timestamp
+        cmocka_unit_test(test_w_journal_context_update_timestamp_success),
+        cmocka_unit_test(test_w_journal_context_update_timestamp_ctx_null),
+        cmocka_unit_test(test_w_journal_context_update_timestamp_fail),
+        // Test w_journal_context_seek_timestamp
+        cmocka_unit_test(test_w_journal_context_seek_most_recent_update_tamestamp),
+        cmocka_unit_test(test_w_journal_context_seek_most_recent_seek_tail_fail),
+        cmocka_unit_test(test_w_journal_context_seek_most_recent_success),
+        cmocka_unit_test(test_w_journal_context_seek_most_recent_ctx_null),
+        // Test w_journal_context_seek_timestamp
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_null_params),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_future_timestamp),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_fail_read_old_ts),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_change_ts),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_fail_seek),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_seek_timestamp_fail),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_next_fail),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_success),
+        cmocka_unit_test(test_w_journal_context_seek_timestamp_success_new_entry),
+        // Test w_journal_context_next_newest
+        cmocka_unit_test(test_w_journal_context_next_newest_ctx_null),
+        cmocka_unit_test(test_w_journal_context_next_newest_update_timestamp),
+        cmocka_unit_test(test_w_journal_context_next_newest_success),
+        // Test w_journal_filter_apply
+        cmocka_unit_test(test_w_journal_filter_apply_null_params),
+        cmocka_unit_test(test_w_journal_filter_apply_fail_get_data_ignore_test),
+        cmocka_unit_test(test_w_journal_filter_apply_fail_parse),
+        cmocka_unit_test(test_w_journal_filter_apply_empty_field),
+        cmocka_unit_test(test_w_journal_filter_apply_match_fail),
+        cmocka_unit_test(test_w_journal_filter_apply_match_success),
+        // Test w_journal_context_next_newest_filtered
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_null_filters),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_no_filters),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_one_filter),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_is_debug),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_is_debug_false),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_filter_apply),
+        cmocka_unit_test(test_w_journal_context_next_newest_filtered_filter_apply_fail),
+        // Test entry_as_json
+        cmocka_unit_test(test_entry_as_json_empty),
+        cmocka_unit_test(test_entry_as_json_fail_parse_field),
+        cmocka_unit_test(test_entry_as_json_success),
+        // Test get_field_ptr
+        cmocka_unit_test(test_get_field_ptr_fail_get_data),
+        cmocka_unit_test(test_get_field_ptr_fail_parse),
+        cmocka_unit_test(test_get_field_ptr_empty_field),
+        cmocka_unit_test(test_get_field_ptr_success),
+        // Test create_plain_syslog
+        cmocka_unit_test(test_create_plain_syslog_with_pid),
+        cmocka_unit_test(test_create_plain_syslog_without_pid),
+        // Test entry_as_syslog
+        cmocka_unit_test(test_entry_as_syslog_success),
+        cmocka_unit_test(test_entry_as_syslog_success_system_pid),
+        cmocka_unit_test(test_entry_as_syslog_success_no_pid),
+        cmocka_unit_test(test_entry_as_syslog_missing_hostname),
+        cmocka_unit_test(test_entry_as_syslog_missing_tag),
+        cmocka_unit_test(test_entry_as_syslog_missing_message),
+        cmocka_unit_test(test_entry_as_syslog_missing_timestamp),
+        // Test w_journal_entry_dump
+        cmocka_unit_test(test_w_journal_entry_dump_null_params),
+        cmocka_unit_test(test_w_journal_entry_dump_invalid_type),
+        cmocka_unit_test(test_w_journal_entry_dump_json_success),
+        cmocka_unit_test(test_w_journal_entry_dump_syslog_fail_json),
+        cmocka_unit_test(test_w_journal_entry_dump_syslog_success),
+        cmocka_unit_test(test_w_journal_entry_dump_syslog_fail),
+        // Test w_journal_entry_to_string
+        cmocka_unit_test(test_w_journal_entry_to_string_null_params),
+        cmocka_unit_test(test_w_journal_entry_to_string_syslog),
+        cmocka_unit_test(test_w_journal_entry_to_string_json),
+        cmocka_unit_test(test_w_journal_entry_to_string_invalid_type),
+
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_lccom.c b/src/modules/logcollector/tests/unit/tests/test_lccom.c
new file mode 100644
index 0000000000..3670719d36
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_lccom.c
@@ -0,0 +1,386 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../../headers/shared.h"
+#include "../../logcollector/state.h"
+#include "../../logcollector/logcollector.h"
+#include "../../wazuh_modules/wmodules.h"
+#include "../../os_net/os_net.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+
+#include "json_data.h"
+
+size_t lccom_getstate(char ** output, bool getNextPage);
+uint16_t getJsonStr64kBlockFromLatestIndex(char **output, bool getNextPage);
+void addStartandEndTagsToJsonStrBlock(char *buffJson, char *headerGlobal, char *headerInterval, char *headerData, size_t LenHeaderInterval, size_t LenHeaderData, size_t LenHeaderGlobal, size_t counter, bool getNextPage);
+bool isJsonUpdated(void);
+
+/* setup/teardown */
+
+static int setup_group(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* wraps */
+
+cJSON * __wrap_w_logcollector_state_get() {
+    return mock_type(cJSON *);
+}
+
+double __wrap_difftime (time_t __time1, time_t __time0) {
+    return mock();
+}
+
+/* tests */
+
+/* lccom_getstate */
+
+void test_lccom_getstate_ok(void ** state) {
+
+    char * output = NULL;
+    char json[] = "test json";
+    state_interval = true;
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 2);
+    will_return(__wrap_w_logcollector_state_get, (cJSON *) 3);
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "error");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 0);
+    will_return(__wrap_cJSON_AddNumberToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "remaining");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "json_updated");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, 0);
+
+    will_return(__wrap_cJSON_PrintUnformatted, json);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    size_t retval = lccom_getstate(&output, false);
+
+    assert_int_equal(strlen(json), retval);
+    assert_string_equal(json, output);
+}
+
+void test_lccom_getstate_null(void ** state) {
+
+    char * output = NULL;
+    char json[] = "test json";
+    state_interval = true;
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 2);
+    will_return(__wrap_w_logcollector_state_get, NULL);
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "error");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 1);
+    will_return(__wrap_cJSON_AddNumberToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddObjectToObject, name, "data");
+    expect_value(__wrap_cJSON_AddObjectToObject, object, (cJSON *) 2);
+    will_return(__wrap_cJSON_AddObjectToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "message");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "Statistics unavailable");
+    will_return(__wrap_cJSON_AddStringToObject, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "At LCCOM getstate: Statistics unavailable");
+
+    will_return(__wrap_cJSON_PrintUnformatted, json);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    size_t retval = lccom_getstate(&output, false);
+
+    assert_int_equal(strlen(json), retval);
+    assert_string_equal(json, output);
+}
+
+
+void _test_lccom_getstate_tmp (char *fullJson, char *ExpectedBlock, bool getNextPage){
+    char * output = NULL;
+    char *json = NULL;
+    os_strdup(fullJson, json);
+    state_interval = true;
+    struct stat stat_buf = { .st_mode = 0040000 };
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 2);
+    will_return(__wrap_w_logcollector_state_get, (cJSON *) 3);
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "error");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 0);
+    will_return(__wrap_cJSON_AddNumberToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "remaining");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "json_updated");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, 0);
+
+    will_return(__wrap_cJSON_PrintUnformatted, json);
+    expect_function_call(__wrap_cJSON_Delete);
+
+    if (strstr(fullJson, outjson2) == NULL) {
+        expect_string(__wrap_stat, __file, "var/run/wazuh-logcollector.state");
+        will_return(__wrap_stat, &stat_buf);
+        will_return(__wrap_stat, 0);
+        will_return(__wrap_difftime, 10);
+        will_return(__wrap_strftime,"Wed Dec 31 19:00:00 1969");
+        will_return(__wrap_strftime, 20);
+        expect_string(__wrap__mdebug2, formatted_msg, " Wed Dec 31 19:00:00 1969 var/run/wazuh-logcollector.state");
+    }
+
+    size_t retval = lccom_getstate(&output, getNextPage);
+    assert_int_equal(strlen(output), retval);
+    assert_string_equal(ExpectedBlock, output);
+    os_free(output);
+}
+
+
+void test_lccom_getstate_first_json_block_greather_than_64k(void ** state) {
+    _test_lccom_getstate_tmp (global_outjson, outjson_block1, false);
+}
+
+void test_lccom_getstate_second_json_block_greather_than_64k(void ** state) {
+    _test_lccom_getstate_tmp (global_outjson, outjson_block2, true);
+}
+
+void test_lccom_getstate_third_json_block_greather_than_64k(void ** state) {
+    _test_lccom_getstate_tmp (global_outjson, outjson_block3, true);
+}
+
+void test_lccom_getstate_end_json_block_lower_than_64k(void ** state) {
+   _test_lccom_getstate_tmp (global_outjson, outjson_block4, true);
+}
+
+void test_lccom_getstate_first_json_block_greather_than_64k_case1(void ** state) {
+   _test_lccom_getstate_tmp (outjson1, outjson_block_case_1, false);
+}
+
+void test_lccom_getstate_first_json_block_lower_than_64k_case2(void ** state) {
+   _test_lccom_getstate_tmp (outjson2, outjson_block_case_2, false);
+}
+
+void test_lccom_getstate_first_json_block_lower_than_64k_case5(void ** state) {
+   _test_lccom_getstate_tmp (outjson5, outjson_block_case_5, false);
+}
+
+void test_lccom_getstate_first_json_block_lower_than_64k_case5_block1(void ** state) {
+   _test_lccom_getstate_tmp (outjson5, outjson_block_case_5_1, true);
+}
+
+void test_lccom_getstate_first_json_block_lower_than_64k_case6(void ** state) {
+   _test_lccom_getstate_tmp (outjson6, outjson_block_case_6, false);
+}
+
+void test_lccom_getstate_first_json_block_lower_than_64k_case6_block1(void ** state) {
+   _test_lccom_getstate_tmp (outjson6, outjson_block_case_6_1, true);
+}
+
+void test_lccom_getstate_first_json_block_no_global(void ** state) {
+    expect_string(__wrap__mwarn, formatted_msg, "'global' tag no found in logcollector JSON stats");
+    addStartandEndTagsToJsonStrBlock(outjson_no_global, "{\"global\":{\"start\":", "\"interval\":{\"start\":", "{\"error\":0,\"data\":{\"global\":{\"start\":", 0, 0, 0, 0, false);
+    assert_string_equal(outjson_no_global, outjson_no_global);
+}
+
+void test_lccom_getJsonStr64kBlockFromLatestIndex(void ** state) {
+    char * output = NULL;
+    char *json = NULL;
+    os_strdup(outjson2, json);
+
+    size_t retval = getJsonStr64kBlockFromLatestIndex(&json, false);
+    assert_int_equal(strlen(json), retval);
+    assert_string_equal(outjson2, json);
+    os_free(json);
+}
+
+void test_lccom_isJsonUpdated(void ** state) {
+    struct stat stat_buf = { .st_mode = 0040000 };
+    expect_string(__wrap_stat, __file, "var/run/wazuh-logcollector.state");
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+    will_return(__wrap_difftime, 10);
+    will_return(__wrap_strftime,"Wed Dec 31 19:00:00 1969");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mdebug2, formatted_msg, " Wed Dec 31 19:00:00 1969 var/run/wazuh-logcollector.state");
+    size_t retval = isJsonUpdated();
+}
+
+void test_lccom_dispatch_getconfig_ok() {
+    char * command = NULL;
+    char * output = NULL;
+
+    os_strdup("getconfig test", command);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "At LCCOM getconfig: Could not get 'test' section");
+
+    size_t retval = lccom_dispatch(command, &output);
+
+    assert_int_equal(retval, 35);
+    assert_string_equal(output, "err Could not get requested section");
+
+    os_free(command);
+    os_free(output);
+}
+
+void test_lccom_dispatch_getconfig_err() {
+    char * command = NULL;
+    char * output = NULL;
+
+    os_strdup("getconfig", command);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "LCCOM getconfig needs arguments.");
+
+    size_t retval = lccom_dispatch(command, &output);
+
+    assert_int_equal(retval, 35);
+    assert_string_equal(output, "err LCCOM getconfig needs arguments");
+
+    os_free(command);
+    os_free(output);
+}
+
+void test_lccom_dispatch_getstate() {
+    char * command = NULL;
+    char * output = NULL;
+    char json[] = "test json";
+    state_interval = true;
+
+    os_strdup("getstate", command);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 2);
+    will_return(__wrap_w_logcollector_state_get, (cJSON *) 3);
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "error");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 0);
+    will_return(__wrap_cJSON_AddNumberToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "remaining");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "json_updated");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, 0);
+
+    will_return(__wrap_cJSON_PrintUnformatted, strdup(json));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    size_t retval = lccom_dispatch(command, &output);
+
+    assert_int_equal(retval, 9);
+    assert_string_equal(output, "test json");
+
+    os_free(command);
+    os_free(output);
+}
+
+void test_lccom_dispatch_getstate_next() {
+    char * command = NULL;
+    char * output = NULL;
+    char json[] = "test json";
+    state_interval = true;
+
+    os_strdup("getstate next", command);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 2);
+    will_return(__wrap_w_logcollector_state_get, (cJSON *) 3);
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "error");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 0);
+    will_return(__wrap_cJSON_AddNumberToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "remaining");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_string(__wrap_cJSON_AddFalseToObject, name, "json_updated");
+    will_return(__wrap_cJSON_AddFalseToObject, NULL);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, 0);
+
+    will_return(__wrap_cJSON_PrintUnformatted, strdup(json));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    size_t retval = lccom_dispatch(command, &output);
+
+    assert_int_equal(retval, 9);
+    assert_string_equal(output, "test json");
+
+    os_free(command);
+    os_free(output);
+}
+
+void test_lccom_dispatch_err() {
+    char * command = NULL;
+    char * output = NULL;
+
+    os_strdup("test", command);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "LCCOM Unrecognized command 'test'.");
+
+    size_t retval = lccom_dispatch(command, &output);
+
+    assert_int_equal(retval, 24);
+    assert_string_equal(output, "err Unrecognized command");
+
+    os_free(command);
+    os_free(output);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+
+        // Tests lccom_getstate
+        cmocka_unit_test(test_lccom_getstate_ok),
+        cmocka_unit_test(test_lccom_getstate_null),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_greather_than_64k),
+        cmocka_unit_test(test_lccom_getstate_second_json_block_greather_than_64k),
+        cmocka_unit_test(test_lccom_getstate_third_json_block_greather_than_64k),
+        cmocka_unit_test(test_lccom_getstate_end_json_block_lower_than_64k),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_greather_than_64k_case1),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_lower_than_64k_case2),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_lower_than_64k_case5),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_lower_than_64k_case5_block1),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_lower_than_64k_case6),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_lower_than_64k_case6_block1),
+        cmocka_unit_test(test_lccom_getstate_first_json_block_no_global),
+        cmocka_unit_test(test_lccom_getJsonStr64kBlockFromLatestIndex),
+        cmocka_unit_test(test_lccom_isJsonUpdated),
+        cmocka_unit_test(test_lccom_dispatch_getconfig_ok),
+        cmocka_unit_test(test_lccom_dispatch_getconfig_err),
+        cmocka_unit_test(test_lccom_dispatch_getstate),
+        cmocka_unit_test(test_lccom_dispatch_getstate_next),
+        cmocka_unit_test(test_lccom_dispatch_err),
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_localfile_config.c b/src/modules/logcollector/tests/unit/tests/test_localfile_config.c
new file mode 100644
index 0000000000..f570ab7306
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_localfile_config.c
@@ -0,0 +1,1106 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "shared.h"
+#include "../config/localfile-config.h"
+#include "../config/config.h"
+#include "../wrappers/wazuh/os_xml/os_xml_wrappers.h"
+#include "../wrappers/externals/pcre2/pcre2_wrappers.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+
+const char * multiline_attr_match_str(w_multiline_match_type_t match_type);
+const char * multiline_attr_replace_str(w_multiline_replace_type_t replace_type);
+unsigned int w_get_attr_timeout(xml_node * node);
+w_multiline_replace_type_t w_get_attr_replace(xml_node * node);
+w_multiline_match_type_t w_get_attr_match(xml_node * node);
+int w_logcollector_get_macos_log_type(const char * content);
+
+// Journal
+#define VALID_PCRE2_REGEX "valid regex \\w+"
+#define INVALID_PCRE2_REGEX "invalid regex [a \\w+{-1"
+
+_w_journal_filter_unit_t * create_unit_filter(const char * field, char * expression, bool ignore_if_missing);
+void free_unit_filter(_w_journal_filter_unit_t * unit);
+cJSON * unit_filter_as_json(_w_journal_filter_unit_t * unit);
+cJSON * filter_as_json(w_journal_filter_t * filter);
+
+/* setup/teardown */
+static int setup_group(void **state) {
+    test_mode = 1;
+    w_test_pcre2_wrappers(false);
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    w_test_pcre2_wrappers(true);
+    return 0;
+}
+
+/* wraps */
+
+/* tests */
+
+/* multiline_attr_replace_str */
+void test_multiline_attr_replace_str_no_replace(void ** state) {
+    w_multiline_replace_type_t replace_type = ML_REPLACE_NO_REPLACE;
+    const char expected_retval[] = "no-replace";
+    const char * retval = multiline_attr_replace_str(replace_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+void test_multiline_attr_replace_str_none(void ** state) {
+    w_multiline_replace_type_t replace_type = ML_REPLACE_NONE;
+    const char expected_retval[] = "none";
+    const char * retval = multiline_attr_replace_str(replace_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+void test_multiline_attr_replace_str_ws(void ** state) {
+    w_multiline_replace_type_t replace_type = ML_REPLACE_WSPACE;
+    const char expected_retval[] = "wspace";
+    const char * retval = multiline_attr_replace_str(replace_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+void test_multiline_attr_replace_str_tab(void ** state) {
+    w_multiline_replace_type_t replace_type = ML_REPLACE_TAB;
+    const char expected_retval[] = "tab";
+    const char * retval = multiline_attr_replace_str(replace_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+/* multiline_attr_match_str */
+void test_multiline_attr_match_str_start(void ** state) {
+    w_multiline_match_type_t match_type = ML_MATCH_START;
+    const char expected_retval[] = "start";
+    const char * retval = multiline_attr_match_str(match_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+void test_multiline_attr_match_str_all(void ** state) {
+    w_multiline_match_type_t match_type = ML_MATCH_ALL;
+    const char expected_retval[] = "all";
+    const char * retval = multiline_attr_match_str(match_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+void test_multiline_attr_match_str_end(void ** state) {
+    w_multiline_match_type_t match_type = ML_MATCH_END;
+    const char expected_retval[] = "end";
+    const char * retval = multiline_attr_match_str(match_type);
+    assert_string_equal(retval, expected_retval);
+}
+
+/* w_get_attr_timeout */
+void test_w_get_attr_timeout_missing(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, NULL);
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_empty(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value '' for attribute 'timeout' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_not_number(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "test");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value 'test' for attribute 'timeout' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_mixed(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "11test11");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value '11test11' for attribute 'timeout' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_zero(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "0");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value '0' for attribute 'timeout' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_out_range(void ** state) {
+
+    unsigned int expect_retval = MULTI_LINE_REGEX_TIMEOUT;
+    unsigned int retval;
+    char str_timeout[10] = {0};
+    char str_msg[300] = {0};
+
+    sprintf(str_timeout, "%i", MULTI_LINE_REGEX_MAX_TIMEOUT + 4);
+    sprintf(str_msg, "(8000): Invalid value '%s' for attribute 'timeout' in "
+                  "'multiline_regex' option. Default value will be used.", str_timeout);
+
+    will_return(__wrap_w_get_attr_val_by_name, str_timeout);
+    expect_string(__wrap__mwarn, formatted_msg, str_msg);
+
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_timeout_out_ok(void ** state) {
+
+    unsigned int expect_retval = 30;
+    unsigned int retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "30");
+    retval = w_get_attr_timeout(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+// Test w_get_attr_replace
+void test_w_get_attr_replace_missing(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_NO_REPLACE;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, NULL);
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_replace_no_replace(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_NO_REPLACE;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "no-replace");
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_replace_ws(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_WSPACE;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "wspace");
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_replace_tab(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_TAB;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "tab");
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_replace_none(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_NONE;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "none");
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_replace_invalid(void ** state) {
+
+    w_multiline_replace_type_t expect_retval = ML_REPLACE_NO_REPLACE;
+    w_multiline_replace_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "invalid_attr");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value 'invalid_attr' for attribute 'replace' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_replace(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+/* w_get_attr_match */
+void test_w_get_attr_match_invalid(void ** state) {
+
+    w_multiline_match_type_t expect_retval = ML_MATCH_START;
+    w_multiline_match_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "invalid_attr");
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8000): Invalid value 'invalid_attr' for attribute 'match' in "
+                  "'multiline_regex' option. Default value will be used.");
+    retval = w_get_attr_match(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_match_missing(void ** state) {
+
+    w_multiline_match_type_t expect_retval = ML_MATCH_START;
+    w_multiline_match_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, NULL);
+    retval = w_get_attr_match(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_match_start(void ** state) {
+
+    w_multiline_match_type_t expect_retval = ML_MATCH_START;
+    w_multiline_match_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "start");
+    retval = w_get_attr_match(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_match_all(void ** state) {
+
+    w_multiline_match_type_t expect_retval = ML_MATCH_ALL;
+    w_multiline_match_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "all");
+    retval = w_get_attr_match(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+void test_w_get_attr_match_end(void ** state) {
+
+    w_multiline_match_type_t expect_retval = ML_MATCH_END;
+    w_multiline_match_type_t retval;
+
+    will_return(__wrap_w_get_attr_val_by_name, "end");
+    retval = w_get_attr_match(NULL);
+
+    assert_int_equal(expect_retval, retval);
+}
+
+/*  w_logcollector_get_macos_log_type  */
+void test_w_logcollector_get_macos_log_type_content_NULL(void ** state) {
+    const char * content = NULL;
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, 0);
+}
+
+void test_w_logcollector_get_macos_log_type_content_empty(void ** state) {
+    const char * content = "";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, 0);
+}
+
+void test_w_logcollector_get_macos_log_type_content_ignore_values(void ** state) {
+    const char * content = "  hello, ,world  ";
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8003): Invalid value 'hello' for attribute 'type' in 'query' option."\
+                  " Attribute will be ignored.");
+
+    expect_string(__wrap__mwarn, formatted_msg, "(8003): Invalid value 'world' for attribute 'type' in 'query' option."\
+                  " Attribute will be ignored.");
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, 0);
+}
+
+void test_w_logcollector_get_macos_log_type_content_activity(void ** state) {
+    const char * content = " activity ";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_ACTIVITY);
+}
+
+void test_w_logcollector_get_macos_log_type_content_log(void ** state) {
+    const char * content = "log ";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_LOG);
+}
+
+void test_w_logcollector_get_macos_log_type_content_trace(void ** state) {
+    const char * content = " trace, ";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_TRACE);
+}
+
+void test_w_logcollector_get_macos_log_type_content_trace_activity(void ** state) {
+    const char * content = " trace, activity,,";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_TRACE | MACOS_LOG_TYPE_ACTIVITY);
+}
+
+void test_w_logcollector_get_macos_log_type_content_trace_log_activity(void ** state) {
+    const char * content = " trace, ,activity,,log ";
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_TRACE | MACOS_LOG_TYPE_ACTIVITY | MACOS_LOG_TYPE_LOG);
+}
+
+void test_w_logcollector_get_macos_log_type_content_log_multiword_invalid(void ** state) {
+    const char * content = "log, trace  activity";
+
+    expect_string(__wrap__mwarn, formatted_msg,
+                  "(8003): Invalid value 'trace  activity' for attribute 'type' in 'query' option."
+                  " Attribute will be ignored.");
+
+    int ret = w_logcollector_get_macos_log_type(content);
+    assert_int_equal(ret, MACOS_LOG_TYPE_LOG);
+}
+
+/* init_w_journal_log_config_t */
+void test_init_w_journal_log_config_t_ok(void ** state) {
+    w_journal_log_config_t * config = NULL;
+    bool ret = init_w_journal_log_config_t(&config);
+    assert_true(ret);
+    assert_non_null(config);
+    assert_false(config->disable_filters);
+    assert_null(config->filters);
+    os_free(config);
+}
+
+void test_init_w_journal_log_config_t_fail(void ** state) {
+    w_journal_log_config_t * config = (w_journal_log_config_t *) 0x1;
+    bool ret = init_w_journal_log_config_t(&config);
+    assert_false(ret);
+    assert_non_null(config);
+}
+
+/* w_journal_log_config_free */
+void test_w_journal_log_config_free_null(void ** state) {
+    w_journal_log_config_t * config = NULL;
+
+    w_journal_log_config_free(NULL);
+    w_journal_log_config_free(&config);
+}
+
+void test_w_journal_log_config_free_ok(void ** state) {
+
+    w_journal_log_config_t * config = NULL;
+
+    assert_true(init_w_journal_log_config_t(&config));
+    w_journal_log_config_free(&config);
+}
+
+/* free_unit_filter */
+void test_free_unit_filter_null(void ** state) {
+    _w_journal_filter_unit_t * ufilter = NULL;
+    free_unit_filter(ufilter);
+}
+
+void test_free_unit_filter_ok(void ** state) {
+    _w_journal_filter_unit_t * ufilter = calloc(1, sizeof(_w_journal_filter_unit_t));
+    ufilter->field = strdup("test");
+    w_calloc_expression_t(&ufilter->exp, EXP_TYPE_PCRE2);
+    w_expression_compile(ufilter->exp, VALID_PCRE2_REGEX, 0);
+
+    free_unit_filter(ufilter);
+}
+
+/* create_unit_filter */
+void test_create_unit_filter_null_param(void ** state) {
+
+    assert_null(create_unit_filter("field", NULL, false));
+    assert_null(create_unit_filter(NULL, VALID_PCRE2_REGEX, false));
+}
+
+void test_create_unit_filter_inv_expresion(void ** state) {
+
+    assert_null(create_unit_filter("fied", INVALID_PCRE2_REGEX, false));
+}
+
+void test_create_unit_filter_ok(void ** state) {
+    _w_journal_filter_unit_t * ufilter = create_unit_filter("fied_test", VALID_PCRE2_REGEX, true);
+
+    assert_non_null(ufilter);
+    assert_true(ufilter->ignore_if_missing);
+    assert_string_equal(ufilter->exp->pcre2->raw_pattern, VALID_PCRE2_REGEX);
+    assert_string_equal(ufilter->field, "fied_test");
+
+    free_unit_filter(ufilter);
+}
+
+/* unit_filter_as_json */
+void test_unit_filter_as_json_null_params(void ** state) {
+
+    _w_journal_filter_unit_t unit = {.exp = NULL, .field = NULL, .ignore_if_missing = false};
+
+    assert_null(unit_filter_as_json(NULL));
+
+    assert_null(unit_filter_as_json(&unit));
+
+    unit.field = "test field";
+    assert_null(unit_filter_as_json(&unit));
+}
+
+void test_unit_filter_as_json_ok(void ** state) {
+
+    _w_journal_filter_unit_t unit = {.exp = NULL, .field = "test field", .ignore_if_missing = true};
+
+    w_calloc_expression_t(&unit.exp, EXP_TYPE_PCRE2);
+    w_expression_compile(unit.exp, VALID_PCRE2_REGEX, 0);
+
+    will_return(__wrap_cJSON_CreateObject, (void *) 0x1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test field");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "expression");
+    expect_string(__wrap_cJSON_AddStringToObject, string, VALID_PCRE2_REGEX);
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_AddBoolToObject, (cJSON *) 1);
+
+    assert_non_null(unit_filter_as_json(&unit));
+
+    w_free_expression(unit.exp);
+}
+
+/* w_journal_filter_add_condition */
+void test_w_journal_filter_add_condition_null_params(void ** state) {
+    w_journal_filter_t * filters = NULL;
+    assert_int_not_equal(0, w_journal_filter_add_condition(&filters, "field", NULL, false));
+    assert_int_not_equal(0, w_journal_filter_add_condition(&filters, NULL, VALID_PCRE2_REGEX, false));
+    assert_int_not_equal(0, w_journal_filter_add_condition(NULL, "field", VALID_PCRE2_REGEX, false));
+}
+
+void test_w_journal_filter_add_condition_bad_exp(void ** state) {
+    w_journal_filter_t * filters = NULL;
+    assert_int_not_equal(0, w_journal_filter_add_condition(&filters, "field", INVALID_PCRE2_REGEX, false));
+}
+
+void test_w_journal_filter_add_condition_ok_first_cond(void ** state) {
+    w_journal_filter_t * filters = NULL;
+
+    assert_int_equal(0, w_journal_filter_add_condition(&filters, "field", VALID_PCRE2_REGEX, false));
+
+    assert_non_null(filters);
+    assert_int_equal(1, filters->units_size);
+    assert_non_null(filters->units);
+    assert_non_null(filters->units[0]);
+    assert_non_null(filters->units[0]->exp->pcre2->code);
+    assert_null(filters->units[1]);
+
+    w_journal_filter_free(filters); // test w_journal_filter_free
+}
+
+void test_w_journal_filter_add_condition_ok_other_cond(void ** state) {
+
+    w_journal_filter_t * filters = NULL;
+
+    assert_int_equal(0, w_journal_filter_add_condition(&filters, "field", VALID_PCRE2_REGEX, false));
+
+    assert_non_null(filters);
+    assert_int_equal(1, filters->units_size);
+    assert_non_null(filters->units);
+    assert_non_null(filters->units[0]);
+    assert_non_null(filters->units[0]->exp->pcre2->code);
+    assert_int_equal(filters->units[0]->ignore_if_missing, false);
+    assert_null(filters->units[1]);
+
+    // Add second filter
+    assert_int_equal(0, w_journal_filter_add_condition(&filters, "field2", VALID_PCRE2_REGEX, true));
+
+    assert_int_equal(2, filters->units_size);
+    assert_non_null(filters->units);
+    assert_non_null(filters->units[0]);
+    assert_non_null(filters->units[0]->exp->pcre2->code);
+    assert_string_equal(filters->units[0]->field, "field");
+    assert_non_null(filters->units[1]);
+    assert_non_null(filters->units[1]->exp->pcre2->code);
+    assert_int_equal(filters->units[1]->ignore_if_missing, true);
+    assert_string_equal(filters->units[1]->field, "field2");
+
+    assert_null(filters->units[2]);
+
+    w_journal_filter_free(filters); // test w_journal_filter_free
+}
+
+/* w_journal_filter_free */
+void test_w_journal_filter_free_null(void ** state) { w_journal_filter_free(NULL); }
+
+/* Test filter_as_json */
+void test_filter_as_json_null_params(void ** state) {
+
+    w_journal_filter_t filter = {0};
+
+    assert_null(filter_as_json(NULL));
+    assert_null(filter_as_json(&filter));
+}
+
+void test_filter_as_json_fail_array(void ** state) {
+
+    w_journal_filter_t * filter = NULL;
+
+    assert_int_equal(0, w_journal_filter_add_condition(&filter, "test field", VALID_PCRE2_REGEX, false));
+
+    will_return(__wrap_cJSON_CreateArray, (cJSON *) NULL);
+
+    assert_null(filter_as_json(filter));
+
+    w_journal_filter_free(filter);
+}
+
+void test_filter_as_json_one_unit(void ** state) {
+
+    w_journal_filter_t * filter = NULL;
+
+    assert_int_equal(0, w_journal_filter_add_condition(&filter, "test field", VALID_PCRE2_REGEX, false));
+
+    will_return(__wrap_cJSON_CreateArray, (cJSON *) 0x1);
+
+    // start: unit filter as json
+    will_return(__wrap_cJSON_CreateObject, (void *) 0x1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test field");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "expression");
+    expect_string(__wrap_cJSON_AddStringToObject, string, VALID_PCRE2_REGEX);
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_AddBoolToObject, (cJSON *) 1);
+    // end: unit filter as json
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    assert_non_null(filter_as_json(filter));
+
+    w_journal_filter_free(filter);
+}
+
+/* w_journal_add_filter_to_list */
+void test_w_journal_add_filter_to_list_null_params(void ** state) {
+
+    w_journal_filters_list_t list = NULL;
+    w_journal_filter_t filter;
+    assert_false(w_journal_add_filter_to_list(&list, NULL));
+    assert_false(w_journal_add_filter_to_list(NULL, &filter));
+}
+
+void test_w_journal_add_filter_to_list_new_list(void ** state) {
+
+    w_journal_filters_list_t list = NULL;
+    w_journal_filter_t filter = {0};
+
+    assert_true(w_journal_add_filter_to_list(&list, &filter));
+
+    assert_non_null(list);
+    assert_non_null(list[0]);
+    assert_ptr_equal(list[0], &filter);
+    assert_null(list[1]);
+
+    os_free(list);
+}
+
+void test_w_journal_add_filter_to_list_exist_list(void ** state) {
+
+    w_journal_filters_list_t list = NULL;
+    w_journal_filter_t filter = {0};
+
+    assert_true(w_journal_add_filter_to_list(&list, &filter));
+
+    assert_non_null(list);
+    assert_non_null(list[0]);
+    assert_ptr_equal(list[0], &filter);
+    assert_null(list[1]);
+
+    // Add second item
+    w_journal_filter_t filter2 = {0};
+    assert_true(w_journal_add_filter_to_list(&list, &filter2));
+
+    assert_non_null(list[0]);
+    assert_ptr_equal(list[0], &filter);
+    assert_non_null(list[1]);
+    assert_ptr_equal(list[1], &filter2);
+    assert_null(list[2]);
+
+    os_free(list);
+}
+
+// Test w_journal_filter_list_as_json
+void test_w_journal_filter_list_as_json_null_params(void ** state) { assert_null(w_journal_filter_list_as_json(NULL)); }
+
+void test_w_journal_filter_list_as_json_fail_array(void ** state) {
+
+    w_journal_filters_list_t list = NULL;
+
+    // Prepare the filter
+    w_journal_filter_t * filter = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&filter, "test field", VALID_PCRE2_REGEX, false));
+    // Add filter to the list
+    assert_true(w_journal_add_filter_to_list(&list, filter));
+
+    // Print the list
+    // start: Print as json
+    will_return(__wrap_cJSON_CreateArray, (cJSON *) NULL);
+    assert_null(w_journal_filter_list_as_json(list));
+
+    w_journal_filters_list_free(list); // Test w_journal_filters_list_free
+}
+
+void test_w_journal_filter_list_as_json_success(void ** state) {
+
+    w_journal_filters_list_t list = NULL;
+
+    // Prepare the filter
+    w_journal_filter_t * filter = NULL;
+    assert_int_equal(0, w_journal_filter_add_condition(&filter, "test field", VALID_PCRE2_REGEX, false));
+    // Add filter to the list
+    assert_true(w_journal_add_filter_to_list(&list, filter));
+
+    // Print the list
+
+    // start: Print as json
+    will_return(__wrap_cJSON_CreateArray, (cJSON *) 0x1);
+
+    // - filter_as_json
+    will_return(__wrap_cJSON_CreateArray, (cJSON *) 0x1);
+    // - - unit_filter_as_json
+    will_return(__wrap_cJSON_CreateObject, (void *) 0x1);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "field");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test field");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "expression");
+    expect_string(__wrap_cJSON_AddStringToObject, string, VALID_PCRE2_REGEX);
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 1);
+    will_return(__wrap_cJSON_AddBoolToObject, (cJSON *) 1);
+    // - end: filter_as_json
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    assert_non_null(w_journal_filter_list_as_json(list));
+
+    w_journal_filters_list_free(list); // Test w_journal_filters_list_free
+}
+
+// ------------------------------------------------
+/* journald_add_condition_to_filter */
+void test_journald_add_condition_to_filter_invalid_params(void ** state) {
+
+    assert_false(journald_add_condition_to_filter(NULL, NULL));
+    assert_false(journald_add_condition_to_filter(NULL, (w_journal_filter_t **) 0x1));
+    assert_false(journald_add_condition_to_filter((xml_node *) 0x1, NULL));
+}
+
+void test_journald_add_condition_to_filter_non_field(void ** state) {
+
+    xml_node node = {0};
+    char * node_content = "regex xml content";
+    node.content = node_content;
+
+    w_journal_filter_t * filter = NULL;
+
+    // Null field
+    will_return(__wrap_w_get_attr_val_by_name, NULL);
+    expect_string(__wrap__mwarn, formatted_msg, "(8019): The field for the journal filter cannot be empty.");
+
+    assert_false(journald_add_condition_to_filter(&node, &filter));
+}
+
+void test_journald_add_condition_to_filter_empty_field(void ** state) {
+
+    xml_node node = {0};
+    char * node_content = "regex xml content";
+    node.content = node_content;
+
+    w_journal_filter_t * filter = NULL;
+
+    // Null field
+    will_return(__wrap_w_get_attr_val_by_name, "");
+    expect_string(__wrap__mwarn, formatted_msg, "(8019): The field for the journal filter cannot be empty.");
+
+    assert_false(journald_add_condition_to_filter(&node, &filter));
+}
+
+void test_journald_add_condition_to_filter_empty_regex(void ** state) {
+
+    xml_node node = {0};
+    char * node_content = "";
+    node.content = node_content;
+
+    w_journal_filter_t * filter = NULL;
+
+    // Null field
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    expect_string(__wrap__mwarn, formatted_msg, "(8020): The expression for the journal filter cannot be empty.");
+
+    assert_false(journald_add_condition_to_filter(&node, &filter));
+}
+
+void test_journald_add_condition_to_filter_null_regex(void ** state) {
+
+    xml_node node = {0};
+    node.content = NULL;
+
+    w_journal_filter_t * filter = NULL;
+
+    // Null field
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    expect_string(__wrap__mwarn, formatted_msg, "(8020): The expression for the journal filter cannot be empty.");
+
+    assert_false(journald_add_condition_to_filter(&node, &filter));
+}
+
+void test_journald_add_condition_to_filter_ingore_no(void ** state) {
+
+    xml_node node = {0};
+    node.content = VALID_PCRE2_REGEX;
+
+    w_journal_filter_t * filter = NULL;
+
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    will_return(__wrap_w_get_attr_val_by_name, "no");
+
+    // w_journal_filter_add_condition ok
+    assert_true(journald_add_condition_to_filter(&node, &filter));
+
+    assert_non_null(filter);
+    assert_int_equal(filter->units_size, 1);
+    assert_non_null(filter->units);
+    assert_non_null(filter->units[0]);
+    assert_string_equal(filter->units[0]->exp->pcre2->raw_pattern, VALID_PCRE2_REGEX);
+    assert_string_equal(filter->units[0]->field, "field");
+    assert_false(filter->units[0]->ignore_if_missing);
+    assert_null(filter->units[1]);
+
+    w_journal_filter_free(filter);
+}
+
+void test_journald_add_condition_to_filter_ingore_missing(void ** state) {
+
+    xml_node node = {0};
+    node.content = VALID_PCRE2_REGEX;
+
+    w_journal_filter_t * filter = NULL;
+
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    will_return(__wrap_w_get_attr_val_by_name, NULL);
+
+    // w_journal_filter_add_condition ok
+    assert_true(journald_add_condition_to_filter(&node, &filter));
+
+    assert_non_null(filter);
+    assert_int_equal(filter->units_size, 1);
+    assert_non_null(filter->units);
+    assert_non_null(filter->units[0]);
+    assert_string_equal(filter->units[0]->exp->pcre2->raw_pattern, VALID_PCRE2_REGEX);
+    assert_string_equal(filter->units[0]->field, "field");
+    assert_false(filter->units[0]->ignore_if_missing);
+    assert_null(filter->units[1]);
+
+    w_journal_filter_free(filter);
+}
+
+void test_journald_add_condition_to_filter_ingore_wrong(void ** state) {
+
+    xml_node node = {0};
+    node.content = VALID_PCRE2_REGEX;
+
+    w_journal_filter_t * filter = NULL;
+
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    will_return(__wrap_w_get_attr_val_by_name, "bad attribute");
+    expect_string(__wrap__mwarn,
+                  formatted_msg,
+                  "(8000): Invalid value 'bad attribute' for attribute 'ignore_if_missing' in 'journal' option. "
+                  "Default value will be used.");
+
+    // w_journal_filter_add_condition ok
+    assert_true(journald_add_condition_to_filter(&node, &filter));
+
+    assert_non_null(filter);
+    assert_int_equal(filter->units_size, 1);
+    assert_non_null(filter->units);
+    assert_non_null(filter->units[0]);
+    assert_string_equal(filter->units[0]->exp->pcre2->raw_pattern, VALID_PCRE2_REGEX);
+    assert_string_equal(filter->units[0]->field, "field");
+    assert_false(filter->units[0]->ignore_if_missing);
+    assert_null(filter->units[1]);
+
+    w_journal_filter_free(filter);
+}
+
+void test_journald_add_condition_to_filter_ingore_yes(void ** state) {
+
+    xml_node node = {0};
+    node.content = VALID_PCRE2_REGEX;
+
+    w_journal_filter_t * filter = NULL;
+
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    will_return(__wrap_w_get_attr_val_by_name, "yes");
+
+    // w_journal_filter_add_condition ok
+    assert_true(journald_add_condition_to_filter(&node, &filter));
+
+    assert_non_null(filter);
+    assert_int_equal(filter->units_size, 1);
+    assert_non_null(filter->units);
+    assert_non_null(filter->units[0]);
+    assert_string_equal(filter->units[0]->exp->pcre2->raw_pattern, VALID_PCRE2_REGEX);
+    assert_string_equal(filter->units[0]->field, "field");
+    assert_true(filter->units[0]->ignore_if_missing);
+    assert_null(filter->units[1]);
+
+    w_journal_filter_free(filter);
+}
+
+void test_journald_add_condition_to_filter_fail_regex(void ** state) {
+
+    xml_node node = {0};
+    node.content = INVALID_PCRE2_REGEX;
+
+    w_journal_filter_t * filter = NULL;
+
+    will_return(__wrap_w_get_attr_val_by_name, "field");
+    will_return(__wrap_w_get_attr_val_by_name, "no");
+
+    expect_string(
+        __wrap__mwarn,
+        formatted_msg,
+        "(8021): Error compiling the PCRE2 expression 'invalid regex [a \\w+{-1' for field 'field' in journal filter.");
+    // w_journal_filter_add_condition fail
+    assert_false(journald_add_condition_to_filter(&node, &filter));
+}
+
+/* w_multiline_log_config_free */
+void test_w_multiline_log_config_free_null(void **state)
+{
+    w_multiline_log_config_free(NULL);
+
+    w_multiline_config_t *config = NULL;
+    w_multiline_log_config_free(&config);
+}
+
+void test_w_multiline_log_config_free_success(void ** state) {
+    w_multiline_config_t * config = NULL;
+    os_calloc(1, sizeof(w_multiline_config_t), config);
+
+    // Set a valid config
+
+    // Regex config
+    w_calloc_expression_t(&config->regex, EXP_TYPE_PCRE2);
+    assert_true(w_expression_compile(config->regex, "valid regex .*", 0));
+
+    // collector config
+    config->match_type = ML_MATCH_START;
+    config->replace_type = ML_REPLACE_NO_REPLACE;
+    config->timeout = 10;
+
+    // Simulate non-empty ctxt
+    os_calloc(1, sizeof(w_multiline_ctxt_t), config->ctxt);
+    os_calloc(100, sizeof(char), config->ctxt->buffer);
+
+    w_multiline_log_config_free(&config);
+    assert_null(config);
+}
+
+// Test w_multiline_log_config_clone
+void test_w_multiline_log_config_clone_null(void ** state) {
+    assert_null(w_multiline_log_config_clone(NULL));
+}
+
+void test_w_multiline_log_config_clone_success(void ** state) {
+
+
+    w_multiline_config_t * config = NULL;
+    os_calloc(1, sizeof(w_multiline_config_t), config);
+
+    // Set a valid config
+    w_calloc_expression_t(&config->regex, EXP_TYPE_PCRE2);
+    assert_true(w_expression_compile(config->regex, "valid regex .*", 0));
+
+    // collector config
+    config->match_type = ML_MATCH_END;
+    config->replace_type = ML_REPLACE_NONE;
+    config->timeout = 10;
+
+    // Simulate non-empty ctxt
+    os_calloc(1, sizeof(w_multiline_ctxt_t), config->ctxt);
+    os_calloc(100, sizeof(char), config->ctxt->buffer);
+
+
+    // Test clone
+    w_multiline_config_t * cloned_config = w_multiline_log_config_clone(config);
+    w_multiline_log_config_free(&config);
+
+    // Checks
+    assert_non_null(cloned_config);
+    assert_non_null(cloned_config->regex);
+    assert_string_equal(w_expression_get_regex_pattern(cloned_config->regex), "valid regex .*");
+
+    assert_int_equal(cloned_config->match_type, ML_MATCH_END);
+    assert_int_equal(cloned_config->replace_type, ML_REPLACE_NONE);
+    assert_int_equal(cloned_config->timeout, 10);
+
+    assert_null(cloned_config->ctxt); // Should be a empty context
+
+    w_multiline_log_config_free(&cloned_config);
+
+}
+
+/* main */
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // Tests replace_char
+        cmocka_unit_test(test_multiline_attr_match_str_start),
+        cmocka_unit_test(test_multiline_attr_match_str_all),
+        cmocka_unit_test(test_multiline_attr_match_str_end),
+        // Tests multiline_attr_replace_str
+        cmocka_unit_test(test_multiline_attr_replace_str_no_replace),
+        cmocka_unit_test(test_multiline_attr_replace_str_none),
+        cmocka_unit_test(test_multiline_attr_replace_str_ws),
+        cmocka_unit_test(test_multiline_attr_replace_str_tab),
+        // Tests w_get_attr_timeout
+        cmocka_unit_test(test_w_get_attr_timeout_missing),
+        cmocka_unit_test(test_w_get_attr_timeout_empty),
+        cmocka_unit_test(test_w_get_attr_timeout_zero),
+        cmocka_unit_test(test_w_get_attr_timeout_not_number),
+        cmocka_unit_test(test_w_get_attr_timeout_mixed),
+        cmocka_unit_test(test_w_get_attr_timeout_out_range),
+        cmocka_unit_test(test_w_get_attr_timeout_out_ok),
+        // Tests w_get_attr_replace
+        cmocka_unit_test(test_w_get_attr_replace_missing),
+        cmocka_unit_test(test_w_get_attr_replace_no_replace),
+        cmocka_unit_test(test_w_get_attr_replace_ws),
+        cmocka_unit_test(test_w_get_attr_replace_tab),
+        cmocka_unit_test(test_w_get_attr_replace_none),
+        cmocka_unit_test(test_w_get_attr_replace_invalid),
+        // Tests w_get_attr_match
+        cmocka_unit_test(test_w_get_attr_match_missing),
+        cmocka_unit_test(test_w_get_attr_match_start),
+        cmocka_unit_test(test_w_get_attr_match_all),
+        cmocka_unit_test(test_w_get_attr_match_end),
+        cmocka_unit_test(test_w_get_attr_match_invalid),
+        // Tests w_logcollector_get_macos_log_type
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_NULL),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_empty),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_ignore_values),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_activity),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_log),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_trace),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_trace_activity),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_trace_log_activity),
+        cmocka_unit_test(test_w_logcollector_get_macos_log_type_content_log_multiword_invalid),
+        // Test init_w_journal_log_config_t
+        cmocka_unit_test(test_init_w_journal_log_config_t_fail),
+        cmocka_unit_test(test_init_w_journal_log_config_t_ok),
+        // Test w_journal_log_config_free
+        cmocka_unit_test(test_w_journal_log_config_free_null),
+        cmocka_unit_test(test_w_journal_log_config_free_ok),
+        // Test free_unit_filter
+        cmocka_unit_test(test_free_unit_filter_null),
+        cmocka_unit_test(test_free_unit_filter_ok),
+        // Test create_unit_filter
+        cmocka_unit_test(test_create_unit_filter_null_param),
+        cmocka_unit_test(test_create_unit_filter_inv_expresion),
+        cmocka_unit_test(test_create_unit_filter_ok),
+        // Test unit_filter_as_json
+        cmocka_unit_test(test_unit_filter_as_json_null_params),
+        cmocka_unit_test(test_unit_filter_as_json_ok),
+        // Test w_journal_filter_add_condition
+        cmocka_unit_test(test_w_journal_filter_add_condition_null_params),
+        cmocka_unit_test(test_w_journal_filter_add_condition_bad_exp),
+        cmocka_unit_test(test_w_journal_filter_add_condition_ok_first_cond),
+        cmocka_unit_test(test_w_journal_filter_add_condition_ok_other_cond),
+        // Test w_journal_filter_add_condition w_journal_filter_free
+        cmocka_unit_test(test_w_journal_filter_free_null),
+        // Test filter_as_json
+        cmocka_unit_test(test_filter_as_json_null_params),
+        cmocka_unit_test(test_filter_as_json_fail_array),
+        cmocka_unit_test(test_filter_as_json_one_unit),
+        // Test w_journal_add_filter_to_list
+        cmocka_unit_test(test_w_journal_add_filter_to_list_null_params),
+        cmocka_unit_test(test_w_journal_add_filter_to_list_new_list),
+        cmocka_unit_test(test_w_journal_add_filter_to_list_exist_list),
+        // Test w_journal_filter_list_as_json
+        cmocka_unit_test(test_w_journal_filter_list_as_json_null_params),
+        cmocka_unit_test(test_w_journal_filter_list_as_json_fail_array),
+        cmocka_unit_test(test_w_journal_filter_list_as_json_success),
+        // Test journald_add_condition_to_filter
+        cmocka_unit_test(test_journald_add_condition_to_filter_invalid_params),
+        cmocka_unit_test(test_journald_add_condition_to_filter_non_field),
+        cmocka_unit_test(test_journald_add_condition_to_filter_empty_field),
+        cmocka_unit_test(test_journald_add_condition_to_filter_empty_regex),
+        cmocka_unit_test(test_journald_add_condition_to_filter_null_regex),
+        cmocka_unit_test(test_journald_add_condition_to_filter_ingore_no),
+        cmocka_unit_test(test_journald_add_condition_to_filter_ingore_missing),
+        cmocka_unit_test(test_journald_add_condition_to_filter_ingore_wrong),
+        cmocka_unit_test(test_journald_add_condition_to_filter_ingore_yes),
+        cmocka_unit_test(test_journald_add_condition_to_filter_fail_regex),
+        // Test w_multiline_log_config_free
+        cmocka_unit_test(test_w_multiline_log_config_free_null),
+        cmocka_unit_test(test_w_multiline_log_config_free_success),
+        // Test w_multiline_log_config_clone
+        cmocka_unit_test(test_w_multiline_log_config_clone_null),
+        cmocka_unit_test(test_w_multiline_log_config_clone_success),
+
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+    //return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_logcollector.c b/src/modules/logcollector/tests/unit/tests/test_logcollector.c
new file mode 100644
index 0000000000..b0de0c0868
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_logcollector.c
@@ -0,0 +1,2786 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../../headers/shared.h"
+#include "../../logcollector/logcollector.h"
+#include <math.h>
+#include <pthread.h>
+#include "../../os_crypto/sha1/sha1_op.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/wazuh/os_crypto/sha1_op_wrappers.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+#include "../wrappers/posix/signal_wrappers.h"
+
+
+extern OSHash *files_status;
+
+bool w_get_hash_context(logreader *lf, EVP_MD_CTX **context, int64_t position);
+ssize_t w_set_to_pos(logreader *lf, long pos, int mode);
+char * w_save_files_status_to_cJSON();
+void w_save_file_status();
+void w_load_files_status(cJSON *global_json);
+void w_initialize_file_status();
+int w_update_hash_node(char * path, int64_t pos);
+int w_set_to_last_line_read(logreader *lf);
+void free_files_status_data(os_file_status_t *data);
+
+// Auxiliar structs
+typedef struct test_logcollector_s {
+    logreader *log_reader;
+    EVP_MD_CTX *context;
+    os_file_status_t *status;
+    OSHashNode *node;
+} test_logcollector_t;
+
+extern w_macos_log_vault_t macos_log_vault;
+extern w_macos_log_procceses_t * macos_processes;
+static wfd_t * stream_backup;
+static wfd_t * show_backup;
+
+// Aux functions
+void set_gs_journald_ofe(bool exist, bool ofe, uint64_t timestamp);
+
+/* setup/teardown */
+
+static int setup_group(void **state) {
+    test_mode = 1;
+    macos_log_vault.is_valid_data = true;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+void free_os_file_status_t_struct(os_file_status_t *data) {
+    EVP_MD_CTX_free(data->context);
+    os_free(data);
+}
+
+static int setup_local_hashmap(void **state) {
+    if (setup_hashmap(state) != 0) {
+        return 1;
+    }
+    __real_OSHash_SetFreeDataPointer(mock_hashmap, (void (*)(void *))free_os_file_status_t_struct);
+    files_status = mock_hashmap;
+    return 0;
+}
+
+static int teardown_local_hashmap(void **state) {
+    if (teardown_hashmap(state) != 0) {
+        return 1;
+    }
+    return 0;
+}
+
+static int setup_log_context(void **state) {
+    if (setup_local_hashmap(state) != 0) {
+        return 1;
+    }
+
+    test_logcollector_t *test_struct = calloc(1, sizeof(test_logcollector_t));
+    if (test_struct == NULL) {
+        return 1;
+    }
+
+    test_struct->log_reader = calloc(1, sizeof(logreader));
+    test_struct->context = EVP_MD_CTX_new();
+    test_struct->status = calloc(1, sizeof(os_file_status_t));
+    test_struct->node = calloc(1, sizeof(OSHashNode));
+
+    if (test_struct->log_reader == NULL || test_struct->context == NULL || test_struct->status == NULL ||
+        test_struct->node == NULL) {
+        return 1;
+    }
+
+    test_struct->log_reader->fp = (FILE *) 1;
+    *state = test_struct;
+    return 0;
+}
+
+static int teardown_log_context(void **state) {
+    if (teardown_local_hashmap(state) != 0) {
+        return 1;
+    }
+    test_logcollector_t * test_struct = *state;
+
+    expect_any(__wrap_fclose, _File);
+    will_return_always(__wrap_fclose, 0);
+    Free_Logreader(test_struct->log_reader);
+
+    free(test_struct->log_reader);
+    EVP_MD_CTX_free(test_struct->context);
+    free(test_struct->status);
+    free(test_struct->node);
+    free(test_struct);
+
+    return 0;
+}
+
+static int setup_process(void **state) {
+    w_macos_log_procceses_t * local_macos_processes = calloc(1, sizeof(w_macos_log_procceses_t));
+    os_calloc(1, sizeof(wfd_t), local_macos_processes->show.wfd);
+    os_calloc(1, sizeof(wfd_t), local_macos_processes->stream.wfd);
+    stream_backup = local_macos_processes->stream.wfd;
+    show_backup = local_macos_processes->show.wfd;
+    *state = local_macos_processes;
+
+    return 0;
+}
+
+static int teardown_process(void **state) {
+    w_macos_log_procceses_t * local_macos_processes = *state;
+
+    os_free(stream_backup);
+    os_free(show_backup);
+    os_free(local_macos_processes);
+
+    return 0;
+}
+
+static int setup_regex(void **state) {
+    logreader *regex_config = calloc(1, sizeof(logreader));
+    regex_config->regex_ignore = NULL;
+    regex_config->regex_restrict = NULL;
+
+    regex_config->regex_ignore = OSList_Create();
+    if (regex_config->regex_ignore == NULL) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        return -1;
+    }
+    OSList_SetFreeDataPointer(regex_config->regex_ignore, (void (*)(void *))w_free_expression);
+
+    regex_config->regex_restrict = OSList_Create();
+    if (regex_config->regex_restrict == NULL) {
+        merror(MEM_ERROR, errno, strerror(errno));
+        return -1;
+    }
+    OSList_SetFreeDataPointer(regex_config->regex_restrict, (void (*)(void *))w_free_expression);
+
+    *state = regex_config;
+
+    return 0;
+}
+
+static int teardown_regex(void **state) {
+    logreader *regex_config = *state;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    if (regex_config->regex_ignore) {
+        OSList_Destroy(regex_config->regex_ignore);
+        regex_config->regex_ignore = NULL;
+    }
+    if (regex_config->regex_restrict) {
+        OSList_Destroy(regex_config->regex_restrict);
+        regex_config->regex_restrict = NULL;
+    }
+
+    os_free(regex_config);
+
+    return 0;
+}
+
+/* wraps */
+
+/* tests */
+
+/* w_get_hash_context */
+
+void test_w_get_hash_context_NULL_file_exist(void ** state) {
+    EVP_MD_CTX *context = NULL;
+    int64_t position = 10;
+    test_logcollector_t *test_struct = *state;
+
+    logreader *lf = test_struct->log_reader;
+
+    lf->file = strdup("/test_path");
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, lf->file);
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fname, lf->file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, mode, OS_BINARY);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, nbytes, position);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fd_check, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, 0);
+
+    bool ret = w_get_hash_context(lf, &context, position);
+
+    assert_true(ret);
+}
+
+void test_w_get_hash_context_NULL_file_not_exist(void ** state) {
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+    int64_t position = 10;
+    test_logcollector_t *test_struct = *state;
+    logreader *lf = test_struct->log_reader;
+
+    lf->file = strdup("/test_path");
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, lf->file);
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fname, lf->file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, mode, OS_BINARY);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, nbytes, position);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fd_check, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, -1);
+
+    bool ret = w_get_hash_context (lf, &context, position);
+    EVP_MD_CTX_free(context);
+    assert_false(ret);
+}
+
+void test_w_get_hash_context_done(void ** state) {
+    int64_t position = 10;
+    test_logcollector_t *test_struct = *state;
+
+    logreader *lf = test_struct->log_reader;
+    EVP_MD_CTX *context = test_struct->context;
+    os_file_status_t *data = test_struct->status;
+
+    lf->file = strdup("/test_path");
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, lf->file);
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fname, lf->file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, mode, OS_BINARY);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, nbytes, position);
+    expect_value(__wrap_OS_SHA1_File_Nbytes_with_fp_check, fd_check, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes_with_fp_check, -1);
+
+    bool ret = w_get_hash_context (lf, &context, position);
+
+    assert_false(ret);
+}
+
+/* w_update_file_status */
+void test_w_update_file_status_fail_update_add_table_hash(void ** state) {
+    char * path = "test/test.log";
+    long pos = 0;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+
+    expect_value(__wrap_OS_SHA1_Stream, buf, NULL);
+    will_return(__wrap_OS_SHA1_Stream, "a7a899f25aeda32989d1029839ef2e594835c211");
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    OSHash_Add_ex_check_data = 0;
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, path);
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    int retval = w_update_file_status(path, pos, context);
+
+    assert_int_equal(retval,-1);
+}
+
+void test_w_update_file_status_update_fail_add_OK(void ** state) {
+
+    char * path = "test/test.log";
+    long pos = 0;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+
+    expect_value(__wrap_OS_SHA1_Stream, buf, NULL);
+    will_return(__wrap_OS_SHA1_Stream, "a7a899f25aeda32989d1029839ef2e594835c211");
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    OSHash_Add_ex_check_data = 0;
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, path);
+    will_return(__wrap_OSHash_Add_ex, 2);
+
+    int retval = w_update_file_status(path, pos, context);
+
+    assert_int_equal(retval,0);
+
+}
+
+void test_w_update_file_status_update_OK(void ** state) {
+    char * path = "test/test.log";
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+    data->context = EVP_MD_CTX_new();
+
+    __real_OSHash_Add_ex(mock_hashmap, path, data);
+
+    long pos = 0;
+    EVP_MD_CTX *context = EVP_MD_CTX_new();
+
+    expect_value(__wrap_OS_SHA1_Stream, buf, NULL);
+    will_return(__wrap_OS_SHA1_Stream, "a7a899f25aeda32989d1029839ef2e594835c211");
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    int retval = w_update_file_status(path, pos, context);
+
+    assert_int_equal(retval,0);;
+}
+
+/* w_set_to_pos */
+
+void test_w_set_to_pos_localfile_NULL(void ** state) {
+    logreader *lf = NULL;
+    long pos = 0;
+    int mode = OS_BINARY;
+
+    int retval = w_set_to_pos(lf, pos, mode);
+
+    assert_int_equal(retval, -1);
+
+}
+
+void test_w_set_to_pos_fseek_error(void ** state) {
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    lf->fp = (FILE*)1;
+    os_strdup("test", lf->file);
+    long pos = 0;
+    int mode = OS_BINARY;
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1116): Could not set position in file 'test' due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    int retval = w_set_to_pos(lf, pos, mode);
+
+    assert_int_equal(retval, -1);
+
+    os_free(lf->file);
+    os_free(lf->fp);
+    os_free(lf);
+}
+
+void test_w_set_to_pos_OK(void ** state) {
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    lf->fp = (FILE*)1;
+    os_strdup("test", lf->file);
+    long pos = 0;
+    int mode = OS_BINARY;
+    fpos_t position_stack = {.__pos = 1};
+    test_position = &position_stack;
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    expect_value(__wrap_w_ftell, x, 1);
+    will_return(__wrap_w_ftell, 1);
+
+    ssize_t retval = w_set_to_pos(lf, pos, mode);
+
+    assert_int_equal(retval, 1);
+
+    os_free(lf->file);
+    os_free(lf);
+}
+
+/* w_save_files_status_to_cJSON */
+
+void test_w_save_files_status_to_cJSON_begin_NULL(void ** state) {
+    OSHashNode *hash_node = NULL;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    char * ret = w_save_files_status_to_cJSON();
+    assert_null(ret);
+}
+
+void test_w_save_files_status_to_cJSON_OK(void ** state) {
+    test_logcollector_t *test_data = *state;
+
+    os_file_status_t * data = test_data->status;
+    OSHashNode *hash_node = test_data->node;
+
+    strcpy(data->hash,"test1234");
+    data->offset = 5;
+
+    hash_node->key = "test";
+    hash_node->data = data;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddArrayToObject, name, "files");
+    will_return(__wrap_cJSON_AddArrayToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "path");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "hash");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test1234");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "offset");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "5");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_value(__wrap_OSHash_Next, self, files_status);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_PrintUnformatted, "test_1234");
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    char * ret = w_save_files_status_to_cJSON();
+
+    assert_string_equal(ret, "test_1234");
+}
+
+void test_w_save_files_status_to_cJSON_macos_invalid_vault(void ** state) {
+    test_mode = 1;
+
+    OSHashNode *hash_node = NULL;
+
+    strcpy(macos_log_vault.timestamp,"any timestamp");
+    macos_log_vault.settings = "my settings";
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    char * ret = w_save_files_status_to_cJSON();
+    assert_null(ret);
+
+}
+
+void test_w_save_files_status_to_cJSON_macos_valid_vault(void ** state) {
+    test_mode = 1;
+
+    OSHashNode *hash_node = NULL;
+    w_macos_log_procceses_t * bak_macos_processes = macos_processes;
+    macos_processes = (w_macos_log_procceses_t *) 1;
+
+    strcpy(macos_log_vault.timestamp,"2021-04-27 08:07:20-0700");
+    macos_log_vault.settings = "/usr/bin/log stream --style syslog";
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_CreateString, string, "2021-04-27 08:07:20-0700");
+    will_return(__wrap_cJSON_CreateString, (cJSON *) 1);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    expect_string(__wrap_cJSON_CreateString, string, "/usr/bin/log stream --style syslog");
+    will_return(__wrap_cJSON_CreateString, (cJSON *) 1);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    will_return(__wrap_cJSON_PrintUnformatted, "test_1234");
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    char * ret = w_save_files_status_to_cJSON();
+
+    assert_string_equal(ret, "test_1234");
+    macos_processes = bak_macos_processes;
+
+}
+
+void test_w_save_files_status_to_cJSON_journal_valid(void ** state) {
+    test_mode = 1;
+
+    OSHashNode * hash_node = NULL;
+
+    strcpy(macos_log_vault.timestamp, "any timestamp");
+    macos_log_vault.settings = "my settings";
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // Set journald
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "timestamp");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "123456");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *) 2);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 3);
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    will_return(__wrap_cJSON_PrintUnformatted, "test_1234");
+    expect_function_call(__wrap_cJSON_Delete);
+
+    set_gs_journald_ofe(true, false, 123456);
+
+    assert_non_null(w_save_files_status_to_cJSON());
+
+    set_gs_journald_ofe(false, true, 0);
+}
+
+void test_w_save_files_status_invalid_vault(void ** state) {
+
+    test_mode = 1;
+    bool back_valid_json = macos_log_vault.is_valid_data;
+    macos_log_vault.is_valid_data = false;
+
+    OSHashNode *hash_node = NULL;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    char * ret = w_save_files_status_to_cJSON();
+    assert_null(ret);
+    assert_false(macos_log_vault.is_valid_data);
+    macos_log_vault.is_valid_data = back_valid_json;
+
+}
+
+void test_w_save_files_status_to_cJSON_data(void ** state) {
+    test_mode = 1;
+
+    w_macos_log_procceses_t * bak_macos_processes = macos_processes;
+    macos_processes = (w_macos_log_procceses_t *) 1;
+    os_file_status_t * data;
+    os_calloc(1, sizeof(os_file_status_t), data);
+    strcpy(data->hash,"test1234");
+    data->offset = 5;
+
+    OSHashNode *hash_node = NULL;
+    os_calloc(1, sizeof(OSHashNode), hash_node);
+    hash_node->key = "test";
+    hash_node->data = data;
+
+    strcpy(macos_log_vault.timestamp,"2021-04-27 08:07:20-0700");
+    macos_log_vault.settings = "/usr/bin/log stream --style syslog";
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddArrayToObject, name, "files");
+    will_return(__wrap_cJSON_AddArrayToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "path");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "hash");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test1234");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "offset");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "5");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_value(__wrap_OSHash_Next, self, files_status);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_CreateString, string, "2021-04-27 08:07:20-0700");
+    will_return(__wrap_cJSON_CreateString, (cJSON *) 1);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    expect_string(__wrap_cJSON_CreateString, string, "/usr/bin/log stream --style syslog");
+    will_return(__wrap_cJSON_CreateString, (cJSON *) 1);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_cJSON_AddItemToObject, true);
+
+    will_return(__wrap_cJSON_PrintUnformatted, "test_1234");
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    char * ret = w_save_files_status_to_cJSON();
+
+    assert_string_equal(ret, "test_1234");
+    macos_processes = bak_macos_processes;
+    os_free(data);
+    os_free(hash_node);
+
+}
+
+/* w_save_file_status */
+
+void test_w_save_file_status_str_NULL(void ** state) {
+    OSHashNode *hash_node = NULL;
+    strcpy(macos_log_vault.timestamp,"any timestamp");
+    macos_log_vault.settings = "my settings";
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    w_save_file_status();
+
+}
+
+
+void test_w_save_file_status_wfopen_error(void ** state) {
+    test_logcollector_t *test_data = *state;
+
+    os_file_status_t * data = test_data->status;
+    OSHashNode *hash_node = test_data->node;
+
+    strcpy(data->hash,"test1234");
+    data->offset = 5;
+
+    hash_node->key = "test";
+    hash_node->data = data;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddArrayToObject, name, "files");
+    will_return(__wrap_cJSON_AddArrayToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "path");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "hash");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test1234");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "offset");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "5");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_value(__wrap_OSHash_Next, self, files_status);
+    will_return(__wrap_OSHash_Next, NULL);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_PrintUnformatted, "test_1234");
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, "queue/logcollector/file_status.json");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 0);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1103): Could not open file 'queue/logcollector/file_status.json' due to [(0)-(Success)].");
+    expect_assert_failure(w_save_file_status());
+}
+
+void test_w_save_file_status_fwrite_error(void ** state) {
+    test_logcollector_t *test_data = *state;
+
+    os_file_status_t * data = test_data->status;
+    OSHashNode *hash_node = test_data->node;
+
+    strcpy(data->hash,"test1234");
+    data->offset = 5;
+
+    hash_node->key = "test";
+    hash_node->data = data;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddArrayToObject, name, "files");
+    will_return(__wrap_cJSON_AddArrayToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "path");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "hash");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test1234");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "offset");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "5");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_value(__wrap_OSHash_Next, self, files_status);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_PrintUnformatted, strdup("test_1234"));
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, "queue/logcollector/file_status.json");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, "test");
+
+    will_return(__wrap_fwrite, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1110): Could not write file 'queue/logcollector/file_status.json' due to [(0)-(Success)].");
+
+    expect_function_call(__wrap_clearerr);
+    expect_string(__wrap_clearerr, __stream, "test");
+
+    expect_value(__wrap_fclose, _File, "test");
+    will_return(__wrap_fclose, 1);
+
+    w_save_file_status();
+}
+
+void test_w_save_file_status_OK(void ** state) {
+    test_logcollector_t *test_data = *state;
+
+    os_file_status_t * data = test_data->status;
+    OSHashNode *hash_node = test_data->node;
+
+    strcpy(data->hash,"test1234");
+    data->offset = 5;
+
+    hash_node->key = "test";
+    hash_node->data = data;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    expect_value(__wrap_OSHash_Begin, self, files_status);
+    will_return(__wrap_OSHash_Begin, hash_node);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddArrayToObject, name, "files");
+    will_return(__wrap_cJSON_AddArrayToObject, (cJSON *) 1);
+
+    will_return(__wrap_cJSON_CreateObject, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "path");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "hash");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "test1234");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "offset");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "5");
+    will_return(__wrap_cJSON_AddStringToObject, (cJSON *)1);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+    will_return(__wrap_cJSON_AddItemToArray, true);
+
+    expect_value(__wrap_OSHash_Next, self, files_status);
+    will_return(__wrap_OSHash_Next, NULL);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_cJSON_PrintUnformatted, strdup("test_1234"));
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, "queue/logcollector/file_status.json");
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, "test");
+
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, "test");
+    will_return(__wrap_fclose, 1);
+
+    w_save_file_status();
+}
+
+/* w_load_files_status */
+
+void test_w_load_files_status_empty_array(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+    // >> w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    
+        // >> w_journald_set_status_from_JSON// << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_path_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_path_str_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_no_file(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, -1);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_hash_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_hash_str_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_offset_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_offset_str_NULL(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+
+void test_w_load_files_status_invalid_offset(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "-1");
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_update_add_fail(void ** state) {
+    char * file = "test";
+
+    cJSON *global_json = (cJSON*)1;
+
+    int mode = OS_BINARY;
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "32bb98743e298dee0a654a654765c765d765ae80");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, file);
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1298): Failure to add 'test' to 'file_status' hash table");
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+
+void test_w_load_files_status_update_hash_fail (void ** state) {
+    char * file = "test";
+
+    cJSON *global_json = (cJSON*)1;
+
+    int mode = OS_BINARY;
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "32bb98743e298dee0a654a654765c765d765ae80");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, -1);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "(9000): File 'test' no longer exists.");
+
+    w_load_files_status(global_json);
+}
+
+void test_w_load_files_status_update_fail(void ** state) {
+    char * file = "test";
+
+    cJSON *global_json = (cJSON*)1;
+
+    int mode = OS_BINARY;
+    struct stat stat_buf = { .st_mode = 0040000 };
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "32bb98743e298dee0a654a654765c765d765ae80");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, file);
+    will_return(__wrap_OSHash_Add_ex, 2);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_OK(void ** state) {
+    char * file = "test";
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+    data->context = EVP_MD_CTX_new();
+
+    __real_OSHash_Add_ex(mock_hashmap, file, data);
+    cJSON *global_json = (cJSON*)1;
+
+    int mode = OS_BINARY;
+    struct stat stat_buf = { .st_mode = 0040000 };
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "32bb98743e298dee0a654a654765c765d765ae80");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+}
+
+void test_w_load_files_status_valid_timestamp_only(void ** state) {
+    test_mode = 1;
+
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "2021-04-27 08:07:20-0700");
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+    assert_string_equal(macos_log_vault.settings, "my settings");
+    assert_string_equal(macos_log_vault.timestamp, "hi 123");
+}
+
+void test_w_load_files_status_valid_settings_only(void ** state) {
+    test_mode = 1;
+
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "/usr/bin/log stream --style syslog");
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+
+    assert_string_equal(macos_log_vault.settings, "my settings");
+    assert_string_equal(macos_log_vault.timestamp, "hi 123");
+
+}
+
+void test_w_load_files_status_valid_vault(void ** state) {
+    test_mode = 1;
+
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    os_strdup("my settings", macos_log_vault.settings);
+    macos_log_vault.is_valid_data = false;
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "2021-04-27 08:07:20-0700");
+
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "/usr/bin/log stream --style syslog");
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // << w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // >> w_journald_set_status_from_JSON
+    
+    w_load_files_status(global_json);
+
+    assert_string_equal(macos_log_vault.timestamp, "2021-04-27 08:07:20-0700");
+    assert_string_equal(macos_log_vault.settings, "/usr/bin/log stream --style syslog");
+    assert_true(macos_log_vault.is_valid_data);
+
+    os_free(macos_log_vault.settings);
+}
+
+// Related only to journal
+void test_w_load_files_status_jorunal_no_journal_obj(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+    // >> w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_macos_set_status_from_JSON
+
+    // >> w_journald_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+void test_w_load_files_status_jorunal_no_journal_timestmap(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+    // >> w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_macos_set_status_from_JSON
+
+    // >> w_journald_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, 0x1);
+    will_return(__wrap_cJSON_GetObjectItem, 0x0);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+void test_w_load_files_status_jorunal_invalid_timestamp(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+    // >> w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_macos_set_status_from_JSON
+
+    // >> w_journald_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, "invalid timestamp");
+    // << w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+void test_w_load_files_status_jorunal_success(void ** state) {
+    cJSON *global_json = (cJSON*)1;
+    strcpy(macos_log_vault.timestamp,"hi 123");
+    macos_log_vault.settings = "my settings";
+
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 0);
+    // >> w_macos_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+    // << w_macos_set_status_from_JSON
+
+    // >> w_journald_set_status_from_JSON
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+    will_return(__wrap_cJSON_GetStringValue, "123456");
+    expect_string(__wrap__mdebug2, formatted_msg, "(9009): Setting last read timestamp to '123456'");
+    // << w_journald_set_status_from_JSON
+
+    w_load_files_status(global_json);
+}
+
+/* w_initialize_file_status */
+
+void test_w_initialize_file_status_OSHash_Create_fail(void ** state) {
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1296): Unable to create a 'file_status' hash table");
+
+    expect_assert_failure(w_initialize_file_status());
+}
+
+void test_w_initialize_file_status_OSHash_setSize_fail(void ** state) {
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, 1);
+
+    will_return(__wrap_OSHash_setSize, NULL);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1297): Unable to set size of 'file_status' hash table");
+
+    expect_assert_failure(w_initialize_file_status());
+
+}
+
+void test_w_initialize_file_status_fopen_fail(void ** state) {
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, 1);
+
+    will_return(__wrap_OSHash_setSize, 1);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 1);
+
+    expect_string(__wrap_wfopen, path, LOCALFILE_STATUS);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1103): Could not open file 'queue/logcollector/file_status.json' due to [(0)-(Success)].");
+
+    w_initialize_file_status();
+}
+
+void test_w_initialize_file_status_fread_fail(void ** state) {
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, 1);
+
+    will_return(__wrap_OSHash_setSize, 1);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 1);
+
+    expect_string(__wrap_wfopen, path, LOCALFILE_STATUS);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, "test");
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1115): Could not read from file 'queue/logcollector/file_status.json' due to [(0)-(Success)].");
+
+    expect_function_call(__wrap_clearerr);
+    expect_string(__wrap_clearerr, __stream, "test");
+
+    expect_value(__wrap_fclose, _File, "test");
+    will_return(__wrap_fclose, 1);
+
+    w_initialize_file_status();
+}
+
+void test_w_initialize_file_status_OK(void ** state) {
+    int mode = OS_BINARY;
+    char * file = "test";
+    struct stat stat_buf = { .st_mode = 0040000 };
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+    data->context = EVP_MD_CTX_new();
+
+    __real_OSHash_Add_ex(mock_hashmap, file, data);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, 1);
+
+    will_return(__wrap_OSHash_setSize, 1);
+
+    expect_function_call(__wrap_OSHash_SetFreeDataPointer);
+    will_return(__wrap_OSHash_SetFreeDataPointer, 1);
+
+    expect_string(__wrap_wfopen, path, LOCALFILE_STATUS);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, "test");
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 1);
+
+    //w_load_files_status
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetArraySize, 1);
+
+    will_return(__wrap_cJSON_GetArrayItem, NULL);
+
+    //Path
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "test");
+
+    expect_string(__wrap_stat, __file, file);
+    will_return(__wrap_stat, &stat_buf);
+    will_return(__wrap_stat, 0);
+
+    //Hash
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "32bb98743e298dee0a654a654765c765d765ae80");
+
+    //Offset
+    will_return(__wrap_cJSON_GetObjectItem, 1);
+
+    will_return(__wrap_cJSON_GetStringValue, "1");
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    will_return(__wrap_cJSON_GetObjectItem, NULL);
+
+    will_return(__wrap_cJSON_GetStringValue, NULL);
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_value(__wrap_fclose, _File, "test");
+    will_return(__wrap_fclose, 1);
+
+    w_initialize_file_status();
+}
+
+/* w_update_hash_node */
+
+void test_w_update_hash_node_path_NULL(void ** state) {
+    char * path = NULL;
+
+    int ret = w_update_hash_node(path, 0);
+
+    assert_int_equal(ret, -1);
+
+}
+
+void test_w_update_hash_node_update_fail(void ** state) {
+    int mode = OS_BINARY;
+    char * path = "test";
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, path);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, path);
+    will_return(__wrap_OSHash_Add_ex, 2);
+
+    int ret = w_update_hash_node(path, 0);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_w_update_hash_node_sha_fail(void ** state) {
+    int mode = OS_BINARY;
+
+    char * path = "test";
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, path);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1969): Failure to generate the SHA1 hash from file 'test'");
+
+    int ret = w_update_hash_node(path, 0);
+
+    assert_int_equal(ret, -1);
+
+}
+
+void test_w_update_hash_node_add_fail(void ** state) {
+    int mode = OS_BINARY;
+
+    char * path = "test";
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, path);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, path);
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    int ret = w_update_hash_node(path, 0);
+
+    assert_int_equal(ret, -1);
+
+}
+
+void test_w_update_hash_node_OK(void ** state) {
+    int mode = OS_BINARY;
+    char * path = "test";
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+    data->context = EVP_MD_CTX_new();
+
+    __real_OSHash_Add_ex(mock_hashmap, path, data);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, path);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    int ret = w_update_hash_node(path, 0);
+
+    assert_int_equal(ret, 0);
+}
+
+/*  w_set_to_last_line_read */
+void test_w_set_to_last_line_read_null_reader(void ** state) {
+    logreader lf = {0};
+    int ret = w_set_to_last_line_read(&lf);
+    assert_int_equal(ret, 0);
+
+}
+
+void test_w_set_to_last_line_read_OSHash_Get_ex_fail(void ** state) {
+    fpos_t position_stack = {.__pos = 1};
+    logreader log_reader = {.fp = (FILE *)1, .file = "test"};
+
+    test_position = &position_stack;
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+    os_file_status_t * data;
+    os_malloc(sizeof(os_file_status_t), data);
+    data->context = EVP_MD_CTX_new();
+
+    __real_OSHash_Add_ex(mock_hashmap, log_reader.file, data);
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, NULL);
+
+    //w_set_pos
+    long pos = 0;
+    int mode = OS_BINARY;
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    expect_value(__wrap_w_ftell, x, 1);
+    will_return(__wrap_w_ftell, 1);
+
+    expect_value(__wrap_w_ftell, x, 1);
+    will_return(__wrap_w_ftell, 1);
+
+
+    //w_update_hash_node
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, log_reader.file);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 1);
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, 0);
+}
+
+void test_w_set_to_last_line_read_fstat_fail(void ** state) {
+    os_file_status_t *data = *state;
+
+    logreader log_reader = {.fp = (FILE *)1, .file = "test"};
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, 1);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 0);
+    will_return(__wrap_fstat, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1118): Could not retrieve information of file 'test' due to [(0)-(Success)].");
+
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_w_set_to_last_line_read_OS_SHA1_File_Nbytes_fail(void ** state) {
+    int mode = OS_BINARY;
+
+    os_file_status_t data = {0};
+    fpos_t position_stack = {.__pos = 1};
+    logreader log_reader = {.fp = (FILE *)1, .file= "test"};
+    test_position = &position_stack;
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, &data);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 0);
+    will_return(__wrap_fstat, 1);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 0);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1969): Failure to generate the SHA1 hash from file 'test'");
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_w_set_to_last_line_read_diferent_file(void ** state) {
+    int mode = OS_BINARY;
+    os_file_status_t data = {.hash = "1234", .offset = 1};
+    logreader log_reader = {.fp = (FILE *)1, .file= "test"};
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, &data);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 0);
+    will_return(__wrap_fstat, 1);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "32bb98743e298dee0a654a654765c765d765ae80");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    //w_set_pos
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1116): Could not set position in file 'test' due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_w_set_to_last_line_read_same_file(void ** state) {
+    int mode = OS_BINARY;
+
+    os_file_status_t data = {.hash = "1234", .offset = 1};
+    logreader log_reader = {.fp = (FILE *)1, .file= "test", .diff_max_size = 0};
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, &data);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 1);
+    will_return(__wrap_fstat, 1);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "1234");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    //w_set_pos
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 1);
+    will_return(__wrap_w_fseek, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1116): Could not set position in file 'test' due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_w_set_to_last_line_read_same_file_rotate(void ** state) {
+    int mode = OS_BINARY;
+    logreader log_reader = {.fp = (FILE *)1, .file= "test", .diff_max_size = 0};
+    os_file_status_t data = {.hash = "1234", .offset = 1};
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, &data);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 10);
+    will_return(__wrap_fstat, 1);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "1234");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, -1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1116): Could not set position in file 'test' due to [(0)-(Success)].");
+
+    expect_value(__wrap_fclose, _File, 1);
+    will_return(__wrap_fclose, 1);
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, -1);
+}
+
+void test_w_set_to_last_line_read_update_hash_node_error(void ** state) {
+    int mode = OS_BINARY;
+    logreader log_reader = {.fp = (FILE *)1, .file= "test", .diff_max_size = 0};
+    os_file_status_t data = {.hash = "1234", .offset = 1};
+
+
+    expect_any(__wrap_OSHash_Get_ex, self);
+    expect_string(__wrap_OSHash_Get_ex, key, "test");
+    will_return(__wrap_OSHash_Get_ex, &data);
+
+    expect_value(__wrap_fileno, __stream, log_reader.fp);
+    will_return(__wrap_fileno, 1);
+
+    expect_value(__wrap_fstat, __fd, 1);
+    will_return(__wrap_fstat, 0040000);
+    will_return(__wrap_fstat, 10);
+    will_return(__wrap_fstat, 1);
+
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "1234");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    //w_set_pos
+
+    os_calloc(1, sizeof(fpos_t), test_position);
+    test_position->__pos = 1;
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    expect_value(__wrap_w_ftell, x, 1);
+    will_return(__wrap_w_ftell, 1);
+
+    //w_update_hash_node
+    expect_string(__wrap_OS_SHA1_File_Nbytes, fname, "test");
+    expect_value(__wrap_OS_SHA1_File_Nbytes, mode, mode);
+    expect_value(__wrap_OS_SHA1_File_Nbytes, nbytes, 1);
+    will_return(__wrap_OS_SHA1_File_Nbytes, "1234");
+    will_return(__wrap_OS_SHA1_File_Nbytes, 1);
+
+    will_return(__wrap_OSHash_Update_ex, 0);
+
+    expect_value(__wrap_OSHash_Add_ex, self, files_status);
+    expect_string(__wrap_OSHash_Add_ex, key, log_reader.file);
+    will_return(__wrap_OSHash_Add_ex, 0);
+
+    expect_string(__wrap__merror, formatted_msg, "(1299): Failure to update 'test' to 'file_status' hash table");
+
+    int ret = w_set_to_last_line_read(&log_reader);
+
+    assert_int_equal(ret, 1);
+}
+
+/* _macos_release_log_show */
+
+void test_w_macos_release_log_show_not_launched(void ** state) {
+    macos_processes = *state;
+    macos_processes->show.wfd = NULL;
+
+    w_macos_release_log_show();
+
+}
+
+void test_w_macos_release_log_show_launched_and_running(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd->pid = 10;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_show();
+
+    assert_null(macos_processes->show.wfd);
+
+}
+
+void test_w_macos_release_log_show_launched_and_running_with_child(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd->pid = 10;
+    macos_processes->show.child = 11;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 11);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_show();
+
+    assert_null(macos_processes->show.wfd);
+
+}
+
+void test_w_macos_release_log_show_launched_and_not_running(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd->pid = 0;
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_show();
+
+    assert_null(macos_processes->show.wfd);
+
+}
+
+/* w_macos_release_log_stream */
+
+void test_w_macos_release_log_stream_not_launched(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->stream.wfd = NULL;
+
+    w_macos_release_log_stream();
+
+}
+
+void test_w_macos_release_log_stream_launched_and_running(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->stream.wfd->pid = 10;
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_stream();
+
+    assert_null(macos_processes->stream.wfd);
+
+}
+
+void test_w_macos_release_log_stream_launched_and_running_with_child(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->stream.wfd->pid = 10;
+    macos_processes->stream.child = 11;
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 11);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_stream();
+
+    assert_null(macos_processes->stream.wfd);
+
+}
+
+void test_w_macos_release_log_stream_launched_and_not_running(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->stream.wfd->pid = 0;
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_stream();
+
+    assert_null(macos_processes->stream.wfd);
+
+}
+
+/* w_macos_release_log_execution */
+
+void test_w_macos_release_log_execution_log_stream_and_show_not_launched(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd = NULL;
+    macos_processes->stream.wfd = NULL;
+
+    w_macos_release_log_execution();
+
+}
+
+void test_w_macos_release_log_execution_log_stream_and_show_launched_and_running(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd->pid =10;
+    macos_processes->stream.wfd->pid = 11;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 11);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_execution();
+
+    assert_null(macos_processes->stream.wfd);
+    assert_null(macos_processes->show.wfd);
+
+}
+
+void test_w_macos_release_log_execution_log_stream_launched_and_show_not_launched(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd = NULL;
+    macos_processes->stream.wfd->pid = 10;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_execution();
+
+    assert_null(macos_processes->stream.wfd);
+
+}
+
+void test_w_macos_release_log_execution_log_stream_not_launched_and_show_launched(void ** state) {
+
+    macos_processes = *state;
+    macos_processes->show.wfd->pid = 10;
+    macos_processes->stream.wfd = NULL;
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, 0);
+
+    w_macos_release_log_execution();
+
+    assert_null(macos_processes->show.wfd);
+
+}
+
+void check_ignore_and_restrict_null_config(void ** state) {
+    logreader *regex_config = *state;
+
+    int ret = check_ignore_and_restrict(NULL, NULL, "testing log line");
+    assert_false(ret);
+}
+
+void check_ignore_and_restrict_not_ignored(void ** state) {
+    logreader *regex_config = *state;
+    w_expression_t * expression_ignore;
+    char *str_test = "testing log not match";
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    w_calloc_expression_t(&expression_ignore, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_ignore, "ignore.*", 0);
+    OSList_InsertData(regex_config->regex_ignore, NULL, expression_ignore);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 0);
+
+    int ret = check_ignore_and_restrict(regex_config->regex_ignore, NULL, str_test);
+
+    assert_false(ret);
+}
+
+void check_ignore_and_restrict_ignored(void ** state) {
+    logreader *regex_config = *state;
+    w_expression_t * expression_ignore;
+    char *str_test = "testing log with ignore word";
+    char *aux[2];
+    aux[0] = str_test;
+    aux[1] = str_test+1;
+    char log_str[PATH_MAX + 1] = {0};
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    w_calloc_expression_t(&expression_ignore, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_ignore, "ignore.*", 0);
+    OSList_InsertData(regex_config->regex_ignore, NULL, expression_ignore);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 1);
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    snprintf(log_str, PATH_MAX, LF_MATCH_REGEX, "testing log with ignore word", "ignore", "ignore.*");
+    expect_string(__wrap__mdebug2, formatted_msg, log_str);
+
+    int ret = check_ignore_and_restrict(regex_config->regex_ignore, NULL, str_test);
+
+    assert_true(ret);
+}
+
+void check_ignore_and_restrict_not_restricted(void ** state) {
+    logreader *regex_config = *state;
+    w_expression_t * expression_restrict;
+    char *str_test = "testing log with restrict word";
+    char *aux[2];
+    aux[0] = str_test;
+    aux[1] = str_test+1;
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+    expect_function_call_any(__wrap_pthread_rwlock_rdlock);
+
+    w_calloc_expression_t(&expression_restrict, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_restrict, "restrict.*", 0);
+    OSList_InsertData(regex_config->regex_restrict, NULL, expression_restrict);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 1);
+    will_return(wrap_pcre2_get_ovector_pointer, aux);
+
+    int ret = check_ignore_and_restrict(NULL, regex_config->regex_restrict, str_test);
+
+    assert_false(ret);
+}
+
+void check_ignore_and_restrict_restricted(void ** state) {
+    logreader *regex_config = *state;
+    w_expression_t * expression_restrict;
+    char *str_test = "testing log not match";
+    char log_str[PATH_MAX + 1] = {0};
+
+    expect_function_call_any(__wrap_pthread_rwlock_wrlock);
+    expect_function_call_any(__wrap_pthread_rwlock_unlock);
+
+    w_calloc_expression_t(&expression_restrict, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_restrict, "restrict.*", 0);
+    OSList_InsertData(regex_config->regex_restrict, NULL, expression_restrict);
+
+    will_return(wrap_pcre2_match_data_create_from_pattern, 1);
+    will_return(wrap_pcre2_match, 0);
+
+    snprintf(log_str, PATH_MAX, LF_MATCH_REGEX, "testing log not match", "restrict", "restrict.*");
+    expect_string(__wrap__mdebug2, formatted_msg, log_str);
+
+    int ret = check_ignore_and_restrict(NULL, regex_config->regex_restrict, str_test);
+
+    assert_true(ret);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // Test w_get_hash_context
+        cmocka_unit_test_setup_teardown(test_w_get_hash_context_NULL_file_exist, setup_log_context, teardown_log_context),
+        cmocka_unit_test_setup_teardown(test_w_get_hash_context_NULL_file_not_exist, setup_log_context, teardown_log_context),
+        cmocka_unit_test_setup_teardown(test_w_get_hash_context_done, setup_log_context, teardown_log_context),
+
+        // Test w_update_file_status
+        cmocka_unit_test_setup_teardown(test_w_update_file_status_fail_update_add_table_hash, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_update_file_status_update_fail_add_OK, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_update_file_status_update_OK, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test w_set_to_pos
+        cmocka_unit_test_setup_teardown(test_w_set_to_pos_localfile_NULL, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_pos_fseek_error, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_pos_OK, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test w_save_files_status_to_cJSON
+        // Related only to files
+        cmocka_unit_test_setup_teardown(test_w_save_files_status_to_cJSON_begin_NULL, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_save_files_status_to_cJSON_OK, setup_log_context, teardown_log_context),
+        // Related only to macos
+        cmocka_unit_test(test_w_save_files_status_to_cJSON_macos_invalid_vault),
+        cmocka_unit_test(test_w_save_files_status_to_cJSON_macos_valid_vault),
+        // Related only to journal
+        cmocka_unit_test(test_w_save_files_status_to_cJSON_journal_valid),
+        // Related to files and macos
+        cmocka_unit_test(test_w_save_files_status_to_cJSON_data),
+
+        // Test w_save_file_status
+        cmocka_unit_test_setup_teardown(test_w_save_file_status_str_NULL, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_save_file_status_wfopen_error, setup_log_context, teardown_log_context),
+        cmocka_unit_test_setup_teardown(test_w_save_file_status_fwrite_error, setup_log_context, teardown_log_context),
+        cmocka_unit_test_setup_teardown(test_w_save_file_status_OK, setup_log_context, teardown_log_context),
+
+        // Test w_load_files_status
+        cmocka_unit_test(test_w_load_files_status_empty_array),
+        cmocka_unit_test(test_w_load_files_status_path_NULL),
+        cmocka_unit_test(test_w_load_files_status_path_str_NULL),
+        cmocka_unit_test(test_w_load_files_status_no_file),
+        cmocka_unit_test(test_w_load_files_status_hash_NULL),
+        cmocka_unit_test(test_w_load_files_status_hash_str_NULL),
+        cmocka_unit_test(test_w_load_files_status_offset_NULL),
+        cmocka_unit_test(test_w_load_files_status_offset_str_NULL),
+        cmocka_unit_test(test_w_load_files_status_invalid_offset),
+        cmocka_unit_test_setup_teardown(test_w_load_files_status_update_add_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_load_files_status_update_hash_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_load_files_status_update_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_load_files_status_OK, setup_local_hashmap, teardown_local_hashmap),
+        // Related only to macos
+        cmocka_unit_test(test_w_load_files_status_valid_timestamp_only),
+        cmocka_unit_test(test_w_load_files_status_valid_settings_only),
+        cmocka_unit_test(test_w_load_files_status_valid_vault),
+        cmocka_unit_test(test_w_save_files_status_invalid_vault),
+        // Related only to journal
+        cmocka_unit_test(test_w_load_files_status_jorunal_no_journal_obj),
+        cmocka_unit_test(test_w_load_files_status_jorunal_no_journal_timestmap),
+        cmocka_unit_test(test_w_load_files_status_jorunal_invalid_timestamp),
+        cmocka_unit_test(test_w_load_files_status_jorunal_success),
+        
+
+        // Test w_initialize_file_status
+        cmocka_unit_test(test_w_initialize_file_status_OSHash_Create_fail),
+        cmocka_unit_test(test_w_initialize_file_status_OSHash_setSize_fail),
+        cmocka_unit_test(test_w_initialize_file_status_fopen_fail),
+        cmocka_unit_test(test_w_initialize_file_status_fread_fail),
+        cmocka_unit_test_setup_teardown(test_w_initialize_file_status_OK, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test w_update_hash_node
+        cmocka_unit_test(test_w_update_hash_node_path_NULL),
+        cmocka_unit_test(test_w_update_hash_node_sha_fail),
+        cmocka_unit_test_setup_teardown(test_w_update_hash_node_update_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_update_hash_node_add_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_update_hash_node_OK, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test w_set_to_last_line_read
+        cmocka_unit_test(test_w_set_to_last_line_read_null_reader),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_OSHash_Get_ex_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test(test_w_set_to_last_line_read_fstat_fail),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_OS_SHA1_File_Nbytes_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_diferent_file, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_same_file, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_same_file_rotate, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test_w_set_to_last_line_read_update_hash_node_error, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test w_macos_release_log_show
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_show_not_launched, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_show_launched_and_running, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_show_launched_and_running_with_child, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_show_launched_and_not_running, setup_process, teardown_process),
+
+
+        // Test w_macos_release_log_stream
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_stream_not_launched, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_stream_launched_and_running, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_stream_launched_and_running_with_child, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_stream_launched_and_not_running, setup_process, teardown_process),
+
+        // Test w_macos_release_log_execution
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_execution_log_stream_and_show_not_launched, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_execution_log_stream_and_show_launched_and_running, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_execution_log_stream_launched_and_show_not_launched, setup_process, teardown_process),
+        cmocka_unit_test_setup_teardown(test_w_macos_release_log_execution_log_stream_not_launched_and_show_launched, setup_process, teardown_process),
+
+        // Test w_macos_release_log_execution
+        cmocka_unit_test_setup_teardown(check_ignore_and_restrict_null_config, setup_regex, teardown_regex),
+        cmocka_unit_test_setup_teardown(check_ignore_and_restrict_not_ignored, setup_regex, teardown_regex),
+        cmocka_unit_test_setup_teardown(check_ignore_and_restrict_ignored, setup_regex, teardown_regex),
+        cmocka_unit_test_setup_teardown(check_ignore_and_restrict_not_restricted, setup_regex, teardown_regex),
+        cmocka_unit_test_setup_teardown(check_ignore_and_restrict_restricted, setup_regex, teardown_regex)
+
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_macos_log.c b/src/modules/logcollector/tests/unit/tests/test_macos_log.c
new file mode 100644
index 0000000000..44a1caccd4
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_macos_log.c
@@ -0,0 +1,3483 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/logcollector.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/linux/socket_wrappers.h"
+#include "../wrappers/posix/unistd_wrappers.h"
+#include "../wrappers/wazuh/shared/sysinfo_utils_wrappers.h"
+
+bool w_macos_is_log_predicate_valid(char * predicate);
+char ** w_macos_create_log_stream_array(char * predicate, char * level, int type);
+wfd_t * w_macos_log_exec(char ** log_cmd_array, u_int32_t flags);
+void w_macos_create_log_env(logreader * lf, w_sysinfo_helpers_t * global_sysinfo);
+bool w_macos_is_log_executable(void);
+void w_macos_create_log_stream_env(logreader * lf);
+void w_macos_log_show_array_add_level(char ** log_cmd_array, size_t * log_cmd_array_idx, char * level);
+char * w_macos_log_show_create_type_predicate(int type);
+void w_macos_log_show_array_add_predicate(char ** log_cmd_array,
+                                          size_t * log_cmd_array_idx,
+                                          char * query,
+                                          char * type_predicate);
+char ** w_macos_create_log_show_array(char * start_date, char * query, char * level, int type);
+void w_macos_set_last_log_timestamp(char * timestamp);
+char * w_macos_get_last_log_timestamp();
+void w_macos_set_last_log_settings(char * timestamp);
+char * w_macos_get_last_log_settings();
+void w_macos_create_log_show_env(logreader * lf);
+void w_macos_create_log_stream_env(logreader * lf);
+void w_macos_add_sierra_support(char ** log_cmd_array, size_t * log_cmd_array_idx);
+pid_t w_get_first_child(pid_t parent_pid);
+
+extern w_macos_log_vault_t macos_log_vault;
+
+extern char * macos_codename;
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+
+}
+
+static int setup_file(void **state) {
+    wfd_t * wfd = calloc(1, sizeof(wfd_t));
+
+    *state = wfd;
+
+    return 0;
+}
+
+static int teardown_file(void **state) {
+    wfd_t * wfd = *state;
+
+    free(wfd);
+
+    return 0;
+}
+
+static int teardown_settings(void **state) {
+    os_free(macos_log_vault.settings);
+
+    return 0;
+}
+
+static int setup_timestamp_null(void **state) {
+    macos_log_vault.timestamp[0] = '\0';
+
+    return 0;
+}
+
+static int teardown_timestamp_null(void **state) {
+    strncpy(macos_log_vault.timestamp, "2021-04-27 12:29:25-0700", OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN);
+
+    return 0;
+}
+
+/* wraps */
+
+
+/* w_macos_is_log_predicate_valid */
+void test_w_macos_is_log_predicate_valid_empty(void ** state) {
+
+    char predicate[] = "";
+
+    bool ret = w_macos_is_log_predicate_valid(predicate);
+    assert_false(ret);
+
+}
+
+void test_w_macos_is_log_predicate_valid_existing(void ** state) {
+
+    char predicate[] = "test";
+
+    bool ret = w_macos_is_log_predicate_valid(predicate);
+    assert_true(ret);
+
+}
+
+/* w_macos_create_log_stream_array */
+void test_w_macos_create_log_stream_array_NULL(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_null(ret[4]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], level);
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], level);
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], level);
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("default", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "default");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("info", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "info");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_log(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("debug", level);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "debug");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+
+}
+
+
+//PREDICADO
+
+void test_w_macos_create_log_stream_array_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--predicate");
+    assert_string_equal(ret[5], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[6]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], "default");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], "info");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 0;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--level");
+    assert_string_equal(ret[5], "debug");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--predicate");
+    assert_string_equal(ret[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[8]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_type_activity_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "default");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "default");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_default_type_activity_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("default", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "default");
+    assert_string_equal(ret[12], "--predicate");
+    assert_string_equal(ret[13], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[14]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "info");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "info");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_info_type_activity_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("info", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "info");
+    assert_string_equal(ret[12], "--predicate");
+    assert_string_equal(ret[13], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[14]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 1;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 2;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 4;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "trace");
+    assert_string_equal(ret[6], "--level");
+    assert_string_equal(ret[7], "debug");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_log_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 3;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 5;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 6;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "log");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "trace");
+    assert_string_equal(ret[8], "--level");
+    assert_string_equal(ret[9], "debug");
+    assert_string_equal(ret[10], "--predicate");
+    assert_string_equal(ret[11], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[12]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace_predicate(void ** state) {
+
+    char * predicate = NULL;
+    char * level = NULL;
+    int type = 7;
+
+    os_strdup("debug", level);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", predicate);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "stream");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--type");
+    assert_string_equal(ret[5], "activity");
+    assert_string_equal(ret[6], "--type");
+    assert_string_equal(ret[7], "log");
+    assert_string_equal(ret[8], "--type");
+    assert_string_equal(ret[9], "trace");
+    assert_string_equal(ret[10], "--level");
+    assert_string_equal(ret[11], "debug");
+    assert_string_equal(ret[12], "--predicate");
+    assert_string_equal(ret[13], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(ret[14]);
+
+    free_strarray(ret);
+    os_free(level);
+    os_free(predicate);
+
+}
+
+void test_w_macos_create_log_stream_array_on_sierra(void ** state) {
+
+    int type = 0;
+    char * level = NULL;
+    char * predicate = NULL;
+    char * backup_codename = NULL;
+
+    /* Sets the name "Sierra" to the global variable for the system to be identified as a Sierra Version of macOS */
+    if (macos_codename != NULL) {
+        /* Just in case, backups the previous codename to be restored */
+        w_strdup(macos_codename, backup_codename);
+    }
+
+    w_strdup(MACOS_SIERRA_CODENAME_STR, macos_codename);
+
+    char ** ret = w_macos_create_log_stream_array(predicate, level, type);
+
+    assert_string_equal(ret[0], SCRIPT_CMD_STR);
+    assert_string_equal(ret[1], SCRIPT_CMD_ARGS);
+    assert_string_equal(ret[2], SCRIPT_CMD_SINK);
+    assert_string_equal(ret[3], "/usr/bin/log");
+    assert_string_equal(ret[4], "stream");
+    assert_string_equal(ret[5], "--style");
+    assert_string_equal(ret[6], "syslog");
+    assert_null(ret[7]);
+
+    free_strarray(ret);
+
+    os_free(macos_codename);
+    if (backup_codename != NULL) {
+        w_strdup(backup_codename, macos_codename);
+        os_free(backup_codename);
+    }
+}
+
+/* w_macos_log_exec */
+void test_w_macos_log_exec_wpopenv_error(void ** state) {
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1974): An error ocurred while calling wpopenv(): Success (0).");
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_null(ret);
+    os_free(log_cmd_array);
+
+}
+
+void test_w_macos_log_exec_fileno_error(void ** state) {
+
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1971): The file descriptor couldn't be obtained from the file pointer of the Log Stream pipe: Success (0).");
+
+    will_return(__wrap_wpclose, 0);
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_ptr_equal(ret, 0);
+    os_free(log_cmd_array);
+
+}
+
+void test_w_macos_log_exec_fp_to_fd_error(void ** state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1971): The file descriptor couldn't be obtained from the file pointer of the Log Stream pipe: Success (0).");
+
+    will_return(__wrap_wpclose, 0);
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_ptr_equal(ret, 0);
+    os_free(log_cmd_array);
+
+}
+
+void test_w_macos_log_exec_get_flags_error(void ** state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, -1);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1972): The flags couldn't be obtained from the file descriptor: Success (0).");
+
+    will_return(__wrap_wpclose, 0);
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_ptr_equal(ret, 0);
+    os_free(log_cmd_array);
+
+}
+
+void test_w_macos_log_exec_set_flags_error(void ** state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, 0);
+
+    will_return(__wrap_fcntl, -1);
+
+    expect_string(__wrap__merror, formatted_msg,
+        "(1973): The flags couldn't be set in the file descriptor: Success (0).");
+
+    will_return(__wrap_wpclose, 0);
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_ptr_equal(ret, 0);
+
+    os_free(log_cmd_array);
+
+}
+
+void test_w_macos_log_exec_success(void ** state) {
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    char * log_cmd_array = NULL;
+    os_strdup("log stream", log_cmd_array);
+    u_int32_t flags = 0;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, 0);
+
+    will_return(__wrap_fcntl, 0);
+
+    wfd_t * ret = w_macos_log_exec(&log_cmd_array, flags);
+
+    assert_ptr_equal(ret->file_out,  wfd->file_out);
+    assert_int_equal(ret->pid, 0);
+
+    os_free(log_cmd_array);
+
+}
+
+/* w_macos_is_log_executable */
+void test_w_macos_is_log_executable_success(void ** state) {
+
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    bool ret = w_macos_is_log_executable();
+
+    assert_true(ret);
+
+}
+
+void test_w_macos_is_log_executable_error(void ** state) {
+
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1250): Error trying to execute \"/usr/bin/log\": Success (0).");
+
+    bool ret = w_macos_is_log_executable();
+
+    assert_false(ret);
+
+}
+
+void test_w_macos_is_log_executable_sierra_access_fail(void ** state) {
+
+    char * backup_codename = NULL;
+
+    if (macos_codename != NULL) {
+        w_strdup(macos_codename, backup_codename);
+    }
+
+    w_strdup(MACOS_SIERRA_CODENAME_STR, macos_codename);
+
+    expect_string(__wrap_access, __name, "/usr/bin/script");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1250): Error trying to execute \"/usr/bin/script\": Success (0).");
+
+    bool ret = w_macos_is_log_executable();
+
+    assert_false(ret);
+
+    os_free(macos_codename);
+    if (backup_codename != NULL) {
+        w_strdup(backup_codename, macos_codename);
+        os_free(backup_codename);
+    }
+}
+
+/* w_macos_create_log_stream_env */
+void test_w_macos_create_log_stream_env_not_executable(void ** state) {
+
+    logreader *current = NULL;
+    os_calloc(1, sizeof(logreader), current);
+    current->fp = (FILE*)1;
+    os_strdup("test", current->file);
+    current->diff_max_size = 0;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), current->macos_log);
+    current->macos_log->state = LOG_NOT_RUNNING;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", current->query);
+    os_strdup("debug", current->query_level);
+    current->query_type = 7;
+
+    os_calloc(1, sizeof(wfd_t), current->macos_log->processes.stream.wfd);
+    current->macos_log->processes.stream.wfd->file_out = (FILE*)1;
+
+    // test_w_macos_is_log_executable_error
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 1);
+
+    expect_string(__wrap__merror, formatted_msg, "(1250): Error trying to execute \"/usr/bin/log\": Success (0).");
+
+    w_macos_create_log_stream_env(current);
+
+    os_free(current->file);
+    os_free(current->query);
+    os_free(current->query_level);
+    os_free(current->macos_log->processes.stream.wfd);
+    os_free(current->macos_log);
+    os_free(current);
+
+}
+
+void test_w_macos_create_log_stream_env_log_wfd_NULL(void ** state) {
+
+    logreader *current = NULL;
+    os_calloc(1, sizeof(logreader), current);
+    current->fp = (FILE*)1;
+    os_strdup("test", current->file);
+    current->diff_max_size = 0;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), current->macos_log);
+    current->macos_log->state = LOG_NOT_RUNNING;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", current->query);
+    os_strdup("debug", current->query_level);
+    current->query_type = 7;
+
+    // test_w_macos_is_log_executable_error
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    // test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace_predicate
+
+    // test_w_macos_log_exec_wpopenv_error
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1974): An error ocurred while calling wpopenv(): Success (0).");
+
+    w_macos_create_log_stream_env(current);
+
+    os_free(current->file);
+    os_free(current->query);
+    os_free(current->query_level);
+    os_free(current->macos_log->processes.stream.wfd);
+    os_free(current->macos_log);
+    os_free(current);
+
+}
+
+void test_w_macos_create_log_stream_env_complete(void ** state) {
+
+    logreader *current = NULL;
+    os_calloc(1, sizeof(logreader), current);
+    current->fp = (FILE*)1;
+    os_strdup("test", current->file);
+    current->diff_max_size = 0;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), current->macos_log);
+    current->macos_log->state = LOG_NOT_RUNNING;
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", current->query);
+    os_strdup("debug", current->query_level);
+    current->query_type = 7;
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    // test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace_predicate
+
+    // test_w_macos_log_exec_success
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, 0);
+
+    will_return(__wrap_fcntl, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level debug --predicate processImagePath CONTAINS[c] 'com.apple.geod'");
+
+    w_macos_create_log_stream_env(current);
+
+    os_free(current->file);
+    os_free(current->query);
+    os_free(current->query_level);
+    os_free(current->macos_log);
+    os_free(current);
+
+}
+
+/* w_macos_log_show_array_add_level */
+
+void test_w_macos_log_show_array_add_level_NULL(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    char * type_predicate = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * level = NULL;
+
+    w_macos_log_show_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_null(log_cmd_array[6]);
+
+    free_strarray(log_cmd_array);
+
+}
+
+void test_w_macos_log_show_array_add_level_default(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    char * type_predicate = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * level = MACOS_LOG_LEVEL_DEFAULT_STR;
+
+    w_macos_log_show_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_null(log_cmd_array[6]);
+
+    free_strarray(log_cmd_array);
+
+}
+
+void test_w_macos_log_show_array_add_level_info(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    char * type_predicate = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * level = SHOW_INFO_OPT_STR;
+
+    w_macos_log_show_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--info");
+    assert_null(log_cmd_array[7]);
+
+    free_strarray(log_cmd_array);
+
+}
+
+void test_w_macos_log_show_array_add_level_debug(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    char * type_predicate = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * level = MACOS_LOG_LEVEL_DEBUG_STR;
+
+    w_macos_log_show_array_add_level(log_cmd_array, &log_cmd_array_idx, level);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--info");
+    assert_string_equal(log_cmd_array[7], "--debug");
+    assert_null(log_cmd_array[8]);
+
+    free_strarray(log_cmd_array);
+
+}
+
+/* w_macos_log_show_create_type_predicate */
+
+void test_w_macos_log_show_create_type_predicate_NULL(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 0;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_null(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_activity(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 1;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == activityCreateEvent " \
+                                        "OR eventType == activityTransitionEvent " \
+                                        "OR eventType == userActionEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_log(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 2;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == logEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_trace(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 4;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == traceEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_activity_log(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 3;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == activityCreateEvent " \
+                                        "OR eventType == activityTransitionEvent " \
+                                        "OR eventType == userActionEvent " \
+                                        "OR eventType == logEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_activity_trace(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 5;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == activityCreateEvent " \
+                                        "OR eventType == activityTransitionEvent " \
+                                        "OR eventType == userActionEvent " \
+                                        "OR eventType == traceEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_log_trace(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 6;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == logEvent OR eventType == traceEvent");
+
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_create_type_predicate_activity_log_trace(void ** state) {
+
+    char * type_predicate = NULL;
+
+    int type = 7;
+
+    type_predicate = w_macos_log_show_create_type_predicate(type);
+
+    assert_string_equal(type_predicate, "eventType == activityCreateEvent " \
+                                        "OR eventType == activityTransitionEvent " \
+                                        "OR eventType == userActionEvent " \
+                                        "OR eventType == logEvent " \
+                                        "OR eventType == traceEvent");
+
+    os_free(type_predicate);
+
+}
+
+/* w_macos_log_show_array_add_predicate */
+
+void test_w_macos_log_show_array_add_predicate_query_and_predicate_null(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+
+    char * type_predicate = NULL;
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_null(log_cmd_array[6]);
+
+    free_strarray(log_cmd_array);
+
+}
+
+void test_w_macos_log_show_array_add_predicate_query_null_and_valid_predicate(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+
+    char * type_predicate = NULL;
+    os_strdup("eventType == logEvent", type_predicate);
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--predicate");
+    assert_string_equal(log_cmd_array[7], "eventType == logEvent");
+    assert_null(log_cmd_array[8]);
+
+    free_strarray(log_cmd_array);
+    os_free(query);
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_array_add_predicate_invalid_query_and_predicate_null(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+    os_strdup("", query);
+
+    char * type_predicate = NULL;
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_null(log_cmd_array[6]);
+
+    free_strarray(log_cmd_array);
+    os_free(query);
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_array_add_predicate_invalid_query_valid_type_and_predicate_null(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+    os_strdup("", query);
+
+    char * type_predicate = NULL;
+    w_strdup("message CONTAINS \"test\"", type_predicate);
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--predicate");
+    assert_string_equal(log_cmd_array[7], "message CONTAINS \"test\"");
+    assert_null(log_cmd_array[8]);
+
+    free_strarray(log_cmd_array);
+    os_free(query);
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_array_add_predicate_valid_query_and_predicate_null(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", query);
+
+    char * type_predicate = NULL;
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--predicate");
+    assert_string_equal(log_cmd_array[7], "processImagePath CONTAINS[c] 'com.apple.geod'");
+    assert_null(log_cmd_array[8]);
+
+    free_strarray(log_cmd_array);
+    os_free(query);
+    os_free(type_predicate);
+
+}
+
+void test_w_macos_log_show_array_add_predicate_valid_query_and_predicate(void ** state) {
+
+    size_t log_cmd_array_idx = 0;
+    char ** log_cmd_array = NULL;
+
+    os_calloc(MAX_LOG_SHOW_CMD_ARGS + 1, sizeof(char *), log_cmd_array);
+
+    /* Adding `log` and `show` to the array */
+    w_strdup(LOG_CMD_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(LOG_SHOW_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the style lines to the array (`--style syslog`) */
+    w_strdup(STYLE_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup(SYSLOG_STR, log_cmd_array[log_cmd_array_idx++]);
+
+    /* Adding the starting date lines to the array (`--start 2021-04-27 12:29:25-0700`) */
+    w_strdup(SHOW_START_OPT_STR, log_cmd_array[log_cmd_array_idx++]);
+    w_strdup("2021-04-27 12:29:25-0700", log_cmd_array[log_cmd_array_idx++]);
+
+    char * query = NULL;
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", query);
+
+    char * type_predicate = NULL;
+    os_strdup("eventType == logEvent", type_predicate);
+
+    w_macos_log_show_array_add_predicate(log_cmd_array, &log_cmd_array_idx, query, type_predicate);
+
+    assert_string_equal(log_cmd_array[0], "/usr/bin/log");
+    assert_string_equal(log_cmd_array[1], "show");
+    assert_string_equal(log_cmd_array[2], "--style");
+    assert_string_equal(log_cmd_array[3], "syslog");
+    assert_string_equal(log_cmd_array[4], "--start");
+    assert_string_equal(log_cmd_array[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(log_cmd_array[6], "--predicate");
+    assert_string_equal(log_cmd_array[7], "( processImagePath CONTAINS[c] 'com.apple.geod' ) AND ( eventType == logEvent )");
+    assert_null(log_cmd_array[8]);
+
+    free_strarray(log_cmd_array);
+    os_free(query);
+    os_free(type_predicate);
+
+}
+
+/* w_macos_create_log_show_array */
+
+void test_w_macos_create_log_show_array_complete(void ** state) {
+
+    char start_date[25] = "2021-04-27 12:29:25-0700";
+
+    char * query = NULL;
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", query);
+
+    char * level = MACOS_LOG_LEVEL_DEBUG_STR;
+
+    int type = 7;
+
+    char ** ret = w_macos_create_log_show_array(start_date, query, level, type);
+
+    assert_string_equal(ret[0], "/usr/bin/log");
+    assert_string_equal(ret[1], "show");
+    assert_string_equal(ret[2], "--style");
+    assert_string_equal(ret[3], "syslog");
+    assert_string_equal(ret[4], "--start");
+    assert_string_equal(ret[5], "2021-04-27 12:29:25-0700");
+    assert_string_equal(ret[6], "--info");
+    assert_string_equal(ret[7], "--debug");
+    assert_string_equal(ret[8], "--predicate");
+    assert_string_equal(ret[9], "( processImagePath CONTAINS[c] 'com.apple.geod' ) " \
+                                "AND ( eventType == activityCreateEvent " \
+                                "OR eventType == activityTransitionEvent " \
+                                "OR eventType == userActionEvent " \
+                                "OR eventType == logEvent OR eventType == traceEvent )");
+    assert_null(ret[10]);
+
+    free_strarray(ret);
+    os_free(query);
+
+}
+
+void test_w_macos_create_log_show_array_complete_on_sierra(void ** state) {
+
+    char start_date[25] = "2021-04-27 12:29:25-0700";
+
+    char * query = NULL;
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", query);
+
+    char * level = MACOS_LOG_LEVEL_DEBUG_STR;
+
+    int type = 7;
+
+    char * backup_codename = NULL;
+
+    if (macos_codename != NULL) {
+        w_strdup(macos_codename, backup_codename);
+    }
+
+    w_strdup(MACOS_SIERRA_CODENAME_STR, macos_codename);
+
+    char ** ret = w_macos_create_log_show_array(start_date, query, level, type);
+
+    assert_string_equal(ret[0], SCRIPT_CMD_STR);
+    assert_string_equal(ret[1], SCRIPT_CMD_ARGS);
+    assert_string_equal(ret[2], SCRIPT_CMD_SINK);
+    assert_string_equal(ret[3], "/usr/bin/log");
+    assert_string_equal(ret[4], "show");
+    assert_string_equal(ret[5], "--style");
+    assert_string_equal(ret[6], "syslog");
+    assert_string_equal(ret[7], "--start");
+    assert_string_equal(ret[8], "2021-04-27 12:29:25-0700");
+    assert_string_equal(ret[9], "--info");
+    assert_string_equal(ret[10], "--debug");
+    assert_string_equal(ret[11], "--predicate");
+    assert_string_equal(ret[12], "( processImagePath CONTAINS[c] 'com.apple.geod' ) " \
+                                "AND ( eventType == activityCreateEvent " \
+                                "OR eventType == activityTransitionEvent " \
+                                "OR eventType == userActionEvent " \
+                                "OR eventType == logEvent OR eventType == traceEvent )");
+    assert_null(ret[13]);
+
+    free_strarray(ret);
+    os_free(query);
+
+    os_free(macos_codename);
+    if (backup_codename != NULL) {
+        w_strdup(backup_codename, macos_codename);
+        os_free(backup_codename);
+    }
+}
+
+/* w_macos_set_last_log_timestamp */
+
+void test_w_macos_set_last_log_timestamp_complete(void ** state) {
+
+    char * timestamp = NULL;
+    os_strdup("2021-04-27 12:29:25-0700", timestamp);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    w_macos_set_last_log_timestamp(timestamp);
+
+    os_free(timestamp);
+
+}
+
+/* w_macos_get_last_log_timestamp */
+
+void test_w_macos_get_last_log_timestamp_complete(void ** state) {
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    char * ret = w_macos_get_last_log_timestamp();
+
+    assert_string_equal(ret, "2021-04-27 12:29:25-0700");
+
+    os_free(ret);
+
+}
+
+/* w_macos_set_log_settings */
+
+void test_w_macos_set_log_settings_complete(void ** state) {
+
+    char * settings = NULL;
+    os_strdup("test", settings);
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    w_macos_set_log_settings(settings);
+
+    os_free(settings);
+
+}
+
+/* w_macos_get_log_settings */
+
+void test_w_macos_get_log_settings_complete(void ** state) {
+
+    os_strdup("test", macos_log_vault.settings);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    char * ret = w_macos_get_log_settings();
+
+    assert_string_equal(ret, "test");
+
+    os_free(ret);
+
+}
+
+/* w_macos_create_log_show_env */
+
+void test_w_macos_create_log_show_env_timestamp_NULL(void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    // test_w_macos_get_last_log_timestamp_complete */
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    w_macos_create_log_show_env(lf);
+
+    os_free(lf->macos_log);
+    os_free(lf);
+
+}
+
+void test_w_macos_create_log_show_env_show_wfd_NULL(void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+
+    // test_w_macos_get_last_log_timestamp_complete
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // test_w_macos_log_exec_wpopenv_error
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1974): An error ocurred while calling wpopenv(): Success (0).");
+
+    expect_string(__wrap__merror, formatted_msg, "(1605): Error while trying to execute `log show` as follows: " \
+                                                 "/usr/bin/log show --style syslog --start 2021-04-27 12:29:25-0700 " \
+                                                 "--info --debug --predicate processImagePath CONTAINS[c] 'com.apple.geod'.");
+
+    w_macos_create_log_show_env(lf);
+
+    os_free(lf->macos_log->processes.show.wfd);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+
+}
+
+void test_w_macos_create_log_show_env_success(void ** state) {
+
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+
+    // test_w_macos_get_last_log_timestamp_complete
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // test_w_macos_log_exec_success
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, 0);
+
+    will_return(__wrap_fcntl, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(1603): Monitoring macOS old logs with: " \
+                                                 "/usr/bin/log show --style syslog --start 2021-04-27 12:29:25-0700 " \
+                                                 "--info --debug --predicate processImagePath CONTAINS[c] 'com.apple.geod'.");
+
+    w_macos_create_log_show_env(lf);
+
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+
+}
+
+/* w_macos_create_log_stream_env */
+void test_w_macos_create_log_stream_env_show_wfd_NULL(void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+
+    // test_w_macos_log_exec_wpopenv_error
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_string(__wrap__merror, formatted_msg, "(1974): An error ocurred while calling wpopenv(): Success (0).");
+
+    expect_string(__wrap__merror, formatted_msg, "(1606): Error while trying to execute `log stream` as follows: " \
+                                                 "/usr/bin/log stream --style syslog --level debug " \
+                                                 "--predicate processImagePath CONTAINS[c] 'com.apple.geod'.");
+
+    w_macos_create_log_stream_env(lf);
+
+    os_free(lf->macos_log->processes.show.wfd);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+
+}
+
+void test_w_macos_create_log_stream_env_success(void ** state) {
+
+    wfd_t * wfd = *state;
+    wfd->file_out = (FILE*) 1234;
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+
+    // test_w_macos_log_exec_success
+    will_return(__wrap_wpopenv, wfd);
+
+    expect_value(__wrap_fileno, __stream, wfd->file_out);
+    will_return(__wrap_fileno, 1);
+
+    will_return(__wrap_fcntl, 0);
+
+    will_return(__wrap_fcntl, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(1604): Monitoring macOS logs with: " \
+                                                 "/usr/bin/log stream --style syslog --level debug " \
+                                                 "--predicate processImagePath CONTAINS[c] 'com.apple.geod'.");
+
+    w_macos_create_log_stream_env(lf);
+
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+
+}
+
+void test_w_macos_create_log_env_codename_null_only_future (void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+    lf->future = 1; // No past events
+
+    will_return(__wrap_w_get_os_codename, NULL);
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_any(__wrap__merror, formatted_msg);
+    expect_any(__wrap__merror, formatted_msg);
+
+    w_macos_create_log_env(lf, NULL);
+
+    os_free(lf->macos_log->current_settings);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+}
+
+void test_w_macos_create_log_env_codename_not_null_only_future (void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+    lf->future = 1; // No past events
+
+    will_return(__wrap_w_get_os_codename, "macTEST");
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Creating environment for macOS macTEST.");
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_any(__wrap__merror, formatted_msg);
+    expect_any(__wrap__merror, formatted_msg);
+
+    w_macos_create_log_env(lf, NULL);
+
+    os_free(lf->macos_log->current_settings);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+}
+
+void test_w_macos_create_log_env_codename_null_previous_settings_null (void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+
+    lf->query_type = 0;
+    lf->future = 0; // Look for past events
+    macos_log_vault.settings = NULL;
+
+    will_return(__wrap_w_get_os_codename, NULL);
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_any(__wrap__merror, formatted_msg);
+    expect_any(__wrap__merror, formatted_msg);
+
+    w_macos_create_log_env(lf, NULL);
+
+    os_free(lf->macos_log->current_settings);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+}
+
+void test_w_macos_create_log_env_codename_null_current_and_previous_settings_missmatch (void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+    lf->future = 0; // Look for past events
+
+    /* Forces the missmatch */
+    w_strdup("some random setting", macos_log_vault.settings);
+
+    will_return(__wrap_w_get_os_codename, NULL);
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    /* For reading the */
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Current predicate differs from the stored one. Discarding old events.");
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_any(__wrap__merror, formatted_msg);
+    expect_any(__wrap__merror, formatted_msg);
+
+    w_macos_create_log_env(lf, NULL);
+
+    os_free(macos_log_vault.settings);
+    os_free(lf->macos_log->current_settings);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+}
+
+void test_w_macos_create_log_env_codename_null_settings_match (void ** state) {
+
+    logreader *lf = NULL;
+    os_calloc(1, sizeof(logreader), lf);
+    os_calloc(1, sizeof(w_macos_log_config_t), lf->macos_log);
+
+    os_strdup("processImagePath CONTAINS[c] 'com.apple.geod'", lf->query);
+    os_strdup(MACOS_LOG_LEVEL_DEBUG_STR, lf->query_level);
+    lf->query_type = 0;
+    lf->future = 0; // Look for past events
+    w_strdup("/usr/bin/log stream --style syslog --level debug --predicate processImagePath CONTAINS[c] 'com.apple.geod'", macos_log_vault.settings);
+
+    bzero(macos_log_vault.timestamp, OS_LOGCOLLECTOR_TIMESTAMP_SHORT_LEN + 1); // Prevents log show execution
+
+    will_return(__wrap_w_get_os_codename, NULL);
+
+    // test_w_macos_is_log_executable_success
+    expect_string(__wrap_access, __name, "/usr/bin/log");
+    expect_value(__wrap_access, __type, 1);
+    will_return(__wrap_access, 0);
+
+    // w_macos_get_log_settings locks
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    // w_macos_get_last_log_timestamp locks
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    will_return(__wrap_wpopenv, NULL);
+
+    expect_any(__wrap__merror, formatted_msg);
+    expect_any(__wrap__merror, formatted_msg);
+
+    w_macos_create_log_env(lf, NULL);
+
+    os_free(macos_log_vault.settings);
+    os_free(lf->macos_log->current_settings);
+    os_free(lf->query_level);
+    os_free(lf->query);
+    os_free(lf->macos_log);
+    os_free(lf);
+}
+
+void test_w_macos_add_sierra_support(void ** state) {
+
+    size_t index = 0;
+    char ** log_cmd_array_idx = NULL;
+    os_calloc(4, sizeof(char *), log_cmd_array_idx);
+
+    w_macos_add_sierra_support(log_cmd_array_idx, &index);
+
+    assert_int_equal(index, 3);
+    assert_string_equal(log_cmd_array_idx[0], SCRIPT_CMD_STR);
+    assert_string_equal(log_cmd_array_idx[1], SCRIPT_CMD_ARGS);
+    assert_string_equal(log_cmd_array_idx[2], SCRIPT_CMD_SINK);
+
+    free_strarray(log_cmd_array_idx);
+}
+
+void test_w_get_first_child_NULL(void ** state) {
+
+    will_return(__wrap_w_get_process_childs, NULL);
+
+    assert_int_equal(w_get_first_child(0), 0);
+}
+
+void test_w_get_first_child_non_null_non_zero(void ** state) {
+
+    pid_t * pid_array = NULL;
+
+    os_calloc(4, sizeof(pid_t), pid_array);
+
+    pid_array[0] = 7;
+    pid_array[1] = 9;
+    pid_array[2] = 11;
+    pid_array[3] = 0;
+
+    will_return(__wrap_w_get_process_childs, pid_array);
+
+    assert_int_equal(w_get_first_child(0), 7);
+}
+
+void test_w_get_first_child_non_null_zero(void ** state) {
+
+    pid_t * pid_array = NULL;
+
+    os_calloc(4, sizeof(pid_t), pid_array);
+
+    pid_array[0] = 0;
+    pid_array[1] = 9;
+    pid_array[2] = 11;
+    pid_array[3] = 20;
+
+    will_return(__wrap_w_get_process_childs, pid_array);
+
+    assert_int_equal(w_get_first_child(0), 0);
+}
+
+// Test w_macos_set_is_valid_data
+void test_w_macos_set_is_valid_data_ok(void ** state) {
+
+    bool bak_is_valid_data = macos_log_vault.is_valid_data;
+    macos_log_vault.is_valid_data = false;
+
+    expect_function_call(__wrap_pthread_rwlock_wrlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+    w_macos_set_is_valid_data(true);
+
+    assert_true(macos_log_vault.is_valid_data);
+    macos_log_vault.is_valid_data = bak_is_valid_data;
+
+}
+
+// Test w_macos_get_is_valid_data
+void test_w_macos_get_is_valid_data_ok(void ** state) {
+
+    bool bak_is_valid_data = macos_log_vault.is_valid_data;
+    macos_log_vault.is_valid_data = false;
+
+    expect_function_call(__wrap_pthread_rwlock_rdlock);
+    expect_function_call(__wrap_pthread_rwlock_unlock);
+
+    assert_false(w_macos_get_is_valid_data());
+    macos_log_vault.is_valid_data = bak_is_valid_data;
+}
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        // Test w_macos_is_log_predicate_valid
+        cmocka_unit_test(test_w_macos_is_log_predicate_valid_empty),
+        cmocka_unit_test(test_w_macos_is_log_predicate_valid_existing),
+        // Test w_macos_create_log_stream_array
+        cmocka_unit_test(test_w_macos_create_log_stream_array_NULL),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_log),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_type_activity_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_default_type_activity_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_info_type_activity_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_log_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_level_debug_type_activity_log_trace_predicate),
+        cmocka_unit_test(test_w_macos_create_log_stream_array_on_sierra),
+        // Test w_macos_log_exec
+        cmocka_unit_test(test_w_macos_log_exec_wpopenv_error),
+        cmocka_unit_test_setup_teardown(test_w_macos_log_exec_fileno_error, setup_file, teardown_file),
+        cmocka_unit_test_setup_teardown(test_w_macos_log_exec_fp_to_fd_error, setup_file, teardown_file),
+        cmocka_unit_test_setup_teardown(test_w_macos_log_exec_get_flags_error, setup_file, teardown_file),
+        cmocka_unit_test_setup_teardown(test_w_macos_log_exec_set_flags_error, setup_file, teardown_file),
+        cmocka_unit_test_setup_teardown(test_w_macos_log_exec_success, setup_file, teardown_file),
+        // Test w_macos_is_log_executable
+        cmocka_unit_test(test_w_macos_is_log_executable_success),
+        cmocka_unit_test(test_w_macos_is_log_executable_error),
+        cmocka_unit_test(test_w_macos_is_log_executable_sierra_access_fail),
+        // Test w_macos_log_show_array_add_level
+        cmocka_unit_test(test_w_macos_log_show_array_add_level_NULL),
+        cmocka_unit_test(test_w_macos_log_show_array_add_level_default),
+        cmocka_unit_test(test_w_macos_log_show_array_add_level_info),
+        cmocka_unit_test(test_w_macos_log_show_array_add_level_debug),
+        // Test w_macos_log_show_create_type_predicate
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_NULL),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_activity),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_log),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_trace),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_activity_log),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_activity_trace),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_log_trace),
+        cmocka_unit_test(test_w_macos_log_show_create_type_predicate_activity_log_trace),
+        // Test w_macos_log_show_array_add_predicate
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_query_and_predicate_null),
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_query_null_and_valid_predicate),
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_invalid_query_and_predicate_null),
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_invalid_query_valid_type_and_predicate_null),
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_valid_query_and_predicate_null),
+        cmocka_unit_test(test_w_macos_log_show_array_add_predicate_valid_query_and_predicate),
+        // Test w_macos_create_log_show_array
+        cmocka_unit_test(test_w_macos_create_log_show_array_complete),
+        cmocka_unit_test(test_w_macos_create_log_show_array_complete_on_sierra),
+        // Test w_macos_set_last_log_timestamp
+        cmocka_unit_test(test_w_macos_set_last_log_timestamp_complete),
+        // Test w_macos_get_last_log_timestamp
+        cmocka_unit_test(test_w_macos_get_last_log_timestamp_complete),
+        // Test w_macos_set_log_settings
+        cmocka_unit_test_teardown(test_w_macos_set_log_settings_complete, teardown_settings),
+        // Test w_macos_get_log_settings
+        cmocka_unit_test_teardown(test_w_macos_get_log_settings_complete, teardown_settings),
+        // Test w_macos_create_log_show_env
+        cmocka_unit_test_setup_teardown(test_w_macos_create_log_show_env_timestamp_NULL, setup_timestamp_null, teardown_timestamp_null),
+        cmocka_unit_test(test_w_macos_create_log_show_env_show_wfd_NULL),
+        cmocka_unit_test_setup_teardown(test_w_macos_create_log_show_env_success, setup_file, teardown_file),
+        // Test w_macos_create_log_stream_env
+        cmocka_unit_test(test_w_macos_create_log_stream_env_show_wfd_NULL),
+        cmocka_unit_test_setup_teardown(test_w_macos_create_log_stream_env_success, setup_file, teardown_file),
+        // Test w_macos_create_log_env
+        cmocka_unit_test(test_w_macos_create_log_env_codename_null_only_future),
+        cmocka_unit_test(test_w_macos_create_log_env_codename_not_null_only_future),
+        cmocka_unit_test(test_w_macos_create_log_env_codename_null_previous_settings_null),
+        cmocka_unit_test(test_w_macos_create_log_env_codename_null_current_and_previous_settings_missmatch),
+        cmocka_unit_test(test_w_macos_create_log_env_codename_null_settings_match),
+        // Test w_macos_add_sierra_support
+        cmocka_unit_test(test_w_macos_add_sierra_support),
+        // Test w_get_first_child
+        cmocka_unit_test(test_w_get_first_child_NULL),
+        cmocka_unit_test(test_w_get_first_child_non_null_non_zero),
+        cmocka_unit_test(test_w_get_first_child_non_null_zero),
+        // Test w_macos_set_is_valid_data
+        cmocka_unit_test(test_w_macos_set_is_valid_data_ok),
+        // Test w_macos_get_is_valid_data
+        cmocka_unit_test(test_w_macos_get_is_valid_data_ok),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_read_journal.c b/src/modules/logcollector/tests/unit/tests/test_read_journal.c
new file mode 100644
index 0000000000..2080a895f1
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_read_journal.c
@@ -0,0 +1,348 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Includes */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/logcollector.h"
+#include "../../logcollector/journal_log.h"
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+
+bool w_journald_can_read(unsigned long owner_id);
+void set_gs_journald_global(unsigned long owner_id, bool is_disabled, void * journal_ctx);
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* Wraps of journal_log */
+int __wrap_w_journal_context_create(w_journal_context_t ** ctx) { return mock_type(int); }
+
+int __wrap_w_journal_context_seek_most_recent(w_journal_context_t * ctx) { return mock_type(int); }
+
+int __wrap_w_journal_context_seek_timestamp(w_journal_context_t * ctx, uint64_t timestamp) {
+    // check timestamp
+    check_expected(timestamp);
+    return mock_type(int);
+}
+
+int __wrap_w_journal_context_next_newest_filtered(w_journal_context_t * ctx, w_journal_filters_list_t filters) {
+    return mock_type(int);
+}
+
+w_journal_entry_t * __wrap_w_journal_entry_dump(w_journal_context_t * ctx, w_journal_entry_dump_type_t type) {
+    return mock_type(w_journal_entry_t *);
+}
+
+char * __wrap_w_journal_entry_to_string(w_journal_entry_t * entry) { return mock_type(char *); }
+
+void __wrap_w_journal_entry_free(w_journal_entry_t * entry) { function_called(); }
+
+/* Aux setters */
+void set_gs_journald_ofe(bool exist, bool ofe, uint64_t timestamp);
+bool journald_isDisabled();
+
+/* Other wraps */
+int __wrap_isDebug() { return mock(); }
+
+int __wrap_w_msg_hash_queues_push(
+    const char * str, char * file, unsigned long size, logtarget * targets, char queue_mq) {
+    check_expected(str);
+    check_expected(size);
+    return mock_type(int);
+}
+
+int __wrap_can_read() { return mock_type(int); }
+
+/* Test w_journald_can_read */
+void test_w_journald_can_read_disable(void ** state) {
+    set_gs_journald_global(0, true, NULL);
+    assert_false(w_journald_can_read(0));
+}
+
+void test_w_journald_can_read_check_owner(void ** state) {
+    set_gs_journald_global(2, false, NULL);
+    assert_false(w_journald_can_read(1));
+    assert_true(w_journald_can_read(2));
+}
+
+void test_w_journald_can_read_first_time_init_fail() {
+    int tid = 3;
+
+    set_gs_journald_global(0, false, NULL);
+
+    will_return(__wrap_w_journal_context_create, -1);
+    expect_string(__wrap__merror, formatted_msg, "(1608): Failed to connect to the journal, disabling journal log.");
+
+    assert_false(w_journald_can_read(tid));
+    assert_true(journald_isDisabled());
+}
+
+void test_w_journald_can_read_first_time_init_fail_seek() {
+    int tid = 3;
+
+    set_gs_journald_global(0, false, NULL);
+    set_gs_journald_ofe(true, true, 123);
+
+    will_return(__wrap_w_journal_context_create, 0);
+
+    will_return(__wrap_w_journal_context_seek_most_recent, -1);
+
+    expect_string(__wrap__merror,
+                  formatted_msg,
+                  "(1609): Failed to move to the end of the journal, disabling journal log: Operation not permitted.");
+
+    assert_false(w_journald_can_read(tid));
+    assert_true(journald_isDisabled());
+}
+
+void test_w_journald_can_read_first_time_init_ofe_yes(void ** state) {
+
+    int tid = 3;
+
+    set_gs_journald_global(0, false, NULL);
+    set_gs_journald_ofe(true, true, 123);
+
+    will_return(__wrap_w_journal_context_create, 0);
+
+    will_return(__wrap_w_journal_context_seek_most_recent, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(9203): Monitoring journal entries.");
+
+    assert_true(w_journald_can_read(tid));
+    assert_false(journald_isDisabled());
+}
+
+void test_w_journald_can_read_first_time_init_ofe_no(void ** state) {
+    int tid = 3;
+
+    set_gs_journald_global(0, false, NULL);
+    set_gs_journald_ofe(true, false, 123);
+
+    will_return(__wrap_w_journal_context_create, 0);
+
+    expect_value(__wrap_w_journal_context_seek_timestamp, timestamp, 123);
+    will_return(__wrap_w_journal_context_seek_timestamp, 0);
+
+    expect_string(__wrap__minfo, formatted_msg, "(9203): Monitoring journal entries.");
+
+    assert_true(w_journald_can_read(tid));
+    assert_false(journald_isDisabled());
+}
+
+/* w_journald_set_ofe */
+void test_w_journald_set_ofe(void ** state) {
+    w_journald_set_ofe(true);
+    w_journald_set_ofe(false);
+}
+
+void test_read_journald_can_read_false(void ** state) {
+
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    will_return(__wrap_can_read, 0);
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_false(journald_isDisabled());
+}
+
+void test_read_journald_next_entry_error(void ** state) {
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    // Can read
+    will_return(__wrap_can_read, 1);
+
+    // Fail get nex entry
+    will_return(__wrap_w_journal_context_next_newest_filtered, -1);
+    expect_string(__wrap__merror,
+                  formatted_msg,
+                  "(1610): Failed to get the next entry, disabling journal log: Operation not permitted.");
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_true(journald_isDisabled());
+}
+
+void test_read_journald_next_entry_no_new_entry(void ** state) {
+
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    // Can read
+    will_return(__wrap_can_read, 1);
+
+    // Nothing to read
+    will_return(__wrap_w_journal_context_next_newest_filtered, 0);
+    expect_string(__wrap__mdebug2, formatted_msg, "(9006): No new entries in the journal.");
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_false(journald_isDisabled());
+}
+
+void test_read_journald_dump_entry_error(void ** state) {
+
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    // Can read
+    will_return(__wrap_can_read, 1);
+
+    // Fail get nex entry
+    will_return(__wrap_w_journal_context_next_newest_filtered, 1);
+    will_return(__wrap_w_journal_entry_dump, NULL);
+    will_return(__wrap_w_journal_entry_to_string, NULL);
+    expect_function_call(__wrap_w_journal_entry_free);
+
+    expect_string(__wrap__merror, formatted_msg, "(1611): Failed to get the message from the journal");
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_false(journald_isDisabled());
+}
+
+void test_read_journald_dump_entry_max_len(void ** state) {
+
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    // Can read
+    will_return(__wrap_can_read, 1);
+
+    // Fail get nex entry
+    will_return(__wrap_w_journal_context_next_newest_filtered, 1);
+    will_return(__wrap_w_journal_entry_dump, 0x1);
+    will_return(__wrap_w_journal_entry_to_string, strdup("MAX_STR_>>>_16_|xxxxxxxx"));
+    expect_function_call(__wrap_w_journal_entry_free);
+
+    expect_string(
+        __wrap__mdebug1, formatted_msg, "(9007): Message size > maximum allowed, The message will be truncated.");
+
+    will_return(__wrap_isDebug, 0);
+
+    // Check message
+    expect_string(__wrap_w_msg_hash_queues_push, str, "MAX_STR_>>>_16_|");
+    expect_value(__wrap_w_msg_hash_queues_push, size, strlen("MAX_STR_>>>_16_|") + 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    // Brek the loop
+    will_return(__wrap_can_read, 0);
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_false(journald_isDisabled());
+}
+
+void test_read_journald_dump_entry_debug(void ** state) {
+
+    // Prepare environment
+    w_journal_context_t ctxt = {0};
+    set_gs_journald_global(0, false, &ctxt);
+
+    // Prepare args
+    logreader lf = {0};
+    w_journal_log_config_t journal_log = {0};
+    lf.journal_log = &journal_log;
+    int rc = 0;
+
+    // Can read
+    will_return(__wrap_can_read, 1);
+
+    // Fail get nex entry
+    will_return(__wrap_w_journal_context_next_newest_filtered, 1);
+    will_return(__wrap_w_journal_entry_dump, 0x1);
+    will_return(__wrap_w_journal_entry_to_string, strdup("message test"));
+    expect_function_call(__wrap_w_journal_entry_free);
+
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "(9008): Reading from journal: 'message test'.");
+
+    // Check message
+    expect_string(__wrap_w_msg_hash_queues_push, str, "message test");
+    expect_value(__wrap_w_msg_hash_queues_push, size, strlen("message test") + 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    // Brek the loop
+    will_return(__wrap_can_read, 0);
+
+    assert_null(read_journald(&lf, &rc, 0));
+    assert_false(journald_isDisabled());
+}
+
+int main(void) {
+
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_w_journald_set_ofe),
+        /* Test w_journald_can_read */
+        cmocka_unit_test(test_w_journald_can_read_disable),
+        cmocka_unit_test(test_w_journald_can_read_check_owner),
+        cmocka_unit_test(test_w_journald_can_read_first_time_init_fail),
+        cmocka_unit_test(test_w_journald_can_read_first_time_init_fail_seek),
+        cmocka_unit_test(test_w_journald_can_read_first_time_init_ofe_yes),
+        cmocka_unit_test(test_w_journald_can_read_first_time_init_ofe_no),
+        /* Test read_journald */
+        cmocka_unit_test(test_read_journald_can_read_false),
+        cmocka_unit_test(test_read_journald_next_entry_error),
+        cmocka_unit_test(test_read_journald_next_entry_no_new_entry),
+        cmocka_unit_test(test_read_journald_dump_entry_error),
+        cmocka_unit_test(test_read_journald_dump_entry_max_len),
+        cmocka_unit_test(test_read_journald_dump_entry_debug),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_read_macos.c b/src/modules/logcollector/tests/unit/tests/test_read_macos.c
new file mode 100644
index 0000000000..ca53f412b9
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_read_macos.c
@@ -0,0 +1,1945 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+/* Includes */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/logcollector.h"
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/linux/socket_wrappers.h"
+#include "../wrappers/wazuh/shared/expression_wrappers.h"
+#include "../wrappers/wazuh/logcollector/logcollector_wrappers.h"
+#include "../wrappers/wazuh/logcollector/macos_log_wrappers.h"
+#include "../wrappers/posix/signal_wrappers.h"
+#include "../wrappers/linux/wait_wrappers.h"
+#include "../wrappers/posix/time_wrappers.h"
+
+/* Defines */
+
+#define TESTING_MAXIMUM_LINES   1000
+
+/* Prototypes */
+
+bool w_macos_log_ctxt_restore(char * buffer, w_macos_log_ctxt_t * ctxt);
+void w_macos_log_ctxt_backup(char * buffer, w_macos_log_ctxt_t * ctxt);
+void w_macos_log_ctxt_clean(w_macos_log_ctxt_t * ctxt);
+bool w_macos_is_log_ctxt_expired(time_t timeout, w_macos_log_ctxt_t * ctxt);
+char * w_macos_log_get_last_valid_line(char * str);
+bool w_macos_is_log_header(w_macos_log_config_t * macos_log_cfg, char * buffer);
+bool w_macos_log_getlog(char * buffer, int length, FILE * stream, w_macos_log_config_t * macos_log_cfg);
+char * w_macos_trim_full_timestamp(char *);
+char * w_macos_get_last_log_timestamp(void);
+
+/* Globals */
+
+extern w_macos_log_procceses_t * macos_processes;
+
+extern int maximum_lines;
+extern int errno;
+
+/* Tests */
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+
+    test_mode = 0;
+    return 0;
+}
+
+/* wraps */
+
+int __wrap_isDebug() {
+    return mock();
+}
+
+int __wrap_can_read() {
+
+    return mock_type(int);
+}
+
+// todo: this function is repeated in other file
+int __wrap_w_msg_hash_queues_push(void) {
+
+    return mock_type(int);
+}
+
+/* tests */
+
+/* w_macos_log_ctxt_restore */
+
+void test_w_macos_log_ctxt_restore_false(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+
+    char * buffer = NULL;
+
+    bool ret = w_macos_log_ctxt_restore(buffer, &ctxt);
+    assert_false(ret);
+}
+
+void test_w_macos_log_ctxt_restore_true(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    bool ret = w_macos_log_ctxt_restore(buffer, &ctxt);
+    assert_true(ret);
+}
+
+/* w_macos_log_ctxt_backup */
+
+void test_w_macos_log_ctxt_backup_success(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    char buffer[OS_MAXSTR + 1];
+
+    buffer[OS_MAXSTR] = '\0';
+
+    strncpy(buffer, "test\n", OS_MAXSTR);
+    will_return(__wrap_time, 123456);
+
+    w_macos_log_ctxt_backup(buffer, &ctxt);
+
+    assert_string_equal(ctxt.buffer, "test\n");
+    assert_int_equal(ctxt.timestamp, 123456);
+}
+
+/* w_macos_log_ctxt_clean */
+
+void test_w_macos_log_ctxt_clean_success(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+    ctxt.timestamp = 123456;
+
+
+    w_macos_log_ctxt_clean(&ctxt);
+
+    assert_int_equal(ctxt.timestamp, 0);
+    assert_string_equal(ctxt.buffer, "\0");
+}
+
+/* w_macos_is_log_ctxt_expired */
+
+void test_w_macos_is_log_ctxt_expired_true(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    time_t timeout = (time_t) MACOS_LOG_TIMEOUT;
+
+    ctxt.timestamp = (time_t) 1000;
+
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+    bool ret = w_macos_is_log_ctxt_expired(timeout, &ctxt);
+
+    assert_true(ret);
+}
+
+void test_w_macos_is_log_ctxt_expired_false(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    time_t timeout = (time_t) MACOS_LOG_TIMEOUT;
+
+    ctxt.timestamp = 1000;
+
+    // threshold timeout
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT);
+
+    bool ret = w_macos_is_log_ctxt_expired(timeout, &ctxt);
+
+    assert_false(ret);
+}
+
+/* w_macos_log_get_last_valid_line */
+
+void test_w_macos_log_get_last_valid_line_str_null(void ** state) {
+
+    char * str = NULL;
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_null(ret);
+}
+
+void test_w_macos_log_get_last_valid_line_str_empty(void ** state) {
+
+    char * str = '\0';
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_null(ret);
+}
+
+void test_w_macos_log_get_last_valid_line_str_without_new_line(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_null(ret);
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_new_line_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_null(ret);
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_new_line_not_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n2021-04-22 12:00:00.230270-0700 test2", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_string_equal(ret, "\n2021-04-22 12:00:00.230270-0700 test2");
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_two_new_lines_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n2021-04-22 12:00:00.230270-0700 test2\n", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_string_equal(ret, "\n2021-04-22 12:00:00.230270-0700 test2\n");
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_two_new_lines_not_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n2021-04-22 12:00:00.230270-0700 test2\n2021-04-22 12:00:00.230270-0700 test3", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_string_equal(ret, "\n2021-04-22 12:00:00.230270-0700 test3");
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_three_new_lines_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n2021-04-22 12:00:00.230270-0700 test2\n2021-04-22 12:00:00.230270-0700 test3\n", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_string_equal(ret, "\n2021-04-22 12:00:00.230270-0700 test3\n");
+    os_free(str);
+}
+
+void test_w_macos_log_get_last_valid_line_str_with_three_new_lines_not_end(void ** state) {
+
+    char * str = NULL;
+
+    os_strdup("2021-04-22 12:00:00.230270-0700 test\n2021-04-22 12:00:00.230270-0700 test2\n2021-04-22 12:00:00.230270-0700 test3\n2021-04-22 12:00:00.230270-0700 test4", str);
+
+    char * ret = w_macos_log_get_last_valid_line(str);
+
+    assert_string_equal(ret, "\n2021-04-22 12:00:00.230270-0700 test4");
+    os_free(str);
+}
+
+/* w_macos_is_log_header */
+
+void test_w_macos_is_log_header_false(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("test", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = false;
+
+    will_return(__wrap_w_expression_match, true);
+    expect_value(__wrap_w_macos_set_is_valid_data, is_valid, true);
+
+    bool ret = w_macos_is_log_header(& macos_log_cfg, buffer);
+
+    assert_false(ret);
+
+    os_free(buffer);
+}
+
+void test_w_macos_is_log_header_log_stream_execution_error_after_exec(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("log: test", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = true;
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__merror, formatted_msg, "(1602): Execution error 'log: test'");
+
+    expect_value(__wrap_w_macos_set_is_valid_data, is_valid, false);
+
+    bool ret = w_macos_is_log_header(&macos_log_cfg, buffer);
+
+    assert_true(ret);
+
+    os_free(buffer);
+}
+
+void test_w_macos_is_log_header_log_stream_execution_error_colon(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("log: ", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = true;
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__merror, formatted_msg, "(1602): Execution error 'log'");
+    expect_value(__wrap_w_macos_set_is_valid_data, is_valid, false);
+
+    bool ret = w_macos_is_log_header(& macos_log_cfg, buffer);
+
+    assert_true(ret);
+
+    os_free(buffer);
+}
+
+void test_w_macos_is_log_header_log_stream_execution_error_line_break(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("log: test\n", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = true;
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__merror, formatted_msg, "(1602): Execution error 'log: test'");
+    expect_value(__wrap_w_macos_set_is_valid_data, is_valid, false);
+
+    bool ret = w_macos_is_log_header(& macos_log_cfg, buffer);
+
+    assert_true(ret);
+
+    os_free(buffer);
+}
+
+void test_w_macos_is_log_header_reading_other_log(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("test", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = false;
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Reading other log headers or errors: 'test'.");
+
+    bool ret = w_macos_is_log_header(& macos_log_cfg, buffer);
+
+    assert_true(ret);
+
+    os_free(buffer);
+}
+
+void test_w_macos_is_log_header_reading_other_log_line_break(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char * buffer = NULL;
+    os_strdup("test\n", buffer);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.log_start_regex = NULL;
+    macos_log_cfg.is_header_processed = false;
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Reading other log headers or errors: 'test'.");
+
+    bool ret = w_macos_is_log_header(& macos_log_cfg, buffer);
+
+    assert_true(ret);
+
+    os_free(buffer);
+}
+
+/* w_macos_log_getlog */
+void test_w_macos_log_getlog_context_expired(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_true
+    ctxt.timestamp = (time_t) 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR - OS_LOG_HEADER;
+
+    FILE * stream = NULL;
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_true(ret);
+    assert_string_equal(buffer, "test");
+}
+
+void test_w_macos_log_getlog_context_expired_new_line(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_true
+    ctxt.timestamp = (time_t) 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR - OS_LOG_HEADER;
+
+    FILE * stream = NULL;
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_true(ret);
+    assert_string_equal(buffer, "test");
+}
+
+void test_w_macos_log_getlog_context_not_expired(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR - OS_LOG_HEADER;
+
+    FILE * stream = (FILE*)1;
+
+    will_return(__wrap_can_read, 1);
+
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, NULL);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal("test\n", macos_log_cfg.ctxt.buffer);
+    assert_int_equal(ctxt.timestamp, 1000);
+}
+
+void test_w_macos_log_getlog_context_buffer_full(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\n", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 1;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test");
+
+    //test_w_macos_log_get_last_valid_line
+
+    will_return(__wrap_isDebug, 0);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "test");
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_context_buffer_full_no_endl_force_split(void ** state) {
+
+    /* It must split the log, because the last line received (incomplete) can be part of a second log  */
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+
+    const char *test_str = "test large\nlog";
+    char buffer[OS_MAXSTR + 1];
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(test_str) + 1;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, test_str);
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Maximum message length reached. The remainder will be send separately.");
+    will_return(__wrap_time, 1000);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "test large");
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "log");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000);
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_context_not_endline(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test-\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 10;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Incomplete message.");
+    will_return(__wrap_time, ctxt.timestamp + 1);
+
+    //test_w_macos_log_ctxt_backup_success
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "test-test");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000 + 1);
+    assert_false(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_context_full_buffer(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test--max...\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "more content................");
+    int length = strlen(ctxt.buffer) + strlen("more content...") + 1;
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_fgetc, '\n');
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Maximum message length reached. The remainder was discarded.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "test--max...more content...");
+    assert_string_equal("", macos_log_cfg.ctxt.buffer);
+    assert_int_equal(0, macos_log_cfg.ctxt.timestamp);
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_discards_irrelevant_headers(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "Other headers, line1\n\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = false;
+
+    int length = strlen(ctxt.buffer) + 100;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "Other headers, line2\n");
+
+    will_return(__wrap_w_is_macos_sierra, false);
+
+    //test_w_macos_is_log_header_reading_other_log
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Reading other log headers or errors:"
+                                                  " 'Other headers, line1\nOther headers, line2'.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "");
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_discards_irrelevant_headers_sierra_child_processes_already_set(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "Other headers, line1\n\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = false;
+    macos_log_cfg.processes.show.wfd = (wfd_t*) 123;
+    macos_log_cfg.processes.stream.wfd = (wfd_t*) 124;
+    macos_log_cfg.processes.show.child = 5;
+    macos_log_cfg.processes.stream.child = 6;
+
+    int length = strlen(ctxt.buffer) + 100;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "Other headers, line2\n");
+
+    will_return(__wrap_w_is_macos_sierra, true);
+
+    //test_w_macos_is_log_header_reading_other_log
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Reading other log headers or errors:"
+                                                  " 'Other headers, line1\nOther headers, line2'.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "");
+    assert_true(ret);
+    assert(macos_log_cfg.processes.show.child == 5);
+    assert(macos_log_cfg.processes.stream.child == 6);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_discards_irrelevant_headers_sierra_stream_and_show_without_child_pid(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "Other headers, line1\n\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = false;
+    os_calloc(1, sizeof(wfd_t), macos_log_cfg.processes.show.wfd);
+    os_calloc(1, sizeof(wfd_t), macos_log_cfg.processes.stream.wfd);
+    macos_log_cfg.processes.show.wfd->pid = 10;
+    macos_log_cfg.processes.stream.wfd->pid = 11;
+    macos_log_cfg.processes.show.child = 0;
+    macos_log_cfg.processes.stream.child = 0;
+
+    int length = strlen(ctxt.buffer) + 100;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "Other headers, line2\n");
+
+    will_return(__wrap_w_is_macos_sierra, true);
+    expect_value(__wrap_w_get_first_child, parent_pid, 10);
+    will_return(__wrap_w_get_first_child, 5);
+    expect_value(__wrap_w_get_first_child, parent_pid, 11);
+    will_return(__wrap_w_get_first_child, 6);
+
+
+    //test_w_macos_is_log_header_reading_other_log
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Reading other log headers or errors:"
+                                                  " 'Other headers, line1\nOther headers, line2'.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "");
+    assert_true(ret);
+    assert(macos_log_cfg.processes.show.child == 5);
+    assert(macos_log_cfg.processes.stream.child == 6);
+
+    os_free(stream);
+    os_free(macos_log_cfg.processes.show.wfd);
+    os_free(macos_log_cfg.processes.stream.wfd);
+}
+
+void test_w_macos_log_getlog_split_two_logs(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "log 1 first line\nlog 1 second line\n", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 100;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "log 2 first line\r\n");
+
+    //test_w_macos_log_get_last_valid_line
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, 1001);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "log 1 first line\nlog 1 second line");
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "log 2 first line\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1001);
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_backup_context(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+    ctxt.timestamp = 0;
+    ctxt.force_send = false;
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test\n");
+    will_return(__wrap_time, 1000);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_isDebug, 0);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "test\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_backup_context_sierra(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+    ctxt.timestamp = 0;
+    ctxt.force_send = false;
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test\r\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_time, 1000);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "test\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_backup_context_sierra_multiline(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+    ctxt.timestamp = 0;
+    ctxt.force_send = false;
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test multiline line 1\r\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_time, 1000);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test multiline line 2\r\n");
+    will_return(__wrap_w_expression_match, false);
+    will_return(__wrap_time, 1000);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_isDebug, 0);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "test multiline line 1\ntest multiline line 2\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_backup_context_sierra_new_line(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    ctxt.buffer[0] = '\0';
+    ctxt.timestamp = 0;
+    ctxt.force_send = false;
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "\r\n");
+    will_return(__wrap_time, 1000);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_isDebug, 0);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1000);
+
+    os_free(stream);
+}
+
+void test_w_macos_log_getlog_cannot_read(void ** state) {
+
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test", OS_MAXSTR);
+    ctxt.force_send = false;
+    time_t now = 1000;
+    ctxt.timestamp = now;
+    will_return(__wrap_time, 1000 + 1);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = OS_MAXSTR;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 0);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_false(ret);
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "test");
+    assert(macos_log_cfg.ctxt.timestamp == now);
+    os_free(stream);
+
+}
+
+void test_w_macos_log_getlog_discard_until_null(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 1;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test");
+
+    will_return(__wrap_isDebug, 0);
+
+    //test_w_macos_log_ctxt_backup_success
+
+    will_return(__wrap_fgetc, 'X');
+    will_return(__wrap_fgetc, 'X');
+    will_return(__wrap_fgetc, NULL);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Maximum message length reached. The remainder was discarded.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    //assert_string_equal(buffer, "test");
+    assert_true(ret);
+
+    os_free(stream);
+
+}
+
+void test_w_macos_log_getlog_discard_until_eof(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "test\0", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 1;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_fgetc, 'X');
+    will_return(__wrap_fgetc, 'X');
+    will_return(__wrap_fgetc, EOF);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Maximum message length reached. The remainder was discarded.");
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    //assert_string_equal(buffer, "test");
+    assert_true(ret);
+
+    os_free(stream);
+
+}
+
+void test_w_macos_log_getlog_split_two_logs_debug(void ** state) {
+
+    //test_w_macos_ctxt_restore_true
+    w_macos_log_ctxt_t ctxt;
+    strncpy(ctxt.buffer, "log 1 first line\nlog 1 second line\n", OS_MAXSTR);
+
+    char buffer[OS_MAXSTR + 1];
+    buffer[OS_MAXSTR] = '\0';
+
+    //test_w_macos_is_log_ctxt_expired_false
+    ctxt.timestamp = 1000;
+    ctxt.force_send = false;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    w_macos_log_config_t macos_log_cfg;
+    macos_log_cfg.ctxt = ctxt;
+    macos_log_cfg.is_header_processed = true;
+
+    int length = strlen(ctxt.buffer) + 100;
+
+    FILE * stream;
+    os_calloc(1, sizeof(FILE *), stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "log 2 first line\r\n");
+
+    //test_w_macos_log_ctxt_backup_success
+
+    //test_w_macos_is_log_header_false
+    will_return(__wrap_w_expression_match, true);
+
+    //test_w_macos_log_get_last_valid_line
+
+    will_return(__wrap_isDebug, 2);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "Reading macOS message: ''...");
+
+    will_return(__wrap_time, 1001);
+
+    bool ret = w_macos_log_getlog(buffer, length, stream, &macos_log_cfg);
+
+    assert_string_equal(buffer, "log 1 first line\nlog 1 second line");
+    assert_string_equal(macos_log_cfg.ctxt.buffer, "log 2 first line\n");
+    assert_int_equal(macos_log_cfg.ctxt.timestamp, 1001);
+    assert_true(ret);
+
+    os_free(stream);
+}
+
+/* w_macos_trim_full_timestamp */
+
+void test_w_macos_trim_full_timestamp_null_pointer(void ** state) {
+
+    assert_null(w_macos_trim_full_timestamp(NULL));
+}
+
+void test_w_macos_trim_full_timestamp_empty_string(void ** state) {
+
+    assert_null(w_macos_trim_full_timestamp(""));
+}
+
+void test_w_macos_trim_full_timestamp_incomplete_timestamp(void ** state) {
+
+    char * INCOMPLETE_TIMESTAMP = "2019-12-14 05:43:58.9";
+
+    assert_null(w_macos_trim_full_timestamp(INCOMPLETE_TIMESTAMP));
+}
+
+void test_w_macos_trim_full_timestamp_full_timestamp(void ** state) {
+
+    char * FULL_TIMESTAMP = "2019-12-14 05:43:58.972536-0800";
+    char * EXPECTED_TRIMMED_TIMESTAMP = "2019-12-14 05:43:58-0800";
+    char * retstr;
+
+    retstr = w_macos_trim_full_timestamp(FULL_TIMESTAMP);
+
+    assert_non_null(retstr);
+    assert_string_equal(retstr, EXPECTED_TRIMMED_TIMESTAMP);
+
+    os_free(retstr);
+}
+
+/* read_macos */
+
+void test_read_macos_can_read_false(void ** state) {
+
+    logreader dummy_lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), dummy_lf.macos_log);
+    dummy_lf.macos_log->state = LOG_RUNNING_STREAM;
+
+    will_return(__wrap_can_read, 0);
+
+    assert_null(read_macos(&dummy_lf, &dummy_rc, 0));
+
+    os_free(dummy_lf.macos_log);
+}
+
+void test_read_macos_getlog_false(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_can_read, 0); // forces w_macos_log_getlog to return NULL
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 0);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_empty_log(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->is_header_processed = true;
+
+
+    will_return(__wrap_can_read, 1);
+
+    // This block forces w_macos_log_getlog to return "true" and an empty buffer
+    lf.macos_log->ctxt.buffer[0] = '\n';
+    lf.macos_log->ctxt.buffer[1] = '\0';
+    lf.macos_log->ctxt.timestamp = 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Discarding empty message.");
+    will_return(__wrap_can_read, 0); // second loop
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 0);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_incomplete_short_log(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->ctxt.buffer[0] = '\0';
+
+    will_return(__wrap_can_read, 1);
+
+    will_return(__wrap_can_read, 1);
+    lf.macos_log->ctxt.timestamp = 1000;
+    will_return(__wrap_time, 999 + MACOS_LOG_TIMEOUT);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "test");
+
+    expect_string(__wrap__mdebug2, formatted_msg, "macOS ULS: Incomplete message.");
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 0);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_single_full_log_store_timestamp_and_setting(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->is_header_processed = true;
+    lf.macos_log->store_current_settings = false;
+    lf.macos_log->current_settings = "some log command with predicate and stuff";
+    lf.macos_log->ctxt.timestamp = 1000;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 0);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+    expect_string(__wrap_w_macos_set_log_settings, settings, lf.macos_log->current_settings);
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 0);
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_true(lf.macos_log->store_current_settings);
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_more_logs_than_maximum(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+    int TIMESTAMP_TIME = 10;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->is_header_processed = true;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->ctxt.timestamp = TIMESTAMP_TIME;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+    maximum_lines = 3;
+
+    will_return(__wrap_can_read, 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:54.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+     will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:55.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:56.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:55-0700");
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    maximum_lines = TESTING_MAXIMUM_LINES;
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_disable_maximum_lines(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+    int TIMESTAMP_TIME = 10;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->is_header_processed = true;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->ctxt.timestamp = TIMESTAMP_TIME;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+    maximum_lines = 0;
+
+    will_return(__wrap_can_read, 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:54.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:55.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "2021-05-17 15:31:56.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_isDebug, 0);
+
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_time, TIMESTAMP_TIME);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_time, TIMESTAMP_TIME + 100);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:56-0700");
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    maximum_lines = TESTING_MAXIMUM_LINES;
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_toggle_correctly_ended_show_to_stream(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.show.wfd);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    wfd_t * show_ptr = lf.macos_log->processes.show.wfd;
+    wfd_t * stream_ptr = lf.macos_log->processes.stream.wfd;
+    lf.macos_log->state = LOG_RUNNING_SHOW;
+    lf.macos_log->processes.show.wfd->pid = 10;
+    lf.macos_log->processes.stream.wfd->pid = 11;
+    macos_processes = &lf.macos_log->processes;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->is_header_processed = true;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+
+    // Save an expired context to send it immediately
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib)\n");
+    lf.macos_log->ctxt.timestamp = 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 10);
+
+    expect_string(__wrap__minfo, formatted_msg, "(1607): macOS 'log show' process exited, pid: 10, exit value: 0.");
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, NULL);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_string_equal(lf.macos_log->ctxt.buffer, "");
+    assert_true(lf.macos_log->store_current_settings);
+    assert_int_equal(lf.macos_log->state, LOG_RUNNING_STREAM);
+    assert_non_null(lf.macos_log->processes.stream.wfd);
+    assert_false(lf.macos_log->is_header_processed);
+
+    os_free(show_ptr);
+    os_free(stream_ptr);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_toggle_faulty_ended_show_to_stream(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.show.wfd);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    wfd_t * show_ptr = lf.macos_log->processes.show.wfd;
+    wfd_t * stream_ptr = lf.macos_log->processes.stream.wfd;
+    lf.macos_log->state = LOG_RUNNING_SHOW;
+    lf.macos_log->processes.show.wfd->pid = 10;
+    lf.macos_log->processes.stream.wfd->pid = 11;
+    macos_processes = &lf.macos_log->processes;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->is_header_processed = true;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+
+    // Save an expired context to send it immediately
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib)\n");
+    lf.macos_log->ctxt.timestamp = 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 1);
+    will_return(__wrap_waitpid, 10);
+
+    expect_string(__wrap__merror, formatted_msg, "(1607): macOS 'log show' process exited, pid: 10, exit value: 1.");
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, NULL);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_string_equal(lf.macos_log->ctxt.buffer, "");
+    assert_true(lf.macos_log->store_current_settings);
+    assert_int_equal(lf.macos_log->state, LOG_RUNNING_STREAM);
+    assert_non_null(lf.macos_log->processes.stream.wfd);
+    assert_false(lf.macos_log->is_header_processed);
+
+    os_free(show_ptr);
+    os_free(stream_ptr);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_toggle_correctly_ended_show_to_faulty_stream(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.show.wfd);
+    wfd_t * show_ptr = lf.macos_log->processes.show.wfd;
+    lf.macos_log->state = LOG_RUNNING_SHOW;
+    lf.macos_log->processes.show.wfd->pid = 10;
+    lf.macos_log->processes.stream.wfd = NULL;
+    macos_processes = &lf.macos_log->processes;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->is_header_processed = true;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+
+    // Save an expired context to send it immediately
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib)\n");
+    lf.macos_log->ctxt.timestamp = 1000;
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 10);
+
+    expect_string(__wrap__minfo, formatted_msg, "(1607): macOS 'log show' process exited, pid: 10, exit value: 0.");
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log show` resources.");
+
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, NULL);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_string_equal(lf.macos_log->ctxt.buffer, "");
+    assert_true(lf.macos_log->store_current_settings);
+    assert_int_equal(lf.macos_log->state, LOG_NOT_RUNNING);
+    assert_null(macos_processes->show.wfd);
+
+    os_free(show_ptr);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_faulty_ended_stream(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+    wfd_t * stream_ptr = lf.macos_log->processes.stream.wfd;
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = 10;
+    macos_processes = &lf.macos_log->processes;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->is_header_processed = true;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+
+    // Save an expired context to send it immediately
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib)\n");
+    lf.macos_log->ctxt.timestamp = 1000;
+
+    will_return(__wrap_can_read, 1);
+
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 1);
+    will_return(__wrap_waitpid, 10);
+
+    expect_string(__wrap__merror, formatted_msg, "(1607): macOS 'log stream' process exited, pid: 10, exit value: 1.");
+    expect_string(__wrap__mdebug1, formatted_msg, "macOS ULS: Releasing macOS `log stream` resources.");
+
+    expect_value(__wrap_kill, sig, SIGTERM);
+    expect_value(__wrap_kill, pid, 10);
+    will_return(__wrap_kill, 0);
+    will_return(__wrap_wpclose, NULL);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_string_equal(lf.macos_log->ctxt.buffer, "");
+    assert_true(lf.macos_log->store_current_settings);
+    assert_int_equal(lf.macos_log->state, LOG_NOT_RUNNING);
+    assert_null(macos_processes->show.wfd);
+
+
+    os_free(stream_ptr);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_faulty_waitpid(void ** state) {
+
+    logreader lf;
+    int dummy_rc;
+    errno = 123;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = 10;
+    macos_processes = &lf.macos_log->processes;
+    lf.macos_log->store_current_settings = true;
+    lf.macos_log->is_header_processed = true;
+    lf.regex_ignore = NULL;
+    lf.regex_restrict = NULL;
+
+    // Save an expired context to send it immediately
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib)\n");
+    lf.macos_log->ctxt.timestamp = 1000;
+
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_string(__wrap_w_macos_set_last_log_timestamp, timestamp, "2021-05-17 15:31:53-0700");
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 1);
+    will_return(__wrap_waitpid, 2);
+    will_return(__wrap_strerror, "error test");
+
+    expect_string(__wrap__merror, formatted_msg, "(1111): Error during waitpid()-call due to [(123)-(error test)].");
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+    assert_string_equal(lf.macos_log->ctxt.buffer, "");
+    assert_true(lf.macos_log->store_current_settings);
+    assert_null(macos_processes->show.wfd);
+
+
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+}
+
+void test_read_macos_log_ignored(void ** state) {
+    logreader lf;
+    int dummy_rc;
+    char log_str[PATH_MAX + 1] = {0};
+    w_expression_t * expression_ignore;
+
+    os_calloc(1, sizeof(w_macos_log_config_t), lf.macos_log);
+    os_calloc(1, sizeof(wfd_t), lf.macos_log->processes.stream.wfd);
+
+    lf.regex_ignore = OSList_Create();
+    OSList_SetFreeDataPointer(lf.regex_ignore, (void (*)(void *))w_free_expression);
+
+    w_calloc_expression_t(&expression_ignore, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_ignore, "ignore.*", 0);
+    OSList_InsertData(lf.regex_ignore, NULL, expression_ignore);
+
+    lf.macos_log->state = LOG_RUNNING_STREAM;
+    lf.macos_log->processes.stream.wfd->pid = getpid();
+    lf.macos_log->is_header_processed = true;
+    lf.macos_log->store_current_settings = false;
+    lf.macos_log->current_settings = "some log command with predicate and stuff";
+    lf.macos_log->ctxt.timestamp = 1000;
+    lf.regex_restrict = NULL;
+    strcpy(lf.macos_log->ctxt.buffer, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name\n");
+
+    will_return(__wrap_can_read, 1);
+    will_return(__wrap_time, 1000 + MACOS_LOG_TIMEOUT + 1);
+    will_return(__wrap_w_expression_match, true);
+
+    snprintf(log_str, PATH_MAX, LF_MATCH_REGEX, "2021-05-17 15:31:53.586313-0700  localhost sshd[880]: (libsystem_info.dylib) Created Activity ID: 0x2040, Description: Retrieve User by Name", "ignore", "ignore.*");
+    expect_string(__wrap__mdebug2, formatted_msg, log_str);
+
+    will_return(__wrap_can_read, 0);
+
+    expect_any(__wrap_waitpid, __pid);
+    expect_any(__wrap_waitpid, __options);
+    will_return(__wrap_waitpid, 0);
+    will_return(__wrap_waitpid, 0);
+
+    assert_null(read_macos(&lf, &dummy_rc, 0));
+
+    os_free(lf.macos_log->processes.stream.wfd);
+    os_free(lf.macos_log);
+
+    if (lf.regex_ignore) {
+        OSList_Destroy(lf.regex_ignore);
+        lf.regex_ignore = NULL;
+    }
+}
+
+int main(void) {
+
+    maximum_lines = TESTING_MAXIMUM_LINES;
+    const struct CMUnitTest tests[] = {
+        // Test w_macos_log_ctxt_restore
+        cmocka_unit_test(test_w_macos_log_ctxt_restore_false),
+        cmocka_unit_test(test_w_macos_log_ctxt_restore_true),
+        // Test w_macos_log_ctxt_backup
+        cmocka_unit_test(test_w_macos_log_ctxt_backup_success),
+        // Test w_macos_log_ctxt_clean
+        cmocka_unit_test(test_w_macos_log_ctxt_clean_success),
+        // Test w_macos_is_log_ctxt_expired
+        cmocka_unit_test(test_w_macos_is_log_ctxt_expired_true),
+        cmocka_unit_test(test_w_macos_is_log_ctxt_expired_false),
+        // Test w_macos_log_get_last_valid_line
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_null),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_empty),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_without_new_line),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_with_new_line_end),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_with_new_line_not_end),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_with_two_new_lines_end),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_with_two_new_lines_not_end),
+        cmocka_unit_test(test_w_macos_log_get_last_valid_line_str_with_three_new_lines_not_end),
+        // Test w_macos_is_log_header
+        cmocka_unit_test(test_w_macos_is_log_header_false),
+        cmocka_unit_test(test_w_macos_is_log_header_log_stream_execution_error_after_exec),
+        cmocka_unit_test(test_w_macos_is_log_header_log_stream_execution_error_colon),
+        cmocka_unit_test(test_w_macos_is_log_header_log_stream_execution_error_line_break),
+        cmocka_unit_test(test_w_macos_is_log_header_reading_other_log),
+        cmocka_unit_test(test_w_macos_is_log_header_reading_other_log_line_break),
+        // Test w_macos_log_getlog
+        cmocka_unit_test(test_w_macos_log_getlog_context_expired),
+        cmocka_unit_test(test_w_macos_log_getlog_context_expired_new_line),
+        cmocka_unit_test(test_w_macos_log_getlog_context_not_expired),
+        cmocka_unit_test(test_w_macos_log_getlog_context_buffer_full),
+        cmocka_unit_test(test_w_macos_log_getlog_context_buffer_full_no_endl_force_split),
+        cmocka_unit_test(test_w_macos_log_getlog_context_not_endline),
+        cmocka_unit_test(test_w_macos_log_getlog_context_full_buffer),
+        cmocka_unit_test(test_w_macos_log_getlog_discards_irrelevant_headers),
+        cmocka_unit_test(test_w_macos_log_getlog_discards_irrelevant_headers_sierra_child_processes_already_set),
+        cmocka_unit_test(test_w_macos_log_getlog_discards_irrelevant_headers_sierra_stream_and_show_without_child_pid),
+        cmocka_unit_test(test_w_macos_log_getlog_split_two_logs),
+        cmocka_unit_test(test_w_macos_log_getlog_backup_context),
+        cmocka_unit_test(test_w_macos_log_getlog_backup_context_sierra),
+        cmocka_unit_test(test_w_macos_log_getlog_backup_context_sierra_multiline),
+        cmocka_unit_test(test_w_macos_log_getlog_backup_context_sierra_new_line),
+        cmocka_unit_test(test_w_macos_log_getlog_cannot_read),
+        cmocka_unit_test(test_w_macos_log_getlog_discard_until_eof),
+        cmocka_unit_test(test_w_macos_log_getlog_discard_until_null),
+        cmocka_unit_test(test_w_macos_log_getlog_split_two_logs_debug),
+        // Test w_macos_trim_full_timestamp
+        cmocka_unit_test(test_w_macos_trim_full_timestamp_null_pointer),
+        cmocka_unit_test(test_w_macos_trim_full_timestamp_empty_string),
+        cmocka_unit_test(test_w_macos_trim_full_timestamp_incomplete_timestamp),
+        cmocka_unit_test(test_w_macos_trim_full_timestamp_full_timestamp),
+        // Test w_read_macos
+        cmocka_unit_test(test_read_macos_can_read_false),
+        cmocka_unit_test(test_read_macos_getlog_false),
+        cmocka_unit_test(test_read_macos_empty_log),
+        cmocka_unit_test(test_read_macos_incomplete_short_log),
+        cmocka_unit_test(test_read_macos_single_full_log_store_timestamp_and_setting),
+        cmocka_unit_test(test_read_macos_more_logs_than_maximum),
+        cmocka_unit_test(test_read_macos_disable_maximum_lines),
+        cmocka_unit_test(test_read_macos_toggle_correctly_ended_show_to_stream),
+        cmocka_unit_test(test_read_macos_toggle_faulty_ended_show_to_stream),
+        cmocka_unit_test(test_read_macos_toggle_correctly_ended_show_to_faulty_stream),
+        cmocka_unit_test(test_read_macos_faulty_ended_stream),
+        cmocka_unit_test(test_read_macos_faulty_waitpid),
+        cmocka_unit_test(test_read_macos_log_ignored),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_read_multiline.c b/src/modules/logcollector/tests/unit/tests/test_read_multiline.c
new file mode 100644
index 0000000000..c2ab1c86c4
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_read_multiline.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/logcollector.h"
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+
+/* Setup & Teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* Wraps */
+int __wrap_can_read() {
+    return mock_type(int);
+}
+
+bool __wrap_w_get_hash_context(const char * path, EVP_MD_CTX * context, int64_t position) {
+    return mock_type(bool);
+}
+
+int __wrap_w_update_file_status(const char * path, int64_t pos, EVP_MD_CTX * context) {
+    bool free_context = mock_type(bool);
+    if (free_context) {
+        EVP_MD_CTX_free(context);
+    }
+    return mock_type(int);
+}
+
+void __wrap_OS_SHA1_Stream(EVP_MD_CTX *c, os_sha1 output, char * buf) {
+    function_called();
+    return;
+}
+
+/* Tests */
+
+void test_buffer_space(void ** state) {
+    logreader lf = { .file = "test", .linecount = 3 };
+    int rc;
+    char * input_str = malloc(OS_MAX_LOG_SIZE);
+    memset(input_str, '.', OS_MAX_LOG_SIZE - 1);
+    input_str[OS_MAX_LOG_SIZE - 1] = '\0';
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_w_get_hash_context, true);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, input_str);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) OS_MAX_LOG_SIZE - 1);
+
+    expect_function_call(__wrap_OS_SHA1_Stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "\n");
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) OS_MAX_LOG_SIZE);
+
+    expect_function_call(__wrap_OS_SHA1_Stream);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, input_str);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) (OS_MAX_LOG_SIZE) * 2 - 1);
+
+    expect_function_call(__wrap_OS_SHA1_Stream);
+
+    expect_any(__wrap__merror, formatted_msg);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) (OS_MAX_LOG_SIZE) * 2 - 1);
+
+    will_return(__wrap_can_read, 0);
+
+    will_return(__wrap_w_update_file_status, true);
+    will_return(__wrap_w_update_file_status, 0);
+
+    read_multiline(&lf, &rc, 1);
+
+    free(input_str);
+}
+
+void test_buffer_space_invalid_context(void ** state) {
+    logreader lf = { .file = "test", .linecount = 3 };
+    int rc;
+    char * input_str = malloc(OS_MAX_LOG_SIZE);
+    memset(input_str, '.', OS_MAX_LOG_SIZE - 1);
+    input_str[OS_MAX_LOG_SIZE - 1] = '\0';
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_w_get_hash_context, false);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, input_str);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) OS_MAX_LOG_SIZE - 1);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "\n");
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) OS_MAX_LOG_SIZE);
+
+    will_return(__wrap_can_read, 1);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, input_str);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) (OS_MAX_LOG_SIZE) * 2 - 1);
+
+    expect_any(__wrap__merror, formatted_msg);
+
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) (OS_MAX_LOG_SIZE) * 2 - 1);
+
+    will_return(__wrap_can_read, 0);
+
+    read_multiline(&lf, &rc, 1);
+
+    free(input_str);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_buffer_space),
+        cmocka_unit_test(test_buffer_space_invalid_context),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_read_multiline_regex.c b/src/modules/logcollector/tests/unit/tests/test_read_multiline_regex.c
new file mode 100644
index 0000000000..eb700dd30c
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_read_multiline_regex.c
@@ -0,0 +1,1902 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../logcollector/logcollector.h"
+#include "../../headers/shared.h"
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+
+void multiline_replace(char * buffer, w_multiline_replace_type_t type);
+bool multiline_ctxt_is_expired(time_t timeout, w_multiline_ctxt_t * ctxt);
+bool multiline_ctxt_restore(char * buffer, int * readed_lines, w_multiline_ctxt_t * ctxt);
+void multiline_ctxt_free(w_multiline_ctxt_t ** ctxt);
+void multiline_ctxt_backup(char * buffer, int readed_lines, w_multiline_ctxt_t ** ctxt);
+
+int multiline_getlog_start(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+int multiline_getlog_end(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+int multiline_getlog_all(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+int multiline_getlog(char * buffer, int length, FILE * stream, w_multiline_config_t * ml_cfg);
+void * read_multiline_regex(logreader * lf, int * rc, int drop_it);
+char * get_file_chunk(FILE * stream, int64_t initial_pos, int64_t final_pos);
+
+/* setup/teardown */
+
+static int group_setup(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int group_teardown(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+/* wraps */
+int __wrap_can_read() {
+    return mock_type(int);
+}
+
+bool __wrap_w_expression_match(w_expression_t * expression, const char * str_test, const char ** end_match,
+                               regex_matching * regex_match) {
+    return mock_type(bool);
+}
+
+int __wrap_w_msg_hash_queues_push(const char * str, char * file, unsigned long size, logtarget * targets,
+                                  char queue_mq) {
+    return mock_type(int);
+}
+
+bool __wrap_w_get_hash_context(const char * path, EVP_MD_CTX * context, int64_t position) {
+    return mock_type(bool);
+}
+
+int __wrap_w_update_file_status(const char * path, int64_t pos, EVP_MD_CTX * context) {
+    bool free_context = mock_type(bool);
+    if (free_context) {
+        EVP_MD_CTX_free(context);
+    }
+    return mock_type(int);
+}
+
+void __wrap_OS_SHA1_Stream(EVP_MD_CTX *c, os_sha1 output, char * buf) {
+    function_called();
+    return;
+}
+
+/* tests */
+
+/* multiline_replace linux */
+void test_multiline_replace_ws_not_found(void ** state) {
+
+    char str[] = "test replace white space";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace white space";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_ws_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_ws_char_empty_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    char str[] = "";
+    multiline_replace(str, type);
+}
+
+void test_multiline_replace_ws_char_noreplace(void ** state) {
+
+    char str[] = "test replace\nwhite space";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace\nwhite space";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_ws_char_replace_last(void ** state) {
+
+    char str[] = "test replace\ntab\n";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace\ntab ";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_tab_not_found(void ** state) {
+
+    char str[] = "test replace tab";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace tab";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_tab_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_tab_char_empty_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    char str[] = "";
+    multiline_replace(str, type);
+}
+
+void test_multiline_replace_tab_char_noreplace(void ** state) {
+
+    char str[] = "test replace\ntab";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace\ntab";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_tab_char_replace_last(void ** state) {
+
+    char str[] = "test replace\ntab\n";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace\ntab\t";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_none_not_found(void ** state) {
+
+    char str[] = "test replace none";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace none";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_none_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_none_char_empty_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    char str[] = "";
+    multiline_replace(str, type);
+}
+
+void test_multiline_replace_none_char_noreplace(void ** state) {
+
+    char str[] = "test replace\nnone";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace\nnone";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_none_char_replace_last(void ** state) {
+
+    char str[] = "test replace\nnone\n";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace\nnone";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_noreplace_not_found(void ** state) {
+
+    char str[] = "test replace no replace";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace no replace";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_noreplace_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_noreplace_char_replace(void ** state) {
+
+    char str[] = "test replace\nno replace";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace\nno replace";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_noreplace_char_replace_last(void ** state) {
+
+    char str[] = "test replace\nno replace\n";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace\nno replace\n";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+/* multiline_replace windows */
+void test_multiline_replace_w_ws_not_found(void ** state) {
+
+    char str[] = "test replace white space";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace white space";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_ws_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_w_ws_char_noreplace(void ** state) {
+
+    char str[] = "test replace\r\nwhite space";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace\r\nwhite space";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_ws_char_replace_last(void ** state) {
+
+    char str[] = "test replace\r\ntab\r\n";
+    w_multiline_replace_type_t type = ML_REPLACE_WSPACE;
+    const char str_expected[] = "test replace\r\ntab ";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_tab_not_found(void ** state) {
+
+    char str[] = "test replace tab";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace tab";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_tab_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_w_tab_char_noreplace(void ** state) {
+
+    char str[] = "test replace\r\ntab";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace\r\ntab";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_tab_char_replace_last(void ** state) {
+
+    char str[] = "test replace\r\ntab\r\n";
+    w_multiline_replace_type_t type = ML_REPLACE_TAB;
+    const char str_expected[] = "test replace\r\ntab\t";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_none_not_found(void ** state) {
+
+    char str[] = "test replace none";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace none";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_none_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_w_none_char_noreplace(void ** state) {
+
+    char str[] = "test replace\r\nnone";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace\r\nnone";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_none_char_replace_last(void ** state) {
+
+    char str[] = "test replace\r\nnone\r\n";
+    w_multiline_replace_type_t type = ML_REPLACE_NONE;
+    const char str_expected[] = "test replace\r\nnone";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_noreplace_not_found(void ** state) {
+
+    char str[] = "test replace no replace";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace no replace";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_noreplace_char_null_str(void ** state) {
+
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    multiline_replace(NULL, type);
+}
+
+void test_multiline_replace_w_noreplace_char_noreplace(void ** state) {
+
+    char str[] = "test replace\r\nno replace";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace\r\nno replace";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+
+void test_multiline_replace_w_noreplace_char_replace_last(void ** state) {
+
+    char str[] = "test replace\r\nno replace\r\n";
+    w_multiline_replace_type_t type = ML_REPLACE_NO_REPLACE;
+    const char str_expected[] = "test replace\r\nno replace\r\n";
+
+    multiline_replace(str, type);
+    assert_string_equal(str, str_expected);
+}
+// Test multiline_ctxt_is_expired
+void test_multiline_ctxt_is_expired_not_found(void ** state) { assert_true(multiline_ctxt_is_expired(1, NULL)); }
+
+void test_multiline_ctxt_is_expired_not_expired(void ** state) {
+
+    w_multiline_ctxt_t ctxt = {.timestamp = 50};
+    unsigned int timeout = 75;
+
+    will_return(__wrap_time, (unsigned int) 100);
+
+    assert_false(multiline_ctxt_is_expired(timeout, &ctxt));
+}
+
+void test_multiline_ctxt_is_expired_expired(void ** state) {
+    w_multiline_ctxt_t ctxt = {.timestamp = 50};
+    unsigned int timeout = 10;
+
+    will_return(__wrap_time, (unsigned int) 100);
+
+    assert_true(multiline_ctxt_is_expired(timeout, &ctxt));
+}
+
+/* multiline_ctxt_restore */
+void test_multiline_ctxt_restore_restore(void ** state) {
+
+    // orginal content
+    w_multiline_ctxt_t ctxt = {
+        .buffer = "Test buffer",
+        .lines_count = 100,
+        .timestamp = 0,
+    };
+    // restore
+    int readed_lines = -1;
+    char * buffer;
+    os_calloc(strlen(ctxt.buffer) + 1, sizeof(char), buffer);
+
+    assert_true(multiline_ctxt_restore(buffer, &readed_lines, &ctxt));
+    assert_int_equal(readed_lines, ctxt.lines_count);
+    assert_string_equal(buffer, ctxt.buffer);
+
+    os_free(buffer);
+}
+
+void test_multiline_ctxt_restore_null(void ** state) {
+
+    // restore
+    int readed_lines = -1;
+    char * buffer = NULL;
+
+    assert_false(multiline_ctxt_restore(buffer, &readed_lines, NULL));
+    assert_int_equal(readed_lines, -1);
+    assert_null(buffer);
+}
+
+/* multiline_ctxt_free */
+void test_multiline_ctxt_free_null(void ** state) {
+
+    w_multiline_ctxt_t * ctxt = NULL;
+    multiline_ctxt_free(&ctxt);
+}
+
+void test_multiline_ctxt_free_free(void ** state) {
+
+    w_multiline_ctxt_t * ctxt;
+    os_calloc(1, sizeof(w_multiline_ctxt_t), ctxt);
+    os_calloc(1, sizeof(char), ctxt->buffer);
+    multiline_ctxt_free(&ctxt);
+    assert_null(ctxt);
+}
+
+/* multiline_ctxt_backup */
+void test_multiline_ctxt_backup_no_restore(void ** state) {
+
+    char buffer[] = "hi!, no new content";
+    int readed_lines = 6;
+    w_multiline_ctxt_t * ctxt;
+    os_calloc(1, sizeof(w_multiline_ctxt_t), ctxt);
+    w_strdup(buffer, ctxt->buffer);
+    ctxt->lines_count = readed_lines;
+    ctxt->timestamp = (time_t) 5;
+
+    multiline_ctxt_backup(buffer, readed_lines, &ctxt);
+
+    assert_int_equal(ctxt->timestamp, 5);
+    assert_int_equal(readed_lines, 6);
+    assert_string_equal(buffer, ctxt->buffer);
+
+    multiline_ctxt_free(&ctxt);
+}
+
+void test_multiline_ctxt_backup_new_ctxt(void ** state) {
+
+    char buffer[] = "hi!, new content";
+    int readed_lines = 6;
+    w_multiline_ctxt_t * ctxt = NULL;
+
+    will_return(__wrap_time, 10);
+    multiline_ctxt_backup(buffer, readed_lines, &ctxt);
+
+    assert_int_equal(ctxt->timestamp, 10);
+    assert_int_equal(readed_lines, 6);
+    assert_string_equal(buffer, ctxt->buffer);
+
+    multiline_ctxt_free(&ctxt);
+}
+
+void test_multiline_ctxt_backup_increment(void ** state) {
+
+    char buffer[] = "old content + New content";
+    int readed_lines = 6;
+    w_multiline_ctxt_t * ctxt;
+    os_calloc(1, sizeof(w_multiline_ctxt_t), ctxt);
+    w_strdup("old content + ", ctxt->buffer);
+    ctxt->lines_count = 5;
+    ctxt->timestamp = (time_t) 5;
+
+    will_return(__wrap_time, 10);
+    multiline_ctxt_backup(buffer, readed_lines, &ctxt);
+
+    assert_int_equal(ctxt->timestamp, 10);
+    assert_int_equal(readed_lines, 6);
+    assert_string_equal(buffer, ctxt->buffer);
+
+    multiline_ctxt_free(&ctxt);
+}
+
+/* multiline_getlog_start */
+void test_multiline_getlog_start_single_no_context(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_time, 1);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 0);
+    assert_string_equal(ml_confg.ctxt->buffer, "no match\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 1);
+    assert_int_equal(ml_confg.ctxt->timestamp, 1);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_start_ctxt_timeout(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+    os_strdup("no match\n", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 1;
+    ml_confg.ctxt->timestamp = 0;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+    will_return(__wrap_time, timeout + 1);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match");
+}
+
+void test_multiline_getlog_start_ctxt_append_ctxt(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+    const char * msg = "no match\nno match2\n";
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_time, timeout - 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match3\n");
+    will_return(__wrap_w_expression_match, false);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+    will_return(__wrap_time, timeout);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "no match\nno match2\nno match3\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 3);
+    assert_int_equal(ml_confg.ctxt->timestamp, timeout);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_start_ctxt_match(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+    const char * msg = "no match\nno match2\n";
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_time, timeout - 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "match");
+    will_return(__wrap_w_expression_match, true);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match\nno match2");
+}
+
+void test_multiline_getlog_start_no_ctxt_match(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match2\n");
+    will_return(__wrap_w_expression_match, false);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "match");
+    will_return(__wrap_w_expression_match, true);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_string_equal(buffer, "no match\nno match2");
+    assert_null(ml_confg.ctxt);
+}
+
+void test_multiline_getlog_start_no_ctxt_overflow(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "01234567890123456789------");
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "0123456789012345678");
+}
+
+void test_multiline_getlog_start_ctxt_overflow(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "0123456789------");
+
+    will_return(__wrap_w_expression_match, false);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "123456789\n012345678");
+}
+
+void test_multiline_getlog_start_no_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_multiline_getlog_start_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_START;
+    ml_confg.ctxt->lines_count = 1;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "123456789\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 1);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_start_match_multi_replace(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NONE;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match-\n");
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, ">no match2\n");
+
+    will_return(__wrap_w_expression_match, false);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "next header");
+    will_return(__wrap_w_expression_match, true);
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    retval = multiline_getlog_start(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match->no match2");
+}
+
+/* multiline_getlog_end_single */
+void test_multiline_getlog_end_single_match_no_context(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "end match");
+}
+
+void test_multiline_getlog_end_ctxt_timeout(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+    os_strdup("no match\n", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 1;
+    ml_confg.ctxt->timestamp = 0;
+
+    will_return(__wrap_time, timeout + 1);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match");
+}
+
+void test_multiline_getlog_end_ctxt_append_ctxt(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+    const char * msg = "no match\nno match2\n";
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+
+    will_return(__wrap_time, timeout - 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match3\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+    will_return(__wrap_time, timeout);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "no match\nno match2\nno match3\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 3);
+    assert_int_equal(ml_confg.ctxt->timestamp, timeout);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_end_multi_match_no_context(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup("initial\n ctx\n", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_time, timeout - 1);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 4);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "initial\n ctx\nno match\nend match");
+}
+
+void test_multiline_getlog_end_multi_match_context(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match\nend match");
+}
+
+void test_multiline_getlog_end_no_ctxt_overflow(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "01234567890123456789------");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "0123456789012345678");
+}
+
+void test_multiline_getlog_end_ctxt_overflow(void ** state) {
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "0123456789------");
+
+    will_return(__wrap_w_expression_match, false);
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "123456789\n012345678");
+}
+
+void test_multiline_getlog_end_no_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_multiline_getlog_end_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+    ml_confg.ctxt->lines_count = 1;
+
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "123456789\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 1);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_end_match_multi_replace(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup("initial ctx", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NONE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_time, timeout - 1);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_end(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 4);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "initial ctxno matchend match");
+}
+
+// Test multiline_getlog_all
+void test_multiline_getlog_all_single_match_no_context(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "all match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "all match");
+}
+
+void test_multiline_getlog_all_ctxt_timeout(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+    os_strdup("no match\n", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 1;
+    ml_confg.ctxt->timestamp = 0;
+
+    will_return(__wrap_time, timeout + 1);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match");
+}
+
+void test_multiline_getlog_all_ctxt_append_ctxt(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500 + 1] = {0};
+    const char * msg = "no match\nno match2\n";
+    w_multiline_config_t ml_confg = {0};
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+
+    will_return(__wrap_time, timeout - 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match3\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+    will_return(__wrap_time, timeout);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "no match\nno match2\nno match3\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 3);
+    assert_int_equal(ml_confg.ctxt->timestamp, timeout);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_all_multi_match_no_context(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup("initial\n ctx\n", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_time, timeout - 1);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 4);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "initial\n ctx\nno match\nend match");
+}
+
+void test_multiline_getlog_all_multi_match_context(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match\nend match");
+}
+
+void test_multiline_getlog_all_no_ctxt_overflow(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "01234567890123456789------");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "0123456789012345678");
+}
+
+void test_multiline_getlog_all_ctxt_overflow(void ** state) {
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "0123456789------");
+
+    will_return(__wrap_w_expression_match, false);
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '-');
+    will_return(__wrap_fgetc, '\0');
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "123456789\n012345678");
+}
+
+void test_multiline_getlog_all_no_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_multiline_getlog_all_ctxt_cant_read(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 20;
+    const time_t timeout = (time_t) 100;
+    char buffer[20];
+    w_multiline_config_t ml_confg = {0};
+
+    const char * msg = "123456789\n";
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+    ml_confg.ctxt->lines_count = 1;
+
+    will_return(__wrap_time, 0);
+
+    will_return(__wrap_can_read, 0);
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+    assert_int_equal(retval, 0);
+    assert_non_null(ml_confg.ctxt);
+    assert_string_equal(ml_confg.ctxt->buffer, "123456789\n");
+    assert_int_equal(ml_confg.ctxt->lines_count, 1);
+    multiline_ctxt_free(&ml_confg.ctxt);
+}
+
+void test_multiline_getlog_all_match_multi_replace(void ** state) {
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup("initial ctx", ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NONE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_time, timeout - 1);
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "no match\n");
+    will_return(__wrap_w_expression_match, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog_all(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 4);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "initial ctxno matchend match");
+}
+
+/* multiline_getlog */
+void test_multiline_getlog_unknown(void ** state) {
+
+    char buffer[] = "1234567890";
+    int length = 100;
+    int retval;
+    w_multiline_config_t ml_cfg = {0};
+    ml_cfg.match_type = ML_MATCH_MAX;
+
+    retval = multiline_getlog(buffer, length, 0, &ml_cfg);
+
+    assert_int_equal(retval, 0);
+    assert_int_equal(strlen(buffer), 0);
+}
+
+void test_multiline_getlog_start(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500] = {0};
+    const char * msg = "no match\nno match2\n";
+    w_multiline_config_t ml_confg = {0};
+
+    os_calloc(1, sizeof(w_multiline_config_t), ml_confg.ctxt);
+    os_strdup(msg, ml_confg.ctxt->buffer);
+    ml_confg.ctxt->lines_count = 2;
+    ml_confg.ctxt->timestamp = 0;
+    ml_confg.timeout = timeout;
+    ml_confg.match_type = ML_MATCH_START;
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, 0);
+    will_return(__wrap_time, timeout - 1);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "match");
+    will_return(__wrap_w_expression_match, true);
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 0);
+    will_return(__wrap_w_fseek, 0);
+
+    retval = multiline_getlog(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 2);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "no match\nno match2");
+}
+
+void test_multiline_getlog_end(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "end match");
+}
+
+void test_multiline_getlog_all(void ** state) {
+
+    int retval;
+    const size_t buffer_size = 500;
+    const time_t timeout = (time_t) 100;
+    char buffer[500];
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = timeout;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_ALL;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+
+    retval = multiline_getlog(buffer, buffer_size, 0, &ml_confg);
+
+    assert_int_equal(retval, 1);
+    assert_null(ml_confg.ctxt);
+    assert_string_equal(buffer, "end match");
+}
+
+/* read_multiline_regex */
+void test_read_multiline_regex_log_process(void ** state) {
+
+    logreader lf = {0};
+    int rc = 0;
+    int drop_it = 0;
+
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = 500;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    lf.multiline = &ml_confg;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 5);
+    will_return(__wrap_w_get_hash_context, true);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 10);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 5);
+    will_return(__wrap_w_fseek, 0);
+
+    will_return(__wrap_fread, "test0");
+    will_return(__wrap_fread, 5);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_function_call(__wrap_OS_SHA1_Stream);
+    will_return(__wrap_w_update_file_status, true);
+    will_return(__wrap_w_update_file_status, 0);
+
+    void * retval = read_multiline_regex(&lf, &rc, drop_it);
+    assert_ptr_equal(retval, NULL);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_read_multiline_regex_no_aviable_log(void ** state) {
+    logreader lf = {0};
+    int rc = 0;
+    int drop_it = 0;
+
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = 500;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    lf.multiline = &ml_confg;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 5);
+    will_return(__wrap_w_get_hash_context, true);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    will_return(__wrap_w_update_file_status, true);
+    will_return(__wrap_w_update_file_status, 0);
+
+    void * retval = read_multiline_regex(&lf, &rc, drop_it);
+    assert_ptr_equal(retval, NULL);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_read_multiline_regex_cant_read(void ** state) {
+    logreader lf = {0};
+    int rc = 0;
+    int drop_it = 0;
+
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = 500;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    lf.multiline = &ml_confg;
+
+    will_return(__wrap_can_read, 0);
+    void * retval = read_multiline_regex(&lf, &rc, drop_it);
+    assert_ptr_equal(retval, NULL);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_read_multiline_regex_invalid_context(void ** state) {
+
+    logreader lf = {0};
+    int rc = 0;
+    int drop_it = 0;
+
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = 500;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    lf.multiline = &ml_confg;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 5);
+    will_return(__wrap_w_get_hash_context, false);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "end match\n");
+    will_return(__wrap_w_expression_match, true);
+    will_return(__wrap_w_msg_hash_queues_push, 0);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 10);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 5);
+    will_return(__wrap_w_fseek, 0);
+
+    will_return(__wrap_fread, "test0");
+    will_return(__wrap_fread, 5);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    void * retval = read_multiline_regex(&lf, &rc, drop_it);
+    assert_ptr_equal(retval, NULL);
+    assert_null(ml_confg.ctxt);
+}
+
+void test_read_multiline_regex_log_ignored(void ** state) {
+
+    logreader lf = {0};
+    int rc = 0;
+    int drop_it = 0;
+    char log_str[PATH_MAX + 1] = {0};
+    w_expression_t * expression_ignore;
+
+    lf.regex_ignore = OSList_Create();
+    OSList_SetFreeDataPointer(lf.regex_ignore, (void (*)(void *))w_free_expression);
+
+    w_calloc_expression_t(&expression_ignore, EXP_TYPE_PCRE2);
+    w_expression_compile(expression_ignore, "ignore.*", 0);
+    OSList_InsertData(lf.regex_ignore, NULL, expression_ignore);
+
+    w_multiline_config_t ml_confg = {0};
+
+    ml_confg.timeout = 500;
+    ml_confg.replace_type = ML_REPLACE_NO_REPLACE;
+    ml_confg.match_type = ML_MATCH_END;
+
+    lf.multiline = &ml_confg;
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 5);
+    will_return(__wrap_w_get_hash_context, true);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, "ignore this log\n");
+    will_return(__wrap_w_expression_match, true);
+
+    will_return(__wrap_w_expression_match, true);
+
+    snprintf(log_str, PATH_MAX, LF_MATCH_REGEX, "ignore this log", "ignore", "ignore.*");
+    expect_string(__wrap__mdebug2, formatted_msg, log_str);
+
+    expect_any(__wrap_w_ftell, x);
+    will_return(__wrap_w_ftell, (int64_t) 10);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 5);
+    will_return(__wrap_w_fseek, 0);
+
+    will_return(__wrap_fread, "test0");
+    will_return(__wrap_fread, 5);
+
+    will_return(__wrap_can_read, 1);
+    expect_any(__wrap_fgets, __stream);
+    will_return(__wrap_fgets, NULL);
+
+    expect_function_call(__wrap_OS_SHA1_Stream);
+    will_return(__wrap_w_update_file_status, true);
+    will_return(__wrap_w_update_file_status, 0);
+
+    void * retval = read_multiline_regex(&lf, &rc, drop_it);
+
+    assert_ptr_equal(retval, NULL);
+    assert_null(ml_confg.ctxt);
+
+    if (lf.regex_ignore) {
+        OSList_Destroy(lf.regex_ignore);
+        lf.regex_ignore = NULL;
+    }
+}
+
+// Test get_file_chunk
+void test_get_file_chunk_fseek_fail(void ** state) {
+
+    char * retval;
+    int64_t initial_pos = 10;
+    int64_t final_pos = 5;
+
+    retval = get_file_chunk(NULL, initial_pos, final_pos);
+    assert_null(retval);
+}
+
+void test_get_file_chunk_size_reduce(void ** state) {
+
+    char * retval;
+    int64_t initial_pos = 5;
+    int64_t final_pos = 10;
+
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 4);
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 5);
+    will_return(__wrap_w_fseek, 0);
+
+    retval = get_file_chunk(NULL, initial_pos, final_pos);
+    assert_null(retval);
+}
+
+void test_get_file_chunk_ok(void ** state) {
+
+    char * retval;
+    int64_t initial_pos = 5;
+    int64_t final_pos = 10;
+
+    expect_any(__wrap_w_fseek, x);
+    expect_value(__wrap_w_fseek, pos, 5);
+    will_return(__wrap_w_fseek, 0);
+    will_return(__wrap_fread, "test");
+    will_return(__wrap_fread, 5);
+
+    retval = get_file_chunk(NULL, initial_pos, final_pos);
+    assert_string_equal("test", retval);
+    os_free(retval);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // Test replace_char
+        cmocka_unit_test(test_multiline_replace_ws_not_found),
+        cmocka_unit_test(test_multiline_replace_ws_char_null_str),
+        cmocka_unit_test(test_multiline_replace_ws_char_empty_str),
+        cmocka_unit_test(test_multiline_replace_ws_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_ws_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_tab_not_found),
+        cmocka_unit_test(test_multiline_replace_tab_char_null_str),
+        cmocka_unit_test(test_multiline_replace_tab_char_empty_str),
+        cmocka_unit_test(test_multiline_replace_tab_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_tab_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_none_not_found),
+        cmocka_unit_test(test_multiline_replace_none_char_null_str),
+        cmocka_unit_test(test_multiline_replace_none_char_empty_str),
+        cmocka_unit_test(test_multiline_replace_none_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_none_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_noreplace_not_found),
+        cmocka_unit_test(test_multiline_replace_noreplace_char_null_str),
+        cmocka_unit_test(test_multiline_replace_noreplace_char_replace),
+        cmocka_unit_test(test_multiline_replace_noreplace_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_w_ws_not_found),
+        cmocka_unit_test(test_multiline_replace_w_ws_char_null_str),
+        cmocka_unit_test(test_multiline_replace_w_ws_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_w_ws_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_w_tab_not_found),
+        cmocka_unit_test(test_multiline_replace_w_tab_char_null_str),
+        cmocka_unit_test(test_multiline_replace_w_tab_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_w_tab_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_w_none_not_found),
+        cmocka_unit_test(test_multiline_replace_w_none_char_null_str),
+        cmocka_unit_test(test_multiline_replace_w_none_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_w_none_char_replace_last),
+        cmocka_unit_test(test_multiline_replace_w_noreplace_not_found),
+        cmocka_unit_test(test_multiline_replace_w_noreplace_char_null_str),
+        cmocka_unit_test(test_multiline_replace_w_noreplace_char_noreplace),
+        cmocka_unit_test(test_multiline_replace_w_noreplace_char_replace_last),
+        // Test multiline_ctxt_is_expired
+        cmocka_unit_test(test_multiline_ctxt_is_expired_not_found),
+        cmocka_unit_test(test_multiline_ctxt_is_expired_not_expired),
+        cmocka_unit_test(test_multiline_ctxt_is_expired_expired),
+        // Test multiline_ctxt_restore
+        cmocka_unit_test(test_multiline_ctxt_restore_null),
+        cmocka_unit_test(test_multiline_ctxt_restore_restore),
+        // Test multiline_ctxt_free
+        cmocka_unit_test(test_multiline_ctxt_free_null),
+        cmocka_unit_test(test_multiline_ctxt_free_free),
+        // Test multiline_ctxt_backup
+        cmocka_unit_test(test_multiline_ctxt_backup_no_restore),
+        cmocka_unit_test(test_multiline_ctxt_backup_new_ctxt),
+        cmocka_unit_test(test_multiline_ctxt_backup_increment),
+        // Test multiline_getlog_start
+        cmocka_unit_test(test_multiline_getlog_start_single_no_context),
+        cmocka_unit_test(test_multiline_getlog_start_ctxt_timeout),
+        cmocka_unit_test(test_multiline_getlog_start_ctxt_append_ctxt),
+        cmocka_unit_test(test_multiline_getlog_start_ctxt_match),
+        cmocka_unit_test(test_multiline_getlog_start_no_ctxt_match),
+        cmocka_unit_test(test_multiline_getlog_start_no_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_start_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_start_no_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_start_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_start_match_multi_replace),
+        // Test multiline_getlog_end
+        cmocka_unit_test(test_multiline_getlog_end_single_match_no_context),
+        cmocka_unit_test(test_multiline_getlog_end_ctxt_timeout),
+        cmocka_unit_test(test_multiline_getlog_end_ctxt_append_ctxt),
+        cmocka_unit_test(test_multiline_getlog_end_multi_match_no_context),
+        cmocka_unit_test(test_multiline_getlog_end_multi_match_context),
+        cmocka_unit_test(test_multiline_getlog_end_no_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_end_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_end_no_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_end_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_end_match_multi_replace),
+        // Test multiline_getlog_all
+        cmocka_unit_test(test_multiline_getlog_all_single_match_no_context),
+        cmocka_unit_test(test_multiline_getlog_all_ctxt_timeout),
+        cmocka_unit_test(test_multiline_getlog_all_ctxt_append_ctxt),
+        cmocka_unit_test(test_multiline_getlog_all_multi_match_no_context),
+        cmocka_unit_test(test_multiline_getlog_all_multi_match_context),
+        cmocka_unit_test(test_multiline_getlog_all_no_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_all_ctxt_overflow),
+        cmocka_unit_test(test_multiline_getlog_all_no_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_all_ctxt_cant_read),
+        cmocka_unit_test(test_multiline_getlog_all_match_multi_replace),
+        // Tests multiline_getlog
+        cmocka_unit_test(test_multiline_getlog_unknown),
+        cmocka_unit_test(test_multiline_getlog_start),
+        cmocka_unit_test(test_multiline_getlog_end),
+        cmocka_unit_test(test_multiline_getlog_all),
+        // Tests read_multiline_regex
+        cmocka_unit_test(test_read_multiline_regex_no_aviable_log),
+        cmocka_unit_test(test_read_multiline_regex_log_process),
+        cmocka_unit_test(test_read_multiline_regex_cant_read),
+        cmocka_unit_test(test_read_multiline_regex_invalid_context),
+        cmocka_unit_test(test_read_multiline_regex_log_ignored),
+        // Test get_file_chunk
+        cmocka_unit_test(test_get_file_chunk_fseek_fail),
+        cmocka_unit_test(test_get_file_chunk_size_reduce),
+        cmocka_unit_test(test_get_file_chunk_ok),
+    };
+
+    return cmocka_run_group_tests(tests, group_setup, group_teardown);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_read_win_event_channel.c b/src/modules/logcollector/tests/unit/tests/test_read_win_event_channel.c
new file mode 100644
index 0000000000..30dcba1fbd
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_read_win_event_channel.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#include "shared.h"
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include <stdint.h>
+#include <sec_api/stdlib_s.h>
+#include <winerror.h>
+#include <winevt.h>
+
+typedef struct test_struct {
+    EVT_HANDLE evt;
+    LPCWSTR provider_name;
+    const char *message;
+} test_struct_t;
+
+char *get_message(EVT_HANDLE evt, LPCWSTR provider_name, DWORD flags);
+
+/* Setup & Teardown */
+
+static int test_setup(void ** state) {
+    test_struct_t *init_data = NULL;
+
+    os_calloc(1, sizeof(test_struct_t), init_data);
+    init_data->evt = NULL;
+    init_data->provider_name = L"provider_name";
+    init_data->message = "Test_Message";
+    *state = init_data;
+
+    test_mode = 1;
+    return 0;
+}
+
+static int test_teardown(void ** state) {
+    test_struct_t *data = (test_struct_t*)*state;
+
+    os_free(data);
+
+    test_mode = 0;
+    return 0;
+}
+
+/* Wraps */
+
+/* Tests */
+
+void test_get_message_get_publisher_fail(void ** state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    expect_value(wrap_EvtOpenPublisherMetadata, Session, NULL);
+    expect_string(wrap_EvtOpenPublisherMetadata, PublisherId, data->provider_name);
+    expect_value(wrap_EvtOpenPublisherMetadata, LogFilePath, NULL);
+    expect_value(wrap_EvtOpenPublisherMetadata, Locale, 0);
+    expect_value(wrap_EvtOpenPublisherMetadata, Flags, 0);
+    will_return(wrap_EvtOpenPublisherMetadata, NULL);
+
+    will_return(wrap_GetLastError, ERROR_FILE_NOT_FOUND);
+    will_return(wrap_FormatMessage, "File not found.");
+    expect_string(__wrap__mdebug1, formatted_msg, "Could not EvtOpenPublisherMetadata() with flags (1) which returned (2): File not found.");
+
+    assert_null(get_message(data->evt, data->provider_name, EvtFormatMessageEvent));
+}
+
+void test_get_message_get_size_fail(void ** state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    expect_value(wrap_EvtOpenPublisherMetadata, Session, NULL);
+    expect_string(wrap_EvtOpenPublisherMetadata, PublisherId, data->provider_name);
+    expect_value(wrap_EvtOpenPublisherMetadata, LogFilePath, NULL);
+    expect_value(wrap_EvtOpenPublisherMetadata, Locale, 0);
+    expect_value(wrap_EvtOpenPublisherMetadata, Flags, 0);
+    will_return(wrap_EvtOpenPublisherMetadata, 1);
+
+    will_return(wrap_EvtFormatMessage, strlen(data->message));
+    will_return(wrap_EvtFormatMessage, TRUE);
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+    expect_string(__wrap__merror, formatted_msg, "Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (122)");
+
+    will_return(wrap_EvtClose, TRUE);
+
+    assert_null(get_message(data->evt, data->provider_name, EvtFormatMessageEvent));
+
+}
+
+void test_get_message_format_fail(void ** state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    expect_value(wrap_EvtOpenPublisherMetadata, Session, NULL);
+    expect_string(wrap_EvtOpenPublisherMetadata, PublisherId, data->provider_name);
+    expect_value(wrap_EvtOpenPublisherMetadata, LogFilePath, NULL);
+    expect_value(wrap_EvtOpenPublisherMetadata, Locale, 0);
+    expect_value(wrap_EvtOpenPublisherMetadata, Flags, 0);
+    will_return(wrap_EvtOpenPublisherMetadata, 1);
+
+    will_return(wrap_EvtFormatMessage, strlen(data->message));
+    will_return(wrap_EvtFormatMessage, FALSE);
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+
+    will_return(wrap_EvtFormatMessage, data->message);
+    will_return(wrap_EvtFormatMessage, FALSE);
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+    expect_string(__wrap__merror, formatted_msg, "Could not EvtFormatMessage() with flags (1) which returned (122)");
+
+    will_return(wrap_EvtClose, TRUE);
+
+    assert_null(get_message(data->evt, data->provider_name, EvtFormatMessageEvent));
+}
+
+void test_get_message_convert_string_fail(void ** state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    expect_value(wrap_EvtOpenPublisherMetadata, Session, NULL);
+    expect_string(wrap_EvtOpenPublisherMetadata, PublisherId, data->provider_name);
+    expect_value(wrap_EvtOpenPublisherMetadata, LogFilePath, NULL);
+    expect_value(wrap_EvtOpenPublisherMetadata, Locale, 0);
+    expect_value(wrap_EvtOpenPublisherMetadata, Flags, 0);
+    will_return(wrap_EvtOpenPublisherMetadata, 1);
+
+    will_return(wrap_EvtFormatMessage, strlen(data->message));
+    will_return(wrap_EvtFormatMessage, FALSE);
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+
+    will_return(wrap_EvtFormatMessage, data->message);
+    will_return(wrap_EvtFormatMessage, TRUE);
+
+    expect_string(__wrap_convert_windows_string, string, "Test_Message");
+    will_return(__wrap_convert_windows_string, NULL);
+
+    will_return(wrap_EvtClose, TRUE);
+
+    assert_null(get_message(data->evt, data->provider_name, EvtFormatMessageEvent));
+}
+
+void test_get_message_success(void ** state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    expect_value(wrap_EvtOpenPublisherMetadata, Session, NULL);
+    expect_string(wrap_EvtOpenPublisherMetadata, PublisherId, data->provider_name);
+    expect_value(wrap_EvtOpenPublisherMetadata, LogFilePath, NULL);
+    expect_value(wrap_EvtOpenPublisherMetadata, Locale, 0);
+    expect_value(wrap_EvtOpenPublisherMetadata, Flags, 0);
+    will_return(wrap_EvtOpenPublisherMetadata, 1);
+
+    will_return(wrap_EvtFormatMessage, strlen(data->message));
+    will_return(wrap_EvtFormatMessage, FALSE);
+    will_return(wrap_GetLastError, ERROR_INSUFFICIENT_BUFFER);
+
+    will_return(wrap_EvtFormatMessage, data->message);
+    will_return(wrap_EvtFormatMessage, TRUE);
+
+    expect_string(__wrap_convert_windows_string, string, "Test_Message");
+    will_return(__wrap_convert_windows_string, "Test_Message");
+
+    will_return(wrap_EvtClose, TRUE);
+
+    assert_non_null(get_message(data->evt, data->provider_name, EvtFormatMessageEvent));
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_get_message_get_publisher_fail, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_message_get_size_fail, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_message_format_fail, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_message_convert_string_fail, test_setup, test_teardown),
+        cmocka_unit_test_setup_teardown(test_get_message_success, test_setup, test_teardown)
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/logcollector/tests/unit/tests/test_state.c b/src/modules/logcollector/tests/unit/tests/test_state.c
new file mode 100644
index 0000000000..e735467778
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/tests/test_state.c
@@ -0,0 +1,1233 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "../../headers/shared.h"
+#include "../../logcollector/state.h"
+
+#include "../wrappers/common.h"
+#include "../wrappers/wazuh/shared/hash_op_wrappers.h"
+#include "../wrappers/wazuh/shared/validate_op_wrappers.h"
+#include "../wrappers/libc/stdio_wrappers.h"
+#include "../wrappers/posix/unistd_wrappers.h"
+#include "../wrappers/externals/cJSON/cJSON_wrappers.h"
+#include "../wrappers/posix/pthread_wrappers.h"
+
+void w_logcollector_state_init(w_lc_state_type_t state_type, bool state_file_enabled);
+cJSON * w_logcollector_state_get();
+cJSON * _w_logcollector_generate_state(w_lc_state_storage_t * state, bool restart);
+void _w_logcollector_state_update_file(w_lc_state_storage_t * state, char * fpath, uint64_t bytes);
+void w_logcollector_state_update_file(char * fpath, uint64_t bytes);
+void _w_logcollector_state_update_target(w_lc_state_storage_t * state, char * fpath, char * target, bool dropped);
+void w_logcollector_state_update_target(char * fpath, char * target, bool dropped);
+void w_logcollector_state_generate();
+void w_logcollector_state_dump();
+void * w_logcollector_state_main(__attribute__((unused)) void * args);
+void _w_logcollector_state_delete_file(w_lc_state_storage_t * state, char * fpath);
+void w_logcollector_state_delete_file(char * fpath);
+
+extern cJSON * g_lc_json_stats;
+extern w_lc_state_storage_t * g_lc_states_global;
+extern w_lc_state_storage_t * g_lc_states_interval;
+extern w_lc_state_type_t g_lc_state_type;
+
+void free_state_file(w_lc_state_file_t * data) {
+    if (data == NULL) {
+        return;
+    }
+
+    if (data->targets != NULL) {
+        w_lc_state_target_t ** target = data->targets;
+        while (target && *target != NULL) {
+            os_free((*target)->name);
+            os_free(*target);
+            target++;
+        }
+        os_free(data->targets);
+    }
+    os_free(data);
+}
+
+/* setup/teardown */
+static int setup_local_hashmap(void **state) {
+    if (mock_hashmap == NULL) {
+        will_return(__wrap_time, (time_t) 50);
+        if (setup_hashmap(state) != 0) {
+            return 1;
+        }
+    }
+
+    OSHash *hash;
+
+    will_return(__wrap_time, (time_t) 50);
+
+
+    hash = __real_OSHash_Create();
+
+    if (hash == NULL) {
+        return -1;
+    }
+
+    *state = hash;
+
+    return 0;
+}
+
+
+static int setup_hashmap_state_file(void **state) {
+    if (setup_local_hashmap(state) != 0) {
+        return 1;
+    }
+    __real_OSHash_SetFreeDataPointer(mock_hashmap, (void (*)(void *))free_state_file);
+
+    return 0;
+}
+
+static int teardown_local_hashmap(void **state) {
+    if (teardown_hashmap(state) != 0) {
+        return 1;
+    }
+    OSHash *hash = *state;
+
+    if (hash == NULL) {
+        return 0;
+    }
+
+    OSHash_Free(hash);
+    return 0;
+}
+
+static int setup_global_variables(void ** state) {
+    os_calloc(1, sizeof(w_lc_state_storage_t), g_lc_states_global);
+    os_calloc(1, sizeof(w_lc_state_storage_t), g_lc_states_interval);
+
+    if (setup_local_hashmap((void **)&(g_lc_states_global->states))) {
+        return -1;
+    }
+
+    if (setup_local_hashmap((void **)&(g_lc_states_interval->states))) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static int teardown_global_variables(void ** state) {
+    if (g_lc_states_global != NULL) {
+        if (teardown_local_hashmap((void **)&(g_lc_states_global->states))) {
+            return -1;
+        }
+    }
+
+    if (g_lc_states_interval != NULL) {
+        if (teardown_local_hashmap((void **)&(g_lc_states_interval->states))) {
+            return -1;
+        }
+    }
+
+    os_free(g_lc_states_global);
+    os_free(g_lc_states_interval);
+
+    return 0;
+}
+
+static int setup_group(void ** state) {
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void ** state) {
+    test_mode = 0;
+    return 0;
+}
+
+static int setup_global(void ** state) {
+    char **array = calloc(10, sizeof(char*));
+
+    if(array == NULL)
+        return -1;
+
+    *state = array;
+
+    return 0;
+}
+
+static int teardown_global(void ** state) {
+
+    return 0;
+}
+
+/* wraps */
+size_t __wrap_strftime(char *s, size_t max, const char *format,
+                       const struct tm *tm) {
+    strncpy(s, mock_type(char *), max);
+    return mock();
+}
+
+/* tests */
+
+/* w_logcollector_state_init */
+void test_w_logcollector_state_init_fail_hash_create_global(void ** state) {
+    will_return(__wrap_time, (time_t) 50);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1296): Unable to create a 'logcollector_state' hash table");
+    expect_assert_failure(w_logcollector_state_init(LC_STATE_GLOBAL|LC_STATE_INTERVAL, true));
+}
+
+void test_w_logcollector_state_init_fail_hash_create_interval(void ** state) {
+    os_free(g_lc_states_global);
+    os_free(g_lc_states_interval);
+    OSHash *mock_local_hash = *state;
+    will_return(__wrap_time, (time_t) 50);
+
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, mock_local_hash);
+
+    will_return(__wrap_OSHash_setSize, 1);
+    will_return(__wrap_time, 51);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, NULL);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1296): Unable to create a 'logcollector_state' hash table");
+    expect_assert_failure(w_logcollector_state_init(LC_STATE_GLOBAL|LC_STATE_INTERVAL, true));
+}
+
+void test_w_logcollector_state_init_fail_hash_setsize_global(void ** state) {
+    os_free(g_lc_states_global);
+    os_free(g_lc_states_interval);
+
+    OSHash *mock_local_hash = *state;
+
+    will_return(__wrap_time, (time_t) 50);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, mock_local_hash);
+    will_return(__wrap_OSHash_setSize, 0);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1297): Unable to set size of 'logcollector_state' hash table");
+
+    expect_assert_failure(w_logcollector_state_init(LC_STATE_GLOBAL|LC_STATE_INTERVAL, true));
+}
+
+void test_w_logcollector_state_init_fail_hash_setsize_interval(void ** state) {
+    os_free(g_lc_states_global);
+    os_free(g_lc_states_interval);
+    will_return_always(__wrap_time, (time_t) 50);
+
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, __real_OSHash_Create());
+    will_return(__wrap_OSHash_setSize, 1);
+
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, __real_OSHash_Create());
+    will_return(__wrap_OSHash_setSize, 0);
+
+    expect_string(__wrap__merror_exit, formatted_msg, "(1297): Unable to set size of 'logcollector_state' hash table");
+
+    expect_assert_failure(w_logcollector_state_init(LC_STATE_GLOBAL|LC_STATE_INTERVAL, true));
+}
+
+void test_w_logcollector_state_init_ok(void ** state) {
+    g_lc_state_type = 0;
+    will_return(__wrap_time, (time_t) 50);
+    will_return(__wrap_time, (time_t) 51);
+
+    OSHash *global_state = __real_OSHash_Create();
+    OSHash *states_interval = __real_OSHash_Create();
+
+    will_return(__wrap_time, (time_t) 50);
+    will_return(__wrap_time, (time_t) 51);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, global_state);
+
+    expect_function_call(__wrap_OSHash_Create);
+    will_return(__wrap_OSHash_Create, states_interval);
+
+    will_return(__wrap_OSHash_setSize, 1);
+    will_return(__wrap_OSHash_setSize, 1);
+
+    w_logcollector_state_init(LC_STATE_GLOBAL | LC_STATE_INTERVAL, true);
+
+    assert_non_null(g_lc_states_global);
+    assert_non_null(g_lc_states_interval);
+
+    assert_ptr_equal(g_lc_states_global->states, global_state);
+    assert_ptr_equal(g_lc_states_interval->states, states_interval);
+
+    assert_int_equal(g_lc_state_type, LC_STATE_GLOBAL | LC_STATE_INTERVAL);
+}
+
+
+void test_w_logcollector_state_get_null(void ** state) {
+    g_lc_state_type = LC_STATE_INTERVAL;
+    g_lc_json_stats = NULL;
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    assert_null(w_logcollector_state_get());
+}
+
+void test_w_logcollector_state_get_non_null(void ** state) {
+
+    cJSON * expect_retval = (cJSON *) 3;
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    g_lc_json_stats = (cJSON *) 5;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_cJSON_Duplicate, expect_retval);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    cJSON * retval = w_logcollector_state_get();
+
+    assert_ptr_not_equal(g_lc_json_stats, retval);
+    assert_ptr_equal(expect_retval, retval);
+}
+
+/* Test _w_logcollector_generate_state */
+void test__w_logcollector_generate_state_fail_get_node(void ** state) {
+
+    w_lc_state_storage_t stats = {.states = (OSHash *) 2};
+    cJSON * retval;
+    expect_value(__wrap_OSHash_Begin, self, stats.states);
+    will_return(__wrap_OSHash_Begin, NULL);
+
+    retval = _w_logcollector_generate_state(&stats, 0);
+    assert_null(retval);
+}
+
+void test__w_logcollector_generate_state_one_target(void ** state) {
+     cJSON * retval;
+    w_lc_state_storage_t stats = {.states = (OSHash *) 2 , };
+    w_lc_state_target_t target = {.drops = 10, .name = "sock1"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node = {.data = &data, .key = "key_test"};
+
+    expect_value(__wrap_OSHash_Begin, self, stats.states);
+    will_return(__wrap_OSHash_Begin, &hash_node);
+
+    will_return_always(__wrap_cJSON_AddNumberToObject, 1);
+    will_return_always(__wrap_cJSON_AddStringToObject, 1);
+    will_return_always(__wrap_cJSON_AddItemToArray, true);
+    will_return_always(__wrap_cJSON_AddItemToObject, true);
+
+    will_return_always(__wrap_cJSON_CreateObject, (cJSON *) 10);
+    will_return_always(__wrap_cJSON_CreateArray, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, stats.states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    retval = _w_logcollector_generate_state(&stats, false);
+    assert_ptr_equal(retval, (cJSON *) 10);
+    assert_int_equal(data.bytes, 100);
+    assert_int_equal(data.events, 5);
+}
+
+void test__w_logcollector_generate_state_one_target_restart(void ** state) {
+
+    cJSON * retval;
+    w_lc_state_storage_t stats = {.states = (OSHash *) 2, .start = (time_t) 2020};
+    w_lc_state_target_t target = {.drops = 10, .name = "sock1"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node = {.data = &data, .key = "key_test"};
+
+    expect_value(__wrap_OSHash_Begin, self, stats.states);
+    will_return(__wrap_OSHash_Begin, &hash_node);
+
+    will_return_always(__wrap_cJSON_AddNumberToObject, 1);
+    will_return_always(__wrap_cJSON_AddStringToObject, 1);
+    will_return_always(__wrap_cJSON_AddItemToArray, true);
+    will_return_always(__wrap_cJSON_AddItemToObject, true);
+
+    will_return_always(__wrap_cJSON_CreateObject, (cJSON *) 10);
+    will_return_always(__wrap_cJSON_CreateArray, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, stats.states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);;
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_time, (time_t) 2525);
+
+    retval = _w_logcollector_generate_state(&stats, true);
+
+    assert_ptr_equal(retval, (cJSON *) 10);
+    assert_int_equal(data.bytes, 0);
+    assert_int_equal(data.events, 0);
+    assert_int_equal(stats.start, 2525);
+}
+
+/* Test _w_logcollector_state_update_file */
+void test__w_logcollector_state_update_file_new_data(void ** state) {
+    w_lc_state_storage_t stat = {0};
+    stat.states = *state;
+    __real_OSHash_SetFreeDataPointer(mock_hashmap, (void (*)(void *))free_state_file);
+
+    expect_value(__wrap_OSHash_Get, self, stat.states);
+    expect_string(__wrap_OSHash_Get, key, "/test_path");
+    will_return(__wrap_OSHash_Get, NULL);
+
+    will_return(__wrap_OSHash_Update, 0);
+
+    expect_value(__wrap_OSHash_Add, key, "/test_path");
+    will_return(__wrap_OSHash_Add, 2);
+
+    _w_logcollector_state_update_file(&stat, "/test_path", 100);
+}
+
+void test__w_logcollector_state_update_file_update(void ** state) {
+    w_lc_state_storage_t stat = { .states = *state };
+    w_lc_state_file_t *data = calloc(1, sizeof(w_lc_state_file_t));
+
+    expect_value(__wrap_OSHash_Get, self, stat.states);
+    expect_string(__wrap_OSHash_Get, key, "/test_path");
+    will_return(__wrap_OSHash_Get, data);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    _w_logcollector_state_update_file(&stat, "/test_path", 100);
+
+    assert_int_equal(data->bytes, 100);
+    assert_int_equal(data->events, 1);
+    free(data);
+}
+
+/* w_logcollector_state_update_file */
+void test__w_logcollector_state_update_file_fail_update(void ** state) {
+    w_lc_state_storage_t stat = { .states = *state };
+    __real_OSHash_SetFreeDataPointer(stat.states, (void (*)(void *))free_state_file);
+
+    w_lc_state_file_t * data = NULL;
+    os_calloc(1, sizeof(w_lc_state_file_t), data);
+    os_calloc(2, sizeof(w_lc_state_target_t *), data->targets);
+    os_calloc(1, sizeof(w_lc_state_target_t), data->targets[0]);
+
+    expect_value(__wrap_OSHash_Get, self, stat.states);
+    expect_string(__wrap_OSHash_Get, key, "/test_path");
+    will_return(__wrap_OSHash_Get, data);
+
+    will_return(__wrap_OSHash_Update, 0);
+    expect_value(__wrap_OSHash_Add, key, "/test_path");
+    will_return(__wrap_OSHash_Add, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+                  "(1299): Failure to update '/test_path' to 'logcollector_state' hash table");
+
+    _w_logcollector_state_update_file(&stat, "/test_path", 100);
+}
+
+/* w_logcollector_state_update_file */
+void test_w_logcollector_state_update_file_null(void ** state) {
+    w_logcollector_state_update_file(NULL, 500);
+}
+
+
+/* _w_logcollector_state_update_target */
+void test__w_logcollector_state_update_target_get_file_stats_fail(void ** state) {
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    w_lc_state_storage_t stats = { .states = *state };
+    w_lc_state_file_t *mock_entry = calloc(1, sizeof(w_lc_state_file_t));
+    char *fpath = "/test_path";
+    char *target = "test";
+
+    __real_OSHash_Add_ex(mock_hashmap, fpath, mock_entry);
+    bool dropped = false;
+
+    expect_value(__wrap_OSHash_Get, self, stats.states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, NULL);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    _w_logcollector_state_update_target(&stats, fpath, target, dropped);
+}
+
+void test__w_logcollector_state_update_target_find_target_fail(void ** state) {
+    char * fpath = "/test_path";
+    char * target_str = "test2";
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+
+    __real_OSHash_Add_ex(mock_hashmap, fpath, calloc(1, sizeof(w_lc_state_file_t)));
+
+    w_lc_state_storage_t * stats = NULL;
+    os_calloc(1, sizeof(w_lc_state_storage_t), stats);
+    stats->states = *state;
+    stats->start = (time_t) 2020;
+
+    w_lc_state_target_t * target;
+    os_calloc(1, sizeof(w_lc_state_target_t), target);
+    target->drops = 10;
+    os_strdup("test", target->name);
+
+    w_lc_state_target_t ** target_array;
+    os_calloc(2, sizeof(w_lc_state_target_t *), target_array);
+    target_array[0] = target;
+
+    w_lc_state_file_t * data;
+    os_calloc(1, sizeof(w_lc_state_file_t), data);
+    data->targets = target_array;
+    data->bytes = 100;
+    data->events = 5;
+
+    bool dropped = false;
+
+    expect_value(__wrap_OSHash_Get, self, stats->states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, data);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    _w_logcollector_state_update_target(stats, fpath, target_str, dropped);
+    free(stats);
+}
+
+
+void test__w_logcollector_state_update_target_find_target_ok(void ** state) {
+    char * fpath = "/test_path";
+    char * target_str = "test";
+
+    bool dropped = false;
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    w_lc_state_storage_t stats = {.states = *state, .start = (time_t) 2020};
+    w_lc_state_target_t target = {.drops = 10, .name = "test"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+
+
+    expect_value(__wrap_OSHash_Get, self, stats.states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, &data);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    _w_logcollector_state_update_target(&stats, fpath, target_str, dropped);
+}
+
+void test__w_logcollector_state_update_target_dropped_true(void ** state) {
+
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    w_lc_state_storage_t stats = {.states = (OSHash *) *state, .start = (time_t) 2020};
+    w_lc_state_target_t target = {.drops = 10, .name = "test"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+
+    char * fpath = "/test_path";
+    char * target_str = "test";
+
+    expect_value(__wrap_OSHash_Get, self, stats.states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, &data);
+
+    will_return(__wrap_OSHash_Update, 1);
+    bool dropped = true;
+
+    _w_logcollector_state_update_target(&stats, fpath, target_str, dropped);
+}
+
+void test__w_logcollector_state_update_target_OSHash_Update_fail(void ** state) {
+
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    w_lc_state_storage_t stats = {.states = (OSHash *) *state, .start = (time_t) 2020};
+    w_lc_state_target_t target = {.drops = 10, .name = "test"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+
+    char * fpath = "/test_path";
+    char * target_str = "test";
+
+    bool dropped = true;
+
+
+    expect_value(__wrap_OSHash_Get, self, stats.states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, &data);
+
+    will_return(__wrap_OSHash_Update, 0);
+
+    expect_value(__wrap_OSHash_Add, key, "/test_path");
+    will_return(__wrap_OSHash_Add, 2);
+
+    _w_logcollector_state_update_target(&stats, fpath, target_str, dropped);
+}
+
+void test__w_logcollector_state_update_target_OSHash_Add_fail(void ** state) {
+
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+    w_lc_state_storage_t stats = {.states = (OSHash *) *state};
+    w_lc_state_target_t * target;
+    os_calloc(1, sizeof(w_lc_state_target_t), target);
+    target->drops = 10;
+    os_strdup("test", target->name);
+
+    w_lc_state_target_t ** target_array;
+    os_calloc(2, sizeof(w_lc_state_target_t *), target_array);
+    target_array[0] = target;
+
+    w_lc_state_file_t * data;
+    os_calloc(1, sizeof(w_lc_state_file_t), data);
+    data->targets = target_array;
+    data->bytes = 100;
+    data->events = 5;
+
+    char * fpath = "/test_path";
+    char * target_str = "test";
+
+    bool dropped = true;
+
+    expect_value(__wrap_OSHash_Get, self, stats.states);
+    expect_string(__wrap_OSHash_Get, key, fpath);
+    will_return(__wrap_OSHash_Get, data);
+
+    will_return(__wrap_OSHash_Update, 0);
+
+    expect_value(__wrap_OSHash_Add, key, "/test_path");
+    will_return(__wrap_OSHash_Add, 0);
+
+    expect_string(__wrap__merror, formatted_msg,
+                  "(1299): Failure to update '/test_path' to 'logcollector_state' hash table");
+
+    _w_logcollector_state_update_target(&stats, fpath, target_str, dropped);
+}
+
+void test_w_logcollector_state_update_file_ok(void ** state) {
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+
+    w_lc_state_file_t data = {0};
+    w_lc_state_file_t data2 = {.bytes = 10, .events = 5};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_value(__wrap_OSHash_Get, self, g_lc_states_global->states);
+    expect_string(__wrap_OSHash_Get, key, "/test_path");
+    will_return(__wrap_OSHash_Get, &data);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    expect_value(__wrap_OSHash_Get, self, g_lc_states_interval->states);
+    expect_string(__wrap_OSHash_Get, key, "/test_path");
+    will_return(__wrap_OSHash_Get, &data2);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    w_logcollector_state_update_file("/test_path", 500);
+
+    assert_int_equal(data.bytes, 500);
+    assert_int_equal(data.events, 1);
+    assert_int_equal(data2.bytes, 510);
+    assert_int_equal(data2.events, 6);
+}
+
+// Tests w_logcollector_state_update_target
+void test_w_logcollector_state_update_target_null_target(void ** state) {
+    w_logcollector_state_update_target("test path", NULL, false);
+}
+
+void test_w_logcollector_state_update_target_null_path(void ** state) {
+    w_logcollector_state_update_target(NULL, "test_target", false);
+}
+
+void test_w_logcollector_state_update_target_ok(void ** state) {
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;
+
+    w_lc_state_target_t target = {.drops = 10, .name = "test_target"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Get, self, g_lc_states_global->states);
+    expect_string(__wrap_OSHash_Get, key, "test_path");
+    will_return(__wrap_OSHash_Get, &data);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    w_lc_state_target_t target2 = {.drops = 10, .name = "test_target"};
+    w_lc_state_target_t * target_array2[2] = {&target, NULL};
+    w_lc_state_file_t data2 = {.targets = (w_lc_state_target_t **) &target_array2, .bytes = 100, .events = 5};
+
+    expect_value(__wrap_OSHash_Get, self, g_lc_states_interval->states);
+    expect_string(__wrap_OSHash_Get, key, "test_path");
+    will_return(__wrap_OSHash_Get, &data2);
+
+    will_return(__wrap_OSHash_Update, 1);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    w_logcollector_state_update_target("test_path", "test_target", false);
+}
+
+/* w_logcollector_state_generate */
+void test_w_logcollector_generate_state_ok(void ** state) {
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;;
+
+    w_lc_state_target_t target = {.drops = 10, .name = "sock1"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node = {.data = &data, .key = "key_test"};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    will_return_always(__wrap_cJSON_CreateObject, (cJSON *) 10);
+
+    expect_value(__wrap_OSHash_Begin, self, g_lc_states_global->states);
+    will_return(__wrap_OSHash_Begin, &hash_node);
+
+    will_return_always(__wrap_cJSON_AddNumberToObject, 1);
+    will_return_always(__wrap_cJSON_AddStringToObject, 1);
+    will_return_always(__wrap_cJSON_AddItemToArray, true);
+    will_return_always(__wrap_cJSON_AddItemToObject, true);
+
+    will_return_always(__wrap_cJSON_CreateArray, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, g_lc_states_global->states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    g_lc_states_interval->start = (time_t) 2020;
+
+    w_lc_state_file_t data2 = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node2 = {.data = &data2, .key = "key_test"};
+
+    expect_value(__wrap_OSHash_Begin, self, g_lc_states_interval->states);
+    will_return(__wrap_OSHash_Begin, &hash_node2);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, g_lc_states_interval->states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_time, (time_t) 2525);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    w_logcollector_state_generate();
+
+    assert_int_equal(data.bytes, 100);
+    assert_int_equal(data.events, 5);
+    assert_int_equal(data2.bytes, 0);
+    assert_int_equal(data2.events, 0);
+    assert_int_equal(g_lc_states_interval->start, 2525);
+}
+
+/* w_logcollector_state_dump */
+void test_w_logcollector_state_dump_fail_open(void ** state) {
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_cJSON_Duplicate, (cJSON *) 3);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_cJSON_Print, strdup("Test 123"));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, LOGCOLLECTOR_STATE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, NULL);
+
+    const char * error_msg = "(1103): Could not open file "
+                             "'" LOGCOLLECTOR_STATE "' due to";
+
+    expect_memory(__wrap__merror, formatted_msg, error_msg, strlen(error_msg));
+
+    w_logcollector_state_dump();
+}
+
+void test_w_logcollector_state_dump_fail_write(void ** state) {
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_cJSON_Duplicate, (cJSON *) 3);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_cJSON_Print, strdup("Test 123"));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, LOGCOLLECTOR_STATE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE *) 100);
+    will_return(__wrap_fwrite, 0);
+
+    const char * error_msg = "(1110): Could not write file "
+                             "'" LOGCOLLECTOR_STATE "' due to";
+
+    expect_memory(__wrap__merror, formatted_msg, error_msg, strlen(error_msg));
+
+    expect_value(__wrap_fclose, _File, (FILE *) 100);
+    will_return(__wrap_fclose, 0);
+
+    w_logcollector_state_dump();
+}
+
+void test_w_logcollector_state_dump_ok(void ** state) {
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_cJSON_Duplicate, (cJSON *) 3);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_cJSON_Print, strdup("Test 123"));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, LOGCOLLECTOR_STATE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE *) 100);
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, (FILE *) 100);
+    will_return(__wrap_fclose, 0);
+
+    w_logcollector_state_dump();
+}
+
+void test_w_logcollector_state_main_bad_interval(void ** state) {
+
+    g_lc_state_type = LC_STATE_GLOBAL | LC_STATE_INTERVAL;;
+    int interval = -1;
+    w_logcollector_state_main((void *) &interval);
+}
+
+void test_w_logcollector_state_main_ok(void ** state) {
+
+    int interval = 105;
+    will_return(__wrap_FOREVER, 1);
+    expect_value(__wrap_sleep, seconds, interval);
+
+    w_lc_state_target_t target = {.drops = 10, .name = "sock1"};
+    w_lc_state_target_t * target_array[2] = {&target, NULL};
+
+    w_lc_state_file_t data = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node = {.data = &data, .key = "key_test"};
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_function_call(__wrap_cJSON_Delete);
+
+    will_return_always(__wrap_cJSON_CreateObject, (cJSON *) 10);
+
+    expect_value(__wrap_OSHash_Begin, self, g_lc_states_global->states);
+    will_return(__wrap_OSHash_Begin, &hash_node);
+
+    will_return_always(__wrap_cJSON_AddNumberToObject, 1);
+    will_return_always(__wrap_cJSON_AddStringToObject, 1);
+    will_return_always(__wrap_cJSON_AddItemToArray, true);
+    will_return_always(__wrap_cJSON_AddItemToObject, true);
+
+    will_return_always(__wrap_cJSON_CreateArray, (cJSON *) 1);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, g_lc_states_global->states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    g_lc_states_interval->start = (time_t) 2020;
+
+    w_lc_state_file_t data2 = {.targets = (w_lc_state_target_t **) &target_array, .bytes = 100, .events = 5};
+    OSHashNode hash_node2 = {.data = &data2, .key = "key_test"};
+
+    expect_value(__wrap_OSHash_Begin, self, g_lc_states_interval->states);
+    will_return(__wrap_OSHash_Begin, &hash_node2);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "name");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "sock1");
+
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "drops");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 10);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "location");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "key_test");
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "events");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 5);
+    expect_string(__wrap_cJSON_AddNumberToObject, name, "bytes");
+    expect_value(__wrap_cJSON_AddNumberToObject, number, 100);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_cJSON_AddItemToArray);
+
+    expect_value(__wrap_OSHash_Next, self, g_lc_states_interval->states);
+    will_return(__wrap_OSHash_Next, NULL);
+
+    will_return(__wrap_strftime,"2019-02-05 12:18:37");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_cJSON_AddStringToObject, name, "start");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:37");
+
+    will_return(__wrap_time, (time_t) 2525);
+    will_return(__wrap_strftime,"2019-02-05 12:18:42");
+    will_return(__wrap_strftime, 20);
+    expect_string(__wrap_cJSON_AddStringToObject, name, "end");
+    expect_string(__wrap_cJSON_AddStringToObject, string, "2019-02-05 12:18:42");
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+    will_return(__wrap_time, (time_t) 2525);
+
+    expect_function_call(__wrap_cJSON_AddItemToObject);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    will_return(__wrap_cJSON_Duplicate, (cJSON *) 3);
+    expect_function_call(__wrap_pthread_mutex_unlock);
+    will_return(__wrap_cJSON_Print, strdup("Test 123"));
+    expect_function_call(__wrap_cJSON_Delete);
+
+    expect_string(__wrap_wfopen, path, LOGCOLLECTOR_STATE);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, (FILE *) 100);
+    will_return(__wrap_fwrite, 1);
+
+    expect_value(__wrap_fclose, _File, (FILE *) 100);
+    will_return(__wrap_fclose, 0);
+
+    will_return(__wrap_FOREVER, 0);
+
+    w_logcollector_state_main((void *) &interval);
+}
+
+/* _test_w_logcollector_state_delete_file */
+
+void test__w_logcollector_state_delete_file_no_data(void ** state) {
+    w_lc_state_storage_t storage = { .states = *state };
+
+    expect_value(__wrap_OSHash_Delete, self, storage.states);
+    expect_string(__wrap_OSHash_Delete, key, "test_path");
+    will_return(__wrap_OSHash_Delete, NULL);
+
+    _w_logcollector_state_delete_file(&storage, "test_path");
+}
+
+void test__w_logcollector_state_delete_file_ok(void ** state) {
+    w_lc_state_storage_t storage = {.states = *state};
+
+    w_lc_state_file_t * data = NULL;
+    os_calloc(1, sizeof(w_lc_state_file_t), data);
+    os_calloc(3, sizeof(w_lc_state_target_t *), data->targets);
+    os_calloc(1, sizeof(w_lc_state_target_t), data->targets[0]);
+    os_strdup("target name 1", data->targets[0]->name);
+    os_calloc(1, sizeof(w_lc_state_target_t), data->targets[1]);
+    os_strdup("target name 2", data->targets[1]->name);
+
+    expect_value(__wrap_OSHash_Delete, self, storage.states);
+    expect_string(__wrap_OSHash_Delete, key, "test_path");
+    will_return(__wrap_OSHash_Delete, data);
+
+    _w_logcollector_state_delete_file(&storage, "test_path");
+}
+
+/* w_logcollector_state_delete_file */
+
+void test_w_logcollector_state_delete_file_fpath_NULL(void ** state) {
+
+    char * fpath = NULL;
+
+    w_logcollector_state_delete_file(fpath);
+
+}
+
+void test_w_logcollector_state_delete_file_global(void ** state) {
+    g_lc_state_type = 1;
+    char * fpath = "test";
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Delete, self, g_lc_states_global->states);
+    expect_string(__wrap_OSHash_Delete, key, fpath);
+    will_return(__wrap_OSHash_Delete, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    w_logcollector_state_delete_file(fpath);
+}
+
+void test_w_logcollector_state_delete_file_interval(void ** state) {
+    char * fpath = "test";
+    g_lc_state_type = 2;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+
+    expect_value(__wrap_OSHash_Delete, self, g_lc_states_interval->states);
+    expect_string(__wrap_OSHash_Delete, key, fpath);
+    will_return(__wrap_OSHash_Delete, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    w_logcollector_state_delete_file(fpath);
+}
+
+void test_w_logcollector_state_delete_file_global_interval(void ** state) {
+    char * fpath = "test";
+    g_lc_state_type = 3;
+
+    expect_function_call(__wrap_pthread_mutex_lock);
+    expect_value(__wrap_OSHash_Delete, self, g_lc_states_global->states);
+    expect_string(__wrap_OSHash_Delete, key, fpath);
+    will_return(__wrap_OSHash_Delete, NULL);
+
+    expect_value(__wrap_OSHash_Delete, self, g_lc_states_interval->states);
+    expect_string(__wrap_OSHash_Delete, key, fpath);
+    will_return(__wrap_OSHash_Delete, NULL);
+
+    expect_function_call(__wrap_pthread_mutex_unlock);
+
+    w_logcollector_state_delete_file(fpath);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // Tests w_logcollector_state_init
+        cmocka_unit_test_teardown(test_w_logcollector_state_init_fail_hash_create_global, teardown_global_variables),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_init_fail_hash_create_interval, setup_local_hashmap, teardown_global_variables),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_init_fail_hash_setsize_global, setup_local_hashmap, teardown_global_variables),
+        cmocka_unit_test_teardown(test_w_logcollector_state_init_fail_hash_setsize_interval, teardown_global_variables),
+        cmocka_unit_test_teardown(test_w_logcollector_state_init_ok, teardown_global_variables),
+
+        // Tests w_logcollector_state_get
+        cmocka_unit_test(test_w_logcollector_state_get_null),
+        cmocka_unit_test(test_w_logcollector_state_get_non_null),
+
+        // Tests _w_logcollector_generate_state
+        cmocka_unit_test_setup_teardown(test__w_logcollector_generate_state_fail_get_node, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_generate_state_one_target, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_generate_state_one_target_restart, setup_local_hashmap, teardown_local_hashmap),
+
+        // Tests _w_logcollector_state_update_file
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_file_new_data, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_file_update, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_file_fail_update, setup_local_hashmap, teardown_local_hashmap),
+
+        // Tests w_logcollector_state_update_file
+        cmocka_unit_test(test_w_logcollector_state_update_file_null),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_update_file_ok, setup_global_variables, teardown_global_variables),
+
+        // Tests _w_logcollector_state_update_target
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_get_file_stats_fail, setup_hashmap_state_file, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_find_target_fail, setup_hashmap_state_file, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_find_target_ok, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_dropped_true, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_OSHash_Update_fail, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_update_target_OSHash_Add_fail, setup_local_hashmap, teardown_local_hashmap),
+
+        // Tests w_logcollector_state_update_target
+        cmocka_unit_test(test_w_logcollector_state_update_target_null_path),
+        cmocka_unit_test(test_w_logcollector_state_update_target_null_target),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_update_target_ok, setup_global_variables, teardown_global_variables),
+
+        // Tests w_logcollector_state_generate
+        cmocka_unit_test_setup_teardown(test_w_logcollector_generate_state_ok, setup_global_variables, teardown_global_variables),
+
+        // Tests w_logcollector_state_dump
+        cmocka_unit_test(test_w_logcollector_state_dump_fail_open),
+        cmocka_unit_test(test_w_logcollector_state_dump_fail_write),
+        cmocka_unit_test(test_w_logcollector_state_dump_ok),
+
+        // Tests w_logcollector_state_main
+        cmocka_unit_test(test_w_logcollector_state_main_bad_interval),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_main_ok, setup_global_variables, teardown_global_variables),
+
+        // Test _w_logcollector_state_delete_file
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_delete_file_no_data, setup_local_hashmap, teardown_local_hashmap),
+        cmocka_unit_test_setup_teardown(test__w_logcollector_state_delete_file_ok, setup_local_hashmap, teardown_local_hashmap),
+
+        // Test _w_logcollector_state_delete_file
+        cmocka_unit_test(test_w_logcollector_state_delete_file_fpath_NULL),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_delete_file_global, setup_global_variables, teardown_global_variables),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_delete_file_interval, setup_global_variables, teardown_global_variables),
+        cmocka_unit_test_setup_teardown(test_w_logcollector_state_delete_file_global_interval, setup_global_variables, teardown_global_variables),
+
+    };
+
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.c b/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.c
new file mode 100644
index 0000000000..1a894d02f8
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.c
@@ -0,0 +1,18 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "logcollector_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+int __wrap_can_read() {
+    return mock_type(int);
+}
diff --git a/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.h b/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.h
new file mode 100644
index 0000000000..b1ddd37b2d
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/wrappers/logcollector_wrappers.h
@@ -0,0 +1,16 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+
+#ifndef LOGCOLLECTOR_WRAPPERS_H
+#define LOGCOLLECTOR_WRAPPERS_H
+
+int __wrap_can_read();
+
+#endif
diff --git a/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.c b/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.c
new file mode 100644
index 0000000000..4ce2df2e86
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.c
@@ -0,0 +1,69 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "macos_log_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_w_macos_create_log_env(logreader * lf, w_sysinfo_helpers_t * global_sysinfo) {
+
+    check_expected_ptr(lf);
+    check_expected(global_sysinfo);
+}
+
+void __wrap_w_macos_set_last_log_timestamp(char * timestamp) {
+
+    check_expected(timestamp);
+}
+
+void __wrap_w_macos_set_log_settings(char * settings) {
+
+    check_expected(settings);
+}
+
+char * __wrap_w_macos_get_last_log_timestamp(void) {
+
+    return mock_ptr_type(char *);
+}
+
+char * __wrap_w_macos_get_log_settings(void) {
+
+    return mock_ptr_type(char *);
+}
+
+cJSON * __wrap_w_macos_get_status_as_JSON(void) {
+
+    return mock_ptr_type(cJSON *);
+}
+
+void __wrap_w_macos_set_status_from_JSON(cJSON * global_json) {
+
+    check_expected(global_json);
+}
+
+bool __wrap_w_is_macos_sierra() {
+
+    return mock_type(bool);
+}
+
+pid_t __wrap_w_get_first_child(pid_t parent_pid) {
+
+    check_expected(parent_pid);
+    return mock_type(pid_t);
+}
+
+bool __wrap_w_macos_get_is_valid_data() {
+    return mock_type(bool);
+}
+
+void __wrap_w_macos_set_is_valid_data(bool is_valid) {
+    check_expected(is_valid);
+}
diff --git a/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.h b/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.h
new file mode 100644
index 0000000000..674e793bc2
--- /dev/null
+++ b/src/modules/logcollector/tests/unit/wrappers/macos_log_wrappers.h
@@ -0,0 +1,37 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef MACOS_LOG_WRAPPERS_H
+#define MACOS_LOG_WRAPPERS_H
+
+#include "../../../logcollector/macos_log.h"
+
+void __wrap_w_macos_create_log_env(logreader * lf, w_sysinfo_helpers_t * global_sysinfo);
+
+void __wrap_w_macos_set_last_log_timestamp(char * timestamp);
+
+void __wrap_w_macos_set_log_settings(char * settings);
+
+char * __wrap_w_macos_get_last_log_timestamp(void);
+
+char * __wrap_w_macos_get_log_settings(void);
+
+cJSON * __wrap_w_macos_get_status_as_JSON(void);
+
+void __wrap_w_macos_set_status_from_JSON(cJSON * global_json);
+
+bool __wrap_w_is_macos_sierra();
+
+pid_t __wrap_w_get_first_child(pid_t parent_pid);
+
+bool __wrap_w_macos_get_is_valid_data();
+
+void __wrap_w_macos_set_is_valid_data(bool is_valid);
+
+#endif
diff --git a/src/modules/ms_graph/include/wm_ms_graph.h b/src/modules/ms_graph/include/wm_ms_graph.h
new file mode 100644
index 0000000000..31ce2f02d0
--- /dev/null
+++ b/src/modules/ms_graph/include/wm_ms_graph.h
@@ -0,0 +1,78 @@
+/*
+ * Wazuh Module for Microsoft Graph
+ * Copyright (C) 2023, InfoDefense Inc.
+ * March, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_MS_GRAPH_H
+#define WM_MS_GRAPH_H
+
+#define WM_MS_GRAPH_LOGTAG ARGV0 ":" MS_GRAPH_WM_NAME
+
+#define WM_MS_GRAPH_SCRIPT_PATH "wodles/ms_graph/ms-graph-logs"
+
+#define WM_MS_GRAPH_DEFAULT_ENABLED true
+#define WM_MS_GRAPH_DEFAULT_ONLY_FUTURE_EVENTS true
+#define WM_MS_GRAPH_DEFAULT_CURL_MAX_SIZE 1048576L
+#define WM_MS_GRAPH_DEFAULT_RUN_ON_START true
+#define WM_MS_GRAPH_DEFAULT_VERSION "v1.0"
+
+#define WM_MS_GRAPH_DEFAULT_TIMEOUT 60L
+#define WM_MS_GRAPH_TIMESTAMP_SIZE_80 80
+
+#define WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN "login.microsoftonline.com"
+#define WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN "graph.microsoft.com"
+#define WM_MS_GRAPH_GCC_HIGH_API_LOGIN_FQDN "login.microsoftonline.us"
+#define WM_MS_GRAPH_GCC_HIGH_API_QUERY_FQDN "graph.microsoft.us"
+#define WM_MS_GRAPH_DOD_API_LOGIN_FQDN "login.microsoftonline.us"
+#define WM_MS_GRAPH_DOD_API_QUERY_FQDN "dod-graph.microsoft.us"
+
+
+#define WM_MS_GRAPH_API_URL "https://%s/%s/%s/%s?$filter=createdDateTime+gt+%s"
+#define WM_MS_GRAPH_ACCESS_TOKEN_URL "https://%s/%s/oauth2/v2.0/token"
+#define WM_MS_GRAPH_ACCESS_TOKEN_PAYLOAD "scope=https://%s/.default&grant_type=client_credentials&client_id=%s&client_secret=%s"
+
+typedef struct wm_ms_graph_state_t {
+	time_t next_time;
+} wm_ms_graph_state_t;
+
+typedef struct wm_ms_graph_auth {
+	char* client_id;
+	char* tenant_id;
+	char* secret_value;
+	char* login_fqdn;
+	char* query_fqdn;
+	char* access_token;
+	time_t token_expiration_time;
+} wm_ms_graph_auth;
+
+typedef struct wm_ms_graph_resource {
+	char* name;
+	char** relationships;
+	unsigned int num_relationships;
+} wm_ms_graph_resource;
+
+typedef struct wm_ms_graph {
+	bool enabled;
+	bool only_future_events;
+	ssize_t curl_max_size;
+	bool run_on_start;
+	char* version;
+	sched_scan_config scan_config;
+	wm_ms_graph_auth **auth_config;
+	wm_ms_graph_resource* resources;
+	unsigned int num_resources;
+	wm_ms_graph_state_t state;
+} wm_ms_graph;
+
+extern const wm_context WM_MS_GRAPH_CONTEXT; // Context
+
+// Parse XML
+int wm_ms_graph_read(const OS_XML* xml, xml_node** nodes, wmodule* module);
+
+#endif // WM_MS_GRAPH_H
diff --git a/src/modules/ms_graph/src/wm_ms_graph.c b/src/modules/ms_graph/src/wm_ms_graph.c
new file mode 100644
index 0000000000..19fefb7047
--- /dev/null
+++ b/src/modules/ms_graph/src/wm_ms_graph.c
@@ -0,0 +1,453 @@
+/*
+ * Wazuh Module for Microsoft Graph integration
+ * Copyright (C) 2023, InfoDefense Inc.
+ * March, 2023.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#if defined(WIN32) || defined(__linux__) || defined(__MACH__)
+
+#include "wmodules.h"
+#include "wm_ms_graph.h"
+
+#ifdef WIN32
+#ifdef WAZUH_UNIT_TESTING
+#define gmtime_r(x, y)
+#else
+#define gmtime_r(x, y) gmtime_s(y, x)
+#endif
+#endif
+
+static void* wm_ms_graph_main(wm_ms_graph* ms_graph);
+static bool wm_ms_graph_setup(wm_ms_graph* ms_graph);
+static bool wm_ms_graph_check();
+static void wm_ms_graph_get_access_token(wm_ms_graph_auth* auth_config, const ssize_t curl_max_size);
+static void wm_ms_graph_scan_relationships(wm_ms_graph* ms_graph, const bool initial_scan);
+static void wm_ms_graph_destroy(wm_ms_graph* ms_graph);
+static void wm_ms_graph_cleanup();
+cJSON* wm_ms_graph_dump(const wm_ms_graph* ms_graph);
+
+static int queue_fd; // Socket ID
+
+const wm_context WM_MS_GRAPH_CONTEXT = {
+    .name = MS_GRAPH_WM_NAME,
+    .start = (wm_routine)wm_ms_graph_main,
+    .destroy = (void (*)(void*))wm_ms_graph_destroy,
+    .dump = (cJSON* (*)(const void*))wm_ms_graph_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+void* wm_ms_graph_main(wm_ms_graph* ms_graph) {
+    char* timestamp = NULL;
+
+    if (!wm_ms_graph_setup(ms_graph)) {
+        return NULL;
+    } else {
+        mtinfo(WM_MS_GRAPH_LOGTAG, "Started module.");
+
+        bool initial = true;
+        int i;
+        wm_ms_graph_auth *it;
+
+        while (FOREVER()) {
+            const time_t time_sleep = sched_scan_get_time_until_next_scan(&ms_graph->scan_config, WM_MS_GRAPH_LOGTAG, ms_graph->run_on_start);
+
+            if (ms_graph->state.next_time == 0) {
+                ms_graph->state.next_time = ms_graph->scan_config.time_start + time_sleep;
+            }
+
+            if (time_sleep) {
+                const time_t next_scan_time = sched_get_next_scan_time(ms_graph->scan_config);
+                timestamp = w_get_timestamp(next_scan_time);
+                mtdebug1(WM_MS_GRAPH_LOGTAG, "Waiting until: %s", timestamp);
+                os_free(timestamp);
+                w_sleep_until(next_scan_time);
+            }
+
+            for (i = 0; ms_graph->auth_config[i]; i++) {
+                it = ms_graph->auth_config[i];
+
+                if (!it->access_token || time(NULL) >= it->token_expiration_time) {
+                    mtinfo(WM_MS_GRAPH_LOGTAG, "Obtaining access token.");
+                    wm_ms_graph_get_access_token(it, ms_graph->curl_max_size);
+                }
+
+                if (it->access_token && time(NULL) < it->token_expiration_time) {
+                    mtinfo(WM_MS_GRAPH_LOGTAG, "Scanning tenant '%s'", it->tenant_id);
+                    wm_ms_graph_scan_relationships(ms_graph, initial);
+                    initial = false;
+                }
+            }
+        }
+    }
+    return NULL;
+}
+
+bool wm_ms_graph_setup(wm_ms_graph* ms_graph) {
+
+    if (!wm_ms_graph_check(ms_graph)) {
+        return false;
+    }
+
+    if (wm_state_io(WM_MS_GRAPH_CONTEXT.name, WM_IO_READ, &ms_graph->state, sizeof(ms_graph->state)) < 0) {
+        memset(&ms_graph->state, 0, sizeof(ms_graph->state));
+    }
+
+    queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    if (queue_fd < 0) {
+        mterror(WM_MS_GRAPH_LOGTAG, "Unable to connect to Message Queue. Exiting...");
+        #ifdef WAZUH_UNIT_TESTING
+        return false;
+        #else
+        pthread_exit(NULL);
+        #endif
+    }
+
+    atexit(wm_ms_graph_cleanup);
+    return true;
+
+}
+
+bool wm_ms_graph_check(wm_ms_graph* ms_graph) {
+
+    if (!ms_graph || !ms_graph->enabled) {
+        mtinfo(WM_MS_GRAPH_LOGTAG, "Module disabled. Exiting...");
+        #ifdef WAZUH_UNIT_TESTING
+        return false;
+        #else
+        pthread_exit(NULL);
+        #endif
+    } else if (!ms_graph->resources || ms_graph->num_resources == 0) {
+        mterror(WM_MS_GRAPH_LOGTAG, "Invalid module configuration (Missing API info, resources, relationships). Exiting...");
+        #ifdef WAZUH_UNIT_TESTING
+        return false;
+        #else
+        pthread_exit(NULL);
+        #endif
+    } else {
+        for (unsigned int resource = 0; resource < ms_graph->num_resources; resource++) {
+            if (ms_graph->resources[resource].num_relationships == 0) {
+                mterror(WM_MS_GRAPH_LOGTAG, "Invalid module configuration (Missing API info, resources, relationships). Exiting...");
+                #ifdef WAZUH_UNIT_TESTING
+                return false;
+                #else
+                pthread_exit(NULL);
+                #endif
+            }
+        }
+    }
+    return true;
+}
+
+void wm_ms_graph_get_access_token(wm_ms_graph_auth* auth_config, const ssize_t curl_max_size) {
+    char url[OS_SIZE_8192] = { '\0' };
+    char payload[OS_SIZE_8192] = { '\0' };
+    char* headers[] = { "Content-Type: application/x-www-form-urlencoded", NULL };
+    curl_response* response;
+
+    snprintf(url, OS_SIZE_8192 - 1, WM_MS_GRAPH_ACCESS_TOKEN_URL, auth_config->login_fqdn, auth_config->tenant_id);
+    mtdebug1(WM_MS_GRAPH_LOGTAG, "Microsoft Graph API Access Token URL: '%s'", url);
+    snprintf(payload, OS_SIZE_8192 - 1, WM_MS_GRAPH_ACCESS_TOKEN_PAYLOAD, auth_config->query_fqdn, auth_config->client_id, auth_config->secret_value);
+
+    response = wurl_http_request(WURL_POST_METHOD, headers, url, payload, curl_max_size, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    if (response) {
+        if (response->status_code != 200) {
+            char status_code[4];
+            snprintf(status_code, 4, "%ld", response->status_code);
+            mtwarn(WM_MS_GRAPH_LOGTAG, "Received unsuccessful status code when attempting to obtain access token: Status code was '%s' & response was '%s'", status_code, response->body);
+        } else if (response->max_size_reached) {
+            mtwarn(WM_MS_GRAPH_LOGTAG, "Reached maximum CURL size when attempting to obtain access token. Consider increasing the value of 'curl_max_size'.");
+        } else {
+            cJSON* response_body = NULL;
+            if (response_body = cJSON_Parse(response->body), response_body) {
+                cJSON* access_token_value = cJSON_GetObjectItem(response_body, "access_token");
+                cJSON* access_token_expiration = cJSON_GetObjectItem(response_body, "expires_in");
+                if (cJSON_IsString(access_token_value) && cJSON_IsNumber(access_token_expiration)) {
+                    os_strdup(access_token_value->valuestring, auth_config->access_token);
+                    auth_config->token_expiration_time = time(NULL) + access_token_expiration->valueint;
+                } else {
+                    mtwarn(WM_MS_GRAPH_LOGTAG, "Incomplete access token response, value or expiration time not present.");
+                }
+                cJSON_Delete(response_body);
+            } else {
+                mtwarn(WM_MS_GRAPH_LOGTAG, "Failed to parse access token JSON body.");
+            }
+        }
+        wurl_free_response(response);
+    } else {
+        mtwarn(WM_MS_GRAPH_LOGTAG, "No response received when attempting to obtain access token.");
+    }
+}
+
+void wm_ms_graph_scan_relationships(wm_ms_graph* ms_graph, const bool initial_scan) {
+    char url[OS_SIZE_8192] = { '\0' };
+    char auth_header[OS_SIZE_2048] = { '\0' };
+    char* headers[] = { NULL, NULL };
+    curl_response* response;
+    char relationship_state_name[OS_SIZE_1024] = { '\0' };
+    char start_time_str[WM_MS_GRAPH_TIMESTAMP_SIZE_80] = { '\0' };
+    struct tm tm_aux = { .tm_sec = 0 };
+    wm_ms_graph_state_t relationship_state_struc;
+    time_t now;
+    bool fail;
+
+    for (unsigned int resource_num = 0; resource_num < ms_graph->num_resources; resource_num++) {
+
+        for (unsigned int relationship_num = 0; relationship_num < ms_graph->resources[resource_num].num_relationships; relationship_num++) {
+
+            int e;
+            wm_ms_graph_auth *it;
+
+            for (e = 0; ms_graph->auth_config[e]; e++) {
+                it = ms_graph->auth_config[e];
+
+                snprintf(relationship_state_name, OS_SIZE_1024 -1, "%s-%s-%s-%s", WM_MS_GRAPH_CONTEXT.name,
+                    it->tenant_id, ms_graph->resources[resource_num].name, ms_graph->resources[resource_num].relationships[relationship_num]);
+
+                memset(&relationship_state_struc, 0, sizeof(relationship_state_struc));
+
+                // Load state for tenant-resource-relationship
+                if (wm_state_io(relationship_state_name, WM_IO_READ, &relationship_state_struc, sizeof(relationship_state_struc)) < 0) {
+                    memset(&relationship_state_struc, 0, sizeof(relationship_state_struc));
+                }
+
+                now = time(0);
+
+                if ((initial_scan && (!relationship_state_struc.next_time || ms_graph->only_future_events)) ||
+                    (!initial_scan && !relationship_state_struc.next_time)) {
+                    relationship_state_struc.next_time = now;
+                    if (wm_state_io(relationship_state_name, WM_IO_WRITE, &relationship_state_struc, sizeof(relationship_state_struc)) < 0) {
+                        mterror(WM_MS_GRAPH_LOGTAG, "Couldn't save running state.");
+                    } else if (isDebug()) {
+                        gmtime_r(&now, &tm_aux);
+                        strftime(start_time_str, sizeof(start_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+                        mtdebug1(WM_MS_GRAPH_LOGTAG, "Bookmark updated to '%s' for tenant '%s' resource '%s' and relationship '%s', waiting '%d' seconds to run first scan.",
+                            start_time_str, it->tenant_id, ms_graph->resources[resource_num].name, ms_graph->resources[resource_num].relationships[relationship_num], ms_graph->scan_config.interval);
+                    }
+                    continue;
+                }
+
+                gmtime_r(&relationship_state_struc.next_time, &tm_aux);
+                strftime(start_time_str, sizeof(start_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+
+                snprintf(auth_header, OS_SIZE_2048 - 1, "Authorization: Bearer %s", it->access_token);
+                os_strdup(auth_header, headers[0]);
+
+                snprintf(url, OS_SIZE_8192 - 1, WM_MS_GRAPH_API_URL,
+                it->query_fqdn,
+                ms_graph->version,
+                ms_graph->resources[resource_num].name,
+                ms_graph->resources[resource_num].relationships[relationship_num],
+                start_time_str);
+
+                mtdebug1(WM_MS_GRAPH_LOGTAG, "Microsoft Graph API Log URL: '%s'", url);
+
+                fail = true;
+                response = wurl_http_request(WURL_GET_METHOD, headers, url, "", ms_graph->curl_max_size, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+                // It takes the time right after the response to be saved for the next scan.
+                now = time(0);
+                if (response) {
+                    if (response->status_code != 200) {
+                        char status_code[4];
+                        snprintf(status_code, 4, "%ld", response->status_code);
+                        mtwarn(WM_MS_GRAPH_LOGTAG, "Received unsuccessful status code when attempting to get relationship '%s' logs: Status code was '%s' & response was '%s'",
+                        ms_graph->resources[resource_num].relationships[relationship_num],
+                        status_code,
+                        response->body);
+                    } else if (response->max_size_reached) {
+                        mtwarn(WM_MS_GRAPH_LOGTAG, "Reached maximum CURL size when attempting to get relationship '%s' logs. Consider increasing the value of 'curl_max_size'.",
+                        ms_graph->resources[resource_num].relationships[relationship_num]);
+                    } else {
+                        cJSON* body_parse = NULL;
+                        if (body_parse = cJSON_Parse(response->body), body_parse) {
+                            cJSON* logs = cJSON_GetObjectItem(body_parse, "value");
+                            int num_logs = cJSON_GetArraySize(logs);
+                            if (num_logs > 0) {
+                                for (int log_index = 0; log_index < num_logs; log_index++) {
+                                    cJSON* log = NULL;
+                                    if (log = cJSON_GetArrayItem(logs, log_index), log) {
+                                        cJSON* full_log = cJSON_CreateObject();
+                                        char* payload;
+
+                                        cJSON_AddStringToObject(log, "resource", ms_graph->resources[resource_num].name);
+                                        cJSON_AddStringToObject(log, "relationship", ms_graph->resources[resource_num].relationships[relationship_num]);
+                                        cJSON_AddStringToObject(full_log, "integration", WM_MS_GRAPH_CONTEXT.name);
+                                        cJSON_AddItemToObject(full_log, WM_MS_GRAPH_CONTEXT.name, cJSON_Duplicate(log, true));
+
+                                        payload = cJSON_PrintUnformatted(full_log);
+                                        mtdebug2(WM_MS_GRAPH_LOGTAG, "Sending log: '%s'", payload);
+                                        if (wm_sendmsg(1000000 / wm_max_eps, queue_fd, payload, WM_MS_GRAPH_CONTEXT.name, LOCALFILE_MQ) < 0) {
+                                            mterror(WM_MS_GRAPH_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+                                        }
+
+                                        os_free(payload);
+                                        cJSON_Delete(full_log);
+                                    } else {
+                                        mtwarn(WM_MS_GRAPH_LOGTAG, "Failed to parse log array into singular log.");
+                                    }
+                                }
+                                fail = false;
+                            } else {
+                                mtdebug2(WM_MS_GRAPH_LOGTAG, "No new logs received.");
+                                fail = false;
+                            }
+                            cJSON_Delete(body_parse);
+                        } else {
+                            mtwarn(WM_MS_GRAPH_LOGTAG, "Failed to parse relationship '%s' JSON body.", ms_graph->resources[resource_num].relationships[relationship_num]);
+                        }
+                    }
+                    wurl_free_response(response);
+                } else {
+                    mtwarn(WM_MS_GRAPH_LOGTAG, "No response received when attempting to get relationship '%s' from resource '%s' on API version '%s'.",
+                    ms_graph->resources[resource_num].relationships[relationship_num],
+                    ms_graph->resources[resource_num].name,
+                    ms_graph->version);
+                }
+
+                if (!fail) {
+                    relationship_state_struc.next_time = now;
+                    gmtime_r(&relationship_state_struc.next_time, &tm_aux);
+                    strftime(start_time_str, sizeof(start_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+                    if (wm_state_io(relationship_state_name, WM_IO_WRITE, &relationship_state_struc, sizeof(relationship_state_struc)) < 0) {
+                        mterror(WM_MS_GRAPH_LOGTAG, "Couldn't save running state.");
+                    } else {
+                        mtdebug1(WM_MS_GRAPH_LOGTAG, "Bookmark updated to '%s' for tenant '%s' resource '%s' and relationship '%s', waiting '%d' seconds to run next scan.",
+                            start_time_str, it->tenant_id, ms_graph->resources[resource_num].name, ms_graph->resources[resource_num].relationships[relationship_num], ms_graph->scan_config.interval);
+                    }
+                }
+                os_free(headers[0]);
+            }
+        }
+    }
+}
+
+void wm_ms_graph_destroy(wm_ms_graph* ms_graph) {
+
+    for (unsigned int resource = 0; resource < ms_graph->num_resources; resource++) {
+        for (unsigned int relationship = 0; relationship < ms_graph->resources[resource].num_relationships; relationship++) {
+            os_free(ms_graph->resources[resource].relationships[relationship]);
+        }
+        os_free(ms_graph->resources[resource].name);
+        os_free(ms_graph->resources[resource].relationships);
+    }
+    os_free(ms_graph->resources);
+
+    int e;
+    wm_ms_graph_auth *it;
+
+    for (e = 0; ms_graph->auth_config && ms_graph->auth_config[e]; e++) {
+        it = ms_graph->auth_config[e];
+        os_free(it->tenant_id);
+        os_free(it->client_id);
+        os_free(it->secret_value);
+        os_free(it->login_fqdn);
+        os_free(it->query_fqdn);
+        os_free(it->access_token);
+
+        os_free(it);
+    }
+
+    os_free(ms_graph->auth_config);
+
+    os_free(ms_graph->version);
+
+    os_free(ms_graph);
+}
+
+void wm_ms_graph_cleanup() {
+    close(queue_fd);
+    mtinfo(WM_MS_GRAPH_LOGTAG, "Module shutdown.");
+}
+
+cJSON* wm_ms_graph_dump(const wm_ms_graph* ms_graph) {
+    cJSON* root = cJSON_CreateObject();
+    cJSON* ms_graph_info = cJSON_CreateObject();
+    cJSON* ms_graph_auth = cJSON_CreateObject();
+
+    if (ms_graph->enabled) {
+        cJSON_AddStringToObject(ms_graph_info, "enabled", "yes");
+    } else {
+        cJSON_AddStringToObject(ms_graph_info, "enabled", "no");
+    }
+    if (ms_graph->only_future_events) {
+        cJSON_AddStringToObject(ms_graph_info, "only_future_events", "yes");
+    } else {
+        cJSON_AddStringToObject(ms_graph_info, "only_future_events", "no");
+    }
+    if (ms_graph->curl_max_size) {
+        cJSON_AddNumberToObject(ms_graph_info, "curl_max_size", ms_graph->curl_max_size);
+    }
+    if (ms_graph->run_on_start) {
+        cJSON_AddStringToObject(ms_graph_info, "run_on_start", "yes");
+    } else {
+        cJSON_AddStringToObject(ms_graph_info, "run_on_start", "no");
+    }
+    if (ms_graph->version) {
+        cJSON_AddStringToObject(ms_graph_info, "version", ms_graph->version);
+    }
+    sched_scan_dump(&ms_graph->scan_config, ms_graph_info);
+
+    int e;
+    wm_ms_graph_auth *it;
+
+    for (e = 0; ms_graph->auth_config[e]; e++) {
+        it = ms_graph->auth_config[e];
+
+        if (it->client_id) {
+            cJSON_AddStringToObject(ms_graph_auth, "client_id", it->client_id);
+        }
+        if (it->tenant_id) {
+            cJSON_AddStringToObject(ms_graph_auth, "tenant_id", it->tenant_id);
+        }
+        if (it->secret_value) {
+            cJSON_AddStringToObject(ms_graph_auth, "secret_value", it->secret_value);
+        }
+        // The FQDN used for querying the API is unique across types, so we can ignore the login FQDN
+        if (!strcmp(it->query_fqdn, WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN)) {
+            cJSON_AddStringToObject(ms_graph_auth, "api_type", "global");
+        } else if (!strcmp(it->query_fqdn, WM_MS_GRAPH_GCC_HIGH_API_QUERY_FQDN)) {
+            cJSON_AddStringToObject(ms_graph_auth, "api_type", "gcc-high");
+        } else if (!strcmp(it->query_fqdn, WM_MS_GRAPH_DOD_API_QUERY_FQDN)) {
+            cJSON_AddStringToObject(ms_graph_auth, "api_type", "dod");
+        }
+    }
+    cJSON_AddItemToObject(ms_graph_info, "api_auth", ms_graph_auth);
+
+    if (ms_graph->resources) {
+        cJSON* resource_array = cJSON_CreateArray();
+        for (unsigned int resource_num = 0; resource_num < ms_graph->num_resources; resource_num++) {
+            cJSON* resource = cJSON_CreateObject();
+            if (ms_graph->resources[resource_num].name) {
+                cJSON_AddStringToObject(ms_graph_auth, "name", ms_graph->resources[resource_num].name);
+            } else {
+                cJSON_free(resource);
+                continue;
+            }
+            if (ms_graph->resources[resource_num].relationships) {
+                for (unsigned int relationship_num = 0; relationship_num < ms_graph->resources[resource_num].num_relationships; relationship_num++) {
+                    if (ms_graph->resources[resource_num].relationships[relationship_num]) {
+                        cJSON_AddStringToObject(resource, "relationship", ms_graph->resources[resource_num].relationships[relationship_num]);
+                    }
+                }
+            }
+            cJSON_AddItemToArray(resource_array, resource);
+        }
+        if (cJSON_GetArraySize(resource_array) > 0) {
+            cJSON_AddItemToObject(ms_graph_info, "resources", resource_array);
+        } else {
+            cJSON_free(resource_array);
+        }
+    }
+    cJSON_AddItemToObject(root, "ms_graph", ms_graph_info);
+
+    return root;
+}
+
+#endif // WIN32 || defined __linux__ || defined __MACH__
diff --git a/src/modules/ms_graph/tests/integration/conftest.py b/src/modules/ms_graph/tests/integration/conftest.py
new file mode 100644
index 0000000000..a6e04aa7f3
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/conftest.py
@@ -0,0 +1,270 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import pytest
+import subprocess
+import os
+import sys
+from pathlib import Path
+from typing import List
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.paths import WAZUH_PATH
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import callbacks, configuration, services
+from wazuh_testing.utils.file import remove_file, truncate_file
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            services.control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                services.control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        services.control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            services.control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def wait_for_msgraph_start():
+    # Wait for module ms-graph starts
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_STARTED, {
+                              'integration': 'ms-graph'
+                          }))
+    assert (wazuh_log_monitor.callback_result == None), f'Error invalid configuration event not detected'
+
+
+@pytest.fixture(scope="session")
+def proxy_setup():
+    RESPONSES_PATH = Path(Path(__file__).parent, 'test_API', 'data', 'response_samples', 'responses.json')
+    m365proxy = subprocess.Popen(["/tmp/m365proxy/m365proxy", "--mocks-file", RESPONSES_PATH])
+    # Configurate proxy for Wazuh (will only work for systemctl start/restart)
+    subprocess.run("systemctl set-environment http_proxy=http://localhost:8000", shell=True)
+    remove_file(os.path.join(WAZUH_PATH, 'var', 'wodles', 'ms-graph-tenant_id-resource_name-resource_relationship'))
+
+    yield
+
+    subprocess.run("systemctl unset-environment http_proxy", shell=True)
+    m365proxy.kill()
+    m365proxy.wait()
diff --git a/src/modules/ms_graph/tests/integration/pytest.ini b/src/modules/ms_graph/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/ms_graph/tests/integration/test_API/__init__.py b/src/modules/ms_graph/tests/integration/test_API/__init__.py
new file mode 100644
index 0000000000..9dd1135920
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/__init__.py
@@ -0,0 +1,9 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/configuration_templates/config_API.yaml b/src/modules/ms_graph/tests/integration/test_API/data/configuration_templates/config_API.yaml
new file mode 100644
index 0000000000..81ce7132ed
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/configuration_templates/config_API.yaml
@@ -0,0 +1,55 @@
+- sections:
+    - section: ms-graph
+      elements:
+        - enabled:
+            value: 'ENABLED'
+        - only_future_events:
+            value: 'ONLY_FUTURE'
+        - interval:
+            value: 'INTERVAL'
+        - curl_max_size:
+            value: 'CURL_SIZE'
+        - run_on_start:
+            value: 'yes'
+        - version:
+            value: 'v1.0'
+        - api_auth:
+            elements:
+              - tenant_id:
+                  value: 'TENANT_ID'
+              - client_id:
+                  value: 'client_id'
+              - secret_value:
+                  value: 'secret_value'
+              - api_type:
+                  value: 'global'
+        - resource:
+            elements:
+              - name:
+                  value: 'RESOURCE_NAME'
+              - relationship:
+                  value: 'RESOURCE_RELATIONSHIP1'
+              - relationship:
+                  value: 'RESOURCE_RELATIONSHIP2'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/response_samples/responses.json b/src/modules/ms_graph/tests/integration/test_API/data/response_samples/responses.json
new file mode 100644
index 0000000000..061e85bb1e
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/response_samples/responses.json
@@ -0,0 +1,71 @@
+{
+  "responses": [
+    {
+      "url": "http://login.microsoftonline.com/tenant_id/oauth2/v2.0/token",
+      "method": "POST",
+      "responseCode": 200,
+      "responseBody": {
+        "expires_in": 3600,
+        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9.eyJhdWQiOiI2ZTc0MTcyYi1iZTU2LTQ4NDMtOWZmNC1lNjZhMzliYjEyZTMiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3L3YyLjAiLCJpYXQiOjE1MzcyMzEwNDgsIm5iZiI6MTUzNzIzMTA0OCwiZXhwIjoxNTM3MjM0OTQ4LCJhaW8iOiJBWFFBaS84SUFBQUF0QWFaTG8zQ2hNaWY2S09udHRSQjdlQnE0L0RjY1F6amNKR3hQWXkvQzNqRGFOR3hYZDZ3TklJVkdSZ2hOUm53SjFsT2NBbk5aY2p2a295ckZ4Q3R0djMzMTQwUmlvT0ZKNGJDQ0dWdW9DYWcxdU9UVDIyMjIyZ0h3TFBZUS91Zjc5UVgrMEtJaWpkcm1wNjlSY3R6bVE9PSIsImF6cCI6IjZlNzQxNzJiLWJlNTYtNDg0My05ZmY0LWU2NmEzOWJiMTJlMyIsImF6cGFjciI6IjAiLCJuYW1lIjoiQWJlIExpbmNvbG4iLCJvaWQiOiI2OTAyMjJiZS1mZjFhLTRkNTYtYWJkMS03ZTRmN2QzOGU0NzQiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhYmVsaUBtaWNyb3NvZnQuY29tIiwicmgiOiJJIiwic2NwIjoiYWNjZXNzX2FzX3VzZXIiLCJzdWIiOiJIS1pwZmFIeVdhZGVPb3VZbGl0anJJLUtmZlRtMjIyWDVyclYzeERxZktRIiwidGlkIjoiNzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3IiwidXRpIjoiZnFpQnFYTFBqMGVRYTgyUy1JWUZBQSIsInZlciI6IjIuMCJ9.pj4N-w_3Us9DrBLfpCt"
+      }
+    },
+
+    {
+      "url": "http://login.microsoftonline.com/*/oauth2/v2.0/token",
+      "method": "POST",
+      "responseCode": 400,
+      "responseBody": {
+        "expires_in": 0,
+        "access_token": ""
+      }
+    },
+    {
+      "url": "http://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+*",
+      "method": "GET",
+      "responseCode": 200,
+      "responseBody": {
+        "value": [
+          "microsoft.graph.security.alert"
+        ]
+      }
+    },
+    {
+      "url": "http://graph.microsoft.com/v1.0/security/incidents?$filter=createdDateTime+gt+*",
+      "method": "GET",
+      "responseCode": 200,
+      "responseBody": {
+        "value": [
+          "microsoft.graph.security.incident"
+        ]
+      }
+    },
+    {
+      "url": "http://graph.microsoft.com/v1.0/resource_name/resource_relationship?$filter=createdDateTime+gt+*",
+      "method": "GET",
+      "responseCode": 200,
+      "responseBody": {
+        "value": [
+          "Example"
+        ]
+      }
+    },
+    {
+      "url": "http://*/*/*/*$filter=createdDateTime+gt+*",
+      "method": "GET",
+      "responseCode": 403,
+      "responseBody": {
+        "value": [
+          {
+            "error":
+            {
+              "code":"Unauthorized",
+              "message":"Unauthorized request.",
+              "innerError":{"date":"2023-08-09T15:54:29","request-id":"7fd4af1f-8a50-43a9-ae82-92d92f6706d3",
+              "client-request-id":"7fd4af1f-8a50-43a9-ae82-92d92f6706d3"}
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_curl_size.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_curl_size.yaml
new file mode 100644
index 0000000000..31018fe47f
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_curl_size.yaml
@@ -0,0 +1,11 @@
+- name: Test_Curl_Max_Size_Reached
+  description: Check ms-graph integration when `curl_max_size` is reached.
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'no'
+    INTERVAL: '10s'
+    CURL_SIZE: '1K'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP1: 'resource_relationship'
+    RESOURCE_RELATIONSHIP2: 'resource_relationship'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_no.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_no.yaml
new file mode 100644
index 0000000000..d9a37655b4
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_no.yaml
@@ -0,0 +1,11 @@
+- name: Test_Only_Future_Events_Disabled
+  description: Check ms-graph integration when `only_future_events` tag is set to no
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'no'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP1: 'resource_relationship'
+    RESOURCE_RELATIONSHIP2: 'resource_relationship'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_yes.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_yes.yaml
new file mode 100644
index 0000000000..23d4fa4c59
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_future_yes.yaml
@@ -0,0 +1,11 @@
+- name: Test_Only_Future_Events_Enabled
+  description: Check ms-graph integration when `only_future_events` tag is set to yes
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'yes'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP1: 'resource_relationship'
+    RESOURCE_RELATIONSHIP2: 'resource_relationship'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_auth.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_auth.yaml
new file mode 100644
index 0000000000..c3dc857e39
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_auth.yaml
@@ -0,0 +1,11 @@
+- name: Test_Get_Access_Token_Invalid_Tenant
+  description: Check ms-graph integration access token when 'tenant_id' is invalid
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'no'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_invalid'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP1: 'resource_relationship'
+    RESOURCE_RELATIONSHIP2: 'resource_relationship'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_resource.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_resource.yaml
new file mode 100644
index 0000000000..4d58e2d034
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_invalid_resource.yaml
@@ -0,0 +1,11 @@
+- name: Test_Invalid_Resource
+  description: Check ms-graph integration when `resource` tag `name` is invalid
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'yes'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'invalid'
+    RESOURCE_RELATIONSHIP1: 'invalid'
+    RESOURCE_RELATIONSHIP2: 'invalid'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_auth.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_auth.yaml
new file mode 100644
index 0000000000..3f5538b7b9
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_auth.yaml
@@ -0,0 +1,11 @@
+- name: Test_Get_Access_Token_Valid
+  description: Check ms-graph integration access token when 'tenant_id' is valid
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'no'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP1: 'resource_relationship'
+    RESOURCE_RELATIONSHIP2: 'resource_relationship'
diff --git a/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_resource.yaml b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_resource.yaml
new file mode 100644
index 0000000000..6055c6f2e8
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/data/test_cases/cases_valid_resource.yaml
@@ -0,0 +1,11 @@
+- name: Test_Valid_Resource
+  description: Check ms-graph integration when `resource` tags `name` and `relationship` are valid
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE: 'yes'
+    INTERVAL: '10s'
+    CURL_SIZE: '10M'
+    TENANT_ID: 'tenant_id'
+    RESOURCE_NAME: 'security'
+    RESOURCE_RELATIONSHIP1: 'alerts_v2'
+    RESOURCE_RELATIONSHIP2: 'incidents'
diff --git a/src/modules/ms_graph/tests/integration/test_API/test_API.py b/src/modules/ms_graph/tests/integration/test_API/test_API.py
new file mode 100644
index 0000000000..3b8b081135
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_API/test_API.py
@@ -0,0 +1,515 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The Wazuh 'ms-graph' module is capable of communicating with Microsoft Graph & parsing its various
+       logging sources, with an emphasis on the security resource. This includes a full set of rules for
+       categorizing these logs, alongside a standardized suite of configuration options that mirror other
+       modules, such as Azure, GCP, and Office365.
+
+components:
+    - ms-graph
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-monitord
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+tags:
+    - ms-graph_configuration
+'''
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data
+from wazuh_testing.utils.configuration import load_configuration_template
+from wazuh_testing.utils import callbacks
+from wazuh_testing.utils.services import control_service
+from wazuh_testing.utils.file import truncate_file
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration and cases data.
+configs_path = Path(CONFIGS_PATH, 'config_API.yaml')
+
+# ---------------------------------------------------- TEST_FUTURE_EVENTS ---------------------------------------------
+# Test configurations
+t1_cases_path = Path(TEST_CASES_PATH, 'cases_future_yes.yaml')
+t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path)
+t1_configurations = load_configuration_template(configs_path, t1_configuration_parameters,
+                                                t1_configuration_metadata)
+
+# Test configurations
+t2_cases_path = Path(TEST_CASES_PATH, 'cases_future_no.yaml')
+t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path)
+t2_configurations = load_configuration_template(configs_path, t2_configuration_parameters,
+                                                t2_configuration_metadata)
+
+# ---------------------------------------------------- TEST_CURL_SIZE ---------------------------------------------------
+# Test configurations
+t3_cases_path = Path(TEST_CASES_PATH, 'cases_curl_size.yaml')
+t3_configuration_parameters, t3_configuration_metadata, t3_case_ids = get_test_cases_data(t3_cases_path)
+t3_configurations = load_configuration_template(configs_path, t3_configuration_parameters,
+                                                t3_configuration_metadata)
+
+# ---------------------------------------------------- TEST_RESOURCES ---------------------------------------------------
+# Test configurations
+t4_cases_path = Path(TEST_CASES_PATH, 'cases_valid_resource.yaml')
+t4_configuration_parameters, t4_configuration_metadata, t4_case_ids = get_test_cases_data(t4_cases_path)
+t4_configurations = load_configuration_template(configs_path, t4_configuration_parameters,
+                                                t4_configuration_metadata)
+
+# Test configurations
+t5_cases_path = Path(TEST_CASES_PATH, 'cases_invalid_resource.yaml')
+t5_configuration_parameters, t5_configuration_metadata, t5_case_ids = get_test_cases_data(t5_cases_path)
+t5_configurations = load_configuration_template(configs_path, t5_configuration_parameters,
+                                                t5_configuration_metadata)
+
+# ---------------------------------------------------- TEST_AUTH_TOKEN ---------------------------------------------------
+# Test configurations
+t6_cases_path = Path(TEST_CASES_PATH, 'cases_valid_auth.yaml')
+t6_configuration_parameters, t6_configuration_metadata, t6_case_ids = get_test_cases_data(t6_cases_path)
+t6_configurations = load_configuration_template(configs_path, t6_configuration_parameters,
+                                                t6_configuration_metadata)
+
+# Test configurations
+t7_cases_path = Path(TEST_CASES_PATH, 'cases_invalid_auth.yaml')
+t7_configuration_parameters, t7_configuration_metadata, t7_case_ids = get_test_cases_data(t7_cases_path)
+t7_configurations = load_configuration_template(configs_path, t7_configuration_parameters,
+                                                t7_configuration_metadata)
+
+# Test configurations.
+daemons_handler_configuration = {'all_daemons': True, 'ignore_errors': True}
+local_internal_options = {MODULESD_DEBUG: '2'}
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
+def test_future_events_yes(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `only_future_events` tag is set to yes.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `only_future_events` option is set to `yes`, the ms-graph module saves a bookmark,
+        and after a restart, it waits for a first scan.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*Bookmark updated'
+        - r'.*wazuh-modulesd:ms-graph.*seconds to run first scan'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*Bookmark updated"))
+
+    if(wazuh_log_monitor.callback_result != None):
+        control_service('stop')
+        truncate_file(WAZUH_LOG_PATH)
+        control_service('start')
+        wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*seconds to run first scan"))
+        assert (wazuh_log_monitor.callback_result != None), f'Error, `first scan` not found in log'
+    else:
+        assert (False), f'Error `Bookmark updated` not found in log'
+
+
+@pytest.mark.skip(reason="Unstable, the testing tool is not returning the expected values. This needs to be investigated.")
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
+def test_future_events_no(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `only_future_events` tag is set to no.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `only_future_events` option is set to `no`, the ms-graph module saves a bookmark,
+        and after a restart, it does not wait for a first scan.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*Bookmark updated'
+        - r'.*wazuh-modulesd:ms-graph.*seconds to run next scan'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*Bookmark updated"))
+
+    if(wazuh_log_monitor.callback_result != None):
+        control_service('stop')
+        truncate_file(WAZUH_LOG_PATH)
+        control_service('start')
+
+        wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*seconds to run next scan"))
+        assert (wazuh_log_monitor.callback_result != None), f'Error, `next scan` not found in log'
+
+        wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*seconds to run first scan"), timeout=10)
+        assert (wazuh_log_monitor.callback_result == None), f'Error, `first scan` not found in log'
+    else:
+        assert (False), f'Error `Bookmark updated` not found in log'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t3_configurations, t3_configuration_metadata), ids=t3_case_ids)
+def test_curl_max_size(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `curl_max_size` is reached.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `curl_max_size` is less than the request size, the ms-graph module shows a warning.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*Reached maximum CURL size'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*Reached maximum CURL size"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `maximum CURL size` not found in log'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t4_configurations, t4_configuration_metadata), ids=t4_case_ids)
+def test_valid_resource(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `resource` tags `name` and `relationship` are valid.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `resource` `name` equals `security` and has `relationship` as `alerts_v2` and `incidents`
+          it gets the correct responses.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*microsoft.graph.security.alert'
+        - r'.*wazuh-modulesd:ms-graph.*microsoft.graph.security.incident'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*microsoft.graph.security.alert"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `security.alert` not found in log'
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*microsoft.graph.security.incident"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `security.incident` not found in log'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t5_configurations, t5_configuration_metadata), ids=t5_case_ids)
+def test_invalid_resource(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `resource` tags `name` and `relationship` are invalid.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `resource` values `name` and `relationship` are invalid for the API
+          it gets the correct error.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*Received unsuccessful status
+            code when attempting to get relationship \'invalid\'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(
+        callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*Received unsuccessful "\
+                                             r"status code when attempting to get relationship \'invalid\'"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `unsuccessful status code` not found in log'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t6_configurations, t6_configuration_metadata), ids=t6_case_ids)
+def test_valid_auth(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `tenant_id` tag is valid.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `tenant_id` is valid it does not get an error.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*INFO: Scanning tenant'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*INFO: Scanning tenant"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `Scanning tenant` not found in log'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t7_configurations, t7_configuration_metadata), ids=t7_case_ids)
+def test_invalid_auth(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start, proxy_setup):
+    '''
+    description: Check 'ms-graph' behavior when `resource` tags `name` and `relationship` are invalid.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+        - proxy_setup:
+            type: fixture
+            brief: Setups the API proxy application.
+
+    assertions:
+        - Verify that when the `tenant_id` is invalid it gets an error.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_API.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*WARNING: Recieved unsuccessful
+            status code when attempting to obtain access token'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(
+        callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*WARNING: Received unsuccessful "\
+                                             r"status code when attempting to obtain access token"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error, `unsuccessful status code` not found in log'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/__init__.py b/src/modules/ms_graph/tests/integration/test_configuration/__init__.py
new file mode 100644
index 0000000000..9dd1135920
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/__init__.py
@@ -0,0 +1,9 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_basic.yaml b/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_basic.yaml
new file mode 100644
index 0000000000..2b0158b475
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_basic.yaml
@@ -0,0 +1,53 @@
+- sections:
+    - section: ms-graph
+      elements:
+        - enabled:
+            value: 'ENABLED'
+        - only_future_events:
+            value: 'yes'
+        - interval:
+            value: 'INTERVAL'
+        - curl_max_size:
+            value: '1024'
+        - run_on_start:
+            value: 'RUN_ON_START'
+        - version:
+            value: 'v1.0'
+        - api_auth:
+            elements:
+              - tenant_id:
+                  value: 'tenant_id'
+              - client_id:
+                  value: 'client_id'
+              - secret_value:
+                  value: 'secret_value'
+              - api_type:
+                  value: 'global'
+        - resource:
+            elements:
+              - name:
+                  value: 'resource_name'
+              - relationship:
+                  value: 'resource_relationship'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml b/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
new file mode 100644
index 0000000000..708866b643
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
@@ -0,0 +1,53 @@
+- sections:
+    - section: ms-graph
+      elements:
+        - enabled:
+            value: 'ENABLED'
+        - only_future_events:
+            value: 'ONLY_FUTURE_EVENTS'
+        - interval:
+            value: 'INTERVAL'
+        - curl_max_size:
+            value: 'CURL_MAX_SIZE'
+        - run_on_start:
+            value: 'RUN_ON_START'
+        - version:
+            value: 'VERSION'
+        - api_auth:
+            elements:
+              - tenant_id:
+                  value: 'TENANT_ID'
+              - client_id:
+                  value: 'CLIENT_ID'
+              - secret_value:
+                  value: 'SECRET_VALUE'
+              - api_type:
+                  value: 'API_TYPE'
+        - resource:
+            elements:
+              - name:
+                  value: 'RESOURCE_NAME'
+              - relationship:
+                  value: 'RESOURCE_RELATIONSHIP'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_disabled.yaml b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_disabled.yaml
new file mode 100644
index 0000000000..5849a6acf2
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_disabled.yaml
@@ -0,0 +1,8 @@
+- name: Test_Disabled
+  description: Check ms-graph integration does not start when it is disabled
+  configuration_parameters:
+    ENABLED: 'no'
+    INTERVAL: '1m'
+    RUN_ON_START: 'yes'
+  metadata:
+    module: 'ms-graph'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_enabled.yaml b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_enabled.yaml
new file mode 100644
index 0000000000..4c98e28a80
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_enabled.yaml
@@ -0,0 +1,17 @@
+- name: Test_Enabled_Run_On_Start
+  description: Check ms-graph integration start when it is enabled and started
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: '1m'
+    RUN_ON_START: 'yes'
+  metadata:
+    msg: 'INFO: Obtaining access token.'
+
+- name: Test_Enabled_No_Run_On_Start
+  description: Check ms-graph integration start when it is enabled and start delayed
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: '1m'
+    RUN_ON_START: 'no'
+  metadata:
+    msg: 'DEBUG: Waiting until:'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
new file mode 100644
index 0000000000..b81c8a8f3e
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
@@ -0,0 +1,228 @@
+- name: Invalid_Enabled
+  description: Check ms-graph integration does not start with Invalid Enabled
+  configuration_parameters:
+    ENABLED: 'invalid'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'enabled'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+- name: Invalid_Only_Future_Events
+  description: Check ms-graph integration does not start with Invalid Only Future Events
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'invalid'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'only_future_events'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+
+- name: Invalid_Interval
+  description: Check ms-graph integration does not start with Invalid Interval
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: 'interval'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'interval'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+
+- name: Invalid_Curl_Max_Size
+  description: Check ms-graph integration does not start with Invalid Curl Max Size
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '-12'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'curl_max_size'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+
+- name: Invalid_Run_On_Start
+  description: Check ms-graph integration does not start with Invalid Run On Start
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'invalid'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'run_on_start'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+
+- name: Invalid_Version
+  description: Check ms-graph integration does not start with Invalid Version
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.6'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'version'
+    error_type: 'Invalid'
+    module: 'ms-graph'
+
+
+- name: Empty_Tenant_Id
+  description: Check ms-graph integration does not start with Empty Tenant Id
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: ''
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'tenant_id'
+    error_type: 'Empty'
+    module: 'ms-graph'
+
+
+- name: Empty_Client_Id
+  description: Check ms-graph integration does not start with Empty Client Id
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: ''
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'client_id'
+    error_type: 'Empty'
+    module: 'ms-graph'
+
+
+- name: Empty_Client_Secret
+  description: Check ms-graph integration does not start with Empty Client Secret
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: ''
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'secret_value'
+    error_type: 'Empty'
+    module: 'ms-graph'
+
+
+- name: Empty_Resource_Name
+  description: Check ms-graph integration does not start with Empty Resource Name
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: ''
+    RESOURCE_RELATIONSHIP: 'resource_relationship'
+  metadata:
+    event_monitor: 'name'
+    error_type: 'Empty'
+    module: 'ms-graph'
+
+
+- name: Empty_Resource_Relationship
+  description: Check ms-graph integration does not start with Empty Resource Relationship
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    RUN_ON_START: 'yes'
+    VERSION: 'v1.0'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    SECRET_VALUE: 'secret_value'
+    API_TYPE: 'global'
+    RESOURCE_NAME: 'resource_name'
+    RESOURCE_RELATIONSHIP: ''
+  metadata:
+    event_monitor: 'relationship'
+    error_type: 'Empty'
+    module: 'ms-graph'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/test_basic.py b/src/modules/ms_graph/tests/integration/test_configuration/test_basic.py
new file mode 100644
index 0000000000..ddd8fca75e
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/test_basic.py
@@ -0,0 +1,183 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The Wazuh 'ms-graph' module is capable of communicating with Microsoft Graph & parsing its various
+       logging sources, with an emphasis on the security resource. This includes a full set of rules for
+       categorizing these logs, alongside a standardized suite of configuration options that mirror other
+       modules, such as Azure, GCP, and Office365.
+
+components:
+    - ms-graph
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-monitord
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+tags:
+    - ms-graph_configuration
+'''
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data
+from wazuh_testing.utils.configuration import load_configuration_template
+from wazuh_testing.utils import callbacks
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration and cases data.
+configs_path = Path(CONFIGS_PATH, 'config_basic.yaml')
+
+# ---------------------------------------------------- TEST_ENABLED ---------------------------------------------------
+# Test configurations
+t1_cases_path = Path(TEST_CASES_PATH, 'cases_enabled.yaml')
+t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path)
+t1_configurations = load_configuration_template(configs_path, t1_configuration_parameters,
+                                                t1_configuration_metadata)
+
+# ---------------------------------------------------- TEST_DISABLED --------------------------------------------------
+# Test configurations
+t2_cases_path = Path(TEST_CASES_PATH, 'cases_disabled.yaml')
+t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path)
+t2_configurations = load_configuration_template(configs_path, t2_configuration_parameters,
+                                                t2_configuration_metadata)
+
+# Test configurations.
+daemons_handler_configuration = {'all_daemons': True, 'ignore_errors': True}
+local_internal_options = {MODULESD_DEBUG: '2'}
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
+def test_enabled(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start):
+    '''
+    description: Check 'ms-graph' behavior when enabled tag is set to yes and if run_on_start is enabled or not.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+
+    assertions:
+        - Verify that when the `enabled` option is set to `yes`, the ms-graph module is enabled.
+        - Verify that when the `run_on_start` option is set to `yes`, the ms-graph module is started.
+        - Verify that when the `run_on_start` option is set to `no`, the ms-graph module start is delayed.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_basic.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*INFO: Started module'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*INFO: Started module"))
+    assert (wazuh_log_monitor.callback_result != None), f'Error module enabled event not detected'
+
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*{msg}", {
+                              'msg': str(test_metadata['msg'])}))
+    assert (wazuh_log_monitor.callback_result != None), f'Error module started or delayed event not detected'
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
+def test_disabled(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start):
+    '''
+    description: Check 'ms-graph' behavior when enabled tag is set to no.
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+
+    assertions:
+        - Verify that when the `enabled` option is set to `no`, the ms-graph module does not start.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_basic.yaml). That template is combined with a test case defined in
+                       the module. This include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'.*wazuh-modulesd:ms-graph.*INFO: (Module disabled). Exiting.'
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(r".*wazuh-modulesd:ms-graph.*INFO: (Module disabled). Exiting."))
+
+    assert (wazuh_log_monitor.callback_result != None), f'Error module disabled event not detected'
diff --git a/src/modules/ms_graph/tests/integration/test_configuration/test_invalid.py b/src/modules/ms_graph/tests/integration/test_configuration/test_invalid.py
new file mode 100644
index 0000000000..68c5dab285
--- /dev/null
+++ b/src/modules/ms_graph/tests/integration/test_configuration/test_invalid.py
@@ -0,0 +1,128 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The Wazuh 'ms-graph' module is capable of communicating with Microsoft Graph & parsing its various
+       logging sources, with an emphasis on the security resource. This includes a full set of rules for
+       categorizing these logs, alongside a standardized suite of configuration options that mirror other
+       modules, such as Azure, GCP, and Office365.
+
+components:
+    - ms-graph
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-monitord
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+
+tags:
+    - ms-graph_configuration
+'''
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data
+from wazuh_testing.utils.configuration import load_configuration_template
+from wazuh_testing.utils import callbacks
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.tier(level=0)]
+
+# Configuration and cases data.
+configs_path = Path(CONFIGS_PATH, 'config_invalid_configuration.yaml')
+cases_path = Path(TEST_CASES_PATH, 'cases_invalid_configuration.yaml')
+
+# Test configurations.
+config_parameters, test_metadata, test_cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(configs_path, config_parameters, test_metadata)
+daemons_handler_configuration = {'all_daemons': True, 'ignore_errors': True}
+local_internal_options = {MODULESD_DEBUG: '2'}
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_invalid(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_msgraph_start):
+    '''
+    description: Check if the 'ms-graph' module detects invalid configurations. For this purpose, the test
+                 will configure that module using invalid configuration settings with different attributes.
+                 Finally, it will verify that error events are generated indicating the source of the errors.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_msgraph_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+
+    assertions:
+        - Verify that the 'ms-graph' module generates error events when invalid configurations are used.
+
+    input_description: A configuration template is contained in an external YAML file
+                       (config_invalid_configuration.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'ms-graph' module.
+
+    expected_output:
+        - r'wm_ms_graph_read(): ERROR.* Invalid content for tag .*'
+        - r'wm_ms_graph_read(): ERROR.* Empty content for tag .*'
+
+    tags:
+        - invalid_settings
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_CONFIGURATION_ERROR, {
+                              'error_type': str(test_metadata['error_type']),
+                              'tag': str(test_metadata['event_monitor']),
+                              'integration': str(test_metadata['module']),
+                          }))
+
+    assert (wazuh_log_monitor.callback_result != None), f'Error invalid configuration event not detected'
diff --git a/src/modules/ms_graph/tests/unit/tests/CMakeLists.txt b/src/modules/ms_graph/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..9acd16bef5
--- /dev/null
+++ b/src/modules/ms_graph/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,83 @@
+# Copyright (C) 2023, InfoDefense Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_ms_graph")
+list(APPEND tests_flags "-Wl,--wrap=_merror -Wl,--wrap=_mtinfo -Wl,--wrap=_mtwarn -Wl,--wrap,_mtdebug1 -Wl,--wrap=_mterror -Wl,--wrap,wurl_http_request \
+                        -Wl,--wrap,atexit -Wl,--wrap,time -Wl,--wrap,wm_state_io -Wl,--wrap,StartMQ -Wl,--wrap,gmtime_r -Wl,--wrap,isDebug \
+                        -Wl,--wrap,sched_scan_get_time_until_next_scan -Wl,--wrap,is_fim_shutdown -Wl,--wrap,fim_db_teardown -Wl,--wrap,Start_win32_Syscheck \
+                        -Wl,--wrap,strftime -Wl,--wrap,_mtdebug2 -Wl,--wrap,wm_sendmsg -Wl,--wrap,strerror -Wl,--wrap,_imp__rsync_initialize \
+                        -Wl,--wrap,syscom_dispatch -Wl,--wrap,_imp__dbsync_initialize -Wl,--wrap,w_get_timestamp -Wl,--wrap,FOREVER")
+                        
+
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB ms_graph ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM ms_graph ../../../wazuh_modules/main.o)
+
+add_library(MS_GRAPH_O STATIC ${ms_graph})
+
+set_source_files_properties(
+  ${ms_graph}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  MS_GRAPH_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(MS_GRAPH_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            MS_GRAPH_O
+            -lcmocka
+            -ldl
+            -fprofile-arcs
+            -ftest-coverage
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/modules/ms_graph/tests/unit/tests/test_wm_ms_graph.c b/src/modules/ms_graph/tests/unit/tests/test_wm_ms_graph.c
new file mode 100644
index 0000000000..4e37cb119e
--- /dev/null
+++ b/src/modules/ms_graph/tests/unit/tests/test_wm_ms_graph.c
@@ -0,0 +1,3094 @@
+/*
+ * Copyright (C) 2023, InfoDefense Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for ms-graph Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+#include <stdlib.h>
+
+#include "shared.h"
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/wm_ms_graph.h"
+#include "../../wazuh_modules/wm_ms_graph.c"
+
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/shared/time_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/url_wrappers.h"
+#include "../../wrappers/wazuh/shared/schedule_scan_wrappers.h"
+#include "../../wrappers/libc/time_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+
+#define TEST_MAX_DATES 5
+#define TEST_MAX_TENANT 3
+
+static wmodule *ms_graph_module;
+static OS_XML *lxml;
+
+unsigned int __wrap_gmtime_r(__attribute__ ((__unused__)) const time_t *t, __attribute__ ((__unused__)) struct tm *tm) {
+    return mock_type(unsigned int);
+}
+
+int __wrap_isDebug() {
+    return mock();
+}
+
+static void wmodule_cleanup(wmodule *module){
+    wm_ms_graph* module_data = (wm_ms_graph*)module->data;
+    if(module_data){
+        os_free(module_data->version);
+        for(unsigned int resource = 0; resource < module_data->num_resources; resource++){
+            for(unsigned int relationship = 0; relationship < module_data->resources[resource].num_relationships; relationship++){
+                os_free(module_data->resources[resource].relationships[relationship]);
+            }
+            os_free(module_data->resources[resource].relationships);
+            os_free(module_data->resources[resource].name);
+        }
+        os_free(module_data->resources);
+        for(int i = 0; module_data->auth_config[i]; i++) {
+            os_free(module_data->auth_config[i]->tenant_id);
+            os_free(module_data->auth_config[i]->client_id);
+            os_free(module_data->auth_config[i]->secret_value);
+            os_free(module_data->auth_config[i]->access_token);
+            os_free(module_data->auth_config[i]->login_fqdn);
+            os_free(module_data->auth_config[i]->query_fqdn);
+
+            os_free(module_data->auth_config[i]);
+        }
+
+        os_free(module_data->auth_config);
+        os_free(module_data);
+    }
+    os_free(module->tag);
+    os_free(module);
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wm_ms_graph* module_data = (wm_ms_graph*)test->module->data;
+    if(module_data && &(module_data->scan_config)){
+        sched_scan_free(&(module_data->scan_config));
+    }
+    wmodule_cleanup(test->module);
+    os_free(test);
+    return 0;
+}
+
+static int setup_conf(void **state) {
+    wm_ms_graph* init_data = NULL;
+    os_calloc(1,sizeof(wm_ms_graph), init_data);
+    test_mode = true;
+    *state = init_data;
+    return 0;
+}
+
+static int teardown_conf(void **state) {
+    wm_ms_graph *data  = (wm_ms_graph *)*state;
+    test_mode = false;
+    wm_ms_graph_destroy(data);
+    return 0;
+}
+
+// XML reading tests
+void test_bad_tag(void **state) {
+    const char* config =
+        "<invalid>yes</invalid>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1233): Invalid attribute 'invalid' in the configuration: 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_empty_module(void **state) {
+    const char* config = "";
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty configuration found in module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_invalid_enabled(void **state) {
+    const char* config =
+        "<enabled>invalid</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'enabled' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_enabled_no(void **state) {
+    const char* config =
+        "<enabled>no</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 1);
+    assert_string_equal(module_data->version, "v1.0");
+
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_invalid_only_future_events(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>invalid</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'only_future_events' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_disabled_only_future_events(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>no</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 1);
+    assert_string_equal(module_data->version, "v1.0");
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_invalid_curl_max_size(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>invalid</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'ms-graph'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_invalid_negative_curl_max_size(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>-1</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'ms-graph'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_value_curl_max_size(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>4k</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->curl_max_size, 4096);
+}
+
+void test_invalid_run_on_start(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>invalid</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'run_on_start' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_disabled_run_on_start(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>no</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 0);
+    assert_string_equal(module_data->version, "v1.0");
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_invalid_interval(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>invalid</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_INVALID);
+}
+
+void test_invalid_version(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>invalid</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'version' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_api_auth(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'api_auth' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_empty_api_auth(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth></api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_auth' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_invalid_client_id(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id></client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'client_id' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_client_id(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'client_id' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_invalid_tenant_id(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id></tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'tenant_id' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_tenant_id(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'tenant_id' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_invalid_secret_value(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value></secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'secret_value' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_secret_value(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'secret_value' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_invalid_api_type(void **state){
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>invalid</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'api_type' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_api_type(void **state){
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'api_type' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_empty_api_type(void **state){
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type></api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_type' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_invalid_attribute_api_type(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "  <invalid>attribute</invalid>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1233): Invalid attribute 'invalid' in the configuration: 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_resource(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'resource' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_empty_resource(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource></resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'resource' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_name(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'name' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_empty_name(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name></name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'name' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_missing_relationship(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1228): Element 'relationship' without any option.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_NOTFOUND);
+}
+
+void test_empty_relationship(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship></relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'relationship' at module 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+void test_invalid_attribute_resource(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <invalid>resource</invalid>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "(1233): Invalid attribute 'invalid' in the configuration: 'ms-graph'.");
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_CFGERR);
+}
+
+// Main program tests
+void test_normal_config(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>global</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 1);
+    assert_string_equal(module_data->version, "v1.0");
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_normal_config_api_type_gcc(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>gcc-high</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 1);
+    assert_string_equal(module_data->version, "v1.0");
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_string_equal(module_data->auth_config[0]->login_fqdn, "login.microsoftonline.us");
+    assert_string_equal(module_data->auth_config[0]->query_fqdn, "graph.microsoft.us");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_normal_config_api_type_dod(void **state) {
+    const char* config =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>yes</only_future_events>\n"
+        "<curl_max_size>1M</curl_max_size>\n"
+        "<run_on_start>yes</run_on_start>\n"
+        "<interval>5m</interval>\n"
+        "<version>v1.0</version>\n"
+        "<api_auth>\n"
+        "  <client_id>example_string</client_id>\n"
+        "  <tenant_id>example_string</tenant_id>\n"
+        "  <secret_value>example_string</secret_value>\n"
+        "  <api_type>dod</api_type>\n"
+        "</api_auth>\n"
+        "<resource>\n"
+        "  <name>security</name>\n"
+        "  <relationship>alerts_v2</relationship>\n"
+        "  <relationship>incidents</relationship>\n"
+        "</resource>\n"
+        "<resource>\n"
+        "  <name>identityProtection</name>\n"
+        "  <relationship>riskyUsers</relationship>\n"
+        "</resource>\n"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(config, &(test->xml));
+    assert_int_equal(wm_ms_graph_read(&(test->xml), test->nodes, test->module), OS_SUCCESS);
+    wm_ms_graph *module_data = (wm_ms_graph*)test->module->data;
+    assert_int_equal(module_data->enabled, 1);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->curl_max_size, OS_SIZE_1048576);
+    assert_int_equal(module_data->run_on_start, 1);
+    assert_string_equal(module_data->version, "v1.0");
+    assert_string_equal(module_data->auth_config[0]->tenant_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->client_id, "example_string");
+    assert_string_equal(module_data->auth_config[0]->secret_value, "example_string");
+    assert_string_equal(module_data->auth_config[0]->login_fqdn, "login.microsoftonline.us");
+    assert_string_equal(module_data->auth_config[0]->query_fqdn, "dod-graph.microsoft.us");
+    assert_int_equal(module_data->num_resources, 2);
+    assert_string_equal(module_data->resources[0].name, "security");
+    assert_int_equal(module_data->resources[0].num_relationships, 2);
+    assert_string_equal(module_data->resources[0].relationships[0], "alerts_v2");
+    assert_string_equal(module_data->resources[0].relationships[1], "incidents");
+    assert_string_equal(module_data->resources[1].name, "identityProtection");
+    assert_int_equal(module_data->resources[1].num_relationships, 1);
+    assert_string_equal(module_data->resources[1].relationships[0], "riskyUsers");
+}
+
+void test_cleanup() {
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module shutdown.");
+    wm_ms_graph_cleanup();
+}
+
+void test_setup_complete(void **state) {
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_string", module_data->auth_config[0]->client_id);
+    os_strdup("example_string", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_string", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource) * 2, module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    os_strdup("identityProtection", module_data->resources[1].name);
+    module_data->num_resources = 2;
+    os_malloc(sizeof(char*) * 2, module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    os_strdup("incidents", module_data->resources[0].relationships[1]);
+    module_data->resources[0].num_relationships = 2;
+    os_malloc(sizeof(char*) * 2, module_data->resources[1].relationships);
+    os_strdup("alerts_v1", module_data->resources[1].relationships[0]);
+    os_strdup("incidents1", module_data->resources[1].relationships[1]);
+    module_data->resources[1].num_relationships = 2;
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_value(__wrap_wm_state_io, state, &module_data->state);
+    expect_value(__wrap_wm_state_io, size, sizeof(module_data->state));
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, -1);
+
+    expect_string(__wrap__mterror, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Unable to connect to Message Queue. Exiting...");
+
+    wm_ms_graph_setup(module_data);
+}
+
+void test_main_token(void **state) {
+    current_time = 1;
+    unsigned int run_on_start = 1;
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"access_token\":\"token_value\",\"expires_in\":-1}", response->body);
+    os_strdup("test", response->header);
+
+    will_return(__wrap_FOREVER, 1);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_value(__wrap_wm_state_io, state, &module_data->state);
+    expect_value(__wrap_wm_state_io, size, sizeof(module_data->state));
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 1);
+
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Started module.");
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &module_data->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_MS_GRAPH_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, 1);
+
+    char* test_date = strdup("2023/08/07 12:00:00");
+    expect_value(__wrap_w_get_timestamp, time, 0);
+    will_return(__wrap_w_get_timestamp, test_date);
+
+    expect_string(__wrap__mtdebug1, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtdebug1, formatted_msg, "Waiting until: 2023/08/07 12:00:00");
+
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Obtaining access token.");
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    will_return(__wrap_FOREVER, 0);
+
+    wm_ms_graph_main(module_data);
+}
+
+void test_main_relationships(void **state) {
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = true;
+
+    os_strdup("token", module_data->auth_config[0]->access_token);
+    module_data->auth_config[0]->token_expiration_time = 276447231;
+
+    will_return(__wrap_FOREVER, 1);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_value(__wrap_wm_state_io, state, &module_data->state);
+    expect_value(__wrap_wm_state_io, size, sizeof(module_data->state));
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 1);
+
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, config, &module_data->scan_config);
+    expect_string(__wrap_sched_scan_get_time_until_next_scan, MODULE_TAG, WM_MS_GRAPH_LOGTAG);
+    expect_value(__wrap_sched_scan_get_time_until_next_scan, run_on_start, 1);
+    will_return(__wrap_sched_scan_get_time_until_next_scan, 0);
+
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Started module.");
+
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Scanning tenant 'example_tenant'");
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run first scan.");
+
+    will_return(__wrap_FOREVER, 0);
+
+    wm_ms_graph_main(module_data);
+}
+
+void test_disabled(void **state) {
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    module_data->enabled = false;
+
+    expect_string(__wrap__mtinfo, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mtinfo, formatted_msg, "Module disabled. Exiting...");
+
+    wm_ms_graph_main(module_data);
+}
+
+void test_no_resources(void **state) {
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    module_data->enabled = true;
+    module_data->num_resources = 0;
+
+    expect_string(__wrap__mterror, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Invalid module configuration (Missing API info, resources, relationships). Exiting...");
+
+    wm_ms_graph_main(module_data);
+}
+
+void test_no_relationships(void **state) {
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    module_data->enabled = true;
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    module_data->resources[0].num_relationships = 0;
+    module_data->num_resources = 1;
+
+    expect_string(__wrap__mterror, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Invalid module configuration (Missing API info, resources, relationships). Exiting...");
+
+    wm_ms_graph_main(module_data);
+
+    os_free(module_data->resources);
+    module_data->num_resources = 0;
+}
+
+void test_dump(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_string", module_data->auth_config[0]->client_id);
+    os_strdup("example_string", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_string", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+
+    cJSON* dump = wm_ms_graph_dump(module_data);
+    char* dump_text = cJSON_PrintUnformatted(dump);
+
+    assert_string_equal(dump_text, "{\"ms_graph\":{\"enabled\":\"yes\",\"only_future_events\":\"no\",\"curl_max_size\":1024,\"run_on_start\":\"yes\",\"version\":\"v1.0\",\"wday\":\"sunday\",\"api_auth\":{\"client_id\":\"example_string\",\"tenant_id\":\"example_string\",\"secret_value\":\"example_string\",\"api_type\":\"global\",\"name\":\"security\"},\"resources\":[{\"relationship\":\"alerts_v2\"}]}}");
+
+    cJSON_Delete(dump);
+    os_free(dump_text);
+}
+
+void test_dump_gcc_configuration(void **state) {
+    /*
+    <enabled>no</enabled>
+    <only_future_events>yes</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>no</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>gcc-high</api_type>
+    </api_auth>
+    <resource>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = false;
+    module_data->only_future_events = true;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = false;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_string", module_data->auth_config[0]->client_id);
+    os_strdup("example_string", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_string", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GCC_HIGH_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GCC_HIGH_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    module_data->resources[0].name = NULL;
+    module_data->num_resources = 1;
+
+    cJSON* dump = wm_ms_graph_dump(module_data);
+    char* dump_text = cJSON_PrintUnformatted(dump);
+
+    assert_string_equal(dump_text, "{\"ms_graph\":{\"enabled\":\"no\",\"only_future_events\":\"yes\",\"curl_max_size\":1024,\"run_on_start\":\"no\",\"version\":\"v1.0\",\"wday\":\"sunday\",\"api_auth\":{\"client_id\":\"example_string\",\"tenant_id\":\"example_string\",\"secret_value\":\"example_string\",\"api_type\":\"gcc-high\"}}}");
+
+    cJSON_Delete(dump);
+    os_free(dump_text);
+    os_free(module_data->resources[0].name);
+    os_free(module_data->resources);
+    module_data->num_resources = 0;
+}
+
+void test_dump_dod_configuration(void **state) {
+    /*
+    <enabled>no</enabled>
+    <only_future_events>yes</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>no</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>dod</api_type>
+    </api_auth>
+    <resource>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = false;
+    module_data->only_future_events = true;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = false;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_string", module_data->auth_config[0]->client_id);
+    os_strdup("example_string", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_string", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_DOD_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_DOD_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+
+    cJSON* dump = wm_ms_graph_dump(module_data);
+    char* dump_text = cJSON_PrintUnformatted(dump);
+
+    assert_string_equal(dump_text, "{\"ms_graph\":{\"enabled\":\"no\",\"only_future_events\":\"yes\",\"curl_max_size\":1024,\"run_on_start\":\"no\",\"version\":\"v1.0\",\"wday\":\"sunday\",\"api_auth\":{\"client_id\":\"example_string\",\"tenant_id\":\"example_string\",\"secret_value\":\"example_string\",\"api_type\":\"dod\"}}}");
+
+    cJSON_Delete(dump);
+    os_free(dump_text);
+}
+
+void test_wm_ms_graph_get_access_token_no_response(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "No response received when attempting to obtain access token.");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+
+    assert_null(module_data->auth_config[0]->access_token);
+}
+
+void test_wm_ms_graph_get_access_token_unsuccessful_status_code(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Received unsuccessful status code when attempting to obtain access token: Status code was '400' & response was '{\"error\":\"bad_request\"}'");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+
+    assert_null(module_data->auth_config[0]->access_token);
+}
+
+void test_wm_ms_graph_get_access_token_curl_max_size(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = true;
+    os_strdup("{\"error\":\"bad_request\"}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Reached maximum CURL size when attempting to obtain access token. Consider increasing the value of 'curl_max_size'.");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+
+    assert_null(module_data->auth_config[0]->access_token);
+}
+
+void test_wm_ms_graph_get_access_token_parse_json_fail(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("no json", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Failed to parse access token JSON body.");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+
+    assert_null(module_data->auth_config[0]->access_token);
+}
+
+void test_wm_ms_graph_get_access_token_success(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+    current_time = 100;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"access_token\":\"token_value\",\"expires_in\":123}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+
+    assert_string_equal(module_data->auth_config[0]->access_token, "token_value");
+#ifdef WIN32
+    assert_int_equal(module_data->auth_config[0]->token_expiration_time, 123);
+#else
+    assert_int_equal(module_data->auth_config[0]->token_expiration_time, 223);
+#endif
+}
+
+void test_wm_ms_graph_get_access_token_no_access_token(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"no_access_token\":\"token_value\",\"expires_in\":123}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Incomplete access token response, value or expiration time not present.");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+}
+
+void test_wm_ms_graph_get_access_token_no_expire_time(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_string</client_id>
+      <tenant_id>example_string</tenant_id>
+      <secret_value>example_string</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"access_token\":\"token_value\",\"no_expires_in\":123}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Access Token URL: 'https://login.microsoftonline.com/example_tenant/oauth2/v2.0/token'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Incomplete access token response, value or expiration time not present.");
+
+    wm_ms_graph_get_access_token(module_data->auth_config[0], max_size);
+}
+
+void test_wm_ms_graph_scan_relationships_single_initial_only_no(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = true;
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run first scan.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_initial_only_yes_fail_write(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>yes</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    module_data->enabled = true;
+    module_data->only_future_events = true;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = true;
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap__mterror, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "Couldn't save running state.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_initial_only_no_next_time_no_response(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_strdup("token", module_data->auth_config[0]->access_token);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = true;
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "No response received when attempting to get relationship 'alerts_v2' from resource 'security' on API version 'v1.0'.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_no_initial_no_timestamp(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run first scan.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_unsuccessful_status_code(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '400' & response was '{\"error\":\"bad_request\"}'");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_reached_curl_size(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = true;
+    os_strdup("{\"error\":\"bad_request\"}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Reached maximum CURL size when attempting to get relationship 'alerts_v2' logs. Consider increasing the value of 'curl_max_size'.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_failed_parse(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("no json", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtwarn, formatted_msg, "Failed to parse relationship 'alerts_v2' JSON body.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_no_logs(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"value\":[]}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "No new logs received.");
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run next scan.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_success_one_log(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+    wm_max_eps = 1;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"value\":[{\"full_log\":\"log1\"}]}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending log: '{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}'");
+
+    int result = 1;
+    queue_fd = 0;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "ms-graph");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run next scan.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_success_two_logs(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource), module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    module_data->num_resources = 1;
+    os_malloc(sizeof(char*), module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+    wm_max_eps = 1;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"value\":[{\"full_log\":\"log1\"},{\"full_log\":\"log2\"}]}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending log: '{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}'");
+
+    queue_fd = 0;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "ms-graph");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, -1);
+
+    will_return(__wrap_strerror, "Error");
+
+    expect_string(__wrap__mterror, tag, WM_MS_GRAPH_LOGTAG);
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Error'");
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending log: '{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log2\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}'");
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log2\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "ms-graph");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run next scan.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+void test_wm_ms_graph_scan_relationships_single_success_two_resources(void **state) {
+    /*
+    <enabled>yes</enabled>
+    <only_future_events>no</only_future_events>
+    <curl_max_size>1M</curl_max_size>
+    <run_on_start>yes</run_on_start>
+    <version>v1.0</version>
+    <api_auth>
+      <client_id>example_client</client_id>
+      <tenant_id>example_tenant</tenant_id>
+      <secret_value>example_secret</secret_value>
+      <api_type>global</api_type>
+    </api_auth>
+    <resource>
+      <name>security</name>
+      <relationship>alerts_v2</relationship>
+    </resource>
+    <resource>
+      <name>auditlogs</name>
+      <relationship>signIns</relationship>
+    </resource>
+    */
+    wm_ms_graph* module_data = (wm_ms_graph *)*state;
+    wm_ms_graph_state_t relationship_state_struc;
+    wm_ms_graph_state_t relationship_state_struc_2;
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config);
+    os_calloc(1, sizeof(wm_ms_graph_auth), module_data->auth_config[0]);
+    relationship_state_struc.next_time = 10;
+    relationship_state_struc_2.next_time = 10;
+    module_data->enabled = true;
+    module_data->only_future_events = false;
+    module_data->curl_max_size = 1024L;
+    module_data->run_on_start = true;
+    module_data->scan_config.interval = 60;
+    os_strdup("v1.0", module_data->version);
+    os_strdup("example_client", module_data->auth_config[0]->client_id);
+    os_strdup("example_tenant", module_data->auth_config[0]->tenant_id);
+    os_strdup("example_secret", module_data->auth_config[0]->secret_value);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_LOGIN_FQDN, module_data->auth_config[0]->login_fqdn);
+    os_strdup(WM_MS_GRAPH_GLOBAL_API_QUERY_FQDN, module_data->auth_config[0]->query_fqdn);
+    os_malloc(sizeof(wm_ms_graph_resource) * 2, module_data->resources);
+    os_strdup("security", module_data->resources[0].name);
+    os_strdup("auditlogs", module_data->resources[1].name);
+    module_data->num_resources = 2;
+    os_malloc(sizeof(char*) * 2, module_data->resources[0].relationships);
+    os_strdup("alerts_v2", module_data->resources[0].relationships[0]);
+    module_data->resources[0].num_relationships = 1;
+    os_malloc(sizeof(char*) * 2, module_data->resources[1].relationships);
+    os_strdup("signIns", module_data->resources[1].relationships[0]);
+    module_data->resources[1].num_relationships = 1;
+    size_t max_size = OS_SIZE_8192;
+    bool initial = false;
+    curl_response* response;
+    wm_max_eps = 1;
+
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"value\":[{\"full_log\":\"log1\"}]}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending log: '{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}'");
+
+    queue_fd = 0;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1\",\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "ms-graph");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-security-alerts_v2");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2023-02-08T12:24:56Z' for tenant 'example_tenant' resource 'security' and relationship 'alerts_v2', waiting '60' seconds to run next scan.");
+
+    // resource auditlogs
+    os_calloc(1, sizeof(curl_response), response);
+    response->status_code = 200;
+    response->max_size_reached = false;
+    os_strdup("{\"value\":[{\"full_log\":\"log1_resource_2\"}]}", response->body);
+    os_strdup("test", response->header);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-auditlogs-signIns");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&relationship_state_struc_2);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/auditlogs/signIns?$filter=createdDateTime+gt+2023-02-08T12:24:56Z'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_MS_GRAPH_DEFAULT_TIMEOUT);
+    will_return(__wrap_wurl_http_request, response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending log: '{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1_resource_2\",\"resource\":\"auditlogs\",\"relationship\":\"signIns\"}}'");
+
+    queue_fd = 0;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"ms-graph\",\"ms-graph\":{\"full_log\":\"log1_resource_2\",\"resource\":\"auditlogs\",\"relationship\":\"signIns\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "ms-graph");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2023-02-08T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap_wm_state_io, tag, "ms-graph-example_tenant-auditlogs-signIns");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:ms-graph");
+    expect_string(__wrap__mterror, formatted_msg, "Couldn't save running state.");
+
+    wm_ms_graph_scan_relationships(module_data, initial);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test(test_cleanup),
+        cmocka_unit_test_setup_teardown(test_bad_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_module, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_enabled, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_enabled_no, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_only_future_events, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_disabled_only_future_events, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_curl_max_size, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_negative_curl_max_size, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_value_curl_max_size, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_run_on_start, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_disabled_run_on_start, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_version, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_api_auth, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_api_auth, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_client_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_client_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_tenant_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_tenant_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_secret_value, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_secret_value, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_api_type, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_api_type, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_api_type, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_attribute_api_type, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_resource, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_resource, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_name, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_name, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_missing_relationship, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_empty_relationship, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_attribute_resource, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_normal_config, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_normal_config_api_type_gcc, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_normal_config_api_type_dod, setup_test_read, teardown_test_read)
+    };
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_setup_complete, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_main_token, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_main_relationships, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_disabled, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_no_resources, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_no_relationships, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_dump, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_dump_gcc_configuration, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_dump_dod_configuration, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_no_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_unsuccessful_status_code, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_curl_max_size, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_parse_json_fail, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_success, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_no_access_token, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_get_access_token_no_expire_time, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_initial_only_no, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_initial_only_yes_fail_write, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_initial_only_no_next_time_no_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_no_initial_no_timestamp, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_unsuccessful_status_code, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_reached_curl_size, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_failed_parse, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_no_logs, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_success_one_log, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_success_two_logs, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_ms_graph_scan_relationships_single_success_two_resources, setup_conf, teardown_conf)
+    };
+    int result = 0;
+    result = cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    result += cmocka_run_group_tests(tests_with_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/office365/include/wm_office365.h b/src/modules/office365/include/wm_office365.h
new file mode 100644
index 0000000000..5eefa14a53
--- /dev/null
+++ b/src/modules/office365/include/wm_office365.h
@@ -0,0 +1,86 @@
+/*
+ * Wazuh Module for Office365 events
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_OFFICE365_H
+#define WM_OFFICE365_H
+
+#define WM_OFFICE365_LOGTAG ARGV0 ":" OFFICE365_WM_NAME
+
+#define WM_OFFICE365_DEFAULT_ENABLED 1
+#define WM_OFFICE365_DEFAULT_ONLY_FUTURE_EVENTS 1
+#define WM_OFFICE365_DEFAULT_INTERVAL 60
+#define WM_OFFICE365_DEFAULT_CURL_MAX_SIZE 1048576L
+#define WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT 60L
+#define WM_OFFICE365_DEFAULT_API_LOGIN_FQDN "login.microsoftonline.com"
+#define WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN "manage.office.com"
+
+#define WM_OFFICE365_GCC_API_LOGIN_FQDN "login.microsoftonline.com"
+#define WM_OFFICE365_GCC_API_MANAGEMENT_FQDN "manage-gcc.office.com"
+
+#define WM_OFFICE365_GCC_HIGH_API_LOGIN_FQDN "login.microsoftonline.us"
+#define WM_OFFICE365_GCC_HIGH_API_MANAGEMENT_FQDN "manage.office365.us"
+
+#define WM_OFFICE365_MSG_DELAY 1000000 / wm_max_eps
+#define WM_OFFICE365_RETRIES_TO_SEND_ERROR 3
+#define WM_OFFICE365_NEXT_PAGE_REGEX "NextPageUri:\\s*(\\S+)"
+
+#define WM_OFFICE365_API_ACCESS_TOKEN_URL "https://%s/%s/oauth2/v2.0/token"
+#define WM_OFFICE365_API_SUBSCRIPTION_URL "https://%s/api/v1.0/%s/activity/feed/subscriptions/%s?contentType=%s"
+#define WM_OFFICE365_API_CONTENT_BLOB_URL "https://%s/api/v1.0/%s/activity/feed/subscriptions/content?contentType=%s&startTime=%s&endTime=%s"
+
+#define WM_OFFICE365_API_ACCESS_TOKEN_PAYLOAD "client_id=%s&scope=https://%s/.default&grant_type=client_credentials&client_secret=%s"
+
+#define WM_OFFICE365_API_SUBSCRIPTION_START "start"
+#define WM_OFFICE365_API_SUBSCRIPTION_STOP "stop"
+
+typedef struct wm_office365_auth {
+    char *tenant_id;
+    char *client_id;
+    char *client_secret_path;
+    char *client_secret;
+    char *login_fqdn;
+    char *management_fqdn;
+    struct wm_office365_auth *next;
+} wm_office365_auth;
+
+typedef struct wm_office365_subscription {
+    char *subscription_name;
+    struct wm_office365_subscription *next;
+} wm_office365_subscription;
+
+typedef struct wm_office365_state {
+    time_t last_log_time;
+} wm_office365_state;
+
+typedef struct wm_office365_fail {
+    int fails;
+    char *tenant_id;
+    char *subscription_name;
+    struct wm_office365_fail *next;
+} wm_office365_fail;
+
+typedef struct wm_office365 {
+    int enabled;
+    int only_future_events;
+    time_t interval;                        // Interval betweeen events in seconds
+    ssize_t curl_max_size;
+    wm_office365_auth *auth;
+    wm_office365_subscription *subscription;
+    wm_office365_fail *fails;
+    int queue_fd;
+} wm_office365;
+
+extern const wm_context WM_OFFICE365_CONTEXT;  // Context
+
+// Parse XML
+int wm_office365_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+#endif
diff --git a/src/modules/office365/src/wm_office365.c b/src/modules/office365/src/wm_office365.c
new file mode 100644
index 0000000000..b8c0d3c3ca
--- /dev/null
+++ b/src/modules/office365/src/wm_office365.c
@@ -0,0 +1,843 @@
+/*
+ * Wazuh Module for Office365 events
+ * Copyright (C) 2015, Wazuh Inc.
+ * May 18, 2021.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#if defined(WIN32) || defined(__linux__) || defined(__MACH__)
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+#ifdef WIN32
+    #include "../unit_tests/wrappers/wazuh/shared/url_wrappers.h"
+#endif
+#else
+#define STATIC static
+#endif
+
+#include "wmodules.h"
+
+#ifdef WIN32
+#ifdef WAZUH_UNIT_TESTING
+#define gmtime_r(x, y)
+#else
+#define gmtime_r(x, y) gmtime_s(y, x)
+#endif
+#endif
+
+#ifdef WIN32
+STATIC DWORD WINAPI wm_office365_main(void *arg);                   // Module main function. It won't return
+#else
+STATIC void* wm_office365_main(wm_office365* office365_config);    // Module main function. It won't return
+#endif
+STATIC void wm_office365_destroy(wm_office365* office365_config);
+STATIC void wm_office365_auth_destroy(wm_office365_auth* office365_auth);
+STATIC void wm_office365_subscription_destroy(wm_office365_subscription* office365_subscription);
+STATIC void wm_office365_fail_destroy(wm_office365_fail* office365_fails);
+cJSON *wm_office365_dump(const wm_office365* office365_config);
+
+/**
+ * @brief Execute a scan
+ * @param github_config Office365 configuration structure
+ * @param initial_scan Whether it is the first scan or not
+ */
+STATIC void wm_office365_execute_scan(wm_office365* office365_config, int initial_scan);
+
+/**
+ * @brief Get access token through Office365 API
+ * @param auth Office365 authentication node
+ * @param max_size Max response size allowed
+ * @param error_msg Error message to complete in case of failure
+ * @return access_token if no error, NULL otherwise
+ */
+STATIC char* wm_office365_get_access_token(wm_office365_auth* auth, size_t max_size, char **error_msg);
+
+/**
+ * @brief Start/stop a subscription through Office365 API
+ * @param subscription Office365 subscription node
+ * @param management_fqdn Office365 management API endpoint domain
+ * @param client_id Client ID
+ * @param token Authentication token
+ * @param start Whether to start/end a subscription
+ * @param max_size Max response size allowed
+ * @param error_msg Error message to complete in case of failure
+ * @return 0 if no error, -1 otherwise
+ */
+STATIC int wm_office365_manage_subscription(wm_office365_subscription* subscription, const char* management_fqdn, const char* client_id, const char* token, int start, size_t max_size, char **error_msg);
+
+/**
+ * @brief Get a content blob through Office365 API
+ * @param url URL to request
+ * @param token Authentication token
+ * @param next_page Variable to store next page URL if exists
+ * @param max_size Max response size allowed
+ * @param buffer_size_reached Flag to set if max response size error happens
+ * @param error_msg Error message to complete in case of failure
+ * @return JSON content blob if no error, NULL otherwise
+ */
+STATIC cJSON* wm_office365_get_content_blobs(const char* url, const char* token, char** next_page, size_t max_size, bool* buffer_size_reached, char **error_msg);
+
+/**
+ * @brief Get logs from content blob through Office365 API
+ * @param url URL to request
+ * @param token Authentication token
+ * @param max_size Max response size allowed
+ * @param buffer_size_reached Flag to set if max response size error happens
+ * @param error_msg Error message to complete in case of failure
+ * @return JSON logs if no error, NULL otherwise
+ */
+STATIC cJSON* wm_office365_get_logs_from_blob(const char* url, const char* token, size_t max_size, bool* buffer_size_reached, char **error_msg);
+
+/**
+ * @brief Get tenant and subscription node from office365 failure list
+ * @param fails Office365 failure list
+ * @param tenant_id Tenant ID to search
+ * @param subscription_name Subscription name to search
+ * @return Pointer to tenant and subscription node if exists, NULL otherwise
+ */
+STATIC wm_office365_fail* wm_office365_get_fail_by_tenant_and_subscription(wm_office365_fail* fails, char* tenant_id, char* subscription_name);
+
+/**
+ * @brief Increase failure counter for tenant and subscription node and send failure message to manager if necessary
+ * @param current_fails Office365 failure list
+ * @param tenant_id Tenant ID to search
+ * @param subscription_name Subscription name to search
+ * @param error_msg Error message to send
+ * @param queue_fd Socket ID
+ */
+STATIC void wm_office365_scan_failure_action(wm_office365_fail** current_fails, char* tenant_id, char* subscription_name, char *error_msg, int queue_fd);
+
+/* Context definition */
+const wm_context WM_OFFICE365_CONTEXT = {
+    .name = OFFICE365_WM_NAME,
+    .start = (wm_routine)wm_office365_main,
+    .destroy = (void(*)(void *))wm_office365_destroy,
+    .dump = (cJSON * (*)(const void *))wm_office365_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+#ifdef WIN32
+STATIC DWORD WINAPI wm_office365_main(void *arg) {
+    wm_office365* office365_config = (wm_office365 *)arg;
+#else
+void * wm_office365_main(wm_office365* office365_config) {
+#endif
+    if (office365_config->enabled) {
+        mtinfo(WM_OFFICE365_LOGTAG, "Module Office365 started.");
+
+#ifndef WIN32
+        // Connect to queue
+        office365_config->queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+        if (office365_config->queue_fd < 0) {
+            mterror(WM_OFFICE365_LOGTAG, "Can't connect to queue. Closing module.");
+            return NULL;
+        }
+#endif
+
+        // Execute initial scan
+        wm_office365_execute_scan(office365_config, 1);
+
+        while (1) {
+            sleep(office365_config->interval);
+            wm_office365_execute_scan(office365_config, 0);
+            #ifdef WAZUH_UNIT_TESTING
+                break;
+            #endif
+        }
+    } else {
+        mtinfo(WM_OFFICE365_LOGTAG, "Module Office365 disabled.");
+    }
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+void wm_office365_destroy(wm_office365* office365_config) {
+    mtinfo(WM_OFFICE365_LOGTAG, "Module Office365 finished.");
+    wm_office365_auth_destroy(office365_config->auth);
+    wm_office365_subscription_destroy(office365_config->subscription);
+    wm_office365_fail_destroy(office365_config->fails);
+    os_free(office365_config);
+}
+
+void wm_office365_auth_destroy(wm_office365_auth* office365_auth) {
+    wm_office365_auth* current = office365_auth;
+    wm_office365_auth* next = NULL;
+    while (current != NULL)
+    {
+        next = current->next;
+        os_free(current->tenant_id);
+        os_free(current->client_id);
+        os_free(current->client_secret_path);
+        os_free(current->client_secret);
+        os_free(current->login_fqdn);
+        os_free(current->management_fqdn);
+        os_free(current);
+        current = next;
+    }
+    office365_auth = NULL;
+}
+
+void wm_office365_subscription_destroy(wm_office365_subscription* office365_subscription) {
+    wm_office365_subscription* current = office365_subscription;
+    wm_office365_subscription* next = NULL;
+    while (current != NULL)
+    {
+        next = current->next;
+        os_free(current->subscription_name);
+        os_free(current);
+        current = next;
+    }
+    office365_subscription = NULL;
+}
+
+STATIC void wm_office365_fail_destroy(wm_office365_fail* office365_fails) {
+    wm_office365_fail* current = office365_fails;
+    wm_office365_fail* next = NULL;
+    while (current != NULL)
+    {
+        next = current->next;
+        os_free(current->tenant_id);
+        os_free(current->subscription_name);
+        os_free(current);
+        current = next;
+    }
+    office365_fails = NULL;
+}
+
+cJSON *wm_office365_dump(const wm_office365* office365_config) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_info = cJSON_CreateObject();
+
+    if (office365_config->enabled) {
+        cJSON_AddStringToObject(wm_info, "enabled", "yes");
+    } else {
+        cJSON_AddStringToObject(wm_info, "enabled", "no");
+    }
+    if (office365_config->only_future_events) {
+        cJSON_AddStringToObject(wm_info, "only_future_events", "yes");
+    } else {
+        cJSON_AddStringToObject(wm_info, "only_future_events", "no");
+    }
+    if (office365_config->interval) {
+        cJSON_AddNumberToObject(wm_info, "interval", office365_config->interval);
+    }
+    if (office365_config->curl_max_size) {
+        cJSON_AddNumberToObject(wm_info, "curl_max_size", office365_config->curl_max_size);
+    }
+    if (office365_config->auth) {
+        wm_office365_auth *iter;
+        cJSON *arr_auth = cJSON_CreateArray();
+        for (iter = office365_config->auth; iter; iter = iter->next) {
+            cJSON *api_auth = cJSON_CreateObject();
+            if (iter->tenant_id) {
+                cJSON_AddStringToObject(api_auth, "tenant_id", iter->tenant_id);
+            }
+            if (iter->client_id) {
+                cJSON_AddStringToObject(api_auth, "client_id", iter->client_id);
+            }
+            if (iter->client_secret_path) {
+                cJSON_AddStringToObject(api_auth, "client_secret_path", iter->client_secret_path);
+            }
+            if (iter->client_secret) {
+                cJSON_AddStringToObject(api_auth, "client_secret", iter->client_secret);
+            }
+            // The management API FQDN is unique between API types, so the login FQDN can be safely ignored
+            if (iter->management_fqdn) {
+                if (!strncmp(iter->management_fqdn, WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, 17)) {
+                    cJSON_AddStringToObject(api_auth, "api_type", "commercial");
+                }
+                if (!strncmp(iter->management_fqdn, WM_OFFICE365_GCC_API_MANAGEMENT_FQDN, 21)) {
+                    cJSON_AddStringToObject(api_auth, "api_type", "gcc");
+                }
+                if (!strncmp(iter->management_fqdn, WM_OFFICE365_GCC_HIGH_API_MANAGEMENT_FQDN, 19)) {
+                    cJSON_AddStringToObject(api_auth, "api_type", "gcc-high");
+                }
+            }
+            cJSON_AddItemToArray(arr_auth, api_auth);
+        }
+        if (cJSON_GetArraySize(arr_auth) > 0) {
+            cJSON_AddItemToObject(wm_info, "api_auth", arr_auth);
+        } else {
+            cJSON_free(arr_auth);
+        }
+    }
+    if (office365_config->subscription) {
+        wm_office365_subscription *iter;
+        cJSON *arr_subscription = cJSON_CreateArray();
+        for (iter = office365_config->subscription; iter; iter = iter->next) {
+            cJSON_AddItemToArray(arr_subscription, cJSON_CreateString(iter->subscription_name));
+        }
+        if (cJSON_GetArraySize(arr_subscription) > 0) {
+            cJSON_AddItemToObject(wm_info, "subscriptions", arr_subscription);
+        } else {
+            cJSON_free(arr_subscription);
+        }
+    }
+
+    cJSON_AddItemToObject(root, "office365", wm_info);
+
+    return root;
+}
+
+STATIC void wm_office365_execute_scan(wm_office365* office365_config, int initial_scan) {
+    int scan_finished = 0;
+    int fail = 0;
+    char url[OS_SIZE_8192];
+    char tenant_state_name[OS_SIZE_1024];
+    char *access_token = NULL;
+    char *next_page = NULL;
+    char *payload = NULL;
+    char *error_msg = NULL;
+    time_t saved;
+    time_t now;
+    time_t start_time;
+    time_t end_time;
+    wm_office365_state tenant_state_struc;
+    wm_office365_auth* next_auth = NULL;
+    wm_office365_auth* current_auth = office365_config->auth;
+    wm_office365_subscription* next_subscription = NULL;
+    wm_office365_subscription* current_subscription = NULL;
+    wm_office365_fail *tenant_fail = NULL;
+    char start_time_str[80];
+    char end_time_str[80];
+    struct tm tm_aux = { .tm_sec = 0 };
+
+    while (current_auth != NULL)
+    {
+        next_auth = current_auth->next;
+
+        mtdebug1(WM_OFFICE365_LOGTAG, "Scanning tenant: '%s'", current_auth->tenant_id);
+
+        // Get access token
+        if (!initial_scan || !office365_config->only_future_events) {
+            if (access_token = wm_office365_get_access_token(current_auth, office365_config->curl_max_size, &error_msg), !access_token) {
+                wm_office365_scan_failure_action(&office365_config->fails, current_auth->tenant_id, NULL, error_msg, office365_config->queue_fd);
+                current_auth = next_auth;
+                os_free(error_msg);
+                continue;
+            } else {
+                if (tenant_fail = wm_office365_get_fail_by_tenant_and_subscription(office365_config->fails,
+                    current_auth->tenant_id, NULL), tenant_fail && tenant_fail->fails) {
+                    mtinfo(WM_OFFICE365_LOGTAG, "Office365 tenant '%s', connected successfully.", current_auth->tenant_id);
+                    tenant_fail->fails = 0;
+                }
+            }
+        }
+
+        next_subscription = NULL;
+        current_subscription = office365_config->subscription;
+
+        while (current_subscription != NULL)
+        {
+            next_subscription = current_subscription->next;
+
+            memset(tenant_state_name, '\0', OS_SIZE_1024);
+            snprintf(tenant_state_name, OS_SIZE_1024 -1, "%s-%s-%s", WM_OFFICE365_CONTEXT.name,
+                current_auth->tenant_id, current_subscription->subscription_name);
+
+            memset(&tenant_state_struc, 0, sizeof(tenant_state_struc));
+
+            // Load state for tenant
+            if (wm_state_io(tenant_state_name, WM_IO_READ, &tenant_state_struc, sizeof(tenant_state_struc)) < 0) {
+                memset(&tenant_state_struc, 0, sizeof(tenant_state_struc));
+            }
+
+            now = time(0);
+
+            if ((initial_scan && (!tenant_state_struc.last_log_time || office365_config->only_future_events)) ||
+                (!initial_scan && !tenant_state_struc.last_log_time)) {
+                tenant_state_struc.last_log_time = now;
+                if (wm_state_io(tenant_state_name, WM_IO_WRITE, &tenant_state_struc, sizeof(tenant_state_struc)) < 0) {
+                    mterror(WM_OFFICE365_LOGTAG, "Couldn't save running state.");
+                }
+                else if (isDebug()) {
+                    memset(start_time_str, '\0', 80);
+                    gmtime_r(&now, &tm_aux);
+                    strftime(start_time_str, sizeof(start_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+                    mtdebug1(WM_OFFICE365_LOGTAG, "Bookmark updated to '%s' for tenant '%s' and subscription '%s', waiting '%ld' seconds to run first scan.",
+                        start_time_str, current_auth->tenant_id, current_subscription->subscription_name, office365_config->interval);
+                }
+                current_subscription = next_subscription;
+                continue;
+            }
+
+            // Start subscription
+            if (wm_office365_manage_subscription(current_subscription, current_auth->management_fqdn, current_auth->client_id, access_token, 1, office365_config->curl_max_size, &error_msg)) {
+                wm_office365_scan_failure_action(&office365_config->fails, current_auth->tenant_id,
+                    current_subscription->subscription_name, error_msg, office365_config->queue_fd);
+                current_subscription = next_subscription;
+                os_free(error_msg);
+                continue;
+            } else {
+                if (tenant_fail = wm_office365_get_fail_by_tenant_and_subscription(office365_config->fails,
+                    current_auth->tenant_id, current_subscription->subscription_name), tenant_fail) {
+                    tenant_fail->fails = 0;
+                }
+            }
+
+            saved = (time_t)tenant_state_struc.last_log_time;
+
+            if (saved > 0 && saved < now) {
+                start_time = saved;
+            } else {
+                start_time = now;
+            }
+            end_time = now;
+
+            while ((end_time - start_time) > 0) {
+                memset(start_time_str, '\0', 80);
+                gmtime_r(&start_time, &tm_aux);
+                strftime(start_time_str, sizeof(start_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+
+                if ((end_time - start_time) > DAY_SEC) {
+                    end_time = start_time + DAY_SEC;
+                }
+
+                memset(end_time_str, '\0', 80);
+                gmtime_r(&end_time, &tm_aux);
+                strftime(end_time_str, sizeof(end_time_str), "%Y-%m-%dT%H:%M:%SZ", &tm_aux);
+
+                memset(url, '\0', OS_SIZE_8192);
+                snprintf(url, OS_SIZE_8192 -1, WM_OFFICE365_API_CONTENT_BLOB_URL, current_auth->management_fqdn, current_auth->client_id, current_subscription->subscription_name,
+                    start_time_str, end_time_str);
+
+                scan_finished = 0;
+                fail = 0;
+
+                while (!scan_finished) {
+                    cJSON *blobs_array = NULL;
+                    bool buffer_size_reached = false;
+
+                    if (blobs_array = wm_office365_get_content_blobs(url, access_token, &next_page, office365_config->curl_max_size, &buffer_size_reached, &error_msg), blobs_array) {
+                        int size_blobs = cJSON_GetArraySize(blobs_array);
+
+                        for (int i = 0; !scan_finished && (i < size_blobs); i++) {
+                            cJSON *blob = cJSON_GetArrayItem(blobs_array, i);
+                            cJSON *content = cJSON_GetObjectItem(blob, "contentUri");
+
+                            if (content && (content->type == cJSON_String)) {
+                                cJSON *logs_array = NULL;
+
+                                if (logs_array = wm_office365_get_logs_from_blob(content->valuestring, access_token, office365_config->curl_max_size, &buffer_size_reached, &error_msg), logs_array) {
+                                    int size_logs = cJSON_GetArraySize(logs_array);
+
+                                    for (int i = 0 ; i < size_logs ; i++) {
+                                        cJSON *log = cJSON_GetArrayItem(logs_array, i);
+
+                                        if (log) {
+                                            cJSON *office365 = cJSON_CreateObject();
+
+                                            cJSON_AddStringToObject(log, "Subscription", current_subscription->subscription_name);
+
+                                            cJSON_AddStringToObject(office365, "integration", WM_OFFICE365_CONTEXT.name);
+                                            cJSON_AddItemToObject(office365, "office365", cJSON_Duplicate(log, true));
+
+                                            payload = cJSON_PrintUnformatted(office365);
+
+                                            mtdebug2(WM_OFFICE365_LOGTAG, "Sending Office365 log: '%s'", payload);
+
+                                            if (wm_sendmsg(WM_OFFICE365_MSG_DELAY, office365_config->queue_fd,
+                                                payload, WM_OFFICE365_CONTEXT.name, LOCALFILE_MQ) < 0) {
+                                                mterror(WM_OFFICE365_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+                                            }
+
+                                            os_free(payload);
+                                            cJSON_Delete(office365);
+                                        }
+                                    }
+
+                                    cJSON_Delete(logs_array);
+                                } else {
+                                    scan_finished = 1;
+                                    if (!buffer_size_reached) {
+                                        fail = 1;
+                                    }
+                                }
+                            }
+                        }
+
+                        if (!scan_finished) {
+                            if ((next_page == NULL) || (strlen(next_page) >= OS_SIZE_8192)) {
+                                scan_finished = 1;
+                            } else {
+                                snprintf(url, sizeof(url), "%s", next_page);
+                                os_free(next_page);
+                            }
+                        }
+
+                        cJSON_Delete(blobs_array);
+                    } else {
+                        scan_finished = 1;
+                        if (!buffer_size_reached) {
+                            fail = 1;
+                        }
+                    }
+                }
+
+                if (fail) {
+                    wm_office365_scan_failure_action(&office365_config->fails, current_auth->tenant_id,
+                        current_subscription->subscription_name, error_msg, office365_config->queue_fd);
+                    os_free(error_msg);
+                    break;
+                } else {
+                    tenant_state_struc.last_log_time = end_time;
+                    if (wm_state_io(tenant_state_name, WM_IO_WRITE, &tenant_state_struc, sizeof(tenant_state_struc)) < 0) {
+                        mterror(WM_OFFICE365_LOGTAG, "Couldn't save running state.");
+                    }
+                    else {
+                        mtdebug1(WM_OFFICE365_LOGTAG, "Bookmark updated to '%s' for tenant '%s' and subscription '%s', waiting '%ld' seconds to run next scan.",
+                            end_time_str, current_auth->tenant_id, current_subscription->subscription_name, office365_config->interval);
+                    }
+
+                    if (tenant_fail = wm_office365_get_fail_by_tenant_and_subscription(office365_config->fails,
+                        current_auth->tenant_id, current_subscription->subscription_name), tenant_fail) {
+                        tenant_fail->fails = 0;
+                    }
+                }
+
+                start_time = end_time;
+                end_time = now;
+            }
+
+            current_subscription = next_subscription;
+        }
+
+        current_auth = next_auth;
+
+        os_free(access_token);
+    }
+}
+
+STATIC char* wm_office365_get_access_token(wm_office365_auth* auth, size_t max_size, char **error_msg) {
+    char **headers = NULL;
+    char url[OS_SIZE_8192];
+    char auth_payload[OS_SIZE_8192];
+    char auth_secret[OS_SIZE_1024];
+    char *access_token = NULL;
+    curl_response *response;
+
+    memset(auth_secret, '\0', OS_SIZE_1024);
+    if (auth->client_secret) {
+        snprintf(auth_secret, OS_SIZE_1024 -1, "%s", auth->client_secret);
+    } else if (auth->client_secret_path) {
+        FILE *fd = NULL;
+
+        if (fd = wfopen(auth->client_secret_path, "r"), fd) {
+            char str[OS_SIZE_1024 -1] = {0};
+            size_t size_read = 0;
+
+            if (size_read = fread(str, 1, OS_SIZE_1024 -2, fd), size_read > 0) {
+                str[size_read] = '\0';
+                snprintf(auth_secret, OS_SIZE_1024 -1, "%s", str);
+            }
+            fclose(fd);
+        }
+    }
+
+    memset(auth_payload, '\0', OS_SIZE_8192);
+    snprintf(auth_payload, OS_SIZE_8192 -1, WM_OFFICE365_API_ACCESS_TOKEN_PAYLOAD, auth->client_id, auth->management_fqdn, auth_secret);
+
+    memset(url, '\0', OS_SIZE_8192);
+    snprintf(url, OS_SIZE_8192 -1, WM_OFFICE365_API_ACCESS_TOKEN_URL, auth->login_fqdn, auth->tenant_id);
+
+    mtdebug1(WM_OFFICE365_LOGTAG, "Office 365 API access token URL: '%s'", url);
+
+    char auth_header[OS_SIZE_8192];
+    snprintf(auth_header, OS_SIZE_8192 -1, "Content-Type: application/x-www-form-urlencoded");
+
+    os_calloc(2, sizeof(char*), headers);
+    headers[0] = auth_header;
+    headers[1] = NULL;
+
+    response = wurl_http_request(WURL_POST_METHOD, headers, url, auth_payload, max_size, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+
+    if (response) {
+        cJSON *response_json = NULL;
+
+        if (response->max_size_reached) {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Libcurl error, reached maximum response size.");
+        } else if (response_json = cJSON_Parse(response->body), response_json) {
+            cJSON *access_token_json = cJSON_GetObjectItem(response_json, "access_token");
+
+            if ((response->status_code == 200) && access_token_json && (access_token_json->type == cJSON_String)) {
+                os_strdup(access_token_json->valuestring, access_token);
+            } else {
+                os_strdup(response->body, *error_msg);
+                mtdebug1(WM_OFFICE365_LOGTAG, "Error while getting access token: '%s'", response->body);
+            }
+            cJSON_Delete(response_json);
+        } else {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Error while parsing access token JSON response.");
+        }
+        wurl_free_response(response);
+    } else {
+        mtdebug1(WM_OFFICE365_LOGTAG, "Unknown error while getting access token.");
+    }
+
+    os_free(headers);
+
+    return access_token;
+}
+
+STATIC int wm_office365_manage_subscription(wm_office365_subscription* subscription, const char* management_fqdn, const char* client_id, const char* token, int start, size_t max_size, char **error_msg) {
+    char **headers = NULL;
+    char url[OS_SIZE_8192];
+    curl_response *response;
+    int ret_value = OS_INVALID;
+
+    memset(url, '\0', OS_SIZE_8192);
+    if (start) {
+        snprintf(url, OS_SIZE_8192 -1, WM_OFFICE365_API_SUBSCRIPTION_URL, management_fqdn, client_id, WM_OFFICE365_API_SUBSCRIPTION_START, subscription->subscription_name);
+    } else {
+        snprintf(url, OS_SIZE_8192 -1, WM_OFFICE365_API_SUBSCRIPTION_URL, management_fqdn, client_id, WM_OFFICE365_API_SUBSCRIPTION_STOP, subscription->subscription_name);
+    }
+
+    mtdebug1(WM_OFFICE365_LOGTAG, "Office 365 API subscription URL: '%s'", url);
+
+    char auth_header1[OS_SIZE_8192];
+    snprintf(auth_header1, OS_SIZE_8192 -1, "Content-Type: application/json");
+
+    char auth_header2[OS_SIZE_8192];
+    snprintf(auth_header2, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    os_calloc(3, sizeof(char*), headers);
+    headers[0] = auth_header1;
+    headers[1] = auth_header2;
+    headers[2] = NULL;
+
+    response = wurl_http_request(WURL_POST_METHOD, headers, url, "", max_size, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+
+    if (response) {
+        cJSON *response_json = NULL;
+
+        if (response->max_size_reached) {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Libcurl error, reached maximum response size.");
+        } else if (response_json = cJSON_Parse(response->body), response_json) {
+            cJSON *code_json = cJSON_GetObjectItem(cJSON_GetObjectItem(response_json, "error"), "code");
+
+            if ((response->status_code == 200)
+                || ((response->status_code == 400) && code_json && (code_json->type == cJSON_String) && !strncmp(code_json->valuestring, "AF20024", 7))) {
+                // Error AF20024: The subscription is already enabled. No property change.
+                ret_value = OS_SUCCESS;
+            } else {
+                os_strdup(response->body, *error_msg);
+                mtdebug1(WM_OFFICE365_LOGTAG, "Error while managing subscription: '%s'", response->body);
+            }
+            cJSON_Delete(response_json);
+        } else {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Error while parsing managing subscription JSON response.");
+        }
+        wurl_free_response(response);
+    } else {
+        mtdebug1(WM_OFFICE365_LOGTAG, "Unknown error while managing subscription.");
+    }
+
+    os_free(headers);
+
+    return ret_value;
+}
+
+STATIC cJSON* wm_office365_get_content_blobs(const char* url, const char* token, char** next_page, size_t max_size, bool* buffer_size_reached, char **error_msg) {
+    char **headers = NULL;
+    curl_response *response;
+    cJSON *blobs_array = NULL;
+
+    mtdebug1(WM_OFFICE365_LOGTAG, "Office 365 API content blobs URL: '%s'", url);
+
+    char auth_header1[OS_SIZE_8192];
+    snprintf(auth_header1, OS_SIZE_8192 -1, "Content-Type: application/json");
+
+    char auth_header2[OS_SIZE_8192];
+    snprintf(auth_header2, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    os_calloc(3, sizeof(char*), headers);
+    headers[0] = auth_header1;
+    headers[1] = auth_header2;
+    headers[2] = NULL;
+
+    response = wurl_http_request(WURL_GET_METHOD, headers, url, "", max_size, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+
+    if (response) {
+        cJSON *response_json = NULL;
+
+        if (response->max_size_reached) {
+            *buffer_size_reached = true;
+            mtdebug1(WM_OFFICE365_LOGTAG, "Libcurl error, reached maximum response size.");
+        } else if (response_json = cJSON_Parse(response->body), response_json) {
+            cJSON *code_json = cJSON_GetObjectItem(cJSON_GetObjectItem(response_json, "error"), "code");
+
+            if ((response->status_code == 200) && (response_json->type == cJSON_Array)) {
+                blobs_array = cJSON_Duplicate(response_json, true);
+
+                if (cJSON_GetArraySize(blobs_array) > 0) {
+                    *next_page = wm_read_http_header_element(response->header, WM_OFFICE365_NEXT_PAGE_REGEX);
+                }
+            } else if ((response->status_code == 400) && code_json && (code_json->type == cJSON_String) && !strncmp(code_json->valuestring, "AF20055", 7)) {
+                // Error AF20055: Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart,
+                // with the start time prior to end time and start time no more than 7 days in the past.
+                blobs_array = cJSON_CreateArray();
+            } else {
+                os_strdup(response->body, *error_msg);
+                mtdebug1(WM_OFFICE365_LOGTAG, "Error while getting content blobs: '%s'", response->body);
+            }
+            cJSON_Delete(response_json);
+        } else {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Error while parsing content blobs JSON response.");
+        }
+        wurl_free_response(response);
+    } else {
+        mtdebug1(WM_OFFICE365_LOGTAG, "Unknown error while getting content blobs.");
+    }
+
+    os_free(headers);
+
+    return blobs_array;
+}
+
+STATIC cJSON* wm_office365_get_logs_from_blob(const char* url, const char* token, size_t max_size, bool* buffer_size_reached, char **error_msg) {
+    char **headers = NULL;
+    curl_response *response;
+    cJSON *logs_array = NULL;
+
+    mtdebug1(WM_OFFICE365_LOGTAG, "Office 365 API content URI: '%s'", url);
+
+    char auth_header1[OS_SIZE_8192];
+    snprintf(auth_header1, OS_SIZE_8192 -1, "Content-Type: application/json");
+
+    char auth_header2[OS_SIZE_8192];
+    snprintf(auth_header2, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    os_calloc(3, sizeof(char*), headers);
+    headers[0] = auth_header1;
+    headers[1] = auth_header2;
+    headers[2] = NULL;
+
+    response = wurl_http_request(WURL_GET_METHOD, headers, url, "", max_size, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+
+    if (response) {
+        cJSON *response_json = NULL;
+
+        if (response->max_size_reached) {
+            *buffer_size_reached = true;
+            mtdebug1(WM_OFFICE365_LOGTAG, "Libcurl error, reached maximum response size.");
+        } else if (response_json = cJSON_Parse(response->body), response_json) {
+            if ((response->status_code == 200) && (response_json->type == cJSON_Array)) {
+                logs_array = cJSON_Duplicate(response_json, true);
+            } else {
+                os_strdup(response->body, *error_msg);
+                mtdebug1(WM_OFFICE365_LOGTAG, "Error while getting logs from blob: '%s'", response->body);
+            }
+            cJSON_Delete(response_json);
+        } else {
+            mtdebug1(WM_OFFICE365_LOGTAG, "Error while parsing logs from blob JSON response.");
+        }
+        wurl_free_response(response);
+    } else {
+        mtdebug1(WM_OFFICE365_LOGTAG, "Unknown error while getting logs from blob.");
+    }
+
+    os_free(headers);
+
+    return logs_array;
+}
+
+STATIC wm_office365_fail* wm_office365_get_fail_by_tenant_and_subscription(wm_office365_fail* fails, char* tenant_id, char* subscription_name) {
+    wm_office365_fail* current;
+    current = fails;
+    int target_tenant = 0;
+
+    while (!target_tenant)
+    {
+        if (current == NULL) {
+            target_tenant = 1;
+            continue;
+        }
+
+        if (!strncmp(current->tenant_id, tenant_id, strlen(tenant_id)) && ((!subscription_name && !current->subscription_name) ||
+            (subscription_name && current->subscription_name && !strncmp(current->subscription_name, subscription_name, strlen(subscription_name))))) {
+            target_tenant = 1;
+        } else {
+            current = current->next;
+        }
+    }
+
+    return current;
+}
+
+STATIC void wm_office365_scan_failure_action(wm_office365_fail** current_fails, char* tenant_id, char* subscription_name, char *error_msg, int queue_fd) {
+    char *payload;
+    wm_office365_fail *tenant_fail = NULL;
+
+    if (tenant_fail = wm_office365_get_fail_by_tenant_and_subscription(*current_fails, tenant_id, subscription_name), !tenant_fail) {
+        os_calloc(1, sizeof(wm_office365_fail), tenant_fail);
+
+        if (*current_fails) {
+            wm_office365_fail *aux = *current_fails;
+
+            while (aux->next) {
+                aux = aux->next;
+            }
+            aux->next = tenant_fail;
+        } else {
+            // First wm_office365_fail
+            *current_fails = tenant_fail;
+        }
+
+        os_strdup(tenant_id, tenant_fail->tenant_id);
+        if (subscription_name) {
+            os_strdup(subscription_name, tenant_fail->subscription_name);
+        }
+
+        tenant_fail->fails = 1;
+    } else {
+        tenant_fail->fails++;
+
+        if (tenant_fail->fails == WM_OFFICE365_RETRIES_TO_SEND_ERROR) {
+            // Send fail message
+            cJSON *msg_obj = cJSON_Parse(error_msg);
+            cJSON *fail_object = cJSON_CreateObject();
+            cJSON *fail_office365 = cJSON_CreateObject();
+
+            cJSON_AddStringToObject(fail_object, "actor", "wazuh");
+            cJSON_AddStringToObject(fail_object, "tenant_id", tenant_id);
+            if (subscription_name) {
+                cJSON_AddStringToObject(fail_object, "subscription_name", subscription_name);
+            }
+
+            if (msg_obj) {
+                payload = cJSON_PrintUnformatted(msg_obj);
+                cJSON_AddStringToObject(fail_object, "response", payload);
+                os_free(payload);
+            } else {
+                cJSON_AddStringToObject(fail_object, "response", "Unknown error");
+            }
+
+            cJSON_AddStringToObject(fail_office365, "integration", WM_OFFICE365_CONTEXT.name);
+            cJSON_AddItemToObject(fail_office365, "office365", fail_object);
+
+            payload = cJSON_PrintUnformatted(fail_office365);
+
+            mtwarn(WM_OFFICE365_LOGTAG, "Sending Office365 internal message: '%s'", payload);
+
+            if (wm_sendmsg(WM_OFFICE365_MSG_DELAY, queue_fd, payload, WM_OFFICE365_CONTEXT.name, LOCALFILE_MQ) < 0) {
+                mterror(WM_OFFICE365_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+            }
+
+            os_free(payload);
+            cJSON_Delete(fail_office365);
+            cJSON_Delete(msg_obj);
+        }
+    }
+}
+#endif
diff --git a/src/modules/office365/tests/integration/conftest.py b/src/modules/office365/tests/integration/conftest.py
new file mode 100644
index 0000000000..74cea469b3
--- /dev/null
+++ b/src/modules/office365/tests/integration/conftest.py
@@ -0,0 +1,253 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import os
+import sys
+import subprocess
+import pytest
+from typing import List
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants import platforms
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.logger import logger
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils import callbacks, configuration, services
+from wazuh_testing.utils.file import truncate_file
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([platforms.LINUX,
+                      platforms.WINDOWS,
+                      platforms.MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            services.control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                services.control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        services.control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            services.control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def wait_for_office365_start():
+    # Wait for module office365 starts
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_STARTED, {
+                              'integration': 'Office365'
+                          }))
+    assert (wazuh_log_monitor.callback_result == None), f'Error invalid configuration event not detected'
diff --git a/src/modules/office365/tests/integration/pytest.ini b/src/modules/office365/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/office365/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/office365/tests/integration/test_configuration/__init__.py b/src/modules/office365/tests/integration/test_configuration/__init__.py
new file mode 100644
index 0000000000..9dd1135920
--- /dev/null
+++ b/src/modules/office365/tests/integration/test_configuration/__init__.py
@@ -0,0 +1,9 @@
+# Copyright (C) 2015-2024, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+from pathlib import Path
+
+# Constants & base paths
+DATA_PATH = Path(Path(__file__).parent, 'data')
+CONFIGS_PATH = Path(DATA_PATH, 'configuration_templates')
+TEST_CASES_PATH = Path(DATA_PATH, 'test_cases')
diff --git a/src/modules/office365/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml b/src/modules/office365/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
new file mode 100644
index 0000000000..c396371940
--- /dev/null
+++ b/src/modules/office365/tests/integration/test_configuration/data/configuration_templates/config_invalid_configuration.yaml
@@ -0,0 +1,45 @@
+- sections:
+    - section: office365
+      elements:
+        - enabled:
+            value: 'ENABLED'
+        - only_future_events:
+            value: 'ONLY_FUTURE_EVENTS'
+        - interval:
+            value: 'INTERVAL'
+        - curl_max_size:
+            value: 'CURL_MAX_SIZE'
+        - api_auth:
+            elements:
+              - tenant_id:
+                  value: 'TENANT_ID'
+              - client_id:
+                  value: 'CLIENT_ID'
+              - client_secret:
+                  value: 'CLIENT_SECRET'
+        - subscriptions:
+            elements:
+              - subscription:
+                  value: 'SUSCRIPTION'
+
+    - section: sca
+      elements:
+        - enabled:
+            value: 'no'
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
\ No newline at end of file
diff --git a/src/modules/office365/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml b/src/modules/office365/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
new file mode 100644
index 0000000000..2040eb21ed
--- /dev/null
+++ b/src/modules/office365/tests/integration/test_configuration/data/test_cases/cases_invalid_configuration.yaml
@@ -0,0 +1,133 @@
+- name: Invalid_Enabled
+  description: Check office365 integration does not start with Invalid Enabled
+  configuration_parameters:
+    ENABLED: 'invalid'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'enabled'
+    error_type: 'Invalid'
+    module: 'office365'
+
+- name: Invalid_Only_Future_Events
+  description: Check office365 integration does not start with Invalid Only Future Events
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'invalid'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'only_future_events'
+    error_type: 'Invalid'
+    module: 'office365'
+
+
+- name: Invalid_Interval
+  description: Check office365 integration does not start with Invalid Interval
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '-5s'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'interval'
+    error_type: 'Invalid'
+    module: 'office365'
+
+
+- name: Invalid_Curl_Max_Size
+  description: Check office365 integration does not start with Invalid Curl Max Size
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '-12'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'curl_max_size'
+    error_type: 'Invalid'
+    module: 'office365'
+
+
+- name: Empty_Tenant_Id
+  description: Check office365 integration does not start with Empty Tenant Id
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: ''
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'tenant_id'
+    error_type: 'Empty'
+    module: 'office365'
+
+
+- name: Empty_Client_Id
+  description: Check office365 integration does not start with Empty Client Id
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: ''
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'client_id'
+    error_type: 'Empty'
+    module: 'office365'
+
+
+- name: Empty_Client_Secret
+  description: Check office365 integration does not start with Empty Client Secret
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: ''
+    SUSCRIPTION: 'suscription'
+  metadata:
+    event_monitor: 'client_secret'
+    error_type: 'Empty'
+    module: 'office365'
+
+
+- name: Empty_Suscription
+  description: Check office365 integration does not start with Empty Suscription
+  configuration_parameters:
+    ENABLED: 'yes'
+    ONLY_FUTURE_EVENTS: 'yes'
+    INTERVAL: '1m'
+    CURL_MAX_SIZE: '1024'
+    TENANT_ID: 'tenant_id'
+    CLIENT_ID: 'client_id'
+    CLIENT_SECRET: 'client_secret'
+    SUSCRIPTION: ''
+  metadata:
+    event_monitor: 'subscription'
+    error_type: 'Empty'
+    module: 'office365'
\ No newline at end of file
diff --git a/src/modules/office365/tests/integration/test_configuration/test_invalid.py b/src/modules/office365/tests/integration/test_configuration/test_invalid.py
new file mode 100644
index 0000000000..662ce11d18
--- /dev/null
+++ b/src/modules/office365/tests/integration/test_configuration/test_invalid.py
@@ -0,0 +1,133 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The Wazuh 'office365' module allows you to collect all the logs from Office 365 using its API.
+       Specifically, these tests will check if that module detects invalid configurations and indicates
+       the location of the errors detected. The Office 365 Management Activity API aggregates actions
+       and events into tenant-specific content blobs, which are classified by the type and source
+       of the content they contain.
+
+components:
+    - office365
+
+suite: configuration
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-analysisd
+    - wazuh-monitord
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+tags:
+    - office365_configuration
+'''
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.modulesd import patterns
+from wazuh_testing.tools.monitors.file_monitor import FileMonitor
+from wazuh_testing.utils.configuration import get_test_cases_data
+from wazuh_testing.utils.configuration import load_configuration_template
+from wazuh_testing.utils import callbacks
+from . import CONFIGS_PATH, TEST_CASES_PATH
+
+# Marks
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+# Configuration and cases data.
+configs_path = Path(CONFIGS_PATH, 'config_invalid_configuration.yaml')
+cases_path = Path(TEST_CASES_PATH, 'cases_invalid_configuration.yaml')
+
+# Test configurations.
+config_parameters, test_metadata, test_cases_ids = get_test_cases_data(cases_path)
+test_configuration = load_configuration_template(configs_path, config_parameters, test_metadata)
+daemons_handler_configuration = {'all_daemons': True, 'ignore_errors': True}
+local_internal_options = {MODULESD_DEBUG: '2'}
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(test_configuration, test_metadata), ids=test_cases_ids)
+def test_invalid(test_configuration, test_metadata, set_wazuh_configuration, configure_local_internal_options,
+                 truncate_monitored_files, daemons_handler, wait_for_office365_start):
+    '''
+    description: Check if the 'office365' module detects invalid configurations. For this purpose, the test
+                 will configure that module using invalid configuration settings with different attributes.
+                 Finally, it will verify that error events are generated indicating the source of the errors.
+
+    wazuh_min_version: 4.3.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: data
+            brief: Configuration used in the test.
+        - test_metadata:
+            type: data
+            brief: Configuration cases.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Set internal configuration for testing.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Reset the 'ossec.log' file and start a new monitor.
+        - daemons_handler:
+            type: fixture
+            brief: Manages daemons to reset Wazuh.
+        - wait_for_office365_start:
+            type: fixture
+            brief: Checks integration start message does not appear.
+
+    assertions:
+        - Verify that the 'office365' module generates error events when invalid configurations are used.
+
+    input_description: A configuration template (office365_integration) is contained in an external YAML file
+                       (wazuh_conf.yaml). That template is combined with different test cases defined in
+                       the module. Those include configuration settings for the 'office365' module.
+
+    expected_output:
+        - r'wm_office365_read(): ERROR.* Invalid content for tag .*'
+        - r'wm_office365_read(): ERROR.* Empty content for tag .*'
+
+    tags:
+        - invalid_settings
+    '''
+
+    wazuh_log_monitor = FileMonitor(WAZUH_LOG_PATH)
+    wazuh_log_monitor.start(callback=callbacks.generate_callback(patterns.MODULESD_CONFIGURATION_ERROR, {
+                              'error_type': str(test_metadata['error_type']),
+                              'tag': str(test_metadata['event_monitor']),
+                              'integration': str(test_metadata['module']),
+                          }))
+
+    assert (wazuh_log_monitor.callback_result != None), f'Error invalid configuration event not detected'
diff --git a/src/modules/office365/tests/unit/tests/CMakeLists.txt b/src/modules/office365/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..62df7a2b3c
--- /dev/null
+++ b/src/modules/office365/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,95 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_office365")
+list(APPEND tests_flags "-Wl,--wrap,access -Wl,--wrap,wurl_http_request \
+                        -Wl,--wrap,wurl_free_response -Wl,--wrap,wm_sendmsg -Wl,--wrap,strftime -Wl,--wrap,gmtime_r \
+                        -Wl,--wrap,wm_state_io -Wl,--wrap,time -Wl,--wrap,StartMQ -Wl,--wrap,wfopen \
+                        -Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck \ -Wl,--wrap=is_fim_shutdown \
+                        -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown \
+                        -Wl,--wrap,fim_sync_push_msg -Wl,--wrap,fim_run_integrity -Wl,--wrap,fim_db_remove_path \
+                        -Wl,--wrap,fim_db_get_path -Wl,--wrap,fim_db_transaction_start -Wl,--wrap,fim_db_transaction_deleted_rows \
+                        -Wl,--wrap,fim_db_transaction_sync_row -Wl,--wrap,fim_db_file_update -Wl,--wrap,fim_db_file_pattern_search \
+                        -Wl,--wrap,fim_db_init ${DEBUG_OP_WRAPPERS} -Wl,--wrap,isDebug")
+
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB office365 ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM office365 ../../../wazuh_modules/main.o)
+
+add_library(OFFICE365_O STATIC ${office365})
+
+set_source_files_properties(
+  ${office365}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  OFFICE365_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(OFFICE365_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+if(${TARGET} STREQUAL "winagent")
+    link_directories(${SRC_FOLDER}/syscheckd/build/bin)
+endif(${TARGET} STREQUAL "winagent")
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            OFFICE365_O
+            -lcmocka
+            -ldl
+            -fprofile-arcs
+            -ftest-coverage
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+        if(${TARGET} STREQUAL "winagent")
+          target_link_libraries(${test_name} fimdb)
+        endif(${TARGET} STREQUAL "winagent")
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/modules/office365/tests/unit/tests/test_wm_office365.c b/src/modules/office365/tests/unit/tests/test_wm_office365.c
new file mode 100644
index 0000000000..49381b9f85
--- /dev/null
+++ b/src/modules/office365/tests/unit/tests/test_wm_office365.c
@@ -0,0 +1,3261 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for Office365 Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+
+#include "shared.h"
+#include "../wazuh_modules/wmodules.h"
+#include "../wazuh_modules/wm_office365.h"
+#include "../wazuh_modules/wm_office365.c"
+
+#include "../scheduling/wmodules_scheduling_helpers.h"
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/shared/time_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/url_wrappers.h"
+#include "../../wrappers/libc/time_wrappers.h"
+#ifdef WIN32
+#include "../../wrappers/wazuh/shared/file_op_wrappers.h"
+#endif
+
+int __wrap_access(const char *__name, int __type) {
+    check_expected(__name);
+    return mock_type(int);
+}
+
+unsigned int __wrap_sleep(unsigned int __seconds) {
+    check_expected(__seconds);
+    return mock_type(unsigned int);
+}
+
+unsigned int __wrap_gmtime_r(__attribute__ ((__unused__)) const time_t *t, __attribute__ ((__unused__)) struct tm *tm) {
+    return mock_type(unsigned int);
+}
+
+int __wrap_isDebug() {
+    return mock();
+}
+
+////////////////  test wmodules-office365 /////////////////
+
+typedef struct test_struct {
+    wm_office365 *office365_config;
+    curl_response* response;
+    char *root_c;
+} test_struct_t;
+
+static int setup_conf(void **state) {
+    test_struct_t *init_data = NULL;
+    os_calloc(1,sizeof(test_struct_t), init_data);
+    os_calloc(1, sizeof(wm_office365), init_data->office365_config);
+    test_mode = 1;
+    *state = init_data;
+    return 0;
+}
+
+static int teardown_conf(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    test_mode = 0;
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module Office365 finished.");
+
+    wm_office365_destroy(data->office365_config);
+    os_free(data->root_c);
+    os_free(data);
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test;
+    os_calloc(1, sizeof(test_structure), test);
+    os_calloc(1, sizeof(wmodule), test->module);
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    if ((wm_office365*)test->module->data) {
+        if (((wm_office365*)test->module->data)->auth) {
+            os_free(((wm_office365*)test->module->data)->auth->tenant_id);
+            os_free(((wm_office365*)test->module->data)->auth->client_id);
+            os_free(((wm_office365*)test->module->data)->auth->client_secret_path);
+            os_free(((wm_office365*)test->module->data)->auth->client_secret);
+            os_free(((wm_office365*)test->module->data)->auth->login_fqdn);
+            os_free(((wm_office365*)test->module->data)->auth->management_fqdn);
+            if (((wm_office365*)test->module->data)->auth->next) {
+                os_free(((wm_office365*)test->module->data)->auth->next->tenant_id);
+                os_free(((wm_office365*)test->module->data)->auth->next->client_id);
+                os_free(((wm_office365*)test->module->data)->auth->next->client_secret_path);
+                os_free(((wm_office365*)test->module->data)->auth->next->client_secret);
+                os_free(((wm_office365*)test->module->data)->auth->next->login_fqdn);
+                os_free(((wm_office365*)test->module->data)->auth->next->management_fqdn);
+                if (((wm_office365*)test->module->data)->auth->next->next) {
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->tenant_id);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->client_id);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->client_secret_path);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->client_secret);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->login_fqdn);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->management_fqdn);
+                    os_free(((wm_office365*)test->module->data)->auth->next->next->next);
+                }
+                os_free(((wm_office365*)test->module->data)->auth->next->next);
+            }
+            os_free(((wm_office365*)test->module->data)->auth->next);
+            os_free(((wm_office365*)test->module->data)->auth);
+        }
+        if (((wm_office365*)test->module->data)->subscription) {
+            os_free(((wm_office365*)test->module->data)->subscription->subscription_name);
+            if (((wm_office365*)test->module->data)->subscription->next) {
+                os_free(((wm_office365*)test->module->data)->subscription->next->subscription_name);
+            }
+            if (((wm_office365*)test->module->data)->subscription->next->next) {
+                os_free(((wm_office365*)test->module->data)->subscription->next->next->subscription_name);
+            }
+            if (((wm_office365*)test->module->data)->subscription->next->next->next) {
+                os_free(((wm_office365*)test->module->data)->subscription->next->next->next->subscription_name);
+            }
+            if (((wm_office365*)test->module->data)->subscription->next->next->next->next) {
+                os_free(((wm_office365*)test->module->data)->subscription->next->next->next->next->subscription_name);
+            }
+            os_free(((wm_office365*)test->module->data)->subscription->next->next->next->next);
+            os_free(((wm_office365*)test->module->data)->subscription->next->next->next);
+            os_free(((wm_office365*)test->module->data)->subscription->next->next);
+            os_free(((wm_office365*)test->module->data)->subscription->next);
+            os_free(((wm_office365*)test->module->data)->subscription);
+        }
+    }
+    os_free(test->module->data);
+    os_free(test->module->tag);
+    os_free(test->module);
+    os_free(test);
+    return 0;
+}
+
+void test_read_configuration(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10m</interval>"
+        "<curl_max_size>2048</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_int_equal(module_data->interval, 600);
+    assert_int_equal(module_data->curl_max_size, 2048);
+    assert_string_equal(module_data->auth->tenant_id, "your_tenant_id");
+    assert_string_equal(module_data->auth->client_id, "your_client_id");
+    assert_string_equal(module_data->auth->client_secret, "your_secret");
+    assert_string_equal(module_data->auth->login_fqdn, WM_OFFICE365_DEFAULT_API_LOGIN_FQDN); // retrocompatability test
+    assert_string_equal(module_data->auth->management_fqdn, WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN); // retrocompatability test
+    assert_string_equal(module_data->subscription->subscription_name, "Audit.AzureActiveDirectory");
+    assert_string_equal(module_data->subscription->next->subscription_name, "Audit.Exchange");
+    assert_string_equal(module_data->subscription->next->next->subscription_name, "Audit.SharePoint");
+    assert_string_equal(module_data->subscription->next->next->next->subscription_name, "Audit.General");
+    assert_string_equal(module_data->subscription->next->next->next->next->subscription_name, "DLP.All");
+}
+
+void test_read_configuration_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>yes</only_future_events>"
+        "<interval>10m</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id_1</tenant_id>"
+            "<client_id>your_client_id_1</client_id>"
+            "<client_secret>your_secret_1</client_secret>"
+            "<api_type>gcc</api_type>"
+        "</api_auth>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id_2</tenant_id>"
+            "<client_id>your_client_id_2</client_id>"
+            "<client_secret_path>/path/to/secret</client_secret_path>"
+            "<api_type>gcc-high</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap_access, __name, "/path/to/secret");
+    will_return(__wrap_access, 0);
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->only_future_events, 1);
+    assert_int_equal(module_data->interval, 600);
+    assert_int_equal(module_data->curl_max_size, 2048);
+    assert_string_equal(module_data->auth->tenant_id, "your_tenant_id");
+    assert_string_equal(module_data->auth->client_id, "your_client_id");
+    assert_string_equal(module_data->auth->client_secret, "your_secret");
+    assert_string_equal(module_data->auth->login_fqdn, WM_OFFICE365_DEFAULT_API_LOGIN_FQDN);
+    assert_string_equal(module_data->auth->management_fqdn, WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN);
+    assert_string_equal(module_data->auth->next->tenant_id, "your_tenant_id_1");
+    assert_string_equal(module_data->auth->next->client_id, "your_client_id_1");
+    assert_string_equal(module_data->auth->next->client_secret, "your_secret_1");
+    assert_string_equal(module_data->auth->next->login_fqdn, WM_OFFICE365_GCC_API_LOGIN_FQDN);
+    assert_string_equal(module_data->auth->next->management_fqdn, WM_OFFICE365_GCC_API_MANAGEMENT_FQDN);
+    assert_string_equal(module_data->auth->next->next->tenant_id, "your_tenant_id_2");
+    assert_string_equal(module_data->auth->next->next->client_id, "your_client_id_2");
+    assert_string_equal(module_data->auth->next->next->client_secret_path, "/path/to/secret");
+    assert_string_equal(module_data->auth->next->next->login_fqdn, WM_OFFICE365_GCC_HIGH_API_LOGIN_FQDN);
+    assert_string_equal(module_data->auth->next->next->management_fqdn, WM_OFFICE365_GCC_HIGH_API_MANAGEMENT_FQDN);
+    assert_string_equal(module_data->subscription->subscription_name, "Audit.AzureActiveDirectory");
+    assert_string_equal(module_data->subscription->next->subscription_name, "Audit.Exchange");
+    assert_string_equal(module_data->subscription->next->next->subscription_name, "Audit.SharePoint");
+    assert_string_equal(module_data->subscription->next->next->next->subscription_name, "Audit.General");
+    assert_string_equal(module_data->subscription->next->next->next->next->subscription_name, "DLP.All");
+}
+
+void test_read_default_configuration(void **state) {
+    const char *string =
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'subscriptions' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_interval(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_int_equal(module_data->interval, 10);
+    assert_int_equal(module_data->curl_max_size, 2048);
+    assert_string_equal(module_data->auth->tenant_id, "your_tenant_id");
+    assert_string_equal(module_data->auth->client_id, "your_client_id");
+    assert_string_equal(module_data->auth->client_secret, "your_secret");
+    assert_string_equal(module_data->auth->login_fqdn, WM_OFFICE365_DEFAULT_API_LOGIN_FQDN);
+    assert_string_equal(module_data->auth->management_fqdn, WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN);
+    assert_string_equal(module_data->subscription->subscription_name, "Audit.AzureActiveDirectory");
+    assert_string_equal(module_data->subscription->next->subscription_name, "Audit.Exchange");
+    assert_string_equal(module_data->subscription->next->next->subscription_name, "Audit.SharePoint");
+    assert_string_equal(module_data->subscription->next->next->next->subscription_name, "Audit.General");
+    assert_string_equal(module_data->subscription->next->next->next->next->subscription_name, "DLP.All");
+}
+
+void test_read_interval_s(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>50s</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->interval, 50);
+}
+
+void test_read_interval_s_fail(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>90000s</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_interval_m(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1m</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->interval, 60);
+}
+
+void test_read_interval_m_fail(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1500m</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_interval_h(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>2h</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->interval, 7200);
+}
+
+void test_read_interval_h_fail(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>30h</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_interval_d(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->interval, 86400);
+}
+
+void test_read_interval_d_fail(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>2d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_curl_max_size(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10</interval>"
+        "<curl_max_size>4k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),0);
+    wm_office365 *module_data = (wm_office365*)test->module->data;
+    assert_int_equal(module_data->enabled, 0);
+    assert_int_equal(module_data->only_future_events, 0);
+    assert_int_equal(module_data->interval, 10);
+    assert_int_equal(module_data->curl_max_size, 4096);
+    assert_string_equal(module_data->auth->tenant_id, "your_tenant_id");
+    assert_string_equal(module_data->auth->client_id, "your_client_id");
+    assert_string_equal(module_data->auth->client_secret, "your_secret");
+    assert_string_equal(module_data->auth->login_fqdn, WM_OFFICE365_DEFAULT_API_LOGIN_FQDN);
+    assert_string_equal(module_data->auth->management_fqdn, WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN);
+    assert_string_equal(module_data->subscription->subscription_name, "Audit.AzureActiveDirectory");
+    assert_string_equal(module_data->subscription->next->subscription_name, "Audit.Exchange");
+    assert_string_equal(module_data->subscription->next->next->subscription_name, "Audit.SharePoint");
+    assert_string_equal(module_data->subscription->next->next->next->subscription_name, "Audit.General");
+    assert_string_equal(module_data->subscription->next->next->next->next->subscription_name, "DLP.All");
+}
+
+void test_read_curl_max_size_invalid_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10</interval>"
+        "<curl_max_size>0</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'office365'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_curl_max_size_invalid_2(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10</interval>"
+        "<curl_max_size>-1</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'office365'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_curl_max_size_invalid_3(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>10</interval>"
+        "<curl_max_size>invalid</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'curl_max_size' at module 'office365'. The minimum value allowed is 1KB.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_secret_path_and_secret(void **state) {
+    const char *string =
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret_path>/path/to/secret</client_secret_path>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "It is not allowed to set 'client_secret' and 'client_secret_path' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+        "<fake-tag>ASD</fake-tag>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake-tag' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_fake_tag_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+            "<fake-tag>ASD</fake-tag>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'fake-tag' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_1(void **state) {
+    const char *string =
+        "<enabled>no</enabled>"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription></subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'subscription' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_2(void **state) {
+    const char *string =
+        "<enabled>invalid</enabled>\n"
+        "<only_future_events>no</only_future_events>"
+        "<interval>1d</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'enabled' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_3(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>no</only_future_events>"
+        "<interval>invalid</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_content_4(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<only_future_events>invalid</only_future_events>"
+        "<interval>yes</interval>"
+        "<curl_max_size>2k</curl_max_size>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'only_future_events' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_invalid_interval(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>-10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'interval' at module 'office365'. The maximum value allowed is 1 day.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_auth(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_auth' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_auth_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<invalid>your_tenant_id</invalid>"
+            "<invalid>your_client_id</invalid>"
+            "<invalid>your_secret</invalid>"
+            "<invalid>commercial</invalid>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "No such tag 'invalid' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_tenant_id(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id></tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'tenant_id' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_tenant_id_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "'tenant_id' is missing at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_id(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id></client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'client_id' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_id_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "'client_id' is missing at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_secret(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret></client_secret>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'client_secret' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_secret_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "'client_secret' is missing at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_secret_path(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret_path>/path/to/secret</client_secret_path>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap_access, __name, "/path/to/secret");
+    will_return(__wrap_access, -1);
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'client_secret_path' at module 'office365': The path cannot be opened.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_client_secret_path_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret_path></client_secret_path>"
+            "<api_type>commercial</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'client_secret_path' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_type(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type>invalid</api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Invalid content for tag 'api_type' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_error_api_type_1(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>10</interval>"
+        "<api_auth>"
+            "<tenant_id>your_tenant_id</tenant_id>"
+            "<client_id>your_client_id</client_id>"
+            "<client_secret>your_secret</client_secret>"
+            "<api_type></api_type>"
+        "</api_auth>"
+        "<subscriptions>"
+            "<subscription>Audit.AzureActiveDirectory</subscription>"
+            "<subscription>Audit.Exchange</subscription>"
+            "<subscription>Audit.SharePoint</subscription>"
+            "<subscription>Audit.General</subscription>"
+            "<subscription>DLP.All</subscription>"
+        "</subscriptions>"
+    ;
+    test_structure *test = *state;
+    expect_string(__wrap__merror, formatted_msg, "Empty content for tag 'api_type' at module 'office365'.");
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_office365_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_wm_office365_dump_no_options(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *test = "{\"office365\":{\"enabled\":\"no\",\"only_future_events\":\"no\"}}";
+
+    cJSON *root = wm_office365_dump(data->office365_config);
+    data->root_c = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+
+    assert_string_equal(data->root_c, test);
+}
+
+void test_wm_office365_dump_yes_options_empty_arrays(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->office365_config->enabled = 1;
+    data->office365_config->only_future_events = 1;
+    data->office365_config->interval = 10;
+    data->office365_config->curl_max_size = 1024;
+    data->office365_config->queue_fd = 1;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("", data->office365_config->subscription->subscription_name);
+
+    char *test = "{\"office365\":{\"enabled\":\"yes\",\"only_future_events\":\"yes\",\"interval\":10,\"curl_max_size\":1024,\"api_auth\":[{}],\"subscriptions\":[\"\"]}}";
+
+    cJSON *root = wm_office365_dump(data->office365_config);
+    data->root_c = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+
+    assert_string_equal(data->root_c, test);
+}
+
+void test_wm_office365_dump_yes_options(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->office365_config->enabled = 1;
+    data->office365_config->only_future_events = 1;
+    data->office365_config->interval = 10;
+    data->office365_config->queue_fd = 1;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret_path", data->office365_config->auth->client_secret_path);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    char *test = "{\"office365\":{\"enabled\":\"yes\",\"only_future_events\":\"yes\",\"interval\":10,\"api_auth\":[{\"tenant_id\":\"test_tenant_id\",\"client_id\":\"test_client_id\",\"client_secret_path\":\"test_client_secret_path\",\"client_secret\":\"test_client_secret\",\"api_type\":\"commercial\"}],\"subscriptions\":[\"test_subscription_name\"]}}";
+
+    cJSON *root = wm_office365_dump(data->office365_config);
+    data->root_c = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+
+    assert_string_equal(data->root_c, test);
+}
+
+void test_wm_office365_main_disabled(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->office365_config->enabled = 0;
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module Office365 disabled.");
+
+    wm_office365_main(data->office365_config);
+}
+
+void test_wm_office365_main_fail_StartMQ(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->office365_config->enabled = 1;
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module Office365 started.");
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mterror, formatted_msg, "Can't connect to queue. Closing module.");
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, -1);
+
+    wm_office365_main(data->office365_config);
+}
+
+void test_wm_office365_main_enable(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    data->office365_config->enabled = 1;
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->only_future_events = 1;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 1);
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtinfo, formatted_msg, "Module Office365 started.");
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    will_return(__wrap_isDebug, 0);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting access token.");
+
+    wm_office365_main(data->office365_config);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret(void **state) {
+    size_t max_size = OS_SIZE_8192;
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->response = NULL;
+    char *access_token = NULL;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting access token.");
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_null(access_token);
+    assert_null(error_msg);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_path(void **state) {
+    size_t max_size = OS_SIZE_8192;
+    test_struct_t *data  = (test_struct_t *)*state;
+    data->response = NULL;
+    char *access_token = NULL;
+    char *error_msg = NULL;
+
+    const char *filename = "test_client_secret_path";
+    FILE *outfile;
+    outfile = fopen(filename, "wb");
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret_path", data->office365_config->auth->client_secret_path);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting access token.");
+
+    test_mode = 0;
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+    test_mode = 1;
+
+    fclose(outfile);
+
+    assert_null(access_token);
+    assert_null(error_msg);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_response_400(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *access_token = NULL;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while getting access token: '{\"error\":\"bad_request\"}'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_null(access_token);
+    assert_string_equal(error_msg, data->response->body);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(error_msg);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_response_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *access_token = NULL;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting access token.");
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_null(access_token);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_response_max_size_reached(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *access_token = NULL;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", data->response->body);
+    os_strdup("test", data->response->header);
+    data->response->max_size_reached = 1;
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Libcurl error, reached maximum response size.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_null(access_token);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_error_json_response(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *access_token = NULL;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":\"bad_requ", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while parsing access token JSON response.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_null(access_token);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_get_access_token_with_auth_secret_response_200(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    char *access_token = NULL;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    access_token = wm_office365_get_access_token(data->office365_config->auth, max_size, &error_msg);
+
+    assert_string_equal(access_token, "wazuh");
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(access_token);
+}
+
+void test_wm_office365_manage_subscription_start_response_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 1;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while managing subscription.");
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_INVALID);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_manage_subscription_start_code_200(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 1;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_SUCCESS);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_manage_subscription_stop_error_json_response(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 0;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":{\"code\":", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while parsing managing subscription JSON response.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_INVALID);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_manage_subscription_stop_error_max_size_reached(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 0;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":{\"code\":", data->response->body);
+    os_strdup("test", data->response->header);
+    data->response->max_size_reached = 1;
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Libcurl error, reached maximum response size.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_INVALID);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_manage_subscription_stop_code_400_error_AF20024(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 0;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":{\"code\":\"AF20024\"}}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_SUCCESS);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_manage_subscription_stop_code_400_error_different_AF20024(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    size_t max_size = OS_SIZE_8192;
+    char *error_msg = NULL;
+
+    char *token = "test_token";
+    char* client_id = "test_client_id";
+    char* management_fqdn = WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN;
+    int start = 0;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":{\"code\":\"AF20023\"}}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while managing subscription: '{\"error\":{\"code\":\"AF20023\"}}'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    value = wm_office365_manage_subscription(data->office365_config->subscription, management_fqdn, client_id, token, start, max_size, &error_msg);
+
+    assert_int_equal(value, OS_INVALID);
+    assert_string_equal(error_msg, data->response->body);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(error_msg);
+}
+
+void test_wm_office365_get_fail_by_tenant_and_subscription_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *result = NULL;
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription";
+    fails->tenant_id = "tenant";
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+
+    result = wm_office365_get_fail_by_tenant_and_subscription(fails, tenant_id, subscription_name);
+    assert_null(result);
+    os_free(fails);
+}
+
+void test_wm_office365_get_fail_by_tenant_and_subscription_not_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *result = NULL;
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription_name";
+    fails->tenant_id = "tenant_id";
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+
+    result = wm_office365_get_fail_by_tenant_and_subscription(fails, tenant_id, subscription_name);
+    assert_string_equal(result->tenant_id, tenant_id);
+    assert_string_equal(result->subscription_name, subscription_name);
+
+    os_free(fails);
+}
+
+void test_wm_office365_get_content_blobs_response_null(void **state) {
+    size_t max_size = OS_SIZE_8192;
+    char* client_id = "test_client_id";
+    const char* url = "test_url";
+    const char* token = "test_token";
+    char** next_page;
+    bool buffer_size_reached = 0;
+    char *error_msg = NULL;
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting content blobs.");
+
+    cJSON *blob = wm_office365_get_content_blobs(url, token, next_page, max_size, &buffer_size_reached, &error_msg);
+    assert_null(blob);
+    assert_null(error_msg);
+    cJSON_Delete(blob);
+}
+
+void test_wm_office365_get_content_blobs_response_max_size_reached(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    char* client_id = "test_client_id";
+    const char* url = "test_url";
+    const char* token = "test_token";
+    char** next_page;
+    bool buffer_size_reached = 0;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+    data->response->max_size_reached = 1;
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Libcurl error, reached maximum response size.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    cJSON *blob = wm_office365_get_content_blobs(url, token, next_page, max_size, &buffer_size_reached, &error_msg);
+    assert_null(blob);
+    assert_null(error_msg);
+    assert_int_equal(buffer_size_reached, 1);
+    cJSON_Delete(blob);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_get_content_blobs_error_json_response(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    char* client_id = "test_client_id";
+    const char* url = "test_url";
+    const char* token = "test_token";
+    char** next_page;
+    bool buffer_size_reached = 0;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while parsing content blobs JSON response.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    cJSON *blob = wm_office365_get_content_blobs(url, token, next_page, max_size, &buffer_size_reached, &error_msg);
+    assert_null(blob);
+    assert_null(error_msg);
+    cJSON_Delete(blob);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_get_content_blobs_bad_response(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    char* client_id = "test_client_id";
+    const char* url = "test_url";
+    const char* token = "test_token";
+    char** next_page;
+    bool buffer_size_reached = 0;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"response\":\"test\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while getting content blobs: '{\"response\":\"test\"}'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    cJSON *blob = wm_office365_get_content_blobs(url, token, next_page, max_size, &buffer_size_reached, &error_msg);
+    assert_null(blob);
+    assert_string_equal(error_msg, data->response->body);
+    cJSON_Delete(blob);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(error_msg);
+}
+
+void test_wm_office365_get_content_blobs_400_code_AF20055(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    char* client_id = "test_client_id";
+    const char* url = "test_url";
+    const char* token = "test_token";
+    char** next_page;
+    bool buffer_size_reached = 0;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":{\"code\":\"AF20055\"}}", data->response->body);
+    os_strdup("NextPageUri: valueNextPageUri", data->response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    cJSON *blob = wm_office365_get_content_blobs(url, token, next_page, max_size, &buffer_size_reached, &error_msg);
+    assert_non_null(blob);
+    assert_null(error_msg);
+    cJSON_Delete(blob);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_scan_failure_action_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription";
+    fails->tenant_id = "tenant";
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+    int queue_fd = 0;
+    char *error_msg = NULL;
+
+    wm_office365_scan_failure_action(&fails, tenant_id, subscription_name, error_msg, queue_fd);
+    assert_string_equal(fails->next->tenant_id, tenant_id);
+    assert_string_equal(fails->next->subscription_name, subscription_name);
+
+    os_free(fails->next->tenant_id);
+    os_free(fails->next->subscription_name);
+    os_free(fails->next);
+    os_free(fails);
+}
+
+void test_wm_office365_scan_failure_action_no_fail(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *fails = NULL;
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+    int queue_fd = 0;
+    char *error_msg = NULL;
+
+    wm_office365_scan_failure_action(&fails, tenant_id, subscription_name, error_msg, queue_fd);
+    assert_string_equal(fails->tenant_id, tenant_id);
+    assert_string_equal(fails->subscription_name, subscription_name);
+
+    os_free(fails->tenant_id);
+    os_free(fails->subscription_name);
+    os_free(fails);
+}
+
+void test_wm_office365_scan_failure_action_null_mult_next(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription";
+    fails->tenant_id = "tenant";
+    os_calloc(1, sizeof(wm_office365_fail), fails->next);
+    fails->next->subscription_name = "subscription1";
+    fails->next->tenant_id = "tenant1";
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+    int queue_fd = 0;
+    char *error_msg = NULL;
+
+    wm_office365_scan_failure_action(&fails, tenant_id, subscription_name, error_msg, queue_fd);
+    assert_string_equal(fails->next->next->tenant_id, tenant_id);
+    assert_string_equal(fails->next->next->subscription_name, subscription_name);
+
+    os_free(fails->next->next->tenant_id);
+    os_free(fails->next->next->subscription_name);
+    os_free(fails->next->next);
+    os_free(fails->next);
+    os_free(fails);
+}
+
+void test_wm_office365_scan_failure_action_not_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription_name";
+    fails->tenant_id = "tenant_id";
+    fails->fails = 2;
+    wm_max_eps = 1;
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+    int queue_fd = 1;
+    char *error_msg = NULL;
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtwarn, formatted_msg, "Sending Office365 internal message: '{\"integration\":\"office365\",\"office365\":{\"actor\":\"wazuh\",\"tenant_id\":\"tenant_id\",\"subscription_name\":\"subscription_name\",\"response\":\"Unknown error\"}}'");
+
+    int result = -1;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"office365\",\"office365\":{\"actor\":\"wazuh\",\"tenant_id\":\"tenant_id\",\"subscription_name\":\"subscription_name\",\"response\":\"Unknown error\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "office365");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Success'");
+
+    wm_office365_scan_failure_action(&fails, tenant_id, subscription_name, error_msg, queue_fd);
+
+    os_free(fails);
+}
+
+void test_wm_office365_scan_failure_action_not_null_error_msg(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    wm_office365_fail *fails = NULL;
+    os_calloc(1, sizeof(wm_office365_fail), fails);
+    fails->subscription_name = "subscription_name";
+    fails->tenant_id = "tenant_id";
+    fails->fails = 2;
+    wm_max_eps = 1;
+
+    char* subscription_name = "subscription_name";
+    char* tenant_id = "tenant_id";
+    int queue_fd = 1;
+    char *error_msg = "{\"response\":\"test\"}";
+
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtwarn, formatted_msg, "Sending Office365 internal message: '{\"integration\":\"office365\",\"office365\":{\"actor\":\"wazuh\",\"tenant_id\":\"tenant_id\",\"subscription_name\":\"subscription_name\",\"response\":\"{\\\"response\\\":\\\"test\\\"}\"}}'");
+
+    int result = -1;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"office365\",\"office365\":{\"actor\":\"wazuh\",\"tenant_id\":\"tenant_id\",\"subscription_name\":\"subscription_name\",\"response\":\"{\\\"response\\\":\\\"test\\\"}\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "office365");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Success'");
+
+    wm_office365_scan_failure_action(&fails, tenant_id, subscription_name, error_msg, queue_fd);
+
+    os_free(fails);
+}
+
+void test_wm_office365_get_logs_from_blob_response_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting logs from blob.");
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_null(logs_array);
+    assert_null(error_msg);
+
+}
+
+void test_wm_office365_get_logs_from_blob_response_max_size_reached(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->max_size_reached = true;
+    os_strdup("[{\"test\":{\"code\":\"test\"", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Libcurl error, reached maximum response size.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_null(logs_array);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+
+}
+
+void test_wm_office365_get_logs_from_blob_response_parsing_error(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->max_size_reached = false;
+    os_strdup("[{\"test\":{\"code\":\"test\"", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while parsing logs from blob JSON response.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_null(logs_array);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+
+}
+
+void test_wm_office365_get_logs_from_blob_response_code_400(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    data->response->max_size_reached = false;
+    os_strdup("[{\"test\":{\"code\":\"test\"}}]", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while getting logs from blob: '[{\"test\":{\"code\":\"test\"}}]'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_null(logs_array);
+    assert_string_equal(error_msg, data->response->body);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(error_msg);
+
+}
+
+void test_wm_office365_get_logs_from_blob_response_no_array(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->max_size_reached = false;
+    os_strdup("{\"test\":{\"code\":\"test\"}}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while getting logs from blob: '{\"test\":{\"code\":\"test\"}}'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_null(logs_array);
+    assert_string_equal(error_msg, data->response->body);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    os_free(error_msg);
+
+}
+
+void test_wm_office365_get_logs_from_blob_ok(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int value = 0;
+    cJSON *logs_array = NULL;
+
+    size_t max_size = OS_SIZE_8192;
+    char *token = "test_token";
+    char *url = "https://test_url.com";
+    bool buffer_size_reached = false;
+    char *error_msg = NULL;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    data->response->max_size_reached = false;
+    os_strdup("[{\"test\":{\"code\":\"test\"}}]", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", token);
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    logs_array = wm_office365_get_logs_from_blob(url, token, max_size, &buffer_size_reached, &error_msg);
+
+    assert_non_null(logs_array);
+    assert_null(error_msg);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+    cJSON_Delete(logs_array);
+
+}
+
+void test_wm_office365_execute_scan_all(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    wm_office365_state tenant_state_struc;
+    tenant_state_struc.last_log_time = 160;
+    current_time = 161;
+    wm_max_eps = 1;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    data->office365_config->auth->next = NULL;
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->subscription->next = NULL;
+
+    os_calloc(1, sizeof(wm_office365_fail), data->office365_config->fails);
+    os_strdup("subscription_name", data->office365_config->fails->subscription_name);
+    os_strdup("tenant_id", data->office365_config->fails->tenant_id);
+    data->office365_config->interval = 10;
+
+    int initial_scan = 1;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    // wm_office365_get_content_blobs
+    curl_response *get_content_blobs_response;
+    os_calloc(1, sizeof(curl_response), get_content_blobs_response);
+    get_content_blobs_response->status_code = 200;
+    get_content_blobs_response->max_size_reached = false;
+    os_strdup("[{\"contentUri\":\"https://contentUri1.com\"}]", get_content_blobs_response->body);
+    os_strdup("test", get_content_blobs_response->header);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    const char expected_token_url[] = "Office 365 API access token URL: 'https://" WM_OFFICE365_DEFAULT_API_LOGIN_FQDN "/test_tenant_id/oauth2/v2.0/token'";
+    expect_string(__wrap__mtdebug1, formatted_msg, expected_token_url);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&tenant_state_struc);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer wazuh");
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    const char expected_subscription_url[] = "Office 365 API subscription URL: 'https://" WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN "/api/v1.0/test_client_id/activity/feed/subscriptions/start?contentType=test_subscription_name'";
+    expect_string(__wrap__mtdebug1, formatted_msg, expected_subscription_url);
+
+    #ifndef WIN32
+        will_return(__wrap_gmtime_r, 1);
+        will_return(__wrap_gmtime_r, 1);
+    #endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer wazuh");
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, get_content_blobs_response);
+
+    expect_any(__wrap__mdebug1, formatted_msg);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    const char expected_blob_url[] = "Office 365 API content blobs URL: 'https://" WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN "/api/v1.0/test_client_id/activity/feed/subscriptions/content?contentType=test_subscription_name&startTime=2021-05-07 12:24:56&endTime=2021-05-07 12:24:56'";
+    expect_string(__wrap__mtdebug1, formatted_msg, expected_blob_url);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Office 365 API content URI: 'https://contentUri1.com'");
+
+    expect_value(__wrap_wurl_free_response, response, get_content_blobs_response);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer wazuh");
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, get_content_blobs_response);
+
+    expect_value(__wrap_wurl_free_response, response, get_content_blobs_response);
+
+    expect_string(__wrap__mtdebug2, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug2, formatted_msg, "Sending Office365 log: '{\"integration\":\"office365\",\"office365\":{\"contentUri\":\"https://contentUri1.com\",\"Subscription\":\"test_subscription_name\"}}'");
+
+    int result = 1;
+    int queue_fd = 0;
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue_fd);
+    expect_string(__wrap_wm_sendmsg, message, "{\"integration\":\"office365\",\"office365\":{\"contentUri\":\"https://contentUri1.com\",\"Subscription\":\"test_subscription_name\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, "office365");
+    expect_value(__wrap_wm_sendmsg, loc, LOCALFILE_MQ);
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2021-05-07 12:24:56' for tenant 'test_tenant_id' and subscription 'test_subscription_name', waiting '10' seconds to run next scan.");
+
+    wm_office365_execute_scan(data->office365_config, initial_scan);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+
+    os_free(get_content_blobs_response->body);
+    os_free(get_content_blobs_response->header);
+    os_free(get_content_blobs_response);
+}
+
+void test_wm_office365_execute_scan_initial_scan_only_future_events(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->only_future_events = 1;
+    data->office365_config->interval = 10;
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 1);
+
+    will_return(__wrap_isDebug, 1);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Bookmark updated to '2021-05-07 12:24:56' for tenant 'test_tenant_id' and subscription 'test_subscription_name', waiting '10' seconds to run first scan.");
+
+    wm_office365_execute_scan(data->office365_config, 1);
+}
+
+void test_wm_office365_execute_scan_access_token_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->only_future_events = 1;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 400;
+    os_strdup("{\"error\":\"bad_request\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Error while getting access token: '{\"error\":\"bad_request\"}'");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    wm_office365_execute_scan(data->office365_config, 0);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_execute_scan_manage_subscription_error(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+    wm_office365_state tenant_state_struc;
+
+    tenant_state_struc.last_log_time = 123456789;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->only_future_events = 0;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&tenant_state_struc);
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_any(__wrap_wurl_http_request, method);
+
+    char expHeader[OS_SIZE_8192];
+    snprintf(expHeader, OS_SIZE_8192 -1, "Authorization: Bearer %s", "wazuh");
+
+    expect_string(__wrap_wurl_http_request, header, expHeader);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while managing subscription.");
+
+    wm_office365_execute_scan(data->office365_config, 0);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_execute_scan_saving_running_state_error(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int initial_scan = 0;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"access_token_value\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    /* wm_office365_get_access_token */
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_WRITE);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mterror, formatted_msg, "Couldn't save running state.");
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    wm_office365_execute_scan(data->office365_config, initial_scan);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_execute_scan_content_blobs_fail(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    int initial_scan = 1;
+
+    wm_office365_state tenant_state_struc;
+    tenant_state_struc.last_log_time = 123456789;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    data->office365_config->only_future_events = 0;
+
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"access_token_value\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    /* wm_office365_get_access_token */
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    /* wm_office365_get_access_token */
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&tenant_state_struc);
+
+    /* wm_office365_manage_subscription */
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    expect_string(__wrap_wurl_http_request, header, "Authorization: Bearer access_token_value");
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+    /* wm_office365_manage_subscription */
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-07 12:24:56");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-05-08 12:24:55");
+    will_return(__wrap_strftime, 20);
+
+    /* wm_office365_get_content_blobs */
+    expect_any(__wrap_wurl_http_request, method);
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+
+    expect_string(__wrap_wurl_http_request, header, "Authorization: Bearer access_token_value");
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting content blobs.");
+    /* wm_office365_get_content_blobs */
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    wm_office365_execute_scan(data->office365_config, initial_scan);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+}
+
+void test_wm_office365_execute_scan_get_logs_from_blob_response_null(void **state) {
+    test_struct_t *data  = (test_struct_t *)*state;
+    size_t max_size = OS_SIZE_8192;
+    wm_office365_state tenant_state_struc;
+
+    tenant_state_struc.last_log_time = 123456789;
+
+    os_calloc(1, sizeof(wm_office365_auth), data->office365_config->auth);
+    os_strdup("test_tenant_id", data->office365_config->auth->tenant_id);
+    os_strdup("test_client_id", data->office365_config->auth->client_id);
+    os_strdup("test_client_secret", data->office365_config->auth->client_secret);
+    os_strdup(WM_OFFICE365_DEFAULT_API_LOGIN_FQDN, data->office365_config->auth->login_fqdn);
+    os_strdup(WM_OFFICE365_DEFAULT_API_MANAGEMENT_FQDN, data->office365_config->auth->management_fqdn);
+    os_calloc(1, sizeof(wm_office365_subscription), data->office365_config->subscription);
+    os_strdup("test_subscription_name", data->office365_config->subscription->subscription_name);
+    data->office365_config->only_future_events = 0;
+
+    os_calloc(1, sizeof(curl_response), data->response);
+    data->response->status_code = 200;
+    os_strdup("{\"access_token\":\"wazuh\"}", data->response->body);
+    os_strdup("test", data->response->header);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Scanning tenant: 'test_tenant_id'");
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, data->response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, data->response);
+
+    expect_string(__wrap_wm_state_io, tag, "office365-test_tenant_id-test_subscription_name");
+    expect_value(__wrap_wm_state_io, op, WM_IO_READ);
+    expect_any(__wrap_wm_state_io, state);
+    expect_any(__wrap_wm_state_io, size);
+    will_return(__wrap_wm_state_io, 0);
+    will_return(__wrap_wm_state_io, (void *)&tenant_state_struc);
+
+    curl_response *manage_subscription_response;
+    os_calloc(1, sizeof(curl_response), manage_subscription_response);
+    manage_subscription_response->status_code = 200;
+    manage_subscription_response->max_size_reached = false;
+    os_strdup("{\"test\":\"wazuh\"}", manage_subscription_response->body);
+    os_strdup("test", manage_subscription_response->header);
+
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, manage_subscription_response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, manage_subscription_response);
+
+    // while ((end_time - start_time) > 0)
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-06-11T12:24:56Z");
+    will_return(__wrap_strftime, 20);
+
+#ifndef WIN32
+    will_return(__wrap_gmtime_r, 1);
+#endif
+
+    will_return(__wrap_strftime,"2021-06-11T12:34:56Z");
+    will_return(__wrap_strftime, 20);
+
+    // wm_office365_get_content_blobs
+    curl_response *get_content_blobs_response;
+    os_calloc(1, sizeof(curl_response), get_content_blobs_response);
+    get_content_blobs_response->status_code = 200;
+    get_content_blobs_response->max_size_reached = false;
+    os_strdup("[{\"contentUri\":\"https://contentUri1.com\"}]", get_content_blobs_response->body);
+    os_strdup("test", get_content_blobs_response->header);
+
+    expect_any(__wrap__mdebug1, formatted_msg);
+
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, get_content_blobs_response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_any(__wrap__mtdebug1, formatted_msg);
+
+    expect_value(__wrap_wurl_free_response, response, get_content_blobs_response);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Office 365 API content URI: 'https://contentUri1.com'");
+
+    expect_string(__wrap_wurl_http_request, header, "Content-Type: application/json");
+    expect_string(__wrap_wurl_http_request, header, "Authorization: Bearer wazuh");
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, method);
+    expect_any(__wrap_wurl_http_request, header);
+    expect_any(__wrap_wurl_http_request, url);
+    expect_any(__wrap_wurl_http_request, payload);
+    expect_any(__wrap_wurl_http_request, max_size);
+    expect_value(__wrap_wurl_http_request, timeout, WM_OFFICE365_DEFAULT_CURL_REQUEST_TIMEOUT);
+    will_return(__wrap_wurl_http_request, NULL);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:office365");
+    expect_string(__wrap__mtdebug1, formatted_msg, "Unknown error while getting logs from blob.");
+
+    wm_office365_execute_scan(data->office365_config, 0);
+
+    os_free(data->response->body);
+    os_free(data->response->header);
+    os_free(data->response);
+
+    os_free(manage_subscription_response->body);
+    os_free(manage_subscription_response->header);
+    os_free(manage_subscription_response);
+
+    os_free(get_content_blobs_response->body);
+    os_free(get_content_blobs_response->header);
+    os_free(get_content_blobs_response);
+}
+
+int main(void) {
+    const struct CMUnitTest tests_configuration[] = {
+        cmocka_unit_test_setup_teardown(test_read_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_configuration_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_default_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_s, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_s_fail, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_m, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_m_fail, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_h, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_h_fail, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_d, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_interval_d_fail, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_curl_max_size, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_curl_max_size_invalid_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_curl_max_size_invalid_2, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_curl_max_size_invalid_3, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_secret_path_and_secret, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_fake_tag_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_2, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_3, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_content_4, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_invalid_interval, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_auth, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_auth_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_tenant_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_tenant_id_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_id, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_id_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_secret, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_secret_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_secret_path, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_client_secret_path_1, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_type, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_error_api_type_1, setup_test_read, teardown_test_read),
+    };
+    const struct CMUnitTest tests_functionality[] = {
+        cmocka_unit_test_setup_teardown(test_wm_office365_main_disabled, setup_conf, teardown_conf),
+        #ifndef WIN32
+            cmocka_unit_test_setup_teardown(test_wm_office365_main_fail_StartMQ, setup_conf, teardown_conf),
+            cmocka_unit_test_setup_teardown(test_wm_office365_main_enable, setup_conf, teardown_conf),
+        #endif
+        cmocka_unit_test_setup_teardown(test_wm_office365_dump_no_options, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_dump_yes_options_empty_arrays, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_dump_yes_options, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_path, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_response_400, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_response_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_response_max_size_reached, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_error_json_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_access_token_with_auth_secret_response_200, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_stop_error_json_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_stop_error_max_size_reached, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_start_code_200, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_start_response_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_stop_code_400_error_AF20024, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_manage_subscription_stop_code_400_error_different_AF20024, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_fail_by_tenant_and_subscription_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_fail_by_tenant_and_subscription_not_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_content_blobs_response_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_content_blobs_response_max_size_reached, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_content_blobs_error_json_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_content_blobs_bad_response, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_content_blobs_400_code_AF20055, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_scan_failure_action_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_scan_failure_action_no_fail, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_scan_failure_action_null_mult_next, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_scan_failure_action_not_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_scan_failure_action_not_null_error_msg, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_response_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_response_max_size_reached, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_response_parsing_error, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_response_code_400, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_response_no_array, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_get_logs_from_blob_ok, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_initial_scan_only_future_events, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_access_token_null, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_manage_subscription_error, setup_conf, teardown_conf),
+        cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_saving_running_state_error, setup_conf, teardown_conf),
+        #ifndef WIN32
+            cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_content_blobs_fail, setup_conf, teardown_conf),
+            cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_get_logs_from_blob_response_null, setup_conf, teardown_conf),
+            cmocka_unit_test_setup_teardown(test_wm_office365_execute_scan_all, setup_conf, teardown_conf),
+        #endif
+    };
+
+    int result;
+    result = cmocka_run_group_tests(tests_configuration, NULL, NULL);
+    result += cmocka_run_group_tests(tests_functionality, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/osquery/CMakeLists.txt b/src/modules/osquery/CMakeLists.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modules/osquery/include/wm_osquery_monitor.h b/src/modules/osquery/include/wm_osquery_monitor.h
new file mode 100644
index 0000000000..5e1eaac42a
--- /dev/null
+++ b/src/modules/osquery/include/wm_osquery_monitor.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "../headers/shared.h"
+
+#ifndef WM_OSQUERYMONITOR
+#define WM_OSQUERYMONITOR
+
+#define WM_OSQUERYMONITOR_LOGTAG ARGV0 ":osquery"
+
+extern const wm_context WM_OSQUERYMONITOR_CONTEXT;
+
+typedef struct wm_osquery_pack_t {
+    char * name;
+    char * path;
+} wm_osquery_pack_t;
+
+typedef struct wm_osquery_monitor_t {
+   char* bin_path;
+   char* log_path;
+   char* config_path;
+   int disable;
+   int msg_delay;
+   int queue_fd;
+   wm_osquery_pack_t ** packs;
+   signed int add_labels:2;
+   signed int run_daemon:2;
+} wm_osquery_monitor_t;
+
+int wm_osquery_monitor_read(xml_node **nodes, wmodule *module);
+
+#endif
diff --git a/src/modules/osquery/src/wm_osquery_monitor.c b/src/modules/osquery/src/wm_osquery_monitor.c
new file mode 100644
index 0000000000..7c9bdce8ff
--- /dev/null
+++ b/src/modules/osquery/src/wm_osquery_monitor.c
@@ -0,0 +1,730 @@
+/*
+ * Wazuh Integration with Osquery
+ * Copyright (C) 2015, Wazuh Inc.
+ * April 5, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+#include <sys/stat.h>
+#include <pthread.h>
+#include <time.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <stdio.h>
+
+#define TMP_CONFIG_PATH "tmp/osquery.conf.tmp"
+
+#ifdef WIN32
+#define OSQUERYD_BIN "osqueryd.exe"
+#else
+#define OSQUERYD_BIN "osqueryd"
+#endif
+
+#undef minfo
+#undef mwarn
+#undef merror
+#undef mdebug1
+#undef mdebug2
+
+#define minfo(msg, ...) _mtinfo(WM_OSQUERYMONITOR_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mwarn(msg, ...) _mtwarn(WM_OSQUERYMONITOR_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define merror(msg, ...) _mterror(WM_OSQUERYMONITOR_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mdebug1(msg, ...) _mtdebug1(WM_OSQUERYMONITOR_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mdebug2(msg, ...) _mtdebug2(WM_OSQUERYMONITOR_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+#ifdef WIN32
+static DWORD WINAPI wm_osquery_monitor_main(void *arg);
+#else
+static void *wm_osquery_monitor_main(wm_osquery_monitor_t *osquery_monitor);
+#endif
+static void wm_osquery_monitor_destroy(wm_osquery_monitor_t *osquery_monitor);
+static int wm_osquery_check_logfile(const char * path, FILE * fp);
+static int wm_osquery_packs(wm_osquery_monitor_t *osquery);
+STATIC char * wm_osquery_already_running(char * text);
+cJSON *wm_osquery_dump(const wm_osquery_monitor_t *osquery_monitor);
+
+static volatile int active = 1;
+
+const wm_context WM_OSQUERYMONITOR_CONTEXT = {
+    .name = "osquery",
+    .start = (wm_routine)wm_osquery_monitor_main,
+    .destroy = (void(*)(void *))wm_osquery_monitor_destroy,
+    .dump = (cJSON * (*)(const void *))wm_osquery_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+void *Read_Log(wm_osquery_monitor_t * osquery)
+{
+    int i = 0;
+    wino_t current_inode;
+    char line[OS_MAXSTR];
+    FILE *result_log = NULL;
+    char * end;
+    char * payload;
+    cJSON * root;
+    cJSON * name;
+    cJSON * osquery_json;
+    char * begin;
+
+    while (active) {
+        // Wait to open log file
+
+        while (result_log = wfopen(osquery->log_path, "r"), !result_log && active) {
+            i += i < 60;
+            mwarn("Results file '%s' not available: %s (%d). Retrying in %d sec.", osquery->log_path, strerror(errno), errno, i);
+            sleep(i);
+        }
+
+        if (!active) {
+            if (result_log) {
+                fclose(result_log);
+            }
+
+            break;
+        }
+
+        minfo("Following osquery results file '%s'.", osquery->log_path);
+
+        // Move to end of the file
+
+        if (fseek(result_log, 0, SEEK_END) < 0) {
+            merror(FSEEK_ERROR, osquery->log_path, errno, strerror(errno));
+            fclose(result_log);
+            continue;
+        }
+
+        // Save file inode
+
+        if (current_inode = get_fp_inode(result_log), current_inode == (wino_t)-1) {
+            merror("Couldn't get inode of file '%s': %s (%d)", osquery->log_path, strerror(errno), errno);
+            fclose(result_log);
+            continue;
+        }
+
+        // Read the file
+
+        while (active) {
+            clearerr(result_log);
+
+            // Get file until EOF
+
+            while (fgets(line, OS_MAXSTR, result_log)) {
+
+                // Remove newline
+
+                if (end = strchr(line, '\n'), end) {
+                    *end = '\0';
+                }
+
+                const char *jsonErrPtr;
+                if (osquery_json = cJSON_ParseWithOpts(line, &jsonErrPtr, 0), osquery_json) {
+
+                    // Nest object into a "osquery" object
+
+                    root = cJSON_CreateObject();
+                    cJSON_AddItemToObject(root, "osquery", osquery_json);
+
+                    if (!cJSON_GetObjectItem(osquery_json, "pack")) {
+
+                        // Try to find a name matching "pack_.*_.+"
+
+                        if (name = cJSON_GetObjectItem(osquery_json, "name"), name && cJSON_IsString(name)) {
+                            if (strstr(name->valuestring, "pack_")) {
+                                begin = name->valuestring + 5;
+
+                                if (end = strchr(begin, '_'), end && end[1]) {
+                                    *end = '\0';
+                                    cJSON_AddStringToObject(osquery_json, "pack", begin);
+                                    *end = '_';
+                                    end += 1;
+                                    cJSON_AddStringToObject(osquery_json, "subquery", end);
+                                }
+                            }
+                        }
+                    }
+
+                    payload = cJSON_PrintUnformatted(root);
+                    mdebug2("Sending... '%s'", payload);
+
+                    if (wm_sendmsg(osquery->msg_delay, osquery->queue_fd, payload, "osquery", LOCALFILE_MQ) < 0) {
+                        mterror(WM_OSQUERYMONITOR_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+                    }
+
+                    free(payload);
+                    cJSON_Delete(root);
+                } else {
+                    static int reported = 0;
+
+                    if (!reported) {
+                        mwarn("Result line not in JSON format: '%64s'...", line);
+                        reported = 1;
+                    }
+                }
+            }
+
+            // Check if result path inode has changed.
+
+            switch (wm_osquery_check_logfile(osquery->log_path, result_log)) {
+            case -1:
+                if (errno == ENOENT) {
+                    minfo("Results file '%s' was deleted.", osquery->log_path);
+                } else {
+                    mwarn("Couldn't access results file '%s': %s (%d)", osquery->log_path, strerror(errno), errno);
+                }
+
+                goto endloop;
+            case 0:
+                // File did not change
+                sleep(1);
+                break;
+            case 1:
+                minfo("Results file '%s' truncated. Reloading.", osquery->log_path);
+
+                if (fseek(result_log, 0, SEEK_SET) < 0) {
+                    merror(FSEEK_ERROR, osquery->log_path, errno, strerror(errno));
+                    goto endloop;
+                }
+
+                break;
+            case 2:
+                minfo("Results file '%s' rotated. Reloading.", osquery->log_path);
+                goto endloop;
+            }
+        }
+
+endloop:
+        fclose(result_log);
+    }
+
+    return NULL;
+}
+
+/*
+ * Check if file changed.
+ * -1: error, file no longer exists.
+ * 0: file did not change.
+ * 1: file truncated.
+ * 2: file rotated (inode changed)
+ */
+int wm_osquery_check_logfile(const char * path, FILE * fp) {
+    struct stat buf;
+    wino_t old_inode;
+    long old_size;
+
+    if (old_inode = get_fp_inode(fp), old_inode == (wino_t)-1) {
+        return -1;
+    } else if (old_size = ftell(fp), old_size < 0) {
+        return -1;
+    }
+
+    if (stat(path, &buf) < 0) {
+        return -1;
+    }
+
+#ifdef WIN32
+    HANDLE hFile;
+    BY_HANDLE_FILE_INFORMATION fileInfo;
+
+    if (hFile = CreateFile(path, GENERIC_READ, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL), hFile == INVALID_HANDLE_VALUE) {
+        return -1;
+    }
+
+    if (GetFileInformationByHandle(hFile, &fileInfo) == 0) {
+        CloseHandle(hFile);
+        return -1;
+    }
+
+    CloseHandle(hFile);
+
+    if (((wino_t)fileInfo.nFileIndexHigh << 32 | fileInfo.nFileIndexLow) != old_inode) {
+        return 2;
+    }
+
+#else
+    if (buf.st_ino != old_inode) {
+        return 2;
+    }
+#endif
+
+    return buf.st_size < old_size ? 1 : 0;
+}
+
+void *Execute_Osquery(wm_osquery_monitor_t *osquery)
+{
+    char osqueryd_path[PATH_MAX];
+    char config_path[PATH_MAX];
+    char * strpid = NULL;
+    int running_count = 0;
+
+    // Windows agent needs the complete path to osqueryd
+#ifndef WIN32
+    if (!(osquery->bin_path && *osquery->bin_path)) {
+        /* Osquery installation path was moved from /usr/local to /opt/osquery in Osquery v5.0.1,
+        so we check both paths by default to support older and newer versions */
+        if (w_is_file("/opt/osquery/bin/" OSQUERYD_BIN)) {
+            snprintf(osqueryd_path, sizeof(osqueryd_path), "%s/" OSQUERYD_BIN, "/opt/osquery/bin");
+        } else {
+            strncpy(osqueryd_path, OSQUERYD_BIN, sizeof(osqueryd_path));
+            osqueryd_path[sizeof(osqueryd_path) - 1] = '\0';
+        }
+    } else
+#endif
+    {
+        snprintf(osqueryd_path, sizeof(osqueryd_path), "%s/" OSQUERYD_BIN, osquery->bin_path);
+    }
+
+    mdebug1("Launching '%s' with config file '%s'", osqueryd_path, osquery->config_path);
+
+#ifdef WIN32
+    snprintf(config_path, sizeof(config_path), "--config_path=\"%s\"", osquery->config_path);
+#else
+    snprintf(config_path, sizeof(config_path), "--config_path=%s", osquery->config_path);
+#endif
+
+    // We check that the osquery demon is not down, in which case we run it again.
+
+    while (1) {
+        char buffer[4096];
+        time_t time_started;
+        wfd_t * wfd;
+        int wstatus;
+        char * text;
+        char * end;
+
+        // Check that the configuration file is valid
+
+        if (access(osquery->config_path, R_OK) < 0) {
+            mwarn("The configuration file '%s' is not accessible: %s (%d)", osquery->config_path, strerror(errno), errno);
+            sleep(600);
+            continue;
+        }
+
+        // Run osquery
+
+        if (wfd = wpopenl(osqueryd_path, W_BIND_STDERR, osqueryd_path, config_path, NULL), !wfd) {
+            mwarn("Couldn't execute osquery (%s). Sleeping for 10 minutes.", osqueryd_path);
+            sleep(600);
+            continue;
+        }
+
+#ifdef WIN32
+        wm_append_handle(wfd->pinfo.hProcess);
+#else
+        if (0 <= wfd->pid) {
+            wm_append_sid(wfd->pid);
+        }
+#endif
+
+        time_started = time(NULL);
+
+        // Get stderr
+
+        while (fgets(buffer, sizeof(buffer), wfd->file_out)) {
+            // Filter Bash colors: \e[*m
+            text = buffer[0] == '\e' && buffer[1] == '[' && (end = strchr(buffer + 2, 'm'), end) ? end + 1 : buffer;
+
+            // Remove newline
+            if (end = strchr(text, '\n'), end) {
+                *end = '\0';
+            }
+
+            if (strlen(text)) {
+                // Parse most common osquery errors
+
+                if (strstr(text, "[Ref #1382]")) {
+                    mwarn("osqueryd has unsafe permissions.");
+                } else if (strstr(text, "[Ref #1629]")) {
+                    mwarn("osqueryd initialize failed: Could not initialize database.");
+                } else if (end = wm_osquery_already_running(text), end) {
+                    os_free(strpid);
+                    strpid = end;
+
+                    // Don't report the first time
+
+                    if (!running_count++) {
+                        continue;
+                    }
+                }
+                else {
+                    switch (text[0]) {
+                    case 'E':
+                    case 'W':
+                        mwarn("%s", text);
+                        break;
+                    default:
+                        mdebug2("%s", text);
+                    }
+                }
+
+                // Report to manager
+
+                if (wm_sendmsg(osquery->msg_delay, osquery->queue_fd, text, "osquery", LOCALFILE_MQ) < 0) {
+                    mterror(WM_OSQUERYMONITOR_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+                }
+            }
+        }
+
+#ifdef WIN32
+        wm_remove_handle(wfd->pinfo.hProcess);
+#else
+        if (0 <= wfd->pid) {
+            wm_remove_sid(wfd->pid);
+        }
+#endif
+
+        // If this point is reached, osquery exited
+        int wp_closefd = wpclose(wfd);
+        wstatus = WEXITSTATUS(wp_closefd);
+
+        if (wstatus == 127) {
+            // 127 means error in exec
+            merror("Couldn't execute osquery (%s). Check file and permissions. Sleeping for 10 minutes.", osqueryd_path);
+            sleep(600);
+        } else if (strpid) {
+            // Osquery is already running.
+            if (running_count == 1) {
+                minfo("osqueryd is already running with pid %s. Will run again in 1 minute.", strpid);
+                sleep(60);
+            } else {
+                minfo("osqueryd is already running with pid %s. Will run again in 10 minutes.", strpid);
+                sleep(600);
+            }
+        } else if (time(NULL) - time_started < 10) {
+            // If osquery was alive less than 10 seconds, give up
+            merror("Osquery exited with code %d. Closing module.", wstatus);
+            active = 0;
+            break;
+        } else {
+            mwarn("Osquery exited with code %d. Restarting.", wstatus);
+        }
+    }
+
+    os_free(strpid);
+    return NULL;
+}
+
+char * wm_osquery_already_running(char * text) {
+    const char * PATTERNS[] = { "osqueryd (", ") is already running" , "Pidfile::Error::Busy" };
+    char * begin;
+    char * end;
+
+    // Find "osqueryd (xxxx) is already running"
+    if (text != NULL) {
+        if (begin = strstr(text, PATTERNS[0]), begin && (end = strstr(begin += strlen(PATTERNS[0]), PATTERNS[1]), end)) {
+            *end = '\0';
+            os_strdup(begin, text);
+            *end = *PATTERNS[1];
+
+            // Find "Pidfile::Error::Busy"
+        } else if (strstr(text, PATTERNS[2]) != NULL) {
+            os_strdup("unknown", text);
+        } else {
+            text = NULL;
+        }
+    }
+    return text;
+}
+
+int wm_osquery_decorators(wm_osquery_monitor_t * osquery)
+{
+    char *key = NULL;
+    char *value = NULL;
+    cJSON *root = NULL;
+    cJSON *decorators;
+    cJSON *always;
+    wlabel_t *labels;
+    char buffer[OS_MAXSTR];
+    int retval = -1;
+    int i;
+
+    // Is label addition enabled?
+
+    if (!osquery->add_labels) {
+        return 0;
+    }
+
+    os_calloc(1, sizeof(wlabel_t), labels);
+
+    if (ReadConfig(CLABELS, OSSECCONF, &labels, NULL) < 0)
+        goto end;
+
+#ifdef CLIENT
+    ReadConfig(CLABELS | CAGENT_CONFIG, AGENTCONFIG, &labels, NULL);
+#endif
+
+    // Do we have labels defined?
+
+    if (!labels[0].key) {
+        retval = 0;
+        goto end;
+    }
+
+    // Load original osquery configuration
+
+    if (root = json_fread(osquery->config_path, 1), !root) {
+        if (errno) {
+            merror("Couldn't load configuration file '%s': %s (%d)", osquery->config_path, strerror(errno), errno);
+        } else {
+            merror("Couldn't load configuration file '%s'. Maybe format is invalid.", osquery->config_path);
+        }
+
+        goto end;
+    }
+
+    // Add labels to JSON as decorators
+
+    if (decorators = cJSON_GetObjectItem(root, "decorators"), !decorators) {
+        decorators = cJSON_CreateObject();
+        cJSON_AddItemToObject(root, "decorators", decorators);
+    }
+
+    if (always = cJSON_GetObjectItem(decorators, "always"), !always) {
+        always = cJSON_CreateArray();
+        cJSON_AddItemToObject(decorators, "always", always);
+    }
+
+    for (i = 0; labels[i].key; ++i) {
+        if (labels[i].flags.hidden) {
+            continue;
+        }
+
+        // Prevent SQL injection
+        key = wstr_replace(labels[i].key, "'", "''");
+        value = wstr_replace(labels[i].value, "'", "''");
+
+        if (snprintf(buffer, sizeof(buffer), "SELECT '%s' AS '%s';", value, key) < (int)sizeof(buffer)) {
+            mdebug2("Adding decorator: %s", buffer);
+            cJSON_AddItemToArray(always, cJSON_CreateString(buffer));
+        } else {
+            mwarn("Label '%s' too long. Couldn't insert decorator.", labels[i].key);
+        }
+
+        free(key);
+        free(value);
+    }
+
+    // Change configuration file path
+
+    free(osquery->config_path);
+
+    os_strdup(TMP_CONFIG_PATH, osquery->config_path);
+
+    // Write new configuration
+
+    if (json_fwrite(osquery->config_path, root) < 0) {
+        merror("Couldn't write JSON content into configuration '%s': %s (%d)", osquery->config_path, strerror(errno), errno);
+        goto end;
+    }
+
+    retval = 0;
+
+end:
+    labels_free(labels);
+    cJSON_Delete(root);
+    return retval;
+}
+
+int wm_osquery_packs(wm_osquery_monitor_t *osquery)
+{
+    cJSON * root;
+    cJSON * packs;
+    int i;
+    int retval = 0;
+
+    // Do we have packs defined?
+
+    for (i = 0; osquery->packs[i]; ++i);
+
+    if (!i) {
+        return 0;
+    }
+
+    // Load original osquery configuration
+
+    if (root = json_fread(osquery->config_path, 1), !root) {
+        if (errno) {
+            merror("Couldn't load configuration file '%s': %s (%d)", osquery->config_path, strerror(errno), errno);
+        } else {
+            merror("Couldn't load configuration file '%s'. Maybe format is invalid.", osquery->config_path);
+        }
+
+        return -1;
+    }
+
+    // Add packs to JSON
+
+    if (packs = cJSON_GetObjectItem(root, "packs"), !packs) {
+        packs = cJSON_CreateObject();
+        cJSON_AddItemToObject(root, "packs", packs);
+    }
+
+    for (i = 0; osquery->packs[i]; ++i) {
+        if (strcmp(osquery->packs[i]->name, "*")) {
+            // Check if the file exists
+
+            if (access(osquery->packs[i]->path, R_OK) < 0) {
+                mwarn("Possible invalid configuration: Pack file '%s' is not accessible: %s (%d)", osquery->packs[i]->path, strerror(errno), errno);
+            }
+        } else if (!strchr(osquery->packs[i]->path, '*')) {
+            // If name is "*" but no "*" is in the path, log a warning
+            mwarn("Possible invalid configuration for pack '*' (%s): no such wildcards.", osquery->packs[i]->path);
+        }
+
+        cJSON_AddStringToObject(packs, osquery->packs[i]->name, osquery->packs[i]->path);
+    }
+
+    // Change configuration file path
+
+    free(osquery->config_path);
+
+    os_strdup(TMP_CONFIG_PATH, osquery->config_path);
+
+    // Write new configuration
+
+    if (json_fwrite(osquery->config_path, root) < 0) {
+        merror("Couldn't write JSON content into configuration '%s': %s (%d)", osquery->config_path, strerror(errno), errno);
+        retval = -1;
+    }
+
+    cJSON_Delete(root);
+    return retval;
+}
+
+#ifdef WIN32
+DWORD WINAPI wm_osquery_monitor_main(void *arg) {
+    wm_osquery_monitor_t *osquery = (wm_osquery_monitor_t *)arg;
+#else
+void *wm_osquery_monitor_main(wm_osquery_monitor_t *osquery) {
+#endif
+    pthread_t tlauncher = 0;
+    pthread_t treader = 0;
+
+    if (osquery->disable) {
+        minfo("Module disabled. Exiting...");
+#ifdef WIN32
+        return 0;
+#else
+        return NULL;
+#endif
+    }
+
+    minfo("Module started.");
+    osquery->msg_delay = 1000000 / wm_max_eps;
+
+#ifndef WIN32
+    // Connect to queue
+
+    osquery->queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+    if (osquery->queue_fd < 0) {
+        mterror(WM_OSQUERYMONITOR_LOGTAG, "Can't connect to queue. Closing module.");
+        return NULL;
+    }
+
+#endif
+
+    if( pthread_create(&treader, NULL, (void *)&Read_Log, osquery) != 0){
+        merror("Error while creating Read_Log thread.");
+#ifdef WIN32
+        return 0;
+#else
+        return NULL;
+#endif
+    }
+
+    if (osquery->run_daemon) {
+        // Handle configuration
+
+        if (wm_osquery_packs(osquery) < 0 || wm_osquery_decorators(osquery) < 0) {
+#ifdef WIN32
+            return 0;
+#else
+            return NULL;
+#endif
+        }
+
+        if( pthread_create(&tlauncher, NULL, (void *)&Execute_Osquery, osquery) != 0){
+            merror("Error while creating Execute_Osquery thread.");
+#ifdef WIN32
+            return 0;
+#else
+            return NULL;
+#endif
+        }
+        pthread_join(tlauncher, NULL);
+    } else {
+        minfo("run_daemon disabled, finding detached osquery process results.");
+    }
+
+    pthread_join(treader, NULL);
+
+    minfo("Closing module.");
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+void wm_osquery_monitor_destroy(wm_osquery_monitor_t *osquery_monitor) {
+    int i;
+
+    if (osquery_monitor)
+    {
+        free(osquery_monitor->bin_path);
+        free(osquery_monitor->log_path);
+        free(osquery_monitor->config_path);
+
+        for (i = 0; osquery_monitor->packs[i]; ++i) {
+            free(osquery_monitor->packs[i]->name);
+            free(osquery_monitor->packs[i]->path);
+            free(osquery_monitor->packs[i]);
+        }
+
+        free(osquery_monitor->packs);
+        free(osquery_monitor);
+    }
+}
+
+// Get read data
+cJSON *wm_osquery_dump(const wm_osquery_monitor_t *osquery_monitor) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_osq = cJSON_CreateObject();
+    unsigned int i;
+
+    if (osquery_monitor->disable) cJSON_AddStringToObject(wm_osq,"disabled","yes"); else cJSON_AddStringToObject(wm_osq,"disabled","no");
+    if (osquery_monitor->run_daemon) cJSON_AddStringToObject(wm_osq,"run_daemon","yes"); else cJSON_AddStringToObject(wm_osq,"run_daemon","no");
+    if (osquery_monitor->add_labels) cJSON_AddStringToObject(wm_osq,"add_labels","yes"); else cJSON_AddStringToObject(wm_osq,"add_labels","no");
+    if (osquery_monitor->bin_path) cJSON_AddStringToObject(wm_osq,"bin_path",osquery_monitor->bin_path);
+    if (osquery_monitor->log_path) cJSON_AddStringToObject(wm_osq,"log_path",osquery_monitor->log_path);
+    if (osquery_monitor->config_path) cJSON_AddStringToObject(wm_osq,"config_path",osquery_monitor->config_path);
+
+    if (osquery_monitor->packs && *osquery_monitor->packs) {
+        cJSON *packs = cJSON_CreateArray();
+        for (i=0;osquery_monitor->packs[i] && osquery_monitor->packs[i]->name;i++) {
+            cJSON *pack = cJSON_CreateObject();
+            cJSON_AddStringToObject(pack,"name",osquery_monitor->packs[i]->name);
+            cJSON_AddStringToObject(pack,"path",osquery_monitor->packs[i]->path);
+            cJSON_AddItemToArray(packs, pack);
+        }
+        cJSON_AddItemToObject(wm_osq,"packs",packs);
+    }
+
+    cJSON_AddItemToObject(root,"osquery",wm_osq);
+
+    return root;
+}
diff --git a/src/modules/osquery/tests/unit/tests/CMakeLists.txt b/src/modules/osquery/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..4501b02418
--- /dev/null
+++ b/src/modules/osquery/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,81 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_osquery_already_running")
+list(APPEND tests_flags "-Wl,--wrap,access -Wl,--wrap,wurl_http_request \
+                         -Wl,--wrap,wurl_free_response -Wl,--wrap,wm_sendmsg -Wl,--wrap,strftime \
+                         -Wl,--wrap,wm_state_io -Wl,--wrap,time -Wl,--wrap,StartMQ \
+                         -Wl,--wrap=syscom_dispatch -Wl,--wrap=Start_win32_Syscheck \ -Wl,--wrap=is_fim_shutdown \
+                         -Wl,--wrap=_imp__dbsync_initialize -Wl,--wrap=_imp__rsync_initialize -Wl,--wrap=fim_db_teardown \
+                         -Wl,--wrap,fim_sync_push_msg -Wl,--wrap,fim_run_integrity -Wl,--wrap,fim_db_remove_path \
+                         -Wl,--wrap,fim_db_get_path -Wl,--wrap,fim_db_transaction_start -Wl,--wrap,fim_db_transaction_deleted_rows \
+                         -Wl,--wrap,fim_db_transaction_sync_row -Wl,--wrap,fim_db_file_update -Wl,--wrap,fim_db_file_pattern_search \
+                         -Wl,--wrap,fim_db_init,--wrap,getpid")
+
+# Generate wazuh modules library
+file(GLOB osquery ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM osquery ../../../wazuh_modules/main.o)
+
+add_library(OSQUERY_O STATIC ${osquery})
+
+set_source_files_properties(
+  ${osquery}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  OSQUERY_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(OSQUERY_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    if(${TARGET} STREQUAL "server")
+        target_link_libraries(
+            ${test_name}
+            ${WAZUHLIB}
+            ${WAZUHEXT}
+            OSQUERY_O
+            -lcmocka
+            -ldl
+            -fprofile-arcs
+            -ftest-coverage
+        )
+    else()
+        target_link_libraries(
+            ${test_name}
+            ${TEST_DEPS}
+        )
+    endif()
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/modules/osquery/tests/unit/tests/test_wm_osquery_already_running.c b/src/modules/osquery/tests/unit/tests/test_wm_osquery_already_running.c
new file mode 100644
index 0000000000..a5b8b1737c
--- /dev/null
+++ b/src/modules/osquery/tests/unit/tests/test_wm_osquery_already_running.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+char * wm_osquery_already_running(char * text);
+
+void test_wm_osquery_already_running_null(void **state)
+{
+    char *input = NULL;
+    char *output = wm_osquery_already_running(input);
+
+    assert_null(output);
+}
+
+void test_wm_osquery_already_running_pattern_1(void **state)
+{
+    char input[] = "osqueryd (1000) is already running";
+    char *output = wm_osquery_already_running(input);
+
+    assert_non_null(output);
+    assert_string_equal(output, "1000");
+
+    free(output);
+}
+
+void test_wm_osquery_already_running_pattern_2(void **state)
+{
+    char input[] = "Pidfile::Error::Busy";
+    char *output = wm_osquery_already_running(input);
+
+    assert_non_null(output);
+    assert_string_equal(output, "unknown");
+
+    free(output);
+}
+
+void test_wm_osquery_already_running_no_match(void **state)
+{
+    char input[] = "No match";
+    char *output = wm_osquery_already_running(input);
+    assert_null(output);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // wm_osquery_already_running
+        cmocka_unit_test(test_wm_osquery_already_running_null),
+        cmocka_unit_test(test_wm_osquery_already_running_pattern_1),
+        cmocka_unit_test(test_wm_osquery_already_running_pattern_2),
+        cmocka_unit_test(test_wm_osquery_already_running_no_match),
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/rootcheck/include/rootcheck.h b/src/modules/rootcheck/include/rootcheck.h
index e69de29bb2..bff9d284bc 100644
--- a/src/modules/rootcheck/include/rootcheck.h
+++ b/src/modules/rootcheck/include/rootcheck.h
@@ -0,0 +1,152 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef ROOTCHECK_H
+#define ROOTCHECK_H
+
+#include "list_op.h"
+#include "../config/rootcheck-config.h"
+#include <cJSON.h>
+
+#ifdef WIN32
+#define PATH_SEP '\\'
+#else
+#define PATH_SEP '/'
+#endif
+
+extern rkconfig rootcheck;
+
+/* Output types */
+#define QUEUE       101
+#define SYSLOG_RK   102
+
+/* Maximum files to search on the whole system */
+#define MAX_RK_SYS      512
+
+/* rk_types */
+#define ALERT_OK                0
+#define ALERT_SYSTEM_ERR        1
+#define ALERT_SYSTEM_CRIT       2
+#define ALERT_ROOTKIT_FOUND     3
+#define ALERT_POLICY_VIOLATION  4
+
+#define ROOTCHECK           "rootcheck"
+
+/* Default to 12 hours */
+#define ROOTCHECK_WAIT          43200
+
+/** Prototypes **/
+
+/* Check if file is present on dir */
+int isfile_ondir(const char *file, const char *dir);
+
+int rk_check_file(char *file, char *pattern);
+
+int rk_check_dir(const char *dir, const char *file, char *pattern);
+
+/* Parse read config into JSON format */
+cJSON *getRootcheckConfig(void);
+
+/* Check if pattern is present on string */
+int pt_matches(const char *str, char *pattern);
+
+/* Check if the patterns is made up completely of negate matches */
+int pt_check_negate(const char *pattern);
+
+/* Check if a file exist (using stat, fopen and opendir) */
+int is_file(char *file_name);
+
+/* Check if an entry is in the registry */
+int is_registry(char *entry_name, char *reg_option, char *reg_value);
+
+/* Read cl configuration file */
+int rkcl_get_entry(FILE *fp, const char *msg, OSList *p_list);
+
+/* Normalize a string, removing white spaces and tabs
+ * from the beginning and the end of it.
+ */
+char *normalize_string(char *str);
+
+/* Check if regex is present on the file.
+ * Similar to `strings file | grep -r regex`
+ */
+int os_string(char *file, char *regex);
+
+/* Check for NTFS ADS (Windows only) */
+int os_check_ads(const char *full_path);
+
+/* Get list of processes */
+OSList *os_get_process_list(void);
+
+/* Check if a process is running */
+int is_process(char *value, OSList *p_list);
+
+/*  Delete the process list */
+int del_plist(OSList *p_list);
+
+/* Used to report messages */
+int notify_rk(int rk_type, const char *msg);
+
+/* Start the rootcheck externally */
+int rootcheck_init(int test_config);
+
+/* Connect Rootcheck queue */
+void rootcheck_connect();
+
+/* run_rk_check: checks the integrity of the files against the
+ * saved database
+ */
+void run_rk_check(void);
+
+/* Rootcheck thread */
+#ifdef WIN32
+DWORD WINAPI w_rootcheck_thread(__attribute__((unused)) void * args);
+#else
+void * w_rootcheck_thread(__attribute__((unused)) void * args);
+#endif
+/*** Plugins prototypes ***/
+void check_rc_files(const char *basedir, FILE *fp);
+void check_rc_trojans(const char *basedir, FILE *fp);
+void check_rc_unixaudit(FILE *fp, OSList *p_list);
+void check_rc_winaudit(FILE *fp, OSList *p_list);
+void check_rc_winmalware(FILE *fp, OSList *p_list);
+void check_rc_winapps(FILE *fp, OSList *p_list);
+void check_rc_dev(const char *basedir);
+void check_rc_sys(const char *basedir);
+void check_rc_pids(void);
+
+/* Verify if "pid" is in the proc directory */
+int check_rc_readproc(int pid);
+
+void check_rc_ports(void);
+void check_open_ports(void);
+void check_rc_if(void);
+
+/*Checks if the path or file is user-ignored */
+ int check_ignore(const char *path_to_ignore);
+
+int Read_Rootcheck_Config(const char *cfgfile);
+
+/* Global variables */
+extern char **rk_sys_file;
+extern char **rk_sys_name;
+extern int rk_sys_count;
+
+/* All the ports */
+extern char total_ports_udp[65535 + 1];
+extern char total_ports_tcp[65535 + 1];
+
+/* Process struct */
+typedef struct _Proc_Info {
+    char *p_name;
+    char *p_path;
+} Proc_Info;
+
+#endif /* ROOTCHECK_H */
diff --git a/src/modules/rootcheck/src/check_open_ports.c b/src/modules/rootcheck/src/check_open_ports.c
new file mode 100644
index 0000000000..eb891034dd
--- /dev/null
+++ b/src/modules/rootcheck/src/check_open_ports.c
@@ -0,0 +1,122 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+*/
+
+#include "shared.h"
+#include "headers/debug_op.h"
+#include "headers/defs.h"
+#include "rootcheck.h"
+
+#ifndef OSSECHIDS
+
+/* Prototypes */
+static int  connect_to_port(int proto, int port);
+static void try_to_access_ports(void);
+
+/* Global variables */
+static int  _ports_open;
+static int  open_ports_size;
+static char open_ports_str[OS_SIZE_1024 + 1];
+
+
+static int connect_to_port(int proto, int port)
+{
+    int rc = 0;
+    int ossock;
+    struct sockaddr_in server;
+
+    if (proto == IPPROTO_UDP) {
+        if ((ossock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+            return (0);
+        }
+    } else if (proto == IPPROTO_TCP) {
+        if ((ossock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
+            return (0);
+        }
+    } else {
+        return (0);
+    }
+
+    memset(&server, 0, sizeof(server));
+    server.sin_family      = AF_INET;
+    server.sin_port        = htons(port);
+    server.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+    if (connect(ossock, (struct sockaddr *)&server, sizeof(server)) == 0) {
+        rc = 1;
+    }
+
+    close(ossock);
+
+    return (rc);
+}
+
+static void try_to_access_ports()
+{
+    int i;
+
+    for (i = 0; i <= 65535; i++) {
+        if (total_ports_tcp[i] && connect_to_port(IPPROTO_TCP, i)) {
+            char port_proto[64];
+
+            if (_ports_open == 0) {
+                snprintf(port_proto, 64, "\n      %d (tcp),", i);
+            } else {
+                snprintf(port_proto, 64, "%d (tcp),", i);
+            }
+            strncat(open_ports_str, port_proto, open_ports_size);
+            open_ports_size -= strlen(port_proto) + 1;
+
+            _ports_open++;
+        }
+
+        if (total_ports_udp[i] && connect_to_port(IPPROTO_UDP, i)) {
+            char port_proto[64];
+
+            if (_ports_open == 0) {
+                snprintf(port_proto, 64, "\n      %d (udp),", i);
+            } else {
+                snprintf(port_proto, 64, "%d (udp),", i);
+            }
+
+            strncat(open_ports_str, port_proto, open_ports_size);
+            open_ports_size -= strlen(port_proto) + 1;
+
+            _ports_open++;
+        }
+
+        if (_ports_open >= 4) {
+            _ports_open = 0;
+        }
+    }
+
+}
+#endif
+
+void check_open_ports()
+{
+#ifndef OSSECHIDS
+    memset(open_ports_str, '\0', OS_SIZE_1024 + 1);
+    open_ports_size = OS_SIZE_1024 - 1;
+    _ports_open = 0;
+
+    snprintf(open_ports_str, OS_SIZE_1024, "The following ports are open:");
+    open_ports_size -= strlen(open_ports_str) + 1;
+
+    /* Testing All ports */
+    try_to_access_ports();
+
+    open_ports_str[strlen(open_ports_str) - 1] = '\0';
+
+    notify_rk(ALERT_OK, open_ports_str);
+
+#endif
+    return;
+}
+
diff --git a/src/modules/rootcheck/src/check_rc_dev.c b/src/modules/rootcheck/src/check_rc_dev.c
new file mode 100644
index 0000000000..5de2160b6d
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_dev.c
@@ -0,0 +1,187 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+#include "shared.h"
+#include "rootcheck.h"
+
+/* Prototypes */
+static int read_dev_file(const char *file_name);
+static int read_dev_dir(const char *dir_name);
+
+/* Global variables */
+static int _dev_errors;
+static int _dev_total;
+
+
+static int read_dev_file(const char *file_name)
+{
+    struct stat statbuf;
+
+    if (lstat(file_name, &statbuf) < 0) {
+        return (-1);
+    }
+
+    /* Process directories recursively */
+    if (S_ISDIR(statbuf.st_mode)) {
+        mtdebug2(ARGV0, "Reading dir: %s\n", file_name);
+        return (read_dev_dir(file_name));
+    }
+
+    else if (S_ISREG(statbuf.st_mode)) {
+        char op_msg[OS_SIZE_1024 + 1];
+        const char op_msg_fmt[] = "File '%*s' present on /dev. Possible hidden file.";
+
+        const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
+
+        if (size >= 0) {
+            if ((size_t)size < sizeof(op_msg)) {
+                snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
+            } else {
+                const unsigned int surplus = size - sizeof(op_msg) + 1;
+                snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
+            }
+
+            notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+        } else {
+            mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s\n", errno, strerror(errno), file_name);
+        }
+        _dev_errors++;
+    }
+
+    return (0);
+}
+
+static int read_dev_dir(const char *dir_name)
+{
+    int i;
+    DIR *dp;
+    struct dirent *entry = NULL;
+    char f_name[PATH_MAX + 2];
+    char f_dir[PATH_MAX + 2];
+
+    /* When will these people learn that /dev is not
+     * meant to store log files or other kind of texts?
+     */
+    const char *(ignore_dev[]) = {"MAKEDEV", "README.MAKEDEV",
+                                  "MAKEDEV.README", ".udevdb",
+                                  ".udev.tdb", ".initramfs-tools",
+                                  "MAKEDEV.local", ".udev", ".initramfs",
+                                  "oprofile", "fd", "cgroup",
+#ifdef SOLARIS
+                                  ".devfsadm_dev.lock",
+                                  ".devlink_db_lock",
+                                  ".devlink_db",
+                                  ".devfsadm_daemon.lock",
+                                  ".devfsadm_deamon.lock",
+                                  ".devfsadm_synch_door",
+                                  ".zone_reg_door",
+#endif
+                                  NULL
+                                 };
+
+    /* Full path ignore */
+    const char *(ignore_dev_full_path[]) = {"shm/sysconfig",
+                                            "bus/usb/.usbfs",
+                                            "shm",
+                                            "gpmctl",
+                                            NULL
+                                           };
+
+    if (dir_name == NULL || strlen(dir_name) > PATH_MAX) {
+        mterror(ARGV0, "Invalid directory given.");
+        return (-1);
+    }
+
+    /* Open directory */
+    dp = opendir(dir_name);
+    if (!dp) {
+        return (-1);
+    }
+
+    /* Iterate over all files in the directory */
+    while ((entry = readdir(dp)) != NULL) {
+        /* Ignore . and ..  */
+        if (strcmp(entry->d_name, ".") == 0 ||
+                strcmp(entry->d_name, "..") == 0) {
+            continue;
+        }
+
+        _dev_total++;
+
+        /* Do not look for the ignored files */
+        for (i = 0; ignore_dev[i] != NULL; i++) {
+            if (strcmp(ignore_dev[i], entry->d_name) == 0) {
+                break;
+            }
+        }
+        if (ignore_dev[i] != NULL) {
+            continue;
+        }
+
+        *f_name = '\0';
+        snprintf(f_name, PATH_MAX + 1, "%s/%s", dir_name, entry->d_name);
+
+        /* Do not look for the full ignored files */
+        for (i = 0; ignore_dev_full_path[i] != NULL; i++) {
+            snprintf(f_dir, PATH_MAX + 1, "%s/%s", dir_name, ignore_dev_full_path[i]);
+            if (strcmp(f_dir, f_name) == 0) {
+                break;
+            }
+        }
+
+        /* Check against the full path */
+        if (ignore_dev_full_path[i] != NULL) {
+            continue;
+        }
+
+        /* Do not look for the user ignored paths and files */
+        if (check_ignore(f_name)) {
+            continue;
+        }
+
+        /* Found a non-ignored entry in the directory, so process it */
+        read_dev_file(f_name);
+    }
+
+    closedir(dp);
+    return (0);
+}
+
+void check_rc_dev(const char *basedir)
+{
+    char file_path[OS_SIZE_1024 + 1];
+
+    _dev_total = 0, _dev_errors = 0;
+    mtdebug1(ARGV0, "Starting on check_rc_dev");
+
+    snprintf(file_path, OS_SIZE_1024, "%s/dev", basedir);
+
+    read_dev_dir(file_path);
+    if (_dev_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "No problem detected on the /dev "
+                 "directory. Analyzed %d files",
+                 _dev_total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+
+    return;
+}
+
+#else
+
+/* Not relevant on Windows */
+void check_rc_dev(__attribute__((unused)) char *basedir)
+{
+    return;
+}
+
+#endif /* WIN32 */
diff --git a/src/modules/rootcheck/src/check_rc_files.c b/src/modules/rootcheck/src/check_rc_files.c
new file mode 100644
index 0000000000..34fc75d023
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_files.c
@@ -0,0 +1,225 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+
+/* Read the file pointer specified (rootkit_files)
+ * and check if the configured file is there
+ */
+void check_rc_files(const char *basedir, FILE *fp)
+{
+    char buf[OS_SIZE_1024 + 1];
+    char file_path[OS_SIZE_1024 + 1];
+
+    char *file;
+    char *name;
+    char *link;
+    char * _file_name;
+
+    int _errors = 0;
+    int _total = 0;
+
+    mtdebug1(ARGV0, "Starting on check_rc_files");
+
+    while (fgets(buf, OS_SIZE_1024, fp) != NULL) {
+        char *nbuf;
+
+        /* Remove newline at the end */
+        nbuf = strchr(buf, '\n');
+        if (nbuf) {
+            *nbuf = '\0';
+        }
+
+        /* Assign buf to be used */
+        nbuf = buf;
+
+        /* Skip comments and blank lines */
+        while (*nbuf != '\0') {
+            if (*nbuf == ' ' || *nbuf == '\t') {
+                nbuf++;
+                continue;
+            } else if (*nbuf == '#') {
+                goto newline;
+            } else {
+                break;
+            }
+        }
+
+        if (*nbuf == '\0') {
+            goto newline;
+        }
+
+        /* File now may be valid */
+        file = nbuf;
+        name = nbuf;
+
+        /* Get the file and the rootkit name */
+        while (*nbuf != '\0') {
+            if (*nbuf == ' ' || *nbuf == '\t') {
+                /* Set the limit for the file */
+                *nbuf = '\0';
+                nbuf++;
+                break;
+            } else {
+                nbuf++;
+            }
+        }
+
+        if (*nbuf == '\0') {
+            goto newline;
+        }
+
+        /* Some ugly code to remove spaces and \t */
+        while (*nbuf != '\0') {
+            if (*nbuf == '!') {
+                nbuf++;
+                if (*nbuf == ' ' || *nbuf == '\t') {
+                    nbuf++;
+                    name = nbuf;
+
+                    break;
+                }
+            } else if (*nbuf == ' ' || *nbuf == '\t') {
+                nbuf++;
+                continue;
+            } else {
+                goto newline;
+            }
+        }
+
+        /* Get the link (if present) */
+        link = strchr(nbuf, ':');
+        if (link) {
+            *link = '\0';
+
+            link++;
+            if (*link == ':') {
+                link++;
+            }
+        }
+
+        /* Clean any space or tab at the end */
+        nbuf = strchr(nbuf, ' ');
+        if (nbuf) {
+            *nbuf = '\0';
+
+            nbuf = strchr(nbuf, '\t');
+            if (nbuf) {
+                *nbuf = '\0';
+            }
+        }
+
+        _total++;
+        /* Check if it is a file to search everywhere */
+        if (*file == '*') {
+            /* Maximum number of global files reached */
+            if (rk_sys_count >= MAX_RK_SYS) {
+                mterror(ARGV0, MAX_RK_MSG, MAX_RK_SYS);
+            }
+
+            else {
+                /* Remove all slashes from the file */
+                file++;
+                if (*file == '/') {
+                    file++;
+                }
+
+                rk_sys_file[rk_sys_count] = strdup(file);
+                rk_sys_name[rk_sys_count] = strdup(name);
+
+                if (!rk_sys_name[rk_sys_count] ||
+                        !rk_sys_file[rk_sys_count] ) {
+                    mterror(ARGV0, MEM_ERROR, errno, strerror(errno));
+
+                    if (rk_sys_file[rk_sys_count]) {
+                        free(rk_sys_file[rk_sys_count]);
+                    }
+                    if (rk_sys_name[rk_sys_count]) {
+                        free(rk_sys_name[rk_sys_count]);
+                    }
+
+                    rk_sys_file[rk_sys_count] = NULL;
+                    rk_sys_name[rk_sys_count] = NULL;
+                }
+
+                rk_sys_count++;
+
+                /* Always assign the last as NULL */
+                rk_sys_file[rk_sys_count] = NULL;
+                rk_sys_name[rk_sys_count] = NULL;
+            }
+            continue;
+        }
+        int bytes_written = 0;
+        // Check if it is a full path
+#ifdef WIN32
+        if (strlen(file) > 3 && file[1] == ':' && file[2] == '\\') {
+#else
+        if (*file == '/') {
+#endif
+            bytes_written = snprintf(file_path, sizeof(file_path), "%s", file);
+        } else {
+            bytes_written = snprintf(file_path, sizeof(file_path), "%s%c%s", basedir, PATH_SEP, file);
+        }
+
+       if (bytes_written < 0 || (size_t)bytes_written > (sizeof(file_path) - 1)) {
+            mtdebug2(ARGV0, "Path file was truncated (%s)\n", file_path);
+            continue;
+       }
+
+
+        if (_file_name = strrchr(file_path, PATH_SEP), !_file_name) {
+            continue;
+        }
+        _file_name++;
+
+        char _path[OS_SIZE_1024 + 1];
+        strncpy(_path, file_path, OS_SIZE_1024 + 1);
+        _path[strlen(file) - strlen(_file_name)] = '\0';
+
+        if (check_ignore(file_path)) {
+            continue;
+        }
+
+        if (is_file(file_path)) {
+            const char op_msg_fmt[] = "Rootkit '%s' detected by the presence of file '%*s'.";
+            char op_msg[OS_SIZE_2048];
+
+            const int size = snprintf(NULL, 0, op_msg_fmt, name, (int)strlen(file_path), file_path);
+
+            if (size >= 0) {
+                if ((size_t)size < sizeof(op_msg)) {
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, name, (int)strlen(file_path), file_path);
+                }
+                else {
+                    const unsigned int surplus = size - sizeof(op_msg) + 1;
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, name, (int)(strlen(file_path) - surplus), file_path);
+                }
+
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            } else {
+                mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_path);
+            }
+
+            _errors = 1;
+        }
+newline:
+        continue;
+    }
+
+    if (_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "No presence of public rootkits detected."
+                 " Analyzed %d files.", _total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+}
diff --git a/src/modules/rootcheck/src/check_rc_if.c b/src/modules/rootcheck/src/check_rc_if.c
new file mode 100644
index 0000000000..83fcaec2c4
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_if.c
@@ -0,0 +1,128 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+#include <shared.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <pthread.h>
+
+#ifdef SOLARIS
+#include <stropts.h>
+#include <sys/sockio.h>
+#endif
+
+#include "headers/debug_op.h"
+#include "headers/defs.h"
+#include "rootcheck.h"
+
+#ifndef IFCONFIG
+#define IFCONFIG "ifconfig %s | grep PROMISC > /dev/null 2>&1"
+#endif
+
+/* Prototypes */
+static int run_ifconfig(const char *ifconfig);
+
+
+/* Execute the ifconfig command
+ * Returns 1 if the interface is in promiscuous mode
+ */
+static int run_ifconfig(const char *ifconfig)
+{
+    char nt[OS_SIZE_1024 + 1];
+
+    snprintf(nt, OS_SIZE_1024, IFCONFIG, ifconfig);
+    if (system(nt) == 0) {
+        return (1);
+    }
+
+    return (0);
+}
+
+/* Check all interfaces for promiscuous mode */
+void check_rc_if()
+{
+    int _fd, _errors = 0, _total = 0;
+    struct ifreq tmp_str[16];
+    const int max_if = sizeof(tmp_str)/sizeof(struct ifreq);
+    int index = 0;
+    struct ifconf _if;
+    struct ifreq _ifr;
+
+    _fd = socket(AF_INET, SOCK_DGRAM, 0);
+    if (_fd < 0) {
+        mterror(ARGV0, "Error checking interfaces (socket)");
+        return;
+    }
+
+    memset(tmp_str, 0, sizeof(struct ifreq) * 16);
+    _if.ifc_len = sizeof(tmp_str);
+    _if.ifc_buf = (caddr_t)(tmp_str);
+
+    if (ioctl(_fd, SIOCGIFCONF, &_if) < 0) {
+        close(_fd);
+        mterror(ARGV0, "Error checking interfaces (ioctl)");
+        return;
+    }
+
+    /* Loop over all interfaces */
+    for (index = 0; index < max_if; index++) {
+        memcpy(_ifr.ifr_name, tmp_str[index].ifr_name, sizeof(_ifr.ifr_name));
+
+        /* Get information from each interface */
+        if (ioctl(_fd, SIOCGIFFLAGS, (char *)&_ifr) == -1) {
+            continue;
+        }
+
+        _total++;
+
+        if ((_ifr.ifr_flags & IFF_PROMISC) ) {
+            char op_msg[OS_SIZE_1024 + 1];
+            if (run_ifconfig(_ifr.ifr_name)) {
+                snprintf(op_msg, OS_SIZE_1024, "Interface '%s' in promiscuous"
+                         " mode.", _ifr.ifr_name);
+                notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+            } else {
+                snprintf(op_msg, OS_SIZE_1024, "Interface '%s' in promiscuous"
+                         " mode, but ifconfig is not showing it"
+                         "(probably trojaned).", _ifr.ifr_name);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            }
+            _errors++;
+        }
+    }
+
+    close(_fd);
+
+    if (_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "No problem detected on ifconfig/ifs."
+                 " Analyzed %d interfaces.", _total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+
+    return;
+}
+
+#else /* WIN32 */
+
+/* Not implemented on Windows */
+void check_rc_if()
+{
+    return;
+}
+
+#endif /* WIN32 */
diff --git a/src/modules/rootcheck/src/check_rc_pids.c b/src/modules/rootcheck/src/check_rc_pids.c
new file mode 100644
index 0000000000..019790523a
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_pids.c
@@ -0,0 +1,329 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+#include "shared.h"
+#include "rootcheck.h"
+
+/* Prototypes */
+static int  proc_read(int pid);
+static int  proc_opendir(int pid);
+static int  proc_stat(int pid);
+static void loop_all_pids(const char *ps, pid_t max_pid, int *_errors, int *_total);
+
+/* Global variables */
+static int noproc;
+
+
+/* If /proc is mounted, check to see if the pid is present */
+static int proc_read(int pid)
+{
+    char dir[OS_SIZE_1024 + 1];
+
+    if (noproc) {
+        return (0);
+    }
+
+    snprintf(dir, OS_SIZE_1024, "%d", pid);
+    if (isfile_ondir(dir, "/proc")) {
+        return (1);
+    }
+    return (0);
+}
+
+/* If /proc is mounted, check to see if the pid is present */
+static int proc_opendir(int pid)
+{
+    char    dir[OS_SIZE_1024 + 1];
+    DIR     *dp = NULL;
+
+    if (noproc) {
+        return (0);
+    }
+    
+    dp  = opendir("/proc");
+    if (!dp) {
+        return 0;
+    }
+    closedir(dp);
+    
+    snprintf(dir, OS_SIZE_1024, "/proc/%d", pid);
+    dp  = opendir(dir);
+    if (!dp) {
+        return 0;
+    }
+    closedir(dp);
+
+    return (1);
+}
+
+/* If /proc is mounted, check to see if the pid is present there */
+static int proc_stat(int pid)
+{
+    char proc_dir[OS_SIZE_1024 + 1];
+
+    if (noproc) {
+        return (0);
+    }
+
+    snprintf(proc_dir, OS_SIZE_1024, "%s/%d", "/proc", pid);
+
+    if (is_file(proc_dir)) {
+        return (1);
+    }
+
+    return (0);
+}
+
+/* Check all the available PIDs for hidden stuff */
+static void loop_all_pids(const char *ps, pid_t max_pid, int *_errors, int *_total)
+{
+    int _kill0 = 0;
+    int _kill1 = 0;
+    int _gsid0 = 0;
+    int _gsid1 = 0;
+    int _gpid0 = 0;
+    int _gpid1 = 0;
+    int _ps0 = -1;
+    int _proc_stat  = 0;
+    int _proc_read  = 0;
+    int _proc_opendir = 0;
+
+    pid_t i = 1;
+    pid_t my_pid;
+
+    char command[OS_SIZE_1024 + 64];
+
+    my_pid = getpid();
+
+    for (;; i++) {
+        if ((i <= 0) || (i > max_pid)) {
+            break;
+        }
+
+        (*_total)++;
+
+        _kill0 = 0;
+        _kill1 = 0;
+        _gsid0 = 0;
+        _gsid1 = 0;
+        _gpid0 = 0;
+        _gpid1 = 0;
+        _ps0 = -1;
+
+        /* kill test */
+        if (!((kill(i, 0) == -1) && (errno == ESRCH))) {
+            _kill0 = 1;
+        }
+
+        /* getsid test */
+        if (!((getsid(i) == -1) && (errno == ESRCH))) {
+            _gsid0 = 1;
+        }
+
+        /* getpgid test */
+        if (!((getpgid(i) == -1) && (errno == ESRCH))) {
+            _gpid0 = 1;
+        }
+
+        /* /proc test */
+        _proc_stat = proc_stat(i);
+        _proc_read = proc_read(i);
+        _proc_opendir = proc_opendir(i);
+
+        /* If PID does not exist, move on */
+        if (!_kill0     && !_gsid0     && !_gpid0 &&
+                !_proc_stat && !_proc_read && !_proc_opendir) {
+            continue;
+        }
+
+        /* Ignore our own pid */
+        if (i == my_pid) {
+            continue;
+        }
+
+        /* Check the number of errors */
+        if ((*_errors) > 15) {
+            char op_msg[OS_SIZE_1024 + 1];
+            snprintf(op_msg, OS_SIZE_1024, "Excessive number of hidden processes"
+                     ". It maybe a false-positive or "
+                     "something really bad is going on.");
+            notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+            return;
+        }
+
+        /* Check if the process appears in ps(1) output */
+        if (*ps) {
+            snprintf(command, sizeof(command), "%s -p %d > /dev/null 2>&1", ps, (int)i);
+            _ps0 = 0;
+            if (system(command) == 0) {
+                _ps0 = 1;
+            }
+        }
+
+        /* If we are run in the context of OSSEC-HIDS, sleep here (no rush) */
+#ifdef OSSECHIDS
+#ifdef WIN32
+        Sleep(rootcheck.tsleep);
+#else
+        struct timeval timeout = {0, rootcheck.tsleep * 1000};
+        select(0, NULL, NULL, NULL, &timeout);
+#endif
+#endif
+
+        /* Everything fine, move on */
+        if (_ps0 && _kill0 && _gsid0 && _gpid0 && _proc_stat && _proc_read) {
+            continue;
+        }
+
+        /*
+         * If our kill or getsid system call got the PID but ps(1) did not,
+         * find out if the PID is deleted (not used anymore)
+         */
+        if (!((getsid(i) == -1) && (errno == ESRCH))) {
+            _gsid1 = 1;
+        }
+        if (!((kill(i, 0) == -1) && (errno == ESRCH))) {
+            _kill1 = 1;
+        }
+        if (!((getpgid(i) == -1) && (errno == ESRCH))) {
+            _gpid1 = 1;
+        }
+
+        _proc_stat = proc_stat(i);
+        _proc_read = proc_read(i);
+        _proc_opendir = proc_opendir(i);
+
+        /* If it matches, process was terminated in the meantime, so move on */
+        if (!_gsid1 && !_kill1 && !_gpid1 && !_proc_stat &&
+                !_proc_read && !_proc_opendir) {
+            continue;
+        }
+
+#ifdef AIX
+        /* Ignore AIX wait and sched programs */
+        if (_gsid0 == _gsid1 &&
+                _kill0 == _kill1 &&
+                _gpid0 == _gpid1 &&
+                _ps0 == 1 &&
+                _gsid0 == 1 &&
+                _kill0 == 0) {
+            /* The wait and sched programs do not respond to kill 0.
+             * So if everything else finds it, including ps, getpid, getsid,
+             * but not kill, we can safely ignore on AIX.
+             * A malicious program would specially try to hide from ps.
+             */
+            continue;
+        }
+#endif
+
+        if (_gsid0 == _gsid1 &&
+                _kill0 == _kill1 &&
+                _gsid0 != _kill0) {
+            /* If kill worked, but getsid and getpgid did not, it may
+             * be a defunct process -- ignore.
+             */
+            if (! (_kill0 == 1 && _gsid0 == 0 && _gpid0 == 0 && _gsid1 == 0) ) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
+                         "kill (%d) or getsid (%d). Possible kernel-level"
+                         " rootkit.", (int)i, _kill0, _gsid0);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                (*_errors)++;
+            }
+        } else if (_kill1 != _gsid1 ||
+                   _gpid1 != _kill1 ||
+                   _gpid1 != _gsid1) {
+            /* See defunct process comment above */
+            if (! (_kill1 == 1 && _gsid1 == 0 && _gpid0 == 0) ) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
+                         "kill (%d), getsid (%d) or getpgid. Possible "
+                         "kernel-level rootkit.", (int)i, _kill1, _gsid1);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                (*_errors)++;
+            }
+        } else if (_proc_read != _proc_stat  ||
+                   _proc_read != _proc_opendir ||
+                   _proc_stat != _kill1) {
+            /* Check if the pid is a thread (not showing in /proc */
+            if (!noproc && !check_rc_readproc((int)i)) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
+                         "/proc. Possible kernel level rootkit.", (int)i);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                (*_errors)++;
+            }
+        } else if (_gsid1 && _kill1 && !_ps0) {
+            /* checking if the pid is a thread (not showing on ps */
+            if (!check_rc_readproc((int)i)) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
+                         "ps. Possible trojaned version installed.",
+                         (int)i);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                (*_errors)++;
+            }
+        }
+    }
+}
+
+/* Scan the whole filesystem looking for possible issues */
+void check_rc_pids()
+{
+    int _total = 0;
+    int _errors = 0;
+
+    char ps[OS_SIZE_1024 + 1];
+
+    char proc_0[] = "/proc";
+    char proc_1[] = "/proc/1";
+
+    pid_t max_pid = MAX_PID;
+    noproc = 1;
+
+    /* Checking where ps is */
+    memset(ps, '\0', OS_SIZE_1024 + 1);
+    strncpy(ps, "/bin/ps", OS_SIZE_1024);
+    if (!is_file(ps)) {
+        strncpy(ps, "/usr/bin/ps", OS_SIZE_1024);
+        if (!is_file(ps)) {
+            ps[0] = '\0';
+        }
+    }
+
+    /* Proc is mounted */
+    if (is_file(proc_0) && is_file(proc_1)) {
+        noproc = 0;
+    }
+
+    loop_all_pids(ps, max_pid, &_errors, &_total);
+
+    if (_errors == 0) {
+        char op_msg[OS_SIZE_2048];
+        snprintf(op_msg, OS_SIZE_2048, "No hidden process by Kernel-level "
+                 "rootkits.\n      %s is not trojaned. "
+                 "Analyzed %d processes.", ps, _total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+
+    return;
+}
+
+#else
+void check_rc_pids()
+{
+    return;
+}
+#endif
diff --git a/src/modules/rootcheck/src/check_rc_policy.c b/src/modules/rootcheck/src/check_rc_policy.c
new file mode 100644
index 0000000000..92ebe1d253
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_policy.c
@@ -0,0 +1,49 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+
+/* Read the file pointer specified
+ * and check if the configured file is there
+ */
+void check_rc_unixaudit(FILE *fp, OSList *p_list)
+{
+    mtdebug1(ARGV0, "Starting on check_rc_unixaudit");
+    rkcl_get_entry(fp, "System Audit:", p_list);
+}
+
+/* Read the file pointer specified
+ * and check if the configured file is there
+ */
+void check_rc_winaudit(FILE *fp, OSList *p_list)
+{
+    mtdebug1(ARGV0, "Starting on check_rc_winaudit");
+    rkcl_get_entry(fp, "Windows Audit:", p_list);
+}
+
+/* Read the file pointer specified
+ * and check if the configured file is there
+ */
+void check_rc_winmalware(FILE *fp, OSList *p_list)
+{
+    mtdebug1(ARGV0, "Starting on check_rc_winmalware");
+    rkcl_get_entry(fp, "Windows Malware:", p_list);
+}
+
+/* Read the file pointer specified
+ * and check if the configured file is there
+ */
+void check_rc_winapps(FILE *fp, OSList *p_list)
+{
+    mtdebug1(ARGV0, "Starting on check_rc_winapps");
+    rkcl_get_entry(fp, "Application Found:", p_list);
+}
diff --git a/src/modules/rootcheck/src/check_rc_ports.c b/src/modules/rootcheck/src/check_rc_ports.c
new file mode 100644
index 0000000000..068d81fa60
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_ports.c
@@ -0,0 +1,183 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+
+#include "shared.h"
+#include "rootcheck.h"
+
+#if defined(sun) || defined(__sun__)
+#define NETSTAT         "netstat -an -P %s | "\
+                        "grep \"[^0-9]%d \" > /dev/null 2>&1"
+#else
+#define NETSTAT         "netstat -an | grep \"^%s\" | " \
+                        "grep \"[^0-9]%d \" > /dev/null 2>&1"
+#endif
+
+/* Prototypes */
+static int  run_netstat(int proto, int port);
+static int  conn_port(int proto, int port);
+static void test_ports(int proto, int *_errors, int *_total);
+
+
+static int run_netstat(int proto, int port)
+{
+    int ret;
+    char nt[OS_SIZE_1024 + 1];
+
+    if (proto == IPPROTO_TCP) {
+        snprintf(nt, OS_SIZE_1024, NETSTAT, "tcp", port);
+    } else if (proto == IPPROTO_UDP) {
+        snprintf(nt, OS_SIZE_1024, NETSTAT, "udp", port);
+    } else {
+        mterror(ARGV0, "Netstat error (wrong protocol)");
+        return (0);
+    }
+
+    ret = system(nt);
+
+    if (ret == 0) {
+        return (1);
+    } else if (ret == 1) {
+        return (0);
+    }
+
+    return (1);
+}
+
+static int conn_port(int proto, int port)
+{
+    int rc = 0;
+    int ossock;
+    struct sockaddr_in server;
+
+    if (proto == IPPROTO_UDP) {
+        if ((ossock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+            return (0);
+        }
+    } else if (proto == IPPROTO_TCP) {
+        if ((ossock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
+            return (0);
+        }
+    } else {
+        return (0);
+    }
+
+    memset(&server, 0, sizeof(server));
+    server.sin_family = AF_INET;
+    server.sin_port = htons(port);
+    server.sin_addr.s_addr = htonl(INADDR_ANY);
+
+    /* If we can't bind, it means the port is open */
+    if (bind(ossock, (struct sockaddr *) &server, sizeof(server)) < 0) {
+        rc = 1;
+    }
+
+    /* Setting if port is open or closed */
+    if (proto == IPPROTO_TCP) {
+        total_ports_tcp[port] = (char) rc;
+    } else {
+        total_ports_udp[port] = (char) rc;
+    }
+
+    close(ossock);
+    return (rc);
+}
+
+static void test_ports(int proto, int *_errors, int *_total)
+{
+    int i;
+
+    for (i = 0; i <= 65535; i++) {
+        (*_total)++;
+        if (conn_port(proto, i)) {
+            /* Check if we can find it using netstat. If not,
+             * check again to see if the port is still being used.
+             */
+            if (run_netstat(proto, i)) {
+                continue;
+            }
+
+#ifdef OSSECHIDS
+            /* If we are in the context of OSSEC-HIDS, sleep here (no rush) */
+#ifdef WIN32
+        Sleep(rootcheck.tsleep);
+#else
+        struct timeval timeout = {0, rootcheck.tsleep * 1000};
+        select(0, NULL, NULL, NULL, &timeout);
+#endif
+#endif
+
+            if (!run_netstat(proto, i) && conn_port(proto, i)) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                (*_errors)++;
+
+                snprintf(op_msg, OS_SIZE_1024, "Port '%d'(%s) hidden. "
+                         "Kernel-level rootkit or trojaned "
+                         "version of netstat.", i,
+                         (proto == IPPROTO_UDP) ? "udp" : "tcp");
+
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            }
+        }
+
+        if ((*_errors) > 20) {
+            char op_msg[OS_SIZE_1024 + 1];
+
+            snprintf(op_msg, OS_SIZE_1024, "Excessive number of '%s' ports "
+                     "hidden. It maybe a false-positive or "
+                     "something really bad is going on.",
+                     (proto == IPPROTO_UDP) ? "udp" : "tcp" );
+            notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+            return;
+        }
+    }
+
+}
+
+void check_rc_ports()
+{
+    int _errors = 0;
+    int _total = 0;
+
+    int i = 0;
+
+    while (i <= 65535) {
+        total_ports_tcp[i] = 0;
+        total_ports_udp[i] = 0;
+        i++;
+    }
+
+    /* Test both TCP and UDP ports */
+    test_ports(IPPROTO_TCP, &_errors, &_total);
+    test_ports(IPPROTO_UDP, &_errors, &_total);
+
+    if (_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+
+        snprintf(op_msg, OS_SIZE_1024, "No kernel-level rootkit hiding any port."
+                 "\n      Netstat is acting correctly."
+                 " Analyzed %d ports.", _total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+
+    return;
+}
+
+#else /* WIN32 */
+
+/* Not implemented on Windows */
+void check_rc_ports()
+{
+    return;
+}
+
+#endif /* WIN32 */
diff --git a/src/modules/rootcheck/src/check_rc_readproc.c b/src/modules/rootcheck/src/check_rc_readproc.c
new file mode 100644
index 0000000000..8febcd6172
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_readproc.c
@@ -0,0 +1,128 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WIN32
+
+#include "shared.h"
+#include "rootcheck.h"
+
+#define PROC 0
+#define PID  1
+#define TASK 2
+
+/* Prototypes */
+static int read_proc_file(const char *file_name, const char *pid, int position);
+static int read_proc_dir(const char *dir_name, const char *pid, int position);
+
+/* Global variables */
+static int proc_pid_found;
+
+
+static int read_proc_file(const char *file_name, const char *pid, int position)
+{
+    struct stat statbuf;
+
+    if (lstat(file_name, &statbuf) < 0) {
+        return (-1);
+    }
+
+    /* If directory, read the directory */
+    if (S_ISDIR(statbuf.st_mode)) {
+        return (read_proc_dir(file_name, pid, position));
+    }
+
+    return (0);
+}
+
+int read_proc_dir(const char *dir_name, const char *pid, int position)
+{
+    DIR *dp;
+    struct dirent *entry = NULL;
+
+    if ((dir_name == NULL) || (strlen(dir_name) > PATH_MAX)) {
+        mterror(ARGV0, "Invalid directory given");
+        return (-1);
+    }
+
+    /* Open the directory */
+    dp = opendir(dir_name);
+    if (!dp) {
+        return (0);
+    }
+
+    while ((entry = readdir(dp)) != NULL) {
+        char f_name[PATH_MAX + 2];
+
+        /* Ignore . and ..  */
+        if (strcmp(entry->d_name, ".")  == 0 ||
+                strcmp(entry->d_name, "..") == 0) {
+            continue;
+        }
+
+        if (position == PROC) {
+            char *tmp_str;
+
+            tmp_str = entry->d_name;
+            while (*tmp_str != '\0') {
+                if (!isdigit((int)*tmp_str)) {
+                    break;
+                }
+                tmp_str++;
+            }
+
+            if (*tmp_str != '\0') {
+                continue;
+            }
+
+            snprintf(f_name, PATH_MAX + 1, "%s/%s", dir_name, entry->d_name);
+            read_proc_file(f_name, pid, position + 1);
+        } else if (position == PID) {
+            if (strcmp(entry->d_name, "task") == 0) {
+                snprintf(f_name, PATH_MAX + 1, "%s/%s", dir_name, entry->d_name);
+                read_proc_file(f_name, pid, position + 1);
+            }
+        } else if (position == TASK) {
+            /* Check under proc/pid/task/lwp */
+            if (strcmp(entry->d_name, pid) == 0) {
+                proc_pid_found = 1;
+                break;
+            }
+        } else {
+            break;
+        }
+    }
+
+    closedir(dp);
+
+    return (0);
+}
+
+/*  Read the /proc directory (if present) and check if it can find
+ *  the given pid (as a pid or as a thread)
+ */
+int check_rc_readproc(int pid)
+{
+    char char_pid[32];
+
+    proc_pid_found = 0;
+
+    /* NL threads */
+    snprintf(char_pid, 31, "/proc/.%d", pid);
+    if (is_file(char_pid)) {
+        return (1);
+    }
+
+    snprintf(char_pid, 31, "%d", pid);
+    read_proc_dir("/proc", char_pid, PROC);
+
+    return (proc_pid_found);
+}
+
+#endif
diff --git a/src/modules/rootcheck/src/check_rc_sys.c b/src/modules/rootcheck/src/check_rc_sys.c
new file mode 100644
index 0000000000..14f210a793
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_sys.c
@@ -0,0 +1,492 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+*/
+
+#include "shared.h"
+#include "rootcheck.h"
+
+/* Prototypes */
+static int read_sys_file(const char *file_name, int do_read);
+static int read_sys_dir(const char *dir_name, int do_read);
+
+/* Global variables */
+static int   _sys_errors;
+static int   _sys_total;
+static dev_t did;
+static FILE *_wx;
+static FILE *_ww;
+static FILE *_suid;
+
+
+static int read_sys_file(const char *file_name, int do_read)
+{
+    struct stat statbuf;
+
+    _sys_total++;
+
+#ifdef WIN32
+    /* Check for NTFS ADS on Windows */
+    os_check_ads(file_name);
+#endif
+    if (lstat(file_name, &statbuf) < 0) {
+#ifndef WIN32
+        const char op_msg_fmt[] = "Anomaly detected in file '%*s'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.";
+        char op_msg[OS_SIZE_1024 + 1];
+
+        const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
+
+        if (size >= 0) {
+            if ((size_t)size < sizeof(op_msg)) {
+                snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
+            } else {
+                const unsigned int surplus = size - sizeof(op_msg) + 1;
+                snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
+            }
+
+            notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+        } else {
+            mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_name);
+        }
+
+        _sys_errors++;
+#endif
+        return (-1);
+    }
+
+    /* If directory, read the directory */
+    else if (S_ISDIR(statbuf.st_mode)) {
+        /* Make Darwin happy. For some reason,
+         * when I read /dev/fd, it goes forever on
+         * /dev/fd5, /dev/fd6, etc.. weird
+         */
+        if (strstr(file_name, "/dev/fd") != NULL) {
+            return (0);
+        }
+
+        /* Ignore the /proc directory (it has size 0) */
+        if (statbuf.st_size == 0) {
+            return (0);
+        }
+
+        return (read_sys_dir(file_name, do_read));
+    }
+
+    /* Check if the size from stats is the same as when we read the file */
+    if (S_ISREG(statbuf.st_mode) && do_read) {
+        char buf[OS_SIZE_1024];
+        int fd;
+        ssize_t nr;
+        long int total = 0;
+
+        fd = open(file_name, O_RDONLY, 0);
+
+        /* It may not necessarily open */
+        if (fd >= 0) {
+            while ((nr = read(fd, buf, sizeof(buf))) > 0) {
+                total += nr;
+            }
+            close(fd);
+
+            if (strcmp(file_name, "/dev/bus/usb/.usbfs/devices") == 0) {
+                /* Ignore .usbfs/devices */
+            } else if (total != statbuf.st_size) {
+                struct stat statbuf2;
+
+                if ((lstat(file_name, &statbuf2) == 0) &&
+                        (total != statbuf2.st_size) &&
+                        (statbuf.st_size == statbuf2.st_size)) {
+                    const char op_msg_fmt[] = "Anomaly detected in file '%*s'. File size doesn't match what we found. Possible kernel level rootkit.";
+                    char op_msg[OS_SIZE_1024 + 1];
+
+                    const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
+
+                    if (size >= 0) {
+                        if ((size_t)size < sizeof(op_msg)) {
+                            snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
+                        } else {
+                            const unsigned int surplus = size - sizeof(op_msg) + 1;
+                            snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
+                        }
+
+                        notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                    } else {
+                        mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_name);
+                    }
+
+                    _sys_errors++;
+                }
+            }
+        }
+    }
+
+    /* If has OTHER write and exec permission, alert */
+#ifndef WIN32
+    if ((statbuf.st_mode & S_IWOTH) == S_IWOTH && S_ISREG(statbuf.st_mode)) {
+        if ((statbuf.st_mode & S_IXUSR) == S_IXUSR) {
+            if (_wx) {
+                fprintf(_wx, "%s\n", file_name);
+            }
+
+            _sys_errors++;
+        } else {
+            if (_ww) {
+                fprintf(_ww, "%s\n", file_name);
+            }
+        }
+
+        if (statbuf.st_uid == 0) {
+            char op_msg[OS_SIZE_1024 + 1];
+#ifdef OSSECHIDS
+            const char op_msg_fmt[] = "File '%*s' is owned by root and has written permissions to anyone.";
+
+            const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
+
+            if (size >= 0) {
+                if ((size_t)size < sizeof(op_msg)) {
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
+                } else {
+                    const unsigned int surplus = size - sizeof(op_msg) + 1;
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
+                }
+
+                notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+            } else {
+                mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_name);
+            }
+
+            _sys_errors++;
+
+#else
+            const char op_msg_fmt[] = "File '%*s' is: \n          - owned by root,\n          - has write permissions to anyone.";
+
+            const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
+
+            if (size >= 0) {
+                if ((size_t)size < sizeof(op_msg)) {
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
+                } else {
+                    const unsigned int surplus = size - sizeof(op_msg) + 1;
+                    snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
+                }
+
+                notify_rk(ALERT_SYSTEM_CRIT, op_msg);
+            } else {
+                mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_name);
+            }
+
+            _sys_errors++;
+#endif
+        }
+    } else if ((statbuf.st_mode & S_ISUID) == S_ISUID) {
+        if (_suid) {
+            fprintf(_suid, "%s\n", file_name);
+        }
+    }
+#endif /* WIN32 */
+    return (0);
+}
+
+static int read_sys_dir(const char *dir_name, int do_read)
+{
+    int i = 0;
+    unsigned int entry_count = 0;
+    int did_changed = 0;
+    DIR *dp;
+    struct dirent *entry = NULL;
+    struct stat statbuf;
+    short is_nfs;
+    short skip_fs;
+
+#ifndef WIN32
+    const char *(dirs_to_doread[]) = { "/bin", "/sbin", "/usr/bin",
+                                       "/usr/sbin", "/dev", "/etc",
+                                       "/boot", NULL
+                                     };
+#endif
+
+    if ((dir_name == NULL) || (strlen(dir_name) > PATH_MAX)) {
+        mterror(ARGV0, "Invalid directory given.");
+        return (-1);
+    }
+
+    /* Should we check for NFS? */
+    if(rootcheck.skip_nfs)
+    {
+        is_nfs = IsNFS(dir_name);
+        if(is_nfs != 0)
+        {
+            // Error will be -1, and 1 means skipped
+            return(is_nfs);
+        }
+    }
+
+    /* Getting the number of nodes. The total number on opendir
+     * must be the same
+     */
+    if(lstat(dir_name, &statbuf) < 0)
+    {
+        return(-1);
+    }
+
+    /* Current device id */
+    if (did != statbuf.st_dev) {
+        if (did != 0) {
+            did_changed = 1;
+        }
+        did = statbuf.st_dev;
+    }
+
+    if (!S_ISDIR(statbuf.st_mode)) {
+        return (-1);
+    }
+
+#ifndef WIN32
+    /* Check if the do_read is valid for this directory */
+    while (dirs_to_doread[i]) {
+        if (strcmp(dir_name, dirs_to_doread[i]) == 0) {
+            do_read = 1;
+            break;
+        }
+        i++;
+    }
+#else
+    do_read = 0;
+#endif
+
+    /* Open the directory */
+    dp = opendir(dir_name);
+    if (!dp) {
+        if ((strcmp(dir_name, "") == 0) &&
+                (dp = opendir("/"))) {
+            /* ok */
+        } else {
+            return (-1);
+        }
+    }
+
+    /* Read every entry in the directory */
+    while ((entry = readdir(dp)) != NULL) {
+        char f_name[PATH_MAX + 2];
+        struct stat statbuf_local;
+
+        /* Ignore . and ..  */
+        if ((strcmp(entry->d_name, ".") == 0) ||
+                (strcmp(entry->d_name, "..") == 0)) {
+            entry_count++;
+            continue;
+        }
+
+        /* Create new file + path string */
+        if (strlen(dir_name) == 1 && *dir_name == PATH_SEP) {
+            snprintf(f_name, PATH_MAX + 1, "%c%s", PATH_SEP, entry->d_name);
+        } else {
+            snprintf(f_name, PATH_MAX + 1, "%s%c%s", dir_name, PATH_SEP, entry->d_name);
+        }
+
+        /* Check if file is a directory */
+        if (lstat(f_name, &statbuf_local) == 0) {
+            /* On all the systems except Darwin, the
+             * link count is only increased on directories
+             */
+#ifndef Darwin
+            if (S_ISDIR(statbuf_local.st_mode))
+#else
+            if (S_ISDIR(statbuf_local.st_mode) ||
+                    S_ISREG(statbuf_local.st_mode)
+            /* No S_ISLNK on Windows */
+#ifndef WIN32
+		    || S_ISLNK(statbuf_local.st_mode)
+#endif
+		    )
+#endif
+            {
+                entry_count++;
+            }
+        }
+
+        /* Ignore the /proc and /sys filesystems */
+        if (check_ignore(f_name) || !strcmp(f_name, "/proc") || !strcmp(f_name, "/sys")) {
+            continue;
+        }
+
+        /* Check every file against the rootkit database */
+        for (i = 0; i <= rk_sys_count; i++) {
+            if (!rk_sys_file[i]) {
+                break;
+            }
+
+            if (strcmp(rk_sys_file[i], entry->d_name) == 0) {
+                char op_msg[OS_SIZE_1024 + 1];
+
+                _sys_errors++;
+                snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
+                         "by the presence of file '%s/%s'.",
+                         rk_sys_name[i], dir_name, rk_sys_file[i]);
+
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            }
+        }
+
+        read_sys_file(f_name, do_read);
+    }
+
+    /* skip further test because the FS cant deliver the stats (btrfs link count always is 1) */
+    skip_fs = skipFS(dir_name);
+    if(skip_fs != 0)
+    {
+        // Error will be -1, and 1 means skipped
+        closedir(dp);
+        return(0);
+    }
+
+    /* Entry count for directory different than the actual
+     * link count from stats
+     */
+    if ((entry_count != (unsigned) statbuf.st_nlink) &&
+            ((did_changed == 0) || ((entry_count + 1) != (unsigned) statbuf.st_nlink))) {
+#ifndef WIN32
+        struct stat statbuf2;
+        char op_msg[OS_SIZE_1024 + 1];
+
+        if ((lstat(dir_name, &statbuf2) == 0) &&
+                ((unsigned) statbuf2.st_nlink != entry_count)) {
+            snprintf(op_msg, OS_SIZE_1024, "Files hidden inside directory "
+                     "'%s'. Link count does not match number of files "
+                     "(%d,%d).",
+                     dir_name, entry_count, (int)statbuf.st_nlink);
+
+            /* Solaris /boot is terrible :), as is /dev! */
+#ifdef SOLARIS
+            if ((strncmp(dir_name, "/boot", strlen("/boot")) != 0) && (strncmp(dir_name, "/dev", strlen("/dev")) != 0)) {
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                _sys_errors++;
+            }
+#elif defined(Darwin) || defined(FreeBSD)
+            if (strncmp(dir_name, "/dev", strlen("/dev")) != 0) {
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                _sys_errors++;
+            }
+#else
+            if (!check_ignore(dir_name)) {
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+                _sys_errors++;
+            }
+
+#endif
+        }
+#endif /* WIN32 */
+    }
+
+    closedir(dp);
+
+    return (0);
+}
+
+/* Scan the whole filesystem looking for possible issues */
+void check_rc_sys(const char *basedir)
+{
+    char file_path[OS_SIZE_1024 + 1];
+    char dir_path[OS_SIZE_1024 + 1];
+
+    mtdebug1(ARGV0, "Starting on check_rc_sys");
+
+    _sys_errors = 0;
+    _sys_total = 0;
+    did = 0; /* device id */
+
+    snprintf(file_path, OS_SIZE_1024, "%s", basedir);
+
+    /* Open output files */
+    if (rootcheck.notify != QUEUE) {
+        _wx = wfopen("rootcheck-rw-rw-rw-.txt", "w");
+        _ww = wfopen("rootcheck-rwxrwxrwx.txt", "w");
+        _suid = wfopen("rootcheck-suid-files.txt", "w");
+    } else {
+        _wx = NULL;
+        _ww = NULL;
+        _suid = NULL;
+    }
+
+    if (rootcheck.scanall) {
+        /* Scan the whole file system -- may be slow */
+#ifndef WIN32
+        snprintf(file_path, 3, "%s", "/");
+#else
+        snprintf(file_path, 5, "%s", "C:\\");
+#endif
+        read_sys_dir(file_path, rootcheck.readall);
+    } else {
+        /* Scan only specific directories */
+        int _i;
+#ifndef WIN32
+        const char *(dirs_to_scan[]) = {"bin", "sbin", "usr/bin",
+                                        "usr/sbin", "dev", "lib",
+                                        "etc", "root", "var/log",
+                                        "var/mail", "var/lib", "var/www",
+                                        "usr/lib", "usr/include",
+                                        "tmp", "boot", "usr/local",
+                                        "var/tmp", "sys", NULL
+                                       };
+
+#else
+        const char *(dirs_to_scan[]) = {"WINDOWS", "Program Files", NULL};
+#endif
+
+        _i = 0;
+        while (dirs_to_scan[_i] != NULL) {
+            snprintf(dir_path, OS_SIZE_1024, "%s%c%s", basedir, PATH_SEP, dirs_to_scan[_i]);
+            read_sys_dir(dir_path, rootcheck.readall);
+            _i++;
+        }
+    }
+
+    if (_sys_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "No problem found on the system."
+                 " Analyzed %d files.", _sys_total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+
+    else if (_wx && _ww && _suid) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "Check the following files for more "
+                 "information:\n%s%s%s",
+                 (ftell(_wx) == 0) ? "" :
+                 "       rootcheck-rw-rw-rw-.txt (list of world writable files)\n",
+                 (ftell(_ww) == 0) ? "" :
+                 "       rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)\n",
+                 (ftell(_suid) == 0) ? "" :
+                 "       rootcheck-suid-files.txt (list of suid files)");
+
+        notify_rk(ALERT_SYSTEM_ERR, op_msg);
+    }
+
+    if (_wx) {
+        if (ftell(_wx) == 0) {
+            unlink("rootcheck-rw-rw-rw-.txt");
+        }
+        fclose(_wx);
+    }
+
+    if (_ww) {
+        if (ftell(_ww) == 0) {
+            unlink("rootcheck-rwxrwxrwx.txt");
+        }
+        fclose(_ww);
+    }
+
+    if (_suid) {
+        if (ftell(_suid) == 0) {
+            unlink("rootcheck-suid-files.txt");
+        }
+        fclose(_suid);
+    }
+
+    return;
+}
diff --git a/src/modules/rootcheck/src/check_rc_trojans.c b/src/modules/rootcheck/src/check_rc_trojans.c
new file mode 100644
index 0000000000..e7c24bebee
--- /dev/null
+++ b/src/modules/rootcheck/src/check_rc_trojans.c
@@ -0,0 +1,119 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+
+/* Read the file pointer specified (rootkit_trojans)
+ * and check if any trojan entry is in the configured files
+ */
+void check_rc_trojans(const char *basedir, FILE *fp)
+{
+    int i = 0, _errors = 0, _total = 0;
+    char buf[OS_SIZE_1024 + 1];
+    char file_path[OS_SIZE_1024 + 1];
+    char *file;
+    char *string_to_look;
+
+#ifndef WIN32
+    const char *(all_paths[]) = {"bin", "sbin", "usr/bin", "usr/sbin", NULL};
+#else
+    const char *(all_paths[]) = {"Windows\\", NULL};
+#endif
+
+    mtdebug1(ARGV0, "Starting on check_rc_trojans");
+
+    while (fgets(buf, OS_SIZE_1024, fp) != NULL) {
+        char *nbuf;
+        char *message = NULL;
+
+        i = 0;
+        /* Remove end of line */
+        nbuf = strchr(buf, '\n');
+        if (nbuf) {
+            *nbuf = '\0';
+        }
+
+        nbuf = normalize_string(buf);
+
+        if (*nbuf == '\0' || *nbuf == '#') {
+            continue;
+        }
+
+        /* File now may be valid */
+        file = nbuf;
+
+        string_to_look = strchr(file, '!');
+        if (!string_to_look) {
+            continue;
+        }
+
+        *string_to_look = '\0';
+        string_to_look++;
+
+        message = strchr(string_to_look, '!');
+        if (!message) {
+            continue;
+        }
+        *message = '\0';
+        message++;
+
+        string_to_look = normalize_string(string_to_look);
+        file = normalize_string(file);
+        message = normalize_string(message);
+
+        if (*file == '\0' || *string_to_look == '\0') {
+            continue;
+        }
+
+        _total++;
+
+        /* Try with all possible paths */
+        while (all_paths[i] != NULL) {
+            if (*file != PATH_SEP) {
+                snprintf(file_path, OS_SIZE_1024, "%s%c%s%c%s", basedir, PATH_SEP,
+                         all_paths[i], PATH_SEP,
+                         file);
+            } else {
+                strncpy(file_path, file, OS_SIZE_1024);
+                file_path[OS_SIZE_1024 - 1] = '\0';
+            }
+
+            /* Check if entry is found */
+            if (is_file(file_path) && os_string(file_path, string_to_look)) {
+                char op_msg[OS_SIZE_2048];
+                _errors = 1;
+
+                snprintf(op_msg, OS_SIZE_2048, "Trojaned version of file "
+                         "'%s' detected. Signature used: '%s' (%s).",
+                         file_path,
+                         string_to_look,
+                         *message == '\0' ?
+                         "Generic" : message);
+
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            }
+
+            if (*file == '/') {
+                break;
+            }
+            i++;
+        }
+        continue;
+    }
+
+    if (_errors == 0) {
+        char op_msg[OS_SIZE_1024 + 1];
+        snprintf(op_msg, OS_SIZE_1024, "No binaries with any trojan detected. "
+                 "Analyzed %d files.", _total);
+        notify_rk(ALERT_OK, op_msg);
+    }
+}
diff --git a/src/modules/rootcheck/src/common.c b/src/modules/rootcheck/src/common.c
new file mode 100644
index 0000000000..0e67c350ca
--- /dev/null
+++ b/src/modules/rootcheck/src/common.c
@@ -0,0 +1,580 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+#include "os_regex/os_regex.h"
+
+/* Prototypes */
+static int _is_str_in_array(char *const *ar, const char *str);
+
+
+/* Check if the specified string is already in the array */
+static int _is_str_in_array(char *const *ar, const char *str)
+{
+    while (*ar) {
+        if (strcmp(*ar, str) == 0) {
+            return (1);
+        }
+        ar++;
+    }
+    return (0);
+}
+
+int rk_check_dir(const char *dir, const char *file, char *pattern)
+{
+    int ret_code = 0;
+    char f_name[PATH_MAX + 2];
+    struct dirent *entry = NULL;
+    struct stat statbuf_local;
+    DIR *dp = NULL;
+
+    f_name[PATH_MAX + 1] = '\0';
+
+    dp = opendir(dir);
+    if (!dp) {
+        return (0);
+    }
+
+    while ((entry = readdir(dp)) != NULL) {
+        /* Ignore . and ..  */
+        if ((strcmp(entry->d_name, ".") == 0) ||
+                (strcmp(entry->d_name, "..") == 0)) {
+            continue;
+        }
+
+        /* Create new file + path string */
+        snprintf(f_name, PATH_MAX + 1, "%s/%s", dir, entry->d_name);
+
+        /* Check if the read entry matches the provided file name */
+        if (strncasecmp(file, "r:", 2) == 0) {
+            if (OS_Regex(file + 2, entry->d_name)) {
+                if (rk_check_file(f_name, pattern)) {
+                    ret_code = 1;
+                }
+            }
+        } else {
+            /* ... otherwise try without regex */
+            if (OS_Match2(file, entry->d_name)) {
+                if (rk_check_file(f_name, pattern)) {
+                    ret_code = 1;
+                }
+            }
+        }
+
+        /* Check if file is a directory */
+        if (lstat(f_name, &statbuf_local) == 0) {
+            if (S_ISDIR(statbuf_local.st_mode)) {
+                if (rk_check_dir(f_name, file, pattern)) {
+                    ret_code = 1;
+                }
+            }
+        }
+    }
+
+    closedir(dp);
+    return (ret_code);
+
+}
+
+int rk_check_file(char *file, char *pattern)
+{
+    char *split_file;
+    int full_negate = 0;
+    int pt_result = 0;
+    FILE *fp;
+    char buf[OS_SIZE_2048 + 1];
+
+    if (file == NULL) {
+        return (0);
+    }
+
+    /* Check if the file is divided */
+    split_file = strchr(file, ',');
+    if (split_file) {
+        *split_file = '\0';
+        split_file++;
+    }
+
+    /* Get each file */
+    do {
+        /* If we don't have a pattern, just check if the file/dir is there */
+        if (pattern == NULL) {
+            if (is_file(file)) {
+                int i = 0;
+                char _b_msg[OS_SIZE_1024 + 1];
+
+                _b_msg[OS_SIZE_1024] = '\0';
+                snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
+                         file);
+
+                /* Already present */
+                if (_is_str_in_array(rootcheck.alert_msg, _b_msg)) {
+                    return (1);
+                }
+
+                while (rootcheck.alert_msg[i] && (i < 255)) {
+                    i++;
+                }
+
+                if (!rootcheck.alert_msg[i]) {
+                    os_strdup(_b_msg, rootcheck.alert_msg[i]);
+                }
+
+                return (1);
+            }
+        } else {
+            full_negate = pt_check_negate(pattern);
+            /* Check for content in the file */
+            mtdebug2(ARGV0, "Checking file: %s", file);
+            fp = wfopen(file, "r");
+            if (fp) {
+
+                mtdebug2(ARGV0, "Starting new file: %s", file);
+                buf[OS_SIZE_2048] = '\0';
+                while (fgets(buf, OS_SIZE_2048, fp) != NULL) {
+                    char *nbuf;
+
+                    /* Remove end of line */
+                    nbuf = strchr(buf, '\n');
+                    if (nbuf) {
+                        *nbuf = '\0';
+                    }
+#ifdef WIN32
+                    /* Remove end of line */
+                    nbuf = strchr(buf, '\r');
+                    if (nbuf) {
+                        *nbuf = '\0';
+                    }
+#endif
+                    /* Matched */
+                    pt_result = pt_matches(buf, pattern);
+                    mtdebug2(ARGV0, "Buf == \"%s\"", buf);
+                    mtdebug2(ARGV0, "Pattern == \"%s\"", pattern);
+                    mtdebug2(ARGV0, "pt_result == %d and full_negate == %d", pt_result, full_negate);
+                    if ((pt_result == 1 && full_negate == 0) ) {
+                        mtdebug1(ARGV0, "Alerting file %s on line %s", file, buf);
+                        int i = 0;
+                        char _b_msg[OS_SIZE_1024 + 1];
+
+                        /* Close the file before dealing with the alert */
+                        fclose(fp);
+
+                        /* Generate the alert itself */
+                        _b_msg[OS_SIZE_1024] = '\0';
+                        snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
+                                 file);
+
+                        /* Already present */
+                        if (_is_str_in_array(rootcheck.alert_msg, _b_msg)) {
+                            return (1);
+                        }
+
+                        while (rootcheck.alert_msg[i] && (i < 255)) {
+                            i++;
+                        }
+
+                        if (!rootcheck.alert_msg[i]) {
+                            os_strdup(_b_msg, rootcheck.alert_msg[i]);
+                        }
+
+                        return (1);
+                    } else if ((pt_result == 0 && full_negate == 1) ) {
+                        /* Found a full+negate match so no longer need to search
+                         * break out of loop and make sure the full negate does
+                         * not alert.
+                         */
+                        mtdebug2(ARGV0, "Found a complete match for full_negate");
+                        full_negate = 0;
+                        break;
+                    }
+                }
+
+                fclose(fp);
+
+                if (full_negate == 1) {
+                    mtdebug2(ARGV0, "Full_negate alerting - file %s", file);
+                    int i = 0;
+                    char _b_msg[OS_SIZE_1024 + 1];
+
+                    /* Generate the alert itself */
+                    _b_msg[OS_SIZE_1024] = '\0';
+                    snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
+                             file);
+
+                    /* Already present */
+                    if (_is_str_in_array(rootcheck.alert_msg, _b_msg)) {
+                        return (1);
+                    }
+
+                    while (rootcheck.alert_msg[i] && (i < 255)) {
+                        i++;
+                    }
+
+                    if (!rootcheck.alert_msg[i]) {
+                        os_strdup(_b_msg, rootcheck.alert_msg[i]);
+                    }
+
+                    return (1);
+                }
+            }
+        }
+
+        if (split_file) {
+            file = split_file;
+            split_file = strchr(split_file, ',');
+            if (split_file) {
+                split_file++;
+            }
+        }
+
+
+    } while (split_file);
+
+    return (0);
+}
+
+/* Check if the pattern is all negate values */
+int pt_check_negate(const char *pattern)
+{
+    char *mypattern = NULL;
+    os_strdup(pattern, mypattern);
+    char *tmp_pt = mypattern;
+    char *tmp_pattern = mypattern;
+
+    while (tmp_pt != NULL) {
+        /* First look for " && " */
+        tmp_pt = strchr(tmp_pattern, ' ');
+        if (tmp_pt && tmp_pt[1] == '&' && tmp_pt[2] == '&' && tmp_pt[3] == ' ') {
+            *tmp_pt = '\0';
+            tmp_pt += 4;
+        } else {
+            tmp_pt = NULL;
+        }
+
+        if (*tmp_pattern != '!') {
+            free(mypattern);
+            return 0;
+        }
+
+        tmp_pattern = tmp_pt;
+    }
+
+    mtdebug2(ARGV0, "Pattern: %s is fill_negate", pattern);
+    free(mypattern);
+    return (1);
+}
+
+/* Checks if the specific pattern is present on str.
+ * A pattern can be preceded by:
+ *                                =: (for equal) - default - strcasecmp
+ *                                r: (for ossec regexes)
+ *                                >: (for strcmp greater)
+ *                                <: (for strcmp  lower)
+ *
+ * Multiple patterns can be specified by using " && " between them.
+ * All of them must match for it to return true.
+ */
+int pt_matches(const char *str, char *pattern)
+{
+    int neg = 0;
+    int ret_code = 0;
+    char *tmp_pt = pattern;
+    char *tmp_ret = NULL;
+
+    if (str == NULL) {
+        return (0);
+    }
+
+    while (tmp_pt != NULL) {
+        /* First look for " && " */
+        tmp_pt = strchr(pattern, ' ');
+        if (tmp_pt && tmp_pt[1] == '&' && tmp_pt[2] == '&' && tmp_pt[3] == ' ') {
+            /* Mark pointer to clean it up */
+            tmp_ret = tmp_pt;
+
+            *tmp_pt = '\0';
+            tmp_pt += 4;
+        } else {
+            tmp_pt = NULL;
+        }
+
+        /* Check for negate values */
+        neg = 0;
+        ret_code = 0;
+        if (*pattern == '!') {
+            pattern++;
+            neg = 1;
+        }
+
+        /* Do the actual comparison */
+        if (strncasecmp(pattern, "=:", 2) == 0) {
+            pattern += 2;
+            if (strcasecmp(pattern, str) == 0) {
+                ret_code = 1;
+            }
+        } else if (strncasecmp(pattern, "r:", 2) == 0) {
+            pattern += 2;
+            if (OS_Regex(pattern, str)) {
+                mtdebug2(ARGV0, "Pattern: %s matches %s.", pattern, str);
+                ret_code = 1;
+            }
+        } else if (strncasecmp(pattern, "<:", 2) == 0) {
+            pattern += 2;
+            if (strcmp(pattern, str) < 0) {
+                ret_code = 1;
+            }
+        } else if (strncasecmp(pattern, ">:", 2) == 0) {
+            pattern += 2;
+            if (strcmp(pattern, str) > 0) {
+                ret_code = 1;
+            }
+        } else {
+#ifdef WIN32
+            char final_file[2048 + 1];
+
+            /* Try to get Windows variable */
+            if (*pattern == '%') {
+                final_file[0] = '\0';
+                final_file[2048] = '\0';
+
+                ExpandEnvironmentStrings(pattern, final_file, 2047);
+            } else {
+                strncpy(final_file, pattern, 2047);
+            }
+
+            /* Compare against the expanded variable */
+            if (strcasecmp(final_file, str) == 0) {
+                ret_code = 1;
+            }
+#else
+            if (strcasecmp(pattern, str) == 0) {
+                ret_code = 1;
+            }
+#endif
+        }
+        /* Fix tmp_ret entry */
+        if (tmp_ret != NULL) {
+            *tmp_ret = ' ';
+            tmp_ret = NULL;
+        }
+
+        /* If we have "!", return true if we don't match */
+        if (neg == 1) {
+            if (ret_code) {
+                ret_code = 0;
+                break;
+            }
+        } else {
+            if (!ret_code) {
+                ret_code = 0;
+                break;
+            }
+        }
+
+        ret_code = 1;
+        pattern = tmp_pt;
+    }
+
+    return (ret_code);
+}
+
+/* Normalizes a string, removing white spaces and tabs
+ * from the beginning and the end of it.
+ */
+char *normalize_string(char *str)
+{
+    size_t str_sz = strlen(str);
+    /* Return zero-length str as is */
+    if (str_sz == 0) {
+        return str;
+    } else {
+        str_sz--;
+    }
+    /* Remove trailing spaces */
+    while (str[str_sz] == ' ' || str[str_sz] == '\t') {
+        if (str_sz == 0) {
+            break;
+        }
+
+        str[str_sz--] = '\0';
+    }
+    /* ignore leading spaces */
+    while (*str != '\0') {
+        if (*str == ' ' || *str == '\t') {
+            str++;
+        } else {
+            break;
+        }
+    }
+
+    return (str);
+}
+
+/* Check if 'file' is present on 'dir' using readdir */
+int isfile_ondir(const char *file, const char *dir)
+{
+    DIR *dp = NULL;
+    struct dirent *entry = NULL;
+    dp = opendir(dir);
+
+    if (!dp) {
+        return (0);
+    }
+
+    while ((entry = readdir(dp)) != NULL) {
+        if (strcmp(entry->d_name, file) == 0) {
+            closedir(dp);
+            return (1);
+        }
+    }
+
+    closedir(dp);
+    return (0);
+}
+
+/* Check if the file is present using several methods
+ * to avoid being tricked by syscall hiding
+ */
+int is_file(char *file_name)
+{
+    struct  stat statbuf;
+    int     ret = 0;
+    FILE    *fp = NULL;
+    DIR     *dp = NULL;
+
+    if (!file_name) {
+        mtdebug2(ARGV0, "RK: Invalid file name: NULL!");
+        return ret;
+    }
+
+    dp = opendir(file_name);
+    if (dp) {
+        closedir(dp);
+        ret = 1;
+#ifndef WIN32
+    } else if (errno == ENOTDIR) {
+        ret = 1;
+#endif
+    }
+
+    /* Trying other calls */
+    if ((stat(file_name, &statbuf) < 0) &&
+#ifndef WIN32
+            (access(file_name, F_OK) < 0) &&
+#endif
+            ((fp = wfopen(file_name, "r")) == NULL)) {
+        return ret;
+    }
+
+    if (fp) {
+        ret = 1;
+        fclose(fp);
+    }
+
+    return ret;
+}
+
+/* Delete the process list */
+int del_plist(OSList *p_list)
+{
+    OSListNode *l_node;
+    OSListNode *p_node = NULL;
+
+    if (p_list == NULL) {
+        return (0);
+    }
+
+    l_node = OSList_GetFirstNode(p_list);
+    while (l_node) {
+        Proc_Info *pinfo;
+
+        pinfo = (Proc_Info *)l_node->data;
+
+        if (pinfo->p_name) {
+            free(pinfo->p_name);
+        }
+
+        if (pinfo->p_path) {
+            free(pinfo->p_path);
+        }
+
+        free(l_node->data);
+
+        if (p_node) {
+            free(p_node);
+            p_node = NULL;
+        }
+        p_node = l_node;
+
+        l_node = OSList_GetNextNode(p_list);
+    }
+
+    if (p_node) {
+        free(p_node);
+        p_node = NULL;
+    }
+
+    pthread_mutex_destroy(&(p_list->mutex));
+    pthread_rwlock_destroy(&(p_list->wr_mutex));
+
+    free(p_list);
+
+    return (1);
+}
+
+/* Check if a process is running */
+int is_process(char *value, OSList *p_list)
+{
+    OSListNode *l_node;
+    if (p_list == NULL) {
+        return (0);
+    }
+    if (!value) {
+        return (0);
+    }
+
+    l_node = OSList_GetFirstNode(p_list);
+    while (l_node) {
+        Proc_Info *pinfo;
+
+        pinfo = (Proc_Info *)l_node->data;
+
+        /* Check if value matches */
+        if (pt_matches(pinfo->p_path, value)) {
+            int i = 0;
+            char _b_msg[OS_SIZE_1024 + 1];
+
+            _b_msg[OS_SIZE_1024] = '\0';
+
+            snprintf(_b_msg, OS_SIZE_1024, " Process: %s.",
+                     pinfo->p_path);
+
+            /* Already present */
+            if (_is_str_in_array(rootcheck.alert_msg, _b_msg)) {
+                return (1);
+            }
+
+            while (rootcheck.alert_msg[i] && (i < 255)) {
+                i++;
+            }
+
+            if (!rootcheck.alert_msg[i]) {
+                os_strdup(_b_msg, rootcheck.alert_msg[i]);
+            }
+
+            return (1);
+        }
+
+        l_node = OSList_GetNextNode(p_list);
+    }
+
+    return (0);
+}
diff --git a/src/modules/rootcheck/src/common_rcl.c b/src/modules/rootcheck/src/common_rcl.c
new file mode 100644
index 0000000000..97f929cd4f
--- /dev/null
+++ b/src/modules/rootcheck/src/common_rcl.c
@@ -0,0 +1,608 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+/* Prototypes */
+static char *_rkcl_getfp(FILE *fp, char *buf);
+static int   _rkcl_is_name(const char *buf);
+static int   _rkcl_get_vars(OSStore *vars, char *nbuf);
+static char *_rkcl_get_name(char *buf, char *ref, int *condition);
+static char *_rkcl_get_pattern(char *value);
+static char *_rkcl_get_value(char *buf, int *type);
+
+/* Types of values */
+#define RKCL_TYPE_FILE      1
+#define RKCL_TYPE_REGISTRY  2
+#define RKCL_TYPE_PROCESS   3
+#define RKCL_TYPE_DIR       4
+
+#define RKCL_COND_ALL       0x001
+#define RKCL_COND_ANY       0x002
+#define RKCL_COND_REQ       0x004
+#define RKCL_COND_NON       0x008
+#define RKCL_COND_INV       0x016
+#ifdef WIN32
+char *_rkcl_getrootdir(char *root_dir, int dir_size)
+{
+    char final_file[2048 + 1];
+    char *tmp;
+
+    final_file[0] = '\0';
+    final_file[2048] = '\0';
+
+    ExpandEnvironmentStrings("%WINDIR%", final_file, 2047);
+
+    tmp = strchr(final_file, '\\');
+    if (tmp) {
+        *tmp = '\0';
+        const int bytes_written = snprintf(root_dir, dir_size, "%s", final_file);
+
+        if (bytes_written < 0 || bytes_written >= dir_size) {
+            return (NULL);
+        }
+
+        return (root_dir);
+    }
+
+    return (NULL);
+}
+#endif
+
+/* Get next available buffer in file */
+static char *_rkcl_getfp(FILE *fp, char *buf)
+{
+    while (fgets(buf, OS_SIZE_1024, fp) != NULL) {
+        char *nbuf;
+
+        /* Remove end of line */
+        nbuf = strchr(buf, '\n');
+        if (nbuf) {
+            *nbuf = '\0';
+        }
+
+        /* Assign buf to be used */
+        nbuf = buf;
+
+        /* Exclude commented lines or blanked ones */
+        while (*nbuf != '\0') {
+            if (*nbuf == ' ' || *nbuf == '\t') {
+                nbuf++;
+                continue;
+            } else if (*nbuf == '#') {
+                *nbuf = '\0';
+                continue;
+            } else {
+                break;
+            }
+        }
+
+        /* Go to next line if empty */
+        if (*nbuf == '\0') {
+            continue;
+        }
+
+        return (nbuf);
+    }
+
+    return (NULL);
+}
+
+static int _rkcl_is_name(const char *buf)
+{
+    if (*buf == '[' && buf[strlen(buf) - 1] == ']') {
+        return (1);
+    }
+    return (0);
+}
+
+static int _rkcl_get_vars(OSStore *vars, char *nbuf)
+{
+    char *var_value;
+    char *tmp;
+
+    /* If not a variable, return 0 */
+    if (*nbuf != '$') {
+        return (0);
+    }
+
+    /* Remove semicolon from the end */
+    tmp = strchr(nbuf, ';');
+    if (tmp) {
+        *tmp = '\0';
+    } else {
+        return (-1);
+    }
+
+    /* Get value */
+    tmp = strchr(nbuf, '=');
+    if (tmp) {
+        *tmp = '\0';
+        tmp++;
+    } else {
+        return (-1);
+    }
+
+    /* Dump the variable options */
+    os_strdup(tmp, var_value);
+
+    /* Add entry to the storage */
+    OSStore_Put(vars, nbuf, var_value);
+    return (1);
+}
+
+static char *_rkcl_get_name(char *buf, char *ref, int *condition)
+{
+    char *tmp_location;
+    char *tmp_location2;
+    *condition = 0;
+
+    /* Check if name is valid */
+    if (!_rkcl_is_name(buf)) {
+        return (NULL);
+    }
+
+    /* Set name */
+    buf++;
+    tmp_location = strchr(buf, ']');
+    if (!tmp_location) {
+        return (NULL);
+    }
+    *tmp_location = '\0';
+
+    /* Get condition */
+    tmp_location++;
+    if (*tmp_location != ' ' && tmp_location[1] != '[') {
+        return (NULL);
+    }
+    tmp_location += 2;
+
+    tmp_location2 = strchr(tmp_location, ']');
+    if (!tmp_location2) {
+        return (NULL);
+    }
+    *tmp_location2 = '\0';
+    tmp_location2++;
+
+    /* Get condition */
+    if (strcmp(tmp_location, "all") == 0) {
+        *condition |= RKCL_COND_ALL;
+    } else if (strcmp(tmp_location, "any") == 0) {
+        *condition |= RKCL_COND_ANY;
+    } else if (strcmp(tmp_location, "none") == 0) {
+        *condition |= RKCL_COND_NON;
+    } else if (strcmp(tmp_location, "any required") == 0) {
+        *condition |= RKCL_COND_ANY;
+        *condition |= RKCL_COND_REQ;
+    } else if (strcmp(tmp_location, "all required") == 0) {
+        *condition |= RKCL_COND_ALL;
+        *condition |= RKCL_COND_REQ;
+    } else {
+        *condition = RKCL_COND_INV;
+        return (NULL);
+    }
+
+    /* Get reference */
+    if (*tmp_location2 != ' ' && tmp_location2[1] != '[') {
+        return (NULL);
+    }
+
+    tmp_location2 += 2;
+    tmp_location = strchr(tmp_location2, ']');
+    if (!tmp_location) {
+        return (NULL);
+    }
+    *tmp_location = '\0';
+
+    /* Copy reference */
+    strncpy(ref, tmp_location2, 255);
+
+    return (strdup(buf));
+}
+
+static char *_rkcl_get_pattern(char *value)
+{
+    while (*value != '\0') {
+        if ((*value == ' ') && (value[1] == '-') &&
+                (value[2] == '>') && (value[3] == ' ')) {
+            *value = '\0';
+            value += 4;
+
+            return (value);
+        }
+        value++;
+    }
+
+    return (NULL);
+}
+
+static char *_rkcl_get_value(char *buf, int *type)
+{
+    char *tmp_str;
+    char *value;
+
+    /* Zero type before using it to make sure return is valid
+     * in case of error.
+     */
+    *type = 0;
+
+    value = strchr(buf, ':');
+    if (value == NULL) {
+        return (NULL);
+    }
+
+    *value = '\0';
+    value++;
+
+    tmp_str = strchr(value, ';');
+    if (tmp_str == NULL) {
+        return (NULL);
+    }
+    *tmp_str = '\0';
+
+    /* Get types - removing negate flag (using later) */
+    if (*buf == '!') {
+        buf++;
+    }
+
+    if (strcmp(buf, "f") == 0) {
+        *type = RKCL_TYPE_FILE;
+    } else if (strcmp(buf, "r") == 0) {
+        *type = RKCL_TYPE_REGISTRY;
+    } else if (strcmp(buf, "p") == 0) {
+        *type = RKCL_TYPE_PROCESS;
+    } else if (strcmp(buf, "d") == 0) {
+        *type = RKCL_TYPE_DIR;
+    } else {
+        return (NULL);
+    }
+
+    return (value);
+}
+
+int rkcl_get_entry(FILE *fp, const char *msg, OSList *p_list)
+{
+    int type = 0, condition = 0;
+    char *nbuf;
+    char buf[OS_SIZE_1024 + 2] = {0};
+#ifdef WIN32
+    char root_dir[OS_SIZE_1024 + 2] = {0};
+    char final_file[2048 + 1] = {0};
+#endif
+    char ref[255 + 1] = {0};
+    char *value;
+    char *name = NULL;
+    OSStore *vars;
+
+#ifdef WIN32
+    /* Get Windows rootdir */
+    _rkcl_getrootdir(root_dir, sizeof(root_dir));
+    if (root_dir[0] == '\0') {
+        mterror(ARGV0, INVALID_ROOTDIR);
+    }
+#endif
+    /* Get variables */
+    vars = OSStore_Create();
+
+    /* We first read all variables -- they must be defined at the top */
+    while (1) {
+        int rc_code = 0;
+        nbuf = _rkcl_getfp(fp, buf);
+        if (nbuf == NULL) {
+            goto clean_return;
+        }
+
+        rc_code = _rkcl_get_vars(vars, nbuf);
+        if (rc_code == 0) {
+            break;
+        } else if (rc_code == -1) {
+            mterror(ARGV0, INVALID_RKCL_VAR, nbuf);
+            goto clean_return;
+        }
+    }
+
+    /* Get first name */
+    name = _rkcl_get_name(nbuf, ref, &condition);
+    if (name == NULL || condition == RKCL_COND_INV) {
+        mterror(ARGV0, INVALID_RKCL_NAME, nbuf);
+        goto clean_return;
+    }
+
+    /* Get the real entries */
+    do {
+        int g_found = 0;
+        int not_found = 0;
+
+        mtdebug2(ARGV0, "Checking entry: '%s'.", name);
+
+        /* Get each value */
+        do {
+            int negate = 0;
+            int found = 0;
+            value = NULL;
+
+            nbuf = _rkcl_getfp(fp, buf);
+            if (nbuf == NULL) {
+                break;
+            }
+
+            /* First try to get the name, looking for new entries */
+            if (_rkcl_is_name(nbuf)) {
+                break;
+            }
+
+            /* Get value to look for */
+            value = _rkcl_get_value(nbuf, &type);
+            if (value == NULL) {
+                mterror(ARGV0, INVALID_RKCL_VALUE, nbuf);
+                goto clean_return;
+            }
+
+            /* Get negate value */
+            if (*value == '!') {
+                negate = 1;
+                value++;
+            }
+
+            /* Check for a file */
+            if (type == RKCL_TYPE_FILE) {
+                char *pattern = NULL;
+                char *f_value = NULL;
+
+                pattern = _rkcl_get_pattern(value);
+                f_value = value;
+                assert(f_value != NULL);
+
+                /* Get any variable */
+                if (value[0] == '$') {
+                    f_value = (char *) OSStore_Get(vars, value);
+                    if (!f_value) {
+                        mterror(ARGV0, INVALID_RKCL_VAR, value);
+                        continue;
+                    }
+                }
+
+#ifdef WIN32
+                else if (value[0] == '\\') {
+                    final_file[0] = '\0';
+                    final_file[sizeof(final_file) - 1] = '\0';
+
+                    snprintf(final_file, sizeof(final_file) - 2, "%s%s",
+                             root_dir, value);
+                    f_value = final_file;
+                } else {
+                    final_file[0] = '\0';
+                    final_file[sizeof(final_file) - 1] = '\0';
+
+                    ExpandEnvironmentStrings(value, final_file,
+                                             sizeof(final_file) - 2);
+                    f_value = final_file;
+                }
+#endif
+
+                mtdebug2(ARGV0, "Checking file: '%s'.", f_value);
+                if (rk_check_file(f_value, pattern)) {
+                    mtdebug2(ARGV0, "Found file.");
+                    found = 1;
+                }
+            }
+
+#ifdef WIN32
+            /* Check for a registry entry */
+            else if (type == RKCL_TYPE_REGISTRY) {
+                char *entry = NULL;
+                char *pattern = NULL;
+
+                /* Look for additional entries in the registry
+                 * and a pattern to match.
+                 */
+                entry = _rkcl_get_pattern(value);
+                if (entry) {
+                    pattern = _rkcl_get_pattern(entry);
+                }
+
+                mtdebug2(ARGV0, "Checking registry: '%s'.", value);
+                if (is_registry(value, entry, pattern)) {
+                    mtdebug2(ARGV0, "Found registry.");
+                    found = 1;
+                }
+
+            }
+#endif
+            /* Check for a directory */
+            else if (type == RKCL_TYPE_DIR) {
+                char *file = NULL;
+                char *pattern = NULL;
+                char *f_value = NULL;
+                char *dir = NULL;
+
+                file = _rkcl_get_pattern(value);
+                if (!file) {
+                    mterror(ARGV0, INVALID_RKCL_VAR, value);
+                    continue;
+                }
+
+                pattern = _rkcl_get_pattern(file);
+
+                /* Get any variable */
+                if (value[0] == '$') {
+                    f_value = (char *) OSStore_Get(vars, value);
+                    if (!f_value) {
+                        mterror(ARGV0, INVALID_RKCL_VAR, value);
+                        continue;
+                    }
+                } else {
+                    f_value = value;
+                }
+
+                /* Check for multiple comma separated directories */
+                dir = f_value;
+                f_value = strchr(dir, ',');
+                if (f_value) {
+                    *f_value = '\0';
+                }
+
+                while (dir) {
+
+                    mtdebug2(ARGV0, "Checking dir: %s", dir);
+
+                    short is_nfs = IsNFS(dir);
+                    if( is_nfs == 1 && rootcheck.skip_nfs ) {
+                        mtdebug1(ARGV0, "rootcheck.skip_nfs enabled and %s is flagged as NFS.", dir);
+                    }
+                    else {
+                        mtdebug2(ARGV0, "%s => is_nfs=%d, skip_nfs=%d", dir, is_nfs, rootcheck.skip_nfs);
+
+                        if (rk_check_dir(dir, file, pattern)) {
+                            mtdebug2(ARGV0, "Found dir.");
+                            found = 1;
+                        }
+                    }
+
+                    if (f_value) {
+                        *f_value = ',';
+                        f_value++;
+
+                        dir = f_value;
+
+                        f_value = strchr(dir, ',');
+                        if (f_value) {
+                            *f_value = '\0';
+                        }
+                    } else {
+                        dir = NULL;
+                    }
+                }
+            }
+
+            /* Check for a process */
+            else if (type == RKCL_TYPE_PROCESS) {
+                mtdebug2(ARGV0, "Checking process: '%s'.", value);
+                if (is_process(value, p_list)) {
+                    mtdebug2(ARGV0, "Found process.");
+                    found = 1;
+                }
+            }
+
+            /* Switch the values if ! is present */
+            if (negate) {
+                if (found) {
+                    found = 0;
+                } else {
+                    found = 1;
+                }
+            }
+
+            /* Check the conditions */
+            if (condition & RKCL_COND_ANY) {
+                mtdebug2(ARGV0, "Condition ANY.");
+                if (found) {
+                    g_found = 1;
+                }
+            } else if (condition & RKCL_COND_NON) {
+                mtdebug2(ARGV0, "Condition NON.");
+                if (!found && (not_found != -1)) {
+                    mtdebug2(ARGV0, "Condition NON setze not_found=1.");
+                    not_found = 1;
+                } else {
+                    not_found = -1;
+                }
+            } else {
+                /* Condition for ALL */
+                mtdebug2(ARGV0, "Condition ALL.");
+                if (found && (g_found != -1)) {
+                    g_found = 1;
+                } else {
+                    g_found = -1;
+                }
+            }
+        } while (value != NULL);
+
+        if (condition & RKCL_COND_NON) {
+           if (not_found == -1){ g_found = 0;} else {g_found = 1;}
+        }
+
+        /* Alert if necessary */
+        if (g_found == 1) {
+            int j = 0;
+            char op_msg[OS_SIZE_1024 + 1];
+            char **p_alert_msg = rootcheck.alert_msg;
+
+            while (1) {
+                if (ref[0] != '\0') {
+                    snprintf(op_msg, OS_SIZE_1024, "%s %s.%s"
+                             " Reference: %s .", msg, name,
+                             p_alert_msg[j] ? p_alert_msg[j] : "\0",
+                             ref);
+                } else {
+                    snprintf(op_msg, OS_SIZE_1024, "%s %s.%s", msg,
+                             name, p_alert_msg[j] ? p_alert_msg[j] : "\0");
+                }
+
+                if ((type == RKCL_TYPE_DIR) || (j == 0)) {
+                    notify_rk(ALERT_POLICY_VIOLATION, op_msg);
+                }
+
+                if (p_alert_msg[j]) {
+                    free(p_alert_msg[j]);
+                    p_alert_msg[j] = NULL;
+                    j++;
+
+                    if (!p_alert_msg[j]) {
+                        break;
+                    }
+                } else {
+                    break;
+                }
+            }
+        } else {
+            int j = 0;
+            while (rootcheck.alert_msg[j]) {
+                free(rootcheck.alert_msg[j]);
+                rootcheck.alert_msg[j] = NULL;
+                j++;
+            }
+
+            /* Check if this entry is required for the rest of the file */
+            if (condition & RKCL_COND_REQ) {
+                goto clean_return;
+            }
+        }
+
+        /* End if we don't have anything else */
+        if (!nbuf) {
+            goto clean_return;
+        }
+
+        /* Clean up name */
+        if (name) {
+            free(name);
+            name = NULL;
+        }
+
+        /* Get name already read */
+        name = _rkcl_get_name(nbuf, ref, &condition);
+        if (!name) {
+            mterror(ARGV0, INVALID_RKCL_NAME, nbuf);
+            goto clean_return;
+        }
+    } while (nbuf != NULL);
+
+    /* Clean up memory */
+clean_return:
+    if (name) {
+        free(name);
+        name = NULL;
+    }
+    OSStore_Free(vars);
+
+    return (1);
+}
diff --git a/src/modules/rootcheck/src/config.c b/src/modules/rootcheck/src/config.c
new file mode 100644
index 0000000000..26b672330b
--- /dev/null
+++ b/src/modules/rootcheck/src/config.c
@@ -0,0 +1,108 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifdef OSSECHIDS
+#include "shared.h"
+#include "rootcheck.h"
+#include "config/config.h"
+#include "external/cJSON/cJSON.h"
+
+
+/* Read the rootcheck config */
+int Read_Rootcheck_Config(const char *cfgfile)
+{
+    int modules = 0;
+
+    modules |= CROOTCHECK;
+    if (ReadConfig(modules, cfgfile, &rootcheck, NULL) < 0) {
+        return (OS_INVALID);
+    }
+
+#ifdef CLIENT
+    /* Read shared config */
+    modules |= CAGENT_CONFIG;
+    ReadConfig(modules, AGENTCONFIG, &rootcheck, NULL);
+#endif
+
+    switch (rootcheck.disabled) {
+    case RK_CONF_UNPARSED:
+        rootcheck.disabled = 1;
+        break;
+    case RK_CONF_UNDEFINED:
+        rootcheck.disabled = 0;
+    }
+
+    return (0);
+}
+
+
+cJSON *getRootcheckConfig(void) {
+
+    cJSON *root = cJSON_CreateObject();
+    cJSON *rtck = cJSON_CreateObject();
+    unsigned int i;
+
+    if (rootcheck.disabled) cJSON_AddStringToObject(rtck,"disabled","yes"); else cJSON_AddStringToObject(rtck,"disabled","no");
+    if (rootcheck.basedir) cJSON_AddStringToObject(rtck,"base_directory",rootcheck.basedir);
+    if (rootcheck.rootkit_files) cJSON_AddStringToObject(rtck,"rootkit_files",rootcheck.rootkit_files);
+    if (rootcheck.rootkit_trojans) cJSON_AddStringToObject(rtck,"rootkit_trojans",rootcheck.rootkit_trojans);
+    if (rootcheck.scanall) cJSON_AddStringToObject(rtck,"scanall","yes"); else cJSON_AddStringToObject(rtck,"scanall","no");
+    if (rootcheck.skip_nfs) cJSON_AddStringToObject(rtck,"skip_nfs","yes"); else cJSON_AddStringToObject(rtck,"skip_nfs","no");
+    cJSON_AddNumberToObject(rtck,"frequency",rootcheck.time);
+    if (rootcheck.checks.rc_dev) cJSON_AddStringToObject(rtck,"check_dev","yes"); else cJSON_AddStringToObject(rtck,"check_dev","no");
+    if (rootcheck.checks.rc_files) cJSON_AddStringToObject(rtck,"check_files","yes"); else cJSON_AddStringToObject(rtck,"check_files","no");
+    if (rootcheck.checks.rc_if) cJSON_AddStringToObject(rtck,"check_if","yes"); else cJSON_AddStringToObject(rtck,"check_if","no");
+    if (rootcheck.checks.rc_pids) cJSON_AddStringToObject(rtck,"check_pids","yes"); else cJSON_AddStringToObject(rtck,"check_pids","no");
+    if (rootcheck.checks.rc_ports) cJSON_AddStringToObject(rtck,"check_ports","yes"); else cJSON_AddStringToObject(rtck,"check_ports","no");
+    if (rootcheck.checks.rc_sys) cJSON_AddStringToObject(rtck,"check_sys","yes"); else cJSON_AddStringToObject(rtck,"check_sys","no");
+    if (rootcheck.checks.rc_trojans) cJSON_AddStringToObject(rtck,"check_trojans","yes"); else cJSON_AddStringToObject(rtck,"check_trojans","no");
+#ifdef WIN32
+    if (rootcheck.checks.rc_winaudit) cJSON_AddStringToObject(rtck,"check_winaudit","yes"); else cJSON_AddStringToObject(rtck,"check_winaudit","no");
+    if (rootcheck.checks.rc_winmalware) cJSON_AddStringToObject(rtck,"check_winmalware","yes"); else cJSON_AddStringToObject(rtck,"check_winmalware","no");
+    if (rootcheck.checks.rc_winapps) cJSON_AddStringToObject(rtck,"check_winapps","yes"); else cJSON_AddStringToObject(rtck,"check_winapps","no");
+    if (rootcheck.winapps) cJSON_AddStringToObject(rtck,"windows_apps",rootcheck.winapps);
+    if (rootcheck.winmalware) cJSON_AddStringToObject(rtck,"windows_malware",rootcheck.winmalware);
+    if (rootcheck.winaudit) cJSON_AddStringToObject(rtck,"windows_audit",rootcheck.winaudit);
+#else
+    if (rootcheck.checks.rc_unixaudit) cJSON_AddStringToObject(rtck,"check_unixaudit","yes"); else cJSON_AddStringToObject(rtck,"check_unixaudit","no");
+    if (rootcheck.unixaudit) {
+        cJSON *uaudit = cJSON_CreateArray();
+        for (i=0;rootcheck.unixaudit[i];i++) {
+            cJSON_AddItemToArray(uaudit, cJSON_CreateString(rootcheck.unixaudit[i]));
+        }
+        cJSON_AddItemToObject(rtck,"system_audit",uaudit);
+    }
+
+#endif
+
+    if (rootcheck.ignore) {
+        cJSON *igns = NULL;
+        cJSON *ignsregex = NULL;
+
+        for (i=0; rootcheck.ignore[i]; i++) {
+            if (rootcheck.ignore_sregex[i]) {
+                if (!ignsregex) ignsregex = cJSON_CreateArray();
+                cJSON_AddItemToArray(ignsregex, cJSON_CreateString(rootcheck.ignore_sregex[i]->raw));
+            } else {
+                if (!igns) igns = cJSON_CreateArray();
+                cJSON_AddItemToArray(igns, cJSON_CreateString(rootcheck.ignore[i]));
+            }
+        }
+
+        if (igns) cJSON_AddItemToObject(rtck, "ignore", igns);
+        if (ignsregex) cJSON_AddItemToObject(rtck, "ignore_sregex", ignsregex);
+    }
+
+    cJSON_AddItemToObject(root, "rootcheck", rtck);
+
+    return root;
+}
+
+#endif /* OSSECHIDS */
diff --git a/src/modules/rootcheck/src/os_string.c b/src/modules/rootcheck/src/os_string.c
new file mode 100644
index 0000000000..9c1b3805e3
--- /dev/null
+++ b/src/modules/rootcheck/src/os_string.c
@@ -0,0 +1,275 @@
+/* Included and modified strings.c from the OpenBSD project */
+
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ * Copyright (c) 1980, 1987, 1993
+ * The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef WIN32
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include "file_op.h"
+#include <stdlib.h>
+#include <string.h>
+#include <locale.h>
+#include <unistd.h>
+#include <netinet/in.h>
+
+#ifdef SOLARIS
+#include <sys/exechdr.h>
+#elif defined Darwin || defined HPUX || defined ALPINE
+
+/* For some reason darwin does not have that */
+struct exec {
+    unsigned long a_info;         /* Use macros N_MAGIC, etc for access */
+    unsigned char   a_machtype;   /* machine type */
+    unsigned short  a_magic;      /* magic number */
+    unsigned a_text;              /* length of text, in bytes */
+    unsigned a_data;              /* length of data, in bytes */
+    unsigned a_bss;               /* length of uninitialized data area for file, in bytes */
+    unsigned a_syms;              /* length of symbol table data in file, in bytes */
+    unsigned a_entry;             /* start address */
+    unsigned a_trsize;            /* length of relocation info for text, in bytes */
+    unsigned a_drsize;            /* length of relocation info for data, in bytes */
+};
+
+#define OMAGIC      0407     /* Object file or impure executable */
+#define NMAGIC      0410     /* Code indicating pure executable */
+#define ZMAGIC      0413     /* Code indicating demand-paged executable */
+#define BMAGIC      0415     /* Used by a b.out object */
+#define M_OLDSUN2      0
+
+#else
+
+#include <a.out.h>
+
+#endif
+
+#ifndef PAGSIZ
+#define       PAGSIZ          0x02000
+#endif
+
+#ifndef OLD_PAGSIZ
+#define       OLD_PAGSIZ      0x00800
+#endif
+
+#ifndef N_BADMAG
+
+#ifdef AIX
+#define       N_BADMAG(x) \
+    (((x).magic)!=U802TOCMAGIC && ((x).magic)!=U803TOCMAGIC && ((x).magic)!=U803XTOCMAGIC && ((x).magic)!=U64_TOCMAGIC)
+#else /* non AIX */
+#define       N_BADMAG(x) \
+    (((x).a_magic)!=OMAGIC && ((x).a_magic)!=NMAGIC && ((x).a_magic)!=ZMAGIC)
+#endif
+
+#endif  /* N_BADMAG */
+
+#ifndef N_PAGSIZ
+#define       N_PAGSIZ(x) \
+        ((x).a_machtype == M_OLDSUN2? OLD_PAGSIZ : PAGSIZ)
+#endif
+
+#ifndef N_TXTOFF
+
+#ifdef AIX
+#define         N_TXTOFF(x) \
+        /* text segment */ \
+            ((x).magic==U64_TOCMAGIC ? 0 : sizeof (struct aouthdr))
+#else /* non AIX */
+#define       N_TXTOFF(x) \
+        /* text segment */ \
+    ((x).a_machtype == M_OLDSUN2 \
+           ? ((x).a_magic==ZMAGIC ? N_PAGSIZ(x) : sizeof (struct exec)) \
+           : ((x).a_magic==ZMAGIC ? 0 : sizeof (struct exec)) )
+#endif
+
+#endif /* N_TXTOFF */
+
+#include "headers/defs.h"
+#include "headers/debug_op.h"
+#include "headers/regex_op.h"
+
+#include "error_messages/error_messages.h"
+#include "error_messages/debug_messages.h"
+
+#define STR_MINLEN  4       /* Minimum length for a string */
+
+#define ISSTR(ch)   (isascii(ch) && (isprint(ch) || ch == '\t'))
+
+#ifdef AIX
+typedef struct aouthdr EXEC;
+#else
+typedef struct exec EXEC;
+#endif
+
+typedef struct _os_strings {
+    int head_len;
+    int read_len;
+    int hcnt;
+    long foff;
+    unsigned char hbfr[sizeof(EXEC)];
+    FILE *fp;
+} os_strings;
+
+/* Read each character from a binary file */
+int os_getch(os_strings *oss);
+
+
+/* List the strings of a binary and check if the regex given is there */
+int os_string(char *file, char *regex)
+{
+    int ch, cnt;
+    unsigned char *C;
+    unsigned char *bfr;
+    char line[OS_SIZE_1024 + 1];
+    char *buf;
+    EXEC *head = NULL;
+    os_strings oss;
+
+    /* Return didn't match */
+    if (!file || !regex) {
+        return (0);
+    }
+
+    /* Allocate the buffer */
+    bfr = (unsigned char *) calloc(STR_MINLEN + 2, sizeof(unsigned char));
+    if (!bfr) {
+        mterror(ARGV0, MEM_ERROR, errno, strerror(errno));
+        return (0);
+    }
+
+    /* Open the file */
+    oss.fp = wfopen(file, "r");
+    if (!oss.fp) {
+        free(bfr);
+        return (0);
+    }
+
+    /* Clean the line */
+    memset(line, '\0', OS_SIZE_1024 + 1);
+
+    /* Start (from old strings.c) */
+    oss.foff = 0;
+    oss.head_len = 0;
+    oss.read_len = -1;
+    head = (EXEC *)oss.hbfr;
+
+    if ((oss.head_len = read(fileno(oss.fp), head, sizeof(EXEC))) == -1) {
+        oss.head_len = 0;
+        oss.read_len = -1;
+    } else if (oss.head_len == sizeof(EXEC) && !N_BADMAG(*head)) {
+        oss.foff = N_TXTOFF(*head);
+        if (fseek(stdin, oss.foff, SEEK_SET) == -1) {
+            oss.read_len = -1;
+        } else {
+#ifdef AIX
+            oss.read_len = head->tsize + head->dsize;
+#else
+            oss.read_len = head->a_text + head->a_data;
+#endif
+        }
+
+        oss.head_len = 0;
+    } else {
+        oss.hcnt = 0;
+    }
+
+    /* Read the file and perform the regex comparison */
+    for (cnt = 0, C = bfr; (ch = os_getch(&oss)) != EOF;) {
+        if (ISSTR(ch)) {
+            if (!cnt) {
+                C = bfr;
+            }
+            *C++ = ch;
+            if (++cnt < STR_MINLEN) {
+                continue;
+            }
+
+            strncpy(line, (char *)bfr, STR_MINLEN + 1);
+            buf = line;
+            buf += strlen(line);
+
+            while ((ch = os_getch(&oss)) != EOF && ISSTR(ch)) {
+                if (cnt < OS_SIZE_1024) {
+                    *buf = (char)ch;
+                    buf++;
+                } else {
+                    *buf = '\0';
+                    break;
+                }
+                cnt++;
+            }
+
+            *buf = '\0';
+
+            if (OS_PRegex(line, regex)) {
+                if (oss.fp) {
+                    fclose(oss.fp);
+                }
+                free(bfr);
+                return (1);
+            }
+        }
+
+        cnt = 0;
+    }
+
+    if (oss.fp) {
+        fclose(oss.fp);
+    }
+    free(bfr);
+    return (0);
+}
+
+/* Get next character from wherever */
+int os_getch(os_strings *oss)
+{
+    ++oss->foff;
+    if (oss->head_len) {
+        if (oss->hcnt < oss->head_len) {
+            return ((int)oss->hbfr[oss->hcnt++]);
+        }
+        oss->head_len = 0;
+    }
+    if (oss->read_len == -1 || oss->read_len-- > 0) {
+        return (fgetc(oss->fp));
+    }
+    return (EOF);
+}
+
+#else
+int os_string(__attribute__((unused)) char *file, __attribute__((unused)) char *regex)
+{
+    return (0);
+}
+#endif
diff --git a/src/modules/rootcheck/src/rootcheck.c b/src/modules/rootcheck/src/rootcheck.c
index e69de29bb2..aed44184b5 100644
--- a/src/modules/rootcheck/src/rootcheck.c
+++ b/src/modules/rootcheck/src/rootcheck.c
@@ -0,0 +1,293 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+/*
+ * Rootcheck
+ * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
+ * http://www.ossec.net/rootcheck/
+ */
+
+#include "headers/shared.h"
+#include "rootcheck.h"
+
+rkconfig rootcheck;
+char **rk_sys_file;
+char **rk_sys_name;
+int rk_sys_count;
+char total_ports_udp[65535 + 1];
+char total_ports_tcp[65535 + 1];
+
+#ifndef ARGV0
+#define ARGV0 "rootcheck"
+#endif
+
+#ifndef OSSECHIDS
+
+/* Print help statement */
+void help_rootcheck(char * home_path)
+{
+    print_header();
+    print_out("  %s: -[Vhdtsr] [-c config] [-D dir]", ARGV0);
+    print_out("    -V          Version and license message");
+    print_out("    -h          Print this help message");
+    print_out("    -d          Execute in debug mode. This parameter");
+    print_out("                can be specified multiple times");
+    print_out("                to increase the debug level.");
+    print_out("    -t          Test configuration");
+    print_out("    -s          Scan the whole system");
+    print_out("    -r          Read all the files for kernel-based detection");
+    print_out("    -c <config> Configuration file to use");
+    print_out("    -D <dir>    Directory to chroot into (default: %s)", home_path);
+    print_out(" ");
+    os_free(home_path);
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    int test_config = 0;
+    const char *cfg = "./rootcheck.conf";
+    char * home_path = w_homedir(argv[0]);
+
+#else
+
+int rootcheck_init(int test_config)
+{
+    const char *cfg = OSSECCONF;
+
+#endif /* OSSECHIDS */
+
+    int c;
+
+#ifndef OSSECHIDS
+    if (chdir(home_path) == -1) {
+        merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
+    }
+#endif /* OSSECHIDS */
+
+    /* Zero the structure, initialize default values */
+    rootcheck.workdir = NULL;
+    rootcheck.basedir = NULL;
+    rootcheck.unixaudit = NULL;
+    rootcheck.ignore = NULL;
+    rootcheck.ignore_sregex = NULL;
+    rootcheck.rootkit_files = NULL;
+    rootcheck.rootkit_trojans = NULL;
+    rootcheck.winaudit = NULL;
+    rootcheck.winmalware = NULL;
+    rootcheck.winapps = NULL;
+    rootcheck.daemon = 1;
+    rootcheck.notify = QUEUE;
+    rootcheck.scanall = 0;
+    rootcheck.readall = 0;
+    rootcheck.disabled = RK_CONF_UNPARSED;
+    rootcheck.skip_nfs = 0;
+    rootcheck.alert_msg = NULL;
+    rootcheck.time = ROOTCHECK_WAIT;
+
+    rootcheck.checks.rc_dev = 1;
+    rootcheck.checks.rc_files = 0;
+    rootcheck.checks.rc_if = 1;
+    rootcheck.checks.rc_pids = 1;
+    rootcheck.checks.rc_ports = 1;
+    rootcheck.checks.rc_sys = 1;
+    rootcheck.checks.rc_trojans = 0;
+#ifdef WIN32
+    rootcheck.checks.rc_winaudit = 0;
+    rootcheck.checks.rc_winmalware = 0;
+    rootcheck.checks.rc_winapps = 0;
+#else
+    rootcheck.checks.rc_unixaudit = 0;
+#endif
+
+    /* We store up to 255 alerts in there */
+    os_calloc(256, sizeof(char *), rootcheck.alert_msg);
+    c = 0;
+    while (c <= 255) {
+        rootcheck.alert_msg[c] = NULL;
+        c++;
+    }
+
+#ifndef OSSECHIDS
+    rootcheck.notify = SYSLOG_RK;
+    rootcheck.daemon = 0;
+    while ((c = getopt(argc, argv, "VstrdhD:c:")) != -1) {
+        switch (c) {
+            case 'V':
+                print_version();
+                break;
+            case 'h':
+                help_rootcheck(home_path);
+                break;
+            case 'd':
+                nowDebug();
+                break;
+            case 'D':
+                if (!optarg) {
+                    mterror_exit(ARGV0, "-D needs an argument");
+                }
+                rootcheck.workdir = optarg;
+                break;
+            case 'c':
+                if (!optarg) {
+                    mterror_exit(ARGV0, "-c needs an argument");
+                }
+                cfg = optarg;
+                break;
+            case 's':
+                rootcheck.scanall = 1;
+                break;
+            case 't':
+                test_config = 1;
+                break;
+            case 'r':
+                rootcheck.readall = 1;
+                break;
+            default:
+                help_rootcheck(home_path);
+                break;
+        }
+    }
+#ifdef WIN32
+    /* Start Winsock */
+    {
+        WSADATA wsaData;
+        if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) {
+            mterror_exit(ARGV0, "WSAStartup() failed");
+        }
+    }
+#endif /* WIN32 */
+
+#endif /* OSSECHIDS */
+
+    /* Check if the configuration is present */
+    if (File_DateofChange(cfg) < 0) {
+        mterror(ARGV0, "Configuration file '%s' not found", cfg);
+        return (-1);
+    }
+
+    /* Read configuration  --function specified twice (check makefile) */
+    if (Read_Rootcheck_Config(cfg) < 0) {
+        mwarn(RCONFIG_ERROR, ARGV0, cfg);
+        return (1);
+    }
+
+#ifndef WIN32
+    if(rootcheck.checks.rc_unixaudit && !test_config) {
+        mwarn("The check_unixaudit option is deprecated in favor of the SCA module.");
+    }
+#endif
+
+#ifdef WIN32
+    if(rootcheck.checks.rc_winaudit && !test_config) {
+        mwarn("The check_winaudit option is deprecated in favor of the SCA module.");
+    }
+#endif
+
+    rootcheck.tsleep = getDefine_Int("rootcheck", "sleep", 0, 1000);
+
+    /* If testing config, exit here */
+    if (test_config) {
+        return (0);
+    }
+
+    /* Return 1 disables rootcheck */
+    if (rootcheck.disabled == 1) {
+        mtinfo(ARGV0, "Rootcheck disabled.");
+        return (1);
+    }
+
+#ifndef WIN32
+    /* Check if Unix audit file is configured */
+    if (rootcheck.checks.rc_unixaudit && !rootcheck.unixaudit) {
+        mtferror(ARGV0, "System audit file not configured.");
+    }
+#endif
+
+    /* Set default values */
+#ifndef OSSECHIDS
+    mdebug1(WAZUH_HOMEDIR, home_path);
+    if (rootcheck.workdir == NULL) {
+        rootcheck.workdir = home_path;
+    }
+#endif
+
+#ifdef OSSECHIDS
+    /* Start up message */
+#ifdef WIN32
+    mtinfo(ARGV0, STARTUP_MSG, getpid());
+#endif /* WIN32 */
+
+#endif /* OSSECHIDS */
+
+    /* Initialize rk list */
+    rk_sys_name = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
+    rk_sys_file = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
+    if (!rk_sys_name || !rk_sys_file) {
+        mterror_exit(ARGV0, MEM_ERROR, errno, strerror(errno));
+    }
+    rk_sys_name[0] = NULL;
+    rk_sys_file[0] = NULL;
+
+#ifndef OSSECHIDS
+#ifndef WIN32
+    /* Start signal handling */
+    StartSIG(ARGV0);
+    rootcheck_connect();
+#endif
+    mtdebug1(ARGV0, "Running run_rk_check");
+    run_rk_check();
+
+    mtdebug1(ARGV0, "Leaving...");
+    os_free(home_path);
+#endif /* OSSECHIDS */
+    return (0);
+}
+
+void rootcheck_connect() {
+#ifndef WIN32
+    /* Connect to the queue if configured to do so */
+    if (rootcheck.notify == QUEUE) {
+        mtdebug1(ARGV0, "Starting queue ...");
+
+        /* Start the queue */
+        if ((rootcheck.queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+            mterror_exit(ARGV0, QUEUE_FATAL, DEFAULTQUEUE);
+        }
+    }
+#endif
+}
+
+/* Do not look for the user ignored paths */
+ int check_ignore(const char *path_to_ignore) {
+    int i;
+
+    if (!rootcheck.ignore) {
+        return 0;
+    }
+
+    for (i = 0; rootcheck.ignore[i] != NULL; i++) {
+        if (rootcheck.ignore_sregex[i]) {
+            if (OSMatch_Execute(path_to_ignore, strlen(path_to_ignore), rootcheck.ignore_sregex[i])) {
+                mdebug1("'%s' matches the '%s' pattern, so it will be ignored.", path_to_ignore, rootcheck.ignore_sregex[i]->raw);
+                return 1;
+            }
+#ifndef WIN32
+        } else if (!strcmp(path_to_ignore, rootcheck.ignore[i])) {
+#else
+        } else if (!strcasecmp(path_to_ignore, rootcheck.ignore[i])) {
+#endif
+            mdebug1("'%s' has been marked as ignored.", path_to_ignore);
+            return 1;
+        }
+    }
+
+    return 0;
+ }
diff --git a/src/modules/rootcheck/src/rootcheck_config.c b/src/modules/rootcheck/src/rootcheck_config.c
new file mode 100644
index 0000000000..202b4967d4
--- /dev/null
+++ b/src/modules/rootcheck/src/rootcheck_config.c
@@ -0,0 +1,157 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef OSSECHIDS
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "shared.h"
+#include "os_xml/os_xml.h"
+#include "rootcheck.h"
+
+
+/* Evaluate boolean with two arguments
+ * str: input string, "yes"|"no"
+ * default_val: 1(yes)|0(no)
+ */
+short eval_bool2(char *str, short default_val)
+{
+    short ret = default_val;
+
+    if (str == NULL) {
+        return (ret);
+    } else if (strcmp(str, "yes") == 0) {
+        ret = 1;
+    } else if (strcmp(str, "no") == 0) {
+        ret = 0;
+    }
+
+    free(str);
+    return (ret);
+}
+
+/* Read the rootcheck config */
+int Read_Rootcheck_Config(const char *cfgfile)
+{
+    OS_XML xml;
+
+    /* XML Definitions */
+    const char *(xml_base_dir[]) = {xml_rootcheck, "base_directory", NULL};
+    const char *(xml_workdir[]) = {xml_rootcheck, "work_directory", NULL};
+    const char *(xml_rootkit_files[]) = {xml_rootcheck, "rootkit_files", NULL};
+    const char *(xml_rootkit_trojans[]) = {xml_rootcheck, "rootkit_trojans", NULL};
+    const char *(xml_rootkit_unixaudit[]) = {xml_rootcheck, "system_audit", NULL};
+    const char *(xml_rootkit_winaudit[]) = {xml_rootcheck, "windows_audit", NULL};
+    const char *(xml_rootkit_winapps[]) = {xml_rootcheck, "windows_apps", NULL};
+    const char *(xml_rootkit_winmalware[]) = {xml_rootcheck, "windows_malware", NULL};
+    const char *(xml_scanall[]) = {xml_rootcheck, "scanall", NULL};
+    const char *(xml_readall[]) = {xml_rootcheck, "readall", NULL};
+#ifdef OSSECHIDS
+    const char *(xml_time[]) = {xml_rootcheck, "frequency", NULL};
+    char *str = NULL;
+#endif
+    const char *(xml_check_dev[]) = {xml_rootcheck, "check_dev", NULL};
+    const char *(xml_check_files[]) = {xml_rootcheck, "check_files", NULL};
+    const char *(xml_check_if[]) = {xml_rootcheck, "check_if", NULL};
+    const char *(xml_check_pids[]) = {xml_rootcheck, "check_pids", NULL};
+    const char *(xml_check_ports[]) = {xml_rootcheck, "check_ports", NULL};
+    const char *(xml_check_sys[]) = {xml_rootcheck, "check_sys", NULL};
+    const char *(xml_check_trojans[]) = {xml_rootcheck, "check_trojans", NULL};
+#ifdef WIN32
+    const char *(xml_check_winapps[]) = {xml_rootcheck, "check_winapps", NULL};
+    const char *(xml_check_winaudit[]) = {xml_rootcheck, "check_winaudit", NULL};
+    const char *(xml_check_winmalware[]) = {xml_rootcheck, "check_winmalware", NULL};
+#else
+    const char *(xml_check_unixaudit[]) = {xml_rootcheck, "check_unixaudit", NULL};
+#endif
+
+#ifdef OSSECHIDS
+    /* :) */
+    xml_time[2] = NULL;
+#endif
+
+    if (OS_ReadXML(cfgfile, &xml) < 0) {
+        mterror(ARGV0, "config_op: XML error: %s", xml.err);
+        return (OS_INVALID);
+    }
+
+    if (!OS_RootElementExist(&xml, xml_rootcheck)) {
+        OS_ClearXML(&xml);
+        mterror(ARGV0, "Rootcheck configuration not found.");
+        return (-1);
+    }
+
+
+#ifdef OSSECHIDS
+    /* time  */
+    str = OS_GetOneContentforElement(&xml, xml_time);
+    if (str) {
+        if (!OS_StrIsNum(str)) {
+            mterror(ARGV0, "Invalid frequency time '%s' for the rootkit detection (must be int).", str);
+            return (OS_INVALID);
+        }
+
+        rootcheck.time = atoi(str);
+        free(str);
+        str = NULL;
+    }
+#endif /* OSSECHIDS */
+
+    /* Scan all flags */
+    if (!rootcheck.scanall) {
+        rootcheck.scanall = eval_bool2(OS_GetOneContentforElement(&xml, xml_scanall), 0);
+    }
+
+    /* Read all flags */
+    if (!rootcheck.readall) {
+        rootcheck.readall = eval_bool2(OS_GetOneContentforElement(&xml, xml_readall), 0);
+    }
+
+    /* Get work directory */
+    if (!rootcheck.workdir) {
+        rootcheck.workdir  = OS_GetOneContentforElement(&xml, xml_workdir);
+    }
+
+    rootcheck.rootkit_files  = OS_GetOneContentforElement
+                               (&xml, xml_rootkit_files);
+    rootcheck.rootkit_trojans  = OS_GetOneContentforElement
+                                 (&xml, xml_rootkit_trojans);
+    rootcheck.unixaudit = OS_GetContents
+                          (&xml, xml_rootkit_unixaudit);
+    rootcheck.winaudit  = OS_GetOneContentforElement
+                          (&xml, xml_rootkit_winaudit);
+    rootcheck.winapps  = OS_GetOneContentforElement
+                         (&xml, xml_rootkit_winapps);
+    rootcheck.winmalware  = OS_GetOneContentforElement
+                            (&xml, xml_rootkit_winmalware);
+    rootcheck.basedir  = OS_GetOneContentforElement(&xml, xml_base_dir);
+    rootcheck.checks.rc_dev = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_dev), 1);
+    rootcheck.checks.rc_files = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_files), 1);
+    rootcheck.checks.rc_if = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_if), 1);
+    rootcheck.checks.rc_pids = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_pids), 1);
+    rootcheck.checks.rc_ports = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_ports), 1);
+    rootcheck.checks.rc_sys = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_sys), 1);
+    rootcheck.checks.rc_trojans = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_trojans), 1);
+#ifdef WIN32
+    rootcheck.checks.rc_winapps = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winapps), 1);
+    rootcheck.checks.rc_winaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winaudit), 1);
+    rootcheck.checks.rc_winmalware = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winmalware), 1);
+#else
+    rootcheck.checks.rc_unixaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_unixaudit), 1);
+#endif /* WIN32 */
+    OS_ClearXML(&xml);
+
+
+    return (0);
+}
+#endif
diff --git a/src/modules/rootcheck/src/run_rk_check.c b/src/modules/rootcheck/src/run_rk_check.c
new file mode 100644
index 0000000000..7ecad012e9
--- /dev/null
+++ b/src/modules/rootcheck/src/run_rk_check.c
@@ -0,0 +1,360 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+#include "config/syscheck-config.h"
+
+static void log_realtime_status_rk(int next);
+
+/* Report a problem */
+int notify_rk(int rk_type, const char *msg)
+{
+    /* Non-queue notification */
+    if (rootcheck.notify != QUEUE) {
+        if (rk_type == ALERT_OK) {
+            printf("[OK]: %s\n", msg);
+        } else if (rk_type == ALERT_SYSTEM_ERR) {
+            printf("[ERR]: %s\n", msg);
+        } else if (rk_type == ALERT_POLICY_VIOLATION) {
+            printf("[INFO]: %s\n", msg);
+        } else {
+            printf("[FAILED]: %s\n", msg);
+        }
+
+        printf("\n");
+        return (0);
+    }
+
+    /* No need to alert on that to the server */
+    if (rk_type <= ALERT_SYSTEM_ERR) {
+        return (0);
+    }
+
+#ifdef OSSECHIDS
+    /* When running in context of OSSEC-HIDS, send problem to the rootcheck queue */
+    if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
+        mterror(ARGV0, QUEUE_SEND);
+
+        if ((rootcheck.queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+            mterror_exit(ARGV0, QUEUE_FATAL, DEFAULTQUEUE);
+        }
+
+        if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
+            mterror_exit(ARGV0, QUEUE_FATAL, DEFAULTQUEUE);
+        }
+    }
+#endif
+
+    return (0);
+}
+
+/* Execute the rootkit checks */
+void run_rk_check()
+{
+    time_t time1;
+    time_t time2;
+    FILE *fp;
+    OSList *plist;
+
+#ifndef WIN32
+    /* On non-Windows, always start at / */
+    char basedir[] = "";
+#else
+    /* On Windows, always start at C:\ */
+    char basedir[] = "C:";
+#endif
+
+    /* Set basedir */
+    if (rootcheck.basedir == NULL || !strlen(rootcheck.basedir)) {
+        free(rootcheck.basedir);
+        rootcheck.basedir = strdup(basedir);
+    } else {
+        if (rootcheck.basedir[strlen(rootcheck.basedir)-1] == '/') {
+            rootcheck.basedir[strlen(rootcheck.basedir)-1] = '\0';
+        }
+    }
+
+    time1 = time(0);
+
+    /* Initial message */
+    if (rootcheck.notify != QUEUE) {
+        printf("\n");
+        printf("** Starting Rootcheck v0.9 by Daniel B. Cid        **\n");
+        printf("** http://www.ossec.net/en/about.html#dev-team     **\n");
+        printf("** http://www.ossec.net/rootcheck/                 **\n\n");
+        printf("Be patient, it may take a few minutes to complete...\n");
+        printf("\n");
+    }
+
+    /* Clean the global variables */
+    rk_sys_count = 0;
+    rk_sys_file[rk_sys_count] = NULL;
+    rk_sys_name[rk_sys_count] = NULL;
+
+    /* Send scan start message */
+    notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
+    if (rootcheck.notify == QUEUE) {
+        mtinfo(ARGV0, "Starting rootcheck scan.");
+    }
+
+    /* Check for Rootkits */
+    /* Open rootkit_files and pass the pointer to check_rc_files */
+    if (rootcheck.checks.rc_files) {
+        if (!rootcheck.rootkit_files) {
+#ifndef WIN32
+            mterror(ARGV0, "No rootcheck_files file configured.");
+#endif
+        } else {
+            fp = wfopen(rootcheck.rootkit_files, "r");
+            if (!fp) {
+                mterror(ARGV0, "No rootcheck_files file: '%s'", rootcheck.rootkit_files);
+            }
+
+            else {
+                check_rc_files(rootcheck.basedir, fp);
+                fclose(fp);
+            }
+        }
+    }
+
+    /* Check for trojan entries in common binaries */
+    if (rootcheck.checks.rc_trojans) {
+        if (!rootcheck.rootkit_trojans) {
+#ifndef WIN32
+            mterror(ARGV0, "No rootcheck_trojans file configured.");
+#endif
+        } else {
+            fp = wfopen(rootcheck.rootkit_trojans, "r");
+            if (!fp) {
+                mterror(ARGV0, "No rootcheck_trojans file: '%s'", rootcheck.rootkit_trojans);
+            } else {
+#ifndef HPUX
+                check_rc_trojans(rootcheck.basedir, fp);
+#endif
+                fclose(fp);
+            }
+        }
+    }
+
+#ifdef WIN32
+    /* Get process list */
+    plist = os_get_process_list();
+
+    /* Windows audit check */
+    if (rootcheck.checks.rc_winaudit) {
+        if (!rootcheck.winaudit) {
+            mtinfo(ARGV0, "No winaudit file configured.");
+        } else {
+            fp = wfopen(rootcheck.winaudit, "r");
+            if (!fp) {
+                mterror(ARGV0, "No winaudit file: '%s'", rootcheck.winaudit);
+            } else {
+                check_rc_winaudit(fp, plist);
+                fclose(fp);
+            }
+        }
+    }
+
+    /* Windows malware */
+    if (rootcheck.checks.rc_winmalware) {
+        if (!rootcheck.winmalware) {
+            mtinfo(ARGV0, "No winmalware file configured.");
+        } else {
+            fp = wfopen(rootcheck.winmalware, "r");
+            if (!fp) {
+                mterror(ARGV0, "No winmalware file: '%s'", rootcheck.winmalware);
+            } else {
+                check_rc_winmalware(fp, plist);
+                fclose(fp);
+            }
+        }
+    }
+
+    /* Windows Apps */
+    if (rootcheck.checks.rc_winapps) {
+        if (!rootcheck.winapps) {
+            mtinfo(ARGV0, "No winapps file configured.");
+        } else {
+            fp = wfopen(rootcheck.winapps, "r");
+            if (!fp) {
+                mterror(ARGV0, "No winapps file: '%s'", rootcheck.winapps);
+            } else {
+                check_rc_winapps(fp, plist);
+                fclose(fp);
+            }
+        }
+    }
+
+    /* Free the process list */
+    del_plist((void *)plist);
+
+#else
+    size_t i;
+    /* Checks for other non-Windows */
+
+    /* Unix audit check ***/
+    if (rootcheck.checks.rc_unixaudit) {
+        if (rootcheck.unixaudit) {
+            /* Get process list */
+            plist = os_get_process_list();
+
+            i = 0;
+            while (rootcheck.unixaudit[i]) {
+                fp = wfopen(rootcheck.unixaudit[i], "r");
+                if (!fp) {
+                    mterror(ARGV0, "No unixaudit file: '%s'", rootcheck.unixaudit[i]);
+                } else {
+                    /* Run unix audit */
+                    check_rc_unixaudit(fp, plist);
+                    fclose(fp);
+                }
+
+                i++;
+            }
+
+            /* Free list */
+            del_plist(plist);
+        }
+    }
+
+#endif /* !WIN32 */
+
+    /* Check for files in the /dev filesystem */
+    if (rootcheck.checks.rc_dev) {
+        mtdebug1(ARGV0, "Going into check_rc_dev");
+        check_rc_dev(rootcheck.basedir);
+    }
+
+    /* Scan the whole system for additional issues */
+    if (rootcheck.checks.rc_sys) {
+        mtdebug1(ARGV0, "Going into check_rc_sys");
+        check_rc_sys(rootcheck.basedir);
+    }
+
+    /* Check processes */
+    if (rootcheck.checks.rc_pids) {
+        mtdebug1(ARGV0, "Going into check_rc_pids");
+        check_rc_pids();
+    }
+
+    /* Check all ports */
+    if (rootcheck.checks.rc_ports) {
+        mtdebug1(ARGV0, "Going into check_rc_ports");
+        check_rc_ports();
+
+        /* Check open ports */
+        mtdebug1(ARGV0, "Going into check_open_ports");
+        check_open_ports();
+    }
+
+    /* Check interfaces */
+    if (rootcheck.checks.rc_if) {
+        mtdebug1(ARGV0, "Going into check_rc_if");
+        check_rc_if();
+    }
+
+    mtdebug1(ARGV0, "Completed with all checks.");
+
+    /* Clean the global memory */
+    {
+        int li;
+        for (li = 0; li <= rk_sys_count; li++) {
+            if (!rk_sys_file[li] ||
+                    !rk_sys_name[li]) {
+                break;
+            }
+
+            free(rk_sys_file[li]);
+            free(rk_sys_name[li]);
+        }
+    }
+
+    /* Final message */
+    time2 = time(0);
+
+    if (rootcheck.notify != QUEUE) {
+        printf("\n");
+        printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1));
+    } else {
+        sleep(5);
+    }
+
+    /* Send scan ending message */
+    notify_rk(ALERT_POLICY_VIOLATION, "Ending rootcheck scan.");
+    if (rootcheck.notify == QUEUE) {
+        mtinfo(ARGV0, "Ending rootcheck scan.");
+    }
+
+    mtdebug1(ARGV0, "Leaving run_rk_check");
+    return;
+}
+
+#ifdef WIN32
+DWORD WINAPI w_rootcheck_thread(__attribute__((unused)) void * args){
+#else
+void * w_rootcheck_thread(__attribute__((unused)) void * args) {
+#endif
+    time_t curr_time = 0;
+    time_t prev_time_rk = 0;
+    syscheck_config *syscheck = args;
+
+    while (1) {
+        int run_now = 0;
+
+        /* Check if syscheck should be restarted */
+        run_now = os_check_restart_rootcheck();
+        curr_time = time(0);
+
+        /* If time elapsed is higher than the rootcheck_time, run it */
+        if (syscheck->rootcheck) {
+            if (((curr_time - prev_time_rk) > rootcheck.time) || run_now) {
+                log_realtime_status_rk(2);
+                run_rk_check();
+                prev_time_rk = time(0);
+            }
+        }
+        sleep(1);
+    }
+
+#ifndef WIN32
+    return NULL;
+#endif
+}
+
+void log_realtime_status_rk(int next) {
+    /*
+     * 0: stop (initial)
+     * 1: run
+     * 2: pause
+     */
+
+    static int status = 0;
+
+    switch (status) {
+    case 0:
+        if (next == 1) {
+            minfo("Starting rootcheck real-time monitoring.");
+            status = next;
+        }
+        break;
+    case 1:
+        if (next == 2) {
+            minfo("Pausing rootcheck real-time monitoring.");
+            status = next;
+        }
+        break;
+    case 2:
+        if (next == 1) {
+            minfo("Resuming rootcheck real-time monitoring.");
+            status = next;
+        }
+    }
+}
diff --git a/src/modules/rootcheck/src/unix_process.c b/src/modules/rootcheck/src/unix_process.c
new file mode 100644
index 0000000000..233952a1df
--- /dev/null
+++ b/src/modules/rootcheck/src/unix_process.c
@@ -0,0 +1,121 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+
+#ifndef WIN32
+
+static char *_os_get_runps(const char *ps, int mpid)
+{
+    char *tmp_str, *nbuf;
+    char buf[OS_SIZE_2048 + 1];
+    char command[OS_SIZE_1024 + 1];
+    FILE *fp;
+
+    buf[0] = '\0';
+    command[0] = '\0';
+    command[OS_SIZE_1024] = '\0';
+
+    const int size = snprintf(command, sizeof(command), "%s -p %d 2> /dev/null", ps, mpid);
+
+    if (size < 0 || (size_t)size >= sizeof(command)) {
+        return (NULL);
+    }
+
+
+    fp = popen(command, "r");
+    if (fp) {
+        while (fgets(buf, OS_SIZE_2048, fp) != NULL) {
+            tmp_str = strchr(buf, ':');
+            if (!tmp_str) {
+                continue;
+            }
+
+            nbuf = tmp_str++;
+
+            tmp_str = strchr(nbuf, ' ');
+            if (!tmp_str) {
+                continue;
+            }
+            tmp_str++;
+
+            /* Remove whitespaces */
+            while (*tmp_str == ' ') {
+                tmp_str++;
+            }
+
+            nbuf = tmp_str;
+
+            tmp_str = strchr(nbuf, '\n');
+            if (tmp_str) {
+                *tmp_str = '\0';
+            }
+
+            pclose(fp);
+            return (strdup(nbuf));
+        }
+
+        pclose(fp);
+    }
+
+    return (NULL);
+}
+
+/* Get list of Unix processes */
+OSList *os_get_process_list()
+{
+    int i = 1;
+    pid_t max_pid = MAX_PID;
+    OSList *p_list = NULL;
+    char ps[OS_SIZE_1024 + 1];
+
+    /* Check where ps is */
+    memset(ps, '\0', OS_SIZE_1024 + 1);
+    strncpy(ps, "/bin/ps", OS_SIZE_1024);
+    if (!is_file(ps)) {
+        strncpy(ps, "/usr/bin/ps", OS_SIZE_1024);
+        if (!is_file(ps)) {
+            mterror(ARGV0, "'ps' not found.");
+            return (NULL);
+        }
+    }
+
+    /* Create process list */
+    p_list = OSList_Create();
+    if (!p_list) {
+        mterror(ARGV0, LIST_ERROR);
+        return (NULL);
+    }
+
+    for (i = 1; i <= max_pid; i++) {
+        /* Check if the pid is present */
+        if ((!((getsid(i) == -1) && (errno == ESRCH))) &&
+                (!((getpgid(i) == -1) && (errno == ESRCH)))) {
+            Proc_Info *p_info;
+            char *p_name;
+
+            p_name = _os_get_runps(ps, (int)i);
+            if (!p_name) {
+                continue;
+            }
+
+            os_calloc(1, sizeof(Proc_Info), p_info);
+            p_info->p_path = p_name;
+            p_info->p_name = NULL;
+            OSList_AddData(p_list, p_info);
+        }
+    }
+
+    return (p_list);
+}
+
+#endif /* WIN32 */
diff --git a/src/modules/rootcheck/src/win_common.c b/src/modules/rootcheck/src/win_common.c
new file mode 100644
index 0000000000..9d3dcbca2e
--- /dev/null
+++ b/src/modules/rootcheck/src/win_common.c
@@ -0,0 +1,356 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "shared.h"
+#include "rootcheck.h"
+
+#ifdef WIN32
+
+/* Global variables */
+HKEY rk_sub_tree;
+
+/* Default values */
+#define MAX_KEY_LENGTH   255
+#define MAX_KEY         2048
+#define MAX_VALUE_NAME 16383
+
+
+/* Check if file has NTFS ADS */
+int os_check_ads(const char *full_path)
+{
+    HANDLE file_h;
+    WIN32_STREAM_ID sid;
+    void *context = NULL;
+    char stream_name[MAX_PATH + 1];
+    char final_name[MAX_PATH + 1];
+    DWORD dwRead, shs, dw1, dw2;
+
+    /* Open file */
+    file_h = CreateFile(full_path,
+                        GENERIC_READ,
+                        FILE_SHARE_READ,
+                        NULL,
+                        OPEN_EXISTING,
+                        FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_POSIX_SEMANTICS,
+                        NULL);
+
+    if (file_h == INVALID_HANDLE_VALUE) {
+        return 0;
+    }
+
+    /* Zero memory */
+    ZeroMemory(&sid, sizeof(WIN32_STREAM_ID));
+
+    /* Get stream header size -- should be 20 bytes */
+    shs = (LPBYTE)&sid.cStreamName - (LPBYTE)&sid + sid.dwStreamNameSize;
+
+    while (1) {
+        if (BackupRead(file_h, (LPBYTE) &sid, shs, &dwRead,
+                       FALSE, FALSE, &context) == 0) {
+            break;
+        }
+        if (dwRead == 0) {
+            break;
+        }
+
+        stream_name[0] = '\0';
+        stream_name[MAX_PATH] = '\0';
+        if (BackupRead(file_h, (LPBYTE)stream_name,
+                       sid.dwStreamNameSize,
+                       &dwRead, FALSE, FALSE, &context)) {
+            if (dwRead != 0) {
+                DWORD i = 0;
+                int max_path_size = 0;
+                char *tmp_pt;
+                char op_msg[OS_SIZE_1024 + 1];
+
+                snprintf(final_name, MAX_PATH, "%s", full_path);
+                max_path_size = strlen(final_name);
+
+                /* Copy from wide char to char */
+                while ((i < dwRead) && (max_path_size < MAX_PATH)) {
+                    if (stream_name[i] != 0) {
+                        final_name[max_path_size] = stream_name[i];
+                        max_path_size++;
+                        final_name[max_path_size] = '\0';
+                    }
+                    i++;
+                }
+
+                tmp_pt = strrchr(final_name, ':');
+                if (tmp_pt) {
+                    *tmp_pt = '\0';
+                }
+
+                snprintf(op_msg, OS_SIZE_1024, "NTFS Alternate data stream "
+                         "found: '%s'. Possible hidden"
+                         " content.",
+                         final_name);
+                notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
+            }
+        }
+
+        /* Get next */
+        if (!BackupSeek(file_h, sid.Size.LowPart, sid.Size.HighPart,
+                        &dw1, &dw2, &context)) {
+            break;
+        }
+    }
+    BackupRead(file_h, (LPBYTE)stream_name,
+                       sid.dwStreamNameSize,
+                       &dwRead, TRUE, FALSE, &context);
+    CloseHandle(file_h);
+    return (0);
+}
+
+/* Get registry high level key */
+char *__os_winreg_getkey(char *reg_entry)
+{
+    char *ret = NULL;
+    char *tmp_str;
+
+    /* Get only the sub tree first */
+    tmp_str = strchr(reg_entry, '\\');
+    if (tmp_str) {
+        *tmp_str = '\0';
+        ret = tmp_str + 1;
+    }
+
+    /* Set sub tree */
+    if ((strcmp(reg_entry, "HKEY_LOCAL_MACHINE") == 0) ||
+            (strcmp(reg_entry, "HKLM") == 0)) {
+        rk_sub_tree = HKEY_LOCAL_MACHINE;
+    } else if (strcmp(reg_entry, "HKEY_CLASSES_ROOT") == 0) {
+        rk_sub_tree = HKEY_CLASSES_ROOT;
+    } else if (strcmp(reg_entry, "HKEY_CURRENT_CONFIG") == 0) {
+        rk_sub_tree = HKEY_CURRENT_CONFIG;
+    } else if (strcmp(reg_entry, "HKEY_USERS") == 0) {
+        rk_sub_tree = HKEY_USERS;
+    } else if ((strcmp(reg_entry, "HKCU") == 0) ||
+               (strcmp(reg_entry, "HKEY_CURRENT_USER") == 0)) {
+        rk_sub_tree = HKEY_CURRENT_USER;
+    } else {
+        /* Set sub tree to null */
+        rk_sub_tree = NULL;
+
+        /* Return tmp_str to the previous value */
+        if (tmp_str && (*tmp_str == '\0')) {
+            *tmp_str = '\\';
+        }
+        return (NULL);
+    }
+
+    /* Check if ret has nothing else */
+    if (ret && (*ret == '\0')) {
+        ret = NULL;
+    }
+
+    /* Fixing tmp_str and the real name of the registry */
+    if (tmp_str && (*tmp_str == '\0')) {
+        *tmp_str = '\\';
+    }
+
+    return (ret);
+}
+
+/* Query the key and get the value of a specific entry */
+int __os_winreg_querykey(HKEY hKey,
+        __attribute__((unused))char *p_key,
+        __attribute__((unused)) char *full_key_name,
+                         char *reg_option, char *reg_value)
+{
+    int rc;
+    DWORD i, j;
+
+    /* QueryInfo and EnumKey variables */
+    TCHAR class_name_b[MAX_PATH + 1];
+    DWORD class_name_s = MAX_PATH;
+
+    /* Number of sub keys */
+    DWORD subkey_count = 0;
+
+    /* Number of values */
+    DWORD value_count;
+
+    /* Variables for RegEnumValue */
+    TCHAR value_buffer[MAX_VALUE_NAME + 1];
+    TCHAR data_buffer[MAX_VALUE_NAME + 1];
+    DWORD value_size;
+    DWORD data_size;
+
+    /* Data type for RegEnumValue */
+    DWORD data_type = 0;
+
+    /* Storage var */
+    char var_storage[MAX_VALUE_NAME + 1];
+
+    /* Initialize the memory for some variables */
+    class_name_b[0] = '\0';
+    class_name_b[MAX_PATH] = '\0';
+
+    /* We use the class_name, subkey_count and the value count */
+    rc = RegQueryInfoKey(hKey, class_name_b, &class_name_s, NULL,
+                         &subkey_count, NULL, NULL, &value_count,
+                         NULL, NULL, NULL, NULL);
+    if (rc != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    /* Get values (if available) */
+    if (value_count) {
+        char *mt_data;
+
+        /* Clear the values for value_size and data_size */
+        value_buffer[MAX_VALUE_NAME] = '\0';
+        data_buffer[MAX_VALUE_NAME] = '\0';
+        var_storage[MAX_VALUE_NAME] = '\0';
+
+        /* Get each value */
+        for (i = 0; i < value_count; i++) {
+            value_size = MAX_VALUE_NAME;
+            data_size = MAX_VALUE_NAME;
+
+            value_buffer[0] = '\0';
+            data_buffer[0] = '\0';
+            var_storage[0] = '\0';
+
+            rc = RegEnumValue(hKey, i, value_buffer, &value_size,
+                              NULL, &data_type, (LPBYTE)data_buffer, &data_size);
+
+            /* No more values available */
+            if (rc != ERROR_SUCCESS) {
+                break;
+            }
+
+            /* Check if no value name is specified */
+            if (value_buffer[0] == '\0') {
+                value_buffer[0] = '@';
+                value_buffer[1] = '\0';
+            }
+
+            /* Check if the entry name matches the reg_option */
+            if (strcasecmp(value_buffer, reg_option) != 0) {
+                continue;
+            }
+
+            /* If a value is not present and the option matches,
+             * we can return ok
+             */
+            if (!reg_value) {
+                return (1);
+            }
+
+            /* Write value into a string */
+            switch (data_type) {
+                    int size_available;
+
+                case REG_SZ:
+                case REG_EXPAND_SZ:
+                    snprintf(var_storage, sizeof(var_storage), "%s", data_buffer);
+                    break;
+                case REG_MULTI_SZ:
+                    /* Printing multiple strings */
+                    size_available = MAX_VALUE_NAME;
+                    mt_data = data_buffer;
+
+                    while (*mt_data) {
+                        if (size_available >= (int)strlen(mt_data) + 1) {
+                            strncat(var_storage, mt_data, size_available);
+                            size_available -= strlen(mt_data);
+                            strncat(var_storage, " ", 2);
+                            size_available -= 1;
+                        }
+                        mt_data += strlen(mt_data) + 1;
+                    }
+
+                    break;
+                case REG_DWORD:
+                    snprintf(var_storage, MAX_VALUE_NAME,
+                             "%x", (unsigned int)*data_buffer);
+                    break;
+                default:
+                    size_available = MAX_VALUE_NAME - 2;
+                    for (j = 0; j < data_size; j++) {
+                        char tmp_c[12];
+
+                        snprintf(tmp_c, 12, "%02x",
+                                 (unsigned int)data_buffer[j]);
+
+                        if (size_available > 2) {
+                            strncat(var_storage, tmp_c, size_available);
+                            size_available = MAX_VALUE_NAME -
+                                             (strlen(var_storage) + 2);
+                        }
+                    }
+                    break;
+            }
+
+            /* Check if value matches */
+            if (pt_matches(var_storage, reg_value)) {
+                return (1);
+            }
+
+            return (0);
+        }
+    }
+
+    return (0);
+}
+
+/* Open the registry key */
+int __os_winreg_open_key(char *subkey, char *full_key_name, unsigned long arch,
+                         char *reg_option, char *reg_value)
+{
+    int ret = 1;
+    HKEY oshkey;
+
+    if (RegOpenKeyEx(rk_sub_tree, subkey, 0, KEY_READ | arch, &oshkey) != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    /* If option is set, return the value of query key */
+    if (reg_option) {
+        ret = __os_winreg_querykey(oshkey, subkey, full_key_name,
+                                   reg_option, reg_value);
+    }
+
+    RegCloseKey(oshkey);
+    return (ret);
+}
+
+/* Check if the entry is present in the registry */
+int is_registry(char *entry_name, char *reg_option, char *reg_value)
+{
+    char *rk;
+
+    rk = __os_winreg_getkey(entry_name);
+    if (rk_sub_tree == NULL || rk == NULL) {
+        mterror(ARGV0, SK_INV_REG, entry_name);
+        return (0);
+    }
+
+    return __os_winreg_open_key(rk, entry_name, KEY_WOW64_32KEY, reg_option, reg_value) || __os_winreg_open_key(rk, entry_name, KEY_WOW64_64KEY, reg_option, reg_value);
+}
+
+#else
+
+/* Non-Windows defs */
+int os_check_ads(__attribute__((unused)) const char *full_path)
+{
+    return (0);
+}
+int is_registry(__attribute__((unused)) char *entry_name,
+                __attribute__((unused)) char *reg_option,
+                __attribute__((unused)) char *reg_value)
+{
+    return (0);
+}
+
+#endif /* !WIN32 */
diff --git a/src/modules/rootcheck/src/win_process.c b/src/modules/rootcheck/src/win_process.c
new file mode 100644
index 0000000000..39e7c6231a
--- /dev/null
+++ b/src/modules/rootcheck/src/win_process.c
@@ -0,0 +1,204 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * Copyright (C) 2009 Trend Micro Inc.
+ * All right reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifdef WIN32
+#include "shared.h"
+#include "rootcheck.h"
+
+#include <tlhelp32.h>
+#include <psapi.h>
+
+
+/* Set Debug privilege
+ * See: "How to obtain a handle to any process with SeDebugPrivilege"
+ * http://support.microsoft.com/kb/131065/en-us
+ */
+int os_win32_setdebugpriv(HANDLE h, int en)
+{
+    TOKEN_PRIVILEGES tp;
+    TOKEN_PRIVILEGES tpPrevious;
+    LUID luid;
+    DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
+
+    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
+        return (0);
+    }
+
+    tp.PrivilegeCount = 1;
+    tp.Privileges[0].Luid = luid;
+    tp.Privileges[0].Attributes = 0;
+
+    AdjustTokenPrivileges(h, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
+                          &tpPrevious, &cbPrevious);
+
+    if (GetLastError() != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    tpPrevious.PrivilegeCount = 1;
+    tpPrevious.Privileges[0].Luid = luid;
+
+    /* If en is set to true, we enable the privilege */
+    if (en) {
+        tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
+    } else {
+        tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
+                                                tpPrevious.Privileges[0].Attributes);
+    }
+
+    AdjustTokenPrivileges(h, FALSE, &tpPrevious, cbPrevious, NULL, NULL);
+    if (GetLastError() != ERROR_SUCCESS) {
+        return (0);
+    }
+
+    return (1);
+}
+
+/* Get list of win32 processes */
+OSList *os_get_process_list()
+{
+    OSList *p_list = NULL;
+    HANDLE hsnap;
+    HANDLE hpriv;
+    PROCESSENTRY32 p_entry;
+    p_entry.dwSize = sizeof(PROCESSENTRY32);
+
+    /* Get token to enable Debug privilege */
+    if (!OpenThreadToken(GetCurrentThread(),
+                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hpriv)) {
+        if (GetLastError() == ERROR_NO_TOKEN) {
+            if (!ImpersonateSelf(SecurityImpersonation)) {
+                mterror(ARGV0, "os_get_win32_process_list -> ImpersonateSelf");
+                return (NULL);
+            }
+
+            if (!OpenThreadToken(GetCurrentThread(),
+                                 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
+                                 FALSE, &hpriv)) {
+                mterror(ARGV0, "os_get_win32_process_list -> OpenThread");
+                return (NULL) ;
+            }
+        } else {
+            mterror(ARGV0, "os_get_win32_process_list -> OpenThread");
+            return (NULL);
+        }
+    }
+
+    /* Enable debug privilege */
+    if (!os_win32_setdebugpriv(hpriv, 1)) {
+        mterror(ARGV0, "os_win32_setdebugpriv");
+
+        if(CloseHandle(hpriv) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        return (NULL);
+    }
+
+    /* Make a snapshot of every process */
+    hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (hsnap == INVALID_HANDLE_VALUE) {
+        mterror(ARGV0, "CreateToolhelp32Snapshot");
+
+        if (CloseHandle(hpriv) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        return (NULL);
+    }
+
+    /* Get first and second processes -- system entries */
+    if (!Process32First(hsnap, &p_entry) && !Process32Next(hsnap, &p_entry )) {
+        mterror(ARGV0, "Process32First");
+
+        if (CloseHandle(hsnap) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        if (CloseHandle(hpriv) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        return (NULL);
+    }
+
+    /* Create process list */
+    p_list = OSList_Create();
+    if (!p_list) {
+
+        if (CloseHandle(hsnap) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        if (CloseHandle(hpriv) == 0) {
+            mdebug2("Can't close handle");
+        }
+
+        mterror(ARGV0, LIST_ERROR);
+        return (0);
+    }
+
+    /* Get each process name and path */
+    while (Process32Next( hsnap, &p_entry)) {
+        char *p_name;
+        char *p_path;
+        Proc_Info *p_info;
+
+        /* Set process name */
+        os_strdup(p_entry.szExeFile, p_name);
+
+        /* Get additional information from modules */
+        HANDLE hmod = INVALID_HANDLE_VALUE;
+        MODULEENTRY32 m_entry;
+        m_entry.dwSize = sizeof(MODULEENTRY32);
+
+        /* Snapshot of the process */
+        hmod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, p_entry.th32ProcessID);
+
+        if (hmod == INVALID_HANDLE_VALUE) {
+            os_strdup(p_name, p_path);
+        } else if (!Module32First(hmod, &m_entry)) {
+            /* Get executable path (first entry in the module list) */
+
+            if (CloseHandle(hmod) == 0){
+                mdebug2("Can't close handle");
+            }
+
+            os_strdup(p_name, p_path);
+        }
+        else {
+            os_strdup(m_entry.szExePath, p_path);
+
+            if (CloseHandle(hmod) == 0) {
+                mdebug2("Can't close handle");
+            }
+        }
+
+        os_calloc(1, sizeof(Proc_Info), p_info);
+        p_info->p_name = p_name;
+        p_info->p_path = p_path;
+        OSList_AddData(p_list, p_info);
+    }
+
+    /* Remove debug privileges */
+    os_win32_setdebugpriv(hpriv, 0);
+
+    if (CloseHandle(hsnap) == 0) {
+        mdebug2("Can't close handle");
+    }
+
+    if (CloseHandle(hpriv) == 0) {
+        mdebug2("Can't close handle");
+    }
+
+    return (p_list);
+}
+
+#endif /* WIN32 */
diff --git a/src/modules/sca/include/wm_sca.h b/src/modules/sca/include/wm_sca.h
new file mode 100644
index 0000000000..d36289cd1f
--- /dev/null
+++ b/src/modules/sca/include/wm_sca.h
@@ -0,0 +1,77 @@
+/*
+ * Wazuh Module for Security Configuration Assessment
+ * Copyright (C) 2015, Wazuh Inc.
+ * November 25, 2018.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_SCA_H
+#define WM_SCA_H
+
+#define WM_SCA_LOGTAG SCA_WM_NAME
+
+/* Types of values */
+#define WM_SCA_TYPE_FILE      1
+#define WM_SCA_TYPE_REGISTRY  2
+#define WM_SCA_TYPE_PROCESS   3
+#define WM_SCA_TYPE_DIR       4
+#define WM_SCA_TYPE_COMMAND   5
+
+#define WM_SCA_COND_ALL       0x001
+#define WM_SCA_COND_ANY       0x002
+#define WM_SCA_COND_REQ       0x004
+#define WM_SCA_COND_NON       0x008
+#define WM_SCA_COND_INV       0x010
+#define WM_SCA_STAMP          "sca"
+#define WM_CONFIGURATION_ASSESSMENT_DB_DUMP                   "sca-dump"
+
+typedef struct wm_sca_policy_t {
+    unsigned int enabled:1;
+    unsigned int remote:1;
+    char *policy_path;
+    char *policy_id;
+    char *policy_regex_type;
+} wm_sca_policy_t;
+
+typedef struct wm_sca_t {
+    int enabled;
+    int scan_on_start;
+    int skip_nfs;
+    int msg_delay;
+    unsigned int summary_delay;
+    unsigned int request_db_interval;
+    char* scan_time;
+    wm_sca_policy_t** policies;
+    char **alert_msg;
+    int queue;
+    int remote_commands:1;
+    int commands_timeout;
+    sched_scan_config scan_config;
+} wm_sca_t;
+
+typedef struct cis_db_info_t {
+    char *result;
+    cJSON *event;
+    int id;
+} cis_db_info_t;
+
+typedef struct cis_db_hash_info_t {
+    cis_db_info_t **elem;
+} cis_db_hash_info_t;
+
+extern const wm_context WM_SCA_CONTEXT;
+
+// Read configuration and return a module (if enabled) or NULL (if disabled)
+int wm_sca_read(const OS_XML *xml,xml_node **nodes, wmodule *module);
+char *wm_sca_hash_integrity_file(const char *file);
+char **wm_sort_variables(const cJSON * const variables);
+#ifdef WIN32
+void wm_sca_push_request_win(char *msg);
+#endif
+
+
+#endif // WM_KEY_REQUEST_H
diff --git a/src/modules/sca/src/wm_sca.c b/src/modules/sca/src/wm_sca.c
new file mode 100644
index 0000000000..5933127d14
--- /dev/null
+++ b/src/modules/sca/src/wm_sca.c
@@ -0,0 +1,3360 @@
+/*
+ * Wazuh Module for Security Configuration Assessment
+ * Copyright (C) 2015, Wazuh Inc.
+ * January 25, 2019.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wmodules.h"
+#include <os_net/os_net.h>
+#include <sys/stat.h>
+#include "os_crypto/sha256/sha256_op.h"
+#include "expression.h"
+#include "shared.h"
+
+#undef minfo
+#undef mwarn
+#undef merror
+#undef mdebug1
+#undef mdebug2
+
+#define minfo(msg, ...) _mtinfo(WM_SCA_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mwarn(msg, ...) _mtwarn(WM_SCA_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define merror(msg, ...) _mterror(WM_SCA_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mdebug1(msg, ...) _mtdebug1(WM_SCA_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+#define mdebug2(msg, ...) _mtdebug2(WM_SCA_LOGTAG, __FILE__, __LINE__, __func__, msg, ##__VA_ARGS__)
+
+#ifdef WAZUH_UNIT_TESTING
+/* Remove static qualifier when testing */
+#define static
+#endif
+
+typedef struct request_dump_t {
+    int policy_index;
+    int first_scan;
+} request_dump_t;
+
+#ifdef WIN32
+static HKEY wm_sca_sub_tree;
+#endif
+
+static const int RETURN_NOT_FOUND = 0;
+static const int RETURN_FOUND = 1;
+static const int RETURN_INVALID = 2;
+
+#ifdef WIN32
+static DWORD WINAPI wm_sca_main(void *arg);         // Module main function. It won't return
+#else
+static void * wm_sca_main(wm_sca_t * data);   // Module main function. It won't return
+#endif
+static void wm_sca_destroy(wm_sca_t * data);  // Destroy data
+static int wm_sca_start(wm_sca_t * data);  // Start
+static cJSON *wm_sca_build_event(const cJSON * const check, const cJSON * const policy, char **p_alert_msg, int id, const char * const result, const char * const reason);
+static int wm_sca_send_event_check(wm_sca_t * data,cJSON *event);  // Send check event
+static void wm_sca_read_files(wm_sca_t * data);  // Read policy monitoring files
+static int wm_sca_do_scan(cJSON *checks, OSStore *vars, wm_sca_t * data, int id, cJSON *policy, int requirements_scan, int cis_db_index, unsigned int remote_policy, int first_scan, int *checks_number, char ** sorted_variables, char * policy_engine);
+static int wm_sca_send_summary(wm_sca_t * data, int scan_id,unsigned int passed, unsigned int failed,unsigned int invalid,cJSON *policy,int start_time,int end_time, char * integrity_hash, char * integrity_hash_file, int first_scan, int id, int checks_number);
+static int wm_sca_check_policy(const cJSON * const policy, const cJSON * const checks, OSHash *global_check_list);
+static int wm_sca_check_requirements(const cJSON * const requirements);
+static void wm_sca_summary_increment_passed();
+static void wm_sca_summary_increment_failed();
+static void wm_sca_summary_increment_invalid();
+static void wm_sca_reset_summary();
+static int wm_sca_send_alert(wm_sca_t * data,cJSON *json_alert); // Send alert
+static int wm_sca_check_hash(OSHash *cis_db_hash, const char * const result, const cJSON * const check, const cJSON * const event, int check_index, int policy_index);
+static char *wm_sca_hash_integrity(int policy_index);
+static void wm_sca_free_hash_data(cis_db_info_t *event);
+#ifdef WIN32
+static DWORD WINAPI wm_sca_dump_db_thread(wm_sca_t * data);
+#else
+static void * wm_sca_dump_db_thread(wm_sca_t * data);
+#endif
+static void wm_sca_send_policies_scanned(wm_sca_t * data);
+static int wm_sca_send_dump_end(wm_sca_t * data, unsigned int elements_sent,char * policy_id,int scan_id);  // Send dump end event
+static int append_msg_to_vm_scat (wm_sca_t * const data, const char * const msg);
+static int compare_cis_db_info_t_entry(const void * const a, const void * const  b);
+
+#ifndef WIN32
+static void * wm_sca_request_thread(wm_sca_t * data);
+#endif
+
+/* Extra functions */
+static int wm_sca_get_vars(const cJSON * const variables, OSStore * const vars);
+static void wm_sca_set_condition(const char * const c_cond, int *condition);
+static char * wm_sca_get_value(char *buf, int *type);
+static char * wm_sca_get_pattern(char *value);
+static int wm_sca_check_file_contents(const char * const file, const char * const pattern, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_check_file_list_for_contents(const char * const file_list, char * const pattern, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_check_file_existence(const char * const file, char ** reason);
+static int wm_sca_check_file_list_for_existence(const char * const file_list, char ** reason);
+static int wm_sca_check_file_list(const char * const file_list, char * const pattern, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_read_command(char *command, char * pattern, wm_sca_t * data, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_test_positive_minterm(char * const minterm, const char * const str, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_pattern_matches(const char * const str, const char * const pattern, char ** reason, w_expression_t * regex_engine); // Check pattern match
+static int wm_sca_check_dir(const char * const dir, const char * const file, char * const pattern, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_check_dir_existence(const char * const dir, char ** reason);
+static int wm_sca_check_dir_list(wm_sca_t * const data, char * const dir_list, char * const file, char * const pattern, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_check_process_is_running(OSList *p_list, char * value, char ** reason, w_expression_t * regex_engine);
+#ifndef WIN32
+static int wm_sca_resolve_symlink(const char * const file, char * realpath_buffer, char **reason);
+#endif
+static int wm_sca_apply_numeric_partial_comparison(const char * const partial_comparison, const long int number, char **reason, w_expression_t * regex_engine);
+static int wm_sca_regex_numeric_comparison (const char * const pattern, const char *const str, char ** reason, w_expression_t * regex_engine);
+
+#ifdef WIN32
+static int wm_sca_is_registry(char * entry_name, char * reg_option, char * reg_value, char ** reason, w_expression_t * regex_engine);
+static char *wm_sca_os_winreg_getkey(char * reg_entry);
+static int wm_sca_test_key(char * subkey, char * full_key_name, unsigned long arch, char * reg_option, char * reg_value, char ** reason, w_expression_t * regex_engine);
+static int wm_sca_winreg_querykey(HKEY hKey, const char * full_key_name, char * reg_option, char * reg_value, char ** reason, w_expression_t * regex_engine);
+#endif
+
+cJSON *wm_sca_dump(const wm_sca_t * data);     // Read config
+
+const wm_context WM_SCA_CONTEXT = {
+    .name = SCA_WM_NAME,
+    .start = (wm_routine)wm_sca_main,
+    .destroy = (void(*)(void *))wm_sca_destroy,
+    .dump = (cJSON * (*)(const void *))wm_sca_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+static unsigned int summary_passed = 0;
+static unsigned int summary_failed = 0;
+static unsigned int summary_invalid = 0;
+
+static OSHash **cis_db;
+static char **last_sha256;
+static cis_db_hash_info_t *cis_db_for_hash;
+
+static w_queue_t * request_queue;
+static wm_sca_t * data_win;
+
+cJSON **last_summary_json = NULL;
+
+/* Multiple readers / one write mutex */
+static pthread_rwlock_t dump_rwlock;
+
+// Module main function. It won't return
+#ifdef WIN32
+DWORD WINAPI wm_sca_main(void *arg) {
+    wm_sca_t *data = (wm_sca_t *)arg;
+#else
+void * wm_sca_main(wm_sca_t * data) {
+#endif
+    // If module is disabled, exit
+    if (data->enabled) {
+        minfo("Module started.");
+    } else {
+        minfo("Module disabled. Exiting.");
+        pthread_exit(NULL);
+    }
+
+    if (!data->policies || data->policies[0] == NULL) {
+        minfo("No policies defined. Exiting.");
+        pthread_exit(NULL);
+    }
+
+    data->msg_delay = 1000000 / wm_max_eps;
+    data->summary_delay = 3; /* Seconds to wait for summary sending */
+    data_win = data;
+
+    /* Reading the internal options */
+
+    // Default values
+    data->request_db_interval = 300;
+    data->remote_commands = 0;
+    data->commands_timeout = 30;
+
+    data->request_db_interval = getDefine_Int("sca","request_db_interval", 1, 60) * 60;
+    data->commands_timeout = getDefine_Int("sca", "commands_timeout", 1, 300);
+#ifdef CLIENT
+    data->remote_commands = getDefine_Int("sca", "remote_commands", 0, 1);
+#else
+    data->remote_commands = 1;  // Only for agents
+#endif
+
+    /* Maximum request interval is the scan interval */
+    if(data->request_db_interval > data->scan_config.interval) {
+       data->request_db_interval = data->scan_config.interval;
+       minfo("The request_db_interval option cannot be higher than the scan interval. It will be redefined to that value.");
+    }
+
+    int i;
+    for(i = 0; data->policies[i]; i++) {
+        if(data->policies[i]->enabled){
+            minfo("Loaded policy '%s'", data->policies[i]->policy_path);
+        } else {
+            minfo("Policy '%s' disabled by configuration.", data->policies[i]->policy_path);
+        }
+    }
+
+    /* Create Hash for each policy file */
+    for(i = 0; data->policies[i]; i++) {
+        os_realloc(cis_db, (i + 2) * sizeof(OSHash *), cis_db);
+        cis_db[i] = OSHash_Create();
+        if (!cis_db[i]) {
+            merror(LIST_ERROR);
+            pthread_exit(NULL);
+        }
+        OSHash_SetFreeDataPointer(cis_db[i], (void (*)(void *))wm_sca_free_hash_data);
+
+        /* DB for calculating hash only */
+        os_realloc(cis_db_for_hash, (i + 2) * sizeof(cis_db_hash_info_t), cis_db_for_hash);
+
+        /* Last summary for each policy */
+        os_realloc(last_summary_json, (i + 2) * sizeof(cJSON *), last_summary_json);
+        last_summary_json[i] = NULL;
+
+        /* Prepare first ID for each policy file */
+        os_calloc(1,sizeof(cis_db_info_t *),cis_db_for_hash[i].elem);
+        cis_db_for_hash[i].elem[0] = NULL;
+    }
+
+    /* Create summary hash for each policy file */
+    for(i = 0; data->policies[i]; i++) {
+        os_realloc(last_sha256, (i + 2) * sizeof(char *), last_sha256);
+        os_calloc(1,sizeof(os_sha256),last_sha256[i]);
+    }
+
+
+#ifndef WIN32
+
+    data->queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    if (data->queue < 0) {
+        merror("Can't connect to queue.");
+    }
+
+#endif
+
+    request_queue = queue_init(1024);
+
+    w_rwlock_init(&dump_rwlock, NULL);
+
+#ifndef WIN32
+    w_create_thread(wm_sca_request_thread, data);
+    w_create_thread(wm_sca_dump_db_thread, data);
+#else
+    w_create_thread(NULL,
+                    0,
+                    (void *)wm_sca_dump_db_thread,
+                    data,
+                    0,
+                    NULL);
+#endif
+
+    wm_sca_start(data);
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+static int wm_sca_send_alert(wm_sca_t * data,cJSON *json_alert)
+{
+
+#ifdef WIN32
+    int queue_fd = 0;
+#else
+    int queue_fd = data->queue;
+#endif
+
+    char *msg = cJSON_PrintUnformatted(json_alert);
+    mdebug2("Sending event: %s",msg);
+
+    if (wm_sendmsg(data->msg_delay, queue_fd, msg,WM_SCA_STAMP, SCA_MQ) < 0) {
+        merror(QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+
+        if ((data->queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS)) < 0) {
+            mwarn("Can't connect to queue.");
+        } else {
+            if(wm_sendmsg(data->msg_delay, data->queue, msg,WM_SCA_STAMP, SCA_MQ) < 0) {
+                merror(QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+            }
+        }
+    }
+
+    os_free(msg);
+
+    return (0);
+}
+
+#ifdef WAZUH_UNIT_TESTING
+__attribute__((weak))
+#endif
+static void wm_sca_send_policies_scanned(wm_sca_t * data) {
+    cJSON *policies_obj = cJSON_CreateObject();
+    cJSON *policies = cJSON_CreateArray();
+
+    int i;
+    if(data->policies) {
+        for(i = 0; data->policies[i]; i++) {
+            if(data->policies[i]->enabled) {
+                cJSON_AddStringToObject(policies,"policy",data->policies[i]->policy_id);
+            }
+        }
+    }
+
+    cJSON_AddStringToObject(policies_obj, "type", "policies");
+    cJSON_AddItemToObject(policies_obj,"policies",policies);
+
+    mdebug2("Sending scanned policies.");
+    wm_sca_send_alert(data,policies_obj);
+    cJSON_Delete(policies_obj);
+}
+
+static int wm_sca_start(wm_sca_t * data) {
+    char * timestamp = NULL;
+    time_t time_start = 0;
+    time_t duration = 0;
+
+    do {
+        const time_t time_sleep = sched_scan_get_time_until_next_scan(&(data->scan_config), WM_SCA_LOGTAG, data->scan_on_start);
+
+        if (time_sleep) {
+            const int next_scan_time = sched_get_next_scan_time(data->scan_config);
+            timestamp = w_get_timestamp(next_scan_time);
+            mtdebug2(WM_SCA_LOGTAG, "Sleeping until: %s", timestamp);
+            os_free(timestamp);
+            w_sleep_until(next_scan_time);
+        }
+        mtinfo(WM_SCA_LOGTAG,"Starting Security Configuration Assessment scan.");
+        time_start = time(NULL);
+
+        /* Do scan for every policy file */
+        wm_sca_read_files(data);
+
+        /* Send policies scanned for database purge on manager side */
+        wm_sca_send_policies_scanned(data);
+
+        duration = time(NULL) - time_start;
+        mtinfo(WM_SCA_LOGTAG, "Security Configuration Assessment scan finished. Duration: %d seconds.", (int)duration);
+
+    } while(FOREVER());
+
+    return 0;
+}
+
+static void wm_sca_read_files(wm_sca_t * data) {
+    int checks_number = 0;
+    static int first_scan = 1;
+
+    /* Read every policy monitoring file */
+    if(data->policies) {
+        OSHash *check_list = OSHash_Create();
+        int i;
+        for(i = 0; data->policies[i]; i++) {
+            if(!data->policies[i]->enabled){
+                continue;
+            }
+
+            OSStore *vars = NULL;
+            cJSON * object = NULL;
+            cJSON *requirements_array = NULL;
+            int cis_db_index = i;
+            char **sorted_variables = NULL;
+
+            FILE *fp = wfopen(data->policies[i]->policy_path, "r");
+
+            if(!fp) {
+                mwarn("Policy file not found: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+            w_file_cloexec(fp);
+
+            /* Yaml parsing */
+            yaml_document_t document;
+
+            if (yaml_parse_file(data->policies[i]->policy_path, &document)) {
+                mwarn("Error found while parsing file: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+
+            if (object = yaml2json(&document,1), !object) {
+                mwarn("Error found while transforming yaml to json: '%s'. Skipping it.", data->policies[i]->policy_path);
+                yaml_document_delete(&document);
+                goto next;
+            }
+
+            yaml_document_delete(&document);
+
+            cJSON *policy = cJSON_GetObjectItem(object, "policy");
+            cJSON *variables_policy = cJSON_GetObjectItem(object, "variables");
+            cJSON *checks = cJSON_GetObjectItem(object, "checks");
+            requirements_array = cJSON_CreateArray();
+            cJSON *requirements = cJSON_GetObjectItem(object, "requirements");
+            cJSON_AddItemReferenceToArray(requirements_array, requirements);
+
+            if (wm_sca_check_policy(policy, checks, check_list)) {
+                mwarn("Error found while validating policy file: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+
+            cJSON * policy_regex_type = cJSON_GetObjectItem(policy, "regex_type");
+
+            if (!policy_regex_type) {
+                data->policies[i]->policy_regex_type = OSREGEX_STR;
+            } else {
+                data->policies[i]->policy_regex_type = cJSON_GetStringValue(policy_regex_type);
+            }
+
+            if (requirements && wm_sca_check_requirements(requirements)) {
+                mwarn("Error found while reading 'requirements' section of file: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+
+            if (!data->policies[i]->policy_id) {
+                cJSON *id = cJSON_GetObjectItem(policy, "id");
+                os_strdup(id->valuestring,data->policies[i]->policy_id);
+            }
+
+            if (!checks) {
+                mwarn("Error found while reading 'checks' section of file: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+
+            vars = OSStore_Create();
+            sorted_variables = wm_sort_variables(variables_policy);
+            if (wm_sca_get_vars(variables_policy,vars) != 0) {
+                mwarn("Error found while reading the 'variables' section of file: '%s'. Skipping it.", data->policies[i]->policy_path);
+                goto next;
+            }
+
+            // Set unique ID for each scan
+#ifndef WIN32
+            int id = os_random();
+            if (id < 0) {
+                id = -id;
+            }
+#else
+            char random_id[RANDOM_LENGTH];
+            snprintf(random_id, RANDOM_LENGTH - 1, "%u%u", os_random(), os_random());
+            int id = atoi(random_id);
+
+            if (id < 0) {
+                id = -id;
+            }
+#endif
+            int requirements_satisfied = 0;
+
+            if(!requirements) {
+                requirements_satisfied = 1;
+            }
+
+            mdebug1("Calculating hash for policy file '%s'", data->policies[i]->policy_path);
+            char * integrity_hash_file = wm_sca_hash_integrity_file(data->policies[i]->policy_path);
+
+            /* Check if the file integrity has changed */
+            if(last_sha256[cis_db_index]) {
+                w_rwlock_rdlock(&dump_rwlock);
+                if (strcmp(last_sha256[cis_db_index],"")) {
+
+                    /* File hash changed, delete table */
+                    if(integrity_hash_file && strcmp(integrity_hash_file,last_sha256[cis_db_index])) {
+                        OSHash_Free(cis_db[cis_db_index]);
+                        cis_db[cis_db_index] = OSHash_Create();
+
+                        if (!cis_db[cis_db_index]) {
+                            merror(LIST_ERROR);
+                            w_rwlock_unlock(&dump_rwlock);
+                            pthread_exit(NULL);
+                        }
+
+                        OSHash_SetFreeDataPointer(cis_db[cis_db_index], (void (*)(void *))wm_sca_free_hash_data);
+
+                        os_free(cis_db_for_hash[cis_db_index].elem);
+                        os_realloc(cis_db_for_hash[cis_db_index].elem, sizeof(cis_db_info_t *) * (2), cis_db_for_hash[cis_db_index].elem);
+                        cis_db_for_hash[cis_db_index].elem[0] = NULL;
+                        cis_db_for_hash[cis_db_index].elem[1] = NULL;
+                    }
+                }
+                w_rwlock_unlock(&dump_rwlock);
+            }
+
+            if(requirements) {
+                w_rwlock_rdlock(&dump_rwlock);
+                if (wm_sca_do_scan(requirements_array, vars, data, id, policy, 1, cis_db_index, data->policies[i]->remote,first_scan, &checks_number, sorted_variables, data->policies[i]->policy_regex_type) == 0) {
+                    requirements_satisfied = 1;
+                }
+                w_rwlock_unlock(&dump_rwlock);
+            }
+
+            if(requirements_satisfied) {
+                w_rwlock_rdlock(&dump_rwlock);
+
+                time_t time_start = 0;
+                time_t time_end = 0;
+                time_start = time(NULL);
+
+                minfo("Starting evaluation of policy: '%s'", data->policies[i]->policy_path);
+
+                if (wm_sca_do_scan(checks, vars, data, id, policy, 0, cis_db_index, data->policies[i]->remote, first_scan, &checks_number, sorted_variables, data->policies[i]->policy_regex_type) != 0) {
+                    merror("Error while evaluating the policy '%s'", data->policies[i]->policy_path);
+                }
+                mdebug1("Calculating hash for scanned results.");
+                char * integrity_hash = wm_sca_hash_integrity(cis_db_index);
+
+                time_end = time(NULL);
+
+                /* Send summary */
+                if(integrity_hash && integrity_hash_file) {
+                    w_time_delay(1000 * data->summary_delay);
+                    wm_sca_send_summary(data,id,summary_passed,summary_failed,summary_invalid,policy,time_start,time_end,integrity_hash,integrity_hash_file,first_scan,cis_db_index,checks_number);
+                    snprintf(last_sha256[cis_db_index] ,sizeof(os_sha256),"%s",integrity_hash_file);
+                }
+
+                os_free(integrity_hash);
+
+                minfo("Evaluation finished for policy '%s'", data->policies[i]->policy_path);
+                wm_sca_reset_summary();
+
+                w_rwlock_unlock(&dump_rwlock);
+            } else {
+                cJSON *title = cJSON_GetObjectItem(requirements,"title");
+                minfo("Skipping policy '%s': '%s'", data->policies[i]->policy_path, title->valuestring);
+            }
+
+            os_free(integrity_hash_file);
+
+    next:
+            if(fp){
+                fclose(fp);
+            }
+
+            if(object) {
+                cJSON_Delete(object);
+            }
+
+            if(requirements_array){
+                cJSON_Delete(requirements_array);
+            }
+
+            if(vars) {
+                OSStore_Free(vars);
+            }
+
+            free_strarray(sorted_variables);
+        }
+        first_scan = 0;
+        OSHash_Clean(check_list, free);
+    }
+}
+
+static int wm_sca_check_policy(const cJSON * const policy, const cJSON * const checks, OSHash *global_check_list)
+{
+    if(!policy) {
+        return 1;
+    }
+
+    const cJSON * const id = cJSON_GetObjectItem(policy, "id");
+    if(!id) {
+        mwarn("Field 'id' not found in policy header.");
+        return 1;
+    }
+
+    if(!id->valuestring){
+        mwarn("Invalid format for field 'id'");
+        return 1;
+    }
+
+    char *coincident_policy_file;
+    if((coincident_policy_file = OSHash_Get(global_check_list,id->valuestring)), coincident_policy_file) {
+        mwarn("Found duplicated policy ID: %s. File '%s' contains the same ID.", id->valuestring, coincident_policy_file);
+        return 1;
+    }
+
+    const cJSON * const name = cJSON_GetObjectItem(policy, "name");
+    if(!name) {
+        mwarn("Field 'name' not found in policy header.");
+        return 1;
+    }
+
+    if(!name->valuestring){
+        mwarn("Invalid format for field 'name'");
+        return 1;
+    }
+
+    const cJSON * const file = cJSON_GetObjectItem(policy, "file");
+    if(!file) {
+        mwarn("Field 'file' not found in policy header.");
+        return 1;
+    }
+
+    if(!file->valuestring){
+        mwarn("Invalid format for field 'file'");
+        return 1;
+    }
+
+    const cJSON * const description = cJSON_GetObjectItem(policy, "description");
+    if(!description) {
+        mwarn("Field 'description' not found in policy header.");
+        return 1;
+    }
+
+    const cJSON * const regex_type = cJSON_GetObjectItem(policy, "regex_type");
+    if(!regex_type) {
+        mdebug1("Field 'regex_type' not found in policy header. The OS_REGEX engine shall be used.");
+    }
+
+    if(!description->valuestring) {
+        mwarn("Invalid format for field 'description'");
+        return 1;
+    }
+
+    // Check for policy rules with duplicated IDs */
+    if (!checks) {
+        mwarn("Section 'checks' not found.");
+        return 1;
+    }
+
+    int *read_id;
+    os_calloc(1, sizeof(int), read_id);
+    read_id[0] = 0;
+
+    const cJSON *check;
+    cJSON_ArrayForEach(check, checks) {
+        const cJSON * const check_id = cJSON_GetObjectItem(check, "id");
+        if (check_id == NULL) {
+            mwarn("Check ID not found.");
+            free(read_id);
+            return 1;
+        }
+
+        if (check_id->valueint <= 0) {
+            // Invalid ID
+            mwarn("Invalid check ID: %d", check_id->valueint);
+            free(read_id);
+            return 1;
+        }
+
+        char *coincident_policy;
+        char *key_id;
+        size_t key_length = snprintf(NULL, 0, "%d", check_id->valueint);
+        os_malloc(key_length + 1, key_id);
+        snprintf(key_id, key_length + 1, "%d", check_id->valueint);
+
+        if((coincident_policy = (char *)OSHash_Get(global_check_list, key_id)), coincident_policy){
+            // Invalid ID
+            mwarn("Found duplicated check ID: %d. First appearance at policy '%s'", check_id->valueint, coincident_policy);
+            os_free(key_id);
+            os_free(read_id);
+            return 1;
+        }
+        os_free(key_id);
+
+        int i;
+        for (i = 0; read_id[i] != 0; i++) {
+            if (check_id->valueint == read_id[i]) {
+                // Duplicated ID
+                mwarn("Found duplicated check ID: %d", check_id->valueint);
+                free(read_id);
+                return 1;
+            }
+        }
+
+        os_realloc(read_id, sizeof(int) * (i + 2), read_id);
+        read_id[i] = check_id->valueint;
+        read_id[i + 1] = 0;
+
+        const cJSON * const rules = cJSON_GetObjectItem(check, "rules");
+
+        if (rules == NULL) {
+            mwarn("Invalid check %d: no rules found.", check_id->valueint);
+            free(read_id);
+            return 1;
+        }
+
+        int rules_n = 0;
+        const cJSON *rule;
+        cJSON_ArrayForEach(rule, rules) {
+            if (!rule->valuestring) {
+                mwarn("Invalid check %d: Empty rule.", check_id->valueint);
+                free(read_id);
+                return 1;
+            }
+
+            char *valuestring_ref = rule->valuestring;
+            valuestring_ref += 4 * (!strncmp(valuestring_ref, "NOT ", 4) || !strncmp(valuestring_ref, "not ", 4));
+
+            switch (*valuestring_ref) {
+#ifdef WIN32
+                case 'r':
+#endif
+                case 'f':
+                case 'd':
+                case 'p':
+                case 'c':
+                    break;
+                case '\0':
+                    mwarn("Invalid check %d: Empty rule.", check_id->valueint);
+                    free(read_id);
+                    return 1;
+                default:
+                    mwarn("Invalid check %d: Invalid rule format.", check_id->valueint);
+                    free(read_id);
+                    return 1;
+            }
+
+            rules_n++;
+            if (rules_n > 255) {
+                free(read_id);
+                mwarn("Invalid check %d: Maximum number of rules is 255.", check_id->valueint);
+                return 1;
+            }
+        }
+
+        if (rules_n == 0) {
+            mwarn("Invalid check %d: no rules found.", check_id->valueint);
+            free(read_id);
+            return 1;
+        }
+
+    }
+
+    char *policy_file = NULL;
+    os_strdup(file->valuestring, policy_file);
+    const int id_add_retval = OSHash_Add(global_check_list, id->valuestring, policy_file);
+    if (id_add_retval == 0){
+        os_free(policy_file);
+        os_free(read_id);
+        merror_exit("(1102): Could not acquire memory");
+    }
+
+    if (id_add_retval == 1){
+        merror("Error validating duplicated ID. Policy %s in file %s is duplicated", id->valuestring, policy_file);
+        os_free(policy_file);
+        os_free(read_id);
+        return 1;
+    }
+
+    int i;
+    for (i = 0; read_id[i] != 0; ++i) {
+        char *policy_id = NULL;
+        os_strdup(id->valuestring, policy_id);
+        const int check_add_retval = OSHash_Numeric_Add_ex(global_check_list, read_id[i], policy_id);
+        if (check_add_retval == 0){
+            os_free(policy_id);
+            os_free(read_id);
+            merror_exit("(1102): Could not acquire memory");
+        }
+
+        if (check_add_retval == 1){
+            merror("Error validating duplicated ID. Check %s in policy %s is duplicated", id->valuestring, policy_id);
+            os_free(policy_id);
+            os_free(read_id);
+            return 1;
+        }
+    }
+
+    os_free(read_id);
+    return 0;
+}
+
+static int wm_sca_check_requirements(const cJSON * const requirements)
+{
+    if(!requirements) {
+        return 1;
+    }
+
+    const cJSON * const title = cJSON_GetObjectItem(requirements, "title");
+    if(!title) {
+        merror("Field 'title' not found on requirements.");
+        return 1;
+    }
+
+    if(!title->valuestring){
+        merror("Field 'title' must be a string.");
+        return 1;
+    }
+
+    const cJSON * const description = cJSON_GetObjectItem(requirements, "description");
+    if(!description) {
+        merror("Field 'description' not found on policy.");
+        return 1;
+    }
+
+    if(!description->valuestring){
+        merror("Field 'description' must be a string.");
+        return 1;
+    }
+
+    const cJSON * const condition = cJSON_GetObjectItem(requirements, "condition");
+    if(!condition) {
+        merror("Field 'condition' not found on policy.");
+        return 1;
+    }
+
+    if(!condition->valuestring){
+        merror("Field 'condition' must be a string.");
+        return 1;
+    }
+
+    const cJSON * const rules = cJSON_GetObjectItem(requirements, "rules");
+    if (!rules) {
+        merror("Field 'rules' must be present.");
+        return 1;
+    }
+
+    if (!cJSON_IsArray(rules)) {
+        merror("Field 'rules' must be an array.");
+        return 1;
+    }
+
+    return 0;
+}
+
+#ifndef WIN32
+static int wm_sca_resolve_symlink(const char * const file, char * realpath_buffer, char **reason)
+{
+    mdebug2("Resolving real path of '%s'", file);
+    const char * const realpath_buffer_ref = realpath(file, realpath_buffer);
+
+    if (realpath_buffer_ref == NULL) {
+        const int realpath_errno = errno;
+
+        if (realpath_errno == ENOENT) {
+            mdebug2("Path '%s' does not exists, or points to an unexistent path -> RETURN_NOT_FOUND: %s", file, strerror(realpath_errno));
+            return RETURN_NOT_FOUND;
+        }
+
+        mdebug2("Could not resolve the real path of '%s': %s", file, strerror(realpath_errno));
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not resolve the real path of '%s': %s", file, strerror(realpath_errno)) + 1, *reason);
+            sprintf(*reason, "Could not resolve the real path of '%s': %s", file, strerror(realpath_errno));
+        }
+
+        return RETURN_INVALID;
+    }
+
+    mdebug2("Real path of '%s' is '%s'", file, realpath_buffer);
+    return RETURN_FOUND;
+}
+#endif
+
+static int wm_sca_check_dir_list(wm_sca_t * const data,
+                                 char * const dir_list,
+                                 char * const file,
+                                 char * const pattern,
+                                 char ** reason,
+                                 w_expression_t * regex_engine)
+{
+    char *f_value_copy;
+    os_strdup(dir_list, f_value_copy);
+    char *f_value_copy_ref = f_value_copy;
+    int found = RETURN_NOT_FOUND;
+    char *dir = NULL;
+    mdebug2("Exploring directories [%s]", f_value_copy);
+    while ((dir = w_strtok_r_str_delim(",", &f_value_copy_ref))) {
+        short is_nfs = IsNFS(dir);
+        mdebug2("Checking directory '%s' => is_nfs=%d, skip_nfs=%d", dir, is_nfs, data->skip_nfs);
+        if(data->skip_nfs && is_nfs == 1) {
+            mdebug2("Directory '%s' flagged as NFS and skip_nfs is enabled.", dir);
+            if (*reason == NULL) {
+                os_malloc(snprintf(NULL, 0, "Directory '%s' flagged as NFS and skip_nfs is enabled", dir) + 1, *reason);
+                sprintf(*reason, "Directory '%s' flagged as NFS and skip_nfs is enabled", dir);
+            }
+            found = RETURN_INVALID;
+        } else {
+            int check_result;
+            if (file == NULL) {
+                check_result = wm_sca_check_dir_existence(dir, reason);
+            } else {
+                check_result = wm_sca_check_dir(dir, file, pattern, reason, regex_engine);
+            }
+
+            if (check_result == RETURN_FOUND) {
+                found = RETURN_FOUND;
+                mdebug2("Found match in directory '%s'", dir);
+            } else if (check_result == RETURN_INVALID) {
+                found = RETURN_INVALID;
+                mdebug2("Check returned not applicable for directory '%s'", dir);
+            }
+        }
+
+        char _b_msg[OS_SIZE_1024 + 1];
+        _b_msg[OS_SIZE_1024] = '\0';
+        snprintf(_b_msg, OS_SIZE_1024, " Directory: %s", dir);
+        append_msg_to_vm_scat(data, _b_msg);
+
+        if (found == RETURN_FOUND) {
+            break;
+        }
+    }
+
+    os_free(f_value_copy);
+    return found;
+}
+
+/*
+Rules that match always return 1, and the other way arround.
+
+Rule aggregators logic:
+
+##########################################################
+
+ALL:
+    r_1 -f -> r:123
+    ...
+    r_n -f -> r:234
+
+For an ALL to succeed, every rule shall return 1, in other words,
+
+               |  = n -> ALL = RETURN_FOUND
+SUM(r_i, 0, n) |
+               | != n -> ALL = RETURN_NOT_FOUND
+
+##########################################################
+
+ANY:
+    r_1 -f -> r:123
+    ...
+    r_n -f -> r:234
+
+For an ANY to succeed, a rule shall return 1, in other words,
+
+               | > 0 -> ANY = RETURN_FOUND
+SUM(r_i, 0, n) |
+               | = 0 -> ANY = RETURN_NOT_FOUND
+
+##########################################################
+
+NONE:
+    r_1 -f -> r:123
+    ...
+    r_n -f -> r:234
+
+For a NONE to succeed, all rules shall return RETURN_NOT_FOUND, in other words,
+
+               |  > 0 -> NONE = RETURN_NOT_FOUND
+SUM(r_i, 0, n) |
+               |  = 0 -> NONE = RETURN_FOUND
+
+##########################################################
+
+ANY and NONE aggregators are complementary.
+
+*/
+
+static int wm_sca_do_scan(cJSON * checks,
+                          OSStore * vars,
+                          wm_sca_t * data,
+                          int id,
+                          cJSON * policy,
+                          int requirements_scan,
+                          int cis_db_index,
+                          unsigned int remote_policy,
+                          int first_scan,
+                          int * checks_number,
+                          char ** sorted_variables,
+                          char * policy_engine)
+{
+    int type = 0;
+    char buf[OS_SIZE_1024 + 2];
+    char final_file[2048 + 1];
+    char *reason = NULL;
+
+    int ret_val = 0;
+    OSList *p_list = NULL;
+
+    /* Initialize variables */
+    memset(buf, '\0', sizeof(buf));
+    memset(final_file, '\0', sizeof(final_file));
+
+    int check_count = 0;
+    cJSON *check = NULL;
+    cJSON_ArrayForEach(check, checks) {
+        char _check_id_str[50];
+        if (requirements_scan) {
+            snprintf(_check_id_str, sizeof(_check_id_str), "Requirements check");
+        } else {
+            const cJSON * const c_id = cJSON_GetObjectItem(check, "id");
+            if (!c_id || !c_id->valueint) {
+                merror("Skipping check. Check ID is invalid. Offending check number: %d", check_count);
+                ret_val = 1;
+                continue;
+            }
+            snprintf(_check_id_str, sizeof(_check_id_str), "id: %d", c_id->valueint);
+        }
+
+        const cJSON * const c_title = cJSON_GetObjectItem(check, "title");
+        if (!c_title || !c_title->valuestring) {
+            merror("Skipping check with %s: Check name is invalid.", _check_id_str);
+            if (requirements_scan) {
+                ret_val = 1;
+                goto clean_return;
+            }
+            continue;
+        }
+
+        const cJSON * const c_condition = cJSON_GetObjectItem(check, "condition");
+        if (!c_condition || !c_condition->valuestring) {
+            merror("Skipping check '%s: %s': Check condition not found.", _check_id_str, c_title->valuestring);
+            if (requirements_scan) {
+                ret_val = 1;
+                goto clean_return;
+            }
+            continue;
+        }
+
+        int condition = 0;
+        wm_sca_set_condition(c_condition->valuestring, &condition);
+
+        if (condition == WM_SCA_COND_INV) {
+            merror("Skipping check '%s: %s': Check condition (%s) is invalid.",_check_id_str, c_title->valuestring, c_condition->valuestring);
+            if (requirements_scan) {
+                ret_val = 1;
+                goto clean_return;
+            }
+            continue;
+        }
+
+        int g_found = RETURN_NOT_FOUND;
+        if ((condition & WM_SCA_COND_ANY) || (condition & WM_SCA_COND_NON)) {
+            /* aggregators ANY and NONE break by matching, so they shall return NOT_FOUND if they never break */
+            g_found = RETURN_NOT_FOUND;
+        } else if (condition & WM_SCA_COND_ALL) {
+            /* aggregator ALL breaks the moment a rule does not match. If it doesn't break, all rules have matched */
+            g_found = RETURN_FOUND;
+        }
+
+        mdebug1("Beginning evaluation of check %s '%s'", _check_id_str, c_title->valuestring);
+        mdebug1("Rule aggregation strategy for this check is '%s'", c_condition->valuestring);
+        mdebug2("Initial rule-aggregator value por this type of rule is '%d'",  g_found);
+        mdebug1("Beginning rules evaluation.");
+
+        const cJSON *const rules = cJSON_GetObjectItem(check, "rules");
+        if (!rules) {
+            merror("Skipping check %s '%s': No rules found.", _check_id_str, c_title->valuestring);
+            if (requirements_scan) {
+                ret_val = 1;
+                goto clean_return;
+            }
+            continue;
+        }
+
+        w_expression_t * regex_engine = NULL;
+        cJSON * engine = cJSON_GetObjectItem(check, "regex_type");
+        if (engine) {
+            if (strcmp(PCRE2_STR, cJSON_GetStringValue(engine)) == 0) {
+                w_calloc_expression_t(&regex_engine, EXP_TYPE_PCRE2);
+            } else {
+                w_calloc_expression_t(&regex_engine, EXP_TYPE_OSREGEX);
+            }
+        } else {
+            if(strcmp(PCRE2_STR, policy_engine) == 0) {
+                w_calloc_expression_t(&regex_engine, EXP_TYPE_PCRE2);
+            } else {
+                w_calloc_expression_t(&regex_engine, EXP_TYPE_OSREGEX);
+            }
+        }
+        mdebug1("SCA will use '%s' engine to check the rules.", w_expression_get_regex_type(regex_engine));
+
+        char *rule_cp = NULL;
+        const cJSON *rule_ref;
+        cJSON_ArrayForEach(rule_ref, rules) {
+            /* this free is responsible of freeing the copy of the previous rule if
+            the loop 'continues', i.e, does not reach the end of its block. */
+            os_free(rule_cp);
+
+            if(!rule_ref->valuestring) {
+                mdebug1("Field 'rule' must be a string.");
+                ret_val = 1;
+                os_free(regex_engine);
+                goto clean_return;
+            }
+
+            mdebug1("Considering rule: '%s'", rule_ref->valuestring);
+
+            os_strdup(rule_ref->valuestring, rule_cp);
+            char *rule_cp_ref = NULL;
+
+        #ifdef WIN32
+            char expanded_rule[2048] = {0};
+            ExpandEnvironmentStrings(rule_cp, expanded_rule, 2048);
+            rule_cp_ref = expanded_rule;
+            mdebug2("Rule after variable expansion: '%s'", rule_cp_ref);
+        #else
+            rule_cp_ref = rule_cp;
+        #endif
+
+            int rule_is_negated = 0;
+            if (rule_cp_ref &&
+                    (strncmp(rule_cp_ref, "NOT ", 4) == 0 ||
+                     strncmp(rule_cp_ref, "not ", 4) == 0))
+            {
+                mdebug2("Rule is negated.");
+                rule_is_negated = 1;
+                rule_cp_ref += 4;
+            }
+
+            /* Get value to look for. char *value is a reference
+            to rule_cp memory. Do not release value!  */
+            char *value = wm_sca_get_value(rule_cp_ref, &type);
+
+            if (value == NULL) {
+                merror("Invalid rule: '%s'. Skipping policy.", rule_ref->valuestring);
+                os_free(rule_cp);
+                ret_val = 1;
+                os_free(regex_engine);
+                goto clean_return;
+            }
+
+            int found = RETURN_NOT_FOUND;
+            if (type == WM_SCA_TYPE_FILE) {
+                /* Check files */
+                char *pattern = wm_sca_get_pattern(value);
+                char *rule_location = NULL;
+                char *aux = NULL;
+
+                os_strdup(value, rule_location);
+
+                /* If any, replace the variables by their respective values */
+                if (sorted_variables) {
+                    for (int i = 0; sorted_variables[i]; i++) {
+                        if (strstr(rule_location, sorted_variables[i])) {
+                            mdebug2("Variable '%s' found at rule '%s'. Replacing it.", sorted_variables[i], rule_location);
+                            aux = wstr_replace(rule_location, sorted_variables[i], OSStore_Get(vars, sorted_variables[i]));
+                            os_free(rule_location);
+                            rule_location = aux;
+                            if (!rule_location) {
+                                merror("Invalid variable replacement: '%s'. Skipping check.", sorted_variables[i]);
+                                break;
+                            }
+                            mdebug2("Variable replaced: '%s'", rule_location);
+                        }
+                    }
+                }
+
+                if (!rule_location) {
+                    continue;
+                }
+                const int result = wm_sca_check_file_list(rule_location, pattern, &reason, regex_engine);
+                if (result == RETURN_FOUND || result == RETURN_INVALID) {
+                    found = result;
+                }
+
+                char _b_msg[OS_SIZE_1024 + 1];
+                _b_msg[OS_SIZE_1024] = '\0';
+                snprintf(_b_msg, OS_SIZE_1024, " File: %s", rule_location);
+                append_msg_to_vm_scat(data, _b_msg);
+                os_free(rule_location);
+
+            } else if (type == WM_SCA_TYPE_COMMAND) {
+                /* Check command output */
+                char *pattern = wm_sca_get_pattern(value);
+                char *rule_location = NULL;
+                char *aux = NULL;
+
+                os_strdup(value, rule_location);
+
+                if (!data->remote_commands && remote_policy) {
+                    mwarn("Ignoring check for policy '%s'. The internal option 'sca.remote_commands' is disabled.", cJSON_GetObjectItem(policy, "name")->valuestring);
+                    if (reason == NULL) {
+                        os_malloc(snprintf(NULL, 0, "Ignoring check for running command '%s'. The internal option 'sca.remote_commands' is disabled", rule_location) + 1, reason);
+                        sprintf(reason, "Ignoring check for running command '%s'. The internal option 'sca.remote_commands' is disabled", rule_location);
+                    }
+                    found = RETURN_INVALID;
+
+                } else {
+                    /* If any, replace the variables by their respective values */
+                    if (sorted_variables) {
+                        for (int i = 0; sorted_variables[i]; i++) {
+                            if (strstr(rule_location, sorted_variables[i])) {
+                                mdebug2("Variable '%s' found at rule '%s'. Replacing it.", sorted_variables[i], rule_location);
+                                aux = wstr_replace(rule_location, sorted_variables[i], OSStore_Get(vars, sorted_variables[i]));
+                                os_free(rule_location);
+                                rule_location = aux;
+                                if (!rule_location) {
+                                    merror("Invalid variable: '%s'. Skipping check.", sorted_variables[i]);
+                                    break;
+                                }
+                                mdebug2("Variable replaced: '%s'", rule_location);
+                            }
+                        }
+                    }
+
+                    if (!rule_location) {
+                        continue;
+                    }
+
+                    mdebug2("Running command: '%s'", rule_location);
+                    const int val = wm_sca_read_command(rule_location, pattern, data, &reason, regex_engine);
+                    if (val == RETURN_FOUND) {
+                        mdebug2("Command output matched.");
+                        found = RETURN_FOUND;
+                    } else if (val == RETURN_INVALID){
+                        mdebug2("Command output did not match.");
+                        found = RETURN_INVALID;
+                    }
+                }
+
+                char _b_msg[OS_SIZE_1024 + 1];
+                _b_msg[OS_SIZE_1024] = '\0';
+                snprintf(_b_msg, OS_SIZE_1024, " Command: %s", rule_location);
+                append_msg_to_vm_scat(data, _b_msg);
+                os_free(rule_location);
+
+            } else if (type == WM_SCA_TYPE_DIR) {
+                /* Check directory */
+                mdebug2("Processing directory rule '%s'", value);
+                char * const file = wm_sca_get_pattern(value);
+                char *rule_location = NULL;
+                char *aux = NULL;
+
+                os_strdup(value, rule_location);
+
+                /* If any, replace the variables by their respective values */
+                if (sorted_variables) {
+                    for (int i = 0; sorted_variables[i]; i++) {
+                        if (strstr(rule_location, sorted_variables[i])) {
+                            mdebug2("Variable '%s' found at rule '%s'. Replacing it.", sorted_variables[i], rule_location);
+                            aux = wstr_replace(rule_location, sorted_variables[i], OSStore_Get(vars, sorted_variables[i]));
+                            os_free(rule_location);
+                            rule_location = aux;
+                            if (!rule_location) {
+                                merror("Invalid variable: '%s'. Skipping check.", sorted_variables[i]);
+                                break;
+                            }
+                            mdebug2("Variable replaced: '%s'", rule_location);
+                        }
+                    }
+                }
+
+                if (!rule_location) {
+                    continue;
+                }
+
+                char * const pattern = wm_sca_get_pattern(file);
+                found = wm_sca_check_dir_list(data, rule_location, file, pattern, &reason, regex_engine);
+                mdebug2("Check directory rule result: %d", found);
+                os_free(rule_location);
+
+            } else if (type == WM_SCA_TYPE_PROCESS) {
+                /* Check process existence */
+                if (!p_list) {
+                    /* Lazy evaluation */
+                    p_list = w_os_get_process_list();
+                }
+
+                mdebug2("Checking process: '%s'", value);
+                if (wm_sca_check_process_is_running(p_list, value, &reason, regex_engine)) {
+                    mdebug2("Process found.");
+                    found = RETURN_FOUND;
+                } else {
+                    mdebug2("Process not found.");
+                }
+
+                char _b_msg[OS_SIZE_1024 + 1];
+                _b_msg[OS_SIZE_1024] = '\0';
+                snprintf(_b_msg, OS_SIZE_1024, " Process: %s", value);
+                append_msg_to_vm_scat(data, _b_msg);
+            }
+        #ifdef WIN32
+            else if (type == WM_SCA_TYPE_REGISTRY) {
+                /* Check windows registry */
+                char * const entry = wm_sca_get_pattern(value);
+                char * const pattern = wm_sca_get_pattern(entry);
+                found = wm_sca_is_registry(value, entry, pattern, &reason, regex_engine);
+
+                char _b_msg[OS_SIZE_1024 + 1];
+                _b_msg[OS_SIZE_1024] = '\0';
+                snprintf(_b_msg, OS_SIZE_1024, " Registry: %s", value);
+                append_msg_to_vm_scat(data, _b_msg);
+            }
+        #endif
+
+            /* Rule result processing */
+
+            if (found != RETURN_INVALID) {
+                found = rule_is_negated ^ found;
+            }
+
+            mdebug1("Result for rule '%s': %d", rule_ref->valuestring, found);
+
+            if (((condition & WM_SCA_COND_ALL) && found == RETURN_NOT_FOUND) ||
+                ((condition & WM_SCA_COND_ANY) && found == RETURN_FOUND) ||
+                ((condition & WM_SCA_COND_NON) && found == RETURN_FOUND))
+            {
+                g_found = found;
+                mdebug1("Breaking from rule aggregator '%s' with found = %d", c_condition->valuestring, g_found);
+                break;
+            }
+
+            if (found == RETURN_INVALID) {
+                /* Rules that agreggate by ANY are the only that can success after an INVALID
+                On the other hand ALL and NONE agregators can fail after an INVALID. */
+                g_found = found;
+                mdebug1("Rule evaluation returned INVALID. Continuing.");
+            }
+        }
+
+        if ((condition & WM_SCA_COND_NON) && g_found != RETURN_INVALID) {
+            g_found = !g_found;
+        }
+
+        mdebug1("Result for check %s '%s' -> %d", _check_id_str, c_title->valuestring, g_found);
+
+        if (g_found != RETURN_INVALID) {
+            os_free(reason);
+        }
+
+        /* if the loop breaks, rule_cp shall be released.
+            Also frees the the memory reserved on the last iteration */
+        os_free(rule_cp);
+
+        /* Determine if requirements are satisfied */
+        if (requirements_scan) {
+            /*  return value for requirement scans is the inverse of the result,
+                unless the result is INVALID */
+            ret_val = g_found == RETURN_INVALID ? 1 : !g_found;
+            int i;
+            for (i=0; data->alert_msg[i]; i++){
+                free(data->alert_msg[i]);
+                data->alert_msg[i] = NULL;
+            }
+            w_free_expression_t(&regex_engine);
+            goto clean_return;
+        }
+
+        /* Event construction */
+        const char failed[] = "failed";
+        const char passed[] = "passed";
+        const char invalid[] = ""; //NOT AN ERROR!
+        const char *message_ref = NULL;
+
+        if (g_found == RETURN_NOT_FOUND) {
+            wm_sca_summary_increment_failed();
+            message_ref = failed;
+        } else if (g_found == RETURN_FOUND) {
+            wm_sca_summary_increment_passed();
+            message_ref = passed;
+        } else {
+            wm_sca_summary_increment_invalid();
+            message_ref = invalid;
+
+            if (reason == NULL) {
+                os_malloc(snprintf(NULL, 0, "Unknown reason") + 1, reason);
+                sprintf(reason, "Unknown reason");
+                mdebug1("A check returned INVALID for an unknown reason.");
+            }
+        }
+
+        cJSON *event = wm_sca_build_event(check, policy, data->alert_msg, id, message_ref, reason);
+        if (event) {
+            /* Alert if necessary */
+            if(!cis_db_for_hash[cis_db_index].elem[check_count]) {
+                os_realloc(cis_db_for_hash[cis_db_index].elem, sizeof(cis_db_info_t *) * (check_count + 2), cis_db_for_hash[cis_db_index].elem);
+                cis_db_for_hash[cis_db_index].elem[check_count] = NULL;
+                cis_db_for_hash[cis_db_index].elem[check_count + 1] = NULL;
+            }
+
+            if (wm_sca_check_hash(cis_db[cis_db_index], message_ref, check, event, check_count, cis_db_index) && !first_scan) {
+                wm_sca_send_event_check(data,event);
+            }
+
+            check_count++;
+
+            cJSON_Delete(event);
+        } else {
+            merror("Error constructing event for check: %s. Set debug mode for more information.", c_title->valuestring);
+            ret_val = 1;
+        }
+
+        int i;
+        for (i=0; data->alert_msg[i]; i++){
+            free(data->alert_msg[i]);
+            data->alert_msg[i] = NULL;
+        }
+
+        os_free(reason);
+        w_free_expression_t(&regex_engine);
+    }
+
+    *checks_number = check_count;
+
+/* Clean up memory */
+clean_return:
+    os_free(reason);
+    w_del_plist(p_list);
+
+    return ret_val;
+}
+
+static void wm_sca_set_condition(const char * const c_cond, int *condition)
+{
+    if (strcmp(c_cond, "all") == 0) {
+        *condition |= WM_SCA_COND_ALL;
+    } else if (strcmp(c_cond, "any") == 0) {
+        *condition |= WM_SCA_COND_ANY;
+    } else if (strcmp(c_cond, "none") == 0) {
+        *condition |= WM_SCA_COND_NON;
+    } else if (strcmp(c_cond, "any required") == 0) {
+        *condition |= WM_SCA_COND_ANY;
+        minfo("Modifier 'required' is deprecated. Defaults to 'any'");
+    } else if (strcmp(c_cond, "all required") == 0) {
+        *condition |= WM_SCA_COND_ALL;
+        minfo("Modifier 'required' is deprecated. Defaults to 'all'");
+    } else {
+        *condition = WM_SCA_COND_INV;
+    }
+}
+
+static int wm_sca_get_vars(const cJSON * const variables, OSStore * const vars)
+{
+    const cJSON *variable;
+    cJSON_ArrayForEach (variable, variables) {
+        if (*variable->string != '$') {
+            merror("Invalid variable: '%s'", variable->string);
+            return -1;
+        }
+
+        char *var_value;
+        os_strdup(variable->valuestring, var_value);
+        OSStore_Put(vars, variable->string, var_value);
+
+    }
+
+    return 0;
+}
+
+static char *wm_sca_get_value(char *buf, int *type)
+{
+    /* Zero type before using it to make sure return is valid
+     * in case of error.
+     */
+    *type = 0;
+
+    char *value = strchr(buf, ':');
+    if (value == NULL) {
+        return NULL;
+    }
+
+    *value = '\0';
+    value++;
+
+    /* Get types - removing negate flag (using later) */
+    if (*buf == '!') {
+        buf++;
+    }
+
+    if (strcmp(buf, "f") == 0) {
+        *type = WM_SCA_TYPE_FILE;
+    } else if (strcmp(buf, "r") == 0) {
+        *type = WM_SCA_TYPE_REGISTRY;
+    } else if (strcmp(buf, "p") == 0) {
+        *type = WM_SCA_TYPE_PROCESS;
+    } else if (strcmp(buf, "d") == 0) {
+        *type = WM_SCA_TYPE_DIR;
+    } else if (strcmp(buf, "c") == 0) {
+        *type = WM_SCA_TYPE_COMMAND;
+    } else {
+        return NULL;
+    }
+
+    return value;
+}
+
+static char *wm_sca_get_pattern(char *value)
+{
+    if (value == NULL) {
+        return NULL;
+    }
+
+    while (*value != '\0') {
+        if ((*value == ' ') && (value[1] == '-') &&
+                (value[2] == '>') && (value[3] == ' ')) {
+            *value = '\0';
+            value += 4;
+
+            return (value);
+        }
+        value++;
+    }
+
+    return (NULL);
+}
+
+static int wm_sca_check_file_existence(const char * const file, char **reason)
+{
+    #ifdef WIN32
+    const char *realpath_buffer = file;
+    #else
+    char realpath_buffer[OS_MAXSTR];
+    const int wm_sca_resolve_symlink_result = wm_sca_resolve_symlink(file, realpath_buffer, reason);
+    if (wm_sca_resolve_symlink_result != RETURN_FOUND) {
+        return wm_sca_resolve_symlink_result;
+    }
+    #endif
+
+    struct stat statbuf;
+    const int lstat_ret = lstat(realpath_buffer, &statbuf);
+    const int lstat_errno = errno;
+
+    if (lstat_ret == -1) {
+        if (lstat_errno == ENOENT) {
+            mdebug2("FILE_EXISTS(%s) -> RETURN_NOT_FOUND: %s", file, strerror(lstat_errno));
+            return RETURN_NOT_FOUND;
+        }
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not open '%s': %s", file, strerror(lstat_errno)) + 1, *reason);
+            sprintf(*reason, "Could not open '%s': %s", file, strerror(lstat_errno));
+        }
+        mdebug2("FILE_EXISTS(%s) -> RETURN_INVALID: %s", file, strerror(lstat_errno));
+        return RETURN_INVALID;
+    }
+
+    if (S_ISREG(statbuf.st_mode)) {
+        mdebug2("FILE_EXISTS(%s) -> RETURN_FOUND", file);
+        return RETURN_FOUND;
+    }
+
+    if (*reason == NULL) {
+        os_malloc(snprintf(NULL, 0, "FILE_EXISTS(%s) -> RETURN_INVALID: Not a regular file.", file) + 1, *reason);
+        sprintf(*reason, "FILE_EXISTS(%s) -> RETURN_INVALID: Not a regular file.", file);
+    }
+
+    mdebug2("FILE_EXISTS(%s) -> RETURN_INVALID: Not a regular file.", file);
+    return RETURN_INVALID;
+}
+
+static int wm_sca_check_file_contents(const char * const file,
+                                      const char * const pattern,
+                                      char ** reason,
+                                      w_expression_t * regex_engine)
+{
+    mdebug2("Checking contents of file '%s' against pattern '%s'", file, pattern);
+
+    #ifdef WIN32
+    const char *realpath_buffer = file;
+    #else
+    char realpath_buffer[OS_MAXSTR];
+    const int wm_sca_resolve_symlink_result = wm_sca_resolve_symlink(file, realpath_buffer, reason);
+    if (wm_sca_resolve_symlink_result != RETURN_FOUND) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not open file '%s'", file) + 1, *reason);
+            sprintf(*reason, "Could not open file '%s'", file);
+        }
+
+        mdebug2("Could not open file '%s'", file);
+
+        return RETURN_INVALID;
+    }
+    #endif
+
+    FILE *fp = wfopen(realpath_buffer, "r");
+    const int fopen_errno = errno;
+    if (!fp) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not open file '%s': %s", file, strerror(fopen_errno)) + 1, *reason);
+            sprintf(*reason, "Could not open file '%s': %s", file, strerror(fopen_errno));
+        }
+        mdebug2("Could not open file '%s': %s", file, strerror(fopen_errno));
+        return RETURN_INVALID;
+    }
+
+    int result = RETURN_NOT_FOUND;
+    char buf[OS_SIZE_2048 + 1];
+    while (fgets(buf, OS_SIZE_2048, fp) != NULL) {
+        os_trimcrlf(buf);
+        result = wm_sca_pattern_matches(buf, pattern, reason, regex_engine);
+        mdebug2("(%s)(%s) -> %d", pattern, *buf != '\0' ? buf : "EMPTY_LINE" , result);
+
+        if (result) {
+            mdebug2("Match found. Skipping the rest.");
+            break;
+        }
+    }
+
+    fclose(fp);
+    mdebug2("Result for (%s)(%s) -> %d", pattern, file, result);
+    return result;
+}
+
+static int wm_sca_check_file_list(const char * const file_list,
+                                  char * const pattern,
+                                  char ** reason,
+                                  w_expression_t * regex_engine)
+{
+    if (pattern) {
+        return wm_sca_check_file_list_for_contents(file_list, pattern, reason, regex_engine);
+    }
+
+    return wm_sca_check_file_list_for_existence(file_list, reason);
+}
+
+static int wm_sca_check_file_list_for_existence(const char * const file_list, char **reason)
+{
+    mdebug1("Checking file list '%s' for existence.", file_list);
+
+    if (!file_list) {
+        return RETURN_NOT_FOUND;
+    }
+
+    int result_accumulator = RETURN_NOT_FOUND;
+    char *file_list_copy = NULL;
+    os_strdup(file_list, file_list_copy);
+    char *file_list_ref = file_list_copy;
+    char *file = NULL;
+    char *save_ptr = NULL;
+    for (file = strtok_r(file_list_ref, ",", &save_ptr); file != NULL;
+            file = strtok_r(NULL, ",", &save_ptr))
+    {
+        const int file_check_result = wm_sca_check_file_existence(file, reason);
+        if (file_check_result == RETURN_FOUND) {
+            result_accumulator = RETURN_FOUND;
+            mdebug2("File '%s' found. Skipping the rest.", file);
+            break;
+        }
+
+        if (file_check_result == RETURN_INVALID) {
+            result_accumulator = RETURN_INVALID;
+            mdebug2("Could not open file '%s'. Continuing.", file);
+        } else {
+            mdebug2("File '%s' does not exists. Continuing.", file);
+        }
+    }
+
+    mdebug1("Result for FILES_EXIST(%s) -> %d", file_list, result_accumulator);
+
+    os_free(file_list_copy);
+    return result_accumulator;
+}
+
+static int wm_sca_check_file_list_for_contents(const char * const file_list,
+                                               char * pattern,
+                                               char ** reason,
+                                               w_expression_t * regex_engine)
+{
+    mdebug1("Checking file list '%s' with '%s'", file_list, pattern);
+
+    if (!file_list) {
+        return RETURN_NOT_FOUND;
+    }
+
+    int result_accumulator = RETURN_NOT_FOUND;
+    char *file_list_copy = NULL;
+    os_strdup(file_list, file_list_copy);
+    char *file_list_ref = file_list_copy;
+    char *file = NULL;
+    char *save_ptr = NULL;
+    for (file = strtok_r(file_list_ref, ",", &save_ptr); file != NULL;
+            file = strtok_r(NULL, ",", &save_ptr))
+    {
+        const int existence_check_result = wm_sca_check_file_existence(file, reason);
+        if (existence_check_result != RETURN_FOUND) {
+            /* a file that does not exist produces an INVALID check */
+            result_accumulator = RETURN_INVALID;
+            if (*reason == NULL) {
+                os_malloc(snprintf(NULL, 0, "Could not open file '%s'",  file) + 1, *reason);
+                sprintf(*reason, "Could not open file '%s'",  file);
+            }
+            mdebug2("Could not open file '%s'. Skipping.", file);
+            continue;
+        }
+
+        const int contents_check_result = wm_sca_check_file_contents(file, pattern, reason, regex_engine);
+        if (contents_check_result == RETURN_FOUND) {
+            result_accumulator = RETURN_FOUND;
+            mdebug2("Match found in '%s'. Skipping the rest.", file);
+            break;
+        }
+
+        if (contents_check_result == RETURN_INVALID) {
+            mdebug2("Check was invalid in file '%s'. Continuing.", file);
+            result_accumulator = RETURN_INVALID;
+        } else {
+            mdebug2("Match not found in file '%s'. Continuing.", file);
+        }
+    }
+
+    mdebug1("Result for (%s)(%s) -> %d", pattern, file_list, result_accumulator);
+
+    os_free(file_list_copy);
+    return result_accumulator;
+}
+
+static int wm_sca_read_command(char * command,
+                               char * pattern,
+                               wm_sca_t * data,
+                               char ** reason,
+                               w_expression_t * regex_engine)
+{
+    if (command == NULL) {
+        mdebug1("No Command specified Returning.");
+        return RETURN_NOT_FOUND;
+    }
+
+    if (!pattern) {
+        mdebug1("No pattern given. Returning FOUND.");
+        return RETURN_FOUND;
+    }
+
+    mdebug1("Executing command '%s', and testing output with pattern '%s'", command, pattern);
+    char *cmd_output = NULL;
+    int result_code;
+
+    switch (wm_exec(command, &cmd_output, &result_code, data->commands_timeout, NULL)) {
+    case 0:
+        mdebug1("Command '%s' returned code %d", command, result_code);
+        break;
+    case WM_ERROR_TIMEOUT:
+        os_free(cmd_output);
+        mdebug1("Timeout overtaken running command '%s'", command);
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Timeout overtaken running command '%s'", command) + 1, *reason);
+            sprintf(*reason, "Timeout overtaken running command '%s'", command);
+        }
+        os_free(cmd_output);
+        return RETURN_INVALID;
+    default:
+        if (result_code == EXECVE_ERROR) {
+            mdebug1("Invalid path or wrong permissions to run command '%s'", command);
+            if (*reason == NULL) {
+                os_malloc(snprintf(NULL, 0, "Invalid path or wrong permissions to run command '%s'", command) + 1, *reason);
+                sprintf(*reason, "Invalid path or wrong permissions to run command '%s'", command);
+            }
+        } else {
+            mdebug1("Failed to run command '%s'. Returned code %d", command, result_code);
+            if (*reason == NULL) {
+                os_malloc(snprintf(NULL, 0, "Failed to run command '%s'. Returned code %d", command, result_code) + 1, *reason);
+                sprintf(*reason, "Failed to run command '%s'. Returned code %d", command, result_code);
+            }
+        }
+        return RETURN_INVALID;
+    }
+
+    if(!cmd_output) {
+        mdebug2("Command yielded no output. Returning.");
+        return RETURN_NOT_FOUND;
+    }
+
+    char **output_line;
+    output_line = OS_StrBreak('\n', cmd_output, 256);
+
+    if(!output_line) {
+        mdebug1("Command output could not be processed. Output dump:\n%s", cmd_output);
+        os_free(cmd_output);
+        return RETURN_NOT_FOUND;
+    }
+
+    os_free(cmd_output);
+
+    int i;
+    int result = RETURN_NOT_FOUND;
+    for (i=0; output_line[i] != NULL; i++) {
+        char *buf = output_line[i];
+        os_trimcrlf(buf);
+        result = wm_sca_pattern_matches(buf, pattern, reason, regex_engine);
+        if (result == RETURN_FOUND){
+            break;
+        }
+    }
+
+    free_strarray(output_line);
+    mdebug2("Result for (%s)(%s) -> %d", pattern, command, result);
+    return result;
+}
+
+static int wm_sca_apply_numeric_partial_comparison(const char * const partial_comparison,
+                                                   const long int number,
+                                                   char ** reason,
+                                                   w_expression_t * regex_engine)
+{
+    if (!partial_comparison) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "No comparison provided.") + 1, *reason);
+            sprintf(*reason, "No comparison provided.");
+        }
+        mwarn("No comparison provided.");
+        return RETURN_INVALID;
+    }
+
+    mdebug2("Partial comparison '%s'", partial_comparison);
+
+    w_expression_t * regex = NULL;
+    if (strcmp(w_expression_get_regex_type(regex_engine), OSREGEX_STR) == 0) {
+            w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    }
+    else if (strcmp(w_expression_get_regex_type(regex_engine), PCRE2_STR) == 0) {
+            w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    }
+    else{
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Invalid regex type.") + 1, *reason);
+            sprintf(*reason, "Invalid regex type.");
+        }
+        return RETURN_INVALID;
+    }
+
+    if (!w_expression_compile(regex, "(\\d+)", OS_RETURN_SUBSTRING)) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Cannot compile regex.") + 1, *reason);
+            sprintf(*reason, "Cannot compile regex.");
+        }
+        mwarn("Cannot compile regex");
+        w_free_expression_t(&regex);
+        return RETURN_INVALID;
+    }
+    regex_matching * regex_match = NULL;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    if (!w_expression_match(regex, partial_comparison, NULL, regex_match)) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "No integer was found within the comparison '%s' ", partial_comparison) + 1, *reason);
+            sprintf(*reason, "No integer was found within the comparison '%s' ", partial_comparison);
+        }
+        mwarn("No integer was found within the comparison '%s' ", partial_comparison);
+        w_free_expression_match(regex, &regex_match);
+        w_free_expression_t(&regex);
+        return RETURN_INVALID;
+    }
+
+    if (!regex_match->sub_strings || !regex_match->sub_strings[0]) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "No number was captured.") + 1, *reason);
+            sprintf(*reason, "No number was captured.");
+        }
+        mwarn("No number was captured.");
+        w_free_expression_match(regex, &regex_match);
+        w_free_expression_t(&regex);
+        return RETURN_INVALID;
+    }
+
+    mdebug2("Value given for comparison: '%s'", regex_match->sub_strings[0]);
+
+    errno = 0;
+    char *strtol_end_ptr = NULL;
+    const long int value_given = strtol(regex_match->sub_strings[0], &strtol_end_ptr, 10);
+
+    if (errno != 0 || strtol_end_ptr == regex_match->sub_strings[0]) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]) + 1, *reason);
+            sprintf(*reason, "Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]);
+        }
+        mwarn("Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]);
+        w_free_expression_match(regex, &regex_match);
+        w_free_expression_t(&regex);
+        return RETURN_INVALID;
+    }
+
+    if (regex_match) {
+        if (regex_match->sub_strings) {
+            for (unsigned int a = 0; regex_match->sub_strings[a] != NULL; a++) {
+                os_free(regex_match->sub_strings[a]);
+            }
+            os_free(regex_match->sub_strings);
+        }
+    }
+
+    w_free_expression_match(regex, &regex_match);
+    w_free_expression_t(&regex);
+
+
+    mdebug2("Value converted: '%ld'", value_given);
+
+    if ('=' == *partial_comparison) {
+        mdebug2("Operation is '%ld == %ld'", number, value_given);
+        return number == value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    } else if (strstr(partial_comparison, "!=")) {
+        mdebug2("Operation is '%ld != %ld'", number, value_given);
+        return number != value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    } else if (strstr(partial_comparison, "<=")) {
+        mdebug2("Operation is '%ld <= %ld'", number, value_given);
+        return number <= value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    } else if (strstr(partial_comparison, ">=")) {
+        mdebug2("Operation is '%ld >= %ld'", number, value_given);
+        return number >= value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    } else if (strstr(partial_comparison, "<")) {
+        mdebug2("Operation is '%ld < %ld'", number, value_given);
+        return number < value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    } else if (strstr(partial_comparison, ">")) {
+        mdebug2("Operation is '%ld > %ld'", number, value_given);
+        return number > value_given ? RETURN_FOUND : RETURN_NOT_FOUND;
+    }
+    if (*reason == NULL) {
+        os_malloc(snprintf(NULL, 0, "Unrecognized operation: '%s'", partial_comparison) + 1, *reason);
+        sprintf(*reason, "Unrecognized operation: '%s'", partial_comparison);
+    }
+    mdebug2("Unrecognized operation: '%s'", partial_comparison);
+    return RETURN_INVALID;
+}
+
+static int wm_sca_regex_numeric_comparison (const char * const pattern,
+                                            const char * const str,
+                                            char ** reason,
+                                            w_expression_t * regex_engine)
+{
+    char *pattern_copy;
+    os_strdup(pattern, pattern_copy);
+    char *pattern_copy_ref = pattern_copy;
+    char *partial_comparison_ref = strstr(pattern_copy_ref, " compare ");
+
+    if (!partial_comparison_ref) {
+        mdebug2("Keyword 'compare' not found. Did you forget adding 'compare COMPARATOR VALUE' to your rule?' %s'", pattern_copy_ref);
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Keyword 'compare' not found. Did you forget adding 'compare COMPARATOR VALUE' to your rule?' %s'", pattern_copy_ref) + 1, *reason);
+            sprintf(*reason, "Keyword 'compare' not found. Did you forget adding 'compare COMPARATOR VALUE' to your rule?' %s'", pattern_copy_ref);
+        }
+        os_free(pattern_copy);
+        return RETURN_INVALID;
+    }
+
+    *partial_comparison_ref = '\0';
+    partial_comparison_ref += 9;
+    mdebug2("REGEX: '%s'. Partial comparison: '%s'", pattern_copy_ref, partial_comparison_ref);
+
+    if (!w_expression_compile(regex_engine, pattern_copy_ref, OS_RETURN_SUBSTRING)) {
+        mdebug2("Cannot compile regex '%s'", pattern_copy_ref);
+        if (!*reason) {
+            os_malloc(snprintf(NULL, 0, "Cannot compile regex '%s'", pattern_copy_ref) + 1, *reason);
+            sprintf(*reason, "Cannot compile regex '%s'", pattern_copy_ref);
+        }
+        os_free(pattern_copy);
+        return RETURN_INVALID;
+    }
+    regex_matching * regex_match = NULL;
+    os_calloc(1, sizeof(regex_matching), regex_match);
+
+    if (!w_expression_match(regex_engine, str, NULL, regex_match)) {
+        mdebug2("No match found for regex '%s'", pattern_copy_ref);
+        os_free(pattern_copy);
+        w_free_expression_match(regex_engine, &regex_match);
+        return RETURN_NOT_FOUND;
+    }
+
+    if (!regex_match->sub_strings || !regex_match->sub_strings[0]) {
+        mdebug2("Regex '%s' matched, but no string was captured by it. Did you forget specifying a capture group?", pattern_copy_ref);
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Regex '%s' matched, but no string was captured by it. Did you forget specifying a capture group?", pattern_copy_ref) + 1, *reason);
+            sprintf(*reason, "Regex '%s' matched, but no string was captured by it. Did you forget specifying a capture group?", pattern_copy_ref);
+        }
+        os_free(pattern_copy);
+        w_free_expression_match(regex_engine, &regex_match);
+        return RETURN_INVALID;
+    }
+
+    mdebug2("Captured value: '%s'", regex_match->sub_strings[0]);
+
+    errno = 0;
+    char *strtol_end_ptr = NULL;
+    const long int value_captured = strtol(regex_match->sub_strings[0], &strtol_end_ptr, 10);
+
+    if (errno != 0 || strtol_end_ptr == regex_match->sub_strings[0]) {
+        mdebug2("Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]);
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]) + 1, *reason);
+            sprintf(*reason, "Conversion error. Cannot convert '%s' to integer.", regex_match->sub_strings[0]);
+        }
+        os_free(pattern_copy);
+        w_free_expression_match(regex_engine, &regex_match);
+        return RETURN_INVALID;
+    }
+
+    mdebug2("Converted value: '%ld'", value_captured);
+
+    const int result = wm_sca_apply_numeric_partial_comparison(partial_comparison_ref, value_captured, reason, regex_engine);
+    mdebug2("Comparison result '%ld %s' -> %d", value_captured, partial_comparison_ref, result);
+
+    os_free(pattern_copy);
+    if (regex_match) {
+        if (regex_match->sub_strings) {
+            for (unsigned int a = 0; regex_match->sub_strings[a] != NULL; a++) {
+                os_free(regex_match->sub_strings[a]);
+            }
+            os_free(regex_match->sub_strings);
+        }
+        w_free_expression_match(regex_engine, &regex_match);
+    }
+
+    return result;
+}
+
+int wm_sca_test_positive_minterm(char * const minterm,
+                                 const char * const str,
+                                 char **reason,
+                                 w_expression_t * regex_engine)
+{
+    char * pattern_ref = minterm;
+    if (strncasecmp(pattern_ref, "r:", 2) == 0) {
+        pattern_ref += 2;
+        if (!w_expression_compile(regex_engine, pattern_ref, OS_RETURN_SUBSTRING)) {
+            mdebug2("Failed to compile regex '%s'", pattern_ref);
+            return RETURN_NOT_FOUND;
+        }
+        if (w_expression_match(regex_engine, str, NULL, NULL)) {
+            return RETURN_FOUND;
+        }
+    } else if (strncasecmp(pattern_ref, "n:", 2) == 0) {
+        pattern_ref += 2;
+        return wm_sca_regex_numeric_comparison(pattern_ref, str, reason, regex_engine);
+    } else if (strcasecmp(pattern_ref, str) == 0) {
+        return RETURN_FOUND;
+    }
+
+    return RETURN_NOT_FOUND;
+}
+
+int wm_sca_pattern_matches(const char * const str,
+                           const char * const pattern,
+                           char ** reason,
+                           w_expression_t * regex_engine)
+{
+    if (!str) {
+        return 0;
+    }
+
+    char *pattern_copy = NULL;
+    os_strdup(pattern, pattern_copy);
+    char *pattern_copy_ref = pattern_copy;
+    char *minterm = NULL;
+    int test_result = RETURN_FOUND;
+
+    while ((minterm = w_strtok_r_str_delim(" && ", &pattern_copy_ref))) {
+        int negated = 0;
+        if ((*minterm) == '!'){
+            minterm++;
+            negated = 1;
+        }
+
+        w_expression_t * regex = NULL;
+        if (strcmp(w_expression_get_regex_type(regex_engine), OSREGEX_STR) == 0) {
+            w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+        }
+        else if (strcmp(w_expression_get_regex_type(regex_engine), PCRE2_STR) == 0) {
+            w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+        }
+        if(regex == NULL)
+            break;
+
+        const int minterm_result = negated ^ wm_sca_test_positive_minterm (minterm, str, reason, regex);
+        w_free_expression_t(&regex);
+
+        test_result *= minterm_result;
+        mdebug2("Testing minterm (%s%s)(%s) -> %d", negated ? "!" : "", minterm, *str != '\0' ? str : "EMPTY_LINE", minterm_result);
+    }
+
+    mdebug2("Pattern test result: (%s)(%s) -> %d", pattern, *str != '\0' ? str : "EMPTY_LINE", test_result);
+    os_free(pattern_copy);
+
+    return test_result;
+}
+
+static int wm_sca_check_dir_existence(const char * const dir, char **reason)
+{
+    #ifdef WIN32
+    const char *realpath_buffer = dir;
+    #else
+    char realpath_buffer[OS_MAXSTR];
+    const int wm_sca_resolve_symlink_result = wm_sca_resolve_symlink(dir, realpath_buffer, reason);
+    if (wm_sca_resolve_symlink_result != RETURN_FOUND) {
+        return wm_sca_resolve_symlink_result;
+    }
+    #endif
+
+    DIR *dp = opendir(realpath_buffer);
+    const int open_dir_errno = errno;
+    if (dp) {
+        mdebug2("DIR_EXISTS(%s) -> RETURN_FOUND", dir);
+        closedir(dp);
+        return RETURN_FOUND;
+    }
+
+    if (open_dir_errno == ENOENT) {
+        mdebug2("DIR_EXISTS(%s) -> RETURN_NOT_FOUND. Reason: %s", dir, strerror(open_dir_errno));
+        return RETURN_NOT_FOUND;
+    }
+
+    if (*reason == NULL) {
+        os_malloc(snprintf(NULL, 0, "Could not check directory existence for '%s': %s", dir, strerror(open_dir_errno)) + 1, *reason);
+        sprintf(*reason, "Could not check directory existence for '%s': %s", dir, strerror(open_dir_errno));
+    }
+
+    mdebug2("Could not check directory existence for '%s': %s", dir, strerror(open_dir_errno));
+    return RETURN_INVALID;
+}
+
+static int wm_sca_check_dir(const char * const dir,
+                            const char * const file,
+                            char * const pattern,
+                            char **reason,
+                            w_expression_t * regex_engine)
+{
+    mdebug2("Checking directory '%s'%s%s%s%s", dir,
+            file ? " -> "  : "", file ? file : "",
+            pattern ? " -> " : "", pattern ? pattern: "");
+
+    #ifdef WIN32
+    const char *realpath_buffer = dir;
+    #else
+    char realpath_buffer[OS_MAXSTR];
+    const int wm_sca_resolve_symlink_result = wm_sca_resolve_symlink(dir, realpath_buffer, reason);
+    if (wm_sca_resolve_symlink_result != RETURN_FOUND) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not open dir '%s'", dir) + 1, *reason);
+            sprintf(*reason, "Could not open dir '%s'", dir);
+        }
+
+        mdebug2("Could not open dir '%s'", dir);
+
+        return RETURN_INVALID;
+    }
+    #endif
+
+    DIR *dp = opendir(realpath_buffer);
+    if (!dp) {
+        const int open_dir_errno = errno;
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Could not open '%s': %s", dir, strerror(open_dir_errno)) + 1, *reason);
+            sprintf(*reason, "Could not open '%s': %s", dir, strerror(open_dir_errno));
+        }
+        mdebug2("Could not open '%s': %s", dir, strerror(open_dir_errno));
+        return RETURN_INVALID;
+    }
+
+    int result_accumulator = RETURN_NOT_FOUND;
+    struct dirent *entry = NULL;
+
+    while ((entry = readdir(dp)) != NULL) {
+        /* Ignore . and ..  */
+        if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) {
+            continue;
+        }
+
+        /* Create new file + path string */
+        char f_name[PATH_MAX + 2];
+        f_name[PATH_MAX + 1] = '\0';
+        snprintf(f_name, PATH_MAX + 1, "%s/%s", dir, entry->d_name);
+
+        mdebug2("Considering directory entry '%s'", f_name);
+
+        int result;
+        struct stat statbuf_local;
+        if (lstat(f_name, &statbuf_local) != 0) {
+            mdebug2("Cannot check directory entry '%s'", f_name);
+            if (*reason == NULL){
+                os_malloc(snprintf(NULL, 0, "Cannot check directory entry '%s", f_name) + 1, *reason);
+                sprintf(*reason, "Cannot check directory entry '%s", f_name);
+            }
+            result_accumulator = RETURN_INVALID;
+            continue;
+        }
+
+        if (S_ISDIR(statbuf_local.st_mode)) {
+            result = wm_sca_check_dir(f_name, file, pattern, reason, regex_engine);
+        } else if (((file && strncasecmp(file, "r:", 2) == 0) && OS_Regex(file + 2, entry->d_name))
+                || OS_Match2(file, entry->d_name))
+        {
+            result = wm_sca_check_file_list(f_name, pattern, reason, regex_engine);
+        } else {
+            mdebug2("Skipping directory entry '%s'", f_name);
+            continue;
+        }
+
+        mdebug2("Result for entry '%s': %d", f_name, result);
+
+        if (result == RETURN_FOUND) {
+            mdebug2("Match found in '%s', skipping the rest.", f_name);
+            result_accumulator = RETURN_FOUND;
+            break;
+        } else if (result == RETURN_INVALID) {
+            result_accumulator = RETURN_INVALID;
+        }
+    }
+
+    closedir(dp);
+    mdebug2("Check result for dir '%s': %d", dir, result_accumulator);
+    return result_accumulator;
+}
+
+static int wm_sca_check_process_is_running(OSList * p_list,
+                                           char * value,
+                                           char ** reason,
+                                           w_expression_t * regex_engine)
+{
+    if (p_list == NULL) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Process list is empty.") + 1, *reason);
+            sprintf(*reason, "Process list is empty.");
+        }
+        return RETURN_INVALID;
+    }
+
+    if (!value) {
+        return RETURN_NOT_FOUND;
+    }
+
+    OSListNode *l_node = OSList_GetFirstNode(p_list);
+    while (l_node) {
+        W_Proc_Info *pinfo = (W_Proc_Info *)l_node->data;
+        /* Check if value matches */
+        if (wm_sca_pattern_matches(pinfo->p_path, value, reason, regex_engine)) {
+            return RETURN_FOUND;
+        }
+
+        l_node = OSList_GetNextNode(p_list);
+    }
+
+    return RETURN_NOT_FOUND;
+}
+
+// Destroy data
+void wm_sca_destroy(wm_sca_t * data) {
+    os_free(data);
+}
+
+#ifdef WIN32
+
+static int wm_sca_is_registry(char * entry_name,
+                              char * reg_option,
+                              char * reg_value,
+                              char ** reason,
+                              w_expression_t * regex_engine)
+{
+    char *rk = wm_sca_os_winreg_getkey(entry_name);
+
+    if (wm_sca_sub_tree == NULL || rk == NULL) {
+         if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Invalid registry entry: '%s'", entry_name) + 1, *reason);
+            sprintf(*reason, "Invalid registry entry: '%s'", entry_name);
+        }
+
+        merror("Invalid registry entry: '%s'", entry_name);
+        return RETURN_INVALID;
+    }
+
+    int returned_value_64 = wm_sca_test_key(rk, entry_name, KEY_WOW64_64KEY, reg_option, reg_value, reason, regex_engine);
+
+    int returned_value_32 = RETURN_NOT_FOUND;
+    if (returned_value_64 != RETURN_FOUND) {
+        returned_value_32 = wm_sca_test_key(rk, entry_name, KEY_WOW64_32KEY, reg_option, reg_value, reason, regex_engine);
+    }
+
+    int ret_value = RETURN_NOT_FOUND;
+    if (returned_value_32 == RETURN_INVALID && returned_value_64 == RETURN_INVALID) {
+        ret_value = RETURN_INVALID;
+    } else if (returned_value_32 == RETURN_FOUND || returned_value_64 == RETURN_FOUND) {
+        ret_value = RETURN_FOUND;
+    }
+
+    return ret_value;
+}
+
+static char *wm_sca_os_winreg_getkey(char *reg_entry)
+{
+    char *ret = NULL;
+    char *tmp_str;
+
+    /* Get only the sub tree first */
+    tmp_str = strchr(reg_entry, '\\');
+    if (tmp_str) {
+        *tmp_str = '\0';
+        ret = tmp_str + 1;
+    }
+
+    /* Set sub tree */
+    if ((strcmp(reg_entry, "HKEY_LOCAL_MACHINE") == 0) ||
+            (strcmp(reg_entry, "HKLM") == 0)) {
+        wm_sca_sub_tree = HKEY_LOCAL_MACHINE;
+    } else if (strcmp(reg_entry, "HKEY_CLASSES_ROOT") == 0) {
+        wm_sca_sub_tree = HKEY_CLASSES_ROOT;
+    } else if (strcmp(reg_entry, "HKEY_CURRENT_CONFIG") == 0) {
+        wm_sca_sub_tree = HKEY_CURRENT_CONFIG;
+    } else if (strcmp(reg_entry, "HKEY_USERS") == 0) {
+        wm_sca_sub_tree = HKEY_USERS;
+    } else if ((strcmp(reg_entry, "HKCU") == 0) ||
+               (strcmp(reg_entry, "HKEY_CURRENT_USER") == 0)) {
+        wm_sca_sub_tree = HKEY_CURRENT_USER;
+    } else {
+        /* Set sub tree to null */
+        wm_sca_sub_tree = NULL;
+
+        /* Return tmp_str to the previous value */
+        if (tmp_str && (*tmp_str == '\0')) {
+            *tmp_str = '\\';
+        }
+        return (NULL);
+    }
+
+    /* Check if ret has nothing else */
+    if (ret && (*ret == '\0')) {
+        ret = NULL;
+    }
+
+    /* Fixing tmp_str and the real name of the registry */
+    if (tmp_str && (*tmp_str == '\0')) {
+        *tmp_str = '\\';
+    }
+
+    return (ret);
+}
+
+static int wm_sca_test_key(char * subkey,
+                           char * full_key_name,
+                           unsigned long arch,
+                           char * reg_option,
+                           char * reg_value,
+                           char ** reason,
+                           w_expression_t * regex_engine)
+{
+    mdebug2("Checking '%s' in the %dBIT subsystem.", full_key_name, arch == KEY_WOW64_64KEY ? 64 : 32);
+
+    HKEY oshkey;
+    LSTATUS err = RegOpenKeyEx(wm_sca_sub_tree, subkey, 0, KEY_READ | arch, &oshkey);
+    if (err == ERROR_ACCESS_DENIED) {
+        if (*reason == NULL) {
+            os_malloc(snprintf(NULL, 0, "Access denied for registry '%s'", full_key_name) + 1, *reason);
+            sprintf(*reason, "Access denied for registry '%s'", full_key_name);
+        }
+        merror("Access denied for registry '%s'", full_key_name);
+        return RETURN_INVALID;
+    } else if (err != ERROR_SUCCESS) {
+        char error_msg[OS_SIZE_1024 + 1];
+        error_msg[OS_SIZE_1024] = '\0';
+        FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS
+                    | FORMAT_MESSAGE_MAX_WIDTH_MASK,
+                    NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                    (LPTSTR) &error_msg, OS_SIZE_1024, NULL);
+
+        mdebug2("Unable to read registry '%s': %s", full_key_name, error_msg);
+
+        /* If registry not found and no key is requested -> return RETURN_NOT_FOUND */
+        if (!reg_option) {
+            mdebug2("Registry '%s' not found.", full_key_name);
+            return RETURN_NOT_FOUND;
+        }
+
+        if (*reason == NULL){
+            os_malloc(snprintf(NULL, 0, "Unable to read registry '%s' (%s)", full_key_name, error_msg) + 1, *reason);
+            sprintf(*reason, "Unable to read registry '%s' (%s)", full_key_name, error_msg);
+        }
+        return RETURN_INVALID;
+    }
+
+    /* If the key does exists, a test for existence succeeds  */
+    int ret_val = RETURN_FOUND;
+
+    /* If option is set, set test_result as the value of query key */
+    if (reg_option) {
+        ret_val = wm_sca_winreg_querykey(oshkey, full_key_name, reg_option, reg_value, reason, regex_engine);
+    }
+
+    RegCloseKey(oshkey);
+
+    return ret_val;
+}
+
+static int wm_sca_winreg_querykey(HKEY hKey,
+                                  const char * full_key_name,
+                                  char * reg_option,
+                                  char * reg_value,
+                                  char ** reason,
+                                  w_expression_t * regex_engine)
+{
+    int rc;
+    DWORD i, j;
+
+    /* QueryInfo and EnumKey variables */
+    TCHAR class_name_b[MAX_PATH + 1];
+    DWORD class_name_s = MAX_PATH;
+
+    /* Number of sub keys */
+    DWORD subkey_count = 0;
+
+    /* Number of values */
+    DWORD value_count;
+
+    /* Variables for RegEnumValue */
+    TCHAR value_buffer[MAX_VALUE_NAME + 1];
+    TCHAR data_buffer[MAX_VALUE_NAME + 1];
+    DWORD value_size;
+    DWORD data_size;
+
+    /* Data type for RegEnumValue */
+    DWORD data_type = 0;
+
+    /* Storage var */
+    char var_storage[MAX_VALUE_NAME + 1];
+
+    /* Initialize the memory for some variables */
+    class_name_b[0] = '\0';
+    class_name_b[MAX_PATH] = '\0';
+
+    /* We use the class_name, subkey_count and the value count */
+    rc = RegQueryInfoKey(hKey, class_name_b, &class_name_s, NULL,
+                         &subkey_count, NULL, NULL, &value_count,
+                         NULL, NULL, NULL, NULL);
+
+    if (rc != ERROR_SUCCESS) {
+        char error_msg[OS_SIZE_1024 + 1];
+        error_msg[OS_SIZE_1024] = '\0';
+        FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS
+                    | FORMAT_MESSAGE_MAX_WIDTH_MASK,
+                    NULL, rc, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                    (LPTSTR) &error_msg, OS_SIZE_1024, NULL);
+
+        if (*reason == NULL){
+            os_malloc(snprintf(NULL, 0, "Unable to read registry '%s' (%s)", full_key_name, error_msg) + 1, *reason);
+            sprintf(*reason, "Unable to read registry '%s' (%s)", full_key_name, error_msg);
+        }
+
+        mdebug2("Unable to read registry '%s': %s", full_key_name, error_msg);
+        return RETURN_INVALID;
+    }
+
+    /* Get values (if available) */
+    if (value_count) {
+        char *mt_data;
+
+        /* Clear the values for value_size and data_size */
+        value_buffer[MAX_VALUE_NAME] = '\0';
+        data_buffer[MAX_VALUE_NAME] = '\0';
+        var_storage[MAX_VALUE_NAME] = '\0';
+
+        /* Get each value */
+        for (i = 0; i < value_count; i++) {
+            value_size = MAX_VALUE_NAME;
+            data_size = MAX_VALUE_NAME;
+
+            value_buffer[0] = '\0';
+            data_buffer[0] = '\0';
+            var_storage[0] = '\0';
+
+            rc = RegEnumValue(hKey, i, value_buffer, &value_size,
+                              NULL, &data_type, (LPBYTE)data_buffer, &data_size);
+
+            /* No more values available */
+            if (rc != ERROR_SUCCESS && rc != ERROR_NO_MORE_ITEMS) {
+                char error_msg[OS_SIZE_1024 + 1];
+                error_msg[OS_SIZE_1024] = '\0';
+                FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS
+                            | FORMAT_MESSAGE_MAX_WIDTH_MASK,
+                            NULL, rc, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                            (LPTSTR) &error_msg, OS_SIZE_1024, NULL);
+
+                if (*reason == NULL){
+                    os_malloc(snprintf(NULL, 0, "Unable to enumerate values of registry '%s' (%s)", full_key_name, error_msg) + 1, *reason);
+                    sprintf(*reason, "Unable to enumerate values of registry '%s' (%s)", full_key_name, error_msg);
+                }
+
+                mdebug2("Unable to enumerate values of registry '%s' -> RETURN_INVALID", full_key_name);
+                return RETURN_INVALID;
+            }
+
+            /* Check if no value name is specified */
+            if (value_buffer[0] == '\0') {
+                value_buffer[0] = '@';
+                value_buffer[1] = '\0';
+            }
+
+            /* Check if the entry name matches the reg_option */
+            if (strcasecmp(value_buffer, reg_option) != 0) {
+                mdebug2("Considering value '%s' -> '%s' != '%s': Skipping value.", full_key_name, value_buffer, reg_option);
+                continue;
+            }
+
+            mdebug2("Considering value '%s' -> '%s' == '%s': Value found.", full_key_name, value_buffer, reg_option);
+
+            /* If a value is not present and the option matches return found */
+            if (!reg_value) {
+                mdebug2("No value data especified. Existence check for '%s': 1", full_key_name);
+                return RETURN_FOUND;
+            }
+
+            /* Write value into a string */
+            switch (data_type) {
+                int size_available;
+                size_t size_data;
+
+                case REG_SZ:
+                case REG_EXPAND_SZ:
+                    snprintf(var_storage, MAX_VALUE_NAME, "%s", data_buffer);
+                    break;
+                case REG_MULTI_SZ:
+                    /* Printing multiple strings */
+                    size_available = MAX_VALUE_NAME;
+                    mt_data = data_buffer;
+
+                    while (*mt_data) {
+                        size_data = strlen(mt_data) + strlen(" ");
+
+                        if ((size_t)size_available >= size_data) {
+                            strncat(var_storage, mt_data, size_available);
+                            size_available -= strlen(mt_data);
+                            strncat(var_storage, " ", size_available);
+                            size_available -= strlen(" ");
+                        }
+                        mt_data += strlen(mt_data) + 1;
+                    }
+                    break;
+                case REG_DWORD:
+                    snprintf(var_storage, MAX_VALUE_NAME, "%u", *((uint32_t*)data_buffer));
+                    break;
+                default:
+                    size_available = MAX_VALUE_NAME - 2;
+                    for (j = 0; j < data_size; j++) {
+                        char tmp_c[12];
+
+                        snprintf(tmp_c, 12, "%02x",
+                                 (unsigned int)data_buffer[j]);
+
+                        if (size_available > 2) {
+                            strncat(var_storage, tmp_c, size_available);
+                            size_available = MAX_VALUE_NAME -
+                                             (strlen(var_storage) + 2);
+                        }
+                    }
+                    break;
+            }
+
+            mdebug2("Checking value data '%s' with rule '%s'", var_storage, reg_value);
+
+            int result = wm_sca_pattern_matches(var_storage, reg_value, reason, regex_engine);
+            return result;
+        }
+    }
+
+    if (*reason == NULL && reg_value){
+        os_malloc(snprintf(NULL, 0, "Key '%s' not found for registry '%s'", reg_option, full_key_name) + 1, *reason);
+        sprintf(*reason, "Key '%s' not found for registry '%s'", reg_option, full_key_name);
+    }
+
+    return reg_value ? RETURN_INVALID : RETURN_NOT_FOUND;
+}
+#endif
+
+static int wm_sca_send_summary(wm_sca_t * data, int scan_id,unsigned int passed, unsigned int failed,unsigned int invalid,cJSON *policy,int start_time,int end_time,char * integrity_hash,char *integrity_hash_file, int first_scan,int id,int checks_number) {
+
+    cJSON *json_summary = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(json_summary, "type", "summary");
+    cJSON_AddNumberToObject(json_summary, "scan_id", scan_id);
+
+    /* Policy fields */
+    cJSON *name = cJSON_GetObjectItem(policy,"name");
+    cJSON *description = cJSON_GetObjectItem(policy,"description");
+    cJSON *references = cJSON_GetObjectItem(policy,"references");
+    cJSON *policy_id = cJSON_GetObjectItem(policy,"id");
+    cJSON *file= cJSON_GetObjectItem(policy,"file");
+
+    cJSON_AddStringToObject(json_summary, "name", name->valuestring);
+    cJSON_AddStringToObject(json_summary, "policy_id", policy_id->valuestring);
+    cJSON_AddStringToObject(json_summary, "file", file->valuestring);
+
+    if(description) {
+        cJSON_AddStringToObject(json_summary, "description", description->valuestring);
+    }
+
+    if(references) {
+        cJSON *reference;
+        char *ref = NULL;
+
+        cJSON_ArrayForEach(reference,references)
+        {
+            if(reference->valuestring){
+                wm_strcat(&ref,reference->valuestring,',');
+            }
+        }
+
+        if (ref) {
+            cJSON_AddStringToObject(json_summary, "references", ref);
+        }
+
+        os_free(ref);
+    }
+
+    cJSON_AddNumberToObject(json_summary, "passed", passed);
+    cJSON_AddNumberToObject(json_summary, "failed", failed);
+    cJSON_AddNumberToObject(json_summary, "invalid", invalid);
+
+    float passedf = passed;
+    float failedf = failed;
+    float score = ((passedf/(failedf+passedf))) * 100;
+
+    if (passed == 0 && failed == 0) {
+        score = 0;
+    }
+
+    cJSON_AddNumberToObject(json_summary, "total_checks", checks_number);
+    cJSON_AddNumberToObject(json_summary, "score", score);
+
+    cJSON_AddNumberToObject(json_summary, "start_time", start_time);
+    cJSON_AddNumberToObject(json_summary, "end_time", end_time);
+
+    cJSON_AddStringToObject(json_summary, "hash", integrity_hash);
+    cJSON_AddStringToObject(json_summary, "hash_file", integrity_hash_file);
+
+    if (first_scan) {
+        cJSON_AddNumberToObject(json_summary, "first_scan", first_scan);
+    }
+
+    mdebug1("Sending summary event for file: '%s'", file->valuestring);
+
+    if (last_summary_json[id]) {
+        cJSON_Delete(last_summary_json[id]);
+    }
+
+    last_summary_json[id] = cJSON_Duplicate(json_summary,1);
+    wm_sca_send_alert(data,json_summary);
+    cJSON_Delete(json_summary);
+
+    return 0;
+}
+
+static int wm_sca_send_event_check(wm_sca_t * data,cJSON *event) {
+
+    wm_sca_send_alert(data,event);
+
+    return 0;
+}
+
+static cJSON *wm_sca_build_event(const cJSON * const check, const cJSON * const policy, char **p_alert_msg, int id, const char * const result, const char * const reason) {
+    cJSON *json_alert = cJSON_CreateObject();
+    cJSON_AddStringToObject(json_alert, "type", "check");
+    cJSON_AddNumberToObject(json_alert, "id", id);
+
+    cJSON *name = cJSON_GetObjectItem(policy,"name");
+    cJSON *policy_id = cJSON_GetObjectItem(policy,"id");
+    cJSON_AddStringToObject(json_alert, "policy", name->valuestring);
+
+    cJSON *check_information = cJSON_CreateObject();
+    cJSON *pm_id = cJSON_GetObjectItem(check, "id");
+    cJSON *title = cJSON_GetObjectItem(check, "title");
+    cJSON *description = cJSON_GetObjectItem(check, "description");
+    cJSON *rationale = cJSON_GetObjectItem(check, "rationale");
+    cJSON *remediation = cJSON_GetObjectItem(check, "remediation");
+    cJSON *condition = cJSON_GetObjectItem(check, "condition");
+    cJSON *rules = cJSON_GetObjectItem(check, "rules");
+
+    if(!pm_id) {
+        mdebug1("No 'id' field found on check.");
+        goto error;
+    }
+
+    if(!pm_id->valueint) {
+        mdebug1("Field 'id' must be a number.");
+        goto error;
+    }
+
+    cJSON_AddNumberToObject(check_information, "id", pm_id->valueint);
+
+    if(title){
+        if(!title->valuestring) {
+            mdebug1("Field 'title' must be a string.");
+            goto error;
+        }
+        cJSON_AddStringToObject(check_information, "title", title->valuestring);
+    } else {
+        mdebug1("No 'title' field found on check '%d'", pm_id->valueint);
+        goto error;
+    }
+
+    if(!policy_id){
+        mdebug1("No 'id' field found on policy.");
+        goto error;
+    }
+
+    if(description){
+        if(!description->valuestring) {
+            mdebug1("Field 'description' must be a string.");
+            goto error;
+        }
+        cJSON_AddStringToObject(check_information, "description", description->valuestring);
+    }
+
+    if(rationale){
+        if(!rationale->valuestring) {
+            mdebug1("Field 'rationale' must be a string.");
+            goto error;
+        }
+        cJSON_AddStringToObject(check_information, "rationale", rationale->valuestring);
+    }
+
+    if(remediation){
+        if(!remediation->valuestring) {
+            mdebug1("Field 'remediation' must be a string.");
+            goto error;
+        }
+        cJSON_AddStringToObject(check_information, "remediation", remediation->valuestring);
+    }
+
+    cJSON *compliances = cJSON_GetObjectItem(check, "compliance");
+
+    if(compliances) {
+        cJSON *add_compliances = cJSON_CreateObject();
+        cJSON *compliance;
+
+        cJSON_ArrayForEach(compliance, compliances) {
+
+            if (!compliance->child) {
+                continue;
+            }
+
+            cJSON *policy = cJSON_GetObjectItem(compliance, compliance->child->string);
+            cJSON *version;
+            char *compliance_value = NULL;
+            cJSON_ArrayForEach(version, policy){
+                if(!version->valuestring){
+                    mwarn("Invalid compliance format in policy: %s (check %d)", policy_id->valuestring, pm_id->valueint);
+                    continue;
+                }
+                wm_strcat(&compliance_value, version->valuestring, ',');
+            }
+
+            cJSON_AddStringToObject(add_compliances, compliance->child->string, compliance_value);
+            os_free(compliance_value);
+        }
+
+        cJSON_AddItemToObject(check_information, "compliance", add_compliances);
+    }
+
+    cJSON_AddItemToObject(check_information, "rules", cJSON_Duplicate(rules, 1));
+
+    if(!condition) {
+        mdebug1("No 'condition' field found on check.");
+        goto error;
+    }
+
+    if(!condition->valuestring) {
+        mdebug1("Field 'condition' must be a string.");
+        goto error;
+    }
+
+    cJSON_AddStringToObject(check_information, "condition", condition->valuestring);
+
+    cJSON *references = cJSON_GetObjectItem(check, "references");
+
+    if(references) {
+        cJSON *reference;
+        char *reference_list = NULL;
+
+        cJSON_ArrayForEach(reference,references)
+        {
+            if(reference->valuestring){
+               wm_strcat(&reference_list, reference->valuestring, ',');
+            }
+        }
+
+        if (reference_list) {
+            cJSON_AddStringToObject(check_information, "references", reference_list);
+        }
+
+        os_free(reference_list);
+    }
+
+    // Get File or Process from alert
+    int i = 0;
+    char * final_str_file = NULL;
+    char * final_str_directory = NULL;
+    char * final_str_process = NULL;
+    char * final_str_registry = NULL;
+    char * final_str_command = NULL;
+    while(i < 255) {
+
+        if(p_alert_msg[i]) {
+            char *alert_file = strstr(p_alert_msg[i],"File:");
+            char *alert_directory = strstr(p_alert_msg[i],"Directory:");
+
+            if(alert_file){
+                alert_file+= 5;
+                *alert_file = '\0';
+                alert_file++;
+                wm_strcat(&final_str_file,alert_file,',');
+            } else if (alert_directory){
+                alert_directory+= 10;
+                *alert_directory = '\0';
+                alert_directory++;
+                wm_strcat(&final_str_directory,alert_directory,',');
+            } else {
+                char *alert_process = strstr(p_alert_msg[i],"Process:");
+                if(alert_process){
+                    alert_process+= 8;
+                    *alert_process = '\0';
+                    alert_process++;
+                    wm_strcat(&final_str_process,alert_process,',');
+                } else {
+                    char *alert_registry = strstr(p_alert_msg[i],"Registry:");
+                    if(alert_registry){
+                        alert_registry+= 9;
+                        *alert_registry = '\0';
+                        alert_registry++;
+                        wm_strcat(&final_str_registry,alert_registry,',');
+                    } else {
+                        char *alert_command = strstr(p_alert_msg[i],"Command:");
+                        if(alert_command) {
+                            alert_command+= 8;
+                            *alert_command = '\0';
+                            alert_command++;
+                            wm_strcat(&final_str_command,alert_command,',');
+                        }
+                    }
+                }
+            }
+        } else {
+            break;
+        }
+        i++;
+    }
+
+    if(final_str_file) {
+        cJSON_AddStringToObject(check_information, "file", final_str_file);
+        os_free(final_str_file);
+    }
+
+    if(final_str_directory) {
+        cJSON_AddStringToObject(check_information, "directory", final_str_directory);
+        os_free(final_str_directory);
+    }
+
+    if(final_str_process) {
+       cJSON_AddStringToObject(check_information, "process", final_str_process);
+       os_free(final_str_process);
+    }
+
+    if(final_str_registry) {
+       cJSON_AddStringToObject(check_information, "registry", final_str_registry);
+       os_free(final_str_registry);
+    }
+
+    if(final_str_command) {
+       cJSON_AddStringToObject(check_information, "command", final_str_command);
+       os_free(final_str_command);
+    }
+
+    if (!strcmp(result, "")) {
+        cJSON_AddStringToObject(check_information, "status", "Not applicable");
+        if (reason) {
+            cJSON_AddStringToObject(check_information, "reason", reason);
+        }
+    } else {
+        cJSON_AddStringToObject(check_information, "result", result);
+    }
+
+    if(!policy_id->valuestring) {
+        mdebug1("Field 'id' must be a string.");
+        goto error;
+    }
+
+    cJSON_AddStringToObject(json_alert, "policy_id", policy_id->valuestring);
+    cJSON_AddItemToObject(json_alert, "check", check_information);
+
+    return json_alert;
+
+error:
+
+    if(json_alert){
+        cJSON_Delete(json_alert);
+    }
+
+    return NULL;
+}
+
+static int wm_sca_check_hash(OSHash * const cis_db_hash, const char * const result,
+    const cJSON * const check, const cJSON * const event, int check_index,int policy_index)
+{
+    cis_db_info_t *hashed_result = NULL;
+    char id_hashed[OS_SIZE_128];
+    int ret_add = 0;
+    cJSON *pm_id = cJSON_GetObjectItem(check, "id");
+    int alert = 1;
+
+    if(!pm_id) {
+        return 0;
+    }
+
+    if(!pm_id->valueint) {
+        return 0;
+    }
+
+    sprintf(id_hashed, "%d", pm_id->valueint);
+
+    hashed_result = OSHash_Get(cis_db_hash, id_hashed);
+
+    cis_db_info_t *elem;
+    os_calloc(1, sizeof(cis_db_info_t), elem);
+
+    elem->id = pm_id->valueint;
+
+    if (!result) {
+	    os_strdup("",elem->result);
+	} else {
+	    os_strdup(result,elem->result);
+	}
+
+    cJSON *obj = cJSON_Duplicate(event,1);
+    elem->event = NULL;
+
+    if(obj) {
+        elem->event = obj;
+
+        if (!hashed_result) {
+            if (ret_add = OSHash_Add(cis_db_hash,id_hashed,elem), ret_add != 2) {
+                merror("Unable to update hash table for check: %d", pm_id->valueint);
+                os_free(elem->result);
+                cJSON_Delete(elem->event);
+                os_free(elem);
+                return 0;
+            }
+        } else {
+            if(strcmp(elem->result,hashed_result->result) == 0) {
+                alert = 0;
+            }
+
+            if (ret_add = OSHash_Update(cis_db_hash,id_hashed,elem), ret_add != 1) {
+                merror("Unable to update hash table for check: %d", pm_id->valueint);
+                os_free(elem->result);
+                cJSON_Delete(elem->event);
+                os_free(elem);
+                return 0;
+            }
+        }
+
+        cis_db_for_hash[policy_index].elem[check_index] = elem;
+        return alert;
+
+    }
+
+    os_free(elem->result);
+    os_free(elem);
+    return 0;
+
+}
+
+static void wm_sca_free_hash_data(cis_db_info_t *event) {
+
+    if(event) {
+        if(event->result){
+            os_free(event->result);
+        }
+
+        if(event->event) {
+            cJSON_Delete(event->event);
+        }
+        os_free(event);
+    }
+}
+
+static int compare_cis_db_info_t_entry(const void * const a, const void * const  b)
+{
+    const cis_db_info_t * const cis_db_info_t_a = *((const cis_db_info_t ** const) a);
+    const cis_db_info_t * const cis_db_info_t_b = *((const cis_db_info_t ** const) b);
+    return cis_db_info_t_a->id - cis_db_info_t_b->id;
+}
+
+static char *wm_sca_hash_integrity(int policy_index) {
+    char *str = NULL;
+
+
+    int check_count = 0;
+    int i;
+    for(i = 0; cis_db_for_hash[policy_index].elem[i]; ++i) {
+        ++check_count;
+    }
+
+    if (check_count) {
+        qsort(cis_db_for_hash[policy_index].elem, check_count, sizeof(struct cis_db_info_t *), compare_cis_db_info_t_entry);
+    }
+
+    mdebug2("Concatenating check results:");
+    for(i = 0; cis_db_for_hash[policy_index].elem[i]; i++) {
+        const cis_db_info_t * const event = cis_db_for_hash[policy_index].elem[i];
+        mdebug2("ID: %d; Result: '%s'", event->id, event->result);
+        if(event->result){
+            wm_strcat(&str,event->result,':');
+        }
+    }
+
+    if(str) {
+        os_sha256 hash;
+        OS_SHA256_String(str, hash);
+        os_free(str);
+        return strdup(hash);
+    }
+
+    return NULL;
+}
+
+char *wm_sca_hash_integrity_file(const char *file) {
+
+    char *hash_file = NULL;
+    os_malloc(65*sizeof(char), hash_file);
+
+    if(OS_SHA256_File(file, hash_file, OS_TEXT) != 0){
+        merror("Unable to calculate SHA256 for file '%s'", file);
+        os_free(hash_file);
+        return NULL;
+    }
+
+    return hash_file;
+}
+
+#ifdef WIN32
+static DWORD WINAPI wm_sca_dump_db_thread(wm_sca_t * data) {
+#else
+static void *wm_sca_dump_db_thread(wm_sca_t * data) {
+#endif
+    int i;
+
+    while(1) {
+        request_dump_t *request;
+
+        if (request = queue_pop_ex(request_queue), request) {
+
+#ifndef WIN32
+            int random = os_random();
+            if (random < 0) {
+                random = -random;
+            }
+#else
+            unsigned int random1 = os_random();
+            unsigned int random2 = os_random();
+
+            char random_id[OS_MAXSTR];
+            snprintf(random_id, OS_MAXSTR - 1, "%u%u", random1, random2);
+
+            int random = atoi(random_id);
+            if (random < 0) {
+                random = -random;
+            }
+#endif
+            random = random % data->request_db_interval;
+
+            if(random == 0) {
+                random += 5;
+            }
+
+            unsigned int time = random;
+
+            if (request->first_scan) {
+                w_time_delay(2000);
+                mdebug1("Sending first scan results for policy '%s'", data->policies[request->policy_index]->policy_path);
+            } else {
+                minfo("Integration checksum failed for policy '%s'. Resending scan results in %d seconds.",
+                    data->policies[request->policy_index]->policy_path, random);
+                w_time_delay(1000 * time);
+            }
+
+            mdebug1("Dumping results to SCA DB for policy '%s' (Policy index: %u)",
+                    data->policies[request->policy_index]->policy_path, request->policy_index);
+
+            int scan_id = -1;
+            w_rwlock_wrlock(&dump_rwlock);
+
+            for(i = 0; cis_db_for_hash[request->policy_index].elem[i]; i++) {
+                cis_db_info_t *event;
+                event = cis_db_for_hash[request->policy_index].elem[i];
+
+                if (event) {
+                    if(event->event){
+                        cJSON *db_obj;
+                        db_obj = event->event;
+
+                        if(scan_id == -1) {
+                            cJSON * scan_id_obj = cJSON_GetObjectItem(db_obj, "id");
+
+                            if(scan_id_obj) {
+                                scan_id =  scan_id_obj->valueint;
+                            }
+                        }
+                        wm_sca_send_event_check(data,db_obj);
+                    }
+                }
+            }
+
+            w_time_delay(5000);
+
+            int elements_sent = i;
+            mdebug1("Sending end of dump control event.");
+
+            wm_sca_send_dump_end(data,elements_sent,data->policies[request->policy_index]->policy_id,scan_id);
+
+            w_time_delay(2000);
+
+            /* Send summary only for first scan */
+            if (request->first_scan) {
+                /* Send summary */
+                cJSON_DeleteItemFromObject(last_summary_json[request->policy_index],"first_scan");
+                /* Force alert */
+                cJSON_AddStringToObject(last_summary_json[request->policy_index], "force_alert", "1");
+
+                wm_sca_send_alert(data,last_summary_json[request->policy_index]);
+            }
+
+            mdebug1("Finished dumping scan results to SCA DB for policy '%s' (%u) (%d)",
+                data->policies[request->policy_index]->policy_id,
+                request->policy_index,
+                request->first_scan);
+
+            w_rwlock_unlock(&dump_rwlock);
+            os_free(request);
+        }
+    }
+
+#ifndef WIN32
+    return NULL;
+#endif
+}
+
+
+static int wm_sca_send_dump_end(wm_sca_t * data, unsigned int elements_sent,char * policy_id, int scan_id) {
+    cJSON *dump_event = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(dump_event, "type", "dump_end");
+    cJSON_AddStringToObject(dump_event, "policy_id", policy_id);
+    cJSON_AddNumberToObject(dump_event, "elements_sent", elements_sent);
+    cJSON_AddNumberToObject(dump_event, "scan_id", scan_id);
+
+    wm_sca_send_alert(data,dump_event);
+
+    cJSON_Delete(dump_event);
+
+    return 0;
+}
+
+#ifdef WIN32
+void wm_sca_push_request_win(char * msg){
+    char *db = strchr(msg,':');
+
+    if(!strncmp(msg,WM_CONFIGURATION_ASSESSMENT_DB_DUMP,strlen(WM_CONFIGURATION_ASSESSMENT_DB_DUMP)) && db) {
+
+        *db++ = '\0';
+
+        /* Check for first scan */
+        char *first_scan = strchr(db,':');
+
+        if (!first_scan) {
+            mdebug1("First scan flag missing.");
+            return;
+        }
+
+        *first_scan++ = '\0';
+
+        /* Search DB */
+        int i;
+
+        if(data_win) {
+            for(i = 0; data_win->policies[i]; i++) {
+                if(!data_win->policies[i]->enabled){
+                    continue;
+                }
+
+                if(data_win->policies[i]->policy_id) {
+                    char *endl;
+
+                    endl = strchr(db,'\n');
+
+                    if(endl){
+                        *endl = '\0';
+                    }
+
+                    if(strcmp(data_win->policies[i]->policy_id,db) == 0){
+                        request_dump_t *request;
+                        os_calloc(1, sizeof(request_dump_t),request);
+
+                        request->policy_index = i;
+                        request->first_scan = atoi(first_scan);
+
+                        if(queue_push_ex(request_queue,request) < 0) {
+                            os_free(request);
+                            mdebug1("Could not push policy index to queue.");
+                        }
+                        break;
+                    }
+                }
+            }
+        }
+    }
+}
+
+#endif
+
+#ifndef WIN32
+static void * wm_sca_request_thread(wm_sca_t * data) {
+
+    /* Create request socket */
+    int cfga_queue;
+    if ((cfga_queue = StartMQWithSpecificOwnerAndPerms(CFGAQUEUE, READ, 0, getuid(), wm_getGroupID(), 0660)) < 0) {
+        merror(QUEUE_ERROR, CFGAQUEUE, strerror(errno));
+        pthread_exit(NULL);
+    }
+
+    int recv = 0;
+    char *buffer = NULL;
+
+    /* For he who seeks The Leak in here:
+        This buffer is going to report a leak whenever the process dies, as this function never returns
+        and its buffer is never released. Also, any forks() comming from the process that's started this
+        thread will report a leak here, as the leak has been inherited from the parent.
+
+        But rest assured, if the fork dies the memory is recalled by the OS.
+    */
+    os_calloc(OS_MAXSTR + 1, sizeof(char), buffer);
+
+    while (1) {
+        if (recv = OS_RecvUnix(cfga_queue, OS_MAXSTR, buffer),recv) {
+            buffer[recv] = '\0';
+
+            char *db = strchr(buffer,':');
+
+            if(!strncmp(buffer,WM_CONFIGURATION_ASSESSMENT_DB_DUMP,strlen(WM_CONFIGURATION_ASSESSMENT_DB_DUMP)) && db) {
+
+                *db++ = '\0';
+
+                /* Check for first scan */
+                char *first_scan = strchr(db,':');
+
+                if (!first_scan) {
+                    mdebug1("First scan flag missing.");
+                    continue;
+                }
+
+                *first_scan++ = '\0';
+
+                /* Search DB */
+                int i;
+                for(i = 0; data->policies[i]; i++) {
+                    if(!data->policies[i]->enabled){
+                        continue;
+                    }
+
+                    if(data->policies[i]->policy_id) {
+                        char *endl;
+
+                        endl = strchr(db,'\n');
+
+                        if(endl){
+                            *endl = '\0';
+                        }
+
+                        if(strcmp(data->policies[i]->policy_id,db) == 0){
+                            request_dump_t *request;
+                            os_calloc(1, sizeof(request_dump_t),request);
+
+                            request->policy_index = i;
+                            request->first_scan = atoi(first_scan);
+
+                            if(queue_push_ex(request_queue,request) < 0) {
+                                os_free(request);
+                                mdebug1("Could not push policy index to queue.");
+                            }
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    os_free(buffer);
+    return NULL;
+}
+#endif
+static void wm_sca_summary_increment_passed() {
+    summary_passed++;
+}
+
+static void wm_sca_summary_increment_failed() {
+    summary_failed++;
+}
+
+static void wm_sca_summary_increment_invalid() {
+    summary_invalid++;
+}
+
+static void wm_sca_reset_summary() {
+    summary_failed = 0;
+    summary_passed = 0;
+    summary_invalid = 0;
+}
+
+cJSON *wm_sca_dump(const wm_sca_t *data) {
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_wd = cJSON_CreateObject();
+
+    sched_scan_dump(&(data->scan_config), wm_wd);
+
+    cJSON_AddStringToObject(wm_wd, "enabled", data->enabled ? "yes" : "no");
+    cJSON_AddStringToObject(wm_wd, "scan_on_start", data->scan_on_start ? "yes" : "no");
+    cJSON_AddStringToObject(wm_wd, "skip_nfs", data->skip_nfs ? "yes" : "no");
+
+    if (data->policies && *data->policies) {
+        cJSON *policies = cJSON_CreateArray();
+        int i;
+        for (i=0;data->policies[i];i++) {
+            if(data->policies[i]->enabled == 1){
+                cJSON_AddStringToObject(policies, "policy", data->policies[i]->policy_path);
+            }
+        }
+        cJSON_AddItemToObject(wm_wd,"policies", policies);
+    }
+
+    cJSON_AddItemToObject(root,"sca",wm_wd);
+
+
+    return root;
+}
+
+static int append_msg_to_vm_scat (wm_sca_t * const data, const char * const msg)
+{
+    /* Already present */
+    if (w_is_str_in_array(data->alert_msg, msg)) {
+        return 1;
+    }
+
+    int i = 0;
+    while (data->alert_msg[i] && (i < 255)) {
+        i++;
+    }
+
+    if (!data->alert_msg[i]) {
+        os_strdup(msg, data->alert_msg[i]);
+    }
+    return 0;
+}
+
+/* Sort the variables from largest to smallest in size */
+char **wm_sort_variables(const cJSON * const variables) {
+    char **variables_array;
+    const cJSON *variable;
+    char *aux;
+    int i = 0;
+    int variables_array_size = cJSON_GetArraySize(variables);
+
+    if (variables == NULL || variables_array_size == 0) {
+        return NULL;
+    }
+
+    os_calloc(variables_array_size + 1, sizeof(char *), variables_array);
+
+    // Fill array with unsorted variables
+    cJSON_ArrayForEach(variable, variables) {
+        os_strdup(variable->string, variables_array[i]);
+        i++;
+    }
+
+    // variables_array_size and i should always be the same
+    if (variables_array_size != i) {
+        free_strarray(variables_array);
+        return NULL;
+    }
+
+    // Sorting algorithm
+    for(i = 0; i < variables_array_size; i++) {
+        for(int j = i + 1; j < variables_array_size; j++) {
+            if(strlen(variables_array[j]) > strlen(variables_array[i])) {
+                aux = variables_array[i];
+                variables_array[i] = variables_array[j];
+                variables_array[j] = aux;
+            }
+        }
+    }
+
+    return variables_array;
+}
diff --git a/src/modules/sca/tests/integration/conftest.py b/src/modules/sca/tests/integration/conftest.py
new file mode 100644
index 0000000000..bbcd3712dd
--- /dev/null
+++ b/src/modules/sca/tests/integration/conftest.py
@@ -0,0 +1,254 @@
+"""
+ Copyright (C) 2015-2024, Wazuh Inc.
+ Created by Wazuh, Inc. <info@wazuh.com>.
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+import os
+import sys
+import subprocess
+import pytest
+from typing import List
+
+from wazuh_testing import session_parameters
+from wazuh_testing.constants.paths import ROOT_PREFIX
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.constants.platforms import LINUX, WINDOWS, MACOS
+from wazuh_testing.logger import logger
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.modules.modulesd.sca import patterns
+from wazuh_testing.utils import callbacks, configuration, services
+from wazuh_testing.utils.file import truncate_file
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - -Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    """Add command-line options to the tests.
+
+    Args:
+        parser (pytest.Parser): Parser for command line arguments and ini-file values.
+    """
+    parser.addoption(
+        "--tier",
+        action="append",
+        metavar="level",
+        default=None,
+        type=int,
+        help="only run tests with a tier level equal to 'level'",
+    )
+    parser.addoption(
+        "--tier-minimum",
+        action="store",
+        metavar="minimum_level",
+        default=-1,
+        type=int,
+        help="only run tests with a tier level greater or equal than 'minimum_level'"
+    )
+    parser.addoption(
+        "--tier-maximum",
+        action="store",
+        metavar="maximum_level",
+        default=sys.maxsize,
+        type=int,
+        help="only run tests with a tier level less or equal than 'minimum_level'"
+    )
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: List[pytest.Item]) -> None:
+    """Deselect tests that do not match with the specified environment or tier.
+
+    Args:
+        config (pytest.Config): Access to configuration values, pluginmanager and plugin hooks.
+        items (list): List of items where each item is a basic test invocation.
+    """
+    selected_tests = []
+    deselected_tests = []
+    _platforms = set([LINUX,
+                      WINDOWS,
+                      MACOS])
+
+    for item in items:
+        supported_platforms = _platforms.intersection(
+            mark.name for mark in item.iter_markers())
+        plat = sys.platform
+
+        selected = True
+        if supported_platforms and plat not in supported_platforms:
+            selected = False
+
+        # Consider only first mark
+        levels = [mark.kwargs['level']
+                  for mark in item.iter_markers(name="tier")]
+        if levels and len(levels) > 0:
+            tiers = item.config.getoption("--tier")
+            if tiers is not None and levels[0] not in tiers:
+                selected = False
+            elif item.config.getoption("--tier-minimum") > levels[0]:
+                selected = False
+            elif item.config.getoption("--tier-maximum") < levels[0]:
+                selected = False
+        if selected:
+            selected_tests.append(item)
+        else:
+            deselected_tests.append(item)
+
+    config.hook.pytest_deselected(items=deselected_tests)
+    items[:] = selected_tests
+
+
+# - - - - - - - - - - - - - - - - - - - - - - -End of Pytest configuration - - - - - - - - - - - - - - - - - - - - - - -
+
+
+@pytest.fixture()
+def set_wazuh_configuration(test_configuration: dict) -> None:
+    """Set wazuh configuration
+
+    Args:
+        test_configuration (dict): Configuration template data to write in the ossec.conf
+    """
+    # Save current configuration
+    backup_config = configuration.get_wazuh_conf()
+
+    # Configuration for testing
+    test_config = configuration.set_section_wazuh_conf(test_configuration.get('sections'))
+
+    # Set new configuration
+    configuration.write_wazuh_conf(test_config)
+
+    # Set current configuration
+    session_parameters.current_configuration = test_config
+
+    yield
+
+    # Restore previous configuration
+    configuration.write_wazuh_conf(backup_config)
+
+
+@pytest.fixture()
+def truncate_monitored_files() -> None:
+    """Truncate all the log files and json alerts files before and after the test execution"""
+    log_files = [WAZUH_LOG_PATH]
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+    yield
+
+    for log_file in log_files:
+        if os.path.isfile(os.path.join(ROOT_PREFIX, log_file)):
+            truncate_file(log_file)
+
+
+@pytest.fixture()
+def configure_local_internal_options(request: pytest.FixtureRequest, test_metadata) -> None:
+    """Configure the local internal options file.
+
+    Takes the `local_internal_options` variable from the request.
+    The `local_internal_options` is a dict with keys and values as the Wazuh `local_internal_options` format.
+    E.g.: local_internal_options = {'monitord.rotate_log': '0', 'syscheck.debug': '0' }
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+        test_metadata (map): Data with configuration parameters
+    """
+    try:
+        local_internal_options = request.param
+    except AttributeError:
+        try:
+            local_internal_options = getattr(request.module, 'local_internal_options')
+        except AttributeError:
+            raise AttributeError('Error when using the fixture "configure_local_internal_options", no '
+                                 'parameter has been passed explicitly, nor is the variable local_internal_options '
+                                 'found in the module.') from AttributeError
+
+    backup_local_internal_options = configuration.get_local_internal_options_dict()
+
+    if test_metadata and 'local_internal_options' in test_metadata:
+        for key in test_metadata['local_internal_options']:
+            local_internal_options[key] = test_metadata['local_internal_options'][key]
+
+    configuration.set_local_internal_options_dict(local_internal_options)
+
+    yield
+
+    configuration.set_local_internal_options_dict(backup_local_internal_options)
+
+
+@pytest.fixture()
+def daemons_handler(request: pytest.FixtureRequest) -> None:
+    """Helper function to handle Wazuh daemons.
+
+    It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture.
+
+    The  `daemons_handler_configuration` should be a dictionary with the following keys:
+        daemons (list, optional): List with every daemon to be used by the module. In case of empty a ValueError
+            will be raised
+        all_daemons (boolean): Configure to restart all wazuh services. Default `False`.
+        ignore_errors (boolean): Configure if errors in daemon handling should be ignored. This option is available
+        in order to use this fixture along with invalid configuration. Default `False`
+
+    Args:
+        request (pytest.FixtureRequest): Provide information about the current test function which made the request.
+    """
+    daemons = []
+    ignore_errors = False
+    all_daemons = False
+
+    if config := getattr(request.module, 'daemons_handler_configuration', None):
+        if 'daemons' in config:
+            daemons = config['daemons']
+            if not daemons or len(daemons) == 0 or type(daemons) not in [list, tuple]:
+                logger.error('Daemons list/tuple is not set')
+                raise ValueError
+
+        if 'all_daemons' in config:
+            logger.debug(f"Wazuh control set to {config['all_daemons']}")
+            all_daemons = config['all_daemons']
+
+        if 'ignore_errors' in config:
+            logger.debug(f"Ignore error set to {config['ignore_errors']}")
+            ignore_errors = config['ignore_errors']
+    else:
+        logger.debug("Wazuh control set to 'all_daemons'")
+        all_daemons = True
+
+    try:
+        if all_daemons:
+            logger.debug('Restarting wazuh using wazuh-control')
+            services.control_service('restart')
+        else:
+            for daemon in daemons:
+                logger.debug(f"Restarting {daemon}")
+                # Restart daemon instead of starting due to legacy used fixture in the test suite.
+                services.control_service('restart', daemon=daemon)
+
+    except ValueError as value_error:
+        logger.error(f"{str(value_error)}")
+        if not ignore_errors:
+            raise value_error
+    except subprocess.CalledProcessError as called_process_error:
+        logger.error(f"{str(called_process_error)}")
+        if not ignore_errors:
+            raise called_process_error
+
+    yield
+
+    if all_daemons:
+        logger.debug('Stopping wazuh using wazuh-control')
+        services.control_service('stop')
+    else:
+        for daemon in daemons:
+            logger.debug(f"Stopping {daemon}")
+            services.control_service('stop', daemon=daemon)
+
+
+@pytest.fixture()
+def wait_for_sca_enabled():
+    '''
+    Wait for the sca module to start.
+    '''
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_ENABLED), timeout=60 if sys.platform == WINDOWS else 10)
+    assert log_monitor.callback_result
diff --git a/src/modules/sca/tests/integration/pytest.ini b/src/modules/sca/tests/integration/pytest.ini
new file mode 100644
index 0000000000..a4d99caad2
--- /dev/null
+++ b/src/modules/sca/tests/integration/pytest.ini
@@ -0,0 +1,10 @@
+[pytest]
+addopts = --strict-markers
+markers =
+    tier(level)
+    darwin
+    linux
+    win32
+    agent
+filterwarnings=
+    ignore::urllib3.exceptions.InsecureRequestWarning
diff --git a/src/modules/sca/tests/integration/test_basic/__init__.py b/src/modules/sca/tests/integration/test_basic/__init__.py
new file mode 100644
index 0000000000..eb7412a443
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/__init__.py
@@ -0,0 +1,12 @@
+"""
+Copyright (C) 2015-2024, Wazuh Inc.
+Created by Wazuh, Inc. <info@wazuh.com>.
+This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+from pathlib import Path
+
+
+# Constants & base paths
+TEST_DATA_PATH = Path(Path(__file__).parent, 'data')
+TEST_CASES_FOLDER_PATH = Path(TEST_DATA_PATH, 'test_cases')
+CONFIGURATIONS_FOLDER_PATH = Path(TEST_DATA_PATH, 'configuration_templates')
diff --git a/src/modules/sca/tests/integration/test_basic/conftest.py b/src/modules/sca/tests/integration/test_basic/conftest.py
new file mode 100644
index 0000000000..3b9afca407
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/conftest.py
@@ -0,0 +1,59 @@
+"""
+ Copyright (C) 2015-2024, Wazuh Inc.
+ Created by Wazuh, Inc. <info@wazuh.com>.
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+"""
+import os
+import pytest
+import sys
+import subprocess
+from pathlib import Path
+
+from wazuh_testing.constants.paths.ruleset import CIS_RULESET_PATH
+from wazuh_testing.utils.file import copy, remove_file, copy_files_in_folder, delete_path_recursively
+from wazuh_testing.constants.paths import TEMP_FILE_PATH
+from wazuh_testing.constants.platforms import WINDOWS
+
+from . import TEST_DATA_PATH
+
+
+@pytest.fixture()
+def prepare_cis_policies_file(test_metadata):
+    '''
+    Copies policy file from named by metadata into agent's ruleset path. Deletes file after test.
+    Args:
+        test_metadata (dict): contains the test metadata. Must contain policy_file key with file name.
+    '''
+    files_to_restore = copy_files_in_folder(src_folder=CIS_RULESET_PATH, dst_folder=TEMP_FILE_PATH)
+    filename = test_metadata['policy_file']
+    filepath = Path(TEST_DATA_PATH, 'policies_samples', filename)
+    copy(filepath, CIS_RULESET_PATH)
+    yield
+    copy_files_in_folder(src_folder=TEMP_FILE_PATH, dst_folder=CIS_RULESET_PATH, files_to_move=files_to_restore)
+    remove_file(Path(CIS_RULESET_PATH, filename))
+
+
+@pytest.fixture()
+def prepare_remediation_test(folder_path='/testfile', mode=0o666):
+    '''
+    Creates folder with a given mode or modifies the user lockout duration in Windows.
+    Args:
+        folder_path (str): path for the folder to create
+        mode (int): mode to be used for folder creation.
+    '''
+
+    duration = ''
+    if sys.platform == WINDOWS:
+        p = subprocess.run(["powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", "net accounts"],
+                           capture_output=True, text=True)
+        duration = p.stdout.splitlines()[6].split(':')[1].replace(" ", "")
+        subprocess.call('net accounts /lockoutduration:30', shell=True)
+    else:
+        os.makedirs(folder_path, mode, exist_ok=True)
+
+    yield
+
+    if sys.platform == WINDOWS:
+        subprocess.call('net accounts /lockoutduration:' + duration, shell=True)
+    else:
+        delete_path_recursively(folder_path)
diff --git a/src/modules/sca/tests/integration/test_basic/data/configuration_templates/configuration_sca.yaml b/src/modules/sca/tests/integration/test_basic/data/configuration_templates/configuration_sca.yaml
new file mode 100644
index 0000000000..554fdc312e
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/configuration_templates/configuration_sca.yaml
@@ -0,0 +1,30 @@
+- sections:
+    - section: sca
+      elements:
+        - enabled:
+            value: ENABLED
+        - scan_on_start:
+            value: 'yes'
+        - interval:
+            value: INTERVAL
+        - policies:
+            elements:
+              - policy:
+                  value: POLICY_FILE
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_osregex.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_osregex.yaml
new file mode 100644
index 0000000000..6a5dff9971
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_osregex.yaml
@@ -0,0 +1,56 @@
+policy:
+  id: cis_centos8_osregex
+  file: cis_centos8_osregex
+  name: CIS Benchmark for CentOS Linux 8
+  description: This is mock file for checking CIS SCA compliance on centos 8 systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+requirements:
+  title: Check Centos 8 family platform
+  description: Requirements for running the policy against CentOS 8 family.
+  condition: any
+  rules:
+    - f:/etc/os-release -> r:Centos
+    - f:/proc/sys/kernel/ostype -> Linux
+
+checks:
+
+  # Check with default value - OS_REGEX
+  - id: 1
+    title: Test_1
+    description: Test osregex regex engine with osregex rules
+    rationale: Test_1
+    remediation: Run osregex
+    compliance:
+      - cis: [1.8.1.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)
+
+  # Check with PCRE2 value
+  - id: 2
+    title: Test_2
+    description: Test osregex regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: Run pcre2
+    compliance:
+      - cis: [1.7.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat /etc/issue -> r:^Access:\s*\(0644\/.{0,10}\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_pcre2.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_pcre2.yaml
new file mode 100644
index 0000000000..e4b6bcbe80
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_pcre2.yaml
@@ -0,0 +1,57 @@
+policy:
+  id: cis_centos8_pcre2
+  file: cis_centos8_pcre2
+  name: CIS Benchmark for CentOS Linux 8
+  description: This is mock file for checking CIS SCA compliance on centos 8 systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+  regex_type: pcre2
+
+requirements:
+  title: Check Centos 8 family platform
+  description: Requirements for running the policy against CentOS 8 family.
+  condition: any
+  rules:
+    - f:/etc/os-release -> r:Centos
+    - f:/proc/sys/kernel/ostype -> Linux
+
+checks:
+
+  # Check with default value - OS_REGEX
+  - id: 1
+    title: Test_1
+    description: Test pcre2 regex engine with osregex rules
+    rationale: Test_1
+    remediation: Run osregex
+    compliance:
+      - cis: [1.8.1.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)
+
+  # Check with PCRE2 value
+  - id: 2
+    title: Test_2
+    description: Test pcre2 regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: Run pcre2
+    compliance:
+      - cis: [1.7.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat /etc/issue -> r:^Access:\s*\(0644\/.{0,10}\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_validate_remediation.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_validate_remediation.yaml
new file mode 100644
index 0000000000..5f2a945981
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_centos8_validate_remediation.yaml
@@ -0,0 +1,41 @@
+policy:
+  id: cis_centos8_validate_remediation
+  file: cis_centos8_validate_remediation.yaml
+  name: CIS Benchmark for CentOS Linux 8
+  description: This is mock file for checking CIS SCA compliance on centos 8 systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+requirements:
+  title: Check Centos 8 family platform
+  description: Requirements for running the policy against CentOS 8 family.
+  condition: any
+  rules:
+    - f:/etc/os-release -> r:Centos
+    - f:/proc/sys/kernel/ostype -> Linux
+
+checks:
+
+  # Check that permitions for file are 222
+  - id: 1
+    title: Test_1
+    description: Test osregex regex engine with osregex rules
+    rationale: Test_1
+    remediation: The testfile permissions should be '0222'. Use chmod 222 /testfile command to fix permissions
+    compliance:
+      - cis: [1.8.1.5]
+    condition: all
+    rules:
+      - c:stat -L /testfile -> r:Access:\s*\(0222/d-w--w--w-\)\s*Uid:\.*root\)\s*\t*Gid:\.*root\)
+
+  # Check that permitions for file are 644
+  - id: 2
+    title: Test_2
+    description: Test osregex regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: The testfile permissions should be '644'. Use chmod 666 /testfile command to fix permissions
+    compliance:
+      - cis: [1.8.1.5]
+    condition: all
+    rules:
+      - c:stat -L /testfile -> r:Access:\s*\(0644/drw-r--r--\)\s*Uid:\.*root\)\s*\t*Gid:\.*root\)
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_osregex.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_osregex.yaml
new file mode 100644
index 0000000000..748724f8ff
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_osregex.yaml
@@ -0,0 +1,55 @@
+policy:
+  id: cis_win_osregex
+  file: cis_win_osregex
+  name: CIS Benchmark for Windows
+  description: This is mock file for checking CIS SCA compliance on Windows systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+requirements:
+  title: Check Windows family platform
+  description: Requirements for running the policy against Windows family.
+  condition: any
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+checks:
+
+  # Check with default value - OS_REGEX
+  - id: 1
+    title: Test_1
+    description: Test osregex regex engine with osregex rules
+    rationale: Test_1
+    remediation: Run osregex
+    compliance:
+      - cis: [1.8.1.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+
+  # Check with PCRE2 value
+  - id: 2
+    title: Test_2
+    description: Test osregex regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: Run pcre2
+    compliance:
+      - cis: [1.7.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_pcre2.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_pcre2.yaml
new file mode 100644
index 0000000000..fe079c7a4f
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_pcre2.yaml
@@ -0,0 +1,56 @@
+policy:
+  id: cis_win_pcre2
+  file: cis_win_pcre2
+  name: CIS Benchmark for Windows
+  description: This is mock file for checking CIS SCA compliance on Windows systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+  regex_type: pcre2
+
+requirements:
+  title: Check Windows family platform
+  description: Requirements for running the policy against Windows family.
+  condition: any
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+checks:
+
+  # Check with default value - OS_REGEX
+  - id: 1
+    title: Test_1
+    description: Test pcre2 regex engine with osregex rules
+    rationale: Test_1
+    remediation: Run osregex
+    compliance:
+      - cis: [1.8.1.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+
+  # Check with PCRE2 value
+  - id: 2
+    title: Test_2
+    description: Test pcre2 regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: Run pcre2
+    compliance:
+      - cis: [1.7.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - 'c:net user administrator -> r:Account active\s+No'
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_validate_remediation.yaml b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_validate_remediation.yaml
new file mode 100644
index 0000000000..0ae41a5748
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/policies_samples/cis_win_validate_remediation.yaml
@@ -0,0 +1,40 @@
+policy:
+  id: cis_win_validate_remediation
+  file: cis_win_validate_remediation.yaml
+  name: CIS Benchmark for Windows
+  description: This is mock file for checking CIS SCA compliance on Windows systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+requirements:
+  title: Check Windows family platform
+  description: Requirements for running the policy against Windows family.
+  condition: any
+  rules:
+    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'
+
+checks:
+
+  # Check that user lockout duration is >= 50
+  - id: 1
+    title: Test_1
+    description: Test sca rules
+    rationale: Test_1
+    remediation: The user lockout duration should be >= 50. Use net accounts /lockoutduration:100 command to fix duration
+    compliance:
+      - cis: [1.8.1.5]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout duration \(minutes\):\s+(\d+) compare >= 50'
+
+  # Check that user lockout duration is < 50
+  - id: 2
+    title: Test_2
+    description: Test sca rules
+    rationale: Test_2
+    remediation: The testfile permissions should be '644'. Use net accounts /lockoutduration:30 command to fix duration
+    compliance:
+      - cis: [1.8.1.5]
+    condition: all
+    rules:
+      - 'c:net.exe accounts -> n:Lockout duration \(minutes\):\s+(\d+) compare < 50'
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_disabled.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_disabled.yaml
new file mode 100644
index 0000000000..49fd02681f
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_disabled.yaml
@@ -0,0 +1,9 @@
+- name: SCA disabled
+  description: Set enabled to no value
+  configuration_parameters:
+    ENABLED: 'no'
+    INTERVAL: 100
+    POLICY_FILE: cis_centos8_osregex.yaml
+  metadata:
+    enabled: false
+    policy_file: cis_centos8_osregex.yaml
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_enabled.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_enabled.yaml
new file mode 100644
index 0000000000..3b0014c6d3
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_sca_enabled.yaml
@@ -0,0 +1,9 @@
+- name: SCA enabled
+  description: Set enabled to yes value
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 100
+    POLICY_FILE: cis_centos8_osregex.yaml
+  metadata:
+    enabled: true
+    policy_file: cis_centos8_osregex.yaml
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results.yaml
new file mode 100644
index 0000000000..e761578c13
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results.yaml
@@ -0,0 +1,21 @@
+- name: '"CIS CentOS 8 osregex" policy'
+  description: Run a SCA scan and check regex engine used and results
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 1000
+    POLICY_FILE: cis_centos8_osregex.yaml
+  metadata:
+    policy_file: cis_centos8_osregex.yaml
+    results: 2
+    regex_type: osregex
+
+- name: '"CIS CentOS 8 PCRE2 regex" policy'
+  description: Run a SCA scan and check regex engine used and results
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 1000
+    POLICY_FILE: cis_centos8_pcre2.yaml
+  metadata:
+    policy_file: cis_centos8_pcre2.yaml
+    results: 2
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results_win.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results_win.yaml
new file mode 100644
index 0000000000..53834f978a
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_scan_results_win.yaml
@@ -0,0 +1,21 @@
+- name: '"CIS Windows osregex" policy'
+  description: Run a SCA scan and check regex engine used and results
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 1000
+    POLICY_FILE: cis_win_osregex.yaml
+  metadata:
+    policy_file: cis_win_osregex.yaml
+    results: 2
+    regex_type: osregex
+
+- name: '"CIS windows PCRE2 regex" policy'
+  description: Run a SCA scan and check regex engine used and results
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 1000
+    POLICY_FILE: cis_win_pcre2.yaml
+  metadata:
+    policy_file: cis_win_pcre2.yaml
+    results: 2
+    regex_type: pcre2
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation.yaml
new file mode 100644
index 0000000000..4854a19323
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation.yaml
@@ -0,0 +1,25 @@
+- name: SCA Rule Check Fails - Apply remediation.
+  description: A given rule check fails in SCA scan. After applying remediation, it passes in next scan.
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 5
+    POLICY_FILE: cis_centos8_validate_remediation.yaml
+  metadata:
+    policy_file: cis_centos8_validate_remediation.yaml
+    check_id: 1
+    perms: 0222
+    initial_result: failed
+    final_result: passed
+
+- name: SCA Rule Check Passes - Change system cause Fail
+  description: A given rule check passes in SCA scan. After changing system, it fails in next scan.
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 5
+    POLICY_FILE: cis_centos8_validate_remediation.yaml
+  metadata:
+    policy_file: cis_centos8_validate_remediation.yaml
+    check_id: 2
+    perms: 0222
+    initial_result: passed
+    final_result: failed
diff --git a/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation_win.yaml b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation_win.yaml
new file mode 100644
index 0000000000..326d3e837d
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/data/test_cases/cases_validate_remediation_win.yaml
@@ -0,0 +1,23 @@
+- name: SCA Rule Check Fails - Apply remediation.
+  description: A given rule check fails in SCA scan. After applying remediation, it passes in next scan.
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 5
+    POLICY_FILE: cis_win_validate_remediation.yaml
+  metadata:
+    policy_file: cis_win_validate_remediation.yaml
+    check_id: 1
+    initial_result: failed
+    final_result: passed
+
+- name: SCA Rule Check Passes - Change system cause Fail
+  description: A given rule check passes in SCA scan. After changing system, it fails in next scan.
+  configuration_parameters:
+    ENABLED: 'yes'
+    INTERVAL: 5
+    POLICY_FILE: cis_win_validate_remediation.yaml
+  metadata:
+    policy_file: cis_win_validate_remediation.yaml
+    check_id: 2
+    initial_result: passed
+    final_result: failed
diff --git a/src/modules/sca/tests/integration/test_basic/test_basic.py b/src/modules/sca/tests/integration/test_basic/test_basic.py
new file mode 100644
index 0000000000..290d301fa6
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/test_basic.py
@@ -0,0 +1,203 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+           Created by Wazuh, Inc. <info@wazuh.com>.
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the `enabled` option of the SCA module
+       is working correctly. This option is located in its corresponding section of
+       the `ossec.conf` file and allows enabling or disabling this module.
+
+components:
+    - sca
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - Debian Buster
+    - Red Hat 8
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+tags:
+    - sca
+'''
+import sys
+import pytest
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.modules.modulesd.sca import patterns
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.constants.platforms import WINDOWS
+
+from . import CONFIGURATIONS_FOLDER_PATH, TEST_CASES_FOLDER_PATH
+
+
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+local_internal_options = {AGENTD_WINDOWS_DEBUG if sys.platform == WINDOWS else MODULESD_DEBUG: '2'}
+
+# Configuration and cases data
+configurations_path = Path(CONFIGURATIONS_FOLDER_PATH, 'configuration_sca.yaml')
+
+# ---------------------------------------------------- TEST_ENABLED ---------------------------------------------------
+# Test configurations
+t1_cases_path = Path(TEST_CASES_FOLDER_PATH, 'cases_sca_enabled.yaml')
+t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = configuration.get_test_cases_data(t1_cases_path)
+t1_configurations = configuration.load_configuration_template(configurations_path, t1_configuration_parameters,
+                                                t1_configuration_metadata)
+
+# ---------------------------------------------------- TEST_DISABLED --------------------------------------------------
+# Test configurations
+t2_cases_path = Path(TEST_CASES_FOLDER_PATH, 'cases_sca_disabled.yaml')
+t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = configuration.get_test_cases_data(t2_cases_path)
+t2_configurations = configuration.load_configuration_template(configurations_path, t2_configuration_parameters,
+                                                t2_configuration_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids)
+def test_sca_enabled(test_configuration, test_metadata, prepare_cis_policies_file, truncate_monitored_files,
+                     set_wazuh_configuration, configure_local_internal_options, daemons_handler):
+    '''
+    description: Check SCA behavior when enabled tag is set to yes.
+
+    test_phases:
+        - Set a custom Wazuh configuration.
+        - Copy cis_sca ruleset file into agent.
+        - Restart wazuh.
+        - Check that sca module starts if enabled is set to 'yes'
+        - Check in the log that the sca module started appears.
+        - Check that sca scan starts and finishes
+
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
+        - test_metadata:
+            type: dict
+            brief: Wazuh configuration metadata.
+        - prepare_cis_policies_file:
+            type: fixture
+            brief: copy test sca policy file. Delete it after test.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set the wazuh configuration according to the configuration data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the local_internal_options_file.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that when the `enabled` option is set to `yes`, the SCA module is enabled.
+        - Verify the sca scan starts.
+        - Verify the sca scan ends.
+
+    input_description:
+        - The `cases_sca_enabled.yaml` file provides the module configuration for this test.
+        - the cis*.yaml files located in the policies folder provide the sca rules to check.
+
+    expected_output:
+        - r'.*sca.*INFO: (Module started.)'
+        - r'.*sca.*INFO: (Starting Security Configuration Assessment scan).'
+        - r".*sca.*INFO: Security Configuration Assessment scan finished. Duration: (\\d+) seconds."
+    '''
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_ENABLED), timeout=60 if sys.platform == WINDOWS else 10)
+    assert log_monitor.callback_result
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_SCAN_STARTED), timeout=10)
+    assert log_monitor.callback_result
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_SCAN_ENDED), timeout=30)
+    assert log_monitor.callback_result
+
+
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids)
+def test_sca_disabled(test_configuration, test_metadata, prepare_cis_policies_file, truncate_monitored_files,
+                      set_wazuh_configuration, configure_local_internal_options, daemons_handler):
+    '''
+    description: Check SCA behavior when enabled tag is set no.
+
+    test_phases:
+        - Set a custom Wazuh configuration.
+        - Copy cis_sca ruleset file into agent.
+        - Restart wazuh.
+        - Check that sca module is disabled if enabled tag is set to 'no'
+
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - test_configuration:
+            type: dict
+            brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
+        - test_metadata:
+            type: dict
+            brief: Wazuh configuration metadata.
+        - prepare_cis_policies_file:
+            type: fixture
+            brief: copy test sca policy file. Delete it after test.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set the wazuh configuration according to the configuration data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the local_internal_options_file.
+        - daemons_handler:
+            type: fixture
+            brief: Handler of Wazuh daemons.
+
+    assertions:
+        - Verify that when the `enabled` option is set to `no`, the SCA module does not start.
+
+    input_description:
+        - The `cases_sca_disabled.yaml` file provides the module configuration for this test.
+        - the cis*.yaml files located in the policies folder provide the sca rules to check.
+
+    expected_output:
+        - r".*sca.*INFO: (Module disabled). Exiting."
+    '''
+
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_DISABLED), timeout=10)
+    assert log_monitor.callback_result
diff --git a/src/modules/sca/tests/integration/test_basic/test_scan_results.py b/src/modules/sca/tests/integration/test_basic/test_scan_results.py
new file mode 100644
index 0000000000..3d220d6e63
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/test_scan_results.py
@@ -0,0 +1,177 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+           Created by Wazuh, Inc. <info@wazuh.com>.
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will that a scan is ran using the configured sci_sca ruleset and regex engine.
+
+components:
+    - sca
+
+suite: sca
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - CentOS 8
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+tags:
+    - sca
+'''
+import sys
+import pytest
+import re
+import json
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.modules.modulesd.sca import patterns
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.constants.platforms import WINDOWS
+
+from . import CONFIGURATIONS_FOLDER_PATH, TEST_CASES_FOLDER_PATH
+
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+local_internal_options = {AGENTD_WINDOWS_DEBUG if sys.platform == WINDOWS else MODULESD_DEBUG: '2'}
+
+# Configuration and cases data
+configurations_path = Path(CONFIGURATIONS_FOLDER_PATH, 'configuration_sca.yaml')
+cases_path = Path(TEST_CASES_FOLDER_PATH, 'cases_scan_results_win.yaml' if sys.platform == WINDOWS else 'cases_scan_results.yaml')
+
+# Test configurations
+configuration_parameters, configuration_metadata, case_ids = configuration.get_test_cases_data(cases_path)
+configurations = configuration.load_configuration_template(configurations_path, configuration_parameters, configuration_metadata)
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+# Callback functions
+def callback_scan_id_result(line):
+    '''Callback that returns the ID an result of a SCA check
+    Args:
+        line (str): line string to check for match.
+    '''
+    match = re.match(patterns.CB_SCAN_RULE_RESULT, line)
+    if match:
+        return [match.group(1), match.group(2)]
+
+
+def callback_detect_sca_scan_summary(line):
+    '''Callback that return the json from a SCA summary event.
+    Args:
+        line (str): line string to check for match.
+    '''
+    match = re.match(patterns.CB_SCA_SCAN_EVENT, line)
+    if match:
+        if json.loads(match.group(1))['type'] == 'summary':
+            return json.loads(match.group(1))
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(configurations, configuration_metadata), ids=case_ids)
+def test_sca_scan_results(test_configuration, test_metadata, prepare_cis_policies_file, truncate_monitored_files,
+                          set_wazuh_configuration, configure_local_internal_options, daemons_handler,
+                          wait_for_sca_enabled):
+    '''
+    description: This test will check that a SCA scan is correctly executed on an agent, with a given policy file and
+                 a regex engine. For this it will copy a policy file located in the data folder and verify the engine
+                 used, the amount of results found, and that the results come from the policy file.
+
+    test_phases:
+        - Copy cis_sca ruleset file into agent.
+        - Restart wazuh.
+        - Check in the log that the sca module started appears.
+        - Check the regex engine used by the policy.
+        - Get the result for each ID check
+        - Check that the policy_id from the scan matches with the file used.
+
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - configuration:
+            type: dict
+            brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
+        - metadata:
+            type: dict
+            brief: Wazuh configuration metadata.
+        - prepare_cis_policies_file:
+            type: fixture
+            brief: copy test sca policy file. Delete it after test.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set the wazuh configuration according to the configuration data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the local_internal_options_file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - restart_modulesd_function:
+            type: fixture
+            brief: Restart the wazuh-modulesd daemon.
+        - wait_for_sca_enabled:
+            type: fixture
+            brief: Wait for the sca Module to start before starting the test.
+
+    assertions:
+        - Verify that when the `enabled` option is set to `yes`, the SCA module is enabled.
+        - Assert the engine used matches the regex_type configured in the metadata
+        - Assert the scan gets results from each rule check
+
+    input_description:
+        - The `cases_scan_results.yaml` file provides the module configuration for this test.
+        - The cis*.yaml files located in the policies folder provide the sca rules to check.
+
+    expected_output:
+        - r'.*sca.*INFO: (Module started.)'
+        - r'.*sca.*INFO: (Starting Security Configuration Assessment scan).'
+        - r".*sca.*DEBUG: SCA will use '(.*)' engine to check the rules."
+        - r".*sca.*wm_sca_hash_integrity.*DEBUG: ID: (\\d+); Result: '(.*)'"
+        - r'.*sca_send_alert.*Sending event: (.*)'
+    '''
+
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    # Wait for the end of SCA scan
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_SCAN_STARTED), timeout=10)
+    assert log_monitor.callback_result
+
+    # Check the regex engine used by SCA
+    log_monitor.start(callback=callbacks.generate_callback(patterns.CB_SCA_OSREGEX_ENGINE), timeout=10)
+    engine = log_monitor.callback_result[0] if log_monitor.callback_result != None else None
+
+    assert engine == test_metadata['regex_type'], \
+        f"Wrong regex-engine found: {engine}, expected: {test_metadata['regex_type']}"
+
+    # Check all checks have been done
+    log_monitor.start(callback=callback_scan_id_result, timeout=20, accumulations=int(test_metadata['results']))
+
+    # # Get scan summary event and check it matches with the policy file used
+    log_monitor.start(callback=callback_detect_sca_scan_summary, timeout=20)
+    summary = log_monitor.callback_result
+
+    assert summary['policy_id'] == test_metadata['policy_file'][0:-5], f"Unexpected policy_id found. Got \
+                                                                    {summary['policy_id']}, expected \
+                                                                    {test_metadata['policy_file'][0:-5]}"
diff --git a/src/modules/sca/tests/integration/test_basic/test_validate_remediation.py b/src/modules/sca/tests/integration/test_basic/test_validate_remediation.py
new file mode 100644
index 0000000000..bdb59b4f81
--- /dev/null
+++ b/src/modules/sca/tests/integration/test_basic/test_validate_remediation.py
@@ -0,0 +1,175 @@
+'''
+copyright: Copyright (C) 2015-2024, Wazuh Inc.
+           Created by Wazuh, Inc. <info@wazuh.com>.
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will that a scan is ran using the configured sci_sca ruleset and regex engine.
+
+components:
+    - sca
+
+suite: sca
+
+targets:
+    - agent
+
+daemons:
+    - wazuh-modulesd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - CentOS 8
+    - Windows 10
+    - Windows Server 2019
+    - Windows Server 2016
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+tags:
+    - sca
+'''
+import sys
+import os
+import pytest
+import re
+import subprocess
+from pathlib import Path
+
+from wazuh_testing.constants.paths.logs import WAZUH_LOG_PATH
+from wazuh_testing.utils import callbacks, configuration
+from wazuh_testing.tools.monitors import file_monitor
+from wazuh_testing.modules.modulesd.sca import patterns
+from wazuh_testing.modules.modulesd.configuration import MODULESD_DEBUG
+from wazuh_testing.modules.agentd.configuration import AGENTD_WINDOWS_DEBUG
+from wazuh_testing.constants.platforms import WINDOWS
+
+from . import CONFIGURATIONS_FOLDER_PATH, TEST_CASES_FOLDER_PATH
+
+pytestmark = [pytest.mark.agent, pytest.mark.linux, pytest.mark.win32, pytest.mark.tier(level=0)]
+
+local_internal_options = {AGENTD_WINDOWS_DEBUG if sys.platform == WINDOWS else MODULESD_DEBUG: '2'}
+
+# Configuration and cases data
+configurations_path = Path(CONFIGURATIONS_FOLDER_PATH, 'configuration_sca.yaml')
+cases_path = Path(TEST_CASES_FOLDER_PATH, 'cases_validate_remediation_win.yaml' if sys.platform == WINDOWS else 'cases_validate_remediation.yaml')
+
+# Test configurations
+configuration_parameters, configuration_metadata, case_ids = configuration.get_test_cases_data(cases_path)
+configurations = configuration.load_configuration_template(configurations_path, configuration_parameters, configuration_metadata)
+test_folder = '/testfile'
+
+# Test daemons to restart.
+daemons_handler_configuration = {'all_daemons': True}
+
+# Callback functions
+def callback_scan_id_result(line):
+    '''Callback that returns the ID an result of a SCA check
+    Args:
+        line (str): line string to check for match.
+    '''
+    match = re.match(patterns.CB_SCAN_RULE_RESULT, line)
+    if match:
+        return [match.group(1), match.group(2)]
+
+
+# Tests
+@pytest.mark.parametrize('test_configuration, test_metadata', zip(configurations, configuration_metadata), ids=case_ids)
+def test_validate_remediation_results(test_configuration, test_metadata, prepare_cis_policies_file, truncate_monitored_files,
+                                      prepare_remediation_test, set_wazuh_configuration,
+                                      configure_local_internal_options, daemons_handler,
+                                      wait_for_sca_enabled):
+    '''
+    description: This test will check that a SCA scan results, with the  expected initial results (passed/failed) for a
+                 given check, results change on subsequent checks if change is done to the system. For this a folder's
+                 permissions will be checked, passing or failing if the permissions match. Then, the permissions for
+                 the folder will be changed and wait for a new scan, and validate the results changed as expected.
+
+    test_phases:
+        - Copy cis_sca ruleset file into agent
+        - Create a folder that will be checked by the SCA rules (Linux)
+        - Restart wazuh
+        - Validate the result for a given SCA check are as expected
+        - Change the folder's permissions / Modifies the user lockout duration (Windows)
+        - Validate the result for a given SCA check change as expected
+
+    wazuh_min_version: 4.6.0
+
+    tier: 0
+
+    parameters:
+        - configuration:
+            type: dict
+            brief: Wazuh configuration data. Needed for set_wazuh_configuration fixture.
+        - metadata:
+            type: dict
+            brief: Wazuh configuration metadata.
+        - prepare_cis_policies_file:
+            type: fixture
+            brief: copy test sca policy file. Delete it after test.
+        - prepare_remediation_test:
+            type: fixture
+            brief: Create a folder with a given set of permissions or modifies the user
+                lockout duration in Windows. Delete it/Restores the value after test.
+        - set_wazuh_configuration:
+            type: fixture
+            brief: Set the wazuh configuration according to the configuration data.
+        - configure_local_internal_options:
+            type: fixture
+            brief: Configure the local_internal_options_file.
+        - truncate_monitored_files:
+            type: fixture
+            brief: Truncate all the log files and json alerts files before and after the test execution.
+        - restart_modulesd_function:
+            type: fixture
+            brief: Restart the wazuh-modulesd daemon.
+        - wait_for_sca_enabled:
+            type: fixture
+            brief: Wait for the sca Module to start before starting the test.
+
+    assertions:
+        - Assert the result for a given check passed/failed as expected
+        - Assert the result for a given check changes as expected after remediation/breaking commands
+
+    input_description:
+        - The `cases_validate_remediation.yaml` file provides the module configuration for this test.
+        - The cis*.yaml files located in the policies folder provide the sca rules to check.
+
+    expected_output:
+        - r".*sca.*wm_sca_hash_integrity.*DEBUG: ID: (\\d+); Result: '(.*)'"
+    '''
+
+    log_monitor = file_monitor.FileMonitor(WAZUH_LOG_PATH)
+
+    # Get the results for the checks obtained in the initial SCA scan
+    log_monitor.start(callback=callback_scan_id_result, timeout=20, \
+                      only_new_events=True, accumulations=3)
+
+    results = log_monitor.callback_result
+
+    # Assert the tested check has initial expected results (failed/passed)
+    check_result = results[test_metadata['check_id']-1][1]
+    assert check_result == test_metadata['initial_result'], f"Got unexcepted SCA result: {test_metadata['initial_result']},\
+                                                         got {check_result}"
+
+    if sys.platform == WINDOWS:
+        # Modify lockout duration
+        subprocess.call('net accounts /lockoutduration:100', shell=True)
+    else:
+        # Modify the folder's permissions
+        os.chmod(test_folder, test_metadata['perms'])
+
+    # Get the results for the checks obtained in the SCA scan
+    log_monitor.start(callback=callback_scan_id_result, timeout=20, \
+                      only_new_events=True, accumulations=3)
+    results = log_monitor.callback_result
+
+    # Assert the tested check result changed as expected (passed to failed, and vice-versa)
+    check_result = results[test_metadata['check_id']-1][1]
+    assert check_result == test_metadata['final_result'], f"Got unexcepted SCA result: {test_metadata['final_result']},\
+                                                       got {check_result}"
diff --git a/src/modules/sca/tests/unit/tests/CMakeLists.txt b/src/modules/sca/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..399dc438fa
--- /dev/null
+++ b/src/modules/sca/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,72 @@
+# Copyright (C) 2015, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Tests list and flags
+list(APPEND tests_names "test_wm_sca")
+list(APPEND tests_flags "-Wl,--wrap=time,--wrap=w_time_delay,--wrap=w_sleep_until,--wrap=_mwarn,--wrap=_minfo,--wrap=_merror \
+                         -Wl,--wrap=_mtwarn,--wrap=_mtinfo,--wrap=_mterror,--wrap=FOREVER,--wrap=IsFile,--wrap=getDefine_Int \
+                         -Wl,--wrap=StartMQ,--wrap=CreateThread,--wrap=wm_exec,--wrap=wm_sendmsg,--wrap=opendir,--wrap=realpath,--wrap=atexit \
+                         -Wl,--wrap=w_expression_compile -Wl,--wrap=w_expression_match -Wl,--wrap,wfopen")
+list(APPEND use_shared_libs 1)
+
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.h")
+list(APPEND shared_libs "../scheduling/wmodules_scheduling_helpers.c")
+
+# Generate wazuh modules library
+file(GLOB sca ../../../wazuh_modules/*.o)
+list(REMOVE_ITEM sca ../../../wazuh_modules/main.o)
+
+add_library(SCA_O STATIC ${sca})
+
+set_source_files_properties(
+  ${sca}
+  PROPERTIES
+  EXTERNAL_OBJECT true
+  GENERATED true
+  )
+
+set_target_properties(
+  SCA_O
+  PROPERTIES
+  LINKER_LANGUAGE C
+  )
+
+target_link_libraries(SCA_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+
+# Compiling tests
+list(LENGTH tests_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET tests_names ${counter} test_name)
+    list(GET tests_flags ${counter} test_flags)
+    list(GET use_shared_libs ${counter} use_libs)
+
+    if(use_libs EQUAL "1")
+      add_executable(${test_name} ${test_name}.c ${shared_libs})
+    else ()
+      add_executable(${test_name} ${test_name}.c)
+    endif()
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        SCA_O
+        -ldl
+        -lcmocka
+        -fprofile-arcs
+        -ftest-coverage
+    )
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(${test_name} ${test_name})
+endforeach()
diff --git a/src/modules/sca/tests/unit/tests/test_wm_sca.c b/src/modules/sca/tests/unit/tests/test_wm_sca.c
new file mode 100644
index 0000000000..ecb82dc98e
--- /dev/null
+++ b/src/modules/sca/tests/unit/tests/test_wm_sca.c
@@ -0,0 +1,828 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ *
+ * Test corresponding to the scheduling capacities
+ * for SCA Module
+ * */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <time.h>
+#include <stdlib.h>
+
+#include "shared.h"
+#include "../../../wazuh_modules/wmodules.h"
+#include "../scheduling/wmodules_scheduling_helpers.h"
+
+#include "../../wrappers/common.h"
+#include "../../wrappers/posix/dirent_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/pthreads_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/validate_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_exec_wrappers.h"
+
+#define TEST_MAX_DATES 3
+
+static wmodule *sca_module;
+static OS_XML *lxml;
+extern int test_mode;
+
+extern void wm_sca_send_policies_scanned(wm_sca_t * data);
+extern int wm_sca_test_positive_minterm(const char * const pattern, const char * const str, char ** reason, w_expression_t * regex_engine);
+extern int wm_sca_regex_numeric_comparison(const char * const pattern, const char * const str, char ** reason, w_expression_t * regex_engine);
+extern int wm_sca_apply_numeric_partial_comparison(const char * const partial_comparison, const long int number, char ** reason, w_expression_t * regex_engine);
+
+extern w_queue_t * request_queue;
+extern char **last_sha256;
+extern OSHash **cis_db;
+extern struct cis_db_hash_info_t *cis_db_for_hash;
+extern unsigned int policies_count;
+
+void wm_sca_send_policies_scanned(wm_sca_t * data)
+{
+    // Will wrap this function to check running times in order to check scheduling
+    return;
+}
+
+/******* Helpers **********/
+
+static void wmodule_cleanup(wmodule *module){
+    wm_sca_t* module_data = (wm_sca_t *)module->data;
+    int i;
+    for(i = 0; i < policies_count; i++) {
+        os_free(module_data->policies[i]->policy_path);
+        os_free(module_data->policies[i]);
+    }
+    os_free(module_data->alert_msg);
+    os_free(module_data->policies);
+    os_free(module_data);
+    os_free(module->tag);
+    os_free(module);
+}
+
+/***  SETUPS/TEARDOWNS  ******/
+static int setup_module() {
+    sca_module = calloc(1, sizeof(wmodule));
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<interval>12h</interval>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n";
+    lxml = malloc(sizeof(OS_XML));
+
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    XML_NODE nodes = string_to_xml_node(string, lxml);
+    int ret = wm_sca_read(lxml, nodes, sca_module);
+    OS_ClearNode(nodes);
+    test_mode = 0;
+
+    return ret;
+}
+
+static int teardown_module(){
+    test_mode = 1;
+    wm_sca_t* module_data = (wm_sca_t *)sca_module->data;
+    wmodule_cleanup(sca_module);
+    OS_ClearXML(lxml);
+    return 0;
+}
+
+static int setup_test_executions(void **state) {
+    wm_max_eps = 1;
+    return 0;
+}
+
+static int teardown_test_executions(void **state) {
+    wm_sca_t* module_data = (wm_sca_t *)sca_module->data;
+    sched_scan_free(&(module_data->scan_config));
+    int i;
+    for(i = 0; module_data->policies[i]; i++) {
+        os_free(last_sha256[i]);
+        OSHash_Free(cis_db[i]);
+        os_free(cis_db_for_hash[i].elem);
+    }
+    queue_free(request_queue);
+    return 0;
+}
+
+static int setup_test_read(void **state) {
+    test_structure *test = calloc(1, sizeof(test_structure));
+    test->module =  calloc(1, sizeof(wmodule));
+    *state = test;
+    return 0;
+}
+
+static int teardown_test_read(void **state) {
+    test_structure *test = *state;
+    OS_ClearNode(test->nodes);
+    OS_ClearXML(&(test->xml));
+    wmodule *module = test->module;
+    wm_sca_t* module_data = (wm_sca_t *)module->data;
+    sched_scan_free(&(module_data->scan_config));
+    wmodule_cleanup(module);
+    os_free(test);
+    return 0;
+}
+
+/****************************************************************/
+
+
+/** Tests **/
+void test_interval_execution(void **state) {
+    wm_sca_t* module_data = (wm_sca_t *)sca_module->data;
+    *state = module_data;
+    module_data->scan_config.next_scheduled_scan_time = 0;
+    module_data->scan_config.scan_day = 0;
+    module_data->scan_config.scan_wday = -1;
+    module_data->scan_config.interval = 60; // 1min
+    module_data->scan_config.month_interval = false;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 0);
+
+    will_return_count(__wrap_FOREVER, 1, TEST_MAX_DATES);
+    will_return(__wrap_FOREVER, 0);
+    expect_any_always(__wrap__mtinfo, tag);
+    expect_any_always(__wrap__mtinfo, formatted_msg);
+    expect_any_always(__wrap__mtwarn, tag);
+    expect_any_always(__wrap__mtwarn, formatted_msg);
+
+    sca_module->context->start(module_data);
+}
+
+void test_fake_tag(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<time>03:30</time>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n"
+        "<fake>invalid</fake>";
+    test_structure *test = *state;
+    test->nodes = string_to_xml_node(string, &(test->xml));
+
+    expect_string(__wrap__mterror, tag, "sca");
+    expect_string(__wrap__mterror, formatted_msg, "No such tag 'fake' at module 'sca'.");
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    assert_int_equal(wm_sca_read(&(test->xml), test->nodes, test->module),-1);
+}
+
+void test_read_scheduling_monthday_configuration(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<day>7</day>\n"
+        "<time>03:30</time>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n";
+    test_structure *test = *state;
+
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one month. New interval value: 1M");
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_sca_read(&(test->xml), test->nodes, test->module),0);
+    wm_sca_t* module_data = (wm_sca_t *)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 7);
+    assert_int_equal(module_data->scan_config.interval, 1);
+    assert_int_equal(module_data->scan_config.month_interval, true);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "03:30");
+}
+
+void test_read_scheduling_weekday_configuration(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<wday>Monday</wday>\n"
+        "<time>04:30</time>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n";
+    test_structure *test = *state;
+
+    expect_string(__wrap__mwarn, formatted_msg, "Interval must be a multiple of one week. New interval value: 1w");
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_sca_read(&(test->xml), test->nodes, test->module),0);
+    wm_sca_t* module_data = (wm_sca_t *)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 604800);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, 1);
+    assert_string_equal(module_data->scan_config.scan_time, "04:30");
+}
+
+void test_read_scheduling_daytime_configuration(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<time>05:30</time>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n";
+    test_structure *test = *state;
+
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_sca_read(&(test->xml), test->nodes, test->module),0);
+    wm_sca_t* module_data = (wm_sca_t *)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, WM_DEF_INTERVAL);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+    assert_string_equal(module_data->scan_config.scan_time, "05:30");
+}
+
+void test_read_scheduling_interval_configuration(void **state) {
+    const char *string =
+        "<enabled>yes</enabled>\n"
+        "<scan_on_start>no</scan_on_start>\n"
+        "<interval>2h</interval>\n"
+        "<policies>\n"
+        "    <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>\n"
+        "</policies>\n";
+    test_structure *test = *state;
+
+    will_return(__wrap_opendir, 0);
+    expect_string(__wrap__mtinfo, tag, "sca");
+    expect_any(__wrap__mtinfo, formatted_msg);
+    expect_string(__wrap_realpath, path, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_realpath, "/var/ossec/etc/shared/your_policy_file.yml");
+    expect_string(__wrap_IsFile, file, "/var/ossec/etc/shared/your_policy_file.yml");
+    will_return(__wrap_IsFile, 0);
+
+    test->nodes = string_to_xml_node(string, &(test->xml));
+    assert_int_equal(wm_sca_read(&(test->xml), test->nodes, test->module),0);
+    wm_sca_t* module_data = (wm_sca_t *)test->module->data;
+    assert_int_equal(module_data->scan_config.scan_day, 0);
+    assert_int_equal(module_data->scan_config.interval, 7200);
+    assert_int_equal(module_data->scan_config.month_interval, false);
+    assert_int_equal(module_data->scan_config.scan_wday, -1);
+}
+
+/* wm_sort_variables tests */
+
+void test_wm_sort_variables_null(void **state)
+{
+    char **ret;
+    cJSON *variables_policy = NULL;
+
+    ret = wm_sort_variables(variables_policy);
+    assert_null(ret);
+}
+
+void test_wm_sort_variables_duplicated(void **state)
+{
+    char **ret;
+    char *expected_ret[] = {"$system_root", "$system_root"};
+    const char *variables_json_mock = "{\n \
+        \"variables\": {\n \
+            \"$system_root\": \"/var\",\n \
+            \"$system_root\": \"/etc\"\n \
+        }\n \
+    }";
+
+    cJSON *variables_list = cJSON_Parse(variables_json_mock);
+    cJSON *variables_policy = cJSON_GetObjectItem(variables_list, "variables");
+    ret = wm_sort_variables(variables_policy);
+
+    for (int i = 0; ret[i]; i++) {
+        assert_string_equal(ret[i], expected_ret[i]);
+        os_free(ret[i]);
+    }
+    os_free(ret);
+    cJSON_Delete(variables_list);
+}
+
+void test_wm_sort_variables(void **state)
+{
+    char **ret;
+    char *expected_ret[] = {"$system_root_file", "$ssh_&_ssl_path", "$system_root", "$file"};
+    const char *variables_json_mock = "{\n \
+        \"variables\": {\n \
+            \"$system_root\": \"/var\",\n \
+            \"$file\": \"/\",\n \
+            \"$ssh_&_ssl_path\": \"/new/directory\",\n \
+            \"$system_root_file\": \"/var\"\n \
+        }\n \
+    }";
+
+    cJSON *variables_list = cJSON_Parse(variables_json_mock);
+    cJSON *variables_policy = cJSON_GetObjectItem(variables_list, "variables");
+    ret = wm_sort_variables(variables_policy);
+
+    for (int i = 0; ret[i]; i++) {
+        assert_string_equal(ret[i], expected_ret[i]);
+        os_free(ret[i]);
+    }
+    os_free(ret);
+    cJSON_Delete(variables_list);
+}
+
+void test_wm_sca_test_positive_minterm_pcre2(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+    assert_int_equal(wm_sca_test_positive_minterm("r: test", "Status: test ok tested", NULL, regex), 1);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_pcre2_fail(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    assert_int_equal(wm_sca_test_positive_minterm("r: test", "Status: test ok tested", NULL, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_pcre2_fail_no_compile(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, false);
+
+    assert_int_equal(wm_sca_test_positive_minterm("r: ???", "Status: test ok tested", NULL, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_pcre2_fail_no_match(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    assert_int_equal(wm_sca_test_positive_minterm("r: test", "Status: test ok tested", NULL, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_os_regex(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+    assert_int_equal(wm_sca_test_positive_minterm("r: test", "Status: test ok tested", NULL, regex), 1);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_os_regex_fail_no_match(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    assert_int_equal(wm_sca_test_positive_minterm("r: \\w\\w\\w\\d", "Status: test ok tested", NULL, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_exact_match(void **state)
+{
+    assert_int_equal(wm_sca_test_positive_minterm("test", "test", NULL, NULL), 1);
+}
+
+void test_wm_sca_test_positive_minterm_no_exact_match(void **state)
+{
+    assert_int_equal(wm_sca_test_positive_minterm("test", "other thing", NULL, NULL), 0);
+}
+
+void test_wm_sca_test_positive_minterm_numeric_expression(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "20");
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_test_positive_minterm("n:^\\s*\t*test\\s*\t*(\\d+) compare <= 30", "test 20", NULL, regex), 1);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_test_positive_minterm_numeric_expression_fail(void **state)
+{
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    assert_int_equal(wm_sca_test_positive_minterm("n:^\\s*\t*test\\s*\t*(\\d+) compare <= 30", "test 20", NULL, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_regex_numeric_comparison_PCRE2(void **state)
+{
+   w_expression_t * regex;
+   w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+   will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "20");
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+   assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+) compare < 30", "test 20", NULL, regex), 1);
+   w_free_expression_t(&regex);
+}
+
+void test_wm_sca_regex_numeric_comparison_OS_REGEX(void **state)
+{
+   w_expression_t * regex;
+   w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+   will_return(__wrap_w_expression_compile, true);
+   will_return(__wrap_w_expression_match, -1);
+   will_return(__wrap_w_expression_match, "50");
+   will_return(__wrap_w_expression_compile, true);
+   will_return(__wrap_w_expression_match, -1);
+   will_return(__wrap_w_expression_match, "30");
+
+   assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+) compare > 30", "test 50", NULL, regex), 1);
+   w_free_expression_t(&regex);
+}
+
+void test_wm_sca_regex_numeric_comparison_without_compare_word_nor_reason(void **state)
+{
+    char *reason = NULL;
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+)", "test 50", &reason, NULL), 2);
+    os_free(reason);
+}
+
+void test_wm_sca_regex_numeric_comparison_without_compare_word_with_reason(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+)", "test 50", &reason, NULL), 2);
+    os_free(reason);
+}
+
+void test_wm_sca_regex_numeric_comparison_without_compile_regex(void **state)
+{
+    char * reason = NULL;
+
+    will_return(__wrap_w_expression_compile, false);
+
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:???", "test 50", &reason, NULL), 2);
+    os_free(reason);
+}
+
+void test_wm_sca_regex_numeric_comparison_no_match(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+) compare > 30", "test 50", &reason, regex), 0);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_regex_numeric_comparison_no_detect_number_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+) compare ", "test 50", &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_regex_numeric_comparison_no_detect_number_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    assert_int_equal(wm_sca_regex_numeric_comparison("n:^\\s*\t*test\\s*\t*(\\d+) compare ", "test 50", &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_OS_REGEX(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("== 30", 30, &reason, regex), 1);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_PCRE2(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 20, &reason, regex), 1);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_PCRE2_fail(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_PCRE2);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 40, &reason, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_OS_REGEX_fail(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("== 30", 50, &reason, regex), 0);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_without_string_to_compare_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No comparison provided.");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison(NULL, 30, &reason, NULL), 2);
+    os_free(reason);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_without_string_to_compare_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No comparison provided.");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison(NULL, 30, &reason, NULL), 2);
+    os_free(reason);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_not_compile_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, false);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "Cannot compile regex");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("???", 30, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_not_compile_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, false);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "Cannot compile regex");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("???", 30, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_not_match_regex_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No integer was found within the comparison '< 30' ");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_not_match_regex_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, false);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No integer was found within the comparison '< 30' ");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_no_capture_number_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No number was captured.");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_no_capture_number_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, true);
+
+    expect_string(__wrap__mtwarn, tag, "sca");
+    expect_string(__wrap__mtwarn, formatted_msg, "No number was captured.");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("< 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_no_operation_supported_with_reason_null(void **state)
+{
+    char * reason = NULL;
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("! 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+void test_wm_sca_apply_numeric_partial_comparison_no_operation_supported_with_reason_not_null(void **state)
+{
+    char * reason = NULL;
+    os_malloc(OS_MAXSTR, reason);
+    sprintf(reason, "This is a test");
+    w_expression_t * regex;
+    w_calloc_expression_t(&regex, EXP_TYPE_OSREGEX);
+    will_return(__wrap_w_expression_compile, true);
+    will_return(__wrap_w_expression_match, -1);
+    will_return(__wrap_w_expression_match, "30");
+
+    assert_int_equal(wm_sca_apply_numeric_partial_comparison("! 30", 50, &reason, regex), 2);
+    os_free(reason);
+    w_free_expression_t(&regex);
+}
+
+/* main */
+
+int main(void) {
+    const struct CMUnitTest tests_with_startup[] = {
+        cmocka_unit_test_setup_teardown(test_interval_execution, setup_test_executions, teardown_test_executions)
+    };
+    const struct CMUnitTest tests_without_startup[] = {
+        cmocka_unit_test_setup_teardown(test_fake_tag, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_monthday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_weekday_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_daytime_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test_setup_teardown(test_read_scheduling_interval_configuration, setup_test_read, teardown_test_read),
+        cmocka_unit_test(test_wm_sort_variables_null),
+        cmocka_unit_test(test_wm_sort_variables_duplicated),
+        cmocka_unit_test(test_wm_sort_variables),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_pcre2),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_pcre2_fail),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_pcre2_fail_no_match),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_pcre2_fail_no_compile),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_os_regex),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_os_regex_fail_no_match),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_exact_match),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_no_exact_match),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_numeric_expression),
+        cmocka_unit_test(test_wm_sca_test_positive_minterm_numeric_expression_fail),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_PCRE2),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_OS_REGEX),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_without_compare_word_nor_reason),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_without_compare_word_with_reason),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_no_match),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_no_detect_number_with_reason_null),
+        cmocka_unit_test(test_wm_sca_regex_numeric_comparison_no_detect_number_with_reason_not_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_OS_REGEX),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_OS_REGEX_fail),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_PCRE2),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_PCRE2_fail),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_without_string_to_compare_with_reason_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_without_string_to_compare_with_reason_not_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_not_compile_with_reason_not_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_not_compile_with_reason_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_not_match_regex_with_reason_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_not_match_regex_with_reason_not_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_no_capture_number_with_reason_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_no_capture_number_with_reason_not_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_no_operation_supported_with_reason_null),
+        cmocka_unit_test(test_wm_sca_apply_numeric_partial_comparison_no_operation_supported_with_reason_not_null)
+    };
+    int result;
+    result = cmocka_run_group_tests(tests_with_startup, setup_module, teardown_module);
+    result += cmocka_run_group_tests(tests_without_startup, NULL, NULL);
+    return result;
+}
diff --git a/src/modules/upgrade/include/wm_agent_upgrade.h b/src/modules/upgrade/include/wm_agent_upgrade.h
new file mode 100644
index 0000000000..d0eff1ab2f
--- /dev/null
+++ b/src/modules/upgrade/include/wm_agent_upgrade.h
@@ -0,0 +1,55 @@
+/*
+ * Wazuh Module for Agent Upgrading
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 15, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_AGENT_UPGRADE_H
+#define WM_AGENT_UPGRADE_H
+
+#define WM_AGENT_UPGRADE_LOGTAG ARGV0 ":" AGENT_UPGRADE_WM_NAME
+
+#define WM_UPGRADE_WPK_REPO_URL_3_X "packages.wazuh.com/wpk/"
+#define WM_UPGRADE_WPK_REPO_URL "packages.wazuh.com/%d.x/wpk/"
+#define WM_UPGRADE_CHUNK_SIZE 512
+#define WM_UPGRADE_MAX_THREADS 8
+#define WM_UPGRADE_WAIT_START 300
+#define WM_UPGRADE_WAIT_MAX 3600
+#define WM_UPGRADE_WAIT_FACTOR_INCREASE 2.0
+
+/**
+ * Configurations on agent side
+ */
+typedef struct _wm_agent_configs {
+    unsigned int upgrade_wait_start;
+    unsigned int upgrade_wait_max;
+    float upgrade_wait_factor_increase;
+    unsigned int enable_ca_verification;
+} wm_agent_configs;
+
+/**
+ * Configuration only for manager
+ */
+typedef struct _wm_manager_configs {
+    unsigned int max_threads;
+    unsigned int chunk_size;
+    char *wpk_repository;
+} wm_manager_configs;
+
+typedef struct _wm_agent_upgrade {
+    int enabled:1;
+    wm_agent_configs agent_config;
+    wm_manager_configs manager_config;
+} wm_agent_upgrade;
+
+// Parse XML configuration
+int wm_agent_upgrade_read(const OS_XML *xml, xml_node **nodes, wmodule *module);
+
+extern const wm_context WM_AGENT_UPGRADE_CONTEXT;   // Context
+
+#endif
diff --git a/src/modules/upgrade/include/wm_agent_upgrade_agent.h b/src/modules/upgrade/include/wm_agent_upgrade_agent.h
new file mode 100644
index 0000000000..7cb02bc2a4
--- /dev/null
+++ b/src/modules/upgrade/include/wm_agent_upgrade_agent.h
@@ -0,0 +1,57 @@
+/*
+ * Wazuh Module for Agent Upgrading
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 30, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_AGENT_UPGRADE_AGENT_H
+#define WM_AGENT_UPGRADE_AGENT_H
+
+#ifdef WIN32
+    #define WM_AGENT_UPGRADE_RESULT_FILE UPGRADE_DIR "\\upgrade_result"
+#else
+    #define WM_AGENT_UPGRADE_RESULT_FILE UPGRADE_DIR "/upgrade_result"
+#endif
+
+#define WM_AGENT_UPGRADE_RESULT_WAIT_TIME 30
+
+typedef enum _wm_upgrade_agent_state {
+    WM_UPGRADE_SUCCESSFUL = 0,
+    WM_UPGRADE_FAILED_DEPENDENCY,
+    WM_UPGRADE_FAILED,
+    WM_UPGRADE_MAX_STATE
+} wm_upgrade_agent_state;
+
+extern char **wcom_ca_store;
+
+extern bool allow_upgrades;
+
+/**
+ * Start main loop of the upgrade module for the agent
+ * @param agent_config Agent configuration parameters
+ * @param enabled Wheter the module will allow or not upgrades
+ * */
+void wm_agent_upgrade_start_agent_module(const wm_agent_configs* agent_config, const int enabled) __attribute__((nonnull));
+
+/**
+ * Receives a string and process it with the available commands
+ * Request format:
+ *{
+ *   "command": "upgrade",
+ *   "parameters" : {
+ *       "file" : "file_path",
+ *       "installer" : "installer_path"
+ *    }
+ *}
+ * @param buffer string with the information
+ * @param output response to command
+ * @return size of the response
+ * */
+size_t wm_agent_upgrade_process_command(const char *buffer, char **output);
+
+#endif
diff --git a/src/modules/upgrade/include/wm_task_general.h b/src/modules/upgrade/include/wm_task_general.h
new file mode 100644
index 0000000000..e1a386460d
--- /dev/null
+++ b/src/modules/upgrade/include/wm_task_general.h
@@ -0,0 +1,107 @@
+/*
+ * Wazuh Module for Task management.
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 13, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifndef WM_TASK_GENERAL_H
+#define WM_TASK_GENERAL_H
+
+#define WM_TASK_STATUS_PENDING "Pending"
+#define WM_TASK_STATUS_IN_PROGRESS "In progress"
+#define WM_TASK_STATUS_DONE "Done"
+#define WM_TASK_STATUS_FAILED "Failed"
+#define WM_TASK_STATUS_CANCELLED "Cancelled"
+#define WM_TASK_STATUS_TIMEOUT "Timeout"
+#define WM_TASK_STATUS_LEGACY "Legacy"
+
+/**
+ * Enumeration of all available keys that could be used in the messages
+ * */
+typedef enum _task_manager_json_key {
+    // Request
+    WM_TASK_ORIGIN = 0,
+    WM_TASK_NAME,
+    WM_TASK_MODULE,
+    WM_TASK_COMMAND,
+    WM_TASK_PARAMETERS,
+    WM_TASK_AGENTS,
+    // Response
+    WM_TASK_ERROR,
+    WM_TASK_DATA,
+    WM_TASK_ERROR_MESSAGE,
+    WM_TASK_AGENT_ID,
+    WM_TASK_TASK_ID,
+    WM_TASK_NODE,
+    WM_TASK_STATUS,
+    WM_TASK_ERROR_MSG,
+    WM_TASK_CREATE_TIME,
+    WM_TASK_LAST_UPDATE_TIME,
+    // Clean tasks request
+    WM_TASK_NOW,
+    WM_TASK_INTERVAL,
+    WM_TASK_TIMESTAMP
+} task_manager_json_key;
+
+/**
+ * Enumeration of the available commands
+ * */
+typedef enum _command_list {
+    WM_TASK_UPGRADE = 0,
+    WM_TASK_UPGRADE_CUSTOM,
+    WM_TASK_UPGRADE_GET_STATUS,
+    WM_TASK_UPGRADE_UPDATE_STATUS,
+    WM_TASK_UPGRADE_RESULT,
+    WM_TASK_UPGRADE_CANCEL_TASKS,
+    WM_TASK_SET_TIMEOUT,
+    WM_TASK_DELETE_OLD,
+    WM_TASK_UNKNOWN
+} command_list;
+
+/**
+ * Enumeration of the modules orchestrated by the task manager
+ * */
+typedef enum _module_list {
+    WM_TASK_UPGRADE_MODULE = 0,
+    WM_TASK_API_MODULE
+} module_list;
+
+/**
+ * Enumeration of the possible task statuses
+ * */
+typedef enum _task_status {
+    WM_TASK_PENDING = 0,
+    WM_TASK_IN_PROGRESS,
+    WM_TASK_DONE,
+    WM_TASK_FAILED,
+    WM_TASK_CANCELLED,
+    WM_TASK_TIMEOUT,
+    WM_TASK_LEGACY
+} task_status;
+
+/**
+ * List containing all the possible json_keys
+ * */
+extern const char *task_manager_json_keys[];
+
+/**
+ * List containing all the command names
+ * */
+extern const char *task_manager_commands_list[];
+
+/**
+ * List containing the module names
+ * */
+extern const char *task_manager_modules_list[];
+
+/**
+ * List of possible task statuses
+ * */
+extern const char *task_statuses[];
+
+#endif
diff --git a/src/modules/upgrade/src/wm_agent_upgrade.c b/src/modules/upgrade/src/wm_agent_upgrade.c
new file mode 100644
index 0000000000..7f67853245
--- /dev/null
+++ b/src/modules/upgrade/src/wm_agent_upgrade.c
@@ -0,0 +1,108 @@
+/*
+ * Wazuh Module for Agent Upgrading
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 3, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+#include "wazuh_modules/wmodules.h"
+#include "os_net/os_net.h"
+
+#ifdef CLIENT
+#include "agent/wm_agent_upgrade_agent.h"
+#else
+#include "manager/wm_agent_upgrade_manager.h"
+#endif
+
+/**
+ * Module main function. It won't return
+ * */
+#ifdef WIN32
+STATIC DWORD WINAPI wm_agent_upgrade_main(void *arg);
+#else
+STATIC void* wm_agent_upgrade_main(wm_agent_upgrade* upgrade_config);
+#endif
+STATIC void wm_agent_upgrade_destroy(wm_agent_upgrade* upgrade_config);
+STATIC cJSON *wm_agent_upgrade_dump(const wm_agent_upgrade* upgrade_config);
+
+/* Context definition */
+const wm_context WM_AGENT_UPGRADE_CONTEXT = {
+    .name = AGENT_UPGRADE_WM_NAME,
+    .start = (wm_routine)wm_agent_upgrade_main,
+    .destroy = (void(*)(void *))wm_agent_upgrade_destroy,
+    .dump = (cJSON * (*)(const void *))wm_agent_upgrade_dump,
+    .sync = NULL,
+    .stop = NULL,
+    .query = NULL,
+};
+
+#ifdef WIN32
+STATIC DWORD WINAPI wm_agent_upgrade_main(void *arg) {
+    wm_agent_upgrade* upgrade_config = (wm_agent_upgrade *)arg;
+#else
+STATIC void *wm_agent_upgrade_main(wm_agent_upgrade* upgrade_config) {
+#endif
+    #ifdef CLIENT
+        wm_agent_upgrade_start_agent_module(&upgrade_config->agent_config, upgrade_config->enabled);
+    #else
+        wm_agent_upgrade_start_manager_module(&upgrade_config->manager_config, upgrade_config->enabled);
+    #endif
+
+#ifdef WIN32
+    return 0;
+#else
+    return NULL;
+#endif
+}
+
+STATIC void wm_agent_upgrade_destroy(wm_agent_upgrade* upgrade_config) {
+    mtinfo(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_MODULE_FINISHED);
+    #ifndef CLIENT
+    os_free(upgrade_config->manager_config.wpk_repository);
+    #endif
+    os_free(upgrade_config);
+}
+
+STATIC cJSON *wm_agent_upgrade_dump(const wm_agent_upgrade* upgrade_config){
+    cJSON *root = cJSON_CreateObject();
+    cJSON *wm_info = cJSON_CreateObject();
+
+    if (upgrade_config->enabled) {
+        cJSON_AddStringToObject(wm_info,"enabled","yes");
+    } else {
+        cJSON_AddStringToObject(wm_info,"enabled","no");
+    }
+    #ifndef CLIENT
+    cJSON_AddNumberToObject(wm_info, "max_threads", upgrade_config->manager_config.max_threads);
+    cJSON_AddNumberToObject(wm_info, "chunk_size", upgrade_config->manager_config.chunk_size);
+    if (upgrade_config->manager_config.wpk_repository) {
+        cJSON_AddStringToObject(wm_info, "wpk_repository", upgrade_config->manager_config.wpk_repository);
+    }
+    #else
+    if (upgrade_config->agent_config.enable_ca_verification) {
+        cJSON_AddStringToObject(wm_info,"ca_verification","yes");
+    } else {
+        cJSON_AddStringToObject(wm_info,"ca_verification","no");
+    }
+    if (wcom_ca_store) {
+        cJSON *calist = cJSON_CreateArray();
+        for (int i=0; wcom_ca_store[i]; i++) {
+            cJSON_AddItemToArray(calist,cJSON_CreateString(wcom_ca_store[i]));
+        }
+        cJSON_AddItemToObject(wm_info,"ca_store",calist);
+    }
+    #endif
+    cJSON_AddItemToObject(root,"agent-upgrade",wm_info);
+    return root;
+}
diff --git a/src/modules/upgrade/src/wm_agent_upgrade_agent.c b/src/modules/upgrade/src/wm_agent_upgrade_agent.c
new file mode 100644
index 0000000000..0a3598678f
--- /dev/null
+++ b/src/modules/upgrade/src/wm_agent_upgrade_agent.c
@@ -0,0 +1,286 @@
+/*
+ * Wazuh Module for Agent Upgrading
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 30, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wazuh_modules/wmodules.h"
+#include "wm_agent_upgrade_agent.h"
+#ifndef WIN32
+#include "os_net/os_net.h"
+#endif
+
+#ifdef WAZUH_UNIT_TESTING
+#ifdef WIN32
+#include "unit_tests/wrappers/windows/libc/stdio_wrappers.h"
+#include "unit_tests/wrappers/windows/synchapi_wrappers.h"
+#endif
+// Remove static qualifier when unit testing
+#define STATIC
+#else
+#define STATIC static
+#endif
+
+const char* upgrade_values[] = {
+    [WM_UPGRADE_SUCCESSFUL] = "0",
+    [WM_UPGRADE_FAILED_DEPENDENCY] = "1",
+    [WM_UPGRADE_FAILED] = "2"
+};
+
+const char* upgrade_messages[] = {
+    [WM_UPGRADE_SUCCESSFUL] = "Upgrade was successful",
+    [WM_UPGRADE_FAILED_DEPENDENCY] = "Upgrade failed due missing dependency",
+    [WM_UPGRADE_FAILED] = "Upgrade failed"
+};
+
+static const char *task_statuses_map[] = {
+    [WM_UPGRADE_SUCCESSFUL] = WM_TASK_STATUS_DONE,
+    [WM_UPGRADE_FAILED_DEPENDENCY] = WM_TASK_STATUS_FAILED,
+    [WM_UPGRADE_FAILED] = WM_TASK_STATUS_FAILED
+};
+
+// CA certificates
+char **wcom_ca_store = NULL;
+
+#ifndef WIN32
+
+/**
+ * Listen to the upgrade socket in order to receive commands
+ * @return only on errors, socket will be closed
+ * */
+STATIC void* wm_agent_upgrade_listen_messages(__attribute__((unused)) void *arg);
+
+#endif
+
+/**
+ * Checks if an agent has been recently upgraded, by reading upgrade_results file
+ * If there has been an upgrade, dispatchs a message to notificate the manager.
+ * This method will block the thread if the agent is not connected to the manager
+ * @param agent_config Agent configuration parameters
+ * */
+STATIC void wm_agent_upgrade_check_status(const wm_agent_configs* agent_config) __attribute__((nonnull));
+
+/**
+ * Checks in the upgrade_results file for a code that determines the result
+ * of the upgrade operation, then sends it to the current manager
+ * @param queue_fd file descriptor of the queue where the notification will be sent
+ * @return a flag indicating if any result was found
+ * @retval true information was found on the upgrade_result file
+ * @retval either the upgrade_result file does not exist or contains invalid information
+ * */
+STATIC bool wm_upgrade_agent_search_upgrade_result(int *queue_fd);
+
+/**
+ * Reads the upgrade_result file if it is present and sends the upgrade result message to the manager.
+ * Example message:
+ * {
+ *	  "command": "upgrade_update_status",
+ *	  "parameters": {
+ *        "status": "Failed",
+ *        "error_msg": "Upgrade procedure exited with error code"
+ *	  }
+ * }
+ * @param queue_fd File descriptor of the upgrade queue
+ * @param state upgrade result state
+ * */
+STATIC void wm_upgrade_agent_send_ack_message(int *queue_fd, wm_upgrade_agent_state state);
+
+void wm_agent_upgrade_start_agent_module(const wm_agent_configs* agent_config, const int enabled) {
+
+    // Check if module is enabled
+    if (!enabled) {
+        allow_upgrades = false;
+    } else {
+        mtinfo(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_MODULE_STARTED);
+    }
+
+    #ifndef WIN32
+        w_create_thread(wm_agent_upgrade_listen_messages, NULL);
+    #endif
+
+    if (enabled) {
+        wm_agent_upgrade_check_status(agent_config);
+    }
+}
+
+#ifndef WIN32
+
+STATIC void* wm_agent_upgrade_listen_messages(__attribute__((unused)) void *arg) {
+    // Initialize socket
+    char sockname[PATH_MAX + 1];
+
+	strcpy(sockname, AGENT_UPGRADE_SOCK);
+
+    int sock = OS_BindUnixDomainWithPerms(sockname, SOCK_STREAM, OS_MAXSTR, getuid(), wm_getGroupID(), 0660);
+    if (sock < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_BIND_SOCK_ERROR, AGENT_UPGRADE_SOCK, strerror(errno));
+        return NULL;
+    }
+
+    while(1) {
+        // listen - wait connection
+        fd_set fdset;
+        FD_ZERO(&fdset);
+        FD_SET(sock, &fdset);
+
+        switch (select(sock + 1, &fdset, NULL, NULL, NULL)) {
+        case -1:
+            if (errno != EINTR) {
+                mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_SELECT_ERROR, strerror(errno));
+                close(sock);
+                return NULL;
+            }
+            continue;
+        case 0:
+            continue;
+        }
+
+        //Accept
+        int peer;
+        if (peer = accept(sock, NULL, NULL), peer < 0) {
+            if (errno != EINTR) {
+                mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_ACCEPT_ERROR, strerror(errno));
+            }
+            continue;
+        }
+
+        // Get request string
+        char *buffer = NULL;
+
+        os_calloc(OS_MAXSTR, sizeof(char), buffer);
+        int length;
+        switch (length = OS_RecvSecureTCP(peer, buffer, OS_MAXSTR), length) {
+        case OS_SOCKTERR:
+            mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_SOCKTERR_ERROR);
+            break;
+        case -1:
+            mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_RECV_ERROR, strerror(errno));
+            break;
+        case 0:
+            mtdebug1(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_EMPTY_MESSAGE);
+            break;
+        default:
+            mtdebug1(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INCOMMING_MESSAGE, buffer);
+            char* message = NULL;
+            size_t length = wm_agent_upgrade_process_command(buffer, &message);
+
+            mtdebug1(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_RESPONSE_MESSAGE, message);
+            OS_SendSecureTCP(peer, length, message);
+            os_free(message);
+            break;
+        }
+
+        os_free(buffer);
+        close(peer);
+
+    #ifdef WAZUH_UNIT_TESTING
+        break;
+    #endif
+    }
+
+    close(sock);
+
+    return NULL;
+}
+
+#endif
+
+STATIC void wm_agent_upgrade_check_status(const wm_agent_configs* agent_config) {
+    /**
+     *  StartMQ will wait until agent connection which is when the pkg_install.sh will write
+     *  the upgrade result
+    */
+    int queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+
+    // Wait until pkg_installer script verifies the agent was connected and writes the upgrade_result file
+    sleep(WM_AGENT_UPGRADE_RESULT_WAIT_TIME);
+
+    if (queue_fd < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_QUEUE_FD);
+    } else {
+        bool result_available = true;
+        unsigned int wait_time = agent_config->upgrade_wait_start;
+        /**
+         * This loop will send the upgrade result notification to the manager
+         * If the manager is able to update the upgrade status will notify the agent
+         * erasing the result file and exiting this loop
+         * */
+        while (result_available) {
+            result_available = wm_upgrade_agent_search_upgrade_result(&queue_fd);
+
+            if(result_available) {
+                sleep(wait_time);
+
+                wait_time *= agent_config->upgrade_wait_factor_increase;
+                if (wait_time > agent_config->upgrade_wait_max) {
+                    wait_time = agent_config->upgrade_wait_max;
+                }
+            }
+        }
+    #ifndef WIN32
+        close(queue_fd);
+    #endif
+    }
+
+    if (!allow_upgrades) {
+        allow_upgrades = true;
+    }
+}
+
+STATIC bool wm_upgrade_agent_search_upgrade_result(int *queue_fd) {
+    char buffer[20];
+    const char * PATH = WM_AGENT_UPGRADE_RESULT_FILE;
+
+    FILE *result_file = wfopen(PATH, "r");
+    if (result_file) {
+        if (fgets(buffer, 20, result_file) == NULL) {
+            fclose(result_file);
+            return true;
+        }
+        fclose(result_file);
+
+        wm_upgrade_agent_state state;
+        for (state = 0; state < WM_UPGRADE_MAX_STATE; state++) {
+            // File can either be "0\n", "1\n" or "2\n", so we are expecting a positive match
+            if (strstr(buffer, upgrade_values[state]) != NULL) {
+                // Matched value, send message
+                wm_upgrade_agent_send_ack_message(queue_fd, state);
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+STATIC void wm_upgrade_agent_send_ack_message(int *queue_fd, wm_upgrade_agent_state state) {
+    int msg_delay = 1000000 / wm_max_eps;
+    cJSON* root = cJSON_CreateObject();
+    cJSON* parameters = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(root, task_manager_json_keys[WM_TASK_COMMAND], task_manager_commands_list[WM_TASK_UPGRADE_UPDATE_STATUS]);
+    cJSON_AddNumberToObject(parameters, task_manager_json_keys[WM_TASK_ERROR], atoi(upgrade_values[state]));
+    cJSON_AddStringToObject(parameters, task_manager_json_keys[WM_TASK_ERROR_MESSAGE], upgrade_messages[state]);
+    cJSON_AddStringToObject(parameters,  task_manager_json_keys[WM_TASK_STATUS], task_statuses_map[state]);
+    cJSON_AddItemToObject(root, task_manager_json_keys[WM_TASK_PARAMETERS], parameters);
+
+    char *msg_string = cJSON_PrintUnformatted(root);
+    if (wm_sendmsg(msg_delay, *queue_fd, msg_string, task_manager_modules_list[WM_TASK_UPGRADE_MODULE], UPGRADE_MQ) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, QUEUE_ERROR, DEFAULTQUEUE, strerror(errno));
+        if(*queue_fd >= 0){
+            close(*queue_fd);
+        }
+        *queue_fd = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
+        if (*queue_fd < 0) {
+            mterror_exit(WM_AGENT_UPGRADE_LOGTAG, QUEUE_FATAL, DEFAULTQUEUE);
+        }
+    }
+
+    mtdebug1(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_ACK_MESSAGE, msg_string);
+    os_free(msg_string);
+    cJSON_Delete(root);
+}
diff --git a/src/modules/upgrade/src/wm_agent_upgrade_com.c b/src/modules/upgrade/src/wm_agent_upgrade_com.c
new file mode 100644
index 0000000000..f22d60f46e
--- /dev/null
+++ b/src/modules/upgrade/src/wm_agent_upgrade_com.c
@@ -0,0 +1,528 @@
+/*
+ * Wazuh Module for Agent Upgrading
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 30, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+#ifdef WAZUH_UNIT_TESTING
+// Remove static qualifier when unit testing
+#define STATIC
+
+#ifdef WIN32
+#include "unit_tests/wrappers/windows/io_wrappers.h"
+#endif
+
+#else
+#define STATIC static
+#endif
+
+#include <shared.h>
+#include "external/zlib/zlib.h"
+#include "os_crypto/sha1/sha1_op.h"
+#include "os_crypto/signature/signature.h"
+#include "wazuh_modules/wmodules.h"
+#include "wm_agent_upgrade_agent.h"
+
+/**
+ * Static struct to track opened file
+ * */
+STATIC struct {
+    char path[PATH_MAX + 1];
+    FILE * fp;
+} file = {"\0", NULL};
+
+typedef enum _command_error_codes {
+    ERROR_OK = 0,
+    ERROR_UPGRADES_NOT_ALLOWED,
+    ERROR_UNKNOWN_COMMAND,
+    ERROR_PARAMETERS_NOT_FOUND,
+    ERROR_UNSOPPORTED_MODE,
+    ERROR_INVALID_FILE_NAME,
+    ERROR_FILE_OPEN,
+    ERROR_FILE_NOT_OPENED,
+    ERROR_FILE_NOT_OPENED2,
+    ERROR_TARGET_FILE_NOT_MATCH,
+    ERROR_WRITE_FILE,
+    ERROR_CLOSE,
+    ERROR_GEN_SHA1,
+    ERROR_SIGNATURE,
+    ERROR_COMPRESS,
+    ERROR_CLEAN_DIRECTORY,
+    ERROR_UNMERGE,
+    ERROR_CHMOD,
+    ERROR_EXEC,
+    ERROR_CLEAR_UPGRADE_FILE
+} command_error_codes;
+
+STATIC const char * error_messages[] = {
+    [ERROR_OK] = "ok",
+    [ERROR_UPGRADES_NOT_ALLOWED] = "Upgrade module is disabled or not ready yet",
+    [ERROR_UNKNOWN_COMMAND] = "Command not found",
+    [ERROR_PARAMETERS_NOT_FOUND] = "Required parameters were not found",
+    [ERROR_UNSOPPORTED_MODE] = "Unsupported file mode",
+    [ERROR_INVALID_FILE_NAME] = "Invalid file name",
+    [ERROR_FILE_OPEN] = "File Open Error: %s",
+    [ERROR_FILE_NOT_OPENED] = "File not opened. Agent might have been auto-restarted during upgrade",
+    [ERROR_FILE_NOT_OPENED2] = "No file opened",
+    [ERROR_TARGET_FILE_NOT_MATCH] = "The target file doesn't match the opened file",
+    [ERROR_WRITE_FILE] = "Cannot write file",
+    [ERROR_CLOSE] = "Cannot close file",
+    [ERROR_GEN_SHA1] = "Cannot generate SHA1",
+    [ERROR_SIGNATURE] = "Could not verify signature",
+    [ERROR_COMPRESS] = "Could not uncompress package",
+    [ERROR_CLEAN_DIRECTORY] = "Could not clean up upgrade directory",
+    [ERROR_UNMERGE] = "Error unmerging file",
+    [ERROR_CHMOD] = "Could not chmod",
+    [ERROR_EXEC] = "Error executing command",
+    [ERROR_CLEAR_UPGRADE_FILE] = "Could not erase upgrade_result file"
+};
+
+// Variable used to allow new upgrades after confirming the result of the previous upgrade
+bool allow_upgrades = false;
+
+/**
+ * Format message into the response format
+ * @param error_code code error
+ * @param message string message of the error
+ * @return string meessage with the response format
+ * Response format:
+ * {
+ *    "error": {error_code},
+ *    "message": "message",
+ *    "data": []
+ * }
+ * */
+STATIC char* wm_agent_upgrade_command_ack(int error_code, const char* message);
+
+/**
+ * Process a command that opens a file
+ * @param json_obj expected json format parameters
+ * {
+ *    "file":    "file_path",
+ *    "mode":    "wb|w"
+ * }
+ * */
+STATIC char* wm_agent_upgrade_com_open(const cJSON* json_object) __attribute__((nonnull));
+
+/**
+ * Process a command that writes on an already opened file
+ * @param json_obj expected json format
+ * {
+ *    "file":    "file_path",
+ *    "buffer" : "base64_data",
+ *    "length" : {data_length}
+ * }
+ * */
+STATIC char * wm_agent_upgrade_com_write(const cJSON* json_object) __attribute__((nonnull));
+
+/**
+ * Process a command the close an already opened file
+ * @param json_obj expected json format
+ * {
+ *    "file" : "file_path"
+ * }
+ * */
+STATIC char * wm_agent_upgrade_com_close(const cJSON* json_object) __attribute__((nonnull));
+
+/**
+ * Process a command that calculates the sha1 already opened file
+ * @param json_obj expected json format
+ * {
+ *    "file" : "file_path"
+ * }
+ * */
+STATIC char * wm_agent_upgrade_com_sha1(const cJSON* json_object) __attribute__((nonnull));
+
+/**
+ * Process a command that executes an upgrade script
+ * @param json_obj expected json format
+ * {
+ *    "file" : "file_path",
+ *    "installer" : "installer_path"
+ * }
+ * */
+STATIC char * wm_agent_upgrade_com_upgrade(const cJSON* json_object) __attribute__((nonnull));
+
+/**
+ * Process a command that clears the upgrade_result file
+ * */
+STATIC char * wm_agent_upgrade_com_clear_result();
+
+/* Helpers methods */
+STATIC int _jailfile(char finalpath[PATH_MAX + 1], const char * basedir, const char * filename);
+STATIC int _unsign(const char * source, char dest[PATH_MAX + 1]);
+STATIC int _uncompress(const char * source, const char *package, char dest[PATH_MAX + 1]);
+
+size_t wm_agent_upgrade_process_command(const char *buffer, char **output) {
+    cJSON *buffer_obj = cJSON_Parse(buffer);
+
+    if (buffer_obj) {
+        cJSON *command_obj = cJSON_GetObjectItem(buffer_obj, task_manager_json_keys[WM_TASK_COMMAND]);
+
+        if (command_obj && (command_obj->type == cJSON_String)) {
+            const char* command = command_obj->valuestring;
+
+            if (strcmp(command, "clear_upgrade_result") == 0) {
+                *output = wm_agent_upgrade_com_clear_result();
+            } else if (allow_upgrades) {
+                const cJSON *parameters = cJSON_GetObjectItem(buffer_obj, task_manager_json_keys[WM_TASK_PARAMETERS]);
+                if (!parameters) {
+                    *output = wm_agent_upgrade_command_ack(ERROR_PARAMETERS_NOT_FOUND, error_messages[ERROR_PARAMETERS_NOT_FOUND]);
+                } else if (strcmp(command, "open") == 0) {
+                    *output = wm_agent_upgrade_com_open(parameters);
+                } else if (strcmp(command, "write") == 0) {
+                    *output = wm_agent_upgrade_com_write(parameters);
+                } else if (strcmp(command, "close") == 0) {
+                    *output = wm_agent_upgrade_com_close(parameters);
+                } else if (strcmp(command, "sha1") == 0) {
+                    *output = wm_agent_upgrade_com_sha1(parameters);
+                } else if (strcmp(command, "upgrade") == 0) {
+                    *output = wm_agent_upgrade_com_upgrade(parameters);
+                }
+            } else {
+                *output = wm_agent_upgrade_command_ack(ERROR_UPGRADES_NOT_ALLOWED, error_messages[ERROR_UPGRADES_NOT_ALLOWED]);
+            }
+        }
+
+        cJSON_Delete(buffer_obj);
+    }
+
+    if (!(*output)) {
+       *output = wm_agent_upgrade_command_ack(ERROR_UNKNOWN_COMMAND, error_messages[ERROR_UNKNOWN_COMMAND]);
+    }
+
+    return strlen(*output);
+}
+
+STATIC char* wm_agent_upgrade_command_ack(int error_code, const char* message) {
+    cJSON* root = cJSON_CreateObject();
+    cJSON_AddNumberToObject(root, task_manager_json_keys[WM_TASK_ERROR], error_code);
+    cJSON_AddStringToObject(root, task_manager_json_keys[WM_TASK_ERROR_MESSAGE], message);
+    cJSON_AddItemToObject(root, task_manager_json_keys[WM_TASK_DATA], cJSON_CreateArray());
+    char *msg_string = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return msg_string;
+}
+
+STATIC char * wm_agent_upgrade_com_open(const cJSON* json_object) {
+    char final_path[PATH_MAX + 1];
+    const cJSON *mode_obj = cJSON_GetObjectItem(json_object, "mode");
+    const cJSON *file_path_obj = cJSON_GetObjectItem(json_object, "file");
+
+    if (*file.path) {
+        mtwarn(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_FILE_OPENED, "open", file.path);
+        fclose(file.fp);
+        *file.path = '\0';
+    }
+
+    if (!mode_obj || (mode_obj->type != cJSON_String) || (strcmp(mode_obj->valuestring, "w") && strcmp(mode_obj->valuestring, "wb"))) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_UNSUPPORTED_MODE, "open");
+        return wm_agent_upgrade_command_ack(ERROR_UNSOPPORTED_MODE, error_messages[ERROR_UNSOPPORTED_MODE]);
+    }
+
+    if (!file_path_obj || (file_path_obj->type != cJSON_String) || _jailfile(final_path, INCOMING_DIR, file_path_obj->valuestring) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "open");
+        return wm_agent_upgrade_command_ack(ERROR_INVALID_FILE_NAME, error_messages[ERROR_INVALID_FILE_NAME]);
+    }
+
+    if (file.fp = wfopen(final_path, mode_obj->valuestring), file.fp) {
+        snprintf(file.path, sizeof(file.path), "%s", final_path);
+        return wm_agent_upgrade_command_ack(ERROR_OK, error_messages[ERROR_OK]);
+    } else {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, FOPEN_ERROR, file_path_obj->valuestring, errno, strerror(errno));
+        char *output;
+        os_malloc(OS_MAXSTR + 1, output);
+        snprintf(output, OS_MAXSTR + 1, error_messages[ERROR_FILE_OPEN], strerror(errno));
+        char *response = wm_agent_upgrade_command_ack(ERROR_FILE_OPEN, output);
+        os_free(output);
+        return response;
+    }
+}
+
+STATIC char * wm_agent_upgrade_com_write(const cJSON* json_object) {
+    const cJSON *file_path_obj = cJSON_GetObjectItem(json_object, "file");
+    const cJSON *buffer_obj = cJSON_GetObjectItem(json_object, "buffer");
+    const cJSON *value_obj = cJSON_GetObjectItem(json_object, "length");
+    char final_path[PATH_MAX + 1];
+
+    if (!*file.path) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_FILE_NOT_OPENED_AUTO, "write");
+        return wm_agent_upgrade_command_ack(ERROR_FILE_NOT_OPENED, error_messages[ERROR_FILE_NOT_OPENED]);
+    }
+
+    if (!file_path_obj || (file_path_obj->type != cJSON_String) || _jailfile(final_path, INCOMING_DIR, file_path_obj->valuestring) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "write");
+        return wm_agent_upgrade_command_ack(ERROR_INVALID_FILE_NAME, error_messages[ERROR_INVALID_FILE_NAME]);
+    }
+
+    if (strcmp(file.path, final_path) != 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_DIFFERENT_FILE, "write", file.path);
+        return wm_agent_upgrade_command_ack(ERROR_TARGET_FILE_NOT_MATCH, error_messages[ERROR_TARGET_FILE_NOT_MATCH]);
+    }
+
+    char *base64_string = decode_base64(buffer_obj->valuestring);
+    if (value_obj && (value_obj->type == cJSON_Number) && base64_string && fwrite(base64_string, 1, value_obj->valueint, file.fp) == (unsigned)value_obj->valueint) {
+        os_free(base64_string);
+        return wm_agent_upgrade_command_ack(ERROR_OK, error_messages[ERROR_OK]);
+    } else {
+        os_free(base64_string);
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_CANNOT_WRITE, "write", final_path);
+        return wm_agent_upgrade_command_ack(ERROR_WRITE_FILE, error_messages[ERROR_WRITE_FILE]);
+    }
+}
+
+STATIC char * wm_agent_upgrade_com_close(const cJSON* json_object) {
+    const cJSON *file_path_obj = cJSON_GetObjectItem(json_object, "file");
+    char final_path[PATH_MAX + 1];
+
+    if (!*file.path) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_FILE_NOT_OPENED, "close");
+        return wm_agent_upgrade_command_ack(ERROR_FILE_NOT_OPENED2, error_messages[ERROR_FILE_NOT_OPENED2]);
+    }
+
+    if (!file_path_obj || (file_path_obj->type != cJSON_String) || _jailfile(final_path, INCOMING_DIR, file_path_obj->valuestring) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "close");
+        return wm_agent_upgrade_command_ack(ERROR_INVALID_FILE_NAME, error_messages[ERROR_INVALID_FILE_NAME]);
+    }
+
+    if (strcmp(file.path, final_path) != 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_DIFFERENT_FILE, "close", file.path);
+        return wm_agent_upgrade_command_ack(ERROR_TARGET_FILE_NOT_MATCH, error_messages[ERROR_TARGET_FILE_NOT_MATCH]);
+    }
+
+    *file.path = '\0';
+
+    if (fclose(file.fp)) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_GERENIC_ERROR, "close", strerror(errno));
+        return wm_agent_upgrade_command_ack(ERROR_CLOSE, error_messages[ERROR_CLOSE]);
+    }
+
+    return wm_agent_upgrade_command_ack(ERROR_OK, error_messages[ERROR_OK]);
+}
+
+STATIC char * wm_agent_upgrade_com_sha1(const cJSON* json_object) {
+    const cJSON *file_path_obj = cJSON_GetObjectItem(json_object, "file");
+    char final_path[PATH_MAX + 1];
+    os_sha1 sha1;
+
+    if (!file_path_obj || (file_path_obj->type != cJSON_String) || _jailfile(final_path, INCOMING_DIR, file_path_obj->valuestring) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "sha1");
+        return wm_agent_upgrade_command_ack(ERROR_INVALID_FILE_NAME, error_messages[ERROR_INVALID_FILE_NAME]);
+    }
+
+    if (OS_SHA1_File(final_path, sha1, OS_BINARY) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_GENERATING_SHA1_ERROR, "sha1");
+        return wm_agent_upgrade_command_ack(ERROR_GEN_SHA1, error_messages[ERROR_GEN_SHA1]);
+    }
+
+    return wm_agent_upgrade_command_ack(ERROR_OK, sha1);
+}
+
+STATIC char * wm_agent_upgrade_com_upgrade(const cJSON* json_object) {
+    char compressed[PATH_MAX + 1];
+    char merged[PATH_MAX + 1];
+    char installer_j[PATH_MAX + 1];
+    const cJSON *package_obj = cJSON_GetObjectItem(json_object, "file");
+    const cJSON *installer_obj = cJSON_GetObjectItem(json_object, "installer");
+    int status = 0;
+    char *out;
+
+    int req_timeout = getDefine_Int("execd", "request_timeout", 1, 3600);
+
+    // Unsign
+    if (!package_obj || (package_obj->type != cJSON_String) || _unsign(package_obj->valuestring, compressed) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_GERENIC_ERROR, "upgrade", error_messages[ERROR_SIGNATURE]);
+        return wm_agent_upgrade_command_ack(ERROR_SIGNATURE, error_messages[ERROR_SIGNATURE]);
+    }
+
+    // Uncompress
+    if (_uncompress(compressed, package_obj->valuestring, merged) < 0) {
+        unlink(compressed);
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_GERENIC_ERROR, "upgrade", error_messages[ERROR_COMPRESS]);
+        return wm_agent_upgrade_command_ack(ERROR_COMPRESS, error_messages[ERROR_COMPRESS]);
+    }
+
+    // Clean up upgrade folder
+    if (cldir_ex(UPGRADE_DIR)) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_GERENIC_ERROR, "upgrade", error_messages[ERROR_CLEAN_DIRECTORY]);
+        return wm_agent_upgrade_command_ack(ERROR_CLEAN_DIRECTORY, error_messages[ERROR_CLEAN_DIRECTORY]);
+    }
+
+    //Unmerge
+    if (UnmergeFiles(merged, UPGRADE_DIR, OS_BINARY, NULL) == 0) {
+        unlink(merged);
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_UNMERGING_FILE_ERROR, "upgrade", merged);
+        return wm_agent_upgrade_command_ack(ERROR_UNMERGE, error_messages[ERROR_UNMERGE]);
+    }
+
+    unlink(merged);
+
+    // Installer executable file
+    if (!installer_obj || (installer_obj->type != cJSON_String) || _jailfile(installer_j, UPGRADE_DIR, installer_obj->valuestring) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "upgrade");
+        return wm_agent_upgrade_command_ack(ERROR_INVALID_FILE_NAME, error_messages[ERROR_INVALID_FILE_NAME]);
+    }
+
+    // Execute
+#ifndef WIN32
+    if (chmod(installer_j, 0750) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_CHMOD_ERROR, "upgrade", installer_j);
+        return wm_agent_upgrade_command_ack(ERROR_CHMOD, error_messages[ERROR_CHMOD]);
+    }
+#endif
+
+    if (wm_exec(installer_j, &out, &status, req_timeout, NULL) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_COMMAND_ERROR, "upgrade", installer_j);
+        os_free(out);
+        return wm_agent_upgrade_command_ack(ERROR_EXEC, error_messages[ERROR_EXEC]);
+    } else {
+        char status_str[5];
+        sprintf(status_str, "%d", status);
+        os_free(out);
+        return wm_agent_upgrade_command_ack(ERROR_OK, status_str);
+    }
+}
+
+STATIC char * wm_agent_upgrade_com_clear_result() {
+    const char * PATH = WM_AGENT_UPGRADE_RESULT_FILE;
+    if (remove(PATH) == 0) {
+        allow_upgrades = true;
+        return wm_agent_upgrade_command_ack(ERROR_OK, error_messages[ERROR_OK]);
+    } else {
+        mtdebug1(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_ERASE_FILE_ERROR, "clear_upgrade_result", PATH);
+        return wm_agent_upgrade_command_ack(ERROR_CLEAR_UPGRADE_FILE, error_messages[ERROR_CLEAR_UPGRADE_FILE]);
+    }
+}
+
+STATIC int _jailfile(char finalpath[PATH_MAX + 1], const char * basedir, const char * filename) {
+
+    if (w_ref_parent_folder(filename)) {
+        return -1;
+    }
+
+#ifndef WIN32
+    return snprintf(finalpath, PATH_MAX + 1, "%s/%s", basedir, filename) > PATH_MAX ? -1 : 0;
+#else
+    return snprintf(finalpath, PATH_MAX + 1, "%s\\%s", basedir, filename) > PATH_MAX ? -1 : 0;
+#endif
+}
+
+STATIC int _unsign(const char * source, char dest[PATH_MAX + 1]) {
+    const char TEMPLATE[] = ".gz.XXXXXX";
+    char source_j[PATH_MAX + 1];
+    size_t length;
+    int output = 0;
+
+    if (_jailfile(source_j, INCOMING_DIR, source) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "unsign()");
+        return -1;
+    }
+
+    if (_jailfile(dest, TMP_DIR, source) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "unsign()");
+        return -1;
+    }
+
+    // Skipping coverage: In the linux case, the difference between TMP_DIR and INCOMING_DIR is exactly 10
+    // which causes an error in the _jailfile instead of here
+    // LCOV_EXCL_START
+    if (length = strlen(dest), length + 10 > PATH_MAX) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_TOO_LONG_TEMP_FILE, "unsign()");
+        return -1;
+    }
+    // LCOV_EXCL_STOP
+
+    memcpy(dest + length, TEMPLATE, sizeof(TEMPLATE));
+    mode_t old_mask = umask(0022);
+#ifndef WIN32
+    int fd;
+
+    if (fd = mkstemp(dest), fd >= 0) {
+        close(fd);
+
+        if (chmod(dest, 0640) < 0) {
+            unlink(dest);
+            mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_CHMOD_ERROR, "unsign()", dest);
+            output = -1;
+        }
+    } else {
+#else
+    if (_mktemp_s(dest, strlen(dest) + 1)) {
+#endif
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_COMPRESSED_FILE_ERROR, "unsign()");
+        output = -1;
+    }
+
+    if ((output == 0) && w_wpk_unsign(source_j, dest, (const char **)wcom_ca_store) < 0) {
+        unlink(dest);
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_UNSIGN_FILE_ERROR, "unsign()", source_j);
+        output = -1;
+    }
+    umask(old_mask);
+    unlink(source);
+    return output;
+}
+
+STATIC int _uncompress(const char * source, const char *package, char dest[PATH_MAX + 1]) {
+    const char TEMPLATE[] = ".mg.XXXXXX";
+    char buffer[4096];
+    gzFile fsource;
+    FILE *ftarget;
+
+    if (_jailfile(dest, TMP_DIR, package) < 0) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_INVALID_FILE_NAME, "uncompress()");
+        return -1;
+    }
+
+    {
+        size_t length;
+
+        if (length = strlen(dest), length + 10 > PATH_MAX) {
+            mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_TOO_LONG_TEMP_FILE, "uncompress()");
+            return -1;
+        }
+
+        memcpy(dest + length, TEMPLATE, sizeof(TEMPLATE));
+    }
+
+    if (fsource = gzopen(source, "rb"), !fsource) {
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_FILE_OPEN_ERROR, "uncompress()", source);
+        return -1;
+    }
+
+    if (ftarget = wfopen(dest, "wb"), !ftarget) {
+        gzclose(fsource);
+        mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_FILE_OPEN_ERROR, "uncompress()", dest);
+        return -1;
+    }
+
+    {
+        int length;
+
+        while (length = gzread(fsource, buffer, sizeof(buffer)), length > 0) {
+            if ((int)fwrite(buffer, 1, length, ftarget) != length) {
+                unlink(dest);
+                gzclose(fsource);
+                fclose(ftarget);
+                mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_CANNOT_WRITE, "uncompress()", source);
+                return -1;
+            }
+        }
+
+        gzclose(fsource);
+        fclose(ftarget);
+
+        if (length < 0) {
+            unlink(dest);
+            mterror(WM_AGENT_UPGRADE_LOGTAG, WM_UPGRADE_CANNOT_READ, "uncompress()", source);
+            return -1;
+        }
+    }
+
+    unlink(source);
+    return 0;
+}
diff --git a/src/modules/upgrade/src/wm_task_general.c b/src/modules/upgrade/src/wm_task_general.c
new file mode 100644
index 0000000000..fba65d9b9d
--- /dev/null
+++ b/src/modules/upgrade/src/wm_task_general.c
@@ -0,0 +1,63 @@
+/*
+ * Wazuh Module for Task management.
+ * Copyright (C) 2015, Wazuh Inc.
+ * July 13, 2020.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include "wm_task_general.h"
+
+const char *task_manager_json_keys[] = {
+    // Request
+    [WM_TASK_ORIGIN] = "origin",
+    [WM_TASK_NAME] = "name",
+    [WM_TASK_MODULE] = "module",
+    [WM_TASK_COMMAND] = "command",
+    [WM_TASK_PARAMETERS] = "parameters",
+    [WM_TASK_AGENTS] = "agents",
+    // Response
+    [WM_TASK_ERROR] = "error",
+    [WM_TASK_DATA] = "data",
+    [WM_TASK_ERROR_MESSAGE] = "message",
+    [WM_TASK_AGENT_ID] = "agent",
+    [WM_TASK_TASK_ID] = "task_id",
+    [WM_TASK_NODE] = "node",
+    [WM_TASK_STATUS] = "status",
+    [WM_TASK_ERROR_MSG] = "error_msg",
+    [WM_TASK_CREATE_TIME] = "create_time",
+    [WM_TASK_LAST_UPDATE_TIME] = "update_time",
+    // Clean tasks request
+    [WM_TASK_NOW] = "now",
+    [WM_TASK_INTERVAL] = "interval",
+    [WM_TASK_TIMESTAMP] = "timestamp"
+};
+
+const char *task_manager_commands_list[] = {
+    [WM_TASK_UPGRADE] = "upgrade",
+    [WM_TASK_UPGRADE_CUSTOM] = "upgrade_custom",
+    [WM_TASK_UPGRADE_GET_STATUS] = "upgrade_get_status",
+    [WM_TASK_UPGRADE_UPDATE_STATUS] = "upgrade_update_status",
+    [WM_TASK_UPGRADE_RESULT] = "upgrade_result",
+    [WM_TASK_UPGRADE_CANCEL_TASKS] = "upgrade_cancel_tasks",
+    [WM_TASK_SET_TIMEOUT] = "set_timeout",
+    [WM_TASK_DELETE_OLD] = "delete_old"
+};
+
+const char *task_manager_modules_list[] = {
+    [WM_TASK_UPGRADE_MODULE] = "upgrade_module",
+    [WM_TASK_API_MODULE] = "api"
+};
+
+const char *task_statuses[] = {
+    [WM_TASK_PENDING] = WM_TASK_STATUS_PENDING,
+    [WM_TASK_IN_PROGRESS] = WM_TASK_STATUS_IN_PROGRESS,
+    [WM_TASK_DONE] = WM_TASK_STATUS_DONE,
+    [WM_TASK_FAILED] = WM_TASK_STATUS_FAILED,
+    [WM_TASK_CANCELLED] = WM_TASK_STATUS_CANCELLED,
+    [WM_TASK_TIMEOUT] = WM_TASK_STATUS_TIMEOUT,
+    [WM_TASK_LEGACY] = WM_TASK_STATUS_LEGACY
+};
diff --git a/src/modules/upgrade/tests/unit/tests/CMakeLists.txt b/src/modules/upgrade/tests/unit/tests/CMakeLists.txt
new file mode 100644
index 0000000000..199af8aa2f
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/tests/CMakeLists.txt
@@ -0,0 +1,113 @@
+# Generate agent upgrade library
+file(GLOB upgrade_files
+    ${SRC_FOLDER}/wazuh_modules/*.o
+    ${SRC_FOLDER}/wazuh_modules/agent_upgrade/*.o
+    ${SRC_FOLDER}/wazuh_modules/agent_upgrade/agent/*.o
+    ${SRC_FOLDER}/wazuh_modules/agent_upgrade/manager/*.o)
+list(REMOVE_ITEM upgrade_files ${SRC_FOLDER}/wazuh_modules/main.o)
+
+add_library(UPGRADE_O STATIC ${upgrade_files})
+
+set_source_files_properties(
+    ${upgrade_files}
+    PROPERTIES
+    EXTERNAL_OBJECT true
+    GENERATED true
+)
+
+set_target_properties(
+    UPGRADE_O
+    PROPERTIES
+    LINKER_LANGUAGE C
+)
+
+target_link_libraries(UPGRADE_O ${WAZUHLIB} ${WAZUHEXT} -lpthread)
+
+#include wrappers
+include(${SRC_FOLDER}/unit_tests/wrappers/wazuh/shared/shared.cmake)
+
+# Generate agent upgrade tests
+list(APPEND upgrade_names "test_wm_agent_upgrade")
+list(APPEND upgrade_flags "-Wl,--wrap,_mtinfo -Wl,--wrap,wm_agent_upgrade_start_agent_module -Wl,--wrap,wm_agent_upgrade_start_manager_module -Wl,--wrap,getpid -Wl,--wrap,unlink")
+
+if(${TARGET} STREQUAL "server")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_manager")
+    list(APPEND upgrade_flags "-Wl,--wrap,OS_BindUnixDomainWithPerms -Wl,--wrap,select -Wl,--wrap,close -Wl,--wrap,accept -Wl,--wrap,OS_RecvSecureTCP -Wl,--wrap,OS_SendSecureTCP \
+                            -Wl,--wrap,wm_agent_upgrade_parse_message -Wl,--wrap,wm_agent_upgrade_process_upgrade_command -Wl,--wrap,wm_agent_upgrade_process_upgrade_custom_command -Wl,--wrap,wm_agent_upgrade_process_agent_result_command \
+                            -Wl,--wrap,wm_agent_upgrade_parse_response -Wl,--wrap,wm_agent_upgrade_cancel_pending_upgrades -Wl,--wrap,wm_agent_upgrade_process_upgrade_result_command -Wl,--wrap,sleep -Wl,--wrap,CreateThread -Wl,--wrap,pthread_exit -Wl,--wrap,getpid \
+                            ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_parsing")
+    list(APPEND upgrade_flags "-Wl,--wrap,OS_ReadXML -Wl,--wrap,OS_GetOneContentforElement -Wl,--wrap,OS_ClearXML ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_validate")
+    list(APPEND upgrade_flags "-Wl,--wrap,wurl_http_get -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,OS_SHA1_File -Wl,--wrap,wurl_request -Wl,--wrap,sleep -Wl,--wrap,wfopen \
+                               -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,getpid -Wl,--wrap,fgetpos -Wl,--wrap=fgetc \
+                               -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_tasks")
+    list(APPEND upgrade_flags "-Wl,--wrap,OS_ConnectUnixDomain -Wl,--wrap,OS_SendSecureTCP -Wl,--wrap,OS_RecvSecureTCP -Wl,--wrap,close -Wl,--wrap,w_create_sendsync_payload -Wl,--wrap,w_send_clustered_message \
+                            -Wl,--wrap,w_is_worker -Wl,--wrap,cJSON_Duplicate -Wl,--wrap,getpid ${HASH_OP_WRAPPERS} ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_tasks_callbacks")
+    list(APPEND upgrade_flags "-Wl,--wrap,wm_agent_upgrade_validate_task_ids_message -Wl,--wrap,wm_agent_upgrade_remove_entry \
+                            -Wl,--wrap,wm_agent_upgrade_parse_data_response -Wl,--wrap,wm_agent_upgrade_parse_response -Wl,--wrap,wm_agent_upgrade_validate_task_status_message -Wl,--wrap,wm_agent_upgrade_send_command_to_agent \
+                            -Wl,--wrap,wm_agent_upgrade_parse_agent_response -Wl,--wrap,wm_agent_upgrade_send_tasks_information -Wl,--wrap,wm_agent_upgrade_parse_agent_upgrade_command_response ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_commands")
+    list(APPEND upgrade_flags "-Wl,--wrap,wm_agent_upgrade_parse_task_module_request -Wl,--wrap,wm_agent_upgrade_task_module_callback -Wl,--wrap,wm_agent_upgrade_validate_task_status_message -Wl,--wrap,wm_agent_upgrade_validate_id \
+                            -Wl,--wrap,wm_agent_upgrade_validate_status -Wl,--wrap,wm_agent_upgrade_validate_system -Wl,--wrap,wm_agent_upgrade_validate_version -Wl,--wrap,wdb_get_agent_info -Wl,--wrap,wm_agent_upgrade_create_task_entry \
+                            -Wl,--wrap,wm_agent_upgrade_parse_data_response -Wl,--wrap,wm_agent_upgrade_parse_response -Wl,--wrap,wm_agent_upgrade_prepare_upgrades -Wl,--wrap,wm_agent_upgrade_get_agent_ids ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_upgrades")
+    list(APPEND upgrade_flags "-Wl,--wrap,OS_ConnectUnixDomain -Wl,--wrap,OS_SendSecureTCP -Wl,--wrap,OS_RecvSecureTCP -Wl,--wrap,close -Wl,--wrap,popen \
+                            -Wl,--wrap,wm_agent_upgrade_parse_task_module_request -Wl,--wrap,wm_agent_upgrade_task_module_callback -Wl,--wrap,wm_agent_upgrade_parse_agent_response -Wl,--wrap,fopen -Wl,--wrap,fread -Wl,--wrap,fclose \
+                            -Wl,--wrap,OS_SHA1_File -Wl,--wrap,wm_agent_upgrade_get_first_node -Wl,--wrap,wm_agent_upgrade_get_next_node -Wl,--wrap,compare_wazuh_versions -Wl,--wrap,wm_agent_upgrade_remove_entry \
+                            -Wl,--wrap,wm_agent_upgrade_validate_task_status_message -Wl,--wrap,wm_agent_upgrade_validate_wpk -Wl,--wrap,wm_agent_upgrade_validate_wpk_custom -Wl,--wrap,wm_agent_upgrade_validate_wpk_version \
+                            -Wl,--wrap,linked_queue_push_ex -Wl,--wrap,linked_queue_pop_ex -Wl,--wrap,pthread_cond_signal -Wl,--wrap,pthread_cond_wait -Wl,--wrap,CreateThread -Wl,--wrap,wfopen \
+                            -Wl,--wrap,wm_agent_upgrade_parse_agent_upgrade_command_response -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,getpid -Wl,--wrap,fgetpos -Wl,--wrap=fgetc \
+                            ${DEBUG_OP_WRAPPERS}")
+
+else()
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_agent")
+    list(APPEND upgrade_flags "-Wl,--wrap,wm_sendmsg -Wl,--wrap,fopen -Wl,--wrap,fgets -Wl,--wrap,fclose -Wl,--wrap,StartMQ -Wl,--wrap,sleep -Wl,--wrap,close -Wl,--wrap,wfopen \
+                               -Wl,--wrap,OS_BindUnixDomain -Wl,--wrap,select -Wl,--wrap,close -Wl,--wrap,accept -Wl,--wrap,OS_RecvSecureTCP -Wl,--wrap,OS_SendSecureTCP -Wl,--wrap,wm_agent_upgrade_process_command \
+                               -Wl,--wrap,fflush -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove -Wl,--wrap,getpid -Wl,--wrap,CreateThread -Wl,--wrap,unlink -Wl,--wrap,fgetpos -Wl,--wrap=fgetc \
+                               -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+    list(APPEND upgrade_names "test_wm_agent_upgrade_com")
+    list(APPEND upgrade_flags "-Wl,--wrap,w_ref_parent_folder -Wl,--wrap,w_wpk_unsign -Wl,--wrap,unlink -Wl,--wrap,getpid -Wl,--wrap,gzopen \
+                               -Wl,--wrap,fopen -Wl,--wrap,fclose -Wl,--wrap,fflush -Wl,--wrap,fgets -Wl,--wrap,fread -Wl,--wrap,fseek -Wl,--wrap,fwrite -Wl,--wrap,remove \
+                               -Wl,--wrap,gzclose -Wl,--wrap,gzread -Wl,--wrap,mkstemp -Wl,--wrap,atexit -Wl,--wrap,chmod -Wl,--wrap,stat -Wl,--wrap,wfopen \
+                               -Wl,--wrap,OS_SHA1_File -Wl,--wrap,getDefine_Int -Wl,--wrap,cldir_ex -Wl,--wrap,UnmergeFiles -Wl,--wrap,wm_exec -Wl,--wrap,remove \
+                               -Wl,--wrap,fgetpos -Wl,--wrap=fgetc  -Wl,--wrap,popen ${DEBUG_OP_WRAPPERS}")
+
+endif()
+
+# Compiling tests
+list(LENGTH upgrade_names count)
+math(EXPR count "${count} - 1")
+foreach(counter RANGE ${count})
+    list(GET upgrade_names ${counter} test_name)
+    list(GET upgrade_flags ${counter} test_flags)
+
+    add_executable(${test_name} ${test_name}.c)
+
+    target_link_libraries(
+        ${test_name}
+        ${WAZUHLIB}
+        ${WAZUHEXT}
+        UPGRADE_O
+        ${TEST_DEPS}
+    )
+
+    if(NOT test_flags STREQUAL " ")
+        target_link_libraries(
+            ${test_name}
+            ${test_flags}
+        )
+    endif()
+    add_test(NAME ${test_name} COMMAND ${test_name})
+endforeach()
diff --git a/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade.c b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade.c
new file mode 100644
index 0000000000..4f6efb5405
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../../wrappers/posix/pthread_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_agent_upgrade_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_agent_upgrade_agent_wrappers.h"
+
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/agent_upgrade/wm_agent_upgrade.h"
+#include "../../headers/shared.h"
+
+void* wm_agent_upgrade_main(wm_agent_upgrade* upgrade_config);
+void wm_agent_upgrade_destroy(wm_agent_upgrade* upgrade_config);
+cJSON *wm_agent_upgrade_dump(const wm_agent_upgrade* upgrade_config);
+
+// Setup / teardown
+
+static int setup_group(void **state) {
+    wm_agent_upgrade *config = NULL;
+    os_calloc(1, sizeof(wm_agent_upgrade), config);
+    *state = config;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    wm_agent_upgrade *config = *state;
+    #ifdef TEST_SERVER
+    os_free(config->manager_config.wpk_repository);
+    #else
+    if (wcom_ca_store) {
+        for (int i=0; wcom_ca_store[i]; i++) {
+            os_free(wcom_ca_store[i]);
+        }
+        os_free(wcom_ca_store);
+    }
+    #endif
+    os_free(config);
+    return 0;
+}
+
+static int teardown_json(void **state) {
+    if (state[1]) {
+        cJSON *json = state[1];
+        cJSON_Delete(json);
+    }
+    return 0;
+}
+
+// Tests
+
+void test_wm_agent_upgrade_dump_enabled(void **state)
+{
+    wm_agent_upgrade *config = *state;
+
+    config->enabled = 1;
+
+    #ifdef TEST_SERVER
+    os_strdup("wazuh.com/packages", config->manager_config.wpk_repository);
+    config->manager_config.chunk_size = 512;
+    config->manager_config.max_threads = 8;
+    #else
+    config->agent_config.enable_ca_verification = 1;
+    os_calloc(2, sizeof(char*), wcom_ca_store);
+    os_strdup(DEF_CA_STORE, wcom_ca_store[0]);
+    wcom_ca_store[1] = NULL;
+    #endif
+
+    cJSON *ret = wm_agent_upgrade_dump(config);
+
+    state[1] = ret;
+
+    assert_non_null(ret);
+    cJSON *conf = cJSON_GetObjectItem(ret, "agent-upgrade");
+    assert_non_null(conf);
+    assert_non_null(cJSON_GetObjectItem(conf, "enabled"));
+    assert_string_equal(cJSON_GetObjectItem(conf, "enabled")->valuestring, "yes");
+    #ifdef TEST_SERVER
+    assert_int_equal(cJSON_GetObjectItem(conf, "max_threads")->valueint, 8);
+    assert_int_equal(cJSON_GetObjectItem(conf, "chunk_size")->valueint, 512);
+    assert_non_null(cJSON_GetObjectItem(conf, "wpk_repository"));
+    assert_string_equal(cJSON_GetObjectItem(conf, "wpk_repository")->valuestring, "wazuh.com/packages");
+    #else
+    assert_non_null(cJSON_GetObjectItem(conf, "ca_verification"));
+    assert_string_equal(cJSON_GetObjectItem(conf, "ca_verification")->valuestring, "yes");
+    cJSON *certs = cJSON_GetObjectItem(conf, "ca_store");
+    assert_non_null(certs);
+    assert_int_equal(cJSON_GetArraySize(certs), 1);
+    assert_string_equal(cJSON_GetArrayItem(certs, 0)->valuestring, DEF_CA_STORE);
+    assert_null(cJSON_GetArrayItem(certs, 1));
+    #endif
+}
+
+void test_wm_agent_upgrade_dump_disabled(void **state)
+{
+    wm_agent_upgrade *config = *state;
+
+    config->enabled = 0;
+
+    #ifdef TEST_SERVER
+    os_free(config->manager_config.wpk_repository);
+    #else
+    config->agent_config.enable_ca_verification = 0;
+    if (wcom_ca_store) {
+        for (int i=0; wcom_ca_store[i]; i++) {
+            os_free(wcom_ca_store[i]);
+        }
+        os_free(wcom_ca_store);
+    }
+    #endif
+
+    cJSON *ret = wm_agent_upgrade_dump(config);
+
+    state[1] = ret;
+
+    assert_non_null(ret);
+    cJSON *conf = cJSON_GetObjectItem(ret, "agent-upgrade");
+    assert_non_null(conf);
+    assert_non_null(cJSON_GetObjectItem(conf, "enabled"));
+    assert_string_equal(cJSON_GetObjectItem(conf, "enabled")->valuestring, "no");
+    #ifndef TEST_SERVER
+    assert_non_null(cJSON_GetObjectItem(conf, "ca_verification"));
+    assert_string_equal(cJSON_GetObjectItem(conf, "ca_verification")->valuestring, "no");
+    cJSON *certs = cJSON_GetObjectItem(conf, "ca_store");
+    assert_null(certs);
+    #endif
+}
+
+void test_wm_agent_upgrade_destroy(void **state)
+{
+    wm_agent_upgrade *config = NULL;
+    os_calloc(1, sizeof(wm_agent_upgrade), config);
+
+    #ifdef TEST_SERVER
+    os_strdup("wazuh.com/packages", config->manager_config.wpk_repository);
+    #endif
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtinfo, formatted_msg, "(8154): Module Agent Upgrade finished.");
+
+    wm_agent_upgrade_destroy(config);
+}
+
+void test_wm_agent_upgrade_main_ok(void **state)
+{
+    wm_agent_upgrade *config = *state;
+
+    config->enabled = 1;
+
+    #ifdef TEST_SERVER
+    expect_memory(__wrap_wm_agent_upgrade_start_manager_module, manager_configs, &config->manager_config, sizeof(&config->manager_config));
+    expect_value(__wrap_wm_agent_upgrade_start_manager_module, enabled, config->enabled);
+    #else
+    expect_memory(__wrap_wm_agent_upgrade_start_agent_module, agent_config, &config->agent_config, sizeof(&config->agent_config));
+    expect_value(__wrap_wm_agent_upgrade_start_agent_module, enabled, config->enabled);
+    #endif
+
+    wm_agent_upgrade_main(config);
+}
+
+void test_wm_agent_upgrade_main_disabled(void **state)
+{
+    wm_agent_upgrade *config = *state;
+
+    config->enabled = 0;
+
+    #ifdef TEST_SERVER
+    expect_memory(__wrap_wm_agent_upgrade_start_manager_module, manager_configs, &config->manager_config, sizeof(&config->manager_config));
+    expect_value(__wrap_wm_agent_upgrade_start_manager_module, enabled, config->enabled);
+    #else
+    expect_memory(__wrap_wm_agent_upgrade_start_agent_module, agent_config, &config->agent_config, sizeof(&config->agent_config));
+    expect_value(__wrap_wm_agent_upgrade_start_agent_module, enabled, config->enabled);
+    #endif
+
+    wm_agent_upgrade_main(config);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // wm_agent_upgrade_dump
+        cmocka_unit_test_teardown(test_wm_agent_upgrade_dump_enabled, teardown_json),
+        cmocka_unit_test_teardown(test_wm_agent_upgrade_dump_disabled, teardown_json),
+        // wm_task_manager_destroy
+        cmocka_unit_test(test_wm_agent_upgrade_destroy),
+        // wm_agent_upgrade_main
+        cmocka_unit_test(test_wm_agent_upgrade_main_ok),
+        cmocka_unit_test(test_wm_agent_upgrade_main_disabled)
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_agent.c b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_agent.c
new file mode 100644
index 0000000000..cc3e6010aa
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_agent.c
@@ -0,0 +1,1070 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../../wrappers/common.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+#include "../../wrappers/posix/select_wrappers.h"
+#include "../../wrappers/posix/unistd_wrappers.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/mq_op_wrappers.h"
+#include "../../wrappers/wazuh/os_net/os_net_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wmodules_wrappers.h"
+#include "../../wrappers/wazuh/wazuh_modules/wm_agent_upgrade_wrappers.h"
+
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/agent_upgrade/agent/wm_agent_upgrade_agent.h"
+#include "../../headers/shared.h"
+
+#ifndef TEST_WINAGENT
+void wm_agent_upgrade_listen_messages(const wm_agent_configs* agent_configs);
+#endif
+void wm_agent_upgrade_check_status(const wm_agent_configs* agent_config);
+bool wm_upgrade_agent_search_upgrade_result(int *queue_fd);
+void wm_upgrade_agent_send_ack_message(int *queue_fd, wm_upgrade_agent_state state);
+
+// Setup / teardown
+
+static int setup_group(void **state) {
+    wm_agent_configs *config = NULL;
+    os_calloc(1, sizeof(wm_agent_configs), config);
+    *state = config;
+    test_mode = 1;
+    return 0;
+}
+
+static int teardown_group(void **state) {
+    wm_agent_configs *config = *state;
+    os_free(config);
+    test_mode = 0;
+    return 0;
+}
+
+static int setup_test_executions(void **state) {
+    wm_max_eps = 1;
+    return 0;
+}
+
+// Wrappers
+
+int __wrap_accept() {
+    return mock();
+}
+
+int __wrap_CreateThread(void * (*function_pointer)(void *), void *data) {
+    check_expected_ptr(function_pointer);
+    return 1;
+}
+
+// Tests
+
+void test_wm_upgrade_agent_send_ack_message_successful(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+    wm_upgrade_agent_send_ack_message(&queue, upgrade_state);
+
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_send_ack_message_failed(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":2,"
+                                                           "\"message\":\"Upgrade failed\","
+                                                           "\"status\":\"Failed\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":2,"
+                                                                 "\"message\":\"Upgrade failed\","
+                                                                 "\"status\":\"Failed\"}}'");
+
+    wm_upgrade_agent_send_ack_message(&queue, upgrade_state);
+
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_send_ack_message_error(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = -1;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":2,"
+                                                           "\"message\":\"Upgrade failed\","
+                                                           "\"status\":\"Failed\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Success'");
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, 1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":2,"
+                                                                 "\"message\":\"Upgrade failed\","
+                                                                 "\"status\":\"Failed\"}}'");
+
+    wm_upgrade_agent_send_ack_message(&queue, upgrade_state);
+
+    assert_int_equal(queue, 1);
+}
+
+void test_wm_upgrade_agent_send_ack_message_error_exit(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = -1;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":2,"
+                                                           "\"message\":\"Upgrade failed\","
+                                                           "\"status\":\"Failed\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(1210): Queue 'queue/sockets/queue' not accessible: 'Success'");
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, -1);
+
+    expect_string(__wrap__mterror_exit, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror_exit, formatted_msg, "(1211): Unable to access queue: 'queue/sockets/queue'. Giving up.");
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":2,"
+                                                                 "\"message\":\"Upgrade failed\","
+                                                                 "\"status\":\"Failed\"}}'");
+
+    wm_upgrade_agent_send_ack_message(&queue, upgrade_state);
+
+    assert_int_equal(queue, -1);
+}
+
+void test_wm_upgrade_agent_search_upgrade_result_successful(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+    int ret = wm_upgrade_agent_search_upgrade_result(&queue);
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_search_upgrade_result_failed_missing_dependency(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED_DEPENDENCY;
+
+    expect_string(__wrap_fopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_fopen, mode, "r");
+    will_return(__wrap_fopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "1\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "1\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":1,"
+                                                           "\"message\":\"Upgrade failed due missing dependency\","
+                                                           "\"status\":\"Failed\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":1,"
+                                                                 "\"message\":\"Upgrade failed due missing dependency\","
+                                                                 "\"status\":\"Failed\"}}'");
+
+    int ret = wm_upgrade_agent_search_upgrade_result(&queue);
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_search_upgrade_result_failed(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "2\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "2\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":2,"
+                                                           "\"message\":\"Upgrade failed\","
+                                                           "\"status\":\"Failed\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":2,"
+                                                                 "\"message\":\"Upgrade failed\","
+                                                                 "\"status\":\"Failed\"}}'");
+
+    int ret = wm_upgrade_agent_search_upgrade_result(&queue);
+
+    assert_int_equal(ret, 1);
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_search_upgrade_result_error_open(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, NULL);
+
+    int ret = wm_upgrade_agent_search_upgrade_result(&queue);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_upgrade_agent_search_upgrade_result_error_code(void **state)
+{
+    (void) state;
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_FAILED;
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "5\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "5\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    int ret = wm_upgrade_agent_search_upgrade_result(&queue);
+
+    assert_int_equal(ret, 0);
+    assert_int_equal(queue, 0);
+}
+
+void test_wm_agent_upgrade_check_status_successful(void **state)
+{
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+    wm_agent_configs *config = *state;
+
+    config->upgrade_wait_start = 1;
+    config->upgrade_wait_max = 10;
+    config->upgrade_wait_factor_increase = 3;
+
+    allow_upgrades = false;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, queue);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, config->upgrade_wait_start * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, config->upgrade_wait_start);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, NULL);
+
+    wm_agent_upgrade_check_status(config);
+
+    assert_int_equal(allow_upgrades, true);
+}
+
+void test_wm_agent_upgrade_check_status_time_limit(void **state)
+{
+    int queue = 0;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+    wm_agent_configs *config = *state;
+
+    config->upgrade_wait_start = 1;
+    config->upgrade_wait_max = 10;
+    config->upgrade_wait_factor_increase = 3;
+
+    allow_upgrades = false;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, queue);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, config->upgrade_wait_start  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, config->upgrade_wait_start);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, config->upgrade_wait_start * config->upgrade_wait_factor_increase  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, config->upgrade_wait_start * config->upgrade_wait_factor_increase);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, config->upgrade_wait_start * config->upgrade_wait_factor_increase * config->upgrade_wait_factor_increase  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, config->upgrade_wait_start * config->upgrade_wait_factor_increase * config->upgrade_wait_factor_increase);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, (FILE*)1);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_fgets, __stream, (FILE*)1);
+    will_return(wrap_fgets, "0\n");
+#else
+    expect_value(__wrap_fgets, __stream, (FILE*)1);
+    will_return(__wrap_fgets, "0\n");
+#endif
+
+    expect_value(__wrap_fclose, _File, (FILE*)1);
+    will_return(__wrap_fclose, 1);
+
+    expect_value(__wrap_wm_sendmsg, usec, 1000000);
+    expect_value(__wrap_wm_sendmsg, queue, queue);
+    expect_string(__wrap_wm_sendmsg, message, "{\"command\":\"upgrade_update_status\","
+                                               "\"parameters\":{\"error\":0,"
+                                                           "\"message\":\"Upgrade was successful\","
+                                                           "\"status\":\"Done\"}}");
+    expect_string(__wrap_wm_sendmsg, locmsg, task_manager_modules_list[WM_TASK_UPGRADE_MODULE]);
+    expect_value(__wrap_wm_sendmsg, loc, UPGRADE_MQ);
+
+    will_return(__wrap_wm_sendmsg, result);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8163): Sending upgrade ACK event: "
+                                                   "'{\"command\":\"upgrade_update_status\","
+                                                     "\"parameters\":{\"error\":0,"
+                                                                 "\"message\":\"Upgrade was successful\","
+                                                                 "\"status\":\"Done\"}}'");
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, config->upgrade_wait_max  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, config->upgrade_wait_max);
+#endif
+
+    expect_string(__wrap_wfopen, path, WM_AGENT_UPGRADE_RESULT_FILE);
+    expect_string(__wrap_wfopen, mode, "r");
+    will_return(__wrap_wfopen, NULL);
+
+    wm_agent_upgrade_check_status(config);
+
+    assert_int_equal(allow_upgrades, true);
+}
+
+void test_wm_agent_upgrade_check_status_queue_error(void **state)
+{
+    int queue = -1;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+    wm_agent_configs *config = *state;
+
+    config->upgrade_wait_start = 1;
+    config->upgrade_wait_max = 10;
+    config->upgrade_wait_factor_increase = 3;
+
+    allow_upgrades = false;
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, queue);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME);
+#endif
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8113): Could not open default queue to send upgrade notification.");
+
+    wm_agent_upgrade_check_status(config);
+
+    assert_int_equal(allow_upgrades, true);
+}
+
+#ifndef TEST_WINAGENT
+
+void test_wm_agent_upgrade_listen_messages_ok(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+
+    char *input = "{"
+                  "   \"command\": \"upgrade\","
+                  "   \"parameters\": {"
+                  "        \"file\":\"test.wpk\","
+                  "        \"installer\":\"test.sh\""
+                  "    }"
+                  "}";
+
+    size_t input_size = strlen(input) + 1;
+    char *response = NULL;
+    os_calloc(OS_SIZE_256, sizeof(char), response);
+
+    sprintf(response, "{"
+                      "    \"error\":0,"
+                      "    \"data\":[],"
+                      "    \"message\":\"ok\""
+                      "}");
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, input_size);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8155): Incomming message: '{"
+                                                                               "   \"command\": \"upgrade\","
+                                                                               "   \"parameters\": {"
+                                                                               "        \"file\":\"test.wpk\","
+                                                                               "        \"installer\":\"test.sh\""
+                                                                               "    }"
+                                                                               "}'");
+
+    expect_memory(__wrap_wm_agent_upgrade_process_command, buffer, input, sizeof(input));
+    will_return(__wrap_wm_agent_upgrade_process_command, response);
+    will_return(__wrap_wm_agent_upgrade_process_command, strlen(response));
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8156): Response message: '{"
+                                                                              "    \"error\":0,"
+                                                                              "    \"data\":[],"
+                                                                              "    \"message\":\"ok\""
+                                                                              "}'");
+
+    expect_value(__wrap_OS_SendSecureTCP, sock, peer);
+    expect_value(__wrap_OS_SendSecureTCP, size, strlen(response));
+    expect_string(__wrap_OS_SendSecureTCP, msg, response);
+    will_return(__wrap_OS_SendSecureTCP, 0);
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_receive_empty(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, 0);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtdebug1, formatted_msg, "(8159): Empty message from local client.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_receive_error(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8111): Error in recv(): 'Success'");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_receive_sock_error(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, OS_SOCKTERR);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8112): Response size is bigger than expected.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_accept_error_eintr(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+    errno = EINTR;
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, -1);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, OS_SOCKTERR);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8112): Response size is bigger than expected.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_accept_error(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+    errno = 1;
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8110): Error in accept(): 'Operation not permitted'");
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, OS_SOCKTERR);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8112): Response size is bigger than expected.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_select_zero(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, 0);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, OS_SOCKTERR);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8112): Response size is bigger than expected.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_select_error_eintr(void **state)
+{
+    int socket = 0;
+    int peer = 1111;
+    char *input = "Bad JSON";
+    errno = EINTR;
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, -1);
+
+    will_return(__wrap_select, 1);
+
+    will_return(__wrap_accept, peer);
+
+    expect_value(__wrap_OS_RecvSecureTCP, sock, peer);
+    expect_value(__wrap_OS_RecvSecureTCP, size, OS_MAXSTR);
+    will_return(__wrap_OS_RecvSecureTCP, input);
+    will_return(__wrap_OS_RecvSecureTCP, OS_SOCKTERR);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8112): Response size is bigger than expected.");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_select_error(void **state)
+{
+    int socket = 0;
+    errno = 1;
+
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, socket);
+
+    will_return(__wrap_select, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8109): Error in select(): 'Operation not permitted'. Exiting...");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+void test_wm_agent_upgrade_listen_messages_bind_error(void **state)
+{
+    expect_string(__wrap_OS_BindUnixDomain, path, AGENT_UPGRADE_SOCK);
+    expect_value(__wrap_OS_BindUnixDomain, type, SOCK_STREAM);
+    expect_value(__wrap_OS_BindUnixDomain, max_msg_size, OS_MAXSTR);
+    will_return(__wrap_OS_BindUnixDomain, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8108): Unable to bind to socket 'queue/ossec/upgrade': 'Operation not permitted'");
+
+    wm_agent_upgrade_listen_messages(NULL);
+}
+
+#endif
+
+void test_wm_agent_upgrade_start_agent_module_enabled(void **state)
+{
+    int queue = -1;
+    int result = 0;
+    wm_upgrade_agent_state upgrade_state = WM_UPGRADE_SUCCESSFUL;
+    wm_agent_configs *config = *state;
+
+    config->upgrade_wait_start = 1;
+    config->upgrade_wait_max = 10;
+    config->upgrade_wait_factor_increase = 3;
+
+    allow_upgrades = false;
+
+    expect_string(__wrap__mtinfo, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtinfo, formatted_msg, "(8153): Module Agent Upgrade started.");
+
+#ifndef TEST_WINAGENT
+    expect_memory(__wrap_CreateThread, function_pointer, wm_agent_upgrade_listen_messages, sizeof(wm_agent_upgrade_listen_messages));
+#endif
+
+    expect_string(__wrap_StartMQ, path, DEFAULTQUEUE);
+    expect_value(__wrap_StartMQ, type, WRITE);
+    will_return(__wrap_StartMQ, queue);
+
+#ifdef TEST_WINAGENT
+    expect_value(wrap_Sleep, dwMilliseconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME  * 1000);
+#else
+    expect_value(__wrap_sleep, seconds, WM_AGENT_UPGRADE_RESULT_WAIT_TIME);
+#endif
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8113): Could not open default queue to send upgrade notification.");
+
+    wm_agent_upgrade_start_agent_module(config, 1);
+
+    assert_int_equal(allow_upgrades, true);
+}
+
+void test_wm_agent_upgrade_start_agent_module_disabled(void **state)
+{
+    wm_agent_configs *config = *state;
+
+    allow_upgrades = false;
+
+#ifndef TEST_WINAGENT
+    expect_memory(__wrap_CreateThread, function_pointer, wm_agent_upgrade_listen_messages, sizeof(wm_agent_upgrade_listen_messages));
+#endif
+
+    wm_agent_upgrade_start_agent_module(config, 0);
+
+    assert_int_equal(allow_upgrades, false);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        // wm_upgrade_agent_send_ack_message
+        cmocka_unit_test_setup(test_wm_upgrade_agent_send_ack_message_successful, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_send_ack_message_failed, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_send_ack_message_error, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_send_ack_message_error_exit, setup_test_executions),
+        // wm_upgrade_agent_search_upgrade_result
+        cmocka_unit_test_setup(test_wm_upgrade_agent_search_upgrade_result_successful, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_search_upgrade_result_failed, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_search_upgrade_result_failed_missing_dependency, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_search_upgrade_result_error_open, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_upgrade_agent_search_upgrade_result_error_code, setup_test_executions),
+        // wm_agent_upgrade_check_status
+        cmocka_unit_test_setup(test_wm_agent_upgrade_check_status_successful, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_agent_upgrade_check_status_time_limit, setup_test_executions),
+        cmocka_unit_test_setup(test_wm_agent_upgrade_check_status_queue_error, setup_test_executions),
+#ifndef TEST_WINAGENT
+        // wm_agent_upgrade_listen_messages
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_ok),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_receive_empty),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_receive_error),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_receive_sock_error),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_accept_error_eintr),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_accept_error),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_select_zero),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_select_error_eintr),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_select_error),
+        cmocka_unit_test(test_wm_agent_upgrade_listen_messages_bind_error),
+#endif
+        // wm_agent_upgrade_start_agent_module
+        cmocka_unit_test_setup(test_wm_agent_upgrade_start_agent_module_enabled, setup_test_executions),
+        cmocka_unit_test(test_wm_agent_upgrade_start_agent_module_disabled)
+    };
+    return cmocka_run_group_tests(tests, setup_group, teardown_group);
+}
diff --git a/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_com.c b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_com.c
new file mode 100644
index 0000000000..1e9332fd27
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/tests/test_wm_agent_upgrade_com.c
@@ -0,0 +1,1921 @@
+/*
+ * Copyright (C) 2015, Wazuh Inc.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <stdio.h>
+
+#include "../../headers/shared.h"
+#include "../../wazuh_modules/wm_task_general.h"
+#include "../../wazuh_modules/wmodules.h"
+#include "../../wazuh_modules/agent_upgrade/wm_agent_upgrade.h"
+#include "../../wazuh_modules/agent_upgrade/agent/wm_agent_upgrade_agent.h"
+
+#include "../../wrappers/common.h"
+#include "../../wrappers/wazuh/shared/debug_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/file_op_wrappers.h"
+#include "../../wrappers/wazuh/shared/validate_op_wrappers.h"
+#include "../../wrappers/libc/string_wrappers.h"
+#include "../../wrappers/libc/stdlib_wrappers.h"
+#include "../../wrappers/libc/stdio_wrappers.h"
+#include "../../wrappers/posix/unistd_wrappers.h"
+#include "../../wrappers/externals/zlib/zlib_wrappers.h"
+
+extern int test_mode;
+
+extern size_t __real_strlen(const char *s);
+
+extern int _jailfile(char finalpath[PATH_MAX + 1], const char * basedir, const char * filename);
+extern int _unsign(const char * source, char dest[PATH_MAX + 1]);
+extern int _uncompress(const char * source, const char *package, char dest[PATH_MAX + 1]);
+
+extern char * wm_agent_upgrade_com_open(const cJSON* json_object);
+extern char * wm_agent_upgrade_com_write(const cJSON* json_object);
+extern char * wm_agent_upgrade_com_close(const cJSON* json_object);
+extern char * wm_agent_upgrade_com_sha1(const cJSON* json_object);
+extern char * wm_agent_upgrade_com_upgrade(const cJSON* json_object);
+extern char * wm_agent_upgrade_com_clear_result();
+
+extern struct {char path[PATH_MAX + 1]; FILE * fp;} file;
+extern const char * error_messages[];
+/* Internal methods tests */
+
+int setup_jailfile(void **state) {
+    char *filename = malloc(sizeof(char) * OS_MAXSTR);
+    sprintf(filename, "test_filename");
+    *state = filename;
+    test_mode = 1;
+    return 0;
+}
+
+#ifdef TEST_WINAGENT
+int setup_jailfile_long_name(void **state) {
+    char *filename = malloc(sizeof(char) * OS_MAXSTR);
+    const unsigned int length = PATH_MAX - strlen(INCOMING_DIR) - 2;
+    for(int i=0; i < length; i++) {
+        sprintf(&filename[i], "a");
+    }
+    *state = filename;
+    test_mode = 1;
+    return 0;
+}
+#endif
+
+int setup_jailfile_long_name2(void **state) {
+    char *filename = malloc(sizeof(char) * OS_MAXSTR);
+    const unsigned int length = PATH_MAX - strlen(TMP_DIR) - 2;
+    for(int i=0; i < length; i++) {
+        sprintf(&filename[i], "a");
+    }
+    *state = filename;
+    test_mode = 1;
+    return 0;
+}
+
+int teardown_jailfile(void **state) {
+    char *filename = *state;
+    test_mode = 0;
+    os_free(filename);
+    return 0;
+}
+
+int setup_clear_result(void **state) {
+    test_mode = 1;
+    return 0;
+}
+
+int teadown_clear_result(void **state) {
+    test_mode = 0;
+    return 0;
+}
+
+void test_jailfile_invalid_path(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *filename = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, filename);
+    will_return(__wrap_w_ref_parent_folder, 1);
+    int ret = _jailfile(finalpath, TMP_DIR, filename);
+    assert_int_equal(ret, -1);
+}
+
+void test_jailfile_valid_path(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *filename = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, filename);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    int ret = _jailfile(finalpath, TMP_DIR, filename);
+    assert_int_equal(ret, 0);
+#ifdef TEST_WINAGENT
+    assert_string_equal(finalpath, "tmp\\test_filename");
+#else
+    assert_string_equal(finalpath, "tmp/test_filename");
+#endif
+}
+
+void test_unsign_invalid_source_incomming(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 1);
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At unsign(): Invalid file name.");
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+
+void test_unsign_invalid_source_temp(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 1);
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At unsign(): Invalid file name.");
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+
+#ifdef TEST_WINAGENT
+void test_unsign_invalid_source_len(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8137): At unsign(): Too long temp file.");
+
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+#endif
+
+void test_unsign_temp_file_fail(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+#ifdef TEST_WINAGENT
+    will_return(wrap_mktemp_s, 1);
+#else
+    will_return(__wrap_mkstemp, -1);
+#endif
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8138): At unsign(): Could not create temporary compressed file.");
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+
+void test_unsign_wpk_using_fail(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+#ifdef TEST_WINAGENT
+    will_return(wrap_mktemp_s,  NULL);
+    expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_filename");
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8139): At unsign(): Could not unsign package file 'incoming\\test_filename'");
+#else
+    expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_filename");
+    will_return(__wrap_mkstemp, 8);
+    expect_any(__wrap_chmod, path);
+    will_return(__wrap_chmod, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8139): At unsign(): Could not unsign package file 'var/incoming/test_filename'");
+#endif
+    will_return(__wrap_w_wpk_unsign, -1);
+    expect_any_count(__wrap_unlink, file, 2);
+    will_return_count(__wrap_unlink, 0, 2);
+
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+
+void test_unsign_temp_chmod_fail(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    will_return(__wrap_mkstemp, 8);
+    expect_any(__wrap_chmod, path);
+    will_return(__wrap_chmod, -1);
+
+    expect_any_count(__wrap_unlink, file, 2);
+    will_return_count(__wrap_unlink, 0, 2);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8134): At unsign(): Could not chmod 'tmp/test_filename.gz.XXXXXX'");
+
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, -1);
+}
+
+void test_unsign_success(void **state) {
+    char finalpath[PATH_MAX + 1];
+    char *source =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+    expect_string(__wrap_w_ref_parent_folder, path, source);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+#ifdef TEST_WINAGENT
+    will_return(wrap_mktemp_s,  NULL);
+    expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_filename");
+#else
+    expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_filename");
+
+    will_return(__wrap_mkstemp, 8);
+    expect_any(__wrap_chmod, path);
+    will_return(__wrap_chmod, 0);
+#endif
+    will_return(__wrap_w_wpk_unsign, 0);
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    int ret = _unsign(source, finalpath);
+    assert_int_equal(ret, 0);
+}
+
+
+void test_uncompress_invalid_filename(void **state) {
+    char compressed[PATH_MAX + 1];
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At uncompress(): Invalid file name.");
+
+    int ret = _uncompress(compressed, package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_invalid_file_len(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8137): At uncompress(): Too long temp file.");
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_gzopen_fail(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap_gzopen, path, "compressed_test");
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, NULL);
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8140): At uncompress(): Unable to open 'compressed_test'");
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_fopen_fail(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap_gzopen, path, "compressed_test");
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 4);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mterror, formatted_msg, "(8140): At uncompress(): Unable to open 'tmp\\test_filename.mg.XXXXXX'");
+#else
+    expect_string(__wrap__mterror, formatted_msg, "(8140): At uncompress(): Unable to open 'tmp/test_filename.mg.XXXXXX'");
+#endif
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "wb");
+    will_return(__wrap_wfopen, 0);
+
+    expect_value(__wrap_gzclose, file, 4);
+    will_return(__wrap_gzclose, 0);
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_fwrite_fail(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap_gzopen, path, "compressed_test");
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 4);
+
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "wb");
+    will_return(__wrap_wfopen, 5);
+
+    expect_value(__wrap_gzread, gz_fd, 4);
+    will_return(__wrap_gzread, 4);
+    will_return(__wrap_gzread, "test");
+
+    will_return(__wrap_fwrite, -1);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    expect_value(__wrap_gzclose, file, 4);
+    will_return(__wrap_gzclose, 0);
+
+    expect_value(__wrap_fclose, _File, 5);
+    will_return(__wrap_fclose, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8129): At uncompress(): Cannot write on 'compressed_test'");
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_gzread_fail(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap_gzopen, path, "compressed_test");
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 4);
+
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "wb");
+    will_return(__wrap_wfopen, 5);
+
+    expect_value(__wrap_gzread, gz_fd, 4);
+    will_return(__wrap_gzread, -1);
+
+    expect_value(__wrap_gzclose, file, 4);
+    will_return(__wrap_gzclose, 0);
+
+    expect_value(__wrap_fclose, _File, 5);
+    will_return(__wrap_fclose, 0);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8141): At uncompress(): Unable to read 'compressed_test'");
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, -1);
+}
+
+void test_uncompress_success(void **state) {
+    char merged[PATH_MAX + 1];
+    char *package =  *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, package);
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap_gzopen, path, "compressed_test");
+    expect_string(__wrap_gzopen, mode, "rb");
+    will_return(__wrap_gzopen, 4);
+
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "wb");
+    will_return(__wrap_wfopen, 5);
+
+    expect_value(__wrap_gzread, gz_fd, 4);
+    will_return(__wrap_gzread, 4);
+    will_return(__wrap_gzread, "test");
+
+    will_return(__wrap_fwrite, 4);
+
+    expect_value(__wrap_gzread, gz_fd, 4);
+    will_return(__wrap_gzread, 0);
+
+    expect_value(__wrap_gzclose, file, 4);
+    will_return(__wrap_gzclose, 0);
+
+    expect_value(__wrap_fclose, _File, 5);
+    will_return(__wrap_fclose, 0);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    int ret = _uncompress("compressed_test", package, merged);
+    assert_int_equal(ret, 0);
+}
+
+/* Commands tests */
+int setup_open1(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "mode", "r");
+    cJSON_AddStringToObject(command, "file", "test_file");
+    *state = command;
+    test_mode = 1;
+    return 0;
+}
+
+int setup_open2(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "mode", "w");
+    cJSON_AddStringToObject(command, "file", "test_file");
+    *state = command;
+    test_mode = 1;
+    return 0;
+}
+
+int setup_write(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "buffer", "ABCDABCD");
+    cJSON_AddStringToObject(command, "file", "test_file");
+    cJSON_AddNumberToObject(command, "length", 8);
+    *state = command;
+    test_mode = 1;
+    return 0;
+}
+
+int setup_sha1(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "file", "test_file");
+    *state = command;
+    test_mode = 1;
+    return 0;
+}
+
+int setup_upgrade(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "file", "test_file");
+    cJSON_AddStringToObject(command, "installer", "install.sh");
+    *state = command;
+    test_mode = 1;
+    return 0;
+}
+
+int teardown_commands(void **state) {
+    cJSON * command = *state;
+    test_mode = 0;
+    cJSON_Delete(command);
+    return 0;
+}
+
+void test_wm_agent_upgrade_com_open_unsopported_mode(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "existent_path");
+    expect_string(__wrap__mtwarn, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mtwarn, formatted_msg,  "(8124): At open: File 'existent_path' was opened. Closing.");
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg,  "(8125): At open: Unsupported mode.");
+
+    char *response = wm_agent_upgrade_com_open(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Unsupported file mode");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_open_invalid_file_name(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg,  "(8126): At open: Invalid file name.");
+
+    char *response = wm_agent_upgrade_com_open(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Invalid file name");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_open_invalid_open(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg,   "(1103): Could not open file 'test_file' due to [(2)-(No such file or directory)].");
+
+    errno = 2;
+
+    char *response = wm_agent_upgrade_com_open(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "File Open Error: No such file or directory");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_open_success(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_wfopen, path);
+    expect_string(__wrap_wfopen, mode, "w");
+    will_return(__wrap_wfopen, 4);
+
+    char *response = wm_agent_upgrade_com_open(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "ok");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_write_file_closed(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "%s", "\0");
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg,   "(8127): At write: File not opened. Agent might have been auto-restarted during upgrade.");
+
+    char *response = wm_agent_upgrade_com_write(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "File not opened. Agent might have been auto-restarted during upgrade");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_write_invalid_file_name(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "%s", "test_file");
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg,   "(8126): At write: Invalid file name.");
+
+    char *response = wm_agent_upgrade_com_write(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Invalid file name");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_write_different_file_name(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "%s", "test_file_different");
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8128): At write: The target file doesn't match the opened file 'test_file_different'");
+
+    char *response = wm_agent_upgrade_com_write(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "The target file doesn't match the opened file");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_write_error(void **state) {
+    cJSON * command = *state;
+#ifdef TEST_WINAGENT
+    sprintf(file.path, "incoming\\test_file");
+#else
+    sprintf(file.path, "var/incoming/test_file");
+#endif
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    will_return(__wrap_fwrite, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+#ifdef TEST_WINAGENT
+    expect_string(__wrap__mterror, formatted_msg, "(8129): At write: Cannot write on 'incoming\\test_file'");
+#else
+    expect_string(__wrap__mterror, formatted_msg, "(8129): At write: Cannot write on 'var/incoming/test_file'");
+#endif
+
+    char *response = wm_agent_upgrade_com_write(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Cannot write file");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_write_success(void **state) {
+    cJSON * command = *state;
+#ifdef TEST_WINAGENT
+    sprintf(file.path, "incoming\\test_file");
+#else
+    sprintf(file.path, "var/incoming/test_file");
+#endif
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    will_return(__wrap_fwrite, 8);
+
+    char *response = wm_agent_upgrade_com_write(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "ok");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_close_file_opened(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "%s", "\0");
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8130): At close: No file is opened.");
+
+    char *response = wm_agent_upgrade_com_close(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "No file opened");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_close_invalid_file_name(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "test_file");
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At close: Invalid file name.");
+
+    char *response = wm_agent_upgrade_com_close(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Invalid file name");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_close_different_file_name(void **state) {
+    cJSON * command = *state;
+
+    sprintf(file.path, "%s", "test_file_different");
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8128): At close: The target file doesn't match the opened file 'test_file_different'");
+
+    char *response = wm_agent_upgrade_com_close(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "The target file doesn't match the opened file");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_close_failed(void **state) {
+    cJSON * command = *state;
+
+    #ifdef TEST_WINAGENT
+    sprintf(file.path, "incoming\\test_file");
+    #else
+    sprintf(file.path, "var/incoming/test_file");
+    #endif
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, -1);
+
+    errno = EPERM;
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8131): At close: 'Operation not permitted'");
+
+    char *response = wm_agent_upgrade_com_close(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Cannot close file");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_close_success(void **state) {
+    cJSON * command = *state;
+
+    #ifdef TEST_WINAGENT
+    sprintf(file.path, "incoming\\test_file");
+    #else
+    sprintf(file.path, "var/incoming/test_file");
+    #endif
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_fclose, _File);
+    will_return(__wrap_fclose, 0);
+
+    char *response = wm_agent_upgrade_com_close(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "ok");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_sha1_invalid_file(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At sha1: Invalid file name.");
+
+    char *response = wm_agent_upgrade_com_sha1(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Invalid file name");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_sha1_sha_error(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_OS_SHA1_File, fname);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_BINARY);
+    will_return(__wrap_OS_SHA1_File, "");
+    will_return(__wrap_OS_SHA1_File, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8132): At sha1: Error generating SHA1.");
+
+    char *response = wm_agent_upgrade_com_sha1(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Cannot generate SHA1");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_sha1_sha_success(void **state) {
+    cJSON * command = *state;
+
+    expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+    will_return(__wrap_w_ref_parent_folder, 0);
+
+    expect_any(__wrap_OS_SHA1_File, fname);
+    expect_value(__wrap_OS_SHA1_File, mode, OS_BINARY);
+    will_return(__wrap_OS_SHA1_File, "2c312ada12ab321a253ad321af65983fa412e3a1");
+    will_return(__wrap_OS_SHA1_File, 0);
+
+    char *response = wm_agent_upgrade_com_sha1(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "2c312ada12ab321a253ad321af65983fa412e3a1");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_upgrade_unsign_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 1);
+        expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+        expect_string(__wrap__mterror, formatted_msg, "(8126): At unsign(): Invalid file name.");
+    }
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8131): At upgrade: 'Could not verify signature'");
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Could not verify signature");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_upgrade_uncompress_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    // Uncompress
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 1);
+        expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+        expect_string(__wrap__mterror, formatted_msg, "(8126): At uncompress(): Invalid file name.");
+    }
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8131): At upgrade: 'Could not uncompress package'");
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Could not uncompress package");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+
+void test_wm_agent_upgrade_com_upgrade_clean_directory_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8131): At upgrade: 'Could not clean up upgrade directory'");
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Could not clean up upgrade directory");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_unmerge_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, 0);
+
+    expect_any(__wrap_UnmergeFiles, finalpath);
+    expect_any(__wrap_UnmergeFiles, optdir);
+    expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+    will_return(__wrap_UnmergeFiles, 0);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_any(__wrap__mterror, formatted_msg);
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Error unmerging file");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_installer_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, 0);
+
+    expect_any(__wrap_UnmergeFiles, finalpath);
+    expect_any(__wrap_UnmergeFiles, optdir);
+    expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+    will_return(__wrap_UnmergeFiles, -1);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    expect_any(__wrap_w_ref_parent_folder, path);
+    will_return(__wrap_w_ref_parent_folder, 1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8126): At upgrade: Invalid file name.");
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Invalid file name");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+#ifndef TEST_WINAGENT
+void test_wm_agent_upgrade_com_chmod_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, 0);
+
+    expect_any(__wrap_UnmergeFiles, finalpath);
+    expect_any(__wrap_UnmergeFiles, optdir);
+    expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+    will_return(__wrap_UnmergeFiles, -1);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    // Jailfile
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "install.sh");
+        will_return(__wrap_w_ref_parent_folder, 0);
+    }
+
+    expect_string(__wrap_chmod, path, "var/upgrade/install.sh");
+    will_return(__wrap_chmod, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+    expect_string(__wrap__mterror, formatted_msg, "(8134): At upgrade: Could not chmod 'var/upgrade/install.sh'");
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Could not chmod");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+#endif
+
+void test_wm_agent_upgrade_com_execute_error(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, 0);
+
+    expect_any(__wrap_UnmergeFiles, finalpath);
+    expect_any(__wrap_UnmergeFiles, optdir);
+    expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+    will_return(__wrap_UnmergeFiles, -1);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    // Jailfile
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "install.sh");
+        will_return(__wrap_w_ref_parent_folder, 0);
+    }
+
+    #ifndef TEST_WINAGENT
+    expect_string(__wrap_chmod, path, "var/upgrade/install.sh");
+    will_return(__wrap_chmod, 0);
+    expect_string(__wrap_wm_exec, command, "var/upgrade/install.sh");
+
+    #else
+    expect_string(__wrap_wm_exec, command, "upgrade\\install.sh");
+    #endif
+
+
+    expect_value(__wrap_wm_exec, secs, 3600);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, "OUTPUT COMMAND");
+    will_return(__wrap_wm_exec, -1);
+    will_return(__wrap_wm_exec, -1);
+
+    expect_string(__wrap__mterror, tag, "wazuh-modulesd:agent-upgrade");
+
+    #ifndef TEST_WINAGENT
+    expect_string(__wrap__mterror, formatted_msg, "(8135): At upgrade: Error executing command [var/upgrade/install.sh]");
+    #else
+    expect_string(__wrap__mterror, formatted_msg, "(8135): At upgrade: Error executing command [upgrade\\install.sh]");
+    #endif
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Error executing command");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_success(void **state) {
+    cJSON * command = *state;
+
+    will_return(__wrap_getDefine_Int, 3600);
+    // Unsign
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        #ifdef TEST_WINAGENT
+            will_return(wrap_mktemp_s,  NULL);
+            expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+        #else
+            expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+            will_return(__wrap_mkstemp, 8);
+            expect_any(__wrap_chmod, path);
+            will_return(__wrap_chmod, 0);
+        #endif
+        will_return(__wrap_w_wpk_unsign, 0);
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+    // Uncompress
+    {
+        expect_any(__wrap_w_ref_parent_folder, path);
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_gzopen, path);
+        expect_string(__wrap_gzopen, mode, "rb");
+        will_return(__wrap_gzopen, 4);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "wb");
+        will_return(__wrap_wfopen, 5);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 4);
+        will_return(__wrap_gzread, "test");
+
+        will_return(__wrap_fwrite, 4);
+
+        expect_value(__wrap_gzread, gz_fd, 4);
+        will_return(__wrap_gzread, 0);
+
+        expect_value(__wrap_gzclose, file, 4);
+        will_return(__wrap_gzclose, 0);
+
+        expect_value(__wrap_fclose, _File, 5);
+        will_return(__wrap_fclose, 0);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+    }
+
+    will_return(__wrap_cldir_ex, 0);
+
+    expect_any(__wrap_UnmergeFiles, finalpath);
+    expect_any(__wrap_UnmergeFiles, optdir);
+    expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+    will_return(__wrap_UnmergeFiles, -1);
+
+    expect_any(__wrap_unlink, file);
+    will_return(__wrap_unlink, 0);
+
+    // Jailfile
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "install.sh");
+        will_return(__wrap_w_ref_parent_folder, 0);
+    }
+
+    #ifndef TEST_WINAGENT
+    expect_string(__wrap_chmod, path, "var/upgrade/install.sh");
+    will_return(__wrap_chmod, 0);
+    expect_string(__wrap_wm_exec, command, "var/upgrade/install.sh");
+
+    #else
+    expect_string(__wrap_wm_exec, command, "upgrade\\install.sh");
+    #endif
+
+
+    expect_value(__wrap_wm_exec, secs, 3600);
+    expect_value(__wrap_wm_exec, add_path, NULL);
+    will_return(__wrap_wm_exec, "OUTPUT COMMAND");
+    will_return(__wrap_wm_exec, 0);
+    will_return(__wrap_wm_exec, 0);
+
+    char *response = wm_agent_upgrade_com_upgrade(command);
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "0");
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_clear_result_failed(void **state) {
+    allow_upgrades = false;
+
+    #ifndef TEST_WINAGENT
+        expect_string(__wrap_remove, filename, "var/upgrade/upgrade_result");
+    #else
+        expect_string(__wrap_remove, filename, "upgrade\\upgrade_result");
+    #endif
+    will_return(__wrap_remove, -1);
+
+    expect_string(__wrap__mtdebug1, tag, "wazuh-modulesd:agent-upgrade");
+    #ifndef TEST_WINAGENT
+        expect_string(__wrap__mtdebug1, formatted_msg,  "(8136): At clear_upgrade_result: Could not erase file 'var/upgrade/upgrade_result'");
+    #else
+        expect_string(__wrap__mtdebug1, formatted_msg,  "(8136): At clear_upgrade_result: Could not erase file 'upgrade\\upgrade_result'");
+    #endif
+
+    char *response = wm_agent_upgrade_com_clear_result();
+
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "Could not erase upgrade_result file");
+
+    assert_int_equal(allow_upgrades, false);
+
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+void test_wm_agent_upgrade_com_clear_result_success(void **state) {
+    allow_upgrades = false;
+
+    #ifndef TEST_WINAGENT
+        expect_string(__wrap_remove, filename, "var/upgrade/upgrade_result");
+    #else
+        expect_string(__wrap_remove, filename, "upgrade\\upgrade_result");
+    #endif
+    will_return(__wrap_remove, 0);
+
+    char *response = wm_agent_upgrade_com_clear_result();
+
+    cJSON *response_object = cJSON_Parse(response);
+    assert_string_equal(cJSON_GetObjectItem(response_object, task_manager_json_keys[WM_TASK_ERROR_MESSAGE])->valuestring, "ok");
+
+    assert_int_equal(allow_upgrades, true);
+
+    cJSON_Delete(response_object);
+    os_free(response);
+}
+
+/* Process commands */
+int setup_process_clear_upgrade(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "clear_upgrade_result");
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int teardown_process(void **state) {
+    char *buffer = *state;
+    os_free(buffer);
+    allow_upgrades = true;
+    test_mode = 0;
+    return 0;
+}
+
+int setup_process_no_parameters(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "open");
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_open(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "open");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddStringToObject(parameters, "mode", "w");
+    cJSON_AddStringToObject(parameters, "file", "test_file");
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_write(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "write");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddStringToObject(parameters, "buffer", "ABCDABCD");
+    cJSON_AddStringToObject(parameters, "file", "test_file");
+    cJSON_AddNumberToObject(parameters, "length", 8);
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_close(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "close");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddStringToObject(parameters, "file", "test_file");
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_sha1(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "sha1");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddStringToObject(parameters, "file", "test_file");
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_upgrade(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "upgrade");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddStringToObject(parameters, "file", "test_file");
+    cJSON_AddStringToObject(parameters, "installer", "install.sh");
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+int setup_process_upgrade_not_allowed(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "open");
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    // Turn off upgrades
+    allow_upgrades = false;
+    return 0;
+}
+
+int setup_process_unknown(void **state) {
+    cJSON * command = cJSON_CreateObject();
+    cJSON_AddStringToObject(command, "command", "abcd");
+    cJSON * parameters = cJSON_CreateObject();
+    cJSON_AddItemToObject(command, "parameters", parameters);
+    char *ptr = cJSON_PrintUnformatted(command);
+    *state = ptr;
+    cJSON_Delete(command);
+    test_mode = 1;
+    return 0;
+}
+
+void test_wm_agent_upgrade_process_clear_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+
+    {
+        #ifndef TEST_WINAGENT
+            expect_string(__wrap_remove, filename, "var/upgrade/upgrade_result");
+        #else
+            expect_string(__wrap_remove, filename, "upgrade\\upgrade_result");
+        #endif
+        will_return(__wrap_remove, 0);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "ok");
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_open_no_parameters(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "Required parameters were not found");
+    assert_int_not_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_open_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+    // Open
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_wfopen, path);
+        expect_string(__wrap_wfopen, mode, "w");
+        will_return(__wrap_wfopen, 4);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "ok");
+    assert_int_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_write_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+    // Write
+    {
+        #ifdef TEST_WINAGENT
+            sprintf(file.path, "incoming\\test_file");
+        #else
+            sprintf(file.path, "var/incoming/test_file");
+        #endif
+
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        will_return(__wrap_fwrite, 8);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "ok");
+    assert_int_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_close_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+    // Close
+    {
+        #ifdef TEST_WINAGENT
+        sprintf(file.path, "incoming\\test_file");
+        #else
+        sprintf(file.path, "var/incoming/test_file");
+        #endif
+
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_fclose, _File);
+        will_return(__wrap_fclose, 0);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "ok");
+    assert_int_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_sha1_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+    // sha1
+    {
+        expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+        will_return(__wrap_w_ref_parent_folder, 0);
+
+        expect_any(__wrap_OS_SHA1_File, fname);
+        expect_value(__wrap_OS_SHA1_File, mode, OS_BINARY);
+        will_return(__wrap_OS_SHA1_File, "2c312ada12ab321a253ad321af65983fa412e3a1");
+        will_return(__wrap_OS_SHA1_File, 0);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "2c312ada12ab321a253ad321af65983fa412e3a1");
+    assert_int_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_upgrade_command(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+    // upgrade
+    {
+        will_return(__wrap_getDefine_Int, 3600);
+        // Unsign
+        {
+            expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+            will_return(__wrap_w_ref_parent_folder, 0);
+            expect_string(__wrap_w_ref_parent_folder, path, "test_file");
+            will_return(__wrap_w_ref_parent_folder, 0);
+
+            #ifdef TEST_WINAGENT
+                will_return(wrap_mktemp_s,  NULL);
+                expect_string(__wrap_w_wpk_unsign, source, "incoming\\test_file");
+            #else
+                expect_string(__wrap_w_wpk_unsign, source, "var/incoming/test_file");
+
+                will_return(__wrap_mkstemp, 8);
+                expect_any(__wrap_chmod, path);
+                will_return(__wrap_chmod, 0);
+            #endif
+            will_return(__wrap_w_wpk_unsign, 0);
+            expect_any(__wrap_unlink, file);
+            will_return(__wrap_unlink, 0);
+        }
+        // Uncompress
+        {
+            expect_any(__wrap_w_ref_parent_folder, path);
+            will_return(__wrap_w_ref_parent_folder, 0);
+
+            expect_any(__wrap_gzopen, path);
+            expect_string(__wrap_gzopen, mode, "rb");
+            will_return(__wrap_gzopen, 4);
+
+            expect_any(__wrap_wfopen, path);
+            expect_string(__wrap_wfopen, mode, "wb");
+            will_return(__wrap_wfopen, 5);
+
+            expect_value(__wrap_gzread, gz_fd, 4);
+            will_return(__wrap_gzread, 4);
+            will_return(__wrap_gzread, "test");
+
+            will_return(__wrap_fwrite, 4);
+
+            expect_value(__wrap_gzread, gz_fd, 4);
+            will_return(__wrap_gzread, 0);
+
+            expect_value(__wrap_gzclose, file, 4);
+            will_return(__wrap_gzclose, 0);
+
+            expect_value(__wrap_fclose, _File, 5);
+            will_return(__wrap_fclose, 0);
+
+            expect_any(__wrap_unlink, file);
+            will_return(__wrap_unlink, 0);
+        }
+
+        will_return(__wrap_cldir_ex, 0);
+
+        expect_any(__wrap_UnmergeFiles, finalpath);
+        expect_any(__wrap_UnmergeFiles, optdir);
+        expect_value(__wrap_UnmergeFiles, mode, OS_BINARY);
+        will_return(__wrap_UnmergeFiles, -1);
+
+        expect_any(__wrap_unlink, file);
+        will_return(__wrap_unlink, 0);
+
+        // Jailfile
+        {
+            expect_string(__wrap_w_ref_parent_folder, path, "install.sh");
+            will_return(__wrap_w_ref_parent_folder, 0);
+        }
+
+        #ifndef TEST_WINAGENT
+        expect_string(__wrap_chmod, path, "var/upgrade/install.sh");
+        will_return(__wrap_chmod, 0);
+        expect_string(__wrap_wm_exec, command, "var/upgrade/install.sh");
+
+        #else
+        expect_string(__wrap_wm_exec, command, "upgrade\\install.sh");
+        #endif
+
+
+        expect_value(__wrap_wm_exec, secs, 3600);
+        expect_value(__wrap_wm_exec, add_path, NULL);
+        will_return(__wrap_wm_exec, "OUTPUT COMMAND");
+        will_return(__wrap_wm_exec, 0);
+        will_return(__wrap_wm_exec, 0);
+    }
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "0");
+    assert_int_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_upgrade_not_allowed(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "Upgrade module is disabled or not ready yet");
+    assert_int_not_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+void test_wm_agent_upgrade_process_unknown(void **state) {
+    char * buffer = *state;
+    char *output = NULL;
+
+    size_t length = wm_agent_upgrade_process_command(buffer, &output);
+    cJSON *response = cJSON_Parse(output);
+    assert_string_equal(cJSON_GetObjectItem(response, "message")->valuestring, "Command not found");
+    assert_int_not_equal(cJSON_GetObjectItem(response, "error")->valueint, 0);
+    assert_int_equal(strlen(output), length);
+    cJSON_Delete(response);
+    os_free(output);
+}
+
+int main(void) {
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_jailfile_invalid_path, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_jailfile_valid_path, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_unsign_invalid_source_incomming, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_unsign_invalid_source_temp, setup_jailfile, teardown_jailfile),
+        #ifdef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_unsign_invalid_source_len, setup_jailfile_long_name, teardown_jailfile),
+        #endif
+        cmocka_unit_test_setup_teardown(test_unsign_temp_file_fail, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_unsign_wpk_using_fail, setup_jailfile, teardown_jailfile),
+        #ifndef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_unsign_temp_chmod_fail, setup_jailfile, teardown_jailfile),
+        #endif
+        cmocka_unit_test_setup_teardown(test_unsign_success, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_invalid_filename, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_invalid_file_len, setup_jailfile_long_name2, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_gzopen_fail, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_fopen_fail, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_fwrite_fail, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_gzread_fail, setup_jailfile, teardown_jailfile),
+        cmocka_unit_test_setup_teardown(test_uncompress_success, setup_jailfile, teardown_jailfile),
+        // Test commands
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_open_unsopported_mode, setup_open1, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_open_invalid_file_name, setup_open2, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_open_invalid_open, setup_open2, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_open_success, setup_open2, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_write_file_closed, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_write_invalid_file_name, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_write_different_file_name, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_write_error, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_write_success, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_close_file_opened, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_close_invalid_file_name, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_close_different_file_name, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_close_failed, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_close_success, setup_write, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_sha1_invalid_file, setup_sha1, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_sha1_sha_error, setup_sha1, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_sha1_sha_success, setup_sha1, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_upgrade_unsign_error, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_upgrade_uncompress_error, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_upgrade_clean_directory_error, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_unmerge_error, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_installer_error, setup_upgrade, teardown_commands),
+    #ifndef TEST_WINAGENT
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_chmod_error, setup_upgrade, teardown_commands),
+    #endif
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_execute_error, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_success, setup_upgrade, teardown_commands),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_clear_result_failed, setup_clear_result, teadown_clear_result),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_com_clear_result_success, setup_clear_result, teadown_clear_result),
+        // Command dispatcher
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_clear_command, setup_process_clear_upgrade, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_open_no_parameters, setup_process_no_parameters, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_open_command, setup_process_open, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_write_command, setup_process_write, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_close_command, setup_process_close, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_sha1_command, setup_process_sha1, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_upgrade_command, setup_process_upgrade, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_upgrade_not_allowed, setup_process_upgrade_not_allowed, teardown_process),
+        cmocka_unit_test_setup_teardown(test_wm_agent_upgrade_process_unknown, setup_process_unknown, teardown_process)
+    };
+
+    return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.c b/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.c
new file mode 100644
index 0000000000..87308e6c7c
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.c
@@ -0,0 +1,27 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#include "../../common.h"
+#include "wm_agent_upgrade_agent_wrappers.h"
+#include <stddef.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+void __wrap_wm_agent_upgrade_start_agent_module(const wm_agent_configs* agent_config, const int enabled) {
+    check_expected(agent_config);
+    check_expected(enabled);
+}
+
+size_t __wrap_wm_agent_upgrade_process_command(const char *buffer, char **output) {
+    check_expected(buffer);
+    *output = mock_type(char*);
+
+    return mock();
+}
diff --git a/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.h b/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.h
new file mode 100644
index 0000000000..3a545c2d7e
--- /dev/null
+++ b/src/modules/upgrade/tests/unit/wrappers/wm_agent_upgrade_agent_wrappers.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 2015, Wazuh Inc.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it
+ * and/or modify it under the terms of the GNU General Public
+ * License (version 2) as published by the FSF - Free Software
+ * Foundation
+ */
+
+#ifndef WM_AGENT_UPGRADE_AGENT_WRAPPERS_H
+#define WM_AGENT_UPGRADE_AGENT_WRAPPERS_H
+
+#include "../../../../headers/shared.h"
+#include "../../../../wazuh_modules/wmodules.h"
+#include "../../../../wazuh_modules/agent_upgrade/agent/wm_agent_upgrade_agent.h"
+
+void __wrap_wm_agent_upgrade_start_agent_module(const wm_agent_configs* agent_config, const int enabled);
+
+size_t __wrap_wm_agent_upgrade_process_command(const char *buffer, char **output);
+
+#endif